1/*- 2 * Copyright (c) 1999-2002 Robert N. M. Watson 3 * Copyright (c) 2001-2005 Networks Associates Technology, Inc. 4 * Copyright (c) 2005-2006 SPARTA, Inc. 5 * All rights reserved. 6 * 7 * This software was developed by Robert Watson for the TrustedBSD Project. 8 * --- 21 unchanged lines hidden (view full) --- 30 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 31 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 32 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 33 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 34 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 35 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 36 * SUCH DAMAGE. 37 * |
38 * $FreeBSD: head/sys/security/mac/mac_framework.h 168955 2007-04-22 19:55:56Z rwatson $ |
39 */ 40 41/* 42 * Kernel interface for Mandatory Access Control -- how kernel services 43 * interact with the TrustedBSD MAC Framework. 44 */ 45 46#ifndef _SYS_SECURITY_MAC_MAC_FRAMEWORK_H_ --- 41 unchanged lines hidden (view full) --- 88 89/* 90 * Kernel functions to manage and evaluate labels. 91 */ 92void mac_init_bpfdesc(struct bpf_d *); 93void mac_init_cred(struct ucred *); 94void mac_init_devfsdirent(struct devfs_dirent *); 95void mac_init_ifnet(struct ifnet *); |
96int mac_init_inpcb(struct inpcb *, int); |
97void mac_init_sysv_msgmsg(struct msg *); |
98void mac_init_sysv_msgqueue(struct msqid_kernel *); 99void mac_init_sysv_sem(struct semid_kernel *); 100void mac_init_sysv_shm(struct shmid_kernel *); 101int mac_init_ipq(struct ipq *, int); 102int mac_init_socket(struct socket *, int); |
103void mac_init_pipe(struct pipepair *); 104void mac_init_posix_sem(struct ksem *); |
105int mac_init_mbuf(struct mbuf *, int); 106int mac_init_mbuf_tag(struct m_tag *, int); |
107void mac_init_mount(struct mount *); 108void mac_init_proc(struct proc *); 109void mac_init_vnode(struct vnode *); |
110void mac_copy_mbuf(struct mbuf *, struct mbuf *); |
111void mac_copy_mbuf_tag(struct m_tag *, struct m_tag *); |
112void mac_copy_vnode_label(struct label *, struct label *); |
113void mac_destroy_bpfdesc(struct bpf_d *); 114void mac_destroy_cred(struct ucred *); 115void mac_destroy_devfsdirent(struct devfs_dirent *); 116void mac_destroy_ifnet(struct ifnet *); 117void mac_destroy_inpcb(struct inpcb *); 118void mac_destroy_sysv_msgmsg(struct msg *); 119void mac_destroy_sysv_msgqueue(struct msqid_kernel *); 120void mac_destroy_sysv_sem(struct semid_kernel *); 121void mac_destroy_sysv_shm(struct shmid_kernel *); 122void mac_destroy_ipq(struct ipq *); 123void mac_destroy_socket(struct socket *); 124void mac_destroy_pipe(struct pipepair *); 125void mac_destroy_posix_sem(struct ksem *); 126void mac_destroy_proc(struct proc *); 127void mac_destroy_mbuf_tag(struct m_tag *); 128void mac_destroy_mount(struct mount *); 129void mac_destroy_vnode(struct vnode *); 130 131struct label *mac_cred_label_alloc(void); |
132void mac_cred_label_free(struct label *); |
133struct label *mac_vnode_label_alloc(void); |
134void mac_vnode_label_free(struct label *); |
135 136/* 137 * Labeling event operations: file system objects, and things that look a lot 138 * like file system objects. 139 */ 140void mac_associate_vnode_devfs(struct mount *mp, struct devfs_dirent *de, 141 struct vnode *vp); 142int mac_associate_vnode_extattr(struct mount *mp, struct vnode *vp); --- 11 unchanged lines hidden (view full) --- 154 struct label *newlabel); 155void mac_update_devfsdirent(struct mount *mp, struct devfs_dirent *de, 156 struct vnode *vp); 157 158/* 159 * Labeling event operations: IPC objects. 160 */ 161void mac_create_mbuf_from_socket(struct socket *so, struct mbuf *m); |
162void mac_create_socket(struct ucred *cred, struct socket *so); 163void mac_create_socket_from_socket(struct socket *oldso, 164 struct socket *newso); 165void mac_set_socket_peer_from_mbuf(struct mbuf *m, struct socket *so); 166void mac_set_socket_peer_from_socket(struct socket *oldso, 167 struct socket *newso); |
168void mac_create_pipe(struct ucred *cred, struct pipepair *pp); 169 170/* 171 * Labeling event operations: System V IPC primitives 172 */ 173void mac_create_sysv_msgmsg(struct ucred *cred, 174 struct msqid_kernel *msqkptr, struct msg *msgptr); 175void mac_create_sysv_msgqueue(struct ucred *cred, --- 6 unchanged lines hidden (view full) --- 182/* 183 * Labeling event operations: POSIX (global/inter-process) semaphores. 184 */ 185void mac_create_posix_sem(struct ucred *cred, struct ksem *ksemptr); 186 187/* 188 * Labeling event operations: network objects. 189 */ |
190void mac_create_bpfdesc(struct ucred *cred, struct bpf_d *d); |
191void mac_create_ifnet(struct ifnet *ifp); 192void mac_create_inpcb_from_socket(struct socket *so, struct inpcb *inp); |
193void mac_create_ipq(struct mbuf *m, struct ipq *ipq); 194void mac_create_datagram_from_ipq(struct ipq *ipq, struct mbuf *m); 195void mac_create_fragment(struct mbuf *m, struct mbuf *frag); |
196void mac_create_mbuf_from_inpcb(struct inpcb *inp, struct mbuf *m); |
197void mac_create_mbuf_linklayer(struct ifnet *ifp, struct mbuf *m); 198void mac_create_mbuf_from_bpfdesc(struct bpf_d *d, struct mbuf *m); 199void mac_create_mbuf_from_ifnet(struct ifnet *ifp, struct mbuf *m); 200void mac_create_mbuf_multicast_encap(struct mbuf *m, struct ifnet *ifp, 201 struct mbuf *mnew); 202void mac_create_mbuf_netlayer(struct mbuf *m, struct mbuf *mnew); 203int mac_fragment_match(struct mbuf *m, struct ipq *ipq); |
204void mac_reflect_mbuf_icmp(struct mbuf *m); 205void mac_reflect_mbuf_tcp(struct mbuf *m); |
206void mac_update_ipq(struct mbuf *m, struct ipq *ipq); |
207void mac_inpcb_sosetlabel(struct socket *so, struct inpcb *inp); 208void mac_create_mbuf_from_firewall(struct mbuf *m); |
209void mac_destroy_syncache(struct label **l); 210int mac_init_syncache(struct label **l); 211void mac_init_syncache_from_inpcb(struct label *l, struct inpcb *inp); 212void mac_create_mbuf_from_syncache(struct label *l, struct mbuf *m); |
213 214/* 215 * Labeling event operations: processes. 216 */ 217void mac_copy_cred(struct ucred *cr1, struct ucred *cr2); 218int mac_execve_enter(struct image_params *imgp, struct mac *mac_p); 219void mac_execve_exit(struct image_params *imgp); |
220void mac_execve_transition(struct ucred *oldcred, struct ucred *newcred, |
221 struct vnode *vp, struct label *interpvnodelabel, 222 struct image_params *imgp); |
223int mac_execve_will_transition(struct ucred *cred, struct vnode *vp, |
224 struct label *interpvnodelabel, struct image_params *imgp); 225void mac_create_proc0(struct ucred *cred); 226void mac_create_proc1(struct ucred *cred); 227void mac_thread_userret(struct thread *td); 228 229/* 230 * Label cleanup operation: This is the inverse complement for the mac_create 231 * and associate type of hooks. This hook lets the policy module(s) perform a --- 8 unchanged lines hidden (view full) --- 240void mac_cleanup_sysv_msgmsg(struct msg *msgptr); 241void mac_cleanup_sysv_msgqueue(struct msqid_kernel *msqkptr); 242void mac_cleanup_sysv_sem(struct semid_kernel *semakptr); 243void mac_cleanup_sysv_shm(struct shmid_kernel *shmsegptr); 244 245/* 246 * Access control checks. 247 */ |
248int mac_check_bpfdesc_receive(struct bpf_d *d, struct ifnet *ifp); 249int mac_check_cred_visible(struct ucred *cr1, struct ucred *cr2); 250int mac_check_ifnet_transmit(struct ifnet *ifp, struct mbuf *m); |
251int mac_check_inpcb_deliver(struct inpcb *inp, struct mbuf *m); 252int mac_check_sysv_msgmsq(struct ucred *cred, struct msg *msgptr, 253 struct msqid_kernel *msqkptr); 254int mac_check_sysv_msgrcv(struct ucred *cred, struct msg *msgptr); 255int mac_check_sysv_msgrmid(struct ucred *cred, struct msg *msgptr); 256int mac_check_sysv_msqget(struct ucred *cred, 257 struct msqid_kernel *msqkptr); 258int mac_check_sysv_msqsnd(struct ucred *cred, --- 30 unchanged lines hidden (view full) --- 289int mac_check_pipe_stat(struct ucred *cred, struct pipepair *pp); 290int mac_check_pipe_write(struct ucred *cred, struct pipepair *pp); 291int mac_check_posix_sem_destroy(struct ucred *cred, struct ksem *ksemptr); 292int mac_check_posix_sem_getvalue(struct ucred *cred,struct ksem *ksemptr); 293int mac_check_posix_sem_open(struct ucred *cred, struct ksem *ksemptr); 294int mac_check_posix_sem_post(struct ucred *cred, struct ksem *ksemptr); 295int mac_check_posix_sem_unlink(struct ucred *cred, struct ksem *ksemptr); 296int mac_check_posix_sem_wait(struct ucred *cred, struct ksem *ksemptr); |
297int mac_check_proc_debug(struct ucred *cred, struct proc *p); 298int mac_check_proc_sched(struct ucred *cred, struct proc *p); |
299int mac_check_proc_setaudit(struct ucred *cred, struct auditinfo *ai); 300int mac_check_proc_setauid(struct ucred *cred, uid_t auid); |
301int mac_check_proc_setuid(struct proc *p, struct ucred *cred, |
302 uid_t uid); |
303int mac_check_proc_seteuid(struct proc *p, struct ucred *cred, |
304 uid_t euid); |
305int mac_check_proc_setgid(struct proc *p, struct ucred *cred, |
306 gid_t gid); |
307int mac_check_proc_setegid(struct proc *p, struct ucred *cred, |
308 gid_t egid); |
309int mac_check_proc_setgroups(struct proc *p, struct ucred *cred, |
310 int ngroups, gid_t *gidset); |
311int mac_check_proc_setreuid(struct proc *p, struct ucred *cred, |
312 uid_t ruid, uid_t euid); |
313int mac_check_proc_setregid(struct proc *p, struct ucred *cred, |
314 gid_t rgid, gid_t egid); |
315int mac_check_proc_setresuid(struct proc *p, struct ucred *cred, |
316 uid_t ruid, uid_t euid, uid_t suid); |
317int mac_check_proc_setresgid(struct proc *p, struct ucred *cred, |
318 gid_t rgid, gid_t egid, gid_t sgid); |
319int mac_check_proc_signal(struct ucred *cred, struct proc *p, |
320 int signum); |
321int mac_check_proc_wait(struct ucred *cred, struct proc *p); |
322int mac_check_socket_accept(struct ucred *cred, struct socket *so); 323int mac_check_socket_bind(struct ucred *cred, struct socket *so, |
324 struct sockaddr *sa); |
325int mac_check_socket_connect(struct ucred *cred, struct socket *so, |
326 struct sockaddr *sa); |
327int mac_check_socket_create(struct ucred *cred, int domain, int type, |
328 int proto); |
329int mac_check_socket_deliver(struct socket *so, struct mbuf *m); 330int mac_check_socket_listen(struct ucred *cred, struct socket *so); 331int mac_check_socket_poll(struct ucred *cred, struct socket *so); 332int mac_check_socket_receive(struct ucred *cred, struct socket *so); 333int mac_check_socket_send(struct ucred *cred, struct socket *so); 334int mac_check_socket_stat(struct ucred *cred, struct socket *so); 335int mac_check_socket_visible(struct ucred *cred, struct socket *so); 336int mac_check_system_acct(struct ucred *cred, struct vnode *vp); --- 24 unchanged lines hidden (view full) --- 361int mac_check_vnode_getextattr(struct ucred *cred, struct vnode *vp, 362 int attrnamespace, const char *name, struct uio *uio); 363int mac_check_vnode_link(struct ucred *cred, struct vnode *dvp, 364 struct vnode *vp, struct componentname *cnp); 365int mac_check_vnode_listextattr(struct ucred *cred, struct vnode *vp, 366 int attrnamespace); 367int mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, 368 struct componentname *cnp); |
369int mac_check_vnode_mmap(struct ucred *cred, struct vnode *vp, int prot, 370 int flags); |
371int mac_check_vnode_mprotect(struct ucred *cred, struct vnode *vp, 372 int prot); 373int mac_check_vnode_open(struct ucred *cred, struct vnode *vp, 374 int acc_mode); 375int mac_check_vnode_poll(struct ucred *active_cred, 376 struct ucred *file_cred, struct vnode *vp); 377int mac_check_vnode_read(struct ucred *active_cred, 378 struct ucred *file_cred, struct vnode *vp); --- 20 unchanged lines hidden (view full) --- 399 struct ucred *file_cred, struct vnode *vp); 400int mac_check_vnode_write(struct ucred *active_cred, 401 struct ucred *file_cred, struct vnode *vp); 402int mac_getsockopt_label(struct ucred *cred, struct socket *so, 403 struct mac *extmac); 404int mac_getsockopt_peerlabel(struct ucred *cred, struct socket *so, 405 struct mac *extmac); 406int mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr, |
407 struct ifnet *ifp); |
408int mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr, |
409 struct ifnet *ifp); |
410int mac_setsockopt_label(struct ucred *cred, struct socket *so, 411 struct mac *extmac); 412int mac_pipe_label_set(struct ucred *cred, struct pipepair *pp, 413 struct label *label); 414void mac_cred_mmapped_drop_perms(struct thread *td, struct ucred *cred); 415void mac_associate_nfsd_label(struct ucred *cred); 416int mac_priv_check(struct ucred *cred, int priv); 417int mac_priv_grant(struct ucred *cred, int priv); 418 419/* 420 * Calls to help various file systems implement labeling functionality using 421 * their existing EA implementation. 422 */ 423int vop_stdsetlabel_ea(struct vop_setlabel_args *ap); 424 425#endif /* !_SYS_SECURITY_MAC_MAC_FRAMEWORK_H_ */ |
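Review bot: The `Access control checks.` comment introducing the `mac_check_*` prototypes (line 246 onward) does not state the decision contract, so a caller reading this header cannot tell whether a non-zero return denies the operation or merely reports an internal error, even though every one of these `int` returns is an access-control decision. I would expand the comment to ` * Access control checks.  Each check returns 0 to permit the operation or a non-zero errno value to deny it; callers must fail closed on any non-zero return and perform the check before the operation has had any effect.` — presumably that is the convention the framework follows, but confirm the wording against mac_framework.c before committing it. The `int`-returning initialization hooks (`mac_init_inpcb`, `mac_init_ipq`, `mac_init_socket`, `mac_init_mbuf`, `mac_init_mbuf_tag`, `mac_init_syncache`) likewise take an undocumented `int` argument and can fail; a one-line comment saying what the flag selects and that a non-zero return means the label was not allocated and the object must not be used as labeled would help reviewers of each call site. Minor style: `mac_check_posix_sem_getvalue(struct ucred *cred,struct ksem *ksemptr)` at line 292 is missing the space after the comma that every neighbouring prototype has. Several stretches of the file are collapsed ("unchanged lines hidden"), so the list of checks reviewed here is incomplete from this view.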