1 /*-
2 * Copyright (c) 1999-2002, 2006, 2009 Robert N. M. Watson
3 * Copyright (c) 2001 Ilmar S. Habibulin
4 * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
5 * Copyright (c) 2005-2006 SPARTA, Inc.
6 * Copyright (c) 2008-2009 Apple Inc.
7 * All rights reserved.
8 *
9 * This software was developed by Robert Watson and Ilmar Habibulin for the
10 * TrustedBSD Project.
11 *
12 * This software was developed for the FreeBSD Project in part by Network
13 * Associates Laboratories, the Security Research Division of Network
14 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
15 * as part of the DARPA CHATS research program.
16 *
17 * This software was enhanced by SPARTA ISSO under SPAWAR contract
18 * N66001-04-C-6019 ("SEFOS").
19 *
20 * This software was developed at the University of Cambridge Computer
21 * Laboratory with support from a grant from Google, Inc.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the above copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 *
32 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
33 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
34 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
35 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
36 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
37 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
38 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
39 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
40 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
41 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
42 * SUCH DAMAGE.
43 */
44
45 /*-
46 * Framework for extensible kernel access control. This file contains core
47 * kernel infrastructure for the TrustedBSD MAC Framework, including policy
48 * registration, versioning, locking, error composition operator, and system
49 * calls.
50 *
51 * The MAC Framework implements three programming interfaces:
52 *
53 * - The kernel MAC interface, defined in mac_framework.h, and invoked
54 * throughout the kernel to request security decisions, notify of security
55 * related events, etc.
56 *
57 * - The MAC policy module interface, defined in mac_policy.h, which is
58 * implemented by MAC policy modules and invoked by the MAC Framework to
59 * forward kernel security requests and notifications to policy modules.
60 *
61 * - The user MAC API, defined in mac.h, which allows user programs to query
62 * and set label state on objects.
63 *
64 * The majority of the MAC Framework implementation may be found in
65 * src/sys/security/mac. Sample policy modules may be found in
66 * src/sys/security/mac_*.
67 */
68
69 #include "opt_mac.h"
70
71 #include <sys/cdefs.h>
72 __FBSDID("$FreeBSD$");
73
74 #include <sys/param.h>
75 #include <sys/systm.h>
76 #include <sys/condvar.h>
77 #include <sys/kernel.h>
78 #include <sys/lock.h>
79 #include <sys/mac.h>
80 #include <sys/module.h>
81 #include <sys/rmlock.h>
82 #include <sys/sdt.h>
83 #include <sys/sx.h>
84 #include <sys/sysctl.h>
85 #include <sys/vnode.h>
86
87 #include <security/mac/mac_framework.h>
88 #include <security/mac/mac_internal.h>
89 #include <security/mac/mac_policy.h>
90
91 /*
92 * DTrace SDT providers for MAC.
93 */
94 SDT_PROVIDER_DEFINE(mac);
95 SDT_PROVIDER_DEFINE(mac_framework);
96
97 SDT_PROBE_DEFINE2(mac, , policy, modevent, "int",
98 "struct mac_policy_conf *");
99 SDT_PROBE_DEFINE1(mac, , policy, register,
100 "struct mac_policy_conf *");
101 SDT_PROBE_DEFINE1(mac, , policy, unregister,
102 "struct mac_policy_conf *");
103
104 /*
105 * Root sysctl node for all MAC and MAC policy controls.
106 */
107 SYSCTL_NODE(_security, OID_AUTO, mac, CTLFLAG_RW | CTLFLAG_MPSAFE, 0,
108 "TrustedBSD MAC policy controls");
109
110 /*
111 * Declare that the kernel provides MAC support, version 3 (FreeBSD 7.x).
112 * This permits modules to refuse to be loaded if the necessary support isn't
113 * present, even if it's pre-boot.
114 */
115 MODULE_VERSION(kernel_mac_support, MAC_VERSION);
116
117 static unsigned int mac_version = MAC_VERSION;
118 SYSCTL_UINT(_security_mac, OID_AUTO, version, CTLFLAG_RD, &mac_version, 0,
119 "");
120
121 /*
122 * Flags for inlined checks. Note this would be best hotpatched at runtime.
123 * The following is a band-aid.
124 *
125 * Use FPFLAG for hooks running in commonly executed paths and FPFLAG_RARE
126 * for the rest.
