Cross Reference: /freebsd-10.0-release/sys/security/mac/mac

Deleted Added

sdiff udiff text old ( 118308 ) new ( 119184 )

full compact

1/*-
2 * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson
3 * Copyright (c) 2001 Ilmar S. Habibulin
4 * Copyright (c) 2001, 2002, 2003 Networks Associates Technology, Inc.
5 * All rights reserved.
6 *
7 * This software was developed by Robert Watson and Ilmar Habibulin for the
8 * TrustedBSD Project.

--- 26 unchanged lines hidden (view full) ---

35 */
36
37/*
38 * Framework for extensible kernel access control. Kernel and userland
39 * interface to the framework, policy registration and composition.
40 */
41
42#include <sys/cdefs.h>

43__FBSDID("$FreeBSD: head/sys/security/mac/mac_pipe.c 118308 2003-08-01 15:45:14Z rwatson $");

43__FBSDID("$FreeBSD: head/sys/security/mac/mac_pipe.c 119184 2003-08-20 19:16:49Z rwatson $");

44
45#include "opt_mac.h"
46#include "opt_devfs.h"
47
48#include <sys/param.h>
49#include <sys/condvar.h>
50#include <sys/extattr.h>
51#include <sys/imgact.h>

--- 146 unchanged lines hidden (view full) ---

198
199SYSCTL_NODE(_security_mac_debug, OID_AUTO, counters, CTLFLAG_RW, 0,
200 "TrustedBSD MAC object counters");
201
202static unsigned int nmacmbufs, nmaccreds, nmacifnets, nmacbpfdescs,
203 nmacsockets, nmacmounts, nmactemp, nmacvnodes, nmacdevfsdirents,
204 nmacipqs, nmacpipes, nmacprocs;
205

206#define MAC_DEBUG_COUNTER_INC(x) atomic_add_int(x, 1);
207#define MAC_DEBUG_COUNTER_DEC(x) atomic_subtract_int(x, 1);
208

209SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, mbufs, CTLFLAG_RD,
210 &nmacmbufs, 0, "number of mbufs in use");
211SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, creds, CTLFLAG_RD,
212 &nmaccreds, 0, "number of ucreds in use");
213SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, ifnets, CTLFLAG_RD,
214 &nmacifnets, 0, "number of ifnets in use");
215SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, ipqs, CTLFLAG_RD,
216 &nmacipqs, 0, "number of ipqs in use");

--- 8 unchanged lines hidden (view full) ---

225SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, mounts, CTLFLAG_RD,
226 &nmacmounts, 0, "number of mounts in use");
227SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, temp, CTLFLAG_RD,
228 &nmactemp, 0, "number of temporary labels in use");
229SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, vnodes, CTLFLAG_RD,
230 &nmacvnodes, 0, "number of vnodes in use");
231SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, devfsdirents, CTLFLAG_RD,
232 &nmacdevfsdirents, 0, "number of devfs dirents inuse");

233#else
234#define MAC_DEBUG_COUNTER_INC(x)
235#define MAC_DEBUG_COUNTER_DEC(x)

236#endif
237
238static int error_select(int error1, int error2);
239static int mac_policy_register(struct mac_policy_conf *mpc);
240static int mac_policy_unregister(struct mac_policy_conf *mpc);
241
242static void mac_check_vnode_mmap_downgrade(struct ucred *cred,
243 struct vnode *vp, int *prot);

--- 530 unchanged lines hidden (view full) ---

774}
775
776void
777mac_init_bpfdesc(struct bpf_d *bpf_d)
778{
779
780 mac_init_label(&bpf_d->bd_label);
781 MAC_PERFORM(init_bpfdesc_label, &bpf_d->bd_label);

~~776~~#ifdef MAC_DEBUG
~~777~~ atomic_add_int(&nmacbpfdescs, 1);
~~778~~#endif

782 MAC_DEBUG_COUNTER_INC(&nmacbpfdescs);

783}
784
785static void
786mac_init_cred_label(struct label *label)
787{
788
789 mac_init_label(label);
790 MAC_PERFORM(init_cred_label, label);

