mac_cred.c revision 111936
1/*- 2 * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson 3 * Copyright (c) 2001 Ilmar S. Habibulin 4 * Copyright (c) 2001, 2002 Networks Associates Technology, Inc. 5 * All rights reserved. 6 * 7 * This software was developed by Robert Watson and Ilmar Habibulin for the 8 * TrustedBSD Project. 9 * 10 * This software was developed for the FreeBSD Project in part by Network 11 * Associates Laboratories, the Security Research Division of Network 12 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), 13 * as part of the DARPA CHATS research program. 14 * 15 * Redistribution and use in source and binary forms, with or without 16 * modification, are permitted provided that the following conditions 17 * are met: 18 * 1. Redistributions of source code must retain the above copyright 19 * notice, this list of conditions and the following disclaimer. 20 * 2. Redistributions in binary form must reproduce the above copyright 21 * notice, this list of conditions and the following disclaimer in the 22 * documentation and/or other materials provided with the distribution. 23 * 24 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 25 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 26 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 27 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 28 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 29 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 30 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 31 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 32 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 33 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 34 * SUCH DAMAGE. 35 * 36 * $FreeBSD: head/sys/security/mac/mac_process.c 111936 2003-03-05 23:50:15Z rwatson $ 37 */ 38/* 39 * Developed by the TrustedBSD Project. 40 * 41 * Framework for extensible kernel access control. Kernel and userland 42 * interface to the framework, policy registration and composition. 43 */ 44 45#include "opt_mac.h" 46#include "opt_devfs.h" 47 48#include <sys/param.h> 49#include <sys/condvar.h> 50#include <sys/extattr.h> 51#include <sys/imgact.h> 52#include <sys/kernel.h> 53#include <sys/lock.h> 54#include <sys/malloc.h> 55#include <sys/mutex.h> 56#include <sys/mac.h> 57#include <sys/module.h> 58#include <sys/proc.h> 59#include <sys/systm.h> 60#include <sys/sysproto.h> 61#include <sys/sysent.h> 62#include <sys/vnode.h> 63#include <sys/mount.h> 64#include <sys/file.h> 65#include <sys/namei.h> 66#include <sys/socket.h> 67#include <sys/pipe.h> 68#include <sys/socketvar.h> 69#include <sys/sysctl.h> 70 71#include <vm/vm.h> 72#include <vm/pmap.h> 73#include <vm/vm_map.h> 74#include <vm/vm_object.h> 75 76#include <sys/mac_policy.h> 77 78#include <fs/devfs/devfs.h> 79 80#include <net/bpfdesc.h> 81#include <net/if.h> 82#include <net/if_var.h> 83 84#include <netinet/in.h> 85#include <netinet/ip_var.h> 86 87#ifdef MAC 88 89/* 90 * Declare that the kernel provides MAC support, version 1. This permits 91 * modules to refuse to be loaded if the necessary support isn't present, 92 * even if it's pre-boot. 93 */ 94MODULE_VERSION(kernel_mac_support, 1); 95 96SYSCTL_DECL(_security); 97 98SYSCTL_NODE(_security, OID_AUTO, mac, CTLFLAG_RW, 0, 99 "TrustedBSD MAC policy controls"); 100 101#if MAC_MAX_POLICIES > 32 102#error "MAC_MAX_POLICIES too large" 103#endif 104 105static unsigned int mac_max_policies = MAC_MAX_POLICIES; 106static unsigned int mac_policy_offsets_free = (1 << MAC_MAX_POLICIES) - 1; 107SYSCTL_UINT(_security_mac, OID_AUTO, max_policies, CTLFLAG_RD, 108 &mac_max_policies, 0, ""); 109 110/* 111 * Has the kernel started generating labeled objects yet? All read/write 112 * access to this variable is serialized during the boot process. Following 113 * the end of serialization, we don't update this flag; no locking. 114 */ 115static int mac_late = 0; 116 117/* 118 * Warn about EA transactions only the first time they happen. 119 * Weak coherency, no locking. 120 */ 121static int ea_warn_once = 0; 122 123static int mac_enforce_fs = 1; 124SYSCTL_INT(_security_mac, OID_AUTO, enforce_fs, CTLFLAG_RW, 125 &mac_enforce_fs, 0, "Enforce MAC policy on file system objects"); 126TUNABLE_INT("security.mac.enforce_fs", &mac_enforce_fs); 127 128static int mac_enforce_kld = 1; 129SYSCTL_INT(_security_mac, OID_AUTO, enforce_kld, CTLFLAG_RW, 130 &mac_enforce_kld, 0, "Enforce MAC policy on kld operations"); 131TUNABLE_INT("security.mac.enforce_kld", &mac_enforce_kld); 132 133static int mac_enforce_network = 1; 134SYSCTL_INT(_security_mac, OID_AUTO, enforce_network, CTLFLAG_RW, 135 &mac_enforce_network, 0, "Enforce MAC policy on network packets"); 136TUNABLE_INT("security.mac.enforce_network", &mac_enforce_network); 137 138static int mac_enforce_pipe = 1; 139SYSCTL_INT(_security_mac, OID_AUTO, enforce_pipe, CTLFLAG_RW, 140 &mac_enforce_pipe, 0, "Enforce MAC policy on pipe operations"); 141TUNABLE_INT("security.mac.enforce_pipe", &mac_enforce_pipe); 142 143static int mac_enforce_process = 1; 144SYSCTL_INT(_security_mac, OID_AUTO, enforce_process, CTLFLAG_RW, 145 &mac_enforce_process, 0, "Enforce MAC policy on inter-process operations"); 146TUNABLE_INT("security.mac.enforce_process", &mac_enforce_process); 147 148static int mac_enforce_socket = 1; 149SYSCTL_INT(_security_mac, OID_AUTO, enforce_socket, CTLFLAG_RW, 150 &mac_enforce_socket, 0, "Enforce MAC policy on socket operations"); 151TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket); 152 153static int mac_enforce_system = 1; 154SYSCTL_INT(_security_mac, OID_AUTO, enforce_system, CTLFLAG_RW, 155 &mac_enforce_system, 0, "Enforce MAC policy on system operations"); 156TUNABLE_INT("security.mac.enforce_system", &mac_enforce_system); 157 158static int mac_enforce_vm = 1; 159SYSCTL_INT(_security_mac, OID_AUTO, enforce_vm, CTLFLAG_RW, 160 &mac_enforce_vm, 0, "Enforce MAC policy on vm operations"); 161TUNABLE_INT("security.mac.enforce_vm", &mac_enforce_vm); 162 163static int mac_mmap_revocation = 1; 164SYSCTL_INT(_security_mac, OID_AUTO, mmap_revocation, CTLFLAG_RW, 165 &mac_mmap_revocation, 0, "Revoke mmap access to files on subject " 166 "relabel"); 167static int mac_mmap_revocation_via_cow = 0; 168SYSCTL_INT(_security_mac, OID_AUTO, mmap_revocation_via_cow, CTLFLAG_RW, 169 &mac_mmap_revocation_via_cow, 0, "Revoke mmap access to files via " 170 "copy-on-write semantics, or by removing all write access"); 171 172#ifdef MAC_DEBUG 173SYSCTL_NODE(_security_mac, OID_AUTO, debug, CTLFLAG_RW, 0, 174 "TrustedBSD MAC debug info"); 175 176static int mac_debug_label_fallback = 0; 177SYSCTL_INT(_security_mac_debug, OID_AUTO, label_fallback, CTLFLAG_RW, 178 &mac_debug_label_fallback, 0, "Filesystems should fall back to fs label" 179 "when label is corrupted."); 180TUNABLE_INT("security.mac.debug_label_fallback", 181 &mac_debug_label_fallback); 182 183SYSCTL_NODE(_security_mac_debug, OID_AUTO, counters, CTLFLAG_RW, 0, 184 "TrustedBSD MAC object counters"); 185 186static unsigned int nmacmbufs, nmaccreds, nmacifnets, nmacbpfdescs, 187 nmacsockets, nmacmounts, nmactemp, nmacvnodes, nmacdevfsdirents, 188 nmacipqs, nmacpipes, nmacprocs; 189 190SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, mbufs, CTLFLAG_RD, 191 &nmacmbufs, 0, "number of mbufs in use"); 192SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, creds, CTLFLAG_RD, 193 &nmaccreds, 0, "number of ucreds in use"); 194SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, ifnets, CTLFLAG_RD, 195 &nmacifnets, 0, "number of ifnets in use"); 196SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, ipqs, CTLFLAG_RD, 197 &nmacipqs, 0, "number of ipqs in use"); 198SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, bpfdescs, CTLFLAG_RD, 199 &nmacbpfdescs, 0, "number of bpfdescs in use"); 200SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, sockets, CTLFLAG_RD, 201 &nmacsockets, 0, "number of sockets in use"); 202SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, pipes, CTLFLAG_RD, 203 &nmacpipes, 0, "number of pipes in use"); 204SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, procs, CTLFLAG_RD, 205 &nmacprocs, 0, "number of procs in use"); 206SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, mounts, CTLFLAG_RD, 207 &nmacmounts, 0, "number of mounts in use"); 208SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, temp, CTLFLAG_RD, 209 &nmactemp, 0, "number of temporary labels in use"); 210SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, vnodes, CTLFLAG_RD, 211 &nmacvnodes, 0, "number of vnodes in use"); 212SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, devfsdirents, CTLFLAG_RD, 213 &nmacdevfsdirents, 0, "number of devfs dirents inuse"); 214#endif 215 216static int error_select(int error1, int error2); 217static int mac_policy_register(struct mac_policy_conf *mpc); 218static int mac_policy_unregister(struct mac_policy_conf *mpc); 219 220static void mac_check_vnode_mmap_downgrade(struct ucred *cred, 221 struct vnode *vp, int *prot); 222static void mac_cred_mmapped_drop_perms_recurse(struct thread *td, 223 struct ucred *cred, struct vm_map *map); 224 225static void mac_destroy_socket_label(struct label *label); 226 227static int mac_setlabel_vnode_extattr(struct ucred *cred, 228 struct vnode *vp, struct label *intlabel); 229 230MALLOC_DEFINE(M_MACPIPELABEL, "macpipelabel", "MAC labels for pipes"); 231MALLOC_DEFINE(M_MACTEMP, "mactemp", "MAC temporary label storage"); 232 233/* 234 * mac_policy_list stores the list of active policies. A busy count is 235 * maintained for the list, stored in mac_policy_busy. The busy count 236 * is protected by mac_policy_list_lock; the list may be modified only 237 * while the busy count is 0, requiring that the lock be held to 238 * prevent new references to the list from being acquired. For almost 239 * all operations, incrementing the busy count is sufficient to 240 * guarantee consistency, as the list cannot be modified while the 241 * busy count is elevated. For a few special operations involving a 242 * change to the list of active policies, the lock itself must be held. 243 * A condition variable, mac_policy_list_not_busy, is used to signal 244 * potential exclusive consumers that they should try to acquire the 245 * lock if a first attempt at exclusive access fails. 246 */ 247static struct mtx mac_policy_list_lock; 248static struct cv mac_policy_list_not_busy; 249static LIST_HEAD(, mac_policy_conf) mac_policy_list; 250static int mac_policy_list_busy; 251 252#define MAC_POLICY_LIST_LOCKINIT() do { \ 253 mtx_init(&mac_policy_list_lock, "mac_policy_list_lock", NULL, \ 254 MTX_DEF); \ 255 cv_init(&mac_policy_list_not_busy, "mac_policy_list_not_busy"); \ 256} while (0) 257 258#define MAC_POLICY_LIST_LOCK() do { \ 259 mtx_lock(&mac_policy_list_lock); \ 260} while (0) 261 262#define MAC_POLICY_LIST_UNLOCK() do { \ 263 mtx_unlock(&mac_policy_list_lock); \ 264} while (0) 265 266/* 267 * We manually invoke WITNESS_WARN() to allow Witness to generate 268 * warnings even if we don't end up ever triggering the wait at 269 * run-time. The consumer of the exclusive interface must not hold 270 * any locks (other than potentially Giant) since we may sleep for 271 * long (potentially indefinite) periods of time waiting for the 272 * framework to become quiescent so that a policy list change may 273 * be made. 274 */ 275#define MAC_POLICY_LIST_EXCLUSIVE() do { \ 276 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, \ 277 "mac_policy_list_exclusive() at %s:%d", __FILE__, __LINE__);\ 278 mtx_lock(&mac_policy_list_lock); \ 279 while (mac_policy_list_busy != 0) \ 280 cv_wait(&mac_policy_list_not_busy, \ 281 &mac_policy_list_lock); \ 282} while (0) 283 284#define MAC_POLICY_LIST_BUSY() do { \ 285 MAC_POLICY_LIST_LOCK(); \ 286 mac_policy_list_busy++; \ 287 MAC_POLICY_LIST_UNLOCK(); \ 288} while (0) 289 290#define MAC_POLICY_LIST_UNBUSY() do { \ 291 MAC_POLICY_LIST_LOCK(); \ 292 mac_policy_list_busy--; \ 293 KASSERT(mac_policy_list_busy >= 0, ("MAC_POLICY_LIST_LOCK")); \ 294 if (mac_policy_list_busy == 0) \ 295 cv_signal(&mac_policy_list_not_busy); \ 296 MAC_POLICY_LIST_UNLOCK(); \ 297} while (0) 298 299/* 300 * MAC_CHECK performs the designated check by walking the policy 301 * module list and checking with each as to how it feels about the 302 * request. Note that it returns its value via 'error' in the scope 303 * of the caller. 