The Design and Implementation of the FreeBSD Operating System, Second Edition
Now available: The Design and Implementation of the FreeBSD Operating System (Second Edition)


[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]

FreeBSD/Linux Kernel Cross Reference
sys/security/mac_bsdextended/mac_bsdextended.c

Version: -  FREEBSD  -  FREEBSD-12-STABLE  -  FREEBSD-12-0  -  FREEBSD-11-STABLE  -  FREEBSD-11-2  -  FREEBSD-11-1  -  FREEBSD-11-0  -  FREEBSD-10-STABLE  -  FREEBSD-10-4  -  FREEBSD-10-3  -  FREEBSD-10-2  -  FREEBSD-10-1  -  FREEBSD-10-0  -  FREEBSD-9-STABLE  -  FREEBSD-9-3  -  FREEBSD-9-2  -  FREEBSD-9-1  -  FREEBSD-9-0  -  FREEBSD-8-STABLE  -  FREEBSD-8-4  -  FREEBSD-8-3  -  FREEBSD-8-2  -  FREEBSD-8-1  -  FREEBSD-8-0  -  FREEBSD-7-STABLE  -  FREEBSD-7-4  -  FREEBSD-7-3  -  FREEBSD-7-2  -  FREEBSD-7-1  -  FREEBSD-7-0  -  FREEBSD-6-STABLE  -  FREEBSD-6-4  -  FREEBSD-6-3  -  FREEBSD-6-2  -  FREEBSD-6-1  -  FREEBSD-6-0  -  FREEBSD-5-STABLE  -  FREEBSD-5-5  -  FREEBSD-5-4  -  FREEBSD-5-3  -  FREEBSD-5-2  -  FREEBSD-5-1  -  FREEBSD-5-0  -  FREEBSD-4-STABLE  -  FREEBSD-3-STABLE  -  FREEBSD22  -  linux-2.6  -  linux-2.4.22  -  MK83  -  MK84  -  PLAN9  -  DFBSD  -  NETBSD  -  NETBSD5  -  NETBSD4  -  NETBSD3  -  NETBSD20  -  OPENBSD  -  xnu-517  -  xnu-792  -  xnu-792.6.70  -  xnu-1228  -  xnu-1456.1.26  -  xnu-1699.24.8  -  xnu-2050.18.24  -  OPENSOLARIS  -  minix-3-1-1 
SearchContext: -  none  -  3  -  10 

    1 /*-
    2  * Copyright (c) 1999-2002, 2007-2008 Robert N. M. Watson
    3  * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
    4  * Copyright (c) 2005 Tom Rhodes
    5  * Copyright (c) 2006 SPARTA, Inc.
    6  * All rights reserved.
    7  *
    8  * This software was developed by Robert Watson for the TrustedBSD Project.
    9  * It was later enhanced by Tom Rhodes for the TrustedBSD Project.
   10  *
   11  * This software was developed for the FreeBSD Project in part by Network
   12  * Associates Laboratories, the Security Research Division of Network
   13  * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
   14  * as part of the DARPA CHATS research program.
   15  *
   16  * This software was enhanced by SPARTA ISSO under SPAWAR contract
   17  * N66001-04-C-6019 ("SEFOS").
   18  *
   19  * Redistribution and use in source and binary forms, with or without
   20  * modification, are permitted provided that the following conditions
   21  * are met:
   22  * 1. Redistributions of source code must retain the above copyright
   23  *    notice, this list of conditions and the following disclaimer.
   24  * 2. Redistributions in binary form must reproduce the above copyright
   25  *    notice, this list of conditions and the following disclaimer in the
   26  *    documentation and/or other materials provided with the distribution.
   27  *
   28  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
   29  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
   30  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
   31  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
   32  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
   33  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
   34  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
   35  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
   36  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
   37  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
   38  * SUCH DAMAGE.
   39  *
   40  * $FreeBSD: releng/11.0/sys/security/mac_bsdextended/mac_bsdextended.c 267992 2014-06-28 03:56:17Z hselasky $
   41  */
   42 
   43 /*
   44  * Developed by the TrustedBSD Project.
   45  *
   46  * "BSD Extended" MAC policy, allowing the administrator to impose mandatory
   47  * firewall-like rules regarding users and file system objects.
