Introduce support for Mandatory Access Control and extensible

kernel access control.

Provide implementations of some sample operating system security
policy extensions.  These are not yet hooked up to the build as
other infrastructure is still being committed.  Most of these
work fairly well and are in daily use in our development and (limited)
production environments.  Some are not yet in their final form,
and a number of the labeled policies waste a lot of kernel memory
and will be fixed over the next month or so to be more conservative.
They do give good examples of the flexibility of the MAC framework
for implementing a variety of security policies.

mac_biba:	Implementation of fixed-label Biba integrity policy,
		similar to those found in a number of commercial
		trusted operating systems.  All subjects and objects
		are assigned integrity levels, and information flow
		is controlled based on a read-up, write-down
		policy.  Currently, purely hierarchal.

mac_bsdextended:	Implementation of a "file system firewall",
		which allows the administrator to specify a series
		of rules limiting access by users and groups to
		objects owned by other users and groups.  This
		policy is unlabeled, relying on existing system
		security labeling (file permissions/ownership,
		process credentials).

mac_ifoff:	Secure interface silencing.  Special-purpose module
		to limit inappropriate out-going network traffic
		for silent monitoring scenarios.  Prevents the
		various network stacks from generating any output
		despite an interface being live for reception.

mac_mls:	Implementation of fixed-label Multi-Level Security
		confidentiality policy, similar to those found in
		a number of commercial trusted operating systems.
		All subjects and objects are assigned confidentiality
		levels, and information flow is controlled based on
		a write-up, read-down policy.  Currently, purely
		hiearchal, although non-hierarchal support is in the
		works.

mac_none:	Policy module implementing all MAC policy entry
		points with empty stubs.  A good place to start if
		you want all the prototypes types in for you, and
		don't mind a bit of pruning.  Can be loaded, but
		has no access control impact.  Useful also for
		performance measurements.

mac_seeotheruids:	Policy module implementing a security service
		similar to security.bsd.seeotheruids, only a slightly
		more detailed policy involving exceptions for members
		of specific groups, etc.  This policy is unlabeled,
		relying on existing system security labeling
		(process credentials).

mac_test:	Policy module implementing basic sanity tests for
		label handling.  Attempts to ensure that labels are
		not freed multiple times, etc, etc.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs

sys/security/mac_biba/mac_biba.h

@@ -0,0 +1,61 @@
+/*-
+ * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson
+ * Copyright (c) 2001, 2002 Networks Associates Technology, Inc.
+ * All rights reserved.
+ *
+ * This software was developed by Robert Watson for the TrustedBSD Project.
+ *
+ * This software was developed for the FreeBSD Project in part by NAI Labs,
+ * the Security Research Division of Network Associates, Inc. under
+ * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA
+ * CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The names of the authors may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+/*
+ * Definitions for the TrustedBSD Biba integrity policy module.
+ */
+#ifndef _SYS_SECURITY_MAC_BIBA_H
+#define	_SYS_SECURITY_MAC_BIBA_H
+
+#define	MAC_BIBA_EXTATTR_NAMESPACE	EXTATTR_NAMESPACE_SYSTEM
+#define	MAC_BIBA_EXTATTR_NAME		"mac_biba"
+
+#define	MAC_BIBA_FLAG_SINGLE	0x00000001	/* mb_single initialized */
+#define	MAC_BIBA_FLAG_RANGE	0x00000002	/* mb_range* initialized */
+#define	MAC_BIBA_FLAGS_BOTH	(MAC_BIBA_FLAG_SINGLE | MAC_BIBA_FLAG_RANGE)
+
+#define	MAC_BIBA_TYPE_UNDEF	0	/* Undefined */
+#define	MAC_BIBA_TYPE_GRADE	1	/* Hierarchal grade with mb_grade. */
+#define	MAC_BIBA_TYPE_LOW	2	/* Dominated by any
+					 * MAC_BIBA_TYPE_LABEL. */
+#define	MAC_BIBA_TYPE_HIGH	3	/* Dominates any
+					 * MAC_BIBA_TYPE_LABEL. */
+#define	MAC_BIBA_TYPE_EQUAL	4	/* Equivilent to any
+					 * MAC_BIBA_TYPE_LABEL. */
+
+#endif /* !_SYS_SECURITY_MAC_BIBA_H */

