]> git.saurik.com Git - apple/xnu.git/blob - security/mac_base.c
projects / apple / xnu.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
xnu-1699.24.23.tar.gz
[apple/xnu.git] / security / mac_base.c
1 /*
2 * Copyright (c) 2007 Apple Inc. All rights reserved.
3 *
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
14 *
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 *
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
25 *
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 */
28 /*-
29 * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson
30 * Copyright (c) 2001 Ilmar S. Habibulin
31 * Copyright (c) 2001, 2002, 2003, 2004 Networks Associates Technology, Inc.
32 * Copyright (c) 2005-2006 SPARTA, Inc.
33 *
34 * This software was developed by Robert Watson and Ilmar Habibulin for the
35 * TrustedBSD Project.
36 *
37 * This software was developed for the FreeBSD Project in part by Network
38 * Associates Laboratories, the Security Research Division of Network
39 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
40 * as part of the DARPA CHATS research program.
41 *
42 * Redistribution and use in source and binary forms, with or without
43 * modification, are permitted provided that the following conditions
44 * are met:
45 * 1. Redistributions of source code must retain the above copyright
46 * notice, this list of conditions and the following disclaimer.
47 * 2. Redistributions in binary form must reproduce the above copyright
48 * notice, this list of conditions and the following disclaimer in the
49 * documentation and/or other materials provided with the distribution.
50 *
51 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
52 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
53 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
54 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
55 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
56 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
57 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
58 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
59 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
60 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
61 * SUCH DAMAGE.
62 *
63 */
64
65 /*-
66 * Framework for extensible kernel access control. This file contains
67 * Kernel and userland interface to the framework, policy registration
68 * and composition. Per-object interfaces, controls, and labeling may be
69 * found in src/sys/mac/. Sample policies may be found in src/sys/mac*.
70 */
71
72 #include <stdarg.h>
73 #include <string.h>
74 #include <security/mac_internal.h>
75 #include <security/mac_mach_internal.h>
76 #include <sys/param.h>
77 #include <sys/vnode.h>
78 #include <sys/vnode_internal.h>
79 #include <sys/vfs_context.h>
80 #include <sys/namei.h>
81 #include <bsd/bsm/audit.h>
82 #include <bsd/security/audit/audit.h>
83 #include <sys/file.h>
84 #include <sys/file_internal.h>
85 #include <sys/filedesc.h>
86 #include <sys/proc.h>
87 #include <sys/proc_internal.h>
88 #include <sys/kauth.h>
89 #include <sys/sysproto.h>
90
91 #include <mach/vm_types.h>
92 #include <mach/vm_prot.h>
93
94 #include <kern/zalloc.h>
95 #include <kern/sched_prim.h>
96 #include <osfmk/kern/task.h>
97 #include <osfmk/kern/kalloc.h>
98
99 #if CONFIG_MACF
100 #include <security/mac.h>
101 #include <security/mac_policy.h>
102 #include <security/mac_framework.h>
103 #include <security/mac_internal.h>
104 #include <security/mac_mach_internal.h>
105 #endif
106
107
108 /*
109 * define MB_DEBUG to display run-time debugging information
110 * #define MB_DEBUG 1
111 */
112
113 #ifdef MB_DEBUG
114 #define DPRINTF(x) printf x
115 #else
116 #define MB_DEBUG
117 #define DPRINTF(x)
118 #endif
119
120 #if CONFIG_MACF
121 SYSCTL_NODE(, OID_AUTO, security, CTLFLAG_RW|CTLFLAG_LOCKED, 0,
122 "Security Controls");
123 SYSCTL_NODE(_security, OID_AUTO, mac, CTLFLAG_RW|CTLFLAG_LOCKED, 0,
124 "TrustedBSD MAC policy controls");
125
126
127
128 /*
129 * Declare that the kernel provides MAC support, version 1. This permits
130 * modules to refuse to be loaded if the necessary support isn't present,
131 * even if it's pre-boot.
132 */
133 #if 0
134 MODULE_VERSION(kernel_mac_support, 1);
135 #endif
136
137 #if MAC_MAX_SLOTS > 32
138 #error "MAC_MAX_SLOTS too large"
139 #endif
140
141 static unsigned int mac_max_slots = MAC_MAX_SLOTS;
142 static unsigned int mac_slot_offsets_free = (1 << MAC_MAX_SLOTS) - 1;
143 SYSCTL_UINT(_security_mac, OID_AUTO, max_slots, CTLFLAG_RD | CTLFLAG_LOCKED,
144 &mac_max_slots, 0, "");
145
146 /*
147 * Has the kernel started generating labeled objects yet? All read/write
148 * access to this variable is serialized during the boot process. Following
149 * the end of serialization, we don't update this flag; no locking.
150 */
151 int mac_late = 0;
152
153 /*
154 * Flag to indicate whether or not we should allocate label storage for
155 * new mbufs. Since most dynamic policies we currently work with don't
156 * rely on mbuf labeling, try to avoid paying the cost of mtag allocation
157 * unless specifically notified of interest. One result of this is
158 * that if a dynamically loaded policy requests mbuf labels, it must
159 * be able to deal with a NULL label being returned on any mbufs that
160 * were already in flight when the policy was loaded. Since the policy
161 * already has to deal with uninitialized labels, this probably won't
162 * be a problem. Note: currently no locking. Will this be a problem?
163 */
164 #if CONFIG_MACF_NET
165 unsigned int mac_label_mbufs = 1;
166 SYSCTL_UINT(_security_mac, OID_AUTO, label_mbufs, CTLFLAG_RW | CTLFLAG_LOCKED,
167 &mac_label_mbufs, 0, "Label all MBUFs");
168 #endif
169
170
171 /*
172 * Flag to indicate whether or not we should allocate label storage for
173 * new vnodes. Since most dynamic policies we currently work with don't
174 * rely on vnode labeling, try to avoid paying the cost of mtag allocation
175 * unless specifically notified of interest. One result of this is
176 * that if a dynamically loaded policy requests vnode labels, it must
177 * be able to deal with a NULL label being returned on any vnodes that
178 * were already in flight when the policy was loaded. Since the policy
179 * already has to deal with uninitialized labels, this probably won't
180 * be a problem.
181 */
182 unsigned int mac_label_vnodes = 0;
183 SYSCTL_UINT(_security_mac, OID_AUTO, labelvnodes, CTLFLAG_RW | CTLFLAG_LOCKED,
184 &mac_label_vnodes, 0, "Label all vnodes");
185
186
187 unsigned int mac_mmap_revocation = 0;
188 SYSCTL_UINT(_security_mac, OID_AUTO, mmap_revocation, CTLFLAG_RW | CTLFLAG_LOCKED,
189 &mac_mmap_revocation, 0, "Revoke mmap access to files on subject "
190 "relabel");
191
192 unsigned int mac_mmap_revocation_via_cow = 0;
193 SYSCTL_UINT(_security_mac, OID_AUTO, mmap_revocation_via_cow, CTLFLAG_RW | CTLFLAG_LOCKED,
194 &mac_mmap_revocation_via_cow, 0, "Revoke mmap access to files via "
195 "copy-on-write semantics, or by removing all write access");
196
197 unsigned int mac_device_enforce = 1;
198 SYSCTL_UINT(_security_mac, OID_AUTO, device_enforce, CTLFLAG_RW | CTLFLAG_LOCKED,
199 &mac_device_enforce, 0, "Enforce MAC policy on device operations");
200
201 unsigned int mac_file_enforce = 0;
202 SYSCTL_UINT(_security_mac, OID_AUTO, file_enforce, CTLFLAG_RW | CTLFLAG_LOCKED,
203 &mac_file_enforce, 0, "Enforce MAC policy on file operations");
204
205 unsigned int mac_iokit_enforce = 0;
206 SYSCTL_UINT(_security_mac, OID_AUTO, iokit_enforce, CTLFLAG_RW | CTLFLAG_LOCKED,
207 &mac_file_enforce, 0, "Enforce MAC policy on IOKit operations");
208
209 unsigned int mac_pipe_enforce = 1;
210 SYSCTL_UINT(_security_mac, OID_AUTO, pipe_enforce, CTLFLAG_RW | CTLFLAG_LOCKED,
211 &mac_pipe_enforce, 0, "Enforce MAC policy on pipe operations");
212
213 unsigned int mac_posixsem_enforce = 1;
214 SYSCTL_UINT(_security_mac, OID_AUTO, posixsem_enforce, CTLFLAG_RW | CTLFLAG_LOCKED,
215 &mac_posixsem_enforce, 0, "Enforce MAC policy on POSIX semaphores");
216
217 unsigned int mac_posixshm_enforce = 1;
218 SYSCTL_UINT(_security_mac, OID_AUTO, posixshm_enforce, CTLFLAG_RW | CTLFLAG_LOCKED,
219 &mac_posixshm_enforce, 0, "Enforce MAC policy on Posix Shared Memory");
220
221 unsigned int mac_proc_enforce = 1;
222 SYSCTL_UINT(_security_mac, OID_AUTO, proc_enforce, CTLFLAG_RW | CTLFLAG_LOCKED,
223 &mac_proc_enforce, 0, "Enforce MAC policy on process operations");
224
225 unsigned int mac_socket_enforce = 1;
226 SYSCTL_UINT(_security_mac, OID_AUTO, socket_enforce, CTLFLAG_RW | CTLFLAG_LOCKED,
227 &mac_socket_enforce, 0, "Enforce MAC policy on socket operations");
228
229 unsigned int mac_system_enforce = 1;
230 SYSCTL_UINT(_security_mac, OID_AUTO, system_enforce, CTLFLAG_RW | CTLFLAG_LOCKED,
231 &mac_system_enforce, 0, "Enforce MAC policy on system-wide interfaces");
232
233 unsigned int mac_sysvmsg_enforce = 1;
234 SYSCTL_UINT(_security_mac, OID_AUTO, sysvmsg_enforce, CTLFLAG_RW | CTLFLAG_LOCKED,
235 &mac_sysvmsg_enforce, 0, "Enforce MAC policy on System V IPC message queues");
236
237 unsigned int mac_sysvsem_enforce = 1;
238 SYSCTL_UINT(_security_mac, OID_AUTO, sysvsem_enforce, CTLFLAG_RW | CTLFLAG_LOCKED,
239 &mac_sysvsem_enforce, 0, "Enforce MAC policy on System V IPC semaphores");
240
241 unsigned int mac_sysvshm_enforce = 1;
242 SYSCTL_INT(_security_mac, OID_AUTO, sysvshm_enforce, CTLFLAG_RW | CTLFLAG_LOCKED,
243 &mac_sysvshm_enforce, 0, "Enforce MAC policy on System V Shared Memory");
244
245 unsigned int mac_vm_enforce = 1;
246 SYSCTL_INT(_security_mac, OID_AUTO, vm_enforce, CTLFLAG_RW | CTLFLAG_LOCKED,
247 &mac_vm_enforce, 0, "Enforce MAC policy on VM operations");
248
249 unsigned int mac_vnode_enforce = 1;
250 SYSCTL_UINT(_security_mac, OID_AUTO, vnode_enforce, CTLFLAG_RW | CTLFLAG_LOCKED,
251 &mac_vnode_enforce, 0, "Enforce MAC policy on vnode operations");
252
253
254 #if CONFIG_MACF_MACH
255 unsigned int mac_port_enforce = 0;
256 SYSCTL_UINT(_security_mac, OID_AUTO, port_enforce, CTLFLAG_RW | CTLFLAG_LOCKED,
257 &mac_port_enforce, 0, "Enforce MAC policy on Mach port operations");
258
259 unsigned int mac_task_enforce = 0;
260 SYSCTL_UINT(_security_mac, OID_AUTO, task_enforce, CTLFLAG_RW | CTLFLAG_LOCKED,
261 &mac_task_enforce, 0, "Enforce MAC policy on Mach task operations");
262 #endif
263
264 #if CONFIG_AUDIT
265 /*
266 * mac_audit_data_zone is the zone used for data pushed into the audit
267 * record by policies. Using a zone simplifies memory management of this
268 * data, and allows tracking of the amount of data in flight.
