The Design and Implementation of the FreeBSD Operating System, Second Edition
Now available: The Design and Implementation of the FreeBSD Operating System (Second Edition)


[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]

FreeBSD/Linux Kernel Cross Reference
sys/security/mac_bsdextended/mac_bsdextended.c

Version: -  FREEBSD  -  FREEBSD-13-STABLE  -  FREEBSD-13-0  -  FREEBSD-12-STABLE  -  FREEBSD-12-0  -  FREEBSD-11-STABLE  -  FREEBSD-11-0  -  FREEBSD-10-STABLE  -  FREEBSD-10-0  -  FREEBSD-9-STABLE  -  FREEBSD-9-0  -  FREEBSD-8-STABLE  -  FREEBSD-8-0  -  FREEBSD-7-STABLE  -  FREEBSD-7-0  -  FREEBSD-6-STABLE  -  FREEBSD-6-0  -  FREEBSD-5-STABLE  -  FREEBSD-5-0  -  FREEBSD-4-STABLE  -  FREEBSD-3-STABLE  -  FREEBSD22  -  l41  -  OPENBSD  -  linux-2.6  -  MK84  -  PLAN9  -  xnu-8792 
SearchContext: -  none  -  3  -  10 

    1 /*-
    2  * Copyright (c) 2005 Tom Rhodes
    3  * Copyright (c) 1999-2002 Robert N. M. Watson
    4  * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
    5  * All rights reserved.
    6  *
    7  * This software was developed by Robert Watson for the TrustedBSD Project.
    8  * It was later enhanced by Tom Rhodes for the TrustedBSD Project.
    9  *
   10  * This software was developed for the FreeBSD Project in part by Network
   11  * Associates Laboratories, the Security Research Division of Network
   12  * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
   13  * as part of the DARPA CHATS research program.
   14  *
   15  * Redistribution and use in source and binary forms, with or without
   16  * modification, are permitted provided that the following conditions
   17  * are met:
   18  * 1. Redistributions of source code must retain the above copyright
   19  *    notice, this list of conditions and the following disclaimer.
   20  * 2. Redistributions in binary form must reproduce the above copyright
   21  *    notice, this list of conditions and the following disclaimer in the
   22  *    documentation and/or other materials provided with the distribution.
   23  *
   24  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
   25  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
   26  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
   27  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
   28  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
   29  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
   30  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
   31  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
   32  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
   33  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
   34  * SUCH DAMAGE.
   35  *
   36  * $FreeBSD: releng/6.4/sys/security/mac_bsdextended/mac_bsdextended.c 161513 2006-08-21 15:59:48Z dwmalone $
   37  */
   38 
   39 /*
   40  * Developed by the TrustedBSD Project.
   41  * "BSD Extended" MAC policy, allowing the administrator to impose
   42  * mandatory rules regarding users and some system objects.
   43  */
   44 
   45 #include <sys/types.h>
   46 #include <sys/param.h>
   47 #include <sys/acl.h>
   48 #include <sys/conf.h>
   49 #include <sys/kernel.h>
   50 #include <sys/jail.h>
   51 #include <sys/lock.h>
   52 #include <sys/mac.h>
   53 #include <sys/malloc.h>
   54 #include <sys/mount.h>
   55 #include <sys/mutex.h>
   56 #include <sys/proc.h>
   57 #include <sys/systm.h>
   58 #include <sys/sysproto.h>
   59 #include <sys/sysent.h>
   60 #include <sys/vnode.h>
   61 #include <sys/file.h>
   62 #include <sys/socket.h>
   63 #include <sys/socketvar.h>
   64 #include <sys/sysctl.h>
   65 #include <sys/syslog.h>
   66 #include <sys/ucred.h>
   67 
