Slightly change the semantics of vnode labels for MAC: rather than
"refreshing" the label on the vnode before use, just get the label right from inception. For single-label file systems, set the label in the generic VFS getnewvnode() code; for multi-label file systems, leave the labeling up to the file system. With UFS1/2, this means reading the extended attribute during vfs_vget() as the inode is pulled off disk, rather than hitting the extended attributes frequently during operations later, improving performance. This also corrects sematics for shared vnode locks, which were not previously present in the system. This chances the cache coherrency properties WRT out-of-band access to label data, but in an acceptable form. With UFS1, there is a small race condition during automatic extended attribute start -- this is not present with UFS2, and occurs because EAs aren't available at vnode inception. We'll introduce a work around for this shortly. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
This commit is contained in:
Robert Watson
parent
49d7a091ac
commit
763bbd2f4f
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=105988
@ -829,7 +829,6 @@ fs/procfs/procfs_ctl.c optional procfs
|
||||
fs/procfs/procfs_dbregs.c optional procfs
|
||||
fs/procfs/procfs_fpregs.c optional procfs
|
||||
fs/procfs/procfs_ioctl.c optional procfs
|
||||
fs/procfs/procfs_mac.c optional procfs
|
||||
fs/procfs/procfs_map.c optional procfs
|
||||
fs/procfs/procfs_mem.c optional procfs
|
||||
fs/procfs/procfs_note.c optional procfs
|
||||
|
||||
@ -167,7 +167,7 @@ devfs_allocv(struct devfs_dirent *de, struct mount *mp, struct vnode **vpp, stru
|
||||
de->de_vnode = vp;
|
||||
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
|
||||
#ifdef MAC
|
||||
mac_create_devfs_vnode(de, vp);
|
||||
mac_associate_vnode_devfs(mp, de, vp);
|
||||
#endif
|
||||
*vpp = vp;
|
||||
return (0);
|
||||
|
||||
@ -153,7 +153,6 @@ procfs_init(PFS_INIT_ARGS)
|
||||
|
||||
dir = pfs_create_dir(root, "pid",
|
||||
procfs_attr, NULL, PFS_PROCDEP);
|
||||
dir->pn_refreshlabel = procfs_piddir_refreshlabel;
|
||||
pfs_create_file(dir, "cmdline", procfs_doproccmdline,
|
||||
NULL, NULL, PFS_RD);
|
||||
pfs_create_file(dir, "ctl", procfs_doprocctl,
|
||||
|
||||
@ -61,9 +61,6 @@ int procfs_close(PFS_CLOSE_ARGS);
|
||||
/* Attributes */
|
||||
int procfs_attr(PFS_ATTR_ARGS);
|
||||
|
||||
/* MAC */
|
||||
int procfs_piddir_refreshlabel(PFS_REFRESHLABEL_ARGS);
|
||||
|
||||
/* Visibility */
|
||||
int procfs_notsystem(PFS_VIS_ARGS);
|
||||
int procfs_candebug(PFS_VIS_ARGS);
|
||||
|
||||
@ -1,68 +0,0 @@
|
||||
/*-
|
||||
* Copyright (c) 2002 Network Associates Technology, Inc.
|
||||
* All rights reserved.
|
||||
*
|
||||
* This software was developed in part by NAI Labs, the Security Research
|
||||
* Division of Network Associates, Inc. under DARPA/SPAWAR contract
|
||||
* N66001-01-C-8035 ("CBOSS"), as part of the DARPA CHATS research program.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
* 3. The names of the authors may not be used to endorse or promote
|
||||
* products derived from this software without specific prior written
|
||||
* permission.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
||||
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
||||
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* $FreeBSD$
|
||||
*/
|
||||
|
||||
#include "opt_mac.h"
|
||||
|
||||
#include <sys/param.h>
|
||||
#include <sys/lock.h>
|
||||
#include <sys/mac.h>
|
||||
#include <sys/mount.h>
|
||||
#include <sys/mutex.h>
|
||||
#include <sys/proc.h>
|
||||
#include <sys/systm.h>
|
||||
#include <sys/ucred.h>
|
||||
#include <sys/vnode.h>
|
||||
|
||||
#include <fs/pseudofs/pseudofs.h>
|
||||
#include <fs/procfs/procfs.h>
|
||||
|
||||
int
|
||||
procfs_piddir_refreshlabel(PFS_REFRESHLABEL_ARGS)
|
||||
{
|
||||
#ifdef MAC
|
||||
|
||||
if (p == NULL)
|
||||
mac_update_vnode_from_mount(vp, vp->v_mount);
|
||||
else {
|
||||
PROC_LOCK(p);
|
||||
mac_update_procfsvnode(vp, p->p_ucred);
|
||||
PROC_UNLOCK(p);
|
||||
}
|
||||
|
||||
return (0);
|
||||
#else
|
||||
return (EOPNOTSUPP);
|
||||
#endif
|
||||
}
|
||||
@ -144,15 +144,6 @@ typedef int (*pfs_ioctl_t)(PFS_IOCTL_ARGS);
|
||||
struct ucred;
|
||||
typedef int (*pfs_getextattr_t)(PFS_GETEXTATTR_ARGS);
|
||||
|
||||
/*
|
||||
* Getlabel callback
|
||||
*/
|
||||
#define PFS_REFRESHLABEL_ARGS \
|
||||
struct thread *td, struct proc *p, struct vnode *vp, \
|
||||
struct pfs_node *pn, struct ucred *cred
|
||||
struct mac;
|
||||
typedef int (*pfs_refreshlabel_t)(PFS_REFRESHLABEL_ARGS);
|
||||
|
||||
/*
|
||||
* Last-close callback
|
||||
*/
|
||||
@ -194,7 +185,6 @@ struct pfs_node {
|
||||
pfs_attr_t pn_attr;
|
||||
pfs_vis_t pn_vis;
|
||||
pfs_getextattr_t pn_getextattr;
|
||||
pfs_refreshlabel_t pn_refreshlabel;
|
||||
void *pn_data;
|
||||
int pn_flags;
|
||||
|
||||
|
||||
@ -28,8 +28,6 @@
|
||||
* $FreeBSD$
|
||||
*/
|
||||
|
||||
#include "opt_mac.h"
|
||||
|
||||
#include <sys/param.h>
|
||||
#include <sys/kernel.h>
|
||||
#include <sys/systm.h>
|
||||
@ -37,7 +35,6 @@
|
||||
#include <sys/dirent.h>
|
||||
#include <sys/fcntl.h>
|
||||
#include <sys/lock.h>
|
||||
#include <sys/mac.h>
|
||||
#include <sys/mount.h>
|
||||
#include <sys/mutex.h>
|
||||
#include <sys/namei.h>
|
||||
@ -732,50 +729,6 @@ pfs_reclaim(struct vop_reclaim_args *va)
|
||||
return (pfs_vncache_free(va->a_vp));
|
||||
}
|
||||
|
||||
#ifdef MAC
|
||||
/*
|
||||
* Refresh the vnode label as appropriate for the pseudo-file system.
|
||||
*/
|
||||
static int
|
||||
pfs_refreshlabel(struct vop_refreshlabel_args *va)
|
||||
{
|
||||
struct vnode *vn = va->a_vp;
|
||||
struct pfs_vdata *pvd = (struct pfs_vdata *)vn->v_data;
|
||||
struct pfs_node *pn = pvd->pvd_pn;
|
||||
struct proc *proc = NULL;
|
||||
int error;
|
||||
|
||||
PFS_TRACE((pd->pn_name));
|
||||
|
||||
if (pn->pn_refreshlabel == NULL) {
|
||||
mac_update_vnode_from_mount(vn, vn->v_mount);
|
||||
return (0);
|
||||
}
|
||||
|
||||
/*
|
||||
* This is necessary because either process' privileges may
|
||||
* have changed since the last open() call.
|
||||
*/
|
||||
if (!pfs_visible(curthread, pn, pvd->pvd_pid))
|
||||
PFS_RETURN (EIO);
|
||||
|
||||
/* XXX duplicate bits of pfs_visible() */
|
||||
if (pvd->pvd_pid != NO_PID) {
|
||||
if ((proc = pfind(pvd->pvd_pid)) == NULL)
|
||||
PFS_RETURN (EIO);
|
||||
_PHOLD(proc);
|
||||
PROC_UNLOCK(proc);
|
||||
}
|
||||
|
||||
error = (pn->pn_refreshlabel)(curthread, proc, vn, pn, va->a_cred);
|
||||
|
||||
if (proc != NULL)
|
||||
PRELE(proc);
|
||||
|
||||
PFS_RETURN (error);
|
||||
}
|
||||
#endif
|
||||
|
||||
/*
|
||||
* Set attributes
|
||||
*/
|
||||
|
||||
File diff suppressed because it is too large
Load Diff
@ -1004,6 +1004,8 @@ getnewvnode(tag, mp, vops, vpp)
|
||||
VI_UNLOCK(vp);
|
||||
#ifdef MAC
|
||||
mac_init_vnode(vp);
|
||||
if (mp != NULL && (mp->mnt_flag & MNT_MULTILABEL) == 0)
|
||||
mac_associate_vnode_singlelabel(mp, vp);
|
||||
#endif
|
||||
insmntque(vp, mp);
|
||||
|
||||
|
||||
@ -4,13 +4,11 @@
|
||||
|
||||
KMOD= procfs
|
||||
SRCS=
|
||||
SRCS+= opt_mac.h
|
||||
SRCS+= vnode_if.h
|
||||
SRCS+= procfs_ctl.c
|
||||
SRCS+= procfs_dbregs.c
|
||||
SRCS+= procfs_fpregs.c
|
||||
SRCS+= procfs_ioctl.c
|
||||
SRCS+= procfs_mac.c
|
||||
SRCS+= procfs_map.c
|
||||
SRCS+= procfs_mem.c
|
||||
SRCS+= procfs_note.c
|
||||
|
||||
File diff suppressed because it is too large
Load Diff
@ -195,6 +195,8 @@ void mac_init_pipe(struct pipe *);
|
||||
int mac_init_mbuf(struct mbuf *m, int flag);
|
||||
void mac_init_mount(struct mount *);
|
||||
void mac_init_vnode(struct vnode *);
|
||||
void mac_init_vnode_label(struct label *);
|
||||
void mac_copy_vnode_label(struct label *, struct label *label);
|
||||
void mac_destroy_bpfdesc(struct bpf_d *);
|
||||
void mac_destroy_cred(struct ucred *);
|
||||
void mac_destroy_devfsdirent(struct devfs_dirent *);
|
||||
@ -205,26 +207,29 @@ void mac_destroy_pipe(struct pipe *);
|
||||
void mac_destroy_mbuf(struct mbuf *);
|
||||
void mac_destroy_mount(struct mount *);
|
||||
void mac_destroy_vnode(struct vnode *);
|
||||
void mac_destroy_vnode_label(struct label *);
|
||||
|
||||
/*
|
||||
* Labeling event operations: file system objects, and things that
|
||||
* look a lot like file system objects.
