From owner-svn-src-head@FreeBSD.ORG  Mon Oct 27 11:46:20 2008
Return-Path: <owner-svn-src-head@FreeBSD.ORG>
Delivered-To: svn-src-head@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 4D4021065685;
	Mon, 27 Oct 2008 11:46:20 +0000 (UTC)
	(envelope-from rwatson@FreeBSD.org)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c])
	by mx1.freebsd.org (Postfix) with ESMTP id 392FE8FC08;
	Mon, 27 Oct 2008 11:46:20 +0000 (UTC)
	(envelope-from rwatson@FreeBSD.org)
Received: from svn.freebsd.org (localhost [127.0.0.1])
	by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id m9RBkKNI038370;
	Mon, 27 Oct 2008 11:46:20 GMT (envelope-from rwatson@svn.freebsd.org)
Received: (from rwatson@localhost)
	by svn.freebsd.org (8.14.3/8.14.3/Submit) id m9RBkKZo038368;
	Mon, 27 Oct 2008 11:46:20 GMT (envelope-from rwatson@svn.freebsd.org)
Message-Id: <200810271146.m9RBkKZo038368@svn.freebsd.org>
From: Robert Watson <rwatson@FreeBSD.org>
Date: Mon, 27 Oct 2008 11:46:20 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
	svn-src-head@freebsd.org
X-SVN-Group: head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Cc: 
Subject: svn commit: r184330 - head/sys/security/mac_bsdextended
X-BeenThere: svn-src-head@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: SVN commit messages for the src tree for head/-current
	<svn-src-head.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-head>,
	<mailto:svn-src-head-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-head>
List-Post: <mailto:svn-src-head@freebsd.org>
List-Help: <mailto:svn-src-head-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-head>,
	<mailto:svn-src-head-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Oct 2008 11:46:20 -0000

Author: rwatson
Date: Mon Oct 27 11:46:19 2008
New Revision: 184330
URL: http://svn.freebsd.org/changeset/base/184330

Log:
  Copy mac_bsdextended.c to two object-specific files as a prototype for how
  modularize MAC policy layout.
  
  Obtained from:	TrustedBSD Project

Added:
  head/sys/security/mac_bsdextended/ugidfw_system.c   (props changed)
     - copied unchanged from r184328, head/sys/security/mac_bsdextended/mac_bsdextended.c
  head/sys/security/mac_bsdextended/ugidfw_vnode.c   (props changed)
     - copied unchanged from r184328, head/sys/security/mac_bsdextended/mac_bsdextended.c

Copied: head/sys/security/mac_bsdextended/ugidfw_system.c (from r184328, head/sys/security/mac_bsdextended/mac_bsdextended.c)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/sys/security/mac_bsdextended/ugidfw_system.c	Mon Oct 27 11:46:19 2008	(r184330, copy of r184328, head/sys/security/mac_bsdextended/mac_bsdextended.c)
@@ -0,0 +1,768 @@
+/*-
+ * Copyright (c) 1999-2002, 2007 Robert N. M. Watson
+ * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
+ * Copyright (c) 2005 Tom Rhodes
+ * Copyright (c) 2006 SPARTA, Inc.
+ * All rights reserved.
+ *
+ * This software was developed by Robert Watson for the TrustedBSD Project.
+ * It was later enhanced by Tom Rhodes for the TrustedBSD Project.
+ *
+ * This software was developed for the FreeBSD Project in part by Network
+ * Associates Laboratories, the Security Research Division of Network
+ * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
+ * as part of the DARPA CHATS research program.
+ *
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract
+ * N66001-04-C-6019 ("SEFOS").
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+/*
+ * Developed by the TrustedBSD Project.
+ *
+ * "BSD Extended" MAC policy, allowing the administrator to impose mandatory
+ * firewall-like rules regarding users and file system objects.
+ */
+
+#include <sys/param.h>
+#include <sys/acl.h>
+#include <sys/kernel.h>
+#include <sys/jail.h>
+#include <sys/lock.h>
+#include <sys/malloc.h>
+#include <sys/module.h>
+#include <sys/mount.h>
+#include <sys/mutex.h>
+#include <sys/priv.h>
+#include <sys/systm.h>
+#include <sys/vnode.h>
+#include <sys/sysctl.h>
+#include <sys/syslog.h>
+#include <sys/stat.h>
+
+#include <security/mac/mac_policy.h>
+#include <security/mac_bsdextended/mac_bsdextended.h>
+
+static struct mtx ugidfw_mtx;
+
+SYSCTL_DECL(_security_mac);
+
+SYSCTL_NODE(_security_mac, OID_AUTO, bsdextended, CTLFLAG_RW, 0,
+    "TrustedBSD extended BSD MAC policy controls");
+
+static int	ugidfw_enabled = 1;
+SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, enabled, CTLFLAG_RW,
+    &ugidfw_enabled, 0, "Enforce extended BSD policy");
+TUNABLE_INT("security.mac.bsdextended.enabled", &ugidfw_enabled);
+
+MALLOC_DEFINE(M_MACBSDEXTENDED, "mac_bsdextended", "BSD Extended MAC rule");
+
+#define	MAC_BSDEXTENDED_MAXRULES	250
+static struct mac_bsdextended_rule *rules[MAC_BSDEXTENDED_MAXRULES];
+static int rule_count = 0;
+static int rule_slots = 0;
+static int rule_version = MB_VERSION;
+
+SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, rule_count, CTLFLAG_RD,
+    &rule_count, 0, "Number of defined rules\n");
+SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, rule_slots, CTLFLAG_RD,
+    &rule_slots, 0, "Number of used rule slots\n");
+SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, rule_version, CTLFLAG_RD,
+    &rule_version, 0, "Version number for API\n");
+
+/*
+ * This is just used for logging purposes, eventually we would like to log
+ * much more then failed requests.