269 */
270 extern zone_t mac_audit_data_zone;
271 #endif
272
273 /*
274 * mac_policy_list holds the list of policy modules. Modules with a
275 * handle lower than staticmax are considered "static" and cannot be
276 * unloaded. Such policies can be invoked without holding the busy count.
277 *
278 * Modules with a handle at or above the staticmax high water mark
279 * are considered to be "dynamic" policies. A busy count is maintained
280 * for the list, stored in mac_policy_busy. The busy count is protected
281 * by mac_policy_mtx; the list may be modified only while the busy
282 * count is 0, requiring that the lock be held to prevent new references
283 * to the list from being acquired. For almost all operations,
284 * incrementing the busy count is sufficient to guarantee consistency,
285 * as the list cannot be modified while the busy count is elevated.
286 * For a few special operations involving a change to the list of
287 * active policies, the mtx itself must be held.
288 */
289 static lck_mtx_t *mac_policy_mtx;
290
291 /*
292 * Policy list array allocation chunk size. Trying to set this so that we
293 * allocate a page at a time.
294 */
295 #define MAC_POLICY_LIST_CHUNKSIZE 512
296
297 static int mac_policy_busy;
298
299 mac_policy_list_t mac_policy_list;
300
301 /*
302 * mac_label_element_list holds the master list of label namespaces for
303 * all the policies. When a policy is loaded, each of it's label namespace
304 * elements is added to the master list if not already present. When a
305 * policy is unloaded, the namespace elements are removed if no other
306 * policy is interested in that namespace element.
307 */
308 struct mac_label_element_list_t mac_label_element_list;
309 struct mac_label_element_list_t mac_static_label_element_list;
310
311 /*
312 * Journal of label operations that occur before policies are loaded.
313 */
314 struct mac_label_journal_list_t mac_label_journal_list;
315
316 int
317 mac_label_journal_add (struct label *l, int type)
318 {
319 struct mac_label_journal *mlj;
320
321 if (mac_label_journal_find(l))
322 return (0);
323
324 MALLOC(mlj, struct mac_label_journal *,
325 sizeof(struct mac_label_journal), M_MACTEMP, M_WAITOK);
326 mlj->l = l;
327 mlj->type = type;
328 TAILQ_INSERT_TAIL(&mac_label_journal_list, mlj, link);
329
330 return (0);
331 }
332
333 int
334 mac_label_journal_remove (struct label *l)
335 {
336 struct mac_label_journal *mlj;
337
338 mlj = mac_label_journal_find(l);
339 if (mlj == NULL)
340 return (-1);
341
342 TAILQ_REMOVE(&mac_label_journal_list, mlj, link);
343 FREE(mlj, M_MACTEMP);
344 return (0);
345 }
346
347 struct mac_label_journal *
348 mac_label_journal_find (struct label *l)
349 {
350 struct mac_label_journal *mlj;
351
352 TAILQ_FOREACH(mlj, &mac_label_journal_list, link) {
353 if (l == mlj->l)
354 return (mlj);
355 }
356
357 return (NULL);
358 }
359
360 int
361 mac_label_journal (struct label *l, int op, ...)
362 {
363 struct mac_label_journal *mlj;
364 va_list ap;
365
366 mlj = mac_label_journal_find(l);
367 if (mlj == NULL) {
368 printf("%s(): Label not in list!\n", __func__);
369 return (-1);
370 }
371
372 if (op == MLJ_PORT_OP_UPDATE) {
373 va_start(ap, op);
374 mlj->kotype = va_arg(ap, int);
375 va_end(ap);
376 }
377
378 mlj->ops |= op;
379 return (0);
380 }
381
382 /*
383 * The assumption during replay is that the system is totally
384 * serialized and no additional tasks/ports will be created.
385 */
386 void
387 mac_label_journal_replay (void)
388 {
389 struct mac_label_journal *mlj;
390
391 TAILQ_FOREACH(mlj, &mac_label_journal_list, link) {
392 switch (mlj->type) {
393 case MLJ_TYPE_PORT:
394 if (mlj->ops & MLJ_PORT_OP_INIT)
395 MAC_PERFORM(port_label_init, mlj->l);
396 if (mlj->ops & MLJ_PORT_OP_CREATE_K)
397 MAC_PERFORM(port_label_associate_kernel, mlj->l, 0);
398 if (mlj->ops & MLJ_PORT_OP_UPDATE)
399 MAC_PERFORM(port_label_update_kobject, mlj->l,
400 mlj->kotype);
401 break;
402 case MLJ_TYPE_TASK:
403 if (mlj->ops & MLJ_TASK_OP_INIT)
404 MAC_PERFORM(task_label_init, mlj->l);
405 #if 0
406 /* Not enough context to replay. */
407 if (mlj->ops & MLJ_TASK_OP_CREATE_K)
408 ;
409 #endif
410 break;
411 default:
412 break;
413 }
414 }
415
416 /* Free list */
417 while (!TAILQ_EMPTY(&mac_label_journal_list)) {
418 mlj = TAILQ_FIRST(&mac_label_journal_list);
419 TAILQ_REMOVE(&mac_label_journal_list, mlj, link);
420 FREE(mlj, M_MACTEMP);
421 }
422 return;
423 }
424
425 static __inline void
426 mac_policy_grab_exclusive(void)
427 {
428 lck_mtx_lock(mac_policy_mtx);
429 while (mac_policy_busy != 0) {
430 lck_mtx_sleep(mac_policy_mtx, LCK_SLEEP_UNLOCK,
431 (event_t)&mac_policy_busy, THREAD_UNINT);
432 lck_mtx_lock(mac_policy_mtx);
433 }
434 }
435
436 static __inline void
437 mac_policy_assert_exclusive(void)
438 {
439 lck_mtx_assert(mac_policy_mtx, LCK_MTX_ASSERT_OWNED);
440 KASSERT(mac_policy_busy == 0,
441 ("mac_policy_assert_exclusive(): not exclusive"));
442 }
443
444 static __inline void
445 mac_policy_release_exclusive(void)
446 {
447
448 KASSERT(mac_policy_busy == 0,
449 ("mac_policy_release_exclusive(): not exclusive"));
450 lck_mtx_unlock(mac_policy_mtx);
451 thread_wakeup((event_t) &mac_policy_busy);
452 }
453
454 void
455 mac_policy_list_busy(void)
456 {
457 lck_mtx_lock(mac_policy_mtx);
458 mac_policy_busy++;
459 lck_mtx_unlock(mac_policy_mtx);
460 }
461
462 int
463 mac_policy_list_conditional_busy(void)
464 {
465 int ret;
466
467 if (mac_policy_list.numloaded <= mac_policy_list.staticmax)
468 return(0);
469
470 lck_mtx_lock(mac_policy_mtx);
471 if (mac_policy_list.numloaded > mac_policy_list.staticmax) {
472 mac_policy_busy++;
473 ret = 1;
474 } else
475 ret = 0;
476 lck_mtx_unlock(mac_policy_mtx);
477 return (ret);
478 }
479
480 void
481 mac_policy_list_unbusy(void)
482 {
483 lck_mtx_lock(mac_policy_mtx);
484 mac_policy_busy--;
485 KASSERT(mac_policy_busy >= 0, ("MAC_POLICY_LIST_LOCK"));
486 if (mac_policy_busy == 0)
487 thread_wakeup(&mac_policy_busy);
488 lck_mtx_unlock(mac_policy_mtx);
489 }
490
491 /*
492 * Early pre-malloc MAC initialization, including appropriate SMP locks.
493 */
494 void
495 mac_policy_init(void)
496 {
497 lck_grp_attr_t *mac_lck_grp_attr;
498 lck_attr_t *mac_lck_attr;
499 lck_grp_t *mac_lck_grp;
500
501 mac_policy_list.numloaded = 0;
502 mac_policy_list.max = MAC_POLICY_LIST_CHUNKSIZE;
503 mac_policy_list.maxindex = 0;
504 mac_policy_list.staticmax = 0;
505 mac_policy_list.freehint = 0;
506 mac_policy_list.chunks = 1;
507
508 mac_policy_list.entries = kalloc(sizeof(struct mac_policy_list_element) * MAC_POLICY_LIST_CHUNKSIZE);
509 bzero(mac_policy_list.entries, sizeof(struct mac_policy_list_element) * MAC_POLICY_LIST_CHUNKSIZE);
510
511 LIST_INIT(&mac_label_element_list);
512 LIST_INIT(&mac_static_label_element_list);
513 TAILQ_INIT(&mac_label_journal_list);
514
515 mac_lck_grp_attr = lck_grp_attr_alloc_init();
516 lck_grp_attr_setstat(mac_lck_grp_attr);
517 mac_lck_grp = lck_grp_alloc_init("MAC lock", mac_lck_grp_attr);
518 mac_lck_attr = lck_attr_alloc_init();
519 lck_attr_setdefault(mac_lck_attr);
520 mac_policy_mtx = lck_mtx_alloc_init(mac_lck_grp, mac_lck_attr);
521 lck_attr_free(mac_lck_attr);
522 lck_grp_attr_free(mac_lck_grp_attr);
523 lck_grp_free(mac_lck_grp);
524
525 mac_labelzone_init();
526 }
527
528 /* Function pointer set up for loading security extensions.
529 * It is set to an actual function after OSlibkernInit()
530 * has been called, and is set back to 0 by OSKextRemoveKextBootstrap()
531 * after bsd_init().
532 */
533 void (*load_security_extensions_function)(void) = 0;
534
535 /*
536 * Init after early Mach startup, but before BSD
537 */
538 void
539 mac_policy_initmach(void)
540 {
541
542 /*
543 * For the purposes of modules that want to know if they were
544 * loaded "early", set the mac_late flag once we've processed
545 * modules either linked into the kernel, or loaded before the
546 * kernel startup.