sys/security/mac_bsdextended/mac_bsdextended.c

@@ -0,0 +1,749 @@
+/*-
+ * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson
+ * Copyright (c) 2001, 2002 Networks Associates Technology, Inc.
+ * All rights reserved.
+ *
+ * This software was developed by Robert Watson for the TrustedBSD Project.
+ *
+ * This software was developed for the FreeBSD Project in part by NAI Labs,
+ * the Security Research Division of Network Associates, Inc. under
+ * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA
+ * CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The names of the authors may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+/*
+ * Developed by the TrustedBSD Project.
+ * "BSD Extended" MAC policy, allowing the administrator to impose
+ * mandatory rules regarding users and some system objects.
+ *
+ * XXX: Much locking support required here.
+ */
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/acl.h>
+#include <sys/conf.h>
+#include <sys/kernel.h>
+#include <sys/mac.h>
+#include <sys/malloc.h>
+#include <sys/mount.h>
+#include <sys/proc.h>
+#include <sys/systm.h>
+#include <sys/sysproto.h>
+#include <sys/sysent.h>
+#include <sys/vnode.h>
+#include <sys/file.h>
+#include <sys/socket.h>
+#include <sys/socketvar.h>
+#include <sys/sysctl.h>
+
+#include <net/bpfdesc.h>
+#include <net/if.h>
+#include <net/if_types.h>
+#include <net/if_var.h>
+
+#include <vm/vm.h>
+
+#include <sys/mac_policy.h>
+
+#include <security/mac_bsdextended/mac_bsdextended.h>
+
+SYSCTL_DECL(_security_mac);
+
+SYSCTL_NODE(_security_mac, OID_AUTO, bsdextended, CTLFLAG_RW, 0,
+    "TrustedBSD extended BSD MAC policy controls");
+
+static int	mac_bsdextended_enabled = 1;
+SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, enabled, CTLFLAG_RW,
+    &mac_bsdextended_enabled, 0, "Enforce extended BSD policy");
+TUNABLE_INT("security.mac.bsdextended.enabled", &mac_bsdextended_enabled);
+
+MALLOC_DEFINE(M_MACBSDEXTENDED, "mac_bsdextended", "BSD Extended MAC rule");
+
+#define	MAC_BSDEXTENDED_MAXRULES	250
+static struct mac_bsdextended_rule *rules[MAC_BSDEXTENDED_MAXRULES];
+static int rule_count = 0;
+static int rule_slots = 0;
+
+SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, rule_count, CTLFLAG_RD,
+    &rule_count, 0, "Number of defined rules\n");
+SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, rule_slots, CTLFLAG_RD,
+    &rule_slots, 0, "Number of used rule slots\n");
+
+static int mac_bsdextended_debugging;
+SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, debugging, CTLFLAG_RW,
+    &mac_bsdextended_debugging, 0, "Enable debugging on failure");
+
+static int
+mac_bsdextended_rule_valid(struct mac_bsdextended_rule *rule)
+{
+
+	if ((rule->mbr_subject.mbi_flags | MBI_BITS) != MBI_BITS)
+		return (EINVAL);
+
+	if ((rule->mbr_object.mbi_flags | MBI_BITS) != MBI_BITS)
+		return (EINVAL);
+
+	if ((rule->mbr_mode | VALLPERM) != VALLPERM)
+		return (EINVAL);
+
+	return (0);
+}
+
+static int
+sysctl_rule(SYSCTL_HANDLER_ARGS)
+{
+	struct mac_bsdextended_rule temprule, *ruleptr;
+	u_int namelen;
+	int error, index, *name;
+
+	name = (int *)arg1;
+	namelen = arg2;
+
+	/* printf("bsdextended sysctl handler (namelen %d)\n", namelen); */
+
+	if (namelen != 1)
+		return (EINVAL);
+
+	index = name[0];
+	if (index < 0 || index > rule_slots + 1)
+		return (ENOENT);
+	if (rule_slots >= MAC_BSDEXTENDED_MAXRULES)
+		return (ENOENT);
+
+	if (req->oldptr) {
+		if (rules[index] == NULL)
+			return (ENOENT);
+
+		error = SYSCTL_OUT(req, rules[index], sizeof(*rules[index]));
+		if (error)
+			return (error);
+	}
+
+	if (req->newptr) {
+		if (req->newlen == 0) {
+			/* printf("deletion\n"); */
+			ruleptr = rules[index];
+			if (ruleptr == NULL)
+				return (ENOENT);
+			rule_count--;
+			rules[index] = NULL;
+			FREE(ruleptr, M_MACBSDEXTENDED);
+			return(0);
+		}
+		error = SYSCTL_IN(req, &temprule, sizeof(temprule));
+		if (error)
+			return (error);
+
+		error = mac_bsdextended_rule_valid(&temprule);
+		if (error)
+			return (error);
+
+		if (rules[index] == NULL) {
+			/* printf("addition\n"); */
+			MALLOC(ruleptr, struct mac_bsdextended_rule *,
+			    sizeof(*ruleptr), M_MACBSDEXTENDED, M_WAITOK |
+			    M_ZERO);
+			*ruleptr = temprule;
+			rules[index] = ruleptr;
+			if (index+1 > rule_slots)
+				rule_slots = index+1;
+			rule_count++;
+		} else {
+			/* printf("replacement\n"); */
+			*rules[index] = temprule;
+		}
+	}
+
+	return (0);
+}
+
+SYSCTL_NODE(_security_mac_bsdextended, OID_AUTO, rules,
+    CTLFLAG_RW, sysctl_rule, "BSD extended MAC rules");
+
+static void
+mac_bsdextended_init(struct mac_policy_conf *mpc)
+{
+
+	/* Initialize ruleset lock. */
