Cross Reference: /freebsd-10.3-release/sys/security/mac_mls/mac

Deleted Added

sdiff udiff text old ( 105736 ) new ( 105988 )

full compact

mac_mls.c (105736)	mac_mls.c (105988)
1/- 2 Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson 3 * Copyright (c) 2001, 2002 Networks Associates Technology, Inc. 4 * All rights reserved. 5 * 6 * This software was developed by Robert Watson for the TrustedBSD Project. 7 * 8 * This software was developed for the FreeBSD Project in part by NAI Labs, --- 20 unchanged lines hidden (view full) --- 29 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 30 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 31 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 32 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 33 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 34 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 35 * SUCH DAMAGE. 36 *	1/- 2 Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson 3 * Copyright (c) 2001, 2002 Networks Associates Technology, Inc. 4 * All rights reserved. 5 * 6 * This software was developed by Robert Watson for the TrustedBSD Project. 7 * 8 * This software was developed for the FreeBSD Project in part by NAI Labs, --- 20 unchanged lines hidden (view full) --- 29 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 30 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 31 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 32 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 33 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 34 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 35 * SUCH DAMAGE. 36 *
37 * $FreeBSD: head/sys/security/mac_mls/mac_mls.c 105736 2002-10-22 19:01:49Z rwatson $	37 * $FreeBSD: head/sys/security/mac_mls/mac_mls.c 105988 2002-10-26 14:38:24Z rwatson $
38 / 39 40/ 41 * Developed by the TrustedBSD Project. 42 * MLS fixed label mandatory confidentiality policy. 43 */ 44 45#include <sys/types.h> 46#include <sys/param.h> 47#include <sys/acl.h> 48#include <sys/conf.h>	38 / 39 40/ 41 * Developed by the TrustedBSD Project. 42 * MLS fixed label mandatory confidentiality policy. 43 */ 44 45#include <sys/types.h> 46#include <sys/param.h> 47#include <sys/acl.h> 48#include <sys/conf.h>
	49#include <sys/extattr.h>
49#include <sys/kernel.h> 50#include <sys/mac.h> 51#include <sys/malloc.h> 52#include <sys/mount.h> 53#include <sys/proc.h> 54#include <sys/systm.h> 55#include <sys/sysproto.h> 56#include <sys/sysent.h> --- 21 unchanged lines hidden (view full) --- 78 79#include <security/mac_mls/mac_mls.h> 80 81SYSCTL_DECL(_security_mac); 82 83SYSCTL_NODE(_security_mac, OID_AUTO, mls, CTLFLAG_RW, 0, 84 "TrustedBSD mac_mls policy controls"); 85	50#include <sys/kernel.h> 51#include <sys/mac.h> 52#include <sys/malloc.h> 53#include <sys/mount.h> 54#include <sys/proc.h> 55#include <sys/systm.h> 56#include <sys/sysproto.h> 57#include <sys/sysent.h> --- 21 unchanged lines hidden (view full) --- 79 80#include <security/mac_mls/mac_mls.h> 81 82SYSCTL_DECL(_security_mac); 83 84SYSCTL_NODE(_security_mac, OID_AUTO, mls, CTLFLAG_RW, 0, 85 "TrustedBSD mac_mls policy controls"); 86
