mac_bsdextended.c (172930) | mac_bsdextended.c (172955) |
---|---|
1/*- 2 * Copyright (c) 1999-2002, 2007 Robert N. M. Watson 3 * Copyright (c) 2001-2005 Networks Associates Technology, Inc. 4 * Copyright (c) 2005 Tom Rhodes 5 * Copyright (c) 2006 SPARTA, Inc. 6 * All rights reserved. 7 * 8 * This software was developed by Robert Watson for the TrustedBSD Project. --- 23 unchanged lines hidden (view full) --- 32 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 33 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 34 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 35 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 36 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 37 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 38 * SUCH DAMAGE. 39 * | 1/*- 2 * Copyright (c) 1999-2002, 2007 Robert N. M. Watson 3 * Copyright (c) 2001-2005 Networks Associates Technology, Inc. 4 * Copyright (c) 2005 Tom Rhodes 5 * Copyright (c) 2006 SPARTA, Inc. 6 * All rights reserved. 7 * 8 * This software was developed by Robert Watson for the TrustedBSD Project. --- 23 unchanged lines hidden (view full) --- 32 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 33 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 34 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 35 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 36 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 37 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 38 * SUCH DAMAGE. 39 * |
40 * $FreeBSD: head/sys/security/mac_bsdextended/mac_bsdextended.c 172930 2007-10-24 19:04:04Z rwatson $ | 40 * $FreeBSD: head/sys/security/mac_bsdextended/mac_bsdextended.c 172955 2007-10-25 11:31:11Z rwatson $ |
41 */ 42 43/* 44 * Developed by the TrustedBSD Project. 45 * 46 * "BSD Extended" MAC policy, allowing the administrator to impose mandatory 47 * firewall-like rules regarding users and file system objects. 48 */ --- 11 unchanged lines hidden (view full) --- 60#include <sys/systm.h> 61#include <sys/vnode.h> 62#include <sys/sysctl.h> 63#include <sys/syslog.h> 64 65#include <security/mac/mac_policy.h> 66#include <security/mac_bsdextended/mac_bsdextended.h> 67 | 41 */ 42 43/* 44 * Developed by the TrustedBSD Project. 45 * 46 * "BSD Extended" MAC policy, allowing the administrator to impose mandatory 47 * firewall-like rules regarding users and file system objects. 48 */ --- 11 unchanged lines hidden (view full) --- 60#include <sys/systm.h> 61#include <sys/vnode.h> 62#include <sys/sysctl.h> 63#include <sys/syslog.h> 64 65#include <security/mac/mac_policy.h> 66#include <security/mac_bsdextended/mac_bsdextended.h> 67 |
68static struct mtx mac_bsdextended_mtx; | 68static struct mtx ugidfw_mtx; |
69 70SYSCTL_DECL(_security_mac); 71 72SYSCTL_NODE(_security_mac, OID_AUTO, bsdextended, CTLFLAG_RW, 0, 73 "TrustedBSD extended BSD MAC policy controls"); 74 | 69 70SYSCTL_DECL(_security_mac); 71 72SYSCTL_NODE(_security_mac, OID_AUTO, bsdextended, CTLFLAG_RW, 0, 73 "TrustedBSD extended BSD MAC policy controls"); 74 |
75static int mac_bsdextended_enabled = 1; | 75static int ugidfw_enabled = 1; |
76SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, enabled, CTLFLAG_RW, | 76SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, enabled, CTLFLAG_RW, |
77 &mac_bsdextended_enabled, 0, "Enforce extended BSD policy"); 78TUNABLE_INT("security.mac.bsdextended.enabled", &mac_bsdextended_enabled); | 77 &ugidfw_enabled, 0, "Enforce extended BSD policy"); 78TUNABLE_INT("security.mac.bsdextended.enabled", &ugidfw_enabled); |
79 80MALLOC_DEFINE(M_MACBSDEXTENDED, "mac_bsdextended", "BSD Extended MAC rule"); 81 82#define MAC_BSDEXTENDED_MAXRULES 250 83static struct mac_bsdextended_rule *rules[MAC_BSDEXTENDED_MAXRULES]; 84static int rule_count = 0; 85static int rule_slots = 0; 86static int rule_version = MB_VERSION; --- 4 unchanged lines hidden (view full) --- 91 &rule_slots, 0, "Number of used rule slots\n"); 92SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, rule_version, CTLFLAG_RD, 93 &rule_version, 0, "Version number for API\n"); 94 95/* 96 * This is just used for logging purposes, eventually we would like to log 97 * much more then failed requests. 98 */ | 79 80MALLOC_DEFINE(M_MACBSDEXTENDED, "mac_bsdextended", "BSD Extended MAC rule"); 81 82#define MAC_BSDEXTENDED_MAXRULES 250 83static struct mac_bsdextended_rule *rules[MAC_BSDEXTENDED_MAXRULES]; 84static int rule_count = 0; 85static int rule_slots = 0; 86static int rule_version = MB_VERSION; --- 4 unchanged lines hidden (view full) --- 91 &rule_slots, 0, "Number of used rule slots\n"); 92SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, rule_version, CTLFLAG_RD, 93 &rule_version, 0, "Version number for API\n"); 94 95/* 96 * This is just used for logging purposes, eventually we would like to log 97 * much more then failed requests. 98 */ |
