Introduce support for Mandatory Access Control and extensible

kernel access control. Instrument devfs to support per-dirent MAC labels. In particular, invoke MAC framework when devfs directory entries are instantiated due to make_dev() and related calls, and invoke the MAC framework when vnodes are instantiated from these directory entries. Implement vop_setlabel() for devfs, which pushes the label update into the devfs directory entry for semi-persistant store. This permits the MAC framework to assign labels to devices and directories as they are instantiated, and export access control information via devfs vnodes. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
author: rwatson <rwatson@FreeBSD.org> 2002-07-31 15:45:16 +0000
committer: rwatson <rwatson@FreeBSD.org> 2002-07-31 15:45:16 +0000
commit: 751f2d0c51ea2bbdb1625338052d19ecbb5f9f26 (patch)
tree: ed4ec9c3ffc090c01937ac072f89167be5573552 /sys/fs/devfs
parent: d829fd90ded403dd4a4a677af12efeec9fef680d (diff)
download: FreeBSD-src-751f2d0c51ea2bbdb1625338052d19ecbb5f9f26.zip
FreeBSD-src-751f2d0c51ea2bbdb1625338052d19ecbb5f9f26.tar.gz
3 files changed, 90 insertions, 0 deletions
diff --git a/sys/fs/devfs/devfs_devs.c b/sys/fs/devfs/devfs_devs.c
index fd378b8..15a2018 100644
--- a/sys/fs/devfs/devfs_devs.c
+++ b/sys/fs/devfs/devfs_devs.c
@@ -30,6 +30,7 @@
  */
 
 #include "opt_devfs.h"
+#include "opt_mac.h"
 #ifndef NODEVFS
 
 #include <sys/param.h>
@@ -38,6 +39,7 @@
 #include <sys/dirent.h>
 #include <sys/kernel.h>
 #include <sys/lock.h>
+#include <sys/mac.h>
 #include <sys/malloc.h>
 #include <sys/proc.h>
 #include <sys/sysctl.h>
@@ -207,6 +209,9 @@ devfs_newdirent(char *name, int namelen)
 	vfs_timestamp(&de->de_ctime);
 	de->de_mtime = de->de_atime = de->de_ctime;
 	de->de_links = 1;
+#ifdef MAC
+	mac_init_devfsdirent(de);
+#endif
 	return (de);
 }
 
@@ -254,6 +259,9 @@ devfs_delete(struct devfs_dirent *dd, struct devfs_dirent *de)
 	if (de->de_vnode)
 		de->de_vnode->v_data = NULL;
 	TAILQ_REMOVE(&dd->de_dlist, de, de_list);
+#ifdef MAC
+	mac_destroy_devfsdirent(de);
+#endif
 	FREE(de, M_DEVFS);
 }
 
@@ -325,6 +333,10 @@ devfs_populate(struct devfs_mount *dm)
 				de = devfs_find(dd, s, q - s);
 				if (de == NULL) {
 					de = devfs_vmkdir(s, q - s, dd);
+#ifdef MAC
+					mac_create_devfs_directory(s, q - s,
+					    de);
+#endif
 					de->de_inode = dm->dm_inode++;
 					TAILQ_INSERT_TAIL(&dd->de_dlist, de, de_list);
 					dd->de_links++;
@@ -350,6 +362,9 @@ devfs_populate(struct devfs_mount *dm)
 				de->de_mode = dev->si_mode;
 				de->de_dirent->d_type = DT_CHR;
 			}
+#ifdef MAC
+			mac_create_devfs_device(dev, de);
+#endif
 			*dep = de;
 			de->de_dir = dd;
 			devfs_rules_apply(dm, de);
diff --git a/sys/fs/devfs/devfs_vfsops.c b/sys/fs/devfs/devfs_vfsops.c
index a46b0c4..00ad137 100644
--- a/sys/fs/devfs/devfs_vfsops.c
+++ b/sys/fs/devfs/devfs_vfsops.c
@@ -35,12 +35,14 @@
  */
 
