The Design and Implementation of the FreeBSD Operating System, Second Edition
Now available: The Design and Implementation of the FreeBSD Operating System (Second Edition)


[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]

FreeBSD/Linux Kernel Cross Reference
sys/security/mac/mac_framework.c

Version: -  FREEBSD  -  FREEBSD-13-STABLE  -  FREEBSD-13-0  -  FREEBSD-12-STABLE  -  FREEBSD-12-0  -  FREEBSD-11-STABLE  -  FREEBSD-11-0  -  FREEBSD-10-STABLE  -  FREEBSD-10-0  -  FREEBSD-9-STABLE  -  FREEBSD-9-0  -  FREEBSD-8-STABLE  -  FREEBSD-8-0  -  FREEBSD-7-STABLE  -  FREEBSD-7-0  -  FREEBSD-6-STABLE  -  FREEBSD-6-0  -  FREEBSD-5-STABLE  -  FREEBSD-5-0  -  FREEBSD-4-STABLE  -  FREEBSD-3-STABLE  -  FREEBSD22  -  l41  -  OPENBSD  -  linux-2.6  -  MK84  -  PLAN9  -  xnu-8792 
SearchContext: -  none  -  3  -  10 

    1 /*-
    2  * Copyright (c) 1999-2002, 2006, 2009 Robert N. M. Watson
    3  * Copyright (c) 2001 Ilmar S. Habibulin
    4  * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
    5  * Copyright (c) 2005-2006 SPARTA, Inc.
    6  * Copyright (c) 2008-2009 Apple Inc.
    7  * All rights reserved.
    8  *
    9  * This software was developed by Robert Watson and Ilmar Habibulin for the
   10  * TrustedBSD Project.
   11  *
   12  * This software was developed for the FreeBSD Project in part by Network
   13  * Associates Laboratories, the Security Research Division of Network
   14  * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
   15  * as part of the DARPA CHATS research program.
   16  *
   17  * This software was enhanced by SPARTA ISSO under SPAWAR contract 
   18  * N66001-04-C-6019 ("SEFOS").
   19  *
   20  * This software was developed at the University of Cambridge Computer
   21  * Laboratory with support from a grant from Google, Inc.
   22  *
   23  * Redistribution and use in source and binary forms, with or without
   24  * modification, are permitted provided that the following conditions
   25  * are met:
   26  * 1. Redistributions of source code must retain the above copyright
   27  *    notice, this list of conditions and the following disclaimer.
   28  * 2. Redistributions in binary form must reproduce the above copyright
   29  *    notice, this list of conditions and the following disclaimer in the
   30  *    documentation and/or other materials provided with the distribution.
   31  *
   32  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
   33  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
   34  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
   35  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
   36  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
   37  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
   38  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
   39  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
   40  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
   41  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
   42  * SUCH DAMAGE.
   43  */
   44 
   45 /*-
   46  * Framework for extensible kernel access control.  This file contains core
   47  * kernel infrastructure for the TrustedBSD MAC Framework, including policy
   48  * registration, versioning, locking, error composition operator, and system
   49  * calls.
   50  *
   51  * The MAC Framework implements three programming interfaces:
   52  *
   53  * - The kernel MAC interface, defined in mac_framework.h, and invoked
   54  *   throughout the kernel to request security decisions, notify of security
   55  *   related events, etc.
   56  *
   57  * - The MAC policy module interface, defined in mac_policy.h, which is
   58  *   implemented by MAC policy modules and invoked by the MAC Framework to
   59  *   forward kernel security requests and notifications to policy modules.
   60  *
   61  * - The user MAC API, defined in mac.h, which allows user programs to query
   62  *   and set label state on objects.
   63  *
   64  * The majority of the MAC Framework implementation may be found in
   65  * src/sys/security/mac.  Sample policy modules may be found in
   66  * src/sys/security/mac_*.