	87static int mac_mls_label_size = sizeof(struct mac_mls); 88SYSCTL_INT(_security_mac_mls, OID_AUTO, label_size, CTLFLAG_RD, 89 &mac_mls_label_size, 0, "Size of struct mac_mls"); 90
86static int mac_mls_enabled = 0; 87SYSCTL_INT(_security_mac_mls, OID_AUTO, enabled, CTLFLAG_RW, 88 &mac_mls_enabled, 0, "Enforce MAC/MLS policy"); 89TUNABLE_INT("security.mac.mls.enabled", &mac_mls_enabled); 90 91static int destroyed_not_inited; 92SYSCTL_INT(_security_mac_mls, OID_AUTO, destroyed_not_inited, CTLFLAG_RD, 93 &destroyed_not_inited, 0, "Count of labels destroyed but not inited"); --- 510 unchanged lines hidden (view full) --- 604 if (error) 605 return (error); 606 607 len = strlen(element_data); 608* return (0); 609} 610 611static int	91static int mac_mls_enabled = 0; 92SYSCTL_INT(_security_mac_mls, OID_AUTO, enabled, CTLFLAG_RW, 93 &mac_mls_enabled, 0, "Enforce MAC/MLS policy"); 94TUNABLE_INT("security.mac.mls.enabled", &mac_mls_enabled); 95 96static int destroyed_not_inited; 97SYSCTL_INT(_security_mac_mls, OID_AUTO, destroyed_not_inited, CTLFLAG_RD, 98 &destroyed_not_inited, 0, "Count of labels destroyed but not inited"); --- 510 unchanged lines hidden (view full) --- 609 if (error) 610 return (error); 611 612 len = strlen(element_data); 613* return (0); 614} 615 616static int
612mac_mls_externalize_vnode_oldmac(struct label label, struct oldmac extmac) 613{ 614 struct mac_mls mac_mls; 615* 616 mac_mls = SLOT(label); 617 618 if (mac_mls == NULL) { 619 printf("mac_mls_externalize: NULL pointer\n"); 620 return (0); 621 } 622 623 extmac->m_mls = mac_mls; 624* 625 return (0); 626} 627 628static int
629mac_mls_parse_element(struct mac_mls_element element, char string) 630{ 631 632 if (strcmp(string, "high") == 0 \|\| 633 strcmp(string, "hi") == 0) { 634 element->mme_type = MAC_MLS_TYPE_HIGH; 635 element->mme_level = MAC_MLS_TYPE_UNDEF; 636 } else if (strcmp(string, "low") == 0 \|\| --- 197 unchanged lines hidden (view full) --- 834 struct mac_mls source, dest; 835 836 source = SLOT(direntlabel); 837 dest = SLOT(vnodelabel); 838 mac_mls_copy_single(source, dest); 839} 840 841static void	617mac_mls_parse_element(struct mac_mls_element element, char string) 618{ 619 620 if (strcmp(string, "high") == 0 \|\| 621 strcmp(string, "hi") == 0) { 622 element->mme_type = MAC_MLS_TYPE_HIGH; 623 element->mme_level = MAC_MLS_TYPE_UNDEF; 624 } else if (strcmp(string, "low") == 0 \|\| --- 197 unchanged lines hidden (view full) --- 822 struct mac_mls source, dest; 823 824 source = SLOT(direntlabel); 825 dest = SLOT(vnodelabel); 826 mac_mls_copy_single(source, dest); 827} 828 829static void
842mac_mls_create_vnode(struct ucred cred, struct vnode parent, 843 struct label parentlabel, struct vnode child, struct label childlabel) 844{ 845* struct mac_mls source, dest; 846 847 source = SLOT(&cred->cr_label); 848 dest = SLOT(childlabel); 849 850 mac_mls_copy_single(source, dest); 851} 852 853static void
