1/*-
2 * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson
3 * Copyright (c) 2001 Ilmar S. Habibulin
4 * Copyright (c) 2001, 2002 Networks Associates Technology, Inc.
5 * All rights reserved.
6 *
7 * This software was developed by Robert Watson and Ilmar Habibulin for the
8 * TrustedBSD Project.
9 *
10 * This software was developed for the FreeBSD Project in part by NAI Labs,
11 * the Security Research Division of Network Associates, Inc. under
12 * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA
13 * CHATS research program.
14 *
15 * Redistribution and use in source and binary forms, with or without
16 * modification, are permitted provided that the following conditions
17 * are met:
18 * 1. Redistributions of source code must retain the above copyright
19 * notice, this list of conditions and the following disclaimer.
20 * 2. Redistributions in binary form must reproduce the above copyright
21 * notice, this list of conditions and the following disclaimer in the
22 * documentation and/or other materials provided with the distribution.
23 * 3. The names of the authors may not be used to endorse or promote
24 * products derived from this software without specific prior written
25 * permission.
26 *
27 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
28 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
29 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
30 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
31 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
32 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
33 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
34 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
35 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
36 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
37 * SUCH DAMAGE.
38 *
39 * $FreeBSD: head/sys/security/mac/mac_syscalls.c 101988 2002-08-16 14:21:38Z rwatson $
40 */
41/*
42 * Developed by the TrustedBSD Project.
43 *
44 * Framework for extensible kernel access control. Kernel and userland
45 * interface to the framework, policy registration and composition.
46 */
47
48#include "opt_mac.h"
49
50#include <sys/param.h>
51#include <sys/extattr.h>
52#include <sys/kernel.h>
53#include <sys/lock.h>
54#include <sys/mutex.h>
55#include <sys/sx.h>
56#include <sys/mac.h>
57#include <sys/module.h>
58#include <sys/proc.h>
59#include <sys/systm.h>
60#include <sys/sysproto.h>
61#include <sys/sysent.h>
62#include <sys/vnode.h>
63#include <sys/mount.h>
64#include <sys/file.h>
65#include <sys/namei.h>
66#include <sys/socket.h>
67#include <sys/pipe.h>
68#include <sys/socketvar.h>
69#include <sys/sx.h>
70#include <sys/sysctl.h>
71
72#include <vm/vm.h>
73#include <vm/pmap.h>
74#include <vm/vm_map.h>
75#include <vm/vm_object.h>
76
77#include <sys/mac_policy.h>
78
79#include <fs/devfs/devfs.h>
80
81#include <net/bpf.h>
82#include <net/bpfdesc.h>
83#include <net/if.h>
84#include <net/if_var.h>
85
86#include <netinet/in.h>
87#include <netinet/ip_var.h>
88
89#ifdef MAC
90
91/*
92 * Declare that the kernel provides MAC support, version 1. This permits
93 * modules to refuse to be loaded if the necessary support isn't present,
94 * even if it's pre-boot.
95 */
96MODULE_VERSION(kernel_mac_support, 1);
97
98SYSCTL_DECL(_security);
99
100SYSCTL_NODE(_security, OID_AUTO, mac, CTLFLAG_RW, 0,
101 "TrustedBSD MAC policy controls");
102SYSCTL_NODE(_security_mac, OID_AUTO, debug, CTLFLAG_RW, 0,
103 "TrustedBSD MAC debug info");
104
105static int mac_debug_label_fallback = 0;
106SYSCTL_INT(_security_mac_debug, OID_AUTO, label_fallback, CTLFLAG_RW,
107 &mac_debug_label_fallback, 0, "Filesystems should fall back to fs label"
108 "when label is corrupted.");
109TUNABLE_INT("security.mac.debug_label_fallback",
110 &mac_debug_label_fallback);
111
112#ifndef MAC_MAX_POLICIES
113#define MAC_MAX_POLICIES 8
114#endif
115#if MAC_MAX_POLICIES > 32
116#error "MAC_MAX_POLICIES too large"
117#endif
118static unsigned int mac_max_policies = MAC_MAX_POLICIES;
119static unsigned int mac_policy_offsets_free = (1 << MAC_MAX_POLICIES) - 1;
120SYSCTL_UINT(_security_mac, OID_AUTO, max_policies, CTLFLAG_RD,
121 &mac_max_policies, 0, "");
122
123static int mac_late = 0;
124
125static int mac_enforce_fs = 1;
126SYSCTL_INT(_security_mac, OID_AUTO, enforce_fs, CTLFLAG_RW,
127 &mac_enforce_fs, 0, "Enforce MAC policy on file system objects");
128TUNABLE_INT("security.mac.enforce_fs", &mac_enforce_fs);
129
130static int mac_enforce_network = 1;
131SYSCTL_INT(_security_mac, OID_AUTO, enforce_network, CTLFLAG_RW,
132 &mac_enforce_network, 0, "Enforce MAC policy on network packets");
133TUNABLE_INT("security.mac.enforce_network", &mac_enforce_network);
134
135static int mac_enforce_process = 1;
136SYSCTL_INT(_security_mac, OID_AUTO, enforce_process, CTLFLAG_RW,
137 &mac_enforce_process, 0, "Enforce MAC policy on inter-process operations");
138TUNABLE_INT("security.mac.enforce_process", &mac_enforce_process);
139
140static int mac_enforce_socket = 1;
141SYSCTL_INT(_security_mac, OID_AUTO, enforce_socket, CTLFLAG_RW,
142 &mac_enforce_socket, 0, "Enforce MAC policy on socket operations");
143TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket);
144
145static int mac_enforce_pipe = 1;
146SYSCTL_INT(_security_mac, OID_AUTO, enforce_pipe, CTLFLAG_RW,
147 &mac_enforce_pipe, 0, "Enforce MAC policy on pipe operations");
148
149static int mac_label_size = sizeof(struct mac);
150SYSCTL_INT(_security_mac, OID_AUTO, label_size, CTLFLAG_RD,
151 &mac_label_size, 0, "Pre-compiled MAC label size");
152
153static int mac_cache_fslabel_in_vnode = 1;
154SYSCTL_INT(_security_mac, OID_AUTO, cache_fslabel_in_vnode, CTLFLAG_RW,
155 &mac_cache_fslabel_in_vnode, 0, "Cache mount fslabel in vnode");
156TUNABLE_INT("security.mac.cache_fslabel_in_vnode",
157 &mac_cache_fslabel_in_vnode);
158
159static int mac_vnode_label_cache_hits = 0;
160SYSCTL_INT(_security_mac, OID_AUTO, vnode_label_cache_hits, CTLFLAG_RD,
161 &mac_vnode_label_cache_hits, 0, "Cache hits on vnode labels");
162static int mac_vnode_label_cache_misses = 0;
163SYSCTL_INT(_security_mac, OID_AUTO, vnode_label_cache_misses, CTLFLAG_RD,
164 &mac_vnode_label_cache_misses, 0, "Cache misses on vnode labels");
165static int mac_mmap_revocation_via_cow = 0;
166SYSCTL_INT(_security_mac, OID_AUTO, mmap_revocation_via_cow, CTLFLAG_RW,
167 &mac_mmap_revocation_via_cow, 0, "Revoke mmap access to files via "
168 "copy-on-write semantics, or by removing all write access");
169
170#ifdef MAC_DEBUG
171static unsigned int nmacmbufs, nmaccreds, nmacifnets, nmacbpfdescs,
172 nmacsockets, nmacmounts, nmactemp, nmacvnodes, nmacdevfsdirents,
173 nmacipqs, nmacpipes;
174SYSCTL_UINT(_security_mac_debug, OID_AUTO, mbufs, CTLFLAG_RD,
175 &nmacmbufs, 0, "number of mbufs in use");
176SYSCTL_UINT(_security_mac_debug, OID_AUTO, creds, CTLFLAG_RD,
177 &nmaccreds, 0, "number of ucreds in use");
178SYSCTL_UINT(_security_mac_debug, OID_AUTO, ifnets, CTLFLAG_RD,
179 &nmacifnets, 0, "number of ifnets in use");
180SYSCTL_UINT(_security_mac_debug, OID_AUTO, ipqs, CTLFLAG_RD,
181 &nmacipqs, 0, "number of ipqs in use");
182SYSCTL_UINT(_security_mac_debug, OID_AUTO, bpfdescs, CTLFLAG_RD,
183 &nmacbpfdescs, 0, "number of bpfdescs in use");
184SYSCTL_UINT(_security_mac_debug, OID_AUTO, sockets, CTLFLAG_RD,
185 &nmacsockets, 0, "number of sockets in use");
186SYSCTL_UINT(_security_mac_debug, OID_AUTO, pipes, CTLFLAG_RD,
187 &nmacpipes, 0, "number of pipes in use");
188SYSCTL_UINT(_security_mac_debug, OID_AUTO, mounts, CTLFLAG_RD,
189 &nmacmounts, 0, "number of mounts in use");
190SYSCTL_UINT(_security_mac_debug, OID_AUTO, temp, CTLFLAG_RD,
191 &nmactemp, 0, "number of temporary labels in use");
192SYSCTL_UINT(_security_mac_debug, OID_AUTO, vnodes, CTLFLAG_RD,
193 &nmacvnodes, 0, "number of vnodes in use");
194SYSCTL_UINT(_security_mac_debug, OID_AUTO, devfsdirents, CTLFLAG_RD,
195 &nmacdevfsdirents, 0, "number of devfs dirents inuse");
196#endif
197
198static int error_select(int error1, int error2);
199static int mac_externalize(struct label *label, struct mac *mac);
200static int mac_policy_register(struct mac_policy_conf *mpc);
201static int mac_policy_unregister(struct mac_policy_conf *mpc);
202
203static int mac_stdcreatevnode_ea(struct vnode *vp);
204static void mac_cred_mmapped_drop_perms(struct thread *td,
205 struct ucred *cred);
206static void mac_cred_mmapped_drop_perms_recurse(struct thread *td,
207 struct ucred *cred, struct vm_map *map);
208
209MALLOC_DEFINE(M_MACOPVEC, "macopvec", "MAC policy operation vector");
210MALLOC_DEFINE(M_MACPIPELABEL, "macpipelabel", "MAC labels for pipes");
211
212/*
213 * mac_policy_list_lock protects the consistency of 'mac_policy_list',
214 * the linked list of attached policy modules. Read-only consumers of
215 * the list must acquire a shared lock for the duration of their use;
216 * writers must acquire an exclusive lock. Note that for compound
217 * operations, locks should be held for the entire compound operation,
218 * and that this is not yet done for relabel requests.
219 */
220static struct mtx mac_policy_list_lock;
221static LIST_HEAD(, mac_policy_conf) mac_policy_list;
222static int mac_policy_list_busy;
223#define MAC_POLICY_LIST_LOCKINIT() mtx_init(&mac_policy_list_lock, \
224 "mac_policy_list_lock", NULL, MTX_DEF);
225#define MAC_POLICY_LIST_LOCK() mtx_lock(&mac_policy_list_lock);
226#define MAC_POLICY_LIST_UNLOCK() mtx_unlock(&mac_policy_list_lock);
227
228#define MAC_POLICY_LIST_BUSY() do { \
229 MAC_POLICY_LIST_LOCK(); \
230 mac_policy_list_busy++; \
231 MAC_POLICY_LIST_UNLOCK(); \
232} while (0)
233
234#define MAC_POLICY_LIST_UNBUSY() do { \
235 MAC_POLICY_LIST_LOCK(); \
236 mac_policy_list_busy--; \
237 if (mac_policy_list_busy < 0) \
238 panic("Extra mac_policy_list_busy--"); \
239 MAC_POLICY_LIST_UNLOCK(); \
240} while (0)
241
242/*
243 * MAC_CHECK performs the designated check by walking the policy
244 * module list and checking with each as to how it feels about the
245 * request. Note that it returns its value via 'error' in the scope
246 * of the caller.
247 */
248#define MAC_CHECK(check, args...) do { \
249 struct mac_policy_conf *mpc; \
250 \
251 error = 0; \
252 MAC_POLICY_LIST_BUSY(); \
253 LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { \
254 if (mpc->mpc_ops->mpo_ ## check != NULL) \
255 error = error_select( \
256 mpc->mpc_ops->mpo_ ## check (args), \
257 error); \
258 } \
259 MAC_POLICY_LIST_UNBUSY(); \
260} while (0)
261
262/*
263 * MAC_BOOLEAN performs the designated boolean composition by walking
264 * the module list, invoking each instance of the operation, and
265 * combining the results using the passed C operator. Note that it
266 * returns its value via 'result' in the scope of the caller, which
267 * should be initialized by the caller in a meaningful way to get
268 * a meaningful result.
269 */
270#define MAC_BOOLEAN(operation, composition, args...) do { \
271 struct mac_policy_conf *mpc; \
272 \
273 MAC_POLICY_LIST_BUSY(); \
274 LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { \
275 if (mpc->mpc_ops->mpo_ ## operation != NULL) \
276 result = result composition \
277 mpc->mpc_ops->mpo_ ## operation (args); \
278 } \
279 MAC_POLICY_LIST_UNBUSY(); \
280} while (0)
281
282/*
283 * MAC_PERFORM performs the designated operation by walking the policy
284 * module list and invoking that operation for each policy.
