Permit MAC policies to instrument the access control decisions for

system accounting configuration and for nfsd server thread attach.
Policies might use this to protect the integrity or confidentiality
of accounting data, limit the ability to turn on or off accounting,
as well as to prevent inappropriately labeled threads from becoming nfs
server threads.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
This commit is contained in:
Robert Watson 2002-11-04 15:13:36 +00:00
parent d5e4b2427a
commit e5e820fd1f
16 changed files with 315 additions and 2 deletions

View File

@ -40,12 +40,15 @@
* $FreeBSD$
*/
#include "opt_mac.h"
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/lock.h>
#include <sys/mutex.h>
#include <sys/sysproto.h>
#include <sys/proc.h>
#include <sys/mac.h>
#include <sys/mount.h>
#include <sys/vnode.h>
#include <sys/fcntl.h>
@ -144,12 +147,25 @@ acct(td, uap)
if (error)
goto done2;
NDFREE(&nd, NDF_ONLY_PNBUF);
#ifdef MAC
error = mac_check_system_acct(td->td_ucred, nd.ni_vp);
if (error) {
vn_close(nd.ni_vp, flags, td->td_ucred, td);
goto done2;
}
#endif
VOP_UNLOCK(nd.ni_vp, 0, td);
if (nd.ni_vp->v_type != VREG) {
vn_close(nd.ni_vp, flags, td->td_ucred, td);
error = EACCES;
goto done2;
}
#ifdef MAC
} else {
error = mac_check_system_acct(td->td_ucred, NULL);
if (error)
goto done2;
#endif
}
/*

View File

@ -2469,6 +2469,37 @@ mac_check_socket_visible(struct ucred *cred, struct socket *socket)
return (error);
}
int
mac_check_system_acct(struct ucred *cred, struct vnode *vp)
{
int error;
if (vp != NULL) {
ASSERT_VOP_LOCKED(vp, "mac_check_system_acct");
}
if (!mac_enforce_system)
return (0);
MAC_CHECK(check_system_acct, cred, vp,
vp != NULL ? &vp->v_label : NULL);
return (error);
}
int
mac_check_system_nfsd(struct ucred *cred)
{
int error;
if (!mac_enforce_system)
return (0);
MAC_CHECK(check_system_nfsd, cred);
return (error);
}
int
mac_check_system_reboot(struct ucred *cred, int howto)
{

View File

@ -5,6 +5,7 @@ KMOD= nfsserver
SRCS= vnode_if.h \
nfs_serv.c nfs_srvsock.c nfs_srvcache.c nfs_srvsubs.c nfs_syscalls.c \
nfs_common.c \
opt_mac.h \
opt_nfs.h
SRCS+= opt_inet6.h
NFS_INET6?= 1 # 0/1 - requires INET6 to be configured in kernel

View File

@ -41,6 +41,7 @@
__FBSDID("$FreeBSD$");
#include "opt_inet6.h"
#include "opt_mac.h"
#include <sys/param.h>
#include <sys/systm.h>
@ -50,6 +51,7 @@ __FBSDID("$FreeBSD$");
#include <sys/file.h>
#include <sys/filedesc.h>
#include <sys/vnode.h>
#include <sys/mac.h>
#include <sys/malloc.h>
#include <sys/mount.h>
#include <sys/proc.h>
@ -137,10 +139,15 @@ nfssvc(struct thread *td, struct nfssvc_args *uap)
struct nfsd_args nfsdarg;
int error;
mtx_lock(&Giant);
#ifdef MAC
error = mac_check_system_nfsd(td->td_ucred);
if (error)
return (error);
#endif
error = suser(td);
if (error)
goto done2;
return (error);
mtx_lock(&Giant);
while (nfssvc_sockhead_flag & SLP_INIT) {
nfssvc_sockhead_flag |= SLP_WANTINIT;
(void) tsleep((caddr_t)&nfssvc_sockhead, PSOCK, "nfsd init", 0);

