*/
#include <kern/kalloc.h>
+#include <libkern/OSAtomic.h>
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/reason.h>
#include <sys/uio_internal.h>
#include <sys/vnode_internal.h>
+#include <sys/kdebug.h>
+
#include <miscfs/devfs/devfsdefs.h>
#include <miscfs/devfs/fdesc.h>
/* convert {R,W,X}_OK values to V{READ,WRITE,EXEC} */
#define ACCESS_MODE_TO_VNODE_MASK(m) (m << 6)
+
+/*
+ * Optional tracing of policy operations. Define VFS_TRACE_POLICY_OPS to trace the operations.
+ *
+ * Along with DBG_FSYSTEM and DBG_VFS, dcode in the macros below is used to construct
+ * KDBG_EVENTID(DBG_FSYSTEM, DBG_VFS, dcode) global event id, see bsd/sys/kdebug.h.
+ * Note that dcode is multiplied by 4 and ORed as part of the construction. See bsd/kern/trace_codes
+ * for list of system-wide {global event id, name} pairs. Currently DBG_VFS event ids are in range
+ * [0x3130000, 0x313016C].
+ */
+
+//#define VFS_TRACE_POLICY_OPS
+
+#ifdef VFS_TRACE_POLICY_OPS
+#define DBG_VFS_CODE(dcode) FSDBG_CODE(DBG_VFS, dcode)
+#define VFS_KERNEL_DEBUG_START0(dcode) KERNEL_DEBUG_CONSTANT(DBG_VFS_CODE(dcode) | DBG_FUNC_START, 0, 0, 0, 0, 0)
+#define VFS_KERNEL_DEBUG_END0(dcode) KERNEL_DEBUG_CONSTANT(DBG_VFS_CODE(dcode) | DBG_FUNC_END, 0, 0, 0, 0, 0)
+#define VFS_KERNEL_DEBUG_START1(dcode, darg) KERNEL_DEBUG_CONSTANT(DBG_VFS_CODE(dcode) | DBG_FUNC_START, darg, 0, 0, 0, 0)
+#define VFS_KERNEL_DEBUG_END1(dcode, darg) KERNEL_DEBUG_CONSTANT(DBG_VFS_CODE(dcode) | DBG_FUNC_END, darg, 0, 0, 0, 0)
+#else
+#define VFS_KERNEL_DEBUG_START0(dcode) do {} while (0)
+#define VFS_KERNEL_DEBUG_END0(dcode) do {} while (0)
+#define VFS_KERNEL_DEBUG_START1(dcode, darg) do {} while (0)
+#define VFS_KERNEL_DEBUG_END1(dcode, darg) do {} while (0)
+#endif
+
static struct label *
mac_devfsdirent_label_alloc(void)
{
if (label == NULL) {
return NULL;
}
+ VFS_KERNEL_DEBUG_START0(0);
MAC_PERFORM(devfs_label_init, label);
+ VFS_KERNEL_DEBUG_END0(0);
return label;
}
if (label == NULL) {
return NULL;
}
+ VFS_KERNEL_DEBUG_START0(1);
MAC_PERFORM(mount_label_init, label);
+ VFS_KERNEL_DEBUG_END0(1);
return label;
}
if (label == NULL) {
return NULL;
}
+ VFS_KERNEL_DEBUG_START0(2);
MAC_PERFORM(vnode_label_init, label);
+ VFS_KERNEL_DEBUG_END0(2);
+ OSIncrementAtomic(&mac_vnode_label_count);
return label;
}
int
mac_vnode_label_init_needed(vnode_t vp)
{
+#if CONFIG_MACF_LAZY_VNODE_LABELS
+ (void)vp;
+ return false;
+#else
return mac_label_vnodes != 0 && vp->v_label == NULL;
+#endif
+}
+
+struct label *
+mac_vnode_label_allocate(vnode_t vp)
+{
+ if (mac_vnode_label_init_needed(vp)) {
+ vp->v_label = mac_vnode_label_alloc();
+ }