854mac_mls_create_mount(struct ucred cred, struct mount mp, 855 struct label mntlabel, struct label fslabel) 856{ 857 struct mac_mls source, dest; 858 859 source = SLOT(&cred->cr_label); 860 dest = SLOT(mntlabel); 861 mac_mls_copy_single(source, dest); --- 34 unchanged lines hidden (view full) --- 896 897 source = SLOT(vnodelabel); 898 dest = SLOT(direntlabel); 899 900 mac_mls_copy_single(source, dest); 901} 902 903static void	830mac_mls_create_mount(struct ucred cred, struct mount mp, 831 struct label mntlabel, struct label fslabel) 832{ 833 struct mac_mls source, dest; 834 835 source = SLOT(&cred->cr_label); 836 dest = SLOT(mntlabel); 837 mac_mls_copy_single(source, dest); --- 34 unchanged lines hidden (view full) --- 872 873 source = SLOT(vnodelabel); 874 dest = SLOT(direntlabel); 875 876 mac_mls_copy_single(source, dest); 877} 878 879static void
904mac_mls_update_procfsvnode(struct vnode vp, struct label vnodelabel, 905 struct ucred *cred)	880mac_mls_associate_vnode_devfs(struct mount mp, struct label fslabel, 881 struct devfs_dirent de, struct label delabel, struct vnode vp, 882* struct label *vlabel)
906{ 907 struct mac_mls source, dest; 908	883{ 884 struct mac_mls source, dest; 885
909 source = SLOT(&cred->cr_label); 910 dest = SLOT(vnodelabel);	886 source = SLOT(delabel); 887 dest = SLOT(vlabel);
911	888
912 /* 913 * Only copy the single, not the range, since vnodes only have 914 * a single. 915 */
916 mac_mls_copy_single(source, dest); 917} 918 919static int	889 mac_mls_copy_single(source, dest); 890} 891 892static int
920mac_mls_update_vnode_from_externalized(struct vnode vp, 921* struct label vnodelabel, struct oldmac extmac)	893mac_mls_associate_vnode_extattr(struct mount mp, struct label fslabel, 894 struct vnode vp, struct label vlabel)
922{	895{
923 struct mac_mls source, dest;	896 struct mac_mls temp, source, dest; 897 size_t buflen;
924 int error; 925	898 int error; 899
926 source = &extmac->m_mls; 927 dest = SLOT(vnodelabel);	900 source = SLOT(fslabel); 901 dest = SLOT(vlabel);
928	902
929 error = mac_mls_valid(source); 930 if (error)	903 buflen = sizeof(temp); 904 bzero(&temp, buflen); 905 906 error = vn_extattr_get(vp, IO_NODELOCKED, MAC_MLS_EXTATTR_NAMESPACE, 907 MAC_MLS_EXTATTR_NAME, &buflen, (char ) &temp, curthread); 908* if (error == ENOATTR \|\| error == EOPNOTSUPP) { 909 /* Fall back to the fslabel. / 910* mac_mls_copy_single(source, dest); 911 return (0); 912 } else if (error)
931 return (error); 932	913 return (error); 914
933 if ((source->mm_flags & MAC_MLS_FLAGS_BOTH) != MAC_MLS_FLAG_SINGLE) 934 return (EINVAL);	915 if (buflen != sizeof(temp)) { 916 printf("mac_mls_associate_vnode_extattr: bad size %d\n", 917 buflen); 918 return (EPERM); 919 } 920 if (mac_mls_valid(&temp) != 0) { 921 printf("mac_mls_associate_vnode_extattr: invalid\n"); 922 return (EPERM); 923 } 924 if ((temp.mm_flags & MAC_MLS_FLAGS_BOTH) != MAC_MLS_FLAG_SINGLE) { 925 printf("mac_mls_associated_vnode_extattr: not single\n"); 926 return (EPERM); 927 }
935	928
936 mac_mls_copy_single(source, dest); 937	929 mac_mls_copy_single(&temp, dest);
938 return (0); 939} 940 941static void	930 return (0); 931} 932 933static void
942mac_mls_update_vnode_from_mount(struct vnode vp, struct label vnodelabel, 943 struct mount mp, struct label fslabel)	934mac_mls_associate_vnode_singlelabel(struct mount mp, 935* struct label fslabel, struct vnode vp, struct label *vlabel)
