116958Siignatyev/*- 216958Siignatyev * Copyright (c) 1999-2002, 2007-2011 Robert N. M. Watson 3 * Copyright (c) 2001-2005 Networks Associates Technology, Inc. 4 * Copyright (c) 2005-2006 SPARTA, Inc. 5 * All rights reserved. 6 * 7 * This software was developed by Robert Watson for the TrustedBSD Project. 8 * 9 * This software was developed for the FreeBSD Project in part by Network 10 * Associates Laboratories, the Security Research Division of Network 11 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), 12 * as part of the DARPA CHATS research program. 13 * 14 * This software was enhanced by SPARTA ISSO under SPAWAR contract 15 * N66001-04-C-6019 ("SEFOS"). 16 * 17 * This software was developed at the University of Cambridge Computer 18 * Laboratory with support from a grant from Google, Inc. 19 * 20 * Redistribution and use in source and binary forms, with or without 21 * modification, are permitted provided that the following conditions 22 * are met: 23 * 1. Redistributions of source code must retain the above copyright 24 * notice, this list of conditions and the following disclaimer. 25 * 2. Redistributions in binary form must reproduce the above copyright 26 * notice, this list of conditions and the following disclaimer in the 27 * documentation and/or other materials provided with the distribution. 28 * 29 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 30 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 31 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 32 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 33 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 34 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 35 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 36 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 37 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 38 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 39 * SUCH DAMAGE. 40 */ 41 42/* 43 * Kernel interface for Mandatory Access Control -- how kernel services 44 * interact with the TrustedBSD MAC Framework. 45 */ 46 47#ifndef _SECURITY_MAC_MAC_FRAMEWORK_H_ 48#define _SECURITY_MAC_MAC_FRAMEWORK_H_ 49 50#ifndef _KERNEL 51#error "no user-serviceable parts inside" 52#endif 53 54struct auditinfo; 55struct auditinfo_addr; 56struct bpf_d; 57struct cdev; 58struct componentname; 59struct devfs_dirent; 60struct ifnet; 61struct ifreq; 62struct image_params; 63struct inpcb; 64struct ip6q; 65struct ipq; 66struct kdb_dbbe; 67struct ksem; 68struct label; 69struct m_tag; 70struct mac; 71struct mbuf; 72struct mount; 73struct msg; 74struct msqid_kernel; 75struct proc; 76struct semid_kernel; 77struct shmfd; 78struct shmid_kernel; 79struct sockaddr; 80struct socket; 81struct sysctl_oid; 82struct sysctl_req; 83struct pipepair; 84struct thread; 85struct timespec; 86struct ucred; 87struct vattr; 88struct vnode; 89struct vop_setlabel_args; 90 91struct in_addr; 92struct in6_addr; 93 94#include <sys/acl.h> /* XXX acl_type_t */ 95#include <sys/types.h> /* accmode_t */ 96 97#include <ddb/ddb.h> /* db_expr_t */ 98 99/* 100 * Entry points to the TrustedBSD MAC Framework from the remainder of the 101 * kernel: entry points are named based on a principle object type and an 102 * action relating to it. They are sorted alphabetically first by object 103 * type and then action. In some situations, the principle object type is 104 * obvious, and in other cases, less so as multiple objects may be inolved 105 * in the operation. 