|
||||
*/
|
||||
void mac_associate_vnode_devfs(struct mount *mp, struct devfs_dirent *de,
|
||||
struct vnode *vp);
|
||||
int mac_associate_vnode_extattr(struct mount *mp, struct vnode *vp);
|
||||
void mac_associate_vnode_singlelabel(struct mount *mp, struct vnode *vp);
|
||||
void mac_create_devfs_device(dev_t dev, struct devfs_dirent *de);
|
||||
void mac_create_devfs_directory(char *dirname, int dirnamelen,
|
||||
struct devfs_dirent *de);
|
||||
void mac_create_devfs_symlink(struct ucred *cred, struct devfs_dirent *dd,
|
||||
struct devfs_dirent *de);
|
||||
void mac_create_devfs_vnode(struct devfs_dirent *de, struct vnode *vp);
|
||||
void mac_create_vnode(struct ucred *cred, struct vnode *parent,
|
||||
struct vnode *child);
|
||||
int mac_create_vnode_extattr(struct ucred *cred, struct mount *mp,
|
||||
struct vnode *dvp, struct vnode *vp, struct componentname *cnp);
|
||||
void mac_create_mount(struct ucred *cred, struct mount *mp);
|
||||
void mac_create_root_mount(struct ucred *cred, struct mount *mp);
|
||||
void mac_relabel_vnode(struct ucred *cred, struct vnode *vp,
|
||||
struct label *newlabel);
|
||||
void mac_update_devfsdirent(struct devfs_dirent *de, struct vnode *vp);
|
||||
void mac_update_procfsvnode(struct vnode *vp, struct ucred *cred);
|
||||
void mac_update_vnode_from_mount(struct vnode *vp, struct mount *mp);
|
||||
|
||||
/*
|
||||
* Labeling event operations: IPC objects.
|
||||
@ -362,9 +367,6 @@ int mac_pipe_label_set(struct ucred *cred, struct pipe *pipe,
|
||||
* Calls to help various file systems implement labeling functionality
|
||||
* using their existing EA implementation.
|
||||
*/
|
||||
int vop_stdcreatevnode_ea(struct vnode *dvp, struct vnode *tvp,
|
||||
struct ucred *cred);
|
||||
int vop_stdrefreshlabel_ea(struct vop_refreshlabel_args *ap);
|
||||
int vop_stdsetlabel_ea(struct vop_setlabel_args *ap);
|
||||
|
||||
#endif /* _KERNEL */
|
||||
|
||||
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
@ -118,8 +118,6 @@ struct mac_policy_ops {
|
||||
int (*mpo_externalize_vnode_label)(struct label *label,
|
||||
char *element_name, char *buffer, size_t buflen,
|
||||
size_t *len, int *claimed);
|
||||
int (*mpo_externalize_vnode_oldmac)(struct label *label,
|
||||
struct oldmac *extmac);
|
||||
int (*mpo_internalize_cred_label)(struct label *label,
|
||||
char *element_name, char *element_data, int *claimed);
|
||||
int (*mpo_internalize_ifnet_label)(struct label *label,
|
||||
@ -135,6 +133,16 @@ struct mac_policy_ops {
|
||||
* Labeling event operations: file system objects, and things that
|
||||
* look a lot like file system objects.
|
||||
*/
|
||||
void (*mpo_associate_vnode_devfs)(struct mount *mp,
|
||||
struct label *fslabel, struct devfs_dirent *de,
|
||||
struct label *delabel, struct vnode *vp,
|
||||
struct label *vlabel);
|
||||
int (*mpo_associate_vnode_extattr)(struct mount *mp,
|
||||
struct label *fslabel, struct vnode *vp,
|
||||
struct label *vlabel);
|
||||
void (*mpo_associate_vnode_singlelabel)(struct mount *mp,
|
||||
struct label *fslabel, struct vnode *vp,
|
||||
struct label *vlabel);
|
||||
void (*mpo_create_devfs_device)(dev_t dev, struct devfs_dirent *de,
|
||||
struct label *label);
|
||||
void (*mpo_create_devfs_directory)(char *dirname, int dirnamelen,
|
||||
@ -145,30 +153,23 @@ struct mac_policy_ops {
|
||||
void (*mpo_create_devfs_vnode)(struct devfs_dirent *de,
|
||||
struct label *direntlabel, struct vnode *vp,
|
||||
struct label *vnodelabel);
|
||||
void (*mpo_create_vnode)(struct ucred *cred, struct vnode *parent,
|
||||
struct label *parentlabel, struct vnode *child,
|
||||
struct label *childlabel);
|
||||
int (*mpo_create_vnode_extattr)(struct ucred *cred,
|
||||
struct mount *mp, struct label *fslabel,
|
||||
struct vnode *dvp, struct label *dlabel,
|
||||
struct vnode *vp, struct label *vlabel,
|
||||
struct componentname *cnp);
|
||||
void (*mpo_create_mount)(struct ucred *cred, struct mount *mp,
|
||||
struct label *mntlabel, struct label *fslabel);
|
||||
void (*mpo_create_root_mount)(struct ucred *cred, struct mount *mp,
|
||||
struct label *mountlabel, struct label *fslabel);
|
||||
void (*mpo_relabel_vnode)(struct ucred *cred, struct vnode *vp,
|
||||
struct label *vnodelabel, struct label *label);
|
||||
int (*mpo_stdcreatevnode_ea)(struct vnode *vp,
|
||||
struct label *vnodelabel);
|
||||
int (*mpo_setlabel_vnode_extattr)(struct ucred *cred,
|
||||
struct vnode *vp, struct label *vlabel,
|
||||
struct label *intlabel);
|
||||
void (*mpo_update_devfsdirent)(struct devfs_dirent *devfs_dirent,
|
||||
struct label *direntlabel, struct vnode *vp,
|
||||
struct label *vnodelabel);
|
||||
void (*mpo_update_procfsvnode)(struct vnode *vp,
|
||||
struct label *vnodelabel, struct ucred *cred);
|
||||
int (*mpo_update_vnode_from_extattr)(struct vnode *vp,
|
||||
struct label *vnodelabel, struct mount *mp,
|
||||
struct label *fslabel);
|
||||
int (*mpo_update_vnode_from_externalized)(struct vnode *vp,
|
||||
struct label *vnodelabel, struct oldmac *extmac);
|
||||
void (*mpo_update_vnode_from_mount)(struct vnode *vp,
|
||||
struct label *vnodelabel, struct mount *mp,
|
||||
struct label *fslabel);
|
||||
|
||||
/*
|
||||
* Labeling event operations: IPC objects.
|
||||
@ -431,7 +432,6 @@ enum mac_op_constant {
|
||||
MAC_EXTERNALIZE_SOCKET_LABEL,
|
||||
MAC_EXTERNALIZE_SOCKET_PEER_LABEL,
|
||||
MAC_EXTERNALIZE_VNODE_LABEL,
|
||||
MAC_EXTERNALIZE_VNODE_OLDMAC,
|
||||
MAC_INTERNALIZE_CRED_LABEL,
|
||||
MAC_INTERNALIZE_IFNET_LABEL,
|
||||
MAC_INTERNALIZE_PIPE_LABEL,
|
||||
@ -441,16 +441,15 @@ enum mac_op_constant {
|
||||
MAC_CREATE_DEVFS_DIRECTORY,
|
||||
MAC_CREATE_DEVFS_SYMLINK,
|
||||
MAC_CREATE_DEVFS_VNODE,
|
||||
MAC_CREATE_VNODE,
|
||||
MAC_CREATE_MOUNT,
|
||||
MAC_CREATE_ROOT_MOUNT,
|
||||
MAC_RELABEL_VNODE,
|
||||
MAC_STDCREATEVNODE_EA,
|
||||
MAC_UPDATE_DEVFSDIRENT,
|
||||
MAC_UPDATE_PROCFSVNODE,
|
||||
MAC_UPDATE_VNODE_FROM_EXTATTR,
|
||||
MAC_UPDATE_VNODE_FROM_EXTERNALIZED,
|
||||
MAC_UPDATE_VNODE_FROM_MOUNT,
|
||||
MAC_ASSOCIATE_VNODE_DEVFS,
|
||||
MAC_ASSOCIATE_VNODE_EXTATTR,
|
||||
MAC_ASSOCIATE_VNODE_SINGLELABEL,
|
||||
MAC_CREATE_VNODE_EXTATTR,
|
||||
MAC_SETLABEL_VNODE_EXTATTR,
|
||||
MAC_CREATE_MBUF_FROM_SOCKET,
|
||||
MAC_CREATE_PIPE,
|
||||
MAC_CREATE_SOCKET,
|
||||
|
||||
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
@ -46,6 +46,7 @@
|
||||
#include <sys/param.h>
|
||||
#include <sys/acl.h>
|
||||
#include <sys/conf.h>
|
||||
#include <sys/extattr.h>
|
||||
#include <sys/kernel.h>
|
||||
#include <sys/mac.h>
|
||||
#include <sys/malloc.h>
|
||||
@ -83,6 +84,10 @@ SYSCTL_DECL(_security_mac);
|
||||
SYSCTL_NODE(_security_mac, OID_AUTO, biba, CTLFLAG_RW, 0,
|
||||
"TrustedBSD mac_biba policy controls");
|
||||
|
||||
static int mac_biba_label_size = sizeof(struct mac_biba);
|
||||
SYSCTL_INT(_security_mac_biba, OID_AUTO, label_size, CTLFLAG_RD,
|
||||
&mac_biba_label_size, 0, "Size of struct mac_biba");
|
||||
|
||||
static int mac_biba_enabled = 0;
|
||||
