mac_vfs.c revision 102949
1/*- 2 * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson 3 * Copyright (c) 2001 Ilmar S. Habibulin 4 * Copyright (c) 2001, 2002 Networks Associates Technology, Inc. 5 * All rights reserved. 6 * 7 * This software was developed by Robert Watson and Ilmar Habibulin for the 8 * TrustedBSD Project. 9 * 10 * This software was developed for the FreeBSD Project in part by NAI Labs, 11 * the Security Research Division of Network Associates, Inc. under 12 * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA 13 * CHATS research program. 14 * 15 * Redistribution and use in source and binary forms, with or without 16 * modification, are permitted provided that the following conditions 17 * are met: 18 * 1. Redistributions of source code must retain the above copyright 19 * notice, this list of conditions and the following disclaimer. 20 * 2. Redistributions in binary form must reproduce the above copyright 21 * notice, this list of conditions and the following disclaimer in the 22 * documentation and/or other materials provided with the distribution. 23 * 3. The names of the authors may not be used to endorse or promote 24 * products derived from this software without specific prior written 25 * permission. 26 * 27 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 28 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 29 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 30 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 31 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 32 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 33 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 34 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 35 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 36 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 37 * SUCH DAMAGE. 38 * 39 * $FreeBSD: head/sys/security/mac/mac_vfs.c 102949 2002-09-05 07:02:43Z bde $ 40 */ 41/* 42 * Developed by the TrustedBSD Project. 43 * 44 * Framework for extensible kernel access control. Kernel and userland 45 * interface to the framework, policy registration and composition. 46 */ 47 48#include "opt_mac.h" 49 50#include <sys/param.h> 51#include <sys/extattr.h> 52#include <sys/kernel.h> 53#include <sys/lock.h> 54#include <sys/malloc.h> 55#include <sys/mutex.h> 56#include <sys/mac.h> 57#include <sys/module.h> 58#include <sys/proc.h> 59#include <sys/systm.h> 60#include <sys/sysproto.h> 61#include <sys/sysent.h> 62#include <sys/vnode.h> 63#include <sys/mount.h> 64#include <sys/file.h> 65#include <sys/namei.h> 66#include <sys/socket.h> 67#include <sys/pipe.h> 68#include <sys/socketvar.h> 69#include <sys/sysctl.h> 70 71#include <vm/vm.h> 72#include <vm/pmap.h> 73#include <vm/vm_map.h> 74#include <vm/vm_object.h> 75 76#include <sys/mac_policy.h> 77 78#include <fs/devfs/devfs.h> 79 80#include <net/bpfdesc.h> 81#include <net/if.h> 82#include <net/if_var.h> 83 84#include <netinet/in.h> 85#include <netinet/ip_var.h> 86 87#ifdef MAC 88 89/* 90 * Declare that the kernel provides MAC support, version 1. This permits 91 * modules to refuse to be loaded if the necessary support isn't present, 92 * even if it's pre-boot. 93 */ 94MODULE_VERSION(kernel_mac_support, 1); 95 96SYSCTL_DECL(_security); 97 98SYSCTL_NODE(_security, OID_AUTO, mac, CTLFLAG_RW, 0, 99 "TrustedBSD MAC policy controls"); 100SYSCTL_NODE(_security_mac, OID_AUTO, debug, CTLFLAG_RW, 0, 101 "TrustedBSD MAC debug info"); 102 103static int mac_debug_label_fallback = 0; 104SYSCTL_INT(_security_mac_debug, OID_AUTO, label_fallback, CTLFLAG_RW, 105 &mac_debug_label_fallback, 0, "Filesystems should fall back to fs label" 106 "when label is corrupted."); 107TUNABLE_INT("security.mac.debug_label_fallback", 108 &mac_debug_label_fallback); 109 110#ifndef MAC_MAX_POLICIES 111#define MAC_MAX_POLICIES 8 112#endif 113#if MAC_MAX_POLICIES > 32 114#error "MAC_MAX_POLICIES too large" 115#endif 116static unsigned int mac_max_policies = MAC_MAX_POLICIES; 117static unsigned int mac_policy_offsets_free = (1 << MAC_MAX_POLICIES) - 1; 118SYSCTL_UINT(_security_mac, OID_AUTO, max_policies, CTLFLAG_RD, 119 &mac_max_policies, 0, ""); 120 121static int mac_late = 0; 122 123static int mac_enforce_fs = 1; 124SYSCTL_INT(_security_mac, OID_AUTO, enforce_fs, CTLFLAG_RW, 125 &mac_enforce_fs, 0, "Enforce MAC policy on file system objects"); 126TUNABLE_INT("security.mac.enforce_fs", &mac_enforce_fs); 127 128static int mac_enforce_network = 1; 129SYSCTL_INT(_security_mac, OID_AUTO, enforce_network, CTLFLAG_RW, 130 &mac_enforce_network, 0, "Enforce MAC policy on network packets"); 131TUNABLE_INT("security.mac.enforce_network", &mac_enforce_network); 132 133static int mac_enforce_process = 1; 134SYSCTL_INT(_security_mac, OID_AUTO, enforce_process, CTLFLAG_RW, 135 &mac_enforce_process, 0, "Enforce MAC policy on inter-process operations"); 136TUNABLE_INT("security.mac.enforce_process", &mac_enforce_process); 137 138static int mac_enforce_socket = 1; 139SYSCTL_INT(_security_mac, OID_AUTO, enforce_socket, CTLFLAG_RW, 140 &mac_enforce_socket, 0, "Enforce MAC policy on socket operations"); 141TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket); 142 143static int mac_enforce_pipe = 1; 144SYSCTL_INT(_security_mac, OID_AUTO, enforce_pipe, CTLFLAG_RW, 145 &mac_enforce_pipe, 0, "Enforce MAC policy on pipe operations"); 146 147static int mac_label_size = sizeof(struct mac); 148SYSCTL_INT(_security_mac, OID_AUTO, label_size, CTLFLAG_RD, 149 &mac_label_size, 0, "Pre-compiled MAC label size"); 150 151static int mac_cache_fslabel_in_vnode = 1; 152SYSCTL_INT(_security_mac, OID_AUTO, cache_fslabel_in_vnode, CTLFLAG_RW, 153 &mac_cache_fslabel_in_vnode, 0, "Cache mount fslabel in vnode"); 154TUNABLE_INT("security.mac.cache_fslabel_in_vnode", 155 &mac_cache_fslabel_in_vnode); 156 157static int mac_vnode_label_cache_hits = 0; 158SYSCTL_INT(_security_mac, OID_AUTO, vnode_label_cache_hits, CTLFLAG_RD, 159 &mac_vnode_label_cache_hits, 0, "Cache hits on vnode labels"); 160static int mac_vnode_label_cache_misses = 0; 161SYSCTL_INT(_security_mac, OID_AUTO, vnode_label_cache_misses, CTLFLAG_RD, 162 &mac_vnode_label_cache_misses, 0, "Cache misses on vnode labels"); 163static int mac_mmap_revocation_via_cow = 0; 164SYSCTL_INT(_security_mac, OID_AUTO, mmap_revocation_via_cow, CTLFLAG_RW, 165 &mac_mmap_revocation_via_cow, 0, "Revoke mmap access to files via " 166 "copy-on-write semantics, or by removing all write access"); 167 168#ifdef MAC_DEBUG 169static unsigned int nmacmbufs, nmaccreds, nmacifnets, nmacbpfdescs, 170 nmacsockets, nmacmounts, nmactemp, nmacvnodes, nmacdevfsdirents, 171 nmacipqs, nmacpipes; 172SYSCTL_UINT(_security_mac_debug, OID_AUTO, mbufs, CTLFLAG_RD, 173 &nmacmbufs, 0, "number of mbufs in use"); 174SYSCTL_UINT(_security_mac_debug, OID_AUTO, creds, CTLFLAG_RD, 175 &nmaccreds, 0, "number of ucreds in use"); 176SYSCTL_UINT(_security_mac_debug, OID_AUTO, ifnets, CTLFLAG_RD, 177 &nmacifnets, 0, "number of ifnets in use"); 178SYSCTL_UINT(_security_mac_debug, OID_AUTO, ipqs, CTLFLAG_RD, 179 &nmacipqs, 0, "number of ipqs in use"); 180SYSCTL_UINT(_security_mac_debug, OID_AUTO, bpfdescs, CTLFLAG_RD, 181 &nmacbpfdescs, 0, "number of bpfdescs in use"); 182SYSCTL_UINT(_security_mac_debug, OID_AUTO, sockets, CTLFLAG_RD, 183 &nmacsockets, 0, "number of sockets in use"); 184SYSCTL_UINT(_security_mac_debug, OID_AUTO, pipes, CTLFLAG_RD, 185 &nmacpipes, 0, "number of pipes in use"); 186SYSCTL_UINT(_security_mac_debug, OID_AUTO, mounts, CTLFLAG_RD, 187 &nmacmounts, 0, "number of mounts in use"); 188SYSCTL_UINT(_security_mac_debug, OID_AUTO, temp, CTLFLAG_RD, 189 &nmactemp, 0, "number of temporary labels in use"); 190SYSCTL_UINT(_security_mac_debug, OID_AUTO, vnodes, CTLFLAG_RD, 191 &nmacvnodes, 0, "number of vnodes in use"); 192SYSCTL_UINT(_security_mac_debug, OID_AUTO, devfsdirents, CTLFLAG_RD, 193 &nmacdevfsdirents, 0, "number of devfs dirents inuse"); 194#endif 195 196static int error_select(int error1, int error2); 197static int mac_externalize(struct label *label, struct mac *mac); 198static int mac_policy_register(struct mac_policy_conf *mpc); 199static int mac_policy_unregister(struct mac_policy_conf *mpc); 200 201static int mac_stdcreatevnode_ea(struct vnode *vp); 202static void mac_cred_mmapped_drop_perms(struct thread *td, 203 struct ucred *cred); 204static void mac_cred_mmapped_drop_perms_recurse(struct thread *td, 205 struct ucred *cred, struct vm_map *map); 206 207MALLOC_DEFINE(M_MACOPVEC, "macopvec", "MAC policy operation vector"); 208MALLOC_DEFINE(M_MACPIPELABEL, "macpipelabel", "MAC labels for pipes"); 209 210/* 211 * mac_policy_list_lock protects the consistency of 'mac_policy_list', 212 * the linked list of attached policy modules. Read-only consumers of 213 * the list must acquire a shared lock for the duration of their use; 214 * writers must acquire an exclusive lock. Note that for compound 215 * operations, locks should be held for the entire compound operation, 216 * and that this is not yet done for relabel requests. 217 */ 218static struct mtx mac_policy_list_lock; 219static LIST_HEAD(, mac_policy_conf) mac_policy_list; 220static int mac_policy_list_busy; 221#define MAC_POLICY_LIST_LOCKINIT() mtx_init(&mac_policy_list_lock, \ 222 "mac_policy_list_lock", NULL, MTX_DEF); 223#define MAC_POLICY_LIST_LOCK() mtx_lock(&mac_policy_list_lock); 224#define MAC_POLICY_LIST_UNLOCK() mtx_unlock(&mac_policy_list_lock); 225 226#define MAC_POLICY_LIST_BUSY() do { \ 227 MAC_POLICY_LIST_LOCK(); \ 228 mac_policy_list_busy++; \ 229 MAC_POLICY_LIST_UNLOCK(); \ 230} while (0) 231 232#define MAC_POLICY_LIST_UNBUSY() do { \ 233 MAC_POLICY_LIST_LOCK(); \ 234 mac_policy_list_busy--; \ 235 if (mac_policy_list_busy < 0) \ 236 panic("Extra mac_policy_list_busy--"); \ 237 MAC_POLICY_LIST_UNLOCK(); \ 238} while (0) 239 240/* 241 * MAC_CHECK performs the designated check by walking the policy 242 * module list and checking with each as to how it feels about the 243 * request. Note that it returns its value via 'error' in the scope 244 * of the caller. 245 */ 246#define MAC_CHECK(check, args...) do { \ 247 struct mac_policy_conf *mpc; \ 248 \ 249 error = 0; \ 250 MAC_POLICY_LIST_BUSY(); \ 251 LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { \ 252 if (mpc->mpc_ops->mpo_ ## check != NULL) \ 253 error = error_select( \ 254 mpc->mpc_ops->mpo_ ## check (args), \ 255 error); \ 256 } \ 257 MAC_POLICY_LIST_UNBUSY(); \ 258} while (0) 259 260/* 261 * MAC_BOOLEAN performs the designated boolean composition by walking 262 * the module list, invoking each instance of the operation, and 263 * combining the results using the passed C operator. Note that it 264 * returns its value via 'result' in the scope of the caller, which 265 * should be initialized by the caller in a meaningful way to get 266 * a meaningful result. 