1 /*-
2 * Copyright (c) 2005 Tom Rhodes
3 * Copyright (c) 1999-2002 Robert N. M. Watson
4 * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
5 * All rights reserved.
6 *
7 * This software was developed by Robert Watson for the TrustedBSD Project.
8 * It was later enhanced by Tom Rhodes for the TrustedBSD Project.
9 *
10 * This software was developed for the FreeBSD Project in part by Network
11 * Associates Laboratories, the Security Research Division of Network
12 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
13 * as part of the DARPA CHATS research program.
14 *
15 * Redistribution and use in source and binary forms, with or without
16 * modification, are permitted provided that the following conditions
17 * are met:
18 * 1. Redistributions of source code must retain the above copyright
19 * notice, this list of conditions and the following disclaimer.
20 * 2. Redistributions in binary form must reproduce the above copyright
21 * notice, this list of conditions and the following disclaimer in the
22 * documentation and/or other materials provided with the distribution.
23 *
24 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
25 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
26 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
27 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
28 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
29 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
30 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
31 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
32 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
33 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 * SUCH DAMAGE.
35 *
36 * $FreeBSD: releng/6.2/sys/security/mac_bsdextended/mac_bsdextended.c 161513 2006-08-21 15:59:48Z dwmalone $
37 */
38
39 /*
40 * Developed by the TrustedBSD Project.
41 * "BSD Extended" MAC policy, allowing the administrator to impose
42 * mandatory rules regarding users and some system objects.
43 */
44
45 #include <sys/types.h>
46 #include <sys/param.h>
47 #include <sys/acl.h>
48 #include <sys/conf.h>
49 #include <sys/kernel.h>
50 #include <sys/jail.h>
51 #include <sys/lock.h>
52 #include <sys/mac.h>
53 #include <sys/malloc.h>
54 #include <sys/mount.h>
55 #include <sys/mutex.h>
56 #include <sys/proc.h>
57 #include <sys/systm.h>
58 #include <sys/sysproto.h>
59 #include <sys/sysent.h>
60 #include <sys/vnode.h>
61 #include <sys/file.h>
62 #include <sys/socket.h>
63 #include <sys/socketvar.h>
64 #include <sys/sysctl.h>
65 #include <sys/syslog.h>
66 #include <sys/ucred.h>
67
68 #include <net/bpfdesc.h>
69 #include <net/if.h>
70 #include <net/if_types.h>
71 #include <net/if_var.h>
72
73 #include <vm/vm.h>
74
75 #include <sys/mac_policy.h>
76
77 #include <security/mac_bsdextended/mac_bsdextended.h>
78
79 static struct mtx mac_bsdextended_mtx;
80
81 SYSCTL_DECL(_security_mac);
82
83 SYSCTL_NODE(_security_mac, OID_AUTO, bsdextended, CTLFLAG_RW, 0,
84 "TrustedBSD extended BSD MAC policy controls");
85
86 static int mac_bsdextended_enabled = 1;
87 SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, enabled, CTLFLAG_RW,
88 &mac_bsdextended_enabled, 0, "Enforce extended BSD policy");
89 TUNABLE_INT("security.mac.bsdextended.enabled", &mac_bsdextended_enabled);
90
91 MALLOC_DEFINE(M_MACBSDEXTENDED, "mac_bsdextended", "BSD Extended MAC rule");
92
93 #define MAC_BSDEXTENDED_MAXRULES 250
94 static struct mac_bsdextended_rule *rules[MAC_BSDEXTENDED_MAXRULES];
95 static int rule_count = 0;
96 static int rule_slots = 0;
97 static int rule_version = MB_VERSION;
98
99 SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, rule_count, CTLFLAG_RD,
100 &rule_count, 0, "Number of defined rules\n");
101 SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, rule_slots, CTLFLAG_RD,
102 &rule_slots, 0, "Number of used rule slots\n");
103 SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, rule_version, CTLFLAG_RD,
104 &rule_version, 0, "Version number for API\n");
105
106 /*
107 * This is just used for logging purposes, eventually we would like
108 * to log much more then failed requests.