285 */
286#define MAC_PERFORM(operation, args...) do { \
287 struct mac_policy_conf *mpc; \
288 \
289 MAC_POLICY_LIST_BUSY(); \
290 LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { \
291 if (mpc->mpc_ops->mpo_ ## operation != NULL) \
292 mpc->mpc_ops->mpo_ ## operation (args); \
293 } \
294 MAC_POLICY_LIST_UNBUSY(); \
295} while (0)
296
297/*
298 * Initialize the MAC subsystem, including appropriate SMP locks.
299 */
300static void
301mac_init(void)
302{
303
304 LIST_INIT(&mac_policy_list);
305 MAC_POLICY_LIST_LOCKINIT();
306}
307
308/*
309 * For the purposes of modules that want to know if they were loaded
310 * "early", set the mac_late flag once we've processed modules either
311 * linked into the kernel, or loaded before the kernel startup.
312 */
313static void
314mac_late_init(void)
315{
316
317 mac_late = 1;
318}
319
320/*
321 * Allow MAC policy modules to register during boot, etc.
322 */
323int
324mac_policy_modevent(module_t mod, int type, void *data)
325{
326 struct mac_policy_conf *mpc;
327 int error;
328
329 error = 0;
330 mpc = (struct mac_policy_conf *) data;
331
332 switch (type) {
333 case MOD_LOAD:
334 if (mpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_NOTLATE &&
335 mac_late) {
336 printf("mac_policy_modevent: can't load %s policy "
337 "after booting\n", mpc->mpc_name);
338 error = EBUSY;
339 break;
340 }
341 error = mac_policy_register(mpc);
342 break;
343 case MOD_UNLOAD:
344 /* Don't unregister the module if it was never registered. */
345 if ((mpc->mpc_runtime_flags & MPC_RUNTIME_FLAG_REGISTERED)
346 != 0)
347 error = mac_policy_unregister(mpc);
348 else
349 error = 0;
350 break;
351 default:
352 break;
353 }
354
355 return (error);
356}
357
358static int
359mac_policy_register(struct mac_policy_conf *mpc)
360{
361 struct mac_policy_conf *tmpc;
362 struct mac_policy_ops *ops;
363 struct mac_policy_op_entry *mpe;
364 int slot;
365
366 MALLOC(mpc->mpc_ops, struct mac_policy_ops *, sizeof(*ops), M_MACOPVEC,
367 M_WAITOK | M_ZERO);
368 for (mpe = mpc->mpc_entries; mpe->mpe_constant != MAC_OP_LAST; mpe++) {
369 switch (mpe->mpe_constant) {
370 case MAC_OP_LAST:
371 /*
372 * Doesn't actually happen, but this allows checking
373 * that all enumerated values are handled.
374 */
375 break;
376 case MAC_DESTROY:
377 mpc->mpc_ops->mpo_destroy =
378 mpe->mpe_function;
379 break;
380 case MAC_INIT:
381 mpc->mpc_ops->mpo_init =
382 mpe->mpe_function;
383 break;
384 case MAC_INIT_BPFDESC:
385 mpc->mpc_ops->mpo_init_bpfdesc =
386 mpe->mpe_function;
387 break;
388 case MAC_INIT_CRED:
389 mpc->mpc_ops->mpo_init_cred =
390 mpe->mpe_function;
391 break;
392 case MAC_INIT_DEVFSDIRENT:
393 mpc->mpc_ops->mpo_init_devfsdirent =
394 mpe->mpe_function;
395 break;
396 case MAC_INIT_IFNET:
397 mpc->mpc_ops->mpo_init_ifnet =
398 mpe->mpe_function;
399 break;
400 case MAC_INIT_IPQ:
401 mpc->mpc_ops->mpo_init_ipq =
402 mpe->mpe_function;
403 break;
404 case MAC_INIT_MBUF:
405 mpc->mpc_ops->mpo_init_mbuf =
406 mpe->mpe_function;
407 break;
408 case MAC_INIT_MOUNT:
409 mpc->mpc_ops->mpo_init_mount =
410 mpe->mpe_function;
411 break;
412 case MAC_INIT_PIPE:
413 mpc->mpc_ops->mpo_init_pipe =
414 mpe->mpe_function;
415 break;
416 case MAC_INIT_SOCKET:
417 mpc->mpc_ops->mpo_init_socket =
418 mpe->mpe_function;
419 break;
420 case MAC_INIT_TEMP:
421 mpc->mpc_ops->mpo_init_temp =
422 mpe->mpe_function;
423 break;
424 case MAC_INIT_VNODE:
425 mpc->mpc_ops->mpo_init_vnode =
426 mpe->mpe_function;
427 break;
428 case MAC_DESTROY_BPFDESC:
429 mpc->mpc_ops->mpo_destroy_bpfdesc =
430 mpe->mpe_function;
431 break;
432 case MAC_DESTROY_CRED:
433 mpc->mpc_ops->mpo_destroy_cred =
434 mpe->mpe_function;
435 break;
436 case MAC_DESTROY_DEVFSDIRENT:
437 mpc->mpc_ops->mpo_destroy_devfsdirent =
438 mpe->mpe_function;
439 break;
440 case MAC_DESTROY_IFNET:
441 mpc->mpc_ops->mpo_destroy_ifnet =
442 mpe->mpe_function;
443 break;
444 case MAC_DESTROY_IPQ:
445 mpc->mpc_ops->mpo_destroy_ipq =
446 mpe->mpe_function;
447 break;
448 case MAC_DESTROY_MBUF:
449 mpc->mpc_ops->mpo_destroy_mbuf =
450 mpe->mpe_function;
451 break;
452 case MAC_DESTROY_MOUNT:
453 mpc->mpc_ops->mpo_destroy_mount =
454 mpe->mpe_function;
455 break;
456 case MAC_DESTROY_PIPE:
457 mpc->mpc_ops->mpo_destroy_pipe =
458 mpe->mpe_function;
459 break;
460 case MAC_DESTROY_SOCKET:
461 mpc->mpc_ops->mpo_destroy_socket =
462 mpe->mpe_function;
463 break;
464 case MAC_DESTROY_TEMP:
465 mpc->mpc_ops->mpo_destroy_temp =
466 mpe->mpe_function;
467 break;
468 case MAC_DESTROY_VNODE:
469 mpc->mpc_ops->mpo_destroy_vnode =
470 mpe->mpe_function;
471 break;
472 case MAC_EXTERNALIZE:
473 mpc->mpc_ops->mpo_externalize =
474 mpe->mpe_function;
475 break;
476 case MAC_INTERNALIZE:
477 mpc->mpc_ops->mpo_internalize =
478 mpe->mpe_function;
479 break;
480 case MAC_CREATE_DEVFS_DEVICE:
481 mpc->mpc_ops->mpo_create_devfs_device =
482 mpe->mpe_function;
483 break;
484 case MAC_CREATE_DEVFS_DIRECTORY:
485 mpc->mpc_ops->mpo_create_devfs_directory =
486 mpe->mpe_function;
487 break;
488 case MAC_CREATE_DEVFS_VNODE:
489 mpc->mpc_ops->mpo_create_devfs_vnode =
490 mpe->mpe_function;
491 break;
492 case MAC_STDCREATEVNODE_EA:
493 mpc->mpc_ops->mpo_stdcreatevnode_ea =
494 mpe->mpe_function;
495 break;
496 case MAC_CREATE_VNODE:
497 mpc->mpc_ops->mpo_create_vnode =
498 mpe->mpe_function;
499 break;
500 case MAC_CREATE_MOUNT:
501 mpc->mpc_ops->mpo_create_mount =
502 mpe->mpe_function;
503 break;
504 case MAC_CREATE_ROOT_MOUNT:
505 mpc->mpc_ops->mpo_create_root_mount =
506 mpe->mpe_function;
507 break;
508 case MAC_RELABEL_VNODE:
509 mpc->mpc_ops->mpo_relabel_vnode =
510 mpe->mpe_function;
511 break;
512 case MAC_UPDATE_DEVFSDIRENT:
513 mpc->mpc_ops->mpo_update_devfsdirent =
514 mpe->mpe_function;
515 break;
516 case MAC_UPDATE_PROCFSVNODE:
517 mpc->mpc_ops->mpo_update_procfsvnode =
518 mpe->mpe_function;
519 break;
520 case MAC_UPDATE_VNODE_FROM_EXTATTR:
521 mpc->mpc_ops->mpo_update_vnode_from_extattr =
522 mpe->mpe_function;
523 break;
524 case MAC_UPDATE_VNODE_FROM_EXTERNALIZED:
525 mpc->mpc_ops->mpo_update_vnode_from_externalized =
526 mpe->mpe_function;
527 break;
528 case MAC_UPDATE_VNODE_FROM_MOUNT:
529 mpc->mpc_ops->mpo_update_vnode_from_mount =
530 mpe->mpe_function;
531 break;
532 case MAC_CREATE_MBUF_FROM_SOCKET:
533 mpc->mpc_ops->mpo_create_mbuf_from_socket =
534 mpe->mpe_function;
535 break;
536 case MAC_CREATE_PIPE:
537 mpc->mpc_ops->mpo_create_pipe =
538 mpe->mpe_function;
539 break;
540 case MAC_CREATE_SOCKET:
541 mpc->mpc_ops->mpo_create_socket =
542 mpe->mpe_function;
543 break;
544 case MAC_CREATE_SOCKET_FROM_SOCKET:
545 mpc->mpc_ops->mpo_create_socket_from_socket =
546 mpe->mpe_function;
547 break;
548 case MAC_RELABEL_PIPE:
549 mpc->mpc_ops->mpo_relabel_pipe =
550 mpe->mpe_function;
551 break;
552 case MAC_RELABEL_SOCKET:
553 mpc->mpc_ops->mpo_relabel_socket =
554 mpe->mpe_function;
555 break;
556 case MAC_SET_SOCKET_PEER_FROM_MBUF:
557 mpc->mpc_ops->mpo_set_socket_peer_from_mbuf =
558 mpe->mpe_function;
559 break;
560 case MAC_SET_SOCKET_PEER_FROM_SOCKET:
561 mpc->mpc_ops->mpo_set_socket_peer_from_socket =
562 mpe->mpe_function;
563 break;
564 case MAC_CREATE_BPFDESC:
565 mpc->mpc_ops->mpo_create_bpfdesc =
566 mpe->mpe_function;
567 break;
568 case MAC_CREATE_DATAGRAM_FROM_IPQ:
569 mpc->mpc_ops->mpo_create_datagram_from_ipq =
570 mpe->mpe_function;
571 break;
572 case MAC_CREATE_FRAGMENT:
573 mpc->mpc_ops->mpo_create_fragment =
574 mpe->mpe_function;
575 break;
576 case MAC_CREATE_IFNET:
577 mpc->mpc_ops->mpo_create_ifnet =
578 mpe->mpe_function;
579 break;
580 case MAC_CREATE_IPQ:
581 mpc->mpc_ops->mpo_create_ipq =
582 mpe->mpe_function;
583 break;
584 case MAC_CREATE_MBUF_FROM_MBUF:
585 mpc->mpc_ops->mpo_create_mbuf_from_mbuf =
586 mpe->mpe_function;
587 break;
588 case MAC_CREATE_MBUF_LINKLAYER:
589 mpc->mpc_ops->mpo_create_mbuf_linklayer =
590 mpe->mpe_function;
591 break;
592 case MAC_CREATE_MBUF_FROM_BPFDESC:
593 mpc->mpc_ops->mpo_create_mbuf_from_bpfdesc =
594 mpe->mpe_function;
595 break;
596 case MAC_CREATE_MBUF_FROM_IFNET:
597 mpc->mpc_ops->mpo_create_mbuf_from_ifnet =
598 mpe->mpe_function;
599 break;
600 case MAC_CREATE_MBUF_MULTICAST_ENCAP:
601 mpc->mpc_ops->mpo_create_mbuf_multicast_encap =
602 mpe->mpe_function;
603 break;
604 case MAC_CREATE_MBUF_NETLAYER:
605 mpc->mpc_ops->mpo_create_mbuf_netlayer =
606 mpe->mpe_function;
607 break;
608 case MAC_FRAGMENT_MATCH:
609 mpc->mpc_ops->mpo_fragment_match =
610 mpe->mpe_function;
611 break;
612 case MAC_RELABEL_IFNET:
613 mpc->mpc_ops->mpo_relabel_ifnet =
614 mpe->mpe_function;
615 break;
616 case MAC_UPDATE_IPQ:
617 mpc->mpc_ops->mpo_update_ipq =
618 mpe->mpe_function;
619 break;
620 case MAC_CREATE_CRED:
621 mpc->mpc_ops->mpo_create_cred =
622 mpe->mpe_function;
623 break;
624 case MAC_EXECVE_TRANSITION:
625 mpc->mpc_ops->mpo_execve_transition =
626 mpe->mpe_function;
627 break;
628 case MAC_EXECVE_WILL_TRANSITION:
629 mpc->mpc_ops->mpo_execve_will_transition =
630 mpe->mpe_function;
631 break;
632 case MAC_CREATE_PROC0:
633 mpc->mpc_ops->mpo_create_proc0 = mpe->mpe_function;
634 break;
635 case MAC_CREATE_PROC1:
636 mpc->mpc_ops->mpo_create_proc1 = mpe->mpe_function;
637 break;