547 */
548
549 if (load_security_extensions_function) {
550 load_security_extensions_function();
551 }
552 mac_late = 1;
553 #if CONFIG_MACF_MACH
554 mac_label_journal_replay();
555 #endif
556 }
557
558 /*
559 * BSD startup.
560 */
561 void
562 mac_policy_initbsd(void)
563 {
564 struct mac_policy_conf *mpc;
565 u_int i;
566
567 #if CONFIG_AUDIT
568 mac_audit_data_zone = zinit(MAC_AUDIT_DATA_LIMIT,
569 AQ_HIWATER * MAC_AUDIT_DATA_LIMIT,
570 8192, "mac_audit_data_zone");
571 #endif
572
573 printf("MAC Framework successfully initialized\n");
574
575 /* Call bsd init functions of already loaded policies */
576
577 /*
578 * Using the exclusive lock means no other framework entry
579 * points can proceed while initializations are running.
580 * This may not be necessary.
581 */
582 mac_policy_grab_exclusive();
583
584 for (i = 0; i <= mac_policy_list.maxindex; i++) {
585 mpc = mac_get_mpc(i);
586 if ((mpc != NULL) && (mpc->mpc_ops->mpo_policy_initbsd != NULL))
587 (*(mpc->mpc_ops->mpo_policy_initbsd))(mpc);
588 }
589
590 mac_policy_release_exclusive();
591 }
592
593 /*
594 * After a policy has been loaded, add the label namespaces managed by the
595 * policy to either the static or non-static label namespace list.
596 * A namespace is added to the the list only if it is not already on one of
597 * the lists.
598 */
599 void
600 mac_policy_addto_labellist(mac_policy_handle_t handle, int static_entry)
601 {
602 struct mac_label_listener **new_mlls;
603 struct mac_label_element *mle, **new_mles;
604 struct mac_label_element_list_t *list;
605 struct mac_policy_conf *mpc;
606 const char *name, *name2;
607 u_int idx, mle_free, mll_free;
608
609 mpc = mac_get_mpc(handle);
610
611 if (mpc->mpc_labelnames == NULL)
612 return;
613
614 if (mpc->mpc_labelname_count == 0)
615 return;
616
617 if (static_entry)
618 list = &mac_static_label_element_list;
619 else
620 list = &mac_label_element_list;
621
622 /*
623 * Before we grab the policy list lock, allocate enough memory
624 * to contain the potential new elements so we don't have to
625 * give up the lock, or allocate with the lock held.
626 */
627 MALLOC(new_mles, struct mac_label_element **,
628 sizeof(struct mac_label_element *) *
629 mpc->mpc_labelname_count, M_MACTEMP, M_WAITOK | M_ZERO);
630 for (idx = 0; idx < mpc->mpc_labelname_count; idx++)
631 MALLOC(new_mles[idx], struct mac_label_element *,
632 sizeof(struct mac_label_element),
633 M_MACTEMP, M_WAITOK);
634 mle_free = 0;
635 MALLOC(new_mlls, struct mac_label_listener **,
636 sizeof(struct mac_label_listener *) *
637 mpc->mpc_labelname_count, M_MACTEMP, M_WAITOK);
638 for (idx = 0; idx < mpc->mpc_labelname_count; idx++)
639 MALLOC(new_mlls[idx], struct mac_label_listener *,
640 sizeof(struct mac_label_listener), M_MACTEMP, M_WAITOK);
641 mll_free = 0;
642
643 if (mac_late)
644 mac_policy_grab_exclusive();
645 for (idx = 0; idx < mpc->mpc_labelname_count; idx++) {
646
647 if (*(name = mpc->mpc_labelnames[idx]) == '?')
648 name++;
649 /*
650 * Check both label element lists and add to the
651 * appropriate list only if not already on a list.
652 */
653 LIST_FOREACH(mle, &mac_static_label_element_list, mle_list) {
654 if (*(name2 = mle->mle_name) == '?')
655 name2++;
656 if (strcmp(name, name2) == 0)
657 break;
658 }
659 if (mle == NULL) {
660 LIST_FOREACH(mle, &mac_label_element_list, mle_list) {
661 if (*(name2 = mle->mle_name) == '?')
662 name2++;
663 if (strcmp(name, name2) == 0)
664 break;
665 }
666 }
667 if (mle == NULL) {
668 mle = new_mles[mle_free];
669 strlcpy(mle->mle_name, mpc->mpc_labelnames[idx],
670 MAC_MAX_LABEL_ELEMENT_NAME);
671 LIST_INIT(&mle->mle_listeners);
672 LIST_INSERT_HEAD(list, mle, mle_list);
673 mle_free++;
674 }
675 /* Add policy handler as a listener. */
676 new_mlls[mll_free]->mll_handle = handle;
677 LIST_INSERT_HEAD(&mle->mle_listeners, new_mlls[mll_free],
678 mll_list);
679 mll_free++;
680 }
681 if (mac_late)
682 mac_policy_release_exclusive();
683
684 /* Free up any unused label elements and listeners */
685 for (idx = mle_free; idx < mpc->mpc_labelname_count; idx++)
686 FREE(new_mles[idx], M_MACTEMP);
687 FREE(new_mles, M_MACTEMP);
688 for (idx = mll_free; idx < mpc->mpc_labelname_count; idx++)
689 FREE(new_mlls[idx], M_MACTEMP);
690 FREE(new_mlls, M_MACTEMP);
691 }
692
693 /*
694 * After a policy has been unloaded, remove the label namespaces that the
695 * the policy manages from the non-static list of namespaces.
696 * The removal only takes place when no other policy is interested in the
697 * namespace.
698 *
699 * Must be called with the policy exclusive lock held.
700 */
701 void
702 mac_policy_removefrom_labellist(mac_policy_handle_t handle)
703 {
704 struct mac_label_listener *mll;
705 struct mac_label_element *mle;
706 struct mac_policy_conf *mpc;
707
708 mpc = mac_get_mpc(handle);
709
710 if (mpc->mpc_labelnames == NULL)
711 return;
712
713 if (mpc->mpc_labelname_count == 0)
714 return;
715
716 /*
717 * Unregister policy as being interested in any label
718 * namespaces. If no other policy is listening, remove
719 * that label element from the list. Note that we only
720 * have to worry about the non-static list.
721 */
722 LIST_FOREACH(mle, &mac_label_element_list, mle_list) {
723 LIST_FOREACH(mll, &mle->mle_listeners, mll_list) {
724 if (mll->mll_handle == handle) {
725 LIST_REMOVE(mll, mll_list);
726 FREE(mll, M_MACTEMP);
727 if (LIST_EMPTY(&mle->mle_listeners)) {
728 LIST_REMOVE(mle, mle_list);
729 FREE(mle, M_MACTEMP);
730 }
731 return;
732 }
733 }
734 }
735 }
736
737 /*
738 * After the policy list has changed, walk the list to update any global
739 * flags.
740 */
741 static void
742 mac_policy_updateflags(void)
743 {
744 }
745
746 static __inline void
747 mac_policy_fixup_mmd_list(struct mac_module_data *new)
748 {
749 struct mac_module_data *old;
750 struct mac_module_data_element *ele, *aele;
751 struct mac_module_data_list *arr, *dict;
752 unsigned int i, j, k;
753
754 old = new->base_addr;
755 DPRINTF(("fixup_mmd: old %p new %p\n", old, new));
756 for (i = 0; i < new->count; i++) {
757 ele = &(new->data[i]);
758 DPRINTF(("fixup_mmd: ele %p\n", ele));
759 DPRINTF((" key %p value %p\n", ele->key, ele->value));
760 mmd_fixup_ele(old, new, ele); /* Fix up key/value ptrs. */
761 DPRINTF((" key %p value %p\n", ele->key, ele->value));
762 if (ele->value_type == MAC_DATA_TYPE_ARRAY) {
763 arr = (struct mac_module_data_list *)ele->value;
764 DPRINTF(("fixup_mmd: array @%p\n", arr));
765 for (j = 0; j < arr->count; j++) {
766 aele = &(arr->list[j]);
767 DPRINTF(("fixup_mmd: aele %p\n", aele));
768 DPRINTF((" key %p value %p\n", aele->key, aele->value));
769 mmd_fixup_ele(old, new, aele);
770 DPRINTF((" key %p value %p\n", aele->key, aele->value));
771 if (arr->type == MAC_DATA_TYPE_DICT) {
772 dict = (struct mac_module_data_list *)aele->value;
773 DPRINTF(("fixup_mmd: dict @%p\n", dict));
774 for (k = 0; k < dict->count; k++)
775 mmd_fixup_ele(old, new,
776 &(dict->list[k]));
777 }
778 }
779 }
780 }
781 new->base_addr = new;
782 }
783
784 int
785 mac_policy_register(struct mac_policy_conf *mpc, mac_policy_handle_t *handlep,
786 void *xd)
787 {
788 struct mac_policy_list_element *tmac_policy_list_element;
789 int error, slot, static_entry = 0;
790 u_int i;
791
792 /*
793 * Some preliminary checks to make sure the policy's conf structure
794 * contains the required fields.
