diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c index 30896385ee9b..9f13644f1528 100644 --- a/sys/kern/kern_prot.c +++ b/sys/kern/kern_prot.c @@ -489,7 +489,7 @@ setuid(struct thread *td, struct setuid_args *uap) oldcred = p->p_ucred; #ifdef MAC - error = mac_proc_check_setuid(p, oldcred, uid); + error = mac_cred_check_setuid(oldcred, uid); if (error) goto fail; #endif @@ -601,7 +601,7 @@ seteuid(struct thread *td, struct seteuid_args *uap) oldcred = p->p_ucred; #ifdef MAC - error = mac_proc_check_seteuid(p, oldcred, euid); + error = mac_cred_check_seteuid(oldcred, euid); if (error) goto fail; #endif @@ -654,7 +654,7 @@ setgid(struct thread *td, struct setgid_args *uap) oldcred = p->p_ucred; #ifdef MAC - error = mac_proc_check_setgid(p, oldcred, gid); + error = mac_cred_check_setgid(oldcred, gid); if (error) goto fail; #endif @@ -753,7 +753,7 @@ setegid(struct thread *td, struct setegid_args *uap) oldcred = p->p_ucred; #ifdef MAC - error = mac_proc_check_setegid(p, oldcred, egid); + error = mac_cred_check_setegid(oldcred, egid); if (error) goto fail; #endif @@ -815,7 +815,7 @@ kern_setgroups(struct thread *td, u_int ngrp, gid_t *groups) oldcred = p->p_ucred; #ifdef MAC - error = mac_proc_check_setgroups(p, oldcred, ngrp, groups); + error = mac_cred_check_setgroups(oldcred, ngrp, groups); if (error) goto fail; #endif @@ -880,7 +880,7 @@ setreuid(register struct thread *td, struct setreuid_args *uap) oldcred = p->p_ucred; #ifdef MAC - error = mac_proc_check_setreuid(p, oldcred, ruid, euid); + error = mac_cred_check_setreuid(oldcred, ruid, euid); if (error) goto fail; #endif @@ -945,7 +945,7 @@ setregid(register struct thread *td, struct setregid_args *uap) oldcred = p->p_ucred; #ifdef MAC - error = mac_proc_check_setregid(p, oldcred, rgid, egid); + error = mac_cred_check_setregid(oldcred, rgid, egid); if (error) goto fail; #endif @@ -1016,7 +1016,7 @@ setresuid(register struct thread *td, struct setresuid_args *uap) oldcred = p->p_ucred; #ifdef MAC - error = mac_proc_check_setresuid(p, oldcred, ruid, euid, suid); + error = mac_cred_check_setresuid(oldcred, ruid, euid, suid); if (error) goto fail; #endif @@ -1093,7 +1093,7 @@ setresgid(register struct thread *td, struct setresgid_args *uap) oldcred = p->p_ucred; #ifdef MAC - error = mac_proc_check_setresgid(p, oldcred, rgid, egid, sgid); + error = mac_cred_check_setresgid(oldcred, rgid, egid, sgid); if (error) goto fail; #endif diff --git a/sys/security/audit/audit_syscalls.c b/sys/security/audit/audit_syscalls.c index f8d45fe6b51c..b70b10d6898d 100644 --- a/sys/security/audit/audit_syscalls.c +++ b/sys/security/audit/audit_syscalls.c @@ -474,7 +474,7 @@ setauid(struct thread *td, struct setauid_args *uap) oldcred = td->td_proc->p_ucred; crcopy(newcred, oldcred); #ifdef MAC - error = mac_proc_check_setauid(oldcred, id); + error = mac_cred_check_setauid(oldcred, id); if (error) goto fail; #endif @@ -539,7 +539,7 @@ setaudit(struct thread *td, struct setaudit_args *uap) oldcred = td->td_proc->p_ucred; crcopy(newcred, oldcred); #ifdef MAC - error = mac_proc_check_setaudit(oldcred, &ai); + error = mac_cred_check_setaudit(oldcred, &ai); if (error) goto fail; #endif @@ -602,7 +602,7 @@ setaudit_addr(struct thread *td, struct setaudit_addr_args *uap) oldcred = td->td_proc->p_ucred; crcopy(newcred, oldcred); #ifdef MAC - error = mac_proc_check_setaudit_addr(oldcred, &aia); + error = mac_cred_check_setaudit_addr(oldcred, &aia); if (error) goto fail; #endif diff --git a/sys/security/mac/mac_audit.c b/sys/security/mac/mac_audit.c index 6310b04e26e9..9bc2e2762586 100644 --- a/sys/security/mac/mac_audit.c +++ b/sys/security/mac/mac_audit.c @@ -58,43 +58,43 @@ __FBSDID("$FreeBSD$"); #include #include -MAC_CHECK_PROBE_DEFINE2(proc_check_setaudit, "struct ucred *", +MAC_CHECK_PROBE_DEFINE2(cred_check_setaudit, "struct ucred *", "struct auditinfo *"); int -mac_proc_check_setaudit(struct ucred *cred, struct auditinfo *ai) +mac_cred_check_setaudit(struct ucred *cred, struct auditinfo *ai) { int error; - MAC_CHECK(proc_check_setaudit, cred, ai); - MAC_CHECK_PROBE2(proc_check_setaudit, error, cred, ai); + MAC_CHECK(cred_check_setaudit, cred, ai); + MAC_CHECK_PROBE2(cred_check_setaudit, error, cred, ai); return (error); } -MAC_CHECK_PROBE_DEFINE2(proc_check_setaudit_addr, "struct ucred *", +MAC_CHECK_PROBE_DEFINE2(cred_check_setaudit_addr, "struct ucred *", "struct auditinfo_addr *"); int -mac_proc_check_setaudit_addr(struct