]> git.saurik.com Git - apple/xnu.git/blob - security/mac_base.c
projects / apple / xnu.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
xnu-3248.60.10.tar.gz
[apple/xnu.git] / security / mac_base.c
1 /*
2 * Copyright (c) 2007-2012 Apple Inc. All rights reserved.
3 *
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
14 *
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 *
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
25 *
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 */
28 /*-
29 * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson
30 * Copyright (c) 2001 Ilmar S. Habibulin
31 * Copyright (c) 2001, 2002, 2003, 2004 Networks Associates Technology, Inc.
32 * Copyright (c) 2005-2006 SPARTA, Inc.
33 *
34 * This software was developed by Robert Watson and Ilmar Habibulin for the
35 * TrustedBSD Project.
36 *
37 * This software was developed for the FreeBSD Project in part by Network
38 * Associates Laboratories, the Security Research Division of Network
39 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
40 * as part of the DARPA CHATS research program.
41 *
42 * Redistribution and use in source and binary forms, with or without
43 * modification, are permitted provided that the following conditions
44 * are met:
45 * 1. Redistributions of source code must retain the above copyright
46 * notice, this list of conditions and the following disclaimer.
47 * 2. Redistributions in binary form must reproduce the above copyright
48 * notice, this list of conditions and the following disclaimer in the
49 * documentation and/or other materials provided with the distribution.
50 *
51 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
52 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
53 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
54 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
55 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
56 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
57 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
58 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
59 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
60 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
61 * SUCH DAMAGE.
62 *
63 */
64
65 /*-
66 * Framework for extensible kernel access control. This file contains
67 * Kernel and userland interface to the framework, policy registration
68 * and composition. Per-object interfaces, controls, and labeling may be
69 * found in src/sys/mac/. Sample policies may be found in src/sys/mac*.
70 */
71
72 #include <stdarg.h>
73 #include <string.h>
74 #include <security/mac_internal.h>
75 #include <security/mac_mach_internal.h>
76 #include <sys/param.h>
77 #include <sys/vnode.h>
78 #include <sys/vnode_internal.h>
79 #include <sys/vfs_context.h>
80 #include <sys/namei.h>
81 #include <bsd/bsm/audit.h>
82 #include <bsd/security/audit/audit.h>
83 #include <sys/file.h>
84 #include <sys/file_internal.h>
85 #include <sys/filedesc.h>
86 #include <sys/proc.h>
87 #include <sys/proc_internal.h>
88 #include <sys/kauth.h>
89 #include <sys/sysproto.h>
90
91 #include <mach/exception_types.h>
92 #include <mach/vm_types.h>
93 #include <mach/vm_prot.h>
94
95 #include <kern/zalloc.h>
96 #include <kern/sched_prim.h>
97 #include <osfmk/kern/task.h>
98 #include <osfmk/kern/kalloc.h>
99
100 #if CONFIG_MACF
101 #include <security/mac.h>
102 #include <security/mac_policy.h>
103 #include <security/mac_framework.h>
104 #include <security/mac_internal.h>
105 #include <security/mac_mach_internal.h>
106 #endif
107
108
109 /*
110 * define MB_DEBUG to display run-time debugging information
111 * #define MB_DEBUG 1
112 */
113
114 #ifdef MB_DEBUG
115 #define DPRINTF(x) printf x
116 #else
117 #define MB_DEBUG
118 #define DPRINTF(x)
119 #endif
120
121 #if CONFIG_MACF
122 SYSCTL_NODE(, OID_AUTO, security, CTLFLAG_RW|CTLFLAG_LOCKED, 0,
123 "Security Controls");
124 SYSCTL_NODE(_security, OID_AUTO, mac, CTLFLAG_RW|CTLFLAG_LOCKED, 0,
125 "TrustedBSD MAC policy controls");
126
127 /*
128 * Declare that the kernel provides MAC support, version 1. This permits
129 * modules to refuse to be loaded if the necessary support isn't present,
130 * even if it's pre-boot.
131 */
132 #if 0
133 MODULE_VERSION(kernel_mac_support, 1);
134 #endif
135
136 #if MAC_MAX_SLOTS > 32
137 #error "MAC_MAX_SLOTS too large"
138 #endif
139
140 static unsigned int mac_max_slots = MAC_MAX_SLOTS;
141 static unsigned int mac_slot_offsets_free = (1 << MAC_MAX_SLOTS) - 1;
142 SYSCTL_UINT(_security_mac, OID_AUTO, max_slots, CTLFLAG_RD | CTLFLAG_LOCKED,
143 &mac_max_slots, 0, "");
144
145 /*
146 * Has the kernel started generating labeled objects yet? All read/write
147 * access to this variable is serialized during the boot process. Following
148 * the end of serialization, we don't update this flag; no locking.
149 */
150 int mac_late = 0;
151
152 /*
153 * Flag to indicate whether or not we should allocate label storage for
154 * new mbufs. Since most dynamic policies we currently work with don't
155 * rely on mbuf labeling, try to avoid paying the cost of mtag allocation
156 * unless specifically notified of interest. One result of this is
157 * that if a dynamically loaded policy requests mbuf labels, it must
158 * be able to deal with a NULL label being returned on any mbufs that
159 * were already in flight when the policy was loaded. Since the policy
160 * already has to deal with uninitialized labels, this probably won't
161 * be a problem. Note: currently no locking. Will this be a problem?
162 */
163 #if CONFIG_MACF_NET
164 unsigned int mac_label_mbufs = 1;
165 SYSCTL_UINT(_security_mac, OID_AUTO, label_mbufs, SECURITY_MAC_CTLFLAGS,
166 &mac_label_mbufs, 0, "Label all MBUFs");
167 #endif
168
169
170 /*
171 * Flag to indicate whether or not we should allocate label storage for
172 * new vnodes. Since most dynamic policies we currently work with don't
173 * rely on vnode labeling, try to avoid paying the cost of mtag allocation
174 * unless specifically notified of interest. One result of this is
175 * that if a dynamically loaded policy requests vnode labels, it must
176 * be able to deal with a NULL label being returned on any vnodes that
177 * were already in flight when the policy was loaded. Since the policy
178 * already has to deal with uninitialized labels, this probably won't
179 * be a problem.
180 */
181 unsigned int mac_label_vnodes = 0;
182 SYSCTL_UINT(_security_mac, OID_AUTO, labelvnodes, SECURITY_MAC_CTLFLAGS,
183 &mac_label_vnodes, 0, "Label all vnodes");
184
185
186 unsigned int mac_mmap_revocation = 0;
187 SYSCTL_UINT(_security_mac, OID_AUTO, mmap_revocation, SECURITY_MAC_CTLFLAGS,
188 &mac_mmap_revocation, 0, "Revoke mmap access to files on subject "
189 "relabel");
190
191 unsigned int mac_mmap_revocation_via_cow = 0;
192 SYSCTL_UINT(_security_mac, OID_AUTO, mmap_revocation_via_cow, SECURITY_MAC_CTLFLAGS,
193 &mac_mmap_revocation_via_cow, 0, "Revoke mmap access to files via "
194 "copy-on-write semantics, or by removing all write access");
195
196 unsigned int mac_device_enforce = 1;
197 SYSCTL_UINT(_security_mac, OID_AUTO, device_enforce, SECURITY_MAC_CTLFLAGS,
198 &mac_device_enforce, 0, "Enforce MAC policy on device operations");
199
200 unsigned int mac_pipe_enforce = 1;
201 SYSCTL_UINT(_security_mac, OID_AUTO, pipe_enforce, SECURITY_MAC_CTLFLAGS,
202 &mac_pipe_enforce, 0, "Enforce MAC policy on pipe operations");
203
204 unsigned int mac_posixsem_enforce = 1;
205 SYSCTL_UINT(_security_mac, OID_AUTO, posixsem_enforce, SECURITY_MAC_CTLFLAGS,
206 &mac_posixsem_enforce, 0, "Enforce MAC policy on POSIX semaphores");
207
208 unsigned int mac_posixshm_enforce = 1;
209 SYSCTL_UINT(_security_mac, OID_AUTO, posixshm_enforce, SECURITY_MAC_CTLFLAGS,
210 &mac_posixshm_enforce, 0, "Enforce MAC policy on Posix Shared Memory");
211
212 unsigned int mac_proc_enforce = 1;
213 SYSCTL_UINT(_security_mac, OID_AUTO, proc_enforce, SECURITY_MAC_CTLFLAGS,
214 &mac_proc_enforce, 0, "Enforce MAC policy on process operations");
215
216 unsigned int mac_socket_enforce = 1;
217 SYSCTL_UINT(_security_mac, OID_AUTO, socket_enforce, SECURITY_MAC_CTLFLAGS,
218 &mac_socket_enforce, 0, "Enforce MAC policy on socket operations");
219
220 unsigned int mac_system_enforce = 1;
221 SYSCTL_UINT(_security_mac, OID_AUTO, system_enforce, SECURITY_MAC_CTLFLAGS,
222 &mac_system_enforce, 0, "Enforce MAC policy on system-wide interfaces");
223
224 unsigned int mac_sysvmsg_enforce = 1;
225 SYSCTL_UINT(_security_mac, OID_AUTO, sysvmsg_enforce, SECURITY_MAC_CTLFLAGS,
226 &mac_sysvmsg_enforce, 0, "Enforce MAC policy on System V IPC message queues");
227
228 unsigned int mac_sysvsem_enforce = 1;
229 SYSCTL_UINT(_security_mac, OID_AUTO, sysvsem_enforce, SECURITY_MAC_CTLFLAGS,
230 &mac_sysvsem_enforce, 0, "Enforce MAC policy on System V IPC semaphores");
231
232 unsigned int mac_sysvshm_enforce = 1;
233 SYSCTL_INT(_security_mac, OID_AUTO, sysvshm_enforce, SECURITY_MAC_CTLFLAGS,
234 &mac_sysvshm_enforce, 0, "Enforce MAC policy on System V Shared Memory");
235
236 unsigned int mac_vm_enforce = 1;
237 SYSCTL_INT(_security_mac, OID_AUTO, vm_enforce, SECURITY_MAC_CTLFLAGS,
238 &mac_vm_enforce, 0, "Enforce MAC policy on VM operations");
239
240 unsigned int mac_vnode_enforce = 1;
241 SYSCTL_UINT(_security_mac, OID_AUTO, vnode_enforce, SECURITY_MAC_CTLFLAGS,
242 &mac_vnode_enforce, 0, "Enforce MAC policy on vnode operations");
243
244 #if CONFIG_AUDIT
245 /*
246 * mac_audit_data_zone is the zone used for data pushed into the audit
247 * record by policies. Using a zone simplifies memory management of this
248 * data, and allows tracking of the amount of data in flight.