106 */ 107int mac_bpfdesc_check_receive(struct bpf_d *d, struct ifnet *ifp); 108void mac_bpfdesc_create(struct ucred *cred, struct bpf_d *d); 109void mac_bpfdesc_create_mbuf(struct bpf_d *d, struct mbuf *m); 110void mac_bpfdesc_destroy(struct bpf_d *); 111void mac_bpfdesc_init(struct bpf_d *); 112 113void mac_cred_associate_nfsd(struct ucred *cred); 114int mac_cred_check_setaudit(struct ucred *cred, struct auditinfo *ai); 115int mac_cred_check_setaudit_addr(struct ucred *cred, 116 struct auditinfo_addr *aia); 117int mac_cred_check_setauid(struct ucred *cred, uid_t auid); 118int mac_cred_check_setegid(struct ucred *cred, gid_t egid); 119int mac_cred_check_seteuid(struct ucred *cred, uid_t euid); 120int mac_cred_check_setgid(struct ucred *cred, gid_t gid); 121int mac_cred_check_setgroups(struct ucred *cred, int ngroups, 122 gid_t *gidset); 123int mac_cred_check_setregid(struct ucred *cred, gid_t rgid, gid_t egid); 124int mac_cred_check_setresgid(struct ucred *cred, gid_t rgid, gid_t egid, 125 gid_t sgid); 126int mac_cred_check_setresuid(struct ucred *cred, uid_t ruid, uid_t euid, 127 uid_t suid); 128int mac_cred_check_setreuid(struct ucred *cred, uid_t ruid, uid_t euid); 129int mac_cred_check_setuid(struct ucred *cred, uid_t uid); 130int mac_cred_check_visible(struct ucred *cr1, struct ucred *cr2); 131void mac_cred_copy(struct ucred *cr1, struct ucred *cr2); 132void mac_cred_create_init(struct ucred *cred); 133void mac_cred_create_swapper(struct ucred *cred); 134void mac_cred_destroy(struct ucred *); 135void mac_cred_init(struct ucred *); 136 137int mac_ddb_command_register(struct db_command_table *table, 138 struct db_command *cmd); 139int mac_ddb_command_exec(struct db_command *cmd, db_expr_t addr, 140 bool have_addr, db_expr_t count, char *modif); 141 142void mac_devfs_create_device(struct ucred *cred, struct mount *mp, 143 struct cdev *dev, struct devfs_dirent *de); 144void mac_devfs_create_directory(struct mount *mp, char *dirname, 145 int dirnamelen, struct devfs_dirent *de); 146void mac_devfs_create_symlink(struct ucred *cred, struct mount *mp, 147 struct devfs_dirent *dd, struct devfs_dirent *de); 148void mac_devfs_destroy(struct devfs_dirent *); 149void mac_devfs_init(struct devfs_dirent *); 150void mac_devfs_update(struct mount *mp, struct devfs_dirent *de, 151 struct vnode *vp); 152void mac_devfs_vnode_associate(struct mount *mp, struct devfs_dirent *de, 153 struct vnode *vp); 154 155int mac_ifnet_check_transmit_impl(struct ifnet *ifp, struct mbuf *m); 156#ifdef MAC 157extern bool mac_ifnet_check_transmit_fp_flag; 158#else 159#define mac_ifnet_check_transmit_fp_flag false 160#endif 161#define mac_ifnet_check_transmit_enabled() __predict_false(mac_ifnet_check_transmit_fp_flag) 162static inline int 163mac_ifnet_check_transmit(struct ifnet *ifp, struct mbuf *m) 164{ 165 166 if (mac_ifnet_check_transmit_enabled()) 167 return (mac_ifnet_check_transmit_impl(ifp, m)); 168 return (0); 169} 170 171void mac_ifnet_create(struct ifnet *ifp); 172 173void mac_ifnet_create_mbuf_impl(struct ifnet *ifp, struct mbuf *m); 174#ifdef MAC 175extern bool mac_ifnet_create_mbuf_fp_flag; 176#else 177#define mac_ifnet_create_mbuf_fp_flag false 178#endif 179#define mac_ifnet_create_mbuf_enabled() __predict_false(mac_ifnet_create_mbuf_fp_flag) 180static inline void 181mac_ifnet_create_mbuf(struct ifnet *ifp, struct mbuf *m) 182{ 183 184 if (mac_ifnet_create_mbuf_enabled()) 185 mac_ifnet_create_mbuf_impl(ifp, m); 186} 187 188void mac_ifnet_destroy(struct ifnet *); 189void mac_ifnet_init(struct ifnet *); 190int mac_ifnet_ioctl_get(struct ucred *cred, struct ifreq *ifr, 191 struct ifnet *ifp); 192int mac_ifnet_ioctl_set(struct ucred *cred, struct ifreq *ifr, 193 struct ifnet *ifp); 194 195/* Check if the IP address is allowed for the interface. */ 196int