mac_pipe.c (172930) mac_pipe.c (182063)
1/*-
2 * Copyright (c) 2002-2003 Networks Associates Technology, Inc.
3 * Copyright (c) 2006 SPARTA, Inc.
4 * All rights reserved.
5 *
6 * This software was developed for the FreeBSD Project in part by Network
7 * Associates Laboratories, the Security Research Division of Network
8 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
9 * as part of the DARPA CHATS research program.
10 *
11 * This software was enhanced by SPARTA ISSO under SPAWAR contract
12 * N66001-04-C-6019 ("SEFOS").
13 *
14 * Redistribution and use in source and binary forms, with or without
15 * modification, are permitted provided that the following conditions
16 * are met:
17 * 1. Redistributions of source code must retain the above copyright
18 * notice, this list of conditions and the following disclaimer.
19 * 2. Redistributions in binary form must reproduce the above copyright
20 * notice, this list of conditions and the following disclaimer in the
21 * documentation and/or other materials provided with the distribution.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * SUCH DAMAGE.
34 */
35
36#include <sys/cdefs.h>
1/*-
2 * Copyright (c) 2002-2003 Networks Associates Technology, Inc.
3 * Copyright (c) 2006 SPARTA, Inc.
4 * All rights reserved.
5 *
6 * This software was developed for the FreeBSD Project in part by Network
7 * Associates Laboratories, the Security Research Division of Network
8 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
9 * as part of the DARPA CHATS research program.
10 *
11 * This software was enhanced by SPARTA ISSO under SPAWAR contract
12 * N66001-04-C-6019 ("SEFOS").
13 *
14 * Redistribution and use in source and binary forms, with or without
15 * modification, are permitted provided that the following conditions
16 * are met:
17 * 1. Redistributions of source code must retain the above copyright
18 * notice, this list of conditions and the following disclaimer.
19 * 2. Redistributions in binary form must reproduce the above copyright
20 * notice, this list of conditions and the following disclaimer in the
21 * documentation and/or other materials provided with the distribution.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * SUCH DAMAGE.
34 */
35
36#include <sys/cdefs.h>
37__FBSDID("$FreeBSD: head/sys/security/mac/mac_pipe.c 172930 2007-10-24 19:04:04Z rwatson $");
37__FBSDID("$FreeBSD: head/sys/security/mac/mac_pipe.c 182063 2008-08-23 15:26:36Z rwatson $");
38
39#include "opt_mac.h"
40
41#include <sys/param.h>
42#include <sys/kernel.h>
43#include <sys/lock.h>
44#include <sys/malloc.h>
45#include <sys/module.h>
46#include <sys/mutex.h>
47#include <sys/sbuf.h>
48#include <sys/systm.h>
49#include <sys/vnode.h>
50#include <sys/pipe.h>
51#include <sys/sysctl.h>
52
53#include <security/mac/mac_framework.h>
54#include <security/mac/mac_internal.h>
55#include <security/mac/mac_policy.h>
56
57struct label *
58mac_pipe_label_alloc(void)
59{
60 struct label *label;
61
62 label = mac_labelzone_alloc(M_WAITOK);
63 MAC_PERFORM(pipe_init_label, label);
64 return (label);
65}
66
67void
68mac_pipe_init(struct pipepair *pp)
69{
70
38
39#include "opt_mac.h"
40
41#include <sys/param.h>
42#include <sys/kernel.h>
43#include <sys/lock.h>
44#include <sys/malloc.h>
45#include <sys/module.h>
46#include <sys/mutex.h>
47#include <sys/sbuf.h>
48#include <sys/systm.h>
49#include <sys/vnode.h>
50#include <sys/pipe.h>
51#include <sys/sysctl.h>
52
53#include <security/mac/mac_framework.h>
54#include <security/mac/mac_internal.h>
55#include <security/mac/mac_policy.h>
56
57struct label *
58mac_pipe_label_alloc(void)
59{
60 struct label *label;
61
62 label = mac_labelzone_alloc(M_WAITOK);
63 MAC_PERFORM(pipe_init_label, label);
64 return (label);
65}
66
67void
68mac_pipe_init(struct pipepair *pp)
69{
70
71 pp->pp_label = mac_pipe_label_alloc();
71 if (mac_labeled & MPC_OBJECT_PIPE)
72 pp->pp_label = mac_pipe_label_alloc();
73 else
74 pp->pp_label = NULL;
72}
73
74void
75mac_pipe_label_free(struct label *label)
76{
77
78 MAC_PERFORM(pipe_destroy_label, label);
79 mac_labelzone_free(label);
80}
81
82void
83mac_pipe_destroy(struct pipepair *pp)
84{
85
75}
76
77void
78mac_pipe_label_free(struct label *label)
79{
80
81 MAC_PERFORM(pipe_destroy_label, label);
82 mac_labelzone_free(label);
83}
84
85void
86mac_pipe_destroy(struct pipepair *pp)
87{
88
86 mac_pipe_label_free(pp->pp_label);
87 pp->pp_label = NULL;
89 if (pp->pp_label != NULL) {
90 mac_pipe_label_free(pp->pp_label);
91 pp->pp_label = NULL;
92 }
88}
89
90void
91mac_pipe_copy_label(struct label *src, struct label *dest)
92{
93
94 MAC_PERFORM(pipe_copy_label, src, dest);
95}
96
97int
98mac_pipe_externalize_label(struct label *label, char *elements,
99 char *outbuf, size_t outbuflen)
100{
101 int error;
102
103 MAC_EXTERNALIZE(pipe, label, elements, outbuf, outbuflen);
104
105 return (error);
106}
107
108int
109mac_pipe_internalize_label(struct label *label, char *string)
110{
111 int error;
112
113 MAC_INTERNALIZE(pipe, label, string);
114
115 return (error);
116}
117
118void
119mac_pipe_create(struct ucred *cred, struct pipepair *pp)
120{
121
122 MAC_PERFORM(pipe_create, cred, pp, pp->pp_label);
123}
124
125static void
126mac_pipe_relabel(struct ucred *cred, struct pipepair *pp,
127 struct label *newlabel)
128{
129
130 MAC_PERFORM(pipe_relabel, cred, pp, pp->pp_label, newlabel);
131}
132
133int
134mac_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp,
135 unsigned long cmd, void *data)
136{
137 int error;
138
139 mtx_assert(&pp->pp_mtx, MA_OWNED);
140
141 MAC_CHECK(pipe_check_ioctl, cred, pp, pp->pp_label, cmd, data);
142
143 return (error);
144}
145
146int
147mac_pipe_check_poll(struct ucred *cred, struct pipepair *pp)
148{
149 int error;
150
151 mtx_assert(&pp->pp_mtx, MA_OWNED);
152
153 MAC_CHECK(pipe_check_poll, cred, pp, pp->pp_label);
154
155 return (error);
156}
157
158int
159mac_pipe_check_read(struct ucred *cred, struct pipepair *pp)
160{
161 int error;
162
163 mtx_assert(&pp->pp_mtx, MA_OWNED);
164
165 MAC_CHECK(pipe_check_read, cred, pp, pp->pp_label);
166
167 return (error);
168}
169
170static int
171mac_pipe_check_relabel(struct ucred *cred, struct pipepair *pp,
172 struct label *newlabel)
173{
174 int error;
175
176 mtx_assert(&pp->pp_mtx, MA_OWNED);
177
178 MAC_CHECK(pipe_check_relabel, cred, pp, pp->pp_label, newlabel);
179
180 return (error);
181}
182
183int
184mac_pipe_check_stat(struct ucred *cred, struct pipepair *pp)
185{
186 int error;
187
188 mtx_assert(&pp->pp_mtx, MA_OWNED);
189
190 MAC_CHECK(pipe_check_stat, cred, pp, pp->pp_label);
191
192 return (error);
193}
194
195int
196mac_pipe_check_write(struct ucred *cred, struct pipepair *pp)
197{
198 int error;
199
200 mtx_assert(&pp->pp_mtx, MA_OWNED);
201
202 MAC_CHECK(pipe_check_write, cred, pp, pp->pp_label);
203
204 return (error);
205}
206
207int
208mac_pipe_label_set(struct ucred *cred, struct pipepair *pp,
209 struct label *label)
210{
211 int error;
212
213 mtx_assert(&pp->pp_mtx, MA_OWNED);
214
215 error = mac_pipe_check_relabel(cred, pp, label);
216 if (error)
217 return (error);
218
219 mac_pipe_relabel(cred, pp, label);
220
221 return (0);
222}
93}
94
95void
96mac_pipe_copy_label(struct label *src, struct label *dest)
97{
98
99 MAC_PERFORM(pipe_copy_label, src, dest);
100}
101
102int
103mac_pipe_externalize_label(struct label *label, char *elements,
104 char *outbuf, size_t outbuflen)
105{
106 int error;
107
108 MAC_EXTERNALIZE(pipe, label, elements, outbuf, outbuflen);
109
110 return (error);
111}
112
113int
114mac_pipe_internalize_label(struct label *label, char *string)
115{
116 int error;
117
118 MAC_INTERNALIZE(pipe, label, string);
119
120 return (error);
121}
122
123void
124mac_pipe_create(struct ucred *cred, struct pipepair *pp)
125{
126
127 MAC_PERFORM(pipe_create, cred, pp, pp->pp_label);
128}
129
130static void
131mac_pipe_relabel(struct ucred *cred, struct pipepair *pp,
132 struct label *newlabel)
133{
134
135 MAC_PERFORM(pipe_relabel, cred, pp, pp->pp_label, newlabel);
136}
137
138int
139mac_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp,
140 unsigned long cmd, void *data)
141{
142 int error;
143
144 mtx_assert(&pp->pp_mtx, MA_OWNED);
145
146 MAC_CHECK(pipe_check_ioctl, cred, pp, pp->pp_label, cmd, data);
147
148 return (error);
149}
150
151int
152mac_pipe_check_poll(struct ucred *cred, struct pipepair *pp)
153{
154 int error;
155
156 mtx_assert(&pp->pp_mtx, MA_OWNED);
157
158 MAC_CHECK(pipe_check_poll, cred, pp, pp->pp_label);
159
160 return (error);
161}
162
163int
164mac_pipe_check_read(struct ucred *cred, struct pipepair *pp)
165{
166 int error;
167
168 mtx_assert(&pp->pp_mtx, MA_OWNED);
169
170 MAC_CHECK(pipe_check_read, cred, pp, pp->pp_label);
171
172 return (error);
173}
174
175static int
176mac_pipe_check_relabel(struct ucred *cred, struct pipepair *pp,
177 struct label *newlabel)
178{
179 int error;
180
181 mtx_assert(&pp->pp_mtx, MA_OWNED);
182
183 MAC_CHECK(pipe_check_relabel, cred, pp, pp->pp_label, newlabel);
184
185 return (error);
186}
187
188int
189mac_pipe_check_stat(struct ucred *cred, struct pipepair *pp)
190{
191 int error;
192
193 mtx_assert(&pp->pp_mtx, MA_OWNED);
194
195 MAC_CHECK(pipe_check_stat, cred, pp, pp->pp_label);
196
197 return (error);
198}
199
200int
201mac_pipe_check_write(struct ucred *cred, struct pipepair *pp)
202{
203 int error;
204
205 mtx_assert(&pp->pp_mtx, MA_OWNED);
206
207 MAC_CHECK(pipe_check_write, cred, pp, pp->pp_label);
208
209 return (error);
210}
211
212int
213mac_pipe_label_set(struct ucred *cred, struct pipepair *pp,
214 struct label *label)
215{
216 int error;
217
218 mtx_assert(&pp->pp_mtx, MA_OWNED);
219
220 error = mac_pipe_check_relabel(cred, pp, label);
221 if (error)
222 return (error);
223
224 mac_pipe_relabel(cred, pp, label);
225
226 return (0);
227}
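Review bot: mac_pipe_init now leaves pp->pp_label NULL when no loaded policy has set MPC_OBJECT_PIPE, but the consumers lower in the file (mac_pipe_create, mac_pipe_relabel and every mac_pipe_check_* wrapper, plus mac_pipe_label_set) still pass pp->pp_label to policies unconditionally, so a policy that registers for pipe labels after a pipe was created will be handed a NULL label and nothing in this commit says who guarantees that is safe. I would record the invariant at the allocation site: `/* mac_labeled is sampled once at creation: a NULL pp_label means no policy wanted pipe labels at that time; policies loaded later must tolerate a NULL label here. */`. The mac_labeled read in mac_pipe_init is also done without any lock or assertion; whether that is acceptable depends on how the framework updates mac_labeled, which is outside this file. The NULL guard added to mac_pipe_destroy is consistent with the new allocation policy and looks correct as written.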