99static int mac_bsdextended_logging; | 99static int ugidfw_logging; |
100SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, logging, CTLFLAG_RW, | 100SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, logging, CTLFLAG_RW, |
101 &mac_bsdextended_logging, 0, "Log failed authorization requests"); | 101 &ugidfw_logging, 0, "Log failed authorization requests"); |
102 103/* 104 * This tunable is here for compatibility. It will allow the user to switch 105 * between the new mode (first rule matches) and the old functionality (all 106 * rules match). 107 */ | 102 103/* 104 * This tunable is here for compatibility. It will allow the user to switch 105 * between the new mode (first rule matches) and the old functionality (all 106 * rules match). 107 */ |
108static int 109mac_bsdextended_firstmatch_enabled; | 108static int ugidfw_firstmatch_enabled; |
110SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, firstmatch_enabled, | 109SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, firstmatch_enabled, |
111 CTLFLAG_RW, &mac_bsdextended_firstmatch_enabled, 1, | 110 CTLFLAG_RW, &ugidfw_firstmatch_enabled, 1, |
112 "Disable/enable match first rule functionality"); 113 114static int | 111 "Disable/enable match first rule functionality"); 112 113static int |
115mac_bsdextended_rule_valid(struct mac_bsdextended_rule *rule) | 114ugidfw_rule_valid(struct mac_bsdextended_rule *rule) |
116{ 117 118 if ((rule->mbr_subject.mbs_flags | MBS_ALL_FLAGS) != MBS_ALL_FLAGS) 119 return (EINVAL); 120 if ((rule->mbr_subject.mbs_neg | MBS_ALL_FLAGS) != MBS_ALL_FLAGS) 121 return (EINVAL); 122 if ((rule->mbr_object.mbo_flags | MBO_ALL_FLAGS) != MBO_ALL_FLAGS) 123 return (EINVAL); --- 27 unchanged lines hidden (view full) --- 151 if (req->newptr && req->newlen != 0) { 152 error = SYSCTL_IN(req, &temprule, sizeof(temprule)); 153 if (error) 154 return (error); 155 MALLOC(ruleptr, struct mac_bsdextended_rule *, 156 sizeof(*ruleptr), M_MACBSDEXTENDED, M_WAITOK | M_ZERO); 157 } 158 | 115{ 116 117 if ((rule->mbr_subject.mbs_flags | MBS_ALL_FLAGS) != MBS_ALL_FLAGS) 118 return (EINVAL); 119 if ((rule->mbr_subject.mbs_neg | MBS_ALL_FLAGS) != MBS_ALL_FLAGS) 120 return (EINVAL); 121 if ((rule->mbr_object.mbo_flags | MBO_ALL_FLAGS) != MBO_ALL_FLAGS) 122 return (EINVAL); --- 27 unchanged lines hidden (view full) --- 150 if (req->newptr && req->newlen != 0) { 151 error = SYSCTL_IN(req, &temprule, sizeof(temprule)); 152 if (error) 153 return (error); 154 MALLOC(ruleptr, struct mac_bsdextended_rule *, 155 sizeof(*ruleptr), M_MACBSDEXTENDED, M_WAITOK | M_ZERO); 156 } 157 |
159 mtx_lock(&mac_bsdextended_mtx); | 158 mtx_lock(&ugidfw_mtx); |
160 if (req->oldptr) { 161 if (index < 0 || index > rule_slots + 1) { 162 error = ENOENT; 163 goto out; 164 } 165 if (rules[index] == NULL) { 166 error = ENOENT; 167 goto out; --- 5 unchanged lines hidden (view full) --- 173 ruleptr = rules[index]; 174 if (ruleptr == NULL) { 175 error = ENOENT; 176 goto out; 177 } 178 rule_count--; 179 rules[index] = NULL; 180 } else if (req->newptr) { | 159 if (req->oldptr) { 160 if (index < 0 || index > rule_slots + 1) { 161 error = ENOENT; 162 goto out; 163 } 164 if (rules[index] == NULL) { 165 error = ENOENT; 166 goto out; --- 5 unchanged lines hidden (view full) --- 172 ruleptr = rules[index]; 173 if (ruleptr == NULL) { 174 error = ENOENT; 175 goto out; 176 } 177 rule_count--; 178 rules[index] = NULL; 179 } else if (req->newptr) { |
181 error = mac_bsdextended_rule_valid(&temprule); | 180 error = ugidfw_rule_valid(&temprule); |