+ return vp->v_label;
}
/*
mac_vnode_label_recycle(vnode_t vp)
{
MAC_PERFORM(vnode_label_recycle, vp->v_label);
+#if CONFIG_MACF_LAZY_VNODE_LABELS
+ if (vp->v_label) {
+ mac_vnode_label_destroy(vp);
+ vp->v_label = NULL;
+ vp->v_lflag &= ~VL_LABELED;
+ }
+#endif
}
static void
mac_devfs_label_free(struct label *label)
{
+ VFS_KERNEL_DEBUG_START1(3, label);
MAC_PERFORM(devfs_label_destroy, label);
+ VFS_KERNEL_DEBUG_END1(3, label);
mac_labelzone_free(label);
}
static void
mac_mount_label_free(struct label *label)
{
+ VFS_KERNEL_DEBUG_START1(4, label);
MAC_PERFORM(mount_label_destroy, label);
+ VFS_KERNEL_DEBUG_END1(4, label);
mac_labelzone_free(label);
}
void
mac_vnode_label_free(struct label *label)
{
- MAC_PERFORM(vnode_label_destroy, label);
- mac_labelzone_free(label);
+ if (label != NULL) {
+ VFS_KERNEL_DEBUG_START1(5, label);
+ MAC_PERFORM(vnode_label_destroy, label);
+ VFS_KERNEL_DEBUG_END1(5, label);
+ mac_labelzone_free(label);
+ OSDecrementAtomic(&mac_vnode_label_count);
+ }
}
-#ifndef __APPLE__
void
mac_vnode_label_destroy(struct vnode *vp)
{
vp->v_label = NULL;
}
}
-#endif
void
mac_vnode_label_copy(struct label *src, struct label *dest)
{
+ VFS_KERNEL_DEBUG_START1(6, src);
if (src == NULL) {
MAC_PERFORM(vnode_label_init, dest);
} else {
MAC_PERFORM(vnode_label_copy, src, dest);
}
+ VFS_KERNEL_DEBUG_END1(6, src);
}
int
}
#endif
+ VFS_KERNEL_DEBUG_START1(7, src);
MAC_PERFORM(devfs_label_copy, src, dest);
+ VFS_KERNEL_DEBUG_END1(7, src);
}
void
}
#endif
+ VFS_KERNEL_DEBUG_START1(8, vp);
MAC_PERFORM(devfs_label_update, mp, de, de->dn_label, vp,
vp->v_label);
+ VFS_KERNEL_DEBUG_END1(8, vp);
}
int
}
#endif
+ VFS_KERNEL_DEBUG_START1(9, vp);
MAC_PERFORM(vnode_label_associate_devfs,
mp, mp ? mp->mnt_mntlabel : NULL,
de, de->dn_label,
vp, vp->v_label);
+ VFS_KERNEL_DEBUG_END1(9, vp);
}
int
{
int error;
+ VFS_KERNEL_DEBUG_START1(10, vp);
MAC_CHECK(vnode_label_associate_extattr, mp, mp->mnt_mntlabel, vp,
vp->v_label);
+ VFS_KERNEL_DEBUG_END1(10, vp);
return error;
}
return;
}
+ VFS_KERNEL_DEBUG_START1(11, vp);
MAC_PERFORM(vnode_label_associate_singlelabel, mp,
mp ? mp->mnt_mntlabel : NULL, vp, vp->v_label);
+ VFS_KERNEL_DEBUG_END1(11, vp);
}
int
if (!mac_cred_check_enforce(cred)) {
return 0;
}
+ VFS_KERNEL_DEBUG_START1(12, vp);
MAC_CHECK(vnode_notify_create, cred, mp, mp->mnt_mntlabel,
dvp, dvp->v_label, vp, vp->v_label, cnp);
+ VFS_KERNEL_DEBUG_END1(12, vp);
return error;
}
if (!mac_cred_check_enforce(cred)) {
return;
}
+ VFS_KERNEL_DEBUG_START1(13, vp);
MAC_PERFORM(vnode_notify_rename, cred, vp, vp->v_label,
dvp, dvp->v_label, cnp);
+ VFS_KERNEL_DEBUG_END1(13, vp);
