mac_pipe.c revision 182063
11573Srgrimes/*- 21573Srgrimes * Copyright (c) 2002-2003 Networks Associates Technology, Inc. 31573Srgrimes * Copyright (c) 2006 SPARTA, Inc. 41573Srgrimes * All rights reserved. 51573Srgrimes * 61573Srgrimes * This software was developed for the FreeBSD Project in part by Network 71573Srgrimes * Associates Laboratories, the Security Research Division of Network 81573Srgrimes * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), 91573Srgrimes * as part of the DARPA CHATS research program. 101573Srgrimes * 111573Srgrimes * This software was enhanced by SPARTA ISSO under SPAWAR contract 121573Srgrimes * N66001-04-C-6019 ("SEFOS"). 131573Srgrimes * 141573Srgrimes * Redistribution and use in source and binary forms, with or without 151573Srgrimes * modification, are permitted provided that the following conditions 161573Srgrimes * are met: 171573Srgrimes * 1. Redistributions of source code must retain the above copyright 181573Srgrimes * notice, this list of conditions and the following disclaimer. 191573Srgrimes * 2. Redistributions in binary form must reproduce the above copyright 201573Srgrimes * notice, this list of conditions and the following disclaimer in the 211573Srgrimes * documentation and/or other materials provided with the distribution. 221573Srgrimes * 231573Srgrimes * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 241573Srgrimes * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 251573Srgrimes * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 261573Srgrimes * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 271573Srgrimes * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 281573Srgrimes * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 291573Srgrimes * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 301573Srgrimes * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 311573Srgrimes * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 321573Srgrimes * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 331573Srgrimes * SUCH DAMAGE. 341573Srgrimes */ 351573Srgrimes 361573Srgrimes#include <sys/cdefs.h> 371573Srgrimes__FBSDID("$FreeBSD: head/sys/security/mac/mac_pipe.c 182063 2008-08-23 15:26:36Z rwatson $"); 381573Srgrimes 391573Srgrimes#include "opt_mac.h" 401573Srgrimes 411573Srgrimes#include <sys/param.h> 421573Srgrimes#include <sys/kernel.h> 431573Srgrimes#include <sys/lock.h> 441573Srgrimes#include <sys/malloc.h> 451573Srgrimes#include <sys/module.h> 461573Srgrimes#include <sys/mutex.h> 471573Srgrimes#include <sys/sbuf.h> 481573Srgrimes#include <sys/systm.h> 491573Srgrimes#include <sys/vnode.h> 501573Srgrimes#include <sys/pipe.h> 511573Srgrimes#include <sys/sysctl.h> 521573Srgrimes 531573Srgrimes#include <security/mac/mac_framework.h> 541573Srgrimes#include <security/mac/mac_internal.h> 551573Srgrimes#include <security/mac/mac_policy.h> 561573Srgrimes 571573Srgrimesstruct label * 581573Srgrimesmac_pipe_label_alloc(void) 591573Srgrimes{ 601573Srgrimes struct label *label; 611573Srgrimes 621573Srgrimes label = mac_labelzone_alloc(M_WAITOK); 631573Srgrimes MAC_PERFORM(pipe_init_label, label); 641573Srgrimes return (label); 651573Srgrimes} 661573Srgrimes 671573Srgrimesvoid 681573Srgrimesmac_pipe_init(struct pipepair *pp) 691573Srgrimes{ 701573Srgrimes 711573Srgrimes if (mac_labeled & MPC_OBJECT_PIPE) 721573Srgrimes pp->pp_label = mac_pipe_label_alloc(); 731573Srgrimes else 741573Srgrimes pp->pp_label = NULL; 751573Srgrimes} 761573Srgrimes 771573Srgrimesvoid 781573Srgrimesmac_pipe_label_free(struct label *label) 791573Srgrimes{ 801573Srgrimes 811573Srgrimes MAC_PERFORM(pipe_destroy_label, label); 82 mac_labelzone_free(label); 83} 84 85void 86mac_pipe_destroy(struct pipepair *pp) 87{ 88 89 if (pp->pp_label != NULL) { 90 mac_pipe_label_free(pp->pp_label); 91 pp->pp_label = NULL; 92 } 93} 94 95void 96mac_pipe_copy_label(struct label *src, struct label *dest) 97{ 98 99 MAC_PERFORM(pipe_copy_label, src, dest); 100} 101 102int 103mac_pipe_externalize_label(struct label *label, char *elements, 104 char *outbuf, size_t outbuflen) 105{ 106 int error; 107 108 MAC_EXTERNALIZE(pipe, label, elements, outbuf, outbuflen); 109 110 return (error); 111} 112 113int 114mac_pipe_internalize_label(struct label *label, char *string) 115{ 116 int error; 117 118 MAC_INTERNALIZE(pipe, label, string); 119 120 return (error); 121} 122 123void 124mac_pipe_create(struct ucred *cred, struct pipepair *pp) 125{ 126 127 MAC_PERFORM(pipe_create, cred, pp, pp->pp_label); 128} 129 130static void 131mac_pipe_relabel(struct ucred *cred, struct pipepair *pp, 132 struct label *newlabel) 133{ 134 135 MAC_PERFORM(pipe_relabel, cred, pp, pp->pp_label, newlabel); 136} 137 138int 139mac_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp, 140 unsigned long cmd, void *data) 141{ 142 int error; 143 144 mtx_assert(&pp->pp_mtx, MA_OWNED); 145 146 MAC_CHECK(pipe_check_ioctl, cred, pp, pp->pp_label, cmd, data); 147 148 return (error); 149} 150 151int 152mac_pipe_check_poll(struct ucred *cred, struct pipepair *pp) 153{ 154 int error; 155 156 mtx_assert(&pp->pp_mtx, MA_OWNED); 157 158 MAC_CHECK(pipe_check_poll, cred, pp, pp->pp_label); 159 160 return (error); 161} 162 163int 164mac_pipe_check_read(struct ucred *cred, struct pipepair *pp) 165{ 166 int error; 167 168 mtx_assert(&pp->pp_mtx, MA_OWNED); 169 170 MAC_CHECK(pipe_check_read, cred, pp, pp->pp_label); 171 172 return (error); 173} 174 175static int 176mac_pipe_check_relabel(struct ucred *cred, struct pipepair *pp, 177 struct label *newlabel) 178{ 179 int error; 180 181 mtx_assert(&pp->pp_mtx, MA_OWNED); 182 183 MAC_CHECK(pipe_check_relabel, cred, pp, pp->pp_label, newlabel); 184 185 return (error); 186} 187 188int 189mac_pipe_check_stat(struct ucred *cred, struct pipepair *pp) 190{ 191 int error; 192 193 mtx_assert(&pp->pp_mtx, MA_OWNED); 194 195 MAC_CHECK(pipe_check_stat, cred, pp, pp->pp_label); 196 197 return (error); 198} 199 200int 201mac_pipe_check_write(struct ucred *cred, struct pipepair *pp) 202{ 203 int error; 204 205 mtx_assert(&pp->pp_mtx, MA_OWNED); 206 207 MAC_CHECK(pipe_check_write, cred, pp, pp->pp_label); 208 209 return (error); 210} 211 212int 213mac_pipe_label_set(struct ucred *cred, struct pipepair *pp, 214 struct label *label) 215{ 216 int error; 217 218 mtx_assert(&pp->pp_mtx, MA_OWNED); 219 220 error = mac_pipe_check_relabel(cred, pp, label); 221 if (error) 222 return (error); 223 224 mac_pipe_relabel(cred, pp, label); 225 226 return (0); 227} 228