d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Break out mac_check_vnode_op() into three seperate checks:

Browse Source 
mac_check_vnode_poll(), mac_check_vnode_read(), mac_check_vnode_write().
This improves the consistency with other existing vnode checks, and
allows policies to avoid implementing switch statements to determine
what operations they do and do not want to authorize.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
This commit is contained in:
Robert Watson 2002-08-19 16:43:25 +00:00
parent c449db6ab2
commit 7f724f8b51
Notes: svn2git 2020-12-20 02:59:44 +00:00 
svn path=/head/; revision=102112
23 changed files with 881 additions and 306 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
sys/kern/kern_ktrace.c
View File

@ -771,7 +771,7 @@ ktr_writerequest(struct ktr_request *req)
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
(void)VOP_LEASE(vp, td, cred, LEASE_WRITE);
#ifdef MAC
error = mac_check_vnode_op(cred, vp, MAC_OP_VNODE_WRITE);
error = mac_check_vnode_write(cred, vp);
if (error == 0)
#endif
error = VOP_WRITE(vp, &auio, IO_UNIT | IO_APPEND, cred);

93
sys/kern/kern_mac.c
View File

@ -755,14 +755,18 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_vnode_mmap_perms =
mpe->mpe_function;
break;
case MAC_CHECK_VNODE_OP:
mpc->mpc_ops->mpo_check_vnode_op =
mpe->mpe_function;
break;
case MAC_CHECK_VNODE_OPEN:
mpc->mpc_ops->mpo_check_vnode_open =
mpe->mpe_function;
break;
case MAC_CHECK_VNODE_POLL:
mpc->mpc_ops->mpo_check_vnode_poll =
mpe->mpe_function;
break;
case MAC_CHECK_VNODE_READ:
mpc->mpc_ops->mpo_check_vnode_read =
mpe->mpe_function;
break;
case MAC_CHECK_VNODE_READDIR:
mpc->mpc_ops->mpo_check_vnode_readdir =
mpe->mpe_function;
@ -815,6 +819,10 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_vnode_stat =
mpe->mpe_function;
break;
case MAC_CHECK_VNODE_WRITE:
mpc->mpc_ops->mpo_check_vnode_write =
mpe->mpe_function;
break;
/*
default:
printf("MAC policy `%s': unknown operation %d\n",
@ -1761,25 +1769,6 @@ mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp, int newmapping)
return (result);
}
int
mac_check_vnode_op(struct ucred *cred, struct vnode *vp, int op)
{
int error;
if (!mac_enforce_fs)
return (0);
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_op");
error = vn_refreshlabel(vp, cred);
if (error)
return (error);
MAC_CHECK(check_vnode_op, cred, vp, &vp->v_label, op);
return (error);
}
int
mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
{
@ -1798,6 +1787,44 @@ mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
return (error);
}
int
mac_check_vnode_poll(struct ucred *cred, struct vnode *vp)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_poll");
if (!mac_enforce_fs)
return (0);
error = vn_refreshlabel(vp, cred);
if (error)
return (error);
MAC_CHECK(check_vnode_poll, cred, vp, &vp->v_label);
return (error);
}
int
mac_check_vnode_read(struct ucred *cred, struct vnode *vp)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_read");
if (!mac_enforce_fs)
return (0);
error = vn_refreshlabel(vp, cred);
if (error)
return (error);
MAC_CHECK(check_vnode_read, cred, vp, &vp->v_label);
return (error);
}
int
mac_check_vnode_readdir(struct ucred *cred, struct vnode *dvp)
{
@ -2050,6 +2077,26 @@ mac_check_vnode_stat(struct ucred *cred, struct vnode *vp)
return (error);
}
int
mac_check_vnode_write(struct ucred *cred, struct vnode *vp)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_write");
if (!mac_enforce_fs)
return (0);
error = vn_refreshlabel(vp, cred);
if (error)
return (error);
MAC_CHECK(check_vnode_write, cred, vp, &vp->v_label);
return (error);
}
/*
* When relabeling a process, call out to the policies for the maximum
* permission allowed for each object type we know about in its

6
sys/kern/tty_tty.c
View File

@ -131,7 +131,7 @@ cttyread(dev, uio, flag)
vn_lock(ttyvp, LK_EXCLUSIVE | LK_RETRY, td);
#ifdef MAC
/* XXX: Shouldn't the cred below be td->td_ucred not NOCRED? */
error = mac_check_vnode_op(td->td_ucred, ttyvp, MAC_OP_VNODE_READ);
error = mac_check_vnode_read(td->td_ucred, ttyvp);
if (error == 0)
#endif
error = VOP_READ(ttyvp, uio, flag, NOCRED);
@ -166,7 +166,7 @@ cttywrite(dev, uio, flag)
vn_lock(ttyvp, LK_EXCLUSIVE | LK_RETRY, td);
#ifdef MAC
/* XXX: shouldn't the cred below be td->td_ucred not NOCRED? */
error = mac_check_vnode_op(td->td_ucred, ttyvp, MAC_OP_VNODE_WRITE);
error = mac_check_vnode_write(td->td_ucred, ttyvp);
if (error == 0)
#endif
error = VOP_WRITE(ttyvp, uio, flag, NOCRED);
@ -236,7 +236,7 @@ cttypoll(dev, events, td)
return (seltrue(dev, events, td));
#ifdef MAC
vn_lock(ttyvp, LK_EXCLUSIVE | LK_RETRY, td);
error = mac_check_vnode_op(td->td_ucred, ttyvp, MAC_OP_VNODE_POLL);
error = mac_check_vnode_poll(td->td_ucred, ttyvp);
VOP_UNLOCK(ttyvp, 0, td);
if (error)
return (error);

12
sys/kern/vfs_extattr.c
View File

@ -734,8 +734,7 @@ open(td, uap)
vat.va_size = 0;
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
#ifdef MAC
error = mac_check_vnode_op(td->td_ucred, vp,
MAC_OP_VNODE_WRITE);
error = mac_check_vnode_write(td->td_ucred, vp);
if (error == 0)
#endif
error = VOP_SETATTR(vp, &vat, td->td_ucred, td);
@ -2368,8 +2367,7 @@ truncate(td, uap)
if (vp->v_type == VDIR)
error = EISDIR;
#ifdef MAC
else if ((error = mac_check_vnode_op(td->td_ucred, vp,
MAC_OP_VNODE_WRITE))) {}
else if ((error = mac_check_vnode_write(td->td_ucred, vp))) {}
#endif
else if ((error = vn_writechk(vp)) == 0 &&
(error = VOP_ACCESS(vp, VWRITE, td->td_ucred, td)) == 0) {
@ -2426,8 +2424,7 @@ ftruncate(td, uap)
if (vp->v_type == VDIR)
error = EISDIR;
#ifdef MAC
else if ((error = mac_check_vnode_op(td->td_ucred, vp,
MAC_OP_VNODE_WRITE))) {}
else if ((error = mac_check_vnode_write(td->td_ucred, vp))) {}
#endif
else if ((error = vn_writechk(vp)) == 0) {
VATTR_NULL(&vattr);
@ -3345,8 +3342,7 @@ fhopen(td, uap)
VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE);
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); /* XXX */
#ifdef MAC
error = mac_check_vnode_op(td->td_ucred, vp,
MAC_OP_VNODE_WRITE);
error = mac_check_vnode_write(td->td_ucred, vp);
if (error == 0) {
#endif
VATTR_NULL(vap);