   68 #include <net/bpfdesc.h>
   69 #include <net/if.h>
   70 #include <net/if_types.h>
   71 #include <net/if_var.h>
   72 
   73 #include <vm/vm.h>
   74 
   75 #include <sys/mac_policy.h>
   76 
   77 #include <security/mac_bsdextended/mac_bsdextended.h>
   78 
   79 static struct mtx mac_bsdextended_mtx;
   80 
   81 SYSCTL_DECL(_security_mac);
   82 
   83 SYSCTL_NODE(_security_mac, OID_AUTO, bsdextended, CTLFLAG_RW, 0,
   84     "TrustedBSD extended BSD MAC policy controls");
   85 
   86 static int      mac_bsdextended_enabled = 1;
   87 SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, enabled, CTLFLAG_RW,
   88     &mac_bsdextended_enabled, 0, "Enforce extended BSD policy");
   89 TUNABLE_INT("security.mac.bsdextended.enabled", &mac_bsdextended_enabled);
   90 
   91 MALLOC_DEFINE(M_MACBSDEXTENDED, "mac_bsdextended", "BSD Extended MAC rule");
   92 
   93 #define MAC_BSDEXTENDED_MAXRULES        250
   94 static struct mac_bsdextended_rule *rules[MAC_BSDEXTENDED_MAXRULES];
   95 static int rule_count = 0;
   96 static int rule_slots = 0;
   97 static int rule_version = MB_VERSION;
   98 
   99 SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, rule_count, CTLFLAG_RD,
  100     &rule_count, 0, "Number of defined rules\n");
  101 SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, rule_slots, CTLFLAG_RD,
  102     &rule_slots, 0, "Number of used rule slots\n");
  103 SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, rule_version, CTLFLAG_RD,
  104     &rule_version, 0, "Version number for API\n");
  105 
  106 /*
  107  * This is just used for logging purposes, eventually we would like
  108  * to log much more then failed requests.
  109  */
  110 static int mac_bsdextended_logging;
  111 SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, logging, CTLFLAG_RW,
  112     &mac_bsdextended_logging, 0, "Log failed authorization requests");
  113 
  114 /*
  115  * This tunable is here for compatibility.  It will allow the user
  116  * to switch between the new mode (first rule matches) and the old
  117  * functionality (all rules match).
  118  */
  119 static int
  120 mac_bsdextended_firstmatch_enabled;
  121 SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, firstmatch_enabled,
  122         CTLFLAG_RW, &mac_bsdextended_firstmatch_enabled, 1,
  123         "Disable/enable match first rule functionality");
  124 
  125 static int
  126 mac_bsdextended_rule_valid(struct mac_bsdextended_rule *rule)
  127 {
  128 
  129         if ((rule->mbr_subject.mbs_flags | MBS_ALL_FLAGS) != MBS_ALL_FLAGS)
  130                 return (EINVAL);
  131 
  132         if ((rule->mbr_subject.mbs_neg | MBS_ALL_FLAGS) != MBS_ALL_FLAGS)
  133                 return (EINVAL);
  134 
  135         if ((rule->mbr_object.mbo_flags | MBO_ALL_FLAGS) != MBO_ALL_FLAGS)
  136                 return (EINVAL);
  137 
  138         if ((rule->mbr_object.mbo_neg | MBO_ALL_FLAGS) != MBO_ALL_FLAGS)
  139                 return (EINVAL);
  140 
  141         if ((rule->mbr_object.mbo_neg | MBO_TYPE_DEFINED) &&
  142             (rule->mbr_object.mbo_type | MBO_ALL_TYPE) != MBO_ALL_TYPE)
  143                 return (EINVAL);
  144 
  145         if ((rule->mbr_mode | MBI_ALLPERM) != MBI_ALLPERM)
  146                 return (EINVAL);
  147 
  148         return (0);
  149 }
  150 
  151 static int
  152 sysctl_rule(SYSCTL_HANDLER_ARGS)
  153 {
  154         struct mac_bsdextended_rule temprule, *ruleptr;
  155         u_int namelen;
  156         int error, index, *name;
  157 
  158         error = 0;
  159         name = (int *)arg1;
  160         namelen = arg2;
  161 
  162         /* printf("bsdextended sysctl handler (namelen %d)\n", namelen); */
