ugidfw_vnode.c revision 184331
/*-
 * Copyright (c) 1999-2002, 2007 Robert N. M. Watson
 * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
 * Copyright (c) 2005 Tom Rhodes
 * Copyright (c) 2006 SPARTA, Inc.
 * All rights reserved.
 *
 * This software was developed by Robert Watson for the TrustedBSD Project.
 * It was later enhanced by Tom Rhodes for the TrustedBSD Project.
 *
 * This software was developed for the FreeBSD Project in part by Network
 * Associates Laboratories, the Security Research Division of Network
 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
 * as part of the DARPA CHATS research program.
 *
 * This software was enhanced by SPARTA ISSO under SPAWAR contract
 * N66001-04-C-6019 ("SEFOS").
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * $FreeBSD: head/sys/security/mac_bsdextended/ugidfw_vnode.c 184331 2008-10-27 12:09:15Z rwatson $
 */

/*
 * Vnode entry points for the ugidfw (mac_bsdextended) MAC policy.
 *
 * Every hook below reduces a VFS operation to an MBI_* access-mode mask
 * and hands the decision to ugidfw_check_vp(), which is declared outside
 * this file.  The label arguments the MAC framework passes in are not
 * consulted by this policy; only the credential and the vnode matter.
 * Each hook returns 0 to permit the operation or the non-zero error
 * produced by ugidfw_check_vp().
 */

#include <sys/param.h>
#include <sys/acl.h>
#include <sys/kernel.h>
#include <sys/jail.h>
#include <sys/lock.h>
#include <sys/malloc.h>
#include <sys/module.h>
#include <sys/mount.h>
#include <sys/mutex.h>
#include <sys/priv.h>
#include <sys/systm.h>
#include <sys/vnode.h>
#include <sys/sysctl.h>
#include <sys/syslog.h>
#include <sys/stat.h>

#include <security/mac/mac_policy.h>
#include <security/mac_bsdextended/mac_bsdextended.h>
#include <security/mac_bsdextended/ugidfw_internal.h>

/*
 * Require MBI_WRITE on a directory and then on the vnode inside it.  The
 * directory is checked first; its error, if any, is reported without
 * touching the second vnode.  Used by the link/rename/unlink hooks, all of
 * which modify a directory entry and the object it names.
 */
static int
ugidfw_check_dir_and_vp(struct ucred *cred, struct vnode *dvp,
    struct vnode *vp)
{
	int rv;

	rv = ugidfw_check_vp(cred, dvp, MBI_WRITE);
	if (rv == 0)
		rv = ugidfw_check_vp(cred, vp, MBI_WRITE);
	return (rv);
}

/*
 * access(2)-style check: the caller-supplied acc_mode is passed straight
 * through as the MBI_* mask.
 */
int
ugidfw_vnode_check_access(struct ucred *cred, struct vnode *vp,
    struct label *vplabel, int acc_mode)
{

	return (ugidfw_check_vp(cred, vp, acc_mode));
}

/* Entering a directory with chdir(2) needs MBI_EXEC on it. */
int
ugidfw_vnode_check_chdir(struct ucred *cred, struct vnode *dvp,
    struct label *dvplabel)
{

	return (ugidfw_check_vp(cred, dvp, MBI_EXEC));
}

/* chroot(2) is treated like chdir(2): MBI_EXEC on the new root. */
int
ugidfw_vnode_check_chroot(struct ucred *cred, struct vnode *dvp,
    struct label *dvplabel)
{

	return (ugidfw_check_vp(cred, dvp, MBI_EXEC));
}

/*
 * Creating a new object only consults the parent directory (MBI_WRITE);
 * the name and requested attributes are not examined by this policy.
 */
int
ugidfw_check_create_vnode(struct ucred *cred, struct vnode *dvp,
    struct label *dvplabel, struct componentname *cnp, struct vattr *vap)
{

	return (ugidfw_check_vp(cred, dvp, MBI_WRITE));
}

/* Removing an ACL is an administrative change to the vnode. */
int
ugidfw_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp,
    struct label *vplabel, acl_type_t type)
{

	return (ugidfw_check_vp(cred, vp, MBI_ADMIN));
}

/* Extended-attribute removal is treated as a write, regardless of namespace. */
int
ugidfw_vnode_check_deleteextattr(struct ucred *cred, struct vnode *vp,
    struct label *vplabel, int attrnamespace, const char *name)
{

	return (ugidfw_check_vp(cred, vp, MBI_WRITE));
}

/* Executing an image requires both MBI_READ and MBI_EXEC on it. */
int
ugidfw_vnode_check_exec(struct ucred *cred, struct vnode *vp,
    struct label *vplabel, struct image_params *imgp,
    struct label *execlabel)
{

	return (ugidfw_check_vp(cred, vp, MBI_READ | MBI_EXEC));
}

/* Reading an ACL is classified as a stat-like operation (MBI_STAT). */
int
ugidfw_vnode_check_getacl(struct ucred *cred, struct vnode *vp,
    struct label *vplabel, acl_type_t type)
{

	return (ugidfw_check_vp(cred, vp, MBI_STAT));
}

/* Extended-attribute reads need MBI_READ; the attribute name is not inspected. */
int
ugidfw_vnode_check_getextattr(struct ucred *cred, struct vnode *vp,
    struct label *vplabel, int attrnamespace, const char *name,
    struct uio *uio)
{