304 */ 305#define MAC_CHECK(check, args...) do { \ 306 struct mac_policy_conf *mpc; \ 307 \ 308 error = 0; \ 309 MAC_POLICY_LIST_BUSY(); \ 310 LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { \ 311 if (mpc->mpc_ops->mpo_ ## check != NULL) \ 312 error = error_select( \ 313 mpc->mpc_ops->mpo_ ## check (args), \ 314 error); \ 315 } \ 316 MAC_POLICY_LIST_UNBUSY(); \ 317} while (0) 318 319/* 320 * MAC_BOOLEAN performs the designated boolean composition by walking 321 * the module list, invoking each instance of the operation, and 322 * combining the results using the passed C operator. Note that it 323 * returns its value via 'result' in the scope of the caller, which 324 * should be initialized by the caller in a meaningful way to get 325 * a meaningful result. 326 */ 327#define MAC_BOOLEAN(operation, composition, args...) do { \ 328 struct mac_policy_conf *mpc; \ 329 \ 330 MAC_POLICY_LIST_BUSY(); \ 331 LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { \ 332 if (mpc->mpc_ops->mpo_ ## operation != NULL) \ 333 result = result composition \ 334 mpc->mpc_ops->mpo_ ## operation (args); \ 335 } \ 336 MAC_POLICY_LIST_UNBUSY(); \ 337} while (0) 338 339#define MAC_EXTERNALIZE(type, label, elementlist, outbuf, \ 340 outbuflen) do { \ 341 char *curptr, *curptr_start, *element_name, *element_temp; \ 342 size_t left, left_start, len; \ 343 int claimed, first, first_start, ignorenotfound; \ 344 \ 345 error = 0; \ 346 element_temp = elementlist; \ 347 curptr = outbuf; \ 348 curptr[0] = '\0'; \ 349 left = outbuflen; \ 350 first = 1; \ 351 while ((element_name = strsep(&element_temp, ",")) != NULL) { \ 352 curptr_start = curptr; \ 353 left_start = left; \ 354 first_start = first; \ 355 if (element_name[0] == '?') { \ 356 element_name++; \ 357 ignorenotfound = 1; \ 358 } else \ 359 ignorenotfound = 0; \ 360 claimed = 0; \ 361 if (first) { \ 362 len = snprintf(curptr, left, "%s/", \ 363 element_name); \ 364 first = 0; \ 365 } else \ 366 len = snprintf(curptr, left, ",%s/", \ 367 element_name); \ 368 if (len >= left) { \ 369 error = EINVAL; /* XXXMAC: E2BIG */ \ 370 break; \ 371 } \ 372 curptr += len; \ 373 left -= len; \ 374 \ 375 MAC_CHECK(externalize_ ## type, label, element_name, \ 376 curptr, left, &len, &claimed); \ 377 if (error) \ 378 break; \ 379 if (claimed == 1) { \ 380 if (len >= outbuflen) { \ 381 error = EINVAL; /* XXXMAC: E2BIG */ \ 382 break; \ 383 } \ 384 curptr += len; \ 385 left -= len; \ 386 } else if (claimed == 0 && ignorenotfound) { \ 387 /* \ 388 * Revert addition of the label element \ 389 * name. \ 390 */ \ 391 curptr = curptr_start; \ 392 *curptr = '\0'; \ 393 left = left_start; \ 394 first = first_start; \ 395 } else { \ 396 error = EINVAL; /* XXXMAC: ENOLABEL */ \ 397 break; \ 398 } \ 399 } \ 400} while (0) 401 402#define MAC_INTERNALIZE(type, label, instring) do { \ 403 char *element, *element_name, *element_data; \ 404 int claimed; \ 405 \ 406 error = 0; \ 407 element = instring; \ 408 while ((element_name = strsep(&element, ",")) != NULL) { \ 409 element_data = element_name; \ 410 element_name = strsep(&element_data, "/"); \ 411 if (element_data == NULL) { \ 412 error = EINVAL; \ 413 break; \ 414 } \ 415 claimed = 0; \ 416 MAC_CHECK(internalize_ ## type, label, element_name, \ 417 element_data, &claimed); \ 418 if (error) \ 419 break; \ 420 if (claimed != 1) { \ 421 /* XXXMAC: Another error here? */ \ 422 error = EINVAL; \ 423 break; \ 424 } \ 425 } \ 426} while (0) 427 428/* 429 * MAC_PERFORM performs the designated operation by walking the policy 430 * module list and invoking that operation for each policy. 431 */ 432#define MAC_PERFORM(operation, args...) do { \ 433 struct mac_policy_conf *mpc; \ 434 \ 435 MAC_POLICY_LIST_BUSY(); \ 436 LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { \ 437 if (mpc->mpc_ops->mpo_ ## operation != NULL) \ 438 mpc->mpc_ops->mpo_ ## operation (args); \ 439 } \ 440 MAC_POLICY_LIST_UNBUSY(); \ 441} while (0) 442 443/* 444 * Initialize the MAC subsystem, including appropriate SMP locks. 445 */ 446static void 447mac_init(void) 448{ 449 450 LIST_INIT(&mac_policy_list); 451 MAC_POLICY_LIST_LOCKINIT(); 452} 453 454/* 455 * For the purposes of modules that want to know if they were loaded 456 * "early", set the mac_late flag once we've processed modules either 457 * linked into the kernel, or loaded before the kernel startup. 458 */ 459static void 460mac_late_init(void) 461{ 462 463 mac_late = 1; 464} 465 466/* 467 * Allow MAC policy modules to register during boot, etc. 468 */ 469int 470mac_policy_modevent(module_t mod, int type, void *data) 471{ 472 struct mac_policy_conf *mpc; 473 int error; 474 475 error = 0; 476 mpc = (struct mac_policy_conf *) data; 477 478 switch (type) { 479 case MOD_LOAD: 480 if (mpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_NOTLATE && 481 mac_late) { 482 printf("mac_policy_modevent: can't load %s policy " 483 "after booting\n", mpc->mpc_name); 484 error = EBUSY; 485 break; 486 } 487 error = mac_policy_register(mpc); 488 break; 489 case MOD_UNLOAD: 490 /* Don't unregister the module if it was never registered. */ 491 if ((mpc->mpc_runtime_flags & MPC_RUNTIME_FLAG_REGISTERED) 492 != 0) 493 error = mac_policy_unregister(mpc); 494 else 495 error = 0; 496 break; 497 default: 498 break; 499 } 500 501 return (error); 502} 503 504static int 505mac_policy_register(struct mac_policy_conf *mpc) 506{ 507 struct mac_policy_conf *tmpc; 508 int slot; 509 510 MAC_POLICY_LIST_EXCLUSIVE(); 511 LIST_FOREACH(tmpc, &mac_policy_list, mpc_list) { 512 if (strcmp(tmpc->mpc_name, mpc->mpc_name) == 0) { 513 MAC_POLICY_LIST_UNLOCK(); 514 return (EEXIST); 515 } 516 } 517 if (mpc->mpc_field_off != NULL) { 518 slot = ffs(mac_policy_offsets_free); 519 if (slot == 0) { 520 MAC_POLICY_LIST_UNLOCK(); 521 return (ENOMEM); 522 } 523 slot--; 524 mac_policy_offsets_free &= ~(1 << slot); 525 *mpc->mpc_field_off = slot; 526 } 527 mpc->mpc_runtime_flags |= MPC_RUNTIME_FLAG_REGISTERED; 528 LIST_INSERT_HEAD(&mac_policy_list, mpc, mpc_list); 529 530 /* Per-policy initialization. */ 531 if (mpc->mpc_ops->mpo_init != NULL) 532 (*(mpc->mpc_ops->mpo_init))(mpc); 533 MAC_POLICY_LIST_UNLOCK(); 534 535 printf("Security policy loaded: %s (%s)\n", mpc->mpc_fullname, 536 mpc->mpc_name); 537 538 return (0); 539} 540 541static int 542mac_policy_unregister(struct mac_policy_conf *mpc) 543{ 544 545 /* 546 * If we fail the load, we may get a request to unload. Check 547 * to see if we did the run-time registration, and if not, 548 * silently succeed. 549 */ 550 MAC_POLICY_LIST_EXCLUSIVE(); 551 if ((mpc->mpc_runtime_flags & MPC_RUNTIME_FLAG_REGISTERED) == 0) { 552 MAC_POLICY_LIST_UNLOCK(); 553 return (0); 554 } 555#if 0 556 /* 557 * Don't allow unloading modules with private data. 558 */ 559 if (mpc->mpc_field_off != NULL) { 560 MAC_POLICY_LIST_UNLOCK(); 561 return (EBUSY); 562 } 563#endif 564 /* 565 * Only allow the unload to proceed if the module is unloadable 566 * by its own definition. 567 */ 568 if ((mpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_UNLOADOK) == 0) { 569 MAC_POLICY_LIST_UNLOCK(); 570 return (EBUSY); 571 } 572 if (mpc->mpc_ops->mpo_destroy != NULL) 573 (*(mpc->mpc_ops->mpo_destroy))(mpc); 574 575 LIST_REMOVE(mpc, mpc_list); 576 mpc->mpc_runtime_flags &= ~MPC_RUNTIME_FLAG_REGISTERED; 577 578 MAC_POLICY_LIST_UNLOCK(); 579 580 printf("Security policy unload: %s (%s)\n", mpc->mpc_fullname, 581 mpc->mpc_name); 582 583 return (0); 584} 585 586/* 587 * Define an error value precedence, and given two arguments, selects the 588 * value with the higher precedence. 589 */ 590static int 591error_select(int error1, int error2) 592{ 593 594 /* Certain decision-making errors take top priority. */ 595 if (error1 == EDEADLK || error2 == EDEADLK) 596 return (EDEADLK); 597 598 /* Invalid arguments should be reported where possible. */ 599 if (error1 == EINVAL || error2 == EINVAL) 600 return (EINVAL); 601 602 /* Precedence goes to "visibility", with both process and file. */ 603 if (error1 == ESRCH || error2 == ESRCH) 604 return (ESRCH); 605 606 if (error1 == ENOENT || error2 == ENOENT) 607 return (ENOENT); 608 609 /* Precedence goes to DAC/MAC protections. */ 610 if (error1 == EACCES || error2 == EACCES) 611 return (EACCES); 612 613 /* Precedence goes to privilege. */ 614 if (error1 == EPERM || error2 == EPERM) 615 return (EPERM); 616 617 /* Precedence goes to error over success; otherwise, arbitrary. */ 618 if (error1 != 0) 619 return (error1); 620 return (error2); 621} 622 623static void 624mac_init_label(struct label *label) 625{ 626 627 bzero(label, sizeof(*label)); 628 label->l_flags = MAC_FLAG_INITIALIZED; 629} 630 631static void 632mac_destroy_label(struct label *label) 633{ 634 635 KASSERT(label->l_flags & MAC_FLAG_INITIALIZED, 636 ("destroying uninitialized label")); 637 638 bzero(label, sizeof(*label)); 639 /* implicit: label->l_flags &= ~MAC_FLAG_INITIALIZED; */ 640} 641 642void 643mac_init_bpfdesc(struct bpf_d *bpf_d) 644{ 645 646 mac_init_label(&bpf_d->bd_label); 647 MAC_PERFORM(init_bpfdesc_label, &bpf_d->bd_label); 648#ifdef MAC_DEBUG 649 atomic_add_int(&nmacbpfdescs, 1); 650#endif 651} 652 653static void 654mac_init_cred_label(struct label *label) 655{ 656 657 mac_init_label(label); 658 MAC_PERFORM(init_cred_label, label); 659#ifdef MAC_DEBUG 660 atomic_add_int(&nmaccreds, 1); 661#endif 662} 663 664void 665mac_init_cred(struct ucred *cred) 666{ 667 668 mac_init_cred_label(&cred->cr_label); 669} 670 671void 672mac_init_devfsdirent(struct devfs_dirent *de) 673{ 674 675 mac_init_label(&de->de_label); 676 MAC_PERFORM(init_devfsdirent_label, &de->de_label); 677#ifdef MAC_DEBUG 678 atomic_add_int(&nmacdevfsdirents, 1); 679#endif 680} 681 682static void 683mac_init_ifnet_label(struct label *label) 684{ 685 686 mac_init_label(label); 687 MAC_PERFORM(init_ifnet_label, label); 688#ifdef MAC_DEBUG 689 atomic_add_int(&nmacifnets, 1); 690#endif 691} 692 693void 694mac_init_ifnet(struct ifnet *ifp) 695{ 696 697 mac_init_ifnet_label(&ifp->if_label); 698} 699 700void 701mac_init_ipq(struct ipq *ipq) 702{ 703 704 mac_init_label(&ipq->ipq_label); 705 MAC_PERFORM(init_ipq_label, &ipq->ipq_label); 706#ifdef MAC_DEBUG 707 atomic_add_int(&nmacipqs, 1); 708#endif 709} 710 711int 712mac_init_mbuf(struct mbuf *m, int flag) 713{ 714 int error; 715 716 KASSERT(m->m_flags & M_PKTHDR, ("mac_init_mbuf on non-header mbuf")); 717 718 mac_init_label(&m->m_pkthdr.label); 719 720 MAC_CHECK(init_mbuf_label, &m->m_pkthdr.label, flag); 721 if (error) { 722 MAC_PERFORM(destroy_mbuf_label, &m->m_pkthdr.label); 723 mac_destroy_label(&m->m_pkthdr.label); 724 } 725 726#ifdef MAC_DEBUG 727 if (error == 0) 728 atomic_add_int(&nmacmbufs, 1); 729#endif 730 return (error); 731} 732 733void 734mac_init_mount(struct mount *mp) 735{ 736 737 mac_init_label(&mp->mnt_mntlabel); 738 mac_init_label(&mp->mnt_fslabel); 739 MAC_PERFORM(init_mount_label, &mp->mnt_mntlabel); 740 MAC_PERFORM(init_mount_fs_label, &mp->mnt_fslabel); 