X-Git-Url: https://git.saurik.com/apple/xnu.git/blobdiff_plain/fe8ab488e9161c46dd9885d58fc52996dc0249ff..b226f5e54a60dc81db17b1260381d7dbfea3cdf1:/security/mac_vfs.c diff --git a/security/mac_vfs.c b/security/mac_vfs.c index b318e3b75..b18fc092c 100644 --- a/security/mac_vfs.c +++ b/security/mac_vfs.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2007 Apple Inc. All rights reserved. + * Copyright (c) 2007-2016 Apple Inc. All rights reserved. * * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ * @@ -62,6 +62,8 @@ * */ +#include + #include #include #include @@ -75,6 +77,7 @@ #include #include #include +#include #include #include @@ -278,8 +281,11 @@ mac_mount_label_externalize(struct label *label, char *elements, void mac_devfs_label_copy(struct label *src, struct label *dest) { +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ if (!mac_device_enforce) return; +#endif MAC_PERFORM(devfs_label_copy, src, dest); } @@ -288,9 +294,11 @@ void mac_devfs_label_update(struct mount *mp, struct devnode *de, struct vnode *vp) { - +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ if (!mac_device_enforce) return; +#endif MAC_PERFORM(devfs_label_update, mp, de, de->dn_label, vp, vp->v_label); @@ -303,8 +311,11 @@ mac_vnode_label_associate(struct mount *mp, struct vnode *vp, vfs_context_t ctx) struct fdescnode *fnp; int error = 0; +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ if (!mac_vnode_enforce) return (error); +#endif /* XXX: should not inspect v_tag in kernel! */ switch (vp->v_tag) { @@ -328,8 +339,11 @@ void mac_vnode_label_associate_devfs(struct mount *mp, struct devnode *de, struct vnode *vp) { +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ if (!mac_device_enforce) return; +#endif MAC_PERFORM(vnode_label_associate_devfs, mp, mp ? mp->mnt_mntlabel : NULL, @@ -351,8 +365,12 @@ mac_vnode_label_associate_extattr(struct mount *mp, struct vnode *vp) void mac_vnode_label_associate_singlelabel(struct mount *mp, struct vnode *vp) { - - if (!mac_vnode_enforce || !mac_label_vnodes) +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_vnode_enforce) + return; +#endif + if (!mac_label_vnodes) return; MAC_PERFORM(vnode_label_associate_singlelabel, mp, @@ -366,11 +384,14 @@ mac_vnode_notify_create(vfs_context_t ctx, struct mount *mp, kauth_cred_t cred; int error; - if (!mac_vnode_enforce || - !mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE)) +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_vnode_enforce) return (0); - +#endif cred = vfs_context_ucred(ctx); + if (!mac_cred_check_enforce(cred)) + return (0); MAC_CHECK(vnode_notify_create, cred, mp, mp->mnt_mntlabel, dvp, dvp->v_label, vp, vp->v_label, cnp); @@ -383,11 +404,14 @@ mac_vnode_notify_rename(vfs_context_t ctx, struct vnode *vp, { kauth_cred_t cred; - if (!mac_vnode_enforce || - !mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE)) +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_vnode_enforce) return; - +#endif cred = vfs_context_ucred(ctx); + if (!mac_cred_check_enforce(cred)) + return; MAC_PERFORM(vnode_notify_rename, cred, vp, vp->v_label, dvp, dvp->v_label, cnp); } @@ -397,11 +421,14 @@ mac_vnode_notify_open(vfs_context_t ctx, struct vnode *vp, int acc_flags) { kauth_cred_t cred; - if (!mac_vnode_enforce || - !mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE)) +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_vnode_enforce) return; - +#endif cred = vfs_context_ucred(ctx); + if (!mac_cred_check_enforce(cred)) + return; MAC_PERFORM(vnode_notify_open, cred, vp, vp->v_label, acc_flags); } @@ -411,14 +438,161 @@ mac_vnode_notify_link(vfs_context_t ctx, struct vnode *vp, { kauth_cred_t cred; - if (!mac_vnode_enforce || - !mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE)) +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_vnode_enforce) return; - +#endif cred = vfs_context_ucred(ctx); + if (!mac_cred_check_enforce(cred)) + return; MAC_PERFORM(vnode_notify_link, cred, dvp, dvp->v_label, vp, vp->v_label, cnp); } +void +mac_vnode_notify_deleteextattr(vfs_context_t ctx, struct vnode *vp, const char *name) +{ + kauth_cred_t cred; + +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_vnode_enforce) + return; +#endif + cred = vfs_context_ucred(ctx); + if (!mac_cred_check_enforce(cred)) + return; + MAC_PERFORM(vnode_notify_deleteextattr, cred, vp, vp->v_label, name); +} + +void +mac_vnode_notify_setacl(vfs_context_t ctx, struct vnode *vp, struct kauth_acl *acl) +{ + kauth_cred_t cred; + +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_vnode_enforce) + return; +#endif + cred = vfs_context_ucred(ctx); + if (!mac_cred_check_enforce(cred)) + return; + MAC_PERFORM(vnode_notify_setacl, cred, vp, vp->v_label, acl); +} + +void +mac_vnode_notify_setattrlist(vfs_context_t ctx, struct vnode *vp, struct attrlist *alist) +{ + kauth_cred_t cred; + +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_vnode_enforce) + return; +#endif + cred = vfs_context_ucred(ctx); + if (!mac_cred_check_enforce(cred)) + return; + MAC_PERFORM(vnode_notify_setattrlist, cred, vp, vp->v_label, alist); +} + +void +mac_vnode_notify_setextattr(vfs_context_t ctx, struct vnode *vp, const char *name, struct uio *uio) +{ + kauth_cred_t cred; + +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_vnode_enforce) + return; +#endif + cred = vfs_context_ucred(ctx); + if (!mac_cred_check_enforce(cred)) + return; + MAC_PERFORM(vnode_notify_setextattr, cred, vp, vp->v_label, name, uio); +} + +void +mac_vnode_notify_setflags(vfs_context_t ctx, struct vnode *vp, u_long flags) +{ + kauth_cred_t cred; + +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_vnode_enforce) + return; +#endif + cred = vfs_context_ucred(ctx); + if (!mac_cred_check_enforce(cred)) + return; + MAC_PERFORM(vnode_notify_setflags, cred, vp, vp->v_label, flags); +} + +void +mac_vnode_notify_setmode(vfs_context_t ctx, struct vnode *vp, mode_t mode) +{ + kauth_cred_t cred; + +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_vnode_enforce) + return; +#endif + cred = vfs_context_ucred(ctx); + if (!mac_cred_check_enforce(cred)) + return; + MAC_PERFORM(vnode_notify_setmode, cred, vp, vp->v_label, mode); +} + +void +mac_vnode_notify_setowner(vfs_context_t ctx, struct vnode *vp, uid_t uid, gid_t gid) +{ + kauth_cred_t cred; + +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_vnode_enforce) + return; +#endif + cred = vfs_context_ucred(ctx); + if (!mac_cred_check_enforce(cred)) + return; + MAC_PERFORM(vnode_notify_setowner, cred, vp, vp->v_label, uid, gid); +} + +void +mac_vnode_notify_setutimes(vfs_context_t ctx, struct vnode *vp, struct timespec atime, struct timespec mtime) +{ + kauth_cred_t cred; + +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_vnode_enforce) + return; +#endif + cred = vfs_context_ucred(ctx); + if (!mac_cred_check_enforce(cred)) + return; + MAC_PERFORM(vnode_notify_setutimes, cred, vp, vp->v_label, atime, mtime); +} + +void +mac_vnode_notify_truncate(vfs_context_t ctx, kauth_cred_t file_cred, struct vnode *vp) +{ + kauth_cred_t cred; + +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_vnode_enforce) + return; +#endif + cred = vfs_context_ucred(ctx); + if (!mac_cred_check_enforce(cred)) + return; + MAC_PERFORM(vnode_notify_truncate, cred, file_cred, vp, vp->v_label); +} + /* * Extended attribute 'name' was updated via * vn_setxattr() or vn_removexattr(). Allow the @@ -430,7 +604,12 @@ mac_vnode_label_update_extattr(struct mount *mp, struct vnode *vp, { int error = 0; - if (!mac_vnode_enforce || !mac_label_vnodes) +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_vnode_enforce) + return; +#endif + if (!mac_label_vnodes) return; MAC_PERFORM(vnode_label_update_extattr, mp, mp->mnt_mntlabel, vp, @@ -451,11 +630,17 @@ mac_vnode_label_store(vfs_context_t ctx, struct vnode *vp, kauth_cred_t cred; int error; - if (!mac_vnode_enforce || !mac_label_vnodes || - !mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE)) +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_vnode_enforce) + return 0; +#endif + if (!mac_label_vnodes) return 0; cred = vfs_context_ucred(ctx); + if (!mac_cred_check_enforce(cred)) + return (0); MAC_CHECK(vnode_label_store, cred, vp, vp->v_label, intlabel); return (error); @@ -471,8 +656,11 @@ mac_cred_label_update_execve(vfs_context_t ctx, kauth_cred_t new, struct vnode * int error; posix_cred_t pcred = posix_cred_get(new); - if (!mac_proc_enforce && !mac_vnode_enforce) +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_proc_enforce || !mac_vnode_enforce) return; +#endif /* mark the new cred to indicate "matching" includes the label */ pcred->cr_flags |= CRF_MAC_ENFORCE; @@ -536,8 +724,11 @@ mac_cred_check_label_update_execve(vfs_context_t ctx, struct vnode *vp, off_t of kauth_cred_t cred; int result = 0; - if (!mac_proc_enforce && !mac_vnode_enforce) +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_proc_enforce || !mac_vnode_enforce) return result; +#endif cred = vfs_context_ucred(ctx); @@ -594,11 +785,14 @@ mac_vnode_check_access(vfs_context_t ctx, struct vnode *vp, int error; int mask; - if (!mac_vnode_enforce || - !mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE)) +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_vnode_enforce) return 0; - +#endif cred = vfs_context_ucred(ctx); + if (!mac_cred_check_enforce(cred)) + return (0); /* Convert {R,W,X}_OK values to V{READ,WRITE,EXEC} for entry points */ mask = ACCESS_MODE_TO_VNODE_MASK(acc_mode); MAC_CHECK(vnode_check_access, cred, vp, vp->v_label, mask); @@ -611,11 +805,14 @@ mac_vnode_check_chdir(vfs_context_t ctx, struct vnode *dvp) kauth_cred_t cred; int error; - if (!mac_vnode_enforce || - !mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE)) - return (0); - +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_vnode_enforce) + return 0; +#endif cred = vfs_context_ucred(ctx); + if (!mac_cred_check_enforce(cred)) + return (0); MAC_CHECK(vnode_check_chdir, cred, dvp, dvp->v_label); return (error); } @@ -627,27 +824,52 @@ mac_vnode_check_chroot(vfs_context_t ctx, struct vnode *dvp, kauth_cred_t cred; int error; - if (!mac_vnode_enforce || - !mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE)) - return (0); - +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_vnode_enforce) + return 0; +#endif cred = vfs_context_ucred(ctx); + if (!mac_cred_check_enforce(cred)) + return (0); MAC_CHECK(vnode_check_chroot, cred, dvp, dvp->v_label, cnp); return (error); } int -mac_vnode_check_create(vfs_context_t ctx, struct vnode *dvp, - struct componentname *cnp, struct vnode_attr *vap) +mac_vnode_check_clone(vfs_context_t ctx, struct vnode *dvp, + struct vnode *vp, struct componentname *cnp) { kauth_cred_t cred; int error; - if (!mac_vnode_enforce || - !mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE)) +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_vnode_enforce) + return 0; +#endif + cred = vfs_context_ucred(ctx); + if (!mac_cred_check_enforce(cred)) return (0); + MAC_CHECK(vnode_check_clone, cred, dvp, dvp->v_label, vp, + vp->v_label, cnp); + return (error); +} +int +mac_vnode_check_create(vfs_context_t ctx, struct vnode *dvp, + struct componentname *cnp, struct vnode_attr *vap) +{ + kauth_cred_t cred; + int error; +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_vnode_enforce) + return 0; +#endif cred = vfs_context_ucred(ctx); + if (!mac_cred_check_enforce(cred)) + return (0); MAC_CHECK(vnode_check_create, cred, dvp, dvp->v_label, cnp, vap); return (error); } @@ -659,11 +881,14 @@ mac_vnode_check_unlink(vfs_context_t ctx, struct vnode *dvp, struct vnode *vp, kauth_cred_t cred; int error; - if (!mac_vnode_enforce || - !mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE)) - return (0); - +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_vnode_enforce) + return 0; +#endif cred = vfs_context_ucred(ctx); + if (!mac_cred_check_enforce(cred)) + return (0); MAC_CHECK(vnode_check_unlink, cred, dvp, dvp->v_label, vp, vp->v_label, cnp); return (error); @@ -676,11 +901,14 @@ mac_vnode_check_deleteacl(vfs_context_t ctx, struct vnode *vp, kauth_cred_t cred; int error; - if (!mac_vnode_enforce || - !mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE)) - return (0); - +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_vnode_enforce) + return 0; +#endif cred = vfs_context_ucred(ctx); + if (!mac_cred_check_enforce(cred)) + return (0); MAC_CHECK(vnode_check_deleteacl, cred, vp, vp->v_label, type); return (error); } @@ -693,11 +921,14 @@ mac_vnode_check_deleteextattr(vfs_context_t ctx, struct vnode *vp, kauth_cred_t cred; int error; - if (!mac_vnode_enforce || - !mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE)) - return (0); - +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_vnode_enforce) + return 0; +#endif cred = vfs_context_ucred(ctx); + if (!mac_cred_check_enforce(cred)) + return (0); MAC_CHECK(vnode_check_deleteextattr, cred, vp, vp->v_label, name); return (error); } @@ -708,11 +939,14 @@ mac_vnode_check_exchangedata(vfs_context_t ctx, kauth_cred_t cred; int error; - if (!mac_vnode_enforce || - !mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE)) - return (0); - +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_vnode_enforce) + return 0; +#endif cred = vfs_context_ucred(ctx); + if (!mac_cred_check_enforce(cred)) + return (0); MAC_CHECK(vnode_check_exchangedata, cred, v1, v1->v_label, v2, v2->v_label); @@ -726,28 +960,53 @@ mac_vnode_check_getacl(vfs_context_t ctx, struct vnode *vp, acl_type_t type) kauth_cred_t cred; int error; - if (!mac_vnode_enforce || - !mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE)) - return (0); - +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_vnode_enforce) + return 0; +#endif cred = vfs_context_ucred(ctx); + if (!mac_cred_check_enforce(cred)) + return (0); MAC_CHECK(vnode_check_getacl, cred, vp, vp->v_label, type); return (error); } #endif int -mac_vnode_check_getattrlist(vfs_context_t ctx, struct vnode *vp, - struct attrlist *alist) +mac_vnode_check_getattr(vfs_context_t ctx, struct ucred *file_cred, + struct vnode *vp, struct vnode_attr *va) { kauth_cred_t cred; int error; - if (!mac_vnode_enforce || - !mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE)) +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_vnode_enforce) + return 0; +#endif + cred = vfs_context_ucred(ctx); + if (!mac_cred_check_enforce(cred)) return (0); + MAC_CHECK(vnode_check_getattr, cred, file_cred, vp, vp->v_label, va); + return (error); +} +int +mac_vnode_check_getattrlist(vfs_context_t ctx, struct vnode *vp, + struct attrlist *alist) +{ + kauth_cred_t cred; + int error; + +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_vnode_enforce) + return 0; +#endif cred = vfs_context_ucred(ctx); + if (!mac_cred_check_enforce(cred)) + return (0); MAC_CHECK(vnode_check_getattrlist, cred, vp, vp->v_label, alist); /* Falsify results instead of returning error? */ @@ -761,8 +1020,11 @@ mac_vnode_check_exec(vfs_context_t ctx, struct vnode *vp, kauth_cred_t cred; int error = 0; - if (!mac_vnode_enforce || !mac_proc_enforce) - return (0); +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_proc_enforce || !mac_vnode_enforce) + return 0; +#endif cred = vfs_context_ucred(ctx); @@ -825,29 +1087,127 @@ mac_vnode_check_fsgetpath(vfs_context_t