mac_biba.c revision 180059
1/*- 2 * Copyright (c) 1999-2002, 2007 Robert N. M. Watson 3 * Copyright (c) 2001-2005 McAfee, Inc. 4 * Copyright (c) 2006 SPARTA, Inc. 5 * All rights reserved. 6 * 7 * This software was developed by Robert Watson for the TrustedBSD Project. 8 * 9 * This software was developed for the FreeBSD Project in part by McAfee 10 * Research, the Security Research Division of McAfee, Inc. under 11 * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA 12 * CHATS research program. 13 * 14 * This software was enhanced by SPARTA ISSO under SPAWAR contract 15 * N66001-04-C-6019 ("SEFOS"). 16 * 17 * Redistribution and use in source and binary forms, with or without 18 * modification, are permitted provided that the following conditions 19 * are met: 20 * 1. Redistributions of source code must retain the above copyright 21 * notice, this list of conditions and the following disclaimer. 22 * 2. Redistributions in binary form must reproduce the above copyright 23 * notice, this list of conditions and the following disclaimer in the 24 * documentation and/or other materials provided with the distribution. 25 * 26 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 27 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 28 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 29 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 30 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 31 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 32 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 33 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 34 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 35 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 36 * SUCH DAMAGE. 37 * 38 * $FreeBSD: head/sys/security/mac_biba/mac_biba.c 180059 2008-06-27 05:39:04Z jhb $ 39 */ 40 41/* 42 * Developed by the TrustedBSD Project. 43 * 44 * Biba fixed label mandatory integrity policy. 45 */ 46 47#include <sys/param.h> 48#include <sys/conf.h> 49#include <sys/extattr.h> 50#include <sys/kernel.h> 51#include <sys/ksem.h> 52#include <sys/malloc.h> 53#include <sys/mman.h> 54#include <sys/mount.h> 55#include <sys/priv.h> 56#include <sys/proc.h> 57#include <sys/sbuf.h> 58#include <sys/systm.h> 59#include <sys/sysproto.h> 60#include <sys/sysent.h> 61#include <sys/systm.h> 62#include <sys/vnode.h> 63#include <sys/file.h> 64#include <sys/socket.h> 65#include <sys/socketvar.h> 66#include <sys/pipe.h> 67#include <sys/sx.h> 68#include <sys/sysctl.h> 69#include <sys/msg.h> 70#include <sys/sem.h> 71#include <sys/shm.h> 72 73#include <fs/devfs/devfs.h> 74 75#include <net/bpfdesc.h> 76#include <net/if.h> 77#include <net/if_types.h> 78#include <net/if_var.h> 79 80#include <netinet/in.h> 81#include <netinet/in_pcb.h> 82#include <netinet/ip_var.h> 83 84#include <vm/uma.h> 85#include <vm/vm.h> 86 87#include <security/mac/mac_policy.h> 88#include <security/mac_biba/mac_biba.h> 89 90SYSCTL_DECL(_security_mac); 91 92SYSCTL_NODE(_security_mac, OID_AUTO, biba, CTLFLAG_RW, 0, 93 "TrustedBSD mac_biba policy controls"); 94 95static int biba_label_size = sizeof(struct mac_biba); 96SYSCTL_INT(_security_mac_biba, OID_AUTO, label_size, CTLFLAG_RD, 97 &biba_label_size, 0, "Size of struct mac_biba"); 98 99static int biba_enabled = 1; 100SYSCTL_INT(_security_mac_biba, OID_AUTO, enabled, CTLFLAG_RW, &biba_enabled, 101 0, "Enforce MAC/Biba policy"); 102TUNABLE_INT("security.mac.biba.enabled", &biba_enabled); 103 104static int destroyed_not_inited; 105SYSCTL_INT(_security_mac_biba, OID_AUTO, destroyed_not_inited, CTLFLAG_RD, 106 &destroyed_not_inited, 0, "Count of labels destroyed but not inited"); 107 108static int trust_all_interfaces = 0; 109SYSCTL_INT(_security_mac_biba, OID_AUTO, trust_all_interfaces, CTLFLAG_RD, 110 &trust_all_interfaces, 0, "Consider all interfaces 'trusted' by MAC/Biba"); 111TUNABLE_INT("security.mac.biba.trust_all_interfaces", &trust_all_interfaces); 112 113static char trusted_interfaces[128]; 114SYSCTL_STRING(_security_mac_biba, OID_AUTO, trusted_interfaces, CTLFLAG_RD, 115 trusted_interfaces, 0, "Interfaces considered 'trusted' by MAC/Biba"); 116TUNABLE_STR("security.mac.biba.trusted_interfaces", trusted_interfaces, 117 sizeof(trusted_interfaces)); 118 119static int max_compartments = MAC_BIBA_MAX_COMPARTMENTS; 120SYSCTL_INT(_security_mac_biba, OID_AUTO, max_compartments, CTLFLAG_RD, 121 &max_compartments, 0, "Maximum supported compartments"); 122 123static int ptys_equal = 0; 124SYSCTL_INT(_security_mac_biba, OID_AUTO, ptys_equal, CTLFLAG_RW, 125 &ptys_equal, 0, "Label pty devices as biba/equal on create"); 126TUNABLE_INT("security.mac.biba.ptys_equal", &ptys_equal); 127 128static int interfaces_equal; 129SYSCTL_INT(_security_mac_biba, OID_AUTO, interfaces_equal, CTLFLAG_RW, 130 &interfaces_equal, 0, "Label network interfaces as biba/equal on create"); 131TUNABLE_INT("security.mac.biba.interfaces_equal", &interfaces_equal); 132 133static int revocation_enabled = 0; 134SYSCTL_INT(_security_mac_biba, OID_AUTO, revocation_enabled, CTLFLAG_RW, 135 &revocation_enabled, 0, "Revoke access to objects on relabel"); 136TUNABLE_INT("security.mac.biba.revocation_enabled", &revocation_enabled); 137 138static int biba_slot; 139#define SLOT(l) ((struct mac_biba *)mac_label_get((l), biba_slot)) 140#define SLOT_SET(l, val) mac_label_set((l), biba_slot, (uintptr_t)(val)) 141 142static uma_zone_t zone_biba; 143 144static __inline int 145biba_bit_set_empty(u_char *set) { 146 int i; 147 148 for (i = 0; i < MAC_BIBA_MAX_COMPARTMENTS >> 3; i++) 149 if (set[i] != 0) 150 return (0); 151 return (1); 152} 153 154static struct mac_biba * 155biba_alloc(int flag) 156{ 157 158 return (uma_zalloc(zone_biba, flag | M_ZERO)); 159} 160 161static void 162biba_free(struct mac_biba *mb) 163{ 164 165 if (mb != NULL) 166 uma_zfree(zone_biba, mb); 167 else 168 atomic_add_int(&destroyed_not_inited, 1); 169} 170 171static int 172biba_atmostflags(struct mac_biba *mb, int flags) 173{ 174 175 if ((mb->mb_flags & flags) != mb->mb_flags) 176 return (EINVAL); 177 return (0); 178} 179 180static int 181biba_dominate_element(struct mac_biba_element *a, struct mac_biba_element *b) 182{ 183 int bit; 184 185 switch (a->mbe_type) { 186 case MAC_BIBA_TYPE_EQUAL: 187 case MAC_BIBA_TYPE_HIGH: 188 return (1); 189 190 case MAC_BIBA_TYPE_LOW: 191 switch (b->mbe_type) { 192 case MAC_BIBA_TYPE_GRADE: 193 case MAC_BIBA_TYPE_HIGH: 194 return (0); 195 196 case MAC_BIBA_TYPE_EQUAL: 197 case MAC_BIBA_TYPE_LOW: 198 return (1); 199 200 default: 201 panic("biba_dominate_element: b->mbe_type invalid"); 202 } 203 204 case MAC_BIBA_TYPE_GRADE: 205 switch (b->mbe_type) { 206 case MAC_BIBA_TYPE_EQUAL: 207 case MAC_BIBA_TYPE_LOW: 208 return (1); 209 210 case MAC_BIBA_TYPE_HIGH: 211 return (0); 212 213 case MAC_BIBA_TYPE_GRADE: 214 for (bit = 1; bit <= MAC_BIBA_MAX_COMPARTMENTS; bit++) 215 if (!MAC_BIBA_BIT_TEST(bit, 216 a->mbe_compartments) && 217 MAC_BIBA_BIT_TEST(bit, b->mbe_compartments)) 218 return (0); 219 return (a->mbe_grade >= b->mbe_grade); 220 221 default: 222 panic("biba_dominate_element: b->mbe_type invalid"); 223 } 224 225 default: 226 panic("biba_dominate_element: a->mbe_type invalid"); 227 } 228 229 return (0); 230} 231 232static int 233biba_subject_dominate_high(struct mac_biba *mb) 234{ 235 struct mac_biba_element *element; 236 237 KASSERT((mb->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) != 0, 238 ("biba_effective_in_range: mb not effective")); 239 element = &mb->mb_effective; 240 241 return (element->mbe_type == MAC_BIBA_TYPE_EQUAL || 242 element->mbe_type == MAC_BIBA_TYPE_HIGH); 243} 244 245static int 246biba_range_in_range(struct mac_biba *rangea, struct mac_biba *rangeb) 247{ 248 249 return (biba_dominate_element(&rangeb->mb_rangehigh, 250 &rangea->mb_rangehigh) && 251 biba_dominate_element(&rangea->mb_rangelow, 252 &rangeb->mb_rangelow)); 253} 254 255static int 256biba_effective_in_range(struct mac_biba *effective, struct mac_biba *range) 257{ 258 259 KASSERT((effective->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) != 0, 260 ("biba_effective_in_range: a not effective")); 261 KASSERT((range->mb_flags & MAC_BIBA_FLAG_RANGE) != 0, 262 ("biba_effective_in_range: b not range")); 263 264 return (biba_dominate_element(&range->mb_rangehigh, 265 &effective->mb_effective) && 266 biba_dominate_element(&effective->mb_effective, 267 &range->mb_rangelow)); 268 269 return (1); 270} 271 272static int 273biba_dominate_effective(struct mac_biba *a, struct mac_biba *b) 274{ 275 KASSERT((a->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) != 0, 276 ("biba_dominate_effective: a not effective")); 277 KASSERT((b->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) != 0, 278 ("biba_dominate_effective: b not effective")); 279 280 return (biba_dominate_element(&a->mb_effective, &b->mb_effective)); 281} 282 283static int 284biba_equal_element(struct mac_biba_element *a, struct mac_biba_element *b) 285{ 286 287 if (a->mbe_type == MAC_BIBA_TYPE_EQUAL || 288 b->mbe_type == MAC_BIBA_TYPE_EQUAL) 289 return (1); 290 291 return (a->mbe_type == b->mbe_type && a->mbe_grade == b->mbe_grade); 292} 293 294static int 295biba_equal_effective(struct mac_biba *a, struct mac_biba *b) 296{ 297 298 KASSERT((a->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) != 0, 299 ("biba_equal_effective: a not effective")); 300 KASSERT((b->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) != 0, 301 ("biba_equal_effective: b not effective")); 302 303 return (biba_equal_element(&a->mb_effective, &b->mb_effective)); 304} 305 306static int 307biba_contains_equal(struct mac_biba *mb) 308{ 309 310 if (mb->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) { 311 if (mb->mb_effective.mbe_type == MAC_BIBA_TYPE_EQUAL) 312 return (1); 313 } 314 315 if (mb->mb_flags & MAC_BIBA_FLAG_RANGE) { 316 if (mb->mb_rangelow.mbe_type == MAC_BIBA_TYPE_EQUAL) 317 return (1); 318 if (mb->mb_rangehigh.mbe_type == MAC_BIBA_TYPE_EQUAL) 319 return (1); 320 } 321 322 return (0); 323} 324 325static int 326biba_subject_privileged(struct mac_biba *mb) 327{ 328 329 KASSERT((mb->mb_flags & MAC_BIBA_FLAGS_BOTH) == MAC_BIBA_FLAGS_BOTH, 330 ("biba_subject_privileged: subject doesn't have both labels")); 331 332 /* If the effective is EQUAL, it's ok. */ 333 if (mb->mb_effective.mbe_type == MAC_BIBA_TYPE_EQUAL) 334 return (0); 335 336 /* If either range endpoint is EQUAL, it's ok. */ 337 if (mb->mb_rangelow.mbe_type == MAC_BIBA_TYPE_EQUAL || 338 mb->mb_rangehigh.mbe_type == MAC_BIBA_TYPE_EQUAL) 339 return (0); 340 341 /* If the range is low-high, it's ok. */ 342 if (mb->mb_rangelow.mbe_type == MAC_BIBA_TYPE_LOW && 343 mb->mb_rangehigh.mbe_type == MAC_BIBA_TYPE_HIGH) 344 return (0); 345 346 /* It's not ok. */ 347 return (EPERM); 348} 349 350static int 351biba_high_effective(struct mac_biba *mb) 352{ 353 354 KASSERT((mb->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) != 0, 355 ("biba_equal_effective: mb not effective")); 356 357 return (mb->mb_effective.mbe_type == MAC_BIBA_TYPE_HIGH); 358} 359 360static int 361biba_valid(struct mac_biba *mb) 362{ 363 364 if (mb->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) { 365 switch (mb->mb_effective.mbe_type) { 366 case MAC_BIBA_TYPE_GRADE: 367 break; 368 369 case MAC_BIBA_TYPE_EQUAL: 370 case MAC_BIBA_TYPE_HIGH: 371 case