  163 
  164         if (namelen != 1)
  165                 return (EINVAL);
  166 
  167         index = name[0];
  168         if (index >= MAC_BSDEXTENDED_MAXRULES)
  169                 return (ENOENT);
  170 
  171         ruleptr = NULL;
  172         if (req->newptr && req->newlen != 0) {
  173                 error = SYSCTL_IN(req, &temprule, sizeof(temprule));
  174                 if (error)
  175                         return (error);
  176                 MALLOC(ruleptr, struct mac_bsdextended_rule *,
  177                     sizeof(*ruleptr), M_MACBSDEXTENDED, M_WAITOK | M_ZERO);
  178         }
  179 
  180         mtx_lock(&mac_bsdextended_mtx);
  181 
  182         if (req->oldptr) {
  183                 if (index < 0 || index > rule_slots + 1) {
  184                         error = ENOENT;
  185                         goto out;
  186                 }
  187                 if (rules[index] == NULL) {
  188                         error = ENOENT;
  189                         goto out;
  190                 }
  191                 temprule = *rules[index];
  192         }
  193 
  194         if (req->newptr && req->newlen == 0) {
  195                 /* printf("deletion\n"); */
  196                 KASSERT(ruleptr == NULL, ("sysctl_rule: ruleptr != NULL"));
  197                 ruleptr = rules[index];
  198                 if (ruleptr == NULL) {
  199                         error = ENOENT;
  200                         goto out;
  201                 }
  202                 rule_count--;
  203                 rules[index] = NULL;
  204         } else if (req->newptr) {
  205                 error = mac_bsdextended_rule_valid(&temprule);
  206                 if (error)
  207                         goto out;
  208 
  209                 if (rules[index] == NULL) {
  210                         /* printf("addition\n"); */
  211                         *ruleptr = temprule;
  212                         rules[index] = ruleptr;
  213                         ruleptr = NULL;
  214                         if (index + 1 > rule_slots)
  215                                 rule_slots = index + 1;
  216                         rule_count++;
  217                 } else {
  218                         /* printf("replacement\n"); */
  219                         *rules[index] = temprule;
  220                 }
  221         }
  222 
  223 out:
  224         mtx_unlock(&mac_bsdextended_mtx);
  225         if (ruleptr != NULL)
  226                 FREE(ruleptr, M_MACBSDEXTENDED);
  227         if (req->oldptr && error == 0)
  228                 error = SYSCTL_OUT(req, &temprule, sizeof(temprule));
  229 
  230         return (error);
  231 }
  232 
  233 SYSCTL_NODE(_security_mac_bsdextended, OID_AUTO, rules,
  234     CTLFLAG_RW, sysctl_rule, "BSD extended MAC rules");
  235 
  236 static void
  237 mac_bsdextended_init(struct mac_policy_conf *mpc)
  238 {
  239 
  240         /* Initialize ruleset lock. */
  241         mtx_init(&mac_bsdextended_mtx, "mac_bsdextended lock", NULL, MTX_DEF);
  242 
  243         /* Register dynamic sysctl's for rules. */
  244 }
  245 
  246 static void
  247 mac_bsdextended_destroy(struct mac_policy_conf *mpc)
  248 {
  249 
  250         /* Destroy ruleset lock. */
  251         mtx_destroy(&mac_bsdextended_mtx);
  252 
  253         /* Tear down sysctls. */
  254 }
  255 
  256 static int
  257 mac_bsdextended_rulecheck(struct mac_bsdextended_rule *rule,
  258     struct ucred *cred, struct vnode *vp, struct vattr *vap, int acc_mode)
  259 {
  260         int match;
  261         int i;
  262 
  263         /*
  264          * Is there a subject match?