mac_inet_check_add_addr(struct ucred *cred, 197 const struct in_addr *ia, struct ifnet *ifp); 198int mac_inet6_check_add_addr(struct ucred *cred, 199 const struct in6_addr *ia6, struct ifnet *ifp); 200 201int mac_inpcb_check_deliver(struct inpcb *inp, struct mbuf *m); 202int mac_inpcb_check_visible(struct ucred *cred, struct inpcb *inp); 203void mac_inpcb_create(struct socket *so, struct inpcb *inp); 204void mac_inpcb_create_mbuf(struct inpcb *inp, struct mbuf *m); 205void mac_inpcb_destroy(struct inpcb *); 206int mac_inpcb_init(struct inpcb *, int); 207void mac_inpcb_sosetlabel(struct socket *so, struct inpcb *inp); 208 209void mac_ip6q_create(struct mbuf *m, struct ip6q *q6); 210void mac_ip6q_destroy(struct ip6q *q6); 211int mac_ip6q_init(struct ip6q *q6, int); 212int mac_ip6q_match(struct mbuf *m, struct ip6q *q6); 213void mac_ip6q_reassemble(struct ip6q *q6, struct mbuf *m); 214void mac_ip6q_update(struct mbuf *m, struct ip6q *q6); 215 216void mac_ipq_create(struct mbuf *m, struct ipq *q); 217void mac_ipq_destroy(struct ipq *q); 218int mac_ipq_init(struct ipq *q, int); 219int mac_ipq_match(struct mbuf *m, struct ipq *q); 220void mac_ipq_reassemble(struct ipq *q, struct mbuf *m); 221void mac_ipq_update(struct mbuf *m, struct ipq *q); 222 223int mac_kdb_check_backend(struct kdb_dbbe *be); 224int mac_kdb_grant_backend(struct kdb_dbbe *be); 225 226int mac_kenv_check_dump(struct ucred *cred); 227int mac_kenv_check_get(struct ucred *cred, char *name); 228int mac_kenv_check_set(struct ucred *cred, char *name, char *value); 229int mac_kenv_check_unset(struct ucred *cred, char *name); 230 231int mac_kld_check_load(struct ucred *cred, struct vnode *vp); 232int mac_kld_check_stat(struct ucred *cred); 233 234void mac_mbuf_copy(struct mbuf *, struct mbuf *); 235int mac_mbuf_init(struct mbuf *, int); 236 237void mac_mbuf_tag_copy(struct m_tag *, struct m_tag *); 238void mac_mbuf_tag_destroy(struct m_tag *); 239int mac_mbuf_tag_init(struct m_tag *, int); 240 241int mac_mount_check_stat(struct ucred *cred, struct mount *mp); 242void mac_mount_create(struct ucred *cred, struct mount *mp); 243void mac_mount_destroy(struct mount *); 244void mac_mount_init(struct mount *); 245 246void mac_netinet_arp_send(struct ifnet *ifp, struct mbuf *m); 247void mac_netinet_firewall_reply(struct mbuf *mrecv, struct mbuf *msend); 248void mac_netinet_firewall_send(struct mbuf *m); 249void mac_netinet_fragment(struct mbuf *m, struct mbuf *frag); 250void mac_netinet_icmp_reply(struct mbuf *mrecv, struct mbuf *msend); 251void mac_netinet_icmp_replyinplace(struct mbuf *m); 252void mac_netinet_igmp_send(struct ifnet *ifp, struct mbuf *m); 253void mac_netinet_tcp_reply(struct mbuf *m); 254 255void mac_netinet6_nd6_send(struct ifnet *ifp, struct mbuf *m); 256 257int mac_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp, 258 unsigned long cmd, void *data); 259int mac_pipe_check_poll_impl(struct ucred *cred, struct pipepair *pp); 260#ifdef MAC 261extern bool mac_pipe_check_poll_fp_flag; 262#else 263#define mac_pipe_check_poll_fp_flag false 264#endif 265#define mac_pipe_check_poll_enabled() __predict_false(mac_pipe_check_poll_fp_flag) 266static inline int 267mac_pipe_check_poll(struct ucred *cred, struct pipepair *pp) 268{ 269 270 if (mac_pipe_check_poll_enabled()) 271 return (mac_pipe_check_poll_impl(cred, pp)); 272 return (0); 273} 274 275#ifdef MAC 276extern bool mac_pipe_check_stat_fp_flag; 277#else 278#define mac_pipe_check_stat_fp_flag false 279#endif 280#define mac_pipe_check_stat_enabled() __predict_false(mac_pipe_check_stat_fp_flag) 281int mac_pipe_check_stat(struct ucred *cred, struct pipepair *pp); 