MAC_BIBA_TYPE_LOW: 372 if (mb->mb_effective.mbe_grade != 0 || 373 !MAC_BIBA_BIT_SET_EMPTY( 374 mb->mb_effective.mbe_compartments)) 375 return (EINVAL); 376 break; 377 378 default: 379 return (EINVAL); 380 } 381 } else { 382 if (mb->mb_effective.mbe_type != MAC_BIBA_TYPE_UNDEF) 383 return (EINVAL); 384 } 385 386 if (mb->mb_flags & MAC_BIBA_FLAG_RANGE) { 387 switch (mb->mb_rangelow.mbe_type) { 388 case MAC_BIBA_TYPE_GRADE: 389 break; 390 391 case MAC_BIBA_TYPE_EQUAL: 392 case MAC_BIBA_TYPE_HIGH: 393 case MAC_BIBA_TYPE_LOW: 394 if (mb->mb_rangelow.mbe_grade != 0 || 395 !MAC_BIBA_BIT_SET_EMPTY( 396 mb->mb_rangelow.mbe_compartments)) 397 return (EINVAL); 398 break; 399 400 default: 401 return (EINVAL); 402 } 403 404 switch (mb->mb_rangehigh.mbe_type) { 405 case MAC_BIBA_TYPE_GRADE: 406 break; 407 408 case MAC_BIBA_TYPE_EQUAL: 409 case MAC_BIBA_TYPE_HIGH: 410 case MAC_BIBA_TYPE_LOW: 411 if (mb->mb_rangehigh.mbe_grade != 0 || 412 !MAC_BIBA_BIT_SET_EMPTY( 413 mb->mb_rangehigh.mbe_compartments)) 414 return (EINVAL); 415 break; 416 417 default: 418 return (EINVAL); 419 } 420 if (!biba_dominate_element(&mb->mb_rangehigh, 421 &mb->mb_rangelow)) 422 return (EINVAL); 423 } else { 424 if (mb->mb_rangelow.mbe_type != MAC_BIBA_TYPE_UNDEF || 425 mb->mb_rangehigh.mbe_type != MAC_BIBA_TYPE_UNDEF) 426 return (EINVAL); 427 } 428 429 return (0); 430} 431 432static void 433biba_set_range(struct mac_biba *mb, u_short typelow, u_short gradelow, 434 u_char *compartmentslow, u_short typehigh, u_short gradehigh, 435 u_char *compartmentshigh) 436{ 437 438 mb->mb_rangelow.mbe_type = typelow; 439 mb->mb_rangelow.mbe_grade = gradelow; 440 if (compartmentslow != NULL) 441 memcpy(mb->mb_rangelow.mbe_compartments, compartmentslow, 442 sizeof(mb->mb_rangelow.mbe_compartments)); 443 mb->mb_rangehigh.mbe_type = typehigh; 444 mb->mb_rangehigh.mbe_grade = gradehigh; 445 if (compartmentshigh != NULL) 446 memcpy(mb->mb_rangehigh.mbe_compartments, compartmentshigh, 447 sizeof(mb->mb_rangehigh.mbe_compartments)); 448 mb->mb_flags |= MAC_BIBA_FLAG_RANGE; 449} 450 451static void 452biba_set_effective(struct mac_biba *mb, u_short type, u_short grade, 453 u_char *compartments) 454{ 455 456 mb->mb_effective.mbe_type = type; 457 mb->mb_effective.mbe_grade = grade; 458 if (compartments != NULL) 459 memcpy(mb->mb_effective.mbe_compartments, compartments, 460 sizeof(mb->mb_effective.mbe_compartments)); 461 mb->mb_flags |= MAC_BIBA_FLAG_EFFECTIVE; 462} 463 464static void 465biba_copy_range(struct mac_biba *labelfrom, struct mac_biba *labelto) 466{ 467 468 KASSERT((labelfrom->mb_flags & MAC_BIBA_FLAG_RANGE) != 0, 469 ("biba_copy_range: labelfrom not range")); 470 471 labelto->mb_rangelow = labelfrom->mb_rangelow; 472 labelto->mb_rangehigh = labelfrom->mb_rangehigh; 473 labelto->mb_flags |= MAC_BIBA_FLAG_RANGE; 474} 475 476static void 477biba_copy_effective(struct mac_biba *labelfrom, struct mac_biba *labelto) 478{ 479 480 KASSERT((labelfrom->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) != 0, 481 ("biba_copy_effective: labelfrom not effective")); 482 483 labelto->mb_effective = labelfrom->mb_effective; 484 labelto->mb_flags |= MAC_BIBA_FLAG_EFFECTIVE; 485} 486 487static void 488biba_copy(struct mac_biba *source, struct mac_biba *dest) 489{ 490 491 if (source->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) 492 biba_copy_effective(source, dest); 493 if (source->mb_flags & MAC_BIBA_FLAG_RANGE) 494 biba_copy_range(source, dest); 495} 496 497/* 498 * Policy module operations. 499 */ 500static void 501biba_init(struct mac_policy_conf *conf) 502{ 503 504 zone_biba = uma_zcreate("mac_biba", sizeof(struct mac_biba), NULL, 505 NULL, NULL, NULL, UMA_ALIGN_PTR, 0); 506} 507 508/* 509 * Label operations. 510 */ 511static void 512biba_init_label(struct label *label) 513{ 514 515 SLOT_SET(label, biba_alloc(M_WAITOK)); 516} 517 518static int 519biba_init_label_waitcheck(struct label *label, int flag) 520{ 521 522 SLOT_SET(label, biba_alloc(flag)); 523 if (SLOT(label) == NULL) 524 return (ENOMEM); 525 526 return (0); 527} 528 529static void 530biba_destroy_label(struct label *label) 531{ 532 533 biba_free(SLOT(label)); 534 SLOT_SET(label, NULL); 535} 536 537/* 538 * biba_element_to_string() accepts an sbuf and Biba element. It converts 539 * the Biba element to a string and stores the result in the sbuf; if there 540 * isn't space in the sbuf, -1 is returned. 541 */ 542static int 543biba_element_to_string(struct sbuf *sb, struct mac_biba_element *element) 544{ 545 int i, first; 546 547 switch (element->mbe_type) { 548 case MAC_BIBA_TYPE_HIGH: 549 return (sbuf_printf(sb, "high")); 550 551 case MAC_BIBA_TYPE_LOW: 552 return (sbuf_printf(sb, "low")); 553 554 case MAC_BIBA_TYPE_EQUAL: 555 return (sbuf_printf(sb, "equal")); 556 557 case MAC_BIBA_TYPE_GRADE: 558 if (sbuf_printf(sb, "%d", element->mbe_grade) == -1) 559 return (-1); 560 561 first = 1; 562 for (i = 1; i <= MAC_BIBA_MAX_COMPARTMENTS; i++) { 563 if (MAC_BIBA_BIT_TEST(i, element->mbe_compartments)) { 564 if (first) { 565 if (sbuf_putc(sb, ':') == -1) 566 return (-1); 567 if (sbuf_printf(sb, "%d", i) == -1) 568 return (-1); 569 first = 0; 570 } else { 571 if (sbuf_printf(sb, "+%d", i) == -1) 572 return (-1); 573 } 574 } 575 } 576 return (0); 577 578 default: 579 panic("biba_element_to_string: invalid type (%d)", 580 element->mbe_type); 581 } 582} 583 584/* 585 * biba_to_string() converts a Biba label to a string, and places the results 586 * in the passed sbuf. It returns 0 on success, or EINVAL if there isn't 587 * room in the sbuf. Note: the sbuf will be modified even in a failure case, 588 * so the caller may need to revert the sbuf by restoring the offset if 589 * that's undesired. 590 */ 591static int 592biba_to_string(struct sbuf *sb, struct mac_biba *mb) 593{ 594 595 if (mb->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) { 596 if (biba_element_to_string(sb, &mb->mb_effective) == -1) 597 return (EINVAL); 598 } 599 600 if (mb->mb_flags & MAC_BIBA_FLAG_RANGE) { 601 if (sbuf_putc(sb, '(') == -1) 602 return (EINVAL); 603 604 if (biba_element_to_string(sb, &mb->mb_rangelow) == -1) 605 return (EINVAL); 606 607 if (sbuf_putc(sb, '-') == -1) 608 return (EINVAL); 609 610 if (biba_element_to_string(sb, &mb->mb_rangehigh) == -1) 611 return (EINVAL); 612 613 if (sbuf_putc(sb, ')') == -1) 614 return (EINVAL); 615 } 616 617 return (0); 618} 619 620static int 621biba_externalize_label(struct label *label, char *element_name, 622 struct sbuf *sb, int *claimed) 623{ 624 struct mac_biba *mb; 625 626 if (strcmp(MAC_BIBA_LABEL_NAME, element_name) != 0) 627 return (0); 628 629 (*claimed)++; 630 631 mb = SLOT(label); 632 return (biba_to_string(sb, mb)); 633} 634 635static int 636biba_parse_element(struct mac_biba_element *element, char *string) 637{ 638 char *compartment, *end, *grade; 639 int value; 640 641 if (strcmp(string, "high") == 0 || 642 strcmp(string, "hi") == 0) { 643 element->mbe_type = MAC_BIBA_TYPE_HIGH; 644 element->mbe_grade = MAC_BIBA_TYPE_UNDEF; 645 } else if (strcmp(string, "low") == 0 || 646 strcmp(string, "lo") == 0) { 647 element->mbe_type = MAC_BIBA_TYPE_LOW; 648 element->mbe_grade = MAC_BIBA_TYPE_UNDEF; 649 } else if (strcmp(string, "equal") == 0 || 650 strcmp(string, "eq") == 0) { 651 element->mbe_type = MAC_BIBA_TYPE_EQUAL; 652 element->mbe_grade = MAC_BIBA_TYPE_UNDEF; 653 } else { 654 element->mbe_type = MAC_BIBA_TYPE_GRADE; 655 656 /* 657 * Numeric grade piece of the element. 658 */ 659 grade = strsep(&string, ":"); 660 value = strtol(grade, &end, 10); 661 if (end == grade || *end != '\0') 662 return (EINVAL); 663 if (value < 0 || value > 65535) 664 return (EINVAL); 665 element->mbe_grade = value; 666 667 /* 668 * Optional compartment piece of the element. If none 669 * are included, we assume that the label has no 670 * compartments. 671 */ 672 if (string == NULL) 673 return (0); 674 if (*string == '\0') 675 return (0); 676 677 while ((compartment = strsep(&string, "+")) != NULL) { 678 value = strtol(compartment, &end, 10); 679 if (compartment == end || *end != '\0') 680 return (EINVAL); 681 if (value < 1 || value > MAC_BIBA_MAX_COMPARTMENTS) 682 return (EINVAL); 683 MAC_BIBA_BIT_SET(value, element->mbe_compartments); 684 } 685 } 686 687 return (0); 688} 689 690/* 691 * Note: destructively consumes the string, make a local copy before 692 * calling if that's a problem. 693 */ 694static int 695biba_parse(struct mac_biba *mb, char *string) 696{ 697 char *rangehigh, *rangelow, *effective; 698 int error; 699 700 effective = strsep(&string, "("); 701 if (*effective == '\0') 702 effective = NULL; 703 704 if (string != NULL) { 705 rangelow = strsep(&string, "-"); 706 if (string == NULL) 707 return (EINVAL); 708 rangehigh = strsep(&string, ")"); 709 if (string == NULL) 710 return (EINVAL); 711 if (*string != '\0') 712 return (EINVAL); 713 } else { 714 rangelow = NULL; 715 rangehigh = NULL; 716 } 717 718 KASSERT((rangelow != NULL && rangehigh != NULL) || 719 (rangelow == NULL && rangehigh == NULL), 720 ("biba_parse: range mismatch")); 721 722 bzero(mb, sizeof(*mb)); 723 if (effective != NULL) { 724 error = biba_parse_element(&mb->mb_effective, effective); 725 if (error) 726 return (error); 727 mb->mb_flags |= MAC_BIBA_FLAG_EFFECTIVE; 728 } 729 730 if (rangelow != NULL) { 731 error = biba_parse_element(&mb->mb_rangelow, rangelow); 732 if (error) 733 return (error); 734 error = biba_parse_element(&mb->mb_rangehigh, rangehigh); 735 if (error) 736 return (error); 737 mb->mb_flags |= MAC_BIBA_FLAG_RANGE; 738 } 739 740 error = biba_valid(mb); 741 if (error) 742 return (error); 743 744 return (0); 745} 746 747static int 748biba_internalize_label(struct label *label, char *element_name, 749 char *element_data, int *claimed) 750{ 751 struct mac_biba *mb, mb_temp; 752 int error; 753 754 if (strcmp(MAC_BIBA_LABEL_NAME, element_name) != 0) 755 return (0); 756 757 (*claimed)++; 758 759 error = biba_parse(&mb_temp, element_data); 760 if (error) 761 return (error); 762 763 mb = SLOT(label); 764 *mb = mb_temp; 765 766 return (0); 767} 768 769static void 770biba_copy_label(struct label *src, struct label *dest) 771{ 772 773 *SLOT(dest) = *SLOT(src); 774} 775 776/* 777 * Object-specific entry point implementations are sorted alphabetically by 778 * object type name and then by operation. 779 */ 780static int 781biba_bpfdesc_check_receive(struct bpf_d *d, struct label *dlabel, 782 struct ifnet *ifp, struct label *ifplabel) 783{ 784 struct mac_biba *a, *b; 785 786 if (!biba_enabled) 787 return (0); 788 789 a = SLOT(dlabel); 790 b = SLOT(ifplabel); 791 792 if (biba_equal_effective(a, b)) 793 return (0); 794 return (EACCES); 795} 796 797static void 798biba_bpfdesc_create(struct ucred *cred, struct bpf_d *d, 799 struct label *dlabel) 800{ 801 struct mac_biba *source, *dest; 802 803 source = SLOT(cred->cr_label); 804 dest = SLOT(dlabel); 805 806 biba_copy_effective(source, dest); 807} 808 809static void 810biba_bpfdesc_create_mbuf(struct bpf_d *d, struct label *dlabel, 811 struct mbuf *m, struct label *mlabel) 812{ 813 struct mac_biba *source, *dest; 814 815 source = SLOT(dlabel); 816 dest = SLOT(mlabel); 817 818 biba_copy_effective(source, dest); 819} 820 821static int 822biba_cred_check_relabel(struct ucred *cred, struct label *newlabel) 823{ 824 struct mac_biba *subj, *new; 825 int error; 826 827 subj = SLOT(cred->cr_label); 828 new = SLOT(newlabel); 829 830 /* 831 * If there is a Biba label update for the credential, it may 832 * be an update of the effective, range, or both. 833 */ 834 error = biba_atmostflags(new, MAC_BIBA_FLAGS_BOTH); 835 if (error) 836 return (error); 837 838 /* 839 * If the Biba label is to be changed, authorize as appropriate. 