mac_bsdextended.c revision 106214
1/*- 2 * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson 3 * Copyright (c) 2001, 2002 Networks Associates Technology, Inc. 4 * All rights reserved. 5 * 6 * This software was developed by Robert Watson for the TrustedBSD Project. 7 * 8 * This software was developed for the FreeBSD Project in part by NAI Labs, 9 * the Security Research Division of Network Associates, Inc. under 10 * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA 11 * CHATS research program. 12 * 13 * Redistribution and use in source and binary forms, with or without 14 * modification, are permitted provided that the following conditions 15 * are met: 16 * 1. Redistributions of source code must retain the above copyright 17 * notice, this list of conditions and the following disclaimer. 18 * 2. Redistributions in binary form must reproduce the above copyright 19 * notice, this list of conditions and the following disclaimer in the 20 * documentation and/or other materials provided with the distribution. 21 * 3. The names of the authors may not be used to endorse or promote 22 * products derived from this software without specific prior written 23 * permission. 24 * 25 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 26 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 27 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 28 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 29 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 30 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 31 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 32 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 33 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 34 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 35 * SUCH DAMAGE. 36 * 37 * $FreeBSD: head/sys/security/mac_bsdextended/mac_bsdextended.c 106214 2002-10-30 18:10:46Z rwatson $ 38 */ 39/* 40 * Developed by the TrustedBSD Project. 41 * "BSD Extended" MAC policy, allowing the administrator to impose 42 * mandatory rules regarding users and some system objects. 43 * 44 * XXX: Much locking support required here. 45 */ 46 47#include <sys/types.h> 48#include <sys/param.h> 49#include <sys/acl.h> 50#include <sys/conf.h> 51#include <sys/kernel.h> 52#include <sys/mac.h> 53#include <sys/malloc.h> 54#include <sys/mount.h> 55#include <sys/proc.h> 56#include <sys/systm.h> 57#include <sys/sysproto.h> 58#include <sys/sysent.h> 59#include <sys/vnode.h> 60#include <sys/file.h> 61#include <sys/socket.h> 62#include <sys/socketvar.h> 63#include <sys/sysctl.h> 64 65#include <net/bpfdesc.h> 66#include <net/if.h> 67#include <net/if_types.h> 68#include <net/if_var.h> 69 70#include <vm/vm.h> 71 72#include <sys/mac_policy.h> 73 74#include <security/mac_bsdextended/mac_bsdextended.h> 75 76SYSCTL_DECL(_security_mac); 77 78SYSCTL_NODE(_security_mac, OID_AUTO, bsdextended, CTLFLAG_RW, 0, 79 "TrustedBSD extended BSD MAC policy controls"); 80 81static int mac_bsdextended_enabled = 1; 82SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, enabled, CTLFLAG_RW, 83 &mac_bsdextended_enabled, 0, "Enforce extended BSD policy"); 84TUNABLE_INT("security.mac.bsdextended.enabled", &mac_bsdextended_enabled); 85 86MALLOC_DEFINE(M_MACBSDEXTENDED, "mac_bsdextended", "BSD Extended MAC rule"); 87 88#define MAC_BSDEXTENDED_MAXRULES 250 89static struct mac_bsdextended_rule *rules[MAC_BSDEXTENDED_MAXRULES]; 90static int rule_count = 0; 91static int rule_slots = 0; 92 93SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, rule_count, CTLFLAG_RD, 94 &rule_count, 0, "Number of defined