249 */
250 extern zone_t mac_audit_data_zone;
251 #endif
252
253 /*
254 * mac_policy_list holds the list of policy modules. Modules with a
255 * handle lower than staticmax are considered "static" and cannot be
256 * unloaded. Such policies can be invoked without holding the busy count.
257 *
258 * Modules with a handle at or above the staticmax high water mark
259 * are considered to be "dynamic" policies. A busy count is maintained
260 * for the list, stored in mac_policy_busy. The busy count is protected
261 * by mac_policy_mtx; the list may be modified only while the busy
262 * count is 0, requiring that the lock be held to prevent new references
263 * to the list from being acquired. For almost all operations,
264 * incrementing the busy count is sufficient to guarantee consistency,
265 * as the list cannot be modified while the busy count is elevated.
266 * For a few special operations involving a change to the list of
267 * active policies, the mtx itself must be held.
268 */
269 static lck_mtx_t *mac_policy_mtx;
270
271 /*
272 * Policy list array allocation chunk size. Trying to set this so that we
273 * allocate a page at a time.
274 */
275 #define MAC_POLICY_LIST_CHUNKSIZE 512
276
277 static int mac_policy_busy;
278
279 mac_policy_list_t mac_policy_list;
280
281 /*
282 * mac_label_element_list holds the master list of label namespaces for
283 * all the policies. When a policy is loaded, each of it's label namespace
284 * elements is added to the master list if not already present. When a
285 * policy is unloaded, the namespace elements are removed if no other
286 * policy is interested in that namespace element.
287 */
288 struct mac_label_element_list_t mac_label_element_list;
289 struct mac_label_element_list_t mac_static_label_element_list;
290
291 static __inline void
292 mac_policy_grab_exclusive(void)
293 {
294 lck_mtx_lock(mac_policy_mtx);
295 while (mac_policy_busy != 0) {
296 lck_mtx_sleep(mac_policy_mtx, LCK_SLEEP_UNLOCK,
297 (event_t)&mac_policy_busy, THREAD_UNINT);
298 lck_mtx_lock(mac_policy_mtx);
299 }
300 }
301
302 static __inline void
303 mac_policy_release_exclusive(void)
304 {
305
306 KASSERT(mac_policy_busy == 0,
307 ("mac_policy_release_exclusive(): not exclusive"));
308 lck_mtx_unlock(mac_policy_mtx);
309 thread_wakeup((event_t) &mac_policy_busy);
310 }
311
312 void
313 mac_policy_list_busy(void)
314 {
315 lck_mtx_lock(mac_policy_mtx);
316 mac_policy_busy++;
317 lck_mtx_unlock(mac_policy_mtx);
318 }
319
320 int
321 mac_policy_list_conditional_busy(void)
322 {
323 int ret;
324
325 if (mac_policy_list.numloaded <= mac_policy_list.staticmax)
326 return(0);
327
328 lck_mtx_lock(mac_policy_mtx);
329 if (mac_policy_list.numloaded > mac_policy_list.staticmax) {
330 mac_policy_busy++;
331 ret = 1;
332 } else
333 ret = 0;
334 lck_mtx_unlock(mac_policy_mtx);
335 return (ret);
336 }
337
338 void
339 mac_policy_list_unbusy(void)
340 {
341 lck_mtx_lock(mac_policy_mtx);
342 mac_policy_busy--;
343 KASSERT(mac_policy_busy >= 0, ("MAC_POLICY_LIST_LOCK"));
344 if (mac_policy_busy == 0)
345 thread_wakeup(&mac_policy_busy);
346 lck_mtx_unlock(mac_policy_mtx);
347 }
348
349 /*
350 * Early pre-malloc MAC initialization, including appropriate SMP locks.
351 */
352 void
353 mac_policy_init(void)
354 {
355 lck_grp_attr_t *mac_lck_grp_attr;
356 lck_attr_t *mac_lck_attr;
357 lck_grp_t *mac_lck_grp;
358
359 mac_policy_list.numloaded = 0;
360 mac_policy_list.max = MAC_POLICY_LIST_CHUNKSIZE;
361 mac_policy_list.maxindex = 0;
362 mac_policy_list.staticmax = 0;
363 mac_policy_list.freehint = 0;
364 mac_policy_list.chunks = 1;
365
366 mac_policy_list.entries = kalloc(sizeof(struct mac_policy_list_element) * MAC_POLICY_LIST_CHUNKSIZE);
367
368 bzero(mac_policy_list.entries, sizeof(struct mac_policy_list_element) * MAC_POLICY_LIST_CHUNKSIZE);
369
370 LIST_INIT(&mac_label_element_list);
371 LIST_INIT(&mac_static_label_element_list);
372
373 mac_lck_grp_attr = lck_grp_attr_alloc_init();
374 lck_grp_attr_setstat(mac_lck_grp_attr);
375 mac_lck_grp = lck_grp_alloc_init("MAC lock", mac_lck_grp_attr);
376 mac_lck_attr = lck_attr_alloc_init();
377 lck_attr_setdefault(mac_lck_attr);
378 mac_policy_mtx = lck_mtx_alloc_init(mac_lck_grp, mac_lck_attr);
379 lck_attr_free(mac_lck_attr);
380 lck_grp_attr_free(mac_lck_grp_attr);
381 lck_grp_free(mac_lck_grp);
382
383 mac_labelzone_init();
384 }
385
386 /* Function pointer set up for loading security extensions.
387 * It is set to an actual function after OSlibkernInit()
388 * has been called, and is set back to 0 by OSKextRemoveKextBootstrap()
389 * after bsd_init().
390 */
391 void (*load_security_extensions_function)(void) = 0;
392
393 /*
394 * Init after early Mach startup, but before BSD
395 */
396 void
397 mac_policy_initmach(void)
398 {
399
400 /*
401 * For the purposes of modules that want to know if they were
402 * loaded "early", set the mac_late flag once we've processed
403 * modules either linked into the kernel, or loaded before the
404 * kernel startup.
405 */
406
407 if (load_security_extensions_function) {
408 load_security_extensions_function();
409 }
410 mac_late = 1;
411 }
412
413 /*
414 * BSD startup.
415 */
416 void
417 mac_policy_initbsd(void)
418 {
419 struct mac_policy_conf *mpc;
420 u_int i;
421
422 #if CONFIG_AUDIT
423 mac_audit_data_zone = zinit(MAC_AUDIT_DATA_LIMIT,
424 AQ_HIWATER * MAC_AUDIT_DATA_LIMIT,
425 8192, "mac_audit_data_zone");
426 #endif
427
428 printf("MAC Framework successfully initialized\n");
429
430 /* Call bsd init functions of already loaded policies */
431
432 /*
433 * Using the exclusive lock means no other framework entry
434 * points can proceed while initializations are running.
435 * This may not be necessary.
436 */
437 mac_policy_grab_exclusive();
438
439 for (i = 0; i <= mac_policy_list.maxindex; i++) {
440 mpc = mac_get_mpc(i);
441 if ((mpc != NULL) && (mpc->mpc_ops->mpo_policy_initbsd != NULL))
442 (*(mpc->mpc_ops->mpo_policy_initbsd))(mpc);
443 }
444
445 mac_policy_release_exclusive();
446 }
447
448 /*
449 * After a policy has been loaded, add the label namespaces managed by the
450 * policy to either the static or non-static label namespace list.