182 if (error) 183 goto out; 184 if (rules[index] == NULL) { 185 *ruleptr = temprule; 186 rules[index] = ruleptr; 187 ruleptr = NULL; 188 if (index + 1 > rule_slots) 189 rule_slots = index + 1; 190 rule_count++; 191 } else 192 *rules[index] = temprule; 193 } 194out: | 181 if (error) 182 goto out; 183 if (rules[index] == NULL) { 184 *ruleptr = temprule; 185 rules[index] = ruleptr; 186 ruleptr = NULL; 187 if (index + 1 > rule_slots) 188 rule_slots = index + 1; 189 rule_count++; 190 } else 191 *rules[index] = temprule; 192 } 193out: |
195 mtx_unlock(&mac_bsdextended_mtx); | 194 mtx_unlock(&ugidfw_mtx); |
196 if (ruleptr != NULL) 197 FREE(ruleptr, M_MACBSDEXTENDED); 198 if (req->oldptr && error == 0) 199 error = SYSCTL_OUT(req, &temprule, sizeof(temprule)); 200 return (error); 201} 202 203SYSCTL_NODE(_security_mac_bsdextended, OID_AUTO, rules, CTLFLAG_RW, 204 sysctl_rule, "BSD extended MAC rules"); 205 206static void | 195 if (ruleptr != NULL) 196 FREE(ruleptr, M_MACBSDEXTENDED); 197 if (req->oldptr && error == 0) 198 error = SYSCTL_OUT(req, &temprule, sizeof(temprule)); 199 return (error); 200} 201 202SYSCTL_NODE(_security_mac_bsdextended, OID_AUTO, rules, CTLFLAG_RW, 203 sysctl_rule, "BSD extended MAC rules"); 204 205static void |
207mac_bsdextended_init(struct mac_policy_conf *mpc) | 206ugidfw_init(struct mac_policy_conf *mpc) |
208{ 209 | 207{ 208 |
210 mtx_init(&mac_bsdextended_mtx, "mac_bsdextended lock", NULL, MTX_DEF); | 209 mtx_init(&ugidfw_mtx, "mac_bsdextended lock", NULL, MTX_DEF); |
211} 212 213static void | 210} 211 212static void |
214mac_bsdextended_destroy(struct mac_policy_conf *mpc) | 213ugidfw_destroy(struct mac_policy_conf *mpc) |
215{ 216 | 214{ 215 |
217 mtx_destroy(&mac_bsdextended_mtx); | 216 mtx_destroy(&ugidfw_mtx); |
218} 219 220static int | 217} 218 219static int |
221mac_bsdextended_rulecheck(struct mac_bsdextended_rule *rule, | 220ugidfw_rulecheck(struct mac_bsdextended_rule *rule, |
222 struct ucred *cred, struct vnode *vp, struct vattr *vap, int acc_mode) 223{ 224 int match; 225 int i; 226 227 /* 228 * Is there a subject match? 229 */ | 221 struct ucred *cred, struct vnode *vp, struct vattr *vap, int acc_mode) 222{ 223 int match; 224 int i; 225 226 /* 227 * Is there a subject match? 228 */ |
230 mtx_assert(&mac_bsdextended_mtx, MA_OWNED); | 229 mtx_assert(&ugidfw_mtx, MA_OWNED); |
231 if (rule->mbr_subject.mbs_flags & MBS_UID_DEFINED) { 232 match = ((cred->cr_uid <= rule->mbr_subject.mbs_uid_max && 233 cred->cr_uid >= rule->mbr_subject.mbs_uid_min) || 234 (cred->cr_ruid <= rule->mbr_subject.mbs_uid_max && 235 cred->cr_ruid >= rule->mbr_subject.mbs_uid_min) || 236 (cred->cr_svuid <= rule->mbr_subject.mbs_uid_max && 237 cred->cr_svuid >= rule->mbr_subject.mbs_uid_min)); 238 if (rule->mbr_subject.mbs_neg & MBS_UID_DEFINED) --- 131 unchanged lines hidden (view full) --- 370 if (!match) 371 return (0); 372 } 373 374 /* 375 * Is the access permitted? 376 */ 377 if ((rule->mbr_mode & acc_mode) != acc_mode) { | 230 if (rule->mbr_subject.mbs_flags & MBS_UID_DEFINED) { 231 match = ((cred->cr_uid <= rule->mbr_subject.mbs_uid_max && 232 cred->cr_uid >= rule->mbr_subject.mbs_uid_min) || 233 (cred->cr_ruid <= rule->mbr_subject.mbs_uid_max && 234 cred->cr_ruid >= rule->mbr_subject.mbs_uid_min) || 235 (cred->cr_svuid <= rule->mbr_subject.mbs_uid_max && 236 cred->cr_svuid >= rule->mbr_subject.mbs_uid_min)); 237 if (rule->mbr_subject.mbs_neg & MBS_UID_DEFINED) --- 131 unchanged lines hidden (view full) --- 369 if (!match) 370 return (0); 371 } 372 373 /* 374 * Is the access permitted? 375 */ 376 if ((rule->mbr_mode & acc_mode) != acc_mode) { |
378 if (mac_bsdextended_logging) | 377 if (ugidfw_logging) |
379 log(LOG_AUTHPRIV, "mac_bsdextended: %d:%d request %d" 380 " on %d:%d failed. \n", cred->cr_ruid, 381 cred->cr_rgid, acc_mode, vap->va_uid, 382 vap->va_gid); 383 return (EACCES); 384 } 385 386 /* 387 * If the rule matched, permits access, and first match is enabled, 388 * return success. 389 */ | 378 log(LOG_AUTHPRIV, "mac_bsdextended: %d:%d request %d" 379 " on %d:%d failed. \n", cred->cr_ruid, 380 cred->cr_rgid, acc_mode, vap->va_uid, 381 vap->va_gid); 382 return (EACCES); 383 } 384 385 /* 386 * If the rule matched, permits access, and first match is enabled, 387 * return success. 388 */ |
390 if (mac_bsdextended_firstmatch_enabled) | 389 if (ugidfw_firstmatch_enabled) |
