sys/security/mac/mac_system.c


    1 /*-
    2  * Copyright (c) 2002, 2003 Networks Associates Technology, Inc.
    3  * All rights reserved.
    4  *
    5  * This software was developed for the FreeBSD Project in part by Network
    6  * Associates Laboratories, the Security Research Division of Network
    7  * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
    8  * as part of the DARPA CHATS research program.
    9  *
   10  * Redistribution and use in source and binary forms, with or without
   11  * modification, are permitted provided that the following conditions
   12  * are met:
   13  * 1. Redistributions of source code must retain the above copyright
   14  *    notice, this list of conditions and the following disclaimer.
   15  * 2. Redistributions in binary form must reproduce the above copyright
   16  *    notice, this list of conditions and the following disclaimer in the
   17  *    documentation and/or other materials provided with the distribution.
   18  *
   19  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
   20  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
   21  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
   22  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
   23  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
   24  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
   25  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
   26  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
   27  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
   28  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
   29  * SUCH DAMAGE.
   30  */
   31 
   32 #include <sys/cdefs.h>
   33 __FBSDID("$FreeBSD$");
   34 
   35 #include "opt_mac.h"
   36 
   37 #include <sys/param.h>
   38 #include <sys/kernel.h>
   39 #include <sys/lock.h>
   40 #include <sys/malloc.h>
   41 #include <sys/module.h>
   42 #include <sys/mutex.h>
   43 #include <sys/mac.h>
   44 #include <sys/systm.h>
   45 #include <sys/vnode.h>
   46 #include <sys/sysctl.h>
   47 
   48 #include <sys/mac_policy.h>
   49 
   50 #include <security/mac/mac_internal.h>
   51 
/*
 * Enforcement knobs for this file.  Each entry point below returns 0
 * without consulting any policy when its knob is zero.  mac_enforce_kld
 * gates the kld_* entry points; mac_enforce_system gates everything else.
 *
 * Both are CTLFLAG_RW, so a sufficiently privileged process can turn
 * enforcement off at run time via sysctl(8); the TUNABLE_INT lets the
 * initial value be set from the loader.  Anyone relying on these checks
 * should treat the sysctl as part of the trusted computing base.
 */
static int      mac_enforce_kld = 1;
SYSCTL_INT(_security_mac, OID_AUTO, enforce_kld, CTLFLAG_RW,
    &mac_enforce_kld, 0, "Enforce MAC policy on kld operations");
TUNABLE_INT("security.mac.enforce_kld", &mac_enforce_kld);

static int      mac_enforce_system = 1;
SYSCTL_INT(_security_mac, OID_AUTO, enforce_system, CTLFLAG_RW,
    &mac_enforce_system, 0, "Enforce MAC policy on system operations");
TUNABLE_INT("security.mac.enforce_system", &mac_enforce_system);
   61 
/*
 * Entry point for dumping the kernel environment.
 *
 * Returns 0 when security.mac.enforce_system is off.  Otherwise runs the
 * check_kenv_dump policy hook via MAC_CHECK, which leaves its composed
 * result in 'error', and returns that.
 */
int
mac_check_kenv_dump(struct ucred *cred)
{
	int error = 0;

	if (mac_enforce_system != 0) {
		MAC_CHECK(check_kenv_dump, cred);
	}

	return (error);
}
   74 
/*
 * Entry point for reading a kernel environment variable.
 *
 * 'name' is passed through to the policies untouched.  Returns 0 when
 * security.mac.enforce_system is off; otherwise returns the value that
 * MAC_CHECK(check_kenv_get, ...) leaves in 'error'.
 */
int
mac_check_kenv_get(struct ucred *cred, char *name)
{
	int error = 0;

	if (mac_enforce_system != 0) {
		MAC_CHECK(check_kenv_get, cred, name);
	}

	return (error);
}
   87 
/*
 * Entry point for setting a kernel environment variable.
 *
 * Both 'name' and 'value' are forwarded to the policies as-is.  Returns 0
 * when security.mac.enforce_system is off; otherwise returns the value
 * that MAC_CHECK(check_kenv_set, ...) leaves in 'error'.
 */
int
mac_check_kenv_set(struct ucred *cred, char *name, char *value)
{
	int error = 0;

	if (mac_enforce_system != 0) {
		MAC_CHECK(check_kenv_set, cred, name, value);
	}

	return (error);
}
  100 
/*
 * Entry point for removing a kernel environment variable.
 *
 * Returns 0 when security.mac.enforce_system is off; otherwise returns
 * the value that MAC_CHECK(check_kenv_unset, ...) leaves in 'error'.
 */
int
mac_check_kenv_unset(struct ucred *cred, char *name)
{
	int error = 0;

	if (mac_enforce_system != 0) {
		MAC_CHECK(check_kenv_unset, cred, name);
	}

	return (error);
}
  113 
/*
 * Entry point for loading a kernel module from vnode 'vp'.
 *
 * The caller must hold the vnode lock; this is asserted before the
 * enforcement knob is consulted, so the locking contract applies even
 * when security.mac.enforce_kld is off.  Returns 0 when that knob is
 * off; otherwise hands the credential, the vnode and its label to the
 * check_kld_load hook and returns what MAC_CHECK leaves in 'error'.
 */
int
mac_check_kld_load(struct ucred *cred, struct vnode *vp)
{
	int error = 0;

