[Midnightbsd-cvs] src: security/mac:
laffer1 at midnightbsd.org
laffer1 at midnightbsd.org
Fri Sep 12 21:25:57 EDT 2008
Log Message:
-----------
Modified Files:
--------------
src/sys/security/mac:
mac_inet.c (r1.1.1.1 -> r1.2)
mac_internal.h (r1.1.1.1 -> r1.2)
mac_label.c (r1.1.1.1 -> r1.2)
mac_net.c (r1.1.1.1 -> r1.2)
mac_pipe.c (r1.1.1.1 -> r1.2)
mac_posix_sem.c (r1.1.1.1 -> r1.2)
mac_process.c (r1.2 -> r1.3)
mac_socket.c (r1.1.1.1 -> r1.2)
mac_system.c (r1.1.1.1 -> r1.2)
mac_sysv_msg.c (r1.1.1.1 -> r1.2)
mac_sysv_sem.c (r1.1.1.1 -> r1.2)
mac_sysv_shm.c (r1.1.1.1 -> r1.2)
mac_vfs.c (r1.1.1.1 -> r1.2)
-------------- next part --------------
Index: mac_sysv_sem.c
===================================================================
RCS file: /home/cvs/src/sys/security/mac/mac_sysv_sem.c,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -L sys/security/mac/mac_sysv_sem.c -L sys/security/mac/mac_sysv_sem.c -u -r1.1.1.1 -r1.2
--- sys/security/mac/mac_sysv_sem.c
+++ sys/security/mac/mac_sysv_sem.c
@@ -30,7 +30,7 @@
*/
#include <sys/cdefs.h>
-__FBSDID("$FreeBSD: src/sys/security/mac/mac_sysv_sem.c,v 1.2 2005/06/07 05:03:27 rwatson Exp $");
+__FBSDID("$FreeBSD: src/sys/security/mac/mac_sysv_sem.c,v 1.8 2007/02/06 10:59:21 rwatson Exp $");
#include "opt_mac.h"
@@ -39,7 +39,6 @@
#include <sys/lock.h>
#include <sys/malloc.h>
#include <sys/mutex.h>
-#include <sys/mac.h>
#include <sys/sbuf.h>
#include <sys/systm.h>
#include <sys/vnode.h>
@@ -49,20 +48,9 @@
#include <sys/sysctl.h>
#include <sys/sem.h>
-#include <sys/mac_policy.h>
-
+#include <security/mac/mac_framework.h>
#include <security/mac/mac_internal.h>
-
-static int mac_enforce_sysv_sem = 1;
-SYSCTL_INT(_security_mac, OID_AUTO, enforce_sysv_sem, CTLFLAG_RW,
- &mac_enforce_sysv_sem, 0, "Enforce MAC policy on System V IPC Semaphores");
-TUNABLE_INT("security.mac.enforce_sysv", &mac_enforce_sysv_sem);
-
-#ifdef MAC_DEBUG
-static unsigned int nmacipcsemas;
-SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, ipc_semas, CTLFLAG_RD,
- &nmacipcsemas, 0, "number of sysv ipc semaphore identifiers inuse");
-#endif
+#include <security/mac/mac_policy.h>
static struct label *
mac_sysv_sem_label_alloc(void)
@@ -71,7 +59,6 @@
label = mac_labelzone_alloc(M_WAITOK);
MAC_PERFORM(init_sysv_sem_label, label);
- MAC_DEBUG_COUNTER_INC(&nmacipcsemas);
return (label);
}
@@ -88,7 +75,6 @@
MAC_PERFORM(destroy_sysv_sem_label, label);
mac_labelzone_free(label);
- MAC_DEBUG_COUNTER_DEC(&nmacipcsemas);
}
void
@@ -119,12 +105,9 @@
{
int error;
- if (!mac_enforce_sysv_sem)
- return (0);
-
MAC_CHECK(check_sysv_semctl, cred, semakptr, semakptr->label, cmd);
- return(error);
+ return (error);
}
int
@@ -132,12 +115,9 @@
{
int error;
- if (!mac_enforce_sysv_sem)
- return (0);
-
MAC_CHECK(check_sysv_semget, cred, semakptr, semakptr->label);
- return(error);
+ return (error);
}
int
@@ -146,11 +126,8 @@
{
int error;
- if (!mac_enforce_sysv_sem)
- return (0);
-
MAC_CHECK(check_sysv_semop, cred, semakptr, semakptr->label,
accesstype);
- return(error);
+ return (error);
}
Index: mac_label.c
===================================================================
RCS file: /home/cvs/src/sys/security/mac/mac_label.c,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -L sys/security/mac/mac_label.c -L sys/security/mac/mac_label.c -u -r1.1.1.1 -r1.2
--- sys/security/mac/mac_label.c
+++ sys/security/mac/mac_label.c
@@ -1,5 +1,6 @@
/*-
* Copyright (c) 2003-2004 Networks Associates Technology, Inc.
+ * Copyright (c) 2007 Robert N. M. Watson
* All rights reserved.
*
* This software was developed for the FreeBSD Project in part by Network
@@ -30,20 +31,28 @@
*/
#include <sys/cdefs.h>
-__FBSDID("$FreeBSD: src/sys/security/mac/mac_label.c,v 1.3 2004/10/22 11:08:52 rwatson Exp $");
+__FBSDID("$FreeBSD: src/sys/security/mac/mac_label.c,v 1.8 2007/02/06 14:19:24 rwatson Exp $");
#include "opt_mac.h"
#include <sys/param.h>
-#include <sys/mac.h>
+#include <sys/module.h>
#include <sys/sysctl.h>
#include <sys/systm.h>
#include <vm/uma.h>
+#include <security/mac/mac_framework.h>
#include <security/mac/mac_internal.h>
+#include <security/mac/mac_policy.h>
-uma_zone_t zone_label;
+/*
+ * zone_label is the UMA zone from which most labels are allocated. Label
+ * structures are initialized to zero bytes so that policies see a NULL/0
+ * slot on first use, even if the policy is loaded after the label is
+ * allocated for an object.
+ */
+static uma_zone_t zone_label;
static int mac_labelzone_ctor(void *mem, int size, void *arg, int flags);
static void mac_labelzone_dtor(void *mem, int size, void *arg);
@@ -57,6 +66,34 @@
UMA_ALIGN_PTR, 0);
}
+/*
+ * mac_init_label() and mac_destroy_label() are exported so that they can be
+ * used in mbuf tag initialization, where labels are not slab allocated from
+ * the zone_label zone.
+ */
+void
+mac_init_label(struct label *label)
+{
+
+ bzero(label, sizeof(*label));
+ label->l_flags = MAC_FLAG_INITIALIZED;
+}
+
+void
+mac_destroy_label(struct label *label)
+{
+
+ KASSERT(label->l_flags & MAC_FLAG_INITIALIZED,
+ ("destroying uninitialized label"));
+
+#ifdef DIAGNOSTIC
+ bzero(label, sizeof(*label));
+#else
+ label->l_flags &= ~MAC_FLAG_INITIALIZED;
+#endif
+}
+
+
static int
mac_labelzone_ctor(void *mem, int size, void *arg, int flags)
{
@@ -64,8 +101,7 @@
KASSERT(size == sizeof(*label), ("mac_labelzone_ctor: wrong size\n"));
label = mem;
- bzero(label, sizeof(*label));
- label->l_flags = MAC_FLAG_INITIALIZED;
+ mac_init_label(label);
return (0);
}
@@ -76,13 +112,7 @@
KASSERT(size == sizeof(*label), ("mac_labelzone_dtor: wrong size\n"));
label = mem;
- KASSERT(label->l_flags & MAC_FLAG_INITIALIZED,
- ("mac_labelzone_dtor: label not initialized"));
-#ifdef DIAGNOSTIC
- bzero(label, sizeof(*label));
-#else
- label->l_flags &= ~MAC_FLAG_INITIALIZED;
-#endif
+ mac_destroy_label(label);
}
struct label *
@@ -98,3 +128,24 @@
uma_zfree(zone_label, label);
}
+
+/*
+ * Functions used by policy modules to get and set label values.
+ */
+intptr_t
+mac_label_get(struct label *l, int slot)
+{
+
+ KASSERT(l != NULL, ("mac_label_get: NULL label"));
+
+ return (l->l_perpolicy[slot]);
+}
+
+void
+mac_label_set(struct label *l, int slot, intptr_t v)
+{
+
+ KASSERT(l != NULL, ("mac_label_set: NULL label"));
+
+ l->l_perpolicy[slot] = v;
+}
Index: mac_inet.c
===================================================================
RCS file: /home/cvs/src/sys/security/mac/mac_inet.c,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -L sys/security/mac/mac_inet.c -L sys/security/mac/mac_inet.c -u -r1.1.1.1 -r1.2
--- sys/security/mac/mac_inet.c
+++ sys/security/mac/mac_inet.c
@@ -35,7 +35,7 @@
*/
#include <sys/cdefs.h>
-__FBSDID("$FreeBSD: src/sys/security/mac/mac_inet.c,v 1.1 2004/02/26 03:51:04 rwatson Exp $");
+__FBSDID("$FreeBSD: src/sys/security/mac/mac_inet.c,v 1.11 2007/04/22 19:55:55 rwatson Exp $");
#include "opt_mac.h"
@@ -44,7 +44,6 @@
#include <sys/lock.h>
#include <sys/malloc.h>
#include <sys/mutex.h>
-#include <sys/mac.h>
#include <sys/sbuf.h>
#include <sys/systm.h>
#include <sys/mount.h>
@@ -55,8 +54,6 @@
#include <sys/socketvar.h>
#include <sys/sysctl.h>
-#include <sys/mac_policy.h>
-
#include <net/if.h>
#include <net/if_var.h>
@@ -64,16 +61,9 @@
#include <netinet/in_pcb.h>
#include <netinet/ip_var.h>
+#include <security/mac/mac_framework.h>
#include <security/mac/mac_internal.h>
-
-#ifdef MAC_DEBUG
-static unsigned int nmacinpcbs, nmacipqs;
-
-SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, inpcbs, CTLFLAG_RD,
- &nmacinpcbs, 0, "number of inpcbs in use");
-SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, ipqs, CTLFLAG_RD,
- &nmacipqs, 0, "number of ipqs in use");
-#endif
+#include <security/mac/mac_policy.h>
static struct label *
mac_inpcb_label_alloc(int flag)
@@ -90,7 +80,6 @@
mac_labelzone_free(label);
return (NULL);
}
- MAC_DEBUG_COUNTER_INC(&nmacinpcbs);
return (label);
}
@@ -120,7 +109,6 @@
mac_labelzone_free(label);
return (NULL);
}
- MAC_DEBUG_COUNTER_INC(&nmacipqs);
return (label);
}
@@ -140,7 +128,6 @@
MAC_PERFORM(destroy_inpcb_label, label);
mac_labelzone_free(label);
- MAC_DEBUG_COUNTER_DEC(&nmacinpcbs);
}
void
@@ -157,7 +144,6 @@
MAC_PERFORM(destroy_ipq_label, label);
mac_labelzone_free(label);
- MAC_DEBUG_COUNTER_DEC(&nmacipqs);
}
void
@@ -177,36 +163,34 @@
}
void
-mac_create_datagram_from_ipq(struct ipq *ipq, struct mbuf *datagram)
+mac_create_datagram_from_ipq(struct ipq *ipq, struct mbuf *m)
{
struct label *label;
- label = mac_mbuf_to_label(datagram);
+ label = mac_mbuf_to_label(m);
- MAC_PERFORM(create_datagram_from_ipq, ipq, ipq->ipq_label,
- datagram, label);
+ MAC_PERFORM(create_datagram_from_ipq, ipq, ipq->ipq_label, m, label);
}
void
-mac_create_fragment(struct mbuf *datagram, struct mbuf *fragment)
+mac_create_fragment(struct mbuf *m, struct mbuf *frag)
{
- struct label *datagramlabel, *fragmentlabel;
+ struct label *mlabel, *fraglabel;
- datagramlabel = mac_mbuf_to_label(datagram);
- fragmentlabel = mac_mbuf_to_label(fragment);
+ mlabel = mac_mbuf_to_label(m);
+ fraglabel = mac_mbuf_to_label(frag);
- MAC_PERFORM(create_fragment, datagram, datagramlabel, fragment,
- fragmentlabel);
+ MAC_PERFORM(create_fragment, m, mlabel, frag, fraglabel);
}
void
-mac_create_ipq(struct mbuf *fragment, struct ipq *ipq)
+mac_create_ipq(struct mbuf *m, struct ipq *ipq)
{
struct label *label;
- label = mac_mbuf_to_label(fragment);
+ label = mac_mbuf_to_label(m);
- MAC_PERFORM(create_ipq, fragment, label, ipq, ipq->ipq_label);
+ MAC_PERFORM(create_ipq, m, label, ipq, ipq->ipq_label);
}
void
@@ -221,16 +205,15 @@
}
int
-mac_fragment_match(struct mbuf *fragment, struct ipq *ipq)
+mac_fragment_match(struct mbuf *m, struct ipq *ipq)
{
struct label *label;
int result;
- label = mac_mbuf_to_label(fragment);
+ label = mac_mbuf_to_label(m);
result = 1;
- MAC_BOOLEAN(fragment_match, &&, fragment, label, ipq,
- ipq->ipq_label);
+ MAC_BOOLEAN(fragment_match, &&, m, label, ipq, ipq->ipq_label);
return (result);
}
@@ -244,6 +227,7 @@
MAC_PERFORM(reflect_mbuf_icmp, m, label);
}
+
void
mac_reflect_mbuf_tcp(struct mbuf *m)
{
@@ -255,13 +239,13 @@
}
void
-mac_update_ipq(struct mbuf *fragment, struct ipq *ipq)
+mac_update_ipq(struct mbuf *m, struct ipq *ipq)
{
struct label *label;
- label = mac_mbuf_to_label(fragment);
+ label = mac_mbuf_to_label(m);
- MAC_PERFORM(update_ipq, fragment, label, ipq, ipq->ipq_label);
+ MAC_PERFORM(update_ipq, m, label, ipq, ipq->ipq_label);
}
int
@@ -272,9 +256,6 @@
M_ASSERTPKTHDR(m);
- if (!mac_enforce_socket)
- return (0);
-
label = mac_mbuf_to_label(m);
MAC_CHECK(check_inpcb_deliver, inp, inp->inp_label, m, label);
@@ -286,7 +267,71 @@
mac_inpcb_sosetlabel(struct socket *so, struct inpcb *inp)
{
- /* XXX: assert socket lock. */
INP_LOCK_ASSERT(inp);
+ SOCK_LOCK_ASSERT(so);
MAC_PERFORM(inpcb_sosetlabel, so, so->so_label, inp, inp->inp_label);
}
+
+void
+mac_create_mbuf_from_firewall(struct mbuf *m)
+{
+ struct label *label;
+
+ M_ASSERTPKTHDR(m);
+ label = mac_mbuf_to_label(m);
+ MAC_PERFORM(create_mbuf_from_firewall, m, label);
+}
+
+/*
+ * These functions really should be referencing the syncache structure
+ * instead of the label. However, due to some of the complexities associated
+ * with exposing this syncache structure we operate directly on it's label
+ * pointer. This should be OK since we aren't making any access control
+ * decisions within this code directly, we are merely allocating and copying
+ * label storage so we can properly initialize mbuf labels for any packets
+ * the syncache code might create.
