From 7f724f8b5126a3125f4a7074c45a89ea793ce1a2 Mon Sep 17 00:00:00 2001 From: Robert Watson Date: Mon, 19 Aug 2002 16:43:25 +0000 Subject: [PATCH] Break out mac_check_vnode_op() into three seperate checks: mac_check_vnode_poll(), mac_check_vnode_read(), mac_check_vnode_write(). This improves the consistency with other existing vnode checks, and allows policies to avoid implementing switch statements to determine what operations they do and do not want to authorize. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs --- sys/kern/kern_ktrace.c | 2 +- sys/kern/kern_mac.c | 93 ++++++++++++++++++++++++-------- sys/kern/tty_tty.c | 6 +-- sys/kern/vfs_extattr.c | 12 ++--- sys/kern/vfs_syscalls.c | 12 ++--- sys/kern/vfs_vnops.c | 12 ++--- sys/security/mac/mac_framework.c | 93 ++++++++++++++++++++++++-------- sys/security/mac/mac_framework.h | 4 +- sys/security/mac/mac_internal.h | 93 ++++++++++++++++++++++++-------- sys/security/mac/mac_net.c | 93 ++++++++++++++++++++++++-------- sys/security/mac/mac_pipe.c | 93 ++++++++++++++++++++++++-------- sys/security/mac/mac_policy.h | 12 +++-- sys/security/mac/mac_process.c | 93 ++++++++++++++++++++++++-------- sys/security/mac/mac_syscalls.c | 93 ++++++++++++++++++++++++-------- sys/security/mac/mac_system.c | 93 ++++++++++++++++++++++++-------- sys/security/mac/mac_vfs.c | 93 ++++++++++++++++++++++++-------- sys/security/mac_biba/mac_biba.c | 92 ++++++++++++++++++++----------- sys/security/mac_mls/mac_mls.c | 92 ++++++++++++++++++++----------- sys/security/mac_none/mac_none.c | 30 +++++++++++ sys/security/mac_stub/mac_stub.c | 30 +++++++++++ sys/security/mac_test/mac_test.c | 30 +++++++++++ sys/sys/mac.h | 4 +- sys/sys/mac_policy.h | 12 +++-- 23 files changed, 881 insertions(+), 306 deletions(-) diff --git a/sys/kern/kern_ktrace.c b/sys/kern/kern_ktrace.c index 5a40e09660ff..a21f5e2ea692 100644 --- a/sys/kern/kern_ktrace.c +++ b/sys/kern/kern_ktrace.c @@ -771,7 +771,7 @@ ktr_writerequest(struct ktr_request *req) vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); (void)VOP_LEASE(vp, td, cred, LEASE_WRITE); #ifdef MAC - error = mac_check_vnode_op(cred, vp, MAC_OP_VNODE_WRITE); + error = mac_check_vnode_write(cred, vp); if (error == 0) #endif error = VOP_WRITE(vp, &auio, IO_UNIT | IO_APPEND, cred); diff --git a/sys/kern/kern_mac.c b/sys/kern/kern_mac.c index 0d6a898d1ddd..f8cb676afbb7 100644 --- a/sys/kern/kern_mac.c +++ b/sys/kern/kern_mac.c @@ -755,14 +755,18 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_check_vnode_mmap_perms = mpe->mpe_function; break; - case MAC_CHECK_VNODE_OP: - mpc->mpc_ops->mpo_check_vnode_op = - mpe->mpe_function; - break; case MAC_CHECK_VNODE_OPEN: mpc->mpc_ops->mpo_check_vnode_open = mpe->mpe_function; break; + case MAC_CHECK_VNODE_POLL: + mpc->mpc_ops->mpo_check_vnode_poll = + mpe->mpe_function; + break; + case MAC_CHECK_VNODE_READ: + mpc->mpc_ops->mpo_check_vnode_read = + mpe->mpe_function; + break; case MAC_CHECK_VNODE_READDIR: mpc->mpc_ops->mpo_check_vnode_readdir = mpe->mpe_function; @@ -815,6 +819,10 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_check_vnode_stat = mpe->mpe_function; break; + case MAC_CHECK_VNODE_WRITE: + mpc->mpc_ops->mpo_check_vnode_write = + mpe->mpe_function; + break; /* default: printf("MAC policy `%s': unknown operation %d\n", @@ -1761,25 +1769,6 @@ mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp, int newmapping) return (result); } -int -mac_check_vnode_op(struct ucred *cred, struct vnode *vp, int op) -{ - int error; - - if (!mac_enforce_fs) - return (0); - - ASSERT_VOP_LOCKED(vp, "mac_check_vnode_op"); - - error = vn_refreshlabel(vp, cred); - if (error) - return (error); - - MAC_CHECK(check_vnode_op, cred, vp, &vp->v_label, op); - - return (error); -} - int mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode) { @@ -1798,6 +1787,44 @@ mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode) return (error); } +int +mac_check_vnode_poll(struct ucred *cred, struct vnode *vp) +{ + int error; + + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_poll"); + + if (!mac_enforce_fs) + return (0); + + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + + MAC_CHECK(check_vnode_poll, cred, vp, &vp->v_label); + + return (error); +} + +int +mac_check_vnode_read(struct ucred *cred, struct vnode *vp) +{ + int error; + + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_read"); + + if (!mac_enforce_fs) + return (0); + + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + + MAC_CHECK(check_vnode_read, cred, vp, &vp->v_label); + + return (error); +} + int mac_check_vnode_readdir(struct ucred *cred, struct vnode *dvp) { @@ -2050,6 +2077,26 @@ mac_check_vnode_stat(struct ucred *cred, struct vnode *vp) return (error); } +int +mac_check_vnode_write(struct ucred *cred, struct vnode *vp) +{ + int error; + + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_write"); + + if (!mac_enforce_fs) + return (0); + + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + + MAC_CHECK(check_vnode_write, cred, vp, &vp->v_label); + + return (error); +} + + /* * When relabeling a process, call out to the policies for the maximum * permission allowed for each object type we know about in its diff --git a/sys/kern/tty_tty.c b/sys/kern/tty_tty.c index f70f585b3222..86132d9369cf 100644 --- a/sys/kern/tty_tty.c +++ b/sys/kern/tty_tty.c @@ -131,7 +131,7 @@ cttyread(dev, uio, flag) vn_lock(ttyvp, LK_EXCLUSIVE | LK_RETRY, td); #ifdef MAC /* XXX: Shouldn't the cred below be td->td_ucred not NOCRED? */ - error = mac_check_vnode_op(td->td_ucred, ttyvp, MAC_OP_VNODE_READ); + error = mac_check_vnode_read(td->td_ucred, ttyvp); if (error == 0) #endif error = VOP_READ(ttyvp, uio, flag, NOCRED); @@ -166,7 +166,7 @@ cttywrite(dev, uio, flag) vn_lock(ttyvp, LK_EXCLUSIVE | LK_RETRY, td); #ifdef MAC /* XXX: shouldn't the cred below be td->td_ucred not NOCRED? */ - error = mac_check_vnode_op(td->td_ucred, ttyvp, MAC_OP_VNODE_WRITE); + error = mac_check_vnode_write(td->td_ucred, ttyvp); if (error == 0) #endif error = VOP_WRITE(ttyvp, uio, flag, NOCRED); @@ -236,7 +236,7 @@ cttypoll(dev, events, td) return (seltrue(dev, events, td)); #ifdef MAC vn_lock(ttyvp, LK_EXCLUSIVE | LK_RETRY, td); - error = mac_check_vnode_op(td->td_ucred, ttyvp, MAC_OP_VNODE_POLL); + error = mac_check_vnode_poll(td->td_ucred, ttyvp); VOP_UNLOCK(ttyvp, 0, td); if (error) return (error); diff --git a/sys/kern/vfs_extattr.c b/sys/kern/vfs_extattr.c index 39f842309deb..fce45fee9c82 100644 --- a/sys/kern/vfs_extattr.c +++ b/sys/kern/vfs_extattr.c @@ -734,8 +734,7 @@ open(td, uap) vat.va_size = 0; vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); #ifdef MAC - error = mac_check_vnode_op(td->td_ucred, vp, - MAC_OP_VNODE_WRITE); + error = mac_check_vnode_write(td->td_ucred, vp); if (error == 0) #endif error = VOP_SETATTR(vp, &vat, td->td_ucred, td); @@ -2368,8 +2367,7 @@ truncate(td, uap) if (vp->v_type == VDIR) error = EISDIR; #ifdef MAC - else if ((error = mac_check_vnode_op(td->td_ucred, vp, - MAC_OP_VNODE_WRITE))) {} + else if ((error = mac_check_vnode_write(td->td_ucred, vp))) {} #endif else if ((error = vn_writechk(vp)) == 0 && (error = VOP_ACCESS(vp, VWRITE, td->td_ucred, td)) == 0) { @@ -2426,8 +2424,7 @@ ftruncate(td, uap) if (vp->v_type == VDIR) error = EISDIR; #ifdef MAC - else if ((error = mac_check_vnode_op(td->td_ucred, vp, - MAC_OP_VNODE_WRITE))) {} + else if ((error = mac_check_vnode_write(td->td_ucred, vp))) {} #endif else if ((error = vn_writechk(vp)) == 0) { VATTR_NULL(&vattr); @@ -3345,8 +3342,7 @@ fhopen(td, uap) VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE); vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); /* XXX */ #ifdef MAC - error = mac_check_vnode_op(td->td_ucred, vp, - MAC_OP_VNODE_WRITE); + error = mac_check_vnode_write(td->td_ucred, vp); if (error == 0) { #endif VATTR_NULL(vap); diff --git a/sys/kern/vfs_syscalls.c b/sys/kern/vfs_syscalls.c index 39f842309deb..fce45fee9c82 100644 --- a/sys/kern/vfs_syscalls.c +++ b/sys/kern/vfs_syscalls.c @@ -734,8 +734,7 @@ open(td, uap) vat.va_size = 0; vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); #ifdef MAC - error = mac_check_vnode_op(td->td_ucred, vp, - MAC_OP_VNODE_WRITE); + error = mac_check_vnode_write(td->td_ucred, vp); if (error == 0) #endif error = VOP_SETATTR(vp, &vat, td->td_ucred, td); @@ -2368,8 +2367,7 @@ truncate(td, uap) if (vp->v_type == VDIR) error = EISDIR; #ifdef MAC - else if ((error = mac_check_vnode_op(td->td_ucred, vp, - MAC_OP_VNODE_WRITE))) {} + else if ((error = mac_check_vnode_write(td->td_ucred, vp))) {} #endif else if ((error = vn_writechk(vp)) == 0 && (error = VOP_ACCESS(vp, VWRITE, td->td_ucred, td)) == 0) { @@ -2426,8 +2424,7 @@ ftruncate(td, uap) if (vp->v_type == VDIR) error = EISDIR; #ifdef MAC - else if ((error = mac_check_vnode_op(td->td_ucred, vp, - MAC_OP_VNODE_WRITE))) {} + else if ((error = mac_check_vnode_write(td->td_ucred, vp))) {} #endif else if ((error = vn_writechk(vp)) == 0) { VATTR_NULL(&vattr); @@ -3345,8 +3342,7 @@ fhopen(td, uap) VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE); vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); /* XXX */ #ifdef MAC - error = mac_check_vnode_op(td->td_ucred, vp, - MAC_OP_VNODE_WRITE); + error = mac_check_vnode_write(td->td_ucred, vp); if (error == 0) { #endif VATTR_NULL(vap); diff --git a/sys/kern/vfs_vnops.c b/sys/kern/vfs_vnops.c index 07e5fc936022..08bdeb2e6e70 100644 --- a/sys/kern/vfs_vnops.c +++ b/sys/kern/vfs_vnops.c @@ -402,11 +402,9 @@ vn_rdwr(rw, vp, base, len, offset, segflg, ioflg, active_cred, file_cred, #ifdef MAC if ((ioflg & IO_NOMACCHECK) == 0) { if (rw == UIO_READ) - error = mac_check_vnode_op(active_cred, vp, - MAC_OP_VNODE_READ); + error = mac_check_vnode_read(active_cred, vp); else - error = mac_check_vnode_op(active_cred, vp, - MAC_OP_VNODE_WRITE); + error = mac_check_vnode_write(active_cred, vp); } #endif if (error == 0) { @@ -507,7 +505,7 @@ vn_read(fp, uio, active_cred, flags, td) ioflag |= sequential_heuristic(uio, fp); #ifdef MAC - error = mac_check_vnode_op(active_cred, vp, MAC_OP_VNODE_READ); + error = mac_check_vnode_read(active_cred, vp); if (error == 0) #endif error = VOP_READ(vp, uio, ioflag, fp->f_cred); @@ -562,7 +560,7 @@ vn_write(fp, uio, active_cred, flags, td) uio->uio_offset = fp->f_offset; ioflag |= sequential_heuristic(uio, fp); #ifdef MAC - error = mac_check_vnode_op(active_cred, vp, MAC_OP_VNODE_WRITE); + error = mac_check_vnode_write(active_cred, vp); if (error == 0) #endif error = VOP_WRITE(vp, uio, ioflag, fp->f_cred); @@ -807,7 +805,7 @@ vn_poll(fp, events, active_cred, td) vp = (struct vnode *)fp->f_data; #ifdef MAC vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); - error = mac_check_vnode_op(active_cred, vp, MAC_OP_VNODE_POLL); + error = mac_check_vnode_poll(active_cred, vp); VOP_UNLOCK(vp, 0, td); if (error) return (error); diff --git a/sys/security/mac/mac_framework.c b/sys/security/mac/mac_framework.c index 0d6a898d1ddd..f8cb676afbb7 100644 --- a/sys/security/mac/mac_framework.c +++ b/sys/security/mac/mac_framework.c @@ -755,14 +755,18 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_check_vnode_mmap_perms = mpe->mpe_function; break; - case MAC_CHECK_VNODE_OP: - mpc->mpc_ops->mpo_check_vnode_op = - mpe->mpe_function; - break; case MAC_CHECK_VNODE_OPEN: mpc->mpc_ops->mpo_check_vnode_open = mpe->mpe_function; break; + case MAC_CHECK_VNODE_POLL: + mpc->mpc_ops->mpo_check_vnode_poll = + mpe->mpe_function; + break; + case MAC_CHECK_VNODE_READ: + mpc->mpc_ops->mpo_check_vnode_read = + mpe->mpe_function; + break; case MAC_CHECK_VNODE_READDIR: mpc->mpc_ops->mpo_check_vnode_readdir = mpe->mpe_function; @@ -815,6 +819,10 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_check_vnode_stat = mpe->mpe_function; break; + case MAC_CHECK_VNODE_WRITE: + mpc->mpc_ops->mpo_check_vnode_write = + mpe->mpe_function; + break; /* default: printf("MAC policy `%s': unknown operation %d\n", @@ -1761,25 +1769,6 @@ mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp, int newmapping) return (result); } -int -mac_check_vnode_op(struct ucred *cred, struct vnode *vp, int op) -{ - int error; - - if (!mac_enforce_fs) - return (0); - - ASSERT_VOP_LOCKED(vp, "mac_check_vnode_op"); - - error = vn_refreshlabel(vp, cred); - if (error) - return (error); - - MAC_CHECK(check_vnode_op, cred, vp, &vp->v_label, op); - - return (error); -} - int mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode) { @@ -1798,6 +1787,44 @@ mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode) return (error); } +int +mac_check_vnode_poll(struct ucred *cred, struct vnode *vp) +{ + int error; + + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_poll"); + + if (!mac_enforce_fs) + return (0); + + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + + MAC_CHECK(check_vnode_poll, cred, vp, &vp->v_label); + + return (error); +} + +int +mac_check_vnode_read(struct ucred *cred, struct vnode *vp) +{ + int error; + + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_read"); + + if (!mac_enforce_fs) + return (0); + + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + + MAC_CHECK(check_vnode_read, cred, vp, &vp->v_label); + + return (error); +} + int mac_check_vnode_readdir(struct ucred *cred, struct vnode *dvp) { @@ -2050,6 +2077,26 @@ mac_check_vnode_stat(struct ucred *cred, struct vnode *vp) return (error); } +int +mac_check_vnode_write(struct ucred *cred, struct vnode *vp) +{ + int error; + + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_write"); + + if (!mac_enforce_fs) + return (0); + + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + + MAC_CHECK(check_vnode_write, cred, vp, &vp->v_label); + + return (error); +} + + /* * When relabeling a process, call out to the policies for the maximum * permission allowed for each object type we know about in its diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h index d80387cff013..3d73df4e7977 100644 --- a/sys/security/mac/mac_framework.h +++ b/sys/security/mac/mac_framework.h @@ -341,9 +341,10 @@ int mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, /* XXX This u_char should be vm_prot_t! */ u_char mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp, int newmapping); -int mac_check_vnode_op(struct ucred *cred, struct vnode *vp, int op); int mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode); +int mac_check_vnode_poll(struct ucred *cred, struct vnode *vp); +int mac_check_vnode_read(struct ucred *cred, struct vnode *vp); int mac_check_vnode_readdir(struct ucred *cred, struct vnode *vp); int mac_check_vnode_readlink(struct ucred *cred, struct vnode *vp); int mac_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp, @@ -364,6 +365,7 @@ int mac_check_vnode_setowner(struct ucred *cred, struct vnode *vp, int mac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp, struct timespec atime, struct timespec mtime); int mac_check_vnode_stat(struct ucred *cred, struct vnode *vp); +int mac_check_vnode_write(struct ucred *cred, struct vnode *vp); int mac_getsockopt_label_get(struct ucred *cred, struct socket *so, struct mac *extmac); int mac_getsockopt_peerlabel_get(struct ucred *cred, struct socket *so, diff --git a/sys/security/mac/mac_internal.h b/sys/security/mac/mac_internal.h index 0d6a898d1ddd..f8cb676afbb7 100644 --- a/sys/security/mac/mac_internal.h +++ b/sys/security/mac/mac_internal.h @@ -755,14 +755,18 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_check_vnode_mmap_perms = mpe->mpe_function; break; - case MAC_CHECK_VNODE_OP: - mpc->mpc_ops->mpo_check_vnode_op = - mpe->mpe_function; - break; case MAC_CHECK_VNODE_OPEN: mpc->mpc_ops->mpo_check_vnode_open = mpe->mpe_function; break; + case MAC_CHECK_VNODE_POLL: + mpc->mpc_ops->mpo_check_vnode_poll = + mpe->mpe_function; + break; + case MAC_CHECK_VNODE_READ: + mpc->mpc_ops->mpo_check_vnode_read = + mpe->mpe_function; + break; case MAC_CHECK_VNODE_READDIR: mpc->mpc_ops->mpo_check_vnode_readdir = mpe->mpe_function; @@ -815,6 +819,10 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_check_vnode_stat = mpe->mpe_function; break; + case MAC_CHECK_VNODE_WRITE: + mpc->mpc_ops->mpo_check_vnode_write = + mpe->mpe_function; + break; /* default: printf("MAC policy `%s': unknown operation %d\n", @@ -1761,25 +1769,6 @@ mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp, int newmapping) return (result); } -int -mac_check_vnode_op(struct ucred *cred, struct vnode *vp, int op) -{ - int error; - - if (!mac_enforce_fs) - return (0); - - ASSERT_VOP_LOCKED(vp, "mac_check_vnode_op"); - - error = vn_refreshlabel(vp, cred); - if (error) - return (error); - - MAC_CHECK(check_vnode_op, cred, vp, &vp->v_label, op); - - return (error); -} - int mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode) { @@ -1798,6 +1787,44 @@ mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode) return (error); } +int +mac_check_vnode_poll(struct ucred *cred, struct vnode *vp) +{ + int error; + + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_poll"); + + if (!mac_enforce_fs) + return (0); + + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + + MAC_CHECK(check_vnode_poll, cred, vp, &vp->v_label); + + return (error); +} + +int +mac_check_vnode_read(struct ucred *cred, struct vnode *vp) +{ + int error; + + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_read"); + + if (!mac_enforce_fs) + return (0); + + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + + MAC_CHECK(check_vnode_read, cred, vp, &vp->v_label); + + return (error); +} + int mac_check_vnode_readdir(struct ucred *cred, struct vnode *dvp) { @@ -2050,6 +2077,26 @@ mac_check_vnode_stat(struct ucred *cred, struct vnode *vp) return (error); } +int +mac_check_vnode_write(struct ucred *cred, struct vnode *vp) +{ + int error; + + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_write"); + + if (!mac_enforce_fs) + return (0); + + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + + MAC_CHECK(check_vnode_write, cred, vp, &vp->v_label); + + return (error); +} + + /* * When relabeling a process, call out to the policies for the maximum * permission allowed for each object type we know about in its diff --git a/sys/security/mac/mac_net.c b/sys/security/mac/mac_net.c index 0d6a898d1ddd..f8cb676afbb7 100644 --- a/sys/security/mac/mac_net.c +++ b/sys/security/mac/mac_net.c @@ -755,14 +755,18 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_check_vnode_mmap_perms = mpe->mpe_function; break; - case MAC_CHECK_VNODE_OP: - mpc->mpc_ops->mpo_check_vnode_op = - mpe->mpe_function; - break; case MAC_CHECK_VNODE_OPEN: mpc->mpc_ops->mpo_check_vnode_open = mpe->mpe_function; break; + case MAC_CHECK_VNODE_POLL: + mpc->mpc_ops->mpo_check_vnode_poll = + mpe->mpe_function; + break; + case MAC_CHECK_VNODE_READ: + mpc->mpc_ops->mpo_check_vnode_read = + mpe->mpe_function; + break; case MAC_CHECK_VNODE_READDIR: mpc->mpc_ops->mpo_check_vnode_readdir = mpe->mpe_function; @@ -815,6 +819,10 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_check_vnode_stat = mpe->mpe_function; break; + case MAC_CHECK_VNODE_WRITE: + mpc->mpc_ops->mpo_check_vnode_write = + mpe->mpe_function; + break; /* default: printf("MAC policy `%s': unknown operation %d\n", @@ -1761,25 +1769,6 @@ mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp, int newmapping) return (result); } -int -mac_check_vnode_op(struct ucred *cred, struct vnode *vp, int op) -{ - int error; - - if (!mac_enforce_fs) - return (0); - - ASSERT_VOP_LOCKED(vp, "mac_check_vnode_op"); - - error = vn_refreshlabel(vp, cred); - if (error) - return (error); - - MAC_CHECK(check_vnode_op, cred, vp, &vp->v_label, op); - - return (error); -} - int mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode) { @@ -1798,6 +1787,44 @@ mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode) return (error); } +int +mac_check_vnode_poll(struct ucred *cred, struct vnode *vp) +{ + int error; + + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_poll"); + + if (!mac_enforce_fs) + return (0); + + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + + MAC_CHECK(check_vnode_poll, cred, vp, &vp->v_label); + + return (error); +} + +int +mac_check_vnode_read(struct ucred *cred, struct vnode *vp) +{ + int error; + + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_read"); + + if (!mac_enforce_fs) + return (0); + + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + + MAC_CHECK(check_vnode_read, cred, vp, &vp->v_label); + + return (error); +} + int mac_check_vnode_readdir(struct ucred *cred, struct vnode *dvp) { @@ -2050,6 +2077,26 @@ mac_check_vnode_stat(struct ucred *cred, struct vnode *vp) return (error); } +int +mac_check_vnode_write(struct ucred *cred, struct vnode *vp) +{ + int error; + + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_write"); + + if (!mac_enforce_fs) + return (0); + + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + + MAC_CHECK(check_vnode_write, cred, vp, &vp->v_label); + + return (error); +} + + /* * When relabeling a process, call out to the policies for the maximum * permission allowed for each object type we know about in its diff --git a/sys/security/mac/mac_pipe.c b/sys/security/mac/mac_pipe.c index 0d6a898d1ddd..f8cb676afbb7 100644 --- a/sys/security/mac/mac_pipe.c +++ b/sys/security/mac/mac_pipe.c @@ -755,14 +755,18 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_check_vnode_mmap_perms = mpe->mpe_function; break; - case MAC_CHECK_VNODE_OP: - mpc->mpc_ops->mpo_check_vnode_op = - mpe->mpe_function; - break; case MAC_CHECK_VNODE_OPEN: mpc->mpc_ops->mpo_check_vnode_open = mpe->mpe_function; break; + case MAC_CHECK_VNODE_POLL: + mpc->mpc_ops->mpo_check_vnode_poll = + mpe->mpe_function; + break; + case MAC_CHECK_VNODE_READ: + mpc->mpc_ops->mpo_check_vnode_read = + mpe->mpe_function; + break; case MAC_CHECK_VNODE_READDIR: mpc->mpc_ops->mpo_check_vnode_readdir = mpe->mpe_function; @@ -815,6 +819,10 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_check_vnode_stat = mpe->mpe_function; break; + case MAC_CHECK_VNODE_WRITE: + mpc->mpc_ops->mpo_check_vnode_write = + mpe->mpe_function; + break; /* default: printf("MAC policy `%s': unknown operation %d\n", @@ -1761,25 +1769,6 @@ mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp, int newmapping) return (result); } -int -mac_check_vnode_op(struct ucred *cred, struct vnode *vp, int op) -{ - int error; - - if (!mac_enforce_fs) - return (0); - - ASSERT_VOP_LOCKED(vp, "mac_check_vnode_op"); - - error = vn_refreshlabel(vp, cred); - if (error) - return (error); - - MAC_CHECK(check_vnode_op, cred, vp, &vp->v_label, op); - - return (error); -} - int mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode) { @@ -1798,6 +1787,44 @@ mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode) return (error); } +int +mac_check_vnode_poll(struct ucred *cred, struct vnode *vp) +{ + int error; + + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_poll"); + + if (!mac_enforce_fs) + return (0); + + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + + MAC_CHECK(check_vnode_poll, cred, vp, &vp->v_label); + + return (error); +} + +int +mac_check_vnode_read(struct ucred *cred, struct vnode *vp) +{ + int error; + + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_read"); + + if (!mac_enforce_fs) + return (0); + + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + + MAC_CHECK(check_vnode_read, cred, vp, &vp->v_label); + + return (error); +} + int mac_check_vnode_readdir(struct ucred *cred, struct vnode *dvp) { @@ -2050,6 +2077,26 @@ mac_check_vnode_stat(struct ucred *cred, struct vnode *vp) return (error); } +int +mac_check_vnode_write(struct ucred *cred, struct vnode *vp) +{ + int error; + + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_write"); + + if (!mac_enforce_fs) + return (0); + + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + + MAC_CHECK(check_vnode_write, cred, vp, &vp->v_label); + + return (error); +} + + /* * When relabeling a process, call out to the policies for the maximum * permission allowed for each object type we know about in its diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h index 5463fa90efde..9bc28ad730cd 100644 --- a/sys/security/mac/mac_policy.h +++ b/sys/security/mac/mac_policy.h @@ -286,10 +286,12 @@ struct mac_policy_ops { struct componentname *cnp); vm_prot_t (*mpo_check_vnode_mmap_perms)(struct ucred *cred, struct vnode *vp, struct label *label, int newmapping); - int (*mpo_check_vnode_op)(struct ucred *cred, struct vnode *vp, - struct label *label, int op); int (*mpo_check_vnode_open)(struct ucred *cred, struct vnode *vp, struct label *label, mode_t acc_mode); + int (*mpo_check_vnode_poll)(struct ucred *cred, struct vnode *vp, + struct label *label); + int (*mpo_check_vnode_read)(struct ucred *cred, struct vnode *vp, + struct label *label); int (*mpo_check_vnode_readdir)(struct ucred *cred, struct vnode *dvp, struct label *dlabel); int (*mpo_check_vnode_readlink)(struct ucred *cred, @@ -324,6 +326,8 @@ struct mac_policy_ops { struct timespec atime, struct timespec mtime); int (*mpo_check_vnode_stat)(struct ucred *cred, struct vnode *vp, struct label *label); + int (*mpo_check_vnode_write)(struct ucred *cred, struct vnode *vp, + struct label *label); }; typedef const void *macop_t; @@ -426,8 +430,9 @@ enum mac_op_constant { MAC_CHECK_VNODE_GETEXTATTR, MAC_CHECK_VNODE_LOOKUP, MAC_CHECK_VNODE_MMAP_PERMS, - MAC_CHECK_VNODE_OP, MAC_CHECK_VNODE_OPEN, + MAC_CHECK_VNODE_POLL, + MAC_CHECK_VNODE_READ, MAC_CHECK_VNODE_READDIR, MAC_CHECK_VNODE_READLINK, MAC_CHECK_VNODE_RELABEL, @@ -441,6 +446,7 @@ enum mac_op_constant { MAC_CHECK_VNODE_SETOWNER, MAC_CHECK_VNODE_SETUTIMES, MAC_CHECK_VNODE_STAT, + MAC_CHECK_VNODE_WRITE, }; struct mac_policy_op_entry { diff --git a/sys/security/mac/mac_process.c b/sys/security/mac/mac_process.c index 0d6a898d1ddd..f8cb676afbb7 100644 --- a/sys/security/mac/mac_process.c +++ b/sys/security/mac/mac_process.c @@ -755,14 +755,18 