741#ifdef MAC_DEBUG 742 atomic_add_int(&nmacmounts, 1); 743#endif 744} 745 746static void 747mac_init_pipe_label(struct label *label) 748{ 749 750 mac_init_label(label); 751 MAC_PERFORM(init_pipe_label, label); 752#ifdef MAC_DEBUG 753 atomic_add_int(&nmacpipes, 1); 754#endif 755} 756 757void 758mac_init_pipe(struct pipe *pipe) 759{ 760 struct label *label; 761 762 label = malloc(sizeof(struct label), M_MACPIPELABEL, M_ZERO|M_WAITOK); 763 pipe->pipe_label = label; 764 pipe->pipe_peer->pipe_label = label; 765 mac_init_pipe_label(label); 766} 767 768void 769mac_init_proc(struct proc *p) 770{ 771 772 mac_init_label(&p->p_label); 773 MAC_PERFORM(init_proc_label, &p->p_label); 774#ifdef MAC_DEBUG 775 atomic_add_int(&nmacprocs, 1); 776#endif 777} 778 779static int 780mac_init_socket_label(struct label *label, int flag) 781{ 782 int error; 783 784 mac_init_label(label); 785 786 MAC_CHECK(init_socket_label, label, flag); 787 if (error) { 788 MAC_PERFORM(destroy_socket_label, label); 789 mac_destroy_label(label); 790 } 791 792#ifdef MAC_DEBUG 793 if (error == 0) 794 atomic_add_int(&nmacsockets, 1); 795#endif 796 797 return (error); 798} 799 800static int 801mac_init_socket_peer_label(struct label *label, int flag) 802{ 803 int error; 804 805 mac_init_label(label); 806 807 MAC_CHECK(init_socket_peer_label, label, flag); 808 if (error) { 809 MAC_PERFORM(destroy_socket_label, label); 810 mac_destroy_label(label); 811 } 812 813 return (error); 814} 815 816int 817mac_init_socket(struct socket *socket, int flag) 818{ 819 int error; 820 821 error = mac_init_socket_label(&socket->so_label, flag); 822 if (error) 823 return (error); 824 825 error = mac_init_socket_peer_label(&socket->so_peerlabel, flag); 826 if (error) 827 mac_destroy_socket_label(&socket->so_label); 828 829 return (error); 830} 831 832void 833mac_init_vnode_label(struct label *label) 834{ 835 836 mac_init_label(label); 837 MAC_PERFORM(init_vnode_label, label); 838#ifdef MAC_DEBUG 839 atomic_add_int(&nmacvnodes, 1); 840#endif 841} 842 843void 844mac_init_vnode(struct vnode *vp) 845{ 846 847 mac_init_vnode_label(&vp->v_label); 848} 849 850void 851mac_destroy_bpfdesc(struct bpf_d *bpf_d) 852{ 853 854 MAC_PERFORM(destroy_bpfdesc_label, &bpf_d->bd_label); 855 mac_destroy_label(&bpf_d->bd_label); 856#ifdef MAC_DEBUG 857 atomic_subtract_int(&nmacbpfdescs, 1); 858#endif 859} 860 861static void 862mac_destroy_cred_label(struct label *label) 863{ 864 865 MAC_PERFORM(destroy_cred_label, label); 866 mac_destroy_label(label); 867#ifdef MAC_DEBUG 868 atomic_subtract_int(&nmaccreds, 1); 869#endif 870} 871 872void 873mac_destroy_cred(struct ucred *cred) 874{ 875 876 mac_destroy_cred_label(&cred->cr_label); 877} 878 879void 880mac_destroy_devfsdirent(struct devfs_dirent *de) 881{ 882 883 MAC_PERFORM(destroy_devfsdirent_label, &de->de_label); 884 mac_destroy_label(&de->de_label); 885#ifdef MAC_DEBUG 886 atomic_subtract_int(&nmacdevfsdirents, 1); 887#endif 888} 889 890static void 891mac_destroy_ifnet_label(struct label *label) 892{ 893 894 MAC_PERFORM(destroy_ifnet_label, label); 895 mac_destroy_label(label); 896#ifdef MAC_DEBUG 897 atomic_subtract_int(&nmacifnets, 1); 898#endif 899} 900 901void 902mac_destroy_ifnet(struct ifnet *ifp) 903{ 904 905 mac_destroy_ifnet_label(&ifp->if_label); 906} 907 908void 909mac_destroy_ipq(struct ipq *ipq) 910{ 911 912 MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label); 913 mac_destroy_label(&ipq->ipq_label); 914#ifdef MAC_DEBUG 915 atomic_subtract_int(&nmacipqs, 1); 916#endif 917} 918 919void 920mac_destroy_mbuf(struct mbuf *m) 921{ 922 923 MAC_PERFORM(destroy_mbuf_label, &m->m_pkthdr.label); 924 mac_destroy_label(&m->m_pkthdr.label); 925#ifdef MAC_DEBUG 926 atomic_subtract_int(&nmacmbufs, 1); 927#endif 928} 929 930void 931mac_destroy_mount(struct mount *mp) 932{ 933 934 MAC_PERFORM(destroy_mount_label, &mp->mnt_mntlabel); 935 MAC_PERFORM(destroy_mount_fs_label, &mp->mnt_fslabel); 936 mac_destroy_label(&mp->mnt_fslabel); 937 mac_destroy_label(&mp->mnt_mntlabel); 938#ifdef MAC_DEBUG 939 atomic_subtract_int(&nmacmounts, 1); 940#endif 941} 942 943static void 944mac_destroy_pipe_label(struct label *label) 945{ 946 947 MAC_PERFORM(destroy_pipe_label, label); 948 mac_destroy_label(label); 949#ifdef MAC_DEBUG 950 atomic_subtract_int(&nmacpipes, 1); 951#endif 952} 953 954void 955mac_destroy_pipe(struct pipe *pipe) 956{ 957 958 mac_destroy_pipe_label(pipe->pipe_label); 959 free(pipe->pipe_label, M_MACPIPELABEL); 960} 961 962void 963mac_destroy_proc(struct proc *p) 964{ 965 966 MAC_PERFORM(destroy_proc_label, &p->p_label); 967 mac_destroy_label(&p->p_label); 968#ifdef MAC_DEBUG 969 atomic_subtract_int(&nmacprocs, 1); 970#endif 971} 972 973static void 974mac_destroy_socket_label(struct label *label) 975{ 976 977 MAC_PERFORM(destroy_socket_label, label); 978 mac_destroy_label(label); 979#ifdef MAC_DEBUG 980 atomic_subtract_int(&nmacsockets, 1); 981#endif 982} 983 984static void 985mac_destroy_socket_peer_label(struct label *label) 986{ 987 988 MAC_PERFORM(destroy_socket_peer_label, label); 989 mac_destroy_label(label); 990} 991 992void 993mac_destroy_socket(struct socket *socket) 994{ 995 996 mac_destroy_socket_label(&socket->so_label); 997 mac_destroy_socket_peer_label(&socket->so_peerlabel); 998} 999 1000void 1001mac_destroy_vnode_label(struct label *label) 1002{ 1003 1004 MAC_PERFORM(destroy_vnode_label, label); 1005 mac_destroy_label(label); 1006#ifdef MAC_DEBUG 1007 atomic_subtract_int(&nmacvnodes, 1); 1008#endif 1009} 1010 1011void 1012mac_destroy_vnode(struct vnode *vp) 1013{ 1014 1015 mac_destroy_vnode_label(&vp->v_label); 1016} 1017 1018static void 1019mac_copy_pipe_label(struct label *src, struct label *dest) 1020{ 1021 1022 MAC_PERFORM(copy_pipe_label, src, dest); 1023} 1024 1025void 1026mac_copy_vnode_label(struct label *src, struct label *dest) 1027{ 1028 1029 MAC_PERFORM(copy_vnode_label, src, dest); 1030} 1031 1032static int 1033mac_check_structmac_consistent(struct mac *mac) 1034{ 1035 1036 if (mac->m_buflen > MAC_MAX_LABEL_BUF_LEN) 1037 return (EINVAL); 1038 1039 return (0); 1040} 1041 1042static int 1043mac_externalize_cred_label(struct label *label, char *elements, 1044 char *outbuf, size_t outbuflen, int flags) 1045{ 1046 int error; 1047 1048 MAC_EXTERNALIZE(cred_label, label, elements, outbuf, outbuflen); 1049 1050 return (error); 1051} 1052 1053static int 1054mac_externalize_ifnet_label(struct label *label, char *elements, 1055 char *outbuf, size_t outbuflen, int flags) 1056{ 1057 int error; 1058 1059 MAC_EXTERNALIZE(ifnet_label, label, elements, outbuf, outbuflen); 1060 1061 return (error); 1062} 1063 1064static int 1065mac_externalize_pipe_label(struct label *label, char *elements, 1066 char *outbuf, size_t outbuflen, int flags) 1067{ 1068 int error; 1069 1070 MAC_EXTERNALIZE(pipe_label, label, elements, outbuf, outbuflen); 1071 1072 return (error); 1073} 1074 1075static int 1076mac_externalize_socket_label(struct label *label, char *elements, 1077 char *outbuf, size_t outbuflen, int flags) 1078{ 1079 int error; 1080 1081 MAC_EXTERNALIZE(socket_label, label, elements, outbuf, outbuflen); 1082 1083 return (error); 1084} 1085 1086static int 1087mac_externalize_socket_peer_label(struct label *label, char *elements, 1088 char *outbuf, size_t outbuflen, int flags) 1089{ 1090 int error; 1091 1092 MAC_EXTERNALIZE(socket_peer_label, label, elements, outbuf, outbuflen); 1093 1094 return (error); 1095} 1096 1097static int 1098mac_externalize_vnode_label(struct label *label, char *elements, 1099 char *outbuf, size_t outbuflen, int flags) 1100{ 1101 int error; 1102 1103 MAC_EXTERNALIZE(vnode_label, label, elements, outbuf, outbuflen); 1104 1105 return (error); 1106} 1107 1108static int 1109mac_internalize_cred_label(struct label *label, char *string) 1110{ 1111 int error; 1112 1113 MAC_INTERNALIZE(cred_label, label, string); 1114 1115 return (error); 1116} 1117 1118static int 1119mac_internalize_ifnet_label(struct label *label, char *string) 1120{ 1121 int error; 1122 1123 MAC_INTERNALIZE(ifnet_label, label, string); 1124 1125 return (error); 1126} 1127 1128static int 1129mac_internalize_pipe_label(struct label *label, char *string) 1130{ 1131 int error; 1132 1133 MAC_INTERNALIZE(pipe_label, label, string); 1134 1135 return (error); 1136} 1137 1138static int 1139mac_internalize_socket_label(struct label *label, char *string) 1140{ 1141 int error; 1142 1143 MAC_INTERNALIZE(socket_label, label, string); 1144 1145 return (error); 1146} 1147 1148static int 1149mac_internalize_vnode_label(struct label *label, char *string) 1150{ 1151 int error; 1152 1153 MAC_INTERNALIZE(vnode_label, label, string); 1154 1155 return (error); 1156} 1157 1158/* 1159 * Initialize MAC label for the first kernel process, from which other 1160 * kernel processes and threads are spawned. 1161 */ 1162void 1163mac_create_proc0(struct ucred *cred) 1164{ 1165 1166 MAC_PERFORM(create_proc0, cred); 1167} 1168 1169/* 1170 * Initialize MAC label for the first userland process, from which other 1171 * userland processes and threads are spawned. 1172 */ 1173void 1174mac_create_proc1(struct ucred *cred) 1175{ 1176 1177 MAC_PERFORM(create_proc1, cred); 1178} 1179 1180void 1181mac_thread_userret(struct thread *td) 1182{ 1183 1184 MAC_PERFORM(thread_userret, td); 1185} 1186 1187/* 1188 * When a new process is created, its label must be initialized. Generally, 1189 * this involves inheritence from the parent process, modulo possible 1190 * deltas. This function allows that processing to take place. 1191 */ 1192void 1193mac_create_cred(struct ucred *parent_cred, struct ucred *child_cred) 1194{ 1195 1196 MAC_PERFORM(create_cred, parent_cred, child_cred); 1197} 1198 1199void 1200mac_update_devfsdirent(struct mount *mp, struct devfs_dirent *de, 1201 struct vnode *vp) 1202{ 1203 1204 MAC_PERFORM(update_devfsdirent, mp, de, &de->de_label, vp, 1205 &vp->v_label); 1206} 1207 1208void 1209mac_associate_vnode_devfs(struct mount *mp, struct devfs_dirent *de, 1210 struct vnode *vp) 1211{ 1212 1213 MAC_PERFORM(associate_vnode_devfs, mp, &mp->mnt_fslabel, de, 1214 &de->de_label, vp, &vp->v_label); 1215} 1216 1217int 1218mac_associate_vnode_extattr(struct mount *mp, struct vnode *vp) 1219{ 1220 int error; 1221 1222 ASSERT_VOP_LOCKED(vp, "mac_associate_vnode_extattr"); 1223 1224 MAC_CHECK(associate_vnode_extattr, mp, &mp->mnt_fslabel, vp, 1225 &vp->v_label); 1226 1227 return (error); 1228} 1229 1230void 1231mac_associate_vnode_singlelabel(struct mount *mp, struct vnode *vp) 1232{ 1233 1234 MAC_PERFORM(associate_vnode_singlelabel, mp, &mp->mnt_fslabel, vp, 1235 &vp->v_label); 1236} 1237 1238int 1239mac_create_vnode_extattr(struct ucred *cred, struct mount *mp, 1240 struct vnode *dvp, struct vnode *vp, struct componentname *cnp) 1241{ 1242 int error; 1243 1244 ASSERT_VOP_LOCKED(dvp, "mac_create_vnode_extattr"); 1245 ASSERT_VOP_LOCKED(vp, "mac_create_vnode_extattr"); 1246 1247 error = VOP_OPENEXTATTR(vp, cred, curthread); 1248 if (error == EOPNOTSUPP) { 1249 /* XXX: Optionally abort if transactions not supported. */ 1250 if (ea_warn_once == 0) { 1251 printf("Warning: transactions not supported " 1252 "in EA write.\n"); 1253 ea_warn_once = 1; 1254 } 1255 } else if (error) 1256 return (error); 1257 1258 MAC_CHECK(create_vnode_extattr, cred, mp, &mp->mnt_fslabel, 1259 dvp, &dvp->v_label, vp, &vp->v_label, cnp); 1260 1261 if (error) { 1262 VOP_CLOSEEXTATTR(vp, 0, NOCRED, curthread); 1263 return (error); 1264 } 1265 1266 error = VOP_CLOSEEXTATTR(vp, 1, NOCRED, curthread); 1267 1268 if (error == EOPNOTSUPP) 1269 error = 0; /* XXX */ 1270 1271 return (error); 1272} 1273 1274static int 1275mac_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp, 1276 struct label *intlabel) 1277{ 1278 int error; 1279 1280 ASSERT_VOP_LOCKED(vp, "mac_setlabel_vnode_extattr"); 1281 1282 error = VOP_OPENEXTATTR(vp, cred, curthread); 1283 if (error == EOPNOTSUPP) { 1284 /* XXX: Optionally abort if transactions not supported. */ 1285 if (ea_warn_once == 0) { 1286 printf("Warning: transactions not supported " 1287 "in EA write.