~~787~~#ifdef MAC_DEBUG
~~788~~ atomic_add_int(&nmaccreds, 1);
~~789~~#endif

791 MAC_DEBUG_COUNTER_INC(&nmaccreds);

792}
793
794void
795mac_init_cred(struct ucred *cred)
796{
797
798 mac_init_cred_label(&cred->cr_label);
799}
800
801void
802mac_init_devfsdirent(struct devfs_dirent *de)
803{
804
805 mac_init_label(&de->de_label);
806 MAC_PERFORM(init_devfsdirent_label, &de->de_label);

~~805~~#ifdef MAC_DEBUG
~~806~~ atomic_add_int(&nmacdevfsdirents, 1);
~~807~~#endif

807 MAC_DEBUG_COUNTER_INC(&nmacdevfsdirents);

808}
809
810static void
811mac_init_ifnet_label(struct label *label)
812{
813
814 mac_init_label(label);
815 MAC_PERFORM(init_ifnet_label, label);

~~816~~#ifdef MAC_DEBUG
~~817~~ atomic_add_int(&nmacifnets, 1);
~~818~~#endif

816 MAC_DEBUG_COUNTER_INC(&nmacifnets);

817}
818
819void
820mac_init_ifnet(struct ifnet *ifp)
821{
822
823 mac_init_ifnet_label(&ifp->if_label);
824}

--- 4 unchanged lines hidden (view full) ---

829 int error;
830
831 mac_init_label(&ipq->ipq_label);
832
833 MAC_CHECK(init_ipq_label, &ipq->ipq_label, flag);
834 if (error) {
835 MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label);
836 mac_destroy_label(&ipq->ipq_label);

837 } else {
838 MAC_DEBUG_COUNTER_INC(&nmacipqs);

839 }

~~840~~#ifdef MAC_DEBUG
~~841~~ if (error == 0)
~~842~~ atomic_add_int(&nmacipqs, 1);
~~843~~#endif

840 return (error);
841}
842
843int
844mac_init_mbuf_tag(struct m_tag *tag, int flag)
845{
846 struct label *label;
847 int error;
848
849 label = (struct label *) (tag + 1);
850 mac_init_label(label);
851
852 MAC_CHECK(init_mbuf_label, label, flag);
853 if (error) {
854 MAC_PERFORM(destroy_mbuf_label, label);
855 mac_destroy_label(label);

856 } else {
857 MAC_DEBUG_COUNTER_INC(&nmacmbufs);

858 }

~~861~~#ifdef MAC_DEBUG
~~862~~ if (error == 0)
~~863~~ atomic_add_int(&nmacmbufs, 1);
~~864~~#endif

859 return (error);
860}
861
862int
863mac_init_mbuf(struct mbuf *m, int flag)
864{
865 struct m_tag *tag;
866 int error;

--- 24 unchanged lines hidden (view full) ---

891void
892mac_init_mount(struct mount *mp)
893{
894
895 mac_init_label(&mp->mnt_mntlabel);
896 mac_init_label(&mp->mnt_fslabel);
897 MAC_PERFORM(init_mount_label, &mp->mnt_mntlabel);
898 MAC_PERFORM(init_mount_fs_label, &mp->mnt_fslabel);

~~905~~#ifdef MAC_DEBUG
~~906~~ atomic_add_int(&nmacmounts, 1);
~~907~~#endif

899 MAC_DEBUG_COUNTER_INC(&nmacmounts);

900}
901
902static void
903mac_init_pipe_label(struct label *label)
904{
905
906 mac_init_label(label);
907 MAC_PERFORM(init_pipe_label, label);

~~916~~#ifdef MAC_DEBUG
~~917~~ atomic_add_int(&nmacpipes, 1);
~~918~~#endif

908 MAC_DEBUG_COUNTER_INC(&nmacpipes);

909}
910
911void
912mac_init_pipe(struct pipe *pipe)
913{
914 struct label *label;
915
916 label = malloc(sizeof(struct label), M_MACPIPELABEL, M_ZERO|M_WAITOK);
917 pipe->pipe_label = label;
918 pipe->pipe_peer->pipe_label = label;
919 mac_init_pipe_label(label);
920}
921
922void
923mac_init_proc(struct proc *p)
924{
925
926 mac_init_label(&p->p_label);
927 MAC_PERFORM(init_proc_label, &p->p_label);

