Update MAC modules for changes in arguments for exec MAC policy

entry points to include an explicit execlabel.

Approved by:	re
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories

7 files changed, 68 insertions, 14 deletions

diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c
index 2770941..3268dd7 100644
--- a/sys/security/mac_biba/mac_biba.c
+++ b/sys/security/mac_biba/mac_biba.c
@@ -2044,9 +2044,23 @@ mac_biba_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
 
 static int
 mac_biba_check_vnode_exec(struct ucred *cred, struct vnode *vp,
-    struct label *label, struct image_params *imgp)
+    struct label *label, struct image_params *imgp,
+    struct label *execlabel)
 {
-	struct mac_biba *subj, *obj;
+	struct mac_biba *subj, *obj, *exec;
+	int error;
+
+	if (execlabel != NULL) {
+		/*
+		 * We currently don't permit labels to be changed at
+		 * exec-time as part of Biba, so disallow non-NULL
+		 * Biba label elements in the execlabel.
+		 */
+		exec = SLOT(execlabel);
+		error = biba_atmostflags(exec, 0);
+		if (error)
+			return (error);
+	}
 
 	if (!mac_biba_enabled)
 		return (0);
diff --git a/sys/security/mac_bsdextended/mac_bsdextended.c b/sys/security/mac_bsdextended/mac_bsdextended.c
index 840a456..d090884 100644
--- a/sys/security/mac_bsdextended/mac_bsdextended.c
+++ b/sys/security/mac_bsdextended/mac_bsdextended.c
@@ -394,7 +394,8 @@ mac_bsdextended_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
 
 static int
 mac_bsdextended_check_vnode_exec(struct ucred *cred, struct vnode *vp,
-    struct label *label, struct image_params *imgp)
+    struct label *label, struct image_params *imgp,
+    struct label *execlabel)
 {
 	struct vattr vap;
 	int error;
diff --git a/sys/security/mac_mls/mac_mls.c b/sys/security/mac_mls/mac_mls.c
index 71f03c2..898630e 100644
--- a/sys/security/mac_mls/mac_mls.c
+++ b/sys/security/mac_mls/mac_mls.c
@@ -1862,9 +1862,23 @@ mac_mls_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
 
 static int
 mac_mls_check_vnode_exec(struct ucred *cred, struct vnode *vp,
-    struct label *label, struct image_params *imgp)
+    struct label *label, struct image_params *imgp,
+    struct label *execlabel)
 {
-	struct mac_mls *subj, *obj;
+	struct mac_mls *subj, *obj, *exec;
+	int error;
+
+	if (execlabel != NULL) {
+		/*
+		 * We currently don't permit labels to be changed at
+		 * exec-time as part of MLS, so disallow non-NULL
+		 * MLS label elements in the execlabel.
+		 */
+		exec = SLOT(execlabel);
+		error = mls_atmostflags(exec, 0);
+		if (error)
+			return (error);
+	}
 
 	if (!mac_mls_enabled)
 		return (0);
diff --git a/sys/security/mac_none/mac_none.c b/sys/security/mac_none/mac_none.c
index 127746b..7039420 100644
--- a/sys/security/mac_none/mac_none.c
+++ b/sys/security/mac_none/mac_none.c
@@ -417,7 +417,8 @@ mac_none_create_cred(struct ucred *cred_parent, struct ucred *cred_child)
 static void
 mac_none_execve_transition(struct ucred *old, struct ucred *new,
     struct vnode *vp, struct label *vnodelabel,
-    struct label *interpvnodelabel, struct image_params *imgp)
+    struct label *interpvnodelabel, struct image_params *imgp,
+    struct label *execlabel)
 {
 
 }
@@ -425,7 +426,7 @@ mac_none_execve_transition(struct ucred *old, struct ucred *new,
 static int
 mac_none_execve_will_transition(struct ucred *old, struct vnode *vp,
     struct label *vnodelabel, struct label *interpvnodelabel,
-    struct image_params *imgp)
+    struct image_params *imgp, struct label *execlabel)
 {
 
 	return (0);
@@ -689,7 +690,8 @@ mac_none_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
 
 static int
 mac_none_check_vnode_exec(struct ucred *cred, struct vnode *vp,
-    struct label *label, struct image_params *imgp)
+    struct label *label, struct image_params *imgp,
+    struct label *execlabel)
 {
 
 	return (0);
diff --git a/sys/security/mac_partition/mac_partition.c b/sys/security/mac_partition/mac_partition.c
index 3465eab..d7fc25c 100644
--- a/sys/security/mac_partition/mac_partition.c
+++ b/sys/security/mac_partition/mac_partition.c
@@ -244,6 +244,24 @@ mac_partition_check_socket_visible(struct ucred *cred, struct socket *socket,
 	return (error ? ENOENT : 0);
 }
 