267 */ 268#define MAC_BOOLEAN(operation, composition, args...) do { \ 269 struct mac_policy_conf *mpc; \ 270 \ 271 MAC_POLICY_LIST_BUSY(); \ 272 LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { \ 273 if (mpc->mpc_ops->mpo_ ## operation != NULL) \ 274 result = result composition \ 275 mpc->mpc_ops->mpo_ ## operation (args); \ 276 } \ 277 MAC_POLICY_LIST_UNBUSY(); \ 278} while (0) 279 280/* 281 * MAC_PERFORM performs the designated operation by walking the policy 282 * module list and invoking that operation for each policy. 283 */ 284#define MAC_PERFORM(operation, args...) do { \ 285 struct mac_policy_conf *mpc; \ 286 \ 287 MAC_POLICY_LIST_BUSY(); \ 288 LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { \ 289 if (mpc->mpc_ops->mpo_ ## operation != NULL) \ 290 mpc->mpc_ops->mpo_ ## operation (args); \ 291 } \ 292 MAC_POLICY_LIST_UNBUSY(); \ 293} while (0) 294 295/* 296 * Initialize the MAC subsystem, including appropriate SMP locks. 297 */ 298static void 299mac_init(void) 300{ 301 302 LIST_INIT(&mac_policy_list); 303 MAC_POLICY_LIST_LOCKINIT(); 304} 305 306/* 307 * For the purposes of modules that want to know if they were loaded 308 * "early", set the mac_late flag once we've processed modules either 309 * linked into the kernel, or loaded before the kernel startup. 310 */ 311static void 312mac_late_init(void) 313{ 314 315 mac_late = 1; 316} 317 318/* 319 * Allow MAC policy modules to register during boot, etc. 320 */ 321int 322mac_policy_modevent(module_t mod, int type, void *data) 323{ 324 struct mac_policy_conf *mpc; 325 int error; 326 327 error = 0; 328 mpc = (struct mac_policy_conf *) data; 329 330 switch (type) { 331 case MOD_LOAD: 332 if (mpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_NOTLATE && 333 mac_late) { 334 printf("mac_policy_modevent: can't load %s policy " 335 "after booting\n", mpc->mpc_name); 336 error = EBUSY; 337 break; 338 } 339 error = mac_policy_register(mpc); 340 break; 341 case MOD_UNLOAD: 342 /* Don't unregister the module if it was never registered. */ 343 if ((mpc->mpc_runtime_flags & MPC_RUNTIME_FLAG_REGISTERED) 344 != 0) 345 error = mac_policy_unregister(mpc); 346 else 347 error = 0; 348 break; 349 default: 350 break; 351 } 352 353 return (error); 354} 355 356static int 357mac_policy_register(struct mac_policy_conf *mpc) 358{ 359 struct mac_policy_conf *tmpc; 360 struct mac_policy_ops *ops; 361 struct mac_policy_op_entry *mpe; 362 int slot; 363 364 MALLOC(mpc->mpc_ops, struct mac_policy_ops *, sizeof(*ops), M_MACOPVEC, 365 M_WAITOK | M_ZERO); 366 for (mpe = mpc->mpc_entries; mpe->mpe_constant != MAC_OP_LAST; mpe++) { 367 switch (mpe->mpe_constant) { 368 case MAC_OP_LAST: 369 /* 370 * Doesn't actually happen, but this allows checking 371 * that all enumerated values are handled. 372 */ 373 break; 374 case MAC_DESTROY: 375 mpc->mpc_ops->mpo_destroy = 376 mpe->mpe_function; 377 break; 378 case MAC_INIT: 379 mpc->mpc_ops->mpo_init = 380 mpe->mpe_function; 381 break; 382 case MAC_SYSCALL: 383 mpc->mpc_ops->mpo_syscall = 384 mpe->mpe_function; 385 break; 386 case MAC_INIT_BPFDESC: 387 mpc->mpc_ops->mpo_init_bpfdesc = 388 mpe->mpe_function; 389 break; 390 case MAC_INIT_CRED: 391 mpc->mpc_ops->mpo_init_cred = 392 mpe->mpe_function; 393 break; 394 case MAC_INIT_DEVFSDIRENT: 395 mpc->mpc_ops->mpo_init_devfsdirent = 396 mpe->mpe_function; 397 break; 398 case MAC_INIT_IFNET: 399 mpc->mpc_ops->mpo_init_ifnet = 400 mpe->mpe_function; 401 break; 402 case MAC_INIT_IPQ: 403 mpc->mpc_ops->mpo_init_ipq = 404 mpe->mpe_function; 405 break; 406 case MAC_INIT_MBUF: 407 mpc->mpc_ops->mpo_init_mbuf = 408 mpe->mpe_function; 409 break; 410 case MAC_INIT_MOUNT: 411 mpc->mpc_ops->mpo_init_mount = 412 mpe->mpe_function; 413 break; 414 case MAC_INIT_PIPE: 415 mpc->mpc_ops->mpo_init_pipe = 416 mpe->mpe_function; 417 break; 418 case MAC_INIT_SOCKET: 419 mpc->mpc_ops->mpo_init_socket = 420 mpe->mpe_function; 421 break; 422 case MAC_INIT_TEMP: 423 mpc->mpc_ops->mpo_init_temp = 424 mpe->mpe_function; 425 break; 426 case MAC_INIT_VNODE: 427 mpc->mpc_ops->mpo_init_vnode = 428 mpe->mpe_function; 429 break; 430 case MAC_DESTROY_BPFDESC: 431 mpc->mpc_ops->mpo_destroy_bpfdesc = 432 mpe->mpe_function; 433 break; 434 case MAC_DESTROY_CRED: 435 mpc->mpc_ops->mpo_destroy_cred = 436 mpe->mpe_function; 437 break; 438 case MAC_DESTROY_DEVFSDIRENT: 439 mpc->mpc_ops->mpo_destroy_devfsdirent = 440 mpe->mpe_function; 441 break; 442 case MAC_DESTROY_IFNET: 443 mpc->mpc_ops->mpo_destroy_ifnet = 444 mpe->mpe_function; 445 break; 446 case MAC_DESTROY_IPQ: 447 mpc->mpc_ops->mpo_destroy_ipq = 448 mpe->mpe_function; 449 break; 450 case MAC_DESTROY_MBUF: 451 mpc->mpc_ops->mpo_destroy_mbuf = 452 mpe->mpe_function; 453 break; 454 case MAC_DESTROY_MOUNT: 455 mpc->mpc_ops->mpo_destroy_mount = 456 mpe->mpe_function; 457 break; 458 case MAC_DESTROY_PIPE: 459 mpc->mpc_ops->mpo_destroy_pipe = 460 mpe->mpe_function; 461 break; 462 case MAC_DESTROY_SOCKET: 463 mpc->mpc_ops->mpo_destroy_socket = 464 mpe->mpe_function; 465 break; 466 case MAC_DESTROY_TEMP: 467 mpc->mpc_ops->mpo_destroy_temp = 468 mpe->mpe_function; 469 break; 470 case MAC_DESTROY_VNODE: 471 mpc->mpc_ops->mpo_destroy_vnode = 472 mpe->mpe_function; 473 break; 474 case MAC_EXTERNALIZE: 475 mpc->mpc_ops->mpo_externalize = 476 mpe->mpe_function; 477 break; 478 case MAC_INTERNALIZE: 479 mpc->mpc_ops->mpo_internalize = 480 mpe->mpe_function; 481 break; 482 case MAC_CREATE_DEVFS_DEVICE: 483 mpc->mpc_ops->mpo_create_devfs_device = 484 mpe->mpe_function; 485 break; 486 case MAC_CREATE_DEVFS_DIRECTORY: 487 mpc->mpc_ops->mpo_create_devfs_directory = 488 mpe->mpe_function; 489 break; 490 case MAC_CREATE_DEVFS_VNODE: 491 mpc->mpc_ops->mpo_create_devfs_vnode = 492 mpe->mpe_function; 493 break; 494 case MAC_STDCREATEVNODE_EA: 495 mpc->mpc_ops->mpo_stdcreatevnode_ea = 496 mpe->mpe_function; 497 break; 498 case MAC_CREATE_VNODE: 499 mpc->mpc_ops->mpo_create_vnode = 500 mpe->mpe_function; 501 break; 502 case MAC_CREATE_MOUNT: 503 mpc->mpc_ops->mpo_create_mount = 504 mpe->mpe_function; 505 break; 506 case MAC_CREATE_ROOT_MOUNT: 507 mpc->mpc_ops->mpo_create_root_mount = 508 mpe->mpe_function; 509 break; 510 case MAC_RELABEL_VNODE: 511 mpc->mpc_ops->mpo_relabel_vnode = 512 mpe->mpe_function; 513 break; 514 case MAC_UPDATE_DEVFSDIRENT: 515 mpc->mpc_ops->mpo_update_devfsdirent = 516 mpe->mpe_function; 517 break; 518 case MAC_UPDATE_PROCFSVNODE: 519 mpc->mpc_ops->mpo_update_procfsvnode = 520 mpe->mpe_function; 521 break; 522 case MAC_UPDATE_VNODE_FROM_EXTATTR: 523 mpc->mpc_ops->mpo_update_vnode_from_extattr = 524 mpe->mpe_function; 525 break; 526 case MAC_UPDATE_VNODE_FROM_EXTERNALIZED: 527 mpc->mpc_ops->mpo_update_vnode_from_externalized = 528 mpe->mpe_function; 529 break; 530 case MAC_UPDATE_VNODE_FROM_MOUNT: 531 mpc->mpc_ops->mpo_update_vnode_from_mount = 532 mpe->mpe_function; 533 break; 534 case MAC_CREATE_MBUF_FROM_SOCKET: 535 mpc->mpc_ops->mpo_create_mbuf_from_socket = 536 mpe->mpe_function; 537 break; 538 case MAC_CREATE_PIPE: 539 mpc->mpc_ops->mpo_create_pipe = 540 mpe->mpe_function; 541 break; 542 case MAC_CREATE_SOCKET: 543 mpc->mpc_ops->mpo_create_socket = 544 mpe->mpe_function; 545 break; 546 case MAC_CREATE_SOCKET_FROM_SOCKET: 547 mpc->mpc_ops->mpo_create_socket_from_socket = 548 mpe->mpe_function; 549 break; 550 case MAC_RELABEL_PIPE: 551 mpc->mpc_ops->mpo_relabel_pipe = 552 mpe->mpe_function; 553 break; 554 case MAC_RELABEL_SOCKET: 555 mpc->mpc_ops->mpo_relabel_socket = 556 mpe->mpe_function; 557 break; 558 case MAC_SET_SOCKET_PEER_FROM_MBUF: 559 mpc->mpc_ops->mpo_set_socket_peer_from_mbuf = 560 mpe->mpe_function; 561 break; 562 case MAC_SET_SOCKET_PEER_FROM_SOCKET: 563 mpc->mpc_ops->mpo_set_socket_peer_from_socket = 564 mpe->mpe_function; 565 break; 566 case MAC_CREATE_BPFDESC: 567 mpc->mpc_ops->mpo_create_bpfdesc = 568 mpe->mpe_function; 569 break; 570 case MAC_CREATE_DATAGRAM_FROM_IPQ: 571 mpc->mpc_ops->mpo_create_datagram_from_ipq = 572 mpe->mpe_function; 573 break; 574 case MAC_CREATE_FRAGMENT: 575 mpc->mpc_ops->mpo_create_fragment = 576 mpe->mpe_function; 577 break; 578 case MAC_CREATE_IFNET: 579 mpc->mpc_ops->mpo_create_ifnet = 580 mpe->mpe_function; 581 break; 582 case MAC_CREATE_IPQ: 583 mpc->mpc_ops->mpo_create_ipq = 584 mpe->mpe_function; 585 break; 586 case MAC_CREATE_MBUF_FROM_MBUF: 587 mpc->mpc_ops->mpo_create_mbuf_from_mbuf = 588 mpe->mpe_function; 589 break; 590 case MAC_CREATE_MBUF_LINKLAYER: 591 mpc->mpc_ops->mpo_create_mbuf_linklayer = 592 mpe->mpe_function; 593 break; 594 case MAC_CREATE_MBUF_FROM_BPFDESC: 595 mpc->mpc_ops->mpo_create_mbuf_from_bpfdesc = 596 mpe->mpe_function; 597 break; 598 case MAC_CREATE_MBUF_FROM_IFNET: 599 mpc->mpc_ops->mpo_create_mbuf_from_ifnet = 600 mpe->mpe_function; 601 break; 602 case MAC_CREATE_MBUF_MULTICAST_ENCAP: 603 mpc->mpc_ops->mpo_create_mbuf_multicast_encap = 604 mpe->mpe_function; 605 break; 606 case MAC_CREATE_MBUF_NETLAYER: 607 mpc->mpc_ops->mpo_create_mbuf_netlayer = 608 mpe->mpe_function; 609 break; 610 case MAC_FRAGMENT_MATCH: 611 mpc->mpc_ops->mpo_fragment_match = 612 mpe->mpe_function; 613 break; 614 case MAC_RELABEL_IFNET: 615 mpc->mpc_ops->mpo_relabel_ifnet = 616 mpe->mpe_function; 617 break; 618 case MAC_UPDATE_IPQ: 619 mpc->mpc_ops->mpo_update_ipq = 620 mpe->mpe_function; 621 break; 622 case MAC_CREATE_CRED: 623 mpc->mpc_ops->mpo_create_cred = 624 mpe->mpe_function; 625 break; 626 case MAC_EXECVE_TRANSITION: 627 mpc->mpc_ops->mpo_execve_transition = 628 mpe->mpe_function; 629 break; 630 case MAC_EXECVE_WILL_TRANSITION: 631 mpc->mpc_ops->mpo_execve_will_transition = 632 mpe->mpe_function; 633 break; 634 case MAC_CREATE_PROC0: 635 mpc->mpc_ops->mpo_create_proc0 = mpe->mpe_function; 636 break; 637 case MAC_CREATE_PROC1: 638 mpc->mpc_ops->mpo_create_proc1 = mpe->mpe_function; 639 break; 640 case MAC_RELABEL_CRED: 641 mpc->mpc_ops->mpo_relabel_cred = 642 mpe->mpe_function; 643 break; 644 case MAC_CHECK_BPFDESC_RECEIVE: 645 mpc->mpc_ops->mpo_check_bpfdesc_receive = 646 mpe->mpe_function; 647 break; 648 case MAC_CHECK_CRED_RELABEL: 649 mpc->mpc_ops->mpo_check_cred_relabel = 650 mpe->mpe_function; 651 break; 652 case MAC_CHECK_CRED_VISIBLE: 653 mpc->mpc_ops->mpo_check_cred_visible = 654 mpe->mpe_function; 655 break; 656 case MAC_CHECK_IFNET_RELABEL: 657 mpc->mpc_ops->mpo_check_ifnet_relabel = 658 mpe->mpe_function; 659 break; 660 case MAC_CHECK_IFNET_TRANSMIT: 661 mpc->mpc_ops->mpo_check_ifnet_transmit = 662 mpe->mpe_function; 663 break; 664 case MAC_CHECK_MOUNT_STAT: 665 mpc->mpc_ops->mpo_check_mount_stat = 666 mpe->mpe_function; 667 break; 668 case MAC_CHECK_PIPE_IOCTL: 669 mpc->mpc_ops->mpo_check_pipe_ioctl = 670 mpe->mpe_function; 671 break; 672 case MAC_CHECK_PIPE_POLL: 673 mpc->mpc_ops->mpo_check_pipe_poll = 674 mpe->mpe_function; 675 break; 676 case