View File

@ -2469,6 +2469,37 @@ mac_check_socket_visible(struct ucred *cred, struct socket *socket)
return (error);
}
int
mac_check_system_acct(struct ucred *cred, struct vnode *vp)
{
int error;
if (vp != NULL) {
ASSERT_VOP_LOCKED(vp, "mac_check_system_acct");
}
if (!mac_enforce_system)
return (0);
MAC_CHECK(check_system_acct, cred, vp,
vp != NULL ? &vp->v_label : NULL);
return (error);
}
int
mac_check_system_nfsd(struct ucred *cred)
{
int error;
if (!mac_enforce_system)
return (0);
MAC_CHECK(check_system_nfsd, cred);
return (error);
}
int
mac_check_system_reboot(struct ucred *cred, int howto)
{

View File

@ -251,6 +251,8 @@ int mac_check_socket_listen(struct ucred *cred, struct socket *so);
int mac_check_socket_receive(struct ucred *cred, struct socket *so);
int mac_check_socket_send(struct ucred *cred, struct socket *so);
int mac_check_socket_visible(struct ucred *cred, struct socket *so);
int mac_check_system_acct(struct ucred *cred, struct vnode *vp);
int mac_check_system_nfsd(struct ucred *cred);
int mac_check_system_reboot(struct ucred *cred, int howto);
int mac_check_system_settime(struct ucred *cred);
int mac_check_system_swapon(struct ucred *cred, struct vnode *vp);

View File

@ -2469,6 +2469,37 @@ mac_check_socket_visible(struct ucred *cred, struct socket *socket)
return (error);
}
int
mac_check_system_acct(struct ucred *cred, struct vnode *vp)
{
int error;
if (vp != NULL) {
ASSERT_VOP_LOCKED(vp, "mac_check_system_acct");
}
if (!mac_enforce_system)
return (0);
MAC_CHECK(check_system_acct, cred, vp,
vp != NULL ? &vp->v_label : NULL);
return (error);
}
int
mac_check_system_nfsd(struct ucred *cred)
{
int error;
if (!mac_enforce_system)
return (0);
MAC_CHECK(check_system_nfsd, cred);
return (error);
}
int
mac_check_system_reboot(struct ucred *cred, int howto)
{

View File

@ -2469,6 +2469,37 @@ mac_check_socket_visible(struct ucred *cred, struct socket *socket)
return (error);
}
int
mac_check_system_acct(struct ucred *cred, struct vnode *vp)
{
int error;
if (vp != NULL) {
ASSERT_VOP_LOCKED(vp, "mac_check_system_acct");
}
if (!mac_enforce_system)
return (0);
MAC_CHECK(check_system_acct, cred, vp,
vp != NULL ? &vp->v_label : NULL);
return (error);
}
int
mac_check_system_nfsd(struct ucred *cred)
{
int error;
if (!mac_enforce_system)
return (0);
MAC_CHECK(check_system_nfsd, cred);
return (error);
}
int
mac_check_system_reboot(struct ucred *cred, int howto)
{

View File

@ -2469,6 +2469,37 @@ mac_check_socket_visible(struct ucred *cred, struct socket *socket)
return (error);
}
int
mac_check_system_acct(struct ucred *cred, struct vnode *vp)
{
int error;
if (vp != NULL) {
ASSERT_VOP_LOCKED(vp, "mac_check_system_acct");
}
if (!mac_enforce_system)
return (0);
MAC_CHECK(check_system_acct, cred, vp,
vp != NULL ? &vp->v_label : NULL);
return (error);
}
int
mac_check_system_nfsd(struct ucred *cred)
{
int error;
if (!mac_enforce_system)
return (0);
MAC_CHECK(check_system_nfsd, cred);
return (error);
}
int
mac_check_system_reboot(struct ucred *cred, int howto)
{

View File

@ -312,6 +312,9 @@ struct mac_policy_ops {
struct socket *so, struct label *socketlabel);
int (*mpo_check_socket_visible)(struct ucred *cred,
struct socket *so, struct label *socketlabel);
int (*mpo_check_system_acct)(struct ucred *cred,
struct vnode *vp, struct label *vlabel);
int (*mpo_check_system_nfsd)(struct ucred *cred);
int (*mpo_check_system_reboot)(struct ucred *cred, int howto);
int (*mpo_check_system_settime)(struct ucred *cred);
int (*mpo_check_system_swapon)(struct ucred *cred,