840 */ 841 if (new->mb_flags & MAC_BIBA_FLAGS_BOTH) { 842 /* 843 * If the change request modifies both the Biba label 844 * effective and range, check that the new effective will be 845 * in the new range. 846 */ 847 if ((new->mb_flags & MAC_BIBA_FLAGS_BOTH) == 848 MAC_BIBA_FLAGS_BOTH && 849 !biba_effective_in_range(new, new)) 850 return (EINVAL); 851 852 /* 853 * To change the Biba effective label on a credential, the 854 * new effective label must be in the current range. 855 */ 856 if (new->mb_flags & MAC_BIBA_FLAG_EFFECTIVE && 857 !biba_effective_in_range(new, subj)) 858 return (EPERM); 859 860 /* 861 * To change the Biba range on a credential, the new range 862 * label must be in the current range. 863 */ 864 if (new->mb_flags & MAC_BIBA_FLAG_RANGE && 865 !biba_range_in_range(new, subj)) 866 return (EPERM); 867 868 /* 869 * To have EQUAL in any component of the new credential Biba 870 * label, the subject must already have EQUAL in their label. 871 */ 872 if (biba_contains_equal(new)) { 873 error = biba_subject_privileged(subj); 874 if (error) 875 return (error); 876 } 877 } 878 879 return (0); 880} 881 882static int 883biba_cred_check_visible(struct ucred *u1, struct ucred *u2) 884{ 885 struct mac_biba *subj, *obj; 886 887 if (!biba_enabled) 888 return (0); 889 890 subj = SLOT(u1->cr_label); 891 obj = SLOT(u2->cr_label); 892 893 /* XXX: range */ 894 if (!biba_dominate_effective(obj, subj)) 895 return (ESRCH); 896 897 return (0); 898} 899 900static void 901biba_cred_relabel(struct ucred *cred, struct label *newlabel) 902{ 903 struct mac_biba *source, *dest; 904 905 source = SLOT(newlabel); 906 dest = SLOT(cred->cr_label); 907 908 biba_copy(source, dest); 909} 910 911static void 912biba_devfs_create_device(struct ucred *cred, struct mount *mp, 913 struct cdev *dev, struct devfs_dirent *de, struct label *delabel) 914{ 915 struct mac_biba *mb; 916 int biba_type; 917 918 mb = SLOT(delabel); 919 if (strcmp(dev->si_name, "null") == 0 || 920 strcmp(dev->si_name, "zero") == 0 || 921 strcmp(dev->si_name, "random") == 0 || 922 strncmp(dev->si_name, "fd/", strlen("fd/")) == 0) 923 biba_type = MAC_BIBA_TYPE_EQUAL; 924 else if (ptys_equal && 925 (strncmp(dev->si_name, "ttyp", strlen("ttyp")) == 0 || 926 strncmp(dev->si_name, "ptyp", strlen("ptyp")) == 0)) 927 biba_type = MAC_BIBA_TYPE_EQUAL; 928 else 929 biba_type = MAC_BIBA_TYPE_HIGH; 930 biba_set_effective(mb, biba_type, 0, NULL); 931} 932 933static void 934biba_devfs_create_directory(struct mount *mp, char *dirname, int dirnamelen, 935 struct devfs_dirent *de, struct label *delabel) 936{ 937 struct mac_biba *mb; 938 939 mb = SLOT(delabel); 940 941 biba_set_effective(mb, MAC_BIBA_TYPE_HIGH, 0, NULL); 942} 943 944static void 945biba_devfs_create_symlink(struct ucred *cred, struct mount *mp, 946 struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de, 947 struct label *delabel) 948{ 949 struct mac_biba *source, *dest; 950 951 source = SLOT(cred->cr_label); 952 dest = SLOT(delabel); 953 954 biba_copy_effective(source, dest); 955} 956 957static void 958biba_devfs_update(struct mount *mp, struct devfs_dirent *de, 959 struct label *delabel, struct vnode *vp, struct label *vplabel) 960{ 961 struct mac_biba *source, *dest; 962 963 source = SLOT(vplabel); 964 dest = SLOT(delabel); 965 966 biba_copy(source, dest); 967} 968 969static void 970biba_devfs_vnode_associate(struct mount *mp, struct label *mntlabel, 971 struct devfs_dirent *de, struct label *delabel, struct vnode *vp, 972 struct label *vplabel) 973{ 974 struct mac_biba *source, *dest; 975 976 source = SLOT(delabel); 977 dest = SLOT(vplabel); 978 979 biba_copy_effective(source, dest); 980} 981 982static int 983biba_ifnet_check_relabel(struct ucred *cred, struct ifnet *ifp, 984 struct label *ifplabel, struct label *newlabel) 985{ 986 struct mac_biba *subj, *new; 987 int error; 988 989 subj = SLOT(cred->cr_label); 990 new = SLOT(newlabel); 991 992 /* 993 * If there is a Biba label update for the interface, it may be an 994 * update of the effective, range, or both. 995 */ 996 error = biba_atmostflags(new, MAC_BIBA_FLAGS_BOTH); 997 if (error) 998 return (error); 999 1000 /* 1001 * Relabling network interfaces requires Biba privilege. 1002 */ 1003 error = biba_subject_privileged(subj); 1004 if (error) 1005 return (error); 1006 1007 return (0); 1008} 1009 1010static int 1011biba_ifnet_check_transmit(struct ifnet *ifp, struct label *ifplabel, 1012 struct mbuf *m, struct label *mlabel) 1013{ 1014 struct mac_biba *p, *i; 1015 1016 if (!biba_enabled) 1017 return (0); 1018 1019 p = SLOT(mlabel); 1020 i = SLOT(ifplabel); 1021 1022 return (biba_effective_in_range(p, i) ? 0 : EACCES); 1023} 1024 1025static void 1026biba_ifnet_create(struct ifnet *ifp, struct label *ifplabel) 1027{ 1028 char tifname[IFNAMSIZ], *p, *q; 1029 char tiflist[sizeof(trusted_interfaces)]; 1030 struct mac_biba *dest; 1031 int len, type; 1032 1033 dest = SLOT(ifplabel); 1034 1035 if (ifp->if_type == IFT_LOOP || interfaces_equal != 0) { 1036 type = MAC_BIBA_TYPE_EQUAL; 1037 goto set; 1038 } 1039 1040 if (trust_all_interfaces) { 1041 type = MAC_BIBA_TYPE_HIGH; 1042 goto set; 1043 } 1044 1045 type = MAC_BIBA_TYPE_LOW; 1046 1047 if (trusted_interfaces[0] == '\0' || 1048 !strvalid(trusted_interfaces, sizeof(trusted_interfaces))) 1049 goto set; 1050 1051 bzero(tiflist, sizeof(tiflist)); 1052 for (p = trusted_interfaces, q = tiflist; *p != '\0'; p++, q++) 1053 if(*p != ' ' && *p != '\t') 1054 *q = *p; 1055 1056 for (p = q = tiflist;; p++) { 1057 if (*p == ',' || *p == '\0') { 1058 len = p - q; 1059 if (len < IFNAMSIZ) { 1060 bzero(tifname, sizeof(tifname)); 1061 bcopy(q, tifname, len); 1062 if (strcmp(tifname, ifp->if_xname) == 0) { 1063 type = MAC_BIBA_TYPE_HIGH; 1064 break; 1065 } 1066 } else { 1067 *p = '\0'; 1068 printf("mac_biba warning: interface name " 1069 "\"%s\" is too long (must be < %d)\n", 1070 q, IFNAMSIZ); 1071 } 1072 if (*p == '\0') 1073 break; 1074 q = p + 1; 1075 } 1076 } 1077set: 1078 biba_set_effective(dest, type, 0, NULL); 1079 biba_set_range(dest, type, 0, NULL, type, 0, NULL); 1080} 1081 1082static void 1083biba_ifnet_create_mbuf(struct ifnet *ifp, struct label *ifplabel, 1084 struct mbuf *m, struct label *mlabel) 1085{ 1086 struct mac_biba *source, *dest; 1087 1088 source = SLOT(ifplabel); 1089 dest = SLOT(mlabel); 1090 1091 biba_copy_effective(source, dest); 1092} 1093 1094static void 1095biba_ifnet_relabel(struct ucred *cred, struct ifnet *ifp, 1096 struct label *ifplabel, struct label *newlabel) 1097{ 1098 struct mac_biba *source, *dest; 1099 1100 source = SLOT(newlabel); 1101 dest = SLOT(ifplabel); 1102 1103 biba_copy(source, dest); 1104} 1105 1106static int 1107biba_inpcb_check_deliver(struct inpcb *inp, struct label *inplabel, 1108 struct mbuf *m, struct label *mlabel) 1109{ 1110 struct mac_biba *p, *i; 1111 1112 if (!biba_enabled) 1113 return (0); 1114 1115 p = SLOT(mlabel); 1116 i = SLOT(inplabel); 1117 1118 return (biba_equal_effective(p, i) ? 0 : EACCES); 1119} 1120 1121static void 1122biba_inpcb_create(struct socket *so, struct label *solabel, 1123 struct inpcb *inp, struct label *inplabel) 1124{ 1125 struct mac_biba *source, *dest; 1126 1127 source = SLOT(solabel); 1128 dest = SLOT(inplabel); 1129 1130 biba_copy_effective(source, dest); 1131} 1132 1133static void 1134biba_inpcb_create_mbuf(struct inpcb *inp, struct label *inplabel, 1135 struct mbuf *m, struct label *mlabel) 1136{ 1137 struct mac_biba *source, *dest; 1138 1139 source = SLOT(inplabel); 1140 dest = SLOT(mlabel); 1141 1142 biba_copy_effective(source, dest); 1143} 1144 1145static void 1146biba_inpcb_sosetlabel(struct socket *so, struct label *solabel, 1147 struct inpcb *inp, struct label *inplabel) 1148{ 1149 struct mac_biba *source, *dest; 1150 1151 source = SLOT(solabel); 1152 dest = SLOT(inplabel); 1153 1154 biba_copy(source, dest); 1155} 1156 1157static void 1158biba_ipq_create(struct mbuf *m, struct label *mlabel, struct ipq *q, 1159 struct label *qlabel) 1160{ 1161 struct mac_biba *source, *dest; 1162 1163 source = SLOT(mlabel); 1164 dest = SLOT(qlabel); 1165 1166 biba_copy_effective(source, dest); 1167} 1168 1169static int 1170biba_ipq_match(struct mbuf *m, struct label *mlabel, struct ipq *q, 1171 struct label *qlabel) 1172{ 1173 struct mac_biba *a, *b; 1174 1175 a = SLOT(qlabel); 1176 b = SLOT(mlabel); 1177 1178 return (biba_equal_effective(a, b)); 1179} 1180 1181static void 1182biba_ipq_reassemble(struct ipq *q, struct label *qlabel, struct mbuf *m, 1183 struct label *mlabel) 1184{ 1185 struct mac_biba *source, *dest; 1186 1187 source = SLOT(qlabel); 1188 dest = SLOT(mlabel); 1189 1190 /* Just use the head, since we require them all to match. */ 1191 biba_copy_effective(source, dest); 1192} 1193 1194static void 1195biba_ipq_update(struct mbuf *m, struct label *mlabel, struct ipq *q, 1196 struct label *qlabel) 1197{ 1198 1199 /* NOOP: we only accept matching labels, so no need to update */ 1200} 1201 1202static int 1203biba_kld_check_load(struct ucred *cred, struct vnode *vp, 1204 struct label *vplabel) 1205{ 1206 struct mac_biba *subj, *obj; 1207 int error; 1208 1209 if (!biba_enabled) 1210 return (0); 1211 1212 subj = SLOT(cred->cr_label); 1213 1214 error = biba_subject_privileged(subj); 1215 if (error) 1216 return (error); 1217 1218 obj = SLOT(vplabel); 1219 if (!biba_high_effective(obj)) 1220 return (EACCES); 1221 1222 return (0); 1223} 1224 1225static int 1226biba_mount_check_stat(struct ucred *cred, struct mount *mp, 1227 struct label *mplabel) 1228{ 1229 struct mac_biba *subj, *obj; 1230 1231 if (!biba_enabled) 1232 return (0); 1233 1234 subj = SLOT(cred->cr_label); 1235 obj = SLOT(mplabel); 1236 1237 if (!biba_dominate_effective(obj, subj)) 1238 return (EACCES); 1239 1240 return (0); 1241} 1242 1243static void 1244biba_mount_create(struct ucred *cred, struct mount *mp, 1245 struct label *mplabel) 1246{ 1247 struct mac_biba *source, *dest; 1248 1249 source = SLOT(cred->cr_label); 1250 dest = SLOT(mplabel); 1251 1252 biba_copy_effective(source, dest); 1253} 1254 1255static void 1256biba_netatalk_aarp_send(struct ifnet *ifp, struct label *ifplabel, 1257 struct mbuf *m, struct label *mlabel) 1258{ 1259 struct mac_biba *dest; 1260 1261 dest = SLOT(mlabel); 1262 1263 biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL); 1264} 1265 1266static void 1267biba_netinet_arp_send(struct ifnet *ifp, struct label *ifplabel, 1268 struct mbuf *m, struct label *mlabel) 1269{ 1270 struct mac_biba *dest; 1271 1272 dest = SLOT(mlabel); 1273 1274 biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL); 1275} 1276 1277static void 1278biba_netinet_firewall_reply(struct mbuf *mrecv, struct label *mrecvlabel, 1279 struct mbuf *msend, struct label *msendlabel) 1280{ 1281 struct mac_biba *source, *dest; 1282 1283 source = SLOT(mrecvlabel); 1284 dest = SLOT(msendlabel); 1285 1286 biba_copy_effective(source, dest); 1287} 1288 1289static void 