127 */
128 #define FPFLAG(f) \
129 bool __read_frequently mac_##f##_fp_flag
130
131 #define FPFLAG_RARE(f) \
132 bool __read_mostly mac_##f##_fp_flag
133
134 FPFLAG(priv_check);
135 FPFLAG(priv_grant);
136 FPFLAG(vnode_check_lookup);
137 FPFLAG(vnode_check_open);
138 FPFLAG(vnode_check_stat);
139 FPFLAG(vnode_check_read);
140 FPFLAG(vnode_check_write);
141 FPFLAG(vnode_check_mmap);
142 FPFLAG_RARE(vnode_check_poll);
143 FPFLAG_RARE(vnode_check_rename_from);
144 FPFLAG_RARE(vnode_check_access);
145 FPFLAG_RARE(vnode_check_readlink);
146 FPFLAG_RARE(pipe_check_stat);
147 FPFLAG_RARE(pipe_check_poll);
148 FPFLAG_RARE(ifnet_create_mbuf);
149 FPFLAG_RARE(ifnet_check_transmit);
150
151 #undef FPFLAG
152 #undef FPFLAG_RARE
153
154 /*
155 * Labels consist of a indexed set of "slots", which are allocated policies
156 * as required. The MAC Framework maintains a bitmask of slots allocated so
157 * far to prevent reuse. Slots cannot be reused, as the MAC Framework
158 * guarantees that newly allocated slots in labels will be NULL unless
159 * otherwise initialized, and because we do not have a mechanism to garbage
160 * collect slots on policy unload. As labeled policies tend to be statically
161 * loaded during boot, and not frequently unloaded and reloaded, this is not
162 * generally an issue.
163 */
164 #if MAC_MAX_SLOTS > 32
165 #error "MAC_MAX_SLOTS too large"
166 #endif
167
168 static unsigned int mac_max_slots = MAC_MAX_SLOTS;
169 static unsigned int mac_slot_offsets_free = (1 << MAC_MAX_SLOTS) - 1;
170 SYSCTL_UINT(_security_mac, OID_AUTO, max_slots, CTLFLAG_RD, &mac_max_slots,
171 0, "");
172
173 /*
174 * Has the kernel started generating labeled objects yet? All read/write
175 * access to this variable is serialized during the boot process. Following
176 * the end of serialization, we don't update this flag; no locking.
177 */
178 static int mac_late = 0;
179
180 /*
181 * Each policy declares a mask of object types requiring labels to be
182 * allocated for them. For convenience, we combine and cache the bitwise or
183 * of the per-policy object flags to track whether we will allocate a label
184 * for an object type at run-time.
185 */
186 uint64_t mac_labeled;
187 SYSCTL_UQUAD(_security_mac, OID_AUTO, labeled, CTLFLAG_RD, &mac_labeled, 0,
188 "Mask of object types being labeled");
189
190 MALLOC_DEFINE(M_MACTEMP, "mactemp", "MAC temporary label storage");
191
192 /*
193 * MAC policy modules are placed in one of two lists: mac_static_policy_list,
194 * for policies that are loaded early and cannot be unloaded, and
195 * mac_policy_list, which holds policies either loaded later in the boot
196 * cycle or that may be unloaded. The static policy list does not require
197 * locks to iterate over, but the dynamic list requires synchronization.
198 * Support for dynamic policy loading can be compiled out using the
199 * MAC_STATIC kernel option.
200 *
201 * The dynamic policy list is protected by two locks: modifying the list
202 * requires both locks to be held exclusively. One of the locks,
203 * mac_policy_rm, is acquired over policy entry points that will never sleep;
204 * the other, mac_policy_rms, is acquired over policy entry points that may
205 * sleep. The former category will be used when kernel locks may be held
206 * over calls to the MAC Framework, during network processing in ithreads,
207 * etc. The latter will tend to involve potentially blocking memory
208 * allocations, extended attribute I/O, etc.