View File

@ -2469,6 +2469,37 @@ mac_check_socket_visible(struct ucred *cred, struct socket *socket)
return (error);
}
int
mac_check_system_acct(struct ucred *cred, struct vnode *vp)
{
int error;
if (vp != NULL) {
ASSERT_VOP_LOCKED(vp, "mac_check_system_acct");
}
if (!mac_enforce_system)
return (0);
MAC_CHECK(check_system_acct, cred, vp,
vp != NULL ? &vp->v_label : NULL);
return (error);
}
int
mac_check_system_nfsd(struct ucred *cred)
{
int error;
if (!mac_enforce_system)
return (0);
MAC_CHECK(check_system_nfsd, cred);
return (error);
}
int
mac_check_system_reboot(struct ucred *cred, int howto)
{

View File

@ -2469,6 +2469,37 @@ mac_check_socket_visible(struct ucred *cred, struct socket *socket)
return (error);
}
int
mac_check_system_acct(struct ucred *cred, struct vnode *vp)
{
int error;
if (vp != NULL) {
ASSERT_VOP_LOCKED(vp, "mac_check_system_acct");
}
if (!mac_enforce_system)
return (0);
MAC_CHECK(check_system_acct, cred, vp,
vp != NULL ? &vp->v_label : NULL);
return (error);
}
int
mac_check_system_nfsd(struct ucred *cred)
{
int error;
if (!mac_enforce_system)
return (0);
MAC_CHECK(check_system_nfsd, cred);
return (error);
}
int
mac_check_system_reboot(struct ucred *cred, int howto)
{

View File

@ -2469,6 +2469,37 @@ mac_check_socket_visible(struct ucred *cred, struct socket *socket)
return (error);
}
int
mac_check_system_acct(struct ucred *cred, struct vnode *vp)
{
int error;
if (vp != NULL) {
ASSERT_VOP_LOCKED(vp, "mac_check_system_acct");
}
if (!mac_enforce_system)
return (0);
MAC_CHECK(check_system_acct, cred, vp,
vp != NULL ? &vp->v_label : NULL);
return (error);
}
int
mac_check_system_nfsd(struct ucred *cred)
{
int error;
if (!mac_enforce_system)
return (0);
MAC_CHECK(check_system_nfsd, cred);
return (error);
}
int
mac_check_system_reboot(struct ucred *cred, int howto)
{

View File

@ -2469,6 +2469,37 @@ mac_check_socket_visible(struct ucred *cred, struct socket *socket)
return (error);
}
int
mac_check_system_acct(struct ucred *cred, struct vnode *vp)
{
int error;
if (vp != NULL) {
ASSERT_VOP_LOCKED(vp, "mac_check_system_acct");
}
if (!mac_enforce_system)
return (0);
MAC_CHECK(check_system_acct, cred, vp,
vp != NULL ? &vp->v_label : NULL);
return (error);
}
int
mac_check_system_nfsd(struct ucred *cred)
{
int error;
if (!mac_enforce_system)
return (0);
MAC_CHECK(check_system_nfsd, cred);
return (error);
}
int
mac_check_system_reboot(struct ucred *cred, int howto)
{

View File

@ -251,6 +251,8 @@ int mac_check_socket_listen(struct ucred *cred, struct socket *so);
int mac_check_socket_receive(struct ucred *cred, struct socket *so);
int mac_check_socket_send(struct ucred *cred, struct socket *so);
int mac_check_socket_visible(struct ucred *cred, struct socket *so);
int mac_check_system_acct(struct ucred *cred, struct vnode *vp);
int mac_check_system_nfsd(struct ucred *cred);
int mac_check_system_reboot(struct ucred *cred, int howto);
int mac_check_system_settime(struct ucred *cred);
int mac_check_system_swapon(struct ucred *cred, struct vnode *vp);

View File

@ -312,6 +312,9 @@ struct mac_policy_ops {
struct socket *so, struct label *socketlabel);
int (*mpo_check_socket_visible)(struct ucred *cred,
struct socket *so, struct label *socketlabel);
int (*mpo_check_system_acct)(struct ucred *cred,
struct vnode *vp, struct label *vlabel);
int (*mpo_check_system_nfsd)(struct ucred *cred);
int (*mpo_check_system_reboot)(struct ucred *cred, int howto);
int (*mpo_check_system_settime)(struct ucred *cred);
int (*mpo_check_system_swapon)(struct ucred *cred,