944{ 945 struct mac_mls source, dest; 946 947 source = SLOT(fslabel);	936{ 937 struct mac_mls source, dest; 938 939 source = SLOT(fslabel);
948 dest = SLOT(vnodelabel);	940 dest = SLOT(vlabel);
949 950 mac_mls_copy_single(source, dest); 951} 952	941 942 mac_mls_copy_single(source, dest); 943} 944
	945static int 946mac_mls_create_vnode_extattr(struct ucred cred, struct mount mp, 947 struct label fslabel, struct vnode dvp, struct label dlabel, 948* struct vnode vp, struct label vlabel, struct componentname cnp) 949{ 950* struct mac_mls source, dest, temp; 951 size_t buflen; 952 int error; 953 954 buflen = sizeof(temp); 955 bzero(&temp, buflen); 956 957 source = SLOT(&cred->cr_label); 958 dest = SLOT(vlabel); 959 mac_mls_copy_single(source, &temp); 960 961 error = vn_extattr_set(vp, IO_NODELOCKED, MAC_MLS_EXTATTR_NAMESPACE, 962 MAC_MLS_EXTATTR_NAME, buflen, (char ) &temp, curthread); 963* if (error == 0) 964 mac_mls_copy_single(source, dest); 965 return (error); 966} 967 968static int 969mac_mls_setlabel_vnode_extattr(struct ucred cred, struct vnode vp, 970 struct label vlabel, struct label intlabel) 971{ 972 struct mac_mls source, temp; 973* size_t buflen; 974 int error; 975 976 buflen = sizeof(temp); 977 bzero(&temp, buflen); 978 979 source = SLOT(intlabel); 980 if ((source->mm_flags & MAC_MLS_FLAG_SINGLE) == 0) 981 return (0); 982 983 mac_mls_copy_single(source, &temp); 984 985 error = vn_extattr_set(vp, IO_NODELOCKED, MAC_MLS_EXTATTR_NAMESPACE, 986 MAC_MLS_EXTATTR_NAME, buflen, (char ) &temp, curthread); 987* return (error); 988} 989
953/* 954 * Labeling event operations: IPC object. 955 / 956static void 957mac_mls_create_mbuf_from_socket(struct socket so, struct label socketlabel, 958* struct mbuf m, struct label mbuflabel) 959{ 960 struct mac_mls source, dest; --- 1439 unchanged lines hidden (view full) --- 2400 { MAC_EXTERNALIZE_PIPE_LABEL, 2401 (macop_t)mac_mls_externalize_label }, 2402 { MAC_EXTERNALIZE_SOCKET_LABEL, 2403 (macop_t)mac_mls_externalize_label }, 2404 { MAC_EXTERNALIZE_SOCKET_PEER_LABEL, 2405 (macop_t)mac_mls_externalize_label }, 2406 { MAC_EXTERNALIZE_VNODE_LABEL, 2407 (macop_t)mac_mls_externalize_label },	990/* 991 * Labeling event operations: IPC object. 992 / 993static void 994mac_mls_create_mbuf_from_socket(struct socket so, struct label socketlabel, 995* struct mbuf m, struct label mbuflabel) 996{ 997 struct mac_mls source, dest; --- 1439 unchanged lines hidden (view full) --- 2437 { MAC_EXTERNALIZE_PIPE_LABEL, 2438 (macop_t)mac_mls_externalize_label }, 2439 { MAC_EXTERNALIZE_SOCKET_LABEL, 2440 (macop_t)mac_mls_externalize_label }, 2441 { MAC_EXTERNALIZE_SOCKET_PEER_LABEL, 2442 (macop_t)mac_mls_externalize_label }, 2443 { MAC_EXTERNALIZE_VNODE_LABEL, 2444 (macop_t)mac_mls_externalize_label },
2408 { MAC_EXTERNALIZE_VNODE_OLDMAC, 2409 (macop_t)mac_mls_externalize_vnode_oldmac },
