diff --git a/lib/libc/posix1e/Makefile.inc b/lib/libc/posix1e/Makefile.inc index 3388c8fcea6c..8271901cb7fe 100644 --- a/lib/libc/posix1e/Makefile.inc +++ b/lib/libc/posix1e/Makefile.inc @@ -19,11 +19,9 @@ SRCS+= acl_calc_mask.c \ acl_to_text.c \ acl_valid.c \ extattr.c \ - mac_free.c \ - mac_is_present_np.c \ + mac.c \ mac_get.c \ - mac_set.c \ - mac_text.c + mac_set.c .if ${LIB} == "c" diff --git a/lib/libc/posix1e/mac.c b/lib/libc/posix1e/mac.c new file mode 100644 index 000000000000..ef22a6e72049 --- /dev/null +++ b/lib/libc/posix1e/mac.c 
@@ -0,0 +1,365 @@ +/* + * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson + * Copyright (c) 2002 Networks Associates Technology, Inc. + * All rights reserved. + * + * This software was developed by Robert Watson for the TrustedBSD Project. + * + * This software was developed for the FreeBSD Project in part by NAI Labs, + * the Security Research Division of Network Associates, Inc. under + * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA + * CHATS research program. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The names of the authors may not be used to endorse or promote + * products derived from this software without specific prior written + * permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ * + * $FreeBSD$ + */ + +#include +#include +#include +#include + +#include +#include +#include +#include +#include + +#include + +static int internal_initialized; + +/* Default sets of labels for various query operations. */ +static char *default_file_labels; +static char *default_ifnet_labels; +static char *default_process_labels; + +static void +mac_destroy_labels(void) +{ + + if (default_file_labels != NULL) { + free(default_file_labels); + default_file_labels = NULL; + } + + if (default_ifnet_labels != NULL) { + free(default_ifnet_labels); + default_ifnet_labels = NULL; + } + + if (default_process_labels != NULL) { + free(default_process_labels); + default_process_labels = NULL; + } +} + +static void +mac_destroy_internal(void) +{ + + mac_destroy_labels(); + + internal_initialized = 0; +} + +static int +mac_init_internal(void) +{ + FILE *file; + char line[LINE_MAX]; + int error; + + error = 0; + + file = fopen(MAC_CONFFILE, "r"); + if (file == NULL) + return (0); + + while (fgets(line, LINE_MAX, file)) { + char *argv[ARG_MAX]; + char *arg, *parse, *statement, *policyname, *modulename; + int argc; + + if (line[strlen(line)-1] == '\n') + line[strlen(line)-1] = '\0'; + else { + fclose(file); + error = EINVAL; + goto just_return; + } + + parse = line; + statement = ""; + while (parse && statement[0] == '\0') + statement = strsep(&parse, " \t"); + + /* Blank lines ok. */ + if (strlen(statement) == 0) + continue; + + /* Lines that consist only of comments ok. 
*/ + if (statement[0] == '#') + continue; + + if (strcmp(statement, "default_file_labels") == 0) { + if (default_file_labels != NULL) { + free(default_file_labels); + default_file_labels = NULL; + } + + arg = strsep(&parse, "# \t"); + if (arg != NULL && arg[0] != '\0') { + default_file_labels = strdup(arg); + if (default_file_labels == NULL) { + error = ENOMEM; + fclose(file); + goto just_return; + } + } + } else if (strcmp(statement, "default_ifnet_labels") == 0) { + if (default_ifnet_labels != NULL) { + free(default_ifnet_labels); + default_ifnet_labels = NULL; + } + + arg = strsep(&parse, "# \t"); + if (arg != NULL && arg[0] != '\0') { + default_ifnet_labels = strdup(arg); + if (default_ifnet_labels == NULL) { + error = ENOMEM; + fclose(file); + goto just_return; + } + } + } else if (strcmp(statement, "default_process_labels") == 0) { + if (default_process_labels != NULL) { + free(default_process_labels); + default_process_labels = NULL; + } + + arg = strsep(&parse, "# \t"); + if (arg != NULL && arg[0] != '\0') { + default_process_labels = strdup(arg); + if (default_process_labels == NULL) { + error = ENOMEM; + fclose(file); + goto just_return; + } + } + } else { + fclose(file); + error = EINVAL; + goto just_return; + } + } + + fclose(file); + + internal_initialized = 1; + +just_return: + if (error != 0) + mac_destroy_internal(); + return (error); +} + +static int +mac_maybe_init_internal(void) +{ + + if (!internal_initialized) + return (mac_init_internal()); + else + return (0); +} + +int +mac_reload(void) +{ + + if (internal_initialized) + mac_destroy_internal(); + return (mac_init_internal()); +} + +int +mac_free(struct mac *mac) +{ + int error; + + if (mac->m_string != NULL) + free(mac->m_string); + free(mac); + + return (0); +} + +int +mac_from_text(struct mac **mac, const char *text) +{ + struct mac *temp; + char *dup, *element, *search; + int count, error; + + *mac = (struct mac *) malloc(sizeof(**mac)); + if (*mac == NULL) + return (ENOMEM); + + 
(*mac)->m_string = strdup(text); + if ((*mac)->m_string == NULL) { + free(*mac); + *mac = NULL; + return (ENOMEM); + } + + (*mac)->m_buflen = strlen((*mac)->m_string)+1; + + return (0); +} + +int +mac_prepare(struct mac **mac, char *elements) +{ + struct mac *temp; + + if (strlen(elements) >= MAC_MAX_LABEL_BUF_LEN) + return (EINVAL); + + *mac = (struct mac *) malloc(sizeof(**mac)); + if (*mac == NULL) + return (ENOMEM); + + (*mac)->m_string = malloc(MAC_MAX_LABEL_BUF_LEN); + if ((*mac)->m_string == NULL) { + free(*mac); + *mac = NULL; + return (ENOMEM); + } + + strcpy((*mac)->m_string, elements); + (*mac)->m_buflen = MAC_MAX_LABEL_BUF_LEN; + + return (0); +} + +int +mac_to_text(struct mac *mac, char **text) +{ + + *text = strdup(mac->m_string); + if (*text == NULL) + return (ENOMEM); + return (0); +} + +int +mac_prepare_file_label(struct mac **mac) +{ + int error; + + error = mac_maybe_init_internal(); + if (error != 0) + return (error); + + if (default_file_labels == NULL) + return (mac_prepare(mac, "")); + + return (mac_prepare(mac, default_file_labels)); +} + +int +mac_prepare_ifnet_label(struct mac **mac) +{ + int error; + + error = mac_maybe_init_internal(); + if (error != 0) + return (error); + + if (default_ifnet_labels == NULL) + return (mac_prepare(mac, "")); + + return (mac_prepare(mac, default_ifnet_labels)); +} +int +mac_prepare_process_label(struct mac **mac) +{ + int error; + + error = mac_maybe_init_internal(); + if (error != 0) + return (error); + + if (default_process_labels == NULL) + return (mac_prepare(mac, "")); + + return (mac_prepare(mac, default_process_labels)); +} + +/* + * Simply test whether the TrustedBSD/MAC MIB tree is present; if so, + * return 1 to indicate that the system has MAC enabled overall or for + * a given policy. 
+ */ +int +mac_is_present(const char *policyname) +{ + int mib[5]; + size_t siz; + char *mibname; + int error; + + if (policyname != NULL) { + if (policyname[strcspn(policyname, ".=")] != '\0') { + errno = EINVAL; + return (-1); + } + mibname = malloc(sizeof("security.mac.") - 1 + + strlen(policyname) + sizeof(".enabled")); + if (mibname == NULL) + return (-1); + strcpy(mibname, "security.mac."); + strcat(mibname, policyname); + strcat(mibname, ".enabled"); + siz = 5; + error = sysctlnametomib(mibname, mib, &siz); + free(mibname); + } else { + siz = 3; + error = sysctlnametomib("security.mac", mib, &siz); + } + if (error == -1) { + switch (errno) { + case ENOTDIR: + case ENOENT: + return (0); + default: + return (error); + } + } + return (1); +} diff --git a/lib/libc/posix1e/mac_free.c b/lib/libc/posix1e/mac_free.c deleted file mode 100644 index 696ef42f3741..000000000000 --- a/lib/libc/posix1e/mac_free.c +++ /dev/null 
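Review bot: `mac_init_internal` declares `char *argv[ARG_MAX];` (and `int argc;`) inside the `fgets` loop and never uses either; ARG_MAX is at least 4096 and on most systems far larger, so this is a stack frame of hundreds of kilobytes in a libc routine that is reached lazily from `mac_prepare_file_label` and friends, and both declarations should simply be dropped. In the same loop, `line[strlen(line)-1]` indexes before the buffer when a line starts with a NUL byte (fgets returned data but strlen is 0); guard it with `size_t len = strlen(line); if (len > 0 && line[len-1] == '\n') line[len-1] = '\0';`. The `else` branch also makes a config file whose final line lacks a trailing newline fail with EINVAL and discard the defaults already parsed, which deserves a comment if intended. `mac_from_text` carries unused locals (`temp`, `dup`, `element`, `search`, `count`, `error`), and `mac_free` now dereferences its argument unconditionally, so a caller that passed NULL under the old `free(NULL)` semantics will crash; that should be stated in the function's contract, e.g. `/* mac must be non-NULL and come from mac_prepare*() or mac_from_text() */`.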
@@ -1,45 +0,0 @@ -/* - * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson - * All rights reserved. - * - * This software was developed by Robert Watson for the TrustedBSD Project. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. The names of the authors may not be used to endorse or promote - * products derived from this software without specific prior written - * permission. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * $FreeBSD$ - */ - -#include -#include - -#include - -int -mac_free(void *buf_p) -{ - - free(buf_p); - return (0); -} diff --git a/lib/libc/posix1e/mac_get.c b/lib/libc/posix1e/mac_get.c index f983ec15dee3..c5f11f351929 100644 --- a/lib/libc/posix1e/mac_get.c +++ b/lib/libc/posix1e/mac_get.c 
@@ -37,65 +37,37 @@ #include #include -mac_t -mac_get_file(const char *path_p) +int +mac_get_fd(int fd, struct mac *label) { - struct mac *label; - int error; - label = (mac_t) malloc(sizeof(*label)); - if (label == NULL) { - errno = ENOMEM; - return (NULL); - } - - error = __mac_get_file(path_p, label); - if (error) { - mac_free(label); - return (NULL); - } - - return (label); + return (__mac_get_fd(fd, label)); } -mac_t -mac_get_fd(int fd) +int +mac_get_file(const char *path, struct mac *label) { - struct mac *label; - int error; - label = (mac_t) malloc(sizeof(*label)); - if (label == NULL) { - errno = ENOMEM; - return (NULL); - } - - error = __mac_get_fd(fd, label); - if (error) { - mac_free(label); - return (NULL); - } - - return (label); + return (__mac_get_file(path, label)); } -mac_t -mac_get_proc() +int +mac_get_link(const char *path, struct mac *label) { - struct mac *label; - int error; - label = (mac_t) malloc(sizeof(*label)); - if (label == NULL) { - errno = ENOMEM; - return (NULL); - } - - error = __mac_get_proc(label); - if (error) { - mac_free(label); - return (NULL); - } - - return (label); + return (__mac_get_link(path, label)); +} + +int +mac_get_pid(pid_t pid, struct mac *label) +{ + + return (__mac_get_pid(pid, label)); +} + +int +mac_get_proc(struct mac *label) +{ + + return (__mac_get_proc(label)); } diff --git a/lib/libc/posix1e/mac_is_present_np.c b/lib/libc/posix1e/mac_is_present_np.c deleted file mode 100644 index 8ffabe87b512..000000000000 --- a/lib/libc/posix1e/mac_is_present_np.c +++ /dev/null 
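Review bot: The rewritten `mac_get_*` wrappers take a caller-supplied `struct mac *label` instead of allocating one, but nothing in the hunk documents that `label` is expected to come from `mac_prepare`/`mac_prepare_*_label` (which is what sets up `m_string` and `m_buflen`) or that a NULL `label` is handed straight to the system call; a header comment above `mac_get_fd` such as `/* label must be obtained from mac_prepare*(); its m_string/m_buflen presumably describe the buffer the kernel fills -- confirm against the syscall */` would make the new contract explicit. The same documentation gap applies to the `mac_set_*` wrappers in the mac_set.c hunk, whose last function (`mac_set_proc`) runs past the end of that hunk. The include block at the top of this hunk is truncated, so I cannot confirm which header supplies the `struct mac` definition here.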
@@ -1,86 +0,0 @@ -/*- - * Copyright (c) 2002 Networks Associates Technology, Inc. - * All rights reserved. - * - * This software was developed for the FreeBSD Project by NAI Labs, the - * Security Research Division of Network Associates, Inc. under - * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA - * CHATS research program. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. The name of the author may not be used to endorse or promote - * products derived from this software without specific prior written - * permission. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- * - * $FreeBSD$ - */ -#include -#include -#include - -#include -#include - -/* - * Simply test whether the TrustedBSD/MAC MIB tree is present; if so, - * return 1 to indicate that the system has MAC enabled overall or for - * a given policy. - */ - -int -mac_is_present_np(const char *policyname) -{ - int mib[5]; - size_t siz; - char *mibname; - int error; - - if (policyname != NULL) { - if (policyname[strcspn(policyname, ".=")] != '\0') { - errno = EINVAL; - return (-1); - } - mibname = malloc(sizeof("security.mac.") - 1 + - strlen(policyname) + sizeof(".enabled")); - if (mibname == NULL) - return (-1); - strcpy(mibname, "security.mac."); - strcat(mibname, policyname); - strcat(mibname, ".enabled"); - siz = 5; - error = sysctlnametomib(mibname, mib, &siz); - free(mibname); - } else { - siz = 3; - error = sysctlnametomib("security.mac", mib, &siz); - } - if (error == -1) { - switch (errno) { - case ENOTDIR: - case ENOENT: - return (0); - default: - return (error); - } - } - return (1); -} diff --git a/lib/libc/posix1e/mac_set.c b/lib/libc/posix1e/mac_set.c index fd94244cf12e..4e09576cbb44 100644 --- a/lib/libc/posix1e/mac_set.c +++ b/lib/libc/posix1e/mac_set.c @@ -35,21 +35,28 @@ #include int -mac_set_file(const char *path_p, mac_t label) -{ - - return (__mac_set_file(path_p, label)); -} - -int -mac_set_fd(int fd, mac_t label) +mac_set_fd(int fd, struct mac *label) { return (__mac_set_fd(fd, label)); } int -mac_set_proc(mac_t label) +mac_set_file(const char *path, struct mac *label) +{ + + return (__mac_set_file(path, label)); +} + +int +mac_set_link(const char *path, struct mac *label) +{ + + return (__mac_set_link(path, label)); +} + +int +mac_set_proc(struct mac *label) { return (__mac_set_proc(label)); diff --git a/lib/libc/posix1e/mac_text.c b/lib/libc/posix1e/mac_text.c deleted file mode 100644 index 9c72c1415b07..000000000000 --- a/lib/libc/posix1e/mac_text.c +++ /dev/null 
@@ -1,60 +0,0 @@ -/* - * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson - * Copyright (c) 2002 Networks Associates Technology, Inc. - * All rights reserved. - * - * This software was developed by Robert Watson for the TrustedBSD Project. - * - * This software was developed for the FreeBSD Project in part by NAI Labs, - * the Security Research Division of Network Associates, Inc. under - * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA - * CHATS research program. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. The names of the authors may not be used to endorse or promote - * products derived from this software without specific prior written - * permission. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- * - * $FreeBSD$ - */ - -#include -#include - -#include -#include - -char * -mac_to_text(struct mac *mac_p, size_t *len_p) -{ - - errno = EINVAL; - return (NULL); -} - -struct mac * -mac_from_text(const char *text_p) -{ - - errno = EINVAL; - return (NULL); -}