SYSCTL_INT(_security_mac_biba, OID_AUTO, enabled, CTLFLAG_RW,
|
||||
&mac_biba_enabled, 0, "Enforce MAC/Biba policy");
|
||||
@ -214,6 +219,19 @@ mac_biba_dominate_element(struct mac_biba_element *a,
|
||||
return (0);
|
||||
}
|
||||
|
||||
static int
|
||||
mac_biba_subject_dominate_high(struct mac_biba *mac_biba)
|
||||
{
|
||||
struct mac_biba_element *element;
|
||||
|
||||
KASSERT((mac_biba->mb_single->mb_flags & MAC_BIBA_FLAG_SINGLE) != 0,
|
||||
("mac_biba_single_in_range: mac_biba not single"));
|
||||
element = &mac_biba->mb_single;
|
||||
|
||||
return (element->mbe_type == MAC_BIBA_TYPE_EQUAL ||
|
||||
element->mbe_type == MAC_BIBA_TYPE_HIGH);
|
||||
}
|
||||
|
||||
static int
|
||||
mac_biba_range_in_range(struct mac_biba *rangea, struct mac_biba *rangeb)
|
||||
{
|
||||
@ -319,6 +337,15 @@ mac_biba_subject_equal_ok(struct mac_biba *mac_biba)
|
||||
return (EPERM);
|
||||
}
|
||||
|
||||
mac_biba_high_single(struct mac_biba *mac_biba)
|
||||
{
|
||||
|
||||
KASSERT((mac_biba->mb_flags & MAC_BIBA_FLAG_SINGLE) != 0,
|
||||
("mac_biba_equal_single: mac_biba not single"));
|
||||
|
||||
return (mac_biba->mb_single.mbe_type == MAC_BIBA_TYPE_HIGH);
|
||||
}
|
||||
|
||||
static int
|
||||
mac_biba_valid(struct mac_biba *mac_biba)
|
||||
{
|
||||
@ -619,23 +646,6 @@ mac_biba_externalize_label(struct label *label, char *element_name,
|
||||
return (0);
|
||||
}
|
||||
|
||||
static int
|
||||
mac_biba_externalize_vnode_oldmac(struct label *label, struct oldmac *extmac)
|
||||
{
|
||||
struct mac_biba *mac_biba;
|
||||
|
||||
mac_biba = SLOT(label);
|
||||
|
||||
if (mac_biba == NULL) {
|
||||
printf("mac_biba_externalize_vnode_oldmac: NULL pointer\n");
|
||||
return (0);
|
||||
}
|
||||
|
||||
extmac->m_biba = *mac_biba;
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
static int
|
||||
mac_biba_parse_element(struct mac_biba_element *element, char *string)
|
||||
{
|
||||
@ -846,18 +856,6 @@ mac_biba_create_devfs_vnode(struct devfs_dirent *devfs_dirent,
|
||||
mac_biba_copy_single(source, dest);
|
||||
}
|
||||
|
||||
static void
|
||||
mac_biba_create_vnode(struct ucred *cred, struct vnode *parent,
|
||||
struct label *parentlabel, struct vnode *child, struct label *childlabel)
|
||||
{
|
||||
struct mac_biba *source, *dest;
|
||||
|
||||
source = SLOT(&cred->cr_label);
|
||||
dest = SLOT(childlabel);
|
||||
|
||||
mac_biba_copy_single(source, dest);
|
||||
}
|
||||
|
||||
static void
|
||||
mac_biba_create_mount(struct ucred *cred, struct mount *mp,
|
||||
struct label *mntlabel, struct label *fslabel)
|
||||
@ -909,55 +907,116 @@ mac_biba_update_devfsdirent(struct devfs_dirent *devfs_dirent,
|
||||
}
|
||||
|
||||
static void
|
||||
mac_biba_update_procfsvnode(struct vnode *vp, struct label *vnodelabel,
|
||||
struct ucred *cred)
|
||||
mac_biba_associate_vnode_devfs(struct mount *mp, struct label *fslabel,
|
||||
struct devfs_dirent *de, struct label *delabel, struct vnode *vp,
|
||||
struct label *vlabel)
|
||||
{
|
||||
struct mac_biba *source, *dest;
|
||||
|
||||
source = SLOT(&cred->cr_label);
|
||||
dest = SLOT(vnodelabel);
|
||||
source = SLOT(delabel);
|
||||
dest = SLOT(vlabel);
|
||||
|
||||
/*
|
||||
* Only copy the single, not the range, since vnodes only have
|
||||
* a single.
|
||||
*/
|
||||
mac_biba_copy_single(source, dest);
|
||||
}
|
||||
|
||||
static int
|
||||
mac_biba_update_vnode_from_externalized(struct vnode *vp,
|
||||
struct label *vnodelabel, struct oldmac *extmac)
|
||||
mac_biba_associate_vnode_extattr(struct mount *mp, struct label *fslabel,
|
||||
struct vnode *vp, struct label *vlabel)
|
||||
{
|
||||
struct mac_biba *source, *dest;
|
||||
struct mac_biba temp, *source, *dest;
|
||||
size_t buflen;
|
||||
int error;
|
||||
|
||||
source = &extmac->m_biba;
|
||||
dest = SLOT(vnodelabel);
|
||||
source = SLOT(fslabel);
|
||||
dest = SLOT(vlabel);
|
||||
|
||||
error = mac_biba_valid(source);
|
||||
if (error)
|
||||
buflen = sizeof(temp);
|
||||
bzero(&temp, buflen);
|
||||
|
||||
error = vn_extattr_get(vp, IO_NODELOCKED, MAC_BIBA_EXTATTR_NAMESPACE,
|
||||
MAC_BIBA_EXTATTR_NAME, &buflen, (char *) &temp, curthread);
|
||||
if (error == ENOATTR || error == EOPNOTSUPP) {
|
||||
/* Fall back to the fslabel. */
|
||||
mac_biba_copy_single(source, dest);
|
||||
return (0);
|
||||
} else if (error)
|
||||
return (error);
|
||||
|
||||
if ((source->mb_flags & MAC_BIBA_FLAGS_BOTH) != MAC_BIBA_FLAG_SINGLE)
|
||||
return (EINVAL);
|
||||
|
||||
mac_biba_copy_single(source, dest);
|
||||
if (buflen != sizeof(temp)) {
|
||||
printf("mac_biba_associate_vnode_extattr: bad size %d\n",
|
||||
buflen);
|
||||
return (EPERM);
|
||||
}
|
||||
if (mac_biba_valid(&temp) != 0) {
|
||||
printf("mac_biba_associate_vnode_extattr: invalid\n");
|
||||
return (EPERM);
|
||||
}
|
||||
if ((temp.mb_flags & MAC_BIBA_FLAGS_BOTH) != MAC_BIBA_FLAG_SINGLE) {
|
||||
printf("mac_biba_associate_vnode_extattr: not single\n");
|
||||
return (EPERM);
|
||||
}
|
||||
|
||||
mac_biba_copy_single(&temp, dest);
|
||||
return (0);
|
||||
}
|
||||
|
||||
static void
|
||||
mac_biba_update_vnode_from_mount(struct vnode *vp, struct label *vnodelabel,
|
||||
struct mount *mp, struct label *fslabel)
|
||||
mac_biba_associate_vnode_singlelabel(struct mount *mp,
|
||||
struct label *fslabel, struct vnode *vp, struct label *vlabel)
|
||||
{
|
||||
struct mac_biba *source, *dest;
|
||||
|
||||
source = SLOT(fslabel);
|
||||
dest = SLOT(vnodelabel);
|
||||
dest = SLOT(vlabel);
|
||||
|
||||
mac_biba_copy_single(source, dest);
|
||||
}
|
||||
|
||||
static int
|
||||
mac_biba_create_vnode_extattr(struct ucred *cred, struct mount *mp,
|
||||
struct label *fslabel, struct vnode *dvp, struct label *dlabel,
|
||||
struct vnode *vp, struct label *vlabel, struct componentname *cnp)
|
||||
{
|
||||
struct mac_biba *source, *dest, temp;
|
||||
size_t buflen;
|
||||
int error;
|
||||
|
||||
buflen = sizeof(temp);
|
||||
bzero(&temp, buflen);
|
||||
|
||||
source = SLOT(&cred->cr_label);
|
||||
dest = SLOT(vlabel);
|
||||
mac_biba_copy_single(source, &temp);
|
||||
|
||||
error = vn_extattr_set(vp, IO_NODELOCKED, MAC_BIBA_EXTATTR_NAMESPACE,
|
||||
MAC_BIBA_EXTATTR_NAME, buflen, (char *) &temp, curthread);
|
||||
if (error == 0)
|
||||
mac_biba_copy_single(source, dest);
|
||||
return (error);
|
||||
}
|
||||
|
||||
static int
|
||||
mac_biba_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
|
||||
struct label *vlabel, struct label *intlabel)
|
||||
{
|
||||
struct mac_biba *source, temp;
|
||||
size_t buflen;
|
||||
int error;
|
||||
|
||||
buflen = sizeof(temp);
|
||||
bzero(&temp, buflen);
|
||||
|
||||
source = SLOT(intlabel);
|
||||
if ((source->mb_flags & MAC_BIBA_FLAG_SINGLE) == 0)
|
||||
return (0);
|
||||
|
||||
mac_biba_copy_single(source, &temp);
|
||||
|
||||
error = vn_extattr_set(vp, IO_NODELOCKED, MAC_BIBA_EXTATTR_NAMESPACE,
|
||||
MAC_BIBA_EXTATTR_NAME, buflen, (char *) &temp, curthread);
|
||||
return (error);
|
||||
}
|
||||
|
||||
/*
|
||||
* Labeling event operations: IPC object.