	ASSERT_VOP_LOCKED(vp, "mac_check_kld_load");

	if (mac_enforce_kld != 0) {
		MAC_CHECK(check_kld_load, cred, vp, vp->v_label);
	}

	return (error);
}
  128 
/*
 * Entry point for querying loaded kernel modules (kldstat and friends).
 *
 * Returns 0 when security.mac.enforce_kld is off; otherwise returns the
 * value that MAC_CHECK(check_kld_stat, ...) leaves in 'error'.
 */
int
mac_check_kld_stat(struct ucred *cred)
{
	int error = 0;

	if (mac_enforce_kld != 0) {
		MAC_CHECK(check_kld_stat, cred);
	}

	return (error);
}
  141 
/*
 * Entry point for unloading a kernel module.
 *
 * Returns 0 when security.mac.enforce_kld is off; otherwise returns the
 * value that MAC_CHECK(check_kld_unload, ...) leaves in 'error'.
 */
int
mac_check_kld_unload(struct ucred *cred)
{
	int error = 0;

	if (mac_enforce_kld != 0) {
		MAC_CHECK(check_kld_unload, cred);
	}

	return (error);
}
  154 
/*
 * Entry point for sysarch(2) requests that grant I/O port access.
 *
 * Returns 0 when security.mac.enforce_system is off; otherwise returns
 * the value that MAC_CHECK(check_sysarch_ioperm, ...) leaves in 'error'.
 */
int
mac_check_sysarch_ioperm(struct ucred *cred)
{
	int error = 0;

	if (mac_enforce_system != 0) {
		MAC_CHECK(check_sysarch_ioperm, cred);
	}

	return (error);
}
  166 
/*
 * Entry point for acct(2).
 *
 * 'vp' may be NULL (presumably when accounting is being switched off --
 * confirm against the caller); when it is non-NULL the caller must hold
 * the vnode lock, which is asserted before the enforcement knob is read.
 * Returns 0 when security.mac.enforce_system is off; otherwise passes the
 * vnode and its label (NULL label for a NULL vnode) to the
 * check_system_acct hook and returns what MAC_CHECK leaves in 'error'.
 */
int
mac_check_system_acct(struct ucred *cred, struct vnode *vp)
{
	int error = 0;

	if (vp != NULL)
		ASSERT_VOP_LOCKED(vp, "mac_check_system_acct");

	if (mac_enforce_system != 0) {
		/* Never dereference a NULL vnode for its label. */
		MAC_CHECK(check_system_acct, cred, vp,
		    (vp == NULL) ? NULL : vp->v_label);
	}

	return (error);
}
  184 
/*
 * Entry point for the nfsd-related system call.
 *
 * Returns 0 when security.mac.enforce_system is off; otherwise returns
 * the value that MAC_CHECK(check_system_nfsd, ...) leaves in 'error'.
 */
int
mac_check_system_nfsd(struct ucred *cred)
{
	int error = 0;

	if (mac_enforce_system != 0) {
		MAC_CHECK(check_system_nfsd, cred);
	}

	return (error);
}
  197 
/*
 * Entry point for reboot(2).
 *
 * 'howto' (the reboot flags) is forwarded to the policies unchanged.
 * Returns 0 when security.mac.enforce_system is off; otherwise returns
 * the value that MAC_CHECK(check_system_reboot, ...) leaves in 'error'.
 */
int
mac_check_system_reboot(struct ucred *cred, int howto)
{
	int error = 0;

	if (mac_enforce_system != 0) {
		MAC_CHECK(check_system_reboot, cred, howto);
	}

	return (error);
}
  210 
/*
 * Entry point for changing the system clock.
 *
 * Returns 0 when security.mac.enforce_system is off; otherwise returns
 * the value that MAC_CHECK(check_system_settime, ...) leaves in 'error'.
 */
int
mac_check_system_settime(struct ucred *cred)
{
	int error = 0;

	if (mac_enforce_system != 0) {
		MAC_CHECK(check_system_settime, cred);
	}

	return (error);
}
  223 
/*
 * Entry point for swapon(2) on vnode 'vp'.
 *
 * The caller must hold the vnode lock; asserted unconditionally, ahead of
 * the enforcement check.  Returns 0 when security.mac.enforce_system is
 * off; otherwise passes the vnode and its label to the check_system_swapon
 * hook and returns what MAC_CHECK leaves in 'error'.
 */
int
mac_check_system_swapon(struct ucred *cred, struct vnode *vp)
{
	int error = 0;

	ASSERT_VOP_LOCKED(vp, "mac_check_system_swapon");

	if (mac_enforce_system != 0) {
		MAC_CHECK(check_system_swapon, cred, vp, vp->v_label);
	}

	return (error);
}
  237 
/*
 * Entry point for swapoff(2) on vnode 'vp'.
 *
 * The caller must hold the vnode lock; asserted unconditionally, ahead of
 * the enforcement check.  Returns 0 when security.mac.enforce_system is
 * off; otherwise passes the vnode and its label to the
 * check_system_swapoff hook and returns what MAC_CHECK leaves in 'error'.
 */
int
mac_check_system_swapoff(struct ucred *cred, struct vnode *vp)
{
	int error = 0;

	ASSERT_VOP_LOCKED(vp, "mac_check_system_swapoff");

	if (mac_enforce_system != 0) {
		MAC_CHECK(check_system_swapoff, cred, vp, vp->v_label);
	}

	return (error);
}
  251 
/*
 * Entry point for sysctl(2).
 *
 * The OID, its two opaque arguments and the request are forwarded to the
 * policies untouched.  Returns 0 when security.mac.enforce_system is off;
 * otherwise returns the value that MAC_CHECK(check_system_sysctl, ...)
 * leaves in 'error'.
 *
 * XXXMAC: We would very much like to assert the SYSCTL_LOCK here,
 * but since it's not exported from kern_sysctl.c, we can't.
 */
int
mac_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp, void *arg1,
    int arg2, struct sysctl_req *req)
{
	int error = 0;

	if (mac_enforce_system != 0) {
		MAC_CHECK(check_system_sysctl, cred, oidp, arg1, arg2, req);
	}

	return (error);
}