   67  */
   68 
   69 #include "opt_mac.h"
   70 
   71 #include <sys/cdefs.h>
   72 __FBSDID("$FreeBSD$");
   73 
   74 #include <sys/param.h>
   75 #include <sys/systm.h>
   76 #include <sys/condvar.h>
   77 #include <sys/kernel.h>
   78 #include <sys/lock.h>
   79 #include <sys/mac.h>
   80 #include <sys/module.h>
   81 #include <sys/rmlock.h>
   82 #include <sys/sdt.h>
   83 #include <sys/sx.h>
   84 #include <sys/sysctl.h>
   85 #include <sys/vnode.h>
   86 
   87 #include <security/mac/mac_framework.h>
   88 #include <security/mac/mac_internal.h>
   89 #include <security/mac/mac_policy.h>
   90 
   91 /*
   92  * DTrace SDT providers for MAC.
   93  */
   94 SDT_PROVIDER_DEFINE(mac);
   95 SDT_PROVIDER_DEFINE(mac_framework);
   96 
   97 SDT_PROBE_DEFINE2(mac, , policy, modevent, "int",
   98     "struct mac_policy_conf *");
   99 SDT_PROBE_DEFINE1(mac, , policy, register,
  100     "struct mac_policy_conf *");
  101 SDT_PROBE_DEFINE1(mac, , policy, unregister,
  102     "struct mac_policy_conf *");
  103 
  104 /*
  105  * Root sysctl node for all MAC and MAC policy controls.
  106  */
  107 SYSCTL_NODE(_security, OID_AUTO, mac, CTLFLAG_RW | CTLFLAG_MPSAFE, 0,
  108     "TrustedBSD MAC policy controls");
  109 
  110 /*
  111  * Declare that the kernel provides MAC support, version 3 (FreeBSD 7.x).
  112  * This permits modules to refuse to be loaded if the necessary support isn't
  113  * present, even if it's pre-boot.
  114  */
  115 MODULE_VERSION(kernel_mac_support, MAC_VERSION);
  116 
  117 static unsigned int     mac_version = MAC_VERSION;
  118 SYSCTL_UINT(_security_mac, OID_AUTO, version, CTLFLAG_RD, &mac_version, 0,
  119     "");
  120 
  121 /*
  122  * Flags for inlined checks. Note this would be best hotpatched at runtime.
  123  * The following is a band-aid.
  124  *
  125  * Use FPFLAG for hooks running in commonly executed paths and FPFLAG_RARE
  126  * for the rest.
  127  */
  128 #define FPFLAG(f)       \
  129 bool __read_frequently mac_##f##_fp_flag
  130 
  131 #define FPFLAG_RARE(f)  \
  132 bool __read_mostly mac_##f##_fp_flag
  133 
  134 FPFLAG(priv_check);
  135 FPFLAG(priv_grant);
  136 FPFLAG(vnode_check_lookup);
  137 FPFLAG(vnode_check_open);
  138 FPFLAG(vnode_check_stat);
  139 FPFLAG(vnode_check_read);
  140 FPFLAG(vnode_check_write);
  141 FPFLAG(vnode_check_mmap);
  142 FPFLAG_RARE(vnode_check_poll);
  143 FPFLAG_RARE(vnode_check_rename_from);
  144 FPFLAG_RARE(vnode_check_access);
  145 FPFLAG_RARE(vnode_check_readlink);
  146 FPFLAG_RARE(pipe_check_stat);
  147 FPFLAG_RARE(pipe_check_poll);
  148 FPFLAG_RARE(ifnet_create_mbuf);
  149 FPFLAG_RARE(ifnet_check_transmit);
  150 
  151 #undef FPFLAG
  152 #undef FPFLAG_RARE
  153 
  154 /*
  155  * Labels consist of a indexed set of "slots", which are allocated policies
  156  * as required.  The MAC Framework maintains a bitmask of slots allocated so
  157  * far to prevent reuse.  Slots cannot be reused, as the MAC Framework
  158  * guarantees that newly allocated slots in labels will be NULL unless
  159  * otherwise initialized, and because we do not have a mechanism to garbage
  160  * collect slots on policy unload.  As labeled policies tend to be statically
  161  * loaded during boot, and not frequently unloaded and reloaded, this is not
  162  * generally an issue.