MAC_CHECK_PIPE_READ: 677 mpc->mpc_ops->mpo_check_pipe_read = 678 mpe->mpe_function; 679 break; 680 case MAC_CHECK_PIPE_RELABEL: 681 mpc->mpc_ops->mpo_check_pipe_relabel = 682 mpe->mpe_function; 683 break; 684 case MAC_CHECK_PIPE_STAT: 685 mpc->mpc_ops->mpo_check_pipe_stat = 686 mpe->mpe_function; 687 break; 688 case MAC_CHECK_PIPE_WRITE: 689 mpc->mpc_ops->mpo_check_pipe_write = 690 mpe->mpe_function; 691 break; 692 case MAC_CHECK_PROC_DEBUG: 693 mpc->mpc_ops->mpo_check_proc_debug = 694 mpe->mpe_function; 695 break; 696 case MAC_CHECK_PROC_SCHED: 697 mpc->mpc_ops->mpo_check_proc_sched = 698 mpe->mpe_function; 699 break; 700 case MAC_CHECK_PROC_SIGNAL: 701 mpc->mpc_ops->mpo_check_proc_signal = 702 mpe->mpe_function; 703 break; 704 case MAC_CHECK_SOCKET_BIND: 705 mpc->mpc_ops->mpo_check_socket_bind = 706 mpe->mpe_function; 707 break; 708 case MAC_CHECK_SOCKET_CONNECT: 709 mpc->mpc_ops->mpo_check_socket_connect = 710 mpe->mpe_function; 711 break; 712 case MAC_CHECK_SOCKET_DELIVER: 713 mpc->mpc_ops->mpo_check_socket_deliver = 714 mpe->mpe_function; 715 break; 716 case MAC_CHECK_SOCKET_LISTEN: 717 mpc->mpc_ops->mpo_check_socket_listen = 718 mpe->mpe_function; 719 break; 720 case MAC_CHECK_SOCKET_RELABEL: 721 mpc->mpc_ops->mpo_check_socket_relabel = 722 mpe->mpe_function; 723 break; 724 case MAC_CHECK_SOCKET_VISIBLE: 725 mpc->mpc_ops->mpo_check_socket_visible = 726 mpe->mpe_function; 727 break; 728 case MAC_CHECK_VNODE_ACCESS: 729 mpc->mpc_ops->mpo_check_vnode_access = 730 mpe->mpe_function; 731 break; 732 case MAC_CHECK_VNODE_CHDIR: 733 mpc->mpc_ops->mpo_check_vnode_chdir = 734 mpe->mpe_function; 735 break; 736 case MAC_CHECK_VNODE_CHROOT: 737 mpc->mpc_ops->mpo_check_vnode_chroot = 738 mpe->mpe_function; 739 break; 740 case MAC_CHECK_VNODE_CREATE: 741 mpc->mpc_ops->mpo_check_vnode_create = 742 mpe->mpe_function; 743 break; 744 case MAC_CHECK_VNODE_DELETE: 745 mpc->mpc_ops->mpo_check_vnode_delete = 746 mpe->mpe_function; 747 break; 748 case MAC_CHECK_VNODE_DELETEACL: 749 mpc->mpc_ops->mpo_check_vnode_deleteacl = 750 mpe->mpe_function; 751 break; 752 case MAC_CHECK_VNODE_EXEC: 753 mpc->mpc_ops->mpo_check_vnode_exec = 754 mpe->mpe_function; 755 break; 756 case MAC_CHECK_VNODE_GETACL: 757 mpc->mpc_ops->mpo_check_vnode_getacl = 758 mpe->mpe_function; 759 break; 760 case MAC_CHECK_VNODE_GETEXTATTR: 761 mpc->mpc_ops->mpo_check_vnode_getextattr = 762 mpe->mpe_function; 763 break; 764 case MAC_CHECK_VNODE_LOOKUP: 765 mpc->mpc_ops->mpo_check_vnode_lookup = 766 mpe->mpe_function; 767 break; 768 case MAC_CHECK_VNODE_MMAP_PERMS: 769 mpc->mpc_ops->mpo_check_vnode_mmap_perms = 770 mpe->mpe_function; 771 break; 772 case MAC_CHECK_VNODE_OPEN: 773 mpc->mpc_ops->mpo_check_vnode_open = 774 mpe->mpe_function; 775 break; 776 case MAC_CHECK_VNODE_POLL: 777 mpc->mpc_ops->mpo_check_vnode_poll = 778 mpe->mpe_function; 779 break; 780 case MAC_CHECK_VNODE_READ: 781 mpc->mpc_ops->mpo_check_vnode_read = 782 mpe->mpe_function; 783 break; 784 case MAC_CHECK_VNODE_READDIR: 785 mpc->mpc_ops->mpo_check_vnode_readdir = 786 mpe->mpe_function; 787 break; 788 case MAC_CHECK_VNODE_READLINK: 789 mpc->mpc_ops->mpo_check_vnode_readlink = 790 mpe->mpe_function; 791 break; 792 case MAC_CHECK_VNODE_RELABEL: 793 mpc->mpc_ops->mpo_check_vnode_relabel = 794 mpe->mpe_function; 795 break; 796 case MAC_CHECK_VNODE_RENAME_FROM: 797 mpc->mpc_ops->mpo_check_vnode_rename_from = 798 mpe->mpe_function; 799 break; 800 case MAC_CHECK_VNODE_RENAME_TO: 801 mpc->mpc_ops->mpo_check_vnode_rename_to = 802 mpe->mpe_function; 803 break; 804 case MAC_CHECK_VNODE_REVOKE: 805 mpc->mpc_ops->mpo_check_vnode_revoke = 806 mpe->mpe_function; 807 break; 808 case MAC_CHECK_VNODE_SETACL: 809 mpc->mpc_ops->mpo_check_vnode_setacl = 810 mpe->mpe_function; 811 break; 812 case MAC_CHECK_VNODE_SETEXTATTR: 813 mpc->mpc_ops->mpo_check_vnode_setextattr = 814 mpe->mpe_function; 815 break; 816 case MAC_CHECK_VNODE_SETFLAGS: 817 mpc->mpc_ops->mpo_check_vnode_setflags = 818 mpe->mpe_function; 819 break; 820 case MAC_CHECK_VNODE_SETMODE: 821 mpc->mpc_ops->mpo_check_vnode_setmode = 822 mpe->mpe_function; 823 break; 824 case MAC_CHECK_VNODE_SETOWNER: 825 mpc->mpc_ops->mpo_check_vnode_setowner = 826 mpe->mpe_function; 827 break; 828 case MAC_CHECK_VNODE_SETUTIMES: 829 mpc->mpc_ops->mpo_check_vnode_setutimes = 830 mpe->mpe_function; 831 break; 832 case MAC_CHECK_VNODE_STAT: 833 mpc->mpc_ops->mpo_check_vnode_stat = 834 mpe->mpe_function; 835 break; 836 case MAC_CHECK_VNODE_WRITE: 837 mpc->mpc_ops->mpo_check_vnode_write = 838 mpe->mpe_function; 839 break; 840/* 841 default: 842 printf("MAC policy `%s': unknown operation %d\n", 843 mpc->mpc_name, mpe->mpe_constant); 844 return (EINVAL); 845*/ 846 } 847 } 848 MAC_POLICY_LIST_LOCK(); 849 if (mac_policy_list_busy > 0) { 850 MAC_POLICY_LIST_UNLOCK(); 851 FREE(mpc->mpc_ops, M_MACOPVEC); 852 mpc->mpc_ops = NULL; 853 return (EBUSY); 854 } 855 LIST_FOREACH(tmpc, &mac_policy_list, mpc_list) { 856 if (strcmp(tmpc->mpc_name, mpc->mpc_name) == 0) { 857 MAC_POLICY_LIST_UNLOCK(); 858 FREE(mpc->mpc_ops, M_MACOPVEC); 859 mpc->mpc_ops = NULL; 860 return (EEXIST); 861 } 862 } 863 if (mpc->mpc_field_off != NULL) { 864 slot = ffs(mac_policy_offsets_free); 865 if (slot == 0) { 866 MAC_POLICY_LIST_UNLOCK(); 867 FREE(mpc->mpc_ops, M_MACOPVEC); 868 mpc->mpc_ops = NULL; 869 return (ENOMEM); 870 } 871 slot--; 872 mac_policy_offsets_free &= ~(1 << slot); 873 *mpc->mpc_field_off = slot; 874 } 875 mpc->mpc_runtime_flags |= MPC_RUNTIME_FLAG_REGISTERED; 876 LIST_INSERT_HEAD(&mac_policy_list, mpc, mpc_list); 877 878 /* Per-policy initialization. */ 879 if (mpc->mpc_ops->mpo_init != NULL) 880 (*(mpc->mpc_ops->mpo_init))(mpc); 881 MAC_POLICY_LIST_UNLOCK(); 882 883 printf("Security policy loaded: %s (%s)\n", mpc->mpc_fullname, 884 mpc->mpc_name); 885 886 return (0); 887} 888 889static int 890mac_policy_unregister(struct mac_policy_conf *mpc) 891{ 892 893#if 0 894 /* 895 * Don't allow unloading modules with private data. 896 */ 897 if (mpc->mpc_field_off != NULL) 898 return (EBUSY); 899#endif 900 if ((mpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_UNLOADOK) == 0) 901 return (EBUSY); 902 MAC_POLICY_LIST_LOCK(); 903 if (mac_policy_list_busy > 0) { 904 MAC_POLICY_LIST_UNLOCK(); 905 return (EBUSY); 906 } 907 if (mpc->mpc_ops->mpo_destroy != NULL) 908 (*(mpc->mpc_ops->mpo_destroy))(mpc); 909 910 LIST_REMOVE(mpc, mpc_list); 911 MAC_POLICY_LIST_UNLOCK(); 912 913 FREE(mpc->mpc_ops, M_MACOPVEC); 914 mpc->mpc_ops = NULL; 915 916 printf("Security policy unload: %s (%s)\n", mpc->mpc_fullname, 917 mpc->mpc_name); 918 919 return (0); 920} 921 922/* 923 * Define an error value precedence, and given two arguments, selects the 924 * value with the higher precedence. 925 */ 926static int 927error_select(int error1, int error2) 928{ 929 930 /* Certain decision-making errors take top priority. */ 931 if (error1 == EDEADLK || error2 == EDEADLK) 932 return (EDEADLK); 933 934 /* Invalid arguments should be reported where possible. */ 935 if (error1 == EINVAL || error2 == EINVAL) 936 return (EINVAL); 937 938 /* Precedence goes to "visibility", with both process and file. */ 939 if (error1 == ESRCH || error2 == ESRCH) 940 return (ESRCH); 941 942 if (error1 == ENOENT || error2 == ENOENT) 943 return (ENOENT); 944 945 /* Precedence goes to DAC/MAC protections. */ 946 if (error1 == EACCES || error2 == EACCES) 947 return (EACCES); 948 949 /* Precedence goes to privilege. */ 950 if (error1 == EPERM || error2 == EPERM) 951 return (EPERM); 952 953 /* Precedence goes to error over success; otherwise, arbitrary. */ 954 if (error1 != 0) 955 return (error1); 956 return (error2); 957} 958 959void 960mac_update_devfsdirent(struct devfs_dirent *de, struct vnode *vp) 961{ 962 963 MAC_PERFORM(update_devfsdirent, de, &de->de_label, vp, &vp->v_label); 964} 965 966void 967mac_update_procfsvnode(struct vnode *vp, struct ucred *cred) 968{ 969 970 MAC_PERFORM(update_procfsvnode, vp, &vp->v_label, cred); 971} 972 973/* 974 * Support callout for policies that manage their own externalization 975 * using extended attributes. 976 */ 977static int 978mac_update_vnode_from_extattr(struct vnode *vp, struct mount *mp) 979{ 980 int error; 981 982 MAC_CHECK(update_vnode_from_extattr, vp, &vp->v_label, mp, 983 &mp->mnt_fslabel); 984 985 return (error); 986} 987 988/* 989 * Given an externalized mac label, internalize it and stamp it on a 990 * vnode. 991 */ 992static int 993mac_update_vnode_from_externalized(struct vnode *vp, struct mac *extmac) 994{ 995 int error; 996 997 MAC_CHECK(update_vnode_from_externalized, vp, &vp->v_label, extmac); 998 999 return (error); 1000} 1001 1002/* 1003 * Call out to individual policies to update the label in a vnode from 1004 * the mountpoint. 1005 */ 1006void 1007mac_update_vnode_from_mount(struct vnode *vp, struct mount *mp) 1008{ 1009 1010 MAC_PERFORM(update_vnode_from_mount, vp, &vp->v_label, mp, 1011 &mp->mnt_fslabel); 1012 1013 ASSERT_VOP_LOCKED(vp, "mac_update_vnode_from_mount"); 1014 if (mac_cache_fslabel_in_vnode) 1015 vp->v_vflag |= VV_CACHEDLABEL; 1016} 1017 1018/* 1019 * Implementation of VOP_REFRESHLABEL() that relies on extended attributes 1020 * to store label data. Can be referenced by filesystems supporting 1021 * extended attributes. 1022 */ 1023int 1024vop_stdrefreshlabel_ea(struct vop_refreshlabel_args *ap) 1025{ 1026 struct vnode *vp = ap->a_vp; 1027 struct mac extmac; 1028 int buflen, error; 1029 1030 ASSERT_VOP_LOCKED(vp, "vop_stdrefreshlabel_ea"); 1031 1032 /* 1033 * Call out to external policies first. Order doesn't really 1034 * matter, as long as failure of one assures failure of all. 1035 */ 1036 error = mac_update_vnode_from_extattr(vp, vp->v_mount); 1037 if (error) 1038 return (error); 1039 1040 buflen = sizeof(extmac); 1041 error = vn_extattr_get(vp, IO_NODELOCKED, 1042 FREEBSD_MAC_EXTATTR_NAMESPACE, FREEBSD_MAC_EXTATTR_NAME, &buflen, 1043 (char *)&extmac, curthread); 1044 switch (error) { 1045 case 0: 1046 /* Got it */ 1047 break; 1048 1049 case ENOATTR: 1050 /* 1051 * Use the label from the mount point. 1052 */ 1053 mac_update_vnode_from_mount(vp, vp->v_mount); 1054 return (0); 1055 1056 case EOPNOTSUPP: 1057 default: 1058 /* Fail horribly. */ 1059 return (error); 1060 } 1061 1062 if (buflen != sizeof(extmac)) 1063 error = EPERM; /* Fail very closed. */ 1064 if (error == 0) 1065 error = mac_update_vnode_from_externalized(vp, &extmac); 1066 if (error == 0) 1067 vp->v_vflag |= VV_CACHEDLABEL; 1068 else { 1069 struct vattr va; 1070 1071 printf("Corrupted label on %s", 1072 vp->v_mount->mnt_stat.f_mntonname); 1073 if (VOP_GETATTR(vp, &va, curthread->td_ucred, curthread) == 0) 1074 printf(" inum %ld", va.va_fileid); 1075 if (mac_debug_label_fallback) { 1076 printf(", falling back.\n"); 1077 mac_update_vnode_from_mount(vp, vp->v_mount); 1078 error = 0; 1079 } else { 1080 printf(".