+ */
+static int ugidfw_logging;
+SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, logging, CTLFLAG_RW,
+    &ugidfw_logging, 0, "Log failed authorization requests");
+
+/*
+ * This tunable is here for compatibility.  It will allow the user to switch
+ * between the new mode (first rule matches) and the old functionality (all
+ * rules match).
+ */
+static int ugidfw_firstmatch_enabled;
+SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, firstmatch_enabled,
+    CTLFLAG_RW, &ugidfw_firstmatch_enabled, 1,
+    "Disable/enable match first rule functionality");
+
+static int
+ugidfw_rule_valid(struct mac_bsdextended_rule *rule)
+{
+
+	if ((rule->mbr_subject.mbs_flags | MBS_ALL_FLAGS) != MBS_ALL_FLAGS)
+		return (EINVAL);
+	if ((rule->mbr_subject.mbs_neg | MBS_ALL_FLAGS) != MBS_ALL_FLAGS)
+		return (EINVAL);
+	if ((rule->mbr_object.mbo_flags | MBO_ALL_FLAGS) != MBO_ALL_FLAGS)
+		return (EINVAL);
+	if ((rule->mbr_object.mbo_neg | MBO_ALL_FLAGS) != MBO_ALL_FLAGS)
+		return (EINVAL);
+	if ((rule->mbr_object.mbo_neg | MBO_TYPE_DEFINED) &&
+	    (rule->mbr_object.mbo_type | MBO_ALL_TYPE) != MBO_ALL_TYPE)
+		return (EINVAL);
+	if ((rule->mbr_mode | MBI_ALLPERM) != MBI_ALLPERM)
+		return (EINVAL);
+	return (0);
+}
+
+static int
+sysctl_rule(SYSCTL_HANDLER_ARGS)
+{
+	struct mac_bsdextended_rule temprule, *ruleptr;
+	u_int namelen;
+	int error, index, *name;
+
+	error = 0;
+	name = (int *)arg1;
+	namelen = arg2;
+	if (namelen != 1)
+		return (EINVAL);
+	index = name[0];
+        if (index >= MAC_BSDEXTENDED_MAXRULES)
+		return (ENOENT);
+
+	ruleptr = NULL;
+	if (req->newptr && req->newlen != 0) {
+		error = SYSCTL_IN(req, &temprule, sizeof(temprule));
+		if (error)
+			return (error);
+		ruleptr = malloc(sizeof(*ruleptr), M_MACBSDEXTENDED,
+		    M_WAITOK | M_ZERO);
+	}
+
+	mtx_lock(&ugidfw_mtx);
+	if (req->oldptr) {
+		if (index < 0 || index > rule_slots + 1) {
+			error = ENOENT;
+			goto out;
+		}
+		if (rules[index] == NULL) {
+			error = ENOENT;
+			goto out;
+		}
+		temprule = *rules[index];
+	}
+	if (req->newptr && req->newlen == 0) {
+		KASSERT(ruleptr == NULL, ("sysctl_rule: ruleptr != NULL"));
+		ruleptr = rules[index];
+		if (ruleptr == NULL) {
+			error = ENOENT;
+			goto out;
+		}
+		rule_count--;
+		rules[index] = NULL;
+	} else if (req->newptr) {
+		error = ugidfw_rule_valid(&temprule);
+		if (error)
+			goto out;
+		if (rules[index] == NULL) {
+			*ruleptr = temprule;
+			rules[index] = ruleptr;
+			ruleptr = NULL;
+			if (index + 1 > rule_slots)
+				rule_slots = index + 1;
+			rule_count++;
+		} else
+			*rules[index] = temprule;
+	}
+out:
+	mtx_unlock(&ugidfw_mtx);
+	if (ruleptr != NULL)
+		free(ruleptr, M_MACBSDEXTENDED);
+	if (req->oldptr && error == 0)
+		error = SYSCTL_OUT(req, &temprule, sizeof(temprule));
+	return (error);
+}
+
+SYSCTL_NODE(_security_mac_bsdextended, OID_AUTO, rules, CTLFLAG_RW,
+    sysctl_rule, "BSD extended MAC rules");
+
+static void
+ugidfw_init(struct mac_policy_conf *mpc)
+{
+
+	mtx_init(&ugidfw_mtx, "mac_bsdextended lock", NULL, MTX_DEF);
+}
+
+static void
+ugidfw_destroy(struct mac_policy_conf *mpc)
+{
+
+	mtx_destroy(&ugidfw_mtx);
+}
+
+static int
+ugidfw_rulecheck(struct mac_bsdextended_rule *rule,
+    struct ucred *cred, struct vnode *vp, struct vattr *vap, int acc_mode)
+{
+	int mac_granted, match, priv_granted;
+	int i;
+
+	/*
+	 * Is there a subject match?