2410 { MAC_INTERNALIZE_CRED_LABEL, 2411 (macop_t)mac_mls_internalize_label }, 2412 { MAC_INTERNALIZE_IFNET_LABEL, 2413 (macop_t)mac_mls_internalize_label }, 2414 { MAC_INTERNALIZE_PIPE_LABEL, 2415 (macop_t)mac_mls_internalize_label }, 2416 { MAC_INTERNALIZE_SOCKET_LABEL, 2417 (macop_t)mac_mls_internalize_label }, 2418 { MAC_INTERNALIZE_VNODE_LABEL, 2419 (macop_t)mac_mls_internalize_label }, 2420 { MAC_CREATE_DEVFS_DEVICE, 2421 (macop_t)mac_mls_create_devfs_device }, 2422 { MAC_CREATE_DEVFS_DIRECTORY, 2423 (macop_t)mac_mls_create_devfs_directory }, 2424 { MAC_CREATE_DEVFS_SYMLINK, 2425 (macop_t)mac_mls_create_devfs_symlink }, 2426 { MAC_CREATE_DEVFS_VNODE, 2427 (macop_t)mac_mls_create_devfs_vnode },	2445 { MAC_INTERNALIZE_CRED_LABEL, 2446 (macop_t)mac_mls_internalize_label }, 2447 { MAC_INTERNALIZE_IFNET_LABEL, 2448 (macop_t)mac_mls_internalize_label }, 2449 { MAC_INTERNALIZE_PIPE_LABEL, 2450 (macop_t)mac_mls_internalize_label }, 2451 { MAC_INTERNALIZE_SOCKET_LABEL, 2452 (macop_t)mac_mls_internalize_label }, 2453 { MAC_INTERNALIZE_VNODE_LABEL, 2454 (macop_t)mac_mls_internalize_label }, 2455 { MAC_CREATE_DEVFS_DEVICE, 2456 (macop_t)mac_mls_create_devfs_device }, 2457 { MAC_CREATE_DEVFS_DIRECTORY, 2458 (macop_t)mac_mls_create_devfs_directory }, 2459 { MAC_CREATE_DEVFS_SYMLINK, 2460 (macop_t)mac_mls_create_devfs_symlink }, 2461 { MAC_CREATE_DEVFS_VNODE, 2462 (macop_t)mac_mls_create_devfs_vnode },
2428 { MAC_CREATE_VNODE, 2429 (macop_t)mac_mls_create_vnode },
2430 { MAC_CREATE_MOUNT, 2431 (macop_t)mac_mls_create_mount }, 2432 { MAC_CREATE_ROOT_MOUNT, 2433 (macop_t)mac_mls_create_root_mount }, 2434 { MAC_RELABEL_VNODE, 2435 (macop_t)mac_mls_relabel_vnode }, 2436 { MAC_UPDATE_DEVFSDIRENT, 2437 (macop_t)mac_mls_update_devfsdirent },	2463 { MAC_CREATE_MOUNT, 2464 (macop_t)mac_mls_create_mount }, 2465 { MAC_CREATE_ROOT_MOUNT, 2466 (macop_t)mac_mls_create_root_mount }, 2467 { MAC_RELABEL_VNODE, 2468 (macop_t)mac_mls_relabel_vnode }, 2469 { MAC_UPDATE_DEVFSDIRENT, 2470 (macop_t)mac_mls_update_devfsdirent },
2438 { MAC_UPDATE_PROCFSVNODE, 2439 (macop_t)mac_mls_update_procfsvnode }, 2440 { MAC_UPDATE_VNODE_FROM_EXTERNALIZED, 2441 (macop_t)mac_mls_update_vnode_from_externalized }, 2442 { MAC_UPDATE_VNODE_FROM_MOUNT, 2443 (macop_t)mac_mls_update_vnode_from_mount },	2471 { MAC_ASSOCIATE_VNODE_DEVFS, 2472 (macop_t)mac_mls_associate_vnode_devfs }, 2473 { MAC_ASSOCIATE_VNODE_EXTATTR, 2474 (macop_t)mac_mls_associate_vnode_extattr }, 2475 { MAC_ASSOCIATE_VNODE_SINGLELABEL, 2476 (macop_t)mac_mls_associate_vnode_singlelabel }, 2477 { MAC_CREATE_VNODE_EXTATTR, 2478 (macop_t)mac_mls_create_vnode_extattr }, 2479 { MAC_SETLABEL_VNODE_EXTATTR, 2480 (macop_t)mac_mls_setlabel_vnode_extattr },
2444 { MAC_CREATE_MBUF_FROM_SOCKET, 2445 (macop_t)mac_mls_create_mbuf_from_socket }, 2446 { MAC_CREATE_PIPE, 2447 (macop_t)mac_mls_create_pipe }, 2448 { MAC_CREATE_SOCKET, 2449 (macop_t)mac_mls_create_socket }, 2450 { MAC_CREATE_SOCKET_FROM_SOCKET, 2451 (macop_t)mac_mls_create_socket_from_socket }, --- 149 unchanged lines hidden ---	2481 { MAC_CREATE_MBUF_FROM_SOCKET, 2482 (macop_t)mac_mls_create_mbuf_from_socket }, 2483 { MAC_CREATE_PIPE, 2484 (macop_t)mac_mls_create_pipe }, 2485 { MAC_CREATE_SOCKET, 2486 (macop_t)mac_mls_create_socket }, 2487 { MAC_CREATE_SOCKET_FROM_SOCKET, 2488 (macop_t)mac_mls_create_socket_from_socket }, --- 149 unchanged lines hidden ---