391 return (EJUSTRETURN); 392 else 393 return (0); 394} 395 396static int | 390 return (EJUSTRETURN); 391 else 392 return (0); 393} 394 395static int |
397mac_bsdextended_check(struct ucred *cred, struct vnode *vp, struct vattr *vap, | 396ugidfw_check(struct ucred *cred, struct vnode *vp, struct vattr *vap, |
398 int acc_mode) 399{ 400 int error, i; 401 402 /* 403 * XXXRW: More specific privilege selection needed. 404 */ 405 if (suser_cred(cred, 0) == 0) 406 return (0); 407 408 /* 409 * Since we do not separately handle append, map append to write. 410 */ 411 if (acc_mode & MBI_APPEND) { 412 acc_mode &= ~MBI_APPEND; 413 acc_mode |= MBI_WRITE; 414 } | 397 int acc_mode) 398{ 399 int error, i; 400 401 /* 402 * XXXRW: More specific privilege selection needed. 403 */ 404 if (suser_cred(cred, 0) == 0) 405 return (0); 406 407 /* 408 * Since we do not separately handle append, map append to write. 409 */ 410 if (acc_mode & MBI_APPEND) { 411 acc_mode &= ~MBI_APPEND; 412 acc_mode |= MBI_WRITE; 413 } |
415 mtx_lock(&mac_bsdextended_mtx); | 414 mtx_lock(&ugidfw_mtx); |
416 for (i = 0; i < rule_slots; i++) { 417 if (rules[i] == NULL) 418 continue; | 415 for (i = 0; i < rule_slots; i++) { 416 if (rules[i] == NULL) 417 continue; |
419 error = mac_bsdextended_rulecheck(rules[i], cred, | 418 error = ugidfw_rulecheck(rules[i], cred, |
420 vp, vap, acc_mode); 421 if (error == EJUSTRETURN) 422 break; 423 if (error) { | 419 vp, vap, acc_mode); 420 if (error == EJUSTRETURN) 421 break; 422 if (error) { |
424 mtx_unlock(&mac_bsdextended_mtx); | 423 mtx_unlock(&ugidfw_mtx); |
425 return (error); 426 } 427 } | 424 return (error); 425 } 426 } |
428 mtx_unlock(&mac_bsdextended_mtx); | 427 mtx_unlock(&ugidfw_mtx); |
429 return (0); 430} 431 432static int | 428 return (0); 429} 430 431static int |
433mac_bsdextended_check_vp(struct ucred *cred, struct vnode *vp, int acc_mode) | 432ugidfw_check_vp(struct ucred *cred, struct vnode *vp, int acc_mode) |
434{ 435 int error; 436 struct vattr vap; 437 | 433{ 434 int error; 435 struct vattr vap; 436 |
438 if (!mac_bsdextended_enabled) | 437 if (!ugidfw_enabled) |
439 return (0); 440 error = VOP_GETATTR(vp, &vap, cred, curthread); 441 if (error) 442 return (error); | 438 return (0); 439 error = VOP_GETATTR(vp, &vap, cred, curthread); 440 if (error) 441 return (error); |
443 return (mac_bsdextended_check(cred, vp, &vap, acc_mode)); | 442 return (ugidfw_check(cred, vp, &vap, acc_mode)); |
444} 445 446static int | 443} 444 445static int |
447mac_bsdextended_system_check_acct(struct ucred *cred, struct vnode *vp, | 446ugidfw_system_check_acct(struct ucred *cred, struct vnode *vp, |
448 struct label *vplabel) 449{ 450 | 447 struct label *vplabel) 448{ 449 |
451 return (mac_bsdextended_check_vp(cred, vp, MBI_WRITE)); | 450 return (ugidfw_check_vp(cred, vp, MBI_WRITE)); |
452} 453 454static int | 451} 452 453static int |
455mac_bsdextended_system_check_auditctl(struct ucred *cred, struct vnode *vp, | 454ugidfw_system_check_auditctl(struct ucred *cred, struct vnode *vp, |
456 struct label *vplabel) 457{ 458 | 455 struct label *vplabel) 456{ 457 |
459 return (mac_bsdextended_check_vp(cred, vp, MBI_WRITE)); | 458 return (ugidfw_check_vp(cred, vp, MBI_WRITE)); |
460} 461 462static int | 459} 460 461static int |
463mac_bsdextended_system_check_swapoff(struct ucred *cred, struct vnode *vp, | 462ugidfw_system_check_swapoff(struct ucred *cred, struct vnode *vp, |
464 struct label *vplabel) 465{ 466 | 463 struct label *vplabel) 464{ 465 |
467 return (mac_bsdextended_check_vp(cred, vp, MBI_WRITE)); | 466 return (ugidfw_check_vp(cred, vp, MBI_WRITE)); |
468} 469 470static int | 467} 468 469static int |
471mac_bsdextended_system_check_swapon(struct ucred *cred, struct vnode *vp, | 470ugidfw_system_check_swapon(struct ucred *cred, struct vnode *vp, |
472 struct label *vplabel) 473{ 474 | 471 struct label *vplabel) 472{ 473 |
475 return (mac_bsdextended_check_vp(cred, vp, MBI_WRITE)); | 474 return (ugidfw_check_vp(cred, vp, MBI_WRITE)); |
476} 477 478static int | 475} 476 477static int |
479mac_bsdextended_vnode_check_access(struct ucred *cred, struct vnode *vp, | 478ugidfw_vnode_check_access(struct ucred *cred, struct vnode *vp, |
480 struct label *vplabel, int acc_mode) 481{ 482 | 479 struct label *vplabel, int acc_mode) 480{ 481 |