109 */
110 static int mac_bsdextended_logging;
111 SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, logging, CTLFLAG_RW,
112 &mac_bsdextended_logging, 0, "Log failed authorization requests");
113
114 /*
115 * This tunable is here for compatibility. It will allow the user
116 * to switch between the new mode (first rule matches) and the old
117 * functionality (all rules match).
118 */
119 static int
120 mac_bsdextended_firstmatch_enabled;
121 SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, firstmatch_enabled,
122 CTLFLAG_RW, &mac_bsdextended_firstmatch_enabled, 1,
123 "Disable/enable match first rule functionality");
124
125 static int
126 mac_bsdextended_rule_valid(struct mac_bsdextended_rule *rule)
127 {
128
129 if ((rule->mbr_subject.mbs_flags | MBS_ALL_FLAGS) != MBS_ALL_FLAGS)
130 return (EINVAL);
131
132 if ((rule->mbr_subject.mbs_neg | MBS_ALL_FLAGS) != MBS_ALL_FLAGS)
133 return (EINVAL);
134
135 if ((rule->mbr_object.mbo_flags | MBO_ALL_FLAGS) != MBO_ALL_FLAGS)
136 return (EINVAL);
137
138 if ((rule->mbr_object.mbo_neg | MBO_ALL_FLAGS) != MBO_ALL_FLAGS)
139 return (EINVAL);
140
141 if ((rule->mbr_object.mbo_neg | MBO_TYPE_DEFINED) &&
142 (rule->mbr_object.mbo_type | MBO_ALL_TYPE) != MBO_ALL_TYPE)
143 return (EINVAL);
144
145 if ((rule->mbr_mode | MBI_ALLPERM) != MBI_ALLPERM)
146 return (EINVAL);
147
148 return (0);
149 }
150
151 static int
152 sysctl_rule(SYSCTL_HANDLER_ARGS)
153 {
154 struct mac_bsdextended_rule temprule, *ruleptr;
155 u_int namelen;
156 int error, index, *name;
157
158 error = 0;
159 name = (int *)arg1;
160 namelen = arg2;
161
162 /* printf("bsdextended sysctl handler (namelen %d)\n", namelen); */
163
164 if (namelen != 1)
165 return (EINVAL);
166
167 index = name[0];
168 if (index >= MAC_BSDEXTENDED_MAXRULES)
169 return (ENOENT);
170
171 ruleptr = NULL;
172 if (req->newptr && req->newlen != 0) {
173 error = SYSCTL_IN(req, &temprule, sizeof(temprule));
174 if (error)
175 return (error);
176 MALLOC(ruleptr, struct mac_bsdextended_rule *,
177 sizeof(*ruleptr), M_MACBSDEXTENDED, M_WAITOK | M_ZERO);
178 }
179
180 mtx_lock(&mac_bsdextended_mtx);
181
182 if (req->oldptr) {
183 if (index < 0 || index > rule_slots + 1) {
184 error = ENOENT;
185 goto out;
186 }
187 if (rules[index] == NULL) {
188 error = ENOENT;
189 goto out;
190 }
191 temprule = *rules[index];
192 }
193
194 if (req->newptr && req->newlen == 0) {
195 /* printf("deletion\n"); */
196 KASSERT(ruleptr == NULL, ("sysctl_rule: ruleptr != NULL"));
197 ruleptr = rules[index];
198 if (ruleptr == NULL) {
199 error = ENOENT;
200 goto out;
201 }
202 rule_count--;
203 rules[index] = NULL;
204 } else if (req->newptr) {
205 error = mac_bsdextended_rule_valid(&temprule);
206 if (error)
207 goto out;
208
209 if (rules[index] == NULL) {
210 /* printf("addition\n"); */