\n"); 1288 ea_warn_once = 1; 1289 } 1290 } else if (error) 1291 return (error); 1292 1293 MAC_CHECK(setlabel_vnode_extattr, cred, vp, &vp->v_label, intlabel); 1294 1295 if (error) { 1296 VOP_CLOSEEXTATTR(vp, 0, NOCRED, curthread); 1297 return (error); 1298 } 1299 1300 error = VOP_CLOSEEXTATTR(vp, 1, NOCRED, curthread); 1301 1302 if (error == EOPNOTSUPP) 1303 error = 0; /* XXX */ 1304 1305 return (error); 1306} 1307 1308int 1309mac_execve_enter(struct image_params *imgp, struct mac *mac_p, 1310 struct label *execlabelstorage) 1311{ 1312 struct mac mac; 1313 char *buffer; 1314 int error; 1315 1316 if (mac_p == NULL) 1317 return (0); 1318 1319 error = copyin(mac_p, &mac, sizeof(mac)); 1320 if (error) 1321 return (error); 1322 1323 error = mac_check_structmac_consistent(&mac); 1324 if (error) 1325 return (error); 1326 1327 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK); 1328 error = copyinstr(mac.m_string, buffer, mac.m_buflen, NULL); 1329 if (error) { 1330 free(buffer, M_MACTEMP); 1331 return (error); 1332 } 1333 1334 mac_init_cred_label(execlabelstorage); 1335 error = mac_internalize_cred_label(execlabelstorage, buffer); 1336 free(buffer, M_MACTEMP); 1337 if (error) { 1338 mac_destroy_cred_label(execlabelstorage); 1339 return (error); 1340 } 1341 imgp->execlabel = execlabelstorage; 1342 return (0); 1343} 1344 1345void 1346mac_execve_exit(struct image_params *imgp) 1347{ 1348 if (imgp->execlabel != NULL) 1349 mac_destroy_cred_label(imgp->execlabel); 1350} 1351 1352void 1353mac_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp, 1354 struct label *interpvnodelabel, struct image_params *imgp) 1355{ 1356 1357 ASSERT_VOP_LOCKED(vp, "mac_execve_transition"); 1358 1359 if (!mac_enforce_process && !mac_enforce_fs) 1360 return; 1361 1362 MAC_PERFORM(execve_transition, old, new, vp, &vp->v_label, 1363 interpvnodelabel, imgp, imgp->execlabel); 1364} 1365 1366int 1367mac_execve_will_transition(struct ucred *old, struct vnode *vp, 1368 struct label *interpvnodelabel, struct image_params *imgp) 1369{ 1370 int result; 1371 1372 ASSERT_VOP_LOCKED(vp, "mac_execve_will_transition"); 1373 1374 if (!mac_enforce_process && !mac_enforce_fs) 1375 return (0); 1376 1377 result = 0; 1378 MAC_BOOLEAN(execve_will_transition, ||, old, vp, &vp->v_label, 1379 interpvnodelabel, imgp, imgp->execlabel); 1380 1381 return (result); 1382} 1383 1384int 1385mac_check_vnode_access(struct ucred *cred, struct vnode *vp, int acc_mode) 1386{ 1387 int error; 1388 1389 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_access"); 1390 1391 if (!mac_enforce_fs) 1392 return (0); 1393 1394 MAC_CHECK(check_vnode_access, cred, vp, &vp->v_label, acc_mode); 1395 return (error); 1396} 1397 1398int 1399mac_check_vnode_chdir(struct ucred *cred, struct vnode *dvp) 1400{ 1401 int error; 1402 1403 ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_chdir"); 1404 1405 if (!mac_enforce_fs) 1406 return (0); 1407 1408 MAC_CHECK(check_vnode_chdir, cred, dvp, &dvp->v_label); 1409 return (error); 1410} 1411 1412int 1413mac_check_vnode_chroot(struct ucred *cred, struct vnode *dvp) 1414{ 1415 int error; 1416 1417 ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_chroot"); 1418 1419 if (!mac_enforce_fs) 1420 return (0); 1421 1422 MAC_CHECK(check_vnode_chroot, cred, dvp, &dvp->v_label); 1423 return (error); 1424} 1425 1426int 1427mac_check_vnode_create(struct ucred *cred, struct vnode *dvp, 1428 struct componentname *cnp, struct vattr *vap) 1429{ 1430 int error; 1431 1432 ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_create"); 1433 1434 if (!mac_enforce_fs) 1435 return (0); 1436 1437 MAC_CHECK(check_vnode_create, cred, dvp, &dvp->v_label, cnp, vap); 1438 return (error); 1439} 1440 1441int 1442mac_check_vnode_delete(struct ucred *cred, struct vnode *dvp, struct vnode *vp, 1443 struct componentname *cnp) 1444{ 1445 int error; 1446 1447 ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_delete"); 1448 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_delete"); 1449 1450 if (!mac_enforce_fs) 1451 return (0); 1452 1453 MAC_CHECK(check_vnode_delete, cred, dvp, &dvp->v_label, vp, 1454 &vp->v_label, cnp); 1455 return (error); 1456} 1457 1458int 1459mac_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp, 1460 acl_type_t type) 1461{ 1462 int error; 1463 1464 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_deleteacl"); 1465 1466 if (!mac_enforce_fs) 1467 return (0); 1468 1469 MAC_CHECK(check_vnode_deleteacl, cred, vp, &vp->v_label, type); 1470 return (error); 1471} 1472 1473int 1474mac_check_vnode_exec(struct ucred *cred, struct vnode *vp, 1475 struct image_params *imgp) 1476{ 1477 int error; 1478 1479 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_exec"); 1480 1481 if (!mac_enforce_process && !mac_enforce_fs) 1482 return (0); 1483 1484 MAC_CHECK(check_vnode_exec, cred, vp, &vp->v_label, imgp, 1485 imgp->execlabel); 1486 1487 return (error); 1488} 1489 1490int 1491mac_check_vnode_getacl(struct ucred *cred, struct vnode *vp, acl_type_t type) 1492{ 1493 int error; 1494 1495 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_getacl"); 1496 1497 if (!mac_enforce_fs) 1498 return (0); 1499 1500 MAC_CHECK(check_vnode_getacl, cred, vp, &vp->v_label, type); 1501 return (error); 1502} 1503 1504int 1505mac_check_vnode_getextattr(struct ucred *cred, struct vnode *vp, 1506 int attrnamespace, const char *name, struct uio *uio) 1507{ 1508 int error; 1509 1510 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_getextattr"); 1511 1512 if (!mac_enforce_fs) 1513 return (0); 1514 1515 MAC_CHECK(check_vnode_getextattr, cred, vp, &vp->v_label, 1516 attrnamespace, name, uio); 1517 return (error); 1518} 1519 1520int 1521mac_check_vnode_link(struct ucred *cred, struct vnode *dvp, 1522 struct vnode *vp, struct componentname *cnp) 1523{ 1524 int error; 1525 1526 ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_link"); 1527 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_link"); 1528 1529 if (!mac_enforce_fs) 1530 return (0); 1531 1532 MAC_CHECK(check_vnode_link, cred, dvp, &dvp->v_label, vp, 1533 &vp->v_label, cnp); 1534 return (error); 1535} 1536 1537int 1538mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, 1539 struct componentname *cnp) 1540{ 1541 int error; 1542 1543 ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_lookup"); 1544 1545 if (!mac_enforce_fs) 1546 return (0); 1547 1548 MAC_CHECK(check_vnode_lookup, cred, dvp, &dvp->v_label, cnp); 1549 return (error); 1550} 1551 1552int 1553mac_check_vnode_mmap(struct ucred *cred, struct vnode *vp, int prot) 1554{ 1555 int error; 1556 1557 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_mmap"); 1558 1559 if (!mac_enforce_fs || !mac_enforce_vm) 1560 return (0); 1561 1562 MAC_CHECK(check_vnode_mmap, cred, vp, &vp->v_label, prot); 1563 return (error); 1564} 1565 1566void 1567mac_check_vnode_mmap_downgrade(struct ucred *cred, struct vnode *vp, int *prot) 1568{ 1569 int result = *prot; 1570 1571 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_mmap_downgrade"); 1572 1573 if (!mac_enforce_fs || !mac_enforce_vm) 1574 return; 1575 1576 MAC_PERFORM(check_vnode_mmap_downgrade, cred, vp, &vp->v_label, 1577 &result); 1578 1579 *prot = result; 1580} 1581 1582int 1583mac_check_vnode_mprotect(struct ucred *cred, struct vnode *vp, int prot) 1584{ 1585 int error; 1586 1587 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_mprotect"); 1588 1589 if (!mac_enforce_fs || !mac_enforce_vm) 1590 return (0); 1591 1592 MAC_CHECK(check_vnode_mprotect, cred, vp, &vp->v_label, prot); 1593 return (error); 1594} 1595 1596int 1597mac_check_vnode_open(struct ucred *cred, struct vnode *vp, int acc_mode) 1598{ 1599 int error; 1600 1601 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open"); 1602 1603 if (!mac_enforce_fs) 1604 return (0); 1605 1606 MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode); 1607 return (error); 1608} 1609 1610int 1611mac_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred, 1612 struct vnode *vp) 1613{ 1614 int error; 1615 1616 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_poll"); 1617 1618 if (!mac_enforce_fs) 1619 return (0); 1620 1621 MAC_CHECK(check_vnode_poll, active_cred, file_cred, vp, 1622 &vp->v_label); 1623 1624 return (error); 1625} 1626 1627int 1628mac_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred, 1629 struct vnode *vp) 1630{ 1631 int error; 1632 1633 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_read"); 1634 1635 if (!mac_enforce_fs) 1636 return (0); 1637 1638 MAC_CHECK(check_vnode_read, active_cred, file_cred, vp, 1639 &vp->v_label); 1640 1641 return (error); 1642} 1643 1644int 1645mac_check_vnode_readdir(struct ucred *cred, struct vnode *dvp) 1646{ 1647 int error; 1648 1649 ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_readdir"); 1650 1651 if (!mac_enforce_fs) 1652 return (0); 1653 1654 MAC_CHECK(check_vnode_readdir, cred, dvp, &dvp->v_label); 1655 return (error); 1656} 1657 1658int 1659mac_check_vnode_readlink(struct ucred *cred, struct vnode *vp) 1660{ 1661 int error; 1662 1663 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_readlink"); 1664 1665 if (!mac_enforce_fs) 1666 return (0); 1667 1668 MAC_CHECK(check_vnode_readlink, cred, vp, &vp->v_label); 1669 return (error); 1670} 1671 1672static int 1673mac_check_vnode_relabel(struct ucred *cred, struct vnode *vp, 1674 struct label *newlabel) 1675{ 1676 int error; 1677 1678 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_relabel"); 1679 1680 MAC_CHECK(check_vnode_relabel, cred, vp, &vp->v_label, newlabel); 1681 1682 return (error); 1683} 1684 1685int 1686mac_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp, 1687 struct vnode *vp, struct componentname *cnp) 1688{ 1689 int error; 1690 1691 ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_rename_from"); 1692 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_rename_from"); 1693 1694 if (!mac_enforce_fs) 1695 return (0); 1696 1697 MAC_CHECK(check_vnode_rename_from, cred, dvp, &dvp->v_label, vp, 1698 &vp->v_label, cnp); 1699 return (error); 1700} 1701 1702int 1703mac_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp, 1704 struct vnode *vp, int samedir, struct componentname *cnp) 1705{ 1706 int error; 1707 1708 ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_rename_to"); 1709 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_rename_to"); 1710 1711 if (!mac_enforce_fs) 1712 return (0); 1713 1714 MAC_CHECK(check_vnode_rename_to, cred, dvp, &dvp->v_label, vp, 1715 vp != NULL ? &vp->v_label : NULL, samedir, cnp); 1716 return (error); 1717} 1718 1719int 1720mac_check_vnode_revoke(struct ucred *cred, struct vnode *vp) 1721{ 1722 int error; 1723 1724 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_revoke"); 1725 1726 if (!mac_enforce_fs) 1727 return (0); 1728 1729 MAC_CHECK(check_vnode_revoke, cred, vp, &vp->v_label); 1730 return (error); 1731} 1732 1733int 1734mac_check_vnode_setacl(struct ucred *cred, struct vnode *vp, acl_type_t type, 1735 struct acl *acl) 1736{ 1737 int error; 1738 1739 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setacl"); 1740 1741 if (!mac_enforce_fs) 1742 return (0); 1743 1744 MAC_CHECK(check_vnode_setacl, cred, vp, &vp->v_label, type, acl); 1745 return (error); 1746} 1747 