795 */
796 if (mpc->mpc_name == NULL)
797 panic("policy's name is not set\n");
798
799 if (mpc->mpc_fullname == NULL)
800 panic("policy's full name is not set\n");
801
802 if (mpc->mpc_labelname_count > MAC_MAX_MANAGED_NAMESPACES)
803 panic("policy's managed label namespaces exceeds maximum\n");
804
805 if (mpc->mpc_ops == NULL)
806 panic("policy's OPs field is NULL\n");
807
808 error = 0;
809
810 if (mac_late) {
811 if (mpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_NOTLATE) {
812 printf("Module %s does not support late loading.\n",
813 mpc->mpc_name);
814 return (EPERM);
815 }
816 mac_policy_grab_exclusive();
817 }
818
819 if (mac_policy_list.numloaded >= mac_policy_list.max) {
820 /* allocate new policy list array, zero new chunk */
821 tmac_policy_list_element =
822 kalloc((sizeof(struct mac_policy_list_element) *
823 MAC_POLICY_LIST_CHUNKSIZE) * (mac_policy_list.chunks + 1));
824 bzero(&tmac_policy_list_element[mac_policy_list.max],
825 sizeof(struct mac_policy_list_element) *
826 MAC_POLICY_LIST_CHUNKSIZE);
827
828 /* copy old entries into new list */
829 memcpy(tmac_policy_list_element, mac_policy_list.entries,
830 sizeof(struct mac_policy_list_element) *
831 MAC_POLICY_LIST_CHUNKSIZE * mac_policy_list.chunks);
832
833 /* free old array */
834 kfree(mac_policy_list.entries,
835 sizeof(struct mac_policy_list_element) *
836 MAC_POLICY_LIST_CHUNKSIZE * mac_policy_list.chunks);
837
838 mac_policy_list.entries = tmac_policy_list_element;
839
840 /* Update maximums, etc */
841 mac_policy_list.max += MAC_POLICY_LIST_CHUNKSIZE;
842 mac_policy_list.chunks++;
843 }
844
845 /* Check for policy with same name already loaded */
846 for (i = 0; i <= mac_policy_list.maxindex; i++) {
847 if (mac_policy_list.entries[i].mpc == NULL)
848 continue;
849
850 if (strcmp(mac_policy_list.entries[i].mpc->mpc_name,
851 mpc->mpc_name) == 0) {
852 error = EEXIST;
853 goto out;
854 }
855 }
856
857 if (mpc->mpc_field_off != NULL) {
858 slot = ffs(mac_slot_offsets_free);
859 if (slot == 0) {
860 error = ENOMEM;
861 goto out;
862 }
863 slot--;
864 mac_slot_offsets_free &= ~(1 << slot);
865 *mpc->mpc_field_off = slot;
866 }
867 mpc->mpc_runtime_flags |= MPC_RUNTIME_FLAG_REGISTERED;
868
869 if (xd) {
870 struct mac_module_data *mmd = xd; /* module data from plist */
871
872 /* Make a copy of the data. */
873 mpc->mpc_data = (void *)kalloc(mmd->size);
874 if (mpc->mpc_data != NULL) {
875 memcpy(mpc->mpc_data, mmd, mmd->size);
876
877 /* Fix up pointers after copy. */
878 mac_policy_fixup_mmd_list(mpc->mpc_data);
879 }
880 }
881
882 /* Find the first free handle in the list (using our hint). */
883 for (i = mac_policy_list.freehint; i < mac_policy_list.max; i++) {
884 if (mac_policy_list.entries[i].mpc == NULL) {
885 *handlep = i;
886 mac_policy_list.freehint = ++i;
887 break;
888 }
889 }
890
891 /*
892 * If we are loading a MAC module before the framework has
893 * finished initializing or the module is not unloadable and
894 * we can place its handle adjacent to the last static entry,
895 * bump the static policy high water mark.
896 * Static policies can get by with weaker locking requirements.
897 */
898 if (!mac_late ||
899 ((mpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_UNLOADOK) == 0 &&
900 *handlep == mac_policy_list.staticmax)) {
901 static_entry = 1;
902 mac_policy_list.staticmax++;
903 }
904
905 mac_policy_list.entries[*handlep].mpc = mpc;
906
907 /* Update counters, etc */
908 if (*handlep > mac_policy_list.maxindex)
909 mac_policy_list.maxindex = *handlep;
910 mac_policy_list.numloaded++;
911
912 /* Per-policy initialization. */
913 printf ("calling mpo_policy_init for %s\n", mpc->mpc_name);
914 if (mpc->mpc_ops->mpo_policy_init != NULL)
915 (*(mpc->mpc_ops->mpo_policy_init))(mpc);
916
917 if (mac_late && mpc->mpc_ops->mpo_policy_initbsd != NULL) {
918 printf ("calling mpo_policy_initbsd for %s\n", mpc->mpc_name);
919 (*(mpc->mpc_ops->mpo_policy_initbsd))(mpc);
920 }
921
922 mac_policy_updateflags();
923
924 if (mac_late)
925 mac_policy_release_exclusive();
926
927 mac_policy_addto_labellist(*handlep, static_entry);
928
929 printf("Security policy loaded: %s (%s)\n", mpc->mpc_fullname,
930 mpc->mpc_name);
931
932 return (0);
933
934 out:
935 if (mac_late)
936 mac_policy_release_exclusive();
937
938 return (error);
939 }
940
941 int
942 mac_policy_unregister(mac_policy_handle_t handle)
943 {
944 struct mac_policy_conf *mpc;
945
946 /*
947 * If we fail the load, we may get a request to unload. Check
948 * to see if we did the run-time registration, and if not,
949 * silently succeed.
950 */
951 mac_policy_grab_exclusive();
952 mpc = mac_get_mpc(handle);
953 if ((mpc->mpc_runtime_flags & MPC_RUNTIME_FLAG_REGISTERED) == 0) {
954 mac_policy_release_exclusive();
955 return (0);
956 }
957
958 #if 0
959 /*
960 * Don't allow unloading modules with private data.
961 */
962 if (mpc->mpc_field_off != NULL) {
963 MAC_POLICY_LIST_UNLOCK();
964 return (EBUSY);
965 }
966 #endif
967 /*
968 * Only allow the unload to proceed if the module is unloadable
969 * by its own definition.
970 */
971 if ((mpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_UNLOADOK) == 0) {
972 mac_policy_release_exclusive();
973 return (EBUSY);
974 }
975
976 mac_policy_removefrom_labellist(handle);
977
978 mac_get_mpc(handle) = NULL;
979 if (handle < mac_policy_list.freehint &&
980 handle >= mac_policy_list.staticmax)
981 mac_policy_list.freehint = handle;
982
983 if (handle == mac_policy_list.maxindex)
984 mac_policy_list.maxindex--;
985
986 mac_policy_list.numloaded--;
987 if (mpc->mpc_field_off != NULL) {
988 mac_slot_offsets_free |= (1 << *mpc->mpc_field_off);
989 }
990
991 if (mpc->mpc_ops->mpo_policy_destroy != NULL)
992 (*(mpc->mpc_ops->mpo_policy_destroy))(mpc);
993
994 mpc->mpc_runtime_flags &= ~MPC_RUNTIME_FLAG_REGISTERED;
995 mac_policy_updateflags();
996
997 mac_policy_release_exclusive();
998
999 if (mpc->mpc_data) {
1000 struct mac_module_data *mmd = mpc->mpc_data;
1001 kfree(mmd, mmd->size);
1002 mpc->mpc_data = NULL;
1003 }
1004
1005 printf("Security policy unload: %s (%s)\n", mpc->mpc_fullname,
1006 mpc->mpc_name);
1007
1008 return (0);
1009 }
1010
1011 /*
1012 * Define an error value precedence, and given two arguments, selects the
1013 * value with the higher precedence.
1014 */
1015 int
1016 mac_error_select(int error1, int error2)
1017 {
1018
1019 /* Certain decision-making errors take top priority. */
1020 if (error1 == EDEADLK || error2 == EDEADLK)
1021 return (EDEADLK);
1022
1023 /* Invalid arguments should be reported where possible. */
1024 if (error1 == EINVAL || error2 == EINVAL)
1025 return (EINVAL);
1026
1027 /* Precedence goes to "visibility", with both process and file. */
1028 if (error1 == ESRCH || error2 == ESRCH)
1029 return (ESRCH);
1030
1031 if (error1 == ENOENT || error2 == ENOENT)
1032 return (ENOENT);
1033
1034 /* Precedence goes to DAC/MAC protections. */
1035 if (error1 == EACCES || error2 == EACCES)
1036 return (EACCES);
1037
1038 /* Precedence goes to privilege. */
1039 if (error1 == EPERM || error2 == EPERM)
1040 return (EPERM);
1041
1042 /* Precedence goes to error over success; otherwise, arbitrary. */
1043 if (error1 != 0)
1044 return (error1);
1045 return (error2);
1046 }
1047
1048 void
1049 mac_label_init(struct label *label)
1050 {
1051
1052 bzero(label, sizeof(*label));
1053 label->l_flags = MAC_FLAG_INITIALIZED;
1054 }
1055
1056 void
1057 mac_label_destroy(struct label *label)
1058 {
1059
1060 KASSERT(label->l_flags & MAC_FLAG_INITIALIZED,
1061 ("destroying uninitialized label"));
1062
1063 bzero(label, sizeof(*label));
1064 /* implicit: label->l_flags &= ~MAC_FLAG_INITIALIZED; */
1065 }
1066
1067 int
1068 mac_port_check_service (struct label *subj, struct label *obj,
1069 const char *s, const char *p)
1070 {
1071 int error;
1072
1073 MAC_CHECK(port_check_service, subj, obj, s, p);
1074 return (error);
1075 }
1076
1077 int
1078 mac_port_label_compute(struct label *subj, struct label *obj,
1079 const char *s, struct label *out)
1080 {
1081 int error;
1082
1083 MAC_CHECK(port_label_compute, subj, obj, s, out);
1084 return error;
1085 }
1086
1087 int
1088 mac_check_structmac_consistent(struct user_mac *mac)
1089 {
1090
1091 if (mac->m_buflen > MAC_MAX_LABEL_BUF_LEN || mac->m_buflen == 0)
1092 return (EINVAL);
1093
1094 return (0);
1095 }
1096
1097 /*
1098 * Get the external forms of labels from all policies, for a single
1099 * label namespace or "*" for all namespaces. Returns ENOENT if no policy
1100 * is registered for the namespace, unless the namespace begins with a '?'.
1101 */
1102 static int
1103 mac_label_externalize(size_t mpo_externalize_off, struct label *label,
1104 const char *element, struct sbuf *sb)
1105 {
1106 struct mac_policy_conf *mpc;
1107 struct mac_label_listener *mll;
1108 struct mac_label_element *mle;
1109 struct mac_label_element_list_t *element_list;
1110 const char *name;
1111 int (*mpo_externalize)(struct label *, char *, struct sbuf *);
1112 int all_labels = 0, ignorenotfound = 0, error = 0, busy = FALSE;
1113 unsigned int count = 0;
1114
1115 if (element[0] == '?') {
1116 element++;
1117 ignorenotfound = 1;
1118 } else if (element[0] == '*' && element[1] == '\0')
1119 all_labels = 1;
1120
1121 element_list = &mac_static_label_element_list;
1122 element_loop:
1123 LIST_FOREACH(mle, element_list, mle_list) {
1124 name = mle->mle_name;
1125 if (all_labels) {
1126 if (*name == '?')
1127 continue;
1128 } else {
1129 if (*name == '?')
1130 name++;
1131 if (strcmp(name, element) != 0)
1132 continue;
1133 }
1134 LIST_FOREACH(mll, &mle->mle_listeners, mll_list) {
1135 mpc = mac_policy_list.entries[mll->mll_handle].mpc;
1136 if (mpc == NULL)
1137 continue;
1138 mpo_externalize = *(typeof(mpo_externalize) *)
1139 ((char *)mpc->mpc_ops + mpo_externalize_off);
1140 if (mpo_externalize == NULL)
1141 continue;
1142 error = sbuf_printf(sb, "%s/", name);
1143 if (error)
1144 goto done;
1145 error = mpo_externalize(label, mle->mle_name, sb);
1146 if (error) {
1147 if (error != ENOENT)
1148 goto done;
1149 /*
1150 * If a policy doesn't have a label to
1151 * externalize it returns ENOENT. This
1152 * may occur for policies that support
1153 * multiple label elements for some
1154 * (but not all) object types.
