security/mac_system.c

   1 /*
   2  * Copyright (c) 2007 Apple Inc. All rights reserved.
   3  *
   4  * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
   5  *
   6  * This file contains Original Code and/or Modifications of Original Code
   7  * as defined in and that are subject to the Apple Public Source License
   8  * Version 2.0 (the 'License'). You may not use this file except in
   9  * compliance with the License. The rights granted to you under the License
  10  * may not be used to create, or enable the creation or redistribution of,
  11  * unlawful or unlicensed copies of an Apple operating system, or to
  12  * circumvent, violate, or enable the circumvention or violation of, any
  13  * terms of an Apple operating system software license agreement.
  14  *
  15  * Please obtain a copy of the License at
  16  * http://www.opensource.apple.com/apsl/ and read it before using this file.
  17  *
  18  * The Original Code and all software distributed under the License are
  19  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  20  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  21  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
  22  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  23  * Please see the License for the specific language governing rights and
  24  * limitations under the License.
  25  *
  26  * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
  27  */
  28
  29 /*-
  30  * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson
  31  * Copyright (c) 2001 Ilmar S. Habibulin
  32  * Copyright (c) 2001, 2002, 2003, 2004 Networks Associates Technology, Inc.
  33  *
  34  * This software was developed by Robert Watson and Ilmar Habibulin for the
  35  * TrustedBSD Project.
  36  *
  37  * This software was developed for the FreeBSD Project in part by Network
  38  * Associates Laboratories, the Security Research Division of Network
  39  * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
  40  * as part of the DARPA CHATS research program.
  41  *
  42  * Redistribution and use in source and binary forms, with or without
  43  * modification, are permitted provided that the following conditions
  44  * are met:
  45  * 1. Redistributions of source code must retain the above copyright
  46  *    notice, this list of conditions and the following disclaimer.
  47  * 2. Redistributions in binary form must reproduce the above copyright
  48  *    notice, this list of conditions and the following disclaimer in the
  49  *    documentation and/or other materials provided with the distribution.
  50  *
  51  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
  52  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  53  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  54  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  55  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  56  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  57  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  58  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  59  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  60  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  61  * SUCH DAMAGE.
  62  *
  63  */
  64
  65 #include <sys/param.h>
  66 #include <sys/vnode.h>
  67 #include <sys/vnode_internal.h>
  68
  69 #include <security/mac_internal.h>
  70
  71
  72 int
  73 mac_system_check_acct(kauth_cred_t cred, struct vnode *vp)
  74 {
  75         int error;
  76
  77         if (!mac_system_enforce)
  78                 return (0);
  79
  80         MAC_CHECK(system_check_acct, cred, vp,
  81             vp != NULL ? vp->v_label : NULL);
  82
  83         return (error);
  84 }
  85
  86 int
  87 mac_system_check_chud(kauth_cred_t cred)
  88 {
  89         int error;
  90
  91         if (!mac_system_enforce)
  92                 return (0);
  93
  94         MAC_CHECK(system_check_chud, cred);
  95
  96         return (error);
  97 }
  98
  99 int
 100 mac_system_check_host_priv(kauth_cred_t cred)
 101 {
 102         int error;
 103
 104         if (!mac_system_enforce)
 105                 return (0);
 106
 107         MAC_CHECK(system_check_host_priv, cred);
 108
 109         return (error);
 110 }
 111
 112 int
 113 mac_system_check_info(kauth_cred_t cred, const char *info_type)
 114 {
 115         int error;
 116
 117         if (!mac_system_enforce)
 118                 return (0);
 119
 120         MAC_CHECK(system_check_info, cred, info_type);
 121
 122         return (error);
 123 }
 124
 125 int
 126 mac_system_check_nfsd(kauth_cred_t cred)
 127 {
 128         int error;
 129
 130         if (!mac_system_enforce)
 131                 return (0);
 132
 133         MAC_CHECK(system_check_nfsd, cred);
 134
 135         return (error);
 136 }
 137
 138 int
 139 mac_system_check_reboot(kauth_cred_t cred, int howto)
 140 {
 141         int error;
 142
 143         if (!mac_system_enforce)
 144                 return (0);
 145
 146         MAC_CHECK(system_check_reboot, cred, howto);
 147
 148         return (error);
 149 }
 150
 151 int
 152 mac_system_check_settime(kauth_cred_t cred)
 153 {
 154         int error;
 155
 156         if (!mac_system_enforce)
 157                 return (0);
 158
 159         MAC_CHECK(system_check_settime, cred);
 160
 161         return (error);
 162 }
 163
 164 int
 165 mac_system_check_swapon(kauth_cred_t cred, struct vnode *vp)
 166 {
 167         int error;
 168
 169         if (!mac_system_enforce)
 170                 return (0);
 171
 172         MAC_CHECK(system_check_swapon, cred, vp, vp->v_label);
 173         return (error);
 174 }
 175
 176 int
 177 mac_system_check_swapoff(kauth_cred_t cred, struct vnode *vp)
 178 {
 179         int error;
 180
 181
 182
 183         if (!mac_system_enforce)
 184                 return (0);
 185
 186         MAC_CHECK(system_check_swapoff, cred, vp, vp->v_label);
 187         return (error);
 188 }
 189
 190 int
 191 mac_system_check_sysctl(kauth_cred_t cred, int *name, u_int namelen,
 192     user_addr_t old, user_addr_t oldlenp, int inkernel, user_addr_t new, size_t newlen)
 193 {
 194         int error;
 195
 196         /*
 197          * XXXMAC: We're very much like to assert the SYSCTL_LOCK here,
 198          * but since it's not exported from kern_sysctl.c, we can't.
 199          */
 200         if (!mac_system_enforce)
 201                 return (0);
 202
 203         MAC_CHECK(system_check_sysctl, cred, name, namelen, old, oldlenp,
 204             inkernel, new, newlen);
 205
 206         return (error);
 207 }
 208
 209 int
 210 mac_system_check_kas_info(kauth_cred_t cred, int selector)
 211 {
 212         int error;
 213
 214         if (!mac_system_enforce)
 215                 return (0);
 216
 217         MAC_CHECK(system_check_kas_info, cred, selector);
 218
 219         return (error);
 220 }