ucred *cred, struct auditinfo_addr *aia) +mac_cred_check_setaudit_addr(struct ucred *cred, struct auditinfo_addr *aia) { int error; - MAC_CHECK(proc_check_setaudit_addr, cred, aia); - MAC_CHECK_PROBE2(proc_check_setaudit_addr, error, cred, aia); + MAC_CHECK(cred_check_setaudit_addr, cred, aia); + MAC_CHECK_PROBE2(cred_check_setaudit_addr, error, cred, aia); return (error); } -MAC_CHECK_PROBE_DEFINE2(proc_check_setauid, "struct ucred *", "uid_t"); +MAC_CHECK_PROBE_DEFINE2(cred_check_setauid, "struct ucred *", "uid_t"); int -mac_proc_check_setauid(struct ucred *cred, uid_t auid) +mac_cred_check_setauid(struct ucred *cred, uid_t auid) { int error; - MAC_CHECK(proc_check_setauid, cred, auid); - MAC_CHECK_PROBE2(proc_check_setauid, error, cred, auid); + MAC_CHECK(cred_check_setauid, cred, auid); + MAC_CHECK_PROBE2(cred_check_setauid, error, cred, auid); return (error); } diff --git a/sys/security/mac/mac_cred.c b/sys/security/mac/mac_cred.c index 8cac7b30df45..41c6e66c0e39 100644 --- a/sys/security/mac/mac_cred.c +++ b/sys/security/mac/mac_cred.c @@ -211,6 +211,132 @@ mac_cred_check_relabel(struct ucred *cred, struct label *newlabel) return (error); } +MAC_CHECK_PROBE_DEFINE2(cred_check_setuid, "struct ucred *", "uid_t"); + +int +mac_cred_check_setuid(struct ucred *cred, uid_t uid) +{ + int error; + + MAC_CHECK(cred_check_setuid, cred, uid); + MAC_CHECK_PROBE2(cred_check_setuid, error, cred, uid); + + return (error); +} + +MAC_CHECK_PROBE_DEFINE2(cred_check_seteuid, "struct ucred *", "uid_t"); + +int +mac_cred_check_seteuid(struct ucred *cred, uid_t euid) +{ + int error; + + MAC_CHECK(cred_check_seteuid, cred, euid); + MAC_CHECK_PROBE2(cred_check_seteuid, error, cred, euid); + + return (error); +} + +MAC_CHECK_PROBE_DEFINE2(cred_check_setgid, "struct ucred *", "gid_t"); + +int +mac_cred_check_setgid(struct ucred *cred, gid_t gid) +{ + int error; + + MAC_CHECK(cred_check_setgid, cred, gid); + MAC_CHECK_PROBE2(cred_check_setgid, error, cred, gid); + + return (error); +} + +MAC_CHECK_PROBE_DEFINE2(cred_check_setegid, "struct ucred *", "gid_t"); + +int +mac_cred_check_setegid(struct ucred *cred, gid_t egid) +{ + int error; + + MAC_CHECK(cred_check_setegid, cred, egid); + MAC_CHECK_PROBE2(cred_check_setegid, error, cred, egid); + + return (error); +} + +MAC_CHECK_PROBE_DEFINE3(cred_check_setgroups, "struct ucred *", "int", + "gid_t *"); + +int +mac_cred_check_setgroups(struct ucred *cred, int ngroups, gid_t *gidset) +{ + int error; + + MAC_CHECK(cred_check_setgroups, cred, ngroups, gidset); + MAC_CHECK_PROBE3(cred_check_setgroups, error, cred, ngroups, gidset); + + return (error); +} + +MAC_CHECK_PROBE_DEFINE3(cred_check_setreuid, "struct ucred *", "uid_t", + "uid_t"); + +int +mac_cred_check_setreuid(struct ucred *cred, uid_t ruid, uid_t euid) +{ + int error; + + MAC_CHECK(cred_check_setreuid, cred, ruid, euid); + MAC_CHECK_PROBE3(cred_check_setreuid, error, cred, ruid, euid); + + return (error); +} + +MAC_CHECK_PROBE_DEFINE3(cred_check_setregid, "struct ucred *", "gid_t", + "gid_t"); + +int +mac_cred_check_setregid(struct ucred *cred, gid_t rgid, gid_t egid) +{ + int error; + + MAC_CHECK(cred_check_setregid, cred, rgid, egid); + MAC_CHECK_PROBE3(cred_check_setregid, error, cred, rgid, egid); + + return (error); +} + +MAC_CHECK_PROBE_DEFINE4(cred_check_setresuid, "struct ucred *", "uid_t", + "uid_t", "uid_t"); + +int +mac_cred_check_setresuid(struct ucred *cred, uid_t ruid, uid_t euid, + uid_t suid) +{ + int error; + + MAC_CHECK(cred_check_setresuid, cred, ruid, euid, suid); + MAC_CHECK_PROBE4(cred_check_setresuid, error, cred, ruid, euid, + suid); + + return (error); +} + +MAC_CHECK_PROBE_DEFINE4(cred_check_setresgid, "struct ucred *", "gid_t", + "gid_t", "gid_t"); + +int +mac_cred_check_setresgid(struct ucred *cred, gid_t rgid, gid_t egid, + gid_t sgid) +{ + int error; + + MAC_CHECK(cred_check_setresgid, cred, rgid, egid, sgid); + MAC_CHECK_PROBE4(cred_check_setresgid, error, cred, rgid, egid, + sgid); + + return (error); +} + MAC_CHECK_PROBE_DEFINE2(cred_check_visible, "struct ucred *", "struct ucred *"); diff --git a/sys/security/mac/mac_framework.c b/sys/security/mac/mac_framework.c index 26bdd71125d5..f434df8db187 100644 --- a/sys/security/mac/mac_framework.c +++ b/sys/security/mac/mac_framework.c @@ -17,6 +17,9 @@ * This software was enhanced by SPARTA ISSO under SPAWAR contract * N66001-04-C-6019 ("SEFOS"). * + * This software