451 * A namespace is added to the the list only if it is not already on one of
452 * the lists.
453 */
454 void
455 mac_policy_addto_labellist(mac_policy_handle_t handle, int static_entry)
456 {
457 struct mac_label_listener **new_mlls;
458 struct mac_label_element *mle, **new_mles;
459 struct mac_label_element_list_t *list;
460 struct mac_policy_conf *mpc;
461 const char *name, *name2;
462 u_int idx, mle_free, mll_free;
463
464 mpc = mac_get_mpc(handle);
465
466 if (mpc->mpc_labelnames == NULL)
467 return;
468
469 if (mpc->mpc_labelname_count == 0)
470 return;
471
472 if (static_entry)
473 list = &mac_static_label_element_list;
474 else
475 list = &mac_label_element_list;
476
477 /*
478 * Before we grab the policy list lock, allocate enough memory
479 * to contain the potential new elements so we don't have to
480 * give up the lock, or allocate with the lock held.
481 */
482 MALLOC(new_mles, struct mac_label_element **,
483 sizeof(struct mac_label_element *) *
484 mpc->mpc_labelname_count, M_MACTEMP, M_WAITOK | M_ZERO);
485 for (idx = 0; idx < mpc->mpc_labelname_count; idx++)
486 MALLOC(new_mles[idx], struct mac_label_element *,
487 sizeof(struct mac_label_element),
488 M_MACTEMP, M_WAITOK);
489 mle_free = 0;
490 MALLOC(new_mlls, struct mac_label_listener **,
491 sizeof(struct mac_label_listener *) *
492 mpc->mpc_labelname_count, M_MACTEMP, M_WAITOK);
493 for (idx = 0; idx < mpc->mpc_labelname_count; idx++)
494 MALLOC(new_mlls[idx], struct mac_label_listener *,
495 sizeof(struct mac_label_listener), M_MACTEMP, M_WAITOK);
496 mll_free = 0;
497
498 if (mac_late)
499 mac_policy_grab_exclusive();
500 for (idx = 0; idx < mpc->mpc_labelname_count; idx++) {
501
502 if (*(name = mpc->mpc_labelnames[idx]) == '?')
503 name++;
504 /*
505 * Check both label element lists and add to the
506 * appropriate list only if not already on a list.
507 */
508 LIST_FOREACH(mle, &mac_static_label_element_list, mle_list) {
509 if (*(name2 = mle->mle_name) == '?')
510 name2++;
511 if (strcmp(name, name2) == 0)
512 break;
513 }
514 if (mle == NULL) {
515 LIST_FOREACH(mle, &mac_label_element_list, mle_list) {
516 if (*(name2 = mle->mle_name) == '?')
517 name2++;
518 if (strcmp(name, name2) == 0)
519 break;
520 }
521 }
522 if (mle == NULL) {
523 mle = new_mles[mle_free];
524 strlcpy(mle->mle_name, mpc->mpc_labelnames[idx],
525 MAC_MAX_LABEL_ELEMENT_NAME);
526 LIST_INIT(&mle->mle_listeners);
527 LIST_INSERT_HEAD(list, mle, mle_list);
528 mle_free++;
529 }
530 /* Add policy handler as a listener. */
531 new_mlls[mll_free]->mll_handle = handle;
532 LIST_INSERT_HEAD(&mle->mle_listeners, new_mlls[mll_free],
533 mll_list);
534 mll_free++;
535 }
536 if (mac_late)
537 mac_policy_release_exclusive();
538
539 /* Free up any unused label elements and listeners */
540 for (idx = mle_free; idx < mpc->mpc_labelname_count; idx++)
541 FREE(new_mles[idx], M_MACTEMP);
542 FREE(new_mles, M_MACTEMP);
543 for (idx = mll_free; idx < mpc->mpc_labelname_count; idx++)
544 FREE(new_mlls[idx], M_MACTEMP);
545 FREE(new_mlls, M_MACTEMP);
546 }
547
548 /*
549 * After a policy has been unloaded, remove the label namespaces that the
550 * the policy manages from the non-static list of namespaces.
551 * The removal only takes place when no other policy is interested in the
552 * namespace.
553 *
554 * Must be called with the policy exclusive lock held.
555 */
556 void
557 mac_policy_removefrom_labellist(mac_policy_handle_t handle)
558 {
559 struct mac_label_listener *mll;
560 struct mac_label_element *mle;
561 struct mac_policy_conf *mpc;
562
563 mpc = mac_get_mpc(handle);
564
565 if (mpc->mpc_labelnames == NULL)
566 return;
567
568 if (mpc->mpc_labelname_count == 0)
569 return;
570
571 /*
572 * Unregister policy as being interested in any label
573 * namespaces. If no other policy is listening, remove
574 * that label element from the list. Note that we only
575 * have to worry about the non-static list.
576 */
577 LIST_FOREACH(mle, &mac_label_element_list, mle_list) {
578 LIST_FOREACH(mll, &mle->mle_listeners, mll_list) {
579 if (mll->mll_handle == handle) {
580 LIST_REMOVE(mll, mll_list);
581 FREE(mll, M_MACTEMP);
582 if (LIST_EMPTY(&mle->mle_listeners)) {
583 LIST_REMOVE(mle, mle_list);
584 FREE(mle, M_MACTEMP);
585 }
586 return;
587 }
588 }
589 }
590 }
591
592 /*
593 * After the policy list has changed, walk the list to update any global
594 * flags.
595 */
596 static void
597 mac_policy_updateflags(void)
598 {
599 }
600
601 static __inline void
602 mac_policy_fixup_mmd_list(struct mac_module_data *new)
603 {
604 struct mac_module_data *old;
605 struct mac_module_data_element *ele, *aele;
606 struct mac_module_data_list *arr, *dict;
607 unsigned int i, j, k;
608
609 old = new->base_addr;
610 DPRINTF(("fixup_mmd: old %p new %p\n", old, new));
611 for (i = 0; i < new->count; i++) {
612 ele = &(new->data[i]);
613 DPRINTF(("fixup_mmd: ele %p\n", ele));
614 DPRINTF((" key %p value %p\n", ele->key, ele->value));
615 mmd_fixup_ele(old, new, ele); /* Fix up key/value ptrs. */
616 DPRINTF((" key %p value %p\n", ele->key, ele->value));
617 if (ele->value_type == MAC_DATA_TYPE_ARRAY) {
618 arr = (struct mac_module_data_list *)ele->value;
619 DPRINTF(("fixup_mmd: array @%p\n", arr));
620 for (j = 0; j < arr->count; j++) {
621 aele = &(arr->list[j]);
622 DPRINTF(("fixup_mmd: aele %p\n", aele));
623 DPRINTF((" key %p value %p\n", aele->key, aele->value));
624 mmd_fixup_ele(old, new, aele);
625 DPRINTF((" key %p value %p\n", aele->key, aele->value));
626 if (arr->type == MAC_DATA_TYPE_DICT) {
627 dict = (struct mac_module_data_list *)aele->value;
628 DPRINTF(("fixup_mmd: dict @%p\n", dict));
629 for (k = 0; k < dict->count; k++)
630 mmd_fixup_ele(old, new,
631 &(dict->list[k]));
632 }
633 }
634 }
635 }
636 new->base_addr = new;
637 }
638
639 int
640 mac_policy_register(struct mac_policy_conf *mpc, mac_policy_handle_t *handlep,
641 void *xd)
642 {
643 struct mac_policy_list_element *tmac_policy_list_element;
644 int error, slot, static_entry = 0;
645 u_int i;
646
647 /*
648 * Some preliminary checks to make sure the policy's conf structure
649 * contains the required fields.