483 return (mac_bsdextended_check_vp(cred, vp, acc_mode)); | 482 return (ugidfw_check_vp(cred, vp, acc_mode)); |
484} 485 486static int | 483} 484 485static int |
487mac_bsdextended_vnode_check_chdir(struct ucred *cred, struct vnode *dvp, | 486ugidfw_vnode_check_chdir(struct ucred *cred, struct vnode *dvp, |
488 struct label *dvplabel) 489{ 490 | 487 struct label *dvplabel) 488{ 489 |
491 return (mac_bsdextended_check_vp(cred, dvp, MBI_EXEC)); | 490 return (ugidfw_check_vp(cred, dvp, MBI_EXEC)); |
492} 493 494static int | 491} 492 493static int |
495mac_bsdextended_vnode_check_chroot(struct ucred *cred, struct vnode *dvp, | 494ugidfw_vnode_check_chroot(struct ucred *cred, struct vnode *dvp, |
496 struct label *dvplabel) 497{ 498 | 495 struct label *dvplabel) 496{ 497 |
499 return (mac_bsdextended_check_vp(cred, dvp, MBI_EXEC)); | 498 return (ugidfw_check_vp(cred, dvp, MBI_EXEC)); |
500} 501 502static int | 499} 500 501static int |
503mac_bsdextended_check_create_vnode(struct ucred *cred, struct vnode *dvp, | 502ugidfw_check_create_vnode(struct ucred *cred, struct vnode *dvp, |
504 struct label *dvplabel, struct componentname *cnp, struct vattr *vap) 505{ 506 | 503 struct label *dvplabel, struct componentname *cnp, struct vattr *vap) 504{ 505 |
507 return (mac_bsdextended_check_vp(cred, dvp, MBI_WRITE)); | 506 return (ugidfw_check_vp(cred, dvp, MBI_WRITE)); |
508} 509 510static int | 507} 508 509static int |
511mac_bsdextended_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp, | 510ugidfw_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp, |
512 struct label *vplabel, acl_type_t type) 513{ 514 | 511 struct label *vplabel, acl_type_t type) 512{ 513 |
515 return (mac_bsdextended_check_vp(cred, vp, MBI_ADMIN)); | 514 return (ugidfw_check_vp(cred, vp, MBI_ADMIN)); |
516} 517 518static int | 515} 516 517static int |
519mac_bsdextended_vnode_check_deleteextattr(struct ucred *cred, 520 struct vnode *vp, struct label *vplabel, int attrnamespace, 521 const char *name) | 518ugidfw_vnode_check_deleteextattr(struct ucred *cred, struct vnode *vp, 519 struct label *vplabel, int attrnamespace, const char *name) |
522{ 523 | 520{ 521 |
524 return (mac_bsdextended_check_vp(cred, vp, MBI_WRITE)); | 522 return (ugidfw_check_vp(cred, vp, MBI_WRITE)); |
525} 526 527static int | 523} 524 525static int |
528mac_bsdextended_vnode_check_exec(struct ucred *cred, struct vnode *vp, | 526ugidfw_vnode_check_exec(struct ucred *cred, struct vnode *vp, |
529 struct label *vplabel, struct image_params *imgp, 530 struct label *execlabel) 531{ 532 | 527 struct label *vplabel, struct image_params *imgp, 528 struct label *execlabel) 529{ 530 |
533 return (mac_bsdextended_check_vp(cred, vp, MBI_READ|MBI_EXEC)); | 531 return (ugidfw_check_vp(cred, vp, MBI_READ|MBI_EXEC)); |
534} 535 536static int | 532} 533 534static int |
537mac_bsdextended_vnode_check_getacl(struct ucred *cred, struct vnode *vp, | 535ugidfw_vnode_check_getacl(struct ucred *cred, struct vnode *vp, |
538 struct label *vplabel, acl_type_t type) 539{ 540 | 536 struct label *vplabel, acl_type_t type) 537{ 538 |
541 return (mac_bsdextended_check_vp(cred, vp, MBI_STAT)); | 539 return (ugidfw_check_vp(cred, vp, MBI_STAT)); |
542} 543 544static int | 540} 541 542static int |
545mac_bsdextended_vnode_check_getextattr(struct ucred *cred, struct vnode *vp, | 543ugidfw_vnode_check_getextattr(struct ucred *cred, struct vnode *vp, |
546 struct label *vplabel, int attrnamespace, const char *name, 547 struct uio *uio) 548{ 549 | 544 struct label *vplabel, int attrnamespace, const char *name, 545 struct uio *uio) 546{ 547 |
550 return (mac_bsdextended_check_vp(cred, vp, MBI_READ)); | 548 return (ugidfw_check_vp(cred, vp, MBI_READ)); |
551} 552 553static int | 549} 550 551static int |
554mac_bsdextended_vnode_check_link(struct ucred *cred, struct vnode *dvp, | 552ugidfw_vnode_check_link(struct ucred *cred, struct vnode *dvp, |
555 struct label *dvplabel, struct vnode *vp, struct label *label, 556 struct componentname *cnp) 557{ 558 int error; 559 | 553 struct label *dvplabel, struct vnode *vp, struct label *label, 554 struct componentname *cnp) 555{ 556 int error; 557 |
560 error = mac_bsdextended_check_vp(cred, dvp, MBI_WRITE); | 558 error = ugidfw_check_vp(cred, dvp, MBI_WRITE); |