282int mac_pipe_check_read_impl(struct ucred *cred, struct pipepair *pp); 283#ifdef MAC 284extern bool mac_pipe_check_read_fp_flag; 285#else 286#define mac_pipe_check_read_fp_flag false 287#endif 288#define mac_pipe_check_read_enabled() __predict_false(mac_pipe_check_read_fp_flag) 289static inline int 290mac_pipe_check_read(struct ucred *cred, struct pipepair *pp) 291{ 292 293 if (mac_pipe_check_read_enabled()) 294 return (mac_pipe_check_read_impl(cred, pp)); 295 return (0); 296} 297 298int mac_pipe_check_write(struct ucred *cred, struct pipepair *pp); 299void mac_pipe_create(struct ucred *cred, struct pipepair *pp); 300void mac_pipe_destroy(struct pipepair *); 301void mac_pipe_init(struct pipepair *); 302int mac_pipe_label_set(struct ucred *cred, struct pipepair *pp, 303 struct label *label); 304 305int mac_posixsem_check_getvalue(struct ucred *active_cred, 306 struct ucred *file_cred, struct ksem *ks); 307int mac_posixsem_check_open(struct ucred *cred, struct ksem *ks); 308int mac_posixsem_check_post(struct ucred *active_cred, 309 struct ucred *file_cred, struct ksem *ks); 310int mac_posixsem_check_setmode(struct ucred *cred, struct ksem *ks, 311 mode_t mode); 312int mac_posixsem_check_setowner(struct ucred *cred, struct ksem *ks, 313 uid_t uid, gid_t gid); 314int mac_posixsem_check_stat(struct ucred *active_cred, 315 struct ucred *file_cred, struct ksem *ks); 316int mac_posixsem_check_unlink(struct ucred *cred, struct ksem *ks); 317int mac_posixsem_check_wait(struct ucred *active_cred, 318 struct ucred *file_cred, struct ksem *ks); 319void mac_posixsem_create(struct ucred *cred, struct ksem *ks); 320void mac_posixsem_destroy(struct ksem *); 321void mac_posixsem_init(struct ksem *); 322 323int mac_posixshm_check_create(struct ucred *cred, const char *path); 324int mac_posixshm_check_mmap(struct ucred *cred, struct shmfd *shmfd, 325 int prot, int flags); 326int mac_posixshm_check_open(struct ucred *cred, struct shmfd *shmfd, 327 accmode_t accmode); 328int mac_posixshm_check_read(struct ucred *active_cred, 329 struct ucred *file_cred, struct shmfd *shmfd); 330int mac_posixshm_check_setmode(struct ucred *cred, struct shmfd *shmfd, 331 mode_t mode); 332int mac_posixshm_check_setowner(struct ucred *cred, struct shmfd *shmfd, 333 uid_t uid, gid_t gid); 334int mac_posixshm_check_stat(struct ucred *active_cred, 335 struct ucred *file_cred, struct shmfd *shmfd); 336int mac_posixshm_check_truncate(struct ucred *active_cred, 337 struct ucred *file_cred, struct shmfd *shmfd); 338int mac_posixshm_check_unlink(struct ucred *cred, struct shmfd *shmfd); 339int mac_posixshm_check_write(struct ucred *active_cred, 340 struct ucred *file_cred, struct shmfd *shmfd); 341void mac_posixshm_create(struct ucred *cred, struct shmfd *shmfd); 342void mac_posixshm_destroy(struct shmfd *); 343void mac_posixshm_init(struct shmfd *); 344 345int mac_priv_check_impl(struct ucred *cred, int priv); 346#ifdef MAC 347extern bool mac_priv_check_fp_flag; 348#else 349#define mac_priv_check_fp_flag false 350#endif 351#define mac_priv_check_enabled() __predict_false(mac_priv_check_fp_flag) 352static inline int 353mac_priv_check(struct ucred *cred, int priv) 354{ 355 356 if (mac_priv_check_enabled()) 357 return (mac_priv_check_impl(cred, priv)); 358 return (0); 359} 360 361int mac_priv_grant_impl(struct ucred *cred, int priv); 362#ifdef MAC 363extern bool mac_priv_grant_fp_flag; 364#else 365#define mac_priv_grant_fp_flag false 366#endif 367#define mac_priv_grant_enabled() __predict_false(mac_priv_grant_fp_flag) 368static inline int 369mac_priv_grant(struct ucred *cred, int priv) 370{ 371 372 if (mac_priv_grant_enabled()) 