12
sys/kern/vfs_syscalls.c
View File

@ -734,8 +734,7 @@ open(td, uap)
vat.va_size = 0;
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
#ifdef MAC
error = mac_check_vnode_op(td->td_ucred, vp,
MAC_OP_VNODE_WRITE);
error = mac_check_vnode_write(td->td_ucred, vp);
if (error == 0)
#endif
error = VOP_SETATTR(vp, &vat, td->td_ucred, td);
@ -2368,8 +2367,7 @@ truncate(td, uap)
if (vp->v_type == VDIR)
error = EISDIR;
#ifdef MAC
else if ((error = mac_check_vnode_op(td->td_ucred, vp,
MAC_OP_VNODE_WRITE))) {}
else if ((error = mac_check_vnode_write(td->td_ucred, vp))) {}
#endif
else if ((error = vn_writechk(vp)) == 0 &&
(error = VOP_ACCESS(vp, VWRITE, td->td_ucred, td)) == 0) {
@ -2426,8 +2424,7 @@ ftruncate(td, uap)
if (vp->v_type == VDIR)
error = EISDIR;
#ifdef MAC
else if ((error = mac_check_vnode_op(td->td_ucred, vp,
MAC_OP_VNODE_WRITE))) {}
else if ((error = mac_check_vnode_write(td->td_ucred, vp))) {}
#endif
else if ((error = vn_writechk(vp)) == 0) {
VATTR_NULL(&vattr);
@ -3345,8 +3342,7 @@ fhopen(td, uap)
VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE);
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); /* XXX */
#ifdef MAC
error = mac_check_vnode_op(td->td_ucred, vp,
MAC_OP_VNODE_WRITE);
error = mac_check_vnode_write(td->td_ucred, vp);
if (error == 0) {
#endif
VATTR_NULL(vap);

12
sys/kern/vfs_vnops.c
View File

@ -402,11 +402,9 @@ vn_rdwr(rw, vp, base, len, offset, segflg, ioflg, active_cred, file_cred,
#ifdef MAC
if ((ioflg & IO_NOMACCHECK) == 0) {
if (rw == UIO_READ)
error = mac_check_vnode_op(active_cred, vp,
MAC_OP_VNODE_READ);
error = mac_check_vnode_read(active_cred, vp);
else
error = mac_check_vnode_op(active_cred, vp,
MAC_OP_VNODE_WRITE);
error = mac_check_vnode_write(active_cred, vp);
}
#endif
if (error == 0) {
@ -507,7 +505,7 @@ vn_read(fp, uio, active_cred, flags, td)
ioflag |= sequential_heuristic(uio, fp);
#ifdef MAC
error = mac_check_vnode_op(active_cred, vp, MAC_OP_VNODE_READ);
error = mac_check_vnode_read(active_cred, vp);
if (error == 0)
#endif
error = VOP_READ(vp, uio, ioflag, fp->f_cred);
@ -562,7 +560,7 @@ vn_write(fp, uio, active_cred, flags, td)
uio->uio_offset = fp->f_offset;
ioflag |= sequential_heuristic(uio, fp);
#ifdef MAC
error = mac_check_vnode_op(active_cred, vp, MAC_OP_VNODE_WRITE);
error = mac_check_vnode_write(active_cred, vp);
if (error == 0)
#endif
error = VOP_WRITE(vp, uio, ioflag, fp->f_cred);
@ -807,7 +805,7 @@ vn_poll(fp, events, active_cred, td)
vp = (struct vnode *)fp->f_data;
#ifdef MAC
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
error = mac_check_vnode_op(active_cred, vp, MAC_OP_VNODE_POLL);
error = mac_check_vnode_poll(active_cred, vp);
VOP_UNLOCK(vp, 0, td);
if (error)
return (error);

93
sys/security/mac/mac_framework.c
View File

@ -755,14 +755,18 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_vnode_mmap_perms =
mpe->mpe_function;
break;
case MAC_CHECK_VNODE_OP:
mpc->mpc_ops->mpo_check_vnode_op =
mpe->mpe_function;
break;
case MAC_CHECK_VNODE_OPEN:
mpc->mpc_ops->mpo_check_vnode_open =
mpe->mpe_function;
break;
case MAC_CHECK_VNODE_POLL:
mpc->mpc_ops->mpo_check_vnode_poll =
mpe->mpe_function;
break;
case MAC_CHECK_VNODE_READ:
mpc->mpc_ops->mpo_check_vnode_read =
mpe->mpe_function;
break;
case MAC_CHECK_VNODE_READDIR:
mpc->mpc_ops->mpo_check_vnode_readdir =
mpe->mpe_function;
@ -815,6 +819,10 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_vnode_stat =
mpe->mpe_function;
break;
case MAC_CHECK_VNODE_WRITE:
mpc->mpc_ops->mpo_check_vnode_write =
mpe->mpe_function;
break;
/*
default:
printf("MAC policy `%s': unknown operation %d\n",
@ -1761,25 +1769,6 @@ mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp, int newmapping)
return (result);
}
int
mac_check_vnode_op(struct ucred *cred, struct vnode *vp, int op)
{
int error;
if (!mac_enforce_fs)
return (0);
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_op");
error = vn_refreshlabel(vp, cred);
if (error)
return (error);
MAC_CHECK(check_vnode_op, cred, vp, &vp->v_label, op);
return (error);
}
int
mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
{
@ -1798,6 +1787,44 @@ mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
return (error);
}
int
mac_check_vnode_poll(struct ucred *cred, struct vnode *vp)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_poll");
if (!mac_enforce_fs)
return (0);
error = vn_refreshlabel(vp, cred);
if (error)
return (error);
MAC_CHECK(check_vnode_poll, cred, vp, &vp->v_label);
return (error);
}
int
mac_check_vnode_read(struct ucred *cred, struct vnode *vp)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_read");
if (!mac_enforce_fs)
return (0);
error = vn_refreshlabel(vp, cred);
if (error)
return (error);
MAC_CHECK(check_vnode_read, cred, vp, &vp->v_label);
return (error);
}
int
mac_check_vnode_readdir(struct ucred *cred, struct vnode *dvp)
{
@ -2050,6 +2077,26 @@ mac_check_vnode_stat(struct ucred *cred, struct vnode *vp)
return (error);
}
int
mac_check_vnode_write(struct ucred *cred, struct vnode *vp)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_write");
if (!mac_enforce_fs)
return (0);
error = vn_refreshlabel(vp, cred);
if (error)
return (error);
MAC_CHECK(check_vnode_write, cred, vp, &vp->v_label);
return (error);
}
/*
* When relabeling a process, call out to the policies for the maximum
* permission allowed for each object type we know about in its