+	/* Register dynamic sysctl's for rules. */
+}
+
+static void
+mac_bsdextended_destroy(struct mac_policy_conf *mpc)
+{
+
+	/* Tear down sysctls. */
+	/* Destroy ruleset lock. */
+}
+
+static int
+mac_bsdextended_rulecheck(struct mac_bsdextended_rule *rule,
+    struct ucred *cred, uid_t object_uid, gid_t object_gid, mode_t acc_mode)
+{
+	int match;
+
+	/*
+	 * Is there a subject match?
+	 */
+	if (rule->mbr_subject.mbi_flags & MBI_UID_DEFINED) {
+		match =  (rule->mbr_subject.mbi_uid == cred->cr_uid ||
+		    rule->mbr_subject.mbi_uid == cred->cr_ruid ||
+		    rule->mbr_subject.mbi_uid == cred->cr_svuid);
+
+		if (rule->mbr_subject.mbi_flags & MBI_NEGATED)
+			match = !match;
+
+		if (!match)
+			return (0);
+	}
+
+	if (rule->mbr_subject.mbi_flags & MBI_GID_DEFINED) {
+		match = (groupmember(rule->mbr_subject.mbi_gid, cred) ||
+		    rule->mbr_subject.mbi_gid == cred->cr_rgid ||
+		    rule->mbr_subject.mbi_gid == cred->cr_svgid);
+
+		if (rule->mbr_subject.mbi_flags & MBI_NEGATED)
+			match = !match;
+
+		if (!match)
+			return (0);
+	}
+
+	/*
+	 * Is there an object match?
+	 */
+	if (rule->mbr_object.mbi_flags & MBI_UID_DEFINED) {
+		match = (rule->mbr_object.mbi_uid == object_uid);
+
+		if (rule->mbr_object.mbi_flags & MBI_NEGATED)
+			match = !match;
+
+		if (!match)
+			return (0);
+	}
+
+	if (rule->mbr_object.mbi_flags & MBI_GID_DEFINED) {
+		match = (rule->mbr_object.mbi_gid == object_gid);
+
+		if (rule->mbr_object.mbi_flags & MBI_NEGATED)
+			match = !match;
+
+		if (!match)
+			return (0);
+	}
+
+	/*
+	 * Is the access permitted?
+	 */
+	if ((rule->mbr_mode & acc_mode) != acc_mode) {
+		if (mac_bsdextended_debugging)
+			printf("mac_bsdextended: %d:%d request %d on %d:%d"
+			    " fails\n", cred->cr_ruid, cred->cr_rgid,
+			    acc_mode, object_uid, object_gid);
+		return (EACCES);
+	}
+
+	return (0);
+}
+
+static int
+mac_bsdextended_check(struct ucred *cred, uid_t object_uid, gid_t object_gid,
+    mode_t acc_mode)
+{
+	int error, i;
+
+	for (i = 0; i < rule_slots; i++) {
+		if (rules[i] == NULL)
+			continue;
+
+		error = mac_bsdextended_rulecheck(rules[i], cred, object_uid,
+		    object_gid, acc_mode);
+		if (error)
+			return (error);
+	}
+
+	return (0);
+}
+
+static int
+mac_bsdextended_check_vnode_access(struct ucred *cred, struct vnode *vp,
+    struct label *label, mode_t flags)
+{
+	struct vattr vap;
+	int error;
+
+	if (!mac_bsdextended_enabled)
+		return (0);
+
+	error = VOP_GETATTR(vp, &vap, cred, curthread);
+	if (error)
+		return (error);
+	return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, flags));
+}
+
+static int
+mac_bsdextended_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
+    struct label *dlabel)
+{
+	struct vattr vap;
+	int error;
+
+	if (!mac_bsdextended_enabled)
+		return (0);
+
+	error = VOP_GETATTR(dvp, &vap, cred, curthread);
+	if (error)
+		return (error);
+	return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VEXEC));
+}
+
+static int
+mac_bsdextended_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
+    struct label *dlabel)
+{
+	struct vattr vap;
+	int error;
+
+	if (!mac_bsdextended_enabled)
+		return (0);
+
+	error = VOP_GETATTR(dvp, &vap, cred, curthread);
+	if (error)
+		return (error);
+	return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VEXEC));
+}
+
+static int
+mac_bsdextended_check_create_vnode(struct ucred *cred, struct vnode *dvp,
+    struct label *dlabel, struct componentname *cnp, struct vattr *vap)
+{
+	struct vattr dvap;
+	int error;
+
+	if (!mac_bsdextended_enabled)
+		return (0);
+
+	error = VOP_GETATTR(dvp, &dvap, cred, curthread);
+	if (error)
+		return (error);
+	return (mac_bsdextended_check(cred, dvap.va_uid, dvap.va_gid, VWRITE));
+}
+
+static int
+mac_bsdextended_check_vnode_delete(struct ucred *cred, struct vnode *dvp,
+    struct label *dlabel, struct vnode *vp, struct label *label,
+    struct componentname *cnp)
+{
+	struct vattr vap;
+	int error;
+
+	if (!mac_bsdextended_enabled)
+		return (0);
+
+	error = VOP_GETATTR(dvp, &vap, cred, curthread);
+	if (error)
+		return (error);
+	error = mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VWRITE);
+	if (error)
+		return (error);
+
+	error = VOP_GETATTR(vp, &vap, cred, curthread);
+	if (error)
+		return (error);
+	return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VWRITE));
+}
+
+static int
+mac_bsdextended_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
+    struct label *label, acl_type_t type)
+{
+	struct vattr vap;
+	int error;
+
+	if (!mac_bsdextended_enabled)
+		return (0);
+
+	error = VOP_GETATTR(vp, &vap, cred, curthread);
+	if (error) 
+		return (error);
