mac_biba.c revision 102112
1/*-
2 * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson
3 * Copyright (c) 2001, 2002 Networks Associates Technology, Inc.
4 * All rights reserved.
5 *
6 * This software was developed by Robert Watson for the TrustedBSD Project.
7 *
8 * This software was developed for the FreeBSD Project in part by NAI Labs,
9 * the Security Research Division of Network Associates, Inc. under
10 * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA
11 * CHATS research program.
12 *
13 * Redistribution and use in source and binary forms, with or without
14 * modification, are permitted provided that the following conditions
15 * are met:
16 * 1. Redistributions of source code must retain the above copyright
17 *    notice, this list of conditions and the following disclaimer.
18 * 2. Redistributions in binary form must reproduce the above copyright
19 *    notice, this list of conditions and the following disclaimer in the
20 *    documentation and/or other materials provided with the distribution.
21 * 3. The names of the authors may not be used to endorse or promote
22 *    products derived from this software without specific prior written
23 *    permission.
24 *
25 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
26 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
27 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
28 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
29 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
30 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
31 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
32 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
33 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
34 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
35 * SUCH DAMAGE.
36 *
37 * $FreeBSD: head/sys/security/mac_biba/mac_biba.c 102112 2002-08-19 16:43:25Z rwatson $
38 */
39
40/*
41 * Developed by the TrustedBSD Project.
42 * Biba fixed label mandatory integrity policy.
43 */
44
45#include <sys/types.h>
46#include <sys/param.h>
47#include <sys/acl.h>
48#include <sys/conf.h>
49#include <sys/kernel.h>
50#include <sys/mac.h>
51#include <sys/mount.h>
52#include <sys/proc.h>
53#include <sys/systm.h>
54#include <sys/sysproto.h>
55#include <sys/sysent.h>
56#include <sys/vnode.h>
57#include <sys/file.h>
58#include <sys/socket.h>
59#include <sys/socketvar.h>
60#include <sys/pipe.h>
61#include <sys/sysctl.h>
62
63#include <fs/devfs/devfs.h>
64
65#include <net/bpfdesc.h>
66#include <net/if.h>
67#include <net/if_types.h>
68#include <net/if_var.h>
69
70#include <netinet/in.h>
71#include <netinet/ip_var.h>
72
73#include <vm/vm.h>
74
75#include <sys/mac_policy.h>
76
77#include <security/mac_biba/mac_biba.h>
78
79SYSCTL_DECL(_security_mac);
80
81SYSCTL_NODE(_security_mac, OID_AUTO, biba, CTLFLAG_RW, 0,
82    "TrustedBSD mac_biba policy controls");
83
84static int	mac_biba_enabled = 0;
85SYSCTL_INT(_security_mac_biba, OID_AUTO, enabled, CTLFLAG_RW,
86    &mac_biba_enabled, 0, "Enforce MAC/Biba policy");
87
88static int	destroyed_not_inited;
89SYSCTL_INT(_security_mac_biba, OID_AUTO, destroyed_not_inited, CTLFLAG_RD,
90    &destroyed_not_inited, 0, "Count of labels destroyed but not inited");
91
92static int	trust_all_interfaces = 0;
93SYSCTL_INT(_security_mac_biba, OID_AUTO, trust_all_interfaces, CTLFLAG_RD,
94    &trust_all_interfaces, 0, "Consider all interfaces 'trusted' by MAC/Biba");
95TUNABLE_INT("security.mac.biba.trust_all_interfaces", &trust_all_interfaces);
96
97static char	trusted_interfaces[128];
98SYSCTL_STRING(_security_mac_biba, OID_AUTO, trusted_interfaces, CTLFLAG_RD,
99    trusted_interfaces, 0, "Interfaces considered 'trusted' by MAC/Biba");
100TUNABLE_STR("security.mac.biba.trusted_interfaces", trusted_interfaces,
101    sizeof(trusted_interfaces));
102
103static int	mac_biba_revocation_enabled = 0;
104SYSCTL_INT(_security_mac_biba, OID_AUTO, revocation_enabled, CTLFLAG_RW,
105    &mac_biba_revocation_enabled, 0, "Revoke access to objects on relabel");
106TUNABLE_INT("security.mac.biba.revocation_enabled",
107    &mac_biba_revocation_enabled);
108
109static int	mac_biba_slot;
110#define	SLOT(l)	((struct mac_biba *)LABEL_TO_SLOT((l), mac_biba_slot).l_ptr)
111
112MALLOC_DEFINE(M_MACBIBA, "biba label", "MAC/Biba labels");
113
114static int	mac_biba_check_vnode_open(struct ucred *cred, struct vnode *vp,
115		    struct label *vnodelabel, mode_t acc_mode);
116
117static struct mac_biba *
118biba_alloc(int how)
119{
120	struct mac_biba *mac_biba;
121
122	mac_biba = malloc(sizeof(struct mac_biba), M_MACBIBA, M_ZERO | how);
123
124	return (mac_biba);
125}
126
127static void
128biba_free(struct mac_biba *mac_biba)
129{
130
131	if (mac_biba != NULL)
132		free(mac_biba, M_MACBIBA);
133	else
134		atomic_add_int(&destroyed_not_inited, 1);
135}
136
137static int
138mac_biba_dominate_element(struct mac_biba_element *a,
139    struct mac_biba_element *b)
140{
141
142	switch(a->mbe_type) {
143	case MAC_BIBA_TYPE_EQUAL:
144	case MAC_BIBA_TYPE_HIGH:
145		return (1);
146
147	case MAC_BIBA_TYPE_LOW:
148		switch (b->mbe_type) {
149		case MAC_BIBA_TYPE_GRADE:
150		case MAC_BIBA_TYPE_HIGH:
151			return (0);
152
153		case MAC_BIBA_TYPE_EQUAL:
154		case MAC_BIBA_TYPE_LOW:
155			return (1);
156
157		default:
158			panic("mac_biba_dominate_element: b->mbe_type invalid");
159		}
160
161	case MAC_BIBA_TYPE_GRADE:
162		switch (b->mbe_type) {
163		case MAC_BIBA_TYPE_EQUAL:
164		case MAC_BIBA_TYPE_LOW:
165			return (1);
166
167		case MAC_BIBA_TYPE_HIGH:
168			return (0);
169
170		case MAC_BIBA_TYPE_GRADE:
171			return (a->mbe_grade >= b->mbe_grade);
172
173		default:
174			panic("mac_biba_dominate_element: b->mbe_type invalid");
175		}
176
177	default:
178		panic("mac_biba_dominate_element: a->mbe_type invalid");
179	}
180
181	return (0);
182}
183
184static int
185mac_biba_range_in_range(struct mac_biba *rangea, struct mac_biba *rangeb)
186{
187
188	return (mac_biba_dominate_element(&rangeb->mb_rangehigh,
189	    &rangea->mb_rangehigh) &&
190	    mac_biba_dominate_element(&rangea->mb_rangelow,
191	    &rangeb->mb_rangelow));
192}
193
194static int
195mac_biba_single_in_range(struct mac_biba *single, struct mac_biba *range)
196{
197
198	KASSERT((single->mb_flag & MAC_BIBA_FLAG_SINGLE) != 0,
199	    ("mac_biba_single_in_range: a not single"));
200	KASSERT((range->mb_flag & MAC_BIBA_FLAG_RANGE) != 0,
201	    ("mac_biba_single_in_range: b not range"));
202
203	return (mac_biba_dominate_element(&range->mb_rangehigh,
204	    &single->mb_single) &&
205	    mac_biba_dominate_element(&single->mb_single,
206	    &range->mb_rangelow));
207
208	return (1);
209}
210
211static int
212mac_biba_dominate_single(struct mac_biba *a, struct mac_biba *b)
213{
214	KASSERT((a->mb_flags & MAC_BIBA_FLAG_SINGLE) != 0,
215	    ("mac_biba_dominate_single: a not single"));
216	KASSERT((b->mb_flags & MAC_BIBA_FLAG_SINGLE) != 0,
217	    ("mac_biba_dominate_single: b not single"));
218
219	return (mac_biba_dominate_element(&a->mb_single, &b->mb_single));
220}
221
222static int
223mac_biba_equal_element(struct mac_biba_element *a, struct mac_biba_element *b)
224{
225
226	if (a->mbe_type == MAC_BIBA_TYPE_EQUAL ||
227	    b->mbe_type == MAC_BIBA_TYPE_EQUAL)
228		return (1);
229
230	return (a->mbe_type == b->mbe_type && a->mbe_grade == b->mbe_grade);
231}
232
233static int
234mac_biba_equal_range(struct mac_biba *a, struct mac_biba *b)
235{
236
237	KASSERT((a->mb_flags & MAC_BIBA_FLAG_RANGE) != 0,
238	    ("mac_biba_equal_range: a not range"));
239	KASSERT((b->mb_flags & MAC_BIBA_FLAG_RANGE) != 0,
240	    ("mac_biba_equal_range: b not range"));
241
242	return (mac_biba_equal_element(&a->mb_rangelow, &b->mb_rangelow) &&
243	    mac_biba_equal_element(&a->mb_rangehigh, &b->mb_rangehigh));
244}
245
246static int
247mac_biba_equal_single(struct mac_biba *a, struct mac_biba *b)
248{
249
250	KASSERT((a->mb_flags & MAC_BIBA_FLAG_SINGLE) != 0,
251	    ("mac_biba_equal_single: a not single"));
252	KASSERT((b->mb_flags & MAC_BIBA_FLAG_SINGLE) != 0,
253	    ("mac_biba_equal_single: b not single"));
254