+ */
+void
+mac_destroy_syncache(struct label **label)
+{
+
+ MAC_PERFORM(destroy_syncache_label, *label);
+ mac_labelzone_free(*label);
+ *label = NULL;
+}
+
+int
+mac_init_syncache(struct label **label)
+{
+ int error;
+
+ *label = mac_labelzone_alloc(M_NOWAIT);
+ if (*label == NULL)
+ return (ENOMEM);
+ /*
+ * Since we are holding the inpcb locks the policy can not allocate
+ * policy specific label storage using M_WAITOK. So we need to do a
+ * MAC_CHECK instead of the typical MAC_PERFORM so we can propagate
+ * allocation failures back to the syncache code.
+ */
+ MAC_CHECK(init_syncache_label, *label, M_NOWAIT);
+ return (error);
+}
+
+void
+mac_init_syncache_from_inpcb(struct label *label, struct inpcb *inp)
+{
+
+ INP_LOCK_ASSERT(inp);
+ MAC_PERFORM(init_syncache_from_inpcb, label, inp);
+}
+
+void
+mac_create_mbuf_from_syncache(struct label *sc_label, struct mbuf *m)
+{
+ struct label *mlabel;
+
+ M_ASSERTPKTHDR(m);
+ mlabel = mac_mbuf_to_label(m);
+ MAC_PERFORM(create_mbuf_from_syncache, sc_label, m, mlabel);
+}
Index: mac_system.c
===================================================================
RCS file: /home/cvs/src/sys/security/mac/mac_system.c,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -L sys/security/mac/mac_system.c -L sys/security/mac/mac_system.c -u -r1.1.1.1 -r1.2
--- sys/security/mac/mac_system.c
+++ sys/security/mac/mac_system.c
@@ -1,5 +1,6 @@
/*-
- * Copyright (c) 2002, 2003 Networks Associates Technology, Inc.
+ * Copyright (c) 2002-2003 Networks Associates Technology, Inc.
+ * Copyright (c) 2007 Robert N. M. Watson
* All rights reserved.
*
* This software was developed for the FreeBSD Project in part by Network
@@ -7,6 +8,9 @@
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
* as part of the DARPA CHATS research program.
*
+ * Portions of this software were developed by Robert Watson for the
+ * TrustedBSD Project.
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -29,8 +33,18 @@
* SUCH DAMAGE.
*/
+/*
+ * MAC Framework entry points relating to overall operation of system,
+ * including global services such as the kernel environment and loadable
+ * modules.
+ *
+ * System checks often align with existing privilege checks, but provide
+ * additional security context that may be relevant to policies, such as the
+ * specific object being operated on.
+ */
+
#include <sys/cdefs.h>
-__FBSDID("$FreeBSD: src/sys/security/mac/mac_system.c,v 1.105 2005/06/10 04:44:38 csjp Exp $");
+__FBSDID("$FreeBSD: src/sys/security/mac/mac_system.c,v 1.112 2007/04/22 19:55:56 rwatson Exp $");
#include "opt_mac.h"
@@ -40,33 +54,19 @@
#include <sys/malloc.h>
#include <sys/module.h>
#include <sys/mutex.h>
-#include <sys/mac.h>
#include <sys/systm.h>
#include <sys/vnode.h>
#include <sys/sysctl.h>
-#include <sys/mac_policy.h>
-
+#include <security/mac/mac_framework.h>
#include <security/mac/mac_internal.h>
-
-static int mac_enforce_kld = 1;
-SYSCTL_INT(_security_mac, OID_AUTO, enforce_kld, CTLFLAG_RW,
- &mac_enforce_kld, 0, "Enforce MAC policy on kld operations");
-TUNABLE_INT("security.mac.enforce_kld", &mac_enforce_kld);
-
-static int mac_enforce_system = 1;
-SYSCTL_INT(_security_mac, OID_AUTO, enforce_system, CTLFLAG_RW,
- &mac_enforce_system, 0, "Enforce MAC policy on system operations");
-TUNABLE_INT("security.mac.enforce_system", &mac_enforce_system);
+#include <security/mac/mac_policy.h>
int
mac_check_kenv_dump(struct ucred *cred)
{
int error;
- if (!mac_enforce_system)
- return (0);
-
MAC_CHECK(check_kenv_dump, cred);
return (error);
@@ -77,9 +77,6 @@
{
int error;
- if (!mac_enforce_system)
- return (0);
-
MAC_CHECK(check_kenv_get, cred, name);
return (error);
@@ -90,9 +87,6 @@
{
int error;
- if (!mac_enforce_system)
- return (0);
-
MAC_CHECK(check_kenv_set, cred, name, value);
return (error);
@@ -103,9 +97,6 @@
{
int error;
- if (!mac_enforce_system)
- return (0);
-
MAC_CHECK(check_kenv_unset, cred, name);
return (error);
@@ -118,9 +109,6 @@
ASSERT_VOP_LOCKED(vp, "mac_check_kld_load");
- if (!mac_enforce_kld)
- return (0);
-
MAC_CHECK(check_kld_load, cred, vp, vp->v_label);
return (error);
@@ -131,40 +119,12 @@
{
int error;
- if (!mac_enforce_kld)
- return (0);
-
MAC_CHECK(check_kld_stat, cred);
return (error);
}
int
-mac_check_kld_unload(struct ucred *cred)
-{
- int error;
-
- if (!mac_enforce_kld)
- return (0);
-
- MAC_CHECK(check_kld_unload, cred);
-
- return (error);
-}
-
-int
-mac_check_sysarch_ioperm(struct ucred *cred)
-{
- int error;
-
- if (!mac_enforce_system)
- return (0);
-
- MAC_CHECK(check_sysarch_ioperm, cred);
- return (error);
-}
-
-int
mac_check_system_acct(struct ucred *cred, struct vnode *vp)
{
int error;
@@ -173,9 +133,6 @@
ASSERT_VOP_LOCKED(vp, "mac_check_system_acct");
}
- if (!mac_enforce_system)
- return (0);
-
MAC_CHECK(check_system_acct, cred, vp,
vp != NULL ? vp->v_label : NULL);
@@ -183,54 +140,22 @@
}
int
-mac_check_system_nfsd(struct ucred *cred)
-{
- int error;
-
- if (!mac_enforce_system)
- return (0);
-
- MAC_CHECK(check_system_nfsd, cred);
-
- return (error);
-}
-
-int
mac_check_system_reboot(struct ucred *cred, int howto)
{
int error;
- if (!mac_enforce_system)
- return (0);
-
MAC_CHECK(check_system_reboot, cred, howto);
return (error);
}
int
-mac_check_system_settime(struct ucred *cred)
-{
- int error;
-
- if (!mac_enforce_system)
- return (0);
-
- MAC_CHECK(check_system_settime, cred);
-
- return (error);
-}
-
-int
mac_check_system_swapon(struct ucred *cred, struct vnode *vp)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_check_system_swapon");
- if (!mac_enforce_system)
- return (0);
-
MAC_CHECK(check_system_swapon, cred, vp, vp->v_label);
return (error);
}
@@ -242,16 +167,13 @@
ASSERT_VOP_LOCKED(vp, "mac_check_system_swapoff");
- if (!mac_enforce_system)
- return (0);
-
MAC_CHECK(check_system_swapoff, cred, vp, vp->v_label);
return (error);
}
int
-mac_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp, void *arg1,
- int arg2, struct sysctl_req *req)
+mac_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
+ void *arg1, int arg2, struct sysctl_req *req)
{
int error;
@@ -259,9 +181,6 @@
* XXXMAC: We would very much like to assert the SYSCTL_LOCK here,
* but since it's not exported from kern_sysctl.c, we can't.
*/
- if (!mac_enforce_system)
- return (0);
-
MAC_CHECK(check_system_sysctl, cred, oidp, arg1, arg2, req);
return (error);
Index: mac_process.c
===================================================================
RCS file: /home/cvs/src/sys/security/mac/mac_process.c,v
retrieving revision 1.2
retrieving revision 1.3
diff -L sys/security/mac/mac_process.c -L sys/security/mac/mac_process.c -u -r1.2 -r1.3
--- sys/security/mac/mac_process.c
+++ sys/security/mac/mac_process.c
@@ -36,7 +36,7 @@
*/
#include <sys/cdefs.h>
-__FBSDID("$FreeBSD: src/sys/security/mac/mac_process.c,v 1.108.2.2 2006/03/09 00:18:45 tegge Exp $");
+__FBSDID("$FreeBSD: src/sys/security/mac/mac_process.c,v 1.118 2007/04/22 19:55:56 rwatson Exp $");
#include "opt_mac.h"
@@ -62,19 +62,9 @@
#include <vm/vm_map.h>
#include <vm/vm_object.h>
-#include <sys/mac_policy.h>
-
+#include <security/mac/mac_framework.h>
#include <security/mac/mac_internal.h>
-
-int mac_enforce_process = 1;
-SYSCTL_INT(_security_mac, OID_AUTO, enforce_process, CTLFLAG_RW,
- &mac_enforce_process, 0, "Enforce MAC policy on inter-process operations");
-TUNABLE_INT("security.mac.enforce_process", &mac_enforce_process);
-
-int mac_enforce_vm = 1;
-SYSCTL_INT(_security_mac, OID_AUTO, enforce_vm, CTLFLAG_RW,
- &mac_enforce_vm, 0, "Enforce MAC policy on vm operations");
-TUNABLE_INT("security.mac.enforce_vm", &mac_enforce_vm);
+#include <security/mac/mac_policy.h>
static int mac_mmap_revocation = 1;
SYSCTL_INT(_security_mac, OID_AUTO, mmap_revocation, CTLFLAG_RW,
@@ -86,19 +76,6 @@
&mac_mmap_revocation_via_cow, 0, "Revoke mmap access to files via "
"copy-on-write semantics, or by removing all write access");
-static int mac_enforce_suid = 1;
-SYSCTL_INT(_security_mac, OID_AUTO, enforce_suid, CTLFLAG_RW,
- &mac_enforce_suid, 0, "Enforce MAC policy on suid/sgid operations");
-TUNABLE_INT("security.mac.enforce_suid", &mac_enforce_suid);
-
-#ifdef MAC_DEBUG
-static unsigned int nmaccreds, nmacprocs;
-SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, creds, CTLFLAG_RD,
- &nmaccreds, 0, "number of ucreds in use");
-SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, procs, CTLFLAG_RD,
- &nmacprocs, 0, "number of procs in use");
-#endif
-
static void mac_cred_mmapped_drop_perms_recurse(struct thread *td,
struct ucred *cred, struct vm_map *map);
@@ -109,7 +86,6 @@
label = mac_labelzone_alloc(M_WAITOK);
MAC_PERFORM(init_cred_label, label);
- MAC_DEBUG_COUNTER_INC(&nmaccreds);
return (label);
}
@@ -127,7 +103,6 @@
label = mac_labelzone_alloc(M_WAITOK);
MAC_PERFORM(init_proc_label, label);
- MAC_DEBUG_COUNTER_INC(&nmacprocs);
return (label);
}
@@ -144,7 +119,6 @@
MAC_PERFORM(destroy_cred_label, label);
mac_labelzone_free(label);
- MAC_DEBUG_COUNTER_DEC(&nmaccreds);
}
void
@@ -161,7 +135,6 @@
MAC_PERFORM(destroy_proc_label, label);
mac_labelzone_free(label);
- MAC_DEBUG_COUNTER_DEC(&nmacprocs);
}
void
@@ -194,8 +167,8 @@
}
/*
- * Initialize MAC label for the first kernel process, from which other
- * kernel processes and threads are spawned.
+ * Initialize MAC label for the first kernel process, from which other kernel
+ * processes and threads are spawned.
*/
void
mac_create_proc0(struct ucred *cred)
@@ -224,8 +197,8 @@
/*
* When a new process is created, its label must be initialized. Generally,
- * this involves inheritence from the parent process, modulo possible
- * deltas. This function allows that processing to take place.
+ * this involves inheritence from the parent process, modulo possible deltas.
+ * This function allows that processing to take place.
*/
void
mac_copy_cred(struct ucred *src, struct ucred *dest)
@@ -282,9 +255,9 @@
/*
* When relabeling a process, call out to the policies for the maximum
- * permission allowed for each object type we know about in its
- * memory space, and revoke access (in the least surprising ways we
- * know) when necessary. The process lock is not held here.
+ * permission allowed for each object type we know about in its memory space,
+ * and revoke access (in the least surprising ways we know) when necessary.
+ * The process lock is not held here.
*/
void
mac_cred_mmapped_drop_perms(struct thread *td, struct ucred *cred)
@@ -364,9 +337,9 @@
}
VM_OBJECT_UNLOCK(object);
/*
- * At the moment, vm_maps and objects aren't considered
- * by the MAC system, so only things with backing by a
- * normal object (read: vnodes) are checked.
+ * At the moment, vm_maps and objects aren't considered by
+ * the MAC system, so only things with backing by a normal
+ * object (read: vnodes) are checked.
*/
if (object->type != OBJT_VNODE)
continue;
@@ -377,8 +350,8 @@
mac_check_vnode_mmap_downgrade(cred, vp, &result);
VOP_UNLOCK(vp, 0, td);
/*
- * Find out what maximum protection we may be allowing
- * now but a policy needs to get removed.
+ * Find out what maximum protection we may be allowing now
+ * but a policy needs to get removed.
*/
revokeperms = vme->max_protection & ~result;
if (!revokeperms) {
@@ -394,9 +367,8 @@
/*
* This is the really simple case: if a map has more
* max_protection than is allowed, but it's not being
- * actually used (that is, the current protection is
- * still allowed), we can just wipe it out and do
- * nothing more.
