sdiff udiff text old ( 122454 ) new ( 122524 )
1/*-
2 * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson
3 * Copyright (c) 2001 Ilmar S. Habibulin
4 * Copyright (c) 2001, 2002, 2003 Networks Associates Technology, Inc.
5 * All rights reserved.
6 *
7 * This software was developed by Robert Watson and Ilmar Habibulin for the
8 * TrustedBSD Project.

--- 28 unchanged lines hidden (view full) ---

37/*-
38 * Framework for extensible kernel access control. This file contains
39 * Kernel and userland interface to the framework, policy registration
40 * and composition. Per-object interfaces, controls, and labeling may be
41 * found in src/sys/mac/. Sample policies may be found in src/sys/mac*.
42 */
43
44#include <sys/cdefs.h>
45__FBSDID("$FreeBSD: head/sys/security/mac/mac_framework.c 122454 2003-11-11 03:40:04Z rwatson $");
46
47#include "opt_mac.h"
48#include "opt_devfs.h"
49
50#include <sys/param.h>
51#include <sys/condvar.h>
52#include <sys/extattr.h>
53#include <sys/imgact.h>

--- 197 unchanged lines hidden (view full) ---

251 * Initialize the MAC subsystem, including appropriate SMP locks.
252 */
253static void
254mac_init(void)
255{
256
257 LIST_INIT(&mac_static_policy_list);
258 LIST_INIT(&mac_policy_list);
259
260 mtx_init(&mac_policy_mtx, "mac_policy_mtx", NULL, MTX_DEF);
261 cv_init(&mac_policy_cv, "mac_policy_cv");
262}
263
264/*
265 * For the purposes of modules that want to know if they were loaded
266 * "early", set the mac_late flag once we've processed modules either

--- 293 unchanged lines hidden (view full) ---

560 error = copyinstr(mac.m_string, elements, mac.m_buflen, NULL);
561 if (error) {
562 free(elements, M_MACTEMP);
563 crfree(tcred);
564 return (error);
565 }
566
567 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
568 error = mac_externalize_cred_label(&tcred->cr_label, elements,
569 buffer, mac.m_buflen);
570 if (error == 0)
571 error = copyout(buffer, mac.m_string, strlen(buffer)+1);
572
573 free(buffer, M_MACTEMP);
574 free(elements, M_MACTEMP);
575 crfree(tcred);
576 return (error);

--- 20 unchanged lines hidden (view full) ---

597 elements = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK);
598 error = copyinstr(mac.m_string, elements, mac.m_buflen, NULL);
599 if (error) {
600 free(elements, M_MACTEMP);
601 return (error);
602 }
603
604 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
605 error = mac_externalize_cred_label(&td->td_ucred->cr_label,
606 elements, buffer, mac.m_buflen);
607 if (error == 0)
608 error = copyout(buffer, mac.m_string, strlen(buffer)+1);
609
610 free(buffer, M_MACTEMP);
611 free(elements, M_MACTEMP);
612 return (error);
613}
614
615/*
616 * MPSAFE
617 */
618int
619__mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
620{
621 struct ucred *newcred, *oldcred;
622 struct label intlabel;
623 struct proc *p;
624 struct mac mac;
625 char *buffer;
626 int error;
627
628 error = copyin(uap->mac_p, &mac, sizeof(mac));
629 if (error)
630 return (error);

--- 4 unchanged lines hidden (view full) ---

635
636 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK);
637 error = copyinstr(mac.m_string, buffer, mac.m_buflen, NULL);
638 if (error) {
639 free(buffer, M_MACTEMP);
640 return (error);
641 }
642
643 mac_init_cred_label(&intlabel);
644 error = mac_internalize_cred_label(&intlabel, buffer);
645 free(buffer, M_MACTEMP);
646 if (error) {
647 mac_destroy_cred_label(&intlabel);
648 return (error);
649 }
650
651 newcred = crget();
652
653 p = td->td_proc;
654 PROC_LOCK(p);
655 oldcred = p->p_ucred;
656
657 error = mac_check_cred_relabel(oldcred, &intlabel);
658 if (error) {
659 PROC_UNLOCK(p);
660 crfree(newcred);
661 goto out;
662 }
663
664 setsugid(p);
665 crcopy(newcred, oldcred);
666 mac_relabel_cred(newcred, &intlabel);
667 p->p_ucred = newcred;
668
669 /*
670 * Grab additional reference for use while revoking mmaps, prior
671 * to releasing the proc lock and sharing the cred.
672 */
673 crhold(newcred);
674 PROC_UNLOCK(p);
675
676 if (mac_enforce_vm) {
677 mtx_lock(&Giant);
678 mac_cred_mmapped_drop_perms(td, newcred);
679 mtx_unlock(&Giant);
680 }
681
682 crfree(newcred); /* Free revocation reference. */
683 crfree(oldcred);
684
685out:
686 mac_destroy_cred_label(&intlabel);
687 return (error);
688}
689
690/*
691 * MPSAFE
692 */
693int
694__mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap)
695{
696 char *elements, *buffer;
697 struct label intlabel;
698 struct file *fp;
699 struct mac mac;
700 struct vnode *vp;
701 struct pipe *pipe;
702 short label_type;
703 int error;
704
705 error = copyin(uap->mac_p, &mac, sizeof(mac));

--- 18 unchanged lines hidden (view full) ---

724 goto out;
725
726 label_type = fp->f_type;
727 switch (fp->f_type) {
728 case DTYPE_FIFO:
729 case DTYPE_VNODE:
730 vp = fp->f_vnode;
731
732 mac_init_vnode_label(&intlabel);
733
734 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
735 mac_copy_vnode_label(&vp->v_label, &intlabel);
736 VOP_UNLOCK(vp, 0, td);
737
738 break;
739 case DTYPE_PIPE:
740 pipe = fp->f_data;
741
742 mac_init_pipe_label(&intlabel);
743
744 PIPE_LOCK(pipe);
745 mac_copy_pipe_label(pipe->pipe_label, &intlabel);
746 PIPE_UNLOCK(pipe);
747 break;
748 default:
749 error = EINVAL;
750 fdrop(fp, td);
751 goto out;
752 }
753 fdrop(fp, td);
754
755 switch (label_type) {
756 case DTYPE_FIFO:
757 case DTYPE_VNODE:
758 if (error == 0)
759 error = mac_externalize_vnode_label(&intlabel,
760 elements, buffer, mac.m_buflen);
761 mac_destroy_vnode_label(&intlabel);
762 break;
763 case DTYPE_PIPE:
764 error = mac_externalize_pipe_label(&intlabel, elements,
765 buffer, mac.m_buflen);
766 mac_destroy_pipe_label(&intlabel);
767 break;
768 default:
769 panic("__mac_get_fd: corrupted label_type");
770 }
771
772 if (error == 0)
773 error = copyout(buffer, mac.m_string, strlen(buffer)+1);
774

--- 8 unchanged lines hidden (view full) ---

783/*
784 * MPSAFE
785 */
786int
787__mac_get_file(struct thread *td, struct __mac_get_file_args *uap)
788{
789 char *elements, *buffer;
790 struct nameidata nd;
791 struct label intlabel;
792 struct mac mac;
793 int error;
794
795 error = copyin(uap->mac_p, &mac, sizeof(mac));
796 if (error)
797 return (error);
798
799 error = mac_check_structmac_consistent(&mac);

--- 10 unchanged lines hidden (view full) ---

810 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
811 mtx_lock(&Giant); /* VFS */
812 NDINIT(&nd, LOOKUP, LOCKLEAF | FOLLOW, UIO_USERSPACE, uap->path_p,
813 td);
814 error = namei(&nd);
815 if (error)
816 goto out;
817
818 mac_init_vnode_label(&intlabel);
819 mac_copy_vnode_label(&nd.ni_vp->v_label, &intlabel);
820 error = mac_externalize_vnode_label(&intlabel, elements, buffer,
821 mac.m_buflen);
822
823 NDFREE(&nd, 0);
824 mac_destroy_vnode_label(&intlabel);
825
826 if (error == 0)
827 error = copyout(buffer, mac.m_string, strlen(buffer)+1);
828
829out:
830 mtx_unlock(&Giant); /* VFS */
831
832 free(buffer, M_MACTEMP);

--- 5 unchanged lines hidden (view full) ---

838/*
839 * MPSAFE
840 */
841int
842__mac_get_link(struct thread *td, struct __mac_get_link_args *uap)
843{
844 char *elements, *buffer;
845 struct nameidata nd;
846 struct label intlabel;
847 struct mac mac;
848 int error;
849
850 error = copyin(uap->mac_p, &mac, sizeof(mac));
851 if (error)
852 return (error);
853
854 error = mac_check_structmac_consistent(&mac);

--- 10 unchanged lines hidden (view full) ---

865 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
866 mtx_lock(&Giant); /* VFS */
867 NDINIT(&nd, LOOKUP, LOCKLEAF | NOFOLLOW, UIO_USERSPACE, uap->path_p,
868 td);
869 error = namei(&nd);
870 if (error)
871 goto out;
872
873 mac_init_vnode_label(&intlabel);
874 mac_copy_vnode_label(&nd.ni_vp->v_label, &intlabel);
875 error = mac_externalize_vnode_label(&intlabel, elements, buffer,
876 mac.m_buflen);
877 NDFREE(&nd, 0);
878 mac_destroy_vnode_label(&intlabel);
879
880 if (error == 0)
881 error = copyout(buffer, mac.m_string, strlen(buffer)+1);
882
883out:
884 mtx_unlock(&Giant); /* VFS */
885
886 free(buffer, M_MACTEMP);
887 free(elements, M_MACTEMP);
888
889 return (error);
890}
891
892/*
893 * MPSAFE
894 */
895int
896__mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap)
897{
898 struct label intlabel;
899 struct pipe *pipe;
900 struct file *fp;
901 struct mount *mp;
902 struct vnode *vp;
903 struct mac mac;
904 char *buffer;
905 int error;
906

--- 16 unchanged lines hidden (view full) ---

923
924 error = fget(td, uap->fd, &fp);
925 if (error)
926 goto out;
927
928 switch (fp->f_type) {
929 case DTYPE_FIFO:
930 case DTYPE_VNODE:
931 mac_init_vnode_label(&intlabel);
932 error = mac_internalize_vnode_label(&intlabel, buffer);
933 if (error) {
934 mac_destroy_vnode_label(&intlabel);
935 break;
936 }
937
938 vp = fp->f_vnode;
939 error = vn_start_write(vp, &mp, V_WAIT | PCATCH);
940 if (error != 0) {
941 mac_destroy_vnode_label(&intlabel);
942 break;
943 }
944
945 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
946 error = vn_setlabel(vp, &intlabel, td->td_ucred);
947 VOP_UNLOCK(vp, 0, td);
948 vn_finished_write(mp);
949
950 mac_destroy_vnode_label(&intlabel);
951 break;
952
953 case DTYPE_PIPE:
954 mac_init_pipe_label(&intlabel);
955 error = mac_internalize_pipe_label(&intlabel, buffer);
956 if (error == 0) {
957 pipe = fp->f_data;
958 PIPE_LOCK(pipe);
959 error = mac_pipe_label_set(td->td_ucred, pipe,
960 &intlabel);
961 PIPE_UNLOCK(pipe);
962 }
963
964 mac_destroy_pipe_label(&intlabel);
965 break;
966
967 default:
968 error = EINVAL;
969 }
970
971 fdrop(fp, td);
972out:

--- 5 unchanged lines hidden (view full) ---

978}
979
980/*
981 * MPSAFE
982 */
983int
984__mac_set_file(struct thread *td, struct __mac_set_file_args *uap)
985{
986 struct label intlabel;
987 struct nameidata nd;
988 struct mount *mp;
989 struct mac mac;
990 char *buffer;
991 int error;
992
993 error = copyin(uap->mac_p, &mac, sizeof(mac));
994 if (error)

--- 5 unchanged lines hidden (view full) ---

1000
1001 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK);
1002 error = copyinstr(mac.m_string, buffer, mac.m_buflen, NULL);
1003 if (error) {
1004 free(buffer, M_MACTEMP);
1005 return (error);
1006 }
1007
1008 mac_init_vnode_label(&intlabel);
1009 error = mac_internalize_vnode_label(&intlabel, buffer);
1010 free(buffer, M_MACTEMP);
1011 if (error) {
1012 mac_destroy_vnode_label(&intlabel);
1013 return (error);
1014 }
1015
1016 mtx_lock(&Giant); /* VFS */
1017
1018 NDINIT(&nd, LOOKUP, LOCKLEAF | FOLLOW, UIO_USERSPACE, uap->path_p,
1019 td);
1020 error = namei(&nd);
1021 if (error == 0) {
1022 error = vn_start_write(nd.ni_vp, &mp, V_WAIT | PCATCH);
1023 if (error == 0)
1024 error = vn_setlabel(nd.ni_vp, &intlabel,
1025 td->td_ucred);
1026 vn_finished_write(mp);
1027 }
1028
1029 NDFREE(&nd, 0);
1030 mtx_unlock(&Giant); /* VFS */
1031 mac_destroy_vnode_label(&intlabel);
1032
1033 return (error);
1034}
1035
1036/*
1037 * MPSAFE
1038 */
1039int
1040__mac_set_link(struct thread *td, struct __mac_set_link_args *uap)
1041{
1042 struct label intlabel;
1043 struct nameidata nd;
1044 struct mount *mp;
1045 struct mac mac;
1046 char *buffer;
1047 int error;
1048
1049 error = copyin(uap->mac_p, &mac, sizeof(mac));
1050 if (error)

--- 5 unchanged lines hidden (view full) ---

1056
1057 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK);
1058 error = copyinstr(mac.m_string, buffer, mac.m_buflen, NULL);
1059 if (error) {
1060 free(buffer, M_MACTEMP);
1061 return (error);
1062 }
1063
1064 mac_init_vnode_label(&intlabel);
1065 error = mac_internalize_vnode_label(&intlabel, buffer);
1066 free(buffer, M_MACTEMP);
1067 if (error) {
1068 mac_destroy_vnode_label(&intlabel);
1069 return (error);
1070 }
1071
1072 mtx_lock(&Giant); /* VFS */
1073
1074 NDINIT(&nd, LOOKUP, LOCKLEAF | NOFOLLOW, UIO_USERSPACE, uap->path_p,
1075 td);
1076 error = namei(&nd);
1077 if (error == 0) {
1078 error = vn_start_write(nd.ni_vp, &mp, V_WAIT | PCATCH);
1079 if (error == 0)
1080 error = vn_setlabel(nd.ni_vp, &intlabel,
1081 td->td_ucred);
1082 vn_finished_write(mp);
1083 }
1084
1085 NDFREE(&nd, 0);
1086 mtx_unlock(&Giant); /* VFS */
1087 mac_destroy_vnode_label(&intlabel);
1088
1089 return (error);
1090}
1091
1092/*
1093 * MPSAFE
1094 */
1095int
1096mac_syscall(struct thread *td, struct mac_syscall_args *uap)

--- 110 unchanged lines hidden ---
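Review bot: In __mac_set_file (file lines 1022-1026) and __mac_set_link (file lines 1078-1082), `vn_finished_write(mp)` is called even when `vn_start_write()` returned an error, while __mac_set_fd (file lines 939-943) breaks out without it on the same failure; unless vn_start_write() clears `*mpp` on every failure path, which is not visible here, the error path releases a write reference that was never taken (an interrupted PCATCH sleep would be such a case). The call should sit inside the success branch in both functions: `if (error == 0) {` / `error = vn_setlabel(nd.ni_vp, &intlabel, td->td_ucred);` / `vn_finished_write(mp); }`. This rendering does not show which side of the diff these lines belong to, so if the new revision already restructures this, the point only applies to whichever copy keeps the unconditional call.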