 #include "opt_devfs.h"
+#include "opt_mac.h"
 #ifndef NODEVFS
 
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/kernel.h>
 #include <sys/lock.h>
+#include <sys/mac.h>
 #include <sys/malloc.h>
 #include <sys/mount.h>
 #include <sys/proc.h>
@@ -83,6 +85,9 @@ devfs_mount(mp, ndp, td)
 	lockinit(&fmp->dm_lock, PVFS, "devfs", 0, LK_NOPAUSE);
 
 	mp->mnt_flag |= MNT_LOCAL;
+#ifdef MAC
+	mp->mnt_flag |= MNT_MULTILABEL;
+#endif
 	mp->mnt_data = (qaddr_t) fmp;
 	vfs_getnewfsid(mp);
 
@@ -90,6 +95,9 @@ devfs_mount(mp, ndp, td)
 
 	fmp->dm_rootdir = devfs_vmkdir("(root)", 6, NULL);
 	fmp->dm_rootdir->de_inode = 2;
+#ifdef MAC
+	mac_create_devfs_directory("", 0, fmp->dm_rootdir);
+#endif
 	fmp->dm_basedir = fmp->dm_rootdir;
 	devfs_rules_newmount(fmp, td);
 
diff --git a/sys/fs/devfs/devfs_vnops.c b/sys/fs/devfs/devfs_vnops.c
index 069d224..de86f96 100644
--- a/sys/fs/devfs/devfs_vnops.c
+++ b/sys/fs/devfs/devfs_vnops.c
@@ -42,6 +42,7 @@
  */
 
 #include <opt_devfs.h>
+#include <opt_mac.h>
 #ifndef NODEVFS
 
 #include <sys/param.h>
@@ -50,6 +51,7 @@
 #include <sys/dirent.h>
 #include <sys/kernel.h>
 #include <sys/lock.h>
+#include <sys/mac.h>
 #include <sys/malloc.h>
 #include <sys/mount.h>
 #include <sys/namei.h>
@@ -71,9 +73,15 @@ static int	devfs_read(struct vop_read_args *ap);
 static int	devfs_readdir(struct vop_readdir_args *ap);
 static int	devfs_readlink(struct vop_readlink_args *ap);
 static int	devfs_reclaim(struct vop_reclaim_args *ap);
+#ifdef MAC
+static int	devfs_refreshlabel(struct vop_refreshlabel_args *ap);
+#endif
 static int	devfs_remove(struct vop_remove_args *ap);
 static int	devfs_revoke(struct vop_revoke_args *ap);
 static int	devfs_setattr(struct vop_setattr_args *ap);
+#ifdef MAC
+static int	devfs_setlabel(struct vop_setlabel_args *ap);
+#endif
 static int	devfs_symlink(struct vop_symlink_args *ap);
 
 /*
@@ -156,6 +164,9 @@ loop:
 	vp->v_data = de;
 	de->de_vnode = vp;
 	vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
+#ifdef MAC
+	mac_create_devfs_vnode(de, vp);
+#endif
 	*vpp = vp;
 	return (0);
 }
@@ -646,6 +657,20 @@ devfs_reclaim(ap)
 	return (0);
 }
 
+#ifdef MAC
+static int
+devfs_refreshlabel(ap)
+	struct vop_refreshlabel_args /* {
+		struct vnode *a_vp;
+		struct ucred *a_cred;
+	} */ *ap;
+{
+
+	/* Labels are always in sync. */
+	return (0);
+}
+#endif
+
 static int
 devfs_remove(ap)
 	struct vop_remove_args /* {
@@ -666,6 +691,9 @@ devfs_remove(ap)
 		TAILQ_REMOVE(&dd->de_dlist, de, de_list);
 		if (de->de_vnode)
 			de->de_vnode->v_data = NULL;
+#ifdef MAC
+		mac_destroy_devfsdirent(de);
+#endif
 		FREE(de, M_DEVFS);
 	} else {
 		de->de_flags |= DE_WHITEOUT;
@@ -786,6 +814,29 @@ devfs_setattr(ap)
 	return (0);
 }
 