rules\n"); 95SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, rule_slots, CTLFLAG_RD, 96 &rule_slots, 0, "Number of used rule slots\n"); 97 98static int mac_bsdextended_debugging; 99SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, debugging, CTLFLAG_RW, 100 &mac_bsdextended_debugging, 0, "Enable debugging on failure"); 101 102static int 103mac_bsdextended_rule_valid(struct mac_bsdextended_rule *rule) 104{ 105 106 if ((rule->mbr_subject.mbi_flags | MBI_BITS) != MBI_BITS) 107 return (EINVAL); 108 109 if ((rule->mbr_object.mbi_flags | MBI_BITS) != MBI_BITS) 110 return (EINVAL); 111 112 if ((rule->mbr_mode | VALLPERM) != VALLPERM) 113 return (EINVAL); 114 115 return (0); 116} 117 118static int 119sysctl_rule(SYSCTL_HANDLER_ARGS) 120{ 121 struct mac_bsdextended_rule temprule, *ruleptr; 122 u_int namelen; 123 int error, index, *name; 124 125 name = (int *)arg1; 126 namelen = arg2; 127 128 /* printf("bsdextended sysctl handler (namelen %d)\n", namelen); */ 129 130 if (namelen != 1) 131 return (EINVAL); 132 133 index = name[0]; 134 if (index < 0 || index > rule_slots + 1) 135 return (ENOENT); 136 if (rule_slots >= MAC_BSDEXTENDED_MAXRULES) 137 return (ENOENT); 138 139 if (req->oldptr) { 140 if (rules[index] == NULL) 141 return (ENOENT); 142 143 error = SYSCTL_OUT(req, rules[index], sizeof(*rules[index])); 144 if (error) 145 return (error); 146 } 147 148 if (req->newptr) { 149 if (req->newlen == 0) { 150 /* printf("deletion\n"); */ 151 ruleptr = rules[index]; 152 if (ruleptr == NULL) 153 return (ENOENT); 154 rule_count--; 155 rules[index] = NULL; 156 FREE(ruleptr, M_MACBSDEXTENDED); 157 return(0); 158 } 159 error = SYSCTL_IN(req, &temprule, sizeof(temprule)); 160 if (error) 161 return (error); 162 163 error = mac_bsdextended_rule_valid(&temprule); 164 if (error) 165 return (error); 166 167 if (rules[index] == NULL) { 168 /* printf("addition\n"); */ 169 MALLOC(ruleptr, struct mac_bsdextended_rule *, 170 sizeof(*ruleptr), M_MACBSDEXTENDED, M_WAITOK | 171 M_ZERO); 172 *ruleptr = temprule; 173 rules[index] = ruleptr; 174 if (index+1 > rule_slots) 175 rule_slots = index+1; 176 rule_count++; 177 } else { 178 /* printf("replacement\n"); */ 179 *rules[index] = temprule; 180 } 181 } 182 183 return (0); 184} 185 186SYSCTL_NODE(_security_mac_bsdextended, OID_AUTO, rules, 187 CTLFLAG_RW, sysctl_rule, "BSD extended MAC rules"); 188 189static void 190mac_bsdextended_init(struct mac_policy_conf *mpc) 191{ 192 193 /* Initialize ruleset lock. */ 194 /* Register dynamic sysctl's for rules. */ 195} 196 197static void 198mac_bsdextended_destroy(struct mac_policy_conf *mpc) 199{ 200 201 /* Tear down sysctls. */ 202 /* Destroy ruleset lock. */ 203} 204 205static int 206mac_bsdextended_rulecheck(struct mac_bsdextended_rule *rule, 207 struct ucred *cred, uid_t object_uid, gid_t object_gid, int acc_mode) 208{ 209 int match; 210 211 /* 212 * Is there a subject match? 213 */ 214 if (rule->mbr_subject.mbi_flags & MBI_UID_DEFINED) { 215 match = (rule->mbr_subject.mbi_uid == cred->cr_uid || 216 rule->mbr_subject.mbi_uid == cred->cr_ruid || 217 rule->mbr_subject.mbi_uid == cred->cr_svuid); 218 219 if (rule->mbr_subject.mbi_flags & MBI_NEGATED) 220 match = !match; 221 222 if (!match) 223 return (0); 224 } 225 226 if (rule->mbr_subject.mbi_flags & MBI_GID_DEFINED) { 227 match = (groupmember(rule->mbr_subject.mbi_gid, cred) || 228 rule->mbr_subject.mbi_gid == cred->cr_rgid || 229 rule->mbr_subject.mbi_gid == cred->cr_svgid); 230 231 if (rule->mbr_subject.mbi_flags & MBI_NEGATED) 232 match = !match; 233 234 if (!match) 235 return (0); 236 } 237 238 /* 239 * Is there an object match? 