1155 */
1156 sbuf_setpos(sb, sbuf_len(sb) -
1157 (strlen(name) + 1));
1158 error = 0;
1159 continue;
1160 }
1161 error = sbuf_putc(sb, ',');
1162 if (error)
1163 goto done;
1164 count++;
1165 }
1166 }
1167 /* If there are dynamic policies present, check their elements too. */
1168 if (!busy && mac_policy_list_conditional_busy() == 1) {
1169 element_list = &mac_label_element_list;
1170 busy = TRUE;
1171 goto element_loop;
1172 }
1173 done:
1174 if (busy)
1175 mac_policy_list_unbusy();
1176 if (!error && count == 0) {
1177 if (!all_labels && !ignorenotfound)
1178 error = ENOENT; /* XXX: ENOLABEL? */
1179 }
1180 return (error);
1181 }
1182
1183 /*
1184 * Get the external forms of labels from all policies, for all label
1185 * namespaces contained in a list.
1186 *
1187 * XXX This may be leaking an sbuf.
1188 */
1189 int
1190 mac_externalize(size_t mpo_externalize_off, struct label *label,
1191 const char *elementlist, char *outbuf, size_t outbuflen)
1192 {
1193 char *element;
1194 char *scratch_base;
1195 char *scratch;
1196 struct sbuf sb;
1197 int error = 0, len;
1198
1199 /* allocate a scratch buffer the size of the string */
1200 MALLOC(scratch_base, char *, strlen(elementlist)+1, M_MACTEMP, M_WAITOK);
1201 if (scratch_base == NULL) {
1202 error = ENOMEM;
1203 goto out;
1204 }
1205
1206 /* copy the elementlist to the scratch buffer */
1207 strlcpy(scratch_base, elementlist, strlen(elementlist)+1);
1208
1209 /*
1210 * set up a temporary pointer that can be used to iterate the
1211 * scratch buffer without losing the allocation address
1212 */
1213 scratch = scratch_base;
1214
1215 /* get an sbuf */
1216 if (sbuf_new(&sb, outbuf, outbuflen, SBUF_FIXEDLEN) == NULL) {
1217 /* could not allocate interior buffer */
1218 error = ENOMEM;
1219 goto out;
1220 }
1221 /* iterate the scratch buffer; NOTE: buffer contents modified! */
1222 while ((element = strsep(&scratch, ",")) != NULL) {
1223 error = mac_label_externalize(mpo_externalize_off, label,
1224 element, &sb);
1225 if (error)
1226 break;
1227 }
1228 if ((len = sbuf_len(&sb)) > 0)
1229 sbuf_setpos(&sb, len - 1); /* trim trailing comma */
1230 sbuf_finish(&sb);
1231
1232 out:
1233 if (scratch_base != NULL)
1234 FREE(scratch_base, M_MACTEMP);
1235
1236 return (error);
1237 }
1238
1239 /*
1240 * Have all policies set the internal form of a label, for a single
1241 * label namespace.
1242 */
1243 static int
1244 mac_label_internalize(size_t mpo_internalize_off, struct label *label,
1245 char *element_name, char *element_data)
1246 {
1247 struct mac_policy_conf *mpc;
1248 struct mac_label_listener *mll;
1249 struct mac_label_element *mle;
1250 struct mac_label_element_list_t *element_list;
1251 int (*mpo_internalize)(struct label *, char *, char *);
1252 int error = 0, busy = FALSE;
1253 unsigned int count = 0;
1254 const char *name;
1255
1256 element_list = &mac_static_label_element_list;
1257 element_loop:
1258 LIST_FOREACH(mle, element_list, mle_list) {
1259 if (*(name = mle->mle_name) == '?')
1260 name++;
1261 if (strcmp(element_name, name) != 0)
1262 continue;
1263 LIST_FOREACH(mll, &mle->mle_listeners, mll_list) {
1264 mpc = mac_policy_list.entries[mll->mll_handle].mpc;
1265 if (mpc == NULL)
1266 continue;
1267 mpo_internalize = *(typeof(mpo_internalize) *)
1268 ((char *)mpc->mpc_ops + mpo_internalize_off);
1269 if (mpo_internalize == NULL)
1270 continue;
1271 error = mpo_internalize(label, element_name,
1272 element_data);
1273 if (error)
1274 goto done;
1275 count++;
1276 }
1277 }
1278 /* If there are dynamic policies present, check their elements too. */
1279 if (!busy && mac_policy_list_conditional_busy() == 1) {
1280 element_list = &mac_label_element_list;
1281 busy = TRUE;
1282 goto element_loop;
1283 }
1284 done:
1285 if (busy)
1286 mac_policy_list_unbusy();
1287 if (!error && count == 0)
1288 error = ENOPOLICY;
1289 return (error);
1290 }
1291
1292 int
1293 mac_internalize(size_t mpo_internalize_off, struct label *label,
1294 char *textlabels)
1295 {
1296 char *element_name, *element_data;
1297 int error = 0;
1298
1299 while (!error && (element_name = strsep(&textlabels, ",")) != NULL) {
1300 element_data = strchr(element_name, '/');
1301 if (element_data == NULL) {
1302 error = EINVAL;
1303 break;
1304 }
1305 *element_data++ = '\0';
1306 error = mac_label_internalize(mpo_internalize_off, label,
1307 element_name, element_data);
1308 }
1309 return (error);
1310 }
1311
1312 /* system calls */
1313
1314 int
1315 __mac_get_pid(struct proc *p, struct __mac_get_pid_args *uap, int *ret __unused)
1316 {
1317 char *elements, *buffer;
1318 struct user_mac mac;
1319 struct proc *tproc;
1320 struct ucred *tcred;
1321 int error;
1322 size_t ulen;
1323
1324 AUDIT_ARG(pid, uap->pid);
1325 if (IS_64BIT_PROCESS(p)) {
1326 struct user64_mac mac64;
1327 error = copyin(uap->mac_p, &mac64, sizeof(mac64));
1328 mac.m_buflen = mac64.m_buflen;
1329 mac.m_string = mac64.m_string;
1330 } else {
1331 struct user32_mac mac32;
1332 error = copyin(uap->mac_p, &mac32, sizeof(mac32));
1333 mac.m_buflen = mac32.m_buflen;
1334 mac.m_string = mac32.m_string;
1335 }
1336 if (error)
1337 return (error);
1338
1339 error = mac_check_structmac_consistent(&mac);
1340 if (error)
1341 return (error);
1342
1343 tproc = proc_find(uap->pid);
1344 if (tproc == NULL)
1345 return (ESRCH);
1346 tcred = kauth_cred_proc_ref(tproc);
1347 proc_rele(tproc);
1348
1349 MALLOC(elements, char *, mac.m_buflen, M_MACTEMP, M_WAITOK);
1350 error = copyinstr(mac.m_string, elements, mac.m_buflen, &ulen);
1351 if (error) {
1352 FREE(elements, M_MACTEMP);
1353 kauth_cred_unref(&tcred);
1354 return (error);
1355 }
1356 AUDIT_ARG(mac_string, elements);
1357
1358 MALLOC(buffer, char *, mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
1359 error = mac_cred_label_externalize(tcred->cr_label, elements,
1360 buffer, mac.m_buflen, M_WAITOK);
1361 if (error == 0)
1362 error = copyout(buffer, mac.m_string, strlen(buffer)+1);
1363
1364 FREE(buffer, M_MACTEMP);
1365 FREE(elements, M_MACTEMP);
1366 kauth_cred_unref(&tcred);
1367 return (error);
1368 }
1369
1370 int
1371 __mac_get_proc(proc_t p, struct __mac_get_proc_args *uap, int *ret __unused)
1372 {
1373 char *elements, *buffer;
1374 struct user_mac mac;
1375 kauth_cred_t cr;
1376 int error;
1377 size_t ulen;
1378
1379 if (IS_64BIT_PROCESS(p)) {
1380 struct user64_mac mac64;
1381 error = copyin(uap->mac_p, &mac64, sizeof(mac64));
1382 mac.m_buflen = mac64.m_buflen;
1383 mac.m_string = mac64.m_string;
1384 } else {
1385 struct user32_mac mac32;
1386 error = copyin(uap->mac_p, &mac32, sizeof(mac32));
1387 mac.m_buflen = mac32.m_buflen;
1388 mac.m_string = mac32.m_string;
1389 }
1390 if (error)
1391 return (error);
1392
1393 error = mac_check_structmac_consistent(&mac);
1394 if (error)
1395 return (error);
1396
1397 MALLOC(elements, char *, mac.m_buflen, M_MACTEMP, M_WAITOK);
1398 error = copyinstr(mac.m_string, elements, mac.m_buflen, &ulen);
1399 if (error) {
1400 FREE(elements, M_MACTEMP);
1401 return (error);
1402 }
1403 AUDIT_ARG(mac_string, elements);
1404
1405 cr = kauth_cred_proc_ref(p);
1406
1407 MALLOC(buffer, char *, mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
1408 error = mac_cred_label_externalize(cr->cr_label,
1409 elements, buffer, mac.m_buflen, M_WAITOK);
1410 if (error == 0)
1411 error = copyout(buffer, mac.m_string, strlen(buffer)+1);
1412
1413 FREE(buffer, M_MACTEMP);
1414 FREE(elements, M_MACTEMP);
1415 kauth_cred_unref(&cr);
1416 return (error);
1417 }
1418
1419 int
1420 __mac_set_proc(proc_t p, struct __mac_set_proc_args *uap, int *ret __unused)
1421 {
1422 kauth_cred_t newcred;
1423 struct label *intlabel;
1424 struct user_mac mac;
1425 char *buffer;
1426 int error;
1427 size_t ulen;
1428
1429 if (IS_64BIT_PROCESS(p)) {
1430 struct user64_mac mac64;
1431 error = copyin(uap->mac_p, &mac64, sizeof(mac64));
1432 mac.m_buflen = mac64.m_buflen;
1433 mac.m_string = mac64.m_string;
1434 } else {
1435 struct user32_mac mac32;
1436 error = copyin(uap->mac_p, &mac32, sizeof(mac32));
1437 mac.m_buflen = mac32.m_buflen;
1438 mac.m_string = mac32.m_string;
1439 }
1440 if (error)
1441 return (error);
1442
1443 error = mac_check_structmac_consistent(&mac);
1444 if (error)
1445 return (error);
1446
1447 MALLOC(buffer, char *, mac.m_buflen, M_MACTEMP, M_WAITOK);
1448 error = copyinstr(mac.m_string, buffer, mac.m_buflen, &ulen);
1449 if (error) {
1450 FREE(buffer, M_MACTEMP);
1451 return (error);
1452 }
1453 AUDIT_ARG(mac_string, buffer);
1454
1455 intlabel = mac_cred_label_alloc();
1456 error = mac_cred_label_internalize(intlabel, buffer);
1457 FREE(buffer, M_MACTEMP);
1458 if (error)
1459 goto out;
1460
1461 error = mac_cred_check_label_update(kauth_cred_get(), intlabel);
1462 if (error) {
1463 goto out;
1464 }
1465
1466 error = kauth_proc_label_update(p, intlabel);
1467 if (error)
1468 goto out;
1469
1470 newcred = kauth_cred_proc_ref(p);
1471 mac_task_label_update_cred(newcred, p->task);
1472
1473 #if 0
1474 if (mac_vm_enforce) {
1475 mutex_lock(Giant); /* XXX FUNNEL? */
1476 mac_cred_mmapped_drop_perms(p, newcred);
1477 mutex_unlock(Giant); /* XXX FUNNEL? */
1478 }
1479 #endif
1480
1481 kauth_cred_unref(&newcred);
1482 out:
1483 mac_cred_label_free(intlabel);
1484 return (error);
1485 }
1486
1487 #if CONFIG_LCTX
1488 /*
1489 * __mac_get_lcid:
1490 * Get login context ID. A login context associates a BSD process
1491 * with an instance of a user. For more information see getlcid(2) man page.