1290biba_netinet_firewall_send(struct mbuf *m, struct label *mlabel) 1291{ 1292 struct mac_biba *dest; 1293 1294 dest = SLOT(mlabel); 1295 1296 /* XXX: where is the label for the firewall really coming from? */ 1297 biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL); 1298} 1299 1300static void 1301biba_netinet_fragment(struct mbuf *m, struct label *mlabel, 1302 struct mbuf *frag, struct label *fraglabel) 1303{ 1304 struct mac_biba *source, *dest; 1305 1306 source = SLOT(mlabel); 1307 dest = SLOT(fraglabel); 1308 1309 biba_copy_effective(source, dest); 1310} 1311 1312static void 1313biba_netinet_icmp_reply(struct mbuf *mrecv, struct label *mrecvlabel, 1314 struct mbuf *msend, struct label *msendlabel) 1315{ 1316 struct mac_biba *source, *dest; 1317 1318 source = SLOT(mrecvlabel); 1319 dest = SLOT(msendlabel); 1320 1321 biba_copy_effective(source, dest); 1322} 1323 1324static void 1325biba_netinet_igmp_send(struct ifnet *ifp, struct label *ifplabel, 1326 struct mbuf *m, struct label *mlabel) 1327{ 1328 struct mac_biba *dest; 1329 1330 dest = SLOT(mlabel); 1331 1332 biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL); 1333} 1334 1335static void 1336biba_netinet6_nd6_send(struct ifnet *ifp, struct label *ifplabel, 1337 struct mbuf *m, struct label *mlabel) 1338{ 1339 struct mac_biba *dest; 1340 1341 dest = SLOT(mlabel); 1342 1343 biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL); 1344} 1345 1346static int 1347biba_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp, 1348 struct label *pplabel, unsigned long cmd, void /* caddr_t */ *data) 1349{ 1350 1351 if(!biba_enabled) 1352 return (0); 1353 1354 /* XXX: This will be implemented soon... */ 1355 1356 return (0); 1357} 1358 1359static int 1360biba_pipe_check_poll(struct ucred *cred, struct pipepair *pp, 1361 struct label *pplabel) 1362{ 1363 struct mac_biba *subj, *obj; 1364 1365 if (!biba_enabled) 1366 return (0); 1367 1368 subj = SLOT(cred->cr_label); 1369 obj = SLOT(pplabel); 1370 1371 if (!biba_dominate_effective(obj, subj)) 1372 return (EACCES); 1373 1374 return (0); 1375} 1376 1377static int 1378biba_pipe_check_read(struct ucred *cred, struct pipepair *pp, 1379 struct label *pplabel) 1380{ 1381 struct mac_biba *subj, *obj; 1382 1383 if (!biba_enabled) 1384 return (0); 1385 1386 subj = SLOT(cred->cr_label); 1387 obj = SLOT(pplabel); 1388 1389 if (!biba_dominate_effective(obj, subj)) 1390 return (EACCES); 1391 1392 return (0); 1393} 1394 1395static int 1396biba_pipe_check_relabel(struct ucred *cred, struct pipepair *pp, 1397 struct label *pplabel, struct label *newlabel) 1398{ 1399 struct mac_biba *subj, *obj, *new; 1400 int error; 1401 1402 new = SLOT(newlabel); 1403 subj = SLOT(cred->cr_label); 1404 obj = SLOT(pplabel); 1405 1406 /* 1407 * If there is a Biba label update for a pipe, it must be a effective 1408 * update. 1409 */ 1410 error = biba_atmostflags(new, MAC_BIBA_FLAG_EFFECTIVE); 1411 if (error) 1412 return (error); 1413 1414 /* 1415 * To perform a relabel of a pipe (Biba label or not), Biba must 1416 * authorize the relabel. 1417 */ 1418 if (!biba_effective_in_range(obj, subj)) 1419 return (EPERM); 1420 1421 /* 1422 * If the Biba label is to be changed, authorize as appropriate. 1423 */ 1424 if (new->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) { 1425 /* 1426 * To change the Biba label on a pipe, the new pipe label 1427 * must be in the subject range. 1428 */ 1429 if (!biba_effective_in_range(new, subj)) 1430 return (EPERM); 1431 1432 /* 1433 * To change the Biba label on a pipe to be EQUAL, the 1434 * subject must have appropriate privilege. 1435 */ 1436 if (biba_contains_equal(new)) { 1437 error = biba_subject_privileged(subj); 1438 if (error) 1439 return (error); 1440 } 1441 } 1442 1443 return (0); 1444} 1445 1446static int 1447biba_pipe_check_stat(struct ucred *cred, struct pipepair *pp, 1448 struct label *pplabel) 1449{ 1450 struct mac_biba *subj, *obj; 1451 1452 if (!biba_enabled) 1453 return (0); 1454 1455 subj = SLOT(cred->cr_label); 1456 obj = SLOT(pplabel); 1457 1458 if (!biba_dominate_effective(obj, subj)) 1459 return (EACCES); 1460 1461 return (0); 1462} 1463 1464static int 1465biba_pipe_check_write(struct ucred *cred, struct pipepair *pp, 1466 struct label *pplabel) 1467{ 1468 struct mac_biba *subj, *obj; 1469 1470 if (!biba_enabled) 1471 return (0); 1472 1473 subj = SLOT(cred->cr_label); 1474 obj = SLOT(pplabel); 1475 1476 if (!biba_dominate_effective(subj, obj)) 1477 return (EACCES); 1478 1479 return (0); 1480} 1481 1482static void 1483biba_pipe_create(struct ucred *cred, struct pipepair *pp, 1484 struct label *pplabel) 1485{ 1486 struct mac_biba *source, *dest; 1487 1488 source = SLOT(cred->cr_label); 1489 dest = SLOT(pplabel); 1490 1491 biba_copy_effective(source, dest); 1492} 1493 1494static void 1495biba_pipe_relabel(struct ucred *cred, struct pipepair *pp, 1496 struct label *pplabel, struct label *newlabel) 1497{ 1498 struct mac_biba *source, *dest; 1499 1500 source = SLOT(newlabel); 1501 dest = SLOT(pplabel); 1502 1503 biba_copy(source, dest); 1504} 1505 1506static int 1507biba_posixsem_check_openunlink(struct ucred *cred, struct ksem *ks, 1508 struct label *kslabel) 1509{ 1510 struct mac_biba *subj, *obj; 1511 1512 if (!biba_enabled) 1513 return (0); 1514 1515 subj = SLOT(cred->cr_label); 1516 obj = SLOT(kslabel); 1517 1518 if (!biba_dominate_effective(subj, obj)) 1519 return (EACCES); 1520 1521 return (0); 1522} 1523 1524static int 1525biba_posixsem_check_write(struct ucred *active_cred, struct ucred *file_cred, 1526 struct ksem *ks, struct label *kslabel) 1527{ 1528 struct mac_biba *subj, *obj; 1529 1530 if (!biba_enabled) 1531 return (0); 1532 1533 subj = SLOT(active_cred->cr_label); 1534 obj = SLOT(kslabel); 1535 1536 if (!biba_dominate_effective(subj, obj)) 1537 return (EACCES); 1538 1539 return (0); 1540} 1541 1542static int 1543biba_posixsem_check_rdonly(struct ucred *active_cred, struct ucred *file_cred, 1544 struct ksem *ks, struct label *kslabel) 1545{ 1546 struct mac_biba *subj, *obj; 1547 1548 if (!biba_enabled) 1549 return (0); 1550 1551 subj = SLOT(active_cred->cr_label); 1552 obj = SLOT(kslabel); 1553 1554 if (!biba_dominate_effective(obj, subj)) 1555 return (EACCES); 1556 1557 return (0); 1558} 1559 1560static void 1561biba_posixsem_create(struct ucred *cred, struct ksem *ks, 1562 struct label *kslabel) 1563{ 1564 struct mac_biba *source, *dest; 1565 1566 source = SLOT(cred->cr_label); 1567 dest = SLOT(kslabel); 1568 1569 biba_copy_effective(source, dest); 1570} 1571 1572/* 1573 * Some system privileges are allowed regardless of integrity grade; others 1574 * are allowed only when running with privilege with respect to the Biba 1575 * policy as they might otherwise allow bypassing of the integrity policy. 1576 */ 1577static int 1578biba_priv_check(struct ucred *cred, int priv) 1579{ 1580 struct mac_biba *subj; 1581 int error; 1582 1583 if (!biba_enabled) 1584 return (0); 1585 1586 /* 1587 * Exempt only specific privileges from the Biba integrity policy. 1588 */ 1589 switch (priv) { 1590 case PRIV_KTRACE: 1591 case PRIV_MSGBUF: 1592 1593 /* 1594 * Allow processes to manipulate basic process audit properties, and 1595 * to submit audit records. 1596 */ 1597 case PRIV_AUDIT_GETAUDIT: 1598 case PRIV_AUDIT_SETAUDIT: 1599 case PRIV_AUDIT_SUBMIT: 1600 1601 /* 1602 * Allow processes to manipulate their regular UNIX credentials. 1603 */ 1604 case PRIV_CRED_SETUID: 1605 case PRIV_CRED_SETEUID: 1606 case PRIV_CRED_SETGID: 1607 case PRIV_CRED_SETEGID: 1608 case PRIV_CRED_SETGROUPS: 1609 case PRIV_CRED_SETREUID: 1610 case PRIV_CRED_SETREGID: 1611 case PRIV_CRED_SETRESUID: 1612 case PRIV_CRED_SETRESGID: 1613 1614 /* 1615 * Allow processes to perform system monitoring. 1616 */ 1617 case PRIV_SEEOTHERGIDS: 1618 case PRIV_SEEOTHERUIDS: 1619 break; 1620 1621 /* 1622 * Allow access to general process debugging facilities. We 1623 * separately control debugging based on MAC label. 1624 */ 1625 case PRIV_DEBUG_DIFFCRED: 1626 case PRIV_DEBUG_SUGID: 1627 case PRIV_DEBUG_UNPRIV: 1628 1629 /* 1630 * Allow manipulating jails. 1631 */ 1632 case PRIV_JAIL_ATTACH: 1633 1634 /* 1635 * Allow privilege with respect to the Partition policy, but not the 1636 * Privs policy. 1637 */ 1638 case PRIV_MAC_PARTITION: 1639 1640 /* 1641 * Allow privilege with respect to process resource limits and login 1642 * context. 1643 */ 1644 case PRIV_PROC_LIMIT: 1645 case PRIV_PROC_SETLOGIN: 1646 case PRIV_PROC_SETRLIMIT: 1647 1648 /* 1649 * Allow System V and POSIX IPC privileges. 1650 */ 1651 case PRIV_IPC_READ: 1652 case PRIV_IPC_WRITE: 1653 case PRIV_IPC_ADMIN: 1654 case PRIV_IPC_MSGSIZE: 1655 case PRIV_MQ_ADMIN: 1656 1657 /* 1658 * Allow certain scheduler manipulations -- possibly this should be 1659 * controlled by more fine-grained policy, as potentially low 1660 * integrity processes can deny CPU to higher integrity ones. 1661 */ 1662 case PRIV_SCHED_DIFFCRED: 1663 case PRIV_SCHED_SETPRIORITY: 1664 case PRIV_SCHED_RTPRIO: 1665 case PRIV_SCHED_SETPOLICY: 1666 case PRIV_SCHED_SET: 1667 case PRIV_SCHED_SETPARAM: 1668 1669 /* 1670 * More IPC privileges. 1671 */ 1672 case PRIV_SEM_WRITE: 1673 1674 /* 1675 * Allow signaling privileges subject to integrity policy. 1676 */ 1677 case PRIV_SIGNAL_DIFFCRED: 1678 case PRIV_SIGNAL_SUGID: 1679 1680 /* 1681 * Allow access to only limited sysctls from lower integrity levels; 1682 * piggy-back on the Jail definition. 1683 */ 1684 case PRIV_SYSCTL_WRITEJAIL: 1685 1686 /* 1687 * Allow TTY-based privileges, subject to general device access using 1688 * labels on TTY device nodes, but not console privilege. 1689 */ 1690 case PRIV_TTY_DRAINWAIT: 1691 case PRIV_TTY_DTRWAIT: 1692 case PRIV_TTY_EXCLUSIVE: 1693 case PRIV_TTY_PRISON: 1694 case PRIV_TTY_STI: 1695 case PRIV_TTY_SETA: 1696 1697 /* 1698 * Grant most VFS privileges, as almost all are in practice bounded 1699 * by more specific checks using labels. 1700 */ 1701 case PRIV_VFS_READ: 1702 case PRIV_VFS_WRITE: 1703 case PRIV_VFS_ADMIN: 1704 case PRIV_VFS_EXEC: 1705 case PRIV_VFS_LOOKUP: 1706 case PRIV_VFS_CHFLAGS_DEV: 1707 case PRIV_VFS_CHOWN: 1708 case PRIV_VFS_CHROOT: 1709 case PRIV_VFS_RETAINSUGID: 1710 case PRIV_VFS_EXCEEDQUOTA: 1711 case PRIV_VFS_FCHROOT: 1712 case PRIV_VFS_FHOPEN: 1713 case PRIV_VFS_FHSTATFS: 1714 case PRIV_VFS_GENERATION: 1715 case PRIV_VFS_GETFH: 1716 case PRIV_VFS_GETQUOTA: 1717 case PRIV_VFS_LINK: 1718 case PRIV_VFS_MOUNT: 1719 case PRIV_VFS_MOUNT_OWNER: 1720 case PRIV_VFS_MOUNT_PERM: 1721 case PRIV_VFS_MOUNT_SUIDDIR: 1722 case PRIV_VFS_MOUNT_NONUSER: 1723 case PRIV_VFS_SETGID: 1724 case PRIV_VFS_STICKYFILE: 1725 case PRIV_VFS_SYSFLAGS: 1726 case PRIV_VFS_UNMOUNT: 1727 1728 /* 1729 * Allow VM privileges; it would be nice if these were subject to 1730 * resource limits. 1731 */ 1732 case PRIV_VM_MADV_PROTECT: 1733 case PRIV_VM_MLOCK: 1734 case PRIV_VM_MUNLOCK: 1735 1736 /* 1737 * Allow some but not all network privileges. In general, dont allow 1738 * reconfiguring the network stack, just normal use. 1739 */ 1740 case PRIV_NETATALK_RESERVEDPORT: 1741 case PRIV_NETINET_RESERVEDPORT: 1742 case PRIV_NETINET_RAW: 1743 case PRIV_NETINET_REUSEPORT: 1744 case PRIV_NETIPX_RESERVEDPORT: 1745 case PRIV_NETIPX_RAW: 1746 break; 1747 1748 /* 1749 * All remaining system privileges are allow only if the process 1750 * holds privilege with respect to the Biba policy. 