}
void
if (!mac_cred_check_enforce(cred)) {
return;
}
+ VFS_KERNEL_DEBUG_START1(14, vp);
MAC_PERFORM(vnode_notify_open, cred, vp, vp->v_label, acc_flags);
+ VFS_KERNEL_DEBUG_END1(14, vp);
}
void
if (!mac_cred_check_enforce(cred)) {
return;
}
+ VFS_KERNEL_DEBUG_START1(15, vp);
MAC_PERFORM(vnode_notify_link, cred, dvp, dvp->v_label, vp, vp->v_label, cnp);
+ VFS_KERNEL_DEBUG_END1(15, vp);
}
void
if (!mac_cred_check_enforce(cred)) {
return;
}
+ VFS_KERNEL_DEBUG_START1(16, vp);
MAC_PERFORM(vnode_notify_deleteextattr, cred, vp, vp->v_label, name);
+ VFS_KERNEL_DEBUG_END1(16, vp);
}
void
if (!mac_cred_check_enforce(cred)) {
return;
}
+ VFS_KERNEL_DEBUG_START1(17, vp);
MAC_PERFORM(vnode_notify_setacl, cred, vp, vp->v_label, acl);
+ VFS_KERNEL_DEBUG_END1(17, vp);
}
void
if (!mac_cred_check_enforce(cred)) {
return;
}
+ VFS_KERNEL_DEBUG_START1(18, vp);
MAC_PERFORM(vnode_notify_setattrlist, cred, vp, vp->v_label, alist);
+ VFS_KERNEL_DEBUG_END1(18, vp);
}
void
if (!mac_cred_check_enforce(cred)) {
return;
}
+ VFS_KERNEL_DEBUG_START1(19, vp);
MAC_PERFORM(vnode_notify_setextattr, cred, vp, vp->v_label, name, uio);
+ VFS_KERNEL_DEBUG_END1(19, vp);
}
void
if (!mac_cred_check_enforce(cred)) {
return;
}
+ VFS_KERNEL_DEBUG_START1(20, vp);
MAC_PERFORM(vnode_notify_setflags, cred, vp, vp->v_label, flags);
+ VFS_KERNEL_DEBUG_END1(20, vp);
}
void
if (!mac_cred_check_enforce(cred)) {
return;
}
+ VFS_KERNEL_DEBUG_START1(21, vp);
MAC_PERFORM(vnode_notify_setmode, cred, vp, vp->v_label, mode);
+ VFS_KERNEL_DEBUG_END1(21, vp);
}
void
if (!mac_cred_check_enforce(cred)) {
return;
}
+ VFS_KERNEL_DEBUG_START1(22, vp);
MAC_PERFORM(vnode_notify_setowner, cred, vp, vp->v_label, uid, gid);
+ VFS_KERNEL_DEBUG_END1(22, vp);
}
void
if (!mac_cred_check_enforce(cred)) {
return;
}
+ VFS_KERNEL_DEBUG_START1(23, vp);
MAC_PERFORM(vnode_notify_setutimes, cred, vp, vp->v_label, atime, mtime);
+ VFS_KERNEL_DEBUG_END1(23, vp);
}
void
if (!mac_cred_check_enforce(cred)) {
return;
}
+ VFS_KERNEL_DEBUG_START1(24, vp);
MAC_PERFORM(vnode_notify_truncate, cred, file_cred, vp, vp->v_label);
+ VFS_KERNEL_DEBUG_END1(24, vp);
}
/*
return;
}
+ VFS_KERNEL_DEBUG_START1(25, vp);
MAC_PERFORM(vnode_label_update_extattr, mp, mp->mnt_mntlabel, vp,
vp->v_label, name);
+ VFS_KERNEL_DEBUG_END1(25, vp);
if (error == 0) {
return;
}
if (!mac_cred_check_enforce(cred)) {
return 0;
}
+ VFS_KERNEL_DEBUG_START1(26, vp);
MAC_CHECK(vnode_label_store, cred, vp, vp->v_label, intlabel);
+ VFS_KERNEL_DEBUG_END1(26, vp);
return error;
}
* calling exec_spawnattr_getmacpolicyinfo() and before passing the
* spawnattrlen as an argument to the hook.