  163  */
  164 #if MAC_MAX_SLOTS > 32
  165 #error "MAC_MAX_SLOTS too large"
  166 #endif
  167 
  168 static unsigned int mac_max_slots = MAC_MAX_SLOTS;
  169 static unsigned int mac_slot_offsets_free = (1 << MAC_MAX_SLOTS) - 1;
  170 SYSCTL_UINT(_security_mac, OID_AUTO, max_slots, CTLFLAG_RD, &mac_max_slots,
  171     0, "");
  172 
  173 /*
  174  * Has the kernel started generating labeled objects yet?  All read/write
  175  * access to this variable is serialized during the boot process.  Following
  176  * the end of serialization, we don't update this flag; no locking.
  177  */
  178 static int      mac_late = 0;
  179 
  180 /*
  181  * Each policy declares a mask of object types requiring labels to be
  182  * allocated for them.  For convenience, we combine and cache the bitwise or
  183  * of the per-policy object flags to track whether we will allocate a label
  184  * for an object type at run-time.
  185  */
  186 uint64_t        mac_labeled;
  187 SYSCTL_UQUAD(_security_mac, OID_AUTO, labeled, CTLFLAG_RD, &mac_labeled, 0,
  188     "Mask of object types being labeled");
  189 
  190 MALLOC_DEFINE(M_MACTEMP, "mactemp", "MAC temporary label storage");
  191 
  192 /*
  193  * MAC policy modules are placed in one of two lists: mac_static_policy_list,
  194  * for policies that are loaded early and cannot be unloaded, and
  195  * mac_policy_list, which holds policies either loaded later in the boot
  196  * cycle or that may be unloaded.  The static policy list does not require
  197  * locks to iterate over, but the dynamic list requires synchronization.
  198  * Support for dynamic policy loading can be compiled out using the
  199  * MAC_STATIC kernel option.
  200  *
  201  * The dynamic policy list is protected by two locks: modifying the list
  202  * requires both locks to be held exclusively.  One of the locks,
  203  * mac_policy_rm, is acquired over policy entry points that will never sleep;
  204  * the other, mac_policy_rms, is acquired over policy entry points that may
  205  * sleep.  The former category will be used when kernel locks may be held
  206  * over calls to the MAC Framework, during network processing in ithreads,
  207  * etc.  The latter will tend to involve potentially blocking memory
  208  * allocations, extended attribute I/O, etc.
  209  */
  210 #ifndef MAC_STATIC
  211 static struct rmlock mac_policy_rm;     /* Non-sleeping entry points. */
  212 static struct rmslock mac_policy_rms;   /* Sleeping entry points. */
  213 #endif
  214 
  215 struct mac_policy_list_head mac_policy_list;
  216 struct mac_policy_list_head mac_static_policy_list;
  217 u_int mac_policy_count;                 /* Registered policy count. */
  218 
  219 static void     mac_policy_xlock(void);
  220 static void     mac_policy_xlock_assert(void);
  221 static void     mac_policy_xunlock(void);
  222 
  223 void
  224 mac_policy_slock_nosleep(struct rm_priotracker *tracker)