\n"); 1081 error = EPERM; 1082 } 1083 } 1084 1085 return (error); 1086} 1087 1088/* 1089 * Make sure the vnode label is up-to-date. If EOPNOTSUPP, then we handle 1090 * the labeling activity outselves. Filesystems should be careful not 1091 * to change their minds regarding whether they support vop_refreshlabel() 1092 * for a vnode or not. Don't cache the vnode here, allow the file 1093 * system code to determine if it's safe to cache. If we update from 1094 * the mount, don't cache since a change to the mount label should affect 1095 * all vnodes. 1096 */ 1097static int 1098vn_refreshlabel(struct vnode *vp, struct ucred *cred) 1099{ 1100 int error; 1101 1102 ASSERT_VOP_LOCKED(vp, "vn_refreshlabel"); 1103 1104 if (vp->v_mount == NULL) { 1105/* 1106 Eventually, we probably want to special-case refreshing 1107 of deadfs vnodes, and if there's a lock-free race somewhere, 1108 that case might be handled here. 1109 1110 mac_update_vnode_deadfs(vp); 1111 return (0); 1112 */ 1113 /* printf("vn_refreshlabel: null v_mount\n"); */ 1114 if (vp->v_tag != VT_NON) 1115 printf( 1116 "vn_refreshlabel: null v_mount with non-VT_NON\n"); 1117 return (EBADF); 1118 } 1119 1120 if (vp->v_vflag & VV_CACHEDLABEL) { 1121 mac_vnode_label_cache_hits++; 1122 return (0); 1123 } else 1124 mac_vnode_label_cache_misses++; 1125 1126 if ((vp->v_mount->mnt_flag & MNT_MULTILABEL) == 0) { 1127 mac_update_vnode_from_mount(vp, vp->v_mount); 1128 return (0); 1129 } 1130 1131 error = VOP_REFRESHLABEL(vp, cred, curthread); 1132 switch (error) { 1133 case EOPNOTSUPP: 1134 /* 1135 * If labels are not supported on this vnode, fall back to 1136 * the label in the mount and propagate it to the vnode. 1137 * There should probably be some sort of policy/flag/decision 1138 * about doing this. 1139 */ 1140 mac_update_vnode_from_mount(vp, vp->v_mount); 1141 error = 0; 1142 default: 1143 return (error); 1144 } 1145} 1146 1147/* 1148 * Helper function for file systems using the vop_std*_ea() calls. This 1149 * function must be called after EA service is available for the vnode, 1150 * but before it's hooked up to the namespace so that the node persists 1151 * if there's a crash, or before it can be accessed. On successful 1152 * commit of the label to disk (etc), do cache the label. 1153 */ 1154int 1155vop_stdcreatevnode_ea(struct vnode *dvp, struct vnode *tvp, struct ucred *cred) 1156{ 1157 struct mac extmac; 1158 int error; 1159 1160 ASSERT_VOP_LOCKED(tvp, "vop_stdcreatevnode_ea"); 1161 if ((dvp->v_mount->mnt_flag & MNT_MULTILABEL) == 0) { 1162 mac_update_vnode_from_mount(tvp, tvp->v_mount); 1163 } else { 1164 error = vn_refreshlabel(dvp, cred); 1165 if (error) 1166 return (error); 1167 1168 /* 1169 * Stick the label in the vnode. Then try to write to 1170 * disk. If we fail, return a failure to abort the 1171 * create operation. Really, this failure shouldn't 1172 * happen except in fairly unusual circumstances (out 1173 * of disk, etc). 1174 */ 1175 mac_create_vnode(cred, dvp, tvp); 1176 1177 error = mac_stdcreatevnode_ea(tvp); 1178 if (error) 1179 return (error); 1180 1181 /* 1182 * XXX: Eventually this will go away and all policies will 1183 * directly manage their extended attributes. 1184 */ 1185 error = mac_externalize(&tvp->v_label, &extmac); 1186 if (error) 1187 return (error); 1188 1189 error = vn_extattr_set(tvp, IO_NODELOCKED, 1190 FREEBSD_MAC_EXTATTR_NAMESPACE, FREEBSD_MAC_EXTATTR_NAME, 1191 sizeof(extmac), (char *)&extmac, curthread); 1192 if (error == 0) 1193 tvp->v_vflag |= VV_CACHEDLABEL; 1194 else { 1195#if 0 1196 /* 1197 * In theory, we could have fall-back behavior here. 1198 * It would probably be incorrect. 1199 */ 1200#endif 1201 return (error); 1202 } 1203 } 1204 1205 return (0); 1206} 1207 1208void 1209mac_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp) 1210{ 1211 int error; 1212 1213 ASSERT_VOP_LOCKED(vp, "mac_execve_transition"); 1214 1215 error = vn_refreshlabel(vp, old); 1216 if (error) { 1217 printf("mac_execve_transition: vn_refreshlabel returned %d\n", 1218 error); 1219 printf("mac_execve_transition: using old vnode label\n"); 1220 } 1221 1222 MAC_PERFORM(execve_transition, old, new, vp, &vp->v_label); 1223} 1224 1225int 1226mac_execve_will_transition(struct ucred *old, struct vnode *vp) 1227{ 1228 int error, result; 1229 1230 error = vn_refreshlabel(vp, old); 1231 if (error) 1232 return (error); 1233 1234 result = 0; 1235 MAC_BOOLEAN(execve_will_transition, ||, old, vp, &vp->v_label); 1236 1237 return (result); 1238} 1239 1240static void 1241mac_init_label(struct label *label) 1242{ 1243 1244 bzero(label, sizeof(*label)); 1245 label->l_flags = MAC_FLAG_INITIALIZED; 1246} 1247 1248static void 1249mac_init_structmac(struct mac *mac) 1250{ 1251 1252 bzero(mac, sizeof(*mac)); 1253 mac->m_macflags = MAC_FLAG_INITIALIZED; 1254} 1255 1256static void 1257mac_destroy_label(struct label *label) 1258{ 1259 1260 KASSERT(label->l_flags & MAC_FLAG_INITIALIZED, 1261 ("destroying uninitialized label")); 1262 1263 bzero(label, sizeof(*label)); 1264 /* implicit: label->l_flags &= ~MAC_FLAG_INITIALIZED; */ 1265} 1266 1267int 1268mac_init_mbuf(struct mbuf *m, int how) 1269{ 1270 KASSERT(m->m_flags & M_PKTHDR, ("mac_init_mbuf on non-header mbuf")); 1271 1272 /* "how" is one of M_(TRY|DONT)WAIT */ 1273 mac_init_label(&m->m_pkthdr.label); 1274 MAC_PERFORM(init_mbuf, m, how, &m->m_pkthdr.label); 1275#ifdef MAC_DEBUG 1276 atomic_add_int(&nmacmbufs, 1); 1277#endif 1278 return (0); 1279} 1280 1281void 1282mac_destroy_mbuf(struct mbuf *m) 1283{ 1284 1285 MAC_PERFORM(destroy_mbuf, m, &m->m_pkthdr.label); 1286 mac_destroy_label(&m->m_pkthdr.label); 1287#ifdef MAC_DEBUG 1288 atomic_subtract_int(&nmacmbufs, 1); 1289#endif 1290} 1291 1292void 1293mac_init_cred(struct ucred *cr) 1294{ 1295 1296 mac_init_label(&cr->cr_label); 1297 MAC_PERFORM(init_cred, cr, &cr->cr_label); 1298#ifdef MAC_DEBUG 1299 atomic_add_int(&nmaccreds, 1); 1300#endif 1301} 1302 1303void 1304mac_destroy_cred(struct ucred *cr) 1305{ 1306 1307 MAC_PERFORM(destroy_cred, cr, &cr->cr_label); 1308 mac_destroy_label(&cr->cr_label); 1309#ifdef MAC_DEBUG 1310 atomic_subtract_int(&nmaccreds, 1); 1311#endif 1312} 1313 1314void 1315mac_init_ifnet(struct ifnet *ifp) 1316{ 1317 1318 mac_init_label(&ifp->if_label); 1319 MAC_PERFORM(init_ifnet, ifp, &ifp->if_label); 1320#ifdef MAC_DEBUG 1321 atomic_add_int(&nmacifnets, 1); 1322#endif 1323} 1324 1325void 1326mac_destroy_ifnet(struct ifnet *ifp) 1327{ 1328 1329 MAC_PERFORM(destroy_ifnet, ifp, &ifp->if_label); 1330 mac_destroy_label(&ifp->if_label); 1331#ifdef MAC_DEBUG 1332 atomic_subtract_int(&nmacifnets, 1); 1333#endif 1334} 1335 1336void 1337mac_init_ipq(struct ipq *ipq) 1338{ 1339 1340 mac_init_label(&ipq->ipq_label); 1341 MAC_PERFORM(init_ipq, ipq, &ipq->ipq_label); 1342#ifdef MAC_DEBUG 1343 atomic_add_int(&nmacipqs, 1); 1344#endif 1345} 1346 1347void 1348mac_destroy_ipq(struct ipq *ipq) 1349{ 1350 1351 MAC_PERFORM(destroy_ipq, ipq, &ipq->ipq_label); 1352 mac_destroy_label(&ipq->ipq_label); 1353#ifdef MAC_DEBUG 1354 atomic_subtract_int(&nmacipqs, 1); 1355#endif 1356} 1357 1358void 1359mac_init_socket(struct socket *socket) 1360{ 1361 1362 mac_init_label(&socket->so_label); 1363 mac_init_label(&socket->so_peerlabel); 1364 MAC_PERFORM(init_socket, socket, &socket->so_label, 1365 &socket->so_peerlabel); 1366#ifdef MAC_DEBUG 1367 atomic_add_int(&nmacsockets, 1); 1368#endif 1369} 1370 1371void 1372mac_destroy_socket(struct socket *socket) 1373{ 1374 1375 MAC_PERFORM(destroy_socket, socket, &socket->so_label, 1376 &socket->so_peerlabel); 1377 mac_destroy_label(&socket->so_label); 1378 mac_destroy_label(&socket->so_peerlabel); 1379#ifdef MAC_DEBUG 1380 atomic_subtract_int(&nmacsockets, 1); 1381#endif 1382} 1383 1384void 1385mac_init_pipe(struct pipe *pipe) 1386{ 1387 struct label *label; 1388 1389 label = malloc(sizeof(struct label), M_MACPIPELABEL, M_ZERO|M_WAITOK); 1390 mac_init_label(label); 1391 pipe->pipe_label = label; 1392 pipe->pipe_peer->pipe_label = label; 1393 MAC_PERFORM(init_pipe, pipe, pipe->pipe_label); 1394#ifdef MAC_DEBUG 1395 atomic_add_int(&nmacpipes, 1); 1396#endif 1397} 1398 1399void 1400mac_destroy_pipe(struct pipe *pipe) 1401{ 1402 1403 MAC_PERFORM(destroy_pipe, pipe, pipe->pipe_label); 1404 mac_destroy_label(pipe->pipe_label); 1405 free(pipe->pipe_label, M_MACPIPELABEL); 1406#ifdef MAC_DEBUG 1407 atomic_subtract_int(&nmacpipes, 1); 1408#endif 1409} 1410 1411void 1412mac_init_bpfdesc(struct bpf_d *bpf_d) 1413{ 1414 1415 mac_init_label(&bpf_d->bd_label); 1416 MAC_PERFORM(init_bpfdesc, bpf_d, &bpf_d->bd_label); 1417#ifdef MAC_DEBUG 1418 atomic_add_int(&nmacbpfdescs, 1); 1419#endif 1420} 1421 1422void 1423mac_destroy_bpfdesc(struct bpf_d *bpf_d) 1424{ 1425 1426 MAC_PERFORM(destroy_bpfdesc, bpf_d, &bpf_d->bd_label); 1427 mac_destroy_label(&bpf_d->bd_label); 1428#ifdef MAC_DEBUG 1429 atomic_subtract_int(&nmacbpfdescs, 1); 1430#endif 1431} 1432 1433void 1434mac_init_mount(struct mount *mp) 1435{ 1436 1437 mac_init_label(&mp->mnt_mntlabel); 1438 mac_init_label(&mp->mnt_fslabel); 1439 MAC_PERFORM(init_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel); 1440#ifdef MAC_DEBUG 1441 atomic_add_int(&nmacmounts, 1); 1442#endif 1443} 1444 1445void 1446mac_destroy_mount(struct mount *mp) 1447{ 1448 1449 MAC_PERFORM(destroy_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel); 1450 mac_destroy_label(&mp->mnt_fslabel); 1451 mac_destroy_label(&mp->mnt_mntlabel); 1452#ifdef MAC_DEBUG 1453 atomic_subtract_int(&nmacmounts, 1); 1454#endif 1455} 1456 1457static void 1458mac_init_temp(struct label *label) 1459{ 1460 1461 mac_init_label(label); 1462 MAC_PERFORM(init_temp, label); 1463#ifdef MAC_DEBUG 1464 atomic_add_int(&nmactemp, 1); 1465#endif 1466} 1467 1468static void 1469mac_destroy_temp(struct label *label) 1470{ 1471 1472 MAC_PERFORM(destroy_temp, label); 1473 mac_destroy_label(label); 1474#ifdef MAC_DEBUG 1475 atomic_subtract_int(&nmactemp, 1); 1476#endif 1477} 1478 1479void 1480mac_init_vnode(struct vnode *vp) 1481{ 1482 1483 mac_init_label(&vp->v_label); 1484 MAC_PERFORM(init_vnode, vp, &vp->v_label); 1485#ifdef MAC_DEBUG 1486 atomic_add_int(&nmacvnodes, 1); 1487#endif 1488} 1489 1490void 1491mac_destroy_vnode(struct vnode *vp) 1492{ 1493 1494 MAC_PERFORM(destroy_vnode, vp, &vp->v_label); 1495 mac_destroy_label(&vp->v_label); 1496#ifdef MAC_DEBUG 1497 atomic_subtract_int(&nmacvnodes, 1); 1498#endif 1499} 1500 1501void 1502mac_init_devfsdirent(struct devfs_dirent *de) 1503{ 1504 1505 mac_init_label(&de->de_label); 1506 MAC_PERFORM(init_devfsdirent, de, &de->de_label); 1507#ifdef MAC_DEBUG 1508 atomic_add_int(&nmacdevfsdirents, 1); 1509#endif 1510} 1511 1512void 1513mac_destroy_devfsdirent(struct devfs_dirent *de) 1514{ 1515 1516 MAC_PERFORM(destroy_devfsdirent, de, &de->de_label); 1517 mac_destroy_label(&de->de_label); 1518#ifdef MAC_DEBUG 1519 atomic_subtract_int(&nmacdevfsdirents, 1); 1520#endif 1521} 1522 1523static int 1524mac_externalize(struct label *label, struct mac *mac) 1525{ 1526 int error; 1527 1528 mac_init_structmac(mac); 1529 MAC_CHECK(externalize, label, mac); 1530 1531 return (error); 1532} 1533 1534static int 1535mac_internalize(struct label *label, struct mac *mac) 1536{ 1537 int error; 1538 1539 mac_init_temp(label); 1540 MAC_CHECK(internalize, label, mac); 1541 if (error) 1542 mac_destroy_temp(label); 1543 1544 return (error); 1545} 1546 1547/* 1548 * Initialize MAC label for the first kernel process, from which other 1549 * kernel processes and threads are spawned. 