summaryrefslogtreecommitdiffstats
path: root/sys/security
diff options
context:
space:
mode:
authorrwatson <rwatson@FreeBSD.org>2009-01-10 10:58:41 +0000
committerrwatson <rwatson@FreeBSD.org>2009-01-10 10:58:41 +0000
commit5743072acfd292c98911ffb9ccbb0889d58912a6 (patch)
treea09d92856c004db2e7784d8452b80357e3fc5d22 /sys/security
parentaeaccdebe1a1d60a30f576f94448e6d0bb078a93 (diff)
downloadFreeBSD-src-5743072acfd292c98911ffb9ccbb0889d58912a6.zip
FreeBSD-src-5743072acfd292c98911ffb9ccbb0889d58912a6.tar.gz
Rather than having MAC policies explicitly declare what object types
they label, derive that information implicitly from the set of label initializers in their policy operations set. This avoids a possible class of programmer errors, while retaining the structure that allows us to avoid allocating labels for objects that don't need them. As before, we regenerate a global mask of labeled objects each time a policy is loaded or unloaded, stored in mac_labeled. Discussed with: csjp Suggested by: Jacques Vidrine <nectar at apple.com> Obtained from: TrustedBSD Project Sponsored by: Apple, Inc.
Diffstat (limited to 'sys/security')
-rw-r--r--sys/security/mac/mac_framework.c52
-rw-r--r--sys/security/mac/mac_internal.h29
-rw-r--r--sys/security/mac/mac_policy.h33
-rw-r--r--sys/security/mac_biba/mac_biba.c23
-rw-r--r--sys/security/mac_bsdextended/mac_bsdextended.c2
-rw-r--r--sys/security/mac_ifoff/mac_ifoff.c2
-rw-r--r--sys/security/mac_lomac/mac_lomac.c23
-rw-r--r--sys/security/mac_mls/mac_mls.c23
-rw-r--r--sys/security/mac_none/mac_none.c2
-rw-r--r--sys/security/mac_partition/mac_partition.c2
-rw-r--r--sys/security/mac_portacl/mac_portacl.c2
-rw-r--r--sys/security/mac_seeotheruids/mac_seeotheruids.c2
-rw-r--r--sys/security/mac_stub/mac_stub.c23
-rw-r--r--sys/security/mac_test/mac_test.c23
14 files changed, 88 insertions, 153 deletions
diff --git a/sys/security/mac/mac_framework.c b/sys/security/mac/mac_framework.c
index 0a7b085..d18f3e5 100644
--- a/sys/security/mac/mac_framework.c
+++ b/sys/security/mac/mac_framework.c
@@ -3,7 +3,7 @@
* Copyright (c) 2001 Ilmar S. Habibulin
* Copyright (c) 2001-2005 Networks Associates Technology, Inc.
* Copyright (c) 2005-2006 SPARTA, Inc.
- * Copyright (c) 2008 Apple Inc.
+ * Copyright (c) 2008-2009 Apple Inc.
* All rights reserved.
*
* This software was developed by Robert Watson and Ilmar Habibulin for the
@@ -329,10 +329,48 @@ mac_late_init(void)
}
/*
- * After the policy list has changed, walk the list to update any global
- * flags. Currently, we support only one flag, and it's conditionally
- * defined; as a result, the entire function is conditional. Eventually, the
- * #else case might also iterate across the policies.
+ * Given a policy, derive from its set of non-NULL label init methods what
+ * object types the policy is interested in.
