1/*-
2 * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson
3 * Copyright (c) 2001, 2002 Networks Associates Technology, Inc.
4 * All rights reserved.
5 *
6 * This software was developed by Robert Watson for the TrustedBSD Project.
7 *
8 * This software was developed for the FreeBSD Project in part by NAI Labs,


26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 * SUCH DAMAGE.
33 *
34 * $FreeBSD: head/sys/security/mac_lomac/mac_lomac.c 116701 2003-06-23 01:26:34Z rwatson $
35 */
36
37/*
38 * Developed by the TrustedBSD Project.
39 * Low-watermark floating label mandatory integrity policy.
40 */
41
42#include <sys/types.h>
43#include <sys/param.h>
44#include <sys/acl.h>
45#include <sys/conf.h>
46#include <sys/extattr.h>
47#include <sys/kernel.h>
48#include <sys/mac.h>
49#include <sys/malloc.h>
50#include <sys/mount.h>
51#include <sys/proc.h>
52#include <sys/sbuf.h>
53#include <sys/systm.h>
54#include <sys/sysproto.h>
55#include <sys/sysent.h>
56#include <sys/systm.h>
57#include <sys/vnode.h>
58#include <sys/file.h>
59#include <sys/socket.h>
60#include <sys/socketvar.h>


479 if (source->ml_flags & MAC_LOMAC_FLAG_SINGLE)
480 mac_lomac_copy_single(source, dest);
481 if (source->ml_flags & MAC_LOMAC_FLAG_AUX)
482 mac_lomac_copy_auxsingle(source, dest);
483 if (source->ml_flags & MAC_LOMAC_FLAG_RANGE)
484 mac_lomac_copy_range(source, dest);
485}
486
487static int mac_lomac_to_string(struct sbuf *sb,
488 struct mac_lomac *mac_lomac);
489
490static int
491maybe_demote(struct mac_lomac *subjlabel, struct mac_lomac *objlabel,
492 const char *actionname, const char *objname, struct vnode *vpq)
493{
494 struct sbuf subjlabel_sb, subjtext_sb, objlabel_sb;
495 char *subjlabeltext, *objlabeltext, *subjtext;
496 struct mac_lomac cached_subjlabel;
497 struct mac_lomac_proc *subj;
498 struct vattr va;
499 struct proc *p;
500 pid_t pgid;
501
502 subj = PSLOT(&curthread->td_proc->p_label);
503
504 p = curthread->td_proc;
505 mtx_lock(&subj->mtx);
506 if (subj->mac_lomac.ml_flags & MAC_LOMAC_FLAG_UPDATE) {
507 /*
508 * Check to see if the pending demotion would be more or
509 * less severe than this one, and keep the more severe.
510 * This can only happen for a multi-threaded application.
511 */


529 &subj->mac_lomac.ml_rangelow))
530 subj->mac_lomac.ml_rangelow = objlabel->ml_single;
531 subj->mac_lomac.ml_rangehigh = objlabel->ml_single;
532 subj->mac_lomac.ml_flags |= MAC_LOMAC_FLAG_UPDATE;
533 mtx_lock_spin(&sched_lock);
534 curthread->td_flags |= TDF_ASTPENDING;
535 curthread->td_proc->p_sflag |= PS_MACPEND;
536 mtx_unlock_spin(&sched_lock);
537
538 /*
539 * Avoid memory allocation while holding a mutex; cache the
540 * label.
541 */
542 mac_lomac_copy_single(&subj->mac_lomac, &cached_subjlabel);
543 mtx_unlock(&subj->mtx);
544
545 sbuf_new(&subjlabel_sb, NULL, 0, SBUF_AUTOEXTEND);
546 mac_lomac_to_string(&subjlabel_sb, subjlabel);
547 sbuf_finish(&subjlabel_sb);
548 subjlabeltext = sbuf_data(&subjlabel_sb);
549
550 sbuf_new(&subjtext_sb, NULL, 0, SBUF_AUTOEXTEND);
551 mac_lomac_to_string(&subjtext_sb, &subj->mac_lomac);
552 sbuf_finish(&subjtext_sb);
553 subjtext = sbuf_data(&subjtext_sb);
554
555 sbuf_new(&objlabel_sb, NULL, 0, SBUF_AUTOEXTEND);
556 mac_lomac_to_string(&objlabel_sb, objlabel);
557 sbuf_finish(&objlabel_sb);
558 objlabeltext = sbuf_data(&objlabel_sb);
559
560 pgid = p->p_pgrp->pg_id; /* XXX could be stale? */
561 if (vpq != NULL && VOP_GETATTR(vpq, &va, curthread->td_ucred,
562 curthread) == 0) {
563 log(LOG_INFO, "LOMAC: level-%s subject p%dg%du%d:%s demoted to"
564 " level %s after %s a level-%s %s (inode=%ld, "
565 "mountpount=%s)\n",
566 subjlabeltext, p->p_pid, pgid, curthread->td_ucred->cr_uid,
567 p->p_comm, subjtext, actionname, objlabeltext, objname,
568 va.va_fileid, vpq->v_mount->mnt_stat.f_mntonname);
569 } else {
570 log(LOG_INFO, "LOMAC: level-%s subject p%dg%du%d:%s demoted to"
571 " level %s after %s a level-%s %s\n",
572 subjlabeltext, p->p_pid, pgid, curthread->td_ucred->cr_uid,
573 p->p_comm, subjtext, actionname, objlabeltext, objname);
574 }
575
576 sbuf_delete(&subjlabel_sb);
577 sbuf_delete(&subjtext_sb);
578 sbuf_delete(&objlabel_sb);
579
580 return (0);
581}
582
583/*
584 * Relabel "to" to "from" only if "from" is a valid label (contains
585 * at least a single), as for a relabel operation which may or may
586 * not involve a relevant label.
587 */