+ * actually used (that is, the current protection is still
+ * allowed), we can just wipe it out and do nothing more.
*/
if ((vme->protection & revokeperms) == 0) {
vme->max_protection -= revokeperms;
@@ -474,205 +446,168 @@
}
int
-mac_check_cred_visible(struct ucred *u1, struct ucred *u2)
+mac_check_cred_visible(struct ucred *cr1, struct ucred *cr2)
{
int error;
- if (!mac_enforce_process)
- return (0);
-
- MAC_CHECK(check_cred_visible, u1, u2);
+ MAC_CHECK(check_cred_visible, cr1, cr2);
return (error);
}
int
-mac_check_proc_debug(struct ucred *cred, struct proc *proc)
+mac_check_proc_debug(struct ucred *cred, struct proc *p)
{
int error;
- PROC_LOCK_ASSERT(proc, MA_OWNED);
-
- if (!mac_enforce_process)
- return (0);
+ PROC_LOCK_ASSERT(p, MA_OWNED);
- MAC_CHECK(check_proc_debug, cred, proc);
+ MAC_CHECK(check_proc_debug, cred, p);
return (error);
}
int
-mac_check_proc_sched(struct ucred *cred, struct proc *proc)
+mac_check_proc_sched(struct ucred *cred, struct proc *p)
{
int error;
- PROC_LOCK_ASSERT(proc, MA_OWNED);
-
- if (!mac_enforce_process)
- return (0);
+ PROC_LOCK_ASSERT(p, MA_OWNED);
- MAC_CHECK(check_proc_sched, cred, proc);
+ MAC_CHECK(check_proc_sched, cred, p);
return (error);
}
int
-mac_check_proc_signal(struct ucred *cred, struct proc *proc, int signum)
+mac_check_proc_signal(struct ucred *cred, struct proc *p, int signum)
{
int error;
- PROC_LOCK_ASSERT(proc, MA_OWNED);
-
- if (!mac_enforce_process)
- return (0);
+ PROC_LOCK_ASSERT(p, MA_OWNED);
- MAC_CHECK(check_proc_signal, cred, proc, signum);
+ MAC_CHECK(check_proc_signal, cred, p, signum);
return (error);
}
int
-mac_check_proc_setuid(struct proc *proc, struct ucred *cred, uid_t uid)
+mac_check_proc_setuid(struct proc *p, struct ucred *cred, uid_t uid)
{
int error;
- PROC_LOCK_ASSERT(proc, MA_OWNED);
-
- if (!mac_enforce_suid)
- return (0);
+ PROC_LOCK_ASSERT(p, MA_OWNED);
MAC_CHECK(check_proc_setuid, cred, uid);
return (error);
}
int
-mac_check_proc_seteuid(struct proc *proc, struct ucred *cred, uid_t euid)
+mac_check_proc_seteuid(struct proc *p, struct ucred *cred, uid_t euid)
{
int error;
- PROC_LOCK_ASSERT(proc, MA_OWNED);
-
- if (!mac_enforce_suid)
- return (0);
+ PROC_LOCK_ASSERT(p, MA_OWNED);
MAC_CHECK(check_proc_seteuid, cred, euid);
return (error);
}
int
-mac_check_proc_setgid(struct proc *proc, struct ucred *cred, gid_t gid)
+mac_check_proc_setgid(struct proc *p, struct ucred *cred, gid_t gid)
{
int error;
- PROC_LOCK_ASSERT(proc, MA_OWNED);
-
- if (!mac_enforce_suid)
- return (0);
+ PROC_LOCK_ASSERT(p, MA_OWNED);
MAC_CHECK(check_proc_setgid, cred, gid);
+
return (error);
}
int
-mac_check_proc_setegid(struct proc *proc, struct ucred *cred, gid_t egid)
+mac_check_proc_setegid(struct proc *p, struct ucred *cred, gid_t egid)
{
int error;
- PROC_LOCK_ASSERT(proc, MA_OWNED);
-
- if (!mac_enforce_suid)
- return (0);
+ PROC_LOCK_ASSERT(p, MA_OWNED);
MAC_CHECK(check_proc_setegid, cred, egid);
+
return (error);
}
int
-mac_check_proc_setgroups(struct proc *proc, struct ucred *cred,
- int ngroups, gid_t *gidset)
+mac_check_proc_setgroups(struct proc *p, struct ucred *cred, int ngroups,
+ gid_t *gidset)
{
int error;
- PROC_LOCK_ASSERT(proc, MA_OWNED);
-
- if (!mac_enforce_suid)
- return (0);
+ PROC_LOCK_ASSERT(p, MA_OWNED);
MAC_CHECK(check_proc_setgroups, cred, ngroups, gidset);
return (error);
}
int
-mac_check_proc_setreuid(struct proc *proc, struct ucred *cred, uid_t ruid,
- uid_t euid)
+mac_check_proc_setreuid(struct proc *p, struct ucred *cred, uid_t ruid,
+ uid_t euid)
{
int error;
- PROC_LOCK_ASSERT(proc, MA_OWNED);
-
- if (!mac_enforce_suid)
- return (0);
+ PROC_LOCK_ASSERT(p, MA_OWNED);
MAC_CHECK(check_proc_setreuid, cred, ruid, euid);
+
return (error);
}
int
mac_check_proc_setregid(struct proc *proc, struct ucred *cred, gid_t rgid,
- gid_t egid)
+ gid_t egid)
{
int error;
PROC_LOCK_ASSERT(proc, MA_OWNED);
- if (!mac_enforce_suid)
- return (0);
-
MAC_CHECK(check_proc_setregid, cred, rgid, egid);
+
return (error);
}
int
-mac_check_proc_setresuid(struct proc *proc, struct ucred *cred, uid_t ruid,
- uid_t euid, uid_t suid)
+mac_check_proc_setresuid(struct proc *p, struct ucred *cred, uid_t ruid,
+ uid_t euid, uid_t suid)
{
int error;
- PROC_LOCK_ASSERT(proc, MA_OWNED);
-
- if (!mac_enforce_suid)
- return (0);
+ PROC_LOCK_ASSERT(p, MA_OWNED);
MAC_CHECK(check_proc_setresuid, cred, ruid, euid, suid);
return (error);
}
int
-mac_check_proc_setresgid(struct proc *proc, struct ucred *cred, gid_t rgid,
- gid_t egid, gid_t sgid)
+mac_check_proc_setresgid(struct proc *p, struct ucred *cred, gid_t rgid,
+ gid_t egid, gid_t sgid)
{
int error;
- PROC_LOCK_ASSERT(proc, MA_OWNED);
-
- if (!mac_enforce_suid)
- return (0);
+ PROC_LOCK_ASSERT(p, MA_OWNED);
MAC_CHECK(check_proc_setresgid, cred, rgid, egid, sgid);
+
return (error);
}
int
-mac_check_proc_wait(struct ucred *cred, struct proc *proc)
+mac_check_proc_wait(struct ucred *cred, struct proc *p)
{
int error;
- PROC_LOCK_ASSERT(proc, MA_OWNED);
-
- if (!mac_enforce_process)
- return (0);
+ PROC_LOCK_ASSERT(p, MA_OWNED);
- MAC_CHECK(check_proc_wait, cred, proc);
+ MAC_CHECK(check_proc_wait, cred, p);
return (error);
}
Index: mac_net.c
===================================================================
RCS file: /home/cvs/src/sys/security/mac/mac_net.c,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -L sys/security/mac/mac_net.c -L sys/security/mac/mac_net.c -u -r1.1.1.1 -r1.2
--- sys/security/mac/mac_net.c
+++ sys/security/mac/mac_net.c
@@ -35,7 +35,7 @@
*/
#include <sys/cdefs.h>
-__FBSDID("$FreeBSD: src/sys/security/mac/mac_net.c,v 1.117 2005/07/05 23:39:50 rwatson Exp $");
+__FBSDID("$FreeBSD: src/sys/security/mac/mac_net.c,v 1.126 2007/04/22 19:55:55 rwatson Exp $");
#include "opt_mac.h"
@@ -45,6 +45,7 @@
#include <sys/malloc.h>
#include <sys/mutex.h>
#include <sys/mac.h>
+#include <sys/priv.h>
#include <sys/sbuf.h>
#include <sys/systm.h>
#include <sys/mount.h>
@@ -55,53 +56,40 @@
#include <sys/socketvar.h>
#include <sys/sysctl.h>
-#include <sys/mac_policy.h>
-
#include <net/bpfdesc.h>
#include <net/if.h>
#include <net/if_var.h>
+#include <security/mac/mac_framework.h>
#include <security/mac/mac_internal.h>
+#include <security/mac/mac_policy.h>
/*
- * mac_enforce_network is used by IPv4 and IPv6 checks, and so must
- * be non-static for now.
- */
-int mac_enforce_network = 1;
-SYSCTL_INT(_security_mac, OID_AUTO, enforce_network, CTLFLAG_RW,
- &mac_enforce_network, 0, "Enforce MAC policy on network packets");
-TUNABLE_INT("security.mac.enforce_network", &mac_enforce_network);
-
-#ifdef MAC_DEBUG
-static unsigned int nmacbpfdescs, nmacifnets, nmacmbufs;
-
-SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, bpfdescs, CTLFLAG_RD,
- &nmacbpfdescs, 0, "number of bpfdescs in use");
-SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, ifnets, CTLFLAG_RD,
- &nmacifnets, 0, "number of ifnets in use");
-SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, mbufs, CTLFLAG_RD,
- &nmacmbufs, 0, "number of mbufs in use");
-#endif
-
-/*
- * XXXRW: struct ifnet locking is incomplete in the network code, so we
- * use our own global mutex for struct ifnet. Non-ideal, but should help
- * in the SMP environment.
+ * XXXRW: struct ifnet locking is incomplete in the network code, so we use
+ * our own global mutex for struct ifnet. Non-ideal, but should help in the
+ * SMP environment.
*/
static struct mtx mac_ifnet_mtx;
MTX_SYSINIT(mac_ifnet_mtx, &mac_ifnet_mtx, "mac_ifnet", MTX_DEF);
#define MAC_IFNET_LOCK(ifp) mtx_lock(&mac_ifnet_mtx)
#define MAC_IFNET_UNLOCK(ifp) mtx_unlock(&mac_ifnet_mtx)
+/*
+ * Retrieve the label associated with an mbuf by searching for the tag.
+ * Depending on the value of mac_labelmbufs, it's possible that a label will
+ * not be present, in which case NULL is returned. Policies must handle the
+ * possibility of an mbuf not having label storage if they do not enforce
+ * early loading.
+ */
struct label *
-mac_mbuf_to_label(struct mbuf *mbuf)
+mac_mbuf_to_label(struct mbuf *m)
{
struct m_tag *tag;
struct label *label;
- if (mbuf == NULL)
+ if (m == NULL)
return (NULL);
- tag = m_tag_find(mbuf, PACKET_TAG_MACLABEL, NULL);
+ tag = m_tag_find(m, PACKET_TAG_MACLABEL, NULL);
if (tag == NULL)
return (NULL);
label = (struct label *)(tag+1);
@@ -115,15 +103,14 @@
label = mac_labelzone_alloc(M_WAITOK);
MAC_PERFORM(init_bpfdesc_label, label);
- MAC_DEBUG_COUNTER_INC(&nmacbpfdescs);
return (label);
}
void
-mac_init_bpfdesc(struct bpf_d *bpf_d)
+mac_init_bpfdesc(struct bpf_d *d)
{
- bpf_d->bd_label = mac_bpfdesc_label_alloc();
+ d->bd_label = mac_bpfdesc_label_alloc();
}
static struct label *
@@ -133,7 +120,6 @@
label = mac_labelzone_alloc(M_WAITOK);
MAC_PERFORM(init_ifnet_label, label);
- MAC_DEBUG_COUNTER_INC(&nmacifnets);
return (label);
}
@@ -157,8 +143,6 @@
if (error) {
MAC_PERFORM(destroy_mbuf_label, label);
mac_destroy_label(label);
- } else {
- MAC_DEBUG_COUNTER_INC(&nmacmbufs);
}
return (error);
}
@@ -198,15 +182,14 @@
MAC_PERFORM(destroy_bpfdesc_label, label);
mac_labelzone_free(label);
- MAC_DEBUG_COUNTER_DEC(&nmacbpfdescs);
}
void
-mac_destroy_bpfdesc(struct bpf_d *bpf_d)
+mac_destroy_bpfdesc(struct bpf_d *d)
{
- mac_bpfdesc_label_free(bpf_d->bd_label);
- bpf_d->bd_label = NULL;
+ mac_bpfdesc_label_free(d->bd_label);
+ d->bd_label = NULL;
}
static void
@@ -215,7 +198,6 @@
MAC_PERFORM(destroy_ifnet_label, label);
mac_labelzone_free(label);
- MAC_DEBUG_COUNTER_DEC(&nmacifnets);
}
void
@@ -235,9 +217,12 @@
MAC_PERFORM(destroy_mbuf_label, label);
mac_destroy_label(label);
- MAC_DEBUG_COUNTER_DEC(&nmacmbufs);
}
+/*
+ * mac_copy_mbuf_tag is called when an mbuf header is duplicated, in which
+ * case the labels must also be duplicated.
+ */
void
mac_copy_mbuf_tag(struct m_tag *src, struct m_tag *dest)
{
@@ -247,8 +232,8 @@
dest_label = (struct label *)(dest+1);
/*
- * mac_init_mbuf_tag() is called on the target tag in
- * m_tag_copy(), so we don't need to call it here.
+ * mac_init_mbuf_tag() is called on the target tag in m_tag_copy(),
+ * so we don't need to call it here.