638 case MAC_RELABEL_CRED:
639 mpc->mpc_ops->mpo_relabel_cred =
640 mpe->mpe_function;
641 break;
642 case MAC_CHECK_BPFDESC_RECEIVE:
643 mpc->mpc_ops->mpo_check_bpfdesc_receive =
644 mpe->mpe_function;
645 break;
646 case MAC_CHECK_CRED_RELABEL:
647 mpc->mpc_ops->mpo_check_cred_relabel =
648 mpe->mpe_function;
649 break;
650 case MAC_CHECK_CRED_VISIBLE:
651 mpc->mpc_ops->mpo_check_cred_visible =
652 mpe->mpe_function;
653 break;
654 case MAC_CHECK_IFNET_RELABEL:
655 mpc->mpc_ops->mpo_check_ifnet_relabel =
656 mpe->mpe_function;
657 break;
658 case MAC_CHECK_IFNET_TRANSMIT:
659 mpc->mpc_ops->mpo_check_ifnet_transmit =
660 mpe->mpe_function;
661 break;
662 case MAC_CHECK_MOUNT_STAT:
663 mpc->mpc_ops->mpo_check_mount_stat =
664 mpe->mpe_function;
665 break;
666 case MAC_CHECK_PIPE_IOCTL:
667 mpc->mpc_ops->mpo_check_pipe_ioctl =
668 mpe->mpe_function;
669 break;
670 case MAC_CHECK_PIPE_OP:
671 mpc->mpc_ops->mpo_check_pipe_op =
672 mpe->mpe_function;
673 break;
674 case MAC_CHECK_PIPE_RELABEL:
675 mpc->mpc_ops->mpo_check_pipe_relabel =
676 mpe->mpe_function;
677 break;
678 case MAC_CHECK_PROC_DEBUG:
679 mpc->mpc_ops->mpo_check_proc_debug =
680 mpe->mpe_function;
681 break;
682 case MAC_CHECK_PROC_SCHED:
683 mpc->mpc_ops->mpo_check_proc_sched =
684 mpe->mpe_function;
685 break;
686 case MAC_CHECK_PROC_SIGNAL:
687 mpc->mpc_ops->mpo_check_proc_signal =
688 mpe->mpe_function;
689 break;
690 case MAC_CHECK_SOCKET_BIND:
691 mpc->mpc_ops->mpo_check_socket_bind =
692 mpe->mpe_function;
693 break;
694 case MAC_CHECK_SOCKET_CONNECT:
695 mpc->mpc_ops->mpo_check_socket_connect =
696 mpe->mpe_function;
697 break;
698 case MAC_CHECK_SOCKET_DELIVER:
699 mpc->mpc_ops->mpo_check_socket_deliver =
700 mpe->mpe_function;
701 break;
702 case MAC_CHECK_SOCKET_LISTEN:
703 mpc->mpc_ops->mpo_check_socket_listen =
704 mpe->mpe_function;
705 break;
706 case MAC_CHECK_SOCKET_RELABEL:
707 mpc->mpc_ops->mpo_check_socket_relabel =
708 mpe->mpe_function;
709 break;
710 case MAC_CHECK_SOCKET_VISIBLE:
711 mpc->mpc_ops->mpo_check_socket_visible =
712 mpe->mpe_function;
713 break;
714 case MAC_CHECK_VNODE_ACCESS:
715 mpc->mpc_ops->mpo_check_vnode_access =
716 mpe->mpe_function;
717 break;
718 case MAC_CHECK_VNODE_CHDIR:
719 mpc->mpc_ops->mpo_check_vnode_chdir =
720 mpe->mpe_function;
721 break;
722 case MAC_CHECK_VNODE_CHROOT:
723 mpc->mpc_ops->mpo_check_vnode_chroot =
724 mpe->mpe_function;
725 break;
726 case MAC_CHECK_VNODE_CREATE:
727 mpc->mpc_ops->mpo_check_vnode_create =
728 mpe->mpe_function;
729 break;
730 case MAC_CHECK_VNODE_DELETE:
731 mpc->mpc_ops->mpo_check_vnode_delete =
732 mpe->mpe_function;
733 break;
734 case MAC_CHECK_VNODE_DELETEACL:
735 mpc->mpc_ops->mpo_check_vnode_deleteacl =
736 mpe->mpe_function;
737 break;
738 case MAC_CHECK_VNODE_EXEC:
739 mpc->mpc_ops->mpo_check_vnode_exec =
740 mpe->mpe_function;
741 break;
742 case MAC_CHECK_VNODE_GETACL:
743 mpc->mpc_ops->mpo_check_vnode_getacl =
744 mpe->mpe_function;
745 break;
746 case MAC_CHECK_VNODE_GETEXTATTR:
747 mpc->mpc_ops->mpo_check_vnode_getextattr =
748 mpe->mpe_function;
749 break;
750 case MAC_CHECK_VNODE_LOOKUP:
751 mpc->mpc_ops->mpo_check_vnode_lookup =
752 mpe->mpe_function;
753 break;
754 case MAC_CHECK_VNODE_MMAP_PERMS:
755 mpc->mpc_ops->mpo_check_vnode_mmap_perms =
756 mpe->mpe_function;
757 break;
758 case MAC_CHECK_VNODE_OP:
759 mpc->mpc_ops->mpo_check_vnode_op =
760 mpe->mpe_function;
761 break;
762 case MAC_CHECK_VNODE_OPEN:
763 mpc->mpc_ops->mpo_check_vnode_open =
764 mpe->mpe_function;
765 break;
766 case MAC_CHECK_VNODE_READDIR:
767 mpc->mpc_ops->mpo_check_vnode_readdir =
768 mpe->mpe_function;
769 break;
770 case MAC_CHECK_VNODE_READLINK:
771 mpc->mpc_ops->mpo_check_vnode_readlink =
772 mpe->mpe_function;
773 break;
774 case MAC_CHECK_VNODE_RELABEL:
775 mpc->mpc_ops->mpo_check_vnode_relabel =
776 mpe->mpe_function;
777 break;
778 case MAC_CHECK_VNODE_RENAME_FROM:
779 mpc->mpc_ops->mpo_check_vnode_rename_from =
780 mpe->mpe_function;
781 break;
782 case MAC_CHECK_VNODE_RENAME_TO:
783 mpc->mpc_ops->mpo_check_vnode_rename_to =
784 mpe->mpe_function;
785 break;
786 case MAC_CHECK_VNODE_REVOKE:
787 mpc->mpc_ops->mpo_check_vnode_revoke =
788 mpe->mpe_function;
789 break;
790 case MAC_CHECK_VNODE_SETACL:
791 mpc->mpc_ops->mpo_check_vnode_setacl =
792 mpe->mpe_function;
793 break;
794 case MAC_CHECK_VNODE_SETEXTATTR:
795 mpc->mpc_ops->mpo_check_vnode_setextattr =
796 mpe->mpe_function;
797 break;
798 case MAC_CHECK_VNODE_SETFLAGS:
799 mpc->mpc_ops->mpo_check_vnode_setflags =
800 mpe->mpe_function;
801 break;
802 case MAC_CHECK_VNODE_SETMODE:
803 mpc->mpc_ops->mpo_check_vnode_setmode =
804 mpe->mpe_function;
805 break;
806 case MAC_CHECK_VNODE_SETOWNER:
807 mpc->mpc_ops->mpo_check_vnode_setowner =
808 mpe->mpe_function;
809 break;
810 case MAC_CHECK_VNODE_SETUTIMES:
811 mpc->mpc_ops->mpo_check_vnode_setutimes =
812 mpe->mpe_function;
813 break;
814 case MAC_CHECK_VNODE_STAT:
815 mpc->mpc_ops->mpo_check_vnode_stat =
816 mpe->mpe_function;
817 break;
818/*
819 default:
820 printf("MAC policy `%s': unknown operation %d\n",
821 mpc->mpc_name, mpe->mpe_constant);
822 return (EINVAL);
823*/
824 }
825 }
826 MAC_POLICY_LIST_LOCK();
827 if (mac_policy_list_busy > 0) {
828 MAC_POLICY_LIST_UNLOCK();
829 FREE(mpc->mpc_ops, M_MACOPVEC);
830 mpc->mpc_ops = NULL;
831 return (EBUSY);
832 }
833 LIST_FOREACH(tmpc, &mac_policy_list, mpc_list) {
834 if (strcmp(tmpc->mpc_name, mpc->mpc_name) == 0) {
835 MAC_POLICY_LIST_UNLOCK();
836 FREE(mpc->mpc_ops, M_MACOPVEC);
837 mpc->mpc_ops = NULL;
838 return (EEXIST);
839 }
840 }
841 if (mpc->mpc_field_off != NULL) {
842 slot = ffs(mac_policy_offsets_free);
843 if (slot == 0) {
844 MAC_POLICY_LIST_UNLOCK();
845 FREE(mpc->mpc_ops, M_MACOPVEC);
846 mpc->mpc_ops = NULL;
847 return (ENOMEM);
848 }
849 slot--;
850 mac_policy_offsets_free &= ~(1 << slot);
851 *mpc->mpc_field_off = slot;
852 }
853 mpc->mpc_runtime_flags |= MPC_RUNTIME_FLAG_REGISTERED;
854 LIST_INSERT_HEAD(&mac_policy_list, mpc, mpc_list);
855
856 /* Per-policy initialization. */
857 if (mpc->mpc_ops->mpo_init != NULL)
858 (*(mpc->mpc_ops->mpo_init))(mpc);
859 MAC_POLICY_LIST_UNLOCK();
860
861 printf("Security policy loaded: %s (%s)\n", mpc->mpc_fullname,
862 mpc->mpc_name);
863
864 return (0);
865}
866
867static int
868mac_policy_unregister(struct mac_policy_conf *mpc)
869{
870
871#if 0
872 /*
873 * Don't allow unloading modules with private data.
874 */
875 if (mpc->mpc_field_off != NULL)
876 return (EBUSY);
877#endif
878 if ((mpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_UNLOADOK) == 0)
879 return (EBUSY);
880 MAC_POLICY_LIST_LOCK();
881 if (mac_policy_list_busy > 0) {
882 MAC_POLICY_LIST_UNLOCK();
883 return (EBUSY);
884 }
885 if (mpc->mpc_ops->mpo_destroy != NULL)
886 (*(mpc->mpc_ops->mpo_destroy))(mpc);
887
888 LIST_REMOVE(mpc, mpc_list);
889 MAC_POLICY_LIST_UNLOCK();
890
891 FREE(mpc->mpc_ops, M_MACOPVEC);
892 mpc->mpc_ops = NULL;
893
894 printf("Security policy unload: %s (%s)\n", mpc->mpc_fullname,
895 mpc->mpc_name);
896
897 return (0);
898}
899
900/*
901 * Define an error value precedence, and given two arguments, selects the
902 * value with the higher precedence.
903 */
904static int
905error_select(int error1, int error2)
906{
907
908 /* Certain decision-making errors take top priority. */
909 if (error1 == EDEADLK || error2 == EDEADLK)
910 return (EDEADLK);
911
912 /* Invalid arguments should be reported where possible. */
913 if (error1 == EINVAL || error2 == EINVAL)
914 return (EINVAL);
915
916 /* Precedence goes to "visibility", with both process and file. */
917 if (error1 == ESRCH || error2 == ESRCH)
918 return (ESRCH);
919
920 if (error1 == ENOENT || error2 == ENOENT)
921 return (ENOENT);
922
923 /* Precedence goes to DAC/MAC protections. */
924 if (error1 == EACCES || error2 == EACCES)
925 return (EACCES);
926
927 /* Precedence goes to privilege. */
928 if (error1 == EPERM || error2 == EPERM)
929 return (EPERM);
930
931 /* Precedence goes to error over success; otherwise, arbitrary. */
932 if (error1 != 0)
933 return (error1);
934 return (error2);
935}
936
937void
938mac_update_devfsdirent(struct devfs_dirent *de, struct vnode *vp)
939{
940
941 MAC_PERFORM(update_devfsdirent, de, &de->de_label, vp, &vp->v_label);
942}
943
944void
945mac_update_procfsvnode(struct vnode *vp, struct ucred *cred)
946{
947
948 MAC_PERFORM(update_procfsvnode, vp, &vp->v_label, cred);
949}
950
951/*
952 * Support callout for policies that manage their own externalization
953 * using extended attributes.
954 */
955static int
956mac_update_vnode_from_extattr(struct vnode *vp, struct mount *mp)
957{
958 int error;
959
960 MAC_CHECK(update_vnode_from_extattr, vp, &vp->v_label, mp,
961 &mp->mnt_fslabel);
962
963 return (error);
964}
965
966/*
967 * Given an externalized mac label, internalize it and stamp it on a
968 * vnode.
969 */
970static int
971mac_update_vnode_from_externalized(struct vnode *vp, struct mac *extmac)
972{
973 int error;
974
975 MAC_CHECK(update_vnode_from_externalized, vp, &vp->v_label, extmac);
976
977 return (error);
978}
979
980/*
981 * Call out to individual policies to update the label in a vnode from
982 * the mountpoint.