+	return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VADMIN));
+}
+
+static int
+mac_bsdextended_check_vnode_exec(struct ucred *cred, struct vnode *vp,
+    struct label *label)
+{
+	struct vattr vap;
+	int error;
+
+	if (!mac_bsdextended_enabled)
+		return (0);
+
+	error = VOP_GETATTR(vp, &vap, cred, curthread);
+	if (error)
+		return (error);
+	return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid,
+	    VREAD|VEXEC));
+}
+
+static int
+mac_bsdextended_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
+    struct label *label, acl_type_t type)
+{
+	struct vattr vap;
+	int error;
+
+	if (!mac_bsdextended_enabled)
+		return (0);
+
+	error = VOP_GETATTR(vp, &vap, cred, curthread);
+	if (error)
+		return (error);
+	return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VSTAT));
+}
+
+static int
+mac_bsdextended_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
+    struct label *label, int attrnamespace, const char *name, struct uio *uio)
+{
+	struct vattr vap;
+	int error;
+
+	if (!mac_bsdextended_enabled)
+		return (0);
+
+	error = VOP_GETATTR(vp, &vap, cred, curthread);
+	if (error)
+		return (error);
+	return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VREAD));
+}
+
+static int
+mac_bsdextended_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
+    struct label *dlabel, struct componentname *cnp)
+{
+	struct vattr vap;
+	int error;
+  
+	if (!mac_bsdextended_enabled)
+		return (0);
+  
+	error = VOP_GETATTR(dvp, &vap, cred, curthread);
+	if (error)
+		return (error);
+	return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VEXEC));
+}
+
+static int
+mac_bsdextended_check_vnode_open(struct ucred *cred, struct vnode *vp,
+    struct label *filelabel, mode_t acc_mode)
+{
+	struct vattr vap;
+	int error;
+
+	if (!mac_bsdextended_enabled)
+		return (0);
+
+	error = VOP_GETATTR(vp, &vap, cred, curthread);
+	if (error)
+		return (error);
+	return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, acc_mode));
+}
+
+static int
+mac_bsdextended_check_vnode_readdir(struct ucred *cred, struct vnode *dvp,
+    struct label *dlabel)
+{
+	struct vattr vap;
+	int error;
+
+	if (!mac_bsdextended_enabled)
+		return (0);
+
+	error = VOP_GETATTR(dvp, &vap, cred, curthread);
+	if (error)
+		return (error);
+	return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VREAD));
+}
+
+static int
+mac_bsdextended_check_vnode_readdlink(struct ucred *cred, struct vnode *vp,
+    struct label *label)
+{
+	struct vattr vap;
+	int error;
+
+	if (!mac_bsdextended_enabled)
+		return (0);
+
+	error = VOP_GETATTR(vp, &vap, cred, curthread);
+	if (error)
+		return (error);
+	return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VREAD));
+}
+
+static int
+mac_bsdextended_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
+    struct label *dlabel, struct vnode *vp, struct label *label,
+    struct componentname *cnp)
+{
+	struct vattr vap;
+	int error;
+
+	if (!mac_bsdextended_enabled)
+		return (0);
+
+	error = VOP_GETATTR(dvp, &vap, cred, curthread);
+	if (error)
+		return (error);
+	error = mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VWRITE);
+	if (error)
+		return (error);
+	error = VOP_GETATTR(vp, &vap, cred, curthread);
+	if (error)
+		return (error);
+	error = mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VWRITE);
+
+	return (error);
+}
+
+static int
+mac_bsdextended_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
+    struct label *dlabel, struct vnode *vp, struct label *label, int samedir,
+    struct componentname *cnp)
+{
+	struct vattr vap;
+	int error;
+
+	if (!mac_bsdextended_enabled)
+		return (0);
+
+	error = VOP_GETATTR(dvp, &vap, cred, curthread);
+	if (error)
+		return (error);
+	error = mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VWRITE);
+	if (error)
+		return (error);
+
+	if (vp != NULL) {
+		error = VOP_GETATTR(vp, &vap, cred, curthread);
+		if (error)
+			return (error);
+		error = mac_bsdextended_check(cred, vap.va_uid, vap.va_gid,
+		    VWRITE);
+	}
+
+	return (error);
+}
+
+static int
+mac_bsdextended_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
+    struct label *label)
+{
+	struct vattr vap;
+	int error;
+
+	if (!mac_bsdextended_enabled)
+		return (0);
+
+	error = VOP_GETATTR(vp, &vap, cred, curthread);
+	if (error)
+		return (error);
+	return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VADMIN));
+}
+
+static int
+mac_bsdextended_check_setacl_vnode(struct ucred *cred, struct vnode *vp,
+    struct label *label, acl_type_t type, struct acl *acl)
+{
+	struct vattr vap;
+	int error;
+
+	if (!mac_bsdextended_enabled)
+		return (0);
+
+	error = VOP_GETATTR(vp, &vap, cred, curthread);