|
||||
*/
|
||||
@ -2450,8 +2509,6 @@ static struct mac_policy_op_entry mac_biba_ops[] =
|
||||
(macop_t)mac_biba_externalize_label },
|
||||
{ MAC_EXTERNALIZE_VNODE_LABEL,
|
||||
(macop_t)mac_biba_externalize_label },
|
||||
{ MAC_EXTERNALIZE_VNODE_OLDMAC,
|
||||
(macop_t)mac_biba_externalize_vnode_oldmac },
|
||||
{ MAC_INTERNALIZE_CRED_LABEL,
|
||||
(macop_t)mac_biba_internalize_label },
|
||||
{ MAC_INTERNALIZE_IFNET_LABEL,
|
||||
@ -2470,8 +2527,6 @@ static struct mac_policy_op_entry mac_biba_ops[] =
|
||||
(macop_t)mac_biba_create_devfs_symlink },
|
||||
{ MAC_CREATE_DEVFS_VNODE,
|
||||
(macop_t)mac_biba_create_devfs_vnode },
|
||||
{ MAC_CREATE_VNODE,
|
||||
(macop_t)mac_biba_create_vnode },
|
||||
{ MAC_CREATE_MOUNT,
|
||||
(macop_t)mac_biba_create_mount },
|
||||
{ MAC_CREATE_ROOT_MOUNT,
|
||||
@ -2480,12 +2535,16 @@ static struct mac_policy_op_entry mac_biba_ops[] =
|
||||
(macop_t)mac_biba_relabel_vnode },
|
||||
{ MAC_UPDATE_DEVFSDIRENT,
|
||||
(macop_t)mac_biba_update_devfsdirent },
|
||||
{ MAC_UPDATE_PROCFSVNODE,
|
||||
(macop_t)mac_biba_update_procfsvnode },
|
||||
{ MAC_UPDATE_VNODE_FROM_EXTERNALIZED,
|
||||
(macop_t)mac_biba_update_vnode_from_externalized },
|
||||
{ MAC_UPDATE_VNODE_FROM_MOUNT,
|
||||
(macop_t)mac_biba_update_vnode_from_mount },
|
||||
{ MAC_ASSOCIATE_VNODE_DEVFS,
|
||||
(macop_t)mac_biba_associate_vnode_devfs },
|
||||
{ MAC_ASSOCIATE_VNODE_EXTATTR,
|
||||
(macop_t)mac_biba_associate_vnode_extattr },
|
||||
{ MAC_ASSOCIATE_VNODE_SINGLELABEL,
|
||||
(macop_t)mac_biba_associate_vnode_singlelabel },
|
||||
{ MAC_CREATE_VNODE_EXTATTR,
|
||||
(macop_t)mac_biba_create_vnode_extattr },
|
||||
{ MAC_SETLABEL_VNODE_EXTATTR,
|
||||
(macop_t)mac_biba_setlabel_vnode_extattr },
|
||||
{ MAC_CREATE_MBUF_FROM_SOCKET,
|
||||
(macop_t)mac_biba_create_mbuf_from_socket },
|
||||
{ MAC_CREATE_PIPE,
|
||||
|
||||
@ -46,6 +46,7 @@
|
||||
#include <sys/param.h>
|
||||
#include <sys/acl.h>
|
||||
#include <sys/conf.h>
|
||||
#include <sys/extattr.h>
|
||||
#include <sys/kernel.h>
|
||||
#include <sys/mac.h>
|
||||
#include <sys/malloc.h>
|
||||
@ -83,6 +84,10 @@ SYSCTL_DECL(_security_mac);
|
||||
SYSCTL_NODE(_security_mac, OID_AUTO, mls, CTLFLAG_RW, 0,
|
||||
"TrustedBSD mac_mls policy controls");
|
||||
|
||||
static int mac_mls_label_size = sizeof(struct mac_mls);
|
||||
SYSCTL_INT(_security_mac_mls, OID_AUTO, label_size, CTLFLAG_RD,
|
||||
&mac_mls_label_size, 0, "Size of struct mac_mls");
|
||||
|
||||
static int mac_mls_enabled = 0;
|
||||
SYSCTL_INT(_security_mac_mls, OID_AUTO, enabled, CTLFLAG_RW,
|
||||
&mac_mls_enabled, 0, "Enforce MAC/MLS policy");
|
||||
@ -608,23 +613,6 @@ mac_mls_externalize_label(struct label *label, char *element_name,
|
||||
return (0);
|
||||
}
|
||||
|
||||
static int
|
||||
mac_mls_externalize_vnode_oldmac(struct label *label, struct oldmac *extmac)
|
||||
{
|
||||
struct mac_mls *mac_mls;
|
||||
|
||||
mac_mls = SLOT(label);
|
||||
|
||||
if (mac_mls == NULL) {
|
||||
printf("mac_mls_externalize: NULL pointer\n");
|
||||
return (0);
|
||||
}
|
||||
|
||||
extmac->m_mls = *mac_mls;
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
static int
|
||||
mac_mls_parse_element(struct mac_mls_element *element, char *string)
|
||||
{
|
||||
@ -838,18 +826,6 @@ mac_mls_create_devfs_vnode(struct devfs_dirent *devfs_dirent,
|
||||
mac_mls_copy_single(source, dest);
|
||||
}
|
||||
|
||||
static void
|
||||
mac_mls_create_vnode(struct ucred *cred, struct vnode *parent,
|
||||
struct label *parentlabel, struct vnode *child, struct label *childlabel)
|
||||
{
|
||||
struct mac_mls *source, *dest;
|
||||
|
||||
source = SLOT(&cred->cr_label);
|
||||
dest = SLOT(childlabel);
|
||||
|
||||
mac_mls_copy_single(source, dest);
|
||||
}
|
||||
|
||||
static void
|
||||
mac_mls_create_mount(struct ucred *cred, struct mount *mp,
|
||||
struct label *mntlabel, struct label *fslabel)
|
||||
@ -901,55 +877,116 @@ mac_mls_update_devfsdirent(struct devfs_dirent *devfs_dirent,
|
||||
}
|
||||
|
||||
static void
|
||||
mac_mls_update_procfsvnode(struct vnode *vp, struct label *vnodelabel,
|
||||
struct ucred *cred)
|
||||
mac_mls_associate_vnode_devfs(struct mount *mp, struct label *fslabel,
|
||||
struct devfs_dirent *de, struct label *delabel, struct vnode *vp,
|
||||
struct label *vlabel)
|
||||
{
|
||||
struct mac_mls *source, *dest;
|
||||
|
||||
source = SLOT(&cred->cr_label);
|
||||
dest = SLOT(vnodelabel);
|
||||
source = SLOT(delabel);
|
||||
dest = SLOT(vlabel);
|
||||
|
||||
/*
|
||||
* Only copy the single, not the range, since vnodes only have
|
||||
* a single.
|
||||
*/
|
||||
mac_mls_copy_single(source, dest);
|
||||
}
|
||||
|
||||
static int
|
||||
mac_mls_update_vnode_from_externalized(struct vnode *vp,
|
||||
struct label *vnodelabel, struct oldmac *extmac)
|
||||
mac_mls_associate_vnode_extattr(struct mount *mp, struct label *fslabel,
|
||||
struct vnode *vp, struct label *vlabel)
|
||||
{
|
||||
struct mac_mls *source, *dest;
|
||||
struct mac_mls temp, *source, *dest;
|
||||
size_t buflen;
|
||||
int error;
|
||||
|
||||
source = &extmac->m_mls;
|
||||
dest = SLOT(vnodelabel);
|
||||
source = SLOT(fslabel);
|
||||
dest = SLOT(vlabel);
|
||||
|
||||
error = mac_mls_valid(source);
|
||||
if (error)
|
||||
buflen = sizeof(temp);
|
||||
bzero(&temp, buflen);
|
||||
|
||||
error = vn_extattr_get(vp, IO_NODELOCKED, MAC_MLS_EXTATTR_NAMESPACE,
|
||||
MAC_MLS_EXTATTR_NAME, &buflen, (char *) &temp, curthread);
|
||||
if (error == ENOATTR || error == EOPNOTSUPP) {
|
||||
/* Fall back to the fslabel. */
|
||||
mac_mls_copy_single(source, dest);
|
||||
return (0);
|
||||
} else if (error)
|
||||
return (error);
|
||||
|
||||
if ((source->mm_flags & MAC_MLS_FLAGS_BOTH) != MAC_MLS_FLAG_SINGLE)
|
||||
return (EINVAL);
|
||||
|
||||
mac_mls_copy_single(source, dest);
|
||||
if (buflen != sizeof(temp)) {
|
||||
printf("mac_mls_associate_vnode_extattr: bad size %d\n",
|
||||
buflen);
|
||||
return (EPERM);
|
||||
}
|
||||
if (mac_mls_valid(&temp) != 0) {
|
||||
printf("mac_mls_associate_vnode_extattr: invalid\n");
|
||||
return (EPERM);
|
||||
}
|
||||
if ((temp.mm_flags & MAC_MLS_FLAGS_BOTH) != MAC_MLS_FLAG_SINGLE) {
|
||||
printf("mac_mls_associated_vnode_extattr: not single\n");
|
||||
return (EPERM);
|
||||
}
|
||||
|
||||
mac_mls_copy_single(&temp, dest);
|
||||
return (0);
|
||||
}
|
||||
|
||||
static void
|
||||
mac_mls_update_vnode_from_mount(struct vnode *vp, struct label *vnodelabel,
|
||||
struct mount *mp, struct label *fslabel)
|
||||
mac_mls_associate_vnode_singlelabel(struct mount *mp,
|
||||
struct label *fslabel, struct vnode *vp, struct label *vlabel)
|
||||
{
|
||||
struct mac_mls *source, *dest;
|
||||
|
||||
source = SLOT(fslabel);
|
||||
dest = SLOT(vnodelabel);
|
||||
dest = SLOT(vlabel);
|
||||
|
||||
mac_mls_copy_single(source, dest);
|
||||
}
|
||||
|
||||
static int
|
||||
mac_mls_create_vnode_extattr(struct ucred *cred, struct mount *mp,
|
||||
struct label *fslabel, struct vnode *dvp, struct label *dlabel,
|
||||
struct vnode *vp, struct label *vlabel, struct componentname *cnp)
|
||||
{
|
||||
struct mac_mls *source, *dest, temp;
|
||||
size_t buflen;
|
||||
int error;
|
||||
|
||||
buflen = sizeof(temp);
|
||||
bzero(&temp, buflen);
|
||||
|
||||
source = SLOT(&cred->cr_label);
|
||||
dest = SLOT(vlabel);
|
||||
mac_mls_copy_single(source, &temp);
|
||||
|
||||
error = vn_extattr_set(vp, IO_NODELOCKED, MAC_MLS_EXTATTR_NAMESPACE,
|
||||
MAC_MLS_EXTATTR_NAME, buflen, (char *) &temp, curthread);
|
||||
if (error == 0)
|
||||
mac_mls_copy_single(source, dest);
|
||||
return (error);
|
||||
}
|
||||
|
||||
static int
|
||||
mac_mls_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
|
||||
struct label *vlabel, struct label *intlabel)
|
||||
{
|
||||
struct mac_mls *source, temp;
|
||||
size_t buflen;
|
||||
int error;
|
||||
|
||||
buflen = sizeof(temp);
|
||||
bzero(&temp, buflen);
|
||||
|
||||
source = SLOT(intlabel);
|
||||
if ((source->mm_flags & MAC_MLS_FLAG_SINGLE) == 0)
|
||||
return (0);
|
||||
|
||||
mac_mls_copy_single(source, &temp);
|
||||
|
||||
error = vn_extattr_set(vp, IO_NODELOCKED, MAC_MLS_EXTATTR_NAMESPACE,
|
||||
MAC_MLS_EXTATTR_NAME, buflen, (char *) &temp, curthread);
|
||||
return (error);
|
||||
}
|
||||
|
||||
/*
|
||||
* Labeling event operations: IPC object.