983 */
984void
985mac_update_vnode_from_mount(struct vnode *vp, struct mount *mp)
986{
987
988 MAC_PERFORM(update_vnode_from_mount, vp, &vp->v_label, mp,
989 &mp->mnt_fslabel);
990
991 ASSERT_VOP_LOCKED(vp, "mac_update_vnode_from_mount");
992 if (mac_cache_fslabel_in_vnode)
993 vp->v_vflag |= VV_CACHEDLABEL;
994}
995
996/*
997 * Implementation of VOP_REFRESHLABEL() that relies on extended attributes
998 * to store label data. Can be referenced by filesystems supporting
999 * extended attributes.
1000 */
1001int
1002vop_stdrefreshlabel_ea(struct vop_refreshlabel_args *ap)
1003{
1004 struct vnode *vp = ap->a_vp;
1005 struct mac extmac;
1006 int buflen, error;
1007
1008 ASSERT_VOP_LOCKED(vp, "vop_stdrefreshlabel_ea");
1009
1010 /*
1011 * Call out to external policies first. Order doesn't really
1012 * matter, as long as failure of one assures failure of all.
1013 */
1014 error = mac_update_vnode_from_extattr(vp, vp->v_mount);
1015 if (error)
1016 return (error);
1017
1018 buflen = sizeof(extmac);
1019 error = vn_extattr_get(vp, IO_NODELOCKED,
1020 FREEBSD_MAC_EXTATTR_NAMESPACE, FREEBSD_MAC_EXTATTR_NAME, &buflen,
1021 (char *)&extmac, curthread);
1022 switch (error) {
1023 case 0:
1024 /* Got it */
1025 break;
1026
1027 case ENOATTR:
1028 /*
1029 * Use the label from the mount point.
1030 */
1031 mac_update_vnode_from_mount(vp, vp->v_mount);
1032 return (0);
1033
1034 case EOPNOTSUPP:
1035 default:
1036 /* Fail horribly. */
1037 return (error);
1038 }
1039
1040 if (buflen != sizeof(extmac))
1041 error = EPERM; /* Fail very closed. */
1042 if (error == 0)
1043 error = mac_update_vnode_from_externalized(vp, &extmac);
1044 if (error == 0)
1045 vp->v_vflag |= VV_CACHEDLABEL;
1046 else {
1047 struct vattr va;
1048
1049 printf("Corrupted label on %s",
1050 vp->v_mount->mnt_stat.f_mntonname);
1051 if (VOP_GETATTR(vp, &va, curthread->td_ucred, curthread) == 0)
1052 printf(" inum %ld", va.va_fileid);
1053 if (mac_debug_label_fallback) {
1054 printf(", falling back.\n");
1055 mac_update_vnode_from_mount(vp, vp->v_mount);
1056 error = 0;
1057 } else {
1058 printf(".\n");
1059 error = EPERM;
1060 }
1061 }
1062
1063 return (error);
1064}
1065
1066/*
1067 * Make sure the vnode label is up-to-date. If EOPNOTSUPP, then we handle
1068 * the labeling activity outselves. Filesystems should be careful not
1069 * to change their minds regarding whether they support vop_refreshlabel()
1070 * for a vnode or not. Don't cache the vnode here, allow the file
1071 * system code to determine if it's safe to cache. If we update from
1072 * the mount, don't cache since a change to the mount label should affect
1073 * all vnodes.
1074 */
1075static int
1076vn_refreshlabel(struct vnode *vp, struct ucred *cred)
1077{
1078 int error;
1079
1080 ASSERT_VOP_LOCKED(vp, "vn_refreshlabel");
1081
1082 if (vp->v_mount == NULL) {
1083/*
1084 Eventually, we probably want to special-case refreshing
1085 of deadfs vnodes, and if there's a lock-free race somewhere,
1086 that case might be handled here.
1087
1088 mac_update_vnode_deadfs(vp);
1089 return (0);
1090 */
1091 /* printf("vn_refreshlabel: null v_mount\n"); */
1092 if (vp->v_tag != VT_NON)
1093 printf(
1094 "vn_refreshlabel: null v_mount with non-VT_NON\n");
1095 return (EBADF);
1096 }
1097
1098 if (vp->v_vflag & VV_CACHEDLABEL) {
1099 mac_vnode_label_cache_hits++;
1100 return (0);
1101 } else
1102 mac_vnode_label_cache_misses++;
1103
1104 if ((vp->v_mount->mnt_flag & MNT_MULTILABEL) == 0) {
1105 mac_update_vnode_from_mount(vp, vp->v_mount);
1106 return (0);
1107 }
1108
1109 error = VOP_REFRESHLABEL(vp, cred, curthread);
1110 switch (error) {
1111 case EOPNOTSUPP:
1112 /*
1113 * If labels are not supported on this vnode, fall back to
1114 * the label in the mount and propagate it to the vnode.
1115 * There should probably be some sort of policy/flag/decision
1116 * about doing this.
1117 */
1118 mac_update_vnode_from_mount(vp, vp->v_mount);
1119 error = 0;
1120 default:
1121 return (error);
1122 }
1123}
1124
1125/*
1126 * Helper function for file systems using the vop_std*_ea() calls. This
1127 * function must be called after EA service is available for the vnode,
1128 * but before it's hooked up to the namespace so that the node persists
1129 * if there's a crash, or before it can be accessed. On successful
1130 * commit of the label to disk (etc), do cache the label.
1131 */
1132int
1133vop_stdcreatevnode_ea(struct vnode *dvp, struct vnode *tvp, struct ucred *cred)
1134{
1135 struct mac extmac;
1136 int error;
1137
1138 ASSERT_VOP_LOCKED(tvp, "vop_stdcreatevnode_ea");
1139 if ((dvp->v_mount->mnt_flag & MNT_MULTILABEL) == 0) {
1140 mac_update_vnode_from_mount(tvp, tvp->v_mount);
1141 } else {
1142 error = vn_refreshlabel(dvp, cred);
1143 if (error)
1144 return (error);
1145
1146 /*
1147 * Stick the label in the vnode. Then try to write to
1148 * disk. If we fail, return a failure to abort the
1149 * create operation. Really, this failure shouldn't
1150 * happen except in fairly unusual circumstances (out
1151 * of disk, etc).
1152 */
1153 mac_create_vnode(cred, dvp, tvp);
1154
1155 error = mac_stdcreatevnode_ea(tvp);
1156 if (error)
1157 return (error);
1158
1159 /*
1160 * XXX: Eventually this will go away and all policies will
1161 * directly manage their extended attributes.
1162 */
1163 error = mac_externalize(&tvp->v_label, &extmac);
1164 if (error)
1165 return (error);
1166
1167 error = vn_extattr_set(tvp, IO_NODELOCKED,
1168 FREEBSD_MAC_EXTATTR_NAMESPACE, FREEBSD_MAC_EXTATTR_NAME,
1169 sizeof(extmac), (char *)&extmac, curthread);
1170 if (error == 0)
1171 tvp->v_vflag |= VV_CACHEDLABEL;
1172 else {
1173#if 0
1174 /*
1175 * In theory, we could have fall-back behavior here.
1176 * It would probably be incorrect.
1177 */
1178#endif
1179 return (error);
1180 }
1181 }
1182
1183 return (0);
1184}
1185
1186void
1187mac_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp)
1188{
1189 int error;
1190
1191 ASSERT_VOP_LOCKED(vp, "mac_execve_transition");
1192
1193 error = vn_refreshlabel(vp, old);
1194 if (error) {
1195 printf("mac_execve_transition: vn_refreshlabel returned %d\n",
1196 error);
1197 printf("mac_execve_transition: using old vnode label\n");
1198 }
1199
1200 MAC_PERFORM(execve_transition, old, new, vp, &vp->v_label);
1201}
1202
1203int
1204mac_execve_will_transition(struct ucred *old, struct vnode *vp)
1205{
1206 int error, result;
1207
1208 error = vn_refreshlabel(vp, old);
1209 if (error)
1210 return (error);
1211
1212 result = 0;
1213 MAC_BOOLEAN(execve_will_transition, ||, old, vp, &vp->v_label);
1214
1215 return (result);
1216}
1217
1218static void
1219mac_init_label(struct label *label)
1220{
1221
1222 bzero(label, sizeof(*label));
1223 label->l_flags = MAC_FLAG_INITIALIZED;
1224}
1225
1226static void
1227mac_init_structmac(struct mac *mac)
1228{
1229
1230 bzero(mac, sizeof(*mac));
1231 mac->m_macflags = MAC_FLAG_INITIALIZED;
1232}
1233
1234static void
1235mac_destroy_label(struct label *label)
1236{
1237
1238 KASSERT(label->l_flags & MAC_FLAG_INITIALIZED,
1239 ("destroying uninitialized label"));
1240
1241 bzero(label, sizeof(*label));
1242 /* implicit: label->l_flags &= ~MAC_FLAG_INITIALIZED; */
1243}
1244
1245int
1246mac_init_mbuf(struct mbuf *m, int how)
1247{
1248 KASSERT(m->m_flags & M_PKTHDR, ("mac_init_mbuf on non-header mbuf"));
1249
1250 /* "how" is one of M_(TRY|DONT)WAIT */
1251 mac_init_label(&m->m_pkthdr.label);
1252 MAC_PERFORM(init_mbuf, m, how, &m->m_pkthdr.label);
1253#ifdef MAC_DEBUG
1254 atomic_add_int(&nmacmbufs, 1);
1255#endif
1256 return (0);
1257}
1258
1259void
1260mac_destroy_mbuf(struct mbuf *m)
1261{
1262
1263 MAC_PERFORM(destroy_mbuf, m, &m->m_pkthdr.label);
1264 mac_destroy_label(&m->m_pkthdr.label);
1265#ifdef MAC_DEBUG
1266 atomic_subtract_int(&nmacmbufs, 1);
1267#endif
1268}
1269
1270void
1271mac_init_cred(struct ucred *cr)
1272{
1273
1274 mac_init_label(&cr->cr_label);
1275 MAC_PERFORM(init_cred, cr, &cr->cr_label);
1276#ifdef MAC_DEBUG
1277 atomic_add_int(&nmaccreds, 1);
1278#endif
1279}
1280
1281void
1282mac_destroy_cred(struct ucred *cr)
1283{
1284
1285 MAC_PERFORM(destroy_cred, cr, &cr->cr_label);
1286 mac_destroy_label(&cr->cr_label);
1287#ifdef MAC_DEBUG
1288 atomic_subtract_int(&nmaccreds, 1);
1289#endif
1290}
1291
1292void
1293mac_init_ifnet(struct ifnet *ifp)
1294{
1295
1296 mac_init_label(&ifp->if_label);
1297 MAC_PERFORM(init_ifnet, ifp, &ifp->if_label);
1298#ifdef MAC_DEBUG
1299 atomic_add_int(&nmacifnets, 1);
1300#endif
1301}
1302
1303void
1304mac_destroy_ifnet(struct ifnet *ifp)
1305{
1306
1307 MAC_PERFORM(destroy_ifnet, ifp, &ifp->if_label);
1308 mac_destroy_label(&ifp->if_label);
1309#ifdef MAC_DEBUG
1310 atomic_subtract_int(&nmacifnets, 1);
1311#endif
1312}
1313
1314void
1315mac_init_ipq(struct ipq *ipq)
1316{
1317
1318 mac_init_label(&ipq->ipq_label);
1319 MAC_PERFORM(init_ipq, ipq, &ipq->ipq_label);
1320#ifdef MAC_DEBUG
1321 atomic_add_int(&nmacipqs, 1);
1322#endif
1323}
1324
1325void
1326mac_destroy_ipq(struct ipq *ipq)
1327{
1328
1329 MAC_PERFORM(destroy_ipq, ipq, &ipq->ipq_label);
1330 mac_destroy_label(&ipq->ipq_label);
1331#ifdef MAC_DEBUG
1332 atomic_subtract_int(&nmacipqs, 1);
1333#endif
1334}
1335
1336void
1337mac_init_socket(struct socket *socket)
1338{
1339
1340 mac_init_label(&socket->so_label);
1341 mac_init_label(&socket->so_peerlabel);
1342 MAC_PERFORM(init_socket, socket, &socket->so_label,
1343 &socket->so_peerlabel);
1344#ifdef MAC_DEBUG
1345 atomic_add_int(&nmacsockets, 1);
1346#endif
1347}
1348
1349void
1350mac_destroy_socket(struct socket *socket)
1351{
1352
1353 MAC_PERFORM(destroy_socket, socket, &socket->so_label,
1354 &socket->so_peerlabel);
1355 mac_destroy_label(&socket->so_label);
1356 mac_destroy_label(&socket->so_peerlabel);
1357#ifdef MAC_DEBUG
1358 atomic_subtract_int(&nmacsockets, 1);
1359#endif
1360}
1361
1362void
1363mac_init_pipe(struct pipe *pipe)
1364{
1365 struct label *label;
1366
1367 label = malloc(sizeof(struct label), M_MACPIPELABEL, M_ZERO|M_WAITOK);
1368 mac_init_label(label);
1369 pipe->pipe_label = label;
1370 pipe->pipe_peer->pipe_label = label;
1371 MAC_PERFORM(init_pipe, pipe, pipe->pipe_label);
1372#ifdef MAC_DEBUG
1373 atomic_add_int(&nmacpipes, 1);
1374#endif
1375}
1376
1377void
1378mac_destroy_pipe(struct pipe *pipe)
1379{
1380
1381 MAC_PERFORM(destroy_pipe, pipe, pipe->pipe_label);
