]> git.saurik.com Git - apple/xnu.git/blob - security/mac_vfs.c
projects / apple / xnu.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
xnu-4903.241.1.tar.gz
[apple/xnu.git] / security / mac_vfs.c
1 /*
2 * Copyright (c) 2007-2016 Apple Inc. All rights reserved.
3 *
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
14 *
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 *
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
25 *
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 */
28 /*-
29 * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson
30 * Copyright (c) 2001 Ilmar S. Habibulin
31 * Copyright (c) 2001, 2002, 2003, 2004 Networks Associates Technology, Inc.
32 * Copyright (c) 2005 SPARTA, Inc.
33 *
34 * This software was developed by Robert Watson and Ilmar Habibulin for the
35 * TrustedBSD Project.
36 *
37 * This software was developed for the FreeBSD Project in part by Network
38 * Associates Laboratories, the Security Research Division of Network
39 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
40 * as part of the DARPA CHATS research program.
41 *
42 * Redistribution and use in source and binary forms, with or without
43 * modification, are permitted provided that the following conditions
44 * are met:
45 * 1. Redistributions of source code must retain the above copyright
46 * notice, this list of conditions and the following disclaimer.
47 * 2. Redistributions in binary form must reproduce the above copyright
48 * notice, this list of conditions and the following disclaimer in the
49 * documentation and/or other materials provided with the distribution.
50 *
51 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
52 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
53 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
54 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
55 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
56 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
57 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
58 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
59 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
60 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
61 * SUCH DAMAGE.
62 *
63 */
64
65 #include <kern/kalloc.h>
66
67 #include <sys/param.h>
68 #include <sys/systm.h>
69 #include <sys/kernel.h>
70 #include <sys/proc.h>
71 #include <sys/kauth.h>
72
73 #include <sys/file_internal.h>
74 #include <sys/imgact.h>
75 #include <sys/namei.h>
76 #include <sys/mount_internal.h>
77 #include <sys/pipe.h>
78 #include <sys/posix_sem.h>
79 #include <sys/posix_shm.h>
80 #include <sys/reason.h>
81 #include <sys/uio_internal.h>
82 #include <sys/vnode_internal.h>
83
84 #include <miscfs/devfs/devfsdefs.h>
85 #include <miscfs/devfs/fdesc.h>
86
87 #include <security/mac_internal.h>
88
89 /* convert {R,W,X}_OK values to V{READ,WRITE,EXEC} */
90 #define ACCESS_MODE_TO_VNODE_MASK(m) (m << 6)
91
92 static struct label *
93 mac_devfsdirent_label_alloc(void)
94 {
95 struct label *label;
96
97 label = mac_labelzone_alloc(MAC_WAITOK);
98 if (label == NULL)
99 return (NULL);
100 MAC_PERFORM(devfs_label_init, label);
101 return (label);
102 }
103
104 void
105 mac_devfs_label_init(struct devnode *de)
106 {
107
108 de->dn_label = mac_devfsdirent_label_alloc();
109 }
110
111 static struct label *
112 mac_mount_label_alloc(void)
113 {
114 struct label *label;
115
116 label = mac_labelzone_alloc(MAC_WAITOK);
117 if (label == NULL)
118 return (NULL);
119 MAC_PERFORM(mount_label_init, label);
120 return (label);
121 }
122
123 void
124 mac_mount_label_init(struct mount *mp)
125 {
126
127 mp->mnt_mntlabel = mac_mount_label_alloc();
128 }
129
130 struct label *
131 mac_vnode_label_alloc(void)
132 {
133 struct label *label;
134
135 label = mac_labelzone_alloc(MAC_WAITOK);
136 if (label == NULL)
137 return (NULL);
138 MAC_PERFORM(vnode_label_init, label);
139 return (label);
140 }
141
142 void
143 mac_vnode_label_init(vnode_t vp)
144 {
145 vp->v_label = mac_vnode_label_alloc();
146 }
147
148 int
149 mac_vnode_label_init_needed(vnode_t vp)
150 {
151 return (mac_label_vnodes != 0 && vp->v_label == NULL);
152 }
153
154 /*
155 * vnode labels are allocated at the same time as vnodes, but vnodes are never
156 * freed. Instead, we want to remove any sensitive information before putting
157 * them on the free list for reuse.
158 */
159 void
160 mac_vnode_label_recycle(vnode_t vp)
161 {
162
163 MAC_PERFORM(vnode_label_recycle, vp->v_label);
164 }
165
166 static void
167 mac_devfs_label_free(struct label *label)
168 {
169 MAC_PERFORM(devfs_label_destroy, label);
170 mac_labelzone_free(label);
171 }
172
173 void
174 mac_devfs_label_destroy(struct devnode *de)
175 {
176 if (de->dn_label != NULL) {
177 mac_devfs_label_free(de->dn_label);
178 de->dn_label = NULL;
179 }
180 }
181
182 static void
183 mac_mount_label_free(struct label *label)
184 {
185
186 MAC_PERFORM(mount_label_destroy, label);
187 mac_labelzone_free(label);
188 }
189
190 void
191 mac_mount_label_destroy(struct mount *mp)
192 {
193 if (mp->mnt_mntlabel != NULL) {
194 mac_mount_label_free(mp->mnt_mntlabel);
195 mp->mnt_mntlabel = NULL;
196 }
197 }
198
199 void
200 mac_vnode_label_free(struct label *label)
201 {
202 MAC_PERFORM(vnode_label_destroy, label);
203 mac_labelzone_free(label);
204 }
205
206 #ifndef __APPLE__
207 void
208 mac_vnode_label_destroy(struct vnode *vp)
209 {
210 if (vp->v_label != NULL) {
211 mac_vnode_label_free(vp->v_label);
212 vp->v_label = NULL;
213 }
214 }
215 #endif
216
217 void
218 mac_vnode_label_copy(struct label *src, struct label *dest)
219 {
220 if (src == NULL) {
221 MAC_PERFORM(vnode_label_init, dest);
222 } else {
223 MAC_PERFORM(vnode_label_copy, src, dest);
224 }
225 }
226
227 int
228 mac_vnode_label_externalize_audit(struct vnode *vp, struct mac *mac)
229 {
230 int error;
231
232 /* It is assumed that any necessary vnode locking is done on entry */
233 error = MAC_EXTERNALIZE_AUDIT(vnode, vp->v_label,
234 mac->m_string, mac->m_buflen);
235
236 return (error);
237 }
238
239 int
240 mac_vnode_label_externalize(struct label *label, char *elements,
241 char *outbuf, size_t outbuflen, int flags __unused)
242 {
243 int error;
244
245 error = MAC_EXTERNALIZE(vnode, label, elements, outbuf, outbuflen);
246
247 return (error);
248 }
249
250 int
251 mac_vnode_label_internalize(struct label *label, char *string)
252 {
253 int error;
254
255 error = MAC_INTERNALIZE(vnode, label, string);
256
257 return (error);
258 }
259
260 int
261 mac_mount_label_internalize(struct label *label, char *string)
262 {
263 int error;
264
265 error = MAC_INTERNALIZE(mount, label, string);
266
267 return (error);
268 }
269
270 int
271 mac_mount_label_externalize(struct label *label, char *elements,
272 char *outbuf, size_t outbuflen)
273 {
274 int error;
275
276 error = MAC_EXTERNALIZE(mount, label, elements, outbuf, outbuflen);
277
278 return (error);
279 }
280
281 void
282 mac_devfs_label_copy(struct label *src, struct label *dest)
283 {
284 #if SECURITY_MAC_CHECK_ENFORCE
285 /* 21167099 - only check if we allow write */
286 if (!mac_device_enforce)
287 return;
288 #endif
289
290 MAC_PERFORM(devfs_label_copy, src, dest);
291 }
292
293 void
294 mac_devfs_label_update(struct mount *mp, struct devnode *de,
295 struct vnode *vp)
296 {
297 #if SECURITY_MAC_CHECK_ENFORCE
298 /* 21167099 - only check if we allow write */
299 if (!mac_device_enforce)
300 return;
301 #endif
302
303 MAC_PERFORM(devfs_label_update, mp, de, de->dn_label, vp,
304 vp->v_label);
305 }
306
307 int
308 mac_vnode_label_associate(struct mount *mp, struct vnode *vp, vfs_context_t ctx)
309 {
310 struct devnode *dnp;
311 struct fdescnode *fnp;
312 int error = 0;
313
314 #if SECURITY_MAC_CHECK_ENFORCE
315 /* 21167099 - only check if we allow write */
316 if (!mac_vnode_enforce)
317 return (error);
318 #endif
319
320 /* XXX: should not inspect v_tag in kernel! */
321 switch (vp->v_tag) {
322 case VT_DEVFS:
323 dnp = VTODN(vp);
324 mac_vnode_label_associate_devfs(mp, dnp, vp);
325 break;
326 case VT_FDESC:
327 fnp = VTOFDESC(vp);
328 error = mac_vnode_label_associate_fdesc(mp, fnp, vp, ctx);
329 break;
330 default:
331 error = mac_vnode_label_associate_extattr(mp, vp);
332 break;
333 }
334
335 return (error);
336 }
337
338 void
339 mac_vnode_label_associate_devfs(struct mount *mp, struct devnode *de,
340 struct vnode *vp)
341 {
342 #if SECURITY_MAC_CHECK_ENFORCE
343 /* 21167099 - only check if we allow write */
344 if (!mac_device_enforce)
345 return;
346 #endif
347
348 MAC_PERFORM(vnode_label_associate_devfs,
349 mp, mp ? mp->mnt_mntlabel : NULL,
350 de, de->dn_label,
351 vp, vp->v_label);