1492 *
1493 * Parameters: p Process requesting the get
1494 * uap User argument descriptor (see below)
1495 * ret (ignored)
1496 *
1497 * Indirect: uap->lcid login context ID to search
1498 * uap->mac_p.m_buflen MAC info buffer size
1499 * uap->mac_p.m_string MAC info user address
1500 *
1501 * Returns: 0 Success
1502 * !0 Not success
1503 */
1504 int
1505 __mac_get_lcid(proc_t p, struct __mac_get_lcid_args *uap, int *ret __unused)
1506 {
1507 char *elements, *buffer;
1508 struct user_mac mac;
1509 struct lctx *l;
1510 int error;
1511 size_t ulen;
1512
1513 AUDIT_ARG(value32, uap->lcid);
1514 if (IS_64BIT_PROCESS(p)) {
1515 struct user64_mac mac64;
1516 error = copyin(uap->mac_p, &mac64, sizeof(mac64));
1517 mac.m_buflen = mac64.m_buflen;
1518 mac.m_string = mac64.m_string;
1519 } else {
1520 struct user32_mac mac32;
1521 error = copyin(uap->mac_p, &mac32, sizeof(mac32));
1522 mac.m_buflen = mac32.m_buflen;
1523 mac.m_string = mac32.m_string;
1524 }
1525
1526 if (error)
1527 return (error);
1528
1529 error = mac_check_structmac_consistent(&mac);
1530 if (error)
1531 return (error);
1532
1533 l = lcfind(uap->lcid);
1534 if (l == NULL)
1535 return (ESRCH);
1536
1537 MALLOC(elements, char *, mac.m_buflen, M_MACTEMP, M_WAITOK);
1538 error = copyinstr(mac.m_string, elements, mac.m_buflen, &ulen);
1539 if (error) {
1540 LCTX_UNLOCK(l);
1541 FREE(elements, M_MACTEMP);
1542 return (error);
1543 }
1544 AUDIT_ARG(mac_string, elements);
1545 MALLOC(buffer, char *, mac.m_buflen, M_MACTEMP, M_WAITOK);
1546 error = mac_lctx_label_externalize(l->lc_label, elements,
1547 buffer, mac.m_buflen);
1548 if (error == 0)
1549 error = copyout(buffer, mac.m_string, strlen(buffer)+1);
1550
1551 LCTX_UNLOCK(l);
1552 FREE(buffer, M_MACTEMP);
1553 FREE(elements, M_MACTEMP);
1554 return (error);
1555 }
1556
1557 /*
1558 * __mac_get_lctx:
1559 * Get login context label. A login context associates a BSD process
1560 * associated with an instance of a user.
1561 *
1562 * Parameters: p Process requesting the get
1563 * uap User argument descriptor (see below)
1564 * ret (ignored)
1565 *
1566 * Indirect: uap->lcid login context ID to search
1567 * uap->mac_p MAC info
1568 *
1569 * Returns: 0 Success
1570 * !0 Not success
1571 *
1572 */
1573 int
1574 __mac_get_lctx(proc_t p, struct __mac_get_lctx_args *uap, int *ret __unused)
1575 {
1576 char *elements, *buffer;
1577 struct user_mac mac;
1578 int error;
1579 size_t ulen;
1580
1581 if (IS_64BIT_PROCESS(p)) {
1582 struct user64_mac mac64;
1583 error = copyin(uap->mac_p, &mac64, sizeof(mac64));
1584 mac.m_buflen = mac64.m_buflen;
1585 mac.m_string = mac64.m_string;
1586 } else {
1587 struct user32_mac mac32;
1588 error = copyin(uap->mac_p, &mac32, sizeof(mac32));
1589 mac.m_buflen = mac32.m_buflen;
1590 mac.m_string = mac32.m_string;
1591 }
1592
1593 if (error)
1594 return (error);
1595
1596 error = mac_check_structmac_consistent(&mac);
1597 if (error)
1598 return (error);
1599
1600 MALLOC(elements, char *, mac.m_buflen, M_MACTEMP, M_WAITOK);
1601 error = copyinstr(mac.m_string, elements, mac.m_buflen, &ulen);
1602 if (error) {
1603 FREE(elements, M_MACTEMP);
1604 return (error);
1605 }
1606 AUDIT_ARG(mac_string, elements);
1607 MALLOC(buffer, char *, mac.m_buflen, M_MACTEMP, M_WAITOK);
1608
1609 proc_lock(p);
1610 if (p->p_lctx == NULL) {
1611 proc_unlock(p);
1612 error = ENOENT;
1613 goto out;
1614 }
1615
1616 error = mac_lctx_label_externalize(p->p_lctx->lc_label,
1617 elements, buffer, mac.m_buflen);
1618 proc_unlock(p);
1619 if (error == 0)
1620 error = copyout(buffer, mac.m_string, strlen(buffer)+1);
1621
1622 out:
1623 FREE(buffer, M_MACTEMP);
1624 FREE(elements, M_MACTEMP);
1625 return (error);
1626 }
1627
1628 int
1629 __mac_set_lctx(proc_t p, struct __mac_set_lctx_args *uap, int *ret __unused)
1630 {
1631 struct user_mac mac;
1632 struct label *intlabel;
1633 char *buffer;
1634 int error;
1635 size_t ulen;
1636
1637 if (IS_64BIT_PROCESS(p)) {
1638 struct user64_mac mac64;
1639 error = copyin(uap->mac_p, &mac64, sizeof(mac64));
1640 mac.m_buflen = mac64.m_buflen;
1641 mac.m_string = mac64.m_string;
1642 } else {
1643 struct user32_mac mac32;
1644 error = copyin(uap->mac_p, &mac32, sizeof(mac32));
1645 mac.m_buflen = mac32.m_buflen;
1646 mac.m_string = mac32.m_string;
1647 }
1648 if (error)
1649 return (error);
1650
1651 error = mac_check_structmac_consistent(&mac);
1652 if (error)
1653 return (error);
1654
1655 MALLOC(buffer, char *, mac.m_buflen, M_MACTEMP, M_WAITOK);
1656 error = copyinstr(mac.m_string, buffer, mac.m_buflen, &ulen);
1657 if (error) {
1658 FREE(buffer, M_MACTEMP);
1659 return (error);
1660 }
1661 AUDIT_ARG(mac_string, buffer);
1662
1663 intlabel = mac_lctx_label_alloc();
1664 error = mac_lctx_label_internalize(intlabel, buffer);
1665 FREE(buffer, M_MACTEMP);
1666 if (error)
1667 goto out;
1668
1669 proc_lock(p);
1670 if (p->p_lctx == NULL) {
1671 proc_unlock(p);
1672 error = ENOENT;
1673 goto out;
1674 }
1675
1676 error = mac_lctx_check_label_update(p->p_lctx, intlabel);
1677 if (error) {
1678 proc_unlock(p);
1679 goto out;
1680 }
1681 mac_lctx_label_update(p->p_lctx, intlabel);
1682 proc_unlock(p);
1683 out:
1684 mac_lctx_label_free(intlabel);
1685 return (error);
1686 }
1687
1688 #else /* LCTX */
1689
1690 int
1691 __mac_get_lcid(proc_t p __unused, struct __mac_get_lcid_args *uap __unused, int *ret __unused)
1692 {
1693
1694 return (ENOSYS);
1695 }
1696
1697 int
1698 __mac_get_lctx(proc_t p __unused, struct __mac_get_lctx_args *uap __unused, int *ret __unused)
1699 {
1700
1701 return (ENOSYS);
1702 }
1703
1704 int
1705 __mac_set_lctx(proc_t p __unused, struct __mac_set_lctx_args *uap __unused, int *ret __unused)
1706 {
1707
1708 return (ENOSYS);
1709 }
1710 #endif /* !LCTX */
1711
1712 int
1713 __mac_get_fd(proc_t p, struct __mac_get_fd_args *uap, int *ret __unused)
1714 {
1715 struct fileproc *fp;
1716 struct vnode *vp;
1717 struct user_mac mac;
1718 char *elements, *buffer;
1719 int error;
1720 size_t ulen;
1721 kauth_cred_t my_cred;
1722 #if CONFIG_MACF_SOCKET
1723 struct socket *so;
1724 #endif /* MAC_SOCKET */
1725 struct label *intlabel;
1726
1727 AUDIT_ARG(fd, uap->fd);
1728
1729 if (IS_64BIT_PROCESS(p)) {
1730 struct user64_mac mac64;
1731 error = copyin(uap->mac_p, &mac64, sizeof(mac64));
1732 mac.m_buflen = mac64.m_buflen;
1733 mac.m_string = mac64.m_string;
1734 } else {
1735 struct user32_mac mac32;
1736 error = copyin(uap->mac_p, &mac32, sizeof(mac32));
1737 mac.m_buflen = mac32.m_buflen;
1738 mac.m_string = mac32.m_string;
1739 }
1740
1741 if (error)
1742 return (error);
1743
1744 error = mac_check_structmac_consistent(&mac);
1745 if (error)
1746 return (error);
1747
1748 MALLOC(elements, char *, mac.m_buflen, M_MACTEMP, M_WAITOK);
1749 error = copyinstr(mac.m_string, elements, mac.m_buflen, &ulen);
1750 if (error) {
1751 FREE(elements, M_MACTEMP);
1752 return (error);
1753 }
1754 AUDIT_ARG(mac_string, elements);
1755
1756 MALLOC(buffer, char *, mac.m_buflen, M_MACTEMP, M_WAITOK);
1757 error = fp_lookup(p, uap->fd, &fp, 0);
1758 if (error) {
1759 FREE(buffer, M_MACTEMP);
1760 FREE(elements, M_MACTEMP);
1761 return (error);
1762 }
1763
1764 my_cred = kauth_cred_proc_ref(p);
1765 error = mac_file_check_get(my_cred, fp->f_fglob, elements, mac.m_buflen);
1766 kauth_cred_unref(&my_cred);
1767 if (error) {
1768 fp_drop(p, uap->fd, fp, 0);
1769 FREE(buffer, M_MACTEMP);
1770 FREE(elements, M_MACTEMP);
1771 return (error);
1772 }
1773
1774 switch (fp->f_fglob->fg_type) {
1775 case DTYPE_VNODE:
1776 intlabel = mac_vnode_label_alloc();
1777 if (intlabel == NULL) {
1778 error = ENOMEM;
1779 break;
1780 }
1781 vp = (struct vnode *)fp->f_fglob->fg_data;
1782 error = vnode_getwithref(vp);
1783 if (error == 0) {
1784 mac_vnode_label_copy(vp->v_label, intlabel);