*/
+ VFS_KERNEL_DEBUG_START1(27, vp);
{
struct mac_policy_conf *mpc;
u_int i;
}
}
*labelupdateerror = error;
+ VFS_KERNEL_DEBUG_END1(27, vp);
}
int
cred = vfs_context_ucred(ctx);
+ VFS_KERNEL_DEBUG_START1(28, vp);
/*
* NB: Cannot use MAC_BOOLEAN macro because we need a sequence point after
* calling exec_spawnattr_getmacpolicyinfo() and before passing the
mac_policy_list_unbusy();
}
}
+ VFS_KERNEL_DEBUG_END1(28, vp);
return result;
}
}
/* Convert {R,W,X}_OK values to V{READ,WRITE,EXEC} for entry points */
mask = ACCESS_MODE_TO_VNODE_MASK(acc_mode);
+ VFS_KERNEL_DEBUG_START1(29, vp);
MAC_CHECK(vnode_check_access, cred, vp, vp->v_label, mask);
+ VFS_KERNEL_DEBUG_END1(29, vp);
return error;
}
if (!mac_cred_check_enforce(cred)) {
return 0;
}
+ VFS_KERNEL_DEBUG_START1(30, dvp);
MAC_CHECK(vnode_check_chdir, cred, dvp, dvp->v_label);
+ VFS_KERNEL_DEBUG_END1(30, dvp);
return error;
}
if (!mac_cred_check_enforce(cred)) {
return 0;
}
+ VFS_KERNEL_DEBUG_START1(31, dvp);
MAC_CHECK(vnode_check_chroot, cred, dvp, dvp->v_label, cnp);
+ VFS_KERNEL_DEBUG_END1(31, dvp);
return error;
}
if (!mac_cred_check_enforce(cred)) {
return 0;
}
+ VFS_KERNEL_DEBUG_START1(32, dvp);
MAC_CHECK(vnode_check_clone, cred, dvp, dvp->v_label, vp,
vp->v_label, cnp);
+ VFS_KERNEL_DEBUG_END1(32, dvp);
return error;
}
int
if (!mac_cred_check_enforce(cred)) {
return 0;
}
+ VFS_KERNEL_DEBUG_START1(33, dvp);
MAC_CHECK(vnode_check_create, cred, dvp, dvp->v_label, cnp, vap);
+ VFS_KERNEL_DEBUG_END1(33, dvp);
return error;
}
if (!mac_cred_check_enforce(cred)) {
return 0;
}
+ VFS_KERNEL_DEBUG_START1(34, dvp);
MAC_CHECK(vnode_check_unlink, cred, dvp, dvp->v_label, vp,
vp->v_label, cnp);
+ VFS_KERNEL_DEBUG_END1(34, dvp);
return error;
}
#if 0
if (!mac_cred_check_enforce(cred)) {
return 0;
}
+ VFS_KERNEL_DEBUG_START1(35, dvp);
MAC_CHECK(vnode_check_deleteacl, cred, vp, vp->v_label, type);
+ VFS_KERNEL_DEBUG_END1(35, dvp);
return error;
}
#endif
if (!mac_cred_check_enforce(cred)) {
return 0;
}
+ VFS_KERNEL_DEBUG_START1(36, vp);
MAC_CHECK(vnode_check_deleteextattr, cred, vp, vp->v_label, name);
+ VFS_KERNEL_DEBUG_END1(36, vp);
return error;
}
int
if (!mac_cred_check_enforce(cred)) {
return 0;
}
+ VFS_KERNEL_DEBUG_START1(37, v1);
MAC_CHECK(vnode_check_exchangedata, cred, v1, v1->v_label,
v2, v2->v_label);
+ VFS_KERNEL_DEBUG_END1(37, v1);
return error;
}
if (!mac_cred_check_enforce(cred)) {
return 0;
}
+ VFS_KERNEL_DEBUG_START1(38, vp);
MAC_CHECK(vnode_check_getacl, cred, vp, vp->v_label, type);
+ VFS_KERNEL_DEBUG_END1(38, vp);
return error;
}
#endif
if (!mac_cred_check_enforce(cred)) {
return 0;
}
+ VFS_KERNEL_DEBUG_START1(39, vp);
MAC_CHECK(vnode_check_getattr, cred, file_cred, vp, vp->v_label, va);
+ VFS_KERNEL_DEBUG_END1(39, vp);
return error;
}
if (!mac_cred_check_enforce(cred)) {
return 0;
}
+ VFS_KERNEL_DEBUG_START1(40, vp);
MAC_CHECK(vnode_check_getattrlist, cred, vp, vp->v_label, alist);
+ VFS_KERNEL_DEBUG_END1(40, vp);
/* Falsify results instead of returning error? */
return error;
* calling exec_spawnattr_getmacpolicyinfo() and before passing the
* spawnattrlen as an argument to the hook.