211 *ruleptr = temprule;
212 rules[index] = ruleptr;
213 ruleptr = NULL;
214 if (index + 1 > rule_slots)
215 rule_slots = index + 1;
216 rule_count++;
217 } else {
218 /* printf("replacement\n"); */
219 *rules[index] = temprule;
220 }
221 }
222
223 out:
224 mtx_unlock(&mac_bsdextended_mtx);
225 if (ruleptr != NULL)
226 FREE(ruleptr, M_MACBSDEXTENDED);
227 if (req->oldptr && error == 0)
228 error = SYSCTL_OUT(req, &temprule, sizeof(temprule));
229
230 return (error);
231 }
232
233 SYSCTL_NODE(_security_mac_bsdextended, OID_AUTO, rules,
234 CTLFLAG_RW, sysctl_rule, "BSD extended MAC rules");
235
236 static void
237 mac_bsdextended_init(struct mac_policy_conf *mpc)
238 {
239
240 /* Initialize ruleset lock. */
241 mtx_init(&mac_bsdextended_mtx, "mac_bsdextended lock", NULL, MTX_DEF);
242
243 /* Register dynamic sysctl's for rules. */
244 }
245
246 static void
247 mac_bsdextended_destroy(struct mac_policy_conf *mpc)
248 {
249
250 /* Destroy ruleset lock. */
251 mtx_destroy(&mac_bsdextended_mtx);
252
253 /* Tear down sysctls. */
254 }
255
256 static int
257 mac_bsdextended_rulecheck(struct mac_bsdextended_rule *rule,
258 struct ucred *cred, struct vnode *vp, struct vattr *vap, int acc_mode)
259 {
260 int match;
261 int i;
262
263 /*
264 * Is there a subject match?
265 */
266 mtx_assert(&mac_bsdextended_mtx, MA_OWNED);
267 if (rule->mbr_subject.mbs_flags & MBS_UID_DEFINED) {
268 match = ((cred->cr_uid <= rule->mbr_subject.mbs_uid_max &&
269 cred->cr_uid >= rule->mbr_subject.mbs_uid_min) ||
270 (cred->cr_ruid <= rule->mbr_subject.mbs_uid_max &&
271 cred->cr_ruid >= rule->mbr_subject.mbs_uid_min) ||
272 (cred->cr_svuid <= rule->mbr_subject.mbs_uid_max &&
273 cred->cr_svuid >= rule->mbr_subject.mbs_uid_min));
274
275 if (rule->mbr_subject.mbs_neg & MBS_UID_DEFINED)
276 match = !match;
277
278 if (!match)
279 return (0);
280 }
281
282 if (rule->mbr_subject.mbs_flags & MBS_GID_DEFINED) {
283 match = ((cred->cr_rgid <= rule->mbr_subject.mbs_gid_max &&
284 cred->cr_rgid >= rule->mbr_subject.mbs_gid_min) ||
285 (cred->cr_svgid <= rule->mbr_subject.mbs_gid_max &&
286 cred->cr_svgid >= rule->mbr_subject.mbs_gid_min));
287
288 if (!match) {
289 for (i = 0; i < cred->cr_ngroups; i++)
290 if (cred->cr_groups[i]
291 <= rule->mbr_subject.mbs_gid_max &&
292 cred->cr_groups[i]
293 >= rule->mbr_subject.mbs_gid_min) {
294 match = 1;
295 break;
296 }
297 }
298
299 if (rule->mbr_subject.mbs_neg & MBS_GID_DEFINED)
300 match = !match;
301
302 if (!match)
303 return (0);
304 }
305
306 if (rule->mbr_subject.mbs_flags & MBS_PRISON_DEFINED) {
307 match = (cred->cr_prison != NULL &&
308 cred->cr_prison->pr_id == rule->mbr_subject.mbs_prison);
309
310 if (rule->mbr_subject.mbs_neg & MBS_PRISON_DEFINED)
311 match = !match;
312
313 if (!match)
314 return (0);
315 }
316
317 /*
318 * Is there an object match?