4
sys/security/mac/mac_framework.h
View File

@ -341,9 +341,10 @@ int mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
/* XXX This u_char should be vm_prot_t! */
u_char mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp,
int newmapping);
int mac_check_vnode_op(struct ucred *cred, struct vnode *vp, int op);
int mac_check_vnode_open(struct ucred *cred, struct vnode *vp,
mode_t acc_mode);
int mac_check_vnode_poll(struct ucred *cred, struct vnode *vp);
int mac_check_vnode_read(struct ucred *cred, struct vnode *vp);
int mac_check_vnode_readdir(struct ucred *cred, struct vnode *vp);
int mac_check_vnode_readlink(struct ucred *cred, struct vnode *vp);
int mac_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
@ -364,6 +365,7 @@ int mac_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
int mac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
struct timespec atime, struct timespec mtime);
int mac_check_vnode_stat(struct ucred *cred, struct vnode *vp);
int mac_check_vnode_write(struct ucred *cred, struct vnode *vp);
int mac_getsockopt_label_get(struct ucred *cred, struct socket *so,
struct mac *extmac);
int mac_getsockopt_peerlabel_get(struct ucred *cred, struct socket *so,

93
sys/security/mac/mac_internal.h
View File

@ -755,14 +755,18 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_vnode_mmap_perms =
mpe->mpe_function;
break;
case MAC_CHECK_VNODE_OP:
mpc->mpc_ops->mpo_check_vnode_op =
mpe->mpe_function;
break;
case MAC_CHECK_VNODE_OPEN:
mpc->mpc_ops->mpo_check_vnode_open =
mpe->mpe_function;
break;
case MAC_CHECK_VNODE_POLL:
mpc->mpc_ops->mpo_check_vnode_poll =
mpe->mpe_function;
break;
case MAC_CHECK_VNODE_READ:
mpc->mpc_ops->mpo_check_vnode_read =
mpe->mpe_function;
break;
case MAC_CHECK_VNODE_READDIR:
mpc->mpc_ops->mpo_check_vnode_readdir =
mpe->mpe_function;
@ -815,6 +819,10 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_vnode_stat =
mpe->mpe_function;
break;
case MAC_CHECK_VNODE_WRITE:
mpc->mpc_ops->mpo_check_vnode_write =
mpe->mpe_function;
break;
/*
default:
printf("MAC policy `%s': unknown operation %d\n",
@ -1761,25 +1769,6 @@ mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp, int newmapping)
return (result);
}
int
mac_check_vnode_op(struct ucred *cred, struct vnode *vp, int op)
{
int error;
if (!mac_enforce_fs)
return (0);
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_op");
error = vn_refreshlabel(vp, cred);
if (error)
return (error);
MAC_CHECK(check_vnode_op, cred, vp, &vp->v_label, op);
return (error);
}
int
mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
{
@ -1798,6 +1787,44 @@ mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
return (error);
}
int
mac_check_vnode_poll(struct ucred *cred, struct vnode *vp)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_poll");
if (!mac_enforce_fs)
return (0);
error = vn_refreshlabel(vp, cred);
if (error)
return (error);
MAC_CHECK(check_vnode_poll, cred, vp, &vp->v_label);
return (error);
}
int
mac_check_vnode_read(struct ucred *cred, struct vnode *vp)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_read");
if (!mac_enforce_fs)
return (0);
error = vn_refreshlabel(vp, cred);
if (error)
return (error);
MAC_CHECK(check_vnode_read, cred, vp, &vp->v_label);
return (error);
}
int
mac_check_vnode_readdir(struct ucred *cred, struct vnode *dvp)
{
@ -2050,6 +2077,26 @@ mac_check_vnode_stat(struct ucred *cred, struct vnode *vp)
return (error);
}
int
mac_check_vnode_write(struct ucred *cred, struct vnode *vp)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_write");
if (!mac_enforce_fs)
return (0);
error = vn_refreshlabel(vp, cred);
if (error)
return (error);
MAC_CHECK(check_vnode_write, cred, vp, &vp->v_label);
return (error);
}
/*
* When relabeling a process, call out to the policies for the maximum
* permission allowed for each object type we know about in its

93
sys/security/mac/mac_net.c
View File

@ -755,14 +755,18 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_vnode_mmap_perms =
mpe->mpe_function;
break;
case MAC_CHECK_VNODE_OP:
mpc->mpc_ops->mpo_check_vnode_op =
mpe->mpe_function;
break;
case MAC_CHECK_VNODE_OPEN:
mpc->mpc_ops->mpo_check_vnode_open =
mpe->mpe_function;
break;
case MAC_CHECK_VNODE_POLL:
mpc->mpc_ops->mpo_check_vnode_poll =
mpe->mpe_function;
break;
case MAC_CHECK_VNODE_READ:
mpc->mpc_ops->mpo_check_vnode_read =
mpe->mpe_function;
break;
case MAC_CHECK_VNODE_READDIR:
mpc->mpc_ops->mpo_check_vnode_readdir =
mpe->mpe_function;
@ -815,6 +819,10 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_vnode_stat =
mpe->mpe_function;
break;
case MAC_CHECK_VNODE_WRITE:
mpc->mpc_ops->mpo_check_vnode_write =
mpe->mpe_function;
break;
/*
default:
printf("MAC policy `%s': unknown operation %d\n",
@ -1761,25 +1769,6 @@ mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp, int newmapping)
return (result);
}
int
mac_check_vnode_op(struct ucred *cred, struct vnode *vp, int op)
{
int error;
if (!mac_enforce_fs)
return (0);
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_op");
error = vn_refreshlabel(vp, cred);
if (error)
return (error);
MAC_CHECK(check_vnode_op, cred, vp, &vp->v_label, op);
return (error);
}
int
mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
{
@ -1798,6 +1787,44 @@ mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
return (error);
}
int
mac_check_vnode_poll(struct ucred *cred, struct vnode *vp)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_poll");
if (!mac_enforce_fs)
return (0);
error = vn_refreshlabel(vp, cred);
if (error)
return (error);
MAC_CHECK(check_vnode_poll, cred, vp, &vp->v_label);
return (error);
}
int
mac_check_vnode_read(struct ucred *cred, struct vnode *vp)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_read");
if (!mac_enforce_fs)
return (0);
error = vn_refreshlabel(vp, cred);
if (error)
return (error);
MAC_CHECK(check_vnode_read, cred, vp, &vp->v_label);
return (error);
}
int
mac_check_vnode_readdir(struct ucred *cred, struct vnode *dvp)
{
@ -2050,6 +2077,26 @@ mac_check_vnode_stat(struct ucred *cred, struct vnode *vp)
return (error);
}
int
mac_check_vnode_write(struct ucred *cred, struct vnode *vp)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_write");
if (!mac_enforce_fs)
return (0);
error = vn_refreshlabel(vp, cred);
if (error)
return (error);
MAC_CHECK(check_vnode_write, cred, vp, &vp->v_label);
return (error);
}
/*
* When relabeling a process, call out to the policies for the maximum
* permission allowed for each object type we know about in its