was developed at the University of Cambridge Computer + * Laboratory with support from a grant from Google, Inc. + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h index 4da4af92afac..dfc48f85b58b 100644 --- a/sys/security/mac/mac_framework.h +++ b/sys/security/mac/mac_framework.h @@ -1,5 +1,5 @@ /*- - * Copyright (c) 1999-2002, 2007-2008 Robert N. M. Watson + * Copyright (c) 1999-2002, 2007-2009 Robert N. M. Watson * Copyright (c) 2001-2005 Networks Associates Technology, Inc. * Copyright (c) 2005-2006 SPARTA, Inc. * All rights reserved. @@ -14,6 +14,9 @@ * This software was enhanced by SPARTA ISSO under SPAWAR contract * N66001-04-C-6019 ("SEFOS"). * + * This software was developed at the University of Cambridge Computer + * Laboratory with support from a grant from Google, Inc. + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -105,6 +108,22 @@ void mac_bpfdesc_destroy(struct bpf_d *); void mac_bpfdesc_init(struct bpf_d *); void mac_cred_associate_nfsd(struct ucred *cred); +int mac_cred_check_setaudit(struct ucred *cred, struct auditinfo *ai); +int mac_cred_check_setaudit_addr(struct ucred *cred, + struct auditinfo_addr *aia); +int mac_cred_check_setauid(struct ucred *cred, uid_t auid); +int mac_cred_check_setegid(struct ucred *cred, gid_t egid); +int mac_cred_check_seteuid(struct ucred *cred, uid_t euid); +int mac_cred_check_setgid(struct ucred *cred, gid_t gid); +int mac_cred_check_setgroups(struct ucred *cred, int ngroups, + gid_t *gidset); +int mac_cred_check_setregid(struct ucred *cred, gid_t rgid, gid_t egid); +int mac_cred_check_setresgid(struct ucred *cred, gid_t rgid, gid_t egid, + gid_t sgid); +int mac_cred_check_setresuid(struct ucred *cred, uid_t ruid, uid_t euid, + uid_t suid); +int mac_cred_check_setreuid(struct ucred *cred, uid_t ruid, uid_t euid); +int mac_cred_check_setuid(struct ucred *cred, uid_t uid); int mac_cred_check_visible(struct ucred *cr1, struct ucred *cr2); void mac_cred_copy(struct ucred *cr1, struct ucred *cr2); void mac_cred_create_init(struct ucred *cred); @@ -233,28 +252,6 @@ int mac_priv_grant(struct ucred *cred, int priv); int mac_proc_check_debug(struct ucred *cred, struct proc *p); int mac_proc_check_sched(struct ucred *cred, struct proc *p); -int mac_proc_check_setaudit(struct ucred *cred, struct auditinfo *ai); -int mac_proc_check_setaudit_addr(struct ucred *cred, - struct auditinfo_addr *aia); -int mac_proc_check_setauid(struct ucred *cred, uid_t auid); -int mac_proc_check_setegid(struct proc *p, struct ucred *cred, - gid_t egid); -int mac_proc_check_seteuid(struct proc *p, struct ucred *cred, - uid_t euid); -int mac_proc_check_setgid(struct proc *p, struct ucred *cred, - gid_t gid); -int mac_proc_check_setgroups(struct proc *p, struct ucred *cred, - int ngroups, gid_t *gidset); -int mac_proc_check_setregid(struct proc *p, struct ucred *cred, - gid_t rgid, gid_t egid); -int mac_proc_check_setresgid(struct proc *p, struct ucred *cred, - gid_t rgid, gid_t egid, gid_t sgid); -int mac_proc_check_setresuid(struct proc *p, struct ucred *cred, - uid_t ruid, uid_t euid, uid_t suid); -int mac_proc_check_setreuid(struct proc *p, struct ucred *cred, - uid_t ruid, uid_t euid); -int mac_proc_check_setuid(struct proc *p, struct ucred *cred, - uid_t uid); int mac_proc_check_signal(struct ucred *cred, struct proc *p, int signum); int mac_proc_check_wait(struct ucred *cred, struct proc *p); diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h index e3334094ccf4..410906b65488 100644 --- a/sys/security/mac/mac_policy.h +++ b/sys/security/mac/mac_policy.h @@ -1,5 +1,5 @@ /*- - * Copyright (c) 1999-2002, 2007-2008 Robert N. M. Watson + * Copyright (c) 1999-2002, 2007-2009 Robert N. M. Watson * Copyright (c) 2001-2005 Networks Associates Technology, Inc. * Copyright (c) 2005-2006 SPARTA, Inc. * Copyright (c) 2008 Apple Inc. @@ -15,6 +15,9 @@ * This software was enhanced by SPARTA ISSO under SPAWAR contract * N66001-04-C-6019 ("SEFOS"). * + * This software was developed at the University of Cambridge Computer + * Laboratory with support from a grant from Google, Inc. + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -132,6 +135,25 @@ typedef void (*mpo_bpfdesc_init_label_t)(struct label *label); typedef void (*mpo_cred_associate_nfsd_t)(struct ucred *cred); typedef int (*mpo_cred_check_relabel_t)(struct ucred *cred, struct label *newlabel); +typedef int (*mpo_cred_check_setaudit_t)(struct ucred *cred, + struct