652mac_lomac_destroy_proc_label(struct label *label)
653{
654
655 mtx_destroy(&PSLOT(label)->mtx);
656 FREE(PSLOT(label), M_MACLOMAC);
657 PSLOT(label) = NULL;
658}
659
660static int
661mac_lomac_element_to_string(struct sbuf *sb, struct mac_lomac_element *element)
662{
663
664 switch (element->mle_type) {
665 case MAC_LOMAC_TYPE_HIGH:
666 return (sbuf_printf(sb, "high"));
667
668 case MAC_LOMAC_TYPE_LOW:
669 return (sbuf_printf(sb, "low"));
670
671 case MAC_LOMAC_TYPE_EQUAL:
672 return (sbuf_printf(sb, "equal"));
673
674 case MAC_LOMAC_TYPE_GRADE:
675 return (sbuf_printf(sb, "%d", element->mle_grade));
676
677 default:
678 panic("mac_lomac_element_to_string: invalid type (%d)",
679 element->mle_type);
680 }
681}
682
683static int
684mac_lomac_to_string(struct sbuf *sb, struct mac_lomac *mac_lomac)
685{
686
687 if (mac_lomac->ml_flags & MAC_LOMAC_FLAG_SINGLE) {
688 if (mac_lomac_element_to_string(sb, &mac_lomac->ml_single)
689 == -1)
690 return (EINVAL);
691 }
692
693 if (mac_lomac->ml_flags & MAC_LOMAC_FLAG_AUX) {
694 if (sbuf_putc(sb, '[') == -1)
695 return (EINVAL);
696
697 if (mac_lomac_element_to_string(sb, &mac_lomac->ml_auxsingle)
698 == -1)
699 return (EINVAL);
700
701 if (sbuf_putc(sb, ']') == -1)
702 return (EINVAL);
703 }
704
705 if (mac_lomac->ml_flags & MAC_LOMAC_FLAG_RANGE) {
706 if (sbuf_putc(sb, '(') == -1)
707 return (EINVAL);
708
709 if (mac_lomac_element_to_string(sb, &mac_lomac->ml_rangelow)
710 == -1)
711 return (EINVAL);
712
713 if (sbuf_putc(sb, '-') == -1)
714 return (EINVAL);
715
716 if (mac_lomac_element_to_string(sb, &mac_lomac->ml_rangehigh)
717 == -1)
718 return (EINVAL);
719
720 if (sbuf_putc(sb, '-') == -1)
721 return (EINVAL);
722 }
723
724 return (0);
725}
726
727static int
728mac_lomac_externalize_label(struct label *label, char *element_name,
729 struct sbuf *sb, int *claimed)
730{
731 struct mac_lomac *mac_lomac;
732
733 if (strcmp(MAC_LOMAC_LABEL_NAME, element_name) != 0)
734 return (0);
735
736 (*claimed)++;
737
738 mac_lomac = SLOT(label);
739
740 return (mac_lomac_to_string(sb, mac_lomac));
741}
742
743static int
744mac_lomac_parse_element(struct mac_lomac_element *element, char *string)
745{
746
747 if (strcmp(string, "high") == 0 ||
748 strcmp(string, "hi") == 0) {