  225 {
  226 
  227 #ifndef MAC_STATIC
  228         if (!mac_late)
  229                 return;
  230 
  231         rm_rlock(&mac_policy_rm, tracker);
  232 #endif
  233 }
  234 
  235 void
  236 mac_policy_slock_sleep(void)
  237 {
  238 
  239         WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
  240             "mac_policy_slock_sleep");
  241 
  242 #ifndef MAC_STATIC
  243         if (!mac_late)
  244                 return;
  245 
  246         rms_rlock(&mac_policy_rms);
  247 #endif
  248 }
  249 
  250 void
  251 mac_policy_sunlock_nosleep(struct rm_priotracker *tracker)
  252 {
  253 
  254 #ifndef MAC_STATIC
  255         if (!mac_late)
  256                 return;
  257 
  258         rm_runlock(&mac_policy_rm, tracker);
  259 #endif
  260 }
  261 
  262 void
  263 mac_policy_sunlock_sleep(void)
  264 {
  265 
  266 #ifndef MAC_STATIC
  267         if (!mac_late)
  268                 return;
  269 
  270         rms_runlock(&mac_policy_rms);
  271 #endif
  272 }
  273 
  274 static void
  275 mac_policy_xlock(void)
  276 {
  277 
  278         WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
  279             "mac_policy_xlock()");
  280 
  281 #ifndef MAC_STATIC
  282         if (!mac_late)
  283                 return;
  284 
  285         rms_wlock(&mac_policy_rms);
  286         rm_wlock(&mac_policy_rm);
  287 #endif
  288 }
  289 
  290 static void
  291 mac_policy_xunlock(void)
  292 {
  293 
  294 #ifndef MAC_STATIC
  295         if (!mac_late)
  296                 return;
  297 
  298         rm_wunlock(&mac_policy_rm);
  299         rms_wunlock(&mac_policy_rms);
  300 #endif
  301 }
  302 
  303 static void
  304 mac_policy_xlock_assert(void)
  305 {
  306 
  307 #ifndef MAC_STATIC
  308         if (!mac_late)
  309                 return;
  310 
  311         rm_assert(&mac_policy_rm, RA_WLOCKED);
  312 #endif
  313 }
  314 
  315 /*
  316  * Initialize the MAC subsystem, including appropriate SMP locks.
  317  */
  318 static void
  319 mac_init(void)
  320 {
  321 
  322         LIST_INIT(&mac_static_policy_list);
  323         LIST_INIT(&mac_policy_list);
  324         mac_labelzone_init();
  325 
  326 #ifndef MAC_STATIC
  327         rm_init_flags(&mac_policy_rm, "mac_policy_rm", RM_NOWITNESS |
  328             RM_RECURSE);
  329         rms_init(&mac_policy_rms, "mac_policy_rms");
  330 #endif
  331 }
  332 
  333 /*
  334  * For the purposes of modules that want to know if they were loaded "early",
  335  * set the mac_late flag once we've processed modules either linked into the
  336  * kernel, or loaded before the kernel startup.
  337  */
  338 static void
  339 mac_late_init(void)
  340 {
  341 
  342         mac_late = 1;
  343 }
  344 
  345 /*
  346  * Given a policy, derive from its set of non-NULL label init methods what
  347  * object types the policy is interested in.
