PERFORCE change 109974 for review
Todd Miller
millert at FreeBSD.org
Tue Nov 14 19:21:33 UTC 2006
http://perforce.freebsd.org/chv.cgi?CH=109974
Change 109974 by millert at millert_g5tower on 2006/11/14 19:12:13
Sort mac_policy.h and mac_framework.h.
Add mac_mount_check_fsctl() and mac_vnode_check_ioctl().
Affected files ...
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/vfs/vfs_syscalls.c#13 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/vfs/vfs_vnops.c#6 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_framework.h#17 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_policy.h#26 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_vfs.c#19 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/sorted-framework.vim#1 add
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/sorted-policynames.vim#4 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/mls/mac_mls.c#21 edit
Differences ...
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/vfs/vfs_syscalls.c#13 (text+ko) ====
@@ -5329,6 +5329,15 @@
NDINIT(&nd, LOOKUP, nameiflags, UIO_USERSPACE, uap->path, &context);
if ((error = namei(&nd))) goto FSCtl_Exit;
+#ifdef MAC
+ error = mac_mount_check_fsctl(context.vc_ucred, vnode_mount(nd.ni_vp), cmd, data);
+ if (error) {
+ vnode_put(nd.ni_vp);
+ nameidone(&nd);
+ goto FSCtl_Exit;
+ }
+#endif
+
/* Invoke the filesystem-specific code */
error = VNOP_IOCTL(nd.ni_vp, IOCBASECMD(cmd), data, uap->options, &context);
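Review bot: The new hook is handed `cmd` while the filesystem on the next line is handed `IOCBASECMD(cmd)`, so a policy sees the full command word (direction and size bits included) and must mask it itself; either pass the same form to both or state in the prototype's comment which form the policy receives. The prototype added in mac_framework.h declares the command as `int com`, whereas the existing `mac_file_check_ioctl` and `mac_pipe_check_ioctl` on this page take `u_long`/`unsigned long`; if `cmd` is `u_long` here, as ioctl commands usually are, the implicit narrowing turns commands with the IOC_IN bit set into negative values that no longer compare equal to `_IOW()`-style constants in a policy. Declaring `u_long com` in both new prototypes (`mac_mount_check_fsctl` and `mac_vnode_check_ioctl`, the latter also called from the vfs_vnops.c hunk) would keep them consistent with the sibling checks. fsctl's body continues outside the hunk, so whether the success path releases nd.ni_vp the same way the new error path does cannot be confirmed here.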
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/vfs/vfs_vnops.c#6 (text+ko) ====
@@ -848,6 +848,12 @@
context.vc_proc = p;
context.vc_ucred = p->p_ucred; /* XXX kauth_cred_get() ??? */
+#ifdef MAC
+ error = mac_vnode_check_ioctl(context.vc_ucred, vp, com, data);
+ if (error)
+ goto out;
+#endif
+
switch (vp->v_type) {
case VREG:
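Review bot: The credential passed to `mac_vnode_check_ioctl` is `context.vc_ucred`, which the line above fills from `p->p_ucred` under an existing `XXX kauth_cred_get() ???` comment, so the access decision now rests on that unresolved choice; settling the XXX before adding a policy check on the same field would be safer, and a one-line comment on the hook call such as `/* MAC decision is made against the caller's process credential. */` would make the intent explicit. The `out` label is outside the hunk, so I could not confirm that nothing set up before the `switch` is left for it to undo; vn_ioctl's body continues beyond the hunk.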
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_framework.h#17 (text+ko) ====
@@ -36,6 +36,7 @@
* SUCH DAMAGE.
*
* $FreeBSD: src/sys/sys/mac.h,v 1.40 2003/04/18 19:57:37 rwatson Exp $
+ *
*/
/*
* Kernel interface for Mandatory Access Control -- how kernel services
@@ -81,293 +82,177 @@
struct pipe;
struct task;
-/*
- * Framework initialization.
- */
-void mac_policy_initbsd(void);
+/*@ macros */
+#define VNODE_LABEL_CREATE 1
+#define VNODE_LABEL_NEEDREF 2
+#define mac_task_label_update_cred(cred, task) \
+ mac_task_label_update_internal(((cred)->cr_label), task)
-/*
- * Label operations.
- */
-void mac_cred_label_init(struct ucred *);
-void mac_devfs_label_init(struct devnode *);
-void mac_file_label_init(struct fileglob *fg);
-int mac_mbuf_label_init(struct mbuf *, int);
-int mac_mbuf_tag_init(struct m_tag *, int);
-void mac_mount_label_init(struct mount *);
-void mac_pipe_label_init(struct pipe *cpipe);
-void mac_posixsem_label_init(struct pseminfo *);
-void mac_posixshm_label_init(struct pshminfo *);
-void mac_proc_label_init(struct proc *);
-int mac_socket_label_init(struct socket *, int waitok);
-void mac_sysvmsg_label_init(struct msg *);
-void mac_sysvmsq_label_init(struct msqid_kernel *msqptr);
-void mac_sysvsem_label_init(struct semid_kernel*);
-void mac_sysvshm_label_init(struct shmid_kernel*);
-void mac_vnode_label_init(struct vnode *vp);
-void mac_vnode_label_copy(struct label *, struct label *label);
-void mac_devfs_label_copy(struct label *, struct label *label);
-void mac_mbuf_tag_copy(struct m_tag *, struct m_tag *);
-void mac_mbuf_label_copy(struct mbuf *m_from, struct mbuf *m_to);
-void mac_socket_label_copy(struct label *from, struct label *to);
-void mac_file_label_associate(struct ucred *cred, struct fileglob *fg);
-void mac_cred_label_destroy(struct ucred *);
-void mac_devfs_label_destroy(struct devnode *);
-void mac_file_label_destroy(struct fileglob *fg);
-void mac_mbuf_label_destroy(struct mbuf *);
-void mac_mbuf_tag_destroy(struct m_tag *);
-void mac_mount_label_destroy(struct mount *);
-void mac_pipe_label_destroy(struct pipe *cpipe);
-void mac_posixsem_label_destroy(struct pseminfo *);
-void mac_posixshm_label_destroy(struct pshminfo *);
-void mac_proc_label_destroy(struct proc *);
-void mac_socket_label_destroy(struct socket *);
-void mac_sysvsem_label_destroy(struct semid_kernel *);
-void mac_sysvshm_label_destroy(struct shmid_kernel *);
-void mac_vnode_label_destroy(struct vnode *);
-int mac_mount_label_internalize(struct label *, char *string);
-int mac_mount_label_externalize(struct label *label, char *elements,
- char *outbuf, size_t outbuflen);
-int mac_mount_label_get(struct mount *mp, user_addr_t mac_p);
-
+/*@ === */
+int mac_audit_check_postselect(struct ucred *cred, unsigned short syscode,
+ void *args, int error, int retval, int mac_forced);
+int mac_audit_check_preselect(struct ucred *cred, unsigned short syscode,
+ void *args);
+int mac_cred_check_label_update(struct ucred *cred,
+ struct label *newlabel);
+int mac_cred_check_label_update_execve(struct ucred *old,
+ struct vnode *vp, struct label *scriptvnodelabel,
+ struct label *execlabel, struct proc *proc);
+int mac_cred_check_visible(struct ucred *u1, struct ucred *u2);
struct label *mac_cred_label_alloc(void);
-void mac_cred_label_free(struct label *label);
-int mac_cred_label_externalize_audit(struct proc *p, struct mac *mac);
-struct label *mac_vnode_label_alloc(void);
-void mac_vnode_label_free(struct label *label);
-int mac_vnode_label_externalize_audit(struct vnode *vp, struct mac *mac);
-struct label *mac_lctx_label_alloc(void);
-void mac_lctx_label_free(struct label *label);
-
-#define mac_task_label_update_cred(cred, task) \
- mac_task_label_update_internal(((cred)->cr_label), task)
-
-/*
- * Labeling event operations: file system objects, and things that
- * look a lot like file system objects.
- */
-int mac_vnode_label_associate(struct mount *mp, struct vnode *vp, vfs_context_t ctx);
-void mac_vnode_label_associate_devfs(struct mount *mp, struct devnode *de,
- struct vnode *vp);
-int mac_vnode_label_associate_extattr(struct mount *mp, struct vnode *vp);
-void mac_vnode_label_associate_singlelabel(struct mount *mp, struct vnode *vp);
-int mac_vnode_label_associate_fdesc(struct mount *mp, struct fdescnode *fnp,
- struct vnode *vp, vfs_context_t ctx);
+void mac_cred_label_associate(struct ucred *cred_parent,
+ struct ucred *cred_child);
+void mac_cred_label_associate_kernel(struct ucred *cred);
+void mac_cred_label_associate_user(struct ucred *cred);
+void mac_cred_label_destroy(struct ucred *cred);
+int mac_cred_label_externalize_audit(struct proc *p, struct mac *mac);
+void mac_cred_label_free(struct label *label);
+void mac_cred_label_init(struct ucred *cred);
+void mac_cred_label_update(struct ucred *cred, struct label *newlabel);
+void mac_cred_label_update_execve(struct ucred *old, struct ucred *newcred,
+ struct vnode *vp, struct label *scriptvnodelabel,
+ struct label *execlabel);
void mac_devfs_label_associate_device(dev_t dev, struct devnode *de,
const char *fullpath);
void mac_devfs_label_associate_directory(char *dirname, int dirnamelen,
struct devnode *de, const char *fullpath);
-int mac_vnode_notify_create(struct ucred *cred, struct mount *mp,
- struct vnode *dvp, struct vnode *vp, struct componentname *cnp);
-void mac_mount_label_associate(struct ucred *cred, struct mount *mp);
-void mac_vnode_label_update(struct ucred *cred, struct vnode *vp,
- struct label *newlabel);
-void mac_vnode_label_update_extattr(struct mount *mp, struct vnode *vp,
- const char *name);
+void mac_devfs_label_copy(struct label *, struct label *label);
+void mac_devfs_label_destroy(struct devnode *de);
+void mac_devfs_label_init(struct devnode *de);
void mac_devfs_label_update(struct mount *mp, struct devnode *de,
struct vnode *vp);
-
-#define VNODE_LABEL_CREATE 1
-#define VNODE_LABEL_NEEDREF 2
-int vnode_label(struct mount *mp, struct vnode *dvp, struct vnode *vp,
- struct componentname *cnp, int flags, vfs_context_t ctx);
-int vnode_label1(struct vnode *vp);
-void vnode_relabel(struct vnode *vp);
-
-/*
- * Labeling event operations: Posix IPC primitives
- */
-void mac_posixsem_label_associate(struct ucred *cred, struct pseminfo *psem,
- const char *name);
-void mac_posixshm_label_associate(struct ucred *cred, struct pshminfo *pshm,
- const char *name);
-
-/*
- * Labeling event operations: sockets and network IPC
- *
- * Note: all functions involving sockets (and other network objects yet to be
- * implemented) hold (and rely on) the NETWORK_FUNNEL as opposed to the
- * KERNEL_FUNNEL. When reading/writing kernel network objects, be sure to
- * hold the NETWORK_FUNNEL. When reading/writing other types of kernel
- * objects (vnode for example), be sure to hold the KERNEL_FUNNEL.
- *
- * XXX: Note that cred can be NULL in mac_socket_label_associate() in Darwin.
- */
-void mac_socket_label_associate(struct ucred *cred, struct socket *so);
-void mac_socket_label_associate_accept(struct socket *oldsocket,
- struct socket *newsocket);
-void mac_mbuf_label_associate_bpfdesc(struct bpf_d *bpf_d, struct mbuf *m);
-void mac_mbuf_label_associate_ifnet(struct ifnet *ifp, struct mbuf *m);
-void mac_mbuf_label_associate_socket(struct socket *so, struct mbuf *m);
-void mac_socketpeer_label_associate_socket(struct socket *peersocket,
- struct socket *socket_to_modify);
-
-/*
- * Labeling event operations: System V IPC primitives
- */
-void mac_sysvmsg_label_associate(struct ucred *cred,
- struct msqid_kernel *msqptr, struct msg *msgptr);
-void mac_sysvmsq_label_associate(struct ucred *cred,
- struct msqid_kernel *msqptr);
-void mac_sysvsem_label_associate(struct ucred *cred,
- struct semid_kernel *semakptr);
-void mac_sysvshm_label_associate(struct ucred *cred,
- struct shmid_kernel *shmsegptr);
-
-/*
- * Labeling event operations: processes.
- */
-void mac_cred_label_update(struct ucred *cred, struct label *newlabel);
-void mac_cred_label_associate(struct ucred *cred_parent, struct ucred *cred_child);
int mac_execve_enter(user_addr_t mac_p, struct label *execlabel);
-#if 0
-void mac_execve_exit(struct image_params *imgp);
-#endif
-void mac_cred_label_update_execve(struct ucred *old, struct ucred *newcred,
- struct vnode *vp, struct label *scriptvnodelabel,
- struct label *execlabel);
-int mac_cred_check_label_update_execve(struct ucred *old, struct vnode *vp,
- struct label *scriptvnodelabel, struct label *execlabel,
- struct proc *p);
-void mac_cred_label_associate_kernel(struct ucred *cred);
-void mac_cred_label_associate_user(struct ucred *cred);
-#if 0
-void mac_thread_userret(struct uthread *td);
-#endif
-
-void mac_lctx_label_update(struct lctx *l, struct label *newlabel);
-
-/*
- * Labeling operations for pipes.
- */
-struct label *mac_pipe_label_alloc(void);
-void mac_pipe_label_free(struct label *label);
-void mac_pipe_label_copy(struct label *src, struct label *dest);
-void mac_pipe_label_associate(struct ucred *cred, struct pipe *cpipe);
-int mac_pipe_label_update(struct ucred *cred, struct pipe *cpipe,
- struct label *label);
-
-/*
- * Label cleanup operation: This is the inverse complement for the mac_create
- * and associate type of hooks. This hook lets the policy module(s) perform
- * a cleanup/flushing operation on the label associated with the objects,
- * without freeing up the space allocated. This hook is useful in cases
- * where it is desirable to remove any labeling reference when recycling any
- * object to a pool. This hook does not replace the mac_destroy hooks.
- */
-void mac_sysvmsg_label_recycle(struct msg *msgptr);
-void mac_sysvmsq_label_recycle(struct msqid_kernel *msqptr);
-void mac_sysvsem_label_recycle(struct semid_kernel *semakptr);
-void mac_sysvshm_label_recycle(struct shmid_kernel *shmsegptr);
-void mac_vnode_label_recycle(struct vnode *vp);
-
-/*
- * Access control checks.
- */
-int mac_cred_check_label_update(struct ucred *cred, struct label *newlabel);
-int mac_cred_check_visible(struct ucred *u1, struct ucred *u2);
-int mac_lctx_check_label_update(struct lctx *l, struct label *newlabel);
-int mac_posixsem_check_create(struct ucred *cred, const char *name);
-int mac_posixsem_check_open(struct ucred *cred, struct pseminfo *ps);
-int mac_posixsem_check_post(struct ucred *cred, struct pseminfo *ps);
-int mac_posixsem_check_unlink(struct ucred *cred, struct pseminfo *ps,
- const char *name);
-int mac_posixsem_check_wait(struct ucred *cred, struct pseminfo *ps);
-int mac_posixshm_check_create(struct ucred *cred, const char *name);
-int mac_posixshm_check_open(struct ucred *cred, struct pshminfo *ps);
-int mac_posixshm_check_mmap(struct ucred *cred, struct pshminfo *ps,
- int prot, int flags);
-int mac_posixshm_check_stat(struct ucred *cred, struct pshminfo *ps);
-int mac_posixshm_check_truncate(struct ucred *cred, struct pshminfo *ps,
- size_t s);
-int mac_posixshm_check_unlink(struct ucred *cred, struct pshminfo *ps,
- const char *name);
-int mac_sysvmsq_check_enqueue(struct ucred *cred, struct msg *msgptr,
- struct msqid_kernel *msqptr);
-int mac_sysvmsq_check_msgrcv(struct ucred *cred, struct msg *msgptr);
-int mac_sysvmsq_check_msgrmid(struct ucred *cred, struct msg *msgptr);
-int mac_sysvmsq_check_msqctl(struct ucred *cred, struct msqid_kernel *msqptr,
- int cmd);
-int mac_sysvmsq_check_msqget(struct ucred *cred, struct msqid_kernel *msqptr);
-int mac_sysvmsq_check_msqsnd(struct ucred *cred, struct msqid_kernel *msqptr);
-int mac_sysvmsq_check_msqrcv(struct ucred *cred, struct msqid_kernel *msqptr);
-int mac_sysvsem_check_semctl(struct ucred *cred,
- struct semid_kernel *semakptr, int cmd);
+int mac_file_check_change_flags(struct ucred *cred, struct fileglob *fg,
+ u_int oldflags, u_int newflags);
+int mac_file_check_change_offset(struct ucred *cred, struct fileglob *fg);
+int mac_file_check_change_ofileflags(struct ucred *cred,
+ struct fileglob *fg, char oldflags, char newflags);
+int mac_file_check_create(struct ucred *cred);
+int mac_file_check_dup(struct ucred *cred, struct fileglob *fg, int newfd);
int mac_file_check_fcntl(struct ucred *cred, struct fileglob *fg, int cmd,
long arg);
int mac_file_check_get(struct ucred *cred, struct fileglob *fg,
char *elements, int len);
-int mac_file_check_create(struct ucred *cred);
-int mac_file_check_dup(struct ucred *cred, struct fileglob *fg, int newfd);
-int mac_file_check_ioctl(struct ucred *cred, struct fileglob *fg,
- u_long com, void *data);
-int mac_file_check_inherit(struct ucred *cred, struct fileglob *fg);
-int mac_file_check_receive(struct ucred *cred, struct fileglob *fg);
int mac_file_check_get_flags(struct ucred *cred, struct fileglob *fg,
u_int flags);
+int mac_file_check_get_offset(struct ucred *cred, struct fileglob *fg);
int mac_file_check_get_ofileflags(struct ucred *cred, struct fileglob *fg,
char flags);
-int mac_file_check_change_flags(struct ucred *cred, struct fileglob *fg,
- u_int oldflags, u_int newflags);
-int mac_file_check_change_ofileflags(struct ucred *cred,
- struct fileglob *fg, char oldflags, char newflags);
-int mac_file_check_get_offset(struct ucred *cred, struct fileglob *fg);
-int mac_file_check_change_offset(struct ucred *cred, struct fileglob *fg);
+int mac_file_check_inherit(struct ucred *cred, struct fileglob *fg);
+int mac_file_check_ioctl(struct ucred *cred, struct fileglob *fg,
+ u_long com, void *data);
int mac_file_check_mmap(struct ucred *cred, struct fileglob *fg,
int prot, int flags, int *maxprot);
void mac_file_check_mmap_downgrade(struct ucred *cred, struct fileglob *fg,
int *prot);
+int mac_file_check_receive(struct ucred *cred, struct fileglob *fg);
int mac_file_check_set(struct ucred *cred, struct fileglob *fg,
char *buf, int buflen);
-int mac_sysvsem_check_semget(struct ucred *cred,
- struct semid_kernel *semakptr);
-int mac_sysvsem_check_semop(struct ucred *cred,struct semid_kernel *semakptr,
- size_t accesstype);
-int mac_sysvshm_check_shmat(struct ucred *cred,
- struct shmid_kernel *shmsegptr, int shmflg);
-int mac_sysvshm_check_shmctl(struct ucred *cred,
- struct shmid_kernel *shmsegptr, int cmd);
-int mac_sysvshm_check_shmdt(struct ucred *cred,
- struct shmid_kernel *shmsegptr);
-int mac_sysvshm_check_shmget(struct ucred *cred,
- struct shmid_kernel *shmsegptr, int shmflg);
+void mac_file_label_associate(struct ucred *cred, struct fileglob *fg);
+void mac_file_label_destroy(struct fileglob *fg);
+void mac_file_label_init(struct fileglob *fg);
+int mac_lctx_check_label_update(struct lctx *l, struct label *newlabel);
+struct label *mac_lctx_label_alloc(void);
+void mac_lctx_label_free(struct label *label);
+void mac_lctx_label_update(struct lctx *l, struct label *newlabel);
+void mac_lctx_notify_create(struct proc *proc, struct lctx *l);
+void mac_lctx_notify_join(struct proc *proc, struct lctx *l);
+void mac_lctx_notify_leave(struct proc *proc, struct lctx *l);
+void mac_mbuf_label_associate_bpfdesc(struct bpf_d *bpf_d, struct mbuf *m);
+void mac_mbuf_label_associate_ifnet(struct ifnet *ifp, struct mbuf *m);
+void mac_mbuf_label_associate_socket(struct socket *so, struct mbuf *m);
+void mac_mbuf_label_copy(struct mbuf *m_from, struct mbuf *m_to);
+void mac_mbuf_label_destroy(struct mbuf *m);
+int mac_mbuf_label_init(struct mbuf *m, int flag);
+void mac_mbuf_tag_copy(struct m_tag *m, struct m_tag *mtag);
+void mac_mbuf_tag_destroy(struct m_tag *mtag);
+int mac_mbuf_tag_init(struct m_tag *, int how);
+int mac_mount_check_fsctl(struct ucred *cred, struct mount *mp,
+ int com, caddr_t data);
+int mac_mount_check_getattr(struct ucred *cred, struct mount *mp,
+ struct vfs_attr *vfa);
+int mac_mount_check_label_update(struct ucred *cred, struct mount *mp);
int mac_mount_check_mount(struct ucred *cred, struct vnode *vp,
const char *vfc_name);
int mac_mount_check_remount(struct ucred *cred, struct mount *mp);
-int mac_mount_check_umount(struct ucred *cred, struct mount *mp);
-int mac_mount_check_getattr(struct ucred *cred, struct mount *mp,
- struct vfs_attr *vfa);
int mac_mount_check_setattr(struct ucred *cred, struct mount *mp,
struct vfs_attr *vfa);
int mac_mount_check_stat(struct ucred *cred, struct mount *mp);
-int mac_mount_check_label_update(struct ucred *cred, struct mount *mp);
+int mac_mount_check_umount(struct ucred *cred, struct mount *mp);
+void mac_mount_label_associate(struct ucred *cred, struct mount *mp);
+void mac_mount_label_destroy(struct mount *mp);
+int mac_mount_label_externalize(struct label *label, char *elements,
+ char *outbuf, size_t outbuflen);
+int mac_mount_label_get(struct mount *mp, user_addr_t mac_p);
+void mac_mount_label_init(struct mount *);
+int mac_mount_label_internalize(struct label *, char *string);
+int mac_pipe_check_ioctl(struct ucred *cred, struct pipe *cpipe,
+ unsigned long cmd, void *data);
int mac_pipe_check_kqfilter(struct ucred *cred, struct knote *kn,
struct pipe *cpipe);
-int mac_pipe_check_ioctl(struct ucred *cred, struct pipe *cpipe,
- unsigned long cmd, void *data);
int mac_pipe_check_read(struct ucred *cred, struct pipe *cpipe);
int mac_pipe_check_select(struct ucred *cred, struct pipe *cpipe,
int which);
int mac_pipe_check_stat(struct ucred *cred, struct pipe *cpipe);
int mac_pipe_check_write(struct ucred *cred, struct pipe *cpipe);
+struct label *mac_pipe_label_alloc(void);
+void mac_pipe_label_associate(struct ucred *cred, struct pipe *cpipe);
+void mac_pipe_label_copy(struct label *src, struct label *dest);
+void mac_pipe_label_destroy(struct pipe *cpipe);
+void mac_pipe_label_free(struct label *label);
+void mac_pipe_label_init(struct pipe *cpipe);
+int mac_pipe_label_update(struct ucred *cred, struct pipe *cpipe,
+ struct label *label);
+void mac_policy_initbsd(void);
+int mac_posixsem_check_create(struct ucred *cred, const char *name);
+int mac_posixsem_check_open(struct ucred *cred, struct pseminfo *psem);
+int mac_posixsem_check_post(struct ucred *cred, struct pseminfo *psem);
+int mac_posixsem_check_unlink(struct ucred *cred, struct pseminfo *psem,
+ const char *name);
+int mac_posixsem_check_wait(struct ucred *cred, struct pseminfo *psem);
+void mac_posixsem_label_associate(struct ucred *cred,
+ struct pseminfo *psem, const char *name);
+void mac_posixsem_label_destroy(struct pseminfo *psem);
+void mac_posixsem_label_init(struct pseminfo *psem);
+int mac_posixshm_check_create(struct ucred *cred, const char *name);
+int mac_posixshm_check_mmap(struct ucred *cred, struct pshminfo *pshm,
+ int prot, int flags);
+int mac_posixshm_check_open(struct ucred *cred, struct pshminfo *pshm);
+int mac_posixshm_check_stat(struct ucred *cred, struct pshminfo *pshm);
+int mac_posixshm_check_truncate(struct ucred *cred, struct pshminfo *pshm,
+ size_t s);
+int mac_posixshm_check_unlink(struct ucred *cred, struct pshminfo *pshm,
+ const char *name);
+void mac_posixshm_label_associate(struct ucred *cred,
+ struct pshminfo *pshm, const char *name);
+void mac_posixshm_label_destroy(struct pshminfo *pshm);
+void mac_posixshm_label_init(struct pshminfo *pshm);
int mac_proc_check_debug(struct ucred *cred, struct proc *proc);
int mac_proc_check_getaudit(struct ucred *cred);
int mac_proc_check_getauid(struct ucred *cred);
+int mac_proc_check_getlcid(struct proc *proc1, struct proc *proc2,
+ pid_t pid);
+int mac_proc_check_mprotect(struct ucred *cred, struct proc *proc,
+ void *addr, size_t size, int prot);
int mac_proc_check_sched(struct ucred *cred, struct proc *proc);
int mac_proc_check_setaudit(struct ucred *cred, struct auditinfo *ai);
int mac_proc_check_setauid(struct ucred *cred, uid_t auid);
+int mac_proc_check_setlcid(struct proc *proc1, struct proc *proc2,
+ pid_t pid1, pid_t pid2);
int mac_proc_check_signal(struct ucred *cred, struct proc *proc,
int signum);
int mac_proc_check_wait(struct ucred *cred, struct proc *proc);
-int mac_proc_check_setlcid(struct proc *, struct proc *, pid_t, pid_t);
-int mac_proc_check_getlcid(struct proc *, struct proc *, pid_t);
+void mac_proc_label_destroy(struct proc *proc);
+void mac_proc_label_init(struct proc *proc);
+int mac_setsockopt_label(struct ucred *cred, struct socket *so,
+ struct mac *extmac);
int mac_socket_check_accept(struct ucred *cred, struct socket *so);
int mac_socket_check_bind(struct ucred *cred, struct socket *so,
struct sockaddr *addr);
int mac_socket_check_connect(struct ucred *cred, struct socket *so,
struct sockaddr *addr);
-int mac_socket_check_create(struct ucred *cred, int domain, int type,
- int protocol);
+int mac_socket_check_create(struct ucred *cred, int domain,
+ int type, int protocol);
int mac_socket_check_deliver(struct socket *so, struct mbuf *m);
int mac_socket_check_kqfilter(struct ucred *cred, struct knote *kn,
struct socket *so);
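Review bot: The re-sort replaces the section comments with `/*@ macros */` and `/*@ === */` markers and drops several contracts that now appear nowhere in the header: the NETWORK_FUNNEL-versus-KERNEL_FUNNEL note for the socket and mbuf entry points, the remark that `cred` may be NULL in `mac_socket_label_associate()`, the description of the `*_label_recycle` hooks, and, in the last hunk of this file, the non-standard copy semantics of `mac_socketpeer_label_associate_mbuf` and the precedence note on `mac_audit_check_preselect`/`mac_audit_check_postselect`. Since the list is now alphabetical, these can be attached to the individual declarations instead, e.g. above the `mac_mbuf_label_associate_*` group: `/* Socket and mbuf entry points run under the NETWORK_FUNNEL, not the KERNEL_FUNNEL. */`, and above `mac_socket_label_associate` in the next hunk: `/* cred may be NULL on Darwin. */`. The `/*@` markers look like anchors for the sorted-framework.vim script this change adds; a short comment next to the first one saying so would keep later readers from treating them as stray comments.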
@@ -377,6 +262,19 @@
int which);
int mac_socket_check_send(struct ucred *cred, struct socket *so);
int mac_socket_check_stat(struct ucred *cred, struct socket *so);
+void mac_socket_label_associate(struct ucred *cred, struct socket *so);
+void mac_socket_label_associate_accept(struct socket *oldsocket,
+ struct socket *newsocket);
+void mac_socket_label_copy(struct label *from, struct label *to);
+void mac_socket_label_destroy(struct socket *);
+int mac_socket_label_get(struct ucred *cred, struct socket *so,
+ struct mac *extmac);
+int mac_socket_label_init(struct socket *, int waitok);
+void mac_socketpeer_label_associate_mbuf(struct mbuf *m, struct socket *so);
+void mac_socketpeer_label_associate_socket(struct socket *peersocket,
+ struct socket *socket_to_modify);
+int mac_socketpeer_label_get(struct ucred *cred, struct socket *so,
+ struct mac *extmac);
int mac_system_check_acct(struct ucred *cred, struct vnode *vp);
int mac_system_check_audit(struct ucred *cred, void *record, int length);
int mac_system_check_auditctl(struct ucred *cred, struct vnode *vp);
@@ -384,11 +282,55 @@
int mac_system_check_nfsd(struct ucred *cred);
int mac_system_check_reboot(struct ucred *cred, int howto);
int mac_system_check_settime(struct ucred *cred);
+int mac_system_check_swapoff(struct ucred *cred, struct vnode *vp);
int mac_system_check_swapon(struct ucred *cred, struct vnode *vp);
-int mac_system_check_swapoff(struct ucred *cred, struct vnode *vp);
int mac_system_check_sysctl(struct ucred *cred, int *name,
u_int namelen, void *oldctl, size_t *oldlenp, int inkernel,
void *newctl, size_t newlen);
+void mac_sysvmsg_label_associate(struct ucred *cred,
+ struct msqid_kernel *msqptr, struct msg *msgptr);
+void mac_sysvmsg_label_init(struct msg *msgptr);
+void mac_sysvmsg_label_recycle(struct msg *msgptr);
+int mac_sysvmsq_check_enqueue(struct ucred *cred, struct msg *msgptr,
+ struct msqid_kernel *msqptr);
+int mac_sysvmsq_check_msgrcv(struct ucred *cred, struct msg *msgptr);
+int mac_sysvmsq_check_msgrmid(struct ucred *cred, struct msg *msgptr);
+int mac_sysvmsq_check_msqctl(struct ucred *cred,
+ struct msqid_kernel *msqptr, int cmd);
+int mac_sysvmsq_check_msqget(struct ucred *cred,
+ struct msqid_kernel *msqptr);
+int mac_sysvmsq_check_msqrcv(struct ucred *cred,
+ struct msqid_kernel *msqptr);
+int mac_sysvmsq_check_msqsnd(struct ucred *cred,
+ struct msqid_kernel *msqptr);
+void mac_sysvmsq_label_associate(struct ucred *cred,
+ struct msqid_kernel *msqptr);
+void mac_sysvmsq_label_init(struct msqid_kernel *msqptr);
+void mac_sysvmsq_label_recycle(struct msqid_kernel *msqptr);
+int mac_sysvsem_check_semctl(struct ucred *cred,
+ struct semid_kernel *semakptr, int cmd);
+int mac_sysvsem_check_semget(struct ucred *cred,
+ struct semid_kernel *semakptr);
+int mac_sysvsem_check_semop(struct ucred *cred,
+ struct semid_kernel *semakptr, size_t accesstype);
+void mac_sysvsem_label_associate(struct ucred *cred,
+ struct semid_kernel *semakptr);
+void mac_sysvsem_label_destroy(struct semid_kernel *semakptr);
+void mac_sysvsem_label_init(struct semid_kernel *semakptr);
+void mac_sysvsem_label_recycle(struct semid_kernel *semakptr);
+int mac_sysvshm_check_shmat(struct ucred *cred,
+ struct shmid_kernel *shmsegptr, int shmflg);
+int mac_sysvshm_check_shmctl(struct ucred *cred,
+ struct shmid_kernel *shmsegptr, int cmd);
+int mac_sysvshm_check_shmdt(struct ucred *cred,
+ struct shmid_kernel *shmsegptr);
+int mac_sysvshm_check_shmget(struct ucred *cred,
+ struct shmid_kernel *shmsegptr, int shmflg);
+void mac_sysvshm_label_associate(struct ucred *cred,
+ struct shmid_kernel *shmsegptr);
+void mac_sysvshm_label_destroy(struct shmid_kernel *shmsegptr);
+void mac_sysvshm_label_init(struct shmid_kernel* shmsegptr);
+void mac_sysvshm_label_recycle(struct shmid_kernel *shmsegptr);
int mac_task_check_get_port(struct ucred *cred, struct task *task);
int mac_vnode_check_access(struct ucred *cred, struct vnode *vp,
int acc_mode);
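Review bot: `void mac_sysvshm_label_init(struct shmid_kernel* shmsegptr);` binds the `*` to the type name while every other declaration in this hunk binds it to the parameter; `void mac_sysvshm_label_init(struct shmid_kernel *shmsegptr);` keeps the sorted list uniform. The same spelling was present in the removed line in the first hunk of this file, so this is a good moment to fix it since the line is being rewritten anyway.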
@@ -396,43 +338,42 @@
int mac_vnode_check_chroot(struct ucred *cred, struct vnode *dvp);
int mac_vnode_check_create(struct ucred *cred, struct vnode *dvp,
struct componentname *cnp, struct vnode_attr *vap);
-int mac_vnode_check_unlink(struct ucred *cred, struct vnode *dvp,
- struct vnode *vp, struct componentname *cnp);
int mac_vnode_check_deleteextattr(struct ucred *cred, struct vnode *vp,
const char *name);
int mac_vnode_check_exchangedata(struct ucred *cred, struct vnode *v1,
- struct vnode *v2);
+ struct vnode *v2);
int mac_vnode_check_exec(struct ucred *cred, struct vnode *vp,
struct label *execlabel);
int mac_vnode_check_getattrlist(struct ucred *cred, struct vnode *vp,
- struct attrlist *alist);
+ struct attrlist *alist);
int mac_vnode_check_getextattr(struct ucred *cred, struct vnode *vp,
const char *name, struct uio *uio);
+int mac_vnode_check_ioctl(struct ucred *cred, struct vnode *vp, int com,
+ caddr_t data);
int mac_vnode_check_kqfilter(struct ucred *active_cred,
struct ucred *file_cred, struct knote *kn, struct vnode *vp);
+int mac_vnode_check_label_update(struct ucred *cred, struct vnode *vp,
+ struct label *newlabel);
int mac_vnode_check_link(struct ucred *cred, struct vnode *dvp,
struct vnode *vp, struct componentname *cnp);
int mac_vnode_check_listextattr(struct ucred *cred, struct vnode *vp);
int mac_vnode_check_lookup(struct ucred *cred, struct vnode *dvp,
struct componentname *cnp);
-int mac_proc_check_mprotect(struct ucred *cred, struct proc *proc,
- void *addr, size_t size, int prot);
int mac_vnode_check_open(struct ucred *cred, struct vnode *vp,
int acc_mode);
int mac_vnode_check_read(struct ucred *active_cred,
struct ucred *file_cred, struct vnode *vp);
int mac_vnode_check_readdir(struct ucred *cred, struct vnode *vp);
int mac_vnode_check_readlink(struct ucred *cred, struct vnode *vp);
-int mac_vnode_check_label_update(struct ucred *cred, struct vnode *vp,
- struct label *newlabel);
int mac_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp,
struct vnode *vp, struct componentname *cnp);
int mac_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp,
struct vnode *vp, int samedir, struct componentname *cnp);
int mac_vnode_check_revoke(struct ucred *cred, struct vnode *vp);
-int mac_vnode_check_select(struct ucred *cred, struct vnode *vp, int which);
+int mac_vnode_check_select(struct ucred *cred, struct vnode *vp,
+ int which);
int mac_vnode_check_setattrlist(struct ucred *cred, struct vnode *vp,
- struct attrlist *alist);
+ struct attrlist *alist);
int mac_vnode_check_setextattr(struct ucred *cred, struct vnode *vp,
const char *name, struct uio *uio);
int mac_vnode_check_setflags(struct ucred *cred, struct vnode *vp,
@@ -447,46 +388,36 @@
struct ucred *file_cred, struct vnode *vp);
int mac_vnode_check_truncate(struct ucred *active_cred,
struct ucred *file_cred, struct vnode *vp);
+int mac_vnode_check_unlink(struct ucred *cred, struct vnode *dvp,
+ struct vnode *vp, struct componentname *cnp);
int mac_vnode_check_write(struct ucred *active_cred,
struct ucred *file_cred, struct vnode *vp);
-
-int mac_socket_label_get(struct ucred *cred, struct socket *so,
- struct mac *extmac);
-int mac_setsockopt_label(struct ucred *cred, struct socket *so,
- struct mac *extmac);
-int mac_socketpeer_label_get(struct ucred *cred, struct socket *so,
- struct mac *extmac);
-#if 0
-void mac_cred_mmapped_drop_perms(struct thread *td, struct ucred *cred);
-#endif
-
-/*
- * mac_audit_{pre,post}select() allow MAC policies to control whether a given
- * event will be audited. For 10.3.3, these functions take precedence over
- * the existing pre/post-selection selection in Darwin. That aspect of the
- * sematics of these functions will probably change for version 10.3.4 as
- * that version has a more complete implementation of the audit subsystem.
- */
-int mac_audit_check_preselect(struct ucred *cred, unsigned short syscode,
- void *args);
-int mac_audit_check_postselect(struct ucred *cred, unsigned short syscode,
- void *args, int error, int retval, int mac_forced);
-
-void mac_lctx_notify_create(struct proc *, struct lctx *);
-void mac_lctx_notify_join(struct proc *, struct lctx *);
-void mac_lctx_notify_leave(struct proc *, struct lctx *);
-
-/*
- * The semantics of this function are slightly different than the standard
- * copy operation. On the first call for a given socket, the peer label has
- * been newly allocated. On successive calls, the peer label is in use and
- * would be clobbered by a normal copy operation. It was decided to implement
- * it this way because its performance has a significant impact on network
- * performance. A destroy-init-copy sequence is too inefficient here.
- * Some policies may be able to replace data inline, which is more efficient.
- * It is up to the policies to determine the most efficient action to take.
- */
-void mac_socketpeer_label_associate_mbuf(struct mbuf *m, struct socket *so);
+struct label *mac_vnode_label_alloc(void);
+int mac_vnode_label_associate(struct mount *mp, struct vnode *vp,
+ vfs_context_t ctx);
+void mac_vnode_label_associate_devfs(struct mount *mp, struct devnode *de,
+ struct vnode *vp);
+int mac_vnode_label_associate_fdesc(struct mount *mp, struct fdescnode *fnp,
+ struct vnode *vp, vfs_context_t ctx);
+int mac_vnode_label_associate_extattr(struct mount *mp, struct vnode *vp);
+void mac_vnode_label_associate_singlelabel(struct mount *mp,
+ struct vnode *vp);
+void mac_vnode_label_copy(struct label *l1, struct label *l2);
+void mac_vnode_label_destroy(struct vnode *vp);
+int mac_vnode_label_externalize_audit(struct vnode *vp, struct mac *mac);
+void mac_vnode_label_free(struct label *label);
+void mac_vnode_label_init(struct vnode *vp);
+void mac_vnode_label_recycle(struct vnode *vp);
+void mac_vnode_label_update(struct ucred *cred, struct vnode *vp,
+ struct label *newlabel);
+void mac_vnode_label_update_extattr(struct mount *mp, struct vnode *vp,
+ const char *name);
+int mac_vnode_notify_create(struct ucred *cred, struct mount *mp,
+ struct vnode *dvp, struct vnode *vp, struct componentname *cnp);
+int vnode_label(struct mount *mp, struct vnode *dvp, struct vnode *vp,
+ struct componentname *cnp, int flags, vfs_context_t ctx);
+int vnode_label1(struct vnode *vp);
+void vnode_relabel(struct vnode *vp);
#endif /* MAC */
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_policy.h#26 (text+ko) ====
@@ -55,8 +55,8 @@
#include <security/_label.h>
+struct attrlist;
struct auditinfo;
-struct attrlist;
struct bpf_d;
struct devnode;
struct fileglob;
@@ -96,11 +96,93 @@
*/
/**
- @name Entry Points for the Base Policy Module Only
+ @name Entry Points for Label Management
+
+ These are the entry points corresponding to the life cycle events for
+ kernel objects, such as initialization, creation, and destruction.
+
+ Most policies (that use labels) will initialize labels by allocating
+ space for policy-specific data. In most cases, it is permitted to
+ sleep during label initialization operations; it will be noted when
+ it is not permitted.
+
+ Initialization usually will not require doing more than allocating a
+ generic label for the given object. What follows initialization is
+ creation, where a label is made specific to the object it is associated
+ with. Destruction occurs when the label is no longer needed, such as
+ when the corresponding object is destroyed. All necessary cleanup should
+ be performed in label destroy operations.
+
+ Where possible, the label entry points have identical parameters. If
+ the policy module does not require structure-specific label
+ information, the same function may be registered in the policy
+ operation vector. Many policies will implement two such generic
+ allocation calls: one to handle sleepable requests, and one to handle
+ potentially non-sleepable requests.
+*/
+
+
+/**
+ @brief Audit event postselection
+ @param cred Subject credential
+ @param syscode Syscall number
+ @param args Syscall arguments
+ @param error Syscall errno
+ @param retval Syscall return value
+
+ This is the MAC Framework audit postselect, which is called before
+ exiting a syscall to determine if an audit event should be committed.
+ A return value of MAC_AUDIT_NO forces the audit record to be suppressed.
+ Any other return value results in the audit record being committed.
+
+ @warning The suppression behavior will probably go away in Apple's
+ future version of the audit implementation.
+
+ @return Return MAC_AUDIT_NO to force suppression of the audit record.
+ Any other value results in the audit record being committed.
+
*/
+typedef int mpo_audit_check_postselect_t(
+ struct ucred *cred,
+ unsigned short syscode,
+ void *args,
+ int error,
+ int retval
+);
+/**
+ @brief Audit event preselection
+ @param cred Subject credential
+ @param syscode Syscall number
+ @param args Syscall arguments
+
+ This is the MAC Framework audit preselect, which is called before a
+ syscall is entered to determine if an audit event should be created.
+ If the MAC policy forces the syscall to be audited, MAC_AUDIT_YES should be
+ returned. A return value of MAC_AUDIT_NO causes the audit record to
+ be suppressed. Returning MAC_POLICY_DEFAULT indicates that the policy wants
+ to defer to the system's existing preselection mechanism.
+
+ When policies return different preferences, the Framework decides what action
+ to take based on the following policy. If any policy returns MAC_AUDIT_YES,
+ then create an audit record, else if any policy returns MAC_AUDIT_NO, then
+ suppress the creations of an audit record, else defer to the system's
+ existing preselection mechanism.
+
+ @warning The audit implementation in Apple's current version is
+ incomplete, so the MAC policies have priority over the system's existing
+ mechanisms. This will probably change in the future version where
+ the audit implementation is more complete.
-/*@{*/
+ @return Return MAC_AUDIT_YES to force auditing of the syscall,
+ MAC_AUDIT_NO to force no auditing of the syscall, MAC_AUDIT_DEFAULT
+ to allow auditing mechanisms to determine if the syscall is audited.
+*/
+typedef int mpo_audit_check_preselect_t(
+ struct ucred *cred,
+ unsigned short syscode,
+ void *args
+);
/**
@brief Base Policy approve MAC module load event
@param mpc MAC policy configuration
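Review bot: The new documentation for mpo_audit_check_preselect_t names the deferral value inconsistently: the description says `Returning MAC_POLICY_DEFAULT indicates that the policy wants to defer` while the @return line says `MAC_AUDIT_DEFAULT to allow auditing mechanisms to determine`. Only one of these can be the constant the framework actually tests for, so the other should be corrected to match whichever mac_policy.h defines; as written, a policy author who reads only the @return line may return a value the framework does not treat as deferral, which for an audit hook silently changes what gets recorded. The sort also places both audit typedefs directly under the new `@name Entry Points for Label Management` heading, whose text describes label initialization, creation and destruction and not audit selection, so either the heading or the position of the audit entries should change. The removed `/*@{*/` markers at this and the later hunks have no visible replacement, so the Doxygen groups no longer open before the declarations they used to enclose.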
@@ -116,7 +198,6 @@
typedef int mpo_base_check_module_load_t(
struct mac_policy_conf *mpc
);
-
/**
@brief Base Policy approve MAC module unload event
@param mpc MAC policy configuration
@@ -132,7 +213,6 @@
typedef int mpo_base_check_module_unload_t(
struct mac_policy_conf *mpc
);
-
/**
@brief Base Policy finalize event
@@ -145,896 +225,746 @@
*/
typedef void mpo_base_notify_finalize_t(void);
+/**
+ @brief Indicate desire to change the process label at exec time
+ @param old Existing subject credential
+ @param vp File being executed
+ @param vnodelabel Label corresponding to vp
+ @param scriptvnodelabel Script vnode label
+ @param execlabel Userspace provided execution label
+ @param proc Object process
+ @see mac_execve
+ @see mpo_cred_label_update_execve_t
+ @see mpo_vnode_check_exec_t
-/*@}*/
+ Indicate whether this policy intends to update the label of a newly
+ created credential from the existing subject credential (old). This
+ call occurs when a process executes the passed vnode. If a policy
+ returns success from this entry point, the mpo_cred_label_update_execve
+ entry point will later be called with the same parameters. Access
+ has already been checked via the mpo_vnode_check_exec entry point,
+ this entry point is necessary to preserve kernel locking constraints
+ during program execution.
-/**
- @name Entry Points for Module Operations
-*/
+ The supplied vnode and vnodelabel correspond with the file actually
+ being executed; in the case that the file is interpreted (for
+ example, a script), the label of the original exec-time vnode has
+ been preserved in scriptvnodelabel.
-/*@{*/
+ The final label, execlabel, corresponds to a label supplied by a
+ user space application through the use of the mac_execve system call.
-/**
- @brief Policy unload event
- @param mpc MAC policy configuration
+ The vnode lock is held during this operation. No changes should be
+ made to the old credential structure.
- This is the MAC Framework policy unload event. This entry point will
- only be called if the module's policy configuration allows unload (if
- the MPC_LOADTIME_FLAG_UNLOADOK is set). Most security policies won't
- want to be unloaded; they should set their flags to prevent this
- entry point from being called.
+ @warning Even if a policy returns 0, it should behave correctly in
+ the presence of an invocation of mpo_cred_label_update_execve, as that
+ call may happen as a result of another policy requesting a transition.
- @warning During this call, the mac policy list mutex is held, so
- sleep operations cannot be performed, and calls out to other kernel
- subsystems must be made with caution.
-
- @see MPC_LOADTIME_FLAG_UNLOADOK
+ @return Non-zero if a transition is required, 0 otherwise.
*/
-typedef void mpo_policy_destroy_t(
- struct mac_policy_conf *mpc
+typedef int mpo_cred_check_label_update_execve_t(
+ struct ucred *old,
+ struct vnode *vp,
+ struct label *vnodelabel,
+ struct label *scriptvnodelabel,
+ struct label *execlabel,
+ struct proc *proc
);
-
/**
- @brief Policy initialization event
- @param mpc MAC policy configuration
- @see mac_policy_register
- @see mpo_policy_initbsd_t
+ @brief Access control check for relabelling processes
+ @param cred Subject credential
+ @param newlabel New label to apply to the user credential
+ @see mpo_cred_label_update_t
+ @see mac_set_proc
- This is the MAC Framework policy initialization event. This entry
- point is called during mac_policy_register, when the policy module
- is first registered with the MAC Framework. This is often done very
- early in the boot process, after the kernel Mach subsystem has been
- initialized, but prior to the BSD subsystem being initialized.
- Since the kernel BSD services are not yet available, it is possible
- that some initialization must occur later, possibly in the
- mpo_policy_initbsd_t policy entry point, such as registering BSD system
- controls (sysctls). Policy modules loaded at boot time will be
- registered and initialized before labeled Mach objects are created.
+ Determine whether the subject identified by the credential can relabel
+ itself to the supplied new label (newlabel). This access control check
+ is called when the mac_set_proc system call is invoked. A user space
+ application will supply a new value, the value will be internalized
+ and provided in newlabel.
- @warning During this call, the mac policy list mutex is held, so
- sleep operations cannot be performed, and calls out to other kernel
- subsystems must be made with caution.
+ @return Return 0 if access is granted, otherwise an appropriate value for
+ errno should be returned.
*/
-typedef void mpo_policy_init_t(
- struct mac_policy_conf *mpc
+typedef int mpo_cred_check_label_update_t(
+ struct ucred *cred,
+ struct label *newlabel
);
-
/**
- @brief Policy BSD initialization event
- @param mpc MAC policy configuration
- @see mpo_policy_init_t
+ @brief Access control check for visibility of other subjects
+ @param u1 Subject credential
+ @param u2 Object credential
- This entry point is called after the kernel BSD subsystem has been
- initialized. By this point, the module should already be loaded,
- registered, and initialized. Since policy modules are initialized
- before kernel BSD services are available, this second initialization
- phase is necessary. At this point, BSD services (memory management,
- synchronization primitives, vfs, etc.) are available, but the first
- process has not yet been created. Mach-related objects and tasks
- will already be fully initialized and may be in use--policies requiring
- ubiquitous labeling may also want to implement mpo_policy_init_t.
+ Determine whether the subject identified by the credential u1 can
+ "see" other subjects with the passed subject credential u2. This call
+ may be made in a number of situations, including inter-process status
+ sysctls used by ps, and in procfs lookups.
- @warning During this call, the mac policy list mutex is held, so
- sleep operations cannot be performed, and calls out to other kernel
- subsystems must be made with caution.
+ @return Return 0 if access is granted, otherwise an appropriate value for
+ errno should be returned. Suggested failure: EACCES for label mismatch,
+ EPERM for lack of privilege, or ESRCH to hide visibility.
*/
-typedef void mpo_policy_initbsd_t(
- struct mac_policy_conf *mpc
+typedef int mpo_cred_check_visible_t(
+ struct ucred *u1,
+ struct ucred *u2
);
-
/**
- @brief Policy extension service
- @param p Calling process
- @param call Policy-specific syscall number
- @param arg Pointer to syscall arguments
+ @brief Create the first process
+ @param cred Subject credential to be labeled
- This entry point provides a policy-multiplexed system call so that
- policies may provide additional services to user processes without
- registering specific system calls. The policy name provided during
- registration is used to demux calls from userland, and the arguments
- will be forwarded to this entry point. When implementing new
- services, security modules should be sure to invoke appropriate
- access control checks from the MAC framework as needed. For
- example, if a policy implements an augmented signal functionality,
- it should call the necessary signal access control checks to invoke
- the MAC framework and other registered policies.
-
- @warning Since the format and contents of the policy-specific
- arguments are unknown to the MAC Framework, modules must perform the
- required copyin() of the syscall data on their own. No policy
- mediation is performed, so policies must perform any necessary
- access control checks themselves. If multiple policies are loaded,
- they will currently be unable to mediate calls to other policies.
-
- @return In the event of an error, an appropriate value for errno
- should be returned, otherwise return 0 upon success.
+ Create the subject credential of process 0, the parent of all BSD
+ kernel processes. Policies should update the label in the
+ previously initialized credential structure.
*/
-typedef int mpo_policy_syscall_t(
- struct proc *p,
- int call,
- user_addr_t arg
+typedef void mpo_cred_label_associate_kernel_t(
+ struct ucred *cred
);
-
-/*@}*/
-
/**
- @name Entry Points for Label Management
+ @brief Create a credential label
>>> TRUNCATED FOR MAIL (1000 lines) <<<