ctx, struct vnode *vp) kauth_cred_t cred; int error; - if (!mac_vnode_enforce || - !mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE)) - return (0); - +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_vnode_enforce) + return 0; +#endif cred = vfs_context_ucred(ctx); + if (!mac_cred_check_enforce(cred)) + return (0); MAC_CHECK(vnode_check_fsgetpath, cred, vp, vp->v_label); return (error); } int -mac_vnode_check_signature(struct vnode *vp, off_t macho_offset, - unsigned char *sha1, - const void *signature, size_t size, - int *is_platform_binary) +mac_vnode_check_signature(struct vnode *vp, struct cs_blob *cs_blob, + struct image_params *imgp, + unsigned int *cs_flags, unsigned int *signer_type, + int flags) { - int error; - - if (!mac_vnode_enforce || !mac_proc_enforce) - return (0); - - MAC_CHECK(vnode_check_signature, vp, vp->v_label, macho_offset, sha1, - signature, size, is_platform_binary); - return (error); + int error; + char *fatal_failure_desc = NULL; + size_t fatal_failure_desc_len = 0; + + char *vn_path = NULL; + vm_size_t vn_pathlen = MAXPATHLEN; + cpu_type_t cpu_type = (imgp == NULL) ? CPU_TYPE_ANY : imgp->ip_origcputype; + + +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_proc_enforce || !mac_vnode_enforce) + return 0; +#endif + + MAC_CHECK(vnode_check_signature, vp, vp->v_label, cpu_type, cs_blob, + cs_flags, signer_type, flags, &fatal_failure_desc, &fatal_failure_desc_len); + + if (fatal_failure_desc_len) { + // A fatal code signature validation failure occured, formulate a crash + // reason. + + char const *path = NULL; + + vn_path = (char *)kalloc(MAXPATHLEN); + if (vn_path != NULL) { + if (vn_getpath(vp, vn_path, (int*)&vn_pathlen) == 0) { + path = vn_path; + } else { + path = "(get vnode path failed)"; + } + } else { + path = "(path alloc failed)"; + } + + if (error == 0) { + panic("mac_vnode_check_signature: MAC hook returned no error, " + "but status is claimed to be fatal? " + "path: '%s', fatal_failure_desc_len: %ld, fatal_failure_desc:\n%s\n", + path, fatal_failure_desc_len, fatal_failure_desc); + } + + printf("mac_vnode_check_signature: %s: code signature validation failed fatally: %s", + path, fatal_failure_desc); + + if (imgp == NULL) { + goto out; + } + + os_reason_t reason = os_reason_create(OS_REASON_CODESIGNING, + CODESIGNING_EXIT_REASON_TASKGATED_INVALID_SIG); + + if (reason == OS_REASON_NULL) { + printf("mac_vnode_check_signature: %s: failure to allocate exit reason for validation failure: %s\n", + path, fatal_failure_desc); + goto out; + } + + imgp->ip_cs_error = reason; + reason->osr_flags = (OS_REASON_FLAG_GENERATE_CRASH_REPORT | + OS_REASON_FLAG_CONSISTENT_FAILURE); + + if (fatal_failure_desc == NULL) { + // This may happen if allocation for the buffer failed. + printf("mac_vnode_check_signature: %s: fatal failure is missing its description.\n", path); + } else { + mach_vm_address_t data_addr = 0; + + int reason_error = 0; + int kcdata_error = 0; + + if ((reason_error = os_reason_alloc_buffer_noblock(reason, kcdata_estimate_required_buffer_size + (1, fatal_failure_desc_len))) == 0 && + (kcdata_error = kcdata_get_memory_addr(&reason->osr_kcd_descriptor, + EXIT_REASON_USER_DESC, fatal_failure_desc_len, + &data_addr)) == KERN_SUCCESS) { + kern_return_t mc_error = kcdata_memcpy(&reason->osr_kcd_descriptor, (mach_vm_address_t)data_addr, + fatal_failure_desc, fatal_failure_desc_len); + + if (mc_error != KERN_SUCCESS) { + printf("mac_vnode_check_signature: %s: failed to copy reason string " + "(kcdata_memcpy error: %d, length: %ld)\n", + path, mc_error, fatal_failure_desc_len); + } + } else { + printf("mac_vnode_check_signature: %s: failed to allocate space for reason string " + "(os_reason_alloc_buffer error: %d, kcdata error: %d, length: %ld)\n", + path, reason_error, kcdata_error, fatal_failure_desc_len); + } + + } + } + +out: + if (vn_path) { + kfree(vn_path, MAXPATHLEN); + } + + if (fatal_failure_desc_len > 0 && fatal_failure_desc != NULL) { + kfree(fatal_failure_desc, fatal_failure_desc_len); + } + + return (error); } #if 0 @@ -857,11 +1217,14 @@ mac_vnode_check_getacl(vfs_context_t ctx, struct vnode *vp, acl_type_t type) kauth_cred_t cred; int error; - if (!mac_vnode_enforce || - !mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE)) - return (0); - +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_vnode_enforce) + return 0; +#endif cred = vfs_context_ucred(ctx); + if (!mac_cred_check_enforce(cred)) + return (0); MAC_CHECK(vnode_check_getacl, cred, vp, vp->v_label, type); return (error); } @@ -874,11 +1237,14 @@ mac_vnode_check_getextattr(vfs_context_t ctx, struct vnode *vp, kauth_cred_t cred; int error; - if (!mac_vnode_enforce || - !mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE)) - return (0); - +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_vnode_enforce) + return 0; +#endif cred = vfs_context_ucred(ctx); + if (!mac_cred_check_enforce(cred)) + return (0); MAC_CHECK(vnode_check_getextattr, cred, vp, vp->v_label, name, uio); return (error); @@ -890,11 +1256,14 @@ mac_vnode_check_ioctl(vfs_context_t