93
sys/security/mac/mac_pipe.c
View File

@ -755,14 +755,18 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_vnode_mmap_perms =
mpe->mpe_function;
break;
case MAC_CHECK_VNODE_OP:
mpc->mpc_ops->mpo_check_vnode_op =
mpe->mpe_function;
break;
case MAC_CHECK_VNODE_OPEN:
mpc->mpc_ops->mpo_check_vnode_open =
mpe->mpe_function;
break;
case MAC_CHECK_VNODE_POLL:
mpc->mpc_ops->mpo_check_vnode_poll =
mpe->mpe_function;
break;
case MAC_CHECK_VNODE_READ:
mpc->mpc_ops->mpo_check_vnode_read =
mpe->mpe_function;
break;
case MAC_CHECK_VNODE_READDIR:
mpc->mpc_ops->mpo_check_vnode_readdir =
mpe->mpe_function;
@ -815,6 +819,10 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_vnode_stat =
mpe->mpe_function;
break;
case MAC_CHECK_VNODE_WRITE:
mpc->mpc_ops->mpo_check_vnode_write =
mpe->mpe_function;
break;
/*
default:
printf("MAC policy `%s': unknown operation %d\n",
@ -1761,25 +1769,6 @@ mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp, int newmapping)
return (result);
}
int
mac_check_vnode_op(struct ucred *cred, struct vnode *vp, int op)
{
int error;
if (!mac_enforce_fs)
return (0);
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_op");
error = vn_refreshlabel(vp, cred);
if (error)
return (error);
MAC_CHECK(check_vnode_op, cred, vp, &vp->v_label, op);
return (error);
}
int
mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
{
@ -1798,6 +1787,44 @@ mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
return (error);
}
int
mac_check_vnode_poll(struct ucred *cred, struct vnode *vp)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_poll");
if (!mac_enforce_fs)
return (0);
error = vn_refreshlabel(vp, cred);
if (error)
return (error);
MAC_CHECK(check_vnode_poll, cred, vp, &vp->v_label);
return (error);
}
int
mac_check_vnode_read(struct ucred *cred, struct vnode *vp)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_read");
if (!mac_enforce_fs)
return (0);
error = vn_refreshlabel(vp, cred);
if (error)
return (error);
MAC_CHECK(check_vnode_read, cred, vp, &vp->v_label);
return (error);
}
int
mac_check_vnode_readdir(struct ucred *cred, struct vnode *dvp)
{
@ -2050,6 +2077,26 @@ mac_check_vnode_stat(struct ucred *cred, struct vnode *vp)
return (error);
}
int
mac_check_vnode_write(struct ucred *cred, struct vnode *vp)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_write");
if (!mac_enforce_fs)
return (0);
error = vn_refreshlabel(vp, cred);
if (error)
return (error);
MAC_CHECK(check_vnode_write, cred, vp, &vp->v_label);
return (error);
}
/*
* When relabeling a process, call out to the policies for the maximum
* permission allowed for each object type we know about in its

12
sys/security/mac/mac_policy.h
View File

@ -286,10 +286,12 @@ struct mac_policy_ops {
struct componentname *cnp);
vm_prot_t (*mpo_check_vnode_mmap_perms)(struct ucred *cred,
struct vnode *vp, struct label *label, int newmapping);
int (*mpo_check_vnode_op)(struct ucred *cred, struct vnode *vp,
struct label *label, int op);
int (*mpo_check_vnode_open)(struct ucred *cred, struct vnode *vp,
struct label *label, mode_t acc_mode);
int (*mpo_check_vnode_poll)(struct ucred *cred, struct vnode *vp,
struct label *label);
int (*mpo_check_vnode_read)(struct ucred *cred, struct vnode *vp,
struct label *label);
int (*mpo_check_vnode_readdir)(struct ucred *cred,
struct vnode *dvp, struct label *dlabel);
int (*mpo_check_vnode_readlink)(struct ucred *cred,
@ -324,6 +326,8 @@ struct mac_policy_ops {
struct timespec atime, struct timespec mtime);
int (*mpo_check_vnode_stat)(struct ucred *cred, struct vnode *vp,
struct label *label);
int (*mpo_check_vnode_write)(struct ucred *cred, struct vnode *vp,
struct label *label);
};
typedef const void *macop_t;
@ -426,8 +430,9 @@ enum mac_op_constant {
MAC_CHECK_VNODE_GETEXTATTR,
MAC_CHECK_VNODE_LOOKUP,
MAC_CHECK_VNODE_MMAP_PERMS,
MAC_CHECK_VNODE_OP,
MAC_CHECK_VNODE_OPEN,
MAC_CHECK_VNODE_POLL,
MAC_CHECK_VNODE_READ,
MAC_CHECK_VNODE_READDIR,
MAC_CHECK_VNODE_READLINK,
MAC_CHECK_VNODE_RELABEL,
@ -441,6 +446,7 @@ enum mac_op_constant {
MAC_CHECK_VNODE_SETOWNER,
MAC_CHECK_VNODE_SETUTIMES,
MAC_CHECK_VNODE_STAT,
MAC_CHECK_VNODE_WRITE,
};
struct mac_policy_op_entry {

93
sys/security/mac/mac_process.c
View File

@ -755,14 +755,18 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_vnode_mmap_perms =
mpe->mpe_function;
break;
case MAC_CHECK_VNODE_OP:
mpc->mpc_ops->mpo_check_vnode_op =
mpe->mpe_function;
break;
case MAC_CHECK_VNODE_OPEN:
mpc->mpc_ops->mpo_check_vnode_open =
mpe->mpe_function;
break;
case MAC_CHECK_VNODE_POLL:
mpc->mpc_ops->mpo_check_vnode_poll =
mpe->mpe_function;
break;
case MAC_CHECK_VNODE_READ:
mpc->mpc_ops->mpo_check_vnode_read =
mpe->mpe_function;
break;
case MAC_CHECK_VNODE_READDIR:
mpc->mpc_ops->mpo_check_vnode_readdir =
mpe->mpe_function;
@ -815,6 +819,10 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_vnode_stat =
mpe->mpe_function;
break;
case MAC_CHECK_VNODE_WRITE:
mpc->mpc_ops->mpo_check_vnode_write =
mpe->mpe_function;
break;
/*
default:
printf("MAC policy `%s': unknown operation %d\n",
@ -1761,25 +1769,6 @@ mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp, int newmapping)
return (result);
}
int
mac_check_vnode_op(struct ucred *cred, struct vnode *vp, int op)
{
int error;
if (!mac_enforce_fs)
return (0);
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_op");
error = vn_refreshlabel(vp, cred);
if (error)
return (error);
MAC_CHECK(check_vnode_op, cred, vp, &vp->v_label, op);
return (error);
}
int
mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
{
@ -1798,6 +1787,44 @@ mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
return (error);
}
int
mac_check_vnode_poll(struct ucred *cred, struct vnode *vp)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_poll");
if (!mac_enforce_fs)
return (0);
error = vn_refreshlabel(vp, cred);
if (error)
return (error);
MAC_CHECK(check_vnode_poll, cred, vp, &vp->v_label);
return (error);
}
int
mac_check_vnode_read(struct ucred *cred, struct vnode *vp)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_read");
if (!mac_enforce_fs)
return (0);
error = vn_refreshlabel(vp, cred);
if (error)
return (error);
MAC_CHECK(check_vnode_read, cred, vp, &vp->v_label);
return (error);
}
int
mac_check_vnode_readdir(struct ucred *cred, struct vnode *dvp)
{
@ -2050,6 +2077,26 @@ mac_check_vnode_stat(struct ucred *cred, struct vnode *vp)
return (error);
}
int
mac_check_vnode_write(struct ucred *cred, struct vnode *vp)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_write");
if (!mac_enforce_fs)
return (0);
error = vn_refreshlabel(vp, cred);
if (error)
return (error);
MAC_CHECK(check_vnode_write, cred, vp, &vp->v_label);
return (error);
}
/*
* When relabeling a process, call out to the policies for the maximum
* permission allowed for each object type we know about in its