  265          */
  266         mtx_assert(&mac_bsdextended_mtx, MA_OWNED);
  267         if (rule->mbr_subject.mbs_flags & MBS_UID_DEFINED) {
  268                 match =  ((cred->cr_uid <= rule->mbr_subject.mbs_uid_max &&
  269                     cred->cr_uid >= rule->mbr_subject.mbs_uid_min) ||
  270                     (cred->cr_ruid <= rule->mbr_subject.mbs_uid_max &&
  271                     cred->cr_ruid >= rule->mbr_subject.mbs_uid_min) ||
  272                     (cred->cr_svuid <= rule->mbr_subject.mbs_uid_max &&
  273                     cred->cr_svuid >= rule->mbr_subject.mbs_uid_min));
  274 
  275                 if (rule->mbr_subject.mbs_neg & MBS_UID_DEFINED)
  276                         match = !match;
  277 
  278                 if (!match)
  279                         return (0);
  280         }
  281 
  282         if (rule->mbr_subject.mbs_flags & MBS_GID_DEFINED) {
  283                 match = ((cred->cr_rgid <= rule->mbr_subject.mbs_gid_max &&
  284                     cred->cr_rgid >= rule->mbr_subject.mbs_gid_min) ||
  285                     (cred->cr_svgid <= rule->mbr_subject.mbs_gid_max &&
  286                     cred->cr_svgid >= rule->mbr_subject.mbs_gid_min));
  287 
  288                 if (!match) {
  289                         for (i = 0; i < cred->cr_ngroups; i++)
  290                                 if (cred->cr_groups[i]
  291                                     <= rule->mbr_subject.mbs_gid_max &&
  292                                     cred->cr_groups[i]
  293                                     >= rule->mbr_subject.mbs_gid_min) {
  294                                         match = 1;
  295                                         break;
  296                                 }
  297                 }
  298 
  299                 if (rule->mbr_subject.mbs_neg & MBS_GID_DEFINED)
  300                         match = !match;
  301 
  302                 if (!match)
  303                         return (0);
  304         }
  305 
  306         if (rule->mbr_subject.mbs_flags & MBS_PRISON_DEFINED) {
  307                 match = (cred->cr_prison != NULL &&
  308                     cred->cr_prison->pr_id == rule->mbr_subject.mbs_prison);
  309 
  310                 if (rule->mbr_subject.mbs_neg & MBS_PRISON_DEFINED)
  311                         match = !match;
  312 
  313                 if (!match)
  314                         return (0);
  315         }
  316 
  317         /*
  318          * Is there an object match?
  319          */
  320         if (rule->mbr_object.mbo_flags & MBO_UID_DEFINED) {
  321                 match = (vap->va_uid <= rule->mbr_object.mbo_uid_max &&
  322                     vap->va_uid >= rule->mbr_object.mbo_uid_min);
  323 
  324                 if (rule->mbr_object.mbo_neg & MBO_UID_DEFINED)
  325                         match = !match;
  326 
  327                 if (!match)
  328                         return (0);
  329         }
  330 
  331         if (rule->mbr_object.mbo_flags & MBO_GID_DEFINED) {
  332                 match = (vap->va_gid <= rule->mbr_object.mbo_gid_max &&
  333                     vap->va_gid >= rule->mbr_object.mbo_gid_min);
  334 
  335                 if (rule->mbr_object.mbo_neg & MBO_GID_DEFINED)
  336                         match = !match;
  337 
  338                 if (!match)
  339                         return (0);
  340         }
  341 
  342         if (rule->mbr_object.mbo_flags & MBO_FSID_DEFINED) {
  343                 match = (bcmp(&(vp->v_mount->mnt_stat.f_fsid),
  344                     &(rule->mbr_object.mbo_fsid),
  345                     sizeof(rule->mbr_object.mbo_fsid)) == 0);
  346 
  347                 if (rule->mbr_object.mbo_neg & MBO_FSID_DEFINED)
  348                         match = !match;
  349 
  350                 if (!match)
  351                         return 0;
  352         }
  353 
  354         if (rule->mbr_object.mbo_flags & MBO_SUID) {
  355                 match = (vap->va_mode & VSUID);
  356 
  357                 if (rule->mbr_object.mbo_neg & MBO_SUID)
  358                         match = !match;
  359 
  360                 if (!match)
  361                         return 0;