561 if (error) 562 return (error); | 559 if (error) 560 return (error); |
563 error = mac_bsdextended_check_vp(cred, vp, MBI_WRITE); | 561 error = ugidfw_check_vp(cred, vp, MBI_WRITE); |
564 if (error) 565 return (error); 566 return (0); 567} 568 569static int | 562 if (error) 563 return (error); 564 return (0); 565} 566 567static int |
570mac_bsdextended_vnode_check_listextattr(struct ucred *cred, struct vnode *vp, | 568ugidfw_vnode_check_listextattr(struct ucred *cred, struct vnode *vp, |
571 struct label *vplabel, int attrnamespace) 572{ 573 | 569 struct label *vplabel, int attrnamespace) 570{ 571 |
574 return (mac_bsdextended_check_vp(cred, vp, MBI_READ)); | 572 return (ugidfw_check_vp(cred, vp, MBI_READ)); |
575} 576 577static int | 573} 574 575static int |
578mac_bsdextended_vnode_check_lookup(struct ucred *cred, struct vnode *dvp, | 576ugidfw_vnode_check_lookup(struct ucred *cred, struct vnode *dvp, |
579 struct label *dvplabel, struct componentname *cnp) 580{ 581 | 577 struct label *dvplabel, struct componentname *cnp) 578{ 579 |
582 return (mac_bsdextended_check_vp(cred, dvp, MBI_EXEC)); | 580 return (ugidfw_check_vp(cred, dvp, MBI_EXEC)); |
583} 584 585static int | 581} 582 583static int |
586mac_bsdextended_vnode_check_open(struct ucred *cred, struct vnode *vp, | 584ugidfw_vnode_check_open(struct ucred *cred, struct vnode *vp, |
587 struct label *vplabel, int acc_mode) 588{ 589 | 585 struct label *vplabel, int acc_mode) 586{ 587 |
590 return (mac_bsdextended_check_vp(cred, vp, acc_mode)); | 588 return (ugidfw_check_vp(cred, vp, acc_mode)); |
591} 592 593static int | 589} 590 591static int |
594mac_bsdextended_vnode_check_readdir(struct ucred *cred, struct vnode *dvp, | 592ugidfw_vnode_check_readdir(struct ucred *cred, struct vnode *dvp, |
595 struct label *dvplabel) 596{ 597 | 593 struct label *dvplabel) 594{ 595 |
598 return (mac_bsdextended_check_vp(cred, dvp, MBI_READ)); | 596 return (ugidfw_check_vp(cred, dvp, MBI_READ)); |
599} 600 601static int | 597} 598 599static int |
602mac_bsdextended_vnode_check_readdlink(struct ucred *cred, struct vnode *vp, | 600ugidfw_vnode_check_readdlink(struct ucred *cred, struct vnode *vp, |
603 struct label *vplabel) 604{ 605 | 601 struct label *vplabel) 602{ 603 |
606 return (mac_bsdextended_check_vp(cred, vp, MBI_READ)); | 604 return (ugidfw_check_vp(cred, vp, MBI_READ)); |
607} 608 609static int | 605} 606 607static int |
610mac_bsdextended_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp, | 608ugidfw_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp, |
611 struct label *dvplabel, struct vnode *vp, struct label *vplabel, 612 struct componentname *cnp) 613{ 614 int error; 615 | 609 struct label *dvplabel, struct vnode *vp, struct label *vplabel, 610 struct componentname *cnp) 611{ 612 int error; 613 |
616 error = mac_bsdextended_check_vp(cred, dvp, MBI_WRITE); | 614 error = ugidfw_check_vp(cred, dvp, MBI_WRITE); |
617 if (error) 618 return (error); | 615 if (error) 616 return (error); |
619 return (mac_bsdextended_check_vp(cred, vp, MBI_WRITE)); | 617 return (ugidfw_check_vp(cred, vp, MBI_WRITE)); |
620} 621 622static int | 618} 619 620static int |
623mac_bsdextended_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp, | 621ugidfw_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp, |
624 struct label *dvplabel, struct vnode *vp, struct label *vplabel, 625 int samedir, struct componentname *cnp) 626{ 627 int error; 628 | 622 struct label *dvplabel, struct vnode *vp, struct label *vplabel, 623 int samedir, struct componentname *cnp) 624{ 625 int error; 626 |
629 error = mac_bsdextended_check_vp(cred, dvp, MBI_WRITE); | 627 error = ugidfw_check_vp(cred, dvp, MBI_WRITE); |
630 if (error) 631 return (error); 632 if (vp != NULL) | 628 if (error) 629 return (error); 630 if (vp != NULL) |
633 error = mac_bsdextended_check_vp(cred, vp, MBI_WRITE); | 631 error = ugidfw_check_vp(cred, vp, MBI_WRITE); |
634 return (error); 635} 636 637static int | 632 return (error); 633} 634 635static int |
638mac_bsdextended_vnode_check_revoke(struct ucred *cred, struct vnode *vp, | 636ugidfw_vnode_check_revoke(struct ucred *cred, struct vnode *vp, |