   48  */
   49 
   50 #include <sys/param.h>
   51 #include <sys/acl.h>
   52 #include <sys/kernel.h>
   53 #include <sys/jail.h>
   54 #include <sys/lock.h>
   55 #include <sys/malloc.h>
   56 #include <sys/module.h>
   57 #include <sys/mount.h>
   58 #include <sys/mutex.h>
   59 #include <sys/priv.h>
   60 #include <sys/proc.h>
   61 #include <sys/systm.h>
   62 #include <sys/vnode.h>
   63 #include <sys/sysctl.h>
   64 #include <sys/syslog.h>
   65 #include <sys/stat.h>
   66 
   67 #include <security/mac/mac_policy.h>
   68 #include <security/mac_bsdextended/mac_bsdextended.h>
   69 #include <security/mac_bsdextended/ugidfw_internal.h>
   70 
   71 static struct mtx ugidfw_mtx;
   72 
   73 SYSCTL_DECL(_security_mac);
   74 
   75 static SYSCTL_NODE(_security_mac, OID_AUTO, bsdextended, CTLFLAG_RW, 0,
   76     "TrustedBSD extended BSD MAC policy controls");
   77 
   78 static int      ugidfw_enabled = 1;
   79 SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, enabled, CTLFLAG_RWTUN,
   80     &ugidfw_enabled, 0, "Enforce extended BSD policy");
   81 
   82 static MALLOC_DEFINE(M_MACBSDEXTENDED, "mac_bsdextended",
   83     "BSD Extended MAC rule");
   84 
   85 #define MAC_BSDEXTENDED_MAXRULES        250
   86 static struct mac_bsdextended_rule *rules[MAC_BSDEXTENDED_MAXRULES];
   87 static int rule_count = 0;
   88 static int rule_slots = 0;
   89 static int rule_version = MB_VERSION;
   90 
   91 SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, rule_count, CTLFLAG_RD,
   92     &rule_count, 0, "Number of defined rules\n");
   93 SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, rule_slots, CTLFLAG_RD,
   94     &rule_slots, 0, "Number of used rule slots\n");
   95 SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, rule_version, CTLFLAG_RD,
   96     &rule_version, 0, "Version number for API\n");
   97 
   98 /*
   99  * This is just used for logging purposes, eventually we would like to log
  100  * much more then failed requests.
  101  */
  102 static int ugidfw_logging;
  103 SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, logging, CTLFLAG_RW,
  104     &ugidfw_logging, 0, "Log failed authorization requests");
  105 
  106 /*
  107  * This tunable is here for compatibility.  It will allow the user to switch
  108  * between the new mode (first rule matches) and the old functionality (all
  109  * rules match).
  110  */
  111 static int ugidfw_firstmatch_enabled;
  112 SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, firstmatch_enabled,
  113     CTLFLAG_RW, &ugidfw_firstmatch_enabled, 1,
  114     "Disable/enable match first rule functionality");
  115 
  116 static int
  117 ugidfw_rule_valid(struct mac_bsdextended_rule *rule)
  118 {
  119 
  120         if ((rule->mbr_subject.mbs_flags | MBS_ALL_FLAGS) != MBS_ALL_FLAGS)
  121                 return (EINVAL);
  122         if ((rule->mbr_subject.mbs_neg | MBS_ALL_FLAGS) != MBS_ALL_FLAGS)
  123                 return (EINVAL);
  124         if ((rule->mbr_object.mbo_flags | MBO_ALL_FLAGS) != MBO_ALL_FLAGS)
  125                 return (EINVAL);
  126         if ((rule->mbr_object.mbo_neg | MBO_ALL_FLAGS) != MBO_ALL_FLAGS)
  127                 return (EINVAL);
  128         if ((rule->mbr_object.mbo_neg | MBO_TYPE_DEFINED) &&
  129             (rule->mbr_object.mbo_type | MBO_ALL_TYPE) != MBO_ALL_TYPE)
  130                 return (EINVAL);
  131         if ((rule->mbr_mode | MBI_ALLPERM) != MBI_ALLPERM)
  132                 return (EINVAL);
  133         return (0);
  134 }
  135 
  136 static int
  137 sysctl_rule(SYSCTL_HANDLER_ARGS)
  138 {
