1114402Sru/*-
2151497Sru * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson
3151497Sru * Copyright (c) 2001, 2002 Networks Associates Technology, Inc.
4114402Sru * All rights reserved.
5114402Sru *
6114402Sru * This software was developed by Robert Watson for the TrustedBSD Project.
7114402Sru *
8114402Sru * This software was developed for the FreeBSD Project in part by Network
9114402Sru * Associates Laboratories, the Security Research Division of Network
10114402Sru * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
11114402Sru * as part of the DARPA CHATS research program.
12114402Sru *
13114402Sru * Redistribution and use in source and binary forms, with or without
14114402Sru * modification, are permitted provided that the following conditions
15114402Sru * are met:
16114402Sru * 1. Redistributions of source code must retain the above copyright
17114402Sru *    notice, this list of conditions and the following disclaimer.
18114402Sru * 2. Redistributions in binary form must reproduce the above copyright
19114402Sru *    notice, this list of conditions and the following disclaimer in the
20151497Sru *    documentation and/or other materials provided with the distribution.
21114402Sru *
22114402Sru * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
23114402Sru * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24114402Sru * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25114402Sru * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
26114402Sru * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27114402Sru * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28114402Sru * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29114402Sru * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30114402Sru * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31114402Sru * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32114402Sru * SUCH DAMAGE.
33114402Sru *
34114402Sru * $FreeBSD: head/sys/security/mac/mac_framework.h 106788 2002-11-12 04:20:36Z rwatson $
35114402Sru */
36114402Sru/*
37114402Sru * Userland/kernel interface for Mandatory Access Control.
38114402Sru *
39114402Sru * The POSIX.1e implementation page may be reached at:
40114402Sru * http://www.trustedbsd.org/
41114402Sru */
42114402Sru#ifndef _SYS_MAC_H
43114402Sru#define	_SYS_MAC_H
44114402Sru
45114402Sru#include <sys/_label.h>
46114402Sru
47114402Sru#ifndef _POSIX_MAC
48114402Sru#define	_POSIX_MAC
49114402Sru#endif
50114402Sru
/*
 * Name and namespace of the single extended attribute in which a file's
 * MAC label is stored.  The system EA namespace is used rather than the
 * user namespace, so the label is not reachable through the ordinary
 * per-user extattr path (NOTE(review): write access to system-namespace
 * EAs is presumably privileged; confirm against the extattr code).
 *
 * XXXMAC: The single MAC extended attribute will be deprecated once
 * compound EA writes on a single target file can be performed cleanly
 * with UFS2.
 */
#define	FREEBSD_MAC_EXTATTR_NAME	"freebsd.mac"
#define	FREEBSD_MAC_EXTATTR_NAMESPACE	EXTATTR_NAMESPACE_SYSTEM
58114402Sru
/*
 * MAC framework-related constants and limits.
 *
 * Byte limits on the textual form of a policy name, a label element
 * name, one element's data, and the whole label buffer exchanged via
 * struct mac.  NOTE(review): these are the bounds a kernel-side consumer
 * should apply to any userland-supplied length (m_buflen) or string
 * before copying it in; whether each limit counts the terminating NUL
 * is not visible from this header -- confirm in the implementation.
 */
#define	MAC_MAX_POLICY_NAME		32
#define	MAC_MAX_LABEL_ELEMENT_NAME	32
#define	MAC_MAX_LABEL_ELEMENT_DATA	4096
#define	MAC_MAX_LABEL_BUF_LEN		8192
66114402Sru
/*
 * Label interchange buffer shared by userland and the kernel: a pointer
 * to a text buffer plus that buffer's length.  Layout is part of the
 * user/kernel ABI and must not be reordered.
 *
 * NOTE(review): when this structure is received from userland (the
 * *extmac parameters of the kernel entry points below) both fields are
 * untrusted -- m_buflen should be bounded by MAC_MAX_LABEL_BUF_LEN and
 * m_string accessed only via copyin/copyout; verify in the implementation.