1751 */ 1752 default: 1753 subj = SLOT(cred->cr_label); 1754 error = biba_subject_privileged(subj); 1755 if (error) 1756 return (error); 1757 } 1758 return (0); 1759} 1760 1761static void 1762biba_proc_associate_nfsd(struct ucred *cred) 1763{ 1764 struct mac_biba *label; 1765 1766 label = SLOT(cred->cr_label); 1767 biba_set_effective(label, MAC_BIBA_TYPE_LOW, 0, NULL); 1768 biba_set_range(label, MAC_BIBA_TYPE_LOW, 0, NULL, MAC_BIBA_TYPE_HIGH, 1769 0, NULL); 1770} 1771 1772static int 1773biba_proc_check_debug(struct ucred *cred, struct proc *p) 1774{ 1775 struct mac_biba *subj, *obj; 1776 1777 if (!biba_enabled) 1778 return (0); 1779 1780 subj = SLOT(cred->cr_label); 1781 obj = SLOT(p->p_ucred->cr_label); 1782 1783 /* XXX: range checks */ 1784 if (!biba_dominate_effective(obj, subj)) 1785 return (ESRCH); 1786 if (!biba_dominate_effective(subj, obj)) 1787 return (EACCES); 1788 1789 return (0); 1790} 1791 1792static int 1793biba_proc_check_sched(struct ucred *cred, struct proc *p) 1794{ 1795 struct mac_biba *subj, *obj; 1796 1797 if (!biba_enabled) 1798 return (0); 1799 1800 subj = SLOT(cred->cr_label); 1801 obj = SLOT(p->p_ucred->cr_label); 1802 1803 /* XXX: range checks */ 1804 if (!biba_dominate_effective(obj, subj)) 1805 return (ESRCH); 1806 if (!biba_dominate_effective(subj, obj)) 1807 return (EACCES); 1808 1809 return (0); 1810} 1811 1812static int 1813biba_proc_check_signal(struct ucred *cred, struct proc *p, int signum) 1814{ 1815 struct mac_biba *subj, *obj; 1816 1817 if (!biba_enabled) 1818 return (0); 1819 1820 subj = SLOT(cred->cr_label); 1821 obj = SLOT(p->p_ucred->cr_label); 1822 1823 /* XXX: range checks */ 1824 if (!biba_dominate_effective(obj, subj)) 1825 return (ESRCH); 1826 if (!biba_dominate_effective(subj, obj)) 1827 return (EACCES); 1828 1829 return (0); 1830} 1831 1832static int 1833biba_socket_check_deliver(struct socket *so, struct label *solabel, 1834 struct mbuf *m, struct label *mlabel) 1835{ 1836 struct mac_biba *p, *s; 1837 1838 if (!biba_enabled) 1839 return (0); 1840 1841 p = SLOT(mlabel); 1842 s = SLOT(solabel); 1843 1844 return (biba_equal_effective(p, s) ? 0 : EACCES); 1845} 1846 1847static void 1848biba_proc_create_init(struct ucred *cred) 1849{ 1850 struct mac_biba *dest; 1851 1852 dest = SLOT(cred->cr_label); 1853 1854 biba_set_effective(dest, MAC_BIBA_TYPE_HIGH, 0, NULL); 1855 biba_set_range(dest, MAC_BIBA_TYPE_LOW, 0, NULL, MAC_BIBA_TYPE_HIGH, 1856 0, NULL); 1857} 1858 1859static void 1860biba_proc_create_swapper(struct ucred *cred) 1861{ 1862 struct mac_biba *dest; 1863 1864 dest = SLOT(cred->cr_label); 1865 1866 biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL); 1867 biba_set_range(dest, MAC_BIBA_TYPE_LOW, 0, NULL, MAC_BIBA_TYPE_HIGH, 1868 0, NULL); 1869} 1870 1871static int 1872biba_socket_check_relabel(struct ucred *cred, struct socket *so, 1873 struct label *solabel, struct label *newlabel) 1874{ 1875 struct mac_biba *subj, *obj, *new; 1876 int error; 1877 1878 new = SLOT(newlabel); 1879 subj = SLOT(cred->cr_label); 1880 obj = SLOT(solabel); 1881 1882 /* 1883 * If there is a Biba label update for the socket, it may be an 1884 * update of effective. 1885 */ 1886 error = biba_atmostflags(new, MAC_BIBA_FLAG_EFFECTIVE); 1887 if (error) 1888 return (error); 1889 1890 /* 1891 * To relabel a socket, the old socket effective must be in the 1892 * subject range. 1893 */ 1894 if (!biba_effective_in_range(obj, subj)) 1895 return (EPERM); 1896 1897 /* 1898 * If the Biba label is to be changed, authorize as appropriate. 1899 */ 1900 if (new->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) { 1901 /* 1902 * To relabel a socket, the new socket effective must be in 1903 * the subject range. 1904 */ 1905 if (!biba_effective_in_range(new, subj)) 1906 return (EPERM); 1907 1908 /* 1909 * To change the Biba label on the socket to contain EQUAL, 1910 * the subject must have appropriate privilege. 1911 */ 1912 if (biba_contains_equal(new)) { 1913 error = biba_subject_privileged(subj); 1914 if (error) 1915 return (error); 1916 } 1917 } 1918 1919 return (0); 1920} 1921 1922static int 1923biba_socket_check_visible(struct ucred *cred, struct socket *so, 1924 struct label *solabel) 1925{ 1926 struct mac_biba *subj, *obj; 1927 1928 if (!biba_enabled) 1929 return (0); 1930 1931 subj = SLOT(cred->cr_label); 1932 obj = SLOT(solabel); 1933 1934 if (!biba_dominate_effective(obj, subj)) 1935 return (ENOENT); 1936 1937 return (0); 1938} 1939 1940static void 1941biba_socket_create(struct ucred *cred, struct socket *so, 1942 struct label *solabel) 1943{ 1944 struct mac_biba *source, *dest; 1945 1946 source = SLOT(cred->cr_label); 1947 dest = SLOT(solabel); 1948 1949 biba_copy_effective(source, dest); 1950} 1951 1952static void 1953biba_socket_create_mbuf(struct socket *so, struct label *solabel, 1954 struct mbuf *m, struct label *mlabel) 1955{ 1956 struct mac_biba *source, *dest; 1957 1958 source = SLOT(solabel); 1959 dest = SLOT(mlabel); 1960 1961 biba_copy_effective(source, dest); 1962} 1963 1964static void 1965biba_socket_newconn(struct socket *oldso, struct label *oldsolabel, 1966 struct socket *newso, struct label *newsolabel) 1967{ 1968 struct mac_biba *source, *dest; 1969 1970 source = SLOT(oldsolabel); 1971 dest = SLOT(newsolabel); 1972 1973 biba_copy_effective(source, dest); 1974} 1975 1976static void 1977biba_socket_relabel(struct ucred *cred, struct socket *so, 1978 struct label *solabel, struct label *newlabel) 1979{ 1980 struct mac_biba *source, *dest; 1981 1982 source = SLOT(newlabel); 1983 dest = SLOT(solabel); 1984 1985 biba_copy(source, dest); 1986} 1987 1988static void 1989biba_socketpeer_set_from_mbuf(struct mbuf *m, struct label *mlabel, 1990 struct socket *so, struct label *sopeerlabel) 1991{ 1992 struct mac_biba *source, *dest; 1993 1994 source = SLOT(mlabel); 1995 dest = SLOT(sopeerlabel); 1996 1997 biba_copy_effective(source, dest); 1998} 1999 2000static void 2001biba_socketpeer_set_from_socket(struct socket *oldso, 2002 struct label *oldsolabel, struct socket *newso, 2003 struct label *newsopeerlabel) 2004{ 2005 struct mac_biba *source, *dest; 2006 2007 source = SLOT(oldsolabel); 2008 dest = SLOT(newsopeerlabel); 2009 2010 biba_copy_effective(source, dest); 2011} 2012 2013static void 2014biba_syncache_create(struct label *label, struct inpcb *inp) 2015{ 2016 struct mac_biba *source, *dest; 2017 2018 source = SLOT(inp->inp_label); 2019 dest = SLOT(label); 2020 biba_copy_effective(source, dest); 2021} 2022 2023static void 2024biba_syncache_create_mbuf(struct label *sc_label, struct mbuf *m, 2025 struct label *mlabel) 2026{ 2027 struct mac_biba *source, *dest; 2028 2029 source = SLOT(sc_label); 2030 dest = SLOT(mlabel); 2031 biba_copy_effective(source, dest); 2032} 2033 2034static int 2035biba_system_check_acct(struct ucred *cred, struct vnode *vp, 2036 struct label *vplabel) 2037{ 2038 struct mac_biba *subj, *obj; 2039 int error; 2040 2041 if (!biba_enabled) 2042 return (0); 2043 2044 subj = SLOT(cred->cr_label); 2045 2046 error = biba_subject_privileged(subj); 2047 if (error) 2048 return (error); 2049 2050 if (vplabel == NULL) 2051 return (0); 2052 2053 obj = SLOT(vplabel); 2054 if (!biba_high_effective(obj)) 2055 return (EACCES); 2056 2057 return (0); 2058} 2059 2060static int 2061biba_system_check_auditctl(struct ucred *cred, struct vnode *vp, 2062 struct label *vplabel) 2063{ 2064 struct mac_biba *subj, *obj; 2065 int error; 2066 2067 if (!biba_enabled) 2068 return (0); 2069 2070 subj = SLOT(cred->cr_label); 2071 2072 error = biba_subject_privileged(subj); 2073 if (error) 2074 return (error); 2075 2076 if (vplabel == NULL) 2077 return (0); 2078 2079 obj = SLOT(vplabel); 2080 if (!biba_high_effective(obj)) 2081 return (EACCES); 2082 2083 return (0); 2084} 2085 2086static int 2087biba_system_check_auditon(struct ucred *cred, int cmd) 2088{ 2089 struct mac_biba *subj; 2090 int error; 2091 2092 if (!biba_enabled) 2093 return (0); 2094 2095 subj = SLOT(cred->cr_label); 2096 2097 error = biba_subject_privileged(subj); 2098 if (error) 2099 return (error); 2100 2101 return (0); 2102} 2103 2104static int 2105biba_system_check_swapoff(struct ucred *cred, struct vnode *vp, 2106 struct label *label) 2107{ 2108 struct mac_biba *subj; 2109 int error; 2110 2111 if (!biba_enabled) 2112 return (0); 2113 2114 subj = SLOT(cred->cr_label); 2115 2116 error = biba_subject_privileged(subj); 2117 if (error) 2118 return (error); 2119 2120 return (0); 2121} 2122 2123static int 2124biba_system_check_swapon(struct ucred *cred, struct vnode *vp, 2125 struct label *vplabel) 2126{ 2127 struct mac_biba *subj, *obj; 2128 int error; 2129 2130 if (!biba_enabled) 2131 return (0); 2132 2133 subj = SLOT(cred->cr_label); 2134 obj = SLOT(vplabel); 2135 2136 error = biba_subject_privileged(subj); 2137 if (error) 2138 return (error); 2139 2140 if (!biba_high_effective(obj)) 2141 return (EACCES); 2142 2143 return (0); 2144} 2145 2146static int 2147biba_system_check_sysctl(struct ucred *cred, struct sysctl_oid *oidp, 2148 void *arg1, int arg2, struct sysctl_req *req) 2149{ 2150 struct mac_biba *subj; 2151 int error; 2152 2153 if (!biba_enabled) 2154 return (0); 2155 2156 subj = SLOT(cred->cr_label); 2157 2158 /* 2159 * Treat sysctl variables without CTLFLAG_ANYBODY flag as biba/high, 2160 * but also require privilege to change them. 2161 */ 2162 if (req->newptr != NULL && (oidp->oid_kind & CTLFLAG_ANYBODY) == 0) { 2163 if (!biba_subject_dominate_high(subj)) 2164 return (EACCES); 2165 2166 error = biba_subject_privileged(subj); 2167 if (error) 2168 return (error); 2169 } 2170 2171 return (0); 2172} 2173 2174static void 2175biba_sysvmsg_cleanup(struct label *msglabel) 2176{ 2177 2178 bzero(SLOT(msglabel), sizeof(struct mac_biba)); 2179} 2180 2181static void 2182biba_sysvmsg_create(struct ucred *cred, struct msqid_kernel *msqkptr, 2183 struct label *msqlabel, struct msg *msgptr, struct label *msglabel) 2184{ 2185 struct mac_biba *source, *dest; 2186 2187 /* Ignore the msgq label */ 2188 source = SLOT(cred->cr_label); 2189 dest = SLOT(msglabel); 2190 2191 biba_copy_effective(source, dest); 2192} 2193 2194static int 2195biba_sysvmsq_check_msgrcv(struct ucred *cred, struct msg *msgptr, 2196 struct label *msglabel) 2197{ 2198 struct mac_biba *subj, *obj; 2199 2200 if (!biba_enabled) 2201 return (0); 2202 2203 subj = SLOT(cred->cr_label); 2204 obj = SLOT(msglabel); 2205 2206 if (!biba_dominate_effective(obj, subj)) 2207 return (EACCES); 2208 2209 return (0); 2210} 2211 2212static int 2213biba_sysvmsq_check_msgrmid(struct ucred *cred, struct msg *msgptr, 2214 struct label *msglabel) 2215{ 2216 struct mac_biba *subj, *obj; 2217 2218 if (!biba_enabled) 2219 return (0); 2220 2221 subj = SLOT(cred->cr_label); 2222 obj = SLOT(msglabel); 2223 2224 if (!biba_dominate_effective(subj, obj)) 2225 return (EACCES); 2226 2227 return (0); 2228} 2229 2230static int 2231biba_sysvmsq_check_msqget(struct ucred *cred, struct msqid_kernel *msqkptr, 2232 struct label *msqklabel) 2233{ 2234 struct mac_biba *subj, *obj; 2235 2236 if (!biba_enabled) 2237 return (0); 2238 2239 subj = SLOT(cred->cr_label); 2240 obj = SLOT(msqklabel); 2241 2242 if (!biba_dominate_effective(obj, subj)) 2243 return (EACCES); 2244 2245 return (0); 