mac_vfs.c (104520) | mac_vfs.c (104521) |
1/*- 2 * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson 3 * Copyright (c) 2001 Ilmar S. Habibulin 4 * Copyright (c) 2001, 2002 Networks Associates Technology, Inc. 5 * All rights reserved. 6 * 7 * This software was developed by Robert Watson and Ilmar Habibulin for the 8 * TrustedBSD Project. --- 22 unchanged lines hidden (view full) --- 31 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 32 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 33 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 34 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 35 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 36 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 37 * SUCH DAMAGE. 38 * | 1/*- 2 * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson 3 * Copyright (c) 2001 Ilmar S. Habibulin 4 * Copyright (c) 2001, 2002 Networks Associates Technology, Inc. 5 * All rights reserved. 6 * 7 * This software was developed by Robert Watson and Ilmar Habibulin for the 8 * TrustedBSD Project. --- 22 unchanged lines hidden (view full) --- 31 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 32 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 33 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 34 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 35 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 36 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 37 * SUCH DAMAGE. 38 * |
39 * $FreeBSD: head/sys/security/mac/mac_vfs.c 104520 2002-10-05 16:46:03Z rwatson $ | 39 * $FreeBSD: head/sys/security/mac/mac_vfs.c 104521 2002-10-05 16:54:59Z rwatson $ |
40 */ 41/* 42 * Developed by the TrustedBSD Project. 43 * 44 * Framework for extensible kernel access control. Kernel and userland 45 * interface to the framework, policy registration and composition. 46 */ 47 --- 963 unchanged lines hidden (view full) --- 1011 return (EPERM); 1012 1013 /* Precedence goes to error over success; otherwise, arbitrary. */ 1014 if (error1 != 0) 1015 return (error1); 1016 return (error2); 1017} 1018 | 40 */ 41/* 42 * Developed by the TrustedBSD Project. 43 * 44 * Framework for extensible kernel access control. Kernel and userland 45 * interface to the framework, policy registration and composition. 46 */ 47 --- 963 unchanged lines hidden (view full) --- 1011 return (EPERM); 1012 1013 /* Precedence goes to error over success; otherwise, arbitrary. */ 1014 if (error1 != 0) 1015 return (error1); 1016 return (error2); 1017} 1018 |
1019static void 1020mac_init_label(struct label *label) 1021{ 1022 1023 bzero(label, sizeof(*label)); 1024 label->l_flags = MAC_FLAG_INITIALIZED; 1025} 1026 1027static void 1028mac_destroy_label(struct label *label) 1029{ 1030 1031 KASSERT(label->l_flags & MAC_FLAG_INITIALIZED, 1032 ("destroying uninitialized label")); 1033 1034 bzero(label, sizeof(*label)); 1035 /* implicit: label->l_flags &= ~MAC_FLAG_INITIALIZED; */ 1036} 1037 1038static void 1039mac_init_structmac(struct mac *mac) 1040{ 1041 1042 bzero(mac, sizeof(*mac)); 1043 mac->m_macflags = MAC_FLAG_INITIALIZED; 1044} 1045 1046int 1047mac_init_mbuf(struct mbuf *m, int how) 1048{ 1049 KASSERT(m->m_flags & M_PKTHDR, ("mac_init_mbuf on non-header mbuf")); 1050 1051 /* "how" is one of M_(TRY|DONT)WAIT */ 1052 mac_init_label(&m->m_pkthdr.label); 1053 MAC_PERFORM(init_mbuf_label, &m->m_pkthdr.label, how); 1054#ifdef MAC_DEBUG 1055 atomic_add_int(&nmacmbufs, 1); 1056#endif 1057 return (0); 1058} 1059 |
1019void | 1060void |
1061mac_destroy_mbuf(struct mbuf *m) 1062{ 1063 1064 MAC_PERFORM(destroy_mbuf_label, &m->m_pkthdr.label); 1065 mac_destroy_label(&m->m_pkthdr.label); 1066#ifdef MAC_DEBUG 1067 atomic_subtract_int(&nmacmbufs, 1); 1068#endif 1069} 1070 1071void 1072mac_init_cred(struct ucred *cr) 1073{ 1074 1075 mac_init_label(&cr->cr_label); 1076 MAC_PERFORM(init_cred_label, &cr->cr_label); 1077#ifdef MAC_DEBUG 1078 atomic_add_int(&nmaccreds, 1); 1079#endif 1080} 1081 1082void 1083mac_destroy_cred(struct ucred *cr) 1084{ 1085 1086 MAC_PERFORM(destroy_cred_label, &cr->cr_label); 1087 mac_destroy_label(&cr->cr_label); 1088#ifdef MAC_DEBUG 1089 atomic_subtract_int(&nmaccreds, 1); 1090#endif 1091} 1092 1093void 1094mac_init_ifnet(struct ifnet *ifp) 1095{ 1096 1097 mac_init_label(&ifp->if_label); 1098 MAC_PERFORM(init_ifnet_label, &ifp->if_label); 1099#ifdef MAC_DEBUG 1100 atomic_add_int(&nmacifnets, 1); 1101#endif 1102} 1103 1104void 1105mac_destroy_ifnet(struct ifnet *ifp) 1106{ 1107 1108 MAC_PERFORM(destroy_ifnet_label, &ifp->if_label); 1109 mac_destroy_label(&ifp->if_label); 1110#ifdef MAC_DEBUG 1111 atomic_subtract_int(&nmacifnets, 1); 1112#endif 1113} 1114 1115void 1116mac_init_ipq(struct ipq *ipq) 1117{ 1118 1119 mac_init_label(&ipq->ipq_label); 1120 MAC_PERFORM(init_ipq_label, &ipq->ipq_label); 1121#ifdef MAC_DEBUG 1122 atomic_add_int(&nmacipqs, 1); 1123#endif 1124} 1125 1126void 1127mac_destroy_ipq(struct ipq *ipq) 1128{ 1129 1130 MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label); 1131 mac_destroy_label(&ipq->ipq_label); 1132#ifdef MAC_DEBUG 1133 atomic_subtract_int(&nmacipqs, 1); 1134#endif 1135} 1136 1137void 1138mac_init_socket(struct socket *socket) 1139{ 1140 1141 mac_init_label(&socket->so_label); 1142 mac_init_label(&socket->so_peerlabel); 1143 MAC_PERFORM(init_socket_label, &socket->so_label); 1144 MAC_PERFORM(init_socket_peer_label, &socket->so_peerlabel); 1145#ifdef MAC_DEBUG 1146 atomic_add_int(&nmacsockets, 1); 1147#endif 1148} 1149 1150void 
1151mac_destroy_socket(struct socket *socket) 1152{ 1153 1154 MAC_PERFORM(destroy_socket_label, &socket->so_label); 1155 MAC_PERFORM(destroy_socket_peer_label, &socket->so_peerlabel); 1156 mac_destroy_label(&socket->so_label); 1157 mac_destroy_label(&socket->so_peerlabel); 1158#ifdef MAC_DEBUG 1159 atomic_subtract_int(&nmacsockets, 1); 1160#endif 1161} 1162 1163void 1164mac_init_pipe(struct pipe *pipe) 1165{ 1166 struct label *label; 1167 1168 label = malloc(sizeof(struct label), M_MACPIPELABEL, M_ZERO|M_WAITOK); 1169 mac_init_label(label); 1170 pipe->pipe_label = label; 1171 pipe->pipe_peer->pipe_label = label; 1172 MAC_PERFORM(init_pipe_label, pipe->pipe_label); 1173#ifdef MAC_DEBUG 1174 atomic_add_int(&nmacpipes, 1); 1175#endif 1176} 1177 1178void 1179mac_destroy_pipe(struct pipe *pipe) 1180{ 1181 1182 MAC_PERFORM(destroy_pipe_label, pipe->pipe_label); 1183 mac_destroy_label(pipe->pipe_label); 1184 free(pipe->pipe_label, M_MACPIPELABEL); 1185#ifdef MAC_DEBUG 1186 atomic_subtract_int(&nmacpipes, 1); 1187#endif 1188} 1189 1190void 1191mac_init_bpfdesc(struct bpf_d *bpf_d) 1192{ 1193 1194 mac_init_label(&bpf_d->bd_label); 1195 MAC_PERFORM(init_bpfdesc_label, &bpf_d->bd_label); 1196#ifdef MAC_DEBUG 1197 atomic_add_int(&nmacbpfdescs, 1); 1198#endif 1199} 1200 1201void 1202mac_destroy_bpfdesc(struct bpf_d *bpf_d) 1203{ 1204 1205 MAC_PERFORM(destroy_bpfdesc_label, &bpf_d->bd_label); 1206 mac_destroy_label(&bpf_d->bd_label); 1207#ifdef MAC_DEBUG 1208 atomic_subtract_int(&nmacbpfdescs, 1); 1209#endif 1210} 1211 1212void 1213mac_init_mount(struct mount *mp) 1214{ 1215 1216 mac_init_label(&mp->mnt_mntlabel); 1217 mac_init_label(&mp->mnt_fslabel); 1218 MAC_PERFORM(init_mount_label, &mp->mnt_mntlabel); 1219 MAC_PERFORM(init_mount_fs_label, &mp->mnt_fslabel); 1220#ifdef MAC_DEBUG 1221 atomic_add_int(&nmacmounts, 1); 1222#endif 1223} 1224 1225void 1226mac_destroy_mount(struct mount *mp) 1227{ 1228 1229 MAC_PERFORM(destroy_mount_label, &mp->mnt_mntlabel); 1230 
MAC_PERFORM(destroy_mount_fs_label, &mp->mnt_fslabel); 1231 mac_destroy_label(&mp->mnt_fslabel); 1232 mac_destroy_label(&mp->mnt_mntlabel); 1233#ifdef MAC_DEBUG 1234 atomic_subtract_int(&nmacmounts, 1); 1235#endif 1236} 1237 1238static void 1239mac_init_temp(struct label *label) 1240{ 1241 1242 mac_init_label(label); 1243 MAC_PERFORM(init_temp_label, label); 1244#ifdef MAC_DEBUG 1245 atomic_add_int(&nmactemp, 1); 1246#endif 1247} 1248 1249static void 1250mac_destroy_temp(struct label *label) 1251{ 1252 1253 MAC_PERFORM(destroy_temp_label, label); 1254 mac_destroy_label(label); 1255#ifdef MAC_DEBUG 1256 atomic_subtract_int(&nmactemp, 1); 1257#endif 1258} 1259 1260void 1261mac_init_vnode(struct vnode *vp) 1262{ 1263 1264 mac_init_label(&vp->v_label); 1265 MAC_PERFORM(init_vnode_label, &vp->v_label); 1266#ifdef MAC_DEBUG 1267 atomic_add_int(&nmacvnodes, 1); 1268#endif 1269} 1270 1271void 1272mac_destroy_vnode(struct vnode *vp) 1273{ 1274 1275 MAC_PERFORM(destroy_vnode_label, &vp->v_label); 1276 mac_destroy_label(&vp->v_label); 1277#ifdef MAC_DEBUG 1278 atomic_subtract_int(&nmacvnodes, 1); 1279#endif 1280} 1281 1282void 1283mac_init_devfsdirent(struct devfs_dirent *de) 1284{ 1285 1286 mac_init_label(&de->de_label); 1287 MAC_PERFORM(init_devfsdirent_label, &de->de_label); 1288#ifdef MAC_DEBUG 1289 atomic_add_int(&nmacdevfsdirents, 1); 1290#endif 1291} 1292 1293void 1294mac_destroy_devfsdirent(struct devfs_dirent *de) 1295{ 1296 1297 MAC_PERFORM(destroy_devfsdirent_label, &de->de_label); 1298 mac_destroy_label(&de->de_label); 1299#ifdef MAC_DEBUG 1300 atomic_subtract_int(&nmacdevfsdirents, 1); 1301#endif 1302} 1303 1304void |
1020mac_update_devfsdirent(struct devfs_dirent *de, struct vnode *vp) 1021{ 1022 1023 MAC_PERFORM(update_devfsdirent, de, &de->de_label, vp, &vp->v_label); 1024} 1025 1026void 1027mac_update_procfsvnode(struct vnode *vp, struct ucred *cred) --- 268 unchanged lines hidden (view full) --- 1296 return (error); 1297 1298 result = 0; 1299 MAC_BOOLEAN(execve_will_transition, ||, old, vp, &vp->v_label); 1300 1301 return (result); 1302} 1303 | 1305mac_update_devfsdirent(struct devfs_dirent *de, struct vnode *vp) 1306{ 1307 1308 MAC_PERFORM(update_devfsdirent, de, &de->de_label, vp, &vp->v_label); 1309} 1310 1311void 1312mac_update_procfsvnode(struct vnode *vp, struct ucred *cred) --- 268 unchanged lines hidden (view full) --- 1581 return (error); 1582 1583 result = 0; 1584 MAC_BOOLEAN(execve_will_transition, ||, old, vp, &vp->v_label); 1585 1586 return (result); 1587} 1588 |
1304static void 1305mac_init_label(struct label *label) 1306{ 1307 1308 bzero(label, sizeof(*label)); 1309 label->l_flags = MAC_FLAG_INITIALIZED; 1310} 1311 1312static void 1313mac_init_structmac(struct mac *mac) 1314{ 1315 1316 bzero(mac, sizeof(*mac)); 1317 mac->m_macflags = MAC_FLAG_INITIALIZED; 1318} 1319 1320static void 1321mac_destroy_label(struct label *label) 1322{ 1323 1324 KASSERT(label->l_flags & MAC_FLAG_INITIALIZED, 1325 ("destroying uninitialized label")); 1326 1327 bzero(label, sizeof(*label)); 1328 /* implicit: label->l_flags &= ~MAC_FLAG_INITIALIZED; */ 1329} 1330 1331int 1332mac_init_mbuf(struct mbuf *m, int how) 1333{ 1334 KASSERT(m->m_flags & M_PKTHDR, ("mac_init_mbuf on non-header mbuf")); 1335 1336 /* "how" is one of M_(TRY|DONT)WAIT */ 1337 mac_init_label(&m->m_pkthdr.label); 1338 MAC_PERFORM(init_mbuf_label, &m->m_pkthdr.label, how); 1339#ifdef MAC_DEBUG 1340 atomic_add_int(&nmacmbufs, 1); 1341#endif 1342 return (0); 1343} 1344 1345void 1346mac_destroy_mbuf(struct mbuf *m) 1347{ 1348 1349 MAC_PERFORM(destroy_mbuf_label, &m->m_pkthdr.label); 1350 mac_destroy_label(&m->m_pkthdr.label); 1351#ifdef MAC_DEBUG 1352 atomic_subtract_int(&nmacmbufs, 1); 1353#endif 1354} 1355 1356void 1357mac_init_cred(struct ucred *cr) 1358{ 1359 1360 mac_init_label(&cr->cr_label); 1361 MAC_PERFORM(init_cred_label, &cr->cr_label); 1362#ifdef MAC_DEBUG 1363 atomic_add_int(&nmaccreds, 1); 1364#endif 1365} 1366 1367void 1368mac_destroy_cred(struct ucred *cr) 1369{ 1370 1371 MAC_PERFORM(destroy_cred_label, &cr->cr_label); 1372 mac_destroy_label(&cr->cr_label); 1373#ifdef MAC_DEBUG 1374 atomic_subtract_int(&nmaccreds, 1); 1375#endif 1376} 1377 1378void 1379mac_init_ifnet(struct ifnet *ifp) 1380{ 1381 1382 mac_init_label(&ifp->if_label); 1383 MAC_PERFORM(init_ifnet_label, &ifp->if_label); 1384#ifdef MAC_DEBUG 1385 atomic_add_int(&nmacifnets, 1); 1386#endif 1387} 1388 1389void 1390mac_destroy_ifnet(struct ifnet *ifp) 1391{ 1392 1393 MAC_PERFORM(destroy_ifnet_label, 
&ifp->if_label); 1394 mac_destroy_label(&ifp->if_label); 1395#ifdef MAC_DEBUG 1396 atomic_subtract_int(&nmacifnets, 1); 1397#endif 1398} 1399 1400void 1401mac_init_ipq(struct ipq *ipq) 1402{ 1403 1404 mac_init_label(&ipq->ipq_label); 1405 MAC_PERFORM(init_ipq_label, &ipq->ipq_label); 1406#ifdef MAC_DEBUG 1407 atomic_add_int(&nmacipqs, 1); 1408#endif 1409} 1410 1411void 1412mac_destroy_ipq(struct ipq *ipq) 1413{ 1414 1415 MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label); 1416 mac_destroy_label(&ipq->ipq_label); 1417#ifdef MAC_DEBUG 1418 atomic_subtract_int(&nmacipqs, 1); 1419#endif 1420} 1421 1422void 1423mac_init_socket(struct socket *socket) 1424{ 1425 1426 mac_init_label(&socket->so_label); 1427 mac_init_label(&socket->so_peerlabel); 1428 MAC_PERFORM(init_socket_label, &socket->so_label); 1429 MAC_PERFORM(init_socket_peer_label, &socket->so_peerlabel); 1430#ifdef MAC_DEBUG 1431 atomic_add_int(&nmacsockets, 1); 1432#endif 1433} 1434 1435void 1436mac_destroy_socket(struct socket *socket) 1437{ 1438 1439 MAC_PERFORM(destroy_socket_label, &socket->so_label); 1440 MAC_PERFORM(destroy_socket_peer_label, &socket->so_peerlabel); 1441 mac_destroy_label(&socket->so_label); 1442 mac_destroy_label(&socket->so_peerlabel); 1443#ifdef MAC_DEBUG 1444 atomic_subtract_int(&nmacsockets, 1); 1445#endif 1446} 1447 1448void 1449mac_init_pipe(struct pipe *pipe) 1450{ 1451 struct label *label; 1452 1453 label = malloc(sizeof(struct label), M_MACPIPELABEL, M_ZERO|M_WAITOK); 1454 mac_init_label(label); 1455 pipe->pipe_label = label; 1456 pipe->pipe_peer->pipe_label = label; 1457 MAC_PERFORM(init_pipe_label, pipe->pipe_label); 1458#ifdef MAC_DEBUG 1459 atomic_add_int(&nmacpipes, 1); 1460#endif 1461} 1462 1463void 1464mac_destroy_pipe(struct pipe *pipe) 1465{ 1466 1467 MAC_PERFORM(destroy_pipe_label, pipe->pipe_label); 1468 mac_destroy_label(pipe->pipe_label); 1469 free(pipe->pipe_label, M_MACPIPELABEL); 1470#ifdef MAC_DEBUG 1471 atomic_subtract_int(&nmacpipes, 1); 1472#endif 1473} 1474 
1475void 1476mac_init_bpfdesc(struct bpf_d *bpf_d) 1477{ 1478 1479 mac_init_label(&bpf_d->bd_label); 1480 MAC_PERFORM(init_bpfdesc_label, &bpf_d->bd_label); 1481#ifdef MAC_DEBUG 1482 atomic_add_int(&nmacbpfdescs, 1); 1483#endif 1484} 1485 1486void 1487mac_destroy_bpfdesc(struct bpf_d *bpf_d) 1488{ 1489 1490 MAC_PERFORM(destroy_bpfdesc_label, &bpf_d->bd_label); 1491 mac_destroy_label(&bpf_d->bd_label); 1492#ifdef MAC_DEBUG 1493 atomic_subtract_int(&nmacbpfdescs, 1); 1494#endif 1495} 1496 1497void 1498mac_init_mount(struct mount *mp) 1499{ 1500 1501 mac_init_label(&mp->mnt_mntlabel); 1502 mac_init_label(&mp->mnt_fslabel); 1503 MAC_PERFORM(init_mount_label, &mp->mnt_mntlabel); 1504 MAC_PERFORM(init_mount_fs_label, &mp->mnt_fslabel); 1505#ifdef MAC_DEBUG 1506 atomic_add_int(&nmacmounts, 1); 1507#endif 1508} 1509 1510void 1511mac_destroy_mount(struct mount *mp) 1512{ 1513 1514 MAC_PERFORM(destroy_mount_label, &mp->mnt_mntlabel); 1515 MAC_PERFORM(destroy_mount_fs_label, &mp->mnt_fslabel); 1516 mac_destroy_label(&mp->mnt_fslabel); 1517 mac_destroy_label(&mp->mnt_mntlabel); 1518#ifdef MAC_DEBUG 1519 atomic_subtract_int(&nmacmounts, 1); 1520#endif 1521} 1522 1523static void 1524mac_init_temp(struct label *label) 1525{ 1526 1527 mac_init_label(label); 1528 MAC_PERFORM(init_temp_label, label); 1529#ifdef MAC_DEBUG 1530 atomic_add_int(&nmactemp, 1); 1531#endif 1532} 1533 1534static void 1535mac_destroy_temp(struct label *label) 1536{ 1537 1538 MAC_PERFORM(destroy_temp_label, label); 1539 mac_destroy_label(label); 1540#ifdef MAC_DEBUG 1541 atomic_subtract_int(&nmactemp, 1); 1542#endif 1543} 1544 1545void 1546mac_init_vnode(struct vnode *vp) 1547{ 1548 1549 mac_init_label(&vp->v_label); 1550 MAC_PERFORM(init_vnode_label, &vp->v_label); 1551#ifdef MAC_DEBUG 1552 atomic_add_int(&nmacvnodes, 1); 1553#endif 1554} 1555 1556void 1557mac_destroy_vnode(struct vnode *vp) 1558{ 1559 1560 MAC_PERFORM(destroy_vnode_label, &vp->v_label); 1561 mac_destroy_label(&vp->v_label); 1562#ifdef 
MAC_DEBUG 1563 atomic_subtract_int(&nmacvnodes, 1); 1564#endif 1565} 1566 1567void 1568mac_init_devfsdirent(struct devfs_dirent *de) 1569{ 1570 1571 mac_init_label(&de->de_label); 1572 MAC_PERFORM(init_devfsdirent_label, &de->de_label); 1573#ifdef MAC_DEBUG 1574 atomic_add_int(&nmacdevfsdirents, 1); 1575#endif 1576} 1577 1578void 1579mac_destroy_devfsdirent(struct devfs_dirent *de) 1580{ 1581 1582 MAC_PERFORM(destroy_devfsdirent_label, &de->de_label); 1583 mac_destroy_label(&de->de_label); 1584#ifdef MAC_DEBUG 1585 atomic_subtract_int(&nmacdevfsdirents, 1); 1586#endif 1587} 1588 | |
1589static int 1590mac_externalize(struct label *label, struct mac *mac) 1591{ 1592 int error; 1593 1594 mac_init_structmac(mac); 1595 MAC_CHECK(externalize, label, mac); 1596 --- 1828 unchanged lines hidden --- | 1589static int 1590mac_externalize(struct label *label, struct mac *mac) 1591{ 1592 int error; 1593 1594 mac_init_structmac(mac); 1595 MAC_CHECK(externalize, label, mac); 1596 --- 1828 unchanged lines hidden --- |
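Review bot: `mac_destroy_pipe` (new side, lines 1178–1188) frees the label through `pipe->pipe_label` but leaves both ends' pointers intact, even though `mac_init_pipe` stores the very same allocation in `pipe->pipe_peer->pipe_label`; after this call the peer still holds a dangling pointer, and a second destroy reached through the peer would free the block twice. Whether the pipe code guarantees exactly one destroy per pair is not visible here, and the `KASSERT` in `mac_destroy_label` only fires on INVARIANTS kernels and, in that second-destroy case, reads memory that has already been handed back. A cheap defence is to clear the references after the free, `pipe->pipe_label = NULL;` and, where the peer is still reachable at this point, `pipe->pipe_peer->pipe_label = NULL;`, so a stray second call faults on NULL instead of silently reusing freed memory. The same code is present unchanged on the removed side (lines 1464–1473); the commit only relocates it, so this is a pre-existing concern rather than one the move introduces.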