650 */
651 if (mpc->mpc_name == NULL)
652 panic("policy's name is not set\n");
653
654 if (mpc->mpc_fullname == NULL)
655 panic("policy's full name is not set\n");
656
657 if (mpc->mpc_labelname_count > MAC_MAX_MANAGED_NAMESPACES)
658 panic("policy's managed label namespaces exceeds maximum\n");
659
660 if (mpc->mpc_ops == NULL)
661 panic("policy's OPs field is NULL\n");
662
663 error = 0;
664
665 if (mac_late) {
666 if (mpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_NOTLATE) {
667 printf("Module %s does not support late loading.\n",
668 mpc->mpc_name);
669 return (EPERM);
670 }
671 mac_policy_grab_exclusive();
672 }
673
674 if (mac_policy_list.numloaded >= mac_policy_list.max) {
675 /* allocate new policy list array, zero new chunk */
676 tmac_policy_list_element =
677 kalloc((sizeof(struct mac_policy_list_element) *
678 MAC_POLICY_LIST_CHUNKSIZE) * (mac_policy_list.chunks + 1));
679 bzero(&tmac_policy_list_element[mac_policy_list.max],
680 sizeof(struct mac_policy_list_element) *
681 MAC_POLICY_LIST_CHUNKSIZE);
682
683 /* copy old entries into new list */
684 memcpy(tmac_policy_list_element, mac_policy_list.entries,
685 sizeof(struct mac_policy_list_element) *
686 MAC_POLICY_LIST_CHUNKSIZE * mac_policy_list.chunks);
687
688 /* free old array */
689 kfree(mac_policy_list.entries,
690 sizeof(struct mac_policy_list_element) *
691 MAC_POLICY_LIST_CHUNKSIZE * mac_policy_list.chunks);
692
693 mac_policy_list.entries = tmac_policy_list_element;
694
695 /* Update maximums, etc */
696 mac_policy_list.max += MAC_POLICY_LIST_CHUNKSIZE;
697 mac_policy_list.chunks++;
698 }
699
700 /* Check for policy with same name already loaded */
701 for (i = 0; i <= mac_policy_list.maxindex; i++) {
702 if (mac_policy_list.entries[i].mpc == NULL)
703 continue;
704
705 if (strcmp(mac_policy_list.entries[i].mpc->mpc_name,
706 mpc->mpc_name) == 0) {
707 error = EEXIST;
708 goto out;
709 }
710 }
711
712 if (mpc->mpc_field_off != NULL) {
713 slot = ffs(mac_slot_offsets_free);
714 if (slot == 0) {
715 error = ENOMEM;
716 goto out;
717 }
718 slot--;
719 mac_slot_offsets_free &= ~(1 << slot);
720 *mpc->mpc_field_off = slot;
721 }
722 mpc->mpc_runtime_flags |= MPC_RUNTIME_FLAG_REGISTERED;
723
724 if (xd) {
725 struct mac_module_data *mmd = xd; /* module data from plist */
726
727 /* Make a copy of the data. */
728 mpc->mpc_data = (void *)kalloc(mmd->size);
729 if (mpc->mpc_data != NULL) {
730 memcpy(mpc->mpc_data, mmd, mmd->size);
731
732 /* Fix up pointers after copy. */
733 mac_policy_fixup_mmd_list(mpc->mpc_data);
734 }
735 }
736
737 /* Find the first free handle in the list (using our hint). */
738 for (i = mac_policy_list.freehint; i < mac_policy_list.max; i++) {
739 if (mac_policy_list.entries[i].mpc == NULL) {
740 *handlep = i;
741 mac_policy_list.freehint = ++i;
742 break;
743 }
744 }
745
746 /*
747 * If we are loading a MAC module before the framework has
748 * finished initializing or the module is not unloadable and
749 * we can place its handle adjacent to the last static entry,
750 * bump the static policy high water mark.
751 * Static policies can get by with weaker locking requirements.
752 */
753 if (!mac_late ||
754 ((mpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_UNLOADOK) == 0 &&
755 *handlep == mac_policy_list.staticmax)) {
756 static_entry = 1;
757 mac_policy_list.staticmax++;
758 }
759
760 mac_policy_list.entries[*handlep].mpc = mpc;
761
762 /* Update counters, etc */
763 if (*handlep > mac_policy_list.maxindex)
764 mac_policy_list.maxindex = *handlep;
765 mac_policy_list.numloaded++;
766
767 /* Per-policy initialization. */
768 printf ("calling mpo_policy_init for %s\n", mpc->mpc_name);
769 if (mpc->mpc_ops->mpo_policy_init != NULL)
770 (*(mpc->mpc_ops->mpo_policy_init))(mpc);
771
772 if (mac_late && mpc->mpc_ops->mpo_policy_initbsd != NULL) {
773 printf ("calling mpo_policy_initbsd for %s\n", mpc->mpc_name);
774 (*(mpc->mpc_ops->mpo_policy_initbsd))(mpc);
775 }
776
777 mac_policy_updateflags();
778
779 if (mac_late)
780 mac_policy_release_exclusive();
781
782 mac_policy_addto_labellist(*handlep, static_entry);
783
784 printf("Security policy loaded: %s (%s)\n", mpc->mpc_fullname,
785 mpc->mpc_name);
786
787 return (0);
788
789 out:
790 if (mac_late)
791 mac_policy_release_exclusive();
792
793 return (error);
794 }
795
796 int
797 mac_policy_unregister(mac_policy_handle_t handle)
798 {
799 struct mac_policy_conf *mpc;
800
801 /*
802 * If we fail the load, we may get a request to unload. Check
803 * to see if we did the run-time registration, and if not,
804 * silently succeed.
805 */
806 mac_policy_grab_exclusive();
807 mpc = mac_get_mpc(handle);
808 if ((mpc->mpc_runtime_flags & MPC_RUNTIME_FLAG_REGISTERED) == 0) {
809 mac_policy_release_exclusive();
810 return (0);
811 }
812
813 #if 0
814 /*
815 * Don't allow unloading modules with private data.
816 */
817 if (mpc->mpc_field_off != NULL) {
818 MAC_POLICY_LIST_UNLOCK();
819 return (EBUSY);
820 }
821 #endif
822 /*
823 * Only allow the unload to proceed if the module is unloadable
824 * by its own definition.
825 */
826 if ((mpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_UNLOADOK) == 0) {
827 mac_policy_release_exclusive();
828 return (EBUSY);
829 }
830
831 mac_policy_removefrom_labellist(handle);
832
833 mac_get_mpc(handle) = NULL;
834 if (handle < mac_policy_list.freehint &&
835 handle >= mac_policy_list.staticmax)
836 mac_policy_list.freehint = handle;
837
838 if (handle == mac_policy_list.maxindex)
839 mac_policy_list.maxindex--;
840
841 mac_policy_list.numloaded--;
842 if (mpc->mpc_field_off != NULL) {
843 mac_slot_offsets_free |= (1 << *mpc->mpc_field_off);
844 }
845
846 if (mpc->mpc_ops->mpo_policy_destroy != NULL)
847 (*(mpc->mpc_ops->mpo_policy_destroy))(mpc);
848
849 mpc->mpc_runtime_flags &= ~MPC_RUNTIME_FLAG_REGISTERED;
850 mac_policy_updateflags();
851
852 mac_policy_release_exclusive();
853
854 if (mpc->mpc_data) {
855 struct mac_module_data *mmd = mpc->mpc_data;
856 kfree(mmd, mmd->size);
857 mpc->mpc_data = NULL;
858 }
859
860 printf("Security policy unload: %s (%s)\n", mpc->mpc_fullname,
861 mpc->mpc_name);
862
863 return (0);
864 }
865
866 /*
867 * Define an error value precedence, and given two arguments, selects the
868 * value with the higher precedence.
869 */
870 int
871 mac_error_select(int error1, int error2)
872 {
873
874 /* Certain decision-making errors take top priority. */
875 if (error1 == EDEADLK || error2 == EDEADLK)
876 return (EDEADLK);
877
878 /* Invalid arguments should be reported where possible. */
879 if (error1 == EINVAL || error2 == EINVAL)
880 return (EINVAL);
881
882 /* Precedence goes to "visibility", with both process and file. */
883 if (error1 == ESRCH || error2 == ESRCH)
884 return (ESRCH);
885
886 if (error1 == ENOENT || error2 == ENOENT)
887 return (ENOENT);
888
889 /* Precedence goes to DAC/MAC protections. */
890 if (error1 == EACCES || error2 == EACCES)
891 return (EACCES);
892
893 /* Precedence goes to privilege. */
894 if (error1 == EPERM || error2 == EPERM)
895 return (EPERM);
896
897 /* Precedence goes to error over success; otherwise, arbitrary. */
898 if (error1 != 0)
899 return (error1);
900 return (error2);
901 }
902
903 void
904 mac_label_init(struct label *label)
905 {
906
907 bzero(label, sizeof(*label));
908 label->l_flags = MAC_FLAG_INITIALIZED;
909 }
910
911 void
912 mac_label_destroy(struct label *label)
913 {
914
915 KASSERT(label->l_flags & MAC_FLAG_INITIALIZED,
916 ("destroying uninitialized label"));
917
918 bzero(label, sizeof(*label));
919 /* implicit: label->l_flags &= ~MAC_FLAG_INITIALIZED; */
920 }
921
922 int
923 mac_check_structmac_consistent(struct user_mac *mac)
924 {
925
926 if (mac->m_buflen > MAC_MAX_LABEL_BUF_LEN || mac->m_buflen == 0)
927 return (EINVAL);
928
929 return (0);
930 }
931
932 /*
933 * Get the external forms of labels from all policies, for a single
934 * label namespace or "*" for all namespaces. Returns ENOENT if no policy
935 * is registered for the namespace, unless the namespace begins with a '?'.
936 */
937 static int
938 mac_label_externalize(size_t mpo_externalize_off, struct label *label,
939 const char *element, struct sbuf *sb)
940 {
941 struct mac_policy_conf *mpc;
942 struct mac_label_listener *mll;
943 struct mac_label_element *mle;
944 struct mac_label_element_list_t *element_list;
945 const char *name;
946 int (*mpo_externalize)(struct label *, char *, struct sbuf *);
947 int all_labels = 0, ignorenotfound = 0, error = 0, busy = FALSE;
948 unsigned int count = 0;
949
950 if (element[0] == '?') {
951 element++;
952 ignorenotfound = 1;
953 } else if (element[0] == '*' && element[1] == '\0')
954 all_labels = 1;
955
956 element_list = &mac_static_label_element_list;
957 element_loop:
958 LIST_FOREACH(mle, element_list, mle_list) {
959 name = mle->mle_name;
960 if (all_labels) {
961 if (*name == '?')