1382 mac_destroy_label(pipe->pipe_label);
1383 free(pipe->pipe_label, M_MACPIPELABEL);
1384#ifdef MAC_DEBUG
1385 atomic_subtract_int(&nmacpipes, 1);
1386#endif
1387}
1388
1389void
1390mac_init_bpfdesc(struct bpf_d *bpf_d)
1391{
1392
1393 mac_init_label(&bpf_d->bd_label);
1394 MAC_PERFORM(init_bpfdesc, bpf_d, &bpf_d->bd_label);
1395#ifdef MAC_DEBUG
1396 atomic_add_int(&nmacbpfdescs, 1);
1397#endif
1398}
1399
1400void
1401mac_destroy_bpfdesc(struct bpf_d *bpf_d)
1402{
1403
1404 MAC_PERFORM(destroy_bpfdesc, bpf_d, &bpf_d->bd_label);
1405 mac_destroy_label(&bpf_d->bd_label);
1406#ifdef MAC_DEBUG
1407 atomic_subtract_int(&nmacbpfdescs, 1);
1408#endif
1409}
1410
1411void
1412mac_init_mount(struct mount *mp)
1413{
1414
1415 mac_init_label(&mp->mnt_mntlabel);
1416 mac_init_label(&mp->mnt_fslabel);
1417 MAC_PERFORM(init_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel);
1418#ifdef MAC_DEBUG
1419 atomic_add_int(&nmacmounts, 1);
1420#endif
1421}
1422
1423void
1424mac_destroy_mount(struct mount *mp)
1425{
1426
1427 MAC_PERFORM(destroy_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel);
1428 mac_destroy_label(&mp->mnt_fslabel);
1429 mac_destroy_label(&mp->mnt_mntlabel);
1430#ifdef MAC_DEBUG
1431 atomic_subtract_int(&nmacmounts, 1);
1432#endif
1433}
1434
1435static void
1436mac_init_temp(struct label *label)
1437{
1438
1439 mac_init_label(label);
1440 MAC_PERFORM(init_temp, label);
1441#ifdef MAC_DEBUG
1442 atomic_add_int(&nmactemp, 1);
1443#endif
1444}
1445
1446static void
1447mac_destroy_temp(struct label *label)
1448{
1449
1450 MAC_PERFORM(destroy_temp, label);
1451 mac_destroy_label(label);
1452#ifdef MAC_DEBUG
1453 atomic_subtract_int(&nmactemp, 1);
1454#endif
1455}
1456
1457void
1458mac_init_vnode(struct vnode *vp)
1459{
1460
1461 mac_init_label(&vp->v_label);
1462 MAC_PERFORM(init_vnode, vp, &vp->v_label);
1463#ifdef MAC_DEBUG
1464 atomic_add_int(&nmacvnodes, 1);
1465#endif
1466}
1467
1468void
1469mac_destroy_vnode(struct vnode *vp)
1470{
1471
1472 MAC_PERFORM(destroy_vnode, vp, &vp->v_label);
1473 mac_destroy_label(&vp->v_label);
1474#ifdef MAC_DEBUG
1475 atomic_subtract_int(&nmacvnodes, 1);
1476#endif
1477}
1478
1479void
1480mac_init_devfsdirent(struct devfs_dirent *de)
1481{
1482
1483 mac_init_label(&de->de_label);
1484 MAC_PERFORM(init_devfsdirent, de, &de->de_label);
1485#ifdef MAC_DEBUG
1486 atomic_add_int(&nmacdevfsdirents, 1);
1487#endif
1488}
1489
1490void
1491mac_destroy_devfsdirent(struct devfs_dirent *de)
1492{
1493
1494 MAC_PERFORM(destroy_devfsdirent, de, &de->de_label);
1495 mac_destroy_label(&de->de_label);
1496#ifdef MAC_DEBUG
1497 atomic_subtract_int(&nmacdevfsdirents, 1);
1498#endif
1499}
1500
1501static int
1502mac_externalize(struct label *label, struct mac *mac)
1503{
1504 int error;
1505
1506 mac_init_structmac(mac);
1507 MAC_CHECK(externalize, label, mac);
1508
1509 return (error);
1510}
1511
1512static int
1513mac_internalize(struct label *label, struct mac *mac)
1514{
1515 int error;
1516
1517 mac_init_temp(label);
1518 MAC_CHECK(internalize, label, mac);
1519 if (error)
1520 mac_destroy_temp(label);
1521
1522 return (error);
1523}
1524
1525/*
1526 * Initialize MAC label for the first kernel process, from which other
1527 * kernel processes and threads are spawned.
1528 */
1529void
1530mac_create_proc0(struct ucred *cred)
1531{
1532
1533 MAC_PERFORM(create_proc0, cred);
1534}
1535
1536/*
1537 * Initialize MAC label for the first userland process, from which other
1538 * userland processes and threads are spawned.
1539 */
1540void
1541mac_create_proc1(struct ucred *cred)
1542{
1543
1544 MAC_PERFORM(create_proc1, cred);
1545}
1546
1547/*
1548 * When a new process is created, its label must be initialized. Generally,
1549 * this involves inheritence from the parent process, modulo possible
1550 * deltas. This function allows that processing to take place.
1551 */
1552void
1553mac_create_cred(struct ucred *parent_cred, struct ucred *child_cred)
1554{
1555
1556 MAC_PERFORM(create_cred, parent_cred, child_cred);
1557}
1558
1559int
1560mac_check_vnode_access(struct ucred *cred, struct vnode *vp, int flags)
1561{
1562 int error;
1563
1564 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_access");
1565
1566 if (!mac_enforce_fs)
1567 return (0);
1568
1569 error = vn_refreshlabel(vp, cred);
1570 if (error)
1571 return (error);
1572
1573 MAC_CHECK(check_vnode_access, cred, vp, &vp->v_label, flags);
1574 return (error);
1575}
1576
1577int
1578mac_check_vnode_chdir(struct ucred *cred, struct vnode *dvp)
1579{
1580 int error;
1581
1582 ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_chdir");
1583
1584 if (!mac_enforce_fs)
1585 return (0);
1586
1587 error = vn_refreshlabel(dvp, cred);
1588 if (error)
1589 return (error);
1590
1591 MAC_CHECK(check_vnode_chdir, cred, dvp, &dvp->v_label);
1592 return (error);
1593}
1594
1595int
1596mac_check_vnode_chroot(struct ucred *cred, struct vnode *dvp)
1597{
1598 int error;
1599
1600 ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_chroot");
1601
1602 if (!mac_enforce_fs)
1603 return (0);
1604
1605 error = vn_refreshlabel(dvp, cred);
1606 if (error)
1607 return (error);
1608
1609 MAC_CHECK(check_vnode_chroot, cred, dvp, &dvp->v_label);
1610 return (error);
1611}
1612
1613int
1614mac_check_vnode_create(struct ucred *cred, struct vnode *dvp,
1615 struct componentname *cnp, struct vattr *vap)
1616{
1617 int error;
1618
1619 ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_create");
1620
1621 if (!mac_enforce_fs)
1622 return (0);
1623
1624 error = vn_refreshlabel(dvp, cred);
1625 if (error)
1626 return (error);
1627
1628 MAC_CHECK(check_vnode_create, cred, dvp, &dvp->v_label, cnp, vap);
1629 return (error);
1630}
1631
1632int
1633mac_check_vnode_delete(struct ucred *cred, struct vnode *dvp, struct vnode *vp,
1634 struct componentname *cnp)
1635{
1636 int error;
1637
1638 ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_delete");
1639 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_delete");
1640
1641 if (!mac_enforce_fs)
1642 return (0);
1643
1644 error = vn_refreshlabel(dvp, cred);
1645 if (error)
1646 return (error);
1647 error = vn_refreshlabel(vp, cred);
1648 if (error)
1649 return (error);
1650
1651 MAC_CHECK(check_vnode_delete, cred, dvp, &dvp->v_label, vp,
1652 &vp->v_label, cnp);
1653 return (error);
1654}
1655
1656int
1657mac_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
1658 acl_type_t type)
1659{
1660 int error;
1661
1662 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_deleteacl");
1663
1664 if (!mac_enforce_fs)
1665 return (0);
1666
1667 error = vn_refreshlabel(vp, cred);
1668 if (error)
1669 return (error);
1670
1671 MAC_CHECK(check_vnode_deleteacl, cred, vp, &vp->v_label, type);
1672 return (error);
1673}
1674
1675int
1676mac_check_vnode_exec(struct ucred *cred, struct vnode *vp)
1677{
1678 int error;
1679
1680 if (!mac_enforce_process && !mac_enforce_fs)
1681 return (0);
1682
1683 error = vn_refreshlabel(vp, cred);
1684 if (error)
1685 return (error);
1686 MAC_CHECK(check_vnode_exec, cred, vp, &vp->v_label);
1687
1688 return (error);
1689}
1690
1691int
1692mac_check_vnode_getacl(struct ucred *cred, struct vnode *vp, acl_type_t type)
1693{
1694 int error;
1695
1696 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_getacl");
1697
1698 if (!mac_enforce_fs)
1699 return (0);
1700
1701 error = vn_refreshlabel(vp, cred);
1702 if (error)
1703 return (error);
1704
1705 MAC_CHECK(check_vnode_getacl, cred, vp, &vp->v_label, type);
1706 return (error);
1707}
1708
1709int
1710mac_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
1711 int attrnamespace, const char *name, struct uio *uio)
1712{
1713 int error;
1714
1715 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_getextattr");
1716
1717 if (!mac_enforce_fs)
1718 return (0);
1719
1720 error = vn_refreshlabel(vp, cred);
1721 if (error)
1722 return (error);
1723
1724 MAC_CHECK(check_vnode_getextattr, cred, vp, &vp->v_label,
1725 attrnamespace, name, uio);
1726 return (error);
1727}
1728
1729int
1730mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
1731 struct componentname *cnp)
1732{
1733 int error;
1734
1735 ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_lookup");
1736
1737 if (!mac_enforce_fs)
1738 return (0);
1739
1740 error = vn_refreshlabel(dvp, cred);
1741 if (error)
1742 return (error);
1743
1744 MAC_CHECK(check_vnode_lookup, cred, dvp, &dvp->v_label, cnp);
1745 return (error);
1746}
1747
1748vm_prot_t
1749mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp, int newmapping)
1750{
1751 vm_prot_t result = VM_PROT_ALL;
1752
1753 /*
1754 * This should be some sort of MAC_BITWISE, maybe :)
1755 */
1756 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_mmap_perms");
1757 MAC_BOOLEAN(check_vnode_mmap_perms, &, cred, vp, &vp->v_label,
1758 newmapping);
1759 return (result);
1760}
1761
1762int
1763mac_check_vnode_op(struct ucred *cred, struct vnode *vp, int op)
1764{
1765 int error;
1766
1767 if (!mac_enforce_fs)
1768 return (0);
1769
1770 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_op");
1771
1772 error = vn_refreshlabel(vp, cred);
1773 if (error)
1774 return (error);
1775
1776 MAC_CHECK(check_vnode_op, cred, vp, &vp->v_label, op);
1777
1778 return (error);
1779}
1780
1781int
1782mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
1783{
1784 int error;
1785
1786 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open");
1787
1788 if (!mac_enforce_fs)
1789 return (0);
1790
1791 error = vn_refreshlabel(vp, cred);
1792 if (error)
1793 return (error);
1794
1795 MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode);
1796 return (error);
1797}
1798
1799int
1800mac_check_vnode_readdir(struct ucred *cred, struct vnode *dvp)
1801{
1802 int error;
1803
1804 ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_readdir");
1805
1806 if (!mac_enforce_fs)
1807 return (0);
1808
1809 error = vn_refreshlabel(dvp, cred);
1810 if (error)
1811 return (error);
1812
1813 MAC_CHECK(check_vnode_readdir, cred, dvp, &dvp->v_label);
1814 return (error);
1815}
1816
1817int
1818mac_check_vnode_readlink(struct ucred *cred, struct vnode *vp)
1819{
1820 int error;
1821
1822 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_readlink");
1823
1824 if (!mac_enforce_fs)
1825 return (0);
1826
1827 error = vn_refreshlabel(vp, cred);
1828 if (error)
