mac_biba.c (101934) | mac_biba.c (102112) |
---|---|
1/*- 2 * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson 3 * Copyright (c) 2001, 2002 Networks Associates Technology, Inc. 4 * All rights reserved. 5 * 6 * This software was developed by Robert Watson for the TrustedBSD Project. 7 * 8 * This software was developed for the FreeBSD Project in part by NAI Labs, --- 20 unchanged lines hidden (view full) --- 29 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 30 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 31 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 32 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 33 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 34 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 35 * SUCH DAMAGE. 36 * | 1/*- 2 * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson 3 * Copyright (c) 2001, 2002 Networks Associates Technology, Inc. 4 * All rights reserved. 5 * 6 * This software was developed by Robert Watson for the TrustedBSD Project. 7 * 8 * This software was developed for the FreeBSD Project in part by NAI Labs, --- 20 unchanged lines hidden (view full) --- 29 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 30 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 31 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 32 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 33 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 34 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 35 * SUCH DAMAGE. 36 * |
37 * $FreeBSD: head/sys/security/mac_biba/mac_biba.c 101934 2002-08-15 18:51:27Z rwatson $ | 37 * $FreeBSD: head/sys/security/mac_biba/mac_biba.c 102112 2002-08-19 16:43:25Z rwatson $ |
38 */ 39 40/* 41 * Developed by the TrustedBSD Project. 42 * Biba fixed label mandatory integrity policy. 43 */ 44 45#include <sys/types.h> --- 1638 unchanged lines hidden (view full) --- 1684 if (!mac_biba_dominate_single(subj, obj)) 1685 return (EACCES); 1686 } 1687 1688 return (0); 1689} 1690 1691static int | 38 */ 39 40/* 41 * Developed by the TrustedBSD Project. 42 * Biba fixed label mandatory integrity policy. 43 */ 44 45#include <sys/types.h> --- 1638 unchanged lines hidden (view full) --- 1684 if (!mac_biba_dominate_single(subj, obj)) 1685 return (EACCES); 1686 } 1687 1688 return (0); 1689} 1690 1691static int |
1692mac_biba_check_vnode_poll(struct ucred *cred, struct vnode *vp, 1693 struct label *label) 1694{ 1695 struct mac_biba *subj, *obj; 1696 1697 if (!mac_biba_enabled || !mac_biba_revocation_enabled) 1698 return (0); 1699 1700 subj = SLOT(&cred->cr_label); 1701 obj = SLOT(label); 1702 1703 if (!mac_biba_dominate_single(obj, subj)) 1704 return (EACCES); 1705 1706 return (0); 1707} 1708 1709static int 1710mac_biba_check_vnode_read(struct ucred *cred, struct vnode *vp, 1711 struct label *label) 1712{ 1713 struct mac_biba *subj, *obj; 1714 1715 if (!mac_biba_enabled || !mac_biba_revocation_enabled) 1716 return (0); 1717 1718 subj = SLOT(&cred->cr_label); 1719 obj = SLOT(label); 1720 1721 if (!mac_biba_dominate_single(obj, subj)) 1722 return (EACCES); 1723 1724 return (0); 1725} 1726 1727static int |
|
1692mac_biba_check_vnode_readdir(struct ucred *cred, struct vnode *dvp, 1693 struct label *dlabel) 1694{ 1695 struct mac_biba *subj, *obj; 1696 1697 if (!mac_biba_enabled) 1698 return (0); 1699 --- 250 unchanged lines hidden (view full) --- 1950 obj = SLOT(vnodelabel); 1951 1952 if (!mac_biba_dominate_single(obj, subj)) 1953 return (EACCES); 1954 1955 return (0); 1956} 1957 | 1728mac_biba_check_vnode_readdir(struct ucred *cred, struct vnode *dvp, 1729 struct label *dlabel) 1730{ 1731 struct mac_biba *subj, *obj; 1732 1733 if (!mac_biba_enabled) 1734 return (0); 1735 --- 250 unchanged lines hidden (view full) --- 1986 obj = SLOT(vnodelabel); 1987 1988 if (!mac_biba_dominate_single(obj, subj)) 1989 return (EACCES); 1990 1991 return (0); 1992} 1993 |
1994static int 1995mac_biba_check_vnode_write(struct ucred *cred, struct vnode *vp, 1996 struct label *label) 1997{ 1998 struct mac_biba *subj, *obj; 1999 2000 if (!mac_biba_enabled || !mac_biba_revocation_enabled) 2001 return (0); 2002 2003 subj = SLOT(&cred->cr_label); 2004 obj = SLOT(label); 2005 2006 if (!mac_biba_dominate_single(subj, obj)) 2007 return (EACCES); 2008 2009 return (0); 2010} 2011 |
|
1958static vm_prot_t 1959mac_biba_check_vnode_mmap_perms(struct ucred *cred, struct vnode *vp, 1960 struct label *label, int newmapping) 1961{ 1962 struct mac_biba *subj, *obj; 1963 vm_prot_t prot = 0; 1964 1965 if (!mac_biba_enabled || (!mac_biba_revocation_enabled && !newmapping)) --- 4 unchanged lines hidden (view full) --- 1970 1971 if (mac_biba_dominate_single(obj, subj)) 1972 prot |= VM_PROT_READ | VM_PROT_EXECUTE; 1973 if (mac_biba_dominate_single(subj, obj)) 1974 prot |= VM_PROT_WRITE; 1975 return (prot); 1976} 1977 | 2012static vm_prot_t 2013mac_biba_check_vnode_mmap_perms(struct ucred *cred, struct vnode *vp, 2014 struct label *label, int newmapping) 2015{ 2016 struct mac_biba *subj, *obj; 2017 vm_prot_t prot = 0; 2018 2019 if (!mac_biba_enabled || (!mac_biba_revocation_enabled && !newmapping)) --- 4 unchanged lines hidden (view full) --- 2024 2025 if (mac_biba_dominate_single(obj, subj)) 2026 prot |= VM_PROT_READ | VM_PROT_EXECUTE; 2027 if (mac_biba_dominate_single(subj, obj)) 2028 prot |= VM_PROT_WRITE; 2029 return (prot); 2030} 2031 |
1978static int 1979mac_biba_check_vnode_op(struct ucred *cred, struct vnode *vp, 1980 struct label *label, int op) 1981{ 1982 struct mac_biba *subj, *obj; 1983 1984 if (!mac_biba_enabled || !mac_biba_revocation_enabled) 1985 return (0); 1986 1987 subj = SLOT(&cred->cr_label); 1988 obj = SLOT(label); 1989 1990 switch (op) { 1991 case MAC_OP_VNODE_POLL: 1992 case MAC_OP_VNODE_READ: 1993 if (!mac_biba_dominate_single(obj, subj)) 1994 return (EACCES); 1995 return (0); 1996 1997 case MAC_OP_VNODE_WRITE: 1998 if (!mac_biba_dominate_single(subj, obj)) 1999 return (EACCES); 2000 return (0); 2001 2002 default: 2003 printf("mac_biba_check_vnode_op: unknown operation %d\n", op); 2004 return (EINVAL); 2005 } 2006} 2007 | |
2008static struct mac_policy_op_entry mac_biba_ops[] = 2009{ 2010 { MAC_DESTROY, 2011 (macop_t)mac_biba_destroy }, 2012 { MAC_INIT, 2013 (macop_t)mac_biba_init }, 2014 { MAC_INIT_BPFDESC, 2015 (macop_t)mac_biba_init_bpfdesc }, --- 168 unchanged lines hidden (view full) --- 2184 { MAC_CHECK_VNODE_GETACL, 2185 (macop_t)mac_biba_check_vnode_getacl }, 2186 { MAC_CHECK_VNODE_GETEXTATTR, 2187 (macop_t)mac_biba_check_vnode_getextattr }, 2188 { MAC_CHECK_VNODE_LOOKUP, 2189 (macop_t)mac_biba_check_vnode_lookup }, 2190 { MAC_CHECK_VNODE_OPEN, 2191 (macop_t)mac_biba_check_vnode_open }, | 2032static struct mac_policy_op_entry mac_biba_ops[] = 2033{ 2034 { MAC_DESTROY, 2035 (macop_t)mac_biba_destroy }, 2036 { MAC_INIT, 2037 (macop_t)mac_biba_init }, 2038 { MAC_INIT_BPFDESC, 2039 (macop_t)mac_biba_init_bpfdesc }, --- 168 unchanged lines hidden (view full) --- 2208 { MAC_CHECK_VNODE_GETACL, 2209 (macop_t)mac_biba_check_vnode_getacl }, 2210 { MAC_CHECK_VNODE_GETEXTATTR, 2211 (macop_t)mac_biba_check_vnode_getextattr }, 2212 { MAC_CHECK_VNODE_LOOKUP, 2213 (macop_t)mac_biba_check_vnode_lookup }, 2214 { MAC_CHECK_VNODE_OPEN, 2215 (macop_t)mac_biba_check_vnode_open }, |
2216 { MAC_CHECK_VNODE_POLL, 2217 (macop_t)mac_biba_check_vnode_poll }, 2218 { MAC_CHECK_VNODE_READ, 2219 (macop_t)mac_biba_check_vnode_read }, |
|
2192 { MAC_CHECK_VNODE_READDIR, 2193 (macop_t)mac_biba_check_vnode_readdir }, 2194 { MAC_CHECK_VNODE_READLINK, 2195 (macop_t)mac_biba_check_vnode_readlink }, 2196 { MAC_CHECK_VNODE_RELABEL, 2197 (macop_t)mac_biba_check_vnode_relabel }, 2198 { MAC_CHECK_VNODE_RENAME_FROM, 2199 (macop_t)mac_biba_check_vnode_rename_from }, --- 10 unchanged lines hidden (view full) --- 2210 { MAC_CHECK_VNODE_SETMODE, 2211 (macop_t)mac_biba_check_vnode_setmode }, 2212 { MAC_CHECK_VNODE_SETOWNER, 2213 (macop_t)mac_biba_check_vnode_setowner }, 2214 { MAC_CHECK_VNODE_SETUTIMES, 2215 (macop_t)mac_biba_check_vnode_setutimes }, 2216 { MAC_CHECK_VNODE_STAT, 2217 (macop_t)mac_biba_check_vnode_stat }, | 2220 { MAC_CHECK_VNODE_READDIR, 2221 (macop_t)mac_biba_check_vnode_readdir }, 2222 { MAC_CHECK_VNODE_READLINK, 2223 (macop_t)mac_biba_check_vnode_readlink }, 2224 { MAC_CHECK_VNODE_RELABEL, 2225 (macop_t)mac_biba_check_vnode_relabel }, 2226 { MAC_CHECK_VNODE_RENAME_FROM, 2227 (macop_t)mac_biba_check_vnode_rename_from }, --- 10 unchanged lines hidden (view full) --- 2238 { MAC_CHECK_VNODE_SETMODE, 2239 (macop_t)mac_biba_check_vnode_setmode }, 2240 { MAC_CHECK_VNODE_SETOWNER, 2241 (macop_t)mac_biba_check_vnode_setowner }, 2242 { MAC_CHECK_VNODE_SETUTIMES, 2243 (macop_t)mac_biba_check_vnode_setutimes }, 2244 { MAC_CHECK_VNODE_STAT, 2245 (macop_t)mac_biba_check_vnode_stat }, |
2246 { MAC_CHECK_VNODE_WRITE, 2247 (macop_t)mac_biba_check_vnode_write }, |
|
2218 { MAC_CHECK_VNODE_MMAP_PERMS, 2219 (macop_t)mac_biba_check_vnode_mmap_perms }, | 2248 { MAC_CHECK_VNODE_MMAP_PERMS, 2249 (macop_t)mac_biba_check_vnode_mmap_perms }, |
2220 { MAC_CHECK_VNODE_OP, 2221 (macop_t)mac_biba_check_vnode_op }, | |
2222 { MAC_OP_LAST, NULL } 2223}; 2224 2225MAC_POLICY_SET(mac_biba_ops, trustedbsd_mac_biba, "TrustedBSD MAC/Biba", 2226 MPC_LOADTIME_FLAG_NOTLATE, &mac_biba_slot); | 2250 { MAC_OP_LAST, NULL } 2251}; 2252 2253MAC_POLICY_SET(mac_biba_ops, trustedbsd_mac_biba, "TrustedBSD MAC/Biba", 2254 MPC_LOADTIME_FLAG_NOTLATE, &mac_biba_slot); |
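Review bot: The three new hooks `mac_biba_check_vnode_poll`, `mac_biba_check_vnode_read` and `mac_biba_check_vnode_write` (new side, lines 1692–1725 and 1994–2010) return 0 outright whenever `mac_biba_revocation_enabled` is clear, and nothing in the code says why that is safe — a reader could conclude the policy does not mediate read/write on files at all. Presumably the per-open check registered as `MAC_CHECK_VNODE_OPEN` already authorized the descriptor and these hooks only matter when a label can change after open, but that function's body is outside this diff and should be confirmed. I would add one comment above each of the three functions, e.g. `/* Access was authorized at open time; re-check on each operation only when revocation is enabled, so a later relabel of the vnode or credential takes effect. */`. As a matter of style, `_poll` and `_read` are byte-for-byte identical apart from their names and could share a static helper, though the one-hook-per-function layout matches the rest of the file.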