ctx, struct vnode *vp, u_int cmd) kauth_cred_t cred; int error; - if (!mac_vnode_enforce || - !mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE)) +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_vnode_enforce) + return 0; +#endif + cred = vfs_context_ucred(ctx); + if (!mac_cred_check_enforce(cred)) return (0); - - cred = vfs_context_ucred(ctx); MAC_CHECK(vnode_check_ioctl, cred, vp, vp->v_label, cmd); return (error); } @@ -906,11 +1275,14 @@ mac_vnode_check_kqfilter(vfs_context_t ctx, kauth_cred_t file_cred, kauth_cred_t cred; int error; - if (!mac_vnode_enforce || - !mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE)) - return (0); - +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_vnode_enforce) + return 0; +#endif cred = vfs_context_ucred(ctx); + if (!mac_cred_check_enforce(cred)) + return (0); MAC_CHECK(vnode_check_kqfilter, cred, file_cred, kn, vp, vp->v_label); @@ -924,11 +1296,14 @@ mac_vnode_check_link(vfs_context_t ctx, struct vnode *dvp, kauth_cred_t cred; int error; - if (!mac_vnode_enforce || - !mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE)) - return (0); - +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_vnode_enforce) + return 0; +#endif cred = vfs_context_ucred(ctx); + if (!mac_cred_check_enforce(cred)) + return (0); MAC_CHECK(vnode_check_link, cred, dvp, dvp->v_label, vp, vp->v_label, cnp); return (error); @@ -940,12 +1315,34 @@ mac_vnode_check_listextattr(vfs_context_t ctx, struct vnode *vp) kauth_cred_t cred; int error; - if (!mac_vnode_enforce || - !mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE)) +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_vnode_enforce) + return 0; +#endif + cred = vfs_context_ucred(ctx); + if (!mac_cred_check_enforce(cred)) return (0); + MAC_CHECK(vnode_check_listextattr, cred, vp, vp->v_label); + return (error); +} +int +mac_vnode_check_lookup_preflight(vfs_context_t ctx, struct vnode *dvp, + const char *path, size_t pathlen) +{ + kauth_cred_t cred; + int error; + +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_vnode_enforce) + return 0; +#endif cred = vfs_context_ucred(ctx); - MAC_CHECK(vnode_check_listextattr, cred, vp, vp->v_label); + if (!mac_cred_check_enforce(cred)) + return (0); + MAC_CHECK(vnode_check_lookup_preflight, cred, dvp, dvp->v_label, path, pathlen); return (error); } @@ -956,11 +1353,14 @@ mac_vnode_check_lookup(vfs_context_t ctx, struct vnode *dvp, kauth_cred_t cred; int error; - if (!mac_vnode_enforce || - !mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE)) - return (0); - +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_vnode_enforce) + return 0; +#endif cred = vfs_context_ucred(ctx); + if (!mac_cred_check_enforce(cred)) + return (0); MAC_CHECK(vnode_check_lookup, cred, dvp, dvp->v_label, cnp); return (error); } @@ -971,11 +1371,14 @@ mac_vnode_check_open(vfs_context_t ctx, struct vnode *vp, int acc_mode) kauth_cred_t cred; int error; - if (!mac_vnode_enforce || - !mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE)) - return (0); - +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_vnode_enforce) + return 0; +#endif cred = vfs_context_ucred(ctx); + if (!mac_cred_check_enforce(cred)) + return (0); MAC_CHECK(vnode_check_open, cred, vp, vp->v_label, acc_mode); return (error); } @@ -987,11 +1390,14 @@ mac_vnode_check_read(vfs_context_t ctx, struct ucred *file_cred, kauth_cred_t cred; int error; - if (!mac_vnode_enforce || - !mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE)) - return (0); - +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_vnode_enforce) + return 0; +#endif cred = vfs_context_ucred(ctx); + if (!mac_cred_check_enforce(cred)) + return (0); MAC_CHECK(vnode_check_read, cred, file_cred, vp, vp->v_label); @@ -1004,11 +1410,14 @@ mac_vnode_check_readdir(vfs_context_t ctx, struct vnode *dvp) kauth_cred_t cred; int error; - if (!mac_vnode_enforce || - !mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE)) - return (0); - +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_vnode_enforce) + return 0; +#endif cred = vfs_context_ucred(ctx); + if (!mac_cred_check_enforce(cred)) + return (0); MAC_CHECK(vnode_check_readdir, cred, dvp, dvp->v_label); return (error); } @@ -1019,11 +1428,14 @@ mac_vnode_check_readlink(vfs_context_t ctx, struct vnode *vp) kauth_cred_t cred; int error; - if (!mac_vnode_enforce || - !mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE)) - return (0); - +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_vnode_enforce) + return 0; +#endif cred = vfs_context_ucred(ctx); + if (!mac_cred_check_enforce(cred)) + return (0); MAC_CHECK(vnode_check_readlink, cred, vp, vp->v_label); return (error); } @@ -1035,11 +1447,14 @@ mac_vnode_check_label_update(vfs_context_t ctx, struct vnode *vp, kauth_cred_t cred; int error; - if (!mac_vnode_enforce || - !mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE)) - return (0); - +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_vnode_enforce) + return 0; +#endif cred = vfs_context_ucred(ctx); + if (!mac_cred_check_enforce(cred)) + return (0); MAC_CHECK(vnode_check_label_update, cred, vp, vp->v_label, newlabel); return (error); @@ -1053,11 +1468,14 @@ mac_vnode_check_rename(vfs_context_t ctx, struct vnode *dvp, kauth_cred_t cred; int error; - if (!mac_vnode_enforce || - !mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE)) - return (0); - +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_vnode_enforce) + return 0; +#endif cred = vfs_context_ucred(ctx); + if (!mac_cred_check_enforce(cred)) + return (0); MAC_CHECK(vnode_check_rename_from, cred, dvp, dvp->v_label, vp, vp->v_label, cnp); @@ -1081,11 +1499,14 @@ mac_vnode_check_revoke(vfs_context_t ctx, struct vnode *vp) kauth_cred_t cred; int error; - if (!mac_vnode_enforce || - !mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE)) - return (0); - +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_vnode_enforce) + return 0; +#endif cred = vfs_context_ucred(ctx); + if (!mac_cred_check_enforce(cred)) + return (0); MAC_CHECK(vnode_check_revoke, cred, vp, vp->v_label); return (error); } @@ -1096,11 +1517,14 @@ mac_vnode_check_searchfs(vfs_context_t ctx, struct vnode *vp, struct attrlist *a kauth_cred_t cred; int error; - if (!mac_vnode_enforce || - !mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE)) - return (0); - +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_vnode_enforce) + return 0; +#endif cred = vfs_context_ucred(ctx); + if (!mac_cred_check_enforce(cred)) + return (0); MAC_CHECK(vnode_check_searchfs, cred, vp, vp->v_label, alist); return (error); } @@ -1111,32 +1535,36 @@ mac_vnode_check_select(vfs_context_t ctx, struct vnode *vp, int which) kauth_cred_t cred; int error; - if (!mac_vnode_enforce || - !mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE)) - return (0); - +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_vnode_enforce) + return 0; +#endif cred = vfs_context_ucred(ctx); + if (!mac_cred_check_enforce(cred)) + return (0); MAC_CHECK(vnode_check_select, cred, vp, vp->v_label, which); return (error); } -#if 0 int -mac_vnode_check_setacl(vfs_context_t ctx, struct vnode *vp, acl_type_t type, - struct acl *acl) +mac_vnode_check_setacl(vfs_context_t ctx, struct vnode *vp, + struct kauth_acl *acl) { kauth_cred_t cred; int error; - if (!mac_vnode_enforce || - !mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE)) - return (0); - +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_vnode_enforce) + return 0; +#endif cred = vfs_context_ucred(ctx); - MAC_CHECK(vnode_check_setacl, cred, vp, vp->v_label, type, acl); + if (!mac_cred_check_enforce(cred)) + return (0); + MAC_CHECK(vnode_check_setacl, cred, vp, vp->v_label, acl); return (error); } -#endif int mac_vnode_check_setattrlist(vfs_context_t ctx, struct vnode *vp, @@ -1145,11 +1573,14 @@ mac_vnode_check_setattrlist(vfs_context_t ctx, struct vnode *vp, kauth_cred_t cred; int error; - if (!mac_vnode_enforce || - !mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE)) - return (0); - +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_vnode_enforce) + return 0; +#endif cred = vfs_context_ucred(ctx); + if (!mac_cred_check_enforce(cred)) + return (0); MAC_CHECK(vnode_check_setattrlist, cred, vp, vp->v_label, alist); return (error); } @@ -1161,11 +1592,14 @@ mac_vnode_check_setextattr(vfs_context_t ctx, struct vnode *vp, kauth_cred_t cred; int error; - if (!mac_vnode_enforce || - !mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE)) - return (0); - +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_vnode_enforce) + return 0; +#endif cred = vfs_context_ucred(ctx); + if (!mac_cred_check_enforce(cred)) + return (0); MAC_CHECK(vnode_check_setextattr, cred, vp, vp->v_label, name, uio); return (error); @@ -1177,11 +1611,14 @@ mac_vnode_check_setflags(vfs_context_t ctx, struct vnode *vp, u_long flags) kauth_cred_t cred; int error; - if (!mac_vnode_enforce || - !mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE)) - return (0); - +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_vnode_enforce) + return 0; +#endif cred = vfs_context_ucred(ctx); + if (!mac_cred_check_enforce(cred)) + return (0); MAC_CHECK(vnode_check_setflags, cred, vp, vp->v_label, flags); return (error); } @@ -1192,11 +1629,14 @@ mac_vnode_check_setmode(vfs_context_t ctx, struct vnode *vp, mode_t mode) kauth_cred_t cred; int error; - if (!mac_vnode_enforce || - !mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE)) - return (0); - +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_vnode_enforce) + return 0; +#endif cred = vfs_context_ucred(ctx); + if (!mac_cred_check_enforce(cred)) + return (0); MAC_CHECK(vnode_check_setmode, cred, vp, vp->v_label, mode); return (error); } @@ -1208,11 +1648,14 @@ mac_vnode_check_setowner(vfs_context_t ctx, struct vnode *vp, uid_t uid, kauth_cred_t cred; int error; - if (!mac_vnode_enforce || - !mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE)) - return (0); - +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_vnode_enforce) + return 0; +#endif cred = vfs_context_ucred(ctx); + if (!mac_cred_check_enforce(cred)) + return (0); MAC_CHECK(vnode_check_setowner, cred, vp, vp->v_label, uid, gid); return (error); } @@ -1224,11 +1667,14 @@ mac_vnode_check_setutimes(vfs_context_t ctx, struct vnode *vp, kauth_cred_t cred; int error; - if (!mac_vnode_enforce || - !mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE)) - return (0); - +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_vnode_enforce) + return 0; +#endif cred = vfs_context_ucred(ctx); + if (!mac_cred_check_enforce(cred)) + return (0); MAC_CHECK(vnode_check_setutimes, cred, vp, vp->v_label, atime, mtime); return (error); @@ -1241,28 +1687,53 @@ mac_vnode_check_stat(vfs_context_t ctx, struct ucred *file_cred, kauth_cred_t cred; int error; - if (!mac_vnode_enforce || - !mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE)) - return (0); - +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_vnode_enforce) + return 0; +#endif cred = vfs_context_ucred(ctx); + if (!mac_cred_check_enforce(cred)) + return (0); MAC_CHECK(vnode_check_stat, cred, file_cred, vp, vp->v_label); return (error); } int -mac_vnode_check_truncate(vfs_context_t ctx, struct ucred *file_cred, - struct vnode *vp) +mac_vnode_check_trigger_resolve(vfs_context_t ctx, struct vnode *dvp, + struct componentname *cnp) { kauth_cred_t cred; int error; - if (!mac_vnode_enforce || - !mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE)) +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_vnode_enforce) + return 0; +#endif + cred = vfs_context_ucred(ctx); + if (!mac_cred_check_enforce(cred)) return (0); + MAC_CHECK(vnode_check_trigger_resolve, cred, dvp, dvp->v_label, cnp); + return (error); +} + +int +mac_vnode_check_truncate(vfs_context_t ctx, struct ucred *file_cred, + struct vnode *vp) +{ + kauth_cred_t cred; + int error; +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_vnode_enforce) + return 0; +#endif cred = vfs_context_ucred(ctx); + if (!mac_cred_check_enforce(cred)) + return (0); MAC_CHECK(vnode_check_truncate, cred, file_cred, vp, vp->v_label); @@ -1276,11 +1747,14 @@ mac_vnode_check_write(vfs_context_t ctx, struct ucred *file_cred, kauth_cred_t cred; int error; - if (!mac_vnode_enforce || - !mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE)) - return (0); - +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_vnode_enforce) + return 0; +#endif cred = vfs_context_ucred(ctx); + if (!mac_cred_check_enforce(cred)) + return (0); MAC_CHECK(vnode_check_write, cred, file_cred, vp, vp->v_label); return (error); @@ -1293,27 +1767,33 @@ mac_vnode_check_uipc_bind(vfs_context_t ctx, struct vnode *dvp, kauth_cred_t cred; int error; - if (!mac_vnode_enforce || - !mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE)) - return (0); - +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_vnode_enforce) + return 0; +#endif cred = vfs_context_ucred(ctx); + if (!mac_cred_check_enforce(cred)) + return (0); MAC_CHECK(vnode_check_uipc_bind, cred, dvp, dvp->v_label, cnp, vap); return (error); } int -mac_vnode_check_uipc_connect(vfs_context_t ctx, struct vnode *vp) +mac_vnode_check_uipc_connect(vfs_context_t ctx, struct vnode *vp, struct socket *so) { kauth_cred_t cred; int error; - if (!mac_vnode_enforce || - !mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE)) - return (0); - +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_vnode_enforce) + return 0; +#endif cred = vfs_context_ucred(ctx); - MAC_CHECK(vnode_check_uipc_connect, cred, vp, vp->v_label); + if (!mac_cred_check_enforce(cred)) + return (0); + MAC_CHECK(vnode_check_uipc_connect, cred, vp, vp->v_label, (socket_t) so); return (error); } @@ -1346,8 +1826,11 @@ mac_vnode_find_sigs(struct proc *p, struct vnode *vp, off_t offset) { int error; - if (!mac_vnode_enforce || !mac_proc_enforce) - return (0); +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_proc_enforce || !mac_vnode_enforce) + return 0; +#endif MAC_CHECK(vnode_find_sigs, p, vp, offset, vp->v_label); @@ -1410,27 +1893,90 @@ mac_mount_check_mount(vfs_context_t ctx, struct vnode *vp, kauth_cred_t cred; int error; - if (!mac_vnode_enforce || - !mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE)) +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_vnode_enforce) + return 0; +#endif + cred = vfs_context_ucred(ctx); + if (!mac_cred_check_enforce(cred)) return (0); + MAC_CHECK(mount_check_mount, cred, vp, vp->v_label, cnp, vfc_name); + + return (error); +} +int +mac_mount_check_snapshot_create(vfs_context_t ctx, struct mount *mp, + const char *name) +{ + kauth_cred_t cred; + int error; + +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_vnode_enforce) + return 0; +#endif cred = vfs_context_ucred(ctx); - MAC_CHECK(mount_check_mount, cred, vp, vp->v_label, cnp, vfc_name); + if (!mac_cred_check_enforce(cred)) + return (0); + MAC_CHECK(mount_check_snapshot_create, cred, mp, name); + return (error); +} + +int +mac_mount_check_snapshot_delete(vfs_context_t ctx, struct mount *mp, + const char *name) +{ + kauth_cred_t cred; + int error; +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_vnode_enforce) + return 0; +#endif + cred = vfs_context_ucred(ctx); + if (!mac_cred_check_enforce(cred)) + return (0); + MAC_CHECK(mount_check_snapshot_delete, cred, mp, name); return (error); } int -mac_mount_check_remount(vfs_context_t ctx, struct mount *mp) +mac_mount_check_snapshot_revert(vfs_context_t ctx, struct mount *mp, + const char *name) { kauth_cred_t cred; int error; - if (!mac_vnode_enforce || - !mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE)) +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_vnode_enforce) + return 0; +#endif + cred = vfs_context_ucred(ctx); + if (!mac_cred_check_enforce(cred)) return (0); + MAC_CHECK(mount_check_snapshot_revert, cred, mp, name); + return (error); +} +int +mac_mount_check_remount(vfs_context_t ctx, struct mount *mp) +{ + kauth_cred_t cred; + int error; + +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_vnode_enforce) + return 0; +#endif cred = vfs_context_ucred(ctx); + if (!mac_cred_check_enforce(cred)) + return (0); MAC_CHECK(mount_check_remount, cred, mp, mp->mnt_mntlabel); return (error); @@ -1442,11 +1988,14 @@ mac_mount_check_umount(vfs_context_t ctx, struct mount *mp) kauth_cred_t cred; int error; - if (!mac_vnode_enforce || - !mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE)) - return (0); - +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_vnode_enforce) + return 0; +#endif cred = vfs_context_ucred(ctx); + if (!mac_cred_check_enforce(cred)) + return (0); MAC_CHECK(mount_check_umount, cred, mp, mp->mnt_mntlabel); return (error); @@ -1459,11 +2008,14 @@ mac_mount_check_getattr(vfs_context_t ctx, struct mount *mp, kauth_cred_t cred; int error; - if (!mac_vnode_enforce || - !mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE)) - return (0); - +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_vnode_enforce) + return 0; +#endif cred = vfs_context_ucred(ctx); + if (!mac_cred_check_enforce(cred)) + return (0); MAC_CHECK(mount_check_getattr, cred, mp, mp->mnt_mntlabel, vfa); return (error); } @@ -1475,11 +2027,14 @@ mac_mount_check_setattr(vfs_context_t ctx, struct mount *mp, kauth_cred_t cred; int error; - if (!mac_vnode_enforce || - !mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE)) - return (0); - +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_vnode_enforce) + return 0; +#endif cred = vfs_context_ucred(ctx); + if (!mac_cred_check_enforce(cred)) + return (0); MAC_CHECK(mount_check_setattr, cred, mp, mp->mnt_mntlabel, vfa); return (error); } @@ -1490,11 +2045,14 @@ mac_mount_check_stat(vfs_context_t ctx, struct mount *mount) kauth_cred_t cred; int error; - if (!mac_vnode_enforce || - !mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE)) - return (0); - +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_vnode_enforce) + return 0; +#endif cred = vfs_context_ucred(ctx); + if (!mac_cred_check_enforce(cred)) + return (0); MAC_CHECK(mount_check_stat, cred, mount, mount->mnt_mntlabel); return (error); @@ -1506,11 +2064,14 @@ mac_mount_check_label_update(vfs_context_t ctx, struct mount *mount) kauth_cred_t cred; int error; - if (!mac_vnode_enforce || - !mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE)) - return (0); - +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_vnode_enforce) + return 0; +#endif cred = vfs_context_ucred(ctx); + if (!mac_cred_check_enforce(cred)) + return (0); MAC_CHECK(mount_check_label_update, cred, mount, mount->mnt_mntlabel); return (error); @@ -1522,11 +2083,14 @@ mac_mount_check_fsctl(vfs_context_t ctx, struct mount *mp, u_int cmd) kauth_cred_t cred; int error; - if (!mac_vnode_enforce || - !mac_context_check_enforce(ctx, MAC_VNODE_ENFORCE)) - return (0); - +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_vnode_enforce) + return 0; +#endif cred = vfs_context_ucred(ctx); + if (!mac_cred_check_enforce(cred)) + return (0); MAC_CHECK(mount_check_fsctl, cred, mp, mp->mnt_mntlabel, cmd); return (error); @@ -1536,8 +2100,11 @@ void mac_devfs_label_associate_device(dev_t dev, struct devnode *de, const char *fullpath) { +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ if (!mac_device_enforce) return; +#endif MAC_PERFORM(devfs_label_associate_device, dev, de, de->dn_label, fullpath); @@ -1547,8 +2114,11 @@ void mac_devfs_label_associate_directory(const char *dirname, int dirnamelen, struct devnode *de, const char *fullpath) { +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ if (!mac_device_enforce) return; +#endif MAC_PERFORM(devfs_label_associate_directory, dirname, dirnamelen, de, de->dn_label, fullpath); @@ -1559,7 +2129,12 @@ vn_setlabel(struct vnode *vp, struct label *intlabel, vfs_context_t context) { int error; - if (!mac_vnode_enforce || !mac_label_vnodes) +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_vnode_enforce) + return 0; +#endif + if (!mac_label_vnodes) return (0); if (vp->v_mount == NULL) { @@ -1673,6 +2248,8 @@ mac_vnode_label_associate_fdesc(struct mount *mp, struct fdescnode *fnp, break; case DTYPE_KQUEUE: case DTYPE_FSEVENTS: + case DTYPE_ATALK: + case DTYPE_NETPOLICY: default: MAC_PERFORM(vnode_label_associate_file, vfs_context_ucred(ctx), mp, mp->mnt_mntlabel, fp->f_fglob, fp->f_fglob->fg_label,