209 */
210 #ifndef MAC_STATIC
211 static struct rmlock mac_policy_rm; /* Non-sleeping entry points. */
212 static struct rmslock mac_policy_rms; /* Sleeping entry points. */
213 #endif
214
215 struct mac_policy_list_head mac_policy_list;
216 struct mac_policy_list_head mac_static_policy_list;
217 u_int mac_policy_count; /* Registered policy count. */
218
219 static void mac_policy_xlock(void);
220 static void mac_policy_xlock_assert(void);
221 static void mac_policy_xunlock(void);
222
223 void
224 mac_policy_slock_nosleep(struct rm_priotracker *tracker)
225 {
226
227 #ifndef MAC_STATIC
228 if (!mac_late)
229 return;
230
231 rm_rlock(&mac_policy_rm, tracker);
232 #endif
233 }
234
235 void
236 mac_policy_slock_sleep(void)
237 {
238
239 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
240 "mac_policy_slock_sleep");
241
242 #ifndef MAC_STATIC
243 if (!mac_late)
244 return;
245
246 rms_rlock(&mac_policy_rms);
247 #endif
248 }
249
250 void
251 mac_policy_sunlock_nosleep(struct rm_priotracker *tracker)
252 {
253
254 #ifndef MAC_STATIC
255 if (!mac_late)
256 return;
257
258 rm_runlock(&mac_policy_rm, tracker);
259 #endif
260 }
261
262 void
263 mac_policy_sunlock_sleep(void)
264 {
265
266 #ifndef MAC_STATIC
267 if (!mac_late)
268 return;
269
270 rms_runlock(&mac_policy_rms);
271 #endif
272 }
273
274 static void
275 mac_policy_xlock(void)
276 {
277
278 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
279 "mac_policy_xlock()");
280
281 #ifndef MAC_STATIC
282 if (!mac_late)
283 return;
284
285 rms_wlock(&mac_policy_rms);
286 rm_wlock(&mac_policy_rm);
287 #endif
288 }
289
290 static void
291 mac_policy_xunlock(void)
292 {
293
294 #ifndef MAC_STATIC
295 if (!mac_late)
296 return;
297
298 rm_wunlock(&mac_policy_rm);
299 rms_wunlock(&mac_policy_rms);
300 #endif
301 }
302
303 static void
304 mac_policy_xlock_assert(void)
305 {
306
307 #ifndef MAC_STATIC
308 if (!mac_late)
309 return;
310
311 rm_assert(&mac_policy_rm, RA_WLOCKED);
312 #endif
313 }
314
315 /*
316 * Initialize the MAC subsystem, including appropriate SMP locks.
317 */
318 static void
319 mac_init(void)
320 {
321
322 LIST_INIT(&mac_static_policy_list);
323 LIST_INIT(&mac_policy_list);
324 mac_labelzone_init();
325
326 #ifndef MAC_STATIC
327 rm_init_flags(&mac_policy_rm, "mac_policy_rm", RM_NOWITNESS |
328 RM_RECURSE);
329 rms_init(&mac_policy_rms, "mac_policy_rms");
330 #endif
331 }
332
333 /*
334 * For the purposes of modules that want to know if they were loaded "early",
335 * set the mac_late flag once we've processed modules either linked into the
336 * kernel, or loaded before the kernel startup.
337 */
338 static void
339 mac_late_init(void)
340 {
341
342 mac_late = 1;
343 }
344
345 /*
346 * Given a policy, derive from its set of non-NULL label init methods what
347 * object types the policy is interested in.
348 */
349 static uint64_t
350 mac_policy_getlabeled(struct mac_policy_conf *mpc)
351 {
352 uint64_t labeled;
353
354 #define MPC_FLAG(method, flag) \
355 if (mpc->mpc_ops->mpo_ ## method != NULL) \
356 labeled |= (flag); \
357
358 labeled = 0;
359 MPC_FLAG(cred_init_label, MPC_OBJECT_CRED);
360 MPC_FLAG(proc_init_label, MPC_OBJECT_PROC);
361 MPC_FLAG(vnode_init_label, MPC_OBJECT_VNODE);
362 MPC_FLAG(inpcb_init_label, MPC_OBJECT_INPCB);
363 MPC_FLAG(socket_init_label, MPC_OBJECT_SOCKET);
364 MPC_FLAG(devfs_init_label, MPC_OBJECT_DEVFS);
365 MPC_FLAG(mbuf_init_label, MPC_OBJECT_MBUF);
366 MPC_FLAG(ipq_init_label, MPC_OBJECT_IPQ);
367 MPC_FLAG(ifnet_init_label, MPC_OBJECT_IFNET);
368 MPC_FLAG(bpfdesc_init_label, MPC_OBJECT_BPFDESC);
369 MPC_FLAG(pipe_init_label, MPC_OBJECT_PIPE);
370 MPC_FLAG(mount_init_label, MPC_OBJECT_MOUNT);
371 MPC_FLAG(posixsem_init_label, MPC_OBJECT_POSIXSEM);
372 MPC_FLAG(posixshm_init_label, MPC_OBJECT_POSIXSHM);
373 MPC_FLAG(sysvmsg_init_label, MPC_OBJECT_SYSVMSG);
374 MPC_FLAG(sysvmsq_init_label, MPC_OBJECT_SYSVMSQ);
375 MPC_FLAG(sysvsem_init_label, MPC_OBJECT_SYSVSEM);
376 MPC_FLAG(sysvshm_init_label, MPC_OBJECT_SYSVSHM);
377 MPC_FLAG(syncache_init_label, MPC_OBJECT_SYNCACHE);
378 MPC_FLAG(ip6q_init_label, MPC_OBJECT_IP6Q);
379
380 #undef MPC_FLAG
381 return (labeled);
382 }
383
384 /*
385 * When policies are loaded or unloaded, walk the list of registered policies
386 * and built mac_labeled, a bitmask representing the union of all objects
387 * requiring labels across all policies.