  362         }
  363 
  364         if (rule->mbr_object.mbo_flags & MBO_SGID) {
  365                 match = (vap->va_mode & VSGID);
  366 
  367                 if (rule->mbr_object.mbo_neg & MBO_SGID)
  368                         match = !match;
  369 
  370                 if (!match)
  371                         return 0;
  372         }
  373 
  374         if (rule->mbr_object.mbo_flags & MBO_UID_SUBJECT) {
  375                 match = (vap->va_uid == cred->cr_uid ||
  376                     vap->va_uid == cred->cr_ruid ||
  377                     vap->va_uid == cred->cr_svuid);
  378 
  379                 if (rule->mbr_object.mbo_neg & MBO_UID_SUBJECT)
  380                         match = !match;
  381 
  382                 if (!match)
  383                         return 0;
  384         }
  385 
  386         if (rule->mbr_object.mbo_flags & MBO_GID_SUBJECT) {
  387                 match = (groupmember(vap->va_gid, cred) ||
  388                     vap->va_gid == cred->cr_rgid ||
  389                     vap->va_gid == cred->cr_svgid);
  390 
  391                 if (rule->mbr_object.mbo_neg & MBO_GID_SUBJECT)
  392                         match = !match;
  393 
  394                 if (!match)
  395                         return 0;
  396         }
  397 
  398         if (rule->mbr_object.mbo_flags & MBO_TYPE_DEFINED) {
  399                 switch (vap->va_type) {
  400                 case VREG:
  401                         match = (rule->mbr_object.mbo_type & MBO_TYPE_REG);
  402                         break;
  403                 case VDIR:
  404                         match = (rule->mbr_object.mbo_type & MBO_TYPE_DIR);
  405                         break;
  406                 case VBLK:
  407                         match = (rule->mbr_object.mbo_type & MBO_TYPE_BLK);
  408                         break;
  409                 case VCHR:
  410                         match = (rule->mbr_object.mbo_type & MBO_TYPE_CHR);
  411                         break;
  412                 case VLNK:
  413                         match = (rule->mbr_object.mbo_type & MBO_TYPE_LNK);
  414                         break;
  415                 case VSOCK:
  416                         match = (rule->mbr_object.mbo_type & MBO_TYPE_SOCK);
  417                         break;
  418                 case VFIFO:
  419                         match = (rule->mbr_object.mbo_type & MBO_TYPE_FIFO);
  420                         break;
  421                 default:
  422                         match = 0;
  423                 }
  424 
  425                 if (rule->mbr_object.mbo_neg & MBO_TYPE_DEFINED)
  426                         match = !match;
  427 
  428                 if (!match)
  429                         return 0;
  430         }
  431 
  432         /*
  433          * Is the access permitted?
  434          */
  435         if ((rule->mbr_mode & acc_mode) != acc_mode) {
  436                 if (mac_bsdextended_logging)
  437                         log(LOG_AUTHPRIV, "mac_bsdextended: %d:%d request %d"
  438                             " on %d:%d failed. \n", cred->cr_ruid,
  439                             cred->cr_rgid, acc_mode, vap->va_uid, vap->va_gid);
  440                 return (EACCES); /* Matching rule denies access */
  441         }
  442 
  443         /*
  444          * If the rule matched, permits access, and first match is enabled,
  445          * return success.
  446          */
  447         if (mac_bsdextended_firstmatch_enabled)
  448                 return (EJUSTRETURN);
  449         else
  450                 return(0);
  451 }
  452 
  453 static int
  454 mac_bsdextended_check(struct ucred *cred, struct vnode *vp, struct vattr *vap,
  455     int acc_mode)
  456 {
  457         int error, i;
  458 
  459         if (suser_cred(cred, 0) == 0)
  460                 return (0);
  461 
  462         mtx_lock(&mac_bsdextended_mtx);
  463         for (i = 0; i < rule_slots; i++) {
  464                 if (rules[i] == NULL)
  465                         continue;
  466 
  467                 /*
  468                  * Since we do not separately handle append, map append to
  469                  * write.
