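/*
 * Remainder of the policy operations vector.  The opening of this struct
 * (its first members) lies above this excerpt; everything below through
 * the closing "};" belongs to it.  Every member is a function pointer a
 * policy module may supply.  The framework does not take these pointers
 * from the module directly: MAC_POLICY_SET() (bottom of this file) sets
 * mpc_ops to NULL and hands over an mpc_entries table keyed by
 * enum mac_op_constant, through a type-erased macop_t (const void *), so
 * a hook's signature is never checked by the compiler.  A hook must
 * therefore match the prototype given here exactly.
 */
	/* Label init/destroy pairs, one per labelled object type. */
	void	(*mpo_init_pipe_label)(struct label *label);
	void	(*mpo_init_temp_label)(struct label *label);
	void	(*mpo_init_vnode_label)(struct label *label);
	void	(*mpo_destroy_bpfdesc_label)(struct label *label);
	void	(*mpo_destroy_cred_label)(struct label *label);
	void	(*mpo_destroy_devfsdirent_label)(struct label *label);
	void	(*mpo_destroy_ifnet_label)(struct label *label);
	void	(*mpo_destroy_ipq_label)(struct label *label);
	void	(*mpo_destroy_mbuf_label)(struct label *label);
	void	(*mpo_destroy_mount_label)(struct label *label);
	void	(*mpo_destroy_mount_fs_label)(struct label *label);
	void	(*mpo_destroy_socket_label)(struct label *label);
	void	(*mpo_destroy_socket_peer_label)(struct label *label);
	void	(*mpo_destroy_pipe_label)(struct label *label);
	void	(*mpo_destroy_temp_label)(struct label *label);
	void	(*mpo_destroy_vnode_label)(struct label *label);

	/*
	 * Conversion between the in-kernel struct label and struct mac
	 * (presumably the externally visible representation; the struct
	 * itself is not defined here).  Both return an int, so a policy can
	 * reject a malformed or over-privileged external label.
	 */
	int	(*mpo_externalize)(struct label *label, struct mac *extmac);
	int	(*mpo_internalize)(struct label *label, struct mac *extmac);

	/*
	 * Labeling event operations: file system objects, and things that
	 * look a lot like file system objects (devfs entries, mounts).
	 * These hooks return void: they assign labels, they do not refuse.
	 */
	void	(*mpo_create_devfs_device)(dev_t dev, struct devfs_dirent *de,
		    struct label *label);
	/* dirname is NOT NUL-terminated by contract; dirnamelen bounds it. */
	void	(*mpo_create_devfs_directory)(char *dirname, int dirnamelen,
		    struct devfs_dirent *de, struct label *label);
	void	(*mpo_create_devfs_symlink)(struct ucred *cred,
		    struct devfs_dirent *dd, struct label *ddlabel,
		    struct devfs_dirent *de, struct label *delabel);
	void	(*mpo_create_devfs_vnode)(struct devfs_dirent *de,
		    struct label *direntlabel, struct vnode *vp,
		    struct label *vnodelabel);
	void	(*mpo_create_vnode)(struct ucred *cred, struct vnode *parent,
		    struct label *parentlabel, struct vnode *child,
		    struct label *childlabel);
	void	(*mpo_create_mount)(struct ucred *cred, struct mount *mp,
		    struct label *mntlabel, struct label *fslabel);
	void	(*mpo_create_root_mount)(struct ucred *cred, struct mount *mp,
		    struct label *mountlabel, struct label *fslabel);
	void	(*mpo_relabel_vnode)(struct ucred *cred, struct vnode *vp,
		    struct label *vnodelabel, struct label *label);
	/* The three int-returning hooks here can report failure to the caller. */
	int	(*mpo_stdcreatevnode_ea)(struct vnode *vp,
		    struct label *vnodelabel);
	void	(*mpo_update_devfsdirent)(struct devfs_dirent *devfs_dirent,
		    struct label *direntlabel, struct vnode *vp,
		    struct label *vnodelabel);
	void	(*mpo_update_procfsvnode)(struct vnode *vp,
		    struct label *vnodelabel, struct ucred *cred);
	int	(*mpo_update_vnode_from_extattr)(struct vnode *vp,
		    struct label *vnodelabel, struct mount *mp,
		    struct label *fslabel);
	int	(*mpo_update_vnode_from_externalized)(struct vnode *vp,
		    struct label *vnodelabel, struct mac *mac);
	void	(*mpo_update_vnode_from_mount)(struct vnode *vp,
		    struct label *vnodelabel, struct mount *mp,
		    struct label *fslabel);

	/*
	 * Labeling event operations: IPC objects (sockets, pipes, and the
	 * mbufs that originate from a socket).
	 */
	void	(*mpo_create_mbuf_from_socket)(struct socket *so,
		    struct label *socketlabel, struct mbuf *m,
		    struct label *mbuflabel);
	void	(*mpo_create_socket)(struct ucred *cred, struct socket *so,
		    struct label *socketlabel);
	void	(*mpo_create_socket_from_socket)(struct socket *oldsocket,
		    struct label *oldsocketlabel, struct socket *newsocket,
		    struct label *newsocketlabel);
	void	(*mpo_relabel_socket)(struct ucred *cred, struct socket *so,
		    struct label *oldlabel, struct label *newlabel);
	void	(*mpo_relabel_pipe)(struct ucred *cred, struct pipe *pipe,
		    struct label *oldlabel, struct label *newlabel);
	void	(*mpo_set_socket_peer_from_mbuf)(struct mbuf *mbuf,
		    struct label *mbuflabel, struct socket *so,
		    struct label *socketpeerlabel);
	void	(*mpo_set_socket_peer_from_socket)(struct socket *oldsocket,
		    struct label *oldsocketlabel, struct socket *newsocket,
		    struct label *newsocketpeerlabel);
	void	(*mpo_create_pipe)(struct ucred *cred, struct pipe *pipe,
		    struct label *pipelabel);

	/*
	 * Labeling event operations: network objects (BPF descriptors,
	 * interfaces, IP reassembly queues and mbufs derived from them).
	 */
	void	(*mpo_create_bpfdesc)(struct ucred *cred, struct bpf_d *bpf_d,
		    struct label *bpflabel);
	void	(*mpo_create_ifnet)(struct ifnet *ifnet,
		    struct label *ifnetlabel);
	void	(*mpo_create_ipq)(struct mbuf *fragment,
		    struct label *fragmentlabel, struct ipq *ipq,
		    struct label *ipqlabel);
	void	(*mpo_create_datagram_from_ipq)(struct ipq *ipq,
		    struct label *ipqlabel, struct mbuf *datagram,
		    struct label *datagramlabel);
	void	(*mpo_create_fragment)(struct mbuf *datagram,
		    struct label *datagramlabel, struct mbuf *fragment,
		    struct label *fragmentlabel);
	void	(*mpo_create_mbuf_from_mbuf)(struct mbuf *oldmbuf,
		    struct label *oldlabel, struct mbuf *newmbuf,
		    struct label *newlabel);
	void	(*mpo_create_mbuf_linklayer)(struct ifnet *ifnet,
		    struct label *ifnetlabel, struct mbuf *mbuf,
		    struct label *mbuflabel);
	void	(*mpo_create_mbuf_from_bpfdesc)(struct bpf_d *bpf_d,
		    struct label *bpflabel, struct mbuf *mbuf,
		    struct label *mbuflabel);
	void	(*mpo_create_mbuf_from_ifnet)(struct ifnet *ifnet,
		    struct label *ifnetlabel, struct mbuf *mbuf,
		    struct label *mbuflabel);
	void	(*mpo_create_mbuf_multicast_encap)(struct mbuf *oldmbuf,
		    struct label *oldmbuflabel, struct ifnet *ifnet,
		    struct label *ifnetlabel, struct mbuf *newmbuf,
		    struct label *newmbuflabel);
	void	(*mpo_create_mbuf_netlayer)(struct mbuf *oldmbuf,
		    struct label *oldmbuflabel, struct mbuf *newmbuf,
		    struct label *newmbuflabel);
	/*
	 * Unlike the other network hooks this one returns int: the policy
	 * decides whether a fragment may join a reassembly queue.
	 */
	int	(*mpo_fragment_match)(struct mbuf *fragment,
		    struct label *fragmentlabel, struct ipq *ipq,
		    struct label *ipqlabel);
	void	(*mpo_relabel_ifnet)(struct ucred *cred, struct ifnet *ifnet,
		    struct label *ifnetlabel, struct label *newlabel);
	void	(*mpo_update_ipq)(struct mbuf *fragment,
		    struct label *fragmentlabel, struct ipq *ipq,
		    struct label *ipqlabel);

	/*
	 * Labeling event operations: processes.  Credential labels live
	 * inside struct ucred, which is why these take no separate
	 * struct label for the cred.
	 */
	void	(*mpo_create_cred)(struct ucred *parent_cred,
		    struct ucred *child_cred);
	/*
	 * execve: _will_transition is the int-returning query; _transition
	 * performs the label change on the new credential.
	 */
	void	(*mpo_execve_transition)(struct ucred *old, struct ucred *new,
		    struct vnode *vp, struct label *vnodelabel);
	int	(*mpo_execve_will_transition)(struct ucred *old,
		    struct vnode *vp, struct label *vnodelabel);
	void	(*mpo_create_proc0)(struct ucred *cred);
	void	(*mpo_create_proc1)(struct ucred *cred);
	void	(*mpo_relabel_cred)(struct ucred *cred,
		    struct label *newlabel);
	void	(*mpo_thread_userret)(struct thread *thread);

	/*
	 * Access control checks.  Every hook in this section returns int,
	 * with the exception of mpo_check_vnode_mmap_perms, which returns a
	 * vm_prot_t (a permission set, not an error code) -- a policy must
	 * not treat that one like the errno-style checks.
	 */
	int	(*mpo_check_bpfdesc_receive)(struct bpf_d *bpf_d,
		    struct label *bpflabel, struct ifnet *ifnet,
		    struct label *ifnetlabel);
	int	(*mpo_check_cred_relabel)(struct ucred *cred,
		    struct label *newlabel);
	int	(*mpo_check_cred_visible)(struct ucred *u1, struct ucred *u2);
	int	(*mpo_check_ifnet_relabel)(struct ucred *cred,
		    struct ifnet *ifnet, struct label *ifnetlabel,
		    struct label *newlabel);
	int	(*mpo_check_ifnet_transmit)(struct ifnet *ifnet,
		    struct label *ifnetlabel, struct mbuf *m,
		    struct label *mbuflabel);
	int	(*mpo_check_mount_stat)(struct ucred *cred, struct mount *mp,
		    struct label *mntlabel);
	/*
	 * NOTE(review): nothing here says whether `data` has already been
	 * copied in from user space or is still a user pointer; a policy
	 * that wants to inspect it must confirm the caller's contract
	 * before dereferencing.
	 */
	int	(*mpo_check_pipe_ioctl)(struct ucred *cred, struct pipe *pipe,
		    struct label *pipelabel, unsigned long cmd, void *data);
	int	(*mpo_check_pipe_poll)(struct ucred *cred, struct pipe *pipe,
		    struct label *pipelabel);
	int	(*mpo_check_pipe_read)(struct ucred *cred, struct pipe *pipe,
		    struct label *pipelabel);
	int	(*mpo_check_pipe_relabel)(struct ucred *cred,
		    struct pipe *pipe, struct label *pipelabel,
		    struct label *newlabel);
	int	(*mpo_check_pipe_stat)(struct ucred *cred, struct pipe *pipe,
		    struct label *pipelabel);
	int	(*mpo_check_pipe_write)(struct ucred *cred, struct pipe *pipe,
		    struct label *pipelabel);
	int	(*mpo_check_proc_debug)(struct ucred *cred,
		    struct proc *proc);
	int	(*mpo_check_proc_sched)(struct ucred *cred,
		    struct proc *proc);
	int	(*mpo_check_proc_signal)(struct ucred *cred,
		    struct proc *proc, int signum);
	int	(*mpo_check_socket_bind)(struct ucred *cred,
		    struct socket *so, struct label *socketlabel,
		    struct sockaddr *sockaddr);
	int	(*mpo_check_socket_connect)(struct ucred *cred,
		    struct socket *so, struct label *socketlabel,
		    struct sockaddr *sockaddr);
	/* No cred: inbound delivery is decided on socket and mbuf labels alone. */
	int	(*mpo_check_socket_deliver)(struct socket *so,
		    struct label *socketlabel, struct mbuf *m,
		    struct label *mbuflabel);
	int	(*mpo_check_socket_listen)(struct ucred *cred,
		    struct socket *so, struct label *socketlabel);
	int	(*mpo_check_socket_relabel)(struct ucred *cred,
		    struct socket *so, struct label *socketlabel,
		    struct label *newlabel);
	int	(*mpo_check_socket_visible)(struct ucred *cred,
		    struct socket *so, struct label *socketlabel);
	/*
	 * Note the mode argument is an int here but a mode_t in
	 * mpo_check_vnode_open below; policies comparing the two must
	 * mind the type.
	 */
	int	(*mpo_check_vnode_access)(struct ucred *cred,
		    struct vnode *vp, struct label *label, int flags);
	int	(*mpo_check_vnode_chdir)(struct ucred *cred,
		    struct vnode *dvp, struct label *dlabel);
	int	(*mpo_check_vnode_chroot)(struct ucred *cred,
		    struct vnode *dvp, struct label *dlabel);
	int	(*mpo_check_vnode_create)(struct ucred *cred,
		    struct vnode *dvp, struct label *dlabel,
		    struct componentname *cnp, struct vattr *vap);
	/*
	 * Fix: the target vnode's label was declared `void *label`, unlike
	 * every sibling hook, which takes `struct label *`.  Because hooks
	 * are installed through the type-erased mpc_entries table the
	 * compiler never flagged the mismatch; a policy implementing this
	 * hook with the natural `struct label *` signature now matches.
	 */
	int	(*mpo_check_vnode_delete)(struct ucred *cred,
		    struct vnode *dvp, struct label *dlabel,
		    struct vnode *vp, struct label *label,
		    struct componentname *cnp);
	int	(*mpo_check_vnode_deleteacl)(struct ucred *cred,
		    struct vnode *vp, struct label *label, acl_type_t type);
	int	(*mpo_check_vnode_exec)(struct ucred *cred, struct vnode *vp,
		    struct label *label);
	int	(*mpo_check_vnode_getacl)(struct ucred *cred,
		    struct vnode *vp, struct label *label, acl_type_t type);
	int	(*mpo_check_vnode_getextattr)(struct ucred *cred,
		    struct vnode *vp, struct label *label, int attrnamespace,
		    const char *name, struct uio *uio);
	int	(*mpo_check_vnode_link)(struct ucred *cred, struct vnode *dvp,
		    struct label *dlabel, struct vnode *vp,
		    struct label *label, struct componentname *cnp);
	int	(*mpo_check_vnode_lookup)(struct ucred *cred,
		    struct vnode *dvp, struct label *dlabel,
		    struct componentname *cnp);
	/* Returns a vm_prot_t permission set, not an errno (see above). */
	vm_prot_t (*mpo_check_vnode_mmap_perms)(struct ucred *cred,
		    struct vnode *vp, struct label *label, int newmapping);
	int	(*mpo_check_vnode_open)(struct ucred *cred, struct vnode *vp,
		    struct label *label, mode_t acc_mode);
	/*
	 * poll/read/stat/write receive two credentials, active_cred and
	 * file_cred -- presumably the calling thread's and the one the
	 * file was opened with; which one a policy checks against is a
	 * deliberate choice, not an accident.
	 */
	int	(*mpo_check_vnode_poll)(struct ucred *active_cred,
		    struct ucred *file_cred, struct vnode *vp,
		    struct label *label);
	int	(*mpo_check_vnode_read)(struct ucred *active_cred,
		    struct ucred *file_cred, struct vnode *vp,
		    struct label *label);
	int	(*mpo_check_vnode_readdir)(struct ucred *cred,
		    struct vnode *dvp, struct label *dlabel);
	int	(*mpo_check_vnode_readlink)(struct ucred *cred,
		    struct vnode *vp, struct label *label);
	int	(*mpo_check_vnode_relabel)(struct ucred *cred,
		    struct vnode *vp, struct label *vnodelabel,
		    struct label *newlabel);
	int	(*mpo_check_vnode_rename_from)(struct ucred *cred,
		    struct vnode *dvp, struct label *dlabel, struct vnode *vp,
		    struct label *label, struct componentname *cnp);
	/* samedir: rename within one directory; vp may be the existing target. */
	int	(*mpo_check_vnode_rename_to)(struct ucred *cred,
		    struct vnode *dvp, struct label *dlabel, struct vnode *vp,
		    struct label *label, int samedir,
		    struct componentname *cnp);
	int	(*mpo_check_vnode_revoke)(struct ucred *cred,
		    struct vnode *vp, struct label *label);
	int	(*mpo_check_vnode_setacl)(struct ucred *cred,
		    struct vnode *vp, struct label *label, acl_type_t type,
		    struct acl *acl);
	int	(*mpo_check_vnode_setextattr)(struct ucred *cred,
		    struct vnode *vp, struct label *label, int attrnamespace,
		    const char *name, struct uio *uio);
	int	(*mpo_check_vnode_setflags)(struct ucred *cred,
		    struct vnode *vp, struct label *label, u_long flags);
	int	(*mpo_check_vnode_setmode)(struct ucred *cred,
		    struct vnode *vp, struct label *label, mode_t mode);
	int	(*mpo_check_vnode_setowner)(struct ucred *cred,
		    struct vnode *vp, struct label *label, uid_t uid,
		    gid_t gid);
	/* Both timespecs are passed by value. */
	int	(*mpo_check_vnode_setutimes)(struct ucred *cred,
		    struct vnode *vp, struct label *label,
		    struct timespec atime, struct timespec mtime);
	int	(*mpo_check_vnode_stat)(struct ucred *active_cred,
		    struct ucred *file_cred, struct vnode *vp,
		    struct label *label);
	int	(*mpo_check_vnode_write)(struct ucred *active_cred,
		    struct ucred *file_cred, struct vnode *vp,
		    struct label *label);
};

/*
 * Type-erased hook pointer.  A function pointer is stored as const void *,
 * which is not strictly portable ISO C and, more importantly, discards the
 * hook's signature: nothing checks that the function a module registers
 * under a given mac_op_constant has the matching mpo_ prototype.
 */
typedef const void *macop_t;

/*
 * One constant per operation in struct mac_policy_ops; a module's
 * mpc_entries table pairs these with its hook functions.  The numeric
 * values are therefore part of the module interface: do not reorder or
 * insert, only append.  MAC_OP_LAST is listed first so it is 0; its
 * name suggests it terminates an mpc_entries table (confirm in the
 * framework).  MAC_DESTROY, MAC_INIT and MAC_SYSCALL correspond to
 * members that are above this excerpt.
 */
enum mac_op_constant {
	MAC_OP_LAST,
	MAC_DESTROY,
	MAC_INIT,
	MAC_SYSCALL,

	/* Label init/destroy. */
	MAC_INIT_BPFDESC_LABEL,
	MAC_INIT_CRED_LABEL,
	MAC_INIT_DEVFSDIRENT_LABEL,
	MAC_INIT_IFNET_LABEL,
	MAC_INIT_IPQ_LABEL,
	MAC_INIT_MBUF_LABEL,
	MAC_INIT_MOUNT_LABEL,
	MAC_INIT_MOUNT_FS_LABEL,
	MAC_INIT_PIPE_LABEL,
	MAC_INIT_SOCKET_LABEL,
	MAC_INIT_SOCKET_PEER_LABEL,
	MAC_INIT_TEMP_LABEL,
	MAC_INIT_VNODE_LABEL,
	MAC_DESTROY_BPFDESC_LABEL,
	MAC_DESTROY_CRED_LABEL,
	MAC_DESTROY_DEVFSDIRENT_LABEL,
	MAC_DESTROY_IFNET_LABEL,
	MAC_DESTROY_IPQ_LABEL,
	MAC_DESTROY_MBUF_LABEL,
	MAC_DESTROY_MOUNT_LABEL,
	MAC_DESTROY_MOUNT_FS_LABEL,
	MAC_DESTROY_PIPE_LABEL,
	MAC_DESTROY_SOCKET_LABEL,
	MAC_DESTROY_SOCKET_PEER_LABEL,
	MAC_DESTROY_TEMP_LABEL,
	MAC_DESTROY_VNODE_LABEL,

	/* Label conversion. */
	MAC_EXTERNALIZE,
	MAC_INTERNALIZE,

	/* Labeling events: file system objects. */
	MAC_CREATE_DEVFS_DEVICE,
	MAC_CREATE_DEVFS_DIRECTORY,
	MAC_CREATE_DEVFS_SYMLINK,
	MAC_CREATE_DEVFS_VNODE,
	MAC_CREATE_VNODE,
	MAC_CREATE_MOUNT,
	MAC_CREATE_ROOT_MOUNT,
	MAC_RELABEL_VNODE,
	MAC_STDCREATEVNODE_EA,
	MAC_UPDATE_DEVFSDIRENT,
	MAC_UPDATE_PROCFSVNODE,
	MAC_UPDATE_VNODE_FROM_EXTATTR,
	MAC_UPDATE_VNODE_FROM_EXTERNALIZED,
	MAC_UPDATE_VNODE_FROM_MOUNT,

	/* Labeling events: IPC objects (order differs from the struct; harmless). */
	MAC_CREATE_MBUF_FROM_SOCKET,
	MAC_CREATE_PIPE,
	MAC_CREATE_SOCKET,
	MAC_CREATE_SOCKET_FROM_SOCKET,
	MAC_RELABEL_PIPE,
	MAC_RELABEL_SOCKET,
	MAC_SET_SOCKET_PEER_FROM_MBUF,
	MAC_SET_SOCKET_PEER_FROM_SOCKET,

	/* Labeling events: network objects. */
	MAC_CREATE_BPFDESC,
	MAC_CREATE_DATAGRAM_FROM_IPQ,
	MAC_CREATE_IFNET,
	MAC_CREATE_IPQ,
	MAC_CREATE_FRAGMENT,
	MAC_CREATE_MBUF_FROM_MBUF,
	MAC_CREATE_MBUF_LINKLAYER,
	MAC_CREATE_MBUF_FROM_BPFDESC,
	MAC_CREATE_MBUF_FROM_IFNET,
	MAC_CREATE_MBUF_MULTICAST_ENCAP,
	MAC_CREATE_MBUF_NETLAYER,
	MAC_FRAGMENT_MATCH,
	MAC_RELABEL_IFNET,
	MAC_UPDATE_IPQ,

	/* Labeling events: processes. */
	MAC_CREATE_CRED,
	MAC_EXECVE_TRANSITION,
	MAC_EXECVE_WILL_TRANSITION,
	MAC_CREATE_PROC0,
	MAC_CREATE_PROC1,
	MAC_RELABEL_CRED,
	MAC_THREAD_USERRET,

	/* Access control checks. */
	MAC_CHECK_BPFDESC_RECEIVE,
	MAC_CHECK_CRED_RELABEL,
	MAC_CHECK_CRED_VISIBLE,
	MAC_CHECK_IFNET_RELABEL,
	MAC_CHECK_IFNET_TRANSMIT,
	MAC_CHECK_MOUNT_STAT,
	MAC_CHECK_PIPE_IOCTL,
	MAC_CHECK_PIPE_POLL,
	MAC_CHECK_PIPE_READ,
	MAC_CHECK_PIPE_RELABEL,
	MAC_CHECK_PIPE_STAT,
	MAC_CHECK_PIPE_WRITE,
	MAC_CHECK_PROC_DEBUG,
	MAC_CHECK_PROC_SCHED,
	MAC_CHECK_PROC_SIGNAL,
	MAC_CHECK_SOCKET_BIND,
	MAC_CHECK_SOCKET_CONNECT,
	MAC_CHECK_SOCKET_DELIVER,
	MAC_CHECK_SOCKET_LISTEN,
	MAC_CHECK_SOCKET_RELABEL,
	MAC_CHECK_SOCKET_VISIBLE,
	MAC_CHECK_VNODE_ACCESS,
	MAC_CHECK_VNODE_CHDIR,
	MAC_CHECK_VNODE_CHROOT,
	MAC_CHECK_VNODE_CREATE,
	MAC_CHECK_VNODE_DELETE,
	MAC_CHECK_VNODE_DELETEACL,
	MAC_CHECK_VNODE_EXEC,
	MAC_CHECK_VNODE_GETACL,
	MAC_CHECK_VNODE_GETEXTATTR,
	MAC_CHECK_VNODE_LINK,
	MAC_CHECK_VNODE_LOOKUP,
	MAC_CHECK_VNODE_MMAP_PERMS,
	MAC_CHECK_VNODE_OPEN,
	MAC_CHECK_VNODE_POLL,
	MAC_CHECK_VNODE_READ,
	MAC_CHECK_VNODE_READDIR,
	MAC_CHECK_VNODE_READLINK,
	MAC_CHECK_VNODE_RELABEL,
	MAC_CHECK_VNODE_RENAME_FROM,
	MAC_CHECK_VNODE_RENAME_TO,
	MAC_CHECK_VNODE_REVOKE,
	MAC_CHECK_VNODE_SETACL,
	MAC_CHECK_VNODE_SETEXTATTR,
	MAC_CHECK_VNODE_SETFLAGS,
	MAC_CHECK_VNODE_SETMODE,
	MAC_CHECK_VNODE_SETOWNER,
	MAC_CHECK_VNODE_SETUTIMES,
	MAC_CHECK_VNODE_STAT,
	MAC_CHECK_VNODE_WRITE,
};

/*
 * One row of a module's hook table: which operation, and the function
 * implementing it.  mpe_function is untyped (see macop_t), so the only
 * guard against registering a function with the wrong prototype is the
 * author matching it against struct mac_policy_ops by hand.
 */
struct mac_policy_op_entry {
	enum mac_op_constant	mpe_constant;	/* what this hook implements */
	macop_t			mpe_function;	/* hook's implementation */
};

/*
 * Per-policy registration record.  Modules build one with MAC_POLICY_SET;
 * the framework owns mpc_ops, mpc_runtime_flags and mpc_list afterwards.
 *
 * NOTE(review): mpc_name and mpc_fullname are initialised from string
 * literals by MAC_POLICY_SET, so writing through these char * pointers
 * would be undefined behaviour; they should really be const char *.
 * Left unchanged here because callers that read them into char * are
 * outside this excerpt.
 */
struct mac_policy_conf {
	char			*mpc_name;	/* policy name */
	char			*mpc_fullname;	/* policy full name */
	struct mac_policy_ops	*mpc_ops;	/* policy operations (framework fills in) */
	struct mac_policy_op_entry *mpc_entries; /* ops to fill in */
	int			mpc_loadtime_flags;	/* MPC_LOADTIME_FLAG_* */
	int			*mpc_field_off;	/* security field; see MAC_POLICY_SET */
	int			mpc_runtime_flags;	/* MPC_RUNTIME_FLAG_*, framework-owned */
	LIST_ENTRY(mac_policy_conf) mpc_list;	/* global list */
};

/*
 * Flags for the mpc_loadtime_flags field, set by the module.  Their
 * enforcement lives in the framework (mac_policy_modevent and the
 * registration path), not here; the names indicate "must not be loaded
 * late in boot" and "may be unloaded" respectively.
 */
#define	MPC_LOADTIME_FLAG_NOTLATE	0x00000001
#define	MPC_LOADTIME_FLAG_UNLOADOK	0x00000002

/* Flags for the mpc_runtime_flags field, maintained by the framework. */
#define	MPC_RUNTIME_FLAG_REGISTERED	0x00000001

/*
 * Declare a MAC policy module.
 *
 * mpents          - the module's struct mac_policy_op_entry table
 * mpname          - C identifier; also stringised for mpc_name and
 *                   the module name
 * mpfullname      - human-readable name (mpc_fullname)
 * mpflags         - MPC_LOADTIME_FLAG_* bits
 * privdata_wanted - stored in mpc_field_off; the name suggests it
 *                   points at an int receiving the policy's label-slot
 *                   offset, or is NULL when no per-object private data
 *                   is wanted -- confirm against the registration code
 *
 * The initialiser is positional and must track the field order of
 * struct mac_policy_conf: name, fullname, ops (NULL until registered),
 * entries, loadtime flags, field offset, runtime flags.  mpc_list is
 * left zero-initialised.  The module depends on kernel_mac_support and
 * is wired to mac_policy_modevent for load/unload events.
 */
#define	MAC_POLICY_SET(mpents, mpname, mpfullname, mpflags, privdata_wanted) \
	static struct mac_policy_conf mpname##_mac_policy_conf = {	\
		#mpname,						\
		mpfullname,						\
		NULL,							\
		mpents,							\
		mpflags,						\
		privdata_wanted,					\
		0,							\
	};								\
	static moduledata_t mpname##_mod = {				\
		#mpname,						\
		mac_policy_modevent,					\
		&mpname##_mac_policy_conf				\
	};								\
	MODULE_DEPEND(mpname, kernel_mac_support, 1, 1, 1);		\
	DECLARE_MODULE(mpname, mpname##_mod, SI_SUB_MAC_POLICY,		\
	    SI_ORDER_MIDDLE)

/* Module event handler shared by every policy; data is the mac_policy_conf. */
int	mac_policy_modevent(module_t mod, int type, void *data);

/*
 * Per-policy slot in a label.  Arguments and the whole expansion are
 * parenthesised so that an expression slot index or a use inside a
 * larger expression cannot change the grouping.
 */
#define	LABEL_TO_SLOT(l, s)	((l)->l_perpolicy[(s)])

#endif /* !_SYS_MAC_POLICY_H */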