/*
* Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson
As new objects begin to support new labels, start to generalize
the default label support in /etc/mac.conf. Rather than maintain
each default label type in an explicit global variable in mac.c,
keep a list of defaults loaded from the configuration file.
Generalize the parsing so that we support both the older:
default_file_labels foo
default_ifnet_labels foo
default_process_labels foo
And also a new:
default_labels file foo
default_labels ifnet foo
default_labels process foo
We now accept arbitrary object classes in the first argument. If
the same object is specified more than once, we discard the
earlier definition in favor of the later one.
Add a new API, mac_prepare_type(), which accepts a mac_t to
prepare, as well as an object name in the second argument, which
will pull a default label set for the object out of the
configuration loaded by mac_init_internal(). This permits the libc
to adapt to new objects known about by applications but not by libc
at compile-time.
Also liberalize the error handling a bit: if we're using implicit
initialization (i.e., the application didn't explicitly initialize
the MAC code), ignore syntax errors and only use valid lines. In
the future, we may want to add explicit warnings and do this a
bit more consistently.
While here, add support for a MAC_CONFFILE environmental variable,
which may be used to specify an alternative mac.conf configuration
file if the application isn't running with modified privilege
(issetugid()).
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
* Copyright (c) 2002, 2003 Networks Associates Technology, Inc.
* All rights reserved.
*
* This software was developed by Robert Watson for the TrustedBSD Project.
*
* This software was developed for the FreeBSD Project in part by Network
* Associates Laboratories, the Security Research Division of Network
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
* as part of the DARPA CHATS research program.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
#include <sys/types.h>
#include <sys/queue.h>
#include <sys/sysctl.h>
#include <dlfcn.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mac.h>
/* Module initialization flag; mac_destroy_internal() resets it to 0. */
static int internal_initialized;

/*
 * One default-label entry: an object type name and the label string
 * configured for it.  Both strings are heap copies owned by the entry;
 * mac_add_type() creates them and mac_destroy_labels() frees them.
 */
struct label_default {
	char				*ld_name;
	char				*ld_labels;
	LIST_ENTRY(label_default)	 ld_entries;
};

/*
 * Default label preparations, one entry per object type; a given name
 * appears at most once in the list.
 *
 * XXXMAC: Not thread-safe.  Nothing serializes access to this list.
 */
static LIST_HEAD(, label_default) label_default_head;
/*
 * Free every entry on label_default_head together with the name and
 * label strings it owns, leaving the list empty.  The list is walked
 * without any locking.
 */
static void
mac_destroy_labels(void)
{
	struct label_default *victim;

	for (victim = LIST_FIRST(&label_default_head); victim != NULL;
	    victim = LIST_FIRST(&label_default_head)) {
		/* Unlink first so the head never points at freed memory. */
		LIST_REMOVE(victim, ld_entries);
		free(victim->ld_labels);
		free(victim->ld_name);
		free(victim);
	}
}
/*
 * Tear down the module's internal state: release all default-label
 * entries, then clear the initialization flag.
 */
static void
mac_destroy_internal(void)
{

	/* Drop every default-label entry held on the list. */
	mac_destroy_labels();

	/* Mark the module as uninitialized again. */
	internal_initialized = 0;
}
/*
 * Record `labels' as the default label set for object type `name'.  If
 * an entry for `name' already exists its labels are replaced; otherwise
 * a new entry is inserted at the head of the list.  Both arguments are
 * copied and must be non-NULL strings; they are stored as given, and
 * nothing here validates the label syntax.
 *
 * Returns 0 on success.  If any allocation fails, returns -1 with errno
 * set to ENOMEM and leaves the list unchanged.
 */
static int
mac_add_type(const char *name, const char *labels)
{
	struct label_default *match, *fresh;
	char *name_copy, *labels_copy;

	/*
	 * Perform every allocation before the list is examined, so that a
	 * future mutex around the list never has to be held while
	 * allocating.
	 */
	labels_copy = NULL;
	fresh = NULL;
	name_copy = strdup(name);
	if (name_copy != NULL)
		labels_copy = strdup(labels);
	if (labels_copy != NULL)
		fresh = malloc(sizeof(*fresh));
	if (fresh == NULL) {
		/* Whichever step failed, release what was obtained so far. */
		free(labels_copy);
		free(name_copy);
		errno = ENOMEM;
		return (-1);
	}

	/* Look for an entry that already carries this type name. */
	match = LIST_FIRST(&label_default_head);
	while (match != NULL && strcmp(name, match->ld_name) != 0)
		match = LIST_NEXT(match, ld_entries);

	if (match == NULL) {
		/* New type: the fresh node takes ownership of both copies. */
		fresh->ld_name = name_copy;
		fresh->ld_labels = labels_copy;
		LIST_INSERT_HEAD(&label_default_head, fresh, ld_entries);
		return (0);
	}

	/*
	 * Known type: swap in the new labels and discard the speculative
	 * allocations that turned out to be unnecessary.
	 */
	free(match->ld_labels);
	match->ld_labels = labels_copy;
	free(name_copy);
	free(fresh);

	return (0);
}
/*
 * Return the next non-empty field of *string, using space and tab as
 * separators, or NULL once the input is exhausted.  The buffer is
 * modified in place by strsep(), and *string is advanced past the
 * returned field (it becomes NULL after the last one).
 */
static char *
next_token(char **string)
{
	char *field;

	/* strsep() yields "" between adjacent separators; skip those. */
	do {
		field = strsep(string, " \t");
	} while (field != NULL && *field == '\0');

	return (field);
}
static int
|
|
|
|
mac_init_internal(int ignore_errors)
|
|
|
|
{
|
|
|
|
const char *filename;
char line[LINE_MAX];
FILE *file;
int error;
|
|
|
|
|
|
|
|
error = 0;
LIST_INIT(&label_default_head);
|
|
|
|
|
|
|
|
if (!issetugid() && getenv("MAC_CONFFILE") != NULL)
|
|
|
|
filename = getenv("MAC_CONFFILE");
|
|
|
|
else
|
|
|
|
filename = MAC_CONFFILE;
|
|
|
|
file = fopen(filename, "r");
if (file == NULL)
|
|
|
|
return (0);
|
|
|
|
|
|
|
|
while (fgets(line, LINE_MAX, file)) {
char *comment, *parse, *statement;
if (line[strlen(line)-1] == '\n')
|
|
|
|
line[strlen(line)-1] = '\0';
|
|
|
|
else {
if (ignore_errors)
|
|
|
|
continue;
fclose(file);
|
|
|
|
error = EINVAL;
|
|
|
|
goto just_return;
|
|
|
|
}
/* Remove any comment. */
|
|
|
|
comment = line;
|
|
|
|
parse = strsep(&comment, "#");
/* Blank lines OK. */
|
|
|
|
statement = next_token(&parse);
|
|
|
|
if (statement == NULL)
continue;
if (strcmp(statement, "default_labels") == 0) {
|
|
|
|
char *name, *labels;
|
|
|
|
|
|
|
|
name = next_token(&parse);
|
|
|
|
labels = next_token(&parse);
|
|
|
|
if (name == NULL || labels == NULL ||
|
|
|
|
next_token(&parse) != NULL) {
|
|
|
|
if (ignore_errors)
|
|
|
|
continue;
|
|
|
|
error = EINVAL;
|
|
|
|
fclose(file);
|
|
|
|
goto just_return;
}
if (mac_add_type(name, labels) == -1) {
|
|
|
|
if (ignore_errors)
|
|
|
|
continue;
|
|
|
|
fclose(file);
|
|
|
|
goto just_return;
}
} else if (strcmp(statement, "default_ifnet_labels") == 0 ||
|
|
|
|
strcmp(statement, "default_file_labels") == 0 ||
|
|
|
|
strcmp(statement, "default_process_labels") == 0) {
|
|
|
|
char *labels, *type;
|
|
|
|
|
|
|
|
if (strcmp(statement, "default_ifnet_labels") == 0)
|
|
|
|
type = "ifnet";
|
|
|
|
else if (strcmp(statement, "default_file_labels") == 0)
|
|
|
|
type = "file";
|
|
|
|
else if (strcmp(statement, "default_process_labels") ==
|
|
|
|
0)
|
|
|
|
type = "process";
|
|
|
|
|
|
|
|
labels = next_token(&parse);
|
|
|
|
if (labels == NULL || next_token(&parse) != NULL) {
|
|
|
|
if (ignore_errors)
|
|
|
|
continue;
|
|
|
|
error = EINVAL;
|
|
|
|
fclose(file);
|
|
|
|
goto just_return;
|
2002-10-22 14:36:11 +00:00
|
|
|
}
|
|
|
|
|
As new objects begin to support new labels, start to generalize
the default label support in /etc/mac.conf. Rather than maintain
each default label type in an explicit global variable in mac.c,
keep a list of defaults loaded from the configuration file.
Generalize the parsing so that we support both the older:
default_file_labels foo
default_ifnet_labels foo
default_process_labels foo
And also a new:
default_labels file foo
default_labels ifnet foo
default_labels process foo
We now accept arbitrary object classes in the first argument. If
the same object is specified more than once, we discard the
earlier definition in favor of the later one.
Add a new API, mac_prepare_type(), which accepts a mac_t to
prepare, as well as an object name in the second argument, which
will pull a default label set for the object out of the
configuration loaded by mac_init_internal(). This permits the libc
to adapt to new objects known about by applications but not by libc
at compile-time.
Also liberalize the error handling a bit: if we're using implicit
initialization (i.e., the application didn't explicitly initialize
the MAC code), ignore syntax errors and only use valid lines. In
the future, we may want to add explicit warnings and do this a
bit more consistently.
While here, add support for a MAC_CONFFILE environmental variable,
which may be used to specify an alternative mac.conf configuration
file if the application isn't running with modified privilege
(issetugid()).
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-08-22 17:36:23 +00:00
|
|
|
if (mac_add_type(type, labels) == -1) {
|
|
|
|
if (ignore_errors)
|
|
|
|
continue;
|
|
|
|
fclose(file);
|
|
|
|
goto just_return;
|
2002-10-22 14:36:11 +00:00
|
|
|
}
|
|
|
|
} else {
|
As new objects begin to support new labels, start to generalize
the default label support in /etc/mac.conf. Rather than maintain
each default label type in an explicit global variable in mac.c,
keep a list of defaults loaded from the configuration file.
Generalize the parsing so that we support both the older:
default_file_labels foo
default_ifnet_labels foo
default_process_labels foo
And also a new:
default_labels file foo
default_labels ifnet foo
default_labels process foo
We now accept arbitrary object classes in the first argument. If
the same object is specified more than once, we discard the
earlier definition in favor of the later one.
Add a new API, mac_prepare_type(), which accepts a mac_t to
prepare, as well as an object name in the second argument, which
will pull a default label set for the object out of the
configuration loaded by mac_init_internal(). This permits the libc
to adapt to new objects known about by applications but not by libc
at compile-time.
Also liberalize the error handling a bit: if we're using implicit
initialization (i.e., the application didn't explicitly initialize
the MAC code), ignore syntax errors and only use valid lines. In
the future, we may want to add explicit warnings and do this a
bit more consistently.
While here, add support for a MAC_CONFFILE environmental variable,
which may be used to specify an alternative mac.conf configuration
file if the application isn't running with modified privilege
(issetugid()).
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-08-22 17:36:23 +00:00
|
|
|
if (ignore_errors)
|
|
|
|
continue;
|
2002-10-22 14:36:11 +00:00
|
|
|
fclose(file);
|
|
|
|
error = EINVAL;
|
|
|
|
goto just_return;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
fclose(file);
|
|
|
|
|
|
|
|
internal_initialized = 1;
|
|
|
|
|
|
|
|
just_return:
|
|
|
|
if (error != 0)
|
|
|
|
mac_destroy_internal();
|
|
|
|
return (error);
|
|
|
|
}
/*
 * Load the MAC configuration on first use.  When internal_initialized is
 * already set this is a no-op that reports success; otherwise the result
 * of mac_init_internal(1) is returned unchanged.
 *
 * NOTE(review): the argument 1 appears to be the ignore_errors flag that
 * mac_init_internal() tests while parsing, in which case malformed or
 * unknown configuration lines are skipped silently on this implicit path
 * and a default label set may simply be absent afterwards -- confirm
 * against the function's signature.
 */
static int
mac_maybe_init_internal(void)
{

	if (internal_initialized)
		return (0);
	return (mac_init_internal(1));
}
/*
 * Throw away any configuration that is currently loaded and read it again.
 *
 * Returns whatever mac_init_internal(0) returns.  Unlike the lazy
 * initialisation path, which passes 1, this call passes 0.
 * NOTE(review): that argument looks like the ignore_errors flag, so an
 * explicit reload would fail on a malformed configuration instead of
 * skipping the bad line -- confirm against mac_init_internal().
 */
int
mac_reload(void)
{
	int error;

	if (internal_initialized != 0) {
		mac_destroy_internal();
	}
	error = mac_init_internal(0);
	return (error);
}
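/*
 * Release a label obtained from mac_prepare() or mac_from_text(): both the
 * string buffer and the structure itself are freed.
 *
 * A NULL label is accepted and ignored, mirroring free(3).  The allocators
 * in this file store NULL through their output pointer when they fail, so
 * a caller's common cleanup path can reach this function with NULL; the
 * previous code dereferenced it.
 *
 * Always returns 0.
 */
int
mac_free(struct mac *mac)
{

	if (mac == NULL)
		return (0);

	/* free(NULL) is a no-op, so m_string needs no separate guard. */
	free(mac->m_string);
	free(mac);

	return (0);
}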
/*
 * Build a label from its text form.
 *
 * Allocates a struct mac, stores a private copy of text in m_string and
 * sets m_buflen to the length of that copy including the terminating NUL.
 * On success *mac points at the new label and 0 is returned; the caller
 * owns it and releases it with mac_free().
 *
 * On allocation failure ENOMEM is returned as the function value (not via
 * errno and -1) and *mac is left NULL.
 *
 * text is passed to strdup() unchecked, so it must be a valid
 * NUL-terminated string.
 */
int
mac_from_text(struct mac **mac, const char *text)
{
	struct mac *label;

	label = malloc(sizeof(*label));
	if (label == NULL) {
		*mac = NULL;
		return (ENOMEM);
	}

	label->m_string = strdup(text);
	if (label->m_string == NULL) {
		/* Do not hand back a half-built label. */
		free(label);
		*mac = NULL;
		return (ENOMEM);
	}

	label->m_buflen = strlen(label->m_string) + 1;
	*mac = label;

	return (0);
}
2002-10-24 01:16:56 +00:00
|
|
|
/*
 * Return a freshly allocated copy of the label's text form.
 *
 * *text receives the strdup() of mac->m_string; the caller owns the copy
 * and must free() it.  Returns 0 on success.  If the copy cannot be
 * allocated, *text is NULL and ENOMEM is returned as the function value.
 *
 * mac and mac->m_string are used unchecked and must both be valid.
 */
int
mac_to_text(struct mac *mac, char **text)
{
	char *copy;

	copy = strdup(mac->m_string);
	*text = copy;

	return (copy == NULL ? ENOMEM : 0);
}
2002-10-22 14:36:11 +00:00
|
|
|
/*
 * Allocate a label whose string buffer is MAC_MAX_LABEL_BUF_LEN bytes and
 * seed it with the element list in elements.
 *
 * The length of elements is checked against the buffer size before
 * anything is allocated or copied: a string that would not fit together
 * with its terminating NUL is rejected with EINVAL, and that check is what
 * bounds the copy below.  The buffer is always allocated at the full
 * maximum size and m_buflen records that size, not the length of the
 * string.
 *
 * Returns 0 on success with *mac pointing at the new label (release it
 * with mac_free()).  Errors come back as the function value: EINVAL for an
 * over-long element list, in which case *mac is not written, and ENOMEM
 * for allocation failure, in which case *mac is NULL.  Note that this
 * differs from the not-found path of mac_prepare_type(), which returns -1
 * and sets errno.
 *
 * elements is measured with strlen() unchecked and must be a valid
 * NUL-terminated string.
 */
int
mac_prepare(struct mac **mac, const char *elements)
{
	struct mac *label;
	size_t len;

	len = strlen(elements);
	if (len >= MAC_MAX_LABEL_BUF_LEN)
		return (EINVAL);

	label = malloc(sizeof(*label));
	if (label == NULL) {
		*mac = NULL;
		return (ENOMEM);
	}

	label->m_string = malloc(MAC_MAX_LABEL_BUF_LEN);
	if (label->m_string == NULL) {
		free(label);
		*mac = NULL;
		return (ENOMEM);
	}

	/* len + 1 <= MAC_MAX_LABEL_BUF_LEN was established above. */
	memcpy(label->m_string, elements, len + 1);
	label->m_buflen = MAC_MAX_LABEL_BUF_LEN;
	*mac = label;

	return (0);
}
/*
 * Prepare a label for the object class called name, using the default
 * label list registered for that class.
 *
 * The configuration is loaded on first use through
 * mac_maybe_init_internal(); a non-zero result from that call is returned
 * as is.  The list headed by label_default_head is then searched for an
 * entry whose ld_name equals name, and the first match is handed to
 * mac_prepare() together with its ld_labels string.
 *
 * If no entry matches, errno is set to ENOENT and -1 is returned.  Callers
 * therefore see two error conventions from this function: a value passed
 * through from the initialisation or from mac_prepare(), and -1 with
 * errno for an unknown class.
 *
 * NOTE(review): because the lazy initialisation passes 1 to
 * mac_init_internal(), a class whose configuration line was malformed may
 * have been skipped without any diagnostic and will surface here only as
 * ENOENT -- confirm against mac_init_internal().
 */
int
mac_prepare_type(struct mac **mac, const char *name)
{
	struct label_default *entry;
	int rc;

	rc = mac_maybe_init_internal();
	if (rc != 0)
		return (rc);

	entry = LIST_FIRST(&label_default_head);
	while (entry != NULL) {
		if (strcmp(name, entry->ld_name) == 0)
			return (mac_prepare(mac, entry->ld_labels));
		entry = LIST_NEXT(entry, ld_entries);
	}

	errno = ENOENT;
	return (-1);		/* XXXMAC: ENOLABEL */
}
/*
 * Prepare a label for a network interface: a convenience wrapper that asks
 * mac_prepare_type() for the defaults registered under "ifnet" and returns
 * its result unchanged.
 */
int
mac_prepare_ifnet_label(struct mac **mac)
{
	int error;

	error = mac_prepare_type(mac, "ifnet");
	return (error);
}
/*
 * Prepare a label for a file: a convenience wrapper that asks
 * mac_prepare_type() for the defaults registered under "file" and returns
 * its result unchanged.
 */
int
mac_prepare_file_label(struct mac **mac)
{
	int error;

	error = mac_prepare_type(mac, "file");
	return (error);
}
|
2002-10-22 14:36:11 +00:00
|
|
|
|
As new objects begin to support new labels, start to generalize
the default label support in /etc/mac.conf. Rather than maintain
each default label type in an explicit global variable in mac.c,
keep a list of defaults loaded from the configuration file.
Generalize the parsing so that we support both the older:
default_file_labels foo
default_ifnet_labels foo
default_process_labels foo
And also a new:
default_labels file foo
default_labels ifnet foo
default_labels process foo
We now accept arbitrary object classes in the first argument. If
the same object is specified more than once, we discard the
earlier definition in favor of the later one.
Add a new API, mac_prepare_type(), which accepts a mac_t to
prepare, as well as an object name in the second argument, which
will pull a default label set for the object out of the
configuration loaded by mac_init_internal(). This permits the libc
to adapt to new objects known about by applications but not by libc
at compile-time.
Also liberalize the error handling a bit: if we're using implicit
initialization (i.e., the application didn't explicitly initialize
the MAC code), ignore syntax errors and only use valid lines. In
the future, we may want to add explicit warnings and do this a
bit more consistently.
While here, add support for a MAC_CONFFILE environmental variable,
which may be used to specify an alternative mac.conf configuration
file if the application isn't running with modified privilege
(issetugid()).
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-08-22 17:36:23 +00:00
|
|
|
/*
 * Prepare a label for a packet: a convenience wrapper that asks
 * mac_prepare_type() for the defaults registered under "packet" and
 * returns its result unchanged.
 */
int
mac_prepare_packet_label(struct mac **mac)
{
	int error;

	error = mac_prepare_type(mac, "packet");
	return (error);
}
|
As new objects begin to support new labels, start to generalize
the default label support in /etc/mac.conf. Rather than maintain
each default label type in an explicit global variable in mac.c,
keep a list of defaults loaded from the configuration file.
Generalize the parsing so that we support both the older:
default_file_labels foo
default_ifnet_labels foo
default_process_labels foo
And also a new:
default_labels file foo
default_labels ifnet foo
default_labels process foo
We now accept arbitrary object classes in the first argument. If
the same object is specified more than once, we discard the
earlier definition in favor of the later one.
Add a new API, mac_prepare_type(), which accepts a mac_t to
prepare, as well as an object name in the second argument, which
will pull a default label set for the object out of the
configuration loaded by mac_init_internal(). This permits the libc
to adapt to new objects known about by applications but not by libc
at compile-time.
Also liberalize the error handling a bit: if we're using implicit
initialization (i.e., the application didn't explicitly initialize
the MAC code), ignore syntax errors and only use valid lines. In
the future, we may want to add explicit warnings and do this a
bit more consistently.
While here, add support for a MAC_CONFFILE environmental variable,
which may be used to specify an alternative mac.conf configuration
file if the application isn't running with modified privilege
(issetugid()).
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
2003-08-22 17:36:23 +00:00
|
|
|
|
2002-10-22 14:36:11 +00:00
|
|
|
/*
 * Prepare a label for a process: a convenience wrapper that asks
 * mac_prepare_type() for the defaults registered under "process" and
 * returns its result unchanged.
 */
int
mac_prepare_process_label(struct mac **mac)
{
	int error;

	error = mac_prepare_type(mac, "process");
	return (error);
}
/*
 * Test whether the TrustedBSD/MAC MIB tree is present, either as a whole
 * (policyname == NULL, looks up "security.mac") or for one policy (looks
 * up "security.mac.<policyname>.enabled").
 *
 * Returns 1 if the name resolves, 0 if the lookup fails with ENOENT or
 * ENOTDIR, and -1 for any other failure.
 *
 * The policy name is spliced into a sysctl name, so it is validated
 * first: a name containing '.' or '=' is rejected with errno = EINVAL and
 * -1.  That keeps the caller-supplied part from adding further name
 * components of its own.
 *
 * The buffer for the composed name is sized from the three pieces
 * (prefix without its NUL, the policy name, suffix with its NUL), which is
 * what bounds the copies below.  If that allocation fails, -1 is returned
 * and errno is whatever malloc() left.
 */
int
mac_is_present(const char *policyname)
{
	static const char prefix[] = "security.mac.";
	static const char suffix[] = ".enabled";
	int mib[5];
	size_t miblen;
	size_t polen;
	char *mibname;
	int rc;

	if (policyname == NULL) {
		miblen = 3;
		rc = sysctlnametomib("security.mac", mib, &miblen);
	} else {
		if (strpbrk(policyname, ".=") != NULL) {
			errno = EINVAL;
			return (-1);
		}
		polen = strlen(policyname);
		mibname = malloc(sizeof(prefix) - 1 + polen + sizeof(suffix));
		if (mibname == NULL)
			return (-1);
		/* Each piece lands exactly where the size above reserved it. */
		memcpy(mibname, prefix, sizeof(prefix) - 1);
		memcpy(mibname + sizeof(prefix) - 1, policyname, polen);
		memcpy(mibname + sizeof(prefix) - 1 + polen, suffix,
		    sizeof(suffix));
		miblen = 5;
		rc = sysctlnametomib(mibname, mib, &miblen);
		free(mibname);
	}

	if (rc != -1)
		return (1);

	/* A missing node means "not present", not an error. */
	if (errno == ENOTDIR || errno == ENOENT)
		return (0);
	return (rc);
}
|