1550 */ 1551void 1552mac_create_proc0(struct ucred *cred) 1553{ 1554 1555 MAC_PERFORM(create_proc0, cred); 1556} 1557 1558/* 1559 * Initialize MAC label for the first userland process, from which other 1560 * userland processes and threads are spawned. 1561 */ 1562void 1563mac_create_proc1(struct ucred *cred) 1564{ 1565 1566 MAC_PERFORM(create_proc1, cred); 1567} 1568 1569/* 1570 * When a new process is created, its label must be initialized. Generally, 1571 * this involves inheritence from the parent process, modulo possible 1572 * deltas. This function allows that processing to take place. 1573 */ 1574void 1575mac_create_cred(struct ucred *parent_cred, struct ucred *child_cred) 1576{ 1577 1578 MAC_PERFORM(create_cred, parent_cred, child_cred); 1579} 1580 1581int 1582mac_check_vnode_access(struct ucred *cred, struct vnode *vp, int flags) 1583{ 1584 int error; 1585 1586 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_access"); 1587 1588 if (!mac_enforce_fs) 1589 return (0); 1590 1591 error = vn_refreshlabel(vp, cred); 1592 if (error) 1593 return (error); 1594 1595 MAC_CHECK(check_vnode_access, cred, vp, &vp->v_label, flags); 1596 return (error); 1597} 1598 1599int 1600mac_check_vnode_chdir(struct ucred *cred, struct vnode *dvp) 1601{ 1602 int error; 1603 1604 ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_chdir"); 1605 1606 if (!mac_enforce_fs) 1607 return (0); 1608 1609 error = vn_refreshlabel(dvp, cred); 1610 if (error) 1611 return (error); 1612 1613 MAC_CHECK(check_vnode_chdir, cred, dvp, &dvp->v_label); 1614 return (error); 1615} 1616 1617int 1618mac_check_vnode_chroot(struct ucred *cred, struct vnode *dvp) 1619{ 1620 int error; 1621 1622 ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_chroot"); 1623 1624 if (!mac_enforce_fs) 1625 return (0); 1626 1627 error = vn_refreshlabel(dvp, cred); 1628 if (error) 1629 return (error); 1630 1631 MAC_CHECK(check_vnode_chroot, cred, dvp, &dvp->v_label); 1632 return (error); 1633} 1634 1635int 1636mac_check_vnode_create(struct ucred *cred, struct vnode *dvp, 1637 struct componentname *cnp, struct vattr *vap) 1638{ 1639 int error; 1640 1641 ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_create"); 1642 1643 if (!mac_enforce_fs) 1644 return (0); 1645 1646 error = vn_refreshlabel(dvp, cred); 1647 if (error) 1648 return (error); 1649 1650 MAC_CHECK(check_vnode_create, cred, dvp, &dvp->v_label, cnp, vap); 1651 return (error); 1652} 1653 1654int 1655mac_check_vnode_delete(struct ucred *cred, struct vnode *dvp, struct vnode *vp, 1656 struct componentname *cnp) 1657{ 1658 int error; 1659 1660 ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_delete"); 1661 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_delete"); 1662 1663 if (!mac_enforce_fs) 1664 return (0); 1665 1666 error = vn_refreshlabel(dvp, cred); 1667 if (error) 1668 return (error); 1669 error = vn_refreshlabel(vp, cred); 1670 if (error) 1671 return (error); 1672 1673 MAC_CHECK(check_vnode_delete, cred, dvp, &dvp->v_label, vp, 1674 &vp->v_label, cnp); 1675 return (error); 1676} 1677 1678int 1679mac_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp, 1680 acl_type_t type) 1681{ 1682 int error; 1683 1684 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_deleteacl"); 1685 1686 if (!mac_enforce_fs) 1687 return (0); 1688 1689 error = vn_refreshlabel(vp, cred); 1690 if (error) 1691 return (error); 1692 1693 MAC_CHECK(check_vnode_deleteacl, cred, vp, &vp->v_label, type); 1694 return (error); 1695} 1696 1697int 1698mac_check_vnode_exec(struct ucred *cred, struct vnode *vp) 1699{ 1700 int error; 1701 1702 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_exec"); 1703 1704 if (!mac_enforce_process && !mac_enforce_fs) 1705 return (0); 1706 1707 error = vn_refreshlabel(vp, cred); 1708 if (error) 1709 return (error); 1710 MAC_CHECK(check_vnode_exec, cred, vp, &vp->v_label); 1711 1712 return (error); 1713} 1714 1715int 1716mac_check_vnode_getacl(struct ucred *cred, struct vnode *vp, acl_type_t type) 1717{ 1718 int error; 1719 1720 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_getacl"); 1721 1722 if (!mac_enforce_fs) 1723 return (0); 1724 1725 error = vn_refreshlabel(vp, cred); 1726 if (error) 1727 return (error); 1728 1729 MAC_CHECK(check_vnode_getacl, cred, vp, &vp->v_label, type); 1730 return (error); 1731} 1732 1733int 1734mac_check_vnode_getextattr(struct ucred *cred, struct vnode *vp, 1735 int attrnamespace, const char *name, struct uio *uio) 1736{ 1737 int error; 1738 1739 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_getextattr"); 1740 1741 if (!mac_enforce_fs) 1742 return (0); 1743 1744 error = vn_refreshlabel(vp, cred); 1745 if (error) 1746 return (error); 1747 1748 MAC_CHECK(check_vnode_getextattr, cred, vp, &vp->v_label, 1749 attrnamespace, name, uio); 1750 return (error); 1751} 1752 1753int 1754mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, 1755 struct componentname *cnp) 1756{ 1757 int error; 1758 1759 ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_lookup"); 1760 1761 if (!mac_enforce_fs) 1762 return (0); 1763 1764 error = vn_refreshlabel(dvp, cred); 1765 if (error) 1766 return (error); 1767 1768 MAC_CHECK(check_vnode_lookup, cred, dvp, &dvp->v_label, cnp); 1769 return (error); 1770} 1771 1772vm_prot_t 1773mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp, int newmapping) 1774{ 1775 vm_prot_t result = VM_PROT_ALL; 1776 1777 /* 1778 * This should be some sort of MAC_BITWISE, maybe :) 1779 */ 1780 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_mmap_perms"); 1781 MAC_BOOLEAN(check_vnode_mmap_perms, &, cred, vp, &vp->v_label, 1782 newmapping); 1783 return (result); 1784} 1785 1786int 1787mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode) 1788{ 1789 int error; 1790 1791 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open"); 1792 1793 if (!mac_enforce_fs) 1794 return (0); 1795 1796 error = vn_refreshlabel(vp, cred); 1797 if (error) 1798 return (error); 1799 1800 MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode); 1801 return (error); 1802} 1803 1804int 1805mac_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred, 1806 struct vnode *vp) 1807{ 1808 int error; 1809 1810 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_poll"); 1811 1812 if (!mac_enforce_fs) 1813 return (0); 1814 1815 error = vn_refreshlabel(vp, active_cred); 1816 if (error) 1817 return (error); 1818 1819 MAC_CHECK(check_vnode_poll, active_cred, file_cred, vp, 1820 &vp->v_label); 1821 1822 return (error); 1823} 1824 1825int 1826mac_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred, 1827 struct vnode *vp) 1828{ 1829 int error; 1830 1831 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_read"); 1832 1833 if (!mac_enforce_fs) 1834 return (0); 1835 1836 error = vn_refreshlabel(vp, active_cred); 1837 if (error) 1838 return (error); 1839 1840 MAC_CHECK(check_vnode_read, active_cred, file_cred, vp, 1841 &vp->v_label); 1842 1843 return (error); 1844} 1845 1846int 1847mac_check_vnode_readdir(struct ucred *cred, struct vnode *dvp) 1848{ 1849 int error; 1850 1851 ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_readdir"); 1852 1853 if (!mac_enforce_fs) 1854 return (0); 1855 1856 error = vn_refreshlabel(dvp, cred); 1857 if (error) 1858 return (error); 1859 1860 MAC_CHECK(check_vnode_readdir, cred, dvp, &dvp->v_label); 1861 return (error); 1862} 1863 1864int 1865mac_check_vnode_readlink(struct ucred *cred, struct vnode *vp) 1866{ 1867 int error; 1868 1869 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_readlink"); 1870 1871 if (!mac_enforce_fs) 1872 return (0); 1873 1874 error = vn_refreshlabel(vp, cred); 1875 if (error) 1876 return (error); 1877 1878 MAC_CHECK(check_vnode_readlink, cred, vp, &vp->v_label); 1879 return (error); 1880} 1881 1882static int 1883mac_check_vnode_relabel(struct ucred *cred, struct vnode *vp, 1884 struct label *newlabel) 1885{ 1886 int error; 1887 1888 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_relabel"); 1889 1890 error = vn_refreshlabel(vp, cred); 1891 if (error) 1892 return (error); 1893 1894 MAC_CHECK(check_vnode_relabel, cred, vp, &vp->v_label, newlabel); 1895 1896 return (error); 1897} 1898 1899int 1900mac_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp, 1901 struct vnode *vp, struct componentname *cnp) 1902{ 1903 int error; 1904 1905 ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_rename_from"); 1906 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_rename_from"); 1907 1908 if (!mac_enforce_fs) 1909 return (0); 1910 1911 error = vn_refreshlabel(dvp, cred); 1912 if (error) 1913 return (error); 1914 error = vn_refreshlabel(vp, cred); 1915 if (error) 1916 return (error); 1917 1918 MAC_CHECK(check_vnode_rename_from, cred, dvp, &dvp->v_label, vp, 1919 &vp->v_label, cnp); 1920 return (error); 1921} 1922 1923int 1924mac_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp, 1925 struct vnode *vp, int samedir, struct componentname *cnp) 1926{ 1927 int error; 1928 1929 ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_rename_to"); 1930 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_rename_to"); 1931 1932 if (!mac_enforce_fs) 1933 return (0); 1934 1935 error = vn_refreshlabel(dvp, cred); 1936 if (error) 1937 return (error); 1938 if (vp != NULL) { 1939 error = vn_refreshlabel(vp, cred); 1940 if (error) 1941 return (error); 1942 } 1943 MAC_CHECK(check_vnode_rename_to, cred, dvp, &dvp->v_label, vp, 1944 vp != NULL ? &vp->v_label : NULL, samedir, cnp); 1945 return (error); 1946} 1947 1948int 1949mac_check_vnode_revoke(struct ucred *cred, struct vnode *vp) 1950{ 1951 int error; 1952 1953 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_revoke"); 1954 1955 if (!mac_enforce_fs) 1956 return (0); 1957 1958 error = vn_refreshlabel(vp, cred); 1959 if (error) 1960 return (error); 1961 1962 MAC_CHECK(check_vnode_revoke, cred, vp, &vp->v_label); 1963 return (error); 1964} 1965 1966int 1967mac_check_vnode_setacl(struct ucred *cred, struct vnode *vp, acl_type_t type, 1968 struct acl *acl) 1969{ 1970 int error; 1971 1972 