93
sys/security/mac/mac_syscalls.c
View File

@ -755,14 +755,18 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_vnode_mmap_perms =
mpe->mpe_function;
break;
case MAC_CHECK_VNODE_OP:
mpc->mpc_ops->mpo_check_vnode_op =
mpe->mpe_function;
break;
case MAC_CHECK_VNODE_OPEN:
mpc->mpc_ops->mpo_check_vnode_open =
mpe->mpe_function;
break;
case MAC_CHECK_VNODE_POLL:
mpc->mpc_ops->mpo_check_vnode_poll =
mpe->mpe_function;
break;
case MAC_CHECK_VNODE_READ:
mpc->mpc_ops->mpo_check_vnode_read =
mpe->mpe_function;
break;
case MAC_CHECK_VNODE_READDIR:
mpc->mpc_ops->mpo_check_vnode_readdir =
mpe->mpe_function;
@ -815,6 +819,10 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_vnode_stat =
mpe->mpe_function;
break;
case MAC_CHECK_VNODE_WRITE:
mpc->mpc_ops->mpo_check_vnode_write =
mpe->mpe_function;
break;
/*
default:
printf("MAC policy `%s': unknown operation %d\n",
@ -1761,25 +1769,6 @@ mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp, int newmapping)
return (result);
}
int
mac_check_vnode_op(struct ucred *cred, struct vnode *vp, int op)
{
int error;
if (!mac_enforce_fs)
return (0);
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_op");
error = vn_refreshlabel(vp, cred);
if (error)
return (error);
MAC_CHECK(check_vnode_op, cred, vp, &vp->v_label, op);
return (error);
}
int
mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
{
@ -1798,6 +1787,44 @@ mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
return (error);
}
int
mac_check_vnode_poll(struct ucred *cred, struct vnode *vp)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_poll");
if (!mac_enforce_fs)
return (0);
error = vn_refreshlabel(vp, cred);
if (error)
return (error);
MAC_CHECK(check_vnode_poll, cred, vp, &vp->v_label);
return (error);
}
int
mac_check_vnode_read(struct ucred *cred, struct vnode *vp)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_read");
if (!mac_enforce_fs)
return (0);
error = vn_refreshlabel(vp, cred);
if (error)
return (error);
MAC_CHECK(check_vnode_read, cred, vp, &vp->v_label);
return (error);
}
int
mac_check_vnode_readdir(struct ucred *cred, struct vnode *dvp)
{
@ -2050,6 +2077,26 @@ mac_check_vnode_stat(struct ucred *cred, struct vnode *vp)
return (error);
}
int
mac_check_vnode_write(struct ucred *cred, struct vnode *vp)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_write");
if (!mac_enforce_fs)
return (0);
error = vn_refreshlabel(vp, cred);
if (error)
return (error);
MAC_CHECK(check_vnode_write, cred, vp, &vp->v_label);
return (error);
}
/*
* When relabeling a process, call out to the policies for the maximum
* permission allowed for each object type we know about in its

93
sys/security/mac/mac_system.c
View File

@ -755,14 +755,18 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_vnode_mmap_perms =
mpe->mpe_function;
break;
case MAC_CHECK_VNODE_OP:
mpc->mpc_ops->mpo_check_vnode_op =
mpe->mpe_function;
break;
case MAC_CHECK_VNODE_OPEN:
mpc->mpc_ops->mpo_check_vnode_open =
mpe->mpe_function;
break;
case MAC_CHECK_VNODE_POLL:
mpc->mpc_ops->mpo_check_vnode_poll =
mpe->mpe_function;
break;
case MAC_CHECK_VNODE_READ:
mpc->mpc_ops->mpo_check_vnode_read =
mpe->mpe_function;
break;
case MAC_CHECK_VNODE_READDIR:
mpc->mpc_ops->mpo_check_vnode_readdir =
mpe->mpe_function;
@ -815,6 +819,10 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_vnode_stat =
mpe->mpe_function;
break;
case MAC_CHECK_VNODE_WRITE:
mpc->mpc_ops->mpo_check_vnode_write =
mpe->mpe_function;
break;
/*
default:
printf("MAC policy `%s': unknown operation %d\n",
@ -1761,25 +1769,6 @@ mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp, int newmapping)
return (result);
}
int
mac_check_vnode_op(struct ucred *cred, struct vnode *vp, int op)
{
int error;
if (!mac_enforce_fs)
return (0);
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_op");
error = vn_refreshlabel(vp, cred);
if (error)
return (error);
MAC_CHECK(check_vnode_op, cred, vp, &vp->v_label, op);
return (error);
}
int
mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
{
@ -1798,6 +1787,44 @@ mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
return (error);
}
int
mac_check_vnode_poll(struct ucred *cred, struct vnode *vp)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_poll");
if (!mac_enforce_fs)
return (0);
error = vn_refreshlabel(vp, cred);
if (error)
return (error);
MAC_CHECK(check_vnode_poll, cred, vp, &vp->v_label);
return (error);
}
int
mac_check_vnode_read(struct ucred *cred, struct vnode *vp)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_read");
if (!mac_enforce_fs)
return (0);
error = vn_refreshlabel(vp, cred);
if (error)
return (error);
MAC_CHECK(check_vnode_read, cred, vp, &vp->v_label);
return (error);
}
int
mac_check_vnode_readdir(struct ucred *cred, struct vnode *dvp)
{
@ -2050,6 +2077,26 @@ mac_check_vnode_stat(struct ucred *cred, struct vnode *vp)
return (error);
}
int
mac_check_vnode_write(struct ucred *cred, struct vnode *vp)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_write");
if (!mac_enforce_fs)
return (0);
error = vn_refreshlabel(vp, cred);
if (error)
return (error);
MAC_CHECK(check_vnode_write, cred, vp, &vp->v_label);
return (error);
}
/*
* When relabeling a process, call out to the policies for the maximum
* permission allowed for each object type we know about in its