*/
MAC_PERFORM(copy_mbuf_label, src_label, dest_label);
}
@@ -293,129 +278,117 @@
}
void
-mac_create_ifnet(struct ifnet *ifnet)
+mac_create_ifnet(struct ifnet *ifp)
{
- MAC_IFNET_LOCK(ifnet);
- MAC_PERFORM(create_ifnet, ifnet, ifnet->if_label);
- MAC_IFNET_UNLOCK(ifnet);
+ MAC_IFNET_LOCK(ifp);
+ MAC_PERFORM(create_ifnet, ifp, ifp->if_label);
+ MAC_IFNET_UNLOCK(ifp);
}
void
-mac_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d)
+mac_create_bpfdesc(struct ucred *cred, struct bpf_d *d)
{
- MAC_PERFORM(create_bpfdesc, cred, bpf_d, bpf_d->bd_label);
+ MAC_PERFORM(create_bpfdesc, cred, d, d->bd_label);
}
void
-mac_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct mbuf *mbuf)
+mac_create_mbuf_from_bpfdesc(struct bpf_d *d, struct mbuf *m)
{
struct label *label;
- BPFD_LOCK_ASSERT(bpf_d);
+ BPFD_LOCK_ASSERT(d);
- label = mac_mbuf_to_label(mbuf);
+ label = mac_mbuf_to_label(m);
- MAC_PERFORM(create_mbuf_from_bpfdesc, bpf_d, bpf_d->bd_label, mbuf,
- label);
+ MAC_PERFORM(create_mbuf_from_bpfdesc, d, d->bd_label, m, label);
}
void
-mac_create_mbuf_linklayer(struct ifnet *ifnet, struct mbuf *mbuf)
+mac_create_mbuf_linklayer(struct ifnet *ifp, struct mbuf *m)
{
struct label *label;
- label = mac_mbuf_to_label(mbuf);
+ label = mac_mbuf_to_label(m);
- MAC_IFNET_LOCK(ifnet);
- MAC_PERFORM(create_mbuf_linklayer, ifnet, ifnet->if_label, mbuf,
- label);
- MAC_IFNET_UNLOCK(ifnet);
+ MAC_IFNET_LOCK(ifp);
+ MAC_PERFORM(create_mbuf_linklayer, ifp, ifp->if_label, m, label);
+ MAC_IFNET_UNLOCK(ifp);
}
void
-mac_create_mbuf_from_ifnet(struct ifnet *ifnet, struct mbuf *mbuf)
+mac_create_mbuf_from_ifnet(struct ifnet *ifp, struct mbuf *m)
{
struct label *label;
- label = mac_mbuf_to_label(mbuf);
+ label = mac_mbuf_to_label(m);
- MAC_IFNET_LOCK(ifnet);
- MAC_PERFORM(create_mbuf_from_ifnet, ifnet, ifnet->if_label, mbuf,
- label);
- MAC_IFNET_UNLOCK(ifnet);
+ MAC_IFNET_LOCK(ifp);
+ MAC_PERFORM(create_mbuf_from_ifnet, ifp, ifp->if_label, m, label);
+ MAC_IFNET_UNLOCK(ifp);
}
void
-mac_create_mbuf_multicast_encap(struct mbuf *oldmbuf, struct ifnet *ifnet,
- struct mbuf *newmbuf)
+mac_create_mbuf_multicast_encap(struct mbuf *m, struct ifnet *ifp,
+ struct mbuf *mnew)
{
- struct label *oldmbuflabel, *newmbuflabel;
+ struct label *mlabel, *mnewlabel;
- oldmbuflabel = mac_mbuf_to_label(oldmbuf);
- newmbuflabel = mac_mbuf_to_label(newmbuf);
+ mlabel = mac_mbuf_to_label(m);
+ mnewlabel = mac_mbuf_to_label(mnew);
- MAC_IFNET_LOCK(ifnet);
- MAC_PERFORM(create_mbuf_multicast_encap, oldmbuf, oldmbuflabel,
- ifnet, ifnet->if_label, newmbuf, newmbuflabel);
- MAC_IFNET_UNLOCK(ifnet);
+ MAC_IFNET_LOCK(ifp);
+ MAC_PERFORM(create_mbuf_multicast_encap, m, mlabel, ifp,
+ ifp->if_label, mnew, mnewlabel);
+ MAC_IFNET_UNLOCK(ifp);
}
void
-mac_create_mbuf_netlayer(struct mbuf *oldmbuf, struct mbuf *newmbuf)
+mac_create_mbuf_netlayer(struct mbuf *m, struct mbuf *mnew)
{
- struct label *oldmbuflabel, *newmbuflabel;
+ struct label *mlabel, *mnewlabel;
- oldmbuflabel = mac_mbuf_to_label(oldmbuf);
- newmbuflabel = mac_mbuf_to_label(newmbuf);
+ mlabel = mac_mbuf_to_label(m);
+ mnewlabel = mac_mbuf_to_label(mnew);
- MAC_PERFORM(create_mbuf_netlayer, oldmbuf, oldmbuflabel, newmbuf,
- newmbuflabel);
+ MAC_PERFORM(create_mbuf_netlayer, m, mlabel, mnew, mnewlabel);
}
int
-mac_check_bpfdesc_receive(struct bpf_d *bpf_d, struct ifnet *ifnet)
+mac_check_bpfdesc_receive(struct bpf_d *d, struct ifnet *ifp)
{
int error;
- BPFD_LOCK_ASSERT(bpf_d);
-
- if (!mac_enforce_network)
- return (0);
+ BPFD_LOCK_ASSERT(d);
- MAC_IFNET_LOCK(ifnet);
- MAC_CHECK(check_bpfdesc_receive, bpf_d, bpf_d->bd_label, ifnet,
- ifnet->if_label);
- MAC_IFNET_UNLOCK(ifnet);
+ MAC_IFNET_LOCK(ifp);
+ MAC_CHECK(check_bpfdesc_receive, d, d->bd_label, ifp, ifp->if_label);
+ MAC_IFNET_UNLOCK(ifp);
return (error);
}
int
-mac_check_ifnet_transmit(struct ifnet *ifnet, struct mbuf *mbuf)
+mac_check_ifnet_transmit(struct ifnet *ifp, struct mbuf *m)
{
struct label *label;
int error;
- M_ASSERTPKTHDR(mbuf);
-
- if (!mac_enforce_network)
- return (0);
+ M_ASSERTPKTHDR(m);
- label = mac_mbuf_to_label(mbuf);
+ label = mac_mbuf_to_label(m);
- MAC_IFNET_LOCK(ifnet);
- MAC_CHECK(check_ifnet_transmit, ifnet, ifnet->if_label, mbuf,
- label);
- MAC_IFNET_UNLOCK(ifnet);
+ MAC_IFNET_LOCK(ifp);
+ MAC_CHECK(check_ifnet_transmit, ifp, ifp->if_label, m, label);
+ MAC_IFNET_UNLOCK(ifp);
return (error);
}
int
mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr,
- struct ifnet *ifnet)
+ struct ifnet *ifp)
{
char *elements, *buffer;
struct label *intlabel;
@@ -439,11 +412,11 @@
buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
intlabel = mac_ifnet_label_alloc();
- MAC_IFNET_LOCK(ifnet);
- mac_copy_ifnet_label(ifnet->if_label, intlabel);
- MAC_IFNET_UNLOCK(ifnet);
- error = mac_externalize_ifnet_label(ifnet->if_label, elements,
- buffer, mac.m_buflen);
+ MAC_IFNET_LOCK(ifp);
+ mac_copy_ifnet_label(ifp->if_label, intlabel);
+ MAC_IFNET_UNLOCK(ifp);
+ error = mac_externalize_ifnet_label(intlabel, elements, buffer,
+ mac.m_buflen);
mac_ifnet_label_free(intlabel);
if (error == 0)
error = copyout(buffer, mac.m_string, strlen(buffer)+1);
@@ -455,8 +428,7 @@
}
int
-mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr,
- struct ifnet *ifnet)
+mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr, struct ifnet *ifp)
{
struct label *intlabel;
struct mac mac;
@@ -487,27 +459,26 @@
}
/*
- * XXX: Note that this is a redundant privilege check, since
- * policies impose this check themselves if required by the
- * policy. Eventually, this should go away.
+ * XXX: Note that this is a redundant privilege check, since policies
+ * impose this check themselves if required by the policy
+ * Eventually, this should go away.
*/
- error = suser_cred(cred, 0);
+ error = priv_check_cred(cred, PRIV_NET_SETIFMAC, 0);
if (error) {
mac_ifnet_label_free(intlabel);
return (error);
}
- MAC_IFNET_LOCK(ifnet);
- MAC_CHECK(check_ifnet_relabel, cred, ifnet, ifnet->if_label,
- intlabel);
+ MAC_IFNET_LOCK(ifp);
+ MAC_CHECK(check_ifnet_relabel, cred, ifp, ifp->if_label, intlabel);
if (error) {
- MAC_IFNET_UNLOCK(ifnet);
+ MAC_IFNET_UNLOCK(ifp);
mac_ifnet_label_free(intlabel);
return (error);
}
- MAC_PERFORM(relabel_ifnet, cred, ifnet, ifnet->if_label, intlabel);
- MAC_IFNET_UNLOCK(ifnet);
+ MAC_PERFORM(relabel_ifnet, cred, ifp, ifp->if_label, intlabel);
+ MAC_IFNET_UNLOCK(ifp);
mac_ifnet_label_free(intlabel);
return (0);
Index: mac_sysv_msg.c
===================================================================
RCS file: /home/cvs/src/sys/security/mac/mac_sysv_msg.c,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -L sys/security/mac/mac_sysv_msg.c -L sys/security/mac/mac_sysv_msg.c -u -r1.1.1.1 -r1.2
--- sys/security/mac/mac_sysv_msg.c
+++ sys/security/mac/mac_sysv_msg.c
@@ -30,7 +30,7 @@
*/
#include <sys/cdefs.h>
-__FBSDID("$FreeBSD: src/sys/security/mac/mac_sysv_msg.c,v 1.2 2005/02/24 16:08:41 rwatson Exp $");
+__FBSDID("$FreeBSD: src/sys/security/mac/mac_sysv_msg.c,v 1.9 2007/02/06 10:59:21 rwatson Exp $");
#include "opt_mac.h"
@@ -39,7 +39,6 @@
#include <sys/lock.h>
#include <sys/malloc.h>
#include <sys/mutex.h>
-#include <sys/mac.h>
#include <sys/sbuf.h>
#include <sys/systm.h>
#include <sys/vnode.h>
@@ -49,23 +48,9 @@
#include <sys/sysctl.h>
#include <sys/msg.h>
-#include <sys/mac_policy.h>
-
+#include <security/mac/mac_framework.h>
#include <security/mac/mac_internal.h>
-
-static int mac_enforce_sysv_msg = 1;
-SYSCTL_INT(_security_mac, OID_AUTO, enforce_sysv_msg, CTLFLAG_RW,
- &mac_enforce_sysv_msg, 0,
- "Enforce MAC policy on System V IPC Message Queues");
-TUNABLE_INT("security.mac.enforce_sysv_msg", &mac_enforce_sysv_msg);
-
-#ifdef MAC_DEBUG
-static unsigned int nmacipcmsgs, nmacipcmsqs;
-SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, ipc_msgs, CTLFLAG_RD,
- &nmacipcmsgs, 0, "number of sysv ipc messages inuse");
-SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, ipc_msqs, CTLFLAG_RD,
- &nmacipcmsqs, 0, "number of sysv ipc message queue identifiers inuse");
-#endif
+#include <security/mac/mac_policy.h>
static struct label *
mac_sysv_msgmsg_label_alloc(void)
@@ -74,7 +59,6 @@
label = mac_labelzone_alloc(M_WAITOK);
MAC_PERFORM(init_sysv_msgmsg_label, label);
- MAC_DEBUG_COUNTER_INC(&nmacipcmsgs);
return (label);
}
@@ -92,7 +76,6 @@
label = mac_labelzone_alloc(M_WAITOK);
MAC_PERFORM(init_sysv_msgqueue_label, label);
- MAC_DEBUG_COUNTER_INC(&nmacipcmsqs);
return (label);
}
@@ -109,7 +92,6 @@
MAC_PERFORM(destroy_sysv_msgmsg_label, label);
mac_labelzone_free(label);
- MAC_DEBUG_COUNTER_DEC(&nmacipcmsgs);
}
void
@@ -126,7 +108,6 @@
MAC_PERFORM(destroy_sysv_msgqueue_label, label);
mac_labelzone_free(label);
- MAC_DEBUG_COUNTER_DEC(&nmacipcmsqs);
}
void
@@ -138,18 +119,18 @@
}
void
-mac_create_sysv_msgmsg(struct ucred *cred, struct msqid_kernel *msqkptr,
+mac_create_sysv_msgmsg(struct ucred *cred, struct msqid_kernel *msqkptr,
struct msg *msgptr)
{
-
- MAC_PERFORM(create_sysv_msgmsg, cred, msqkptr, msqkptr->label,
+
+ MAC_PERFORM(create_sysv_msgmsg, cred, msqkptr, msqkptr->label,
msgptr, msgptr->label);
}
void
mac_create_sysv_msgqueue(struct ucred *cred, struct msqid_kernel *msqkptr)
{
-
+
MAC_PERFORM(create_sysv_msgqueue, cred, msqkptr, msqkptr->label);
}
@@ -163,7 +144,7 @@
void
mac_cleanup_sysv_msgqueue(struct msqid_kernel *msqkptr)
{
-
+
MAC_PERFORM(cleanup_sysv_msgqueue, msqkptr->label);
}
@@ -173,13 +154,10 @@
{
int error;
- if (!mac_enforce_sysv_msg)
- return (0);
-
MAC_CHECK(check_sysv_msgmsq, cred, msgptr, msgptr->label, msqkptr,
msqkptr->label);
- return(error);
+ return (error);
}
int
@@ -187,12 +165,9 @@
{
int error;
- if (!mac_enforce_sysv_msg)
- return (0);
-
MAC_CHECK(check_sysv_msgrcv, cred, msgptr, msgptr->label);
- return(error);
+ return (error);
}
int
@@ -200,12 +175,9 @@
{
int error;
- if (!mac_enforce_sysv_msg)
- return (0);
-
MAC_CHECK(check_sysv_msgrmid, cred, msgptr, msgptr->label);
- return(error);
+ return (error);
}
int
@@ -213,12 +185,9 @@
{
int error;
- if (!mac_enforce_sysv_msg)
- return (0);
-
MAC_CHECK(check_sysv_msqget, cred, msqkptr, msqkptr->label);
- return(error);
+ return (error);
}
int
@@ -226,12 +195,9 @@
{
int error;
- if (!mac_enforce_sysv_msg)
- return (0);
-
MAC_CHECK(check_sysv_msqsnd, cred, msqkptr, msqkptr->label);
- return(error);
+ return (error);
}
int
@@ -239,12 +205,9 @@
{
int error;
- if (!mac_enforce_sysv_msg)
- return (0);
-
MAC_CHECK(check_sysv_msqrcv, cred, msqkptr, msqkptr->label);