+	 */
+	mtx_assert(&ugidfw_mtx, MA_OWNED);
+	if (rule->mbr_subject.mbs_flags & MBS_UID_DEFINED) {
+		match =  ((cred->cr_uid <= rule->mbr_subject.mbs_uid_max &&
+		    cred->cr_uid >= rule->mbr_subject.mbs_uid_min) ||
+		    (cred->cr_ruid <= rule->mbr_subject.mbs_uid_max &&
+		    cred->cr_ruid >= rule->mbr_subject.mbs_uid_min) ||
+		    (cred->cr_svuid <= rule->mbr_subject.mbs_uid_max &&
+		    cred->cr_svuid >= rule->mbr_subject.mbs_uid_min));
+		if (rule->mbr_subject.mbs_neg & MBS_UID_DEFINED)
+			match = !match;
+		if (!match)
+			return (0);
+	}
+
+	if (rule->mbr_subject.mbs_flags & MBS_GID_DEFINED) {
+		match = ((cred->cr_rgid <= rule->mbr_subject.mbs_gid_max &&
+		    cred->cr_rgid >= rule->mbr_subject.mbs_gid_min) ||
+		    (cred->cr_svgid <= rule->mbr_subject.mbs_gid_max &&
+		    cred->cr_svgid >= rule->mbr_subject.mbs_gid_min));
+		if (!match) {
+			for (i = 0; i < cred->cr_ngroups; i++) {
+				if (cred->cr_groups[i]
+				    <= rule->mbr_subject.mbs_gid_max &&
+				    cred->cr_groups[i]
+				    >= rule->mbr_subject.mbs_gid_min) {
+					match = 1;
+					break;
+				}
+			}
+		}
+		if (rule->mbr_subject.mbs_neg & MBS_GID_DEFINED)
+			match = !match;
+		if (!match)
+			return (0);
+	}
+
+	if (rule->mbr_subject.mbs_flags & MBS_PRISON_DEFINED) {
+		match = (cred->cr_prison != NULL &&
+		    cred->cr_prison->pr_id == rule->mbr_subject.mbs_prison);
+		if (rule->mbr_subject.mbs_neg & MBS_PRISON_DEFINED)
+			match = !match;
+		if (!match)
+			return (0);
+	}
+
+	/*
+	 * Is there an object match?
+	 */
+	if (rule->mbr_object.mbo_flags & MBO_UID_DEFINED) {
+		match = (vap->va_uid <= rule->mbr_object.mbo_uid_max &&
+		    vap->va_uid >= rule->mbr_object.mbo_uid_min);
+		if (rule->mbr_object.mbo_neg & MBO_UID_DEFINED)
+			match = !match;
+		if (!match)
+			return (0);
+	}
+
+	if (rule->mbr_object.mbo_flags & MBO_GID_DEFINED) {
+		match = (vap->va_gid <= rule->mbr_object.mbo_gid_max &&
+		    vap->va_gid >= rule->mbr_object.mbo_gid_min);
+		if (rule->mbr_object.mbo_neg & MBO_GID_DEFINED)
+			match = !match;
+		if (!match)
+			return (0);
+	}
+
+	if (rule->mbr_object.mbo_flags & MBO_FSID_DEFINED) {
+		match = (bcmp(&(vp->v_mount->mnt_stat.f_fsid),
+		    &(rule->mbr_object.mbo_fsid),
+		    sizeof(rule->mbr_object.mbo_fsid)) == 0);
+		if (rule->mbr_object.mbo_neg & MBO_FSID_DEFINED)
+			match = !match;
+		if (!match)
+			return (0);
+	}
+
+	if (rule->mbr_object.mbo_flags & MBO_SUID) {
+		match = (vap->va_mode & S_ISUID);
+		if (rule->mbr_object.mbo_neg & MBO_SUID)
+			match = !match;
+		if (!match)
+			return (0);
+	}
+
+	if (rule->mbr_object.mbo_flags & MBO_SGID) {
+		match = (vap->va_mode & S_ISGID);
+		if (rule->mbr_object.mbo_neg & MBO_SGID)
+			match = !match;
+		if (!match)
+			return (0);
+	}
+
+	if (rule->mbr_object.mbo_flags & MBO_UID_SUBJECT) {
+		match = (vap->va_uid == cred->cr_uid ||
+		    vap->va_uid == cred->cr_ruid ||