+ */
+static uint64_t
+mac_policy_getlabeled(struct mac_policy_conf *mpc)
+{
+ uint64_t labeled;
+
+#define MPC_FLAG(method, flag) \
+ if (mpc->mpc_ops->mpo_ ## method != NULL) \
+ labeled |= (flag); \
+
+ labeled = 0;
+ MPC_FLAG(cred_init_label, MPC_OBJECT_CRED);
+ MPC_FLAG(proc_init_label, MPC_OBJECT_PROC);
+ MPC_FLAG(vnode_init_label, MPC_OBJECT_VNODE);
+ MPC_FLAG(inpcb_init_label, MPC_OBJECT_INPCB);
+ MPC_FLAG(socket_init_label, MPC_OBJECT_SOCKET);
+ MPC_FLAG(devfs_init_label, MPC_OBJECT_DEVFS);
+ MPC_FLAG(mbuf_init_label, MPC_OBJECT_MBUF);
+ MPC_FLAG(ipq_init_label, MPC_OBJECT_IPQ);
+ MPC_FLAG(ifnet_init_label, MPC_OBJECT_IFNET);
+ MPC_FLAG(bpfdesc_init_label, MPC_OBJECT_BPFDESC);
+ MPC_FLAG(pipe_init_label, MPC_OBJECT_PIPE);
+ MPC_FLAG(mount_init_label, MPC_OBJECT_MOUNT);
+ MPC_FLAG(posixsem_init_label, MPC_OBJECT_POSIXSEM);
+ MPC_FLAG(posixshm_init_label, MPC_OBJECT_POSIXSHM);
+ MPC_FLAG(sysvmsg_init_label, MPC_OBJECT_SYSVMSG);
+ MPC_FLAG(sysvmsq_init_label, MPC_OBJECT_SYSVMSQ);
+ MPC_FLAG(sysvsem_init_label, MPC_OBJECT_SYSVSEM);
+ MPC_FLAG(sysvshm_init_label, MPC_OBJECT_SYSVSHM);
+ MPC_FLAG(syncache_init_label, MPC_OBJECT_SYNCACHE);
+ MPC_FLAG(ip6q_init_label, MPC_OBJECT_IP6Q);
+
+#undef MPC_FLAG
+ return (labeled);
+}
+
+/*
+ * When policies are loaded or unloaded, walk the list of registered policies
+ * and built mac_labeled, a bitmask representing the union of all objects
+ * requiring labels across all policies.
*/
static void
mac_policy_updateflags(void)
@@ -343,9 +381,9 @@ mac_policy_updateflags(void)
mac_labeled = 0;
LIST_FOREACH(mpc, &mac_static_policy_list, mpc_list)
- mac_labeled |= mpc->mpc_labeled;
+ mac_labeled |= mac_policy_getlabeled(mpc);
LIST_FOREACH(mpc, &mac_policy_list, mpc_list)
- mac_labeled |= mpc->mpc_labeled;
+ mac_labeled |= mac_policy_getlabeled(mpc);
}
static int
diff --git a/sys/security/mac/mac_internal.h b/sys/security/mac/mac_internal.h
index 23da90a..79544c3 100644
--- a/sys/security/mac/mac_internal.h
+++ b/sys/security/mac/mac_internal.h
@@ -4,6 +4,7 @@
* Copyright (c) 2001-2004 Networks Associates Technology, Inc.
* Copyright (c) 2006 nCircle Network Security, Inc.
* Copyright (c) 2006 SPARTA, Inc.
+ * Copyright (c) 2009 Apple, Inc.
* All rights reserved.
*
* This software was developed by Robert Watson and Ilmar Habibulin for the
@@ -83,6 +84,34 @@ struct label {
intptr_t l_perpolicy[MAC_MAX_SLOTS];
};
+
+/*
+ * Flags for mac_labeled, a bitmask of object types need across the union of
+ * all policies currently registered with the MAC Framework, used to key
+ * whether or not labels are allocated and constructors for the type are
+ * invoked.
+ */
+#define MPC_OBJECT_CRED 0x0000000000000001
+#define MPC_OBJECT_PROC 0x0000000000000002
+#define MPC_OBJECT_VNODE 0x0000000000000004
+#define MPC_OBJECT_INPCB 0x0000000000000008
+#define MPC_OBJECT_SOCKET 0x0000000000000010
+#define MPC_OBJECT_DEVFS 0x0000000000000020
+#define MPC_OBJECT_MBUF 0x0000000000000040
+#define MPC_OBJECT_IPQ 0x0000000000000080
+#define MPC_OBJECT_IFNET 0x0000000000000100
+#define MPC_OBJECT_BPFDESC 0x0000000000000200
+#define MPC_OBJECT_PIPE 0x0000000000000400
+#define MPC_OBJECT_MOUNT 0x0000000000000800
+#define MPC_OBJECT_POSIXSEM 0x0000000000001000
+#define MPC_OBJECT_POSIXSHM 0x0000000000002000
+#define MPC_OBJECT_SYSVMSG 0x0000000000004000
+#define MPC_OBJECT_SYSVMSQ 0x0000000000008000
+#define MPC_OBJECT_SYSVSEM 0x0000000000010000
+#define MPC_OBJECT_SYSVSHM 0x0000000000020000
+#define MPC_OBJECT_SYNCACHE 0x0000000000040000
+#define MPC_OBJECT_IP6Q 0x0000000000080000
+
/*
* MAC Framework global variables.