  348  */
  349 static uint64_t
  350 mac_policy_getlabeled(struct mac_policy_conf *mpc)
  351 {
  352         uint64_t labeled;
  353 
  354 #define MPC_FLAG(method, flag)                                  \
  355         if (mpc->mpc_ops->mpo_ ## method != NULL)                       \
  356                 labeled |= (flag);                                      \
  357 
  358         labeled = 0;
  359         MPC_FLAG(cred_init_label, MPC_OBJECT_CRED);
  360         MPC_FLAG(proc_init_label, MPC_OBJECT_PROC);
  361         MPC_FLAG(vnode_init_label, MPC_OBJECT_VNODE);
  362         MPC_FLAG(inpcb_init_label, MPC_OBJECT_INPCB);
  363         MPC_FLAG(socket_init_label, MPC_OBJECT_SOCKET);
  364         MPC_FLAG(devfs_init_label, MPC_OBJECT_DEVFS);
  365         MPC_FLAG(mbuf_init_label, MPC_OBJECT_MBUF);
  366         MPC_FLAG(ipq_init_label, MPC_OBJECT_IPQ);
  367         MPC_FLAG(ifnet_init_label, MPC_OBJECT_IFNET);
  368         MPC_FLAG(bpfdesc_init_label, MPC_OBJECT_BPFDESC);
  369         MPC_FLAG(pipe_init_label, MPC_OBJECT_PIPE);
  370         MPC_FLAG(mount_init_label, MPC_OBJECT_MOUNT);
  371         MPC_FLAG(posixsem_init_label, MPC_OBJECT_POSIXSEM);
  372         MPC_FLAG(posixshm_init_label, MPC_OBJECT_POSIXSHM);
  373         MPC_FLAG(sysvmsg_init_label, MPC_OBJECT_SYSVMSG);
  374         MPC_FLAG(sysvmsq_init_label, MPC_OBJECT_SYSVMSQ);
  375         MPC_FLAG(sysvsem_init_label, MPC_OBJECT_SYSVSEM);
  376         MPC_FLAG(sysvshm_init_label, MPC_OBJECT_SYSVSHM);
  377         MPC_FLAG(syncache_init_label, MPC_OBJECT_SYNCACHE);
  378         MPC_FLAG(ip6q_init_label, MPC_OBJECT_IP6Q);
  379 
  380 #undef MPC_FLAG
  381         return (labeled);
  382 }
  383 
  384 /*
  385  * When policies are loaded or unloaded, walk the list of registered policies
  386  * and built mac_labeled, a bitmask representing the union of all objects
  387  * requiring labels across all policies.
  388  */
  389 static void
  390 mac_policy_update(void)
  391 {
  392         struct mac_policy_conf *mpc;
  393 
  394         mac_policy_xlock_assert();
  395 
  396         mac_labeled = 0;
  397         mac_policy_count = 0;
  398         LIST_FOREACH(mpc, &mac_static_policy_list, mpc_list) {
  399                 mac_labeled |= mac_policy_getlabeled(mpc);
  400                 mac_policy_count++;
  401         }
  402         LIST_FOREACH(mpc, &mac_policy_list, mpc_list) {
  403                 mac_labeled |= mac_policy_getlabeled(mpc);
  404                 mac_policy_count++;
  405         }
  406 
  407         cache_fast_lookup_enabled_recalc();
  408 }
  409 
  410 /*
  411  * There are frequently used code paths which check for rarely installed
  412  * policies. Gross hack below enables doing it in a cheap manner.
  413  */
  414 
  415 #define FPO(f)  (offsetof(struct mac_policy_ops, mpo_##f) / sizeof(uintptr_t))
  416 
  417 struct mac_policy_fastpath_elem {
  418         int     count;
  419         bool    *flag;
  420         size_t  offset;
  421 };
  422 
  423 struct mac_policy_fastpath_elem mac_policy_fastpath_array[] = {
  424         { .offset = FPO(priv_check), .flag = &mac_priv_check_fp_flag },
  425         { .offset = FPO(priv_grant), .flag = &mac_priv_grant_fp_flag },
  426         { .offset = FPO(vnode_check_lookup),
  427                 .flag = &mac_vnode_check_lookup_fp_flag },
  428         { .offset = FPO(vnode_check_readlink),
  429                 .flag = &mac_vnode_check_readlink_fp_flag },
  430         { .offset = FPO(vnode_check_open),
  431                 .flag = &mac_vnode_check_open_fp_flag },
  432         { .offset = FPO(vnode_check_stat),
  433                 .flag = &mac_vnode_check_stat_fp_flag },