240 */ 241 if (rule->mbr_object.mbi_flags & MBI_UID_DEFINED) { 242 match = (rule->mbr_object.mbi_uid == object_uid); 243 244 if (rule->mbr_object.mbi_flags & MBI_NEGATED) 245 match = !match; 246 247 if (!match) 248 return (0); 249 } 250 251 if (rule->mbr_object.mbi_flags & MBI_GID_DEFINED) { 252 match = (rule->mbr_object.mbi_gid == object_gid); 253 254 if (rule->mbr_object.mbi_flags & MBI_NEGATED) 255 match = !match; 256 257 if (!match) 258 return (0); 259 } 260 261 /* 262 * Is the access permitted? 263 */ 264 if ((rule->mbr_mode & acc_mode) != acc_mode) { 265 if (mac_bsdextended_debugging) 266 printf("mac_bsdextended: %d:%d request %d on %d:%d" 267 " fails\n", cred->cr_ruid, cred->cr_rgid, 268 acc_mode, object_uid, object_gid); 269 return (EACCES); 270 } 271 272 return (0); 273} 274 275static int 276mac_bsdextended_check(struct ucred *cred, uid_t object_uid, gid_t object_gid, 277 int acc_mode) 278{ 279 int error, i; 280 281 for (i = 0; i < rule_slots; i++) { 282 if (rules[i] == NULL) 283 continue; 284 285 error = mac_bsdextended_rulecheck(rules[i], cred, object_uid, 286 object_gid, acc_mode); 287 if (error) 288 return (error); 289 } 290 291 return (0); 292} 293 294static int 295mac_bsdextended_check_vnode_access(struct ucred *cred, struct vnode *vp, 296 struct label *label, int acc_mode) 297{ 298 struct vattr vap; 299 int error; 300 301 if (!mac_bsdextended_enabled) 302 return (0); 303 304 error = VOP_GETATTR(vp, &vap, cred, curthread); 305 if (error) 306 return (error); 307 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, acc_mode)); 308} 309 310static int 311mac_bsdextended_check_vnode_chdir(struct ucred *cred, struct vnode *dvp, 312 struct label *dlabel) 313{ 314 struct vattr vap; 315 int error; 316 317 if (!mac_bsdextended_enabled) 318 return (0); 319 320 error = VOP_GETATTR(dvp, &vap, cred, curthread); 321 if (error) 322 return (error); 323 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VEXEC)); 324} 325 326static int 327mac_bsdextended_check_vnode_chroot(struct ucred *cred, struct vnode *dvp, 328 struct label *dlabel) 329{ 330 struct vattr vap; 331 int error; 332 333 if (!mac_bsdextended_enabled) 334 return (0); 335 336 error = VOP_GETATTR(dvp, &vap, cred, curthread); 337 if (error) 338 return (error); 339 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VEXEC)); 340} 341 342static int 343mac_bsdextended_check_create_vnode(struct ucred *cred, struct vnode *dvp, 344 struct label *dlabel, struct componentname *cnp, struct vattr *vap) 345{ 346 struct vattr dvap; 347 int error; 348 349 if (!mac_bsdextended_enabled) 350 return (0); 351 352 error = VOP_GETATTR(dvp, &dvap, cred, curthread); 353 if (error) 354 return (error); 355 return (mac_bsdextended_check(cred, dvap.va_uid, dvap.va_gid, VWRITE)); 356} 357 358static int 359mac_bsdextended_check_vnode_delete(struct ucred *cred, struct vnode *dvp, 360 struct label *dlabel, struct vnode *vp, struct label *label, 361 struct componentname *cnp) 362{ 363 struct vattr vap; 364 int error; 365 366 if (!mac_bsdextended_enabled) 367 return (0); 368 369 error = VOP_GETATTR(dvp, &vap, cred, curthread); 370 if (error) 371 return (error); 372 error = mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VWRITE); 373 if (error) 374 return (error); 375 376 error = VOP_GETATTR(vp, &vap, cred, curthread); 377 if (error) 378 return (error); 379 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VWRITE)); 380} 381 382static int 383mac_bsdextended_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp, 384 struct label *label, acl_type_t type) 385{ 