*/
diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h
index ecf68a6..e333409 100644
--- a/sys/security/mac/mac_policy.h
+++ b/sys/security/mac/mac_policy.h
@@ -956,9 +956,9 @@ struct mac_policy_conf {
int *mpc_field_off; /* security field */
int mpc_runtime_flags; /* flags */
int _mpc_spare1; /* Spare. */
- uint64_t mpc_labeled; /* Labeled objects. */
uint64_t _mpc_spare2; /* Spare. */
- void *_mpc_spare3; /* Spare. */
+ uint64_t _mpc_spare3; /* Spare. */
+ void *_mpc_spare4; /* Spare. */
LIST_ENTRY(mac_policy_conf) mpc_list; /* global list */
};
@@ -969,31 +969,6 @@ struct mac_policy_conf {
/* Flags for the mpc_runtime_flags field. */
#define MPC_RUNTIME_FLAG_REGISTERED 0x00000001
-/*
- * Flags for mpc_labeled declaring which objects should have labels allocated
- * for them by the MAC Framework.
- */
-#define MPC_OBJECT_CRED 0x0000000000000001
-#define MPC_OBJECT_PROC 0x0000000000000002
-#define MPC_OBJECT_VNODE 0x0000000000000004
-#define MPC_OBJECT_INPCB 0x0000000000000008
-#define MPC_OBJECT_SOCKET 0x0000000000000010
-#define MPC_OBJECT_DEVFS 0x0000000000000020
-#define MPC_OBJECT_MBUF 0x0000000000000040
-#define MPC_OBJECT_IPQ 0x0000000000000080
-#define MPC_OBJECT_IFNET 0x0000000000000100
-#define MPC_OBJECT_BPFDESC 0x0000000000000200
-#define MPC_OBJECT_PIPE 0x0000000000000400
-#define MPC_OBJECT_MOUNT 0x0000000000000800
-#define MPC_OBJECT_POSIXSEM 0x0000000000001000
-#define MPC_OBJECT_POSIXSHM 0x0000000000002000
-#define MPC_OBJECT_SYSVMSG 0x0000000000004000
-#define MPC_OBJECT_SYSVMSQ 0x0000000000008000
-#define MPC_OBJECT_SYSVSEM 0x0000000000010000
-#define MPC_OBJECT_SYSVSHM 0x0000000000020000
-#define MPC_OBJECT_SYNCACHE 0x0000000000040000
-#define MPC_OBJECT_IP6Q 0x0000000000080000
-
/*-
* The TrustedBSD MAC Framework has a major version number, MAC_VERSION,
* which defines the ABI of the Framework present in the kernel (and depended
@@ -1009,15 +984,13 @@ struct mac_policy_conf {
*/
#define MAC_VERSION 4
-#define MAC_POLICY_SET(mpops, mpname, mpfullname, mpflags, privdata_wanted, \
- labeled) \
+#define MAC_POLICY_SET(mpops, mpname, mpfullname, mpflags, privdata_wanted) \
static struct mac_policy_conf mpname##_mac_policy_conf = { \
.mpc_name = #mpname, \
.mpc_fullname = mpfullname, \
.mpc_ops = mpops, \
.mpc_loadtime_flags = mpflags, \
.mpc_field_off = privdata_wanted, \
- .mpc_labeled = labeled, \
}; \
static moduledata_t mpname##_mod = { \
#mpname, \
diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c
index 72a3f0e..26366e3 100644