319 */
320 if (rule->mbr_object.mbo_flags & MBO_UID_DEFINED) {
321 match = (vap->va_uid <= rule->mbr_object.mbo_uid_max &&
322 vap->va_uid >= rule->mbr_object.mbo_uid_min);
323
324 if (rule->mbr_object.mbo_neg & MBO_UID_DEFINED)
325 match = !match;
326
327 if (!match)
328 return (0);
329 }
330
331 if (rule->mbr_object.mbo_flags & MBO_GID_DEFINED) {
332 match = (vap->va_gid <= rule->mbr_object.mbo_gid_max &&
333 vap->va_gid >= rule->mbr_object.mbo_gid_min);
334
335 if (rule->mbr_object.mbo_neg & MBO_GID_DEFINED)
336 match = !match;
337
338 if (!match)
339 return (0);
340 }
341
342 if (rule->mbr_object.mbo_flags & MBO_FSID_DEFINED) {
343 match = (bcmp(&(vp->v_mount->mnt_stat.f_fsid),
344 &(rule->mbr_object.mbo_fsid),
345 sizeof(rule->mbr_object.mbo_fsid)) == 0);
346
347 if (rule->mbr_object.mbo_neg & MBO_FSID_DEFINED)
348 match = !match;
349
350 if (!match)
351 return 0;
352 }
353
354 if (rule->mbr_object.mbo_flags & MBO_SUID) {
355 match = (vap->va_mode & VSUID);
356
357 if (rule->mbr_object.mbo_neg & MBO_SUID)
358 match = !match;
359
360 if (!match)
361 return 0;
362 }
363
364 if (rule->mbr_object.mbo_flags & MBO_SGID) {
365 match = (vap->va_mode & VSGID);
366
367 if (rule->mbr_object.mbo_neg & MBO_SGID)
368 match = !match;
369
370 if (!match)
371 return 0;
372 }
373
374 if (rule->mbr_object.mbo_flags & MBO_UID_SUBJECT) {
375 match = (vap->va_uid == cred->cr_uid ||
376 vap->va_uid == cred->cr_ruid ||
377 vap->va_uid == cred->cr_svuid);
378
379 if (rule->mbr_object.mbo_neg & MBO_UID_SUBJECT)
380 match = !match;
381
382 if (!match)
383 return 0;
384 }
385
386 if (rule->mbr_object.mbo_flags & MBO_GID_SUBJECT) {
387 match = (groupmember(vap->va_gid, cred) ||
388 vap->va_gid == cred->cr_rgid ||
389 vap->va_gid == cred->cr_svgid);
390
391 if (rule->mbr_object.mbo_neg & MBO_GID_SUBJECT)
392 match = !match;
393
394 if (!match)
395 return 0;
396 }
397
398 if (rule->mbr_object.mbo_flags & MBO_TYPE_DEFINED) {
399 switch (vap->va_type) {
400 case VREG:
401 match = (rule->mbr_object.mbo_type & MBO_TYPE_REG);
402 break;
403 case VDIR:
404 match = (rule->mbr_object.mbo_type & MBO_TYPE_DIR);
405 break;
406 case VBLK:
407 match = (rule->mbr_object.mbo_type & MBO_TYPE_BLK);
408 break;
409 case VCHR:
410 match = (rule->mbr_object.mbo_type & MBO_TYPE_CHR);
411 break;
412 case VLNK:
413 match = (rule->mbr_object.mbo_type & MBO_TYPE_LNK);
414 break;
415 case VSOCK:
416 match = (rule->mbr_object.mbo_type & MBO_TYPE_SOCK);
417 break;
418 case VFIFO:
419 match = (rule->mbr_object.mbo_type & MBO_TYPE_FIFO);
420 break;
421 default:
422 match = 0;
423 }
424
425 if (rule->mbr_object.mbo_neg & MBO_TYPE_DEFINED)
426 match = !match;
427
428 if (!match)
429 return 0;
430 }
431
432 /*
433 * Is the access permitted?
434 */
435 if ((rule->mbr_mode & acc_mode) != acc_mode) {
436 if (mac_bsdextended_logging)
437 log(LOG_AUTHPRIV, "mac_bsdextended: %d:%d request %d"
438 " on %d:%d failed. \n", cred->cr_ruid,
439 cred->cr_rgid, acc_mode, vap->va_uid, vap->va_gid);
440 return (EACCES); /* Matching rule denies access */
441 }
442
443 /*
444 * If the rule matched, permits access, and first match is enabled,
445 * return success.