386 struct vattr vap; 387 int error; 388 389 if (!mac_bsdextended_enabled) 390 return (0); 391 392 error = VOP_GETATTR(vp, &vap, cred, curthread); 393 if (error) 394 return (error); 395 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VADMIN)); 396} 397 398static int 399mac_bsdextended_check_vnode_exec(struct ucred *cred, struct vnode *vp, 400 struct label *label) 401{ 402 struct vattr vap; 403 int error; 404 405 if (!mac_bsdextended_enabled) 406 return (0); 407 408 error = VOP_GETATTR(vp, &vap, cred, curthread); 409 if (error) 410 return (error); 411 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, 412 VREAD|VEXEC)); 413} 414 415static int 416mac_bsdextended_check_vnode_getacl(struct ucred *cred, struct vnode *vp, 417 struct label *label, acl_type_t type) 418{ 419 struct vattr vap; 420 int error; 421 422 if (!mac_bsdextended_enabled) 423 return (0); 424 425 error = VOP_GETATTR(vp, &vap, cred, curthread); 426 if (error) 427 return (error); 428 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VSTAT)); 429} 430 431static int 432mac_bsdextended_check_vnode_getextattr(struct ucred *cred, struct vnode *vp, 433 struct label *label, int attrnamespace, const char *name, struct uio *uio) 434{ 435 struct vattr vap; 436 int error; 437 438 if (!mac_bsdextended_enabled) 439 return (0); 440 441 error = VOP_GETATTR(vp, &vap, cred, curthread); 442 if (error) 443 return (error); 444 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VREAD)); 445} 446 447static int 448mac_bsdextended_check_vnode_link(struct ucred *cred, struct vnode *dvp, 449 struct label *dlabel, struct vnode *vp, struct label *label, 450 struct componentname *cnp) 451{ 452 struct vattr vap; 453 int error; 454 455 if (!mac_bsdextended_enabled) 456 return (0); 457 458 error = VOP_GETATTR(dvp, &vap, cred, curthread); 459 if (error) 460 return (error); 461 error = mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VWRITE); 462 if (error) 463 return (error); 464 465 error = VOP_GETATTR(vp, &vap, cred, curthread); 466 if (error) 467 return (error); 468 error = mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VWRITE); 469 if (error) 470 return (error); 471 return (0); 472} 473 474static int 475mac_bsdextended_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, 476 struct label *dlabel, struct componentname *cnp) 477{ 478 struct vattr vap; 479 int error; 480 481 if (!mac_bsdextended_enabled) 482 return (0); 483 484 error = VOP_GETATTR(dvp, &vap, cred, curthread); 485 if (error) 486 return (error); 487 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VEXEC)); 488} 489 490static int 491mac_bsdextended_check_vnode_open(struct ucred *cred, struct vnode *vp, 492 struct label *filelabel, int acc_mode) 493{ 494 struct vattr vap; 495 int error; 496 497 if (!mac_bsdextended_enabled) 498 return (0); 499 500 error = VOP_GETATTR(vp, &vap, cred, curthread); 501 if (error) 502 return (error); 503 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, acc_mode)); 504} 505 506static int 507mac_bsdextended_check_vnode_readdir(struct ucred *cred, struct vnode *dvp, 508 struct label *dlabel) 509{ 510 struct vattr vap; 511 int error; 512 513 if (!mac_bsdextended_enabled) 514 return (0); 515 516 error = VOP_GETATTR(dvp, &vap, cred, curthread); 517 if (error) 518 return (error); 519 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VREAD)); 520} 521 522static int 523mac_bsdextended_check_vnode_readdlink(struct ucred *cred, struct vnode *vp, 524 struct label *label) 525{ 526 struct vattr vap; 527 int error; 528 529 if (!mac_bsdextended_enabled) 530 return (0); 531 532 