352 }
353
354 int
355 mac_vnode_label_associate_extattr(struct mount *mp, struct vnode *vp)
356 {
357 int error;
358
359 MAC_CHECK(vnode_label_associate_extattr, mp, mp->mnt_mntlabel, vp,
360 vp->v_label);
361
362 return (error);
363 }
364
365 void
366 mac_vnode_label_associate_singlelabel(struct mount *mp, struct vnode *vp)
367 {
368 #if SECURITY_MAC_CHECK_ENFORCE
369 /* 21167099 - only check if we allow write */
370 if (!mac_vnode_enforce)
371 return;
372 #endif
373 if (!mac_label_vnodes)
374 return;
375
376 MAC_PERFORM(vnode_label_associate_singlelabel, mp,
377 mp ? mp->mnt_mntlabel : NULL, vp, vp->v_label);
378 }
379
380 int
381 mac_vnode_notify_create(vfs_context_t ctx, struct mount *mp,
382 struct vnode *dvp, struct vnode *vp, struct componentname *cnp)
383 {
384 kauth_cred_t cred;
385 int error;
386
387 #if SECURITY_MAC_CHECK_ENFORCE
388 /* 21167099 - only check if we allow write */
389 if (!mac_vnode_enforce)
390 return (0);
391 #endif
392 cred = vfs_context_ucred(ctx);
393 if (!mac_cred_check_enforce(cred))
394 return (0);
395 MAC_CHECK(vnode_notify_create, cred, mp, mp->mnt_mntlabel,
396 dvp, dvp->v_label, vp, vp->v_label, cnp);
397
398 return (error);
399 }
400
401 void
402 mac_vnode_notify_rename(vfs_context_t ctx, struct vnode *vp,
403 struct vnode *dvp, struct componentname *cnp)
404 {
405 kauth_cred_t cred;
406
407 #if SECURITY_MAC_CHECK_ENFORCE
408 /* 21167099 - only check if we allow write */
409 if (!mac_vnode_enforce)
410 return;
411 #endif
412 cred = vfs_context_ucred(ctx);
413 if (!mac_cred_check_enforce(cred))
414 return;
415 MAC_PERFORM(vnode_notify_rename, cred, vp, vp->v_label,
416 dvp, dvp->v_label, cnp);
417 }
418
419 void
420 mac_vnode_notify_open(vfs_context_t ctx, struct vnode *vp, int acc_flags)
421 {
422 kauth_cred_t cred;
423
424 #if SECURITY_MAC_CHECK_ENFORCE
425 /* 21167099 - only check if we allow write */
426 if (!mac_vnode_enforce)
427 return;
428 #endif
429 cred = vfs_context_ucred(ctx);
430 if (!mac_cred_check_enforce(cred))
431 return;
432 MAC_PERFORM(vnode_notify_open, cred, vp, vp->v_label, acc_flags);
433 }
434
435 void
436 mac_vnode_notify_link(vfs_context_t ctx, struct vnode *vp,
437 struct vnode *dvp, struct componentname *cnp)
438 {
439 kauth_cred_t cred;
440
441 #if SECURITY_MAC_CHECK_ENFORCE
442 /* 21167099 - only check if we allow write */
443 if (!mac_vnode_enforce)
444 return;
445 #endif
446 cred = vfs_context_ucred(ctx);
447 if (!mac_cred_check_enforce(cred))
448 return;
449 MAC_PERFORM(vnode_notify_link, cred, dvp, dvp->v_label, vp, vp->v_label, cnp);
450 }
451
452 void
453 mac_vnode_notify_deleteextattr(vfs_context_t ctx, struct vnode *vp, const char *name)
454 {
455 kauth_cred_t cred;
456
457 #if SECURITY_MAC_CHECK_ENFORCE
458 /* 21167099 - only check if we allow write */
459 if (!mac_vnode_enforce)
460 return;
461 #endif
462 cred = vfs_context_ucred(ctx);
463 if (!mac_cred_check_enforce(cred))
464 return;
465 MAC_PERFORM(vnode_notify_deleteextattr, cred, vp, vp->v_label, name);
466 }
467
468 void
469 mac_vnode_notify_setacl(vfs_context_t ctx, struct vnode *vp, struct kauth_acl *acl)
470 {
471 kauth_cred_t cred;
472
473 #if SECURITY_MAC_CHECK_ENFORCE
474 /* 21167099 - only check if we allow write */
475 if (!mac_vnode_enforce)
476 return;
477 #endif
478 cred = vfs_context_ucred(ctx);
479 if (!mac_cred_check_enforce(cred))
480 return;
481 MAC_PERFORM(vnode_notify_setacl, cred, vp, vp->v_label, acl);
482 }
483
484 void
485 mac_vnode_notify_setattrlist(vfs_context_t ctx, struct vnode *vp, struct attrlist *alist)
486 {
487 kauth_cred_t cred;
488
489 #if SECURITY_MAC_CHECK_ENFORCE
490 /* 21167099 - only check if we allow write */
491 if (!mac_vnode_enforce)
492 return;
493 #endif
494 cred = vfs_context_ucred(ctx);
495 if (!mac_cred_check_enforce(cred))
496 return;
497 MAC_PERFORM(vnode_notify_setattrlist, cred, vp, vp->v_label, alist);
498 }
499
500 void
501 mac_vnode_notify_setextattr(vfs_context_t ctx, struct vnode *vp, const char *name, struct uio *uio)
502 {
503 kauth_cred_t cred;
504
505 #if SECURITY_MAC_CHECK_ENFORCE
506 /* 21167099 - only check if we allow write */
507 if (!mac_vnode_enforce)
508 return;
509 #endif
510 cred = vfs_context_ucred(ctx);
511 if (!mac_cred_check_enforce(cred))
512 return;
513 MAC_PERFORM(vnode_notify_setextattr, cred, vp, vp->v_label, name, uio);
514 }
515
516 void
517 mac_vnode_notify_setflags(vfs_context_t ctx, struct vnode *vp, u_long flags)
518 {
519 kauth_cred_t cred;
520
521 #if SECURITY_MAC_CHECK_ENFORCE
522 /* 21167099 - only check if we allow write */
523 if (!mac_vnode_enforce)
524 return;
525 #endif
526 cred = vfs_context_ucred(ctx);
527 if (!mac_cred_check_enforce(cred))
528 return;
529 MAC_PERFORM(vnode_notify_setflags, cred, vp, vp->v_label, flags);
530 }
531
532 void
533 mac_vnode_notify_setmode(vfs_context_t ctx, struct vnode *vp, mode_t mode)
534 {
535 kauth_cred_t cred;
536
537 #if SECURITY_MAC_CHECK_ENFORCE
538 /* 21167099 - only check if we allow write */
539 if (!mac_vnode_enforce)
540 return;
541 #endif
542 cred = vfs_context_ucred(ctx);
543 if (!mac_cred_check_enforce(cred))
544 return;
545 MAC_PERFORM(vnode_notify_setmode, cred, vp, vp->v_label, mode);
546 }
547
548 void
549 mac_vnode_notify_setowner(vfs_context_t ctx, struct vnode *vp, uid_t uid, gid_t gid)
550 {
551 kauth_cred_t cred;
552
553 #if SECURITY_MAC_CHECK_ENFORCE
554 /* 21167099 - only check if we allow write */
555 if (!mac_vnode_enforce)
556 return;
557 #endif
558 cred = vfs_context_ucred(ctx);
559 if (!mac_cred_check_enforce(cred))
560 return;
561 MAC_PERFORM(vnode_notify_setowner, cred, vp, vp->v_label, uid, gid);
562 }
563
564 void
565 mac_vnode_notify_setutimes(vfs_context_t ctx, struct vnode *vp, struct timespec atime, struct timespec mtime)
566 {
567 kauth_cred_t cred;
568
569 #if SECURITY_MAC_CHECK_ENFORCE
570 /* 21167099 - only check if we allow write */
571 if (!mac_vnode_enforce)
572 return;
573 #endif
574 cred = vfs_context_ucred(ctx);
575 if (!mac_cred_check_enforce(cred))
576 return;
577 MAC_PERFORM(vnode_notify_setutimes, cred, vp, vp->v_label, atime, mtime);
578 }
579
580 void
581 mac_vnode_notify_truncate(vfs_context_t ctx, kauth_cred_t file_cred, struct vnode *vp)
582 {
583 kauth_cred_t cred;
584
585 #if SECURITY_MAC_CHECK_ENFORCE
586 /* 21167099 - only check if we allow write */
587 if (!mac_vnode_enforce)
588 return;
589 #endif
590 cred = vfs_context_ucred(ctx);
591 if (!mac_cred_check_enforce(cred))
592 return;
593 MAC_PERFORM(vnode_notify_truncate, cred, file_cred, vp, vp->v_label);
594 }
595
596 /*
597 * Extended attribute 'name' was updated via
598 * vn_setxattr() or vn_removexattr(). Allow the
599 * policy to update the vnode label.
600 */
601 void
602 mac_vnode_label_update_extattr(struct mount *mp, struct vnode *vp,
603 const char *name)
604 {
605 int error = 0;
606
607 #if SECURITY_MAC_CHECK_ENFORCE
608 /* 21167099 - only check if we allow write */
609 if (!mac_vnode_enforce)
610 return;
611 #endif
612 if (!mac_label_vnodes)
613 return;
614
615 MAC_PERFORM(vnode_label_update_extattr, mp, mp->mnt_mntlabel, vp,
616 vp->v_label, name);
617 if (error == 0)
618 return;
619
620 vnode_lock(vp);
621 vnode_relabel(vp);
622 vnode_unlock(vp);
623 return;
624 }
625
626 static int
627 mac_vnode_label_store(vfs_context_t ctx, struct vnode *vp,
628 struct label *intlabel)
629 {
630 kauth_cred_t cred;
631 int error;
632
633 #if SECURITY_MAC_CHECK_ENFORCE
634 /* 21167099 - only check if we allow write */
635 if (!mac_vnode_enforce)
636 return 0;
637 #endif
638 if (!mac_label_vnodes)
639 return 0;
640
641 cred = vfs_context_ucred(ctx);
642 if (!mac_cred_check_enforce(cred))
643 return (0);
644 MAC_CHECK(vnode_label_store, cred, vp, vp->v_label, intlabel);
645
646 return (error);
647 }
648
649 void
650 mac_cred_label_update_execve(vfs_context_t ctx, kauth_cred_t new, struct vnode *vp, off_t offset,
651 struct vnode *scriptvp, struct label *scriptvnodelabel, struct label *execl, u_int *csflags,
652 void *macextensions, int *disjoint, int *labelupdateerror)
653 {
654 kauth_cred_t cred;
655 *disjoint = 0;
656 int error;
657 posix_cred_t pcred = posix_cred_get(new);
658
659 #if SECURITY_MAC_CHECK_ENFORCE
660 /* 21167099 - only check if we allow write */
661 if (!mac_proc_enforce || !mac_vnode_enforce)
662 return;
663 #endif
664
665 /* mark the new cred to indicate "matching" includes the label */
666 pcred->cr_flags |= CRF_MAC_ENFORCE;
667
668 cred = vfs_context_ucred(ctx);
669
670 /*
671 * NB: Cannot use MAC_CHECK macro because we need a sequence point after
672 * calling exec_spawnattr_getmacpolicyinfo() and before passing the
673 * spawnattrlen as an argument to the hook.