1829 return (error);
1830
1831 MAC_CHECK(check_vnode_readlink, cred, vp, &vp->v_label);
1832 return (error);
1833}
1834
1835static int
1836mac_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
1837 struct label *newlabel)
1838{
1839 int error;
1840
1841 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_relabel");
1842
1843 error = vn_refreshlabel(vp, cred);
1844 if (error)
1845 return (error);
1846
1847 MAC_CHECK(check_vnode_relabel, cred, vp, &vp->v_label, newlabel);
1848
1849 return (error);
1850}
1851
1852int
1853mac_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
1854 struct vnode *vp, struct componentname *cnp)
1855{
1856 int error;
1857
1858 ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_rename_from");
1859 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_rename_from");
1860
1861 if (!mac_enforce_fs)
1862 return (0);
1863
1864 error = vn_refreshlabel(dvp, cred);
1865 if (error)
1866 return (error);
1867 error = vn_refreshlabel(vp, cred);
1868 if (error)
1869 return (error);
1870
1871 MAC_CHECK(check_vnode_rename_from, cred, dvp, &dvp->v_label, vp,
1872 &vp->v_label, cnp);
1873 return (error);
1874}
1875
1876int
1877mac_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
1878 struct vnode *vp, int samedir, struct componentname *cnp)
1879{
1880 int error;
1881
1882 ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_rename_to");
1883 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_rename_to");
1884
1885 if (!mac_enforce_fs)
1886 return (0);
1887
1888 error = vn_refreshlabel(dvp, cred);
1889 if (error)
1890 return (error);
1891 if (vp != NULL) {
1892 error = vn_refreshlabel(vp, cred);
1893 if (error)
1894 return (error);
1895 }
1896 MAC_CHECK(check_vnode_rename_to, cred, dvp, &dvp->v_label, vp,
1897 vp != NULL ? &vp->v_label : NULL, samedir, cnp);
1898 return (error);
1899}
1900
1901int
1902mac_check_vnode_revoke(struct ucred *cred, struct vnode *vp)
1903{
1904 int error;
1905
1906 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_revoke");
1907
1908 if (!mac_enforce_fs)
1909 return (0);
1910
1911 error = vn_refreshlabel(vp, cred);
1912 if (error)
1913 return (error);
1914
1915 MAC_CHECK(check_vnode_revoke, cred, vp, &vp->v_label);
1916 return (error);
1917}
1918
1919int
1920mac_check_vnode_setacl(struct ucred *cred, struct vnode *vp, acl_type_t type,
1921 struct acl *acl)
1922{
1923 int error;
1924
1925 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setacl");
1926
1927 if (!mac_enforce_fs)
1928 return (0);
1929
1930 error = vn_refreshlabel(vp, cred);
1931 if (error)
1932 return (error);
1933
1934 MAC_CHECK(check_vnode_setacl, cred, vp, &vp->v_label, type, acl);
1935 return (error);
1936}
1937
1938int
1939mac_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
1940 int attrnamespace, const char *name, struct uio *uio)
1941{
1942 int error;
1943
1944 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setextattr");
1945
1946 if (!mac_enforce_fs)
1947 return (0);
1948
1949 error = vn_refreshlabel(vp, cred);
1950 if (error)
1951 return (error);
1952
1953 MAC_CHECK(check_vnode_setextattr, cred, vp, &vp->v_label,
1954 attrnamespace, name, uio);
1955 return (error);
1956}
1957
1958int
1959mac_check_vnode_setflags(struct ucred *cred, struct vnode *vp, u_long flags)
1960{
1961 int error;
1962
1963 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setflags");
1964
1965 if (!mac_enforce_fs)
1966 return (0);
1967
1968 error = vn_refreshlabel(vp, cred);
1969 if (error)
1970 return (error);
1971
1972 MAC_CHECK(check_vnode_setflags, cred, vp, &vp->v_label, flags);
1973 return (error);
1974}
1975
1976int
1977mac_check_vnode_setmode(struct ucred *cred, struct vnode *vp, mode_t mode)
1978{
1979 int error;
1980
1981 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setmode");
1982
1983 if (!mac_enforce_fs)
1984 return (0);
1985
1986 error = vn_refreshlabel(vp, cred);
1987 if (error)
1988 return (error);
1989
1990 MAC_CHECK(check_vnode_setmode, cred, vp, &vp->v_label, mode);
1991 return (error);
1992}
1993
1994int
1995mac_check_vnode_setowner(struct ucred *cred, struct vnode *vp, uid_t uid,
1996 gid_t gid)
1997{
1998 int error;
1999
2000 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setowner");
2001
2002 if (!mac_enforce_fs)
2003 return (0);
2004
2005 error = vn_refreshlabel(vp, cred);
2006 if (error)
2007 return (error);
2008
2009 MAC_CHECK(check_vnode_setowner, cred, vp, &vp->v_label, uid, gid);
2010 return (error);
2011}
2012
2013int
2014mac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
2015 struct timespec atime, struct timespec mtime)
2016{
2017 int error;
2018
2019 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setutimes");
2020
2021 if (!mac_enforce_fs)
2022 return (0);
2023
2024 error = vn_refreshlabel(vp, cred);
2025 if (error)
2026 return (error);
2027
2028 MAC_CHECK(check_vnode_setutimes, cred, vp, &vp->v_label, atime,
2029 mtime);
2030 return (error);
2031}
2032
2033int
2034mac_check_vnode_stat(struct ucred *cred, struct vnode *vp)
2035{
2036 int error;
2037
2038 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_stat");
2039
2040 if (!mac_enforce_fs)
2041 return (0);
2042
2043 error = vn_refreshlabel(vp, cred);
2044 if (error)
2045 return (error);
2046
2047 MAC_CHECK(check_vnode_stat, cred, vp, &vp->v_label);
2048 return (error);
2049}
2050
2051/*
2052 * When relabeling a process, call out to the policies for the maximum
2053 * permission allowed for each object type we know about in its
2054 * memory space, and revoke access (in the least surprising ways we
2055 * know) when necessary. The process lock is not held here.
2056 */
2057static void
2058mac_cred_mmapped_drop_perms(struct thread *td, struct ucred *cred)
2059{
2060
2061 /* XXX freeze all other threads */
2062 mtx_lock(&Giant);
2063 mac_cred_mmapped_drop_perms_recurse(td, cred,
2064 &td->td_proc->p_vmspace->vm_map);
2065 mtx_unlock(&Giant);
2066 /* XXX allow other threads to continue */
2067}
2068
2069static __inline const char *
2070prot2str(vm_prot_t prot)
2071{
2072
2073 switch (prot & VM_PROT_ALL) {
2074 case VM_PROT_READ:
2075 return ("r--");
2076 case VM_PROT_READ | VM_PROT_WRITE:
2077 return ("rw-");
2078 case VM_PROT_READ | VM_PROT_EXECUTE:
2079 return ("r-x");
2080 case VM_PROT_READ | VM_PROT_WRITE | VM_PROT_EXECUTE:
2081 return ("rwx");
2082 case VM_PROT_WRITE:
2083 return ("-w-");
2084 case VM_PROT_EXECUTE:
2085 return ("--x");
2086 case VM_PROT_WRITE | VM_PROT_EXECUTE:
2087 return ("-wx");
2088 default:
2089 return ("---");
2090 }
2091}
2092
2093static void
2094mac_cred_mmapped_drop_perms_recurse(struct thread *td, struct ucred *cred,
2095 struct vm_map *map)
2096{
2097 struct vm_map_entry *vme;
2098 vm_prot_t result, revokeperms;
2099 vm_object_t object;
2100 vm_ooffset_t offset;
2101 struct vnode *vp;
2102
2103 vm_map_lock_read(map);
2104 for (vme = map->header.next; vme != &map->header; vme = vme->next) {
2105 if (vme->eflags & MAP_ENTRY_IS_SUB_MAP) {
2106 mac_cred_mmapped_drop_perms_recurse(td, cred,
2107 vme->object.sub_map);
2108 continue;
2109 }
2110 /*
2111 * Skip over entries that obviously are not shared.
2112 */
2113 if (vme->eflags & (MAP_ENTRY_COW | MAP_ENTRY_NOSYNC) ||
2114 !vme->max_protection)
2115 continue;
2116 /*
2117 * Drill down to the deepest backing object.
2118 */
2119 offset = vme->offset;
2120 object = vme->object.vm_object;
2121 if (object == NULL)
2122 continue;
2123 while (object->backing_object != NULL) {
2124 object = object->backing_object;
2125 offset += object->backing_object_offset;
2126 }
2127 /*
2128 * At the moment, vm_maps and objects aren't considered
2129 * by the MAC system, so only things with backing by a
2130 * normal object (read: vnodes) are checked.
2131 */
2132 if (object->type != OBJT_VNODE)
2133 continue;
2134 vp = (struct vnode *)object->handle;
2135 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
2136 result = mac_check_vnode_mmap_prot(cred, vp, 0);
2137 VOP_UNLOCK(vp, 0, td);
2138 /*
2139 * Find out what maximum protection we may be allowing
2140 * now but a policy needs to get removed.
2141 */
2142 revokeperms = vme->max_protection & ~result;
2143 if (!revokeperms)
2144 continue;
2145 printf("pid %d: revoking %s perms from %#lx:%d "
2146 "(max %s/cur %s)\n", td->td_proc->p_pid,
2147 prot2str(revokeperms), vme->start, vme->end - vme->start,
2148 prot2str(vme->max_protection), prot2str(vme->protection));
2149 vm_map_lock_upgrade(map);
2150 /*
2151 * This is the really simple case: if a map has more
2152 * max_protection than is allowed, but it's not being
2153 * actually used (that is, the current protection is
2154 * still allowed), we can just wipe it out and do
2155 * nothing more.
2156 */
2157 if ((vme->protection & revokeperms) == 0) {
2158 vme->max_protection -= revokeperms;
2159 } else {
2160 if (revokeperms & VM_PROT_WRITE) {
2161 /*
2162 * In the more complicated case, flush out all
2163 * pending changes to the object then turn it
2164 * copy-on-write.
2165 */
2166 vm_object_reference(object);
2167 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
2168 vm_object_page_clean(object,
2169 OFF_TO_IDX(offset),
2170 OFF_TO_IDX(offset + vme->end - vme->start +
2171 PAGE_MASK),
2172 OBJPC_SYNC);
2173 VOP_UNLOCK(vp, 0, td);
2174 vm_object_deallocate(object);
2175 /*
2176 * Why bother if there's no read permissions
2177 * anymore? For the rest, we need to leave
2178 * the write permissions on for COW, or
2179 * remove them entirely if configured to.
2180 */
2181 if (!mac_mmap_revocation_via_cow) {
2182 vme->max_protection &= ~VM_PROT_WRITE;
2183 vme->protection &= ~VM_PROT_WRITE;
2184 } if ((revokeperms & VM_PROT_READ) == 0)
2185 vme->eflags |= MAP_ENTRY_COW |
2186 MAP_ENTRY_NEEDS_COPY;
2187 }
2188 if (revokeperms & VM_PROT_EXECUTE) {
2189 vme->max_protection &= ~VM_PROT_EXECUTE;
2190 vme->protection &= ~VM_PROT_EXECUTE;
2191 }
2192 if (revokeperms & VM_PROT_READ) {
2193 vme->max_protection = 0;
2194 vme->protection = 0;
2195 }
2196 pmap_protect(map->pmap, vme->start, vme->end,
2197 vme->protection & ~revokeperms);
2198 vm_map_simplify_entry(map, vme);
2199 }
2200 vm_map_lock_downgrade(map);
2201 }
2202 vm_map_unlock_read(map);
2203}
2204
2205/*
2206 * When the subject's label changes, it may require revocation of privilege
2207 * to mapped objects. This can't be done on-the-fly later with a unified
2208 * buffer cache.