962 continue;
963 } else {
964 if (*name == '?')
965 name++;
966 if (strcmp(name, element) != 0)
967 continue;
968 }
969 LIST_FOREACH(mll, &mle->mle_listeners, mll_list) {
970 mpc = mac_policy_list.entries[mll->mll_handle].mpc;
971 if (mpc == NULL)
972 continue;
973 mpo_externalize = *(typeof(mpo_externalize) *)
974 ((char *)mpc->mpc_ops + mpo_externalize_off);
975 if (mpo_externalize == NULL)
976 continue;
977 error = sbuf_printf(sb, "%s/", name);
978 if (error)
979 goto done;
980 error = mpo_externalize(label, mle->mle_name, sb);
981 if (error) {
982 if (error != ENOENT)
983 goto done;
984 /*
985 * If a policy doesn't have a label to
986 * externalize it returns ENOENT. This
987 * may occur for policies that support
988 * multiple label elements for some
989 * (but not all) object types.
990 */
991 sbuf_setpos(sb, sbuf_len(sb) -
992 (strlen(name) + 1));
993 error = 0;
994 continue;
995 }
996 error = sbuf_putc(sb, ',');
997 if (error)
998 goto done;
999 count++;
1000 }
1001 }
1002 /* If there are dynamic policies present, check their elements too. */
1003 if (!busy && mac_policy_list_conditional_busy() == 1) {
1004 element_list = &mac_label_element_list;
1005 busy = TRUE;
1006 goto element_loop;
1007 }
1008 done:
1009 if (busy)
1010 mac_policy_list_unbusy();
1011 if (!error && count == 0) {
1012 if (!all_labels && !ignorenotfound)
1013 error = ENOENT; /* XXX: ENOLABEL? */
1014 }
1015 return (error);
1016 }
1017
1018 /*
1019 * Get the external forms of labels from all policies, for all label
1020 * namespaces contained in a list.
1021 *
1022 * XXX This may be leaking an sbuf.
1023 */
1024 int
1025 mac_externalize(size_t mpo_externalize_off, struct label *label,
1026 const char *elementlist, char *outbuf, size_t outbuflen)
1027 {
1028 char *element;
1029 char *scratch_base;
1030 char *scratch;
1031 struct sbuf sb;
1032 int error = 0, len;
1033
1034 /* allocate a scratch buffer the size of the string */
1035 MALLOC(scratch_base, char *, strlen(elementlist)+1, M_MACTEMP, M_WAITOK);
1036 if (scratch_base == NULL) {
1037 error = ENOMEM;
1038 goto out;
1039 }
1040
1041 /* copy the elementlist to the scratch buffer */
1042 strlcpy(scratch_base, elementlist, strlen(elementlist)+1);
1043
1044 /*
1045 * set up a temporary pointer that can be used to iterate the
1046 * scratch buffer without losing the allocation address
1047 */
1048 scratch = scratch_base;
1049
1050 /* get an sbuf */
1051 if (sbuf_new(&sb, outbuf, outbuflen, SBUF_FIXEDLEN) == NULL) {
1052 /* could not allocate interior buffer */
1053 error = ENOMEM;
1054 goto out;
1055 }
1056 /* iterate the scratch buffer; NOTE: buffer contents modified! */
1057 while ((element = strsep(&scratch, ",")) != NULL) {
1058 error = mac_label_externalize(mpo_externalize_off, label,
1059 element, &sb);
1060 if (error)
1061 break;
1062 }
1063 if ((len = sbuf_len(&sb)) > 0)
1064 sbuf_setpos(&sb, len - 1); /* trim trailing comma */
1065 sbuf_finish(&sb);
1066
1067 out:
1068 if (scratch_base != NULL)
1069 FREE(scratch_base, M_MACTEMP);
1070
1071 return (error);
1072 }
1073
1074 /*
1075 * Have all policies set the internal form of a label, for a single
1076 * label namespace.
1077 */
1078 static int
1079 mac_label_internalize(size_t mpo_internalize_off, struct label *label,
1080 char *element_name, char *element_data)
1081 {
1082 struct mac_policy_conf *mpc;
1083 struct mac_label_listener *mll;
1084 struct mac_label_element *mle;
1085 struct mac_label_element_list_t *element_list;
1086 int (*mpo_internalize)(struct label *, char *, char *);
1087 int error = 0, busy = FALSE;
1088 unsigned int count = 0;
1089 const char *name;
1090
1091 element_list = &mac_static_label_element_list;
1092 element_loop:
1093 LIST_FOREACH(mle, element_list, mle_list) {
1094 if (*(name = mle->mle_name) == '?')
1095 name++;
1096 if (strcmp(element_name, name) != 0)
1097 continue;
1098 LIST_FOREACH(mll, &mle->mle_listeners, mll_list) {
1099 mpc = mac_policy_list.entries[mll->mll_handle].mpc;
1100 if (mpc == NULL)
1101 continue;
1102 mpo_internalize = *(typeof(mpo_internalize) *)
1103 ((char *)mpc->mpc_ops + mpo_internalize_off);
1104 if (mpo_internalize == NULL)
1105 continue;
1106 error = mpo_internalize(label, element_name,
1107 element_data);
1108 if (error)
1109 goto done;
1110 count++;
1111 }
1112 }
1113 /* If there are dynamic policies present, check their elements too. */
1114 if (!busy && mac_policy_list_conditional_busy() == 1) {
1115 element_list = &mac_label_element_list;
1116 busy = TRUE;
1117 goto element_loop;
1118 }
1119 done:
1120 if (busy)
1121 mac_policy_list_unbusy();
1122 if (!error && count == 0)
1123 error = ENOPOLICY;
1124 return (error);
1125 }
1126
1127 int
1128 mac_internalize(size_t mpo_internalize_off, struct label *label,
1129 char *textlabels)
1130 {
1131 char *element_name, *element_data;
1132 int error = 0;
1133
1134 while (!error && (element_name = strsep(&textlabels, ",")) != NULL) {
1135 element_data = strchr(element_name, '/');
1136 if (element_data == NULL) {
1137 error = EINVAL;
1138 break;
1139 }
1140 *element_data++ = '\0';
1141 error = mac_label_internalize(mpo_internalize_off, label,
1142 element_name, element_data);
1143 }
1144 return (error);
1145 }
1146
1147 /* system calls */
1148
1149 int
1150 __mac_get_pid(struct proc *p, struct __mac_get_pid_args *uap, int *ret __unused)
1151 {
1152 char *elements, *buffer;
1153 struct user_mac mac;
1154 struct proc *tproc;
1155 struct ucred *tcred;
1156 int error;
1157 size_t ulen;
1158
1159 AUDIT_ARG(pid, uap->pid);
1160 if (IS_64BIT_PROCESS(p)) {
1161 struct user64_mac mac64;
1162 error = copyin(uap->mac_p, &mac64, sizeof(mac64));
1163 mac.m_buflen = mac64.m_buflen;
1164 mac.m_string = mac64.m_string;
1165 } else {
1166 struct user32_mac mac32;
1167 error = copyin(uap->mac_p, &mac32, sizeof(mac32));
1168 mac.m_buflen = mac32.m_buflen;
1169 mac.m_string = mac32.m_string;
1170 }
1171 if (error)
1172 return (error);
1173
1174 error = mac_check_structmac_consistent(&mac);
1175 if (error)
1176 return (error);
1177
1178 tproc = proc_find(uap->pid);
1179 if (tproc == NULL)
1180 return (ESRCH);
1181 tcred = kauth_cred_proc_ref(tproc);
1182 proc_rele(tproc);
1183
1184 MALLOC(elements, char *, mac.m_buflen, M_MACTEMP, M_WAITOK);
1185 error = copyinstr(mac.m_string, elements, mac.m_buflen, &ulen);
1186 if (error) {
1187 FREE(elements, M_MACTEMP);
1188 kauth_cred_unref(&tcred);
1189 return (error);
1190 }
1191 AUDIT_ARG(mac_string, elements);
1192
1193 MALLOC(buffer, char *, mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
1194 error = mac_cred_label_externalize(tcred->cr_label, elements,
1195 buffer, mac.m_buflen, M_WAITOK);
1196 if (error == 0)
1197 error = copyout(buffer, mac.m_string, strlen(buffer)+1);
1198
1199 FREE(buffer, M_MACTEMP);
1200 FREE(elements, M_MACTEMP);