1785 error = mac_vnode_label_externalize(intlabel,
1786 elements, buffer,
1787 mac.m_buflen, M_WAITOK);
1788 vnode_put(vp);
1789 }
1790 mac_vnode_label_free(intlabel);
1791 break;
1792 case DTYPE_SOCKET:
1793 #if CONFIG_MACF_SOCKET
1794 so = (struct socket *) fp->f_fglob->fg_data;
1795 intlabel = mac_socket_label_alloc(MAC_WAITOK);
1796 sock_lock(so, 1);
1797 mac_socket_label_copy(so->so_label, intlabel);
1798 sock_unlock(so, 1);
1799 error = mac_socket_label_externalize(intlabel, elements, buffer, mac.m_buflen);
1800 mac_socket_label_free(intlabel);
1801 break;
1802 #endif
1803 case DTYPE_PSXSHM:
1804 case DTYPE_PSXSEM:
1805 case DTYPE_PIPE:
1806 case DTYPE_KQUEUE:
1807 case DTYPE_FSEVENTS:
1808 default:
1809 error = ENOSYS; // only sockets/vnodes so far
1810 break;
1811 }
1812 fp_drop(p, uap->fd, fp, 0);
1813
1814 if (error == 0)
1815 error = copyout(buffer, mac.m_string, strlen(buffer)+1);
1816
1817 FREE(buffer, M_MACTEMP);
1818 FREE(elements, M_MACTEMP);
1819 return (error);
1820 }
1821
1822 static int
1823 mac_get_filelink(proc_t p, user_addr_t mac_p, user_addr_t path_p, int follow)
1824 {
1825 struct vnode *vp;
1826 vfs_context_t ctx;
1827 char *elements, *buffer;
1828 struct nameidata nd;
1829 struct label *intlabel;
1830 struct user_mac mac;
1831 int error;
1832 size_t ulen;
1833
1834 if (IS_64BIT_PROCESS(p)) {
1835 struct user64_mac mac64;
1836 error = copyin(mac_p, &mac64, sizeof(mac64));
1837 mac.m_buflen = mac64.m_buflen;
1838 mac.m_string = mac64.m_string;
1839 } else {
1840 struct user32_mac mac32;
1841 error = copyin(mac_p, &mac32, sizeof(mac32));
1842 mac.m_buflen = mac32.m_buflen;
1843 mac.m_string = mac32.m_string;
1844 }
1845
1846 if (error)
1847 return (error);
1848
1849 error = mac_check_structmac_consistent(&mac);
1850 if (error)
1851 return (error);
1852
1853 MALLOC(elements, char *, mac.m_buflen, M_MACTEMP, M_WAITOK);
1854 MALLOC(buffer, char *, mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
1855
1856 error = copyinstr(mac.m_string, elements, mac.m_buflen, &ulen);
1857 if (error) {
1858 FREE(buffer, M_MACTEMP);
1859 FREE(elements, M_MACTEMP);
1860 return (error);
1861 }
1862 AUDIT_ARG(mac_string, elements);
1863
1864 ctx = vfs_context_current();
1865
1866 NDINIT(&nd, LOOKUP, OP_LOOKUP,
1867 LOCKLEAF | (follow ? FOLLOW : NOFOLLOW) | AUDITVNPATH1,
1868 UIO_USERSPACE, path_p, ctx);
1869 error = namei(&nd);
1870 if (error) {
1871 FREE(buffer, M_MACTEMP);
1872 FREE(elements, M_MACTEMP);
1873 return (error);
1874 }
1875 vp = nd.ni_vp;
1876
1877 nameidone(&nd);
1878
1879 intlabel = mac_vnode_label_alloc();
1880 mac_vnode_label_copy(vp->v_label, intlabel);
1881 error = mac_vnode_label_externalize(intlabel, elements, buffer,
1882 mac.m_buflen, M_WAITOK);
1883 mac_vnode_label_free(intlabel);
1884 if (error == 0)
1885 error = copyout(buffer, mac.m_string, strlen(buffer) + 1);
1886
1887 vnode_put(vp);
1888
1889 FREE(buffer, M_MACTEMP);
1890 FREE(elements, M_MACTEMP);
1891
1892 return (error);
1893 }
1894
1895 int
1896 __mac_get_file(proc_t p, struct __mac_get_file_args *uap,
1897 int *ret __unused)
1898 {
1899
1900 return (mac_get_filelink(p, uap->mac_p, uap->path_p, 1));
1901 }
1902
1903 int
1904 __mac_get_link(proc_t p, struct __mac_get_link_args *uap,
1905 int *ret __unused)
1906 {
1907
1908 return (mac_get_filelink(p, uap->mac_p, uap->path_p, 0));
1909 }
1910
1911 int
1912 __mac_set_fd(proc_t p, struct __mac_set_fd_args *uap, int *ret __unused)
1913 {
1914
1915 struct fileproc *fp;
1916 struct user_mac mac;
1917 struct vfs_context *ctx = vfs_context_current();
1918 int error;
1919 size_t ulen;
1920 char *buffer;
1921 struct label *intlabel;
1922 #if CONFIG_MACF_SOCKET
1923 struct socket *so;
1924 #endif
1925 struct vnode *vp;
1926
1927 AUDIT_ARG(fd, uap->fd);
1928
1929 if (IS_64BIT_PROCESS(p)) {
1930 struct user64_mac mac64;
1931 error = copyin(uap->mac_p, &mac64, sizeof(mac64));
1932 mac.m_buflen = mac64.m_buflen;
1933 mac.m_string = mac64.m_string;
1934 } else {
1935 struct user32_mac mac32;
1936 error = copyin(uap->mac_p, &mac32, sizeof(mac32));
1937 mac.m_buflen = mac32.m_buflen;
1938 mac.m_string = mac32.m_string;
1939 }
1940 if (error)
1941 return (error);
1942
1943 error = mac_check_structmac_consistent(&mac);
1944 if (error)
1945 return (error);
1946
1947 MALLOC(buffer, char *, mac.m_buflen, M_MACTEMP, M_WAITOK);
1948 error = copyinstr(mac.m_string, buffer, mac.m_buflen, &ulen);
1949 if (error) {
1950 FREE(buffer, M_MACTEMP);
1951 return (error);
1952 }
1953 AUDIT_ARG(mac_string, buffer);
1954
1955 error = fp_lookup(p, uap->fd, &fp, 0);
1956 if (error) {
1957 FREE(buffer, M_MACTEMP);
1958 return (error);
1959 }
1960
1961
1962 error = mac_file_check_set(vfs_context_ucred(ctx), fp->f_fglob, buffer, mac.m_buflen);
1963 if (error) {
1964 fp_drop(p, uap->fd, fp, 0);
1965 FREE(buffer, M_MACTEMP);
1966 return (error);
1967 }
1968
1969 switch (fp->f_fglob->fg_type) {
1970
1971 case DTYPE_VNODE:
1972 if (mac_label_vnodes == 0) {
1973 error = ENOSYS;
1974 break;
1975 }
1976
1977 intlabel = mac_vnode_label_alloc();
1978
1979 error = mac_vnode_label_internalize(intlabel, buffer);
1980 if (error) {
1981 mac_vnode_label_free(intlabel);
1982 break;
1983 }
1984
1985
1986 vp = (struct vnode *)fp->f_fglob->fg_data;
1987
1988 error = vnode_getwithref(vp);
1989 if (error == 0) {
1990 error = vn_setlabel(vp, intlabel, ctx);
1991 vnode_put(vp);
1992 }
1993 mac_vnode_label_free(intlabel);
1994 break;
1995
1996 case DTYPE_SOCKET:
1997 #if CONFIG_MACF_SOCKET
1998 intlabel = mac_socket_label_alloc(MAC_WAITOK);
1999 error = mac_socket_label_internalize(intlabel, buffer);
2000 if (error == 0) {
2001 so = (struct socket *) fp->f_fglob->fg_data;
2002 SOCK_LOCK(so);
2003 error = mac_socket_label_update(vfs_context_ucred(ctx), so, intlabel);
2004 SOCK_UNLOCK(so);
2005 }
2006 mac_socket_label_free(intlabel);
2007 break;
2008 #endif
2009 case DTYPE_PSXSHM:
2010 case DTYPE_PSXSEM:
2011 case DTYPE_PIPE:
2012 case DTYPE_KQUEUE:
2013 case DTYPE_FSEVENTS:
2014 default:
2015 error = ENOSYS; // only sockets/vnodes so far
2016 break;
2017 }
2018
2019 fp_drop(p, uap->fd, fp, 0);
2020 FREE(buffer, M_MACTEMP);
2021 return (error);
2022 }
2023
2024 static int
2025 mac_set_filelink(proc_t p, user_addr_t mac_p, user_addr_t path_p,
2026 int follow)
2027 {
2028 register struct vnode *vp;
2029 struct vfs_context *ctx = vfs_context_current();
2030 struct label *intlabel;
2031 struct nameidata nd;
2032 struct user_mac mac;
2033 char *buffer;
2034 int error;
2035 size_t ulen;
2036
2037 if (mac_label_vnodes == 0)
2038 return ENOSYS;
2039
2040 if (IS_64BIT_PROCESS(p)) {
2041 struct user64_mac mac64;
2042 error = copyin(mac_p, &mac64, sizeof(mac64));
2043 mac.m_buflen = mac64.m_buflen;
2044 mac.m_string = mac64.m_string;
2045 } else {
2046 struct user32_mac mac32;
2047 error = copyin(mac_p, &mac32, sizeof(mac32));
2048 mac.m_buflen = mac32.m_buflen;
2049 mac.m_string = mac32.m_string;
2050 }
2051 if (error)
2052 return (error);
2053
2054 error = mac_check_structmac_consistent(&mac);
2055 if (error) {
2056 printf("mac_set_file: failed structure consistency check\n");
2057 return (error);
2058 }
2059
2060 MALLOC(buffer, char *, mac.m_buflen, M_MACTEMP, M_WAITOK);
2061 error = copyinstr(mac.m_string, buffer, mac.m_buflen, &ulen);
2062 if (error) {
2063 FREE(buffer, M_MACTEMP);
2064 return (error);
2065 }
2066 AUDIT_ARG(mac_string, buffer);
2067
2068 intlabel = mac_vnode_label_alloc();
2069 error = mac_vnode_label_internalize(intlabel, buffer);
2070 FREE(buffer, M_MACTEMP);
2071 if (error) {
2072 mac_vnode_label_free(intlabel);
2073 return (error);
2074 }
2075
2076 NDINIT(&nd, LOOKUP, OP_LOOKUP,
2077 LOCKLEAF | (follow ? FOLLOW : NOFOLLOW) | AUDITVNPATH1,
2078 UIO_USERSPACE, path_p, ctx);
2079 error = namei(&nd);
2080 if (error) {
2081 mac_vnode_label_free(intlabel);