 */
struct mac {
	size_t		 m_buflen;	/* length of the buffer at m_string (by name; verify) */
	char		*m_string;	/* caller-provided text label buffer */
};
71114402Sru
/*
 * Pointer typedef for struct mac.  Because the indirection is hidden,
 * "const mac_t" in the prototypes below qualifies the pointer itself,
 * not the struct mac it points to -- the label stays writable through it.
 */
typedef struct mac	*mac_t;
73114402Sru
74114402Sru#ifndef _KERNEL
75114402Sru
/*
 * Location of the userland MAC framework configuration file.  mac.conf
 * binds policy names to shared libraries that understand those policies,
 * as well as setting defaults for MAC-aware applications.
 *
 * Because this file selects code that MAC-aware applications will load,
 * its integrity is as important as that of the applications themselves;
 * the path is fixed here and is expected to be administrator-writable
 * only (not verifiable from this header).
 */
#define	MAC_CONFFILE	"/etc/mac.conf"
82114402Sru
/*
 * Extended non-POSIX.1e interfaces that offer additional services
 * available from the userland and kernel MAC frameworks.
 *
 * All functions return int; by the file's own convention (and that of
 * the kernel mac_check_* calls) 0 presumably means success, with errors
 * reported via errno -- confirm in the library.  Parameter names carry a
 * leading underscore so that an application macro of the same name
 * cannot corrupt the prototype; mac_execve() and mac_to_text() below do
 * not follow that convention.
 */
/* Like execve(2), but also requests the given label for the new image. */
int		 mac_execve(char *fname, char **argv, char **envv,
		    mac_t _label);
/* Releases a label object (presumably one obtained from mac_from_text()
 * or mac_prepare*(); ownership rules are not stated here). */
int		 mac_free(mac_t _label);
/* Parses a text label into a newly allocated label object. */
int		 mac_from_text(mac_t *_label, const char *_text);
/* Retrieve the label of a descriptor, path (following / not following
 * the final symlink), process, or the calling process. */
int		 mac_get_fd(int _fd, mac_t _label);
int		 mac_get_file(const char *_path, mac_t _label);
int		 mac_get_link(const char *_path, mac_t _label);
int		 mac_get_pid(pid_t _pid, mac_t _label);
int		 mac_get_proc(mac_t _label);
/* Queries whether a named policy is loaded. */
int		 mac_is_present(const char *_policyname);
/* Allocate a label object sized for the named elements, or for the
 * default element set of a file, interface, or process label. */
int		 mac_prepare(mac_t *_label, char *_elements);
int		 mac_prepare_file_label(mac_t *_label);
int		 mac_prepare_ifnet_label(mac_t *_label);
int		 mac_prepare_process_label(mac_t *_label);
/* Set the label of a descriptor, path, or the calling process.  Note that
 * "const mac_t" only makes the pointer const, not the label. */
int		 mac_set_fd(int _fildes, const mac_t _label);
int		 mac_set_file(const char *_path, mac_t _label);
int		 mac_set_link(const char *_path, mac_t _label);
int		 mac_set_proc(const mac_t _label);
/* Policy-specific system call multiplexor: _call and *_arg are opaque to
 * the framework and must be validated by the named policy. */
int		 mac_syscall(const char *_policyname, int _call, void *_arg);
/* Renders a label object as text; *_text is allocated by the library. */
int		 mac_to_text(mac_t mac, char **_text);
107114402Sru
108114402Sru#else /* _KERNEL */
109114402Sru
/*
 * Kernel functions to manage and evaluate labels.
 *
 * The kernel entry points below take these object types by pointer only,
 * so incomplete declarations suffice and the full definitions need not
 * be pulled into every consumer of this header.