auditinfo *ai); +typedef int (*mpo_cred_check_setaudit_addr_t)(struct ucred *cred, + struct auditinfo_addr *aia); +typedef int (*mpo_cred_check_setauid_t)(struct ucred *cred, uid_t auid); +typedef int (*mpo_cred_check_setegid_t)(struct ucred *cred, gid_t egid); +typedef int (*mpo_cred_check_seteuid_t)(struct ucred *cred, uid_t euid); +typedef int (*mpo_cred_check_setgid_t)(struct ucred *cred, gid_t gid); +typedef int (*mpo_cred_check_setgroups_t)(struct ucred *cred, int ngroups, + gid_t *gidset); +typedef int (*mpo_cred_check_setregid_t)(struct ucred *cred, gid_t rgid, + gid_t egid); +typedef int (*mpo_cred_check_setresgid_t)(struct ucred *cred, gid_t rgid, + gid_t egid, gid_t sgid); +typedef int (*mpo_cred_check_setresuid_t)(struct ucred *cred, uid_t ruid, + uid_t euid, uid_t suid); +typedef int (*mpo_cred_check_setreuid_t)(struct ucred *cred, uid_t ruid, + uid_t euid); +typedef int (*mpo_cred_check_setuid_t)(struct ucred *cred, uid_t uid); typedef int (*mpo_cred_check_visible_t)(struct ucred *cr1, struct ucred *cr2); typedef void (*mpo_cred_copy_label_t)(struct label *src, @@ -353,25 +375,6 @@ typedef int (*mpo_proc_check_debug_t)(struct ucred *cred, struct proc *p); typedef int (*mpo_proc_check_sched_t)(struct ucred *cred, struct proc *p); -typedef int (*mpo_proc_check_setaudit_t)(struct ucred *cred, - struct auditinfo *ai); -typedef int (*mpo_proc_check_setaudit_addr_t)(struct ucred *cred, - struct auditinfo_addr *aia); -typedef int (*mpo_proc_check_setauid_t)(struct ucred *cred, uid_t auid); -typedef int (*mpo_proc_check_setegid_t)(struct ucred *cred, gid_t egid); -typedef int (*mpo_proc_check_seteuid_t)(struct ucred *cred, uid_t euid); -typedef int (*mpo_proc_check_setgid_t)(struct ucred *cred, gid_t gid); -typedef int (*mpo_proc_check_setgroups_t)(struct ucred *cred, int ngroups, - gid_t *gidset); -typedef int (*mpo_proc_check_setregid_t)(struct ucred *cred, gid_t rgid, - gid_t egid); -typedef int (*mpo_proc_check_setresgid_t)(struct ucred *cred, gid_t rgid, - gid_t egid, gid_t sgid); -typedef int (*mpo_proc_check_setresuid_t)(struct ucred *cred, uid_t ruid, - uid_t euid, uid_t suid); -typedef int (*mpo_proc_check_setreuid_t)(struct ucred *cred, uid_t ruid, - uid_t euid); -typedef int (*mpo_proc_check_setuid_t)(struct ucred *cred, uid_t uid); typedef int (*mpo_proc_check_signal_t)(struct ucred *cred, struct proc *proc, int signum); typedef int (*mpo_proc_check_wait_t)(struct ucred *cred, @@ -679,6 +682,18 @@ struct mac_policy_ops { mpo_cred_associate_nfsd_t mpo_cred_associate_nfsd; mpo_cred_check_relabel_t mpo_cred_check_relabel; + mpo_cred_check_setaudit_t mpo_cred_check_setaudit; + mpo_cred_check_setaudit_addr_t mpo_cred_check_setaudit_addr; + mpo_cred_check_setauid_t mpo_cred_check_setauid; + mpo_cred_check_setuid_t mpo_cred_check_setuid; + mpo_cred_check_seteuid_t mpo_cred_check_seteuid; + mpo_cred_check_setgid_t mpo_cred_check_setgid; + mpo_cred_check_setegid_t mpo_cred_check_setegid; + mpo_cred_check_setgroups_t mpo_cred_check_setgroups; + mpo_cred_check_setreuid_t mpo_cred_check_setreuid; + mpo_cred_check_setregid_t mpo_cred_check_setregid; + mpo_cred_check_setresuid_t mpo_cred_check_setresuid; + mpo_cred_check_setresgid_t mpo_cred_check_setresgid; mpo_cred_check_visible_t mpo_cred_check_visible; mpo_cred_copy_label_t mpo_cred_copy_label; mpo_cred_create_swapper_t mpo_cred_create_swapper; @@ -798,18 +813,6 @@ struct mac_policy_ops { mpo_proc_check_debug_t mpo_proc_check_debug; mpo_proc_check_sched_t mpo_proc_check_sched; - mpo_proc_check_setaudit_t mpo_proc_check_setaudit; - mpo_proc_check_setaudit_addr_t mpo_proc_check_setaudit_addr; - mpo_proc_check_setauid_t mpo_proc_check_setauid; - mpo_proc_check_setuid_t mpo_proc_check_setuid; - mpo_proc_check_seteuid_t mpo_proc_check_seteuid; - mpo_proc_check_setgid_t mpo_proc_check_setgid; - mpo_proc_check_setegid_t mpo_proc_check_setegid; - mpo_proc_check_setgroups_t mpo_proc_check_setgroups; - mpo_proc_check_setreuid_t mpo_proc_check_setreuid; - mpo_proc_check_setregid_t mpo_proc_check_setregid; - mpo_proc_check_setresuid_t mpo_proc_check_setresuid; - mpo_proc_check_setresgid_t mpo_proc_check_setresgid; mpo_proc_check_signal_t mpo_proc_check_signal; mpo_proc_check_wait_t mpo_proc_check_wait; mpo_proc_destroy_label_t mpo_proc_destroy_label; diff --git a/sys/security/mac/mac_process.c b/sys/security/mac/mac_process.c index 0a985853d35b..7faa7ae87b7b 100644 --- a/sys/security/mac/mac_process.c +++ b/sys/security/mac/mac_process.c @@ -2,7 +2,6 @@ * Copyright (c) 1999-2002, 2008-2009 Robert N. M. Watson * Copyright (c) 2001 Ilmar S. Habibulin * Copyright (c) 2001-2003 Networks Associates Technology, Inc. - * Copyright (c) 2005 Samy Al Bahra * Copyright (c) 2006 SPARTA, Inc. * Copyright (c) 2008 Apple Inc. * All rights reserved. @@ -424,153 +423,6 @@ mac_proc_check_signal(struct ucred *cred, struct proc *p, int signum) return (error); } -MAC_CHECK_PROBE_DEFINE2(proc_check_setuid, "struct ucred *", "uid_t"); - -int -mac_proc_check_setuid(struct proc *p, struct ucred *cred, uid_t uid) -{ - int error; - - PROC_LOCK_ASSERT(p, MA_OWNED); - - MAC_CHECK(proc_check_setuid, cred, uid); - MAC_CHECK_PROBE2(proc_check_setuid, error, cred, uid); - - return (error); -} - -MAC_CHECK_PROBE_DEFINE2(proc_check_seteuid, "struct ucred *", "uid_t"); - -int -mac_proc_check_seteuid(struct proc *p, struct ucred *cred, uid_t euid) -{ - int error; - - PROC_LOCK_ASSERT(p, MA_OWNED); - - MAC_CHECK(proc_check_seteuid, cred, euid); - MAC_CHECK_PROBE2(proc_check_seteuid, error, cred, euid); - - return (error); -} - -MAC_CHECK_PROBE_DEFINE2(proc_check_setgid, "struct ucred *", "gid_t"); - -int -mac_proc_check_setgid(struct proc *p, struct ucred *cred, gid_t gid) -{ - int error; - - PROC_LOCK_ASSERT(p, MA_OWNED); - - MAC_CHECK(proc_check_setgid, cred, gid); - MAC_CHECK_PROBE2(proc_check_setgid, error, cred, gid); - - return (error); -} - -MAC_CHECK_PROBE_DEFINE2(proc_check_setegid, "struct ucred *", "gid_t"); - -int -mac_proc_check_setegid(struct proc *p, struct ucred *cred, gid_t egid) -{ - int error; - - PROC_LOCK_ASSERT(p, MA_OWNED); - - MAC_CHECK(proc_check_setegid, cred, egid); - MAC_CHECK_PROBE2(proc_check_setegid, error, cred, egid); - - return (error); -} - -MAC_CHECK_PROBE_DEFINE3(proc_check_setgroups, "struct ucred *", "int", - "gid_t *"); - -int -mac_proc_check_setgroups(struct proc *p, struct ucred *cred, int ngroups, - gid_t *gidset) -{ - int error; - - PROC_LOCK_ASSERT(p, MA_OWNED); - - MAC_CHECK(proc_check_setgroups, cred, ngroups, gidset); - MAC_CHECK_PROBE3(proc_check_setgroups, error, cred, ngroups, gidset); - - return (error); -} - -MAC_CHECK_PROBE_DEFINE3(proc_check_setreuid, "struct ucred *", "uid_t", - "uid_t"); - -int -mac_proc_check_setreuid(struct proc *p, struct ucred *cred, uid_t ruid, - uid_t euid) -{ - int error; - - PROC_LOCK_ASSERT(p, MA_OWNED); - - MAC_CHECK(proc_check_setreuid, cred, ruid, euid); - MAC_CHECK_PROBE3(proc_check_setreuid, error, cred, ruid, euid); - - return (error); -} - -MAC_CHECK_PROBE_DEFINE3(proc_check_setregid, "struct ucred *", "gid_t", - "gid_t"); - -int -mac_proc_check_setregid(struct proc *proc, struct ucred *cred, gid_t rgid, - gid_t egid) -{ - int error; - - PROC_LOCK_ASSERT(proc, MA_OWNED); - - MAC_CHECK(proc_check_setregid, cred, rgid, egid); - MAC_CHECK_PROBE3(proc_check_setregid, error, cred, rgid, egid); - - return (error); -} - -MAC_CHECK_PROBE_DEFINE4(proc_check_setresuid, "struct ucred *", "uid_t", - "uid_t", "uid_t"); - -int -mac_proc_check_setresuid(struct proc *p, struct ucred *cred, uid_t ruid, - uid_t euid, uid_t suid) -{ - int error; - - PROC_LOCK_ASSERT(p, MA_OWNED); - - MAC_CHECK(proc_check_setresuid, cred, ruid, euid, suid); - MAC_CHECK_PROBE4(proc_check_setresuid, error, cred, ruid, euid, - suid); - - return (error); -} - -MAC_CHECK_PROBE_DEFINE4(proc_check_setresgid, "struct ucred *", "gid_t", - "gid_t", "gid_t"); - -int -mac_proc_check_setresgid(struct proc *p, struct ucred *cred, gid_t rgid, - gid_t egid, gid_t sgid) -{ - int error; - - PROC_LOCK_ASSERT(p, MA_OWNED); - - MAC_CHECK(proc_check_setresgid, cred, rgid, egid, sgid); - MAC_CHECK_PROBE4(proc_check_setresgid, error, cred, rgid, egid, - sgid); - - return (error); -} - MAC_CHECK_PROBE_DEFINE2(proc_check_wait, "struct ucred *", "struct proc *"); int diff --git a/sys/security/mac_stub/mac_stub.c b/sys/security/mac_stub/mac_stub.c index 23228a7a6ee7..169198ac5938 100644 --- a/sys/security/mac_stub/mac_stub.c +++ b/sys/security/mac_stub/mac_stub.c @@ -1,5 +1,5 @@ /*- - * Copyright (c) 1999-2002, 2007-2008 Robert N. M. Watson + * Copyright (c) 1999-2002, 2007-2009 Robert N. M. Watson * Copyright (c) 2001-2005 McAfee, Inc. * Copyright (c) 2005-2006 SPARTA, Inc. * Copyright (c) 2008 Apple Inc. @@ -15,6 +15,9 @@ * This software was enhanced by SPARTA ISSO under SPAWAR contract * N66001-04-C-6019 ("SEFOS"). * + * This software was