- return(error);
+ return (error);
}
int
@@ -253,10 +216,7 @@
{
int error;
- if (!mac_enforce_sysv_msg)
- return (0);
-
MAC_CHECK(check_sysv_msqctl, cred, msqkptr, msqkptr->label, cmd);
- return(error);
+ return (error);
}
Index: mac_posix_sem.c
===================================================================
RCS file: /home/cvs/src/sys/security/mac/mac_posix_sem.c,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -L sys/security/mac/mac_posix_sem.c -L sys/security/mac/mac_posix_sem.c -u -r1.1.1.1 -r1.2
--- sys/security/mac/mac_posix_sem.c
+++ sys/security/mac/mac_posix_sem.c
@@ -30,35 +30,22 @@
*/
#include <sys/cdefs.h>
-__FBSDID("$FreeBSD: src/sys/security/mac/mac_posix_sem.c,v 1.1 2005/05/04 10:39:14 rwatson Exp $");
+__FBSDID("$FreeBSD: src/sys/security/mac/mac_posix_sem.c,v 1.9.2.2 2007/12/21 14:32:04 rwatson Exp $");
#include "opt_mac.h"
#include "opt_posix.h"
#include <sys/param.h>
#include <sys/kernel.h>
+#include <sys/ksem.h>
#include <sys/malloc.h>
-#include <sys/mac.h>
#include <sys/module.h>
#include <sys/systm.h>
#include <sys/sysctl.h>
-#include <posix4/ksem.h>
-
-#include <sys/mac_policy.h>
-
+#include <security/mac/mac_framework.h>
#include <security/mac/mac_internal.h>
-
-static int mac_enforce_posix_sem = 1;
-SYSCTL_INT(_security_mac, OID_AUTO, enforce_posix_sem, CTLFLAG_RW,
- &mac_enforce_posix_sem, 0, "Enforce MAC policy on global POSIX semaphores");
-TUNABLE_INT("security.mac.enforce_posix_sem", &mac_enforce_posix_sem);
-
-#ifdef MAC_DEBUG
-static unsigned int nmacposixsems;
-SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, posix_sems, CTLFLAG_RD,
- &nmacposixsems, 0, "number of posix global semaphores inuse");
-#endif
+#include <security/mac/mac_policy.h>
static struct label *
mac_posix_sem_label_alloc(void)
@@ -67,15 +54,14 @@
label = mac_labelzone_alloc(M_WAITOK);
MAC_PERFORM(init_posix_sem_label, label);
- MAC_DEBUG_COUNTER_INC(&nmacposixsems);
return (label);
}
-void
-mac_init_posix_sem(struct ksem *ksemptr)
+void
+mac_init_posix_sem(struct ksem *ks)
{
- ksemptr->ks_label = mac_posix_sem_label_alloc();
+ ks->ks_label = mac_posix_sem_label_alloc();
}
static void
@@ -83,99 +69,80 @@
{
MAC_PERFORM(destroy_posix_sem_label, label);
- MAC_DEBUG_COUNTER_DEC(&nmacposixsems);
+ mac_labelzone_free(label);
}
void
-mac_destroy_posix_sem(struct ksem *ksemptr)
+mac_destroy_posix_sem(struct ksem *ks)
{
- mac_posix_sem_label_free(ksemptr->ks_label);
- ksemptr->ks_label = NULL;
+ mac_posix_sem_label_free(ks->ks_label);
+ ks->ks_label = NULL;
}
-void
-mac_create_posix_sem(struct ucred *cred, struct ksem *ksemptr)
+void
+mac_create_posix_sem(struct ucred *cred, struct ksem *ks)
{
- MAC_PERFORM(create_posix_sem, cred, ksemptr, ksemptr->ks_label);
+ MAC_PERFORM(create_posix_sem, cred, ks, ks->ks_label);
}
int
-mac_check_posix_sem_destroy(struct ucred *cred, struct ksem *ksemptr)
+mac_check_posix_sem_destroy(struct ucred *cred, struct ksem *ks)
{
int error;
- if (!mac_enforce_posix_sem)
- return (0);
-
- MAC_CHECK(check_posix_sem_destroy, cred, ksemptr, ksemptr->ks_label);
+ MAC_CHECK(check_posix_sem_destroy, cred, ks, ks->ks_label);
- return(error);
+ return (error);
}
int
-mac_check_posix_sem_open(struct ucred *cred, struct ksem *ksemptr)
+mac_check_posix_sem_open(struct ucred *cred, struct ksem *ks)
{
int error;
- if (!mac_enforce_posix_sem)
- return (0);
+ MAC_CHECK(check_posix_sem_open, cred, ks, ks->ks_label);
- MAC_CHECK(check_posix_sem_open, cred, ksemptr, ksemptr->ks_label);
-
- return(error);
+ return (error);
}
int
-mac_check_posix_sem_getvalue(struct ucred *cred, struct ksem *ksemptr)
+mac_check_posix_sem_getvalue(struct ucred *cred, struct ksem *ks)
{
int error;
- if (!mac_enforce_posix_sem)
- return (0);
-
- MAC_CHECK(check_posix_sem_getvalue, cred, ksemptr,
- ksemptr->ks_label);
+ MAC_CHECK(check_posix_sem_getvalue, cred, ks, ks->ks_label);
- return(error);
+ return (error);
}
int
-mac_check_posix_sem_post(struct ucred *cred, struct ksem *ksemptr)
+mac_check_posix_sem_post(struct ucred *cred, struct ksem *ks)
{
int error;
- if (!mac_enforce_posix_sem)
- return (0);
-
- MAC_CHECK(check_posix_sem_post, cred, ksemptr, ksemptr->ks_label);
+ MAC_CHECK(check_posix_sem_post, cred, ks, ks->ks_label);
- return(error);
+ return (error);
}
int
-mac_check_posix_sem_unlink(struct ucred *cred, struct ksem *ksemptr)
+mac_check_posix_sem_unlink(struct ucred *cred, struct ksem *ks)
{
int error;
- if (!mac_enforce_posix_sem)
- return (0);
+ MAC_CHECK(check_posix_sem_unlink, cred, ks, ks->ks_label);
- MAC_CHECK(check_posix_sem_unlink, cred, ksemptr, ksemptr->ks_label);
-
- return(error);
+ return (error);
}
int
-mac_check_posix_sem_wait(struct ucred *cred, struct ksem *ksemptr)
+mac_check_posix_sem_wait(struct ucred *cred, struct ksem *ks)
{
int error;
- if (!mac_enforce_posix_sem)
- return (0);
-
- MAC_CHECK(check_posix_sem_wait, cred, ksemptr, ksemptr->ks_label);
+ MAC_CHECK(check_posix_sem_wait, cred, ks, ks->ks_label);
- return(error);
+ return (error);
}
Index: mac_socket.c
===================================================================
RCS file: /home/cvs/src/sys/security/mac/mac_socket.c,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -L sys/security/mac/mac_socket.c -L sys/security/mac/mac_socket.c -u -r1.1.1.1 -r1.2
--- sys/security/mac/mac_socket.c
+++ sys/security/mac/mac_socket.c
@@ -12,7 +12,7 @@
* Research, the Technology Research Division of Network Associates, Inc.
* under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
* DARPA CHATS research program.
- *
+ *
* This software was enhanced by SPARTA ISSO under SPAWAR contract
* N66001-04-C-6019 ("SEFOS").
*
@@ -39,7 +39,7 @@
*/
#include <sys/cdefs.h>
-__FBSDID("$FreeBSD: src/sys/security/mac/mac_socket.c,v 1.4 2005/07/05 22:49:09 rwatson Exp $");
+__FBSDID("$FreeBSD: src/sys/security/mac/mac_socket.c,v 1.10 2007/04/22 19:55:56 rwatson Exp $");
#include "opt_mac.h"
@@ -59,8 +59,6 @@
#include <sys/socketvar.h>
#include <sys/sysctl.h>
-#include <sys/mac_policy.h>
-
#include <net/bpfdesc.h>
#include <net/if.h>
#include <net/if_var.h>
@@ -69,23 +67,22 @@
#include <netinet/in_pcb.h>
#include <netinet/ip_var.h>
+#include <security/mac/mac_framework.h>
#include <security/mac/mac_internal.h>
+#include <security/mac/mac_policy.h>
/*
- * mac_enforce_socket is used by the inet code when delivering to an inpcb
- * without hitting the socket layer, and has to be non-static for now.
+ * Currently, sockets hold two labels: the label of the socket itself, and a
+ * peer label, which may be used by policies to hold a copy of the label of
+ * any remote endpoint.
+ *
+ * Possibly, this peer label should be maintained at the protocol layer
+ * (inpcb, unpcb, etc), as this would allow protocol-aware code to maintain
+ * the label consistently. For example, it might be copied live from a
+ * remote socket for UNIX domain sockets rather than keeping a local copy on
+ * this endpoint, but be cached and updated based on packets received for
+ * TCP/IP.
*/
-int mac_enforce_socket = 1;
-SYSCTL_INT(_security_mac, OID_AUTO, enforce_socket, CTLFLAG_RW,
- &mac_enforce_socket, 0, "Enforce MAC policy on socket operations");
-TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket);
-
-#ifdef MAC_DEBUG
-static unsigned int nmacsockets;
-
-SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, sockets, CTLFLAG_RD,
- &nmacsockets, 0, "number of sockets in use");
-#endif
struct label *
mac_socket_label_alloc(int flag)
@@ -103,7 +100,6 @@
mac_labelzone_free(label);
return (NULL);
}
- MAC_DEBUG_COUNTER_INC(&nmacsockets);
return (label);
}
@@ -123,7 +119,6 @@
mac_labelzone_free(label);
return (NULL);
}
- MAC_DEBUG_COUNTER_INC(&nmacsockets);
return (label);
}
@@ -149,7 +144,6 @@
MAC_PERFORM(destroy_socket_label, label);
mac_labelzone_free(label);
- MAC_DEBUG_COUNTER_DEC(&nmacsockets);
}
static void
@@ -158,17 +152,16 @@
MAC_PERFORM(destroy_socket_peer_label, label);
mac_labelzone_free(label);
- MAC_DEBUG_COUNTER_DEC(&nmacsockets);
}
void
-mac_destroy_socket(struct socket *socket)
+mac_destroy_socket(struct socket *so)
{
- mac_socket_label_free(socket->so_label);
- socket->so_label = NULL;
- mac_socket_peer_label_free(socket->so_peerlabel);
- socket->so_peerlabel = NULL;
+ mac_socket_label_free(so->so_label);
+ so->so_label = NULL;
+ mac_socket_peer_label_free(so->so_peerlabel);
+ so->so_peerlabel = NULL;
}
void
@@ -211,164 +204,142 @@
}
void
-mac_create_socket(struct ucred *cred, struct socket *socket)
+mac_create_socket(struct ucred *cred, struct socket *so)
{
- MAC_PERFORM(create_socket, cred, socket, socket->so_label);
+ MAC_PERFORM(create_socket, cred, so, so->so_label);
}
void
-mac_create_socket_from_socket(struct socket *oldsocket,
- struct socket *newsocket)
+mac_create_socket_from_socket(struct socket *oldso, struct socket *newso)
{
- SOCK_LOCK_ASSERT(oldsocket);
- MAC_PERFORM(create_socket_from_socket, oldsocket, oldsocket->so_label,
- newsocket, newsocket->so_label);
+ SOCK_LOCK_ASSERT(oldso);
+
+ MAC_PERFORM(create_socket_from_socket, oldso, oldso->so_label, newso,
+ newso->so_label);
}
static void
-mac_relabel_socket(struct ucred *cred, struct socket *socket,
+mac_relabel_socket(struct ucred *cred, struct socket *so,
struct label *newlabel)
{
- SOCK_LOCK_ASSERT(socket);
- MAC_PERFORM(relabel_socket, cred, socket, socket->so_label, newlabel);
+ SOCK_LOCK_ASSERT(so);
+
+ MAC_PERFORM(relabel_socket, cred, so, so->so_label, newlabel);
}
void
-mac_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct socket *socket)
+mac_set_socket_peer_from_mbuf(struct mbuf *m, struct socket *so)
{
struct label *label;
- SOCK_LOCK_ASSERT(socket);
+ SOCK_LOCK_ASSERT(so);
- label = mac_mbuf_to_label(mbuf);
+ label = mac_mbuf_to_label(m);
- MAC_PERFORM(set_socket_peer_from_mbuf, mbuf, label, socket,
- socket->so_peerlabel);
+ MAC_PERFORM(set_socket_peer_from_mbuf, m, label, so,
+ so->so_peerlabel);
}
void
-mac_set_socket_peer_from_socket(struct socket *oldsocket,
- struct socket *newsocket)
+mac_set_socket_peer_from_socket(struct socket *oldso, struct socket *newso)
{
/*
- * XXXRW: only hold the socket lock on one at a time, as one
- * socket is the original, and one is the new. However, it's
- * called in both directions, so we can't assert the lock
- * here currently.
+ * XXXRW: only hold the socket lock on one at a time, as one socket
+ * is the original, and one is the new. However, it's called in both
+ * directions, so we can't assert the lock here currently.