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setacl"); 1973 1974 if (!mac_enforce_fs) 1975 return (0); 1976 1977 error = vn_refreshlabel(vp, cred); 1978 if (error) 1979 return (error); 1980 1981 MAC_CHECK(check_vnode_setacl, cred, vp, &vp->v_label, type, acl); 1982 return (error); 1983} 1984 1985int 1986mac_check_vnode_setextattr(struct ucred *cred, struct vnode *vp, 1987 int attrnamespace, const char *name, struct uio *uio) 1988{ 1989 int error; 1990 1991 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setextattr"); 1992 1993 if (!mac_enforce_fs) 1994 return (0); 1995 1996 error = vn_refreshlabel(vp, cred); 1997 if (error) 1998 return (error); 1999 2000 MAC_CHECK(check_vnode_setextattr, cred, vp, &vp->v_label, 2001 attrnamespace, name, uio); 2002 return (error); 2003} 2004 2005int 2006mac_check_vnode_setflags(struct ucred *cred, struct vnode *vp, u_long flags) 2007{ 2008 int error; 2009 2010 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setflags"); 2011 2012 if (!mac_enforce_fs) 2013 return (0); 2014 2015 error = vn_refreshlabel(vp, cred); 2016 if (error) 2017 return (error); 2018 2019 MAC_CHECK(check_vnode_setflags, cred, vp, &vp->v_label, flags); 2020 return (error); 2021} 2022 2023int 2024mac_check_vnode_setmode(struct ucred *cred, struct vnode *vp, mode_t mode) 2025{ 2026 int error; 2027 2028 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setmode"); 2029 2030 if (!mac_enforce_fs) 2031 return (0); 2032 2033 error = vn_refreshlabel(vp, cred); 2034 if (error) 2035 return (error); 2036 2037 MAC_CHECK(check_vnode_setmode, cred, vp, &vp->v_label, mode); 2038 return (error); 2039} 2040 2041int 2042mac_check_vnode_setowner(struct ucred *cred, struct vnode *vp, uid_t uid, 2043 gid_t gid) 2044{ 2045 int error; 2046 2047 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setowner"); 2048 2049 if (!mac_enforce_fs) 2050 return (0); 2051 2052 error = vn_refreshlabel(vp, cred); 2053 if (error) 2054 return (error); 2055 2056 MAC_CHECK(check_vnode_setowner, cred, vp, &vp->v_label, uid, gid); 2057 return (error); 2058} 2059 2060int 2061mac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp, 2062 struct timespec atime, struct timespec mtime) 2063{ 2064 int error; 2065 2066 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setutimes"); 2067 2068 if (!mac_enforce_fs) 2069 return (0); 2070 2071 error = vn_refreshlabel(vp, cred); 2072 if (error) 2073 return (error); 2074 2075 MAC_CHECK(check_vnode_setutimes, cred, vp, &vp->v_label, atime, 2076 mtime); 2077 return (error); 2078} 2079 2080int 2081mac_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred, 2082 struct vnode *vp) 2083{ 2084 int error; 2085 2086 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_stat"); 2087 2088 if (!mac_enforce_fs) 2089 return (0); 2090 2091 error = vn_refreshlabel(vp, active_cred); 2092 if (error) 2093 return (error); 2094 2095 MAC_CHECK(check_vnode_stat, active_cred, file_cred, vp, 2096 &vp->v_label); 2097 return (error); 2098} 2099 2100int 2101mac_check_vnode_write(struct ucred *active_cred, struct ucred *file_cred, 2102 struct vnode *vp) 2103{ 2104 int error; 2105 2106 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_write"); 2107 2108 if (!mac_enforce_fs) 2109 return (0); 2110 2111 error = vn_refreshlabel(vp, active_cred); 2112 if (error) 2113 return (error); 2114 2115 MAC_CHECK(check_vnode_write, active_cred, file_cred, vp, 2116 &vp->v_label); 2117 2118 return (error); 2119} 2120 2121/* 2122 * When relabeling a process, call out to the policies for the maximum 2123 * permission allowed for each object type we know about in its 2124 * memory space, and revoke access (in the least surprising ways we 2125 * know) when necessary. The process lock is not held here. 2126 */ 2127static void 2128mac_cred_mmapped_drop_perms(struct thread *td, struct ucred *cred) 2129{ 2130 2131 /* XXX freeze all other threads */ 2132 mtx_lock(&Giant); 2133 mac_cred_mmapped_drop_perms_recurse(td, cred, 2134 &td->td_proc->p_vmspace->vm_map); 2135 mtx_unlock(&Giant); 2136 /* XXX allow other threads to continue */ 2137} 2138 2139static __inline const char * 2140prot2str(vm_prot_t prot) 2141{ 2142 2143 switch (prot & VM_PROT_ALL) { 2144 case VM_PROT_READ: 2145 return ("r--"); 2146 case VM_PROT_READ | VM_PROT_WRITE: 2147 return ("rw-"); 2148 case VM_PROT_READ | VM_PROT_EXECUTE: 2149 return ("r-x"); 2150 case VM_PROT_READ | VM_PROT_WRITE | VM_PROT_EXECUTE: 2151 return ("rwx"); 2152 case VM_PROT_WRITE: 2153 return ("-w-"); 2154 case VM_PROT_EXECUTE: 2155 return ("--x"); 2156 case VM_PROT_WRITE | VM_PROT_EXECUTE: 2157 return ("-wx"); 2158 default: 2159 return ("---"); 2160 } 2161} 2162 2163static void 2164mac_cred_mmapped_drop_perms_recurse(struct thread *td, struct ucred *cred, 2165 struct vm_map *map) 2166{ 2167 struct vm_map_entry *vme; 2168 vm_prot_t result, revokeperms; 2169 vm_object_t object; 2170 vm_ooffset_t offset; 2171 struct vnode *vp; 2172 2173 vm_map_lock_read(map); 2174 for (vme = map->header.next; vme != &map->header; vme = vme->next) { 2175 if (vme->eflags & MAP_ENTRY_IS_SUB_MAP) { 2176 mac_cred_mmapped_drop_perms_recurse(td, cred, 2177 vme->object.sub_map); 2178 continue; 2179 } 2180 /* 2181 * Skip over entries that obviously are not shared. 2182 */ 2183 if (vme->eflags & (MAP_ENTRY_COW | MAP_ENTRY_NOSYNC) || 2184 !vme->max_protection) 2185 continue; 2186 /* 2187 * Drill down to the deepest backing object. 2188 */ 2189 offset = vme->offset; 2190 object = vme->object.vm_object; 2191 if (object == NULL) 2192 continue; 2193 while (object->backing_object != NULL) { 2194 object = object->backing_object; 2195 offset += object->backing_object_offset; 2196 } 2197 /* 2198 * At the moment, vm_maps and objects aren't considered 2199 * by the MAC system, so only things with backing by a 2200 * normal object (read: vnodes) are checked. 2201 */ 2202 if (object->type != OBJT_VNODE) 2203 continue; 2204 vp = (struct vnode *)object->handle; 2205 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); 2206 result = mac_check_vnode_mmap_prot(cred, vp, 0); 2207 VOP_UNLOCK(vp, 0, td); 2208 /* 2209 * Find out what maximum protection we may be allowing 2210 * now but a policy needs to get removed. 2211 */ 2212 revokeperms = vme->max_protection & ~result; 2213 if (!revokeperms) 2214 continue; 2215 printf("pid %ld: revoking %s perms from %#lx:%ld " 2216 "(max %s/cur %s)\n", (long)td->td_proc->p_pid, 2217 prot2str(revokeperms), (u_long)vme->start, 2218 (long)(vme->end - vme->start), 2219 prot2str(vme->max_protection), prot2str(vme->protection)); 2220 vm_map_lock_upgrade(map); 2221 /* 2222 * This is the really simple case: if a map has more 2223 * max_protection than is allowed, but it's not being 2224 * actually used (that is, the current protection is 2225 * still allowed), we can just wipe it out and do 2226 * nothing more. 2227 */ 2228 if ((vme->protection & revokeperms) == 0) { 2229 vme->max_protection -= revokeperms; 2230 } else { 2231 if (revokeperms & VM_PROT_WRITE) { 2232 /* 2233 * In the more complicated case, flush out all 2234 * pending changes to the object then turn it 2235 * copy-on-write. 2236 */ 2237 vm_object_reference(object); 2238 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); 2239 vm_object_page_clean(object, 2240 OFF_TO_IDX(offset), 2241 OFF_TO_IDX(offset + vme->end - vme->start + 2242 PAGE_MASK), 2243 OBJPC_SYNC); 2244 VOP_UNLOCK(vp, 0, td); 2245 vm_object_deallocate(object); 2246 /* 2247 * Why bother if there's no read permissions 2248 * anymore? For the rest, we need to leave 2249 * the write permissions on for COW, or 2250 * remove them entirely if configured to. 2251 */ 2252 if (!mac_mmap_revocation_via_cow) { 2253 vme->max_protection &= ~VM_PROT_WRITE; 2254 vme->protection &= ~VM_PROT_WRITE; 2255 } if ((revokeperms & VM_PROT_READ) == 0) 2256 vme->eflags |= MAP_ENTRY_COW | 2257 MAP_ENTRY_NEEDS_COPY; 2258 } 2259 if (revokeperms & VM_PROT_EXECUTE) { 2260 vme->max_protection &= ~VM_PROT_EXECUTE; 2261 vme->protection &= ~VM_PROT_EXECUTE; 2262 } 2263 if (revokeperms & VM_PROT_READ) { 2264 vme->max_protection = 0; 2265 vme->protection = 0; 2266 } 2267 pmap_protect(map->pmap, vme->start, vme->end, 2268 vme->protection & ~revokeperms); 2269 vm_map_simplify_entry(map, vme); 2270 } 2271 vm_map_lock_downgrade(map); 2272 } 2273 vm_map_unlock_read(map); 2274} 2275 2276/* 2277 * When the subject's label changes, it may require revocation of privilege 2278 * to mapped objects. This can't be done on-the-fly later with a unified 2279 * buffer cache. 2280 */ 2281static void 2282mac_relabel_cred(struct ucred *cred, struct label *newlabel) 2283{ 2284 2285 MAC_PERFORM(relabel_cred, cred, newlabel); 2286} 2287 2288void 2289mac_relabel_vnode(struct ucred *cred, struct vnode *vp, struct label *newlabel) 2290{ 2291 2292 MAC_PERFORM(relabel_vnode, cred, vp, &vp->v_label, newlabel); 2293} 2294 2295void 2296mac_create_ifnet(struct ifnet *ifnet) 2297{ 2298 2299 MAC_PERFORM(create_ifnet, ifnet, &ifnet->if_label); 2300} 2301 2302void 2303mac_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d) 2304{ 2305 2306 MAC_PERFORM(create_bpfdesc, cred, bpf_d, &bpf_d->bd_label); 2307} 2308 2309void 2310mac_create_socket(struct ucred *cred, struct socket *socket) 2311{ 2312 2313 MAC_PERFORM(create_socket, cred, socket, &socket->so_label); 2314} 2315 2316void 2317mac_create_pipe(struct ucred *cred, struct pipe *pipe) 2318{ 2319 2320 MAC_PERFORM(create_pipe, cred, pipe, pipe->pipe_label); 2321} 2322 2323void 2324mac_create_socket_from_socket(struct socket *oldsocket, 2325 struct socket *newsocket) 2326{ 2327 2328 MAC_PERFORM(create_socket_from_socket, oldsocket, &oldsocket->so_label, 2329 newsocket, &newsocket->so_label); 2330} 2331 2332static void 2333mac_relabel_socket(struct ucred *cred, struct socket *socket, 2334 struct label *newlabel) 2335{ 2336 2337 MAC_PERFORM(relabel_socket, cred, socket, &socket->so_label, newlabel); 2338} 2339 2340static void 2341mac_relabel_pipe(struct ucred *cred, struct pipe *pipe, struct label *newlabel) 2342{ 2343 2344 MAC_PERFORM(relabel_pipe, cred, pipe, pipe->pipe_label, newlabel); 2345} 2346 2347void 2348mac_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct socket *socket) 2349{ 2350 2351 MAC_PERFORM(set_socket_peer_from_mbuf, mbuf, &mbuf->m_pkthdr.label, 2352 socket, &socket->so_peerlabel); 2353} 2354 2355void 2356mac_set_socket_peer_from_socket(struct socket *oldsocket, 2357 struct socket *newsocket) 2358{ 2359 2360 MAC_PERFORM(set_socket_peer_from_socket, oldsocket, 2361 &oldsocket->so_label, newsocket, &newsocket->so_peerlabel); 2362} 2363 2364void 2365mac_create_datagram_from_ipq(struct ipq *ipq, struct mbuf *datagram) 2366{ 2367 2368 MAC_PERFORM(create_datagram_from_ipq, ipq, &ipq->ipq_label, 2369 datagram, &datagram->m_pkthdr.label); 2370} 2371 2372void 2373mac_create_fragment(struct mbuf *datagram, struct mbuf *fragment) 2374{ 2375 2376 MAC_PERFORM(create_fragment, datagram, &datagram->m_pkthdr.label, 2377 fragment, &fragment->m_pkthdr.label); 2378} 2379 2380void 2381mac_create_ipq(struct mbuf *fragment, struct ipq *ipq) 2382{ 2383 2384 MAC_PERFORM(create_ipq, fragment, &fragment->m_pkthdr.label, ipq, 2385 &ipq->ipq_label); 2386} 2387 2388void 2389mac_create_mbuf_from_mbuf(struct mbuf *oldmbuf, struct mbuf *newmbuf) 2390{ 2391 2392 MAC_PERFORM(create_mbuf_from_mbuf, oldmbuf, &oldmbuf->m_pkthdr.label, 2393 newmbuf, &newmbuf->m_pkthdr.label); 2394} 2395 2396void 2397mac_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct mbuf *mbuf) 2398{ 2399 2400 MAC_PERFORM(create_mbuf_from_bpfdesc, bpf_d, &bpf_d->bd_label, mbuf, 2401 &mbuf->m_pkthdr.label); 2402} 2403 2404void 2405mac_create_mbuf_linklayer(struct ifnet *ifnet, struct mbuf *mbuf) 2406{ 2407 2408 MAC_PERFORM(create_mbuf_linklayer, ifnet, &ifnet->if_label, mbuf, 2409 &mbuf->m_pkthdr.label); 2410} 2411 2412void 2413mac_create_mbuf_from_ifnet(struct ifnet *ifnet, struct mbuf *mbuf) 2414{ 2415 2416 MAC_PERFORM(create_mbuf_from_ifnet, ifnet, &ifnet->if_label, mbuf, 2417 &mbuf->m_pkthdr.label); 2418} 2419 2420void 2421mac_create_mbuf_multicast_encap(struct mbuf *oldmbuf, struct ifnet *ifnet, 2422 struct mbuf *newmbuf) 2423{ 2424 2425 MAC_PERFORM(create_mbuf_multicast_encap, oldmbuf, 2426 &oldmbuf->m_pkthdr.label, ifnet, &ifnet->if_label, newmbuf, 2427 &newmbuf->m_pkthdr.label); 2428} 2429 2430void 2431mac_create_mbuf_netlayer(struct mbuf *oldmbuf, struct mbuf *newmbuf) 2432{ 2433 2434 MAC_PERFORM(create_mbuf_netlayer, oldmbuf, &oldmbuf->m_pkthdr.label, 2435 newmbuf, &newmbuf->m_pkthdr.label); 2436} 2437 2438int 2439mac_fragment_match(struct mbuf *fragment, struct ipq *ipq) 2440{ 2441 int result; 2442 2443 result = 1; 2444 MAC_BOOLEAN(fragment_match, &&, fragment, &fragment->m_pkthdr.label, 2445 ipq, &ipq->ipq_label); 2446 2447 return (result); 2448} 2449 2450void 2451mac_update_ipq(struct mbuf *fragment, struct ipq *ipq) 2452{ 2453 2454 MAC_PERFORM(update_ipq, fragment, &fragment->m_pkthdr.label, ipq, 2455 &ipq->ipq_label); 2456} 2457 2458void 2459mac_create_mbuf_from_socket(struct socket *socket, struct mbuf *mbuf) 2460{ 2461 2462 MAC_PERFORM(create_mbuf_from_socket, socket, &socket->so_label, mbuf, 2463 &mbuf->m_pkthdr.label); 2464} 2465 2466void 2467mac_create_mount(struct ucred *cred, struct mount *mp) 2468{ 2469 2470 MAC_PERFORM(create_mount, cred, mp, &mp->mnt_mntlabel, 2471 &mp->mnt_fslabel); 2472} 2473 2474void 2475mac_create_root_mount(struct ucred *cred, struct mount *mp) 2476{ 2477 2478 MAC_PERFORM(create_root_mount, cred, mp, &mp->mnt_mntlabel, 2479 &mp->mnt_fslabel); 2480} 2481 2482int 2483mac_check_bpfdesc_receive(struct bpf_d *bpf_d, struct ifnet *ifnet) 2484{ 2485 int error; 2486 2487 if (!mac_enforce_network) 2488 return (0); 2489 2490 MAC_CHECK(check_bpfdesc_receive, bpf_d, &bpf_d->bd_label, ifnet, 2491 &ifnet->if_label); 2492 2493 return (error); 2494} 2495 2496static int 2497mac_check_cred_relabel(struct ucred *cred, struct label *newlabel) 2498{ 2499 int error; 2500 2501 MAC_CHECK(check_cred_relabel, cred, newlabel); 2502 2503 return (error); 2504} 2505 2506int 2507mac_check_cred_visible(struct ucred *u1, struct ucred *u2) 2508{ 2509 int error; 2510 2511 if (!mac_enforce_process) 2512 return (0); 2513 2514 MAC_CHECK(check_cred_visible, u1, u2); 2515 2516 return (error); 2517} 2518 2519int 2520mac_check_ifnet_transmit(struct ifnet *ifnet, struct mbuf *mbuf) 2521{ 2522 int error; 2523 2524 if (!mac_enforce_network) 2525 return (0); 2526 2527 KASSERT(mbuf->m_flags & M_PKTHDR, ("packet has no pkthdr")); 2528 if (!(mbuf->m_pkthdr.label.l_flags & MAC_FLAG_INITIALIZED)) 2529 printf("%s%d: not initialized\n", ifnet->if_name, 2530 ifnet->if_unit); 2531 2532 MAC_CHECK(check_ifnet_transmit, ifnet, &ifnet->if_label, mbuf, 2533 &mbuf->m_pkthdr.label); 2534 2535 return (error); 2536} 2537 2538int 2539mac_check_mount_stat(struct ucred *cred, struct mount *mount) 2540{ 2541 int error; 2542 2543 if (!mac_enforce_fs) 2544 return (0); 2545 2546 MAC_CHECK(check_mount_stat, cred, mount, &mount->mnt_mntlabel); 2547 2548 return (error); 2549} 2550 2551int 2552mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, unsigned long cmd, 2553 void *data) 2554{ 2555 int error; 2556 2557 MAC_CHECK(check_pipe_ioctl, cred, pipe, pipe->pipe_label, cmd, data); 2558 2559 return (error); 2560} 2561 2562int 2563mac_check_pipe_poll(struct ucred *cred, struct pipe *pipe) 2564{ 2565 int error; 2566 2567 MAC_CHECK(check_pipe_poll, cred, pipe, pipe->pipe_label); 2568 2569 return (error); 2570} 2571 2572int 2573mac_check_pipe_read(struct ucred *cred, struct pipe *pipe) 2574{ 2575 int error; 2576 2577 MAC_CHECK(check_pipe_read, cred, pipe, pipe->pipe_label); 2578 2579 return (error); 2580} 2581 2582static int 2583mac_check_pipe_relabel(struct ucred *cred, struct pipe *pipe, 2584 struct label *newlabel) 2585{ 2586 int error; 2587 2588 MAC_CHECK(check_pipe_relabel, cred, pipe, pipe->pipe_label, newlabel); 2589 2590 return (error); 2591} 2592 2593int 2594mac_check_pipe_stat(struct ucred *cred, struct pipe *pipe) 2595{ 2596 int error; 2597 2598 MAC_CHECK(check_pipe_stat, cred, pipe, pipe->pipe_label); 2599 2600 return (error); 2601} 2602 2603int 2604mac_check_pipe_write(struct ucred *cred, struct pipe *pipe) 2605{ 2606 int error; 2607 2608 MAC_CHECK(check_pipe_write, cred, pipe, pipe->pipe_label); 2609 2610 return (error); 2611} 2612 2613int 2614mac_check_proc_debug(struct ucred *cred, struct proc *proc) 2615{ 2616 int error; 2617 2618 PROC_LOCK_ASSERT(proc, MA_OWNED); 2619 2620 if (!mac_enforce_process) 2621 return (0); 2622 2623 MAC_CHECK(check_proc_debug, cred, proc); 2624 2625 return (error); 2626} 2627 2628int 2629mac_check_proc_sched(struct ucred *cred, struct proc *proc) 2630{ 2631 int error; 2632 2633 PROC_LOCK_ASSERT(proc, MA_OWNED); 2634 2635 if (!mac_enforce_process) 2636 return (0); 2637 2638 MAC_CHECK(check_proc_sched, cred, proc); 2639 2640 return (error); 2641} 2642 2643int 2644mac_check_proc_signal(struct ucred *cred, struct proc *proc, int signum) 2645{ 2646 int error; 2647 2648 PROC_LOCK_ASSERT(proc, MA_OWNED); 2649 2650 if (!mac_enforce_process) 2651 return (0); 2652 2653 MAC_CHECK(check_proc_signal, cred, proc, signum); 2654 2655 return (error); 2656} 2657 2658int 2659mac_check_socket_bind(struct ucred *ucred, struct socket *socket, 2660 struct sockaddr *sockaddr) 2661{ 2662 int error; 2663 2664 if (!mac_enforce_socket) 2665 return (0); 2666 2667 MAC_CHECK(check_socket_bind, ucred, socket, &socket->so_label, 2668 sockaddr); 2669 2670 return (error); 2671} 2672 2673int 2674mac_check_socket_connect(struct ucred *cred, struct socket *socket, 2675 struct sockaddr *sockaddr) 2676{ 2677 int error; 2678 2679 if (!mac_enforce_socket) 2680 return (0); 2681 2682 MAC_CHECK(check_socket_connect, cred, socket, &socket->so_label, 2683 sockaddr); 2684 2685 return (error); 2686} 2687 2688int 2689mac_check_socket_deliver(struct socket *socket, struct mbuf *mbuf) 2690{ 2691 int error; 2692 2693 if (!mac_enforce_socket) 2694 return (0); 2695 2696 MAC_CHECK(check_socket_deliver, socket, &socket->so_label, mbuf, 2697 &mbuf->m_pkthdr.label); 2698 2699 return (error); 2700} 2701 2702int 2703mac_check_socket_listen(struct ucred *cred, struct socket *socket) 2704{ 2705 int error; 2706 2707 if (!mac_enforce_socket) 2708 return (0); 2709 2710 MAC_CHECK(check_socket_listen, cred, socket, &socket->so_label); 2711 return (error); 2712} 2713 2714static int 2715mac_check_socket_relabel(struct ucred *cred, struct socket *socket, 2716 struct label *newlabel) 2717{ 2718 int error; 2719 2720 MAC_CHECK(check_socket_relabel, cred, socket, &socket->so_label, 2721 newlabel); 2722 2723 return (error); 2724} 2725 2726int 2727mac_check_socket_visible(struct ucred *cred, struct socket *socket) 2728{ 2729 int error; 2730 2731 if (!mac_enforce_socket) 2732 return (0); 2733 2734 MAC_CHECK(check_socket_visible, cred, socket, &socket->so_label); 2735 2736 return (error); 2737} 2738 2739int 2740mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr, 2741 struct ifnet *ifnet) 2742{ 2743 struct mac label; 2744 int error; 2745 2746 error = mac_externalize(&ifnet->if_label, &label); 2747 if (error) 2748 return (error); 2749 2750 return (copyout(&label, ifr->ifr_ifru.ifru_data, sizeof(label))); 2751} 2752 2753int 2754mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr, 2755 struct ifnet *ifnet) 2756{ 2757 struct mac newlabel; 2758 struct label intlabel; 2759 int error; 2760 2761 error = copyin(ifr->ifr_ifru.ifru_data, &newlabel, sizeof(newlabel)); 2762 if (error) 2763 return (error); 2764 2765 error = mac_internalize(&intlabel, &newlabel); 2766 if (error) 2767 return (error); 2768 2769 /* 2770 * XXX: Note that this is a redundant privilege check, since 2771 * policies impose this check themselves if required by the 2772 * policy. Eventually, this should go away. 2773 */ 2774 error = suser_cred(cred, 0); 2775 if (error) 2776 goto out; 2777 2778 MAC_CHECK(check_ifnet_relabel, cred, ifnet, &ifnet->if_label, 2779 &intlabel); 2780 if (error) 2781 goto out; 2782 2783 MAC_PERFORM(relabel_ifnet, cred, ifnet, &ifnet->if_label, &intlabel); 2784 2785out: 2786 mac_destroy_temp(&intlabel); 2787 return (error); 2788} 2789 2790void 2791mac_create_devfs_vnode(struct devfs_dirent *de, struct vnode *vp) 2792{ 2793 2794 MAC_PERFORM(create_devfs_vnode, de, &de->de_label, vp, &vp->v_label); 2795} 2796 2797void 2798mac_create_devfs_device(dev_t dev, struct devfs_dirent *de) 2799{ 2800 2801 MAC_PERFORM(create_devfs_device, dev, de, &de->de_label); 2802} 2803 2804static int 2805mac_stdcreatevnode_ea(struct vnode *vp) 2806{ 2807 int error; 2808 2809 MAC_CHECK(stdcreatevnode_ea, vp, &vp->v_label); 2810 2811 return (error); 2812} 2813 2814void 2815mac_create_devfs_directory(char *dirname, int dirnamelen, 2816 struct devfs_dirent *de) 2817{ 2818 2819 MAC_PERFORM(create_devfs_directory, dirname, dirnamelen, de, 2820 &de->de_label); 2821} 2822 2823/* 2824 * When a new vnode is created, this call will initialize its label. 