639 struct label *vplabel) 640{ 641 | 637 struct label *vplabel) 638{ 639 |
642 return (mac_bsdextended_check_vp(cred, vp, MBI_ADMIN)); | 640 return (ugidfw_check_vp(cred, vp, MBI_ADMIN)); |
643} 644 645static int | 641} 642 643static int |
646mac_bsdextended_check_setacl_vnode(struct ucred *cred, struct vnode *vp, | 644ugidfw_check_setacl_vnode(struct ucred *cred, struct vnode *vp, |
647 struct label *vplabel, acl_type_t type, struct acl *acl) 648{ 649 | 645 struct label *vplabel, acl_type_t type, struct acl *acl) 646{ 647 |
650 return (mac_bsdextended_check_vp(cred, vp, MBI_ADMIN)); | 648 return (ugidfw_check_vp(cred, vp, MBI_ADMIN)); |
651} 652 653static int | 649} 650 651static int |
654mac_bsdextended_vnode_check_setextattr(struct ucred *cred, struct vnode *vp, | 652ugidfw_vnode_check_setextattr(struct ucred *cred, struct vnode *vp, |
655 struct label *vplabel, int attrnamespace, const char *name, 656 struct uio *uio) 657{ 658 | 653 struct label *vplabel, int attrnamespace, const char *name, 654 struct uio *uio) 655{ 656 |
659 return (mac_bsdextended_check_vp(cred, vp, MBI_WRITE)); | 657 return (ugidfw_check_vp(cred, vp, MBI_WRITE)); |
660} 661 662static int | 658} 659 660static int |
663mac_bsdextended_vnode_check_setflags(struct ucred *cred, struct vnode *vp, | 661ugidfw_vnode_check_setflags(struct ucred *cred, struct vnode *vp, |
664 struct label *vplabel, u_long flags) 665{ 666 | 662 struct label *vplabel, u_long flags) 663{ 664 |
667 return (mac_bsdextended_check_vp(cred, vp, MBI_ADMIN)); | 665 return (ugidfw_check_vp(cred, vp, MBI_ADMIN)); |
668} 669 670static int | 666} 667 668static int |
671mac_bsdextended_vnode_check_setmode(struct ucred *cred, struct vnode *vp, | 669ugidfw_vnode_check_setmode(struct ucred *cred, struct vnode *vp, |
672 struct label *vplabel, mode_t mode) 673{ 674 | 670 struct label *vplabel, mode_t mode) 671{ 672 |
675 return (mac_bsdextended_check_vp(cred, vp, MBI_ADMIN)); | 673 return (ugidfw_check_vp(cred, vp, MBI_ADMIN)); |
676} 677 678static int | 674} 675 676static int |
679mac_bsdextended_vnode_check_setowner(struct ucred *cred, struct vnode *vp, | 677ugidfw_vnode_check_setowner(struct ucred *cred, struct vnode *vp, |
680 struct label *vplabel, uid_t uid, gid_t gid) 681{ 682 | 678 struct label *vplabel, uid_t uid, gid_t gid) 679{ 680 |
683 return (mac_bsdextended_check_vp(cred, vp, MBI_ADMIN)); | 681 return (ugidfw_check_vp(cred, vp, MBI_ADMIN)); |
684} 685 686static int | 682} 683 684static int |
687mac_bsdextended_vnode_check_setutimes(struct ucred *cred, struct vnode *vp, | 685ugidfw_vnode_check_setutimes(struct ucred *cred, struct vnode *vp, |
688 struct label *vplabel, struct timespec atime, struct timespec utime) 689{ 690 | 686 struct label *vplabel, struct timespec atime, struct timespec utime) 687{ 688 |
691 return (mac_bsdextended_check_vp(cred, vp, MBI_ADMIN)); | 689 return (ugidfw_check_vp(cred, vp, MBI_ADMIN)); |
692} 693 694static int | 690} 691 692static int |
695mac_bsdextended_vnode_check_stat(struct ucred *active_cred, | 693ugidfw_vnode_check_stat(struct ucred *active_cred, |
696 struct ucred *file_cred, struct vnode *vp, struct label *vplabel) 697{ 698 | 694 struct ucred *file_cred, struct vnode *vp, struct label *vplabel) 695{ 696 |
699 return (mac_bsdextended_check_vp(active_cred, vp, MBI_STAT)); | 697 return (ugidfw_check_vp(active_cred, vp, MBI_STAT)); |
700} 701 702static int | 698} 699 700static int |
703mac_bsdextended_vnode_check_unlink(struct ucred *cred, struct vnode *dvp, | 701ugidfw_vnode_check_unlink(struct ucred *cred, struct vnode *dvp, |
704 struct label *dvplabel, struct vnode *vp, struct label *vplabel, 705 struct componentname *cnp) 706{ 707 int error; 708 | 702 struct label *dvplabel, struct vnode *vp, struct label *vplabel, 703 struct componentname *cnp) 704{ 705 int error; 706 |
709 error = mac_bsdextended_check_vp(cred, dvp, MBI_WRITE); | 707 error = ugidfw_check_vp(cred, dvp, MBI_WRITE); |
710 if (error) 711 return (error); | 708 if (error) 709 return (error); |
712 return (mac_bsdextended_check_vp(cred, vp, MBI_WRITE)); | 710 return (ugidfw_check_vp(cred, vp, MBI_WRITE)); |
713} 714 | 711} 712 |
715static struct mac_policy_ops mac_bsdextended_ops = | 713static struct mac_policy_ops ugidfw_ops = |
716{ | 714{ |