+		    vap->va_uid == cred->cr_svuid);
+		if (rule->mbr_object.mbo_neg & MBO_UID_SUBJECT)
+			match = !match;
+		if (!match)
+			return (0);
+	}
+
+	if (rule->mbr_object.mbo_flags & MBO_GID_SUBJECT) {
+		match = (groupmember(vap->va_gid, cred) ||
+		    vap->va_gid == cred->cr_rgid ||
+		    vap->va_gid == cred->cr_svgid);
+		if (rule->mbr_object.mbo_neg & MBO_GID_SUBJECT)
+			match = !match;
+		if (!match)
+			return (0);
+	}
+
+	if (rule->mbr_object.mbo_flags & MBO_TYPE_DEFINED) {
+		switch (vap->va_type) {
+		case VREG:
+			match = (rule->mbr_object.mbo_type & MBO_TYPE_REG);
+			break;
+		case VDIR:
+			match = (rule->mbr_object.mbo_type & MBO_TYPE_DIR);
+			break;
+		case VBLK:
+			match = (rule->mbr_object.mbo_type & MBO_TYPE_BLK);
+			break;
+		case VCHR:
+			match = (rule->mbr_object.mbo_type & MBO_TYPE_CHR);
+			break;
+		case VLNK:
+			match = (rule->mbr_object.mbo_type & MBO_TYPE_LNK);
+			break;
+		case VSOCK:
+			match = (rule->mbr_object.mbo_type & MBO_TYPE_SOCK);
+			break;
+		case VFIFO:
+			match = (rule->mbr_object.mbo_type & MBO_TYPE_FIFO);
+			break;
+		default:
+			match = 0;
+		}
+		if (rule->mbr_object.mbo_neg & MBO_TYPE_DEFINED)
+			match = !match;
+		if (!match)
+			return (0);
+	}
+
+	/*
+	 * MBI_APPEND should not be here as it should get converted to
+	 * MBI_WRITE.
+	 */
+	priv_granted = 0;
+	mac_granted = rule->mbr_mode;
+	if ((acc_mode & MBI_ADMIN) && (mac_granted & MBI_ADMIN) == 0 &&
+	    priv_check_cred(cred, PRIV_VFS_ADMIN, 0) == 0)
+		priv_granted |= MBI_ADMIN;
+	if ((acc_mode & MBI_EXEC) && (mac_granted & MBI_EXEC) == 0 &&
+	    priv_check_cred(cred, (vap->va_type == VDIR) ? PRIV_VFS_LOOKUP :
+	    PRIV_VFS_EXEC, 0) == 0)
+		priv_granted |= MBI_EXEC;
+	if ((acc_mode & MBI_READ) && (mac_granted & MBI_READ) == 0 &&
+	    priv_check_cred(cred, PRIV_VFS_READ, 0) == 0)
+		priv_granted |= MBI_READ;
+	if ((acc_mode & MBI_STAT) && (mac_granted & MBI_STAT) == 0 &&
+	    priv_check_cred(cred, PRIV_VFS_STAT, 0) == 0)
+		priv_granted |= MBI_STAT;
+	if ((acc_mode & MBI_WRITE) && (mac_granted & MBI_WRITE) == 0 &&
+	    priv_check_cred(cred, PRIV_VFS_WRITE, 0) == 0)
+		priv_granted |= MBI_WRITE;
+	/*
+	 * Is the access permitted?
+	 */
+	if (((mac_granted | priv_granted) & acc_mode) != acc_mode) {
+		if (ugidfw_logging)
+			log(LOG_AUTHPRIV, "mac_bsdextended: %d:%d request %d"
+			    " on %d:%d failed. \n", cred->cr_ruid,
+			    cred->cr_rgid, acc_mode, vap->va_uid,
+			    vap->va_gid);
+		return (EACCES);
+	}
+
+	/*
+	 * If the rule matched, permits access, and first match is enabled,
+	 * return success.
+	 */
+	if (ugidfw_firstmatch_enabled)
+		return (EJUSTRETURN);
+	else
+		return (0);
+}
+
+static int
+ugidfw_check(struct ucred *cred, struct vnode *vp, struct vattr *vap,
+    int acc_mode)
+{
+	int error, i;
+
+	/*
+	 * Since we do not separately handle append, map append to write.