  434         { .offset = FPO(vnode_check_read),
  435                 .flag = &mac_vnode_check_read_fp_flag },
  436         { .offset = FPO(vnode_check_write),
  437                 .flag = &mac_vnode_check_write_fp_flag },
  438         { .offset = FPO(vnode_check_mmap),
  439                 .flag = &mac_vnode_check_mmap_fp_flag },
  440         { .offset = FPO(vnode_check_poll),
  441                 .flag = &mac_vnode_check_poll_fp_flag },
  442         { .offset = FPO(vnode_check_rename_from),
  443                 .flag = &mac_vnode_check_rename_from_fp_flag },
  444         { .offset = FPO(vnode_check_access),
  445                 .flag = &mac_vnode_check_access_fp_flag },
  446         { .offset = FPO(pipe_check_stat),
  447                 .flag = &mac_pipe_check_stat_fp_flag },
  448         { .offset = FPO(pipe_check_poll),
  449                 .flag = &mac_pipe_check_poll_fp_flag },
  450         { .offset = FPO(ifnet_create_mbuf),
  451                 .flag = &mac_ifnet_create_mbuf_fp_flag },
  452         { .offset = FPO(ifnet_check_transmit),
  453                 .flag = &mac_ifnet_check_transmit_fp_flag },
  454 };
  455 
  456 static void
  457 mac_policy_fastpath_enable(struct mac_policy_fastpath_elem *mpfe)
  458 {
  459 
  460         MPASS(mpfe->count >= 0);
  461         mpfe->count++;
  462         if (mpfe->count == 1) {
  463                 MPASS(*mpfe->flag == false);
  464                 *mpfe->flag = true;
  465         }
  466 }
  467 
  468 static void
  469 mac_policy_fastpath_disable(struct mac_policy_fastpath_elem *mpfe)
  470 {
  471 
  472         MPASS(mpfe->count >= 1);
  473         mpfe->count--;
  474         if (mpfe->count == 0) {
  475                 MPASS(*mpfe->flag == true);
  476                 *mpfe->flag = false;
  477         }
  478 }
  479 
  480 static void
  481 mac_policy_fastpath_register(struct mac_policy_conf *mpc)
  482 {
  483         struct mac_policy_fastpath_elem *mpfe;
  484         uintptr_t **ops;
  485         int i;
  486 
  487         mac_policy_xlock_assert();
  488 
  489         ops = (uintptr_t **)mpc->mpc_ops;
  490         for (i = 0; i < nitems(mac_policy_fastpath_array); i++) {
  491                 mpfe = &mac_policy_fastpath_array[i];
  492                 if (ops[mpfe->offset] != NULL)
  493                         mac_policy_fastpath_enable(mpfe);
  494         }
  495 }
  496 
  497 static void
  498 mac_policy_fastpath_unregister(struct mac_policy_conf *mpc)
  499 {
  500         struct mac_policy_fastpath_elem *mpfe;
  501         uintptr_t **ops;
  502         int i;
  503 
  504         mac_policy_xlock_assert();
  505 
  506         ops = (uintptr_t **)mpc->mpc_ops;
  507         for (i = 0; i < nitems(mac_policy_fastpath_array); i++) {
  508                 mpfe = &mac_policy_fastpath_array[i];
  509                 if (ops[mpfe->offset] != NULL)
  510                         mac_policy_fastpath_disable(mpfe);
  511         }
  512 }
  513 
  514 #undef FPO
  515 
  516 static int
  517 mac_policy_register(struct mac_policy_conf *mpc)
  518 {
  519         struct mac_policy_conf *tmpc;
  520         int error, slot, static_entry;
  521 
  522         error = 0;
  523 
  524         /*
  525          * We don't technically need exclusive access while !mac_late, but
  526          * hold it for assertion consistency.
  527          */
  528         mac_policy_xlock();
  529 
  530         /*
  531          * If the module can potentially be unloaded, or we're loading late,
  532          * we have to stick it in the non-static list and pay an extra
  533          * performance overhead.  Otherwise, we can pay a light locking cost
  534          * and stick it in the static list.