93
sys/security/mac/mac_vfs.c
View File

@ -755,14 +755,18 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_vnode_mmap_perms =
mpe->mpe_function;
break;
case MAC_CHECK_VNODE_OP:
mpc->mpc_ops->mpo_check_vnode_op =
mpe->mpe_function;
break;
case MAC_CHECK_VNODE_OPEN:
mpc->mpc_ops->mpo_check_vnode_open =
mpe->mpe_function;
break;
case MAC_CHECK_VNODE_POLL:
mpc->mpc_ops->mpo_check_vnode_poll =
mpe->mpe_function;
break;
case MAC_CHECK_VNODE_READ:
mpc->mpc_ops->mpo_check_vnode_read =
mpe->mpe_function;
break;
case MAC_CHECK_VNODE_READDIR:
mpc->mpc_ops->mpo_check_vnode_readdir =
mpe->mpe_function;
@ -815,6 +819,10 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_vnode_stat =
mpe->mpe_function;
break;
case MAC_CHECK_VNODE_WRITE:
mpc->mpc_ops->mpo_check_vnode_write =
mpe->mpe_function;
break;
/*
default:
printf("MAC policy `%s': unknown operation %d\n",
@ -1761,25 +1769,6 @@ mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp, int newmapping)
return (result);
}
int
mac_check_vnode_op(struct ucred *cred, struct vnode *vp, int op)
{
int error;
if (!mac_enforce_fs)
return (0);
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_op");
error = vn_refreshlabel(vp, cred);
if (error)
return (error);
MAC_CHECK(check_vnode_op, cred, vp, &vp->v_label, op);
return (error);
}
int
mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
{
@ -1798,6 +1787,44 @@ mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
return (error);
}
int
mac_check_vnode_poll(struct ucred *cred, struct vnode *vp)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_poll");
if (!mac_enforce_fs)
return (0);
error = vn_refreshlabel(vp, cred);
if (error)
return (error);
MAC_CHECK(check_vnode_poll, cred, vp, &vp->v_label);
return (error);
}
int
mac_check_vnode_read(struct ucred *cred, struct vnode *vp)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_read");
if (!mac_enforce_fs)
return (0);
error = vn_refreshlabel(vp, cred);
if (error)
return (error);
MAC_CHECK(check_vnode_read, cred, vp, &vp->v_label);
return (error);
}
int
mac_check_vnode_readdir(struct ucred *cred, struct vnode *dvp)
{
@ -2050,6 +2077,26 @@ mac_check_vnode_stat(struct ucred *cred, struct vnode *vp)
return (error);
}
int
mac_check_vnode_write(struct ucred *cred, struct vnode *vp)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_write");
if (!mac_enforce_fs)
return (0);
error = vn_refreshlabel(vp, cred);
if (error)
return (error);
MAC_CHECK(check_vnode_write, cred, vp, &vp->v_label);
return (error);
}
/*
* When relabeling a process, call out to the policies for the maximum
* permission allowed for each object type we know about in its

92
sys/security/mac_biba/mac_biba.c
View File

@ -1688,6 +1688,42 @@ mac_biba_check_vnode_open(struct ucred *cred, struct vnode *vp,
return (0);
}
static int
mac_biba_check_vnode_poll(struct ucred *cred, struct vnode *vp,
struct label *label)
{
struct mac_biba *subj, *obj;
if (!mac_biba_enabled || !mac_biba_revocation_enabled)
return (0);
subj = SLOT(&cred->cr_label);
obj = SLOT(label);
if (!mac_biba_dominate_single(obj, subj))
return (EACCES);
return (0);
}
static int
mac_biba_check_vnode_read(struct ucred *cred, struct vnode *vp,
struct label *label)
{
struct mac_biba *subj, *obj;
if (!mac_biba_enabled || !mac_biba_revocation_enabled)
return (0);
subj = SLOT(&cred->cr_label);
obj = SLOT(label);
if (!mac_biba_dominate_single(obj, subj))
return (EACCES);
return (0);
}
static int
mac_biba_check_vnode_readdir(struct ucred *cred, struct vnode *dvp,
struct label *dlabel)
@ -1955,6 +1991,24 @@ mac_biba_check_vnode_stat(struct ucred *cred, struct vnode *vp,
return (0);
}
static int
mac_biba_check_vnode_write(struct ucred *cred, struct vnode *vp,
struct label *label)
{
struct mac_biba *subj, *obj;
if (!mac_biba_enabled || !mac_biba_revocation_enabled)
return (0);
subj = SLOT(&cred->cr_label);
obj = SLOT(label);
if (!mac_biba_dominate_single(subj, obj))
return (EACCES);
return (0);
}
static vm_prot_t
mac_biba_check_vnode_mmap_perms(struct ucred *cred, struct vnode *vp,
struct label *label, int newmapping)
@ -1975,36 +2029,6 @@ mac_biba_check_vnode_mmap_perms(struct ucred *cred, struct vnode *vp,
return (prot);
}
static int
mac_biba_check_vnode_op(struct ucred *cred, struct vnode *vp,
struct label *label, int op)
{
struct mac_biba *subj, *obj;
if (!mac_biba_enabled || !mac_biba_revocation_enabled)
return (0);
subj = SLOT(&cred->cr_label);
obj = SLOT(label);
switch (op) {
case MAC_OP_VNODE_POLL:
case MAC_OP_VNODE_READ:
if (!mac_biba_dominate_single(obj, subj))
return (EACCES);
return (0);
case MAC_OP_VNODE_WRITE:
if (!mac_biba_dominate_single(subj, obj))
return (EACCES);
return (0);
default:
printf("mac_biba_check_vnode_op: unknown operation %d\n", op);
return (EINVAL);
}
}
static struct mac_policy_op_entry mac_biba_ops[] =
{
{ MAC_DESTROY,
@ -2189,6 +2213,10 @@ static struct mac_policy_op_entry mac_biba_ops[] =
(macop_t)mac_biba_check_vnode_lookup },
{ MAC_CHECK_VNODE_OPEN,
(macop_t)mac_biba_check_vnode_open },
{ MAC_CHECK_VNODE_POLL,
(macop_t)mac_biba_check_vnode_poll },
{ MAC_CHECK_VNODE_READ,
(macop_t)mac_biba_check_vnode_read },
{ MAC_CHECK_VNODE_READDIR,
(macop_t)mac_biba_check_vnode_readdir },
{ MAC_CHECK_VNODE_READLINK,
@ -2215,10 +2243,10 @@ static struct mac_policy_op_entry mac_biba_ops[] =
(macop_t)mac_biba_check_vnode_setutimes },
{ MAC_CHECK_VNODE_STAT,
(macop_t)mac_biba_check_vnode_stat },
{ MAC_CHECK_VNODE_WRITE,
(macop_t)mac_biba_check_vnode_write },
{ MAC_CHECK_VNODE_MMAP_PERMS,
(macop_t)mac_biba_check_vnode_mmap_perms },
{ MAC_CHECK_VNODE_OP,
(macop_t)mac_biba_check_vnode_op },
{ MAC_OP_LAST, NULL }
};