 */
struct bpf_d;
struct componentname;
struct devfs_dirent;
struct ifnet;
struct ifreq;
struct image_params;
struct ipq;
struct mbuf;
struct mount;
struct proc;
struct sockaddr;
struct socket;
struct pipe;
struct thread;
struct timespec;
struct ucred;
struct uio;
struct vattr;
struct vnode;

#include <sys/acl.h>			/* XXX acl_type_t */

struct vop_setlabel_args;
136114402Sru
/*
 * Label operations.
 *
 * Label storage life cycle for each labeled kernel object: mac_init_*
 * attaches label storage to a freshly allocated object and mac_destroy_*
 * releases it.  Every init has a matching destroy below.  mac_init_socket()
 * and mac_init_mbuf() differ from the rest in taking a flag and returning
 * int -- presumably an allocation-wait flag with a failure return, so
 * callers must check it; confirm in the implementation.
 */
void	mac_init_bpfdesc(struct bpf_d *);
void	mac_init_cred(struct ucred *);
void	mac_init_devfsdirent(struct devfs_dirent *);
void	mac_init_ifnet(struct ifnet *);
void	mac_init_ipq(struct ipq *);
int	mac_init_socket(struct socket *, int flag);
void	mac_init_pipe(struct pipe *);
int	mac_init_mbuf(struct mbuf *m, int flag);
void	mac_init_mount(struct mount *);
void	mac_init_vnode(struct vnode *);
/* Operate on a bare vnode label rather than a vnode (used when a label
 * is needed before/without a vnode, e.g. the exec paths below). */
void	mac_init_vnode_label(struct label *);
void	mac_copy_vnode_label(struct label *, struct label *label);
void	mac_destroy_bpfdesc(struct bpf_d *);
void	mac_destroy_cred(struct ucred *);
void	mac_destroy_devfsdirent(struct devfs_dirent *);
void	mac_destroy_ifnet(struct ifnet *);
void	mac_destroy_ipq(struct ipq *);
void	mac_destroy_socket(struct socket *);
void	mac_destroy_pipe(struct pipe *);
void	mac_destroy_mbuf(struct mbuf *);
void	mac_destroy_mount(struct mount *);
void	mac_destroy_vnode(struct vnode *);
void	mac_destroy_vnode_label(struct label *);
163114402Sru
/*
 * Labeling event operations: file system objects, and things that
 * look a lot like file system objects.
 *
 * These are notifications, not checks: they derive or update an object's
 * label when it is created, first instantiated, or relabeled.  The
 * mac_associate_vnode_* calls choose the source of a vnode's label
 * (devfs dirent, on-disk extended attribute, or the mount's single
 * label); only the extattr variant can fail, since it reads from disk.
 */
void	mac_associate_vnode_devfs(struct mount *mp, struct devfs_dirent *de,
	    struct vnode *vp);
int	mac_associate_vnode_extattr(struct mount *mp, struct vnode *vp);
void	mac_associate_vnode_singlelabel(struct mount *mp, struct vnode *vp);
void	mac_create_devfs_device(dev_t dev, struct devfs_dirent *de);
/* dirname is a counted (not necessarily NUL-terminated) name; dirnamelen
 * is its length -- callers must not pass it to str* routines. */
void	mac_create_devfs_directory(char *dirname, int dirnamelen,
	    struct devfs_dirent *de);
void	mac_create_devfs_symlink(struct ucred *cred, struct devfs_dirent *dd,
	    struct devfs_dirent *de);
/* Writes the new vnode's label to its extended attribute; may fail. */
int	mac_create_vnode_extattr(struct ucred *cred, struct mount *mp,
	    struct vnode *dvp, struct vnode *vp, struct componentname *cnp);
void	mac_create_mount(struct ucred *cred, struct mount *mp);
void	mac_create_root_mount(struct ucred *cred, struct mount *mp);
/* Applies newlabel to vp; the corresponding permission check is
 * presumably done elsewhere before this is called -- confirm. */
void	mac_relabel_vnode(struct ucred *cred, struct vnode *vp,
	    struct label *newlabel);
void	mac_update_devfsdirent(struct devfs_dirent *de, struct vnode *vp);
184114402Sru
/*
 * Labeling event operations: IPC objects.