  470                  */
  471                 if (acc_mode & MBI_APPEND) {
  472                         acc_mode &= ~MBI_APPEND;
  473                         acc_mode |= MBI_WRITE;
  474                 }
  475 
  476                 error = mac_bsdextended_rulecheck(rules[i], cred,
  477                     vp, vap, acc_mode);
  478                 if (error == EJUSTRETURN)
  479                         break;
  480                 if (error) {
  481                         mtx_unlock(&mac_bsdextended_mtx);
  482                         return (error);
  483                 }
  484         }
  485         mtx_unlock(&mac_bsdextended_mtx);
  486         return (0);
  487 }
  488 
  489 static int
  490 mac_bsdextended_check_vp(struct ucred *cred, struct vnode *vp, int acc_mode)
  491 {
  492         int error;
  493         struct vattr vap;
  494 
  495         if (!mac_bsdextended_enabled)
  496                 return (0);
  497 
  498         error = VOP_GETATTR(vp, &vap, cred, curthread);
  499         if (error)
  500                 return (error);
  501 
  502         return (mac_bsdextended_check(cred, vp, &vap, acc_mode));
  503 }
  504 
  505 static int
  506 mac_bsdextended_check_system_swapon(struct ucred *cred, struct vnode *vp,
  507     struct label *label)
  508 {
  509 
  510         return (mac_bsdextended_check_vp(cred, vp, MBI_WRITE));
  511 }
  512 
  513 static int
  514 mac_bsdextended_check_vnode_access(struct ucred *cred, struct vnode *vp,
  515     struct label *label, int acc_mode)
  516 {
  517 
  518         return (mac_bsdextended_check_vp(cred, vp, acc_mode));
  519 }
  520 
  521 static int
  522 mac_bsdextended_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
  523     struct label *dlabel)
  524 {
  525 
  526         return (mac_bsdextended_check_vp(cred, dvp, MBI_EXEC));
  527 }
  528 
  529 static int
  530 mac_bsdextended_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
  531     struct label *dlabel)
  532 {
  533 
  534         return (mac_bsdextended_check_vp(cred, dvp, MBI_EXEC));
  535 }
  536 
  537 static int
  538 mac_bsdextended_check_create_vnode(struct ucred *cred, struct vnode *dvp,
  539     struct label *dlabel, struct componentname *cnp, struct vattr *vap)
  540 {
  541 
  542         return (mac_bsdextended_check_vp(cred, dvp, MBI_WRITE));
  543 }
  544 
  545 static int
  546 mac_bsdextended_check_vnode_delete(struct ucred *cred, struct vnode *dvp,
  547     struct label *dlabel, struct vnode *vp, struct label *label,
  548     struct componentname *cnp)
  549 {
  550         int error;
  551 
  552         error = mac_bsdextended_check_vp(cred, dvp, MBI_WRITE);
  553         if (error)
  554                 return (error);
  555 
  556         return (mac_bsdextended_check_vp(cred, vp, MBI_WRITE));
  557 }
  558 
  559 static int
  560 mac_bsdextended_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
  561     struct label *label, acl_type_t type)
  562 {
  563 
  564         return (mac_bsdextended_check_vp(cred, vp, MBI_ADMIN));
  565 }
  566 
  567 static int
  568 mac_bsdextended_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
  569     struct label *label, int attrnamespace, const char *name)
  570 {
  571 
  572         return (mac_bsdextended_check_vp(cred, vp, MBI_WRITE));
  573 }
  574 
  575 static int
  576 mac_bsdextended_check_vnode_exec(struct ucred *cred, struct vnode *vp,
  577     struct label *label, struct image_params *imgp,
  578     struct label *execlabel)
  579 {
  580 
  581         return (mac_bsdextended_check_vp(cred, vp, MBI_READ|MBI_EXEC));
  582 }
  583 
  584 static int
  585 mac_bsdextended_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
  586     struct label *label, acl_type_t type)
  587 {
  588 
  589         return (mac_bsdextended_check_vp(cred, vp, MBI_STAT));
  590 }
  591 
  592 static int