255	return (mac_biba_equal_element(&a->mb_single, &b->mb_single));
256}
257
258static int
259mac_biba_high_single(struct mac_biba *mac_biba)
260{
261
262	return (mac_biba->mb_single.mbe_type == MAC_BIBA_TYPE_HIGH);
263}
264
265static int
266mac_biba_valid(struct mac_biba *mac_biba)
267{
268
269	if (mac_biba->mb_flags & MAC_BIBA_FLAG_SINGLE) {
270		switch (mac_biba->mb_single.mbe_type) {
271		case MAC_BIBA_TYPE_GRADE:
272			break;
273
274		case MAC_BIBA_TYPE_EQUAL:
275		case MAC_BIBA_TYPE_HIGH:
276		case MAC_BIBA_TYPE_LOW:
277			if (mac_biba->mb_single.mbe_grade != 0)
278				return (EINVAL);
279			break;
280
281		default:
282			return (EINVAL);
283		}
284	} else {
285		if (mac_biba->mb_single.mbe_type != MAC_BIBA_TYPE_UNDEF)
286			return (EINVAL);
287	}
288
289	if (mac_biba->mb_flags & MAC_BIBA_FLAG_RANGE) {
290		switch (mac_biba->mb_rangelow.mbe_type) {
291		case MAC_BIBA_TYPE_GRADE:
292			break;
293
294		case MAC_BIBA_TYPE_EQUAL:
295		case MAC_BIBA_TYPE_HIGH:
296		case MAC_BIBA_TYPE_LOW:
297			if (mac_biba->mb_rangelow.mbe_grade != 0)
298				return (EINVAL);
299			break;
300
301		default:
302			return (EINVAL);
303		}
304
305		switch (mac_biba->mb_rangehigh.mbe_type) {
306		case MAC_BIBA_TYPE_GRADE:
307			break;
308
309		case MAC_BIBA_TYPE_EQUAL:
310		case MAC_BIBA_TYPE_HIGH:
311		case MAC_BIBA_TYPE_LOW:
312			if (mac_biba->mb_rangehigh.mbe_grade != 0)
313				return (EINVAL);
314			break;
315
316		default:
317			return (EINVAL);
318		}
319		if (!mac_biba_dominate_element(&mac_biba->mb_rangehigh,
320		    &mac_biba->mb_rangelow))
321			return (EINVAL);
322	} else {
323		if (mac_biba->mb_rangelow.mbe_type != MAC_BIBA_TYPE_UNDEF ||
324		    mac_biba->mb_rangehigh.mbe_type != MAC_BIBA_TYPE_UNDEF)
325			return (EINVAL);
326	}
327
328	return (0);
329}
330
331static void
332mac_biba_set_range(struct mac_biba *mac_biba, u_short typelow,
333    u_short gradelow, u_short typehigh, u_short gradehigh)
334{
335
336	mac_biba->mb_rangelow.mbe_type = typelow;
337	mac_biba->mb_rangelow.mbe_grade = gradelow;
338	mac_biba->mb_rangehigh.mbe_type = typehigh;
339	mac_biba->mb_rangehigh.mbe_grade = gradehigh;
340	mac_biba->mb_flags |= MAC_BIBA_FLAG_RANGE;
341}
342
343static void
344mac_biba_set_single(struct mac_biba *mac_biba, u_short type, u_short grade)
345{
346
347	mac_biba->mb_single.mbe_type = type;
348	mac_biba->mb_single.mbe_grade = grade;
349	mac_biba->mb_flags |= MAC_BIBA_FLAG_SINGLE;
350}
351
352static void
353mac_biba_copy_range(struct mac_biba *labelfrom, struct mac_biba *labelto)
354{
355	KASSERT((labelfrom->mb_flags & MAC_BIBA_FLAG_RANGE) != 0,
356	    ("mac_biba_copy_range: labelfrom not range"));
357
358	labelto->mb_rangelow = labelfrom->mb_rangelow;
359	labelto->mb_rangehigh = labelfrom->mb_rangehigh;
360	labelto->mb_flags |= MAC_BIBA_FLAG_RANGE;
361}
362
363static void
364mac_biba_copy_single(struct mac_biba *labelfrom, struct mac_biba *labelto)
365{
366
367	KASSERT((labelfrom->mb_flags & MAC_BIBA_FLAG_SINGLE) != 0,
368	    ("mac_biba_copy_single: labelfrom not single"));
369
370	labelto->mb_single = labelfrom->mb_single;
371	labelto->mb_flags |= MAC_BIBA_FLAG_SINGLE;
372}
373
374static void
375mac_biba_copy_single_to_range(struct mac_biba *labelfrom,
376    struct mac_biba *labelto)
377{
378
379	KASSERT((labelfrom->mb_flags & MAC_BIBA_FLAG_SINGLE) != 0,
380	    ("mac_biba_copy_single_to_range: labelfrom not single"));
381
382	labelto->mb_rangelow = labelfrom->mb_single;
383	labelto->mb_rangehigh = labelfrom->mb_single;
384	labelto->mb_flags |= MAC_BIBA_FLAG_RANGE;
385}
386
387/*
388 * Policy module operations.
389 */
390static void
391mac_biba_destroy(struct mac_policy_conf *conf)
392{
393
394}
395
396static void
397mac_biba_init(struct mac_policy_conf *conf)
398{
399
400}
401
402/*
403 * Label operations.
404 */
405static void
406mac_biba_init_bpfdesc(struct bpf_d *bpf_d, struct label *label)
407{
408
409	SLOT(label) = biba_alloc(M_WAITOK);
410}
411
412static void
413mac_biba_init_cred(struct ucred *ucred, struct label *label)
414{
415
416	SLOT(label) = biba_alloc(M_WAITOK);
417}
418
419static void
420mac_biba_init_devfsdirent(struct devfs_dirent *devfs_dirent,
421    struct label *label)
422{
423
424	SLOT(label) = biba_alloc(M_WAITOK);
425}
426
427static void
428mac_biba_init_ifnet(struct ifnet *ifnet, struct label *label)
429{
430
431	SLOT(label) = biba_alloc(M_WAITOK);
432}
433
434static void
435mac_biba_init_ipq(struct ipq *ipq, struct label *label)
436{
437
438	SLOT(label) = biba_alloc(M_WAITOK);
439}
440
441static int
442mac_biba_init_mbuf(struct mbuf *mbuf, int how, struct label *label)
443{
444
445	SLOT(label) = biba_alloc(how);
446	if (SLOT(label) == NULL)
447		return (ENOMEM);
448
449	return (0);
450}
451
452static void
453mac_biba_init_mount(struct mount *mount, struct label *mntlabel,
454    struct label *fslabel)
455{
456
457	SLOT(mntlabel) = biba_alloc(M_WAITOK);
458	SLOT(fslabel) = biba_alloc(M_WAITOK);
459}
460
461static void
462mac_biba_init_socket(struct socket *socket, struct label *label,
463    struct label *peerlabel)
464{
465
466	SLOT(label) = biba_alloc(M_WAITOK);
467	SLOT(peerlabel) = biba_alloc(M_WAITOK);
468}
469
470static void
471mac_biba_init_pipe(struct pipe *pipe, struct label *label)
472{
473
474	SLOT(label) = biba_alloc(M_WAITOK);
475}
476
477static void
478mac_biba_init_temp(struct label *label)
479{
480
481	SLOT(label) = biba_alloc(M_WAITOK);
482}
483
484static void
485mac_biba_init_vnode(struct vnode *vp, struct label *label)
486{
487
488	SLOT(label) = biba_alloc(M_WAITOK);
489}
490
491static void
492mac_biba_destroy_bpfdesc(struct bpf_d *bpf_d, struct label *label)
493{
494
495	biba_free(SLOT(label));
496	SLOT(label) = NULL;
497}
498
499static void
500mac_biba_destroy_cred(struct ucred *ucred, struct label *label)
501{
502
503	biba_free(SLOT(label));
504	SLOT(label) = NULL;
505}
506
507static void
508mac_biba_destroy_devfsdirent(struct devfs_dirent *devfs_dirent,
509    struct label *label)
510{
511
512	biba_free(SLOT(label));
513	SLOT(label) = NULL;
514}
515
516static void
517mac_biba_destroy_ifnet(struct ifnet *ifnet, struct label *label)
518{
519
520	biba_free(SLOT(label));
521	SLOT(label) = NULL;
522}
523
524static void
525mac_biba_destroy_ipq(struct ipq *ipq, struct label *label)
526{
527
528	biba_free(SLOT(label));
529	SLOT(label) = NULL;
530}
531
532static void
533mac_biba_destroy_mbuf(struct mbuf *mbuf, struct label *label)
534{
535
536	biba_free(SLOT(label));
537	SLOT(label) = NULL;
538}
539
540static void
541mac_biba_destroy_mount(struct mount *mount, struct label *mntlabel,
542    struct label *fslabel)
543{
544
545	biba_free(SLOT(mntlabel));
546	SLOT(mntlabel) = NULL;
547	biba_free(SLOT(fslabel));
548	SLOT(fslabel) = NULL;
549}
550
551static void
552mac_biba_destroy_socket(struct socket *socket, struct label *label,
553    struct label *peerlabel)
554{
555
556	biba_free(SLOT(label));
557	SLOT(label) = NULL;
558	biba_free(SLOT(peerlabel));
559	SLOT(peerlabel) = NULL;
560}
561
562static void
563mac_biba_destroy_pipe(struct pipe *pipe, struct label *label)
564{
565
566	biba_free(SLOT(label));
567	SLOT(label) = NULL;
568}
569
570static void
571mac_biba_destroy_temp(struct label *label)
572{
573
574	biba_free(SLOT(label));
575	SLOT(label) = NULL;
576}
577
578static void
579mac_biba_destroy_vnode(struct vnode *vp, struct label *label)
580{
581
582	biba_free(SLOT(label));
583	SLOT(label) = NULL;
584}
585
586static int
587mac_biba_externalize(struct label *label, struct mac *extmac)
588{
589	struct mac_biba *mac_biba;
590
591	mac_biba = SLOT(label);
592
593	if (mac_biba == NULL) {
594		printf("mac_biba_externalize: NULL pointer\n");
595		return (0);
596	}
597
598	extmac->m_biba = *mac_biba;
599
600	return (0);
601}
602
603static int
604mac_biba_internalize(struct label *label, struct mac *extmac)
605{
606	struct mac_biba *mac_biba;
607	int error;
608
609	mac_biba = SLOT(label);
610
611	error = mac_biba_valid(mac_biba);
612	if (error)
613		return (error);
614
615	*mac_biba = extmac->m_biba;
616
617	return (0);
618}
619
620/*
621 * Labeling event operations: file system objects, and things that look
622 * a lot like file system objects.