--- a/sys/security/mac_biba/mac_biba.c
+++ b/sys/security/mac_biba/mac_biba.c
@@ -3545,26 +3545,5 @@ static struct mac_policy_ops mac_biba_ops =
.mpo_vnode_setlabel_extattr = biba_vnode_setlabel_extattr,
};
-#define BIBA_OBJECTS (MPC_OBJECT_CRED | \
- /* MPC_OBJECT_PROC | */ \
- MPC_OBJECT_VNODE | \
- MPC_OBJECT_INPCB | \
- MPC_OBJECT_SOCKET | \
- MPC_OBJECT_DEVFS | \
- MPC_OBJECT_MBUF | \
- MPC_OBJECT_IPQ | \
- MPC_OBJECT_IP6Q | \
- MPC_OBJECT_IFNET | \
- MPC_OBJECT_BPFDESC | \
- MPC_OBJECT_PIPE | \
- MPC_OBJECT_MOUNT | \
- MPC_OBJECT_POSIXSEM | \
- /* MPC_OBJECT_POSIXSHM | */ \
- MPC_OBJECT_SYSVMSG | \
- MPC_OBJECT_SYSVMSQ | \
- MPC_OBJECT_SYSVSEM | \
- MPC_OBJECT_SYSVSHM | \
- MPC_OBJECT_SYNCACHE)
-
MAC_POLICY_SET(&mac_biba_ops, mac_biba, "TrustedBSD MAC/Biba",
- MPC_LOADTIME_FLAG_NOTLATE, &biba_slot, BIBA_OBJECTS);
+ MPC_LOADTIME_FLAG_NOTLATE, &biba_slot);
diff --git a/sys/security/mac_bsdextended/mac_bsdextended.c b/sys/security/mac_bsdextended/mac_bsdextended.c
index b30b214..fa64011 100644
--- a/sys/security/mac_bsdextended/mac_bsdextended.c
+++ b/sys/security/mac_bsdextended/mac_bsdextended.c
@@ -523,4 +523,4 @@ static struct mac_policy_ops ugidfw_ops =
};
MAC_POLICY_SET(&ugidfw_ops, mac_bsdextended, "TrustedBSD MAC/BSD Extended",
- MPC_LOADTIME_FLAG_UNLOADOK, NULL, 0);
+ MPC_LOADTIME_FLAG_UNLOADOK, NULL);
diff --git a/sys/security/mac_ifoff/mac_ifoff.c b/sys/security/mac_ifoff/mac_ifoff.c
index 8543d2b..e49e3ad 100644
--- a/sys/security/mac_ifoff/mac_ifoff.c
+++ b/sys/security/mac_ifoff/mac_ifoff.c
@@ -170,4 +170,4 @@ static struct mac_policy_ops ifoff_ops =
};
MAC_POLICY_SET(&ifoff_ops, mac_ifoff, "TrustedBSD MAC/ifoff",
- MPC_LOADTIME_FLAG_UNLOADOK, NULL, 0);
+ MPC_LOADTIME_FLAG_UNLOADOK, NULL);
diff --git a/sys/security/mac_lomac/mac_lomac.c b/sys/security/mac_lomac/mac_lomac.c
index e2620cd..da3aa30 100644
--- a/sys/security/mac_lomac/mac_lomac.c
+++ b/sys/security/mac_lomac/mac_lomac.c
@@ -3052,26 +3052,5 @@ static struct mac_policy_ops lomac_ops =
.mpo_vnode_setlabel_extattr = lomac_vnode_setlabel_extattr,
};
-#define LOMAC_OBJECTS (MPC_OBJECT_CRED | \
- /* MPC_OBJECT_PROC | */ \
- MPC_OBJECT_VNODE | \
- MPC_OBJECT_INPCB | \
- MPC_OBJECT_SOCKET | \
- MPC_OBJECT_DEVFS | \
- MPC_OBJECT_MBUF | \
- MPC_OBJECT_IPQ | \
- MPC_OBJECT_IP6Q | \
- MPC_OBJECT_IFNET | \
- MPC_OBJECT_BPFDESC | \
- MPC_OBJECT_PIPE | \
- MPC_OBJECT_MOUNT | \
- /* MPC_OBJECT_POSIXSEM | */ \
- /* MPC_OBJECT_POSIXSHM | */ \
- /* MPC_OBJECT_SYSVMSG | */ \