2246} 2247 2248static int 2249biba_sysvmsq_check_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr, 2250 struct label *msqklabel) 2251{ 2252 struct mac_biba *subj, *obj; 2253 2254 if (!biba_enabled) 2255 return (0); 2256 2257 subj = SLOT(cred->cr_label); 2258 obj = SLOT(msqklabel); 2259 2260 if (!biba_dominate_effective(subj, obj)) 2261 return (EACCES); 2262 2263 return (0); 2264} 2265 2266static int 2267biba_sysvmsq_check_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr, 2268 struct label *msqklabel) 2269{ 2270 struct mac_biba *subj, *obj; 2271 2272 if (!biba_enabled) 2273 return (0); 2274 2275 subj = SLOT(cred->cr_label); 2276 obj = SLOT(msqklabel); 2277 2278 if (!biba_dominate_effective(obj, subj)) 2279 return (EACCES); 2280 2281 return (0); 2282} 2283 2284static int 2285biba_sysvmsq_check_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr, 2286 struct label *msqklabel, int cmd) 2287{ 2288 struct mac_biba *subj, *obj; 2289 2290 if (!biba_enabled) 2291 return (0); 2292 2293 subj = SLOT(cred->cr_label); 2294 obj = SLOT(msqklabel); 2295 2296 switch(cmd) { 2297 case IPC_RMID: 2298 case IPC_SET: 2299 if (!biba_dominate_effective(subj, obj)) 2300 return (EACCES); 2301 break; 2302 2303 case IPC_STAT: 2304 if (!biba_dominate_effective(obj, subj)) 2305 return (EACCES); 2306 break; 2307 2308 default: 2309 return (EACCES); 2310 } 2311 2312 return (0); 2313} 2314 2315static void 2316biba_sysvmsq_cleanup(struct label *msqlabel) 2317{ 2318 2319 bzero(SLOT(msqlabel), sizeof(struct mac_biba)); 2320} 2321 2322static void 2323biba_sysvmsq_create(struct ucred *cred, struct msqid_kernel *msqkptr, 2324 struct label *msqlabel) 2325{ 2326 struct mac_biba *source, *dest; 2327 2328 source = SLOT(cred->cr_label); 2329 dest = SLOT(msqlabel); 2330 2331 biba_copy_effective(source, dest); 2332} 2333 2334static int 2335biba_sysvsem_check_semctl(struct ucred *cred, struct semid_kernel *semakptr, 2336 struct label *semaklabel, int cmd) 2337{ 2338 struct mac_biba *subj, *obj; 2339 2340 if (!biba_enabled) 2341 return (0); 2342 2343 subj = SLOT(cred->cr_label); 2344 obj = SLOT(semaklabel); 2345 2346 switch(cmd) { 2347 case IPC_RMID: 2348 case IPC_SET: 2349 case SETVAL: 2350 case SETALL: 2351 if (!biba_dominate_effective(subj, obj)) 2352 return (EACCES); 2353 break; 2354 2355 case IPC_STAT: 2356 case GETVAL: 2357 case GETPID: 2358 case GETNCNT: 2359 case GETZCNT: 2360 case GETALL: 2361 if (!biba_dominate_effective(obj, subj)) 2362 return (EACCES); 2363 break; 2364 2365 default: 2366 return (EACCES); 2367 } 2368 2369 return (0); 2370} 2371 2372static int 2373biba_sysvsem_check_semget(struct ucred *cred, struct semid_kernel *semakptr, 2374 struct label *semaklabel) 2375{ 2376 struct mac_biba *subj, *obj; 2377 2378 if (!biba_enabled) 2379 return (0); 2380 2381 subj = SLOT(cred->cr_label); 2382 obj = SLOT(semaklabel); 2383 2384 if (!biba_dominate_effective(obj, subj)) 2385 return (EACCES); 2386 2387 return (0); 2388} 2389 2390static int 2391biba_sysvsem_check_semop(struct ucred *cred, struct semid_kernel *semakptr, 2392 struct label *semaklabel, size_t accesstype) 2393{ 2394 struct mac_biba *subj, *obj; 2395 2396 if (!biba_enabled) 2397 return (0); 2398 2399 subj = SLOT(cred->cr_label); 2400 obj = SLOT(semaklabel); 2401 2402 if (accesstype & SEM_R) 2403 if (!biba_dominate_effective(obj, subj)) 2404 return (EACCES); 2405 2406 if (accesstype & SEM_A) 2407 if (!biba_dominate_effective(subj, obj)) 2408 return (EACCES); 2409 2410 return (0); 2411} 2412 2413static void 2414biba_sysvsem_cleanup(struct label *semalabel) 2415{ 2416 2417 bzero(SLOT(semalabel), sizeof(struct mac_biba)); 2418} 2419 2420static void 2421biba_sysvsem_create(struct ucred *cred, struct semid_kernel *semakptr, 2422 struct label *semalabel) 2423{ 2424 struct mac_biba *source, *dest; 2425 2426 source = SLOT(cred->cr_label); 2427 dest = SLOT(semalabel); 2428 2429 biba_copy_effective(source, dest); 2430} 2431 2432static int 2433biba_sysvshm_check_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr, 2434 struct label *shmseglabel, int shmflg) 2435{ 2436 struct mac_biba *subj, *obj; 2437 2438 if (!biba_enabled) 2439 return (0); 2440 2441 subj = SLOT(cred->cr_label); 2442 obj = SLOT(shmseglabel); 2443 2444 if (!biba_dominate_effective(obj, subj)) 2445 return (EACCES); 2446 if ((shmflg & SHM_RDONLY) == 0) { 2447 if (!biba_dominate_effective(subj, obj)) 2448 return (EACCES); 2449 } 2450 2451 return (0); 2452} 2453 2454static int 2455biba_sysvshm_check_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr, 2456 struct label *shmseglabel, int cmd) 2457{ 2458 struct mac_biba *subj, *obj; 2459 2460 if (!biba_enabled) 2461 return (0); 2462 2463 subj = SLOT(cred->cr_label); 2464 obj = SLOT(shmseglabel); 2465 2466 switch(cmd) { 2467 case IPC_RMID: 2468 case IPC_SET: 2469 if (!biba_dominate_effective(subj, obj)) 2470 return (EACCES); 2471 break; 2472 2473 case IPC_STAT: 2474 case SHM_STAT: 2475 if (!biba_dominate_effective(obj, subj)) 2476 return (EACCES); 2477 break; 2478 2479 default: 2480 return (EACCES); 2481 } 2482 2483 return (0); 2484} 2485 2486static int 2487biba_sysvshm_check_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr, 2488 struct label *shmseglabel, int shmflg) 2489{ 2490 struct mac_biba *subj, *obj; 2491 2492 if (!biba_enabled) 2493 return (0); 2494 2495 subj = SLOT(cred->cr_label); 2496 obj = SLOT(shmseglabel); 2497 2498 if (!biba_dominate_effective(obj, subj)) 2499 return (EACCES); 2500 2501 return (0); 2502} 2503 2504static void 2505biba_sysvshm_cleanup(struct label *shmlabel) 2506{ 2507 2508 bzero(SLOT(shmlabel), sizeof(struct mac_biba)); 2509} 2510 2511static void 2512biba_sysvshm_create(struct ucred *cred, struct shmid_kernel *shmsegptr, 2513 struct label *shmlabel) 2514{ 2515 struct mac_biba *source, *dest; 2516 2517 source = SLOT(cred->cr_label); 2518 dest = SLOT(shmlabel); 2519 2520 biba_copy_effective(source, dest); 2521} 2522 2523static int 2524biba_vnode_associate_extattr(struct mount *mp, struct label *mplabel, 2525 struct vnode *vp, struct label *vplabel) 2526{ 2527 struct mac_biba mb_temp, *source, *dest; 2528 int buflen, error; 2529 2530 source = SLOT(mplabel); 2531 dest = SLOT(vplabel); 2532 2533 buflen = sizeof(mb_temp); 2534 bzero(&mb_temp, buflen); 2535 2536 error = vn_extattr_get(vp, IO_NODELOCKED, MAC_BIBA_EXTATTR_NAMESPACE, 2537 MAC_BIBA_EXTATTR_NAME, &buflen, (char *) &mb_temp, curthread); 2538 if (error == ENOATTR || error == EOPNOTSUPP) { 2539 /* Fall back to the mntlabel. */ 2540 biba_copy_effective(source, dest); 2541 return (0); 2542 } else if (error) 2543 return (error); 2544 2545 if (buflen != sizeof(mb_temp)) { 2546 printf("biba_vnode_associate_extattr: bad size %d\n", 2547 buflen); 2548 return (EPERM); 2549 } 2550 if (biba_valid(&mb_temp) != 0) { 2551 printf("biba_vnode_associate_extattr: invalid\n"); 2552 return (EPERM); 2553 } 2554 if ((mb_temp.mb_flags & MAC_BIBA_FLAGS_BOTH) != 2555 MAC_BIBA_FLAG_EFFECTIVE) { 2556 printf("biba_vnode_associate_extattr: not effective\n"); 2557 return (EPERM); 2558 } 2559 2560 biba_copy_effective(&mb_temp, dest); 2561 return (0); 2562} 2563 2564static void 2565biba_vnode_associate_singlelabel(struct mount *mp, struct label *mplabel, 2566 struct vnode *vp, struct label *vplabel) 2567{ 2568 struct mac_biba *source, *dest; 2569 2570 source = SLOT(mplabel); 2571 dest = SLOT(vplabel); 2572 2573 biba_copy_effective(source, dest); 2574} 2575 2576static int 2577biba_vnode_check_chdir(struct ucred *cred, struct vnode *dvp, 2578 struct label *dvplabel) 2579{ 2580 struct mac_biba *subj, *obj; 2581 2582 if (!biba_enabled) 2583 return (0); 2584 2585 subj = SLOT(cred->cr_label); 2586 obj = SLOT(dvplabel); 2587 2588 if (!biba_dominate_effective(obj, subj)) 2589 return (EACCES); 2590 2591 return (0); 2592} 2593 2594static int 2595biba_vnode_check_chroot(struct ucred *cred, struct vnode *dvp, 2596 struct label *dvplabel) 2597{ 2598 struct mac_biba *subj, *obj; 2599 2600 if (!biba_enabled) 2601 return (0); 2602 2603 subj = SLOT(cred->cr_label); 2604 obj = SLOT(dvplabel); 2605 2606 if (!biba_dominate_effective(obj, subj)) 2607 return (EACCES); 2608 2609 return (0); 2610} 2611 2612static int 2613biba_vnode_check_create(struct ucred *cred, struct vnode *dvp, 2614 struct label *dvplabel, struct componentname *cnp, struct vattr *vap) 2615{ 2616 struct mac_biba *subj, *obj; 2617 2618 if (!biba_enabled) 2619 return (0); 2620 2621 subj = SLOT(cred->cr_label); 2622 obj = SLOT(dvplabel); 2623 2624 if (!biba_dominate_effective(subj, obj)) 2625 return (EACCES); 2626 2627 return (0); 2628} 2629 2630static int 2631biba_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp, 2632 struct label *vplabel, acl_type_t type) 2633{ 2634 struct mac_biba *subj, *obj; 2635 2636 if (!biba_enabled) 2637 return (0); 2638 2639 subj = SLOT(cred->cr_label); 2640 obj = SLOT(vplabel); 2641 2642 if (!biba_dominate_effective(subj, obj)) 2643 return (EACCES); 2644 2645 return (0); 2646} 2647 2648static int 2649biba_vnode_check_deleteextattr(struct ucred *cred, struct vnode *vp, 2650 struct label *vplabel, int attrnamespace, const char *name) 2651{ 2652 struct mac_biba *subj, *obj; 2653 2654 if (!biba_enabled) 2655 return (0); 2656 2657 subj = SLOT(cred->cr_label); 2658 obj = SLOT(vplabel); 2659 2660 if (!biba_dominate_effective(subj, obj)) 2661 return (EACCES); 2662 2663 return (0); 2664} 2665 2666static int 2667biba_vnode_check_exec(struct ucred *cred, struct vnode *vp, 2668 struct label *vplabel, struct image_params *imgp, 2669 struct label *execlabel) 2670{ 2671 struct mac_biba *subj, *obj, *exec; 2672 int error; 2673 2674 if (execlabel != NULL) { 2675 /* 2676 * We currently don't permit labels to be changed at 2677 * exec-time as part of Biba, so disallow non-NULL Biba label 2678 * elements in the execlabel. 2679 */ 2680 exec = SLOT(execlabel); 2681 error = biba_atmostflags(exec, 0); 2682 if (error) 2683 return (error); 2684 } 2685 2686 if (!biba_enabled) 2687 return (0); 2688 2689 subj = SLOT(cred->cr_label); 2690 obj = SLOT(vplabel); 2691 2692 if (!biba_dominate_effective(obj, subj)) 2693 return (EACCES); 2694 2695 return (0); 2696} 2697 2698static int 2699biba_vnode_check_getacl(struct ucred *cred, struct vnode *vp, 2700 struct label *vplabel, acl_type_t type) 2701{ 2702 struct mac_biba *subj, *obj; 2703 2704 if (!biba_enabled) 2705 return (0); 2706 2707 subj = SLOT(cred->cr_label); 2708 obj = SLOT(vplabel); 2709 2710 if (!biba_dominate_effective(obj, subj)) 2711 return (EACCES); 2712 2713 return (0); 2714} 2715 2716static int 2717biba_vnode_check_getextattr(struct ucred *cred, struct vnode *vp, 2718 struct label *vplabel, int attrnamespace, const char *name, 2719 struct uio *uio) 2720{ 2721 struct mac_biba *subj, *obj; 2722 2723 if (!biba_enabled) 2724 return (0); 2725 2726 subj = SLOT(cred->cr_label); 2727 obj = SLOT(vplabel); 2728 2729 if (!biba_dominate_effective(obj, subj)) 2730 return (EACCES); 2731 2732 return (0); 2733} 2734 2735static int 2736biba_vnode_check_link(struct ucred *cred, struct vnode *dvp, 2737 struct label *dvplabel, struct vnode *vp, struct label *vplabel, 2738 struct componentname *cnp) 2739{ 2740 struct mac_biba *subj, *obj; 2741 2742 if (!biba_enabled) 2743 return (0); 2744 2745 subj = SLOT(cred->cr_label); 2746 obj = SLOT(dvplabel); 2747 2748 if (!biba_dominate_effective(subj, obj)) 2749 return (EACCES); 2750 2751 obj = SLOT(vplabel); 2752 2753 if (!biba_dominate_effective(subj, obj)) 2754 return (EACCES); 2755 2756 return (0); 2757} 2758 2759static int 2760biba_vnode_check_listextattr(struct ucred *cred, struct vnode *vp, 2761 struct label *vplabel, int attrnamespace) 2762{ 2763 struct mac_biba *subj, *obj; 2764 2765 if (!biba_enabled) 2766 return (0); 2767 2768 subj = SLOT(cred->cr_label); 2769 obj = SLOT(vplabel); 2770 2771 if (!biba_dominate_effective(obj, subj)) 2772 return (EACCES); 2773 2774 return (0); 2775} 2776 2777static int 2778biba_vnode_check_lookup(struct ucred *cred, struct vnode *dvp, 2779 struct label *dvplabel, struct componentname *cnp) 2780{ 2781 struct mac_biba *subj, *obj; 2782 2783 if (!biba_enabled) 2784 return (0); 2785 2786 subj = SLOT(cred->cr_label); 2787 obj = SLOT(dvplabel); 2788 2789 if (!biba_dominate_effective(obj, subj)) 2790 return (EACCES); 2791 2792 return (0); 2793} 2794 2795static int 2796biba_vnode_check_mmap(struct ucred *cred, struct vnode *vp, 2797 struct label *vplabel, int prot, int flags) 2798{ 2799 struct mac_biba *subj, *obj; 2800 2801 /* 2802 * Rely on the use of open()-time protections to handle 2803 * non-revocation cases. 