623 */
624static void
625mac_biba_create_devfs_device(dev_t dev, struct devfs_dirent *devfs_dirent,
626    struct label *label)
627{
628	struct mac_biba *mac_biba;
629	int biba_type;
630
631	mac_biba = SLOT(label);
632	if (strcmp(dev->si_name, "null") == 0 ||
633	    strcmp(dev->si_name, "zero") == 0 ||
634	    strcmp(dev->si_name, "random") == 0 ||
635	    strncmp(dev->si_name, "fd/", strlen("fd/")) == 0)
636		biba_type = MAC_BIBA_TYPE_EQUAL;
637	else
638		biba_type = MAC_BIBA_TYPE_HIGH;
639	mac_biba_set_single(mac_biba, biba_type, 0);
640}
641
642static void
643mac_biba_create_devfs_directory(char *dirname, int dirnamelen,
644    struct devfs_dirent *devfs_dirent, struct label *label)
645{
646	struct mac_biba *mac_biba;
647
648	mac_biba = SLOT(label);
649	mac_biba_set_single(mac_biba, MAC_BIBA_TYPE_HIGH, 0);
650}
651
652static void
653mac_biba_create_devfs_vnode(struct devfs_dirent *devfs_dirent,
654    struct label *direntlabel, struct vnode *vp, struct label *vnodelabel)
655{
656	struct mac_biba *source, *dest;
657
658	source = SLOT(direntlabel);
659	dest = SLOT(vnodelabel);
660	mac_biba_copy_single(source, dest);
661}
662
663static void
664mac_biba_create_vnode(struct ucred *cred, struct vnode *parent,
665    struct label *parentlabel, struct vnode *child, struct label *childlabel)
666{
667	struct mac_biba *source, *dest;
668
669	source = SLOT(&cred->cr_label);
670	dest = SLOT(childlabel);
671
672	mac_biba_copy_single(source, dest);
673}
674
675static void
676mac_biba_create_mount(struct ucred *cred, struct mount *mp,
677    struct label *mntlabel, struct label *fslabel)
678{
679	struct mac_biba *source, *dest;
680
681	source = SLOT(&cred->cr_label);
682	dest = SLOT(mntlabel);
683	mac_biba_copy_single(source, dest);
684	dest = SLOT(fslabel);
685	mac_biba_copy_single(source, dest);
686}
687
688static void
689mac_biba_create_root_mount(struct ucred *cred, struct mount *mp,
690    struct label *mntlabel, struct label *fslabel)
691{
692	struct mac_biba *mac_biba;
693
694	/* Always mount root as high integrity. */
695	mac_biba = SLOT(fslabel);
696	mac_biba_set_single(mac_biba, MAC_BIBA_TYPE_HIGH, 0);
697	mac_biba = SLOT(mntlabel);
698	mac_biba_set_single(mac_biba, MAC_BIBA_TYPE_HIGH, 0);
699}
700
701static void
702mac_biba_relabel_vnode(struct ucred *cred, struct vnode *vp,
703    struct label *vnodelabel, struct label *label)
704{
705	struct mac_biba *source, *dest;
706
707	source = SLOT(label);
708	dest = SLOT(vnodelabel);
709
710	mac_biba_copy_single(source, dest);
711}
712
713static void
714mac_biba_update_devfsdirent(struct devfs_dirent *devfs_dirent,
715    struct label *direntlabel, struct vnode *vp, struct label *vnodelabel)
716{
717	struct mac_biba *source, *dest;
718
719	source = SLOT(vnodelabel);
720	dest = SLOT(direntlabel);
721
722	mac_biba_copy_single(source, dest);
723}
724
725static void
726mac_biba_update_procfsvnode(struct vnode *vp, struct label *vnodelabel,
727    struct ucred *cred)
728{
729	struct mac_biba *source, *dest;
730
731	source = SLOT(&cred->cr_label);
732	dest = SLOT(vnodelabel);
733
734	/*
735	 * Only copy the single, not the range, since vnodes only have
736	 * a single.
737	 */
738	mac_biba_copy_single(source, dest);
739}
740
741static int
742mac_biba_update_vnode_from_externalized(struct vnode *vp,
743    struct label *vnodelabel, struct mac *extmac)
744{
745	struct mac_biba *source, *dest;
746	int error;
747
748	source = &extmac->m_biba;
749	dest = SLOT(vnodelabel);
750
751	error = mac_biba_valid(source);
752	if (error)
753		return (error);
754
755	if ((source->mb_flags & MAC_BIBA_FLAGS_BOTH) != MAC_BIBA_FLAG_SINGLE)
756		return (EINVAL);
757
758	mac_biba_copy_single(source, dest);
759
760	return (0);
761}
762
763static void
764mac_biba_update_vnode_from_mount(struct vnode *vp, struct label *vnodelabel,
765    struct mount *mp, struct label *fslabel)
766{
767	struct mac_biba *source, *dest;
768
769	source = SLOT(fslabel);
770	dest = SLOT(vnodelabel);
771
772	mac_biba_copy_single(source, dest);
773}
774
775/*
776 * Labeling event operations: IPC object.
777 */
778static void
779mac_biba_create_mbuf_from_socket(struct socket *so, struct label *socketlabel,
780    struct mbuf *m, struct label *mbuflabel)
781{
782	struct mac_biba *source, *dest;
783
784	source = SLOT(socketlabel);
785	dest = SLOT(mbuflabel);
786
787	mac_biba_copy_single(source, dest);
788}
789
790static void
791mac_biba_create_socket(struct ucred *cred, struct socket *socket,
792    struct label *socketlabel)
793{
794	struct mac_biba *source, *dest;
795
796	source = SLOT(&cred->cr_label);
797	dest = SLOT(socketlabel);
798
799	mac_biba_copy_single(source, dest);
800	mac_biba_copy_single_to_range(source, dest);
801}
802
803static void
804mac_biba_create_pipe(struct ucred *cred, struct pipe *pipe,
805    struct label *pipelabel)
806{
807	struct mac_biba *source, *dest;
808
809	source = SLOT(&cred->cr_label);
810	dest = SLOT(pipelabel);
811
812	mac_biba_copy_single(source, dest);
813}
814
815static void
816mac_biba_create_socket_from_socket(struct socket *oldsocket,
817    struct label *oldsocketlabel, struct socket *newsocket,
818    struct label *newsocketlabel)
819{
820	struct mac_biba *source, *dest;
821
822	source = SLOT(oldsocketlabel);
823	dest = SLOT(newsocketlabel);
824
825	mac_biba_copy_single(source, dest);
826	mac_biba_copy_range(source, dest);
827}
828
829static void
830mac_biba_relabel_socket(struct ucred *cred, struct socket *socket,
831    struct label *socketlabel, struct label *newlabel)
832{
833	struct mac_biba *source, *dest;
834
835	source = SLOT(newlabel);
836	dest = SLOT(socketlabel);
837
838	mac_biba_copy_single(source, dest);
839	mac_biba_copy_range(source, dest);
840}
841
842static void
843mac_biba_relabel_pipe(struct ucred *cred, struct pipe *pipe,
844    struct label *pipelabel, struct label *newlabel)
845{
846	struct mac_biba *source, *dest;
847
848	source = SLOT(newlabel);
849	dest = SLOT(pipelabel);
850
851	mac_biba_copy_single(source, dest);
852}
853
854static void
855mac_biba_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct label *mbuflabel,
856    struct socket *socket, struct label *socketpeerlabel)
857{
858	struct mac_biba *source, *dest;
859
860	source = SLOT(mbuflabel);
861	dest = SLOT(socketpeerlabel);
862
863	mac_biba_copy_single(source, dest);
864}
865
866/*
867 * Labeling event operations: network objects.