388 */
389 static void
390 mac_policy_update(void)
391 {
392 struct mac_policy_conf *mpc;
393
394 mac_policy_xlock_assert();
395
396 mac_labeled = 0;
397 mac_policy_count = 0;
398 LIST_FOREACH(mpc, &mac_static_policy_list, mpc_list) {
399 mac_labeled |= mac_policy_getlabeled(mpc);
400 mac_policy_count++;
401 }
402 LIST_FOREACH(mpc, &mac_policy_list, mpc_list) {
403 mac_labeled |= mac_policy_getlabeled(mpc);
404 mac_policy_count++;
405 }
406
407 cache_fast_lookup_enabled_recalc();
408 }
409
410 /*
411 * There are frequently used code paths which check for rarely installed
412 * policies. Gross hack below enables doing it in a cheap manner.
413 */
414
415 #define FPO(f) (offsetof(struct mac_policy_ops, mpo_##f) / sizeof(uintptr_t))
416
417 struct mac_policy_fastpath_elem {
418 int count;
419 bool *flag;
420 size_t offset;
421 };
422
423 struct mac_policy_fastpath_elem mac_policy_fastpath_array[] = {
424 { .offset = FPO(priv_check), .flag = &mac_priv_check_fp_flag },
425 { .offset = FPO(priv_grant), .flag = &mac_priv_grant_fp_flag },
426 { .offset = FPO(vnode_check_lookup),
427 .flag = &mac_vnode_check_lookup_fp_flag },
428 { .offset = FPO(vnode_check_readlink),
429 .flag = &mac_vnode_check_readlink_fp_flag },
430 { .offset = FPO(vnode_check_open),
431 .flag = &mac_vnode_check_open_fp_flag },
432 { .offset = FPO(vnode_check_stat),
433 .flag = &mac_vnode_check_stat_fp_flag },
434 { .offset = FPO(vnode_check_read),
435 .flag = &mac_vnode_check_read_fp_flag },
436 { .offset = FPO(vnode_check_write),
437 .flag = &mac_vnode_check_write_fp_flag },
438 { .offset = FPO(vnode_check_mmap),
439 .flag = &mac_vnode_check_mmap_fp_flag },
440 { .offset = FPO(vnode_check_poll),
441 .flag = &mac_vnode_check_poll_fp_flag },
442 { .offset = FPO(vnode_check_rename_from),
443 .flag = &mac_vnode_check_rename_from_fp_flag },
444 { .offset = FPO(vnode_check_access),
445 .flag = &mac_vnode_check_access_fp_flag },
446 { .offset = FPO(pipe_check_stat),
447 .flag = &mac_pipe_check_stat_fp_flag },
448 { .offset = FPO(pipe_check_poll),
449 .flag = &mac_pipe_check_poll_fp_flag },
450 { .offset = FPO(ifnet_create_mbuf),
451 .flag = &mac_ifnet_create_mbuf_fp_flag },
452 { .offset = FPO(ifnet_check_transmit),
453 .flag = &mac_ifnet_check_transmit_fp_flag },
454 };
455
456 static void
457 mac_policy_fastpath_enable(struct mac_policy_fastpath_elem *mpfe)
458 {
459
460 MPASS(mpfe->count >= 0);
461 mpfe->count++;
462 if (mpfe->count == 1) {
463 MPASS(*mpfe->flag == false);
464 *mpfe->flag = true;
465 }
466 }
467
468 static void
469 mac_policy_fastpath_disable(struct mac_policy_fastpath_elem *mpfe)
470 {
471
472 MPASS(mpfe->count >= 1);
473 mpfe->count--;
474 if (mpfe->count == 0) {
475 MPASS(*mpfe->flag == true);
476 *mpfe->flag = false;
477 }
478 }
479
480 static void
481 mac_policy_fastpath_register(struct mac_policy_conf *mpc)
482 {
483 struct mac_policy_fastpath_elem *mpfe;
484 uintptr_t **ops;
485 int i;
486
487 mac_policy_xlock_assert();
488
489 ops = (uintptr_t **)mpc->mpc_ops;
490 for (i = 0; i < nitems(mac_policy_fastpath_array); i++) {
491 mpfe = &mac_policy_fastpath_array[i];
492 if (ops[mpfe->offset] != NULL)
493 mac_policy_fastpath_enable(mpfe);