373 return (mac_priv_grant_impl(cred, priv)); 374 return (EPERM); 375} 376 377int mac_proc_check_debug(struct ucred *cred, struct proc *p); 378int mac_proc_check_sched(struct ucred *cred, struct proc *p); 379int mac_proc_check_signal(struct ucred *cred, struct proc *p, 380 int signum); 381int mac_proc_check_wait(struct ucred *cred, struct proc *p); 382void mac_proc_destroy(struct proc *); 383void mac_proc_init(struct proc *); 384void mac_proc_vm_revoke(struct thread *td); 385int mac_execve_enter(struct image_params *imgp, struct mac *mac_p); 386void mac_execve_exit(struct image_params *imgp); 387void mac_execve_interpreter_enter(struct vnode *interpvp, 388 struct label **interplabel); 389void mac_execve_interpreter_exit(struct label *interpvplabel); 390 391int mac_socket_check_accept(struct ucred *cred, struct socket *so); 392int mac_socket_check_bind(struct ucred *cred, struct socket *so, 393 struct sockaddr *sa); 394int mac_socket_check_connect(struct ucred *cred, struct socket *so, 395 struct sockaddr *sa); 396int mac_socket_check_create(struct ucred *cred, int domain, int type, 397 int proto); 398int mac_socket_check_deliver(struct socket *so, struct mbuf *m); 399int mac_socket_check_listen(struct ucred *cred, struct socket *so); 400int mac_socket_check_poll(struct ucred *cred, struct socket *so); 401int mac_socket_check_receive(struct ucred *cred, struct socket *so); 402int mac_socket_check_send(struct ucred *cred, struct socket *so); 403int mac_socket_check_stat(struct ucred *cred, struct socket *so); 404int mac_socket_check_visible(struct ucred *cred, struct socket *so); 405void mac_socket_create_mbuf(struct socket *so, struct mbuf *m); 406void mac_socket_create(struct ucred *cred, struct socket *so); 407void mac_socket_destroy(struct socket *); 408int mac_socket_init(struct socket *, int); 409void mac_socket_newconn(struct socket *oldso, struct socket *newso); 410int mac_getsockopt_label(struct ucred *cred, struct socket *so, 411 const struct mac *extmac); 412int mac_getsockopt_peerlabel(struct ucred *cred, struct socket *so, 413 const struct mac *extmac); 414int mac_setsockopt_label(struct ucred *cred, struct socket *so, 415 const struct mac *extmac); 416 417void mac_socketpeer_set_from_mbuf(struct mbuf *m, struct socket *so); 418void mac_socketpeer_set_from_socket(struct socket *oldso, 419 struct socket *newso); 420 421void mac_syncache_create(struct label *l, struct inpcb *inp); 422void mac_syncache_create_mbuf(struct label *l, struct mbuf *m); 423void mac_syncache_destroy(struct label **l); 424int mac_syncache_init(struct label **l); 425 426int mac_system_check_acct(struct ucred *cred, struct vnode *vp); 427int mac_system_check_audit(struct ucred *cred, void *record, int length); 428int mac_system_check_auditctl(struct ucred *cred, struct vnode *vp); 429int mac_system_check_auditon(struct ucred *cred, int cmd); 430int mac_system_check_reboot(struct ucred *cred, int howto); 431int mac_system_check_swapon(struct ucred *cred, struct vnode *vp); 432int mac_system_check_swapoff(struct ucred *cred, struct vnode *vp); 433int mac_system_check_sysctl(struct ucred *cred, struct sysctl_oid *oidp, 434 void *arg1, int arg2, struct sysctl_req *req); 435 436void mac_sysvmsg_cleanup(struct msg *msgptr); 437void mac_sysvmsg_create(struct ucred *cred, struct msqid_kernel *msqkptr, 438 struct msg *msgptr); 439void mac_sysvmsg_destroy(struct msg *); 440void mac_sysvmsg_init(struct msg *); 441 442int mac_sysvmsq_check_msgmsq(struct ucred *cred, struct msg *msgptr, 443 struct msqid_kernel *msqkptr); 444int mac_sysvmsq_check_msgrcv(struct ucred *cred, struct msg *msgptr); 445int