2825 */ 2826void 2827mac_create_vnode(struct ucred *cred, struct vnode *parent, 2828 struct vnode *child) 2829{ 2830 int error; 2831 2832 ASSERT_VOP_LOCKED(parent, "mac_create_vnode"); 2833 ASSERT_VOP_LOCKED(child, "mac_create_vnode"); 2834 2835 error = vn_refreshlabel(parent, cred); 2836 if (error) { 2837 printf("mac_create_vnode: vn_refreshlabel returned %d\n", 2838 error); 2839 printf("mac_create_vnode: using old vnode label\n"); 2840 } 2841 2842 MAC_PERFORM(create_vnode, cred, parent, &parent->v_label, child, 2843 &child->v_label); 2844} 2845 2846int 2847mac_setsockopt_label_set(struct ucred *cred, struct socket *so, 2848 struct mac *extmac) 2849{ 2850 struct label intlabel; 2851 int error; 2852 2853 error = mac_internalize(&intlabel, extmac); 2854 if (error) 2855 return (error); 2856 2857 mac_check_socket_relabel(cred, so, &intlabel); 2858 if (error) { 2859 mac_destroy_temp(&intlabel); 2860 return (error); 2861 } 2862 2863 mac_relabel_socket(cred, so, &intlabel); 2864 2865 mac_destroy_temp(&intlabel); 2866 return (0); 2867} 2868 2869int 2870mac_pipe_label_set(struct ucred *cred, struct pipe *pipe, struct label *label) 2871{ 2872 int error; 2873 2874 error = mac_check_pipe_relabel(cred, pipe, label); 2875 if (error) 2876 return (error); 2877 2878 mac_relabel_pipe(cred, pipe, label); 2879 2880 return (0); 2881} 2882 2883int 2884mac_getsockopt_label_get(struct ucred *cred, struct socket *so, 2885 struct mac *extmac) 2886{ 2887 2888 return (mac_externalize(&so->so_label, extmac)); 2889} 2890 2891int 2892mac_getsockopt_peerlabel_get(struct ucred *cred, struct socket *so, 2893 struct mac *extmac) 2894{ 2895 2896 return (mac_externalize(&so->so_peerlabel, extmac)); 2897} 2898 2899/* 2900 * Implementation of VOP_SETLABEL() that relies on extended attributes 2901 * to store label data. Can be referenced by filesystems supporting 2902 * extended attributes. 2903 */ 2904int 2905vop_stdsetlabel_ea(struct vop_setlabel_args *ap) 2906{ 2907 struct vnode *vp = ap->a_vp; 2908 struct label *intlabel = ap->a_label; 2909 struct mac extmac; 2910 int error; 2911 2912 ASSERT_VOP_LOCKED(vp, "vop_stdsetlabel_ea"); 2913 2914 /* 2915 * XXX: Eventually call out to EA check/set calls here. 2916 * Be particularly careful to avoid race conditions, 2917 * consistency problems, and stability problems when 2918 * dealing with multiple EAs. In particular, we require 2919 * the ability to write multiple EAs on the same file in 2920 * a single transaction, which the current EA interface 2921 * does not provide. 2922 */ 2923 2924 error = mac_externalize(intlabel, &extmac); 2925 if (error) 2926 return (error); 2927 2928 error = vn_extattr_set(vp, IO_NODELOCKED, 2929 FREEBSD_MAC_EXTATTR_NAMESPACE, FREEBSD_MAC_EXTATTR_NAME, 2930 sizeof(extmac), (char *)&extmac, curthread); 2931 if (error) 2932 return (error); 2933 2934 mac_relabel_vnode(ap->a_cred, vp, intlabel); 2935 2936 vp->v_vflag |= VV_CACHEDLABEL; 2937 2938 return (0); 2939} 2940 2941static int 2942vn_setlabel(struct vnode *vp, struct label *intlabel, struct ucred *cred) 2943{ 2944 int error; 2945 2946 if (vp->v_mount == NULL) { 2947 /* printf("vn_setlabel: null v_mount\n"); */ 2948 if (vp->v_tag != VT_NON) 2949 printf("vn_setlabel: null v_mount with non-VT_NON\n"); 2950 return (EBADF); 2951 } 2952 2953 if ((vp->v_mount->mnt_flag & MNT_MULTILABEL) == 0) 2954 return (EOPNOTSUPP); 2955 2956 /* 2957 * Multi-phase commit. First check the policies to confirm the 2958 * change is OK. Then commit via the filesystem. Finally, 2959 * update the actual vnode label. Question: maybe the filesystem 2960 * should update the vnode at the end as part of VOP_SETLABEL()? 2961 */ 2962 error = mac_check_vnode_relabel(cred, vp, intlabel); 2963 if (error) 2964 return (error); 2965 2966 /* 2967 * VADMIN provides the opportunity for the filesystem to make 2968 * decisions about who is and is not able to modify labels 2969 * and protections on files. This might not be right. We can't 2970 * assume VOP_SETLABEL() will do it, because we might implement 2971 * that as part of vop_stdsetlabel_ea(). 2972 */ 2973 error = VOP_ACCESS(vp, VADMIN, cred, curthread); 2974 if (error) 2975 return (error); 2976 2977 error = VOP_SETLABEL(vp, intlabel, cred, curthread); 2978 if (error) 2979 return (error); 2980 2981 return (0); 2982} 2983 2984/* 2985 * MPSAFE 2986 */ 2987int 2988__mac_get_proc(struct thread *td, struct __mac_get_proc_args *uap) 2989{ 2990 struct mac extmac; 2991 int error; 2992 2993 error = mac_externalize(&td->td_ucred->cr_label, &extmac); 2994 if (error == 0) 2995 error = copyout(&extmac, SCARG(uap, mac_p), sizeof(extmac)); 2996 2997 return (error); 2998} 2999 3000/* 3001 * MPSAFE 3002 */ 3003int 3004__mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap) 3005{ 3006 struct ucred *newcred, *oldcred; 3007 struct proc *p; 3008 struct mac extmac; 3009 struct label intlabel; 3010 int error; 3011 3012 error = copyin(SCARG(uap, mac_p), &extmac, sizeof(extmac)); 3013 if (error) 3014 return (error); 3015 3016 error = mac_internalize(&intlabel, &extmac); 3017 if (error) 3018 return (error); 3019 3020 newcred = crget(); 3021 3022 p = td->td_proc; 3023 PROC_LOCK(p); 3024 oldcred = p->p_ucred; 3025 3026 error = mac_check_cred_relabel(oldcred, &intlabel); 3027 if (error) { 3028 PROC_UNLOCK(p); 3029 mac_destroy_temp(&intlabel); 3030 crfree(newcred); 3031 return (error); 3032 } 3033 3034 setsugid(p); 3035 crcopy(newcred, oldcred); 3036 mac_relabel_cred(newcred, &intlabel); 3037 p->p_ucred = newcred; 3038 3039 /* 3040 * Grab additional reference for use while revoking mmaps, prior 3041 * to releasing the proc lock and sharing the cred. 3042 */ 3043 crhold(newcred); 3044 PROC_UNLOCK(p); 3045 3046 mac_cred_mmapped_drop_perms(td, newcred); 3047 3048 crfree(newcred); /* Free revocation reference. */ 3049 crfree(oldcred); 3050 mac_destroy_temp(&intlabel); 3051 return (0); 3052} 3053 3054/* 3055 * MPSAFE 3056 */ 3057int 3058__mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap) 3059{ 3060 struct file *fp; 3061 struct mac extmac; 3062 struct vnode *vp; 3063 struct pipe *pipe; 3064 int error; 3065 3066 mtx_lock(&Giant); 3067 3068 error = fget(td, SCARG(uap, fd), &fp); 3069 if (error) 3070 goto out; 3071 3072 switch (fp->f_type) { 3073 case DTYPE_FIFO: 3074 case DTYPE_VNODE: 3075 vp = (struct vnode *)fp->f_data; 3076 3077 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); 3078 error = vn_refreshlabel(vp, td->td_ucred); 3079 if (error == 0) 3080 error = mac_externalize(&vp->v_label, &extmac); 3081 VOP_UNLOCK(vp, 0, td); 3082 break; 3083 case DTYPE_PIPE: 3084 pipe = (struct pipe *)fp->f_data; 3085 error = mac_externalize(pipe->pipe_label, &extmac); 3086 break; 3087 default: 3088 error = EINVAL; 3089 } 3090 3091 if (error == 0) 3092 error = copyout(&extmac, SCARG(uap, mac_p), sizeof(extmac)); 3093 3094 fdrop(fp, td); 3095 3096out: 3097 mtx_unlock(&Giant); 3098 return (error); 3099} 3100 3101/* 3102 * MPSAFE 3103 */ 3104int 3105__mac_get_file(struct thread *td, struct __mac_get_file_args *uap) 3106{ 3107 struct nameidata nd; 3108 struct mac extmac; 3109 int error; 3110 3111 mtx_lock(&Giant); 3112 NDINIT(&nd, LOOKUP, LOCKLEAF | FOLLOW, UIO_USERSPACE, 3113 SCARG(uap, path_p), td); 3114 error = namei(&nd); 3115 if (error) 3116 goto out; 3117 3118 error = vn_refreshlabel(nd.ni_vp, td->td_ucred); 3119 if (error == 0) 3120 error = mac_externalize(&nd.ni_vp->v_label, &extmac); 3121 NDFREE(&nd, 0); 3122 if (error) 3123 goto out; 3124 3125 error = copyout(&extmac, SCARG(uap, mac_p), sizeof(extmac)); 3126 3127out: 3128 mtx_unlock(&Giant); 3129 return (error); 3130} 3131 3132/* 3133 * MPSAFE 3134 */ 3135int 3136__mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap) 3137{ 3138 struct file *fp; 3139 struct mac extmac; 3140 struct label intlabel; 3141 struct mount *mp; 3142 struct vnode *vp; 3143 struct pipe *pipe; 3144 int error; 3145 3146 mtx_lock(&Giant); 3147 error = fget(td, SCARG(uap, fd), &fp); 3148 if (error) 3149 goto out1; 3150 3151 error = copyin(SCARG(uap, mac_p), &extmac, sizeof(extmac)); 3152 if (error) 3153 goto out2; 3154 3155 error = mac_internalize(&intlabel, &extmac); 3156 if (error) 3157 goto out2; 3158 3159 switch (fp->f_type) { 3160 case DTYPE_FIFO: 3161 case DTYPE_VNODE: 3162 vp = (struct vnode *)fp->f_data; 3163 error = vn_start_write(vp, &mp, V_WAIT | PCATCH); 3164 if (error != 0) 3165 break; 3166 3167 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); 3168 error = vn_setlabel(vp, &intlabel, td->td_ucred); 3169 VOP_UNLOCK(vp, 0, td); 3170 vn_finished_write(mp); 3171 mac_destroy_temp(&intlabel); 3172 break; 3173 case DTYPE_PIPE: 3174 pipe = (struct pipe *)fp->f_data; 3175 error = mac_pipe_label_set(td->td_ucred, pipe, &intlabel); 3176 break; 3177 default: 3178 error = EINVAL; 3179 } 3180 3181out2: 3182 fdrop(fp, td); 3183out1: 3184 mtx_unlock(&Giant); 3185 return (error); 3186} 3187 3188/* 3189 * MPSAFE 3190 */ 3191int 3192__mac_set_file(struct thread *td, struct __mac_set_file_args *uap) 3193{ 3194 struct nameidata nd; 3195 struct mac extmac; 3196 struct label intlabel; 3197 struct mount *mp; 3198 int error; 3199 3200 mtx_lock(&Giant); 3201 3202 error = copyin(SCARG(uap, mac_p), &extmac, sizeof(extmac)); 3203 if (error) 3204 goto out; 3205 3206 error = mac_internalize(&intlabel, &extmac); 3207 if (error) 3208 goto out; 3209 3210 NDINIT(&nd, LOOKUP, LOCKLEAF | FOLLOW, UIO_USERSPACE, 3211 SCARG(uap, path_p), td); 3212 error = namei(&nd); 3213 if (error) 3214 goto out2; 3215 error = vn_start_write(nd.ni_vp, &mp, V_WAIT | PCATCH); 3216 if (error) 3217 goto out2; 3218 3219 error = vn_setlabel(nd.ni_vp, &intlabel, td->td_ucred); 3220 3221 vn_finished_write(mp); 3222out2: 3223 mac_destroy_temp(&intlabel); 3224 NDFREE(&nd, 0); 3225out: 3226 mtx_unlock(&Giant); 3227 return (error); 3228} 3229 3230int 3231mac_syscall(struct thread *td, struct mac_syscall_args *uap) 3232{ 3233 struct mac_policy_conf *mpc; 3234 char target[MAC_MAX_POLICY_NAME]; 3235 int error; 3236 3237 error = copyinstr(SCARG(uap, policy), target, sizeof(target), NULL); 3238 if (error) 3239 return (error); 3240 3241 error = ENOSYS; 3242 MAC_POLICY_LIST_BUSY(); 3243 LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { 3244 if (strcmp(mpc->mpc_name, target) == 0 && 3245 mpc->mpc_ops->mpo_syscall != NULL) { 3246 error = mpc->mpc_ops->mpo_syscall(td, 3247 SCARG(uap, call), SCARG(uap, arg)); 3248 goto out; 3249 } 3250 } 3251 3252out: 3253 MAC_POLICY_LIST_UNBUSY(); 3254 return (error); 3255} 3256 3257SYSINIT(mac, SI_SUB_MAC, SI_ORDER_FIRST, mac_init, NULL); 3258SYSINIT(mac_late, SI_SUB_MAC_LATE, SI_ORDER_FIRST, mac_late_init, NULL); 3259 3260#else /* !MAC */ 3261 3262int 3263__mac_get_proc(struct thread *td, struct __mac_get_proc_args *uap) 3264{ 3265 3266 return (ENOSYS); 3267} 3268 3269int 3270__mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap) 3271{ 3272 3273 return (ENOSYS); 3274} 3275 3276int 3277__mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap) 3278{ 3279 3280 return (ENOSYS); 3281} 3282 3283int 3284__mac_get_file(struct thread *td, struct __mac_get_file_args *uap) 3285{ 3286 3287 return (ENOSYS); 3288} 3289 3290int 3291__mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap) 3292{ 3293 3294 return (ENOSYS); 3295} 3296 3297int 3298__mac_set_file(struct thread *td, struct __mac_set_file_args *uap) 3299{ 3300 3301 return (ENOSYS); 3302} 3303 3304int 3305mac_syscall(struct thread *td, struct mac_syscall_args *uap) 3306{ 3307 3308 return (ENOSYS); 3309} 3310 3311#endif /* !MAC */ 3312