*/
- MAC_PERFORM(set_socket_peer_from_socket, oldsocket,
- oldsocket->so_label, newsocket, newsocket->so_peerlabel);
+ MAC_PERFORM(set_socket_peer_from_socket, oldso, oldso->so_label,
+ newso, newso->so_peerlabel);
}
void
-mac_create_mbuf_from_socket(struct socket *socket, struct mbuf *mbuf)
+mac_create_mbuf_from_socket(struct socket *so, struct mbuf *m)
{
struct label *label;
- label = mac_mbuf_to_label(mbuf);
+ SOCK_LOCK_ASSERT(so);
+
+ label = mac_mbuf_to_label(m);
- SOCK_LOCK_ASSERT(socket);
- MAC_PERFORM(create_mbuf_from_socket, socket, socket->so_label, mbuf,
- label);
+ MAC_PERFORM(create_mbuf_from_socket, so, so->so_label, m, label);
}
int
-mac_check_socket_accept(struct ucred *cred, struct socket *socket)
+mac_check_socket_accept(struct ucred *cred, struct socket *so)
{
int error;
- SOCK_LOCK_ASSERT(socket);
-
- if (!mac_enforce_socket)
- return (0);
+ SOCK_LOCK_ASSERT(so);
- MAC_CHECK(check_socket_accept, cred, socket, socket->so_label);
+ MAC_CHECK(check_socket_accept, cred, so, so->so_label);
return (error);
}
int
-mac_check_socket_bind(struct ucred *ucred, struct socket *socket,
- struct sockaddr *sockaddr)
+mac_check_socket_bind(struct ucred *ucred, struct socket *so,
+ struct sockaddr *sa)
{
int error;
- SOCK_LOCK_ASSERT(socket);
-
- if (!mac_enforce_socket)
- return (0);
+ SOCK_LOCK_ASSERT(so);
- MAC_CHECK(check_socket_bind, ucred, socket, socket->so_label,
- sockaddr);
+ MAC_CHECK(check_socket_bind, ucred, so, so->so_label, sa);
return (error);
}
int
-mac_check_socket_connect(struct ucred *cred, struct socket *socket,
- struct sockaddr *sockaddr)
+mac_check_socket_connect(struct ucred *cred, struct socket *so,
+ struct sockaddr *sa)
{
int error;
- SOCK_LOCK_ASSERT(socket);
-
- if (!mac_enforce_socket)
- return (0);
+ SOCK_LOCK_ASSERT(so);
- MAC_CHECK(check_socket_connect, cred, socket, socket->so_label,
- sockaddr);
+ MAC_CHECK(check_socket_connect, cred, so, so->so_label, sa);
return (error);
}
int
-mac_check_socket_create(struct ucred *cred, int domain, int type,
- int protocol)
+mac_check_socket_create(struct ucred *cred, int domain, int type, int proto)
{
int error;
- if (!mac_enforce_socket)
- return (0);
-
- MAC_CHECK(check_socket_create, cred, domain, type, protocol);
+ MAC_CHECK(check_socket_create, cred, domain, type, proto);
return (error);
}
int
-mac_check_socket_deliver(struct socket *socket, struct mbuf *mbuf)
+mac_check_socket_deliver(struct socket *so, struct mbuf *m)
{
struct label *label;
int error;
- SOCK_LOCK_ASSERT(socket);
-
- if (!mac_enforce_socket)
- return (0);
+ SOCK_LOCK_ASSERT(so);
- label = mac_mbuf_to_label(mbuf);
+ label = mac_mbuf_to_label(m);
- MAC_CHECK(check_socket_deliver, socket, socket->so_label, mbuf,
- label);
+ MAC_CHECK(check_socket_deliver, so, so->so_label, m, label);
return (error);
}
int
-mac_check_socket_listen(struct ucred *cred, struct socket *socket)
+mac_check_socket_listen(struct ucred *cred, struct socket *so)
{
int error;
- SOCK_LOCK_ASSERT(socket);
+ SOCK_LOCK_ASSERT(so);
- if (!mac_enforce_socket)
- return (0);
+ MAC_CHECK(check_socket_listen, cred, so, so->so_label);
- MAC_CHECK(check_socket_listen, cred, socket, socket->so_label);
return (error);
}
@@ -379,10 +350,8 @@
SOCK_LOCK_ASSERT(so);
- if (!mac_enforce_socket)
- return (0);
-
MAC_CHECK(check_socket_poll, cred, so, so->so_label);
+
return (error);
}
@@ -393,24 +362,20 @@
SOCK_LOCK_ASSERT(so);
- if (!mac_enforce_socket)
- return (0);
-
MAC_CHECK(check_socket_receive, cred, so, so->so_label);
return (error);
}
static int
-mac_check_socket_relabel(struct ucred *cred, struct socket *socket,
+mac_check_socket_relabel(struct ucred *cred, struct socket *so,
struct label *newlabel)
{
int error;
- SOCK_LOCK_ASSERT(socket);
+ SOCK_LOCK_ASSERT(so);
- MAC_CHECK(check_socket_relabel, cred, socket, socket->so_label,
- newlabel);
+ MAC_CHECK(check_socket_relabel, cred, so, so->so_label, newlabel);
return (error);
}
@@ -422,9 +387,6 @@
SOCK_LOCK_ASSERT(so);
- if (!mac_enforce_socket)
- return (0);
-
MAC_CHECK(check_socket_send, cred, so, so->so_label);
return (error);
@@ -437,25 +399,19 @@
SOCK_LOCK_ASSERT(so);
- if (!mac_enforce_socket)
- return (0);
-
MAC_CHECK(check_socket_stat, cred, so, so->so_label);
return (error);
}
int
-mac_check_socket_visible(struct ucred *cred, struct socket *socket)
+mac_check_socket_visible(struct ucred *cred, struct socket *so)
{
int error;
- SOCK_LOCK_ASSERT(socket);
-
- if (!mac_enforce_socket)
- return (0);
+ SOCK_LOCK_ASSERT(so);
- MAC_CHECK(check_socket_visible, cred, socket, socket->so_label);
+ MAC_CHECK(check_socket_visible, cred, so, so->so_label);
return (error);
}
@@ -467,13 +423,12 @@
int error;
/*
- * We acquire the socket lock when we perform the test and set,
- * but have to release it as the pcb code needs to acquire the
- * pcb lock, which will precede the socket lock in the lock
- * order. However, this is fine, as any race will simply
- * result in the inpcb being refreshed twice, but still
- * consistently, as the inpcb code will acquire the socket lock
- * before refreshing, holding both locks.
+ * We acquire the socket lock when we perform the test and set, but
+ * have to release it as the pcb code needs to acquire the pcb lock,
+ * which will precede the socket lock in the lock order. However,
+ * this is fine, as any race will simply result in the inpcb being
+ * refreshed twice, but still consistently, as the inpcb code will
+ * acquire the socket lock before refreshing, holding both locks.
*/
SOCK_LOCK(so);
error = mac_check_socket_relabel(cred, so, label);
@@ -484,11 +439,12 @@
mac_relabel_socket(cred, so, label);
SOCK_UNLOCK(so);
+
/*
* If the protocol has expressed interest in socket layer changes,
- * such as if it needs to propagate changes to a cached pcb
- * label from the socket, notify it of the label change while
- * holding the socket lock.
+ * such as if it needs to propagate changes to a cached pcb label
+ * from the socket, notify it of the label change while holding the
+ * socket lock.
*/
if (so->so_proto->pr_usrreqs->pru_sosetlabel != NULL)
(so->so_proto->pr_usrreqs->pru_sosetlabel)(so);
Index: mac_internal.h
===================================================================
RCS file: /home/cvs/src/sys/security/mac/mac_internal.h,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -L sys/security/mac/mac_internal.h -L sys/security/mac/mac_internal.h -u -r1.1.1.1 -r1.2
--- sys/security/mac/mac_internal.h
+++ sys/security/mac/mac_internal.h
@@ -1,7 +1,8 @@
/*-
- * Copyright (c) 1999-2002 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2006 Robert N. M. Watson
* Copyright (c) 2001 Ilmar S. Habibulin
* Copyright (c) 2001-2004 Networks Associates Technology, Inc.
+ * Copyright (c) 2006 nCircle Network Security, Inc.
* All rights reserved.
*
* This software was developed by Robert Watson and Ilmar Habibulin for the
@@ -12,6 +13,9 @@
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
* as part of the DARPA CHATS research program.
*
+ * This software was developed by Robert N. M. Watson for the TrustedBSD
+ * Project under contract to nCircle Network Security, Inc.
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -33,19 +37,21 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $FreeBSD: src/sys/security/mac/mac_internal.h,v 1.112 2004/10/22 11:07:18 rwatson Exp $
+ * $FreeBSD: src/sys/security/mac/mac_internal.h,v 1.121 2007/02/06 14:19:24 rwatson Exp $
*/
+#ifndef _SYS_SECURITY_MAC_MAC_INTERNAL_H_
+#define _SYS_SECURITY_MAC_MAC_INTERNAL_H_
+
+#ifndef _KERNEL
+#error "no user-serviceable parts inside"
+#endif
+
/*
* MAC Framework sysctl namespace.
*/
#ifdef SYSCTL_DECL
-SYSCTL_DECL(_security);
SYSCTL_DECL(_security_mac);
-#ifdef MAC_DEBUG
-SYSCTL_DECL(_security_mac_debug);
-SYSCTL_DECL(_security_mac_debug_counters);
-#endif
#endif /* SYSCTL_DECL */
/*
@@ -57,32 +63,32 @@
#endif
/*
+ * MAC labels -- in-kernel storage format.
+ *
+ * In general, struct label pointers are embedded in kernel data structures
+ * representing objects that may be labeled (and protected). Struct label is
+ * opaque to both kernel services that invoke the MAC Framework and MAC
+ * policy modules. In particular, we do not wish to encode the layout of the
+ * label structure into any ABIs. Historically, the slot array contained
+ * unions of {long, void} but now contains uintptr_t.
+ */
+#define MAC_MAX_SLOTS 4
+#define MAC_FLAG_INITIALIZED 0x0000001 /* Is initialized for use. */
+struct label {
+ int l_flags;
+ intptr_t l_perpolicy[MAC_MAX_SLOTS];
+};
+
+/*
* MAC Framework global variables.
*/
extern struct mac_policy_list_head mac_policy_list;
extern struct mac_policy_list_head mac_static_policy_list;
-extern int mac_late;
-extern int mac_enforce_network;
-extern int mac_enforce_process;
-extern int mac_enforce_socket;
-extern int mac_enforce_vm;
#ifndef MAC_ALWAYS_LABEL_MBUF
extern int mac_labelmbufs;
#endif
/*
- * MAC Framework object/access counter primitives, conditionally
- * compiled.
- */
-#ifdef MAC_DEBUG
-#define MAC_DEBUG_COUNTER_INC(x) atomic_add_int(x, 1);
-#define MAC_DEBUG_COUNTER_DEC(x) atomic_subtract_int(x, 1);
-#else
-#define MAC_DEBUG_COUNTER_INC(x)
-#define MAC_DEBUG_COUNTER_DEC(x)
-#endif
-
-/*
* MAC Framework infrastructure functions.
*/
int mac_error_select(int error1, int error2);
@@ -104,9 +110,8 @@
int mac_allocate_slot(void);
/*
- * MAC Framework per-object type functions. It's not yet clear how
- * the namespaces, etc, should work for these, so for now, sort by
- * object type.
+ * MAC Framework per-object type functions. It's not yet clear how the
+ * namespaces, etc, should work for these, so for now, sort by object type.
*/
struct label *mac_pipe_label_alloc(void);
void mac_pipe_label_free(struct label *label);
@@ -114,7 +119,7 @@
void mac_socket_label_free(struct label *label);
int mac_check_cred_relabel(struct ucred *cred, struct label *newlabel);
-int mac_externalize_cred_label(struct label *label, char *elements,
+int mac_externalize_cred_label(struct label *label, char *elements,
char *outbuf, size_t outbuflen);
int mac_internalize_cred_label(struct label *label, char *string);
void mac_relabel_cred(struct ucred *cred, struct label *newlabel);
@@ -142,9 +147,9 @@
struct ucred *cred);
/*
- * MAC_CHECK performs the designated check by walking the policy module
- * list and checking with each as to how it feels about the request.
- * Note that it returns its value via 'error' in the scope of the caller.
+ * MAC_CHECK performs the designated check by walking the policy module list
+ * and checking with each as to how it feels about the request. Note that it
+ * returns its value via 'error' in the scope of the caller.
*/
#define MAC_CHECK(check, args...) do { \
struct mac_policy_conf *mpc; \
@@ -169,12 +174,41 @@
} while (0)
/*
- * MAC_BOOLEAN performs the designated boolean composition by walking
- * the module list, invoking each instance of the operation, and
- * combining the results using the passed C operator. Note that it
- * returns its value via 'result' in the scope of the caller, which
- * should be initialized by the caller in a meaningful way to get
- * a meaningful result.
+ * MAC_GRANT performs the designated check by walking the policy module list
+ * and checking with each as to how it feels about the request. Unlike
+ * MAC_CHECK, it grants if any policies return '0', and otherwise returns
+ * EPERM. Note that it returns its value via 'error' in the scope of the
+ * caller.
+ */
+#define MAC_GRANT(check, args...) do { \
+ struct mac_policy_conf *mpc; \
+ int entrycount; \
+ \
+ error = EPERM; \
+ LIST_FOREACH(mpc, &mac_static_policy_list, mpc_list) { \
+ if (mpc->mpc_ops->mpo_ ## check != NULL) { \
+ if (mpc->mpc_ops->mpo_ ## check(args) == 0) \
+ error = 0; \
+ } \
+ } \
+ if ((entrycount = mac_policy_list_conditional_busy()) != 0) { \
+ LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { \
+ if (mpc->mpc_ops->mpo_ ## check != NULL) { \
+ if (mpc->mpc_ops->mpo_ ## check (args) \
+ == 0) \
+ error = 0; \
+ } \
+ } \
+ mac_policy_list_unbusy(); \
+ } \
+} while (0)
+
+/*
+ * MAC_BOOLEAN performs the designated boolean composition by walking the
+ * module list, invoking each instance of the operation, and combining the
+ * results using the passed C operator. Note that it returns its value via
+ * 'result' in the scope of the caller, which should be initialized by the
+ * caller in a meaningful way to get a meaningful result.
*/
#define MAC_BOOLEAN(operation, composition, args...) do { \
struct mac_policy_conf *mpc; \
@@ -196,6 +230,13 @@
} \
} while (0)
+/*
+ * MAC_EXTERNALIZE queries each policy to see if it can generate an
+ * externalized version of a label element by name. Policies declare whether
+ * they have matched a particular element name, parsed from the string by
+ * MAC_EXTERNALIZE, and an error is returned if any element is matched by no
+ * policy.
+ */
#define MAC_EXTERNALIZE(type, label, elementlist, outbuf, \
outbuflen) do { \
int claimed, first, ignorenotfound, savedlen; \
@@ -239,6 +280,11 @@
sbuf_finish(&sb); \
} while (0)
+/*
+ * MAC_INTERNALIZE presents parsed element names and data to each policy to
+ * see if any is willing to claim it and internalize the label data. If no
+ * policies match, an error is returned.
+ */
#define MAC_INTERNALIZE(type, label, instring) do { \
char *element, *element_name, *element_data; \
int claimed; \
@@ -266,8 +312,8 @@
} while (0)
/*
- * MAC_PERFORM performs the designated operation by walking the policy
- * module list and invoking that operation for each policy.
+ * MAC_PERFORM performs the designated operation by walking the policy module
+ * list and invoking that operation for each policy.
*/
#define MAC_PERFORM(operation, args...) do { \
struct mac_policy_conf *mpc; \
@@ -285,3 +331,5 @@
mac_policy_list_unbusy(); \
} \
} while (0)
+
+#endif /* !_SYS_SECURITY_MAC_MAC_INTERNAL_H_ */
Index: mac_vfs.c
===================================================================
RCS file: /home/cvs/src/sys/security/mac/mac_vfs.c,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -L sys/security/mac/mac_vfs.c -L sys/security/mac/mac_vfs.c -u -r1.1.1.1 -r1.2
--- sys/security/mac/mac_vfs.c
+++ sys/security/mac/mac_vfs.c
@@ -2,7 +2,7 @@
* Copyright (c) 1999-2002 Robert N. M. Watson
* Copyright (c) 2001 Ilmar S. Habibulin
* Copyright (c) 2001-2005 McAfee, Inc.