*/
+ VFS_KERNEL_DEBUG_START1(41, vp);
{
struct mac_policy_conf *mpc;
u_int i;
mac_policy_list_unbusy();
}
}
+ VFS_KERNEL_DEBUG_END1(41, vp);
return error;
}
if (!mac_cred_check_enforce(cred)) {
return 0;
}
+ VFS_KERNEL_DEBUG_START1(42, vp);
MAC_CHECK(vnode_check_fsgetpath, cred, vp, vp->v_label);
+ VFS_KERNEL_DEBUG_END1(42, vp);
return error;
}
}
#endif
+ VFS_KERNEL_DEBUG_START1(43, vp);
MAC_CHECK(vnode_check_signature, vp, vp->v_label, cpu_type, cs_blob,
cs_flags, signer_type, flags, &fatal_failure_desc, &fatal_failure_desc_len);
+ VFS_KERNEL_DEBUG_END1(43, vp);
if (fatal_failure_desc_len) {
// A fatal code signature validation failure occured, formulate a crash
if (!mac_cred_check_enforce(cred)) {
return 0;
}
+ VFS_KERNEL_DEBUG_START1(44, vp);
MAC_CHECK(vnode_check_getacl, cred, vp, vp->v_label, type);
+ VFS_KERNEL_DEBUG_END1(44, vp);
return error;
}
#endif
if (!mac_cred_check_enforce(cred)) {
return 0;
}
+ VFS_KERNEL_DEBUG_START1(45, vp);
MAC_CHECK(vnode_check_getextattr, cred, vp, vp->v_label,
name, uio);
+ VFS_KERNEL_DEBUG_END1(45, vp);
return error;
}
if (!mac_cred_check_enforce(cred)) {
return 0;
}
+ VFS_KERNEL_DEBUG_START1(46, vp);
MAC_CHECK(vnode_check_ioctl, cred, vp, vp->v_label, cmd);
+ VFS_KERNEL_DEBUG_END1(46, vp);
return error;
}
if (!mac_cred_check_enforce(cred)) {
return 0;
}
+ VFS_KERNEL_DEBUG_START1(47, vp);
MAC_CHECK(vnode_check_kqfilter, cred, file_cred, kn, vp,
vp->v_label);
+ VFS_KERNEL_DEBUG_END1(47, vp);
return error;
}
if (!mac_cred_check_enforce(cred)) {
return 0;
}
+ VFS_KERNEL_DEBUG_START1(48, vp);
MAC_CHECK(vnode_check_link, cred, dvp, dvp->v_label, vp,
vp->v_label, cnp);
+ VFS_KERNEL_DEBUG_END1(48, vp);
return error;
}
if (!mac_cred_check_enforce(cred)) {
return 0;
}
+ VFS_KERNEL_DEBUG_START1(49, vp);
MAC_CHECK(vnode_check_listextattr, cred, vp, vp->v_label);
+ VFS_KERNEL_DEBUG_END1(49, vp);
return error;
}
if (!mac_cred_check_enforce(cred)) {
return 0;
}
+ VFS_KERNEL_DEBUG_START1(50, dvp);
MAC_CHECK(vnode_check_lookup_preflight, cred, dvp, dvp->v_label, path, pathlen);
+ VFS_KERNEL_DEBUG_END1(50, dvp);
return error;
}
if (!mac_cred_check_enforce(cred)) {
return 0;
}
+ VFS_KERNEL_DEBUG_START1(51, dvp);
MAC_CHECK(vnode_check_lookup, cred, dvp, dvp->v_label, cnp);
+ VFS_KERNEL_DEBUG_END1(51, dvp);
return error;
}
if (!mac_cred_check_enforce(cred)) {
return 0;
}
+ VFS_KERNEL_DEBUG_START1(52, vp);
MAC_CHECK(vnode_check_open, cred, vp, vp->v_label, acc_mode);
+ VFS_KERNEL_DEBUG_END1(52, vp);
return error;
}
if (!mac_cred_check_enforce(cred)) {
return 0;
}
+ VFS_KERNEL_DEBUG_START1(53, vp);
MAC_CHECK(vnode_check_read, cred, file_cred, vp,
vp->v_label);
+ VFS_KERNEL_DEBUG_END1(53, vp);
return error;
}
if (!mac_cred_check_enforce(cred)) {
return 0;
}
+ VFS_KERNEL_DEBUG_START1(54, dvp);
MAC_CHECK(vnode_check_readdir, cred, dvp, dvp->v_label);
+ VFS_KERNEL_DEBUG_END1(54, dvp);
return error;
}
if (!mac_cred_check_enforce(cred)) {
return 0;
}
+ VFS_KERNEL_DEBUG_START1(55, vp);
MAC_CHECK(vnode_check_readlink, cred, vp, vp->v_label);