2209 */
2210static void
2211mac_relabel_cred(struct ucred *cred, struct label *newlabel)
2212{
2213
2214 MAC_PERFORM(relabel_cred, cred, newlabel);
2215 mac_cred_mmapped_drop_perms(curthread, cred);
2216}
2217
2218void
2219mac_relabel_vnode(struct ucred *cred, struct vnode *vp, struct label *newlabel)
2220{
2221
2222 MAC_PERFORM(relabel_vnode, cred, vp, &vp->v_label, newlabel);
2223}
2224
2225void
2226mac_create_ifnet(struct ifnet *ifnet)
2227{
2228
2229 MAC_PERFORM(create_ifnet, ifnet, &ifnet->if_label);
2230}
2231
2232void
2233mac_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d)
2234{
2235
2236 MAC_PERFORM(create_bpfdesc, cred, bpf_d, &bpf_d->bd_label);
2237}
2238
2239void
2240mac_create_socket(struct ucred *cred, struct socket *socket)
2241{
2242
2243 MAC_PERFORM(create_socket, cred, socket, &socket->so_label);
2244}
2245
2246void
2247mac_create_pipe(struct ucred *cred, struct pipe *pipe)
2248{
2249
2250 MAC_PERFORM(create_pipe, cred, pipe, pipe->pipe_label);
2251}
2252
2253void
2254mac_create_socket_from_socket(struct socket *oldsocket,
2255 struct socket *newsocket)
2256{
2257
2258 MAC_PERFORM(create_socket_from_socket, oldsocket, &oldsocket->so_label,
2259 newsocket, &newsocket->so_label);
2260}
2261
2262static void
2263mac_relabel_socket(struct ucred *cred, struct socket *socket,
2264 struct label *newlabel)
2265{
2266
2267 MAC_PERFORM(relabel_socket, cred, socket, &socket->so_label, newlabel);
2268}
2269
2270static void
2271mac_relabel_pipe(struct ucred *cred, struct pipe *pipe, struct label *newlabel)
2272{
2273
2274 MAC_PERFORM(relabel_pipe, cred, pipe, pipe->pipe_label, newlabel);
2275}
2276
2277void
2278mac_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct socket *socket)
2279{
2280
2281 MAC_PERFORM(set_socket_peer_from_mbuf, mbuf, &mbuf->m_pkthdr.label,
2282 socket, &socket->so_peerlabel);
2283}
2284
2285void
2286mac_set_socket_peer_from_socket(struct socket *oldsocket,
2287 struct socket *newsocket)
2288{
2289
2290 MAC_PERFORM(set_socket_peer_from_socket, oldsocket,
2291 &oldsocket->so_label, newsocket, &newsocket->so_peerlabel);
2292}
2293
2294void
2295mac_create_datagram_from_ipq(struct ipq *ipq, struct mbuf *datagram)
2296{
2297
2298 MAC_PERFORM(create_datagram_from_ipq, ipq, &ipq->ipq_label,
2299 datagram, &datagram->m_pkthdr.label);
2300}
2301
2302void
2303mac_create_fragment(struct mbuf *datagram, struct mbuf *fragment)
2304{
2305
2306 MAC_PERFORM(create_fragment, datagram, &datagram->m_pkthdr.label,
2307 fragment, &fragment->m_pkthdr.label);
2308}
2309
2310void
2311mac_create_ipq(struct mbuf *fragment, struct ipq *ipq)
2312{
2313
2314 MAC_PERFORM(create_ipq, fragment, &fragment->m_pkthdr.label, ipq,
2315 &ipq->ipq_label);
2316}
2317
2318void
2319mac_create_mbuf_from_mbuf(struct mbuf *oldmbuf, struct mbuf *newmbuf)
2320{
2321
2322 MAC_PERFORM(create_mbuf_from_mbuf, oldmbuf, &oldmbuf->m_pkthdr.label,
2323 newmbuf, &newmbuf->m_pkthdr.label);
2324}
2325
2326void
2327mac_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct mbuf *mbuf)
2328{
2329
2330 MAC_PERFORM(create_mbuf_from_bpfdesc, bpf_d, &bpf_d->bd_label, mbuf,
2331 &mbuf->m_pkthdr.label);
2332}
2333
2334void
2335mac_create_mbuf_linklayer(struct ifnet *ifnet, struct mbuf *mbuf)
2336{
2337
2338 MAC_PERFORM(create_mbuf_linklayer, ifnet, &ifnet->if_label, mbuf,
2339 &mbuf->m_pkthdr.label);
2340}
2341
2342void
2343mac_create_mbuf_from_ifnet(struct ifnet *ifnet, struct mbuf *mbuf)
2344{
2345
2346 MAC_PERFORM(create_mbuf_from_ifnet, ifnet, &ifnet->if_label, mbuf,
2347 &mbuf->m_pkthdr.label);
2348}
2349
2350void
2351mac_create_mbuf_multicast_encap(struct mbuf *oldmbuf, struct ifnet *ifnet,
2352 struct mbuf *newmbuf)
2353{
2354
2355 MAC_PERFORM(create_mbuf_multicast_encap, oldmbuf,
2356 &oldmbuf->m_pkthdr.label, ifnet, &ifnet->if_label, newmbuf,
2357 &newmbuf->m_pkthdr.label);
2358}
2359
2360void
2361mac_create_mbuf_netlayer(struct mbuf *oldmbuf, struct mbuf *newmbuf)
2362{
2363
2364 MAC_PERFORM(create_mbuf_netlayer, oldmbuf, &oldmbuf->m_pkthdr.label,
2365 newmbuf, &newmbuf->m_pkthdr.label);
2366}
2367
2368int
2369mac_fragment_match(struct mbuf *fragment, struct ipq *ipq)
2370{
2371 int result;
2372
2373 result = 1;
2374 MAC_BOOLEAN(fragment_match, &&, fragment, &fragment->m_pkthdr.label,
2375 ipq, &ipq->ipq_label);
2376
2377 return (result);
2378}
2379
2380void
2381mac_update_ipq(struct mbuf *fragment, struct ipq *ipq)
2382{
2383
2384 MAC_PERFORM(update_ipq, fragment, &fragment->m_pkthdr.label, ipq,
2385 &ipq->ipq_label);
2386}
2387
2388void
2389mac_create_mbuf_from_socket(struct socket *socket, struct mbuf *mbuf)
2390{
2391
2392 MAC_PERFORM(create_mbuf_from_socket, socket, &socket->so_label, mbuf,
2393 &mbuf->m_pkthdr.label);
2394}
2395
2396void
2397mac_create_mount(struct ucred *cred, struct mount *mp)
2398{
2399
2400 MAC_PERFORM(create_mount, cred, mp, &mp->mnt_mntlabel,
2401 &mp->mnt_fslabel);
2402}
2403
2404void
2405mac_create_root_mount(struct ucred *cred, struct mount *mp)
2406{
2407
2408 MAC_PERFORM(create_root_mount, cred, mp, &mp->mnt_mntlabel,
2409 &mp->mnt_fslabel);
2410}
2411
2412int
2413mac_check_bpfdesc_receive(struct bpf_d *bpf_d, struct ifnet *ifnet)
2414{
2415 int error;
2416
2417 if (!mac_enforce_network)
2418 return (0);
2419
2420 MAC_CHECK(check_bpfdesc_receive, bpf_d, &bpf_d->bd_label, ifnet,
2421 &ifnet->if_label);
2422
2423 return (error);
2424}
2425
2426static int
2427mac_check_cred_relabel(struct ucred *cred, struct label *newlabel)
2428{
2429 int error;
2430
2431 MAC_CHECK(check_cred_relabel, cred, newlabel);
2432
2433 return (error);
2434}
2435
2436int
2437mac_check_cred_visible(struct ucred *u1, struct ucred *u2)
2438{
2439 int error;
2440
2441 if (!mac_enforce_process)
2442 return (0);
2443
2444 MAC_CHECK(check_cred_visible, u1, u2);
2445
2446 return (error);
2447}
2448
2449int
2450mac_check_ifnet_transmit(struct ifnet *ifnet, struct mbuf *mbuf)
2451{
2452 int error;
2453
2454 if (!mac_enforce_network)
2455 return (0);
2456
2457 KASSERT(mbuf->m_flags & M_PKTHDR, ("packet has no pkthdr"));
2458 if (!(mbuf->m_pkthdr.label.l_flags & MAC_FLAG_INITIALIZED))
2459 printf("%s%d: not initialized\n", ifnet->if_name,
2460 ifnet->if_unit);
2461
2462 MAC_CHECK(check_ifnet_transmit, ifnet, &ifnet->if_label, mbuf,
2463 &mbuf->m_pkthdr.label);
2464
2465 return (error);
2466}
2467
2468int
2469mac_check_mount_stat(struct ucred *cred, struct mount *mount)
2470{
2471 int error;
2472
2473 if (!mac_enforce_fs)
2474 return (0);
2475
2476 MAC_CHECK(check_mount_stat, cred, mount, &mount->mnt_mntlabel);
2477
2478 return (error);
2479}
2480
2481int
2482mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, unsigned long cmd,
2483 void *data)
2484{
2485 int error;
2486
2487 MAC_CHECK(check_pipe_ioctl, cred, pipe, pipe->pipe_label, cmd, data);
2488
2489 return (error);
2490}
2491
2492int
2493mac_check_pipe_op(struct ucred *cred, struct pipe *pipe, int op)
2494{
2495 int error;
2496
2497 MAC_CHECK(check_pipe_op, cred, pipe, pipe->pipe_label, op);
2498
2499 return (error);
2500}
2501
2502static int
2503mac_check_pipe_relabel(struct ucred *cred, struct pipe *pipe,
2504 struct label *newlabel)
2505{
2506 int error;
2507
2508 MAC_CHECK(check_pipe_relabel, cred, pipe, pipe->pipe_label, newlabel);
2509
2510 return (error);
2511}
2512
2513int
2514mac_check_proc_debug(struct ucred *cred, struct proc *proc)
2515{
2516 int error;
2517
2518 if (!mac_enforce_process)
2519 return (0);
2520
2521 MAC_CHECK(check_proc_debug, cred, proc);
2522
2523 return (error);
2524}
2525
2526int
2527mac_check_proc_sched(struct ucred *cred, struct proc *proc)
2528{
2529 int error;
2530
2531 if (!mac_enforce_process)
2532 return (0);
2533
2534 MAC_CHECK(check_proc_sched, cred, proc);
2535
2536 return (error);
2537}
2538
2539int
2540mac_check_proc_signal(struct ucred *cred, struct proc *proc, int signum)
2541{
2542 int error;
2543
2544 if (!mac_enforce_process)
2545 return (0);
2546
2547 MAC_CHECK(check_proc_signal, cred, proc, signum);
2548
2549 return (error);
2550}
2551
2552int
2553mac_check_socket_bind(struct ucred *ucred, struct socket *socket,
2554 struct sockaddr *sockaddr)
2555{
2556 int error;
2557
2558 if (!mac_enforce_socket)
2559 return (0);
2560
2561 MAC_CHECK(check_socket_bind, ucred, socket, &socket->so_label,
2562 sockaddr);
2563
2564 return (error);
2565}
2566
2567int
2568mac_check_socket_connect(struct ucred *cred, struct socket *socket,
2569 struct sockaddr *sockaddr)
2570{
2571 int error;
2572
2573 if (!mac_enforce_socket)
2574 return (0);
2575
2576 MAC_CHECK(check_socket_connect, cred, socket, &socket->so_label,
2577 sockaddr);
2578
2579 return (error);
2580}
2581
2582int
2583mac_check_socket_deliver(struct socket *socket, struct mbuf *mbuf)
2584{
2585 int error;
2586
2587 if (!mac_enforce_socket)
2588 return (0);
2589
2590 MAC_CHECK(check_socket_deliver, socket, &socket->so_label, mbuf,
2591 &mbuf->m_pkthdr.label);
2592
2593 return (error);
2594}
2595
2596int
2597mac_check_socket_listen(struct ucred *cred, struct socket *socket)
2598{
2599 int error;
2600
2601 if (!mac_enforce_socket)
2602 return (0);
2603
2604 MAC_CHECK(check_socket_listen, cred, socket, &socket->so_label);
2605 return (error);
2606}
2607
2608static int
2609mac_check_socket_relabel(struct ucred *cred, struct socket *socket,
2610 struct label *newlabel)
2611{
2612 int error;
2613
2614 MAC_CHECK(check_socket_relabel, cred, socket, &socket->so_label,
2615 newlabel);
2616
2617 return (error);
2618}
2619
2620int
2621mac_check_socket_visible(struct ucred *cred, struct socket *socket)
2622{
2623 int error;
2624
2625 if (!mac_enforce_socket)
2626 return (0);
2627
2628 MAC_CHECK(check_socket_visible, cred, socket, &socket->so_label);
2629
2630 return (error);
2631}
2632
2633int
2634mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr,
2635 struct ifnet *ifnet)
2636{
2637 struct mac label;
2638 int error;
2639
2640 error = mac_externalize(&ifnet->if_label, &label);
2641 if (error)
2642 return (error);
2643
2644 return (copyout(&label, ifr->ifr_ifru.ifru_data, sizeof(label)));
2645}
2646
2647int
2648mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr,
2649 struct ifnet *ifnet)
2650{
2651 struct mac newlabel;
2652 struct label intlabel;
2653 int error;
2654
2655 error = copyin(ifr->ifr_ifru.ifru_data, &newlabel, sizeof(newlabel));
2656 if (error)
2657 return (error);
2658
2659 error = mac_internalize(&intlabel, &newlabel);
2660 if (error)
2661 return (error);
2662
2663 /*
2664 * XXX: Note that this is a redundant privilege check, since
2665 * policies impose this check themselves if required by the
2666 * policy. Eventually, this should go away.
2667 */
2668 error = suser_cred(cred, 0);
2669 if (error)
2670 goto out;
2671
2672 MAC_CHECK(check_ifnet_relabel, cred, ifnet, &ifnet->if_label,
2673 &intlabel);
2674 if (error)
2675 goto out;
2676
2677 MAC_PERFORM(relabel_ifnet, cred, ifnet, &ifnet->if_label, &intlabel);
2678
2679out:
2680 mac_destroy_temp(&intlabel);
2681 return (error);
2682}
2683
2684void
2685mac_create_devfs_vnode(struct devfs_dirent *de, struct vnode *vp)
2686{
2687
2688 MAC_PERFORM(create_devfs_vnode, de, &de->de_label, vp, &vp->v_label);
2689}
2690
2691void
2692mac_create_devfs_device(dev_t dev, struct devfs_dirent *de)
2693{
2694
2695 MAC_PERFORM(create_devfs_device, dev, de, &de->de_label);
2696}
2697
2698static int
2699mac_stdcreatevnode_ea(struct vnode *vp)
2700{
2701 int error;
2702
2703 MAC_CHECK(stdcreatevnode_ea, vp, &vp->v_label);
2704
2705 return (error);
2706}
2707
2708void
2709mac_create_devfs_directory(char *dirname, int dirnamelen,
2710 struct devfs_dirent *de)
2711{
2712
2713 MAC_PERFORM(create_devfs_directory, dirname, dirnamelen, de,
2714 &de->de_label);
2715}
2716
2717/*
2718 * When a new vnode is created, this call will initialize its label.