- * Copyright (c) 2005 SPARTA, Inc.
+ * Copyright (c) 2005-2006 SPARTA, Inc.
* All rights reserved.
*
* This software was developed by Robert Watson and Ilmar Habibulin for the
@@ -13,7 +13,7 @@
* DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA
* CHATS research program.
*
- * This software was enhanced by SPARTA ISSO under SPAWAR contract
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract
* N66001-04-C-6019 ("SEFOS").
*
* Redistribution and use in source and binary forms, with or without
@@ -39,10 +39,9 @@
*/
#include <sys/cdefs.h>
-__FBSDID("$FreeBSD: src/sys/security/mac/mac_vfs.c,v 1.108.2.2 2005/10/05 10:31:03 rwatson Exp $");
+__FBSDID("$FreeBSD: src/sys/security/mac/mac_vfs.c,v 1.122 2007/09/10 00:00:16 rwatson Exp $");
#include "opt_mac.h"
-#include "opt_devfs.h"
#include <sys/param.h>
#include <sys/condvar.h>
@@ -52,7 +51,6 @@
#include <sys/lock.h>
#include <sys/malloc.h>
#include <sys/mutex.h>
-#include <sys/mac.h>
#include <sys/proc.h>
#include <sys/sbuf.h>
#include <sys/systm.h>
@@ -67,59 +65,36 @@
#include <vm/vm_map.h>
#include <vm/vm_object.h>
-#include <sys/mac_policy.h>
-
#include <fs/devfs/devfs.h>
+#include <security/mac/mac_framework.h>
#include <security/mac/mac_internal.h>
+#include <security/mac/mac_policy.h>
/*
- * Warn about EA transactions only the first time they happen.
- * Weak coherency, no locking.
+ * Warn about EA transactions only the first time they happen. No locking on
+ * this variable.
*/
static int ea_warn_once = 0;
-static int mac_enforce_fs = 1;
-SYSCTL_INT(_security_mac, OID_AUTO, enforce_fs, CTLFLAG_RW,
- &mac_enforce_fs, 0, "Enforce MAC policy on file system objects");
-TUNABLE_INT("security.mac.enforce_fs", &mac_enforce_fs);
-
-#ifdef MAC_DEBUG
-static int mac_debug_label_fallback = 0;
-SYSCTL_INT(_security_mac_debug, OID_AUTO, label_fallback, CTLFLAG_RW,
- &mac_debug_label_fallback, 0, "Filesystems should fall back to fs label"
- "when label is corrupted.");
-TUNABLE_INT("security.mac.debug_label_fallback",
- &mac_debug_label_fallback);
-
-static unsigned int nmacmounts, nmacvnodes, nmacdevfsdirents;
-SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, mounts, CTLFLAG_RD,
- &nmacmounts, 0, "number of mounts in use");
-SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, vnodes, CTLFLAG_RD,
- &nmacvnodes, 0, "number of vnodes in use");
-SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, devfsdirents, CTLFLAG_RD,
- &nmacdevfsdirents, 0, "number of devfs dirents inuse");
-#endif
-
static int mac_setlabel_vnode_extattr(struct ucred *cred,
struct vnode *vp, struct label *intlabel);
static struct label *
-mac_devfsdirent_label_alloc(void)
+mac_devfs_label_alloc(void)
{
struct label *label;
label = mac_labelzone_alloc(M_WAITOK);
- MAC_PERFORM(init_devfsdirent_label, label);
- MAC_DEBUG_COUNTER_INC(&nmacdevfsdirents);
+ MAC_PERFORM(init_devfs_label, label);
return (label);
}
void
-mac_init_devfsdirent(struct devfs_dirent *de)
+mac_init_devfs(struct devfs_dirent *de)
{
- de->de_label = mac_devfsdirent_label_alloc();
+ de->de_label = mac_devfs_label_alloc();
}
static struct label *
@@ -129,18 +104,6 @@
label = mac_labelzone_alloc(M_WAITOK);
MAC_PERFORM(init_mount_label, label);
- MAC_DEBUG_COUNTER_INC(&nmacmounts);
- return (label);
-}
-
-static struct label *
-mac_mount_fs_label_alloc(void)
-{
- struct label *label;
-
- label = mac_labelzone_alloc(M_WAITOK);
- MAC_PERFORM(init_mount_fs_label, label);
- MAC_DEBUG_COUNTER_INC(&nmacmounts);
return (label);
}
@@ -148,8 +111,7 @@
mac_init_mount(struct mount *mp)
{
- mp->mnt_mntlabel = mac_mount_label_alloc();
- mp->mnt_fslabel = mac_mount_fs_label_alloc();
+ mp->mnt_label = mac_mount_label_alloc();
}
struct label *
@@ -159,7 +121,6 @@
label = mac_labelzone_alloc(M_WAITOK);
MAC_PERFORM(init_vnode_label, label);
- MAC_DEBUG_COUNTER_INC(&nmacvnodes);
return (label);
}
@@ -171,19 +132,18 @@
}
static void
-mac_devfsdirent_label_free(struct label *label)
+mac_devfs_label_free(struct label *label)
{
- MAC_PERFORM(destroy_devfsdirent_label, label);
+ MAC_PERFORM(destroy_devfs_label, label);
mac_labelzone_free(label);
- MAC_DEBUG_COUNTER_DEC(&nmacdevfsdirents);
}
void
-mac_destroy_devfsdirent(struct devfs_dirent *de)
+mac_destroy_devfs(struct devfs_dirent *de)
{
- mac_devfsdirent_label_free(de->de_label);
+ mac_devfs_label_free(de->de_label);
de->de_label = NULL;
}
@@ -193,26 +153,14 @@
MAC_PERFORM(destroy_mount_label, label);
mac_labelzone_free(label);
- MAC_DEBUG_COUNTER_DEC(&nmacmounts);
-}
-
-static void
-mac_mount_fs_label_free(struct label *label)
-{
-
- MAC_PERFORM(destroy_mount_fs_label, label);
- mac_labelzone_free(label);
- MAC_DEBUG_COUNTER_DEC(&nmacmounts);
}
void
mac_destroy_mount(struct mount *mp)
{
- mac_mount_fs_label_free(mp->mnt_fslabel);
- mp->mnt_fslabel = NULL;
- mac_mount_label_free(mp->mnt_mntlabel);
- mp->mnt_mntlabel = NULL;
+ mac_mount_label_free(mp->mnt_label);
+ mp->mnt_label = NULL;
}
void
@@ -221,7 +169,6 @@
MAC_PERFORM(destroy_vnode_label, label);
mac_labelzone_free(label);
- MAC_DEBUG_COUNTER_DEC(&nmacvnodes);
}
void
@@ -261,12 +208,10 @@
}
void
-mac_update_devfsdirent(struct mount *mp, struct devfs_dirent *de,
- struct vnode *vp)
+mac_update_devfs(struct mount *mp, struct devfs_dirent *de, struct vnode *vp)
{
- MAC_PERFORM(update_devfsdirent, mp, de, de->de_label, vp,
- vp->v_label);
+ MAC_PERFORM(update_devfs, mp, de, de->de_label, vp, vp->v_label);
}
void
@@ -274,7 +219,7 @@
struct vnode *vp)
{
- MAC_PERFORM(associate_vnode_devfs, mp, mp->mnt_fslabel, de,
+ MAC_PERFORM(associate_vnode_devfs, mp, mp->mnt_label, de,
de->de_label, vp, vp->v_label);
}
@@ -285,7 +230,7 @@
ASSERT_VOP_LOCKED(vp, "mac_associate_vnode_extattr");
- MAC_CHECK(associate_vnode_extattr, mp, mp->mnt_fslabel, vp,
+ MAC_CHECK(associate_vnode_extattr, mp, mp->mnt_label, vp,
vp->v_label);
return (error);
@@ -295,10 +240,19 @@
mac_associate_vnode_singlelabel(struct mount *mp, struct vnode *vp)
{
- MAC_PERFORM(associate_vnode_singlelabel, mp, mp->mnt_fslabel, vp,
+ MAC_PERFORM(associate_vnode_singlelabel, mp, mp->mnt_label, vp,
vp->v_label);
}
+/*
+ * Functions implementing extended-attribute backed labels for file systems
+ * that support it.
+ *
+ * Where possible, we use EA transactions to make writes to multiple
+ * attributes across difference policies mutually atomic. We allow work to
+ * continue on file systems not supporting EA transactions, but generate a
+ * printf warning.
+ */
int
mac_create_vnode_extattr(struct ucred *cred, struct mount *mp,
struct vnode *dvp, struct vnode *vp, struct componentname *cnp)
@@ -310,7 +264,6 @@
error = VOP_OPENEXTATTR(vp, cred, curthread);
if (error == EOPNOTSUPP) {
- /* XXX: Optionally abort if transactions not supported. */
if (ea_warn_once == 0) {
printf("Warning: transactions not supported "
"in EA write.\n");
@@ -319,8 +272,8 @@
} else if (error)
return (error);
- MAC_CHECK(create_vnode_extattr, cred, mp, mp->mnt_fslabel,
- dvp, dvp->v_label, vp, vp->v_label, cnp);
+ MAC_CHECK(create_vnode_extattr, cred, mp, mp->mnt_label, dvp,
+ dvp->v_label, vp, vp->v_label, cnp);
if (error) {
VOP_CLOSEEXTATTR(vp, 0, NOCRED, curthread);
@@ -328,9 +281,8 @@
}
error = VOP_CLOSEEXTATTR(vp, 1, NOCRED, curthread);
-
if (error == EOPNOTSUPP)
- error = 0; /* XXX */
+ error = 0;
return (error);
}
@@ -345,7 +297,6 @@
error = VOP_OPENEXTATTR(vp, cred, curthread);
if (error == EOPNOTSUPP) {
- /* XXX: Optionally abort if transactions not supported. */
if (ea_warn_once == 0) {
printf("Warning: transactions not supported "
"in EA write.\n");
@@ -362,9 +313,8 @@
}
error = VOP_CLOSEEXTATTR(vp, 1, NOCRED, curthread);
-
if (error == EOPNOTSUPP)
- error = 0; /* XXX */
+ error = 0;
return (error);
}
@@ -376,9 +326,6 @@
ASSERT_VOP_LOCKED(vp, "mac_execve_transition");
- if (!mac_enforce_process && !mac_enforce_fs)
- return;
-
MAC_PERFORM(execve_transition, old, new, vp, vp->v_label,
interpvnodelabel, imgp, imgp->execlabel);
}
@@ -391,9 +338,6 @@
ASSERT_VOP_LOCKED(vp, "mac_execve_will_transition");
- if (!mac_enforce_process && !mac_enforce_fs)
- return (0);
-
result = 0;
MAC_BOOLEAN(execve_will_transition, ||, old, vp, vp->v_label,
interpvnodelabel, imgp, imgp->execlabel);
@@ -408,9 +352,6 @@
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_access");
- if (!mac_enforce_fs)
- return (0);
-
MAC_CHECK(check_vnode_access, cred, vp, vp->v_label, acc_mode);
return (error);
}
@@ -422,9 +363,6 @@
ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_chdir");
- if (!mac_enforce_fs)
- return (0);
-
MAC_CHECK(check_vnode_chdir, cred, dvp, dvp->v_label);
return (error);
}
@@ -436,9 +374,6 @@
ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_chroot");
- if (!mac_enforce_fs)
- return (0);
-
MAC_CHECK(check_vnode_chroot, cred, dvp, dvp->v_label);
return (error);
}
@@ -451,31 +386,11 @@
ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_create");
- if (!mac_enforce_fs)
- return (0);
-
MAC_CHECK(check_vnode_create, cred, dvp, dvp->v_label, cnp, vap);
return (error);
}
int
-mac_check_vnode_delete(struct ucred *cred, struct vnode *dvp, struct vnode *vp,
- struct componentname *cnp)
-{
- int error;
-
- ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_delete");
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_delete");
-
- if (!mac_enforce_fs)
- return (0);
-
- MAC_CHECK(check_vnode_delete, cred, dvp, dvp->v_label, vp,
- vp->v_label, cnp);
- return (error);
-}
-
-int
mac_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
acl_type_t type)
{
@@ -483,9 +398,6 @@
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_deleteacl");
- if (!mac_enforce_fs)
- return (0);
-
MAC_CHECK(check_vnode_deleteacl, cred, vp, vp->v_label, type);
return (error);
}
@@ -498,9 +410,6 @@
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_deleteextattr");
- if (!mac_enforce_fs)
- return (0);
-
MAC_CHECK(check_vnode_deleteextattr, cred, vp, vp->v_label,
attrnamespace, name);
return (error);
@@ -514,9 +423,6 @@
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_exec");
- if (!mac_enforce_process && !mac_enforce_fs)
- return (0);
-
MAC_CHECK(check_vnode_exec, cred, vp, vp->v_label, imgp,
imgp->execlabel);
@@ -530,9 +436,6 @@
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_getacl");
- if (!mac_enforce_fs)
- return (0);
-
MAC_CHECK(check_vnode_getacl, cred, vp, vp->v_label, type);
return (error);
}
@@ -545,9 +448,6 @@
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_getextattr");
- if (!mac_enforce_fs)
- return (0);
-
MAC_CHECK(check_vnode_getextattr, cred, vp, vp->v_label,
attrnamespace, name, uio);
return (error);
@@ -562,9 +462,6 @@
ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_link");
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_link");
- if (!mac_enforce_fs)
- return (0);
-
MAC_CHECK(check_vnode_link, cred, dvp, dvp->v_label, vp,
vp->v_label, cnp);
return (error);
@@ -578,9 +475,6 @@
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_listextattr");
- if (!mac_enforce_fs)
- return (0);
-
MAC_CHECK(check_vnode_listextattr, cred, vp, vp->v_label,
attrnamespace);
return (error);
@@ -594,9 +488,6 @@
ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_lookup");
- if (!mac_enforce_fs)
- return (0);
-
MAC_CHECK(check_vnode_lookup, cred, dvp, dvp->v_label, cnp);
return (error);
}
@@ -609,9 +500,6 @@
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_mmap");
- if (!mac_enforce_fs || !mac_enforce_vm)
- return (0);
-
MAC_CHECK(check_vnode_mmap, cred, vp, vp->v_label, prot, flags);
return (error);
}
@@ -623,9 +511,6 @@
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_mmap_downgrade");
- if (!mac_enforce_fs || !mac_enforce_vm)
- return;
-
MAC_PERFORM(check_vnode_mmap_downgrade, cred, vp, vp->v_label,
&result);
@@ -639,9 +524,6 @@
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_mprotect");
- if (!mac_enforce_fs || !mac_enforce_vm)
