Merge first in a series of TrustedBSD MAC Framework KPI changes

from Mac OS X Leopard--rationalize naming for entry points to
the following general forms:

  mac_<object>_<method/action>
  mac_<object>_check_<method/action>

The previous naming scheme was inconsistent and mostly
reversed from the new scheme.  Also, make object types more
consistent and remove spaces from object types that contain
multiple parts ("posix_sem" -> "posixsem") to make mechanical
parsing easier.  Introduce a new "netinet" object type for
certain IPv4/IPv6-related methods.  Also simplify, slightly,
some entry point names.

All MAC policy modules will need to be recompiled, and modules
not updated as part of this commit will need to be modified to
conform to the new KPI.

Sponsored by:	SPARTA (original patches against Mac OS X)
Obtained from:	TrustedBSD Project, Apple Computer
This commit is contained in:
Robert Watson 2007-10-24 19:04:04 +00:00
parent 2143962647
commit 30d239bc4c
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=172930
103 changed files with 3601 additions and 3518 deletions


@ -467,7 +467,7 @@ getdents_common(struct thread *td, struct linux_getdents64_args *args,
/*
* Do directory search MAC check using non-cached credentials.
*/
if ((error = mac_check_vnode_readdir(td->td_ucred, vp)))
if ((error = mac_vnode_check_readdir(td->td_ucred, vp)))
goto out;
#endif /* MAC */
if ((error = VOP_READDIR(vp, &auio, fp->f_cred, &eofflag, &ncookies,


@ -170,7 +170,7 @@ linux_getcwd_scandir(lvpp, uvpp, bpp, bufp, td)
* On successful return, *uvpp will be locked
*/
#ifdef MAC
error = mac_check_vnode_lookup(td->td_ucred, lvp, &cn);
error = mac_vnode_check_lookup(td->td_ucred, lvp, &cn);
if (error == 0)
#endif
error = VOP_LOOKUP(lvp, uvpp, &cn);
@ -216,7 +216,7 @@ linux_getcwd_scandir(lvpp, uvpp, bpp, bufp, td)
eofflag = 0;
#ifdef MAC
error = mac_check_vnode_readdir(td->td_ucred, uvp);
error = mac_vnode_check_readdir(td->td_ucred, uvp);
if (error == 0)
#endif /* MAC */
error = VOP_READDIR(uvp, &uio, td->td_ucred, &eofflag,


@ -301,7 +301,7 @@ linux_uselib(struct thread *td, struct linux_uselib_args *args)
* than vn_open().
*/
#ifdef MAC
error = mac_check_vnode_open(td->td_ucred, vp, FREAD);
error = mac_vnode_check_open(td->td_ucred, vp, FREAD);
if (error)
goto cleanup;
#endif


@ -271,7 +271,7 @@ fd_revoke(td, fd)
#ifdef MAC
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
error = mac_check_vnode_revoke(td->td_ucred, vp);
error = mac_vnode_check_revoke(td->td_ucred, vp);
VOP_UNLOCK(vp, 0, td);
if (error)
goto out;


@ -296,7 +296,7 @@ svr4_sys_getdents64(td, uap)
}
#ifdef MAC
error = mac_check_vnode_readdir(td->td_ucred, vp);
error = mac_vnode_check_readdir(td->td_ucred, vp);
if (error)
goto out;
#endif
@ -461,7 +461,7 @@ svr4_sys_getdents(td, uap)
auio.uio_offset = off;
#ifdef MAC
error = mac_check_vnode_readdir(td->td_ucred, vp);
error = mac_vnode_check_readdir(td->td_ucred, vp);
if (error)
goto out;
#endif
@ -625,7 +625,7 @@ svr4_sys_fchroot(td, uap)
if (error)
goto fail;
#ifdef MAC
error = mac_check_vnode_chroot(td->td_ucred, vp);
error = mac_vnode_check_chroot(td->td_ucred, vp);
if (error)
goto fail;
#endif


@ -1818,9 +1818,9 @@ pf_send_tcp(const struct pf_rule *r, sa_family_t af,
#ifdef __FreeBSD__
#ifdef MAC
if (replyto)
mac_create_mbuf_netlayer(replyto, m);
mac_mbuf_create_netlayer(replyto, m);
else
mac_create_mbuf_from_firewall(m);
mac_mbuf_create_from_firewall(m);
#else
(void)replyto;
#endif


@ -182,7 +182,7 @@ devfs_newdirent(char *name, int namelen)
de->de_links = 1;
de->de_holdcnt = 1;
#ifdef MAC
mac_init_devfs(de);
mac_devfs_init(de);
#endif
return (de);
}
@ -226,7 +226,7 @@ devfs_vmkdir(struct devfs_mount *dmp, char *name, int namelen, struct devfs_dire
}
#ifdef MAC
mac_create_devfs_directory(dmp->dm_mount, name, namelen, dd);
mac_devfs_create_directory(dmp->dm_mount, name, namelen, dd);
#endif
return (dd);
}
@ -274,7 +274,7 @@ devfs_delete(struct devfs_mount *dm, struct devfs_dirent *de, int vp_locked)
de->de_symlink = NULL;
}
#ifdef MAC
mac_destroy_devfs(de);
mac_devfs_destroy(de);
#endif
if (de->de_inode > DEVFS_ROOTINO) {
free_unr(devfs_inos, de->de_inode);
@ -452,7 +452,7 @@ devfs_populate_loop(struct devfs_mount *dm, int cleanup)
de->de_inode = cdp->cdp_inode;
de->de_cdp = cdp;
#ifdef MAC
mac_create_devfs_device(cdp->cdp_c.si_cred, dm->dm_mount,
mac_devfs_create_device(cdp->cdp_c.si_cred, dm->dm_mount,
&cdp->cdp_c, de);
#endif
de->de_dir = dd;


@ -262,7 +262,7 @@ devfs_allocv(struct devfs_dirent *de, struct mount *mp, struct vnode **vpp, stru
return (ENOENT);
}
#ifdef MAC
mac_associate_vnode_devfs(mp, de, vp);
mac_devfs_vnode_associate(mp, de, vp);
#endif
sx_xunlock(&dmp->dm_lock);
*vpp = vp;
@ -1233,8 +1233,8 @@ devfs_setlabel(struct vop_setlabel_args *ap)
vp = ap->a_vp;
de = vp->v_data;
mac_relabel_vnode(ap->a_cred, vp, ap->a_label);
mac_update_devfs(vp->v_mount, de, vp);
mac_vnode_relabel(ap->a_cred, vp, ap->a_label);
mac_devfs_update(vp->v_mount, de, vp);
return (0);
}
@ -1275,7 +1275,7 @@ devfs_symlink(struct vop_symlink_args *ap)
bcopy(ap->a_target, de->de_symlink, i);
sx_xlock(&dmp->dm_lock);
#ifdef MAC
mac_create_devfs_symlink(ap->a_cnp->cn_cred, dmp->dm_mount, dd, de);
mac_devfs_create_symlink(ap->a_cnp->cn_cred, dmp->dm_mount, dd, de);
#endif
TAILQ_INSERT_TAIL(&dd->de_dlist, de, de_list);
return (devfs_allocv(de, ap->a_dvp->v_mount, ap->a_vpp, td));


@ -966,7 +966,7 @@ unionfs_check_rmdir(struct vnode *vp, struct ucred *cred, struct thread *td)
/* open vnode */
#ifdef MAC
if ((error = mac_check_vnode_open(cred, vp, VEXEC|VREAD)) != 0)
if ((error = mac_vnode_check_open(cred, vp, VEXEC|VREAD)) != 0)
return (error);
#endif
if ((error = VOP_ACCESS(vp, VEXEC|VREAD, cred, td)) != 0)
@ -980,7 +980,7 @@ unionfs_check_rmdir(struct vnode *vp, struct ucred *cred, struct thread *td)
uio.uio_offset = 0;
#ifdef MAC
error = mac_check_vnode_readdir(td->td_ucred, lvp);
error = mac_vnode_check_readdir(td->td_ucred, lvp);
#endif
while (!error && !eofflag) {
iov.iov_base = buf;
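Review bot: The readdir check on the new line `error = mac_vnode_check_readdir(td->td_ucred, lvp);` uses td->td_ucred, while the open check earlier in the same function (the hunk at -966) passes the explicit `cred` parameter of unionfs_check_rmdir, so the two MAC checks can be evaluated against different credentials whenever a caller supplies a cred other than the thread's. This predates the rename and the correct choice depends on callers outside the hunk, but it is worth confirming and either switching the readdir check to `cred` or adding a comment stating why td_ucred is intended here. The enclosing function begins and ends outside the hunk.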


@ -374,7 +374,7 @@ ibcs2_getdents(td, uap)
}
#ifdef MAC
error = mac_check_vnode_readdir(td->td_ucred, vp);
error = mac_vnode_check_readdir(td->td_ucred, vp);
if (error)
goto out;
#endif
@ -536,7 +536,7 @@ ibcs2_read(td, uap)
}
#ifdef MAC
error = mac_check_vnode_readdir(td->td_ucred, vp);
error = mac_vnode_check_readdir(td->td_ucred, vp);
if (error)
goto out;
#endif


@ -448,7 +448,7 @@ proc0_init(void *dummy __unused)
audit_cred_kproc0(p->p_ucred);
#endif
#ifdef MAC
mac_create_proc0(p->p_ucred);
mac_proc_create_swapper(p->p_ucred);
#endif
td->td_ucred = crhold(p->p_ucred);
@ -714,7 +714,7 @@ create_init(const void *udata __unused)
oldcred = initproc->p_ucred;
crcopy(newcred, oldcred);
#ifdef MAC
mac_create_proc1(newcred);
mac_proc_create_init(newcred);
#endif
#ifdef AUDIT
audit_cred_proc1(newcred);


@ -218,7 +218,7 @@ acct(struct thread *td, struct acct_args *uap)
vfslocked = NDHASGIANT(&nd);
NDFREE(&nd, NDF_ONLY_PNBUF);
#ifdef MAC
error = mac_check_system_acct(td->td_ucred, nd.ni_vp);
error = mac_system_check_acct(td->td_ucred, nd.ni_vp);
if (error) {
VOP_UNLOCK(nd.ni_vp, 0, td);
vn_close(nd.ni_vp, flags, td->td_ucred, td);
@ -235,7 +235,7 @@ acct(struct thread *td, struct acct_args *uap)
VFS_UNLOCK_GIANT(vfslocked);
#ifdef MAC
} else {
error = mac_check_system_acct(td->td_ucred, NULL);
error = mac_system_check_acct(td->td_ucred, NULL);
if (error)
return (error);
#endif


@ -300,7 +300,7 @@ alq_doio(struct alq *alq)
* XXX: VOP_WRITE error checks are ignored.
*/
#ifdef MAC
if (mac_check_vnode_write(alq->aq_cred, NOCRED, vp) == 0)
if (mac_vnode_check_write(alq->aq_cred, NOCRED, vp) == 0)
#endif
VOP_WRITE(vp, &auio, IO_UNIT | IO_APPEND, alq->aq_cred);
VOP_UNLOCK(vp, 0, td);


@ -95,7 +95,7 @@ kenv(td, uap)
error = 0;
if (uap->what == KENV_DUMP) {
#ifdef MAC
error = mac_check_kenv_dump(td->td_ucred);
error = mac_kenv_check_dump(td->td_ucred);
if (error)
return (error);
#endif
@ -148,7 +148,7 @@ kenv(td, uap)
switch (uap->what) {
case KENV_GET:
#ifdef MAC
error = mac_check_kenv_get(td->td_ucred, name);
error = mac_kenv_check_get(td->td_ucred, name);
if (error)
goto done;
#endif
@ -181,7 +181,7 @@ kenv(td, uap)
goto done;
}
#ifdef MAC
error = mac_check_kenv_set(td->td_ucred, name, value);
error = mac_kenv_check_set(td->td_ucred, name, value);
if (error == 0)
#endif
setenv(name, value);
@ -189,7 +189,7 @@ kenv(td, uap)
break;
case KENV_UNSET:
#ifdef MAC
error = mac_check_kenv_unset(td->td_ucred, name);
error = mac_kenv_check_unset(td->td_ucred, name);
if (error)
goto done;
#endif


@ -439,7 +439,7 @@ do_execve(td, args, mac_p)
NDFREE(ndp, NDF_ONLY_PNBUF);
#ifdef MAC
interplabel = mac_vnode_label_alloc();
mac_copy_vnode_label(ndp->ni_vp->v_label, interplabel);
mac_vnode_copy_label(ndp->ni_vp->v_label, interplabel);
#endif
vput(ndp->ni_vp);
vm_object_deallocate(imgp->object);
@ -550,7 +550,7 @@ do_execve(td, args, mac_p)
credential_changing |= (attr.va_mode & VSGID) && oldcred->cr_gid !=
attr.va_gid;
#ifdef MAC
will_transition = mac_execve_will_transition(oldcred, imgp->vp,
will_transition = mac_vnode_execve_will_transition(oldcred, imgp->vp,
interplabel, imgp);
credential_changing |= will_transition;
#endif
@ -604,7 +604,7 @@ do_execve(td, args, mac_p)
change_egid(newcred, attr.va_gid);
#ifdef MAC
if (will_transition) {
mac_execve_transition(oldcred, newcred, imgp->vp,
mac_vnode_execve_transition(oldcred, newcred, imgp->vp,
interplabel, imgp);
}
#endif
@ -1191,7 +1191,7 @@ exec_check_permissions(imgp)
return (error);
#ifdef MAC
error = mac_check_vnode_exec(td->td_ucred, imgp->vp, imgp);
error = mac_vnode_check_exec(td->td_ucred, imgp->vp, imgp);
if (error)
return (error);
#endif


@ -791,7 +791,7 @@ kern_wait(struct thread *td, pid_t pid, int *status, int options,
*/
vm_waitproc(p);
#ifdef MAC
mac_destroy_proc(p);
mac_proc_destroy(p);
#endif
KASSERT(FIRST_THREAD_IN_PROC(p),
("kern_wait: no residual thread!"));


@ -285,7 +285,7 @@ fork1(td, flags, pages, procp)
/* Allocate new proc. */
newproc = uma_zalloc(proc_zone, M_WAITOK);
#ifdef MAC
mac_init_proc(newproc);
mac_proc_init(newproc);
#endif
knlist_init(&newproc->p_klist, &newproc->p_mtx, NULL, NULL, NULL);
STAILQ_INIT(&newproc->p_ktr);
@ -752,7 +752,7 @@ fork1(td, flags, pages, procp)
td->td_ucred->cr_ruid);
sx_xunlock(&allproc_lock);
#ifdef MAC
mac_destroy_proc(newproc);
mac_proc_destroy(newproc);
#endif
uma_zfree(proc_zone, newproc);
if (p1->p_flag & P_HADTHREADS) {


@ -258,7 +258,7 @@ jail_attach(struct thread *td, struct jail_attach_args *uap)
if ((error = change_dir(pr->pr_root, td)) != 0)
goto e_unlock;
#ifdef MAC
if ((error = mac_check_vnode_chroot(td->td_ucred, pr->pr_root)))
if ((error = mac_vnode_check_chroot(td->td_ucred, pr->pr_root)))
goto e_unlock;
#endif
VOP_UNLOCK(pr->pr_root, 0, td);


@ -927,7 +927,7 @@ ktr_writerequest(struct thread *td, struct ktr_request *req)
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
(void)VOP_LEASE(vp, td, cred, LEASE_WRITE);
#ifdef MAC
error = mac_check_vnode_write(cred, NOCRED, vp);
error = mac_vnode_check_write(cred, NOCRED, vp);
if (error == 0)
#endif
error = VOP_WRITE(vp, &auio, IO_UNIT | IO_APPEND, cred);


@ -995,7 +995,7 @@ kldfind(struct thread *td, struct kldfind_args *uap)
int error;
#ifdef MAC
error = mac_check_kld_stat(td->td_ucred);
error = mac_kld_check_stat(td->td_ucred);
if (error)
return (error);
#endif
@ -1026,7 +1026,7 @@ kldnext(struct thread *td, struct kldnext_args *uap)
int error = 0;
#ifdef MAC
error = mac_check_kld_stat(td->td_ucred);
error = mac_kld_check_stat(td->td_ucred);
if (error)
return (error);
#endif
@ -1076,7 +1076,7 @@ kldstat(struct thread *td, struct kldstat_args *uap)
return (EINVAL);
#ifdef MAC
error = mac_check_kld_stat(td->td_ucred);
error = mac_kld_check_stat(td->td_ucred);
if (error)
return (error);
#endif
@ -1119,7 +1119,7 @@ kldfirstmod(struct thread *td, struct kldfirstmod_args *uap)
int error = 0;
#ifdef MAC
error = mac_check_kld_stat(td->td_ucred);
error = mac_kld_check_stat(td->td_ucred);
if (error)
return (error);
#endif
@ -1151,7 +1151,7 @@ kldsym(struct thread *td, struct kldsym_args *uap)
int error = 0;
#ifdef MAC
error = mac_check_kld_stat(td->td_ucred);
error = mac_kld_check_stat(td->td_ucred);
if (error)
return (error);
#endif
@ -1997,7 +1997,7 @@ sysctl_kern_function_list(SYSCTL_HANDLER_ARGS)
int error;
#ifdef MAC
error = mac_check_kld_stat(req->td->td_ucred);
error = mac_kld_check_stat(req->td->td_ucred);
if (error)
return (error);
#endif


@ -323,7 +323,7 @@ mb_ctor_mbuf(void *mem, int size, void *arg, int how)
SLIST_INIT(&m->m_pkthdr.tags);
#ifdef MAC
/* If the label init fails, fail the alloc */
error = mac_init_mbuf(m, how);
error = mac_mbuf_init(m, how);
if (error)
return (error);
#endif
@ -543,7 +543,7 @@ mb_ctor_pack(void *mem, int size, void *arg, int how)
SLIST_INIT(&m->m_pkthdr.tags);
#ifdef MAC
/* If the label init fails, fail the alloc */
error = mac_init_mbuf(m, how);
error = mac_mbuf_init(m, how);
if (error)
return (error);
#endif


@ -482,7 +482,7 @@ setuid(struct thread *td, struct setuid_args *uap)
oldcred = p->p_ucred;
#ifdef MAC
error = mac_check_proc_setuid(p, oldcred, uid);
error = mac_proc_check_setuid(p, oldcred, uid);
if (error)
goto fail;
#endif
@ -594,7 +594,7 @@ seteuid(struct thread *td, struct seteuid_args *uap)
oldcred = p->p_ucred;
#ifdef MAC
error = mac_check_proc_seteuid(p, oldcred, euid);
error = mac_proc_check_seteuid(p, oldcred, euid);
if (error)
goto fail;
#endif
@ -647,7 +647,7 @@ setgid(struct thread *td, struct setgid_args *uap)
oldcred = p->p_ucred;
#ifdef MAC
error = mac_check_proc_setgid(p, oldcred, gid);
error = mac_proc_check_setgid(p, oldcred, gid);
if (error)
goto fail;
#endif
@ -746,7 +746,7 @@ setegid(struct thread *td, struct setegid_args *uap)
oldcred = p->p_ucred;
#ifdef MAC
error = mac_check_proc_setegid(p, oldcred, egid);
error = mac_proc_check_setegid(p, oldcred, egid);
if (error)
goto fail;
#endif
@ -808,7 +808,7 @@ kern_setgroups(struct thread *td, u_int ngrp, gid_t *groups)
oldcred = p->p_ucred;
#ifdef MAC
error = mac_check_proc_setgroups(p, oldcred, ngrp, groups);
error = mac_proc_check_setgroups(p, oldcred, ngrp, groups);
if (error)
goto fail;
#endif
@ -873,7 +873,7 @@ setreuid(register struct thread *td, struct setreuid_args *uap)
oldcred = p->p_ucred;
#ifdef MAC
error = mac_check_proc_setreuid(p, oldcred, ruid, euid);
error = mac_proc_check_setreuid(p, oldcred, ruid, euid);
if (error)
goto fail;
#endif
@ -938,7 +938,7 @@ setregid(register struct thread *td, struct setregid_args *uap)
oldcred = p->p_ucred;
#ifdef MAC
error = mac_check_proc_setregid(p, oldcred, rgid, egid);
error = mac_proc_check_setregid(p, oldcred, rgid, egid);
if (error)
goto fail;
#endif
@ -1009,7 +1009,7 @@ setresuid(register struct thread *td, struct setresuid_args *uap)
oldcred = p->p_ucred;
#ifdef MAC
error = mac_check_proc_setresuid(p, oldcred, ruid, euid, suid);
error = mac_proc_check_setresuid(p, oldcred, ruid, euid, suid);
if (error)
goto fail;
#endif
@ -1086,7 +1086,7 @@ setresgid(register struct thread *td, struct setresgid_args *uap)
oldcred = p->p_ucred;
#ifdef MAC
error = mac_check_proc_setresgid(p, oldcred, rgid, egid, sgid);
error = mac_proc_check_setresgid(p, oldcred, rgid, egid, sgid);
if (error)
goto fail;
#endif
@ -1369,7 +1369,7 @@ cr_cansee(struct ucred *u1, struct ucred *u2)
if ((error = prison_check(u1, u2)))
return (error);
#ifdef MAC
if ((error = mac_check_cred_visible(u1, u2)))
if ((error = mac_cred_check_visible(u1, u2)))
return (error);
#endif
if ((error = cr_seeotheruids(u1, u2)))
@ -1430,7 +1430,7 @@ cr_cansignal(struct ucred *cred, struct proc *proc, int signum)
if (error)
return (error);
#ifdef MAC
if ((error = mac_check_proc_signal(cred, proc, signum)))
if ((error = mac_proc_check_signal(cred, proc, signum)))
return (error);
#endif
if ((error = cr_seeotheruids(cred, proc->p_ucred)))
@ -1547,7 +1547,7 @@ p_cansched(struct thread *td, struct proc *p)
if ((error = prison_check(td->td_ucred, p->p_ucred)))
return (error);
#ifdef MAC
if ((error = mac_check_proc_sched(td->td_ucred, p)))
if ((error = mac_proc_check_sched(td->td_ucred, p)))
return (error);
#endif
if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred)))
@ -1604,7 +1604,7 @@ p_candebug(struct thread *td, struct proc *p)
if ((error = prison_check(td->td_ucred, p->p_ucred)))
return (error);
#ifdef MAC
if ((error = mac_check_proc_debug(td->td_ucred, p)))
if ((error = mac_proc_check_debug(td->td_ucred, p)))
return (error);
#endif
if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred)))
@ -1691,7 +1691,7 @@ cr_canseesocket(struct ucred *cred, struct socket *so)
return (ENOENT);
#ifdef MAC
SOCK_LOCK(so);
error = mac_check_socket_visible(cred, so);
error = mac_socket_check_visible(cred, so);
SOCK_UNLOCK(so);
if (error)
return (error);
@ -1723,7 +1723,7 @@ p_canwait(struct thread *td, struct proc *p)
if ((error = prison_check(td->td_ucred, p->p_ucred)))
return (error);
#ifdef MAC
if ((error = mac_check_proc_wait(td->td_ucred, p)))
if ((error = mac_proc_check_wait(td->td_ucred, p)))
return (error);
#endif
#if 0
@ -1749,7 +1749,7 @@ crget(void)
audit_cred_init(cr);
#endif
#ifdef MAC
mac_init_cred(cr);
mac_cred_init(cr);
#endif
return (cr);
}
@ -1793,7 +1793,7 @@ crfree(struct ucred *cr)
audit_cred_destroy(cr);
#endif
#ifdef MAC
mac_destroy_cred(cr);
mac_cred_destroy(cr);
#endif
FREE(cr, M_CRED);
}
@ -1828,7 +1828,7 @@ crcopy(struct ucred *dest, struct ucred *src)
audit_cred_copy(src, dest);
#endif
#ifdef MAC
mac_copy_cred(src, dest);
mac_cred_copy(src, dest);
#endif
}


@ -160,7 +160,7 @@ reboot(struct thread *td, struct reboot_args *uap)
error = 0;
#ifdef MAC
error = mac_check_system_reboot(td->td_ucred, uap->opt);
error = mac_system_check_reboot(td->td_ucred, uap->opt);
#endif
if (error == 0)
error = priv_check(td, PRIV_REBOOT);


@ -1298,7 +1298,7 @@ sysctl_root(SYSCTL_HANDLER_ARGS)
arg2 = oid->oid_arg2;
}
#ifdef MAC
error = mac_check_system_sysctl(req->td->td_ucred, oid, arg1, arg2,
error = mac_system_check_sysctl(req->td->td_ucred, oid, arg1, arg2,
req);
if (error != 0)
return (error);


@ -572,7 +572,7 @@ link_elf_load_file(linker_class_t cls, const char* filename,
vfslocked = NDHASGIANT(&nd);
NDFREE(&nd, NDF_ONLY_PNBUF);
#ifdef MAC
error = mac_check_kld_load(curthread->td_ucred, nd.ni_vp);
error = mac_kld_check_load(curthread->td_ucred, nd.ni_vp);
if (error) {
firstpage = NULL;
goto out;


@ -410,7 +410,7 @@ link_elf_load_file(linker_class_t cls, const char *filename,
vfslocked = NDHASGIANT(&nd);
NDFREE(&nd, NDF_ONLY_PNBUF);
#ifdef MAC
error = mac_check_kld_load(td->td_ucred, nd.ni_vp);
error = mac_kld_check_load(td->td_ucred, nd.ni_vp);
if (error) {
goto out;
}


@ -323,11 +323,11 @@ pipe(td, uap)
#ifdef MAC
/*
* The MAC label is shared between the connected endpoints. As a
* result mac_init_pipe() and mac_create_pipe() are called once
* result mac_pipe_init() and mac_pipe_create() are called once
* for the pair, and not on the endpoints.
*/
mac_init_pipe(pp);
mac_create_pipe(td->td_ucred, pp);
mac_pipe_init(pp);
mac_pipe_create(td->td_ucred, pp);
#endif
rpipe = &pp->pp_rpipe;
wpipe = &pp->pp_wpipe;
@ -576,7 +576,7 @@ pipe_read(fp, uio, active_cred, flags, td)
goto unlocked_error;
#ifdef MAC
error = mac_check_pipe_read(active_cred, rpipe->pipe_pair);
error = mac_pipe_check_read(active_cred, rpipe->pipe_pair);
if (error)
goto locked_error;
#endif
@ -986,7 +986,7 @@ pipe_write(fp, uio, active_cred, flags, td)
return (EPIPE);
}
#ifdef MAC
error = mac_check_pipe_write(active_cred, wpipe->pipe_pair);
error = mac_pipe_check_write(active_cred, wpipe->pipe_pair);
if (error) {
pipeunlock(wpipe);
PIPE_UNLOCK(rpipe);
@ -1252,7 +1252,7 @@ pipe_ioctl(fp, cmd, data, active_cred, td)
PIPE_LOCK(mpipe);
#ifdef MAC
error = mac_check_pipe_ioctl(active_cred, mpipe->pipe_pair, cmd, data);
error = mac_pipe_check_ioctl(active_cred, mpipe->pipe_pair, cmd, data);
if (error) {
PIPE_UNLOCK(mpipe);
return (error);
@ -1326,7 +1326,7 @@ pipe_poll(fp, events, active_cred, td)
wpipe = rpipe->pipe_peer;
PIPE_LOCK(rpipe);
#ifdef MAC
error = mac_check_pipe_poll(active_cred, rpipe->pipe_pair);
error = mac_pipe_check_poll(active_cred, rpipe->pipe_pair);
if (error)
goto locked_error;
#endif
@ -1382,7 +1382,7 @@ pipe_stat(fp, ub, active_cred, td)
int error;
PIPE_LOCK(pipe);
error = mac_check_pipe_stat(active_cred, pipe->pipe_pair);
error = mac_pipe_check_stat(active_cred, pipe->pipe_pair);
PIPE_UNLOCK(pipe);
if (error)
return (error);
@ -1511,7 +1511,7 @@ pipeclose(cpipe)
if (ppipe->pipe_present == 0) {
PIPE_UNLOCK(cpipe);
#ifdef MAC
mac_destroy_pipe(pp);
mac_pipe_destroy(pp);
#endif
uma_zfree(pipe_zone, cpipe->pipe_pair);
} else


@ -77,7 +77,7 @@ soo_read(struct file *fp, struct uio *uio, struct ucred *active_cred,
int error;
SOCK_LOCK(so);
error = mac_check_socket_receive(active_cred, so);
error = mac_socket_check_receive(active_cred, so);
SOCK_UNLOCK(so);
if (error)
return (error);
@ -95,7 +95,7 @@ soo_write(struct file *fp, struct uio *uio, struct ucred *active_cred,
#ifdef MAC
SOCK_LOCK(so);
error = mac_check_socket_send(active_cred, so);
error = mac_socket_check_send(active_cred, so);
SOCK_UNLOCK(so);
if (error)
return (error);
@ -208,7 +208,7 @@ soo_poll(struct file *fp, int events, struct ucred *active_cred,
int error;
SOCK_LOCK(so);
error = mac_check_socket_poll(active_cred, so);
error = mac_socket_check_poll(active_cred, so);
SOCK_UNLOCK(so);
if (error)
return (error);
@ -229,7 +229,7 @@ soo_stat(struct file *fp, struct stat *ub, struct ucred *active_cred,
ub->st_mode = S_IFSOCK;
#ifdef MAC
SOCK_LOCK(so);
error = mac_check_socket_stat(active_cred, so);
error = mac_socket_check_stat(active_cred, so);
SOCK_UNLOCK(so);
if (error)
return (error);


@ -224,7 +224,7 @@ msginit()
msghdrs[i-1].msg_next = &msghdrs[i];
msghdrs[i].msg_next = NULL;
#ifdef MAC
mac_init_sysv_msgmsg(&msghdrs[i]);
mac_sysvmsg_init(&msghdrs[i]);
#endif
}
free_msghdrs = &msghdrs[0];
@ -237,7 +237,7 @@ msginit()
msqids[i].u.msg_perm.seq = 0; /* reset to a known value */
msqids[i].u.msg_perm.mode = 0;
#ifdef MAC
mac_init_sysv_msgqueue(&msqids[i]);
mac_sysvmsq_init(&msqids[i]);
#endif
}
mtx_init(&msq_mtx, "msq", NULL, MTX_DEF);
@ -269,9 +269,9 @@ msgunload()
#ifdef MAC
for (i = 0; i < msginfo.msgtql; i++)
mac_destroy_sysv_msgmsg(&msghdrs[i]);
mac_sysvmsg_destroy(&msghdrs[i]);
for (msqid = 0; msqid < msginfo.msgmni; msqid++)
mac_destroy_sysv_msgqueue(&msqids[msqid]);
mac_sysvmsq_destroy(&msqids[msqid]);
#endif
free(msgpool, M_MSG);
free(msgmaps, M_MSG);
@ -369,7 +369,7 @@ msg_freehdr(msghdr)
msghdr->msg_next = free_msghdrs;
free_msghdrs = msghdr;
#ifdef MAC
mac_cleanup_sysv_msgmsg(msghdr);
mac_sysvmsg_cleanup(msghdr);
#endif
}
@ -435,7 +435,7 @@ kern_msgctl(td, msqid, cmd, msqbuf)
goto done2;
}
#ifdef MAC
error = mac_check_sysv_msqctl(td->td_ucred, msqkptr, cmd);
error = mac_sysvmsq_check_msqctl(td->td_ucred, msqkptr, cmd);
if (error != 0)
goto done2;
#endif
@ -463,7 +463,7 @@ kern_msgctl(td, msqid, cmd, msqbuf)
*/
for (msghdr = msqkptr->u.msg_first; msghdr != NULL;
msghdr = msghdr->msg_next) {
error = mac_check_sysv_msgrmid(td->td_ucred, msghdr);
error = mac_sysvmsq_check_msgrmid(td->td_ucred, msghdr);
if (error != 0)
goto done2;
}
@ -490,7 +490,7 @@ kern_msgctl(td, msqid, cmd, msqbuf)
msqkptr->u.msg_qbytes = 0; /* Mark it as free */
#ifdef MAC
mac_cleanup_sysv_msgqueue(msqkptr);
mac_sysvmsq_cleanup(msqkptr);
#endif
wakeup(msqkptr);
@ -589,7 +589,7 @@ msgget(td, uap)
goto done2;
}
#ifdef MAC
error = mac_check_sysv_msqget(cred, msqkptr);
error = mac_sysvmsq_check_msqget(cred, msqkptr);
if (error != 0)
goto done2;
#endif
@ -636,7 +636,7 @@ msgget(td, uap)
msqkptr->u.msg_rtime = 0;
msqkptr->u.msg_ctime = time_second;
#ifdef MAC
mac_create_sysv_msgqueue(cred, msqkptr);
mac_sysvmsq_create(cred, msqkptr);
#endif
} else {
DPRINTF(("didn't find it and wasn't asked to create it\n"));
@ -705,7 +705,7 @@ kern_msgsnd(td, msqid, msgp, msgsz, msgflg, mtype)
}
#ifdef MAC
error = mac_check_sysv_msqsnd(td->td_ucred, msqkptr);
error = mac_sysvmsq_check_msqsnd(td->td_ucred, msqkptr);
if (error != 0)
goto done2;
#endif
@ -830,11 +830,11 @@ kern_msgsnd(td, msqid, msgp, msgsz, msgflg, mtype)
msghdr->msg_type = mtype;
#ifdef MAC
/*
* XXXMAC: Should the mac_check_sysv_msgmsq check follow here
* XXXMAC: Should the mac_sysvmsq_check_msgmsq check follow here
* immediately? Or, should it be checked just before the msg is
* enqueued in the msgq (as it is done now)?
*/
mac_create_sysv_msgmsg(td->td_ucred, msqkptr, msghdr);
mac_sysvmsg_create(td->td_ucred, msqkptr, msghdr);
#endif
/*
@ -928,14 +928,14 @@ kern_msgsnd(td, msqid, msgp, msgsz, msgflg, mtype)
* Note: Since the task/thread allocates the msghdr and usually
* primes it with its own MAC label, for a majority of policies, it
* won't be necessary to check whether the msghdr has access
* permissions to the msgq. The mac_check_sysv_msqsnd check would
* permissions to the msgq. The mac_sysvmsq_check_msqsnd check would
* suffice in that case. However, this hook may be required where
* individual policies derive a non-identical label for the msghdr
* from the current thread label and may want to check the msghdr
* enqueue permissions, along with read/write permissions to the
* msgq.
*/
error = mac_check_sysv_msgmsq(td->td_ucred, msghdr, msqkptr);
error = mac_sysvmsq_check_msgmsq(td->td_ucred, msghdr, msqkptr);
if (error != 0) {
msg_freehdr(msghdr);
wakeup(msqkptr);
@ -1042,7 +1042,7 @@ kern_msgrcv(td, msqid, msgp, msgsz, msgtyp, msgflg, mtype)
}
#ifdef MAC
error = mac_check_sysv_msqrcv(td->td_ucred, msqkptr);
error = mac_sysvmsq_check_msqrcv(td->td_ucred, msqkptr);
if (error != 0)
goto done2;
#endif
@ -1061,7 +1061,7 @@ kern_msgrcv(td, msqid, msgp, msgsz, msgtyp, msgflg, mtype)
goto done2;
}
#ifdef MAC
error = mac_check_sysv_msgrcv(td->td_ucred,
error = mac_sysvmsq_check_msgrcv(td->td_ucred,
msghdr);
if (error != 0)
goto done2;
@ -1106,7 +1106,7 @@ kern_msgrcv(td, msqid, msgp, msgsz, msgtyp, msgflg, mtype)
goto done2;
}
#ifdef MAC
error = mac_check_sysv_msgrcv(
error = mac_sysvmsq_check_msgrcv(
td->td_ucred, msghdr);
if (error != 0)
goto done2;


@ -245,7 +245,7 @@ seminit(void)
sema[i].u.sem_perm.mode = 0;
sema[i].u.sem_perm.seq = 0;
#ifdef MAC
mac_init_sysv_sem(&sema[i]);
mac_sysvsem_init(&sema[i]);
#endif
}
for (i = 0; i < seminfo.semmni; i++)
@ -271,7 +271,7 @@ semunload(void)
EVENTHANDLER_DEREGISTER(process_exit, semexit_tag);
#ifdef MAC
for (i = 0; i < seminfo.semmni; i++)
mac_destroy_sysv_sem(&sema[i]);
mac_sysvsem_destroy(&sema[i]);
#endif
free(sem, M_SEM);
free(sema, M_SEM);
@ -639,7 +639,7 @@ kern_semctl(struct thread *td, int semid, int semnum, int cmd,
if ((error = ipcperm(td, &semakptr->u.sem_perm, IPC_R)))
goto done2;
#ifdef MAC
error = mac_check_sysv_semctl(cred, semakptr, cmd);
error = mac_sysvsem_check_semctl(cred, semakptr, cmd);
if (error != 0)
goto done2;
#endif
@ -657,7 +657,7 @@ kern_semctl(struct thread *td, int semid, int semnum, int cmd,
sema_mtxp = &sema_mtx[semidx];
mtx_lock(sema_mtxp);
#ifdef MAC
error = mac_check_sysv_semctl(cred, semakptr, cmd);
error = mac_sysvsem_check_semctl(cred, semakptr, cmd);
if (error != 0)
goto done2;
#endif
@ -683,7 +683,7 @@ kern_semctl(struct thread *td, int semid, int semnum, int cmd,
}
semakptr->u.sem_perm.mode = 0;
#ifdef MAC
mac_cleanup_sysv_sem(semakptr);
mac_sysvsem_cleanup(semakptr);
#endif
SEMUNDO_LOCK();
semundo_clear(semidx, -1);
@ -906,7 +906,7 @@ semget(td, uap)
goto done2;
}
#ifdef MAC
error = mac_check_sysv_semget(cred, &sema[semid]);
error = mac_sysvsem_check_semget(cred, &sema[semid]);
if (error != 0)
goto done2;
#endif
@ -955,7 +955,7 @@ semget(td, uap)
bzero(sema[semid].u.sem_base,
sizeof(sema[semid].u.sem_base[0])*nsems);
#ifdef MAC
mac_create_sysv_sem(cred, &sema[semid]);
mac_sysvsem_create(cred, &sema[semid]);
#endif
DPRINTF(("sembase = %p, next = %p\n",
sema[semid].u.sem_base, &sem[semtot]));
@ -1063,7 +1063,7 @@ semop(td, uap)
goto done2;
}
#ifdef MAC
error = mac_check_sysv_semop(td->td_ucred, semakptr, j);
error = mac_sysvsem_check_semop(td->td_ucred, semakptr, j);
if (error != 0)
goto done2;
#endif


@ -255,7 +255,7 @@ shm_deallocate_segment(shmseg)
shm_nused--;
shmseg->u.shm_perm.mode = SHMSEG_FREE;
#ifdef MAC
mac_cleanup_sysv_shm(shmseg);
mac_sysvshm_cleanup(shmseg);
#endif
}
@ -322,7 +322,7 @@ shmdt(td, uap)
}
#ifdef MAC
shmsegptr = &shmsegs[IPCID_TO_IX(shmmap_s->shmid)];
error = mac_check_sysv_shmdt(td->td_ucred, shmsegptr);
error = mac_sysvshm_check_shmdt(td->td_ucred, shmsegptr);
if (error != 0)
goto done2;
#endif
@ -377,7 +377,7 @@ kern_shmat(td, shmid, shmaddr, shmflg)
if (error)
goto done2;
#ifdef MAC
error = mac_check_sysv_shmat(td->td_ucred, shmseg, shmflg);
error = mac_sysvshm_check_shmat(td->td_ucred, shmseg, shmflg);
if (error != 0)
goto done2;
#endif
@ -492,7 +492,7 @@ oshmctl(td, uap)
if (error)
goto done2;
#ifdef MAC
error = mac_check_sysv_shmctl(td->td_ucred, shmseg, uap->cmd);
error = mac_sysvshm_check_shmctl(td->td_ucred, shmseg, uap->cmd);
if (error != 0)
goto done2;
#endif
@ -575,7 +575,7 @@ kern_shmctl(td, shmid, cmd, buf, bufsz)
goto done2;
}
#ifdef MAC
error = mac_check_sysv_shmctl(td->td_ucred, shmseg, cmd);
error = mac_sysvshm_check_shmctl(td->td_ucred, shmseg, cmd);
if (error != 0)
goto done2;
#endif
@ -701,7 +701,7 @@ shmget_existing(td, uap, mode, segnum)
if ((uap->shmflg & (IPC_CREAT | IPC_EXCL)) == (IPC_CREAT | IPC_EXCL))
return (EEXIST);
#ifdef MAC
error = mac_check_sysv_shmget(td->td_ucred, shmseg, uap->shmflg);
error = mac_sysvshm_check_shmget(td->td_ucred, shmseg, uap->shmflg);
if (error != 0)
return (error);
#endif
@ -779,7 +779,7 @@ shmget_allocate_segment(td, uap, mode)
shmseg->u.shm_lpid = shmseg->u.shm_nattch = 0;
shmseg->u.shm_atime = shmseg->u.shm_dtime = 0;
#ifdef MAC
mac_create_sysv_shm(cred, shmseg);
mac_sysvshm_create(cred, shmseg);
#endif
shmseg->u.shm_ctime = time_second;
shm_committed += btoc(size);
@ -911,7 +911,7 @@ shmrealloc(void)
shmsegs[i].u.shm_perm.mode = SHMSEG_FREE;
shmsegs[i].u.shm_perm.seq = 0;
#ifdef MAC
mac_init_sysv_shm(&shmsegs[i]);
mac_sysvshm_init(&shmsegs[i]);
#endif
}
free(shmsegs, M_SHM);
@ -943,7 +943,7 @@ shminit()
shmsegs[i].u.shm_perm.mode = SHMSEG_FREE;
shmsegs[i].u.shm_perm.seq = 0;
#ifdef MAC
mac_init_sysv_shm(&shmsegs[i]);
mac_sysvshm_init(&shmsegs[i]);
#endif
}
shm_last_free = 0;
@ -965,7 +965,7 @@ shmunload()
#ifdef MAC
for (i = 0; i < shmalloced; i++)
mac_destroy_sysv_shm(&shmsegs[i]);
mac_sysvshm_destroy(&shmsegs[i]);
#endif
free(shmsegs, M_SHM);
shmexit_hook = NULL;


@ -309,7 +309,7 @@ m_tag_free_default(struct m_tag *t)
{
#ifdef MAC
if (t->m_tag_id == PACKET_TAG_MACLABEL)
mac_destroy_mbuf_tag(t);
mac_mbuf_tag_destroy(t);
#endif
free(t, M_PACKET_TAGS);
}
@ -413,11 +413,11 @@ m_tag_copy(struct m_tag *t, int how)
* special from the mbuf code?
*/
if (t->m_tag_id == PACKET_TAG_MACLABEL) {
if (mac_init_mbuf_tag(p, how) != 0) {
if (mac_mbuf_tag_init(p, how) != 0) {
m_tag_free(p);
return (NULL);
}
mac_copy_mbuf_tag(t, p);
mac_mbuf_tag_copy(t, p);
} else
#endif
bcopy(t + 1, p + 1, t->m_tag_len); /* Copy the data */


@ -215,8 +215,8 @@ sem_create(struct thread *td, const char *name, struct ksem **ksret,
cv_init(&ret->ks_cv, "sem");
LIST_INIT(&ret->ks_users);
#ifdef MAC
mac_init_posix_sem(ret);
mac_create_posix_sem(uc, ret);
mac_posixsem_init(ret);
mac_posixsem_create(uc, ret);
#endif
if (name != NULL)
sem_enter(td->td_proc, ret);
@ -381,7 +381,7 @@ kern_sem_open(struct thread *td, int dir, const char *name, int oflag,
}
} else {
#ifdef MAC
error = mac_check_posix_sem_open(td->td_ucred, ks);
error = mac_posixsem_check_open(td->td_ucred, ks);
if (error)
goto err_open;
#endif
@ -540,7 +540,7 @@ kern_sem_unlink(struct thread *td, const char *name)
ks = sem_lookup_byname(name);
if (ks != NULL) {
#ifdef MAC
error = mac_check_posix_sem_unlink(td->td_ucred, ks);
error = mac_posixsem_check_unlink(td->td_ucred, ks);
if (error) {
mtx_unlock(&sem_lock);
return (error);
@ -614,7 +614,7 @@ kern_sem_post(struct thread *td, semid_t id)
goto err;
}
#ifdef MAC
error = mac_check_posix_sem_post(td->td_ucred, ks);
error = mac_posixsem_check_post(td->td_ucred, ks);
if (error)
goto err;
#endif
@ -709,7 +709,7 @@ kern_sem_wait(struct thread *td, semid_t id, int tryflag,
goto err;
}
#ifdef MAC
error = mac_check_posix_sem_wait(td->td_ucred, ks);
error = mac_posixsem_check_wait(td->td_ucred, ks);
if (error) {
DP(("kern_sem_wait mac failed\n"));
goto err;
@ -772,7 +772,7 @@ ksem_getvalue(struct thread *td, struct ksem_getvalue_args *uap)
return (EINVAL);
}
#ifdef MAC
error = mac_check_posix_sem_getvalue(td->td_ucred, ks);
error = mac_posixsem_check_getvalue(td->td_ucred, ks);
if (error) {
mtx_unlock(&sem_lock);
return (error);
@ -804,7 +804,7 @@ ksem_destroy(struct thread *td, struct ksem_destroy_args *uap)
goto err;
}
#ifdef MAC
error = mac_check_posix_sem_destroy(td->td_ucred, ks);
error = mac_posixsem_check_destroy(td->td_ucred, ks);
if (error)
goto err;
#endif


@ -267,7 +267,7 @@ soalloc(void)
if (so == NULL)
return (NULL);
#ifdef MAC
if (mac_init_socket(so, M_NOWAIT) != 0) {
if (mac_socket_init(so, M_NOWAIT) != 0) {
uma_zfree(socket_zone, so);
return (NULL);
}
@ -312,7 +312,7 @@ sodealloc(struct socket *so)
do_setopt_accept_filter(so, NULL);
#endif
#ifdef MAC
mac_destroy_socket(so);
mac_socket_destroy(so);
#endif
crfree(so->so_cred);
sx_destroy(&so->so_snd.sb_sx);
@ -362,7 +362,7 @@ socreate(int dom, struct socket **aso, int type, int proto,
so->so_cred = crhold(cred);
so->so_proto = prp;
#ifdef MAC
mac_create_socket(cred, so);
mac_socket_create(cred, so);
#endif
knlist_init(&so->so_rcv.sb_sel.si_note, SOCKBUF_MTX(&so->so_rcv),
NULL, NULL, NULL);
@ -429,7 +429,7 @@ sonewconn(struct socket *head, int connstatus)
so->so_cred = crhold(head->so_cred);
#ifdef MAC
SOCK_LOCK(head);
mac_create_socket_from_socket(head, so);
mac_socket_newconn(head, so);
SOCK_UNLOCK(head);
#endif
knlist_init(&so->so_rcv.sb_sel.si_note, SOCKBUF_MTX(&so->so_rcv),


@ -165,7 +165,7 @@ socket(td, uap)
int fd, error;
#ifdef MAC
error = mac_check_socket_create(td->td_ucred, uap->domain, uap->type,
error = mac_socket_check_create(td->td_ucred, uap->domain, uap->type,
uap->protocol);
if (error)
return (error);
@ -229,7 +229,7 @@ kern_bind(td, fd, sa)
so = fp->f_data;
#ifdef MAC
SOCK_LOCK(so);
error = mac_check_socket_bind(td->td_ucred, so, sa);
error = mac_socket_check_bind(td->td_ucred, so, sa);
SOCK_UNLOCK(so);
if (error)
goto done;
@ -260,7 +260,7 @@ listen(td, uap)
so = fp->f_data;
#ifdef MAC
SOCK_LOCK(so);
error = mac_check_socket_listen(td->td_ucred, so);
error = mac_socket_check_listen(td->td_ucred, so);
SOCK_UNLOCK(so);
if (error)
goto done;
@ -360,7 +360,7 @@ kern_accept(struct thread *td, int s, struct sockaddr **name,
}
#ifdef MAC
SOCK_LOCK(head);
error = mac_check_socket_accept(td->td_ucred, head);
error = mac_socket_check_accept(td->td_ucred, head);
SOCK_UNLOCK(head);
if (error != 0)
goto done;
@ -550,7 +550,7 @@ kern_connect(td, fd, sa)
}
#ifdef MAC
SOCK_LOCK(so);
error = mac_check_socket_connect(td->td_ucred, so, sa);
error = mac_socket_check_connect(td->td_ucred, so, sa);
SOCK_UNLOCK(so);
if (error)
goto bad;
@ -604,7 +604,7 @@ socketpair(td, uap)
#ifdef MAC
/* We might want to have a separate check for socket pairs. */
error = mac_check_socket_create(td->td_ucred, uap->domain, uap->type,
error = mac_socket_check_create(td->td_ucred, uap->domain, uap->type,
uap->protocol);
if (error)
return (error);
@ -761,7 +761,7 @@ kern_sendit(td, s, mp, flags, control, segflg)
#ifdef MAC
SOCK_LOCK(so);
error = mac_check_socket_send(td->td_ucred, so);
error = mac_socket_check_send(td->td_ucred, so);
SOCK_UNLOCK(so);
if (error)
goto bad;
@ -956,7 +956,7 @@ kern_recvit(td, s, mp, fromseg, controlp)
#ifdef MAC
SOCK_LOCK(so);
error = mac_check_socket_receive(td->td_ucred, so);
error = mac_socket_check_receive(td->td_ucred, so);
SOCK_UNLOCK(so);
if (error) {
fdrop(fp, td);
@ -1849,7 +1849,7 @@ kern_sendfile(struct thread *td, struct sendfile_args *uap,
#ifdef MAC
SOCK_LOCK(so);
error = mac_check_socket_send(td->td_ucred, so);
error = mac_socket_check_send(td->td_ucred, so);
SOCK_UNLOCK(so);
if (error)
goto out;
@ -2354,7 +2354,7 @@ sctp_generic_sendmsg (td, uap)
so = (struct socket *)fp->f_data;
#ifdef MAC
SOCK_LOCK(so);
error = mac_check_socket_send(td->td_ucred, so);
error = mac_socket_check_send(td->td_ucred, so);
SOCK_UNLOCK(so);
if (error)
goto sctp_bad;
@ -2454,7 +2454,7 @@ sctp_generic_sendmsg_iov(td, uap)
so = (struct socket *)fp->f_data;
#ifdef MAC
SOCK_LOCK(so);
error = mac_check_socket_send(td->td_ucred, so);
error = mac_socket_check_send(td->td_ucred, so);
SOCK_UNLOCK(so);
if (error)
goto sctp_bad;
@ -2551,7 +2551,7 @@ sctp_generic_recvmsg(td, uap)
so = fp->f_data;
#ifdef MAC
SOCK_LOCK(so);
error = mac_check_socket_receive(td->td_ucred, so);
error = mac_socket_check_receive(td->td_ucred, so);
SOCK_UNLOCK(so);
if (error) {
goto out;


@ -449,7 +449,7 @@ uipc_bind(struct socket *so, struct sockaddr *nam, struct thread *td)
vattr.va_type = VSOCK;
vattr.va_mode = (ACCESSPERMS & ~td->td_proc->p_fd->fd_cmask);
#ifdef MAC
error = mac_check_vnode_create(td->td_ucred, nd.ni_dvp, &nd.ni_cnd,
error = mac_vnode_check_create(td->td_ucred, nd.ni_dvp, &nd.ni_cnd,
&vattr);
#endif
if (error == 0) {
@ -1159,7 +1159,7 @@ unp_connect(struct socket *so, struct sockaddr *nam, struct thread *td)
goto bad;
}
#ifdef MAC
error = mac_check_vnode_open(td->td_ucred, vp, VWRITE | VREAD);
error = mac_vnode_check_open(td->td_ucred, vp, VWRITE | VREAD);
if (error)
goto bad;
#endif
@ -1236,8 +1236,8 @@ unp_connect(struct socket *so, struct sockaddr *nam, struct thread *td)
UNP_PCB_UNLOCK(unp);
#ifdef MAC
SOCK_LOCK(so);
mac_set_socket_peer_from_socket(so, so3);
mac_set_socket_peer_from_socket(so3, so);
mac_socketpeer_set_from_socket(so, so3);
mac_socketpeer_set_from_socket(so3, so);
SOCK_UNLOCK(so);
#endif


@ -93,7 +93,7 @@ vacl_set_acl(struct thread *td, struct vnode *vp, acl_type_t type,
VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE);
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
#ifdef MAC
error = mac_check_vnode_setacl(td->td_ucred, vp, type, &inkernacl);
error = mac_vnode_check_setacl(td->td_ucred, vp, type, &inkernacl);
if (error != 0)
goto out;
#endif
@ -119,7 +119,7 @@ vacl_get_acl(struct thread *td, struct vnode *vp, acl_type_t type,
VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE);
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
#ifdef MAC
error = mac_check_vnode_getacl(td->td_ucred, vp, type);
error = mac_vnode_check_getacl(td->td_ucred, vp, type);
if (error != 0)
goto out;
#endif
@ -148,7 +148,7 @@ vacl_delete(struct thread *td, struct vnode *vp, acl_type_t type)
VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE);
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
#ifdef MAC
error = mac_check_vnode_deleteacl(td->td_ucred, vp, type);
error = mac_vnode_check_deleteacl(td->td_ucred, vp, type);
if (error)
goto out;
#endif


@ -180,7 +180,7 @@ extattr_set_vp(struct vnode *vp, int attrnamespace, const char *attrname,
cnt = nbytes;
#ifdef MAC
error = mac_check_vnode_setextattr(td->td_ucred, vp, attrnamespace,
error = mac_vnode_check_setextattr(td->td_ucred, vp, attrnamespace,
attrname, &auio);
if (error)
goto done;
@ -358,7 +358,7 @@ extattr_get_vp(struct vnode *vp, int attrnamespace, const char *attrname,
sizep = &size;
#ifdef MAC
error = mac_check_vnode_getextattr(td->td_ucred, vp, attrnamespace,
error = mac_vnode_check_getextattr(td->td_ucred, vp, attrnamespace,
attrname, &auio);
if (error)
goto done;
@ -512,7 +512,7 @@ extattr_delete_vp(struct vnode *vp, int attrnamespace, const char *attrname,
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
#ifdef MAC
error = mac_check_vnode_deleteextattr(td->td_ucred, vp, attrnamespace,
error = mac_vnode_check_deleteextattr(td->td_ucred, vp, attrnamespace,
attrname);
if (error)
goto done;
@ -676,7 +676,7 @@ extattr_list_vp(struct vnode *vp, int attrnamespace, void *data,
sizep = &size;
#ifdef MAC
error = mac_check_vnode_listextattr(td->td_ucred, vp, attrnamespace);
error = mac_vnode_check_listextattr(td->td_ucred, vp, attrnamespace);
if (error)
goto done;
#endif


@ -252,7 +252,7 @@ namei(struct nameidata *ndp)
}
#ifdef MAC
if ((cnp->cn_flags & NOMACCHECK) == 0) {
error = mac_check_vnode_readlink(td->td_ucred,
error = mac_vnode_check_readlink(td->td_ucred,
ndp->ni_vp);
if (error)
break;
@ -556,7 +556,7 @@ lookup(struct nameidata *ndp)
unionlookup:
#ifdef MAC
if ((cnp->cn_flags & NOMACCHECK) == 0) {
error = mac_check_vnode_lookup(td->td_ucred, dp, cnp);
error = mac_vnode_check_lookup(td->td_ucred, dp, cnp);
if (error)
goto bad;
}


@ -488,8 +488,8 @@ vfs_mount_alloc(struct vnode *vp, struct vfsconf *vfsp,
strlcpy(mp->mnt_stat.f_mntonname, fspath, MNAMELEN);
mp->mnt_iosize_max = DFLTPHYS;
#ifdef MAC
mac_init_mount(mp);
mac_create_mount(td->td_ucred, mp);
mac_mount_init(mp);
mac_mount_create(td->td_ucred, mp);
#endif
arc4rand(&mp->mnt_hashseed, sizeof mp->mnt_hashseed, 0);
return (mp);
@ -567,7 +567,7 @@ vfs_mount_destroy(struct mount *mp)
mp->mnt_secondary_writes = -1000;
MNT_IUNLOCK(mp);
#ifdef MAC
mac_destroy_mount(mp);
mac_mount_destroy(mp);
#endif
if (mp->mnt_opt != NULL)
vfs_freeopts(mp->mnt_opt);


@ -811,7 +811,7 @@ vdestroy(struct vnode *vp)
VNASSERT(LIST_EMPTY(&vp->v_cache_src), vp, ("vp has namecache src"));
VI_UNLOCK(vp);
#ifdef MAC
mac_destroy_vnode(vp);
mac_vnode_destroy(vp);
#endif
if (vp->v_pollinfo != NULL) {
knlist_destroy(&vp->v_pollinfo->vpi_selinfo.si_note);
@ -955,9 +955,9 @@ getnewvnode(const char *tag, struct mount *mp, struct vop_vector *vops,
v_incr_usecount(vp);
vp->v_data = 0;
#ifdef MAC
mac_init_vnode(vp);
mac_vnode_init(vp);
if (mp != NULL && (mp->mnt_flag & MNT_MULTILABEL) == 0)
mac_associate_vnode_singlelabel(mp, vp);
mac_vnode_associate_singlelabel(mp, vp);
else if (mp == NULL)
printf("NULL mp in getnewvnode()\n");
#endif


@ -293,7 +293,7 @@ kern_statfs(struct thread *td, char *path, enum uio_seg pathseg,
NDFREE(&nd, NDF_ONLY_PNBUF);
vput(nd.ni_vp);
#ifdef MAC
error = mac_check_mount_stat(td->td_ucred, mp);
error = mac_mount_check_stat(td->td_ucred, mp);
if (error)
goto out;
#endif
@ -378,7 +378,7 @@ kern_fstatfs(struct thread *td, int fd, struct statfs *buf)
goto out;
}
#ifdef MAC
error = mac_check_mount_stat(td->td_ucred, mp);
error = mac_mount_check_stat(td->td_ucred, mp);
if (error)
goto out;
#endif
@ -470,7 +470,7 @@ kern_getfsstat(struct thread *td, struct statfs **buf, size_t bufsize,
continue;
}
#ifdef MAC
if (mac_check_mount_stat(td->td_ucred, mp) != 0) {
if (mac_mount_check_stat(td->td_ucred, mp) != 0) {
nmp = TAILQ_NEXT(mp, mnt_list);
continue;
}
@ -891,7 +891,7 @@ chroot(td, uap)
if ((error = change_dir(nd.ni_vp, td)) != 0)
goto e_vunlock;
#ifdef MAC
if ((error = mac_check_vnode_chroot(td->td_ucred, nd.ni_vp)))
if ((error = mac_vnode_check_chroot(td->td_ucred, nd.ni_vp)))
goto e_vunlock;
#endif
VOP_UNLOCK(nd.ni_vp, 0, td);
@ -923,7 +923,7 @@ change_dir(vp, td)
if (vp->v_type != VDIR)
return (ENOTDIR);
#ifdef MAC
error = mac_check_vnode_chdir(td->td_ucred, vp);
error = mac_vnode_check_chdir(td->td_ucred, vp);
if (error)
return (error);
#endif
@ -933,8 +933,8 @@ change_dir(vp, td)
/*
* Common routine for kern_chroot() and jail_attach(). The caller is
* responsible for invoking priv_check() and mac_check_chroot() to authorize
* this operation.
* responsible for invoking priv_check() and mac_vnode_check_chroot() to
* authorize this operation.
*/
int
change_root(vp, td)
@ -1103,7 +1103,7 @@ kern_open(struct thread *td, char *path, enum uio_seg pathseg, int flags,
vat.va_size = 0;
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
#ifdef MAC
error = mac_check_vnode_write(td->td_ucred, fp->f_cred, vp);
error = mac_vnode_check_write(td->td_ucred, fp->f_cred, vp);
if (error == 0)
#endif
error = VOP_SETATTR(vp, &vat, td->td_ucred, td);
@ -1258,7 +1258,7 @@ kern_mknod(struct thread *td, char *path, enum uio_seg pathseg, int mode,
}
#ifdef MAC
if (error == 0 && !whiteout)
error = mac_check_vnode_create(td->td_ucred, nd.ni_dvp,
error = mac_vnode_check_create(td->td_ucred, nd.ni_dvp,
&nd.ni_cnd, &vattr);
#endif
if (!error) {
@ -1341,7 +1341,7 @@ kern_mkfifo(struct thread *td, char *path, enum uio_seg pathseg, int mode)
vattr.va_mode = (mode & ALLPERMS) & ~td->td_proc->p_fd->fd_cmask;
FILEDESC_SUNLOCK(td->td_proc->p_fd);
#ifdef MAC
error = mac_check_vnode_create(td->td_ucred, nd.ni_dvp, &nd.ni_cnd,
error = mac_vnode_check_create(td->td_ucred, nd.ni_dvp, &nd.ni_cnd,
&vattr);
if (error)
goto out;
@ -1467,7 +1467,7 @@ kern_link(struct thread *td, char *path, char *link, enum uio_seg segflg)
error = can_hardlink(vp, td, td->td_ucred);
if (error == 0)
#ifdef MAC
error = mac_check_vnode_link(td->td_ucred,
error = mac_vnode_check_link(td->td_ucred,
nd.ni_dvp, vp, &nd.ni_cnd);
if (error == 0)
#endif
@ -1555,7 +1555,7 @@ kern_symlink(struct thread *td, char *path, char *link, enum uio_seg segflg)
FILEDESC_SUNLOCK(td->td_proc->p_fd);
#ifdef MAC
vattr.va_type = VLNK;
error = mac_check_vnode_create(td->td_ucred, nd.ni_dvp, &nd.ni_cnd,
error = mac_vnode_check_create(td->td_ucred, nd.ni_dvp, &nd.ni_cnd,
&vattr);
if (error)
goto out2;
@ -1693,7 +1693,7 @@ kern_unlink(struct thread *td, char *path, enum uio_seg pathseg)
goto restart;
}
#ifdef MAC
error = mac_check_vnode_unlink(td->td_ucred, nd.ni_dvp, vp,
error = mac_vnode_check_unlink(td->td_ucred, nd.ni_dvp, vp,
&nd.ni_cnd);
if (error)
goto out;
@ -1872,7 +1872,7 @@ vn_access(vp, user_flags, cred, td)
if (user_flags & X_OK)
flags |= VEXEC;
#ifdef MAC
error = mac_check_vnode_access(cred, vp, flags);
error = mac_vnode_check_access(cred, vp, flags);
if (error)
return (error);
#endif
@ -2341,7 +2341,7 @@ kern_readlink(struct thread *td, char *path, enum uio_seg pathseg, char *buf,
vfslocked = NDHASGIANT(&nd);
vp = nd.ni_vp;
#ifdef MAC
error = mac_check_vnode_readlink(td->td_ucred, vp);
error = mac_vnode_check_readlink(td->td_ucred, vp);
if (error) {
vput(vp);
VFS_UNLOCK_GIANT(vfslocked);
@ -2400,7 +2400,7 @@ setfflags(td, vp, flags)
VATTR_NULL(&vattr);
vattr.va_flags = flags;
#ifdef MAC
error = mac_check_vnode_setflags(td->td_ucred, vp, vattr.va_flags);
error = mac_vnode_check_setflags(td->td_ucred, vp, vattr.va_flags);
if (error == 0)
#endif
error = VOP_SETATTR(vp, &vattr, td->td_ucred, td);
@ -2528,7 +2528,7 @@ setfmode(td, vp, mode)
VATTR_NULL(&vattr);
vattr.va_mode = mode & ALLPERMS;
#ifdef MAC
error = mac_check_vnode_setmode(td->td_ucred, vp, vattr.va_mode);
error = mac_vnode_check_setmode(td->td_ucred, vp, vattr.va_mode);
if (error == 0)
#endif
error = VOP_SETATTR(vp, &vattr, td->td_ucred, td);
@ -2670,7 +2670,7 @@ setfown(td, vp, uid, gid)
vattr.va_uid = uid;
vattr.va_gid = gid;
#ifdef MAC
error = mac_check_vnode_setowner(td->td_ucred, vp, vattr.va_uid,
error = mac_vnode_check_setowner(td->td_ucred, vp, vattr.va_uid,
vattr.va_gid);
if (error == 0)
#endif
@ -2873,7 +2873,7 @@ setutimes(td, vp, ts, numtimes, nullflag)
if (nullflag)
vattr.va_vaflags |= VA_UTIMES_NULL;
#ifdef MAC
error = mac_check_vnode_setutimes(td->td_ucred, vp, vattr.va_atime,
error = mac_vnode_check_setutimes(td->td_ucred, vp, vattr.va_atime,
vattr.va_mtime);
#endif
if (error == 0)
@ -3069,7 +3069,7 @@ kern_truncate(struct thread *td, char *path, enum uio_seg pathseg, off_t length)
if (vp->v_type == VDIR)
error = EISDIR;
#ifdef MAC
else if ((error = mac_check_vnode_write(td->td_ucred, NOCRED, vp))) {
else if ((error = mac_vnode_check_write(td->td_ucred, NOCRED, vp))) {
}
#endif
else if ((error = vn_writechk(vp)) == 0 &&
@ -3129,7 +3129,7 @@ ftruncate(td, uap)
if (vp->v_type == VDIR)
error = EISDIR;
#ifdef MAC
else if ((error = mac_check_vnode_write(td->td_ucred, fp->f_cred,
else if ((error = mac_vnode_check_write(td->td_ucred, fp->f_cred,
vp))) {
}
#endif
@ -3315,7 +3315,7 @@ kern_rename(struct thread *td, char *from, char *to, enum uio_seg pathseg)
fvfslocked = NDHASGIANT(&fromnd);
tvfslocked = 0;
#ifdef MAC
error = mac_check_vnode_rename_from(td->td_ucred, fromnd.ni_dvp,
error = mac_vnode_check_rename_from(td->td_ucred, fromnd.ni_dvp,
fromnd.ni_vp, &fromnd.ni_cnd);
VOP_UNLOCK(fromnd.ni_dvp, 0, td);
if (fromnd.ni_dvp != fromnd.ni_vp)
@ -3366,7 +3366,7 @@ kern_rename(struct thread *td, char *from, char *to, enum uio_seg pathseg)
error = -1;
#ifdef MAC
else
error = mac_check_vnode_rename_to(td->td_ucred, tdvp,
error = mac_vnode_check_rename_to(td->td_ucred, tdvp,
tond.ni_vp, fromnd.ni_dvp == tdvp, &tond.ni_cnd);
#endif
out:
@ -3476,7 +3476,7 @@ kern_mkdir(struct thread *td, char *path, enum uio_seg segflg, int mode)
vattr.va_mode = (mode & ACCESSPERMS) &~ td->td_proc->p_fd->fd_cmask;
FILEDESC_SUNLOCK(td->td_proc->p_fd);
#ifdef MAC
error = mac_check_vnode_create(td->td_ucred, nd.ni_dvp, &nd.ni_cnd,
error = mac_vnode_check_create(td->td_ucred, nd.ni_dvp, &nd.ni_cnd,
&vattr);
if (error)
goto out;
@ -3550,7 +3550,7 @@ kern_rmdir(struct thread *td, char *path, enum uio_seg pathseg)
goto out;
}
#ifdef MAC
error = mac_check_vnode_unlink(td->td_ucred, nd.ni_dvp, vp,
error = mac_vnode_check_unlink(td->td_ucred, nd.ni_dvp, vp,
&nd.ni_cnd);
if (error)
goto out;
@ -3641,7 +3641,7 @@ ogetdirentries(td, uap)
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
loff = auio.uio_offset = fp->f_offset;
#ifdef MAC
error = mac_check_vnode_readdir(td->td_ucred, vp);
error = mac_vnode_check_readdir(td->td_ucred, vp);
if (error) {
VOP_UNLOCK(vp, 0, td);
VFS_UNLOCK_GIANT(vfslocked);
@ -3785,7 +3785,7 @@ getdirentries(td, uap)
AUDIT_ARG(vnode, vp, ARG_VNODE1);
loff = auio.uio_offset = fp->f_offset;
#ifdef MAC
error = mac_check_vnode_readdir(td->td_ucred, vp);
error = mac_vnode_check_readdir(td->td_ucred, vp);
if (error == 0)
#endif
error = VOP_READDIR(vp, &auio, fp->f_cred, &eofflag, NULL,
@ -3903,7 +3903,7 @@ revoke(td, uap)
goto out;
}
#ifdef MAC
error = mac_check_vnode_revoke(td->td_ucred, vp);
error = mac_vnode_check_revoke(td->td_ucred, vp);
if (error)
goto out;
#endif
@ -4126,7 +4126,7 @@ fhopen(td, uap)
if (fmode & O_APPEND)
mode |= VAPPEND;
#ifdef MAC
error = mac_check_vnode_open(td->td_ucred, vp, mode);
error = mac_vnode_check_open(td->td_ucred, vp, mode);
if (error)
goto bad;
#endif
@ -4148,7 +4148,7 @@ fhopen(td, uap)
* We don't yet have fp->f_cred, so use td->td_ucred, which
* should be right.
*/
error = mac_check_vnode_write(td->td_ucred, td->td_ucred, vp);
error = mac_vnode_check_write(td->td_ucred, td->td_ucred, vp);
if (error == 0) {
#endif
VATTR_NULL(vap);
@ -4337,7 +4337,7 @@ kern_fhstatfs(struct thread *td, fhandle_t fh, struct statfs *buf)
if (error)
goto out;
#ifdef MAC
error = mac_check_mount_stat(td->td_ucred, mp);
error = mac_mount_check_stat(td->td_ucred, mp);
if (error)
goto out;
#endif


@ -148,7 +148,7 @@ vn_open_cred(ndp, flagp, cmode, cred, fp)
goto restart;
}
#ifdef MAC
error = mac_check_vnode_create(cred, ndp->ni_dvp,
error = mac_vnode_check_create(cred, ndp->ni_dvp,
&ndp->ni_cnd, vap);
if (error == 0) {
#endif
@ -213,7 +213,7 @@ vn_open_cred(ndp, flagp, cmode, cred, fp)
if (fmode & O_APPEND)
mode |= VAPPEND;
#ifdef MAC
error = mac_check_vnode_open(cred, vp, mode);
error = mac_vnode_check_open(cred, vp, mode);
if (error)
goto bad;
#endif
@ -387,10 +387,10 @@ vn_rdwr(rw, vp, base, len, offset, segflg, ioflg, active_cred, file_cred,
#ifdef MAC
if ((ioflg & IO_NOMACCHECK) == 0) {
if (rw == UIO_READ)
error = mac_check_vnode_read(active_cred, file_cred,
error = mac_vnode_check_read(active_cred, file_cred,
vp);
else
error = mac_check_vnode_write(active_cred, file_cred,
error = mac_vnode_check_write(active_cred, file_cred,
vp);
}
#endif
@ -520,7 +520,7 @@ vn_read(fp, uio, active_cred, flags, td)
ioflag |= sequential_heuristic(uio, fp);
#ifdef MAC
error = mac_check_vnode_read(active_cred, fp->f_cred, vp);
error = mac_vnode_check_read(active_cred, fp->f_cred, vp);
if (error == 0)
#endif
error = VOP_READ(vp, uio, ioflag, fp->f_cred);
@ -580,7 +580,7 @@ vn_write(fp, uio, active_cred, flags, td)
uio->uio_offset = fp->f_offset;
ioflag |= sequential_heuristic(uio, fp);
#ifdef MAC
error = mac_check_vnode_write(active_cred, fp->f_cred, vp);
error = mac_vnode_check_write(active_cred, fp->f_cred, vp);
if (error == 0)
#endif
error = VOP_WRITE(vp, uio, ioflag, fp->f_cred);
@ -635,7 +635,7 @@ vn_stat(vp, sb, active_cred, file_cred, td)
u_short mode;
#ifdef MAC
error = mac_check_vnode_stat(active_cred, file_cred, vp);
error = mac_vnode_check_stat(active_cred, file_cred, vp);
if (error)
return (error);
#endif
@ -783,7 +783,7 @@ vn_poll(fp, events, active_cred, td)
vfslocked = VFS_LOCK_GIANT(vp->v_mount);
#ifdef MAC
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
error = mac_check_vnode_poll(active_cred, fp->f_cred, vp);
error = mac_vnode_check_poll(active_cred, fp->f_cred, vp);
VOP_UNLOCK(vp, 0, td);
if (!error)
#endif


@ -416,8 +416,8 @@ bpfopen(struct cdev *dev, int flags, int fmt, struct thread *td)
d->bd_direction = BPF_D_INOUT;
d->bd_pid = td->td_proc->p_pid;
#ifdef MAC
mac_init_bpfdesc(d);
mac_create_bpfdesc(td->td_ucred, d);
mac_bpfdesc_init(d);
mac_bpfdesc_create(td->td_ucred, d);
#endif
mtx_init(&d->bd_mtx, devtoname(dev), "bpf cdev lock", MTX_DEF);
callout_init(&d->bd_callout, CALLOUT_MPSAFE);
@ -448,7 +448,7 @@ bpfclose(struct cdev *dev, int flags, int fmt, struct thread *td)
mtx_unlock(&bpf_mtx);
selwakeuppri(&d->bd_sel, PRINET);
#ifdef MAC
mac_destroy_bpfdesc(d);
mac_bpfdesc_destroy(d);
#endif /* MAC */
knlist_destroy(&d->bd_sel.si_note);
bpf_freed(d);
@ -656,9 +656,9 @@ bpfwrite(struct cdev *dev, struct uio *uio, int ioflag)
#ifdef MAC
BPFD_LOCK(d);
mac_create_mbuf_from_bpfdesc(d, m);
mac_bpfdesc_create_mbuf(d, m);
if (mc != NULL)
mac_create_mbuf_from_bpfdesc(d, mc);
mac_bpfdesc_create_mbuf(d, mc);
BPFD_UNLOCK(d);
#endif
@ -1299,7 +1299,7 @@ bpf_tap(struct bpf_if *bp, u_char *pkt, u_int pktlen)
gottime = 1;
}
#ifdef MAC
if (mac_check_bpfdesc_receive(d, bp->bif_ifp) == 0)
if (mac_bpfdesc_check_receive(d, bp->bif_ifp) == 0)
#endif
catchpacket(d, pkt, pktlen, slen, bcopy, &tv);
}
@ -1378,7 +1378,7 @@ bpf_mtap(struct bpf_if *bp, struct mbuf *m)
gottime = 1;
}
#ifdef MAC
if (mac_check_bpfdesc_receive(d, bp->bif_ifp) == 0)
if (mac_bpfdesc_check_receive(d, bp->bif_ifp) == 0)
#endif
catchpacket(d, (u_char *)m, pktlen, slen,
bpf_mcopy, &tv);
@ -1433,7 +1433,7 @@ bpf_mtap2(struct bpf_if *bp, void *data, u_int dlen, struct mbuf *m)
gottime = 1;
}
#ifdef MAC
if (mac_check_bpfdesc_receive(d, bp->bif_ifp) == 0)
if (mac_bpfdesc_check_receive(d, bp->bif_ifp) == 0)
#endif
catchpacket(d, (u_char *)&mb, pktlen, slen,
bpf_mcopy, &tv);


@ -881,7 +881,7 @@ bsd_decompress(state, cmp, dmpp)
wptr = mtod(dmp, u_char *);
space = M_TRAILINGSPACE(dmp) - PPP_HDRLEN + 1;
#ifdef MAC
mac_copy_mbuf(cmp, dmp);
mac_mbuf_copy(cmp, dmp);
#endif
/*


@ -478,8 +478,8 @@ if_attach(struct ifnet *ifp)
ifp->if_data.ifi_datalen = sizeof(struct if_data);
#ifdef MAC
mac_init_ifnet(ifp);
mac_create_ifnet(ifp);
mac_ifnet_init(ifp);
mac_ifnet_create(ifp);
#endif
ifdev_byindex(ifp->if_index) = make_dev(&net_cdevsw,
@ -758,7 +758,7 @@ if_detach(struct ifnet *ifp)
IF_AFDATA_UNLOCK(ifp);
#ifdef MAC
mac_destroy_ifnet(ifp);
mac_ifnet_destroy(ifp);
#endif /* MAC */
KNOTE_UNLOCKED(&ifp->if_klist, NOTE_EXIT);
knlist_clear(&ifp->if_klist, 0);
@ -1534,7 +1534,7 @@ ifhwioctl(u_long cmd, struct ifnet *ifp, caddr_t data, struct thread *td)
#ifdef MAC
case SIOCGIFMAC:
error = mac_ioctl_ifnet_get(td->td_ucred, ifr, ifp);
error = mac_ifnet_ioctl_get(td->td_ucred, ifr, ifp);
break;
#endif
@ -1610,7 +1610,7 @@ ifhwioctl(u_long cmd, struct ifnet *ifp, caddr_t data, struct thread *td)
#ifdef MAC
case SIOCSIFMAC:
error = mac_ioctl_ifnet_set(td->td_ucred, ifr, ifp);
error = mac_ifnet_ioctl_set(td->td_ucred, ifr, ifp);
break;
#endif


@ -134,7 +134,7 @@ atm_output(struct ifnet *ifp, struct mbuf *m0, struct sockaddr *dst,
u_int32_t atm_flags;
#ifdef MAC
error = mac_check_ifnet_transmit(ifp, m);
error = mac_ifnet_check_transmit(ifp, m);
if (error)
senderr(error);
#endif
@ -261,7 +261,7 @@ atm_input(struct ifnet *ifp, struct atm_pseudohdr *ah, struct mbuf *m,
return;
}
#ifdef MAC
mac_create_mbuf_from_ifnet(ifp, m);
mac_ifnet_create_mbuf(ifp, m);
#endif
ifp->if_ibytes += m->m_pkthdr.len;


@ -157,7 +157,7 @@ ether_output(struct ifnet *ifp, struct mbuf *m,
int hlen; /* link layer header length */
#ifdef MAC
error = mac_check_ifnet_transmit(ifp, m);
error = mac_ifnet_check_transmit(ifp, m);
if (error)
senderr(error);
#endif
@ -570,7 +570,7 @@ ether_input(struct ifnet *ifp, struct mbuf *m)
* Tag the mbuf with an appropriate MAC label before any other
* consumers can get to it.
*/
mac_create_mbuf_from_ifnet(ifp, m);
mac_ifnet_create_mbuf(ifp, m);
#endif
/*


@ -121,7 +121,7 @@ fddi_output(ifp, m, dst, rt0)
struct fddi_header *fh;
#ifdef MAC
error = mac_check_ifnet_transmit(ifp, m);
error = mac_ifnet_check_transmit(ifp, m);
if (error)
senderr(error);
#endif
@ -407,7 +407,7 @@ fddi_input(ifp, m)
}
#ifdef MAC
mac_create_mbuf_from_ifnet(ifp, m);
mac_ifnet_create_mbuf(ifp, m);
#endif
/*


@ -91,7 +91,7 @@ firewire_output(struct ifnet *ifp, struct mbuf *m, struct sockaddr *dst,
static int next_dgl;
#ifdef MAC
error = mac_check_ifnet_transmit(ifp, m);
error = mac_ifnet_check_transmit(ifp, m);
if (error)
goto bad;
#endif
@ -557,7 +557,7 @@ firewire_input(struct ifnet *ifp, struct mbuf *m, uint16_t src)
* Tag the mbuf with an appropriate MAC label before any other
* consumers can get to it.
*/
mac_create_mbuf_from_ifnet(ifp, m);
mac_ifnet_create_mbuf(ifp, m);
#endif
/*


@ -360,7 +360,7 @@ gif_output(ifp, m, dst, rt)
u_int32_t af;
#ifdef MAC
error = mac_check_ifnet_transmit(ifp, m);
error = mac_ifnet_check_transmit(ifp, m);
if (error) {
m_freem(m);
goto end;
@ -479,7 +479,7 @@ gif_input(m, af, ifp)
m->m_pkthdr.rcvif = ifp;
#ifdef MAC
mac_create_mbuf_from_ifnet(ifp, m);
mac_ifnet_create_mbuf(ifp, m);
#endif
if (bpf_peers_present(ifp->if_bpf)) {


@ -244,7 +244,7 @@ iso88025_output(ifp, m, dst, rt0)
struct rtentry *rt = NULL;
#ifdef MAC
error = mac_check_ifnet_transmit(ifp, m);
error = mac_ifnet_check_transmit(ifp, m);
if (error)
senderr(error);
#endif
@ -503,7 +503,7 @@ iso88025_input(ifp, m)
}
#ifdef MAC
mac_create_mbuf_from_ifnet(ifp, m);
mac_ifnet_create_mbuf(ifp, m);
#endif
/*


@ -815,7 +815,7 @@ pppoutput(ifp, m0, dst, rtp)
int len;
#ifdef MAC
error = mac_check_ifnet_transmit(ifp, m0);
error = mac_ifnet_check_transmit(ifp, m0);
if (error)
goto bad;
#endif
@ -1231,7 +1231,7 @@ pppintr()
if (m == NULL)
break;
#ifdef MAC
mac_create_mbuf_from_ifnet(PPP2IFP(sc), m);
mac_ifnet_create_mbuf(PPP2IFP(sc), m);
#endif
ppp_inproc(sc, m);
}
@ -1509,7 +1509,7 @@ ppp_inproc(sc, m)
}
}
#ifdef MAC
mac_copy_mbuf(m, mp);
mac_mbuf_copy(m, mp);
#endif
cp = mtod(mp, u_char *);
cp[0] = adrs;
@ -1563,7 +1563,7 @@ ppp_inproc(sc, m)
MGETHDR(mp, M_DONTWAIT, MT_DATA);
if (mp != NULL) {
#ifdef MAC
mac_copy_mbuf(m, mp);
mac_mbuf_copy(m, mp);
#endif
m_copydata(m, 0, ilen, mtod(mp, caddr_t));
m_freem(m);


@ -406,7 +406,7 @@ stf_output(ifp, m, dst, rt)
#ifdef MAC
int error;
error = mac_check_ifnet_transmit(ifp, m);
error = mac_ifnet_check_transmit(ifp, m);
if (error) {
m_freem(m);
return (error);
@ -674,7 +674,7 @@ in_stf_input(m, off)
ifp = STF2IFP(sc);
#ifdef MAC
mac_create_mbuf_from_ifnet(ifp, m);
mac_ifnet_create_mbuf(ifp, m);
#endif
/*


@ -579,7 +579,7 @@ tunoutput(
TUNDEBUG (ifp, "tunoutput\n");
#ifdef MAC
error = mac_check_ifnet_transmit(ifp, m0);
error = mac_ifnet_check_transmit(ifp, m0);
if (error) {
m_freem(m0);
return (error);
@ -875,7 +875,7 @@ tunwrite(struct cdev *dev, struct uio *uio, int flag)
m->m_pkthdr.rcvif = ifp;
#ifdef MAC
mac_create_mbuf_from_ifnet(ifp, m);
mac_ifnet_create_mbuf(ifp, m);
#endif
/* Could be unlocked read? */


@ -411,7 +411,7 @@ ddp_input(struct mbuf *m, struct ifnet *ifp, struct elaphdr *elh, int phase)
#ifdef MAC
SOCK_LOCK(ddp->ddp_socket);
if (mac_check_socket_deliver(ddp->ddp_socket, m) != 0) {
if (mac_socket_check_deliver(ddp->ddp_socket, m) != 0) {
SOCK_UNLOCK(ddp->ddp_socket);
goto out;
}


@ -54,7 +54,7 @@ ddp_output(struct mbuf *m, struct socket *so)
#ifdef MAC
SOCK_LOCK(so);
mac_create_mbuf_from_socket(so, m);
mac_socket_create_mbuf(so, m);
SOCK_UNLOCK(so);
#endif
@ -200,7 +200,7 @@ ddp_route(struct mbuf *m, struct route *ro)
return (ENOBUFS);
}
#ifdef MAC
mac_copy_mbuf(m, m0);
mac_mbuf_copy(m, m0);
#endif
m0->m_next = m;
/* XXX perhaps we ought to align the header? */


@ -187,11 +187,11 @@ in_pcballoc(struct socket *so, struct inpcbinfo *pcbinfo)
inp->inp_pcbinfo = pcbinfo;
inp->inp_socket = so;
#ifdef MAC
error = mac_init_inpcb(inp, M_NOWAIT);
error = mac_inpcb_init(inp, M_NOWAIT);
if (error != 0)
goto out;
SOCK_LOCK(so);
mac_create_inpcb_from_socket(so, inp);
mac_inpcb_create(so, inp);
SOCK_UNLOCK(so);
#endif
@ -725,7 +725,7 @@ in_pcbfree(struct inpcb *inp)
inp->inp_vflag = 0;
#ifdef MAC
mac_destroy_inpcb(inp);
mac_inpcb_destroy(inp);
#endif
INP_UNLOCK(inp);
uma_zfree(ipi->ipi_zone, inp);


@ -376,7 +376,7 @@ div_output(struct socket *so, struct mbuf *m, struct sockaddr_in *sin,
ipstat.ips_rawout++; /* XXX */
#ifdef MAC
mac_create_mbuf_from_inpcb(inp, m);
mac_inpcb_create_mbuf(inp, m);
#endif
/*
* Get ready to inject the packet into ip_output().
@ -439,7 +439,7 @@ div_output(struct socket *so, struct mbuf *m, struct sockaddr_in *sin,
}
#ifdef MAC
SOCK_LOCK(so);
mac_create_mbuf_from_socket(so, m);
mac_socket_create_mbuf(so, m);
SOCK_UNLOCK(so);
#endif
/* Send packet to input processing via netisr */


@ -1619,9 +1619,9 @@ send_pkt(struct mbuf *replyto, struct ipfw_flow_id *id, u_int32_t seq,
#ifdef MAC
if (replyto != NULL)
mac_create_mbuf_netlayer(replyto, m);
mac_mbuf_create_netlayer(replyto, m);
else
mac_create_mbuf_from_firewall(m);
mac_mbuf_create_from_firewall(m);
#else
(void)replyto; /* don't warn about unused arg */
#endif


@ -221,7 +221,7 @@ stdreply: icmpelen = max(8, min(icmp_quotelen, oip->ip_len - oiphlen));
if (m == NULL)
goto freeit;
#ifdef MAC
mac_create_mbuf_netlayer(n, m);
mac_mbuf_create_netlayer(n, m);
#endif
icmplen = min(icmplen, M_TRAILINGSPACE(m) - sizeof(struct ip) - ICMP_MINLEN);
m_align(m, ICMP_MINLEN + icmplen);
@ -699,7 +699,7 @@ icmp_reflect(struct mbuf *m)
}
match:
#ifdef MAC
mac_reflect_mbuf_icmp(m);
mac_netinet_icmp_reply(m);
#endif
t = IA_SIN(ia)->sin_addr;
ip->ip_src = t;


@ -776,7 +776,7 @@ ip_reass(struct mbuf *m)
ip->ip_src.s_addr == fp->ipq_src.s_addr &&
ip->ip_dst.s_addr == fp->ipq_dst.s_addr &&
#ifdef MAC
mac_fragment_match(m, fp) &&
mac_ipq_match(m, fp) &&
#endif
ip->ip_p == fp->ipq_p)
goto found;
@ -852,12 +852,12 @@ ip_reass(struct mbuf *m)
if (fp == NULL)
goto dropfrag;
#ifdef MAC
if (mac_init_ipq(fp, M_NOWAIT) != 0) {
if (mac_ipq_init(fp, M_NOWAIT) != 0) {
uma_zfree(ipq_zone, fp);
fp = NULL;
goto dropfrag;
}
mac_create_ipq(m, fp);
mac_ipq_create(m, fp);
#endif
TAILQ_INSERT_HEAD(head, fp, ipq_list);
nipq++;
@ -873,7 +873,7 @@ ip_reass(struct mbuf *m)
} else {
fp->ipq_nfrags++;
#ifdef MAC
mac_update_ipq(m, fp);
mac_ipq_update(m, fp);
#endif
}
@ -1015,8 +1015,8 @@ ip_reass(struct mbuf *m)
m->m_pkthdr.csum_data =
(m->m_pkthdr.csum_data & 0xffff) + (m->m_pkthdr.csum_data >> 16);
#ifdef MAC
mac_create_datagram_from_ipq(fp, m);
mac_destroy_ipq(fp);
mac_ipq_reassemble(fp, m);
mac_ipq_destroy(fp);
#endif
/*


@ -508,7 +508,7 @@ ip_insertoptions(struct mbuf *m, struct mbuf *opt, int *phlen)
M_MOVE_PKTHDR(n, m);
n->m_pkthdr.rcvif = NULL;
#ifdef MAC
mac_copy_mbuf(m, n);
mac_mbuf_copy(m, n);
#endif
n->m_pkthdr.len += optlen;
m->m_len -= sizeof(struct ip);


@ -733,7 +733,7 @@ ip_fragment(struct ip *ip, struct mbuf **m_frag, int mtu,
m->m_pkthdr.len = mhlen + len;
m->m_pkthdr.rcvif = NULL;
#ifdef MAC
mac_create_fragment(m0, m);
mac_netinet_fragment(m0, m);
#endif
m->m_pkthdr.csum_flags = m0->m_pkthdr.csum_flags;
mhip->ip_off = htons(mhip->ip_off);


@ -164,7 +164,7 @@ raw_append(struct inpcb *last, struct ip *ip, struct mbuf *n)
}
#endif /* IPSEC */
#ifdef MAC
if (!policyfail && mac_check_inpcb_deliver(last, n) != 0)
if (!policyfail && mac_inpcb_check_deliver(last, n) != 0)
policyfail = 1;
#endif
/* Check the minimum TTL for socket. */
@ -330,7 +330,7 @@ rip_output(struct mbuf *m, struct socket *so, u_long dst)
flags |= IP_SENDONES;
#ifdef MAC
mac_create_mbuf_from_inpcb(inp, m);
mac_inpcb_create_mbuf(inp, m);
#endif
error = ip_output(m, inp->inp_options, NULL, flags,


@ -534,7 +534,7 @@ tcp_input(struct mbuf *m, int off0)
#ifdef MAC
INP_LOCK_ASSERT(inp);
if (mac_check_inpcb_deliver(inp, m))
if (mac_inpcb_check_deliver(inp, m))
goto dropunlock;
#endif
so = inp->inp_socket;
@ -1278,7 +1278,7 @@ tcp_do_segment(struct mbuf *m, struct tcphdr *th, struct socket *so,
soisconnected(so);
#ifdef MAC
SOCK_LOCK(so);
mac_set_socket_peer_from_mbuf(m, so);
mac_socketpeer_set_from_mbuf(m, so);
SOCK_UNLOCK(so);
#endif
/* Do window scaling on this connection? */


@ -846,7 +846,7 @@ tcp_output(struct tcpcb *tp)
SOCKBUF_UNLOCK_ASSERT(&so->so_snd);
m->m_pkthdr.rcvif = (struct ifnet *)0;
#ifdef MAC
mac_create_mbuf_from_inpcb(tp->t_inpcb, m);
mac_inpcb_create_mbuf(tp->t_inpcb, m);
#endif
#ifdef INET6
if (isipv6) {


@ -525,13 +525,13 @@ tcp_respond(struct tcpcb *tp, void *ipgen, struct tcphdr *th, struct mbuf *m,
* label of the response to reflect the socket label.
*/
INP_LOCK_ASSERT(inp);
mac_create_mbuf_from_inpcb(inp, m);
mac_inpcb_create_mbuf(inp, m);
} else {
/*
* Packet is not associated with a socket, so possibly
* update the label in place.
*/
mac_reflect_mbuf_tcp(m);
mac_netinet_tcp_reply(m);
}
#endif
nth->th_seq = htonl(seq);


@ -640,7 +640,7 @@ syncache_socket(struct syncache *sc, struct socket *lso, struct mbuf *m)
}
#ifdef MAC
SOCK_LOCK(so);
mac_set_socket_peer_from_mbuf(m, so);
mac_socketpeer_set_from_mbuf(m, so);
SOCK_UNLOCK(so);
#endif


@ -540,7 +540,7 @@ tcp_twrespond(struct tcptw *tw, int flags)
m->m_data += max_linkhdr;
#ifdef MAC
mac_create_mbuf_from_inpcb(inp, m);
mac_inpcb_create_mbuf(inp, m);
#endif
#ifdef INET6


@ -206,7 +206,7 @@ udp_append(struct inpcb *inp, struct ip *ip, struct mbuf *n, int off,
}
#endif /* IPSEC */
#ifdef MAC
if (mac_check_inpcb_deliver(inp, n) != 0) {
if (mac_inpcb_check_deliver(inp, n) != 0) {
m_freem(n);
return;
}
@ -843,7 +843,7 @@ udp_output(struct inpcb *inp, struct mbuf *m, struct sockaddr *addr,
INP_LOCK(inp);
#ifdef MAC
mac_create_mbuf_from_inpcb(inp, m);
mac_inpcb_create_mbuf(inp, m);
#endif
/*


@ -138,7 +138,7 @@ udp6_append(struct inpcb *inp, struct mbuf *n, int off,
}
#endif /* IPSEC */
#ifdef MAC
if (mac_check_inpcb_deliver(inp, n) != 0) {
if (mac_inpcb_check_deliver(inp, n) != 0) {
m_freem(n);
return;
}
@ -990,7 +990,7 @@ udp6_send(struct socket *so, int flags, struct mbuf *m,
}
#endif
#ifdef MAC
mac_create_mbuf_from_inpcb(inp, m);
mac_inpcb_create_mbuf(inp, m);
#endif
error = udp6_output(inp, m, addr, control, td);
out:


@ -114,7 +114,7 @@ audit(struct thread *td, struct audit_args *uap)
}
#ifdef MAC
error = mac_check_system_audit(td->td_ucred, rec, uap->length);
error = mac_system_check_audit(td->td_ucred, rec, uap->length);
if (error)
goto free_out;
#endif
@ -166,7 +166,7 @@ auditon(struct thread *td, struct auditon_args *uap)
AUDIT_ARG(cmd, uap->cmd);
#ifdef MAC
error = mac_check_system_auditon(td->td_ucred, uap->cmd);
error = mac_system_check_auditon(td->td_ucred, uap->cmd);
if (error)
return (error);
#endif
@ -470,7 +470,7 @@ setauid(struct thread *td, struct setauid_args *uap)
oldcred = td->td_proc->p_ucred;
crcopy(newcred, oldcred);
#ifdef MAC
error = mac_check_proc_setauid(oldcred, id);
error = mac_proc_check_setauid(oldcred, id);
if (error)
goto fail;
#endif
@ -533,7 +533,7 @@ setaudit(struct thread *td, struct setaudit_args *uap)
oldcred = td->td_proc->p_ucred;
crcopy(newcred, oldcred);
#ifdef MAC
error = mac_check_proc_setaudit(oldcred, &ai);
error = mac_proc_check_setaudit(oldcred, &ai);
if (error)
goto fail;
#endif
@ -596,7 +596,7 @@ setaudit_addr(struct thread *td, struct setaudit_addr_args *uap)
oldcred = td->td_proc->p_ucred;
crcopy(newcred, oldcred);
#ifdef MAC
error = mac_check_proc_setaudit_addr(oldcred, &aia);
error = mac_proc_check_setaudit_addr(oldcred, &aia);
if (error)
goto fail;
#endif
@ -655,7 +655,7 @@ auditctl(struct thread *td, struct auditctl_args *uap)
vfslocked = NDHASGIANT(&nd);
vp = nd.ni_vp;
#ifdef MAC
error = mac_check_system_auditctl(td->td_ucred, vp);
error = mac_system_check_auditctl(td->td_ucred, vp);
VOP_UNLOCK(vp, 0, td);
if (error) {
vn_close(vp, AUDIT_CLOSE_FLAGS, td->td_ucred, td);


@ -2,6 +2,7 @@
* Copyright (c) 1999-2002 Robert N. M. Watson
* Copyright (c) 2001 Ilmar S. Habibulin
* Copyright (c) 2001-2004 Networks Associates Technology, Inc.
* Copyright (c) 2006 SPARTA, Inc.
*
* This software was developed by Robert Watson and Ilmar Habibulin for the
* TrustedBSD Project.
@ -11,6 +12,9 @@
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
* as part of the DARPA CHATS research program.
*
* This software was enhanced by SPARTA ISSO under SPAWAR contract
* N66001-04-C-6019 ("SEFOS").
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@ -46,66 +50,66 @@
#include <security/mac/mac_policy.h>
int
mac_check_proc_setaudit(struct ucred *cred, struct auditinfo *ai)
mac_proc_check_setaudit(struct ucred *cred, struct auditinfo *ai)
{
int error;
MAC_CHECK(check_proc_setaudit, cred, ai);
MAC_CHECK(proc_check_setaudit, cred, ai);
return (error);
}
int
mac_check_proc_setaudit_addr(struct ucred *cred, struct auditinfo_addr *aia)
mac_proc_check_setaudit_addr(struct ucred *cred, struct auditinfo_addr *aia)
{
int error;
MAC_CHECK(check_proc_setaudit_addr, cred, aia);
MAC_CHECK(proc_check_setaudit_addr, cred, aia);
return (error);
}
int
mac_check_proc_setauid(struct ucred *cred, uid_t auid)
mac_proc_check_setauid(struct ucred *cred, uid_t auid)
{
int error;
MAC_CHECK(check_proc_setauid, cred, auid);
MAC_CHECK(proc_check_setauid, cred, auid);
return (error);
}
int
mac_check_system_audit(struct ucred *cred, void *record, int length)
mac_system_check_audit(struct ucred *cred, void *record, int length)
{
int error;
MAC_CHECK(check_system_audit, cred, record, length);
MAC_CHECK(system_check_audit, cred, record, length);
return (error);
}
int
mac_check_system_auditctl(struct ucred *cred, struct vnode *vp)
mac_system_check_auditctl(struct ucred *cred, struct vnode *vp)
{
int error;
struct label *vl;
ASSERT_VOP_LOCKED(vp, "mac_check_system_auditctl");
ASSERT_VOP_LOCKED(vp, "mac_system_check_auditctl");
vl = (vp != NULL) ? vp->v_label : NULL;
MAC_CHECK(check_system_auditctl, cred, vp, vl);
MAC_CHECK(system_check_auditctl, cred, vp, vl);
return (error);
}
int
mac_check_system_auditon(struct ucred *cred, int cmd)
mac_system_check_auditon(struct ucred *cred, int cmd)
{
int error;
MAC_CHECK(check_system_auditon, cred, cmd);
MAC_CHECK(system_check_auditon, cred, cmd);
return (error);
}


@ -90,44 +90,44 @@ struct vop_setlabel_args;
/*
* Kernel functions to manage and evaluate labels.
*/
void mac_init_bpfdesc(struct bpf_d *);
void mac_init_cred(struct ucred *);
void mac_init_devfs(struct devfs_dirent *);
void mac_init_ifnet(struct ifnet *);
int mac_init_inpcb(struct inpcb *, int);
void mac_init_sysv_msgmsg(struct msg *);
void mac_init_sysv_msgqueue(struct msqid_kernel *);
void mac_init_sysv_sem(struct semid_kernel *);
void mac_init_sysv_shm(struct shmid_kernel *);
int mac_init_ipq(struct ipq *, int);
int mac_init_socket(struct socket *, int);
void mac_init_pipe(struct pipepair *);
void mac_init_posix_sem(struct ksem *);
int mac_init_mbuf(struct mbuf *, int);
int mac_init_mbuf_tag(struct m_tag *, int);
void mac_init_mount(struct mount *);
void mac_init_proc(struct proc *);
void mac_init_vnode(struct vnode *);
void mac_copy_mbuf(struct mbuf *, struct mbuf *);
void mac_copy_mbuf_tag(struct m_tag *, struct m_tag *);
void mac_copy_vnode_label(struct label *, struct label *);
void mac_destroy_bpfdesc(struct bpf_d *);
void mac_destroy_cred(struct ucred *);
void mac_destroy_devfs(struct devfs_dirent *);
void mac_destroy_ifnet(struct ifnet *);
void mac_destroy_inpcb(struct inpcb *);
void mac_destroy_sysv_msgmsg(struct msg *);
void mac_destroy_sysv_msgqueue(struct msqid_kernel *);
void mac_destroy_sysv_sem(struct semid_kernel *);
void mac_destroy_sysv_shm(struct shmid_kernel *);
void mac_destroy_ipq(struct ipq *);
void mac_destroy_socket(struct socket *);
void mac_destroy_pipe(struct pipepair *);
void mac_destroy_posix_sem(struct ksem *);
void mac_destroy_proc(struct proc *);
void mac_destroy_mbuf_tag(struct m_tag *);
void mac_destroy_mount(struct mount *);
void mac_destroy_vnode(struct vnode *);
void mac_bpfdesc_init(struct bpf_d *);
void mac_cred_init(struct ucred *);
void mac_devfs_init(struct devfs_dirent *);
void mac_ifnet_init(struct ifnet *);
int mac_inpcb_init(struct inpcb *, int);
void mac_sysvmsg_init(struct msg *);
void mac_sysvmsq_init(struct msqid_kernel *);
void mac_sysvsem_init(struct semid_kernel *);
void mac_sysvshm_init(struct shmid_kernel *);
int mac_ipq_init(struct ipq *, int);
int mac_socket_init(struct socket *, int);
void mac_pipe_init(struct pipepair *);
void mac_posixsem_init(struct ksem *);
int mac_mbuf_init(struct mbuf *, int);
int mac_mbuf_tag_init(struct m_tag *, int);
void mac_mount_init(struct mount *);
void mac_proc_init(struct proc *);
void mac_vnode_init(struct vnode *);
void mac_mbuf_copy(struct mbuf *, struct mbuf *);
void mac_mbuf_tag_copy(struct m_tag *, struct m_tag *);
void mac_vnode_copy_label(struct label *, struct label *);
void mac_bpfdesc_destroy(struct bpf_d *);
void mac_cred_destroy(struct ucred *);
void mac_devfs_destroy(struct devfs_dirent *);
void mac_ifnet_destroy(struct ifnet *);
void mac_inpcb_destroy(struct inpcb *);
void mac_sysvmsg_destroy(struct msg *);
void mac_sysvmsq_destroy(struct msqid_kernel *);
void mac_sysvsem_destroy(struct semid_kernel *);
void mac_sysvshm_destroy(struct shmid_kernel *);
void mac_ipq_destroy(struct ipq *);
void mac_socket_destroy(struct socket *);
void mac_pipe_destroy(struct pipepair *);
void mac_posixsem_destroy(struct ksem *);
void mac_proc_destroy(struct proc *);
void mac_mbuf_tag_destroy(struct m_tag *);
void mac_mount_destroy(struct mount *);
void mac_vnode_destroy(struct vnode *);
struct label *mac_cred_label_alloc(void);
void mac_cred_label_free(struct label *);
@ -138,75 +138,73 @@ void mac_vnode_label_free(struct label *);
* Labeling event operations: file system objects, and things that look a lot
* like file system objects.
*/
void mac_associate_vnode_devfs(struct mount *mp, struct devfs_dirent *de,
void mac_devfs_vnode_associate(struct mount *mp, struct devfs_dirent *de,
struct vnode *vp);
int mac_associate_vnode_extattr(struct mount *mp, struct vnode *vp);
void mac_associate_vnode_singlelabel(struct mount *mp, struct vnode *vp);
void mac_create_devfs_device(struct ucred *cred, struct mount *mp,
int mac_vnode_associate_extattr(struct mount *mp, struct vnode *vp);
void mac_vnode_associate_singlelabel(struct mount *mp, struct vnode *vp);
void mac_devfs_create_device(struct ucred *cred, struct mount *mp,
struct cdev *dev, struct devfs_dirent *de);
void mac_create_devfs_directory(struct mount *mp, char *dirname,
void mac_devfs_create_directory(struct mount *mp, char *dirname,
int dirnamelen, struct devfs_dirent *de);
void mac_create_devfs_symlink(struct ucred *cred, struct mount *mp,
void mac_devfs_create_symlink(struct ucred *cred, struct mount *mp,
struct devfs_dirent *dd, struct devfs_dirent *de);
int mac_create_vnode_extattr(struct ucred *cred, struct mount *mp,
int mac_vnode_create_extattr(struct ucred *cred, struct mount *mp,
struct vnode *dvp, struct vnode *vp, struct componentname *cnp);
void mac_create_mount(struct ucred *cred, struct mount *mp);
void mac_relabel_vnode(struct ucred *cred, struct vnode *vp,
void mac_mount_create(struct ucred *cred, struct mount *mp);
void mac_vnode_relabel(struct ucred *cred, struct vnode *vp,
struct label *newlabel);
void mac_update_devfs(struct mount *mp, struct devfs_dirent *de,
void mac_devfs_update(struct mount *mp, struct devfs_dirent *de,
struct vnode *vp);
/*
* Labeling event operations: IPC objects.
*/
void mac_create_mbuf_from_socket(struct socket *so, struct mbuf *m);
void mac_create_socket(struct ucred *cred, struct socket *so);
void mac_create_socket_from_socket(struct socket *oldso,
void mac_socket_create_mbuf(struct socket *so, struct mbuf *m);
void mac_socket_create(struct ucred *cred, struct socket *so);
void mac_socket_newconn(struct socket *oldso, struct socket *newso);
void mac_socketpeer_set_from_mbuf(struct mbuf *m, struct socket *so);
void mac_socketpeer_set_from_socket(struct socket *oldso,
struct socket *newso);
void mac_set_socket_peer_from_mbuf(struct mbuf *m, struct socket *so);
void mac_set_socket_peer_from_socket(struct socket *oldso,
struct socket *newso);
void mac_create_pipe(struct ucred *cred, struct pipepair *pp);
void mac_pipe_create(struct ucred *cred, struct pipepair *pp);
/*
* Labeling event operations: System V IPC primitives
*/
void mac_create_sysv_msgmsg(struct ucred *cred,
struct msqid_kernel *msqkptr, struct msg *msgptr);
void mac_create_sysv_msgqueue(struct ucred *cred,
struct msqid_kernel *msqkptr);
void mac_create_sysv_sem(struct ucred *cred,
void mac_sysvmsg_create(struct ucred *cred, struct msqid_kernel *msqkptr,
struct msg *msgptr);
void mac_sysvmsq_create(struct ucred *cred, struct msqid_kernel *msqkptr);
void mac_sysvsem_create(struct ucred *cred,
struct semid_kernel *semakptr);
void mac_create_sysv_shm(struct ucred *cred,
void mac_sysvshm_create(struct ucred *cred,
struct shmid_kernel *shmsegptr);
/*
* Labeling event operations: POSIX (global/inter-process) semaphores.
*/
void mac_create_posix_sem(struct ucred *cred, struct ksem *ks);
void mac_posixsem_create(struct ucred *cred, struct ksem *ks);
/*
* Labeling event operations: network objects.
*/
void mac_create_bpfdesc(struct ucred *cred, struct bpf_d *d);
void mac_create_ifnet(struct ifnet *ifp);
void mac_create_inpcb_from_socket(struct socket *so, struct inpcb *inp);
void mac_create_ipq(struct mbuf *m, struct ipq *ipq);
void mac_create_datagram_from_ipq(struct ipq *ipq, struct mbuf *m);
void mac_create_fragment(struct mbuf *m, struct mbuf *frag);
void mac_create_mbuf_from_inpcb(struct inpcb *inp, struct mbuf *m);
void mac_bpfdesc_create(struct ucred *cred, struct bpf_d *d);
void mac_ifnet_create(struct ifnet *ifp);
void mac_inpcb_create(struct socket *so, struct inpcb *inp);
void mac_ipq_create(struct mbuf *m, struct ipq *ipq);
void mac_ipq_reassemble(struct ipq *ipq, struct mbuf *m);
void mac_netinet_fragment(struct mbuf *m, struct mbuf *frag);
void mac_inpcb_create_mbuf(struct inpcb *inp, struct mbuf *m);
void mac_create_mbuf_linklayer(struct ifnet *ifp, struct mbuf *m);
void mac_create_mbuf_from_bpfdesc(struct bpf_d *d, struct mbuf *m);
void mac_create_mbuf_from_ifnet(struct ifnet *ifp, struct mbuf *m);
void mac_create_mbuf_multicast_encap(struct mbuf *m, struct ifnet *ifp,
void mac_bpfdesc_create_mbuf(struct bpf_d *d, struct mbuf *m);
void mac_ifnet_create_mbuf(struct ifnet *ifp, struct mbuf *m);
void mac_mbuf_create_multicast_encap(struct mbuf *m, struct ifnet *ifp,
struct mbuf *mnew);
void mac_create_mbuf_netlayer(struct mbuf *m, struct mbuf *mnew);
int mac_fragment_match(struct mbuf *m, struct ipq *ipq);
void mac_reflect_mbuf_icmp(struct mbuf *m);
void mac_reflect_mbuf_tcp(struct mbuf *m);
void mac_update_ipq(struct mbuf *m, struct ipq *ipq);
void mac_mbuf_create_netlayer(struct mbuf *m, struct mbuf *mnew);
int mac_ipq_match(struct mbuf *m, struct ipq *ipq);
void mac_netinet_icmp_reply(struct mbuf *m);
void mac_netinet_tcp_reply(struct mbuf *m);
void mac_ipq_update(struct mbuf *m, struct ipq *ipq);
void mac_inpcb_sosetlabel(struct socket *so, struct inpcb *inp);
void mac_create_mbuf_from_firewall(struct mbuf *m);
void mac_mbuf_create_from_firewall(struct mbuf *m);
void mac_destroy_syncache(struct label **l);
int mac_init_syncache(struct label **l);
void mac_init_syncache_from_inpcb(struct label *l, struct inpcb *inp);
@ -215,16 +213,17 @@ void mac_create_mbuf_from_syncache(struct label *l, struct mbuf *m);
/*
* Labeling event operations: processes.
*/
void mac_copy_cred(struct ucred *cr1, struct ucred *cr2);
void mac_cred_copy(struct ucred *cr1, struct ucred *cr2);
int mac_execve_enter(struct image_params *imgp, struct mac *mac_p);
void mac_execve_exit(struct image_params *imgp);
void mac_execve_transition(struct ucred *oldcred, struct ucred *newcred,
void mac_vnode_execve_transition(struct ucred *oldcred,
struct ucred *newcred, struct vnode *vp,
struct label *interpvnodelabel, struct image_params *imgp);
int mac_vnode_execve_will_transition(struct ucred *cred,
struct vnode *vp, struct label *interpvnodelabel,
struct image_params *imgp);
int mac_execve_will_transition(struct ucred *cred, struct vnode *vp,
struct label *interpvnodelabel, struct image_params *imgp);
void mac_create_proc0(struct ucred *cred);
void mac_create_proc1(struct ucred *cred);
void mac_proc_create_swapper(struct ucred *cred);
void mac_proc_create_init(struct ucred *cred);
void mac_thread_userret(struct thread *td);
/*
@ -238,177 +237,177 @@ void mac_thread_userret(struct thread *td);
* XXXRW: These object methods are inconsistent with the life cycles of other
* objects, and likely should be revised to be more consistent.
*/
void mac_cleanup_sysv_msgmsg(struct msg *msgptr);
void mac_cleanup_sysv_msgqueue(struct msqid_kernel *msqkptr);
void mac_cleanup_sysv_sem(struct semid_kernel *semakptr);
void mac_cleanup_sysv_shm(struct shmid_kernel *shmsegptr);
void mac_sysvmsg_cleanup(struct msg *msgptr);
void mac_sysvmsq_cleanup(struct msqid_kernel *msqkptr);
void mac_sysvsem_cleanup(struct semid_kernel *semakptr);
void mac_sysvshm_cleanup(struct shmid_kernel *shmsegptr);
/*
* Access control checks.
*/
int mac_check_bpfdesc_receive(struct bpf_d *d, struct ifnet *ifp);
int mac_check_cred_visible(struct ucred *cr1, struct ucred *cr2);
int mac_check_ifnet_transmit(struct ifnet *ifp, struct mbuf *m);
int mac_check_inpcb_deliver(struct inpcb *inp, struct mbuf *m);
int mac_check_sysv_msgmsq(struct ucred *cred, struct msg *msgptr,
int mac_bpfdesc_check_receive(struct bpf_d *d, struct ifnet *ifp);
int mac_cred_check_visible(struct ucred *cr1, struct ucred *cr2);
int mac_ifnet_check_transmit(struct ifnet *ifp, struct mbuf *m);
int mac_inpcb_check_deliver(struct inpcb *inp, struct mbuf *m);
int mac_sysvmsq_check_msgmsq(struct ucred *cred, struct msg *msgptr,
struct msqid_kernel *msqkptr);
int mac_check_sysv_msgrcv(struct ucred *cred, struct msg *msgptr);
int mac_check_sysv_msgrmid(struct ucred *cred, struct msg *msgptr);
int mac_check_sysv_msqget(struct ucred *cred,
int mac_sysvmsq_check_msgrcv(struct ucred *cred, struct msg *msgptr);
int mac_sysvmsq_check_msgrmid(struct ucred *cred, struct msg *msgptr);
int mac_sysvmsq_check_msqget(struct ucred *cred,
struct msqid_kernel *msqkptr);
int mac_check_sysv_msqsnd(struct ucred *cred,
int mac_sysvmsq_check_msqsnd(struct ucred *cred,
struct msqid_kernel *msqkptr);
int mac_check_sysv_msqrcv(struct ucred *cred,
int mac_sysvmsq_check_msqrcv(struct ucred *cred,
struct msqid_kernel *msqkptr);
int mac_check_sysv_msqctl(struct ucred *cred,
int mac_sysvmsq_check_msqctl(struct ucred *cred,
struct msqid_kernel *msqkptr, int cmd);
int mac_check_sysv_semctl(struct ucred *cred,
int mac_sysvsem_check_semctl(struct ucred *cred,
struct semid_kernel *semakptr, int cmd);
int mac_check_sysv_semget(struct ucred *cred,
int mac_sysvsem_check_semget(struct ucred *cred,
struct semid_kernel *semakptr);
int mac_check_sysv_semop(struct ucred *cred,struct semid_kernel *semakptr,
size_t accesstype);
int mac_check_sysv_shmat(struct ucred *cred,
int mac_sysvsem_check_semop(struct ucred *cred,
struct semid_kernel *semakptr, size_t accesstype);
int mac_sysvshm_check_shmat(struct ucred *cred,
struct shmid_kernel *shmsegptr, int shmflg);
int mac_check_sysv_shmctl(struct ucred *cred,
int mac_sysvshm_check_shmctl(struct ucred *cred,
struct shmid_kernel *shmsegptr, int cmd);
int mac_check_sysv_shmdt(struct ucred *cred,
int mac_sysvshm_check_shmdt(struct ucred *cred,
struct shmid_kernel *shmsegptr);
int mac_check_sysv_shmget(struct ucred *cred,
int mac_sysvshm_check_shmget(struct ucred *cred,
struct shmid_kernel *shmsegptr, int shmflg);
int mac_check_kenv_dump(struct ucred *cred);
int mac_check_kenv_get(struct ucred *cred, char *name);
int mac_check_kenv_set(struct ucred *cred, char *name, char *value);
int mac_check_kenv_unset(struct ucred *cred, char *name);
int mac_check_kld_load(struct ucred *cred, struct vnode *vp);
int mac_check_kld_stat(struct ucred *cred);
int mac_check_mount_stat(struct ucred *cred, struct mount *mp);
int mac_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp,
int mac_kenv_check_dump(struct ucred *cred);
int mac_kenv_check_get(struct ucred *cred, char *name);
int mac_kenv_check_set(struct ucred *cred, char *name, char *value);
int mac_kenv_check_unset(struct ucred *cred, char *name);
int mac_kld_check_load(struct ucred *cred, struct vnode *vp);
int mac_kld_check_stat(struct ucred *cred);
int mac_mount_check_stat(struct ucred *cred, struct mount *mp);
int mac_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp,
unsigned long cmd, void *data);
int mac_check_pipe_poll(struct ucred *cred, struct pipepair *pp);
int mac_check_pipe_read(struct ucred *cred, struct pipepair *pp);
int mac_check_pipe_stat(struct ucred *cred, struct pipepair *pp);
int mac_check_pipe_write(struct ucred *cred, struct pipepair *pp);
int mac_check_posix_sem_destroy(struct ucred *cred, struct ksem *ks);
int mac_check_posix_sem_getvalue(struct ucred *cred,struct ksem *ks);
int mac_check_posix_sem_open(struct ucred *cred, struct ksem *ks);
int mac_check_posix_sem_post(struct ucred *cred, struct ksem *ks);
int mac_check_posix_sem_unlink(struct ucred *cred, struct ksem *ks);
int mac_check_posix_sem_wait(struct ucred *cred, struct ksem *ks);
int mac_check_proc_debug(struct ucred *cred, struct proc *p);
int mac_check_proc_sched(struct ucred *cred, struct proc *p);
int mac_check_proc_setaudit(struct ucred *cred, struct auditinfo *ai);
int mac_check_proc_setaudit_addr(struct ucred *cred,
int mac_pipe_check_poll(struct ucred *cred, struct pipepair *pp);
int mac_pipe_check_read(struct ucred *cred, struct pipepair *pp);
int mac_pipe_check_stat(struct ucred *cred, struct pipepair *pp);
int mac_pipe_check_write(struct ucred *cred, struct pipepair *pp);
int mac_posixsem_check_destroy(struct ucred *cred, struct ksem *ks);
int mac_posixsem_check_getvalue(struct ucred *cred,struct ksem *ks);
int mac_posixsem_check_open(struct ucred *cred, struct ksem *ks);
int mac_posixsem_check_post(struct ucred *cred, struct ksem *ks);
int mac_posixsem_check_unlink(struct ucred *cred, struct ksem *ks);
int mac_posixsem_check_wait(struct ucred *cred, struct ksem *ks);
int mac_proc_check_debug(struct ucred *cred, struct proc *p);
int mac_proc_check_sched(struct ucred *cred, struct proc *p);
int mac_proc_check_setaudit(struct ucred *cred, struct auditinfo *ai);
int mac_proc_check_setaudit_addr(struct ucred *cred,
struct auditinfo_addr *aia);
int mac_check_proc_setauid(struct ucred *cred, uid_t auid);
int mac_check_proc_setuid(struct proc *p, struct ucred *cred,
int mac_proc_check_setauid(struct ucred *cred, uid_t auid);
int mac_proc_check_setuid(struct proc *p, struct ucred *cred,
uid_t uid);
int mac_check_proc_seteuid(struct proc *p, struct ucred *cred,
int mac_proc_check_seteuid(struct proc *p, struct ucred *cred,
uid_t euid);
int mac_check_proc_setgid(struct proc *p, struct ucred *cred,
int mac_proc_check_setgid(struct proc *p, struct ucred *cred,
gid_t gid);
int mac_check_proc_setegid(struct proc *p, struct ucred *cred,
int mac_proc_check_setegid(struct proc *p, struct ucred *cred,
gid_t egid);
int mac_check_proc_setgroups(struct proc *p, struct ucred *cred,
int mac_proc_check_setgroups(struct proc *p, struct ucred *cred,
int ngroups, gid_t *gidset);
int mac_check_proc_setreuid(struct proc *p, struct ucred *cred,
int mac_proc_check_setreuid(struct proc *p, struct ucred *cred,
uid_t ruid, uid_t euid);
int mac_check_proc_setregid(struct proc *p, struct ucred *cred,
int mac_proc_check_setregid(struct proc *p, struct ucred *cred,
gid_t rgid, gid_t egid);
int mac_check_proc_setresuid(struct proc *p, struct ucred *cred,
int mac_proc_check_setresuid(struct proc *p, struct ucred *cred,
uid_t ruid, uid_t euid, uid_t suid);
int mac_check_proc_setresgid(struct proc *p, struct ucred *cred,
int mac_proc_check_setresgid(struct proc *p, struct ucred *cred,
gid_t rgid, gid_t egid, gid_t sgid);
int mac_check_proc_signal(struct ucred *cred, struct proc *p,
int mac_proc_check_signal(struct ucred *cred, struct proc *p,
int signum);
int mac_check_proc_wait(struct ucred *cred, struct proc *p);
int mac_check_socket_accept(struct ucred *cred, struct socket *so);
int mac_check_socket_bind(struct ucred *cred, struct socket *so,
int mac_proc_check_wait(struct ucred *cred, struct proc *p);
int mac_socket_check_accept(struct ucred *cred, struct socket *so);
int mac_socket_check_bind(struct ucred *cred, struct socket *so,
struct sockaddr *sa);
int mac_check_socket_connect(struct ucred *cred, struct socket *so,
int mac_socket_check_connect(struct ucred *cred, struct socket *so,
struct sockaddr *sa);
int mac_check_socket_create(struct ucred *cred, int domain, int type,
int mac_socket_check_create(struct ucred *cred, int domain, int type,
int proto);
int mac_check_socket_deliver(struct socket *so, struct mbuf *m);
int mac_check_socket_listen(struct ucred *cred, struct socket *so);
int mac_check_socket_poll(struct ucred *cred, struct socket *so);
int mac_check_socket_receive(struct ucred *cred, struct socket *so);
int mac_check_socket_send(struct ucred *cred, struct socket *so);
int mac_check_socket_stat(struct ucred *cred, struct socket *so);
int mac_check_socket_visible(struct ucred *cred, struct socket *so);
int mac_check_system_acct(struct ucred *cred, struct vnode *vp);
int mac_check_system_audit(struct ucred *cred, void *record, int length);
int mac_check_system_auditctl(struct ucred *cred, struct vnode *vp);
int mac_check_system_auditon(struct ucred *cred, int cmd);
int mac_check_system_reboot(struct ucred *cred, int howto);
int mac_check_system_swapon(struct ucred *cred, struct vnode *vp);
int mac_check_system_swapoff(struct ucred *cred, struct vnode *vp);
int mac_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
int mac_socket_check_deliver(struct socket *so, struct mbuf *m);
int mac_socket_check_listen(struct ucred *cred, struct socket *so);
int mac_socket_check_poll(struct ucred *cred, struct socket *so);
int mac_socket_check_receive(struct ucred *cred, struct socket *so);
int mac_socket_check_send(struct ucred *cred, struct socket *so);
int mac_socket_check_stat(struct ucred *cred, struct socket *so);
int mac_socket_check_visible(struct ucred *cred, struct socket *so);
int mac_system_check_acct(struct ucred *cred, struct vnode *vp);
int mac_system_check_audit(struct ucred *cred, void *record, int length);
int mac_system_check_auditctl(struct ucred *cred, struct vnode *vp);
int mac_system_check_auditon(struct ucred *cred, int cmd);
int mac_system_check_reboot(struct ucred *cred, int howto);
int mac_system_check_swapon(struct ucred *cred, struct vnode *vp);
int mac_system_check_swapoff(struct ucred *cred, struct vnode *vp);
int mac_system_check_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
void *arg1, int arg2, struct sysctl_req *req);
int mac_check_vnode_access(struct ucred *cred, struct vnode *vp,
int mac_vnode_check_access(struct ucred *cred, struct vnode *vp,
int acc_mode);
int mac_check_vnode_chdir(struct ucred *cred, struct vnode *dvp);
int mac_check_vnode_chroot(struct ucred *cred, struct vnode *dvp);
int mac_check_vnode_create(struct ucred *cred, struct vnode *dvp,
int mac_vnode_check_chdir(struct ucred *cred, struct vnode *dvp);
int mac_vnode_check_chroot(struct ucred *cred, struct vnode *dvp);
int mac_vnode_check_create(struct ucred *cred, struct vnode *dvp,
struct componentname *cnp, struct vattr *vap);
int mac_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
int mac_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp,
acl_type_t type);
int mac_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
int mac_vnode_check_deleteextattr(struct ucred *cred, struct vnode *vp,
int attrnamespace, const char *name);
int mac_check_vnode_exec(struct ucred *cred, struct vnode *vp,
int mac_vnode_check_exec(struct ucred *cred, struct vnode *vp,
struct image_params *imgp);
int mac_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
int mac_vnode_check_getacl(struct ucred *cred, struct vnode *vp,
acl_type_t type);
int mac_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
int mac_vnode_check_getextattr(struct ucred *cred, struct vnode *vp,
int attrnamespace, const char *name, struct uio *uio);
int mac_check_vnode_link(struct ucred *cred, struct vnode *dvp,
int mac_vnode_check_link(struct ucred *cred, struct vnode *dvp,
struct vnode *vp, struct componentname *cnp);
int mac_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
int mac_vnode_check_listextattr(struct ucred *cred, struct vnode *vp,
int attrnamespace);
int mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
int mac_vnode_check_lookup(struct ucred *cred, struct vnode *dvp,
struct componentname *cnp);
int mac_check_vnode_mmap(struct ucred *cred, struct vnode *vp, int prot,
int mac_vnode_check_mmap(struct ucred *cred, struct vnode *vp, int prot,
int flags);
int mac_check_vnode_mprotect(struct ucred *cred, struct vnode *vp,
int mac_vnode_check_mprotect(struct ucred *cred, struct vnode *vp,
int prot);
int mac_check_vnode_open(struct ucred *cred, struct vnode *vp,
int mac_vnode_check_open(struct ucred *cred, struct vnode *vp,
int acc_mode);
int mac_check_vnode_poll(struct ucred *active_cred,
int mac_vnode_check_poll(struct ucred *active_cred,
struct ucred *file_cred, struct vnode *vp);
int mac_check_vnode_read(struct ucred *active_cred,
int mac_vnode_check_read(struct ucred *active_cred,
struct ucred *file_cred, struct vnode *vp);
int mac_check_vnode_readdir(struct ucred *cred, struct vnode *vp);
int mac_check_vnode_readlink(struct ucred *cred, struct vnode *vp);
int mac_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
int mac_vnode_check_readdir(struct ucred *cred, struct vnode *vp);
int mac_vnode_check_readlink(struct ucred *cred, struct vnode *vp);
int mac_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp,
struct vnode *vp, struct componentname *cnp);
int mac_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
int mac_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp,
struct vnode *vp, int samedir, struct componentname *cnp);
int mac_check_vnode_revoke(struct ucred *cred, struct vnode *vp);
int mac_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
int mac_vnode_check_revoke(struct ucred *cred, struct vnode *vp);
int mac_vnode_check_setacl(struct ucred *cred, struct vnode *vp,
acl_type_t type, struct acl *acl);
int mac_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
int mac_vnode_check_setextattr(struct ucred *cred, struct vnode *vp,
int attrnamespace, const char *name, struct uio *uio);
int mac_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
int mac_vnode_check_setflags(struct ucred *cred, struct vnode *vp,
u_long flags);
int mac_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
int mac_vnode_check_setmode(struct ucred *cred, struct vnode *vp,
mode_t mode);
int mac_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
int mac_vnode_check_setowner(struct ucred *cred, struct vnode *vp,
uid_t uid, gid_t gid);
int mac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
int mac_vnode_check_setutimes(struct ucred *cred, struct vnode *vp,
struct timespec atime, struct timespec mtime);
int mac_check_vnode_stat(struct ucred *active_cred,
int mac_vnode_check_stat(struct ucred *active_cred,
struct ucred *file_cred, struct vnode *vp);
int mac_check_vnode_unlink(struct ucred *cred, struct vnode *dvp,
int mac_vnode_check_unlink(struct ucred *cred, struct vnode *dvp,
struct vnode *vp, struct componentname *cnp);
int mac_check_vnode_write(struct ucred *active_cred,
int mac_vnode_check_write(struct ucred *active_cred,
struct ucred *file_cred, struct vnode *vp);
int mac_getsockopt_label(struct ucred *cred, struct socket *so,
struct mac *extmac);
int mac_getsockopt_peerlabel(struct ucred *cred, struct socket *so,
struct mac *extmac);
int mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr,
int mac_ifnet_ioctl_get(struct ucred *cred, struct ifreq *ifr,
struct ifnet *ifp);
int mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr,
int mac_ifnet_ioctl_set(struct ucred *cred, struct ifreq *ifr,
struct ifnet *ifp);
int mac_setsockopt_label(struct ucred *cred, struct socket *so,
struct mac *extmac);


@ -2,6 +2,7 @@
* Copyright (c) 1999-2002 Robert N. M. Watson
* Copyright (c) 2001 Ilmar S. Habibulin
* Copyright (c) 2001-2004 Networks Associates Technology, Inc.
* Copyright (c) 2006 SPARTA, Inc.
* All rights reserved.
*
* This software was developed by Robert Watson and Ilmar Habibulin for the
@ -12,6 +13,9 @@
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
* as part of the DARPA CHATS research program.
*
* This software was enhanced by SPARTA ISSO under SPAWAR contract
* N66001-04-C-6019 ("SEFOS").
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@ -74,9 +78,9 @@ mac_inpcb_label_alloc(int flag)
label = mac_labelzone_alloc(flag);
if (label == NULL)
return (NULL);
MAC_CHECK(init_inpcb_label, label, flag);
MAC_CHECK(inpcb_init_label, label, flag);
if (error) {
MAC_PERFORM(destroy_inpcb_label, label);
MAC_PERFORM(inpcb_destroy_label, label);
mac_labelzone_free(label);
return (NULL);
}
@ -84,7 +88,7 @@ mac_inpcb_label_alloc(int flag)
}
int
mac_init_inpcb(struct inpcb *inp, int flag)
mac_inpcb_init(struct inpcb *inp, int flag)
{
inp->inp_label = mac_inpcb_label_alloc(flag);
@ -103,9 +107,9 @@ mac_ipq_label_alloc(int flag)
if (label == NULL)
return (NULL);
MAC_CHECK(init_ipq_label, label, flag);
MAC_CHECK(ipq_init_label, label, flag);
if (error) {
MAC_PERFORM(destroy_ipq_label, label);
MAC_PERFORM(ipq_destroy_label, label);
mac_labelzone_free(label);
return (NULL);
}
@ -113,7 +117,7 @@ mac_ipq_label_alloc(int flag)
}
int
mac_init_ipq(struct ipq *ipq, int flag)
mac_ipq_init(struct ipq *ipq, int flag)
{
ipq->ipq_label = mac_ipq_label_alloc(flag);
@ -126,12 +130,12 @@ static void
mac_inpcb_label_free(struct label *label)
{
MAC_PERFORM(destroy_inpcb_label, label);
MAC_PERFORM(inpcb_destroy_label, label);
mac_labelzone_free(label);
}
void
mac_destroy_inpcb(struct inpcb *inp)
mac_inpcb_destroy(struct inpcb *inp)
{
mac_inpcb_label_free(inp->inp_label);
@ -142,12 +146,12 @@ static void
mac_ipq_label_free(struct label *label)
{
MAC_PERFORM(destroy_ipq_label, label);
MAC_PERFORM(ipq_destroy_label, label);
mac_labelzone_free(label);
}
void
mac_destroy_ipq(struct ipq *ipq)
mac_ipq_destroy(struct ipq *ipq)
{
mac_ipq_label_free(ipq->ipq_label);
@ -155,57 +159,56 @@ mac_destroy_ipq(struct ipq *ipq)
}
void
mac_create_inpcb_from_socket(struct socket *so, struct inpcb *inp)
mac_inpcb_create(struct socket *so, struct inpcb *inp)
{
MAC_PERFORM(create_inpcb_from_socket, so, so->so_label, inp,
inp->inp_label);
MAC_PERFORM(inpcb_create, so, so->so_label, inp, inp->inp_label);
}
void
mac_create_datagram_from_ipq(struct ipq *ipq, struct mbuf *m)
mac_ipq_reassemble(struct ipq *ipq, struct mbuf *m)
{
struct label *label;
label = mac_mbuf_to_label(m);
MAC_PERFORM(create_datagram_from_ipq, ipq, ipq->ipq_label, m, label);
MAC_PERFORM(ipq_reassemble, ipq, ipq->ipq_label, m, label);
}
void
mac_create_fragment(struct mbuf *m, struct mbuf *frag)
mac_netinet_fragment(struct mbuf *m, struct mbuf *frag)
{
struct label *mlabel, *fraglabel;
mlabel = mac_mbuf_to_label(m);
fraglabel = mac_mbuf_to_label(frag);
MAC_PERFORM(create_fragment, m, mlabel, frag, fraglabel);
MAC_PERFORM(netinet_fragment, m, mlabel, frag, fraglabel);
}
void
mac_create_ipq(struct mbuf *m, struct ipq *ipq)
mac_ipq_create(struct mbuf *m, struct ipq *ipq)
{
struct label *label;
label = mac_mbuf_to_label(m);
MAC_PERFORM(create_ipq, m, label, ipq, ipq->ipq_label);
MAC_PERFORM(ipq_create, m, label, ipq, ipq->ipq_label);
}
void
mac_create_mbuf_from_inpcb(struct inpcb *inp, struct mbuf *m)
mac_inpcb_create_mbuf(struct inpcb *inp, struct mbuf *m)
{
struct label *mlabel;
INP_LOCK_ASSERT(inp);
mlabel = mac_mbuf_to_label(m);
MAC_PERFORM(create_mbuf_from_inpcb, inp, inp->inp_label, m, mlabel);
MAC_PERFORM(inpcb_create_mbuf, inp, inp->inp_label, m, mlabel);
}
int
mac_fragment_match(struct mbuf *m, struct ipq *ipq)
mac_ipq_match(struct mbuf *m, struct ipq *ipq)
{
struct label *label;
int result;
@ -213,43 +216,43 @@ mac_fragment_match(struct mbuf *m, struct ipq *ipq)
label = mac_mbuf_to_label(m);
result = 1;
MAC_BOOLEAN(fragment_match, &&, m, label, ipq, ipq->ipq_label);
MAC_BOOLEAN(ipq_match, &&, m, label, ipq, ipq->ipq_label);
return (result);
}
void
mac_reflect_mbuf_icmp(struct mbuf *m)
mac_netinet_icmp_reply(struct mbuf *m)
{
struct label *label;
label = mac_mbuf_to_label(m);
MAC_PERFORM(reflect_mbuf_icmp, m, label);
MAC_PERFORM(netinet_icmp_reply, m, label);
}
void
mac_reflect_mbuf_tcp(struct mbuf *m)
mac_netinet_tcp_reply(struct mbuf *m)
{
struct label *label;
label = mac_mbuf_to_label(m);
MAC_PERFORM(reflect_mbuf_tcp, m, label);
MAC_PERFORM(netinet_tcp_reply, m, label);
}
void
mac_update_ipq(struct mbuf *m, struct ipq *ipq)
mac_ipq_update(struct mbuf *m, struct ipq *ipq)
{
struct label *label;
label = mac_mbuf_to_label(m);
MAC_PERFORM(update_ipq, m, label, ipq, ipq->ipq_label);
MAC_PERFORM(ipq_update, m, label, ipq, ipq->ipq_label);
}
int
mac_check_inpcb_deliver(struct inpcb *inp, struct mbuf *m)
mac_inpcb_check_deliver(struct inpcb *inp, struct mbuf *m)
{
struct label *label;
int error;
@ -258,7 +261,7 @@ mac_check_inpcb_deliver(struct inpcb *inp, struct mbuf *m)
label = mac_mbuf_to_label(m);
MAC_CHECK(check_inpcb_deliver, inp, inp->inp_label, m, label);
MAC_CHECK(inpcb_check_deliver, inp, inp->inp_label, m, label);
return (error);
}
@ -273,13 +276,13 @@ mac_inpcb_sosetlabel(struct socket *so, struct inpcb *inp)
}
void
mac_create_mbuf_from_firewall(struct mbuf *m)
mac_mbuf_create_from_firewall(struct mbuf *m)
{
struct label *label;
M_ASSERTPKTHDR(m);
label = mac_mbuf_to_label(m);
MAC_PERFORM(create_mbuf_from_firewall, m, label);
MAC_PERFORM(mbuf_create_from_firewall, m, label);
}
/*


@ -3,6 +3,7 @@
* Copyright (c) 2001 Ilmar S. Habibulin
* Copyright (c) 2001-2004 Networks Associates Technology, Inc.
* Copyright (c) 2006 nCircle Network Security, Inc.
* Copyright (c) 2006 SPARTA, Inc.
* All rights reserved.
*
* This software was developed by Robert Watson and Ilmar Habibulin for the
@ -16,6 +17,9 @@
* This software was developed by Robert N. M. Watson for the TrustedBSD
* Project under contract to nCircle Network Security, Inc.
*
* This software was enhanced by SPARTA ISSO under SPAWAR contract
* N66001-04-C-6019 ("SEFOS").
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@ -118,30 +122,30 @@ void mac_pipe_label_free(struct label *label);
struct label *mac_socket_label_alloc(int flag);
void mac_socket_label_free(struct label *label);
int mac_check_cred_relabel(struct ucred *cred, struct label *newlabel);
int mac_externalize_cred_label(struct label *label, char *elements,
int mac_cred_check_relabel(struct ucred *cred, struct label *newlabel);
int mac_cred_externalize_label(struct label *label, char *elements,
char *outbuf, size_t outbuflen);
int mac_internalize_cred_label(struct label *label, char *string);
void mac_relabel_cred(struct ucred *cred, struct label *newlabel);
int mac_cred_internalize_label(struct label *label, char *string);
void mac_cred_relabel(struct ucred *cred, struct label *newlabel);
struct label *mac_mbuf_to_label(struct mbuf *m);
void mac_copy_pipe_label(struct label *src, struct label *dest);
int mac_externalize_pipe_label(struct label *label, char *elements,
void mac_pipe_copy_label(struct label *src, struct label *dest);
int mac_pipe_externalize_label(struct label *label, char *elements,
char *outbuf, size_t outbuflen);
int mac_internalize_pipe_label(struct label *label, char *string);
int mac_pipe_internalize_label(struct label *label, char *string);
int mac_socket_label_set(struct ucred *cred, struct socket *so,
struct label *label);
void mac_copy_socket_label(struct label *src, struct label *dest);
int mac_externalize_socket_label(struct label *label, char *elements,
void mac_socket_copy_label(struct label *src, struct label *dest);
int mac_socket_externalize_label(struct label *label, char *elements,
char *outbuf, size_t outbuflen);
int mac_internalize_socket_label(struct label *label, char *string);
int mac_socket_internalize_label(struct label *label, char *string);
int mac_externalize_vnode_label(struct label *label, char *elements,
int mac_vnode_externalize_label(struct label *label, char *elements,
char *outbuf, size_t outbuflen);
int mac_internalize_vnode_label(struct label *label, char *string);
void mac_check_vnode_mmap_downgrade(struct ucred *cred, struct vnode *vp,
int mac_vnode_internalize_label(struct label *label, char *string);
void mac_vnode_check_mmap_downgrade(struct ucred *cred, struct vnode *vp,
int *prot);
int vn_setlabel(struct vnode *vp, struct label *intlabel,
struct ucred *cred);
@ -263,7 +267,7 @@ int vn_setlabel(struct vnode *vp, struct label *intlabel,
break; \
} \
claimed = 0; \
MAC_CHECK(externalize_ ## type ## _label, label, \
MAC_CHECK(type ## _externalize_label, label, \
element_name, &sb, &claimed); \
if (error) \
break; \
@ -299,7 +303,7 @@ int vn_setlabel(struct vnode *vp, struct label *intlabel,
break; \
} \
claimed = 0; \
MAC_CHECK(internalize_ ## type ## _label, label, \
MAC_CHECK(type ## _internalize_label, label, \
element_name, element_data, &claimed); \
if (error) \
break; \


@ -2,11 +2,15 @@
* Copyright (c) 1999-2002 Robert N. M. Watson
* Copyright (c) 2001 Ilmar S. Habibulin
* Copyright (c) 2001-2004 Networks Associates Technology, Inc.
* Copyright (c) 2006 SPARTA, Inc.
* All rights reserved.
*
* This software was developed by Robert Watson and Ilmar Habibulin for the
* TrustedBSD Project.
*
* This software was enhanced by SPARTA ISSO under SPAWAR contract
* N66001-04-C-6019 ("SEFOS").
*
* This software was developed for the FreeBSD Project in part by Network
* Associates Laboratories, the Security Research Division of Network
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
@ -102,12 +106,12 @@ mac_bpfdesc_label_alloc(void)
struct label *label;
label = mac_labelzone_alloc(M_WAITOK);
MAC_PERFORM(init_bpfdesc_label, label);
MAC_PERFORM(bpfdesc_init_label, label);
return (label);
}
void
mac_init_bpfdesc(struct bpf_d *d)
mac_bpfdesc_init(struct bpf_d *d)
{
d->bd_label = mac_bpfdesc_label_alloc();
@ -119,19 +123,19 @@ mac_ifnet_label_alloc(void)
struct label *label;
label = mac_labelzone_alloc(M_WAITOK);
MAC_PERFORM(init_ifnet_label, label);
MAC_PERFORM(ifnet_init_label, label);
return (label);
}
void
mac_init_ifnet(struct ifnet *ifp)
mac_ifnet_init(struct ifnet *ifp)
{
ifp->if_label = mac_ifnet_label_alloc();
}
int
mac_init_mbuf_tag(struct m_tag *tag, int flag)
mac_mbuf_tag_init(struct m_tag *tag, int flag)
{
struct label *label;
int error;
@ -139,16 +143,16 @@ mac_init_mbuf_tag(struct m_tag *tag, int flag)
label = (struct label *) (tag + 1);
mac_init_label(label);
MAC_CHECK(init_mbuf_label, label, flag);
MAC_CHECK(mbuf_init_label, label, flag);
if (error) {
MAC_PERFORM(destroy_mbuf_label, label);
MAC_PERFORM(mbuf_destroy_label, label);
mac_destroy_label(label);
}
return (error);
}
int
mac_init_mbuf(struct mbuf *m, int flag)
mac_mbuf_init(struct mbuf *m, int flag)
{
struct m_tag *tag;
int error;
@ -167,7 +171,7 @@ mac_init_mbuf(struct mbuf *m, int flag)
flag);
if (tag == NULL)
return (ENOMEM);
error = mac_init_mbuf_tag(tag, flag);
error = mac_mbuf_tag_init(tag, flag);
if (error) {
m_tag_free(tag);
return (error);
@ -180,12 +184,12 @@ static void
mac_bpfdesc_label_free(struct label *label)
{
MAC_PERFORM(destroy_bpfdesc_label, label);
MAC_PERFORM(bpfdesc_destroy_label, label);
mac_labelzone_free(label);
}
void
mac_destroy_bpfdesc(struct bpf_d *d)
mac_bpfdesc_destroy(struct bpf_d *d)
{
mac_bpfdesc_label_free(d->bd_label);
@ -196,12 +200,12 @@ static void
mac_ifnet_label_free(struct label *label)
{
MAC_PERFORM(destroy_ifnet_label, label);
MAC_PERFORM(ifnet_destroy_label, label);
mac_labelzone_free(label);
}
void
mac_destroy_ifnet(struct ifnet *ifp)
mac_ifnet_destroy(struct ifnet *ifp)
{
mac_ifnet_label_free(ifp->if_label);
@ -209,22 +213,22 @@ mac_destroy_ifnet(struct ifnet *ifp)
}
void
mac_destroy_mbuf_tag(struct m_tag *tag)
mac_mbuf_tag_destroy(struct m_tag *tag)
{
struct label *label;
label = (struct label *)(tag+1);
MAC_PERFORM(destroy_mbuf_label, label);
MAC_PERFORM(mbuf_destroy_label, label);
mac_destroy_label(label);
}
/*
* mac_copy_mbuf_tag is called when an mbuf header is duplicated, in which
* mac_mbuf_tag_copy is called when an mbuf header is duplicated, in which
* case the labels must also be duplicated.
*/
void
mac_copy_mbuf_tag(struct m_tag *src, struct m_tag *dest)
mac_mbuf_tag_copy(struct m_tag *src, struct m_tag *dest)
{
struct label *src_label, *dest_label;
@ -232,32 +236,32 @@ mac_copy_mbuf_tag(struct m_tag *src, struct m_tag *dest)
dest_label = (struct label *)(dest+1);
/*
* mac_init_mbuf_tag() is called on the target tag in m_tag_copy(),
* mac_mbuf_tag_init() is called on the target tag in m_tag_copy(),
* so we don't need to call it here.
*/
MAC_PERFORM(copy_mbuf_label, src_label, dest_label);
MAC_PERFORM(mbuf_copy_label, src_label, dest_label);
}
void
mac_copy_mbuf(struct mbuf *m_from, struct mbuf *m_to)
mac_mbuf_copy(struct mbuf *m_from, struct mbuf *m_to)
{
struct label *src_label, *dest_label;
src_label = mac_mbuf_to_label(m_from);
dest_label = mac_mbuf_to_label(m_to);
MAC_PERFORM(copy_mbuf_label, src_label, dest_label);
MAC_PERFORM(mbuf_copy_label, src_label, dest_label);
}
static void
mac_copy_ifnet_label(struct label *src, struct label *dest)
mac_ifnet_copy_label(struct label *src, struct label *dest)
{
MAC_PERFORM(copy_ifnet_label, src, dest);
MAC_PERFORM(ifnet_copy_label, src, dest);
}
static int
mac_externalize_ifnet_label(struct label *label, char *elements,
mac_ifnet_externalize_label(struct label *label, char *elements,
char *outbuf, size_t outbuflen)
{
int error;
@ -268,7 +272,7 @@ mac_externalize_ifnet_label(struct label *label, char *elements,
}
static int
mac_internalize_ifnet_label(struct label *label, char *string)
mac_ifnet_internalize_label(struct label *label, char *string)
{
int error;
@ -278,23 +282,23 @@ mac_internalize_ifnet_label(struct label *label, char *string)
}
void
mac_create_ifnet(struct ifnet *ifp)
mac_ifnet_create(struct ifnet *ifp)
{
MAC_IFNET_LOCK(ifp);
MAC_PERFORM(create_ifnet, ifp, ifp->if_label);
MAC_PERFORM(ifnet_create, ifp, ifp->if_label);
MAC_IFNET_UNLOCK(ifp);
}
void
mac_create_bpfdesc(struct ucred *cred, struct bpf_d *d)
mac_bpfdesc_create(struct ucred *cred, struct bpf_d *d)
{
MAC_PERFORM(create_bpfdesc, cred, d, d->bd_label);
MAC_PERFORM(bpfdesc_create, cred, d, d->bd_label);
}
void
mac_create_mbuf_from_bpfdesc(struct bpf_d *d, struct mbuf *m)
mac_bpfdesc_create_mbuf(struct bpf_d *d, struct mbuf *m)
{
struct label *label;
@ -302,7 +306,7 @@ mac_create_mbuf_from_bpfdesc(struct bpf_d *d, struct mbuf *m)
label = mac_mbuf_to_label(m);
MAC_PERFORM(create_mbuf_from_bpfdesc, d, d->bd_label, m, label);
MAC_PERFORM(bpfdesc_create_mbuf, d, d->bd_label, m, label);
}
void
@ -318,19 +322,19 @@ mac_create_mbuf_linklayer(struct ifnet *ifp, struct mbuf *m)
}
void
mac_create_mbuf_from_ifnet(struct ifnet *ifp, struct mbuf *m)
mac_ifnet_create_mbuf(struct ifnet *ifp, struct mbuf *m)
{
struct label *label;
label = mac_mbuf_to_label(m);
MAC_IFNET_LOCK(ifp);
MAC_PERFORM(create_mbuf_from_ifnet, ifp, ifp->if_label, m, label);
MAC_PERFORM(ifnet_create_mbuf, ifp, ifp->if_label, m, label);
MAC_IFNET_UNLOCK(ifp);
}
void
mac_create_mbuf_multicast_encap(struct mbuf *m, struct ifnet *ifp,
mac_mbuf_create_multicast_encap(struct mbuf *m, struct ifnet *ifp,
struct mbuf *mnew)
{
struct label *mlabel, *mnewlabel;
@ -339,38 +343,38 @@ mac_create_mbuf_multicast_encap(struct mbuf *m, struct ifnet *ifp,
mnewlabel = mac_mbuf_to_label(mnew);
MAC_IFNET_LOCK(ifp);
MAC_PERFORM(create_mbuf_multicast_encap, m, mlabel, ifp,
MAC_PERFORM(mbuf_create_multicast_encap, m, mlabel, ifp,
ifp->if_label, mnew, mnewlabel);
MAC_IFNET_UNLOCK(ifp);
}
void
mac_create_mbuf_netlayer(struct mbuf *m, struct mbuf *mnew)
mac_mbuf_create_netlayer(struct mbuf *m, struct mbuf *mnew)
{
struct label *mlabel, *mnewlabel;
mlabel = mac_mbuf_to_label(m);
mnewlabel = mac_mbuf_to_label(mnew);
MAC_PERFORM(create_mbuf_netlayer, m, mlabel, mnew, mnewlabel);
MAC_PERFORM(mbuf_create_netlayer, m, mlabel, mnew, mnewlabel);
}
int
mac_check_bpfdesc_receive(struct bpf_d *d, struct ifnet *ifp)
mac_bpfdesc_check_receive(struct bpf_d *d, struct ifnet *ifp)
{
int error;
BPFD_LOCK_ASSERT(d);
MAC_IFNET_LOCK(ifp);
MAC_CHECK(check_bpfdesc_receive, d, d->bd_label, ifp, ifp->if_label);
MAC_CHECK(bpfdesc_check_receive, d, d->bd_label, ifp, ifp->if_label);
MAC_IFNET_UNLOCK(ifp);
return (error);
}
int
mac_check_ifnet_transmit(struct ifnet *ifp, struct mbuf *m)
mac_ifnet_check_transmit(struct ifnet *ifp, struct mbuf *m)
{
struct label *label;
int error;
@ -380,14 +384,14 @@ mac_check_ifnet_transmit(struct ifnet *ifp, struct mbuf *m)
label = mac_mbuf_to_label(m);
MAC_IFNET_LOCK(ifp);
MAC_CHECK(check_ifnet_transmit, ifp, ifp->if_label, m, label);
MAC_CHECK(ifnet_check_transmit, ifp, ifp->if_label, m, label);
MAC_IFNET_UNLOCK(ifp);
return (error);
}
int
mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr,
mac_ifnet_ioctl_get(struct ucred *cred, struct ifreq *ifr,
struct ifnet *ifp)
{
char *elements, *buffer;
@ -413,9 +417,9 @@ mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr,
buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
intlabel = mac_ifnet_label_alloc();
MAC_IFNET_LOCK(ifp);
mac_copy_ifnet_label(ifp->if_label, intlabel);
mac_ifnet_copy_label(ifp->if_label, intlabel);
MAC_IFNET_UNLOCK(ifp);
error = mac_externalize_ifnet_label(intlabel, elements, buffer,
error = mac_ifnet_externalize_label(intlabel, elements, buffer,
mac.m_buflen);
mac_ifnet_label_free(intlabel);
if (error == 0)
@ -428,7 +432,7 @@ mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr,
}
int
mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr, struct ifnet *ifp)
mac_ifnet_ioctl_set(struct ucred *cred, struct ifreq *ifr, struct ifnet *ifp)
{
struct label *intlabel;
struct mac mac;
@ -451,7 +455,7 @@ mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr, struct ifnet *ifp)
}
intlabel = mac_ifnet_label_alloc();
error = mac_internalize_ifnet_label(intlabel, buffer);
error = mac_ifnet_internalize_label(intlabel, buffer);
free(buffer, M_MACTEMP);
if (error) {
mac_ifnet_label_free(intlabel);
@ -470,14 +474,14 @@ mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr, struct ifnet *ifp)
}
MAC_IFNET_LOCK(ifp);
MAC_CHECK(check_ifnet_relabel, cred, ifp, ifp->if_label, intlabel);
MAC_CHECK(ifnet_check_relabel, cred, ifp, ifp->if_label, intlabel);
if (error) {
MAC_IFNET_UNLOCK(ifp);
mac_ifnet_label_free(intlabel);
return (error);
}
MAC_PERFORM(relabel_ifnet, cred, ifp, ifp->if_label, intlabel);
MAC_PERFORM(ifnet_relabel, cred, ifp, ifp->if_label, intlabel);
MAC_IFNET_UNLOCK(ifp);
mac_ifnet_label_free(intlabel);


@ -1,5 +1,6 @@
/*-
* Copyright (c) 2002-2003 Networks Associates Technology, Inc.
* Copyright (c) 2006 SPARTA, Inc.
* All rights reserved.
*
* This software was developed for the FreeBSD Project in part by Network
@ -7,6 +8,9 @@
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
* as part of the DARPA CHATS research program.
*
* This software was enhanced by SPARTA ISSO under SPAWAR contract
* N66001-04-C-6019 ("SEFOS").
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@ -56,12 +60,12 @@ mac_pipe_label_alloc(void)
struct label *label;
label = mac_labelzone_alloc(M_WAITOK);
MAC_PERFORM(init_pipe_label, label);
MAC_PERFORM(pipe_init_label, label);
return (label);
}
void
mac_init_pipe(struct pipepair *pp)
mac_pipe_init(struct pipepair *pp)
{
pp->pp_label = mac_pipe_label_alloc();
@ -71,12 +75,12 @@ void
mac_pipe_label_free(struct label *label)
{
MAC_PERFORM(destroy_pipe_label, label);
MAC_PERFORM(pipe_destroy_label, label);
mac_labelzone_free(label);
}
void
mac_destroy_pipe(struct pipepair *pp)
mac_pipe_destroy(struct pipepair *pp)
{
mac_pipe_label_free(pp->pp_label);
@ -84,14 +88,14 @@ mac_destroy_pipe(struct pipepair *pp)
}
void
mac_copy_pipe_label(struct label *src, struct label *dest)
mac_pipe_copy_label(struct label *src, struct label *dest)
{
MAC_PERFORM(copy_pipe_label, src, dest);
MAC_PERFORM(pipe_copy_label, src, dest);
}
int
mac_externalize_pipe_label(struct label *label, char *elements,
mac_pipe_externalize_label(struct label *label, char *elements,
char *outbuf, size_t outbuflen)
{
int error;
@ -102,7 +106,7 @@ mac_externalize_pipe_label(struct label *label, char *elements,
}
int
mac_internalize_pipe_label(struct label *label, char *string)
mac_pipe_internalize_label(struct label *label, char *string)
{
int error;
@ -112,90 +116,90 @@ mac_internalize_pipe_label(struct label *label, char *string)
}
void
mac_create_pipe(struct ucred *cred, struct pipepair *pp)
mac_pipe_create(struct ucred *cred, struct pipepair *pp)
{
MAC_PERFORM(create_pipe, cred, pp, pp->pp_label);
MAC_PERFORM(pipe_create, cred, pp, pp->pp_label);
}
static void
mac_relabel_pipe(struct ucred *cred, struct pipepair *pp,
mac_pipe_relabel(struct ucred *cred, struct pipepair *pp,
struct label *newlabel)
{
MAC_PERFORM(relabel_pipe, cred, pp, pp->pp_label, newlabel);
MAC_PERFORM(pipe_relabel, cred, pp, pp->pp_label, newlabel);
}
int
mac_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp,
mac_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp,
unsigned long cmd, void *data)
{
int error;
mtx_assert(&pp->pp_mtx, MA_OWNED);
MAC_CHECK(check_pipe_ioctl, cred, pp, pp->pp_label, cmd, data);
MAC_CHECK(pipe_check_ioctl, cred, pp, pp->pp_label, cmd, data);
return (error);
}
int
mac_check_pipe_poll(struct ucred *cred, struct pipepair *pp)
mac_pipe_check_poll(struct ucred *cred, struct pipepair *pp)
{
int error;
mtx_assert(&pp->pp_mtx, MA_OWNED);
MAC_CHECK(check_pipe_poll, cred, pp, pp->pp_label);
MAC_CHECK(pipe_check_poll, cred, pp, pp->pp_label);
return (error);
}
int
mac_check_pipe_read(struct ucred *cred, struct pipepair *pp)
mac_pipe_check_read(struct ucred *cred, struct pipepair *pp)
{
int error;
mtx_assert(&pp->pp_mtx, MA_OWNED);
MAC_CHECK(check_pipe_read, cred, pp, pp->pp_label);
MAC_CHECK(pipe_check_read, cred, pp, pp->pp_label);
return (error);
}
static int
mac_check_pipe_relabel(struct ucred *cred, struct pipepair *pp,
mac_pipe_check_relabel(struct ucred *cred, struct pipepair *pp,
struct label *newlabel)
{
int error;
mtx_assert(&pp->pp_mtx, MA_OWNED);
MAC_CHECK(check_pipe_relabel, cred, pp, pp->pp_label, newlabel);
MAC_CHECK(pipe_check_relabel, cred, pp, pp->pp_label, newlabel);
return (error);
}
int
mac_check_pipe_stat(struct ucred *cred, struct pipepair *pp)
mac_pipe_check_stat(struct ucred *cred, struct pipepair *pp)
{
int error;
mtx_assert(&pp->pp_mtx, MA_OWNED);
MAC_CHECK(check_pipe_stat, cred, pp, pp->pp_label);
MAC_CHECK(pipe_check_stat, cred, pp, pp->pp_label);
return (error);
}
int
mac_check_pipe_write(struct ucred *cred, struct pipepair *pp)
mac_pipe_check_write(struct ucred *cred, struct pipepair *pp)
{
int error;
mtx_assert(&pp->pp_mtx, MA_OWNED);
MAC_CHECK(check_pipe_write, cred, pp, pp->pp_label);
MAC_CHECK(pipe_check_write, cred, pp, pp->pp_label);
return (error);
}
@ -208,11 +212,11 @@ mac_pipe_label_set(struct ucred *cred, struct pipepair *pp,
mtx_assert(&pp->pp_mtx, MA_OWNED);
error = mac_check_pipe_relabel(cred, pp, label);
error = mac_pipe_check_relabel(cred, pp, label);
if (error)
return (error);
mac_relabel_pipe(cred, pp, label);
mac_pipe_relabel(cred, pp, label);
return (0);
}



@ -1,5 +1,5 @@
/*-
* Copyright (c) 2003-2005 SPARTA, Inc.
* Copyright (c) 2003-2006 SPARTA, Inc.
* All rights reserved.
*
* This software was developed for the FreeBSD Project in part by Network
@ -7,6 +7,9 @@
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
* as part of the DARPA CHATS research program.
*
* This software was enhanced by SPARTA ISSO under SPAWAR contract
* N66001-04-C-6019 ("SEFOS").
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@ -48,100 +51,100 @@ __FBSDID("$FreeBSD$");
#include <security/mac/mac_policy.h>
static struct label *
mac_posix_sem_label_alloc(void)
mac_posixsem_label_alloc(void)
{
struct label *label;
label = mac_labelzone_alloc(M_WAITOK);
MAC_PERFORM(init_posix_sem_label, label);
MAC_PERFORM(posixsem_init_label, label);
return (label);
}
void
mac_init_posix_sem(struct ksem *ks)
mac_posixsem_init(struct ksem *ks)
{
ks->ks_label = mac_posix_sem_label_alloc();
ks->ks_label = mac_posixsem_label_alloc();
}
static void
mac_posix_sem_label_free(struct label *label)
mac_posixsem_label_free(struct label *label)
{
MAC_PERFORM(destroy_posix_sem_label, label);
MAC_PERFORM(posixsem_destroy_label, label);
}
void
mac_destroy_posix_sem(struct ksem *ks)
mac_posixsem_destroy(struct ksem *ks)
{
mac_posix_sem_label_free(ks->ks_label);
mac_posixsem_label_free(ks->ks_label);
ks->ks_label = NULL;
}
void
mac_create_posix_sem(struct ucred *cred, struct ksem *ks)
mac_posixsem_create(struct ucred *cred, struct ksem *ks)
{
MAC_PERFORM(create_posix_sem, cred, ks, ks->ks_label);
MAC_PERFORM(posixsem_create, cred, ks, ks->ks_label);
}
int
mac_check_posix_sem_destroy(struct ucred *cred, struct ksem *ks)
mac_posixsem_check_destroy(struct ucred *cred, struct ksem *ks)
{
int error;
MAC_CHECK(check_posix_sem_destroy, cred, ks, ks->ks_label);
MAC_CHECK(posixsem_check_destroy, cred, ks, ks->ks_label);
return (error);
}
int
mac_check_posix_sem_open(struct ucred *cred, struct ksem *ks)
mac_posixsem_check_open(struct ucred *cred, struct ksem *ks)
{
int error;
MAC_CHECK(check_posix_sem_open, cred, ks, ks->ks_label);
MAC_CHECK(posixsem_check_open, cred, ks, ks->ks_label);
return (error);
}
int
mac_check_posix_sem_getvalue(struct ucred *cred, struct ksem *ks)
mac_posixsem_check_getvalue(struct ucred *cred, struct ksem *ks)
{
int error;
MAC_CHECK(check_posix_sem_getvalue, cred, ks, ks->ks_label);
MAC_CHECK(posixsem_check_getvalue, cred, ks, ks->ks_label);
return (error);
}
int
mac_check_posix_sem_post(struct ucred *cred, struct ksem *ks)
mac_posixsem_check_post(struct ucred *cred, struct ksem *ks)
{
int error;
MAC_CHECK(check_posix_sem_post, cred, ks, ks->ks_label);
MAC_CHECK(posixsem_check_post, cred, ks, ks->ks_label);
return (error);
}
int
mac_check_posix_sem_unlink(struct ucred *cred, struct ksem *ks)
mac_posixsem_check_unlink(struct ucred *cred, struct ksem *ks)
{
int error;
MAC_CHECK(check_posix_sem_unlink, cred, ks, ks->ks_label);
MAC_CHECK(posixsem_check_unlink, cred, ks, ks->ks_label);
return (error);
}
int
mac_check_posix_sem_wait(struct ucred *cred, struct ksem *ks)
mac_posixsem_check_wait(struct ucred *cred, struct ksem *ks)
{
int error;
MAC_CHECK(check_posix_sem_wait, cred, ks, ks->ks_label);
MAC_CHECK(posixsem_check_wait, cred, ks, ks->ks_label);
return (error);
}


@ -3,6 +3,7 @@
* Copyright (c) 2001 Ilmar S. Habibulin
* Copyright (c) 2001-2003 Networks Associates Technology, Inc.
* Copyright (c) 2005 Samy Al Bahra
* Copyright (c) 2006 SPARTA, Inc.
* All rights reserved.
*
* This software was developed by Robert Watson and Ilmar Habibulin for the
@ -13,6 +14,9 @@
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
* as part of the DARPA CHATS research program.
*
* This software was enhanced by SPARTA ISSO under SPAWAR contract
* N66001-04-C-6019 ("SEFOS").
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@ -85,12 +89,12 @@ mac_cred_label_alloc(void)
struct label *label;
label = mac_labelzone_alloc(M_WAITOK);
MAC_PERFORM(init_cred_label, label);
MAC_PERFORM(cred_init_label, label);
return (label);
}
void
mac_init_cred(struct ucred *cred)
mac_cred_init(struct ucred *cred)
{
cred->cr_label = mac_cred_label_alloc();
@ -102,12 +106,12 @@ mac_proc_label_alloc(void)
struct label *label;
label = mac_labelzone_alloc(M_WAITOK);
MAC_PERFORM(init_proc_label, label);
MAC_PERFORM(proc_init_label, label);
return (label);
}
void
mac_init_proc(struct proc *p)
mac_proc_init(struct proc *p)
{
p->p_label = mac_proc_label_alloc();
@ -117,12 +121,12 @@ void
mac_cred_label_free(struct label *label)
{
MAC_PERFORM(destroy_cred_label, label);
MAC_PERFORM(cred_destroy_label, label);
mac_labelzone_free(label);
}
void
mac_destroy_cred(struct ucred *cred)
mac_cred_destroy(struct ucred *cred)
{
mac_cred_label_free(cred->cr_label);
@ -133,12 +137,12 @@ static void
mac_proc_label_free(struct label *label)
{
MAC_PERFORM(destroy_proc_label, label);
MAC_PERFORM(proc_destroy_label, label);
mac_labelzone_free(label);
}
void
mac_destroy_proc(struct proc *p)
mac_proc_destroy(struct proc *p)
{
mac_proc_label_free(p->p_label);
@ -146,7 +150,7 @@ mac_destroy_proc(struct proc *p)
}
int
mac_externalize_cred_label(struct label *label, char *elements,
mac_cred_externalize_label(struct label *label, char *elements,
char *outbuf, size_t outbuflen)
{
int error;
@ -157,7 +161,7 @@ mac_externalize_cred_label(struct label *label, char *elements,
}
int
mac_internalize_cred_label(struct label *label, char *string)
mac_cred_internalize_label(struct label *label, char *string)
{
int error;
@ -171,10 +175,10 @@ mac_internalize_cred_label(struct label *label, char *string)
* processes and threads are spawned.
*/
void
mac_create_proc0(struct ucred *cred)
mac_proc_create_swapper(struct ucred *cred)
{
MAC_PERFORM(create_proc0, cred);
MAC_PERFORM(proc_create_swapper, cred);
}
/*
@ -182,10 +186,10 @@ mac_create_proc0(struct ucred *cred)
* userland processes and threads are spawned.
*/
void
mac_create_proc1(struct ucred *cred)
mac_proc_create_init(struct ucred *cred)
{
MAC_PERFORM(create_proc1, cred);
MAC_PERFORM(proc_create_init, cred);
}
void
@ -201,10 +205,10 @@ mac_thread_userret(struct thread *td)
* This function allows that processing to take place.
*/
void
mac_copy_cred(struct ucred *src, struct ucred *dest)
mac_cred_copy(struct ucred *src, struct ucred *dest)
{
MAC_PERFORM(copy_cred_label, src->cr_label, dest->cr_label);
MAC_PERFORM(cred_copy_label, src->cr_label, dest->cr_label);
}
int
@ -234,7 +238,7 @@ mac_execve_enter(struct image_params *imgp, struct mac *mac_p)
}
label = mac_cred_label_alloc();
error = mac_internalize_cred_label(label, buffer);
error = mac_cred_internalize_label(label, buffer);
free(buffer, M_MACTEMP);
if (error) {
mac_cred_label_free(label);
@ -347,7 +351,7 @@ mac_cred_mmapped_drop_perms_recurse(struct thread *td, struct ucred *cred,
vfslocked = VFS_LOCK_GIANT(vp->v_mount);
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
result = vme->max_protection;
mac_check_vnode_mmap_downgrade(cred, vp, &result);
mac_vnode_check_mmap_downgrade(cred, vp, &result);
VOP_UNLOCK(vp, 0, td);
/*
* Find out what maximum protection we may be allowing now
@ -429,185 +433,185 @@ mac_cred_mmapped_drop_perms_recurse(struct thread *td, struct ucred *cred,
* buffer cache.
*/
void
mac_relabel_cred(struct ucred *cred, struct label *newlabel)
mac_cred_relabel(struct ucred *cred, struct label *newlabel)
{
MAC_PERFORM(relabel_cred, cred, newlabel);
MAC_PERFORM(cred_relabel, cred, newlabel);
}
int
mac_check_cred_relabel(struct ucred *cred, struct label *newlabel)
mac_cred_check_relabel(struct ucred *cred, struct label *newlabel)
{
int error;
MAC_CHECK(check_cred_relabel, cred, newlabel);
MAC_CHECK(cred_check_relabel, cred, newlabel);
return (error);
}
int
mac_check_cred_visible(struct ucred *cr1, struct ucred *cr2)
mac_cred_check_visible(struct ucred *cr1, struct ucred *cr2)
{
int error;
MAC_CHECK(check_cred_visible, cr1, cr2);
MAC_CHECK(cred_check_visible, cr1, cr2);
return (error);
}
int
mac_check_proc_debug(struct ucred *cred, struct proc *p)
mac_proc_check_debug(struct ucred *cred, struct proc *p)
{
int error;
PROC_LOCK_ASSERT(p, MA_OWNED);
MAC_CHECK(check_proc_debug, cred, p);
MAC_CHECK(proc_check_debug, cred, p);
return (error);
}
int
mac_check_proc_sched(struct ucred *cred, struct proc *p)
mac_proc_check_sched(struct ucred *cred, struct proc *p)
{
int error;
PROC_LOCK_ASSERT(p, MA_OWNED);
MAC_CHECK(check_proc_sched, cred, p);
MAC_CHECK(proc_check_sched, cred, p);
return (error);
}
int
mac_check_proc_signal(struct ucred *cred, struct proc *p, int signum)
mac_proc_check_signal(struct ucred *cred, struct proc *p, int signum)
{
int error;
PROC_LOCK_ASSERT(p, MA_OWNED);
MAC_CHECK(check_proc_signal, cred, p, signum);
MAC_CHECK(proc_check_signal, cred, p, signum);
return (error);
}
int
mac_check_proc_setuid(struct proc *p, struct ucred *cred, uid_t uid)
mac_proc_check_setuid(struct proc *p, struct ucred *cred, uid_t uid)
{
int error;
PROC_LOCK_ASSERT(p, MA_OWNED);
MAC_CHECK(check_proc_setuid, cred, uid);
MAC_CHECK(proc_check_setuid, cred, uid);
return (error);
}
int
mac_check_proc_seteuid(struct proc *p, struct ucred *cred, uid_t euid)
mac_proc_check_seteuid(struct proc *p, struct ucred *cred, uid_t euid)
{
int error;
PROC_LOCK_ASSERT(p, MA_OWNED);
MAC_CHECK(check_proc_seteuid, cred, euid);
MAC_CHECK(proc_check_seteuid, cred, euid);
return (error);
}
int
mac_check_proc_setgid(struct proc *p, struct ucred *cred, gid_t gid)
mac_proc_check_setgid(struct proc *p, struct ucred *cred, gid_t gid)
{
int error;
PROC_LOCK_ASSERT(p, MA_OWNED);
MAC_CHECK(check_proc_setgid, cred, gid);
MAC_CHECK(proc_check_setgid, cred, gid);
return (error);
}
int
mac_check_proc_setegid(struct proc *p, struct ucred *cred, gid_t egid)
mac_proc_check_setegid(struct proc *p, struct ucred *cred, gid_t egid)
{
int error;
PROC_LOCK_ASSERT(p, MA_OWNED);
MAC_CHECK(check_proc_setegid, cred, egid);
MAC_CHECK(proc_check_setegid, cred, egid);
return (error);
}
int
mac_check_proc_setgroups(struct proc *p, struct ucred *cred, int ngroups,
mac_proc_check_setgroups(struct proc *p, struct ucred *cred, int ngroups,
gid_t *gidset)
{
int error;
PROC_LOCK_ASSERT(p, MA_OWNED);
MAC_CHECK(check_proc_setgroups, cred, ngroups, gidset);
MAC_CHECK(proc_check_setgroups, cred, ngroups, gidset);
return (error);
}
int
mac_check_proc_setreuid(struct proc *p, struct ucred *cred, uid_t ruid,
mac_proc_check_setreuid(struct proc *p, struct ucred *cred, uid_t ruid,
uid_t euid)
{
int error;
PROC_LOCK_ASSERT(p, MA_OWNED);
MAC_CHECK(check_proc_setreuid, cred, ruid, euid);
MAC_CHECK(proc_check_setreuid, cred, ruid, euid);
return (error);
}
int
mac_check_proc_setregid(struct proc *proc, struct ucred *cred, gid_t rgid,
mac_proc_check_setregid(struct proc *proc, struct ucred *cred, gid_t rgid,
gid_t egid)
{
int error;
PROC_LOCK_ASSERT(proc, MA_OWNED);
MAC_CHECK(check_proc_setregid, cred, rgid, egid);
MAC_CHECK(proc_check_setregid, cred, rgid, egid);
return (error);
}
int
mac_check_proc_setresuid(struct proc *p, struct ucred *cred, uid_t ruid,
mac_proc_check_setresuid(struct proc *p, struct ucred *cred, uid_t ruid,
uid_t euid, uid_t suid)
{
int error;
PROC_LOCK_ASSERT(p, MA_OWNED);
MAC_CHECK(check_proc_setresuid, cred, ruid, euid, suid);
MAC_CHECK(proc_check_setresuid, cred, ruid, euid, suid);
return (error);
}
int
mac_check_proc_setresgid(struct proc *p, struct ucred *cred, gid_t rgid,
mac_proc_check_setresgid(struct proc *p, struct ucred *cred, gid_t rgid,
gid_t egid, gid_t sgid)
{
int error;
PROC_LOCK_ASSERT(p, MA_OWNED);
MAC_CHECK(check_proc_setresgid, cred, rgid, egid, sgid);
MAC_CHECK(proc_check_setresgid, cred, rgid, egid, sgid);
return (error);
}
int
mac_check_proc_wait(struct ucred *cred, struct proc *p)
mac_proc_check_wait(struct ucred *cred, struct proc *p)
{
int error;
PROC_LOCK_ASSERT(p, MA_OWNED);
MAC_CHECK(check_proc_wait, cred, p);
MAC_CHECK(proc_check_wait, cred, p);
return (error);
}


@ -2,7 +2,7 @@
* Copyright (c) 1999-2002 Robert N. M. Watson
* Copyright (c) 2001 Ilmar S. Habibulin
* Copyright (c) 2001-2005 Networks Associates Technology, Inc.
* Copyright (c) 2005 SPARTA, Inc.
* Copyright (c) 2005-2006 SPARTA, Inc.
* All rights reserved.
*
* This software was developed by Robert Watson and Ilmar Habibulin for the
@ -94,9 +94,9 @@ mac_socket_label_alloc(int flag)
if (label == NULL)
return (NULL);
MAC_CHECK(init_socket_label, label, flag);
MAC_CHECK(socket_init_label, label, flag);
if (error) {
MAC_PERFORM(destroy_socket_label, label);
MAC_PERFORM(socket_destroy_label, label);
mac_labelzone_free(label);
return (NULL);
}
@ -104,7 +104,7 @@ mac_socket_label_alloc(int flag)
}
static struct label *
mac_socket_peer_label_alloc(int flag)
mac_socketpeer_label_alloc(int flag)
{
struct label *label;
int error;
@ -113,9 +113,9 @@ mac_socket_peer_label_alloc(int flag)
if (label == NULL)
return (NULL);
MAC_CHECK(init_socket_peer_label, label, flag);
MAC_CHECK(socketpeer_init_label, label, flag);
if (error) {
MAC_PERFORM(destroy_socket_peer_label, label);
MAC_PERFORM(socketpeer_destroy_label, label);
mac_labelzone_free(label);
return (NULL);
}
@ -123,13 +123,13 @@ mac_socket_peer_label_alloc(int flag)
}
int
mac_init_socket(struct socket *so, int flag)
mac_socket_init(struct socket *so, int flag)
{
so->so_label = mac_socket_label_alloc(flag);
if (so->so_label == NULL)
return (ENOMEM);
so->so_peerlabel = mac_socket_peer_label_alloc(flag);
so->so_peerlabel = mac_socketpeer_label_alloc(flag);
if (so->so_peerlabel == NULL) {
mac_socket_label_free(so->so_label);
so->so_label = NULL;
@ -142,37 +142,37 @@ void
mac_socket_label_free(struct label *label)
{
MAC_PERFORM(destroy_socket_label, label);
MAC_PERFORM(socket_destroy_label, label);
mac_labelzone_free(label);
}
static void
mac_socket_peer_label_free(struct label *label)
mac_socketpeer_label_free(struct label *label)
{
MAC_PERFORM(destroy_socket_peer_label, label);
MAC_PERFORM(socketpeer_destroy_label, label);
mac_labelzone_free(label);
}
void
mac_destroy_socket(struct socket *so)
mac_socket_destroy(struct socket *so)
{
mac_socket_label_free(so->so_label);
so->so_label = NULL;
mac_socket_peer_label_free(so->so_peerlabel);
mac_socketpeer_label_free(so->so_peerlabel);
so->so_peerlabel = NULL;
}
void
mac_copy_socket_label(struct label *src, struct label *dest)
mac_socket_copy_label(struct label *src, struct label *dest)
{
MAC_PERFORM(copy_socket_label, src, dest);
MAC_PERFORM(socket_copy_label, src, dest);
}
int
mac_externalize_socket_label(struct label *label, char *elements,
mac_socket_externalize_label(struct label *label, char *elements,
char *outbuf, size_t outbuflen)
{
int error;
@ -183,18 +183,18 @@ mac_externalize_socket_label(struct label *label, char *elements,
}
static int
mac_externalize_socket_peer_label(struct label *label, char *elements,
mac_socketpeer_externalize_label(struct label *label, char *elements,
char *outbuf, size_t outbuflen)
{
int error;
MAC_EXTERNALIZE(socket_peer, label, elements, outbuf, outbuflen);
MAC_EXTERNALIZE(socketpeer, label, elements, outbuf, outbuflen);
return (error);
}
int
mac_internalize_socket_label(struct label *label, char *string)
mac_socket_internalize_label(struct label *label, char *string)
{
int error;
@ -204,34 +204,34 @@ mac_internalize_socket_label(struct label *label, char *string)
}
void
mac_create_socket(struct ucred *cred, struct socket *so)
mac_socket_create(struct ucred *cred, struct socket *so)
{
MAC_PERFORM(create_socket, cred, so, so->so_label);
MAC_PERFORM(socket_create, cred, so, so->so_label);
}
void
mac_create_socket_from_socket(struct socket *oldso, struct socket *newso)
mac_socket_newconn(struct socket *oldso, struct socket *newso)
{
SOCK_LOCK_ASSERT(oldso);
MAC_PERFORM(create_socket_from_socket, oldso, oldso->so_label, newso,
MAC_PERFORM(socket_newconn, oldso, oldso->so_label, newso,
newso->so_label);
}
static void
mac_relabel_socket(struct ucred *cred, struct socket *so,
mac_socket_relabel(struct ucred *cred, struct socket *so,
struct label *newlabel)
{
SOCK_LOCK_ASSERT(so);
MAC_PERFORM(relabel_socket, cred, so, so->so_label, newlabel);
MAC_PERFORM(socket_relabel, cred, so, so->so_label, newlabel);
}
void
mac_set_socket_peer_from_mbuf(struct mbuf *m, struct socket *so)
mac_socketpeer_set_from_mbuf(struct mbuf *m, struct socket *so)
{
struct label *label;
@ -239,12 +239,12 @@ mac_set_socket_peer_from_mbuf(struct mbuf *m, struct socket *so)
label = mac_mbuf_to_label(m);
MAC_PERFORM(set_socket_peer_from_mbuf, m, label, so,
MAC_PERFORM(socketpeer_set_from_mbuf, m, label, so,
so->so_peerlabel);
}
void
mac_set_socket_peer_from_socket(struct socket *oldso, struct socket *newso)
mac_socketpeer_set_from_socket(struct socket *oldso, struct socket *newso)
{
/*
@ -252,12 +252,12 @@ mac_set_socket_peer_from_socket(struct socket *oldso, struct socket *newso)
* is the original, and one is the new. However, it's called in both
* directions, so we can't assert the lock here currently.
*/
MAC_PERFORM(set_socket_peer_from_socket, oldso, oldso->so_label,
MAC_PERFORM(socketpeer_set_from_socket, oldso, oldso->so_label,
newso, newso->so_peerlabel);
}
void
mac_create_mbuf_from_socket(struct socket *so, struct mbuf *m)
mac_socket_create_mbuf(struct socket *so, struct mbuf *m)
{
struct label *label;
@ -265,59 +265,59 @@ mac_create_mbuf_from_socket(struct socket *so, struct mbuf *m)
label = mac_mbuf_to_label(m);
MAC_PERFORM(create_mbuf_from_socket, so, so->so_label, m, label);
MAC_PERFORM(socket_create_mbuf, so, so->so_label, m, label);
}
int
mac_check_socket_accept(struct ucred *cred, struct socket *so)
mac_socket_check_accept(struct ucred *cred, struct socket *so)
{
int error;
SOCK_LOCK_ASSERT(so);
MAC_CHECK(check_socket_accept, cred, so, so->so_label);
MAC_CHECK(socket_check_accept, cred, so, so->so_label);
return (error);
}
int
mac_check_socket_bind(struct ucred *ucred, struct socket *so,
mac_socket_check_bind(struct ucred *ucred, struct socket *so,
struct sockaddr *sa)
{
int error;
SOCK_LOCK_ASSERT(so);
MAC_CHECK(check_socket_bind, ucred, so, so->so_label, sa);
MAC_CHECK(socket_check_bind, ucred, so, so->so_label, sa);
return (error);
}
int
mac_check_socket_connect(struct ucred *cred, struct socket *so,
mac_socket_check_connect(struct ucred *cred, struct socket *so,
struct sockaddr *sa)
{
int error;
SOCK_LOCK_ASSERT(so);
MAC_CHECK(check_socket_connect, cred, so, so->so_label, sa);
MAC_CHECK(socket_check_connect, cred, so, so->so_label, sa);
return (error);
}
int
mac_check_socket_create(struct ucred *cred, int domain, int type, int proto)
mac_socket_check_create(struct ucred *cred, int domain, int type, int proto)
{
int error;
MAC_CHECK(check_socket_create, cred, domain, type, proto);
MAC_CHECK(socket_check_create, cred, domain, type, proto);
return (error);
}
int
mac_check_socket_deliver(struct socket *so, struct mbuf *m)
mac_socket_check_deliver(struct socket *so, struct mbuf *m)
{
struct label *label;
int error;
@ -326,92 +326,92 @@ mac_check_socket_deliver(struct socket *so, struct mbuf *m)
label = mac_mbuf_to_label(m);
MAC_CHECK(check_socket_deliver, so, so->so_label, m, label);
MAC_CHECK(socket_check_deliver, so, so->so_label, m, label);
return (error);
}
int
mac_check_socket_listen(struct ucred *cred, struct socket *so)
mac_socket_check_listen(struct ucred *cred, struct socket *so)
{
int error;
SOCK_LOCK_ASSERT(so);
MAC_CHECK(check_socket_listen, cred, so, so->so_label);
MAC_CHECK(socket_check_listen, cred, so, so->so_label);
return (error);
}
int
mac_check_socket_poll(struct ucred *cred, struct socket *so)
mac_socket_check_poll(struct ucred *cred, struct socket *so)
{
int error;
SOCK_LOCK_ASSERT(so);
MAC_CHECK(check_socket_poll, cred, so, so->so_label);
MAC_CHECK(socket_check_poll, cred, so, so->so_label);
return (error);
}
int
mac_check_socket_receive(struct ucred *cred, struct socket *so)
mac_socket_check_receive(struct ucred *cred, struct socket *so)
{
int error;
SOCK_LOCK_ASSERT(so);
MAC_CHECK(check_socket_receive, cred, so, so->so_label);
MAC_CHECK(socket_check_receive, cred, so, so->so_label);
return (error);
}
static int
mac_check_socket_relabel(struct ucred *cred, struct socket *so,
mac_socket_check_relabel(struct ucred *cred, struct socket *so,
struct label *newlabel)
{
int error;
SOCK_LOCK_ASSERT(so);
MAC_CHECK(check_socket_relabel, cred, so, so->so_label, newlabel);
MAC_CHECK(socket_check_relabel, cred, so, so->so_label, newlabel);
return (error);
}
int
mac_check_socket_send(struct ucred *cred, struct socket *so)
mac_socket_check_send(struct ucred *cred, struct socket *so)
{
int error;
SOCK_LOCK_ASSERT(so);
MAC_CHECK(check_socket_send, cred, so, so->so_label);
MAC_CHECK(socket_check_send, cred, so, so->so_label);
return (error);
}
int
mac_check_socket_stat(struct ucred *cred, struct socket *so)
mac_socket_check_stat(struct ucred *cred, struct socket *so)
{
int error;
SOCK_LOCK_ASSERT(so);
MAC_CHECK(check_socket_stat, cred, so, so->so_label);
MAC_CHECK(socket_check_stat, cred, so, so->so_label);
return (error);
}
int
mac_check_socket_visible(struct ucred *cred, struct socket *so)
mac_socket_check_visible(struct ucred *cred, struct socket *so)
{
int error;
SOCK_LOCK_ASSERT(so);
MAC_CHECK(check_socket_visible, cred, so, so->so_label);
MAC_CHECK(socket_check_visible, cred, so, so->so_label);
return (error);
}
@ -431,13 +431,13 @@ mac_socket_label_set(struct ucred *cred, struct socket *so,
* acquire the socket lock before refreshing, holding both locks.
*/
SOCK_LOCK(so);
error = mac_check_socket_relabel(cred, so, label);
error = mac_socket_check_relabel(cred, so, label);
if (error) {
SOCK_UNLOCK(so);
return (error);
}
mac_relabel_socket(cred, so, label);
mac_socket_relabel(cred, so, label);
SOCK_UNLOCK(so);
/*
@ -471,7 +471,7 @@ mac_setsockopt_label(struct ucred *cred, struct socket *so, struct mac *mac)
}
intlabel = mac_socket_label_alloc(M_WAITOK);
error = mac_internalize_socket_label(intlabel, buffer);
error = mac_socket_internalize_label(intlabel, buffer);
free(buffer, M_MACTEMP);
if (error)
goto out;
@ -503,9 +503,9 @@ mac_getsockopt_label(struct ucred *cred, struct socket *so, struct mac *mac)
buffer = malloc(mac->m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
intlabel = mac_socket_label_alloc(M_WAITOK);
SOCK_LOCK(so);
mac_copy_socket_label(so->so_label, intlabel);
mac_socket_copy_label(so->so_label, intlabel);
SOCK_UNLOCK(so);
error = mac_externalize_socket_label(intlabel, elements, buffer,
error = mac_socket_externalize_label(intlabel, elements, buffer,
mac->m_buflen);
mac_socket_label_free(intlabel);
if (error == 0)
@ -539,9 +539,9 @@ mac_getsockopt_peerlabel(struct ucred *cred, struct socket *so,
buffer = malloc(mac->m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
intlabel = mac_socket_label_alloc(M_WAITOK);
SOCK_LOCK(so);
mac_copy_socket_label(so->so_peerlabel, intlabel);
mac_socket_copy_label(so->so_peerlabel, intlabel);
SOCK_UNLOCK(so);
error = mac_externalize_socket_peer_label(intlabel, elements, buffer,
error = mac_socketpeer_externalize_label(intlabel, elements, buffer,
mac->m_buflen);
mac_socket_label_free(intlabel);
if (error == 0)


@ -105,7 +105,7 @@ __mac_get_pid(struct thread *td, struct __mac_get_pid_args *uap)
}
buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
error = mac_externalize_cred_label(tcred->cr_label, elements,
error = mac_cred_externalize_label(tcred->cr_label, elements,
buffer, mac.m_buflen);
if (error == 0)
error = copyout(buffer, mac.m_string, strlen(buffer)+1);
@ -139,7 +139,7 @@ __mac_get_proc(struct thread *td, struct __mac_get_proc_args *uap)
}
buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
error = mac_externalize_cred_label(td->td_ucred->cr_label,
error = mac_cred_externalize_label(td->td_ucred->cr_label,
elements, buffer, mac.m_buflen);
if (error == 0)
error = copyout(buffer, mac.m_string, strlen(buffer)+1);
@ -175,7 +175,7 @@ __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
}
intlabel = mac_cred_label_alloc();
error = mac_internalize_cred_label(intlabel, buffer);
error = mac_cred_internalize_label(intlabel, buffer);
free(buffer, M_MACTEMP);
if (error)
goto out;
@ -186,7 +186,7 @@ __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
PROC_LOCK(p);
oldcred = p->p_ucred;
error = mac_check_cred_relabel(oldcred, intlabel);
error = mac_cred_check_relabel(oldcred, intlabel);
if (error) {
PROC_UNLOCK(p);
crfree(newcred);
@ -195,7 +195,7 @@ __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
setsugid(p);
crcopy(newcred, oldcred);
mac_relabel_cred(newcred, intlabel);
mac_cred_relabel(newcred, intlabel);
p->p_ucred = newcred;
/*
@ -256,10 +256,10 @@ __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap)
intlabel = mac_vnode_label_alloc();
vfslocked = VFS_LOCK_GIANT(vp->v_mount);
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
mac_copy_vnode_label(vp->v_label, intlabel);
mac_vnode_copy_label(vp->v_label, intlabel);
VOP_UNLOCK(vp, 0, td);
VFS_UNLOCK_GIANT(vfslocked);
error = mac_externalize_vnode_label(intlabel, elements,
error = mac_vnode_externalize_label(intlabel, elements,
buffer, mac.m_buflen);
mac_vnode_label_free(intlabel);
break;
@ -268,9 +268,9 @@ __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap)
pipe = fp->f_data;
intlabel = mac_pipe_label_alloc();
PIPE_LOCK(pipe);
mac_copy_pipe_label(pipe->pipe_pair->pp_label, intlabel);
mac_pipe_copy_label(pipe->pipe_pair->pp_label, intlabel);
PIPE_UNLOCK(pipe);
error = mac_externalize_pipe_label(intlabel, elements,
error = mac_pipe_externalize_label(intlabel, elements,
buffer, mac.m_buflen);
mac_pipe_label_free(intlabel);
break;
@ -279,9 +279,9 @@ __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap)
so = fp->f_data;
intlabel = mac_socket_label_alloc(M_WAITOK);
SOCK_LOCK(so);
mac_copy_socket_label(so->so_label, intlabel);
mac_socket_copy_label(so->so_label, intlabel);
SOCK_UNLOCK(so);
error = mac_externalize_socket_label(intlabel, elements,
error = mac_socket_externalize_label(intlabel, elements,
buffer, mac.m_buflen);
mac_socket_label_free(intlabel);
break;
@ -332,8 +332,8 @@ __mac_get_file(struct thread *td, struct __mac_get_file_args *uap)
intlabel = mac_vnode_label_alloc();
vfslocked = NDHASGIANT(&nd);
mac_copy_vnode_label(nd.ni_vp->v_label, intlabel);
error = mac_externalize_vnode_label(intlabel, elements, buffer,
mac_vnode_copy_label(nd.ni_vp->v_label, intlabel);
error = mac_vnode_externalize_label(intlabel, elements, buffer,
mac.m_buflen);
NDFREE(&nd, 0);
@ -382,8 +382,8 @@ __mac_get_link(struct thread *td, struct __mac_get_link_args *uap)
intlabel = mac_vnode_label_alloc();
vfslocked = NDHASGIANT(&nd);
mac_copy_vnode_label(nd.ni_vp->v_label, intlabel);
error = mac_externalize_vnode_label(intlabel, elements, buffer,
mac_vnode_copy_label(nd.ni_vp->v_label, intlabel);
error = mac_vnode_externalize_label(intlabel, elements, buffer,
mac.m_buflen);
NDFREE(&nd, 0);
VFS_UNLOCK_GIANT(vfslocked);
@ -435,7 +435,7 @@ __mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap)
case DTYPE_FIFO:
case DTYPE_VNODE:
intlabel = mac_vnode_label_alloc();
error = mac_internalize_vnode_label(intlabel, buffer);
error = mac_vnode_internalize_label(intlabel, buffer);
if (error) {
mac_vnode_label_free(intlabel);
break;
@ -458,7 +458,7 @@ __mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap)
case DTYPE_PIPE:
intlabel = mac_pipe_label_alloc();
error = mac_internalize_pipe_label(intlabel, buffer);
error = mac_pipe_internalize_label(intlabel, buffer);
if (error == 0) {
pipe = fp->f_data;
PIPE_LOCK(pipe);
@ -471,7 +471,7 @@ __mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap)
case DTYPE_SOCKET:
intlabel = mac_socket_label_alloc(M_WAITOK);
error = mac_internalize_socket_label(intlabel, buffer);
error = mac_socket_internalize_label(intlabel, buffer);
if (error == 0) {
so = fp->f_data;
error = mac_socket_label_set(td->td_ucred, so,
@ -515,7 +515,7 @@ __mac_set_file(struct thread *td, struct __mac_set_file_args *uap)
}
intlabel = mac_vnode_label_alloc();
error = mac_internalize_vnode_label(intlabel, buffer);
error = mac_vnode_internalize_label(intlabel, buffer);
free(buffer, M_MACTEMP);
if (error)
goto out;
@ -566,7 +566,7 @@ __mac_set_link(struct thread *td, struct __mac_set_link_args *uap)
}
intlabel = mac_vnode_label_alloc();
error = mac_internalize_vnode_label(intlabel, buffer);
error = mac_vnode_internalize_label(intlabel, buffer);
free(buffer, M_MACTEMP);
if (error)
goto out;


@ -1,5 +1,6 @@
/*-
* Copyright (c) 2002-2003 Networks Associates Technology, Inc.
* Copyright (c) 2006 SPARTA, Inc.
* Copyright (c) 2007 Robert N. M. Watson
* All rights reserved.
*
@ -11,6 +12,9 @@
* Portions of this software were developed by Robert Watson for the
* TrustedBSD Project.
*
* This software was enhanced by SPARTA ISSO under SPAWAR contract
* N66001-04-C-6019 ("SEFOS").
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@ -63,116 +67,116 @@ __FBSDID("$FreeBSD$");
#include <security/mac/mac_policy.h>
int
mac_check_kenv_dump(struct ucred *cred)
mac_kenv_check_dump(struct ucred *cred)
{
int error;
MAC_CHECK(check_kenv_dump, cred);
MAC_CHECK(kenv_check_dump, cred);
return (error);
}
int
mac_check_kenv_get(struct ucred *cred, char *name)
mac_kenv_check_get(struct ucred *cred, char *name)
{
int error;
MAC_CHECK(check_kenv_get, cred, name);
MAC_CHECK(kenv_check_get, cred, name);
return (error);
}
int
mac_check_kenv_set(struct ucred *cred, char *name, char *value)
mac_kenv_check_set(struct ucred *cred, char *name, char *value)
{
int error;
MAC_CHECK(check_kenv_set, cred, name, value);
MAC_CHECK(kenv_check_set, cred, name, value);
return (error);
}
int
mac_check_kenv_unset(struct ucred *cred, char *name)
mac_kenv_check_unset(struct ucred *cred, char *name)
{
int error;
MAC_CHECK(check_kenv_unset, cred, name);
MAC_CHECK(kenv_check_unset, cred, name);
return (error);
}
int
mac_check_kld_load(struct ucred *cred, struct vnode *vp)
mac_kld_check_load(struct ucred *cred, struct vnode *vp)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_check_kld_load");
ASSERT_VOP_LOCKED(vp, "mac_kld_check_load");
MAC_CHECK(check_kld_load, cred, vp, vp->v_label);
MAC_CHECK(kld_check_load, cred, vp, vp->v_label);
return (error);
}
int
mac_check_kld_stat(struct ucred *cred)
mac_kld_check_stat(struct ucred *cred)
{
int error;
MAC_CHECK(check_kld_stat, cred);
MAC_CHECK(kld_check_stat, cred);
return (error);
}
int
mac_check_system_acct(struct ucred *cred, struct vnode *vp)
mac_system_check_acct(struct ucred *cred, struct vnode *vp)
{
int error;
if (vp != NULL) {
ASSERT_VOP_LOCKED(vp, "mac_check_system_acct");
ASSERT_VOP_LOCKED(vp, "mac_system_check_acct");
}
MAC_CHECK(check_system_acct, cred, vp,
MAC_CHECK(system_check_acct, cred, vp,
vp != NULL ? vp->v_label : NULL);
return (error);
}
int
mac_check_system_reboot(struct ucred *cred, int howto)
mac_system_check_reboot(struct ucred *cred, int howto)
{
int error;
MAC_CHECK(check_system_reboot, cred, howto);
MAC_CHECK(system_check_reboot, cred, howto);
return (error);
}
int
mac_check_system_swapon(struct ucred *cred, struct vnode *vp)
mac_system_check_swapon(struct ucred *cred, struct vnode *vp)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_check_system_swapon");
ASSERT_VOP_LOCKED(vp, "mac_system_check_swapon");
MAC_CHECK(check_system_swapon, cred, vp, vp->v_label);
MAC_CHECK(system_check_swapon, cred, vp, vp->v_label);
return (error);
}
int
mac_check_system_swapoff(struct ucred *cred, struct vnode *vp)
mac_system_check_swapoff(struct ucred *cred, struct vnode *vp)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_check_system_swapoff");
ASSERT_VOP_LOCKED(vp, "mac_system_check_swapoff");
MAC_CHECK(check_system_swapoff, cred, vp, vp->v_label);
MAC_CHECK(system_check_swapoff, cred, vp, vp->v_label);
return (error);
}
int
mac_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
mac_system_check_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
void *arg1, int arg2, struct sysctl_req *req)
{
int error;
@ -181,7 +185,7 @@ mac_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
* XXXMAC: We would very much like to assert the SYSCTL_LOCK here,
* but since it's not exported from kern_sysctl.c, we can't.
*/
MAC_CHECK(check_system_sysctl, cred, oidp, arg1, arg2, req);
MAC_CHECK(system_check_sysctl, cred, oidp, arg1, arg2, req);
return (error);
}


@ -1,5 +1,6 @@
/*-
* Copyright (c) 2003-2004 Networks Associates Technology, Inc.
* Copyright (c) 2006 SPARTA, Inc.
* All rights reserved.
*
* This software was developed for the FreeBSD Project in part by Network
@ -7,6 +8,9 @@
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
* as part of the DARPA CHATS research program.
*
* This software was enhanced by SPARTA ISSO under SPAWAR contract
* N66001-04-C-6019 ("SEFOS").
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@ -58,12 +62,12 @@ mac_sysv_msgmsg_label_alloc(void)
struct label *label;
label = mac_labelzone_alloc(M_WAITOK);
MAC_PERFORM(init_sysv_msgmsg_label, label);
MAC_PERFORM(sysvmsg_init_label, label);
return (label);
}
void
mac_init_sysv_msgmsg(struct msg *msgptr)
mac_sysvmsg_init(struct msg *msgptr)
{
msgptr->label = mac_sysv_msgmsg_label_alloc();
@ -75,12 +79,12 @@ mac_sysv_msgqueue_label_alloc(void)
struct label *label;
label = mac_labelzone_alloc(M_WAITOK);
MAC_PERFORM(init_sysv_msgqueue_label, label);
MAC_PERFORM(sysvmsq_init_label, label);
return (label);
}
void
mac_init_sysv_msgqueue(struct msqid_kernel *msqkptr)
mac_sysvmsq_init(struct msqid_kernel *msqkptr)
{
msqkptr->label = mac_sysv_msgqueue_label_alloc();
@ -90,12 +94,12 @@ static void
mac_sysv_msgmsg_label_free(struct label *label)
{
MAC_PERFORM(destroy_sysv_msgmsg_label, label);
MAC_PERFORM(sysvmsg_destroy_label, label);
mac_labelzone_free(label);
}
void
mac_destroy_sysv_msgmsg(struct msg *msgptr)
mac_sysvmsg_destroy(struct msg *msgptr)
{
mac_sysv_msgmsg_label_free(msgptr->label);
@ -106,12 +110,12 @@ static void
mac_sysv_msgqueue_label_free(struct label *label)
{
MAC_PERFORM(destroy_sysv_msgqueue_label, label);
MAC_PERFORM(sysvmsq_destroy_label, label);
mac_labelzone_free(label);
}
void
mac_destroy_sysv_msgqueue(struct msqid_kernel *msqkptr)
mac_sysvmsq_destroy(struct msqid_kernel *msqkptr)
{
mac_sysv_msgqueue_label_free(msqkptr->label);
@ -119,104 +123,104 @@ mac_destroy_sysv_msgqueue(struct msqid_kernel *msqkptr)
}
void
mac_create_sysv_msgmsg(struct ucred *cred, struct msqid_kernel *msqkptr,
mac_sysvmsg_create(struct ucred *cred, struct msqid_kernel *msqkptr,
struct msg *msgptr)
{
MAC_PERFORM(create_sysv_msgmsg, cred, msqkptr, msqkptr->label,
MAC_PERFORM(sysvmsg_create, cred, msqkptr, msqkptr->label,
msgptr, msgptr->label);
}
void
mac_create_sysv_msgqueue(struct ucred *cred, struct msqid_kernel *msqkptr)
mac_sysvmsq_create(struct ucred *cred, struct msqid_kernel *msqkptr)
{
MAC_PERFORM(create_sysv_msgqueue, cred, msqkptr, msqkptr->label);
MAC_PERFORM(sysvmsq_create, cred, msqkptr, msqkptr->label);
}
void
mac_cleanup_sysv_msgmsg(struct msg *msgptr)
mac_sysvmsg_cleanup(struct msg *msgptr)
{
MAC_PERFORM(cleanup_sysv_msgmsg, msgptr->label);
MAC_PERFORM(sysvmsg_cleanup, msgptr->label);
}
void
mac_cleanup_sysv_msgqueue(struct msqid_kernel *msqkptr)
mac_sysvmsq_cleanup(struct msqid_kernel *msqkptr)
{
MAC_PERFORM(cleanup_sysv_msgqueue, msqkptr->label);
MAC_PERFORM(sysvmsq_cleanup, msqkptr->label);
}
int
mac_check_sysv_msgmsq(struct ucred *cred, struct msg *msgptr,
mac_sysvmsq_check_msgmsq(struct ucred *cred, struct msg *msgptr,
struct msqid_kernel *msqkptr)
{
int error;
MAC_CHECK(check_sysv_msgmsq, cred, msgptr, msgptr->label, msqkptr,
msqkptr->label);
MAC_CHECK(sysvmsq_check_msgmsq, cred, msgptr, msgptr->label,
msqkptr, msqkptr->label);
return (error);
}
int
mac_check_sysv_msgrcv(struct ucred *cred, struct msg *msgptr)
mac_sysvmsq_check_msgrcv(struct ucred *cred, struct msg *msgptr)
{
int error;
MAC_CHECK(check_sysv_msgrcv, cred, msgptr, msgptr->label);
MAC_CHECK(sysvmsq_check_msgrcv, cred, msgptr, msgptr->label);
return (error);
}
int
mac_check_sysv_msgrmid(struct ucred *cred, struct msg *msgptr)
mac_sysvmsq_check_msgrmid(struct ucred *cred, struct msg *msgptr)
{
int error;
MAC_CHECK(check_sysv_msgrmid, cred, msgptr, msgptr->label);
MAC_CHECK(sysvmsq_check_msgrmid, cred, msgptr, msgptr->label);
return (error);
}
int
mac_check_sysv_msqget(struct ucred *cred, struct msqid_kernel *msqkptr)
mac_sysvmsq_check_msqget(struct ucred *cred, struct msqid_kernel *msqkptr)
{
int error;
MAC_CHECK(check_sysv_msqget, cred, msqkptr, msqkptr->label);
MAC_CHECK(sysvmsq_check_msqget, cred, msqkptr, msqkptr->label);
return (error);
}
int
mac_check_sysv_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr)
mac_sysvmsq_check_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr)
{
int error;
MAC_CHECK(check_sysv_msqsnd, cred, msqkptr, msqkptr->label);
MAC_CHECK(sysvmsq_check_msqsnd, cred, msqkptr, msqkptr->label);
return (error);
}
int
mac_check_sysv_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr)
mac_sysvmsq_check_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr)
{
int error;
MAC_CHECK(check_sysv_msqrcv, cred, msqkptr, msqkptr->label);
MAC_CHECK(sysvmsq_check_msqrcv, cred, msqkptr, msqkptr->label);
return (error);
}
int
mac_check_sysv_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr,
mac_sysvmsq_check_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr,
int cmd)
{
int error;
MAC_CHECK(check_sysv_msqctl, cred, msqkptr, msqkptr->label, cmd);
MAC_CHECK(sysvmsq_check_msqctl, cred, msqkptr, msqkptr->label, cmd);
return (error);
}
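Review bot: `mac_sysvmsq_check_msgrcv(struct ucred *cred, struct msg *msgptr)` and `mac_sysvmsq_check_msgrmid` take a message and consult `msgptr->label`, yet carry the `sysvmsq` (queue) object prefix, while the message object is named `sysvmsg` elsewhere in this file (`mac_sysvmsg_create`, `mac_sysvmsg_cleanup`). Under the commit's stated `mac_<object>_check_<method>` scheme these read as queue checks, and a reader skimming the names may assume the queue label is the one being evaluated. If grouping every message-related check under the queue object is deliberate, a short comment above `mac_sysvmsq_check_msgmsq`, such as `/* msgmsq/msgrcv/msgrmid checks are grouped under the sysvmsq object; msgrcv/msgrmid consult the message label only. */`, would make that intent explicit; if the names are changed instead, the policy-side `sysvmsq_check_msgrcv`/`sysvmsq_check_msgrmid` entry points passed to MAC_CHECK would need to move in step.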


@ -1,5 +1,6 @@
/*-
* Copyright (c) 2003-2004 Networks Associates Technology, Inc.
* Copyright (c) 2006 SPARTA, Inc.
* All rights reserved.
*
* This software was developed for the FreeBSD Project in part by Network
@ -7,6 +8,9 @@
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
* as part of the DARPA CHATS research program.
*
* This software was enhanced by SPARTA ISSO under SPAWAR contract
* N66001-04-C-6019 ("SEFOS").
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@ -58,12 +62,12 @@ mac_sysv_sem_label_alloc(void)
struct label *label;
label = mac_labelzone_alloc(M_WAITOK);
MAC_PERFORM(init_sysv_sem_label, label);
MAC_PERFORM(sysvsem_init_label, label);
return (label);
}
void
mac_init_sysv_sem(struct semid_kernel *semakptr)
mac_sysvsem_init(struct semid_kernel *semakptr)
{
semakptr->label = mac_sysv_sem_label_alloc();
@ -73,12 +77,12 @@ static void
mac_sysv_sem_label_free(struct label *label)
{
MAC_PERFORM(destroy_sysv_sem_label, label);
MAC_PERFORM(sysvsem_destroy_label, label);
mac_labelzone_free(label);
}
void
mac_destroy_sysv_sem(struct semid_kernel *semakptr)
mac_sysvsem_destroy(struct semid_kernel *semakptr)
{
mac_sysv_sem_label_free(semakptr->label);
@ -86,47 +90,48 @@ mac_destroy_sysv_sem(struct semid_kernel *semakptr)
}
void
mac_create_sysv_sem(struct ucred *cred, struct semid_kernel *semakptr)
mac_sysvsem_create(struct ucred *cred, struct semid_kernel *semakptr)
{
MAC_PERFORM(create_sysv_sem, cred, semakptr, semakptr->label);
MAC_PERFORM(sysvsem_create, cred, semakptr, semakptr->label);
}
void
mac_cleanup_sysv_sem(struct semid_kernel *semakptr)
mac_sysvsem_cleanup(struct semid_kernel *semakptr)
{
MAC_PERFORM(cleanup_sysv_sem, semakptr->label);
MAC_PERFORM(sysvsem_cleanup, semakptr->label);
}
int
mac_check_sysv_semctl(struct ucred *cred, struct semid_kernel *semakptr,
mac_sysvsem_check_semctl(struct ucred *cred, struct semid_kernel *semakptr,
int cmd)
{
int error;
MAC_CHECK(check_sysv_semctl, cred, semakptr, semakptr->label, cmd);
MAC_CHECK(sysvsem_check_semctl, cred, semakptr, semakptr->label,
cmd);
return (error);
}
int
mac_check_sysv_semget(struct ucred *cred, struct semid_kernel *semakptr)
mac_sysvsem_check_semget(struct ucred *cred, struct semid_kernel *semakptr)
{
int error;
MAC_CHECK(check_sysv_semget, cred, semakptr, semakptr->label);
MAC_CHECK(sysvsem_check_semget, cred, semakptr, semakptr->label);
return (error);
}
int
mac_check_sysv_semop(struct ucred *cred, struct semid_kernel *semakptr,
mac_sysvsem_check_semop(struct ucred *cred, struct semid_kernel *semakptr,
size_t accesstype)
{
int error;
MAC_CHECK(check_sysv_semop, cred, semakptr, semakptr->label,
MAC_CHECK(sysvsem_check_semop, cred, semakptr, semakptr->label,
accesstype);
return (error);


@ -1,5 +1,6 @@
/*-
* Copyright (c) 2003-2004 Networks Associates Technology, Inc.
* Copyright (c) 2006 SPARTA, Inc.
* All rights reserved.
*
* This software was developed for the FreeBSD Project in part by Network
@ -7,6 +8,9 @@
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
* as part of the DARPA CHATS research program.
*
* This software was enhanced by SPARTA ISSO under SPAWAR contract
* N66001-04-C-6019 ("SEFOS").
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@ -58,12 +62,12 @@ mac_sysv_shm_label_alloc(void)
struct label *label;
label = mac_labelzone_alloc(M_WAITOK);
MAC_PERFORM(init_sysv_shm_label, label);
MAC_PERFORM(sysvshm_init_label, label);
return (label);
}
void
mac_init_sysv_shm(struct shmid_kernel *shmsegptr)
mac_sysvshm_init(struct shmid_kernel *shmsegptr)
{
shmsegptr->label = mac_sysv_shm_label_alloc();
@ -73,12 +77,12 @@ static void
mac_sysv_shm_label_free(struct label *label)
{
MAC_PERFORM(destroy_sysv_shm_label, label);
MAC_PERFORM(sysvshm_destroy_label, label);
mac_labelzone_free(label);
}
void
mac_destroy_sysv_shm(struct shmid_kernel *shmsegptr)
mac_sysvshm_destroy(struct shmid_kernel *shmsegptr)
{
mac_sysv_shm_label_free(shmsegptr->label);
@ -86,60 +90,60 @@ mac_destroy_sysv_shm(struct shmid_kernel *shmsegptr)
}
void
mac_create_sysv_shm(struct ucred *cred, struct shmid_kernel *shmsegptr)
mac_sysvshm_create(struct ucred *cred, struct shmid_kernel *shmsegptr)
{
MAC_PERFORM(create_sysv_shm, cred, shmsegptr, shmsegptr->label);
MAC_PERFORM(sysvshm_create, cred, shmsegptr, shmsegptr->label);
}
void
mac_cleanup_sysv_shm(struct shmid_kernel *shmsegptr)
mac_sysvshm_cleanup(struct shmid_kernel *shmsegptr)
{
MAC_PERFORM(cleanup_sysv_shm, shmsegptr->label);
MAC_PERFORM(sysvshm_cleanup, shmsegptr->label);
}
int
mac_check_sysv_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr,
mac_sysvshm_check_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr,
int shmflg)
{
int error;
MAC_CHECK(check_sysv_shmat, cred, shmsegptr, shmsegptr->label,
MAC_CHECK(sysvshm_check_shmat, cred, shmsegptr, shmsegptr->label,
shmflg);
return (error);
}
int
mac_check_sysv_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr,
mac_sysvshm_check_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr,
int cmd)
{
int error;
MAC_CHECK(check_sysv_shmctl, cred, shmsegptr, shmsegptr->label,
MAC_CHECK(sysvshm_check_shmctl, cred, shmsegptr, shmsegptr->label,
cmd);
return (error);
}
int
mac_check_sysv_shmdt(struct ucred *cred, struct shmid_kernel *shmsegptr)
mac_sysvshm_check_shmdt(struct ucred *cred, struct shmid_kernel *shmsegptr)
{
int error;
MAC_CHECK(check_sysv_shmdt, cred, shmsegptr, shmsegptr->label);
MAC_CHECK(sysvshm_check_shmdt, cred, shmsegptr, shmsegptr->label);
return (error);
}
int
mac_check_sysv_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr,
mac_sysvshm_check_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr,
int shmflg)
{
int error;
MAC_CHECK(check_sysv_shmget, cred, shmsegptr, shmsegptr->label,
MAC_CHECK(sysvshm_check_shmget, cred, shmsegptr, shmsegptr->label,
shmflg);
return (error);


@ -77,7 +77,7 @@ __FBSDID("$FreeBSD$");
*/
static int ea_warn_once = 0;
static int mac_setlabel_vnode_extattr(struct ucred *cred,
static int mac_vnode_setlabel_extattr(struct ucred *cred,
struct vnode *vp, struct label *intlabel);
static struct label *
@ -86,12 +86,12 @@ mac_devfs_label_alloc(void)
struct label *label;
label = mac_labelzone_alloc(M_WAITOK);
MAC_PERFORM(init_devfs_label, label);
MAC_PERFORM(devfs_init_label, label);
return (label);
}
void
mac_init_devfs(struct devfs_dirent *de)
mac_devfs_init(struct devfs_dirent *de)
{
de->de_label = mac_devfs_label_alloc();
@ -103,12 +103,12 @@ mac_mount_label_alloc(void)
struct label *label;
label = mac_labelzone_alloc(M_WAITOK);
MAC_PERFORM(init_mount_label, label);
MAC_PERFORM(mount_init_label, label);
return (label);
}
void
mac_init_mount(struct mount *mp)
mac_mount_init(struct mount *mp)
{
mp->mnt_label = mac_mount_label_alloc();
@ -120,12 +120,12 @@ mac_vnode_label_alloc(void)
struct label *label;
label = mac_labelzone_alloc(M_WAITOK);
MAC_PERFORM(init_vnode_label, label);
MAC_PERFORM(vnode_init_label, label);
return (label);
}
void
mac_init_vnode(struct vnode *vp)
mac_vnode_init(struct vnode *vp)
{
vp->v_label = mac_vnode_label_alloc();
@ -135,12 +135,12 @@ static void
mac_devfs_label_free(struct label *label)
{
MAC_PERFORM(destroy_devfs_label, label);
MAC_PERFORM(devfs_destroy_label, label);
mac_labelzone_free(label);
}
void
mac_destroy_devfs(struct devfs_dirent *de)
mac_devfs_destroy(struct devfs_dirent *de)
{
mac_devfs_label_free(de->de_label);
@ -151,12 +151,12 @@ static void
mac_mount_label_free(struct label *label)
{
MAC_PERFORM(destroy_mount_label, label);
MAC_PERFORM(mount_destroy_label, label);
mac_labelzone_free(label);
}
void
mac_destroy_mount(struct mount *mp)
mac_mount_destroy(struct mount *mp)
{
mac_mount_label_free(mp->mnt_label);
@ -167,12 +167,12 @@ void
mac_vnode_label_free(struct label *label)
{
MAC_PERFORM(destroy_vnode_label, label);
MAC_PERFORM(vnode_destroy_label, label);
mac_labelzone_free(label);
}
void
mac_destroy_vnode(struct vnode *vp)
mac_vnode_destroy(struct vnode *vp)
{
mac_vnode_label_free(vp->v_label);
@ -180,14 +180,14 @@ mac_destroy_vnode(struct vnode *vp)
}
void
mac_copy_vnode_label(struct label *src, struct label *dest)
mac_vnode_copy_label(struct label *src, struct label *dest)
{
MAC_PERFORM(copy_vnode_label, src, dest);
MAC_PERFORM(vnode_copy_label, src, dest);
}
int
mac_externalize_vnode_label(struct label *label, char *elements,
mac_vnode_externalize_label(struct label *label, char *elements,
char *outbuf, size_t outbuflen)
{
int error;
@ -198,7 +198,7 @@ mac_externalize_vnode_label(struct label *label, char *elements,
}
int
mac_internalize_vnode_label(struct label *label, char *string)
mac_vnode_internalize_label(struct label *label, char *string)
{
int error;
@ -208,39 +208,39 @@ mac_internalize_vnode_label(struct label *label, char *string)
}
void
mac_update_devfs(struct mount *mp, struct devfs_dirent *de, struct vnode *vp)
mac_devfs_update(struct mount *mp, struct devfs_dirent *de, struct vnode *vp)
{
MAC_PERFORM(update_devfs, mp, de, de->de_label, vp, vp->v_label);
MAC_PERFORM(devfs_update, mp, de, de->de_label, vp, vp->v_label);
}
void
mac_associate_vnode_devfs(struct mount *mp, struct devfs_dirent *de,
mac_devfs_vnode_associate(struct mount *mp, struct devfs_dirent *de,
struct vnode *vp)
{
MAC_PERFORM(associate_vnode_devfs, mp, mp->mnt_label, de,
MAC_PERFORM(devfs_vnode_associate, mp, mp->mnt_label, de,
de->de_label, vp, vp->v_label);
}
int
mac_associate_vnode_extattr(struct mount *mp, struct vnode *vp)
mac_vnode_associate_extattr(struct mount *mp, struct vnode *vp)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_associate_vnode_extattr");
ASSERT_VOP_LOCKED(vp, "mac_vnode_associate_extattr");
MAC_CHECK(associate_vnode_extattr, mp, mp->mnt_label, vp,
MAC_CHECK(vnode_associate_extattr, mp, mp->mnt_label, vp,
vp->v_label);
return (error);
}
void
mac_associate_vnode_singlelabel(struct mount *mp, struct vnode *vp)
mac_vnode_associate_singlelabel(struct mount *mp, struct vnode *vp)
{
MAC_PERFORM(associate_vnode_singlelabel, mp, mp->mnt_label, vp,
MAC_PERFORM(vnode_associate_singlelabel, mp, mp->mnt_label, vp,
vp->v_label);
}
@ -254,13 +254,13 @@ mac_associate_vnode_singlelabel(struct mount *mp, struct vnode *vp)
* printf warning.
*/
int
mac_create_vnode_extattr(struct ucred *cred, struct mount *mp,
mac_vnode_create_extattr(struct ucred *cred, struct mount *mp,
struct vnode *dvp, struct vnode *vp, struct componentname *cnp)
{
int error;
ASSERT_VOP_LOCKED(dvp, "mac_create_vnode_extattr");
ASSERT_VOP_LOCKED(vp, "mac_create_vnode_extattr");
ASSERT_VOP_LOCKED(dvp, "mac_vnode_create_extattr");
ASSERT_VOP_LOCKED(vp, "mac_vnode_create_extattr");
error = VOP_OPENEXTATTR(vp, cred, curthread);
if (error == EOPNOTSUPP) {
@ -272,7 +272,7 @@ mac_create_vnode_extattr(struct ucred *cred, struct mount *mp,
} else if (error)
return (error);
MAC_CHECK(create_vnode_extattr, cred, mp, mp->mnt_label, dvp,
MAC_CHECK(vnode_create_extattr, cred, mp, mp->mnt_label, dvp,
dvp->v_label, vp, vp->v_label, cnp);
if (error) {
@ -288,12 +288,12 @@ mac_create_vnode_extattr(struct ucred *cred, struct mount *mp,
}
static int
mac_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
mac_vnode_setlabel_extattr(struct ucred *cred, struct vnode *vp,
struct label *intlabel)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_setlabel_vnode_extattr");
ASSERT_VOP_LOCKED(vp, "mac_vnode_setlabel_extattr");
error = VOP_OPENEXTATTR(vp, cred, curthread);
if (error == EOPNOTSUPP) {
@ -305,7 +305,7 @@ mac_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
} else if (error)
return (error);
MAC_CHECK(setlabel_vnode_extattr, cred, vp, vp->v_label, intlabel);
MAC_CHECK(vnode_setlabel_extattr, cred, vp, vp->v_label, intlabel);
if (error) {
VOP_CLOSEEXTATTR(vp, 0, NOCRED, curthread);
@ -320,487 +320,488 @@ mac_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
}
void
mac_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp,
struct label *interpvnodelabel, struct image_params *imgp)
mac_vnode_execve_transition(struct ucred *old, struct ucred *new,
struct vnode *vp, struct label *interpvnodelabel,
struct image_params *imgp)
{
ASSERT_VOP_LOCKED(vp, "mac_execve_transition");
ASSERT_VOP_LOCKED(vp, "mac_vnode_execve_transition");
MAC_PERFORM(execve_transition, old, new, vp, vp->v_label,
MAC_PERFORM(vnode_execve_transition, old, new, vp, vp->v_label,
interpvnodelabel, imgp, imgp->execlabel);
}
int
mac_execve_will_transition(struct ucred *old, struct vnode *vp,
mac_vnode_execve_will_transition(struct ucred *old, struct vnode *vp,
struct label *interpvnodelabel, struct image_params *imgp)
{
int result;
ASSERT_VOP_LOCKED(vp, "mac_execve_will_transition");
ASSERT_VOP_LOCKED(vp, "mac_vnode_execve_will_transition");
result = 0;
MAC_BOOLEAN(execve_will_transition, ||, old, vp, vp->v_label,
MAC_BOOLEAN(vnode_execve_will_transition, ||, old, vp, vp->v_label,
interpvnodelabel, imgp, imgp->execlabel);
return (result);
}
int
mac_check_vnode_access(struct ucred *cred, struct vnode *vp, int acc_mode)
mac_vnode_check_access(struct ucred *cred, struct vnode *vp, int acc_mode)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_access");
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_access");
MAC_CHECK(check_vnode_access, cred, vp, vp->v_label, acc_mode);
MAC_CHECK(vnode_check_access, cred, vp, vp->v_label, acc_mode);
return (error);
}
int
mac_check_vnode_chdir(struct ucred *cred, struct vnode *dvp)
mac_vnode_check_chdir(struct ucred *cred, struct vnode *dvp)
{
int error;
ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_chdir");
ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_chdir");
MAC_CHECK(check_vnode_chdir, cred, dvp, dvp->v_label);
MAC_CHECK(vnode_check_chdir, cred, dvp, dvp->v_label);
return (error);
}
int
mac_check_vnode_chroot(struct ucred *cred, struct vnode *dvp)
mac_vnode_check_chroot(struct ucred *cred, struct vnode *dvp)
{
int error;
ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_chroot");
ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_chroot");
MAC_CHECK(check_vnode_chroot, cred, dvp, dvp->v_label);
MAC_CHECK(vnode_check_chroot, cred, dvp, dvp->v_label);
return (error);
}
int
mac_check_vnode_create(struct ucred *cred, struct vnode *dvp,
mac_vnode_check_create(struct ucred *cred, struct vnode *dvp,
struct componentname *cnp, struct vattr *vap)
{
int error;
ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_create");
ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_create");
MAC_CHECK(check_vnode_create, cred, dvp, dvp->v_label, cnp, vap);
MAC_CHECK(vnode_check_create, cred, dvp, dvp->v_label, cnp, vap);
return (error);
}
int
mac_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
mac_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp,
acl_type_t type)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_deleteacl");
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_deleteacl");
MAC_CHECK(check_vnode_deleteacl, cred, vp, vp->v_label, type);
MAC_CHECK(vnode_check_deleteacl, cred, vp, vp->v_label, type);
return (error);
}
int
mac_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
mac_vnode_check_deleteextattr(struct ucred *cred, struct vnode *vp,
int attrnamespace, const char *name)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_deleteextattr");
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_deleteextattr");
MAC_CHECK(check_vnode_deleteextattr, cred, vp, vp->v_label,
MAC_CHECK(vnode_check_deleteextattr, cred, vp, vp->v_label,
attrnamespace, name);
return (error);
}
int
mac_check_vnode_exec(struct ucred *cred, struct vnode *vp,
mac_vnode_check_exec(struct ucred *cred, struct vnode *vp,
struct image_params *imgp)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_exec");
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_exec");
MAC_CHECK(check_vnode_exec, cred, vp, vp->v_label, imgp,
MAC_CHECK(vnode_check_exec, cred, vp, vp->v_label, imgp,
imgp->execlabel);
return (error);
}
int
mac_check_vnode_getacl(struct ucred *cred, struct vnode *vp, acl_type_t type)
mac_vnode_check_getacl(struct ucred *cred, struct vnode *vp, acl_type_t type)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_getacl");
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_getacl");
MAC_CHECK(check_vnode_getacl, cred, vp, vp->v_label, type);
MAC_CHECK(vnode_check_getacl, cred, vp, vp->v_label, type);
return (error);
}
int
mac_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
mac_vnode_check_getextattr(struct ucred *cred, struct vnode *vp,
int attrnamespace, const char *name, struct uio *uio)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_getextattr");
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_getextattr");
MAC_CHECK(check_vnode_getextattr, cred, vp, vp->v_label,
MAC_CHECK(vnode_check_getextattr, cred, vp, vp->v_label,
attrnamespace, name, uio);
return (error);
}
int
mac_check_vnode_link(struct ucred *cred, struct vnode *dvp,
mac_vnode_check_link(struct ucred *cred, struct vnode *dvp,
struct vnode *vp, struct componentname *cnp)
{
int error;
ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_link");
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_link");
ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_link");
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_link");
MAC_CHECK(check_vnode_link, cred, dvp, dvp->v_label, vp,
MAC_CHECK(vnode_check_link, cred, dvp, dvp->v_label, vp,
vp->v_label, cnp);
return (error);
}
int
mac_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
mac_vnode_check_listextattr(struct ucred *cred, struct vnode *vp,
int attrnamespace)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_listextattr");
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_listextattr");
MAC_CHECK(check_vnode_listextattr, cred, vp, vp->v_label,
MAC_CHECK(vnode_check_listextattr, cred, vp, vp->v_label,
attrnamespace);
return (error);
}
int
mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
mac_vnode_check_lookup(struct ucred *cred, struct vnode *dvp,
struct componentname *cnp)
{
int error;
ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_lookup");
ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_lookup");
MAC_CHECK(check_vnode_lookup, cred, dvp, dvp->v_label, cnp);
MAC_CHECK(vnode_check_lookup, cred, dvp, dvp->v_label, cnp);
return (error);
}
int
mac_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
mac_vnode_check_mmap(struct ucred *cred, struct vnode *vp,
int prot, int flags)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_mmap");
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_mmap");
MAC_CHECK(check_vnode_mmap, cred, vp, vp->v_label, prot, flags);
MAC_CHECK(vnode_check_mmap, cred, vp, vp->v_label, prot, flags);
return (error);
}
void
mac_check_vnode_mmap_downgrade(struct ucred *cred, struct vnode *vp, int *prot)
mac_vnode_check_mmap_downgrade(struct ucred *cred, struct vnode *vp, int *prot)
{
int result = *prot;
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_mmap_downgrade");
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_mmap_downgrade");
MAC_PERFORM(check_vnode_mmap_downgrade, cred, vp, vp->v_label,
MAC_PERFORM(vnode_check_mmap_downgrade, cred, vp, vp->v_label,
&result);
*prot = result;
}
int
mac_check_vnode_mprotect(struct ucred *cred, struct vnode *vp, int prot)
mac_vnode_check_mprotect(struct ucred *cred, struct vnode *vp, int prot)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_mprotect");
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_mprotect");
MAC_CHECK(check_vnode_mprotect, cred, vp, vp->v_label, prot);
MAC_CHECK(vnode_check_mprotect, cred, vp, vp->v_label, prot);
return (error);
}
int
mac_check_vnode_open(struct ucred *cred, struct vnode *vp, int acc_mode)
mac_vnode_check_open(struct ucred *cred, struct vnode *vp, int acc_mode)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open");
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_open");
MAC_CHECK(check_vnode_open, cred, vp, vp->v_label, acc_mode);
MAC_CHECK(vnode_check_open, cred, vp, vp->v_label, acc_mode);
return (error);
}
int
mac_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
mac_vnode_check_poll(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_poll");
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_poll");
MAC_CHECK(check_vnode_poll, active_cred, file_cred, vp,
MAC_CHECK(vnode_check_poll, active_cred, file_cred, vp,
vp->v_label);
return (error);
}
int
mac_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
mac_vnode_check_read(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_read");
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_read");
MAC_CHECK(check_vnode_read, active_cred, file_cred, vp,
MAC_CHECK(vnode_check_read, active_cred, file_cred, vp,
vp->v_label);
return (error);
}
int
mac_check_vnode_readdir(struct ucred *cred, struct vnode *dvp)
mac_vnode_check_readdir(struct ucred *cred, struct vnode *dvp)
{
int error;
ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_readdir");
ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_readdir");
MAC_CHECK(check_vnode_readdir, cred, dvp, dvp->v_label);
MAC_CHECK(vnode_check_readdir, cred, dvp, dvp->v_label);
return (error);
}
int
mac_check_vnode_readlink(struct ucred *cred, struct vnode *vp)
mac_vnode_check_readlink(struct ucred *cred, struct vnode *vp)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_readlink");
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_readlink");
MAC_CHECK(check_vnode_readlink, cred, vp, vp->v_label);
MAC_CHECK(vnode_check_readlink, cred, vp, vp->v_label);
return (error);
}
static int
mac_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
mac_vnode_check_relabel(struct ucred *cred, struct vnode *vp,
struct label *newlabel)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_relabel");
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_relabel");
MAC_CHECK(check_vnode_relabel, cred, vp, vp->v_label, newlabel);
MAC_CHECK(vnode_check_relabel, cred, vp, vp->v_label, newlabel);
return (error);
}
int
mac_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
mac_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp,
struct vnode *vp, struct componentname *cnp)
{
int error;
ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_rename_from");
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_rename_from");
ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_rename_from");
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_rename_from");
MAC_CHECK(check_vnode_rename_from, cred, dvp, dvp->v_label, vp,
MAC_CHECK(vnode_check_rename_from, cred, dvp, dvp->v_label, vp,
vp->v_label, cnp);
return (error);
}
int
mac_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
mac_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp,
struct vnode *vp, int samedir, struct componentname *cnp)
{
int error;
ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_rename_to");
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_rename_to");
ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_rename_to");
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_rename_to");
MAC_CHECK(check_vnode_rename_to, cred, dvp, dvp->v_label, vp,
MAC_CHECK(vnode_check_rename_to, cred, dvp, dvp->v_label, vp,
vp != NULL ? vp->v_label : NULL, samedir, cnp);
return (error);
}
int
mac_check_vnode_revoke(struct ucred *cred, struct vnode *vp)
mac_vnode_check_revoke(struct ucred *cred, struct vnode *vp)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_revoke");
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_revoke");
MAC_CHECK(check_vnode_revoke, cred, vp, vp->v_label);
MAC_CHECK(vnode_check_revoke, cred, vp, vp->v_label);
return (error);
}
int
mac_check_vnode_setacl(struct ucred *cred, struct vnode *vp, acl_type_t type,
mac_vnode_check_setacl(struct ucred *cred, struct vnode *vp, acl_type_t type,
struct acl *acl)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setacl");
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_setacl");
MAC_CHECK(check_vnode_setacl, cred, vp, vp->v_label, type, acl);
MAC_CHECK(vnode_check_setacl, cred, vp, vp->v_label, type, acl);
return (error);
}
int
mac_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
mac_vnode_check_setextattr(struct ucred *cred, struct vnode *vp,
int attrnamespace, const char *name, struct uio *uio)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setextattr");
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_setextattr");
MAC_CHECK(check_vnode_setextattr, cred, vp, vp->v_label,
MAC_CHECK(vnode_check_setextattr, cred, vp, vp->v_label,
attrnamespace, name, uio);
return (error);
}
int
mac_check_vnode_setflags(struct ucred *cred, struct vnode *vp, u_long flags)
mac_vnode_check_setflags(struct ucred *cred, struct vnode *vp, u_long flags)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setflags");
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_setflags");
MAC_CHECK(check_vnode_setflags, cred, vp, vp->v_label, flags);
MAC_CHECK(vnode_check_setflags, cred, vp, vp->v_label, flags);
return (error);
}
int
mac_check_vnode_setmode(struct ucred *cred, struct vnode *vp, mode_t mode)
mac_vnode_check_setmode(struct ucred *cred, struct vnode *vp, mode_t mode)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setmode");
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_setmode");
MAC_CHECK(check_vnode_setmode, cred, vp, vp->v_label, mode);
MAC_CHECK(vnode_check_setmode, cred, vp, vp->v_label, mode);
return (error);
}
int
mac_check_vnode_setowner(struct ucred *cred, struct vnode *vp, uid_t uid,
mac_vnode_check_setowner(struct ucred *cred, struct vnode *vp, uid_t uid,
gid_t gid)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setowner");
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_setowner");
MAC_CHECK(check_vnode_setowner, cred, vp, vp->v_label, uid, gid);
MAC_CHECK(vnode_check_setowner, cred, vp, vp->v_label, uid, gid);
return (error);
}
int
mac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
mac_vnode_check_setutimes(struct ucred *cred, struct vnode *vp,
struct timespec atime, struct timespec mtime)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setutimes");
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_setutimes");
MAC_CHECK(check_vnode_setutimes, cred, vp, vp->v_label, atime,
MAC_CHECK(vnode_check_setutimes, cred, vp, vp->v_label, atime,
mtime);
return (error);
}
int
mac_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
mac_vnode_check_stat(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_stat");
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_stat");
MAC_CHECK(check_vnode_stat, active_cred, file_cred, vp,
MAC_CHECK(vnode_check_stat, active_cred, file_cred, vp,
vp->v_label);
return (error);
}
int
mac_check_vnode_unlink(struct ucred *cred, struct vnode *dvp, struct vnode *vp,
mac_vnode_check_unlink(struct ucred *cred, struct vnode *dvp, struct vnode *vp,
struct componentname *cnp)
{
int error;
ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_unlink");
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_unlink");
ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_unlink");
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_unlink");
MAC_CHECK(check_vnode_unlink, cred, dvp, dvp->v_label, vp,
MAC_CHECK(vnode_check_unlink, cred, dvp, dvp->v_label, vp,
vp->v_label, cnp);
return (error);
}
int
mac_check_vnode_write(struct ucred *active_cred, struct ucred *file_cred,
mac_vnode_check_write(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_write");
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_write");
MAC_CHECK(check_vnode_write, active_cred, file_cred, vp,
MAC_CHECK(vnode_check_write, active_cred, file_cred, vp,
vp->v_label);
return (error);
}
void
mac_relabel_vnode(struct ucred *cred, struct vnode *vp, struct label *newlabel)
mac_vnode_relabel(struct ucred *cred, struct vnode *vp, struct label *newlabel)
{
MAC_PERFORM(relabel_vnode, cred, vp, vp->v_label, newlabel);
MAC_PERFORM(vnode_relabel, cred, vp, vp->v_label, newlabel);
}
void
mac_create_mount(struct ucred *cred, struct mount *mp)
mac_mount_create(struct ucred *cred, struct mount *mp)
{
MAC_PERFORM(create_mount, cred, mp, mp->mnt_label);
MAC_PERFORM(mount_create, cred, mp, mp->mnt_label);
}
int
mac_check_mount_stat(struct ucred *cred, struct mount *mount)
mac_mount_check_stat(struct ucred *cred, struct mount *mount)
{
int error;
MAC_CHECK(check_mount_stat, cred, mount, mount->mnt_label);
MAC_CHECK(mount_check_stat, cred, mount, mount->mnt_label);
return (error);
}
void
mac_create_devfs_device(struct ucred *cred, struct mount *mp,
mac_devfs_create_device(struct ucred *cred, struct mount *mp,
struct cdev *dev, struct devfs_dirent *de)
{
MAC_PERFORM(create_devfs_device, cred, mp, dev, de, de->de_label);
MAC_PERFORM(devfs_create_device, cred, mp, dev, de, de->de_label);
}
void
mac_create_devfs_symlink(struct ucred *cred, struct mount *mp,
mac_devfs_create_symlink(struct ucred *cred, struct mount *mp,
struct devfs_dirent *dd, struct devfs_dirent *de)
{
MAC_PERFORM(create_devfs_symlink, cred, mp, dd, dd->de_label, de,
MAC_PERFORM(devfs_create_symlink, cred, mp, dd, dd->de_label, de,
de->de_label);
}
void
mac_create_devfs_directory(struct mount *mp, char *dirname, int dirnamelen,
mac_devfs_create_directory(struct mount *mp, char *dirname, int dirnamelen,
struct devfs_dirent *de)
{
MAC_PERFORM(create_devfs_directory, mp, dirname, dirnamelen, de,
MAC_PERFORM(devfs_create_directory, mp, dirname, dirnamelen, de,
de->de_label);
}
@ -821,11 +822,11 @@ vop_stdsetlabel_ea(struct vop_setlabel_args *ap)
if ((vp->v_mount->mnt_flag & MNT_MULTILABEL) == 0)
return (EOPNOTSUPP);
error = mac_setlabel_vnode_extattr(ap->a_cred, vp, intlabel);
error = mac_vnode_setlabel_extattr(ap->a_cred, vp, intlabel);
if (error)
return (error);
mac_relabel_vnode(ap->a_cred, vp, intlabel);
mac_vnode_relabel(ap->a_cred, vp, intlabel);
return (0);
}
@ -853,7 +854,7 @@ vn_setlabel(struct vnode *vp, struct label *intlabel, struct ucred *cred)
* Question: maybe the filesystem should update the vnode at the end
* as part of VOP_SETLABEL()?
*/
error = mac_check_vnode_relabel(cred, vp, intlabel);
error = mac_vnode_check_relabel(cred, vp, intlabel);
if (error)
return (error);
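Review bot: In mac_vnode_check_rename_to the line `ASSERT_VOP_LOCKED(vp, "mac_vnode_check_rename_to");` is applied to vp unconditionally, while the MAC_CHECK call two lines below guards the same pointer with `vp != NULL ? vp->v_label : NULL`, so the function itself admits that vp may be NULL yet asserts on it first. This predates the rename, but since every ASSERT_VOP_LOCKED string in this hunk is being rewritten it is the right moment to make the two lines agree: either the assert relies on ASSERT_VOP_LOCKED tolerating a NULL vnode, which deserves a comment above the call such as `/* vp may be NULL (presumably when the destination does not yet exist); ASSERT_VOP_LOCKED must tolerate that. */`, or the assert should be wrapped in `if (vp != NULL)`. A one-line comment on the declaration stating that vp is optional would also keep policy authors from dereferencing the vnode or its label unconditionally in their vnode_check_rename_to entry points.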



@ -2,6 +2,7 @@
* Copyright (c) 1999-2002, 2007 Robert N. M. Watson
* Copyright (c) 2001-2005 Networks Associates Technology, Inc.
* Copyright (c) 2005 Tom Rhodes
* Copyright (c) 2006 SPARTA, Inc.
* All rights reserved.
*
* This software was developed by Robert Watson for the TrustedBSD Project.
@ -12,6 +13,9 @@
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
* as part of the DARPA CHATS research program.
*
* This software was enhanced by SPARTA ISSO under SPAWAR contract
* N66001-04-C-6019 ("SEFOS").
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@ -440,7 +444,7 @@ mac_bsdextended_check_vp(struct ucred *cred, struct vnode *vp, int acc_mode)
}
static int
mac_bsdextended_check_system_acct(struct ucred *cred, struct vnode *vp,
mac_bsdextended_system_check_acct(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
@ -448,7 +452,7 @@ mac_bsdextended_check_system_acct(struct ucred *cred, struct vnode *vp,
}
static int
mac_bsdextended_check_system_auditctl(struct ucred *cred, struct vnode *vp,
mac_bsdextended_system_check_auditctl(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
@ -456,7 +460,7 @@ mac_bsdextended_check_system_auditctl(struct ucred *cred, struct vnode *vp,
}
static int
mac_bsdextended_check_system_swapoff(struct ucred *cred, struct vnode *vp,
mac_bsdextended_system_check_swapoff(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
@ -464,7 +468,7 @@ mac_bsdextended_check_system_swapoff(struct ucred *cred, struct vnode *vp,
}
static int
mac_bsdextended_check_system_swapon(struct ucred *cred, struct vnode *vp,
mac_bsdextended_system_check_swapon(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
@ -472,7 +476,7 @@ mac_bsdextended_check_system_swapon(struct ucred *cred, struct vnode *vp,
}
static int
mac_bsdextended_check_vnode_access(struct ucred *cred, struct vnode *vp,
mac_bsdextended_vnode_check_access(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int acc_mode)
{
@ -480,7 +484,7 @@ mac_bsdextended_check_vnode_access(struct ucred *cred, struct vnode *vp,
}
static int
mac_bsdextended_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
mac_bsdextended_vnode_check_chdir(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel)
{
@ -488,7 +492,7 @@ mac_bsdextended_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
}
static int
mac_bsdextended_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
mac_bsdextended_vnode_check_chroot(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel)
{
@ -504,7 +508,7 @@ mac_bsdextended_check_create_vnode(struct ucred *cred, struct vnode *dvp,
}
static int
mac_bsdextended_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
mac_bsdextended_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp,
struct label *vplabel, acl_type_t type)
{
@ -512,7 +516,7 @@ mac_bsdextended_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
}
static int
mac_bsdextended_check_vnode_deleteextattr(struct ucred *cred,
mac_bsdextended_vnode_check_deleteextattr(struct ucred *cred,
struct vnode *vp, struct label *vplabel, int attrnamespace,
const char *name)
{
@ -521,7 +525,7 @@ mac_bsdextended_check_vnode_deleteextattr(struct ucred *cred,
}
static int
mac_bsdextended_check_vnode_exec(struct ucred *cred, struct vnode *vp,
mac_bsdextended_vnode_check_exec(struct ucred *cred, struct vnode *vp,
struct label *vplabel, struct image_params *imgp,
struct label *execlabel)
{
@ -530,7 +534,7 @@ mac_bsdextended_check_vnode_exec(struct ucred *cred, struct vnode *vp,
}
static int
mac_bsdextended_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
mac_bsdextended_vnode_check_getacl(struct ucred *cred, struct vnode *vp,
struct label *vplabel, acl_type_t type)
{
@ -538,7 +542,7 @@ mac_bsdextended_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
}
static int
mac_bsdextended_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
mac_bsdextended_vnode_check_getextattr(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int attrnamespace, const char *name,
struct uio *uio)
{
@ -547,7 +551,7 @@ mac_bsdextended_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
}
static int
mac_bsdextended_check_vnode_link(struct ucred *cred, struct vnode *dvp,
mac_bsdextended_vnode_check_link(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct vnode *vp, struct label *label,
struct componentname *cnp)
{
@ -563,7 +567,7 @@ mac_bsdextended_check_vnode_link(struct ucred *cred, struct vnode *dvp,
}
static int
mac_bsdextended_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
mac_bsdextended_vnode_check_listextattr(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int attrnamespace)
{
@ -571,7 +575,7 @@ mac_bsdextended_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
}
static int
mac_bsdextended_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
mac_bsdextended_vnode_check_lookup(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct componentname *cnp)
{
@ -579,7 +583,7 @@ mac_bsdextended_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
}
static int
mac_bsdextended_check_vnode_open(struct ucred *cred, struct vnode *vp,
mac_bsdextended_vnode_check_open(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int acc_mode)
{
@ -587,7 +591,7 @@ mac_bsdextended_check_vnode_open(struct ucred *cred, struct vnode *vp,
}
static int
mac_bsdextended_check_vnode_readdir(struct ucred *cred, struct vnode *dvp,
mac_bsdextended_vnode_check_readdir(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel)
{
@ -595,7 +599,7 @@ mac_bsdextended_check_vnode_readdir(struct ucred *cred, struct vnode *dvp,
}
static int
mac_bsdextended_check_vnode_readdlink(struct ucred *cred, struct vnode *vp,
mac_bsdextended_vnode_check_readdlink(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
@ -603,7 +607,7 @@ mac_bsdextended_check_vnode_readdlink(struct ucred *cred, struct vnode *vp,
}
static int
mac_bsdextended_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
mac_bsdextended_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct vnode *vp, struct label *vplabel,
struct componentname *cnp)
{
@ -616,7 +620,7 @@ mac_bsdextended_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
}
static int
mac_bsdextended_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
mac_bsdextended_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct vnode *vp, struct label *vplabel,
int samedir, struct componentname *cnp)
{
@ -631,7 +635,7 @@ mac_bsdextended_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
}
static int
mac_bsdextended_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
mac_bsdextended_vnode_check_revoke(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
@ -647,7 +651,7 @@ mac_bsdextended_check_setacl_vnode(struct ucred *cred, struct vnode *vp,
}
static int
mac_bsdextended_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
mac_bsdextended_vnode_check_setextattr(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int attrnamespace, const char *name,
struct uio *uio)
{
@ -656,7 +660,7 @@ mac_bsdextended_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
}
static int
mac_bsdextended_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
mac_bsdextended_vnode_check_setflags(struct ucred *cred, struct vnode *vp,
struct label *vplabel, u_long flags)
{
@ -664,7 +668,7 @@ mac_bsdextended_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
}
static int
mac_bsdextended_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
mac_bsdextended_vnode_check_setmode(struct ucred *cred, struct vnode *vp,
struct label *vplabel, mode_t mode)
{
@ -672,7 +676,7 @@ mac_bsdextended_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
}
static int
mac_bsdextended_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
mac_bsdextended_vnode_check_setowner(struct ucred *cred, struct vnode *vp,
struct label *vplabel, uid_t uid, gid_t gid)
{
@ -680,7 +684,7 @@ mac_bsdextended_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
}
static int
mac_bsdextended_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
mac_bsdextended_vnode_check_setutimes(struct ucred *cred, struct vnode *vp,
struct label *vplabel, struct timespec atime, struct timespec utime)
{
@ -688,7 +692,7 @@ mac_bsdextended_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
}
static int
mac_bsdextended_check_vnode_stat(struct ucred *active_cred,
mac_bsdextended_vnode_check_stat(struct ucred *active_cred,
struct ucred *file_cred, struct vnode *vp, struct label *vplabel)
{
@ -696,7 +700,7 @@ mac_bsdextended_check_vnode_stat(struct ucred *active_cred,
}
static int
mac_bsdextended_check_vnode_unlink(struct ucred *cred, struct vnode *dvp,
mac_bsdextended_vnode_check_unlink(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct vnode *vp, struct label *vplabel,
struct componentname *cnp)
{
@ -712,36 +716,36 @@ static struct mac_policy_ops mac_bsdextended_ops =
{
.mpo_destroy = mac_bsdextended_destroy,
.mpo_init = mac_bsdextended_init,
.mpo_check_system_acct = mac_bsdextended_check_system_acct,
.mpo_check_system_auditctl = mac_bsdextended_check_system_auditctl,
.mpo_check_system_swapoff = mac_bsdextended_check_system_swapoff,
.mpo_check_system_swapon = mac_bsdextended_check_system_swapon,
.mpo_check_vnode_access = mac_bsdextended_check_vnode_access,
.mpo_check_vnode_chdir = mac_bsdextended_check_vnode_chdir,
.mpo_check_vnode_chroot = mac_bsdextended_check_vnode_chroot,
.mpo_check_vnode_create = mac_bsdextended_check_create_vnode,
.mpo_check_vnode_deleteacl = mac_bsdextended_check_vnode_deleteacl,
.mpo_check_vnode_deleteextattr = mac_bsdextended_check_vnode_deleteextattr,
.mpo_check_vnode_exec = mac_bsdextended_check_vnode_exec,
.mpo_check_vnode_getacl = mac_bsdextended_check_vnode_getacl,
.mpo_check_vnode_getextattr = mac_bsdextended_check_vnode_getextattr,
.mpo_check_vnode_link = mac_bsdextended_check_vnode_link,
.mpo_check_vnode_listextattr = mac_bsdextended_check_vnode_listextattr,
.mpo_check_vnode_lookup = mac_bsdextended_check_vnode_lookup,
.mpo_check_vnode_open = mac_bsdextended_check_vnode_open,
.mpo_check_vnode_readdir = mac_bsdextended_check_vnode_readdir,
.mpo_check_vnode_readlink = mac_bsdextended_check_vnode_readdlink,
.mpo_check_vnode_rename_from = mac_bsdextended_check_vnode_rename_from,
.mpo_check_vnode_rename_to = mac_bsdextended_check_vnode_rename_to,
.mpo_check_vnode_revoke = mac_bsdextended_check_vnode_revoke,
.mpo_check_vnode_setacl = mac_bsdextended_check_setacl_vnode,
.mpo_check_vnode_setextattr = mac_bsdextended_check_vnode_setextattr,
.mpo_check_vnode_setflags = mac_bsdextended_check_vnode_setflags,
.mpo_check_vnode_setmode = mac_bsdextended_check_vnode_setmode,
.mpo_check_vnode_setowner = mac_bsdextended_check_vnode_setowner,
.mpo_check_vnode_setutimes = mac_bsdextended_check_vnode_setutimes,
.mpo_check_vnode_stat = mac_bsdextended_check_vnode_stat,
.mpo_check_vnode_unlink = mac_bsdextended_check_vnode_unlink,
.mpo_system_check_acct = mac_bsdextended_system_check_acct,
.mpo_system_check_auditctl = mac_bsdextended_system_check_auditctl,
.mpo_system_check_swapoff = mac_bsdextended_system_check_swapoff,
.mpo_system_check_swapon = mac_bsdextended_system_check_swapon,
.mpo_vnode_check_access = mac_bsdextended_vnode_check_access,
.mpo_vnode_check_chdir = mac_bsdextended_vnode_check_chdir,
.mpo_vnode_check_chroot = mac_bsdextended_vnode_check_chroot,
.mpo_vnode_check_create = mac_bsdextended_check_create_vnode,
.mpo_vnode_check_deleteacl = mac_bsdextended_vnode_check_deleteacl,
.mpo_vnode_check_deleteextattr = mac_bsdextended_vnode_check_deleteextattr,
.mpo_vnode_check_exec = mac_bsdextended_vnode_check_exec,
.mpo_vnode_check_getacl = mac_bsdextended_vnode_check_getacl,
.mpo_vnode_check_getextattr = mac_bsdextended_vnode_check_getextattr,
.mpo_vnode_check_link = mac_bsdextended_vnode_check_link,
.mpo_vnode_check_listextattr = mac_bsdextended_vnode_check_listextattr,
.mpo_vnode_check_lookup = mac_bsdextended_vnode_check_lookup,
.mpo_vnode_check_open = mac_bsdextended_vnode_check_open,
.mpo_vnode_check_readdir = mac_bsdextended_vnode_check_readdir,
.mpo_vnode_check_readlink = mac_bsdextended_vnode_check_readdlink,
.mpo_vnode_check_rename_from = mac_bsdextended_vnode_check_rename_from,
.mpo_vnode_check_rename_to = mac_bsdextended_vnode_check_rename_to,
.mpo_vnode_check_revoke = mac_bsdextended_vnode_check_revoke,
.mpo_vnode_check_setacl = mac_bsdextended_check_setacl_vnode,
.mpo_vnode_check_setextattr = mac_bsdextended_vnode_check_setextattr,
.mpo_vnode_check_setflags = mac_bsdextended_vnode_check_setflags,
.mpo_vnode_check_setmode = mac_bsdextended_vnode_check_setmode,
.mpo_vnode_check_setowner = mac_bsdextended_vnode_check_setowner,
.mpo_vnode_check_setutimes = mac_bsdextended_vnode_check_setutimes,
.mpo_vnode_check_stat = mac_bsdextended_vnode_check_stat,
.mpo_vnode_check_unlink = mac_bsdextended_vnode_check_unlink,
};
MAC_POLICY_SET(&mac_bsdextended_ops, mac_bsdextended,


@ -1,6 +1,7 @@
/*-
* Copyright (c) 1999-2002, 2007 Robert N. M. Watson
* Copyright (c) 2001-2002 Networks Associates Technology, Inc.
* Copyright (c) 2006 SPARTA, Inc.
* All rights reserved.
*
* This software was developed by Robert Watson for the TrustedBSD Project.
@ -10,6 +11,9 @@
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
* as part of the DARPA CHATS research program.
*
* This software was enhanced by SPARTA ISSO under SPAWAR contract
* N66001-04-C-6019 ("SEFOS").
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@ -79,7 +83,7 @@ SYSCTL_INT(_security_mac_ifoff, OID_AUTO, bpfrecv_enabled, CTLFLAG_RW,
TUNABLE_INT("security.mac.ifoff.bpfrecv.enabled", &mac_ifoff_bpfrecv_enabled);
static int
check_ifnet_outgoing(struct ifnet *ifp)
ifnet_check_outgoing(struct ifnet *ifp)
{
if (!mac_ifoff_enabled)
@ -95,7 +99,7 @@ check_ifnet_outgoing(struct ifnet *ifp)
}
static int
check_ifnet_incoming(struct ifnet *ifp, int viabpf)
ifnet_check_incoming(struct ifnet *ifp, int viabpf)
{
if (!mac_ifoff_enabled)
return (0);
@ -113,51 +117,51 @@ check_ifnet_incoming(struct ifnet *ifp, int viabpf)
}
static int
mac_ifoff_check_bpfdesc_receive(struct bpf_d *d, struct label *dlabel,
mac_ifoff_bpfdesc_check_receive(struct bpf_d *d, struct label *dlabel,
struct ifnet *ifp, struct label *ifplabel)
{
return (check_ifnet_incoming(ifp, 1));
return (ifnet_check_incoming(ifp, 1));
}
static int
mac_ifoff_check_ifnet_transmit(struct ifnet *ifp, struct label *ifplabel,
mac_ifoff_ifnet_check_transmit(struct ifnet *ifp, struct label *ifplabel,
struct mbuf *m, struct label *mlabel)
{
return (check_ifnet_outgoing(ifp));
return (ifnet_check_outgoing(ifp));
}
static int
mac_ifoff_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel,
mac_ifoff_inpcb_check_deliver(struct inpcb *inp, struct label *inplabel,
struct mbuf *m, struct label *mlabel)
{
M_ASSERTPKTHDR(m);
if (m->m_pkthdr.rcvif != NULL)
return (check_ifnet_incoming(m->m_pkthdr.rcvif, 0));
return (ifnet_check_incoming(m->m_pkthdr.rcvif, 0));
return (0);
}
static int
mac_ifoff_check_socket_deliver(struct socket *so, struct label *solabel,
mac_ifoff_socket_check_deliver(struct socket *so, struct label *solabel,
struct mbuf *m, struct label *mlabel)
{
M_ASSERTPKTHDR(m);
if (m->m_pkthdr.rcvif != NULL)
return (check_ifnet_incoming(m->m_pkthdr.rcvif, 0));
return (ifnet_check_incoming(m->m_pkthdr.rcvif, 0));
return (0);
}
static struct mac_policy_ops mac_ifoff_ops =
{
.mpo_check_bpfdesc_receive = mac_ifoff_check_bpfdesc_receive,
.mpo_check_ifnet_transmit = mac_ifoff_check_ifnet_transmit,
.mpo_check_inpcb_deliver = mac_ifoff_check_inpcb_deliver,
.mpo_check_socket_deliver = mac_ifoff_check_socket_deliver,
.mpo_bpfdesc_check_receive = mac_ifoff_bpfdesc_check_receive,
.mpo_ifnet_check_transmit = mac_ifoff_ifnet_check_transmit,
.mpo_inpcb_check_deliver = mac_ifoff_inpcb_check_deliver,
.mpo_socket_check_deliver = mac_ifoff_socket_check_deliver,
};
MAC_POLICY_SET(&mac_ifoff_ops, mac_ifoff, "TrustedBSD MAC/ifoff",
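Review bot: The renamed static helpers `ifnet_check_outgoing` and `ifnet_check_incoming` are now the only functions in this file without the `mac_ifoff_` prefix, and their new names take the same `<object>_check_<method>` shape as the framework entry points, so a reader grepping for KPI hooks will hit module-internal helpers. They are `static`, so there is no link-level clash and this is a naming point only; `mac_ifoff_ifnet_check_outgoing` / `mac_ifoff_ifnet_check_incoming` would keep the per-module prefix consistent with every other definition in the file. Neither helper carries a comment, and the meaning of `viabpf` is only recoverable from the call sites (the bpfdesc receive hook passes 1, the inpcb and socket deliver hooks pass 0), so a header comment on `ifnet_check_incoming` along the lines of `/* Return 0 when ifoff is disabled or inbound traffic on ifp is allowed; viabpf is non-zero for the BPF receive path -- presumably selecting the bpfrecv tunable, confirm against the body. */` would help the next maintainer. Both helper bodies continue outside the hunk.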


@ -1,6 +1,7 @@
/*-
* Copyright (c) 1999-2002, 2007 Robert N. M. Watson
* Copyright (c) 2001-2005 Networks Associates Technology, Inc.
* Copyright (c) 2006 SPARTA, Inc.
* All rights reserved.
*
* This software was developed by Robert Watson for the TrustedBSD Project.
@ -10,6 +11,9 @@
* DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA
* CHATS research program.
*
* This software was enhanced by SPARTA ISSO under SPAWAR contract
* N66001-04-C-6019 ("SEFOS").
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@ -631,7 +635,7 @@ mac_lomac_init_label_waitcheck(struct label *label, int flag)
}
static void
mac_lomac_init_proc_label(struct label *label)
mac_lomac_proc_init_label(struct label *label)
{
PSLOT_SET(label, malloc(sizeof(struct mac_lomac_proc), M_MACLOMAC,
@ -648,7 +652,7 @@ mac_lomac_destroy_label(struct label *label)
}
static void
mac_lomac_destroy_proc_label(struct label *label)
mac_lomac_proc_destroy_label(struct label *label)
{
mtx_destroy(&PSLOT(label)->mtx);
@ -901,7 +905,7 @@ mac_lomac_copy_label(struct label *src, struct label *dest)
* a lot like file system objects.
*/
static void
mac_lomac_create_devfs_device(struct ucred *cred, struct mount *mp,
mac_lomac_devfs_create_device(struct ucred *cred, struct mount *mp,
struct cdev *dev, struct devfs_dirent *de, struct label *delabel)
{
struct mac_lomac *mac_lomac;
@ -924,7 +928,7 @@ mac_lomac_create_devfs_device(struct ucred *cred, struct mount *mp,
}
static void
mac_lomac_create_devfs_directory(struct mount *mp, char *dirname,
mac_lomac_devfs_create_directory(struct mount *mp, char *dirname,
int dirnamelen, struct devfs_dirent *de, struct label *delabel)
{
struct mac_lomac *mac_lomac;
@ -934,7 +938,7 @@ mac_lomac_create_devfs_directory(struct mount *mp, char *dirname,
}
static void
mac_lomac_create_devfs_symlink(struct ucred *cred, struct mount *mp,
mac_lomac_devfs_create_symlink(struct ucred *cred, struct mount *mp,
struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de,
struct label *delabel)
{
@ -947,7 +951,7 @@ mac_lomac_create_devfs_symlink(struct ucred *cred, struct mount *mp,
}
static void
mac_lomac_create_mount(struct ucred *cred, struct mount *mp,
mac_lomac_mount_create(struct ucred *cred, struct mount *mp,
struct label *mplabel)
{
struct mac_lomac *source, *dest;
@ -958,7 +962,7 @@ mac_lomac_create_mount(struct ucred *cred, struct mount *mp,
}
static void
mac_lomac_relabel_vnode(struct ucred *cred, struct vnode *vp,
mac_lomac_vnode_relabel(struct ucred *cred, struct vnode *vp,
struct label *vplabel, struct label *newlabel)
{
struct mac_lomac *source, *dest;
@ -970,7 +974,7 @@ mac_lomac_relabel_vnode(struct ucred *cred, struct vnode *vp,
}
static void
mac_lomac_update_devfs(struct mount *mp, struct devfs_dirent *de,
mac_lomac_devfs_update(struct mount *mp, struct devfs_dirent *de,
struct label *delabel, struct vnode *vp, struct label *vplabel)
{
struct mac_lomac *source, *dest;
@ -982,7 +986,7 @@ mac_lomac_update_devfs(struct mount *mp, struct devfs_dirent *de,
}
static void
mac_lomac_associate_vnode_devfs(struct mount *mp, struct label *mplabel,
mac_lomac_devfs_vnode_associate(struct mount *mp, struct label *mplabel,
struct devfs_dirent *de, struct label *delabel, struct vnode *vp,
struct label *vplabel)
{
@ -995,7 +999,7 @@ mac_lomac_associate_vnode_devfs(struct mount *mp, struct label *mplabel,
}
static int
mac_lomac_associate_vnode_extattr(struct mount *mp, struct label *mplabel,
mac_lomac_vnode_associate_extattr(struct mount *mp, struct label *mplabel,
struct vnode *vp, struct label *vplabel)
{
struct mac_lomac temp, *source, *dest;
@ -1018,7 +1022,7 @@ mac_lomac_associate_vnode_extattr(struct mount *mp, struct label *mplabel,
if (buflen != sizeof(temp)) {
if (buflen != sizeof(temp) - sizeof(temp.ml_auxsingle)) {
printf("mac_lomac_associate_vnode_extattr: bad size %d\n",
printf("mac_lomac_vnode_associate_extattr: bad size %d\n",
buflen);
return (EPERM);
}
@ -1029,11 +1033,11 @@ mac_lomac_associate_vnode_extattr(struct mount *mp, struct label *mplabel,
buflen, (char *)&temp, curthread);
}
if (mac_lomac_valid(&temp) != 0) {
printf("mac_lomac_associate_vnode_extattr: invalid\n");
printf("mac_lomac_vnode_associate_extattr: invalid\n");
return (EPERM);
}
if ((temp.ml_flags & MAC_LOMAC_FLAGS_BOTH) != MAC_LOMAC_FLAG_SINGLE) {
printf("mac_lomac_associate_vnode_extattr: not single\n");
printf("mac_lomac_vnode_associate_extattr: not single\n");
return (EPERM);
}
@ -1042,7 +1046,7 @@ mac_lomac_associate_vnode_extattr(struct mount *mp, struct label *mplabel,
}
static void
mac_lomac_associate_vnode_singlelabel(struct mount *mp,
mac_lomac_vnode_associate_singlelabel(struct mount *mp,
struct label *mplabel, struct vnode *vp, struct label *vplabel)
{
struct mac_lomac *source, *dest;
@ -1054,7 +1058,7 @@ mac_lomac_associate_vnode_singlelabel(struct mount *mp,
}
static int
mac_lomac_create_vnode_extattr(struct ucred *cred, struct mount *mp,
mac_lomac_vnode_create_extattr(struct ucred *cred, struct mount *mp,
struct label *mplabel, struct vnode *dvp, struct label *dvplabel,
struct vnode *vp, struct label *vplabel, struct componentname *cnp)
{
@ -1084,7 +1088,7 @@ mac_lomac_create_vnode_extattr(struct ucred *cred, struct mount *mp,
}
static int
mac_lomac_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
mac_lomac_vnode_setlabel_extattr(struct ucred *cred, struct vnode *vp,
struct label *vplabel, struct label *intlabel)
{
struct mac_lomac *source, temp;
@ -1108,7 +1112,7 @@ mac_lomac_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
* Labeling event operations: IPC object.
*/
static void
mac_lomac_create_inpcb_from_socket(struct socket *so, struct label *solabel,
mac_lomac_inpcb_create(struct socket *so, struct label *solabel,
struct inpcb *inp, struct label *inplabel)
{
struct mac_lomac *source, *dest;
@ -1120,7 +1124,7 @@ mac_lomac_create_inpcb_from_socket(struct socket *so, struct label *solabel,
}
static void
mac_lomac_create_mbuf_from_socket(struct socket *so, struct label *solabel,
mac_lomac_socket_create_mbuf(struct socket *so, struct label *solabel,
struct mbuf *m, struct label *mlabel)
{
struct mac_lomac *source, *dest;
@ -1132,7 +1136,7 @@ mac_lomac_create_mbuf_from_socket(struct socket *so, struct label *solabel,
}
static void
mac_lomac_create_socket(struct ucred *cred, struct socket *so,
mac_lomac_socket_create(struct ucred *cred, struct socket *so,
struct label *solabel)
{
struct mac_lomac *source, *dest;
@ -1144,7 +1148,7 @@ mac_lomac_create_socket(struct ucred *cred, struct socket *so,
}
static void
mac_lomac_create_pipe(struct ucred *cred, struct pipepair *pp,
mac_lomac_pipe_create(struct ucred *cred, struct pipepair *pp,
struct label *pplabel)
{
struct mac_lomac *source, *dest;
@ -1156,8 +1160,8 @@ mac_lomac_create_pipe(struct ucred *cred, struct pipepair *pp,
}
static void
mac_lomac_create_socket_from_socket(struct socket *oldso,
struct label *oldsolabel, struct socket *newso, struct label *newsolabel)
mac_lomac_socket_newconn(struct socket *oldso, struct label *oldsolabel,
struct socket *newso, struct label *newsolabel)
{
struct mac_lomac *source, *dest;
@ -1168,7 +1172,7 @@ mac_lomac_create_socket_from_socket(struct socket *oldso,
}
static void
mac_lomac_relabel_socket(struct ucred *cred, struct socket *so,
mac_lomac_socket_relabel(struct ucred *cred, struct socket *so,
struct label *solabel, struct label *newlabel)
{
struct mac_lomac *source, *dest;
@ -1180,7 +1184,7 @@ mac_lomac_relabel_socket(struct ucred *cred, struct socket *so,
}
static void
mac_lomac_relabel_pipe(struct ucred *cred, struct pipepair *pp,
mac_lomac_pipe_relabel(struct ucred *cred, struct pipepair *pp,
struct label *pplabel, struct label *newlabel)
{
struct mac_lomac *source, *dest;
@ -1192,7 +1196,7 @@ mac_lomac_relabel_pipe(struct ucred *cred, struct pipepair *pp,
}
static void
mac_lomac_set_socket_peer_from_mbuf(struct mbuf *m, struct label *mlabel,
mac_lomac_socketpeer_set_from_mbuf(struct mbuf *m, struct label *mlabel,
struct socket *so, struct label *sopeerlabel)
{
struct mac_lomac *source, *dest;
@ -1207,7 +1211,7 @@ mac_lomac_set_socket_peer_from_mbuf(struct mbuf *m, struct label *mlabel,
* Labeling event operations: network objects.
*/
static void
mac_lomac_set_socket_peer_from_socket(struct socket *oldso,
mac_lomac_socketpeer_set_from_socket(struct socket *oldso,
struct label *oldsolabel, struct socket *newso,
struct label *newsopeerlabel)
{
@ -1220,7 +1224,7 @@ mac_lomac_set_socket_peer_from_socket(struct socket *oldso,
}
static void
mac_lomac_create_bpfdesc(struct ucred *cred, struct bpf_d *d,
mac_lomac_bpfdesc_create(struct ucred *cred, struct bpf_d *d,
struct label *dlabel)
{
struct mac_lomac *source, *dest;
@ -1232,7 +1236,7 @@ mac_lomac_create_bpfdesc(struct ucred *cred, struct bpf_d *d,
}
static void
mac_lomac_create_ifnet(struct ifnet *ifp, struct label *ifplabel)
mac_lomac_ifnet_create(struct ifnet *ifp, struct label *ifplabel)
{
char tifname[IFNAMSIZ], *p, *q;
char tiflist[sizeof(trusted_interfaces)];
@ -1290,7 +1294,7 @@ mac_lomac_create_ifnet(struct ifnet *ifp, struct label *ifplabel)
}
static void
mac_lomac_create_ipq(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
mac_lomac_ipq_create(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
struct label *ipqlabel)
{
struct mac_lomac *source, *dest;
@ -1302,7 +1306,7 @@ mac_lomac_create_ipq(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
}
static void
mac_lomac_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel,
mac_lomac_ipq_reassemble(struct ipq *ipq, struct label *ipqlabel,
struct mbuf *m, struct label *mlabel)
{
struct mac_lomac *source, *dest;
@ -1315,7 +1319,7 @@ mac_lomac_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel,
}
static void
mac_lomac_create_fragment(struct mbuf *m, struct label *mlabel,
mac_lomac_netinet_fragment(struct mbuf *m, struct label *mlabel,
struct mbuf *frag, struct label *fraglabel)
{
struct mac_lomac *source, *dest;
@ -1327,7 +1331,7 @@ mac_lomac_create_fragment(struct mbuf *m, struct label *mlabel,
}
static void
mac_lomac_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel,
mac_lomac_inpcb_create_mbuf(struct inpcb *inp, struct label *inplabel,
struct mbuf *m, struct label *mlabel)
{
struct mac_lomac *source, *dest;
@ -1350,7 +1354,7 @@ mac_lomac_create_mbuf_linklayer(struct ifnet *ifp, struct label *ifplabel,
}
static void
mac_lomac_create_mbuf_from_bpfdesc(struct bpf_d *d, struct label *dlabel,
mac_lomac_bpfdesc_create_mbuf(struct bpf_d *d, struct label *dlabel,
struct mbuf *m, struct label *mlabel)
{
struct mac_lomac *source, *dest;
@ -1362,7 +1366,7 @@ mac_lomac_create_mbuf_from_bpfdesc(struct bpf_d *d, struct label *dlabel,
}
static void
mac_lomac_create_mbuf_from_ifnet(struct ifnet *ifp, struct label *ifplabel,
mac_lomac_ifnet_create_mbuf(struct ifnet *ifp, struct label *ifplabel,
struct mbuf *m, struct label *mlabel)
{
struct mac_lomac *source, *dest;
@ -1374,7 +1378,7 @@ mac_lomac_create_mbuf_from_ifnet(struct ifnet *ifp, struct label *ifplabel,
}
static void
mac_lomac_create_mbuf_multicast_encap(struct mbuf *m, struct label *mlabel,
mac_lomac_mbuf_create_multicast_encap(struct mbuf *m, struct label *mlabel,
struct ifnet *ifp, struct label *ifplabel, struct mbuf *mnew,
struct label *mnewlabel)
{
@ -1387,7 +1391,7 @@ mac_lomac_create_mbuf_multicast_encap(struct mbuf *m, struct label *mlabel,
}
static void
mac_lomac_create_mbuf_netlayer(struct mbuf *m, struct label *mlabel,
mac_lomac_mbuf_create_netlayer(struct mbuf *m, struct label *mlabel,
struct mbuf *mnew, struct label *mnewlabel)
{
struct mac_lomac *source, *dest;
@ -1399,8 +1403,8 @@ mac_lomac_create_mbuf_netlayer(struct mbuf *m, struct label *mlabel,
}
static int
mac_lomac_fragment_match(struct mbuf *m, struct label *mlabel,
struct ipq *ipq, struct label *ipqlabel)
mac_lomac_ipq_match(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
struct label *ipqlabel)
{
struct mac_lomac *a, *b;
@ -1411,7 +1415,7 @@ mac_lomac_fragment_match(struct mbuf *m, struct label *mlabel,
}
static void
mac_lomac_relabel_ifnet(struct ucred *cred, struct ifnet *ifp,
mac_lomac_ifnet_relabel(struct ucred *cred, struct ifnet *ifp,
struct label *ifplabel, struct label *newlabel)
{
struct mac_lomac *source, *dest;
@ -1423,7 +1427,7 @@ mac_lomac_relabel_ifnet(struct ucred *cred, struct ifnet *ifp,
}
static void
mac_lomac_update_ipq(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
mac_lomac_ipq_update(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
struct label *ipqlabel)
{
@ -1464,7 +1468,7 @@ mac_lomac_create_mbuf_from_syncache(struct label *sc_label, struct mbuf *m,
}
static void
mac_lomac_create_mbuf_from_firewall(struct mbuf *m, struct label *mlabel)
mac_lomac_mbuf_create_from_firewall(struct mbuf *m, struct label *mlabel)
{
struct mac_lomac *dest;
@ -1478,7 +1482,7 @@ mac_lomac_create_mbuf_from_firewall(struct mbuf *m, struct label *mlabel)
* Labeling event operations: processes.
*/
static void
mac_lomac_execve_transition(struct ucred *old, struct ucred *new,
mac_lomac_vnode_execve_transition(struct ucred *old, struct ucred *new,
struct vnode *vp, struct label *vplabel, struct label *interpvnodelabel,
struct image_params *imgp, struct label *execlabel)
{
@ -1514,7 +1518,7 @@ mac_lomac_execve_transition(struct ucred *old, struct ucred *new,
}
static int
mac_lomac_execve_will_transition(struct ucred *old, struct vnode *vp,
mac_lomac_vnode_execve_will_transition(struct ucred *old, struct vnode *vp,
struct label *vplabel, struct label *interpvnodelabel,
struct image_params *imgp, struct label *execlabel)
{
@ -1534,7 +1538,7 @@ mac_lomac_execve_will_transition(struct ucred *old, struct vnode *vp,
}
static void
mac_lomac_create_proc0(struct ucred *cred)
mac_lomac_proc_create_swapper(struct ucred *cred)
{
struct mac_lomac *dest;
@ -1546,7 +1550,7 @@ mac_lomac_create_proc0(struct ucred *cred)
}
static void
mac_lomac_create_proc1(struct ucred *cred)
mac_lomac_proc_create_init(struct ucred *cred)
{
struct mac_lomac *dest;
@ -1558,7 +1562,7 @@ mac_lomac_create_proc1(struct ucred *cred)
}
static void
mac_lomac_relabel_cred(struct ucred *cred, struct label *newlabel)
mac_lomac_cred_relabel(struct ucred *cred, struct label *newlabel)
{
struct mac_lomac *source, *dest;
@ -1572,7 +1576,7 @@ mac_lomac_relabel_cred(struct ucred *cred, struct label *newlabel)
* Access control checks.
*/
static int
mac_lomac_check_bpfdesc_receive(struct bpf_d *d, struct label *dlabel,
mac_lomac_bpfdesc_check_receive(struct bpf_d *d, struct label *dlabel,
struct ifnet *ifp, struct label *ifplabel)
{
struct mac_lomac *a, *b;
@ -1589,7 +1593,7 @@ mac_lomac_check_bpfdesc_receive(struct bpf_d *d, struct label *dlabel,
}
static int
mac_lomac_check_cred_relabel(struct ucred *cred, struct label *newlabel)
mac_lomac_cred_check_relabel(struct ucred *cred, struct label *newlabel)
{
struct mac_lomac *subj, *new;
int error;
@ -1655,7 +1659,7 @@ mac_lomac_check_cred_relabel(struct ucred *cred, struct label *newlabel)
}
static int
mac_lomac_check_cred_visible(struct ucred *cr1, struct ucred *cr2)
mac_lomac_cred_check_visible(struct ucred *cr1, struct ucred *cr2)
{
struct mac_lomac *subj, *obj;
@ -1673,7 +1677,7 @@ mac_lomac_check_cred_visible(struct ucred *cr1, struct ucred *cr2)
}
static int
mac_lomac_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifp,
mac_lomac_ifnet_check_relabel(struct ucred *cred, struct ifnet *ifp,
struct label *ifplabel, struct label *newlabel)
{
struct mac_lomac *subj, *new;
@ -1730,7 +1734,7 @@ mac_lomac_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifp,
}
static int
mac_lomac_check_ifnet_transmit(struct ifnet *ifp, struct label *ifplabel,
mac_lomac_ifnet_check_transmit(struct ifnet *ifp, struct label *ifplabel,
struct mbuf *m, struct label *mlabel)
{
struct mac_lomac *p, *i;
@ -1745,7 +1749,7 @@ mac_lomac_check_ifnet_transmit(struct ifnet *ifp, struct label *ifplabel,
}
static int
mac_lomac_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel,
mac_lomac_inpcb_check_deliver(struct inpcb *inp, struct label *inplabel,
struct mbuf *m, struct label *mlabel)
{
struct mac_lomac *p, *i;
@ -1760,7 +1764,7 @@ mac_lomac_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel,
}
static int
mac_lomac_check_kld_load(struct ucred *cred, struct vnode *vp,
mac_lomac_kld_check_load(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
struct mac_lomac *subj, *obj;
@ -1781,7 +1785,7 @@ mac_lomac_check_kld_load(struct ucred *cred, struct vnode *vp,
}
static int
mac_lomac_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp,
mac_lomac_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp,
struct label *pplabel, unsigned long cmd, void /* caddr_t */ *data)
{
@ -1794,7 +1798,7 @@ mac_lomac_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp,
}
static int
mac_lomac_check_pipe_read(struct ucred *cred, struct pipepair *pp,
mac_lomac_pipe_check_read(struct ucred *cred, struct pipepair *pp,
struct label *pplabel)
{
struct mac_lomac *subj, *obj;
@ -1812,7 +1816,7 @@ mac_lomac_check_pipe_read(struct ucred *cred, struct pipepair *pp,
}
static int
mac_lomac_check_pipe_relabel(struct ucred *cred, struct pipepair *pp,
mac_lomac_pipe_check_relabel(struct ucred *cred, struct pipepair *pp,
struct label *pplabel, struct label *newlabel)
{
struct mac_lomac *subj, *obj, *new;
@ -1863,7 +1867,7 @@ mac_lomac_check_pipe_relabel(struct ucred *cred, struct pipepair *pp,
}
static int
mac_lomac_check_pipe_write(struct ucred *cred, struct pipepair *pp,
mac_lomac_pipe_check_write(struct ucred *cred, struct pipepair *pp,
struct label *pplabel)
{
struct mac_lomac *subj, *obj;
@ -1881,7 +1885,7 @@ mac_lomac_check_pipe_write(struct ucred *cred, struct pipepair *pp,
}
static int
mac_lomac_check_proc_debug(struct ucred *cred, struct proc *p)
mac_lomac_proc_check_debug(struct ucred *cred, struct proc *p)
{
struct mac_lomac *subj, *obj;
@ -1901,7 +1905,7 @@ mac_lomac_check_proc_debug(struct ucred *cred, struct proc *p)
}
static int
mac_lomac_check_proc_sched(struct ucred *cred, struct proc *p)
mac_lomac_proc_check_sched(struct ucred *cred, struct proc *p)
{
struct mac_lomac *subj, *obj;
@ -1921,7 +1925,7 @@ mac_lomac_check_proc_sched(struct ucred *cred, struct proc *p)
}
static int
mac_lomac_check_proc_signal(struct ucred *cred, struct proc *p, int signum)
mac_lomac_proc_check_signal(struct ucred *cred, struct proc *p, int signum)
{
struct mac_lomac *subj, *obj;
@ -1941,7 +1945,7 @@ mac_lomac_check_proc_signal(struct ucred *cred, struct proc *p, int signum)
}
static int
mac_lomac_check_socket_deliver(struct socket *so, struct label *solabel,
mac_lomac_socket_check_deliver(struct socket *so, struct label *solabel,
struct mbuf *m, struct label *mlabel)
{
struct mac_lomac *p, *s;
@ -1956,7 +1960,7 @@ mac_lomac_check_socket_deliver(struct socket *so, struct label *solabel,
}
static int
mac_lomac_check_socket_relabel(struct ucred *cred, struct socket *so,
mac_lomac_socket_check_relabel(struct ucred *cred, struct socket *so,
struct label *solabel, struct label *newlabel)
{
struct mac_lomac *subj, *obj, *new;
@ -2007,7 +2011,7 @@ mac_lomac_check_socket_relabel(struct ucred *cred, struct socket *so,
}
static int
mac_lomac_check_socket_visible(struct ucred *cred, struct socket *so,
mac_lomac_socket_check_visible(struct ucred *cred, struct socket *so,
struct label *solabel)
{
struct mac_lomac *subj, *obj;
@ -2215,7 +2219,7 @@ mac_lomac_priv_check(struct ucred *cred, int priv)
static int
mac_lomac_check_system_acct(struct ucred *cred, struct vnode *vp,
mac_lomac_system_check_acct(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
struct mac_lomac *subj, *obj;
@ -2236,7 +2240,7 @@ mac_lomac_check_system_acct(struct ucred *cred, struct vnode *vp,
}
static int
mac_lomac_check_system_auditctl(struct ucred *cred, struct vnode *vp,
mac_lomac_system_check_auditctl(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
struct mac_lomac *subj, *obj;
@ -2257,7 +2261,7 @@ mac_lomac_check_system_auditctl(struct ucred *cred, struct vnode *vp,
}
static int
mac_lomac_check_system_swapoff(struct ucred *cred, struct vnode *vp,
mac_lomac_system_check_swapoff(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
struct mac_lomac *subj;
@ -2274,7 +2278,7 @@ mac_lomac_check_system_swapoff(struct ucred *cred, struct vnode *vp,
}
static int
mac_lomac_check_system_swapon(struct ucred *cred, struct vnode *vp,
mac_lomac_system_check_swapon(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
struct mac_lomac *subj, *obj;
@ -2295,7 +2299,7 @@ mac_lomac_check_system_swapon(struct ucred *cred, struct vnode *vp,
}
static int
mac_lomac_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
mac_lomac_system_check_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
void *arg1, int arg2, struct sysctl_req *req)
{
struct mac_lomac *subj;
@ -2323,7 +2327,7 @@ mac_lomac_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
}
static int
mac_lomac_check_vnode_create(struct ucred *cred, struct vnode *dvp,
mac_lomac_vnode_check_create(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct componentname *cnp, struct vattr *vap)
{
struct mac_lomac *subj, *obj;
@ -2344,7 +2348,7 @@ mac_lomac_check_vnode_create(struct ucred *cred, struct vnode *dvp,
}
static int
mac_lomac_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
mac_lomac_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp,
struct label *vplabel, acl_type_t type)
{
struct mac_lomac *subj, *obj;
@ -2362,7 +2366,7 @@ mac_lomac_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
}
static int
mac_lomac_check_vnode_link(struct ucred *cred, struct vnode *dvp,
mac_lomac_vnode_check_link(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct vnode *vp, struct label *vplabel,
struct componentname *cnp)
{
@ -2386,7 +2390,7 @@ mac_lomac_check_vnode_link(struct ucred *cred, struct vnode *dvp,
}
static int
mac_lomac_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
mac_lomac_vnode_check_mmap(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int prot, int flags)
{
struct mac_lomac *subj, *obj;
@ -2414,7 +2418,7 @@ mac_lomac_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
}
static void
mac_lomac_check_vnode_mmap_downgrade(struct ucred *cred, struct vnode *vp,
mac_lomac_vnode_check_mmap_downgrade(struct ucred *cred, struct vnode *vp,
struct label *vplabel, /* XXX vm_prot_t */ int *prot)
{
struct mac_lomac *subj, *obj;
@ -2434,7 +2438,7 @@ mac_lomac_check_vnode_mmap_downgrade(struct ucred *cred, struct vnode *vp,
}
static int
mac_lomac_check_vnode_open(struct ucred *cred, struct vnode *vp,
mac_lomac_vnode_check_open(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int acc_mode)
{
struct mac_lomac *subj, *obj;
@ -2455,7 +2459,7 @@ mac_lomac_check_vnode_open(struct ucred *cred, struct vnode *vp,
}
static int
mac_lomac_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
mac_lomac_vnode_check_read(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp, struct label *vplabel)
{
struct mac_lomac *subj, *obj;
@ -2473,7 +2477,7 @@ mac_lomac_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
}
static int
mac_lomac_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
mac_lomac_vnode_check_relabel(struct ucred *cred, struct vnode *vp,
struct label *vplabel, struct label *newlabel)
{
struct mac_lomac *old, *new, *subj;
@ -2549,7 +2553,7 @@ mac_lomac_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
}
static int
mac_lomac_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
mac_lomac_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct vnode *vp, struct label *vplabel,
struct componentname *cnp)
{
@ -2573,7 +2577,7 @@ mac_lomac_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
}
static int
mac_lomac_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
mac_lomac_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct vnode *vp, struct label *vplabel,
int samedir, struct componentname *cnp)
{
@ -2599,7 +2603,7 @@ mac_lomac_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
}
static int
mac_lomac_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
mac_lomac_vnode_check_revoke(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
struct mac_lomac *subj, *obj;
@ -2617,7 +2621,7 @@ mac_lomac_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
}
static int
mac_lomac_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
mac_lomac_vnode_check_setacl(struct ucred *cred, struct vnode *vp,
struct label *vplabel, acl_type_t type, struct acl *acl)
{
struct mac_lomac *subj, *obj;
@ -2635,7 +2639,7 @@ mac_lomac_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
}
static int
mac_lomac_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
mac_lomac_vnode_check_setextattr(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int attrnamespace, const char *name,
struct uio *uio)
{
@ -2656,7 +2660,7 @@ mac_lomac_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
}
static int
mac_lomac_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
mac_lomac_vnode_check_setflags(struct ucred *cred, struct vnode *vp,
struct label *vplabel, u_long flags)
{
struct mac_lomac *subj, *obj;
@ -2674,7 +2678,7 @@ mac_lomac_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
}
static int
mac_lomac_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
mac_lomac_vnode_check_setmode(struct ucred *cred, struct vnode *vp,
struct label *vplabel, mode_t mode)
{
struct mac_lomac *subj, *obj;
@ -2692,7 +2696,7 @@ mac_lomac_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
}
static int
mac_lomac_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
mac_lomac_vnode_check_setowner(struct ucred *cred, struct vnode *vp,
struct label *vplabel, uid_t uid, gid_t gid)
{
struct mac_lomac *subj, *obj;
@ -2710,7 +2714,7 @@ mac_lomac_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
}
static int
mac_lomac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
mac_lomac_vnode_check_setutimes(struct ucred *cred, struct vnode *vp,
struct label *vplabel, struct timespec atime, struct timespec mtime)
{
struct mac_lomac *subj, *obj;
@ -2728,7 +2732,7 @@ mac_lomac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
}
static int
mac_lomac_check_vnode_unlink(struct ucred *cred, struct vnode *dvp,
mac_lomac_vnode_check_unlink(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct vnode *vp, struct label *vplabel,
struct componentname *cnp)
{
@ -2752,7 +2756,7 @@ mac_lomac_check_vnode_unlink(struct ucred *cred, struct vnode *dvp,
}
static int
mac_lomac_check_vnode_write(struct ucred *active_cred,
mac_lomac_vnode_check_write(struct ucred *active_cred,
struct ucred *file_cred, struct vnode *vp, struct label *vplabel)
{
struct mac_lomac *subj, *obj;
@ -2818,140 +2822,141 @@ mac_lomac_thread_userret(struct thread *td)
static struct mac_policy_ops mac_lomac_ops =
{
.mpo_init = mac_lomac_init,
.mpo_init_bpfdesc_label = mac_lomac_init_label,
.mpo_init_cred_label = mac_lomac_init_label,
.mpo_init_devfs_label = mac_lomac_init_label,
.mpo_init_ifnet_label = mac_lomac_init_label,
.mpo_bpfdesc_init_label = mac_lomac_init_label,
.mpo_cred_init_label = mac_lomac_init_label,
.mpo_devfs_init_label = mac_lomac_init_label,
.mpo_ifnet_init_label = mac_lomac_init_label,
.mpo_init_syncache_label = mac_lomac_init_label_waitcheck,
.mpo_init_inpcb_label = mac_lomac_init_label_waitcheck,
.mpo_init_ipq_label = mac_lomac_init_label_waitcheck,
.mpo_init_mbuf_label = mac_lomac_init_label_waitcheck,
.mpo_init_mount_label = mac_lomac_init_label,
.mpo_init_pipe_label = mac_lomac_init_label,
.mpo_init_proc_label = mac_lomac_init_proc_label,
.mpo_init_socket_label = mac_lomac_init_label_waitcheck,
.mpo_init_socket_peer_label = mac_lomac_init_label_waitcheck,
.mpo_init_vnode_label = mac_lomac_init_label,
.mpo_inpcb_init_label = mac_lomac_init_label_waitcheck,
.mpo_ipq_init_label = mac_lomac_init_label_waitcheck,
.mpo_mbuf_init_label = mac_lomac_init_label_waitcheck,
.mpo_mount_init_label = mac_lomac_init_label,
.mpo_pipe_init_label = mac_lomac_init_label,
.mpo_proc_init_label = mac_lomac_proc_init_label,
.mpo_socket_init_label = mac_lomac_init_label_waitcheck,
.mpo_socketpeer_init_label = mac_lomac_init_label_waitcheck,
.mpo_vnode_init_label = mac_lomac_init_label,
.mpo_init_syncache_from_inpcb = mac_lomac_init_syncache_from_inpcb,
.mpo_destroy_bpfdesc_label = mac_lomac_destroy_label,
.mpo_destroy_cred_label = mac_lomac_destroy_label,
.mpo_destroy_devfs_label = mac_lomac_destroy_label,
.mpo_destroy_ifnet_label = mac_lomac_destroy_label,
.mpo_destroy_inpcb_label = mac_lomac_destroy_label,
.mpo_destroy_ipq_label = mac_lomac_destroy_label,
.mpo_destroy_mbuf_label = mac_lomac_destroy_label,
.mpo_destroy_mount_label = mac_lomac_destroy_label,
.mpo_destroy_pipe_label = mac_lomac_destroy_label,
.mpo_destroy_proc_label = mac_lomac_destroy_proc_label,
.mpo_bpfdesc_destroy_label = mac_lomac_destroy_label,
.mpo_cred_destroy_label = mac_lomac_destroy_label,
.mpo_devfs_destroy_label = mac_lomac_destroy_label,
.mpo_ifnet_destroy_label = mac_lomac_destroy_label,
.mpo_inpcb_destroy_label = mac_lomac_destroy_label,
.mpo_ipq_destroy_label = mac_lomac_destroy_label,
.mpo_mbuf_destroy_label = mac_lomac_destroy_label,
.mpo_mount_destroy_label = mac_lomac_destroy_label,
.mpo_pipe_destroy_label = mac_lomac_destroy_label,
.mpo_proc_destroy_label = mac_lomac_proc_destroy_label,
.mpo_destroy_syncache_label = mac_lomac_destroy_label,
.mpo_destroy_socket_label = mac_lomac_destroy_label,
.mpo_destroy_socket_peer_label = mac_lomac_destroy_label,
.mpo_destroy_vnode_label = mac_lomac_destroy_label,
.mpo_copy_cred_label = mac_lomac_copy_label,
.mpo_copy_ifnet_label = mac_lomac_copy_label,
.mpo_copy_mbuf_label = mac_lomac_copy_label,
.mpo_copy_pipe_label = mac_lomac_copy_label,
.mpo_copy_socket_label = mac_lomac_copy_label,
.mpo_copy_vnode_label = mac_lomac_copy_label,
.mpo_externalize_cred_label = mac_lomac_externalize_label,
.mpo_externalize_ifnet_label = mac_lomac_externalize_label,
.mpo_externalize_pipe_label = mac_lomac_externalize_label,
.mpo_externalize_socket_label = mac_lomac_externalize_label,
.mpo_externalize_socket_peer_label = mac_lomac_externalize_label,
.mpo_externalize_vnode_label = mac_lomac_externalize_label,
.mpo_internalize_cred_label = mac_lomac_internalize_label,
.mpo_internalize_ifnet_label = mac_lomac_internalize_label,
.mpo_internalize_pipe_label = mac_lomac_internalize_label,
.mpo_internalize_socket_label = mac_lomac_internalize_label,
.mpo_internalize_vnode_label = mac_lomac_internalize_label,
.mpo_create_devfs_device = mac_lomac_create_devfs_device,
.mpo_create_devfs_directory = mac_lomac_create_devfs_directory,
.mpo_create_devfs_symlink = mac_lomac_create_devfs_symlink,
.mpo_create_mount = mac_lomac_create_mount,
.mpo_relabel_vnode = mac_lomac_relabel_vnode,
.mpo_update_devfs = mac_lomac_update_devfs,
.mpo_associate_vnode_devfs = mac_lomac_associate_vnode_devfs,
.mpo_associate_vnode_extattr = mac_lomac_associate_vnode_extattr,
.mpo_associate_vnode_singlelabel =
mac_lomac_associate_vnode_singlelabel,
.mpo_create_vnode_extattr = mac_lomac_create_vnode_extattr,
.mpo_setlabel_vnode_extattr = mac_lomac_setlabel_vnode_extattr,
.mpo_create_mbuf_from_socket = mac_lomac_create_mbuf_from_socket,
.mpo_socket_destroy_label = mac_lomac_destroy_label,
.mpo_socketpeer_destroy_label = mac_lomac_destroy_label,
.mpo_vnode_destroy_label = mac_lomac_destroy_label,
.mpo_cred_copy_label = mac_lomac_copy_label,
.mpo_ifnet_copy_label = mac_lomac_copy_label,
.mpo_mbuf_copy_label = mac_lomac_copy_label,
.mpo_pipe_copy_label = mac_lomac_copy_label,
.mpo_socket_copy_label = mac_lomac_copy_label,
.mpo_vnode_copy_label = mac_lomac_copy_label,
.mpo_cred_externalize_label = mac_lomac_externalize_label,
.mpo_ifnet_externalize_label = mac_lomac_externalize_label,
.mpo_pipe_externalize_label = mac_lomac_externalize_label,
.mpo_socket_externalize_label = mac_lomac_externalize_label,
.mpo_socketpeer_externalize_label = mac_lomac_externalize_label,
.mpo_vnode_externalize_label = mac_lomac_externalize_label,
.mpo_cred_internalize_label = mac_lomac_internalize_label,
.mpo_ifnet_internalize_label = mac_lomac_internalize_label,
.mpo_pipe_internalize_label = mac_lomac_internalize_label,
.mpo_socket_internalize_label = mac_lomac_internalize_label,
.mpo_vnode_internalize_label = mac_lomac_internalize_label,
.mpo_devfs_create_device = mac_lomac_devfs_create_device,
.mpo_devfs_create_directory = mac_lomac_devfs_create_directory,
.mpo_devfs_create_symlink = mac_lomac_devfs_create_symlink,
.mpo_mount_create = mac_lomac_mount_create,
.mpo_vnode_relabel = mac_lomac_vnode_relabel,
.mpo_devfs_update = mac_lomac_devfs_update,
.mpo_devfs_vnode_associate = mac_lomac_devfs_vnode_associate,
.mpo_vnode_associate_extattr = mac_lomac_vnode_associate_extattr,
.mpo_vnode_associate_singlelabel =
mac_lomac_vnode_associate_singlelabel,
.mpo_vnode_create_extattr = mac_lomac_vnode_create_extattr,
.mpo_vnode_setlabel_extattr = mac_lomac_vnode_setlabel_extattr,
.mpo_socket_create_mbuf = mac_lomac_socket_create_mbuf,
.mpo_create_mbuf_from_syncache = mac_lomac_create_mbuf_from_syncache,
.mpo_create_pipe = mac_lomac_create_pipe,
.mpo_create_socket = mac_lomac_create_socket,
.mpo_create_socket_from_socket = mac_lomac_create_socket_from_socket,
.mpo_relabel_pipe = mac_lomac_relabel_pipe,
.mpo_relabel_socket = mac_lomac_relabel_socket,
.mpo_set_socket_peer_from_mbuf = mac_lomac_set_socket_peer_from_mbuf,
.mpo_set_socket_peer_from_socket =
mac_lomac_set_socket_peer_from_socket,
.mpo_create_bpfdesc = mac_lomac_create_bpfdesc,
.mpo_create_datagram_from_ipq = mac_lomac_create_datagram_from_ipq,
.mpo_create_fragment = mac_lomac_create_fragment,
.mpo_create_ifnet = mac_lomac_create_ifnet,
.mpo_create_inpcb_from_socket = mac_lomac_create_inpcb_from_socket,
.mpo_create_ipq = mac_lomac_create_ipq,
.mpo_create_mbuf_from_inpcb = mac_lomac_create_mbuf_from_inpcb,
.mpo_pipe_create = mac_lomac_pipe_create,
.mpo_socket_create = mac_lomac_socket_create,
.mpo_socket_newconn = mac_lomac_socket_newconn,
.mpo_pipe_relabel = mac_lomac_pipe_relabel,
.mpo_socket_relabel = mac_lomac_socket_relabel,
.mpo_socketpeer_set_from_mbuf = mac_lomac_socketpeer_set_from_mbuf,
.mpo_socketpeer_set_from_socket =
mac_lomac_socketpeer_set_from_socket,
.mpo_bpfdesc_create = mac_lomac_bpfdesc_create,
.mpo_ipq_reassemble = mac_lomac_ipq_reassemble,
.mpo_netinet_fragment = mac_lomac_netinet_fragment,
.mpo_ifnet_create = mac_lomac_ifnet_create,
.mpo_inpcb_create = mac_lomac_inpcb_create,
.mpo_ipq_create = mac_lomac_ipq_create,
.mpo_inpcb_create_mbuf = mac_lomac_inpcb_create_mbuf,
.mpo_create_mbuf_linklayer = mac_lomac_create_mbuf_linklayer,
.mpo_create_mbuf_from_bpfdesc = mac_lomac_create_mbuf_from_bpfdesc,
.mpo_create_mbuf_from_ifnet = mac_lomac_create_mbuf_from_ifnet,
.mpo_create_mbuf_multicast_encap =
mac_lomac_create_mbuf_multicast_encap,
.mpo_create_mbuf_netlayer = mac_lomac_create_mbuf_netlayer,
.mpo_fragment_match = mac_lomac_fragment_match,
.mpo_relabel_ifnet = mac_lomac_relabel_ifnet,
.mpo_update_ipq = mac_lomac_update_ipq,
.mpo_bpfdesc_create_mbuf = mac_lomac_bpfdesc_create_mbuf,
.mpo_ifnet_create_mbuf = mac_lomac_ifnet_create_mbuf,
.mpo_mbuf_create_multicast_encap =
mac_lomac_mbuf_create_multicast_encap,
.mpo_mbuf_create_netlayer = mac_lomac_mbuf_create_netlayer,
.mpo_ipq_match = mac_lomac_ipq_match,
.mpo_ifnet_relabel = mac_lomac_ifnet_relabel,
.mpo_ipq_update = mac_lomac_ipq_update,
.mpo_inpcb_sosetlabel = mac_lomac_inpcb_sosetlabel,
.mpo_execve_transition = mac_lomac_execve_transition,
.mpo_execve_will_transition = mac_lomac_execve_will_transition,
.mpo_create_proc0 = mac_lomac_create_proc0,
.mpo_create_proc1 = mac_lomac_create_proc1,
.mpo_relabel_cred = mac_lomac_relabel_cred,
.mpo_check_bpfdesc_receive = mac_lomac_check_bpfdesc_receive,
.mpo_check_cred_relabel = mac_lomac_check_cred_relabel,
.mpo_check_cred_visible = mac_lomac_check_cred_visible,
.mpo_check_ifnet_relabel = mac_lomac_check_ifnet_relabel,
.mpo_check_ifnet_transmit = mac_lomac_check_ifnet_transmit,
.mpo_check_inpcb_deliver = mac_lomac_check_inpcb_deliver,
.mpo_check_kld_load = mac_lomac_check_kld_load,
.mpo_check_pipe_ioctl = mac_lomac_check_pipe_ioctl,
.mpo_check_pipe_read = mac_lomac_check_pipe_read,
.mpo_check_pipe_relabel = mac_lomac_check_pipe_relabel,
.mpo_check_pipe_write = mac_lomac_check_pipe_write,
.mpo_check_proc_debug = mac_lomac_check_proc_debug,
.mpo_check_proc_sched = mac_lomac_check_proc_sched,
.mpo_check_proc_signal = mac_lomac_check_proc_signal,
.mpo_check_socket_deliver = mac_lomac_check_socket_deliver,
.mpo_check_socket_relabel = mac_lomac_check_socket_relabel,
.mpo_check_socket_visible = mac_lomac_check_socket_visible,
.mpo_check_system_acct = mac_lomac_check_system_acct,
.mpo_check_system_auditctl = mac_lomac_check_system_auditctl,
.mpo_check_system_swapoff = mac_lomac_check_system_swapoff,
.mpo_check_system_swapon = mac_lomac_check_system_swapon,
.mpo_check_system_sysctl = mac_lomac_check_system_sysctl,
.mpo_check_vnode_access = mac_lomac_check_vnode_open,
.mpo_check_vnode_create = mac_lomac_check_vnode_create,
.mpo_check_vnode_deleteacl = mac_lomac_check_vnode_deleteacl,
.mpo_check_vnode_link = mac_lomac_check_vnode_link,
.mpo_check_vnode_mmap = mac_lomac_check_vnode_mmap,
.mpo_check_vnode_mmap_downgrade = mac_lomac_check_vnode_mmap_downgrade,
.mpo_check_vnode_open = mac_lomac_check_vnode_open,
.mpo_check_vnode_read = mac_lomac_check_vnode_read,
.mpo_check_vnode_relabel = mac_lomac_check_vnode_relabel,
.mpo_check_vnode_rename_from = mac_lomac_check_vnode_rename_from,
.mpo_check_vnode_rename_to = mac_lomac_check_vnode_rename_to,
.mpo_check_vnode_revoke = mac_lomac_check_vnode_revoke,
.mpo_check_vnode_setacl = mac_lomac_check_vnode_setacl,
.mpo_check_vnode_setextattr = mac_lomac_check_vnode_setextattr,
.mpo_check_vnode_setflags = mac_lomac_check_vnode_setflags,
.mpo_check_vnode_setmode = mac_lomac_check_vnode_setmode,
.mpo_check_vnode_setowner = mac_lomac_check_vnode_setowner,
.mpo_check_vnode_setutimes = mac_lomac_check_vnode_setutimes,
.mpo_check_vnode_unlink = mac_lomac_check_vnode_unlink,
.mpo_check_vnode_write = mac_lomac_check_vnode_write,
.mpo_vnode_execve_transition = mac_lomac_vnode_execve_transition,
.mpo_vnode_execve_will_transition =
mac_lomac_vnode_execve_will_transition,
.mpo_proc_create_swapper = mac_lomac_proc_create_swapper,
.mpo_proc_create_init = mac_lomac_proc_create_init,
.mpo_cred_relabel = mac_lomac_cred_relabel,
.mpo_bpfdesc_check_receive = mac_lomac_bpfdesc_check_receive,
.mpo_cred_check_relabel = mac_lomac_cred_check_relabel,
.mpo_cred_check_visible = mac_lomac_cred_check_visible,
.mpo_ifnet_check_relabel = mac_lomac_ifnet_check_relabel,
.mpo_ifnet_check_transmit = mac_lomac_ifnet_check_transmit,
.mpo_inpcb_check_deliver = mac_lomac_inpcb_check_deliver,
.mpo_kld_check_load = mac_lomac_kld_check_load,
.mpo_pipe_check_ioctl = mac_lomac_pipe_check_ioctl,
.mpo_pipe_check_read = mac_lomac_pipe_check_read,
.mpo_pipe_check_relabel = mac_lomac_pipe_check_relabel,
.mpo_pipe_check_write = mac_lomac_pipe_check_write,
.mpo_proc_check_debug = mac_lomac_proc_check_debug,
.mpo_proc_check_sched = mac_lomac_proc_check_sched,
.mpo_proc_check_signal = mac_lomac_proc_check_signal,
.mpo_socket_check_deliver = mac_lomac_socket_check_deliver,
.mpo_socket_check_relabel = mac_lomac_socket_check_relabel,
.mpo_socket_check_visible = mac_lomac_socket_check_visible,
.mpo_system_check_acct = mac_lomac_system_check_acct,
.mpo_system_check_auditctl = mac_lomac_system_check_auditctl,
.mpo_system_check_swapoff = mac_lomac_system_check_swapoff,
.mpo_system_check_swapon = mac_lomac_system_check_swapon,
.mpo_system_check_sysctl = mac_lomac_system_check_sysctl,
.mpo_vnode_check_access = mac_lomac_vnode_check_open,
.mpo_vnode_check_create = mac_lomac_vnode_check_create,
.mpo_vnode_check_deleteacl = mac_lomac_vnode_check_deleteacl,
.mpo_vnode_check_link = mac_lomac_vnode_check_link,
.mpo_vnode_check_mmap = mac_lomac_vnode_check_mmap,
.mpo_vnode_check_mmap_downgrade = mac_lomac_vnode_check_mmap_downgrade,
.mpo_vnode_check_open = mac_lomac_vnode_check_open,
.mpo_vnode_check_read = mac_lomac_vnode_check_read,
.mpo_vnode_check_relabel = mac_lomac_vnode_check_relabel,
.mpo_vnode_check_rename_from = mac_lomac_vnode_check_rename_from,
.mpo_vnode_check_rename_to = mac_lomac_vnode_check_rename_to,
.mpo_vnode_check_revoke = mac_lomac_vnode_check_revoke,
.mpo_vnode_check_setacl = mac_lomac_vnode_check_setacl,
.mpo_vnode_check_setextattr = mac_lomac_vnode_check_setextattr,
.mpo_vnode_check_setflags = mac_lomac_vnode_check_setflags,
.mpo_vnode_check_setmode = mac_lomac_vnode_check_setmode,
.mpo_vnode_check_setowner = mac_lomac_vnode_check_setowner,
.mpo_vnode_check_setutimes = mac_lomac_vnode_check_setutimes,
.mpo_vnode_check_unlink = mac_lomac_vnode_check_unlink,
.mpo_vnode_check_write = mac_lomac_vnode_check_write,
.mpo_thread_userret = mac_lomac_thread_userret,
.mpo_create_mbuf_from_firewall = mac_lomac_create_mbuf_from_firewall,
.mpo_mbuf_create_from_firewall = mac_lomac_mbuf_create_from_firewall,
.mpo_priv_check = mac_lomac_priv_check,
};



@ -1,6 +1,7 @@
/*-
* Copyright (c) 1999-2002, 2007 Robert N. M. Watson
* Copyright (c) 2001-2002 Networks Associates Technology, Inc.
* Copyright (c) 2006 SPARTA, Inc.
* All rights reserved.
*
* This software was developed by Robert Watson for the TrustedBSD Project.
@ -10,6 +11,9 @@
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
* as part of the DARPA CHATS research program.
*
* This software was enhanced by SPARTA ISSO under SPAWAR contract
* N66001-04-C-6019 ("SEFOS").
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@ -115,21 +119,21 @@ mac_partition_internalize_label(struct label *label, char *element_name,
}
static void
mac_partition_create_proc0(struct ucred *cred)
mac_partition_proc_create_swapper(struct ucred *cred)
{
SLOT_SET(cred->cr_label, 0);
}
static void
mac_partition_create_proc1(struct ucred *cred)
mac_partition_proc_create_init(struct ucred *cred)
{
SLOT_SET(cred->cr_label, 0);
}
static void
mac_partition_relabel_cred(struct ucred *cred, struct label *newlabel)
mac_partition_cred_relabel(struct ucred *cred, struct label *newlabel)
{
if (SLOT(newlabel) != 0)
@ -153,7 +157,7 @@ label_on_label(struct label *subject, struct label *object)
}
static int
mac_partition_check_cred_relabel(struct ucred *cred, struct label *newlabel)
mac_partition_cred_check_relabel(struct ucred *cred, struct label *newlabel)
{
int error;
@ -174,7 +178,7 @@ mac_partition_check_cred_relabel(struct ucred *cred, struct label *newlabel)
}
static int
mac_partition_check_cred_visible(struct ucred *cr1, struct ucred *cr2)
mac_partition_cred_check_visible(struct ucred *cr1, struct ucred *cr2)
{
int error;
@ -184,7 +188,7 @@ mac_partition_check_cred_visible(struct ucred *cr1, struct ucred *cr2)
}
static int
mac_partition_check_proc_debug(struct ucred *cred, struct proc *p)
mac_partition_proc_check_debug(struct ucred *cred, struct proc *p)
{
int error;
@ -194,7 +198,7 @@ mac_partition_check_proc_debug(struct ucred *cred, struct proc *p)
}
static int
mac_partition_check_proc_sched(struct ucred *cred, struct proc *p)
mac_partition_proc_check_sched(struct ucred *cred, struct proc *p)
{
int error;
@ -204,7 +208,7 @@ mac_partition_check_proc_sched(struct ucred *cred, struct proc *p)
}
static int
mac_partition_check_proc_signal(struct ucred *cred, struct proc *p,
mac_partition_proc_check_signal(struct ucred *cred, struct proc *p,
int signum)
{
int error;
@ -215,7 +219,7 @@ mac_partition_check_proc_signal(struct ucred *cred, struct proc *p,
}
static int
mac_partition_check_socket_visible(struct ucred *cred, struct socket *so,
mac_partition_socket_check_visible(struct ucred *cred, struct socket *so,
struct label *solabel)
{
int error;
@ -226,7 +230,7 @@ mac_partition_check_socket_visible(struct ucred *cred, struct socket *so,
}
static int
mac_partition_check_vnode_exec(struct ucred *cred, struct vnode *vp,
mac_partition_vnode_check_exec(struct ucred *cred, struct vnode *vp,
struct label *vplabel, struct image_params *imgp,
struct label *execlabel)
{
@ -246,21 +250,21 @@ mac_partition_check_vnode_exec(struct ucred *cred, struct vnode *vp,
static struct mac_policy_ops mac_partition_ops =
{
.mpo_init_cred_label = mac_partition_init_label,
.mpo_destroy_cred_label = mac_partition_destroy_label,
.mpo_copy_cred_label = mac_partition_copy_label,
.mpo_externalize_cred_label = mac_partition_externalize_label,
.mpo_internalize_cred_label = mac_partition_internalize_label,
.mpo_create_proc0 = mac_partition_create_proc0,
.mpo_create_proc1 = mac_partition_create_proc1,
.mpo_relabel_cred = mac_partition_relabel_cred,
.mpo_check_cred_relabel = mac_partition_check_cred_relabel,
.mpo_check_cred_visible = mac_partition_check_cred_visible,
.mpo_check_proc_debug = mac_partition_check_proc_debug,
.mpo_check_proc_sched = mac_partition_check_proc_sched,
.mpo_check_proc_signal = mac_partition_check_proc_signal,
.mpo_check_socket_visible = mac_partition_check_socket_visible,
.mpo_check_vnode_exec = mac_partition_check_vnode_exec,
.mpo_cred_init_label = mac_partition_init_label,
.mpo_cred_destroy_label = mac_partition_destroy_label,
.mpo_cred_copy_label = mac_partition_copy_label,
.mpo_cred_externalize_label = mac_partition_externalize_label,
.mpo_cred_internalize_label = mac_partition_internalize_label,
.mpo_proc_create_swapper = mac_partition_proc_create_swapper,
.mpo_proc_create_init = mac_partition_proc_create_init,
.mpo_cred_relabel = mac_partition_cred_relabel,
.mpo_cred_check_relabel = mac_partition_cred_check_relabel,
.mpo_cred_check_visible = mac_partition_cred_check_visible,
.mpo_proc_check_debug = mac_partition_proc_check_debug,
.mpo_proc_check_sched = mac_partition_proc_check_sched,
.mpo_proc_check_signal = mac_partition_proc_check_signal,
.mpo_socket_check_visible = mac_partition_socket_check_visible,
.mpo_vnode_check_exec = mac_partition_vnode_check_exec,
};
MAC_POLICY_SET(&mac_partition_ops, mac_partition, "TrustedBSD MAC/Partition",


@ -1,5 +1,6 @@
/*-
* Copyright (c) 2003-2004 Networks Associates Technology, Inc.
* Copyright (c) 2006 SPARTA, Inc.
* All rights reserved.
*
* This software was developed for the FreeBSD Project by Network
@ -7,6 +8,9 @@
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
* as part of the DARPA CHATS research program.
*
* This software was enhanced by SPARTA ISSO under SPAWAR contract
* N66001-04-C-6019 ("SEFOS").
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@ -430,7 +434,7 @@ rules_check(struct ucred *cred, int family, int type, u_int16_t port)
* the source port is left up to the IP stack to determine automatically.
*/
static int
check_socket_bind(struct ucred *cred, struct socket *so,
socket_check_bind(struct ucred *cred, struct socket *so,
struct label *solabel, struct sockaddr *sa)
{
struct sockaddr_in *sin;
@ -482,7 +486,7 @@ static struct mac_policy_ops mac_portacl_ops =
{
.mpo_destroy = destroy,
.mpo_init = init,
.mpo_check_socket_bind = check_socket_bind,
.mpo_socket_check_bind = socket_check_bind,
};
MAC_POLICY_SET(&mac_portacl_ops, trustedbsd_mac_portacl,


@ -1,6 +1,7 @@
/*-
* Copyright (c) 1999-2002, 2007 Robert N. M. Watson
* Copyright (c) 2001-2002 Networks Associates Technology, Inc.
* Copyright (c) 2006 SPARTA, Inc.
* All rights reserved.
*
* This software was developed by Robert Watson for the TrustedBSD Project.
@ -10,6 +11,9 @@
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
* as part of the DARPA CHATS research program.
*
* This software was enhanced by SPARTA ISSO under SPAWAR contract
* N66001-04-C-6019 ("SEFOS").
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@ -122,14 +126,14 @@ mac_seeotheruids_check(struct ucred *cr1, struct ucred *cr2)
}
static int
mac_seeotheruids_check_cred_visible(struct ucred *cr1, struct ucred *cr2)
mac_seeotheruids_cred_check_visible(struct ucred *cr1, struct ucred *cr2)
{
return (mac_seeotheruids_check(cr1, cr2));
}
static int
mac_seeotheruids_check_proc_signal(struct ucred *cred, struct proc *p,
mac_seeotheruids_proc_check_signal(struct ucred *cred, struct proc *p,
int signum)
{
@ -137,21 +141,21 @@ mac_seeotheruids_check_proc_signal(struct ucred *cred, struct proc *p,
}
static int
mac_seeotheruids_check_proc_sched(struct ucred *cred, struct proc *p)
mac_seeotheruids_proc_check_sched(struct ucred *cred, struct proc *p)
{
return (mac_seeotheruids_check(cred, p->p_ucred));
}
static int
mac_seeotheruids_check_proc_debug(struct ucred *cred, struct proc *p)
mac_seeotheruids_proc_check_debug(struct ucred *cred, struct proc *p)
{
return (mac_seeotheruids_check(cred, p->p_ucred));
}
static int
mac_seeotheruids_check_socket_visible(struct ucred *cred, struct socket *so,
mac_seeotheruids_socket_check_visible(struct ucred *cred, struct socket *so,
struct label *solabel)
{
@ -160,11 +164,11 @@ mac_seeotheruids_check_socket_visible(struct ucred *cred, struct socket *so,
static struct mac_policy_ops mac_seeotheruids_ops =
{
.mpo_check_cred_visible = mac_seeotheruids_check_cred_visible,
.mpo_check_proc_debug = mac_seeotheruids_check_proc_debug,
.mpo_check_proc_sched = mac_seeotheruids_check_proc_sched,
.mpo_check_proc_signal = mac_seeotheruids_check_proc_signal,
.mpo_check_socket_visible = mac_seeotheruids_check_socket_visible,
.mpo_cred_check_visible = mac_seeotheruids_cred_check_visible,
.mpo_proc_check_debug = mac_seeotheruids_proc_check_debug,
.mpo_proc_check_sched = mac_seeotheruids_proc_check_sched,
.mpo_proc_check_signal = mac_seeotheruids_proc_check_signal,
.mpo_socket_check_visible = mac_seeotheruids_socket_check_visible,
};
MAC_POLICY_SET(&mac_seeotheruids_ops, mac_seeotheruids,




@ -1464,7 +1464,7 @@ ffs_vget(mp, ino, flags, vpp)
* multi-label, attempt to perform a label association
* from the extended attributes on the inode.
*/
error = mac_associate_vnode_extattr(mp, vp);
error = mac_vnode_associate_extattr(mp, vp);
if (error) {
/* ufs_inactive will release ip->i_devvp ref. */
vput(vp);