2719 */
2720void
2721mac_create_vnode(struct ucred *cred, struct vnode *parent,
2722 struct vnode *child)
2723{
2724 int error;
2725
2726 ASSERT_VOP_LOCKED(parent, "mac_create_vnode");
2727 ASSERT_VOP_LOCKED(child, "mac_create_vnode");
2728
2729 error = vn_refreshlabel(parent, cred);
2730 if (error) {
2731 printf("mac_create_vnode: vn_refreshlabel returned %d\n",
2732 error);
2733 printf("mac_create_vnode: using old vnode label\n");
2734 }
2735
2736 MAC_PERFORM(create_vnode, cred, parent, &parent->v_label, child,
2737 &child->v_label);
2738}
2739
2740int
2741mac_setsockopt_label_set(struct ucred *cred, struct socket *so,
2742 struct mac *extmac)
2743{
2744 struct label intlabel;
2745 int error;
2746
2747 error = mac_internalize(&intlabel, extmac);
2748 if (error)
2749 return (error);
2750
2751 mac_check_socket_relabel(cred, so, &intlabel);
2752 if (error) {
2753 mac_destroy_temp(&intlabel);
2754 return (error);
2755 }
2756
2757 mac_relabel_socket(cred, so, &intlabel);
2758
2759 mac_destroy_temp(&intlabel);
2760 return (0);
2761}
2762
2763int
2764mac_pipe_label_set(struct ucred *cred, struct pipe *pipe, struct label *label)
2765{
2766 int error;
2767
2768 error = mac_check_pipe_relabel(cred, pipe, label);
2769 if (error)
2770 return (error);
2771
2772 mac_relabel_pipe(cred, pipe, label);
2773
2774 return (0);
2775}
2776
2777int
2778mac_getsockopt_label_get(struct ucred *cred, struct socket *so,
2779 struct mac *extmac)
2780{
2781
2782 return (mac_externalize(&so->so_label, extmac));
2783}
2784
2785int
2786mac_getsockopt_peerlabel_get(struct ucred *cred, struct socket *so,
2787 struct mac *extmac)
2788{
2789
2790 return (mac_externalize(&so->so_peerlabel, extmac));
2791}
2792
2793/*
2794 * Implementation of VOP_SETLABEL() that relies on extended attributes
2795 * to store label data. Can be referenced by filesystems supporting
2796 * extended attributes.
2797 */
2798int
2799vop_stdsetlabel_ea(struct vop_setlabel_args *ap)
2800{
2801 struct vnode *vp = ap->a_vp;
2802 struct label *intlabel = ap->a_label;
2803 struct mac extmac;
2804 int error;
2805
2806 ASSERT_VOP_LOCKED(vp, "vop_stdsetlabel_ea");
2807
2808 /*
2809 * XXX: Eventually call out to EA check/set calls here.
2810 * Be particularly careful to avoid race conditions,
2811 * consistency problems, and stability problems when
2812 * dealing with multiple EAs. In particular, we require
2813 * the ability to write multiple EAs on the same file in
2814 * a single transaction, which the current EA interface
2815 * does not provide.
2816 */
2817
2818 error = mac_externalize(intlabel, &extmac);
2819 if (error)
2820 return (error);
2821
2822 error = vn_extattr_set(vp, IO_NODELOCKED,
2823 FREEBSD_MAC_EXTATTR_NAMESPACE, FREEBSD_MAC_EXTATTR_NAME,
2824 sizeof(extmac), (char *)&extmac, curthread);
2825 if (error)
2826 return (error);
2827
2828 mac_relabel_vnode(ap->a_cred, vp, intlabel);
2829
2830 vp->v_vflag |= VV_CACHEDLABEL;
2831
2832 return (0);
2833}
2834
2835static int
2836vn_setlabel(struct vnode *vp, struct label *intlabel, struct ucred *cred)
2837{
2838 int error;
2839
2840 if (vp->v_mount == NULL) {
2841 /* printf("vn_setlabel: null v_mount\n"); */
2842 if (vp->v_tag != VT_NON)
2843 printf("vn_setlabel: null v_mount with non-VT_NON\n");
2844 return (EBADF);
2845 }
2846
2847 if ((vp->v_mount->mnt_flag & MNT_MULTILABEL) == 0)
2848 return (EOPNOTSUPP);
2849
2850 /*
2851 * Multi-phase commit. First check the policies to confirm the
2852 * change is OK. Then commit via the filesystem. Finally,
2853 * update the actual vnode label. Question: maybe the filesystem
2854 * should update the vnode at the end as part of VOP_SETLABEL()?
2855 */
2856 error = mac_check_vnode_relabel(cred, vp, intlabel);
2857 if (error)
2858 return (error);
2859
2860 /*
2861 * VADMIN provides the opportunity for the filesystem to make
2862 * decisions about who is and is not able to modify labels
2863 * and protections on files. This might not be right. We can't
2864 * assume VOP_SETLABEL() will do it, because we might implement
2865 * that as part of vop_stdsetlabel_ea().
2866 */
2867 error = VOP_ACCESS(vp, VADMIN, cred, curthread);
2868 if (error)
2869 return (error);
2870
2871 error = VOP_SETLABEL(vp, intlabel, cred, curthread);
2872 if (error)
2873 return (error);
2874
2875 return (0);
2876}
2877
2878/*
2879 * MPSAFE
2880 */
2881int
2882__mac_get_proc(struct thread *td, struct __mac_get_proc_args *uap)
2883{
2884 struct mac extmac;
2885 int error;
2886
2887 error = mac_externalize(&td->td_ucred->cr_label, &extmac);
2888 if (error == 0)
2889 error = copyout(&extmac, SCARG(uap, mac_p), sizeof(extmac));
2890
2891 return (error);
2892}
2893
2894/*
2895 * MPSAFE
2896 *
2897 * XXX: Needs to be re-written for proc locking.
2898 */
2899int
2900__mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
2901{
2902 struct ucred *newcred, *oldcred;
2903 struct proc *p;
2904 struct mac extmac;
2905 struct label intlabel;
2906 int error;
2907
2908 error = copyin(SCARG(uap, mac_p), &extmac, sizeof(extmac));
2909 if (error)
2910 return (error);
2911
2912 error = mac_internalize(&intlabel, &extmac);
2913 if (error)
2914 return (error);
2915
2916 newcred = crget();
2917
2918 p = td->td_proc;
2919 PROC_LOCK(p);
2920 oldcred = p->p_ucred;
2921
2922 error = mac_check_cred_relabel(oldcred, &intlabel);
2923 if (error) {
2924 PROC_UNLOCK(p);
2925 mac_destroy_temp(&intlabel);
2926 crfree(newcred);
2927 return (error);
2928 }
2929
2930 setsugid(p);
2931 crcopy(newcred, oldcred);
2932 PROC_UNLOCK(p);
2933 mac_relabel_cred(newcred, &intlabel);
2934
2935 PROC_LOCK(p);
2936 p->p_ucred = newcred;
2937 PROC_UNLOCK(p);
2938 crfree(oldcred);
2939 mac_destroy_temp(&intlabel);
2940 return (0);
2941}
2942
2943/*
2944 * MPSAFE
2945 */
2946int
2947__mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap)
2948{
2949 struct file *fp;
2950 struct mac extmac;
2951 struct vnode *vp;
2952 struct pipe *pipe;
2953 int error;
2954
2955 mtx_lock(&Giant);
2956
2957 error = fget(td, SCARG(uap, fd), &fp);
2958 if (error)
2959 goto out;
2960
2961 switch (fp->f_type) {
2962 case DTYPE_FIFO:
2963 case DTYPE_VNODE:
2964 vp = (struct vnode *)fp->f_data;
2965
2966 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
2967 error = vn_refreshlabel(vp, td->td_ucred);
2968 if (error == 0)
2969 error = mac_externalize(&vp->v_label, &extmac);
2970 VOP_UNLOCK(vp, 0, td);
2971 break;
2972 case DTYPE_PIPE:
2973 pipe = (struct pipe *)fp->f_data;
2974 error = mac_externalize(pipe->pipe_label, &extmac);
2975 break;
2976 default:
2977 error = EINVAL;
2978 }
2979
2980 if (error == 0)
2981 error = copyout(&extmac, SCARG(uap, mac_p), sizeof(extmac));
2982
2983 fdrop(fp, td);
2984
2985out:
2986 mtx_unlock(&Giant);
2987 return (error);
2988}
2989
2990/*
2991 * MPSAFE
2992 */
2993int
2994__mac_get_file(struct thread *td, struct __mac_get_file_args *uap)
2995{
2996 struct nameidata nd;
2997 struct mac extmac;
2998 int error;
2999
3000 mtx_lock(&Giant);
3001 NDINIT(&nd, LOOKUP, LOCKLEAF | FOLLOW, UIO_USERSPACE,
3002 SCARG(uap, path_p), td);
3003 error = namei(&nd);
3004 if (error)
3005 goto out;
3006
3007 error = vn_refreshlabel(nd.ni_vp, td->td_ucred);
3008 if (error == 0)
3009 error = mac_externalize(&nd.ni_vp->v_label, &extmac);
3010 NDFREE(&nd, 0);
3011 if (error)
3012 goto out;
3013
3014 error = copyout(&extmac, SCARG(uap, mac_p), sizeof(extmac));
3015
3016out:
3017 mtx_unlock(&Giant);
3018 return (error);
3019}
3020
3021/*
3022 * MPSAFE
3023 */
3024int
3025__mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap)
3026{
3027 struct file *fp;
3028 struct mac extmac;
3029 struct label intlabel;
3030 struct mount *mp;
3031 struct vnode *vp;
3032 struct pipe *pipe;
3033 int error;
3034
3035 mtx_lock(&Giant);
3036 error = fget(td, SCARG(uap, fd), &fp);
3037 if (error)
3038 goto out1;
3039
3040 error = copyin(SCARG(uap, mac_p), &extmac, sizeof(extmac));
3041 if (error)
3042 goto out2;
3043
3044 error = mac_internalize(&intlabel, &extmac);
3045 if (error)
3046 goto out2;
3047
3048 switch (fp->f_type) {
3049 case DTYPE_FIFO:
3050 case DTYPE_VNODE:
3051 vp = (struct vnode *)fp->f_data;
3052 error = vn_start_write(vp, &mp, V_WAIT | PCATCH);
3053 if (error != 0)
3054 break;
3055
3056 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
3057 error = vn_setlabel(vp, &intlabel, td->td_ucred);
3058 VOP_UNLOCK(vp, 0, td);
3059 vn_finished_write(mp);
3060 mac_destroy_temp(&intlabel);
3061 break;
3062 case DTYPE_PIPE:
3063 pipe = (struct pipe *)fp->f_data;
3064 error = mac_pipe_label_set(td->td_ucred, pipe, &intlabel);
3065 break;
3066 default:
3067 error = EINVAL;
3068 }
3069
3070out2:
3071 fdrop(fp, td);
3072out1:
3073 mtx_unlock(&Giant);
3074 return (error);
3075}
3076
3077/*
3078 * MPSAFE
3079 */
3080int
3081__mac_set_file(struct thread *td, struct __mac_set_file_args *uap)
3082{
3083 struct nameidata nd;
3084 struct mac extmac;
3085 struct label intlabel;
3086 struct mount *mp;
3087 int error;
3088
3089 mtx_lock(&Giant);
3090
3091 error = copyin(SCARG(uap, mac_p), &extmac, sizeof(extmac));
3092 if (error)
3093 goto out;
3094
3095 error = mac_internalize(&intlabel, &extmac);
3096 if (error)
3097 goto out;
3098
3099 NDINIT(&nd, LOOKUP, LOCKLEAF | FOLLOW, UIO_USERSPACE,
3100 SCARG(uap, path_p), td);
3101 error = namei(&nd);
3102 if (error)
3103 goto out2;
3104 error = vn_start_write(nd.ni_vp, &mp, V_WAIT | PCATCH);
3105 if (error)
3106 goto out2;
3107
3108 error = vn_setlabel(nd.ni_vp, &intlabel, td->td_ucred);
3109
3110 vn_finished_write(mp);
3111out2:
3112 mac_destroy_temp(&intlabel);
3113 NDFREE(&nd, 0);
3114out:
3115 mtx_unlock(&Giant);
3116 return (error);
3117}
3118
3119SYSINIT(mac, SI_SUB_MAC, SI_ORDER_FIRST, mac_init, NULL);
3120SYSINIT(mac_late, SI_SUB_MAC_LATE, SI_ORDER_FIRST, mac_late_init, NULL);
3121
3122#else /* !MAC */
3123
3124int
3125__mac_get_proc(struct thread *td, struct __mac_get_proc_args *uap)
3126{
3127
3128 return (ENOSYS);
3129}
3130
3131int
3132__mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
3133{
3134
3135 return (ENOSYS);
3136}
3137
3138int
3139__mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap)
3140{
3141
3142 return (ENOSYS);
3143}
3144
3145int
3146__mac_get_file(struct thread *td, struct __mac_get_file_args *uap)
3147{
3148
3149 return (ENOSYS);
3150}
3151
3152int
3153__mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap)
3154{
3155
3156 return (ENOSYS);
3157}
3158
3159int
3160__mac_set_file(struct thread *td, struct __mac_set_file_args *uap)
3161{
3162
3163 return (ENOSYS);
3164}
3165
3166#endif /* !MAC */