2082 return (error);
2083 }
2084 vp = nd.ni_vp;
2085
2086 nameidone(&nd);
2087
2088 error = vn_setlabel(vp, intlabel, ctx);
2089 vnode_put(vp);
2090 mac_vnode_label_free(intlabel);
2091
2092 return (error);
2093 }
2094
2095 int
2096 __mac_set_file(proc_t p, struct __mac_set_file_args *uap,
2097 int *ret __unused)
2098 {
2099
2100 return (mac_set_filelink(p, uap->mac_p, uap->path_p, 1));
2101 }
2102
2103 int
2104 __mac_set_link(proc_t p, struct __mac_set_link_args *uap,
2105 int *ret __unused)
2106 {
2107
2108 return (mac_set_filelink(p, uap->mac_p, uap->path_p, 0));
2109 }
2110
2111 /*
2112 * __mac_syscall: Perform a MAC policy system call
2113 *
2114 * Parameters: p Process calling this routine
2115 * uap User argument descriptor (see below)
2116 * retv (Unused)
2117 *
2118 * Indirect: uap->policy Name of target MAC policy
2119 * uap->call MAC policy-specific system call to perform
2120 * uap->arg MAC policy-specific system call arguments
2121 *
2122 * Returns: 0 Success
2123 * !0 Not success
2124 *
2125 */
2126 int
2127 __mac_syscall(proc_t p, struct __mac_syscall_args *uap, int *retv __unused)
2128 {
2129 struct mac_policy_conf *mpc;
2130 char target[MAC_MAX_POLICY_NAME];
2131 int error;
2132 u_int i;
2133 size_t ulen;
2134
2135 error = copyinstr(uap->policy, target, sizeof(target), &ulen);
2136 if (error)
2137 return (error);
2138 AUDIT_ARG(value32, uap->call);
2139 AUDIT_ARG(mac_string, target);
2140
2141 error = ENOPOLICY;
2142
2143 for (i = 0; i < mac_policy_list.staticmax; i++) {
2144 mpc = mac_policy_list.entries[i].mpc;
2145 if (mpc == NULL)
2146 continue;
2147
2148 if (strcmp(mpc->mpc_name, target) == 0 &&
2149 mpc->mpc_ops->mpo_policy_syscall != NULL) {
2150 error = mpc->mpc_ops->mpo_policy_syscall(p,
2151 uap->call, uap->arg);
2152 goto done;
2153 }
2154 }
2155 if (mac_policy_list_conditional_busy() != 0) {
2156 for (; i <= mac_policy_list.maxindex; i++) {
2157 mpc = mac_policy_list.entries[i].mpc;
2158 if (mpc == NULL)
2159 continue;
2160
2161 if (strcmp(mpc->mpc_name, target) == 0 &&
2162 mpc->mpc_ops->mpo_policy_syscall != NULL) {
2163 error = mpc->mpc_ops->mpo_policy_syscall(p,
2164 uap->call, uap->arg);
2165 break;
2166 }
2167 }
2168 mac_policy_list_unbusy();
2169 }
2170
2171 done:
2172 return (error);
2173 }
2174
2175 int
2176 mac_mount_label_get(struct mount *mp, user_addr_t mac_p)
2177 {
2178 char *elements, *buffer;
2179 struct label *label;
2180 struct user_mac mac;
2181 int error;
2182 size_t ulen;
2183
2184 if (IS_64BIT_PROCESS(current_proc())) {
2185 struct user64_mac mac64;
2186 error = copyin(mac_p, &mac64, sizeof(mac64));
2187 mac.m_buflen = mac64.m_buflen;
2188 mac.m_string = mac64.m_string;
2189 } else {
2190 struct user32_mac mac32;
2191 error = copyin(mac_p, &mac32, sizeof(mac32));
2192 mac.m_buflen = mac32.m_buflen;
2193 mac.m_string = mac32.m_string;
2194 }
2195 if (error)
2196 return (error);
2197
2198 error = mac_check_structmac_consistent(&mac);
2199 if (error)
2200 return (error);
2201
2202 MALLOC(elements, char *, mac.m_buflen, M_MACTEMP, M_WAITOK);
2203 error = copyinstr(mac.m_string, elements, mac.m_buflen, &ulen);
2204 if (error) {
2205 FREE(elements, M_MACTEMP);
2206 return (error);
2207 }
2208 AUDIT_ARG(mac_string, elements);
2209
2210 label = mp->mnt_mntlabel;
2211 MALLOC(buffer, char *, mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
2212 error = mac_mount_label_externalize(label, elements, buffer,
2213 mac.m_buflen);
2214 FREE(elements, M_MACTEMP);
2215
2216 if (error == 0)
2217 error = copyout(buffer, mac.m_string, strlen(buffer) + 1);
2218 FREE(buffer, M_MACTEMP);
2219
2220 return (error);
2221 }
2222
2223 /*
2224 * __mac_get_mount: Get mount point label information for a given pathname
2225 *
2226 * Parameters: p (ignored)
2227 * uap User argument descriptor (see below)
2228 * ret (ignored)
2229 *
2230 * Indirect: uap->path Pathname
2231 * uap->mac_p MAC info
2232 *
2233 * Returns: 0 Success
2234 * !0 Not success
2235 */
2236 int
2237 __mac_get_mount(proc_t p __unused, struct __mac_get_mount_args *uap,
2238 int *ret __unused)
2239 {
2240 struct nameidata nd;
2241 struct vfs_context *ctx = vfs_context_current();
2242 struct mount *mp;
2243 int error;
2244
2245 NDINIT(&nd, LOOKUP, OP_LOOKUP, FOLLOW | AUDITVNPATH1,
2246 UIO_USERSPACE, uap->path, ctx);
2247 error = namei(&nd);
2248 if (error) {
2249 return (error);
2250 }
2251 mp = nd.ni_vp->v_mount;
2252 nameidone(&nd);
2253
2254 return mac_mount_label_get(mp, uap->mac_p);
2255 }
2256
2257 #else /* MAC */
2258
2259 int
2260 mac_policy_register(struct mac_policy_conf *mpc __unused,
2261 mac_policy_handle_t *handlep __unused, void *xd __unused)
2262 {
2263
2264 return (0);
2265 }
2266
2267 int
2268 mac_policy_unregister(mac_policy_handle_t handle __unused)
2269 {
2270
2271 return (0);
2272 }
2273
2274 int
2275 mac_audit_text(char *text __unused, mac_policy_handle_t handle __unused)
2276 {
2277
2278 return (0);
2279 }
2280
2281 int
2282 mac_mount_label_get(struct mount *mp __unused, user_addr_t mac_p __unused)
2283 {
2284 return (ENOSYS);
2285 }
2286
2287 int
2288 mac_vnop_setxattr(struct vnode *vp __unused, const char *name __unused, char *buf __unused, size_t len __unused)
2289 {
2290
2291 return (ENOENT);
2292 }
2293
2294 int
2295 mac_vnop_getxattr(struct vnode *vp __unused, const char *name __unused,
2296 char *buf __unused, size_t len __unused, size_t *attrlen __unused)
2297 {
2298
2299 return (ENOENT);
2300 }
2301
2302 int
2303 mac_vnop_removexattr(struct vnode *vp __unused, const char *name __unused)
2304 {
2305
2306 return (ENOENT);
2307 }
2308
2309 int
2310 __mac_get_pid(proc_t p __unused, struct __mac_get_pid_args *uap __unused, int *ret __unused)
2311 {
2312
2313 return (ENOSYS);
2314 }
2315
2316 int
2317 __mac_get_proc(proc_t p __unused, struct __mac_get_proc_args *uap __unused, int *ret __unused)
2318 {
2319
2320 return (ENOSYS);
2321 }
2322
2323 int
2324 __mac_set_proc(proc_t p __unused, struct __mac_set_proc_args *uap __unused, int *ret __unused)
2325 {
2326
2327 return (ENOSYS);
2328 }
2329
2330 int
2331 __mac_get_file(proc_t p __unused, struct __mac_get_file_args *uap __unused, int *ret __unused)
2332 {
2333
2334 return (ENOSYS);
2335 }
2336
2337 int
2338 __mac_get_link(proc_t p __unused, struct __mac_get_link_args *uap __unused, int *ret __unused)
2339 {
2340
2341 return (ENOSYS);
2342 }
2343
2344 int
2345 __mac_set_file(proc_t p __unused, struct __mac_set_file_args *uap __unused, int *ret __unused)
2346 {
2347
2348 return (ENOSYS);
2349 }
2350
2351 int
2352 __mac_set_link(proc_t p __unused, struct __mac_set_link_args *uap __unused, int *ret __unused)
2353 {
2354
2355 return (ENOSYS);
2356 }
2357
2358 int
2359 __mac_get_fd(proc_t p __unused, struct __mac_get_fd_args *uap __unused, int *ret __unused)
2360 {
2361
2362 return (ENOSYS);
2363 }
2364
2365 int
2366 __mac_set_fd(proc_t p __unused, struct __mac_set_fd_args *uap __unused, int *ret __unused)
2367 {
2368
2369 return (ENOSYS);
2370 }
2371
2372 int
2373 __mac_syscall(proc_t p __unused, struct __mac_syscall_args *uap __unused, int *ret __unused)
2374 {
2375
2376 return (ENOSYS);
2377 }
2378
2379 int
2380 __mac_get_lcid(proc_t p __unused, struct __mac_get_lcid_args *uap __unused, int *ret __unused)
2381 {
2382
2383 return (ENOSYS);
2384 }
2385
2386 int
2387 __mac_get_lctx(proc_t p __unused, struct __mac_get_lctx_args *uap __unused, int *ret __unused)
2388 {
2389
2390 return (ENOSYS);
2391 }
2392
2393 int
2394 __mac_set_lctx(proc_t p __unused, struct __mac_set_lctx_args *uap __unused, int *ret __unused)
2395 {
2396
2397 return (ENOSYS);
2398 }
2399
2400 int
2401 __mac_get_mount(proc_t p __unused,
2402 struct __mac_get_mount_args *uap __unused, int *ret __unused)
2403 {
2404
2405 return (ENOSYS);
2406 }
2407 #endif /* !MAC */
mirror of XNU