  535          */
  536         static_entry = (!mac_late &&
  537             !(mpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_UNLOADOK));
  538 
  539         if (static_entry) {
  540                 LIST_FOREACH(tmpc, &mac_static_policy_list, mpc_list) {
  541                         if (strcmp(tmpc->mpc_name, mpc->mpc_name) == 0) {
  542                                 error = EEXIST;
  543                                 goto out;
  544                         }
  545                 }
  546         } else {
  547                 LIST_FOREACH(tmpc, &mac_policy_list, mpc_list) {
  548                         if (strcmp(tmpc->mpc_name, mpc->mpc_name) == 0) {
  549                                 error = EEXIST;
  550                                 goto out;
  551                         }
  552                 }
  553         }
  554         if (mpc->mpc_field_off != NULL) {
  555                 slot = ffs(mac_slot_offsets_free);
  556                 if (slot == 0) {
  557                         error = ENOMEM;
  558                         goto out;
  559                 }
  560                 slot--;
  561                 mac_slot_offsets_free &= ~(1 << slot);
  562                 *mpc->mpc_field_off = slot;
  563         }
  564         mpc->mpc_runtime_flags |= MPC_RUNTIME_FLAG_REGISTERED;
  565 
  566         /*
  567          * If we're loading a MAC module after the framework has initialized,
  568          * it has to go into the dynamic list.  If we're loading it before
  569          * we've finished initializing, it can go into the static list with
  570          * weaker locker requirements.
  571          */
  572         if (static_entry)
  573                 LIST_INSERT_HEAD(&mac_static_policy_list, mpc, mpc_list);
  574         else
  575                 LIST_INSERT_HEAD(&mac_policy_list, mpc, mpc_list);
  576 
  577         /*
  578          * Per-policy initialization.  Currently, this takes place under the
  579          * exclusive lock, so policies must not sleep in their init method.
  580          * In the future, we may want to separate "init" from "start", with
  581          * "init" occurring without the lock held.  Likewise, on tear-down,
  582          * breaking out "stop" from "destroy".
  583          */
  584         if (mpc->mpc_ops->mpo_init != NULL)
  585                 (*(mpc->mpc_ops->mpo_init))(mpc);
  586 
  587         mac_policy_fastpath_register(mpc);
  588 
  589         mac_policy_update();
  590 
  591         SDT_PROBE1(mac, , policy, register, mpc);
  592         printf("Security policy loaded: %s (%s)\n", mpc->mpc_fullname,
  593             mpc->mpc_name);
  594 
  595 out:
  596         mac_policy_xunlock();
  597         return (error);
  598 }
  599 
  600 static int
  601 mac_policy_unregister(struct mac_policy_conf *mpc)
  602 {
  603 
  604         /*
  605          * If we fail the load, we may get a request to unload.  Check to see
  606          * if we did the run-time registration, and if not, silently succeed.
  607          */
  608         mac_policy_xlock();
  609         if ((mpc->mpc_runtime_flags & MPC_RUNTIME_FLAG_REGISTERED) == 0) {
  610                 mac_policy_xunlock();
  611                 return (0);
  612         }
  613 #if 0
  614         /*
  615          * Don't allow unloading modules with private data.
  616          */
  617         if (mpc->mpc_field_off != NULL) {
  618                 mac_policy_xunlock();
  619                 return (EBUSY);
  620         }
  621 #endif
  622         /*
  623          * Only allow the unload to proceed if the module is unloadable by
  624          * its own definition.
  625          */
  626         if ((mpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_UNLOADOK) == 0) {
  627                 mac_policy_xunlock();
  628                 return (EBUSY);
  629         }
  630 
  631         mac_policy_fastpath_unregister(mpc);
  632 
  633         if (mpc->mpc_ops->mpo_destroy != NULL)
  634                 (*(mpc->mpc_ops->mpo_destroy))(mpc);
  635 
  636         LIST_REMOVE(mpc, mpc_list);
  637         mpc->mpc_runtime_flags &= ~MPC_RUNTIME_FLAG_REGISTERED;
  638         mac_policy_update();
  639         mac_policy_xunlock();
  640 
  641         SDT_PROBE1(mac, , policy, unregister, mpc);
  642         printf("Security policy unload: %s (%s)\n", mpc->mpc_fullname,
  643             mpc->mpc_name);
  644 
  645         return (0);
  646 }
  647 
  648 /*
  649  * Allow MAC policy modules to register during boot, etc.