674 */
675 {
676 struct mac_policy_conf *mpc;
677 u_int i;
678
679 error = 0;
680 for (i = 0; i< mac_policy_list.staticmax; i++) {
681 mpc = mac_policy_list.entries[i].mpc;
682 if (mpc == NULL)
683 continue;
684
685 mpo_cred_label_update_execve_t *hook = mpc->mpc_ops->mpo_cred_label_update_execve;
686 if (hook == NULL)
687 continue;
688
689 size_t spawnattrlen = 0;
690 void *spawnattr = exec_spawnattr_getmacpolicyinfo(macextensions, mpc->mpc_name, &spawnattrlen);
691
692 error = mac_error_select(hook(cred, new, vfs_context_proc(ctx), vp, offset, scriptvp,
693 vp->v_label, scriptvnodelabel, execl, csflags, spawnattr, spawnattrlen, disjoint),
694 error);
695 }
696 if (mac_policy_list_conditional_busy() != 0) {
697 for (; i <= mac_policy_list.maxindex; i++) {
698 mpc = mac_policy_list.entries[i].mpc;
699 if (mpc == NULL)
700 continue;
701
702 mpo_cred_label_update_execve_t *hook = mpc->mpc_ops->mpo_cred_label_update_execve;
703 if (hook == NULL)
704 continue;
705
706 size_t spawnattrlen = 0;
707 void *spawnattr = exec_spawnattr_getmacpolicyinfo(macextensions, mpc->mpc_name, &spawnattrlen);
708
709 error = mac_error_select(hook(cred, new, vfs_context_proc(ctx), vp, offset, scriptvp,
710 vp->v_label, scriptvnodelabel, execl, csflags, spawnattr, spawnattrlen, disjoint),
711 error);
712 }
713 mac_policy_list_unbusy();
714 }
715 }
716 *labelupdateerror = error;
717 }
718
719 int
720 mac_cred_check_label_update_execve(vfs_context_t ctx, struct vnode *vp, off_t offset,
721 struct vnode *scriptvp, struct label *scriptvnodelabel, struct label *execlabel,
722 struct proc *p, void *macextensions)
723 {
724 kauth_cred_t cred;
725 int result = 0;
726
727 #if SECURITY_MAC_CHECK_ENFORCE
728 /* 21167099 - only check if we allow write */
729 if (!mac_proc_enforce || !mac_vnode_enforce)
730 return result;
731 #endif
732
733 cred = vfs_context_ucred(ctx);
734
735 /*
736 * NB: Cannot use MAC_BOOLEAN macro because we need a sequence point after
737 * calling exec_spawnattr_getmacpolicyinfo() and before passing the
738 * spawnattrlen as an argument to the hook.
739 */
740 {
741 struct mac_policy_conf *mpc;
742 u_int i;
743
744 for (i = 0; i< mac_policy_list.staticmax; i++) {
745 mpc = mac_policy_list.entries[i].mpc;
746 if (mpc == NULL)
747 continue;
748
749 mpo_cred_check_label_update_execve_t *hook = mpc->mpc_ops->mpo_cred_check_label_update_execve;
750 if (hook == NULL)
751 continue;
752
753 size_t spawnattrlen = 0;
754 void *spawnattr = exec_spawnattr_getmacpolicyinfo(macextensions, mpc->mpc_name, &spawnattrlen);
755
756 result = result || hook(cred, vp, offset, scriptvp, vp->v_label, scriptvnodelabel, execlabel, p, spawnattr, spawnattrlen);
757 }
758 if (mac_policy_list_conditional_busy() != 0) {
759 for (; i <= mac_policy_list.maxindex; i++) {
760 mpc = mac_policy_list.entries[i].mpc;
761 if (mpc == NULL)
762 continue;
763
764 mpo_cred_check_label_update_execve_t *hook = mpc->mpc_ops->mpo_cred_check_label_update_execve;
765 if (hook == NULL)
766 continue;
767
768 size_t spawnattrlen = 0;
769 void *spawnattr = exec_spawnattr_getmacpolicyinfo(macextensions, mpc->mpc_name, &spawnattrlen);
770
771 result = result || hook(cred, vp, offset, scriptvp, vp->v_label, scriptvnodelabel, execlabel, p, spawnattr, spawnattrlen);
772 }
773 mac_policy_list_unbusy();
774 }
775 }
776
777 return (result);
778 }
779
780 int
781 mac_vnode_check_access(vfs_context_t ctx, struct vnode *vp,
782 int acc_mode)
783 {
784 kauth_cred_t cred;
785 int error;
786 int mask;
787
788 #if SECURITY_MAC_CHECK_ENFORCE
789 /* 21167099 - only check if we allow write */
790 if (!mac_vnode_enforce)
791 return 0;
792 #endif
793 cred = vfs_context_ucred(ctx);
794 if (!mac_cred_check_enforce(cred))
795 return (0);
796 /* Convert {R,W,X}_OK values to V{READ,WRITE,EXEC} for entry points */
797 mask = ACCESS_MODE_TO_VNODE_MASK(acc_mode);
798 MAC_CHECK(vnode_check_access, cred, vp, vp->v_label, mask);
799 return (error);
800 }
801
802 int
803 mac_vnode_check_chdir(vfs_context_t ctx, struct vnode *dvp)
804 {
805 kauth_cred_t cred;
806 int error;
807
808 #if SECURITY_MAC_CHECK_ENFORCE
809 /* 21167099 - only check if we allow write */
810 if (!mac_vnode_enforce)
811 return 0;
812 #endif
813 cred = vfs_context_ucred(ctx);
814 if (!mac_cred_check_enforce(cred))
815 return (0);
816 MAC_CHECK(vnode_check_chdir, cred, dvp, dvp->v_label);
817 return (error);
818 }
819
820 int
821 mac_vnode_check_chroot(vfs_context_t ctx, struct vnode *dvp,
822 struct componentname *cnp)
823 {
824 kauth_cred_t cred;
825 int error;
826
827 #if SECURITY_MAC_CHECK_ENFORCE
828 /* 21167099 - only check if we allow write */
829 if (!mac_vnode_enforce)
830 return 0;
831 #endif
832 cred = vfs_context_ucred(ctx);
833 if (!mac_cred_check_enforce(cred))
834 return (0);
835 MAC_CHECK(vnode_check_chroot, cred, dvp, dvp->v_label, cnp);
836 return (error);
837 }
838
839 int
840 mac_vnode_check_clone(vfs_context_t ctx, struct vnode *dvp,
841 struct vnode *vp, struct componentname *cnp)
842 {
843 kauth_cred_t cred;
844 int error;
845
846 #if SECURITY_MAC_CHECK_ENFORCE
847 /* 21167099 - only check if we allow write */
848 if (!mac_vnode_enforce)
849 return 0;
850 #endif
851 cred = vfs_context_ucred(ctx);
852 if (!mac_cred_check_enforce(cred))
853 return (0);
854 MAC_CHECK(vnode_check_clone, cred, dvp, dvp->v_label, vp,
855 vp->v_label, cnp);
856 return (error);
857 }
858 int
859 mac_vnode_check_create(vfs_context_t ctx, struct vnode *dvp,
860 struct componentname *cnp, struct vnode_attr *vap)
861 {
862 kauth_cred_t cred;
863 int error;
864
865 #if SECURITY_MAC_CHECK_ENFORCE
866 /* 21167099 - only check if we allow write */
867 if (!mac_vnode_enforce)
868 return 0;
869 #endif
870 cred = vfs_context_ucred(ctx);
871 if (!mac_cred_check_enforce(cred))
872 return (0);
873 MAC_CHECK(vnode_check_create, cred, dvp, dvp->v_label, cnp, vap);
874 return (error);
875 }
876
877 int
878 mac_vnode_check_unlink(vfs_context_t ctx, struct vnode *dvp, struct vnode *vp,
879 struct componentname *cnp)
880 {
881 kauth_cred_t cred;
882 int error;
883
884 #if SECURITY_MAC_CHECK_ENFORCE
885 /* 21167099 - only check if we allow write */
886 if (!mac_vnode_enforce)
887 return 0;
888 #endif
889 cred = vfs_context_ucred(ctx);
890 if (!mac_cred_check_enforce(cred))
891 return (0);
892 MAC_CHECK(vnode_check_unlink, cred, dvp, dvp->v_label, vp,
893 vp->v_label, cnp);
894 return (error);
895 }
896 #if 0
897 int
898 mac_vnode_check_deleteacl(vfs_context_t ctx, struct vnode *vp,
899 acl_type_t type)
900 {
901 kauth_cred_t cred;
902 int error;
903
904 #if SECURITY_MAC_CHECK_ENFORCE
905 /* 21167099 - only check if we allow write */
906 if (!mac_vnode_enforce)
907 return 0;
908 #endif
909 cred = vfs_context_ucred(ctx);
910 if (!mac_cred_check_enforce(cred))
911 return (0);
912 MAC_CHECK(vnode_check_deleteacl, cred, vp, vp->v_label, type);
913 return (error);
914 }
915 #endif
916
917 int
918 mac_vnode_check_deleteextattr(vfs_context_t ctx, struct vnode *vp,
919 const char *name)
920 {
921 kauth_cred_t cred;
922 int error;
923
924 #if SECURITY_MAC_CHECK_ENFORCE
