sdiff udiff text old ( 101934 ) new ( 102112 )
1/*-
2 * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson
3 * Copyright (c) 2001, 2002 Networks Associates Technology, Inc.
4 * All rights reserved.
5 *
6 * This software was developed by Robert Watson for the TrustedBSD Project.
7 *
8 * This software was developed for the FreeBSD Project in part by NAI Labs,

--- 20 unchanged lines hidden (view full) ---

29 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
30 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
31 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
32 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
33 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
34 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
35 * SUCH DAMAGE.
36 *
37 * $FreeBSD: head/sys/security/mac_biba/mac_biba.c 101934 2002-08-15 18:51:27Z rwatson $
38 */
39
40/*
41 * Developed by the TrustedBSD Project.
42 * Biba fixed label mandatory integrity policy.
43 */
44
45#include <sys/types.h>

--- 1638 unchanged lines hidden (view full) ---

1684 if (!mac_biba_dominate_single(subj, obj))
1685 return (EACCES);
1686 }
1687
1688 return (0);
1689}
1690
1691static int
1692mac_biba_check_vnode_readdir(struct ucred *cred, struct vnode *dvp,
1693 struct label *dlabel)
1694{
1695 struct mac_biba *subj, *obj;
1696
1697 if (!mac_biba_enabled)
1698 return (0);
1699

--- 250 unchanged lines hidden (view full) ---

1950 obj = SLOT(vnodelabel);
1951
1952 if (!mac_biba_dominate_single(obj, subj))
1953 return (EACCES);
1954
1955 return (0);
1956}
1957
1958static vm_prot_t
1959mac_biba_check_vnode_mmap_perms(struct ucred *cred, struct vnode *vp,
1960 struct label *label, int newmapping)
1961{
1962 struct mac_biba *subj, *obj;
1963 vm_prot_t prot = 0;
1964
1965 if (!mac_biba_enabled || (!mac_biba_revocation_enabled && !newmapping))

--- 4 unchanged lines hidden (view full) ---

1970
1971 if (mac_biba_dominate_single(obj, subj))
1972 prot |= VM_PROT_READ | VM_PROT_EXECUTE;
1973 if (mac_biba_dominate_single(subj, obj))
1974 prot |= VM_PROT_WRITE;
1975 return (prot);
1976}
1977
1978static int
1979mac_biba_check_vnode_op(struct ucred *cred, struct vnode *vp,
1980 struct label *label, int op)
1981{
1982 struct mac_biba *subj, *obj;
1983
1984 if (!mac_biba_enabled || !mac_biba_revocation_enabled)
1985 return (0);
1986
1987 subj = SLOT(&cred->cr_label);
1988 obj = SLOT(label);
1989
1990 switch (op) {
1991 case MAC_OP_VNODE_POLL:
1992 case MAC_OP_VNODE_READ:
1993 if (!mac_biba_dominate_single(obj, subj))
1994 return (EACCES);
1995 return (0);
1996
1997 case MAC_OP_VNODE_WRITE:
1998 if (!mac_biba_dominate_single(subj, obj))
1999 return (EACCES);
2000 return (0);
2001
2002 default:
2003 printf("mac_biba_check_vnode_op: unknown operation %d\n", op);
2004 return (EINVAL);
2005 }
2006}
2007
2008static struct mac_policy_op_entry mac_biba_ops[] =
2009{
2010 { MAC_DESTROY,
2011 (macop_t)mac_biba_destroy },
2012 { MAC_INIT,
2013 (macop_t)mac_biba_init },
2014 { MAC_INIT_BPFDESC,
2015 (macop_t)mac_biba_init_bpfdesc },

--- 168 unchanged lines hidden (view full) ---

2184 { MAC_CHECK_VNODE_GETACL,
2185 (macop_t)mac_biba_check_vnode_getacl },
2186 { MAC_CHECK_VNODE_GETEXTATTR,
2187 (macop_t)mac_biba_check_vnode_getextattr },
2188 { MAC_CHECK_VNODE_LOOKUP,
2189 (macop_t)mac_biba_check_vnode_lookup },
2190 { MAC_CHECK_VNODE_OPEN,
2191 (macop_t)mac_biba_check_vnode_open },
2192 { MAC_CHECK_VNODE_READDIR,
2193 (macop_t)mac_biba_check_vnode_readdir },
2194 { MAC_CHECK_VNODE_READLINK,
2195 (macop_t)mac_biba_check_vnode_readlink },
2196 { MAC_CHECK_VNODE_RELABEL,
2197 (macop_t)mac_biba_check_vnode_relabel },
2198 { MAC_CHECK_VNODE_RENAME_FROM,
2199 (macop_t)mac_biba_check_vnode_rename_from },

--- 10 unchanged lines hidden (view full) ---

2210 { MAC_CHECK_VNODE_SETMODE,
2211 (macop_t)mac_biba_check_vnode_setmode },
2212 { MAC_CHECK_VNODE_SETOWNER,
2213 (macop_t)mac_biba_check_vnode_setowner },
2214 { MAC_CHECK_VNODE_SETUTIMES,
2215 (macop_t)mac_biba_check_vnode_setutimes },
2216 { MAC_CHECK_VNODE_STAT,
2217 (macop_t)mac_biba_check_vnode_stat },
2218 { MAC_CHECK_VNODE_MMAP_PERMS,
2219 (macop_t)mac_biba_check_vnode_mmap_perms },
2220 { MAC_CHECK_VNODE_OP,
2221 (macop_t)mac_biba_check_vnode_op },
2222 { MAC_OP_LAST, NULL }
2223};
2224
2225MAC_POLICY_SET(mac_biba_ops, trustedbsd_mac_biba, "TrustedBSD MAC/Biba",
2226 MPC_LOADTIME_FLAG_NOTLATE, &mac_biba_slot);
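Review bot: mac_biba_check_vnode_mmap_perms (1958-1976) and mac_biba_check_vnode_op (1978-2006) carry no comment saying which way each dominance test runs, and the two express the same Biba rule in opposite forms (a vm_prot_t mask built up in one, EACCES in the other), so a reader has to rederive the policy from the argument order of mac_biba_dominate_single. I would add above mac_biba_check_vnode_mmap_perms: `/* Biba: read/execute is permitted only when the object's integrity label dominates the subject's, write only when the subject dominates the object; the mask returned is what the policy allows, independent of any requested protection, which this function does not see. */` and a one-line comment above mac_biba_check_vnode_op noting that it is the revocation-time re-check and is skipped entirely when mac_biba_revocation_enabled is clear (1984), whereas mmap_perms still runs for a new mapping in that case (1965; the early-return value in the four hidden lines is not visible here). mac_biba_check_vnode_readdir's body is hidden past 1698, so whether it applies the read-down check to dlabel cannot be confirmed from this view. Which of these lines are new in 102112 is not recoverable from the rendering, so the comment suggestion applies wherever the functions were introduced.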