92
sys/security/mac_mls/mac_mls.c
View File

@ -1638,6 +1638,42 @@ mac_mls_check_vnode_open(struct ucred *cred, struct vnode *vp,
return (0);
}
static int
mac_mls_check_vnode_poll(struct ucred *cred, struct vnode *vp,
struct label *label)
{
struct mac_mls *subj, *obj;
if (!mac_mls_enabled || !mac_mls_revocation_enabled)
return (0);
subj = SLOT(&cred->cr_label);
obj = SLOT(label);
if (!mac_mls_dominate_single(subj, obj))
return (EACCES);
return (0);
}
static int
mac_mls_check_vnode_read(struct ucred *cred, struct vnode *vp,
struct label *label)
{
struct mac_mls *subj, *obj;
if (!mac_mls_enabled || !mac_mls_revocation_enabled)
return (0);
subj = SLOT(&cred->cr_label);
obj = SLOT(label);
if (!mac_mls_dominate_single(subj, obj))
return (EACCES);
return (0);
}
static int
mac_mls_check_vnode_readdir(struct ucred *cred, struct vnode *dvp,
struct label *dlabel)
@ -1906,6 +1942,24 @@ mac_mls_check_vnode_stat(struct ucred *cred, struct vnode *vp,
return (0);
}
static int
mac_mls_check_vnode_write(struct ucred *cred, struct vnode *vp,
struct label *label)
{
struct mac_mls *subj, *obj;
if (!mac_mls_enabled || !mac_mls_revocation_enabled)
return (0);
subj = SLOT(&cred->cr_label);
obj = SLOT(label);
if (!mac_mls_dominate_single(obj, subj))
return (EACCES);
return (0);
}
static vm_prot_t
mac_mls_check_vnode_mmap_perms(struct ucred *cred, struct vnode *vp,
struct label *label, int newmapping)
@ -1926,36 +1980,6 @@ mac_mls_check_vnode_mmap_perms(struct ucred *cred, struct vnode *vp,
return (prot);
}
static int
mac_mls_check_vnode_op(struct ucred *cred, struct vnode *vp,
struct label *label, int op)
{
struct mac_mls *subj, *obj;
if (!mac_mls_enabled || !mac_mls_revocation_enabled)
return (0);
subj = SLOT(&cred->cr_label);
obj = SLOT(label);
switch (op) {
case MAC_OP_VNODE_POLL:
case MAC_OP_VNODE_READ:
if (!mac_mls_dominate_single(subj, obj))
return (EACCES);
return (0);
case MAC_OP_VNODE_WRITE:
if (!mac_mls_dominate_single(obj, subj))
return (EACCES);
return (0);
default:
printf("mac_mls_check_vnode_op: unknown operation %d\n", op);
return (EINVAL);
}
}
static struct mac_policy_op_entry mac_mls_ops[] =
{
{ MAC_DESTROY,
@ -2140,6 +2164,10 @@ static struct mac_policy_op_entry mac_mls_ops[] =
(macop_t)mac_mls_check_vnode_lookup },
{ MAC_CHECK_VNODE_OPEN,
(macop_t)mac_mls_check_vnode_open },
{ MAC_CHECK_VNODE_POLL,
(macop_t)mac_mls_check_vnode_poll },
{ MAC_CHECK_VNODE_READ,
(macop_t)mac_mls_check_vnode_read },
{ MAC_CHECK_VNODE_READDIR,
(macop_t)mac_mls_check_vnode_readdir },
{ MAC_CHECK_VNODE_READLINK,
@ -2166,10 +2194,10 @@ static struct mac_policy_op_entry mac_mls_ops[] =
(macop_t)mac_mls_check_vnode_setutimes },
{ MAC_CHECK_VNODE_STAT,
(macop_t)mac_mls_check_vnode_stat },
{ MAC_CHECK_VNODE_WRITE,
(macop_t)mac_mls_check_vnode_write },
{ MAC_CHECK_VNODE_MMAP_PERMS,
(macop_t)mac_mls_check_vnode_mmap_perms },
{ MAC_CHECK_VNODE_OP,
(macop_t)mac_mls_check_vnode_op },
{ MAC_OP_LAST, NULL }
};

30
sys/security/mac_none/mac_none.c
View File

@ -774,6 +774,22 @@ mac_none_check_vnode_open(struct ucred *cred, struct vnode *vp,
return (0);
}
static int
mac_none_check_vnode_poll(struct ucred *cred, struct vnode *vp,
struct label *label)
{
return (0);
}
static int
mac_none_check_vnode_read(struct ucred *cred, struct vnode *vp,
struct label *label)
{
return (0);
}
static int
mac_none_check_vnode_readdir(struct ucred *cred, struct vnode *vp,
struct label *dlabel)
@ -880,6 +896,14 @@ mac_none_check_vnode_stat(struct ucred *cred, struct vnode *vp,
return (0);
}
static int
mac_none_check_vnode_write(struct ucred *cred, struct vnode *vp,
struct label *label)
{
return (0);
}
static struct mac_policy_op_entry mac_none_ops[] =
{
{ MAC_DESTROY,
@ -1072,6 +1096,10 @@ static struct mac_policy_op_entry mac_none_ops[] =
(macop_t)mac_none_check_vnode_lookup },
{ MAC_CHECK_VNODE_OPEN,
(macop_t)mac_none_check_vnode_open },
{ MAC_CHECK_VNODE_POLL,
(macop_t)mac_none_check_vnode_poll },
{ MAC_CHECK_VNODE_READ,
(macop_t)mac_none_check_vnode_read },
{ MAC_CHECK_VNODE_READDIR,
(macop_t)mac_none_check_vnode_readdir },
{ MAC_CHECK_VNODE_READLINK,
@ -1098,6 +1126,8 @@ static struct mac_policy_op_entry mac_none_ops[] =
(macop_t)mac_none_check_vnode_setutimes },
{ MAC_CHECK_VNODE_STAT,
(macop_t)mac_none_check_vnode_stat },
{ MAC_CHECK_VNODE_WRITE,
(macop_t)mac_none_check_vnode_write },
{ MAC_OP_LAST, NULL }
};