446 */
447 if (mac_bsdextended_firstmatch_enabled)
448 return (EJUSTRETURN);
449 else
450 return(0);
451 }
452
453 static int
454 mac_bsdextended_check(struct ucred *cred, struct vnode *vp, struct vattr *vap,
455 int acc_mode)
456 {
457 int error, i;
458
459 if (suser_cred(cred, 0) == 0)
460 return (0);
461
462 mtx_lock(&mac_bsdextended_mtx);
463 for (i = 0; i < rule_slots; i++) {
464 if (rules[i] == NULL)
465 continue;
466
467 /*
468 * Since we do not separately handle append, map append to
469 * write.
470 */
471 if (acc_mode & MBI_APPEND) {
472 acc_mode &= ~MBI_APPEND;
473 acc_mode |= MBI_WRITE;
474 }
475
476 error = mac_bsdextended_rulecheck(rules[i], cred,
477 vp, vap, acc_mode);
478 if (error == EJUSTRETURN)
479 break;
480 if (error) {
481 mtx_unlock(&mac_bsdextended_mtx);
482 return (error);
483 }
484 }
485 mtx_unlock(&mac_bsdextended_mtx);
486 return (0);
487 }
488
489 static int
490 mac_bsdextended_check_vp(struct ucred *cred, struct vnode *vp, int acc_mode)
491 {
492 int error;
493 struct vattr vap;
494
495 if (!mac_bsdextended_enabled)
496 return (0);
497
498 error = VOP_GETATTR(vp, &vap, cred, curthread);
499 if (error)
500 return (error);
501
502 return (mac_bsdextended_check(cred, vp, &vap, acc_mode));
503 }
504
505 static int
506 mac_bsdextended_check_system_swapon(struct ucred *cred, struct vnode *vp,
507 struct label *label)
508 {
509
510 return (mac_bsdextended_check_vp(cred, vp, MBI_WRITE));
511 }
512
513 static int
514 mac_bsdextended_check_vnode_access(struct ucred *cred, struct vnode *vp,
515 struct label *label, int acc_mode)
516 {
517
518 return (mac_bsdextended_check_vp(cred, vp, acc_mode));
519 }
520
521 static int
522 mac_bsdextended_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
523 struct label *dlabel)
524 {
525
526 return (mac_bsdextended_check_vp(cred, dvp, MBI_EXEC));
527 }
528
529 static int
530 mac_bsdextended_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
531 struct label *dlabel)
532 {
533
534 return (mac_bsdextended_check_vp(cred, dvp, MBI_EXEC));
535 }
536
537 static int
538 mac_bsdextended_check_create_vnode(struct ucred *cred, struct vnode *dvp,
539 struct label *dlabel, struct componentname *cnp, struct vattr *vap)
540 {
541
542 return (mac_bsdextended_check_vp(cred, dvp, MBI_WRITE));
543 }
544
545 static int
546 mac_bsdextended_check_vnode_delete(struct ucred *cred, struct vnode *dvp,
547 struct label *dlabel, struct vnode *vp, struct label *label,
548 struct componentname *cnp)
549 {
550 int error;
551
552 error = mac_bsdextended_check_vp(cred, dvp, MBI_WRITE);
553 if (error)
554 return (error);
555
556 return (mac_bsdextended_check_vp(cred, vp, MBI_WRITE));
557 }
558
559 static int
560 mac_bsdextended_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
561 struct label *label, acl_type_t type)
562 {
563
564 return (mac_bsdextended_check_vp(cred, vp, MBI_ADMIN));
565 }
566
567 static int
568 mac_bsdextended_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
569 struct label *label, int attrnamespace, const char *name)
570 {
571
572 return (mac_bsdextended_check_vp(cred, vp, MBI_WRITE));
573 }
574
575 static int
576 mac_bsdextended_check_vnode_exec(struct ucred *cred, struct vnode *vp,
577 struct label *label, struct image_params *imgp,
578 struct label *execlabel)
579 {
580
581 return (mac_bsdextended_check_vp(cred, vp, MBI_READ|MBI_EXEC));