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_check_vnode_mmap_perms = mpe->mpe_function; break; - case MAC_CHECK_VNODE_OP: - mpc->mpc_ops->mpo_check_vnode_op = - mpe->mpe_function; - break; case MAC_CHECK_VNODE_OPEN: mpc->mpc_ops->mpo_check_vnode_open = mpe->mpe_function; break; + case MAC_CHECK_VNODE_POLL: + mpc->mpc_ops->mpo_check_vnode_poll = + mpe->mpe_function; + break; + case MAC_CHECK_VNODE_READ: + mpc->mpc_ops->mpo_check_vnode_read = + mpe->mpe_function; + break; case MAC_CHECK_VNODE_READDIR: mpc->mpc_ops->mpo_check_vnode_readdir = mpe->mpe_function; @@ -815,6 +819,10 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_check_vnode_stat = mpe->mpe_function; break; + case MAC_CHECK_VNODE_WRITE: + mpc->mpc_ops->mpo_check_vnode_write = + mpe->mpe_function; + break; /* default: printf("MAC policy `%s': unknown operation %d\n", @@ -1761,25 +1769,6 @@ mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp, int newmapping) return (result); } -int -mac_check_vnode_op(struct ucred *cred, struct vnode *vp, int op) -{ - int error; - - if (!mac_enforce_fs) - return (0); - - ASSERT_VOP_LOCKED(vp, "mac_check_vnode_op"); - - error = vn_refreshlabel(vp, cred); - if (error) - return (error); - - MAC_CHECK(check_vnode_op, cred, vp, &vp->v_label, op); - - return (error); -} - int mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode) { @@ -1798,6 +1787,44 @@ mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode) return (error); } +int +mac_check_vnode_poll(struct ucred *cred, struct vnode *vp) +{ + int error; + + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_poll"); + + if (!mac_enforce_fs) + return (0); + + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + + MAC_CHECK(check_vnode_poll, cred, vp, &vp->v_label); + + return (error); +} + +int +mac_check_vnode_read(struct ucred *cred, struct vnode *vp) +{ + int error; + + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_read"); + + if (!mac_enforce_fs) + return (0); + + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + + MAC_CHECK(check_vnode_read, cred, vp, &vp->v_label); + + return (error); +} + int mac_check_vnode_readdir(struct ucred *cred, struct vnode *dvp) { @@ -2050,6 +2077,26 @@ mac_check_vnode_stat(struct ucred *cred, struct vnode *vp) return (error); } +int +mac_check_vnode_write(struct ucred *cred, struct vnode *vp) +{ + int error; + + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_write"); + + if (!mac_enforce_fs) + return (0); + + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + + MAC_CHECK(check_vnode_write, cred, vp, &vp->v_label); + + return (error); +} + + /* * When relabeling a process, call out to the policies for the maximum * permission allowed for each object type we know about in its diff --git a/sys/security/mac/mac_syscalls.c b/sys/security/mac/mac_syscalls.c index 0d6a898d1ddd..f8cb676afbb7 100644 --- a/sys/security/mac/mac_syscalls.c +++ b/sys/security/mac/mac_syscalls.c @@ -755,14 +755,18 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_check_vnode_mmap_perms = mpe->mpe_function; break; - case MAC_CHECK_VNODE_OP: - mpc->mpc_ops->mpo_check_vnode_op = - mpe->mpe_function; - break; case MAC_CHECK_VNODE_OPEN: mpc->mpc_ops->mpo_check_vnode_open = mpe->mpe_function; break; + case MAC_CHECK_VNODE_POLL: + mpc->mpc_ops->mpo_check_vnode_poll = + mpe->mpe_function; + break; + case MAC_CHECK_VNODE_READ: + mpc->mpc_ops->mpo_check_vnode_read = + mpe->mpe_function; + break; case MAC_CHECK_VNODE_READDIR: mpc->mpc_ops->mpo_check_vnode_readdir = mpe->mpe_function; @@ -815,6 +819,10 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_check_vnode_stat = mpe->mpe_function; break; + case MAC_CHECK_VNODE_WRITE: + mpc->mpc_ops->mpo_check_vnode_write = + mpe->mpe_function; + break; /* default: printf("MAC policy `%s': unknown operation %d\n", @@ -1761,25 +1769,6 @@ mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp, int newmapping) return (result); } -int -mac_check_vnode_op(struct ucred *cred, struct vnode *vp, int op) -{ - int error; - - if (!mac_enforce_fs) - return (0); - - ASSERT_VOP_LOCKED(vp, "mac_check_vnode_op"); - - error = vn_refreshlabel(vp, cred); - if (error) - return (error); - - MAC_CHECK(check_vnode_op, cred, vp, &vp->v_label, op); - - return (error); -} - int mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode) { @@ -1798,6 +1787,44 @@ mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode) return (error); } +int +mac_check_vnode_poll(struct ucred *cred, struct vnode *vp) +{ + int error; + + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_poll"); + + if (!mac_enforce_fs) + return (0); + + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + + MAC_CHECK(check_vnode_poll, cred, vp, &vp->v_label); + + return (error); +} + +int +mac_check_vnode_read(struct ucred *cred, struct vnode *vp) +{ + int error; + + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_read"); + + if (!mac_enforce_fs) + return (0); + + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + + MAC_CHECK(check_vnode_read, cred, vp, &vp->v_label); + + return (error); +} + int mac_check_vnode_readdir(struct ucred *cred, struct vnode *dvp) { @@ -2050,6 +2077,26 @@ mac_check_vnode_stat(struct ucred *cred, struct vnode *vp) return (error); } +int +mac_check_vnode_write(struct ucred *cred, struct vnode *vp) +{ + int error; + + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_write"); + + if (!mac_enforce_fs) + return (0); + + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + + MAC_CHECK(check_vnode_write, cred, vp, &vp->v_label); + + return (error); +} + + /* * When relabeling a process, call out to the policies for the maximum * permission allowed for each object type we know about in its diff --git a/sys/security/mac/mac_system.c b/sys/security/mac/mac_system.c index 0d6a898d1ddd..f8cb676afbb7 100644 --- a/sys/security/mac/mac_system.c +++ b/sys/security/mac/mac_system.c @@ -755,14 +755,18 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_check_vnode_mmap_perms = mpe->mpe_function; break; - case MAC_CHECK_VNODE_OP: - mpc->mpc_ops->mpo_check_vnode_op = - mpe->mpe_function; - break; case MAC_CHECK_VNODE_OPEN: mpc->mpc_ops->mpo_check_vnode_open = mpe->mpe_function; break; + case MAC_CHECK_VNODE_POLL: + mpc->mpc_ops->mpo_check_vnode_poll = + mpe->mpe_function; + break; + case MAC_CHECK_VNODE_READ: + mpc->mpc_ops->mpo_check_vnode_read = + mpe->mpe_function; + break; case MAC_CHECK_VNODE_READDIR: mpc->mpc_ops->mpo_check_vnode_readdir = mpe->mpe_function; @@ -815,6 +819,10 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_check_vnode_stat = mpe->mpe_function; break; + case MAC_CHECK_VNODE_WRITE: + mpc->mpc_ops->mpo_check_vnode_write = + mpe->mpe_function; + break; /* default: printf("MAC policy `%s': unknown operation %d\n", @@ -1761,25 +1769,6 @@ mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp, int newmapping) return (result); } -int -mac_check_vnode_op(struct ucred *cred, struct vnode *vp, int op) -{ - int error; - - if (!mac_enforce_fs) - return (0); - - ASSERT_VOP_LOCKED(vp, "mac_check_vnode_op"); - - error = vn_refreshlabel(vp, cred); - if (error) - return (error); - - MAC_CHECK(check_vnode_op, cred, vp, &vp->v_label, op); - - return (error); -} - int mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode) { @@ -1798,6 +1787,44 @@ mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode) return (error); } +int +mac_check_vnode_poll(struct ucred *cred, struct vnode *vp) +{ + int error; + + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_poll"); + + if (!mac_enforce_fs) + return (0); + + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + + MAC_CHECK(check_vnode_poll, cred, vp, &vp->v_label); + + return (error); +} + +int +mac_check_vnode_read(struct ucred *cred, struct vnode *vp) +{ + int error; + + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_read"); + + if (!mac_enforce_fs) + return (0); + + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + + MAC_CHECK(check_vnode_read, cred, vp, &vp->v_label); + + return (error); +} + int mac_check_vnode_readdir(struct ucred *cred, struct vnode *dvp) { @@ -2050,6 +2077,26 @@ mac_check_vnode_stat(struct ucred *cred, struct vnode *vp) return (error); } +int +mac_check_vnode_write(struct ucred *cred, struct vnode *vp) +{ + int error; + + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_write"); + + if (!mac_enforce_fs) + return (0); + + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + + MAC_CHECK(check_vnode_write, cred, vp, &vp->v_label); + + return (error); +} + + /* * When relabeling a process, call out to the policies for the maximum * permission allowed for each object type we know about in its diff --git a/sys/security/mac/mac_vfs.c b/sys/security/mac/mac_vfs.c index 0d6a898d1ddd..f8cb676afbb7 100644 --- a/sys/security/mac/mac_vfs.c +++ b/sys/security/mac/mac_vfs.c @@ -755,14 +755,18 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_check_vnode_mmap_perms = mpe->mpe_function; break; - case MAC_CHECK_VNODE_OP: - mpc->mpc_ops->mpo_check_vnode_op = - mpe->mpe_function; - break; case MAC_CHECK_VNODE_OPEN: mpc->mpc_ops->mpo_check_vnode_open = mpe->mpe_function; break; + case MAC_CHECK_VNODE_POLL: + mpc->mpc_ops->mpo_check_vnode_poll = + mpe->mpe_function; + break; + case MAC_CHECK_VNODE_READ: + mpc->mpc_ops->mpo_check_vnode_read = + mpe->mpe_function; + break; case MAC_CHECK_VNODE_READDIR: mpc->mpc_ops->mpo_check_vnode_readdir = mpe->mpe_function; @@ -815,6 +819,10 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_check_vnode_stat = mpe->mpe_function; break; + case MAC_CHECK_VNODE_WRITE: + mpc->mpc_ops->mpo_check_vnode_write = + mpe->mpe_function; + break; /* default: printf("MAC policy `%s': unknown operation %d\n", @@ -1761,25 +1769,6 @@ mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp, int newmapping) return (result); } -int -mac_check_vnode_op(struct ucred *cred, struct vnode *vp, int op) -{ - int error; - - if (!mac_enforce_fs) - return (0); - - ASSERT_VOP_LOCKED(vp, "mac_check_vnode_op"); - - error = vn_refreshlabel(vp, cred); - if (error) - return (error); - - MAC_CHECK(check_vnode_op, cred, vp, &vp->v_label, op); - - return (error); -} - int mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode) { @@ -1798,6 +1787,44 @@ mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode) return (error); } +int +mac_check_vnode_poll(struct ucred *cred, struct vnode *vp) +{ + int error; + + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_poll"); + + if (!mac_enforce_fs) + return (0); + + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + + MAC_CHECK(check_vnode_poll, cred, vp, &vp->v_label); + + return (error); +} + +int +mac_check_vnode_read(struct ucred *cred, struct vnode *vp) +{ + int error; + + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_read"); + + if (!mac_enforce_fs) + return (0); + + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + + MAC_CHECK(check_vnode_read, cred, vp, &vp->v_label); + + return (error); +} + int mac_check_vnode_readdir(struct ucred *cred, struct vnode *dvp) { @@ -2050,6 +2077,26 @@ mac_check_vnode_stat(struct ucred *cred, struct vnode *vp) return (error); } +int +mac_check_vnode_write(struct ucred *cred, struct vnode *vp) +{ + int error; + + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_write"); + + if (!mac_enforce_fs) + return (0); + + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + + MAC_CHECK(check_vnode_write, cred, vp, &vp->v_label); + + return (error); +} + + /* * When relabeling a process, call out to the policies for the maximum * permission allowed for each object type we know about in its diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c index 83c82e40787b..6e9e38307563 100644 --- a/sys/security/mac_biba/mac_biba.c +++ b/sys/security/mac_biba/mac_biba.c @@ -1688,6 +1688,42 @@ mac_biba_check_vnode_open(struct ucred *cred, struct vnode *vp, return (0); } +static int +mac_biba_check_vnode_poll(struct ucred *cred, struct vnode *vp, + struct label *label) +{ + struct mac_biba *subj, *obj; + + if (!mac_biba_enabled || !mac_biba_revocation_enabled) + return (0); + + subj = SLOT(&cred->cr_label); + obj = SLOT(label); + + if (!mac_biba_dominate_single(obj, subj)) + return (EACCES); + + return (0); +} + +static int +mac_biba_check_vnode_read(struct ucred *cred, struct vnode *vp, + struct label *label) +{ + struct mac_biba *subj, *obj; + + if (!mac_biba_enabled || !mac_biba_revocation_enabled) + return (0); + + subj = SLOT(&cred->cr_label); + obj = SLOT(label); + + if (!mac_biba_dominate_single(obj, subj)) + return (EACCES); + + return (0); +} + static int mac_biba_check_vnode_readdir(struct ucred *cred, struct vnode *dvp, struct label *dlabel) @@ -1955,6 +1991,24 @@ mac_biba_check_vnode_stat(struct ucred *cred, struct vnode *vp, return (0); } +static int +mac_biba_check_vnode_write(struct ucred *cred, struct vnode *vp, + struct label *label) +{ + struct mac_biba *subj, *obj; + + if (!mac_biba_enabled || !mac_biba_revocation_enabled) + return (0); + + subj = SLOT(&cred->cr_label); + obj = SLOT(label); + + if (!mac_biba_dominate_single(subj, obj)) + return (EACCES); + + return (0); +} + static vm_prot_t mac_biba_check_vnode_mmap_perms(struct ucred *cred, struct vnode *vp, struct label *label, int newmapping) @@ -1975,36 +2029,6 @@ mac_biba_check_vnode_mmap_perms(struct ucred *cred, struct vnode *vp, return (prot); } -static int -mac_biba_check_vnode_op(struct ucred *cred, struct vnode *vp, - struct label *label, int op) -{ - struct mac_biba *subj, *obj; - - if (!mac_biba_enabled || !mac_biba_revocation_enabled) - return (0); - - subj = SLOT(&cred->cr_label); - obj = SLOT(label); - - switch (op) { - case MAC_OP_VNODE_POLL: - case MAC_OP_VNODE_READ: - if (!mac_biba_dominate_single(obj, subj)) - return (EACCES); - return (0); - - case MAC_OP_VNODE_WRITE: - if (!mac_biba_dominate_single(subj, obj)) - return (EACCES); - return (0); - - default: - printf("mac_biba_check_vnode_op: unknown operation %d\n", op); - return (EINVAL); - } -} - static struct mac_policy_op_entry mac_biba_ops[] = { { MAC_DESTROY, @@ -2189,6 +2213,10 @@ static struct mac_policy_op_entry mac_biba_ops[] = (macop_t)mac_biba_check_vnode_lookup }, { MAC_CHECK_VNODE_OPEN, (macop_t)mac_biba_check_vnode_open }, + { MAC_CHECK_VNODE_POLL, + (macop_t)mac_biba_check_vnode_poll }, + { MAC_CHECK_VNODE_READ, + (macop_t)mac_biba_check_vnode_read }, { MAC_CHECK_VNODE_READDIR, (macop_t)mac_biba_check_vnode_readdir }, { MAC_CHECK_VNODE_READLINK, @@ -2215,10 +2243,10 @@ static struct mac_policy_op_entry mac_biba_ops[] = (macop_t)mac_biba_check_vnode_setutimes }, { MAC_CHECK_VNODE_STAT, (macop_t)mac_biba_check_vnode_stat }, + { MAC_CHECK_VNODE_WRITE, + (macop_t)mac_biba_check_vnode_write }, { MAC_CHECK_VNODE_MMAP_PERMS, (macop_t)mac_biba_check_vnode_mmap_perms }, - { MAC_CHECK_VNODE_OP, - (macop_t)mac_biba_check_vnode_op }, { MAC_OP_LAST, NULL } }; diff --git a/sys/security/mac_mls/mac_mls.c b/sys/security/mac_mls/mac_mls.c index 958bda9c13ef..4dca58149621 100644 --- a/sys/security/mac_mls/mac_mls.c +++ b/sys/security/mac_mls/mac_mls.c @@ -1638,6 +1638,42 @@ mac_mls_check_vnode_open(struct ucred *cred, struct vnode *vp, return (0); } +static int +mac_mls_check_vnode_poll(struct ucred *cred, struct vnode *vp, + struct label *label) +{ + struct mac_mls *subj, *obj; + + if (!mac_mls_enabled || !mac_mls_revocation_enabled) + return (0); + + subj = SLOT(&cred->cr_label); + obj = SLOT(label); + + if (!mac_mls_dominate_single(subj, obj)) + return (EACCES); + + return (0); +} + +static int +mac_mls_check_vnode_read(struct ucred *cred, struct vnode *vp, + struct label *label) +{ + struct mac_mls *subj, *obj; + + if (!mac_mls_enabled || !mac_mls_revocation_enabled) + return (0); + + subj = SLOT(&cred->cr_label); + obj = SLOT(label); + + if (!mac_mls_dominate_single(subj, obj)) + return (EACCES); + + return (0); +} + static int mac_mls_check_vnode_readdir(struct ucred *cred, struct vnode *dvp, struct label *dlabel) @@ -1906,6 +1942,24 @@ mac_mls_check_vnode_stat(struct ucred *cred, struct vnode *vp, return (0); } +static int +mac_mls_check_vnode_write(struct ucred *cred, struct vnode *vp, + struct label *label) +{ + struct mac_mls *subj, *obj; + + if (!mac_mls_enabled || !mac_mls_revocation_enabled) + return (0); + + subj = SLOT(&cred->cr_label); + obj = SLOT(label); + + if (!mac_mls_dominate_single(obj, subj)) + return (EACCES); + + return (0); +} + static vm_prot_t mac_mls_check_vnode_mmap_perms(struct ucred *cred, struct vnode *vp, struct label *label, int newmapping) @@ -1926,36 +1980,6 @@ mac_mls_check_vnode_mmap_perms(struct ucred *cred, struct vnode *vp, return (prot); } -static int -mac_mls_check_vnode_op(struct ucred *cred, struct vnode *vp, - struct label *label, int op) -{ - struct mac_mls *subj, *obj; - - if (!mac_mls_enabled || !mac_mls_revocation_enabled) - return (0); - - subj = SLOT(&cred->cr_label); - obj = SLOT(label); - - switch (op) { - case MAC_OP_VNODE_POLL: - case MAC_OP_VNODE_READ: - if (!mac_mls_dominate_single(subj, obj)) - return (EACCES); - return (0); - - case MAC_OP_VNODE_WRITE: - if (!mac_mls_dominate_single(obj, subj)) - return (EACCES); - return (0); - - default: - printf("mac_mls_check_vnode_op: unknown operation %d\n", op); - return (EINVAL); - } -} - static struct mac_policy_op_entry mac_mls_ops[] = { { MAC_DESTROY, @@ -2140,6 +2164,10 @@ static struct mac_policy_op_entry mac_mls_ops[] = (macop_t)mac_mls_check_vnode_lookup }, { MAC_CHECK_VNODE_OPEN, (macop_t)mac_mls_check_vnode_open }, + { MAC_CHECK_VNODE_POLL, + (macop_t)mac_mls_check_vnode_poll }, + { MAC_CHECK_VNODE_READ, + (macop_t)mac_mls_check_vnode_read }, { MAC_CHECK_VNODE_READDIR, (macop_t)mac_mls_check_vnode_readdir }, { MAC_CHECK_VNODE_READLINK, @@ -2166,10 +2194,10 @@ static struct mac_policy_op_entry mac_mls_ops[] = (macop_t)mac_mls_check_vnode_setutimes }, { MAC_CHECK_VNODE_STAT, (macop_t)mac_mls_check_vnode_stat }, + { MAC_CHECK_VNODE_WRITE, + (macop_t)mac_mls_check_vnode_write }, { MAC_CHECK_VNODE_MMAP_PERMS, (macop_t)mac_mls_check_vnode_mmap_perms }, - { MAC_CHECK_VNODE_OP, - (macop_t)mac_mls_check_vnode_op }, { MAC_OP_LAST, NULL } }; diff --git a/sys/security/mac_none/mac_none.c b/sys/security/mac_none/mac_none.c index b1f154e7e116..b7e5fdd186a2 100644 --- a/sys/security/mac_none/mac_none.c +++ b/sys/security/mac_none/mac_none.c @@ -774,6 +774,22 @@ mac_none_check_vnode_open(struct ucred *cred, struct vnode *vp, return (0); } +static int +mac_none_check_vnode_poll(struct ucred *cred, struct vnode *vp, + struct label *label) +{ + + return (0); +} + +static int +mac_none_check_vnode_read(struct ucred *cred, struct vnode *vp, + struct label *label) +{ + + return (0); +} + static int mac_none_check_vnode_readdir(struct ucred *cred, struct vnode *vp, struct label *dlabel) @@ -880,6 +896,14 @@ mac_none_check_vnode_stat(struct ucred *cred, struct vnode *vp, return (0); } +static int +mac_none_check_vnode_write(struct ucred *cred, struct vnode *vp, + struct label *label) +{ + + return (0); +} + static struct mac_policy_op_entry mac_none_ops[] = { { MAC_DESTROY, @@ -1072,6 +1096,10 @@ static struct mac_policy_op_entry mac_none_ops[] = (macop_t)mac_none_check_vnode_lookup }, { MAC_CHECK_VNODE_OPEN, (macop_t)mac_none_check_vnode_open }, + { MAC_CHECK_VNODE_POLL, + (macop_t)mac_none_check_vnode_poll }, + { MAC_CHECK_VNODE_READ, + (macop_t)mac_none_check_vnode_read }, { MAC_CHECK_VNODE_READDIR, (macop_t)mac_none_check_vnode_readdir }, { MAC_CHECK_VNODE_READLINK, @@ -1098,6 +1126,8 @@ static struct mac_policy_op_entry mac_none_ops[] = (macop_t)mac_none_check_vnode_setutimes }, { MAC_CHECK_VNODE_STAT, (macop_t)mac_none_check_vnode_stat }, + { MAC_CHECK_VNODE_WRITE, + (macop_t)mac_none_check_vnode_write }, { MAC_OP_LAST, NULL } }; diff --git a/sys/security/mac_stub/mac_stub.c b/sys/security/mac_stub/mac_stub.c index b1f154e7e116..b7e5fdd186a2 100644 --- a/sys/security/mac_stub/mac_stub.c +++ b/sys/security/mac_stub/mac_stub.c @@ -774,6 +774,22 @@ mac_none_check_vnode_open(struct ucred *cred, struct vnode *vp, return (0); } +static int +mac_none_check_vnode_poll(struct ucred *cred, struct vnode *vp, + struct label *label) +{ + + return (0); +} + +static int +mac_none_check_vnode_read(struct ucred *cred, struct vnode *vp, + struct label *label) +{ + + return (0); +} + static int mac_none_check_vnode_readdir(struct ucred *cred, struct vnode *vp, struct label *dlabel) @@ -880,6 +896,14 @@ mac_none_check_vnode_stat(struct ucred *cred, struct vnode *vp, return (0); } +static int +mac_none_check_vnode_write(struct ucred *cred, struct vnode *vp, + struct label *label) +{ + + return (0); +} + static struct mac_policy_op_entry mac_none_ops[] = { { MAC_DESTROY, @@ -1072,6 +1096,10 @@ static struct mac_policy_op_entry mac_none_ops[] = (macop_t)mac_none_check_vnode_lookup }, { MAC_CHECK_VNODE_OPEN, (macop_t)mac_none_check_vnode_open }, + { MAC_CHECK_VNODE_POLL, + (macop_t)mac_none_check_vnode_poll }, + { MAC_CHECK_VNODE_READ, + (macop_t)mac_none_check_vnode_read }, { MAC_CHECK_VNODE_READDIR, (macop_t)mac_none_check_vnode_readdir }, { MAC_CHECK_VNODE_READLINK, @@ -1098,6 +1126,8 @@ static struct mac_policy_op_entry mac_none_ops[] = (macop_t)mac_none_check_vnode_setutimes }, { MAC_CHECK_VNODE_STAT, (macop_t)mac_none_check_vnode_stat }, + { MAC_CHECK_VNODE_WRITE, + (macop_t)mac_none_check_vnode_write }, { MAC_OP_LAST, NULL } }; diff --git a/sys/security/mac_test/mac_test.c b/sys/security/mac_test/mac_test.c index 2e0d3ca2cb28..5c97a1b0f925 100644 --- a/sys/security/mac_test/mac_test.c +++ b/sys/security/mac_test/mac_test.c @@ -982,6 +982,22 @@ mac_test_check_vnode_open(struct ucred *cred, struct vnode *vp, return (0); } +static int +mac_test_check_vnode_poll(struct ucred *cred, struct vnode *vp, + struct label *label) +{ + + return (0); +} + +static int +mac_test_check_vnode_read(struct ucred *cred, struct vnode *vp, + struct label *label) +{ + + return (0); +} + static int mac_test_check_vnode_readdir(struct ucred *cred, struct vnode *dvp, struct label *dlabel) @@ -1088,6 +1104,14 @@ mac_test_check_vnode_stat(struct ucred *cred, struct vnode *vp, return (0); } +static int +mac_test_check_vnode_write(struct ucred *cred, struct vnode *vp, + struct label *label) +{ + + return (0); +} + static struct mac_policy_op_entry mac_test_ops[] = { { MAC_DESTROY, @@ -1278,6 +1302,10 @@ static struct mac_policy_op_entry mac_test_ops[] = (macop_t)mac_test_check_vnode_lookup }, { MAC_CHECK_VNODE_OPEN, (macop_t)mac_test_check_vnode_open }, + { MAC_CHECK_VNODE_POLL, + (macop_t)mac_test_check_vnode_poll }, + { MAC_CHECK_VNODE_READ, + (macop_t)mac_test_check_vnode_read }, { MAC_CHECK_VNODE_READDIR, (macop_t)mac_test_check_vnode_readdir }, { MAC_CHECK_VNODE_READLINK, @@ -1304,6 +1332,8 @@ static struct mac_policy_op_entry mac_test_ops[] = (macop_t)mac_test_check_vnode_setutimes }, { MAC_CHECK_VNODE_STAT, (macop_t)mac_test_check_vnode_stat }, + { MAC_CHECK_VNODE_WRITE, + (macop_t)mac_test_check_vnode_write }, { MAC_OP_LAST, NULL } }; diff --git a/sys/sys/mac.h b/sys/sys/mac.h index d80387cff013..3d73df4e7977 100644 --- a/sys/sys/mac.h +++ b/sys/sys/mac.h @@ -341,9 +341,10 @@ int mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, /* XXX This u_char should be vm_prot_t! */ u_char mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp, int newmapping); -int mac_check_vnode_op(struct ucred *cred, struct vnode *vp, int op); int mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode); +int mac_check_vnode_poll(struct ucred *cred, struct vnode *vp); +int mac_check_vnode_read(struct ucred *cred, struct vnode *vp); int mac_check_vnode_readdir(struct ucred *cred, struct vnode *vp); int mac_check_vnode_readlink(struct ucred *cred, struct vnode *vp); int mac_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp, @@ -364,6 +365,7 @@ int mac_check_vnode_setowner(struct ucred *cred, struct vnode *vp, int mac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp, struct timespec atime, struct timespec mtime); int mac_check_vnode_stat(struct ucred *cred, struct vnode *vp); +int mac_check_vnode_write(struct ucred *cred, struct vnode *vp); int mac_getsockopt_label_get(struct ucred *cred, struct socket *so, struct mac *extmac); int mac_getsockopt_peerlabel_get(struct ucred *cred, struct socket *so, diff --git a/sys/sys/mac_policy.h b/sys/sys/mac_policy.h index 5463fa90efde..9bc28ad730cd 100644 --- a/sys/sys/mac_policy.h +++ b/sys/sys/mac_policy.h @@ -286,10 +286,12 @@ struct mac_policy_ops { struct componentname *cnp); vm_prot_t (*mpo_check_vnode_mmap_perms)(struct ucred *cred, struct vnode *vp, struct label *label, int newmapping); - int (*mpo_check_vnode_op)(struct ucred *cred, struct vnode *vp, - struct label *label, int op); int (*mpo_check_vnode_open)(struct ucred *cred, struct vnode *vp, struct label *label, mode_t acc_mode); + int (*mpo_check_vnode_poll)(struct ucred *cred, struct vnode *vp, + struct label *label); + int (*mpo_check_vnode_read)(struct ucred *cred, struct vnode *vp, + struct label *label); int (*mpo_check_vnode_readdir)(struct ucred *cred, struct vnode *dvp, struct label *dlabel); int (*mpo_check_vnode_readlink)(struct ucred *cred, @@ -324,6 +326,8 @@ struct mac_policy_ops { struct timespec atime, struct timespec mtime); int (*mpo_check_vnode_stat)(struct ucred *cred, struct vnode *vp, struct label *label); + int (*mpo_check_vnode_write)(struct ucred *cred, struct vnode *vp, + struct label *label); }; typedef const void *macop_t; @@ -426,8 +430,9 @@ enum mac_op_constant { MAC_CHECK_VNODE_GETEXTATTR, MAC_CHECK_VNODE_LOOKUP, MAC_CHECK_VNODE_MMAP_PERMS, - MAC_CHECK_VNODE_OP, MAC_CHECK_VNODE_OPEN, + MAC_CHECK_VNODE_POLL, + MAC_CHECK_VNODE_READ, MAC_CHECK_VNODE_READDIR, MAC_CHECK_VNODE_READLINK, MAC_CHECK_VNODE_RELABEL, @@ -441,6 +446,7 @@ enum mac_op_constant { MAC_CHECK_VNODE_SETOWNER, MAC_CHECK_VNODE_SETUTIMES, MAC_CHECK_VNODE_STAT, + MAC_CHECK_VNODE_WRITE, }; struct mac_policy_op_entry {