30
sys/security/mac_stub/mac_stub.c
View File

@ -774,6 +774,22 @@ mac_none_check_vnode_open(struct ucred *cred, struct vnode *vp,
return (0);
}
static int
mac_none_check_vnode_poll(struct ucred *cred, struct vnode *vp,
struct label *label)
{
return (0);
}
static int
mac_none_check_vnode_read(struct ucred *cred, struct vnode *vp,
struct label *label)
{
return (0);
}
static int
mac_none_check_vnode_readdir(struct ucred *cred, struct vnode *vp,
struct label *dlabel)
@ -880,6 +896,14 @@ mac_none_check_vnode_stat(struct ucred *cred, struct vnode *vp,
return (0);
}
static int
mac_none_check_vnode_write(struct ucred *cred, struct vnode *vp,
struct label *label)
{
return (0);
}
static struct mac_policy_op_entry mac_none_ops[] =
{
{ MAC_DESTROY,
@ -1072,6 +1096,10 @@ static struct mac_policy_op_entry mac_none_ops[] =
(macop_t)mac_none_check_vnode_lookup },
{ MAC_CHECK_VNODE_OPEN,
(macop_t)mac_none_check_vnode_open },
{ MAC_CHECK_VNODE_POLL,
(macop_t)mac_none_check_vnode_poll },
{ MAC_CHECK_VNODE_READ,
(macop_t)mac_none_check_vnode_read },
{ MAC_CHECK_VNODE_READDIR,
(macop_t)mac_none_check_vnode_readdir },
{ MAC_CHECK_VNODE_READLINK,
@ -1098,6 +1126,8 @@ static struct mac_policy_op_entry mac_none_ops[] =
(macop_t)mac_none_check_vnode_setutimes },
{ MAC_CHECK_VNODE_STAT,
(macop_t)mac_none_check_vnode_stat },
{ MAC_CHECK_VNODE_WRITE,
(macop_t)mac_none_check_vnode_write },
{ MAC_OP_LAST, NULL }
};

30
sys/security/mac_test/mac_test.c
View File

@ -982,6 +982,22 @@ mac_test_check_vnode_open(struct ucred *cred, struct vnode *vp,
return (0);
}
static int
mac_test_check_vnode_poll(struct ucred *cred, struct vnode *vp,
struct label *label)
{
return (0);
}
static int
mac_test_check_vnode_read(struct ucred *cred, struct vnode *vp,
struct label *label)
{
return (0);
}
static int
mac_test_check_vnode_readdir(struct ucred *cred, struct vnode *dvp,
struct label *dlabel)
@ -1088,6 +1104,14 @@ mac_test_check_vnode_stat(struct ucred *cred, struct vnode *vp,
return (0);
}
static int
mac_test_check_vnode_write(struct ucred *cred, struct vnode *vp,
struct label *label)
{
return (0);
}
static struct mac_policy_op_entry mac_test_ops[] =
{
{ MAC_DESTROY,
@ -1278,6 +1302,10 @@ static struct mac_policy_op_entry mac_test_ops[] =
(macop_t)mac_test_check_vnode_lookup },
{ MAC_CHECK_VNODE_OPEN,
(macop_t)mac_test_check_vnode_open },
{ MAC_CHECK_VNODE_POLL,
(macop_t)mac_test_check_vnode_poll },
{ MAC_CHECK_VNODE_READ,
(macop_t)mac_test_check_vnode_read },
{ MAC_CHECK_VNODE_READDIR,
(macop_t)mac_test_check_vnode_readdir },
{ MAC_CHECK_VNODE_READLINK,
@ -1304,6 +1332,8 @@ static struct mac_policy_op_entry mac_test_ops[] =
(macop_t)mac_test_check_vnode_setutimes },
{ MAC_CHECK_VNODE_STAT,
(macop_t)mac_test_check_vnode_stat },
{ MAC_CHECK_VNODE_WRITE,
(macop_t)mac_test_check_vnode_write },
{ MAC_OP_LAST, NULL }
};

4
sys/sys/mac.h
View File

@ -341,9 +341,10 @@ int mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
/* XXX This u_char should be vm_prot_t! */
u_char mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp,
int newmapping);
int mac_check_vnode_op(struct ucred *cred, struct vnode *vp, int op);
int mac_check_vnode_open(struct ucred *cred, struct vnode *vp,
mode_t acc_mode);
int mac_check_vnode_poll(struct ucred *cred, struct vnode *vp);
int mac_check_vnode_read(struct ucred *cred, struct vnode *vp);
int mac_check_vnode_readdir(struct ucred *cred, struct vnode *vp);
int mac_check_vnode_readlink(struct ucred *cred, struct vnode *vp);
int mac_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
@ -364,6 +365,7 @@ int mac_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
int mac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
struct timespec atime, struct timespec mtime);
int mac_check_vnode_stat(struct ucred *cred, struct vnode *vp);
int mac_check_vnode_write(struct ucred *cred, struct vnode *vp);
int mac_getsockopt_label_get(struct ucred *cred, struct socket *so,
struct mac *extmac);
int mac_getsockopt_peerlabel_get(struct ucred *cred, struct socket *so,

12
sys/sys/mac_policy.h
View File

@ -286,10 +286,12 @@ struct mac_policy_ops {
struct componentname *cnp);
vm_prot_t (*mpo_check_vnode_mmap_perms)(struct ucred *cred,
struct vnode *vp, struct label *label, int newmapping);
int (*mpo_check_vnode_op)(struct ucred *cred, struct vnode *vp,
struct label *label, int op);
int (*mpo_check_vnode_open)(struct ucred *cred, struct vnode *vp,
struct label *label, mode_t acc_mode);
int (*mpo_check_vnode_poll)(struct ucred *cred, struct vnode *vp,
struct label *label);
int (*mpo_check_vnode_read)(struct ucred *cred, struct vnode *vp,
struct label *label);
int (*mpo_check_vnode_readdir)(struct ucred *cred,
struct vnode *dvp, struct label *dlabel);
int (*mpo_check_vnode_readlink)(struct ucred *cred,
@ -324,6 +326,8 @@ struct mac_policy_ops {
struct timespec atime, struct timespec mtime);
int (*mpo_check_vnode_stat)(struct ucred *cred, struct vnode *vp,
struct label *label);
int (*mpo_check_vnode_write)(struct ucred *cred, struct vnode *vp,
struct label *label);
};
typedef const void *macop_t;
@ -426,8 +430,9 @@ enum mac_op_constant {
MAC_CHECK_VNODE_GETEXTATTR,
MAC_CHECK_VNODE_LOOKUP,
MAC_CHECK_VNODE_MMAP_PERMS,
MAC_CHECK_VNODE_OP,
MAC_CHECK_VNODE_OPEN,
MAC_CHECK_VNODE_POLL,
MAC_CHECK_VNODE_READ,
MAC_CHECK_VNODE_READDIR,
MAC_CHECK_VNODE_READLINK,
MAC_CHECK_VNODE_RELABEL,
@ -441,6 +446,7 @@ enum mac_op_constant {
MAC_CHECK_VNODE_SETOWNER,
MAC_CHECK_VNODE_SETUTIMES,
MAC_CHECK_VNODE_STAT,
MAC_CHECK_VNODE_WRITE,
};
struct mac_policy_op_entry {