Date: Tue, 14 Nov 2006 19:13:14 GMT From: Todd Miller <millert@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 109974 for review Message-ID: <200611141913.kAEJDEJd018445@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=109974 Change 109974 by millert@millert_g5tower on 2006/11/14 19:12:13 Sort mac_policy.h and mac_framework.h. Add mac_mount_check_fsctl() and mac_vnode_check_ioctl(). Affected files ... .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/vfs/vfs_syscalls.c#13 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/vfs/vfs_vnops.c#6 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_framework.h#17 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_policy.h#26 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_vfs.c#19 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/sorted-framework.vim#1 add .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/sorted-policynames.vim#4 edit .. //depot/projects/trustedbsd/sedarwin8/policies/mls/mac_mls.c#21 edit Differences ... ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/vfs/vfs_syscalls.c#13 (text+ko) ==== @@ -5329,6 +5329,15 @@ NDINIT(&nd, LOOKUP, nameiflags, UIO_USERSPACE, uap->path, &context); if ((error = namei(&nd))) goto FSCtl_Exit; +#ifdef MAC + error = mac_mount_check_fsctl(context.vc_ucred, vnode_mount(nd.ni_vp), cmd, data); + if (error) { + vnode_put(nd.ni_vp); + nameidone(&nd); + goto FSCtl_Exit; + } +#endif + /* Invoke the filesystem-specific code */ error = VNOP_IOCTL(nd.ni_vp, IOCBASECMD(cmd), data, uap->options, &context); ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/vfs/vfs_vnops.c#6 (text+ko) ==== @@ -848,6 +848,12 @@ context.vc_proc = p; context.vc_ucred = p->p_ucred; /* XXX kauth_cred_get() ??? */ +#ifdef MAC + error = mac_vnode_check_ioctl(context.vc_ucred, vp, com, data); + if (error) + goto out; +#endif + switch (vp->v_type) { case VREG: ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_framework.h#17 (text+ko) ==== 
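Review bot: The policy is handed the unmasked `cmd` while the filesystem below receives `IOCBASECMD(cmd)`, so a policy that keys on the command number has to strip the direction and size bits itself; that asymmetry deserves a comment at the new call, e.g. `/* policies see the full ioctl encoding, not IOCBASECMD(cmd) */`. The prototype added in mac_framework.h declares the command as `int com`, so `cmd` (declared outside the hunk) may be narrowed at this call if it is an unsigned long like the sibling mac_file_check_ioctl() parameter. The failure path releases nd.ni_vp and calls nameidone() inline; if the code after VNOP_IOCTL() performs the same release (it is outside the hunk), the two sequences will have to be kept in step. fsctl() starts and ends outside the hunk.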
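Review bot: The new access check decides on `context.vc_ucred`, which the line above fills from `p->p_ucred` under an unresolved `XXX kauth_cred_get() ???` comment, so the MAC ioctl decision inherits that open question; until it is settled the comment should say so, e.g. `/* XXX kauth_cred_get() ??? -- also the subject credential for the MAC ioctl check below */`. `goto out` jumps to a label outside the hunk; that path presumably drops the vnode reference obtained before this point, which is what a denied request needs, but it is worth confirming. The enclosing vn_ioctl() starts and ends outside the hunk.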
@@ -36,6 +36,7 @@ * SUCH DAMAGE. * * $FreeBSD: src/sys/sys/mac.h,v 1.40 2003/04/18 19:57:37 rwatson Exp $ + * */ /* * Kernel interface for Mandatory Access Control -- how kernel services 
@@ -81,293 +82,177 @@ struct pipe; struct task; -/* - * Framework initialization. - */ -void mac_policy_initbsd(void); +/*@ macros */ +#define VNODE_LABEL_CREATE 1 +#define VNODE_LABEL_NEEDREF 2 +#define mac_task_label_update_cred(cred, task) \ + mac_task_label_update_internal(((cred)->cr_label), task) -/* - * Label operations. - */ -void mac_cred_label_init(struct ucred *); -void mac_devfs_label_init(struct devnode *); -void mac_file_label_init(struct fileglob *fg); -int mac_mbuf_label_init(struct mbuf *, int); -int mac_mbuf_tag_init(struct m_tag *, int); -void mac_mount_label_init(struct mount *); -void mac_pipe_label_init(struct pipe *cpipe); -void mac_posixsem_label_init(struct pseminfo *); -void mac_posixshm_label_init(struct pshminfo *); -void mac_proc_label_init(struct proc *); -int mac_socket_label_init(struct socket *, int waitok); -void mac_sysvmsg_label_init(struct msg *); -void mac_sysvmsq_label_init(struct msqid_kernel *msqptr); -void mac_sysvsem_label_init(struct semid_kernel*); -void mac_sysvshm_label_init(struct shmid_kernel*); -void mac_vnode_label_init(struct vnode *vp); -void mac_vnode_label_copy(struct label *, struct label *label); -void mac_devfs_label_copy(struct label *, struct label *label); -void mac_mbuf_tag_copy(struct m_tag *, struct m_tag *); -void mac_mbuf_label_copy(struct mbuf *m_from, struct mbuf *m_to); -void mac_socket_label_copy(struct label *from, struct label *to); -void mac_file_label_associate(struct ucred *cred, struct fileglob *fg); -void mac_cred_label_destroy(struct ucred *); -void mac_devfs_label_destroy(struct devnode *); -void mac_file_label_destroy(struct fileglob *fg); -void mac_mbuf_label_destroy(struct mbuf *); -void mac_mbuf_tag_destroy(struct m_tag *); -void mac_mount_label_destroy(struct mount *); -void mac_pipe_label_destroy(struct pipe *cpipe); -void mac_posixsem_label_destroy(struct pseminfo *); -void mac_posixshm_label_destroy(struct pshminfo *); -void mac_proc_label_destroy(struct proc *); -void 
mac_socket_label_destroy(struct socket *); -void mac_sysvsem_label_destroy(struct semid_kernel *); -void mac_sysvshm_label_destroy(struct shmid_kernel *); -void mac_vnode_label_destroy(struct vnode *); -int mac_mount_label_internalize(struct label *, char *string); -int mac_mount_label_externalize(struct label *label, char *elements, - char *outbuf, size_t outbuflen); -int mac_mount_label_get(struct mount *mp, user_addr_t mac_p); - +/*@ === */ +int mac_audit_check_postselect(struct ucred *cred, unsigned short syscode, + void *args, int error, int retval, int mac_forced); +int mac_audit_check_preselect(struct ucred *cred, unsigned short syscode, + void *args); +int mac_cred_check_label_update(struct ucred *cred, + struct label *newlabel); +int mac_cred_check_label_update_execve(struct ucred *old, + struct vnode *vp, struct label *scriptvnodelabel, + struct label *execlabel, struct proc *proc); +int mac_cred_check_visible(struct ucred *u1, struct ucred *u2); struct label *mac_cred_label_alloc(void); -void mac_cred_label_free(struct label *label); -int mac_cred_label_externalize_audit(struct proc *p, struct mac *mac); -struct label *mac_vnode_label_alloc(void); -void mac_vnode_label_free(struct label *label); -int mac_vnode_label_externalize_audit(struct vnode *vp, struct mac *mac); -struct label *mac_lctx_label_alloc(void); -void mac_lctx_label_free(struct label *label); - -#define mac_task_label_update_cred(cred, task) \ - mac_task_label_update_internal(((cred)->cr_label), task) - -/* - * Labeling event operations: file system objects, and things that - * look a lot like file system objects. 
- */ -int mac_vnode_label_associate(struct mount *mp, struct vnode *vp, vfs_context_t ctx); -void mac_vnode_label_associate_devfs(struct mount *mp, struct devnode *de, - struct vnode *vp); -int mac_vnode_label_associate_extattr(struct mount *mp, struct vnode *vp); -void mac_vnode_label_associate_singlelabel(struct mount *mp, struct vnode *vp); -int mac_vnode_label_associate_fdesc(struct mount *mp, struct fdescnode *fnp, - struct vnode *vp, vfs_context_t ctx); +void mac_cred_label_associate(struct ucred *cred_parent, + struct ucred *cred_child); +void mac_cred_label_associate_kernel(struct ucred *cred); +void mac_cred_label_associate_user(struct ucred *cred); +void mac_cred_label_destroy(struct ucred *cred); +int mac_cred_label_externalize_audit(struct proc *p, struct mac *mac); +void mac_cred_label_free(struct label *label); +void mac_cred_label_init(struct ucred *cred); +void mac_cred_label_update(struct ucred *cred, struct label *newlabel); +void mac_cred_label_update_execve(struct ucred *old, struct ucred *newcred, + struct vnode *vp, struct label *scriptvnodelabel, + struct label *execlabel); void mac_devfs_label_associate_device(dev_t dev, struct devnode *de, const char *fullpath); void mac_devfs_label_associate_directory(char *dirname, int dirnamelen, struct devnode *de, const char *fullpath); -int mac_vnode_notify_create(struct ucred *cred, struct mount *mp, - struct vnode *dvp, struct vnode *vp, struct componentname *cnp); -void mac_mount_label_associate(struct ucred *cred, struct mount *mp); -void mac_vnode_label_update(struct ucred *cred, struct vnode *vp, - struct label *newlabel); -void mac_vnode_label_update_extattr(struct mount *mp, struct vnode *vp, - const char *name); +void mac_devfs_label_copy(struct label *, struct label *label); +void mac_devfs_label_destroy(struct devnode *de); +void mac_devfs_label_init(struct devnode *de); void mac_devfs_label_update(struct mount *mp, struct devnode *de, struct vnode *vp); - -#define VNODE_LABEL_CREATE 1 
-#define VNODE_LABEL_NEEDREF 2 -int vnode_label(struct mount *mp, struct vnode *dvp, struct vnode *vp, - struct componentname *cnp, int flags, vfs_context_t ctx); -int vnode_label1(struct vnode *vp); -void vnode_relabel(struct vnode *vp); - -/* - * Labeling event operations: Posix IPC primitives - */ -void mac_posixsem_label_associate(struct ucred *cred, struct pseminfo *psem, - const char *name); -void mac_posixshm_label_associate(struct ucred *cred, struct pshminfo *pshm, - const char *name); - -/* - * Labeling event operations: sockets and network IPC - * - * Note: all functions involving sockets (and other network objects yet to be - * implemented) hold (and rely on) the NETWORK_FUNNEL as opposed to the - * KERNEL_FUNNEL. When reading/writing kernel network objects, be sure to - * hold the NETWORK_FUNNEL. When reading/writing other types of kernel - * objects (vnode for example), be sure to hold the KERNEL_FUNNEL. - * - * XXX: Note that cred can be NULL in mac_socket_label_associate() in Darwin. 
- */ -void mac_socket_label_associate(struct ucred *cred, struct socket *so); -void mac_socket_label_associate_accept(struct socket *oldsocket, - struct socket *newsocket); -void mac_mbuf_label_associate_bpfdesc(struct bpf_d *bpf_d, struct mbuf *m); -void mac_mbuf_label_associate_ifnet(struct ifnet *ifp, struct mbuf *m); -void mac_mbuf_label_associate_socket(struct socket *so, struct mbuf *m); -void mac_socketpeer_label_associate_socket(struct socket *peersocket, - struct socket *socket_to_modify); - -/* - * Labeling event operations: System V IPC primitives - */ -void mac_sysvmsg_label_associate(struct ucred *cred, - struct msqid_kernel *msqptr, struct msg *msgptr); -void mac_sysvmsq_label_associate(struct ucred *cred, - struct msqid_kernel *msqptr); -void mac_sysvsem_label_associate(struct ucred *cred, - struct semid_kernel *semakptr); -void mac_sysvshm_label_associate(struct ucred *cred, - struct shmid_kernel *shmsegptr); - -/* - * Labeling event operations: processes. - */ -void mac_cred_label_update(struct ucred *cred, struct label *newlabel); -void mac_cred_label_associate(struct ucred *cred_parent, struct ucred *cred_child); int mac_execve_enter(user_addr_t mac_p, struct label *execlabel); -#if 0 -void mac_execve_exit(struct image_params *imgp); -#endif -void mac_cred_label_update_execve(struct ucred *old, struct ucred *newcred, - struct vnode *vp, struct label *scriptvnodelabel, - struct label *execlabel); -int mac_cred_check_label_update_execve(struct ucred *old, struct vnode *vp, - struct label *scriptvnodelabel, struct label *execlabel, - struct proc *p); -void mac_cred_label_associate_kernel(struct ucred *cred); -void mac_cred_label_associate_user(struct ucred *cred); -#if 0 -void mac_thread_userret(struct uthread *td); -#endif - -void mac_lctx_label_update(struct lctx *l, struct label *newlabel); - -/* - * Labeling operations for pipes. 
- */ -struct label *mac_pipe_label_alloc(void); -void mac_pipe_label_free(struct label *label); -void mac_pipe_label_copy(struct label *src, struct label *dest); -void mac_pipe_label_associate(struct ucred *cred, struct pipe *cpipe); -int mac_pipe_label_update(struct ucred *cred, struct pipe *cpipe, - struct label *label); - -/* - * Label cleanup operation: This is the inverse complement for the mac_create - * and associate type of hooks. This hook lets the policy module(s) perform - * a cleanup/flushing operation on the label associated with the objects, - * without freeing up the space allocated. This hook is useful in cases - * where it is desirable to remove any labeling reference when recycling any - * object to a pool. This hook does not replace the mac_destroy hooks. - */ -void mac_sysvmsg_label_recycle(struct msg *msgptr); -void mac_sysvmsq_label_recycle(struct msqid_kernel *msqptr); -void mac_sysvsem_label_recycle(struct semid_kernel *semakptr); -void mac_sysvshm_label_recycle(struct shmid_kernel *shmsegptr); -void mac_vnode_label_recycle(struct vnode *vp); - -/* - * Access control checks. 
- */ -int mac_cred_check_label_update(struct ucred *cred, struct label *newlabel); -int mac_cred_check_visible(struct ucred *u1, struct ucred *u2); -int mac_lctx_check_label_update(struct lctx *l, struct label *newlabel); -int mac_posixsem_check_create(struct ucred *cred, const char *name); -int mac_posixsem_check_open(struct ucred *cred, struct pseminfo *ps); -int mac_posixsem_check_post(struct ucred *cred, struct pseminfo *ps); -int mac_posixsem_check_unlink(struct ucred *cred, struct pseminfo *ps, - const char *name); -int mac_posixsem_check_wait(struct ucred *cred, struct pseminfo *ps); -int mac_posixshm_check_create(struct ucred *cred, const char *name); -int mac_posixshm_check_open(struct ucred *cred, struct pshminfo *ps); -int mac_posixshm_check_mmap(struct ucred *cred, struct pshminfo *ps, - int prot, int flags); -int mac_posixshm_check_stat(struct ucred *cred, struct pshminfo *ps); -int mac_posixshm_check_truncate(struct ucred *cred, struct pshminfo *ps, - size_t s); -int mac_posixshm_check_unlink(struct ucred *cred, struct pshminfo *ps, - const char *name); -int mac_sysvmsq_check_enqueue(struct ucred *cred, struct msg *msgptr, - struct msqid_kernel *msqptr); -int mac_sysvmsq_check_msgrcv(struct ucred *cred, struct msg *msgptr); -int mac_sysvmsq_check_msgrmid(struct ucred *cred, struct msg *msgptr); -int mac_sysvmsq_check_msqctl(struct ucred *cred, struct msqid_kernel *msqptr, - int cmd); -int mac_sysvmsq_check_msqget(struct ucred *cred, struct msqid_kernel *msqptr); -int mac_sysvmsq_check_msqsnd(struct ucred *cred, struct msqid_kernel *msqptr); -int mac_sysvmsq_check_msqrcv(struct ucred *cred, struct msqid_kernel *msqptr); -int mac_sysvsem_check_semctl(struct ucred *cred, - struct semid_kernel *semakptr, int cmd); +int mac_file_check_change_flags(struct ucred *cred, struct fileglob *fg, + u_int oldflags, u_int newflags); +int mac_file_check_change_offset(struct ucred *cred, struct fileglob *fg); +int mac_file_check_change_ofileflags(struct ucred *cred, + 
struct fileglob *fg, char oldflags, char newflags); +int mac_file_check_create(struct ucred *cred); +int mac_file_check_dup(struct ucred *cred, struct fileglob *fg, int newfd); int mac_file_check_fcntl(struct ucred *cred, struct fileglob *fg, int cmd, long arg); int mac_file_check_get(struct ucred *cred, struct fileglob *fg, char *elements, int len); -int mac_file_check_create(struct ucred *cred); -int mac_file_check_dup(struct ucred *cred, struct fileglob *fg, int newfd); -int mac_file_check_ioctl(struct ucred *cred, struct fileglob *fg, - u_long com, void *data); -int mac_file_check_inherit(struct ucred *cred, struct fileglob *fg); -int mac_file_check_receive(struct ucred *cred, struct fileglob *fg); int mac_file_check_get_flags(struct ucred *cred, struct fileglob *fg, u_int flags); +int mac_file_check_get_offset(struct ucred *cred, struct fileglob *fg); int mac_file_check_get_ofileflags(struct ucred *cred, struct fileglob *fg, char flags); -int mac_file_check_change_flags(struct ucred *cred, struct fileglob *fg, - u_int oldflags, u_int newflags); -int mac_file_check_change_ofileflags(struct ucred *cred, - struct fileglob *fg, char oldflags, char newflags); -int mac_file_check_get_offset(struct ucred *cred, struct fileglob *fg); -int mac_file_check_change_offset(struct ucred *cred, struct fileglob *fg); +int mac_file_check_inherit(struct ucred *cred, struct fileglob *fg); +int mac_file_check_ioctl(struct ucred *cred, struct fileglob *fg, + u_long com, void *data); int mac_file_check_mmap(struct ucred *cred, struct fileglob *fg, int prot, int flags, int *maxprot); void mac_file_check_mmap_downgrade(struct ucred *cred, struct fileglob *fg, int *prot); +int mac_file_check_receive(struct ucred *cred, struct fileglob *fg); int mac_file_check_set(struct ucred *cred, struct fileglob *fg, char *buf, int buflen); -int mac_sysvsem_check_semget(struct ucred *cred, - struct semid_kernel *semakptr); -int mac_sysvsem_check_semop(struct ucred *cred,struct semid_kernel 
*semakptr, - size_t accesstype); -int mac_sysvshm_check_shmat(struct ucred *cred, - struct shmid_kernel *shmsegptr, int shmflg); -int mac_sysvshm_check_shmctl(struct ucred *cred, - struct shmid_kernel *shmsegptr, int cmd); -int mac_sysvshm_check_shmdt(struct ucred *cred, - struct shmid_kernel *shmsegptr); -int mac_sysvshm_check_shmget(struct ucred *cred, - struct shmid_kernel *shmsegptr, int shmflg); +void mac_file_label_associate(struct ucred *cred, struct fileglob *fg); +void mac_file_label_destroy(struct fileglob *fg); +void mac_file_label_init(struct fileglob *fg); +int mac_lctx_check_label_update(struct lctx *l, struct label *newlabel); +struct label *mac_lctx_label_alloc(void); +void mac_lctx_label_free(struct label *label); +void mac_lctx_label_update(struct lctx *l, struct label *newlabel); +void mac_lctx_notify_create(struct proc *proc, struct lctx *l); +void mac_lctx_notify_join(struct proc *proc, struct lctx *l); +void mac_lctx_notify_leave(struct proc *proc, struct lctx *l); +void mac_mbuf_label_associate_bpfdesc(struct bpf_d *bpf_d, struct mbuf *m); +void mac_mbuf_label_associate_ifnet(struct ifnet *ifp, struct mbuf *m); +void mac_mbuf_label_associate_socket(struct socket *so, struct mbuf *m); +void mac_mbuf_label_copy(struct mbuf *m_from, struct mbuf *m_to); +void mac_mbuf_label_destroy(struct mbuf *m); +int mac_mbuf_label_init(struct mbuf *m, int flag); +void mac_mbuf_tag_copy(struct m_tag *m, struct m_tag *mtag); +void mac_mbuf_tag_destroy(struct m_tag *mtag); +int mac_mbuf_tag_init(struct m_tag *, int how); +int mac_mount_check_fsctl(struct ucred *cred, struct mount *mp, + int com, caddr_t data); +int mac_mount_check_getattr(struct ucred *cred, struct mount *mp, + struct vfs_attr *vfa); +int mac_mount_check_label_update(struct ucred *cred, struct mount *mp); int mac_mount_check_mount(struct ucred *cred, struct vnode *vp, const char *vfc_name); int mac_mount_check_remount(struct ucred *cred, struct mount *mp); -int mac_mount_check_umount(struct 
ucred *cred, struct mount *mp); -int mac_mount_check_getattr(struct ucred *cred, struct mount *mp, - struct vfs_attr *vfa); int mac_mount_check_setattr(struct ucred *cred, struct mount *mp, struct vfs_attr *vfa); int mac_mount_check_stat(struct ucred *cred, struct mount *mp); -int mac_mount_check_label_update(struct ucred *cred, struct mount *mp); +int mac_mount_check_umount(struct ucred *cred, struct mount *mp); +void mac_mount_label_associate(struct ucred *cred, struct mount *mp); +void mac_mount_label_destroy(struct mount *mp); +int mac_mount_label_externalize(struct label *label, char *elements, + char *outbuf, size_t outbuflen); +int mac_mount_label_get(struct mount *mp, user_addr_t mac_p); +void mac_mount_label_init(struct mount *); +int mac_mount_label_internalize(struct label *, char *string); +int mac_pipe_check_ioctl(struct ucred *cred, struct pipe *cpipe, + unsigned long cmd, void *data); int mac_pipe_check_kqfilter(struct ucred *cred, struct knote *kn, struct pipe *cpipe); -int mac_pipe_check_ioctl(struct ucred *cred, struct pipe *cpipe, - unsigned long cmd, void *data); int mac_pipe_check_read(struct ucred *cred, struct pipe *cpipe); int mac_pipe_check_select(struct ucred *cred, struct pipe *cpipe, int which); int mac_pipe_check_stat(struct ucred *cred, struct pipe *cpipe); int mac_pipe_check_write(struct ucred *cred, struct pipe *cpipe); +struct label *mac_pipe_label_alloc(void); +void mac_pipe_label_associate(struct ucred *cred, struct pipe *cpipe); +void mac_pipe_label_copy(struct label *src, struct label *dest); +void mac_pipe_label_destroy(struct pipe *cpipe); +void mac_pipe_label_free(struct label *label); +void mac_pipe_label_init(struct pipe *cpipe); +int mac_pipe_label_update(struct ucred *cred, struct pipe *cpipe, + struct label *label); +void mac_policy_initbsd(void); +int mac_posixsem_check_create(struct ucred *cred, const char *name); +int mac_posixsem_check_open(struct ucred *cred, struct pseminfo *psem); +int 
mac_posixsem_check_post(struct ucred *cred, struct pseminfo *psem); +int mac_posixsem_check_unlink(struct ucred *cred, struct pseminfo *psem, + const char *name); +int mac_posixsem_check_wait(struct ucred *cred, struct pseminfo *psem); +void mac_posixsem_label_associate(struct ucred *cred, + struct pseminfo *psem, const char *name); +void mac_posixsem_label_destroy(struct pseminfo *psem); +void mac_posixsem_label_init(struct pseminfo *psem); +int mac_posixshm_check_create(struct ucred *cred, const char *name); +int mac_posixshm_check_mmap(struct ucred *cred, struct pshminfo *pshm, + int prot, int flags); +int mac_posixshm_check_open(struct ucred *cred, struct pshminfo *pshm); +int mac_posixshm_check_stat(struct ucred *cred, struct pshminfo *pshm); +int mac_posixshm_check_truncate(struct ucred *cred, struct pshminfo *pshm, + size_t s); +int mac_posixshm_check_unlink(struct ucred *cred, struct pshminfo *pshm, + const char *name); +void mac_posixshm_label_associate(struct ucred *cred, + struct pshminfo *pshm, const char *name); +void mac_posixshm_label_destroy(struct pshminfo *pshm); +void mac_posixshm_label_init(struct pshminfo *pshm); int mac_proc_check_debug(struct ucred *cred, struct proc *proc); int mac_proc_check_getaudit(struct ucred *cred); int mac_proc_check_getauid(struct ucred *cred); +int mac_proc_check_getlcid(struct proc *proc1, struct proc *proc2, + pid_t pid); +int mac_proc_check_mprotect(struct ucred *cred, struct proc *proc, + void *addr, size_t size, int prot); int mac_proc_check_sched(struct ucred *cred, struct proc *proc); int mac_proc_check_setaudit(struct ucred *cred, struct auditinfo *ai); int mac_proc_check_setauid(struct ucred *cred, uid_t auid); +int mac_proc_check_setlcid(struct proc *proc1, struct proc *proc2, + pid_t pid1, pid_t pid2); int mac_proc_check_signal(struct ucred *cred, struct proc *proc, int signum); int mac_proc_check_wait(struct ucred *cred, struct proc *proc); -int mac_proc_check_setlcid(struct proc *, struct proc *, pid_t, 
pid_t); -int mac_proc_check_getlcid(struct proc *, struct proc *, pid_t); +void mac_proc_label_destroy(struct proc *proc); +void mac_proc_label_init(struct proc *proc); +int mac_setsockopt_label(struct ucred *cred, struct socket *so, + struct mac *extmac); int mac_socket_check_accept(struct ucred *cred, struct socket *so); int mac_socket_check_bind(struct ucred *cred, struct socket *so, struct sockaddr *addr); int mac_socket_check_connect(struct ucred *cred, struct socket *so, struct sockaddr *addr); -int mac_socket_check_create(struct ucred *cred, int domain, int type, - int protocol); +int mac_socket_check_create(struct ucred *cred, int domain, + int type, int protocol); int mac_socket_check_deliver(struct socket *so, struct mbuf *m); int mac_socket_check_kqfilter(struct ucred *cred, struct knote *kn, struct socket *so); @@ -377,6 +262,19 @@ int which); int mac_socket_check_send(struct ucred *cred, struct socket *so); int mac_socket_check_stat(struct ucred *cred, struct socket *so); +void mac_socket_label_associate(struct ucred *cred, struct socket *so); +void mac_socket_label_associate_accept(struct socket *oldsocket, + struct socket *newsocket); +void mac_socket_label_copy(struct label *from, struct label *to); +void mac_socket_label_destroy(struct socket *); +int mac_socket_label_get(struct ucred *cred, struct socket *so, + struct mac *extmac); +int mac_socket_label_init(struct socket *, int waitok); +void mac_socketpeer_label_associate_mbuf(struct mbuf *m, struct socket *so); +void mac_socketpeer_label_associate_socket(struct socket *peersocket, + struct socket *socket_to_modify); +int mac_socketpeer_label_get(struct ucred *cred, struct socket *so, + struct mac *extmac); int mac_system_check_acct(struct ucred *cred, struct vnode *vp); int mac_system_check_audit(struct ucred *cred, void *record, int length); int mac_system_check_auditctl(struct ucred *cred, struct vnode *vp); 
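Review bot: The new declaration `mac_mount_check_fsctl(..., int com, caddr_t data)`, and `mac_vnode_check_ioctl(..., int com, caddr_t data)` in the hunk at -396, type the ioctl command and argument differently from the existing ioctl checks in this header: `mac_file_check_ioctl` takes `u_long com, void *data` and `mac_pipe_check_ioctl` takes `unsigned long cmd, void *data`. The encoding that IOCBASECMD() strips in vfs_syscalls.c lives in the high bits of the command word, so an `int` parameter may narrow what the callers pass and silently change the value a policy compares against; `u_long com, void *data` for both new functions keeps them consistent with their siblings. The reordering also drops several explanatory comments without relocating them: the note that socket functions are called under the NETWORK_FUNNEL rather than the KERNEL_FUNNEL, the `XXX` that cred can be NULL in mac_socket_label_associate(), and the description of what the `*_label_recycle` hooks do as opposed to the destroy hooks. Those belong above the corresponding sorted declarations, or in mac_policy.h if that is now the documented interface.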
@@ -384,11 +282,55 @@ int mac_system_check_nfsd(struct ucred *cred); int mac_system_check_reboot(struct ucred *cred, int howto); int mac_system_check_settime(struct ucred *cred); +int mac_system_check_swapoff(struct ucred *cred, struct vnode *vp); int mac_system_check_swapon(struct ucred *cred, struct vnode *vp); -int mac_system_check_swapoff(struct ucred *cred, struct vnode *vp); int mac_system_check_sysctl(struct ucred *cred, int *name, u_int namelen, void *oldctl, size_t *oldlenp, int inkernel, void *newctl, size_t newlen); +void mac_sysvmsg_label_associate(struct ucred *cred, + struct msqid_kernel *msqptr, struct msg *msgptr); +void mac_sysvmsg_label_init(struct msg *msgptr); +void mac_sysvmsg_label_recycle(struct msg *msgptr); +int mac_sysvmsq_check_enqueue(struct ucred *cred, struct msg *msgptr, + struct msqid_kernel *msqptr); +int mac_sysvmsq_check_msgrcv(struct ucred *cred, struct msg *msgptr); +int mac_sysvmsq_check_msgrmid(struct ucred *cred, struct msg *msgptr); +int mac_sysvmsq_check_msqctl(struct ucred *cred, + struct msqid_kernel *msqptr, int cmd); +int mac_sysvmsq_check_msqget(struct ucred *cred, + struct msqid_kernel *msqptr); +int mac_sysvmsq_check_msqrcv(struct ucred *cred, + struct msqid_kernel *msqptr); +int mac_sysvmsq_check_msqsnd(struct ucred *cred, + struct msqid_kernel *msqptr); +void mac_sysvmsq_label_associate(struct ucred *cred, + struct msqid_kernel *msqptr); +void mac_sysvmsq_label_init(struct msqid_kernel *msqptr); +void mac_sysvmsq_label_recycle(struct msqid_kernel *msqptr); +int mac_sysvsem_check_semctl(struct ucred *cred, + struct semid_kernel *semakptr, int cmd); +int mac_sysvsem_check_semget(struct ucred *cred, + struct semid_kernel *semakptr); +int mac_sysvsem_check_semop(struct ucred *cred, + struct semid_kernel *semakptr, size_t accesstype); +void mac_sysvsem_label_associate(struct ucred *cred, + struct semid_kernel *semakptr); +void mac_sysvsem_label_destroy(struct semid_kernel *semakptr); +void mac_sysvsem_label_init(struct 
semid_kernel *semakptr); +void mac_sysvsem_label_recycle(struct semid_kernel *semakptr); +int mac_sysvshm_check_shmat(struct ucred *cred, + struct shmid_kernel *shmsegptr, int shmflg); +int mac_sysvshm_check_shmctl(struct ucred *cred, + struct shmid_kernel *shmsegptr, int cmd); +int mac_sysvshm_check_shmdt(struct ucred *cred, + struct shmid_kernel *shmsegptr); +int mac_sysvshm_check_shmget(struct ucred *cred, + struct shmid_kernel *shmsegptr, int shmflg); +void mac_sysvshm_label_associate(struct ucred *cred, + struct shmid_kernel *shmsegptr); +void mac_sysvshm_label_destroy(struct shmid_kernel *shmsegptr); +void mac_sysvshm_label_init(struct shmid_kernel* shmsegptr); +void mac_sysvshm_label_recycle(struct shmid_kernel *shmsegptr); int mac_task_check_get_port(struct ucred *cred, struct task *task); int mac_vnode_check_access(struct ucred *cred, struct vnode *vp, int acc_mode); 
@@ -396,43 +338,42 @@ int mac_vnode_check_chroot(struct ucred *cred, struct vnode *dvp); int mac_vnode_check_create(struct ucred *cred, struct vnode *dvp, struct componentname *cnp, struct vnode_attr *vap); -int mac_vnode_check_unlink(struct ucred *cred, struct vnode *dvp, - struct vnode *vp, struct componentname *cnp); int mac_vnode_check_deleteextattr(struct ucred *cred, struct vnode *vp, const char *name); int mac_vnode_check_exchangedata(struct ucred *cred, struct vnode *v1, - struct vnode *v2); + struct vnode *v2); int mac_vnode_check_exec(struct ucred *cred, struct vnode *vp, struct label *execlabel); int mac_vnode_check_getattrlist(struct ucred *cred, struct vnode *vp, - struct attrlist *alist); + struct attrlist *alist); int mac_vnode_check_getextattr(struct ucred *cred, struct vnode *vp, const char *name, struct uio *uio); +int mac_vnode_check_ioctl(struct ucred *cred, struct vnode *vp, int com, + caddr_t data); int mac_vnode_check_kqfilter(struct ucred *active_cred, struct ucred *file_cred, struct knote *kn, struct vnode *vp); +int mac_vnode_check_label_update(struct ucred *cred, struct vnode *vp, + struct label *newlabel); int mac_vnode_check_link(struct ucred *cred, struct vnode *dvp, struct vnode *vp, struct componentname *cnp); int mac_vnode_check_listextattr(struct ucred *cred, struct vnode *vp); int mac_vnode_check_lookup(struct ucred *cred, struct vnode *dvp, struct componentname *cnp); -int mac_proc_check_mprotect(struct ucred *cred, struct proc *proc, - void *addr, size_t size, int prot); int mac_vnode_check_open(struct ucred *cred, struct vnode *vp, int acc_mode); int mac_vnode_check_read(struct ucred *active_cred, struct ucred *file_cred, struct vnode *vp); int mac_vnode_check_readdir(struct ucred *cred, struct vnode *vp); int mac_vnode_check_readlink(struct ucred *cred, struct vnode *vp); -int mac_vnode_check_label_update(struct ucred *cred, struct vnode *vp, - struct label *newlabel); int mac_vnode_check_rename_from(struct ucred *cred, struct 
vnode *dvp, struct vnode *vp, struct componentname *cnp); int mac_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp, struct vnode *vp, int samedir, struct componentname *cnp); int mac_vnode_check_revoke(struct ucred *cred, struct vnode *vp); -int mac_vnode_check_select(struct ucred *cred, struct vnode *vp, int which); +int mac_vnode_check_select(struct ucred *cred, struct vnode *vp, + int which); int mac_vnode_check_setattrlist(struct ucred *cred, struct vnode *vp, - struct attrlist *alist); + struct attrlist *alist); int mac_vnode_check_setextattr(struct ucred *cred, struct vnode *vp, const char *name, struct uio *uio); int mac_vnode_check_setflags(struct ucred *cred, struct vnode *vp, 
@@ -447,46 +388,36 @@ struct ucred *file_cred, struct vnode *vp); int mac_vnode_check_truncate(struct ucred *active_cred, struct ucred *file_cred, struct vnode *vp); +int mac_vnode_check_unlink(struct ucred *cred, struct vnode *dvp, + struct vnode *vp, struct componentname *cnp); int mac_vnode_check_write(struct ucred *active_cred, struct ucred *file_cred, struct vnode *vp); - -int mac_socket_label_get(struct ucred *cred, struct socket *so, - struct mac *extmac); -int mac_setsockopt_label(struct ucred *cred, struct socket *so, - struct mac *extmac); -int mac_socketpeer_label_get(struct ucred *cred, struct socket *so, - struct mac *extmac); -#if 0 -void mac_cred_mmapped_drop_perms(struct thread *td, struct ucred *cred); -#endif - -/* - * mac_audit_{pre,post}select() allow MAC policies to control whether a given - * event will be audited. For 10.3.3, these functions take precedence over - * the existing pre/post-selection selection in Darwin. That aspect of the - * sematics of these functions will probably change for version 10.3.4 as - * that version has a more complete implementation of the audit subsystem. - */ -int mac_audit_check_preselect(struct ucred *cred, unsigned short syscode, - void *args); -int mac_audit_check_postselect(struct ucred *cred, unsigned short syscode, - void *args, int error, int retval, int mac_forced); - -void mac_lctx_notify_create(struct proc *, struct lctx *); -void mac_lctx_notify_join(struct proc *, struct lctx *); -void mac_lctx_notify_leave(struct proc *, struct lctx *); - -/* - * The semantics of this function are slightly different than the standard - * copy operation. On the first call for a given socket, the peer label has - * been newly allocated. On successive calls, the peer label is in use and - * would be clobbered by a normal copy operation. It was decided to implement - * it this way because its performance has a significant impact on network - * performance. A destroy-init-copy sequence is too inefficient here. 
- * Some policies may be able to replace data inline, which is more efficient. - * It is up to the policies to determine the most efficient action to take. - */ -void mac_socketpeer_label_associate_mbuf(struct mbuf *m, struct socket *so); +struct label *mac_vnode_label_alloc(void); +int mac_vnode_label_associate(struct mount *mp, struct vnode *vp, + vfs_context_t ctx); +void mac_vnode_label_associate_devfs(struct mount *mp, struct devnode *de, + struct vnode *vp); +int mac_vnode_label_associate_fdesc(struct mount *mp, struct fdescnode *fnp, + struct vnode *vp, vfs_context_t ctx); +int mac_vnode_label_associate_extattr(struct mount *mp, struct vnode *vp); +void mac_vnode_label_associate_singlelabel(struct mount *mp, + struct vnode *vp); +void mac_vnode_label_copy(struct label *l1, struct label *l2); +void mac_vnode_label_destroy(struct vnode *vp); +int mac_vnode_label_externalize_audit(struct vnode *vp, struct mac *mac); +void mac_vnode_label_free(struct label *label); +void mac_vnode_label_init(struct vnode *vp); +void mac_vnode_label_recycle(struct vnode *vp); +void mac_vnode_label_update(struct ucred *cred, struct vnode *vp, + struct label *newlabel); +void mac_vnode_label_update_extattr(struct mount *mp, struct vnode *vp, + const char *name); +int mac_vnode_notify_create(struct ucred *cred, struct mount *mp, + struct vnode *dvp, struct vnode *vp, struct componentname *cnp); +int vnode_label(struct mount *mp, struct vnode *dvp, struct vnode *vp, + struct componentname *cnp, int flags, vfs_context_t ctx); +int vnode_label1(struct vnode *vp); +void vnode_relabel(struct vnode *vp); #endif /* MAC */ ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_policy.h#26 (text+ko) ==== @@ -55,8 +55,8 @@ #include <security/_label.h> +struct attrlist; struct auditinfo; -struct attrlist; struct bpf_d; struct devnode; struct fileglob; 
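Review bot: The removed comment above mac_socketpeer_label_associate_mbuf(), explaining that the peer label is freshly allocated on the first call but already in use on later calls and is therefore updated in place rather than destroy-init-copied, is not carried over to the declaration's new position in the hunk at -377; a policy author reading the sorted header loses the one contract that differs from the ordinary copy operations. Keep it next to the declaration, e.g. `/* Unlike a plain copy, the peer label may already be in use on later calls; policies update it in place. */`. The audit pre/postselect comment removed here does reappear as doxygen in mac_policy.h, so that part needs no action.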
@@ -96,11 +96,93 @@ */ /** - @name Entry Points for the Base Policy Module Only + @name Entry Points for Label Management + + These are the entry points corresponding to the life cycle events for + kernel objects, such as initialization, creation, and destruction. + + Most policies (that use labels) will initialize labels by allocating + space for policy-specific data. In most cases, it is permitted to + sleep during label initialization operations; it will be noted when + it is not permitted. + + Initialization usually will not require doing more than allocating a + generic label for the given object. What follows initialization is + creation, where a label is made specific to the object it is associated + with. Destruction occurs when the label is no longer needed, such as + when the corresponding object is destroyed. All necessary cleanup should + be performed in label destroy operations. + + Where possible, the label entry points have identical parameters. If + the policy module does not require structure-specific label + information, the same function may be registered in the policy + operation vector. Many policies will implement two such generic + allocation calls: one to handle sleepable requests, and one to handle + potentially non-sleepable requests. +*/ + + +/** + @brief Audit event postselection + @param cred Subject credential + @param syscode Syscall number + @param args Syscall arguments + @param error Syscall errno + @param retval Syscall return value + + This is the MAC Framework audit postselect, which is called before + exiting a syscall to determine if an audit event should be committed. + A return value of MAC_AUDIT_NO forces the audit record to be suppressed. + Any other return value results in the audit record being committed. + + @warning The suppression behavior will probably go away in Apple's + future version of the audit implementation. + + @return Return MAC_AUDIT_NO to force suppression of the audit record. 
+ Any other value results in the audit record being committed. + */ +typedef int mpo_audit_check_postselect_t( + struct ucred *cred, + unsigned short syscode, + void *args, + int error, + int retval +); +/** + @brief Audit event preselection + @param cred Subject credential + @param syscode Syscall number + @param args Syscall arguments + + This is the MAC Framework audit preselect, which is called before a + syscall is entered to determine if an audit event should be created. + If the MAC policy forces the syscall to be audited, MAC_AUDIT_YES should be + returned. A return value of MAC_AUDIT_NO causes the audit record to + be suppressed. Returning MAC_POLICY_DEFAULT indicates that the policy wants + to defer to the system's existing preselection mechanism. + + When policies return different preferences, the Framework decides what action + to take based on the following policy. If any policy returns MAC_AUDIT_YES, + then create an audit record, else if any policy returns MAC_AUDIT_NO, then + suppress the creations of an audit record, else defer to the system's + existing preselection mechanism. + + @warning The audit implementation in Apple's current version is + incomplete, so the MAC policies have priority over the system's existing + mechanisms. This will probably change in the future version where + the audit implementation is more complete. -/*@{*/ + @return Return MAC_AUDIT_YES to force auditing of the syscall, + MAC_AUDIT_NO to force no auditing of the syscall, MAC_AUDIT_DEFAULT + to allow auditing mechanisms to determine if the syscall is audited. +*/ +typedef int mpo_audit_check_preselect_t( + struct ucred *cred, + unsigned short syscode, + void *args +); /** @brief Base Policy approve MAC module load event @param mpc MAC policy configuration @@ -116,7 +198,6 @@ typedef int mpo_base_check_module_load_t( struct mac_policy_conf *mpc ); - /** @brief Base Policy approve MAC module unload event @param mpc MAC policy configuration 
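Review bot: The new preselect documentation names the deferral return value inconsistently: the body says `Returning MAC_POLICY_DEFAULT indicates that the policy wants to defer` while the `@return` line says `MAC_AUDIT_DEFAULT to allow auditing mechanisms to determine if the syscall is audited`; only one of these can be the constant the framework compares against, so both sentences should use that name. The `@name Entry Points for Label Management` block now sits directly above the two audit typedefs, and with the `/*@{*/` group opener removed the heading no longer delimits anything, so either the audit entry points need their own `@name` heading or the label-management text should move next to the label entry points. Minor wording: `suppress the creations of an audit record` should read `suppress the creation of an audit record`.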
@@ -132,7 +213,6 @@
 typedef int mpo_base_check_module_unload_t(
 struct mac_policy_conf *mpc
 );
-
 /**
 @brief Base Policy finalize event
 
@@ -145,896 +225,746 @@ */ typedef void mpo_base_notify_finalize_t(void); +/** + @brief Indicate desire to change the process label at exec time + @param old Existing subject credential + @param vp File being executed + @param vnodelabel Label corresponding to vp + @param scriptvnodelabel Script vnode label + @param execlabel Userspace provided execution label + @param proc Object process + @see mac_execve + @see mpo_cred_label_update_execve_t + @see mpo_vnode_check_exec_t -/*@}*/ + Indicate whether this policy intends to update the label of a newly + created credential from the existing subject credential (old). This + call occurs when a process executes the passed vnode. If a policy + returns success from this entry point, the mpo_cred_label_update_execve + entry point will later be called with the same parameters. Access + has already been checked via the mpo_vnode_check_exec entry point, + this entry point is necessary to preserve kernel locking constraints + during program execution. -/** - @name Entry Points for Module Operations -*/ + The supplied vnode and vnodelabel correspond with the file actually + being executed; in the case that the file is interpreted (for + example, a script), the label of the original exec-time vnode has + been preserved in scriptvnodelabel. -/*@{*/ + The final label, execlabel, corresponds to a label supplied by a + user space application through the use of the mac_execve system call. -/** - @brief Policy unload event - @param mpc MAC policy configuration + The vnode lock is held during this operation. No changes should be + made to the old credential structure. - This is the MAC Framework policy unload event. This entry point will - only be called if the module's policy configuration allows unload (if - the MPC_LOADTIME_FLAG_UNLOADOK is set). Most security policies won't - want to be unloaded; they should set their flags to prevent this - entry point from being called. 
+ @warning Even if a policy returns 0, it should behave correctly in + the presence of an invocation of mpo_cred_label_update_execve, as that + call may happen as a result of another policy requesting a transition. - @warning During this call, the mac policy list mutex is held, so - sleep operations cannot be performed, and calls out to other kernel - subsystems must be made with caution. - - @see MPC_LOADTIME_FLAG_UNLOADOK + @return Non-zero if a transition is required, 0 otherwise. */ -typedef void mpo_policy_destroy_t( - struct mac_policy_conf *mpc +typedef int mpo_cred_check_label_update_execve_t( + struct ucred *old, + struct vnode *vp, + struct label *vnodelabel, + struct label *scriptvnodelabel, + struct label *execlabel, + struct proc *proc ); - /** - @brief Policy initialization event - @param mpc MAC policy configuration - @see mac_policy_register - @see mpo_policy_initbsd_t + @brief Access control check for relabelling processes + @param cred Subject credential + @param newlabel New label to apply to the user credential + @see mpo_cred_label_update_t + @see mac_set_proc - This is the MAC Framework policy initialization event. This entry - point is called during mac_policy_register, when the policy module - is first registered with the MAC Framework. This is often done very - early in the boot process, after the kernel Mach subsystem has been - initialized, but prior to the BSD subsystem being initialized. - Since the kernel BSD services are not yet available, it is possible - that some initialization must occur later, possibly in the - mpo_policy_initbsd_t policy entry point, such as registering BSD system - controls (sysctls). Policy modules loaded at boot time will be - registered and initialized before labeled Mach objects are created. + Determine whether the subject identified by the credential can relabel + itself to the supplied new label (newlabel). This access control check + is called when the mac_set_proc system call is invoked. 
A user space + application will supply a new value, the value will be internalized + and provided in newlabel. - @warning During this call, the mac policy list mutex is held, so - sleep operations cannot be performed, and calls out to other kernel - subsystems must be made with caution. + @return Return 0 if access is granted, otherwise an appropriate value for + errno should be returned. */ -typedef void mpo_policy_init_t( - struct mac_policy_conf *mpc +typedef int mpo_cred_check_label_update_t( + struct ucred *cred, + struct label *newlabel ); - /** - @brief Policy BSD initialization event - @param mpc MAC policy configuration - @see mpo_policy_init_t + @brief Access control check for visibility of other subjects + @param u1 Subject credential + @param u2 Object credential - This entry point is called after the kernel BSD subsystem has been - initialized. By this point, the module should already be loaded, - registered, and initialized. Since policy modules are initialized - before kernel BSD services are available, this second initialization - phase is necessary. At this point, BSD services (memory management, - synchronization primitives, vfs, etc.) are available, but the first - process has not yet been created. Mach-related objects and tasks - will already be fully initialized and may be in use--policies requiring - ubiquitous labeling may also want to implement mpo_policy_init_t. + Determine whether the subject identified by the credential u1 can + "see" other subjects with the passed subject credential u2. This call + may be made in a number of situations, including inter-process status + sysctls used by ps, and in procfs lookups. - @warning During this call, the mac policy list mutex is held, so - sleep operations cannot be performed, and calls out to other kernel - subsystems must be made with caution. + @return Return 0 if access is granted, otherwise an appropriate value for + errno should be returned. 
Suggested failure: EACCES for label mismatch, + EPERM for lack of privilege, or ESRCH to hide visibility. */ -typedef void mpo_policy_initbsd_t( - struct mac_policy_conf *mpc +typedef int mpo_cred_check_visible_t( + struct ucred *u1, + struct ucred *u2 ); - /** - @brief Policy extension service - @param p Calling process - @param call Policy-specific syscall number - @param arg Pointer to syscall arguments + @brief Create the first process + @param cred Subject credential to be labeled - This entry point provides a policy-multiplexed system call so that - policies may provide additional services to user processes without - registering specific system calls. The policy name provided during - registration is used to demux calls from userland, and the arguments - will be forwarded to this entry point. When implementing new - services, security modules should be sure to invoke appropriate - access control checks from the MAC framework as needed. For - example, if a policy implements an augmented signal functionality, - it should call the necessary signal access control checks to invoke - the MAC framework and other registered policies. - - @warning Since the format and contents of the policy-specific - arguments are unknown to the MAC Framework, modules must perform the - required copyin() of the syscall data on their own. No policy - mediation is performed, so policies must perform any necessary - access control checks themselves. If multiple policies are loaded, - they will currently be unable to mediate calls to other policies. - - @return In the event of an error, an appropriate value for errno - should be returned, otherwise return 0 upon success. + Create the subject credential of process 0, the parent of all BSD + kernel processes. Policies should update the label in the + previously initialized credential structure. 
*/ -typedef int mpo_policy_syscall_t( - struct proc *p, - int call, - user_addr_t arg +typedef void mpo_cred_label_associate_kernel_t( + struct ucred *cred ); - -/*@}*/ - /** - @name Entry Points for Label Management + @brief Create a credential label >>> TRUNCATED FOR MAIL (1000 lines) <<<