+	if (error)
+		return (error);
+	return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VADMIN));
+}
+
+static int
+mac_bsdextended_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
+    struct label *label, int attrnamespace, const char *name, struct uio *uio)
+{
+	struct vattr vap;
+	int error;
+
+	if (!mac_bsdextended_enabled)
+		return (0);
+
+	error = VOP_GETATTR(vp, &vap, cred, curthread);
+	if (error)
+		return (error);
+	return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VWRITE));
+}
+
+static int
+mac_bsdextended_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
+    struct label *label, u_long flags)
+{
+	struct vattr vap;
+	int error;
+
+	if (!mac_bsdextended_enabled)
+		return (0);
+
+	error = VOP_GETATTR(vp, &vap, cred, curthread);
+	if (error)
+		return (error);
+	return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VADMIN));
+}
+
+static int
+mac_bsdextended_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
+    struct label *label, mode_t mode)
+{
+	struct vattr vap;
+	int error;
+
+	if (!mac_bsdextended_enabled)
+		return (0);
+
+	error = VOP_GETATTR(vp, &vap, cred, curthread);
+	if (error)
+		return (error);
+	return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VADMIN));
+}
+
+static int
+mac_bsdextended_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
+    struct label *label, uid_t uid, gid_t gid)
+{
+	struct vattr vap;
+	int error;
+
+	if (!mac_bsdextended_enabled)
+		return (0);
+
+	error = VOP_GETATTR(vp, &vap, cred, curthread);
+	if (error)
+		return (error);
+	return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VADMIN));
+}
+
+static int
+mac_bsdextended_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
+    struct label *label, struct timespec atime, struct timespec utime)
+{
+	struct vattr vap;
+	int error;
+
+	if (!mac_bsdextended_enabled)
+		return (0);
+
+	error = VOP_GETATTR(vp, &vap, cred, curthread);
+	if (error)
+		return (error);
+	return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VADMIN));
+}
+
+static int
+mac_bsdextended_check_vnode_stat(struct ucred *cred, struct vnode *vp,
+    struct label *label)
+{
+	struct vattr vap;
+	int error;
+
+	if (!mac_bsdextended_enabled)
+		return (0);
+
+	error = VOP_GETATTR(vp, &vap, cred, curthread);
+	if (error)
+		return (error);
+	return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VSTAT));
+}
+
+static struct mac_policy_op_entry mac_bsdextended_ops[] =
+{
+	{ MAC_DESTROY,
+	    (macop_t)mac_bsdextended_destroy },
+	{ MAC_INIT,
+	    (macop_t)mac_bsdextended_init },
+	{ MAC_CHECK_VNODE_ACCESS,
+	    (macop_t)mac_bsdextended_check_vnode_access },
+	{ MAC_CHECK_VNODE_CHDIR,
+	    (macop_t)mac_bsdextended_check_vnode_chdir },
+	{ MAC_CHECK_VNODE_CHROOT,
+	    (macop_t)mac_bsdextended_check_vnode_chroot },
+	{ MAC_CHECK_VNODE_CREATE,
+	    (macop_t)mac_bsdextended_check_create_vnode },
+	{ MAC_CHECK_VNODE_DELETE,
+	    (macop_t)mac_bsdextended_check_vnode_delete },
+	{ MAC_CHECK_VNODE_DELETEACL,
+	    (macop_t)mac_bsdextended_check_vnode_deleteacl },
+	{ MAC_CHECK_VNODE_EXEC,
+	    (macop_t)mac_bsdextended_check_vnode_exec },
+	{ MAC_CHECK_VNODE_GETACL,
+	    (macop_t)mac_bsdextended_check_vnode_getacl },
+	{ MAC_CHECK_VNODE_GETEXTATTR,
+	    (macop_t)mac_bsdextended_check_vnode_getextattr },
+	{ MAC_CHECK_VNODE_LOOKUP,
+	    (macop_t)mac_bsdextended_check_vnode_lookup },
+	{ MAC_CHECK_VNODE_OPEN,
+	    (macop_t)mac_bsdextended_check_vnode_open },
+	{ MAC_CHECK_VNODE_READDIR,
+	    (macop_t)mac_bsdextended_check_vnode_readdir },
+	{ MAC_CHECK_VNODE_READLINK,
+	    (macop_t)mac_bsdextended_check_vnode_readdlink },
+	{ MAC_CHECK_VNODE_RENAME_FROM,
+	    (macop_t)mac_bsdextended_check_vnode_rename_from },
+	{ MAC_CHECK_VNODE_RENAME_TO,
+	    (macop_t)mac_bsdextended_check_vnode_rename_to },
+	{ MAC_CHECK_VNODE_REVOKE,
+	    (macop_t)mac_bsdextended_check_vnode_revoke },
+	{ MAC_CHECK_VNODE_SETACL,
+	    (macop_t)mac_bsdextended_check_setacl_vnode },
+	{ MAC_CHECK_VNODE_SETEXTATTR,
+	    (macop_t)mac_bsdextended_check_vnode_setextattr },
+	{ MAC_CHECK_VNODE_SETFLAGS,
+	    (macop_t)mac_bsdextended_check_vnode_setflags },
+	{ MAC_CHECK_VNODE_SETMODE,
+	    (macop_t)mac_bsdextended_check_vnode_setmode },
+	{ MAC_CHECK_VNODE_SETOWNER,
+	    (macop_t)mac_bsdextended_check_vnode_setowner },
+	{ MAC_CHECK_VNODE_SETUTIMES,
+	    (macop_t)mac_bsdextended_check_vnode_setutimes },
+	{ MAC_CHECK_VNODE_STAT,
+	    (macop_t)mac_bsdextended_check_vnode_stat },
+	{ MAC_OP_LAST, NULL }
+};
+
+MAC_POLICY_SET(mac_bsdextended_ops, trustedbsd_mac_bsdextended,
+    "TrustedBSD MAC/BSD Extended", MPC_LOADTIME_FLAG_UNLOADOK, NULL);