~~938~~#ifdef MAC_DEBUG
~~939~~ atomic_add_int(&nmacprocs, 1);
~~940~~#endif

928 MAC_DEBUG_COUNTER_INC(&nmacprocs);

929}
930
931static int
932mac_init_socket_label(struct label *label, int flag)
933{
934 int error;
935
936 mac_init_label(label);
937
938 MAC_CHECK(init_socket_label, label, flag);
939 if (error) {
940 MAC_PERFORM(destroy_socket_label, label);
941 mac_destroy_label(label);

942 } else {
943 MAC_DEBUG_COUNTER_INC(&nmacsockets);

944 }
945

~~956~~#ifdef MAC_DEBUG
~~957~~ if (error == 0)
~~958~~ atomic_add_int(&nmacsockets, 1);
~~959~~#endif
~~960~~

946 return (error);
947}
948
949static int
950mac_init_socket_peer_label(struct label *label, int flag)
951{
952 int error;
953

--- 25 unchanged lines hidden (view full) ---

979}
980
981void
982mac_init_vnode_label(struct label *label)
983{
984
985 mac_init_label(label);
986 MAC_PERFORM(init_vnode_label, label);

~~1002~~#ifdef MAC_DEBUG
~~1003~~ atomic_add_int(&nmacvnodes, 1);
~~1004~~#endif

987 MAC_DEBUG_COUNTER_INC(&nmacvnodes);

988}
989
990void
991mac_init_vnode(struct vnode *vp)
992{
993
994 mac_init_vnode_label(&vp->v_label);
995}
996
997void
998mac_destroy_bpfdesc(struct bpf_d *bpf_d)
999{
1000
1001 MAC_PERFORM(destroy_bpfdesc_label, &bpf_d->bd_label);
1002 mac_destroy_label(&bpf_d->bd_label);

~~1020~~#ifdef MAC_DEBUG
~~1021~~ atomic_subtract_int(&nmacbpfdescs, 1);
~~1022~~#endif

1003 MAC_DEBUG_COUNTER_DEC(&nmacbpfdescs);

1004}
1005
1006static void
1007mac_destroy_cred_label(struct label *label)
1008{
1009
1010 MAC_PERFORM(destroy_cred_label, label);
1011 mac_destroy_label(label);

~~1031~~#ifdef MAC_DEBUG
~~1032~~ atomic_subtract_int(&nmaccreds, 1);
~~1033~~#endif

1012 MAC_DEBUG_COUNTER_DEC(&nmaccreds);

1013}
1014
1015void
1016mac_destroy_cred(struct ucred *cred)
1017{
1018
1019 mac_destroy_cred_label(&cred->cr_label);
1020}
1021
1022void
1023mac_destroy_devfsdirent(struct devfs_dirent *de)
1024{
1025
1026 MAC_PERFORM(destroy_devfsdirent_label, &de->de_label);
1027 mac_destroy_label(&de->de_label);

~~1049~~#ifdef MAC_DEBUG
~~1050~~ atomic_subtract_int(&nmacdevfsdirents, 1);
~~1051~~#endif

1028 MAC_DEBUG_COUNTER_DEC(&nmacdevfsdirents);

1029}
1030
1031static void
1032mac_destroy_ifnet_label(struct label *label)
1033{
1034
1035 MAC_PERFORM(destroy_ifnet_label, label);
1036 mac_destroy_label(label);

~~1060~~#ifdef MAC_DEBUG
~~1061~~ atomic_subtract_int(&nmacifnets, 1);
~~1062~~#endif

1037 MAC_DEBUG_COUNTER_DEC(&nmacifnets);

1038}
1039
1040void
1041mac_destroy_ifnet(struct ifnet *ifp)
1042{
1043
1044 mac_destroy_ifnet_label(&ifp->if_label);
1045}
1046
1047void
1048mac_destroy_ipq(struct ipq *ipq)
1049{
1050
1051 MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label);
1052 mac_destroy_label(&ipq->ipq_label);