1748int 1749mac_check_vnode_setextattr(struct ucred *cred, struct vnode *vp, 1750 int attrnamespace, const char *name, struct uio *uio) 1751{ 1752 int error; 1753 1754 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setextattr"); 1755 1756 if (!mac_enforce_fs) 1757 return (0); 1758 1759 MAC_CHECK(check_vnode_setextattr, cred, vp, &vp->v_label, 1760 attrnamespace, name, uio); 1761 return (error); 1762} 1763 1764int 1765mac_check_vnode_setflags(struct ucred *cred, struct vnode *vp, u_long flags) 1766{ 1767 int error; 1768 1769 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setflags"); 1770 1771 if (!mac_enforce_fs) 1772 return (0); 1773 1774 MAC_CHECK(check_vnode_setflags, cred, vp, &vp->v_label, flags); 1775 return (error); 1776} 1777 1778int 1779mac_check_vnode_setmode(struct ucred *cred, struct vnode *vp, mode_t mode) 1780{ 1781 int error; 1782 1783 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setmode"); 1784 1785 if (!mac_enforce_fs) 1786 return (0); 1787 1788 MAC_CHECK(check_vnode_setmode, cred, vp, &vp->v_label, mode); 1789 return (error); 1790} 1791 1792int 1793mac_check_vnode_setowner(struct ucred *cred, struct vnode *vp, uid_t uid, 1794 gid_t gid) 1795{ 1796 int error; 1797 1798 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setowner"); 1799 1800 if (!mac_enforce_fs) 1801 return (0); 1802 1803 MAC_CHECK(check_vnode_setowner, cred, vp, &vp->v_label, uid, gid); 1804 return (error); 1805} 1806 1807int 1808mac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp, 1809 struct timespec atime, struct timespec mtime) 1810{ 1811 int error; 1812 1813 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setutimes"); 1814 1815 if (!mac_enforce_fs) 1816 return (0); 1817 1818 MAC_CHECK(check_vnode_setutimes, cred, vp, &vp->v_label, atime, 1819 mtime); 1820 return (error); 1821} 1822 1823int 1824mac_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred, 1825 struct vnode *vp) 1826{ 1827 int error; 1828 1829 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_stat"); 1830 1831 if (!mac_enforce_fs) 1832 return (0); 1833 1834 MAC_CHECK(check_vnode_stat, active_cred, file_cred, vp, 1835 &vp->v_label); 1836 return (error); 1837} 1838 1839int 1840mac_check_vnode_write(struct ucred *active_cred, struct ucred *file_cred, 1841 struct vnode *vp) 1842{ 1843 int error; 1844 1845 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_write"); 1846 1847 if (!mac_enforce_fs) 1848 return (0); 1849 1850 MAC_CHECK(check_vnode_write, active_cred, file_cred, vp, 1851 &vp->v_label); 1852 1853 return (error); 1854} 1855 1856/* 1857 * When relabeling a process, call out to the policies for the maximum 1858 * permission allowed for each object type we know about in its 1859 * memory space, and revoke access (in the least surprising ways we 1860 * know) when necessary. The process lock is not held here. 1861 */ 1862void 1863mac_cred_mmapped_drop_perms(struct thread *td, struct ucred *cred) 1864{ 1865 1866 /* XXX freeze all other threads */ 1867 mac_cred_mmapped_drop_perms_recurse(td, cred, 1868 &td->td_proc->p_vmspace->vm_map); 1869 /* XXX allow other threads to continue */ 1870} 1871 1872static __inline const char * 1873prot2str(vm_prot_t prot) 1874{ 1875 1876 switch (prot & VM_PROT_ALL) { 1877 case VM_PROT_READ: 1878 return ("r--"); 1879 case VM_PROT_READ | VM_PROT_WRITE: 1880 return ("rw-"); 1881 case VM_PROT_READ | VM_PROT_EXECUTE: 1882 return ("r-x"); 1883 case VM_PROT_READ | VM_PROT_WRITE | VM_PROT_EXECUTE: 1884 return ("rwx"); 1885 case VM_PROT_WRITE: 1886 return ("-w-"); 1887 case VM_PROT_EXECUTE: 1888 return ("--x"); 1889 case VM_PROT_WRITE | VM_PROT_EXECUTE: 1890 return ("-wx"); 1891 default: 1892 return ("---"); 1893 } 1894} 1895 1896static void 1897mac_cred_mmapped_drop_perms_recurse(struct thread *td, struct ucred *cred, 1898 struct vm_map *map) 1899{ 1900 struct vm_map_entry *vme; 1901 int result; 1902 vm_prot_t revokeperms; 1903 vm_object_t object; 1904 vm_ooffset_t offset; 1905 struct vnode *vp; 1906 1907 if (!mac_mmap_revocation) 1908 return; 1909 1910 vm_map_lock_read(map); 1911 for (vme = map->header.next; vme != &map->header; vme = vme->next) { 1912 if (vme->eflags & MAP_ENTRY_IS_SUB_MAP) { 1913 mac_cred_mmapped_drop_perms_recurse(td, cred, 1914 vme->object.sub_map); 1915 continue; 1916 } 1917 /* 1918 * Skip over entries that obviously are not shared. 1919 */ 1920 if (vme->eflags & (MAP_ENTRY_COW | MAP_ENTRY_NOSYNC) || 1921 !vme->max_protection) 1922 continue; 1923 /* 1924 * Drill down to the deepest backing object. 1925 */ 1926 offset = vme->offset; 1927 object = vme->object.vm_object; 1928 if (object == NULL) 1929 continue; 1930 while (object->backing_object != NULL) { 1931 object = object->backing_object; 1932 offset += object->backing_object_offset; 1933 } 1934 /* 1935 * At the moment, vm_maps and objects aren't considered 1936 * by the MAC system, so only things with backing by a 1937 * normal object (read: vnodes) are checked. 1938 */ 1939 if (object->type != OBJT_VNODE) 1940 continue; 1941 vp = (struct vnode *)object->handle; 1942 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); 1943 result = vme->max_protection; 1944 mac_check_vnode_mmap_downgrade(cred, vp, &result); 1945 VOP_UNLOCK(vp, 0, td); 1946 /* 1947 * Find out what maximum protection we may be allowing 1948 * now but a policy needs to get removed. 1949 */ 1950 revokeperms = vme->max_protection & ~result; 1951 if (!revokeperms) 1952 continue; 1953 printf("pid %ld: revoking %s perms from %#lx:%ld " 1954 "(max %s/cur %s)\n", (long)td->td_proc->p_pid, 1955 prot2str(revokeperms), (u_long)vme->start, 1956 (long)(vme->end - vme->start), 1957 prot2str(vme->max_protection), prot2str(vme->protection)); 1958 vm_map_lock_upgrade(map); 1959 /* 1960 * This is the really simple case: if a map has more 1961 * max_protection than is allowed, but it's not being 1962 * actually used (that is, the current protection is 1963 * still allowed), we can just wipe it out and do 1964 * nothing more. 1965 */ 1966 if ((vme->protection & revokeperms) == 0) { 1967 vme->max_protection -= revokeperms; 1968 } else { 1969 if (revokeperms & VM_PROT_WRITE) { 1970 /* 1971 * In the more complicated case, flush out all 1972 * pending changes to the object then turn it 1973 * copy-on-write. 1974 */ 1975 vm_object_reference(object); 1976 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); 1977 vm_object_page_clean(object, 1978 OFF_TO_IDX(offset), 1979 OFF_TO_IDX(offset + vme->end - vme->start + 1980 PAGE_MASK), 1981 OBJPC_SYNC); 1982 VOP_UNLOCK(vp, 0, td); 1983 vm_object_deallocate(object); 1984 /* 1985 * Why bother if there's no read permissions 1986 * anymore? For the rest, we need to leave 1987 * the write permissions on for COW, or 1988 * remove them entirely if configured to. 1989 */ 1990 if (!mac_mmap_revocation_via_cow) { 1991 vme->max_protection &= ~VM_PROT_WRITE; 1992 vme->protection &= ~VM_PROT_WRITE; 1993 } if ((revokeperms & VM_PROT_READ) == 0) 1994 vme->eflags |= MAP_ENTRY_COW | 1995 MAP_ENTRY_NEEDS_COPY; 1996 } 1997 if (revokeperms & VM_PROT_EXECUTE) { 1998 vme->max_protection &= ~VM_PROT_EXECUTE; 1999 vme->protection &= ~VM_PROT_EXECUTE; 2000 } 2001 if (revokeperms & VM_PROT_READ) { 2002 vme->max_protection = 0; 2003 vme->protection = 0; 2004 } 2005 pmap_protect(map->pmap, vme->start, vme->end, 2006 vme->protection & ~revokeperms); 2007 vm_map_simplify_entry(map, vme); 2008 } 2009 vm_map_lock_downgrade(map); 2010 } 2011 vm_map_unlock_read(map); 2012} 2013 2014/* 2015 * When the subject's label changes, it may require revocation of privilege 2016 * to mapped objects. This can't be done on-the-fly later with a unified 2017 * buffer cache. 2018 */ 2019static void 2020mac_relabel_cred(struct ucred *cred, struct label *newlabel) 2021{ 2022 2023 MAC_PERFORM(relabel_cred, cred, newlabel); 2024} 2025 2026void 2027mac_relabel_vnode(struct ucred *cred, struct vnode *vp, struct label *newlabel) 2028{ 2029 2030 MAC_PERFORM(relabel_vnode, cred, vp, &vp->v_label, newlabel); 2031} 2032 2033void 2034mac_create_ifnet(struct ifnet *ifnet) 2035{ 2036 2037 MAC_PERFORM(create_ifnet, ifnet, &ifnet->if_label); 2038} 2039 2040void 2041mac_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d) 2042{ 2043 2044 MAC_PERFORM(create_bpfdesc, cred, bpf_d, &bpf_d->bd_label); 2045} 2046 2047void 2048mac_create_socket(struct ucred *cred, struct socket *socket) 2049{ 2050 2051 MAC_PERFORM(create_socket, cred, socket, &socket->so_label); 2052} 2053 2054void 2055mac_create_pipe(struct ucred *cred, struct pipe *pipe) 2056{ 2057 2058 MAC_PERFORM(create_pipe, cred, pipe, pipe->pipe_label); 2059} 2060 2061void 2062mac_create_socket_from_socket(struct socket *oldsocket, 2063 struct socket *newsocket) 2064{ 2065 2066 MAC_PERFORM(create_socket_from_socket, oldsocket, &oldsocket->so_label, 2067 newsocket, &newsocket->so_label); 2068} 2069 2070static void 2071mac_relabel_socket(struct ucred *cred, struct socket *socket, 2072 struct label *newlabel) 2073{ 2074 2075 MAC_PERFORM(relabel_socket, cred, socket, &socket->so_label, newlabel); 2076} 2077 2078static void 2079mac_relabel_pipe(struct ucred *cred, struct pipe *pipe, struct label *newlabel) 2080{ 2081 2082 MAC_PERFORM(relabel_pipe, cred, pipe, pipe->pipe_label, newlabel); 2083} 2084 2085void 2086mac_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct socket *socket) 2087{ 2088 2089 MAC_PERFORM(set_socket_peer_from_mbuf, mbuf, &mbuf->m_pkthdr.label, 2090 socket, &socket->so_peerlabel); 2091} 2092 2093void 2094mac_set_socket_peer_from_socket(struct socket *oldsocket, 2095 struct socket *newsocket) 2096{ 2097 2098 MAC_PERFORM(set_socket_peer_from_socket, oldsocket, 2099 &oldsocket->so_label, newsocket, &newsocket->so_peerlabel); 2100} 2101 2102void 2103mac_create_datagram_from_ipq(struct ipq *ipq, struct mbuf *datagram) 2104{ 2105 2106 MAC_PERFORM(create_datagram_from_ipq, ipq, &ipq->ipq_label, 2107 datagram, &datagram->m_pkthdr.label); 2108} 2109 2110void 2111mac_create_fragment(struct mbuf *datagram, struct mbuf *fragment) 2112{ 2113 2114 MAC_PERFORM(create_fragment, datagram, &datagram->m_pkthdr.label, 2115 fragment, &fragment->m_pkthdr.label); 2116} 2117 2118void 2119mac_create_ipq(struct mbuf *fragment, struct ipq *ipq) 2120{ 2121 2122 MAC_PERFORM(create_ipq, fragment, &fragment->m_pkthdr.label, ipq, 2123 &ipq->ipq_label); 2124} 2125 2126void 2127mac_create_mbuf_from_mbuf(struct mbuf *oldmbuf, struct mbuf *newmbuf) 2128{ 2129 2130 MAC_PERFORM(create_mbuf_from_mbuf, oldmbuf, &oldmbuf->m_pkthdr.label, 2131 newmbuf, &newmbuf->m_pkthdr.label); 2132} 2133 2134void 2135mac_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct mbuf *mbuf) 2136{ 2137 2138 MAC_PERFORM(create_mbuf_from_bpfdesc, bpf_d, &bpf_d->bd_label, mbuf, 2139 &mbuf->m_pkthdr.label); 2140} 2141 2142void 2143mac_create_mbuf_linklayer(struct ifnet *ifnet, struct mbuf *mbuf) 2144{ 2145 2146 MAC_PERFORM(create_mbuf_linklayer, ifnet, &ifnet->if_label, mbuf, 2147 &mbuf->m_pkthdr.label); 2148} 2149 2150void 2151mac_create_mbuf_from_ifnet(struct ifnet *ifnet, struct mbuf *mbuf) 2152{ 2153 2154 MAC_PERFORM(create_mbuf_from_ifnet, ifnet, &ifnet->if_label, mbuf, 2155 &mbuf->m_pkthdr.label); 2156} 2157 2158void 2159mac_create_mbuf_multicast_encap(struct mbuf *oldmbuf, struct ifnet *ifnet, 2160 struct mbuf *newmbuf) 2161{ 2162 2163 MAC_PERFORM(create_mbuf_multicast_encap, oldmbuf, 2164 &oldmbuf->m_pkthdr.label, ifnet, &ifnet->if_label, newmbuf, 2165 &newmbuf->m_pkthdr.label); 2166} 2167 2168void 2169mac_create_mbuf_netlayer(struct mbuf *oldmbuf, struct mbuf *newmbuf) 2170{ 2171 2172 MAC_PERFORM(create_mbuf_netlayer, oldmbuf, &oldmbuf->m_pkthdr.label, 2173 newmbuf, &newmbuf->m_pkthdr.label); 2174} 2175 