+static int
+mac_partition_check_vnode_exec(struct ucred *cred, struct vnode *vp,
+    struct label *label, struct image_params *imgp, struct label *execlabel)
+{
+
+	if (execlabel != NULL) {
+		/*
+		 * We currently don't permit labels to be changed at
+		 * exec-time as part of the partition model, so disallow
+		 * non-NULL partition label changes in execlabel.
+		 */
+		if (SLOT(execlabel) != 0)
+			return (EINVAL);
+	}
+
+	return (0);
+}
+
 static struct mac_policy_ops mac_partition_ops =
 {
 	.mpo_init = mac_partition_init,
@@ -261,6 +279,7 @@ static struct mac_policy_ops mac_partition_ops =
 	.mpo_check_proc_sched = mac_partition_check_proc_sched,
 	.mpo_check_proc_signal = mac_partition_check_proc_signal,
 	.mpo_check_socket_visible = mac_partition_check_socket_visible,
+	.mpo_check_vnode_exec = mac_partition_check_vnode_exec,
 };
 
 MAC_POLICY_SET(&mac_partition_ops, trustedbsd_mac_partition,
diff --git a/sys/security/mac_stub/mac_stub.c b/sys/security/mac_stub/mac_stub.c
index 127746b..7039420 100644
--- a/sys/security/mac_stub/mac_stub.c
+++ b/sys/security/mac_stub/mac_stub.c
@@ -417,7 +417,8 @@ mac_none_create_cred(struct ucred *cred_parent, struct ucred *cred_child)
 static void
 mac_none_execve_transition(struct ucred *old, struct ucred *new,
     struct vnode *vp, struct label *vnodelabel,
-    struct label *interpvnodelabel, struct image_params *imgp)
+    struct label *interpvnodelabel, struct image_params *imgp,
+    struct label *execlabel)
 {
 
 }
@@ -425,7 +426,7 @@ mac_none_execve_transition(struct ucred *old, struct ucred *new,
 static int
 mac_none_execve_will_transition(struct ucred *old, struct vnode *vp,
     struct label *vnodelabel, struct label *interpvnodelabel,
-    struct image_params *imgp)
+    struct image_params *imgp, struct label *execlabel)
 {
 
 	return (0);
@@ -689,7 +690,8 @@ mac_none_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
 
 static int
 mac_none_check_vnode_exec(struct ucred *cred, struct vnode *vp,
-    struct label *label, struct image_params *imgp)
+    struct label *label, struct image_params *imgp,
+    struct label *execlabel)
 {
 
 	return (0);
diff --git a/sys/security/mac_test/mac_test.c b/sys/security/mac_test/mac_test.c
index d630c57..7ab30d0 100644
--- a/sys/security/mac_test/mac_test.c
+++ b/sys/security/mac_test/mac_test.c
@@ -767,7 +767,8 @@ mac_test_create_cred(struct ucred *cred_parent, struct ucred *cred_child)
 static void
 mac_test_execve_transition(struct ucred *old, struct ucred *new,
     struct vnode *vp, struct label *filelabel,
-    struct label *interpvnodelabel, struct image_params *imgp)
+    struct label *interpvnodelabel, struct image_params *imgp,
+    struct label *execlabel)
 {
 
 }
@@ -775,7 +776,7 @@ mac_test_execve_transition(struct ucred *old, struct ucred *new,
 static int
 mac_test_execve_will_transition(struct ucred *old, struct vnode *vp,
     struct label *filelabel, struct label *interpvnodelabel,
-    struct image_params *imgp)
+    struct image_params *imgp, struct label *execlabel)
 {
 
 	return (0);
@@ -1016,7 +1017,8 @@ mac_test_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
 
 static int
 mac_test_check_vnode_exec(struct ucred *cred, struct vnode *vp,
-    struct label *label, struct image_params *imgp)
+    struct label *label, struct image_params *imgp,
+    struct label *execlabel)
 {
 
 	return (0);