868 */
869static void
870mac_biba_set_socket_peer_from_socket(struct socket *oldsocket,
871    struct label *oldsocketlabel, struct socket *newsocket,
872    struct label *newsocketpeerlabel)
873{
874	struct mac_biba *source, *dest;
875
876	source = SLOT(oldsocketlabel);
877	dest = SLOT(newsocketpeerlabel);
878
879	mac_biba_copy_single(source, dest);
880}
881
882static void
883mac_biba_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d,
884    struct label *bpflabel)
885{
886	struct mac_biba *source, *dest;
887
888	source = SLOT(&cred->cr_label);
889	dest = SLOT(bpflabel);
890
891	mac_biba_copy_single(source, dest);
892}
893
894static void
895mac_biba_create_ifnet(struct ifnet *ifnet, struct label *ifnetlabel)
896{
897	char tifname[IFNAMSIZ], ifname[IFNAMSIZ], *p, *q;
898	char tiflist[sizeof(trusted_interfaces)];
899	struct mac_biba *dest;
900	int len, grade;
901
902	dest = SLOT(ifnetlabel);
903
904	if (ifnet->if_type == IFT_LOOP) {
905		grade = MAC_BIBA_TYPE_EQUAL;
906		goto set;
907	}
908
909	if (trust_all_interfaces) {
910		grade = MAC_BIBA_TYPE_HIGH;
911		goto set;
912	}
913
914	grade = MAC_BIBA_TYPE_LOW;
915
916	if (trusted_interfaces[0] == '\0' ||
917	    !strvalid(trusted_interfaces, sizeof(trusted_interfaces)))
918		goto set;
919
920	for (p = trusted_interfaces, q = tiflist; *p != '\0'; p++, q++)
921		if(*p != ' ' && *p != '\t')
922			*q = *p;
923
924	snprintf(ifname, IFNAMSIZ, "%s%d", ifnet->if_name, ifnet->if_unit);
925
926	for (p = q = tiflist;; p++) {
927		if (*p == ',' || *p == '\0') {
928			len = p - q;
929			if (len < IFNAMSIZ) {
930				bzero(tifname, sizeof(tifname));
931				bcopy(q, tifname, len);
932				if (strcmp(tifname, ifname) == 0) {
933					grade = MAC_BIBA_TYPE_HIGH;
934					break;
935				}
936			}
937			if (*p == '\0')
938				break;
939			q = p + 1;
940		}
941	}
942set:
943	mac_biba_set_single(dest, grade, 0);
944	mac_biba_set_range(dest, grade, 0, grade, 0);
945}
946
947static void
948mac_biba_create_ipq(struct mbuf *fragment, struct label *fragmentlabel,
949    struct ipq *ipq, struct label *ipqlabel)
950{
951	struct mac_biba *source, *dest;
952
953	source = SLOT(fragmentlabel);
954	dest = SLOT(ipqlabel);
955
956	mac_biba_copy_single(source, dest);
957}
958
959static void
960mac_biba_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel,
961    struct mbuf *datagram, struct label *datagramlabel)
962{
963	struct mac_biba *source, *dest;
964
965	source = SLOT(ipqlabel);
966	dest = SLOT(datagramlabel);
967
968	/* Just use the head, since we require them all to match. */
969	mac_biba_copy_single(source, dest);
970}
971
972static void
973mac_biba_create_fragment(struct mbuf *datagram, struct label *datagramlabel,
974    struct mbuf *fragment, struct label *fragmentlabel)
975{
976	struct mac_biba *source, *dest;
977
978	source = SLOT(datagramlabel);
979	dest = SLOT(fragmentlabel);
980
981	mac_biba_copy_single(source, dest);
982}
983
984static void
985mac_biba_create_mbuf_from_mbuf(struct mbuf *oldmbuf,
986    struct label *oldmbuflabel, struct mbuf *newmbuf,
987    struct label *newmbuflabel)
988{
989	struct mac_biba *source, *dest;
990
991	source = SLOT(oldmbuflabel);
992	dest = SLOT(newmbuflabel);
993
994	mac_biba_copy_single(source, dest);
995}
996
997static void
998mac_biba_create_mbuf_linklayer(struct ifnet *ifnet, struct label *ifnetlabel,
999    struct mbuf *mbuf, struct label *mbuflabel)
1000{
1001	struct mac_biba *dest;
1002
1003	dest = SLOT(mbuflabel);
1004
1005	mac_biba_set_single(dest, MAC_BIBA_TYPE_EQUAL, 0);
1006}
1007
1008static void
1009mac_biba_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct label *bpflabel,
1010    struct mbuf *mbuf, struct label *mbuflabel)
1011{
1012	struct mac_biba *source, *dest;
1013
1014	source = SLOT(bpflabel);
1015	dest = SLOT(mbuflabel);
1016
1017	mac_biba_copy_single(source, dest);
1018}
1019
1020static void
1021mac_biba_create_mbuf_from_ifnet(struct ifnet *ifnet, struct label *ifnetlabel,
1022    struct mbuf *m, struct label *mbuflabel)
1023{
1024	struct mac_biba *source, *dest;
1025
1026	source = SLOT(ifnetlabel);
1027	dest = SLOT(mbuflabel);
1028
1029	mac_biba_copy_single(source, dest);
1030}
1031
1032static void
1033mac_biba_create_mbuf_multicast_encap(struct mbuf *oldmbuf,
1034    struct label *oldmbuflabel, struct ifnet *ifnet, struct label *ifnetlabel,
1035    struct mbuf *newmbuf, struct label *newmbuflabel)
1036{
1037	struct mac_biba *source, *dest;
1038
1039	source = SLOT(oldmbuflabel);
1040	dest = SLOT(newmbuflabel);
1041
1042	mac_biba_copy_single(source, dest);
1043}
1044
1045static void
1046mac_biba_create_mbuf_netlayer(struct mbuf *oldmbuf, struct label *oldmbuflabel,
1047    struct mbuf *newmbuf, struct label *newmbuflabel)
1048{
1049	struct mac_biba *source, *dest;
1050
1051	source = SLOT(oldmbuflabel);
1052	dest = SLOT(newmbuflabel);
1053
1054	mac_biba_copy_single(source, dest);
1055}
1056
1057static int
1058mac_biba_fragment_match(struct mbuf *fragment, struct label *fragmentlabel,
1059    struct ipq *ipq, struct label *ipqlabel)
1060{
1061	struct mac_biba *a, *b;
1062
1063	a = SLOT(ipqlabel);
1064	b = SLOT(fragmentlabel);
1065
1066	return (mac_biba_equal_single(a, b));
1067}
1068
1069static void
1070mac_biba_relabel_ifnet(struct ucred *cred, struct ifnet *ifnet,
1071    struct label *ifnetlabel, struct label *newlabel)
1072{
1073	struct mac_biba *source, *dest;
1074
1075	source = SLOT(newlabel);
1076	dest = SLOT(ifnetlabel);
1077
1078	mac_biba_copy_single(source, dest);
1079	mac_biba_copy_range(source, dest);
1080}
1081
1082static void
1083mac_biba_update_ipq(struct mbuf *fragment, struct label *fragmentlabel,
1084    struct ipq *ipq, struct label *ipqlabel)
1085{
1086
1087	/* NOOP: we only accept matching labels, so no need to update */
1088}
1089
1090/*
1091 * Labeling event operations: processes.
1092 */
1093static void
1094mac_biba_create_cred(struct ucred *cred_parent, struct ucred *cred_child)
1095{
1096	struct mac_biba *source, *dest;
1097
1098	source = SLOT(&cred_parent->cr_label);
1099	dest = SLOT(&cred_child->cr_label);
1100
1101	mac_biba_copy_single(source, dest);
1102	mac_biba_copy_range(source, dest);
1103}
1104
1105static void
1106mac_biba_execve_transition(struct ucred *old, struct ucred *new,
1107    struct vnode *vp, struct mac *vnodelabel)
1108{
1109	struct mac_biba *source, *dest;
1110
1111	source = SLOT(&old->cr_label);
1112	dest = SLOT(&new->cr_label);
1113
1114	mac_biba_copy_single(source, dest);
1115	mac_biba_copy_range(source, dest);
1116}
1117
1118static int
1119mac_biba_execve_will_transition(struct ucred *old, struct vnode *vp,
1120    struct mac *vnodelabel)
1121{
1122
1123	return (0);
1124}
1125
1126static void
1127mac_biba_create_proc0(struct ucred *cred)
1128{
1129	struct mac_biba *dest;
1130
1131	dest = SLOT(&cred->cr_label);
1132
1133	mac_biba_set_single(dest, MAC_BIBA_TYPE_EQUAL, 0);
1134	mac_biba_set_range(dest, MAC_BIBA_TYPE_LOW, 0, MAC_BIBA_TYPE_HIGH, 0);
1135}
1136
1137static void
1138mac_biba_create_proc1(struct ucred *cred)
1139{
1140	struct mac_biba *dest;
1141
1142	dest = SLOT(&cred->cr_label);
1143
1144	mac_biba_set_single(dest, MAC_BIBA_TYPE_HIGH, 0);
1145	mac_biba_set_range(dest, MAC_BIBA_TYPE_LOW, 0, MAC_BIBA_TYPE_HIGH, 0);
1146}
1147
1148static void
1149mac_biba_relabel_cred(struct ucred *cred, struct label *newlabel)
1150{
1151	struct mac_biba *source, *dest;
1152
1153	source = SLOT(newlabel);
1154	dest = SLOT(&cred->cr_label);
1155
1156	mac_biba_copy_single(source, dest);
1157	mac_biba_copy_range(source, dest);
1158}
1159
1160/*
1161 * Access control checks.
1162 */
1163static int
1164mac_biba_check_bpfdesc_receive(struct bpf_d *bpf_d, struct label *bpflabel,
1165    struct ifnet *ifnet, struct label *ifnetlabel)
1166{
1167	struct mac_biba *a, *b;
1168
1169	if (!mac_biba_enabled)
1170		return (0);
1171
1172	a = SLOT(bpflabel);
1173	b = SLOT(ifnetlabel);
1174
1175	if (mac_biba_equal_single(a, b))
1176		return (0);
1177	return (EACCES);
1178}
1179
1180static int
1181mac_biba_check_cred_relabel(struct ucred *cred, struct label *newlabel)
1182{
1183	struct mac_biba *subj, *new;
1184
1185	subj = SLOT(&cred->cr_label);
1186	new = SLOT(newlabel);
1187
1188	if ((new->mb_flags & MAC_BIBA_FLAGS_BOTH) != MAC_BIBA_FLAGS_BOTH)
1189		return (EINVAL);
1190
1191	/*
1192	 * XXX: Allow processes with root privilege to set labels outside
1193	 * their range, so suid things like "su" work.  This WILL go away
1194	 * when we figure out the 'correct' solution...