925 /* 21167099 - only check if we allow write */
926 if (!mac_vnode_enforce)
927 return 0;
928 #endif
929 cred = vfs_context_ucred(ctx);
930 if (!mac_cred_check_enforce(cred))
931 return (0);
932 MAC_CHECK(vnode_check_deleteextattr, cred, vp, vp->v_label, name);
933 return (error);
934 }
935 int
936 mac_vnode_check_exchangedata(vfs_context_t ctx,
937 struct vnode *v1, struct vnode *v2)
938 {
939 kauth_cred_t cred;
940 int error;
941
942 #if SECURITY_MAC_CHECK_ENFORCE
943 /* 21167099 - only check if we allow write */
944 if (!mac_vnode_enforce)
945 return 0;
946 #endif
947 cred = vfs_context_ucred(ctx);
948 if (!mac_cred_check_enforce(cred))
949 return (0);
950 MAC_CHECK(vnode_check_exchangedata, cred, v1, v1->v_label,
951 v2, v2->v_label);
952
953 return (error);
954 }
955
956 #if 0
957 int
958 mac_vnode_check_getacl(vfs_context_t ctx, struct vnode *vp, acl_type_t type)
959 {
960 kauth_cred_t cred;
961 int error;
962
963 #if SECURITY_MAC_CHECK_ENFORCE
964 /* 21167099 - only check if we allow write */
965 if (!mac_vnode_enforce)
966 return 0;
967 #endif
968 cred = vfs_context_ucred(ctx);
969 if (!mac_cred_check_enforce(cred))
970 return (0);
971 MAC_CHECK(vnode_check_getacl, cred, vp, vp->v_label, type);
972 return (error);
973 }
974 #endif
975
976 int
977 mac_vnode_check_getattr(vfs_context_t ctx, struct ucred *file_cred,
978 struct vnode *vp, struct vnode_attr *va)
979 {
980 kauth_cred_t cred;
981 int error;
982
983 #if SECURITY_MAC_CHECK_ENFORCE
984 /* 21167099 - only check if we allow write */
985 if (!mac_vnode_enforce)
986 return 0;
987 #endif
988 cred = vfs_context_ucred(ctx);
989 if (!mac_cred_check_enforce(cred))
990 return (0);
991 MAC_CHECK(vnode_check_getattr, cred, file_cred, vp, vp->v_label, va);
992 return (error);
993 }
994
995 int
996 mac_vnode_check_getattrlist(vfs_context_t ctx, struct vnode *vp,
997 struct attrlist *alist)
998 {
999 kauth_cred_t cred;
1000 int error;
1001
1002 #if SECURITY_MAC_CHECK_ENFORCE
1003 /* 21167099 - only check if we allow write */
1004 if (!mac_vnode_enforce)
1005 return 0;
1006 #endif
1007 cred = vfs_context_ucred(ctx);
1008 if (!mac_cred_check_enforce(cred))
1009 return (0);
1010 MAC_CHECK(vnode_check_getattrlist, cred, vp, vp->v_label, alist);
1011
1012 /* Falsify results instead of returning error? */
1013 return (error);
1014 }
1015
1016 int
1017 mac_vnode_check_exec(vfs_context_t ctx, struct vnode *vp,
1018 struct image_params *imgp)
1019 {
1020 kauth_cred_t cred;
1021 int error = 0;
1022
1023 #if SECURITY_MAC_CHECK_ENFORCE
1024 /* 21167099 - only check if we allow write */
1025 if (!mac_proc_enforce || !mac_vnode_enforce)
1026 return 0;
1027 #endif
1028
1029 cred = vfs_context_ucred(ctx);
1030
1031 /*
1032 * NB: Cannot use MAC_CHECK macro because we need a sequence point after
1033 * calling exec_spawnattr_getmacpolicyinfo() and before passing the
1034 * spawnattrlen as an argument to the hook.
1035 */
1036 {
1037 struct mac_policy_conf *mpc;
1038 u_int i;
1039
1040 for (i = 0; i< mac_policy_list.staticmax; i++) {
1041 mpc = mac_policy_list.entries[i].mpc;
1042 if (mpc == NULL)
1043 continue;
1044
1045 mpo_vnode_check_exec_t *hook = mpc->mpc_ops->mpo_vnode_check_exec;
1046 if (hook == NULL)
1047 continue;
1048
1049 size_t spawnattrlen = 0;
1050 void *spawnattr = exec_spawnattr_getmacpolicyinfo(imgp->ip_px_smpx, mpc->mpc_name, &spawnattrlen);
1051
1052 error = mac_error_select(
1053 hook(cred,
1054 vp, imgp->ip_scriptvp, vp->v_label, imgp->ip_scriptlabelp,
1055 imgp->ip_execlabelp, &imgp->ip_ndp->ni_cnd, &imgp->ip_csflags,
1056 spawnattr, spawnattrlen), error);
1057 }
1058 if (mac_policy_list_conditional_busy() != 0) {
1059 for (; i <= mac_policy_list.maxindex; i++) {
1060 mpc = mac_policy_list.entries[i].mpc;
1061 if (mpc == NULL)
1062 continue;
1063
1064 mpo_vnode_check_exec_t *hook = mpc->mpc_ops->mpo_vnode_check_exec;
1065 if (hook == NULL)
1066 continue;
1067
1068 size_t spawnattrlen = 0;
1069 void *spawnattr = exec_spawnattr_getmacpolicyinfo(imgp->ip_px_smpx, mpc->mpc_name, &spawnattrlen);
1070
1071 error = mac_error_select(
1072 hook(cred,
1073 vp, imgp->ip_scriptvp, vp->v_label, imgp->ip_scriptlabelp,
1074 imgp->ip_execlabelp, &imgp->ip_ndp->ni_cnd, &imgp->ip_csflags,
1075 spawnattr, spawnattrlen), error);
1076 }
1077 mac_policy_list_unbusy();
1078 }
1079 }
1080
1081 return (error);
1082 }
1083
1084 int
1085 mac_vnode_check_fsgetpath(vfs_context_t ctx, struct vnode *vp)
1086 {
1087 kauth_cred_t cred;
1088 int error;
1089
1090 #if SECURITY_MAC_CHECK_ENFORCE
1091 /* 21167099 - only check if we allow write */
1092 if (!mac_vnode_enforce)
1093 return 0;
1094 #endif
1095 cred = vfs_context_ucred(ctx);
1096 if (!mac_cred_check_enforce(cred))
1097 return (0);
1098 MAC_CHECK(vnode_check_fsgetpath, cred, vp, vp->v_label);
1099 return (error);
1100 }
1101
1102 int
1103 mac_vnode_check_signature(struct vnode *vp, struct cs_blob *cs_blob,
1104 struct image_params *imgp,
1105 unsigned int *cs_flags, unsigned int *signer_type,
1106 int flags)
1107 {
1108 int error;
1109 char *fatal_failure_desc = NULL;
1110 size_t fatal_failure_desc_len = 0;
1111
1112 char *vn_path = NULL;
1113 vm_size_t vn_pathlen = MAXPATHLEN;
1114 cpu_type_t cpu_type = (imgp == NULL) ? CPU_TYPE_ANY : imgp->ip_origcputype;
1115
1116
1117 #if SECURITY_MAC_CHECK_ENFORCE
1118 /* 21167099 - only check if we allow write */
1119 if (!mac_proc_enforce || !mac_vnode_enforce)
1120 return 0;
1121 #endif
1122
1123 MAC_CHECK(vnode_check_signature, vp, vp->v_label, cpu_type, cs_blob,
1124 cs_flags, signer_type, flags, &fatal_failure_desc, &fatal_failure_desc_len);
1125
1126 if (fatal_failure_desc_len) {
1127 // A fatal code signature validation failure occured, formulate a crash
1128 // reason.
1129
1130 char const *path = NULL;
1131
1132 vn_path = (char *)kalloc(MAXPATHLEN);
1133 if (vn_path != NULL) {
1134 if (vn_getpath(vp, vn_path, (int*)&vn_pathlen) == 0) {
1135 path = vn_path;
1136 } else {
1137 path = "(get vnode path failed)";
1138 }
1139 } else {
1140 path = "(path alloc failed)";
1141 }
1142
1143 if (error == 0) {
1144 panic("mac_vnode_check_signature: MAC hook returned no error, "
1145 "but status is claimed to be fatal? "
1146 "path: '%s', fatal_failure_desc_len: %ld, fatal_failure_desc:\n%s\n",
1147 path, fatal_failure_desc_len, fatal_failure_desc);
1148 }
1149
1150 printf("mac_vnode_check_signature: %s: code signature validation failed fatally: %s",
1151 path, fatal_failure_desc);
1152
1153 if (imgp == NULL) {
1154 goto out;
1155 }
1156
1157 os_reason_t reason = os_reason_create(OS_REASON_CODESIGNING,
1158 CODESIGNING_EXIT_REASON_TASKGATED_INVALID_SIG);
1159
1160 if (reason == OS_REASON_NULL) {
1161 printf("mac_vnode_check_signature: %s: failure to allocate exit reason for validation failure: %s\n",
1162 path, fatal_failure_desc);
1163 goto out;
1164 }
1165
1166 imgp->ip_cs_error = reason;
1167 reason->osr_flags = (OS_REASON_FLAG_GENERATE_CRASH_REPORT |
1168 OS_REASON_FLAG_CONSISTENT_FAILURE);
1169
1170 if (fatal_failure_desc == NULL) {
1171 // This may happen if allocation for the buffer failed.