1201 kauth_cred_unref(&tcred);
1202 return (error);
1203 }
1204
1205 int
1206 __mac_get_proc(proc_t p, struct __mac_get_proc_args *uap, int *ret __unused)
1207 {
1208 char *elements, *buffer;
1209 struct user_mac mac;
1210 kauth_cred_t cr;
1211 int error;
1212 size_t ulen;
1213
1214 if (IS_64BIT_PROCESS(p)) {
1215 struct user64_mac mac64;
1216 error = copyin(uap->mac_p, &mac64, sizeof(mac64));
1217 mac.m_buflen = mac64.m_buflen;
1218 mac.m_string = mac64.m_string;
1219 } else {
1220 struct user32_mac mac32;
1221 error = copyin(uap->mac_p, &mac32, sizeof(mac32));
1222 mac.m_buflen = mac32.m_buflen;
1223 mac.m_string = mac32.m_string;
1224 }
1225 if (error)
1226 return (error);
1227
1228 error = mac_check_structmac_consistent(&mac);
1229 if (error)
1230 return (error);
1231
1232 MALLOC(elements, char *, mac.m_buflen, M_MACTEMP, M_WAITOK);
1233 error = copyinstr(mac.m_string, elements, mac.m_buflen, &ulen);
1234 if (error) {
1235 FREE(elements, M_MACTEMP);
1236 return (error);
1237 }
1238 AUDIT_ARG(mac_string, elements);
1239
1240 cr = kauth_cred_proc_ref(p);
1241
1242 MALLOC(buffer, char *, mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
1243 error = mac_cred_label_externalize(cr->cr_label,
1244 elements, buffer, mac.m_buflen, M_WAITOK);
1245 if (error == 0)
1246 error = copyout(buffer, mac.m_string, strlen(buffer)+1);
1247
1248 FREE(buffer, M_MACTEMP);
1249 FREE(elements, M_MACTEMP);
1250 kauth_cred_unref(&cr);
1251 return (error);
1252 }
1253
1254 int
1255 __mac_set_proc(proc_t p, struct __mac_set_proc_args *uap, int *ret __unused)
1256 {
1257 struct label *intlabel;
1258 struct user_mac mac;
1259 char *buffer;
1260 int error;
1261 size_t ulen;
1262
1263 if (IS_64BIT_PROCESS(p)) {
1264 struct user64_mac mac64;
1265 error = copyin(uap->mac_p, &mac64, sizeof(mac64));
1266 mac.m_buflen = mac64.m_buflen;
1267 mac.m_string = mac64.m_string;
1268 } else {
1269 struct user32_mac mac32;
1270 error = copyin(uap->mac_p, &mac32, sizeof(mac32));
1271 mac.m_buflen = mac32.m_buflen;
1272 mac.m_string = mac32.m_string;
1273 }
1274 if (error)
1275 return (error);
1276
1277 error = mac_check_structmac_consistent(&mac);
1278 if (error)
1279 return (error);
1280
1281 MALLOC(buffer, char *, mac.m_buflen, M_MACTEMP, M_WAITOK);
1282 error = copyinstr(mac.m_string, buffer, mac.m_buflen, &ulen);
1283 if (error) {
1284 FREE(buffer, M_MACTEMP);
1285 return (error);
1286 }
1287 AUDIT_ARG(mac_string, buffer);
1288
1289 intlabel = mac_cred_label_alloc();
1290 error = mac_cred_label_internalize(intlabel, buffer);
1291 FREE(buffer, M_MACTEMP);
1292 if (error)
1293 goto out;
1294
1295 error = mac_cred_check_label_update(kauth_cred_get(), intlabel);
1296 if (error) {
1297 goto out;
1298 }
1299
1300 error = kauth_proc_label_update(p, intlabel);
1301 if (error)
1302 goto out;
1303
1304 out:
1305 mac_cred_label_free(intlabel);
1306 return (error);
1307 }
1308
1309 int
1310 __mac_get_fd(proc_t p, struct __mac_get_fd_args *uap, int *ret __unused)
1311 {
1312 struct fileproc *fp;
1313 struct vnode *vp;
1314 struct user_mac mac;
1315 char *elements, *buffer;
1316 int error;
1317 size_t ulen;
1318 kauth_cred_t my_cred;
1319 #if CONFIG_MACF_SOCKET
1320 struct socket *so;
1321 #endif /* MAC_SOCKET */
1322 struct label *intlabel;
1323
1324 AUDIT_ARG(fd, uap->fd);
1325
1326 if (IS_64BIT_PROCESS(p)) {
1327 struct user64_mac mac64;
1328 error = copyin(uap->mac_p, &mac64, sizeof(mac64));
1329 mac.m_buflen = mac64.m_buflen;
1330 mac.m_string = mac64.m_string;
1331 } else {
1332 struct user32_mac mac32;
1333 error = copyin(uap->mac_p, &mac32, sizeof(mac32));
1334 mac.m_buflen = mac32.m_buflen;
1335 mac.m_string = mac32.m_string;
1336 }
1337
1338 if (error)
1339 return (error);
1340
1341 error = mac_check_structmac_consistent(&mac);
1342 if (error)
1343 return (error);
1344
1345 MALLOC(elements, char *, mac.m_buflen, M_MACTEMP, M_WAITOK);
1346 error = copyinstr(mac.m_string, elements, mac.m_buflen, &ulen);
1347 if (error) {
1348 FREE(elements, M_MACTEMP);
1349 return (error);
1350 }
1351 AUDIT_ARG(mac_string, elements);
1352
1353 MALLOC(buffer, char *, mac.m_buflen, M_MACTEMP, M_WAITOK);
1354 error = fp_lookup(p, uap->fd, &fp, 0);
1355 if (error) {
1356 FREE(buffer, M_MACTEMP);
1357 FREE(elements, M_MACTEMP);
1358 return (error);
1359 }
1360
1361 my_cred = kauth_cred_proc_ref(p);
1362 error = mac_file_check_get(my_cred, fp->f_fglob, elements, mac.m_buflen);
1363 kauth_cred_unref(&my_cred);
1364 if (error) {
1365 fp_drop(p, uap->fd, fp, 0);
1366 FREE(buffer, M_MACTEMP);
1367 FREE(elements, M_MACTEMP);
1368 return (error);
1369 }
1370
1371 switch (FILEGLOB_DTYPE(fp->f_fglob)) {
1372 case DTYPE_VNODE:
1373 intlabel = mac_vnode_label_alloc();
1374 if (intlabel == NULL) {
1375 error = ENOMEM;
1376 break;
1377 }
1378 vp = (struct vnode *)fp->f_fglob->fg_data;
1379 error = vnode_getwithref(vp);
1380 if (error == 0) {
1381 mac_vnode_label_copy(vp->v_label, intlabel);
1382 error = mac_vnode_label_externalize(intlabel,
1383 elements, buffer,
1384 mac.m_buflen, M_WAITOK);
1385 vnode_put(vp);
1386 }
1387 mac_vnode_label_free(intlabel);
1388 break;
1389 case DTYPE_SOCKET:
1390 #if CONFIG_MACF_SOCKET
1391 so = (struct socket *) fp->f_fglob->fg_data;
1392 intlabel = mac_socket_label_alloc(MAC_WAITOK);
1393 sock_lock(so, 1);
1394 mac_socket_label_copy(so->so_label, intlabel);
1395 sock_unlock(so, 1);
1396 error = mac_socket_label_externalize(intlabel, elements, buffer, mac.m_buflen);
1397 mac_socket_label_free(intlabel);
1398 break;
1399 #endif
1400 case DTYPE_PSXSHM:
1401 case DTYPE_PSXSEM:
1402 case DTYPE_PIPE:
1403 case DTYPE_KQUEUE:
1404 case DTYPE_FSEVENTS:
1405 default:
1406 error = ENOSYS; // only sockets/vnodes so far
1407 break;
1408 }
1409 fp_drop(p, uap->fd, fp, 0);
1410
1411 if (error == 0)
1412 error = copyout(buffer, mac.m_string, strlen(buffer)+1);
1413
1414 FREE(buffer, M_MACTEMP);
1415 FREE(elements, M_MACTEMP);
1416 return (error);
1417 }
1418
1419 static int
1420 mac_get_filelink(proc_t p, user_addr_t mac_p, user_addr_t path_p, int follow)
1421 {
1422 struct vnode *vp;
1423 vfs_context_t ctx;
1424 char *elements, *buffer;
1425 struct nameidata nd;
1426 struct label *intlabel;
1427 struct user_mac mac;
1428 int error;
1429 size_t ulen;
1430
1431 if (IS_64BIT_PROCESS(p)) {
1432 struct user64_mac mac64;
1433 error = copyin(mac_p, &mac64, sizeof(mac64));
1434 mac.m_buflen = mac64.m_buflen;
1435 mac.m_string = mac64.m_string;
1436 } else {
1437 struct user32_mac mac32;
1438 error = copyin(mac_p, &mac32, sizeof(mac32));
1439 mac.m_buflen = mac32.m_buflen;
1440 mac.m_string = mac32.m_string;
1441 }
1442
1443 if (error)
1444 return (error);
1445
1446 error = mac_check_structmac_consistent(&mac);
1447 if (error)
1448 return (error);
1449
1450 MALLOC(elements, char *, mac.m_buflen, M_MACTEMP, M_WAITOK);