  139         struct mac_bsdextended_rule temprule, *ruleptr;
  140         u_int namelen;
  141         int error, index, *name;
  142 
  143         error = 0;
  144         name = (int *)arg1;
  145         namelen = arg2;
  146         if (namelen != 1)
  147                 return (EINVAL);
  148         index = name[0];
  149         if (index >= MAC_BSDEXTENDED_MAXRULES)
  150                 return (ENOENT);
  151 
  152         ruleptr = NULL;
  153         if (req->newptr && req->newlen != 0) {
  154                 error = SYSCTL_IN(req, &temprule, sizeof(temprule));
  155                 if (error)
  156                         return (error);
  157                 ruleptr = malloc(sizeof(*ruleptr), M_MACBSDEXTENDED,
  158                     M_WAITOK | M_ZERO);
  159         }
  160 
  161         mtx_lock(&ugidfw_mtx);
  162         if (req->oldptr) {
  163                 if (index < 0 || index > rule_slots + 1) {
  164                         error = ENOENT;
  165                         goto out;
  166                 }
  167                 if (rules[index] == NULL) {
  168                         error = ENOENT;
  169                         goto out;
  170                 }
  171                 temprule = *rules[index];
  172         }
  173         if (req->newptr && req->newlen == 0) {
  174                 KASSERT(ruleptr == NULL, ("sysctl_rule: ruleptr != NULL"));
  175                 ruleptr = rules[index];
  176                 if (ruleptr == NULL) {
  177                         error = ENOENT;
  178                         goto out;
  179                 }
  180                 rule_count--;
  181                 rules[index] = NULL;
  182         } else if (req->newptr) {
  183                 error = ugidfw_rule_valid(&temprule);
  184                 if (error)
  185                         goto out;
  186                 if (rules[index] == NULL) {
  187                         *ruleptr = temprule;
  188                         rules[index] = ruleptr;
  189                         ruleptr = NULL;
  190                         if (index + 1 > rule_slots)
  191                                 rule_slots = index + 1;
  192                         rule_count++;
  193                 } else
  194                         *rules[index] = temprule;
  195         }
  196 out:
  197         mtx_unlock(&ugidfw_mtx);
  198         if (ruleptr != NULL)
  199                 free(ruleptr, M_MACBSDEXTENDED);
  200         if (req->oldptr && error == 0)
  201                 error = SYSCTL_OUT(req, &temprule, sizeof(temprule));
  202         return (error);
  203 }
  204 
  205 static SYSCTL_NODE(_security_mac_bsdextended, OID_AUTO, rules,
  206     CTLFLAG_MPSAFE | CTLFLAG_RW, sysctl_rule, "BSD extended MAC rules");
  207 
  208 static void
  209 ugidfw_init(struct mac_policy_conf *mpc)
  210 {
  211 
  212         mtx_init(&ugidfw_mtx, "mac_bsdextended lock", NULL, MTX_DEF);
  213 }
  214 
  215 static void
  216 ugidfw_destroy(struct mac_policy_conf *mpc)
  217 {
  218         int i;
  219 
  220         for (i = 0; i < MAC_BSDEXTENDED_MAXRULES; i++) {
  221                 if (rules[i] != NULL)
  222                         free(rules[i], M_MACBSDEXTENDED);
  223         }
  224         mtx_destroy(&ugidfw_mtx);
  225 }
  226 
  227 static int
  228 ugidfw_rulecheck(struct mac_bsdextended_rule *rule,
  229     struct ucred *cred, struct vnode *vp, struct vattr *vap, int acc_mode)
  230 {
  231         int mac_granted, match, priv_granted;
  232         int i;
  233 
  234         /*
  235          * Is there a subject match?