 *
 * Label propagation for sockets and pipes: a new socket or pipe inherits
 * from the creating credential, an accepted socket from its listener,
 * outbound mbufs from their socket, and a socket's peer label from the
 * first inbound mbuf or the connecting socket.
 */
void	mac_create_mbuf_from_socket(struct socket *so, struct mbuf *m);
void	mac_create_socket(struct ucred *cred, struct socket *socket);
void	mac_create_socket_from_socket(struct socket *oldsocket,
	    struct socket *newsocket);
void	mac_set_socket_peer_from_mbuf(struct mbuf *mbuf,
	    struct socket *socket);
void	mac_set_socket_peer_from_socket(struct socket *oldsocket,
	    struct socket *newsocket);
void	mac_create_pipe(struct ucred *cred, struct pipe *pipe);
197114402Sru
/*
 * Labeling event operations: network objects.
 *
 * Label propagation along the network stack: interfaces, BPF descriptors,
 * and each point where one mbuf is derived from another (link layer,
 * network layer, multicast encapsulation, fragmentation/reassembly).
 * Keeping labels attached across these copies is what lets the
 * mac_check_ifnet_transmit()/mac_check_socket_deliver() checks below
 * see the originating label.
 */
void	mac_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d);
void	mac_create_ifnet(struct ifnet *ifp);
void	mac_create_ipq(struct mbuf *fragment, struct ipq *ipq);
void	mac_create_datagram_from_ipq(struct ipq *ipq, struct mbuf *datagram);
void	mac_create_fragment(struct mbuf *datagram, struct mbuf *fragment);
void	mac_create_mbuf_from_mbuf(struct mbuf *oldmbuf, struct mbuf *newmbuf);
void	mac_create_mbuf_linklayer(struct ifnet *ifnet, struct mbuf *m);
void	mac_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct mbuf *m);
void	mac_create_mbuf_from_ifnet(struct ifnet *ifnet, struct mbuf *m);
void	mac_create_mbuf_multicast_encap(struct mbuf *oldmbuf,
	    struct ifnet *ifnet, struct mbuf *newmbuf);
void	mac_create_mbuf_netlayer(struct mbuf *oldmbuf, struct mbuf *newmbuf);
/* Reassembly: decides whether a fragment may join an existing queue
 * (non-zero result presumably means "matches" -- confirm), and folds a
 * fragment's label into the queue's. */
int	mac_fragment_match(struct mbuf *fragment, struct ipq *ipq);
void	mac_update_ipq(struct mbuf *fragment, struct ipq *ipq);
215114402Sru
/*
 * Labeling event operations: processes.
 *
 * Credential label inheritance at fork (mac_create_cred), at system
 * start (proc0/proc1), and across execve(2).  The exec sequence is
 * enter -> will_transition -> [transition] -> exit: mac_execve_enter()
 * takes the user-requested label (mac_p, a struct mac from userland --
 * treat its contents as untrusted) and the pre-initialised execlabel,
 * mac_execve_will_transition() reports whether the image or its
 * interpreter's vnode label calls for a credential change, and
 * mac_execve_transition() performs it into the new credential.
 */
void	mac_create_cred(struct ucred *cred_parent, struct ucred *cred_child);
int	mac_execve_enter(struct image_params *imgp, struct mac *mac_p,
	    struct label *execlabel);
void	mac_execve_exit(struct image_params *imgp);
void	mac_execve_transition(struct ucred *old, struct ucred *new,
	    struct vnode *vp, struct label *interpvnodelabel,
	    struct image_params *imgp);
int	mac_execve_will_transition(struct ucred *old, struct vnode *vp,
	    struct label *interpvnodelabel, struct image_params *imgp);
void	mac_create_proc0(struct ucred *cred);
void	mac_create_proc1(struct ucred *cred);
/* Hook run as a thread returns to userland (e.g. to apply deferred
 * label changes -- exact use not visible here). */
void	mac_thread_userret(struct thread *td);
231114402Sru
/*
 * Access control checks.