494 }
495 }
496
497 static void
498 mac_policy_fastpath_unregister(struct mac_policy_conf *mpc)
499 {
500 struct mac_policy_fastpath_elem *mpfe;
501 uintptr_t **ops;
502 int i;
503
504 mac_policy_xlock_assert();
505
506 ops = (uintptr_t **)mpc->mpc_ops;
507 for (i = 0; i < nitems(mac_policy_fastpath_array); i++) {
508 mpfe = &mac_policy_fastpath_array[i];
509 if (ops[mpfe->offset] != NULL)
510 mac_policy_fastpath_disable(mpfe);
511 }
512 }
513
514 #undef FPO
515
516 static int
517 mac_policy_register(struct mac_policy_conf *mpc)
518 {
519 struct mac_policy_conf *tmpc;
520 int error, slot, static_entry;
521
522 error = 0;
523
524 /*
525 * We don't technically need exclusive access while !mac_late, but
526 * hold it for assertion consistency.
527 */
528 mac_policy_xlock();
529
530 /*
531 * If the module can potentially be unloaded, or we're loading late,
532 * we have to stick it in the non-static list and pay an extra
533 * performance overhead. Otherwise, we can pay a light locking cost
534 * and stick it in the static list.
535 */
536 static_entry = (!mac_late &&
537 !(mpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_UNLOADOK));
538
539 if (static_entry) {
540 LIST_FOREACH(tmpc, &mac_static_policy_list, mpc_list) {
541 if (strcmp(tmpc->mpc_name, mpc->mpc_name) == 0) {
542 error = EEXIST;
543 goto out;
544 }
545 }
546 } else {
547 LIST_FOREACH(tmpc, &mac_policy_list, mpc_list) {
548 if (strcmp(tmpc->mpc_name, mpc->mpc_name) == 0) {
549 error = EEXIST;
550 goto out;
551 }
552 }
553 }
554 if (mpc->mpc_field_off != NULL) {
555 slot = ffs(mac_slot_offsets_free);
556 if (slot == 0) {
557 error = ENOMEM;
558 goto out;
559 }
560 slot--;
561 mac_slot_offsets_free &= ~(1 << slot);
562 *mpc->mpc_field_off = slot;
563 }
564 mpc->mpc_runtime_flags |= MPC_RUNTIME_FLAG_REGISTERED;
565
566 /*
567 * If we're loading a MAC module after the framework has initialized,
568 * it has to go into the dynamic list. If we're loading it before
569 * we've finished initializing, it can go into the static list with
570 * weaker locker requirements.
571 */
572 if (static_entry)
573 LIST_INSERT_HEAD(&mac_static_policy_list, mpc, mpc_list);
574 else
575 LIST_INSERT_HEAD(&mac_policy_list, mpc, mpc_list);
576
577 /*
578 * Per-policy initialization. Currently, this takes place under the
579 * exclusive lock, so policies must not sleep in their init method.
580 * In the future, we may want to separate "init" from "start", with
581 * "init" occurring without the lock held. Likewise, on tear-down,
582 * breaking out "stop" from "destroy".
583 */
584 if (mpc->mpc_ops->mpo_init != NULL)
585 (*(mpc->mpc_ops->mpo_init))(mpc);
586
587 mac_policy_fastpath_register(mpc);
588
589 mac_policy_update();
590
591 SDT_PROBE1(mac, , policy, register, mpc);
592 printf("Security policy loaded: %s (%s)\n", mpc->mpc_fullname,
593 mpc->mpc_name);
594
595 out:
596 mac_policy_xunlock();
597 return (error);
598 }
599
600 static int
601 mac_policy_unregister(struct mac_policy_conf *mpc)
602 {
603
604 /*
605 * If we fail the load, we may get a request to unload. Check to see
606 * if we did the run-time registration, and if not, silently succeed.