1451 MALLOC(buffer, char *, mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
1452
1453 error = copyinstr(mac.m_string, elements, mac.m_buflen, &ulen);
1454 if (error) {
1455 FREE(buffer, M_MACTEMP);
1456 FREE(elements, M_MACTEMP);
1457 return (error);
1458 }
1459 AUDIT_ARG(mac_string, elements);
1460
1461 ctx = vfs_context_current();
1462
1463 NDINIT(&nd, LOOKUP, OP_LOOKUP,
1464 LOCKLEAF | (follow ? FOLLOW : NOFOLLOW) | AUDITVNPATH1,
1465 UIO_USERSPACE, path_p, ctx);
1466 error = namei(&nd);
1467 if (error) {
1468 FREE(buffer, M_MACTEMP);
1469 FREE(elements, M_MACTEMP);
1470 return (error);
1471 }
1472 vp = nd.ni_vp;
1473
1474 nameidone(&nd);
1475
1476 intlabel = mac_vnode_label_alloc();
1477 mac_vnode_label_copy(vp->v_label, intlabel);
1478 error = mac_vnode_label_externalize(intlabel, elements, buffer,
1479 mac.m_buflen, M_WAITOK);
1480 mac_vnode_label_free(intlabel);
1481 if (error == 0)
1482 error = copyout(buffer, mac.m_string, strlen(buffer) + 1);
1483
1484 vnode_put(vp);
1485
1486 FREE(buffer, M_MACTEMP);
1487 FREE(elements, M_MACTEMP);
1488
1489 return (error);
1490 }
1491
1492 int
1493 __mac_get_file(proc_t p, struct __mac_get_file_args *uap,
1494 int *ret __unused)
1495 {
1496
1497 return (mac_get_filelink(p, uap->mac_p, uap->path_p, 1));
1498 }
1499
1500 int
1501 __mac_get_link(proc_t p, struct __mac_get_link_args *uap,
1502 int *ret __unused)
1503 {
1504
1505 return (mac_get_filelink(p, uap->mac_p, uap->path_p, 0));
1506 }
1507
1508 int
1509 __mac_set_fd(proc_t p, struct __mac_set_fd_args *uap, int *ret __unused)
1510 {
1511
1512 struct fileproc *fp;
1513 struct user_mac mac;
1514 struct vfs_context *ctx = vfs_context_current();
1515 int error;
1516 size_t ulen;
1517 char *buffer;
1518 struct label *intlabel;
1519 #if CONFIG_MACF_SOCKET
1520 struct socket *so;
1521 #endif
1522 struct vnode *vp;
1523
1524 AUDIT_ARG(fd, uap->fd);
1525
1526 if (IS_64BIT_PROCESS(p)) {
1527 struct user64_mac mac64;
1528 error = copyin(uap->mac_p, &mac64, sizeof(mac64));
1529 mac.m_buflen = mac64.m_buflen;
1530 mac.m_string = mac64.m_string;
1531 } else {
1532 struct user32_mac mac32;
1533 error = copyin(uap->mac_p, &mac32, sizeof(mac32));
1534 mac.m_buflen = mac32.m_buflen;
1535 mac.m_string = mac32.m_string;
1536 }
1537 if (error)
1538 return (error);
1539
1540 error = mac_check_structmac_consistent(&mac);
1541 if (error)
1542 return (error);
1543
1544 MALLOC(buffer, char *, mac.m_buflen, M_MACTEMP, M_WAITOK);
1545 error = copyinstr(mac.m_string, buffer, mac.m_buflen, &ulen);
1546 if (error) {
1547 FREE(buffer, M_MACTEMP);
1548 return (error);
1549 }
1550 AUDIT_ARG(mac_string, buffer);
1551
1552 error = fp_lookup(p, uap->fd, &fp, 0);
1553 if (error) {
1554 FREE(buffer, M_MACTEMP);
1555 return (error);
1556 }
1557
1558
1559 error = mac_file_check_set(vfs_context_ucred(ctx), fp->f_fglob, buffer, mac.m_buflen);
1560 if (error) {
1561 fp_drop(p, uap->fd, fp, 0);
1562 FREE(buffer, M_MACTEMP);
1563 return (error);
1564 }
1565
1566 switch (FILEGLOB_DTYPE(fp->f_fglob)) {
1567
1568 case DTYPE_VNODE:
1569 if (mac_label_vnodes == 0) {
1570 error = ENOSYS;
1571 break;
1572 }
1573
1574 intlabel = mac_vnode_label_alloc();
1575
1576 error = mac_vnode_label_internalize(intlabel, buffer);
1577 if (error) {
1578 mac_vnode_label_free(intlabel);
1579 break;
1580 }
1581
1582
1583 vp = (struct vnode *)fp->f_fglob->fg_data;
1584
1585 error = vnode_getwithref(vp);
1586 if (error == 0) {
1587 error = vn_setlabel(vp, intlabel, ctx);
1588 vnode_put(vp);
1589 }
1590 mac_vnode_label_free(intlabel);
1591 break;
1592
1593 case DTYPE_SOCKET:
1594 #if CONFIG_MACF_SOCKET
1595 intlabel = mac_socket_label_alloc(MAC_WAITOK);
1596 error = mac_socket_label_internalize(intlabel, buffer);
1597 if (error == 0) {
1598 so = (struct socket *) fp->f_fglob->fg_data;
1599 SOCK_LOCK(so);
1600 error = mac_socket_label_update(vfs_context_ucred(ctx), so, intlabel);
1601 SOCK_UNLOCK(so);
1602 }
1603 mac_socket_label_free(intlabel);
1604 break;
1605 #endif
1606 case DTYPE_PSXSHM:
1607 case DTYPE_PSXSEM:
1608 case DTYPE_PIPE:
1609 case DTYPE_KQUEUE:
1610 case DTYPE_FSEVENTS:
1611 default:
1612 error = ENOSYS; // only sockets/vnodes so far
1613 break;
1614 }
1615
1616 fp_drop(p, uap->fd, fp, 0);
1617 FREE(buffer, M_MACTEMP);
1618 return (error);
1619 }
1620
1621 static int
1622 mac_set_filelink(proc_t p, user_addr_t mac_p, user_addr_t path_p,
1623 int follow)
1624 {
1625 register struct vnode *vp;
1626 struct vfs_context *ctx = vfs_context_current();
1627 struct label *intlabel;
1628 struct nameidata nd;
1629 struct user_mac mac;
1630 char *buffer;
1631 int error;
1632 size_t ulen;
1633
1634 if (mac_label_vnodes == 0)
1635 return ENOSYS;
1636
1637 if (IS_64BIT_PROCESS(p)) {
1638 struct user64_mac mac64;
1639 error = copyin(mac_p, &mac64, sizeof(mac64));
1640 mac.m_buflen = mac64.m_buflen;
1641 mac.m_string = mac64.m_string;
1642 } else {
1643 struct user32_mac mac32;
1644 error = copyin(mac_p, &mac32, sizeof(mac32));
1645 mac.m_buflen = mac32.m_buflen;
1646 mac.m_string = mac32.m_string;
1647 }
1648 if (error)
1649 return (error);
1650
1651 error = mac_check_structmac_consistent(&mac);
1652 if (error) {
1653 printf("mac_set_file: failed structure consistency check\n");
1654 return (error);
1655 }
1656
1657 MALLOC(buffer, char *, mac.m_buflen, M_MACTEMP, M_WAITOK);
1658 error = copyinstr(mac.m_string, buffer, mac.m_buflen, &ulen);
1659 if (error) {
1660 FREE(buffer, M_MACTEMP);
1661 return (error);
1662 }
1663 AUDIT_ARG(mac_string, buffer);
1664
1665 intlabel = mac_vnode_label_alloc();
1666 error = mac_vnode_label_internalize(intlabel, buffer);
1667 FREE(buffer, M_MACTEMP);
1668 if (error) {
1669 mac_vnode_label_free(intlabel);
1670 return (error);
1671 }
1672
1673 NDINIT(&nd, LOOKUP, OP_LOOKUP,
1674 LOCKLEAF | (follow ? FOLLOW : NOFOLLOW) | AUDITVNPATH1,
1675 UIO_USERSPACE, path_p, ctx);
1676 error = namei(&nd);
1677 if (error) {
1678 mac_vnode_label_free(intlabel);
1679 return (error);
1680 }
1681 vp = nd.ni_vp;
1682
1683 nameidone(&nd);
1684
1685 error = vn_setlabel(vp, intlabel, ctx);
1686 vnode_put(vp);
1687 mac_vnode_label_free(intlabel);
1688
1689 return (error);
1690 }
1691
1692 int
1693 __mac_set_file(proc_t p, struct __mac_set_file_args *uap,
1694 int *ret __unused)
1695 {
1696
1697 return (mac_set_filelink(p, uap->mac_p, uap->path_p, 1));
1698 }
1699
1700 int
1701 __mac_set_link(proc_t p, struct __mac_set_link_args *uap,
1702 int *ret __unused)
1703 {
1704
1705 return (mac_set_filelink(p, uap->mac_p, uap->path_p, 0));
1706 }
1707
1708 /*
1709 * __mac_syscall: Perform a MAC policy system call
1710 *
1711 * Parameters: p Process calling this routine
1712 * uap User argument descriptor (see below)
1713 * retv (Unused)
1714 *
1715 * Indirect: uap->policy Name of target MAC policy