2804 */ 2805 if (!biba_enabled || !revocation_enabled) 2806 return (0); 2807 2808 subj = SLOT(cred->cr_label); 2809 obj = SLOT(vplabel); 2810 2811 if (prot & (VM_PROT_READ | VM_PROT_EXECUTE)) { 2812 if (!biba_dominate_effective(obj, subj)) 2813 return (EACCES); 2814 } 2815 if (((prot & VM_PROT_WRITE) != 0) && ((flags & MAP_SHARED) != 0)) { 2816 if (!biba_dominate_effective(subj, obj)) 2817 return (EACCES); 2818 } 2819 2820 return (0); 2821} 2822 2823static int 2824biba_vnode_check_open(struct ucred *cred, struct vnode *vp, 2825 struct label *vplabel, int acc_mode) 2826{ 2827 struct mac_biba *subj, *obj; 2828 2829 if (!biba_enabled) 2830 return (0); 2831 2832 subj = SLOT(cred->cr_label); 2833 obj = SLOT(vplabel); 2834 2835 /* XXX privilege override for admin? */ 2836 if (acc_mode & (VREAD | VEXEC | VSTAT)) { 2837 if (!biba_dominate_effective(obj, subj)) 2838 return (EACCES); 2839 } 2840 if (acc_mode & (VWRITE | VAPPEND | VADMIN)) { 2841 if (!biba_dominate_effective(subj, obj)) 2842 return (EACCES); 2843 } 2844 2845 return (0); 2846} 2847 2848static int 2849biba_vnode_check_poll(struct ucred *active_cred, struct ucred *file_cred, 2850 struct vnode *vp, struct label *vplabel) 2851{ 2852 struct mac_biba *subj, *obj; 2853 2854 if (!biba_enabled || !revocation_enabled) 2855 return (0); 2856 2857 subj = SLOT(active_cred->cr_label); 2858 obj = SLOT(vplabel); 2859 2860 if (!biba_dominate_effective(obj, subj)) 2861 return (EACCES); 2862 2863 return (0); 2864} 2865 2866static int 2867biba_vnode_check_read(struct ucred *active_cred, struct ucred *file_cred, 2868 struct vnode *vp, struct label *vplabel) 2869{ 2870 struct mac_biba *subj, *obj; 2871 2872 if (!biba_enabled || !revocation_enabled) 2873 return (0); 2874 2875 subj = SLOT(active_cred->cr_label); 2876 obj = SLOT(vplabel); 2877 2878 if (!biba_dominate_effective(obj, subj)) 2879 return (EACCES); 2880 2881 return (0); 2882} 2883 2884static int 2885biba_vnode_check_readdir(struct ucred *cred, struct vnode *dvp, 2886 struct label *dvplabel) 2887{ 2888 struct mac_biba *subj, *obj; 2889 2890 if (!biba_enabled) 2891 return (0); 2892 2893 subj = SLOT(cred->cr_label); 2894 obj = SLOT(dvplabel); 2895 2896 if (!biba_dominate_effective(obj, subj)) 2897 return (EACCES); 2898 2899 return (0); 2900} 2901 2902static int 2903biba_vnode_check_readlink(struct ucred *cred, struct vnode *vp, 2904 struct label *vplabel) 2905{ 2906 struct mac_biba *subj, *obj; 2907 2908 if (!biba_enabled) 2909 return (0); 2910 2911 subj = SLOT(cred->cr_label); 2912 obj = SLOT(vplabel); 2913 2914 if (!biba_dominate_effective(obj, subj)) 2915 return (EACCES); 2916 2917 return (0); 2918} 2919 2920static int 2921biba_vnode_check_relabel(struct ucred *cred, struct vnode *vp, 2922 struct label *vplabel, struct label *newlabel) 2923{ 2924 struct mac_biba *old, *new, *subj; 2925 int error; 2926 2927 old = SLOT(vplabel); 2928 new = SLOT(newlabel); 2929 subj = SLOT(cred->cr_label); 2930 2931 /* 2932 * If there is a Biba label update for the vnode, it must be a 2933 * effective label. 2934 */ 2935 error = biba_atmostflags(new, MAC_BIBA_FLAG_EFFECTIVE); 2936 if (error) 2937 return (error); 2938 2939 /* 2940 * To perform a relabel of the vnode (Biba label or not), Biba must 2941 * authorize the relabel. 2942 */ 2943 if (!biba_effective_in_range(old, subj)) 2944 return (EPERM); 2945 2946 /* 2947 * If the Biba label is to be changed, authorize as appropriate. 2948 */ 2949 if (new->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) { 2950 /* 2951 * To change the Biba label on a vnode, the new vnode label 2952 * must be in the subject range. 2953 */ 2954 if (!biba_effective_in_range(new, subj)) 2955 return (EPERM); 2956 2957 /* 2958 * To change the Biba label on the vnode to be EQUAL, the 2959 * subject must have appropriate privilege. 2960 */ 2961 if (biba_contains_equal(new)) { 2962 error = biba_subject_privileged(subj); 2963 if (error) 2964 return (error); 2965 } 2966 } 2967 2968 return (0); 2969} 2970 2971static int 2972biba_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp, 2973 struct label *dvplabel, struct vnode *vp, struct label *vplabel, 2974 struct componentname *cnp) 2975{ 2976 struct mac_biba *subj, *obj; 2977 2978 if (!biba_enabled) 2979 return (0); 2980 2981 subj = SLOT(cred->cr_label); 2982 obj = SLOT(dvplabel); 2983 2984 if (!biba_dominate_effective(subj, obj)) 2985 return (EACCES); 2986 2987 obj = SLOT(vplabel); 2988 2989 if (!biba_dominate_effective(subj, obj)) 2990 return (EACCES); 2991 2992 return (0); 2993} 2994 2995static int 2996biba_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp, 2997 struct label *dvplabel, struct vnode *vp, struct label *vplabel, 2998 int samedir, struct componentname *cnp) 2999{ 3000 struct mac_biba *subj, *obj; 3001 3002 if (!biba_enabled) 3003 return (0); 3004 3005 subj = SLOT(cred->cr_label); 3006 obj = SLOT(dvplabel); 3007 3008 if (!biba_dominate_effective(subj, obj)) 3009 return (EACCES); 3010 3011 if (vp != NULL) { 3012 obj = SLOT(vplabel); 3013 3014 if (!biba_dominate_effective(subj, obj)) 3015 return (EACCES); 3016 } 3017 3018 return (0); 3019} 3020 3021static int 3022biba_vnode_check_revoke(struct ucred *cred, struct vnode *vp, 3023 struct label *vplabel) 3024{ 3025 struct mac_biba *subj, *obj; 3026 3027 if (!biba_enabled) 3028 return (0); 3029 3030 subj = SLOT(cred->cr_label); 3031 obj = SLOT(vplabel); 3032 3033 if (!biba_dominate_effective(subj, obj)) 3034 return (EACCES); 3035 3036 return (0); 3037} 3038 3039static int 3040biba_vnode_check_setacl(struct ucred *cred, struct vnode *vp, 3041 struct label *vplabel, acl_type_t type, struct acl *acl) 3042{ 3043 struct mac_biba *subj, *obj; 3044 3045 if (!biba_enabled) 3046 return (0); 3047 3048 subj = SLOT(cred->cr_label); 3049 obj = SLOT(vplabel); 3050 3051 if (!biba_dominate_effective(subj, obj)) 3052 return (EACCES); 3053 3054 return (0); 3055} 3056 3057static int 3058biba_vnode_check_setextattr(struct ucred *cred, struct vnode *vp, 3059 struct label *vplabel, int attrnamespace, const char *name, 3060 struct uio *uio) 3061{ 3062 struct mac_biba *subj, *obj; 3063 3064 if (!biba_enabled) 3065 return (0); 3066 3067 subj = SLOT(cred->cr_label); 3068 obj = SLOT(vplabel); 3069 3070 if (!biba_dominate_effective(subj, obj)) 3071 return (EACCES); 3072 3073 /* XXX: protect the MAC EA in a special way? */ 3074 3075 return (0); 3076} 3077 3078static int 3079biba_vnode_check_setflags(struct ucred *cred, struct vnode *vp, 3080 struct label *vplabel, u_long flags) 3081{ 3082 struct mac_biba *subj, *obj; 3083 3084 if (!biba_enabled) 3085 return (0); 3086 3087 subj = SLOT(cred->cr_label); 3088 obj = SLOT(vplabel); 3089 3090 if (!biba_dominate_effective(subj, obj)) 3091 return (EACCES); 3092 3093 return (0); 3094} 3095 3096static int 3097biba_vnode_check_setmode(struct ucred *cred, struct vnode *vp, 3098 struct label *vplabel, mode_t mode) 3099{ 3100 struct mac_biba *subj, *obj; 3101 3102 if (!biba_enabled) 3103 return (0); 3104 3105 subj = SLOT(cred->cr_label); 3106 obj = SLOT(vplabel); 3107 3108 if (!biba_dominate_effective(subj, obj)) 3109 return (EACCES); 3110 3111 return (0); 3112} 3113 3114static int 3115biba_vnode_check_setowner(struct ucred *cred, struct vnode *vp, 3116 struct label *vplabel, uid_t uid, gid_t gid) 3117{ 3118 struct mac_biba *subj, *obj; 3119 3120 if (!biba_enabled) 3121 return (0); 3122 3123 subj = SLOT(cred->cr_label); 3124 obj = SLOT(vplabel); 3125 3126 if (!biba_dominate_effective(subj, obj)) 3127 return (EACCES); 3128 3129 return (0); 3130} 3131 3132static int 3133biba_vnode_check_setutimes(struct ucred *cred, struct vnode *vp, 3134 struct label *vplabel, struct timespec atime, struct timespec mtime) 3135{ 3136 struct mac_biba *subj, *obj; 3137 3138 if (!biba_enabled) 3139 return (0); 3140 3141 subj = SLOT(cred->cr_label); 3142 obj = SLOT(vplabel); 3143 3144 if (!biba_dominate_effective(subj, obj)) 3145 return (EACCES); 3146 3147 return (0); 3148} 3149 3150static int 3151biba_vnode_check_stat(struct ucred *active_cred, struct ucred *file_cred, 3152 struct vnode *vp, struct label *vplabel) 3153{ 3154 struct mac_biba *subj, *obj; 3155 3156 if (!biba_enabled) 3157 return (0); 3158 3159 subj = SLOT(active_cred->cr_label); 3160 obj = SLOT(vplabel); 3161 3162 if (!biba_dominate_effective(obj, subj)) 3163 return (EACCES); 3164 3165 return (0); 3166} 3167 3168static int 3169biba_vnode_check_unlink(struct ucred *cred, struct vnode *dvp, 3170 struct label *dvplabel, struct vnode *vp, struct label *vplabel, 3171 struct componentname *cnp) 3172{ 3173 struct mac_biba *subj, *obj; 3174 3175 if (!biba_enabled) 3176 return (0); 3177 3178 subj = SLOT(cred->cr_label); 3179 obj = SLOT(dvplabel); 3180 3181 if (!biba_dominate_effective(subj, obj)) 3182 return (EACCES); 3183 3184 obj = SLOT(vplabel); 3185 3186 if (!biba_dominate_effective(subj, obj)) 3187 return (EACCES); 3188 3189 return (0); 3190} 3191 3192static int 3193biba_vnode_check_write(struct ucred *active_cred, 3194 struct ucred *file_cred, struct vnode *vp, struct label *vplabel) 3195{ 3196 struct mac_biba *subj, *obj; 3197 3198 if (!biba_enabled || !revocation_enabled) 3199 return (0); 3200 3201 subj = SLOT(active_cred->cr_label); 3202 obj = SLOT(vplabel); 3203 3204 if (!biba_dominate_effective(subj, obj)) 3205 return (EACCES); 3206 3207 return (0); 3208} 3209 3210static int 3211biba_vnode_create_extattr(struct ucred *cred, struct mount *mp, 3212 struct label *mplabel, struct vnode *dvp, struct label *dvplabel, 3213 struct vnode *vp, struct label *vplabel, struct componentname *cnp) 3214{ 3215 struct mac_biba *source, *dest, mb_temp; 3216 size_t buflen; 3217 int error; 3218 3219 buflen = sizeof(mb_temp); 3220 bzero(&mb_temp, buflen); 3221 3222 source = SLOT(cred->cr_label); 3223 dest = SLOT(vplabel); 3224 biba_copy_effective(source, &mb_temp); 3225 3226 error = vn_extattr_set(vp, IO_NODELOCKED, MAC_BIBA_EXTATTR_NAMESPACE, 3227 MAC_BIBA_EXTATTR_NAME, buflen, (char *) &mb_temp, curthread); 3228 if (error == 0) 3229 biba_copy_effective(source, dest); 3230 return (error); 3231} 3232 3233static void 