+#ifdef MAC
+static int
+devfs_setlabel(ap)
+	struct vop_setlabel_args /* {
+		struct vnode *a_vp;
+		struct mac *a_label;
+		struct ucred *a_cred;
+		struct thread *a_td;
+	} */ *ap;
+{
+	struct vnode *vp;
+	struct devfs_dirent *de;
+
+	vp = ap->a_vp;
+	de = vp->v_data;
+
+	mac_relabel_vnode(ap->a_cred, vp, ap->a_label);
+	mac_update_devfsdirent(de, vp);
+
+	return (0);
+}
+#endif
+
 static int
 devfs_symlink(ap)
 	struct vop_symlink_args /* {
@@ -818,6 +869,10 @@ devfs_symlink(ap)
 	lockmgr(&dmp->dm_lock, LK_EXCLUSIVE, 0, curthread);
 	TAILQ_INSERT_TAIL(&dd->de_dlist, de, de_list);
 	devfs_allocv(de, ap->a_dvp->v_mount, ap->a_vpp, 0);
+#ifdef MAC
+	mac_create_vnode(ap->a_cnp->cn_cred, ap->a_dvp, *ap->a_vpp);
+	mac_update_devfsdirent(de, *ap->a_vpp);
+#endif /* MAC */
 	lockmgr(&dmp->dm_lock, LK_RELEASE, 0, curthread);
 	return (0);
 }
@@ -839,8 +894,14 @@ static struct vnodeopv_entry_desc devfs_vnodeop_entries[] = {
 	{ &vop_readlink_desc,		(vop_t *) devfs_readlink },
 	{ &vop_reclaim_desc,		(vop_t *) devfs_reclaim },
 	{ &vop_remove_desc,		(vop_t *) devfs_remove },
+#ifdef MAC
+	{ &vop_refreshlabel_desc,	(vop_t *) devfs_refreshlabel },
+#endif
 	{ &vop_revoke_desc,		(vop_t *) devfs_revoke },
 	{ &vop_setattr_desc,		(vop_t *) devfs_setattr },
+#ifdef MAC
+	{ &vop_setlabel_desc,		(vop_t *) devfs_setlabel },
+#endif
 	{ &vop_symlink_desc,		(vop_t *) devfs_symlink },
 	{ &vop_unlock_desc,		(vop_t *) vop_stdunlock },
 	{ NULL, NULL }
@@ -859,9 +920,15 @@ static struct vnodeopv_entry_desc devfs_specop_entries[] = {
 	{ &vop_lock_desc,		(vop_t *) vop_stdlock },
 	{ &vop_print_desc,		(vop_t *) devfs_print },
 	{ &vop_reclaim_desc,		(vop_t *) devfs_reclaim },
+#ifdef MAC
+	{ &vop_refreshlabel_desc,	(vop_t *) devfs_refreshlabel },
+#endif
 	{ &vop_remove_desc,		(vop_t *) devfs_remove },
 	{ &vop_revoke_desc,		(vop_t *) devfs_revoke },
 	{ &vop_setattr_desc,		(vop_t *) devfs_setattr },
+#ifdef MAC
+	{ &vop_setlabel_desc,		(vop_t *) devfs_setlabel },
+#endif
 	{ &vop_unlock_desc,		(vop_t *) vop_stdunlock },
 	{ NULL, NULL }
 };
author	rwatson <rwatson@FreeBSD.org>	2002-07-31 15:45:16 +0000
committer	rwatson <rwatson@FreeBSD.org>	2002-07-31 15:45:16 +0000
commit	751f2d0c51ea2bbdb1625338052d19ecbb5f9f26 (patch)
tree	ed4ec9c3ffc090c01937ac072f89167be5573552 /sys/fs/devfs
parent	d829fd90ded403dd4a4a677af12efeec9fef680d (diff)
download	FreeBSD-src-751f2d0c51ea2bbdb1625338052d19ecbb5f9f26.zip FreeBSD-src-751f2d0c51ea2bbdb1625338052d19ecbb5f9f26.tar.gz