|
||||
*/
|
||||
@ -2405,8 +2442,6 @@ static struct mac_policy_op_entry mac_mls_ops[] =
|
||||
(macop_t)mac_mls_externalize_label },
|
||||
{ MAC_EXTERNALIZE_VNODE_LABEL,
|
||||
(macop_t)mac_mls_externalize_label },
|
||||
{ MAC_EXTERNALIZE_VNODE_OLDMAC,
|
||||
(macop_t)mac_mls_externalize_vnode_oldmac },
|
||||
{ MAC_INTERNALIZE_CRED_LABEL,
|
||||
(macop_t)mac_mls_internalize_label },
|
||||
{ MAC_INTERNALIZE_IFNET_LABEL,
|
||||
@ -2425,8 +2460,6 @@ static struct mac_policy_op_entry mac_mls_ops[] =
|
||||
(macop_t)mac_mls_create_devfs_symlink },
|
||||
{ MAC_CREATE_DEVFS_VNODE,
|
||||
(macop_t)mac_mls_create_devfs_vnode },
|
||||
{ MAC_CREATE_VNODE,
|
||||
(macop_t)mac_mls_create_vnode },
|
||||
{ MAC_CREATE_MOUNT,
|
||||
(macop_t)mac_mls_create_mount },
|
||||
{ MAC_CREATE_ROOT_MOUNT,
|
||||
@ -2435,12 +2468,16 @@ static struct mac_policy_op_entry mac_mls_ops[] =
|
||||
(macop_t)mac_mls_relabel_vnode },
|
||||
{ MAC_UPDATE_DEVFSDIRENT,
|
||||
(macop_t)mac_mls_update_devfsdirent },
|
||||
{ MAC_UPDATE_PROCFSVNODE,
|
||||
(macop_t)mac_mls_update_procfsvnode },
|
||||
{ MAC_UPDATE_VNODE_FROM_EXTERNALIZED,
|
||||
(macop_t)mac_mls_update_vnode_from_externalized },
|
||||
{ MAC_UPDATE_VNODE_FROM_MOUNT,
|
||||
(macop_t)mac_mls_update_vnode_from_mount },
|
||||
{ MAC_ASSOCIATE_VNODE_DEVFS,
|
||||
(macop_t)mac_mls_associate_vnode_devfs },
|
||||
{ MAC_ASSOCIATE_VNODE_EXTATTR,
|
||||
(macop_t)mac_mls_associate_vnode_extattr },
|
||||
{ MAC_ASSOCIATE_VNODE_SINGLELABEL,
|
||||
(macop_t)mac_mls_associate_vnode_singlelabel },
|
||||
{ MAC_CREATE_VNODE_EXTATTR,
|
||||
(macop_t)mac_mls_create_vnode_extattr },
|
||||
{ MAC_SETLABEL_VNODE_EXTATTR,
|
||||
(macop_t)mac_mls_setlabel_vnode_extattr },
|
||||
{ MAC_CREATE_MBUF_FROM_SOCKET,
|
||||
(macop_t)mac_mls_create_mbuf_from_socket },
|
||||
{ MAC_CREATE_PIPE,
|
||||
|
||||
@ -46,6 +46,7 @@
|
||||
#include <sys/param.h>
|
||||
#include <sys/acl.h>
|
||||
#include <sys/conf.h>
|
||||
#include <sys/extattr.h>
|
||||
#include <sys/kernel.h>
|
||||
#include <sys/mac.h>
|
||||
#include <sys/mount.h>
|
||||
@ -135,13 +136,6 @@ mac_none_externalize_label(struct label *label, char *element_name,
|
||||
return (0);
|
||||
}
|
||||
|
||||
static int
|
||||
mac_none_externalize_vnode_oldmac(struct label *label, struct oldmac *extmac)
|
||||
{
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
static int
|
||||
mac_none_internalize_label(struct label *label, char *element_name,
|
||||
char *element_data, int *claimed)
|
||||
@ -154,6 +148,29 @@ mac_none_internalize_label(struct label *label, char *element_name,
|
||||
* Labeling event operations: file system objects, and things that look
|
||||
* a lot like file system objects.
|
||||
*/
|
||||
static void
|
||||
mac_none_associate_vnode_devfs(struct mount *mp, struct label *fslabel,
|
||||
struct devfs_dirent *de, struct label *delabel, struct vnode *vp,
|
||||
struct label *vlabel)
|
||||
{
|
||||
|
||||
}
|
||||
|
||||
static int
|
||||
mac_none_associate_vnode_extattr(struct mount *mp, struct label *fslabel,
|
||||
struct vnode *vp, struct label *vlabel)
|
||||
{
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
static void
|
||||
mac_none_associate_vnode_singlelabel(struct mount *mp,
|
||||
struct label *fslabel, struct vnode *vp, struct label *vlabel)
|
||||
{
|
||||
|
||||
}
|
||||
|
||||
static void
|
||||
mac_none_create_devfs_device(dev_t dev, struct devfs_dirent *devfs_dirent,
|
||||
struct label *label)
|
||||
@ -182,12 +199,13 @@ mac_none_create_devfs_vnode(struct devfs_dirent *devfs_dirent,
|
||||
|
||||
}
|
||||
|
||||
static void
|
||||
mac_none_create_vnode(struct ucred *cred, struct vnode *parent,
|
||||
struct label *parentlabel, struct vnode *child,
|
||||
struct label *childlabel)
|
||||
static int
|
||||
mac_none_create_vnode_extattr(struct ucred *cred, struct mount *mp,
|
||||
struct label *fslabel, struct vnode *dvp, struct label *dlabel,
|
||||
struct vnode *vp, struct label *vlabel, struct componentname *cnp)
|
||||
{
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
static void
|
||||
@ -211,31 +229,17 @@ mac_none_relabel_vnode(struct ucred *cred, struct vnode *vp,
|
||||
|
||||
}
|
||||
|
||||
static void
|
||||
mac_none_update_devfsdirent(struct devfs_dirent *devfs_dirent,
|
||||
struct label *direntlabel, struct vnode *vp, struct label *vnodelabel)
|
||||
{
|
||||
|
||||
}
|
||||
|
||||
static void
|
||||
mac_none_update_procfsvnode(struct vnode *vp, struct label *vnodelabel,
|
||||
struct ucred *cred)
|
||||
{
|
||||
|
||||
}
|
||||
|
||||
static int
|
||||
mac_none_update_vnode_from_externalized(struct vnode *vp,
|
||||
struct label *vnodelabel, struct oldmac *extmac)
|
||||
mac_none_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
|
||||
struct label *vlabel, struct label *intlabel)
|
||||
{
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
static void
|
||||
mac_none_update_vnode_from_mount(struct vnode *vp, struct label *vnodelabel,
|
||||
struct mount *mp, struct label *fslabel)
|
||||
mac_none_update_devfsdirent(struct devfs_dirent *devfs_dirent,
|
||||
struct label *direntlabel, struct vnode *vp, struct label *vnodelabel)
|
||||
{
|
||||
|
||||
}
|
||||
@ -924,8 +928,6 @@ static struct mac_policy_op_entry mac_none_ops[] =
|
||||
(macop_t)mac_none_externalize_label },
|
||||
{ MAC_EXTERNALIZE_VNODE_LABEL,
|
||||
(macop_t)mac_none_externalize_label },
|
||||
{ MAC_EXTERNALIZE_VNODE_OLDMAC,
|
||||
(macop_t)mac_none_externalize_vnode_oldmac },
|
||||
{ MAC_INTERNALIZE_CRED_LABEL,
|
||||
(macop_t)mac_none_internalize_label },
|
||||
{ MAC_INTERNALIZE_IFNET_LABEL,
|
||||
@ -936,6 +938,12 @@ static struct mac_policy_op_entry mac_none_ops[] =
|
||||
(macop_t)mac_none_internalize_label },
|
||||
{ MAC_INTERNALIZE_VNODE_LABEL,
|
||||
(macop_t)mac_none_internalize_label },
|
||||
{ MAC_ASSOCIATE_VNODE_DEVFS,
|
||||
(macop_t)mac_none_associate_vnode_devfs },
|
||||
{ MAC_ASSOCIATE_VNODE_EXTATTR,
|
||||
(macop_t)mac_none_associate_vnode_extattr },
|
||||
{ MAC_ASSOCIATE_VNODE_SINGLELABEL,
|
||||
(macop_t)mac_none_associate_vnode_singlelabel },
|
||||
{ MAC_CREATE_DEVFS_DEVICE,
|
||||
(macop_t)mac_none_create_devfs_device },
|
||||
{ MAC_CREATE_DEVFS_DIRECTORY,
|
||||
@ -944,22 +952,18 @@ static struct mac_policy_op_entry mac_none_ops[] =
|
||||
(macop_t)mac_none_create_devfs_symlink },
|
||||
{ MAC_CREATE_DEVFS_VNODE,
|
||||
(macop_t)mac_none_create_devfs_vnode },
|
||||
{ MAC_CREATE_VNODE,
|
||||
(macop_t)mac_none_create_vnode },
|
||||
{ MAC_CREATE_VNODE_EXTATTR,
|
||||
(macop_t)mac_none_create_vnode_extattr },
|
||||
{ MAC_CREATE_MOUNT,
|
||||
(macop_t)mac_none_create_mount },
|
||||
{ MAC_CREATE_ROOT_MOUNT,
|
||||
(macop_t)mac_none_create_root_mount },
|
||||
{ MAC_RELABEL_VNODE,
|
||||
(macop_t)mac_none_relabel_vnode },
|
||||
{ MAC_SETLABEL_VNODE_EXTATTR,
|
||||
(macop_t)mac_none_setlabel_vnode_extattr },
|
||||
{ MAC_UPDATE_DEVFSDIRENT,
|
||||
(macop_t)mac_none_update_devfsdirent },
|
||||
{ MAC_UPDATE_PROCFSVNODE,
|
||||
(macop_t)mac_none_update_procfsvnode },
|
||||
{ MAC_UPDATE_VNODE_FROM_EXTERNALIZED,
|
||||
(macop_t)mac_none_update_vnode_from_externalized },
|
||||
{ MAC_UPDATE_VNODE_FROM_MOUNT,
|
||||
(macop_t)mac_none_update_vnode_from_mount },
|
||||
{ MAC_CREATE_MBUF_FROM_SOCKET,
|
||||
(macop_t)mac_none_create_mbuf_from_socket },
|
||||
{ MAC_CREATE_PIPE,
|
||||
|
||||
@ -46,6 +46,7 @@
|
||||
#include <sys/param.h>
|
||||
#include <sys/acl.h>
|
||||
#include <sys/conf.h>
|
||||
#include <sys/extattr.h>
|
||||
#include <sys/kernel.h>
|
||||
#include <sys/mac.h>
|
||||
#include <sys/mount.h>
|
||||
@ -135,13 +136,6 @@ mac_none_externalize_label(struct label *label, char *element_name,
|
||||
return (0);
|
||||
}
|
||||
|
||||
static int
|
||||
mac_none_externalize_vnode_oldmac(struct label *label, struct oldmac *extmac)
|
||||
{
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
static int
|
||||
mac_none_internalize_label(struct label *label, char *element_name,
|
||||
char *element_data, int *claimed)
|
||||
@ -154,6 +148,29 @@ mac_none_internalize_label(struct label *label, char *element_name,
|
||||
* Labeling event operations: file system objects, and things that look
|
||||
* a lot like file system objects.