+ VFS_KERNEL_DEBUG_END1(55, vp);
return error;
}
if (!mac_cred_check_enforce(cred)) {
return 0;
}
+ VFS_KERNEL_DEBUG_START1(56, vp);
MAC_CHECK(vnode_check_label_update, cred, vp, vp->v_label, newlabel);
+ VFS_KERNEL_DEBUG_END1(56, vp);
return error;
}
return 0;
}
+ VFS_KERNEL_DEBUG_START1(57, vp);
MAC_CHECK(vnode_check_rename_from, cred, dvp, dvp->v_label, vp,
vp->v_label, cnp);
if (error) {
+ VFS_KERNEL_DEBUG_END1(57, vp);
return error;
}
MAC_CHECK(vnode_check_rename_to, cred, tdvp, tdvp->v_label, tvp,
tvp != NULL ? tvp->v_label : NULL, dvp == tdvp, tcnp);
if (error) {
+ VFS_KERNEL_DEBUG_END1(57, vp);
return error;
}
MAC_CHECK(vnode_check_rename, cred, dvp, dvp->v_label, vp,
vp->v_label, cnp, tdvp, tdvp->v_label, tvp,
tvp != NULL ? tvp->v_label : NULL, tcnp);
+ VFS_KERNEL_DEBUG_END1(57, vp);
return error;
}
if (!mac_cred_check_enforce(cred)) {
return 0;
}
+ VFS_KERNEL_DEBUG_START1(58, vp);
MAC_CHECK(vnode_check_revoke, cred, vp, vp->v_label);
+ VFS_KERNEL_DEBUG_END1(58, vp);
return error;
}
if (!mac_cred_check_enforce(cred)) {
return 0;
}
+ VFS_KERNEL_DEBUG_START1(59, vp);
MAC_CHECK(vnode_check_searchfs, cred, vp, vp->v_label, alist);
+ VFS_KERNEL_DEBUG_END1(59, vp);
return error;
}
if (!mac_cred_check_enforce(cred)) {
return 0;
}
+ VFS_KERNEL_DEBUG_START1(60, vp);
MAC_CHECK(vnode_check_select, cred, vp, vp->v_label, which);
+ VFS_KERNEL_DEBUG_END1(60, vp);
return error;
}
if (!mac_cred_check_enforce(cred)) {
return 0;
}
+ VFS_KERNEL_DEBUG_START1(61, vp);
MAC_CHECK(vnode_check_setacl, cred, vp, vp->v_label, acl);
+ VFS_KERNEL_DEBUG_END1(61, vp);
return error;
}
if (!mac_cred_check_enforce(cred)) {
return 0;
}
+ VFS_KERNEL_DEBUG_START1(62, vp);
MAC_CHECK(vnode_check_setattrlist, cred, vp, vp->v_label, alist);
+ VFS_KERNEL_DEBUG_END1(62, vp);
return error;
}
if (!mac_cred_check_enforce(cred)) {
return 0;
}
+ VFS_KERNEL_DEBUG_START1(63, vp);
MAC_CHECK(vnode_check_setextattr, cred, vp, vp->v_label,
name, uio);
+ VFS_KERNEL_DEBUG_END1(63, vp);
return error;
}
if (!mac_cred_check_enforce(cred)) {
return 0;
}
+ VFS_KERNEL_DEBUG_START1(64, vp);
MAC_CHECK(vnode_check_setflags, cred, vp, vp->v_label, flags);
+ VFS_KERNEL_DEBUG_END1(64, vp);
return error;
}
if (!mac_cred_check_enforce(cred)) {
return 0;
}
+ VFS_KERNEL_DEBUG_START1(65, vp);
MAC_CHECK(vnode_check_setmode, cred, vp, vp->v_label, mode);
+ VFS_KERNEL_DEBUG_END1(65, vp);
return error;
}
if (!mac_cred_check_enforce(cred)) {
return 0;
}
+ VFS_KERNEL_DEBUG_START1(66, vp);
MAC_CHECK(vnode_check_setowner, cred, vp, vp->v_label, uid, gid);
+ VFS_KERNEL_DEBUG_END1(66, vp);
return error;
}
if (!mac_cred_check_enforce(cred)) {
return 0;
}
+ VFS_KERNEL_DEBUG_START1(67, vp);
MAC_CHECK(vnode_check_setutimes, cred, vp, vp->v_label, atime,
mtime);
+ VFS_KERNEL_DEBUG_END1(67, vp);
return error;
}
if (!mac_cred_check_enforce(cred)) {
return 0;
}
+ VFS_KERNEL_DEBUG_START1(68, vp);
MAC_CHECK(vnode_check_stat, cred, file_cred, vp,
vp->v_label);
+ VFS_KERNEL_DEBUG_END1(68, vp);
return error;
}
if (!mac_cred_check_enforce(cred)) {