error = VOP_GETATTR(vp, &vap, cred, curthread); 533 if (error) 534 return (error); 535 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VREAD)); 536} 537 538static int 539mac_bsdextended_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp, 540 struct label *dlabel, struct vnode *vp, struct label *label, 541 struct componentname *cnp) 542{ 543 struct vattr vap; 544 int error; 545 546 if (!mac_bsdextended_enabled) 547 return (0); 548 549 error = VOP_GETATTR(dvp, &vap, cred, curthread); 550 if (error) 551 return (error); 552 error = mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VWRITE); 553 if (error) 554 return (error); 555 error = VOP_GETATTR(vp, &vap, cred, curthread); 556 if (error) 557 return (error); 558 error = mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VWRITE); 559 560 return (error); 561} 562 563static int 564mac_bsdextended_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp, 565 struct label *dlabel, struct vnode *vp, struct label *label, int samedir, 566 struct componentname *cnp) 567{ 568 struct vattr vap; 569 int error; 570 571 if (!mac_bsdextended_enabled) 572 return (0); 573 574 error = VOP_GETATTR(dvp, &vap, cred, curthread); 575 if (error) 576 return (error); 577 error = mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VWRITE); 578 if (error) 579 return (error); 580 581 if (vp != NULL) { 582 error = VOP_GETATTR(vp, &vap, cred, curthread); 583 if (error) 584 return (error); 585 error = mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, 586 VWRITE); 587 } 588 589 return (error); 590} 591 592static int 593mac_bsdextended_check_vnode_revoke(struct ucred *cred, struct vnode *vp, 594 struct label *label) 595{ 596 struct vattr vap; 597 int error; 598 599 if (!mac_bsdextended_enabled) 600 return (0); 601 602 error = VOP_GETATTR(vp, &vap, cred, curthread); 603 if (error) 604 return (error); 605 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VADMIN)); 606} 607 608static int 609mac_bsdextended_check_setacl_vnode(struct ucred *cred, struct vnode *vp, 610 struct label *label, acl_type_t type, struct acl *acl) 611{ 612 struct vattr vap; 613 int error; 614 615 if (!mac_bsdextended_enabled) 616 return (0); 617 618 error = VOP_GETATTR(vp, &vap, cred, curthread); 619 if (error) 620 return (error); 621 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VADMIN)); 622} 623 624static int 625mac_bsdextended_check_vnode_setextattr(struct ucred *cred, struct vnode *vp, 626 struct label *label, int attrnamespace, const char *name, struct uio *uio) 627{ 628 struct vattr vap; 629 int error; 630 631 if (!mac_bsdextended_enabled) 632 return (0); 633 634 error = VOP_GETATTR(vp, &vap, cred, curthread); 635 if (error) 636 return (error); 637 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VWRITE)); 638} 639 640static int 641mac_bsdextended_check_vnode_setflags(struct ucred *cred, struct vnode *vp, 642 struct label *label, u_long flags) 643{ 644 struct vattr vap; 645 int error; 646 647 if (!mac_bsdextended_enabled) 648 return (0); 649 650 error = VOP_GETATTR(vp, &vap, cred, curthread); 651 if (error) 652 return (error); 653 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VADMIN)); 654} 655 656static int 657mac_bsdextended_check_vnode_setmode(struct ucred *cred, struct vnode *vp, 658 struct label *label, mode_t mode) 659{ 660 struct vattr vap; 661 int error; 662 663 if (!mac_bsdextended_enabled) 664 return (0); 665 666 error = VOP_GETATTR(vp, &vap, cred, curthread); 667 if (error) 668 return (error); 669 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VADMIN)); 670} 671 672static int 