|
||||
*/
|
||||
static void
|
||||
mac_none_associate_vnode_devfs(struct mount *mp, struct label *fslabel,
|
||||
struct devfs_dirent *de, struct label *delabel, struct vnode *vp,
|
||||
struct label *vlabel)
|
||||
{
|
||||
|
||||
}
|
||||
|
||||
static int
|
||||
mac_none_associate_vnode_extattr(struct mount *mp, struct label *fslabel,
|
||||
struct vnode *vp, struct label *vlabel)
|
||||
{
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
static void
|
||||
mac_none_associate_vnode_singlelabel(struct mount *mp,
|
||||
struct label *fslabel, struct vnode *vp, struct label *vlabel)
|
||||
{
|
||||
|
||||
}
|
||||
|
||||
static void
|
||||
mac_none_create_devfs_device(dev_t dev, struct devfs_dirent *devfs_dirent,
|
||||
struct label *label)
|
||||
@ -182,12 +199,13 @@ mac_none_create_devfs_vnode(struct devfs_dirent *devfs_dirent,
|
||||
|
||||
}
|
||||
|
||||
static void
|
||||
mac_none_create_vnode(struct ucred *cred, struct vnode *parent,
|
||||
struct label *parentlabel, struct vnode *child,
|
||||
struct label *childlabel)
|
||||
static int
|
||||
mac_none_create_vnode_extattr(struct ucred *cred, struct mount *mp,
|
||||
struct label *fslabel, struct vnode *dvp, struct label *dlabel,
|
||||
struct vnode *vp, struct label *vlabel, struct componentname *cnp)
|
||||
{
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
static void
|
||||
@ -211,31 +229,17 @@ mac_none_relabel_vnode(struct ucred *cred, struct vnode *vp,
|
||||
|
||||
}
|
||||
|
||||
static void
|
||||
mac_none_update_devfsdirent(struct devfs_dirent *devfs_dirent,
|
||||
struct label *direntlabel, struct vnode *vp, struct label *vnodelabel)
|
||||
{
|
||||
|
||||
}
|
||||
|
||||
static void
|
||||
mac_none_update_procfsvnode(struct vnode *vp, struct label *vnodelabel,
|
||||
struct ucred *cred)
|
||||
{
|
||||
|
||||
}
|
||||
|
||||
static int
|
||||
mac_none_update_vnode_from_externalized(struct vnode *vp,
|
||||
struct label *vnodelabel, struct oldmac *extmac)
|
||||
mac_none_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
|
||||
struct label *vlabel, struct label *intlabel)
|
||||
{
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
static void
|
||||
mac_none_update_vnode_from_mount(struct vnode *vp, struct label *vnodelabel,
|
||||
struct mount *mp, struct label *fslabel)
|
||||
mac_none_update_devfsdirent(struct devfs_dirent *devfs_dirent,
|
||||
struct label *direntlabel, struct vnode *vp, struct label *vnodelabel)
|
||||
{
|
||||
|
||||
}
|
||||
@ -924,8 +928,6 @@ static struct mac_policy_op_entry mac_none_ops[] =
|
||||
(macop_t)mac_none_externalize_label },
|
||||
{ MAC_EXTERNALIZE_VNODE_LABEL,
|
||||
(macop_t)mac_none_externalize_label },
|
||||
{ MAC_EXTERNALIZE_VNODE_OLDMAC,
|
||||
(macop_t)mac_none_externalize_vnode_oldmac },
|
||||
{ MAC_INTERNALIZE_CRED_LABEL,
|
||||
(macop_t)mac_none_internalize_label },
|
||||
{ MAC_INTERNALIZE_IFNET_LABEL,
|
||||
@ -936,6 +938,12 @@ static struct mac_policy_op_entry mac_none_ops[] =
|
||||
(macop_t)mac_none_internalize_label },
|
||||
{ MAC_INTERNALIZE_VNODE_LABEL,
|
||||
(macop_t)mac_none_internalize_label },
|
||||
{ MAC_ASSOCIATE_VNODE_DEVFS,
|
||||
(macop_t)mac_none_associate_vnode_devfs },
|
||||
{ MAC_ASSOCIATE_VNODE_EXTATTR,
|
||||
(macop_t)mac_none_associate_vnode_extattr },
|
||||
{ MAC_ASSOCIATE_VNODE_SINGLELABEL,
|
||||
(macop_t)mac_none_associate_vnode_singlelabel },
|
||||
{ MAC_CREATE_DEVFS_DEVICE,
|
||||
(macop_t)mac_none_create_devfs_device },
|
||||
{ MAC_CREATE_DEVFS_DIRECTORY,
|
||||
@ -944,22 +952,18 @@ static struct mac_policy_op_entry mac_none_ops[] =
|
||||
(macop_t)mac_none_create_devfs_symlink },
|
||||
{ MAC_CREATE_DEVFS_VNODE,
|
||||
(macop_t)mac_none_create_devfs_vnode },
|
||||
{ MAC_CREATE_VNODE,
|
||||
(macop_t)mac_none_create_vnode },
|
||||
{ MAC_CREATE_VNODE_EXTATTR,
|
||||
(macop_t)mac_none_create_vnode_extattr },
|
||||
{ MAC_CREATE_MOUNT,
|
||||
(macop_t)mac_none_create_mount },
|
||||
{ MAC_CREATE_ROOT_MOUNT,
|
||||
(macop_t)mac_none_create_root_mount },
|
||||
{ MAC_RELABEL_VNODE,
|
||||
(macop_t)mac_none_relabel_vnode },
|
||||
{ MAC_SETLABEL_VNODE_EXTATTR,
|
||||
(macop_t)mac_none_setlabel_vnode_extattr },
|
||||
{ MAC_UPDATE_DEVFSDIRENT,
|
||||
(macop_t)mac_none_update_devfsdirent },
|
||||
{ MAC_UPDATE_PROCFSVNODE,
|
||||
(macop_t)mac_none_update_procfsvnode },
|
||||
{ MAC_UPDATE_VNODE_FROM_EXTERNALIZED,
|
||||
(macop_t)mac_none_update_vnode_from_externalized },
|
||||
{ MAC_UPDATE_VNODE_FROM_MOUNT,
|
||||
(macop_t)mac_none_update_vnode_from_mount },
|
||||
{ MAC_CREATE_MBUF_FROM_SOCKET,
|
||||
(macop_t)mac_none_create_mbuf_from_socket },
|
||||
{ MAC_CREATE_PIPE,
|
||||
|
||||
@ -46,6 +46,7 @@
|
||||
#include <sys/param.h>
|
||||
#include <sys/acl.h>
|
||||
#include <sys/conf.h>
|
||||
#include <sys/extattr.h>
|
||||
#include <sys/kernel.h>
|
||||
#include <sys/mac.h>
|
||||
#include <sys/mount.h>
|
||||
@ -482,15 +483,6 @@ mac_test_externalize_label(struct label *label, char *element_name,
|
||||
return (0);
|
||||
}
|
||||
|
||||
static int
|
||||
mac_test_externalize_vnode_oldmac(struct label *label, struct oldmac *extmac)
|
||||
{
|
||||
|
||||
atomic_add_int(&externalize_count, 1);
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
static int
|
||||
mac_test_internalize_label(struct label *label, struct mac *mac,
|
||||
char *element_name, char *element_data, int *claimed)
|
||||
@ -505,6 +497,29 @@ mac_test_internalize_label(struct label *label, struct mac *mac,
|
||||
* Labeling event operations: file system objects, and things that look
|
||||
* a lot like file system objects.