  236          */
  237         mtx_assert(&ugidfw_mtx, MA_OWNED);
  238         if (rule->mbr_subject.mbs_flags & MBS_UID_DEFINED) {
  239                 match =  ((cred->cr_uid <= rule->mbr_subject.mbs_uid_max &&
  240                     cred->cr_uid >= rule->mbr_subject.mbs_uid_min) ||
  241                     (cred->cr_ruid <= rule->mbr_subject.mbs_uid_max &&
  242                     cred->cr_ruid >= rule->mbr_subject.mbs_uid_min) ||
  243                     (cred->cr_svuid <= rule->mbr_subject.mbs_uid_max &&
  244                     cred->cr_svuid >= rule->mbr_subject.mbs_uid_min));
  245                 if (rule->mbr_subject.mbs_neg & MBS_UID_DEFINED)
  246                         match = !match;
  247                 if (!match)
  248                         return (0);
  249         }
  250 
  251         if (rule->mbr_subject.mbs_flags & MBS_GID_DEFINED) {
  252                 match = ((cred->cr_rgid <= rule->mbr_subject.mbs_gid_max &&
  253                     cred->cr_rgid >= rule->mbr_subject.mbs_gid_min) ||
  254                     (cred->cr_svgid <= rule->mbr_subject.mbs_gid_max &&
  255                     cred->cr_svgid >= rule->mbr_subject.mbs_gid_min));
  256                 if (!match) {
  257                         for (i = 0; i < cred->cr_ngroups; i++) {
  258                                 if (cred->cr_groups[i]
  259                                     <= rule->mbr_subject.mbs_gid_max &&
  260                                     cred->cr_groups[i]
  261                                     >= rule->mbr_subject.mbs_gid_min) {
  262                                         match = 1;
  263                                         break;
  264                                 }
  265                         }
  266                 }
  267                 if (rule->mbr_subject.mbs_neg & MBS_GID_DEFINED)
  268                         match = !match;
  269                 if (!match)
  270                         return (0);
  271         }
  272 
  273         if (rule->mbr_subject.mbs_flags & MBS_PRISON_DEFINED) {
  274                 match =
  275                     (cred->cr_prison->pr_id == rule->mbr_subject.mbs_prison);
  276                 if (rule->mbr_subject.mbs_neg & MBS_PRISON_DEFINED)
  277                         match = !match;
  278                 if (!match)
  279                         return (0);
  280         }
  281 
  282         /*
  283          * Is there an object match?
  284          */
  285         if (rule->mbr_object.mbo_flags & MBO_UID_DEFINED) {
  286                 match = (vap->va_uid <= rule->mbr_object.mbo_uid_max &&
  287                     vap->va_uid >= rule->mbr_object.mbo_uid_min);
  288                 if (rule->mbr_object.mbo_neg & MBO_UID_DEFINED)
  289                         match = !match;
  290                 if (!match)
  291                         return (0);
  292         }
  293 
  294         if (rule->mbr_object.mbo_flags & MBO_GID_DEFINED) {
  295                 match = (vap->va_gid <= rule->mbr_object.mbo_gid_max &&
  296                     vap->va_gid >= rule->mbr_object.mbo_gid_min);
  297                 if (rule->mbr_object.mbo_neg & MBO_GID_DEFINED)
  298                         match = !match;
  299                 if (!match)
  300                         return (0);
  301         }
  302 
  303         if (rule->mbr_object.mbo_flags & MBO_FSID_DEFINED) {
  304                 match = (bcmp(&(vp->v_mount->mnt_stat.f_fsid),
  305                     &(rule->mbr_object.mbo_fsid),
  306                     sizeof(rule->mbr_object.mbo_fsid)) == 0);
  307                 if (rule->mbr_object.mbo_neg & MBO_FSID_DEFINED)
  308                         match = !match;
  309                 if (!match)
  310                         return (0);
  311         }
  312 
  313         if (rule->mbr_object.mbo_flags & MBO_SUID) {
  314                 match = (vap->va_mode & S_ISUID);
  315                 if (rule->mbr_object.mbo_neg & MBO_SUID)
  316                         match = !match;
  317                 if (!match)
  318                         return (0);
  319         }
  320 
  321         if (rule->mbr_object.mbo_flags & MBO_SGID) {
  322                 match = (vap->va_mode & S_ISGID);
  323                 if (rule->mbr_object.mbo_neg & MBO_SGID)
  324                         match = !match;
  325                 if (!match)
  326                         return (0);
  327         }
  328 
  329         if (rule->mbr_object.mbo_flags & MBO_UID_SUBJECT) {
  330                 match = (vap->va_uid == cred->cr_uid ||
  331                     vap->va_uid == cred->cr_ruid ||
  332                     vap->va_uid == cred->cr_svuid);
  333                 if (rule->mbr_object.mbo_neg & MBO_UID_SUBJECT)
  334                         match = !match;
  335                 if (!match)
  336                         return (0);
  337         }
  338 
  339         if (rule->mbr_object.mbo_flags & MBO_GID_SUBJECT) {
  340                 match = (groupmember(vap->va_gid, cred) ||
  341                     vap->va_gid == cred->cr_rgid ||
  342                     vap->va_gid == cred->cr_svgid);
  343                 if (rule->mbr_object.mbo_neg & MBO_GID_SUBJECT)
  344                         match = !match;
  345                 if (!match)
  346                         return (0);
  347         }
  348 
  349         if (rule->mbr_object.mbo_flags & MBO_TYPE_DEFINED) {
  350                 switch (vap->va_type) {
  351                 case VREG:
  352                         match = (rule->mbr_object.mbo_type & MBO_TYPE_REG);
  353                         break;
  354                 case VDIR:
  355                         match = (rule->mbr_object.mbo_type & MBO_TYPE_DIR);
  356                         break;
  357                 case VBLK:
  358                         match = (rule->mbr_object.mbo_type & MBO_TYPE_BLK);
  359                         break;
  360                 case VCHR:
  361                         match = (rule->mbr_object.mbo_type & MBO_TYPE_CHR);
  362                         break;
  363                 case VLNK:
  364                         match = (rule->mbr_object.mbo_type & MBO_TYPE_LNK);
  365                         break;
  366                 case VSOCK:
  367                         match = (rule->mbr_object.mbo_type & MBO_TYPE_SOCK);
  368                         break;
  369                 case VFIFO:
  370                         match = (rule->mbr_object.mbo_type & MBO_TYPE_FIFO);
  371                         break;
  372                 default:
  373                         match = 0;
  374                 }
  375                 if (rule->mbr_object.mbo_neg & MBO_TYPE_DEFINED)
  376                         match = !match;
  377                 if (!match)
  378                         return (0);
  379         }
  380 
  381         /*
  382          * MBI_APPEND should not be here as it should get converted to
  383          * MBI_WRITE.