return 0;
}
+ VFS_KERNEL_DEBUG_START1(69, dvp);
MAC_CHECK(vnode_check_trigger_resolve, cred, dvp, dvp->v_label, cnp);
+ VFS_KERNEL_DEBUG_END1(69, dvp);
return error;
}
if (!mac_cred_check_enforce(cred)) {
return 0;
}
+ VFS_KERNEL_DEBUG_START1(70, vp);
MAC_CHECK(vnode_check_truncate, cred, file_cred, vp,
vp->v_label);
+ VFS_KERNEL_DEBUG_END1(70, vp);
return error;
}
if (!mac_cred_check_enforce(cred)) {
return 0;
}
+ VFS_KERNEL_DEBUG_START1(71, vp);
MAC_CHECK(vnode_check_write, cred, file_cred, vp, vp->v_label);
+ VFS_KERNEL_DEBUG_END1(71, vp);
return error;
}
if (!mac_cred_check_enforce(cred)) {
return 0;
}
+ VFS_KERNEL_DEBUG_START1(72, dvp);
MAC_CHECK(vnode_check_uipc_bind, cred, dvp, dvp->v_label, cnp, vap);
+ VFS_KERNEL_DEBUG_END1(72, dvp);
return error;
}
if (!mac_cred_check_enforce(cred)) {
return 0;
}
+ VFS_KERNEL_DEBUG_START1(73, vp);
MAC_CHECK(vnode_check_uipc_connect, cred, vp, vp->v_label, (socket_t) so);
+ VFS_KERNEL_DEBUG_END1(73, vp);
return error;
}
tmpl = NULL;
}
+ VFS_KERNEL_DEBUG_START1(74, vp);
MAC_PERFORM(vnode_label_update, cred, vp, vp->v_label, newlabel);
+ VFS_KERNEL_DEBUG_END1(74, vp);
vnode_unlock(vp);
if (tmpl != NULL) {
}
#endif
+ VFS_KERNEL_DEBUG_START1(75, vp);
MAC_CHECK(vnode_find_sigs, p, vp, offset, vp->v_label);
+ VFS_KERNEL_DEBUG_END1(75, vp);
return error;
}
}
}
+ VFS_KERNEL_DEBUG_START1(76, mp);
MAC_PERFORM(mount_label_associate, cred, mp, mp->mnt_mntlabel);
+ VFS_KERNEL_DEBUG_END1(76, mp);
#if DEBUG
printf("MAC Framework enabling %s support: %s -> %s (%s)\n",
mp->mnt_flag & MNT_MULTILABEL ? "multilabel" : "singlelabel",
if (!mac_cred_check_enforce(cred)) {
return 0;
}
+ VFS_KERNEL_DEBUG_START1(77, vp);
MAC_CHECK(mount_check_mount, cred, vp, vp->v_label, cnp, vfc_name);
+ VFS_KERNEL_DEBUG_END1(77, vp);
+
+ return error;
+}
+
+int
+mac_mount_check_mount_late(vfs_context_t ctx, struct mount *mp)
+{
+ kauth_cred_t cred;
+ int error;
+
+#if SECURITY_MAC_CHECK_ENFORCE
+ /* 21167099 - only check if we allow write */
+ if (!mac_vnode_enforce) {
+ return 0;
+ }
+#endif
+ cred = vfs_context_ucred(ctx);
+ if (!mac_cred_check_enforce(cred)) {
+ return 0;
+ }
+ VFS_KERNEL_DEBUG_START1(78, mp);
+ MAC_CHECK(mount_check_mount_late, cred, mp);
+ VFS_KERNEL_DEBUG_END1(78, mp);
return error;
}
if (!mac_cred_check_enforce(cred)) {
return 0;
}
+ VFS_KERNEL_DEBUG_START1(79, mp);
MAC_CHECK(mount_check_snapshot_create, cred, mp, name);
+ VFS_KERNEL_DEBUG_END1(79, mp);
return error;
}
if (!mac_cred_check_enforce(cred)) {
return 0;
}
+ VFS_KERNEL_DEBUG_START1(80, mp);
MAC_CHECK(mount_check_snapshot_delete, cred, mp, name);
+ VFS_KERNEL_DEBUG_END1(80, mp);
return error;
}
if (!mac_cred_check_enforce(cred)) {
return 0;
}
+ VFS_KERNEL_DEBUG_START1(81, mp);
MAC_CHECK(mount_check_snapshot_revert, cred, mp, name);
+ VFS_KERNEL_DEBUG_END1(81, mp);
return error;
}
if (!mac_cred_check_enforce(cred)) {
return 0;
}
+ VFS_KERNEL_DEBUG_START1(82, mp);
MAC_CHECK(mount_check_remount, cred, mp, mp->mnt_mntlabel);
+ VFS_KERNEL_DEBUG_END1(82, mp);
return error;
}