717 .mpo_destroy = mac_bsdextended_destroy, 718 .mpo_init = mac_bsdextended_init, 719 .mpo_system_check_acct = mac_bsdextended_system_check_acct, 720 .mpo_system_check_auditctl = mac_bsdextended_system_check_auditctl, 721 .mpo_system_check_swapoff = mac_bsdextended_system_check_swapoff, 722 .mpo_system_check_swapon = mac_bsdextended_system_check_swapon, 723 .mpo_vnode_check_access = mac_bsdextended_vnode_check_access, 724 .mpo_vnode_check_chdir = mac_bsdextended_vnode_check_chdir, 725 .mpo_vnode_check_chroot = mac_bsdextended_vnode_check_chroot, 726 .mpo_vnode_check_create = mac_bsdextended_check_create_vnode, 727 .mpo_vnode_check_deleteacl = mac_bsdextended_vnode_check_deleteacl, 728 .mpo_vnode_check_deleteextattr = mac_bsdextended_vnode_check_deleteextattr, 729 .mpo_vnode_check_exec = mac_bsdextended_vnode_check_exec, 730 .mpo_vnode_check_getacl = mac_bsdextended_vnode_check_getacl, 731 .mpo_vnode_check_getextattr = mac_bsdextended_vnode_check_getextattr, 732 .mpo_vnode_check_link = mac_bsdextended_vnode_check_link, 733 .mpo_vnode_check_listextattr = mac_bsdextended_vnode_check_listextattr, 734 .mpo_vnode_check_lookup = mac_bsdextended_vnode_check_lookup, 735 .mpo_vnode_check_open = mac_bsdextended_vnode_check_open, 736 .mpo_vnode_check_readdir = mac_bsdextended_vnode_check_readdir, 737 .mpo_vnode_check_readlink = mac_bsdextended_vnode_check_readdlink, 738 .mpo_vnode_check_rename_from = mac_bsdextended_vnode_check_rename_from, 739 .mpo_vnode_check_rename_to = mac_bsdextended_vnode_check_rename_to, 740 .mpo_vnode_check_revoke = mac_bsdextended_vnode_check_revoke, 741 .mpo_vnode_check_setacl = mac_bsdextended_check_setacl_vnode, 742 .mpo_vnode_check_setextattr = mac_bsdextended_vnode_check_setextattr, 743 .mpo_vnode_check_setflags = mac_bsdextended_vnode_check_setflags, 744 .mpo_vnode_check_setmode = mac_bsdextended_vnode_check_setmode, 745 .mpo_vnode_check_setowner = mac_bsdextended_vnode_check_setowner, 746 .mpo_vnode_check_setutimes = mac_bsdextended_vnode_check_setutimes, 747 .mpo_vnode_check_stat = mac_bsdextended_vnode_check_stat, 748 .mpo_vnode_check_unlink = mac_bsdextended_vnode_check_unlink, | 715 .mpo_destroy = ugidfw_destroy, 716 .mpo_init = ugidfw_init, 717 .mpo_system_check_acct = ugidfw_system_check_acct, 718 .mpo_system_check_auditctl = ugidfw_system_check_auditctl, 719 .mpo_system_check_swapoff = ugidfw_system_check_swapoff, 720 .mpo_system_check_swapon = ugidfw_system_check_swapon, 721 .mpo_vnode_check_access = ugidfw_vnode_check_access, 722 .mpo_vnode_check_chdir = ugidfw_vnode_check_chdir, 723 .mpo_vnode_check_chroot = ugidfw_vnode_check_chroot, 724 .mpo_vnode_check_create = ugidfw_check_create_vnode, 725 .mpo_vnode_check_deleteacl = ugidfw_vnode_check_deleteacl, 726 .mpo_vnode_check_deleteextattr = ugidfw_vnode_check_deleteextattr, 727 .mpo_vnode_check_exec = ugidfw_vnode_check_exec, 728 .mpo_vnode_check_getacl = ugidfw_vnode_check_getacl, 729 .mpo_vnode_check_getextattr = ugidfw_vnode_check_getextattr, 730 .mpo_vnode_check_link = ugidfw_vnode_check_link, 731 .mpo_vnode_check_listextattr = ugidfw_vnode_check_listextattr, 732 .mpo_vnode_check_lookup = ugidfw_vnode_check_lookup, 733 .mpo_vnode_check_open = ugidfw_vnode_check_open, 734 .mpo_vnode_check_readdir = ugidfw_vnode_check_readdir, 735 .mpo_vnode_check_readlink = ugidfw_vnode_check_readdlink, 736 .mpo_vnode_check_rename_from = ugidfw_vnode_check_rename_from, 737 .mpo_vnode_check_rename_to = ugidfw_vnode_check_rename_to, 738 .mpo_vnode_check_revoke = ugidfw_vnode_check_revoke, 739 .mpo_vnode_check_setacl = ugidfw_check_setacl_vnode, 740 .mpo_vnode_check_setextattr = ugidfw_vnode_check_setextattr, 741 .mpo_vnode_check_setflags = ugidfw_vnode_check_setflags, 742 .mpo_vnode_check_setmode = ugidfw_vnode_check_setmode, 743 .mpo_vnode_check_setowner = ugidfw_vnode_check_setowner, 744 .mpo_vnode_check_setutimes = ugidfw_vnode_check_setutimes, 745 .mpo_vnode_check_stat = ugidfw_vnode_check_stat, 746 .mpo_vnode_check_unlink = ugidfw_vnode_check_unlink, |
749}; 750 | 747}; 748 |
751MAC_POLICY_SET(&mac_bsdextended_ops, mac_bsdextended, 752 "TrustedBSD MAC/BSD Extended", MPC_LOADTIME_FLAG_UNLOADOK, NULL); | 749MAC_POLICY_SET(&ugidfw_ops, mac_bsdextended, "TrustedBSD MAC/BSD Extended", 750 MPC_LOADTIME_FLAG_UNLOADOK, NULL); |