+	 */
+	if (acc_mode & MBI_APPEND) {
+		acc_mode &= ~MBI_APPEND;
+		acc_mode |= MBI_WRITE;
+	}
+	mtx_lock(&ugidfw_mtx);
+	for (i = 0; i < rule_slots; i++) {
+		if (rules[i] == NULL)
+			continue;
+		error = ugidfw_rulecheck(rules[i], cred,
+		    vp, vap, acc_mode);
+		if (error == EJUSTRETURN)
+			break;
+		if (error) {
+			mtx_unlock(&ugidfw_mtx);
+			return (error);
+		}
+	}
+	mtx_unlock(&ugidfw_mtx);
+	return (0);
+}
+
+static int
+ugidfw_check_vp(struct ucred *cred, struct vnode *vp, int acc_mode)
+{
+	int error;
+	struct vattr vap;
+
+	if (!ugidfw_enabled)
+		return (0);
+	error = VOP_GETATTR(vp, &vap, cred);
+	if (error)
+		return (error);
+	return (ugidfw_check(cred, vp, &vap, acc_mode));
+}
+
+/*
+ * Object-specific entry point implementations are sorted alphabetically by
+ * object type and then by operation.
+ */
+static int
+ugidfw_system_check_acct(struct ucred *cred, struct vnode *vp,
+    struct label *vplabel)
+{
+
+	if (vp != NULL)
+		return (ugidfw_check_vp(cred, vp, MBI_WRITE));
+	else
+		return (0);
+}
+
+static int
+ugidfw_system_check_auditctl(struct ucred *cred, struct vnode *vp,
+    struct label *vplabel)
+{
+
+	if (vp != NULL)
+		return (ugidfw_check_vp(cred, vp, MBI_WRITE));
+	else
+		return (0);
+}
+
+static int
+ugidfw_system_check_swapon(struct ucred *cred, struct vnode *vp,
+    struct label *vplabel)
+{
+
+	return (ugidfw_check_vp(cred, vp, MBI_WRITE));
+}
+
+static int
+ugidfw_vnode_check_access(struct ucred *cred, struct vnode *vp,
+    struct label *vplabel, int acc_mode)
+{
+
+	return (ugidfw_check_vp(cred, vp, acc_mode));
+}
+
+static int
+ugidfw_vnode_check_chdir(struct ucred *cred, struct vnode *dvp,
+    struct label *dvplabel)
+{
+
+	return (ugidfw_check_vp(cred, dvp, MBI_EXEC));
+}
+
+static int
+ugidfw_vnode_check_chroot(struct ucred *cred, struct vnode *dvp,
+    struct label *dvplabel)
+{
+
+	return (ugidfw_check_vp(cred, dvp, MBI_EXEC));
+}
+
+static int
+ugidfw_check_create_vnode(struct ucred *cred, struct vnode *dvp,
+    struct label *dvplabel, struct componentname *cnp, struct vattr *vap)
+{
+
+	return (ugidfw_check_vp(cred, dvp, MBI_WRITE));
+}
+
+static int
+ugidfw_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp,
+    struct label *vplabel, acl_type_t type)
+{
+
+	return (ugidfw_check_vp(cred, vp, MBI_ADMIN));
+}
+
+static int
+ugidfw_vnode_check_deleteextattr(struct ucred *cred, struct vnode *vp,
+    struct label *vplabel, int attrnamespace, const char *name)
+{
+
+	return (ugidfw_check_vp(cred, vp, MBI_WRITE));
+}
+
+static int
+ugidfw_vnode_check_exec(struct ucred *cred, struct vnode *vp,
+    struct label *vplabel, struct image_params *imgp,
+    struct label *execlabel)
+{
+
+	return (ugidfw_check_vp(cred, vp, MBI_READ|MBI_EXEC));
+}
+
+static int
+ugidfw_vnode_check_getacl(struct ucred *cred, struct vnode *vp,
+    struct label *vplabel, acl_type_t type)
+{
+
+	return (ugidfw_check_vp(cred, vp, MBI_STAT));
+}
+
+static int
+ugidfw_vnode_check_getextattr(struct ucred *cred, struct vnode *vp,
+    struct label *vplabel, int attrnamespace, const char *name,
+    struct uio *uio)
+{
+
+	return (ugidfw_check_vp(cred, vp, MBI_READ));
+}
+
+static int
+ugidfw_vnode_check_link(struct ucred *cred, struct vnode *dvp,
+    struct label *dvplabel, struct vnode *vp, struct label *label,
+    struct componentname *cnp)
+{
+	int error;
+
+	error = ugidfw_check_vp(cred, dvp, MBI_WRITE);
+	if (error)
+		return (error);
+	error = ugidfw_check_vp(cred, vp, MBI_WRITE);
+	if (error)
+		return (error);
+	return (0);
+}
+
+static int
+ugidfw_vnode_check_listextattr(struct ucred *cred, struct vnode *vp,
+    struct label *vplabel, int attrnamespace)
+{
+
+	return (ugidfw_check_vp(cred, vp, MBI_READ));
+}
+
+static int
+ugidfw_vnode_check_lookup(struct ucred *cred, struct vnode *dvp,
+    struct label *dvplabel, struct componentname *cnp)
+{
+
+	return (ugidfw_check_vp(cred, dvp, MBI_EXEC));
+}
+
+static int
+ugidfw_vnode_check_open(struct ucred *cred, struct vnode *vp,
