ugidfw_system.c revision 134131
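/*-
 * Copyright (c) 1999-2002 Robert N. M. Watson
 * Copyright (c) 2001-2003 Networks Associates Technology, Inc.
 * All rights reserved.
 *
 * This software was developed by Robert Watson for the TrustedBSD Project.
 *
 * This software was developed for the FreeBSD Project in part by Network
 * Associates Laboratories, the Security Research Division of Network
 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
 * as part of the DARPA CHATS research program.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * $FreeBSD: head/sys/security/mac_bsdextended/mac_bsdextended.c 134131 2004-08-21 20:15:08Z trhodes $
 */
/*
 * Developed by the TrustedBSD Project.
 * "BSD Extended" MAC policy, allowing the administrator to impose
 * mandatory rules regarding users and some system objects.
 *
 * Every rule lives in a fixed-size table indexed by the administrator
 * through the security.mac.bsdextended.rules sysctl; the vnode hooks
 * below all reduce to a check of the caller's credential against the
 * owner and group of the vnode being operated on.
 *
 * XXX: Much locking support required here.
 */

#include <sys/types.h>
#include <sys/param.h>
#include <sys/acl.h>
#include <sys/conf.h>
#include <sys/kernel.h>
#include <sys/mac.h>
#include <sys/malloc.h>
#include <sys/mount.h>
#include <sys/proc.h>
#include <sys/systm.h>
#include <sys/sysproto.h>
#include <sys/sysent.h>
#include <sys/vnode.h>
#include <sys/file.h>
#include <sys/socket.h>
#include <sys/socketvar.h>
#include <sys/sysctl.h>

#include <net/bpfdesc.h>
#include <net/if.h>
#include <net/if_types.h>
#include <net/if_var.h>

#include <vm/vm.h>

#include <sys/mac_policy.h>

#include <security/mac_bsdextended/mac_bsdextended.h>

SYSCTL_DECL(_security_mac);

SYSCTL_NODE(_security_mac, OID_AUTO, bsdextended, CTLFLAG_RW, 0,
    "TrustedBSD extended BSD MAC policy controls");

/* Master switch: when zero every hook returns success without looking at rules. */
static int mac_bsdextended_enabled = 1;
SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, enabled, CTLFLAG_RW,
    &mac_bsdextended_enabled, 0, "Enforce extended BSD policy");
TUNABLE_INT("security.mac.bsdextended.enabled", &mac_bsdextended_enabled);

MALLOC_DEFINE(M_MACBSDEXTENDED, "mac_bsdextended", "BSD Extended MAC rule");

/*
 * Rule table.  rule_count is the number of non-NULL entries; rule_slots is
 * one past the highest index ever populated and bounds the scan in
 * mac_bsdextended_check().  Deleting a rule clears its entry but does not
 * shrink rule_slots.
 */
#define	MAC_BSDEXTENDED_MAXRULES 250
static struct mac_bsdextended_rule *rules[MAC_BSDEXTENDED_MAXRULES];
static int rule_count = 0;
static int rule_slots = 0;

SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, rule_count, CTLFLAG_RD,
    &rule_count, 0, "Number of defined rules\n");
SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, rule_slots, CTLFLAG_RD,
    &rule_slots, 0, "Number of used rule slots\n");

/* When set, a denied access is logged with printf() in mac_bsdextended_rulecheck(). */
static int mac_bsdextended_debugging;
SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, debugging, CTLFLAG_RW,
    &mac_bsdextended_debugging, 0, "Enable debugging on failure");

/*
 * This tunable is here for compatibility.  It will allow the user
 * to switch between the new mode (first rule matches) and the old
 * functionality (all rules match).
 */
static int mac_bsdextended_firstmatch_enabled;
SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, firstmatch_enabled,
    CTLFLAG_RW, &mac_bsdextended_firstmatch_enabled, 0,
    "Disable/enable match first rule functionality");

/*
 * Reject a rule whose subject or object carries flag bits outside
 * MBI_BITS, or whose mode carries permission bits outside VALLPERM.
 * Returns 0 for a well-formed rule and EINVAL otherwise.
 */
static int
mac_bsdextended_rule_valid(struct mac_bsdextended_rule *rule)
{

	if ((rule->mbr_subject.mbi_flags | MBI_BITS) != MBI_BITS)
		return (EINVAL);

	if ((rule->mbr_object.mbi_flags | MBI_BITS) != MBI_BITS)
		return (EINVAL);

	if ((rule->mbr_mode | VALLPERM) != VALLPERM)
		return (EINVAL);

	return (0);
}

/*
 * Handler for security.mac.bsdextended.rules.<index>.  A read returns the
 * rule in that slot; a zero-length write deletes it; a write of a full
 * struct mac_bsdextended_rule validates it and then adds or replaces the
 * rule in that slot.  The index comes from the caller and is bounded both
 * by the used portion of the table (rule_slots + 1, so that a rule may be
 * appended) and by the size of the table itself.
 *
 * Returns 0 on success, EINVAL for a malformed name or rule, ENOENT for
 * an out-of-range index or an empty slot, or the SYSCTL_IN/SYSCTL_OUT error.
 */
static int
sysctl_rule(SYSCTL_HANDLER_ARGS)
{
	struct mac_bsdextended_rule temprule, *ruleptr;
	u_int namelen;
	int error, index, *name;

	name = (int *)arg1;
	namelen = arg2;

	if (namelen != 1)
		return (EINVAL);

	index = name[0];
	if (index < 0 || index > rule_slots + 1)
		return (ENOENT);
	/*
	 * Bound the index by the table itself rather than testing
	 * rule_slots: once rule_slots had reached the maximum, the old
	 * test let index equal MAC_BSDEXTENDED_MAXRULES (one past the end
	 * of rules[]) and also refused reads and deletions of rules that
	 * already existed.
	 */
	if (index >= MAC_BSDEXTENDED_MAXRULES)
		return (ENOENT);

	if (req->oldptr) {
		if (rules[index] == NULL)
			return (ENOENT);

		error = SYSCTL_OUT(req, rules[index], sizeof(*rules[index]));
		if (error)
			return (error);
	}

	if (req->newptr) {
		if (req->newlen == 0) {
			/* Deletion: an empty write clears the slot. */
			ruleptr = rules[index];
			if (ruleptr == NULL)
				return (ENOENT);
			rule_count--;
			rules[index] = NULL;
			FREE(ruleptr, M_MACBSDEXTENDED);
			return (0);
		}
		error = SYSCTL_IN(req, &temprule, sizeof(temprule));
		if (error)
			return (error);

		/* Never install a rule carrying bits this policy does not define. */
		error = mac_bsdextended_rule_valid(&temprule);
		if (error)
			return (error);

		if (rules[index] == NULL) {
			/* Addition: allocate the slot and grow rule_slots if needed. */
			MALLOC(ruleptr, struct mac_bsdextended_rule *,
			    sizeof(*ruleptr), M_MACBSDEXTENDED, M_WAITOK |
			    M_ZERO);
			*ruleptr = temprule;
			rules[index] = ruleptr;
			if (index + 1 > rule_slots)
				rule_slots = index + 1;
			rule_count++;
		} else {
			/* Replacement: overwrite the existing rule in place. */
			*rules[index] = temprule;
		}
	}

	return (0);
}

SYSCTL_NODE(_security_mac_bsdextended, OID_AUTO, rules,
    CTLFLAG_RW, sysctl_rule, "BSD extended MAC rules");

/* Policy initialization hook; currently a placeholder. */
static void
mac_bsdextended_init(struct mac_policy_conf *mpc)
{

	/* Initialize ruleset lock. */
	/* Register dynamic sysctl's for rules. */
}

/* Policy teardown hook; currently a placeholder. */
static void
mac_bsdextended_destroy(struct mac_policy_conf *mpc)
{

	/* Tear down sysctls. */
	/* Destroy ruleset lock. */
}

/*
 * Evaluate one rule against a credential and an object's owner/group.
 *
 * A rule applies only if every defined subject clause (uid, gid) and
 * object clause (uid, gid) matches; MBI_NEGATED inverts the individual
 * clause.  Returns 0 if the rule does not apply, or if it applies and
 * grants acc_mode while first-match mode is off; EACCES if it applies
 * and mbr_mode lacks a requested bit; EJUSTRETURN if it applies, grants
 * the access and first-match mode is on, so the caller stops scanning.
 */
static int
mac_bsdextended_rulecheck(struct mac_bsdextended_rule *rule,
    struct ucred *cred, uid_t object_uid, gid_t object_gid, int acc_mode)
{
	int match;

	/*
	 * Is there a subject match?  The uid clause matches any of the
	 * effective, real and saved uids; the gid clause matches the
	 * supplementary groups as well as the real and saved gids.
	 */
	if (rule->mbr_subject.mbi_flags & MBI_UID_DEFINED) {
		match = (rule->mbr_subject.mbi_uid == cred->cr_uid ||
		    rule->mbr_subject.mbi_uid == cred->cr_ruid ||
		    rule->mbr_subject.mbi_uid == cred->cr_svuid);

		if (rule->mbr_subject.mbi_flags & MBI_NEGATED)
			match = !match;

		if (!match)
			return (0);
	}

	if (rule->mbr_subject.mbi_flags & MBI_GID_DEFINED) {
		match = (groupmember(rule->mbr_subject.mbi_gid, cred) ||
		    rule->mbr_subject.mbi_gid == cred->cr_rgid ||
		    rule->mbr_subject.mbi_gid == cred->cr_svgid);

		if (rule->mbr_subject.mbi_flags & MBI_NEGATED)
			match = !match;

		if (!match)
			return (0);
	}

	/*
	 * Is there an object match?
	 */
	if (rule->mbr_object.mbi_flags & MBI_UID_DEFINED) {
		match = (rule->mbr_object.mbi_uid == object_uid);

		if (rule->mbr_object.mbi_flags & MBI_NEGATED)
			match = !match;

		if (!match)
			return (0);
	}

	if (rule->mbr_object.mbi_flags & MBI_GID_DEFINED) {
		match = (rule->mbr_object.mbi_gid == object_gid);

		if (rule->mbr_object.mbi_flags & MBI_NEGATED)
			match = !match;

		if (!match)
			return (0);
	}

	/*
	 * Is the access permitted?  Every requested bit must be in mbr_mode.
	 */
	if ((rule->mbr_mode & acc_mode) != acc_mode) {
		if (mac_bsdextended_debugging)
			printf("mac_bsdextended: %d:%d request %d on %d:%d"
			    " fails\n", cred->cr_ruid, cred->cr_rgid,
			    acc_mode, object_uid, object_gid);
		return (EACCES);
	}
	/*
	 * If the rule matched and allowed access and first match is
	 * enabled, then return success.
	 */
	if (mac_bsdextended_firstmatch_enabled)
		return (EJUSTRETURN);
	else
		return (0);
}

/*
 * Run the whole rule table against a credential and an object's
 * owner/group for acc_mode.  The superuser is exempt.  Returns 0 if no
 * rule denies the access (or, in first-match mode, as soon as a rule
 * grants it), otherwise the EACCES of the first denying rule.
 */
static int
mac_bsdextended_check(struct ucred *cred, uid_t object_uid, gid_t object_gid,
    int acc_mode)
{
	int error, i;

	if (suser_cred(cred, 0) == 0)
		return (0);

	/*
	 * Since we don't separately handle append, map append to write.
	 * The mapping is idempotent, so it is done once rather than on
	 * every iteration of the rule loop.
	 */
	if (acc_mode & VAPPEND) {
		acc_mode &= ~VAPPEND;
		acc_mode |= VWRITE;
	}

	for (i = 0; i < rule_slots; i++) {
		if (rules[i] == NULL)
			continue;

		error = mac_bsdextended_rulecheck(rules[i], cred, object_uid,
		    object_gid, acc_mode);
		/* EJUSTRETURN: a rule matched and granted; stop on first match. */
		if (error == EJUSTRETURN)
			break;
		if (error)
			return (error);
	}

	return (0);
}

/*
 * Common body of every vnode hook: read the owner and group of vp and
 * run the rule table against them for acc_mode.  Returns 0 when the
 * policy is disabled, the VOP_GETATTR() error if the attributes cannot
 * be read, and otherwise the result of mac_bsdextended_check().
 */
static int
mac_bsdextended_check_vp(struct ucred *cred, struct vnode *vp, int acc_mode)
{
	struct vattr vap;
	int error;

	if (!mac_bsdextended_enabled)
		return (0);

	error = VOP_GETATTR(vp, &vap, cred, curthread);
	if (error)
		return (error);
	return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, acc_mode));
}

/* swapon(2) on vp requires write access to it. */
static int
mac_bsdextended_check_system_swapon(struct ucred *cred, struct vnode *vp,
    struct label *label)
{

	return (mac_bsdextended_check_vp(cred, vp, VWRITE));
}

/* Generic access check: the requested acc_mode is passed straight through. */
static int
mac_bsdextended_check_vnode_access(struct ucred *cred, struct vnode *vp,
    struct label *label, int acc_mode)
{

	return (mac_bsdextended_check_vp(cred, vp, acc_mode));
}

/* chdir(2) into dvp requires search (VEXEC) access on the directory. */
static int
mac_bsdextended_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel)
{

	return (mac_bsdextended_check_vp(cred, dvp, VEXEC));
}

/* chroot(2) to dvp requires search (VEXEC) access on the directory. */
static int
mac_bsdextended_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel)
{

	return (mac_bsdextended_check_vp(cred, dvp, VEXEC));
}

/* Creating an entry in dvp requires write access to the directory. */
static int
mac_bsdextended_check_create_vnode(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct componentname *cnp, struct vattr *vap)
{

	return (mac_bsdextended_check_vp(cred, dvp, VWRITE));
}

/* Deleting vp from dvp requires write access to both the directory and vp. */
static int
mac_bsdextended_check_vnode_delete(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct vnode *vp, struct label *label,
    struct componentname *cnp)
{
	int error;

	error = mac_bsdextended_check_vp(cred, dvp, VWRITE);
	if (error)
		return (error);
	return (mac_bsdextended_check_vp(cred, vp, VWRITE));
}

/* Removing an ACL is an administrative (VADMIN) operation on vp. */
static int
mac_bsdextended_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
    struct label *label, acl_type_t type)
{

	return (mac_bsdextended_check_vp(cred, vp, VADMIN));
}

/* Removing an extended attribute requires write access to vp. */
static int
mac_bsdextended_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
    struct label *label, int attrnamespace, const char *name)
{

	return (mac_bsdextended_check_vp(cred, vp, VWRITE));
}

/* Executing vp requires both read and execute access. */
static int
mac_bsdextended_check_vnode_exec(struct ucred *cred, struct vnode *vp,
    struct label *label, struct image_params *imgp,
    struct label *execlabel)
{

	return (mac_bsdextended_check_vp(cred, vp, VREAD|VEXEC));
}

/* Reading an ACL is treated like stat(2): VSTAT access on vp. */
static int
mac_bsdextended_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
    struct label *label, acl_type_t type)
{

	return (mac_bsdextended_check_vp(cred, vp, VSTAT));
}

/* Reading an extended attribute requires read access to vp. */
static int
mac_bsdextended_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
    struct label *label, int attrnamespace, const char *name, struct uio *uio)
{

	return (mac_bsdextended_check_vp(cred, vp, VREAD));
}

/* Hard-linking vp into dvp requires write access to both. */
static int
mac_bsdextended_check_vnode_link(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct vnode *vp, struct label *label,
    struct componentname *cnp)
{
	int error;

	error = mac_bsdextended_check_vp(cred, dvp, VWRITE);
	if (error)
		return (error);
	return (mac_bsdextended_check_vp(cred, vp, VWRITE));
}

/* Listing extended attributes requires read access to vp. */
static int
mac_bsdextended_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
    struct label *label, int attrnamespace)
{

	return (mac_bsdextended_check_vp(cred, vp, VREAD));
}

/* Name lookup in dvp requires search (VEXEC) access on the directory. */
static int
mac_bsdextended_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct componentname *cnp)
{

	return (mac_bsdextended_check_vp(cred, dvp, VEXEC));
}

/* open(2): the requested acc_mode is passed straight through. */
static int
mac_bsdextended_check_vnode_open(struct ucred *cred, struct vnode *vp,
    struct label *filelabel, int acc_mode)
{

	return (mac_bsdextended_check_vp(cred, vp, acc_mode));
}

/* Reading a directory requires read access to it. */
static int
mac_bsdextended_check_vnode_readdir(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel)
{

	return (mac_bsdextended_check_vp(cred, dvp, VREAD));
}

/* Reading a symlink target requires read access to the link vnode. */
static int
mac_bsdextended_check_vnode_readdlink(struct ucred *cred, struct vnode *vp,
    struct label *label)
{

	return (mac_bsdextended_check_vp(cred, vp, VREAD));
}

/* Rename source side: write access to the source directory and to vp. */
static int
mac_bsdextended_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct vnode *vp, struct label *label,
    struct componentname *cnp)
{
	int error;

	error = mac_bsdextended_check_vp(cred, dvp, VWRITE);
	if (error)
		return (error);
	return (mac_bsdextended_check_vp(cred, vp, VWRITE));
}

/*
 * Rename target side: write access to the target directory and, when an
 * existing entry would be replaced (vp != NULL), to that vnode as well.
 */
static int
mac_bsdextended_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct vnode *vp, struct label *label, int samedir,
    struct componentname *cnp)
{
	int error;

	error = mac_bsdextended_check_vp(cred, dvp, VWRITE);
	if (error)
		return (error);

	if (vp != NULL)
		error = mac_bsdextended_check_vp(cred, vp, VWRITE);

	return (error);
}

/* revoke(2) is an administrative (VADMIN) operation on vp. */
static int
mac_bsdextended_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
    struct label *label)
{

	return (mac_bsdextended_check_vp(cred, vp, VADMIN));
}

/* Setting an ACL is an administrative (VADMIN) operation on vp. */
static int
mac_bsdextended_check_setacl_vnode(struct ucred *cred, struct vnode *vp,
    struct label *label, acl_type_t type, struct acl *acl)
{

	return (mac_bsdextended_check_vp(cred, vp, VADMIN));
}

/* Setting an extended attribute requires write access to vp. */
static int
mac_bsdextended_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
    struct label *label, int attrnamespace, const char *name, struct uio *uio)
{

	return (mac_bsdextended_check_vp(cred, vp, VWRITE));
}

/* chflags(2) is an administrative (VADMIN) operation on vp. */
static int
mac_bsdextended_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
    struct label *label, u_long flags)
{

	return (mac_bsdextended_check_vp(cred, vp, VADMIN));
}

/* chmod(2) is an administrative (VADMIN) operation on vp. */
static int
mac_bsdextended_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
    struct label *label, mode_t mode)
{

	return (mac_bsdextended_check_vp(cred, vp, VADMIN));
}

/* chown(2) is an administrative (VADMIN) operation on vp. */
static int
mac_bsdextended_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
    struct label *label, uid_t uid, gid_t gid)
{

	return (mac_bsdextended_check_vp(cred, vp, VADMIN));
}

/* utimes(2) is an administrative (VADMIN) operation on vp. */
static int
mac_bsdextended_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
    struct label *label, struct timespec atime, struct timespec utime)
{

	return (mac_bsdextended_check_vp(cred, vp, VADMIN));
}

/*
 * stat(2) requires VSTAT access; the check is made against the active
 * credential, not the file credential the descriptor was opened with.
 */
static int
mac_bsdextended_check_vnode_stat(struct ucred *active_cred,
    struct ucred *file_cred, struct vnode *vp, struct label *label)
{

	return (mac_bsdextended_check_vp(active_cred, vp, VSTAT));
}

static struct mac_policy_ops mac_bsdextended_ops =
{
	.mpo_destroy = mac_bsdextended_destroy,
	.mpo_init = mac_bsdextended_init,
	.mpo_check_system_swapon = mac_bsdextended_check_system_swapon,
	.mpo_check_vnode_access = mac_bsdextended_check_vnode_access,
	.mpo_check_vnode_chdir = mac_bsdextended_check_vnode_chdir,
	.mpo_check_vnode_chroot = mac_bsdextended_check_vnode_chroot,
	.mpo_check_vnode_create = mac_bsdextended_check_create_vnode,
	.mpo_check_vnode_delete = mac_bsdextended_check_vnode_delete,
	.mpo_check_vnode_deleteacl = mac_bsdextended_check_vnode_deleteacl,
	.mpo_check_vnode_deleteextattr = mac_bsdextended_check_vnode_deleteextattr,
	.mpo_check_vnode_exec = mac_bsdextended_check_vnode_exec,
	.mpo_check_vnode_getacl = mac_bsdextended_check_vnode_getacl,
	.mpo_check_vnode_getextattr = mac_bsdextended_check_vnode_getextattr,
	.mpo_check_vnode_link = mac_bsdextended_check_vnode_link,
	.mpo_check_vnode_listextattr = mac_bsdextended_check_vnode_listextattr,
	.mpo_check_vnode_lookup = mac_bsdextended_check_vnode_lookup,
	.mpo_check_vnode_open = mac_bsdextended_check_vnode_open,
	.mpo_check_vnode_readdir = mac_bsdextended_check_vnode_readdir,
	.mpo_check_vnode_readlink = mac_bsdextended_check_vnode_readdlink,
	.mpo_check_vnode_rename_from = mac_bsdextended_check_vnode_rename_from,
	.mpo_check_vnode_rename_to = mac_bsdextended_check_vnode_rename_to,
	.mpo_check_vnode_revoke = mac_bsdextended_check_vnode_revoke,
	.mpo_check_vnode_setacl = mac_bsdextended_check_setacl_vnode,
	.mpo_check_vnode_setextattr = mac_bsdextended_check_vnode_setextattr,
	.mpo_check_vnode_setflags = mac_bsdextended_check_vnode_setflags,
	.mpo_check_vnode_setmode = mac_bsdextended_check_vnode_setmode,
	.mpo_check_vnode_setowner = mac_bsdextended_check_vnode_setowner,
	.mpo_check_vnode_setutimes = mac_bsdextended_check_vnode_setutimes,
	.mpo_check_vnode_stat = mac_bsdextended_check_vnode_stat,
};

MAC_POLICY_SET(&mac_bsdextended_ops, mac_bsdextended,
    "TrustedBSD MAC/BSD Extended", MPC_LOADTIME_FLAG_UNLOADOK, NULL);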