 *
 * Each mac_check_* entry point consults the loaded policies and returns
 * 0 to permit the operation; a non-zero result denies it (presumably an
 * errno value to hand back to the caller -- confirm in the
 * implementation).  Callers must fail closed on a non-zero return.
 * The checks carrying both active_cred and file_cred distinguish the
 * credential performing the I/O from the one that opened the file, so
 * that a descriptor passed between processes is checked against both.
 */
int	mac_check_bpfdesc_receive(struct bpf_d *bpf_d, struct ifnet *ifnet);
int	mac_check_cred_visible(struct ucred *u1, struct ucred *u2);
int	mac_check_ifnet_transmit(struct ifnet *ifnet, struct mbuf *m);
/* Kernel environment: name/value are non-const here although the checks
 * only need to read them; a const-qualified prototype would be clearer. */
int	mac_check_kenv_dump(struct ucred *cred);
int	mac_check_kenv_get(struct ucred *cred, char *name);
int	mac_check_kenv_set(struct ucred *cred, char *name, char *value);
int	mac_check_kenv_unset(struct ucred *cred, char *name);
int	mac_check_mount_stat(struct ucred *cred, struct mount *mp);
/* cmd and data are the raw ioctl request and argument. */
int	mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe,
	    unsigned long cmd, void *data);
int	mac_check_pipe_poll(struct ucred *cred, struct pipe *pipe);
int	mac_check_pipe_read(struct ucred *cred, struct pipe *pipe);
int	mac_check_pipe_stat(struct ucred *cred, struct pipe *pipe);
int	mac_check_pipe_write(struct ucred *cred, struct pipe *pipe);
int	mac_check_proc_debug(struct ucred *cred, struct proc *proc);
int	mac_check_proc_sched(struct ucred *cred, struct proc *proc);
int	mac_check_proc_signal(struct ucred *cred, struct proc *proc,
	    int signum);
int	mac_check_socket_bind(struct ucred *cred, struct socket *so,
	    struct sockaddr *sockaddr);
int	mac_check_socket_connect(struct ucred *cred, struct socket *so,
	    struct sockaddr *sockaddr);
/* Inbound path: no credential, the decision is label-to-label. */
int	mac_check_socket_deliver(struct socket *so, struct mbuf *m);
int	mac_check_socket_listen(struct ucred *cred, struct socket *so);
int	mac_check_socket_receive(struct ucred *cred, struct socket *so);
int	mac_check_socket_send(struct ucred *cred, struct socket *so);
int	mac_check_socket_visible(struct ucred *cred, struct socket *so);
int	mac_check_system_acct(struct ucred *cred, struct vnode *vp);
int	mac_check_system_nfsd(struct ucred *cred);
int	mac_check_system_reboot(struct ucred *cred, int howto);
int	mac_check_system_settime(struct ucred *cred);
int	mac_check_system_swapon(struct ucred *cred, struct vnode *vp);
/* Mirrors the sysctl(2) argument list; inkernel distinguishes in-kernel
 * callers from the user-facing path. */
int	mac_check_system_sysctl(struct ucred *cred, int *name,
	    u_int namelen, void *old, size_t *oldlenp, int inkernel,
	    void *new, size_t newlen);
int	mac_check_vnode_access(struct ucred *cred, struct vnode *vp,
	    int acc_mode);
int	mac_check_vnode_chdir(struct ucred *cred, struct vnode *dvp);
int	mac_check_vnode_chroot(struct ucred *cred, struct vnode *dvp);
int	mac_check_vnode_create(struct ucred *cred, struct vnode *dvp,
	    struct componentname *cnp, struct vattr *vap);
int	mac_check_vnode_delete(struct ucred *cred, struct vnode *dvp,
	    struct vnode *vp, struct componentname *cnp);
int	mac_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
	    acl_type_t type);
int	mac_check_vnode_exec(struct ucred *cred, struct vnode *vp,
	    struct image_params *imgp);
int	mac_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
	    acl_type_t type);