	return (ugidfw_check_vp(cred, vp, MBI_READ));
}

/* link(2): write access to the directory receiving the link and to the target. */
int
ugidfw_vnode_check_link(struct ucred *cred, struct vnode *dvp,
    struct label *dvplabel, struct vnode *vp, struct label *label,
    struct componentname *cnp)
{

	return (ugidfw_check_dir_and_vp(cred, dvp, vp));
}

/* Listing extended attributes is a read of the vnode. */
int
ugidfw_vnode_check_listextattr(struct ucred *cred, struct vnode *vp,
    struct label *vplabel, int attrnamespace)
{

	return (ugidfw_check_vp(cred, vp, MBI_READ));
}

/* Name lookup in a directory requires MBI_EXEC (search) on that directory. */
int
ugidfw_vnode_check_lookup(struct ucred *cred, struct vnode *dvp,
    struct label *dvplabel, struct componentname *cnp)
{

	return (ugidfw_check_vp(cred, dvp, MBI_EXEC));
}

/* open(2): the requested acc_mode is used directly as the MBI_* mask. */
int
ugidfw_vnode_check_open(struct ucred *cred, struct vnode *vp,
    struct label *vplabel, int acc_mode)
{

	return (ugidfw_check_vp(cred, vp, acc_mode));
}

/* Reading directory entries is a read of the directory vnode. */
int
ugidfw_vnode_check_readdir(struct ucred *cred, struct vnode *dvp,
    struct label *dvplabel)
{

	return (ugidfw_check_vp(cred, dvp, MBI_READ));
}

/* readlink(2) is a read of the symlink vnode. */
int
ugidfw_vnode_check_readdlink(struct ucred *cred, struct vnode *vp,
    struct label *vplabel)
{

	return (ugidfw_check_vp(cred, vp, MBI_READ));
}

/* Source side of rename(2): write access to the old directory and the object. */
int
ugidfw_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp,
    struct label *dvplabel, struct vnode *vp, struct label *vplabel,
    struct componentname *cnp)
{

	return (ugidfw_check_dir_and_vp(cred, dvp, vp));
}

/*
 * Destination side of rename(2): write access to the target directory,
 * and to the existing destination vnode when one is present.  vp may be
 * NULL here (presumably when the destination name does not yet exist), in
 * which case only the directory is checked.
 */
int
ugidfw_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp,
    struct label *dvplabel, struct vnode *vp, struct label *vplabel,
    int samedir, struct componentname *cnp)
{
	int rv;

	rv = ugidfw_check_vp(cred, dvp, MBI_WRITE);
	if (rv == 0 && vp != NULL)
		rv = ugidfw_check_vp(cred, vp, MBI_WRITE);
	return (rv);
}

/* revoke(2) is an administrative operation on the vnode. */
int
ugidfw_vnode_check_revoke(struct ucred *cred, struct vnode *vp,
    struct label *vplabel)
{

	return (ugidfw_check_vp(cred, vp, MBI_ADMIN));
}

/* Setting an ACL is an administrative change; the ACL contents are not examined. */
int
ugidfw_check_setacl_vnode(struct ucred *cred, struct vnode *vp,
    struct label *vplabel, acl_type_t type, struct acl *acl)
{

	return (ugidfw_check_vp(cred, vp, MBI_ADMIN));
}

/* Extended-attribute writes need MBI_WRITE, regardless of namespace or name. */
int
ugidfw_vnode_check_setextattr(struct ucred *cred, struct vnode *vp,
    struct label *vplabel, int attrnamespace, const char *name,
    struct uio *uio)
{

	return (ugidfw_check_vp(cred, vp, MBI_WRITE));
}

/* chflags(2) is administrative; the flag value itself is not inspected. */
int
ugidfw_vnode_check_setflags(struct ucred *cred, struct vnode *vp,
    struct label *vplabel, u_long flags)
{

	return (ugidfw_check_vp(cred, vp, MBI_ADMIN));
}

/* chmod(2) is administrative; the new mode is not inspected. */
int
ugidfw_vnode_check_setmode(struct ucred *cred, struct vnode *vp,
    struct label *vplabel, mode_t mode)
{

	return (ugidfw_check_vp(cred, vp, MBI_ADMIN));
}

/* chown(2) is administrative; the new owner/group are not inspected. */
int
ugidfw_vnode_check_setowner(struct ucred *cred, struct vnode *vp,
    struct label *vplabel, uid_t uid, gid_t gid)
{

	return (ugidfw_check_vp(cred, vp, MBI_ADMIN));
}

/* utimes(2) is administrative; the timestamps are not inspected. */
int
ugidfw_vnode_check_setutimes(struct ucred *cred, struct vnode *vp,
    struct label *vplabel, struct timespec atime, struct timespec utime)
{

	return (ugidfw_check_vp(cred, vp, MBI_ADMIN));
}

/*
 * stat(2)/fstat(2): only the active credential is checked for MBI_STAT.
 * file_cred (the credential the descriptor was opened with, when any) is
 * deliberately left unused here; confirm against the other hooks if the
 * policy is ever extended to distinguish the two.
 */
int
ugidfw_vnode_check_stat(struct ucred *active_cred,
    struct ucred *file_cred, struct vnode *vp, struct label *vplabel)
{

	return (ugidfw_check_vp(active_cred, vp, MBI_STAT));
}

/* unlink(2): write access to the containing directory and to the object. */
int
ugidfw_vnode_check_unlink(struct ucred *cred, struct vnode *dvp,
    struct label *dvplabel, struct vnode *vp, struct label *vplabel,
    struct componentname *cnp)
{

	return (ugidfw_check_dir_and_vp(cred, dvp, vp));
}