diff --git a/sys/kern/kern_mac.c b/sys/kern/kern_mac.c
index f8cb676afbb7..7bf73931f0ca 100644
--- a/sys/kern/kern_mac.c
+++ b/sys/kern/kern_mac.c
@@ -667,14 +667,26 @@ mac_policy_register(struct mac_policy_conf *mpc)
 mpc->mpc_ops->mpo_check_pipe_ioctl =
 mpe->mpe_function;
 break;
- case MAC_CHECK_PIPE_OP:
- mpc->mpc_ops->mpo_check_pipe_op =
+ case MAC_CHECK_PIPE_POLL:
+ mpc->mpc_ops->mpo_check_pipe_poll =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_PIPE_READ:
+ mpc->mpc_ops->mpo_check_pipe_read =
 mpe->mpe_function;
 break;
 case MAC_CHECK_PIPE_RELABEL:
 mpc->mpc_ops->mpo_check_pipe_relabel =
 mpe->mpe_function;
 break;
+ case MAC_CHECK_PIPE_STAT:
+ mpc->mpc_ops->mpo_check_pipe_stat =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_PIPE_WRITE:
+ mpc->mpc_ops->mpo_check_pipe_write =
+ mpe->mpe_function;
+ break;
 case MAC_CHECK_PROC_DEBUG:
 mpc->mpc_ops->mpo_check_proc_debug =
 mpe->mpe_function;
@@ -2539,11 +2551,21 @@ mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, unsigned long cmd,
 }
 
 int
-mac_check_pipe_op(struct ucred *cred, struct pipe *pipe, int op)
+mac_check_pipe_poll(struct ucred *cred, struct pipe *pipe)
 {
 int error;
 
- MAC_CHECK(check_pipe_op, cred, pipe, pipe->pipe_label, op);
+ MAC_CHECK(check_pipe_poll, cred, pipe, pipe->pipe_label);
+
+ return (error);
+}
+
+int
+mac_check_pipe_read(struct ucred *cred, struct pipe *pipe)
+{
+ int error;
+
+ MAC_CHECK(check_pipe_read, cred, pipe, pipe->pipe_label);
 
 return (error);
 }
@@ -2559,6 +2581,26 @@ mac_check_pipe_relabel(struct ucred *cred, struct pipe *pipe,
 return (error);
 }
 
+int
+mac_check_pipe_stat(struct ucred *cred, struct pipe *pipe)
+{
+ int error;
+
+ MAC_CHECK(check_pipe_stat, cred, pipe, pipe->pipe_label);
+
+ return (error);
+}
+
+int
+mac_check_pipe_write(struct ucred *cred, struct pipe *pipe)
+{
+ int error;
+
+ MAC_CHECK(check_pipe_write, cred, pipe, pipe->pipe_label);
+
+ return (error);
+}
+
 int
 mac_check_proc_debug(struct ucred *cred, struct proc *proc)
 {
diff --git a/sys/kern/sys_pipe.c b/sys/kern/sys_pipe.c
index d95650161fa9..489aeafa54b4 100644
--- a/sys/kern/sys_pipe.c
+++ b/sys/kern/sys_pipe.c
@@ -469,7 +469,7 @@ pipe_read(fp, uio, active_cred, flags, td)
 goto unlocked_error;
 
 #ifdef MAC
- error = mac_check_pipe_op(active_cred, rpipe, MAC_OP_PIPE_READ);
+ error = mac_check_pipe_read(active_cred, rpipe);
 if (error)
 goto locked_error;
 #endif
@@ -885,7 +885,7 @@ pipe_write(fp, uio, active_cred, flags, td)
 return (EPIPE);
 }
 #ifdef MAC
- error = mac_check_pipe_op(active_cred, wpipe, MAC_OP_PIPE_WRITE);
+ error = mac_check_pipe_write(active_cred, wpipe);
 if (error) {
 PIPE_UNLOCK(rpipe);
 return (error);
@@ -1233,7 +1233,7 @@ pipe_poll(fp, events, active_cred, td)
 wpipe = rpipe->pipe_peer;
 PIPE_LOCK(rpipe);
 #ifdef MAC
- error = mac_check_pipe_op(active_cred, rpipe, MAC_OP_PIPE_POLL);
+ error = mac_check_pipe_poll(active_cred, rpipe);
 if (error)
 goto locked_error;
 #endif
@@ -1289,7 +1289,7 @@ pipe_stat(fp, ub, active_cred, td)
 int error;
 
 /* XXXMAC: Pipe should be locked for this check. */
- error = mac_check_pipe_op(active_cred, pipe, MAC_OP_PIPE_STAT);
+ error = mac_check_pipe_stat(active_cred, pipe);
 if (error)
 return (error);
 #endif
diff --git a/sys/security/mac/mac_framework.c b/sys/security/mac/mac_framework.c
index f8cb676afbb7..7bf73931f0ca 100644
--- a/sys/security/mac/mac_framework.c
+++ b/sys/security/mac/mac_framework.c
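Review bot: The `mac_check_pipe_stat(active_cred, pipe)` call in the pipe_stat hunk is still made with no PIPE_LOCK held, so the framework wrapper reads `pipe->pipe_label` without synchronization, while the read, write and poll hunks all make their check under the lock; the XXXMAC comment the commit keeps on the line above records exactly this, and splitting the entry points was a natural moment to resolve it rather than carry it forward. If taking the lock here is not straightforward, the new wrappers in kern_mac.c should at least state what they expect of the caller, e.g. `/* Caller holds the pipe lock, except pipe_stat (XXXMAC). */` above `mac_check_pipe_stat`. pipe_stat's body starts and ends outside the hunk.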
@@ -667,14 +667,26 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_check_pipe_ioctl = mpe->mpe_function; break; - case MAC_CHECK_PIPE_OP: - mpc->mpc_ops->mpo_check_pipe_op = + case MAC_CHECK_PIPE_POLL: + mpc->mpc_ops->mpo_check_pipe_poll = + mpe->mpe_function; + break; + case MAC_CHECK_PIPE_READ: + mpc->mpc_ops->mpo_check_pipe_read = mpe->mpe_function; break; case MAC_CHECK_PIPE_RELABEL: mpc->mpc_ops->mpo_check_pipe_relabel = mpe->mpe_function; break; + case MAC_CHECK_PIPE_STAT: + mpc->mpc_ops->mpo_check_pipe_stat = + mpe->mpe_function; + break; + case MAC_CHECK_PIPE_WRITE: + mpc->mpc_ops->mpo_check_pipe_write = + mpe->mpe_function; + break; case MAC_CHECK_PROC_DEBUG: mpc->mpc_ops->mpo_check_proc_debug = mpe->mpe_function; @@ -2539,11 +2551,21 @@ mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, unsigned long cmd, } int -mac_check_pipe_op(struct ucred *cred, struct pipe *pipe, int op) +mac_check_pipe_poll(struct ucred *cred, struct pipe *pipe) { int error; - MAC_CHECK(check_pipe_op, cred, pipe, pipe->pipe_label, op); + MAC_CHECK(check_pipe_poll, cred, pipe, pipe->pipe_label); + + return (error); +} + +int +mac_check_pipe_read(struct ucred *cred, struct pipe *pipe) +{ + int error; + + MAC_CHECK(check_pipe_read, cred, pipe, pipe->pipe_label); return (error); } @@ -2559,6 +2581,26 @@ mac_check_pipe_relabel(struct ucred *cred, struct pipe *pipe, return (error); } +int +mac_check_pipe_stat(struct ucred *cred, struct pipe *pipe) +{ + int error; + + MAC_CHECK(check_pipe_stat, cred, pipe, pipe->pipe_label); + + return (error); +} + +int +mac_check_pipe_write(struct ucred *cred, struct pipe *pipe) +{ + int error; + + MAC_CHECK(check_pipe_write, cred, pipe, pipe->pipe_label); + + return (error); +} + int mac_check_proc_debug(struct ucred *cred, struct proc *proc) { diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h index 3d73df4e7977..1f36d551fce8 100644 --- a/sys/security/mac/mac_framework.h 
+++ b/sys/security/mac/mac_framework.h @@ -180,19 +180,6 @@ int __mac_set_proc(struct mac *_mac_p); #else /* _KERNEL */ -/* - * MAC entry point operations - */ -enum mac_ep_ops { - MAC_OP_VNODE_READ, - MAC_OP_VNODE_WRITE, - MAC_OP_VNODE_POLL, - MAC_OP_PIPE_READ, - MAC_OP_PIPE_WRITE, - MAC_OP_PIPE_STAT, - MAC_OP_PIPE_POLL -}; - /* * Kernel functions to manage and evaluate labels. */ @@ -307,9 +294,12 @@ int mac_check_bpfdesc_receive(struct bpf_d *bpf_d, struct ifnet *ifnet); int mac_check_cred_visible(struct ucred *u1, struct ucred *u2); int mac_check_ifnet_transmit(struct ifnet *ifnet, struct mbuf *m); int mac_check_mount_stat(struct ucred *cred, struct mount *mp); -int mac_check_pipe_op(struct ucred *cred, struct pipe *pipe, int op); int mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, unsigned long cmd, void *data); +int mac_check_pipe_poll(struct ucred *cred, struct pipe *pipe); +int mac_check_pipe_read(struct ucred *cred, struct pipe *pipe); +int mac_check_pipe_stat(struct ucred *cred, struct pipe *pipe); +int mac_check_pipe_write(struct ucred *cred, struct pipe *pipe); int mac_check_proc_debug(struct ucred *cred, struct proc *proc); int mac_check_proc_sched(struct ucred *cred, struct proc *proc); int mac_check_proc_signal(struct ucred *cred, struct proc *proc, diff --git a/sys/security/mac/mac_internal.h b/sys/security/mac/mac_internal.h index f8cb676afbb7..7bf73931f0ca 100644 --- a/sys/security/mac/mac_internal.h +++ b/sys/security/mac/mac_internal.h 
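Review bot: Removing `enum mac_ep_ops` also drops MAC_OP_VNODE_READ, MAC_OP_VNODE_WRITE and MAC_OP_VNODE_POLL, which nothing else in this diff replaces or touches; if any vnode entry point or policy still references them the build breaks, and if they were already unused that is worth stating, since the enum's header comment is the only documentation of them. The same hunk appears again under sys/sys/mac.h near the end of the diff.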
@@ -667,14 +667,26 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_check_pipe_ioctl = mpe->mpe_function; break; - case MAC_CHECK_PIPE_OP: - mpc->mpc_ops->mpo_check_pipe_op = + case MAC_CHECK_PIPE_POLL: + mpc->mpc_ops->mpo_check_pipe_poll = + mpe->mpe_function; + break; + case MAC_CHECK_PIPE_READ: + mpc->mpc_ops->mpo_check_pipe_read = mpe->mpe_function; break; case MAC_CHECK_PIPE_RELABEL: mpc->mpc_ops->mpo_check_pipe_relabel = mpe->mpe_function; break; + case MAC_CHECK_PIPE_STAT: + mpc->mpc_ops->mpo_check_pipe_stat = + mpe->mpe_function; + break; + case MAC_CHECK_PIPE_WRITE: + mpc->mpc_ops->mpo_check_pipe_write = + mpe->mpe_function; + break; case MAC_CHECK_PROC_DEBUG: mpc->mpc_ops->mpo_check_proc_debug = mpe->mpe_function; @@ -2539,11 +2551,21 @@ mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, unsigned long cmd, } int -mac_check_pipe_op(struct ucred *cred, struct pipe *pipe, int op) +mac_check_pipe_poll(struct ucred *cred, struct pipe *pipe) { int error; - MAC_CHECK(check_pipe_op, cred, pipe, pipe->pipe_label, op); + MAC_CHECK(check_pipe_poll, cred, pipe, pipe->pipe_label); + + return (error); +} + +int +mac_check_pipe_read(struct ucred *cred, struct pipe *pipe) +{ + int error; + + MAC_CHECK(check_pipe_read, cred, pipe, pipe->pipe_label); return (error); } @@ -2559,6 +2581,26 @@ mac_check_pipe_relabel(struct ucred *cred, struct pipe *pipe, return (error); } +int +mac_check_pipe_stat(struct ucred *cred, struct pipe *pipe) +{ + int error; + + MAC_CHECK(check_pipe_stat, cred, pipe, pipe->pipe_label); + + return (error); +} + +int +mac_check_pipe_write(struct ucred *cred, struct pipe *pipe) +{ + int error; + + MAC_CHECK(check_pipe_write, cred, pipe, pipe->pipe_label); + + return (error); +} + int mac_check_proc_debug(struct ucred *cred, struct proc *proc) { diff --git a/sys/security/mac/mac_net.c b/sys/security/mac/mac_net.c index f8cb676afbb7..7bf73931f0ca 100644 --- a/sys/security/mac/mac_net.c +++ b/sys/security/mac/mac_net.c 
@@ -667,14 +667,26 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_check_pipe_ioctl = mpe->mpe_function; break; - case MAC_CHECK_PIPE_OP: - mpc->mpc_ops->mpo_check_pipe_op = + case MAC_CHECK_PIPE_POLL: + mpc->mpc_ops->mpo_check_pipe_poll = + mpe->mpe_function; + break; + case MAC_CHECK_PIPE_READ: + mpc->mpc_ops->mpo_check_pipe_read = mpe->mpe_function; break; case MAC_CHECK_PIPE_RELABEL: mpc->mpc_ops->mpo_check_pipe_relabel = mpe->mpe_function; break; + case MAC_CHECK_PIPE_STAT: + mpc->mpc_ops->mpo_check_pipe_stat = + mpe->mpe_function; + break; + case MAC_CHECK_PIPE_WRITE: + mpc->mpc_ops->mpo_check_pipe_write = + mpe->mpe_function; + break; case MAC_CHECK_PROC_DEBUG: mpc->mpc_ops->mpo_check_proc_debug = mpe->mpe_function; @@ -2539,11 +2551,21 @@ mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, unsigned long cmd, } int -mac_check_pipe_op(struct ucred *cred, struct pipe *pipe, int op) +mac_check_pipe_poll(struct ucred *cred, struct pipe *pipe) { int error; - MAC_CHECK(check_pipe_op, cred, pipe, pipe->pipe_label, op); + MAC_CHECK(check_pipe_poll, cred, pipe, pipe->pipe_label); + + return (error); +} + +int +mac_check_pipe_read(struct ucred *cred, struct pipe *pipe) +{ + int error; + + MAC_CHECK(check_pipe_read, cred, pipe, pipe->pipe_label); return (error); } @@ -2559,6 +2581,26 @@ mac_check_pipe_relabel(struct ucred *cred, struct pipe *pipe, return (error); } +int +mac_check_pipe_stat(struct ucred *cred, struct pipe *pipe) +{ + int error; + + MAC_CHECK(check_pipe_stat, cred, pipe, pipe->pipe_label); + + return (error); +} + +int +mac_check_pipe_write(struct ucred *cred, struct pipe *pipe) +{ + int error; + + MAC_CHECK(check_pipe_write, cred, pipe, pipe->pipe_label); + + return (error); +} + int mac_check_proc_debug(struct ucred *cred, struct proc *proc) { diff --git a/sys/security/mac/mac_pipe.c b/sys/security/mac/mac_pipe.c index f8cb676afbb7..7bf73931f0ca 100644 --- a/sys/security/mac/mac_pipe.c +++ b/sys/security/mac/mac_pipe.c 
@@ -667,14 +667,26 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_check_pipe_ioctl = mpe->mpe_function; break; - case MAC_CHECK_PIPE_OP: - mpc->mpc_ops->mpo_check_pipe_op = + case MAC_CHECK_PIPE_POLL: + mpc->mpc_ops->mpo_check_pipe_poll = + mpe->mpe_function; + break; + case MAC_CHECK_PIPE_READ: + mpc->mpc_ops->mpo_check_pipe_read = mpe->mpe_function; break; case MAC_CHECK_PIPE_RELABEL: mpc->mpc_ops->mpo_check_pipe_relabel = mpe->mpe_function; break; + case MAC_CHECK_PIPE_STAT: + mpc->mpc_ops->mpo_check_pipe_stat = + mpe->mpe_function; + break; + case MAC_CHECK_PIPE_WRITE: + mpc->mpc_ops->mpo_check_pipe_write = + mpe->mpe_function; + break; case MAC_CHECK_PROC_DEBUG: mpc->mpc_ops->mpo_check_proc_debug = mpe->mpe_function; @@ -2539,11 +2551,21 @@ mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, unsigned long cmd, } int -mac_check_pipe_op(struct ucred *cred, struct pipe *pipe, int op) +mac_check_pipe_poll(struct ucred *cred, struct pipe *pipe) { int error; - MAC_CHECK(check_pipe_op, cred, pipe, pipe->pipe_label, op); + MAC_CHECK(check_pipe_poll, cred, pipe, pipe->pipe_label); + + return (error); +} + +int +mac_check_pipe_read(struct ucred *cred, struct pipe *pipe) +{ + int error; + + MAC_CHECK(check_pipe_read, cred, pipe, pipe->pipe_label); return (error); } @@ -2559,6 +2581,26 @@ mac_check_pipe_relabel(struct ucred *cred, struct pipe *pipe, return (error); } +int +mac_check_pipe_stat(struct ucred *cred, struct pipe *pipe) +{ + int error; + + MAC_CHECK(check_pipe_stat, cred, pipe, pipe->pipe_label); + + return (error); +} + +int +mac_check_pipe_write(struct ucred *cred, struct pipe *pipe) +{ + int error; + + MAC_CHECK(check_pipe_write, cred, pipe, pipe->pipe_label); + + return (error); +} + int mac_check_proc_debug(struct ucred *cred, struct proc *proc) { diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h index 9bc28ad730cd..b3707c2b0340 100644 --- a/sys/security/mac/mac_policy.h 
+++ b/sys/security/mac/mac_policy.h @@ -233,11 +233,17 @@ struct mac_policy_ops { struct label *mntlabel); int (*mpo_check_pipe_ioctl)(struct ucred *cred, struct pipe *pipe, struct label *pipelabel, unsigned long cmd, void *data); - int (*mpo_check_pipe_op)(struct ucred *cred, struct pipe *pipe, - struct label *pipelabel, int op); + int (*mpo_check_pipe_poll)(struct ucred *cred, struct pipe *pipe, + struct label *pipelabel); + int (*mpo_check_pipe_read)(struct ucred *cred, struct pipe *pipe, + struct label *pipelabel); int (*mpo_check_pipe_relabel)(struct ucred *cred, struct pipe *pipe, struct label *pipelabel, struct label *newlabel); + int (*mpo_check_pipe_stat)(struct ucred *cred, struct pipe *pipe, + struct label *pipelabel); + int (*mpo_check_pipe_write)(struct ucred *cred, struct pipe *pipe, + struct label *pipelabel); int (*mpo_check_proc_debug)(struct ucred *cred, struct proc *proc); int (*mpo_check_proc_sched)(struct ucred *cred, @@ -408,8 +414,11 @@ enum mac_op_constant { MAC_CHECK_IFNET_TRANSMIT, MAC_CHECK_MOUNT_STAT, MAC_CHECK_PIPE_IOCTL, - MAC_CHECK_PIPE_OP, + MAC_CHECK_PIPE_POLL, + MAC_CHECK_PIPE_READ, MAC_CHECK_PIPE_RELABEL, + MAC_CHECK_PIPE_STAT, + MAC_CHECK_PIPE_WRITE, MAC_CHECK_PROC_DEBUG, MAC_CHECK_PROC_SCHED, MAC_CHECK_PROC_SIGNAL, diff --git a/sys/security/mac/mac_process.c b/sys/security/mac/mac_process.c index f8cb676afbb7..7bf73931f0ca 100644 --- a/sys/security/mac/mac_process.c +++ b/sys/security/mac/mac_process.c 
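Review bot: Inserting MAC_CHECK_PIPE_POLL and MAC_CHECK_PIPE_READ ahead of MAC_CHECK_PIPE_RELABEL in `enum mac_op_constant` renumbers every constant after them, and because policy op tables are registered through the `(macop_t)` cast and dispatched by `mac_policy_register`'s switch, the compiler cannot catch a module built against the old numbering: its functions would be bound to the wrong `mpo_*` slots, with mismatched argument lists, silently. That is tolerable for an in-tree-only interface, but the enum should say so, e.g. `/* Positional: adding a constant renumbers those after it; rebuild every policy module. */`. The same hunk appears again under sys/sys/mac_policy.h at the end of the diff.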
@@ -667,14 +667,26 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_check_pipe_ioctl = mpe->mpe_function; break; - case MAC_CHECK_PIPE_OP: - mpc->mpc_ops->mpo_check_pipe_op = + case MAC_CHECK_PIPE_POLL: + mpc->mpc_ops->mpo_check_pipe_poll = + mpe->mpe_function; + break; + case MAC_CHECK_PIPE_READ: + mpc->mpc_ops->mpo_check_pipe_read = mpe->mpe_function; break; case MAC_CHECK_PIPE_RELABEL: mpc->mpc_ops->mpo_check_pipe_relabel = mpe->mpe_function; break; + case MAC_CHECK_PIPE_STAT: + mpc->mpc_ops->mpo_check_pipe_stat = + mpe->mpe_function; + break; + case MAC_CHECK_PIPE_WRITE: + mpc->mpc_ops->mpo_check_pipe_write = + mpe->mpe_function; + break; case MAC_CHECK_PROC_DEBUG: mpc->mpc_ops->mpo_check_proc_debug = mpe->mpe_function; @@ -2539,11 +2551,21 @@ mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, unsigned long cmd, } int -mac_check_pipe_op(struct ucred *cred, struct pipe *pipe, int op) +mac_check_pipe_poll(struct ucred *cred, struct pipe *pipe) { int error; - MAC_CHECK(check_pipe_op, cred, pipe, pipe->pipe_label, op); + MAC_CHECK(check_pipe_poll, cred, pipe, pipe->pipe_label); + + return (error); +} + +int +mac_check_pipe_read(struct ucred *cred, struct pipe *pipe) +{ + int error; + + MAC_CHECK(check_pipe_read, cred, pipe, pipe->pipe_label); return (error); } @@ -2559,6 +2581,26 @@ mac_check_pipe_relabel(struct ucred *cred, struct pipe *pipe, return (error); } +int +mac_check_pipe_stat(struct ucred *cred, struct pipe *pipe) +{ + int error; + + MAC_CHECK(check_pipe_stat, cred, pipe, pipe->pipe_label); + + return (error); +} + +int +mac_check_pipe_write(struct ucred *cred, struct pipe *pipe) +{ + int error; + + MAC_CHECK(check_pipe_write, cred, pipe, pipe->pipe_label); + + return (error); +} + int mac_check_proc_debug(struct ucred *cred, struct proc *proc) { diff --git a/sys/security/mac/mac_syscalls.c b/sys/security/mac/mac_syscalls.c index f8cb676afbb7..7bf73931f0ca 100644 --- a/sys/security/mac/mac_syscalls.c 
+++ b/sys/security/mac/mac_syscalls.c @@ -667,14 +667,26 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_check_pipe_ioctl = mpe->mpe_function; break; - case MAC_CHECK_PIPE_OP: - mpc->mpc_ops->mpo_check_pipe_op = + case MAC_CHECK_PIPE_POLL: + mpc->mpc_ops->mpo_check_pipe_poll = + mpe->mpe_function; + break; + case MAC_CHECK_PIPE_READ: + mpc->mpc_ops->mpo_check_pipe_read = mpe->mpe_function; break; case MAC_CHECK_PIPE_RELABEL: mpc->mpc_ops->mpo_check_pipe_relabel = mpe->mpe_function; break; + case MAC_CHECK_PIPE_STAT: + mpc->mpc_ops->mpo_check_pipe_stat = + mpe->mpe_function; + break; + case MAC_CHECK_PIPE_WRITE: + mpc->mpc_ops->mpo_check_pipe_write = + mpe->mpe_function; + break; case MAC_CHECK_PROC_DEBUG: mpc->mpc_ops->mpo_check_proc_debug = mpe->mpe_function; @@ -2539,11 +2551,21 @@ mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, unsigned long cmd, } int -mac_check_pipe_op(struct ucred *cred, struct pipe *pipe, int op) +mac_check_pipe_poll(struct ucred *cred, struct pipe *pipe) { int error; - MAC_CHECK(check_pipe_op, cred, pipe, pipe->pipe_label, op); + MAC_CHECK(check_pipe_poll, cred, pipe, pipe->pipe_label); + + return (error); +} + +int +mac_check_pipe_read(struct ucred *cred, struct pipe *pipe) +{ + int error; + + MAC_CHECK(check_pipe_read, cred, pipe, pipe->pipe_label); return (error); } @@ -2559,6 +2581,26 @@ mac_check_pipe_relabel(struct ucred *cred, struct pipe *pipe, return (error); } +int +mac_check_pipe_stat(struct ucred *cred, struct pipe *pipe) +{ + int error; + + MAC_CHECK(check_pipe_stat, cred, pipe, pipe->pipe_label); + + return (error); +} + +int +mac_check_pipe_write(struct ucred *cred, struct pipe *pipe) +{ + int error; + + MAC_CHECK(check_pipe_write, cred, pipe, pipe->pipe_label); + + return (error); +} + int mac_check_proc_debug(struct ucred *cred, struct proc *proc) { diff --git a/sys/security/mac/mac_system.c b/sys/security/mac/mac_system.c index f8cb676afbb7..7bf73931f0ca 100644 
--- a/sys/security/mac/mac_system.c +++ b/sys/security/mac/mac_system.c @@ -667,14 +667,26 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_check_pipe_ioctl = mpe->mpe_function; break; - case MAC_CHECK_PIPE_OP: - mpc->mpc_ops->mpo_check_pipe_op = + case MAC_CHECK_PIPE_POLL: + mpc->mpc_ops->mpo_check_pipe_poll = + mpe->mpe_function; + break; + case MAC_CHECK_PIPE_READ: + mpc->mpc_ops->mpo_check_pipe_read = mpe->mpe_function; break; case MAC_CHECK_PIPE_RELABEL: mpc->mpc_ops->mpo_check_pipe_relabel = mpe->mpe_function; break; + case MAC_CHECK_PIPE_STAT: + mpc->mpc_ops->mpo_check_pipe_stat = + mpe->mpe_function; + break; + case MAC_CHECK_PIPE_WRITE: + mpc->mpc_ops->mpo_check_pipe_write = + mpe->mpe_function; + break; case MAC_CHECK_PROC_DEBUG: mpc->mpc_ops->mpo_check_proc_debug = mpe->mpe_function; @@ -2539,11 +2551,21 @@ mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, unsigned long cmd, } int -mac_check_pipe_op(struct ucred *cred, struct pipe *pipe, int op) +mac_check_pipe_poll(struct ucred *cred, struct pipe *pipe) { int error; - MAC_CHECK(check_pipe_op, cred, pipe, pipe->pipe_label, op); + MAC_CHECK(check_pipe_poll, cred, pipe, pipe->pipe_label); + + return (error); +} + +int +mac_check_pipe_read(struct ucred *cred, struct pipe *pipe) +{ + int error; + + MAC_CHECK(check_pipe_read, cred, pipe, pipe->pipe_label); return (error); } @@ -2559,6 +2581,26 @@ mac_check_pipe_relabel(struct ucred *cred, struct pipe *pipe, return (error); } +int +mac_check_pipe_stat(struct ucred *cred, struct pipe *pipe) +{ + int error; + + MAC_CHECK(check_pipe_stat, cred, pipe, pipe->pipe_label); + + return (error); +} + +int +mac_check_pipe_write(struct ucred *cred, struct pipe *pipe) +{ + int error; + + MAC_CHECK(check_pipe_write, cred, pipe, pipe->pipe_label); + + return (error); +} + int mac_check_proc_debug(struct ucred *cred, struct proc *proc) { diff --git a/sys/security/mac/mac_vfs.c b/sys/security/mac/mac_vfs.c index f8cb676afbb7..7bf73931f0ca 100644 
--- a/sys/security/mac/mac_vfs.c +++ b/sys/security/mac/mac_vfs.c @@ -667,14 +667,26 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_check_pipe_ioctl = mpe->mpe_function; break; - case MAC_CHECK_PIPE_OP: - mpc->mpc_ops->mpo_check_pipe_op = + case MAC_CHECK_PIPE_POLL: + mpc->mpc_ops->mpo_check_pipe_poll = + mpe->mpe_function; + break; + case MAC_CHECK_PIPE_READ: + mpc->mpc_ops->mpo_check_pipe_read = mpe->mpe_function; break; case MAC_CHECK_PIPE_RELABEL: mpc->mpc_ops->mpo_check_pipe_relabel = mpe->mpe_function; break; + case MAC_CHECK_PIPE_STAT: + mpc->mpc_ops->mpo_check_pipe_stat = + mpe->mpe_function; + break; + case MAC_CHECK_PIPE_WRITE: + mpc->mpc_ops->mpo_check_pipe_write = + mpe->mpe_function; + break; case MAC_CHECK_PROC_DEBUG: mpc->mpc_ops->mpo_check_proc_debug = mpe->mpe_function; @@ -2539,11 +2551,21 @@ mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, unsigned long cmd, } int -mac_check_pipe_op(struct ucred *cred, struct pipe *pipe, int op) +mac_check_pipe_poll(struct ucred *cred, struct pipe *pipe) { int error; - MAC_CHECK(check_pipe_op, cred, pipe, pipe->pipe_label, op); + MAC_CHECK(check_pipe_poll, cred, pipe, pipe->pipe_label); + + return (error); +} + +int +mac_check_pipe_read(struct ucred *cred, struct pipe *pipe) +{ + int error; + + MAC_CHECK(check_pipe_read, cred, pipe, pipe->pipe_label); return (error); } @@ -2559,6 +2581,26 @@ mac_check_pipe_relabel(struct ucred *cred, struct pipe *pipe, return (error); } +int +mac_check_pipe_stat(struct ucred *cred, struct pipe *pipe) +{ + int error; + + MAC_CHECK(check_pipe_stat, cred, pipe, pipe->pipe_label); + + return (error); +} + +int +mac_check_pipe_write(struct ucred *cred, struct pipe *pipe) +{ + int error; + + MAC_CHECK(check_pipe_write, cred, pipe, pipe->pipe_label); + + return (error); +} + int mac_check_proc_debug(struct ucred *cred, struct proc *proc) { 
diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c
index 6e9e38307563..c830e7cd1d56 100644
--- a/sys/security/mac_biba/mac_biba.c
+++ b/sys/security/mac_biba/mac_biba.c
@@ -1300,8 +1300,8 @@ mac_biba_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe,
 }
 
 static int
-mac_biba_check_pipe_op(struct ucred *cred, struct pipe *pipe,
- struct label *pipelabel, int op)
+mac_biba_check_pipe_poll(struct ucred *cred, struct pipe *pipe,
+ struct label *pipelabel)
 {
 struct mac_biba *subj, *obj;
 
@@ -1311,20 +1311,26 @@ mac_biba_check_pipe_op(struct ucred *cred, struct pipe *pipe,
 subj = SLOT(&cred->cr_label);
 obj = SLOT((pipelabel));
 
- switch(op) {
- case MAC_OP_PIPE_READ:
- case MAC_OP_PIPE_STAT:
- case MAC_OP_PIPE_POLL:
- if (!mac_biba_dominate_single(obj, subj))
- return (EACCES);
- break;
- case MAC_OP_PIPE_WRITE:
- if (!mac_biba_dominate_single(subj, obj))
- return (EACCES);
- break;
- default:
- panic("mac_biba_check_pipe_op: invalid pipe operation");
- }
+ if (!mac_biba_dominate_single(obj, subj))
+ return (EACCES);
+
+ return (0);
+}
+
+static int
+mac_biba_check_pipe_read(struct ucred *cred, struct pipe *pipe,
+ struct label *pipelabel)
+{
+ struct mac_biba *subj, *obj;
+
+ if (!mac_biba_enabled)
+ return (0);
+
+ subj = SLOT(&cred->cr_label);
+ obj = SLOT((pipelabel));
+
+ if (!mac_biba_dominate_single(obj, subj))
+ return (EACCES);
 
 return (0);
 }
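Review bot: The poll and read checks added here, and the stat and write checks in the next hunk, repeat the same eleven-line body and differ only in the argument order handed to `mac_biba_dominate_single`, with no comment saying which direction is which; the removed switch at least grouped read/stat/poll together and set write apart. A small static helper taking the direction as a parameter keeps one copy of the enabled check and the SLOT lookups and puts the rule in one place, sketched below (it assumes `mac_biba_dominate_single(a, b)` tests that a dominates b, as its name and the removed switch suggest). If the four bodies are kept separate, a one-line comment per function is the minimum, e.g. `/* Read side: the pipe's integrity must dominate the subject's. */` and `/* Write side: the subject's integrity must dominate the pipe's. */`. mac_mls.c gets the same four copies with the directions reversed and would take the same treatment.
```c
/*
 * Common body of the pipe checks.  When subj_dominates is non-zero the
 * subject's label must dominate the pipe's (write side); otherwise the
 * pipe's label must dominate the subject's (read, stat and poll).
 */
static int
mac_biba_pipe_check(struct ucred *cred, struct label *pipelabel,
    int subj_dominates)
{
	struct mac_biba *subj, *obj;

	if (!mac_biba_enabled)
		return (0);

	subj = SLOT(&cred->cr_label);
	obj = SLOT((pipelabel));

	if (subj_dominates) {
		if (!mac_biba_dominate_single(subj, obj))
			return (EACCES);
	} else {
		if (!mac_biba_dominate_single(obj, subj))
			return (EACCES);
	}

	return (0);
}

static int
mac_biba_check_pipe_read(struct ucred *cred, struct pipe *pipe,
    struct label *pipelabel)
{

	return (mac_biba_pipe_check(cred, pipelabel, 0));
}
/* … poll and stat call the helper with 0 in the same way, write with 1 … */
```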
@@ -1363,6 +1369,42 @@ mac_biba_check_pipe_relabel(struct ucred *cred, struct pipe *pipe,
 return (0);
 }
 
+static int
+mac_biba_check_pipe_stat(struct ucred *cred, struct pipe *pipe,
+ struct label *pipelabel)
+{
+ struct mac_biba *subj, *obj;
+
+ if (!mac_biba_enabled)
+ return (0);
+
+ subj = SLOT(&cred->cr_label);
+ obj = SLOT((pipelabel));
+
+ if (!mac_biba_dominate_single(obj, subj))
+ return (EACCES);
+
+ return (0);
+}
+
+static int
+mac_biba_check_pipe_write(struct ucred *cred, struct pipe *pipe,
+ struct label *pipelabel)
+{
+ struct mac_biba *subj, *obj;
+
+ if (!mac_biba_enabled)
+ return (0);
+
+ subj = SLOT(&cred->cr_label);
+ obj = SLOT((pipelabel));
+
+ if (!mac_biba_dominate_single(subj, obj))
+ return (EACCES);
+
+ return (0);
+}
+
 static int
 mac_biba_check_proc_debug(struct ucred *cred, struct proc *proc)
 {
@@ -2175,10 +2217,16 @@ static struct mac_policy_op_entry mac_biba_ops[] =
 (macop_t)mac_biba_check_mount_stat },
 { MAC_CHECK_PIPE_IOCTL,
 (macop_t)mac_biba_check_pipe_ioctl },
-{ MAC_CHECK_PIPE_OP,
- (macop_t)mac_biba_check_pipe_op },
+{ MAC_CHECK_PIPE_POLL,
+ (macop_t)mac_biba_check_pipe_poll },
+{ MAC_CHECK_PIPE_READ,
+ (macop_t)mac_biba_check_pipe_read },
 { MAC_CHECK_PIPE_RELABEL,
 (macop_t)mac_biba_check_pipe_relabel },
+{ MAC_CHECK_PIPE_STAT,
+ (macop_t)mac_biba_check_pipe_stat },
+{ MAC_CHECK_PIPE_WRITE,
+ (macop_t)mac_biba_check_pipe_write },
 { MAC_CHECK_PROC_DEBUG,
 (macop_t)mac_biba_check_proc_debug },
 { MAC_CHECK_PROC_SCHED,
diff --git a/sys/security/mac_mls/mac_mls.c b/sys/security/mac_mls/mac_mls.c
index 4dca58149621..a61dd606bcf4 100644
--- a/sys/security/mac_mls/mac_mls.c
+++ b/sys/security/mac_mls/mac_mls.c
@@ -1247,8 +1247,8 @@ mac_mls_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe,
 }
 
 static int
-mac_mls_check_pipe_op(struct ucred *cred, struct pipe *pipe,
- struct label *pipelabel, int op)
+mac_mls_check_pipe_poll(struct ucred *cred, struct pipe *pipe,
+ struct label *pipelabel)
 {
 struct mac_mls *subj, *obj;
 
@@ -1258,20 +1258,26 @@ mac_mls_check_pipe_op(struct ucred *cred, struct pipe *pipe,
 subj = SLOT(&cred->cr_label);
 obj = SLOT((pipelabel));
 
- switch(op) {
- case MAC_OP_PIPE_READ:
- case MAC_OP_PIPE_STAT:
- case MAC_OP_PIPE_POLL:
- if (!mac_mls_dominate_single(subj, obj))
- return (EACCES);
- break;
- case MAC_OP_PIPE_WRITE:
- if (!mac_mls_dominate_single(obj, subj))
- return (EACCES);
- break;
- default:
- panic("mac_mls_check_pipe_op: invalid pipe operation");
- }
+ if (!mac_mls_dominate_single(subj, obj))
+ return (EACCES);
+
+ return (0);
+}
+
+static int
+mac_mls_check_pipe_read(struct ucred *cred, struct pipe *pipe,
+ struct label *pipelabel)
+{
+ struct mac_mls *subj, *obj;
+
+ if (!mac_mls_enabled)
+ return (0);
+
+ subj = SLOT(&cred->cr_label);
+ obj = SLOT((pipelabel));
+
+ if (!mac_mls_dominate_single(subj, obj))
+ return (EACCES);
 
 return (0);
 }
@@ -1310,6 +1316,42 @@ mac_mls_check_pipe_relabel(struct ucred *cred, struct pipe *pipe,
 return (0);
 }
 
+static int
+mac_mls_check_pipe_stat(struct ucred *cred, struct pipe *pipe,
+ struct label *pipelabel)
+{
+ struct mac_mls *subj, *obj;
+
+ if (!mac_mls_enabled)
+ return (0);
+
+ subj = SLOT(&cred->cr_label);
+ obj = SLOT((pipelabel));
+
+ if (!mac_mls_dominate_single(subj, obj))
+ return (EACCES);
+
+ return (0);
+}
+
+static int
+mac_mls_check_pipe_write(struct ucred *cred, struct pipe *pipe,
+ struct label *pipelabel)
+{
+ struct mac_mls *subj, *obj;
+
+ if (!mac_mls_enabled)
+ return (0);
+
+ subj = SLOT(&cred->cr_label);
+ obj = SLOT((pipelabel));
+
+ if (!mac_mls_dominate_single(obj, subj))
+ return (EACCES);
+
+ return (0);
+}
+
 static int
 mac_mls_check_proc_debug(struct ucred *cred, struct proc *proc)
 {
@@ -2126,10 +2168,16 @@ static struct mac_policy_op_entry mac_mls_ops[] =
 (macop_t)mac_mls_check_mount_stat },
 { MAC_CHECK_PIPE_IOCTL,
 (macop_t)mac_mls_check_pipe_ioctl },
-{ MAC_CHECK_PIPE_OP,
- (macop_t)mac_mls_check_pipe_op },
+{ MAC_CHECK_PIPE_POLL,
+ (macop_t)mac_mls_check_pipe_poll },
+{ MAC_CHECK_PIPE_READ,
+ (macop_t)mac_mls_check_pipe_read },
 { MAC_CHECK_PIPE_RELABEL,
 (macop_t)mac_mls_check_pipe_relabel },
+{ MAC_CHECK_PIPE_STAT,
+ (macop_t)mac_mls_check_pipe_stat },
+{ MAC_CHECK_PIPE_WRITE,
+ (macop_t)mac_mls_check_pipe_write },
 { MAC_CHECK_PROC_DEBUG,
 (macop_t)mac_mls_check_proc_debug },
 { MAC_CHECK_PROC_SCHED,
diff --git a/sys/security/mac_none/mac_none.c b/sys/security/mac_none/mac_none.c
index b7e5fdd186a2..bc2da6705046 100644
--- a/sys/security/mac_none/mac_none.c
+++ b/sys/security/mac_none/mac_none.c
@@ -601,8 +601,16 @@ mac_none_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe,
 }
 
 static int
-mac_none_check_pipe_op(struct ucred *cred, struct pipe *pipe,
- struct label *pipelabel, int op)
+mac_none_check_pipe_poll(struct ucred *cred, struct pipe *pipe,
+ struct label *pipelabel)
+{
+
+ return (0);
+}
+
+static int
+mac_none_check_pipe_read(struct ucred *cred, struct pipe *pipe,
+ struct label *pipelabel)
 {
 
 return (0);
@@ -616,6 +624,22 @@ mac_none_check_pipe_relabel(struct ucred *cred, struct pipe *pipe,
 return (0);
 }
 
+static int
+mac_none_check_pipe_stat(struct ucred *cred, struct pipe *pipe,
+ struct label *pipelabel)
+{
+
+ return (0);
+}
+
+static int
+mac_none_check_pipe_write(struct ucred *cred, struct pipe *pipe,
+ struct label *pipelabel)
+{
+
+ return (0);
+}
+
 static int
 mac_none_check_proc_debug(struct ucred *cred, struct proc *proc)
 {
@@ -1052,10 +1076,16 @@ static struct mac_policy_op_entry mac_none_ops[] = (macop_t)mac_none_check_mount_stat }, { MAC_CHECK_PIPE_IOCTL, (macop_t)mac_none_check_pipe_ioctl }, - { MAC_CHECK_PIPE_OP, - (macop_t)mac_none_check_pipe_op }, + { MAC_CHECK_PIPE_POLL, + (macop_t)mac_none_check_pipe_poll }, + { MAC_CHECK_PIPE_READ, + (macop_t)mac_none_check_pipe_read }, { MAC_CHECK_PIPE_RELABEL, (macop_t)mac_none_check_pipe_relabel }, + { MAC_CHECK_PIPE_STAT, + (macop_t)mac_none_check_pipe_stat }, + { MAC_CHECK_PIPE_WRITE, + (macop_t)mac_none_check_pipe_write }, { MAC_CHECK_PROC_DEBUG, (macop_t)mac_none_check_proc_debug }, { MAC_CHECK_PROC_SCHED, diff --git a/sys/security/mac_stub/mac_stub.c b/sys/security/mac_stub/mac_stub.c index b7e5fdd186a2..bc2da6705046 100644 --- a/sys/security/mac_stub/mac_stub.c +++ b/sys/security/mac_stub/mac_stub.c @@ -601,8 +601,16 @@ mac_none_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, } static int -mac_none_check_pipe_op(struct ucred *cred, struct pipe *pipe, - struct label *pipelabel, int op) +mac_none_check_pipe_poll(struct ucred *cred, struct pipe *pipe, + struct label *pipelabel) +{ + + return (0); +} + +static int +mac_none_check_pipe_read(struct ucred *cred, struct pipe *pipe, + struct label *pipelabel) { return (0); @@ -616,6 +624,22 @@ mac_none_check_pipe_relabel(struct ucred *cred, struct pipe *pipe, return (0); } +static int +mac_none_check_pipe_stat(struct ucred *cred, struct pipe *pipe, + struct label *pipelabel) +{ + + return (0); +} + +static int +mac_none_check_pipe_write(struct ucred *cred, struct pipe *pipe, + struct label *pipelabel) +{ + + return (0); +} + static int mac_none_check_proc_debug(struct ucred *cred, struct proc *proc) { 
@@ -1052,10 +1076,16 @@ static struct mac_policy_op_entry mac_none_ops[] = (macop_t)mac_none_check_mount_stat }, { MAC_CHECK_PIPE_IOCTL, (macop_t)mac_none_check_pipe_ioctl }, - { MAC_CHECK_PIPE_OP, - (macop_t)mac_none_check_pipe_op }, + { MAC_CHECK_PIPE_POLL, + (macop_t)mac_none_check_pipe_poll }, + { MAC_CHECK_PIPE_READ, + (macop_t)mac_none_check_pipe_read }, { MAC_CHECK_PIPE_RELABEL, (macop_t)mac_none_check_pipe_relabel }, + { MAC_CHECK_PIPE_STAT, + (macop_t)mac_none_check_pipe_stat }, + { MAC_CHECK_PIPE_WRITE, + (macop_t)mac_none_check_pipe_write }, { MAC_CHECK_PROC_DEBUG, (macop_t)mac_none_check_proc_debug }, { MAC_CHECK_PROC_SCHED, diff --git a/sys/security/mac_test/mac_test.c b/sys/security/mac_test/mac_test.c index 5c97a1b0f925..76f645d4a1ba 100644 --- a/sys/security/mac_test/mac_test.c +++ b/sys/security/mac_test/mac_test.c @@ -809,8 +809,16 @@ mac_test_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, } static int -mac_test_check_pipe_op(struct ucred *cred, struct pipe *pipe, - struct label *pipelabel, int op) +mac_test_check_pipe_poll(struct ucred *cred, struct pipe *pipe, + struct label *pipelabel) +{ + + return (0); +} + +static int +mac_test_check_pipe_read(struct ucred *cred, struct pipe *pipe, + struct label *pipelabel) { return (0); @@ -824,6 +832,22 @@ mac_test_check_pipe_relabel(struct ucred *cred, struct pipe *pipe, return (0); } +static int +mac_test_check_pipe_stat(struct ucred *cred, struct pipe *pipe, + struct label *pipelabel) +{ + + return (0); +} + +static int +mac_test_check_pipe_write(struct ucred *cred, struct pipe *pipe, + struct label *pipelabel) +{ + + return (0); +} + static int mac_test_check_proc_debug(struct ucred *cred, struct proc *proc) { 
@@ -1258,10 +1282,16 @@ static struct mac_policy_op_entry mac_test_ops[] = (macop_t)mac_test_check_mount_stat }, { MAC_CHECK_PIPE_IOCTL, (macop_t)mac_test_check_pipe_ioctl }, - { MAC_CHECK_PIPE_OP, - (macop_t)mac_test_check_pipe_op }, + { MAC_CHECK_PIPE_POLL, + (macop_t)mac_test_check_pipe_poll }, + { MAC_CHECK_PIPE_READ, + (macop_t)mac_test_check_pipe_read }, { MAC_CHECK_PIPE_RELABEL, (macop_t)mac_test_check_pipe_relabel }, + { MAC_CHECK_PIPE_STAT, + (macop_t)mac_test_check_pipe_stat }, + { MAC_CHECK_PIPE_WRITE, + (macop_t)mac_test_check_pipe_write }, { MAC_CHECK_PROC_DEBUG, (macop_t)mac_test_check_proc_debug }, { MAC_CHECK_PROC_SCHED, diff --git a/sys/sys/mac.h b/sys/sys/mac.h index 3d73df4e7977..1f36d551fce8 100644 --- a/sys/sys/mac.h +++ b/sys/sys/mac.h @@ -180,19 +180,6 @@ int __mac_set_proc(struct mac *_mac_p); #else /* _KERNEL */ -/* - * MAC entry point operations - */ -enum mac_ep_ops { - MAC_OP_VNODE_READ, - MAC_OP_VNODE_WRITE, - MAC_OP_VNODE_POLL, - MAC_OP_PIPE_READ, - MAC_OP_PIPE_WRITE, - MAC_OP_PIPE_STAT, - MAC_OP_PIPE_POLL -}; - /* * Kernel functions to manage and evaluate labels. */ 
@@ -307,9 +294,12 @@ int mac_check_bpfdesc_receive(struct bpf_d *bpf_d, struct ifnet *ifnet); int mac_check_cred_visible(struct ucred *u1, struct ucred *u2); int mac_check_ifnet_transmit(struct ifnet *ifnet, struct mbuf *m); int mac_check_mount_stat(struct ucred *cred, struct mount *mp); -int mac_check_pipe_op(struct ucred *cred, struct pipe *pipe, int op); int mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, unsigned long cmd, void *data); +int mac_check_pipe_poll(struct ucred *cred, struct pipe *pipe); +int mac_check_pipe_read(struct ucred *cred, struct pipe *pipe); +int mac_check_pipe_stat(struct ucred *cred, struct pipe *pipe); +int mac_check_pipe_write(struct ucred *cred, struct pipe *pipe); int mac_check_proc_debug(struct ucred *cred, struct proc *proc); int mac_check_proc_sched(struct ucred *cred, struct proc *proc); int mac_check_proc_signal(struct ucred *cred, struct proc *proc, diff --git a/sys/sys/mac_policy.h b/sys/sys/mac_policy.h index 9bc28ad730cd..b3707c2b0340 100644 --- a/sys/sys/mac_policy.h +++ b/sys/sys/mac_policy.h @@ -233,11 +233,17 @@ struct mac_policy_ops { struct label *mntlabel); int (*mpo_check_pipe_ioctl)(struct ucred *cred, struct pipe *pipe, struct label *pipelabel, unsigned long cmd, void *data); - int (*mpo_check_pipe_op)(struct ucred *cred, struct pipe *pipe, - struct label *pipelabel, int op); + int (*mpo_check_pipe_poll)(struct ucred *cred, struct pipe *pipe, + struct label *pipelabel); + int (*mpo_check_pipe_read)(struct ucred *cred, struct pipe *pipe, + struct label *pipelabel); int (*mpo_check_pipe_relabel)(struct ucred *cred, struct pipe *pipe, struct label *pipelabel, struct label *newlabel); + int (*mpo_check_pipe_stat)(struct ucred *cred, struct pipe *pipe, + struct label *pipelabel); + int (*mpo_check_pipe_write)(struct ucred *cred, struct pipe *pipe, + struct label *pipelabel); int (*mpo_check_proc_debug)(struct ucred *cred, struct proc *proc); int (*mpo_check_proc_sched)(struct ucred *cred, 
@@ -408,8 +414,11 @@ enum mac_op_constant {
 MAC_CHECK_IFNET_TRANSMIT,
 MAC_CHECK_MOUNT_STAT,
 MAC_CHECK_PIPE_IOCTL,
-MAC_CHECK_PIPE_OP,
+MAC_CHECK_PIPE_POLL,
+MAC_CHECK_PIPE_READ,
 MAC_CHECK_PIPE_RELABEL,
+MAC_CHECK_PIPE_STAT,
+MAC_CHECK_PIPE_WRITE,
 MAC_CHECK_PROC_DEBUG,
 MAC_CHECK_PROC_SCHED,
 MAC_CHECK_PROC_SIGNAL,