sys/security/mac_bsdextended/mac_bsdextended.h

@@ -0,0 +1,60 @@
+/*-
+ * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson
+ * Copyright (c) 2001, 2002 Networks Associates Technology, Inc.
+ * All rights reserved.
+ *
+ * This software was developed by Robert Watson for the TrustedBSD Project.
+ *
+ * This software was developed for the FreeBSD Project in part by NAI Labs,
+ * the Security Research Division of Network Associates, Inc. under
+ * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA
+ * CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The names of the authors may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#ifndef _SYS_SECURITY_MAC_BSDEXTENDED_H
+#define	_SYS_SECURITY_MAC_BSDEXTENDED_H
+
+#define	MBI_UID_DEFINED	0x00000001	/* uid field should be used */
+#define	MBI_GID_DEFINED	0x00000002	/* gid field should be used */
+#define	MBI_NEGATED	0x00000004	/* negate uid/gid matches */
+#define	MBI_BITS	(MBI_UID_DEFINED | MBI_GID_DEFINED | MBI_NEGATED)
+
+struct mac_bsdextended_identity {
+	int	mbi_flags;
+	uid_t	mbi_uid;
+	gid_t	mbi_gid;
+};
+
+struct mac_bsdextended_rule {
+	struct mac_bsdextended_identity	mbr_subject;
+	struct mac_bsdextended_identity	mbr_object;
+	mode_t				mbr_mode;	/* maximum access */
+};
+
+#endif /* _SYS_SECURITY_MAC_BSDEXTENDED_H */

sys/security/mac_ifoff/mac_ifoff.c

@@ -0,0 +1,173 @@
+/*-
+ * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson
+ * Copyright (c) 2001, 2002 Networks Associates Technology, Inc.
+ * All rights reserved.
+ *
+ * This software was developed by Robert Watson for the TrustedBSD Project.
+ *
+ * This software was developed for the FreeBSD Project in part by NAI Labs,
+ * the Security Research Division of Network Associates, Inc. under
+ * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA
+ * CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The names of the authors may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+/*
+ * Developed by the TrustedBSD Project.
+ * Limit access to interfaces until they are specifically administratively
+ * enabled.  Prevents protocol stack-driven packet leakage in unsafe
+ * environments.
+ */
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/conf.h>
+#include <sys/kernel.h>
+#include <sys/mac.h>
+#include <sys/mount.h>
+#include <sys/proc.h>
+#include <sys/systm.h>
+#include <sys/sysproto.h>
+#include <sys/sysent.h>
+#include <sys/vnode.h>
+#include <sys/file.h>
+#include <sys/socket.h>
+#include <sys/socketvar.h>
+#include <sys/sysctl.h>
+
+#include <net/bpfdesc.h>
+#include <net/if.h>
+#include <net/if_types.h>
+#include <net/if_var.h>
+
+#include <vm/vm.h>
+
+#include <sys/mac_policy.h>
+
+SYSCTL_DECL(_security_mac);
+
+SYSCTL_NODE(_security_mac, OID_AUTO, ifoff, CTLFLAG_RW, 0,
+    "TrustedBSD mac_ifoff policy controls");
+
+static int	mac_ifoff_enabled = 1;
+SYSCTL_INT(_security_mac_ifoff, OID_AUTO, enabled, CTLFLAG_RW,
+    &mac_ifoff_enabled, 0, "Enforce ifoff policy");
+TUNABLE_INT("security.mac.ifoff.enabled", &mac_ifoff_enabled);
+
+static int	mac_ifoff_lo_enabled = 1;
+SYSCTL_INT(_security_mac_ifoff, OID_AUTO, lo_enabled, CTLFLAG_RW,
+    &mac_ifoff_lo_enabled, 0, "Enable loopback interfaces");
+TUNABLE_INT("security.mac.ifoff.lo_enabled", &mac_ifoff_lo_enabled);
+
+static int	mac_ifoff_other_enabled = 0;
+SYSCTL_INT(_security_mac_ifoff, OID_AUTO, other_enabled, CTLFLAG_RW,
+    &mac_ifoff_other_enabled, 0, "Enable other interfaces");
+TUNABLE_INT("security.mac.ifoff.other_enabled", &mac_ifoff_other_enabled);
+
+static int	mac_ifoff_bpfrecv_enabled = 0;
+SYSCTL_INT(_security_mac_ifoff, OID_AUTO, bpfrecv_enabled, CTLFLAG_RW,
+    &mac_ifoff_bpfrecv_enabled, 0, "Enable BPF reception even when interface "
+    "is disabled");
+TUNABLE_INT("security.mac.ifoff.bpfrecv.enabled", &mac_ifoff_bpfrecv_enabled);
+
+static int
+check_ifnet_outgoing(struct ifnet *ifnet)
+{
+
+	if (!mac_ifoff_enabled)
+		return (0);
+
+	if (mac_ifoff_lo_enabled && ifnet->if_type == IFT_LOOP)
+		return (0);
+
+	if (mac_ifoff_other_enabled && ifnet->if_type != IFT_LOOP)
+		return (0);
+
+	return (EPERM);
+}
+
+static int
+check_ifnet_incoming(struct ifnet *ifnet, int viabpf)
+{
+	if (!mac_ifoff_enabled)
+		return (0);
+
+	if (mac_ifoff_lo_enabled && ifnet->if_type == IFT_LOOP)  
+		return (0);
+
+	if (mac_ifoff_other_enabled && ifnet->if_type != IFT_LOOP)
+		return (0);
+
+	if (viabpf && mac_ifoff_bpfrecv_enabled)
+		return (0);
+
+	return (EPERM);
+}
+
+static int
+mac_ifoff_check_bpfdesc_receive(struct bpf_d *bpf_d, struct label *bpflabel,
+    struct ifnet *ifnet, struct label *ifnetlabel)
+{
+
+	return (check_ifnet_incoming(ifnet, 1));
+}
+
+static int
+mac_ifoff_check_ifnet_transmit(struct ifnet *ifnet, struct label *ifnetlabel,
+    struct mbuf *m, struct label *mbuflabel)
+{
+
+	return (check_ifnet_outgoing(ifnet));
+}
+
+static int
+mac_ifoff_check_socket_receive(struct socket *so, struct label *socketlabel,
+    struct mbuf *m, struct label *mbuflabel)
+{
+
+	if (m->m_flags & M_PKTHDR) {
+		if (m->m_pkthdr.rcvif != NULL)
+			return (check_ifnet_incoming(m->m_pkthdr.rcvif, 0));
+	}
+
+	return (0);
+}
+
+static struct mac_policy_op_entry mac_ifoff_ops[] =
+{
+	{ MAC_CHECK_BPFDESC_RECEIVE,
+	    (macop_t)mac_ifoff_check_bpfdesc_receive },
+	{ MAC_CHECK_IFNET_TRANSMIT,
+	    (macop_t)mac_ifoff_check_ifnet_transmit },
+	{ MAC_CHECK_SOCKET_RECEIVE,
+	    (macop_t)mac_ifoff_check_socket_receive },
+	{ MAC_OP_LAST, NULL }
+};
+
+MAC_POLICY_SET(mac_ifoff_ops, trustedbsd_mac_ifoff, "TrustedBSD MAC/ifoff",
+    MPC_LOADTIME_FLAG_UNLOADOK, NULL);

