1/*- 2 * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson 3 * Copyright (c) 2001 Ilmar S. Habibulin 4 * Copyright (c) 2001, 2002, 2003 Networks Associates Technology, Inc. 5 * All rights reserved. 6 * 7 * This software was developed by Robert Watson and Ilmar Habibulin for the 8 * TrustedBSD Project. --- 26 unchanged lines hidden (view full) --- 35 */ 36 37/* 38 * Framework for extensible kernel access control. Kernel and userland 39 * interface to the framework, policy registration and composition. 40 */ 41 42#include <sys/cdefs.h> |
43__FBSDID("$FreeBSD: head/sys/security/mac/mac_syscalls.c 119184 2003-08-20 19:16:49Z rwatson $"); |
44 45#include "opt_mac.h" 46#include "opt_devfs.h" 47 48#include <sys/param.h> 49#include <sys/condvar.h> 50#include <sys/extattr.h> 51#include <sys/imgact.h> --- 146 unchanged lines hidden (view full) --- 198 199SYSCTL_NODE(_security_mac_debug, OID_AUTO, counters, CTLFLAG_RW, 0, 200 "TrustedBSD MAC object counters"); 201 202static unsigned int nmacmbufs, nmaccreds, nmacifnets, nmacbpfdescs, 203 nmacsockets, nmacmounts, nmactemp, nmacvnodes, nmacdevfsdirents, 204 nmacipqs, nmacpipes, nmacprocs; 205 |
206#define MAC_DEBUG_COUNTER_INC(x) atomic_add_int(x, 1); 207#define MAC_DEBUG_COUNTER_DEC(x) atomic_subtract_int(x, 1); 208 |
209SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, mbufs, CTLFLAG_RD, 210 &nmacmbufs, 0, "number of mbufs in use"); 211SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, creds, CTLFLAG_RD, 212 &nmaccreds, 0, "number of ucreds in use"); 213SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, ifnets, CTLFLAG_RD, 214 &nmacifnets, 0, "number of ifnets in use"); 215SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, ipqs, CTLFLAG_RD, 216 &nmacipqs, 0, "number of ipqs in use"); --- 8 unchanged lines hidden (view full) --- 225SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, mounts, CTLFLAG_RD, 226 &nmacmounts, 0, "number of mounts in use"); 227SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, temp, CTLFLAG_RD, 228 &nmactemp, 0, "number of temporary labels in use"); 229SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, vnodes, CTLFLAG_RD, 230 &nmacvnodes, 0, "number of vnodes in use"); 231SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, devfsdirents, CTLFLAG_RD, 232 &nmacdevfsdirents, 0, "number of devfs dirents inuse"); |
233#else 234#define MAC_DEBUG_COUNTER_INC(x) 235#define MAC_DEBUG_COUNTER_DEC(x) |
236#endif 237 238static int error_select(int error1, int error2); 239static int mac_policy_register(struct mac_policy_conf *mpc); 240static int mac_policy_unregister(struct mac_policy_conf *mpc); 241 242static void mac_check_vnode_mmap_downgrade(struct ucred *cred, 243 struct vnode *vp, int *prot); --- 530 unchanged lines hidden (view full) --- 774} 775 776void 777mac_init_bpfdesc(struct bpf_d *bpf_d) 778{ 779 780 mac_init_label(&bpf_d->bd_label); 781 MAC_PERFORM(init_bpfdesc_label, &bpf_d->bd_label); |
782 MAC_DEBUG_COUNTER_INC(&nmacbpfdescs); |
783} 784 785static void 786mac_init_cred_label(struct label *label) 787{ 788 789 mac_init_label(label); 790 MAC_PERFORM(init_cred_label, label); |
791 MAC_DEBUG_COUNTER_INC(&nmaccreds); |
792} 793 794void 795mac_init_cred(struct ucred *cred) 796{ 797 798 mac_init_cred_label(&cred->cr_label); 799} 800 801void 802mac_init_devfsdirent(struct devfs_dirent *de) 803{ 804 805 mac_init_label(&de->de_label); 806 MAC_PERFORM(init_devfsdirent_label, &de->de_label); |
807 MAC_DEBUG_COUNTER_INC(&nmacdevfsdirents); |
808} 809 810static void 811mac_init_ifnet_label(struct label *label) 812{ 813 814 mac_init_label(label); 815 MAC_PERFORM(init_ifnet_label, label); |
816 MAC_DEBUG_COUNTER_INC(&nmacifnets); |
817} 818 819void 820mac_init_ifnet(struct ifnet *ifp) 821{ 822 823 mac_init_ifnet_label(&ifp->if_label); 824} --- 4 unchanged lines hidden (view full) --- 829 int error; 830 831 mac_init_label(&ipq->ipq_label); 832 833 MAC_CHECK(init_ipq_label, &ipq->ipq_label, flag); 834 if (error) { 835 MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label); 836 mac_destroy_label(&ipq->ipq_label); |
837 } else { 838 MAC_DEBUG_COUNTER_INC(&nmacipqs); |
839 } |
840 return (error); 841} 842 843int 844mac_init_mbuf_tag(struct m_tag *tag, int flag) 845{ 846 struct label *label; 847 int error; 848 849 label = (struct label *) (tag + 1); 850 mac_init_label(label); 851 852 MAC_CHECK(init_mbuf_label, label, flag); 853 if (error) { 854 MAC_PERFORM(destroy_mbuf_label, label); 855 mac_destroy_label(label); |
856 } else { 857 MAC_DEBUG_COUNTER_INC(&nmacmbufs); |
858 } |
859 return (error); 860} 861 862int 863mac_init_mbuf(struct mbuf *m, int flag) 864{ 865 struct m_tag *tag; 866 int error; --- 24 unchanged lines hidden (view full) --- 891void 892mac_init_mount(struct mount *mp) 893{ 894 895 mac_init_label(&mp->mnt_mntlabel); 896 mac_init_label(&mp->mnt_fslabel); 897 MAC_PERFORM(init_mount_label, &mp->mnt_mntlabel); 898 MAC_PERFORM(init_mount_fs_label, &mp->mnt_fslabel); |
899 MAC_DEBUG_COUNTER_INC(&nmacmounts); |
900} 901 902static void 903mac_init_pipe_label(struct label *label) 904{ 905 906 mac_init_label(label); 907 MAC_PERFORM(init_pipe_label, label); |
908 MAC_DEBUG_COUNTER_INC(&nmacpipes); |
909} 910 911void 912mac_init_pipe(struct pipe *pipe) 913{ 914 struct label *label; 915 916 label = malloc(sizeof(struct label), M_MACPIPELABEL, M_ZERO|M_WAITOK); 917 pipe->pipe_label = label; 918 pipe->pipe_peer->pipe_label = label; 919 mac_init_pipe_label(label); 920} 921 922void 923mac_init_proc(struct proc *p) 924{ 925 926 mac_init_label(&p->p_label); 927 MAC_PERFORM(init_proc_label, &p->p_label); |
928 MAC_DEBUG_COUNTER_INC(&nmacprocs); |
929} 930 931static int 932mac_init_socket_label(struct label *label, int flag) 933{ 934 int error; 935 936 mac_init_label(label); 937 938 MAC_CHECK(init_socket_label, label, flag); 939 if (error) { 940 MAC_PERFORM(destroy_socket_label, label); 941 mac_destroy_label(label); |
942 } else { 943 MAC_DEBUG_COUNTER_INC(&nmacsockets); |
944 } 945 |
946 return (error); 947} 948 949static int 950mac_init_socket_peer_label(struct label *label, int flag) 951{ 952 int error; 953 --- 25 unchanged lines hidden (view full) --- 979} 980 981void 982mac_init_vnode_label(struct label *label) 983{ 984 985 mac_init_label(label); 986 MAC_PERFORM(init_vnode_label, label); |
987 MAC_DEBUG_COUNTER_INC(&nmacvnodes); |
988} 989 990void 991mac_init_vnode(struct vnode *vp) 992{ 993 994 mac_init_vnode_label(&vp->v_label); 995} 996 997void 998mac_destroy_bpfdesc(struct bpf_d *bpf_d) 999{ 1000 1001 MAC_PERFORM(destroy_bpfdesc_label, &bpf_d->bd_label); 1002 mac_destroy_label(&bpf_d->bd_label); |
1003 MAC_DEBUG_COUNTER_DEC(&nmacbpfdescs); |
1004} 1005 1006static void 1007mac_destroy_cred_label(struct label *label) 1008{ 1009 1010 MAC_PERFORM(destroy_cred_label, label); 1011 mac_destroy_label(label); |
1012 MAC_DEBUG_COUNTER_DEC(&nmaccreds); |
1013} 1014 1015void 1016mac_destroy_cred(struct ucred *cred) 1017{ 1018 1019 mac_destroy_cred_label(&cred->cr_label); 1020} 1021 1022void 1023mac_destroy_devfsdirent(struct devfs_dirent *de) 1024{ 1025 1026 MAC_PERFORM(destroy_devfsdirent_label, &de->de_label); 1027 mac_destroy_label(&de->de_label); |
1028 MAC_DEBUG_COUNTER_DEC(&nmacdevfsdirents); |
1029} 1030 1031static void 1032mac_destroy_ifnet_label(struct label *label) 1033{ 1034 1035 MAC_PERFORM(destroy_ifnet_label, label); 1036 mac_destroy_label(label); |
1037 MAC_DEBUG_COUNTER_DEC(&nmacifnets); |
1038} 1039 1040void 1041mac_destroy_ifnet(struct ifnet *ifp) 1042{ 1043 1044 mac_destroy_ifnet_label(&ifp->if_label); 1045} 1046 1047void 1048mac_destroy_ipq(struct ipq *ipq) 1049{ 1050 1051 MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label); 1052 mac_destroy_label(&ipq->ipq_label); |
1053 MAC_DEBUG_COUNTER_DEC(&nmacipqs); |
1054} 1055 1056void 1057mac_destroy_mbuf_tag(struct m_tag *tag) 1058{ 1059 struct label *label; 1060 1061 label = (struct label *)(tag+1); 1062 1063 MAC_PERFORM(destroy_mbuf_label, label); 1064 mac_destroy_label(label); |
1065 MAC_DEBUG_COUNTER_DEC(&nmacmbufs); |
1066} 1067 1068void 1069mac_destroy_mount(struct mount *mp) 1070{ 1071 1072 MAC_PERFORM(destroy_mount_label, &mp->mnt_mntlabel); 1073 MAC_PERFORM(destroy_mount_fs_label, &mp->mnt_fslabel); 1074 mac_destroy_label(&mp->mnt_fslabel); 1075 mac_destroy_label(&mp->mnt_mntlabel); |
1076 MAC_DEBUG_COUNTER_DEC(&nmacmounts); |
1077} 1078 1079static void 1080mac_destroy_pipe_label(struct label *label) 1081{ 1082 1083 MAC_PERFORM(destroy_pipe_label, label); 1084 mac_destroy_label(label); |
1085 MAC_DEBUG_COUNTER_DEC(&nmacpipes); |
1086} 1087 1088void 1089mac_destroy_pipe(struct pipe *pipe) 1090{ 1091 1092 mac_destroy_pipe_label(pipe->pipe_label); 1093 free(pipe->pipe_label, M_MACPIPELABEL); 1094} 1095 1096void 1097mac_destroy_proc(struct proc *p) 1098{ 1099 1100 MAC_PERFORM(destroy_proc_label, &p->p_label); 1101 mac_destroy_label(&p->p_label); |
1102 MAC_DEBUG_COUNTER_DEC(&nmacprocs); |
1103} 1104 1105static void 1106mac_destroy_socket_label(struct label *label) 1107{ 1108 1109 MAC_PERFORM(destroy_socket_label, label); 1110 mac_destroy_label(label); |
1111 MAC_DEBUG_COUNTER_DEC(&nmacsockets); |
1112} 1113 1114static void 1115mac_destroy_socket_peer_label(struct label *label) 1116{ 1117 1118 MAC_PERFORM(destroy_socket_peer_label, label); 1119 mac_destroy_label(label); --- 8 unchanged lines hidden (view full) --- 1128} 1129 1130void 1131mac_destroy_vnode_label(struct label *label) 1132{ 1133 1134 MAC_PERFORM(destroy_vnode_label, label); 1135 mac_destroy_label(label); |
1136 MAC_DEBUG_COUNTER_DEC(&nmacvnodes); |
1137} 1138 1139void 1140mac_destroy_vnode(struct vnode *vp) 1141{ 1142 1143 mac_destroy_vnode_label(&vp->v_label); 1144} --- 2762 unchanged lines hidden --- |
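Review bot: The debug-branch definitions `MAC_DEBUG_COUNTER_INC(x)` and `MAC_DEBUG_COUNTER_DEC(x)` end with a semicolon inside the macro body, so every call site such as `MAC_DEBUG_COUNTER_INC(&nmacbpfdescs);` expands to a double semicolon, and an unbraced `if (...) MAC_DEBUG_COUNTER_INC(x); else ...` would compile in the non-debug build but fail in the debug build, where the expansion is `atomic_add_int(x, 1);;`. The current call sites are all braced, so nothing is broken today, but the two configurations should expand to a single expression statement either way: `#define MAC_DEBUG_COUNTER_INC(x) atomic_add_int((x), 1)` and `#define MAC_DEBUG_COUNTER_DEC(x) atomic_subtract_int((x), 1)`, with the `#else` branch defining both as `((void)0)` rather than as nothing. The argument is also worth parenthesising, as shown, since the `#else` branch discards it and the debug branch currently pastes it unparenthesised. The `#ifdef` that opens this conditional block is in the hidden region above the counter declarations, so the matching `#endif` at line 236 cannot be checked against it from this view.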