mac_sysvmsq_check_msgrmid(struct ucred *cred, struct msg *msgptr); 446int mac_sysvmsq_check_msqctl(struct ucred *cred, 447 struct msqid_kernel *msqkptr, int cmd); 448int mac_sysvmsq_check_msqget(struct ucred *cred, 449 struct msqid_kernel *msqkptr); 450int mac_sysvmsq_check_msqrcv(struct ucred *cred, 451 struct msqid_kernel *msqkptr); 452int mac_sysvmsq_check_msqsnd(struct ucred *cred, 453 struct msqid_kernel *msqkptr); 454void mac_sysvmsq_cleanup(struct msqid_kernel *msqkptr); 455void mac_sysvmsq_create(struct ucred *cred, struct msqid_kernel *msqkptr); 456void mac_sysvmsq_destroy(struct msqid_kernel *); 457void mac_sysvmsq_init(struct msqid_kernel *); 458 459int mac_sysvsem_check_semctl(struct ucred *cred, 460 struct semid_kernel *semakptr, int cmd); 461int mac_sysvsem_check_semget(struct ucred *cred, 462 struct semid_kernel *semakptr); 463int mac_sysvsem_check_semop(struct ucred *cred, 464 struct semid_kernel *semakptr, size_t accesstype); 465void mac_sysvsem_cleanup(struct semid_kernel *semakptr); 466void mac_sysvsem_create(struct ucred *cred, 467 struct semid_kernel *semakptr); 468void mac_sysvsem_destroy(struct semid_kernel *); 469void mac_sysvsem_init(struct semid_kernel *); 470 471int mac_sysvshm_check_shmat(struct ucred *cred, 472 struct shmid_kernel *shmsegptr, int shmflg); 473int mac_sysvshm_check_shmctl(struct ucred *cred, 474 struct shmid_kernel *shmsegptr, int cmd); 475int mac_sysvshm_check_shmdt(struct ucred *cred, 476 struct shmid_kernel *shmsegptr); 477int mac_sysvshm_check_shmget(struct ucred *cred, 478 struct shmid_kernel *shmsegptr, int shmflg); 479void mac_sysvshm_cleanup(struct shmid_kernel *shmsegptr); 480void mac_sysvshm_create(struct ucred *cred, 481 struct shmid_kernel *shmsegptr); 482void mac_sysvshm_destroy(struct shmid_kernel *); 483void mac_sysvshm_init(struct shmid_kernel *); 484 485void mac_thread_userret(struct thread *td); 486 487#if defined(MAC) && defined(DEBUG_VFS_LOCKS) 488void mac_vnode_assert_locked(struct vnode *vp, const char *func); 489#else 490#define mac_vnode_assert_locked(vp, func) do { } while (0) 491#endif 492 493int mac_vnode_associate_extattr(struct mount *mp, struct vnode *vp); 494void mac_vnode_associate_singlelabel(struct mount *mp, struct vnode *vp); 495int mac_vnode_check_access_impl(struct ucred *cred, struct vnode *dvp, 496 accmode_t accmode); 497extern bool mac_vnode_check_access_fp_flag; 498#define mac_vnode_check_access_enabled() __predict_false(mac_vnode_check_access_fp_flag) 499static inline int 500mac_vnode_check_access(struct ucred *cred, struct vnode *dvp, 501 accmode_t accmode) 502{ 503 504 mac_vnode_assert_locked(dvp, "mac_vnode_check_access"); 505 if (mac_vnode_check_access_enabled()) 506 return (mac_vnode_check_access_impl(cred, dvp, accmode)); 507 return (0); 508} 509int mac_vnode_check_chdir(struct ucred *cred, struct vnode *dvp); 510int mac_vnode_check_chroot(struct ucred *cred, struct vnode *dvp); 511int mac_vnode_check_create(struct ucred *cred, struct vnode *dvp, 512 struct componentname *cnp, struct vattr *vap); 513int mac_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp, 514 acl_type_t type); 515int mac_vnode_check_deleteextattr(struct ucred *cred, struct vnode *vp, 516 int attrnamespace, const char *name); 517int mac_vnode_check_exec(struct ucred *cred, struct vnode *vp, 518 struct image_params *imgp); 519int mac_vnode_check_getacl(struct ucred *cred, struct vnode *vp, 520 acl_type_t type); 521int mac_vnode_check_getextattr(struct ucred *cred, struct vnode *vp, 522 int attrnamespace, const char *name); 523int mac_vnode_check_link(struct ucred *cred, struct vnode *dvp, 524 struct vnode *vp, struct componentname *cnp); 525int mac_vnode_check_listextattr(struct ucred *cred, struct vnode *vp, 526 int attrnamespace); 527 528int mac_vnode_check_lookup_impl(struct ucred *cred, struct vnode *dvp, 529 struct componentname *cnp); 530#ifdef MAC 531extern bool mac_vnode_check_lookup_fp_flag; 532#else 533#define mac_vnode_check_lookup_fp_flag false 534#endif 535#define mac_vnode_check_lookup_enabled() __predict_false(mac_vnode_check_lookup_fp_flag) 536static inline int 537mac_vnode_check_lookup(struct ucred *cred, struct vnode *dvp, 538 struct componentname *cnp) 539{ 540 541 mac_vnode_assert_locked(dvp, "mac_vnode_check_lookup"); 542 if (mac_vnode_check_lookup_enabled()) 543 return (mac_vnode_check_lookup_impl(cred, dvp, cnp)); 544 return (0); 545} 546 547int mac_vnode_check_mmap_impl(struct ucred *cred, struct vnode *vp, int prot, 548 int flags); 549#ifdef MAC 550extern bool mac_vnode_check_mmap_fp_flag; 551#else 552#define mac_vnode_check_mmap_fp_flag false 553#endif 554#define mac_vnode_check_mmap_enabled() __predict_false(mac_vnode_check_mmap_fp_flag) 555static inline int 556mac_vnode_check_mmap(struct ucred *cred, struct vnode *vp, int prot, 557 int flags) 558{ 559 560 mac_vnode_assert_locked(vp, "mac_vnode_check_mmap"); 561 if (mac_vnode_check_mmap_enabled()) 562 return (mac_vnode_check_mmap_impl(cred, vp, prot, flags)); 563 return (0); 564} 565 566int mac_vnode_check_open_impl(struct ucred *cred, struct vnode *vp, 567 accmode_t accmode); 568#ifdef MAC 569extern bool mac_vnode_check_open_fp_flag; 570#else 571#define mac_vnode_check_open_fp_flag false 572#endif 573#define mac_vnode_check_open_enabled() __predict_false(mac_vnode_check_open_fp_flag) 574static inline int 575mac_vnode_check_open(struct ucred *cred, struct vnode *vp, 576 accmode_t accmode) 577{ 578 579 mac_vnode_assert_locked(vp, "mac_vnode_check_open"); 580 if (mac_vnode_check_open_enabled()) 581 return (mac_vnode_check_open_impl(cred, vp, accmode)); 582 return (0); 583} 584 585int mac_vnode_check_mprotect(struct ucred *cred, struct vnode *vp, 586 int prot); 587 588#define mac_vnode_check_poll_enabled() __predict_false(mac_vnode_check_poll_fp_flag) 589#ifdef MAC 590extern bool mac_vnode_check_poll_fp_flag; 591int mac_vnode_check_poll(struct ucred *active_cred, 592 struct ucred *file_cred, struct vnode *vp); 593#else 594#define mac_vnode_check_poll_fp_flag false 595static inline int 596mac_vnode_check_poll(struct ucred *active_cred, struct ucred *file_cred, 597 struct vnode *vp) 598{ 599 600 return (0); 601} 602#endif 603int mac_vnode_check_readdir(struct ucred *cred, struct vnode *vp); 604int mac_vnode_check_readlink_impl(struct ucred *cred, struct vnode *dvp); 605#ifdef MAC 606extern bool mac_vnode_check_readlink_fp_flag; 607#else 608#define mac_vnode_check_readlink_fp_flag false 609#endif 610#define mac_vnode_check_readlink_enabled() __predict_false(mac_vnode_check_readlink_fp_flag) 611static inline int 612mac_vnode_check_readlink(struct ucred *cred, struct vnode *vp) 613{ 614 615 mac_vnode_assert_locked(vp, "mac_vnode_check_readlink"); 616 if (mac_vnode_check_readlink_enabled()) 617 return (mac_vnode_check_readlink_impl(cred, vp)); 618 return (0); 619} 620#define mac_vnode_check_rename_from_enabled() __predict_false(mac_vnode_check_rename_from_fp_flag) 621#ifdef MAC 622extern bool mac_vnode_check_rename_from_fp_flag; 623#endif 624int mac_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp, 625 struct vnode *vp, struct componentname *cnp); 626int mac_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp, 627 struct vnode *vp, int samedir, struct componentname *cnp); 628int mac_vnode_check_revoke(struct