1195	 */
1196	if (!suser_cred(cred, 0))
1197		return (0);
1198
1199	/*
1200	 * The new single must be in the old range.
1201	 */
1202	if (!mac_biba_single_in_range(new, subj))
1203		return (EPERM);
1204
1205	/*
1206	 * The new range must be in the old range.
1207	 */
1208	if (!mac_biba_range_in_range(new, subj))
1209		return (EPERM);
1210
1211	/*
1212	 * XXX: Don't permit EQUAL in a label unless the subject has EQUAL.
1213	 */
1214
1215	return (0);
1216}
1217
1218static int
1219mac_biba_check_cred_visible(struct ucred *u1, struct ucred *u2)
1220{
1221	struct mac_biba *subj, *obj;
1222
1223	if (!mac_biba_enabled)
1224		return (0);
1225
1226	subj = SLOT(&u1->cr_label);
1227	obj = SLOT(&u2->cr_label);
1228
1229	/* XXX: range */
1230	if (!mac_biba_dominate_single(obj, subj))
1231		return (ESRCH);
1232
1233	return (0);
1234}
1235
1236static int
1237mac_biba_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet,
1238    struct label *ifnetlabel, struct label *newlabel)
1239{
1240	struct mac_biba *subj, *new;
1241
1242	subj = SLOT(&cred->cr_label);
1243	new = SLOT(newlabel);
1244
1245	if ((new->mb_flags & MAC_BIBA_FLAGS_BOTH) != MAC_BIBA_FLAGS_BOTH)
1246		return (EINVAL);
1247
1248	/*
1249	 * XXX: Only Biba HIGH subjects may relabel interfaces. */
1250	if (!mac_biba_high_single(subj))
1251		return (EPERM);
1252
1253	return (suser_cred(cred, 0));
1254}
1255
1256static int
1257mac_biba_check_ifnet_transmit(struct ifnet *ifnet, struct label *ifnetlabel,
1258    struct mbuf *m, struct label *mbuflabel)
1259{
1260	struct mac_biba *p, *i;
1261
1262	if (!mac_biba_enabled)
1263		return (0);
1264
1265	p = SLOT(mbuflabel);
1266	i = SLOT(ifnetlabel);
1267
1268	return (mac_biba_single_in_range(p, i) ? 0 : EACCES);
1269}
1270
1271static int
1272mac_biba_check_mount_stat(struct ucred *cred, struct mount *mp,
1273    struct label *mntlabel)
1274{
1275	struct mac_biba *subj, *obj;
1276
1277	if (!mac_biba_enabled)
1278		return (0);
1279
1280	subj = SLOT(&cred->cr_label);
1281	obj = SLOT(mntlabel);
1282
1283	if (!mac_biba_dominate_single(obj, subj))
1284		return (EACCES);
1285
1286	return (0);
1287}
1288
1289static int
1290mac_biba_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe,
1291    struct label *pipelabel, unsigned long cmd, void /* caddr_t */ *data)
1292{
1293
1294	if(!mac_biba_enabled)
1295		return (0);
1296
1297	/* XXX: This will be implemented soon... */
1298
1299	return (0);
1300}
1301
1302static int
1303mac_biba_check_pipe_op(struct ucred *cred, struct pipe *pipe,
1304    struct label *pipelabel, int op)
1305{
1306	struct mac_biba *subj, *obj;
1307
1308	if (!mac_biba_enabled)
1309		return (0);
1310
1311	subj = SLOT(&cred->cr_label);
1312	obj = SLOT((pipelabel));
1313
1314	switch(op) {
1315	case MAC_OP_PIPE_READ:
1316	case MAC_OP_PIPE_STAT:
1317	case MAC_OP_PIPE_POLL:
1318		if (!mac_biba_dominate_single(obj, subj))
1319			return (EACCES);
1320		break;
1321	case MAC_OP_PIPE_WRITE:
1322		if (!mac_biba_dominate_single(subj, obj))
1323			return (EACCES);
1324		break;
1325	default:
1326		panic("mac_biba_check_pipe_op: invalid pipe operation");
1327	}
1328
1329	return (0);
1330}
1331
1332static int
1333mac_biba_check_pipe_relabel(struct ucred *cred, struct pipe *pipe,
1334    struct label *pipelabel, struct label *newlabel)
1335{
1336	struct mac_biba *subj, *obj, *new;
1337
1338	new = SLOT(newlabel);
1339	subj = SLOT(&cred->cr_label);
1340	obj = SLOT(pipelabel);
1341
1342	if ((new->mb_flags & MAC_BIBA_FLAGS_BOTH) != MAC_BIBA_FLAG_SINGLE)
1343		return (EINVAL);
1344
1345	/*
1346	 * To relabel a pipe, the old pipe label must be in the subject
1347	 * range.
1348	 */
1349	if (!mac_biba_single_in_range(obj, subj))
1350		return (EPERM);
1351
1352	/*
1353	 * To relabel a pipe, the new pipe label must be in the subject
1354	 * range.
1355	 */
1356	if (!mac_biba_single_in_range(new, subj))
1357		return (EPERM);
1358
1359	/*
1360	 * XXX: Don't permit EQUAL in a label unless the subject has EQUAL.
1361	 */
1362
1363	return (0);
1364}
1365
1366static int
1367mac_biba_check_proc_debug(struct ucred *cred, struct proc *proc)
1368{
1369	struct mac_biba *subj, *obj;
1370
1371	if (!mac_biba_enabled)
1372		return (0);
1373
1374	subj = SLOT(&cred->cr_label);
1375	obj = SLOT(&proc->p_ucred->cr_label);
1376
1377	/* XXX: range checks */
1378	if (!mac_biba_dominate_single(obj, subj))
1379		return (ESRCH);
1380	if (!mac_biba_dominate_single(subj, obj))
1381		return (EACCES);
1382
1383	return (0);
1384}
1385
1386static int
1387mac_biba_check_proc_sched(struct ucred *cred, struct proc *proc)
1388{
1389	struct mac_biba *subj, *obj;
1390
1391	if (!mac_biba_enabled)
1392		return (0);
1393
1394	subj = SLOT(&cred->cr_label);
1395	obj = SLOT(&proc->p_ucred->cr_label);
1396
1397	/* XXX: range checks */
1398	if (!mac_biba_dominate_single(obj, subj))
1399		return (ESRCH);
1400	if (!mac_biba_dominate_single(subj, obj))
1401		return (EACCES);
1402
1403	return (0);
1404}
1405
1406static int
1407mac_biba_check_proc_signal(struct ucred *cred, struct proc *proc, int signum)
1408{
1409	struct mac_biba *subj, *obj;
1410
1411	if (!mac_biba_enabled)
1412		return (0);
1413
1414	subj = SLOT(&cred->cr_label);
1415	obj = SLOT(&proc->p_ucred->cr_label);
1416
1417	/* XXX: range checks */
1418	if (!mac_biba_dominate_single(obj, subj))
1419		return (ESRCH);
1420	if (!mac_biba_dominate_single(subj, obj))
1421		return (EACCES);
1422
1423	return (0);
1424}
1425
1426static int
1427mac_biba_check_socket_deliver(struct socket *so, struct label *socketlabel,
1428    struct mbuf *m, struct label *mbuflabel)
1429{
1430	struct mac_biba *p, *s;
1431
1432	if (!mac_biba_enabled)
1433		return (0);
1434
1435	p = SLOT(mbuflabel);
1436	s = SLOT(socketlabel);
1437
1438	return (mac_biba_equal_single(p, s) ? 0 : EACCES);
1439}
1440
1441static int
1442mac_biba_check_socket_relabel(struct ucred *cred, struct socket *socket,
1443    struct label *socketlabel, struct label *newlabel)
1444{
1445	struct mac_biba *subj, *obj, *new;
1446
1447	new = SLOT(newlabel);
1448	subj = SLOT(&cred->cr_label);
1449	obj = SLOT(socketlabel);
1450
1451	if ((new->mb_flags & MAC_BIBA_FLAGS_BOTH) != MAC_BIBA_FLAG_SINGLE)
1452		return (EINVAL);
1453
1454	/*
1455	 * To relabel a socket, the old socket label must be in the subject
1456	 * range.
1457	 */
1458	if (!mac_biba_single_in_range(obj, subj))
1459		return (EPERM);
1460
1461	/*
1462	 * To relabel a socket, the new socket label must be in the subject
1463	 * range.
1464	 */
1465	if (!mac_biba_single_in_range(new, subj))
1466		return (EPERM);
1467
1468	/*
1469	 * XXX: Don't permit EQUAL in a label unless the subject has EQUAL.