582 }
583
584 static int
585 mac_bsdextended_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
586 struct label *label, acl_type_t type)
587 {
588
589 return (mac_bsdextended_check_vp(cred, vp, MBI_STAT));
590 }
591
592 static int
593 mac_bsdextended_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
594 struct label *label, int attrnamespace, const char *name, struct uio *uio)
595 {
596
597 return (mac_bsdextended_check_vp(cred, vp, MBI_READ));
598 }
599
600 static int
601 mac_bsdextended_check_vnode_link(struct ucred *cred, struct vnode *dvp,
602 struct label *dlabel, struct vnode *vp, struct label *label,
603 struct componentname *cnp)
604 {
605 int error;
606
607 error = mac_bsdextended_check_vp(cred, dvp, MBI_WRITE);
608 if (error)
609 return (error);
610
611 error = mac_bsdextended_check_vp(cred, vp, MBI_WRITE);
612 if (error)
613 return (error);
614 return (0);
615 }
616
617 static int
618 mac_bsdextended_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
619 struct label *label, int attrnamespace)
620 {
621
622 return (mac_bsdextended_check_vp(cred, vp, MBI_READ));
623 }
624
625 static int
626 mac_bsdextended_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
627 struct label *dlabel, struct componentname *cnp)
628 {
629
630 return (mac_bsdextended_check_vp(cred, dvp, MBI_EXEC));
631 }
632
633 static int
634 mac_bsdextended_check_vnode_open(struct ucred *cred, struct vnode *vp,
635 struct label *filelabel, int acc_mode)
636 {
637
638 return (mac_bsdextended_check_vp(cred, vp, acc_mode));
639 }
640
641 static int
642 mac_bsdextended_check_vnode_readdir(struct ucred *cred, struct vnode *dvp,
643 struct label *dlabel)
644 {
645
646 return (mac_bsdextended_check_vp(cred, dvp, MBI_READ));
647 }
648
649 static int
650 mac_bsdextended_check_vnode_readdlink(struct ucred *cred, struct vnode *vp,
651 struct label *label)
652 {
653
654 return (mac_bsdextended_check_vp(cred, vp, MBI_READ));
655 }
656
657 static int
658 mac_bsdextended_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
659 struct label *dlabel, struct vnode *vp, struct label *label,
660 struct componentname *cnp)
661 {
662 int error;
663
664 error = mac_bsdextended_check_vp(cred, dvp, MBI_WRITE);
665 if (error)
666 return (error);
667 error = mac_bsdextended_check_vp(cred, vp, MBI_WRITE);
668
669 return (error);
670 }
671
672 static int
673 mac_bsdextended_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
674 struct label *dlabel, struct vnode *vp, struct label *label, int samedir,
675 struct componentname *cnp)
676 {
677 int error;
678
679 error = mac_bsdextended_check_vp(cred, dvp, MBI_WRITE);
680 if (error)
681 return (error);
682
683 if (vp != NULL)
684 error = mac_bsdextended_check_vp(cred, vp, MBI_WRITE);
685
686 return (error);
687 }
688
689 static int
690 mac_bsdextended_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
691 struct label *label)
692 {
693
694 return (mac_bsdextended_check_vp(cred, vp, MBI_ADMIN));
695 }
696
697 static int
698 mac_bsdextended_check_setacl_vnode(struct ucred *cred, struct vnode *vp,
699 struct label *label, acl_type_t type, struct acl *acl)
700 {
701
702 return (mac_bsdextended_check_vp(cred, vp, MBI_ADMIN));
703 }
704
705 static int
706 mac_bsdextended_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
707 struct label *label, int attrnamespace, const char *name, struct uio *uio)