if (!mac_cred_check_enforce(cred)) {
return 0;
}
+ VFS_KERNEL_DEBUG_START1(83, mp);
MAC_CHECK(mount_check_umount, cred, mp, mp->mnt_mntlabel);
+ VFS_KERNEL_DEBUG_END1(83, mp);
return error;
}
if (!mac_cred_check_enforce(cred)) {
return 0;
}
+ VFS_KERNEL_DEBUG_START1(84, mp);
MAC_CHECK(mount_check_getattr, cred, mp, mp->mnt_mntlabel, vfa);
+ VFS_KERNEL_DEBUG_END1(84, mp);
return error;
}
if (!mac_cred_check_enforce(cred)) {
return 0;
}
+ VFS_KERNEL_DEBUG_START1(85, mp);
MAC_CHECK(mount_check_setattr, cred, mp, mp->mnt_mntlabel, vfa);
+ VFS_KERNEL_DEBUG_END1(85, mp);
return error;
}
if (!mac_cred_check_enforce(cred)) {
return 0;
}
+ VFS_KERNEL_DEBUG_START1(86, mount);
MAC_CHECK(mount_check_stat, cred, mount, mount->mnt_mntlabel);
+ VFS_KERNEL_DEBUG_END1(86, mount);
return error;
}
if (!mac_cred_check_enforce(cred)) {
return 0;
}
+ VFS_KERNEL_DEBUG_START1(87, mount);
MAC_CHECK(mount_check_label_update, cred, mount, mount->mnt_mntlabel);
+ VFS_KERNEL_DEBUG_END1(87, mount);
return error;
}
if (!mac_cred_check_enforce(cred)) {
return 0;
}
+ VFS_KERNEL_DEBUG_START1(88, mp);
MAC_CHECK(mount_check_fsctl, cred, mp, mp->mnt_mntlabel, cmd);
+ VFS_KERNEL_DEBUG_END1(88, mp);
return error;
}
}
#endif
+ VFS_KERNEL_DEBUG_START1(89, de);
MAC_PERFORM(devfs_label_associate_device, dev, de, de->dn_label,
fullpath);
+ VFS_KERNEL_DEBUG_END1(89, de);
}
void
}
#endif
+ VFS_KERNEL_DEBUG_START1(90, de);
MAC_PERFORM(devfs_label_associate_directory, dirname, dirnamelen, de,
de->dn_label, fullpath);
+ VFS_KERNEL_DEBUG_END1(90, de);
}
int
error = 0;
+ VFS_KERNEL_DEBUG_START1(91, vp);
/*
* If no backing file, let the policy choose which label to use.
*/
if (fnp->fd_fd == -1) {
MAC_PERFORM(vnode_label_associate_file, vfs_context_ucred(ctx),
mp, mp->mnt_mntlabel, NULL, NULL, vp, vp->v_label);
+ VFS_KERNEL_DEBUG_END1(91, vp);
return 0;
}
p = vfs_context_proc(ctx);
error = fp_lookup(p, fnp->fd_fd, &fp, 0);
if (error) {
+ VFS_KERNEL_DEBUG_END1(91, vp);
return error;
}
if ((error = vnode_getwithref(fvp))) {
goto out;
}
- MAC_PERFORM(vnode_label_copy, fvp->v_label, vp->v_label);
+ if (fvp->v_label != NULL) {
+ if (mac_label_vnodes != 0 && vp->v_label == NULL) {
+ mac_vnode_label_init(vp); /* init dst label */
+ }
+ MAC_PERFORM(vnode_label_copy, fvp->v_label, vp->v_label);
+ }
(void)vnode_put(fvp);
break;
#if CONFIG_MACF_SOCKET_SUBSET
break;
}
out:
+ VFS_KERNEL_DEBUG_END1(91, vp);
fp_drop(p, fnp->fd_fd, fp, 0);
return error;
}
+
+intptr_t
+mac_vnode_label_get(struct vnode *vp, int slot, intptr_t sentinel)
+{
+ struct label *l;
+
+ KASSERT(vp != NULL, ("mac_vnode_label_get: NULL vnode"));
+ l = vp->v_label;
+ if (l != NULL) {
+ return mac_label_get(l, slot);
+ } else {
+ return sentinel;
+ }
+}
+
+void
+mac_vnode_label_set(struct vnode *vp, int slot, intptr_t v)
+{
+ struct label *l;
+ KASSERT(vp != NULL, ("mac_vnode_label_set: NULL vnode"));
+ l = vp->v_label;
+ if (l == NULL) {
+ mac_vnode_label_init(vp);
+ l = vp->v_label;
+ }
+ mac_label_set(l, slot, v);
+}
projects / apple / xnu.git / blobdiff