Break out mac_check_pipe_op() into component check entry points:

mac_check_pipe_poll(), mac_check_pipe_read(), mac_check_pipe_stat(),
and mac_check_pipe_write().  This improves consistency with other
access control entry points and permits security modules to only
control the object methods that they are interested in, avoiding
switch statements.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
Robert Watson 2002-08-19 16:59:37 +00:00
parent 740f8a4472
commit c024c3eeb1
19 changed files with 684 additions and 122 deletions

@ -667,14 +667,26 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_pipe_ioctl =
mpe->mpe_function;
break;
case MAC_CHECK_PIPE_OP:
mpc->mpc_ops->mpo_check_pipe_op =
case MAC_CHECK_PIPE_POLL:
mpc->mpc_ops->mpo_check_pipe_poll =
mpe->mpe_function;
break;
case MAC_CHECK_PIPE_READ:
mpc->mpc_ops->mpo_check_pipe_read =
mpe->mpe_function;
break;
case MAC_CHECK_PIPE_RELABEL:
mpc->mpc_ops->mpo_check_pipe_relabel =
mpe->mpe_function;
break;
case MAC_CHECK_PIPE_STAT:
mpc->mpc_ops->mpo_check_pipe_stat =
mpe->mpe_function;
break;
case MAC_CHECK_PIPE_WRITE:
mpc->mpc_ops->mpo_check_pipe_write =
mpe->mpe_function;
break;
case MAC_CHECK_PROC_DEBUG:
mpc->mpc_ops->mpo_check_proc_debug =
mpe->mpe_function;
@ -2539,11 +2551,21 @@ mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, unsigned long cmd,
}
int
mac_check_pipe_op(struct ucred *cred, struct pipe *pipe, int op)
mac_check_pipe_poll(struct ucred *cred, struct pipe *pipe)
{
int error;
MAC_CHECK(check_pipe_op, cred, pipe, pipe->pipe_label, op);
MAC_CHECK(check_pipe_poll, cred, pipe, pipe->pipe_label);
return (error);
}
int
mac_check_pipe_read(struct ucred *cred, struct pipe *pipe)
{
int error;
MAC_CHECK(check_pipe_read, cred, pipe, pipe->pipe_label);
return (error);
}
@ -2559,6 +2581,26 @@ mac_check_pipe_relabel(struct ucred *cred, struct pipe *pipe,
return (error);
}
int
mac_check_pipe_stat(struct ucred *cred, struct pipe *pipe)
{
int error;
MAC_CHECK(check_pipe_stat, cred, pipe, pipe->pipe_label);
return (error);
}
int
mac_check_pipe_write(struct ucred *cred, struct pipe *pipe)
{
int error;
MAC_CHECK(check_pipe_write, cred, pipe, pipe->pipe_label);
return (error);
}
int
mac_check_proc_debug(struct ucred *cred, struct proc *proc)
{
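Review bot: The four new entry points mac_check_pipe_poll(), _read(), _stat() and _write() in the second and third hunks dereference `pipe->pipe_label` but say nothing about the locking they expect from callers, and the same framework exposes mac_check_pipe_relabel(), which replaces that label; a check that races a relabel evaluates whichever label happens to be in place. In the sys_pipe.c part of this commit the read, write and poll callers hold the pipe mutex while the check runs, but the stat caller does not and keeps an `XXXMAC` comment admitting it, so the contract is currently implied by three callers and violated by one. Write it on the functions themselves, e.g. above each of the four: `/* Caller must hold the pipe lock so pipe_label cannot change under the check. */`. mac_check_pipe_ioctl() at the top of the second hunk and mac_check_proc_debug() at the bottom of the third are cut by the hunk boundaries.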

@ -469,7 +469,7 @@ pipe_read(fp, uio, active_cred, flags, td)
goto unlocked_error;
#ifdef MAC
error = mac_check_pipe_op(active_cred, rpipe, MAC_OP_PIPE_READ);
error = mac_check_pipe_read(active_cred, rpipe);
if (error)
goto locked_error;
#endif
@ -885,7 +885,7 @@ pipe_write(fp, uio, active_cred, flags, td)
return (EPIPE);
}
#ifdef MAC
error = mac_check_pipe_op(active_cred, wpipe, MAC_OP_PIPE_WRITE);
error = mac_check_pipe_write(active_cred, wpipe);
if (error) {
PIPE_UNLOCK(rpipe);
return (error);
@ -1233,7 +1233,7 @@ pipe_poll(fp, events, active_cred, td)
wpipe = rpipe->pipe_peer;
PIPE_LOCK(rpipe);
#ifdef MAC
error = mac_check_pipe_op(active_cred, rpipe, MAC_OP_PIPE_POLL);
error = mac_check_pipe_poll(active_cred, rpipe);
if (error)
goto locked_error;
#endif
@ -1289,7 +1289,7 @@ pipe_stat(fp, ub, active_cred, td)
int error;
/* XXXMAC: Pipe should be locked for this check. */
error = mac_check_pipe_op(active_cred, pipe, MAC_OP_PIPE_STAT);
error = mac_check_pipe_stat(active_cred, pipe);
if (error)
return (error);
#endif
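Review bot: The pipe_stat() hunk still calls the MAC check without the pipe lock — the `XXXMAC: Pipe should be locked for this check.` comment survives the rename unchanged — so mac_check_pipe_stat() inherits the window the old mac_check_pipe_op() had, in which a concurrent relabel can swap `pipe_label` while the policy is reading it. The other three call sites in this file already take the lock before their check (`PIPE_LOCK(rpipe)` precedes the poll check, and read and write exit via `locked_error` / `PIPE_UNLOCK`), so stat is now the only unlocked pipe check. If the pipe mutex is the lock the comment means, the minimal change is `PIPE_LOCK(pipe); error = mac_check_pipe_stat(active_cred, pipe); PIPE_UNLOCK(pipe);` ahead of the `if (error)`, and the comment can go. The enclosing `#ifdef MAC` and the start of pipe_stat() lie outside the hunk, so confirm no lock is already held at that point before adding one.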

@ -667,14 +667,26 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_pipe_ioctl =
mpe->mpe_function;
break;
case MAC_CHECK_PIPE_OP:
mpc->mpc_ops->mpo_check_pipe_op =
case MAC_CHECK_PIPE_POLL:
mpc->mpc_ops->mpo_check_pipe_poll =
mpe->mpe_function;
break;
case MAC_CHECK_PIPE_READ:
mpc->mpc_ops->mpo_check_pipe_read =
mpe->mpe_function;
break;
case MAC_CHECK_PIPE_RELABEL:
mpc->mpc_ops->mpo_check_pipe_relabel =
mpe->mpe_function;
break;
case MAC_CHECK_PIPE_STAT:
mpc->mpc_ops->mpo_check_pipe_stat =
mpe->mpe_function;
break;
case MAC_CHECK_PIPE_WRITE:
mpc->mpc_ops->mpo_check_pipe_write =
mpe->mpe_function;
break;
case MAC_CHECK_PROC_DEBUG:
mpc->mpc_ops->mpo_check_proc_debug =
mpe->mpe_function;
@ -2539,11 +2551,21 @@ mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, unsigned long cmd,
}
int
mac_check_pipe_op(struct ucred *cred, struct pipe *pipe, int op)
mac_check_pipe_poll(struct ucred *cred, struct pipe *pipe)
{
int error;
MAC_CHECK(check_pipe_op, cred, pipe, pipe->pipe_label, op);
MAC_CHECK(check_pipe_poll, cred, pipe, pipe->pipe_label);
return (error);
}
int
mac_check_pipe_read(struct ucred *cred, struct pipe *pipe)
{
int error;
MAC_CHECK(check_pipe_read, cred, pipe, pipe->pipe_label);
return (error);
}
@ -2559,6 +2581,26 @@ mac_check_pipe_relabel(struct ucred *cred, struct pipe *pipe,
return (error);
}
int
mac_check_pipe_stat(struct ucred *cred, struct pipe *pipe)
{
int error;
MAC_CHECK(check_pipe_stat, cred, pipe, pipe->pipe_label);
return (error);
}
int
mac_check_pipe_write(struct ucred *cred, struct pipe *pipe)
{
int error;
MAC_CHECK(check_pipe_write, cred, pipe, pipe->pipe_label);
return (error);
}
int
mac_check_proc_debug(struct ucred *cred, struct proc *proc)
{

@ -180,19 +180,6 @@ int __mac_set_proc(struct mac *_mac_p);
#else /* _KERNEL */
/*
* MAC entry point operations
*/
enum mac_ep_ops {
MAC_OP_VNODE_READ,
MAC_OP_VNODE_WRITE,
MAC_OP_VNODE_POLL,
MAC_OP_PIPE_READ,
MAC_OP_PIPE_WRITE,
MAC_OP_PIPE_STAT,
MAC_OP_PIPE_POLL
};
/*
* Kernel functions to manage and evaluate labels.
*/
@ -307,9 +294,12 @@ int mac_check_bpfdesc_receive(struct bpf_d *bpf_d, struct ifnet *ifnet);
int mac_check_cred_visible(struct ucred *u1, struct ucred *u2);
int mac_check_ifnet_transmit(struct ifnet *ifnet, struct mbuf *m);
int mac_check_mount_stat(struct ucred *cred, struct mount *mp);
int mac_check_pipe_op(struct ucred *cred, struct pipe *pipe, int op);
int mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe,
unsigned long cmd, void *data);
int mac_check_pipe_poll(struct ucred *cred, struct pipe *pipe);
int mac_check_pipe_read(struct ucred *cred, struct pipe *pipe);
int mac_check_pipe_stat(struct ucred *cred, struct pipe *pipe);
int mac_check_pipe_write(struct ucred *cred, struct pipe *pipe);
int mac_check_proc_debug(struct ucred *cred, struct proc *proc);
int mac_check_proc_sched(struct ucred *cred, struct proc *proc);
int mac_check_proc_signal(struct ucred *cred, struct proc *proc,
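Review bot: The deleted `enum mac_ep_ops` also removes MAC_OP_VNODE_READ, MAC_OP_VNODE_WRITE and MAC_OP_VNODE_POLL, which the commit message does not mention and nothing in this diff replaces; any vnode path still passing one of them will now fail to compile, so it is worth confirming the vnode entry points were split before this change rather than relying on the build to find out. The new `mac_check_pipe_poll/read/stat/write` prototypes take a `struct pipe *` whose label the framework reads, yet the header gives callers no locking contract; a one-line comment over the group, e.g. `/* Pipe checks read pipe->pipe_label; call with the pipe locked. */`, would make that visible to future callers without repeating it per prototype.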

@ -667,14 +667,26 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_pipe_ioctl =
mpe->mpe_function;
break;
case MAC_CHECK_PIPE_OP:
mpc->mpc_ops->mpo_check_pipe_op =
case MAC_CHECK_PIPE_POLL:
mpc->mpc_ops->mpo_check_pipe_poll =
mpe->mpe_function;
break;
case MAC_CHECK_PIPE_READ:
mpc->mpc_ops->mpo_check_pipe_read =
mpe->mpe_function;
break;
case MAC_CHECK_PIPE_RELABEL:
mpc->mpc_ops->mpo_check_pipe_relabel =
mpe->mpe_function;
break;
case MAC_CHECK_PIPE_STAT:
mpc->mpc_ops->mpo_check_pipe_stat =
mpe->mpe_function;
break;
case MAC_CHECK_PIPE_WRITE:
mpc->mpc_ops->mpo_check_pipe_write =
mpe->mpe_function;
break;
case MAC_CHECK_PROC_DEBUG:
mpc->mpc_ops->mpo_check_proc_debug =
mpe->mpe_function;
@ -2539,11 +2551,21 @@ mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, unsigned long cmd,
}
int
mac_check_pipe_op(struct ucred *cred, struct pipe *pipe, int op)
mac_check_pipe_poll(struct ucred *cred, struct pipe *pipe)
{
int error;
MAC_CHECK(check_pipe_op, cred, pipe, pipe->pipe_label, op);
MAC_CHECK(check_pipe_poll, cred, pipe, pipe->pipe_label);
return (error);
}
int
mac_check_pipe_read(struct ucred *cred, struct pipe *pipe)
{
int error;
MAC_CHECK(check_pipe_read, cred, pipe, pipe->pipe_label);
return (error);
}
@ -2559,6 +2581,26 @@ mac_check_pipe_relabel(struct ucred *cred, struct pipe *pipe,
return (error);
}
int
mac_check_pipe_stat(struct ucred *cred, struct pipe *pipe)
{
int error;
MAC_CHECK(check_pipe_stat, cred, pipe, pipe->pipe_label);
return (error);
}
int
mac_check_pipe_write(struct ucred *cred, struct pipe *pipe)
{
int error;
MAC_CHECK(check_pipe_write, cred, pipe, pipe->pipe_label);
return (error);
}
int
mac_check_proc_debug(struct ucred *cred, struct proc *proc)
{

@ -667,14 +667,26 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_pipe_ioctl =
mpe->mpe_function;
break;
case MAC_CHECK_PIPE_OP:
mpc->mpc_ops->mpo_check_pipe_op =
case MAC_CHECK_PIPE_POLL:
mpc->mpc_ops->mpo_check_pipe_poll =
mpe->mpe_function;
break;
case MAC_CHECK_PIPE_READ:
mpc->mpc_ops->mpo_check_pipe_read =
mpe->mpe_function;
break;
case MAC_CHECK_PIPE_RELABEL:
mpc->mpc_ops->mpo_check_pipe_relabel =
mpe->mpe_function;
break;
case MAC_CHECK_PIPE_STAT:
mpc->mpc_ops->mpo_check_pipe_stat =
mpe->mpe_function;
break;
case MAC_CHECK_PIPE_WRITE:
mpc->mpc_ops->mpo_check_pipe_write =
mpe->mpe_function;
break;
case MAC_CHECK_PROC_DEBUG:
mpc->mpc_ops->mpo_check_proc_debug =
mpe->mpe_function;
@ -2539,11 +2551,21 @@ mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, unsigned long cmd,
}
int
mac_check_pipe_op(struct ucred *cred, struct pipe *pipe, int op)
mac_check_pipe_poll(struct ucred *cred, struct pipe *pipe)
{
int error;
MAC_CHECK(check_pipe_op, cred, pipe, pipe->pipe_label, op);
MAC_CHECK(check_pipe_poll, cred, pipe, pipe->pipe_label);
return (error);
}
int
mac_check_pipe_read(struct ucred *cred, struct pipe *pipe)
{
int error;
MAC_CHECK(check_pipe_read, cred, pipe, pipe->pipe_label);
return (error);
}
@ -2559,6 +2581,26 @@ mac_check_pipe_relabel(struct ucred *cred, struct pipe *pipe,
return (error);
}
int
mac_check_pipe_stat(struct ucred *cred, struct pipe *pipe)
{
int error;
MAC_CHECK(check_pipe_stat, cred, pipe, pipe->pipe_label);
return (error);
}
int
mac_check_pipe_write(struct ucred *cred, struct pipe *pipe)
{
int error;
MAC_CHECK(check_pipe_write, cred, pipe, pipe->pipe_label);
return (error);
}
int
mac_check_proc_debug(struct ucred *cred, struct proc *proc)
{

@ -667,14 +667,26 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_pipe_ioctl =
mpe->mpe_function;
break;
case MAC_CHECK_PIPE_OP:
mpc->mpc_ops->mpo_check_pipe_op =
case MAC_CHECK_PIPE_POLL:
mpc->mpc_ops->mpo_check_pipe_poll =
mpe->mpe_function;
break;
case MAC_CHECK_PIPE_READ:
mpc->mpc_ops->mpo_check_pipe_read =
mpe->mpe_function;
break;
case MAC_CHECK_PIPE_RELABEL:
mpc->mpc_ops->mpo_check_pipe_relabel =
mpe->mpe_function;
break;
case MAC_CHECK_PIPE_STAT:
mpc->mpc_ops->mpo_check_pipe_stat =
mpe->mpe_function;
break;
case MAC_CHECK_PIPE_WRITE:
mpc->mpc_ops->mpo_check_pipe_write =
mpe->mpe_function;
break;
case MAC_CHECK_PROC_DEBUG:
mpc->mpc_ops->mpo_check_proc_debug =
mpe->mpe_function;
@ -2539,11 +2551,21 @@ mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, unsigned long cmd,
}
int
mac_check_pipe_op(struct ucred *cred, struct pipe *pipe, int op)
mac_check_pipe_poll(struct ucred *cred, struct pipe *pipe)
{
int error;
MAC_CHECK(check_pipe_op, cred, pipe, pipe->pipe_label, op);
MAC_CHECK(check_pipe_poll, cred, pipe, pipe->pipe_label);
return (error);
}
int
mac_check_pipe_read(struct ucred *cred, struct pipe *pipe)
{
int error;
MAC_CHECK(check_pipe_read, cred, pipe, pipe->pipe_label);
return (error);
}
@ -2559,6 +2581,26 @@ mac_check_pipe_relabel(struct ucred *cred, struct pipe *pipe,
return (error);
}
int
mac_check_pipe_stat(struct ucred *cred, struct pipe *pipe)
{
int error;
MAC_CHECK(check_pipe_stat, cred, pipe, pipe->pipe_label);
return (error);
}
int
mac_check_pipe_write(struct ucred *cred, struct pipe *pipe)
{
int error;
MAC_CHECK(check_pipe_write, cred, pipe, pipe->pipe_label);
return (error);
}
int
mac_check_proc_debug(struct ucred *cred, struct proc *proc)
{

@ -233,11 +233,17 @@ struct mac_policy_ops {
struct label *mntlabel);
int (*mpo_check_pipe_ioctl)(struct ucred *cred, struct pipe *pipe,
struct label *pipelabel, unsigned long cmd, void *data);
int (*mpo_check_pipe_op)(struct ucred *cred, struct pipe *pipe,
struct label *pipelabel, int op);
int (*mpo_check_pipe_poll)(struct ucred *cred, struct pipe *pipe,
struct label *pipelabel);
int (*mpo_check_pipe_read)(struct ucred *cred, struct pipe *pipe,
struct label *pipelabel);
int (*mpo_check_pipe_relabel)(struct ucred *cred,
struct pipe *pipe, struct label *pipelabel,
struct label *newlabel);
int (*mpo_check_pipe_stat)(struct ucred *cred, struct pipe *pipe,
struct label *pipelabel);
int (*mpo_check_pipe_write)(struct ucred *cred, struct pipe *pipe,
struct label *pipelabel);
int (*mpo_check_proc_debug)(struct ucred *cred,
struct proc *proc);
int (*mpo_check_proc_sched)(struct ucred *cred,
@ -408,8 +414,11 @@ enum mac_op_constant {
MAC_CHECK_IFNET_TRANSMIT,
MAC_CHECK_MOUNT_STAT,
MAC_CHECK_PIPE_IOCTL,
MAC_CHECK_PIPE_OP,
MAC_CHECK_PIPE_POLL,
MAC_CHECK_PIPE_READ,
MAC_CHECK_PIPE_RELABEL,
MAC_CHECK_PIPE_STAT,
MAC_CHECK_PIPE_WRITE,
MAC_CHECK_PROC_DEBUG,
MAC_CHECK_PROC_SCHED,
MAC_CHECK_PROC_SIGNAL,
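Review bot: `enum mac_op_constant` assigns its values positionally, so replacing MAC_CHECK_PIPE_OP with four constants in the middle of the list renumbers every constant from MAC_CHECK_PIPE_POLL onward (MAC_CHECK_PROC_DEBUG and everything after it shift by three), and the `struct mac_policy_ops` layout changes at the same time. A policy module built against the previous header and loaded into this kernel would hand mac_policy_register() the old numbers and have each of its functions installed under a different entry point than it intended — a process-debug hook landing as a pipe check, for example — with nothing in the register switch able to notice. If policies are separately built loadable modules (I cannot see a version or ABI check anywhere in these hunks), registration should refuse a module built against a different op numbering, e.g. a version field in `struct mac_policy_conf` compared at register time; alternatively give the constants explicit values so existing numbers stay stable. Both the struct and the enum continue beyond the hunks shown.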

@ -667,14 +667,26 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_pipe_ioctl =
mpe->mpe_function;
break;
case MAC_CHECK_PIPE_OP:
mpc->mpc_ops->mpo_check_pipe_op =
case MAC_CHECK_PIPE_POLL:
mpc->mpc_ops->mpo_check_pipe_poll =
mpe->mpe_function;
break;
case MAC_CHECK_PIPE_READ:
mpc->mpc_ops->mpo_check_pipe_read =
mpe->mpe_function;
break;
case MAC_CHECK_PIPE_RELABEL:
mpc->mpc_ops->mpo_check_pipe_relabel =
mpe->mpe_function;
break;
case MAC_CHECK_PIPE_STAT:
mpc->mpc_ops->mpo_check_pipe_stat =
mpe->mpe_function;
break;
case MAC_CHECK_PIPE_WRITE:
mpc->mpc_ops->mpo_check_pipe_write =
mpe->mpe_function;
break;
case MAC_CHECK_PROC_DEBUG:
mpc->mpc_ops->mpo_check_proc_debug =
mpe->mpe_function;
@ -2539,11 +2551,21 @@ mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, unsigned long cmd,
}
int
mac_check_pipe_op(struct ucred *cred, struct pipe *pipe, int op)
mac_check_pipe_poll(struct ucred *cred, struct pipe *pipe)
{
int error;
MAC_CHECK(check_pipe_op, cred, pipe, pipe->pipe_label, op);
MAC_CHECK(check_pipe_poll, cred, pipe, pipe->pipe_label);
return (error);
}
int
mac_check_pipe_read(struct ucred *cred, struct pipe *pipe)
{
int error;
MAC_CHECK(check_pipe_read, cred, pipe, pipe->pipe_label);
return (error);
}
@ -2559,6 +2581,26 @@ mac_check_pipe_relabel(struct ucred *cred, struct pipe *pipe,
return (error);
}
int
mac_check_pipe_stat(struct ucred *cred, struct pipe *pipe)
{
int error;
MAC_CHECK(check_pipe_stat, cred, pipe, pipe->pipe_label);
return (error);
}
int
mac_check_pipe_write(struct ucred *cred, struct pipe *pipe)
{
int error;
MAC_CHECK(check_pipe_write, cred, pipe, pipe->pipe_label);
return (error);
}
int
mac_check_proc_debug(struct ucred *cred, struct proc *proc)
{

@ -667,14 +667,26 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_pipe_ioctl =
mpe->mpe_function;
break;
case MAC_CHECK_PIPE_OP:
mpc->mpc_ops->mpo_check_pipe_op =
case MAC_CHECK_PIPE_POLL:
mpc->mpc_ops->mpo_check_pipe_poll =
mpe->mpe_function;
break;
case MAC_CHECK_PIPE_READ:
mpc->mpc_ops->mpo_check_pipe_read =
mpe->mpe_function;
break;
case MAC_CHECK_PIPE_RELABEL:
mpc->mpc_ops->mpo_check_pipe_relabel =
mpe->mpe_function;
break;
case MAC_CHECK_PIPE_STAT:
mpc->mpc_ops->mpo_check_pipe_stat =
mpe->mpe_function;
break;
case MAC_CHECK_PIPE_WRITE:
mpc->mpc_ops->mpo_check_pipe_write =
mpe->mpe_function;
break;
case MAC_CHECK_PROC_DEBUG:
mpc->mpc_ops->mpo_check_proc_debug =
mpe->mpe_function;
@ -2539,11 +2551,21 @@ mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, unsigned long cmd,
}
int
mac_check_pipe_op(struct ucred *cred, struct pipe *pipe, int op)
mac_check_pipe_poll(struct ucred *cred, struct pipe *pipe)
{
int error;
MAC_CHECK(check_pipe_op, cred, pipe, pipe->pipe_label, op);
MAC_CHECK(check_pipe_poll, cred, pipe, pipe->pipe_label);
return (error);
}
int
mac_check_pipe_read(struct ucred *cred, struct pipe *pipe)
{
int error;
MAC_CHECK(check_pipe_read, cred, pipe, pipe->pipe_label);
return (error);
}
@ -2559,6 +2581,26 @@ mac_check_pipe_relabel(struct ucred *cred, struct pipe *pipe,
return (error);
}
int
mac_check_pipe_stat(struct ucred *cred, struct pipe *pipe)
{
int error;
MAC_CHECK(check_pipe_stat, cred, pipe, pipe->pipe_label);
return (error);
}
int
mac_check_pipe_write(struct ucred *cred, struct pipe *pipe)
{
int error;
MAC_CHECK(check_pipe_write, cred, pipe, pipe->pipe_label);
return (error);
}
int
mac_check_proc_debug(struct ucred *cred, struct proc *proc)
{

@ -667,14 +667,26 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_pipe_ioctl =
mpe->mpe_function;
break;
case MAC_CHECK_PIPE_OP:
mpc->mpc_ops->mpo_check_pipe_op =
case MAC_CHECK_PIPE_POLL:
mpc->mpc_ops->mpo_check_pipe_poll =
mpe->mpe_function;
break;
case MAC_CHECK_PIPE_READ:
mpc->mpc_ops->mpo_check_pipe_read =
mpe->mpe_function;
break;
case MAC_CHECK_PIPE_RELABEL:
mpc->mpc_ops->mpo_check_pipe_relabel =
mpe->mpe_function;
break;
case MAC_CHECK_PIPE_STAT:
mpc->mpc_ops->mpo_check_pipe_stat =
mpe->mpe_function;
break;
case MAC_CHECK_PIPE_WRITE:
mpc->mpc_ops->mpo_check_pipe_write =
mpe->mpe_function;
break;
case MAC_CHECK_PROC_DEBUG:
mpc->mpc_ops->mpo_check_proc_debug =
mpe->mpe_function;
@ -2539,11 +2551,21 @@ mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, unsigned long cmd,
}
int
mac_check_pipe_op(struct ucred *cred, struct pipe *pipe, int op)
mac_check_pipe_poll(struct ucred *cred, struct pipe *pipe)
{
int error;
MAC_CHECK(check_pipe_op, cred, pipe, pipe->pipe_label, op);
MAC_CHECK(check_pipe_poll, cred, pipe, pipe->pipe_label);
return (error);
}
int
mac_check_pipe_read(struct ucred *cred, struct pipe *pipe)
{
int error;
MAC_CHECK(check_pipe_read, cred, pipe, pipe->pipe_label);
return (error);
}
@ -2559,6 +2581,26 @@ mac_check_pipe_relabel(struct ucred *cred, struct pipe *pipe,
return (error);
}
int
mac_check_pipe_stat(struct ucred *cred, struct pipe *pipe)
{
int error;
MAC_CHECK(check_pipe_stat, cred, pipe, pipe->pipe_label);
return (error);
}
int
mac_check_pipe_write(struct ucred *cred, struct pipe *pipe)
{
int error;
MAC_CHECK(check_pipe_write, cred, pipe, pipe->pipe_label);
return (error);
}
int
mac_check_proc_debug(struct ucred *cred, struct proc *proc)
{

@ -667,14 +667,26 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_pipe_ioctl =
mpe->mpe_function;
break;
case MAC_CHECK_PIPE_OP:
mpc->mpc_ops->mpo_check_pipe_op =
case MAC_CHECK_PIPE_POLL:
mpc->mpc_ops->mpo_check_pipe_poll =
mpe->mpe_function;
break;
case MAC_CHECK_PIPE_READ:
mpc->mpc_ops->mpo_check_pipe_read =
mpe->mpe_function;
break;
case MAC_CHECK_PIPE_RELABEL:
mpc->mpc_ops->mpo_check_pipe_relabel =
mpe->mpe_function;
break;
case MAC_CHECK_PIPE_STAT:
mpc->mpc_ops->mpo_check_pipe_stat =
mpe->mpe_function;
break;
case MAC_CHECK_PIPE_WRITE:
mpc->mpc_ops->mpo_check_pipe_write =
mpe->mpe_function;
break;
case MAC_CHECK_PROC_DEBUG:
mpc->mpc_ops->mpo_check_proc_debug =
mpe->mpe_function;
@ -2539,11 +2551,21 @@ mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, unsigned long cmd,
}
int
mac_check_pipe_op(struct ucred *cred, struct pipe *pipe, int op)
mac_check_pipe_poll(struct ucred *cred, struct pipe *pipe)
{
int error;
MAC_CHECK(check_pipe_op, cred, pipe, pipe->pipe_label, op);
MAC_CHECK(check_pipe_poll, cred, pipe, pipe->pipe_label);
return (error);
}
int
mac_check_pipe_read(struct ucred *cred, struct pipe *pipe)
{
int error;
MAC_CHECK(check_pipe_read, cred, pipe, pipe->pipe_label);
return (error);
}
@ -2559,6 +2581,26 @@ mac_check_pipe_relabel(struct ucred *cred, struct pipe *pipe,
return (error);
}
int
mac_check_pipe_stat(struct ucred *cred, struct pipe *pipe)
{
int error;
MAC_CHECK(check_pipe_stat, cred, pipe, pipe->pipe_label);
return (error);
}
int
mac_check_pipe_write(struct ucred *cred, struct pipe *pipe)
{
int error;
MAC_CHECK(check_pipe_write, cred, pipe, pipe->pipe_label);
return (error);
}
int
mac_check_proc_debug(struct ucred *cred, struct proc *proc)
{

@ -1300,8 +1300,8 @@ mac_biba_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe,
}
static int
mac_biba_check_pipe_op(struct ucred *cred, struct pipe *pipe,
struct label *pipelabel, int op)
mac_biba_check_pipe_poll(struct ucred *cred, struct pipe *pipe,
struct label *pipelabel)
{
struct mac_biba *subj, *obj;
@ -1311,20 +1311,26 @@ mac_biba_check_pipe_op(struct ucred *cred, struct pipe *pipe,
subj = SLOT(&cred->cr_label);
obj = SLOT((pipelabel));
switch(op) {
case MAC_OP_PIPE_READ:
case MAC_OP_PIPE_STAT:
case MAC_OP_PIPE_POLL:
if (!mac_biba_dominate_single(obj, subj))
return (EACCES);
break;
case MAC_OP_PIPE_WRITE:
if (!mac_biba_dominate_single(subj, obj))
return (EACCES);
break;
default:
panic("mac_biba_check_pipe_op: invalid pipe operation");
}
if (!mac_biba_dominate_single(obj, subj))
return (EACCES);
return (0);
}
static int
mac_biba_check_pipe_read(struct ucred *cred, struct pipe *pipe,
struct label *pipelabel)
{
struct mac_biba *subj, *obj;
if (!mac_biba_enabled)
return (0);
subj = SLOT(&cred->cr_label);
obj = SLOT((pipelabel));
if (!mac_biba_dominate_single(obj, subj))
return (EACCES);
return (0);
}
@ -1363,6 +1369,42 @@ mac_biba_check_pipe_relabel(struct ucred *cred, struct pipe *pipe,
return (0);
}
static int
mac_biba_check_pipe_stat(struct ucred *cred, struct pipe *pipe,
struct label *pipelabel)
{
struct mac_biba *subj, *obj;
if (!mac_biba_enabled)
return (0);
subj = SLOT(&cred->cr_label);
obj = SLOT((pipelabel));
if (!mac_biba_dominate_single(obj, subj))
return (EACCES);
return (0);
}
static int
mac_biba_check_pipe_write(struct ucred *cred, struct pipe *pipe,
struct label *pipelabel)
{
struct mac_biba *subj, *obj;
if (!mac_biba_enabled)
return (0);
subj = SLOT(&cred->cr_label);
obj = SLOT((pipelabel));
if (!mac_biba_dominate_single(subj, obj))
return (EACCES);
return (0);
}
static int
mac_biba_check_proc_debug(struct ucred *cred, struct proc *proc)
{
@ -2175,10 +2217,16 @@ static struct mac_policy_op_entry mac_biba_ops[] =
(macop_t)mac_biba_check_mount_stat },
{ MAC_CHECK_PIPE_IOCTL,
(macop_t)mac_biba_check_pipe_ioctl },
{ MAC_CHECK_PIPE_OP,
(macop_t)mac_biba_check_pipe_op },
{ MAC_CHECK_PIPE_POLL,
(macop_t)mac_biba_check_pipe_poll },
{ MAC_CHECK_PIPE_READ,
(macop_t)mac_biba_check_pipe_read },
{ MAC_CHECK_PIPE_RELABEL,
(macop_t)mac_biba_check_pipe_relabel },
{ MAC_CHECK_PIPE_STAT,
(macop_t)mac_biba_check_pipe_stat },
{ MAC_CHECK_PIPE_WRITE,
(macop_t)mac_biba_check_pipe_write },
{ MAC_CHECK_PROC_DEBUG,
(macop_t)mac_biba_check_proc_debug },
{ MAC_CHECK_PROC_SCHED,
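Review bot: mac_biba_check_pipe_poll(), _read() and _stat() in the second and third hunks are three byte-identical copies of the same enabled test, SLOT lookups and `mac_biba_dominate_single(obj, subj)` call, and the only thing separating them from _write() is the argument order of that one call — which is the entire integrity property, and which a later edit to one copy can silently flip. Folding the three observe-style checks into one static helper keeps the direction in a single place and leaves each entry point a one-line wrapper, without giving up the per-operation registration this commit is after. mac_biba_check_pipe_poll()'s signature sits in the first hunk and its `mac_biba_enabled` test falls between hunks, so the sketch assumes its body matches _read()'s.

```c
/*
 * Poll, read and stat all observe the pipe: the pipe's integrity
 * must dominate the subject's (Biba: no read-down).
 */
static int
mac_biba_check_pipe_observe(struct ucred *cred, struct label *pipelabel)
{
	struct mac_biba *subj, *obj;

	if (!mac_biba_enabled)
		return (0);

	subj = SLOT(&cred->cr_label);
	obj = SLOT(pipelabel);

	if (!mac_biba_dominate_single(obj, subj))
		return (EACCES);
	return (0);
}

static int
mac_biba_check_pipe_poll(struct ucred *cred, struct pipe *pipe,
    struct label *pipelabel)
{

	return (mac_biba_check_pipe_observe(cred, pipelabel));
}
/* … unchanged: _read and _stat become the same one-line call; _write keeps its subj-dominates-obj test … */
```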

@ -1247,8 +1247,8 @@ mac_mls_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe,
}
static int
mac_mls_check_pipe_op(struct ucred *cred, struct pipe *pipe,
struct label *pipelabel, int op)
mac_mls_check_pipe_poll(struct ucred *cred, struct pipe *pipe,
struct label *pipelabel)
{
struct mac_mls *subj, *obj;
@ -1258,20 +1258,26 @@ mac_mls_check_pipe_op(struct ucred *cred, struct pipe *pipe,
subj = SLOT(&cred->cr_label);
obj = SLOT((pipelabel));
switch(op) {
case MAC_OP_PIPE_READ:
case MAC_OP_PIPE_STAT:
case MAC_OP_PIPE_POLL:
if (!mac_mls_dominate_single(subj, obj))
return (EACCES);
break;
case MAC_OP_PIPE_WRITE:
if (!mac_mls_dominate_single(obj, subj))
return (EACCES);
break;
default:
panic("mac_mls_check_pipe_op: invalid pipe operation");
}
if (!mac_mls_dominate_single(subj, obj))
return (EACCES);
return (0);
}
static int
mac_mls_check_pipe_read(struct ucred *cred, struct pipe *pipe,
struct label *pipelabel)
{
struct mac_mls *subj, *obj;
if (!mac_mls_enabled)
return (0);
subj = SLOT(&cred->cr_label);
obj = SLOT((pipelabel));
if (!mac_mls_dominate_single(subj, obj))
return (EACCES);
return (0);
}
@ -1310,6 +1316,42 @@ mac_mls_check_pipe_relabel(struct ucred *cred, struct pipe *pipe,
return (0);
}
static int
mac_mls_check_pipe_stat(struct ucred *cred, struct pipe *pipe,
struct label *pipelabel)
{
struct mac_mls *subj, *obj;
if (!mac_mls_enabled)
return (0);
subj = SLOT(&cred->cr_label);
obj = SLOT((pipelabel));
if (!mac_mls_dominate_single(subj, obj))
return (EACCES);
return (0);
}
static int
mac_mls_check_pipe_write(struct ucred *cred, struct pipe *pipe,
struct label *pipelabel)
{
struct mac_mls *subj, *obj;
if (!mac_mls_enabled)
return (0);
subj = SLOT(&cred->cr_label);
obj = SLOT((pipelabel));
if (!mac_mls_dominate_single(obj, subj))
return (EACCES);
return (0);
}
static int
mac_mls_check_proc_debug(struct ucred *cred, struct proc *proc)
{
@ -2126,10 +2168,16 @@ static struct mac_policy_op_entry mac_mls_ops[] =
(macop_t)mac_mls_check_mount_stat },
{ MAC_CHECK_PIPE_IOCTL,
(macop_t)mac_mls_check_pipe_ioctl },
{ MAC_CHECK_PIPE_OP,
(macop_t)mac_mls_check_pipe_op },
{ MAC_CHECK_PIPE_POLL,
(macop_t)mac_mls_check_pipe_poll },
{ MAC_CHECK_PIPE_READ,
(macop_t)mac_mls_check_pipe_read },
{ MAC_CHECK_PIPE_RELABEL,
(macop_t)mac_mls_check_pipe_relabel },
{ MAC_CHECK_PIPE_STAT,
(macop_t)mac_mls_check_pipe_stat },
{ MAC_CHECK_PIPE_WRITE,
(macop_t)mac_mls_check_pipe_write },
{ MAC_CHECK_PROC_DEBUG,
(macop_t)mac_mls_check_proc_debug },
{ MAC_CHECK_PROC_SCHED,
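Review bot: The dominance tests in the new mac_mls_check_pipe_* functions carry no comment naming the rule each enforces, and argument order is the only thing that distinguishes a read-style check from the write check — `mac_mls_dominate_single(subj, obj)` for poll, read and stat versus `(obj, subj)` for write — which is easy to transpose later with no help from the compiler. A one-line comment above each test would pin the intent: for poll, read and stat `/* No read-up: the subject's label must dominate the pipe's. */`, and for write `/* No write-down: the pipe's label must dominate the subject's. */`. Treating poll and stat as reads matches the removed switch, since both observe pipe state. mac_mls_check_pipe_poll() starts in the first hunk and its enabled check lies between the hunks shown.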

@ -601,8 +601,16 @@ mac_none_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe,
}
static int
mac_none_check_pipe_op(struct ucred *cred, struct pipe *pipe,
struct label *pipelabel, int op)
mac_none_check_pipe_poll(struct ucred *cred, struct pipe *pipe,
struct label *pipelabel)
{
return (0);
}
static int
mac_none_check_pipe_read(struct ucred *cred, struct pipe *pipe,
struct label *pipelabel)
{
return (0);
@ -616,6 +624,22 @@ mac_none_check_pipe_relabel(struct ucred *cred, struct pipe *pipe,
return (0);
}
static int
mac_none_check_pipe_stat(struct ucred *cred, struct pipe *pipe,
struct label *pipelabel)
{
return (0);
}
static int
mac_none_check_pipe_write(struct ucred *cred, struct pipe *pipe,
struct label *pipelabel)
{
return (0);
}
static int
mac_none_check_proc_debug(struct ucred *cred, struct proc *proc)
{
@ -1052,10 +1076,16 @@ static struct mac_policy_op_entry mac_none_ops[] =
(macop_t)mac_none_check_mount_stat },
{ MAC_CHECK_PIPE_IOCTL,
(macop_t)mac_none_check_pipe_ioctl },
{ MAC_CHECK_PIPE_OP,
(macop_t)mac_none_check_pipe_op },
{ MAC_CHECK_PIPE_POLL,
(macop_t)mac_none_check_pipe_poll },
{ MAC_CHECK_PIPE_READ,
(macop_t)mac_none_check_pipe_read },
{ MAC_CHECK_PIPE_RELABEL,
(macop_t)mac_none_check_pipe_relabel },
{ MAC_CHECK_PIPE_STAT,
(macop_t)mac_none_check_pipe_stat },
{ MAC_CHECK_PIPE_WRITE,
(macop_t)mac_none_check_pipe_write },
{ MAC_CHECK_PROC_DEBUG,
(macop_t)mac_none_check_proc_debug },
{ MAC_CHECK_PROC_SCHED,
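Review bot: The four new mac_none_check_pipe_* stubs are bare `return (0);` bodies with no comment, and in an access-control hook an unexplained unconditional grant reads as unfinished rather than deliberate — a problem for a file that new policies are copied from. A single comment on each, e.g. `/* Template policy: no pipe access control, always grant. */`, records that the permissiveness is the point and gives the copier an obvious place to put the real check.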

@ -601,8 +601,16 @@ mac_none_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe,
}
static int
mac_none_check_pipe_op(struct ucred *cred, struct pipe *pipe,
struct label *pipelabel, int op)
mac_none_check_pipe_poll(struct ucred *cred, struct pipe *pipe,
struct label *pipelabel)
{
return (0);
}
static int
mac_none_check_pipe_read(struct ucred *cred, struct pipe *pipe,
struct label *pipelabel)
{
return (0);
@ -616,6 +624,22 @@ mac_none_check_pipe_relabel(struct ucred *cred, struct pipe *pipe,
return (0);
}
static int
mac_none_check_pipe_stat(struct ucred *cred, struct pipe *pipe,
struct label *pipelabel)
{
return (0);
}
static int
mac_none_check_pipe_write(struct ucred *cred, struct pipe *pipe,
struct label *pipelabel)
{
return (0);
}
static int
mac_none_check_proc_debug(struct ucred *cred, struct proc *proc)
{
@ -1052,10 +1076,16 @@ static struct mac_policy_op_entry mac_none_ops[] =
(macop_t)mac_none_check_mount_stat },
{ MAC_CHECK_PIPE_IOCTL,
(macop_t)mac_none_check_pipe_ioctl },
{ MAC_CHECK_PIPE_OP,
(macop_t)mac_none_check_pipe_op },
{ MAC_CHECK_PIPE_POLL,
(macop_t)mac_none_check_pipe_poll },
{ MAC_CHECK_PIPE_READ,
(macop_t)mac_none_check_pipe_read },
{ MAC_CHECK_PIPE_RELABEL,
(macop_t)mac_none_check_pipe_relabel },
{ MAC_CHECK_PIPE_STAT,
(macop_t)mac_none_check_pipe_stat },
{ MAC_CHECK_PIPE_WRITE,
(macop_t)mac_none_check_pipe_write },
{ MAC_CHECK_PROC_DEBUG,
(macop_t)mac_none_check_proc_debug },
{ MAC_CHECK_PROC_SCHED,

@ -809,8 +809,16 @@ mac_test_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe,
}
static int
mac_test_check_pipe_op(struct ucred *cred, struct pipe *pipe,
struct label *pipelabel, int op)
mac_test_check_pipe_poll(struct ucred *cred, struct pipe *pipe,
struct label *pipelabel)
{
return (0);
}
static int
mac_test_check_pipe_read(struct ucred *cred, struct pipe *pipe,
struct label *pipelabel)
{
return (0);
@ -824,6 +832,22 @@ mac_test_check_pipe_relabel(struct ucred *cred, struct pipe *pipe,
return (0);
}
static int
mac_test_check_pipe_stat(struct ucred *cred, struct pipe *pipe,
struct label *pipelabel)
{
return (0);
}
static int
mac_test_check_pipe_write(struct ucred *cred, struct pipe *pipe,
struct label *pipelabel)
{
return (0);
}
static int
mac_test_check_proc_debug(struct ucred *cred, struct proc *proc)
{
@ -1258,10 +1282,16 @@ static struct mac_policy_op_entry mac_test_ops[] =
(macop_t)mac_test_check_mount_stat },
{ MAC_CHECK_PIPE_IOCTL,
(macop_t)mac_test_check_pipe_ioctl },
{ MAC_CHECK_PIPE_OP,
(macop_t)mac_test_check_pipe_op },
{ MAC_CHECK_PIPE_POLL,
(macop_t)mac_test_check_pipe_poll },
{ MAC_CHECK_PIPE_READ,
(macop_t)mac_test_check_pipe_read },
{ MAC_CHECK_PIPE_RELABEL,
(macop_t)mac_test_check_pipe_relabel },
{ MAC_CHECK_PIPE_STAT,
(macop_t)mac_test_check_pipe_stat },
{ MAC_CHECK_PIPE_WRITE,
(macop_t)mac_test_check_pipe_write },
{ MAC_CHECK_PROC_DEBUG,
(macop_t)mac_test_check_proc_debug },
{ MAC_CHECK_PROC_SCHED,
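Review bot: The new mac_test_check_pipe_* stubs return 0 without touching `pipelabel`, so the test policy exercises nothing about the label the framework now passes to four separate hooks. Since mac_test exists to catch framework mistakes rather than to enforce policy, each stub could at least assert what it is handed, e.g. `KASSERT(pipelabel != NULL, ("mac_test_check_pipe_read: NULL pipe label"));`; if the file already keeps a per-slot magic value for initialised labels (not visible in these hunks), checking it here as well would catch a pipe whose label was never set up before the first access check.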

@ -180,19 +180,6 @@ int __mac_set_proc(struct mac *_mac_p);
#else /* _KERNEL */
/*
* MAC entry point operations
*/
enum mac_ep_ops {
MAC_OP_VNODE_READ,
MAC_OP_VNODE_WRITE,
MAC_OP_VNODE_POLL,
MAC_OP_PIPE_READ,
MAC_OP_PIPE_WRITE,
MAC_OP_PIPE_STAT,
MAC_OP_PIPE_POLL
};
/*
* Kernel functions to manage and evaluate labels.
*/
@ -307,9 +294,12 @@ int mac_check_bpfdesc_receive(struct bpf_d *bpf_d, struct ifnet *ifnet);
int mac_check_cred_visible(struct ucred *u1, struct ucred *u2);
int mac_check_ifnet_transmit(struct ifnet *ifnet, struct mbuf *m);
int mac_check_mount_stat(struct ucred *cred, struct mount *mp);
int mac_check_pipe_op(struct ucred *cred, struct pipe *pipe, int op);
int mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe,
unsigned long cmd, void *data);
int mac_check_pipe_poll(struct ucred *cred, struct pipe *pipe);
int mac_check_pipe_read(struct ucred *cred, struct pipe *pipe);
int mac_check_pipe_stat(struct ucred *cred, struct pipe *pipe);
int mac_check_pipe_write(struct ucred *cred, struct pipe *pipe);
int mac_check_proc_debug(struct ucred *cred, struct proc *proc);
int mac_check_proc_sched(struct ucred *cred, struct proc *proc);
int mac_check_proc_signal(struct ucred *cred, struct proc *proc,

@ -233,11 +233,17 @@ struct mac_policy_ops {
struct label *mntlabel);
int (*mpo_check_pipe_ioctl)(struct ucred *cred, struct pipe *pipe,
struct label *pipelabel, unsigned long cmd, void *data);
int (*mpo_check_pipe_op)(struct ucred *cred, struct pipe *pipe,
struct label *pipelabel, int op);
int (*mpo_check_pipe_poll)(struct ucred *cred, struct pipe *pipe,
struct label *pipelabel);
int (*mpo_check_pipe_read)(struct ucred *cred, struct pipe *pipe,
struct label *pipelabel);
int (*mpo_check_pipe_relabel)(struct ucred *cred,
struct pipe *pipe, struct label *pipelabel,
struct label *newlabel);
int (*mpo_check_pipe_stat)(struct ucred *cred, struct pipe *pipe,
struct label *pipelabel);
int (*mpo_check_pipe_write)(struct ucred *cred, struct pipe *pipe,
struct label *pipelabel);
int (*mpo_check_proc_debug)(struct ucred *cred,
struct proc *proc);
int (*mpo_check_proc_sched)(struct ucred *cred,
@ -408,8 +414,11 @@ enum mac_op_constant {
MAC_CHECK_IFNET_TRANSMIT,
MAC_CHECK_MOUNT_STAT,
MAC_CHECK_PIPE_IOCTL,
MAC_CHECK_PIPE_OP,
MAC_CHECK_PIPE_POLL,
MAC_CHECK_PIPE_READ,
MAC_CHECK_PIPE_RELABEL,
MAC_CHECK_PIPE_STAT,
MAC_CHECK_PIPE_WRITE,
MAC_CHECK_PROC_DEBUG,
MAC_CHECK_PROC_SCHED,
MAC_CHECK_PROC_SIGNAL,