[Midnightbsd-cvs] src: security/mac_mls: update MAC
laffer1 at midnightbsd.org
laffer1 at midnightbsd.org
Fri Sep 12 21:34:15 EDT 2008
Log Message:
-----------
update MAC
Modified Files:
--------------
src/sys/security/mac_biba:
mac_biba.c (r1.1.1.2 -> r1.2)
src/sys/security/mac_bsdextended:
mac_bsdextended.c (r1.1.1.2 -> r1.2)
mac_bsdextended.h (r1.1.1.1 -> r1.2)
src/sys/security/mac_ifoff:
mac_ifoff.c (r1.1.1.1 -> r1.2)
src/sys/security/mac_lomac:
mac_lomac.c (r1.1.1.1 -> r1.2)
src/sys/security/mac_mls:
mac_mls.c (r1.1.1.1 -> r1.2)
src/sys/security/mac_none:
mac_none.c (r1.1.1.1 -> r1.2)
src/sys/security/mac_partition:
mac_partition.c (r1.1.1.1 -> r1.2)
src/sys/security/mac_portacl:
mac_portacl.c (r1.1.1.1 -> r1.2)
src/sys/security/mac_seeotheruids:
mac_seeotheruids.c (r1.1.1.1 -> r1.2)
src/sys/security/mac_stub:
mac_stub.c (r1.1.1.1 -> r1.2)
src/sys/security/mac_test:
mac_test.c (r1.1.1.1 -> r1.2)
Index: mac_biba.c
===================================================================
RCS file: /home/cvs/src/sys/security/mac_biba/mac_biba.c,v
retrieving revision 1.1.1.2
retrieving revision 1.2
diff -L sys/security/mac_biba/mac_biba.c -L sys/security/mac_biba/mac_biba.c -u -r1.1.1.2 -r1.2
--- sys/security/mac_biba/mac_biba.c
+++ sys/security/mac_biba/mac_biba.c
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 1999-2002 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2007 Robert N. M. Watson
* Copyright (c) 2001-2005 McAfee, Inc.
* All rights reserved.
*
@@ -31,24 +31,24 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $FreeBSD: src/sys/security/mac_biba/mac_biba.c,v 1.87.2.4 2006/01/24 04:10:25 csjp Exp $
+ * $FreeBSD: src/sys/security/mac_biba/mac_biba.c,v 1.107.2.1 2007/11/06 14:46:58 rwatson Exp $
*/
/*
* Developed by the TrustedBSD Project.
+ *
* Biba fixed label mandatory integrity policy.
*/
-#include <sys/types.h>
#include <sys/param.h>
-#include <sys/acl.h>
#include <sys/conf.h>
#include <sys/extattr.h>
#include <sys/kernel.h>
-#include <sys/mac.h>
+#include <sys/ksem.h>
#include <sys/malloc.h>
#include <sys/mman.h>
#include <sys/mount.h>
+#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/sbuf.h>
#include <sys/systm.h>
@@ -66,8 +66,6 @@
#include <sys/sem.h>
#include <sys/shm.h>
-#include <posix4/ksem.h>
-
#include <fs/devfs/devfs.h>
#include <net/bpfdesc.h>
@@ -82,8 +80,7 @@
#include <vm/uma.h>
#include <vm/vm.h>
-#include <sys/mac_policy.h>
-
+#include <security/mac/mac_policy.h>
#include <security/mac_biba/mac_biba.h>
SYSCTL_DECL(_security_mac);
@@ -135,8 +132,8 @@
TUNABLE_INT("security.mac.biba.revocation_enabled", &revocation_enabled);
static int mac_biba_slot;
-#define SLOT(l) ((struct mac_biba *)LABEL_TO_SLOT((l), mac_biba_slot).l_ptr)
-#define SLOT_SET(l, val) (LABEL_TO_SLOT((l), mac_biba_slot).l_ptr = (val))
+#define SLOT(l) ((struct mac_biba *)mac_label_get((l), mac_biba_slot))
+#define SLOT_SET(l, val) mac_label_set((l), mac_biba_slot, (uintptr_t)(val))
static uma_zone_t zone_biba;
@@ -787,12 +784,12 @@
*/
static void
mac_biba_create_devfs_device(struct ucred *cred, struct mount *mp,
- struct cdev *dev, struct devfs_dirent *devfs_dirent, struct label *label)
+ struct cdev *dev, struct devfs_dirent *de, struct label *delabel)
{
struct mac_biba *mac_biba;
int biba_type;
- mac_biba = SLOT(label);
+ mac_biba = SLOT(delabel);
if (strcmp(dev->si_name, "null") == 0 ||
strcmp(dev->si_name, "zero") == 0 ||
strcmp(dev->si_name, "random") == 0 ||
@@ -809,11 +806,11 @@
static void
mac_biba_create_devfs_directory(struct mount *mp, char *dirname,
- int dirnamelen, struct devfs_dirent *devfs_dirent, struct label *label)
+ int dirnamelen, struct devfs_dirent *de, struct label *delabel)
{
struct mac_biba *mac_biba;
- mac_biba = SLOT(label);
+ mac_biba = SLOT(delabel);
mac_biba_set_effective(mac_biba, MAC_BIBA_TYPE_HIGH, 0, NULL);
}
@@ -832,64 +829,61 @@
static void
mac_biba_create_mount(struct ucred *cred, struct mount *mp,
- struct label *mntlabel, struct label *fslabel)
+ struct label *mplabel)
{
struct mac_biba *source, *dest;
source = SLOT(cred->cr_label);
- dest = SLOT(mntlabel);
- mac_biba_copy_effective(source, dest);
- dest = SLOT(fslabel);
+ dest = SLOT(mplabel);
mac_biba_copy_effective(source, dest);
}
static void
mac_biba_relabel_vnode(struct ucred *cred, struct vnode *vp,
- struct label *vnodelabel, struct label *label)
+ struct label *vplabel, struct label *newlabel)
{
struct mac_biba *source, *dest;
- source = SLOT(label);
- dest = SLOT(vnodelabel);
+ source = SLOT(newlabel);
+ dest = SLOT(vplabel);
mac_biba_copy(source, dest);
}
static void
-mac_biba_update_devfsdirent(struct mount *mp,
- struct devfs_dirent *devfs_dirent, struct label *direntlabel,
- struct vnode *vp, struct label *vnodelabel)
+mac_biba_update_devfs(struct mount *mp, struct devfs_dirent *de,
+ struct label *delabel, struct vnode *vp, struct label *vplabel)
{
struct mac_biba *source, *dest;
- source = SLOT(vnodelabel);
- dest = SLOT(direntlabel);
+ source = SLOT(vplabel);
+ dest = SLOT(delabel);
mac_biba_copy(source, dest);
}
static void
-mac_biba_associate_vnode_devfs(struct mount *mp, struct label *fslabel,
+mac_biba_associate_vnode_devfs(struct mount *mp, struct label *mntlabel,
struct devfs_dirent *de, struct label *delabel, struct vnode *vp,
- struct label *vlabel)
+ struct label *vplabel)
{
struct mac_biba *source, *dest;
source = SLOT(delabel);
- dest = SLOT(vlabel);
+ dest = SLOT(vplabel);
mac_biba_copy_effective(source, dest);
}
static int
-mac_biba_associate_vnode_extattr(struct mount *mp, struct label *fslabel,
- struct vnode *vp, struct label *vlabel)
+mac_biba_associate_vnode_extattr(struct mount *mp, struct label *mplabel,
+ struct vnode *vp, struct label *vplabel)
{
struct mac_biba temp, *source, *dest;
int buflen, error;
- source = SLOT(fslabel);
- dest = SLOT(vlabel);
+ source = SLOT(mplabel);
+ dest = SLOT(vplabel);
buflen = sizeof(temp);
bzero(&temp, buflen);
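Review bot: The mount label parameter of mac_biba_associate_vnode_devfs is renamed to `mntlabel` while every sibling in this hunk (mac_biba_create_mount, mac_biba_associate_vnode_extattr, mac_biba_associate_vnode_singlelabel) now uses `mplabel`; for consistency the signature should read `mac_biba_associate_vnode_devfs(struct mount *mp, struct label *mplabel,`. The same mismatch carries into the next hunk, where the comment `/* Fall back to the mntlabel. */` names a parameter that no longer exists in mac_biba_associate_vnode_extattr and should read `/* Fall back to the mplabel. */`. The body of mac_biba_associate_vnode_extattr continues past the end of this hunk.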
@@ -897,7 +891,7 @@
error = vn_extattr_get(vp, IO_NODELOCKED, MAC_BIBA_EXTATTR_NAMESPACE,
MAC_BIBA_EXTATTR_NAME, &buflen, (char *) &temp, curthread);
if (error == ENOATTR || error == EOPNOTSUPP) {
- /* Fall back to the fslabel. */
+ /* Fall back to the mntlabel. */
mac_biba_copy_effective(source, dest);
return (0);
} else if (error)
@@ -923,20 +917,20 @@
static void
mac_biba_associate_vnode_singlelabel(struct mount *mp,
- struct label *fslabel, struct vnode *vp, struct label *vlabel)
+ struct label *mplabel, struct vnode *vp, struct label *vplabel)
{
struct mac_biba *source, *dest;
- source = SLOT(fslabel);
- dest = SLOT(vlabel);
+ source = SLOT(mplabel);
+ dest = SLOT(vplabel);
mac_biba_copy_effective(source, dest);
}
static int
mac_biba_create_vnode_extattr(struct ucred *cred, struct mount *mp,
- struct label *fslabel, struct vnode *dvp, struct label *dlabel,
- struct vnode *vp, struct label *vlabel, struct componentname *cnp)
+ struct label *mplabel, struct vnode *dvp, struct label *dvplabel,
+ struct vnode *vp, struct label *vplabel, struct componentname *cnp)
{
struct mac_biba *source, *dest, temp;
size_t buflen;
@@ -946,7 +940,7 @@
bzero(&temp, buflen);
source = SLOT(cred->cr_label);
- dest = SLOT(vlabel);
+ dest = SLOT(vplabel);
mac_biba_copy_effective(source, &temp);
error = vn_extattr_set(vp, IO_NODELOCKED, MAC_BIBA_EXTATTR_NAMESPACE,
@@ -958,7 +952,7 @@
static int
mac_biba_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
- struct label *vlabel, struct label *intlabel)
+ struct label *vplabel, struct label *intlabel)
{
struct mac_biba *source, temp;
size_t buflen;
@@ -994,98 +988,97 @@
}
static void
-mac_biba_create_mbuf_from_socket(struct socket *so, struct label *socketlabel,
- struct mbuf *m, struct label *mbuflabel)
+mac_biba_create_mbuf_from_socket(struct socket *so, struct label *solabel,
+ struct mbuf *m, struct label *mlabel)
{
struct mac_biba *source, *dest;
- source = SLOT(socketlabel);
- dest = SLOT(mbuflabel);
+ source = SLOT(solabel);
+ dest = SLOT(mlabel);
mac_biba_copy_effective(source, dest);
}
static void
-mac_biba_create_socket(struct ucred *cred, struct socket *socket,
- struct label *socketlabel)
+mac_biba_create_socket(struct ucred *cred, struct socket *so,
+ struct label *solabel)
{
struct mac_biba *source, *dest;
source = SLOT(cred->cr_label);
- dest = SLOT(socketlabel);
+ dest = SLOT(solabel);
mac_biba_copy_effective(source, dest);
}
static void
mac_biba_create_pipe(struct ucred *cred, struct pipepair *pp,
- struct label *pipelabel)
+ struct label *pplabel)
{
struct mac_biba *source, *dest;
source = SLOT(cred->cr_label);
- dest = SLOT(pipelabel);
+ dest = SLOT(pplabel);
mac_biba_copy_effective(source, dest);
}
static void
-mac_biba_create_posix_sem(struct ucred *cred, struct ksem *ksemptr,
- struct label *ks_label)
+mac_biba_create_posix_sem(struct ucred *cred, struct ksem *ks,
+ struct label *kslabel)
{
struct mac_biba *source, *dest;
source = SLOT(cred->cr_label);
- dest = SLOT(ks_label);
+ dest = SLOT(kslabel);
mac_biba_copy_effective(source, dest);
}
static void
-mac_biba_create_socket_from_socket(struct socket *oldsocket,
- struct label *oldsocketlabel, struct socket *newsocket,
- struct label *newsocketlabel)
+mac_biba_create_socket_from_socket(struct socket *oldso,
+ struct label *oldsolabel, struct socket *newso, struct label *newsolabel)
{
struct mac_biba *source, *dest;
- source = SLOT(oldsocketlabel);
- dest = SLOT(newsocketlabel);
+ source = SLOT(oldsolabel);
+ dest = SLOT(newsolabel);
mac_biba_copy_effective(source, dest);
}
static void
-mac_biba_relabel_socket(struct ucred *cred, struct socket *socket,
- struct label *socketlabel, struct label *newlabel)
+mac_biba_relabel_socket(struct ucred *cred, struct socket *so,
+ struct label *solabel, struct label *newlabel)
{
struct mac_biba *source, *dest;
source = SLOT(newlabel);
- dest = SLOT(socketlabel);
+ dest = SLOT(solabel);
mac_biba_copy(source, dest);
}
static void
mac_biba_relabel_pipe(struct ucred *cred, struct pipepair *pp,
- struct label *pipelabel, struct label *newlabel)
+ struct label *pplabel, struct label *newlabel)
{
struct mac_biba *source, *dest;
source = SLOT(newlabel);
- dest = SLOT(pipelabel);
+ dest = SLOT(pplabel);
mac_biba_copy(source, dest);
}
static void
-mac_biba_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct label *mbuflabel,
- struct socket *socket, struct label *socketpeerlabel)
+mac_biba_set_socket_peer_from_mbuf(struct mbuf *m, struct label *mlabel,
+ struct socket *so, struct label *sopeerlabel)
{
struct mac_biba *source, *dest;
- source = SLOT(mbuflabel);
- dest = SLOT(socketpeerlabel);
+ source = SLOT(mlabel);
+ dest = SLOT(sopeerlabel);
mac_biba_copy_effective(source, dest);
}
@@ -1093,7 +1086,6 @@
/*
* Labeling event operations: System V IPC objects.
*/
-
static void
mac_biba_create_sysv_msgmsg(struct ucred *cred, struct msqid_kernel *msqkptr,
struct label *msqlabel, struct msg *msgptr, struct label *msglabel)
@@ -1147,41 +1139,41 @@
* Labeling event operations: network objects.
*/
static void
-mac_biba_set_socket_peer_from_socket(struct socket *oldsocket,
- struct label *oldsocketlabel, struct socket *newsocket,
- struct label *newsocketpeerlabel)
+mac_biba_set_socket_peer_from_socket(struct socket *oldso,
+ struct label *oldsolabel, struct socket *newso,
+ struct label *newsopeerlabel)
{
struct mac_biba *source, *dest;
- source = SLOT(oldsocketlabel);
- dest = SLOT(newsocketpeerlabel);
+ source = SLOT(oldsolabel);
+ dest = SLOT(newsopeerlabel);
mac_biba_copy_effective(source, dest);
}
static void
-mac_biba_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d,
- struct label *bpflabel)
+mac_biba_create_bpfdesc(struct ucred *cred, struct bpf_d *d,
+ struct label *dlabel)
{
struct mac_biba *source, *dest;
source = SLOT(cred->cr_label);
- dest = SLOT(bpflabel);
+ dest = SLOT(dlabel);
mac_biba_copy_effective(source, dest);
}
static void
-mac_biba_create_ifnet(struct ifnet *ifnet, struct label *ifnetlabel)
+mac_biba_create_ifnet(struct ifnet *ifp, struct label *ifplabel)
{
char tifname[IFNAMSIZ], *p, *q;
char tiflist[sizeof(trusted_interfaces)];
struct mac_biba *dest;
int len, type;
- dest = SLOT(ifnetlabel);
+ dest = SLOT(ifplabel);
- if (ifnet->if_type == IFT_LOOP || interfaces_equal != 0) {
+ if (ifp->if_type == IFT_LOOP || interfaces_equal != 0) {
type = MAC_BIBA_TYPE_EQUAL;
goto set;
}
@@ -1208,7 +1200,7 @@
if (len < IFNAMSIZ) {
bzero(tifname, sizeof(tifname));
bcopy(q, tifname, len);
- if (strcmp(tifname, ifnet->if_xname) == 0) {
+ if (strcmp(tifname, ifp->if_xname) == 0) {
type = MAC_BIBA_TYPE_HIGH;
break;
}
@@ -1229,12 +1221,12 @@
}
static void
-mac_biba_create_ipq(struct mbuf *fragment, struct label *fragmentlabel,
- struct ipq *ipq, struct label *ipqlabel)
+mac_biba_create_ipq(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
+ struct label *ipqlabel)
{
struct mac_biba *source, *dest;
- source = SLOT(fragmentlabel);
+ source = SLOT(mlabel);
dest = SLOT(ipqlabel);
mac_biba_copy_effective(source, dest);
@@ -1242,25 +1234,25 @@
static void
mac_biba_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel,
- struct mbuf *datagram, struct label *datagramlabel)
+ struct mbuf *m, struct label *mlabel)
{
struct mac_biba *source, *dest;
source = SLOT(ipqlabel);
- dest = SLOT(datagramlabel);
+ dest = SLOT(mlabel);
/* Just use the head, since we require them all to match. */
mac_biba_copy_effective(source, dest);
}
static void
-mac_biba_create_fragment(struct mbuf *datagram, struct label *datagramlabel,
- struct mbuf *fragment, struct label *fragmentlabel)
+mac_biba_create_fragment(struct mbuf *m, struct label *mlabel,
+ struct mbuf *frag, struct label *fraglabel)
{
struct mac_biba *source, *dest;
- source = SLOT(datagramlabel);
- dest = SLOT(fragmentlabel);
+ source = SLOT(mlabel);
+ dest = SLOT(fraglabel);
mac_biba_copy_effective(source, dest);
}
@@ -1278,92 +1270,92 @@
}
static void
-mac_biba_create_mbuf_linklayer(struct ifnet *ifnet, struct label *ifnetlabel,
- struct mbuf *mbuf, struct label *mbuflabel)
+mac_biba_create_mbuf_linklayer(struct ifnet *ifp, struct label *ifplabel,
+ struct mbuf *m, struct label *mlabel)
{
struct mac_biba *dest;
- dest = SLOT(mbuflabel);
+ dest = SLOT(mlabel);
mac_biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL);
}
static void
-mac_biba_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct label *bpflabel,
- struct mbuf *mbuf, struct label *mbuflabel)
+mac_biba_create_mbuf_from_bpfdesc(struct bpf_d *d, struct label *dlabel,
+ struct mbuf *m, struct label *mlabel)
{
struct mac_biba *source, *dest;
- source = SLOT(bpflabel);
- dest = SLOT(mbuflabel);
+ source = SLOT(dlabel);
+ dest = SLOT(mlabel);
mac_biba_copy_effective(source, dest);
}
static void
-mac_biba_create_mbuf_from_ifnet(struct ifnet *ifnet, struct label *ifnetlabel,
- struct mbuf *m, struct label *mbuflabel)
+mac_biba_create_mbuf_from_ifnet(struct ifnet *ifp, struct label *ifplabel,
+ struct mbuf *m, struct label *mlabel)
{
struct mac_biba *source, *dest;
- source = SLOT(ifnetlabel);
- dest = SLOT(mbuflabel);
+ source = SLOT(ifplabel);
+ dest = SLOT(mlabel);
mac_biba_copy_effective(source, dest);
}
static void
-mac_biba_create_mbuf_multicast_encap(struct mbuf *oldmbuf,
- struct label *oldmbuflabel, struct ifnet *ifnet, struct label *ifnetlabel,
- struct mbuf *newmbuf, struct label *newmbuflabel)
+mac_biba_create_mbuf_multicast_encap(struct mbuf *m, struct label *mlabel,
+ struct ifnet *ifp, struct label *ifplabel, struct mbuf *mnew,
+ struct label *mnewlabel)
{
struct mac_biba *source, *dest;
- source = SLOT(oldmbuflabel);
- dest = SLOT(newmbuflabel);
+ source = SLOT(mlabel);
+ dest = SLOT(mnewlabel);
mac_biba_copy_effective(source, dest);
}
static void
-mac_biba_create_mbuf_netlayer(struct mbuf *oldmbuf, struct label *oldmbuflabel,
- struct mbuf *newmbuf, struct label *newmbuflabel)
+mac_biba_create_mbuf_netlayer(struct mbuf *m, struct label *mlabel,
+ struct mbuf *newm, struct label *mnewlabel)
{
struct mac_biba *source, *dest;
- source = SLOT(oldmbuflabel);
- dest = SLOT(newmbuflabel);
+ source = SLOT(mlabel);
+ dest = SLOT(mnewlabel);
mac_biba_copy_effective(source, dest);
}
static int
-mac_biba_fragment_match(struct mbuf *fragment, struct label *fragmentlabel,
+mac_biba_fragment_match(struct mbuf *m, struct label *mlabel,
struct ipq *ipq, struct label *ipqlabel)
{
struct mac_biba *a, *b;
a = SLOT(ipqlabel);
- b = SLOT(fragmentlabel);
+ b = SLOT(mlabel);
return (mac_biba_equal_effective(a, b));
}
static void
-mac_biba_relabel_ifnet(struct ucred *cred, struct ifnet *ifnet,
- struct label *ifnetlabel, struct label *newlabel)
+mac_biba_relabel_ifnet(struct ucred *cred, struct ifnet *ifp,
+ struct label *ifplabel, struct label *newlabel)
{
struct mac_biba *source, *dest;
source = SLOT(newlabel);
- dest = SLOT(ifnetlabel);
+ dest = SLOT(ifplabel);
mac_biba_copy(source, dest);
}
static void
-mac_biba_update_ipq(struct mbuf *fragment, struct label *fragmentlabel,
- struct ipq *ipq, struct label *ipqlabel)
+mac_biba_update_ipq(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
+ struct label *ipqlabel)
{
/* NOOP: we only accept matching labels, so no need to update */
@@ -1381,6 +1373,17 @@
mac_biba_copy(source, dest);
}
+static void
+mac_biba_create_mbuf_from_firewall(struct mbuf *m, struct label *label)
+{
+ struct mac_biba *dest;
+
+ dest = SLOT(label);
+
+ /* XXX: where is the label for the firewall really comming from? */
+ mac_biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL);
+}
+
/*
* Labeling event operations: processes.
*/
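Review bot: mac_biba_create_mbuf_from_firewall labels every firewall-originated mbuf MAC_BIBA_TYPE_EQUAL, a label that is presumably treated as comparable with every interface and socket label in mac_biba_check_ifnet_transmit and mac_biba_check_socket_deliver, and the `XXX` comment leaves the provenance of that label as an open question rather than a decision. If EQUAL is the intended fallback because the firewall has no credential of its own, say so in place of the XXX, e.g. `/* Firewall-generated packets carry no subject label; use EQUAL so the integrity checks do not reject them. */`; otherwise the label source should be settled before this goes in. Whether any caller restricts this hook to locally generated packets is not visible in this diff.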
@@ -1453,16 +1456,16 @@
* Access control checks.
*/
static int
-mac_biba_check_bpfdesc_receive(struct bpf_d *bpf_d, struct label *bpflabel,
- struct ifnet *ifnet, struct label *ifnetlabel)
+mac_biba_check_bpfdesc_receive(struct bpf_d *d, struct label *dlabel,
+ struct ifnet *ifp, struct label *ifplabel)
{
struct mac_biba *a, *b;
if (!mac_biba_enabled)
return (0);
- a = SLOT(bpflabel);
- b = SLOT(ifnetlabel);
+ a = SLOT(dlabel);
+ b = SLOT(ifplabel);
if (mac_biba_equal_effective(a, b))
return (0);
@@ -1550,8 +1553,8 @@
}
static int
-mac_biba_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet,
- struct label *ifnetlabel, struct label *newlabel)
+mac_biba_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifp,
+ struct label *ifplabel, struct label *newlabel)
{
struct mac_biba *subj, *new;
int error;
@@ -1578,16 +1581,16 @@
}
static int
-mac_biba_check_ifnet_transmit(struct ifnet *ifnet, struct label *ifnetlabel,
- struct mbuf *m, struct label *mbuflabel)
+mac_biba_check_ifnet_transmit(struct ifnet *ifp, struct label *ifplabel,
+ struct mbuf *m, struct label *mlabel)
{
struct mac_biba *p, *i;
if (!mac_biba_enabled)
return (0);
- p = SLOT(mbuflabel);
- i = SLOT(ifnetlabel);
+ p = SLOT(mlabel);
+ i = SLOT(ifplabel);
return (mac_biba_effective_in_range(p, i) ? 0 : EACCES);
}
@@ -1767,7 +1770,6 @@
return (0);
}
-
static int
mac_biba_check_sysv_semget(struct ucred *cred, struct semid_kernel *semakptr,
struct label *semaklabel)
@@ -1884,7 +1886,7 @@
static int
mac_biba_check_kld_load(struct ucred *cred, struct vnode *vp,
- struct label *label)
+ struct label *vplabel)
{
struct mac_biba *subj, *obj;
int error;
@@ -1898,30 +1900,16 @@
if (error)
return (error);
- obj = SLOT(label);
+ obj = SLOT(vplabel);
if (!mac_biba_high_effective(obj))
return (EACCES);
return (0);
}
-
-static int
-mac_biba_check_kld_unload(struct ucred *cred)
-{
- struct mac_biba *subj;
-
- if (!mac_biba_enabled)
- return (0);
-
- subj = SLOT(cred->cr_label);
-
- return (mac_biba_subject_privileged(subj));
-}
-
static int
mac_biba_check_mount_stat(struct ucred *cred, struct mount *mp,
- struct label *mntlabel)
+ struct label *mplabel)
{
struct mac_biba *subj, *obj;
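Review bot: mac_biba_check_kld_unload is deleted here without a replacement in this hunk, so the integrity-privilege requirement for unloading modules now has to come from the default branch of mac_biba_priv_check added later in this diff (PRIV_KLD_UNLOAD is not among its exempted cases, so it would fall through to mac_biba_subject_privileged). That is equivalent to the removed check only if the kernel routes kldunload through priv_check with that privilege, which this diff does not show; worth confirming and recording in the log message, which currently says only `update MAC`. The retained mac_biba_check_kld_load still inspects the vnode label directly, so load and unload are now enforced through different paths.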
@@ -1929,7 +1917,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(mntlabel);
+ obj = SLOT(mplabel);
if (!mac_biba_dominate_effective(obj, subj))
return (EACCES);
@@ -1939,7 +1927,7 @@
static int
mac_biba_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp,
- struct label *pipelabel, unsigned long cmd, void /* caddr_t */ *data)
+ struct label *pplabel, unsigned long cmd, void /* caddr_t */ *data)
{
if(!mac_biba_enabled)
@@ -1952,7 +1940,7 @@
static int
mac_biba_check_pipe_poll(struct ucred *cred, struct pipepair *pp,
- struct label *pipelabel)
+ struct label *pplabel)
{
struct mac_biba *subj, *obj;
@@ -1960,7 +1948,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT((pipelabel));
+ obj = SLOT(pplabel);
if (!mac_biba_dominate_effective(obj, subj))
return (EACCES);
@@ -1970,7 +1958,7 @@
static int
mac_biba_check_pipe_read(struct ucred *cred, struct pipepair *pp,
- struct label *pipelabel)
+ struct label *pplabel)
{
struct mac_biba *subj, *obj;
@@ -1978,7 +1966,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT((pipelabel));
+ obj = SLOT(pplabel);
if (!mac_biba_dominate_effective(obj, subj))
return (EACCES);
@@ -1988,14 +1976,14 @@
static int
mac_biba_check_pipe_relabel(struct ucred *cred, struct pipepair *pp,
- struct label *pipelabel, struct label *newlabel)
+ struct label *pplabel, struct label *newlabel)
{
struct mac_biba *subj, *obj, *new;
int error;
new = SLOT(newlabel);
subj = SLOT(cred->cr_label);
- obj = SLOT(pipelabel);
+ obj = SLOT(pplabel);
/*
* If there is a Biba label update for a pipe, it must be a
@@ -2039,7 +2027,7 @@
static int
mac_biba_check_pipe_stat(struct ucred *cred, struct pipepair *pp,
- struct label *pipelabel)
+ struct label *pplabel)
{
struct mac_biba *subj, *obj;
@@ -2047,7 +2035,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT((pipelabel));
+ obj = SLOT(pplabel);
if (!mac_biba_dominate_effective(obj, subj))
return (EACCES);
@@ -2057,7 +2045,7 @@
static int
mac_biba_check_pipe_write(struct ucred *cred, struct pipepair *pp,
- struct label *pipelabel)
+ struct label *pplabel)
{
struct mac_biba *subj, *obj;
@@ -2065,7 +2053,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT((pipelabel));
+ obj = SLOT(pplabel);
if (!mac_biba_dominate_effective(subj, obj))
return (EACCES);
@@ -2074,8 +2062,8 @@
}
static int
-mac_biba_check_posix_sem_write(struct ucred *cred, struct ksem *ksemptr,
- struct label *ks_label)
+mac_biba_check_posix_sem_write(struct ucred *cred, struct ksem *ks,
+ struct label *kslabel)
{
struct mac_biba *subj, *obj;
@@ -2083,7 +2071,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(ks_label);
+ obj = SLOT(kslabel);
if (!mac_biba_dominate_effective(subj, obj))
return (EACCES);
@@ -2092,8 +2080,8 @@
}
static int
-mac_biba_check_posix_sem_rdonly(struct ucred *cred, struct ksem *ksemptr,
- struct label *ks_label)
+mac_biba_check_posix_sem_rdonly(struct ucred *cred, struct ksem *ks,
+ struct label *kslabel)
{
struct mac_biba *subj, *obj;
@@ -2101,7 +2089,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(ks_label);
+ obj = SLOT(kslabel);
if (!mac_biba_dominate_effective(obj, subj))
return (EACCES);
@@ -2110,7 +2098,7 @@
}
static int
-mac_biba_check_proc_debug(struct ucred *cred, struct proc *proc)
+mac_biba_check_proc_debug(struct ucred *cred, struct proc *p)
{
struct mac_biba *subj, *obj;
@@ -2118,7 +2106,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(proc->p_ucred->cr_label);
+ obj = SLOT(p->p_ucred->cr_label);
/* XXX: range checks */
if (!mac_biba_dominate_effective(obj, subj))
@@ -2130,7 +2118,7 @@
}
static int
-mac_biba_check_proc_sched(struct ucred *cred, struct proc *proc)
+mac_biba_check_proc_sched(struct ucred *cred, struct proc *p)
{
struct mac_biba *subj, *obj;
@@ -2138,7 +2126,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(proc->p_ucred->cr_label);
+ obj = SLOT(p->p_ucred->cr_label);
/* XXX: range checks */
if (!mac_biba_dominate_effective(obj, subj))
@@ -2150,7 +2138,7 @@
}
static int
-mac_biba_check_proc_signal(struct ucred *cred, struct proc *proc, int signum)
+mac_biba_check_proc_signal(struct ucred *cred, struct proc *p, int signum)
{
struct mac_biba *subj, *obj;
@@ -2158,7 +2146,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(proc->p_ucred->cr_label);
+ obj = SLOT(p->p_ucred->cr_label);
/* XXX: range checks */
if (!mac_biba_dominate_effective(obj, subj))
@@ -2170,30 +2158,30 @@
}
static int
-mac_biba_check_socket_deliver(struct socket *so, struct label *socketlabel,
- struct mbuf *m, struct label *mbuflabel)
+mac_biba_check_socket_deliver(struct socket *so, struct label *solabel,
+ struct mbuf *m, struct label *mlabel)
{
struct mac_biba *p, *s;
if (!mac_biba_enabled)
return (0);
- p = SLOT(mbuflabel);
- s = SLOT(socketlabel);
+ p = SLOT(mlabel);
+ s = SLOT(solabel);
return (mac_biba_equal_effective(p, s) ? 0 : EACCES);
}
static int
mac_biba_check_socket_relabel(struct ucred *cred, struct socket *so,
- struct label *socketlabel, struct label *newlabel)
+ struct label *solabel, struct label *newlabel)
{
struct mac_biba *subj, *obj, *new;
int error;
new = SLOT(newlabel);
subj = SLOT(cred->cr_label);
- obj = SLOT(socketlabel);
+ obj = SLOT(solabel);
/*
* If there is a Biba label update for the socket, it may be
@@ -2236,8 +2224,8 @@
}
static int
-mac_biba_check_socket_visible(struct ucred *cred, struct socket *socket,
- struct label *socketlabel)
+mac_biba_check_socket_visible(struct ucred *cred, struct socket *so,
+ struct label *solabel)
{
struct mac_biba *subj, *obj;
@@ -2245,7 +2233,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(socketlabel);
+ obj = SLOT(solabel);
if (!mac_biba_dominate_effective(obj, subj))
return (ENOENT);
@@ -2253,8 +2241,13 @@
return (0);
}
+/*
+ * Some system privileges are allowed regardless of integrity grade; others
+ * are allowed only when running with privilege with respect to the Biba
+ * policy as they might otherwise allow bypassing of the integrity policy.
+ */
static int
-mac_biba_check_sysarch_ioperm(struct ucred *cred)
+mac_biba_priv_check(struct ucred *cred, int priv)
{
struct mac_biba *subj;
int error;
@@ -2262,18 +2255,210 @@
if (!mac_biba_enabled)
return (0);
+ /*
+ * Exempt only specific privileges from the Biba integrity policy.
+ */
+ switch (priv) {
+ case PRIV_KTRACE:
+ case PRIV_MSGBUF:
+
+ /*
+ * Allow processes to manipulate basic process audit properties, and
+ * to submit audit records.
+ */
+ case PRIV_AUDIT_GETAUDIT:
+ case PRIV_AUDIT_SETAUDIT:
+ case PRIV_AUDIT_SUBMIT:
+
+ /*
+ * Allow processes to manipulate their regular UNIX credentials.
+ */
+ case PRIV_CRED_SETUID:
+ case PRIV_CRED_SETEUID:
+ case PRIV_CRED_SETGID:
+ case PRIV_CRED_SETEGID:
+ case PRIV_CRED_SETGROUPS:
+ case PRIV_CRED_SETREUID:
+ case PRIV_CRED_SETREGID:
+ case PRIV_CRED_SETRESUID:
+ case PRIV_CRED_SETRESGID:
+
+ /*
+ * Allow processes to perform system monitoring.
+ */
+ case PRIV_SEEOTHERGIDS:
+ case PRIV_SEEOTHERUIDS:
+ break;
+
+ /*
+ * Allow access to general process debugging facilities. We
+ * separately control debugging based on MAC label.
+ */
+ case PRIV_DEBUG_DIFFCRED:
+ case PRIV_DEBUG_SUGID:
+ case PRIV_DEBUG_UNPRIV:
+
+ /*
+ * Allow manipulating jails.
+ */
+ case PRIV_JAIL_ATTACH:
+
+ /*
+ * Allow privilege with respect to the Partition policy, but not the
+ * Privs policy.
+ */
+ case PRIV_MAC_PARTITION:
+
+ /*
+ * Allow privilege with respect to process resource limits and login
+ * context.
+ */
+ case PRIV_PROC_LIMIT:
+ case PRIV_PROC_SETLOGIN:
+ case PRIV_PROC_SETRLIMIT:
+
+ /*
+ * Allow System V and POSIX IPC privileges.
+ */
+ case PRIV_IPC_READ:
+ case PRIV_IPC_WRITE:
+ case PRIV_IPC_ADMIN:
+ case PRIV_IPC_MSGSIZE:
+ case PRIV_MQ_ADMIN:
+
+ /*
+ * Allow certain scheduler manipulations -- possibly this should be
+ * controlled by more fine-grained policy, as potentially low
+ * integrity processes can deny CPU to higher integrity ones.
+ */
+ case PRIV_SCHED_DIFFCRED:
+ case PRIV_SCHED_SETPRIORITY:
+ case PRIV_SCHED_RTPRIO:
+ case PRIV_SCHED_SETPOLICY:
+ case PRIV_SCHED_SET:
+ case PRIV_SCHED_SETPARAM:
+
+ /*
+ * More IPC privileges.
+ */
+ case PRIV_SEM_WRITE:
+
+ /*
+ * Allow signaling privileges subject to integrity policy.
+ */
+ case PRIV_SIGNAL_DIFFCRED:
+ case PRIV_SIGNAL_SUGID:
+
+ /*
+ * Allow access to only limited sysctls from lower integrity levels;
+ * piggy-back on the Jail definition.
+ */
+ case PRIV_SYSCTL_WRITEJAIL:
+
+ /*
+ * Allow TTY-based privileges, subject to general device access using
+ * labels on TTY device nodes, but not console privilege.
+ */
+ case PRIV_TTY_DRAINWAIT:
+ case PRIV_TTY_DTRWAIT:
+ case PRIV_TTY_EXCLUSIVE:
+ case PRIV_TTY_PRISON:
+ case PRIV_TTY_STI:
+ case PRIV_TTY_SETA:
+
+ /*
+ * Grant most VFS privileges, as almost all are in practice bounded
+ * by more specific checks using labels.
+ */
+ case PRIV_VFS_READ:
+ case PRIV_VFS_WRITE:
+ case PRIV_VFS_ADMIN:
+ case PRIV_VFS_EXEC:
+ case PRIV_VFS_LOOKUP:
+ case PRIV_VFS_CHFLAGS_DEV:
+ case PRIV_VFS_CHOWN:
+ case PRIV_VFS_CHROOT:
+ case PRIV_VFS_RETAINSUGID:
+ case PRIV_VFS_EXCEEDQUOTA:
+ case PRIV_VFS_FCHROOT:
+ case PRIV_VFS_FHOPEN:
+ case PRIV_VFS_FHSTATFS:
+ case PRIV_VFS_GENERATION:
+ case PRIV_VFS_GETFH:
+ case PRIV_VFS_GETQUOTA:
+ case PRIV_VFS_LINK:
+ case PRIV_VFS_MOUNT:
+ case PRIV_VFS_MOUNT_OWNER:
+ case PRIV_VFS_MOUNT_PERM:
+ case PRIV_VFS_MOUNT_SUIDDIR:
+ case PRIV_VFS_MOUNT_NONUSER:
+ case PRIV_VFS_SETGID:
+ case PRIV_VFS_STICKYFILE:
+ case PRIV_VFS_SYSFLAGS:
+ case PRIV_VFS_UNMOUNT:
+
+ /*
+ * Allow VM privileges; it would be nice if these were subject to
+ * resource limits.
+ */
+ case PRIV_VM_MADV_PROTECT:
+ case PRIV_VM_MLOCK:
+ case PRIV_VM_MUNLOCK:
+
+ /*
+ * Allow some but not all network privileges. In general, dont allow
+ * reconfiguring the network stack, just normal use.
+ */
+ case PRIV_NETATALK_RESERVEDPORT:
+ case PRIV_NETINET_RESERVEDPORT:
+ case PRIV_NETINET_RAW:
+ case PRIV_NETINET_REUSEPORT:
+ case PRIV_NETIPX_RESERVEDPORT:
+ case PRIV_NETIPX_RAW:
+ break;
+
+ /*
+ * All remaining system privileges are allow only if the process
+ * holds privilege with respect to the Biba policy.
+ */
+ default:
+ subj = SLOT(cred->cr_label);
+ error = mac_biba_subject_privileged(subj);
+ if (error)
+ return (error);
+ }
+ return (0);
+}
+
+static int
+mac_biba_check_system_acct(struct ucred *cred, struct vnode *vp,
+ struct label *vplabel)
+{
+ struct mac_biba *subj, *obj;
+ int error;
+
+ if (!mac_biba_enabled)
+ return (0);
+
subj = SLOT(cred->cr_label);
error = mac_biba_subject_privileged(subj);
if (error)
return (error);
+ if (vplabel == NULL)
+ return (0);
+
+ obj = SLOT(vplabel);
+ if (!mac_biba_high_effective(obj))
+ return (EACCES);
+
return (0);
}
static int
-mac_biba_check_system_acct(struct ucred *cred, struct vnode *vp,
- struct label *label)
+mac_biba_check_system_auditctl(struct ucred *cred, struct vnode *vp,
+ struct label *vplabel)
{
struct mac_biba *subj, *obj;
int error;
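Review bot: The comment introducing the default branch of mac_biba_priv_check, `* All remaining system privileges are allow only if the process`, should read `* All remaining system privileges are allowed only if the process`. The `break` after PRIV_SEEOTHERUIDS and the `break` after PRIV_NETIPX_RAW do the same thing, so the split into two case groups is purely documentary; a short comment above the switch saying that exempted privileges remain bounded by the per-object label checks elsewhere in this policy (as the VFS group's own comment already states) would stop the broad PRIV_VFS_* and PRIV_NETINET_RAW exemptions from reading as a gap. `subj` and `error` are read only in the default branch and could be declared there. The body of mac_biba_check_system_auditctl continues past the end of this hunk.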
@@ -2287,10 +2472,10 @@
if (error)
return (error);
- if (label == NULL)
+ if (vplabel == NULL)
return (0);
- obj = SLOT(label);
+ obj = SLOT(vplabel);
if (!mac_biba_high_effective(obj))
return (EACCES);
@@ -2298,7 +2483,7 @@
}
static int
-mac_biba_check_system_settime(struct ucred *cred)
+mac_biba_check_system_auditon(struct ucred *cred, int cmd)
{
struct mac_biba *subj;
int error;
@@ -2317,7 +2502,7 @@
static int
mac_biba_check_system_swapon(struct ucred *cred, struct vnode *vp,
- struct label *label)
+ struct label *vplabel)
{
struct mac_biba *subj, *obj;
int error;
@@ -2326,7 +2511,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(label);
+ obj = SLOT(vplabel);
error = mac_biba_subject_privileged(subj);
if (error)
@@ -2342,14 +2527,13 @@
mac_biba_check_system_swapoff(struct ucred *cred, struct vnode *vp,
struct label *label)
{
- struct mac_biba *subj, *obj;
+ struct mac_biba *subj;
int error;
if (!mac_biba_enabled)
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(label);
error = mac_biba_subject_privileged(subj);
if (error)
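Review bot: mac_biba_check_system_swapoff keeps its parameter named `label` while mac_biba_check_system_swapon in the preceding hunk renames the same parameter to `vplabel`; since `obj` is removed and the label is no longer read here, rename it for consistency, `struct label *vplabel)`. Dropping the object-label lookup means swapoff is now gated only by mac_biba_subject_privileged, whereas swapon still fetches `obj` and presumably checks it in the part of its body outside the hunk; if that asymmetry is intentional, a one-line comment saying why the vnode label does not matter on swapoff would help. The function's body continues past the hunk.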
@@ -2388,7 +2572,7 @@
static int
mac_biba_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
- struct label *dlabel)
+ struct label *dvplabel)
{
struct mac_biba *subj, *obj;
@@ -2396,7 +2580,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(dlabel);
+ obj = SLOT(dvplabel);
if (!mac_biba_dominate_effective(obj, subj))
return (EACCES);
@@ -2406,7 +2590,7 @@
static int
mac_biba_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
- struct label *dlabel)
+ struct label *dvplabel)
{
struct mac_biba *subj, *obj;
@@ -2414,7 +2598,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(dlabel);
+ obj = SLOT(dvplabel);
if (!mac_biba_dominate_effective(obj, subj))
return (EACCES);
@@ -2424,26 +2608,7 @@
static int
mac_biba_check_vnode_create(struct ucred *cred, struct vnode *dvp,
- struct label *dlabel, struct componentname *cnp, struct vattr *vap)
-{
- struct mac_biba *subj, *obj;
-
- if (!mac_biba_enabled)
- return (0);
-
- subj = SLOT(cred->cr_label);
- obj = SLOT(dlabel);
-
- if (!mac_biba_dominate_effective(subj, obj))
- return (EACCES);
-
- return (0);
-}
-
-static int
-mac_biba_check_vnode_delete(struct ucred *cred, struct vnode *dvp,
- struct label *dlabel, struct vnode *vp, struct label *label,
- struct componentname *cnp)
+ struct label *dvplabel, struct componentname *cnp, struct vattr *vap)
{
struct mac_biba *subj, *obj;
@@ -2451,12 +2616,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(dlabel);
-
- if (!mac_biba_dominate_effective(subj, obj))
- return (EACCES);
-
- obj = SLOT(label);
+ obj = SLOT(dvplabel);
if (!mac_biba_dominate_effective(subj, obj))
return (EACCES);
@@ -2466,7 +2626,7 @@
static int
mac_biba_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
- struct label *label, acl_type_t type)
+ struct label *vplabel, acl_type_t type)
{
struct mac_biba *subj, *obj;
@@ -2474,7 +2634,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(label);
+ obj = SLOT(vplabel);
if (!mac_biba_dominate_effective(subj, obj))
return (EACCES);
@@ -2484,7 +2644,7 @@
static int
mac_biba_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
- struct label *label, int attrnamespace, const char *name)
+ struct label *vplabel, int attrnamespace, const char *name)
{
struct mac_biba *subj, *obj;
@@ -2492,7 +2652,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(label);
+ obj = SLOT(vplabel);
if (!mac_biba_dominate_effective(subj, obj))
return (EACCES);
@@ -2502,7 +2662,7 @@
static int
mac_biba_check_vnode_exec(struct ucred *cred, struct vnode *vp,
- struct label *label, struct image_params *imgp,
+ struct label *vplabel, struct image_params *imgp,
struct label *execlabel)
{
struct mac_biba *subj, *obj, *exec;
@@ -2524,7 +2684,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(label);
+ obj = SLOT(vplabel);
if (!mac_biba_dominate_effective(obj, subj))
return (EACCES);
@@ -2534,7 +2694,7 @@
static int
mac_biba_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
- struct label *label, acl_type_t type)
+ struct label *vplabel, acl_type_t type)
{
struct mac_biba *subj, *obj;
@@ -2542,7 +2702,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(label);
+ obj = SLOT(vplabel);
if (!mac_biba_dominate_effective(obj, subj))
return (EACCES);
@@ -2552,7 +2712,8 @@
static int
mac_biba_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
- struct label *label, int attrnamespace, const char *name, struct uio *uio)
+ struct label *vplabel, int attrnamespace, const char *name,
+ struct uio *uio)
{
struct mac_biba *subj, *obj;
@@ -2560,7 +2721,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(label);
+ obj = SLOT(vplabel);
if (!mac_biba_dominate_effective(obj, subj))
return (EACCES);
@@ -2570,7 +2731,7 @@
static int
mac_biba_check_vnode_link(struct ucred *cred, struct vnode *dvp,
- struct label *dlabel, struct vnode *vp, struct label *label,
+ struct label *dvplabel, struct vnode *vp, struct label *vplabel,
struct componentname *cnp)
{
struct mac_biba *subj, *obj;
@@ -2579,12 +2740,12 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(dlabel);
+ obj = SLOT(dvplabel);
if (!mac_biba_dominate_effective(subj, obj))
return (EACCES);
- obj = SLOT(label);
+ obj = SLOT(vplabel);
if (!mac_biba_dominate_effective(subj, obj))
return (EACCES);
@@ -2594,7 +2755,7 @@
static int
mac_biba_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
- struct label *label, int attrnamespace)
+ struct label *vplabel, int attrnamespace)
{
struct mac_biba *subj, *obj;
@@ -2602,7 +2763,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(label);
+ obj = SLOT(vplabel);
if (!mac_biba_dominate_effective(obj, subj))
return (EACCES);
@@ -2612,7 +2773,7 @@
static int
mac_biba_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
- struct label *dlabel, struct componentname *cnp)
+ struct label *dvplabel, struct componentname *cnp)
{
struct mac_biba *subj, *obj;
@@ -2620,7 +2781,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(dlabel);
+ obj = SLOT(dvplabel);
if (!mac_biba_dominate_effective(obj, subj))
return (EACCES);
@@ -2630,7 +2791,7 @@
static int
mac_biba_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
- struct label *label, int prot, int flags)
+ struct label *vplabel, int prot, int flags)
{
struct mac_biba *subj, *obj;
@@ -2642,7 +2803,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(label);
+ obj = SLOT(vplabel);
if (prot & (VM_PROT_READ | VM_PROT_EXECUTE)) {
if (!mac_biba_dominate_effective(obj, subj))
@@ -2658,7 +2819,7 @@
static int
mac_biba_check_vnode_open(struct ucred *cred, struct vnode *vp,
- struct label *vnodelabel, int acc_mode)
+ struct label *vplabel, int acc_mode)
{
struct mac_biba *subj, *obj;
@@ -2666,7 +2827,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(vnodelabel);
+ obj = SLOT(vplabel);
/* XXX privilege override for admin? */
if (acc_mode & (VREAD | VEXEC | VSTAT)) {
@@ -2683,7 +2844,7 @@
static int
mac_biba_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
- struct vnode *vp, struct label *label)
+ struct vnode *vp, struct label *vplabel)
{
struct mac_biba *subj, *obj;
@@ -2691,7 +2852,7 @@
return (0);
subj = SLOT(active_cred->cr_label);
- obj = SLOT(label);
+ obj = SLOT(vplabel);
if (!mac_biba_dominate_effective(obj, subj))
return (EACCES);
@@ -2701,7 +2862,7 @@
static int
mac_biba_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
- struct vnode *vp, struct label *label)
+ struct vnode *vp, struct label *vplabel)
{
struct mac_biba *subj, *obj;
@@ -2709,7 +2870,7 @@
return (0);
subj = SLOT(active_cred->cr_label);
- obj = SLOT(label);
+ obj = SLOT(vplabel);
if (!mac_biba_dominate_effective(obj, subj))
return (EACCES);
@@ -2719,7 +2880,7 @@
static int
mac_biba_check_vnode_readdir(struct ucred *cred, struct vnode *dvp,
- struct label *dlabel)
+ struct label *dvplabel)
{
struct mac_biba *subj, *obj;
@@ -2727,7 +2888,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(dlabel);
+ obj = SLOT(dvplabel);
if (!mac_biba_dominate_effective(obj, subj))
return (EACCES);
@@ -2737,7 +2898,7 @@
static int
mac_biba_check_vnode_readlink(struct ucred *cred, struct vnode *vp,
- struct label *label)
+ struct label *vplabel)
{
struct mac_biba *subj, *obj;
@@ -2745,7 +2906,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(label);
+ obj = SLOT(vplabel);
if (!mac_biba_dominate_effective(obj, subj))
return (EACCES);
@@ -2755,12 +2916,12 @@
static int
mac_biba_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
- struct label *vnodelabel, struct label *newlabel)
+ struct label *vplabel, struct label *newlabel)
{
struct mac_biba *old, *new, *subj;
int error;
- old = SLOT(vnodelabel);
+ old = SLOT(vplabel);
new = SLOT(newlabel);
subj = SLOT(cred->cr_label);
@@ -2806,7 +2967,7 @@
static int
mac_biba_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
- struct label *dlabel, struct vnode *vp, struct label *label,
+ struct label *dvplabel, struct vnode *vp, struct label *vplabel,
struct componentname *cnp)
{
struct mac_biba *subj, *obj;
@@ -2815,12 +2976,12 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(dlabel);
+ obj = SLOT(dvplabel);
if (!mac_biba_dominate_effective(subj, obj))
return (EACCES);
- obj = SLOT(label);
+ obj = SLOT(vplabel);
if (!mac_biba_dominate_effective(subj, obj))
return (EACCES);
@@ -2830,8 +2991,8 @@
static int
mac_biba_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
- struct label *dlabel, struct vnode *vp, struct label *label, int samedir,
- struct componentname *cnp)
+ struct label *dvplabel, struct vnode *vp, struct label *vplabel,
+ int samedir, struct componentname *cnp)
{
struct mac_biba *subj, *obj;
@@ -2839,13 +3000,13 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(dlabel);
+ obj = SLOT(dvplabel);
if (!mac_biba_dominate_effective(subj, obj))
return (EACCES);
if (vp != NULL) {
- obj = SLOT(label);
+ obj = SLOT(vplabel);
if (!mac_biba_dominate_effective(subj, obj))
return (EACCES);
@@ -2856,7 +3017,7 @@
static int
mac_biba_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
- struct label *label)
+ struct label *vplabel)
{
struct mac_biba *subj, *obj;
@@ -2864,7 +3025,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(label);
+ obj = SLOT(vplabel);
if (!mac_biba_dominate_effective(subj, obj))
return (EACCES);
@@ -2874,7 +3035,7 @@
static int
mac_biba_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
- struct label *label, acl_type_t type, struct acl *acl)
+ struct label *vplabel, acl_type_t type, struct acl *acl)
{
struct mac_biba *subj, *obj;
@@ -2882,7 +3043,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(label);
+ obj = SLOT(vplabel);
if (!mac_biba_dominate_effective(subj, obj))
return (EACCES);
@@ -2892,7 +3053,7 @@
static int
mac_biba_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
- struct label *vnodelabel, int attrnamespace, const char *name,
+ struct label *vplabel, int attrnamespace, const char *name,
struct uio *uio)
{
struct mac_biba *subj, *obj;
@@ -2901,7 +3062,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(vnodelabel);
+ obj = SLOT(vplabel);
if (!mac_biba_dominate_effective(subj, obj))
return (EACCES);
@@ -2913,7 +3074,7 @@
static int
mac_biba_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
- struct label *vnodelabel, u_long flags)
+ struct label *vplabel, u_long flags)
{
struct mac_biba *subj, *obj;
@@ -2921,7 +3082,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(vnodelabel);
+ obj = SLOT(vplabel);
if (!mac_biba_dominate_effective(subj, obj))
return (EACCES);
@@ -2931,7 +3092,7 @@
static int
mac_biba_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
- struct label *vnodelabel, mode_t mode)
+ struct label *vplabel, mode_t mode)
{
struct mac_biba *subj, *obj;
@@ -2939,7 +3100,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(vnodelabel);
+ obj = SLOT(vplabel);
if (!mac_biba_dominate_effective(subj, obj))
return (EACCES);
@@ -2949,7 +3110,7 @@
static int
mac_biba_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
- struct label *vnodelabel, uid_t uid, gid_t gid)
+ struct label *vplabel, uid_t uid, gid_t gid)
{
struct mac_biba *subj, *obj;
@@ -2957,7 +3118,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(vnodelabel);
+ obj = SLOT(vplabel);
if (!mac_biba_dominate_effective(subj, obj))
return (EACCES);
@@ -2967,7 +3128,7 @@
static int
mac_biba_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
- struct label *vnodelabel, struct timespec atime, struct timespec mtime)
+ struct label *vplabel, struct timespec atime, struct timespec mtime)
{
struct mac_biba *subj, *obj;
@@ -2975,7 +3136,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(vnodelabel);
+ obj = SLOT(vplabel);
if (!mac_biba_dominate_effective(subj, obj))
return (EACCES);
@@ -2985,7 +3146,7 @@
static int
mac_biba_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
- struct vnode *vp, struct label *vnodelabel)
+ struct vnode *vp, struct label *vplabel)
{
struct mac_biba *subj, *obj;
@@ -2993,7 +3154,7 @@
return (0);
subj = SLOT(active_cred->cr_label);
- obj = SLOT(vnodelabel);
+ obj = SLOT(vplabel);
if (!mac_biba_dominate_effective(obj, subj))
return (EACCES);
@@ -3002,8 +3163,32 @@
}
static int
+mac_biba_check_vnode_unlink(struct ucred *cred, struct vnode *dvp,
+ struct label *dvplabel, struct vnode *vp, struct label *vplabel,
+ struct componentname *cnp)
+{
+ struct mac_biba *subj, *obj;
+
+ if (!mac_biba_enabled)
+ return (0);
+
+ subj = SLOT(cred->cr_label);
+ obj = SLOT(dvplabel);
+
+ if (!mac_biba_dominate_effective(subj, obj))
+ return (EACCES);
+
+ obj = SLOT(vplabel);
+
+ if (!mac_biba_dominate_effective(subj, obj))
+ return (EACCES);
+
+ return (0);
+}
+
+static int
mac_biba_check_vnode_write(struct ucred *active_cred,
- struct ucred *file_cred, struct vnode *vp, struct label *label)
+ struct ucred *file_cred, struct vnode *vp, struct label *vplabel)
{
struct mac_biba *subj, *obj;
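Review bot: mac_biba_check_vnode_unlink carries no comment explaining why it checks two labels, even though it is the replacement for the removed check_vnode_delete and the one hook in this group that tests both the directory and the target. I would add above the signature `/* Unlink modifies both the directory and the file, so the subject must dominate both labels (Biba write rule: no write-up). */`. Both tests use `mac_biba_dominate_effective(subj, obj)`, matching the write-style checks elsewhere in the file (create, link, rename_from). The check_vnode_write definition that starts at the bottom of this hunk continues outside it.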
@@ -3011,7 +3196,7 @@
return (0);
subj = SLOT(active_cred->cr_label);
- obj = SLOT(label);
+ obj = SLOT(vplabel);
if (!mac_biba_dominate_effective(subj, obj))
return (EACCES);
@@ -3019,14 +3204,47 @@
return (0);
}
+static void
+mac_biba_associate_nfsd_label(struct ucred *cred)
+{
+ struct mac_biba *label;
+
+ label = SLOT(cred->cr_label);
+ mac_biba_set_effective(label, MAC_BIBA_TYPE_LOW, 0, NULL);
+ mac_biba_set_range(label, MAC_BIBA_TYPE_LOW, 0, NULL,
+ MAC_BIBA_TYPE_HIGH, 0, NULL);
+}
+
+static void
+mac_biba_init_syncache_from_inpcb(struct label *label, struct inpcb *inp)
+{
+ struct mac_biba *source, *dest;
+
+ source = SLOT(inp->inp_label);
+ dest = SLOT(label);
+ mac_biba_copy_effective(source, dest);
+}
+
+static void
+mac_biba_create_mbuf_from_syncache(struct label *sc_label, struct mbuf *m,
+ struct label *mlabel)
+{
+ struct mac_biba *source, *dest;
+
+ source = SLOT(sc_label);
+ dest = SLOT(mlabel);
+ mac_biba_copy_effective(source, dest);
+}
+
static struct mac_policy_ops mac_biba_ops =
{
.mpo_init = mac_biba_init,
.mpo_init_bpfdesc_label = mac_biba_init_label,
.mpo_init_cred_label = mac_biba_init_label,
- .mpo_init_devfsdirent_label = mac_biba_init_label,
+ .mpo_init_devfs_label = mac_biba_init_label,
.mpo_init_ifnet_label = mac_biba_init_label,
.mpo_init_inpcb_label = mac_biba_init_label_waitcheck,
+ .mpo_init_syncache_label = mac_biba_init_label_waitcheck,
.mpo_init_sysv_msgmsg_label = mac_biba_init_label,
.mpo_init_sysv_msgqueue_label = mac_biba_init_label,
.mpo_init_sysv_sem_label = mac_biba_init_label,
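Review bot: mac_biba_associate_nfsd_label is the only function in this hunk that makes a policy decision rather than copying a label, and it does so without a comment: the nfsd credential is pinned to effective LOW with a LOW-HIGH range. A maintainer of the integrity model should not have to reverse-engineer that, so I would add above it `/* nfsd runs at the lowest effective integrity: data written on behalf of remote clients must not flow up into higher-integrity objects. */` — the rationale is inferred from the label chosen, so please confirm it matches the intent. The two syncache hooks copy only the effective component of the label and are consistent with each other; no concern there.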
@@ -3034,17 +3252,18 @@
.mpo_init_ipq_label = mac_biba_init_label_waitcheck,
.mpo_init_mbuf_label = mac_biba_init_label_waitcheck,
.mpo_init_mount_label = mac_biba_init_label,
- .mpo_init_mount_fs_label = mac_biba_init_label,
.mpo_init_pipe_label = mac_biba_init_label,
.mpo_init_posix_sem_label = mac_biba_init_label,
.mpo_init_socket_label = mac_biba_init_label_waitcheck,
.mpo_init_socket_peer_label = mac_biba_init_label_waitcheck,
+ .mpo_init_syncache_from_inpcb = mac_biba_init_syncache_from_inpcb,
.mpo_init_vnode_label = mac_biba_init_label,
.mpo_destroy_bpfdesc_label = mac_biba_destroy_label,
.mpo_destroy_cred_label = mac_biba_destroy_label,
- .mpo_destroy_devfsdirent_label = mac_biba_destroy_label,
+ .mpo_destroy_devfs_label = mac_biba_destroy_label,
.mpo_destroy_ifnet_label = mac_biba_destroy_label,
.mpo_destroy_inpcb_label = mac_biba_destroy_label,
+ .mpo_destroy_syncache_label = mac_biba_destroy_label,
.mpo_destroy_sysv_msgmsg_label = mac_biba_destroy_label,
.mpo_destroy_sysv_msgqueue_label = mac_biba_destroy_label,
.mpo_destroy_sysv_sem_label = mac_biba_destroy_label,
@@ -3052,7 +3271,6 @@
.mpo_destroy_ipq_label = mac_biba_destroy_label,
.mpo_destroy_mbuf_label = mac_biba_destroy_label,
.mpo_destroy_mount_label = mac_biba_destroy_label,
- .mpo_destroy_mount_fs_label = mac_biba_destroy_label,
.mpo_destroy_pipe_label = mac_biba_destroy_label,
.mpo_destroy_posix_sem_label = mac_biba_destroy_label,
.mpo_destroy_socket_label = mac_biba_destroy_label,
@@ -3080,13 +3298,14 @@
.mpo_create_devfs_symlink = mac_biba_create_devfs_symlink,
.mpo_create_mount = mac_biba_create_mount,
.mpo_relabel_vnode = mac_biba_relabel_vnode,
- .mpo_update_devfsdirent = mac_biba_update_devfsdirent,
+ .mpo_update_devfs = mac_biba_update_devfs,
.mpo_associate_vnode_devfs = mac_biba_associate_vnode_devfs,
.mpo_associate_vnode_extattr = mac_biba_associate_vnode_extattr,
.mpo_associate_vnode_singlelabel = mac_biba_associate_vnode_singlelabel,
.mpo_create_vnode_extattr = mac_biba_create_vnode_extattr,
.mpo_setlabel_vnode_extattr = mac_biba_setlabel_vnode_extattr,
.mpo_create_mbuf_from_socket = mac_biba_create_mbuf_from_socket,
+ .mpo_create_mbuf_from_syncache = mac_biba_create_mbuf_from_syncache,
.mpo_create_pipe = mac_biba_create_pipe,
.mpo_create_posix_sem = mac_biba_create_posix_sem,
.mpo_create_socket = mac_biba_create_socket,
@@ -3141,7 +3360,6 @@
.mpo_check_sysv_shmctl = mac_biba_check_sysv_shmctl,
.mpo_check_sysv_shmget = mac_biba_check_sysv_shmget,
.mpo_check_kld_load = mac_biba_check_kld_load,
- .mpo_check_kld_unload = mac_biba_check_kld_unload,
.mpo_check_mount_stat = mac_biba_check_mount_stat,
.mpo_check_pipe_ioctl = mac_biba_check_pipe_ioctl,
.mpo_check_pipe_poll = mac_biba_check_pipe_poll,
@@ -3161,9 +3379,9 @@
.mpo_check_socket_deliver = mac_biba_check_socket_deliver,
.mpo_check_socket_relabel = mac_biba_check_socket_relabel,
.mpo_check_socket_visible = mac_biba_check_socket_visible,
- .mpo_check_sysarch_ioperm = mac_biba_check_sysarch_ioperm,
.mpo_check_system_acct = mac_biba_check_system_acct,
- .mpo_check_system_settime = mac_biba_check_system_settime,
+ .mpo_check_system_auditctl = mac_biba_check_system_auditctl,
+ .mpo_check_system_auditon = mac_biba_check_system_auditon,
.mpo_check_system_swapon = mac_biba_check_system_swapon,
.mpo_check_system_swapoff = mac_biba_check_system_swapoff,
.mpo_check_system_sysctl = mac_biba_check_system_sysctl,
@@ -3171,7 +3389,6 @@
.mpo_check_vnode_chdir = mac_biba_check_vnode_chdir,
.mpo_check_vnode_chroot = mac_biba_check_vnode_chroot,
.mpo_check_vnode_create = mac_biba_check_vnode_create,
- .mpo_check_vnode_delete = mac_biba_check_vnode_delete,
.mpo_check_vnode_deleteacl = mac_biba_check_vnode_deleteacl,
.mpo_check_vnode_deleteextattr = mac_biba_check_vnode_deleteextattr,
.mpo_check_vnode_exec = mac_biba_check_vnode_exec,
@@ -3197,7 +3414,11 @@
.mpo_check_vnode_setowner = mac_biba_check_vnode_setowner,
.mpo_check_vnode_setutimes = mac_biba_check_vnode_setutimes,
.mpo_check_vnode_stat = mac_biba_check_vnode_stat,
+ .mpo_check_vnode_unlink = mac_biba_check_vnode_unlink,
.mpo_check_vnode_write = mac_biba_check_vnode_write,
+ .mpo_associate_nfsd_label = mac_biba_associate_nfsd_label,
+ .mpo_create_mbuf_from_firewall = mac_biba_create_mbuf_from_firewall,
+ .mpo_priv_check = mac_biba_priv_check,
};
MAC_POLICY_SET(&mac_biba_ops, mac_biba, "TrustedBSD MAC/Biba",
Index: mac_bsdextended.c
===================================================================
RCS file: /home/cvs/src/sys/security/mac_bsdextended/mac_bsdextended.c,v
retrieving revision 1.1.1.2
retrieving revision 1.2
diff -L sys/security/mac_bsdextended/mac_bsdextended.c -L sys/security/mac_bsdextended/mac_bsdextended.c -u -r1.1.1.2 -r1.2
--- sys/security/mac_bsdextended/mac_bsdextended.c
+++ sys/security/mac_bsdextended/mac_bsdextended.c
@@ -1,7 +1,7 @@
/*-
- * Copyright (c) 2005 Tom Rhodes
- * Copyright (c) 1999-2002 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2007 Robert N. M. Watson
* Copyright (c) 2001-2005 Networks Associates Technology, Inc.
+ * Copyright (c) 2005 Tom Rhodes
* All rights reserved.
*
* This software was developed by Robert Watson for the TrustedBSD Project.
@@ -33,45 +33,32 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $FreeBSD: src/sys/security/mac_bsdextended/mac_bsdextended.c,v 1.25.2.2 2006/01/24 04:11:45 csjp Exp $
+ * $FreeBSD: src/sys/security/mac_bsdextended/mac_bsdextended.c,v 1.39 2007/09/10 00:00:17 rwatson Exp $
*/
/*
* Developed by the TrustedBSD Project.
- * "BSD Extended" MAC policy, allowing the administrator to impose
- * mandatory rules regarding users and some system objects.
+ *
+ * "BSD Extended" MAC policy, allowing the administrator to impose mandatory
+ * firewall-like rules regarding users and file system objects.
*/
-#include <sys/types.h>
#include <sys/param.h>
#include <sys/acl.h>
-#include <sys/conf.h>
#include <sys/kernel.h>
+#include <sys/jail.h>
#include <sys/lock.h>
-#include <sys/mac.h>
#include <sys/malloc.h>
+#include <sys/module.h>
#include <sys/mount.h>
#include <sys/mutex.h>
-#include <sys/proc.h>
+#include <sys/priv.h>
#include <sys/systm.h>
-#include <sys/sysproto.h>
-#include <sys/sysent.h>
#include <sys/vnode.h>
-#include <sys/file.h>
-#include <sys/socket.h>
-#include <sys/socketvar.h>
#include <sys/sysctl.h>
#include <sys/syslog.h>
-#include <net/bpfdesc.h>
-#include <net/if.h>
-#include <net/if_types.h>
-#include <net/if_var.h>
-
-#include <vm/vm.h>
-
-#include <sys/mac_policy.h>
-
+#include <security/mac/mac_policy.h>
#include <security/mac_bsdextended/mac_bsdextended.h>
static struct mtx mac_bsdextended_mtx;
@@ -92,44 +79,51 @@
static struct mac_bsdextended_rule *rules[MAC_BSDEXTENDED_MAXRULES];
static int rule_count = 0;
static int rule_slots = 0;
+static int rule_version = MB_VERSION;
SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, rule_count, CTLFLAG_RD,
&rule_count, 0, "Number of defined rules\n");
SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, rule_slots, CTLFLAG_RD,
&rule_slots, 0, "Number of used rule slots\n");
+SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, rule_version, CTLFLAG_RD,
+ &rule_version, 0, "Version number for API\n");
/*
- * This is just used for logging purposes, eventually we would like
- * to log much more then failed requests.
+ * This is just used for logging purposes, eventually we would like to log
+ * much more then failed requests.
*/
static int mac_bsdextended_logging;
SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, logging, CTLFLAG_RW,
&mac_bsdextended_logging, 0, "Log failed authorization requests");
/*
- * This tunable is here for compatibility. It will allow the user
- * to switch between the new mode (first rule matches) and the old
- * functionality (all rules match).
+ * This tunable is here for compatibility. It will allow the user to switch
+ * between the new mode (first rule matches) and the old functionality (all
+ * rules match).
*/
static int
mac_bsdextended_firstmatch_enabled;
SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, firstmatch_enabled,
- CTLFLAG_RW, &mac_bsdextended_firstmatch_enabled, 1,
- "Disable/enable match first rule functionality");
+ CTLFLAG_RW, &mac_bsdextended_firstmatch_enabled, 1,
+ "Disable/enable match first rule functionality");
static int
mac_bsdextended_rule_valid(struct mac_bsdextended_rule *rule)
{
- if ((rule->mbr_subject.mbi_flags | MBI_BITS) != MBI_BITS)
+ if ((rule->mbr_subject.mbs_flags | MBS_ALL_FLAGS) != MBS_ALL_FLAGS)
return (EINVAL);
-
- if ((rule->mbr_object.mbi_flags | MBI_BITS) != MBI_BITS)
+ if ((rule->mbr_subject.mbs_neg | MBS_ALL_FLAGS) != MBS_ALL_FLAGS)
+ return (EINVAL);
+ if ((rule->mbr_object.mbo_flags | MBO_ALL_FLAGS) != MBO_ALL_FLAGS)
+ return (EINVAL);
+ if ((rule->mbr_object.mbo_neg | MBO_ALL_FLAGS) != MBO_ALL_FLAGS)
+ return (EINVAL);
+ if ((rule->mbr_object.mbo_neg | MBO_TYPE_DEFINED) &&
+ (rule->mbr_object.mbo_type | MBO_ALL_TYPE) != MBO_ALL_TYPE)
return (EINVAL);
-
if ((rule->mbr_mode | MBI_ALLPERM) != MBI_ALLPERM)
return (EINVAL);
-
return (0);
}
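Review bot: The type-bit validation in mac_bsdextended_rule_valid uses `|` where `&` is almost certainly meant: `(rule->mbr_object.mbo_neg | MBO_TYPE_DEFINED)` is non-zero for every rule, so the clause always fires and the `mbo_type` check becomes unconditional, and it tests `mbo_neg` rather than `mbo_flags`. The effect is fail-closed (stricter than intended) rather than a bypass, but it misleads the reader; if the intent is to validate `mbo_type` only when a type is defined, the line should be `if ((rule->mbr_object.mbo_flags & MBO_TYPE_DEFINED) &&`. Separately, nothing here rejects an inverted range (`mbs_uid_min > mbs_uid_max`, and the gid and object counterparts); such a rule is accepted and then silently never matches in rulecheck, so a rule written to deny becomes a no-op — returning EINVAL for min > max would surface the misconfiguration at load time.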
@@ -143,12 +137,8 @@
error = 0;
name = (int *)arg1;
namelen = arg2;
-
- /* printf("bsdextended sysctl handler (namelen %d)\n", namelen); */
-
if (namelen != 1)
return (EINVAL);
-
index = name[0];
if (index >= MAC_BSDEXTENDED_MAXRULES)
return (ENOENT);
@@ -163,7 +153,6 @@
}
mtx_lock(&mac_bsdextended_mtx);
-
if (req->oldptr) {
if (index < 0 || index > rule_slots + 1) {
error = ENOENT;
@@ -175,9 +164,7 @@
}
temprule = *rules[index];
}
-
if (req->newptr && req->newlen == 0) {
- /* printf("deletion\n"); */
KASSERT(ruleptr == NULL, ("sysctl_rule: ruleptr != NULL"));
ruleptr = rules[index];
if (ruleptr == NULL) {
@@ -190,84 +177,93 @@
error = mac_bsdextended_rule_valid(&temprule);
if (error)
goto out;
-
if (rules[index] == NULL) {
- /* printf("addition\n"); */
*ruleptr = temprule;
rules[index] = ruleptr;
ruleptr = NULL;
if (index + 1 > rule_slots)
rule_slots = index + 1;
rule_count++;
- } else {
- /* printf("replacement\n"); */
+ } else
*rules[index] = temprule;
- }
}
-
out:
mtx_unlock(&mac_bsdextended_mtx);
if (ruleptr != NULL)
FREE(ruleptr, M_MACBSDEXTENDED);
if (req->oldptr && error == 0)
error = SYSCTL_OUT(req, &temprule, sizeof(temprule));
-
return (error);
}
-SYSCTL_NODE(_security_mac_bsdextended, OID_AUTO, rules,
- CTLFLAG_RW, sysctl_rule, "BSD extended MAC rules");
+SYSCTL_NODE(_security_mac_bsdextended, OID_AUTO, rules, CTLFLAG_RW,
+ sysctl_rule, "BSD extended MAC rules");
static void
mac_bsdextended_init(struct mac_policy_conf *mpc)
{
- /* Initialize ruleset lock. */
mtx_init(&mac_bsdextended_mtx, "mac_bsdextended lock", NULL, MTX_DEF);
-
- /* Register dynamic sysctl's for rules. */
}
static void
mac_bsdextended_destroy(struct mac_policy_conf *mpc)
{
- /* Destroy ruleset lock. */
mtx_destroy(&mac_bsdextended_mtx);
-
- /* Tear down sysctls. */
}
static int
mac_bsdextended_rulecheck(struct mac_bsdextended_rule *rule,
- struct ucred *cred, uid_t object_uid, gid_t object_gid, int acc_mode)
+ struct ucred *cred, struct vnode *vp, struct vattr *vap, int acc_mode)
{
int match;
+ int i;
/*
* Is there a subject match?
*/
mtx_assert(&mac_bsdextended_mtx, MA_OWNED);
- if (rule->mbr_subject.mbi_flags & MBI_UID_DEFINED) {
- match = (rule->mbr_subject.mbi_uid == cred->cr_uid ||
- rule->mbr_subject.mbi_uid == cred->cr_ruid ||
- rule->mbr_subject.mbi_uid == cred->cr_svuid);
-
- if (rule->mbr_subject.mbi_flags & MBI_NEGATED)
+ if (rule->mbr_subject.mbs_flags & MBS_UID_DEFINED) {
+ match = ((cred->cr_uid <= rule->mbr_subject.mbs_uid_max &&
+ cred->cr_uid >= rule->mbr_subject.mbs_uid_min) ||
+ (cred->cr_ruid <= rule->mbr_subject.mbs_uid_max &&
+ cred->cr_ruid >= rule->mbr_subject.mbs_uid_min) ||
+ (cred->cr_svuid <= rule->mbr_subject.mbs_uid_max &&
+ cred->cr_svuid >= rule->mbr_subject.mbs_uid_min));
+ if (rule->mbr_subject.mbs_neg & MBS_UID_DEFINED)
match = !match;
-
if (!match)
return (0);
}
- if (rule->mbr_subject.mbi_flags & MBI_GID_DEFINED) {
- match = (groupmember(rule->mbr_subject.mbi_gid, cred) ||
- rule->mbr_subject.mbi_gid == cred->cr_rgid ||
- rule->mbr_subject.mbi_gid == cred->cr_svgid);
-
- if (rule->mbr_subject.mbi_flags & MBI_NEGATED)
+ if (rule->mbr_subject.mbs_flags & MBS_GID_DEFINED) {
+ match = ((cred->cr_rgid <= rule->mbr_subject.mbs_gid_max &&
+ cred->cr_rgid >= rule->mbr_subject.mbs_gid_min) ||
+ (cred->cr_svgid <= rule->mbr_subject.mbs_gid_max &&
+ cred->cr_svgid >= rule->mbr_subject.mbs_gid_min));
+ if (!match) {
+ for (i = 0; i < cred->cr_ngroups; i++) {
+ if (cred->cr_groups[i]
+ <= rule->mbr_subject.mbs_gid_max &&
+ cred->cr_groups[i]
+ >= rule->mbr_subject.mbs_gid_min) {
+ match = 1;
+ break;
+ }
+ }
+ }
+ if (rule->mbr_subject.mbs_neg & MBS_GID_DEFINED)
match = !match;
+ if (!match)
+ return (0);
+ }
+ if (rule->mbr_subject.mbs_flags & MBS_PRISON_DEFINED) {
+ match = (cred->cr_prison != NULL &&
+ cred->cr_prison->pr_id == rule->mbr_subject.mbs_prison);
+ if (rule->mbr_subject.mbs_neg & MBS_PRISON_DEFINED)
+ match = !match;
if (!match)
return (0);
}
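Review bot: mac_bsdextended_rulecheck has no header comment, and its return contract is the non-obvious part: 0 means the rule did not match (scanning continues), EACCES means a matching rule denied the request, and EJUSTRETURN means a matching rule permitted it and first-match mode is on — the last two are only visible in later hunks. I would put a short comment above the signature stating those three outcomes and that the caller must hold mac_bsdextended_mtx, which the `mtx_assert` already enforces. The subject-matching rewrite itself reads cleanly: uid/gid now match on inclusive ranges, the `cr_groups` loop is bounded by `cr_ngroups`, and the prison check guards `cr_prison` for NULL before dereferencing. The function continues past the end of this hunk.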
@@ -275,22 +271,98 @@
/*
* Is there an object match?
*/
- if (rule->mbr_object.mbi_flags & MBI_UID_DEFINED) {
- match = (rule->mbr_object.mbi_uid == object_uid);
+ if (rule->mbr_object.mbo_flags & MBO_UID_DEFINED) {
+ match = (vap->va_uid <= rule->mbr_object.mbo_uid_max &&
+ vap->va_uid >= rule->mbr_object.mbo_uid_min);
+ if (rule->mbr_object.mbo_neg & MBO_UID_DEFINED)
+ match = !match;
+ if (!match)
+ return (0);
+ }
- if (rule->mbr_object.mbi_flags & MBI_NEGATED)
+ if (rule->mbr_object.mbo_flags & MBO_GID_DEFINED) {
+ match = (vap->va_gid <= rule->mbr_object.mbo_gid_max &&
+ vap->va_gid >= rule->mbr_object.mbo_gid_min);
+ if (rule->mbr_object.mbo_neg & MBO_GID_DEFINED)
match = !match;
+ if (!match)
+ return (0);
+ }
+ if (rule->mbr_object.mbo_flags & MBO_FSID_DEFINED) {
+ match = (bcmp(&(vp->v_mount->mnt_stat.f_fsid),
+ &(rule->mbr_object.mbo_fsid),
+ sizeof(rule->mbr_object.mbo_fsid)) == 0);
+ if (rule->mbr_object.mbo_neg & MBO_FSID_DEFINED)
+ match = !match;
if (!match)
return (0);
}
- if (rule->mbr_object.mbi_flags & MBI_GID_DEFINED) {
- match = (rule->mbr_object.mbi_gid == object_gid);
+ if (rule->mbr_object.mbo_flags & MBO_SUID) {
+ match = (vap->va_mode & VSUID);
+ if (rule->mbr_object.mbo_neg & MBO_SUID)
+ match = !match;
+ if (!match)
+ return (0);
+ }
+
+ if (rule->mbr_object.mbo_flags & MBO_SGID) {
+ match = (vap->va_mode & VSGID);
+ if (rule->mbr_object.mbo_neg & MBO_SGID)
+ match = !match;
+ if (!match)
+ return (0);
+ }
- if (rule->mbr_object.mbi_flags & MBI_NEGATED)
+ if (rule->mbr_object.mbo_flags & MBO_UID_SUBJECT) {
+ match = (vap->va_uid == cred->cr_uid ||
+ vap->va_uid == cred->cr_ruid ||
+ vap->va_uid == cred->cr_svuid);
+ if (rule->mbr_object.mbo_neg & MBO_UID_SUBJECT)
match = !match;
+ if (!match)
+ return (0);
+ }
+ if (rule->mbr_object.mbo_flags & MBO_GID_SUBJECT) {
+ match = (groupmember(vap->va_gid, cred) ||
+ vap->va_gid == cred->cr_rgid ||
+ vap->va_gid == cred->cr_svgid);
+ if (rule->mbr_object.mbo_neg & MBO_GID_SUBJECT)
+ match = !match;
+ if (!match)
+ return (0);
+ }
+
+ if (rule->mbr_object.mbo_flags & MBO_TYPE_DEFINED) {
+ switch (vap->va_type) {
+ case VREG:
+ match = (rule->mbr_object.mbo_type & MBO_TYPE_REG);
+ break;
+ case VDIR:
+ match = (rule->mbr_object.mbo_type & MBO_TYPE_DIR);
+ break;
+ case VBLK:
+ match = (rule->mbr_object.mbo_type & MBO_TYPE_BLK);
+ break;
+ case VCHR:
+ match = (rule->mbr_object.mbo_type & MBO_TYPE_CHR);
+ break;
+ case VLNK:
+ match = (rule->mbr_object.mbo_type & MBO_TYPE_LNK);
+ break;
+ case VSOCK:
+ match = (rule->mbr_object.mbo_type & MBO_TYPE_SOCK);
+ break;
+ case VFIFO:
+ match = (rule->mbr_object.mbo_type & MBO_TYPE_FIFO);
+ break;
+ default:
+ match = 0;
+ }
+ if (rule->mbr_object.mbo_neg & MBO_TYPE_DEFINED)
+ match = !match;
if (!match)
return (0);
}
@@ -302,8 +374,9 @@
if (mac_bsdextended_logging)
log(LOG_AUTHPRIV, "mac_bsdextended: %d:%d request %d"
" on %d:%d failed. \n", cred->cr_ruid,
- cred->cr_rgid, acc_mode, object_uid, object_gid);
- return (EACCES); /* Matching rule denies access */
+ cred->cr_rgid, acc_mode, vap->va_uid,
+ vap->va_gid);
+ return (EACCES);
}
/*
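Review bot: The rewritten log call passes `vap->va_uid` and `vap->va_gid` (and `cr_ruid`/`cr_rgid`) to `%d` conversions; uid_t and gid_t are unsigned on this platform, so large ids print as negative numbers and the format/argument mismatch is technically undefined. Use `%u` for the four id fields, keeping `%d` for `acc_mode`, e.g. `"mac_bsdextended: %u:%u request %d on %u:%u failed.\n"`, which also drops the stray space before the newline. The enclosing `if` and the function continue outside the hunk.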
@@ -313,34 +386,34 @@
if (mac_bsdextended_firstmatch_enabled)
return (EJUSTRETURN);
else
- return(0);
+ return (0);
}
static int
-mac_bsdextended_check(struct ucred *cred, uid_t object_uid, gid_t object_gid,
+mac_bsdextended_check(struct ucred *cred, struct vnode *vp, struct vattr *vap,
int acc_mode)
{
int error, i;
+ /*
+ * XXXRW: More specific privilege selection needed.
+ */
if (suser_cred(cred, 0) == 0)
return (0);
+ /*
+ * Since we do not separately handle append, map append to write.
+ */
+ if (acc_mode & MBI_APPEND) {
+ acc_mode &= ~MBI_APPEND;
+ acc_mode |= MBI_WRITE;
+ }
mtx_lock(&mac_bsdextended_mtx);
for (i = 0; i < rule_slots; i++) {
if (rules[i] == NULL)
continue;
-
- /*
- * Since we do not separately handle append, map append to
- * write.
- */
- if (acc_mode & MBI_APPEND) {
- acc_mode &= ~MBI_APPEND;
- acc_mode |= MBI_WRITE;
- }
-
- error = mac_bsdextended_rulecheck(rules[i], cred, object_uid,
- object_gid, acc_mode);
+ error = mac_bsdextended_rulecheck(rules[i], cred,
+ vp, vap, acc_mode);
if (error == EJUSTRETURN)
break;
if (error) {
@@ -353,225 +426,137 @@
}
static int
-mac_bsdextended_check_system_swapon(struct ucred *cred, struct vnode *vp,
- struct label *label)
+mac_bsdextended_check_vp(struct ucred *cred, struct vnode *vp, int acc_mode)
{
- struct vattr vap;
int error;
+ struct vattr vap;
if (!mac_bsdextended_enabled)
return (0);
-
error = VOP_GETATTR(vp, &vap, cred, curthread);
if (error)
return (error);
- return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid,
- MBI_WRITE));
+ return (mac_bsdextended_check(cred, vp, &vap, acc_mode));
}
static int
-mac_bsdextended_check_vnode_access(struct ucred *cred, struct vnode *vp,
- struct label *label, int acc_mode)
+mac_bsdextended_check_system_acct(struct ucred *cred, struct vnode *vp,
+ struct label *vplabel)
{
- struct vattr vap;
- int error;
-
- if (!mac_bsdextended_enabled)
- return (0);
- error = VOP_GETATTR(vp, &vap, cred, curthread);
- if (error)
- return (error);
- return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, acc_mode));
+ return (mac_bsdextended_check_vp(cred, vp, MBI_WRITE));
}
static int
-mac_bsdextended_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
- struct label *dlabel)
+mac_bsdextended_check_system_auditctl(struct ucred *cred, struct vnode *vp,
+ struct label *vplabel)
{
- struct vattr vap;
- int error;
- if (!mac_bsdextended_enabled)
- return (0);
-
- error = VOP_GETATTR(dvp, &vap, cred, curthread);
- if (error)
- return (error);
- return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid,
- MBI_EXEC));
+ return (mac_bsdextended_check_vp(cred, vp, MBI_WRITE));
}
static int
-mac_bsdextended_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
- struct label *dlabel)
+mac_bsdextended_check_system_swapoff(struct ucred *cred, struct vnode *vp,
+ struct label *vplabel)
{
- struct vattr vap;
- int error;
- if (!mac_bsdextended_enabled)
- return (0);
+ return (mac_bsdextended_check_vp(cred, vp, MBI_WRITE));
+}
- error = VOP_GETATTR(dvp, &vap, cred, curthread);
- if (error)
- return (error);
- return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid,
- MBI_EXEC));
+static int
+mac_bsdextended_check_system_swapon(struct ucred *cred, struct vnode *vp,
+ struct label *vplabel)
+{
+
+ return (mac_bsdextended_check_vp(cred, vp, MBI_WRITE));
}
static int
-mac_bsdextended_check_create_vnode(struct ucred *cred, struct vnode *dvp,
- struct label *dlabel, struct componentname *cnp, struct vattr *vap)
+mac_bsdextended_check_vnode_access(struct ucred *cred, struct vnode *vp,
+ struct label *vplabel, int acc_mode)
{
- struct vattr dvap;
- int error;
- if (!mac_bsdextended_enabled)
- return (0);
+ return (mac_bsdextended_check_vp(cred, vp, acc_mode));
+}
- error = VOP_GETATTR(dvp, &dvap, cred, curthread);
- if (error)
- return (error);
- return (mac_bsdextended_check(cred, dvap.va_uid, dvap.va_gid,
- MBI_WRITE));
+static int
+mac_bsdextended_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
+ struct label *dvplabel)
+{
+
+ return (mac_bsdextended_check_vp(cred, dvp, MBI_EXEC));
}
static int
-mac_bsdextended_check_vnode_delete(struct ucred *cred, struct vnode *dvp,
- struct label *dlabel, struct vnode *vp, struct label *label,
- struct componentname *cnp)
+mac_bsdextended_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
+ struct label *dvplabel)
{
- struct vattr vap;
- int error;
- if (!mac_bsdextended_enabled)
- return (0);
+ return (mac_bsdextended_check_vp(cred, dvp, MBI_EXEC));
+}
- error = VOP_GETATTR(dvp, &vap, cred, curthread);
- if (error)
- return (error);
- error = mac_bsdextended_check(cred, vap.va_uid, vap.va_gid,
- MBI_WRITE);
- if (error)
- return (error);
+static int
+mac_bsdextended_check_create_vnode(struct ucred *cred, struct vnode *dvp,
+ struct label *dvplabel, struct componentname *cnp, struct vattr *vap)
+{
- error = VOP_GETATTR(vp, &vap, cred, curthread);
- if (error)
- return (error);
- return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid,
- MBI_WRITE));
+ return (mac_bsdextended_check_vp(cred, dvp, MBI_WRITE));
}
static int
mac_bsdextended_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
- struct label *label, acl_type_t type)
+ struct label *vplabel, acl_type_t type)
{
- struct vattr vap;
- int error;
- if (!mac_bsdextended_enabled)
- return (0);
-
- error = VOP_GETATTR(vp, &vap, cred, curthread);
- if (error)
- return (error);
- return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid,
- MBI_ADMIN));
+ return (mac_bsdextended_check_vp(cred, vp, MBI_ADMIN));
}
static int
-mac_bsdextended_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
- struct label *label, int attrnamespace, const char *name)
+mac_bsdextended_check_vnode_deleteextattr(struct ucred *cred,
+ struct vnode *vp, struct label *vplabel, int attrnamespace,
+ const char *name)
{
- struct vattr vap;
- int error;
- if (!mac_bsdextended_enabled)
- return (0);
-
- error = VOP_GETATTR(vp, &vap, cred, curthread);
- if (error)
- return (error);
- return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid,
- MBI_WRITE));
+ return (mac_bsdextended_check_vp(cred, vp, MBI_WRITE));
}
static int
mac_bsdextended_check_vnode_exec(struct ucred *cred, struct vnode *vp,
- struct label *label, struct image_params *imgp,
+ struct label *vplabel, struct image_params *imgp,
struct label *execlabel)
{
- struct vattr vap;
- int error;
-
- if (!mac_bsdextended_enabled)
- return (0);
- error = VOP_GETATTR(vp, &vap, cred, curthread);
- if (error)
- return (error);
- return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid,
- MBI_READ|MBI_EXEC));
+ return (mac_bsdextended_check_vp(cred, vp, MBI_READ|MBI_EXEC));
}
static int
mac_bsdextended_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
- struct label *label, acl_type_t type)
+ struct label *vplabel, acl_type_t type)
{
- struct vattr vap;
- int error;
- if (!mac_bsdextended_enabled)
- return (0);
-
- error = VOP_GETATTR(vp, &vap, cred, curthread);
- if (error)
- return (error);
- return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid,
- MBI_STAT));
+ return (mac_bsdextended_check_vp(cred, vp, MBI_STAT));
}
static int
mac_bsdextended_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
- struct label *label, int attrnamespace, const char *name, struct uio *uio)
+ struct label *vplabel, int attrnamespace, const char *name,
+ struct uio *uio)
{
- struct vattr vap;
- int error;
-
- if (!mac_bsdextended_enabled)
- return (0);
- error = VOP_GETATTR(vp, &vap, cred, curthread);
- if (error)
- return (error);
- return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid,
- MBI_READ));
+ return (mac_bsdextended_check_vp(cred, vp, MBI_READ));
}
static int
mac_bsdextended_check_vnode_link(struct ucred *cred, struct vnode *dvp,
- struct label *dlabel, struct vnode *vp, struct label *label,
+ struct label *dvplabel, struct vnode *vp, struct label *label,
struct componentname *cnp)
{
- struct vattr vap;
int error;
- if (!mac_bsdextended_enabled)
- return (0);
-
- error = VOP_GETATTR(dvp, &vap, cred, curthread);
- if (error)
- return (error);
- error = mac_bsdextended_check(cred, vap.va_uid, vap.va_gid,
- MBI_WRITE);
+ error = mac_bsdextended_check_vp(cred, dvp, MBI_WRITE);
if (error)
return (error);
-
- error = VOP_GETATTR(vp, &vap, cred, curthread);
- if (error)
- return (error);
- error = mac_bsdextended_check(cred, vap.va_uid, vap.va_gid,
- MBI_WRITE);
+ error = mac_bsdextended_check_vp(cred, vp, MBI_WRITE);
if (error)
return (error);
return (0);
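Review bot: In mac_bsdextended_check_vnode_link the second label parameter is still named `label` while every other hook in this hunk was renamed to `vplabel`/`dvplabel`; for consistency it should read `struct label *dvplabel, struct vnode *vp, struct label *vplabel,`. mac_bsdextended_check_vp is now the single path every vnode and system hook funnels through, yet it carries no comment; I would add above it `/* Common path for all vnode-based hooks: fetch the object's attributes with the caller's cred and run the rule table against them. */`. A note there on the hook-to-right mapping (extattr writes are MBI_WRITE, ACL/flag/mode/owner changes are MBI_ADMIN) would keep the mapping from drifting as hooks are added.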
@@ -579,291 +564,162 @@
static int
mac_bsdextended_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
- struct label *label, int attrnamespace)
+ struct label *vplabel, int attrnamespace)
{
- struct vattr vap;
- int error;
- if (!mac_bsdextended_enabled)
- return (0);
-
- error = VOP_GETATTR(vp, &vap, cred, curthread);
- if (error)
- return (error);
- return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid,
- MBI_READ));
+ return (mac_bsdextended_check_vp(cred, vp, MBI_READ));
}
static int
mac_bsdextended_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
- struct label *dlabel, struct componentname *cnp)
+ struct label *dvplabel, struct componentname *cnp)
{
- struct vattr vap;
- int error;
- if (!mac_bsdextended_enabled)
- return (0);
-
- error = VOP_GETATTR(dvp, &vap, cred, curthread);
- if (error)
- return (error);
- return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid,
- MBI_EXEC));
+ return (mac_bsdextended_check_vp(cred, dvp, MBI_EXEC));
}
static int
mac_bsdextended_check_vnode_open(struct ucred *cred, struct vnode *vp,
- struct label *filelabel, int acc_mode)
+ struct label *vplabel, int acc_mode)
{
- struct vattr vap;
- int error;
-
- if (!mac_bsdextended_enabled)
- return (0);
- error = VOP_GETATTR(vp, &vap, cred, curthread);
- if (error)
- return (error);
- return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, acc_mode));
+ return (mac_bsdextended_check_vp(cred, vp, acc_mode));
}
static int
mac_bsdextended_check_vnode_readdir(struct ucred *cred, struct vnode *dvp,
- struct label *dlabel)
+ struct label *dvplabel)
{
- struct vattr vap;
- int error;
- if (!mac_bsdextended_enabled)
- return (0);
-
- error = VOP_GETATTR(dvp, &vap, cred, curthread);
- if (error)
- return (error);
- return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid,
- MBI_READ));
+ return (mac_bsdextended_check_vp(cred, dvp, MBI_READ));
}
static int
mac_bsdextended_check_vnode_readdlink(struct ucred *cred, struct vnode *vp,
- struct label *label)
+ struct label *vplabel)
{
- struct vattr vap;
- int error;
-
- if (!mac_bsdextended_enabled)
- return (0);
- error = VOP_GETATTR(vp, &vap, cred, curthread);
- if (error)
- return (error);
- return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid,
- MBI_READ));
+ return (mac_bsdextended_check_vp(cred, vp, MBI_READ));
}
static int
mac_bsdextended_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
- struct label *dlabel, struct vnode *vp, struct label *label,
+ struct label *dvplabel, struct vnode *vp, struct label *vplabel,
struct componentname *cnp)
{
- struct vattr vap;
int error;
- if (!mac_bsdextended_enabled)
- return (0);
-
- error = VOP_GETATTR(dvp, &vap, cred, curthread);
+ error = mac_bsdextended_check_vp(cred, dvp, MBI_WRITE);
if (error)
return (error);
- error = mac_bsdextended_check(cred, vap.va_uid, vap.va_gid,
- MBI_WRITE);
- if (error)
- return (error);
- error = VOP_GETATTR(vp, &vap, cred, curthread);
- if (error)
- return (error);
- error = mac_bsdextended_check(cred, vap.va_uid, vap.va_gid,
- MBI_WRITE);
-
- return (error);
+ return (mac_bsdextended_check_vp(cred, vp, MBI_WRITE));
}
static int
mac_bsdextended_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
- struct label *dlabel, struct vnode *vp, struct label *label, int samedir,
- struct componentname *cnp)
+ struct label *dvplabel, struct vnode *vp, struct label *vplabel,
+ int samedir, struct componentname *cnp)
{
- struct vattr vap;
int error;
- if (!mac_bsdextended_enabled)
- return (0);
-
- error = VOP_GETATTR(dvp, &vap, cred, curthread);
+ error = mac_bsdextended_check_vp(cred, dvp, MBI_WRITE);
if (error)
return (error);
- error = mac_bsdextended_check(cred, vap.va_uid, vap.va_gid,
- MBI_WRITE);
- if (error)
- return (error);
-
- if (vp != NULL) {
- error = VOP_GETATTR(vp, &vap, cred, curthread);
- if (error)
- return (error);
- error = mac_bsdextended_check(cred, vap.va_uid, vap.va_gid,
- MBI_WRITE);
- }
-
+ if (vp != NULL)
+ error = mac_bsdextended_check_vp(cred, vp, MBI_WRITE);
return (error);
}
static int
mac_bsdextended_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
- struct label *label)
+ struct label *vplabel)
{
- struct vattr vap;
- int error;
-
- if (!mac_bsdextended_enabled)
- return (0);
- error = VOP_GETATTR(vp, &vap, cred, curthread);
- if (error)
- return (error);
- return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid,
- MBI_ADMIN));
+ return (mac_bsdextended_check_vp(cred, vp, MBI_ADMIN));
}
static int
mac_bsdextended_check_setacl_vnode(struct ucred *cred, struct vnode *vp,
- struct label *label, acl_type_t type, struct acl *acl)
+ struct label *vplabel, acl_type_t type, struct acl *acl)
{
- struct vattr vap;
- int error;
-
- if (!mac_bsdextended_enabled)
- return (0);
- error = VOP_GETATTR(vp, &vap, cred, curthread);
- if (error)
- return (error);
- return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid,
- MBI_ADMIN));
+ return (mac_bsdextended_check_vp(cred, vp, MBI_ADMIN));
}
static int
mac_bsdextended_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
- struct label *label, int attrnamespace, const char *name, struct uio *uio)
+ struct label *vplabel, int attrnamespace, const char *name,
+ struct uio *uio)
{
- struct vattr vap;
- int error;
- if (!mac_bsdextended_enabled)
- return (0);
-
- error = VOP_GETATTR(vp, &vap, cred, curthread);
- if (error)
- return (error);
- return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid,
- MBI_WRITE));
+ return (mac_bsdextended_check_vp(cred, vp, MBI_WRITE));
}
static int
mac_bsdextended_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
- struct label *label, u_long flags)
+ struct label *vplabel, u_long flags)
{
- struct vattr vap;
- int error;
-
- if (!mac_bsdextended_enabled)
- return (0);
- error = VOP_GETATTR(vp, &vap, cred, curthread);
- if (error)
- return (error);
- return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid,
- MBI_ADMIN));
+ return (mac_bsdextended_check_vp(cred, vp, MBI_ADMIN));
}
static int
mac_bsdextended_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
- struct label *label, mode_t mode)
+ struct label *vplabel, mode_t mode)
{
- struct vattr vap;
- int error;
-
- if (!mac_bsdextended_enabled)
- return (0);
- error = VOP_GETATTR(vp, &vap, cred, curthread);
- if (error)
- return (error);
- return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid,
- MBI_ADMIN));
+ return (mac_bsdextended_check_vp(cred, vp, MBI_ADMIN));
}
static int
mac_bsdextended_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
- struct label *label, uid_t uid, gid_t gid)
+ struct label *vplabel, uid_t uid, gid_t gid)
{
- struct vattr vap;
- int error;
- if (!mac_bsdextended_enabled)
- return (0);
-
- error = VOP_GETATTR(vp, &vap, cred, curthread);
- if (error)
- return (error);
- return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid,
- MBI_ADMIN));
+ return (mac_bsdextended_check_vp(cred, vp, MBI_ADMIN));
}
static int
mac_bsdextended_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
- struct label *label, struct timespec atime, struct timespec utime)
+ struct label *vplabel, struct timespec atime, struct timespec utime)
{
- struct vattr vap;
- int error;
-
- if (!mac_bsdextended_enabled)
- return (0);
- error = VOP_GETATTR(vp, &vap, cred, curthread);
- if (error)
- return (error);
- return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid,
- MBI_ADMIN));
+ return (mac_bsdextended_check_vp(cred, vp, MBI_ADMIN));
}
static int
mac_bsdextended_check_vnode_stat(struct ucred *active_cred,
- struct ucred *file_cred, struct vnode *vp, struct label *label)
+ struct ucred *file_cred, struct vnode *vp, struct label *vplabel)
{
- struct vattr vap;
- int error;
- if (!mac_bsdextended_enabled)
- return (0);
+ return (mac_bsdextended_check_vp(active_cred, vp, MBI_STAT));
+}
+
+static int
+mac_bsdextended_check_vnode_unlink(struct ucred *cred, struct vnode *dvp,
+ struct label *dvplabel, struct vnode *vp, struct label *vplabel,
+ struct componentname *cnp)
+{
+ int error;
- error = VOP_GETATTR(vp, &vap, active_cred, curthread);
+ error = mac_bsdextended_check_vp(cred, dvp, MBI_WRITE);
if (error)
return (error);
- return (mac_bsdextended_check(active_cred, vap.va_uid, vap.va_gid,
- MBI_STAT));
+ return (mac_bsdextended_check_vp(cred, vp, MBI_WRITE));
}
static struct mac_policy_ops mac_bsdextended_ops =
{
.mpo_destroy = mac_bsdextended_destroy,
.mpo_init = mac_bsdextended_init,
+ .mpo_check_system_acct = mac_bsdextended_check_system_acct,
+ .mpo_check_system_auditctl = mac_bsdextended_check_system_auditctl,
+ .mpo_check_system_swapoff = mac_bsdextended_check_system_swapoff,
.mpo_check_system_swapon = mac_bsdextended_check_system_swapon,
.mpo_check_vnode_access = mac_bsdextended_check_vnode_access,
.mpo_check_vnode_chdir = mac_bsdextended_check_vnode_chdir,
.mpo_check_vnode_chroot = mac_bsdextended_check_vnode_chroot,
.mpo_check_vnode_create = mac_bsdextended_check_create_vnode,
- .mpo_check_vnode_delete = mac_bsdextended_check_vnode_delete,
.mpo_check_vnode_deleteacl = mac_bsdextended_check_vnode_deleteacl,
.mpo_check_vnode_deleteextattr = mac_bsdextended_check_vnode_deleteextattr,
.mpo_check_vnode_exec = mac_bsdextended_check_vnode_exec,
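Review bot: mac_bsdextended_check_setacl_vnode breaks the `check_vnode_<op>` naming that every other hook in this hunk follows, and that the commit itself enforces when it replaces delete with check_vnode_unlink; renaming it to `mac_bsdextended_check_vnode_setacl` would make the ops table read uniformly. Its `.mpo_check_vnode_setacl` entry is presumably in the part of the table outside this hunk and would need the same rename. `mac_bsdextended_check_create_vnode`, wired at `.mpo_check_vnode_create`, has the same problem and could become `mac_bsdextended_check_vnode_create`.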
@@ -885,6 +741,7 @@
.mpo_check_vnode_setowner = mac_bsdextended_check_vnode_setowner,
.mpo_check_vnode_setutimes = mac_bsdextended_check_vnode_setutimes,
.mpo_check_vnode_stat = mac_bsdextended_check_vnode_stat,
+ .mpo_check_vnode_unlink = mac_bsdextended_check_vnode_unlink,
};
MAC_POLICY_SET(&mac_bsdextended_ops, mac_bsdextended,
Index: mac_bsdextended.h
===================================================================
RCS file: /home/cvs/src/sys/security/mac_bsdextended/mac_bsdextended.h,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -L sys/security/mac_bsdextended/mac_bsdextended.h -L sys/security/mac_bsdextended/mac_bsdextended.h -u -r1.1.1.1 -r1.2
--- sys/security/mac_bsdextended/mac_bsdextended.h
+++ sys/security/mac_bsdextended/mac_bsdextended.h
@@ -31,22 +31,19 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $FreeBSD: src/sys/security/mac_bsdextended/mac_bsdextended.h,v 1.5 2004/10/21 11:29:56 rwatson Exp $
+ * $FreeBSD: src/sys/security/mac_bsdextended/mac_bsdextended.h,v 1.7 2007/07/05 13:16:04 rwatson Exp $
*/
#ifndef _SYS_SECURITY_MAC_BSDEXTENDED_H
#define _SYS_SECURITY_MAC_BSDEXTENDED_H
-#define MBI_UID_DEFINED 0x00000001 /* uid field should be used */
-#define MBI_GID_DEFINED 0x00000002 /* gid field should be used */
-#define MBI_NEGATED 0x00000004 /* negate uid/gid matches */
-#define MBI_BITS (MBI_UID_DEFINED | MBI_GID_DEFINED | MBI_NEGATED)
+#define MB_VERSION 2 /* Used to check library and kernel are the same. */
/*
- * Rights that can be represented in mbr_mode. These have the same values
- * as the V* rights in vnode.h, but in order to avoid sharing user and
- * kernel constants, we define them here. That will also improve ABI
- * stability if the in-kernel values change.
+ * Rights that can be represented in mbr_mode. These have the same values as
+ * the V* rights in vnode.h, but in order to avoid sharing user and kernel
+ * constants, we define them here. That will also improve ABI stability if
+ * the in-kernel values change.
*/
#define MBI_EXEC 000100
#define MBI_WRITE 000200
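Review bot: `MB_VERSION 2` says it is used to check that library and kernel agree, but nothing in the header says when it must change, and this commit is exactly such a case (the rule layout moves from mac_bsdextended_identity to the subject/object structs). I would make the obligation explicit: `#define MB_VERSION 2 /* ABI version of struct mac_bsdextended_rule; bump whenever the rule structs or their flag bits change. */`. Where the kernel actually compares the value is outside this hunk, so I have not verified that the check exists.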
@@ -57,15 +54,60 @@
#define MBI_ALLPERM (MBI_EXEC | MBI_WRITE | MBI_READ | MBI_ADMIN | \
MBI_STAT | MBI_APPEND)
-struct mac_bsdextended_identity {
- int mbi_flags;
- uid_t mbi_uid;
- gid_t mbi_gid;
+#define MBS_UID_DEFINED 0x00000001 /* uid field should be matched */
+#define MBS_GID_DEFINED 0x00000002 /* gid field should be matched */
+#define MBS_PRISON_DEFINED 0x00000004 /* prison field should be matched */
+
+#define MBS_ALL_FLAGS (MBS_UID_DEFINED | MBS_GID_DEFINED | MBS_PRISON_DEFINED)
+
+struct mac_bsdextended_subject {
+ int mbs_flags;
+ int mbs_neg;
+ uid_t mbs_uid_min;
+ uid_t mbs_uid_max;
+ gid_t mbs_gid_min;
+ gid_t mbs_gid_max;
+ int mbs_prison;
+};
+
+#define MBO_UID_DEFINED 0x00000001 /* uid field should be matched */
+#define MBO_GID_DEFINED 0x00000002 /* gid field should be matched */
+#define MBO_FSID_DEFINED 0x00000004 /* fsid field should be matched */
+#define MBO_SUID 0x00000008 /* object must be suid */
+#define MBO_SGID 0x00000010 /* object must be sgid */
+#define MBO_UID_SUBJECT 0x00000020 /* uid must match subject */
+#define MBO_GID_SUBJECT 0x00000040 /* gid must match subject */
+#define MBO_TYPE_DEFINED 0x00000080 /* object type should be matched */
+
+#define MBO_ALL_FLAGS (MBO_UID_DEFINED | MBO_GID_DEFINED | MBO_FSID_DEFINED | \
+ MBO_SUID | MBO_SGID | MBO_UID_SUBJECT | MBO_GID_SUBJECT | \
+ MBO_TYPE_DEFINED)
+
+#define MBO_TYPE_REG 0x00000001
+#define MBO_TYPE_DIR 0x00000002
+#define MBO_TYPE_BLK 0x00000004
+#define MBO_TYPE_CHR 0x00000008
+#define MBO_TYPE_LNK 0x00000010
+#define MBO_TYPE_SOCK 0x00000020
+#define MBO_TYPE_FIFO 0x00000040
+
+#define MBO_ALL_TYPE (MBO_TYPE_REG | MBO_TYPE_DIR | MBO_TYPE_BLK | \
+ MBO_TYPE_CHR | MBO_TYPE_LNK | MBO_TYPE_SOCK | MBO_TYPE_FIFO)
+
+struct mac_bsdextended_object {
+ int mbo_flags;
+ int mbo_neg;
+ uid_t mbo_uid_min;
+ uid_t mbo_uid_max;
+ gid_t mbo_gid_min;
+ gid_t mbo_gid_max;
+ struct fsid mbo_fsid;
+ int mbo_type;
};
struct mac_bsdextended_rule {
- struct mac_bsdextended_identity mbr_subject;
- struct mac_bsdextended_identity mbr_object;
+ struct mac_bsdextended_subject mbr_subject;
+ struct mac_bsdextended_object mbr_object;
mode_t mbr_mode; /* maximum access */
};
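Review bot: `mbs_neg` and `mbo_neg` are undocumented, but the kernel side tests them with the same MBS_*/MBO_* bits as `mbs_flags`/`mbo_flags` (the preceding hunk flips the type match on `mbo_neg & MBO_TYPE_DEFINED`), and a userland rule compiler has to know that. I would comment them `int mbs_neg; /* MBS_* bits whose match result is inverted */` and `int mbo_neg; /* MBO_* bits whose match result is inverted */`. The *_min/*_max pairs also deserve a note on whether both bounds are inclusive; the comparison is not in this chunk, so whoever adds the comment should confirm it against the rulecheck code.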
Index: mac_ifoff.c
===================================================================
RCS file: /home/cvs/src/sys/security/mac_ifoff/mac_ifoff.c,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -L sys/security/mac_ifoff/mac_ifoff.c -L sys/security/mac_ifoff/mac_ifoff.c -u -r1.1.1.1 -r1.2
--- sys/security/mac_ifoff/mac_ifoff.c
+++ sys/security/mac_ifoff/mac_ifoff.c
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 1999-2002 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2007 Robert N. M. Watson
* Copyright (c) 2001-2002 Networks Associates Technology, Inc.
* All rights reserved.
*
@@ -31,7 +31,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $FreeBSD: src/sys/security/mac_ifoff/mac_ifoff.c,v 1.9 2004/02/22 00:33:11 rwatson Exp $
+ * $FreeBSD: src/sys/security/mac_ifoff/mac_ifoff.c,v 1.13 2007/04/23 13:15:21 rwatson Exp $
*/
/*
@@ -41,30 +41,16 @@
* environments.
*/
-#include <sys/types.h>
#include <sys/param.h>
-#include <sys/conf.h>
#include <sys/kernel.h>
-#include <sys/mac.h>
-#include <sys/mount.h>
-#include <sys/proc.h>
-#include <sys/systm.h>
-#include <sys/sysproto.h>
-#include <sys/sysent.h>
-#include <sys/vnode.h>
-#include <sys/file.h>
+#include <sys/module.h>
#include <sys/socket.h>
-#include <sys/socketvar.h>
#include <sys/sysctl.h>
#include <net/bpfdesc.h>
-#include <net/if.h>
#include <net/if_types.h>
-#include <net/if_var.h>
-#include <vm/vm.h>
-
-#include <sys/mac_policy.h>
+#include <security/mac/mac_policy.h>
SYSCTL_DECL(_security_mac);
@@ -93,31 +79,31 @@
TUNABLE_INT("security.mac.ifoff.bpfrecv.enabled", &mac_ifoff_bpfrecv_enabled);
static int
-check_ifnet_outgoing(struct ifnet *ifnet)
+check_ifnet_outgoing(struct ifnet *ifp)
{
if (!mac_ifoff_enabled)
return (0);
- if (mac_ifoff_lo_enabled && ifnet->if_type == IFT_LOOP)
+ if (mac_ifoff_lo_enabled && ifp->if_type == IFT_LOOP)
return (0);
- if (mac_ifoff_other_enabled && ifnet->if_type != IFT_LOOP)
+ if (mac_ifoff_other_enabled && ifp->if_type != IFT_LOOP)
return (0);
return (EPERM);
}
static int
-check_ifnet_incoming(struct ifnet *ifnet, int viabpf)
+check_ifnet_incoming(struct ifnet *ifp, int viabpf)
{
if (!mac_ifoff_enabled)
return (0);
- if (mac_ifoff_lo_enabled && ifnet->if_type == IFT_LOOP)
+ if (mac_ifoff_lo_enabled && ifp->if_type == IFT_LOOP)
return (0);
- if (mac_ifoff_other_enabled && ifnet->if_type != IFT_LOOP)
+ if (mac_ifoff_other_enabled && ifp->if_type != IFT_LOOP)
return (0);
if (viabpf && mac_ifoff_bpfrecv_enabled)
@@ -127,19 +113,19 @@
}
static int
-mac_ifoff_check_bpfdesc_receive(struct bpf_d *bpf_d, struct label *bpflabel,
- struct ifnet *ifnet, struct label *ifnetlabel)
+mac_ifoff_check_bpfdesc_receive(struct bpf_d *d, struct label *dlabel,
+ struct ifnet *ifp, struct label *ifplabel)
{
- return (check_ifnet_incoming(ifnet, 1));
+ return (check_ifnet_incoming(ifp, 1));
}
static int
-mac_ifoff_check_ifnet_transmit(struct ifnet *ifnet, struct label *ifnetlabel,
- struct mbuf *m, struct label *mbuflabel)
+mac_ifoff_check_ifnet_transmit(struct ifnet *ifp, struct label *ifplabel,
+ struct mbuf *m, struct label *mlabel)
{
- return (check_ifnet_outgoing(ifnet));
+ return (check_ifnet_outgoing(ifp));
}
static int
@@ -155,8 +141,8 @@
}
static int
-mac_ifoff_check_socket_deliver(struct socket *so, struct label *socketlabel,
- struct mbuf *m, struct label *mbuflabel)
+mac_ifoff_check_socket_deliver(struct socket *so, struct label *solabel,
+ struct mbuf *m, struct label *mlabel)
{
M_ASSERTPKTHDR(m);
Index: mac_lomac.c
===================================================================
RCS file: /home/cvs/src/sys/security/mac_lomac/mac_lomac.c,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -L sys/security/mac_lomac/mac_lomac.c -L sys/security/mac_lomac/mac_lomac.c -u -r1.1.1.1 -r1.2
--- sys/security/mac_lomac/mac_lomac.c
+++ sys/security/mac_lomac/mac_lomac.c
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 1999-2002 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2007 Robert N. M. Watson
* Copyright (c) 2001-2005 Networks Associates Technology, Inc.
* All rights reserved.
*
@@ -31,11 +31,12 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $FreeBSD: src/sys/security/mac_lomac/mac_lomac.c,v 1.35.2.3 2005/10/05 10:31:04 rwatson Exp $
+ * $FreeBSD: src/sys/security/mac_lomac/mac_lomac.c,v 1.53 2007/09/17 05:27:20 jeff Exp $
*/
/*
* Developed by the TrustedBSD Project.
+ *
* Low-watermark floating label mandatory integrity policy.
*/
@@ -45,10 +46,10 @@
#include <sys/conf.h>
#include <sys/extattr.h>
#include <sys/kernel.h>
-#include <sys/mac.h>
#include <sys/malloc.h>
#include <sys/mman.h>
#include <sys/mount.h>
+#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/sbuf.h>
#include <sys/systm.h>
@@ -77,8 +78,8 @@
#include <vm/vm.h>
-#include <sys/mac_policy.h>
-
+#include <security/mac/mac_policy.h>
+#include <security/mac/mac_framework.h>
#include <security/mac_lomac/mac_lomac.h>
struct mac_lomac_proc {
@@ -126,13 +127,13 @@
TUNABLE_INT("security.mac.lomac.revocation_enabled", &revocation_enabled);
static int mac_lomac_slot;
-#define SLOT(l) ((struct mac_lomac *)LABEL_TO_SLOT((l), mac_lomac_slot).l_ptr)
-#define SLOT_SET(l, val) (LABEL_TO_SLOT((l), mac_lomac_slot).l_ptr = (val))
+#define SLOT(l) ((struct mac_lomac *)mac_label_get((l), mac_lomac_slot))
+#define SLOT_SET(l, val) mac_label_set((l), mac_lomac_slot, (uintptr_t)(val))
#define PSLOT(l) ((struct mac_lomac_proc *) \
- LABEL_TO_SLOT((l), mac_lomac_slot).l_ptr)
-#define PSLOT_SET(l, val) (LABEL_TO_SLOT((l), mac_lomac_slot).l_ptr = (val))
+ mac_label_get((l), mac_lomac_slot))
+#define PSLOT_SET(l, val) mac_label_set((l), mac_lomac_slot, (uintptr_t)(val))
-MALLOC_DEFINE(M_MACLOMAC, "lomac label", "MAC/LOMAC labels");
+MALLOC_DEFINE(M_MACLOMAC, "mac_lomac_label", "MAC/LOMAC labels");
static struct mac_lomac *
lomac_alloc(int flag)
@@ -494,7 +495,7 @@
static int
maybe_demote(struct mac_lomac *subjlabel, struct mac_lomac *objlabel,
- const char *actionname, const char *objname, struct vnode *vpq)
+ const char *actionname, const char *objname, struct vnode *vp)
{
struct sbuf subjlabel_sb, subjtext_sb, objlabel_sb;
char *subjlabeltext, *objlabeltext, *subjtext;
@@ -535,10 +536,9 @@
subj->mac_lomac.ml_rangelow = objlabel->ml_single;
subj->mac_lomac.ml_rangehigh = objlabel->ml_single;
subj->mac_lomac.ml_flags |= MAC_LOMAC_FLAG_UPDATE;
- mtx_lock_spin(&sched_lock);
- curthread->td_flags |= TDF_ASTPENDING;
- curthread->td_proc->p_sflag |= PS_MACPEND;
- mtx_unlock_spin(&sched_lock);
+ thread_lock(curthread);
+ curthread->td_flags |= TDF_ASTPENDING | TDF_MACPEND;
+ thread_unlock(curthread);
/*
* Avoid memory allocation while holding a mutex; cache the
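Review bot: The replacement moves the pending-demotion marker from the process-wide `p_sflag |= PS_MACPEND` to the per-thread `TDF_MACPEND` on curthread, so in a multithreaded process only the thread that triggered the demotion is flagged to run the userret update. Whether that suffices depends on the userret handler updating the process credential, so sibling threads pick it up on their next credential refresh, rather than only curthread's td_ucred; that handler is outside this chunk, so please confirm before relying on it. A comment would record the intent: `/* Only the current thread is flagged; sibling threads rely on the process cred being updated at userret. */`. maybe_demote's body continues outside the hunk.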
@@ -563,14 +563,14 @@
objlabeltext = sbuf_data(&objlabel_sb);
pgid = p->p_pgrp->pg_id; /* XXX could be stale? */
- if (vpq != NULL && VOP_GETATTR(vpq, &va, curthread->td_ucred,
+ if (vp != NULL && VOP_GETATTR(vp, &va, curthread->td_ucred,
curthread) == 0) {
log(LOG_INFO, "LOMAC: level-%s subject p%dg%du%d:%s demoted to"
" level %s after %s a level-%s %s (inode=%ld, "
"mountpount=%s)\n",
subjlabeltext, p->p_pid, pgid, curthread->td_ucred->cr_uid,
p->p_comm, subjtext, actionname, objlabeltext, objname,
- va.va_fileid, vpq->v_mount->mnt_stat.f_mntonname);
+ va.va_fileid, vp->v_mount->mnt_stat.f_mntonname);
} else {
log(LOG_INFO, "LOMAC: level-%s subject p%dg%du%d:%s demoted to"
" level %s after %s a level-%s %s\n",
@@ -902,12 +902,12 @@
*/
static void
mac_lomac_create_devfs_device(struct ucred *cred, struct mount *mp,
- struct cdev *dev, struct devfs_dirent *devfs_dirent, struct label *label)
+ struct cdev *dev, struct devfs_dirent *de, struct label *delabel)
{
struct mac_lomac *mac_lomac;
int lomac_type;
- mac_lomac = SLOT(label);
+ mac_lomac = SLOT(delabel);
if (strcmp(dev->si_name, "null") == 0 ||
strcmp(dev->si_name, "zero") == 0 ||
strcmp(dev->si_name, "random") == 0 ||
@@ -925,11 +925,11 @@
static void
mac_lomac_create_devfs_directory(struct mount *mp, char *dirname,
- int dirnamelen, struct devfs_dirent *devfs_dirent, struct label *label)
+ int dirnamelen, struct devfs_dirent *de, struct label *delabel)
{
struct mac_lomac *mac_lomac;
- mac_lomac = SLOT(label);
+ mac_lomac = SLOT(delabel);
mac_lomac_set_single(mac_lomac, MAC_LOMAC_TYPE_HIGH, 0);
}
@@ -948,64 +948,61 @@
static void
mac_lomac_create_mount(struct ucred *cred, struct mount *mp,
- struct label *mntlabel, struct label *fslabel)
+ struct label *mplabel)
{
struct mac_lomac *source, *dest;
source = SLOT(cred->cr_label);
- dest = SLOT(mntlabel);
- mac_lomac_copy_single(source, dest);
- dest = SLOT(fslabel);
+ dest = SLOT(mplabel);
mac_lomac_copy_single(source, dest);
}
static void
mac_lomac_relabel_vnode(struct ucred *cred, struct vnode *vp,
- struct label *vnodelabel, struct label *label)
+ struct label *vplabel, struct label *newlabel)
{
struct mac_lomac *source, *dest;
- source = SLOT(label);
- dest = SLOT(vnodelabel);
+ source = SLOT(newlabel);
+ dest = SLOT(vplabel);
try_relabel(source, dest);
}
static void
-mac_lomac_update_devfsdirent(struct mount *mp,
- struct devfs_dirent *devfs_dirent, struct label *direntlabel,
- struct vnode *vp, struct label *vnodelabel)
+mac_lomac_update_devfs(struct mount *mp, struct devfs_dirent *de,
+ struct label *delabel, struct vnode *vp, struct label *vplabel)
{
struct mac_lomac *source, *dest;
- source = SLOT(vnodelabel);
- dest = SLOT(direntlabel);
+ source = SLOT(vplabel);
+ dest = SLOT(delabel);
mac_lomac_copy(source, dest);
}
static void
-mac_lomac_associate_vnode_devfs(struct mount *mp, struct label *fslabel,
+mac_lomac_associate_vnode_devfs(struct mount *mp, struct label *mplabel,
struct devfs_dirent *de, struct label *delabel, struct vnode *vp,
- struct label *vlabel)
+ struct label *vplabel)
{
struct mac_lomac *source, *dest;
source = SLOT(delabel);
- dest = SLOT(vlabel);
+ dest = SLOT(vplabel);
mac_lomac_copy_single(source, dest);
}
static int
-mac_lomac_associate_vnode_extattr(struct mount *mp, struct label *fslabel,
- struct vnode *vp, struct label *vlabel)
+mac_lomac_associate_vnode_extattr(struct mount *mp, struct label *mplabel,
+ struct vnode *vp, struct label *vplabel)
{
struct mac_lomac temp, *source, *dest;
int buflen, error;
- source = SLOT(fslabel);
- dest = SLOT(vlabel);
+ source = SLOT(mplabel);
+ dest = SLOT(vplabel);
buflen = sizeof(temp);
bzero(&temp, buflen);
@@ -1013,7 +1010,7 @@
error = vn_extattr_get(vp, IO_NODELOCKED, MAC_LOMAC_EXTATTR_NAMESPACE,
MAC_LOMAC_EXTATTR_NAME, &buflen, (char *)&temp, curthread);
if (error == ENOATTR || error == EOPNOTSUPP) {
- /* Fall back to the fslabel. */
+ /* Fall back to the mntlabel. */
mac_lomac_copy_single(source, dest);
return (0);
} else if (error)
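Review bot: The updated comment says `Fall back to the mntlabel`, but the parameter it refers to was renamed `mplabel` in this same commit, so the comment is already out of step with the code. More useful is stating what the fallback means for policy: a vnode with no label extattr, or on a filesystem without extattr support, silently takes the mount's single label. I would write `/* No per-file label (ENOATTR) or no extattr support: the vnode inherits the mount's single label from mplabel. */`. mac_lomac_associate_vnode_extattr starts and ends outside the hunk.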
@@ -1046,20 +1043,20 @@
static void
mac_lomac_associate_vnode_singlelabel(struct mount *mp,
- struct label *fslabel, struct vnode *vp, struct label *vlabel)
+ struct label *mplabel, struct vnode *vp, struct label *vplabel)
{
struct mac_lomac *source, *dest;
- source = SLOT(fslabel);
- dest = SLOT(vlabel);
+ source = SLOT(mplabel);
+ dest = SLOT(vplabel);
mac_lomac_copy_single(source, dest);
}
static int
mac_lomac_create_vnode_extattr(struct ucred *cred, struct mount *mp,
- struct label *fslabel, struct vnode *dvp, struct label *dlabel,
- struct vnode *vp, struct label *vlabel, struct componentname *cnp)
+ struct label *mplabel, struct vnode *dvp, struct label *dvplabel,
+ struct vnode *vp, struct label *vplabel, struct componentname *cnp)
{
struct mac_lomac *source, *dest, *dir, temp;
size_t buflen;
@@ -1069,8 +1066,8 @@
bzero(&temp, buflen);
source = SLOT(cred->cr_label);
- dest = SLOT(vlabel);
- dir = SLOT(dlabel);
+ dest = SLOT(vplabel);
+ dir = SLOT(dvplabel);
if (dir->ml_flags & MAC_LOMAC_FLAG_AUX) {
mac_lomac_copy_auxsingle(dir, &temp);
mac_lomac_set_single(&temp, dir->ml_auxsingle.mle_type,
@@ -1088,7 +1085,7 @@
static int
mac_lomac_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
- struct label *vlabel, struct label *intlabel)
+ struct label *vplabel, struct label *intlabel)
{
struct mac_lomac *source, temp;
size_t buflen;
@@ -1123,86 +1120,85 @@
}
static void
-mac_lomac_create_mbuf_from_socket(struct socket *so, struct label *socketlabel,
- struct mbuf *m, struct label *mbuflabel)
+mac_lomac_create_mbuf_from_socket(struct socket *so, struct label *solabel,
+ struct mbuf *m, struct label *mlabel)
{
struct mac_lomac *source, *dest;
- source = SLOT(socketlabel);
- dest = SLOT(mbuflabel);
+ source = SLOT(solabel);
+ dest = SLOT(mlabel);
mac_lomac_copy_single(source, dest);
}
static void
-mac_lomac_create_socket(struct ucred *cred, struct socket *socket,
- struct label *socketlabel)
+mac_lomac_create_socket(struct ucred *cred, struct socket *so,
+ struct label *solabel)
{
struct mac_lomac *source, *dest;
source = SLOT(cred->cr_label);
- dest = SLOT(socketlabel);
+ dest = SLOT(solabel);
mac_lomac_copy_single(source, dest);
}
static void
mac_lomac_create_pipe(struct ucred *cred, struct pipepair *pp,
- struct label *pipelabel)
+ struct label *pplabel)
{
struct mac_lomac *source, *dest;
source = SLOT(cred->cr_label);
- dest = SLOT(pipelabel);
+ dest = SLOT(pplabel);
mac_lomac_copy_single(source, dest);
}
static void
-mac_lomac_create_socket_from_socket(struct socket *oldsocket,
- struct label *oldsocketlabel, struct socket *newsocket,
- struct label *newsocketlabel)
+mac_lomac_create_socket_from_socket(struct socket *oldso,
+ struct label *oldsolabel, struct socket *newso, struct label *newsolabel)
{
struct mac_lomac *source, *dest;
- source = SLOT(oldsocketlabel);
- dest = SLOT(newsocketlabel);
+ source = SLOT(oldsolabel);
+ dest = SLOT(newsolabel);
mac_lomac_copy_single(source, dest);
}
static void
-mac_lomac_relabel_socket(struct ucred *cred, struct socket *socket,
- struct label *socketlabel, struct label *newlabel)
+mac_lomac_relabel_socket(struct ucred *cred, struct socket *so,
+ struct label *solabel, struct label *newlabel)
{
struct mac_lomac *source, *dest;
source = SLOT(newlabel);
- dest = SLOT(socketlabel);
+ dest = SLOT(solabel);
try_relabel(source, dest);
}
static void
mac_lomac_relabel_pipe(struct ucred *cred, struct pipepair *pp,
- struct label *pipelabel, struct label *newlabel)
+ struct label *pplabel, struct label *newlabel)
{
struct mac_lomac *source, *dest;
source = SLOT(newlabel);
- dest = SLOT(pipelabel);
+ dest = SLOT(pplabel);
try_relabel(source, dest);
}
static void
-mac_lomac_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct label *mbuflabel,
- struct socket *socket, struct label *socketpeerlabel)
+mac_lomac_set_socket_peer_from_mbuf(struct mbuf *m, struct label *mlabel,
+ struct socket *so, struct label *sopeerlabel)
{
struct mac_lomac *source, *dest;
- source = SLOT(mbuflabel);
- dest = SLOT(socketpeerlabel);
+ source = SLOT(mlabel);
+ dest = SLOT(sopeerlabel);
mac_lomac_copy_single(source, dest);
}
@@ -1211,41 +1207,41 @@
* Labeling event operations: network objects.
*/
static void
-mac_lomac_set_socket_peer_from_socket(struct socket *oldsocket,
- struct label *oldsocketlabel, struct socket *newsocket,
- struct label *newsocketpeerlabel)
+mac_lomac_set_socket_peer_from_socket(struct socket *oldso,
+ struct label *oldsolabel, struct socket *newso,
+ struct label *newsopeerlabel)
{
struct mac_lomac *source, *dest;
- source = SLOT(oldsocketlabel);
- dest = SLOT(newsocketpeerlabel);
+ source = SLOT(oldsolabel);
+ dest = SLOT(newsopeerlabel);
mac_lomac_copy_single(source, dest);
}
static void
-mac_lomac_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d,
- struct label *bpflabel)
+mac_lomac_create_bpfdesc(struct ucred *cred, struct bpf_d *d,
+ struct label *dlabel)
{
struct mac_lomac *source, *dest;
source = SLOT(cred->cr_label);
- dest = SLOT(bpflabel);
+ dest = SLOT(dlabel);
mac_lomac_copy_single(source, dest);
}
static void
-mac_lomac_create_ifnet(struct ifnet *ifnet, struct label *ifnetlabel)
+mac_lomac_create_ifnet(struct ifnet *ifp, struct label *ifplabel)
{
char tifname[IFNAMSIZ], *p, *q;
char tiflist[sizeof(trusted_interfaces)];
struct mac_lomac *dest;
int len, grade;
- dest = SLOT(ifnetlabel);
+ dest = SLOT(ifplabel);
- if (ifnet->if_type == IFT_LOOP) {
+ if (ifp->if_type == IFT_LOOP) {
grade = MAC_LOMAC_TYPE_EQUAL;
goto set;
}
@@ -1272,7 +1268,7 @@
if (len < IFNAMSIZ) {
bzero(tifname, sizeof(tifname));
bcopy(q, tifname, len);
- if (strcmp(tifname, ifnet->if_xname) == 0) {
+ if (strcmp(tifname, ifp->if_xname) == 0) {
grade = MAC_LOMAC_TYPE_HIGH;
break;
}
@@ -1294,12 +1290,12 @@
}
static void
-mac_lomac_create_ipq(struct mbuf *fragment, struct label *fragmentlabel,
- struct ipq *ipq, struct label *ipqlabel)
+mac_lomac_create_ipq(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
+ struct label *ipqlabel)
{
struct mac_lomac *source, *dest;
- source = SLOT(fragmentlabel);
+ source = SLOT(mlabel);
dest = SLOT(ipqlabel);
mac_lomac_copy_single(source, dest);
@@ -1307,25 +1303,25 @@
static void
mac_lomac_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel,
- struct mbuf *datagram, struct label *datagramlabel)
+ struct mbuf *m, struct label *mlabel)
{
struct mac_lomac *source, *dest;
source = SLOT(ipqlabel);
- dest = SLOT(datagramlabel);
+ dest = SLOT(mlabel);
/* Just use the head, since we require them all to match. */
mac_lomac_copy_single(source, dest);
}
static void
-mac_lomac_create_fragment(struct mbuf *datagram, struct label *datagramlabel,
- struct mbuf *fragment, struct label *fragmentlabel)
+mac_lomac_create_fragment(struct mbuf *m, struct label *mlabel,
+ struct mbuf *frag, struct label *fraglabel)
{
struct mac_lomac *source, *dest;
- source = SLOT(datagramlabel);
- dest = SLOT(fragmentlabel);
+ source = SLOT(mlabel);
+ dest = SLOT(fraglabel);
mac_lomac_copy_single(source, dest);
}
@@ -1343,92 +1339,92 @@
}
static void
-mac_lomac_create_mbuf_linklayer(struct ifnet *ifnet, struct label *ifnetlabel,
- struct mbuf *mbuf, struct label *mbuflabel)
+mac_lomac_create_mbuf_linklayer(struct ifnet *ifp, struct label *ifplabel,
+ struct mbuf *m, struct label *mlabel)
{
struct mac_lomac *dest;
- dest = SLOT(mbuflabel);
+ dest = SLOT(mlabel);
mac_lomac_set_single(dest, MAC_LOMAC_TYPE_EQUAL, 0);
}
static void
-mac_lomac_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct label *bpflabel,
- struct mbuf *mbuf, struct label *mbuflabel)
+mac_lomac_create_mbuf_from_bpfdesc(struct bpf_d *d, struct label *dlabel,
+ struct mbuf *m, struct label *mlabel)
{
struct mac_lomac *source, *dest;
- source = SLOT(bpflabel);
- dest = SLOT(mbuflabel);
+ source = SLOT(dlabel);
+ dest = SLOT(mlabel);
mac_lomac_copy_single(source, dest);
}
static void
-mac_lomac_create_mbuf_from_ifnet(struct ifnet *ifnet, struct label *ifnetlabel,
- struct mbuf *m, struct label *mbuflabel)
+mac_lomac_create_mbuf_from_ifnet(struct ifnet *ifp, struct label *ifplabel,
+ struct mbuf *m, struct label *mlabel)
{
struct mac_lomac *source, *dest;
- source = SLOT(ifnetlabel);
- dest = SLOT(mbuflabel);
+ source = SLOT(ifplabel);
+ dest = SLOT(mlabel);
mac_lomac_copy_single(source, dest);
}
static void
-mac_lomac_create_mbuf_multicast_encap(struct mbuf *oldmbuf,
- struct label *oldmbuflabel, struct ifnet *ifnet, struct label *ifnetlabel,
- struct mbuf *newmbuf, struct label *newmbuflabel)
+mac_lomac_create_mbuf_multicast_encap(struct mbuf *m, struct label *mlabel,
+ struct ifnet *ifp, struct label *ifplabel, struct mbuf *mnew,
+ struct label *mnewlabel)
{
struct mac_lomac *source, *dest;
- source = SLOT(oldmbuflabel);
- dest = SLOT(newmbuflabel);
+ source = SLOT(mlabel);
+ dest = SLOT(mnewlabel);
mac_lomac_copy_single(source, dest);
}
static void
-mac_lomac_create_mbuf_netlayer(struct mbuf *oldmbuf, struct label *oldmbuflabel,
- struct mbuf *newmbuf, struct label *newmbuflabel)
+mac_lomac_create_mbuf_netlayer(struct mbuf *m, struct label *mlabel,
+ struct mbuf *mnew, struct label *mnewlabel)
{
struct mac_lomac *source, *dest;
- source = SLOT(oldmbuflabel);
- dest = SLOT(newmbuflabel);
+ source = SLOT(mlabel);
+ dest = SLOT(mnewlabel);
mac_lomac_copy_single(source, dest);
}
static int
-mac_lomac_fragment_match(struct mbuf *fragment, struct label *fragmentlabel,
+mac_lomac_fragment_match(struct mbuf *m, struct label *mlabel,
struct ipq *ipq, struct label *ipqlabel)
{
struct mac_lomac *a, *b;
a = SLOT(ipqlabel);
- b = SLOT(fragmentlabel);
+ b = SLOT(mlabel);
return (mac_lomac_equal_single(a, b));
}
static void
-mac_lomac_relabel_ifnet(struct ucred *cred, struct ifnet *ifnet,
- struct label *ifnetlabel, struct label *newlabel)
+mac_lomac_relabel_ifnet(struct ucred *cred, struct ifnet *ifp,
+ struct label *ifplabel, struct label *newlabel)
{
struct mac_lomac *source, *dest;
source = SLOT(newlabel);
- dest = SLOT(ifnetlabel);
+ dest = SLOT(ifplabel);
try_relabel(source, dest);
}
static void
-mac_lomac_update_ipq(struct mbuf *fragment, struct label *fragmentlabel,
- struct ipq *ipq, struct label *ipqlabel)
+mac_lomac_update_ipq(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
+ struct label *ipqlabel)
{
/* NOOP: we only accept matching labels, so no need to update */
@@ -1446,20 +1442,51 @@
mac_lomac_copy_single(source, dest);
}
+static void
+mac_lomac_init_syncache_from_inpcb(struct label *label, struct inpcb *inp)
+{
+ struct mac_lomac *source, *dest;
+
+ source = SLOT(inp->inp_label);
+ dest = SLOT(label);
+ mac_lomac_copy(source, dest);
+}
+
+static void
+mac_lomac_create_mbuf_from_syncache(struct label *sc_label, struct mbuf *m,
+ struct label *mlabel)
+{
+ struct mac_lomac *source, *dest;
+
+ source = SLOT(sc_label);
+ dest = SLOT(mlabel);
+ mac_lomac_copy(source, dest);
+}
+
+static void
+mac_lomac_create_mbuf_from_firewall(struct mbuf *m, struct label *mlabel)
+{
+ struct mac_lomac *dest;
+
+ dest = SLOT(mlabel);
+
+ /* XXX: where is the label for the firewall really comming from? */
+ mac_lomac_set_single(dest, MAC_LOMAC_TYPE_EQUAL, 0);
+}
+
/*
* Labeling event operations: processes.
*/
static void
mac_lomac_execve_transition(struct ucred *old, struct ucred *new,
- struct vnode *vp, struct label *vnodelabel,
- struct label *interpvnodelabel, struct image_params *imgp,
- struct label *execlabel)
+ struct vnode *vp, struct label *vplabel, struct label *interpvnodelabel,
+ struct image_params *imgp, struct label *execlabel)
{
struct mac_lomac *source, *dest, *obj, *robj;
source = SLOT(old->cr_label);
dest = SLOT(new->cr_label);
- obj = SLOT(vnodelabel);
+ obj = SLOT(vplabel);
robj = interpvnodelabel != NULL ? SLOT(interpvnodelabel) : obj;
mac_lomac_copy(source, dest);
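Review bot: mac_lomac_init_syncache_from_inpcb and mac_lomac_create_mbuf_from_syncache copy the whole label with `mac_lomac_copy(source, dest);`, whereas every other packet-labelling hook in this file (mac_lomac_create_mbuf_from_socket, mac_lomac_create_mbuf_from_ifnet, mac_lomac_create_mbuf_from_bpfdesc) uses `mac_lomac_copy_single`; if mac_lomac_copy also carries the range and auxiliary fields, syncache and mbuf labels now hold state no mbuf consumer in this file reads, so either switch to `mac_lomac_copy_single` or add a comment saying why the full copy is intended. mac_lomac_create_mbuf_from_firewall assigns MAC_LOMAC_TYPE_EQUAL, the same unconditional label as mac_lomac_create_mbuf_linklayer; the XXX comment should record that EQUAL is a deliberate choice (presumably so firewall-generated packets are not rejected by the later ifnet/socket label comparisons) rather than a placeholder, and `comming` should read `coming`.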
@@ -1488,7 +1515,7 @@
static int
mac_lomac_execve_will_transition(struct ucred *old, struct vnode *vp,
- struct label *vnodelabel, struct label *interpvnodelabel,
+ struct label *vplabel, struct label *interpvnodelabel,
struct image_params *imgp, struct label *execlabel)
{
struct mac_lomac *subj, *obj, *robj;
@@ -1497,7 +1524,7 @@
return (0);
subj = SLOT(old->cr_label);
- obj = SLOT(vnodelabel);
+ obj = SLOT(vplabel);
robj = interpvnodelabel != NULL ? SLOT(interpvnodelabel) : obj;
return ((robj->ml_flags & MAC_LOMAC_FLAG_AUX &&
@@ -1545,16 +1572,16 @@
* Access control checks.
*/
static int
-mac_lomac_check_bpfdesc_receive(struct bpf_d *bpf_d, struct label *bpflabel,
- struct ifnet *ifnet, struct label *ifnetlabel)
+mac_lomac_check_bpfdesc_receive(struct bpf_d *d, struct label *dlabel,
+ struct ifnet *ifp, struct label *ifplabel)
{
struct mac_lomac *a, *b;
if (!mac_lomac_enabled)
return (0);
- a = SLOT(bpflabel);
- b = SLOT(ifnetlabel);
+ a = SLOT(dlabel);
+ b = SLOT(ifplabel);
if (mac_lomac_equal_single(a, b))
return (0);
@@ -1628,15 +1655,15 @@
}
static int
-mac_lomac_check_cred_visible(struct ucred *u1, struct ucred *u2)
+mac_lomac_check_cred_visible(struct ucred *cr1, struct ucred *cr2)
{
struct mac_lomac *subj, *obj;
if (!mac_lomac_enabled)
return (0);
- subj = SLOT(u1->cr_label);
- obj = SLOT(u2->cr_label);
+ subj = SLOT(cr1->cr_label);
+ obj = SLOT(cr2->cr_label);
/* XXX: range */
if (!mac_lomac_dominate_single(obj, subj))
@@ -1646,8 +1673,8 @@
}
static int
-mac_lomac_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet,
- struct label *ifnetlabel, struct label *newlabel)
+mac_lomac_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifp,
+ struct label *ifplabel, struct label *newlabel)
{
struct mac_lomac *subj, *new;
int error;
@@ -1686,8 +1713,10 @@
* Rely on the traditional superuser status for the LOMAC
* interface relabel requirements. XXXMAC: This will go
* away.
+ *
+ * XXXRW: This is also redundant to a higher layer check.
*/
- error = suser_cred(cred, 0);
+ error = priv_check_cred(cred, PRIV_NET_SETIFMAC, 0);
if (error)
return (EPERM);
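Review bot: The result of `priv_check_cred(cred, PRIV_NET_SETIFMAC, 0)` is collapsed to `EPERM` on the following line, discarding whatever the privilege framework reported; `return (error);` keeps it. The new comment should also note that this is no longer a plain superuser test: if priv_check_cred consults the MAC privilege hook, PRIV_NET_SETIFMAC is not in the exemption list of the mac_lomac_priv_check added later in this diff, so interface relabel will additionally require LOMAC privilege through that path. Both the start and the end of mac_lomac_check_ifnet_relabel lie outside this hunk.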
@@ -1701,16 +1730,16 @@
}
static int
-mac_lomac_check_ifnet_transmit(struct ifnet *ifnet, struct label *ifnetlabel,
- struct mbuf *m, struct label *mbuflabel)
+mac_lomac_check_ifnet_transmit(struct ifnet *ifp, struct label *ifplabel,
+ struct mbuf *m, struct label *mlabel)
{
struct mac_lomac *p, *i;
if (!mac_lomac_enabled)
return (0);
- p = SLOT(mbuflabel);
- i = SLOT(ifnetlabel);
+ p = SLOT(mlabel);
+ i = SLOT(ifplabel);
return (mac_lomac_single_in_range(p, i) ? 0 : EACCES);
}
@@ -1732,7 +1761,7 @@
static int
mac_lomac_check_kld_load(struct ucred *cred, struct vnode *vp,
- struct label *label)
+ struct label *vplabel)
{
struct mac_lomac *subj, *obj;
@@ -1740,7 +1769,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(label);
+ obj = SLOT(vplabel);
if (mac_lomac_subject_privileged(subj))
return (EPERM);
@@ -1752,27 +1781,11 @@
}
static int
-mac_lomac_check_kld_unload(struct ucred *cred)
-{
- struct mac_lomac *subj;
-
- if (!mac_lomac_enabled)
- return (0);
-
- subj = SLOT(cred->cr_label);
-
- if (mac_lomac_subject_privileged(subj))
- return (EPERM);
-
- return (0);
-}
-
-static int
mac_lomac_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp,
- struct label *pipelabel, unsigned long cmd, void /* caddr_t */ *data)
+ struct label *pplabel, unsigned long cmd, void /* caddr_t */ *data)
{
- if(!mac_lomac_enabled)
+ if (!mac_lomac_enabled)
return (0);
/* XXX: This will be implemented soon... */
@@ -1782,7 +1795,7 @@
static int
mac_lomac_check_pipe_read(struct ucred *cred, struct pipepair *pp,
- struct label *pipelabel)
+ struct label *pplabel)
{
struct mac_lomac *subj, *obj;
@@ -1790,7 +1803,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT((pipelabel));
+ obj = SLOT(pplabel);
if (!mac_lomac_dominate_single(obj, subj))
return (maybe_demote(subj, obj, "reading", "pipe", NULL));
@@ -1800,14 +1813,14 @@
static int
mac_lomac_check_pipe_relabel(struct ucred *cred, struct pipepair *pp,
- struct label *pipelabel, struct label *newlabel)
+ struct label *pplabel, struct label *newlabel)
{
struct mac_lomac *subj, *obj, *new;
int error;
new = SLOT(newlabel);
subj = SLOT(cred->cr_label);
- obj = SLOT(pipelabel);
+ obj = SLOT(pplabel);
/*
* If there is a LOMAC label update for a pipe, it must be a
@@ -1851,7 +1864,7 @@
static int
mac_lomac_check_pipe_write(struct ucred *cred, struct pipepair *pp,
- struct label *pipelabel)
+ struct label *pplabel)
{
struct mac_lomac *subj, *obj;
@@ -1859,7 +1872,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT((pipelabel));
+ obj = SLOT(pplabel);
if (!mac_lomac_subject_dominate(subj, obj))
return (EACCES);
@@ -1868,7 +1881,7 @@
}
static int
-mac_lomac_check_proc_debug(struct ucred *cred, struct proc *proc)
+mac_lomac_check_proc_debug(struct ucred *cred, struct proc *p)
{
struct mac_lomac *subj, *obj;
@@ -1876,7 +1889,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(proc->p_ucred->cr_label);
+ obj = SLOT(p->p_ucred->cr_label);
/* XXX: range checks */
if (!mac_lomac_dominate_single(obj, subj))
@@ -1888,7 +1901,7 @@
}
static int
-mac_lomac_check_proc_sched(struct ucred *cred, struct proc *proc)
+mac_lomac_check_proc_sched(struct ucred *cred, struct proc *p)
{
struct mac_lomac *subj, *obj;
@@ -1896,7 +1909,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(proc->p_ucred->cr_label);
+ obj = SLOT(p->p_ucred->cr_label);
/* XXX: range checks */
if (!mac_lomac_dominate_single(obj, subj))
@@ -1908,7 +1921,7 @@
}
static int
-mac_lomac_check_proc_signal(struct ucred *cred, struct proc *proc, int signum)
+mac_lomac_check_proc_signal(struct ucred *cred, struct proc *p, int signum)
{
struct mac_lomac *subj, *obj;
@@ -1916,7 +1929,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(proc->p_ucred->cr_label);
+ obj = SLOT(p->p_ucred->cr_label);
/* XXX: range checks */
if (!mac_lomac_dominate_single(obj, subj))
@@ -1928,30 +1941,30 @@
}
static int
-mac_lomac_check_socket_deliver(struct socket *so, struct label *socketlabel,
- struct mbuf *m, struct label *mbuflabel)
+mac_lomac_check_socket_deliver(struct socket *so, struct label *solabel,
+ struct mbuf *m, struct label *mlabel)
{
struct mac_lomac *p, *s;
if (!mac_lomac_enabled)
return (0);
- p = SLOT(mbuflabel);
- s = SLOT(socketlabel);
+ p = SLOT(mlabel);
+ s = SLOT(solabel);
return (mac_lomac_equal_single(p, s) ? 0 : EACCES);
}
static int
-mac_lomac_check_socket_relabel(struct ucred *cred, struct socket *socket,
- struct label *socketlabel, struct label *newlabel)
+mac_lomac_check_socket_relabel(struct ucred *cred, struct socket *so,
+ struct label *solabel, struct label *newlabel)
{
struct mac_lomac *subj, *obj, *new;
int error;
new = SLOT(newlabel);
subj = SLOT(cred->cr_label);
- obj = SLOT(socketlabel);
+ obj = SLOT(solabel);
/*
* If there is a LOMAC label update for the socket, it may be
@@ -1994,8 +2007,8 @@
}
static int
-mac_lomac_check_socket_visible(struct ucred *cred, struct socket *socket,
- struct label *socketlabel)
+mac_lomac_check_socket_visible(struct ucred *cred, struct socket *so,
+ struct label *solabel)
{
struct mac_lomac *subj, *obj;
@@ -2003,7 +2016,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(socketlabel);
+ obj = SLOT(solabel);
if (!mac_lomac_dominate_single(obj, subj))
return (ENOENT);
@@ -2011,9 +2024,258 @@
return (0);
}
+/*
+ * Some system privileges are allowed regardless of integrity grade; others
+ * are allowed only when running with privilege with respect to the LOMAC
+ * policy as they might otherwise allow bypassing of the integrity policy.
+ */
+static int
+mac_lomac_priv_check(struct ucred *cred, int priv)
+{
+ struct mac_lomac *subj;
+ int error;
+
+ if (!mac_lomac_enabled)
+ return (0);
+
+ /*
+ * Exempt only specific privileges from the LOMAC integrity policy.
+ */
+ switch (priv) {
+ case PRIV_KTRACE:
+ case PRIV_MSGBUF:
+
+ /*
+ * Allow processes to manipulate basic process audit properties, and
+ * to submit audit records.
+ */
+ case PRIV_AUDIT_GETAUDIT:
+ case PRIV_AUDIT_SETAUDIT:
+ case PRIV_AUDIT_SUBMIT:
+
+ /*
+ * Allow processes to manipulate their regular UNIX credentials.
+ */
+ case PRIV_CRED_SETUID:
+ case PRIV_CRED_SETEUID:
+ case PRIV_CRED_SETGID:
+ case PRIV_CRED_SETEGID:
+ case PRIV_CRED_SETGROUPS:
+ case PRIV_CRED_SETREUID:
+ case PRIV_CRED_SETREGID:
+ case PRIV_CRED_SETRESUID:
+ case PRIV_CRED_SETRESGID:
+
+ /*
+ * Allow processes to perform system monitoring.
+ */
+ case PRIV_SEEOTHERGIDS:
+ case PRIV_SEEOTHERUIDS:
+ break;
+
+ /*
+ * Allow access to general process debugging facilities. We
+ * separately control debugging based on MAC label.
+ */
+ case PRIV_DEBUG_DIFFCRED:
+ case PRIV_DEBUG_SUGID:
+ case PRIV_DEBUG_UNPRIV:
+
+ /*
+ * Allow manipulating jails.
+ */
+ case PRIV_JAIL_ATTACH:
+
+ /*
+ * Allow privilege with respect to the Partition policy, but not the
+ * Privs policy.
+ */
+ case PRIV_MAC_PARTITION:
+
+ /*
+ * Allow privilege with respect to process resource limits and login
+ * context.
+ */
+ case PRIV_PROC_LIMIT:
+ case PRIV_PROC_SETLOGIN:
+ case PRIV_PROC_SETRLIMIT:
+
+ /*
+ * Allow System V and POSIX IPC privileges.
+ */
+ case PRIV_IPC_READ:
+ case PRIV_IPC_WRITE:
+ case PRIV_IPC_ADMIN:
+ case PRIV_IPC_MSGSIZE:
+ case PRIV_MQ_ADMIN:
+
+ /*
+ * Allow certain scheduler manipulations -- possibly this should be
+ * controlled by more fine-grained policy, as potentially low
+ * integrity processes can deny CPU to higher integrity ones.
+ */
+ case PRIV_SCHED_DIFFCRED:
+ case PRIV_SCHED_SETPRIORITY:
+ case PRIV_SCHED_RTPRIO:
+ case PRIV_SCHED_SETPOLICY:
+ case PRIV_SCHED_SET:
+ case PRIV_SCHED_SETPARAM:
+
+ /*
+ * More IPC privileges.
+ */
+ case PRIV_SEM_WRITE:
+
+ /*
+ * Allow signaling privileges subject to integrity policy.
+ */
+ case PRIV_SIGNAL_DIFFCRED:
+ case PRIV_SIGNAL_SUGID:
+
+ /*
+ * Allow access to only limited sysctls from lower integrity levels;
+ * piggy-back on the Jail definition.
+ */
+ case PRIV_SYSCTL_WRITEJAIL:
+
+ /*
+ * Allow TTY-based privileges, subject to general device access using
+ * labels on TTY device nodes, but not console privilege.
+ */
+ case PRIV_TTY_DRAINWAIT:
+ case PRIV_TTY_DTRWAIT:
+ case PRIV_TTY_EXCLUSIVE:
+ case PRIV_TTY_PRISON:
+ case PRIV_TTY_STI:
+ case PRIV_TTY_SETA:
+
+ /*
+ * Grant most VFS privileges, as almost all are in practice bounded
+ * by more specific checks using labels.
+ */
+ case PRIV_VFS_READ:
+ case PRIV_VFS_WRITE:
+ case PRIV_VFS_ADMIN:
+ case PRIV_VFS_EXEC:
+ case PRIV_VFS_LOOKUP:
+ case PRIV_VFS_CHFLAGS_DEV:
+ case PRIV_VFS_CHOWN:
+ case PRIV_VFS_CHROOT:
+ case PRIV_VFS_RETAINSUGID:
+ case PRIV_VFS_EXCEEDQUOTA:
+ case PRIV_VFS_FCHROOT:
+ case PRIV_VFS_FHOPEN:
+ case PRIV_VFS_FHSTATFS:
+ case PRIV_VFS_GENERATION:
+ case PRIV_VFS_GETFH:
+ case PRIV_VFS_GETQUOTA:
+ case PRIV_VFS_LINK:
+ case PRIV_VFS_MOUNT:
+ case PRIV_VFS_MOUNT_OWNER:
+ case PRIV_VFS_MOUNT_PERM:
+ case PRIV_VFS_MOUNT_SUIDDIR:
+ case PRIV_VFS_MOUNT_NONUSER:
+ case PRIV_VFS_SETGID:
+ case PRIV_VFS_STICKYFILE:
+ case PRIV_VFS_SYSFLAGS:
+ case PRIV_VFS_UNMOUNT:
+
+ /*
+ * Allow VM privileges; it would be nice if these were subject to
+ * resource limits.
+ */
+ case PRIV_VM_MADV_PROTECT:
+ case PRIV_VM_MLOCK:
+ case PRIV_VM_MUNLOCK:
+
+ /*
+ * Allow some but not all network privileges. In general, dont allow
+ * reconfiguring the network stack, just normal use.
+ */
+ case PRIV_NETATALK_RESERVEDPORT:
+ case PRIV_NETINET_RESERVEDPORT:
+ case PRIV_NETINET_RAW:
+ case PRIV_NETINET_REUSEPORT:
+ case PRIV_NETIPX_RESERVEDPORT:
+ case PRIV_NETIPX_RAW:
+ break;
+
+ /*
+ * All remaining system privileges are allow only if the process
+ * holds privilege with respect to the LOMAC policy.
+ */
+ default:
+ subj = SLOT(cred->cr_label);
+ error = mac_lomac_subject_privileged(subj);
+ if (error)
+ return (error);
+ }
+ return (0);
+}
+
+
+static int
+mac_lomac_check_system_acct(struct ucred *cred, struct vnode *vp,
+ struct label *vplabel)
+{
+ struct mac_lomac *subj, *obj;
+
+ if (!mac_lomac_enabled)
+ return (0);
+
+ subj = SLOT(cred->cr_label);
+ obj = SLOT(vplabel);
+
+ if (mac_lomac_subject_privileged(subj))
+ return (EPERM);
+
+ if (!mac_lomac_high_single(obj))
+ return (EACCES);
+
+ return (0);
+}
+
+static int
+mac_lomac_check_system_auditctl(struct ucred *cred, struct vnode *vp,
+ struct label *vplabel)
+{
+ struct mac_lomac *subj, *obj;
+
+ if (!mac_lomac_enabled)
+ return (0);
+
+ subj = SLOT(cred->cr_label);
+ obj = SLOT(vplabel);
+
+ if (mac_lomac_subject_privileged(subj))
+ return (EPERM);
+
+ if (!mac_lomac_high_single(obj))
+ return (EACCES);
+
+ return (0);
+}
+
+static int
+mac_lomac_check_system_swapoff(struct ucred *cred, struct vnode *vp,
+ struct label *vplabel)
+{
+ struct mac_lomac *subj;
+
+ if (!mac_lomac_enabled)
+ return (0);
+
+ subj = SLOT(cred->cr_label);
+
+ if (mac_lomac_subject_privileged(subj))
+ return (EPERM);
+
+ return (0);
+}
+
static int
mac_lomac_check_system_swapon(struct ucred *cred, struct vnode *vp,
- struct label *label)
+ struct label *vplabel)
{
struct mac_lomac *subj, *obj;
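Review bot: mac_lomac_check_system_acct and mac_lomac_check_system_auditctl dereference the vnode label via `obj = SLOT(vplabel);` with no NULL test, yet both syscalls can be used to turn accounting/auditing off with no vnode; if the framework passes a NULL label in that case (the new mac_lomac_check_system_swapoff in the same hunk sidesteps the question by never reading vplabel), this is a kernel NULL dereference. Move `obj = SLOT(vplabel);` below the mac_lomac_subject_privileged test and precede it with `if (vplabel == NULL) return (0);` in both functions, or confirm the caller never passes NULL and say so in a comment; since the two bodies are identical, a shared static helper would keep them in step. In mac_lomac_priv_check the default branch now also governs kernel module unload, because the explicit mac_lomac_check_kld_unload is deleted in the hunk at -1752 and PRIV_KLD_UNLOAD is not among the exempted cases; that deserves a sentence in the function's header comment. The comment above `default:` should read `are allowed only if`, and the double blank line before mac_lomac_check_system_acct should be collapsed to one.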
@@ -2021,7 +2283,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(label);
+ obj = SLOT(vplabel);
if (mac_lomac_subject_privileged(subj))
return (EPERM);
@@ -2062,7 +2324,7 @@
static int
mac_lomac_check_vnode_create(struct ucred *cred, struct vnode *dvp,
- struct label *dlabel, struct componentname *cnp, struct vattr *vap)
+ struct label *dvplabel, struct componentname *cnp, struct vattr *vap)
{
struct mac_lomac *subj, *obj;
@@ -2070,7 +2332,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(dlabel);
+ obj = SLOT(dvplabel);
if (!mac_lomac_subject_dominate(subj, obj))
return (EACCES);
@@ -2082,32 +2344,8 @@
}
static int
-mac_lomac_check_vnode_delete(struct ucred *cred, struct vnode *dvp,
- struct label *dlabel, struct vnode *vp, struct label *label,
- struct componentname *cnp)
-{
- struct mac_lomac *subj, *obj;
-
- if (!mac_lomac_enabled)
- return (0);
-
- subj = SLOT(cred->cr_label);
- obj = SLOT(dlabel);
-
- if (!mac_lomac_subject_dominate(subj, obj))
- return (EACCES);
-
- obj = SLOT(label);
-
- if (!mac_lomac_subject_dominate(subj, obj))
- return (EACCES);
-
- return (0);
-}
-
-static int
mac_lomac_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
- struct label *label, acl_type_t type)
+ struct label *vplabel, acl_type_t type)
{
struct mac_lomac *subj, *obj;
@@ -2115,7 +2353,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(label);
+ obj = SLOT(vplabel);
if (!mac_lomac_subject_dominate(subj, obj))
return (EACCES);
@@ -2125,7 +2363,7 @@
static int
mac_lomac_check_vnode_link(struct ucred *cred, struct vnode *dvp,
- struct label *dlabel, struct vnode *vp, struct label *label,
+ struct label *dvplabel, struct vnode *vp, struct label *vplabel,
struct componentname *cnp)
{
struct mac_lomac *subj, *obj;
@@ -2134,12 +2372,12 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(dlabel);
+ obj = SLOT(dvplabel);
if (!mac_lomac_subject_dominate(subj, obj))
return (EACCES);
- obj = SLOT(label);
+ obj = SLOT(vplabel);
if (!mac_lomac_subject_dominate(subj, obj))
return (EACCES);
@@ -2149,7 +2387,7 @@
static int
mac_lomac_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
- struct label *label, int prot, int flags)
+ struct label *vplabel, int prot, int flags)
{
struct mac_lomac *subj, *obj;
@@ -2161,7 +2399,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(label);
+ obj = SLOT(vplabel);
if (((prot & VM_PROT_WRITE) != 0) && ((flags & MAP_SHARED) != 0)) {
if (!mac_lomac_subject_dominate(subj, obj))
@@ -2177,7 +2415,7 @@
static void
mac_lomac_check_vnode_mmap_downgrade(struct ucred *cred, struct vnode *vp,
- struct label *label, /* XXX vm_prot_t */ int *prot)
+ struct label *vplabel, /* XXX vm_prot_t */ int *prot)
{
struct mac_lomac *subj, *obj;
@@ -2189,7 +2427,7 @@
return;
subj = SLOT(cred->cr_label);
- obj = SLOT(label);
+ obj = SLOT(vplabel);
if (!mac_lomac_subject_dominate(subj, obj))
*prot &= ~VM_PROT_WRITE;
@@ -2197,7 +2435,7 @@
static int
mac_lomac_check_vnode_open(struct ucred *cred, struct vnode *vp,
- struct label *vnodelabel, int acc_mode)
+ struct label *vplabel, int acc_mode)
{
struct mac_lomac *subj, *obj;
@@ -2205,7 +2443,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(vnodelabel);
+ obj = SLOT(vplabel);
/* XXX privilege override for admin? */
if (acc_mode & (VWRITE | VAPPEND | VADMIN)) {
@@ -2218,7 +2456,7 @@
static int
mac_lomac_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
- struct vnode *vp, struct label *label)
+ struct vnode *vp, struct label *vplabel)
{
struct mac_lomac *subj, *obj;
@@ -2226,7 +2464,7 @@
return (0);
subj = SLOT(active_cred->cr_label);
- obj = SLOT(label);
+ obj = SLOT(vplabel);
if (!mac_lomac_dominate_single(obj, subj))
return (maybe_demote(subj, obj, "reading", "file", vp));
@@ -2236,12 +2474,12 @@
static int
mac_lomac_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
- struct label *vnodelabel, struct label *newlabel)
+ struct label *vplabel, struct label *newlabel)
{
struct mac_lomac *old, *new, *subj;
int error;
- old = SLOT(vnodelabel);
+ old = SLOT(vplabel);
new = SLOT(newlabel);
subj = SLOT(cred->cr_label);
@@ -2312,7 +2550,7 @@
static int
mac_lomac_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
- struct label *dlabel, struct vnode *vp, struct label *label,
+ struct label *dvplabel, struct vnode *vp, struct label *vplabel,
struct componentname *cnp)
{
struct mac_lomac *subj, *obj;
@@ -2321,12 +2559,12 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(dlabel);
+ obj = SLOT(dvplabel);
if (!mac_lomac_subject_dominate(subj, obj))
return (EACCES);
- obj = SLOT(label);
+ obj = SLOT(vplabel);
if (!mac_lomac_subject_dominate(subj, obj))
return (EACCES);
@@ -2336,8 +2574,8 @@
static int
mac_lomac_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
- struct label *dlabel, struct vnode *vp, struct label *label, int samedir,
- struct componentname *cnp)
+ struct label *dvplabel, struct vnode *vp, struct label *vplabel,
+ int samedir, struct componentname *cnp)
{
struct mac_lomac *subj, *obj;
@@ -2345,13 +2583,13 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(dlabel);
+ obj = SLOT(dvplabel);
if (!mac_lomac_subject_dominate(subj, obj))
return (EACCES);
if (vp != NULL) {
- obj = SLOT(label);
+ obj = SLOT(vplabel);
if (!mac_lomac_subject_dominate(subj, obj))
return (EACCES);
@@ -2362,7 +2600,7 @@
static int
mac_lomac_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
- struct label *label)
+ struct label *vplabel)
{
struct mac_lomac *subj, *obj;
@@ -2370,7 +2608,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(label);
+ obj = SLOT(vplabel);
if (!mac_lomac_subject_dominate(subj, obj))
return (EACCES);
@@ -2380,7 +2618,7 @@
static int
mac_lomac_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
- struct label *label, acl_type_t type, struct acl *acl)
+ struct label *vplabel, acl_type_t type, struct acl *acl)
{
struct mac_lomac *subj, *obj;
@@ -2388,7 +2626,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(label);
+ obj = SLOT(vplabel);
if (!mac_lomac_subject_dominate(subj, obj))
return (EACCES);
@@ -2398,7 +2636,7 @@
static int
mac_lomac_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
- struct label *vnodelabel, int attrnamespace, const char *name,
+ struct label *vplabel, int attrnamespace, const char *name,
struct uio *uio)
{
struct mac_lomac *subj, *obj;
@@ -2407,7 +2645,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(vnodelabel);
+ obj = SLOT(vplabel);
if (!mac_lomac_subject_dominate(subj, obj))
return (EACCES);
@@ -2419,7 +2657,7 @@
static int
mac_lomac_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
- struct label *vnodelabel, u_long flags)
+ struct label *vplabel, u_long flags)
{
struct mac_lomac *subj, *obj;
@@ -2427,7 +2665,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(vnodelabel);
+ obj = SLOT(vplabel);
if (!mac_lomac_subject_dominate(subj, obj))
return (EACCES);
@@ -2437,7 +2675,7 @@
static int
mac_lomac_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
- struct label *vnodelabel, mode_t mode)
+ struct label *vplabel, mode_t mode)
{
struct mac_lomac *subj, *obj;
@@ -2445,7 +2683,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(vnodelabel);
+ obj = SLOT(vplabel);
if (!mac_lomac_subject_dominate(subj, obj))
return (EACCES);
@@ -2455,7 +2693,7 @@
static int
mac_lomac_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
- struct label *vnodelabel, uid_t uid, gid_t gid)
+ struct label *vplabel, uid_t uid, gid_t gid)
{
struct mac_lomac *subj, *obj;
@@ -2463,7 +2701,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(vnodelabel);
+ obj = SLOT(vplabel);
if (!mac_lomac_subject_dominate(subj, obj))
return (EACCES);
@@ -2473,7 +2711,26 @@
static int
mac_lomac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
- struct label *vnodelabel, struct timespec atime, struct timespec mtime)
+ struct label *vplabel, struct timespec atime, struct timespec mtime)
+{
+ struct mac_lomac *subj, *obj;
+
+ if (!mac_lomac_enabled)
+ return (0);
+
+ subj = SLOT(cred->cr_label);
+ obj = SLOT(vplabel);
+
+ if (!mac_lomac_subject_dominate(subj, obj))
+ return (EACCES);
+
+ return (0);
+}
+
+static int
+mac_lomac_check_vnode_unlink(struct ucred *cred, struct vnode *dvp,
+ struct label *dvplabel, struct vnode *vp, struct label *vplabel,
+ struct componentname *cnp)
{
struct mac_lomac *subj, *obj;
@@ -2481,7 +2738,12 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(vnodelabel);
+ obj = SLOT(dvplabel);
+
+ if (!mac_lomac_subject_dominate(subj, obj))
+ return (EACCES);
+
+ obj = SLOT(vplabel);
if (!mac_lomac_subject_dominate(subj, obj))
return (EACCES);
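Review bot: The second dominance test added to mac_lomac_check_vnode_unlink, the one after `obj = SLOT(vplabel);`, has no comment saying why the target's label is tested in addition to the directory's, while the neighbouring setflags/setmode/setowner/setutimes checks in this file test only the one object being written. A one-line comment above the second assignment, such as `/* Unlinking writes the directory and removes the target, so the subject must dominate both. */`, would record the intent (the "removes the target" part is my reading of the hook's name, not something the hunk shows). The function's closing `return (0);` lies outside this hunk.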
@@ -2491,7 +2753,7 @@
static int
mac_lomac_check_vnode_write(struct ucred *active_cred,
- struct ucred *file_cred, struct vnode *vp, struct label *label)
+ struct ucred *file_cred, struct vnode *vp, struct label *vplabel)
{
struct mac_lomac *subj, *obj;
@@ -2499,7 +2761,7 @@
return (0);
subj = SLOT(active_cred->cr_label);
- obj = SLOT(label);
+ obj = SLOT(vplabel);
if (!mac_lomac_subject_dominate(subj, obj))
return (EACCES);
@@ -2558,29 +2820,30 @@
.mpo_init = mac_lomac_init,
.mpo_init_bpfdesc_label = mac_lomac_init_label,
.mpo_init_cred_label = mac_lomac_init_label,
- .mpo_init_devfsdirent_label = mac_lomac_init_label,
+ .mpo_init_devfs_label = mac_lomac_init_label,
.mpo_init_ifnet_label = mac_lomac_init_label,
+ .mpo_init_syncache_label = mac_lomac_init_label_waitcheck,
.mpo_init_inpcb_label = mac_lomac_init_label_waitcheck,
.mpo_init_ipq_label = mac_lomac_init_label_waitcheck,
.mpo_init_mbuf_label = mac_lomac_init_label_waitcheck,
.mpo_init_mount_label = mac_lomac_init_label,
- .mpo_init_mount_fs_label = mac_lomac_init_label,
.mpo_init_pipe_label = mac_lomac_init_label,
.mpo_init_proc_label = mac_lomac_init_proc_label,
.mpo_init_socket_label = mac_lomac_init_label_waitcheck,
.mpo_init_socket_peer_label = mac_lomac_init_label_waitcheck,
.mpo_init_vnode_label = mac_lomac_init_label,
+ .mpo_init_syncache_from_inpcb = mac_lomac_init_syncache_from_inpcb,
.mpo_destroy_bpfdesc_label = mac_lomac_destroy_label,
.mpo_destroy_cred_label = mac_lomac_destroy_label,
- .mpo_destroy_devfsdirent_label = mac_lomac_destroy_label,
+ .mpo_destroy_devfs_label = mac_lomac_destroy_label,
.mpo_destroy_ifnet_label = mac_lomac_destroy_label,
.mpo_destroy_inpcb_label = mac_lomac_destroy_label,
.mpo_destroy_ipq_label = mac_lomac_destroy_label,
.mpo_destroy_mbuf_label = mac_lomac_destroy_label,
.mpo_destroy_mount_label = mac_lomac_destroy_label,
- .mpo_destroy_mount_fs_label = mac_lomac_destroy_label,
.mpo_destroy_pipe_label = mac_lomac_destroy_label,
.mpo_destroy_proc_label = mac_lomac_destroy_proc_label,
+ .mpo_destroy_syncache_label = mac_lomac_destroy_label,
.mpo_destroy_socket_label = mac_lomac_destroy_label,
.mpo_destroy_socket_peer_label = mac_lomac_destroy_label,
.mpo_destroy_vnode_label = mac_lomac_destroy_label,
@@ -2606,7 +2869,7 @@
.mpo_create_devfs_symlink = mac_lomac_create_devfs_symlink,
.mpo_create_mount = mac_lomac_create_mount,
.mpo_relabel_vnode = mac_lomac_relabel_vnode,
- .mpo_update_devfsdirent = mac_lomac_update_devfsdirent,
+ .mpo_update_devfs = mac_lomac_update_devfs,
.mpo_associate_vnode_devfs = mac_lomac_associate_vnode_devfs,
.mpo_associate_vnode_extattr = mac_lomac_associate_vnode_extattr,
.mpo_associate_vnode_singlelabel =
@@ -2614,6 +2877,7 @@
.mpo_create_vnode_extattr = mac_lomac_create_vnode_extattr,
.mpo_setlabel_vnode_extattr = mac_lomac_setlabel_vnode_extattr,
.mpo_create_mbuf_from_socket = mac_lomac_create_mbuf_from_socket,
+ .mpo_create_mbuf_from_syncache = mac_lomac_create_mbuf_from_syncache,
.mpo_create_pipe = mac_lomac_create_pipe,
.mpo_create_socket = mac_lomac_create_socket,
.mpo_create_socket_from_socket = mac_lomac_create_socket_from_socket,
@@ -2651,7 +2915,6 @@
.mpo_check_ifnet_transmit = mac_lomac_check_ifnet_transmit,
.mpo_check_inpcb_deliver = mac_lomac_check_inpcb_deliver,
.mpo_check_kld_load = mac_lomac_check_kld_load,
- .mpo_check_kld_unload = mac_lomac_check_kld_unload,
.mpo_check_pipe_ioctl = mac_lomac_check_pipe_ioctl,
.mpo_check_pipe_read = mac_lomac_check_pipe_read,
.mpo_check_pipe_relabel = mac_lomac_check_pipe_relabel,
@@ -2662,11 +2925,13 @@
.mpo_check_socket_deliver = mac_lomac_check_socket_deliver,
.mpo_check_socket_relabel = mac_lomac_check_socket_relabel,
.mpo_check_socket_visible = mac_lomac_check_socket_visible,
+ .mpo_check_system_acct = mac_lomac_check_system_acct,
+ .mpo_check_system_auditctl = mac_lomac_check_system_auditctl,
+ .mpo_check_system_swapoff = mac_lomac_check_system_swapoff,
.mpo_check_system_swapon = mac_lomac_check_system_swapon,
.mpo_check_system_sysctl = mac_lomac_check_system_sysctl,
.mpo_check_vnode_access = mac_lomac_check_vnode_open,
.mpo_check_vnode_create = mac_lomac_check_vnode_create,
- .mpo_check_vnode_delete = mac_lomac_check_vnode_delete,
.mpo_check_vnode_deleteacl = mac_lomac_check_vnode_deleteacl,
.mpo_check_vnode_link = mac_lomac_check_vnode_link,
.mpo_check_vnode_mmap = mac_lomac_check_vnode_mmap,
@@ -2683,8 +2948,11 @@
.mpo_check_vnode_setmode = mac_lomac_check_vnode_setmode,
.mpo_check_vnode_setowner = mac_lomac_check_vnode_setowner,
.mpo_check_vnode_setutimes = mac_lomac_check_vnode_setutimes,
+ .mpo_check_vnode_unlink = mac_lomac_check_vnode_unlink,
.mpo_check_vnode_write = mac_lomac_check_vnode_write,
.mpo_thread_userret = mac_lomac_thread_userret,
+ .mpo_create_mbuf_from_firewall = mac_lomac_create_mbuf_from_firewall,
+ .mpo_priv_check = mac_lomac_priv_check,
};
MAC_POLICY_SET(&mac_lomac_ops, mac_lomac, "TrustedBSD MAC/LOMAC",
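Review bot: The two entries appended at the end of mac_lomac_ops, `.mpo_create_mbuf_from_firewall` and `.mpo_priv_check`, land after `.mpo_thread_userret` instead of with the `mpo_create_*` and `mpo_check_*` groups the table otherwise keeps together, so a reader scanning the create or check section will not find them. Moving `.mpo_create_mbuf_from_firewall = mac_lomac_create_mbuf_from_firewall,` next to `.mpo_create_mbuf_from_syncache` and `.mpo_priv_check = mac_lomac_priv_check,` to the end of the check group would preserve the grouping; the `mpo_init_syncache_*` and `mpo_destroy_syncache_label` entries in the earlier hunk are likewise out of sequence with their neighbours. Whether mac_lomac_priv_check and mac_lomac_create_mbuf_from_firewall are defined in this file cannot be seen from this chunk.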
Index: mac_mls.c
===================================================================
RCS file: /home/cvs/src/sys/security/mac_mls/mac_mls.c,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -L sys/security/mac_mls/mac_mls.c -L sys/security/mac_mls/mac_mls.c -u -r1.1.1.1 -r1.2
--- sys/security/mac_mls/mac_mls.c
+++ sys/security/mac_mls/mac_mls.c
@@ -31,11 +31,12 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $FreeBSD: src/sys/security/mac_mls/mac_mls.c,v 1.72.2.3 2005/10/05 10:31:04 rwatson Exp $
+ * $FreeBSD: src/sys/security/mac_mls/mac_mls.c,v 1.88.2.1 2007/11/06 14:46:59 rwatson Exp $
*/
/*
* Developed by the TrustedBSD Project.
+ *
* MLS fixed label mandatory confidentiality policy.
*/
@@ -45,7 +46,7 @@
#include <sys/conf.h>
#include <sys/extattr.h>
#include <sys/kernel.h>
-#include <sys/mac.h>
+#include <sys/ksem.h>
#include <sys/mman.h>
#include <sys/malloc.h>
#include <sys/mount.h>
@@ -66,8 +67,6 @@
#include <sys/sem.h>
#include <sys/shm.h>
-#include <posix4/ksem.h>
-
#include <fs/devfs/devfs.h>
#include <net/bpfdesc.h>
@@ -82,8 +81,7 @@
#include <vm/uma.h>
#include <vm/vm.h>
-#include <sys/mac_policy.h>
-
+#include <security/mac/mac_policy.h>
#include <security/mac_mls/mac_mls.h>
SYSCTL_DECL(_security_mac);
@@ -119,8 +117,8 @@
&max_compartments, 0, "Maximum compartments the policy supports");
static int mac_mls_slot;
-#define SLOT(l) ((struct mac_mls *)LABEL_TO_SLOT((l), mac_mls_slot).l_ptr)
-#define SLOT_SET(l, val) (LABEL_TO_SLOT((l), mac_mls_slot).l_ptr = (val))
+#define SLOT(l) ((struct mac_mls *)mac_label_get((l), mac_mls_slot))
+#define SLOT_SET(l, val) mac_label_set((l), mac_mls_slot, (uintptr_t)(val))
static uma_zone_t zone_mls;
@@ -748,12 +746,12 @@
*/
static void
mac_mls_create_devfs_device(struct ucred *cred, struct mount *mp,
- struct cdev *dev, struct devfs_dirent *devfs_dirent, struct label *label)
+ struct cdev *dev, struct devfs_dirent *de, struct label *delabel)
{
struct mac_mls *mac_mls;
int mls_type;
- mac_mls = SLOT(label);
+ mac_mls = SLOT(delabel);
if (strcmp(dev->si_name, "null") == 0 ||
strcmp(dev->si_name, "zero") == 0 ||
strcmp(dev->si_name, "random") == 0 ||
@@ -773,11 +771,11 @@
static void
mac_mls_create_devfs_directory(struct mount *mp, char *dirname,
- int dirnamelen, struct devfs_dirent *devfs_dirent, struct label *label)
+ int dirnamelen, struct devfs_dirent *de, struct label *delabel)
{
struct mac_mls *mac_mls;
- mac_mls = SLOT(label);
+ mac_mls = SLOT(delabel);
mac_mls_set_effective(mac_mls, MAC_MLS_TYPE_LOW, 0, NULL);
}
@@ -796,64 +794,61 @@
static void
mac_mls_create_mount(struct ucred *cred, struct mount *mp,
- struct label *mntlabel, struct label *fslabel)
+ struct label *mplabel)
{
struct mac_mls *source, *dest;
source = SLOT(cred->cr_label);
- dest = SLOT(mntlabel);
- mac_mls_copy_effective(source, dest);
- dest = SLOT(fslabel);
+ dest = SLOT(mplabel);
mac_mls_copy_effective(source, dest);
}
static void
mac_mls_relabel_vnode(struct ucred *cred, struct vnode *vp,
- struct label *vnodelabel, struct label *label)
+ struct label *vplabel, struct label *label)
{
struct mac_mls *source, *dest;
source = SLOT(label);
- dest = SLOT(vnodelabel);
+ dest = SLOT(vplabel);
mac_mls_copy(source, dest);
}
static void
-mac_mls_update_devfsdirent(struct mount *mp,
- struct devfs_dirent *devfs_dirent, struct label *direntlabel,
- struct vnode *vp, struct label *vnodelabel)
+mac_mls_update_devfs(struct mount *mp, struct devfs_dirent *de,
+ struct label *delabel, struct vnode *vp, struct label *vplabel)
{
struct mac_mls *source, *dest;
- source = SLOT(vnodelabel);
- dest = SLOT(direntlabel);
+ source = SLOT(vplabel);
+ dest = SLOT(delabel);
mac_mls_copy_effective(source, dest);
}
static void
-mac_mls_associate_vnode_devfs(struct mount *mp, struct label *fslabel,
+mac_mls_associate_vnode_devfs(struct mount *mp, struct label *mplabel,
struct devfs_dirent *de, struct label *delabel, struct vnode *vp,
- struct label *vlabel)
+ struct label *vplabel)
{
struct mac_mls *source, *dest;
source = SLOT(delabel);
- dest = SLOT(vlabel);
+ dest = SLOT(vplabel);
mac_mls_copy_effective(source, dest);
}
static int
-mac_mls_associate_vnode_extattr(struct mount *mp, struct label *fslabel,
- struct vnode *vp, struct label *vlabel)
+mac_mls_associate_vnode_extattr(struct mount *mp, struct label *mplabel,
+ struct vnode *vp, struct label *vplabel)
{
struct mac_mls temp, *source, *dest;
int buflen, error;
- source = SLOT(fslabel);
- dest = SLOT(vlabel);
+ source = SLOT(mplabel);
+ dest = SLOT(vplabel);
buflen = sizeof(temp);
bzero(&temp, buflen);
@@ -861,7 +856,7 @@
error = vn_extattr_get(vp, IO_NODELOCKED, MAC_MLS_EXTATTR_NAMESPACE,
MAC_MLS_EXTATTR_NAME, &buflen, (char *) &temp, curthread);
if (error == ENOATTR || error == EOPNOTSUPP) {
- /* Fall back to the fslabel. */
+ /* Fall back to the mntlabel. */
mac_mls_copy_effective(source, dest);
return (0);
} else if (error)
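Review bot: The rewritten comment `/* Fall back to the mntlabel. */` names a variable that does not exist in the function: the label `source` was read from is the parameter `mplabel` (renamed from `fslabel` in the hunk above), so the comment should say `/* Fall back to the mount label (mplabel). */`. Because this branch also covers EOPNOTSUPP, a vnode on a filesystem without extended-attribute support silently takes the mount's effective label rather than being rejected; stating that in the same comment would help whoever tunes the policy. The enclosing mac_mls_associate_vnode_extattr starts and ends outside this hunk.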
@@ -887,20 +882,20 @@
static void
mac_mls_associate_vnode_singlelabel(struct mount *mp,
- struct label *fslabel, struct vnode *vp, struct label *vlabel)
+ struct label *mplabel, struct vnode *vp, struct label *vplabel)
{
struct mac_mls *source, *dest;
- source = SLOT(fslabel);
- dest = SLOT(vlabel);
+ source = SLOT(mplabel);
+ dest = SLOT(vplabel);
mac_mls_copy_effective(source, dest);
}
static int
mac_mls_create_vnode_extattr(struct ucred *cred, struct mount *mp,
- struct label *fslabel, struct vnode *dvp, struct label *dlabel,
- struct vnode *vp, struct label *vlabel, struct componentname *cnp)
+ struct label *mplabel, struct vnode *dvp, struct label *dvplabel,
+ struct vnode *vp, struct label *vplabel, struct componentname *cnp)
{
struct mac_mls *source, *dest, temp;
size_t buflen;
@@ -910,7 +905,7 @@
bzero(&temp, buflen);
source = SLOT(cred->cr_label);
- dest = SLOT(vlabel);
+ dest = SLOT(vplabel);
mac_mls_copy_effective(source, &temp);
error = vn_extattr_set(vp, IO_NODELOCKED, MAC_MLS_EXTATTR_NAMESPACE,
@@ -922,7 +917,7 @@
static int
mac_mls_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
- struct label *vlabel, struct label *intlabel)
+ struct label *vplabel, struct label *intlabel)
{
struct mac_mls *source, temp;
size_t buflen;
@@ -958,98 +953,97 @@
}
static void
-mac_mls_create_mbuf_from_socket(struct socket *so, struct label *socketlabel,
- struct mbuf *m, struct label *mbuflabel)
+mac_mls_create_mbuf_from_socket(struct socket *so, struct label *solabel,
+ struct mbuf *m, struct label *mlabel)
{
struct mac_mls *source, *dest;
- source = SLOT(socketlabel);
- dest = SLOT(mbuflabel);
+ source = SLOT(solabel);
+ dest = SLOT(mlabel);
mac_mls_copy_effective(source, dest);
}
static void
-mac_mls_create_socket(struct ucred *cred, struct socket *socket,
- struct label *socketlabel)
+mac_mls_create_socket(struct ucred *cred, struct socket *so,
+ struct label *solabel)
{
struct mac_mls *source, *dest;
source = SLOT(cred->cr_label);
- dest = SLOT(socketlabel);
+ dest = SLOT(solabel);
mac_mls_copy_effective(source, dest);
}
static void
mac_mls_create_pipe(struct ucred *cred, struct pipepair *pp,
- struct label *pipelabel)
+ struct label *pplabel)
{
struct mac_mls *source, *dest;
source = SLOT(cred->cr_label);
- dest = SLOT(pipelabel);
+ dest = SLOT(pplabel);
mac_mls_copy_effective(source, dest);
}
static void
-mac_mls_create_posix_sem(struct ucred *cred, struct ksem *ksemptr,
- struct label *ks_label)
+mac_mls_create_posix_sem(struct ucred *cred, struct ksem *ks,
+ struct label *kslabel)
{
struct mac_mls *source, *dest;
source = SLOT(cred->cr_label);
- dest = SLOT(ks_label);
+ dest = SLOT(kslabel);
mac_mls_copy_effective(source, dest);
}
static void
-mac_mls_create_socket_from_socket(struct socket *oldsocket,
- struct label *oldsocketlabel, struct socket *newsocket,
- struct label *newsocketlabel)
+mac_mls_create_socket_from_socket(struct socket *oldso,
+ struct label *oldsolabel, struct socket *newso, struct label *newsolabel)
{
struct mac_mls *source, *dest;
- source = SLOT(oldsocketlabel);
- dest = SLOT(newsocketlabel);
+ source = SLOT(oldsolabel);
+ dest = SLOT(newsolabel);
mac_mls_copy_effective(source, dest);
}
static void
-mac_mls_relabel_socket(struct ucred *cred, struct socket *socket,
- struct label *socketlabel, struct label *newlabel)
+mac_mls_relabel_socket(struct ucred *cred, struct socket *so,
+ struct label *solabel, struct label *newlabel)
{
struct mac_mls *source, *dest;
source = SLOT(newlabel);
- dest = SLOT(socketlabel);
+ dest = SLOT(solabel);
mac_mls_copy(source, dest);
}
static void
mac_mls_relabel_pipe(struct ucred *cred, struct pipepair *pp,
- struct label *pipelabel, struct label *newlabel)
+ struct label *pplabel, struct label *newlabel)
{
struct mac_mls *source, *dest;
source = SLOT(newlabel);
- dest = SLOT(pipelabel);
+ dest = SLOT(pplabel);
mac_mls_copy(source, dest);
}
static void
-mac_mls_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct label *mbuflabel,
- struct socket *socket, struct label *socketpeerlabel)
+mac_mls_set_socket_peer_from_mbuf(struct mbuf *m, struct label *mlabel,
+ struct socket *so, struct label *sopeerlabel)
{
struct mac_mls *source, *dest;
- source = SLOT(mbuflabel);
- dest = SLOT(socketpeerlabel);
+ source = SLOT(mlabel);
+ dest = SLOT(sopeerlabel);
mac_mls_copy_effective(source, dest);
}
@@ -1057,14 +1051,13 @@
/*
* Labeling event operations: System V IPC objects.
*/
-
static void
mac_mls_create_sysv_msgmsg(struct ucred *cred, struct msqid_kernel *msqkptr,
struct label *msqlabel, struct msg *msgptr, struct label *msglabel)
{
struct mac_mls *source, *dest;
- /* Ignore the msgq label */
+ /* Ignore the msgq label. */
source = SLOT(cred->cr_label);
dest = SLOT(msglabel);
@@ -1111,39 +1104,39 @@
* Labeling event operations: network objects.
*/
static void
-mac_mls_set_socket_peer_from_socket(struct socket *oldsocket,
- struct label *oldsocketlabel, struct socket *newsocket,
- struct label *newsocketpeerlabel)
+mac_mls_set_socket_peer_from_socket(struct socket *oldso,
+ struct label *oldsolabel, struct socket *newso,
+ struct label *newsopeerlabel)
{
struct mac_mls *source, *dest;
- source = SLOT(oldsocketlabel);
- dest = SLOT(newsocketpeerlabel);
+ source = SLOT(oldsolabel);
+ dest = SLOT(newsopeerlabel);
mac_mls_copy_effective(source, dest);
}
static void
-mac_mls_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d,
- struct label *bpflabel)
+mac_mls_create_bpfdesc(struct ucred *cred, struct bpf_d *d,
+ struct label *dlabel)
{
struct mac_mls *source, *dest;
source = SLOT(cred->cr_label);
- dest = SLOT(bpflabel);
+ dest = SLOT(dlabel);
mac_mls_copy_effective(source, dest);
}
static void
-mac_mls_create_ifnet(struct ifnet *ifnet, struct label *ifnetlabel)
+mac_mls_create_ifnet(struct ifnet *ifp, struct label *ifplabel)
{
struct mac_mls *dest;
int type;
- dest = SLOT(ifnetlabel);
+ dest = SLOT(ifplabel);
- if (ifnet->if_type == IFT_LOOP)
+ if (ifp->if_type == IFT_LOOP)
type = MAC_MLS_TYPE_EQUAL;
else
type = MAC_MLS_TYPE_LOW;
@@ -1153,12 +1146,12 @@
}
static void
-mac_mls_create_ipq(struct mbuf *fragment, struct label *fragmentlabel,
- struct ipq *ipq, struct label *ipqlabel)
+mac_mls_create_ipq(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
+ struct label *ipqlabel)
{
struct mac_mls *source, *dest;
- source = SLOT(fragmentlabel);
+ source = SLOT(mlabel);
dest = SLOT(ipqlabel);
mac_mls_copy_effective(source, dest);
@@ -1166,25 +1159,25 @@
static void
mac_mls_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel,
- struct mbuf *datagram, struct label *datagramlabel)
+ struct mbuf *m, struct label *mlabel)
{
struct mac_mls *source, *dest;
source = SLOT(ipqlabel);
- dest = SLOT(datagramlabel);
+ dest = SLOT(mlabel);
/* Just use the head, since we require them all to match. */
mac_mls_copy_effective(source, dest);
}
static void
-mac_mls_create_fragment(struct mbuf *datagram, struct label *datagramlabel,
- struct mbuf *fragment, struct label *fragmentlabel)
+mac_mls_create_fragment(struct mbuf *m, struct label *mlabel,
+ struct mbuf *frag, struct label *fraglabel)
{
struct mac_mls *source, *dest;
- source = SLOT(datagramlabel);
- dest = SLOT(fragmentlabel);
+ source = SLOT(mlabel);
+ dest = SLOT(fraglabel);
mac_mls_copy_effective(source, dest);
}
@@ -1202,92 +1195,92 @@
}
static void
-mac_mls_create_mbuf_linklayer(struct ifnet *ifnet, struct label *ifnetlabel,
- struct mbuf *mbuf, struct label *mbuflabel)
+mac_mls_create_mbuf_linklayer(struct ifnet *ifp, struct label *ifplabel,
+ struct mbuf *m, struct label *mlabel)
{
struct mac_mls *dest;
- dest = SLOT(mbuflabel);
+ dest = SLOT(mlabel);
mac_mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL);
}
static void
-mac_mls_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct label *bpflabel,
- struct mbuf *mbuf, struct label *mbuflabel)
+mac_mls_create_mbuf_from_bpfdesc(struct bpf_d *d, struct label *dlabel,
+ struct mbuf *m, struct label *mlabel)
{
struct mac_mls *source, *dest;
- source = SLOT(bpflabel);
- dest = SLOT(mbuflabel);
+ source = SLOT(dlabel);
+ dest = SLOT(mlabel);
mac_mls_copy_effective(source, dest);
}
static void
-mac_mls_create_mbuf_from_ifnet(struct ifnet *ifnet, struct label *ifnetlabel,
- struct mbuf *m, struct label *mbuflabel)
+mac_mls_create_mbuf_from_ifnet(struct ifnet *ifp, struct label *ifplabel,
+ struct mbuf *m, struct label *mlabel)
{
struct mac_mls *source, *dest;
- source = SLOT(ifnetlabel);
- dest = SLOT(mbuflabel);
+ source = SLOT(ifplabel);
+ dest = SLOT(mlabel);
mac_mls_copy_effective(source, dest);
}
static void
-mac_mls_create_mbuf_multicast_encap(struct mbuf *oldmbuf,
- struct label *oldmbuflabel, struct ifnet *ifnet, struct label *ifnetlabel,
- struct mbuf *newmbuf, struct label *newmbuflabel)
+mac_mls_create_mbuf_multicast_encap(struct mbuf *m, struct label *mlabel,
+ struct ifnet *ifp, struct label *ifplabel, struct mbuf *mnew,
+ struct label *mnewlabel)
{
struct mac_mls *source, *dest;
- source = SLOT(oldmbuflabel);
- dest = SLOT(newmbuflabel);
+ source = SLOT(mlabel);
+ dest = SLOT(mnewlabel);
mac_mls_copy_effective(source, dest);
}
static void
-mac_mls_create_mbuf_netlayer(struct mbuf *oldmbuf, struct label *oldmbuflabel,
- struct mbuf *newmbuf, struct label *newmbuflabel)
+mac_mls_create_mbuf_netlayer(struct mbuf *m, struct label *mlabel,
+ struct mbuf *mnew, struct label *mnewlabel)
{
struct mac_mls *source, *dest;
- source = SLOT(oldmbuflabel);
- dest = SLOT(newmbuflabel);
+ source = SLOT(mlabel);
+ dest = SLOT(mnewlabel);
mac_mls_copy_effective(source, dest);
}
static int
-mac_mls_fragment_match(struct mbuf *fragment, struct label *fragmentlabel,
- struct ipq *ipq, struct label *ipqlabel)
+mac_mls_fragment_match(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
+ struct label *ipqlabel)
{
struct mac_mls *a, *b;
a = SLOT(ipqlabel);
- b = SLOT(fragmentlabel);
+ b = SLOT(mlabel);
return (mac_mls_equal_effective(a, b));
}
static void
-mac_mls_relabel_ifnet(struct ucred *cred, struct ifnet *ifnet,
- struct label *ifnetlabel, struct label *newlabel)
+mac_mls_relabel_ifnet(struct ucred *cred, struct ifnet *ifp,
+ struct label *ifplabel, struct label *newlabel)
{
struct mac_mls *source, *dest;
source = SLOT(newlabel);
- dest = SLOT(ifnetlabel);
+ dest = SLOT(ifplabel);
mac_mls_copy(source, dest);
}
static void
-mac_mls_update_ipq(struct mbuf *fragment, struct label *fragmentlabel,
- struct ipq *ipq, struct label *ipqlabel)
+mac_mls_update_ipq(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
+ struct label *ipqlabel)
{
/* NOOP: we only accept matching labels, so no need to update */
@@ -1305,6 +1298,38 @@
mac_mls_copy(source, dest);
}
+static void
+mac_mls_create_mbuf_from_firewall(struct mbuf *m, struct label *mlabel)
+{
+ struct mac_mls *dest;
+
+ dest = SLOT(mlabel);
+
+ /* XXX: where is the label for the firewall really comming from? */
+ mac_mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL);
+}
+
+static void
+mac_mls_init_syncache_from_inpcb(struct label *label, struct inpcb *inp)
+{
+ struct mac_mls *source, *dest;
+
+ source = SLOT(inp->inp_label);
+ dest = SLOT(label);
+ mac_mls_copy_effective(source, dest);
+}
+
+static void
+mac_mls_create_mbuf_from_syncache(struct label *sc_label, struct mbuf *m,
+ struct label *mlabel)
+{
+ struct mac_mls *source, *dest;
+
+ source = SLOT(sc_label);
+ dest = SLOT(mlabel);
+ mac_mls_copy_effective(source, dest);
+}
+
/*
* Labeling event operations: processes.
*/
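Review bot: mac_mls_create_mbuf_from_firewall stamps every firewall-originated mbuf MAC_MLS_TYPE_EQUAL, which, if EQUAL compares equal to any label as its use for the loopback interface in mac_mls_create_ifnet suggests, means mac_mls_check_socket_deliver (mac_mls_equal_effective) and mac_mls_check_ifnet_transmit (mac_mls_effective_in_range) will accept such packets for any socket or interface, i.e. firewall-generated traffic is exempt from MLS separation. The XXX comment already admits the label's origin is unknown; it should also state that consequence and fix the typo, e.g. `/* XXX: the firewall has no label of its own yet, so its packets are labelled EQUAL and pass every MLS check; revisit once the firewall carries a label. */`. How mac_mls_equal_effective treats EQUAL cannot be confirmed from this chunk.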
@@ -1378,16 +1403,16 @@
* Access control checks.
*/
static int
-mac_mls_check_bpfdesc_receive(struct bpf_d *bpf_d, struct label *bpflabel,
- struct ifnet *ifnet, struct label *ifnetlabel)
+mac_mls_check_bpfdesc_receive(struct bpf_d *d, struct label *dlabel,
+ struct ifnet *ifp, struct label *ifplabel)
{
struct mac_mls *a, *b;
if (!mac_mls_enabled)
return (0);
- a = SLOT(bpflabel);
- b = SLOT(ifnetlabel);
+ a = SLOT(dlabel);
+ b = SLOT(ifplabel);
if (mac_mls_equal_effective(a, b))
return (0);
@@ -1457,15 +1482,15 @@
}
static int
-mac_mls_check_cred_visible(struct ucred *u1, struct ucred *u2)
+mac_mls_check_cred_visible(struct ucred *cr1, struct ucred *cr2)
{
struct mac_mls *subj, *obj;
if (!mac_mls_enabled)
return (0);
- subj = SLOT(u1->cr_label);
- obj = SLOT(u2->cr_label);
+ subj = SLOT(cr1->cr_label);
+ obj = SLOT(cr2->cr_label);
/* XXX: range */
if (!mac_mls_dominate_effective(subj, obj))
@@ -1475,8 +1500,8 @@
}
static int
-mac_mls_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet,
- struct label *ifnetlabel, struct label *newlabel)
+mac_mls_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifp,
+ struct label *ifplabel, struct label *newlabel)
{
struct mac_mls *subj, *new;
int error;
@@ -1501,16 +1526,16 @@
}
static int
-mac_mls_check_ifnet_transmit(struct ifnet *ifnet, struct label *ifnetlabel,
- struct mbuf *m, struct label *mbuflabel)
+mac_mls_check_ifnet_transmit(struct ifnet *ifp, struct label *ifplabel,
+ struct mbuf *m, struct label *mlabel)
{
struct mac_mls *p, *i;
if (!mac_mls_enabled)
return (0);
- p = SLOT(mbuflabel);
- i = SLOT(ifnetlabel);
+ p = SLOT(mlabel);
+ i = SLOT(ifplabel);
return (mac_mls_effective_in_range(p, i) ? 0 : EACCES);
}
@@ -1821,7 +1846,7 @@
static int
mac_mls_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp,
- struct label *pipelabel, unsigned long cmd, void /* caddr_t */ *data)
+ struct label *pplabel, unsigned long cmd, void /* caddr_t */ *data)
{
if(!mac_mls_enabled)
@@ -1834,7 +1859,7 @@
static int
mac_mls_check_pipe_poll(struct ucred *cred, struct pipepair *pp,
- struct label *pipelabel)
+ struct label *pplabel)
{
struct mac_mls *subj, *obj;
@@ -1842,7 +1867,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT((pipelabel));
+ obj = SLOT(pplabel);
if (!mac_mls_dominate_effective(subj, obj))
return (EACCES);
@@ -1852,7 +1877,7 @@
static int
mac_mls_check_pipe_read(struct ucred *cred, struct pipepair *pp,
- struct label *pipelabel)
+ struct label *pplabel)
{
struct mac_mls *subj, *obj;
@@ -1860,7 +1885,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT((pipelabel));
+ obj = SLOT(pplabel);
if (!mac_mls_dominate_effective(subj, obj))
return (EACCES);
@@ -1870,14 +1895,14 @@
static int
mac_mls_check_pipe_relabel(struct ucred *cred, struct pipepair *pp,
- struct label *pipelabel, struct label *newlabel)
+ struct label *pplabel, struct label *newlabel)
{
struct mac_mls *subj, *obj, *new;
int error;
new = SLOT(newlabel);
subj = SLOT(cred->cr_label);
- obj = SLOT(pipelabel);
+ obj = SLOT(pplabel);
/*
* If there is an MLS label update for a pipe, it must be a
@@ -1921,7 +1946,7 @@
static int
mac_mls_check_pipe_stat(struct ucred *cred, struct pipepair *pp,
- struct label *pipelabel)
+ struct label *pplabel)
{
struct mac_mls *subj, *obj;
@@ -1929,7 +1954,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT((pipelabel));
+ obj = SLOT(pplabel);
if (!mac_mls_dominate_effective(subj, obj))
return (EACCES);
@@ -1939,7 +1964,7 @@
static int
mac_mls_check_pipe_write(struct ucred *cred, struct pipepair *pp,
- struct label *pipelabel)
+ struct label *pplabel)
{
struct mac_mls *subj, *obj;
@@ -1947,7 +1972,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT((pipelabel));
+ obj = SLOT(pplabel);
if (!mac_mls_dominate_effective(obj, subj))
return (EACCES);
@@ -1956,8 +1981,8 @@
}
static int
-mac_mls_check_posix_sem_write(struct ucred *cred, struct ksem *ksemptr,
- struct label *ks_label)
+mac_mls_check_posix_sem_write(struct ucred *cred, struct ksem *ks,
+ struct label *kslabel)
{
struct mac_mls *subj, *obj;
@@ -1965,7 +1990,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(ks_label);
+ obj = SLOT(kslabel);
if (!mac_mls_dominate_effective(obj, subj))
return (EACCES);
@@ -1974,8 +1999,8 @@
}
static int
-mac_mls_check_posix_sem_rdonly(struct ucred *cred, struct ksem *ksemptr,
- struct label *ks_label)
+mac_mls_check_posix_sem_rdonly(struct ucred *cred, struct ksem *ks,
+ struct label *kslabel)
{
struct mac_mls *subj, *obj;
@@ -1983,7 +2008,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(ks_label);
+ obj = SLOT(kslabel);
if (!mac_mls_dominate_effective(subj, obj))
return (EACCES);
@@ -1992,7 +2017,7 @@
}
static int
-mac_mls_check_proc_debug(struct ucred *cred, struct proc *proc)
+mac_mls_check_proc_debug(struct ucred *cred, struct proc *p)
{
struct mac_mls *subj, *obj;
@@ -2000,7 +2025,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(proc->p_ucred->cr_label);
+ obj = SLOT(p->p_ucred->cr_label);
/* XXX: range checks */
if (!mac_mls_dominate_effective(subj, obj))
@@ -2012,7 +2037,7 @@
}
static int
-mac_mls_check_proc_sched(struct ucred *cred, struct proc *proc)
+mac_mls_check_proc_sched(struct ucred *cred, struct proc *p)
{
struct mac_mls *subj, *obj;
@@ -2020,7 +2045,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(proc->p_ucred->cr_label);
+ obj = SLOT(p->p_ucred->cr_label);
/* XXX: range checks */
if (!mac_mls_dominate_effective(subj, obj))
@@ -2032,7 +2057,7 @@
}
static int
-mac_mls_check_proc_signal(struct ucred *cred, struct proc *proc, int signum)
+mac_mls_check_proc_signal(struct ucred *cred, struct proc *p, int signum)
{
struct mac_mls *subj, *obj;
@@ -2040,7 +2065,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(proc->p_ucred->cr_label);
+ obj = SLOT(p->p_ucred->cr_label);
/* XXX: range checks */
if (!mac_mls_dominate_effective(subj, obj))
@@ -2052,30 +2077,30 @@
}
static int
-mac_mls_check_socket_deliver(struct socket *so, struct label *socketlabel,
- struct mbuf *m, struct label *mbuflabel)
+mac_mls_check_socket_deliver(struct socket *so, struct label *solabel,
+ struct mbuf *m, struct label *mlabel)
{
struct mac_mls *p, *s;
if (!mac_mls_enabled)
return (0);
- p = SLOT(mbuflabel);
- s = SLOT(socketlabel);
+ p = SLOT(mlabel);
+ s = SLOT(solabel);
return (mac_mls_equal_effective(p, s) ? 0 : EACCES);
}
static int
-mac_mls_check_socket_relabel(struct ucred *cred, struct socket *socket,
- struct label *socketlabel, struct label *newlabel)
+mac_mls_check_socket_relabel(struct ucred *cred, struct socket *so,
+ struct label *solabel, struct label *newlabel)
{
struct mac_mls *subj, *obj, *new;
int error;
new = SLOT(newlabel);
subj = SLOT(cred->cr_label);
- obj = SLOT(socketlabel);
+ obj = SLOT(solabel);
/*
* If there is an MLS label update for the socket, it may be
@@ -2118,8 +2143,8 @@
}
static int
-mac_mls_check_socket_visible(struct ucred *cred, struct socket *socket,
- struct label *socketlabel)
+mac_mls_check_socket_visible(struct ucred *cred, struct socket *so,
+ struct label *solabel)
{
struct mac_mls *subj, *obj;
@@ -2127,7 +2152,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(socketlabel);
+ obj = SLOT(solabel);
if (!mac_mls_dominate_effective(subj, obj))
return (ENOENT);
@@ -2136,8 +2161,8 @@
}
static int
-mac_mls_check_system_swapon(struct ucred *cred, struct vnode *vp,
- struct label *label)
+mac_mls_check_system_acct(struct ucred *cred, struct vnode *vp,
+ struct label *vplabel)
{
struct mac_mls *subj, *obj;
@@ -2145,7 +2170,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(label);
+ obj = SLOT(vplabel);
if (!mac_mls_dominate_effective(obj, subj) ||
!mac_mls_dominate_effective(subj, obj))
@@ -2155,8 +2180,8 @@
}
static int
-mac_mls_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
- struct label *dlabel)
+mac_mls_check_system_auditctl(struct ucred *cred, struct vnode *vp,
+ struct label *vplabel)
{
struct mac_mls *subj, *obj;
@@ -2164,17 +2189,18 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(dlabel);
+ obj = SLOT(vplabel);
- if (!mac_mls_dominate_effective(subj, obj))
+ if (!mac_mls_dominate_effective(obj, subj) ||
+ !mac_mls_dominate_effective(subj, obj))
return (EACCES);
return (0);
}
static int
-mac_mls_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
- struct label *dlabel)
+mac_mls_check_system_swapon(struct ucred *cred, struct vnode *vp,
+ struct label *vplabel)
{
struct mac_mls *subj, *obj;
@@ -2182,17 +2208,18 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(dlabel);
+ obj = SLOT(vplabel);
- if (!mac_mls_dominate_effective(subj, obj))
+ if (!mac_mls_dominate_effective(obj, subj) ||
+ !mac_mls_dominate_effective(subj, obj))
return (EACCES);
return (0);
}
static int
-mac_mls_check_vnode_create(struct ucred *cred, struct vnode *dvp,
- struct label *dlabel, struct componentname *cnp, struct vattr *vap)
+mac_mls_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
+ struct label *dvplabel)
{
struct mac_mls *subj, *obj;
@@ -2200,18 +2227,17 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(dlabel);
+ obj = SLOT(dvplabel);
- if (!mac_mls_dominate_effective(obj, subj))
+ if (!mac_mls_dominate_effective(subj, obj))
return (EACCES);
return (0);
}
static int
-mac_mls_check_vnode_delete(struct ucred *cred, struct vnode *dvp,
- struct label *dlabel, struct vnode *vp, struct label *label,
- struct componentname *cnp)
+mac_mls_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
+ struct label *dvplabel)
{
struct mac_mls *subj, *obj;
@@ -2219,12 +2245,25 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(dlabel);
+ obj = SLOT(dvplabel);
- if (!mac_mls_dominate_effective(obj, subj))
+ if (!mac_mls_dominate_effective(subj, obj))
return (EACCES);
- obj = SLOT(label);
+ return (0);
+}
+
+static int
+mac_mls_check_vnode_create(struct ucred *cred, struct vnode *dvp,
+ struct label *dvplabel, struct componentname *cnp, struct vattr *vap)
+{
+ struct mac_mls *subj, *obj;
+
+ if (!mac_mls_enabled)
+ return (0);
+
+ subj = SLOT(cred->cr_label);
+ obj = SLOT(dvplabel);
if (!mac_mls_dominate_effective(obj, subj))
return (EACCES);
@@ -2234,7 +2273,7 @@
static int
mac_mls_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
- struct label *label, acl_type_t type)
+ struct label *vplabel, acl_type_t type)
{
struct mac_mls *subj, *obj;
@@ -2242,7 +2281,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(label);
+ obj = SLOT(vplabel);
if (!mac_mls_dominate_effective(obj, subj))
return (EACCES);
@@ -2252,7 +2291,7 @@
static int
mac_mls_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
- struct label *label, int attrnamespace, const char *name)
+ struct label *vplabel, int attrnamespace, const char *name)
{
struct mac_mls *subj, *obj;
@@ -2260,7 +2299,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(label);
+ obj = SLOT(vplabel);
if (!mac_mls_dominate_effective(obj, subj))
return (EACCES);
@@ -2270,7 +2309,7 @@
static int
mac_mls_check_vnode_exec(struct ucred *cred, struct vnode *vp,
- struct label *label, struct image_params *imgp,
+ struct label *vplabel, struct image_params *imgp,
struct label *execlabel)
{
struct mac_mls *subj, *obj, *exec;
@@ -2292,7 +2331,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(label);
+ obj = SLOT(vplabel);
if (!mac_mls_dominate_effective(subj, obj))
return (EACCES);
@@ -2302,7 +2341,7 @@
static int
mac_mls_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
- struct label *label, acl_type_t type)
+ struct label *vplabel, acl_type_t type)
{
struct mac_mls *subj, *obj;
@@ -2310,7 +2349,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(label);
+ obj = SLOT(vplabel);
if (!mac_mls_dominate_effective(subj, obj))
return (EACCES);
@@ -2320,7 +2359,8 @@
static int
mac_mls_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
- struct label *label, int attrnamespace, const char *name, struct uio *uio)
+ struct label *vplabel, int attrnamespace, const char *name,
+ struct uio *uio)
{
struct mac_mls *subj, *obj;
@@ -2328,7 +2368,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(label);
+ obj = SLOT(vplabel);
if (!mac_mls_dominate_effective(subj, obj))
return (EACCES);
@@ -2338,7 +2378,7 @@
static int
mac_mls_check_vnode_link(struct ucred *cred, struct vnode *dvp,
- struct label *dlabel, struct vnode *vp, struct label *label,
+ struct label *dvplabel, struct vnode *vp, struct label *vplabel,
struct componentname *cnp)
{
struct mac_mls *subj, *obj;
@@ -2347,12 +2387,12 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(dlabel);
+ obj = SLOT(dvplabel);
if (!mac_mls_dominate_effective(obj, subj))
return (EACCES);
- obj = SLOT(dlabel);
+ obj = SLOT(vplabel);
if (!mac_mls_dominate_effective(obj, subj))
return (EACCES);
@@ -2361,7 +2401,7 @@
static int
mac_mls_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
- struct label *label, int attrnamespace)
+ struct label *vplabel, int attrnamespace)
{
struct mac_mls *subj, *obj;
@@ -2370,7 +2410,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(label);
+ obj = SLOT(vplabel);
if (!mac_mls_dominate_effective(subj, obj))
return (EACCES);
@@ -2380,7 +2420,7 @@
static int
mac_mls_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
- struct label *dlabel, struct componentname *cnp)
+ struct label *dvplabel, struct componentname *cnp)
{
struct mac_mls *subj, *obj;
@@ -2388,7 +2428,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(dlabel);
+ obj = SLOT(dvplabel);
if (!mac_mls_dominate_effective(subj, obj))
return (EACCES);
@@ -2398,7 +2438,7 @@
static int
mac_mls_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
- struct label *label, int prot, int flags)
+ struct label *vplabel, int prot, int flags)
{
struct mac_mls *subj, *obj;
@@ -2410,7 +2450,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(label);
+ obj = SLOT(vplabel);
if (prot & (VM_PROT_READ | VM_PROT_EXECUTE)) {
if (!mac_mls_dominate_effective(subj, obj))
@@ -2426,7 +2466,7 @@
static int
mac_mls_check_vnode_open(struct ucred *cred, struct vnode *vp,
- struct label *vnodelabel, int acc_mode)
+ struct label *vplabel, int acc_mode)
{
struct mac_mls *subj, *obj;
@@ -2434,7 +2474,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(vnodelabel);
+ obj = SLOT(vplabel);
/* XXX privilege override for admin? */
if (acc_mode & (VREAD | VEXEC | VSTAT)) {
@@ -2451,7 +2491,7 @@
static int
mac_mls_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
- struct vnode *vp, struct label *label)
+ struct vnode *vp, struct label *vplabel)
{
struct mac_mls *subj, *obj;
@@ -2459,7 +2499,7 @@
return (0);
subj = SLOT(active_cred->cr_label);
- obj = SLOT(label);
+ obj = SLOT(vplabel);
if (!mac_mls_dominate_effective(subj, obj))
return (EACCES);
@@ -2469,7 +2509,7 @@
static int
mac_mls_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
- struct vnode *vp, struct label *label)
+ struct vnode *vp, struct label *vplabel)
{
struct mac_mls *subj, *obj;
@@ -2477,7 +2517,7 @@
return (0);
subj = SLOT(active_cred->cr_label);
- obj = SLOT(label);
+ obj = SLOT(vplabel);
if (!mac_mls_dominate_effective(subj, obj))
return (EACCES);
@@ -2487,7 +2527,7 @@
static int
mac_mls_check_vnode_readdir(struct ucred *cred, struct vnode *dvp,
- struct label *dlabel)
+ struct label *dvplabel)
{
struct mac_mls *subj, *obj;
@@ -2495,7 +2535,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(dlabel);
+ obj = SLOT(dvplabel);
if (!mac_mls_dominate_effective(subj, obj))
return (EACCES);
@@ -2505,7 +2545,7 @@
static int
mac_mls_check_vnode_readlink(struct ucred *cred, struct vnode *vp,
- struct label *vnodelabel)
+ struct label *vplabel)
{
struct mac_mls *subj, *obj;
@@ -2513,7 +2553,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(vnodelabel);
+ obj = SLOT(vplabel);
if (!mac_mls_dominate_effective(subj, obj))
return (EACCES);
@@ -2523,12 +2563,12 @@
static int
mac_mls_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
- struct label *vnodelabel, struct label *newlabel)
+ struct label *vplabel, struct label *newlabel)
{
struct mac_mls *old, *new, *subj;
int error;
- old = SLOT(vnodelabel);
+ old = SLOT(vplabel);
new = SLOT(newlabel);
subj = SLOT(cred->cr_label);
@@ -2572,10 +2612,9 @@
return (0);
}
-
static int
mac_mls_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
- struct label *dlabel, struct vnode *vp, struct label *label,
+ struct label *dvplabel, struct vnode *vp, struct label *vplabel,
struct componentname *cnp)
{
struct mac_mls *subj, *obj;
@@ -2584,12 +2623,12 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(dlabel);
+ obj = SLOT(dvplabel);
if (!mac_mls_dominate_effective(obj, subj))
return (EACCES);
- obj = SLOT(label);
+ obj = SLOT(vplabel);
if (!mac_mls_dominate_effective(obj, subj))
return (EACCES);
@@ -2599,8 +2638,8 @@
static int
mac_mls_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
- struct label *dlabel, struct vnode *vp, struct label *label, int samedir,
- struct componentname *cnp)
+ struct label *dvplabel, struct vnode *vp, struct label *vplabel,
+ int samedir, struct componentname *cnp)
{
struct mac_mls *subj, *obj;
@@ -2608,13 +2647,13 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(dlabel);
+ obj = SLOT(dvplabel);
if (!mac_mls_dominate_effective(obj, subj))
return (EACCES);
if (vp != NULL) {
- obj = SLOT(label);
+ obj = SLOT(vplabel);
if (!mac_mls_dominate_effective(obj, subj))
return (EACCES);
@@ -2625,7 +2664,7 @@
static int
mac_mls_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
- struct label *label)
+ struct label *vplabel)
{
struct mac_mls *subj, *obj;
@@ -2633,7 +2672,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(label);
+ obj = SLOT(vplabel);
if (!mac_mls_dominate_effective(obj, subj))
return (EACCES);
@@ -2643,7 +2682,7 @@
static int
mac_mls_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
- struct label *label, acl_type_t type, struct acl *acl)
+ struct label *vplabel, acl_type_t type, struct acl *acl)
{
struct mac_mls *subj, *obj;
@@ -2651,7 +2690,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(label);
+ obj = SLOT(vplabel);
if (!mac_mls_dominate_effective(obj, subj))
return (EACCES);
@@ -2661,7 +2700,7 @@
static int
mac_mls_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
- struct label *vnodelabel, int attrnamespace, const char *name,
+ struct label *vplabel, int attrnamespace, const char *name,
struct uio *uio)
{
struct mac_mls *subj, *obj;
@@ -2670,7 +2709,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(vnodelabel);
+ obj = SLOT(vplabel);
if (!mac_mls_dominate_effective(obj, subj))
return (EACCES);
@@ -2682,7 +2721,7 @@
static int
mac_mls_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
- struct label *vnodelabel, u_long flags)
+ struct label *vplabel, u_long flags)
{
struct mac_mls *subj, *obj;
@@ -2690,7 +2729,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(vnodelabel);
+ obj = SLOT(vplabel);
if (!mac_mls_dominate_effective(obj, subj))
return (EACCES);
@@ -2700,7 +2739,7 @@
static int
mac_mls_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
- struct label *vnodelabel, mode_t mode)
+ struct label *vplabel, mode_t mode)
{
struct mac_mls *subj, *obj;
@@ -2708,7 +2747,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(vnodelabel);
+ obj = SLOT(vplabel);
if (!mac_mls_dominate_effective(obj, subj))
return (EACCES);
@@ -2718,7 +2757,7 @@
static int
mac_mls_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
- struct label *vnodelabel, uid_t uid, gid_t gid)
+ struct label *vplabel, uid_t uid, gid_t gid)
{
struct mac_mls *subj, *obj;
@@ -2726,7 +2765,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(vnodelabel);
+ obj = SLOT(vplabel);
if (!mac_mls_dominate_effective(obj, subj))
return (EACCES);
@@ -2736,7 +2775,7 @@
static int
mac_mls_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
- struct label *vnodelabel, struct timespec atime, struct timespec mtime)
+ struct label *vplabel, struct timespec atime, struct timespec mtime)
{
struct mac_mls *subj, *obj;
@@ -2744,7 +2783,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT(vnodelabel);
+ obj = SLOT(vplabel);
if (!mac_mls_dominate_effective(obj, subj))
return (EACCES);
@@ -2754,7 +2793,7 @@
static int
mac_mls_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
- struct vnode *vp, struct label *vnodelabel)
+ struct vnode *vp, struct label *vplabel)
{
struct mac_mls *subj, *obj;
@@ -2762,7 +2801,7 @@
return (0);
subj = SLOT(active_cred->cr_label);
- obj = SLOT(vnodelabel);
+ obj = SLOT(vplabel);
if (!mac_mls_dominate_effective(subj, obj))
return (EACCES);
@@ -2771,8 +2810,32 @@
}
static int
+mac_mls_check_vnode_unlink(struct ucred *cred, struct vnode *dvp,
+ struct label *dvplabel, struct vnode *vp, struct label *vplabel,
+ struct componentname *cnp)
+{
+ struct mac_mls *subj, *obj;
+
+ if (!mac_mls_enabled)
+ return (0);
+
+ subj = SLOT(cred->cr_label);
+ obj = SLOT(dvplabel);
+
+ if (!mac_mls_dominate_effective(obj, subj))
+ return (EACCES);
+
+ obj = SLOT(vplabel);
+
+ if (!mac_mls_dominate_effective(obj, subj))
+ return (EACCES);
+
+ return (0);
+}
+
+static int
mac_mls_check_vnode_write(struct ucred *active_cred, struct ucred *file_cred,
- struct vnode *vp, struct label *label)
+ struct vnode *vp, struct label *vplabel)
{
struct mac_mls *subj, *obj;
@@ -2780,7 +2843,7 @@
return (0);
subj = SLOT(active_cred->cr_label);
- obj = SLOT(label);
+ obj = SLOT(vplabel);
if (!mac_mls_dominate_effective(obj, subj))
return (EACCES);
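Review bot: The new mac_mls_check_vnode_unlink carries no comment explaining why the write test `mac_mls_dominate_effective(obj, subj)` is applied to both the directory and the target vnode, whereas the lookup and readdir checks earlier in this file apply only the read test `(subj, obj)`. Since this function takes over from the check_vnode_delete entry point that the commit drops from the ops table, a one-line comment keeps the intent from being lost: `/* Unlink is treated as a write to both the directory and the target vnode: each must dominate the subject (no write-down). */`. The trailing write check in this hunk belongs to mac_mls_check_vnode_write, whose body continues past the hunk.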
@@ -2788,14 +2851,26 @@
return (0);
}
+static void
+mac_mls_associate_nfsd_label(struct ucred *cred)
+{
+ struct mac_mls *label;
+
+ label = SLOT(cred->cr_label);
+ mac_mls_set_effective(label, MAC_MLS_TYPE_LOW, 0, NULL);
+ mac_mls_set_range(label, MAC_MLS_TYPE_LOW, 0, NULL,
+ MAC_MLS_TYPE_HIGH, 0, NULL);
+}
+
static struct mac_policy_ops mac_mls_ops =
{
.mpo_init = mac_mls_init,
.mpo_init_bpfdesc_label = mac_mls_init_label,
.mpo_init_cred_label = mac_mls_init_label,
- .mpo_init_devfsdirent_label = mac_mls_init_label,
+ .mpo_init_devfs_label = mac_mls_init_label,
.mpo_init_ifnet_label = mac_mls_init_label,
.mpo_init_inpcb_label = mac_mls_init_label_waitcheck,
+ .mpo_init_syncache_label = mac_mls_init_label_waitcheck,
.mpo_init_sysv_msgmsg_label = mac_mls_init_label,
.mpo_init_sysv_msgqueue_label = mac_mls_init_label,
.mpo_init_sysv_sem_label = mac_mls_init_label,
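Review bot: mac_mls_associate_nfsd_label hard-codes the nfsd credential to an effective label of LOW with a LOW..HIGH range and gives no rationale for either value. Read against the checks earlier in this file, an effective-LOW subject passes every `mac_mls_dominate_effective(obj, subj)` write test but passes the `(subj, obj)` read test only for LOW-labelled objects, so if this credential is used on those paths the server could write to any labelled file while reading only LOW ones; whether that asymmetry is intended should be stated rather than left for the next reader to infer. Suggested comment above the function: `/* nfsd runs at the lowest effective label (writes pass, reads limited to LOW) with a full LOW..HIGH range; NOTE(review): confirm this matches the intended NFS trust model. */`. The mac_mls_ops initializer that follows continues past the hunk.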
@@ -2803,7 +2878,6 @@
.mpo_init_ipq_label = mac_mls_init_label_waitcheck,
.mpo_init_mbuf_label = mac_mls_init_label_waitcheck,
.mpo_init_mount_label = mac_mls_init_label,
- .mpo_init_mount_fs_label = mac_mls_init_label,
.mpo_init_pipe_label = mac_mls_init_label,
.mpo_init_posix_sem_label = mac_mls_init_label,
.mpo_init_socket_label = mac_mls_init_label_waitcheck,
@@ -2811,9 +2885,10 @@
.mpo_init_vnode_label = mac_mls_init_label,
.mpo_destroy_bpfdesc_label = mac_mls_destroy_label,
.mpo_destroy_cred_label = mac_mls_destroy_label,
- .mpo_destroy_devfsdirent_label = mac_mls_destroy_label,
+ .mpo_destroy_devfs_label = mac_mls_destroy_label,
.mpo_destroy_ifnet_label = mac_mls_destroy_label,
.mpo_destroy_inpcb_label = mac_mls_destroy_label,
+ .mpo_destroy_syncache_label = mac_mls_destroy_label,
.mpo_destroy_sysv_msgmsg_label = mac_mls_destroy_label,
.mpo_destroy_sysv_msgqueue_label = mac_mls_destroy_label,
.mpo_destroy_sysv_sem_label = mac_mls_destroy_label,
@@ -2821,7 +2896,6 @@
.mpo_destroy_ipq_label = mac_mls_destroy_label,
.mpo_destroy_mbuf_label = mac_mls_destroy_label,
.mpo_destroy_mount_label = mac_mls_destroy_label,
- .mpo_destroy_mount_fs_label = mac_mls_destroy_label,
.mpo_destroy_pipe_label = mac_mls_destroy_label,
.mpo_destroy_posix_sem_label = mac_mls_destroy_label,
.mpo_destroy_socket_label = mac_mls_destroy_label,
@@ -2849,13 +2923,14 @@
.mpo_create_devfs_symlink = mac_mls_create_devfs_symlink,
.mpo_create_mount = mac_mls_create_mount,
.mpo_relabel_vnode = mac_mls_relabel_vnode,
- .mpo_update_devfsdirent = mac_mls_update_devfsdirent,
+ .mpo_update_devfs = mac_mls_update_devfs,
.mpo_associate_vnode_devfs = mac_mls_associate_vnode_devfs,
.mpo_associate_vnode_extattr = mac_mls_associate_vnode_extattr,
.mpo_associate_vnode_singlelabel = mac_mls_associate_vnode_singlelabel,
.mpo_create_vnode_extattr = mac_mls_create_vnode_extattr,
.mpo_setlabel_vnode_extattr = mac_mls_setlabel_vnode_extattr,
.mpo_create_mbuf_from_socket = mac_mls_create_mbuf_from_socket,
+ .mpo_create_mbuf_from_syncache = mac_mls_create_mbuf_from_syncache,
.mpo_create_pipe = mac_mls_create_pipe,
.mpo_create_posix_sem = mac_mls_create_posix_sem,
.mpo_create_socket = mac_mls_create_socket,
@@ -2869,6 +2944,7 @@
.mpo_create_fragment = mac_mls_create_fragment,
.mpo_create_ifnet = mac_mls_create_ifnet,
.mpo_create_inpcb_from_socket = mac_mls_create_inpcb_from_socket,
+ .mpo_init_syncache_from_inpcb = mac_mls_init_syncache_from_inpcb,
.mpo_create_ipq = mac_mls_create_ipq,
.mpo_create_sysv_msgmsg = mac_mls_create_sysv_msgmsg,
.mpo_create_sysv_msgqueue = mac_mls_create_sysv_msgqueue,
@@ -2928,12 +3004,13 @@
.mpo_check_socket_deliver = mac_mls_check_socket_deliver,
.mpo_check_socket_relabel = mac_mls_check_socket_relabel,
.mpo_check_socket_visible = mac_mls_check_socket_visible,
+ .mpo_check_system_acct = mac_mls_check_system_acct,
+ .mpo_check_system_auditctl = mac_mls_check_system_auditctl,
.mpo_check_system_swapon = mac_mls_check_system_swapon,
.mpo_check_vnode_access = mac_mls_check_vnode_open,
.mpo_check_vnode_chdir = mac_mls_check_vnode_chdir,
.mpo_check_vnode_chroot = mac_mls_check_vnode_chroot,
.mpo_check_vnode_create = mac_mls_check_vnode_create,
- .mpo_check_vnode_delete = mac_mls_check_vnode_delete,
.mpo_check_vnode_deleteacl = mac_mls_check_vnode_deleteacl,
.mpo_check_vnode_deleteextattr = mac_mls_check_vnode_deleteextattr,
.mpo_check_vnode_exec = mac_mls_check_vnode_exec,
@@ -2959,7 +3036,10 @@
.mpo_check_vnode_setowner = mac_mls_check_vnode_setowner,
.mpo_check_vnode_setutimes = mac_mls_check_vnode_setutimes,
.mpo_check_vnode_stat = mac_mls_check_vnode_stat,
+ .mpo_check_vnode_unlink = mac_mls_check_vnode_unlink,
.mpo_check_vnode_write = mac_mls_check_vnode_write,
+ .mpo_associate_nfsd_label = mac_mls_associate_nfsd_label,
+ .mpo_create_mbuf_from_firewall = mac_mls_create_mbuf_from_firewall,
};
MAC_POLICY_SET(&mac_mls_ops, mac_mls, "TrustedBSD MAC/MLS",
Index: mac_none.c
===================================================================
RCS file: /home/cvs/src/sys/security/mac_none/mac_none.c,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -L sys/security/mac_none/mac_none.c -L sys/security/mac_none/mac_none.c -u -r1.1.1.1 -r1.2
--- sys/security/mac_none/mac_none.c
+++ sys/security/mac_none/mac_none.c
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 1999-2002 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2007 Robert N. M. Watson
* Copyright (c) 2001-2003 Networks Associates Technology, Inc.
* All rights reserved.
*
@@ -31,7 +31,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $FreeBSD: src/sys/security/mac_none/mac_none.c,v 1.31.8.1 2005/09/26 14:36:53 phk Exp $
+ * $FreeBSD: src/sys/security/mac_none/mac_none.c,v 1.36 2007/02/23 11:21:26 rwatson Exp $
*/
/*
@@ -42,48 +42,11 @@
* on, try mac_stub.
*/
-#include <sys/types.h>
#include <sys/param.h>
-#include <sys/acl.h>
-#include <sys/conf.h>
-#include <sys/extattr.h>
#include <sys/kernel.h>
-#include <sys/mac.h>
-#include <sys/mount.h>
-#include <sys/proc.h>
-#include <sys/systm.h>
-#include <sys/sysproto.h>
-#include <sys/sysent.h>
-#include <sys/vnode.h>
-#include <sys/file.h>
-#include <sys/socket.h>
-#include <sys/socketvar.h>
-#include <sys/pipe.h>
-#include <sys/sx.h>
-#include <sys/sysctl.h>
+#include <sys/module.h>
-#include <fs/devfs/devfs.h>
-
-#include <net/bpfdesc.h>
-#include <net/if.h>
-#include <net/if_types.h>
-#include <net/if_var.h>
-
-#include <netinet/in.h>
-#include <netinet/ip_var.h>
-
-#include <vm/vm.h>
-
-#include <sys/mac_policy.h>
-
-SYSCTL_DECL(_security_mac);
-
-SYSCTL_NODE(_security_mac, OID_AUTO, none, CTLFLAG_RW, 0,
- "TrustedBSD mac_none policy controls");
-
-static int mac_none_enabled = 1;
-SYSCTL_INT(_security_mac_none, OID_AUTO, enabled, CTLFLAG_RW,
- &mac_none_enabled, 0, "Enforce none policy");
+#include <security/mac/mac_policy.h>
static struct mac_policy_ops mac_none_ops =
{
Index: mac_partition.c
===================================================================
RCS file: /home/cvs/src/sys/security/mac_partition/mac_partition.c,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -L sys/security/mac_partition/mac_partition.c -L sys/security/mac_partition/mac_partition.c -u -r1.1.1.1 -r1.2
--- sys/security/mac_partition/mac_partition.c
+++ sys/security/mac_partition/mac_partition.c
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 1999-2002 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2007 Robert N. M. Watson
* Copyright (c) 2001-2002 Networks Associates Technology, Inc.
* All rights reserved.
*
@@ -31,7 +31,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $FreeBSD: src/sys/security/mac_partition/mac_partition.c,v 1.10.8.1 2005/09/26 14:36:53 phk Exp $
+ * $FreeBSD: src/sys/security/mac_partition/mac_partition.c,v 1.19 2007/04/23 13:15:22 rwatson Exp $
*/
/*
@@ -39,35 +39,16 @@
* Experiment with a partition-like model.
*/
-#include <sys/types.h>
#include <sys/param.h>
-#include <sys/conf.h>
#include <sys/kernel.h>
-#include <sys/mac.h>
-#include <sys/mount.h>
+#include <sys/module.h>
+#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/sbuf.h>
#include <sys/systm.h>
-#include <sys/sysproto.h>
-#include <sys/sysent.h>
-#include <sys/vnode.h>
-#include <sys/file.h>
-#include <sys/socket.h>
-#include <sys/socketvar.h>
-#include <sys/sx.h>
#include <sys/sysctl.h>
-#include <fs/devfs/devfs.h>
-
-#include <net/bpfdesc.h>
-#include <net/if.h>
-#include <net/if_types.h>
-#include <net/if_var.h>
-
-#include <vm/vm.h>
-
-#include <sys/mac_policy.h>
-
+#include <security/mac/mac_policy.h>
#include <security/mac_partition/mac_partition.h>
SYSCTL_DECL(_security_mac);
@@ -80,33 +61,28 @@
&mac_partition_enabled, 0, "Enforce partition policy");
static int partition_slot;
-#define SLOT(l) (LABEL_TO_SLOT((l), partition_slot).l_long)
-
-static void
-mac_partition_init(struct mac_policy_conf *conf)
-{
-
-}
+#define SLOT(l) mac_label_get((l), partition_slot)
+#define SLOT_SET(l, v) mac_label_set((l), partition_slot, (v))
static void
mac_partition_init_label(struct label *label)
{
- SLOT(label) = 0;
+ SLOT_SET(label, 0);
}
static void
mac_partition_destroy_label(struct label *label)
{
- SLOT(label) = 0;
+ SLOT_SET(label, 0);
}
static void
mac_partition_copy_label(struct label *src, struct label *dest)
{
- SLOT(dest) = SLOT(src);
+ SLOT_SET(dest, SLOT(src));
}
static int
@@ -119,7 +95,7 @@
(*claimed)++;
- if (sbuf_printf(sb, "%ld", SLOT(label)) == -1)
+ if (sbuf_printf(sb, "%jd", (intmax_t)SLOT(label)) == -1)
return (EINVAL);
else
return (0);
@@ -134,7 +110,7 @@
return (0);
(*claimed)++;
- SLOT(label) = strtol(element_data, NULL, 10);
+ SLOT_SET(label, strtol(element_data, NULL, 10));
return (0);
}
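Review bot: The internalize path still stores whatever `strtol(element_data, NULL, 10)` returns without checking that the string was actually numeric, so a label element such as `abc` silently becomes partition 0 (no partition) and overlong digit strings clamp instead of failing; the hunk only switches the store to `SLOT_SET` and keeps the unchecked parse. Label strings presumably reach this function from userland relabel requests, so the parse should fail closed with EINVAL when nothing was consumed or trailing characters remain. The rewrite below needs `char *endp; long v;` declared at the top of the function, which lies above the hunk.
```c
	/* … unchanged: element-name test and (*claimed)++ … */
	v = strtol(element_data, &endp, 10);
	if (*element_data == '\0' || *endp != '\0')
		return (EINVAL);
	SLOT_SET(label, v);
	return (0);
```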
@@ -142,14 +118,14 @@
mac_partition_create_proc0(struct ucred *cred)
{
- SLOT(cred->cr_label) = 0;
+ SLOT_SET(cred->cr_label, 0);
}
static void
mac_partition_create_proc1(struct ucred *cred)
{
- SLOT(cred->cr_label) = 0;
+ SLOT_SET(cred->cr_label, 0);
}
static void
@@ -157,7 +133,7 @@
{
if (SLOT(newlabel) != 0)
- SLOT(cred->cr_label) = SLOT(newlabel);
+ SLOT_SET(cred->cr_label, SLOT(newlabel));
}
static int
@@ -191,67 +167,68 @@
* in a partition in the first place, but this didn't
* interact well with sendmail.
*/
- error = suser_cred(cred, 0);
+ error = priv_check_cred(cred, PRIV_MAC_PARTITION, 0);
}
return (error);
}
static int
-mac_partition_check_cred_visible(struct ucred *u1, struct ucred *u2)
+mac_partition_check_cred_visible(struct ucred *cr1, struct ucred *cr2)
{
int error;
- error = label_on_label(u1->cr_label, u2->cr_label);
+ error = label_on_label(cr1->cr_label, cr2->cr_label);
return (error == 0 ? 0 : ESRCH);
}
static int
-mac_partition_check_proc_debug(struct ucred *cred, struct proc *proc)
+mac_partition_check_proc_debug(struct ucred *cred, struct proc *p)
{
int error;
- error = label_on_label(cred->cr_label, proc->p_ucred->cr_label);
+ error = label_on_label(cred->cr_label, p->p_ucred->cr_label);
return (error ? ESRCH : 0);
}
static int
-mac_partition_check_proc_sched(struct ucred *cred, struct proc *proc)
+mac_partition_check_proc_sched(struct ucred *cred, struct proc *p)
{
int error;
- error = label_on_label(cred->cr_label, proc->p_ucred->cr_label);
+ error = label_on_label(cred->cr_label, p->p_ucred->cr_label);
return (error ? ESRCH : 0);
}
static int
-mac_partition_check_proc_signal(struct ucred *cred, struct proc *proc,
+mac_partition_check_proc_signal(struct ucred *cred, struct proc *p,
int signum)
{
int error;
- error = label_on_label(cred->cr_label, proc->p_ucred->cr_label);
+ error = label_on_label(cred->cr_label, p->p_ucred->cr_label);
return (error ? ESRCH : 0);
}
static int
-mac_partition_check_socket_visible(struct ucred *cred, struct socket *socket,
- struct label *socketlabel)
+mac_partition_check_socket_visible(struct ucred *cred, struct socket *so,
+ struct label *solabel)
{
int error;
- error = label_on_label(cred->cr_label, socketlabel);
+ error = label_on_label(cred->cr_label, solabel);
return (error ? ENOENT : 0);
}
static int
mac_partition_check_vnode_exec(struct ucred *cred, struct vnode *vp,
- struct label *label, struct image_params *imgp, struct label *execlabel)
+ struct label *vplabel, struct image_params *imgp,
+ struct label *execlabel)
{
if (execlabel != NULL) {
@@ -269,7 +246,6 @@
static struct mac_policy_ops mac_partition_ops =
{
- .mpo_init = mac_partition_init,
.mpo_init_cred_label = mac_partition_init_label,
.mpo_destroy_cred_label = mac_partition_destroy_label,
.mpo_copy_cred_label = mac_partition_copy_label,
Index: mac_portacl.c
===================================================================
RCS file: /home/cvs/src/sys/security/mac_portacl/mac_portacl.c,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -L sys/security/mac_portacl/mac_portacl.c -L sys/security/mac_portacl/mac_portacl.c -u -r1.1.1.1 -r1.2
--- sys/security/mac_portacl/mac_portacl.c
+++ sys/security/mac_portacl/mac_portacl.c
@@ -28,7 +28,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $FreeBSD: src/sys/security/mac_portacl/mac_portacl.c,v 1.7 2004/12/08 11:46:44 rwatson Exp $
+ * $FreeBSD: src/sys/security/mac_portacl/mac_portacl.c,v 1.15 2007/06/12 00:12:00 rwatson Exp $
*/
/*
@@ -55,24 +55,18 @@
* because the kernel only knows about uids and gids.
*/
-#include <sys/types.h>
#include <sys/param.h>
-#include <sys/conf.h>
#include <sys/domain.h>
#include <sys/kernel.h>
-#include <sys/libkern.h>
#include <sys/lock.h>
-#include <sys/mac.h>
#include <sys/malloc.h>
-#include <sys/mount.h>
+#include <sys/module.h>
#include <sys/mutex.h>
+#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/protosw.h>
#include <sys/queue.h>
#include <sys/systm.h>
-#include <sys/sysproto.h>
-#include <sys/sysent.h>
-#include <sys/file.h>
#include <sys/sbuf.h>
#include <sys/socket.h>
#include <sys/socketvar.h>
@@ -81,9 +75,7 @@
#include <netinet/in.h>
#include <netinet/in_pcb.h>
-#include <vm/vm.h>
-
-#include <sys/mac_policy.h>
+#include <security/mac/mac_policy.h>
SYSCTL_DECL(_security_mac);
@@ -113,7 +105,7 @@
&mac_portacl_port_high, 0, "Highest port to enforce for");
TUNABLE_INT("security.mac.portacl.port_high", &mac_portacl_port_high);
-MALLOC_DEFINE(M_PORTACL, "portacl rule", "Rules for mac_portacl");
+MALLOC_DEFINE(M_PORTACL, "mac_portacl_rule", "Rules for mac_portacl");
#define MAC_RULE_STRING_LEN 1024
@@ -427,7 +419,7 @@
mtx_unlock(&rule_mtx);
if (error != 0 && mac_portacl_suser_exempt != 0)
- error = suser_cred(cred, 0);
+ error = priv_check_cred(cred, PRIV_NETINET_RESERVEDPORT, 0);
return (error);
}
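Review bot: The superuser exemption now maps to PRIV_NETINET_RESERVEDPORT, but the exemption applies to every port the policy enforces (the range bounded by the `port_high` sysctl earlier in this file), not only to reserved ports, and nothing in the hunk records that the privilege name is being reused for a broader purpose. A one-line comment would stop a later reader from assuming the check is limited to ports below 1024: `/* suser_exempt: reuse the reserved-port privilege to exempt privileged creds from the whole enforced range. */`. The enclosing function begins above the hunk.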
@@ -439,7 +431,7 @@
*/
static int
check_socket_bind(struct ucred *cred, struct socket *so,
- struct label *socketlabel, struct sockaddr *sockaddr)
+ struct label *solabel, struct sockaddr *sa)
{
struct sockaddr_in *sin;
struct inpcb *inp;
@@ -461,13 +453,12 @@
return (0);
/* Reject addresses we don't understand; fail closed. */
- if (sockaddr->sa_family != AF_INET &&
- sockaddr->sa_family != AF_INET6)
+ if (sa->sa_family != AF_INET && sa->sa_family != AF_INET6)
return (EINVAL);
family = so->so_proto->pr_domain->dom_family;
type = so->so_type;
- sin = (struct sockaddr_in *) sockaddr;
+ sin = (struct sockaddr_in *) sa;
port = ntohs(sin->sin_port);
/*
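Review bot: `sin = (struct sockaddr_in *) sa;` is applied to AF_INET6 addresses as well, so the `ntohs(sin->sin_port)` on the next line depends on `sin_port` and `sin6_port` sharing an offset and on `sa` being at least that long; the hunk only renames the variable and leaves both assumptions unstated. If the bind path does not already validate `sa_len` before this MAC hook runs, a guard beside the family check keeps the fail-closed behaviour the comment above promises: `if (sa->sa_len < sizeof(struct sockaddr_in)) return (EINVAL);`. Otherwise a comment documenting the shared-offset assumption would be enough. check_socket_bind's signature is above the hunk and its body continues below it.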
Index: mac_seeotheruids.c
===================================================================
RCS file: /home/cvs/src/sys/security/mac_seeotheruids/mac_seeotheruids.c,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -L sys/security/mac_seeotheruids/mac_seeotheruids.c -L sys/security/mac_seeotheruids/mac_seeotheruids.c -u -r1.1.1.1 -r1.2
--- sys/security/mac_seeotheruids/mac_seeotheruids.c
+++ sys/security/mac_seeotheruids/mac_seeotheruids.c
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 1999-2002 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2007 Robert N. M. Watson
* Copyright (c) 2001-2002 Networks Associates Technology, Inc.
* All rights reserved.
*
@@ -31,39 +31,26 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $FreeBSD: src/sys/security/mac_seeotheruids/mac_seeotheruids.c,v 1.7 2005/01/03 12:08:18 rwatson Exp $
+ * $FreeBSD: src/sys/security/mac_seeotheruids/mac_seeotheruids.c,v 1.15 2007/06/12 00:12:01 rwatson Exp $
*/
/*
* Developed by the TrustedBSD Project.
+ *
* Prevent processes owned by a particular uid from seeing various transient
* kernel objects associated with other uids.
*/
-#include <sys/types.h>
#include <sys/param.h>
-#include <sys/conf.h>
#include <sys/kernel.h>
-#include <sys/mac.h>
-#include <sys/mount.h>
+#include <sys/module.h>
+#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/systm.h>
-#include <sys/sysproto.h>
-#include <sys/sysent.h>
-#include <sys/vnode.h>
-#include <sys/file.h>
-#include <sys/socket.h>
#include <sys/socketvar.h>
#include <sys/sysctl.h>
-#include <net/bpfdesc.h>
-#include <net/if.h>
-#include <net/if_types.h>
-#include <net/if_var.h>
-
-#include <vm/vm.h>
-
-#include <sys/mac_policy.h>
+#include <security/mac/mac_policy.h>
SYSCTL_DECL(_security_mac);
@@ -84,6 +71,14 @@
"with the same real primary group id");
/*
+ * Exception: allow the root user to be aware of other credentials by virtue
+ * of privilege.
+ */
+static int suser_privileged = 1;
+SYSCTL_INT(_security_mac_seeotheruids, OID_AUTO, suser_privileged,
+ CTLFLAG_RW, &suser_privileged, 0, "Make an exception for superuser");
+
+/*
* Exception: allow processes with a specific gid to be exempt from the
* policy. One sysctl enables this functionality; the other sets the
* exempt gid.
@@ -98,66 +93,69 @@
&specificgid, 0, "Specific gid to be exempt from seeotheruids policy");
static int
-mac_seeotheruids_check(struct ucred *u1, struct ucred *u2)
+mac_seeotheruids_check(struct ucred *cr1, struct ucred *cr2)
{
if (!mac_seeotheruids_enabled)
return (0);
if (primarygroup_enabled) {
- if (u1->cr_rgid == u2->cr_rgid)
+ if (cr1->cr_rgid == cr2->cr_rgid)
return (0);
}
if (specificgid_enabled) {
- if (u1->cr_rgid == specificgid || groupmember(specificgid, u1))
+ if (cr1->cr_rgid == specificgid ||
+ groupmember(specificgid, cr1))
return (0);
}
- if (u1->cr_ruid == u2->cr_ruid)
+ if (cr1->cr_ruid == cr2->cr_ruid)
return (0);
- if (suser_cred(u1, 0) == 0)
- return (0);
+ if (suser_privileged) {
+ if (priv_check_cred(cr1, PRIV_SEEOTHERUIDS, 0) == 0)
+ return (0);
+ }
return (ESRCH);
}
static int
-mac_seeotheruids_check_cred_visible(struct ucred *u1, struct ucred *u2)
+mac_seeotheruids_check_cred_visible(struct ucred *cr1, struct ucred *cr2)
{
- return (mac_seeotheruids_check(u1, u2));
+ return (mac_seeotheruids_check(cr1, cr2));
}
static int
-mac_seeotheruids_check_proc_signal(struct ucred *cred, struct proc *proc,
+mac_seeotheruids_check_proc_signal(struct ucred *cred, struct proc *p,
int signum)
{
- return (mac_seeotheruids_check(cred, proc->p_ucred));
+ return (mac_seeotheruids_check(cred, p->p_ucred));
}
static int
-mac_seeotheruids_check_proc_sched(struct ucred *cred, struct proc *proc)
+mac_seeotheruids_check_proc_sched(struct ucred *cred, struct proc *p)
{
- return (mac_seeotheruids_check(cred, proc->p_ucred));
+ return (mac_seeotheruids_check(cred, p->p_ucred));
}
static int
-mac_seeotheruids_check_proc_debug(struct ucred *cred, struct proc *proc)
+mac_seeotheruids_check_proc_debug(struct ucred *cred, struct proc *p)
{
- return (mac_seeotheruids_check(cred, proc->p_ucred));
+ return (mac_seeotheruids_check(cred, p->p_ucred));
}
static int
-mac_seeotheruids_check_socket_visible(struct ucred *cred, struct socket *socket,
- struct label *socketlabel)
+mac_seeotheruids_check_socket_visible(struct ucred *cred, struct socket *so,
+ struct label *solabel)
{
- return (mac_seeotheruids_check(cred, socket->so_cred));
+ return (mac_seeotheruids_check(cred, so->so_cred));
}
static struct mac_policy_ops mac_seeotheruids_ops =
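Review bot: The new superuser branch in mac_seeotheruids_check is written as two nested ifs where a single condition reads more directly and matches the surrounding early returns: `if (suser_privileged && priv_check_cred(cr1, PRIV_SEEOTHERUIDS, 0) == 0) return (0);`. Placing the privilege check after the uid/gid comparisons is a reasonable ordering, and a short comment such as `/* Privilege is consulted last, only when no cheaper exemption applies. */` would keep it from being reordered later.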
Index: mac_stub.c
===================================================================
RCS file: /home/cvs/src/sys/security/mac_stub/mac_stub.c,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -L sys/security/mac_stub/mac_stub.c -L sys/security/mac_stub/mac_stub.c -u -r1.1.1.1 -r1.2
--- sys/security/mac_stub/mac_stub.c
+++ sys/security/mac_stub/mac_stub.c
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 1999-2002 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2007 Robert N. M. Watson
* Copyright (c) 2001-2005 McAfee, Inc.
* Copyright (c) 2005 SPARTA, Inc.
* All rights reserved.
@@ -35,7 +35,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $FreeBSD: src/sys/security/mac_stub/mac_stub.c,v 1.52.2.4 2005/10/05 10:31:04 rwatson Exp $
+ * $FreeBSD: src/sys/security/mac_stub/mac_stub.c,v 1.68.2.1 2007/11/06 14:46:59 rwatson Exp $
*/
/*
@@ -51,7 +51,7 @@
#include <sys/conf.h>
#include <sys/extattr.h>
#include <sys/kernel.h>
-#include <sys/mac.h>
+#include <sys/ksem.h>
#include <sys/mount.h>
#include <sys/proc.h>
#include <sys/systm.h>
@@ -68,8 +68,6 @@
#include <sys/sem.h>
#include <sys/shm.h>
-#include <posix4/ksem.h>
-
#include <fs/devfs/devfs.h>
#include <net/bpfdesc.h>
@@ -83,7 +81,7 @@
#include <vm/vm.h>
-#include <sys/mac_policy.h>
+#include <security/mac/mac_policy.h>
SYSCTL_DECL(_security_mac);
@@ -165,16 +163,16 @@
* a lot like file system objects.
*/
static void
-stub_associate_vnode_devfs(struct mount *mp, struct label *fslabel,
+stub_associate_vnode_devfs(struct mount *mp, struct label *mplabel,
struct devfs_dirent *de, struct label *delabel, struct vnode *vp,
- struct label *vlabel)
+ struct label *vplabel)
{
}
static int
-stub_associate_vnode_extattr(struct mount *mp, struct label *fslabel,
- struct vnode *vp, struct label *vlabel)
+stub_associate_vnode_extattr(struct mount *mp, struct label *mplabel,
+ struct vnode *vp, struct label *vplabel)
{
return (0);
@@ -182,21 +180,27 @@
static void
stub_associate_vnode_singlelabel(struct mount *mp,
- struct label *fslabel, struct vnode *vp, struct label *vlabel)
+ struct label *mplabel, struct vnode *vp, struct label *vplabel)
+{
+
+}
+
+static void
+stub_associate_nfsd_label(struct ucred *cred)
{
}
static void
stub_create_devfs_device(struct ucred *cred, struct mount *mp,
- struct cdev *dev, struct devfs_dirent *devfs_dirent, struct label *label)
+ struct cdev *dev, struct devfs_dirent *de, struct label *delabel)
{
}
static void
stub_create_devfs_directory(struct mount *mp, char *dirname,
- int dirnamelen, struct devfs_dirent *devfs_dirent, struct label *label)
+ int dirnamelen, struct devfs_dirent *de, struct label *delabel)
{
}
@@ -211,8 +215,8 @@
static int
stub_create_vnode_extattr(struct ucred *cred, struct mount *mp,
- struct label *fslabel, struct vnode *dvp, struct label *dlabel,
- struct vnode *vp, struct label *vlabel, struct componentname *cnp)
+ struct label *mntlabel, struct vnode *dvp, struct label *dvplabel,
+ struct vnode *vp, struct label *vplabel, struct componentname *cnp)
{
return (0);
@@ -220,30 +224,29 @@
static void
stub_create_mount(struct ucred *cred, struct mount *mp,
- struct label *mntlabel, struct label *fslabel)
+ struct label *mplabel)
{
}
static void
stub_relabel_vnode(struct ucred *cred, struct vnode *vp,
- struct label *vnodelabel, struct label *label)
+ struct label *vplabel, struct label *label)
{
}
static int
stub_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
- struct label *vlabel, struct label *intlabel)
+ struct label *vplabel, struct label *intlabel)
{
return (0);
}
static void
-stub_update_devfsdirent(struct mount *mp,
- struct devfs_dirent *devfs_dirent, struct label *direntlabel,
- struct vnode *vp, struct label *vnodelabel)
+stub_update_devfs(struct mount *mp, struct devfs_dirent *de,
+ struct label *delabel, struct vnode *vp, struct label *vplabel)
{
}
@@ -252,66 +255,65 @@
* Labeling event operations: IPC object.
*/
static void
-stub_create_mbuf_from_socket(struct socket *so, struct label *socketlabel,
- struct mbuf *m, struct label *mbuflabel)
+stub_create_mbuf_from_socket(struct socket *so, struct label *solabel,
+ struct mbuf *m, struct label *mlabel)
{
}
static void
-stub_create_socket(struct ucred *cred, struct socket *socket,
- struct label *socketlabel)
+stub_create_socket(struct ucred *cred, struct socket *so,
+ struct label *solabel)
{
}
static void
stub_create_pipe(struct ucred *cred, struct pipepair *pp,
- struct label *pipelabel)
+ struct label *pplabel)
{
}
static void
-stub_create_posix_sem(struct ucred *cred, struct ksem *ksemptr,
- struct label *ks_label)
+stub_create_posix_sem(struct ucred *cred, struct ksem *ks,
+ struct label *kslabel)
{
}
static void
-stub_create_socket_from_socket(struct socket *oldsocket,
- struct label *oldsocketlabel, struct socket *newsocket,
- struct label *newsocketlabel)
+stub_create_socket_from_socket(struct socket *oldso,
+ struct label *oldsolabel, struct socket *newso, struct label *newsolabel)
{
}
static void
-stub_relabel_socket(struct ucred *cred, struct socket *socket,
- struct label *socketlabel, struct label *newlabel)
+stub_relabel_socket(struct ucred *cred, struct socket *so,
+ struct label *solabel, struct label *newlabel)
{
}
static void
stub_relabel_pipe(struct ucred *cred, struct pipepair *pp,
- struct label *pipelabel, struct label *newlabel)
+ struct label *pplabel, struct label *newlabel)
{
}
static void
-stub_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct label *mbuflabel,
- struct socket *socket, struct label *socketpeerlabel)
+stub_set_socket_peer_from_mbuf(struct mbuf *m, struct label *mlabel,
+ struct socket *so, struct label *sopeerlabel)
{
}
static void
-stub_set_socket_peer_from_socket(struct socket *oldsocket,
- struct label *oldsocketlabel, struct socket *newsocket,
- struct label *newsocketpeerlabel)
+stub_set_socket_peer_from_socket(struct socket *oldso,
+ struct label *oldsolabel, struct socket *newso,
+ struct label *newsopeerlabel)
{
}
@@ -320,28 +322,28 @@
* Labeling event operations: network objects.
*/
static void
-stub_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d,
- struct label *bpflabel)
+stub_create_bpfdesc(struct ucred *cred, struct bpf_d *d,
+ struct label *dlabel)
{
}
static void
stub_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel,
- struct mbuf *datagram, struct label *datagramlabel)
+ struct mbuf *m, struct label *mlabel)
{
}
static void
-stub_create_fragment(struct mbuf *datagram, struct label *datagramlabel,
- struct mbuf *fragment, struct label *fragmentlabel)
+stub_create_fragment(struct mbuf *m, struct label *mlabel, struct mbuf *frag,
+ struct label *fraglabel)
{
}
static void
-stub_create_ifnet(struct ifnet *ifnet, struct label *ifnetlabel)
+stub_create_ifnet(struct ifnet *ifp, struct label *ifplabel)
{
}
@@ -354,6 +356,12 @@
}
static void
+stub_init_syncache_from_inpcb(struct label *label, struct inpcb *inp)
+{
+
+}
+
+static void
stub_create_sysv_msgmsg(struct ucred *cred, struct msqid_kernel *msqkptr,
struct label *msqlabel, struct msg *msgptr, struct label *msglabel)
{
@@ -382,8 +390,8 @@
}
static void
-stub_create_ipq(struct mbuf *fragment, struct label *fragmentlabel,
- struct ipq *ipq, struct label *ipqlabel)
+stub_create_ipq(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
+ struct label *ipqlabel)
{
}
@@ -396,44 +404,57 @@
}
static void
+stub_create_mbuf_from_syncache(struct label *sc_label, struct mbuf *m,
+ struct label *mlabel)
+{
+
+}
+
+static void
stub_create_mbuf_linklayer(struct ifnet *ifnet, struct label *ifnetlabel,
- struct mbuf *mbuf, struct label *mbuflabel)
+ struct mbuf *m, struct label *mlabel)
+{
+
+}
+
+static void
+stub_create_mbuf_from_bpfdesc(struct bpf_d *d, struct label *dlabel,
+ struct mbuf *m, struct label *mlabel)
{
}
static void
-stub_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct label *bpflabel,
- struct mbuf *mbuf, struct label *mbuflabel)
+stub_create_mbuf_from_ifnet(struct ifnet *ifp, struct label *ifplabel,
+ struct mbuf *m, struct label *mlabel)
{
}
static void
-stub_create_mbuf_from_ifnet(struct ifnet *ifnet, struct label *ifnetlabel,
- struct mbuf *m, struct label *mbuflabel)
+stub_create_mbuf_multicast_encap(struct mbuf *m, struct label *mlabel,
+ struct ifnet *ifp, struct label *ifplabel, struct mbuf *mnew,
+ struct label *mnewlabel)
{
}
static void
-stub_create_mbuf_multicast_encap(struct mbuf *oldmbuf,
- struct label *oldmbuflabel, struct ifnet *ifnet, struct label *ifnetlabel,
- struct mbuf *newmbuf, struct label *newmbuflabel)
+stub_create_mbuf_netlayer(struct mbuf *m, struct label *mlabel,
+ struct mbuf *mnew, struct label *mnewlabel)
{
}
static void
-stub_create_mbuf_netlayer(struct mbuf *oldmbuf,
- struct label *oldmbuflabel, struct mbuf *newmbuf, struct label *newmbuflabel)
+stub_create_mbuf_from_firewall(struct mbuf *m, struct label *mlabel)
{
}
static int
-stub_fragment_match(struct mbuf *fragment, struct label *fragmentlabel,
- struct ipq *ipq, struct label *ipqlabel)
+stub_fragment_match(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
+ struct label *ipqlabel)
{
return (1);
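Review bot: The new `stub_create_mbuf_from_syncache` names its first parameter `sc_label`, while the rest of this commit's rename sweep moves label parameters to the unsuffixed `mlabel`/`solabel`/`ifplabel` form; `sclabel` would match. In the same hunk `stub_create_mbuf_linklayer` keeps the old `struct ifnet *ifnet, struct label *ifnetlabel` pair even though its neighbour `stub_create_mbuf_from_ifnet` is changed to `ifp`/`ifplabel` right below it. Both are style only, since every body here is empty, but they are exactly the drift the sweep was meant to remove. The hunk ends inside `stub_fragment_match`, whose closing brace is outside it.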
@@ -452,15 +473,15 @@
}
static void
-stub_relabel_ifnet(struct ucred *cred, struct ifnet *ifnet,
- struct label *ifnetlabel, struct label *newlabel)
+stub_relabel_ifnet(struct ucred *cred, struct ifnet *ifp,
+ struct label *ifplabel, struct label *newlabel)
{
}
static void
-stub_update_ipq(struct mbuf *fragment, struct label *fragmentlabel,
- struct ipq *ipq, struct label *ipqlabel)
+stub_update_ipq(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
+ struct label *ipqlabel)
{
}
@@ -477,16 +498,15 @@
*/
static void
stub_execve_transition(struct ucred *old, struct ucred *new,
- struct vnode *vp, struct label *vnodelabel,
- struct label *interpvnodelabel, struct image_params *imgp,
- struct label *execlabel)
+ struct vnode *vp, struct label *vplabel, struct label *interpvnodelabel,
+ struct image_params *imgp, struct label *execlabel)
{
}
static int
stub_execve_will_transition(struct ucred *old, struct vnode *vp,
- struct label *vnodelabel, struct label *interpvnodelabel,
+ struct label *vplabel, struct label *interpvnodelabel,
struct image_params *imgp, struct label *execlabel)
{
@@ -548,8 +568,8 @@
* Access control checks.
*/
static int
-stub_check_bpfdesc_receive(struct bpf_d *bpf_d, struct label *bpflabel,
- struct ifnet *ifnet, struct label *ifnet_label)
+stub_check_bpfdesc_receive(struct bpf_d *d, struct label *dlabel,
+ struct ifnet *ifp, struct label *ifplabel)
{
return (0);
@@ -563,23 +583,23 @@
}
static int
-stub_check_cred_visible(struct ucred *u1, struct ucred *u2)
+stub_check_cred_visible(struct ucred *cr1, struct ucred *cr2)
{
return (0);
}
static int
-stub_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet,
- struct label *ifnetlabel, struct label *newlabel)
+stub_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifp,
+ struct label *ifplabel, struct label *newlabel)
{
return (0);
}
static int
-stub_check_ifnet_transmit(struct ifnet *ifnet, struct label *ifnetlabel,
- struct mbuf *m, struct label *mbuflabel)
+stub_check_ifnet_transmit(struct ifnet *ifp, struct label *ifplabel,
+ struct mbuf *m, struct label *mlabel)
{
return (0);
@@ -743,7 +763,7 @@
static int
stub_check_kld_load(struct ucred *cred, struct vnode *vp,
- struct label *vlabel)
+ struct label *vplabel)
{
return (0);
@@ -757,15 +777,8 @@
}
static int
-stub_check_kld_unload(struct ucred *cred)
-{
-
- return (0);
-}
-
-static int
stub_check_mount_stat(struct ucred *cred, struct mount *mp,
- struct label *mntlabel)
+ struct label *mplabel)
{
return (0);
@@ -773,7 +786,7 @@
static int
stub_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp,
- struct label *pipelabel, unsigned long cmd, void /* caddr_t */ *data)
+ struct label *pplabel, unsigned long cmd, void /* caddr_t */ *data)
{
return (0);
@@ -781,7 +794,7 @@
static int
stub_check_pipe_poll(struct ucred *cred, struct pipepair *pp,
- struct label *pipelabel)
+ struct label *pplabel)
{
return (0);
@@ -789,7 +802,7 @@
static int
stub_check_pipe_read(struct ucred *cred, struct pipepair *pp,
- struct label *pipelabel)
+ struct label *pplabel)
{
return (0);
@@ -797,7 +810,7 @@
static int
stub_check_pipe_relabel(struct ucred *cred, struct pipepair *pp,
- struct label *pipelabel, struct label *newlabel)
+ struct label *pplabel, struct label *newlabel)
{
return (0);
@@ -805,7 +818,7 @@
static int
stub_check_pipe_stat(struct ucred *cred, struct pipepair *pp,
- struct label *pipelabel)
+ struct label *pplabel)
{
return (0);
@@ -813,83 +826,104 @@
static int
stub_check_pipe_write(struct ucred *cred, struct pipepair *pp,
- struct label *pipelabel)
+ struct label *pplabel)
+{
+
+ return (0);
+}
+
+static int
+stub_check_posix_sem_destroy(struct ucred *cred, struct ksem *ks,
+ struct label *kslabel)
{
return (0);
}
static int
-stub_check_posix_sem_destroy(struct ucred *cred, struct ksem *ksemptr,
- struct label *ks_label)
+stub_check_posix_sem_getvalue(struct ucred *cred, struct ksem *ks,
+ struct label *kslabel)
{
return (0);
}
static int
-stub_check_posix_sem_getvalue(struct ucred *cred, struct ksem *ksemptr,
- struct label *ks_label)
+stub_check_posix_sem_open(struct ucred *cred, struct ksem *ks,
+ struct label *kslabel)
{
return (0);
}
static int
-stub_check_posix_sem_open(struct ucred *cred, struct ksem *ksemptr,
- struct label *ks_label)
+stub_check_posix_sem_post(struct ucred *cred, struct ksem *ks,
+ struct label *kslabel)
{
return (0);
}
static int
-stub_check_posix_sem_post(struct ucred *cred, struct ksem *ksemptr,
- struct label *ks_label)
+stub_check_posix_sem_unlink(struct ucred *cred, struct ksem *ks,
+ struct label *kslabel)
{
return (0);
}
static int
-stub_check_posix_sem_unlink(struct ucred *cred, struct ksem *ksemptr,
- struct label *ks_label)
+stub_check_posix_sem_wait(struct ucred *cred, struct ksem *ks,
+ struct label *kslabel)
{
return (0);
}
static int
-stub_check_posix_sem_wait(struct ucred *cred, struct ksem *ksemptr,
- struct label *ks_label)
+stub_check_proc_debug(struct ucred *cred, struct proc *p)
{
return (0);
}
static int
-stub_check_proc_debug(struct ucred *cred, struct proc *proc)
+stub_check_proc_sched(struct ucred *cred, struct proc *p)
{
return (0);
}
static int
-stub_check_proc_sched(struct ucred *cred, struct proc *proc)
+stub_check_proc_signal(struct ucred *cred, struct proc *p, int signum)
{
return (0);
}
static int
-stub_check_proc_signal(struct ucred *cred, struct proc *proc, int signum)
+stub_check_proc_wait(struct ucred *cred, struct proc *p)
{
return (0);
}
static int
-stub_check_proc_wait(struct ucred *cred, struct proc *proc)
+stub_check_proc_setaudit(struct ucred *cred, struct auditinfo *ai)
+{
+
+ return (0);
+}
+
+static int
+stub_check_proc_setaudit_addr(struct ucred *cred, struct auditinfo_addr *aia)
+{
+
+ return (0);
+}
+
+static int
+stub_check_proc_setauid(struct ucred *cred, uid_t auid)
{
return (0);
@@ -962,40 +996,39 @@
}
static int
-stub_check_socket_accept(struct ucred *cred, struct socket *socket,
- struct label *socketlabel)
+stub_check_socket_accept(struct ucred *cred, struct socket *so,
+ struct label *solabel)
{
return (0);
}
static int
-stub_check_socket_bind(struct ucred *cred, struct socket *socket,
- struct label *socketlabel, struct sockaddr *sockaddr)
+stub_check_socket_bind(struct ucred *cred, struct socket *so,
+ struct label *solabel, struct sockaddr *sa)
{
return (0);
}
static int
-stub_check_socket_connect(struct ucred *cred, struct socket *socket,
- struct label *socketlabel, struct sockaddr *sockaddr)
+stub_check_socket_connect(struct ucred *cred, struct socket *so,
+ struct label *solabel, struct sockaddr *sa)
{
return (0);
}
static int
-stub_check_socket_create(struct ucred *cred, int domain, int type,
- int protocol)
+stub_check_socket_create(struct ucred *cred, int domain, int type, int proto)
{
return (0);
}
static int
-stub_check_socket_deliver(struct socket *so, struct label *socketlabel,
- struct mbuf *m, struct label *mbuflabel)
+stub_check_socket_deliver(struct socket *so, struct label *solabel,
+ struct mbuf *m, struct label *mlabel)
{
return (0);
@@ -1003,7 +1036,7 @@
static int
stub_check_socket_listen(struct ucred *cred, struct socket *so,
- struct label *socketlabel)
+ struct label *solabel)
{
return (0);
@@ -1011,7 +1044,7 @@
static int
stub_check_socket_poll(struct ucred *cred, struct socket *so,
- struct label *socketlabel)
+ struct label *solabel)
{
return (0);
@@ -1019,22 +1052,22 @@
static int
stub_check_socket_receive(struct ucred *cred, struct socket *so,
- struct label *socketlabel)
+ struct label *solabel)
{
return (0);
}
static int
-stub_check_socket_relabel(struct ucred *cred, struct socket *socket,
- struct label *socketlabel, struct label *newlabel)
+stub_check_socket_relabel(struct ucred *cred, struct socket *so,
+ struct label *solabel, struct label *newlabel)
{
return (0);
}
static int
stub_check_socket_send(struct ucred *cred, struct socket *so,
- struct label *socketlabel)
+ struct label *solabel)
{
return (0);
@@ -1042,52 +1075,52 @@
static int
stub_check_socket_stat(struct ucred *cred, struct socket *so,
- struct label *socketlabel)
+ struct label *solabel)
{
return (0);
}
static int
-stub_check_socket_visible(struct ucred *cred, struct socket *socket,
- struct label *socketlabel)
+stub_check_socket_visible(struct ucred *cred, struct socket *so,
+ struct label *solabel)
{
return (0);
}
static int
-stub_check_sysarch_ioperm(struct ucred *cred)
+stub_check_system_acct(struct ucred *cred, struct vnode *vp,
+ struct label *vplabel)
{
return (0);
}
static int
-stub_check_system_acct(struct ucred *cred, struct vnode *vp,
- struct label *vlabel)
+stub_check_system_audit(struct ucred *cred, void *record, int length)
{
return (0);
}
static int
-stub_check_system_reboot(struct ucred *cred, int how)
+stub_check_system_auditctl(struct ucred *cred, struct vnode *vp,
+ struct label *vplabel)
{
return (0);
}
static int
-stub_check_system_settime(struct ucred *cred)
+stub_check_system_auditon(struct ucred *cred, int cmd)
{
return (0);
}
static int
-stub_check_system_swapon(struct ucred *cred, struct vnode *vp,
- struct label *label)
+stub_check_system_reboot(struct ucred *cred, int how)
{
return (0);
@@ -1095,56 +1128,55 @@
static int
stub_check_system_swapoff(struct ucred *cred, struct vnode *vp,
- struct label *label)
+ struct label *vplabel)
{
return (0);
}
static int
-stub_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
- void *arg1, int arg2, struct sysctl_req *req)
+stub_check_system_swapon(struct ucred *cred, struct vnode *vp,
+ struct label *vplabel)
{
return (0);
}
static int
-stub_check_vnode_access(struct ucred *cred, struct vnode *vp,
- struct label *label, int acc_mode)
+stub_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
+ void *arg1, int arg2, struct sysctl_req *req)
{
return (0);
}
static int
-stub_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
- struct label *dlabel)
+stub_check_vnode_access(struct ucred *cred, struct vnode *vp,
+ struct label *vplabel, int acc_mode)
{
return (0);
}
static int
-stub_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
- struct label *dlabel)
+stub_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
+ struct label *dvplabel)
{
return (0);
}
static int
-stub_check_vnode_create(struct ucred *cred, struct vnode *dvp,
- struct label *dlabel, struct componentname *cnp, struct vattr *vap)
+stub_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
+ struct label *dvplabel)
{
return (0);
}
static int
-stub_check_vnode_delete(struct ucred *cred, struct vnode *dvp,
- struct label *dlabel, struct vnode *vp, struct label *label,
- struct componentname *cnp)
+stub_check_vnode_create(struct ucred *cred, struct vnode *dvp,
+ struct label *dvplabel, struct componentname *cnp, struct vattr *vap)
{
return (0);
@@ -1152,7 +1184,7 @@
static int
stub_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
- struct label *label, acl_type_t type)
+ struct label *vplabel, acl_type_t type)
{
return (0);
@@ -1160,7 +1192,7 @@
static int
stub_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
- struct label *label, int attrnamespace, const char *name)
+ struct label *vplabel, int attrnamespace, const char *name)
{
return (0);
@@ -1168,7 +1200,7 @@
static int
stub_check_vnode_exec(struct ucred *cred, struct vnode *vp,
- struct label *label, struct image_params *imgp,
+ struct label *vplabel, struct image_params *imgp,
struct label *execlabel)
{
@@ -1177,7 +1209,7 @@
static int
stub_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
- struct label *label, acl_type_t type)
+ struct label *vplabel, acl_type_t type)
{
return (0);
@@ -1185,7 +1217,8 @@
static int
stub_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
- struct label *label, int attrnamespace, const char *name, struct uio *uio)
+ struct label *vplabel, int attrnamespace, const char *name,
+ struct uio *uio)
{
return (0);
@@ -1193,7 +1226,7 @@
static int
stub_check_vnode_link(struct ucred *cred, struct vnode *dvp,
- struct label *dlabel, struct vnode *vp, struct label *label,
+ struct label *dvplabel, struct vnode *vp, struct label *vplabel,
struct componentname *cnp)
{
@@ -1202,7 +1235,7 @@
static int
stub_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
- struct label *label, int attrnamespace)
+ struct label *vplabel, int attrnamespace)
{
return (0);
@@ -1210,7 +1243,7 @@
static int
stub_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
- struct label *dlabel, struct componentname *cnp)
+ struct label *dvplabel, struct componentname *cnp)
{
return (0);
@@ -1218,7 +1251,22 @@
static int
stub_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
- struct label *label, int prot, int flags)
+ struct label *vplabel, int prot, int flags)
+{
+
+ return (0);
+}
+
+static void
+stub_check_vnode_mmap_downgrade(struct ucred *cred, struct vnode *vp,
+ struct label *vplabel, int *prot)
+{
+
+}
+
+static int
+stub_check_vnode_mprotect(struct ucred *cred, struct vnode *vp,
+ struct label *vplabel, int prot)
{
return (0);
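Review bot: `stub_check_vnode_mmap_downgrade` is the only new hook in this hunk that influences the outcome through an out-parameter rather than a return value, and its empty body leaves `*prot` exactly as the framework passed it; that is the right behaviour for a stub, but the void signature gives no hint that the hook is presumably meant to clear protection bits in `*prot` rather than return a verdict. A one-line comment in the body, `/* No-op: *prot is left as passed; a real policy would clear bits here. */`, would make the contract visible to the next person copying this file as a template. The closing brace of `stub_check_vnode_mprotect` lies outside the hunk.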
@@ -1226,7 +1274,7 @@
static int
stub_check_vnode_open(struct ucred *cred, struct vnode *vp,
- struct label *filelabel, int acc_mode)
+ struct label *vplabel, int acc_mode)
{
return (0);
@@ -1234,7 +1282,7 @@
static int
stub_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
- struct vnode *vp, struct label *label)
+ struct vnode *vp, struct label *vplabel)
{
return (0);
@@ -1242,7 +1290,7 @@
static int
stub_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
- struct vnode *vp, struct label *label)
+ struct vnode *vp, struct label *vplabel)
{
return (0);
@@ -1250,7 +1298,7 @@
static int
stub_check_vnode_readdir(struct ucred *cred, struct vnode *vp,
- struct label *dlabel)
+ struct label *dvplabel)
{
return (0);
@@ -1258,7 +1306,7 @@
static int
stub_check_vnode_readlink(struct ucred *cred, struct vnode *vp,
- struct label *vnodelabel)
+ struct label *vplabel)
{
return (0);
@@ -1266,7 +1314,7 @@
static int
stub_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
- struct label *vnodelabel, struct label *newlabel)
+ struct label *vplabel, struct label *newlabel)
{
return (0);
@@ -1274,7 +1322,7 @@
static int
stub_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
- struct label *dlabel, struct vnode *vp, struct label *label,
+ struct label *dvplabel, struct vnode *vp, struct label *vplabel,
struct componentname *cnp)
{
@@ -1283,8 +1331,8 @@
static int
stub_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
- struct label *dlabel, struct vnode *vp, struct label *label, int samedir,
- struct componentname *cnp)
+ struct label *dvplabel, struct vnode *vp, struct label *vplabel,
+ int samedir, struct componentname *cnp)
{
return (0);
@@ -1292,7 +1340,7 @@
static int
stub_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
- struct label *label)
+ struct label *vplabel)
{
return (0);
@@ -1300,7 +1348,7 @@
static int
stub_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
- struct label *label, acl_type_t type, struct acl *acl)
+ struct label *vplabel, acl_type_t type, struct acl *acl)
{
return (0);
@@ -1308,7 +1356,8 @@
static int
stub_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
- struct label *label, int attrnamespace, const char *name, struct uio *uio)
+ struct label *vplabel, int attrnamespace, const char *name,
+ struct uio *uio)
{
return (0);
@@ -1316,7 +1365,7 @@
static int
stub_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
- struct label *label, u_long flags)
+ struct label *vplabel, u_long flags)
{
return (0);
@@ -1324,7 +1373,7 @@
static int
stub_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
- struct label *label, mode_t mode)
+ struct label *vplabel, mode_t mode)
{
return (0);
@@ -1332,7 +1381,7 @@
static int
stub_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
- struct label *label, uid_t uid, gid_t gid)
+ struct label *vplabel, uid_t uid, gid_t gid)
{
return (0);
@@ -1340,7 +1389,7 @@
static int
stub_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
- struct label *label, struct timespec atime, struct timespec mtime)
+ struct label *vplabel, struct timespec atime, struct timespec mtime)
{
return (0);
@@ -1348,20 +1397,43 @@
static int
stub_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
- struct vnode *vp, struct label *label)
+ struct vnode *vp, struct label *vplabel)
+{
+
+ return (0);
+}
+
+static int
+stub_check_vnode_unlink(struct ucred *cred, struct vnode *dvp,
+ struct label *dvplabel, struct vnode *vp, struct label *vplabel,
+ struct componentname *cnp)
{
return (0);
}
static int
-stub_check_vnode_write(struct ucred *active_cred,
- struct ucred *file_cred, struct vnode *vp, struct label *label)
+stub_check_vnode_write(struct ucred *active_cred, struct ucred *file_cred,
+ struct vnode *vp, struct label *vplabel)
{
return (0);
}
+static int
+stub_priv_check(struct ucred *cred, int priv)
+{
+
+ return (0);
+}
+
+static int
+stub_priv_grant(struct ucred *cred, int priv)
+{
+
+ return (EPERM);
+}
+
static struct mac_policy_ops mac_stub_ops =
{
.mpo_destroy = stub_destroy,
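Review bot: `stub_priv_grant` returning `EPERM` is the one stub in this file whose return value is not 0, and nothing says why; a reader skimming a no-op policy could take it for a deliberate denial. If I read the framework contract correctly, `mpo_priv_grant` is an opt-in hook where 0 means the policy affirmatively grants the privilege and `EPERM` means it has no opinion, so `EPERM` is the fail-closed default and the 0 from `stub_priv_check` just above is the matching "no objection". A comment above the return, `/* EPERM: this policy grants no extra privilege; 0 would be an affirmative grant. */`, would pin that down. The `mac_stub_ops` initialiser that starts at the end of this hunk continues outside it.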
@@ -1369,7 +1441,7 @@
.mpo_syscall = stub_syscall,
.mpo_init_bpfdesc_label = stub_init_label,
.mpo_init_cred_label = stub_init_label,
- .mpo_init_devfsdirent_label = stub_init_label,
+ .mpo_init_devfs_label = stub_init_label,
.mpo_init_ifnet_label = stub_init_label,
.mpo_init_inpcb_label = stub_init_label_waitcheck,
.mpo_init_sysv_msgmsg_label = stub_init_label,
@@ -1379,7 +1451,6 @@
.mpo_init_ipq_label = stub_init_label_waitcheck,
.mpo_init_mbuf_label = stub_init_label_waitcheck,
.mpo_init_mount_label = stub_init_label,
- .mpo_init_mount_fs_label = stub_init_label,
.mpo_init_pipe_label = stub_init_label,
.mpo_init_posix_sem_label = stub_init_label,
.mpo_init_socket_label = stub_init_label_waitcheck,
@@ -1387,7 +1458,7 @@
.mpo_init_vnode_label = stub_init_label,
.mpo_destroy_bpfdesc_label = stub_destroy_label,
.mpo_destroy_cred_label = stub_destroy_label,
- .mpo_destroy_devfsdirent_label = stub_destroy_label,
+ .mpo_destroy_devfs_label = stub_destroy_label,
.mpo_destroy_ifnet_label = stub_destroy_label,
.mpo_destroy_inpcb_label = stub_destroy_label,
.mpo_destroy_sysv_msgmsg_label = stub_destroy_label,
@@ -1397,7 +1468,6 @@
.mpo_destroy_ipq_label = stub_destroy_label,
.mpo_destroy_mbuf_label = stub_destroy_label,
.mpo_destroy_mount_label = stub_destroy_label,
- .mpo_destroy_mount_fs_label = stub_destroy_label,
.mpo_destroy_pipe_label = stub_destroy_label,
.mpo_destroy_posix_sem_label = stub_destroy_label,
.mpo_destroy_socket_label = stub_destroy_label,
@@ -1422,6 +1492,7 @@
.mpo_internalize_vnode_label = stub_internalize_label,
.mpo_associate_vnode_devfs = stub_associate_vnode_devfs,
.mpo_associate_vnode_extattr = stub_associate_vnode_extattr,
+ .mpo_associate_nfsd_label = stub_associate_nfsd_label,
.mpo_associate_vnode_singlelabel = stub_associate_vnode_singlelabel,
.mpo_create_devfs_device = stub_create_devfs_device,
.mpo_create_devfs_directory = stub_create_devfs_directory,
@@ -1434,7 +1505,7 @@
.mpo_create_mount = stub_create_mount,
.mpo_relabel_vnode = stub_relabel_vnode,
.mpo_setlabel_vnode_extattr = stub_setlabel_vnode_extattr,
- .mpo_update_devfsdirent = stub_update_devfsdirent,
+ .mpo_update_devfs = stub_update_devfs,
.mpo_create_mbuf_from_socket = stub_create_mbuf_from_socket,
.mpo_create_pipe = stub_create_pipe,
.mpo_create_posix_sem = stub_create_posix_sem,
@@ -1456,6 +1527,7 @@
.mpo_create_mbuf_from_ifnet = stub_create_mbuf_from_ifnet,
.mpo_create_mbuf_multicast_encap = stub_create_mbuf_multicast_encap,
.mpo_create_mbuf_netlayer = stub_create_mbuf_netlayer,
+ .mpo_create_mbuf_from_firewall = stub_create_mbuf_from_firewall,
.mpo_fragment_match = stub_fragment_match,
.mpo_reflect_mbuf_icmp = stub_reflect_mbuf_icmp,
.mpo_reflect_mbuf_tcp = stub_reflect_mbuf_tcp,
@@ -1498,7 +1570,6 @@
.mpo_check_kenv_unset = stub_check_kenv_unset,
.mpo_check_kld_load = stub_check_kld_load,
.mpo_check_kld_stat = stub_check_kld_stat,
- .mpo_check_kld_unload = stub_check_kld_unload,
.mpo_check_mount_stat = stub_check_mount_stat,
.mpo_check_pipe_ioctl = stub_check_pipe_ioctl,
.mpo_check_pipe_poll = stub_check_pipe_poll,
@@ -1514,6 +1585,9 @@
.mpo_check_posix_sem_wait = stub_check_posix_sem_wait,
.mpo_check_proc_debug = stub_check_proc_debug,
.mpo_check_proc_sched = stub_check_proc_sched,
+ .mpo_check_proc_setaudit = stub_check_proc_setaudit,
+ .mpo_check_proc_setaudit_addr = stub_check_proc_setaudit_addr,
+ .mpo_check_proc_setauid = stub_check_proc_setauid,
.mpo_check_proc_setuid = stub_check_proc_setuid,
.mpo_check_proc_seteuid = stub_check_proc_seteuid,
.mpo_check_proc_setgid = stub_check_proc_setgid,
@@ -1537,18 +1611,18 @@
.mpo_check_socket_send = stub_check_socket_send,
.mpo_check_socket_stat = stub_check_socket_stat,
.mpo_check_socket_visible = stub_check_socket_visible,
- .mpo_check_sysarch_ioperm = stub_check_sysarch_ioperm,
.mpo_check_system_acct = stub_check_system_acct,
+ .mpo_check_system_audit = stub_check_system_audit,
+ .mpo_check_system_auditctl = stub_check_system_auditctl,
+ .mpo_check_system_auditon = stub_check_system_auditon,
.mpo_check_system_reboot = stub_check_system_reboot,
- .mpo_check_system_settime = stub_check_system_settime,
- .mpo_check_system_swapon = stub_check_system_swapon,
.mpo_check_system_swapoff = stub_check_system_swapoff,
+ .mpo_check_system_swapon = stub_check_system_swapon,
.mpo_check_system_sysctl = stub_check_system_sysctl,
.mpo_check_vnode_access = stub_check_vnode_access,
.mpo_check_vnode_chdir = stub_check_vnode_chdir,
.mpo_check_vnode_chroot = stub_check_vnode_chroot,
.mpo_check_vnode_create = stub_check_vnode_create,
- .mpo_check_vnode_delete = stub_check_vnode_delete,
.mpo_check_vnode_deleteacl = stub_check_vnode_deleteacl,
.mpo_check_vnode_deleteextattr = stub_check_vnode_deleteextattr,
.mpo_check_vnode_exec = stub_check_vnode_exec,
@@ -1558,6 +1632,8 @@
.mpo_check_vnode_listextattr = stub_check_vnode_listextattr,
.mpo_check_vnode_lookup = stub_check_vnode_lookup,
.mpo_check_vnode_mmap = stub_check_vnode_mmap,
+ .mpo_check_vnode_mmap_downgrade = stub_check_vnode_mmap_downgrade,
+ .mpo_check_vnode_mprotect = stub_check_vnode_mprotect,
.mpo_check_vnode_open = stub_check_vnode_open,
.mpo_check_vnode_poll = stub_check_vnode_poll,
.mpo_check_vnode_read = stub_check_vnode_read,
@@ -1574,7 +1650,14 @@
.mpo_check_vnode_setowner = stub_check_vnode_setowner,
.mpo_check_vnode_setutimes = stub_check_vnode_setutimes,
.mpo_check_vnode_stat = stub_check_vnode_stat,
+ .mpo_check_vnode_unlink = stub_check_vnode_unlink,
.mpo_check_vnode_write = stub_check_vnode_write,
+ .mpo_priv_check = stub_priv_check,
+ .mpo_priv_grant = stub_priv_grant,
+ .mpo_init_syncache_label = stub_init_label_waitcheck,
+ .mpo_destroy_syncache_label = stub_destroy_label,
+ .mpo_init_syncache_from_inpcb = stub_init_syncache_from_inpcb,
+ .mpo_create_mbuf_from_syncache = stub_create_mbuf_from_syncache,
};
MAC_POLICY_SET(&mac_stub_ops, mac_stub, "TrustedBSD MAC/Stub",
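Review bot: The six entries appended after `.mpo_check_vnode_write` put `.mpo_init_syncache_label` and `.mpo_destroy_syncache_label` at the tail of the table, away from the `.mpo_init_*_label` and `.mpo_destroy_*_label` groups the table otherwise keeps together (compare the `mpo_init_inpcb_label` and `mpo_destroy_inpcb_label` entries earlier in this file section), and the `mpo_init_syncache_from_inpcb`/`mpo_create_mbuf_from_syncache` labeling hooks end up after the access-control checks. Designated initialisers make order irrelevant to the compiler, so this is a readability point only: moving each entry next to its group keeps the table greppable by hook family. The `mac_stub_ops` initialiser begins outside this hunk.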
Index: mac_test.c
===================================================================
RCS file: /home/cvs/src/sys/security/mac_test/mac_test.c,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -L sys/security/mac_test/mac_test.c -L sys/security/mac_test/mac_test.c -u -r1.1.1.1 -r1.2
--- sys/security/mac_test/mac_test.c
+++ sys/security/mac_test/mac_test.c
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 1999-2002 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2007 Robert N. M. Watson
* Copyright (c) 2001-2005 McAfee, Inc.
* All rights reserved.
*
@@ -31,39 +31,35 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $FreeBSD: src/sys/security/mac_test/mac_test.c,v 1.60.2.3 2005/10/05 10:31:05 rwatson Exp $
+ * $FreeBSD: src/sys/security/mac_test/mac_test.c,v 1.78.2.1 2007/11/06 14:46:59 rwatson Exp $
*/
/*
* Developed by the TrustedBSD Project.
- * Generic mandatory access module that does nothing.
+ *
+ * MAC Test policy - tests MAC Framework labeling by assigning object class
+ * magic numbers to each label and validates that each time an object label
+ * is passed into the policy, it has a consistent object type, catching
+ * incorrectly passed labels, labels passed after free, etc.
*/
-#include <sys/types.h>
#include <sys/param.h>
#include <sys/acl.h>
-#include <sys/conf.h>
#include <sys/kdb.h>
-#include <sys/extattr.h>
#include <sys/kernel.h>
-#include <sys/mac.h>
+#include <sys/ksem.h>
#include <sys/malloc.h>
+#include <sys/module.h>
#include <sys/mount.h>
+#include <sys/msg.h>
#include <sys/proc.h>
-#include <sys/systm.h>
-#include <sys/sysproto.h>
-#include <sys/sysent.h>
#include <sys/vnode.h>
-#include <sys/file.h>
+#include <sys/sem.h>
+#include <sys/shm.h>
#include <sys/socket.h>
#include <sys/socketvar.h>
#include <sys/sx.h>
#include <sys/sysctl.h>
-#include <sys/msg.h>
-#include <sys/sem.h>
-#include <sys/shm.h>
-
-#include <posix4/ksem.h>
#include <fs/devfs/devfs.h>
@@ -72,269 +68,121 @@
#include <net/if_types.h>
#include <net/if_var.h>
-#include <vm/vm.h>
-
-#include <sys/mac_policy.h>
+#include <security/mac/mac_policy.h>
SYSCTL_DECL(_security_mac);
SYSCTL_NODE(_security_mac, OID_AUTO, test, CTLFLAG_RW, 0,
"TrustedBSD mac_test policy controls");
-static int mac_test_enabled = 1;
-SYSCTL_INT(_security_mac_test, OID_AUTO, enabled, CTLFLAG_RW,
- &mac_test_enabled, 0, "Enforce test policy");
-
-#define BPFMAGIC 0xfe1ad1b6
-#define DEVFSMAGIC 0x9ee79c32
-#define IFNETMAGIC 0xc218b120
-#define INPCBMAGIC 0x4440f7bb
-#define IPQMAGIC 0x206188ef
-#define MBUFMAGIC 0xbbefa5bb
-#define MOUNTMAGIC 0xc7c46e47
-#define SOCKETMAGIC 0x9199c6cd
-#define SYSVIPCMSQMAGIC 0xea672391
-#define SYSVIPCMSGMAGIC 0x8bbba61e
-#define SYSVIPCSEMMAGIC 0x896e8a0b
-#define SYSVIPCSHMMAGIC 0x76119ab0
-#define PIPEMAGIC 0xdc6c9919
-#define POSIXSEMMAGIC 0x78ae980c
-#define PROCMAGIC 0x3b4be98f
-#define CREDMAGIC 0x9a5a4987
-#define VNODEMAGIC 0x1a67a45c
-#define EXMAGIC 0x849ba1fd
-
-#define SLOT(x) LABEL_TO_SLOT((x), test_slot).l_long
-
-#define ASSERT_BPF_LABEL(x) KASSERT(SLOT(x) == BPFMAGIC || \
- SLOT(x) == 0, ("%s: Bad BPF label", __func__ ))
-#define ASSERT_DEVFS_LABEL(x) KASSERT(SLOT(x) == DEVFSMAGIC || \
- SLOT(x) == 0, ("%s: Bad DEVFS label", __func__ ))
-#define ASSERT_IFNET_LABEL(x) KASSERT(SLOT(x) == IFNETMAGIC || \
- SLOT(x) == 0, ("%s: Bad IFNET label", __func__ ))
-#define ASSERT_INPCB_LABEL(x) KASSERT(SLOT(x) == INPCBMAGIC || \
- SLOT(x) == 0, ("%s: Bad INPCB label", __func__ ))
-#define ASSERT_IPQ_LABEL(x) KASSERT(SLOT(x) == IPQMAGIC || \
- SLOT(x) == 0, ("%s: Bad IPQ label", __func__ ))
-#define ASSERT_MBUF_LABEL(x) KASSERT(x == NULL || \
- SLOT(x) == MBUFMAGIC || SLOT(x) == 0, \
- ("%s: Bad MBUF label", __func__ ))
-#define ASSERT_MOUNT_LABEL(x) KASSERT(SLOT(x) == MOUNTMAGIC || \
- SLOT(x) == 0, ("%s: Bad MOUNT label", __func__ ))
-#define ASSERT_SOCKET_LABEL(x) KASSERT(SLOT(x) == SOCKETMAGIC || \
- SLOT(x) == 0, ("%s: Bad SOCKET label", __func__ ))
-#define ASSERT_SYSVIPCMSQ_LABEL(x) KASSERT(SLOT(x) == SYSVIPCMSQMAGIC || \
- SLOT(x) == 0, ("%s: Bad SYSVIPCMSQ label", __func__ ))
-#define ASSERT_SYSVIPCMSG_LABEL(x) KASSERT(SLOT(x) == SYSVIPCMSGMAGIC || \
- SLOT(x) == 0, ("%s: Bad SYSVIPCMSG label", __func__ ))
-#define ASSERT_SYSVIPCSEM_LABEL(x) KASSERT(SLOT(x) == SYSVIPCSEMMAGIC || \
- SLOT(x) == 0, ("%s: Bad SYSVIPCSEM label", __func__ ))
-#define ASSERT_SYSVIPCSHM_LABEL(x) KASSERT(SLOT(x) == SYSVIPCSHMMAGIC || \
- SLOT(x) == 0, ("%s: Bad SYSVIPCSHM label", __func__ ))
-#define ASSERT_PIPE_LABEL(x) KASSERT(SLOT(x) == PIPEMAGIC || \
- SLOT(x) == 0, ("%s: Bad PIPE label", __func__ ))
-#define ASSERT_POSIX_LABEL(x) KASSERT(SLOT(x) == POSIXSEMMAGIC || \
- SLOT(x) == 0, ("%s: Bad POSIX ksem label", __func__ ))
-#define ASSERT_PROC_LABEL(x) KASSERT(SLOT(x) == PROCMAGIC || \
- SLOT(x) == 0, ("%s: Bad PROC label", __func__ ))
-#define ASSERT_CRED_LABEL(x) KASSERT(SLOT(x) == CREDMAGIC || \
- SLOT(x) == 0, ("%s: Bad CRED label", __func__ ))
-#define ASSERT_VNODE_LABEL(x) KASSERT(SLOT(x) == VNODEMAGIC || \
- SLOT(x) == 0, ("%s: Bad VNODE label", __func__ ))
+#define MAGIC_BPF 0xfe1ad1b6
+#define MAGIC_DEVFS 0x9ee79c32
+#define MAGIC_IFNET 0xc218b120
+#define MAGIC_INPCB 0x4440f7bb
+#define MAGIC_IPQ 0x206188ef
+#define MAGIC_MBUF 0xbbefa5bb
+#define MAGIC_MOUNT 0xc7c46e47
+#define MAGIC_SOCKET 0x9199c6cd
+#define MAGIC_SYSV_MSG 0x8bbba61e
+#define MAGIC_SYSV_MSQ 0xea672391
+#define MAGIC_SYSV_SEM 0x896e8a0b
+#define MAGIC_SYSV_SHM 0x76119ab0
+#define MAGIC_PIPE 0xdc6c9919
+#define MAGIC_POSIX_SEM 0x78ae980c
+#define MAGIC_PROC 0x3b4be98f
+#define MAGIC_CRED 0x9a5a4987
+#define MAGIC_VNODE 0x1a67a45c
+#define MAGIC_FREE 0x849ba1fd
+
+#define SLOT(x) mac_label_get((x), test_slot)
+#define SLOT_SET(x, v) mac_label_set((x), test_slot, (v))
static int test_slot;
SYSCTL_INT(_security_mac_test, OID_AUTO, slot, CTLFLAG_RD,
&test_slot, 0, "Slot allocated by framework");
-static int init_count_bpfdesc;
-SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_bpfdesc, CTLFLAG_RD,
- &init_count_bpfdesc, 0, "bpfdesc init calls");
-static int init_count_cred;
-SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_cred, CTLFLAG_RD,
- &init_count_cred, 0, "cred init calls");
-static int init_count_devfsdirent;
-SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_devfsdirent, CTLFLAG_RD,
- &init_count_devfsdirent, 0, "devfsdirent init calls");
-static int init_count_ifnet;
-SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_ifnet, CTLFLAG_RD,
- &init_count_ifnet, 0, "ifnet init calls");
-static int init_count_inpcb;
-SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_inpcb, CTLFLAG_RD,
- &init_count_inpcb, 0, "inpcb init calls");
-static int init_count_sysv_msg;
-SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_sysv_msg, CTLFLAG_RD,
- &init_count_sysv_msg, 0, "ipc_msg init calls");
-static int init_count_sysv_msq;
-SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_sysv_msq, CTLFLAG_RD,
- &init_count_sysv_msq, 0, "ipc_msq init calls");
-static int init_count_sysv_sem;
-SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_sysv_sem, CTLFLAG_RD,
- &init_count_sysv_sem, 0, "ipc_sema init calls");
-static int init_count_sysv_shm;
-SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_sysv_shm, CTLFLAG_RD,
- &init_count_sysv_shm, 0, "ipc_shm init calls");
-static int init_count_ipq;
-SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_ipq, CTLFLAG_RD,
- &init_count_ipq, 0, "ipq init calls");
-static int init_count_mbuf;
-SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mbuf, CTLFLAG_RD,
- &init_count_mbuf, 0, "mbuf init calls");
-static int init_count_mount;
-SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mount, CTLFLAG_RD,
- &init_count_mount, 0, "mount init calls");
-static int init_count_mount_fslabel;
-SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mount_fslabel, CTLFLAG_RD,
- &init_count_mount_fslabel, 0, "mount_fslabel init calls");
-static int init_count_socket;
-SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_socket, CTLFLAG_RD,
- &init_count_socket, 0, "socket init calls");
-static int init_count_socket_peerlabel;
-SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_socket_peerlabel,
- CTLFLAG_RD, &init_count_socket_peerlabel, 0,
- "socket_peerlabel init calls");
-static int init_count_pipe;
-SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_pipe, CTLFLAG_RD,
- &init_count_pipe, 0, "pipe init calls");
-static int init_count_posixsems;
-SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_posixsems, CTLFLAG_RD,
- &init_count_posixsems, 0, "posix sems init calls");
-static int init_count_proc;
-SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_proc, CTLFLAG_RD,
- &init_count_proc, 0, "proc init calls");
-static int init_count_vnode;
-SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_vnode, CTLFLAG_RD,
- &init_count_vnode, 0, "vnode init calls");
-
-static int destroy_count_bpfdesc;
-SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_bpfdesc, CTLFLAG_RD,
- &destroy_count_bpfdesc, 0, "bpfdesc destroy calls");
-static int destroy_count_cred;
-SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_cred, CTLFLAG_RD,
- &destroy_count_cred, 0, "cred destroy calls");
-static int destroy_count_devfsdirent;
-SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_devfsdirent, CTLFLAG_RD,
- &destroy_count_devfsdirent, 0, "devfsdirent destroy calls");
-static int destroy_count_ifnet;
-SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_ifnet, CTLFLAG_RD,
- &destroy_count_ifnet, 0, "ifnet destroy calls");
-static int destroy_count_inpcb;
-SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_inpcb, CTLFLAG_RD,
- &destroy_count_inpcb, 0, "inpcb destroy calls");
-static int destroy_count_sysv_msg;
-SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_sysv_msg, CTLFLAG_RD,
- &destroy_count_sysv_msg, 0, "ipc_msg destroy calls");
-static int destroy_count_sysv_msq;
-SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_sysv_msq, CTLFLAG_RD,
- &destroy_count_sysv_msq, 0, "ipc_msq destroy calls");
-static int destroy_count_sysv_sem;
-SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_sysv_sem, CTLFLAG_RD,
- &destroy_count_sysv_sem, 0, "ipc_sema destroy calls");
-static int destroy_count_sysv_shm;
-SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_sysv_shm, CTLFLAG_RD,
- &destroy_count_sysv_shm, 0, "ipc_shm destroy calls");
-static int destroy_count_ipq;
-SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_ipq, CTLFLAG_RD,
- &destroy_count_ipq, 0, "ipq destroy calls");
-static int destroy_count_mbuf;
-SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mbuf, CTLFLAG_RD,
- &destroy_count_mbuf, 0, "mbuf destroy calls");
-static int destroy_count_mount;
-SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mount, CTLFLAG_RD,
- &destroy_count_mount, 0, "mount destroy calls");
-static int destroy_count_mount_fslabel;
-SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mount_fslabel,
- CTLFLAG_RD, &destroy_count_mount_fslabel, 0,
- "mount_fslabel destroy calls");
-static int destroy_count_socket;
-SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_socket, CTLFLAG_RD,
- &destroy_count_socket, 0, "socket destroy calls");
-static int destroy_count_socket_peerlabel;
-SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_socket_peerlabel,
- CTLFLAG_RD, &destroy_count_socket_peerlabel, 0,
- "socket_peerlabel destroy calls");
-static int destroy_count_pipe;
-SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_pipe, CTLFLAG_RD,
- &destroy_count_pipe, 0, "pipe destroy calls");
-static int destroy_count_posixsems;
-SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_posixsems, CTLFLAG_RD,
- &destroy_count_posixsems, 0, "posix sems destroy calls");
-static int destroy_count_proc;
-SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_proc, CTLFLAG_RD,
- &destroy_count_proc, 0, "proc destroy calls");
-static int destroy_count_vnode;
-SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_vnode, CTLFLAG_RD,
- &destroy_count_vnode, 0, "vnode destroy calls");
-
-static int externalize_count;
-SYSCTL_INT(_security_mac_test, OID_AUTO, externalize_count, CTLFLAG_RD,
- &externalize_count, 0, "Subject/object externalize calls");
-static int internalize_count;
-SYSCTL_INT(_security_mac_test, OID_AUTO, internalize_count, CTLFLAG_RD,
- &internalize_count, 0, "Subject/object internalize calls");
+SYSCTL_NODE(_security_mac_test, OID_AUTO, counter, CTLFLAG_RW, 0,
+ "TrustedBSD mac_test counters controls");
+
+#define COUNTER_DECL(variable) \
+ static int counter_##variable; \
+ SYSCTL_INT(_security_mac_test_counter, OID_AUTO, variable, \
+ CTLFLAG_RD, &counter_##variable, 0, #variable)
+
+#define COUNTER_INC(variable) atomic_add_int(&counter_##variable, 1)
#ifdef KDB
-#define DEBUGGER(x) kdb_enter(x)
+#define DEBUGGER(func, string) kdb_enter((string))
#else
-#define DEBUGGER(x) printf("mac_test: %s\n", (x))
+#define DEBUGGER(func, string) printf("mac_test: %s: %s\n", (func), (string))
#endif
-/*
- * Policy module operations.
- */
-static void
-mac_test_destroy(struct mac_policy_conf *conf)
-{
-
-}
-
-static void
-mac_test_init(struct mac_policy_conf *conf)
-{
-
-}
-
-static int
-mac_test_syscall(struct thread *td, int call, void *arg)
-{
-
- return (0);
-}
+#define LABEL_CHECK(label, magic) do { \
+ if (label != NULL) { \
+ KASSERT(SLOT(label) == magic || SLOT(label) == 0, \
+ ("%s: bad %s label", __func__, #magic)); \
+ } \
+} while (0)
+
+#define LABEL_DESTROY(label, magic) do { \
+ if (SLOT(label) == magic || SLOT(label) == 0) { \
+ SLOT_SET(label, MAGIC_FREE); \
+ } else if (SLOT(label) == MAGIC_FREE) { \
+ DEBUGGER("%s: dup destroy", __func__); \
+ } else { \
+ DEBUGGER("%s: corrupted label", __func__); \
+ } \
+} while (0)
+
+#define LABEL_INIT(label, magic) do { \
+ SLOT_SET(label, magic); \
+} while (0)
+
+#define LABEL_NOTFREE(label) do { \
+ KASSERT(SLOT(label) != MAGIC_FREE, \
+ ("%s: destroyed label", __func__)); \
+} while (0)
/*
* Label operations.
*/
+COUNTER_DECL(init_bpfdesc_label);
static void
mac_test_init_bpfdesc_label(struct label *label)
{
- SLOT(label) = BPFMAGIC;
- atomic_add_int(&init_count_bpfdesc, 1);
+ LABEL_INIT(label, MAGIC_BPF);
+ COUNTER_INC(init_bpfdesc_label);
}
+COUNTER_DECL(init_cred_label);
static void
mac_test_init_cred_label(struct label *label)
{
- SLOT(label) = CREDMAGIC;
- atomic_add_int(&init_count_cred, 1);
+ LABEL_INIT(label, MAGIC_CRED);
+ COUNTER_INC(init_cred_label);
}
+COUNTER_DECL(init_devfs_label);
static void
-mac_test_init_devfsdirent_label(struct label *label)
+mac_test_init_devfs_label(struct label *label)
{
- SLOT(label) = DEVFSMAGIC;
- atomic_add_int(&init_count_devfsdirent, 1);
+ LABEL_INIT(label, MAGIC_DEVFS);
+ COUNTER_INC(init_devfs_label);
}
+COUNTER_DECL(init_ifnet_label);
static void
mac_test_init_ifnet_label(struct label *label)
{
- SLOT(label) = IFNETMAGIC;
- atomic_add_int(&init_count_ifnet, 1);
+ LABEL_INIT(label, MAGIC_IFNET);
+ COUNTER_INC(init_ifnet_label);
}
+COUNTER_DECL(init_inpcb_label);
static int
mac_test_init_inpcb_label(struct label *label, int flag)
{
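Review bot: `LABEL_DESTROY` passes its arguments to `DEBUGGER` in the wrong order: the macro is now `DEBUGGER(func, string)` (L7651, L7654), but L7688 and L7690 call `DEBUGGER("%s: dup destroy", __func__)`, so with KDB the debugger prompt shows only the function name and without KDB the line prints as `mac_test: %s: dup destroy: <func>` with a literal `%s`. The fix is `DEBUGGER(__func__, "dup destroy");` and `DEBUGGER(__func__, "corrupted label");`. These two paths are the only evidence the test policy gives of a double destroy or a clobbered label, so the text should come out right. Separately, `LABEL_CHECK` tolerates a NULL label while `LABEL_DESTROY` dereferences unconditionally; a one-line comment on `LABEL_DESTROY` saying callers must NULL-check first (as `mac_test_destroy_mbuf_label` does) would make that asymmetry deliberate rather than accidental. `mac_test_init_inpcb_label` at the end of the hunk continues past it.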
@@ -344,39 +192,44 @@
"mac_test_init_inpcb_label() at %s:%d", __FILE__,
__LINE__);
- SLOT(label) = INPCBMAGIC;
- atomic_add_int(&init_count_inpcb, 1);
+ LABEL_INIT(label, MAGIC_INPCB);
+ COUNTER_INC(init_inpcb_label);
return (0);
}
+COUNTER_DECL(init_sysv_msg_label);
static void
mac_test_init_sysv_msgmsg_label(struct label *label)
{
- SLOT(label) = SYSVIPCMSGMAGIC;
- atomic_add_int(&init_count_sysv_msg, 1);
+ LABEL_INIT(label, MAGIC_SYSV_MSG);
+ COUNTER_INC(init_sysv_msg_label);
}
+COUNTER_DECL(init_sysv_msq_label);
static void
mac_test_init_sysv_msgqueue_label(struct label *label)
{
- SLOT(label) = SYSVIPCMSQMAGIC;
- atomic_add_int(&init_count_sysv_msq, 1);
+ LABEL_INIT(label, MAGIC_SYSV_MSQ);
+ COUNTER_INC(init_sysv_msq_label);
}
+COUNTER_DECL(init_sysv_sem_label);
static void
mac_test_init_sysv_sem_label(struct label *label)
{
- SLOT(label) = SYSVIPCSEMMAGIC;
- atomic_add_int(&init_count_sysv_sem, 1);
+ LABEL_INIT(label, MAGIC_SYSV_SEM);
+ COUNTER_INC(init_sysv_sem_label);
}
+COUNTER_DECL(init_sysv_shm_label);
static void
mac_test_init_sysv_shm_label(struct label *label)
{
- SLOT(label) = SYSVIPCSHMMAGIC;
- atomic_add_int(&init_count_sysv_shm, 1);
+ LABEL_INIT(label, MAGIC_SYSV_SHM);
+ COUNTER_INC(init_sysv_shm_label);
}
+COUNTER_DECL(init_ipq_label);
static int
mac_test_init_ipq_label(struct label *label, int flag)
{
@@ -386,11 +239,12 @@
"mac_test_init_ipq_label() at %s:%d", __FILE__,
__LINE__);
- SLOT(label) = IPQMAGIC;
- atomic_add_int(&init_count_ipq, 1);
+ LABEL_INIT(label, MAGIC_IPQ);
+ COUNTER_INC(init_ipq_label);
return (0);
}
+COUNTER_DECL(init_mbuf_label);
static int
mac_test_init_mbuf_label(struct label *label, int flag)
{
@@ -400,27 +254,21 @@
"mac_test_init_mbuf_label() at %s:%d", __FILE__,
__LINE__);
- SLOT(label) = MBUFMAGIC;
- atomic_add_int(&init_count_mbuf, 1);
+ LABEL_INIT(label, MAGIC_MBUF);
+ COUNTER_INC(init_mbuf_label);
return (0);
}
+COUNTER_DECL(init_mount_label);
static void
mac_test_init_mount_label(struct label *label)
{
- SLOT(label) = MOUNTMAGIC;
- atomic_add_int(&init_count_mount, 1);
-}
-
-static void
-mac_test_init_mount_fs_label(struct label *label)
-{
-
- SLOT(label) = MOUNTMAGIC;
- atomic_add_int(&init_count_mount_fslabel, 1);
+ LABEL_INIT(label, MAGIC_MOUNT);
+ COUNTER_INC(init_mount_label);
}
+COUNTER_DECL(init_socket_label);
static int
mac_test_init_socket_label(struct label *label, int flag)
{
@@ -430,11 +278,12 @@
"mac_test_init_socket_label() at %s:%d", __FILE__,
__LINE__);
- SLOT(label) = SOCKETMAGIC;
- atomic_add_int(&init_count_socket, 1);
+ LABEL_INIT(label, MAGIC_SOCKET);
+ COUNTER_INC(init_socket_label);
return (0);
}
+COUNTER_DECL(init_socket_peer_label);
static int
mac_test_init_socket_peer_label(struct label *label, int flag)
{
@@ -444,185 +293,138 @@
"mac_test_init_socket_peer_label() at %s:%d", __FILE__,
__LINE__);
- SLOT(label) = SOCKETMAGIC;
- atomic_add_int(&init_count_socket_peerlabel, 1);
+ LABEL_INIT(label, MAGIC_SOCKET);
+ COUNTER_INC(init_socket_peer_label);
return (0);
}
+COUNTER_DECL(init_pipe_label);
static void
mac_test_init_pipe_label(struct label *label)
{
- SLOT(label) = PIPEMAGIC;
- atomic_add_int(&init_count_pipe, 1);
+ LABEL_INIT(label, MAGIC_PIPE);
+ COUNTER_INC(init_pipe_label);
}
+COUNTER_DECL(init_posix_sem_label);
static void
mac_test_init_posix_sem_label(struct label *label)
{
- SLOT(label) = POSIXSEMMAGIC;
- atomic_add_int(&init_count_posixsems, 1);
+ LABEL_INIT(label, MAGIC_POSIX_SEM);
+ COUNTER_INC(init_posix_sem_label);
}
+COUNTER_DECL(init_proc_label);
static void
mac_test_init_proc_label(struct label *label)
{
- SLOT(label) = PROCMAGIC;
- atomic_add_int(&init_count_proc, 1);
+ LABEL_INIT(label, MAGIC_PROC);
+ COUNTER_INC(init_proc_label);
}
+COUNTER_DECL(init_vnode_label);
static void
mac_test_init_vnode_label(struct label *label)
{
- SLOT(label) = VNODEMAGIC;
- atomic_add_int(&init_count_vnode, 1);
+ LABEL_INIT(label, MAGIC_VNODE);
+ COUNTER_INC(init_vnode_label);
}
+COUNTER_DECL(destroy_bpfdesc_label);
static void
mac_test_destroy_bpfdesc_label(struct label *label)
{
- if (SLOT(label) == BPFMAGIC || SLOT(label) == 0) {
- atomic_add_int(&destroy_count_bpfdesc, 1);
- SLOT(label) = EXMAGIC;
- } else if (SLOT(label) == EXMAGIC) {
- DEBUGGER("mac_test_destroy_bpfdesc: dup destroy");
- } else {
- DEBUGGER("mac_test_destroy_bpfdesc: corrupted label");
- }
+ LABEL_DESTROY(label, MAGIC_BPF);
+ COUNTER_INC(destroy_bpfdesc_label);
}
+COUNTER_DECL(destroy_cred_label);
static void
mac_test_destroy_cred_label(struct label *label)
{
- if (SLOT(label) == CREDMAGIC || SLOT(label) == 0) {
- atomic_add_int(&destroy_count_cred, 1);
- SLOT(label) = EXMAGIC;
- } else if (SLOT(label) == EXMAGIC) {
- DEBUGGER("mac_test_destroy_cred: dup destroy");
- } else {
- DEBUGGER("mac_test_destroy_cred: corrupted label");
- }
+ LABEL_DESTROY(label, MAGIC_CRED);
+ COUNTER_INC(destroy_cred_label);
}
+COUNTER_DECL(destroy_devfs_label);
static void
-mac_test_destroy_devfsdirent_label(struct label *label)
-{
-
- if (SLOT(label) == DEVFSMAGIC || SLOT(label) == 0) {
- atomic_add_int(&destroy_count_devfsdirent, 1);
- SLOT(label) = EXMAGIC;
- } else if (SLOT(label) == EXMAGIC) {
- DEBUGGER("mac_test_destroy_devfsdirent: dup destroy");
- } else {
- DEBUGGER("mac_test_destroy_devfsdirent: corrupted label");
- }
+mac_test_destroy_devfs_label(struct label *label)
+{
+
+ LABEL_DESTROY(label, MAGIC_DEVFS);
+ COUNTER_INC(destroy_devfs_label);
}
+COUNTER_DECL(destroy_ifnet_label);
static void
mac_test_destroy_ifnet_label(struct label *label)
{
- if (SLOT(label) == IFNETMAGIC || SLOT(label) == 0) {
- atomic_add_int(&destroy_count_ifnet, 1);
- SLOT(label) = EXMAGIC;
- } else if (SLOT(label) == EXMAGIC) {
- DEBUGGER("mac_test_destroy_ifnet: dup destroy");
- } else {
- DEBUGGER("mac_test_destroy_ifnet: corrupted label");
- }
+ LABEL_DESTROY(label, MAGIC_IFNET);
+ COUNTER_INC(destroy_ifnet_label);
}
+COUNTER_DECL(destroy_inpcb_label);
static void
mac_test_destroy_inpcb_label(struct label *label)
{
- if (SLOT(label) == INPCBMAGIC || SLOT(label) == 0) {
- atomic_add_int(&destroy_count_inpcb, 1);
- SLOT(label) = EXMAGIC;
- } else if (SLOT(label) == EXMAGIC) {
- DEBUGGER("mac_test_destroy_inpcb: dup destroy");
- } else {
- DEBUGGER("mac_test_destroy_inpcb: corrupted label");
- }
+ LABEL_DESTROY(label, MAGIC_INPCB);
+ COUNTER_INC(destroy_inpcb_label);
}
+COUNTER_DECL(destroy_sysv_msg_label);
static void
mac_test_destroy_sysv_msgmsg_label(struct label *label)
{
- if (SLOT(label) == SYSVIPCMSGMAGIC || SLOT(label) == 0) {
- atomic_add_int(&destroy_count_sysv_msg, 1);
- SLOT(label) = EXMAGIC;
- } else if (SLOT(label) == EXMAGIC) {
- DEBUGGER("mac_test_destroy_sysv_msgmsg_label: dup destroy");
- } else {
- DEBUGGER(
- "mac_test_destroy_sysv_msgmsg_label: corrupted label");
- }
+ LABEL_DESTROY(label, MAGIC_SYSV_MSG);
+ COUNTER_INC(destroy_sysv_msg_label);
}
+COUNTER_DECL(destroy_sysv_msq_label);
static void
mac_test_destroy_sysv_msgqueue_label(struct label *label)
{
- if (SLOT(label) == SYSVIPCMSQMAGIC || SLOT(label) == 0) {
- atomic_add_int(&destroy_count_sysv_msq, 1);
- SLOT(label) = EXMAGIC;
- } else if (SLOT(label) == EXMAGIC) {
- DEBUGGER("mac_test_destroy_sysv_msgqueue_label: dup destroy");
- } else {
- DEBUGGER(
- "mac_test_destroy_sysv_msgqueue_label: corrupted label");
- }
+ LABEL_DESTROY(label, MAGIC_SYSV_MSQ);
+ COUNTER_INC(destroy_sysv_msq_label);
}
+COUNTER_DECL(destroy_sysv_sem_label);
static void
mac_test_destroy_sysv_sem_label(struct label *label)
{
- if (SLOT(label) == SYSVIPCSEMMAGIC || SLOT(label) == 0) {
- atomic_add_int(&destroy_count_sysv_sem, 1);
- SLOT(label) = EXMAGIC;
- } else if (SLOT(label) == EXMAGIC) {
- DEBUGGER("mac_test_destroy_sysv_sem_label: dup destroy");
- } else {
- DEBUGGER("mac_test_destroy_sysv_sem_label: corrupted label");
- }
+ LABEL_DESTROY(label, MAGIC_SYSV_SEM);
+ COUNTER_INC(destroy_sysv_sem_label);
}
+COUNTER_DECL(destroy_sysv_shm_label);
static void
mac_test_destroy_sysv_shm_label(struct label *label)
{
- if (SLOT(label) == SYSVIPCSHMMAGIC || SLOT(label) == 0) {
- atomic_add_int(&destroy_count_sysv_shm, 1);
- SLOT(label) = EXMAGIC;
- } else if (SLOT(label) == EXMAGIC) {
- DEBUGGER("mac_test_destroy_sysv_shm_label: dup destroy");
- } else {
- DEBUGGER("mac_test_destroy_sysv_shm_label: corrupted label");
- }
+ LABEL_DESTROY(label, MAGIC_SYSV_SHM);
+ COUNTER_INC(destroy_sysv_shm_label);
}
+COUNTER_DECL(destroy_ipq_label);
static void
mac_test_destroy_ipq_label(struct label *label)
{
- if (SLOT(label) == IPQMAGIC || SLOT(label) == 0) {
- atomic_add_int(&destroy_count_ipq, 1);
- SLOT(label) = EXMAGIC;
- } else if (SLOT(label) == EXMAGIC) {
- DEBUGGER("mac_test_destroy_ipq: dup destroy");
- } else {
- DEBUGGER("mac_test_destroy_ipq: corrupted label");
- }
+ LABEL_DESTROY(label, MAGIC_IPQ);
+ COUNTER_INC(destroy_ipq_label);
}
+COUNTER_DECL(destroy_mbuf_label);
static void
mac_test_destroy_mbuf_label(struct label *label)
{
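Review bot: The destroy hooks in this hunk now bump their counter unconditionally, e.g. `LABEL_DESTROY(label, MAGIC_BPF); COUNTER_INC(destroy_bpfdesc_label);` at L7908–L7909, whereas the removed code incremented `destroy_count_bpfdesc` only on the valid-destroy branch (L7900–L7902). Without KDB, `DEBUGGER` only printf()s and execution continues, so a duplicate destroy or a corrupted label is now also counted as a destroy, and an init/destroy counter pair can no longer be compared to spot a leak or a double free. Either count inside the success branch of `LABEL_DESTROY` to keep the old meaning, or document the change beside the first such hook: `/* NOTE: counted even when LABEL_DESTROY reports a dup or corrupt label */`. The same applies to every destroy hook in this hunk; `mac_test_destroy_mbuf_label` at the end continues past it.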
@@ -635,198 +437,153 @@
if (label == NULL)
return;
- if (SLOT(label) == MBUFMAGIC || SLOT(label) == 0) {
- atomic_add_int(&destroy_count_mbuf, 1);
- SLOT(label) = EXMAGIC;
- } else if (SLOT(label) == EXMAGIC) {
- DEBUGGER("mac_test_destroy_mbuf: dup destroy");
- } else {
- DEBUGGER("mac_test_destroy_mbuf: corrupted label");
- }
+ LABEL_DESTROY(label, MAGIC_MBUF);
+ COUNTER_INC(destroy_mbuf_label);
}
+COUNTER_DECL(destroy_mount_label);
static void
mac_test_destroy_mount_label(struct label *label)
{
- if ((SLOT(label) == MOUNTMAGIC || SLOT(label) == 0)) {
- atomic_add_int(&destroy_count_mount, 1);
- SLOT(label) = EXMAGIC;
- } else if (SLOT(label) == EXMAGIC) {
- DEBUGGER("mac_test_destroy_mount: dup destroy");
- } else {
- DEBUGGER("mac_test_destroy_mount: corrupted label");
- }
-}
-
-static void
-mac_test_destroy_mount_fs_label(struct label *label)
-{
-
- if ((SLOT(label) == MOUNTMAGIC || SLOT(label) == 0)) {
- atomic_add_int(&destroy_count_mount_fslabel, 1);
- SLOT(label) = EXMAGIC;
- } else if (SLOT(label) == EXMAGIC) {
- DEBUGGER("mac_test_destroy_mount_fslabel: dup destroy");
- } else {
- DEBUGGER("mac_test_destroy_mount_fslabel: corrupted label");
- }
+ LABEL_DESTROY(label, MAGIC_MOUNT);
+ COUNTER_INC(destroy_mount_label);
}
+COUNTER_DECL(destroy_socket_label);
static void
mac_test_destroy_socket_label(struct label *label)
{
- if ((SLOT(label) == SOCKETMAGIC || SLOT(label) == 0)) {
- atomic_add_int(&destroy_count_socket, 1);
- SLOT(label) = EXMAGIC;
- } else if (SLOT(label) == EXMAGIC) {
- DEBUGGER("mac_test_destroy_socket: dup destroy");
- } else {
- DEBUGGER("mac_test_destroy_socket: corrupted label");
- }
+ LABEL_DESTROY(label, MAGIC_SOCKET);
+ COUNTER_INC(destroy_socket_label);
}
+COUNTER_DECL(destroy_socket_peer_label);
static void
mac_test_destroy_socket_peer_label(struct label *label)
{
- if ((SLOT(label) == SOCKETMAGIC || SLOT(label) == 0)) {
- atomic_add_int(&destroy_count_socket_peerlabel, 1);
- SLOT(label) = EXMAGIC;
- } else if (SLOT(label) == EXMAGIC) {
- DEBUGGER("mac_test_destroy_socket_peerlabel: dup destroy");
- } else {
- DEBUGGER("mac_test_destroy_socket_peerlabel: corrupted label");
- }
+ LABEL_DESTROY(label, MAGIC_SOCKET);
+ COUNTER_INC(destroy_socket_peer_label);
}
+COUNTER_DECL(destroy_pipe_label);
static void
mac_test_destroy_pipe_label(struct label *label)
{
- if ((SLOT(label) == PIPEMAGIC || SLOT(label) == 0)) {
- atomic_add_int(&destroy_count_pipe, 1);
- SLOT(label) = EXMAGIC;
- } else if (SLOT(label) == EXMAGIC) {
- DEBUGGER("mac_test_destroy_pipe: dup destroy");
- } else {
- DEBUGGER("mac_test_destroy_pipe: corrupted label");
- }
+ LABEL_DESTROY(label, MAGIC_PIPE);
+ COUNTER_INC(destroy_pipe_label);
}
+COUNTER_DECL(destroy_posix_sem_label);
static void
mac_test_destroy_posix_sem_label(struct label *label)
{
- if ((SLOT(label) == POSIXSEMMAGIC || SLOT(label) == 0)) {
- atomic_add_int(&destroy_count_posixsems, 1);
- SLOT(label) = EXMAGIC;
- } else if (SLOT(label) == EXMAGIC) {
- DEBUGGER("mac_test_destroy_posix_sem: dup destroy");
- } else {
- DEBUGGER("mac_test_destroy_posix_sem: corrupted label");
- }
+ LABEL_DESTROY(label, MAGIC_POSIX_SEM);
+ COUNTER_INC(destroy_posix_sem_label);
}
+COUNTER_DECL(destroy_proc_label);
static void
mac_test_destroy_proc_label(struct label *label)
{
- if ((SLOT(label) == PROCMAGIC || SLOT(label) == 0)) {
- atomic_add_int(&destroy_count_proc, 1);
- SLOT(label) = EXMAGIC;
- } else if (SLOT(label) == EXMAGIC) {
- DEBUGGER("mac_test_destroy_proc: dup destroy");
- } else {
- DEBUGGER("mac_test_destroy_proc: corrupted label");
- }
+ LABEL_DESTROY(label, MAGIC_PROC);
+ COUNTER_INC(destroy_proc_label);
}
+COUNTER_DECL(destroy_vnode_label);
static void
mac_test_destroy_vnode_label(struct label *label)
{
- if (SLOT(label) == VNODEMAGIC || SLOT(label) == 0) {
- atomic_add_int(&destroy_count_vnode, 1);
- SLOT(label) = EXMAGIC;
- } else if (SLOT(label) == EXMAGIC) {
- DEBUGGER("mac_test_destroy_vnode: dup destroy");
- } else {
- DEBUGGER("mac_test_destroy_vnode: corrupted label");
- }
+ LABEL_DESTROY(label, MAGIC_VNODE);
+ COUNTER_INC(destroy_vnode_label);
}
+COUNTER_DECL(copy_cred_label);
static void
mac_test_copy_cred_label(struct label *src, struct label *dest)
{
- ASSERT_CRED_LABEL(src);
- ASSERT_CRED_LABEL(dest);
+ LABEL_CHECK(src, MAGIC_CRED);
+ LABEL_CHECK(dest, MAGIC_CRED);
+ COUNTER_INC(copy_cred_label);
}
+COUNTER_DECL(copy_ifnet_label);
static void
mac_test_copy_ifnet_label(struct label *src, struct label *dest)
{
- ASSERT_IFNET_LABEL(src);
- ASSERT_IFNET_LABEL(dest);
+ LABEL_CHECK(src, MAGIC_IFNET);
+ LABEL_CHECK(dest, MAGIC_IFNET);
+ COUNTER_INC(copy_ifnet_label);
}
+COUNTER_DECL(copy_mbuf_label);
static void
mac_test_copy_mbuf_label(struct label *src, struct label *dest)
{
- ASSERT_MBUF_LABEL(src);
- ASSERT_MBUF_LABEL(dest);
+ LABEL_CHECK(src, MAGIC_MBUF);
+ LABEL_CHECK(dest, MAGIC_MBUF);
+ COUNTER_INC(copy_mbuf_label);
}
+COUNTER_DECL(copy_pipe_label);
static void
mac_test_copy_pipe_label(struct label *src, struct label *dest)
{
- ASSERT_PIPE_LABEL(src);
- ASSERT_PIPE_LABEL(dest);
+ LABEL_CHECK(src, MAGIC_PIPE);
+ LABEL_CHECK(dest, MAGIC_PIPE);
+ COUNTER_INC(copy_pipe_label);
}
+COUNTER_DECL(copy_socket_label);
static void
mac_test_copy_socket_label(struct label *src, struct label *dest)
{
- ASSERT_SOCKET_LABEL(src);
- ASSERT_SOCKET_LABEL(dest);
+ LABEL_CHECK(src, MAGIC_SOCKET);
+ LABEL_CHECK(dest, MAGIC_SOCKET);
+ COUNTER_INC(copy_socket_label);
}
+COUNTER_DECL(copy_vnode_label);
static void
mac_test_copy_vnode_label(struct label *src, struct label *dest)
{
- ASSERT_VNODE_LABEL(src);
- ASSERT_VNODE_LABEL(dest);
+ LABEL_CHECK(src, MAGIC_VNODE);
+ LABEL_CHECK(dest, MAGIC_VNODE);
+ COUNTER_INC(copy_vnode_label);
}
+COUNTER_DECL(externalize_label);
static int
mac_test_externalize_label(struct label *label, char *element_name,
struct sbuf *sb, int *claimed)
{
- atomic_add_int(&externalize_count, 1);
-
- KASSERT(SLOT(label) != EXMAGIC,
- ("mac_test_externalize_label: destroyed label"));
+ LABEL_NOTFREE(label);
+ COUNTER_INC(externalize_label);
return (0);
}
+COUNTER_DECL(internalize_label);
static int
mac_test_internalize_label(struct label *label, char *element_name,
char *element_data, int *claimed)
{
- atomic_add_int(&internalize_count, 1);
-
- KASSERT(SLOT(label) != EXMAGIC,
- ("mac_test_internalize_label: destroyed label"));
+ LABEL_NOTFREE(label);
+ COUNTER_INC(internalize_label);
return (0);
}
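Review bot: `mac_test_destroy_mbuf_label` is the only destroy hook that checks `label == NULL` (L8057) before `LABEL_DESTROY`, which dereferences its argument unconditionally, while the sibling `LABEL_CHECK` macro tolerates NULL; from the hunk a reader cannot tell whether NULL mbuf labels are expected or whether the other destroy hooks are simply never handed NULL. A one-line comment at the guard would settle it, e.g. `/* mbuf labels are optional (presumably absent when no policy labels mbufs) -- NULL is not an error here; confirm against the framework */`. Likewise `mac_test_externalize_label` and `mac_test_internalize_label` run only `LABEL_NOTFREE` because the object class is not known at that point, and a short comment saying so would explain why they alone skip the magic-number check. The mbuf hook's signature lies before this hunk.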
@@ -835,1573 +592,1889 @@
* Labeling event operations: file system objects, and things that look
* a lot like file system objects.
*/
+COUNTER_DECL(associate_vnode_devfs);
static void
-mac_test_associate_vnode_devfs(struct mount *mp, struct label *fslabel,
+mac_test_associate_vnode_devfs(struct mount *mp, struct label *mplabel,
struct devfs_dirent *de, struct label *delabel, struct vnode *vp,
- struct label *vlabel)
+ struct label *vplabel)
{
- ASSERT_MOUNT_LABEL(fslabel);
- ASSERT_DEVFS_LABEL(delabel);
- ASSERT_VNODE_LABEL(vlabel);
+ LABEL_CHECK(mplabel, MAGIC_MOUNT);
+ LABEL_CHECK(delabel, MAGIC_DEVFS);
+ LABEL_CHECK(vplabel, MAGIC_VNODE);
+ COUNTER_INC(associate_vnode_devfs);
}
+COUNTER_DECL(associate_vnode_extattr);
static int
-mac_test_associate_vnode_extattr(struct mount *mp, struct label *fslabel,
- struct vnode *vp, struct label *vlabel)
+mac_test_associate_vnode_extattr(struct mount *mp, struct label *mplabel,
+ struct vnode *vp, struct label *vplabel)
{
- ASSERT_MOUNT_LABEL(fslabel);
- ASSERT_VNODE_LABEL(vlabel);
+ LABEL_CHECK(mplabel, MAGIC_MOUNT);
+ LABEL_CHECK(vplabel, MAGIC_VNODE);
+ COUNTER_INC(associate_vnode_extattr);
+
return (0);
}
+COUNTER_DECL(associate_vnode_singlelabel);
static void
-mac_test_associate_vnode_singlelabel(struct mount *mp,
- struct label *fslabel, struct vnode *vp, struct label *vlabel)
+mac_test_associate_vnode_singlelabel(struct mount *mp, struct label *mplabel,
+ struct vnode *vp, struct label *vplabel)
{
- ASSERT_MOUNT_LABEL(fslabel);
- ASSERT_VNODE_LABEL(vlabel);
+ LABEL_CHECK(mplabel, MAGIC_MOUNT);
+ LABEL_CHECK(vplabel, MAGIC_VNODE);
+ COUNTER_INC(associate_vnode_singlelabel);
}
+COUNTER_DECL(create_devfs_device);
static void
mac_test_create_devfs_device(struct ucred *cred, struct mount *mp,
- struct cdev *dev, struct devfs_dirent *devfs_dirent, struct label *label)
+ struct cdev *dev, struct devfs_dirent *de, struct label *delabel)
{
- if (cred != NULL) {
- ASSERT_CRED_LABEL(cred->cr_label);
- }
- ASSERT_DEVFS_LABEL(label);
+ if (cred != NULL)
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(delabel, MAGIC_DEVFS);
+ COUNTER_INC(create_devfs_device);
}
+COUNTER_DECL(create_devfs_directory);
static void
mac_test_create_devfs_directory(struct mount *mp, char *dirname,
- int dirnamelen, struct devfs_dirent *devfs_dirent, struct label *label)
+ int dirnamelen, struct devfs_dirent *de, struct label *delabel)
{
- ASSERT_DEVFS_LABEL(label);
+ LABEL_CHECK(delabel, MAGIC_DEVFS);
+ COUNTER_INC(create_devfs_directory);
}
+COUNTER_DECL(create_devfs_symlink);
static void
mac_test_create_devfs_symlink(struct ucred *cred, struct mount *mp,
struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de,
struct label *delabel)
{
- ASSERT_CRED_LABEL(cred->cr_label);
- ASSERT_DEVFS_LABEL(ddlabel);
- ASSERT_DEVFS_LABEL(delabel);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(ddlabel, MAGIC_DEVFS);
+ LABEL_CHECK(delabel, MAGIC_DEVFS);
+ COUNTER_INC(create_devfs_symlink);
}
+COUNTER_DECL(create_vnode_extattr);
static int
mac_test_create_vnode_extattr(struct ucred *cred, struct mount *mp,
- struct label *fslabel, struct vnode *dvp, struct label *dlabel,
- struct vnode *vp, struct label *vlabel, struct componentname *cnp)
+ struct label *mplabel, struct vnode *dvp, struct label *dvplabel,
+ struct vnode *vp, struct label *vplabel, struct componentname *cnp)
{
- ASSERT_CRED_LABEL(cred->cr_label);
- ASSERT_MOUNT_LABEL(fslabel);
- ASSERT_VNODE_LABEL(dlabel);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(mplabel, MAGIC_MOUNT);
+ LABEL_CHECK(dvplabel, MAGIC_VNODE);
+ COUNTER_INC(create_vnode_extattr);
return (0);
}
+COUNTER_DECL(create_mount);
static void
mac_test_create_mount(struct ucred *cred, struct mount *mp,
- struct label *mntlabel, struct label *fslabel)
+ struct label *mplabel)
{
- ASSERT_CRED_LABEL(cred->cr_label);
- ASSERT_MOUNT_LABEL(mntlabel);
- ASSERT_MOUNT_LABEL(fslabel);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(mplabel, MAGIC_MOUNT);
+ COUNTER_INC(create_mount);
}
+COUNTER_DECL(relabel_vnode);
static void
mac_test_relabel_vnode(struct ucred *cred, struct vnode *vp,
- struct label *vnodelabel, struct label *label)
+ struct label *vplabel, struct label *label)
{
- ASSERT_CRED_LABEL(cred->cr_label);
- ASSERT_VNODE_LABEL(vnodelabel);
- ASSERT_VNODE_LABEL(label);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(vplabel, MAGIC_VNODE);
+ LABEL_CHECK(label, MAGIC_VNODE);
+ COUNTER_INC(relabel_vnode);
}
+COUNTER_DECL(setlabel_vnode_extattr);
static int
mac_test_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
- struct label *vlabel, struct label *intlabel)
+ struct label *vplabel, struct label *intlabel)
{
- ASSERT_CRED_LABEL(cred->cr_label);
- ASSERT_VNODE_LABEL(vlabel);
- ASSERT_VNODE_LABEL(intlabel);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(vplabel, MAGIC_VNODE);
+ LABEL_CHECK(intlabel, MAGIC_VNODE);
+ COUNTER_INC(setlabel_vnode_extattr);
+
return (0);
}
+COUNTER_DECL(update_devfs);
static void
-mac_test_update_devfsdirent(struct mount *mp,
- struct devfs_dirent *devfs_dirent, struct label *direntlabel,
- struct vnode *vp, struct label *vnodelabel)
+mac_test_update_devfs(struct mount *mp, struct devfs_dirent *devfs_dirent,
+ struct label *direntlabel, struct vnode *vp, struct label *vplabel)
{
- ASSERT_DEVFS_LABEL(direntlabel);
- ASSERT_VNODE_LABEL(vnodelabel);
+ LABEL_CHECK(direntlabel, MAGIC_DEVFS);
+ LABEL_CHECK(vplabel, MAGIC_VNODE);
+ COUNTER_INC(update_devfs);
}
/*
* Labeling event operations: IPC object.
*/
+COUNTER_DECL(create_mbuf_from_socket);
static void
mac_test_create_mbuf_from_socket(struct socket *so, struct label *socketlabel,
struct mbuf *m, struct label *mbuflabel)
{
- ASSERT_SOCKET_LABEL(socketlabel);
- ASSERT_MBUF_LABEL(mbuflabel);
+ LABEL_CHECK(socketlabel, MAGIC_SOCKET);
+ LABEL_CHECK(mbuflabel, MAGIC_MBUF);
+ COUNTER_INC(create_mbuf_from_socket);
}
+COUNTER_DECL(create_socket);
static void
mac_test_create_socket(struct ucred *cred, struct socket *socket,
struct label *socketlabel)
{
- ASSERT_CRED_LABEL(cred->cr_label);
- ASSERT_SOCKET_LABEL(socketlabel);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(socketlabel, MAGIC_SOCKET);
+ COUNTER_INC(create_socket);
}
+COUNTER_DECL(create_pipe);
static void
mac_test_create_pipe(struct ucred *cred, struct pipepair *pp,
struct label *pipelabel)
{
- ASSERT_CRED_LABEL(cred->cr_label);
- ASSERT_PIPE_LABEL(pipelabel);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(pipelabel, MAGIC_PIPE);
+ COUNTER_INC(create_pipe);
}
+COUNTER_DECL(create_posix_sem);
static void
-mac_test_create_posix_sem(struct ucred *cred, struct ksem *ksem,
- struct label *posixlabel)
+mac_test_create_posix_sem(struct ucred *cred, struct ksem *ks,
+ struct label *kslabel)
{
- ASSERT_CRED_LABEL(cred->cr_label);
- ASSERT_POSIX_LABEL(posixlabel);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(kslabel, MAGIC_POSIX_SEM);
+ COUNTER_INC(create_posix_sem);
}
+COUNTER_DECL(create_socket_from_socket);
static void
mac_test_create_socket_from_socket(struct socket *oldsocket,
struct label *oldsocketlabel, struct socket *newsocket,
struct label *newsocketlabel)
{
- ASSERT_SOCKET_LABEL(oldsocketlabel);
- ASSERT_SOCKET_LABEL(newsocketlabel);
+ LABEL_CHECK(oldsocketlabel, MAGIC_SOCKET);
+ LABEL_CHECK(newsocketlabel, MAGIC_SOCKET);
+ COUNTER_INC(create_socket_from_socket);
}
+COUNTER_DECL(relabel_socket);
static void
mac_test_relabel_socket(struct ucred *cred, struct socket *socket,
struct label *socketlabel, struct label *newlabel)
{
- ASSERT_CRED_LABEL(cred->cr_label);
- ASSERT_SOCKET_LABEL(newlabel);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(newlabel, MAGIC_SOCKET);
+ COUNTER_INC(relabel_socket);
}
+COUNTER_DECL(relabel_pipe);
static void
mac_test_relabel_pipe(struct ucred *cred, struct pipepair *pp,
struct label *pipelabel, struct label *newlabel)
{
- ASSERT_CRED_LABEL(cred->cr_label);
- ASSERT_PIPE_LABEL(pipelabel);
- ASSERT_PIPE_LABEL(newlabel);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(pipelabel, MAGIC_PIPE);
+ LABEL_CHECK(newlabel, MAGIC_PIPE);
+ COUNTER_INC(relabel_pipe);
}
+COUNTER_DECL(set_socket_peer_from_mbuf);
static void
mac_test_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct label *mbuflabel,
struct socket *socket, struct label *socketpeerlabel)
{
- ASSERT_MBUF_LABEL(mbuflabel);
- ASSERT_SOCKET_LABEL(socketpeerlabel);
+ LABEL_CHECK(mbuflabel, MAGIC_MBUF);
+ LABEL_CHECK(socketpeerlabel, MAGIC_SOCKET);
+ COUNTER_INC(set_socket_peer_from_mbuf);
}
/*
* Labeling event operations: network objects.
*/
+COUNTER_DECL(set_socket_peer_from_socket);
static void
mac_test_set_socket_peer_from_socket(struct socket *oldsocket,
struct label *oldsocketlabel, struct socket *newsocket,
struct label *newsocketpeerlabel)
{
- ASSERT_SOCKET_LABEL(oldsocketlabel);
- ASSERT_SOCKET_LABEL(newsocketpeerlabel);
+ LABEL_CHECK(oldsocketlabel, MAGIC_SOCKET);
+ LABEL_CHECK(newsocketpeerlabel, MAGIC_SOCKET);
+ COUNTER_INC(set_socket_peer_from_socket);
}
+COUNTER_DECL(create_bpfdesc);
static void
mac_test_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d,
struct label *bpflabel)
{
- ASSERT_CRED_LABEL(cred->cr_label);
- ASSERT_BPF_LABEL(bpflabel);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(bpflabel, MAGIC_BPF);
+ COUNTER_INC(create_bpfdesc);
}
+COUNTER_DECL(create_datagram_from_ipq);
static void
mac_test_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel,
struct mbuf *datagram, struct label *datagramlabel)
{
- ASSERT_IPQ_LABEL(ipqlabel);
- ASSERT_MBUF_LABEL(datagramlabel);
+ LABEL_CHECK(ipqlabel, MAGIC_IPQ);
+ LABEL_CHECK(datagramlabel, MAGIC_MBUF);
+ COUNTER_INC(create_datagram_from_ipq);
}
+COUNTER_DECL(create_fragment);
static void
mac_test_create_fragment(struct mbuf *datagram, struct label *datagramlabel,
struct mbuf *fragment, struct label *fragmentlabel)
{
- ASSERT_MBUF_LABEL(datagramlabel);
- ASSERT_MBUF_LABEL(fragmentlabel);
+ LABEL_CHECK(datagramlabel, MAGIC_MBUF);
+ LABEL_CHECK(fragmentlabel, MAGIC_MBUF);
+ COUNTER_INC(create_fragment);
}
+COUNTER_DECL(create_ifnet);
static void
mac_test_create_ifnet(struct ifnet *ifnet, struct label *ifnetlabel)
{
- ASSERT_IFNET_LABEL(ifnetlabel);
+ LABEL_CHECK(ifnetlabel, MAGIC_IFNET);
+ COUNTER_INC(create_ifnet);
}
+COUNTER_DECL(create_inpcb_from_socket);
static void
mac_test_create_inpcb_from_socket(struct socket *so, struct label *solabel,
struct inpcb *inp, struct label *inplabel)
{
- ASSERT_SOCKET_LABEL(solabel);
- ASSERT_INPCB_LABEL(inplabel);
+ LABEL_CHECK(solabel, MAGIC_SOCKET);
+ LABEL_CHECK(inplabel, MAGIC_INPCB);
+ COUNTER_INC(create_inpcb_from_socket);
}
+COUNTER_DECL(create_sysv_msgmsg);
static void
mac_test_create_sysv_msgmsg(struct ucred *cred, struct msqid_kernel *msqkptr,
struct label *msqlabel, struct msg *msgptr, struct label *msglabel)
{
- ASSERT_SYSVIPCMSG_LABEL(msglabel);
- ASSERT_SYSVIPCMSQ_LABEL(msqlabel);
+ LABEL_CHECK(msglabel, MAGIC_SYSV_MSG);
+ LABEL_CHECK(msqlabel, MAGIC_SYSV_MSQ);
+ COUNTER_INC(create_sysv_msgmsg);
}
+COUNTER_DECL(create_sysv_msgqueue);
static void
mac_test_create_sysv_msgqueue(struct ucred *cred,
struct msqid_kernel *msqkptr, struct label *msqlabel)
{
- ASSERT_SYSVIPCMSQ_LABEL(msqlabel);
+ LABEL_CHECK(msqlabel, MAGIC_SYSV_MSQ);
+ COUNTER_INC(create_sysv_msgqueue);
}
+COUNTER_DECL(create_sysv_sem);
static void
mac_test_create_sysv_sem(struct ucred *cred, struct semid_kernel *semakptr,
struct label *semalabel)
{
- ASSERT_SYSVIPCSEM_LABEL(semalabel);
+ LABEL_CHECK(semalabel, MAGIC_SYSV_SEM);
+ COUNTER_INC(create_sysv_sem);
}
+COUNTER_DECL(create_sysv_shm);
static void
mac_test_create_sysv_shm(struct ucred *cred, struct shmid_kernel *shmsegptr,
struct label *shmlabel)
{
- ASSERT_SYSVIPCSHM_LABEL(shmlabel);
+ LABEL_CHECK(shmlabel, MAGIC_SYSV_SHM);
+ COUNTER_INC(create_sysv_shm);
}
+COUNTER_DECL(create_ipq);
static void
mac_test_create_ipq(struct mbuf *fragment, struct label *fragmentlabel,
struct ipq *ipq, struct label *ipqlabel)
{
- ASSERT_MBUF_LABEL(fragmentlabel);
- ASSERT_IPQ_LABEL(ipqlabel);
+ LABEL_CHECK(fragmentlabel, MAGIC_MBUF);
+ LABEL_CHECK(ipqlabel, MAGIC_IPQ);
+ COUNTER_INC(create_ipq);
}
+COUNTER_DECL(create_mbuf_from_inpcb);
static void
mac_test_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel,
struct mbuf *m, struct label *mlabel)
{
- ASSERT_INPCB_LABEL(inplabel);
- ASSERT_MBUF_LABEL(mlabel);
+ LABEL_CHECK(inplabel, MAGIC_INPCB);
+ LABEL_CHECK(mlabel, MAGIC_MBUF);
+ COUNTER_INC(create_mbuf_from_inpcb);
}
+COUNTER_DECL(create_mbuf_linklayer);
static void
mac_test_create_mbuf_linklayer(struct ifnet *ifnet, struct label *ifnetlabel,
struct mbuf *mbuf, struct label *mbuflabel)
{
- ASSERT_IFNET_LABEL(ifnetlabel);
- ASSERT_MBUF_LABEL(mbuflabel);
+ LABEL_CHECK(ifnetlabel, MAGIC_IFNET);
+ LABEL_CHECK(mbuflabel, MAGIC_MBUF);
+ COUNTER_INC(create_mbuf_linklayer);
}
+COUNTER_DECL(create_mbuf_from_bpfdesc);
static void
mac_test_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct label *bpflabel,
struct mbuf *mbuf, struct label *mbuflabel)
{
- ASSERT_BPF_LABEL(bpflabel);
- ASSERT_MBUF_LABEL(mbuflabel);
+ LABEL_CHECK(bpflabel, MAGIC_BPF);
+ LABEL_CHECK(mbuflabel, MAGIC_MBUF);
+ COUNTER_INC(create_mbuf_from_bpfdesc);
}
+COUNTER_DECL(create_mbuf_from_ifnet);
static void
mac_test_create_mbuf_from_ifnet(struct ifnet *ifnet, struct label *ifnetlabel,
struct mbuf *m, struct label *mbuflabel)
{
- ASSERT_IFNET_LABEL(ifnetlabel);
- ASSERT_MBUF_LABEL(mbuflabel);
+ LABEL_CHECK(ifnetlabel, MAGIC_IFNET);
+ LABEL_CHECK(mbuflabel, MAGIC_MBUF);
+ COUNTER_INC(create_mbuf_from_ifnet);
}
+COUNTER_DECL(create_mbuf_multicast_encap);
static void
mac_test_create_mbuf_multicast_encap(struct mbuf *oldmbuf,
struct label *oldmbuflabel, struct ifnet *ifnet, struct label *ifnetlabel,
struct mbuf *newmbuf, struct label *newmbuflabel)
{
- ASSERT_MBUF_LABEL(oldmbuflabel);
- ASSERT_IFNET_LABEL(ifnetlabel);
- ASSERT_MBUF_LABEL(newmbuflabel);
+ LABEL_CHECK(oldmbuflabel, MAGIC_MBUF);
+ LABEL_CHECK(ifnetlabel, MAGIC_IFNET);
+ LABEL_CHECK(newmbuflabel, MAGIC_MBUF);
+ COUNTER_INC(create_mbuf_multicast_encap);
}
+COUNTER_DECL(create_mbuf_netlayer);
static void
mac_test_create_mbuf_netlayer(struct mbuf *oldmbuf,
struct label *oldmbuflabel, struct mbuf *newmbuf,
struct label *newmbuflabel)
{
- ASSERT_MBUF_LABEL(oldmbuflabel);
- ASSERT_MBUF_LABEL(newmbuflabel);
+ LABEL_CHECK(oldmbuflabel, MAGIC_MBUF);
+ LABEL_CHECK(newmbuflabel, MAGIC_MBUF);
+ COUNTER_INC(create_mbuf_netlayer);
}
+COUNTER_DECL(fragment_match);
static int
mac_test_fragment_match(struct mbuf *fragment, struct label *fragmentlabel,
struct ipq *ipq, struct label *ipqlabel)
{
- ASSERT_MBUF_LABEL(fragmentlabel);
- ASSERT_IPQ_LABEL(ipqlabel);
+ LABEL_CHECK(fragmentlabel, MAGIC_MBUF);
+ LABEL_CHECK(ipqlabel, MAGIC_IPQ);
+ COUNTER_INC(fragment_match);
return (1);
}
+COUNTER_DECL(reflect_mbuf_icmp);
static void
mac_test_reflect_mbuf_icmp(struct mbuf *m, struct label *mlabel)
{
- ASSERT_MBUF_LABEL(mlabel);
+ LABEL_CHECK(mlabel, MAGIC_MBUF);
+ COUNTER_INC(reflect_mbuf_icmp);
}
+COUNTER_DECL(reflect_mbuf_tcp);
static void
mac_test_reflect_mbuf_tcp(struct mbuf *m, struct label *mlabel)
{
- ASSERT_MBUF_LABEL(mlabel);
+ LABEL_CHECK(mlabel, MAGIC_MBUF);
+ COUNTER_INC(reflect_mbuf_tcp);
}
+COUNTER_DECL(relabel_ifnet);
static void
mac_test_relabel_ifnet(struct ucred *cred, struct ifnet *ifnet,
struct label *ifnetlabel, struct label *newlabel)
{
- ASSERT_CRED_LABEL(cred->cr_label);
- ASSERT_IFNET_LABEL(ifnetlabel);
- ASSERT_IFNET_LABEL(newlabel);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(ifnetlabel, MAGIC_IFNET);
+ LABEL_CHECK(newlabel, MAGIC_IFNET);
+ COUNTER_INC(relabel_ifnet);
}
+COUNTER_DECL(update_ipq);
static void
mac_test_update_ipq(struct mbuf *fragment, struct label *fragmentlabel,
struct ipq *ipq, struct label *ipqlabel)
{
- ASSERT_MBUF_LABEL(fragmentlabel);
- ASSERT_IPQ_LABEL(ipqlabel);
+ LABEL_CHECK(fragmentlabel, MAGIC_MBUF);
+ LABEL_CHECK(ipqlabel, MAGIC_IPQ);
+ COUNTER_INC(update_ipq);
}
+COUNTER_DECL(inpcb_sosetlabel);
static void
mac_test_inpcb_sosetlabel(struct socket *so, struct label *solabel,
struct inpcb *inp, struct label *inplabel)
{
- ASSERT_SOCKET_LABEL(solabel);
- ASSERT_INPCB_LABEL(inplabel);
+ LABEL_CHECK(solabel, MAGIC_SOCKET);
+ LABEL_CHECK(inplabel, MAGIC_INPCB);
+ COUNTER_INC(inpcb_sosetlabel);
}
/*
* Labeling event operations: processes.
*/
+COUNTER_DECL(execve_transition);
static void
mac_test_execve_transition(struct ucred *old, struct ucred *new,
struct vnode *vp, struct label *filelabel,
- struct label *interpvnodelabel, struct image_params *imgp,
+ struct label *interpvplabel, struct image_params *imgp,
struct label *execlabel)
{
- ASSERT_CRED_LABEL(old->cr_label);
- ASSERT_CRED_LABEL(new->cr_label);
- ASSERT_VNODE_LABEL(filelabel);
- if (interpvnodelabel != NULL) {
- ASSERT_VNODE_LABEL(interpvnodelabel);
- }
- if (execlabel != NULL) {
- ASSERT_CRED_LABEL(execlabel);
- }
+ LABEL_CHECK(old->cr_label, MAGIC_CRED);
+ LABEL_CHECK(new->cr_label, MAGIC_CRED);
+ LABEL_CHECK(filelabel, MAGIC_VNODE);
+ LABEL_CHECK(interpvplabel, MAGIC_VNODE);
+ LABEL_CHECK(execlabel, MAGIC_CRED);
+ COUNTER_INC(execve_transition);
}
+COUNTER_DECL(execve_will_transition);
static int
mac_test_execve_will_transition(struct ucred *old, struct vnode *vp,
- struct label *filelabel, struct label *interpvnodelabel,
+ struct label *filelabel, struct label *interpvplabel,
struct image_params *imgp, struct label *execlabel)
{
- ASSERT_CRED_LABEL(old->cr_label);
- ASSERT_VNODE_LABEL(filelabel);
- if (interpvnodelabel != NULL) {
- ASSERT_VNODE_LABEL(interpvnodelabel);
- }
- if (execlabel != NULL) {
- ASSERT_CRED_LABEL(execlabel);
- }
+ LABEL_CHECK(old->cr_label, MAGIC_CRED);
+ LABEL_CHECK(filelabel, MAGIC_VNODE);
+ LABEL_CHECK(interpvplabel, MAGIC_VNODE);
+ LABEL_CHECK(execlabel, MAGIC_CRED);
+ COUNTER_INC(execve_will_transition);
return (0);
}
+COUNTER_DECL(create_proc0);
static void
mac_test_create_proc0(struct ucred *cred)
{
- ASSERT_CRED_LABEL(cred->cr_label);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ COUNTER_INC(create_proc0);
}
+COUNTER_DECL(create_proc1);
static void
mac_test_create_proc1(struct ucred *cred)
{
- ASSERT_CRED_LABEL(cred->cr_label);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ COUNTER_INC(create_proc1);
}
+COUNTER_DECL(relabel_cred);
static void
mac_test_relabel_cred(struct ucred *cred, struct label *newlabel)
{
- ASSERT_CRED_LABEL(cred->cr_label);
- ASSERT_CRED_LABEL(newlabel);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(newlabel, MAGIC_CRED);
+ COUNTER_INC(relabel_cred);
}
+COUNTER_DECL(thread_userret);
static void
mac_test_thread_userret(struct thread *td)
{
- printf("mac_test_thread_userret(process = %d)\n",
- curthread->td_proc->p_pid);
+ COUNTER_INC(thread_userret);
}
/*
* Label cleanup/flush operations
*/
+COUNTER_DECL(cleanup_sysv_msgmsg);
static void
mac_test_cleanup_sysv_msgmsg(struct label *msglabel)
{
- ASSERT_SYSVIPCMSG_LABEL(msglabel);
+ LABEL_CHECK(msglabel, MAGIC_SYSV_MSG);
+ COUNTER_INC(cleanup_sysv_msgmsg);
}
+COUNTER_DECL(cleanup_sysv_msgqueue);
static void
mac_test_cleanup_sysv_msgqueue(struct label *msqlabel)
{
- ASSERT_SYSVIPCMSQ_LABEL(msqlabel);
+ LABEL_CHECK(msqlabel, MAGIC_SYSV_MSQ);
+ COUNTER_INC(cleanup_sysv_msgqueue);
}
+COUNTER_DECL(cleanup_sysv_sem);
static void
mac_test_cleanup_sysv_sem(struct label *semalabel)
{
- ASSERT_SYSVIPCSEM_LABEL(semalabel);
+ LABEL_CHECK(semalabel, MAGIC_SYSV_SEM);
+ COUNTER_INC(cleanup_sysv_sem);
}
+COUNTER_DECL(cleanup_sysv_shm);
static void
mac_test_cleanup_sysv_shm(struct label *shmlabel)
{
- ASSERT_SYSVIPCSHM_LABEL(shmlabel);
+ LABEL_CHECK(shmlabel, MAGIC_SYSV_SHM);
+ COUNTER_INC(cleanup_sysv_shm);
}
/*
* Access control checks.
*/
+COUNTER_DECL(check_bpfdesc_receive);
static int
mac_test_check_bpfdesc_receive(struct bpf_d *bpf_d, struct label *bpflabel,
struct ifnet *ifnet, struct label *ifnetlabel)
{
- ASSERT_BPF_LABEL(bpflabel);
- ASSERT_IFNET_LABEL(ifnetlabel);
+ LABEL_CHECK(bpflabel, MAGIC_BPF);
+ LABEL_CHECK(ifnetlabel, MAGIC_IFNET);
+ COUNTER_INC(check_bpfdesc_receive);
return (0);
}
+COUNTER_DECL(check_cred_relabel);
static int
mac_test_check_cred_relabel(struct ucred *cred, struct label *newlabel)
{
- ASSERT_CRED_LABEL(cred->cr_label);
- ASSERT_CRED_LABEL(newlabel);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(newlabel, MAGIC_CRED);
+ COUNTER_INC(check_cred_relabel);
return (0);
}
+COUNTER_DECL(check_cred_visible);
static int
mac_test_check_cred_visible(struct ucred *u1, struct ucred *u2)
{
- ASSERT_CRED_LABEL(u1->cr_label);
- ASSERT_CRED_LABEL(u2->cr_label);
+ LABEL_CHECK(u1->cr_label, MAGIC_CRED);
+ LABEL_CHECK(u2->cr_label, MAGIC_CRED);
+ COUNTER_INC(check_cred_visible);
return (0);
}
+COUNTER_DECL(check_ifnet_relabel);
static int
mac_test_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet,
struct label *ifnetlabel, struct label *newlabel)
{
- ASSERT_CRED_LABEL(cred->cr_label);
- ASSERT_IFNET_LABEL(ifnetlabel);
- ASSERT_IFNET_LABEL(newlabel);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(ifnetlabel, MAGIC_IFNET);
+ LABEL_CHECK(newlabel, MAGIC_IFNET);
+ COUNTER_INC(check_ifnet_relabel);
+
return (0);
}
+COUNTER_DECL(check_ifnet_transmit);
static int
mac_test_check_ifnet_transmit(struct ifnet *ifnet, struct label *ifnetlabel,
struct mbuf *m, struct label *mbuflabel)
{
- ASSERT_IFNET_LABEL(ifnetlabel);
- ASSERT_MBUF_LABEL(mbuflabel);
+ LABEL_CHECK(ifnetlabel, MAGIC_IFNET);
+ LABEL_CHECK(mbuflabel, MAGIC_MBUF);
+ COUNTER_INC(check_ifnet_transmit);
return (0);
}
+COUNTER_DECL(check_inpcb_deliver);
static int
mac_test_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel,
struct mbuf *m, struct label *mlabel)
{
- ASSERT_INPCB_LABEL(inplabel);
- ASSERT_MBUF_LABEL(mlabel);
+ LABEL_CHECK(inplabel, MAGIC_INPCB);
+ LABEL_CHECK(mlabel, MAGIC_MBUF);
+ COUNTER_INC(check_inpcb_deliver);
return (0);
}
+COUNTER_DECL(check_sysv_msgmsq);
static int
mac_test_check_sysv_msgmsq(struct ucred *cred, struct msg *msgptr,
struct label *msglabel, struct msqid_kernel *msqkptr,
struct label *msqklabel)
{
- ASSERT_SYSVIPCMSQ_LABEL(msqklabel);
- ASSERT_SYSVIPCMSG_LABEL(msglabel);
- ASSERT_CRED_LABEL(cred->cr_label);
+ LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ);
+ LABEL_CHECK(msglabel, MAGIC_SYSV_MSG);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ COUNTER_INC(check_sysv_msgmsq);
return (0);
}
+COUNTER_DECL(check_sysv_msgrcv);
static int
mac_test_check_sysv_msgrcv(struct ucred *cred, struct msg *msgptr,
struct label *msglabel)
{
- ASSERT_SYSVIPCMSG_LABEL(msglabel);
- ASSERT_CRED_LABEL(cred->cr_label);
+ LABEL_CHECK(msglabel, MAGIC_SYSV_MSG);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ COUNTER_INC(check_sysv_msgrcv);
- return (0);
+ return (0);
}
-
+COUNTER_DECL(check_sysv_msgrmid);
static int
mac_test_check_sysv_msgrmid(struct ucred *cred, struct msg *msgptr,
struct label *msglabel)
{
- ASSERT_SYSVIPCMSG_LABEL(msglabel);
- ASSERT_CRED_LABEL(cred->cr_label);
+ LABEL_CHECK(msglabel, MAGIC_SYSV_MSG);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ COUNTER_INC(check_sysv_msgrmid);
return (0);
}
+COUNTER_DECL(check_sysv_msqget);
static int
mac_test_check_sysv_msqget(struct ucred *cred, struct msqid_kernel *msqkptr,
struct label *msqklabel)
{
- ASSERT_SYSVIPCMSQ_LABEL(msqklabel);
- ASSERT_CRED_LABEL(cred->cr_label);
+ LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ COUNTER_INC(check_sysv_msqget);
return (0);
}
+COUNTER_DECL(check_sysv_msqsnd);
static int
mac_test_check_sysv_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr,
struct label *msqklabel)
{
- ASSERT_SYSVIPCMSQ_LABEL(msqklabel);
- ASSERT_CRED_LABEL(cred->cr_label);
+ LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ COUNTER_INC(check_sysv_msqsnd);
return (0);
}
+COUNTER_DECL(check_sysv_msqrcv);
static int
mac_test_check_sysv_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr,
struct label *msqklabel)
{
- ASSERT_SYSVIPCMSQ_LABEL(msqklabel);
- ASSERT_CRED_LABEL(cred->cr_label);
+ LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ COUNTER_INC(check_sysv_msqrcv);
return (0);
}
+COUNTER_DECL(check_sysv_msqctl);
static int
mac_test_check_sysv_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr,
struct label *msqklabel, int cmd)
{
- ASSERT_SYSVIPCMSQ_LABEL(msqklabel);
- ASSERT_CRED_LABEL(cred->cr_label);
+ LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ COUNTER_INC(check_sysv_msqctl);
return (0);
}
+COUNTER_DECL(check_sysv_semctl);
static int
mac_test_check_sysv_semctl(struct ucred *cred, struct semid_kernel *semakptr,
struct label *semaklabel, int cmd)
{
- ASSERT_CRED_LABEL(cred->cr_label);
- ASSERT_SYSVIPCSEM_LABEL(semaklabel);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(semaklabel, MAGIC_SYSV_SEM);
+ COUNTER_INC(check_sysv_semctl);
return (0);
}
+COUNTER_DECL(check_sysv_semget);
static int
mac_test_check_sysv_semget(struct ucred *cred, struct semid_kernel *semakptr,
struct label *semaklabel)
{
- ASSERT_CRED_LABEL(cred->cr_label);
- ASSERT_SYSVIPCSEM_LABEL(semaklabel);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(semaklabel, MAGIC_SYSV_SEM);
+ COUNTER_INC(check_sysv_semget);
return (0);
}
+COUNTER_DECL(check_sysv_semop);
static int
mac_test_check_sysv_semop(struct ucred *cred, struct semid_kernel *semakptr,
struct label *semaklabel, size_t accesstype)
{
- ASSERT_CRED_LABEL(cred->cr_label);
- ASSERT_SYSVIPCSEM_LABEL(semaklabel);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(semaklabel, MAGIC_SYSV_SEM);
+ COUNTER_INC(check_sysv_semop);
return (0);
}
+COUNTER_DECL(check_sysv_shmat);
static int
mac_test_check_sysv_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr,
struct label *shmseglabel, int shmflg)
{
- ASSERT_CRED_LABEL(cred->cr_label);
- ASSERT_SYSVIPCSHM_LABEL(shmseglabel);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(shmseglabel, MAGIC_SYSV_SHM);
+ COUNTER_INC(check_sysv_shmat);
return (0);
}
+COUNTER_DECL(check_sysv_shmctl);
static int
mac_test_check_sysv_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr,
struct label *shmseglabel, int cmd)
{
- ASSERT_CRED_LABEL(cred->cr_label);
- ASSERT_SYSVIPCSHM_LABEL(shmseglabel);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(shmseglabel, MAGIC_SYSV_SHM);
+ COUNTER_INC(check_sysv_shmctl);
return (0);
}
+COUNTER_DECL(check_sysv_shmdt);
static int
mac_test_check_sysv_shmdt(struct ucred *cred, struct shmid_kernel *shmsegptr,
struct label *shmseglabel)
{
- ASSERT_CRED_LABEL(cred->cr_label);
- ASSERT_SYSVIPCSHM_LABEL(shmseglabel);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(shmseglabel, MAGIC_SYSV_SHM);
+ COUNTER_INC(check_sysv_shmdt);
return (0);
}
+COUNTER_DECL(check_sysv_shmget);
static int
mac_test_check_sysv_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr,
struct label *shmseglabel, int shmflg)
{
- ASSERT_CRED_LABEL(cred->cr_label);
- ASSERT_SYSVIPCSHM_LABEL(shmseglabel);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(shmseglabel, MAGIC_SYSV_SHM);
+ COUNTER_INC(check_sysv_shmget);
return (0);
}
+COUNTER_DECL(check_kenv_dump);
static int
mac_test_check_kenv_dump(struct ucred *cred)
{
- ASSERT_CRED_LABEL(cred->cr_label);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ COUNTER_INC(check_kenv_dump);
return (0);
}
+COUNTER_DECL(check_kenv_get);
static int
mac_test_check_kenv_get(struct ucred *cred, char *name)
{
- ASSERT_CRED_LABEL(cred->cr_label);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ COUNTER_INC(check_kenv_get);
return (0);
}
+COUNTER_DECL(check_kenv_set);
static int
mac_test_check_kenv_set(struct ucred *cred, char *name, char *value)
{
- ASSERT_CRED_LABEL(cred->cr_label);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ COUNTER_INC(check_kenv_set);
return (0);
}
+COUNTER_DECL(check_kenv_unset);
static int
mac_test_check_kenv_unset(struct ucred *cred, char *name)
{
- ASSERT_CRED_LABEL(cred->cr_label);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ COUNTER_INC(check_kenv_unset);
return (0);
}
+COUNTER_DECL(check_kld_load);
static int
mac_test_check_kld_load(struct ucred *cred, struct vnode *vp,
struct label *label)
{
- ASSERT_CRED_LABEL(cred->cr_label);
- ASSERT_VNODE_LABEL(label);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(label, MAGIC_VNODE);
+ COUNTER_INC(check_kld_load);
return (0);
}
+COUNTER_DECL(check_kld_stat);
static int
mac_test_check_kld_stat(struct ucred *cred)
{
- ASSERT_CRED_LABEL(cred->cr_label);
-
- return (0);
-}
-
-static int
-mac_test_check_kld_unload(struct ucred *cred)
-{
-
- ASSERT_CRED_LABEL(cred->cr_label);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ COUNTER_INC(check_kld_stat);
return (0);
}
+COUNTER_DECL(check_mount_stat);
static int
mac_test_check_mount_stat(struct ucred *cred, struct mount *mp,
- struct label *mntlabel)
+ struct label *mplabel)
{
- ASSERT_CRED_LABEL(cred->cr_label);
- ASSERT_MOUNT_LABEL(mntlabel);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(mplabel, MAGIC_MOUNT);
+ COUNTER_INC(check_mount_stat);
return (0);
}
+COUNTER_DECL(check_pipe_ioctl);
static int
mac_test_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp,
struct label *pipelabel, unsigned long cmd, void /* caddr_t */ *data)
{
- ASSERT_CRED_LABEL(cred->cr_label);
- ASSERT_PIPE_LABEL(pipelabel);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(pipelabel, MAGIC_PIPE);
+ COUNTER_INC(check_pipe_ioctl);
return (0);
}
+COUNTER_DECL(check_pipe_poll);
static int
mac_test_check_pipe_poll(struct ucred *cred, struct pipepair *pp,
struct label *pipelabel)
{
- ASSERT_CRED_LABEL(cred->cr_label);
- ASSERT_PIPE_LABEL(pipelabel);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(pipelabel, MAGIC_PIPE);
+ COUNTER_INC(check_pipe_poll);
return (0);
}
+COUNTER_DECL(check_pipe_read);
static int
mac_test_check_pipe_read(struct ucred *cred, struct pipepair *pp,
struct label *pipelabel)
{
- ASSERT_CRED_LABEL(cred->cr_label);
- ASSERT_PIPE_LABEL(pipelabel);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(pipelabel, MAGIC_PIPE);
+ COUNTER_INC(check_pipe_read);
return (0);
}
+COUNTER_DECL(check_pipe_relabel);
static int
mac_test_check_pipe_relabel(struct ucred *cred, struct pipepair *pp,
struct label *pipelabel, struct label *newlabel)
{
- ASSERT_CRED_LABEL(cred->cr_label);
- ASSERT_PIPE_LABEL(pipelabel);
- ASSERT_PIPE_LABEL(newlabel);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(pipelabel, MAGIC_PIPE);
+ LABEL_CHECK(newlabel, MAGIC_PIPE);
+ COUNTER_INC(check_pipe_relabel);
return (0);
}
+COUNTER_DECL(check_pipe_stat);
static int
mac_test_check_pipe_stat(struct ucred *cred, struct pipepair *pp,
struct label *pipelabel)
{
- ASSERT_CRED_LABEL(cred->cr_label);
- ASSERT_PIPE_LABEL(pipelabel);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(pipelabel, MAGIC_PIPE);
+ COUNTER_INC(check_pipe_stat);
return (0);
}
+COUNTER_DECL(check_pipe_write);
static int
mac_test_check_pipe_write(struct ucred *cred, struct pipepair *pp,
struct label *pipelabel)
{
- ASSERT_CRED_LABEL(cred->cr_label);
- ASSERT_PIPE_LABEL(pipelabel);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(pipelabel, MAGIC_PIPE);
+ COUNTER_INC(check_pipe_write);
+
+ return (0);
+}
+
+COUNTER_DECL(check_posix_sem);
+static int
+mac_test_check_posix_sem(struct ucred *cred, struct ksem *ks,
+ struct label *kslabel)
+{
+
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(kslabel, MAGIC_POSIX_SEM);
+ COUNTER_INC(check_posix_sem);
+
+ return (0);
+}
+
+COUNTER_DECL(check_proc_debug);
+static int
+mac_test_check_proc_debug(struct ucred *cred, struct proc *p)
+{
+
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(p->p_ucred->cr_label, MAGIC_CRED);
+ COUNTER_INC(check_proc_debug);
+
+ return (0);
+}
+
+COUNTER_DECL(check_proc_sched);
+static int
+mac_test_check_proc_sched(struct ucred *cred, struct proc *p)
+{
+
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(p->p_ucred->cr_label, MAGIC_CRED);
+ COUNTER_INC(check_proc_sched);
return (0);
}
+COUNTER_DECL(check_proc_signal);
static int
-mac_test_check_posix_sem(struct ucred *cred, struct ksem *ksemptr,
- struct label *ks_label)
+mac_test_check_proc_signal(struct ucred *cred, struct proc *p, int signum)
{
- ASSERT_CRED_LABEL(cred->cr_label);
- ASSERT_POSIX_LABEL(ks_label);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(p->p_ucred->cr_label, MAGIC_CRED);
+ COUNTER_INC(check_proc_signal);
return (0);
}
+COUNTER_DECL(check_proc_setaudit);
static int
-mac_test_check_proc_debug(struct ucred *cred, struct proc *proc)
+mac_test_check_proc_setaudit(struct ucred *cred, struct auditinfo *ai)
{
- ASSERT_CRED_LABEL(cred->cr_label);
- ASSERT_CRED_LABEL(proc->p_ucred->cr_label);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ COUNTER_INC(check_proc_setaudit);
return (0);
}
+COUNTER_DECL(check_proc_setaudit_addr);
static int
-mac_test_check_proc_sched(struct ucred *cred, struct proc *proc)
+mac_test_check_proc_setaudit_addr(struct ucred *cred,
+ struct auditinfo_addr *aia)
{
- ASSERT_CRED_LABEL(cred->cr_label);
- ASSERT_CRED_LABEL(proc->p_ucred->cr_label);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ COUNTER_INC(check_proc_setaudit_addr);
return (0);
}
+COUNTER_DECL(check_proc_setauid);
static int
-mac_test_check_proc_signal(struct ucred *cred, struct proc *proc, int signum)
+mac_test_check_proc_setauid(struct ucred *cred, uid_t auid)
{
- ASSERT_CRED_LABEL(cred->cr_label);
- ASSERT_CRED_LABEL(proc->p_ucred->cr_label);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ COUNTER_INC(check_proc_setauid);
return (0);
}
+COUNTER_DECL(check_proc_setuid);
static int
mac_test_check_proc_setuid(struct ucred *cred, uid_t uid)
{
- ASSERT_CRED_LABEL(cred->cr_label);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ COUNTER_INC(check_proc_setuid);
return (0);
}
+COUNTER_DECL(check_proc_euid);
static int
mac_test_check_proc_seteuid(struct ucred *cred, uid_t euid)
{
- ASSERT_CRED_LABEL(cred->cr_label);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ COUNTER_INC(check_proc_euid);
return (0);
}
+COUNTER_DECL(check_proc_setgid);
static int
mac_test_check_proc_setgid(struct ucred *cred, gid_t gid)
{
- ASSERT_CRED_LABEL(cred->cr_label);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ COUNTER_INC(check_proc_setgid);
return (0);
}
+COUNTER_DECL(check_proc_setegid);
static int
mac_test_check_proc_setegid(struct ucred *cred, gid_t egid)
{
- ASSERT_CRED_LABEL(cred->cr_label);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ COUNTER_INC(check_proc_setegid);
return (0);
}
+COUNTER_DECL(check_proc_setgroups);
static int
mac_test_check_proc_setgroups(struct ucred *cred, int ngroups,
gid_t *gidset)
{
- ASSERT_CRED_LABEL(cred->cr_label);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ COUNTER_INC(check_proc_setgroups);
return (0);
}
+COUNTER_DECL(check_proc_setreuid);
static int
mac_test_check_proc_setreuid(struct ucred *cred, uid_t ruid, uid_t euid)
{
- ASSERT_CRED_LABEL(cred->cr_label);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ COUNTER_INC(check_proc_setreuid);
return (0);
}
+COUNTER_DECL(check_proc_setregid);
static int
mac_test_check_proc_setregid(struct ucred *cred, gid_t rgid, gid_t egid)
{
- ASSERT_CRED_LABEL(cred->cr_label);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ COUNTER_INC(check_proc_setregid);
return (0);
}
+COUNTER_DECL(check_proc_setresuid);
static int
mac_test_check_proc_setresuid(struct ucred *cred, uid_t ruid, uid_t euid,
uid_t suid)
{
- ASSERT_CRED_LABEL(cred->cr_label);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ COUNTER_INC(check_proc_setresuid);
return (0);
}
+COUNTER_DECL(check_proc_setresgid);
static int
mac_test_check_proc_setresgid(struct ucred *cred, gid_t rgid, gid_t egid,
gid_t sgid)
{
- ASSERT_CRED_LABEL(cred->cr_label);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ COUNTER_INC(check_proc_setresgid);
return (0);
}
+COUNTER_DECL(check_proc_wait);
static int
-mac_test_check_proc_wait(struct ucred *cred, struct proc *proc)
+mac_test_check_proc_wait(struct ucred *cred, struct proc *p)
{
- ASSERT_CRED_LABEL(cred->cr_label);
- ASSERT_CRED_LABEL(proc->p_ucred->cr_label);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(p->p_ucred->cr_label, MAGIC_CRED);
+ COUNTER_INC(check_proc_wait);
return (0);
}
+COUNTER_DECL(check_socket_accept);
static int
-mac_test_check_socket_accept(struct ucred *cred, struct socket *socket,
- struct label *socketlabel)
+mac_test_check_socket_accept(struct ucred *cred, struct socket *so,
+ struct label *solabel)
{
- ASSERT_CRED_LABEL(cred->cr_label);
- ASSERT_SOCKET_LABEL(socketlabel);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(solabel, MAGIC_SOCKET);
+ COUNTER_INC(check_socket_accept);
return (0);
}
+COUNTER_DECL(check_socket_bind);
static int
-mac_test_check_socket_bind(struct ucred *cred, struct socket *socket,
- struct label *socketlabel, struct sockaddr *sockaddr)
+mac_test_check_socket_bind(struct ucred *cred, struct socket *so,
+ struct label *solabel, struct sockaddr *sa)
{
- ASSERT_CRED_LABEL(cred->cr_label);
- ASSERT_SOCKET_LABEL(socketlabel);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(solabel, MAGIC_SOCKET);
+ COUNTER_INC(check_socket_bind);
return (0);
}
+COUNTER_DECL(check_socket_connect);
static int
-mac_test_check_socket_connect(struct ucred *cred, struct socket *socket,
- struct label *socketlabel, struct sockaddr *sockaddr)
+mac_test_check_socket_connect(struct ucred *cred, struct socket *so,
+ struct label *solabel, struct sockaddr *sa)
{
- ASSERT_CRED_LABEL(cred->cr_label);
- ASSERT_SOCKET_LABEL(socketlabel);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(solabel, MAGIC_SOCKET);
+ COUNTER_INC(check_socket_connect);
return (0);
}
+COUNTER_DECL(check_socket_deliver);
static int
-mac_test_check_socket_deliver(struct socket *socket, struct label *socketlabel,
- struct mbuf *m, struct label *mbuflabel)
+mac_test_check_socket_deliver(struct socket *so, struct label *solabel,
+ struct mbuf *m, struct label *mlabel)
{
- ASSERT_SOCKET_LABEL(socketlabel);
- ASSERT_MBUF_LABEL(mbuflabel);
+ LABEL_CHECK(solabel, MAGIC_SOCKET);
+ LABEL_CHECK(mlabel, MAGIC_MBUF);
+ COUNTER_INC(check_socket_deliver);
return (0);
}
+COUNTER_DECL(check_socket_listen);
static int
-mac_test_check_socket_listen(struct ucred *cred, struct socket *socket,
- struct label *socketlabel)
+mac_test_check_socket_listen(struct ucred *cred, struct socket *so,
+ struct label *solabel)
{
- ASSERT_CRED_LABEL(cred->cr_label);
- ASSERT_SOCKET_LABEL(socketlabel);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(solabel, MAGIC_SOCKET);
+ COUNTER_INC(check_socket_listen);
return (0);
}
+COUNTER_DECL(check_socket_poll);
static int
-mac_test_check_socket_poll(struct ucred *cred, struct socket *socket,
- struct label *socketlabel)
+mac_test_check_socket_poll(struct ucred *cred, struct socket *so,
+ struct label *solabel)
{
- ASSERT_CRED_LABEL(cred->cr_label);
- ASSERT_SOCKET_LABEL(socketlabel);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(solabel, MAGIC_SOCKET);
+ COUNTER_INC(check_socket_poll);
return (0);
}
+COUNTER_DECL(check_socket_receive);
static int
-mac_test_check_socket_receive(struct ucred *cred, struct socket *socket,
- struct label *socketlabel)
+mac_test_check_socket_receive(struct ucred *cred, struct socket *so,
+ struct label *solabel)
{
- ASSERT_CRED_LABEL(cred->cr_label);
- ASSERT_SOCKET_LABEL(socketlabel);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(solabel, MAGIC_SOCKET);
+ COUNTER_INC(check_socket_receive);
return (0);
}
+COUNTER_DECL(check_socket_relabel);
static int
-mac_test_check_socket_relabel(struct ucred *cred, struct socket *socket,
- struct label *socketlabel, struct label *newlabel)
+mac_test_check_socket_relabel(struct ucred *cred, struct socket *so,
+ struct label *solabel, struct label *newlabel)
{
- ASSERT_CRED_LABEL(cred->cr_label);
- ASSERT_SOCKET_LABEL(socketlabel);
- ASSERT_SOCKET_LABEL(newlabel);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(solabel, MAGIC_SOCKET);
+ LABEL_CHECK(newlabel, MAGIC_SOCKET);
+ COUNTER_INC(check_socket_relabel);
return (0);
}
+COUNTER_DECL(check_socket_send);
static int
-mac_test_check_socket_send(struct ucred *cred, struct socket *socket,
- struct label *socketlabel)
+mac_test_check_socket_send(struct ucred *cred, struct socket *so,
+ struct label *solabel)
{
- ASSERT_CRED_LABEL(cred->cr_label);
- ASSERT_SOCKET_LABEL(socketlabel);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(solabel, MAGIC_SOCKET);
+ COUNTER_INC(check_socket_send);
return (0);
}
+COUNTER_DECL(check_socket_stat);
static int
-mac_test_check_socket_stat(struct ucred *cred, struct socket *socket,
- struct label *socketlabel)
+mac_test_check_socket_stat(struct ucred *cred, struct socket *so,
+ struct label *solabel)
{
- ASSERT_CRED_LABEL(cred->cr_label);
- ASSERT_SOCKET_LABEL(socketlabel);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(solabel, MAGIC_SOCKET);
+ COUNTER_INC(check_socket_stat);
return (0);
}
+COUNTER_DECL(check_socket_visible);
static int
-mac_test_check_socket_visible(struct ucred *cred, struct socket *socket,
- struct label *socketlabel)
+mac_test_check_socket_visible(struct ucred *cred, struct socket *so,
+ struct label *solabel)
{
- ASSERT_CRED_LABEL(cred->cr_label);
- ASSERT_SOCKET_LABEL(socketlabel);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(solabel, MAGIC_SOCKET);
+ COUNTER_INC(check_socket_visible);
return (0);
}
+COUNTER_DECL(check_system_acct);
static int
-mac_test_check_sysarch_ioperm(struct ucred *cred)
+mac_test_check_system_acct(struct ucred *cred, struct vnode *vp,
+ struct label *vplabel)
{
- ASSERT_CRED_LABEL(cred->cr_label);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(vplabel, MAGIC_VNODE);
+ COUNTER_INC(check_system_acct);
return (0);
}
+COUNTER_DECL(check_system_audit);
static int
-mac_test_check_system_acct(struct ucred *cred, struct vnode *vp,
- struct label *label)
+mac_test_check_system_audit(struct ucred *cred, void *record, int length)
{
- ASSERT_CRED_LABEL(cred->cr_label);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ COUNTER_INC(check_system_audit);
return (0);
}
+COUNTER_DECL(check_system_auditctl);
static int
-mac_test_check_system_reboot(struct ucred *cred, int how)
+mac_test_check_system_auditctl(struct ucred *cred, struct vnode *vp,
+ struct label *vplabel)
{
- ASSERT_CRED_LABEL(cred->cr_label);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(vplabel, MAGIC_VNODE);
+ COUNTER_INC(check_system_auditctl);
return (0);
}
+COUNTER_DECL(check_system_auditon);
static int
-mac_test_check_system_settime(struct ucred *cred)
+mac_test_check_system_auditon(struct ucred *cred, int cmd)
{
- ASSERT_CRED_LABEL(cred->cr_label);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ COUNTER_INC(check_system_auditon);
return (0);
}
+COUNTER_DECL(check_system_reboot);
static int
-mac_test_check_system_swapon(struct ucred *cred, struct vnode *vp,
- struct label *label)
+mac_test_check_system_reboot(struct ucred *cred, int how)
{
- ASSERT_CRED_LABEL(cred->cr_label);
- ASSERT_VNODE_LABEL(label);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ COUNTER_INC(check_system_reboot);
return (0);
}
+COUNTER_DECL(check_system_swapoff);
static int
mac_test_check_system_swapoff(struct ucred *cred, struct vnode *vp,
- struct label *label)
+ struct label *vplabel)
{
- ASSERT_CRED_LABEL(cred->cr_label);
- ASSERT_VNODE_LABEL(label);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(vplabel, MAGIC_VNODE);
+ COUNTER_INC(check_system_swapoff);
return (0);
}
+COUNTER_DECL(check_system_swapon);
static int
-mac_test_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
- void *arg1, int arg2, struct sysctl_req *req)
+mac_test_check_system_swapon(struct ucred *cred, struct vnode *vp,
+ struct label *vplabel)
{
- ASSERT_CRED_LABEL(cred->cr_label);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(vplabel, MAGIC_VNODE);
+ COUNTER_INC(check_system_swapon);
return (0);
}
+COUNTER_DECL(check_system_sysctl);
static int
-mac_test_check_vnode_access(struct ucred *cred, struct vnode *vp,
- struct label *label, int acc_mode)
+mac_test_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
+ void *arg1, int arg2, struct sysctl_req *req)
{
- ASSERT_CRED_LABEL(cred->cr_label);
- ASSERT_VNODE_LABEL(label);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ COUNTER_INC(check_system_sysctl);
return (0);
}
+COUNTER_DECL(check_vnode_access);
static int
-mac_test_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
- struct label *dlabel)
+mac_test_check_vnode_access(struct ucred *cred, struct vnode *vp,
+ struct label *vplabel, int acc_mode)
{
- ASSERT_CRED_LABEL(cred->cr_label);
- ASSERT_VNODE_LABEL(dlabel);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(vplabel, MAGIC_VNODE);
+ COUNTER_INC(check_vnode_access);
return (0);
}
+COUNTER_DECL(check_vnode_chdir);
static int
-mac_test_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
- struct label *dlabel)
+mac_test_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
+ struct label *dvplabel)
{
- ASSERT_CRED_LABEL(cred->cr_label);
- ASSERT_VNODE_LABEL(dlabel);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(dvplabel, MAGIC_VNODE);
+ COUNTER_INC(check_vnode_chdir);
return (0);
}
+COUNTER_DECL(check_vnode_chroot);
static int
-mac_test_check_vnode_create(struct ucred *cred, struct vnode *dvp,
- struct label *dlabel, struct componentname *cnp, struct vattr *vap)
+mac_test_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
+ struct label *dvplabel)
{
- ASSERT_CRED_LABEL(cred->cr_label);
- ASSERT_VNODE_LABEL(dlabel);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(dvplabel, MAGIC_VNODE);
+ COUNTER_INC(check_vnode_chroot);
return (0);
}
+COUNTER_DECL(check_vnode_create);
static int
-mac_test_check_vnode_delete(struct ucred *cred, struct vnode *dvp,
- struct label *dlabel, struct vnode *vp, struct label *label,
- struct componentname *cnp)
+mac_test_check_vnode_create(struct ucred *cred, struct vnode *dvp,
+ struct label *dvplabel, struct componentname *cnp, struct vattr *vap)
{
- ASSERT_CRED_LABEL(cred->cr_label);
- ASSERT_VNODE_LABEL(dlabel);
- ASSERT_VNODE_LABEL(label);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(dvplabel, MAGIC_VNODE);
+ COUNTER_INC(check_vnode_create);
return (0);
}
+COUNTER_DECL(check_vnode_deleteacl);
static int
mac_test_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
- struct label *label, acl_type_t type)
+ struct label *vplabel, acl_type_t type)
{
- ASSERT_CRED_LABEL(cred->cr_label);
- ASSERT_VNODE_LABEL(label);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(vplabel, MAGIC_VNODE);
+ COUNTER_INC(check_vnode_deleteacl);
return (0);
}
+COUNTER_DECL(check_vnode_deleteextattr);
static int
mac_test_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
- struct label *label, int attrnamespace, const char *name)
+ struct label *vplabel, int attrnamespace, const char *name)
{
- ASSERT_CRED_LABEL(cred->cr_label);
- ASSERT_VNODE_LABEL(label);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(vplabel, MAGIC_VNODE);
+ COUNTER_INC(check_vnode_deleteextattr);
return (0);
}
+COUNTER_DECL(check_vnode_exec);
static int
mac_test_check_vnode_exec(struct ucred *cred, struct vnode *vp,
- struct label *label, struct image_params *imgp,
+ struct label *vplabel, struct image_params *imgp,
struct label *execlabel)
{
- ASSERT_CRED_LABEL(cred->cr_label);
- ASSERT_VNODE_LABEL(label);
- if (execlabel != NULL) {
- ASSERT_CRED_LABEL(execlabel);
- }
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(vplabel, MAGIC_VNODE);
+ LABEL_CHECK(execlabel, MAGIC_CRED);
+ COUNTER_INC(check_vnode_exec);
return (0);
}
+COUNTER_DECL(check_vnode_getacl);
static int
mac_test_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
- struct label *label, acl_type_t type)
+ struct label *vplabel, acl_type_t type)
{
- ASSERT_CRED_LABEL(cred->cr_label);
- ASSERT_VNODE_LABEL(label);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(vplabel, MAGIC_VNODE);
+ COUNTER_INC(check_vnode_getacl);
return (0);
}
+COUNTER_DECL(check_vnode_getextattr);
static int
mac_test_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
- struct label *label, int attrnamespace, const char *name, struct uio *uio)
+ struct label *vplabel, int attrnamespace, const char *name,
+ struct uio *uio)
{
- ASSERT_CRED_LABEL(cred->cr_label);
- ASSERT_VNODE_LABEL(label);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(vplabel, MAGIC_VNODE);
+ COUNTER_INC(check_vnode_getextattr);
return (0);
}
+COUNTER_DECL(check_vnode_link);
static int
mac_test_check_vnode_link(struct ucred *cred, struct vnode *dvp,
- struct label *dlabel, struct vnode *vp, struct label *label,
+ struct label *dvplabel, struct vnode *vp, struct label *vplabel,
struct componentname *cnp)
{
- ASSERT_CRED_LABEL(cred->cr_label);
- ASSERT_VNODE_LABEL(dlabel);
- ASSERT_VNODE_LABEL(label);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(dvplabel, MAGIC_VNODE);
+ LABEL_CHECK(vplabel, MAGIC_VNODE);
+ COUNTER_INC(check_vnode_link);
return (0);
}
+COUNTER_DECL(check_vnode_listextattr);
static int
mac_test_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
- struct label *label, int attrnamespace)
+ struct label *vplabel, int attrnamespace)
{
- ASSERT_CRED_LABEL(cred->cr_label);
- ASSERT_VNODE_LABEL(label);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(vplabel, MAGIC_VNODE);
+ COUNTER_INC(check_vnode_listextattr);
return (0);
}
+COUNTER_DECL(check_vnode_lookup);
static int
mac_test_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
- struct label *dlabel, struct componentname *cnp)
+ struct label *dvplabel, struct componentname *cnp)
{
- ASSERT_CRED_LABEL(cred->cr_label);
- ASSERT_VNODE_LABEL(dlabel);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(dvplabel, MAGIC_VNODE);
+ COUNTER_INC(check_vnode_lookup);
return (0);
}
+COUNTER_DECL(check_vnode_mmap);
static int
mac_test_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
- struct label *label, int prot, int flags)
+ struct label *vplabel, int prot, int flags)
{
- ASSERT_CRED_LABEL(cred->cr_label);
- ASSERT_VNODE_LABEL(label);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(vplabel, MAGIC_VNODE);
+ COUNTER_INC(check_vnode_mmap);
return (0);
}
+COUNTER_DECL(check_vnode_open);
static int
mac_test_check_vnode_open(struct ucred *cred, struct vnode *vp,
- struct label *filelabel, int acc_mode)
+ struct label *vplabel, int acc_mode)
{
- ASSERT_CRED_LABEL(cred->cr_label);
- ASSERT_VNODE_LABEL(filelabel);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(vplabel, MAGIC_VNODE);
+ COUNTER_INC(check_vnode_open);
return (0);
}
+COUNTER_DECL(check_vnode_poll);
static int
mac_test_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
- struct vnode *vp, struct label *label)
+ struct vnode *vp, struct label *vplabel)
{
- ASSERT_CRED_LABEL(active_cred->cr_label);
- ASSERT_CRED_LABEL(file_cred->cr_label);
- ASSERT_VNODE_LABEL(label);
+ LABEL_CHECK(active_cred->cr_label, MAGIC_CRED);
+ if (file_cred != NULL)
+ LABEL_CHECK(file_cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(vplabel, MAGIC_VNODE);
+ COUNTER_INC(check_vnode_poll);
return (0);
}
+COUNTER_DECL(check_vnode_read);
static int
mac_test_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
- struct vnode *vp, struct label *label)
+ struct vnode *vp, struct label *vplabel)
{
- ASSERT_CRED_LABEL(active_cred->cr_label);
- if (file_cred != NULL) {
- ASSERT_CRED_LABEL(file_cred->cr_label);
- }
- ASSERT_VNODE_LABEL(label);
+ LABEL_CHECK(active_cred->cr_label, MAGIC_CRED);
+ if (file_cred != NULL)
+ LABEL_CHECK(file_cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(vplabel, MAGIC_VNODE);
+ COUNTER_INC(check_vnode_read);
return (0);
}
+COUNTER_DECL(check_vnode_readdir);
static int
mac_test_check_vnode_readdir(struct ucred *cred, struct vnode *dvp,
- struct label *dlabel)
+ struct label *dvplabel)
{
- ASSERT_CRED_LABEL(cred->cr_label);
- ASSERT_VNODE_LABEL(dlabel);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(dvplabel, MAGIC_VNODE);
+ COUNTER_INC(check_vnode_readdir);
return (0);
}
+COUNTER_DECL(check_vnode_readlink);
static int
mac_test_check_vnode_readlink(struct ucred *cred, struct vnode *vp,
- struct label *vnodelabel)
+ struct label *vplabel)
{
- ASSERT_CRED_LABEL(cred->cr_label);
- ASSERT_VNODE_LABEL(vnodelabel);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(vplabel, MAGIC_VNODE);
+ COUNTER_INC(check_vnode_readlink);
return (0);
}
+COUNTER_DECL(check_vnode_relabel);
static int
mac_test_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
- struct label *vnodelabel, struct label *newlabel)
+ struct label *vplabel, struct label *newlabel)
{
- ASSERT_CRED_LABEL(cred->cr_label);
- ASSERT_VNODE_LABEL(vnodelabel);
- ASSERT_VNODE_LABEL(newlabel);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(vplabel, MAGIC_VNODE);
+ LABEL_CHECK(newlabel, MAGIC_VNODE);
+ COUNTER_INC(check_vnode_relabel);
return (0);
}
+COUNTER_DECL(check_vnode_rename_from);
static int
mac_test_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
- struct label *dlabel, struct vnode *vp, struct label *label,
+ struct label *dvplabel, struct vnode *vp, struct label *vplabel,
struct componentname *cnp)
{
- ASSERT_CRED_LABEL(cred->cr_label);
- ASSERT_VNODE_LABEL(dlabel);
- ASSERT_VNODE_LABEL(label);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(dvplabel, MAGIC_VNODE);
+ LABEL_CHECK(vplabel, MAGIC_VNODE);
+ COUNTER_INC(check_vnode_rename_from);
return (0);
}
+COUNTER_DECL(check_vnode_rename_to);
static int
mac_test_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
- struct label *dlabel, struct vnode *vp, struct label *label, int samedir,
- struct componentname *cnp)
+ struct label *dvplabel, struct vnode *vp, struct label *vplabel,
+ int samedir, struct componentname *cnp)
{
- ASSERT_CRED_LABEL(cred->cr_label);
- ASSERT_VNODE_LABEL(dlabel);
-
- if (vp != NULL) {
- ASSERT_VNODE_LABEL(label);
- }
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(dvplabel, MAGIC_VNODE);
+ LABEL_CHECK(vplabel, MAGIC_VNODE);
+ COUNTER_INC(check_vnode_rename_to);
return (0);
}
+COUNTER_DECL(check_vnode_revoke);
static int
mac_test_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
- struct label *label)
+ struct label *vplabel)
{
- ASSERT_CRED_LABEL(cred->cr_label);
- ASSERT_VNODE_LABEL(label);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(vplabel, MAGIC_VNODE);
+ COUNTER_INC(check_vnode_revoke);
return (0);
}
+COUNTER_DECL(check_vnode_setacl);
static int
mac_test_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
- struct label *label, acl_type_t type, struct acl *acl)
+ struct label *vplabel, acl_type_t type, struct acl *acl)
{
- ASSERT_CRED_LABEL(cred->cr_label);
- ASSERT_VNODE_LABEL(label);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(vplabel, MAGIC_VNODE);
+ COUNTER_INC(check_vnode_setacl);
return (0);
}
+COUNTER_DECL(check_vnode_setextattr);
static int
mac_test_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
- struct label *label, int attrnamespace, const char *name, struct uio *uio)
+ struct label *vplabel, int attrnamespace, const char *name,
+ struct uio *uio)
{
- ASSERT_CRED_LABEL(cred->cr_label);
- ASSERT_VNODE_LABEL(label);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(vplabel, MAGIC_VNODE);
+ COUNTER_INC(check_vnode_setextattr);
return (0);
}
+COUNTER_DECL(check_vnode_setflags);
static int
mac_test_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
- struct label *label, u_long flags)
+ struct label *vplabel, u_long flags)
{
- ASSERT_CRED_LABEL(cred->cr_label);
- ASSERT_VNODE_LABEL(label);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(vplabel, MAGIC_VNODE);
+ COUNTER_INC(check_vnode_setflags);
return (0);
}
+COUNTER_DECL(check_vnode_setmode);
static int
mac_test_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
- struct label *label, mode_t mode)
+ struct label *vplabel, mode_t mode)
{
- ASSERT_CRED_LABEL(cred->cr_label);
- ASSERT_VNODE_LABEL(label);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(vplabel, MAGIC_VNODE);
+ COUNTER_INC(check_vnode_setmode);
return (0);
}
+COUNTER_DECL(check_vnode_setowner);
static int
mac_test_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
- struct label *label, uid_t uid, gid_t gid)
+ struct label *vplabel, uid_t uid, gid_t gid)
{
- ASSERT_CRED_LABEL(cred->cr_label);
- ASSERT_VNODE_LABEL(label);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(vplabel, MAGIC_VNODE);
+ COUNTER_INC(check_vnode_setowner);
return (0);
}
+COUNTER_DECL(check_vnode_setutimes);
static int
mac_test_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
- struct label *label, struct timespec atime, struct timespec mtime)
+ struct label *vplabel, struct timespec atime, struct timespec mtime)
{
- ASSERT_CRED_LABEL(cred->cr_label);
- ASSERT_VNODE_LABEL(label);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(vplabel, MAGIC_VNODE);
+ COUNTER_INC(check_vnode_setutimes);
return (0);
}
+COUNTER_DECL(check_vnode_stat);
static int
mac_test_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
- struct vnode *vp, struct label *label)
+ struct vnode *vp, struct label *vplabel)
+{
+
+ LABEL_CHECK(active_cred->cr_label, MAGIC_CRED);
+ if (file_cred != NULL)
+ LABEL_CHECK(file_cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(vplabel, MAGIC_VNODE);
+ COUNTER_INC(check_vnode_stat);
+
+ return (0);
+}
+
+COUNTER_DECL(check_vnode_unlink);
+static int
+mac_test_check_vnode_unlink(struct ucred *cred, struct vnode *dvp,
+ struct label *dvplabel, struct vnode *vp, struct label *vplabel,
+ struct componentname *cnp)
{
- ASSERT_CRED_LABEL(active_cred->cr_label);
- if (file_cred != NULL) {
- ASSERT_CRED_LABEL(file_cred->cr_label);
- }
- ASSERT_VNODE_LABEL(label);
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(dvplabel, MAGIC_VNODE);
+ LABEL_CHECK(vplabel, MAGIC_VNODE);
+ COUNTER_INC(check_vnode_unlink);
return (0);
}
+COUNTER_DECL(check_vnode_write);
static int
mac_test_check_vnode_write(struct ucred *active_cred,
- struct ucred *file_cred, struct vnode *vp, struct label *label)
+ struct ucred *file_cred, struct vnode *vp, struct label *vplabel)
{
- ASSERT_CRED_LABEL(active_cred->cr_label);
- if (file_cred != NULL) {
- ASSERT_CRED_LABEL(file_cred->cr_label);
- }
- ASSERT_VNODE_LABEL(label);
+ LABEL_CHECK(active_cred->cr_label, MAGIC_CRED);
+ if (file_cred != NULL)
+ LABEL_CHECK(file_cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(vplabel, MAGIC_VNODE);
+ COUNTER_INC(check_vnode_write);
return (0);
}
static struct mac_policy_ops mac_test_ops =
{
- .mpo_destroy = mac_test_destroy,
- .mpo_init = mac_test_init,
- .mpo_syscall = mac_test_syscall,
.mpo_init_bpfdesc_label = mac_test_init_bpfdesc_label,
.mpo_init_cred_label = mac_test_init_cred_label,
- .mpo_init_devfsdirent_label = mac_test_init_devfsdirent_label,
+ .mpo_init_devfs_label = mac_test_init_devfs_label,
.mpo_init_ifnet_label = mac_test_init_ifnet_label,
.mpo_init_sysv_msgmsg_label = mac_test_init_sysv_msgmsg_label,
.mpo_init_sysv_msgqueue_label = mac_test_init_sysv_msgqueue_label,
@@ -2411,7 +2484,6 @@
.mpo_init_ipq_label = mac_test_init_ipq_label,
.mpo_init_mbuf_label = mac_test_init_mbuf_label,
.mpo_init_mount_label = mac_test_init_mount_label,
- .mpo_init_mount_fs_label = mac_test_init_mount_fs_label,
.mpo_init_pipe_label = mac_test_init_pipe_label,
.mpo_init_posix_sem_label = mac_test_init_posix_sem_label,
.mpo_init_proc_label = mac_test_init_proc_label,
@@ -2420,7 +2492,7 @@
.mpo_init_vnode_label = mac_test_init_vnode_label,
.mpo_destroy_bpfdesc_label = mac_test_destroy_bpfdesc_label,
.mpo_destroy_cred_label = mac_test_destroy_cred_label,
- .mpo_destroy_devfsdirent_label = mac_test_destroy_devfsdirent_label,
+ .mpo_destroy_devfs_label = mac_test_destroy_devfs_label,
.mpo_destroy_ifnet_label = mac_test_destroy_ifnet_label,
.mpo_destroy_sysv_msgmsg_label = mac_test_destroy_sysv_msgmsg_label,
.mpo_destroy_sysv_msgqueue_label =
@@ -2431,7 +2503,6 @@
.mpo_destroy_ipq_label = mac_test_destroy_ipq_label,
.mpo_destroy_mbuf_label = mac_test_destroy_mbuf_label,
.mpo_destroy_mount_label = mac_test_destroy_mount_label,
- .mpo_destroy_mount_fs_label = mac_test_destroy_mount_fs_label,
.mpo_destroy_pipe_label = mac_test_destroy_pipe_label,
.mpo_destroy_posix_sem_label = mac_test_destroy_posix_sem_label,
.mpo_destroy_proc_label = mac_test_destroy_proc_label,
@@ -2465,7 +2536,7 @@
.mpo_create_mount = mac_test_create_mount,
.mpo_relabel_vnode = mac_test_relabel_vnode,
.mpo_setlabel_vnode_extattr = mac_test_setlabel_vnode_extattr,
- .mpo_update_devfsdirent = mac_test_update_devfsdirent,
+ .mpo_update_devfs = mac_test_update_devfs,
.mpo_create_mbuf_from_socket = mac_test_create_mbuf_from_socket,
.mpo_create_pipe = mac_test_create_pipe,
.mpo_create_posix_sem = mac_test_create_posix_sem,
@@ -2533,7 +2604,6 @@
.mpo_check_kenv_unset = mac_test_check_kenv_unset,
.mpo_check_kld_load = mac_test_check_kld_load,
.mpo_check_kld_stat = mac_test_check_kld_stat,
- .mpo_check_kld_unload = mac_test_check_kld_unload,
.mpo_check_mount_stat = mac_test_check_mount_stat,
.mpo_check_pipe_ioctl = mac_test_check_pipe_ioctl,
.mpo_check_pipe_poll = mac_test_check_pipe_poll,
@@ -2549,6 +2619,9 @@
.mpo_check_posix_sem_wait = mac_test_check_posix_sem,
.mpo_check_proc_debug = mac_test_check_proc_debug,
.mpo_check_proc_sched = mac_test_check_proc_sched,
+ .mpo_check_proc_setaudit = mac_test_check_proc_setaudit,
+ .mpo_check_proc_setaudit_addr = mac_test_check_proc_setaudit_addr,
+ .mpo_check_proc_setauid = mac_test_check_proc_setauid,
.mpo_check_proc_setuid = mac_test_check_proc_setuid,
.mpo_check_proc_seteuid = mac_test_check_proc_seteuid,
.mpo_check_proc_setgid = mac_test_check_proc_setgid,
@@ -2571,18 +2644,18 @@
.mpo_check_socket_send = mac_test_check_socket_send,
.mpo_check_socket_stat = mac_test_check_socket_stat,
.mpo_check_socket_visible = mac_test_check_socket_visible,
- .mpo_check_sysarch_ioperm = mac_test_check_sysarch_ioperm,
.mpo_check_system_acct = mac_test_check_system_acct,
+ .mpo_check_system_audit = mac_test_check_system_audit,
+ .mpo_check_system_auditctl = mac_test_check_system_auditctl,
+ .mpo_check_system_auditon = mac_test_check_system_auditon,
.mpo_check_system_reboot = mac_test_check_system_reboot,
- .mpo_check_system_settime = mac_test_check_system_settime,
- .mpo_check_system_swapon = mac_test_check_system_swapon,
.mpo_check_system_swapoff = mac_test_check_system_swapoff,
+ .mpo_check_system_swapon = mac_test_check_system_swapon,
.mpo_check_system_sysctl = mac_test_check_system_sysctl,
.mpo_check_vnode_access = mac_test_check_vnode_access,
.mpo_check_vnode_chdir = mac_test_check_vnode_chdir,
.mpo_check_vnode_chroot = mac_test_check_vnode_chroot,
.mpo_check_vnode_create = mac_test_check_vnode_create,
- .mpo_check_vnode_delete = mac_test_check_vnode_delete,
.mpo_check_vnode_deleteacl = mac_test_check_vnode_deleteacl,
.mpo_check_vnode_deleteextattr = mac_test_check_vnode_deleteextattr,
.mpo_check_vnode_exec = mac_test_check_vnode_exec,
@@ -2608,6 +2681,7 @@
.mpo_check_vnode_setowner = mac_test_check_vnode_setowner,
.mpo_check_vnode_setutimes = mac_test_check_vnode_setutimes,
.mpo_check_vnode_stat = mac_test_check_vnode_stat,
+ .mpo_check_vnode_unlink = mac_test_check_vnode_unlink,
.mpo_check_vnode_write = mac_test_check_vnode_write,
};