- return (0);
-
MAC_CHECK(check_vnode_mprotect, cred, vp, vp->v_label, prot);
return (error);
}
@@ -653,9 +535,6 @@
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open");
- if (!mac_enforce_fs)
- return (0);
-
MAC_CHECK(check_vnode_open, cred, vp, vp->v_label, acc_mode);
return (error);
}
@@ -668,9 +547,6 @@
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_poll");
- if (!mac_enforce_fs)
- return (0);
-
MAC_CHECK(check_vnode_poll, active_cred, file_cred, vp,
vp->v_label);
@@ -685,9 +561,6 @@
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_read");
- if (!mac_enforce_fs)
- return (0);
-
MAC_CHECK(check_vnode_read, active_cred, file_cred, vp,
vp->v_label);
@@ -701,9 +574,6 @@
ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_readdir");
- if (!mac_enforce_fs)
- return (0);
-
MAC_CHECK(check_vnode_readdir, cred, dvp, dvp->v_label);
return (error);
}
@@ -715,9 +585,6 @@
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_readlink");
- if (!mac_enforce_fs)
- return (0);
-
MAC_CHECK(check_vnode_readlink, cred, vp, vp->v_label);
return (error);
}
@@ -744,9 +611,6 @@
ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_rename_from");
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_rename_from");
- if (!mac_enforce_fs)
- return (0);
-
MAC_CHECK(check_vnode_rename_from, cred, dvp, dvp->v_label, vp,
vp->v_label, cnp);
return (error);
@@ -761,9 +625,6 @@
ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_rename_to");
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_rename_to");
- if (!mac_enforce_fs)
- return (0);
-
MAC_CHECK(check_vnode_rename_to, cred, dvp, dvp->v_label, vp,
vp != NULL ? vp->v_label : NULL, samedir, cnp);
return (error);
@@ -776,9 +637,6 @@
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_revoke");
- if (!mac_enforce_fs)
- return (0);
-
MAC_CHECK(check_vnode_revoke, cred, vp, vp->v_label);
return (error);
}
@@ -791,9 +649,6 @@
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setacl");
- if (!mac_enforce_fs)
- return (0);
-
MAC_CHECK(check_vnode_setacl, cred, vp, vp->v_label, type, acl);
return (error);
}
@@ -806,9 +661,6 @@
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setextattr");
- if (!mac_enforce_fs)
- return (0);
-
MAC_CHECK(check_vnode_setextattr, cred, vp, vp->v_label,
attrnamespace, name, uio);
return (error);
@@ -821,9 +673,6 @@
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setflags");
- if (!mac_enforce_fs)
- return (0);
-
MAC_CHECK(check_vnode_setflags, cred, vp, vp->v_label, flags);
return (error);
}
@@ -835,9 +684,6 @@
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setmode");
- if (!mac_enforce_fs)
- return (0);
-
MAC_CHECK(check_vnode_setmode, cred, vp, vp->v_label, mode);
return (error);
}
@@ -850,9 +696,6 @@
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setowner");
- if (!mac_enforce_fs)
- return (0);
-
MAC_CHECK(check_vnode_setowner, cred, vp, vp->v_label, uid, gid);
return (error);
}
@@ -865,9 +708,6 @@
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setutimes");
- if (!mac_enforce_fs)
- return (0);
-
MAC_CHECK(check_vnode_setutimes, cred, vp, vp->v_label, atime,
mtime);
return (error);
@@ -881,15 +721,26 @@
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_stat");
- if (!mac_enforce_fs)
- return (0);
-
MAC_CHECK(check_vnode_stat, active_cred, file_cred, vp,
vp->v_label);
return (error);
}
int
+mac_check_vnode_unlink(struct ucred *cred, struct vnode *dvp, struct vnode *vp,
+ struct componentname *cnp)
+{
+ int error;
+
+ ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_unlink");
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_unlink");
+
+ MAC_CHECK(check_vnode_unlink, cred, dvp, dvp->v_label, vp,
+ vp->v_label, cnp);
+ return (error);
+}
+
+int
mac_check_vnode_write(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp)
{
@@ -897,9 +748,6 @@
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_write");
- if (!mac_enforce_fs)
- return (0);
-
MAC_CHECK(check_vnode_write, active_cred, file_cred, vp,
vp->v_label);
@@ -917,8 +765,7 @@
mac_create_mount(struct ucred *cred, struct mount *mp)
{
- MAC_PERFORM(create_mount, cred, mp, mp->mnt_mntlabel,
- mp->mnt_fslabel);
+ MAC_PERFORM(create_mount, cred, mp, mp->mnt_label);
}
int
@@ -926,10 +773,7 @@
{
int error;
- if (!mac_enforce_fs)
- return (0);
-
- MAC_CHECK(check_mount_stat, cred, mount, mount->mnt_mntlabel);
+ MAC_CHECK(check_mount_stat, cred, mount, mount->mnt_label);
return (error);
}
@@ -1003,9 +847,11 @@
/*
* Multi-phase commit. First check the policies to confirm the
- * change is OK. Then commit via the filesystem. Finally,
- * update the actual vnode label. Question: maybe the filesystem
- * should update the vnode at the end as part of VOP_SETLABEL()?
+ * change is OK. Then commit via the filesystem. Finally, update
+ * the actual vnode label.
+ *
+ * Question: maybe the filesystem should update the vnode at the end
+ * as part of VOP_SETLABEL()?
*/
error = mac_check_vnode_relabel(cred, vp, intlabel);
if (error)
@@ -1013,10 +859,10 @@
/*
* VADMIN provides the opportunity for the filesystem to make
- * decisions about who is and is not able to modify labels
- * and protections on files. This might not be right. We can't
- * assume VOP_SETLABEL() will do it, because we might implement
- * that as part of vop_stdsetlabel_ea().
+ * decisions about who is and is not able to modify labels and
+ * protections on files. This might not be right. We can't assume
+ * VOP_SETLABEL() will do it, because we might implement that as
+ * part of vop_stdsetlabel_ea().
*/
error = VOP_ACCESS(vp, VADMIN, cred, curthread);
if (error)
@@ -1028,3 +874,19 @@
return (0);
}
+
+/*
+ * When a thread becomes an NFS server daemon, its credential may need to be
+ * updated to reflect this so that policies can recognize when file system
+ * operations originate from the network.
+ *
+ * At some point, it would be desirable if the credential used for each NFS
+ * RPC could be set based on the RPC context (i.e., source system, etc) to
+ * provide more fine-grained access control.
+ */
+void
+mac_associate_nfsd_label(struct ucred *cred)
+{
+
+ MAC_PERFORM(associate_nfsd_label, cred);
+}
Index: mac_pipe.c
===================================================================
RCS file: /home/cvs/src/sys/security/mac/mac_pipe.c,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -L sys/security/mac/mac_pipe.c -L sys/security/mac/mac_pipe.c -u -r1.1.1.1 -r1.2
--- sys/security/mac/mac_pipe.c
+++ sys/security/mac/mac_pipe.c
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 2002, 2003 Networks Associates Technology, Inc.
+ * Copyright (c) 2002-2003 Networks Associates Technology, Inc.
* All rights reserved.
*
* This software was developed for the FreeBSD Project in part by Network
@@ -30,7 +30,7 @@
*/
#include <sys/cdefs.h>
-__FBSDID("$FreeBSD: src/sys/security/mac/mac_pipe.c,v 1.106 2004/05/30 20:27:19 phk Exp $");
+__FBSDID("$FreeBSD: src/sys/security/mac/mac_pipe.c,v 1.112 2007/04/22 19:55:56 rwatson Exp $");
#include "opt_mac.h"
@@ -40,27 +40,15 @@
#include <sys/malloc.h>
#include <sys/module.h>
#include <sys/mutex.h>
-#include <sys/mac.h>
#include <sys/sbuf.h>
#include <sys/systm.h>
#include <sys/vnode.h>
#include <sys/pipe.h>
#include <sys/sysctl.h>
-#include <sys/mac_policy.h>
-
+#include <security/mac/mac_framework.h>
#include <security/mac/mac_internal.h>
-
-static int mac_enforce_pipe = 1;
-SYSCTL_INT(_security_mac, OID_AUTO, enforce_pipe, CTLFLAG_RW,
- &mac_enforce_pipe, 0, "Enforce MAC policy on pipe operations");
-TUNABLE_INT("security.mac.enforce_pipe", &mac_enforce_pipe);
-
-#ifdef MAC_DEBUG
-static unsigned int nmacpipes;
-SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, pipes, CTLFLAG_RD,
- &nmacpipes, 0, "number of pipes in use");
-#endif
+#include <security/mac/mac_policy.h>
struct label *
mac_pipe_label_alloc(void)
@@ -69,7 +57,6 @@
label = mac_labelzone_alloc(M_WAITOK);
MAC_PERFORM(init_pipe_label, label);
- MAC_DEBUG_COUNTER_INC(&nmacpipes);
return (label);
}
@@ -86,7 +73,6 @@
MAC_PERFORM(destroy_pipe_label, label);
mac_labelzone_free(label);
- MAC_DEBUG_COUNTER_DEC(&nmacpipes);
}
void
@@ -148,9 +134,6 @@
mtx_assert(&pp->pp_mtx, MA_OWNED);
- if (!mac_enforce_pipe)
- return (0);
-
MAC_CHECK(check_pipe_ioctl, cred, pp, pp->pp_label, cmd, data);
return (error);
@@ -163,9 +146,6 @@
mtx_assert(&pp->pp_mtx, MA_OWNED);
- if (!mac_enforce_pipe)
- return (0);
-
MAC_CHECK(check_pipe_poll, cred, pp, pp->pp_label);
return (error);
@@ -178,9 +158,6 @@
mtx_assert(&pp->pp_mtx, MA_OWNED);
- if (!mac_enforce_pipe)
- return (0);
-
MAC_CHECK(check_pipe_read, cred, pp, pp->pp_label);
return (error);
@@ -194,9 +171,6 @@
mtx_assert(&pp->pp_mtx, MA_OWNED);
- if (!mac_enforce_pipe)
- return (0);
-
MAC_CHECK(check_pipe_relabel, cred, pp, pp->pp_label, newlabel);
return (error);
@@ -209,9 +183,6 @@
mtx_assert(&pp->pp_mtx, MA_OWNED);
- if (!mac_enforce_pipe)
- return (0);
-
MAC_CHECK(check_pipe_stat, cred, pp, pp->pp_label);
return (error);
@@ -224,9 +195,6 @@
mtx_assert(&pp->pp_mtx, MA_OWNED);
- if (!mac_enforce_pipe)
- return (0);
-
MAC_CHECK(check_pipe_write, cred, pp, pp->pp_label);
return (error);
Index: mac_sysv_shm.c
===================================================================
RCS file: /home/cvs/src/sys/security/mac/mac_sysv_shm.c,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -L sys/security/mac/mac_sysv_shm.c -L sys/security/mac/mac_sysv_shm.c -u -r1.1.1.1 -r1.2
--- sys/security/mac/mac_sysv_shm.c
+++ sys/security/mac/mac_sysv_shm.c
@@ -30,7 +30,7 @@
*/
#include <sys/cdefs.h>
-__FBSDID("$FreeBSD: src/sys/security/mac/mac_sysv_shm.c,v 1.1 2004/11/17 13:14:24 rwatson Exp $");
+__FBSDID("$FreeBSD: src/sys/security/mac/mac_sysv_shm.c,v 1.7 2007/02/06 10:59:21 rwatson Exp $");
#include "opt_mac.h"
@@ -39,7 +39,6 @@
#include <sys/lock.h>
#include <sys/malloc.h>
#include <sys/mutex.h>
-#include <sys/mac.h>
#include <sys/sbuf.h>
#include <sys/systm.h>
#include <sys/vnode.h>
@@ -49,21 +48,9 @@
#include <sys/sysctl.h>
#include <sys/shm.h>
-#include <sys/mac_policy.h>
-
+#include <security/mac/mac_framework.h>
#include <security/mac/mac_internal.h>
-
-static int mac_enforce_sysv_shm = 1;
-SYSCTL_INT(_security_mac, OID_AUTO, enforce_sysv_shm, CTLFLAG_RW,
- &mac_enforce_sysv_shm, 0,
- "Enforce MAC policy on System V IPC shared memory");
-TUNABLE_INT("security.mac.enforce_sysv", &mac_enforce_sysv_shm);
-
-#ifdef MAC_DEBUG
-static unsigned int nmacipcshms;
-SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, ipc_shms, CTLFLAG_RD,
- &nmacipcshms, 0, "number of sysv ipc shm identifiers inuse");
-#endif
+#include <security/mac/mac_policy.h>
static struct label *
mac_sysv_shm_label_alloc(void)
@@ -72,7 +59,6 @@
label = mac_labelzone_alloc(M_WAITOK);
MAC_PERFORM(init_sysv_shm_label, label);
- MAC_DEBUG_COUNTER_INC(&nmacipcshms);
return (label);
}
@@ -89,7 +75,6 @@
MAC_PERFORM(destroy_sysv_shm_label, label);
mac_labelzone_free(label);
- MAC_DEBUG_COUNTER_DEC(&nmacipcshms);
}
void
@@ -120,13 +105,10 @@
{
int error;
- if (!mac_enforce_sysv_shm)
- return (0);
-
MAC_CHECK(check_sysv_shmat, cred, shmsegptr, shmsegptr->label,
shmflg);
- return(error);
+ return (error);
}
int
@@ -135,13 +117,10 @@
{
int error;
- if (!mac_enforce_sysv_shm)
- return (0);
-
MAC_CHECK(check_sysv_shmctl, cred, shmsegptr, shmsegptr->label,
cmd);
- return(error);
+ return (error);
}
int
@@ -149,12 +128,9 @@
{
int error;
- if (!mac_enforce_sysv_shm)
- return (0);
-
MAC_CHECK(check_sysv_shmdt, cred, shmsegptr, shmsegptr->label);
- return(error);
+ return (error);
}
int
@@ -163,11 +139,8 @@
{
int error;
- if (!mac_enforce_sysv_shm)
- return (0);
-
MAC_CHECK(check_sysv_shmget, cred, shmsegptr, shmsegptr->label,
shmflg);
- return(error);
+ return (error);
}
More information about the Midnightbsd-cvs
mailing list