sys/security/mac_mls/mac_mls.h

@@ -0,0 +1,61 @@
+/*-
+ * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson
+ * Copyright (c) 2001, 2002 Networks Associates Technology, Inc.
+ * All rights reserved.
+ *
+ * This software was developed by Robert Watson for the TrustedBSD Project.
+ *
+ * This software was developed for the FreeBSD Project in part by NAI Labs,
+ * the Security Research Division of Network Associates, Inc. under
+ * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA
+ * CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The names of the authors may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+/*
+ * Definitions for the TrustedBSD MLS confidentiality policy module.
+ */
+#ifndef _SYS_SECURITY_MAC_MLS_H
+#define	_SYS_SECURITY_MAC_MLS_H
+
+#define	MAC_MLS_EXTATTR_NAMESPACE	EXTATTR_NAMESPACE_SYSTEM
+#define	MAC_MLS_EXTATTR_NAME		"mac_biba"
+
+#define	MAC_MLS_FLAG_SINGLE	0x00000001	/* mm_single initialized */
+#define	MAC_MLS_FLAG_RANGE	0x00000002	/* mm_range* initialized */
+#define	MAC_MLS_FLAGS_BOTH	(MAC_MLS_FLAG_SINGLE | MAC_MLS_FLAG_RANGE)
+
+#define	MAC_MLS_TYPE_UNDEF	0	/* Undefined */
+#define	MAC_MLS_TYPE_LEVEL	1	/* Hierarchal level with mm_level. */
+#define	MAC_MLS_TYPE_LOW	2	/* Dominated by any
+					 * MAC_MLS_TYPE_LABEL. */
+#define	MAC_MLS_TYPE_HIGH	3	/* Dominates any
+					 * MAC_MLS_TYPE_LABEL. */
+#define	MAC_MLS_TYPE_EQUAL	4	/* Equivilent to any
+					 * MAC_MLS_TYPE_LABEL. */
+
+#endif /* !_SYS_SECURITY_MAC_MLS_H */