607 */
608 mac_policy_xlock();
609 if ((mpc->mpc_runtime_flags & MPC_RUNTIME_FLAG_REGISTERED) == 0) {
610 mac_policy_xunlock();
611 return (0);
612 }
613 #if 0
614 /*
615 * Don't allow unloading modules with private data.
616 */
617 if (mpc->mpc_field_off != NULL) {
618 mac_policy_xunlock();
619 return (EBUSY);
620 }
621 #endif
622 /*
623 * Only allow the unload to proceed if the module is unloadable by
624 * its own definition.
625 */
626 if ((mpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_UNLOADOK) == 0) {
627 mac_policy_xunlock();
628 return (EBUSY);
629 }
630
631 mac_policy_fastpath_unregister(mpc);
632
633 if (mpc->mpc_ops->mpo_destroy != NULL)
634 (*(mpc->mpc_ops->mpo_destroy))(mpc);
635
636 LIST_REMOVE(mpc, mpc_list);
637 mpc->mpc_runtime_flags &= ~MPC_RUNTIME_FLAG_REGISTERED;
638 mac_policy_update();
639 mac_policy_xunlock();
640
641 SDT_PROBE1(mac, , policy, unregister, mpc);
642 printf("Security policy unload: %s (%s)\n", mpc->mpc_fullname,
643 mpc->mpc_name);
644
645 return (0);
646 }
647
648 /*
649 * Allow MAC policy modules to register during boot, etc.
650 */
651 int
652 mac_policy_modevent(module_t mod, int type, void *data)
653 {
654 struct mac_policy_conf *mpc;
655 int error;
656
657 error = 0;
658 mpc = (struct mac_policy_conf *) data;
659
660 #ifdef MAC_STATIC
661 if (mac_late) {
662 printf("mac_policy_modevent: MAC_STATIC and late\n");
663 return (EBUSY);
664 }
665 #endif
666
667 SDT_PROBE2(mac, , policy, modevent, type, mpc);
668 switch (type) {
669 case MOD_LOAD:
670 if (mpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_NOTLATE &&
671 mac_late) {
672 printf("mac_policy_modevent: can't load %s policy "
673 "after booting\n", mpc->mpc_name);
674 error = EBUSY;
675 break;
676 }
677 error = mac_policy_register(mpc);
678 break;
679 case MOD_UNLOAD:
680 /* Don't unregister the module if it was never registered. */
681 if ((mpc->mpc_runtime_flags & MPC_RUNTIME_FLAG_REGISTERED)
682 != 0)
683 error = mac_policy_unregister(mpc);
684 else
685 error = 0;
686 break;
687 default:
688 error = EOPNOTSUPP;
689 break;
690 }
691
692 return (error);
693 }
694
695 /*
696 * Define an error value precedence, and given two arguments, selects the
697 * value with the higher precedence.
698 */
699 int
700 mac_error_select(int error1, int error2)
701 {
702
703 /* Certain decision-making errors take top priority. */
704 if (error1 == EDEADLK || error2 == EDEADLK)
705 return (EDEADLK);
706
707 /* Invalid arguments should be reported where possible. */
708 if (error1 == EINVAL || error2 == EINVAL)
709 return (EINVAL);
710
711 /* Precedence goes to "visibility", with both process and file. */
712 if (error1 == ESRCH || error2 == ESRCH)
713 return (ESRCH);
714
715 if (error1 == ENOENT || error2 == ENOENT)
716 return (ENOENT);
717
718 /* Precedence goes to DAC/MAC protections. */
719 if (error1 == EACCES || error2 == EACCES)
720 return (EACCES);
721
722 /* Precedence goes to privilege. */
723 if (error1 == EPERM || error2 == EPERM)
724 return (EPERM);
725
726 /* Precedence goes to error over success; otherwise, arbitrary. */
727 if (error1 != 0)
728 return (error1);
729 return (error2);
730 }
731
732 int
733 mac_check_structmac_consistent(struct mac *mac)
734 {
735
736 /* Require that labels have a non-zero length. */
737 if (mac->m_buflen > MAC_MAX_LABEL_BUF_LEN ||
738 mac->m_buflen <= sizeof(""))
739 return (EINVAL);
740
741 return (0);
742 }
743
744 SYSINIT(mac, SI_SUB_MAC, SI_ORDER_FIRST, mac_init, NULL);
745 SYSINIT(mac_late, SI_SUB_MAC_LATE, SI_ORDER_FIRST, mac_late_init, NULL);
Cache object: a2efb11215ef6cb6979ac4d6d4263084
|