mac_net.c (113482) | mac_net.c (113487) |
---|---|
1/*- 2 * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson 3 * Copyright (c) 2001 Ilmar S. Habibulin 4 * Copyright (c) 2001, 2002 Networks Associates Technology, Inc. 5 * All rights reserved. 6 * 7 * This software was developed by Robert Watson and Ilmar Habibulin for the 8 * TrustedBSD Project. --- 19 unchanged lines hidden (view full) --- 28 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 29 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 30 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 31 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 32 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 33 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 34 * SUCH DAMAGE. 35 * | 1/*- 2 * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson 3 * Copyright (c) 2001 Ilmar S. Habibulin 4 * Copyright (c) 2001, 2002 Networks Associates Technology, Inc. 5 * All rights reserved. 6 * 7 * This software was developed by Robert Watson and Ilmar Habibulin for the 8 * TrustedBSD Project. --- 19 unchanged lines hidden (view full) --- 28 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 29 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 30 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 31 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 32 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 33 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 34 * SUCH DAMAGE. 35 * |
36 * $FreeBSD: head/sys/security/mac/mac_net.c 113482 2003-04-14 18:11:18Z rwatson $ | 36 * $FreeBSD: head/sys/security/mac/mac_net.c 113487 2003-04-14 20:39:06Z rwatson $ |
37 */ 38/* 39 * Developed by the TrustedBSD Project. 40 * 41 * Framework for extensible kernel access control. Kernel and userland 42 * interface to the framework, policy registration and composition. 43 */ 44 --- 70 unchanged lines hidden (view full) --- 115static int mac_late = 0; 116 117/* 118 * Warn about EA transactions only the first time they happen. 119 * Weak coherency, no locking. 120 */ 121static int ea_warn_once = 0; 122 | 37 */ 38/* 39 * Developed by the TrustedBSD Project. 40 * 41 * Framework for extensible kernel access control. Kernel and userland 42 * interface to the framework, policy registration and composition. 43 */ 44 --- 70 unchanged lines hidden (view full) --- 115static int mac_late = 0; 116 117/* 118 * Warn about EA transactions only the first time they happen. 119 * Weak coherency, no locking. 120 */ 121static int ea_warn_once = 0; 122 |
123#ifndef MAC_ALWAYS_LABEL_MBUF 124/* 125 * Flag to indicate whether or not we should allocate label storage for 126 * new mbufs. Since most dynamic policies we currently work with don't 127 * rely on mbuf labeling, try to avoid paying the cost of mtag allocation 128 * unless specifically notified of interest. One result of this is 129 * that if a dynamically loaded policy requests mbuf labels, it must 130 * be able to deal with a NULL label being returned on any mbufs that 131 * were already in flight when the policy was loaded. Since the policy 132 * already has to deal with uninitialized labels, this probably won't 133 * be a problem. Note: currently no locking. Will this be a problem? 134 */ 135static int mac_labelmbufs = 0; 136#endif 137 |
|
123static int mac_enforce_fs = 1; 124SYSCTL_INT(_security_mac, OID_AUTO, enforce_fs, CTLFLAG_RW, 125 &mac_enforce_fs, 0, "Enforce MAC policy on file system objects"); 126TUNABLE_INT("security.mac.enforce_fs", &mac_enforce_fs); 127 128static int mac_enforce_kld = 1; 129SYSCTL_INT(_security_mac, OID_AUTO, enforce_kld, CTLFLAG_RW, 130 &mac_enforce_kld, 0, "Enforce MAC policy on kld operations"); --- 145 unchanged lines hidden (view full) --- 276 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, \ 277 "mac_policy_list_exclusive() at %s:%d", __FILE__, __LINE__);\ 278 mtx_lock(&mac_policy_list_lock); \ 279 while (mac_policy_list_busy != 0) \ 280 cv_wait(&mac_policy_list_not_busy, \ 281 &mac_policy_list_lock); \ 282} while (0) 283 | 138static int mac_enforce_fs = 1; 139SYSCTL_INT(_security_mac, OID_AUTO, enforce_fs, CTLFLAG_RW, 140 &mac_enforce_fs, 0, "Enforce MAC policy on file system objects"); 141TUNABLE_INT("security.mac.enforce_fs", &mac_enforce_fs); 142 143static int mac_enforce_kld = 1; 144SYSCTL_INT(_security_mac, OID_AUTO, enforce_kld, CTLFLAG_RW, 145 &mac_enforce_kld, 0, "Enforce MAC policy on kld operations"); --- 145 unchanged lines hidden (view full) --- 291 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, \ 292 "mac_policy_list_exclusive() at %s:%d", __FILE__, __LINE__);\ 293 mtx_lock(&mac_policy_list_lock); \ 294 while (mac_policy_list_busy != 0) \ 295 cv_wait(&mac_policy_list_not_busy, \ 296 &mac_policy_list_lock); \ 297} while (0) 298 |
299#define MAC_POLICY_LIST_ASSERT_EXCLUSIVE() do { \ 300 mtx_assert(&mac_policy_list_lock, MA_OWNED); \ 301 KASSERT(mac_policy_list_busy == 0, \ 302 ("MAC_POLICY_LIST_ASSERT_EXCLUSIVE()")); \ 303} while (0) 304 |
|
284#define MAC_POLICY_LIST_BUSY() do { \ 285 MAC_POLICY_LIST_LOCK(); \ 286 mac_policy_list_busy++; \ 287 MAC_POLICY_LIST_UNLOCK(); \ 288} while (0) 289 290#define MAC_POLICY_LIST_UNBUSY() do { \ 291 MAC_POLICY_LIST_LOCK(); \ --- 167 unchanged lines hidden (view full) --- 459static void 460mac_late_init(void) 461{ 462 463 mac_late = 1; 464} 465 466/* | 305#define MAC_POLICY_LIST_BUSY() do { \ 306 MAC_POLICY_LIST_LOCK(); \ 307 mac_policy_list_busy++; \ 308 MAC_POLICY_LIST_UNLOCK(); \ 309} while (0) 310 311#define MAC_POLICY_LIST_UNBUSY() do { \ 312 MAC_POLICY_LIST_LOCK(); \ --- 167 unchanged lines hidden (view full) --- 480static void 481mac_late_init(void) 482{ 483 484 mac_late = 1; 485} 486 487/* |
488 * After the policy list has changed, walk the list to update any global 489 * flags. 490 */ 491static void 492mac_policy_updateflags(void) 493{ 494 struct mac_policy_conf *tmpc; 495#ifndef MAC_ALWAYS_LABEL_MBUF 496 int labelmbufs; 497#endif 498 499 MAC_POLICY_LIST_ASSERT_EXCLUSIVE(); 500 501#ifndef MAC_ALWAYS_LABEL_MBUF 502 labelmbufs = 0; 503#endif 504 LIST_FOREACH(tmpc, &mac_policy_list, mpc_list) { 505#ifndef MAC_ALWAYS_LABEL_MBUF 506 if (tmpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_LABELMBUFS) 507 labelmbufs++; 508#endif 509 } 510 511#ifndef MAC_ALWAYS_LABEL_MBUF 512 mac_labelmbufs = (labelmbufs != 0); 513#endif 514} 515 516/* |
|
467 * Allow MAC policy modules to register during boot, etc. 468 */ 469int 470mac_policy_modevent(module_t mod, int type, void *data) 471{ 472 struct mac_policy_conf *mpc; 473 int error; 474 --- 50 unchanged lines hidden (view full) --- 525 *mpc->mpc_field_off = slot; 526 } 527 mpc->mpc_runtime_flags |= MPC_RUNTIME_FLAG_REGISTERED; 528 LIST_INSERT_HEAD(&mac_policy_list, mpc, mpc_list); 529 530 /* Per-policy initialization. */ 531 if (mpc->mpc_ops->mpo_init != NULL) 532 (*(mpc->mpc_ops->mpo_init))(mpc); | 517 * Allow MAC policy modules to register during boot, etc. 518 */ 519int 520mac_policy_modevent(module_t mod, int type, void *data) 521{ 522 struct mac_policy_conf *mpc; 523 int error; 524 --- 50 unchanged lines hidden (view full) --- 575 *mpc->mpc_field_off = slot; 576 } 577 mpc->mpc_runtime_flags |= MPC_RUNTIME_FLAG_REGISTERED; 578 LIST_INSERT_HEAD(&mac_policy_list, mpc, mpc_list); 579 580 /* Per-policy initialization. */ 581 if (mpc->mpc_ops->mpo_init != NULL) 582 (*(mpc->mpc_ops->mpo_init))(mpc); |
583 mac_policy_updateflags(); |
|
533 MAC_POLICY_LIST_UNLOCK(); 534 535 printf("Security policy loaded: %s (%s)\n", mpc->mpc_fullname, 536 mpc->mpc_name); 537 538 return (0); 539} 540 --- 28 unchanged lines hidden (view full) --- 569 MAC_POLICY_LIST_UNLOCK(); 570 return (EBUSY); 571 } 572 if (mpc->mpc_ops->mpo_destroy != NULL) 573 (*(mpc->mpc_ops->mpo_destroy))(mpc); 574 575 LIST_REMOVE(mpc, mpc_list); 576 mpc->mpc_runtime_flags &= ~MPC_RUNTIME_FLAG_REGISTERED; | 584 MAC_POLICY_LIST_UNLOCK(); 585 586 printf("Security policy loaded: %s (%s)\n", mpc->mpc_fullname, 587 mpc->mpc_name); 588 589 return (0); 590} 591 --- 28 unchanged lines hidden (view full) --- 620 MAC_POLICY_LIST_UNLOCK(); 621 return (EBUSY); 622 } 623 if (mpc->mpc_ops->mpo_destroy != NULL) 624 (*(mpc->mpc_ops->mpo_destroy))(mpc); 625 626 LIST_REMOVE(mpc, mpc_list); 627 mpc->mpc_runtime_flags &= ~MPC_RUNTIME_FLAG_REGISTERED; |
577 | 628 mac_policy_updateflags(); |
578 MAC_POLICY_LIST_UNLOCK(); 579 580 printf("Security policy unload: %s (%s)\n", mpc->mpc_fullname, 581 mpc->mpc_name); 582 583 return (0); 584} 585 --- 32 unchanged lines hidden (view full) --- 618 if (error1 != 0) 619 return (error1); 620 return (error2); 621} 622 623static struct label * 624mbuf_to_label(struct mbuf *mbuf) 625{ | 629 MAC_POLICY_LIST_UNLOCK(); 630 631 printf("Security policy unload: %s (%s)\n", mpc->mpc_fullname, 632 mpc->mpc_name); 633 634 return (0); 635} 636 --- 32 unchanged lines hidden (view full) --- 669 if (error1 != 0) 670 return (error1); 671 return (error2); 672} 673 674static struct label * 675mbuf_to_label(struct mbuf *mbuf) 676{ |
677 struct m_tag *tag; |
|
626 struct label *label; 627 | 678 struct label *label; 679 |
628 label = &mbuf->m_pkthdr.label; | 680 tag = m_tag_find(mbuf, PACKET_TAG_MACLABEL, NULL); 681 label = (struct label *)(tag+1); |
629 630 return (label); 631} 632 633static void 634mac_init_label(struct label *label) 635{ 636 --- 85 unchanged lines hidden (view full) --- 722#ifdef MAC_DEBUG 723 if (error == 0) 724 atomic_add_int(&nmacipqs, 1); 725#endif 726 return (error); 727} 728 729int | 682 683 return (label); 684} 685 686static void 687mac_init_label(struct label *label) 688{ 689 --- 85 unchanged lines hidden (view full) --- 775#ifdef MAC_DEBUG 776 if (error == 0) 777 atomic_add_int(&nmacipqs, 1); 778#endif 779 return (error); 780} 781 782int |
730mac_init_mbuf(struct mbuf *m, int flag) | 783mac_init_mbuf_tag(struct m_tag *tag, int flag) |
731{ | 784{ |
732 int error; | 785 struct label *label; 786 int error, trflag; |
733 | 787 |
734 M_ASSERTPKTHDR(m); | 788 label = (struct label *) (tag + 1); 789 mac_init_label(label); |
735 | 790 |
736 mac_init_label(&m->m_pkthdr.label); 737 738 MAC_CHECK(init_mbuf_label, &m->m_pkthdr.label, flag); | 791 trflag = (flag == M_DONTWAIT ? M_NOWAIT : M_WAITOK); 792 MAC_CHECK(init_mbuf_label, label, trflag); |
739 if (error) { | 793 if (error) { |
740 MAC_PERFORM(destroy_mbuf_label, &m->m_pkthdr.label); 741 mac_destroy_label(&m->m_pkthdr.label); | 794 MAC_PERFORM(destroy_mbuf_label, label); 795 mac_destroy_label(label); |
742 } | 796 } |
743 | |
744#ifdef MAC_DEBUG 745 if (error == 0) 746 atomic_add_int(&nmacmbufs, 1); 747#endif 748 return (error); 749} 750 | 797#ifdef MAC_DEBUG 798 if (error == 0) 799 atomic_add_int(&nmacmbufs, 1); 800#endif 801 return (error); 802} 803 |
804int 805mac_init_mbuf(struct mbuf *m, int flag) 806{ 807 struct m_tag *tag; 808 int error; 809 810 M_ASSERTPKTHDR(m); 811 812#ifndef MAC_ALWAYS_LABEL_MBUF 813 /* 814 * Don't reserve space for labels on mbufs unless we have a policy 815 * that uses the labels. 816 */ 817 if (mac_labelmbufs) { 818#endif 819 tag = m_tag_get(PACKET_TAG_MACLABEL, sizeof(struct label), 820 flag); 821 if (tag == NULL) 822 return (ENOMEM); 823 error = mac_init_mbuf_tag(tag, flag); 824 if (error) { 825 m_tag_free(tag); 826 return (error); 827 } 828 m_tag_prepend(m, tag); 829#ifndef MAC_ALWAYS_LABEL_MBUF 830 } 831#endif 832 return (0); 833} 834 |
|
751void 752mac_init_mount(struct mount *mp) 753{ 754 755 mac_init_label(&mp->mnt_mntlabel); 756 mac_init_label(&mp->mnt_fslabel); 757 MAC_PERFORM(init_mount_label, &mp->mnt_mntlabel); 758 MAC_PERFORM(init_mount_fs_label, &mp->mnt_fslabel); --- 171 unchanged lines hidden (view full) --- 930 MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label); 931 mac_destroy_label(&ipq->ipq_label); 932#ifdef MAC_DEBUG 933 atomic_subtract_int(&nmacipqs, 1); 934#endif 935} 936 937void | 835void 836mac_init_mount(struct mount *mp) 837{ 838 839 mac_init_label(&mp->mnt_mntlabel); 840 mac_init_label(&mp->mnt_fslabel); 841 MAC_PERFORM(init_mount_label, &mp->mnt_mntlabel); 842 MAC_PERFORM(init_mount_fs_label, &mp->mnt_fslabel); --- 171 unchanged lines hidden (view full) --- 1014 MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label); 1015 mac_destroy_label(&ipq->ipq_label); 1016#ifdef MAC_DEBUG 1017 atomic_subtract_int(&nmacipqs, 1); 1018#endif 1019} 1020 1021void |
938mac_destroy_mbuf(struct mbuf *m) | 1022mac_destroy_mbuf_tag(struct m_tag *tag) |
939{ | 1023{ |
1024 struct label *label; |
|
940 | 1025 |
941 MAC_PERFORM(destroy_mbuf_label, &m->m_pkthdr.label); 942 mac_destroy_label(&m->m_pkthdr.label); | 1026 label = (struct label *)(tag+1); 1027 1028 MAC_PERFORM(destroy_mbuf_label, label); 1029 mac_destroy_label(label); |
943#ifdef MAC_DEBUG 944 atomic_subtract_int(&nmacmbufs, 1); 945#endif 946} 947 948void 949mac_destroy_mount(struct mount *mp) 950{ --- 77 unchanged lines hidden (view full) --- 1028 1029void 1030mac_destroy_vnode(struct vnode *vp) 1031{ 1032 1033 mac_destroy_vnode_label(&vp->v_label); 1034} 1035 | 1030#ifdef MAC_DEBUG 1031 atomic_subtract_int(&nmacmbufs, 1); 1032#endif 1033} 1034 1035void 1036mac_destroy_mount(struct mount *mp) 1037{ --- 77 unchanged lines hidden (view full) --- 1115 1116void 1117mac_destroy_vnode(struct vnode *vp) 1118{ 1119 1120 mac_destroy_vnode_label(&vp->v_label); 1121} 1122 |
1123void 1124mac_copy_mbuf_tag(struct m_tag *src, struct m_tag *dest) 1125{ 1126 struct label *src_label, *dest_label; 1127 1128 src_label = (struct label *)(src+1); 1129 dest_label = (struct label *)(dest+1); 1130 1131 /* 1132 * mac_init_mbuf_tag() is called on the target tag in 1133 * m_tag_copy(), so we don't need to call it here. 1134 */ 1135 MAC_PERFORM(copy_mbuf_label, src_label, dest_label); 1136} 1137 |
|
1036static void 1037mac_copy_pipe_label(struct label *src, struct label *dest) 1038{ 1039 1040 MAC_PERFORM(copy_pipe_label, src, dest); 1041} 1042 1043void --- 1269 unchanged lines hidden (view full) --- 2313} 2314 2315int 2316mac_check_ifnet_transmit(struct ifnet *ifnet, struct mbuf *mbuf) 2317{ 2318 struct label *label; 2319 int error; 2320 | 1138static void 1139mac_copy_pipe_label(struct label *src, struct label *dest) 1140{ 1141 1142 MAC_PERFORM(copy_pipe_label, src, dest); 1143} 1144 1145void --- 1269 unchanged lines hidden (view full) --- 2415} 2416 2417int 2418mac_check_ifnet_transmit(struct ifnet *ifnet, struct mbuf *mbuf) 2419{ 2420 struct label *label; 2421 int error; 2422 |
2423 M_ASSERTPKTHDR(mbuf); 2424 |
|
2321 if (!mac_enforce_network) 2322 return (0); 2323 | 2425 if (!mac_enforce_network) 2426 return (0); 2427 |
2324 M_ASSERTPKTHDR(mbuf); | |
2325 label = mbuf_to_label(mbuf); | 2428 label = mbuf_to_label(mbuf); |
2326 if (!(label->l_flags & MAC_FLAG_INITIALIZED)) 2327 if_printf(ifnet, "not initialized\n"); | |
2328 2329 MAC_CHECK(check_ifnet_transmit, ifnet, &ifnet->if_label, mbuf, 2330 label); 2331 2332 return (error); 2333} 2334 2335int --- 1436 unchanged lines hidden --- | 2429 2430 MAC_CHECK(check_ifnet_transmit, ifnet, &ifnet->if_label, mbuf, 2431 label); 2432 2433 return (error); 2434} 2435 2436int --- 1436 unchanged lines hidden --- |
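Review bot: The new mbuf_to_label body (new-side lines 680-681) casts `label = (struct label *)(tag+1)` without checking the result of m_tag_find(), so an mbuf that carries no PACKET_TAG_MACLABEL tag — which the new mac_labelmbufs comment at lines 124-134 says is expected for mbufs already in flight when a labelling policy loads, and which mac_init_mbuf now deliberately leaves untagged while mac_labelmbufs is 0 — produces a non-NULL garbage pointer (and pointer arithmetic on NULL is undefined) that mac_check_ifnet_transmit then passes to every policy's check_ifnet_transmit as a label. Add `if (tag == NULL) return (NULL);` between the m_tag_find() call and the cast so callers actually receive the NULL the comment promises, assuming m_tag_find() reports a missing tag as NULL, and state that contract in a comment on mbuf_to_label, e.g. `/* Returns NULL when the mbuf carries no MAC label tag; callers must cope. */`. Policy entry points reached through mac_check_ifnet_transmit should then be reviewed for that NULL, since the old `MAC_FLAG_INITIALIZED` diagnostic that used to catch an uninitialized label was removed in the same change. The same `(tag+1)` cast appears in mac_init_mbuf_tag, mac_destroy_mbuf_tag and mac_copy_mbuf_tag, but those receive the tag directly from their callers, so the missing check is only in mbuf_to_label; as a minor style point, mac_init_mbuf_tag writes the cast as `(tag + 1)` while the other three write `(tag+1)`.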