mac_pipe.c revision 182063 
11573Srgrimes/*-
21573Srgrimes * Copyright (c) 2002-2003 Networks Associates Technology, Inc.
31573Srgrimes * Copyright (c) 2006 SPARTA, Inc.
41573Srgrimes * All rights reserved.
51573Srgrimes *
61573Srgrimes * This software was developed for the FreeBSD Project in part by Network
71573Srgrimes * Associates Laboratories, the Security Research Division of Network
81573Srgrimes * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
91573Srgrimes * as part of the DARPA CHATS research program.
101573Srgrimes *
111573Srgrimes * This software was enhanced by SPARTA ISSO under SPAWAR contract
121573Srgrimes * N66001-04-C-6019 ("SEFOS").
131573Srgrimes *
141573Srgrimes * Redistribution and use in source and binary forms, with or without
151573Srgrimes * modification, are permitted provided that the following conditions
161573Srgrimes * are met:
171573Srgrimes * 1. Redistributions of source code must retain the above copyright
181573Srgrimes *    notice, this list of conditions and the following disclaimer.
191573Srgrimes * 2. Redistributions in binary form must reproduce the above copyright
201573Srgrimes *    notice, this list of conditions and the following disclaimer in the
211573Srgrimes *    documentation and/or other materials provided with the distribution.
221573Srgrimes *
231573Srgrimes * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
241573Srgrimes * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
251573Srgrimes * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
261573Srgrimes * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
271573Srgrimes * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
281573Srgrimes * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
291573Srgrimes * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
301573Srgrimes * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
311573Srgrimes * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
321573Srgrimes * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
331573Srgrimes * SUCH DAMAGE.
341573Srgrimes */
351573Srgrimes
361573Srgrimes#include <sys/cdefs.h>
371573Srgrimes__FBSDID("$FreeBSD: head/sys/security/mac/mac_pipe.c 182063 2008-08-23 15:26:36Z rwatson $");
381573Srgrimes
391573Srgrimes#include "opt_mac.h"
401573Srgrimes
411573Srgrimes#include <sys/param.h>
421573Srgrimes#include <sys/kernel.h>
431573Srgrimes#include <sys/lock.h>
441573Srgrimes#include <sys/malloc.h>
451573Srgrimes#include <sys/module.h>
461573Srgrimes#include <sys/mutex.h>
471573Srgrimes#include <sys/sbuf.h>
481573Srgrimes#include <sys/systm.h>
491573Srgrimes#include <sys/vnode.h>
501573Srgrimes#include <sys/pipe.h>
511573Srgrimes#include <sys/sysctl.h>
521573Srgrimes
531573Srgrimes#include <security/mac/mac_framework.h>
541573Srgrimes#include <security/mac/mac_internal.h>
551573Srgrimes#include <security/mac/mac_policy.h>
561573Srgrimes
571573Srgrimesstruct label *
581573Srgrimesmac_pipe_label_alloc(void)
591573Srgrimes{
601573Srgrimes	struct label *label;
611573Srgrimes
621573Srgrimes	label = mac_labelzone_alloc(M_WAITOK);
631573Srgrimes	MAC_PERFORM(pipe_init_label, label);
641573Srgrimes	return (label);
651573Srgrimes}
661573Srgrimes
671573Srgrimesvoid
681573Srgrimesmac_pipe_init(struct pipepair *pp)
691573Srgrimes{
701573Srgrimes
711573Srgrimes	if (mac_labeled & MPC_OBJECT_PIPE)
721573Srgrimes		pp->pp_label = mac_pipe_label_alloc();
731573Srgrimes	else
741573Srgrimes		pp->pp_label = NULL;
751573Srgrimes}
761573Srgrimes
771573Srgrimesvoid
781573Srgrimesmac_pipe_label_free(struct label *label)
791573Srgrimes{
801573Srgrimes
811573Srgrimes	MAC_PERFORM(pipe_destroy_label, label);
82	mac_labelzone_free(label);
83}
84
85void
86mac_pipe_destroy(struct pipepair *pp)
87{
88
89	if (pp->pp_label != NULL) {
90		mac_pipe_label_free(pp->pp_label);
91		pp->pp_label = NULL;
92	}
93}
94
95void
96mac_pipe_copy_label(struct label *src, struct label *dest)
97{
98
99	MAC_PERFORM(pipe_copy_label, src, dest);
100}
101
102int
103mac_pipe_externalize_label(struct label *label, char *elements,
104    char *outbuf, size_t outbuflen)
105{
106	int error;
107
108	MAC_EXTERNALIZE(pipe, label, elements, outbuf, outbuflen);
109
110	return (error);
111}
112
113int
114mac_pipe_internalize_label(struct label *label, char *string)
115{
116	int error;
117
118	MAC_INTERNALIZE(pipe, label, string);
119
120	return (error);
121}
122
123void
124mac_pipe_create(struct ucred *cred, struct pipepair *pp)
125{
126
127	MAC_PERFORM(pipe_create, cred, pp, pp->pp_label);
128}
129
130static void
131mac_pipe_relabel(struct ucred *cred, struct pipepair *pp,
132    struct label *newlabel)
133{
134
135	MAC_PERFORM(pipe_relabel, cred, pp, pp->pp_label, newlabel);
136}
137
138int
139mac_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp,
140    unsigned long cmd, void *data)
141{
142	int error;
143
144	mtx_assert(&pp->pp_mtx, MA_OWNED);
145
146	MAC_CHECK(pipe_check_ioctl, cred, pp, pp->pp_label, cmd, data);
147
148	return (error);
149}
150
151int
152mac_pipe_check_poll(struct ucred *cred, struct pipepair *pp)
153{
154	int error;
155
156	mtx_assert(&pp->pp_mtx, MA_OWNED);
157
158	MAC_CHECK(pipe_check_poll, cred, pp, pp->pp_label);
159
160	return (error);
161}
162
163int
164mac_pipe_check_read(struct ucred *cred, struct pipepair *pp)
165{
166	int error;
167
168	mtx_assert(&pp->pp_mtx, MA_OWNED);
169
170	MAC_CHECK(pipe_check_read, cred, pp, pp->pp_label);
171
172	return (error);
173}
174
175static int
176mac_pipe_check_relabel(struct ucred *cred, struct pipepair *pp,
177    struct label *newlabel)
178{
179	int error;
180
181	mtx_assert(&pp->pp_mtx, MA_OWNED);
182
183	MAC_CHECK(pipe_check_relabel, cred, pp, pp->pp_label, newlabel);
184
185	return (error);
186}
187
188int
189mac_pipe_check_stat(struct ucred *cred, struct pipepair *pp)
190{
191	int error;
192
193	mtx_assert(&pp->pp_mtx, MA_OWNED);
194
195	MAC_CHECK(pipe_check_stat, cred, pp, pp->pp_label);
196
197	return (error);
198}
199
200int
201mac_pipe_check_write(struct ucred *cred, struct pipepair *pp)
202{
203	int error;
204
205	mtx_assert(&pp->pp_mtx, MA_OWNED);
206
207	MAC_CHECK(pipe_check_write, cred, pp, pp->pp_label);
208
209	return (error);
210}
211
212int
213mac_pipe_label_set(struct ucred *cred, struct pipepair *pp,
214    struct label *label)
215{
216	int error;
217
218	mtx_assert(&pp->pp_mtx, MA_OWNED);
219
220	error = mac_pipe_check_relabel(cred, pp, label);
221	if (error)
222		return (error);
223
224	mac_pipe_relabel(cred, pp, label);
225
226	return (0);
227}
228