  384          */
  385         priv_granted = 0;
  386         mac_granted = rule->mbr_mode;
  387         if ((acc_mode & MBI_ADMIN) && (mac_granted & MBI_ADMIN) == 0 &&
  388             priv_check_cred(cred, PRIV_VFS_ADMIN, 0) == 0)
  389                 priv_granted |= MBI_ADMIN;
  390         if ((acc_mode & MBI_EXEC) && (mac_granted & MBI_EXEC) == 0 &&
  391             priv_check_cred(cred, (vap->va_type == VDIR) ? PRIV_VFS_LOOKUP :
  392             PRIV_VFS_EXEC, 0) == 0)
  393                 priv_granted |= MBI_EXEC;
  394         if ((acc_mode & MBI_READ) && (mac_granted & MBI_READ) == 0 &&
  395             priv_check_cred(cred, PRIV_VFS_READ, 0) == 0)
  396                 priv_granted |= MBI_READ;
  397         if ((acc_mode & MBI_STAT) && (mac_granted & MBI_STAT) == 0 &&
  398             priv_check_cred(cred, PRIV_VFS_STAT, 0) == 0)
  399                 priv_granted |= MBI_STAT;
  400         if ((acc_mode & MBI_WRITE) && (mac_granted & MBI_WRITE) == 0 &&
  401             priv_check_cred(cred, PRIV_VFS_WRITE, 0) == 0)
  402                 priv_granted |= MBI_WRITE;
  403         /*
  404          * Is the access permitted?
  405          */
  406         if (((mac_granted | priv_granted) & acc_mode) != acc_mode) {
  407                 if (ugidfw_logging)
  408                         log(LOG_AUTHPRIV, "mac_bsdextended: %d:%d request %d"
  409                             " on %d:%d failed. \n", cred->cr_ruid,
  410                             cred->cr_rgid, acc_mode, vap->va_uid,
  411                             vap->va_gid);
  412                 return (EACCES);
  413         }
  414 
  415         /*
  416          * If the rule matched, permits access, and first match is enabled,
  417          * return success.
  418          */
  419         if (ugidfw_firstmatch_enabled)
  420                 return (EJUSTRETURN);
  421         else
  422                 return (0);
  423 }
  424 
  425 int
  426 ugidfw_check(struct ucred *cred, struct vnode *vp, struct vattr *vap,
  427     int acc_mode)
  428 {
  429         int error, i;
  430 
  431         /*
  432          * Since we do not separately handle append, map append to write.