int	mac_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
	    int attrnamespace, const char *name, struct uio *uio);
int	mac_check_vnode_link(struct ucred *cred, struct vnode *dvp,
	    struct vnode *vp, struct componentname *cnp);
int	mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
 	    struct componentname *cnp);
int	mac_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
	    int prot);
int	mac_check_vnode_mprotect(struct ucred *cred, struct vnode *vp,
	    int prot);
int	mac_check_vnode_open(struct ucred *cred, struct vnode *vp,
	    int acc_mode);
int	mac_check_vnode_poll(struct ucred *active_cred,
	    struct ucred *file_cred, struct vnode *vp);
int	mac_check_vnode_read(struct ucred *active_cred,
	    struct ucred *file_cred, struct vnode *vp);
int	mac_check_vnode_readdir(struct ucred *cred, struct vnode *vp);
int	mac_check_vnode_readlink(struct ucred *cred, struct vnode *vp);
/* Rename is checked at both ends: the source directory/vnode and the
 * destination (samedir flags a rename within one directory). */
int	mac_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
	    struct vnode *vp, struct componentname *cnp);
int	mac_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
	    struct vnode *vp, int samedir, struct componentname *cnp);
int	mac_check_vnode_revoke(struct ucred *cred, struct vnode *vp);
int	mac_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
	    acl_type_t type, struct acl *acl);
int	mac_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
	    int attrnamespace, const char *name, struct uio *uio);
int	mac_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
	    u_long flags);
int	mac_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
	    mode_t mode);
int	mac_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
	    uid_t uid, gid_t gid);
int	mac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
	    struct timespec atime, struct timespec mtime);
int	mac_check_vnode_stat(struct ucred *active_cred,
	    struct ucred *file_cred, struct vnode *vp);
int	mac_check_vnode_write(struct ucred *active_cred,
	    struct ucred *file_cred, struct vnode *vp);
/*
 * Label get/set through socket options and interface ioctls.  extmac is
 * the struct mac handed in by userland, so its m_buflen/m_string are
 * untrusted and must be bounded (MAC_MAX_LABEL_BUF_LEN) and copied in or
 * out with the copyin/copyout family, never dereferenced directly --
 * verify in the implementation.  The ifnet set path takes the struct
 * ifreq, from which the struct mac is presumably extracted.
 */
int	mac_getsockopt_label_get(struct ucred *cred, struct socket *so,
	    struct mac *extmac);
int	mac_getsockopt_peerlabel_get(struct ucred *cred, struct socket *so,
	    struct mac *extmac);
int	mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr,
	    struct ifnet *ifnet);
int	mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr,
	    struct ifnet *ifnet);
int	mac_setsockopt_label_set(struct ucred *cred, struct socket *so,
	    struct mac *extmac);
/* Applies an already-internalised kernel label to a pipe. */
int	mac_pipe_label_set(struct ucred *cred, struct pipe *pipe,
	    struct label *label);
333114402Sru
/*
 * Calls to help various file systems implement labeling functionality
 * using their existing EA implementation.
 *
 * Default VOP_SETLABEL implementation: stores the label in the
 * FREEBSD_MAC_EXTATTR_NAME attribute of the system namespace.  Returns an
 * int in the VOP convention (0 on success, presumably an errno otherwise).
 */
int	vop_stdsetlabel_ea(struct vop_setlabel_args *ap);
339114402Sru
340114402Sru#endif /* !_KERNEL */
341114402Sru
342114402Sru#endif /* !_SYS_MAC_H */
343114402Sru