1172 printf("mac_vnode_check_signature: %s: fatal failure is missing its description.\n", path);
1173 } else {
1174 mach_vm_address_t data_addr = 0;
1175
1176 int reason_error = 0;
1177 int kcdata_error = 0;
1178
1179 if ((reason_error = os_reason_alloc_buffer_noblock(reason, kcdata_estimate_required_buffer_size
1180 (1, fatal_failure_desc_len))) == 0 &&
1181 (kcdata_error = kcdata_get_memory_addr(&reason->osr_kcd_descriptor,
1182 EXIT_REASON_USER_DESC, fatal_failure_desc_len,
1183 &data_addr)) == KERN_SUCCESS) {
1184 kern_return_t mc_error = kcdata_memcpy(&reason->osr_kcd_descriptor, (mach_vm_address_t)data_addr,
1185 fatal_failure_desc, fatal_failure_desc_len);
1186
1187 if (mc_error != KERN_SUCCESS) {
1188 printf("mac_vnode_check_signature: %s: failed to copy reason string "
1189 "(kcdata_memcpy error: %d, length: %ld)\n",
1190 path, mc_error, fatal_failure_desc_len);
1191 }
1192 } else {
1193 printf("mac_vnode_check_signature: %s: failed to allocate space for reason string "
1194 "(os_reason_alloc_buffer error: %d, kcdata error: %d, length: %ld)\n",
1195 path, reason_error, kcdata_error, fatal_failure_desc_len);
1196 }
1197
1198 }
1199 }
1200
1201 out:
1202 if (vn_path) {
1203 kfree(vn_path, MAXPATHLEN);
1204 }
1205
1206 if (fatal_failure_desc_len > 0 && fatal_failure_desc != NULL) {
1207 kfree(fatal_failure_desc, fatal_failure_desc_len);
1208 }
1209
1210 return (error);
1211 }
1212
1213 #if 0
1214 int
1215 mac_vnode_check_getacl(vfs_context_t ctx, struct vnode *vp, acl_type_t type)
1216 {
1217 kauth_cred_t cred;
1218 int error;
1219
1220 #if SECURITY_MAC_CHECK_ENFORCE
1221 /* 21167099 - only check if we allow write */
1222 if (!mac_vnode_enforce)
1223 return 0;
1224 #endif
1225 cred = vfs_context_ucred(ctx);
1226 if (!mac_cred_check_enforce(cred))
1227 return (0);
1228 MAC_CHECK(vnode_check_getacl, cred, vp, vp->v_label, type);
1229 return (error);
1230 }
1231 #endif
1232
1233 int
1234 mac_vnode_check_getextattr(vfs_context_t ctx, struct vnode *vp,
1235 const char *name, struct uio *uio)
1236 {
1237 kauth_cred_t cred;
1238 int error;
1239
1240 #if SECURITY_MAC_CHECK_ENFORCE
1241 /* 21167099 - only check if we allow write */
1242 if (!mac_vnode_enforce)
1243 return 0;
1244 #endif
1245 cred = vfs_context_ucred(ctx);
1246 if (!mac_cred_check_enforce(cred))
1247 return (0);
1248 MAC_CHECK(vnode_check_getextattr, cred, vp, vp->v_label,
1249 name, uio);
1250 return (error);
1251 }
1252
1253 int
1254 mac_vnode_check_ioctl(vfs_context_t ctx, struct vnode *vp, u_int cmd)
1255 {
1256 kauth_cred_t cred;
1257 int error;
1258
1259 #if SECURITY_MAC_CHECK_ENFORCE
1260 /* 21167099 - only check if we allow write */
1261 if (!mac_vnode_enforce)
1262 return 0;
1263 #endif
1264 cred = vfs_context_ucred(ctx);
1265 if (!mac_cred_check_enforce(cred))
1266 return (0);
1267 MAC_CHECK(vnode_check_ioctl, cred, vp, vp->v_label, cmd);
1268 return (error);
1269 }
1270
1271 int
1272 mac_vnode_check_kqfilter(vfs_context_t ctx, kauth_cred_t file_cred,
1273 struct knote *kn, struct vnode *vp)
1274 {
1275 kauth_cred_t cred;
1276 int error;
1277
1278 #if SECURITY_MAC_CHECK_ENFORCE
1279 /* 21167099 - only check if we allow write */
1280 if (!mac_vnode_enforce)
1281 return 0;
1282 #endif
1283 cred = vfs_context_ucred(ctx);
1284 if (!mac_cred_check_enforce(cred))
1285 return (0);
1286 MAC_CHECK(vnode_check_kqfilter, cred, file_cred, kn, vp,
1287 vp->v_label);
1288
1289 return (error);
1290 }
1291
1292 int
1293 mac_vnode_check_link(vfs_context_t ctx, struct vnode *dvp,
1294 struct vnode *vp, struct componentname *cnp)
1295 {
1296 kauth_cred_t cred;
1297 int error;
1298
1299 #if SECURITY_MAC_CHECK_ENFORCE
1300 /* 21167099 - only check if we allow write */
1301 if (!mac_vnode_enforce)
1302 return 0;
1303 #endif
1304 cred = vfs_context_ucred(ctx);
1305 if (!mac_cred_check_enforce(cred))
1306 return (0);
1307 MAC_CHECK(vnode_check_link, cred, dvp, dvp->v_label, vp,
1308 vp->v_label, cnp);
1309 return (error);
1310 }
1311
1312 int
1313 mac_vnode_check_listextattr(vfs_context_t ctx, struct vnode *vp)
1314 {
1315 kauth_cred_t cred;
1316 int error;
1317
1318 #if SECURITY_MAC_CHECK_ENFORCE
1319 /* 21167099 - only check if we allow write */
1320 if (!mac_vnode_enforce)
1321 return 0;
1322 #endif
1323 cred = vfs_context_ucred(ctx);
1324 if (!mac_cred_check_enforce(cred))
1325 return (0);
1326 MAC_CHECK(vnode_check_listextattr, cred, vp, vp->v_label);
1327 return (error);
1328 }
1329
1330 int
1331 mac_vnode_check_lookup_preflight(vfs_context_t ctx, struct vnode *dvp,
1332 const char *path, size_t pathlen)
1333 {
1334 kauth_cred_t cred;
1335 int error;
1336
1337 #if SECURITY_MAC_CHECK_ENFORCE
1338 /* 21167099 - only check if we allow write */
1339 if (!mac_vnode_enforce)
1340 return 0;
1341 #endif
1342 cred = vfs_context_ucred(ctx);
1343 if (!mac_cred_check_enforce(cred))
1344 return (0);
1345 MAC_CHECK(vnode_check_lookup_preflight, cred, dvp, dvp->v_label, path, pathlen);
1346 return (error);
1347 }
1348
1349 int
1350 mac_vnode_check_lookup(vfs_context_t ctx, struct vnode *dvp,
1351 struct componentname *cnp)
1352 {
1353 kauth_cred_t cred;
1354 int error;
1355
1356 #if SECURITY_MAC_CHECK_ENFORCE
1357 /* 21167099 - only check if we allow write */
1358 if (!mac_vnode_enforce)
1359 return 0;
1360 #endif
1361 cred = vfs_context_ucred(ctx);
1362 if (!mac_cred_check_enforce(cred))
1363 return (0);
1364 MAC_CHECK(vnode_check_lookup, cred, dvp, dvp->v_label, cnp);
1365 return (error);
1366 }
1367
1368 int
1369 mac_vnode_check_open(vfs_context_t ctx, struct vnode *vp, int acc_mode)
1370 {
1371 kauth_cred_t cred;
1372 int error;
1373
1374 #if SECURITY_MAC_CHECK_ENFORCE
1375 /* 21167099 - only check if we allow write */
1376 if (!mac_vnode_enforce)
1377 return 0;
1378 #endif
1379 cred = vfs_context_ucred(ctx);
1380 if (!mac_cred_check_enforce(cred))
1381 return (0);
1382 MAC_CHECK(vnode_check_open, cred, vp, vp->v_label, acc_mode);
1383 return (error);
1384 }
1385
1386 int
1387 mac_vnode_check_read(vfs_context_t ctx, struct ucred *file_cred,
1388 struct vnode *vp)
1389 {
1390 kauth_cred_t cred;
1391 int error;
1392
1393 #if SECURITY_MAC_CHECK_ENFORCE
1394 /* 21167099 - only check if we allow write */
1395 if (!mac_vnode_enforce)
1396 return 0;
1397 #endif
1398 cred = vfs_context_ucred(ctx);
1399 if (!mac_cred_check_enforce(cred))
1400 return (0);
1401 MAC_CHECK(vnode_check_read, cred, file_cred, vp,
1402 vp->v_label);
1403
1404 return (error);
1405 }
1406
1407 int
1408 mac_vnode_check_readdir(vfs_context_t ctx, struct vnode *dvp)
1409 {
1410 kauth_cred_t cred;
1411 int error;
1412
1413 #if SECURITY_MAC_CHECK_ENFORCE
1414 /* 21167099 - only check if we allow write */
1415 if (!mac_vnode_enforce)
1416 return 0;
1417 #endif
1418 cred = vfs_context_ucred(ctx);
1419 if (!mac_cred_check_enforce(cred))
1420 return (0);
1421 MAC_CHECK(vnode_check_readdir, cred, dvp, dvp->v_label);
1422 return (error);
1423 }
1424
1425 int
1426 mac_vnode_check_readlink(vfs_context_t ctx, struct vnode *vp)
1427 {
1428 kauth_cred_t cred;
1429 int error;
1430
1431 #if SECURITY_MAC_CHECK_ENFORCE
1432 /* 21167099 - only check if we allow write */
1433 if (!mac_vnode_enforce)
1434 return 0;
1435 #endif
1436 cred = vfs_context_ucred(ctx);
1437 if (!mac_cred_check_enforce(cred))
1438 return (0);
1439 MAC_CHECK(vnode_check_readlink, cred, vp, vp->v_label);
1440 return (error);
1441 }
1442