developed at the University of Cambridge Computer + * Laboratory with support from a grant from Google, Inc. + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -198,6 +201,93 @@ stub_cred_check_relabel(struct ucred *cred, struct label *newlabel) return (0); } +static int +stub_cred_check_setaudit(struct ucred *cred, struct auditinfo *ai) +{ + + return (0); +} + +static int +stub_cred_check_setaudit_addr(struct ucred *cred, struct auditinfo_addr *aia) +{ + + return (0); +} + +static int +stub_cred_check_setauid(struct ucred *cred, uid_t auid) +{ + + return (0); +} + +static int +stub_cred_check_setegid(struct ucred *cred, gid_t egid) +{ + + return (0); +} + +static int +stub_cred_check_seteuid(struct ucred *cred, uid_t euid) +{ + + return (0); +} + +static int +stub_cred_check_setgid(struct ucred *cred, gid_t gid) +{ + + return (0); +} + +static int +stub_cred_check_setgroups(struct ucred *cred, int ngroups, + gid_t *gidset) +{ + + return (0); +} + +static int +stub_cred_check_setregid(struct ucred *cred, gid_t rgid, gid_t egid) +{ + + return (0); +} + +static int +stub_cred_check_setresgid(struct ucred *cred, gid_t rgid, gid_t egid, + gid_t sgid) +{ + + return (0); +} + +static int +stub_cred_check_setresuid(struct ucred *cred, uid_t ruid, uid_t euid, + uid_t suid) +{ + + return (0); +} + +static int +stub_cred_check_setreuid(struct ucred *cred, uid_t ruid, uid_t euid) +{ + + return (0); +} + +static int +stub_cred_check_setuid(struct ucred *cred, uid_t uid) +{ + + return (0); +} + static int stub_cred_check_visible(struct ucred *cr1, struct ucred *cr2) { @@ -700,93 +790,6 @@ stub_proc_check_sched(struct ucred *cred, struct proc *p) return (0); } -static int -stub_proc_check_setaudit(struct ucred *cred, struct auditinfo *ai) -{ - - return (0); -} - -static int -stub_proc_check_setaudit_addr(struct ucred *cred, struct auditinfo_addr *aia) -{ - - return (0); -} - -static int -stub_proc_check_setauid(struct ucred *cred, uid_t auid) -{ - - return (0); -} - -static int -stub_proc_check_setegid(struct ucred *cred, gid_t egid) -{ - - return (0); -} - -static int -stub_proc_check_seteuid(struct ucred *cred, uid_t euid) -{ - - return (0); -} - -static int -stub_proc_check_setgid(struct ucred *cred, gid_t gid) -{ - - return (0); -} - -static int -stub_proc_check_setgroups(struct ucred *cred, int ngroups, - gid_t *gidset) -{ - - return (0); -} - -static int -stub_proc_check_setregid(struct ucred *cred, gid_t rgid, gid_t egid) -{ - - return (0); -} - -static int -stub_proc_check_setresgid(struct ucred *cred, gid_t rgid, gid_t egid, - gid_t sgid) -{ - - return (0); -} - -static int -stub_proc_check_setresuid(struct ucred *cred, uid_t ruid, uid_t euid, - uid_t suid) -{ - - return (0); -} - -static int -stub_proc_check_setreuid(struct ucred *cred, uid_t ruid, uid_t euid) -{ - - return (0); -} - -static int -stub_proc_check_setuid(struct ucred *cred, uid_t uid) -{ - - return (0); -} - static int stub_proc_check_signal(struct ucred *cred, struct proc *p, int signum) { @@ -1541,6 +1544,18 @@ static struct mac_policy_ops stub_ops = .mpo_cred_associate_nfsd = stub_cred_associate_nfsd, .mpo_cred_check_relabel = stub_cred_check_relabel, + .mpo_cred_check_setaudit = stub_cred_check_setaudit, + .mpo_cred_check_setaudit_addr = stub_cred_check_setaudit_addr, + .mpo_cred_check_setauid = stub_cred_check_setauid, + .mpo_cred_check_setegid = stub_cred_check_setegid, + .mpo_cred_check_seteuid = stub_cred_check_seteuid, + .mpo_cred_check_setgid = stub_cred_check_setgid, + .mpo_cred_check_setgroups = stub_cred_check_setgroups, + .mpo_cred_check_setregid = stub_cred_check_setregid, + .mpo_cred_check_setresgid = stub_cred_check_setresgid, + .mpo_cred_check_setresuid = stub_cred_check_setresuid, + .mpo_cred_check_setreuid = stub_cred_check_setreuid, + .mpo_cred_check_setuid = stub_cred_check_setuid, .mpo_cred_check_visible = stub_cred_check_visible, .mpo_cred_copy_label = stub_copy_label, .mpo_cred_create_init = stub_cred_create_init, @@ -1660,18 +1675,6 @@ static struct mac_policy_ops stub_ops = .mpo_proc_check_debug = stub_proc_check_debug, .mpo_proc_check_sched = stub_proc_check_sched, - .mpo_proc_check_setaudit = stub_proc_check_setaudit, - .mpo_proc_check_setaudit_addr = stub_proc_check_setaudit_addr, - .mpo_proc_check_setauid = stub_proc_check_setauid, - .mpo_proc_check_setegid = stub_proc_check_setegid, - .mpo_proc_check_seteuid = stub_proc_check_seteuid, - .mpo_proc_check_setgid = stub_proc_check_setgid, - .mpo_proc_check_setgroups = stub_proc_check_setgroups, - .mpo_proc_check_setregid = stub_proc_check_setregid, - .mpo_proc_check_setresgid = stub_proc_check_setresgid, - .mpo_proc_check_setresuid = stub_proc_check_setresuid, - .mpo_proc_check_setreuid = stub_proc_check_setreuid, - .mpo_proc_check_setuid = stub_proc_check_setuid, .mpo_proc_check_signal = stub_proc_check_signal, .mpo_proc_check_wait = stub_proc_check_wait, diff --git a/sys/security/mac_test/mac_test.c b/sys/security/mac_test/mac_test.c index 13086f274b54..95ce8a3d5fd3 100644 --- a/sys/security/mac_test/mac_test.c +++ b/sys/security/mac_test/mac_test.c @@ -1,5 +1,5 @@ /*- - * Copyright (c) 1999-2002, 2007-2008 Robert N. M. Watson + * Copyright (c) 1999-2002, 2007-2009 Robert N. M. Watson * Copyright (c) 2001-2005 McAfee, Inc. * Copyright (c) 2006 SPARTA, Inc. * Copyright (c) 2008 Apple Inc. @@ -15,6 +15,9 @@ * This software was enhanced by SPARTA ISSO under SPAWAR contract * N66001-04-C-6019 ("SEFOS"). * + * This software was developed at the University of Cambridge Computer + * Laboratory with support from a grant from Google, Inc. + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -220,6 +223,142 @@ test_cred_check_relabel(struct ucred *cred, struct label *newlabel) return (0); } +COUNTER_DECL(cred_check_setaudit); +static int +test_cred_check_setaudit(struct ucred *cred, struct auditinfo *ai) +{ + + LABEL_CHECK(cred->cr_label, MAGIC_CRED); + COUNTER_INC(cred_check_setaudit); + + return (0); +} + +COUNTER_DECL(cred_check_setaudit_addr); +static int +test_cred_check_setaudit_addr(struct ucred *cred, + struct auditinfo_addr *aia) +{ + + LABEL_CHECK(cred->cr_label, MAGIC_CRED); + COUNTER_INC(cred_check_setaudit_addr); + + return (0); +} + +COUNTER_DECL(cred_check_setauid); +static int +test_cred_check_setauid(struct ucred *cred, uid_t auid) +{ + + LABEL_CHECK(cred->cr_label, MAGIC_CRED); + COUNTER_INC(cred_check_setauid); + + return (0); +} + +COUNTER_DECL(cred_check_setegid); +static int +test_cred_check_setegid(struct ucred *cred, gid_t egid) +{ + + LABEL_CHECK(cred->cr_label, MAGIC_CRED); + COUNTER_INC(cred_check_setegid); + + return (0); +} + +COUNTER_DECL(proc_check_euid); +static int +test_cred_check_seteuid(struct ucred *cred, uid_t euid) +{ + + LABEL_CHECK(cred->cr_label, MAGIC_CRED); + COUNTER_INC(proc_check_euid); + + return (0); +} + +COUNTER_DECL(cred_check_setregid); +static int +test_cred_check_setregid(struct ucred *cred, gid_t rgid, gid_t egid) +{ + + LABEL_CHECK(cred->cr_label, MAGIC_CRED); + COUNTER_INC(cred_check_setregid); + + return (0); +} + +COUNTER_DECL(cred_check_setreuid); +static int +test_cred_check_setreuid(struct ucred *cred, uid_t ruid, uid_t euid) +{ + + LABEL_CHECK(cred->cr_label, MAGIC_CRED); + COUNTER_INC(cred_check_setreuid); + + return (0); +} + +COUNTER_DECL(cred_check_setgid); +static int +test_cred_check_setgid(struct ucred *cred, gid_t gid) +{ + + LABEL_CHECK(cred->cr_label, MAGIC_CRED); + COUNTER_INC(cred_check_setgid); + + return (0); +} + +COUNTER_DECL(cred_check_setgroups); +static int +test_cred_check_setgroups(struct ucred *cred, int ngroups, + gid_t *gidset) +{ + + LABEL_CHECK(cred->cr_label, MAGIC_CRED); + COUNTER_INC(cred_check_setgroups); + + return (0); +} + +COUNTER_DECL(cred_check_setresgid); +static int +test_cred_check_setresgid(struct ucred *cred, gid_t rgid, gid_t egid, + gid_t sgid) +{ + + LABEL_CHECK(cred->cr_label, MAGIC_CRED); + COUNTER_INC(cred_check_setresgid); + + return (0); +} + +COUNTER_DECL(cred_check_setresuid); +static int +test_cred_check_setresuid(struct ucred *cred, uid_t ruid, uid_t euid, + uid_t suid) +{ + + LABEL_CHECK(cred->cr_label, MAGIC_CRED); + COUNTER_INC(cred_check_setresuid); + + return (0); +} + +COUNTER_DECL(cred_check_setuid); +static int +test_cred_check_setuid(struct ucred *cred, uid_t uid) +{ + + LABEL_CHECK(cred->cr_label, MAGIC_CRED); + COUNTER_INC(cred_check_setuid); + + return (0); +} + COUNTER_DECL(cred_check_visible); static int test_cred_check_visible(struct ucred *u1, struct ucred *u2) @@ -1350,142 +1489,6 @@ test_proc_check_signal(struct ucred *cred, struct proc *p, int signum) return (0); } -COUNTER_DECL(proc_check_setaudit); -static int -test_proc_check_setaudit(struct ucred *cred, struct auditinfo *ai) -{ - - LABEL_CHECK(cred->cr_label, MAGIC_CRED); - COUNTER_INC(proc_check_setaudit); - - return (0); -} - -COUNTER_DECL(proc_check_setaudit_addr); -static