-rw-r--r--sys/security/mac/mac_audit.c33
-rw-r--r--sys/security/mac/mac_cred.c15
-rw-r--r--sys/security/mac/mac_framework.c4
-rw-r--r--sys/security/mac/mac_inet.c15
-rw-r--r--sys/security/mac/mac_internal.h71
-rw-r--r--sys/security/mac/mac_net.c15
-rw-r--r--sys/security/mac/mac_pipe.c30
-rw-r--r--sys/security/mac/mac_posix_sem.c34
-rw-r--r--sys/security/mac/mac_posix_shm.c31
-rw-r--r--sys/security/mac/mac_priv.c13
-rw-r--r--sys/security/mac/mac_process.c58
-rw-r--r--sys/security/mac/mac_socket.c56
-rw-r--r--sys/security/mac/mac_system.c47
-rw-r--r--sys/security/mac/mac_sysv_msg.c38
-rw-r--r--sys/security/mac/mac_sysv_sem.c18
-rw-r--r--sys/security/mac/mac_sysv_shm.c24
-rw-r--r--sys/security/mac/mac_vfs.c172
17 files changed, 660 insertions, 14 deletions
diff --git a/sys/security/mac/mac_audit.c b/sys/security/mac/mac_audit.c
index f3fc639..6310b04 100644
--- a/sys/security/mac/mac_audit.c
+++ b/sys/security/mac/mac_audit.c
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 1999-2002 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2009 Robert N. M. Watson
* Copyright (c) 2001 Ilmar S. Habibulin
* Copyright (c) 2001-2004 Networks Associates Technology, Inc.
* Copyright (c) 2006 SPARTA, Inc.
@@ -15,6 +15,9 @@
* This software was enhanced by SPARTA ISSO under SPAWAR contract
* N66001-04-C-6019 ("SEFOS").
*
+ * This software was developed at the University of Cambridge Computer
+ * Laboratory with support from a grant from Google, Inc.
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -40,8 +43,13 @@
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
+#include "opt_kdtrace.h"
+
#include <sys/param.h>
+#include <sys/kernel.h>
#include <sys/module.h>
+#include <sys/queue.h>
+#include <sys/sdt.h>
#include <sys/vnode.h>
#include <security/audit/audit.h>
@@ -50,46 +58,64 @@ __FBSDID("$FreeBSD$");
#include <security/mac/mac_internal.h>
#include <security/mac/mac_policy.h>
+MAC_CHECK_PROBE_DEFINE2(proc_check_setaudit, "struct ucred *",
+ "struct auditinfo *");
+
int
mac_proc_check_setaudit(struct ucred *cred, struct auditinfo *ai)
{
int error;
MAC_CHECK(proc_check_setaudit, cred, ai);
+ MAC_CHECK_PROBE2(proc_check_setaudit, error, cred, ai);
return (error);
}
+MAC_CHECK_PROBE_DEFINE2(proc_check_setaudit_addr, "struct ucred *",
+ "struct auditinfo_addr *");
+
int
mac_proc_check_setaudit_addr(struct ucred *cred, struct auditinfo_addr *aia)
{
int error;
MAC_CHECK(proc_check_setaudit_addr, cred, aia);
+ MAC_CHECK_PROBE2(proc_check_setaudit_addr, error, cred, aia);
return (error);
}
+MAC_CHECK_PROBE_DEFINE2(proc_check_setauid, "struct ucred *", "uid_t");
+
int
mac_proc_check_setauid(struct ucred *cred, uid_t auid)
{
int error;
MAC_CHECK(proc_check_setauid, cred, auid);
+ MAC_CHECK_PROBE2(proc_check_setauid, error, cred, auid);
return (error);
}
+MAC_CHECK_PROBE_DEFINE3(system_check_audit, "struct ucred *", "void *",
+ "int");
+
int
mac_system_check_audit(struct ucred *cred, void *record, int length)
{
int error;
MAC_CHECK(system_check_audit, cred, record, length);
+ MAC_CHECK_PROBE3(system_check_audit, error, cred, record, length);
return (error);
}
+MAC_CHECK_PROBE_DEFINE2(system_check_auditctl, "struct ucred *",
+ "struct vnode *");
+
int
mac_system_check_auditctl(struct ucred *cred, struct vnode *vp)
{
@@ -99,18 +125,21 @@ mac_system_check_auditctl(struct ucred *cred, struct vnode *vp)
ASSERT_VOP_LOCKED(vp, "mac_system_check_auditctl");
vl = (vp != NULL) ? vp->v_label : NULL;
-
MAC_CHECK(system_check_auditctl, cred, vp, vl);
+ MAC_CHECK_PROBE2(system_check_auditctl, error, cred, vp);
return (error);
}
+MAC_CHECK_PROBE_DEFINE2(system_check_auditon, "struct ucred *", "int");
+
int
mac_system_check_auditon(struct ucred *cred, int cmd)
{
int error;
MAC_CHECK(system_check_auditon, cred, cmd);
+ MAC_CHECK_PROBE2(system_check_auditon, error, cred, cmd);
return (error);
}
diff --git a/sys/security/mac/mac_cred.c b/sys/security/mac/mac_cred.c
index 4d46f9a..8cac7b3 100644
--- a/sys/security/mac/mac_cred.c
+++ b/sys/security/mac/mac_cred.c
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 1999-2002, 2008 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2008-2009 Robert N. M. Watson
* Copyright (c) 2001 Ilmar S. Habibulin
* Copyright (c) 2001-2003 Networks Associates Technology, Inc.
* Copyright (c) 2005 Samy Al Bahra
@@ -18,6 +18,9 @@
* This software was enhanced by SPARTA ISSO under SPAWAR contract
* N66001-04-C-6019 ("SEFOS").
*
+ * This software was developed at the University of Cambridge Computer
+ * Laboratory with support from a grant from Google, Inc.
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -43,6 +46,7 @@
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
+#include "opt_kdtrace.h"
#include "opt_mac.h"
#include <sys/param.h>
@@ -55,6 +59,7 @@ __FBSDID("$FreeBSD$");
#include <sys/mac.h>
#include <sys/proc.h>
#include <sys/sbuf.h>
+#include <sys/sdt.h>
#include <sys/systm.h>
#include <sys/vnode.h>
#include <sys/mount.h>
@@ -192,22 +197,30 @@ mac_cred_relabel(struct ucred *cred, struct label *newlabel)
MAC_PERFORM(cred_relabel, cred, newlabel);
}
+MAC_CHECK_PROBE_DEFINE2(cred_check_relabel, "struct ucred *",
+ "struct label *");
+
int
mac_cred_check_relabel(struct ucred *cred, struct label *newlabel)
{
int error;
MAC_CHECK(cred_check_relabel, cred, newlabel);
+ MAC_CHECK_PROBE2(cred_check_relabel, error, cred, newlabel);
return (error);
}
+MAC_CHECK_PROBE_DEFINE2(cred_check_visible, "struct ucred *",
+ "struct ucred *");
+
int
mac_cred_check_visible(struct ucred *cr1, struct ucred *cr2)
{
int error;
MAC_CHECK(cred_check_visible, cr1, cr2);
+ MAC_CHECK_PROBE2(cred_check_visible, error, cr1, cr2);
return (error);
}
diff --git a/sys/security/mac/mac_framework.c b/sys/security/mac/mac_framework.c
index c1e2e21..26bdd71 100644
--- a/sys/security/mac/mac_framework.c
+++ b/sys/security/mac/mac_framework.c
@@ -85,9 +85,11 @@ __FBSDID("$FreeBSD$");
#include <security/mac/mac_policy.h>
/*
- * DTrace SDT provider for MAC.
+ * DTrace SDT providers for MAC.
*/
SDT_PROVIDER_DEFINE(mac);
+SDT_PROVIDER_DEFINE(mac_framework);
+
SDT_PROBE_DEFINE2(mac, kernel, policy, modevent, "int",
"struct mac_policy_conf *mpc");
SDT_PROBE_DEFINE1(mac, kernel, policy, register, "struct mac_policy_conf *");
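Review bot: The comment above SDT_PROVIDER_DEFINE now only says there are several providers, not how they divide, although the header this commit adds describes `mac` as framework-level events and `mac_framework` as entry points. Suggest `/* DTrace SDT providers for MAC: "mac" carries framework-level events (policy modevent/register/...), "mac_framework" carries the per-entry-point check and grant probes. */` so a reader of this file does not have to open mac_internal.h to know which provider a new probe belongs under.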
diff --git a/sys/security/mac/mac_inet.c b/sys/security/mac/mac_inet.c
index b11f5b7..b62938b 100644
--- a/sys/security/mac/mac_inet.c
+++ b/sys/security/mac/mac_inet.c
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 1999-2002, 2007 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2007, 2009 Robert N. M. Watson
* Copyright (c) 2001 Ilmar S. Habibulin
* Copyright (c) 2001-2004 Networks Associates Technology, Inc.
* Copyright (c) 2006 SPARTA, Inc.
@@ -17,6 +17,9 @@
* This software was enhanced by SPARTA ISSO under SPAWAR contract
* N66001-04-C-6019 ("SEFOS").
*
+ * This software was developed at the University of Cambridge Computer
+ * Laboratory with support from a grant from Google, Inc.
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -42,6 +45,7 @@
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
+#include "opt_kdtrace.h"
#include "opt_mac.h"
#include <sys/param.h>
@@ -50,6 +54,7 @@ __FBSDID("$FreeBSD$");
#include <sys/malloc.h>
#include <sys/mutex.h>
#include <sys/sbuf.h>
+#include <sys/sdt.h>
#include <sys/systm.h>
#include <sys/mount.h>
#include <sys/file.h>
@@ -298,6 +303,9 @@ mac_ipq_update(struct mbuf *m, struct ipq *q)
MAC_PERFORM(ipq_update, m, label, q, q->ipq_label);
}
+MAC_CHECK_PROBE_DEFINE2(inpcb_check_deliver, "struct inpcb *",
+ "struct mbuf *");
+
int
mac_inpcb_check_deliver(struct inpcb *inp, struct mbuf *m)
{
@@ -309,10 +317,14 @@ mac_inpcb_check_deliver(struct inpcb *inp, struct mbuf *m)
label = mac_mbuf_to_label(m);
MAC_CHECK(inpcb_check_deliver, inp, inp->inp_label, m, label);
+ MAC_CHECK_PROBE2(inpcb_check_deliver, error, inp, m);
return (error);
}
+MAC_CHECK_PROBE_DEFINE2(inpcb_check_visible, "struct ucred *",
+ "struct inpcb *");
+
int
mac_inpcb_check_visible(struct ucred *cred, struct inpcb *inp)
{
@@ -321,6 +333,7 @@ mac_inpcb_check_visible(struct ucred *cred, struct inpcb *inp)
INP_LOCK_ASSERT(inp);
MAC_CHECK(inpcb_check_visible, cred, inp, inp->inp_label);
+ MAC_CHECK_PROBE2(inpcb_check_visible, error, cred, inp);
return (error);
}
diff --git a/sys/security/mac/mac_internal.h b/sys/security/mac/mac_internal.h
index 79544c3..34336fc 100644
--- a/sys/security/mac/mac_internal.h
+++ b/sys/security/mac/mac_internal.h
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 1999-2002, 2006 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2006, 2009 Robert N. M. Watson
* Copyright (c) 2001 Ilmar S. Habibulin
* Copyright (c) 2001-2004 Networks Associates Technology, Inc.
* Copyright (c) 2006 nCircle Network Security, Inc.
@@ -21,6 +21,9 @@
* This software was enhanced by SPARTA ISSO under SPAWAR contract
* N66001-04-C-6019 ("SEFOS").
*
+ * This software was developed at the University of Cambridge Computer
+ * Laboratory with support from a grant from Google, Inc.
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -60,6 +63,72 @@ SYSCTL_DECL(_security_mac);
#endif /* SYSCTL_DECL */
/*
+ * MAC Framework SDT DTrace probe namespace, macros for declaring entry
+ * point probes, macros for invoking them.
+ */
+#ifdef SDT_PROVIDER_DECLARE
+SDT_PROVIDER_DECLARE(mac); /* MAC Framework-level events. */
+SDT_PROVIDER_DECLARE(mac_framework); /* Entry points to MAC. */
+
+#define MAC_CHECK_PROBE_DEFINE4(name, arg0, arg1, arg2, arg3) \
+ SDT_PROBE_DEFINE5(mac_framework, kernel, name, mac_check_err, \
+ "int", arg0, arg1, arg2, arg3); \
+ SDT_PROBE_DEFINE5(mac_framework, kernel, name, mac_check_ok, \
+ "int", arg0, arg1, arg2, arg3);
+
+#define MAC_CHECK_PROBE_DEFINE3(name, arg0, arg1, arg2) \
+ SDT_PROBE_DEFINE4(mac_framework, kernel, name, mac_check_err, \
+ "int", arg0, arg1, arg2); \
+ SDT_PROBE_DEFINE4(mac_framework, kernel, name, mac_check_ok, \
+ "int", arg0, arg1, arg2);
+
+#define MAC_CHECK_PROBE_DEFINE2(name, arg0, arg1) \
+ SDT_PROBE_DEFINE3(mac_framework, kernel, name, mac_check_err, \
+ "int", arg0, arg1); \
+ SDT_PROBE_DEFINE3(mac_framework, kernel, name, mac_check_ok, \
+ "int", arg0, arg1);
+
+#define MAC_CHECK_PROBE_DEFINE1(name, arg0) \
+ SDT_PROBE_DEFINE2(mac_framework, kernel, name, mac_check_err, \
+ "int", arg0); \
+ SDT_PROBE_DEFINE2(mac_framework, kernel, name, mac_check_ok, \
+ "int", arg0);
+
+#define MAC_CHECK_PROBE4(name, error, arg0, arg1, arg2, arg3) do { \
+ if (error) { \
+ SDT_PROBE(mac_framework, kernel, name, mac_check_err, \
+ error, arg0, arg1, arg2, arg3); \
+ } else { \
+ SDT_PROBE(mac_framework, kernel, name, mac_check_ok, \
+ 0, arg0, arg1, arg2, arg3); \
+ } \
+} while (0)
+
+#define MAC_CHECK_PROBE3(name, error, arg0, arg1, arg2) \
+ MAC_CHECK_PROBE4(name, error, arg0, arg1, arg2, 0)
+#define MAC_CHECK_PROBE2(name, error, arg0, arg1) \
+ MAC_CHECK_PROBE3(name, error, arg0, arg1, 0)
+#define MAC_CHECK_PROBE1(name, error, arg0) \
+ MAC_CHECK_PROBE2(name, error, arg0, 0)
+#endif
+
+#define MAC_GRANT_PROBE_DEFINE2(name, arg0, arg1) \
+ SDT_PROBE_DEFINE3(mac_framework, kernel, name, mac_grant_err, \
+ "int", arg0, arg1); \
+ SDT_PROBE_DEFINE3(mac_framework, kernel, name, mac_grant_ok, \
+ "INT", arg0, arg1);
+
+#define MAC_GRANT_PROBE2(name, error, arg0, arg1) do { \
+ if (error) { \
+ SDT_PROBE(mac_framework, kernel, name, mac_grant_err, \
+ error, arg0, arg1, 0, 0); \
+ } else { \
+ SDT_PROBE(mac_framework, kernel, name, mac_grant_ok, \
+ error, arg0, arg1, 0, 0); \
+ } \
+} while (0)
+
+/*
* MAC Framework global types and typedefs.
*/
LIST_HEAD(mac_policy_list_head, mac_policy_conf);
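Review bot: MAC_GRANT_PROBE_DEFINE2 declares the first argument of the mac_grant_ok probe as `"INT"` while every other probe in this hunk uses `"int"`; that string is surfaced to DTrace consumers as the argument's type, so the line should read `"int", arg0, arg1);`. The two MAC_GRANT_* macros also sit after the `#endif` that closes `#ifdef SDT_PROVIDER_DECLARE`, whereas all the MAC_CHECK_* macros are inside it; presumably the guard exists for translation units that do not include sys/sdt.h, so moving the `#endif` to after MAC_GRANT_PROBE2 keeps the header consistent. Each *_PROBE_DEFINE* macro additionally ends in `;`, and the callers across this diff write `MAC_CHECK_PROBE_DEFINE2(...);`, which leaves an empty declaration at file scope that -Wpedantic reports; dropping the trailing `;` from the last SDT_PROBE_DEFINE in each macro avoids that.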
diff --git a/sys/security/mac/mac_net.c b/sys/security/mac/mac_net.c
index 8e8afea..4fccbd7 100644
--- a/sys/security/mac/mac_net.c
+++ b/sys/security/mac/mac_net.c
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 1999-2002 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2009 Robert N. M. Watson
* Copyright (c) 2001 Ilmar S. Habibulin
* Copyright (c) 2001-2004 Networks Associates Technology, Inc.
* Copyright (c) 2006 SPARTA, Inc.
@@ -17,6 +17,9 @@
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
* as part of the DARPA CHATS research program.
*
+ * This software was developed at the University of Cambridge Computer
+ * Laboratory with support from a grant from Google, Inc.
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -42,6 +45,7 @@
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
+#include "opt_kdtrace.h"
#include "opt_mac.h"
#include <sys/param.h>
@@ -52,6 +56,7 @@ __FBSDID("$FreeBSD$");
#include <sys/mac.h>
#include <sys/priv.h>
#include <sys/sbuf.h>
+#include <sys/sdt.h>
#include <sys/systm.h>
#include <sys/mount.h>
#include <sys/file.h>
@@ -324,6 +329,9 @@ mac_ifnet_create_mbuf(struct ifnet *ifp, struct mbuf *m)
MAC_IFNET_UNLOCK(ifp);
}
+MAC_CHECK_PROBE_DEFINE2(bpfdesc_check_receive, "struct bpf_d *",
+ "struct ifnet *");
+
int
mac_bpfdesc_check_receive(struct bpf_d *d, struct ifnet *ifp)
{
@@ -333,11 +341,15 @@ mac_bpfdesc_check_receive(struct bpf_d *d, struct ifnet *ifp)
MAC_IFNET_LOCK(ifp);
MAC_CHECK(bpfdesc_check_receive, d, d->bd_label, ifp, ifp->if_label);
+ MAC_CHECK_PROBE2(bpfdesc_check_receive, error, d, ifp);
MAC_IFNET_UNLOCK(ifp);
return (error);
}
+MAC_CHECK_PROBE_DEFINE2(ifnet_check_transmit, "struct ifnet *",
+ "struct mbuf *");
+
int
mac_ifnet_check_transmit(struct ifnet *ifp, struct mbuf *m)
{
@@ -350,6 +362,7 @@ mac_ifnet_check_transmit(struct ifnet *ifp, struct mbuf *m)
MAC_IFNET_LOCK(ifp);
MAC_CHECK(ifnet_check_transmit, ifp, ifp->if_label, m, label);
+ MAC_CHECK_PROBE2(ifnet_check_transmit, error, ifp, m);
MAC_IFNET_UNLOCK(ifp);
return (error);
diff --git a/sys/security/mac/mac_pipe.c b/sys/security/mac/mac_pipe.c
index 1d8ce04..921fd20 100644
--- a/sys/security/mac/mac_pipe.c
+++ b/sys/security/mac/mac_pipe.c
@@ -1,6 +1,7 @@
/*-
* Copyright (c) 2002-2003 Networks Associates Technology, Inc.
* Copyright (c) 2006 SPARTA, Inc.
+ * Copyright (c) 2009 Robert N. M. Watson
* All rights reserved.
*
* This software was developed for the FreeBSD Project in part by Network
@@ -11,6 +12,9 @@
* This software was enhanced by SPARTA ISSO under SPAWAR contract
* N66001-04-C-6019 ("SEFOS").
*
+ * This software was developed at the University of Cambridge Computer
+ * Laboratory with support from a grant from Google, Inc.
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -36,6 +40,7 @@
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
+#include "opt_kdtrace.h"
#include "opt_mac.h"
#include <sys/param.h>
@@ -45,6 +50,7 @@ __FBSDID("$FreeBSD$");
#include <sys/module.h>
#include <sys/mutex.h>
#include <sys/sbuf.h>
+#include <sys/sdt.h>
#include <sys/systm.h>
#include <sys/vnode.h>
#include <sys/pipe.h>
@@ -135,6 +141,9 @@ mac_pipe_relabel(struct ucred *cred, struct pipepair *pp,
MAC_PERFORM(pipe_relabel, cred, pp, pp->pp_label, newlabel);
}
+MAC_CHECK_PROBE_DEFINE4(pipe_check_ioctl, "struct ucred *",
+ "struct pipepair *", "unsigned long", "void *");
+
int
mac_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp,
unsigned long cmd, void *data)
@@ -144,10 +153,14 @@ mac_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp,
mtx_assert(&pp->pp_mtx, MA_OWNED);
MAC_CHECK(pipe_check_ioctl, cred, pp, pp->pp_label, cmd, data);
+ MAC_CHECK_PROBE4(pipe_check_ioctl, error, cred, pp, cmd, data);
return (error);
}
+MAC_CHECK_PROBE_DEFINE2(pipe_check_poll, "struct ucred *",
+ "struct pipepair *");
+
int
mac_pipe_check_poll(struct ucred *cred, struct pipepair *pp)
{
@@ -156,10 +169,14 @@ mac_pipe_check_poll(struct ucred *cred, struct pipepair *pp)
mtx_assert(&pp->pp_mtx, MA_OWNED);
MAC_CHECK(pipe_check_poll, cred, pp, pp->pp_label);
+ MAC_CHECK_PROBE2(pipe_check_poll, error, cred, pp);
return (error);
}
+MAC_CHECK_PROBE_DEFINE2(pipe_check_read, "struct ucred *",
+ "struct pipepair *");
+
int
mac_pipe_check_read(struct ucred *cred, struct pipepair *pp)
{
@@ -168,10 +185,14 @@ mac_pipe_check_read(struct ucred *cred, struct pipepair *pp)
mtx_assert(&pp->pp_mtx, MA_OWNED);
MAC_CHECK(pipe_check_read, cred, pp, pp->pp_label);
+ MAC_CHECK_PROBE2(pipe_check_read, error, cred, pp);
return (error);
}
+MAC_CHECK_PROBE_DEFINE3(pipe_check_relabel, "struct ucred *",
+ "struct pipepair *", "struct label *");
+
static int
mac_pipe_check_relabel(struct ucred *cred, struct pipepair *pp,
struct label *newlabel)
@@ -181,10 +202,14 @@ mac_pipe_check_relabel(struct ucred *cred, struct pipepair *pp,
mtx_assert(&pp->pp_mtx, MA_OWNED);
MAC_CHECK(pipe_check_relabel, cred, pp, pp->pp_label, newlabel);
+ MAC_CHECK_PROBE3(pipe_check_relabel, error, cred, pp, newlabel);
return (error);
}
+MAC_CHECK_PROBE_DEFINE2(pipe_check_stat, "struct ucred *",
+ "struct pipepair *");
+
int
mac_pipe_check_stat(struct ucred *cred, struct pipepair *pp)
{
@@ -193,10 +218,14 @@ mac_pipe_check_stat(struct ucred *cred, struct pipepair *pp)
mtx_assert(&pp->pp_mtx, MA_OWNED);
MAC_CHECK(pipe_check_stat, cred, pp, pp->pp_label);
+ MAC_CHECK_PROBE2(pipe_check_stat, error, cred, pp);
return (error);
}
+MAC_CHECK_PROBE_DEFINE2(pipe_check_write, "struct ucred *",
+ "struct pipepair *");
+
int
mac_pipe_check_write(struct ucred *cred, struct pipepair *pp)
{
@@ -205,6 +234,7 @@ mac_pipe_check_write(struct ucred *cred, struct pipepair *pp)
mtx_assert(&pp->pp_mtx, MA_OWNED);
MAC_CHECK(pipe_check_write, cred, pp, pp->pp_label);
+ MAC_CHECK_PROBE2(pipe_check_write, error, cred, pp);
return (error);
}
diff --git a/sys/security/mac/mac_posix_sem.c b/sys/security/mac/mac_posix_sem.c
index 1cda22c..2e3560d 100644
--- a/sys/security/mac/mac_posix_sem.c
+++ b/sys/security/mac/mac_posix_sem.c
@@ -1,5 +1,6 @@
/*-
* Copyright (c) 2003-2006 SPARTA, Inc.
+ * Copyright (c) 2009 Robert N. M. Watson
* All rights reserved.
*
* This software was developed for the FreeBSD Project in part by Network
@@ -10,6 +11,9 @@
* This software was enhanced by SPARTA ISSO under SPAWAR contract
* N66001-04-C-6019 ("SEFOS").
*
+ * This software was developed at the University of Cambridge Computer
+ * Laboratory with support from a grant from Google, Inc.
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -35,6 +39,7 @@
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
+#include "opt_kdtrace.h"
#include "opt_mac.h"
#include "opt_posix.h"
@@ -43,6 +48,7 @@ __FBSDID("$FreeBSD$");
#include <sys/ksem.h>
#include <sys/malloc.h>
#include <sys/module.h>
+#include <sys/sdt.h>
#include <sys/systm.h>
#include <sys/sysctl.h>
@@ -95,16 +101,23 @@ mac_posixsem_create(struct ucred *cred, struct ksem *ks)
MAC_PERFORM(posixsem_create, cred, ks, ks->ks_label);
}
+MAC_CHECK_PROBE_DEFINE2(posixsem_check_open, "struct ucred *",
+ "struct ksem *");
+
int
mac_posixsem_check_open(struct ucred *cred, struct ksem *ks)
{
int error;
MAC_CHECK(posixsem_check_open, cred, ks, ks->ks_label);
+ MAC_CHECK_PROBE2(posixsem_check_open, error, cred, ks);
return (error);
}
+MAC_CHECK_PROBE_DEFINE3(posixsem_check_getvalue, "struct ucred *",
+ "struct ucred *", "struct ksem *");
+
int
mac_posixsem_check_getvalue(struct ucred *active_cred, struct ucred *file_cred,
struct ksem *ks)
@@ -113,10 +126,15 @@ mac_posixsem_check_getvalue(struct ucred *active_cred, struct ucred *file_cred,
MAC_CHECK(posixsem_check_getvalue, active_cred, file_cred, ks,
ks->ks_label);
+ MAC_CHECK_PROBE3(posixsem_check_getvalue, error, active_cred,
+ file_cred, ks);
return (error);
}
+MAC_CHECK_PROBE_DEFINE3(posixsem_check_post, "struct ucred *",
+ "struct ucred *", "struct ksem *");
+
int
mac_posixsem_check_post(struct ucred *active_cred, struct ucred *file_cred,
struct ksem *ks)
@@ -125,10 +143,15 @@ mac_posixsem_check_post(struct ucred *active_cred, struct ucred *file_cred,
MAC_CHECK(posixsem_check_post, active_cred, file_cred, ks,
ks->ks_label);
+ MAC_CHECK_PROBE3(posixsem_check_post, error, active_cred, file_cred,
+ ks);
return (error);
}
+MAC_CHECK_PROBE_DEFINE3(posixsem_check_stat, "struct ucred *",
+ "struct ucred *", "struct ksem *");
+
int
mac_posixsem_check_stat(struct ucred *active_cred, struct ucred *file_cred,
struct ksem *ks)
@@ -137,20 +160,29 @@ mac_posixsem_check_stat(struct ucred *active_cred, struct ucred *file_cred,
MAC_CHECK(posixsem_check_stat, active_cred, file_cred, ks,
ks->ks_label);
+ MAC_CHECK_PROBE3(posixsem_check_stat, error, active_cred, file_cred,
+ ks);
return (error);
}
+MAC_CHECK_PROBE_DEFINE2(posixsem_check_unlink, "struct ucred *",
+ "struct ksem *");
+
int
mac_posixsem_check_unlink(struct ucred *cred, struct ksem *ks)
{
int error;
MAC_CHECK(posixsem_check_unlink, cred, ks, ks->ks_label);
+ MAC_CHECK_PROBE2(posixsem_check_unlink, error, cred, ks);
return (error);
}
+MAC_CHECK_PROBE_DEFINE3(posixsem_check_wait, "struct ucred *",
+ "struct ucred *", "struct ksem *");
+
int
mac_posixsem_check_wait(struct ucred *active_cred, struct ucred *file_cred,
struct ksem *ks)
@@ -159,6 +191,8 @@ mac_posixsem_check_wait(struct ucred *active_cred, struct ucred *file_cred,
MAC_CHECK(posixsem_check_wait, active_cred, file_cred, ks,
ks->ks_label);
+ MAC_CHECK_PROBE3(posixsem_check_wait, error, active_cred, file_cred,
+ ks);
return (error);
}
diff --git a/sys/security/mac/mac_posix_shm.c b/sys/security/mac/mac_posix_shm.c
index 97587ad..913cb43 100644
--- a/sys/security/mac/mac_posix_shm.c
+++ b/sys/security/mac/mac_posix_shm.c
@@ -1,5 +1,6 @@
/*-
* Copyright (c) 2003-2006 SPARTA, Inc.
+ * Copyright (c) 2009 Robert N. M. Watson
* All rights reserved.
*
* This software was developed for the FreeBSD Project in part by Network
@@ -8,7 +9,10 @@
* as part of the DARPA CHATS research program.
*
* This software was enhanced by SPARTA ISSO under SPAWAR contract
- * N66001-04-C-6019 ("SEFOS").
+ * N66001-04-C-6019 ("SEFOS"). *
+ *
+ * This software was developed at the University of Cambridge Computer
+ * Laboratory with support from a grant from Google, Inc.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
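Review bot: The rewritten line `* N66001-04-C-6019 ("SEFOS"). *` has a stray ` *` appended to the contract sentence; the equivalent hunks in the other files add the Cambridge paragraph without touching this line. It should stay `* N66001-04-C-6019 ("SEFOS").` with the separating `*` on its own line as elsewhere.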
@@ -35,6 +39,7 @@
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
+#include "opt_kdtrace.h"
#include "opt_mac.h"
#include <sys/param.h>
@@ -42,6 +47,7 @@ __FBSDID("$FreeBSD$");
#include <sys/mman.h>
#include <sys/malloc.h>
#include <sys/module.h>
+#include <sys/sdt.h>
#include <sys/systm.h>
#include <sys/sysctl.h>
@@ -94,6 +100,9 @@ mac_posixshm_create(struct ucred *cred, struct shmfd *shmfd)
MAC_PERFORM(posixshm_create, cred, shmfd, shmfd->shm_label);
}
+MAC_CHECK_PROBE_DEFINE4(posixshm_check_mmap, "struct ucred *",
+ "struct shmfd *", "int", "int");
+
int
mac_posixshm_check_mmap(struct ucred *cred, struct shmfd *shmfd, int prot,
int flags)
@@ -102,20 +111,29 @@ mac_posixshm_check_mmap(struct ucred *cred, struct shmfd *shmfd, int prot,
MAC_CHECK(posixshm_check_mmap, cred, shmfd, shmfd->shm_label, prot,
flags);
+ MAC_CHECK_PROBE4(posixshm_check_mmap, error, cred, shmfd, prot,
+ flags);
return (error);
}
+MAC_CHECK_PROBE_DEFINE2(posixshm_check_open, "struct ucred *",
+ "struct shmfd *");
+
int
mac_posixshm_check_open(struct ucred *cred, struct shmfd *shmfd)
{
int error;
MAC_CHECK(posixshm_check_open, cred, shmfd, shmfd->shm_label);
+ MAC_CHECK_PROBE2(posixshm_check_open, error, cred, shmfd);
return (error);
}
+MAC_CHECK_PROBE_DEFINE3(posixshm_check_stat, "struct ucred *",
+ "struct ucred *", "struct shmfd *");
+
int
mac_posixshm_check_stat(struct ucred *active_cred, struct ucred *file_cred,
struct shmfd *shmfd)
@@ -124,10 +142,15 @@ mac_posixshm_check_stat(struct ucred *active_cred, struct ucred *file_cred,
MAC_CHECK(posixshm_check_stat, active_cred, file_cred, shmfd,
shmfd->shm_label);
+ MAC_CHECK_PROBE3(posixshm_check_stat, error, active_cred, file_cred,
+ shmfd);
return (error);
}
+MAC_CHECK_PROBE_DEFINE3(posixshm_check_truncate, "struct ucred *",
+ "struct ucred *", "struct shmfd *");
+
int
mac_posixshm_check_truncate(struct ucred *active_cred, struct ucred *file_cred,
struct shmfd *shmfd)
@@ -136,16 +159,22 @@ mac_posixshm_check_truncate(struct ucred *active_cred, struct ucred *file_cred,
MAC_CHECK(posixshm_check_truncate, active_cred, file_cred, shmfd,
shmfd->shm_label);
+ MAC_CHECK_PROBE3(posixshm_check_truncate, error, active_cred,
+ file_cred, shmfd);
return (error);
}
+MAC_CHECK_PROBE_DEFINE2(posixshm_check_unlink, "struct ucred *",
+ "struct shmfd *");
+
int
mac_posixshm_check_unlink(struct ucred *cred, struct shmfd *shmfd)
{
int error;
MAC_CHECK(posixshm_check_unlink, cred, shmfd, shmfd->shm_label);
+ MAC_CHECK_PROBE2(posixshm_check_unlink, error, cred, shmfd);
return (error);
}
diff --git a/sys/security/mac/mac_priv.c b/sys/security/mac/mac_priv.c
index 745695c..f12b020 100644
--- a/sys/security/mac/mac_priv.c
+++ b/sys/security/mac/mac_priv.c
@@ -1,10 +1,14 @@
/*-
* Copyright (c) 2006 nCircle Network Security, Inc.
+ * Copyright (c) 2009 Robert N. M. Watson
* All rights reserved.
*
* This software was developed by Robert N. M. Watson for the TrustedBSD
* Project under contract to nCircle Network Security, Inc.
*
+ * This software was developed at the University of Cambridge Computer
+ * Laboratory with support from a grant from Google, Inc.
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -34,10 +38,13 @@
#include "sys/cdefs.h"
__FBSDID("$FreeBSD$");
+#include "opt_kdtrace.h"
#include "opt_mac.h"
#include <sys/param.h>
+#include <sys/kernel.h>
#include <sys/priv.h>
+#include <sys/sdt.h>
#include <sys/module.h>
#include <security/mac/mac_framework.h>
@@ -54,6 +61,8 @@ __FBSDID("$FreeBSD$");
* composition.
*/
+MAC_CHECK_PROBE_DEFINE2(priv_check, "struct ucred *", "int");
+
/*
* Restrict access to a privilege for a credential. Return failure if any
* policy denies access.
@@ -64,10 +73,13 @@ mac_priv_check(struct ucred *cred, int priv)
int error;
MAC_CHECK(priv_check, cred, priv);
+ MAC_CHECK_PROBE2(priv_check, error, cred, priv);
return (error);
}
+MAC_GRANT_PROBE_DEFINE2(priv_grant, "struct ucred *", "int");
+
/*
* Grant access to a privilege for a credential. Return success if any
* policy grants access.
@@ -78,6 +90,7 @@ mac_priv_grant(struct ucred *cred, int priv)
int error;
MAC_GRANT(priv_grant, cred, priv);
+ MAC_GRANT_PROBE2(priv_grant, error, cred, priv);
return (error);
}
diff --git a/sys/security/mac/mac_process.c b/sys/security/mac/mac_process.c
index fe8c397..0a98585 100644
--- a/sys/security/mac/mac_process.c
+++ b/sys/security/mac/mac_process.c
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 1999-2002, 2008 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2008-2009 Robert N. M. Watson
* Copyright (c) 2001 Ilmar S. Habibulin
* Copyright (c) 2001-2003 Networks Associates Technology, Inc.
* Copyright (c) 2005 Samy Al Bahra
@@ -18,6 +18,9 @@
* This software was enhanced by SPARTA ISSO under SPAWAR contract
* N66001-04-C-6019 ("SEFOS").
*
+ * This software was developed at the University of Cambridge Computer
+ * Laboratory with support from a grant from Google, Inc.
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -43,6 +46,7 @@
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
+#include "opt_kdtrace.h"
#include "opt_mac.h"
#include <sys/param.h>
@@ -55,6 +59,7 @@ __FBSDID("$FreeBSD$");
#include <sys/mac.h>
#include <sys/proc.h>
#include <sys/sbuf.h>
+#include <sys/sdt.h>
#include <sys/systm.h>
#include <sys/vnode.h>
#include <sys/mount.h>
@@ -373,6 +378,8 @@ mac_proc_vm_revoke_recurse(struct thread *td, struct ucred *cred,
vm_map_unlock(map);
}
+MAC_CHECK_PROBE_DEFINE2(proc_check_debug, "struct ucred *", "struct proc *");
+
int
mac_proc_check_debug(struct ucred *cred, struct proc *p)
{
@@ -381,10 +388,13 @@ mac_proc_check_debug(struct ucred *cred, struct proc *p)
PROC_LOCK_ASSERT(p, MA_OWNED);
MAC_CHECK(proc_check_debug, cred, p);
+ MAC_CHECK_PROBE2(proc_check_debug, error, cred, p);
return (error);
}
+MAC_CHECK_PROBE_DEFINE2(proc_check_sched, "struct ucred *", "struct proc *");
+
int
mac_proc_check_sched(struct ucred *cred, struct proc *p)
{
@@ -393,10 +403,14 @@ mac_proc_check_sched(struct ucred *cred, struct proc *p)
PROC_LOCK_ASSERT(p, MA_OWNED);
MAC_CHECK(proc_check_sched, cred, p);
+ MAC_CHECK_PROBE2(proc_check_sched, error, cred, p);
return (error);
}
+MAC_CHECK_PROBE_DEFINE3(proc_check_signal, "struct ucred *", "struct proc *",
+ "int");
+
int
mac_proc_check_signal(struct ucred *cred, struct proc *p, int signum)
{
@@ -405,10 +419,13 @@ mac_proc_check_signal(struct ucred *cred, struct proc *p, int signum)
PROC_LOCK_ASSERT(p, MA_OWNED);
MAC_CHECK(proc_check_signal, cred, p, signum);
+ MAC_CHECK_PROBE3(proc_check_signal, error, cred, p, signum);
return (error);
}
+MAC_CHECK_PROBE_DEFINE2(proc_check_setuid, "struct ucred *", "uid_t");
+
int
mac_proc_check_setuid(struct proc *p, struct ucred *cred, uid_t uid)
{
@@ -417,9 +434,13 @@ mac_proc_check_setuid(struct proc *p, struct ucred *cred, uid_t uid)
PROC_LOCK_ASSERT(p, MA_OWNED);
MAC_CHECK(proc_check_setuid, cred, uid);
+ MAC_CHECK_PROBE2(proc_check_setuid, error, cred, uid);
+
return (error);
}
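Review bot: mac_proc_check_setuid inserts a blank line between `MAC_CHECK_PROBE2(proc_check_setuid, error, cred, uid);` and `return (error);`, as do the seteuid, setgroups and setresuid hunks below, while setgid, setegid, setreuid, setregid, setresgid and every other file in this diff place the probe directly above the return. Pick one layout for the whole series; dropping the extra blank line matches the rest of the change.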
+MAC_CHECK_PROBE_DEFINE2(proc_check_seteuid, "struct ucred *", "uid_t");
+
int
mac_proc_check_seteuid(struct proc *p, struct ucred *cred, uid_t euid)
{
@@ -428,9 +449,13 @@ mac_proc_check_seteuid(struct proc *p, struct ucred *cred, uid_t euid)
PROC_LOCK_ASSERT(p, MA_OWNED);
MAC_CHECK(proc_check_seteuid, cred, euid);
+ MAC_CHECK_PROBE2(proc_check_seteuid, error, cred, euid);
+
return (error);
}
+MAC_CHECK_PROBE_DEFINE2(proc_check_setgid, "struct ucred *", "gid_t");
+
int
mac_proc_check_setgid(struct proc *p, struct ucred *cred, gid_t gid)
{
@@ -439,10 +464,13 @@ mac_proc_check_setgid(struct proc *p, struct ucred *cred, gid_t gid)
PROC_LOCK_ASSERT(p, MA_OWNED);
MAC_CHECK(proc_check_setgid, cred, gid);
+ MAC_CHECK_PROBE2(proc_check_setgid, error, cred, gid);
return (error);
}
+MAC_CHECK_PROBE_DEFINE2(proc_check_setegid, "struct ucred *", "gid_t");
+
int
mac_proc_check_setegid(struct proc *p, struct ucred *cred, gid_t egid)
{
@@ -451,10 +479,14 @@ mac_proc_check_setegid(struct proc *p, struct ucred *cred, gid_t egid)
PROC_LOCK_ASSERT(p, MA_OWNED);
MAC_CHECK(proc_check_setegid, cred, egid);
+ MAC_CHECK_PROBE2(proc_check_setegid, error, cred, egid);
return (error);
}
+MAC_CHECK_PROBE_DEFINE3(proc_check_setgroups, "struct ucred *", "int",
+ "gid_t *");
+
int
mac_proc_check_setgroups(struct proc *p, struct ucred *cred, int ngroups,
gid_t *gidset)
@@ -464,9 +496,14 @@ mac_proc_check_setgroups(struct proc *p, struct ucred *cred, int ngroups,
PROC_LOCK_ASSERT(p, MA_OWNED);
MAC_CHECK(proc_check_setgroups, cred, ngroups, gidset);
+ MAC_CHECK_PROBE3(proc_check_setgroups, error, cred, ngroups, gidset);
+
return (error);
}
+MAC_CHECK_PROBE_DEFINE3(proc_check_setreuid, "struct ucred *", "uid_t",
+ "uid_t");
+
int
mac_proc_check_setreuid(struct proc *p, struct ucred *cred, uid_t ruid,
uid_t euid)
@@ -476,10 +513,14 @@ mac_proc_check_setreuid(struct proc *p, struct ucred *cred, uid_t ruid,
PROC_LOCK_ASSERT(p, MA_OWNED);
MAC_CHECK(proc_check_setreuid, cred, ruid, euid);
+ MAC_CHECK_PROBE3(proc_check_setreuid, error, cred, ruid, euid);
return (error);
}
+MAC_CHECK_PROBE_DEFINE3(proc_check_setregid, "struct ucred *", "gid_t",
+ "gid_t");
+
int
mac_proc_check_setregid(struct proc *proc, struct ucred *cred, gid_t rgid,
gid_t egid)
@@ -489,10 +530,14 @@ mac_proc_check_setregid(struct proc *proc, struct ucred *cred, gid_t rgid,
PROC_LOCK_ASSERT(proc, MA_OWNED);
MAC_CHECK(proc_check_setregid, cred, rgid, egid);
+ MAC_CHECK_PROBE3(proc_check_setregid, error, cred, rgid, egid);
return (error);
}
+MAC_CHECK_PROBE_DEFINE4(proc_check_setresuid, "struct ucred *", "uid_t",
+ "uid_t", "uid_t");
+
int
mac_proc_check_setresuid(struct proc *p, struct ucred *cred, uid_t ruid,
uid_t euid, uid_t suid)
@@ -502,9 +547,15 @@ mac_proc_check_setresuid(struct proc *p, struct ucred *cred, uid_t ruid,
PROC_LOCK_ASSERT(p, MA_OWNED);
MAC_CHECK(proc_check_setresuid, cred, ruid, euid, suid);
+ MAC_CHECK_PROBE4(proc_check_setresuid, error, cred, ruid, euid,
+ suid);
+
return (error);
}
+MAC_CHECK_PROBE_DEFINE4(proc_check_setresgid, "struct ucred *", "gid_t",
+ "gid_t", "gid_t");
+
int
mac_proc_check_setresgid(struct proc *p, struct ucred *cred, gid_t rgid,
gid_t egid, gid_t sgid)
@@ -514,10 +565,14 @@ mac_proc_check_setresgid(struct proc *p, struct ucred *cred, gid_t rgid,
PROC_LOCK_ASSERT(p, MA_OWNED);
MAC_CHECK(proc_check_setresgid, cred, rgid, egid, sgid);
+ MAC_CHECK_PROBE4(proc_check_setresgid, error, cred, rgid, egid,
+ sgid);
return (error);
}
+MAC_CHECK_PROBE_DEFINE2(proc_check_wait, "struct ucred *", "struct proc *");
+
int
mac_proc_check_wait(struct ucred *cred, struct proc *p)
{
@@ -526,6 +581,7 @@ mac_proc_check_wait(struct ucred *cred, struct proc *p)
PROC_LOCK_ASSERT(p, MA_OWNED);
MAC_CHECK(proc_check_wait, cred, p);
+ MAC_CHECK_PROBE2(proc_check_wait, error, cred, p);
return (error);
}
diff --git a/sys/security/mac/mac_socket.c b/sys/security/mac/mac_socket.c
index fe297ce..fa4a970 100644
--- a/sys/security/mac/mac_socket.c
+++ b/sys/security/mac/mac_socket.c
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 1999-2002 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2009 Robert N. M. Watson
* Copyright (c) 2001 Ilmar S. Habibulin
* Copyright (c) 2001-2005 Networks Associates Technology, Inc.
* Copyright (c) 2005-2006 SPARTA, Inc.
@@ -17,6 +17,9 @@
* This software was enhanced by SPARTA ISSO under SPAWAR contract
* N66001-04-C-6019 ("SEFOS").
*
+ * This software was developed at the University of Cambridge Computer
+ * Laboratory with support from a grant from Google, Inc.
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -42,6 +45,7 @@
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
+#include "opt_kdtrace.h"
#include "opt_mac.h"
#include <sys/param.h>
@@ -51,6 +55,7 @@ __FBSDID("$FreeBSD$");
#include <sys/mutex.h>
#include <sys/mac.h>
#include <sys/sbuf.h>
+#include <sys/sdt.h>
#include <sys/systm.h>
#include <sys/mount.h>
#include <sys/file.h>
@@ -276,6 +281,9 @@ mac_socket_create_mbuf(struct socket *so, struct mbuf *m)
MAC_PERFORM(socket_create_mbuf, so, so->so_label, m, label);
}
+MAC_CHECK_PROBE_DEFINE2(socket_check_accept, "struct ucred *",
+ "struct socket *");
+
int
mac_socket_check_accept(struct ucred *cred, struct socket *so)
{
@@ -284,10 +292,14 @@ mac_socket_check_accept(struct ucred *cred, struct socket *so)
SOCK_LOCK_ASSERT(so);
MAC_CHECK(socket_check_accept, cred, so, so->so_label);
+ MAC_CHECK_PROBE2(socket_check_accept, error, cred, so);
return (error);
}
+MAC_CHECK_PROBE_DEFINE3(socket_check_bind, "struct ucred *",
+ "struct socket *", "struct sockaddr *");
+
int
mac_socket_check_bind(struct ucred *ucred, struct socket *so,
struct sockaddr *sa)
@@ -297,10 +309,14 @@ mac_socket_check_bind(struct ucred *ucred, struct socket *so,
SOCK_LOCK_ASSERT(so);
MAC_CHECK(socket_check_bind, ucred, so, so->so_label, sa);
+ MAC_CHECK_PROBE3(socket_check_bind, error, ucred, so, sa);
return (error);
}
+MAC_CHECK_PROBE_DEFINE3(socket_check_connect, "struct ucred *",
+ "struct socket *", "struct sockaddr *");
+
int
mac_socket_check_connect(struct ucred *cred, struct socket *so,
struct sockaddr *sa)
@@ -310,20 +326,29 @@ mac_socket_check_connect(struct ucred *cred, struct socket *so,
SOCK_LOCK_ASSERT(so);
MAC_CHECK(socket_check_connect, cred, so, so->so_label, sa);
+ MAC_CHECK_PROBE3(socket_check_connect, error, cred, so, sa);
return (error);
}
+MAC_CHECK_PROBE_DEFINE4(socket_check_create, "struct ucred *", "int", "int",
+ "int");
+
int
mac_socket_check_create(struct ucred *cred, int domain, int type, int proto)
{
int error;
MAC_CHECK(socket_check_create, cred, domain, type, proto);
+ MAC_CHECK_PROBE4(socket_check_create, error, cred, domain, type,
+ proto);
return (error);
}
+MAC_CHECK_PROBE_DEFINE2(socket_check_deliver, "struct socket *",
+ "struct mbuf *");
+
int
mac_socket_check_deliver(struct socket *so, struct mbuf *m)
{
@@ -335,10 +360,14 @@ mac_socket_check_deliver(struct socket *so, struct mbuf *m)
label = mac_mbuf_to_label(m);
MAC_CHECK(socket_check_deliver, so, so->so_label, m, label);
+ MAC_CHECK_PROBE2(socket_check_deliver, error, so, m);
return (error);
}
+MAC_CHECK_PROBE_DEFINE2(socket_check_listen, "struct ucred *",
+ "struct socket *");
+
int
mac_socket_check_listen(struct ucred *cred, struct socket *so)
{
@@ -347,10 +376,14 @@ mac_socket_check_listen(struct ucred *cred, struct socket *so)
SOCK_LOCK_ASSERT(so);
MAC_CHECK(socket_check_listen, cred, so, so->so_label);
+ MAC_CHECK_PROBE2(socket_check_listen, error, cred, so);
return (error);
}
+MAC_CHECK_PROBE_DEFINE2(socket_check_poll, "struct ucred *",
+ "struct socket *");
+
int
mac_socket_check_poll(struct ucred *cred, struct socket *so)
{
@@ -359,10 +392,14 @@ mac_socket_check_poll(struct ucred *cred, struct socket *so)
SOCK_LOCK_ASSERT(so);
MAC_CHECK(socket_check_poll, cred, so, so->so_label);
+ MAC_CHECK_PROBE2(socket_check_poll, error, cred, so);
return (error);
}
+MAC_CHECK_PROBE_DEFINE2(socket_check_receive, "struct ucred *",
+ "struct socket *");
+
int
mac_socket_check_receive(struct ucred *cred, struct socket *so)
{
@@ -371,10 +408,14 @@ mac_socket_check_receive(struct ucred *cred, struct socket *so)
SOCK_LOCK_ASSERT(so);
MAC_CHECK(socket_check_receive, cred, so, so->so_label);
+ MAC_CHECK_PROBE2(socket_check_receive, error, cred, so);
return (error);
}
+MAC_CHECK_PROBE_DEFINE3(socket_check_relabel, "struct ucred *",
+ "struct socket *", "struct label *");
+
static int
mac_socket_check_relabel(struct ucred *cred, struct socket *so,
struct label *newlabel)
@@ -384,10 +425,14 @@ mac_socket_check_relabel(struct ucred *cred, struct socket *so,
SOCK_LOCK_ASSERT(so);
MAC_CHECK(socket_check_relabel, cred, so, so->so_label, newlabel);
+ MAC_CHECK_PROBE3(socket_check_relabel, error, cred, so, newlabel);
return (error);
}
+MAC_CHECK_PROBE_DEFINE2(socket_check_send, "struct ucred *",
+ "struct socket *");
+
int
mac_socket_check_send(struct ucred *cred, struct socket *so)
{
@@ -396,10 +441,14 @@ mac_socket_check_send(struct ucred *cred, struct socket *so)
SOCK_LOCK_ASSERT(so);
MAC_CHECK(socket_check_send, cred, so, so->so_label);
+ MAC_CHECK_PROBE2(socket_check_send, error, cred, so);
return (error);
}
+MAC_CHECK_PROBE_DEFINE2(socket_check_stat, "struct ucred *",
+ "struct socket *");
+
int
mac_socket_check_stat(struct ucred *cred, struct socket *so)
{
@@ -408,10 +457,14 @@ mac_socket_check_stat(struct ucred *cred, struct socket *so)
SOCK_LOCK_ASSERT(so);
MAC_CHECK(socket_check_stat, cred, so, so->so_label);
+ MAC_CHECK_PROBE2(socket_check_stat, error, cred, so);
return (error);
}
+MAC_CHECK_PROBE_DEFINE2(socket_check_visible, "struct ucred *",
+ "struct socket *");
+
int
mac_socket_check_visible(struct ucred *cred, struct socket *so)
{
@@ -420,6 +473,7 @@ mac_socket_check_visible(struct ucred *cred, struct socket *so)
SOCK_LOCK_ASSERT(so);
MAC_CHECK(socket_check_visible, cred, so, so->so_label);
+ MAC_CHECK_PROBE2(socket_check_visible, error, cred, so);
return (error);
}
diff --git a/sys/security/mac/mac_system.c b/sys/security/mac/mac_system.c
index 588e019..a8e351e 100644
--- a/sys/security/mac/mac_system.c
+++ b/sys/security/mac/mac_system.c
@@ -1,7 +1,7 @@
/*-
* Copyright (c) 2002-2003 Networks Associates Technology, Inc.
* Copyright (c) 2006 SPARTA, Inc.
- * Copyright (c) 2007 Robert N. M. Watson
+ * Copyright (c) 2007, 2009 Robert N. M. Watson
* All rights reserved.
*
* This software was developed for the FreeBSD Project in part by Network
@@ -15,6 +15,9 @@
* This software was enhanced by SPARTA ISSO under SPAWAR contract
* N66001-04-C-6019 ("SEFOS").
*
+ * This software was developed at the University of Cambridge Computer
+ * Laboratory with support from a grant from Google, Inc.
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -50,6 +53,7 @@
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
+#include "opt_kdtrace.h"
#include "opt_mac.h"
#include <sys/param.h>
@@ -58,6 +62,7 @@ __FBSDID("$FreeBSD$");
#include <sys/malloc.h>
#include <sys/module.h>
#include <sys/mutex.h>
+#include <sys/sdt.h>
#include <sys/systm.h>
#include <sys/vnode.h>
#include <sys/sysctl.h>
@@ -66,46 +71,61 @@ __FBSDID("$FreeBSD$");
#include <security/mac/mac_internal.h>
#include <security/mac/mac_policy.h>
+MAC_CHECK_PROBE_DEFINE1(kenv_check_dump, "struct ucred *");
+
int
mac_kenv_check_dump(struct ucred *cred)
{
int error;
MAC_CHECK(kenv_check_dump, cred);
+ MAC_CHECK_PROBE1(kenv_check_dump, error, cred);
return (error);
}
+MAC_CHECK_PROBE_DEFINE2(kenv_check_get, "struct ucred *", "char *");
+
int
mac_kenv_check_get(struct ucred *cred, char *name)
{
int error;
MAC_CHECK(kenv_check_get, cred, name);
+ MAC_CHECK_PROBE2(kenv_check_get, error, cred, name);
return (error);
}
+MAC_CHECK_PROBE_DEFINE3(kenv_check_set, "struct ucred *", "char *",
+ "char *");
+
int
mac_kenv_check_set(struct ucred *cred, char *name, char *value)
{
int error;
MAC_CHECK(kenv_check_set, cred, name, value);
+ MAC_CHECK_PROBE3(kenv_check_set, error, cred, name, value);
return (error);
}
+MAC_CHECK_PROBE_DEFINE2(kenv_check_unset, "struct ucred *", "char *");
+
int
mac_kenv_check_unset(struct ucred *cred, char *name)
{
int error;
MAC_CHECK(kenv_check_unset, cred, name);
+ MAC_CHECK_PROBE2(kenv_check_unset, error, cred, name);
return (error);
}
+MAC_CHECK_PROBE_DEFINE2(kld_check_load, "struct ucred *", "struct vnode *");
+
int
mac_kld_check_load(struct ucred *cred, struct vnode *vp)
{
@@ -114,20 +134,27 @@ mac_kld_check_load(struct ucred *cred, struct vnode *vp)
ASSERT_VOP_LOCKED(vp, "mac_kld_check_load");
MAC_CHECK(kld_check_load, cred, vp, vp->v_label);
+ MAC_CHECK_PROBE2(kld_check_load, error, cred, vp);
return (error);
}
+MAC_CHECK_PROBE_DEFINE1(kld_check_stat, "struct ucred *");
+
int
mac_kld_check_stat(struct ucred *cred)
{
int error;
MAC_CHECK(kld_check_stat, cred);
+ MAC_CHECK_PROBE1(kld_check_stat, error, cred);
return (error);
}
+MAC_CHECK_PROBE_DEFINE2(system_check_acct, "struct ucred *",
+ "struct vnode *");
+
int
mac_system_check_acct(struct ucred *cred, struct vnode *vp)
{
@@ -139,20 +166,27 @@ mac_system_check_acct(struct ucred *cred, struct vnode *vp)
MAC_CHECK(system_check_acct, cred, vp,
vp != NULL ? vp->v_label : NULL);
+ MAC_CHECK_PROBE2(system_check_acct, error, cred, vp);
return (error);
}
+MAC_CHECK_PROBE_DEFINE2(system_check_reboot, "struct ucred *", "int");
+
int
mac_system_check_reboot(struct ucred *cred, int howto)
{
int error;
MAC_CHECK(system_check_reboot, cred, howto);
+ MAC_CHECK_PROBE2(system_check_reboot, error, cred, howto);
return (error);
}
+MAC_CHECK_PROBE_DEFINE2(system_check_swapon, "struct ucred *",
+ "struct vnode *");
+
int
mac_system_check_swapon(struct ucred *cred, struct vnode *vp)
{
@@ -161,9 +195,14 @@ mac_system_check_swapon(struct ucred *cred, struct vnode *vp)
ASSERT_VOP_LOCKED(vp, "mac_system_check_swapon");
MAC_CHECK(system_check_swapon, cred, vp, vp->v_label);
+ MAC_CHECK_PROBE2(system_check_swapon, error, cred, vp);
+
return (error);
}
+MAC_CHECK_PROBE_DEFINE2(system_check_swapoff, "struct ucred *",
+ "struct vnode *");
+
int
mac_system_check_swapoff(struct ucred *cred, struct vnode *vp)
{
@@ -172,9 +211,14 @@ mac_system_check_swapoff(struct ucred *cred, struct vnode *vp)
ASSERT_VOP_LOCKED(vp, "mac_system_check_swapoff");
MAC_CHECK(system_check_swapoff, cred, vp, vp->v_label);
+ MAC_CHECK_PROBE2(system_check_swapoff, error, cred, vp);
+
return (error);
}
+MAC_CHECK_PROBE_DEFINE3(system_check_sysctl, "struct ucred *",
+ "struct sysctl_oid *", "struct sysctl_req *");
+
int
mac_system_check_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
void *arg1, int arg2, struct sysctl_req *req)
@@ -186,6 +230,7 @@ mac_system_check_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
* but since it's not exported from kern_sysctl.c, we can't.
*/
MAC_CHECK(system_check_sysctl, cred, oidp, arg1, arg2, req);
+ MAC_CHECK_PROBE3(system_check_sysctl, error, cred, oidp, req);
return (error);
}
diff --git a/sys/security/mac/mac_sysv_msg.c b/sys/security/mac/mac_sysv_msg.c
index 2c5bbca..1053871 100644
--- a/sys/security/mac/mac_sysv_msg.c
+++ b/sys/security/mac/mac_sysv_msg.c
@@ -2,6 +2,7 @@
* Copyright (c) 2003-2004 Networks Associates Technology, Inc.
* Copyright (c) 2006 SPARTA, Inc.
* Copyright (c) 2008 Apple Inc.
+ * Copyright (c) 2009 Robert N. M. Watson
* All rights reserved.
*
* This software was developed for the FreeBSD Project in part by Network
@@ -12,6 +13,9 @@
* This software was enhanced by SPARTA ISSO under SPAWAR contract
* N66001-04-C-6019 ("SEFOS").
*
+ * This software was developed at the University of Cambridge Computer
+ * Laboratory with support from a grant from Google, Inc.
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -37,6 +41,7 @@
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
+#include "opt_kdtrace.h"
#include "opt_mac.h"
#include <sys/param.h>
@@ -45,6 +50,7 @@ __FBSDID("$FreeBSD$");
#include <sys/malloc.h>
#include <sys/mutex.h>
#include <sys/sbuf.h>
+#include <sys/sdt.h>
#include <sys/systm.h>
#include <sys/vnode.h>
#include <sys/mount.h>
@@ -163,68 +169,95 @@ mac_sysvmsq_cleanup(struct msqid_kernel *msqkptr)
MAC_PERFORM(sysvmsq_cleanup, msqkptr->label);
}
+MAC_CHECK_PROBE_DEFINE3(sysvmsq_check_msgmsq, "struct ucred *",
+ "struct msg *", "struct msqid_kernel *");
+
int
mac_sysvmsq_check_msgmsq(struct ucred *cred, struct msg *msgptr,
struct msqid_kernel *msqkptr)
{
int error;
- MAC_CHECK(sysvmsq_check_msgmsq, cred, msgptr, msgptr->label,
+ MAC_CHECK(sysvmsq_check_msgmsq, cred, msgptr, msgptr->label,
msqkptr, msqkptr->label);
+ MAC_CHECK_PROBE3(sysvmsq_check_msgmsq, error, cred, msgptr, msqkptr);
return (error);
}
+MAC_CHECK_PROBE_DEFINE2(sysvmsq_check_msgrcv, "struct ucred *",
+ "struct msg *");
+
int
mac_sysvmsq_check_msgrcv(struct ucred *cred, struct msg *msgptr)
{
int error;
MAC_CHECK(sysvmsq_check_msgrcv, cred, msgptr, msgptr->label);
+ MAC_CHECK_PROBE2(sysvmsq_check_msgrcv, error, cred, msgptr);
return (error);
}
+MAC_CHECK_PROBE_DEFINE2(sysvmsq_check_msgrmid, "struct ucred *",
+ "struct msg *");
+
int
mac_sysvmsq_check_msgrmid(struct ucred *cred, struct msg *msgptr)
{
int error;
- MAC_CHECK(sysvmsq_check_msgrmid, cred, msgptr, msgptr->label);
+ MAC_CHECK(sysvmsq_check_msgrmid, cred, msgptr, msgptr->label);
+ MAC_CHECK_PROBE2(sysvmsq_check_msgrmid, error, cred, msgptr);
return (error);
}
+MAC_CHECK_PROBE_DEFINE2(sysvmsq_check_msqget, "struct ucred *",
+ "struct msqid_kernel *");
+
int
mac_sysvmsq_check_msqget(struct ucred *cred, struct msqid_kernel *msqkptr)
{
int error;
MAC_CHECK(sysvmsq_check_msqget, cred, msqkptr, msqkptr->label);
+ MAC_CHECK_PROBE2(sysvmsq_check_msqget, error, cred, msqkptr);
return (error);
}
+MAC_CHECK_PROBE_DEFINE2(sysvmsq_check_msqsnd, "struct ucred *",
+ "struct msqid_kernel *");
+
int
mac_sysvmsq_check_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr)
{
int error;
MAC_CHECK(sysvmsq_check_msqsnd, cred, msqkptr, msqkptr->label);
+ MAC_CHECK_PROBE2(sysvmsq_check_msqsnd, error, cred, msqkptr);
return (error);
}
+MAC_CHECK_PROBE_DEFINE2(sysvmsq_check_msqrcv, "struct ucred *",
+ "struct msqid_kernel *");
+
int
mac_sysvmsq_check_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr)
{
int error;
MAC_CHECK(sysvmsq_check_msqrcv, cred, msqkptr, msqkptr->label);
+ MAC_CHECK_PROBE2(sysvmsq_check_msqrcv, error, cred, msqkptr);
return (error);
}
+MAC_CHECK_PROBE_DEFINE3(sysvmsq_check_msqctl, "struct ucred *",
+ "struct msqid_kernel *", "int");
+
int
mac_sysvmsq_check_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr,
int cmd)
@@ -232,6 +265,7 @@ mac_sysvmsq_check_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr,
int error;
MAC_CHECK(sysvmsq_check_msqctl, cred, msqkptr, msqkptr->label, cmd);
+ MAC_CHECK_PROBE3(sysvmsq_check_msqctl, error, cred, msqkptr, cmd);
return (error);
}
diff --git a/sys/security/mac/mac_sysv_sem.c b/sys/security/mac/mac_sysv_sem.c
index 94a1107..9fc13fa 100644
--- a/sys/security/mac/mac_sysv_sem.c
+++ b/sys/security/mac/mac_sysv_sem.c
@@ -1,6 +1,7 @@
/*-
* Copyright (c) 2003-2004 Networks Associates Technology, Inc.
* Copyright (c) 2006 SPARTA, Inc.
+ * Copyright (c) 2009 Robert N. M. Watson
* All rights reserved.
*
* This software was developed for the FreeBSD Project in part by Network
@@ -11,6 +12,9 @@
* This software was enhanced by SPARTA ISSO under SPAWAR contract
* N66001-04-C-6019 ("SEFOS").
*
+ * This software was developed at the University of Cambridge Computer
+ * Laboratory with support from a grant from Google, Inc.
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -36,6 +40,7 @@
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
+#include "opt_kdtrace.h"
#include "opt_mac.h"
#include <sys/param.h>
@@ -49,6 +54,7 @@ __FBSDID("$FreeBSD$");
#include <sys/mount.h>
#include <sys/file.h>
#include <sys/namei.h>
+#include <sys/sdt.h>
#include <sys/sysctl.h>
#include <sys/sem.h>
@@ -108,6 +114,9 @@ mac_sysvsem_cleanup(struct semid_kernel *semakptr)
MAC_PERFORM(sysvsem_cleanup, semakptr->label);
}
+MAC_CHECK_PROBE_DEFINE3(sysvsem_check_semctl, "struct ucred *",
+ "struct semid_kernel *", "int");
+
int
mac_sysvsem_check_semctl(struct ucred *cred, struct semid_kernel *semakptr,
int cmd)
@@ -116,10 +125,14 @@ mac_sysvsem_check_semctl(struct ucred *cred, struct semid_kernel *semakptr,
MAC_CHECK(sysvsem_check_semctl, cred, semakptr, semakptr->label,
cmd);
+ MAC_CHECK_PROBE3(sysvsem_check_semctl, error, cred, semakptr, cmd);
return (error);
}
+MAC_CHECK_PROBE_DEFINE2(sysvsem_check_semget, "struct ucred *",
+ "struct semid_kernel *");
+
int
mac_sysvsem_check_semget(struct ucred *cred, struct semid_kernel *semakptr)
{
@@ -130,6 +143,9 @@ mac_sysvsem_check_semget(struct ucred *cred, struct semid_kernel *semakptr)
return (error);
}
+MAC_CHECK_PROBE_DEFINE3(sysvsem_check_semop, "struct ucred *",
+ "struct semid_kernel *", "size_t");
+
int
mac_sysvsem_check_semop(struct ucred *cred, struct semid_kernel *semakptr,
size_t accesstype)
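Review bot: The `sysvsem_check_semget` probe defined in the previous hunk is never fired: this hunk opens at `return (error);`, and the hunk arithmetic (old lines 126–129 mapping unchanged onto new 139–142) shows no probe call was inserted into the body of mac_sysvsem_check_semget. Every sibling check in this file fires its probe right after MAC_CHECK, so a DTrace consumer tracing semget decisions would silently see no events and could mistake that for "no checks happened". Add `MAC_CHECK_PROBE2(sysvsem_check_semget, error, cred, semakptr);` after the MAC_CHECK line, just before the `return (error);` at the top of this hunk. The body of mac_sysvsem_check_semget lies between the two hunks and is not visible here.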
@@ -138,6 +154,8 @@ mac_sysvsem_check_semop(struct ucred *cred, struct semid_kernel *semakptr,
MAC_CHECK(sysvsem_check_semop, cred, semakptr, semakptr->label,
accesstype);
+ MAC_CHECK_PROBE3(sysvsem_check_semop, error, cred, semakptr,
+ accesstype);
return (error);
}
diff --git a/sys/security/mac/mac_sysv_shm.c b/sys/security/mac/mac_sysv_shm.c
index 950c23e..d42cb0b 100644
--- a/sys/security/mac/mac_sysv_shm.c
+++ b/sys/security/mac/mac_sysv_shm.c
@@ -1,6 +1,7 @@
/*-
* Copyright (c) 2003-2004 Networks Associates Technology, Inc.
* Copyright (c) 2006 SPARTA, Inc.
+ * Copyright (c) 2009 Robert N. M. Watson
* All rights reserved.
*
* This software was developed for the FreeBSD Project in part by Network
@@ -11,6 +12,9 @@
* This software was enhanced by SPARTA ISSO under SPAWAR contract
* N66001-04-C-6019 ("SEFOS").
*
+ * This software was developed at the University of Cambridge Computer
+ * Laboratory with support from a grant from Google, Inc.
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -36,6 +40,7 @@
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
+#include "opt_kdtrace.h"
#include "opt_mac.h"
#include <sys/param.h>
@@ -49,6 +54,7 @@ __FBSDID("$FreeBSD$");
#include <sys/mount.h>
#include <sys/file.h>
#include <sys/namei.h>
+#include <sys/sdt.h>
#include <sys/sysctl.h>
#include <sys/shm.h>
@@ -108,6 +114,9 @@ mac_sysvshm_cleanup(struct shmid_kernel *shmsegptr)
MAC_PERFORM(sysvshm_cleanup, shmsegptr->label);
}
+MAC_CHECK_PROBE_DEFINE3(sysvshm_check_shmat, "struct ucred *",
+ "struct shmid_kernel *", "int");
+
int
mac_sysvshm_check_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr,
int shmflg)
@@ -116,10 +125,15 @@ mac_sysvshm_check_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr,
MAC_CHECK(sysvshm_check_shmat, cred, shmsegptr, shmsegptr->label,
shmflg);
+ MAC_CHECK_PROBE3(sysvshm_check_shmat, error, cred, shmsegptr,
+ shmflg);
return (error);
}
+MAC_CHECK_PROBE_DEFINE3(sysvshm_check_shmctl, "struct ucred *",
+ "struct shmid_kernel *", "int");
+
int
mac_sysvshm_check_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr,
int cmd)
@@ -128,20 +142,28 @@ mac_sysvshm_check_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr,
MAC_CHECK(sysvshm_check_shmctl, cred, shmsegptr, shmsegptr->label,
cmd);
+ MAC_CHECK_PROBE3(sysvshm_check_shmctl, error, cred, shmsegptr, cmd);
return (error);
}
+MAC_CHECK_PROBE_DEFINE2(sysvshm_check_shmdt, "struct ucred *",
+ "struct shmid *");
+
int
mac_sysvshm_check_shmdt(struct ucred *cred, struct shmid_kernel *shmsegptr)
{
int error;
MAC_CHECK(sysvshm_check_shmdt, cred, shmsegptr, shmsegptr->label);
+ MAC_CHECK_PROBE2(sysvshm_check_shmdt, error, cred, shmsegptr);
return (error);
}
+MAC_CHECK_PROBE_DEFINE3(sysvshm_check_shmget, "struct ucred *",
+ "struct shmid_kernel *", "int");
+
int
mac_sysvshm_check_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr,
int shmflg)
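Review bot: The argument type string for the `sysvshm_check_shmdt` probe, `"struct shmid *"`, does not match the pointer actually passed (`struct shmid_kernel *shmsegptr`) and is inconsistent with the three sibling definitions in this hunk and the previous one, which all use `"struct shmid_kernel *"`. These strings are what DTrace reports as the probe's typed arguments, so a script using the typed `args[]` array would be handed the wrong type, or fail type lookup, for this one probe. Change the definition to `MAC_CHECK_PROBE_DEFINE2(sysvshm_check_shmdt, "struct ucred *", "struct shmid_kernel *");`.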
@@ -150,6 +172,8 @@ mac_sysvshm_check_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr,
MAC_CHECK(sysvshm_check_shmget, cred, shmsegptr, shmsegptr->label,
shmflg);
+ MAC_CHECK_PROBE3(sysvshm_check_shmget, error, cred, shmsegptr,
+ shmflg);
return (error);
}
diff --git a/sys/security/mac/mac_vfs.c b/sys/security/mac/mac_vfs.c
index 42da76c..1ebf520 100644
--- a/sys/security/mac/mac_vfs.c
+++ b/sys/security/mac/mac_vfs.c
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 1999-2002 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2009 Robert N. M. Watson
* Copyright (c) 2001 Ilmar S. Habibulin
* Copyright (c) 2001-2005 McAfee, Inc.
* Copyright (c) 2005-2006 SPARTA, Inc.
@@ -17,6 +17,9 @@
* This software was enhanced by SPARTA ISSO under SPAWAR contract
* N66001-04-C-6019 ("SEFOS").
*
+ * This software was developed at the University of Cambridge Computer
+ * Laboratory with support from a grant from Google, Inc.
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -42,6 +45,7 @@
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
+#include "opt_kdtrace.h"
#include "opt_mac.h"
#include <sys/param.h>
@@ -59,6 +63,7 @@ __FBSDID("$FreeBSD$");
#include <sys/mount.h>
#include <sys/file.h>
#include <sys/namei.h>
+#include <sys/sdt.h>
#include <sys/sysctl.h>
#include <vm/vm.h>
@@ -361,6 +366,9 @@ mac_vnode_execve_will_transition(struct ucred *old, struct vnode *vp,
return (result);
}
+MAC_CHECK_PROBE_DEFINE3(vnode_check_access, "struct ucred *",
+ "struct vnode *", "accmode_t");
+
int
mac_vnode_check_access(struct ucred *cred, struct vnode *vp, accmode_t accmode)
{
@@ -369,9 +377,14 @@ mac_vnode_check_access(struct ucred *cred, struct vnode *vp, accmode_t accmode)
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_access");
MAC_CHECK(vnode_check_access, cred, vp, vp->v_label, accmode);
+ MAC_CHECK_PROBE3(vnode_check_access, error, cred, vp, accmode);
+
return (error);
}
+MAC_CHECK_PROBE_DEFINE2(vnode_check_chdir, "struct ucred *",
+ "struct vnode *");
+
int
mac_vnode_check_chdir(struct ucred *cred, struct vnode *dvp)
{
@@ -380,9 +393,14 @@ mac_vnode_check_chdir(struct ucred *cred, struct vnode *dvp)
ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_chdir");
MAC_CHECK(vnode_check_chdir, cred, dvp, dvp->v_label);
+ MAC_CHECK_PROBE2(vnode_check_chdir, error, cred, dvp);
+
return (error);
}
+MAC_CHECK_PROBE_DEFINE2(vnode_check_chroot, "struct ucred *",
+ "struct vnode *");
+
int
mac_vnode_check_chroot(struct ucred *cred, struct vnode *dvp)
{
@@ -391,9 +409,14 @@ mac_vnode_check_chroot(struct ucred *cred, struct vnode *dvp)
ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_chroot");
MAC_CHECK(vnode_check_chroot, cred, dvp, dvp->v_label);
+ MAC_CHECK_PROBE2(vnode_check_chroot, error, cred, dvp);
+
return (error);
}
+MAC_CHECK_PROBE_DEFINE4(vnode_check_create, "struct ucred *",
+ "struct vnode *", "struct componentname *", "struct vattr *");
+
int
mac_vnode_check_create(struct ucred *cred, struct vnode *dvp,
struct componentname *cnp, struct vattr *vap)
@@ -403,9 +426,14 @@ mac_vnode_check_create(struct ucred *cred, struct vnode *dvp,
ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_create");
MAC_CHECK(vnode_check_create, cred, dvp, dvp->v_label, cnp, vap);
+ MAC_CHECK_PROBE4(vnode_check_create, error, cred, dvp, cnp, vap);
+
return (error);
}
+MAC_CHECK_PROBE_DEFINE3(vnode_check_deleteacl, "struct ucred *",
+ "struct vnode *", "acl_type_t");
+
int
mac_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp,
acl_type_t type)
@@ -415,9 +443,14 @@ mac_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp,
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_deleteacl");
MAC_CHECK(vnode_check_deleteacl, cred, vp, vp->v_label, type);
+ MAC_CHECK_PROBE3(vnode_check_deleteacl, error, cred, vp, type);
+
return (error);
}
+MAC_CHECK_PROBE_DEFINE4(vnode_check_deleteextattr, "struct ucred *",
+ "struct vnode *", "int", "const char *");
+
int
mac_vnode_check_deleteextattr(struct ucred *cred, struct vnode *vp,
int attrnamespace, const char *name)
@@ -428,9 +461,15 @@ mac_vnode_check_deleteextattr(struct ucred *cred, struct vnode *vp,
MAC_CHECK(vnode_check_deleteextattr, cred, vp, vp->v_label,
attrnamespace, name);
+ MAC_CHECK_PROBE4(vnode_check_deleteextattr, error, cred, vp,
+ attrnamespace, name);
+
return (error);
}
+MAC_CHECK_PROBE_DEFINE3(vnode_check_exec, "struct ucred *", "struct vnode *",
+ "struct image_params *");
+
int
mac_vnode_check_exec(struct ucred *cred, struct vnode *vp,
struct image_params *imgp)
@@ -441,10 +480,14 @@ mac_vnode_check_exec(struct ucred *cred, struct vnode *vp,
MAC_CHECK(vnode_check_exec, cred, vp, vp->v_label, imgp,
imgp->execlabel);
+ MAC_CHECK_PROBE3(vnode_check_exec, error, cred, vp, imgp);
return (error);
}
+MAC_CHECK_PROBE_DEFINE3(vnode_check_getacl, "struct ucred *",
+ "struct vnode *", "acl_type_t");
+
int
mac_vnode_check_getacl(struct ucred *cred, struct vnode *vp, acl_type_t type)
{
@@ -453,9 +496,14 @@ mac_vnode_check_getacl(struct ucred *cred, struct vnode *vp, acl_type_t type)
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_getacl");
MAC_CHECK(vnode_check_getacl, cred, vp, vp->v_label, type);
+ MAC_CHECK_PROBE3(vnode_check_getacl, error, cred, vp, type);
+
return (error);
}
+MAC_CHECK_PROBE_DEFINE4(vnode_check_getextattr, "struct ucred *",
+ "struct vnode *", "int", "const char *");
+
int
mac_vnode_check_getextattr(struct ucred *cred, struct vnode *vp,
int attrnamespace, const char *name, struct uio *uio)
@@ -466,9 +514,15 @@ mac_vnode_check_getextattr(struct ucred *cred, struct vnode *vp,
MAC_CHECK(vnode_check_getextattr, cred, vp, vp->v_label,
attrnamespace, name, uio);
+ MAC_CHECK_PROBE4(vnode_check_getextattr, error, cred, vp,
+ attrnamespace, name);
+
return (error);
}
+MAC_CHECK_PROBE_DEFINE4(vnode_check_link, "struct ucred *", "struct vnode *",
+ "struct vnode *", "struct componentname *");
+
int
mac_vnode_check_link(struct ucred *cred, struct vnode *dvp,
struct vnode *vp, struct componentname *cnp)
@@ -480,9 +534,14 @@ mac_vnode_check_link(struct ucred *cred, struct vnode *dvp,
MAC_CHECK(vnode_check_link, cred, dvp, dvp->v_label, vp,
vp->v_label, cnp);
+ MAC_CHECK_PROBE4(vnode_check_link, error, cred, dvp, vp, cnp);
+
return (error);
}
+MAC_CHECK_PROBE_DEFINE3(vnode_check_listextattr, "struct ucred *",
+ "struct vnode *", "int");
+
int
mac_vnode_check_listextattr(struct ucred *cred, struct vnode *vp,
int attrnamespace)
@@ -493,9 +552,15 @@ mac_vnode_check_listextattr(struct ucred *cred, struct vnode *vp,
MAC_CHECK(vnode_check_listextattr, cred, vp, vp->v_label,
attrnamespace);
+ MAC_CHECK_PROBE3(vnode_check_listextattr, error, cred, vp,
+ attrnamespace);
+
return (error);
}
+MAC_CHECK_PROBE_DEFINE3(vnode_check_lookup, "struct ucred *",
+ "struct vnode *", "struct componentname *");
+
int
mac_vnode_check_lookup(struct ucred *cred, struct vnode *dvp,
struct componentname *cnp)
@@ -505,9 +570,14 @@ mac_vnode_check_lookup(struct ucred *cred, struct vnode *dvp,
ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_lookup");
MAC_CHECK(vnode_check_lookup, cred, dvp, dvp->v_label, cnp);
+ MAC_CHECK_PROBE3(vnode_check_lookup, error, cred, dvp, cnp);
+
return (error);
}
+MAC_CHECK_PROBE_DEFINE4(vnode_check_mmap, "struct ucred *", "struct vnode *",
+ "int", "int");
+
int
mac_vnode_check_mmap(struct ucred *cred, struct vnode *vp, int prot,
int flags)
@@ -517,6 +587,8 @@ mac_vnode_check_mmap(struct ucred *cred, struct vnode *vp, int prot,
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_mmap");
MAC_CHECK(vnode_check_mmap, cred, vp, vp->v_label, prot, flags);
+ MAC_CHECK_PROBE4(vnode_check_mmap, error, cred, vp, prot, flags);
+
return (error);
}
@@ -534,6 +606,9 @@ mac_vnode_check_mmap_downgrade(struct ucred *cred, struct vnode *vp,
*prot = result;
}
+MAC_CHECK_PROBE_DEFINE3(vnode_check_mprotect, "struct ucred *",
+ "struct vnode *", "int");
+
int
mac_vnode_check_mprotect(struct ucred *cred, struct vnode *vp, int prot)
{
@@ -542,9 +617,14 @@ mac_vnode_check_mprotect(struct ucred *cred, struct vnode *vp, int prot)
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_mprotect");
MAC_CHECK(vnode_check_mprotect, cred, vp, vp->v_label, prot);
+ MAC_CHECK_PROBE3(vnode_check_mprotect, error, cred, vp, prot);
+
return (error);
}
+MAC_CHECK_PROBE_DEFINE3(vnode_check_open, "struct ucred *", "struct vnode *",
+ "accmode_t");
+
int
mac_vnode_check_open(struct ucred *cred, struct vnode *vp, accmode_t accmode)
{
@@ -556,6 +636,9 @@ mac_vnode_check_open(struct ucred *cred, struct vnode *vp, accmode_t accmode)
return (error);
}
+MAC_CHECK_PROBE_DEFINE3(vnode_check_poll, "struct ucred *", "struct ucred *",
+ "struct vnode *");
+
int
mac_vnode_check_poll(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp)
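Review bot: The `vnode_check_open` probe defined before mac_vnode_check_open is never fired: this hunk opens at its `return (error);`, and the hunk arithmetic (old lines 551–555 mapping unchanged onto new 631–635) shows no MAC_CHECK_PROBE3 call was inserted into the body. Every other check in this file fires its probe immediately after MAC_CHECK, so open(2) access decisions would be invisible to a DTrace consumer while the sibling checks are reported. Add `MAC_CHECK_PROBE3(vnode_check_open, error, cred, vp, accmode);` after the MAC_CHECK line, just before the `return (error);` at the start of this hunk. The body of mac_vnode_check_open lies between the two hunks and is not visible here.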
@@ -566,10 +649,15 @@ mac_vnode_check_poll(struct ucred *active_cred, struct ucred *file_cred,
MAC_CHECK(vnode_check_poll, active_cred, file_cred, vp,
vp->v_label);
+ MAC_CHECK_PROBE3(vnode_check_poll, error, active_cred, file_cred,
+ vp);
return (error);
}
+MAC_CHECK_PROBE_DEFINE3(vnode_check_read, "struct ucred *", "struct ucred *",
+ "struct vnode *");
+
int
mac_vnode_check_read(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp)
@@ -580,10 +668,15 @@ mac_vnode_check_read(struct ucred *active_cred, struct ucred *file_cred,
MAC_CHECK(vnode_check_read, active_cred, file_cred, vp,
vp->v_label);
+ MAC_CHECK_PROBE3(vnode_check_read, error, active_cred, file_cred,
+ vp);
return (error);
}
+MAC_CHECK_PROBE_DEFINE2(vnode_check_readdir, "struct ucred *",
+ "struct vnode *");
+
int
mac_vnode_check_readdir(struct ucred *cred, struct vnode *dvp)
{
@@ -592,9 +685,14 @@ mac_vnode_check_readdir(struct ucred *cred, struct vnode *dvp)
ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_readdir");
MAC_CHECK(vnode_check_readdir, cred, dvp, dvp->v_label);
+ MAC_CHECK_PROBE2(vnode_check_readdir, error, cred, dvp);
+
return (error);
}
+MAC_CHECK_PROBE_DEFINE2(vnode_check_readlink, "struct ucred *",
+ "struct vnode *");
+
int
mac_vnode_check_readlink(struct ucred *cred, struct vnode *vp)
{
@@ -603,9 +701,14 @@ mac_vnode_check_readlink(struct ucred *cred, struct vnode *vp)
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_readlink");
MAC_CHECK(vnode_check_readlink, cred, vp, vp->v_label);
+ MAC_CHECK_PROBE2(vnode_check_readlink, error, cred, vp);
+
return (error);
}
+MAC_CHECK_PROBE_DEFINE3(vnode_check_relabel, "struct ucred *",
+ "struct vnode *", "struct label *");
+
static int
mac_vnode_check_relabel(struct ucred *cred, struct vnode *vp,
struct label *newlabel)
@@ -615,10 +718,14 @@ mac_vnode_check_relabel(struct ucred *cred, struct vnode *vp,
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_relabel");
MAC_CHECK(vnode_check_relabel, cred, vp, vp->v_label, newlabel);
+ MAC_CHECK_PROBE3(vnode_check_relabel, error, cred, vp, newlabel);
return (error);
}
+MAC_CHECK_PROBE_DEFINE4(vnode_check_rename_from, "struct ucred *",
+ "struct vnode *", "struct vnode *", "struct componentname *");
+
int
mac_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp,
struct vnode *vp, struct componentname *cnp)
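Review bot: The blank line that the other probe insertions leave between the `MAC_CHECK_PROBE*` call and `return (error);` is missing here in mac_vnode_check_relabel, and likewise in the mac_vnode_check_rename_to, mac_vnode_check_write and mac_mount_check_stat hunks further down. This is purely a layout consistency point: every other check function in this series gets `MAC_CHECK_PROBE...(...);` followed by an empty line before the return. Adding the same empty line after `MAC_CHECK_PROBE3(vnode_check_relabel, error, cred, vp, newlabel);` keeps the probe/return shape uniform across the file, which matters when these stanzas are later regenerated or audited mechanically. The body of mac_vnode_check_relabel begins in the preceding hunk, outside this one.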
@@ -630,9 +737,14 @@ mac_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp,
MAC_CHECK(vnode_check_rename_from, cred, dvp, dvp->v_label, vp,
vp->v_label, cnp);
+ MAC_CHECK_PROBE4(vnode_check_rename_from, error, cred, dvp, vp, cnp);
+
return (error);
}
+MAC_CHECK_PROBE_DEFINE4(vnode_check_rename_to, "struct ucred *",
+ "struct vnode *", "struct vnode *", "struct componentname *");
+
int
mac_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp,
struct vnode *vp, int samedir, struct componentname *cnp)
@@ -644,9 +756,13 @@ mac_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp,
MAC_CHECK(vnode_check_rename_to, cred, dvp, dvp->v_label, vp,
vp != NULL ? vp->v_label : NULL, samedir, cnp);
+ MAC_CHECK_PROBE4(vnode_check_rename_to, error, cred, dvp, vp, cnp);
return (error);
}
+MAC_CHECK_PROBE_DEFINE2(vnode_check_revoke, "struct ucred *",
+ "struct vnode *");
+
int
mac_vnode_check_revoke(struct ucred *cred, struct vnode *vp)
{
@@ -655,9 +771,14 @@ mac_vnode_check_revoke(struct ucred *cred, struct vnode *vp)
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_revoke");
MAC_CHECK(vnode_check_revoke, cred, vp, vp->v_label);
+ MAC_CHECK_PROBE2(vnode_check_revoke, error, cred, vp);
+
return (error);
}
+MAC_CHECK_PROBE_DEFINE4(vnode_check_setacl, "struct ucred *",
+ "struct vnode *", "acl_tpe_t", "struct acl *");
+
int
mac_vnode_check_setacl(struct ucred *cred, struct vnode *vp, acl_type_t type,
struct acl *acl)
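Review bot: The probe definition for vnode_check_setacl spells the third argument type as `"acl_tpe_t"`, which does not match the `acl_type_t type` parameter of the function it traces; since SDT argument types are plain strings the compiler will not catch this, and DTrace consumers will see an unknown type for arg2. The line should read `"struct vnode *", "acl_type_t", "struct acl *");` so the probe's declared signature agrees with `MAC_CHECK_PROBE4(vnode_check_setacl, error, cred, vp, type, acl);` in the next hunk. The definition of mac_vnode_check_setacl continues past the end of this hunk.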
@@ -667,9 +788,14 @@ mac_vnode_check_setacl(struct ucred *cred, struct vnode *vp, acl_type_t type,
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_setacl");
MAC_CHECK(vnode_check_setacl, cred, vp, vp->v_label, type, acl);
+ MAC_CHECK_PROBE4(vnode_check_setacl, error, cred, vp, type, acl);
+
return (error);
}
+MAC_CHECK_PROBE_DEFINE4(vnode_check_setextattr, "struct ucred *",
+ "struct vnode *", "int", "const char *");
+
int
mac_vnode_check_setextattr(struct ucred *cred, struct vnode *vp,
int attrnamespace, const char *name, struct uio *uio)
@@ -680,9 +806,15 @@ mac_vnode_check_setextattr(struct ucred *cred, struct vnode *vp,
MAC_CHECK(vnode_check_setextattr, cred, vp, vp->v_label,
attrnamespace, name, uio);
+ MAC_CHECK_PROBE4(vnode_check_setextattr, error, cred, vp,
+ attrnamespace, name);
+
return (error);
}
+MAC_CHECK_PROBE_DEFINE3(vnode_check_setflags, "struct ucred *",
+ "struct vnode *", "u_long");
+
int
mac_vnode_check_setflags(struct ucred *cred, struct vnode *vp, u_long flags)
{
@@ -691,9 +823,14 @@ mac_vnode_check_setflags(struct ucred *cred, struct vnode *vp, u_long flags)
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_setflags");
MAC_CHECK(vnode_check_setflags, cred, vp, vp->v_label, flags);
+ MAC_CHECK_PROBE3(vnode_check_setflags, error, cred, vp, flags);
+
return (error);
}
+MAC_CHECK_PROBE_DEFINE3(vnode_check_setmode, "struct ucred *",
+ "struct vnode *", "mode_t");
+
int
mac_vnode_check_setmode(struct ucred *cred, struct vnode *vp, mode_t mode)
{
@@ -702,9 +839,14 @@ mac_vnode_check_setmode(struct ucred *cred, struct vnode *vp, mode_t mode)
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_setmode");
MAC_CHECK(vnode_check_setmode, cred, vp, vp->v_label, mode);
+ MAC_CHECK_PROBE3(vnode_check_setmode, error, cred, vp, mode);
+
return (error);
}
+MAC_CHECK_PROBE_DEFINE4(vnode_check_setowner, "struct ucred *",
+ "struct vnode *", "uid_t", "gid_t");
+
int
mac_vnode_check_setowner(struct ucred *cred, struct vnode *vp, uid_t uid,
gid_t gid)
@@ -714,9 +856,14 @@ mac_vnode_check_setowner(struct ucred *cred, struct vnode *vp, uid_t uid,
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_setowner");
MAC_CHECK(vnode_check_setowner, cred, vp, vp->v_label, uid, gid);
+ MAC_CHECK_PROBE4(vnode_check_setowner, error, cred, vp, uid, gid);
+
return (error);
}
+MAC_CHECK_PROBE_DEFINE4(vnode_check_setutimes, "struct ucred *",
+ "struct vnode *", "struct timespec *", "struct timespec *");
+
int
mac_vnode_check_setutimes(struct ucred *cred, struct vnode *vp,
struct timespec atime, struct timespec mtime)
@@ -727,9 +874,15 @@ mac_vnode_check_setutimes(struct ucred *cred, struct vnode *vp,
MAC_CHECK(vnode_check_setutimes, cred, vp, vp->v_label, atime,
mtime);
+ MAC_CHECK_PROBE4(vnode_check_setutimes, error, cred, vp, &atime,
+ &mtime);
+
return (error);
}
+MAC_CHECK_PROBE_DEFINE3(vnode_check_stat, "struct ucred *", "struct ucred *",
+ "struct vnode *");
+
int
mac_vnode_check_stat(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp)
@@ -740,9 +893,15 @@ mac_vnode_check_stat(struct ucred *active_cred, struct ucred *file_cred,
MAC_CHECK(vnode_check_stat, active_cred, file_cred, vp,
vp->v_label);
+ MAC_CHECK_PROBE3(vnode_check_stat, error, active_cred, file_cred,
+ vp);
+
return (error);
}
+MAC_CHECK_PROBE_DEFINE4(vnode_check_unlink, "struct ucred *",
+ "struct vnode *", "struct vnode *", "struct componentname *");
+
int
mac_vnode_check_unlink(struct ucred *cred, struct vnode *dvp,
struct vnode *vp, struct componentname *cnp)
@@ -754,9 +913,14 @@ mac_vnode_check_unlink(struct ucred *cred, struct vnode *dvp,
MAC_CHECK(vnode_check_unlink, cred, dvp, dvp->v_label, vp,
vp->v_label, cnp);
+ MAC_CHECK_PROBE4(vnode_check_unlink, error, cred, dvp, vp, cnp);
+
return (error);
}
+MAC_CHECK_PROBE_DEFINE3(vnode_check_write, "struct ucred *",
+ "struct ucred *", "struct vnode *");
+
int
mac_vnode_check_write(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp)
@@ -767,6 +931,8 @@ mac_vnode_check_write(struct ucred *active_cred, struct ucred *file_cred,
MAC_CHECK(vnode_check_write, active_cred, file_cred, vp,
vp->v_label);
+ MAC_CHECK_PROBE3(vnode_check_write, error, active_cred, file_cred,
+ vp);
return (error);
}
@@ -786,12 +952,16 @@ mac_mount_create(struct ucred *cred, struct mount *mp)
MAC_PERFORM(mount_create, cred, mp, mp->mnt_label);
}
+MAC_CHECK_PROBE_DEFINE2(mount_check_stat, "struct ucred *",
+ "struct mount *");
+
int
mac_mount_check_stat(struct ucred *cred, struct mount *mount)
{
int error;
MAC_CHECK(mount_check_stat, cred, mount, mount->mnt_label);
+ MAC_CHECK_PROBE2(mount_check_stat, error, cred, mount);
return (error);
}