1443 int
1444 mac_vnode_check_label_update(vfs_context_t ctx, struct vnode *vp,
1445 struct label *newlabel)
1446 {
1447 kauth_cred_t cred;
1448 int error;
1449
1450 #if SECURITY_MAC_CHECK_ENFORCE
1451 /* 21167099 - only check if we allow write */
1452 if (!mac_vnode_enforce)
1453 return 0;
1454 #endif
1455 cred = vfs_context_ucred(ctx);
1456 if (!mac_cred_check_enforce(cred))
1457 return (0);
1458 MAC_CHECK(vnode_check_label_update, cred, vp, vp->v_label, newlabel);
1459
1460 return (error);
1461 }
1462
1463 int
1464 mac_vnode_check_rename(vfs_context_t ctx, struct vnode *dvp,
1465 struct vnode *vp, struct componentname *cnp, struct vnode *tdvp,
1466 struct vnode *tvp, struct componentname *tcnp)
1467 {
1468 kauth_cred_t cred;
1469 int error;
1470
1471 #if SECURITY_MAC_CHECK_ENFORCE
1472 /* 21167099 - only check if we allow write */
1473 if (!mac_vnode_enforce)
1474 return 0;
1475 #endif
1476 cred = vfs_context_ucred(ctx);
1477 if (!mac_cred_check_enforce(cred))
1478 return (0);
1479
1480 MAC_CHECK(vnode_check_rename_from, cred, dvp, dvp->v_label, vp,
1481 vp->v_label, cnp);
1482 if (error)
1483 return (error);
1484
1485 MAC_CHECK(vnode_check_rename_to, cred, tdvp, tdvp->v_label, tvp,
1486 tvp != NULL ? tvp->v_label : NULL, dvp == tdvp, tcnp);
1487 if (error)
1488 return (error);
1489
1490 MAC_CHECK(vnode_check_rename, cred, dvp, dvp->v_label, vp,
1491 vp->v_label, cnp, tdvp, tdvp->v_label, tvp,
1492 tvp != NULL ? tvp->v_label : NULL, tcnp);
1493 return (error);
1494 }
1495
1496 int
1497 mac_vnode_check_revoke(vfs_context_t ctx, struct vnode *vp)
1498 {
1499 kauth_cred_t cred;
1500 int error;
1501
1502 #if SECURITY_MAC_CHECK_ENFORCE
1503 /* 21167099 - only check if we allow write */
1504 if (!mac_vnode_enforce)
1505 return 0;
1506 #endif
1507 cred = vfs_context_ucred(ctx);
1508 if (!mac_cred_check_enforce(cred))
1509 return (0);
1510 MAC_CHECK(vnode_check_revoke, cred, vp, vp->v_label);
1511 return (error);
1512 }
1513
1514 int
1515 mac_vnode_check_searchfs(vfs_context_t ctx, struct vnode *vp, struct attrlist *alist)
1516 {
1517 kauth_cred_t cred;
1518 int error;
1519
1520 #if SECURITY_MAC_CHECK_ENFORCE
1521 /* 21167099 - only check if we allow write */
1522 if (!mac_vnode_enforce)
1523 return 0;
1524 #endif
1525 cred = vfs_context_ucred(ctx);
1526 if (!mac_cred_check_enforce(cred))
1527 return (0);
1528 MAC_CHECK(vnode_check_searchfs, cred, vp, vp->v_label, alist);
1529 return (error);
1530 }
1531
1532 int
1533 mac_vnode_check_select(vfs_context_t ctx, struct vnode *vp, int which)
1534 {
1535 kauth_cred_t cred;
1536 int error;
1537
1538 #if SECURITY_MAC_CHECK_ENFORCE
1539 /* 21167099 - only check if we allow write */
1540 if (!mac_vnode_enforce)
1541 return 0;
1542 #endif
1543 cred = vfs_context_ucred(ctx);
1544 if (!mac_cred_check_enforce(cred))
1545 return (0);
1546 MAC_CHECK(vnode_check_select, cred, vp, vp->v_label, which);
1547 return (error);
1548 }
1549
1550 int
1551 mac_vnode_check_setacl(vfs_context_t ctx, struct vnode *vp,
1552 struct kauth_acl *acl)
1553 {
1554 kauth_cred_t cred;
1555 int error;
1556
1557 #if SECURITY_MAC_CHECK_ENFORCE
1558 /* 21167099 - only check if we allow write */
1559 if (!mac_vnode_enforce)
1560 return 0;
1561 #endif
1562 cred = vfs_context_ucred(ctx);
1563 if (!mac_cred_check_enforce(cred))
1564 return (0);
1565 MAC_CHECK(vnode_check_setacl, cred, vp, vp->v_label, acl);
1566 return (error);
1567 }
1568
1569 int
1570 mac_vnode_check_setattrlist(vfs_context_t ctx, struct vnode *vp,
1571 struct attrlist *alist)
1572 {
1573 kauth_cred_t cred;
1574 int error;
1575
1576 #if SECURITY_MAC_CHECK_ENFORCE
1577 /* 21167099 - only check if we allow write */
1578 if (!mac_vnode_enforce)
1579 return 0;
1580 #endif
1581 cred = vfs_context_ucred(ctx);
1582 if (!mac_cred_check_enforce(cred))
1583 return (0);
1584 MAC_CHECK(vnode_check_setattrlist, cred, vp, vp->v_label, alist);
1585 return (error);
1586 }
1587
1588 int
1589 mac_vnode_check_setextattr(vfs_context_t ctx, struct vnode *vp,
1590 const char *name, struct uio *uio)
1591 {
1592 kauth_cred_t cred;
1593 int error;
1594
1595 #if SECURITY_MAC_CHECK_ENFORCE
1596 /* 21167099 - only check if we allow write */
1597 if (!mac_vnode_enforce)
1598 return 0;
1599 #endif
1600 cred = vfs_context_ucred(ctx);
1601 if (!mac_cred_check_enforce(cred))
1602 return (0);
1603 MAC_CHECK(vnode_check_setextattr, cred, vp, vp->v_label,
1604 name, uio);
1605 return (error);
1606 }
1607
1608 int
1609 mac_vnode_check_setflags(vfs_context_t ctx, struct vnode *vp, u_long flags)
1610 {
1611 kauth_cred_t cred;
1612 int error;
1613
1614 #if SECURITY_MAC_CHECK_ENFORCE
1615 /* 21167099 - only check if we allow write */
1616 if (!mac_vnode_enforce)
1617 return 0;
1618 #endif
1619 cred = vfs_context_ucred(ctx);
1620 if (!mac_cred_check_enforce(cred))
1621 return (0);
1622 MAC_CHECK(vnode_check_setflags, cred, vp, vp->v_label, flags);
1623 return (error);
1624 }
1625
1626 int
1627 mac_vnode_check_setmode(vfs_context_t ctx, struct vnode *vp, mode_t mode)
1628 {
1629 kauth_cred_t cred;
1630 int error;
1631
1632 #if SECURITY_MAC_CHECK_ENFORCE
1633 /* 21167099 - only check if we allow write */
1634 if (!mac_vnode_enforce)
1635 return 0;
1636 #endif
1637 cred = vfs_context_ucred(ctx);
1638 if (!mac_cred_check_enforce(cred))
1639 return (0);
1640 MAC_CHECK(vnode_check_setmode, cred, vp, vp->v_label, mode);
1641 return (error);
1642 }
1643
1644 int
1645 mac_vnode_check_setowner(vfs_context_t ctx, struct vnode *vp, uid_t uid,
1646 gid_t gid)
1647 {
1648 kauth_cred_t cred;
1649 int error;
1650
1651 #if SECURITY_MAC_CHECK_ENFORCE
1652 /* 21167099 - only check if we allow write */
1653 if (!mac_vnode_enforce)
1654 return 0;
1655 #endif
1656 cred = vfs_context_ucred(ctx);
1657 if (!mac_cred_check_enforce(cred))
1658 return (0);
1659 MAC_CHECK(vnode_check_setowner, cred, vp, vp->v_label, uid, gid);
1660 return (error);
1661 }
1662
1663 int
1664 mac_vnode_check_setutimes(vfs_context_t ctx, struct vnode *vp,
1665 struct timespec atime, struct timespec mtime)
1666 {
1667 kauth_cred_t cred;
1668 int error;
1669
1670 #if SECURITY_MAC_CHECK_ENFORCE
1671 /* 21167099 - only check if we allow write */
1672 if (!mac_vnode_enforce)
1673 return 0;
1674 #endif
1675 cred = vfs_context_ucred(ctx);
1676 if (!mac_cred_check_enforce(cred))
1677 return (0);
1678 MAC_CHECK(vnode_check_setutimes, cred, vp, vp->v_label, atime,
1679 mtime);
1680 return (error);
1681 }
1682
1683 int
1684 mac_vnode_check_stat(vfs_context_t ctx, struct ucred *file_cred,
1685 struct vnode *vp)
1686 {
1687 kauth_cred_t cred;
1688 int error;
1689
1690 #if SECURITY_MAC_CHECK_ENFORCE
1691 /* 21167099 - only check if we allow write */
1692 if (!mac_vnode_enforce)
1693 return 0;
1694 #endif
1695 cred = vfs_context_ucred(ctx);
1696 if (!mac_cred_check_enforce(cred))
1697 return (0);
1698 MAC_CHECK(vnode_check_stat, cred, file_cred, vp,
1699 vp->v_label);
1700 return (error);
1701 }
1702
1703 int
1704 mac_vnode_check_trigger_resolve(vfs_context_t ctx, struct vnode *dvp,
1705 struct componentname *cnp)
1706 {
1707 kauth_cred_t cred;
1708 int error;
1709
1710 #if SECURITY_MAC_CHECK_ENFORCE
1711 /* 21167099 - only check if we allow write */
1712 if (!mac_vnode_enforce)
1713 return 0;
1714 #endif
1715 cred = vfs_context_ucred(ctx);
1716 if (!mac_cred_check_enforce(cred))
1717 return (0);