int -test_proc_check_setaudit_addr(struct ucred *cred, - struct auditinfo_addr *aia) -{ - - LABEL_CHECK(cred->cr_label, MAGIC_CRED); - COUNTER_INC(proc_check_setaudit_addr); - - return (0); -} - -COUNTER_DECL(proc_check_setauid); -static int -test_proc_check_setauid(struct ucred *cred, uid_t auid) -{ - - LABEL_CHECK(cred->cr_label, MAGIC_CRED); - COUNTER_INC(proc_check_setauid); - - return (0); -} - -COUNTER_DECL(proc_check_setegid); -static int -test_proc_check_setegid(struct ucred *cred, gid_t egid) -{ - - LABEL_CHECK(cred->cr_label, MAGIC_CRED); - COUNTER_INC(proc_check_setegid); - - return (0); -} - -COUNTER_DECL(proc_check_euid); -static int -test_proc_check_seteuid(struct ucred *cred, uid_t euid) -{ - - LABEL_CHECK(cred->cr_label, MAGIC_CRED); - COUNTER_INC(proc_check_euid); - - return (0); -} - -COUNTER_DECL(proc_check_setregid); -static int -test_proc_check_setregid(struct ucred *cred, gid_t rgid, gid_t egid) -{ - - LABEL_CHECK(cred->cr_label, MAGIC_CRED); - COUNTER_INC(proc_check_setregid); - - return (0); -} - -COUNTER_DECL(proc_check_setreuid); -static int -test_proc_check_setreuid(struct ucred *cred, uid_t ruid, uid_t euid) -{ - - LABEL_CHECK(cred->cr_label, MAGIC_CRED); - COUNTER_INC(proc_check_setreuid); - - return (0); -} - -COUNTER_DECL(proc_check_setgid); -static int -test_proc_check_setgid(struct ucred *cred, gid_t gid) -{ - - LABEL_CHECK(cred->cr_label, MAGIC_CRED); - COUNTER_INC(proc_check_setgid); - - return (0); -} - -COUNTER_DECL(proc_check_setgroups); -static int -test_proc_check_setgroups(struct ucred *cred, int ngroups, - gid_t *gidset) -{ - - LABEL_CHECK(cred->cr_label, MAGIC_CRED); - COUNTER_INC(proc_check_setgroups); - - return (0); -} - -COUNTER_DECL(proc_check_setresgid); -static int -test_proc_check_setresgid(struct ucred *cred, gid_t rgid, gid_t egid, - gid_t sgid) -{ - - LABEL_CHECK(cred->cr_label, MAGIC_CRED); - COUNTER_INC(proc_check_setresgid); - - return (0); -} - -COUNTER_DECL(proc_check_setresuid); -static int -test_proc_check_setresuid(struct ucred *cred, uid_t ruid, uid_t euid, - uid_t suid) -{ - - LABEL_CHECK(cred->cr_label, MAGIC_CRED); - COUNTER_INC(proc_check_setresuid); - - return (0); -} - -COUNTER_DECL(proc_check_setuid); -static int -test_proc_check_setuid(struct ucred *cred, uid_t uid) -{ - - LABEL_CHECK(cred->cr_label, MAGIC_CRED); - COUNTER_INC(proc_check_setuid); - - return (0); -} - COUNTER_DECL(proc_check_wait); static int test_proc_check_wait(struct ucred *cred, struct proc *p) @@ -2881,6 +2884,18 @@ static struct mac_policy_ops test_ops = .mpo_bpfdesc_init_label = test_bpfdesc_init_label, .mpo_cred_check_relabel = test_cred_check_relabel, + .mpo_cred_check_setaudit = test_cred_check_setaudit, + .mpo_cred_check_setaudit_addr = test_cred_check_setaudit_addr, + .mpo_cred_check_setauid = test_cred_check_setauid, + .mpo_cred_check_seteuid = test_cred_check_seteuid, + .mpo_cred_check_setegid = test_cred_check_setegid, + .mpo_cred_check_setgid = test_cred_check_setgid, + .mpo_cred_check_setgroups = test_cred_check_setgroups, + .mpo_cred_check_setregid = test_cred_check_setregid, + .mpo_cred_check_setresgid = test_cred_check_setresgid, + .mpo_cred_check_setresuid = test_cred_check_setresuid, + .mpo_cred_check_setreuid = test_cred_check_setreuid, + .mpo_cred_check_setuid = test_cred_check_setuid, .mpo_cred_check_visible = test_cred_check_visible, .mpo_cred_copy_label = test_cred_copy_label, .mpo_cred_create_init = test_cred_create_init, @@ -3010,18 +3025,6 @@ static struct mac_policy_ops test_ops = .mpo_proc_check_debug = test_proc_check_debug, .mpo_proc_check_sched = test_proc_check_sched, - .mpo_proc_check_setaudit = test_proc_check_setaudit, - .mpo_proc_check_setaudit_addr = test_proc_check_setaudit_addr, - .mpo_proc_check_setauid = test_proc_check_setauid, - .mpo_proc_check_seteuid = test_proc_check_seteuid, - .mpo_proc_check_setegid = test_proc_check_setegid, - .mpo_proc_check_setgid = test_proc_check_setgid, - .mpo_proc_check_setgroups = test_proc_check_setgroups, - .mpo_proc_check_setregid = test_proc_check_setregid, - .mpo_proc_check_setresgid = test_proc_check_setresgid, - .mpo_proc_check_setresuid = test_proc_check_setresuid, - .mpo_proc_check_setreuid = test_proc_check_setreuid, - .mpo_proc_check_setuid = test_proc_check_setuid, .mpo_proc_check_signal = test_proc_check_signal, .mpo_proc_check_wait = test_proc_check_wait, .mpo_proc_destroy_label = test_proc_destroy_label,