1470	 */
1471
1472	return (0);
1473}
1474
1475static int
1476mac_biba_check_socket_visible(struct ucred *cred, struct socket *socket,
1477    struct label *socketlabel)
1478{
1479	struct mac_biba *subj, *obj;
1480
1481	subj = SLOT(&cred->cr_label);
1482	obj = SLOT(socketlabel);
1483
1484	if (!mac_biba_dominate_single(obj, subj))
1485		return (ENOENT);
1486
1487	return (0);
1488}
1489
1490static int
1491mac_biba_check_vnode_access(struct ucred *cred, struct vnode *vp,
1492    struct label *label, mode_t flags)
1493{
1494
1495	return (mac_biba_check_vnode_open(cred, vp, label, flags));
1496}
1497
1498static int
1499mac_biba_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
1500    struct label *dlabel)
1501{
1502	struct mac_biba *subj, *obj;
1503
1504	if (!mac_biba_enabled)
1505		return (0);
1506
1507	subj = SLOT(&cred->cr_label);
1508	obj = SLOT(dlabel);
1509
1510	if (!mac_biba_dominate_single(obj, subj))
1511		return (EACCES);
1512
1513	return (0);
1514}
1515
1516static int
1517mac_biba_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
1518    struct label *dlabel)
1519{
1520	struct mac_biba *subj, *obj;
1521
1522	if (!mac_biba_enabled)
1523		return (0);
1524
1525	subj = SLOT(&cred->cr_label);
1526	obj = SLOT(dlabel);
1527
1528	if (!mac_biba_dominate_single(obj, subj))
1529		return (EACCES);
1530
1531	return (0);
1532}
1533
1534static int
1535mac_biba_check_vnode_create(struct ucred *cred, struct vnode *dvp,
1536    struct label *dlabel, struct componentname *cnp, struct vattr *vap)
1537{
1538	struct mac_biba *subj, *obj;
1539
1540	if (!mac_biba_enabled)
1541		return (0);
1542
1543	subj = SLOT(&cred->cr_label);
1544	obj = SLOT(dlabel);
1545
1546	if (!mac_biba_dominate_single(subj, obj))
1547		return (EACCES);
1548
1549	return (0);
1550}
1551
1552static int
1553mac_biba_check_vnode_delete(struct ucred *cred, struct vnode *dvp,
1554    struct label *dlabel, struct vnode *vp, struct label *label,
1555    struct componentname *cnp)
1556{
1557	struct mac_biba *subj, *obj;
1558
1559	if (!mac_biba_enabled)
1560		return (0);
1561
1562	subj = SLOT(&cred->cr_label);
1563	obj = SLOT(dlabel);
1564
1565	if (!mac_biba_dominate_single(subj, obj))
1566		return (EACCES);
1567
1568	obj = SLOT(label);
1569
1570	if (!mac_biba_dominate_single(subj, obj))
1571		return (EACCES);
1572
1573	return (0);
1574}
1575
1576static int
1577mac_biba_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
1578    struct label *label, acl_type_t type)
1579{
1580	struct mac_biba *subj, *obj;
1581
1582	if (!mac_biba_enabled)
1583		return (0);
1584
1585	subj = SLOT(&cred->cr_label);
1586	obj = SLOT(label);
1587
1588	if (!mac_biba_dominate_single(subj, obj))
1589		return (EACCES);
1590
1591	return (0);
1592}
1593
1594static int
1595mac_biba_check_vnode_exec(struct ucred *cred, struct vnode *vp,
1596    struct label *label)
1597{
1598	struct mac_biba *subj, *obj;
1599
1600	if (!mac_biba_enabled)
1601		return (0);
1602
1603	subj = SLOT(&cred->cr_label);
1604	obj = SLOT(label);
1605
1606	if (!mac_biba_dominate_single(obj, subj))
1607		return (EACCES);
1608
1609	return (0);
1610}
1611
1612static int
1613mac_biba_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
1614    struct label *label, acl_type_t type)
1615{
1616	struct mac_biba *subj, *obj;
1617
1618	if (!mac_biba_enabled)
1619		return (0);
1620
1621	subj = SLOT(&cred->cr_label);
1622	obj = SLOT(label);
1623
1624	if (!mac_biba_dominate_single(obj, subj))
1625		return (EACCES);
1626
1627	return (0);
1628}
1629
1630static int
1631mac_biba_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
1632    struct label *label, int attrnamespace, const char *name, struct uio *uio)
1633{
1634	struct mac_biba *subj, *obj;
1635
1636	if (!mac_biba_enabled)
1637		return (0);
1638
1639	subj = SLOT(&cred->cr_label);
1640	obj = SLOT(label);
1641
1642	if (!mac_biba_dominate_single(obj, subj))
1643		return (EACCES);
1644
1645	return (0);
1646}
1647
1648static int
1649mac_biba_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
1650    struct label *dlabel, struct componentname *cnp)
1651{
1652	struct mac_biba *subj, *obj;
1653
1654	if (!mac_biba_enabled)
1655		return (0);
1656
1657	subj = SLOT(&cred->cr_label);
1658	obj = SLOT(dlabel);
1659
1660	if (!mac_biba_dominate_single(obj, subj))
1661		return (EACCES);
1662
1663	return (0);
1664}
1665
1666static int
1667mac_biba_check_vnode_open(struct ucred *cred, struct vnode *vp,
1668    struct label *vnodelabel, mode_t acc_mode)
1669{
1670	struct mac_biba *subj, *obj;
1671
1672	if (!mac_biba_enabled)
1673		return (0);
1674
1675	subj = SLOT(&cred->cr_label);
1676	obj = SLOT(vnodelabel);
1677
1678	/* XXX privilege override for admin? */
1679	if (acc_mode & (VREAD | VEXEC | VSTAT)) {
1680		if (!mac_biba_dominate_single(obj, subj))
1681			return (EACCES);
1682	}
1683	if (acc_mode & (VWRITE | VAPPEND | VADMIN)) {
1684		if (!mac_biba_dominate_single(subj, obj))
1685			return (EACCES);
1686	}
1687
1688	return (0);
1689}
1690
1691static int
1692mac_biba_check_vnode_poll(struct ucred *cred, struct vnode *vp,
1693    struct label *label)
1694{
1695	struct mac_biba *subj, *obj;
1696
1697	if (!mac_biba_enabled || !mac_biba_revocation_enabled)
1698		return (0);
1699
1700	subj = SLOT(&cred->cr_label);
1701	obj = SLOT(label);
1702
1703	if (!mac_biba_dominate_single(obj, subj))
1704		return (EACCES);
1705
1706	return (0);
1707}
1708
1709static int
1710mac_biba_check_vnode_read(struct ucred *cred, struct vnode *vp,
1711    struct label *label)
1712{
1713	struct mac_biba *subj, *obj;
1714
1715	if (!mac_biba_enabled || !mac_biba_revocation_enabled)
1716		return (0);
1717
1718	subj = SLOT(&cred->cr_label);
1719	obj = SLOT(label);
1720
1721	if (!mac_biba_dominate_single(obj, subj))
1722		return (EACCES);
1723
1724	return (0);
1725}
1726
1727static int
1728mac_biba_check_vnode_readdir(struct ucred *cred, struct vnode *dvp,
1729    struct label *dlabel)
1730{
1731	struct mac_biba *subj, *obj;
1732
1733	if (!mac_biba_enabled)
1734		return (0);
1735
1736	subj = SLOT(&cred->cr_label);
1737	obj = SLOT(dlabel);
1738
1739	if (!mac_biba_dominate_single(obj, subj))
1740		return (EACCES);
1741
1742	return (0);
1743}
1744
1745static int
1746mac_biba_check_vnode_readlink(struct ucred *cred, struct vnode *vp,
1747    struct label *label)
1748{
1749	struct mac_biba *subj, *obj;
1750
1751	if (!mac_biba_enabled)
1752		return (0);
1753
1754	subj = SLOT(&cred->cr_label);
1755	obj = SLOT(label);
1756
1757	if (!mac_biba_dominate_single(obj, subj))
1758		return (EACCES);
1759
1760	return (0);
1761}
1762
1763static int
1764mac_biba_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
1765    struct label *vnodelabel, struct label *newlabel)
1766{
1767	struct mac_biba *old, *new, *subj;
1768
1769	old = SLOT(vnodelabel);
1770	new = SLOT(newlabel);
1771	subj = SLOT(&cred->cr_label);
1772
1773	if ((new->mb_flags & MAC_BIBA_FLAGS_BOTH) != MAC_BIBA_FLAG_SINGLE)
1774		return (EINVAL);
1775
1776	/*
1777	 * To relabel a vnode, the old vnode label must be in the subject
1778	 * range.
1779	 */
1780	if (!mac_biba_single_in_range(old, subj))
1781		return (EPERM);
1782
1783	/*
1784	 * To relabel a vnode, the new vnode label must be in the subject
1785	 * range.
1786	 */
1787	if (!mac_biba_single_in_range(new, subj))
1788		return (EPERM);
1789
1790	/*
1791	 * XXX: Don't permit EQUAL in a label unless the subject has EQUAL.