2176int 2177mac_fragment_match(struct mbuf *fragment, struct ipq *ipq) 2178{ 2179 int result; 2180 2181 result = 1; 2182 MAC_BOOLEAN(fragment_match, &&, fragment, &fragment->m_pkthdr.label, 2183 ipq, &ipq->ipq_label); 2184 2185 return (result); 2186} 2187 2188void 2189mac_update_ipq(struct mbuf *fragment, struct ipq *ipq) 2190{ 2191 2192 MAC_PERFORM(update_ipq, fragment, &fragment->m_pkthdr.label, ipq, 2193 &ipq->ipq_label); 2194} 2195 2196void 2197mac_create_mbuf_from_socket(struct socket *socket, struct mbuf *mbuf) 2198{ 2199 2200 MAC_PERFORM(create_mbuf_from_socket, socket, &socket->so_label, mbuf, 2201 &mbuf->m_pkthdr.label); 2202} 2203 2204void 2205mac_create_mount(struct ucred *cred, struct mount *mp) 2206{ 2207 2208 MAC_PERFORM(create_mount, cred, mp, &mp->mnt_mntlabel, 2209 &mp->mnt_fslabel); 2210} 2211 2212void 2213mac_create_root_mount(struct ucred *cred, struct mount *mp) 2214{ 2215 2216 MAC_PERFORM(create_root_mount, cred, mp, &mp->mnt_mntlabel, 2217 &mp->mnt_fslabel); 2218} 2219 2220int 2221mac_check_bpfdesc_receive(struct bpf_d *bpf_d, struct ifnet *ifnet) 2222{ 2223 int error; 2224 2225 if (!mac_enforce_network) 2226 return (0); 2227 2228 MAC_CHECK(check_bpfdesc_receive, bpf_d, &bpf_d->bd_label, ifnet, 2229 &ifnet->if_label); 2230 2231 return (error); 2232} 2233 2234static int 2235mac_check_cred_relabel(struct ucred *cred, struct label *newlabel) 2236{ 2237 int error; 2238 2239 MAC_CHECK(check_cred_relabel, cred, newlabel); 2240 2241 return (error); 2242} 2243 2244int 2245mac_check_cred_visible(struct ucred *u1, struct ucred *u2) 2246{ 2247 int error; 2248 2249 if (!mac_enforce_process) 2250 return (0); 2251 2252 MAC_CHECK(check_cred_visible, u1, u2); 2253 2254 return (error); 2255} 2256 2257int 2258mac_check_ifnet_transmit(struct ifnet *ifnet, struct mbuf *mbuf) 2259{ 2260 int error; 2261 2262 if (!mac_enforce_network) 2263 return (0); 2264 2265 KASSERT(mbuf->m_flags & M_PKTHDR, ("packet has no pkthdr")); 2266 if (!(mbuf->m_pkthdr.label.l_flags & MAC_FLAG_INITIALIZED)) 2267 if_printf(ifnet, "not initialized\n"); 2268 2269 MAC_CHECK(check_ifnet_transmit, ifnet, &ifnet->if_label, mbuf, 2270 &mbuf->m_pkthdr.label); 2271 2272 return (error); 2273} 2274 2275int 2276mac_check_kenv_dump(struct ucred *cred) 2277{ 2278 int error; 2279 2280 if (!mac_enforce_system) 2281 return (0); 2282 2283 MAC_CHECK(check_kenv_dump, cred); 2284 2285 return (error); 2286} 2287 2288int 2289mac_check_kenv_get(struct ucred *cred, char *name) 2290{ 2291 int error; 2292 2293 if (!mac_enforce_system) 2294 return (0); 2295 2296 MAC_CHECK(check_kenv_get, cred, name); 2297 2298 return (error); 2299} 2300 2301int 2302mac_check_kenv_set(struct ucred *cred, char *name, char *value) 2303{ 2304 int error; 2305 2306 if (!mac_enforce_system) 2307 return (0); 2308 2309 MAC_CHECK(check_kenv_set, cred, name, value); 2310 2311 return (error); 2312} 2313 2314int 2315mac_check_kenv_unset(struct ucred *cred, char *name) 2316{ 2317 int error; 2318 2319 if (!mac_enforce_system) 2320 return (0); 2321 2322 MAC_CHECK(check_kenv_unset, cred, name); 2323 2324 return (error); 2325} 2326 2327int 2328mac_check_kld_load(struct ucred *cred, struct vnode *vp) 2329{ 2330 int error; 2331 2332 ASSERT_VOP_LOCKED(vp, "mac_check_kld_load"); 2333 2334 if (!mac_enforce_kld) 2335 return (0); 2336 2337 MAC_CHECK(check_kld_load, cred, vp, &vp->v_label); 2338 2339 return (error); 2340} 2341 2342int 2343mac_check_kld_stat(struct ucred *cred) 2344{ 2345 int error; 2346 2347 if (!mac_enforce_kld) 2348 return (0); 2349 2350 MAC_CHECK(check_kld_stat, cred); 2351 2352 return (error); 2353} 2354 2355int 2356mac_check_kld_unload(struct ucred *cred) 2357{ 2358 int error; 2359 2360 if (!mac_enforce_kld) 2361 return (0); 2362 2363 MAC_CHECK(check_kld_unload, cred); 2364 2365 return (error); 2366} 2367 2368int 2369mac_check_mount_stat(struct ucred *cred, struct mount *mount) 2370{ 2371 int error; 2372 2373 if (!mac_enforce_fs) 2374 return (0); 2375 2376 MAC_CHECK(check_mount_stat, cred, mount, &mount->mnt_mntlabel); 2377 2378 return (error); 2379} 2380 2381int 2382mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, unsigned long cmd, 2383 void *data) 2384{ 2385 int error; 2386 2387 PIPE_LOCK_ASSERT(pipe, MA_OWNED); 2388 2389 if (!mac_enforce_pipe) 2390 return (0); 2391 2392 MAC_CHECK(check_pipe_ioctl, cred, pipe, pipe->pipe_label, cmd, data); 2393 2394 return (error); 2395} 2396 2397int 2398mac_check_pipe_poll(struct ucred *cred, struct pipe *pipe) 2399{ 2400 int error; 2401 2402 PIPE_LOCK_ASSERT(pipe, MA_OWNED); 2403 2404 if (!mac_enforce_pipe) 2405 return (0); 2406 2407 MAC_CHECK(check_pipe_poll, cred, pipe, pipe->pipe_label); 2408 2409 return (error); 2410} 2411 2412int 2413mac_check_pipe_read(struct ucred *cred, struct pipe *pipe) 2414{ 2415 int error; 2416 2417 PIPE_LOCK_ASSERT(pipe, MA_OWNED); 2418 2419 if (!mac_enforce_pipe) 2420 return (0); 2421 2422 MAC_CHECK(check_pipe_read, cred, pipe, pipe->pipe_label); 2423 2424 return (error); 2425} 2426 2427static int 2428mac_check_pipe_relabel(struct ucred *cred, struct pipe *pipe, 2429 struct label *newlabel) 2430{ 2431 int error; 2432 2433 PIPE_LOCK_ASSERT(pipe, MA_OWNED); 2434 2435 if (!mac_enforce_pipe) 2436 return (0); 2437 2438 MAC_CHECK(check_pipe_relabel, cred, pipe, pipe->pipe_label, newlabel); 2439 2440 return (error); 2441} 2442 2443int 2444mac_check_pipe_stat(struct ucred *cred, struct pipe *pipe) 2445{ 2446 int error; 2447 2448 PIPE_LOCK_ASSERT(pipe, MA_OWNED); 2449 2450 if (!mac_enforce_pipe) 2451 return (0); 2452 2453 MAC_CHECK(check_pipe_stat, cred, pipe, pipe->pipe_label); 2454 2455 return (error); 2456} 2457 2458int 2459mac_check_pipe_write(struct ucred *cred, struct pipe *pipe) 2460{ 2461 int error; 2462 2463 PIPE_LOCK_ASSERT(pipe, MA_OWNED); 2464 2465 if (!mac_enforce_pipe) 2466 return (0); 2467 2468 MAC_CHECK(check_pipe_write, cred, pipe, pipe->pipe_label); 2469 2470 return (error); 2471} 2472 2473int 2474mac_check_proc_debug(struct ucred *cred, struct proc *proc) 2475{ 2476 int error; 2477 2478 PROC_LOCK_ASSERT(proc, MA_OWNED); 2479 2480 if (!mac_enforce_process) 2481 return (0); 2482 2483 MAC_CHECK(check_proc_debug, cred, proc); 2484 2485 return (error); 2486} 2487 2488int 2489mac_check_proc_sched(struct ucred *cred, struct proc *proc) 2490{ 2491 int error; 2492 2493 PROC_LOCK_ASSERT(proc, MA_OWNED); 2494 2495 if (!mac_enforce_process) 2496 return (0); 2497 2498 MAC_CHECK(check_proc_sched, cred, proc); 2499 2500 return (error); 2501} 2502 2503int 2504mac_check_proc_signal(struct ucred *cred, struct proc *proc, int signum) 2505{ 2506 int error; 2507 2508 PROC_LOCK_ASSERT(proc, MA_OWNED); 2509 2510 if (!mac_enforce_process) 2511 return (0); 2512 2513 MAC_CHECK(check_proc_signal, cred, proc, signum); 2514 2515 return (error); 2516} 2517 2518int 2519mac_check_socket_bind(struct ucred *ucred, struct socket *socket, 2520 struct sockaddr *sockaddr) 2521{ 2522 int error; 2523 2524 if (!mac_enforce_socket) 2525 return (0); 2526 2527 MAC_CHECK(check_socket_bind, ucred, socket, &socket->so_label, 2528 sockaddr); 2529 2530 return (error); 2531} 2532 2533int 2534mac_check_socket_connect(struct ucred *cred, struct socket *socket, 2535 struct sockaddr *sockaddr) 2536{ 2537 int error; 2538 2539 if (!mac_enforce_socket) 2540 return (0); 2541 2542 MAC_CHECK(check_socket_connect, cred, socket, &socket->so_label, 2543 sockaddr); 2544 2545 return (error); 2546} 2547 2548int 2549mac_check_socket_deliver(struct socket *socket, struct mbuf *mbuf) 2550{ 2551 int error; 2552 2553 if (!mac_enforce_socket) 2554 return (0); 2555 2556 MAC_CHECK(check_socket_deliver, socket, &socket->so_label, mbuf, 2557 &mbuf->m_pkthdr.label); 2558 2559 return (error); 2560} 2561 2562int 2563mac_check_socket_listen(struct ucred *cred, struct socket *socket) 2564{ 2565 int error; 2566 2567 if (!mac_enforce_socket) 2568 return (0); 2569 2570 MAC_CHECK(check_socket_listen, cred, socket, &socket->so_label); 2571 return (error); 2572} 2573 2574int 2575mac_check_socket_receive(struct ucred *cred, struct socket *so) 2576{ 2577 int error; 2578 2579 if (!mac_enforce_socket) 2580 return (0); 2581 2582 MAC_CHECK(check_socket_receive, cred, so, &so->so_label); 2583 2584 return (error); 2585} 2586 2587static int 2588mac_check_socket_relabel(struct ucred *cred, struct socket *socket, 2589 struct label *newlabel) 2590{ 2591 int error; 2592 2593 MAC_CHECK(check_socket_relabel, cred, socket, &socket->so_label, 2594 newlabel); 2595 2596 return (error); 2597} 2598 2599int 2600mac_check_socket_send(struct ucred *cred, struct socket *so) 2601{ 2602 int error; 2603 2604 if (!mac_enforce_socket) 2605 return (0); 2606 2607 MAC_CHECK(check_socket_send, cred, so, &so->so_label); 2608 2609 return (error); 2610} 2611 2612int 2613mac_check_socket_visible(struct ucred *cred, struct socket *socket) 2614{ 2615 int error; 2616 2617 if (!mac_enforce_socket) 2618 return (0); 2619 2620 MAC_CHECK(check_socket_visible, cred, socket, &socket->so_label); 2621 2622 return (error); 2623} 2624 2625int 2626mac_check_system_acct(struct ucred *cred, struct vnode *vp) 2627{ 2628 int error; 2629 2630 if (vp != NULL) { 2631 ASSERT_VOP_LOCKED(vp, "mac_check_system_acct"); 2632 } 2633 2634 if (!mac_enforce_system) 2635 return (0); 2636 2637 MAC_CHECK(check_system_acct, cred, vp, 2638 vp != NULL ? &vp->v_label : NULL); 2639 2640 return (error); 2641} 2642 2643int 2644mac_check_system_nfsd(struct ucred *cred) 2645{ 2646 int error; 2647 2648 if (!mac_enforce_system) 2649 return (0); 2650 2651 MAC_CHECK(check_system_nfsd, cred); 2652 2653 return (error); 2654} 2655 2656int 2657mac_check_system_reboot(struct ucred *cred, int howto) 2658{ 2659 int error; 2660 2661 if (!mac_enforce_system) 2662 return (0); 2663 2664 MAC_CHECK(check_system_reboot, cred, howto); 2665 2666 return (error); 2667} 2668 2669int 2670mac_check_system_settime(struct ucred *cred) 2671{ 2672 int error; 2673 2674 if (!mac_enforce_system) 2675 return (0); 2676 2677 MAC_CHECK(check_system_settime, cred); 2678 2679 return (error); 2680} 2681 2682int 2683mac_check_system_swapon(struct ucred *cred, struct vnode *vp) 2684{ 2685 int error; 2686 2687 ASSERT_VOP_LOCKED(vp, "mac_check_system_swapon"); 2688 2689 if (!mac_enforce_system) 2690 return (0); 2691 2692 MAC_CHECK(check_system_swapon, cred, vp, &vp->v_label); 2693 return (error); 2694} 2695 2696int 2697mac_check_system_swapoff(struct ucred *cred, struct vnode *vp) 2698{ 2699 int error; 2700 2701 ASSERT_VOP_LOCKED(vp, "mac_check_system_swapoff"); 2702 2703 if (!mac_enforce_system) 2704 return (0); 2705 2706 MAC_CHECK(check_system_swapoff, cred, vp, &vp->v_label); 2707 return (error); 2708} 2709 2710int 2711mac_check_system_sysctl(struct ucred *cred, int *name, u_int namelen, 2712 void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen) 2713{ 2714 int error; 2715 2716 /* 2717 * XXXMAC: We're very much like to assert the SYSCTL_LOCK here, 2718 * but since it's not exported from kern_sysctl.c, we can't. 2719 */ 2720 if (!mac_enforce_system) 2721 return (0); 2722 2723 MAC_CHECK(check_system_sysctl, cred, name, namelen, old, oldlenp, 2724 inkernel, new, newlen); 2725 2726 return (error); 2727} 2728 2729int 2730mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr, 2731 struct ifnet *ifnet) 2732{ 2733 char *elements, *buffer; 2734 struct mac mac; 2735 int error; 2736 2737 error = copyin(ifr->ifr_ifru.ifru_data, &mac, sizeof(mac)); 2738 if (error) 2739 return (error); 2740 2741 error = mac_check_structmac_consistent(&mac); 2742 if (error) 2743 return (error); 2744 2745 elements = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK); 2746 error = copyinstr(mac.m_string, elements, mac.m_buflen, NULL); 2747 