  593 mac_bsdextended_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
  594     struct label *label, int attrnamespace, const char *name, struct uio *uio)
  595 {
  596 
  597         return (mac_bsdextended_check_vp(cred, vp, MBI_READ));
  598 }
  599 
  600 static int
  601 mac_bsdextended_check_vnode_link(struct ucred *cred, struct vnode *dvp,
  602     struct label *dlabel, struct vnode *vp, struct label *label,
  603     struct componentname *cnp)
  604 {
  605         int error;
  606 
  607         error = mac_bsdextended_check_vp(cred, dvp, MBI_WRITE);
  608         if (error)
  609                 return (error);
  610 
  611         error = mac_bsdextended_check_vp(cred, vp, MBI_WRITE);
  612         if (error)
  613                 return (error);
  614         return (0);
  615 }
  616 
  617 static int
  618 mac_bsdextended_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
  619     struct label *label, int attrnamespace)
  620 {
  621 
  622         return (mac_bsdextended_check_vp(cred, vp, MBI_READ));
  623 }
  624 
  625 static int
  626 mac_bsdextended_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
  627     struct label *dlabel, struct componentname *cnp)
  628 {
  629 
  630         return (mac_bsdextended_check_vp(cred, dvp, MBI_EXEC));
  631 }
  632 
  633 static int
  634 mac_bsdextended_check_vnode_open(struct ucred *cred, struct vnode *vp,
  635     struct label *filelabel, int acc_mode)
  636 {
  637 
  638         return (mac_bsdextended_check_vp(cred, vp, acc_mode));
  639 }
  640 
  641 static int
  642 mac_bsdextended_check_vnode_readdir(struct ucred *cred, struct vnode *dvp,
  643     struct label *dlabel)
  644 {
  645 
  646         return (mac_bsdextended_check_vp(cred, dvp, MBI_READ));
  647 }
  648 
  649 static int
  650 mac_bsdextended_check_vnode_readdlink(struct ucred *cred, struct vnode *vp,
  651     struct label *label)
  652 {
  653 
  654         return (mac_bsdextended_check_vp(cred, vp, MBI_READ));
  655 }
  656 
  657 static int
  658 mac_bsdextended_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
  659     struct label *dlabel, struct vnode *vp, struct label *label,
  660     struct componentname *cnp)
  661 {
  662         int error;
  663 
  664         error = mac_bsdextended_check_vp(cred, dvp, MBI_WRITE);
  665         if (error)
  666                 return (error);
  667         error = mac_bsdextended_check_vp(cred, vp, MBI_WRITE);
  668 
  669         return (error);
  670 }
  671 
  672 static int
  673 mac_bsdextended_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
  674     struct label *dlabel, struct vnode *vp, struct label *label, int samedir,
  675     struct componentname *cnp)
  676 {
  677         int error;
  678 
  679         error = mac_bsdextended_check_vp(cred, dvp, MBI_WRITE);
  680         if (error)
  681                 return (error);
  682 
  683         if (vp != NULL)
  684                 error = mac_bsdextended_check_vp(cred, vp, MBI_WRITE);
  685 
  686         return (error);
  687 }
  688 
  689 static int
  690 mac_bsdextended_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
  691     struct label *label)
  692 {
  693 
  694         return (mac_bsdextended_check_vp(cred, vp, MBI_ADMIN));
  695 }
  696 
  697 static int
  698 mac_bsdextended_check_setacl_vnode(struct ucred *cred, struct vnode *vp,
  699     struct label *label, acl_type_t type, struct acl *acl)
  700 {
  701 
  702         return (mac_bsdextended_check_vp(cred, vp, MBI_ADMIN));
  703 }
  704 
  705 static int
  706 mac_bsdextended_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
  707     struct label *label, int attrnamespace, const char *name, struct uio *uio)
  708 {
  709 
  710         return (mac_bsdextended_check_vp(cred, vp, MBI_WRITE));
  711 }
  712 
  713 static int
  714 mac_bsdextended_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