|
||||
*/
|
||||
static void
|
||||
mac_test_associate_vnode_devfs(struct mount *mp, struct label *fslabel,
|
||||
struct devfs_dirent *de, struct label *delabel, struct vnode *vp,
|
||||
struct label *vlabel)
|
||||
{
|
||||
|
||||
}
|
||||
|
||||
static int
|
||||
mac_test_associate_vnode_extattr(struct mount *mp, struct label *fslabel,
|
||||
struct vnode *vp, struct label *vlabel)
|
||||
{
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
static void
|
||||
mac_test_associate_vnode_singlelabel(struct mount *mp,
|
||||
struct label *fslabel, struct vnode *vp, struct label *vlabel)
|
||||
{
|
||||
|
||||
}
|
||||
|
||||
static void
|
||||
mac_test_create_devfs_device(dev_t dev, struct devfs_dirent *devfs_dirent,
|
||||
struct label *label)
|
||||
@ -533,11 +548,13 @@ mac_test_create_devfs_vnode(struct devfs_dirent *devfs_dirent,
|
||||
|
||||
}
|
||||
|
||||
static void
|
||||
mac_test_create_vnode(struct ucred *cred, struct vnode *parent,
|
||||
struct label *parentlabel, struct vnode *child, struct label *childlabel)
|
||||
static int
|
||||
mac_test_create_vnode_extattr(struct ucred *cred, struct mount *mp,
|
||||
struct label *fslabel, struct vnode *dvp, struct label *dlabel,
|
||||
struct vnode *vp, struct label *vlabel, struct componentname *cnp)
|
||||
{
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
static void
|
||||
@ -561,31 +578,17 @@ mac_test_relabel_vnode(struct ucred *cred, struct vnode *vp,
|
||||
|
||||
}
|
||||
|
||||
static void
|
||||
mac_test_update_devfsdirent(struct devfs_dirent *devfs_dirent,
|
||||
struct vnode *vp)
|
||||
{
|
||||
|
||||
}
|
||||
|
||||
static void
|
||||
mac_test_update_procfsvnode(struct vnode *vp, struct label *vnodelabel,
|
||||
struct ucred *cred)
|
||||
{
|
||||
|
||||
}
|
||||
|
||||
static int
|
||||
mac_test_update_vnode_from_externalized(struct vnode *vp,
|
||||
struct label *vnodelabel, struct mac *extmac)
|
||||
mac_test_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
|
||||
struct label *vlabel, struct label *intlabel)
|
||||
{
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
static void
|
||||
mac_test_update_vnode_from_mount(struct vnode *vp, struct label *vnodelabel,
|
||||
struct mount *mp, struct label *fslabel)
|
||||
mac_test_update_devfsdirent(struct devfs_dirent *devfs_dirent,
|
||||
struct label *direntlabel, struct vnode *vp, struct label *vnodelabel)
|
||||
{
|
||||
|
||||
}
|
||||
@ -1275,8 +1278,6 @@ static struct mac_policy_op_entry mac_test_ops[] =
|
||||
(macop_t)mac_test_externalize_label },
|
||||
{ MAC_EXTERNALIZE_VNODE_LABEL,
|
||||
(macop_t)mac_test_externalize_label },
|
||||
{ MAC_EXTERNALIZE_VNODE_OLDMAC,
|
||||
(macop_t)mac_test_externalize_vnode_oldmac },
|
||||
{ MAC_INTERNALIZE_CRED_LABEL,
|
||||
(macop_t)mac_test_internalize_label },
|
||||
{ MAC_INTERNALIZE_IFNET_LABEL,
|
||||
@ -1287,6 +1288,12 @@ static struct mac_policy_op_entry mac_test_ops[] =
|
||||
(macop_t)mac_test_internalize_label },
|
||||
{ MAC_INTERNALIZE_VNODE_LABEL,
|
||||
(macop_t)mac_test_internalize_label },
|
||||
{ MAC_ASSOCIATE_VNODE_DEVFS,
|
||||
(macop_t)mac_test_associate_vnode_devfs },
|
||||
{ MAC_ASSOCIATE_VNODE_EXTATTR,
|
||||
(macop_t)mac_test_associate_vnode_extattr },
|
||||
{ MAC_ASSOCIATE_VNODE_SINGLELABEL,
|
||||
(macop_t)mac_test_associate_vnode_singlelabel },
|
||||
{ MAC_CREATE_DEVFS_DEVICE,
|
||||
(macop_t)mac_test_create_devfs_device },
|
||||
{ MAC_CREATE_DEVFS_DIRECTORY,
|
||||
@ -1295,22 +1302,18 @@ static struct mac_policy_op_entry mac_test_ops[] =
|
||||
(macop_t)mac_test_create_devfs_symlink },
|
||||
{ MAC_CREATE_DEVFS_VNODE,
|
||||
(macop_t)mac_test_create_devfs_vnode },
|
||||
{ MAC_CREATE_VNODE,
|
||||
(macop_t)mac_test_create_vnode },
|
||||
{ MAC_CREATE_VNODE_EXTATTR,
|
||||
(macop_t)mac_test_create_vnode_extattr },
|
||||
{ MAC_CREATE_MOUNT,
|
||||
(macop_t)mac_test_create_mount },
|
||||
{ MAC_CREATE_ROOT_MOUNT,
|
||||
(macop_t)mac_test_create_root_mount },
|
||||
{ MAC_RELABEL_VNODE,
|
||||
(macop_t)mac_test_relabel_vnode },
|
||||
{ MAC_SETLABEL_VNODE_EXTATTR,
|
||||
(macop_t)mac_test_setlabel_vnode_extattr },
|
||||
{ MAC_UPDATE_DEVFSDIRENT,
|
||||
(macop_t)mac_test_update_devfsdirent },
|
||||
{ MAC_UPDATE_PROCFSVNODE,
|
||||
(macop_t)mac_test_update_procfsvnode },
|
||||
{ MAC_UPDATE_VNODE_FROM_EXTERNALIZED,
|
||||
(macop_t)mac_test_update_vnode_from_externalized },
|
||||
{ MAC_UPDATE_VNODE_FROM_MOUNT,
|
||||
(macop_t)mac_test_update_vnode_from_mount },
|
||||
{ MAC_CREATE_MBUF_FROM_SOCKET,
|
||||
(macop_t)mac_test_create_mbuf_from_socket },
|
||||
{ MAC_CREATE_PIPE,
|
||||
|
||||
@ -195,6 +195,8 @@ void mac_init_pipe(struct pipe *);
|
||||
int mac_init_mbuf(struct mbuf *m, int flag);
|
||||
void mac_init_mount(struct mount *);
|
||||
void mac_init_vnode(struct vnode *);
|
||||
void mac_init_vnode_label(struct label *);
|
||||
void mac_copy_vnode_label(struct label *, struct label *label);
|
||||
void mac_destroy_bpfdesc(struct bpf_d *);
|
||||
void mac_destroy_cred(struct ucred *);
|
||||
void mac_destroy_devfsdirent(struct devfs_dirent *);
|
||||
@ -205,26 +207,29 @@ void mac_destroy_pipe(struct pipe *);
|
||||
void mac_destroy_mbuf(struct mbuf *);
|
||||
void mac_destroy_mount(struct mount *);
|
||||
void mac_destroy_vnode(struct vnode *);
|
||||
void mac_destroy_vnode_label(struct label *);
|
||||
|
||||
/*
|
||||
* Labeling event operations: file system objects, and things that
|
||||
* look a lot like file system objects.
|
||||
*/
|
||||
void mac_associate_vnode_devfs(struct mount *mp, struct devfs_dirent *de,
|
||||
struct vnode *vp);
|
||||
int mac_associate_vnode_extattr(struct mount *mp, struct vnode *vp);
|
||||
void mac_associate_vnode_singlelabel(struct mount *mp, struct vnode *vp);
|
||||
void mac_create_devfs_device(dev_t dev, struct devfs_dirent *de);
|
||||
void mac_create_devfs_directory(char *dirname, int dirnamelen,
|
||||
struct devfs_dirent *de);
|
||||
void mac_create_devfs_symlink(struct ucred *cred, struct devfs_dirent *dd,
|
||||
struct devfs_dirent *de);
|
||||
void mac_create_devfs_vnode(struct devfs_dirent *de, struct vnode *vp);
|
||||
void mac_create_vnode(struct ucred *cred, struct vnode *parent,
|
||||
struct vnode *child);
|
||||
int mac_create_vnode_extattr(struct ucred *cred, struct mount *mp,
|
||||
struct vnode *dvp, struct vnode *vp, struct componentname *cnp);
|
||||
void mac_create_mount(struct ucred *cred, struct mount *mp);
|
||||
void mac_create_root_mount(struct ucred *cred, struct mount *mp);
|
||||
void mac_relabel_vnode(struct ucred *cred, struct vnode *vp,
|
||||
struct label *newlabel);
|
||||
void mac_update_devfsdirent(struct devfs_dirent *de, struct vnode *vp);
|
||||
void mac_update_procfsvnode(struct vnode *vp, struct ucred *cred);
|
||||
void mac_update_vnode_from_mount(struct vnode *vp, struct mount *mp);
|
||||
|
||||
/*
|
||||
* Labeling event operations: IPC objects.
|
||||
@ -362,9 +367,6 @@ int mac_pipe_label_set(struct ucred *cred, struct pipe *pipe,
|
||||
* Calls to help various file systems implement labeling functionality
|
||||
* using their existing EA implementation.
|
||||
*/
|
||||
int vop_stdcreatevnode_ea(struct vnode *dvp, struct vnode *tvp,
|
||||
struct ucred *cred);
|
||||
int vop_stdrefreshlabel_ea(struct vop_refreshlabel_args *ap);
|
||||
int vop_stdsetlabel_ea(struct vop_setlabel_args *ap);
|
||||
|
||||
#endif /* _KERNEL */
|
||||
|
||||
@ -118,8 +118,6 @@ struct mac_policy_ops {
|
||||
int (*mpo_externalize_vnode_label)(struct label *label,
|
||||
char *element_name, char *buffer, size_t buflen,
|
||||
size_t *len, int *claimed);
|
||||
int (*mpo_externalize_vnode_oldmac)(struct label *label,
|
||||
struct oldmac *extmac);
|
||||
int (*mpo_internalize_cred_label)(struct label *label,
|
||||
char *element_name, char *element_data, int *claimed);
|
||||
int (*mpo_internalize_ifnet_label)(struct label *label,
|
||||
@ -135,6 +133,16 @@ struct mac_policy_ops {
|
||||
* Labeling event operations: file system objects, and things that
|
||||
* look a lot like file system objects.
