sys/security/mac_bsdextended/mac_bsdextended.c


    1 /*-
    2  * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson
    3  * Copyright (c) 2001, 2002, 2003 Networks Associates Technology, Inc.
    4  * All rights reserved.
    5  *
    6  * This software was developed by Robert Watson for the TrustedBSD Project.
    7  *
    8  * This software was developed for the FreeBSD Project in part by Network
    9  * Associates Laboratories, the Security Research Division of Network
   10  * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
   11  * as part of the DARPA CHATS research program.
   12  *
   13  * Redistribution and use in source and binary forms, with or without
   14  * modification, are permitted provided that the following conditions
   15  * are met:
   16  * 1. Redistributions of source code must retain the above copyright
   17  *    notice, this list of conditions and the following disclaimer.
   18  * 2. Redistributions in binary form must reproduce the above copyright
   19  *    notice, this list of conditions and the following disclaimer in the
   20  *    documentation and/or other materials provided with the distribution.
   21  *
   22  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
   23  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
   24  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
   25  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
   26  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
   27  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
   28  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
   29  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
   30  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
   31  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
   32  * SUCH DAMAGE.
   33  *
   34  * $FreeBSD: releng/5.2/sys/security/mac_bsdextended/mac_bsdextended.c 119202 2003-08-21 14:34:54Z rwatson $
   35  */
   36 /*
   37  * Developed by the TrustedBSD Project.
   38  * "BSD Extended" MAC policy, allowing the administrator to impose
   39  * mandatory rules regarding users and some system objects.
   40  *
   41  * XXX: Much locking support required here.
   42  */
   43 
   44 #include <sys/types.h>
   45 #include <sys/param.h>
   46 #include <sys/acl.h>
   47 #include <sys/conf.h>
   48 #include <sys/kernel.h>
   49 #include <sys/mac.h>
   50 #include <sys/malloc.h>
   51 #include <sys/mount.h>
   52 #include <sys/proc.h>
   53 #include <sys/systm.h>
   54 #include <sys/sysproto.h>
   55 #include <sys/sysent.h>
   56 #include <sys/vnode.h>
   57 #include <sys/file.h>
   58 #include <sys/socket.h>
   59 #include <sys/socketvar.h>
   60 #include <sys/sysctl.h>
   61 
   62 #include <net/bpfdesc.h>
   63 #include <net/if.h>
   64 #include <net/if_types.h>
   65 #include <net/if_var.h>
   66 
   67 #include <vm/vm.h>
   68 
   69 #include <sys/mac_policy.h>
   70 
   71 #include <security/mac_bsdextended/mac_bsdextended.h>
   72 
SYSCTL_DECL(_security_mac);

/* security.mac.bsdextended: root of this policy's control knobs. */
SYSCTL_NODE(_security_mac, OID_AUTO, bsdextended, CTLFLAG_RW, 0,
    "TrustedBSD extended BSD MAC policy controls");

/*
 * Master enforcement switch (default on).  Every entry point below
 * returns 0 without consulting the rule table while this is 0; it is
 * also settable from the loader via the tunable of the same name.
 */
static int      mac_bsdextended_enabled = 1;
SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, enabled, CTLFLAG_RW,
    &mac_bsdextended_enabled, 0, "Enforce extended BSD policy");
TUNABLE_INT("security.mac.bsdextended.enabled", &mac_bsdextended_enabled);

MALLOC_DEFINE(M_MACBSDEXTENDED, "mac_bsdextended", "BSD Extended MAC rule");

/*
 * Fixed-size rule table.  rules[] holds a pointer per slot (NULL for an
 * empty slot); rule_count is the number of non-NULL slots and rule_slots
 * is one past the highest slot ever populated, which bounds the scan in
 * mac_bsdextended_check().  rule_slots never shrinks on deletion.
 * NOTE(review): the table is read and written without a lock, as the
 * file header's locking XXX acknowledges.
 */
#define MAC_BSDEXTENDED_MAXRULES        250
static struct mac_bsdextended_rule *rules[MAC_BSDEXTENDED_MAXRULES];
static int rule_count = 0;
static int rule_slots = 0;

/* Read-only counters for administrators (the "\n" in the descriptions
 * is reproduced as-is; it shows up verbatim in sysctl -d output). */
SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, rule_count, CTLFLAG_RD,
    &rule_count, 0, "Number of defined rules\n");
SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, rule_slots, CTLFLAG_RD,
    &rule_slots, 0, "Number of used rule slots\n");

/* When non-zero, mac_bsdextended_rulecheck() printf()s each denial. */
static int mac_bsdextended_debugging;
SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, debugging, CTLFLAG_RW,
    &mac_bsdextended_debugging, 0, "Enable debugging on failure");
   98 
/*
 * Sanity-check a rule supplied from userland before it is installed.
 * Only the identity flag bits in MBI_BITS and the permission bits in
 * VALLPERM are meaningful; anything else is rejected with EINVAL so a
 * malformed rule can never be stored and later misinterpreted.
 *
 * Returns 0 if the rule is well formed, EINVAL otherwise.
 */
static int
mac_bsdextended_rule_valid(struct mac_bsdextended_rule *rule)
{
	/* Subject and object identities: no flag outside MBI_BITS. */
	if ((rule->mbr_subject.mbi_flags & ~MBI_BITS) != 0 ||
	    (rule->mbr_object.mbi_flags & ~MBI_BITS) != 0)
		return (EINVAL);

	/* Access mode: no bit outside the vnode permission mask. */
	if ((rule->mbr_mode & ~VALLPERM) != 0)
		return (EINVAL);

	return (0);
}
  114 
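/*
 * Handler for security.mac.bsdextended.rules.<index>.
 *
 * The single OID component selects a slot in rules[].  A read (oldptr)
 * copies the rule in that slot out; a write (newptr) with zero length
 * deletes the slot, otherwise the new rule is validated and either
 * stored in an empty slot or overwrites the existing one.  Reads and
 * writes may be combined in one request; the read happens first.
 *
 * Returns 0 on success, EINVAL for a malformed name or rule, ENOENT for
 * an unusable index or an empty slot, or the copyin/copyout error.
 */
static int
sysctl_rule(SYSCTL_HANDLER_ARGS)
{
	struct mac_bsdextended_rule temprule, *ruleptr;
	u_int namelen;
	int error, index, *name;

	name = (int *)arg1;
	namelen = arg2;

	/* Exactly one trailing OID component: the slot index. */
	if (namelen != 1)
		return (EINVAL);

	index = name[0];
	/*
	 * The index may address any slot up to one past the last used
	 * slot, and must additionally lie inside rules[] itself.  The
	 * array bound is checked against index rather than rule_slots:
	 * with rule_slots == MAC_BSDEXTENDED_MAXRULES - 1 the first test
	 * alone admits index == MAC_BSDEXTENDED_MAXRULES, which is one
	 * past the end of the array, and a test on rule_slots alone would
	 * also make every existing rule unreadable and undeletable once
	 * the table has been filled.
	 */
	if (index < 0 || index > rule_slots + 1)
		return (ENOENT);
	if (index >= MAC_BSDEXTENDED_MAXRULES)
		return (ENOENT);

	if (req->oldptr) {
		if (rules[index] == NULL)
			return (ENOENT);

		error = SYSCTL_OUT(req, rules[index], sizeof(*rules[index]));
		if (error)
			return (error);
	}

	if (req->newptr) {
		if (req->newlen == 0) {
			/* Deletion: clear the slot before releasing it. */
			ruleptr = rules[index];
			if (ruleptr == NULL)
				return (ENOENT);
			rule_count--;
			rules[index] = NULL;
			FREE(ruleptr, M_MACBSDEXTENDED);
			return (0);
		}
		error = SYSCTL_IN(req, &temprule, sizeof(temprule));
		if (error)
			return (error);

		/* Never install a rule with undefined flag or mode bits. */
		error = mac_bsdextended_rule_valid(&temprule);
		if (error)
			return (error);

		if (rules[index] == NULL) {
			/* Addition into an empty slot. */
			MALLOC(ruleptr, struct mac_bsdextended_rule *,
			    sizeof(*ruleptr), M_MACBSDEXTENDED, M_WAITOK |
			    M_ZERO);
			*ruleptr = temprule;
			rules[index] = ruleptr;
			/* Grow the scan bound if this is a new high slot. */
			if (index + 1 > rule_slots)
				rule_slots = index + 1;
			rule_count++;
		} else {
			/* Replacement of an existing rule in place. */
			*rules[index] = temprule;
		}
	}

	return (0);
}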
  182 
/* security.mac.bsdextended.rules.<n>: per-slot rule access via sysctl_rule(). */
SYSCTL_NODE(_security_mac_bsdextended, OID_AUTO, rules,
    CTLFLAG_RW, sysctl_rule, "BSD extended MAC rules");
  185 
/*
 * Policy load hook.  Currently a no-op: the rule table is static and the
 * sysctl nodes are registered at compile time.  Intended future work
 * (ruleset lock, dynamic per-rule sysctls) is noted here but not done.
 */
static void
mac_bsdextended_init(struct mac_policy_conf *mpc)
{
	/* TODO: initialise the ruleset lock. */
	/* TODO: register dynamic sysctls for the rules. */
}
  193 
/*
 * Policy unload hook, the counterpart of mac_bsdextended_init().
 * Currently a no-op; nothing set up at load time needs tearing down.
 */
static void
mac_bsdextended_destroy(struct mac_policy_conf *mpc)
{
	/* TODO: tear down the sysctls. */
	/* TODO: destroy the ruleset lock. */
}
  201 
/*
 * Evaluate one rule against a (subject credential, object owner/group,
 * requested access) triple.
 *
 * A rule applies only if every criterion defined on its subject and
 * object identities matches; MBI_NEGATED on an identity inverts each of
 * that identity's defined criteria.  The subject uid criterion matches
 * any of the effective, real or saved uid; the gid criterion matches
 * the supplementary groups, the real gid or the saved gid.  The object
 * criteria compare directly against the supplied owner and group.
 *
 * Returns 0 if the rule does not apply or permits every requested bit
 * of acc_mode, EACCES if the rule applies and some requested bit is
 * absent from its mode.  A denial is printf()ed when debugging is on.
 */
static int
mac_bsdextended_rulecheck(struct mac_bsdextended_rule *rule,
    struct ucred *cred, uid_t object_uid, gid_t object_gid, int acc_mode)
{
	int hit;

	/* Subject uid criterion. */
	if ((rule->mbr_subject.mbi_flags & MBI_UID_DEFINED) != 0) {
		hit = rule->mbr_subject.mbi_uid == cred->cr_uid ||
		    rule->mbr_subject.mbi_uid == cred->cr_ruid ||
		    rule->mbr_subject.mbi_uid == cred->cr_svuid;
		if ((rule->mbr_subject.mbi_flags & MBI_NEGATED) != 0)
			hit = (hit == 0);
		if (hit == 0)
			return (0);
	}

	/* Subject gid criterion. */
	if ((rule->mbr_subject.mbi_flags & MBI_GID_DEFINED) != 0) {
		hit = groupmember(rule->mbr_subject.mbi_gid, cred) ||
		    rule->mbr_subject.mbi_gid == cred->cr_rgid ||
		    rule->mbr_subject.mbi_gid == cred->cr_svgid;
		if ((rule->mbr_subject.mbi_flags & MBI_NEGATED) != 0)
			hit = (hit == 0);
		if (hit == 0)
			return (0);
	}

	/* Object uid criterion. */
	if ((rule->mbr_object.mbi_flags & MBI_UID_DEFINED) != 0) {
		hit = rule->mbr_object.mbi_uid == object_uid;
		if ((rule->mbr_object.mbi_flags & MBI_NEGATED) != 0)
			hit = (hit == 0);
		if (hit == 0)
			return (0);
	}

	/* Object gid criterion. */
	if ((rule->mbr_object.mbi_flags & MBI_GID_DEFINED) != 0) {
		hit = rule->mbr_object.mbi_gid == object_gid;
		if ((rule->mbr_object.mbi_flags & MBI_NEGATED) != 0)
			hit = (hit == 0);
		if (hit == 0)
			return (0);
	}

	/*
	 * The rule applies: every requested bit must be granted by it.
	 */
	if ((rule->mbr_mode & acc_mode) == acc_mode)
		return (0);

	if (mac_bsdextended_debugging)
		printf("mac_bsdextended: %d:%d request %d on %d:%d fails\n",
		    cred->cr_ruid, cred->cr_rgid, acc_mode, object_uid,
		    object_gid);
	return (EACCES);
}
  271 
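/*
 * Walk the rule table in slot order and apply each populated rule to
 * the request.  The first rule that applies and denies the access ends
 * the walk with its error; if no rule denies, the access is permitted.
 *
 * Returns 0 or the error from mac_bsdextended_rulecheck() (EACCES).
 */
static int
mac_bsdextended_check(struct ucred *cred, uid_t object_uid, gid_t object_gid,
    int acc_mode)
{
	int error, i;

	/*
	 * Append is not a distinct right in the rule language, so fold
	 * it into write.  This depends only on acc_mode and is therefore
	 * done once, ahead of the scan, rather than on every iteration.
	 */
	if (acc_mode & VAPPEND) {
		acc_mode &= ~VAPPEND;
		acc_mode |= VWRITE;
	}

	/*
	 * NOTE(review): rules[] and rule_slots are read here without any
	 * synchronisation against sysctl_rule(), as the file header's
	 * locking XXX acknowledges.
	 */
	for (i = 0; i < rule_slots; i++) {
		if (rules[i] == NULL)
			continue;

		error = mac_bsdextended_rulecheck(rules[i], cred, object_uid,
		    object_gid, acc_mode);
		if (error)
			return (error);
	}

	return (0);
}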
  299 
/*
 * swapon(2): the rules must grant VWRITE on the swap vnode's owner and
 * group.  The label argument is unused; this policy keys on uid/gid.
 *
 * Returns 0, the VOP_GETATTR() error, or EACCES from the rule table.
 */
static int
mac_bsdextended_check_system_swapon(struct ucred *cred, struct vnode *vp,
    struct label *label)
{
	struct vattr attr;
	int err;

	/* Policy switched off: nothing to enforce. */
	if (mac_bsdextended_enabled == 0)
		return (0);

	/* Resolve the vnode's owner and group for the rule match. */
	if ((err = VOP_GETATTR(vp, &attr, cred, curthread)) != 0)
		return (err);
	return (mac_bsdextended_check(cred, attr.va_uid, attr.va_gid, VWRITE));
}
  315 
/*
 * access(2)-style check: the requested acc_mode bits are passed to the
 * rule table unchanged (append is folded into write there).  The label
 * argument is unused; this policy keys on uid/gid.
 *
 * Returns 0, the VOP_GETATTR() error, or EACCES from the rule table.
 */
static int
mac_bsdextended_check_vnode_access(struct ucred *cred, struct vnode *vp,
    struct label *label, int acc_mode)
{
	struct vattr attr;
	int err;

	if (mac_bsdextended_enabled == 0)
		return (0);

	if ((err = VOP_GETATTR(vp, &attr, cred, curthread)) != 0)
		return (err);
	return (mac_bsdextended_check(cred, attr.va_uid, attr.va_gid,
	    acc_mode));
}
  331 
/*
 * chdir(2): the rules must grant VEXEC (search) on the target directory.
 * dlabel is unused; this policy keys on uid/gid.
 *
 * Returns 0, the VOP_GETATTR() error, or EACCES from the rule table.
 */
static int
mac_bsdextended_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel)
{
	struct vattr dattr;
	int err;

	if (mac_bsdextended_enabled == 0)
		return (0);

	if ((err = VOP_GETATTR(dvp, &dattr, cred, curthread)) != 0)
		return (err);
	return (mac_bsdextended_check(cred, dattr.va_uid, dattr.va_gid, VEXEC));
}
  347 
/*
 * chroot(2): same requirement as chdir, VEXEC on the new root directory.
 * dlabel is unused; this policy keys on uid/gid.
 *
 * Returns 0, the VOP_GETATTR() error, or EACCES from the rule table.
 */
static int
mac_bsdextended_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel)
{
	struct vattr dattr;
	int err;

	if (mac_bsdextended_enabled == 0)
		return (0);

	if ((err = VOP_GETATTR(dvp, &dattr, cred, curthread)) != 0)
		return (err);
	return (mac_bsdextended_check(cred, dattr.va_uid, dattr.va_gid, VEXEC));
}
  363 
/*
 * Creation of a new vnode in dvp: the rules must grant VWRITE on the
 * parent directory.  The attributes of the object about to be created
 * (vap), the name (cnp) and dlabel are not consulted.
 *
 * Returns 0, the VOP_GETATTR() error, or EACCES from the rule table.
 */
static int
mac_bsdextended_check_create_vnode(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct componentname *cnp, struct vattr *vap)
{
	struct vattr dattr;
	int err;

	if (mac_bsdextended_enabled == 0)
		return (0);

	/* Only the parent directory's owner/group matter here. */
	if ((err = VOP_GETATTR(dvp, &dattr, cred, curthread)) != 0)
		return (err);
	return (mac_bsdextended_check(cred, dattr.va_uid, dattr.va_gid,
	    VWRITE));
}
  379 
/*
 * unlink/rmdir: the rules must grant VWRITE on the parent directory and
 * VWRITE on the object being removed, checked in that order.  Labels and
 * the component name are unused; this policy keys on uid/gid.
 *
 * Returns 0, a VOP_GETATTR() error, or EACCES from the rule table.
 */
static int
mac_bsdextended_check_vnode_delete(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct vnode *vp, struct label *label,
    struct componentname *cnp)
{
	struct vattr attr;
	int err;

	if (mac_bsdextended_enabled == 0)
		return (0);

	/* Parent directory first. */
	if ((err = VOP_GETATTR(dvp, &attr, cred, curthread)) != 0)
		return (err);
	if ((err = mac_bsdextended_check(cred, attr.va_uid, attr.va_gid,
	    VWRITE)) != 0)
		return (err);

	/* Then the object itself; attr is reused for its attributes. */
	if ((err = VOP_GETATTR(vp, &attr, cred, curthread)) != 0)
		return (err);
	return (mac_bsdextended_check(cred, attr.va_uid, attr.va_gid, VWRITE));
}
  403 
/*
 * Removing an ACL is an administrative operation on the vnode: the rules
 * must grant VADMIN.  The ACL type and label are not consulted.
 *
 * Returns 0, the VOP_GETATTR() error, or EACCES from the rule table.
 */
static int
mac_bsdextended_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
    struct label *label, acl_type_t type)
{
	struct vattr attr;
	int err;

	if (mac_bsdextended_enabled == 0)
		return (0);

	if ((err = VOP_GETATTR(vp, &attr, cred, curthread)) != 0)
		return (err);
	return (mac_bsdextended_check(cred, attr.va_uid, attr.va_gid, VADMIN));
}
  419 
/*
 * Removing an extended attribute counts as a write to the vnode: the
 * rules must grant VWRITE.  The namespace, attribute name and label are
 * not consulted.
 *
 * Returns 0, the VOP_GETATTR() error, or EACCES from the rule table.
 */
static int
mac_bsdextended_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
    struct label *label, int attrnamespace, const char *name)
{
	struct vattr attr;
	int err;

	if (mac_bsdextended_enabled == 0)
		return (0);

	if ((err = VOP_GETATTR(vp, &attr, cred, curthread)) != 0)
		return (err);
	return (mac_bsdextended_check(cred, attr.va_uid, attr.va_gid, VWRITE));
}
  435 
/*
 * execve(2): the rules must grant both VREAD and VEXEC on the image.
 * imgp and the labels are not consulted.
 *
 * Returns 0, the VOP_GETATTR() error, or EACCES from the rule table.
 */
static int
mac_bsdextended_check_vnode_exec(struct ucred *cred, struct vnode *vp,
    struct label *label, struct image_params *imgp,
    struct label *execlabel)
{
	struct vattr attr;
	int err;

	if (mac_bsdextended_enabled == 0)
		return (0);

	if ((err = VOP_GETATTR(vp, &attr, cred, curthread)) != 0)
		return (err);
	/* Both bits are requested at once; a rule lacking either denies. */
	return (mac_bsdextended_check(cred, attr.va_uid, attr.va_gid,
	    VREAD | VEXEC));
}
  453 
/*
 * Reading an ACL is treated like stat(2): the rules must grant VSTAT.
 * The ACL type and label are not consulted.
 *
 * Returns 0, the VOP_GETATTR() error, or EACCES from the rule table.
 */
static int
mac_bsdextended_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
    struct label *label, acl_type_t type)
{
	struct vattr attr;
	int err;

	if (mac_bsdextended_enabled == 0)
		return (0);

	if ((err = VOP_GETATTR(vp, &attr, cred, curthread)) != 0)
		return (err);
	return (mac_bsdextended_check(cred, attr.va_uid, attr.va_gid, VSTAT));
}
  469 
/*
 * Reading an extended attribute counts as a read of the vnode: the rules
 * must grant VREAD.  The namespace, name, uio and label are not consulted.
 *
 * Returns 0, the VOP_GETATTR() error, or EACCES from the rule table.
 */
static int
mac_bsdextended_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
    struct label *label, int attrnamespace, const char *name, struct uio *uio)
{
	struct vattr attr;
	int err;

	if (mac_bsdextended_enabled == 0)
		return (0);

	if ((err = VOP_GETATTR(vp, &attr, cred, curthread)) != 0)
		return (err);
	return (mac_bsdextended_check(cred, attr.va_uid, attr.va_gid, VREAD));
}
  485 
/*
 * link(2): the rules must grant VWRITE on the directory receiving the
 * new name and VWRITE on the file being linked, in that order.  Labels
 * and the component name are unused; this policy keys on uid/gid.
 *
 * Returns 0, a VOP_GETATTR() error, or EACCES from the rule table.
 */
static int
mac_bsdextended_check_vnode_link(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct vnode *vp, struct label *label,
    struct componentname *cnp)
{
	struct vattr attr;
	int err;

	if (mac_bsdextended_enabled == 0)
		return (0);

	/* Target directory. */
	if ((err = VOP_GETATTR(dvp, &attr, cred, curthread)) != 0)
		return (err);
	if ((err = mac_bsdextended_check(cred, attr.va_uid, attr.va_gid,
	    VWRITE)) != 0)
		return (err);

	/* The existing file; attr is reused for its attributes. */
	if ((err = VOP_GETATTR(vp, &attr, cred, curthread)) != 0)
		return (err);
	return (mac_bsdextended_check(cred, attr.va_uid, attr.va_gid, VWRITE));
}
  512 
/*
 * Listing extended attributes counts as a read of the vnode: the rules
 * must grant VREAD.  The namespace and label are not consulted.
 *
 * Returns 0, the VOP_GETATTR() error, or EACCES from the rule table.
 */
static int
mac_bsdextended_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
    struct label *label, int attrnamespace)
{
	struct vattr attr;
	int err;

	if (mac_bsdextended_enabled == 0)
		return (0);

	if ((err = VOP_GETATTR(vp, &attr, cred, curthread)) != 0)
		return (err);
	return (mac_bsdextended_check(cred, attr.va_uid, attr.va_gid, VREAD));
}
  528 
/*
 * Name lookup in dvp: the rules must grant VEXEC (search) on the
 * directory.  The component name and dlabel are not consulted.
 *
 * Returns 0, the VOP_GETATTR() error, or EACCES from the rule table.
 */
static int
mac_bsdextended_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct componentname *cnp)
{
	struct vattr dattr;
	int err;

	if (mac_bsdextended_enabled == 0)
		return (0);

	if ((err = VOP_GETATTR(dvp, &dattr, cred, curthread)) != 0)
		return (err);
	return (mac_bsdextended_check(cred, dattr.va_uid, dattr.va_gid, VEXEC));
}
  544 
/*
 * open(2): the caller's acc_mode is passed to the rule table as-is
 * (append is folded into write there).  filelabel is unused; this policy
 * keys on uid/gid.
 *
 * Returns 0, the VOP_GETATTR() error, or EACCES from the rule table.
 */
static int
mac_bsdextended_check_vnode_open(struct ucred *cred, struct vnode *vp,
    struct label *filelabel, int acc_mode)
{
	struct vattr attr;
	int err;

	if (mac_bsdextended_enabled == 0)
		return (0);

	if ((err = VOP_GETATTR(vp, &attr, cred, curthread)) != 0)
		return (err);
	return (mac_bsdextended_check(cred, attr.va_uid, attr.va_gid,
	    acc_mode));
}
  560 
/*
 * Reading a directory: the rules must grant VREAD on it.  dlabel is
 * unused; this policy keys on uid/gid.
 *
 * Returns 0, the VOP_GETATTR() error, or EACCES from the rule table.
 */
static int
mac_bsdextended_check_vnode_readdir(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel)
{
	struct vattr dattr;
	int err;

	if (mac_bsdextended_enabled == 0)
		return (0);

	if ((err = VOP_GETATTR(dvp, &dattr, cred, curthread)) != 0)
		return (err);
	return (mac_bsdextended_check(cred, dattr.va_uid, dattr.va_gid, VREAD));
}
  576 
/*
 * readlink(2): the rules must grant VREAD on the symlink.  The label is
 * unused; this policy keys on uid/gid.  (The function name carries the
 * historical "readdlink" spelling; it is wired to mpo_check_vnode_readlink.)
 *
 * Returns 0, the VOP_GETATTR() error, or EACCES from the rule table.
 */
static int
mac_bsdextended_check_vnode_readdlink(struct ucred *cred, struct vnode *vp,
    struct label *label)
{
	struct vattr attr;
	int err;

	if (mac_bsdextended_enabled == 0)
		return (0);

	if ((err = VOP_GETATTR(vp, &attr, cred, curthread)) != 0)
		return (err);
	return (mac_bsdextended_check(cred, attr.va_uid, attr.va_gid, VREAD));
}
  592 
/*
 * Source side of rename(2): the rules must grant VWRITE on the source
 * directory and VWRITE on the object being renamed, in that order.
 * Labels and the component name are unused; this policy keys on uid/gid.
 *
 * Returns 0, a VOP_GETATTR() error, or EACCES from the rule table.
 */
static int
mac_bsdextended_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct vnode *vp, struct label *label,
    struct componentname *cnp)
{
	struct vattr attr;
	int err;

	if (mac_bsdextended_enabled == 0)
		return (0);

	/* Source directory. */
	if ((err = VOP_GETATTR(dvp, &attr, cred, curthread)) != 0)
		return (err);
	if ((err = mac_bsdextended_check(cred, attr.va_uid, attr.va_gid,
	    VWRITE)) != 0)
		return (err);

	/* The object itself; attr is reused for its attributes. */
	if ((err = VOP_GETATTR(vp, &attr, cred, curthread)) != 0)
		return (err);
	return (mac_bsdextended_check(cred, attr.va_uid, attr.va_gid, VWRITE));
}
  617 
/*
 * Destination side of rename(2): the rules must grant VWRITE on the
 * destination directory and, when an existing object is being replaced
 * (vp != NULL), VWRITE on that object too.  samedir, the labels and the
 * component name are not consulted.
 *
 * Returns 0, a VOP_GETATTR() error, or EACCES from the rule table.
 */
static int
mac_bsdextended_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct vnode *vp, struct label *label, int samedir,
    struct componentname *cnp)
{
	struct vattr attr;
	int err;

	if (mac_bsdextended_enabled == 0)
		return (0);

	/* Destination directory. */
	if ((err = VOP_GETATTR(dvp, &attr, cred, curthread)) != 0)
		return (err);
	err = mac_bsdextended_check(cred, attr.va_uid, attr.va_gid, VWRITE);
	/* Denied, or nothing is being overwritten: we are done. */
	if (err != 0 || vp == NULL)
		return (err);

	/* An existing object would be replaced; check it as well. */
	if ((err = VOP_GETATTR(vp, &attr, cred, curthread)) != 0)
		return (err);
	return (mac_bsdextended_check(cred, attr.va_uid, attr.va_gid, VWRITE));
}
  646 
/*
 * revoke(2): an administrative operation, the rules must grant VADMIN.
 * The label is unused; this policy keys on uid/gid.
 *
 * Returns 0, the VOP_GETATTR() error, or EACCES from the rule table.
 */
static int
mac_bsdextended_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
    struct label *label)
{
	struct vattr attr;
	int err;

	if (mac_bsdextended_enabled == 0)
		return (0);

	if ((err = VOP_GETATTR(vp, &attr, cred, curthread)) != 0)
		return (err);
	return (mac_bsdextended_check(cred, attr.va_uid, attr.va_gid, VADMIN));
}
  662 
/*
 * Setting an ACL: an administrative operation, the rules must grant
 * VADMIN.  The ACL contents, type and label are not consulted.
 *
 * Returns 0, the VOP_GETATTR() error, or EACCES from the rule table.
 */
static int
mac_bsdextended_check_setacl_vnode(struct ucred *cred, struct vnode *vp,
    struct label *label, acl_type_t type, struct acl *acl)
{
	struct vattr attr;
	int err;

	if (mac_bsdextended_enabled == 0)
		return (0);

	if ((err = VOP_GETATTR(vp, &attr, cred, curthread)) != 0)
		return (err);
	return (mac_bsdextended_check(cred, attr.va_uid, attr.va_gid, VADMIN));
}
  678 
/*
 * Setting an extended attribute counts as a write to the vnode: the
 * rules must grant VWRITE.  The namespace, name, uio and label are not
 * consulted.
 *
 * Returns 0, the VOP_GETATTR() error, or EACCES from the rule table.
 */
static int
mac_bsdextended_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
    struct label *label, int attrnamespace, const char *name, struct uio *uio)
{
	struct vattr attr;
	int err;

	if (mac_bsdextended_enabled == 0)
		return (0);

	if ((err = VOP_GETATTR(vp, &attr, cred, curthread)) != 0)
		return (err);
	return (mac_bsdextended_check(cred, attr.va_uid, attr.va_gid, VWRITE));
}
  694 
/*
 * chflags(2): an administrative operation, the rules must grant VADMIN.
 * The new flags value and label are not consulted.
 *
 * Returns 0, the VOP_GETATTR() error, or EACCES from the rule table.
 */
static int
mac_bsdextended_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
    struct label *label, u_long flags)
{
	struct vattr attr;
	int err;

	if (mac_bsdextended_enabled == 0)
		return (0);

	if ((err = VOP_GETATTR(vp, &attr, cred, curthread)) != 0)
		return (err);
	return (mac_bsdextended_check(cred, attr.va_uid, attr.va_gid, VADMIN));
}
  710 
/*
 * chmod(2): an administrative operation, the rules must grant VADMIN.
 * The new mode and label are not consulted.
 *
 * Returns 0, the VOP_GETATTR() error, or EACCES from the rule table.
 */
static int
mac_bsdextended_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
    struct label *label, mode_t mode)
{
	struct vattr attr;
	int err;

	if (mac_bsdextended_enabled == 0)
		return (0);

	if ((err = VOP_GETATTR(vp, &attr, cred, curthread)) != 0)
		return (err);
	return (mac_bsdextended_check(cred, attr.va_uid, attr.va_gid, VADMIN));
}
  726 
/*
 * chown(2): an administrative operation, the rules must grant VADMIN on
 * the vnode's *current* owner/group.  The requested new uid/gid and the
 * label are not consulted.
 *
 * Returns 0, the VOP_GETATTR() error, or EACCES from the rule table.
 */
static int
mac_bsdextended_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
    struct label *label, uid_t uid, gid_t gid)
{
	struct vattr attr;
	int err;

	if (mac_bsdextended_enabled == 0)
		return (0);

	if ((err = VOP_GETATTR(vp, &attr, cred, curthread)) != 0)
		return (err);
	return (mac_bsdextended_check(cred, attr.va_uid, attr.va_gid, VADMIN));
}
  742 
/*
 * utimes(2): an administrative operation, the rules must grant VADMIN.
 * The timestamps and label are not consulted.
 *
 * Returns 0, the VOP_GETATTR() error, or EACCES from the rule table.
 */
static int
mac_bsdextended_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
    struct label *label, struct timespec atime, struct timespec utime)
{
	struct vattr attr;
	int err;

	if (mac_bsdextended_enabled == 0)
		return (0);

	if ((err = VOP_GETATTR(vp, &attr, cred, curthread)) != 0)
		return (err);
	return (mac_bsdextended_check(cred, attr.va_uid, attr.va_gid, VADMIN));
}
  758 
/*
 * stat(2)/fstat(2): the rules must grant VSTAT.  Only active_cred is
 * used, both for the attribute fetch and as the rule subject; file_cred
 * (the credential the file was opened with) and the label are ignored.
 *
 * Returns 0, the VOP_GETATTR() error, or EACCES from the rule table.
 */
static int
mac_bsdextended_check_vnode_stat(struct ucred *active_cred,
    struct ucred *file_cred, struct vnode *vp, struct label *label)
{
	struct vattr attr;
	int err;

	if (mac_bsdextended_enabled == 0)
		return (0);

	if ((err = VOP_GETATTR(vp, &attr, active_cred, curthread)) != 0)
		return (err);
	return (mac_bsdextended_check(active_cred, attr.va_uid, attr.va_gid,
	    VSTAT));
}
  775 
/*
 * Entry points registered with the MAC framework.  Only vnode checks
 * and swapon are covered; any hook not listed here is left to the other
 * policies and the discretionary checks.
 */
static struct mac_policy_ops mac_bsdextended_ops = {
	/* Lifecycle. */
	.mpo_init = mac_bsdextended_init,
	.mpo_destroy = mac_bsdextended_destroy,

	/* System. */
	.mpo_check_system_swapon = mac_bsdextended_check_system_swapon,

	/* Vnode: each resolves the vnode's owner/group and consults the rules. */
	.mpo_check_vnode_access = mac_bsdextended_check_vnode_access,
	.mpo_check_vnode_chdir = mac_bsdextended_check_vnode_chdir,
	.mpo_check_vnode_chroot = mac_bsdextended_check_vnode_chroot,
	.mpo_check_vnode_create = mac_bsdextended_check_create_vnode,
	.mpo_check_vnode_delete = mac_bsdextended_check_vnode_delete,
	.mpo_check_vnode_deleteacl = mac_bsdextended_check_vnode_deleteacl,
	.mpo_check_vnode_deleteextattr = mac_bsdextended_check_vnode_deleteextattr,
	.mpo_check_vnode_exec = mac_bsdextended_check_vnode_exec,
	.mpo_check_vnode_getacl = mac_bsdextended_check_vnode_getacl,
	.mpo_check_vnode_getextattr = mac_bsdextended_check_vnode_getextattr,
	.mpo_check_vnode_link = mac_bsdextended_check_vnode_link,
	.mpo_check_vnode_listextattr = mac_bsdextended_check_vnode_listextattr,
	.mpo_check_vnode_lookup = mac_bsdextended_check_vnode_lookup,
	.mpo_check_vnode_open = mac_bsdextended_check_vnode_open,
	.mpo_check_vnode_readdir = mac_bsdextended_check_vnode_readdir,
	.mpo_check_vnode_readlink = mac_bsdextended_check_vnode_readdlink,
	.mpo_check_vnode_rename_from = mac_bsdextended_check_vnode_rename_from,
	.mpo_check_vnode_rename_to = mac_bsdextended_check_vnode_rename_to,
	.mpo_check_vnode_revoke = mac_bsdextended_check_vnode_revoke,
	.mpo_check_vnode_setacl = mac_bsdextended_check_setacl_vnode,
	.mpo_check_vnode_setextattr = mac_bsdextended_check_vnode_setextattr,
	.mpo_check_vnode_setflags = mac_bsdextended_check_vnode_setflags,
	.mpo_check_vnode_setmode = mac_bsdextended_check_vnode_setmode,
	.mpo_check_vnode_setowner = mac_bsdextended_check_vnode_setowner,
	.mpo_check_vnode_setutimes = mac_bsdextended_check_vnode_setutimes,
	.mpo_check_vnode_stat = mac_bsdextended_check_vnode_stat,
};
  808 
/*
 * Register the policy.  MPC_LOADTIME_FLAG_UNLOADOK permits unloading the
 * module; no per-policy label slot is requested (final argument NULL).
 */
MAC_POLICY_SET(&mac_bsdextended_ops, mac_bsdextended,
    "TrustedBSD MAC/BSD Extended", MPC_LOADTIME_FLAG_UNLOADOK, NULL);