708 {
709
710 return (mac_bsdextended_check_vp(cred, vp, MBI_WRITE));
711 }
712
713 static int
714 mac_bsdextended_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
715 struct label *label, u_long flags)
716 {
717
718 return (mac_bsdextended_check_vp(cred, vp, MBI_ADMIN));
719 }
720
721 static int
722 mac_bsdextended_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
723 struct label *label, mode_t mode)
724 {
725
726 return (mac_bsdextended_check_vp(cred, vp, MBI_ADMIN));
727 }
728
729 static int
730 mac_bsdextended_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
731 struct label *label, uid_t uid, gid_t gid)
732 {
733
734 return (mac_bsdextended_check_vp(cred, vp, MBI_ADMIN));
735 }
736
737 static int
738 mac_bsdextended_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
739 struct label *label, struct timespec atime, struct timespec utime)
740 {
741
742 return (mac_bsdextended_check_vp(cred, vp, MBI_ADMIN));
743 }
744
745 static int
746 mac_bsdextended_check_vnode_stat(struct ucred *active_cred,
747 struct ucred *file_cred, struct vnode *vp, struct label *label)
748 {
749
750 return (mac_bsdextended_check_vp(active_cred, vp, MBI_STAT));
751 }
752
753 static struct mac_policy_ops mac_bsdextended_ops =
754 {
755 .mpo_destroy = mac_bsdextended_destroy,
756 .mpo_init = mac_bsdextended_init,
757 .mpo_check_system_swapon = mac_bsdextended_check_system_swapon,
758 .mpo_check_vnode_access = mac_bsdextended_check_vnode_access,
759 .mpo_check_vnode_chdir = mac_bsdextended_check_vnode_chdir,
760 .mpo_check_vnode_chroot = mac_bsdextended_check_vnode_chroot,
761 .mpo_check_vnode_create = mac_bsdextended_check_create_vnode,
762 .mpo_check_vnode_delete = mac_bsdextended_check_vnode_delete,
763 .mpo_check_vnode_deleteacl = mac_bsdextended_check_vnode_deleteacl,
764 .mpo_check_vnode_deleteextattr = mac_bsdextended_check_vnode_deleteextattr,
765 .mpo_check_vnode_exec = mac_bsdextended_check_vnode_exec,
766 .mpo_check_vnode_getacl = mac_bsdextended_check_vnode_getacl,
767 .mpo_check_vnode_getextattr = mac_bsdextended_check_vnode_getextattr,
768 .mpo_check_vnode_link = mac_bsdextended_check_vnode_link,
769 .mpo_check_vnode_listextattr = mac_bsdextended_check_vnode_listextattr,
770 .mpo_check_vnode_lookup = mac_bsdextended_check_vnode_lookup,
771 .mpo_check_vnode_open = mac_bsdextended_check_vnode_open,
772 .mpo_check_vnode_readdir = mac_bsdextended_check_vnode_readdir,
773 .mpo_check_vnode_readlink = mac_bsdextended_check_vnode_readdlink,
774 .mpo_check_vnode_rename_from = mac_bsdextended_check_vnode_rename_from,
775 .mpo_check_vnode_rename_to = mac_bsdextended_check_vnode_rename_to,
776 .mpo_check_vnode_revoke = mac_bsdextended_check_vnode_revoke,
777 .mpo_check_vnode_setacl = mac_bsdextended_check_setacl_vnode,
778 .mpo_check_vnode_setextattr = mac_bsdextended_check_vnode_setextattr,
779 .mpo_check_vnode_setflags = mac_bsdextended_check_vnode_setflags,
780 .mpo_check_vnode_setmode = mac_bsdextended_check_vnode_setmode,
781 .mpo_check_vnode_setowner = mac_bsdextended_check_vnode_setowner,
782 .mpo_check_vnode_setutimes = mac_bsdextended_check_vnode_setutimes,
783 .mpo_check_vnode_stat = mac_bsdextended_check_vnode_stat,
784 };
785
786 MAC_POLICY_SET(&mac_bsdextended_ops, mac_bsdextended,
787 "TrustedBSD MAC/BSD Extended", MPC_LOADTIME_FLAG_UNLOADOK, NULL);
Cache object: 55f5a9717730d8a70ecf8559917918f3
|