1718 MAC_CHECK(vnode_check_trigger_resolve, cred, dvp, dvp->v_label, cnp);
1719 return (error);
1720 }
1721
1722 int
1723 mac_vnode_check_truncate(vfs_context_t ctx, struct ucred *file_cred,
1724 struct vnode *vp)
1725 {
1726 kauth_cred_t cred;
1727 int error;
1728
1729 #if SECURITY_MAC_CHECK_ENFORCE
1730 /* 21167099 - only check if we allow write */
1731 if (!mac_vnode_enforce)
1732 return 0;
1733 #endif
1734 cred = vfs_context_ucred(ctx);
1735 if (!mac_cred_check_enforce(cred))
1736 return (0);
1737 MAC_CHECK(vnode_check_truncate, cred, file_cred, vp,
1738 vp->v_label);
1739
1740 return (error);
1741 }
1742
1743 int
1744 mac_vnode_check_write(vfs_context_t ctx, struct ucred *file_cred,
1745 struct vnode *vp)
1746 {
1747 kauth_cred_t cred;
1748 int error;
1749
1750 #if SECURITY_MAC_CHECK_ENFORCE
1751 /* 21167099 - only check if we allow write */
1752 if (!mac_vnode_enforce)
1753 return 0;
1754 #endif
1755 cred = vfs_context_ucred(ctx);
1756 if (!mac_cred_check_enforce(cred))
1757 return (0);
1758 MAC_CHECK(vnode_check_write, cred, file_cred, vp, vp->v_label);
1759
1760 return (error);
1761 }
1762
1763 int
1764 mac_vnode_check_uipc_bind(vfs_context_t ctx, struct vnode *dvp,
1765 struct componentname *cnp, struct vnode_attr *vap)
1766 {
1767 kauth_cred_t cred;
1768 int error;
1769
1770 #if SECURITY_MAC_CHECK_ENFORCE
1771 /* 21167099 - only check if we allow write */
1772 if (!mac_vnode_enforce)
1773 return 0;
1774 #endif
1775 cred = vfs_context_ucred(ctx);
1776 if (!mac_cred_check_enforce(cred))
1777 return (0);
1778 MAC_CHECK(vnode_check_uipc_bind, cred, dvp, dvp->v_label, cnp, vap);
1779 return (error);
1780 }
1781
1782 int
1783 mac_vnode_check_uipc_connect(vfs_context_t ctx, struct vnode *vp, struct socket *so)
1784 {
1785 kauth_cred_t cred;
1786 int error;
1787
1788 #if SECURITY_MAC_CHECK_ENFORCE
1789 /* 21167099 - only check if we allow write */
1790 if (!mac_vnode_enforce)
1791 return 0;
1792 #endif
1793 cred = vfs_context_ucred(ctx);
1794 if (!mac_cred_check_enforce(cred))
1795 return (0);
1796 MAC_CHECK(vnode_check_uipc_connect, cred, vp, vp->v_label, (socket_t) so);
1797 return (error);
1798 }
1799
1800 void
1801 mac_vnode_label_update(vfs_context_t ctx, struct vnode *vp, struct label *newlabel)
1802 {
1803 kauth_cred_t cred = vfs_context_ucred(ctx);
1804 struct label *tmpl = NULL;
1805
1806 if (vp->v_label == NULL)
1807 tmpl = mac_vnode_label_alloc();
1808
1809 vnode_lock(vp);
1810
1811 /* recheck after lock */
1812 if (vp->v_label == NULL) {
1813 vp->v_label = tmpl;
1814 tmpl = NULL;
1815 }
1816
1817 MAC_PERFORM(vnode_label_update, cred, vp, vp->v_label, newlabel);
1818 vnode_unlock(vp);
1819
1820 if (tmpl != NULL)
1821 mac_vnode_label_free(tmpl);
1822 }
1823
1824 int
1825 mac_vnode_find_sigs(struct proc *p, struct vnode *vp, off_t offset)
1826 {
1827 int error;
1828
1829 #if SECURITY_MAC_CHECK_ENFORCE
1830 /* 21167099 - only check if we allow write */
1831 if (!mac_proc_enforce || !mac_vnode_enforce)
1832 return 0;
1833 #endif
1834
1835 MAC_CHECK(vnode_find_sigs, p, vp, offset, vp->v_label);
1836
1837 return (error);
1838 }
1839
1840 void
1841 mac_mount_label_associate(vfs_context_t ctx, struct mount *mp)
1842 {
1843 kauth_cred_t cred = vfs_context_ucred(ctx);
1844
1845 /* XXX: eventually this logic may be handled by the policy? */
1846
1847 /* We desire MULTILABEL for the root filesystem. */
1848 if ((mp->mnt_flag & MNT_ROOTFS) &&
1849 (strcmp(mp->mnt_vfsstat.f_fstypename, "hfs") == 0))
1850 mp->mnt_flag |= MNT_MULTILABEL;
1851
1852 /* MULTILABEL on DEVFS. */
1853 if (strcmp(mp->mnt_vfsstat.f_fstypename, "devfs") == 0)
1854 mp->mnt_flag |= MNT_MULTILABEL;
1855
1856 /* MULTILABEL on FDESC pseudo-filesystem. */
1857 if (strcmp(mp->mnt_vfsstat.f_fstypename, "fdesc") == 0)
1858 mp->mnt_flag |= MNT_MULTILABEL;
1859
1860 /* MULTILABEL on all NFS filesystems. */
1861 if (strcmp(mp->mnt_vfsstat.f_fstypename, "nfs") == 0)
1862 mp->mnt_flag |= MNT_MULTILABEL;
1863
1864 /* MULTILABEL on all AFP filesystems. */
1865 if (strcmp(mp->mnt_vfsstat.f_fstypename, "afpfs") == 0)
1866 mp->mnt_flag |= MNT_MULTILABEL;
1867
1868 if (mp->mnt_vtable != NULL) {
1869 /* Any filesystem that supports native XATTRs. */
1870 if ((mp->mnt_vtable->vfc_vfsflags & VFC_VFSNATIVEXATTR))
1871 mp->mnt_flag |= MNT_MULTILABEL;
1872
1873 /* Filesystem does not support multilabel. */
1874 if ((mp->mnt_vtable->vfc_vfsflags & VFC_VFSNOMACLABEL) &&
1875 (mp->mnt_flag & MNT_MULTILABEL))
1876 mp->mnt_flag &= ~MNT_MULTILABEL;
1877 }
1878
1879 MAC_PERFORM(mount_label_associate, cred, mp, mp->mnt_mntlabel);
1880 #if DEBUG
1881 printf("MAC Framework enabling %s support: %s -> %s (%s)\n",
1882 mp->mnt_flag & MNT_MULTILABEL ? "multilabel" : "singlelabel",
1883 mp->mnt_vfsstat.f_mntfromname,
1884 mp->mnt_vfsstat.f_mntonname,
1885 mp->mnt_vfsstat.f_fstypename);
1886 #endif
1887 }
1888
1889 int
1890 mac_mount_check_mount(vfs_context_t ctx, struct vnode *vp,
1891 struct componentname *cnp, const char *vfc_name)
1892 {
1893 kauth_cred_t cred;
1894 int error;
1895
1896 #if SECURITY_MAC_CHECK_ENFORCE
1897 /* 21167099 - only check if we allow write */
1898 if (!mac_vnode_enforce)
1899 return 0;
1900 #endif
1901 cred = vfs_context_ucred(ctx);
1902 if (!mac_cred_check_enforce(cred))
1903 return (0);
1904 MAC_CHECK(mount_check_mount, cred, vp, vp->v_label, cnp, vfc_name);
1905
1906 return (error);
1907 }
1908
1909 int
1910 mac_mount_check_snapshot_create(vfs_context_t ctx, struct mount *mp,
1911 const char *name)
1912 {
1913 kauth_cred_t cred;
1914 int error;
1915
1916 #if SECURITY_MAC_CHECK_ENFORCE
1917 /* 21167099 - only check if we allow write */
1918 if (!mac_vnode_enforce)
1919 return 0;
1920 #endif
1921 cred = vfs_context_ucred(ctx);
1922 if (!mac_cred_check_enforce(cred))
1923 return (0);
1924 MAC_CHECK(mount_check_snapshot_create, cred, mp, name);
1925 return (error);
1926 }
1927
1928 int
1929 mac_mount_check_snapshot_delete(vfs_context_t ctx, struct mount *mp,
1930 const char *name)
1931 {
1932 kauth_cred_t cred;
1933 int error;
1934
1935 #if SECURITY_MAC_CHECK_ENFORCE
1936 /* 21167099 - only check if we allow write */
1937 if (!mac_vnode_enforce)
1938 return 0;
1939 #endif
1940 cred = vfs_context_ucred(ctx);
1941 if (!mac_cred_check_enforce(cred))
1942 return (0);
1943 MAC_CHECK(mount_check_snapshot_delete, cred, mp, name);
1944 return (error);
1945 }
1946
1947 int
1948 mac_mount_check_snapshot_revert(vfs_context_t ctx, struct mount *mp,
1949 const char *name)
1950 {
1951 kauth_cred_t cred;
1952 int error;
1953
1954 #if SECURITY_MAC_CHECK_ENFORCE
1955 /* 21167099 - only check if we allow write */
1956 if (!mac_vnode_enforce)
1957 return 0;
1958 #endif
1959 cred = vfs_context_ucred(ctx);
1960 if (!mac_cred_check_enforce(cred))
1961 return (0);
1962 MAC_CHECK(mount_check_snapshot_revert, cred, mp, name);
1963 return (error);
1964 }
1965
1966 int
1967 mac_mount_check_remount(vfs_context_t ctx, struct mount *mp)
1968 {
1969 kauth_cred_t cred;
1970 int error;
1971
1972 #if SECURITY_MAC_CHECK_ENFORCE
1973 /* 21167099 - only check if we allow write */
1974 if (!mac_vnode_enforce)
1975 return 0;
1976 #endif
1977 cred = vfs_context_ucred(ctx);
1978 if (!mac_cred_check_enforce(cred))
1979 return (0);
1980 MAC_CHECK(mount_check_remount, cred, mp, mp->mnt_mntlabel);
1981
1982 return (error);
1983 }
1984
1985 int
1986 mac_mount_check_umount(vfs_context_t ctx, struct mount *mp)
1987 {