  433          */
  434         if (acc_mode & MBI_APPEND) {
  435                 acc_mode &= ~MBI_APPEND;
  436                 acc_mode |= MBI_WRITE;
  437         }
  438         mtx_lock(&ugidfw_mtx);
  439         for (i = 0; i < rule_slots; i++) {
  440                 if (rules[i] == NULL)
  441                         continue;
  442                 error = ugidfw_rulecheck(rules[i], cred,
  443                     vp, vap, acc_mode);
  444                 if (error == EJUSTRETURN)
  445                         break;
  446                 if (error) {
  447                         mtx_unlock(&ugidfw_mtx);
  448                         return (error);
  449                 }
  450         }
  451         mtx_unlock(&ugidfw_mtx);
  452         return (0);
  453 }
  454 
  455 int
  456 ugidfw_check_vp(struct ucred *cred, struct vnode *vp, int acc_mode)
  457 {
  458         int error;
  459         struct vattr vap;
  460 
  461         if (!ugidfw_enabled)
  462                 return (0);
  463         error = VOP_GETATTR(vp, &vap, cred);
  464         if (error)
  465                 return (error);
  466         return (ugidfw_check(cred, vp, &vap, acc_mode));
  467 }
  468 
  469 int
  470 ugidfw_accmode2mbi(accmode_t accmode)
  471 {
  472         int mbi;
  473 
  474         mbi = 0;
  475         if (accmode & VEXEC)
  476                 mbi |= MBI_EXEC;
  477         if (accmode & VWRITE)
  478                 mbi |= MBI_WRITE;
  479         if (accmode & VREAD)
  480                 mbi |= MBI_READ;
  481         if (accmode & VADMIN_PERMS)
  482                 mbi |= MBI_ADMIN;
  483         if (accmode & VSTAT_PERMS)
  484                 mbi |= MBI_STAT;
  485         if (accmode & VAPPEND)
  486                 mbi |= MBI_APPEND;
  487         return (mbi);
  488 }
  489 
  490 static struct mac_policy_ops ugidfw_ops =
  491 {
  492         .mpo_destroy = ugidfw_destroy,
  493         .mpo_init = ugidfw_init,
  494         .mpo_system_check_acct = ugidfw_system_check_acct,
  495         .mpo_system_check_auditctl = ugidfw_system_check_auditctl,
  496         .mpo_system_check_swapon = ugidfw_system_check_swapon,
  497         .mpo_vnode_check_access = ugidfw_vnode_check_access,
  498         .mpo_vnode_check_chdir = ugidfw_vnode_check_chdir,
  499         .mpo_vnode_check_chroot = ugidfw_vnode_check_chroot,
  500         .mpo_vnode_check_create = ugidfw_check_create_vnode,
  501         .mpo_vnode_check_deleteacl = ugidfw_vnode_check_deleteacl,
  502         .mpo_vnode_check_deleteextattr = ugidfw_vnode_check_deleteextattr,
  503         .mpo_vnode_check_exec = ugidfw_vnode_check_exec,
  504         .mpo_vnode_check_getacl = ugidfw_vnode_check_getacl,
  505         .mpo_vnode_check_getextattr = ugidfw_vnode_check_getextattr,
  506         .mpo_vnode_check_link = ugidfw_vnode_check_link,
  507         .mpo_vnode_check_listextattr = ugidfw_vnode_check_listextattr,
  508         .mpo_vnode_check_lookup = ugidfw_vnode_check_lookup,
  509         .mpo_vnode_check_open = ugidfw_vnode_check_open,
  510         .mpo_vnode_check_readdir = ugidfw_vnode_check_readdir,
  511         .mpo_vnode_check_readlink = ugidfw_vnode_check_readdlink,
  512         .mpo_vnode_check_rename_from = ugidfw_vnode_check_rename_from,
  513         .mpo_vnode_check_rename_to = ugidfw_vnode_check_rename_to,
  514         .mpo_vnode_check_revoke = ugidfw_vnode_check_revoke,
  515         .mpo_vnode_check_setacl = ugidfw_check_setacl_vnode,
  516         .mpo_vnode_check_setextattr = ugidfw_vnode_check_setextattr,
  517         .mpo_vnode_check_setflags = ugidfw_vnode_check_setflags,
  518         .mpo_vnode_check_setmode = ugidfw_vnode_check_setmode,
  519         .mpo_vnode_check_setowner = ugidfw_vnode_check_setowner,
  520         .mpo_vnode_check_setutimes = ugidfw_vnode_check_setutimes,
  521         .mpo_vnode_check_stat = ugidfw_vnode_check_stat,
  522         .mpo_vnode_check_unlink = ugidfw_vnode_check_unlink,
  523 };
  524 
  525 MAC_POLICY_SET(&ugidfw_ops, mac_bsdextended, "TrustedBSD MAC/BSD Extended",
  526     MPC_LOADTIME_FLAG_UNLOADOK, NULL);

Cache object: 4ec73e1daf35b6bfccf79f8013903c2a


[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]


This page is part of the FreeBSD/Linux Linux Kernel Cross-Reference, and was automatically generated using a modified version of the LXR engine.