3234biba_vnode_relabel(struct ucred *cred, struct vnode *vp, 3235 struct label *vplabel, struct label *newlabel) 3236{ 3237 struct mac_biba *source, *dest; 3238 3239 source = SLOT(newlabel); 3240 dest = SLOT(vplabel); 3241 3242 biba_copy(source, dest); 3243} 3244 3245static int 3246biba_vnode_setlabel_extattr(struct ucred *cred, struct vnode *vp, 3247 struct label *vplabel, struct label *intlabel) 3248{ 3249 struct mac_biba *source, mb_temp; 3250 size_t buflen; 3251 int error; 3252 3253 buflen = sizeof(mb_temp); 3254 bzero(&mb_temp, buflen); 3255 3256 source = SLOT(intlabel); 3257 if ((source->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) == 0) 3258 return (0); 3259 3260 biba_copy_effective(source, &mb_temp); 3261 3262 error = vn_extattr_set(vp, IO_NODELOCKED, MAC_BIBA_EXTATTR_NAMESPACE, 3263 MAC_BIBA_EXTATTR_NAME, buflen, (char *) &mb_temp, curthread); 3264 return (error); 3265} 3266 3267static struct mac_policy_ops mac_biba_ops = 3268{ 3269 .mpo_init = biba_init, 3270 3271 .mpo_bpfdesc_check_receive = biba_bpfdesc_check_receive, 3272 .mpo_bpfdesc_create = biba_bpfdesc_create, 3273 .mpo_bpfdesc_create_mbuf = biba_bpfdesc_create_mbuf, 3274 .mpo_bpfdesc_destroy_label = biba_destroy_label, 3275 .mpo_bpfdesc_init_label = biba_init_label, 3276 3277 .mpo_cred_check_relabel = biba_cred_check_relabel, 3278 .mpo_cred_check_visible = biba_cred_check_visible, 3279 .mpo_cred_copy_label = biba_copy_label, 3280 .mpo_cred_destroy_label = biba_destroy_label, 3281 .mpo_cred_externalize_label = biba_externalize_label, 3282 .mpo_cred_init_label = biba_init_label, 3283 .mpo_cred_internalize_label = biba_internalize_label, 3284 .mpo_cred_relabel = biba_cred_relabel, 3285 3286 .mpo_devfs_create_device = biba_devfs_create_device, 3287 .mpo_devfs_create_directory = biba_devfs_create_directory, 3288 .mpo_devfs_create_symlink = biba_devfs_create_symlink, 3289 .mpo_devfs_destroy_label = biba_destroy_label, 3290 .mpo_devfs_init_label = biba_init_label, 3291 .mpo_devfs_update = biba_devfs_update, 3292 .mpo_devfs_vnode_associate = biba_devfs_vnode_associate, 3293 3294 .mpo_ifnet_check_relabel = biba_ifnet_check_relabel, 3295 .mpo_ifnet_check_transmit = biba_ifnet_check_transmit, 3296 .mpo_ifnet_copy_label = biba_copy_label, 3297 .mpo_ifnet_create = biba_ifnet_create, 3298 .mpo_ifnet_create_mbuf = biba_ifnet_create_mbuf, 3299 .mpo_ifnet_destroy_label = biba_destroy_label, 3300 .mpo_ifnet_externalize_label = biba_externalize_label, 3301 .mpo_ifnet_init_label = biba_init_label, 3302 .mpo_ifnet_internalize_label = biba_internalize_label, 3303 .mpo_ifnet_relabel = biba_ifnet_relabel, 3304 3305 .mpo_inpcb_check_deliver = biba_inpcb_check_deliver, 3306 .mpo_inpcb_create = biba_inpcb_create, 3307 .mpo_inpcb_create_mbuf = biba_inpcb_create_mbuf, 3308 .mpo_inpcb_destroy_label = biba_destroy_label, 3309 .mpo_inpcb_init_label = biba_init_label_waitcheck, 3310 .mpo_inpcb_sosetlabel = biba_inpcb_sosetlabel, 3311 3312 .mpo_ipq_create = biba_ipq_create, 3313 .mpo_ipq_destroy_label = biba_destroy_label, 3314 .mpo_ipq_init_label = biba_init_label_waitcheck, 3315 .mpo_ipq_match = biba_ipq_match, 3316 .mpo_ipq_reassemble = biba_ipq_reassemble, 3317 .mpo_ipq_update = biba_ipq_update, 3318 3319 .mpo_kld_check_load = biba_kld_check_load, 3320 3321 .mpo_mbuf_copy_label = biba_copy_label, 3322 .mpo_mbuf_destroy_label = biba_destroy_label, 3323 .mpo_mbuf_init_label = biba_init_label_waitcheck, 3324 3325 .mpo_mount_check_stat = biba_mount_check_stat, 3326 .mpo_mount_create = biba_mount_create, 3327 .mpo_mount_destroy_label = biba_destroy_label, 3328 .mpo_mount_init_label = biba_init_label, 3329 3330 .mpo_netatalk_aarp_send = biba_netatalk_aarp_send, 3331 3332 .mpo_netinet_arp_send = biba_netinet_arp_send, 3333 .mpo_netinet_firewall_reply = biba_netinet_firewall_reply, 3334 .mpo_netinet_firewall_send = biba_netinet_firewall_send, 3335 .mpo_netinet_fragment = biba_netinet_fragment, 3336 .mpo_netinet_icmp_reply = biba_netinet_icmp_reply, 3337 .mpo_netinet_igmp_send = biba_netinet_igmp_send, 3338 3339 .mpo_netinet6_nd6_send = biba_netinet6_nd6_send, 3340 3341 .mpo_pipe_check_ioctl = biba_pipe_check_ioctl, 3342 .mpo_pipe_check_poll = biba_pipe_check_poll, 3343 .mpo_pipe_check_read = biba_pipe_check_read, 3344 .mpo_pipe_check_relabel = biba_pipe_check_relabel, 3345 .mpo_pipe_check_stat = biba_pipe_check_stat, 3346 .mpo_pipe_check_write = biba_pipe_check_write, 3347 .mpo_pipe_copy_label = biba_copy_label, 3348 .mpo_pipe_create = biba_pipe_create, 3349 .mpo_pipe_destroy_label = biba_destroy_label, 3350 .mpo_pipe_externalize_label = biba_externalize_label, 3351 .mpo_pipe_init_label = biba_init_label, 3352 .mpo_pipe_internalize_label = biba_internalize_label, 3353 .mpo_pipe_relabel = biba_pipe_relabel, 3354 3355 .mpo_posixsem_check_getvalue = biba_posixsem_check_rdonly, 3356 .mpo_posixsem_check_open = biba_posixsem_check_openunlink, 3357 .mpo_posixsem_check_post = biba_posixsem_check_write, 3358 .mpo_posixsem_check_stat = biba_posixsem_check_rdonly, 3359 .mpo_posixsem_check_unlink = biba_posixsem_check_openunlink, 3360 .mpo_posixsem_check_wait = biba_posixsem_check_write, 3361 .mpo_posixsem_create = biba_posixsem_create, 3362 .mpo_posixsem_destroy_label = biba_destroy_label, 3363 .mpo_posixsem_init_label = biba_init_label, 3364 3365 .mpo_priv_check = biba_priv_check, 3366 3367 .mpo_proc_associate_nfsd = biba_proc_associate_nfsd, 3368 .mpo_proc_check_debug = biba_proc_check_debug, 3369 .mpo_proc_check_sched = biba_proc_check_sched, 3370 .mpo_proc_check_signal = biba_proc_check_signal, 3371 .mpo_proc_create_init = biba_proc_create_init, 3372 .mpo_proc_create_swapper = biba_proc_create_swapper, 3373 3374 .mpo_socket_check_deliver = biba_socket_check_deliver, 3375 .mpo_socket_check_relabel = biba_socket_check_relabel, 3376 .mpo_socket_check_visible = biba_socket_check_visible, 3377 .mpo_socket_copy_label = biba_copy_label, 3378 .mpo_socket_create = biba_socket_create, 3379 .mpo_socket_create_mbuf = biba_socket_create_mbuf, 3380 .mpo_socket_destroy_label = biba_destroy_label, 3381 .mpo_socket_externalize_label = biba_externalize_label, 3382 .mpo_socket_init_label = biba_init_label_waitcheck, 3383 .mpo_socket_internalize_label = biba_internalize_label, 3384 .mpo_socket_newconn = biba_socket_newconn, 3385 .mpo_socket_relabel = biba_socket_relabel, 3386 3387 .mpo_socketpeer_destroy_label = biba_destroy_label, 3388 .mpo_socketpeer_externalize_label = biba_externalize_label, 3389 .mpo_socketpeer_init_label = biba_init_label_waitcheck, 3390 .mpo_socketpeer_set_from_mbuf = biba_socketpeer_set_from_mbuf, 3391 .mpo_socketpeer_set_from_socket = biba_socketpeer_set_from_socket, 3392 3393 .mpo_syncache_create = biba_syncache_create, 3394 .mpo_syncache_create_mbuf = biba_syncache_create_mbuf, 3395 .mpo_syncache_destroy_label = biba_destroy_label, 3396 .mpo_syncache_init_label = biba_init_label_waitcheck, 3397 3398 .mpo_system_check_acct = biba_system_check_acct, 3399 .mpo_system_check_auditctl = biba_system_check_auditctl, 3400 .mpo_system_check_auditon = biba_system_check_auditon, 3401 .mpo_system_check_swapoff = biba_system_check_swapoff, 3402 .mpo_system_check_swapon = biba_system_check_swapon, 3403 .mpo_system_check_sysctl = biba_system_check_sysctl, 3404 3405 .mpo_sysvmsg_cleanup = biba_sysvmsg_cleanup, 3406 .mpo_sysvmsg_create = biba_sysvmsg_create, 3407 .mpo_sysvmsg_destroy_label = biba_destroy_label, 3408 .mpo_sysvmsg_init_label = biba_init_label, 3409 3410 .mpo_sysvmsq_check_msgrcv = biba_sysvmsq_check_msgrcv, 3411 .mpo_sysvmsq_check_msgrmid = biba_sysvmsq_check_msgrmid, 3412 .mpo_sysvmsq_check_msqget = biba_sysvmsq_check_msqget, 3413 .mpo_sysvmsq_check_msqsnd = biba_sysvmsq_check_msqsnd, 3414 .mpo_sysvmsq_check_msqrcv = biba_sysvmsq_check_msqrcv, 3415 .mpo_sysvmsq_check_msqctl = biba_sysvmsq_check_msqctl, 3416 .mpo_sysvmsq_cleanup = biba_sysvmsq_cleanup, 3417 .mpo_sysvmsq_create = biba_sysvmsq_create, 3418 .mpo_sysvmsq_destroy_label = biba_destroy_label, 3419 .mpo_sysvmsq_init_label = biba_init_label, 3420 3421 .mpo_sysvsem_check_semctl = biba_sysvsem_check_semctl, 3422 .mpo_sysvsem_check_semget = biba_sysvsem_check_semget, 3423 .mpo_sysvsem_check_semop = biba_sysvsem_check_semop, 3424 .mpo_sysvsem_cleanup = biba_sysvsem_cleanup, 3425 .mpo_sysvsem_create = biba_sysvsem_create, 3426 .mpo_sysvsem_destroy_label = biba_destroy_label, 3427 .mpo_sysvsem_init_label = biba_init_label, 3428 3429 .mpo_sysvshm_check_shmat = biba_sysvshm_check_shmat, 3430 .mpo_sysvshm_check_shmctl = biba_sysvshm_check_shmctl, 3431 .mpo_sysvshm_check_shmget = biba_sysvshm_check_shmget, 3432 .mpo_sysvshm_cleanup = biba_sysvshm_cleanup, 3433 .mpo_sysvshm_create = biba_sysvshm_create, 3434 .mpo_sysvshm_destroy_label = biba_destroy_label, 3435 .mpo_sysvshm_init_label = biba_init_label, 3436 3437 .mpo_vnode_associate_extattr = biba_vnode_associate_extattr, 3438 .mpo_vnode_associate_singlelabel = biba_vnode_associate_singlelabel, 3439 .mpo_vnode_check_access = biba_vnode_check_open, 3440 .mpo_vnode_check_chdir = biba_vnode_check_chdir, 3441 .mpo_vnode_check_chroot = biba_vnode_check_chroot, 3442 .mpo_vnode_check_create = biba_vnode_check_create, 3443 .mpo_vnode_check_deleteacl = biba_vnode_check_deleteacl, 3444 .mpo_vnode_check_deleteextattr = biba_vnode_check_deleteextattr, 3445 .mpo_vnode_check_exec = biba_vnode_check_exec, 3446 .mpo_vnode_check_getacl = biba_vnode_check_getacl, 3447 .mpo_vnode_check_getextattr = biba_vnode_check_getextattr, 3448 .mpo_vnode_check_link = biba_vnode_check_link, 3449 .mpo_vnode_check_listextattr = biba_vnode_check_listextattr, 3450 .mpo_vnode_check_lookup = biba_vnode_check_lookup, 3451 .mpo_vnode_check_mmap = biba_vnode_check_mmap, 3452 .mpo_vnode_check_open = biba_vnode_check_open, 3453 .mpo_vnode_check_poll = biba_vnode_check_poll, 3454 .mpo_vnode_check_read = biba_vnode_check_read, 3455 .mpo_vnode_check_readdir = biba_vnode_check_readdir, 3456 .mpo_vnode_check_readlink = biba_vnode_check_readlink, 3457 .mpo_vnode_check_relabel = biba_vnode_check_relabel, 3458 .mpo_vnode_check_rename_from = biba_vnode_check_rename_from, 3459 .mpo_vnode_check_rename_to = biba_vnode_check_rename_to, 3460 .mpo_vnode_check_revoke = biba_vnode_check_revoke, 3461 .mpo_vnode_check_setacl = biba_vnode_check_setacl, 3462 .mpo_vnode_check_setextattr = biba_vnode_check_setextattr, 3463 .mpo_vnode_check_setflags = biba_vnode_check_setflags, 3464 .mpo_vnode_check_setmode = biba_vnode_check_setmode, 3465 .mpo_vnode_check_setowner = biba_vnode_check_setowner, 3466 .mpo_vnode_check_setutimes = biba_vnode_check_setutimes, 3467 .mpo_vnode_check_stat = biba_vnode_check_stat, 3468 .mpo_vnode_check_unlink = biba_vnode_check_unlink, 3469 .mpo_vnode_check_write = biba_vnode_check_write, 3470 .mpo_vnode_create_extattr = biba_vnode_create_extattr, 3471 .mpo_vnode_copy_label = biba_copy_label, 3472 .mpo_vnode_destroy_label = biba_destroy_label, 3473 .mpo_vnode_externalize_label = biba_externalize_label, 3474 .mpo_vnode_init_label = biba_init_label, 3475 .mpo_vnode_internalize_label = biba_internalize_label, 3476 .mpo_vnode_relabel = biba_vnode_relabel, 3477 .mpo_vnode_setlabel_extattr = biba_vnode_setlabel_extattr, 3478}; 3479 3480MAC_POLICY_SET(&mac_biba_ops, mac_biba, "TrustedBSD MAC/Biba", 3481 MPC_LOADTIME_FLAG_NOTLATE | MPC_LOADTIME_FLAG_LABELMBUFS, &biba_slot); 3482