  650  */
  651 int
  652 mac_policy_modevent(module_t mod, int type, void *data)
  653 {
  654         struct mac_policy_conf *mpc;
  655         int error;
  656 
  657         error = 0;
  658         mpc = (struct mac_policy_conf *) data;
  659 
  660 #ifdef MAC_STATIC
  661         if (mac_late) {
  662                 printf("mac_policy_modevent: MAC_STATIC and late\n");
  663                 return (EBUSY);
  664         }
  665 #endif
  666 
  667         SDT_PROBE2(mac, , policy, modevent, type, mpc);
  668         switch (type) {
  669         case MOD_LOAD:
  670                 if (mpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_NOTLATE &&
  671                     mac_late) {
  672                         printf("mac_policy_modevent: can't load %s policy "
  673                             "after booting\n", mpc->mpc_name);
  674                         error = EBUSY;
  675                         break;
  676                 }
  677                 error = mac_policy_register(mpc);
  678                 break;
  679         case MOD_UNLOAD:
  680                 /* Don't unregister the module if it was never registered. */
  681                 if ((mpc->mpc_runtime_flags & MPC_RUNTIME_FLAG_REGISTERED)
  682                     != 0)
  683                         error = mac_policy_unregister(mpc);
  684                 else
  685                         error = 0;
  686                 break;
  687         default:
  688                 error = EOPNOTSUPP;
  689                 break;
  690         }
  691 
  692         return (error);
  693 }
  694 
  695 /*
  696  * Define an error value precedence, and given two arguments, selects the
  697  * value with the higher precedence.
  698  */
  699 int
  700 mac_error_select(int error1, int error2)
  701 {
  702 
  703         /* Certain decision-making errors take top priority. */
  704         if (error1 == EDEADLK || error2 == EDEADLK)
  705                 return (EDEADLK);
  706 
  707         /* Invalid arguments should be reported where possible. */
  708         if (error1 == EINVAL || error2 == EINVAL)
  709                 return (EINVAL);
  710 
  711         /* Precedence goes to "visibility", with both process and file. */
  712         if (error1 == ESRCH || error2 == ESRCH)
  713                 return (ESRCH);
  714 
  715         if (error1 == ENOENT || error2 == ENOENT)
  716                 return (ENOENT);
  717 
  718         /* Precedence goes to DAC/MAC protections. */
  719         if (error1 == EACCES || error2 == EACCES)
  720                 return (EACCES);
  721 
  722         /* Precedence goes to privilege. */
  723         if (error1 == EPERM || error2 == EPERM)
  724                 return (EPERM);
  725 
  726         /* Precedence goes to error over success; otherwise, arbitrary. */
  727         if (error1 != 0)
  728                 return (error1);
  729         return (error2);
  730 }
  731 
  732 int
  733 mac_check_structmac_consistent(struct mac *mac)
  734 {
  735 
  736         /* Require that labels have a non-zero length. */
  737         if (mac->m_buflen > MAC_MAX_LABEL_BUF_LEN ||
  738             mac->m_buflen <= sizeof(""))
  739                 return (EINVAL);
  740 
  741         return (0);
  742 }
  743 
  744 SYSINIT(mac, SI_SUB_MAC, SI_ORDER_FIRST, mac_init, NULL);
  745 SYSINIT(mac_late, SI_SUB_MAC_LATE, SI_ORDER_FIRST, mac_late_init, NULL);

Cache object: a2efb11215ef6cb6979ac4d6d4263084


[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]


This page is part of the FreeBSD/Linux Linux Kernel Cross-Reference, and was automatically generated using a modified version of the LXR engine.