- /* MPC_OBJECT_SYSVMSQ | */ \
- /* MPC_OBJECT_SYSVSEM | */ \
- /* MPC_OBJECT_SYSVSHM | */ \
- MPC_OBJECT_SYNCACHE)
-
MAC_POLICY_SET(&lomac_ops, mac_lomac, "TrustedBSD MAC/LOMAC",
- MPC_LOADTIME_FLAG_NOTLATE, &lomac_slot, LOMAC_OBJECTS);
+ MPC_LOADTIME_FLAG_NOTLATE, &lomac_slot);
diff --git a/sys/security/mac_mls/mac_mls.c b/sys/security/mac_mls/mac_mls.c
index abfad64..0ca6bf3 100644
--- a/sys/security/mac_mls/mac_mls.c
+++ b/sys/security/mac_mls/mac_mls.c
@@ -3162,26 +3162,5 @@ static struct mac_policy_ops mls_ops =
.mpo_vnode_setlabel_extattr = mls_vnode_setlabel_extattr,
};
-#define MLS_OBJECTS (MPC_OBJECT_CRED | \
- /* MPC_OBJECT_PROC | */ \
- MPC_OBJECT_VNODE | \
- MPC_OBJECT_INPCB | \
- MPC_OBJECT_SOCKET | \
- MPC_OBJECT_DEVFS | \
- MPC_OBJECT_MBUF | \
- MPC_OBJECT_IPQ | \
- MPC_OBJECT_IP6Q | \
- MPC_OBJECT_IFNET | \
- MPC_OBJECT_BPFDESC | \
- MPC_OBJECT_PIPE | \
- MPC_OBJECT_MOUNT | \
- MPC_OBJECT_POSIXSEM | \
- /* MPC_OBJECT_POSIXSHM | */ \
- MPC_OBJECT_SYSVMSG | \
- MPC_OBJECT_SYSVMSQ | \
- MPC_OBJECT_SYSVSEM | \
- MPC_OBJECT_SYSVSHM | \
- MPC_OBJECT_SYNCACHE)
-
MAC_POLICY_SET(&mls_ops, mac_mls, "TrustedBSD MAC/MLS",
- MPC_LOADTIME_FLAG_NOTLATE, &mls_slot, MLS_OBJECTS);
+ MPC_LOADTIME_FLAG_NOTLATE, &mls_slot);
diff --git a/sys/security/mac_none/mac_none.c b/sys/security/mac_none/mac_none.c
index d57c309..8577c73 100644
--- a/sys/security/mac_none/mac_none.c
+++ b/sys/security/mac_none/mac_none.c
@@ -53,4 +53,4 @@ static struct mac_policy_ops none_ops =
};
MAC_POLICY_SET(&none_ops, mac_none, "TrustedBSD MAC/None",
- MPC_LOADTIME_FLAG_UNLOADOK, NULL, 0);
+ MPC_LOADTIME_FLAG_UNLOADOK, NULL);
diff --git a/sys/security/mac_partition/mac_partition.c b/sys/security/mac_partition/mac_partition.c
index 7eca1f9..2fecb27 100644
--- a/sys/security/mac_partition/mac_partition.c
+++ b/sys/security/mac_partition/mac_partition.c
@@ -316,4 +316,4 @@ static struct mac_policy_ops partition_ops =
};
MAC_POLICY_SET(&partition_ops, mac_partition, "TrustedBSD MAC/Partition",
- MPC_LOADTIME_FLAG_UNLOADOK, &partition_slot, MPC_OBJECT_CRED);
+ MPC_LOADTIME_FLAG_UNLOADOK, &partition_slot);
diff --git a/sys/security/mac_portacl/mac_portacl.c b/sys/security/mac_portacl/mac_portacl.c
index eb388cc..aceda69 100644
--- a/sys/security/mac_portacl/mac_portacl.c
+++ b/sys/security/mac_portacl/mac_portacl.c
@@ -490,4 +490,4 @@ static struct mac_policy_ops portacl_ops =
};
MAC_POLICY_SET(&portacl_ops, mac_portacl, "TrustedBSD MAC/portacl",
- MPC_LOADTIME_FLAG_UNLOADOK, NULL, 0);