|
||||
*/
|
||||
void (*mpo_associate_vnode_devfs)(struct mount *mp,
|
||||
struct label *fslabel, struct devfs_dirent *de,
|
||||
struct label *delabel, struct vnode *vp,
|
||||
struct label *vlabel);
|
||||
int (*mpo_associate_vnode_extattr)(struct mount *mp,
|
||||
struct label *fslabel, struct vnode *vp,
|
||||
struct label *vlabel);
|
||||
void (*mpo_associate_vnode_singlelabel)(struct mount *mp,
|
||||
struct label *fslabel, struct vnode *vp,
|
||||
struct label *vlabel);
|
||||
void (*mpo_create_devfs_device)(dev_t dev, struct devfs_dirent *de,
|
||||
struct label *label);
|
||||
void (*mpo_create_devfs_directory)(char *dirname, int dirnamelen,
|
||||
@ -145,30 +153,23 @@ struct mac_policy_ops {
|
||||
void (*mpo_create_devfs_vnode)(struct devfs_dirent *de,
|
||||
struct label *direntlabel, struct vnode *vp,
|
||||
struct label *vnodelabel);
|
||||
void (*mpo_create_vnode)(struct ucred *cred, struct vnode *parent,
|
||||
struct label *parentlabel, struct vnode *child,
|
||||
struct label *childlabel);
|
||||
int (*mpo_create_vnode_extattr)(struct ucred *cred,
|
||||
struct mount *mp, struct label *fslabel,
|
||||
struct vnode *dvp, struct label *dlabel,
|
||||
struct vnode *vp, struct label *vlabel,
|
||||
struct componentname *cnp);
|
||||
void (*mpo_create_mount)(struct ucred *cred, struct mount *mp,
|
||||
struct label *mntlabel, struct label *fslabel);
|
||||
void (*mpo_create_root_mount)(struct ucred *cred, struct mount *mp,
|
||||
struct label *mountlabel, struct label *fslabel);
|
||||
void (*mpo_relabel_vnode)(struct ucred *cred, struct vnode *vp,
|
||||
struct label *vnodelabel, struct label *label);
|
||||
int (*mpo_stdcreatevnode_ea)(struct vnode *vp,
|
||||
struct label *vnodelabel);
|
||||
int (*mpo_setlabel_vnode_extattr)(struct ucred *cred,
|
||||
struct vnode *vp, struct label *vlabel,
|
||||
struct label *intlabel);
|
||||
void (*mpo_update_devfsdirent)(struct devfs_dirent *devfs_dirent,
|
||||
struct label *direntlabel, struct vnode *vp,
|
||||
struct label *vnodelabel);
|
||||
void (*mpo_update_procfsvnode)(struct vnode *vp,
|
||||
struct label *vnodelabel, struct ucred *cred);
|
||||
int (*mpo_update_vnode_from_extattr)(struct vnode *vp,
|
||||
struct label *vnodelabel, struct mount *mp,
|
||||
struct label *fslabel);
|
||||
int (*mpo_update_vnode_from_externalized)(struct vnode *vp,
|
||||
struct label *vnodelabel, struct oldmac *extmac);
|
||||
void (*mpo_update_vnode_from_mount)(struct vnode *vp,
|
||||
struct label *vnodelabel, struct mount *mp,
|
||||
struct label *fslabel);
|
||||
|
||||
/*
|
||||
* Labeling event operations: IPC objects.
|
||||
@ -431,7 +432,6 @@ enum mac_op_constant {
|
||||
MAC_EXTERNALIZE_SOCKET_LABEL,
|
||||
MAC_EXTERNALIZE_SOCKET_PEER_LABEL,
|
||||
MAC_EXTERNALIZE_VNODE_LABEL,
|
||||
MAC_EXTERNALIZE_VNODE_OLDMAC,
|
||||
MAC_INTERNALIZE_CRED_LABEL,
|
||||
MAC_INTERNALIZE_IFNET_LABEL,
|
||||
MAC_INTERNALIZE_PIPE_LABEL,
|
||||
@ -441,16 +441,15 @@ enum mac_op_constant {
|
||||
MAC_CREATE_DEVFS_DIRECTORY,
|
||||
MAC_CREATE_DEVFS_SYMLINK,
|
||||
MAC_CREATE_DEVFS_VNODE,
|
||||
MAC_CREATE_VNODE,
|
||||
MAC_CREATE_MOUNT,
|
||||
MAC_CREATE_ROOT_MOUNT,
|
||||
MAC_RELABEL_VNODE,
|
||||
MAC_STDCREATEVNODE_EA,
|
||||
MAC_UPDATE_DEVFSDIRENT,
|
||||
MAC_UPDATE_PROCFSVNODE,
|
||||
MAC_UPDATE_VNODE_FROM_EXTATTR,
|
||||
MAC_UPDATE_VNODE_FROM_EXTERNALIZED,
|
||||
MAC_UPDATE_VNODE_FROM_MOUNT,
|
||||
MAC_ASSOCIATE_VNODE_DEVFS,
|
||||
MAC_ASSOCIATE_VNODE_EXTATTR,
|
||||
MAC_ASSOCIATE_VNODE_SINGLELABEL,
|
||||
MAC_CREATE_VNODE_EXTATTR,
|
||||
MAC_SETLABEL_VNODE_EXTATTR,
|
||||
MAC_CREATE_MBUF_FROM_SOCKET,
|
||||
MAC_CREATE_PIPE,
|
||||
MAC_CREATE_SOCKET,
|
||||
|
||||
@ -44,6 +44,7 @@
|
||||
#include <sys/namei.h>
|
||||
#include <sys/proc.h>
|
||||
#include <sys/kernel.h>
|
||||
#include <sys/mac.h>
|
||||
#include <sys/vnode.h>
|
||||
#include <sys/mount.h>
|
||||
#include <sys/bio.h>
|
||||
@ -1337,6 +1338,23 @@ ffs_vget(mp, ino, flags, vpp)
|
||||
ip->i_gid = ip->i_din1->di_ogid; /* XXX */
|
||||
} /* XXX */
|
||||
|
||||
#ifdef MAC
|
||||
if ((mp->mnt_flag & MNT_MULTILABEL) && ip->i_mode) {
|
||||
/*
|
||||
* If this vnode is already allocated, and we're running
|
||||
* multi-label, attempt to perform a label association
|
||||
* from the extended attributes on the inode.
|
||||
*/
|
||||
error = mac_associate_vnode_extattr(mp, vp);
|
||||
if (error) {
|
||||
/* ufs_inactive will release ip->i_devvp ref. */
|
||||
vput(vp);
|
||||
*vpp = NULL;
|
||||
return (error);
|
||||
}
|
||||
}
|
||||
#endif
|
||||
|
||||
*vpp = vp;
|
||||
return (0);
|
||||
}
|
||||
|
||||
@ -1523,9 +1523,12 @@ ufs_mkdir(ap)
|
||||
if (error)
|
||||
goto bad;
|
||||
#ifdef MAC
|
||||
error = vop_stdcreatevnode_ea(dvp, tvp, cnp->cn_cred);
|
||||
if (error)
|
||||
goto bad;
|
||||
if (dvp->v_mount->mnt_flag & MNT_MULTILABEL) {
|
||||
error = mac_create_vnode_extattr(cnp->cn_cred, dvp->v_mount,
|
||||
dvp, tvp, cnp);
|
||||
if (error)
|
||||
goto bad;
|
||||
}
|
||||
#endif
|
||||
#ifdef UFS_ACL
|
||||
if (acl != NULL) {
|
||||
@ -2459,9 +2462,12 @@ ufs_makeinode(mode, dvp, vpp, cnp)
|
||||
if (error)
|
||||
goto bad;
|
||||
#ifdef MAC
|
||||
error = vop_stdcreatevnode_ea(dvp, tvp, cnp->cn_cred);
|
||||
if (error)
|
||||
goto bad;
|
||||
if (dvp->v_mount->mnt_flag & MNT_MULTILABEL) {
|
||||
error = mac_create_vnode_extattr(cnp->cn_cred, dvp->v_mount,
|
||||
dvp, tvp, cnp);
|
||||
if (error)
|
||||
goto bad;
|
||||
}
|
||||
#endif
|
||||
#ifdef UFS_ACL
|
||||
if (acl != NULL) {
|
||||
@ -2649,9 +2655,6 @@ static struct vnodeopv_entry_desc ufs_vnodeop_entries[] = {
|
||||
{ &vop_readdir_desc, (vop_t *) ufs_readdir },
|
||||
{ &vop_readlink_desc, (vop_t *) ufs_readlink },
|
||||
{ &vop_reclaim_desc, (vop_t *) ufs_reclaim },
|
||||
#ifdef MAC
|
||||
{ &vop_refreshlabel_desc, (vop_t *) vop_stdrefreshlabel_ea },
|
||||
#endif
|
||||
{ &vop_remove_desc, (vop_t *) ufs_remove },
|
||||
{ &vop_rename_desc, (vop_t *) ufs_rename },
|
||||
{ &vop_rmdir_desc, (vop_t *) ufs_rmdir },
|
||||
@ -2690,9 +2693,6 @@ static struct vnodeopv_entry_desc ufs_specop_entries[] = {
|
||||
{ &vop_print_desc, (vop_t *) ufs_print },
|
||||
{ &vop_read_desc, (vop_t *) ufsspec_read },
|
||||
{ &vop_reclaim_desc, (vop_t *) ufs_reclaim },
|
||||
#ifdef MAC
|
||||
{ &vop_refreshlabel_desc, (vop_t *) vop_stdrefreshlabel_ea },
|
||||
#endif
|
||||
{ &vop_setattr_desc, (vop_t *) ufs_setattr },
|
||||
#ifdef MAC
|
||||
{ &vop_setlabel_desc, (vop_t *) vop_stdsetlabel_ea },
|
||||
@ -2727,9 +2727,6 @@ static struct vnodeopv_entry_desc ufs_fifoop_entries[] = {
|
||||
{ &vop_print_desc, (vop_t *) ufs_print },
|
||||
{ &vop_read_desc, (vop_t *) ufsfifo_read },
|
||||
{ &vop_reclaim_desc, (vop_t *) ufs_reclaim },
|
||||
#ifdef MAC
|
||||
{ &vop_refreshlabel_desc, (vop_t *) vop_stdrefreshlabel_ea },
|
||||
#endif
|
||||
{ &vop_setattr_desc, (vop_t *) ufs_setattr },
|
||||
#ifdef MAC
|
||||
{ &vop_setlabel_desc, (vop_t *) vop_stdsetlabel_ea },
|
||||
|
||||
Loading…
Reference in New Issue
Block a user