sys/security/mac_seeotheruids/mac_seeotheruids.c

@@ -0,0 +1,179 @@
+/*-
+ * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson
+ * Copyright (c) 2001, 2002 Networks Associates Technology, Inc.
+ * All rights reserved.
+ *
+ * This software was developed by Robert Watson for the TrustedBSD Project.
+ *
+ * This software was developed for the FreeBSD Project in part by NAI Labs,
+ * the Security Research Division of Network Associates, Inc. under
+ * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA
+ * CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The names of the authors may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+/*
+ * Developed by the TrustedBSD Project.
+ * Prevent processes owned by a particular uid from seeing various transient
+ * kernel objects associated with other uids.
+ */
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/conf.h>
+#include <sys/kernel.h>
+#include <sys/mac.h>
+#include <sys/mount.h>
+#include <sys/proc.h>
+#include <sys/systm.h>
+#include <sys/sysproto.h>
+#include <sys/sysent.h>
+#include <sys/vnode.h>
+#include <sys/file.h>
+#include <sys/socket.h>
+#include <sys/socketvar.h>
+#include <sys/sysctl.h>
+
+#include <net/bpfdesc.h>
+#include <net/if.h>
+#include <net/if_types.h>
+#include <net/if_var.h>
+
+#include <vm/vm.h>
+
+#include <sys/mac_policy.h>
+
+SYSCTL_DECL(_security_mac);
+
+SYSCTL_NODE(_security_mac, OID_AUTO, seeotheruids, CTLFLAG_RW, 0,
+    "TrustedBSD mac_seeotheruids policy controls");
+
+static int	mac_seeotheruids_enabled = 0;
+SYSCTL_INT(_security_mac_seeotheruids, OID_AUTO, enabled, CTLFLAG_RW,
+    &mac_seeotheruids_enabled, 0, "Enforce seeotheruids policy");
+
+/*
+ * Exception: allow credentials to be aware of other credentials with the
+ * same primary gid.
+ */
+static int	primarygroup_enabled = 0;
+SYSCTL_INT(_security_mac_seeotheruids, OID_AUTO, primarygroup_enabled,
+    CTLFLAG_RW, &primarygroup_enabled, 0, "Make an exception for credentials "
+    "with the same real primary group id");
+
+/*
+ * Exception: allow processes with a specific gid to be exempt from the
+ * policy.  One sysctl enables this functionality; the other sets the
+ * exempt gid.
+ */
+static int	specificgid_enabled = 0;
+SYSCTL_INT(_security_mac_seeotheruids, OID_AUTO, specificgid_enabled,
+    CTLFLAG_RW, &specificgid_enabled, 0, "Make an exception for credentials "
+    "with a specific gid as their real primary group id or group set");
+
+static gid_t	specificgid = 0;
+SYSCTL_INT(_security_mac_seeotheruids, OID_AUTO, specificgid, CTLFLAG_RW,
+    &specificgid, 0, "Specific gid to be exempt from seeotheruids policy");
+
+static int
+mac_seeotheruids_check(struct ucred *u1, struct ucred *u2)
+{
+
+	if (!mac_seeotheruids_enabled)
+		return (0);
+
+	if (primarygroup_enabled) {
+		if (u1->cr_rgid == u2->cr_rgid)
+			return (0);
+	}
+
+	if (specificgid_enabled) {
+		if (u1->cr_rgid == specificgid || groupmember(specificgid, u1))
+			return (0);
+	}
+
+	if (u1->cr_ruid == u2->cr_ruid)
+		return (0);
+
+	return (ESRCH);
+}
+
+static int
+mac_seeotheruids_check_cred_visible(struct ucred *u1, struct ucred *u2)
+{
+
+	return (mac_seeotheruids_check(u1, u2));
+}
+
+static int
+mac_seeotheruids_check_proc_signal(struct ucred *cred, struct proc *proc,
+    int signum)
+{
+
+	return (mac_seeotheruids_check(cred, proc->p_ucred));
+}
+
+static int
+mac_seeotheruids_check_proc_sched(struct ucred *cred, struct proc *proc)
+{
+
+	return (mac_seeotheruids_check(cred, proc->p_ucred));
+}
+
+static int
+mac_seeotheruids_check_proc_debug(struct ucred *cred, struct proc *proc)
+{
+
+	return (mac_seeotheruids_check(cred, proc->p_ucred));
+}
+
+static int
+mac_seeotheruids_check_socket_visible(struct ucred *cred, struct socket *socket,
+    struct label *socketlabel)
+{
+
+	return (mac_seeotheruids_check(cred, socket->so_cred));
+}
+
+static struct mac_policy_op_entry mac_seeotheruids_ops[] =
+{
+	{ MAC_CHECK_CRED_VISIBLE,
+	    (macop_t)mac_seeotheruids_check_cred_visible },
+	{ MAC_CHECK_PROC_DEBUG,
+	    (macop_t)mac_seeotheruids_check_proc_debug },
+	{ MAC_CHECK_PROC_SCHED,
+	    (macop_t)mac_seeotheruids_check_proc_sched },
+	{ MAC_CHECK_PROC_SIGNAL,
+	    (macop_t)mac_seeotheruids_check_proc_signal },
+	{ MAC_CHECK_SOCKET_VISIBLE,
+	    (macop_t)mac_seeotheruids_check_socket_visible },
+	{ MAC_OP_LAST, NULL }
+};
+
+MAC_POLICY_SET(mac_seeotheruids_ops, trustedbsd_mac_seeotheruids,
+    "TrustedBSD MAC/seeotheruids", MPC_LOADTIME_FLAG_UNLOADOK, NULL);