1792	 */
1793
1794	return (suser_cred(cred, 0));
1795}
1796
1797static int
1798mac_biba_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
1799    struct label *dlabel, struct vnode *vp, struct label *label,
1800    struct componentname *cnp)
1801{
1802	struct mac_biba *subj, *obj;
1803
1804	if (!mac_biba_enabled)
1805		return (0);
1806
1807	subj = SLOT(&cred->cr_label);
1808	obj = SLOT(dlabel);
1809
1810	if (!mac_biba_dominate_single(subj, obj))
1811		return (EACCES);
1812
1813	obj = SLOT(label);
1814
1815	if (!mac_biba_dominate_single(subj, obj))
1816		return (EACCES);
1817
1818	return (0);
1819}
1820
1821static int
1822mac_biba_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
1823    struct label *dlabel, struct vnode *vp, struct label *label, int samedir,
1824    struct componentname *cnp)
1825{
1826	struct mac_biba *subj, *obj;
1827
1828	if (!mac_biba_enabled)
1829		return (0);
1830
1831	subj = SLOT(&cred->cr_label);
1832	obj = SLOT(dlabel);
1833
1834	if (!mac_biba_dominate_single(subj, obj))
1835		return (EACCES);
1836
1837	if (vp != NULL) {
1838		obj = SLOT(label);
1839
1840		if (!mac_biba_dominate_single(subj, obj))
1841			return (EACCES);
1842	}
1843
1844	return (0);
1845}
1846
1847static int
1848mac_biba_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
1849    struct label *label)
1850{
1851	struct mac_biba *subj, *obj;
1852
1853	if (!mac_biba_enabled)
1854		return (0);
1855
1856	subj = SLOT(&cred->cr_label);
1857	obj = SLOT(label);
1858
1859	if (!mac_biba_dominate_single(subj, obj))
1860		return (EACCES);
1861
1862	return (0);
1863}
1864
1865static int
1866mac_biba_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
1867    struct label *label, acl_type_t type, struct acl *acl)
1868{
1869	struct mac_biba *subj, *obj;
1870
1871	if (!mac_biba_enabled)
1872		return (0);
1873
1874	subj = SLOT(&cred->cr_label);
1875	obj = SLOT(label);
1876
1877	if (!mac_biba_dominate_single(subj, obj))
1878		return (EACCES);
1879
1880	return (0);
1881}
1882
1883static int
1884mac_biba_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
1885    struct label *vnodelabel, int attrnamespace, const char *name,
1886    struct uio *uio)
1887{
1888	struct mac_biba *subj, *obj;
1889
1890	if (!mac_biba_enabled)
1891		return (0);
1892
1893	subj = SLOT(&cred->cr_label);
1894	obj = SLOT(vnodelabel);
1895
1896	if (!mac_biba_dominate_single(subj, obj))
1897		return (EACCES);
1898
1899	/* XXX: protect the MAC EA in a special way? */
1900
1901	return (0);
1902}
1903
1904static int
1905mac_biba_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
1906    struct label *vnodelabel, u_long flags)
1907{
1908	struct mac_biba *subj, *obj;
1909
1910	if (!mac_biba_enabled)
1911		return (0);
1912
1913	subj = SLOT(&cred->cr_label);
1914	obj = SLOT(vnodelabel);
1915
1916	if (!mac_biba_dominate_single(subj, obj))
1917		return (EACCES);
1918
1919	return (0);
1920}
1921
1922static int
1923mac_biba_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
1924    struct label *vnodelabel, mode_t mode)
1925{
1926	struct mac_biba *subj, *obj;
1927
1928	if (!mac_biba_enabled)
1929		return (0);
1930
1931	subj = SLOT(&cred->cr_label);
1932	obj = SLOT(vnodelabel);
1933
1934	if (!mac_biba_dominate_single(subj, obj))
1935		return (EACCES);
1936
1937	return (0);
1938}
1939
1940static int
1941mac_biba_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
1942    struct label *vnodelabel, uid_t uid, gid_t gid)
1943{
1944	struct mac_biba *subj, *obj;
1945
1946	if (!mac_biba_enabled)
1947		return (0);
1948
1949	subj = SLOT(&cred->cr_label);
1950	obj = SLOT(vnodelabel);
1951
1952	if (!mac_biba_dominate_single(subj, obj))
1953		return (EACCES);
1954
1955	return (0);
1956}
1957
1958static int
1959mac_biba_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
1960    struct label *vnodelabel, struct timespec atime, struct timespec mtime)
1961{
1962	struct mac_biba *subj, *obj;
1963
1964	if (!mac_biba_enabled)
1965		return (0);
1966
1967	subj = SLOT(&cred->cr_label);
1968	obj = SLOT(vnodelabel);
1969
1970	if (!mac_biba_dominate_single(subj, obj))
1971		return (EACCES);
1972
1973	return (0);
1974}
1975
1976static int
1977mac_biba_check_vnode_stat(struct ucred *cred, struct vnode *vp,
1978    struct label *vnodelabel)
1979{
1980	struct mac_biba *subj, *obj;
1981
1982	if (!mac_biba_enabled)
1983		return (0);
1984
1985	subj = SLOT(&cred->cr_label);
1986	obj = SLOT(vnodelabel);
1987
1988	if (!mac_biba_dominate_single(obj, subj))
1989		return (EACCES);
1990
1991	return (0);
1992}
1993
1994static int
1995mac_biba_check_vnode_write(struct ucred *cred, struct vnode *vp,
1996    struct label *label)
1997{
1998	struct mac_biba *subj, *obj;
1999
2000	if (!mac_biba_enabled || !mac_biba_revocation_enabled)
2001		return (0);
2002
2003	subj = SLOT(&cred->cr_label);
2004	obj = SLOT(label);
2005
2006	if (!mac_biba_dominate_single(subj, obj))
2007		return (EACCES);
2008
2009	return (0);
2010}
2011
2012static vm_prot_t
2013mac_biba_check_vnode_mmap_perms(struct ucred *cred, struct vnode *vp,
2014    struct label *label, int newmapping)
2015{
2016	struct mac_biba *subj, *obj;
2017	vm_prot_t prot = 0;
2018
2019	if (!mac_biba_enabled || (!mac_biba_revocation_enabled && !newmapping))
2020		return (VM_PROT_ALL);
2021
2022	subj = SLOT(&cred->cr_label);
2023	obj = SLOT(label);
2024
2025	if (mac_biba_dominate_single(obj, subj))
2026		prot |= VM_PROT_READ | VM_PROT_EXECUTE;
2027	if (mac_biba_dominate_single(subj, obj))
2028		prot |= VM_PROT_WRITE;
2029	return (prot);
2030}
2031
2032static struct mac_policy_op_entry mac_biba_ops[] =
2033{
2034	{ MAC_DESTROY,
2035	    (macop_t)mac_biba_destroy },
2036	{ MAC_INIT,
2037	    (macop_t)mac_biba_init },
2038	{ MAC_INIT_BPFDESC,
2039	    (macop_t)mac_biba_init_bpfdesc },
2040	{ MAC_INIT_CRED,
2041	    (macop_t)mac_biba_init_cred },
2042	{ MAC_INIT_DEVFSDIRENT,
2043	    (macop_t)mac_biba_init_devfsdirent },
2044	{ MAC_INIT_IFNET,
2045	    (macop_t)mac_biba_init_ifnet },
2046	{ MAC_INIT_IPQ,
2047	    (macop_t)mac_biba_init_ipq },
2048	{ MAC_INIT_MBUF,
2049	    (macop_t)mac_biba_init_mbuf },
2050	{ MAC_INIT_MOUNT,
2051	    (macop_t)mac_biba_init_mount },
2052	{ MAC_INIT_PIPE,
2053	    (macop_t)mac_biba_init_pipe },
2054	{ MAC_INIT_SOCKET,
2055	    (macop_t)mac_biba_init_socket },
2056	{ MAC_INIT_TEMP,
2057	    (macop_t)mac_biba_init_temp },
2058	{ MAC_INIT_VNODE,
2059	    (macop_t)mac_biba_init_vnode },
2060	{ MAC_DESTROY_BPFDESC,
2061	    (macop_t)mac_biba_destroy_bpfdesc },
2062	{ MAC_DESTROY_CRED,
2063	    (macop_t)mac_biba_destroy_cred },
2064	{ MAC_DESTROY_DEVFSDIRENT,
2065	    (macop_t)mac_biba_destroy_devfsdirent },
2066	{ MAC_DESTROY_IFNET,
2067	    (macop_t)mac_biba_destroy_ifnet },
2068	{ MAC_DESTROY_IPQ,
2069	    (macop_t)mac_biba_destroy_ipq },
2070	{ MAC_DESTROY_MBUF,
2071	    (macop_t)mac_biba_destroy_mbuf },
2072	{ MAC_DESTROY_MOUNT,
2073	    (macop_t)mac_biba_destroy_mount },
2074	{ MAC_DESTROY_PIPE,
2075	    (macop_t)mac_biba_destroy_pipe },
2076	{ MAC_DESTROY_SOCKET,
2077	    (macop_t)mac_biba_destroy_socket },