ucred *cred, struct vnode *vp); 629int mac_vnode_check_setacl(struct ucred *cred, struct vnode *vp, 630 acl_type_t type, struct acl *acl); 631int mac_vnode_check_setextattr(struct ucred *cred, struct vnode *vp, 632 int attrnamespace, const char *name); 633int mac_vnode_check_setflags(struct ucred *cred, struct vnode *vp, 634 u_long flags); 635int mac_vnode_check_setmode(struct ucred *cred, struct vnode *vp, 636 mode_t mode); 637int mac_vnode_check_setowner(struct ucred *cred, struct vnode *vp, 638 uid_t uid, gid_t gid); 639int mac_vnode_check_setutimes(struct ucred *cred, struct vnode *vp, 640 struct timespec atime, struct timespec mtime); 641 642int mac_vnode_check_stat_impl(struct ucred *active_cred, 643 struct ucred *file_cred, struct vnode *vp); 644#ifdef MAC 645extern bool mac_vnode_check_stat_fp_flag; 646#else 647#define mac_vnode_check_stat_fp_flag false 648#endif 649#define mac_vnode_check_stat_enabled() __predict_false(mac_vnode_check_stat_fp_flag) 650static inline int 651mac_vnode_check_stat(struct ucred *active_cred, struct ucred *file_cred, 652 struct vnode *vp) 653{ 654 655 mac_vnode_assert_locked(vp, "mac_vnode_check_stat"); 656 if (mac_vnode_check_stat_enabled()) 657 return (mac_vnode_check_stat_impl(active_cred, file_cred, vp)); 658 return (0); 659} 660 661int mac_vnode_check_read_impl(struct ucred *active_cred, 662 struct ucred *file_cred, struct vnode *vp); 663#ifdef MAC 664extern bool mac_vnode_check_read_fp_flag; 665#else 666#define mac_vnode_check_read_fp_flag false 667#endif 668#define mac_vnode_check_read_enabled() __predict_false(mac_vnode_check_read_fp_flag) 669static inline int 670mac_vnode_check_read(struct ucred *active_cred, struct ucred *file_cred, 671 struct vnode *vp) 672{ 673 674 mac_vnode_assert_locked(vp, "mac_vnode_check_read"); 675 if (mac_vnode_check_read_enabled()) 676 return (mac_vnode_check_read_impl(active_cred, file_cred, vp)); 677 return (0); 678} 679 680int mac_vnode_check_write_impl(struct ucred *active_cred, 681 struct ucred *file_cred, struct vnode *vp); 682#ifdef MAC 683extern bool mac_vnode_check_write_fp_flag; 684#else 685#define mac_vnode_check_write_fp_flag false 686#endif 687#define mac_vnode_check_write_enabled() __predict_false(mac_vnode_check_write_fp_flag) 688static inline int 689mac_vnode_check_write(struct ucred *active_cred, struct ucred *file_cred, 690 struct vnode *vp) 691{ 692 693 mac_vnode_assert_locked(vp, "mac_vnode_check_write"); 694 if (mac_vnode_check_write_enabled()) 695 return (mac_vnode_check_write_impl(active_cred, file_cred, vp)); 696 return (0); 697} 698 699int mac_vnode_check_unlink(struct ucred *cred, struct vnode *dvp, 700 struct vnode *vp, struct componentname *cnp); 701void mac_vnode_copy_label(struct label *, struct label *); 702void mac_vnode_init(struct vnode *); 703int mac_vnode_create_extattr(struct ucred *cred, struct mount *mp, 704 struct vnode *dvp, struct vnode *vp, struct componentname *cnp); 705void mac_vnode_destroy(struct vnode *); 706void mac_vnode_execve_transition(struct ucred *oldcred, 707 struct ucred *newcred, struct vnode *vp, 708 struct label *interpvplabel, struct image_params *imgp); 709int mac_vnode_execve_will_transition(struct ucred *cred, 710 struct vnode *vp, struct label *interpvplabel, 711 struct image_params *imgp); 712void mac_vnode_relabel(struct ucred *cred, struct vnode *vp, 713 struct label *newlabel); 714 715/* 716 * Calls to help various file systems implement labeling functionality using 717 * their existing EA implementation. 718 */ 719int vop_stdsetlabel_ea(struct vop_setlabel_args *ap); 720 721#endif /* !_SECURITY_MAC_MAC_FRAMEWORK_H_ */ 722