+    struct label *vplabel, int acc_mode)
+{
+
+	return (ugidfw_check_vp(cred, vp, acc_mode));
+}
+
+static int
+ugidfw_vnode_check_readdir(struct ucred *cred, struct vnode *dvp,
+    struct label *dvplabel)
+{
+
+	return (ugidfw_check_vp(cred, dvp, MBI_READ));
+}
+
+static int
+ugidfw_vnode_check_readdlink(struct ucred *cred, struct vnode *vp,
+    struct label *vplabel)
+{
+
+	return (ugidfw_check_vp(cred, vp, MBI_READ));
+}
+
+static int
+ugidfw_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp,
+    struct label *dvplabel, struct vnode *vp, struct label *vplabel,
+    struct componentname *cnp)
+{
+	int error;
+
+	error = ugidfw_check_vp(cred, dvp, MBI_WRITE);
+	if (error)
+		return (error);
+	return (ugidfw_check_vp(cred, vp, MBI_WRITE));
+}
+
+static int
+ugidfw_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp,
+    struct label *dvplabel, struct vnode *vp, struct label *vplabel,
+    int samedir, struct componentname *cnp)
+{
+	int error;
+
+	error = ugidfw_check_vp(cred, dvp, MBI_WRITE);
+	if (error)
+		return (error);
+	if (vp != NULL)
+		error = ugidfw_check_vp(cred, vp, MBI_WRITE);
+	return (error);
+}
+
+static int
+ugidfw_vnode_check_revoke(struct ucred *cred, struct vnode *vp,
+    struct label *vplabel)
+{
+
+	return (ugidfw_check_vp(cred, vp, MBI_ADMIN));
+}
+
+static int
+ugidfw_check_setacl_vnode(struct ucred *cred, struct vnode *vp,
+    struct label *vplabel, acl_type_t type, struct acl *acl)
+{
+
+	return (ugidfw_check_vp(cred, vp, MBI_ADMIN));
+}
+
+static int
+ugidfw_vnode_check_setextattr(struct ucred *cred, struct vnode *vp,
+    struct label *vplabel, int attrnamespace, const char *name,
+    struct uio *uio)
+{
+
+	return (ugidfw_check_vp(cred, vp, MBI_WRITE));
+}
+
+static int
+ugidfw_vnode_check_setflags(struct ucred *cred, struct vnode *vp,
+    struct label *vplabel, u_long flags)
+{
+
+	return (ugidfw_check_vp(cred, vp, MBI_ADMIN));
+}
+
+static int
+ugidfw_vnode_check_setmode(struct ucred *cred, struct vnode *vp,
+    struct label *vplabel, mode_t mode)
+{
+
+	return (ugidfw_check_vp(cred, vp, MBI_ADMIN));
+}
+
+static int
+ugidfw_vnode_check_setowner(struct ucred *cred, struct vnode *vp,
+    struct label *vplabel, uid_t uid, gid_t gid)
+{
+
+	return (ugidfw_check_vp(cred, vp, MBI_ADMIN));
+}
+
+static int
+ugidfw_vnode_check_setutimes(struct ucred *cred, struct vnode *vp,
+    struct label *vplabel, struct timespec atime, struct timespec utime)
+{
+
+	return (ugidfw_check_vp(cred, vp, MBI_ADMIN));
+}
+
+static int
+ugidfw_vnode_check_stat(struct ucred *active_cred,
+    struct ucred *file_cred, struct vnode *vp, struct label *vplabel)
+{
+
+	return (ugidfw_check_vp(active_cred, vp, MBI_STAT));
+}
+
+static int
+ugidfw_vnode_check_unlink(struct ucred *cred, struct vnode *dvp,
+    struct label *dvplabel, struct vnode *vp, struct label *vplabel,
+    struct componentname *cnp)
+{
+	int error;
+
+	error = ugidfw_check_vp(cred, dvp, MBI_WRITE);
+	if (error)
+		return (error);
+	return (ugidfw_check_vp(cred, vp, MBI_WRITE));
+}
+
+static struct mac_policy_ops ugidfw_ops =
+{
+	.mpo_destroy = ugidfw_destroy,
+	.mpo_init = ugidfw_init,
+	.mpo_system_check_acct = ugidfw_system_check_acct,
+	.mpo_system_check_auditctl = ugidfw_system_check_auditctl,
+	.mpo_system_check_swapon = ugidfw_system_check_swapon,
+	.mpo_vnode_check_access = ugidfw_vnode_check_access,
+	.mpo_vnode_check_chdir = ugidfw_vnode_check_chdir,
+	.mpo_vnode_check_chroot = ugidfw_vnode_check_chroot,
+	.mpo_vnode_check_create = ugidfw_check_create_vnode,
+	.mpo_vnode_check_deleteacl = ugidfw_vnode_check_deleteacl,
+	.mpo_vnode_check_deleteextattr = ugidfw_vnode_check_deleteextattr,
+	.mpo_vnode_check_exec = ugidfw_vnode_check_exec,
+	.mpo_vnode_check_getacl = ugidfw_vnode_check_getacl,
+	.mpo_vnode_check_getextattr = ugidfw_vnode_check_getextattr,
+	.mpo_vnode_check_link = ugidfw_vnode_check_link,
+	.mpo_vnode_check_listextattr = ugidfw_vnode_check_listextattr,