1716 * uap->call MAC policy-specific system call to perform
1717 * uap->arg MAC policy-specific system call arguments
1718 *
1719 * Returns: 0 Success
1720 * !0 Not success
1721 *
1722 */
1723 int
1724 __mac_syscall(proc_t p, struct __mac_syscall_args *uap, int *retv __unused)
1725 {
1726 struct mac_policy_conf *mpc;
1727 char target[MAC_MAX_POLICY_NAME];
1728 int error;
1729 u_int i;
1730 size_t ulen;
1731
1732 error = copyinstr(uap->policy, target, sizeof(target), &ulen);
1733 if (error)
1734 return (error);
1735 AUDIT_ARG(value32, uap->call);
1736 AUDIT_ARG(mac_string, target);
1737
1738 error = ENOPOLICY;
1739
1740 for (i = 0; i < mac_policy_list.staticmax; i++) {
1741 mpc = mac_policy_list.entries[i].mpc;
1742 if (mpc == NULL)
1743 continue;
1744
1745 if (strcmp(mpc->mpc_name, target) == 0 &&
1746 mpc->mpc_ops->mpo_policy_syscall != NULL) {
1747 error = mpc->mpc_ops->mpo_policy_syscall(p,
1748 uap->call, uap->arg);
1749 goto done;
1750 }
1751 }
1752 if (mac_policy_list_conditional_busy() != 0) {
1753 for (; i <= mac_policy_list.maxindex; i++) {
1754 mpc = mac_policy_list.entries[i].mpc;
1755 if (mpc == NULL)
1756 continue;
1757
1758 if (strcmp(mpc->mpc_name, target) == 0 &&
1759 mpc->mpc_ops->mpo_policy_syscall != NULL) {
1760 error = mpc->mpc_ops->mpo_policy_syscall(p,
1761 uap->call, uap->arg);
1762 break;
1763 }
1764 }
1765 mac_policy_list_unbusy();
1766 }
1767
1768 done:
1769 return (error);
1770 }
1771
1772 int
1773 mac_mount_label_get(struct mount *mp, user_addr_t mac_p)
1774 {
1775 char *elements, *buffer;
1776 struct label *label;
1777 struct user_mac mac;
1778 int error;
1779 size_t ulen;
1780
1781 if (IS_64BIT_PROCESS(current_proc())) {
1782 struct user64_mac mac64;
1783 error = copyin(mac_p, &mac64, sizeof(mac64));
1784 mac.m_buflen = mac64.m_buflen;
1785 mac.m_string = mac64.m_string;
1786 } else {
1787 struct user32_mac mac32;
1788 error = copyin(mac_p, &mac32, sizeof(mac32));
1789 mac.m_buflen = mac32.m_buflen;
1790 mac.m_string = mac32.m_string;
1791 }
1792 if (error)
1793 return (error);
1794
1795 error = mac_check_structmac_consistent(&mac);
1796 if (error)
1797 return (error);
1798
1799 MALLOC(elements, char *, mac.m_buflen, M_MACTEMP, M_WAITOK);
1800 error = copyinstr(mac.m_string, elements, mac.m_buflen, &ulen);
1801 if (error) {
1802 FREE(elements, M_MACTEMP);
1803 return (error);
1804 }
1805 AUDIT_ARG(mac_string, elements);
1806
1807 label = mp->mnt_mntlabel;
1808 MALLOC(buffer, char *, mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
1809 error = mac_mount_label_externalize(label, elements, buffer,
1810 mac.m_buflen);
1811 FREE(elements, M_MACTEMP);
1812
1813 if (error == 0)
1814 error = copyout(buffer, mac.m_string, strlen(buffer) + 1);
1815 FREE(buffer, M_MACTEMP);
1816
1817 return (error);
1818 }
1819
1820 /*
1821 * __mac_get_mount: Get mount point label information for a given pathname
1822 *
1823 * Parameters: p (ignored)
1824 * uap User argument descriptor (see below)
1825 * ret (ignored)
1826 *
1827 * Indirect: uap->path Pathname
1828 * uap->mac_p MAC info
1829 *
1830 * Returns: 0 Success
1831 * !0 Not success
1832 */
1833 int
1834 __mac_get_mount(proc_t p __unused, struct __mac_get_mount_args *uap,
1835 int *ret __unused)
1836 {
1837 struct nameidata nd;
1838 struct vfs_context *ctx = vfs_context_current();
1839 struct mount *mp;
1840 int error;
1841
1842 NDINIT(&nd, LOOKUP, OP_LOOKUP, FOLLOW | AUDITVNPATH1,
1843 UIO_USERSPACE, uap->path, ctx);
1844 error = namei(&nd);
1845 if (error) {
1846 return (error);
1847 }
1848 mp = nd.ni_vp->v_mount;
1849 vnode_put(nd.ni_vp);
1850 nameidone(&nd);
1851
1852 return mac_mount_label_get(mp, uap->mac_p);
1853 }
1854
1855 /*
1856 * mac_schedule_userret()
1857 *
1858 * Schedule a callback to the mpo_thread_userret hook. The mpo_thread_userret
1859 * hook is called just before the thread exit from the kernel in ast_taken().
1860 *
1861 * Returns: 0 Success
1862 * !0 Not successful
1863 */
1864 int
1865 mac_schedule_userret(void)
1866 {
1867
1868 act_set_astmacf(current_thread());
1869 return (0);
1870 }
1871
1872 /*
1873 * mac_do_machexc()
1874 *
1875 * Do a Mach exception. This should only be done in the mpo_thread_userret
1876 * callback.
1877 *
1878 * params: code exception code
1879 * subcode exception subcode
1880 * flags flags:
1881 * MAC_DOEXCF_TRACED Only do exception if being
1882 * ptrace()'ed.
1883 *
1884 *
1885 * Returns: 0 Success
1886 * !0 Not successful
1887 */
1888 int
1889 mac_do_machexc(int64_t code, int64_t subcode, uint32_t flags)
1890 {
1891 mach_exception_data_type_t codes[EXCEPTION_CODE_MAX];
1892 proc_t p = current_proc();
1893
1894 /* Only allow execption codes in MACF's reserved range. */
1895 if ((code < EXC_MACF_MIN) || (code > EXC_MACF_MAX))
1896 return (1);
1897
1898 if (flags & MAC_DOEXCF_TRACED &&
1899 !(p->p_lflag & P_LTRACED && (p->p_lflag & P_LPPWAIT) == 0))
1900 return (0);
1901
1902
1903 /* Send the Mach exception */
1904 codes[0] = (mach_exception_data_type_t)code;
1905 codes[1] = (mach_exception_data_type_t)subcode;
1906
1907 return (bsd_exception(EXC_SOFTWARE, codes, 2) != KERN_SUCCESS);
1908 }
1909
1910 #else /* MAC */
1911
1912 void (*load_security_extensions_function)(void) = 0;
1913
1914 struct sysctl_oid_list sysctl__security_mac_children;
1915
1916 int
1917 mac_policy_register(struct mac_policy_conf *mpc __unused,
1918 mac_policy_handle_t *handlep __unused, void *xd __unused)
1919 {
1920
1921 return (0);
1922 }
1923
1924 int
1925 mac_policy_unregister(mac_policy_handle_t handle __unused)
1926 {
1927
1928 return (0);
1929 }
1930
1931 int
1932 mac_audit_text(char *text __unused, mac_policy_handle_t handle __unused)
1933 {
1934
1935 return (0);
1936 }
1937
1938 int
1939 mac_vnop_setxattr(struct vnode *vp __unused, const char *name __unused, char *buf __unused, size_t len __unused)
1940 {
1941
1942 return (ENOENT);
1943 }
1944
1945 int
1946 mac_vnop_getxattr(struct vnode *vp __unused, const char *name __unused,
1947 char *buf __unused, size_t len __unused, size_t *attrlen __unused)
1948 {
1949
1950 return (ENOENT);
1951 }
1952
1953 int
1954 mac_vnop_removexattr(struct vnode *vp __unused, const char *name __unused)
1955 {
1956
1957 return (ENOENT);
1958 }
1959
1960 intptr_t mac_label_get(struct label *l __unused, int slot __unused)
1961 {
1962 return 0;
1963 }
1964
1965 void mac_label_set(struct label *l __unused, int slot __unused, intptr_t v __unused)
1966 {
1967 return;
1968 }
1969
1970 void mac_proc_set_enforce(proc_t p, int enforce_flags);
1971 void mac_proc_set_enforce(proc_t p __unused, int enforce_flags __unused)
1972 {
1973 return;
1974 }
1975
1976 int mac_iokit_check_hid_control(kauth_cred_t cred __unused);
1977 int mac_iokit_check_hid_control(kauth_cred_t cred __unused)
1978 {
1979 return 0;
1980 }
1981
1982 #endif /* !MAC */
mirror of XNU