2078	{ MAC_DESTROY_TEMP,
2079	    (macop_t)mac_biba_destroy_temp },
2080	{ MAC_DESTROY_VNODE,
2081	    (macop_t)mac_biba_destroy_vnode },
2082	{ MAC_EXTERNALIZE,
2083	    (macop_t)mac_biba_externalize },
2084	{ MAC_INTERNALIZE,
2085	    (macop_t)mac_biba_internalize },
2086	{ MAC_CREATE_DEVFS_DEVICE,
2087	    (macop_t)mac_biba_create_devfs_device },
2088	{ MAC_CREATE_DEVFS_DIRECTORY,
2089	    (macop_t)mac_biba_create_devfs_directory },
2090	{ MAC_CREATE_DEVFS_VNODE,
2091	    (macop_t)mac_biba_create_devfs_vnode },
2092	{ MAC_CREATE_VNODE,
2093	    (macop_t)mac_biba_create_vnode },
2094	{ MAC_CREATE_MOUNT,
2095	    (macop_t)mac_biba_create_mount },
2096	{ MAC_CREATE_ROOT_MOUNT,
2097	    (macop_t)mac_biba_create_root_mount },
2098	{ MAC_RELABEL_VNODE,
2099	    (macop_t)mac_biba_relabel_vnode },
2100	{ MAC_UPDATE_DEVFSDIRENT,
2101	    (macop_t)mac_biba_update_devfsdirent },
2102	{ MAC_UPDATE_PROCFSVNODE,
2103	    (macop_t)mac_biba_update_procfsvnode },
2104	{ MAC_UPDATE_VNODE_FROM_EXTERNALIZED,
2105	    (macop_t)mac_biba_update_vnode_from_externalized },
2106	{ MAC_UPDATE_VNODE_FROM_MOUNT,
2107	    (macop_t)mac_biba_update_vnode_from_mount },
2108	{ MAC_CREATE_MBUF_FROM_SOCKET,
2109	    (macop_t)mac_biba_create_mbuf_from_socket },
2110	{ MAC_CREATE_PIPE,
2111	    (macop_t)mac_biba_create_pipe },
2112	{ MAC_CREATE_SOCKET,
2113	    (macop_t)mac_biba_create_socket },
2114	{ MAC_CREATE_SOCKET_FROM_SOCKET,
2115	    (macop_t)mac_biba_create_socket_from_socket },
2116	{ MAC_RELABEL_PIPE,
2117	    (macop_t)mac_biba_relabel_pipe },
2118	{ MAC_RELABEL_SOCKET,
2119	    (macop_t)mac_biba_relabel_socket },
2120	{ MAC_SET_SOCKET_PEER_FROM_MBUF,
2121	    (macop_t)mac_biba_set_socket_peer_from_mbuf },
2122	{ MAC_SET_SOCKET_PEER_FROM_SOCKET,
2123	    (macop_t)mac_biba_set_socket_peer_from_socket },
2124	{ MAC_CREATE_BPFDESC,
2125	    (macop_t)mac_biba_create_bpfdesc },
2126	{ MAC_CREATE_DATAGRAM_FROM_IPQ,
2127	    (macop_t)mac_biba_create_datagram_from_ipq },
2128	{ MAC_CREATE_FRAGMENT,
2129	    (macop_t)mac_biba_create_fragment },
2130	{ MAC_CREATE_IFNET,
2131	    (macop_t)mac_biba_create_ifnet },
2132	{ MAC_CREATE_IPQ,
2133	    (macop_t)mac_biba_create_ipq },
2134	{ MAC_CREATE_MBUF_FROM_MBUF,
2135	    (macop_t)mac_biba_create_mbuf_from_mbuf },
2136	{ MAC_CREATE_MBUF_LINKLAYER,
2137	    (macop_t)mac_biba_create_mbuf_linklayer },
2138	{ MAC_CREATE_MBUF_FROM_BPFDESC,
2139	    (macop_t)mac_biba_create_mbuf_from_bpfdesc },
2140	{ MAC_CREATE_MBUF_FROM_IFNET,
2141	    (macop_t)mac_biba_create_mbuf_from_ifnet },
2142	{ MAC_CREATE_MBUF_MULTICAST_ENCAP,
2143	    (macop_t)mac_biba_create_mbuf_multicast_encap },
2144	{ MAC_CREATE_MBUF_NETLAYER,
2145	    (macop_t)mac_biba_create_mbuf_netlayer },
2146	{ MAC_FRAGMENT_MATCH,
2147	    (macop_t)mac_biba_fragment_match },
2148	{ MAC_RELABEL_IFNET,
2149	    (macop_t)mac_biba_relabel_ifnet },
2150	{ MAC_UPDATE_IPQ,
2151	    (macop_t)mac_biba_update_ipq },
2152	{ MAC_CREATE_CRED,
2153	    (macop_t)mac_biba_create_cred },
2154	{ MAC_EXECVE_TRANSITION,
2155	    (macop_t)mac_biba_execve_transition },
2156	{ MAC_EXECVE_WILL_TRANSITION,
2157	    (macop_t)mac_biba_execve_will_transition },
2158	{ MAC_CREATE_PROC0,
2159	    (macop_t)mac_biba_create_proc0 },
2160	{ MAC_CREATE_PROC1,
2161	    (macop_t)mac_biba_create_proc1 },
2162	{ MAC_RELABEL_CRED,
2163	    (macop_t)mac_biba_relabel_cred },
2164	{ MAC_CHECK_BPFDESC_RECEIVE,
2165	    (macop_t)mac_biba_check_bpfdesc_receive },
2166	{ MAC_CHECK_CRED_RELABEL,
2167	    (macop_t)mac_biba_check_cred_relabel },
2168	{ MAC_CHECK_CRED_VISIBLE,
2169	    (macop_t)mac_biba_check_cred_visible },
2170	{ MAC_CHECK_IFNET_RELABEL,
2171	    (macop_t)mac_biba_check_ifnet_relabel },
2172	{ MAC_CHECK_IFNET_TRANSMIT,
2173	    (macop_t)mac_biba_check_ifnet_transmit },
2174	{ MAC_CHECK_MOUNT_STAT,
2175	    (macop_t)mac_biba_check_mount_stat },
2176	{ MAC_CHECK_PIPE_IOCTL,
2177	    (macop_t)mac_biba_check_pipe_ioctl },
2178	{ MAC_CHECK_PIPE_OP,
2179	    (macop_t)mac_biba_check_pipe_op },
2180	{ MAC_CHECK_PIPE_RELABEL,
2181	    (macop_t)mac_biba_check_pipe_relabel },
2182	{ MAC_CHECK_PROC_DEBUG,
2183	    (macop_t)mac_biba_check_proc_debug },
2184	{ MAC_CHECK_PROC_SCHED,
2185	    (macop_t)mac_biba_check_proc_sched },
2186	{ MAC_CHECK_PROC_SIGNAL,
2187	    (macop_t)mac_biba_check_proc_signal },
2188	{ MAC_CHECK_SOCKET_DELIVER,
2189	    (macop_t)mac_biba_check_socket_deliver },
2190	{ MAC_CHECK_SOCKET_RELABEL,
2191	    (macop_t)mac_biba_check_socket_relabel },
2192	{ MAC_CHECK_SOCKET_VISIBLE,
2193	    (macop_t)mac_biba_check_socket_visible },
2194	{ MAC_CHECK_VNODE_ACCESS,
2195	    (macop_t)mac_biba_check_vnode_access },
2196	{ MAC_CHECK_VNODE_CHDIR,
2197	    (macop_t)mac_biba_check_vnode_chdir },
2198	{ MAC_CHECK_VNODE_CHROOT,
2199	    (macop_t)mac_biba_check_vnode_chroot },
2200	{ MAC_CHECK_VNODE_CREATE,
2201	    (macop_t)mac_biba_check_vnode_create },
2202	{ MAC_CHECK_VNODE_DELETE,
2203	    (macop_t)mac_biba_check_vnode_delete },
2204	{ MAC_CHECK_VNODE_DELETEACL,
2205	    (macop_t)mac_biba_check_vnode_deleteacl },
2206	{ MAC_CHECK_VNODE_EXEC,
2207	    (macop_t)mac_biba_check_vnode_exec },
2208	{ MAC_CHECK_VNODE_GETACL,
2209	    (macop_t)mac_biba_check_vnode_getacl },
2210	{ MAC_CHECK_VNODE_GETEXTATTR,
2211	    (macop_t)mac_biba_check_vnode_getextattr },
2212	{ MAC_CHECK_VNODE_LOOKUP,
2213	    (macop_t)mac_biba_check_vnode_lookup },
2214	{ MAC_CHECK_VNODE_OPEN,
2215	    (macop_t)mac_biba_check_vnode_open },
2216	{ MAC_CHECK_VNODE_POLL,
2217	    (macop_t)mac_biba_check_vnode_poll },
2218	{ MAC_CHECK_VNODE_READ,
2219	    (macop_t)mac_biba_check_vnode_read },
2220	{ MAC_CHECK_VNODE_READDIR,
2221	    (macop_t)mac_biba_check_vnode_readdir },
2222	{ MAC_CHECK_VNODE_READLINK,
2223	    (macop_t)mac_biba_check_vnode_readlink },
2224	{ MAC_CHECK_VNODE_RELABEL,
2225	    (macop_t)mac_biba_check_vnode_relabel },
2226	{ MAC_CHECK_VNODE_RENAME_FROM,
2227	    (macop_t)mac_biba_check_vnode_rename_from },
2228	{ MAC_CHECK_VNODE_RENAME_TO,
2229	    (macop_t)mac_biba_check_vnode_rename_to },
2230	{ MAC_CHECK_VNODE_REVOKE,
2231	    (macop_t)mac_biba_check_vnode_revoke },
2232	{ MAC_CHECK_VNODE_SETACL,
2233	    (macop_t)mac_biba_check_vnode_setacl },
2234	{ MAC_CHECK_VNODE_SETEXTATTR,
2235	    (macop_t)mac_biba_check_vnode_setextattr },
2236	{ MAC_CHECK_VNODE_SETFLAGS,
2237	    (macop_t)mac_biba_check_vnode_setflags },
2238	{ MAC_CHECK_VNODE_SETMODE,
2239	    (macop_t)mac_biba_check_vnode_setmode },
2240	{ MAC_CHECK_VNODE_SETOWNER,
2241	    (macop_t)mac_biba_check_vnode_setowner },
2242	{ MAC_CHECK_VNODE_SETUTIMES,
2243	    (macop_t)mac_biba_check_vnode_setutimes },
2244	{ MAC_CHECK_VNODE_STAT,
2245	    (macop_t)mac_biba_check_vnode_stat },
2246	{ MAC_CHECK_VNODE_WRITE,
2247	    (macop_t)mac_biba_check_vnode_write },
2248	{ MAC_CHECK_VNODE_MMAP_PERMS,
2249	    (macop_t)mac_biba_check_vnode_mmap_perms },
2250	{ MAC_OP_LAST, NULL }
2251};
2252
2253MAC_POLICY_SET(mac_biba_ops, trustedbsd_mac_biba, "TrustedBSD MAC/Biba",
2254    MPC_LOADTIME_FLAG_NOTLATE, &mac_biba_slot);
2255