+	.mpo_vnode_check_lookup = ugidfw_vnode_check_lookup,
+	.mpo_vnode_check_open = ugidfw_vnode_check_open,
+	.mpo_vnode_check_readdir = ugidfw_vnode_check_readdir,
+	.mpo_vnode_check_readlink = ugidfw_vnode_check_readdlink,
+	.mpo_vnode_check_rename_from = ugidfw_vnode_check_rename_from,
+	.mpo_vnode_check_rename_to = ugidfw_vnode_check_rename_to,
+	.mpo_vnode_check_revoke = ugidfw_vnode_check_revoke,
+	.mpo_vnode_check_setacl = ugidfw_check_setacl_vnode,
+	.mpo_vnode_check_setextattr = ugidfw_vnode_check_setextattr,
+	.mpo_vnode_check_setflags = ugidfw_vnode_check_setflags,
+	.mpo_vnode_check_setmode = ugidfw_vnode_check_setmode,
+	.mpo_vnode_check_setowner = ugidfw_vnode_check_setowner,
+	.mpo_vnode_check_setutimes = ugidfw_vnode_check_setutimes,
+	.mpo_vnode_check_stat = ugidfw_vnode_check_stat,
+	.mpo_vnode_check_unlink = ugidfw_vnode_check_unlink,
+};
+
+MAC_POLICY_SET(&ugidfw_ops, mac_bsdextended, "TrustedBSD MAC/BSD Extended",
+    MPC_LOADTIME_FLAG_UNLOADOK, NULL, 0);

Copied: head/sys/security/mac_bsdextended/ugidfw_vnode.c (from r184328, head/sys/security/mac_bsdextended/mac_bsdextended.c)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/sys/security/mac_bsdextended/ugidfw_vnode.c	Mon Oct 27 11:46:19 2008	(r184330, copy of r184328, head/sys/security/mac_bsdextended/mac_bsdextended.c)
@@ -0,0 +1,768 @@
+/*-
+ * Copyright (c) 1999-2002, 2007 Robert N. M. Watson
+ * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
+ * Copyright (c) 2005 Tom Rhodes
+ * Copyright (c) 2006 SPARTA, Inc.
+ * All rights reserved.
+ *
+ * This software was developed by Robert Watson for the TrustedBSD Project.
+ * It was later enhanced by Tom Rhodes for the TrustedBSD Project.
+ *
+ * This software was developed for the FreeBSD Project in part by Network
+ * Associates Laboratories, the Security Research Division of Network
+ * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
+ * as part of the DARPA CHATS research program.
+ *
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract
+ * N66001-04-C-6019 ("SEFOS").
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+/*
+ * Developed by the TrustedBSD Project.
+ *
+ * "BSD Extended" MAC policy, allowing the administrator to impose mandatory
+ * firewall-like rules regarding users and file system objects.
+ */
+
+#include <sys/param.h>
+#include <sys/acl.h>
+#include <sys/kernel.h>
+#include <sys/jail.h>
+#include <sys/lock.h>
+#include <sys/malloc.h>
+#include <sys/module.h>
+#include <sys/mount.h>
+#include <sys/mutex.h>
+#include <sys/priv.h>
+#include <sys/systm.h>
+#include <sys/vnode.h>
+#include <sys/sysctl.h>
+#include <sys/syslog.h>
+#include <sys/stat.h>
+
+#include <security/mac/mac_policy.h>
+#include <security/mac_bsdextended/mac_bsdextended.h>
+
+static struct mtx ugidfw_mtx;
+
+SYSCTL_DECL(_security_mac);
+
+SYSCTL_NODE(_security_mac, OID_AUTO, bsdextended, CTLFLAG_RW, 0,
+    "TrustedBSD extended BSD MAC policy controls");
+
+static int	ugidfw_enabled = 1;
+SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, enabled, CTLFLAG_RW,
+    &ugidfw_enabled, 0, "Enforce extended BSD policy");
+TUNABLE_INT("security.mac.bsdextended.enabled", &ugidfw_enabled);
+
+MALLOC_DEFINE(M_MACBSDEXTENDED, "mac_bsdextended", "BSD Extended MAC rule");
+
+#define	MAC_BSDEXTENDED_MAXRULES	250
+static struct mac_bsdextended_rule *rules[MAC_BSDEXTENDED_MAXRULES];
+static int rule_count = 0;
+static int rule_slots = 0;
+static int rule_version = MB_VERSION;
+
+SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, rule_count, CTLFLAG_RD,
+    &rule_count, 0, "Number of defined rules\n");
+SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, rule_slots, CTLFLAG_RD,
+    &rule_slots, 0, "Number of used rule slots\n");
+SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, rule_version, CTLFLAG_RD,
+    &rule_version, 0, "Version number for API\n");
+
+/*
+ * This is just used for logging purposes, eventually we would like to log
+ * much more then failed requests.