673mac_bsdextended_check_vnode_setowner(struct ucred *cred, struct vnode *vp, 674 struct label *label, uid_t uid, gid_t gid) 675{ 676 struct vattr vap; 677 int error; 678 679 if (!mac_bsdextended_enabled) 680 return (0); 681 682 error = VOP_GETATTR(vp, &vap, cred, curthread); 683 if (error) 684 return (error); 685 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VADMIN)); 686} 687 688static int 689mac_bsdextended_check_vnode_setutimes(struct ucred *cred, struct vnode *vp, 690 struct label *label, struct timespec atime, struct timespec utime) 691{ 692 struct vattr vap; 693 int error; 694 695 if (!mac_bsdextended_enabled) 696 return (0); 697 698 error = VOP_GETATTR(vp, &vap, cred, curthread); 699 if (error) 700 return (error); 701 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VADMIN)); 702} 703 704static int 705mac_bsdextended_check_vnode_stat(struct ucred *active_cred, 706 struct ucred *file_cred, struct vnode *vp, struct label *label) 707{ 708 struct vattr vap; 709 int error; 710 711 if (!mac_bsdextended_enabled) 712 return (0); 713 714 error = VOP_GETATTR(vp, &vap, active_cred, curthread); 715 if (error) 716 return (error); 717 return (mac_bsdextended_check(active_cred, vap.va_uid, vap.va_gid, 718 VSTAT)); 719} 720 721static struct mac_policy_op_entry mac_bsdextended_ops[] = 722{ 723 { MAC_DESTROY, 724 (macop_t)mac_bsdextended_destroy }, 725 { MAC_INIT, 726 (macop_t)mac_bsdextended_init }, 727 { MAC_CHECK_VNODE_ACCESS, 728 (macop_t)mac_bsdextended_check_vnode_access }, 729 { MAC_CHECK_VNODE_CHDIR, 730 (macop_t)mac_bsdextended_check_vnode_chdir }, 731 { MAC_CHECK_VNODE_CHROOT, 732 (macop_t)mac_bsdextended_check_vnode_chroot }, 733 { MAC_CHECK_VNODE_CREATE, 734 (macop_t)mac_bsdextended_check_create_vnode }, 735 { MAC_CHECK_VNODE_DELETE, 736 (macop_t)mac_bsdextended_check_vnode_delete }, 737 { MAC_CHECK_VNODE_DELETEACL, 738 (macop_t)mac_bsdextended_check_vnode_deleteacl }, 739 { MAC_CHECK_VNODE_EXEC, 740 (macop_t)mac_bsdextended_check_vnode_exec }, 741 { MAC_CHECK_VNODE_GETACL, 742 (macop_t)mac_bsdextended_check_vnode_getacl }, 743 { MAC_CHECK_VNODE_GETEXTATTR, 744 (macop_t)mac_bsdextended_check_vnode_getextattr }, 745 { MAC_CHECK_VNODE_LINK, 746 (macop_t)mac_bsdextended_check_vnode_link }, 747 { MAC_CHECK_VNODE_LOOKUP, 748 (macop_t)mac_bsdextended_check_vnode_lookup }, 749 { MAC_CHECK_VNODE_OPEN, 750 (macop_t)mac_bsdextended_check_vnode_open }, 751 { MAC_CHECK_VNODE_READDIR, 752 (macop_t)mac_bsdextended_check_vnode_readdir }, 753 { MAC_CHECK_VNODE_READLINK, 754 (macop_t)mac_bsdextended_check_vnode_readdlink }, 755 { MAC_CHECK_VNODE_RENAME_FROM, 756 (macop_t)mac_bsdextended_check_vnode_rename_from }, 757 { MAC_CHECK_VNODE_RENAME_TO, 758 (macop_t)mac_bsdextended_check_vnode_rename_to }, 759 { MAC_CHECK_VNODE_REVOKE, 760 (macop_t)mac_bsdextended_check_vnode_revoke }, 761 { MAC_CHECK_VNODE_SETACL, 762 (macop_t)mac_bsdextended_check_setacl_vnode }, 763 { MAC_CHECK_VNODE_SETEXTATTR, 764 (macop_t)mac_bsdextended_check_vnode_setextattr }, 765 { MAC_CHECK_VNODE_SETFLAGS, 766 (macop_t)mac_bsdextended_check_vnode_setflags }, 767 { MAC_CHECK_VNODE_SETMODE, 768 (macop_t)mac_bsdextended_check_vnode_setmode }, 769 { MAC_CHECK_VNODE_SETOWNER, 770 (macop_t)mac_bsdextended_check_vnode_setowner }, 771 { MAC_CHECK_VNODE_SETUTIMES, 772 (macop_t)mac_bsdextended_check_vnode_setutimes }, 773 { MAC_CHECK_VNODE_STAT, 774 (macop_t)mac_bsdextended_check_vnode_stat }, 775 { MAC_OP_LAST, NULL } 776}; 777 778MAC_POLICY_SET(mac_bsdextended_ops, trustedbsd_mac_bsdextended, 779 "TrustedBSD MAC/BSD Extended", MPC_LOADTIME_FLAG_UNLOADOK, NULL); 780