+ MPC_LOADTIME_FLAG_UNLOADOK, NULL);
diff --git a/sys/security/mac_seeotheruids/mac_seeotheruids.c b/sys/security/mac_seeotheruids/mac_seeotheruids.c
index ddbdaec..e1b73e0 100644
--- a/sys/security/mac_seeotheruids/mac_seeotheruids.c
+++ b/sys/security/mac_seeotheruids/mac_seeotheruids.c
@@ -186,4 +186,4 @@ static struct mac_policy_ops seeotheruids_ops =
};
MAC_POLICY_SET(&seeotheruids_ops, mac_seeotheruids,
- "TrustedBSD MAC/seeotheruids", MPC_LOADTIME_FLAG_UNLOADOK, NULL, 0);
+ "TrustedBSD MAC/seeotheruids", MPC_LOADTIME_FLAG_UNLOADOK, NULL);
diff --git a/sys/security/mac_stub/mac_stub.c b/sys/security/mac_stub/mac_stub.c
index 63de30f..23228a7 100644
--- a/sys/security/mac_stub/mac_stub.c
+++ b/sys/security/mac_stub/mac_stub.c
@@ -1800,26 +1800,5 @@ static struct mac_policy_ops stub_ops =
.mpo_vnode_setlabel_extattr = stub_vnode_setlabel_extattr,
};
-#define STUB_OBJECTS (MPC_OBJECT_CRED | \
- /* XXX: MPC_OBJECT_PROC | */ \
- MPC_OBJECT_VNODE | \
- MPC_OBJECT_INPCB | \
- MPC_OBJECT_SOCKET | \
- MPC_OBJECT_DEVFS | \
- MPC_OBJECT_MBUF | \
- MPC_OBJECT_IPQ | \
- MPC_OBJECT_IP6Q | \
- MPC_OBJECT_IFNET | \
- MPC_OBJECT_BPFDESC | \
- MPC_OBJECT_PIPE | \
- MPC_OBJECT_MOUNT | \
- MPC_OBJECT_POSIXSEM | \
- MPC_OBJECT_POSIXSHM | \
- MPC_OBJECT_SYSVMSG | \
- MPC_OBJECT_SYSVMSQ | \
- MPC_OBJECT_SYSVSEM | \
- MPC_OBJECT_SYSVSHM | \
- MPC_OBJECT_SYNCACHE)
-
MAC_POLICY_SET(&stub_ops, mac_stub, "TrustedBSD MAC/Stub",
- MPC_LOADTIME_FLAG_UNLOADOK, NULL, STUB_OBJECTS);
+ MPC_LOADTIME_FLAG_UNLOADOK, NULL);
diff --git a/sys/security/mac_test/mac_test.c b/sys/security/mac_test/mac_test.c
index 9e8d54e..13086f2 100644
--- a/sys/security/mac_test/mac_test.c
+++ b/sys/security/mac_test/mac_test.c
@@ -3139,26 +3139,5 @@ static struct mac_policy_ops test_ops =
.mpo_vnode_setlabel_extattr = test_vnode_setlabel_extattr,
};
-#define TEST_OBJECTS (MPC_OBJECT_CRED | \
- MPC_OBJECT_PROC | \
- MPC_OBJECT_VNODE | \
- MPC_OBJECT_INPCB | \
- MPC_OBJECT_SOCKET | \
- MPC_OBJECT_DEVFS | \
- MPC_OBJECT_MBUF | \
- MPC_OBJECT_IPQ | \
- MPC_OBJECT_IP6Q | \
- MPC_OBJECT_IFNET | \
- MPC_OBJECT_BPFDESC | \
- MPC_OBJECT_PIPE | \
- MPC_OBJECT_MOUNT | \
- MPC_OBJECT_POSIXSEM | \
- MPC_OBJECT_POSIXSHM | \
- MPC_OBJECT_SYSVMSG | \
- MPC_OBJECT_SYSVMSQ | \
- MPC_OBJECT_SYSVSEM | \
- MPC_OBJECT_SYSVSHM | \
- MPC_OBJECT_SYNCACHE)
-
MAC_POLICY_SET(&test_ops, mac_test, "TrustedBSD MAC/Test",
- MPC_LOADTIME_FLAG_UNLOADOK, &test_slot, TEST_OBJECTS);
+ MPC_LOADTIME_FLAG_UNLOADOK, &test_slot);
OpenPOWER on IntegriCloud