+ */
+static int ugidfw_logging;
+SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, logging, CTLFLAG_RW,
+    &ugidfw_logging, 0, "Log failed authorization requests");
+
+/*
+ * This tunable is here for compatibility.  It will allow the user to switch
+ * between the new mode (first rule matches) and the old functionality (all
+ * rules match).
+ */
+static int ugidfw_firstmatch_enabled;
+SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, firstmatch_enabled,
+    CTLFLAG_RW, &ugidfw_firstmatch_enabled, 1,
+    "Disable/enable match first rule functionality");
+
+static int
+ugidfw_rule_valid(struct mac_bsdextended_rule *rule)
+{
+
+	if ((rule->mbr_subject.mbs_flags | MBS_ALL_FLAGS) != MBS_ALL_FLAGS)
+		return (EINVAL);
+	if ((rule->mbr_subject.mbs_neg | MBS_ALL_FLAGS) != MBS_ALL_FLAGS)
+		return (EINVAL);
+	if ((rule->mbr_object.mbo_flags | MBO_ALL_FLAGS) != MBO_ALL_FLAGS)
+		return (EINVAL);
+	if ((rule->mbr_object.mbo_neg | MBO_ALL_FLAGS) != MBO_ALL_FLAGS)
+		return (EINVAL);
+	if ((rule->mbr_object.mbo_neg | MBO_TYPE_DEFINED) &&
+	    (rule->mbr_object.mbo_type | MBO_ALL_TYPE) != MBO_ALL_TYPE)
+		return (EINVAL);
+	if ((rule->mbr_mode | MBI_ALLPERM) != MBI_ALLPERM)
+		return (EINVAL);
+	return (0);
+}
+
+static int
+sysctl_rule(SYSCTL_HANDLER_ARGS)
+{
+	struct mac_bsdextended_rule temprule, *ruleptr;
+	u_int namelen;
+	int error, index, *name;
+
+	error = 0;
+	name = (int *)arg1;
+	namelen = arg2;
+	if (namelen != 1)
+		return (EINVAL);
+	index = name[0];
+        if (index >= MAC_BSDEXTENDED_MAXRULES)
+		return (ENOENT);
+
+	ruleptr = NULL;
+	if (req->newptr && req->newlen != 0) {
+		error = SYSCTL_IN(req, &temprule, sizeof(temprule));
+		if (error)
+			return (error);
+		ruleptr = malloc(sizeof(*ruleptr), M_MACBSDEXTENDED,
+		    M_WAITOK | M_ZERO);
+	}
+
+	mtx_lock(&ugidfw_mtx);
+	if (req->oldptr) {
+		if (index < 0 || index > rule_slots + 1) {
+			error = ENOENT;
+			goto out;
+		}
+		if (rules[index] == NULL) {
+			error = ENOENT;
+			goto out;
+		}
+		temprule = *rules[index];
+	}
+	if (req->newptr && req->newlen == 0) {
+		KASSERT(ruleptr == NULL, ("sysctl_rule: ruleptr != NULL"));
+		ruleptr = rules[index];
+		if (ruleptr == NULL) {
+			error = ENOENT;
+			goto out;
+		}
+		rule_count--;
+		rules[index] = NULL;
+	} else if (req->newptr) {
+		error = ugidfw_rule_valid(&temprule);
+		if (error)
+			goto out;
+		if (rules[index] == NULL) {
+			*ruleptr = temprule;
+			rules[index] = ruleptr;
+			ruleptr = NULL;
+			if (index + 1 > rule_slots)
+				rule_slots = index + 1;
+			rule_count++;
+		} else
+			*rules[index] = temprule;
+	}
+out:
+	mtx_unlock(&ugidfw_mtx);
+	if (ruleptr != NULL)
+		free(ruleptr, M_MACBSDEXTENDED);
+	if (req->oldptr && error == 0)
+		error = SYSCTL_OUT(req, &temprule, sizeof(temprule));
+	return (error);
+}
+
+SYSCTL_NODE(_security_mac_bsdextended, OID_AUTO, rules, CTLFLAG_RW,
+    sysctl_rule, "BSD extended MAC rules");
+
+static void
+ugidfw_init(struct mac_policy_conf *mpc)
+{
+
+	mtx_init(&ugidfw_mtx, "mac_bsdextended lock", NULL, MTX_DEF);
+}
+
+static void
+ugidfw_destroy(struct mac_policy_conf *mpc)
+{
+
+	mtx_destroy(&ugidfw_mtx);
+}
+
+static int
+ugidfw_rulecheck(struct mac_bsdextended_rule *rule,
+    struct ucred *cred, struct vnode *vp, struct vattr *vap, int acc_mode)
+{
+	int mac_granted, match, priv_granted;
+	int i;
+

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***