
83     "BSD Extended MAC rule");
94 &rule_slots, 0, "Number of used rule slots\n");
108 * between the new mode (first rule matches) and the old functionality (all
114 "Disable/enable match first rule functionality");
117 ugidfw_rule_valid(struct mac_bsdextended_rule *rule)
120 if ((rule->mbr_subject.mbs_flags | MBS_ALL_FLAGS) != MBS_ALL_FLAGS)
122 if ((rule->mbr_subject.mbs_neg | MBS_ALL_FLAGS) != MBS_ALL_FLAGS)
124 if ((rule->mbr_object.mbo_flags | MBO_ALL_FLAGS) != MBO_ALL_FLAGS)
126 if ((rule->mbr_object.mbo_neg | MBO_ALL_FLAGS) != MBO_ALL_FLAGS)
128 if ((rule->mbr_object.mbo_neg | MBO_TYPE_DEFINED) &&
129 (rule->mbr_object.mbo_type | MBO_ALL_TYPE) != MBO_ALL_TYPE)
131 if ((rule->mbr_mode | MBI_ALLPERM) != MBI_ALLPERM)
228 ugidfw_rulecheck(struct mac_bsdextended_rule *rule,
238 if (rule->mbr_subject.mbs_flags & MBS_UID_DEFINED) {
239 match = ((cred->cr_uid <= rule->mbr_subject.mbs_uid_max &&
240 cred->cr_uid >= rule->mbr_subject.mbs_uid_min) ||
241 (cred->cr_ruid <= rule->mbr_subject.mbs_uid_max &&
242 cred->cr_ruid >= rule->mbr_subject.mbs_uid_min) ||
243 (cred->cr_svuid <= rule->mbr_subject.mbs_uid_max &&
244 cred->cr_svuid >= rule->mbr_subject.mbs_uid_min));
245 if (rule->mbr_subject.mbs_neg & MBS_UID_DEFINED)
251 if (rule->mbr_subject.mbs_flags & MBS_GID_DEFINED) {
252 match = ((cred->cr_rgid <= rule->mbr_subject.mbs_gid_max &&
253 cred->cr_rgid >= rule->mbr_subject.mbs_gid_min) ||
254 (cred->cr_svgid <= rule->mbr_subject.mbs_gid_max &&
255 cred->cr_svgid >= rule->mbr_subject.mbs_gid_min));
259 <= rule->mbr_subject.mbs_gid_max &&
261 >= rule->mbr_subject.mbs_gid_min) {
267 if (rule->mbr_subject.mbs_neg & MBS_GID_DEFINED)
273 if (rule->mbr_subject.mbs_flags & MBS_PRISON_DEFINED) {
275 (cred->cr_prison->pr_id == rule->mbr_subject.mbs_prison);
276 if (rule->mbr_subject.mbs_neg & MBS_PRISON_DEFINED)
285 if (rule->mbr_object.mbo_flags & MBO_UID_DEFINED) {
286 match = (vap->va_uid <= rule->mbr_object.mbo_uid_max &&
287 vap->va_uid >= rule->mbr_object.mbo_uid_min);
288 if (rule->mbr_object.mbo_neg & MBO_UID_DEFINED)
294 if (rule->mbr_object.mbo_flags & MBO_GID_DEFINED) {
295 match = (vap->va_gid <= rule->mbr_object.mbo_gid_max &&
296 vap->va_gid >= rule->mbr_object.mbo_gid_min);
297 if (rule->mbr_object.mbo_neg & MBO_GID_DEFINED)
303 if (rule->mbr_object.mbo_flags & MBO_FSID_DEFINED) {
305 &(rule->mbr_object.mbo_fsid),
306 sizeof(rule->mbr_object.mbo_fsid)) == 0);
307 if (rule->mbr_object.mbo_neg & MBO_FSID_DEFINED)
313 if (rule->mbr_object.mbo_flags & MBO_SUID) {
315 if (rule->mbr_object.mbo_neg & MBO_SUID)
321 if (rule->mbr_object.mbo_flags & MBO_SGID) {
323 if (rule->mbr_object.mbo_neg & MBO_SGID)
329 if (rule->mbr_object.mbo_flags & MBO_UID_SUBJECT) {
333 if (rule->mbr_object.mbo_neg & MBO_UID_SUBJECT)
339 if (rule->mbr_object.mbo_flags & MBO_GID_SUBJECT) {
343 if (rule->mbr_object.mbo_neg & MBO_GID_SUBJECT)
349 if (rule->mbr_object.mbo_flags & MBO_TYPE_DEFINED) {
352 match = (rule->mbr_object.mbo_type & MBO_TYPE_REG);
355 match = (rule->mbr_object.mbo_type & MBO_TYPE_DIR);
358 match = (rule->mbr_object.mbo_type & MBO_TYPE_BLK);
361 match = (rule->mbr_object.mbo_type & MBO_TYPE_CHR);
364 match = (rule->mbr_object.mbo_type & MBO_TYPE_LNK);
367 match = (rule->mbr_object.mbo_type & MBO_TYPE_SOCK);
370 match = (rule->mbr_object.mbo_type & MBO_TYPE_FIFO);
375 if (rule->mbr_object.mbo_neg & MBO_TYPE_DEFINED)
386 mac_granted = rule->mbr_mode;
416 * If the rule matched, permits access, and first match is enabled,