if (error) { 2748 free(elements, M_MACTEMP); 2749 return (error); 2750 } 2751 2752 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO); 2753 error = mac_externalize_ifnet_label(&ifnet->if_label, elements, 2754 buffer, mac.m_buflen, M_WAITOK); 2755 if (error == 0) 2756 error = copyout(buffer, mac.m_string, strlen(buffer)+1); 2757 2758 free(buffer, M_MACTEMP); 2759 free(elements, M_MACTEMP); 2760 2761 return (error); 2762} 2763 2764int 2765mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr, 2766 struct ifnet *ifnet) 2767{ 2768 struct label intlabel; 2769 struct mac mac; 2770 char *buffer; 2771 int error; 2772 2773 error = copyin(ifr->ifr_ifru.ifru_data, &mac, sizeof(mac)); 2774 if (error) 2775 return (error); 2776 2777 error = mac_check_structmac_consistent(&mac); 2778 if (error) 2779 return (error); 2780 2781 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK); 2782 error = copyinstr(mac.m_string, buffer, mac.m_buflen, NULL); 2783 if (error) { 2784 free(buffer, M_MACTEMP); 2785 return (error); 2786 } 2787 2788 mac_init_ifnet_label(&intlabel); 2789 error = mac_internalize_ifnet_label(&intlabel, buffer); 2790 free(buffer, M_MACTEMP); 2791 if (error) { 2792 mac_destroy_ifnet_label(&intlabel); 2793 return (error); 2794 } 2795 2796 /* 2797 * XXX: Note that this is a redundant privilege check, since 2798 * policies impose this check themselves if required by the 2799 * policy. Eventually, this should go away. 2800 */ 2801 error = suser_cred(cred, 0); 2802 if (error) { 2803 mac_destroy_ifnet_label(&intlabel); 2804 return (error); 2805 } 2806 2807 MAC_CHECK(check_ifnet_relabel, cred, ifnet, &ifnet->if_label, 2808 &intlabel); 2809 if (error) { 2810 mac_destroy_ifnet_label(&intlabel); 2811 return (error); 2812 } 2813 2814 MAC_PERFORM(relabel_ifnet, cred, ifnet, &ifnet->if_label, &intlabel); 2815 2816 mac_destroy_ifnet_label(&intlabel); 2817 return (0); 2818} 2819 2820void 2821mac_create_devfs_device(struct mount *mp, dev_t dev, struct devfs_dirent *de) 2822{ 2823 2824 MAC_PERFORM(create_devfs_device, mp, dev, de, &de->de_label); 2825} 2826 2827void 2828mac_create_devfs_symlink(struct ucred *cred, struct mount *mp, 2829 struct devfs_dirent *dd, struct devfs_dirent *de) 2830{ 2831 2832 MAC_PERFORM(create_devfs_symlink, cred, mp, dd, &dd->de_label, de, 2833 &de->de_label); 2834} 2835 2836void 2837mac_create_devfs_directory(struct mount *mp, char *dirname, int dirnamelen, 2838 struct devfs_dirent *de) 2839{ 2840 2841 MAC_PERFORM(create_devfs_directory, mp, dirname, dirnamelen, de, 2842 &de->de_label); 2843} 2844 2845int 2846mac_setsockopt_label_set(struct ucred *cred, struct socket *so, 2847 struct mac *mac) 2848{ 2849 struct label intlabel; 2850 char *buffer; 2851 int error; 2852 2853 error = mac_check_structmac_consistent(mac); 2854 if (error) 2855 return (error); 2856 2857 buffer = malloc(mac->m_buflen, M_MACTEMP, M_WAITOK); 2858 error = copyinstr(mac->m_string, buffer, mac->m_buflen, NULL); 2859 if (error) { 2860 free(buffer, M_MACTEMP); 2861 return (error); 2862 } 2863 2864 mac_init_socket_label(&intlabel, M_WAITOK); 2865 error = mac_internalize_socket_label(&intlabel, buffer); 2866 free(buffer, M_MACTEMP); 2867 if (error) { 2868 mac_destroy_socket_label(&intlabel); 2869 return (error); 2870 } 2871 2872 mac_check_socket_relabel(cred, so, &intlabel); 2873 if (error) { 2874 mac_destroy_socket_label(&intlabel); 2875 return (error); 2876 } 2877 2878 mac_relabel_socket(cred, so, &intlabel); 2879 2880 mac_destroy_socket_label(&intlabel); 2881 return (0); 2882} 2883 2884int 2885mac_pipe_label_set(struct ucred *cred, struct pipe *pipe, struct label *label) 2886{ 2887 int error; 2888 2889 PIPE_LOCK_ASSERT(pipe, MA_OWNED); 2890 2891 error = mac_check_pipe_relabel(cred, pipe, label); 2892 if (error) 2893 return (error); 2894 2895 mac_relabel_pipe(cred, pipe, label); 2896 2897 return (0); 2898} 2899 2900int 2901mac_getsockopt_label_get(struct ucred *cred, struct socket *so, 2902 struct mac *mac) 2903{ 2904 char *buffer, *elements; 2905 int error; 2906 2907 error = mac_check_structmac_consistent(mac); 2908 if (error) 2909 return (error); 2910 2911 elements = malloc(mac->m_buflen, M_MACTEMP, M_WAITOK); 2912 error = copyinstr(mac->m_string, elements, mac->m_buflen, NULL); 2913 if (error) { 2914 free(elements, M_MACTEMP); 2915 return (error); 2916 } 2917 2918 buffer = malloc(mac->m_buflen, M_MACTEMP, M_WAITOK | M_ZERO); 2919 error = mac_externalize_socket_label(&so->so_label, elements, 2920 buffer, mac->m_buflen, M_WAITOK); 2921 if (error == 0) 2922 error = copyout(buffer, mac->m_string, strlen(buffer)+1); 2923 2924 free(buffer, M_MACTEMP); 2925 free(elements, M_MACTEMP); 2926 2927 return (error); 2928} 2929 2930int 2931mac_getsockopt_peerlabel_get(struct ucred *cred, struct socket *so, 2932 struct mac *mac) 2933{ 2934 char *elements, *buffer; 2935 int error; 2936 2937 error = mac_check_structmac_consistent(mac); 2938 if (error) 2939 return (error); 2940 2941 elements = malloc(mac->m_buflen, M_MACTEMP, M_WAITOK); 2942 error = copyinstr(mac->m_string, elements, mac->m_buflen, NULL); 2943 if (error) { 2944 free(elements, M_MACTEMP); 2945 return (error); 2946 } 2947 2948 buffer = malloc(mac->m_buflen, M_MACTEMP, M_WAITOK | M_ZERO); 2949 error = mac_externalize_socket_peer_label(&so->so_peerlabel, 2950 elements, buffer, mac->m_buflen, M_WAITOK); 2951 if (error == 0) 2952 error = copyout(buffer, mac->m_string, strlen(buffer)+1); 2953 2954 free(buffer, M_MACTEMP); 2955 free(elements, M_MACTEMP); 2956 2957 return (error); 2958} 2959 2960/* 2961 * Implementation of VOP_SETLABEL() that relies on extended attributes 2962 * to store label data. Can be referenced by filesystems supporting 2963 * extended attributes. 2964 */ 2965int 2966vop_stdsetlabel_ea(struct vop_setlabel_args *ap) 2967{ 2968 struct vnode *vp = ap->a_vp; 2969 struct label *intlabel = ap->a_label; 2970 int error; 2971 2972 ASSERT_VOP_LOCKED(vp, "vop_stdsetlabel_ea"); 2973 2974 if ((vp->v_mount->mnt_flag & MNT_MULTILABEL) == 0) 2975 return (EOPNOTSUPP); 2976 2977 error = mac_setlabel_vnode_extattr(ap->a_cred, vp, intlabel); 2978 if (error) 2979 return (error); 2980 2981 mac_relabel_vnode(ap->a_cred, vp, intlabel); 2982 2983 return (0); 2984} 2985 2986static int 2987vn_setlabel(struct vnode *vp, struct label *intlabel, struct ucred *cred) 2988{ 2989 int error; 2990 2991 if (vp->v_mount == NULL) { 2992 /* printf("vn_setlabel: null v_mount\n"); */ 2993 if (vp->v_type != VNON) 2994 printf("vn_setlabel: null v_mount with non-VNON\n"); 2995 return (EBADF); 2996 } 2997 2998 if ((vp->v_mount->mnt_flag & MNT_MULTILABEL) == 0) 2999 return (EOPNOTSUPP); 3000 3001 /* 3002 * Multi-phase commit. First check the policies to confirm the 3003 * change is OK. Then commit via the filesystem. Finally, 3004 * update the actual vnode label. Question: maybe the filesystem 3005 * should update the vnode at the end as part of VOP_SETLABEL()? 3006 */ 3007 error = mac_check_vnode_relabel(cred, vp, intlabel); 3008 if (error) 3009 return (error); 3010 3011 /* 3012 * VADMIN provides the opportunity for the filesystem to make 3013 * decisions about who is and is not able to modify labels 3014 * and protections on files. This might not be right. We can't 3015 * assume VOP_SETLABEL() will do it, because we might implement 3016 * that as part of vop_stdsetlabel_ea(). 3017 */ 3018 error = VOP_ACCESS(vp, VADMIN, cred, curthread); 3019 if (error) 3020 return (error); 3021 3022 error = VOP_SETLABEL(vp, intlabel, cred, curthread); 3023 if (error) 3024 return (error); 3025 3026 return (0); 3027} 3028 3029int 3030__mac_get_pid(struct thread *td, struct __mac_get_pid_args *uap) 3031{ 3032 char *elements, *buffer; 3033 struct mac mac; 3034 struct proc *tproc; 3035 struct ucred *tcred; 3036 int error; 3037 3038 error = copyin(uap->mac_p, &mac, sizeof(mac)); 3039 if (error) 3040 return (error); 3041 3042 error = mac_check_structmac_consistent(&mac); 3043 if (error) 3044 return (error); 3045 3046 tproc = pfind(uap->pid); 3047 if (tproc == NULL) 3048 return (ESRCH); 3049 3050 tcred = NULL; /* Satisfy gcc. */ 3051 error = p_cansee(td, tproc); 3052 if (error == 0) 3053 tcred = crhold(tproc->p_ucred); 3054 PROC_UNLOCK(tproc); 3055 if (error) 3056 return (error); 3057 3058 elements = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK); 3059 error = copyinstr(mac.m_string, elements, mac.m_buflen, NULL); 3060 if (error) { 3061 free(elements, M_MACTEMP); 3062 crfree(tcred); 3063 return (error); 3064 } 3065 3066 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO); 3067 error = mac_externalize_cred_label(&tcred->cr_label, elements, 3068 buffer, mac.m_buflen, M_WAITOK); 3069 if (error == 0) 3070 error = copyout(buffer, mac.m_string, strlen(buffer)+1); 3071 3072 free(buffer, M_MACTEMP); 3073 free(elements, M_MACTEMP); 3074 crfree(tcred); 3075 return (error); 3076} 3077 3078/* 3079 * MPSAFE 3080 */ 3081int 3082__mac_get_proc(struct thread *td, struct __mac_get_proc_args *uap) 3083{ 3084 char *elements, *buffer; 3085 struct mac mac; 3086 int error; 3087 3088 error = copyin(uap->mac_p, &mac, sizeof(mac)); 3089 if (error) 3090 return (error); 3091 3092 error = mac_check_structmac_consistent(&mac); 3093 if (error) 3094 return (error); 3095 3096 elements = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK); 3097 error = copyinstr(mac.m_string, elements, mac.m_buflen, NULL); 3098 if (error) { 3099 free(elements, M_MACTEMP); 3100 return (error); 3101 } 3102 3103 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO); 3104 error = mac_externalize_cred_label(&td->td_ucred->cr_label, 3105 elements, buffer, mac.m_buflen, M_WAITOK); 3106 if (error == 0) 3107 error = copyout(buffer, mac.m_string, strlen(buffer)+1); 3108 3109 free(buffer, M_MACTEMP); 3110 free(elements, M_MACTEMP); 3111 return (error); 3112} 3113 3114/* 3115 * MPSAFE 3116 */ 3117int 3118__mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap) 3119{ 3120 struct ucred *newcred, *oldcred; 3121 struct label intlabel; 3122 struct proc *p; 3123 struct mac mac; 3124 char *buffer; 3125 int error; 3126 3127 error = copyin(uap->mac_p, &mac, sizeof(mac)); 3128 if (error) 3129 return (error); 3130 3131 error = mac_check_structmac_consistent(&mac); 3132 if (error) 3133 return (error); 3134 3135 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK); 3136 error = copyinstr(mac.m_string, buffer, mac.m_buflen, NULL); 3137 if (error) { 3138 free(buffer, M_MACTEMP); 3139 return (error); 3140 } 3141 3142 mac_init_cred_label(&intlabel); 3143 error = mac_internalize_cred_label(&intlabel, buffer); 3144 free(buffer, M_MACTEMP); 3145 if (error) { 3146 mac_destroy_cred_label(&intlabel); 3147 return (error); 3148 } 3149 3150 newcred = crget(); 3151 3152 p = td->td_proc; 3153 PROC_LOCK(p); 3154 oldcred = p->p_ucred; 3155 3156 error = mac_check_cred_relabel(oldcred, &intlabel); 3157 if (error) { 3158 PROC_UNLOCK(p); 3159 crfree(newcred); 3160 goto out; 3161 } 3162 3163 setsugid(p); 3164 crcopy(newcred, oldcred); 3165 mac_relabel_cred(newcred, &intlabel); 3166 p->p_ucred = newcred; 3167 3168 /* 3169 * Grab additional reference for use while revoking mmaps, prior 3170 * to releasing the proc lock and sharing the cred. 3171 */ 3172 crhold(newcred); 3173 PROC_UNLOCK(p); 3174 3175 if (mac_enforce_vm) { 3176 mtx_lock(&Giant); 3177 mac_cred_mmapped_drop_perms(td, newcred); 3178 mtx_unlock(&Giant); 3179 } 3180 3181 crfree(newcred); /* Free revocation reference. */ 3182 crfree(oldcred); 3183 3184out: 3185 mac_destroy_cred_label(&intlabel); 3186 return (error); 3187} 3188 3189/* 3190 * MPSAFE 3191 */ 3192int 3193__mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap) 3194{ 3195 char *elements, *buffer; 3196 