  715     struct label *label, u_long flags)
  716 {
  717 
  718         return (mac_bsdextended_check_vp(cred, vp, MBI_ADMIN));
  719 }
  720 
  721 static int
  722 mac_bsdextended_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
  723     struct label *label, mode_t mode)
  724 {
  725 
  726         return (mac_bsdextended_check_vp(cred, vp, MBI_ADMIN));
  727 }
  728 
  729 static int
  730 mac_bsdextended_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
  731     struct label *label, uid_t uid, gid_t gid)
  732 {
  733 
  734         return (mac_bsdextended_check_vp(cred, vp, MBI_ADMIN));
  735 }
  736 
  737 static int
  738 mac_bsdextended_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
  739     struct label *label, struct timespec atime, struct timespec utime)
  740 {
  741 
  742         return (mac_bsdextended_check_vp(cred, vp, MBI_ADMIN));
  743 }
  744 
  745 static int
  746 mac_bsdextended_check_vnode_stat(struct ucred *active_cred,
  747     struct ucred *file_cred, struct vnode *vp, struct label *label)
  748 {
  749 
  750         return (mac_bsdextended_check_vp(active_cred, vp, MBI_STAT));
  751 }
  752 
  753 static struct mac_policy_ops mac_bsdextended_ops =
  754 {
  755         .mpo_destroy = mac_bsdextended_destroy,
  756         .mpo_init = mac_bsdextended_init,
  757         .mpo_check_system_swapon = mac_bsdextended_check_system_swapon,
  758         .mpo_check_vnode_access = mac_bsdextended_check_vnode_access,
  759         .mpo_check_vnode_chdir = mac_bsdextended_check_vnode_chdir,
  760         .mpo_check_vnode_chroot = mac_bsdextended_check_vnode_chroot,
  761         .mpo_check_vnode_create = mac_bsdextended_check_create_vnode,
  762         .mpo_check_vnode_delete = mac_bsdextended_check_vnode_delete,
  763         .mpo_check_vnode_deleteacl = mac_bsdextended_check_vnode_deleteacl,
  764         .mpo_check_vnode_deleteextattr = mac_bsdextended_check_vnode_deleteextattr,
  765         .mpo_check_vnode_exec = mac_bsdextended_check_vnode_exec,
  766         .mpo_check_vnode_getacl = mac_bsdextended_check_vnode_getacl,
  767         .mpo_check_vnode_getextattr = mac_bsdextended_check_vnode_getextattr,
  768         .mpo_check_vnode_link = mac_bsdextended_check_vnode_link,
  769         .mpo_check_vnode_listextattr = mac_bsdextended_check_vnode_listextattr,
  770         .mpo_check_vnode_lookup = mac_bsdextended_check_vnode_lookup,
  771         .mpo_check_vnode_open = mac_bsdextended_check_vnode_open,
  772         .mpo_check_vnode_readdir = mac_bsdextended_check_vnode_readdir,
  773         .mpo_check_vnode_readlink = mac_bsdextended_check_vnode_readdlink,
  774         .mpo_check_vnode_rename_from = mac_bsdextended_check_vnode_rename_from,
  775         .mpo_check_vnode_rename_to = mac_bsdextended_check_vnode_rename_to,
  776         .mpo_check_vnode_revoke = mac_bsdextended_check_vnode_revoke,
  777         .mpo_check_vnode_setacl = mac_bsdextended_check_setacl_vnode,
  778         .mpo_check_vnode_setextattr = mac_bsdextended_check_vnode_setextattr,
  779         .mpo_check_vnode_setflags = mac_bsdextended_check_vnode_setflags,
  780         .mpo_check_vnode_setmode = mac_bsdextended_check_vnode_setmode,
  781         .mpo_check_vnode_setowner = mac_bsdextended_check_vnode_setowner,
  782         .mpo_check_vnode_setutimes = mac_bsdextended_check_vnode_setutimes,
  783         .mpo_check_vnode_stat = mac_bsdextended_check_vnode_stat,
  784 };
  785 
  786 MAC_POLICY_SET(&mac_bsdextended_ops, mac_bsdextended,
  787     "TrustedBSD MAC/BSD Extended", MPC_LOADTIME_FLAG_UNLOADOK, NULL);

Cache object: ee5ba9e250761bac438bfd8b795a10ac


[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]


This page is part of the FreeBSD/Linux Linux Kernel Cross-Reference, and was automatically generated using a modified version of the LXR engine.