1988 kauth_cred_t cred;
1989 int error;
1990
1991 #if SECURITY_MAC_CHECK_ENFORCE
1992 /* 21167099 - only check if we allow write */
1993 if (!mac_vnode_enforce)
1994 return 0;
1995 #endif
1996 cred = vfs_context_ucred(ctx);
1997 if (!mac_cred_check_enforce(cred))
1998 return (0);
1999 MAC_CHECK(mount_check_umount, cred, mp, mp->mnt_mntlabel);
2000
2001 return (error);
2002 }
2003
2004 int
2005 mac_mount_check_getattr(vfs_context_t ctx, struct mount *mp,
2006 struct vfs_attr *vfa)
2007 {
2008 kauth_cred_t cred;
2009 int error;
2010
2011 #if SECURITY_MAC_CHECK_ENFORCE
2012 /* 21167099 - only check if we allow write */
2013 if (!mac_vnode_enforce)
2014 return 0;
2015 #endif
2016 cred = vfs_context_ucred(ctx);
2017 if (!mac_cred_check_enforce(cred))
2018 return (0);
2019 MAC_CHECK(mount_check_getattr, cred, mp, mp->mnt_mntlabel, vfa);
2020 return (error);
2021 }
2022
2023 int
2024 mac_mount_check_setattr(vfs_context_t ctx, struct mount *mp,
2025 struct vfs_attr *vfa)
2026 {
2027 kauth_cred_t cred;
2028 int error;
2029
2030 #if SECURITY_MAC_CHECK_ENFORCE
2031 /* 21167099 - only check if we allow write */
2032 if (!mac_vnode_enforce)
2033 return 0;
2034 #endif
2035 cred = vfs_context_ucred(ctx);
2036 if (!mac_cred_check_enforce(cred))
2037 return (0);
2038 MAC_CHECK(mount_check_setattr, cred, mp, mp->mnt_mntlabel, vfa);
2039 return (error);
2040 }
2041
2042 int
2043 mac_mount_check_stat(vfs_context_t ctx, struct mount *mount)
2044 {
2045 kauth_cred_t cred;
2046 int error;
2047
2048 #if SECURITY_MAC_CHECK_ENFORCE
2049 /* 21167099 - only check if we allow write */
2050 if (!mac_vnode_enforce)
2051 return 0;
2052 #endif
2053 cred = vfs_context_ucred(ctx);
2054 if (!mac_cred_check_enforce(cred))
2055 return (0);
2056 MAC_CHECK(mount_check_stat, cred, mount, mount->mnt_mntlabel);
2057
2058 return (error);
2059 }
2060
2061 int
2062 mac_mount_check_label_update(vfs_context_t ctx, struct mount *mount)
2063 {
2064 kauth_cred_t cred;
2065 int error;
2066
2067 #if SECURITY_MAC_CHECK_ENFORCE
2068 /* 21167099 - only check if we allow write */
2069 if (!mac_vnode_enforce)
2070 return 0;
2071 #endif
2072 cred = vfs_context_ucred(ctx);
2073 if (!mac_cred_check_enforce(cred))
2074 return (0);
2075 MAC_CHECK(mount_check_label_update, cred, mount, mount->mnt_mntlabel);
2076
2077 return (error);
2078 }
2079
2080 int
2081 mac_mount_check_fsctl(vfs_context_t ctx, struct mount *mp, u_int cmd)
2082 {
2083 kauth_cred_t cred;
2084 int error;
2085
2086 #if SECURITY_MAC_CHECK_ENFORCE
2087 /* 21167099 - only check if we allow write */
2088 if (!mac_vnode_enforce)
2089 return 0;
2090 #endif
2091 cred = vfs_context_ucred(ctx);
2092 if (!mac_cred_check_enforce(cred))
2093 return (0);
2094 MAC_CHECK(mount_check_fsctl, cred, mp, mp->mnt_mntlabel, cmd);
2095
2096 return (error);
2097 }
2098
2099 void
2100 mac_devfs_label_associate_device(dev_t dev, struct devnode *de,
2101 const char *fullpath)
2102 {
2103 #if SECURITY_MAC_CHECK_ENFORCE
2104 /* 21167099 - only check if we allow write */
2105 if (!mac_device_enforce)
2106 return;
2107 #endif
2108
2109 MAC_PERFORM(devfs_label_associate_device, dev, de, de->dn_label,
2110 fullpath);
2111 }
2112
2113 void
2114 mac_devfs_label_associate_directory(const char *dirname, int dirnamelen,
2115 struct devnode *de, const char *fullpath)
2116 {
2117 #if SECURITY_MAC_CHECK_ENFORCE
2118 /* 21167099 - only check if we allow write */
2119 if (!mac_device_enforce)
2120 return;
2121 #endif
2122
2123 MAC_PERFORM(devfs_label_associate_directory, dirname, dirnamelen, de,
2124 de->dn_label, fullpath);
2125 }
2126
2127 int
2128 vn_setlabel(struct vnode *vp, struct label *intlabel, vfs_context_t context)
2129 {
2130 int error;
2131
2132 #if SECURITY_MAC_CHECK_ENFORCE
2133 /* 21167099 - only check if we allow write */
2134 if (!mac_vnode_enforce)
2135 return 0;
2136 #endif
2137 if (!mac_label_vnodes)
2138 return (0);
2139
2140 if (vp->v_mount == NULL) {
2141 printf("vn_setlabel: null v_mount\n");
2142 if (vp->v_type != VNON)
2143 printf("vn_setlabel: null v_mount with non-VNON\n");
2144 return (EBADF);
2145 }
2146
2147 if ((vp->v_mount->mnt_flag & MNT_MULTILABEL) == 0)
2148 return (ENOTSUP);
2149
2150 /*
2151 * Multi-phase commit. First check the policies to confirm the
2152 * change is OK. Then commit via the filesystem. Finally,
2153 * update the actual vnode label. Question: maybe the filesystem
2154 * should update the vnode at the end as part of VNOP_SETLABEL()?
2155 */
2156 error = mac_vnode_check_label_update(context, vp, intlabel);
2157 if (error)
2158 return (error);
2159
2160 error = VNOP_SETLABEL(vp, intlabel, context);
2161 if (error == ENOTSUP) {
2162 error = mac_vnode_label_store(context, vp,
2163 intlabel);
2164 if (error) {
2165 printf("%s: mac_vnode_label_store failed %d\n",
2166 __func__, error);
2167 return (error);
2168 }
2169 mac_vnode_label_update(context, vp, intlabel);
2170 } else
2171 if (error) {
2172 printf("vn_setlabel: vop setlabel failed %d\n", error);
2173 return (error);
2174 }
2175
2176 return (0);
2177 }
2178
2179 int
2180 mac_vnode_label_associate_fdesc(struct mount *mp, struct fdescnode *fnp,
2181 struct vnode *vp, vfs_context_t ctx)
2182 {
2183 struct fileproc *fp;
2184 #if CONFIG_MACF_SOCKET_SUBSET
2185 struct socket *so;
2186 #endif
2187 struct pipe *cpipe;
2188 struct vnode *fvp;
2189 struct proc *p;
2190 int error;
2191
2192 error = 0;
2193
2194 /*
2195 * If no backing file, let the policy choose which label to use.
2196 */
2197 if (fnp->fd_fd == -1) {
2198 MAC_PERFORM(vnode_label_associate_file, vfs_context_ucred(ctx),
2199 mp, mp->mnt_mntlabel, NULL, NULL, vp, vp->v_label);
2200 return (0);
2201 }
2202
2203 p = vfs_context_proc(ctx);
2204 error = fp_lookup(p, fnp->fd_fd, &fp, 0);
2205 if (error)
2206 return (error);
2207
2208 if (fp->f_fglob == NULL) {
2209 error = EBADF;
2210 goto out;
2211 }
2212
2213 switch (FILEGLOB_DTYPE(fp->f_fglob)) {
2214 case DTYPE_VNODE:
2215 fvp = (struct vnode *)fp->f_fglob->fg_data;
2216 if ((error = vnode_getwithref(fvp)))
2217 goto out;
2218 MAC_PERFORM(vnode_label_copy, fvp->v_label, vp->v_label);
2219 (void)vnode_put(fvp);
2220 break;
2221 #if CONFIG_MACF_SOCKET_SUBSET
2222 case DTYPE_SOCKET:
2223 so = (struct socket *)fp->f_fglob->fg_data;
2224 socket_lock(so, 1);
2225 MAC_PERFORM(vnode_label_associate_socket,
2226 vfs_context_ucred(ctx), (socket_t)so, so->so_label,
2227 vp, vp->v_label);
2228 socket_unlock(so, 1);
2229 break;
2230 #endif
2231 case DTYPE_PSXSHM:
2232 pshm_label_associate(fp, vp, ctx);
2233 break;
2234 case DTYPE_PSXSEM:
2235 psem_label_associate(fp, vp, ctx);
2236 break;
2237 case DTYPE_PIPE:
2238 cpipe = (struct pipe *)fp->f_fglob->fg_data;
2239 /* kern/sys_pipe.c:pipe_select() suggests this test. */
2240 if (cpipe == (struct pipe *)-1) {
2241 error = EINVAL;
2242 goto out;
2243 }
2244 PIPE_LOCK(cpipe);
2245 MAC_PERFORM(vnode_label_associate_pipe, vfs_context_ucred(ctx),
2246 cpipe, cpipe->pipe_label, vp, vp->v_label);
2247 PIPE_UNLOCK(cpipe);
2248 break;
2249 case DTYPE_KQUEUE:
2250 case DTYPE_FSEVENTS:
2251 case DTYPE_ATALK:
2252 case DTYPE_NETPOLICY:
2253 default:
2254 MAC_PERFORM(vnode_label_associate_file, vfs_context_ucred(ctx),
2255 mp, mp->mnt_mntlabel, fp->f_fglob, fp->f_fglob->fg_label,
2256 vp, vp->v_label);
2257 break;
2258 }
2259 out:
2260 fp_drop(p, fnp->fd_fd, fp, 0);
2261 return (error);
2262 }
mirror of XNU