struct label intlabel; 3197 struct file *fp; 3198 struct mac mac; 3199 struct vnode *vp; 3200 struct pipe *pipe; 3201 short label_type; 3202 int error; 3203 3204 error = copyin(uap->mac_p, &mac, sizeof(mac)); 3205 if (error) 3206 return (error); 3207 3208 error = mac_check_structmac_consistent(&mac); 3209 if (error) 3210 return (error); 3211 3212 elements = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK); 3213 error = copyinstr(mac.m_string, elements, mac.m_buflen, NULL); 3214 if (error) { 3215 free(elements, M_MACTEMP); 3216 return (error); 3217 } 3218 3219 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO); 3220 mtx_lock(&Giant); /* VFS */ 3221 error = fget(td, uap->fd, &fp); 3222 if (error) 3223 goto out; 3224 3225 label_type = fp->f_type; 3226 switch (fp->f_type) { 3227 case DTYPE_FIFO: 3228 case DTYPE_VNODE: 3229 vp = fp->f_data; 3230 3231 mac_init_vnode_label(&intlabel); 3232 3233 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); 3234 mac_copy_vnode_label(&vp->v_label, &intlabel); 3235 VOP_UNLOCK(vp, 0, td); 3236 3237 break; 3238 case DTYPE_PIPE: 3239 pipe = fp->f_data; 3240 3241 mac_init_pipe_label(&intlabel); 3242 3243 PIPE_LOCK(pipe); 3244 mac_copy_pipe_label(pipe->pipe_label, &intlabel); 3245 PIPE_UNLOCK(pipe); 3246 break; 3247 default: 3248 error = EINVAL; 3249 fdrop(fp, td); 3250 goto out; 3251 } 3252 fdrop(fp, td); 3253 3254 switch (label_type) { 3255 case DTYPE_FIFO: 3256 case DTYPE_VNODE: 3257 if (error == 0) 3258 error = mac_externalize_vnode_label(&intlabel, 3259 elements, buffer, mac.m_buflen, M_WAITOK); 3260 mac_destroy_vnode_label(&intlabel); 3261 break; 3262 case DTYPE_PIPE: 3263 error = mac_externalize_pipe_label(&intlabel, elements, 3264 buffer, mac.m_buflen, M_WAITOK); 3265 mac_destroy_pipe_label(&intlabel); 3266 break; 3267 default: 3268 panic("__mac_get_fd: corrupted label_type"); 3269 } 3270 3271 if (error == 0) 3272 error = copyout(buffer, mac.m_string, strlen(buffer)+1); 3273 3274out: 3275 mtx_unlock(&Giant); /* VFS */ 3276 free(buffer, M_MACTEMP); 3277 free(elements, M_MACTEMP); 3278 3279 return (error); 3280} 3281 3282/* 3283 * MPSAFE 3284 */ 3285int 3286__mac_get_file(struct thread *td, struct __mac_get_file_args *uap) 3287{ 3288 char *elements, *buffer; 3289 struct nameidata nd; 3290 struct label intlabel; 3291 struct mac mac; 3292 int error; 3293 3294 error = copyin(uap->mac_p, &mac, sizeof(mac)); 3295 if (error) 3296 return (error); 3297 3298 error = mac_check_structmac_consistent(&mac); 3299 if (error) 3300 return (error); 3301 3302 elements = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK); 3303 error = copyinstr(mac.m_string, elements, mac.m_buflen, NULL); 3304 if (error) { 3305 free(elements, M_MACTEMP); 3306 return (error); 3307 } 3308 3309 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO); 3310 mtx_lock(&Giant); /* VFS */ 3311 NDINIT(&nd, LOOKUP, LOCKLEAF | FOLLOW, UIO_USERSPACE, uap->path_p, 3312 td); 3313 error = namei(&nd); 3314 if (error) 3315 goto out; 3316 3317 mac_init_vnode_label(&intlabel); 3318 mac_copy_vnode_label(&nd.ni_vp->v_label, &intlabel); 3319 error = mac_externalize_vnode_label(&intlabel, elements, buffer, 3320 mac.m_buflen, M_WAITOK); 3321 3322 NDFREE(&nd, 0); 3323 mac_destroy_vnode_label(&intlabel); 3324 3325 if (error == 0) 3326 error = copyout(buffer, mac.m_string, strlen(buffer)+1); 3327 3328out: 3329 mtx_unlock(&Giant); /* VFS */ 3330 3331 free(buffer, M_MACTEMP); 3332 free(elements, M_MACTEMP); 3333 3334 return (error); 3335} 3336 3337/* 3338 * MPSAFE 3339 */ 3340int 3341__mac_get_link(struct thread *td, struct __mac_get_link_args *uap) 3342{ 3343 char *elements, *buffer; 3344 struct nameidata nd; 3345 struct label intlabel; 3346 struct mac mac; 3347 int error; 3348 3349 error = copyin(uap->mac_p, &mac, sizeof(mac)); 3350 if (error) 3351 return (error); 3352 3353 error = mac_check_structmac_consistent(&mac); 3354 if (error) 3355 return (error); 3356 3357 elements = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK); 3358 error = copyinstr(mac.m_string, elements, mac.m_buflen, NULL); 3359 if (error) { 3360 free(elements, M_MACTEMP); 3361 return (error); 3362 } 3363 3364 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO); 3365 mtx_lock(&Giant); /* VFS */ 3366 NDINIT(&nd, LOOKUP, LOCKLEAF | NOFOLLOW, UIO_USERSPACE, uap->path_p, 3367 td); 3368 error = namei(&nd); 3369 if (error) 3370 goto out; 3371 3372 mac_init_vnode_label(&intlabel); 3373 mac_copy_vnode_label(&nd.ni_vp->v_label, &intlabel); 3374 error = mac_externalize_vnode_label(&intlabel, elements, buffer, 3375 mac.m_buflen, M_WAITOK); 3376 NDFREE(&nd, 0); 3377 mac_destroy_vnode_label(&intlabel); 3378 3379 if (error == 0) 3380 error = copyout(buffer, mac.m_string, strlen(buffer)+1); 3381 3382out: 3383 mtx_unlock(&Giant); /* VFS */ 3384 3385 free(buffer, M_MACTEMP); 3386 free(elements, M_MACTEMP); 3387 3388 return (error); 3389} 3390 3391/* 3392 * MPSAFE 3393 */ 3394int 3395__mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap) 3396{ 3397 struct label intlabel; 3398 struct pipe *pipe; 3399 struct file *fp; 3400 struct mount *mp; 3401 struct vnode *vp; 3402 struct mac mac; 3403 char *buffer; 3404 int error; 3405 3406 error = copyin(uap->mac_p, &mac, sizeof(mac)); 3407 if (error) 3408 return (error); 3409 3410 error = mac_check_structmac_consistent(&mac); 3411 if (error) 3412 return (error); 3413 3414 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK); 3415 error = copyinstr(mac.m_string, buffer, mac.m_buflen, NULL); 3416 if (error) { 3417 free(buffer, M_MACTEMP); 3418 return (error); 3419 } 3420 3421 mtx_lock(&Giant); /* VFS */ 3422 3423 error = fget(td, uap->fd, &fp); 3424 if (error) 3425 goto out; 3426 3427 switch (fp->f_type) { 3428 case DTYPE_FIFO: 3429 case DTYPE_VNODE: 3430 mac_init_vnode_label(&intlabel); 3431 error = mac_internalize_vnode_label(&intlabel, buffer); 3432 if (error) { 3433 mac_destroy_vnode_label(&intlabel); 3434 break; 3435 } 3436 3437 vp = fp->f_data; 3438 error = vn_start_write(vp, &mp, V_WAIT | PCATCH); 3439 if (error != 0) { 3440 mac_destroy_vnode_label(&intlabel); 3441 break; 3442 } 3443 3444 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); 3445 error = vn_setlabel(vp, &intlabel, td->td_ucred); 3446 VOP_UNLOCK(vp, 0, td); 3447 vn_finished_write(mp); 3448 3449 mac_destroy_vnode_label(&intlabel); 3450 break; 3451 3452 case DTYPE_PIPE: 3453 mac_init_pipe_label(&intlabel); 3454 error = mac_internalize_pipe_label(&intlabel, buffer); 3455 if (error == 0) { 3456 pipe = fp->f_data; 3457 PIPE_LOCK(pipe); 3458 error = mac_pipe_label_set(td->td_ucred, pipe, 3459 &intlabel); 3460 PIPE_UNLOCK(pipe); 3461 } 3462 3463 mac_destroy_pipe_label(&intlabel); 3464 break; 3465 3466 default: 3467 error = EINVAL; 3468 } 3469 3470 fdrop(fp, td); 3471out: 3472 mtx_unlock(&Giant); /* VFS */ 3473 3474 free(buffer, M_MACTEMP); 3475 3476 return (error); 3477} 3478 3479/* 3480 * MPSAFE 3481 */ 3482int 3483__mac_set_file(struct thread *td, struct __mac_set_file_args *uap) 3484{ 3485 struct label intlabel; 3486 struct nameidata nd; 3487 struct mount *mp; 3488 struct mac mac; 3489 char *buffer; 3490 int error; 3491 3492 error = copyin(uap->mac_p, &mac, sizeof(mac)); 3493 if (error) 3494 return (error); 3495 3496 error = mac_check_structmac_consistent(&mac); 3497 if (error) 3498 return (error); 3499 3500 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK); 3501 error = copyinstr(mac.m_string, buffer, mac.m_buflen, NULL); 3502 if (error) { 3503 free(buffer, M_MACTEMP); 3504 return (error); 3505 } 3506 3507 mac_init_vnode_label(&intlabel); 3508 error = mac_internalize_vnode_label(&intlabel, buffer); 3509 free(buffer, M_MACTEMP); 3510 if (error) { 3511 mac_destroy_vnode_label(&intlabel); 3512 return (error); 3513 } 3514 3515 mtx_lock(&Giant); /* VFS */ 3516 3517 NDINIT(&nd, LOOKUP, LOCKLEAF | FOLLOW, UIO_USERSPACE, uap->path_p, 3518 td); 3519 error = namei(&nd); 3520 if (error == 0) { 3521 error = vn_start_write(nd.ni_vp, &mp, V_WAIT | PCATCH); 3522 if (error == 0) 3523 error = vn_setlabel(nd.ni_vp, &intlabel, 3524 td->td_ucred); 3525 vn_finished_write(mp); 3526 } 3527 3528 NDFREE(&nd, 0); 3529 mtx_unlock(&Giant); /* VFS */ 3530 mac_destroy_vnode_label(&intlabel); 3531 3532 return (error); 3533} 3534 3535/* 3536 * MPSAFE 3537 */ 3538int 3539__mac_set_link(struct thread *td, struct __mac_set_link_args *uap) 3540{ 3541 struct label intlabel; 3542 struct nameidata nd; 3543 struct mount *mp; 3544 struct mac mac; 3545 char *buffer; 3546 int error; 3547 3548 error = copyin(uap->mac_p, &mac, sizeof(mac)); 3549 if (error) 3550 return (error); 3551 3552 error = mac_check_structmac_consistent(&mac); 3553 if (error) 3554 return (error); 3555 3556 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK); 3557 error = copyinstr(mac.m_string, buffer, mac.m_buflen, NULL); 3558 if (error) { 3559 free(buffer, M_MACTEMP); 3560 return (error); 3561 } 3562 3563 mac_init_vnode_label(&intlabel); 3564 error = mac_internalize_vnode_label(&intlabel, buffer); 3565 free(buffer, M_MACTEMP); 3566 if (error) { 3567 mac_destroy_vnode_label(&intlabel); 3568 return (error); 3569 } 3570 3571 mtx_lock(&Giant); /* VFS */ 3572 3573 NDINIT(&nd, LOOKUP, LOCKLEAF | NOFOLLOW, UIO_USERSPACE, uap->path_p, 3574 td); 3575 error = namei(&nd); 3576 if (error == 0) { 3577 error = vn_start_write(nd.ni_vp, &mp, V_WAIT | PCATCH); 3578 if (error == 0) 3579 error = vn_setlabel(nd.ni_vp, &intlabel, 3580 td->td_ucred); 3581 vn_finished_write(mp); 3582 } 3583 3584 NDFREE(&nd, 0); 3585 mtx_unlock(&Giant); /* VFS */ 3586 mac_destroy_vnode_label(&intlabel); 3587 3588 return (error); 3589} 3590 3591/* 3592 * MPSAFE 3593 */ 3594int 3595mac_syscall(struct thread *td, struct mac_syscall_args *uap) 3596{ 3597 struct mac_policy_conf *mpc; 3598 char target[MAC_MAX_POLICY_NAME]; 3599 int error; 3600 3601 error = copyinstr(uap->policy, target, sizeof(target), NULL); 3602 if (error) 3603 return (error); 3604 3605 error = ENOSYS; 3606 MAC_POLICY_LIST_BUSY(); 3607 LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { 3608 if (strcmp(mpc->mpc_name, target) == 0 && 3609 mpc->mpc_ops->mpo_syscall != NULL) { 3610 error = mpc->mpc_ops->mpo_syscall(td, 3611 uap->call, uap->arg); 3612 goto out; 3613 } 3614 } 3615 3616out: 3617 MAC_POLICY_LIST_UNBUSY(); 3618 return (error); 3619} 3620 3621SYSINIT(mac, SI_SUB_MAC, SI_ORDER_FIRST, mac_init, NULL); 3622SYSINIT(mac_late, SI_SUB_MAC_LATE, SI_ORDER_FIRST, mac_late_init, NULL); 3623 3624#else /* !MAC */ 3625 3626int 3627__mac_get_pid(struct thread *td, struct __mac_get_pid_args *uap) 3628{ 3629 3630 return (ENOSYS); 3631} 3632 3633int 3634__mac_get_proc(struct thread *td, struct __mac_get_proc_args *uap) 3635{ 3636 3637 return (ENOSYS); 3638} 3639 3640int 3641__mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap) 3642{ 3643 3644 return (ENOSYS); 3645} 3646 3647int 3648__mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap) 3649{ 3650 3651 return (ENOSYS); 3652} 3653 3654int 3655__mac_get_file(struct thread *td, struct __mac_get_file_args *uap) 3656{ 3657 3658 return (ENOSYS); 3659} 3660 3661int 3662__mac_get_link(struct thread *td, struct __mac_get_link_args *uap) 3663{ 3664 3665 return (ENOSYS); 3666} 3667 3668int 3669__mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap) 3670{ 3671 3672 return (ENOSYS); 3673} 3674 3675int 3676__mac_set_file(struct thread *td, struct __mac_set_file_args *uap) 3677{ 3678 3679 return (ENOSYS); 3680} 3681 3682int 3683__mac_set_link(struct thread *td, struct __mac_set_link_args *uap) 3684{ 3685 3686 return (ENOSYS); 3687} 3688 3689int 3690mac_syscall(struct thread *td, struct mac_syscall_args *uap) 3691{ 3692 3693 return (ENOSYS); 3694} 3695 3696#endif 3697