~~1078~~#ifdef MAC_DEBUG
~~1079~~ atomic_subtract_int(&nmacipqs, 1);
~~1080~~#endif

1053 MAC_DEBUG_COUNTER_DEC(&nmacipqs);

1054}
1055
1056void
1057mac_destroy_mbuf_tag(struct m_tag *tag)
1058{
1059 struct label *label;
1060
1061 label = (struct label *)(tag+1);
1062
1063 MAC_PERFORM(destroy_mbuf_label, label);
1064 mac_destroy_label(label);

~~1092~~#ifdef MAC_DEBUG
~~1093~~ atomic_subtract_int(&nmacmbufs, 1);
~~1094~~#endif

1065 MAC_DEBUG_COUNTER_DEC(&nmacmbufs);

1066}
1067
1068void
1069mac_destroy_mount(struct mount *mp)
1070{
1071
1072 MAC_PERFORM(destroy_mount_label, &mp->mnt_mntlabel);
1073 MAC_PERFORM(destroy_mount_fs_label, &mp->mnt_fslabel);
1074 mac_destroy_label(&mp->mnt_fslabel);
1075 mac_destroy_label(&mp->mnt_mntlabel);

~~1105~~#ifdef MAC_DEBUG
~~1106~~ atomic_subtract_int(&nmacmounts, 1);
~~1107~~#endif

1076 MAC_DEBUG_COUNTER_DEC(&nmacmounts);

1077}
1078
1079static void
1080mac_destroy_pipe_label(struct label *label)
1081{
1082
1083 MAC_PERFORM(destroy_pipe_label, label);
1084 mac_destroy_label(label);

~~1116~~#ifdef MAC_DEBUG
~~1117~~ atomic_subtract_int(&nmacpipes, 1);
~~1118~~#endif

1085 MAC_DEBUG_COUNTER_DEC(&nmacpipes);

1086}
1087
1088void
1089mac_destroy_pipe(struct pipe *pipe)
1090{
1091
1092 mac_destroy_pipe_label(pipe->pipe_label);
1093 free(pipe->pipe_label, M_MACPIPELABEL);
1094}
1095
1096void
1097mac_destroy_proc(struct proc *p)
1098{
1099
1100 MAC_PERFORM(destroy_proc_label, &p->p_label);
1101 mac_destroy_label(&p->p_label);

~~1135~~#ifdef MAC_DEBUG
~~1136~~ atomic_subtract_int(&nmacprocs, 1);
~~1137~~#endif

1102 MAC_DEBUG_COUNTER_DEC(&nmacprocs);

1103}
1104
1105static void
1106mac_destroy_socket_label(struct label *label)
1107{
1108
1109 MAC_PERFORM(destroy_socket_label, label);
1110 mac_destroy_label(label);

~~1146~~#ifdef MAC_DEBUG
~~1147~~ atomic_subtract_int(&nmacsockets, 1);
~~1148~~#endif

1111 MAC_DEBUG_COUNTER_DEC(&nmacsockets);

1112}
1113
1114static void
1115mac_destroy_socket_peer_label(struct label *label)
1116{
1117
1118 MAC_PERFORM(destroy_socket_peer_label, label);
1119 mac_destroy_label(label);

--- 8 unchanged lines hidden (view full) ---

1128}
1129
1130void
1131mac_destroy_vnode_label(struct label *label)
1132{
1133
1134 MAC_PERFORM(destroy_vnode_label, label);
1135 mac_destroy_label(label);

~~1173~~#ifdef MAC_DEBUG
~~1174~~ atomic_subtract_int(&nmacvnodes, 1);
~~1175~~#endif

1136 MAC_DEBUG_COUNTER_DEC(&nmacvnodes);

1137}
1138
1139void
1140mac_destroy_vnode(struct vnode *vp)
1141{
1142
1143 mac_destroy_vnode_label(&vp->v_label);
1144}

--- 2762 unchanged lines hidden ---