-rw-r--r-- | sys/kern/kern_mac.c | 38 | ||||
-rw-r--r-- | sys/security/mac/mac_framework.c | 38 | ||||
-rw-r--r-- | sys/security/mac/mac_framework.h | 7 | ||||
-rw-r--r-- | sys/security/mac/mac_internal.h | 38 | ||||
-rw-r--r-- | sys/security/mac/mac_net.c | 38 | ||||
-rw-r--r-- | sys/security/mac/mac_pipe.c | 38 | ||||
-rw-r--r-- | sys/security/mac/mac_policy.h | 8 | ||||
-rw-r--r-- | sys/security/mac/mac_process.c | 38 | ||||
-rw-r--r-- | sys/security/mac/mac_syscalls.c | 38 | ||||
-rw-r--r-- | sys/security/mac/mac_system.c | 38 | ||||
-rw-r--r-- | sys/security/mac/mac_vfs.c | 38 | ||||
-rw-r--r-- | sys/sys/mac.h | 7 | ||||
-rw-r--r-- | sys/sys/mac_policy.h | 8 |
13 files changed, 370 insertions, 2 deletions
diff --git a/sys/kern/kern_mac.c b/sys/kern/kern_mac.c index 7bf7393..107b2d2 100644 --- a/sys/kern/kern_mac.c +++ b/sys/kern/kern_mac.c @@ -381,6 +381,10 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_init = mpe->mpe_function; break; + case MAC_SYSCALL: + mpc->mpc_ops->mpo_syscall = + mpe->mpe_function; + break; case MAC_INIT_BPFDESC: mpc->mpc_ops->mpo_init_bpfdesc = mpe->mpe_function; @@ -3213,6 +3217,33 @@ out: return (error); } +int +mac_syscall(struct thread *td, struct mac_syscall_args *uap) +{ + struct mac_policy_conf *mpc; + char target[MAC_MAX_POLICY_NAME]; + int error; + + error = copyinstr(SCARG(uap, policy), target, sizeof(target), NULL); + if (error) + return (error); + + error = ENOSYS; + MAC_POLICY_LIST_BUSY(); + LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { + if (strcmp(mpc->mpc_name, target) == 0 && + mpc->mpc_ops->mpo_syscall != NULL) { + error = mpc->mpc_ops->mpo_syscall(td, + SCARG(uap, call), SCARG(uap, arg)); + goto out; + } + } + +out: + MAC_POLICY_LIST_UNBUSY(); + return (error); +} + SYSINIT(mac, SI_SUB_MAC, SI_ORDER_FIRST, mac_init, NULL); SYSINIT(mac_late, SI_SUB_MAC_LATE, SI_ORDER_FIRST, mac_late_init, NULL); @@ -3260,4 +3291,11 @@ __mac_set_file(struct thread *td, struct __mac_set_file_args *uap) return (ENOSYS); } +int +mac_syscall(struct thread *td, struct mac_syscall_args *uap) +{ + + return (ENOSYS); +} + #endif /* !MAC */ diff --git a/sys/security/mac/mac_framework.c b/sys/security/mac/mac_framework.c index 7bf7393..107b2d2 100644 --- a/sys/security/mac/mac_framework.c +++ b/sys/security/mac/mac_framework.c @@ -381,6 +381,10 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_init = mpe->mpe_function; break; + case MAC_SYSCALL: + mpc->mpc_ops->mpo_syscall = + mpe->mpe_function; + break; case MAC_INIT_BPFDESC: mpc->mpc_ops->mpo_init_bpfdesc = mpe->mpe_function; 
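Review bot: In the new mac_syscall() in kern_mac.c (hunk @@ -3213) the framework copies in only the policy name and makes no authorization decision of its own before handing `SCARG(uap, call)` and the raw user pointer `SCARG(uap, arg)` to the matching policy's mpo_syscall, so any process that can enter the system call reaches every registered policy's handler. That is a defensible design for a multiplexed entry point, but the contract should be written at the definition so policy authors do not assume otherwise, e.g. `/* Dispatch to the named policy's mpo_syscall. No privilege check is made here: the policy must authorize each call number itself, and arg is an unvalidated user-space pointer. */`. MAC_POLICY_LIST_BUSY() is held for the whole handler call, so presumably the busy mechanism tolerates a handler that sleeps in copyin/copyout on arg — worth confirming. As a minor style point, the `goto out;` inside LIST_FOREACH could be `break;` with the then-unused `out:` label dropped, since the label is the statement immediately after the loop. The same hunk is repeated verbatim under mac_framework.c, mac_internal.h, mac_net.c, mac_pipe.c, mac_process.c, mac_syscalls.c, mac_system.c and mac_vfs.c, and this note applies to each of them.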
@@ -3213,6 +3217,33 @@ out: return (error); } +int +mac_syscall(struct thread *td, struct mac_syscall_args *uap) +{ + struct mac_policy_conf *mpc; + char target[MAC_MAX_POLICY_NAME]; + int error; + + error = copyinstr(SCARG(uap, policy), target, sizeof(target), NULL); + if (error) + return (error); + + error = ENOSYS; + MAC_POLICY_LIST_BUSY(); + LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { + if (strcmp(mpc->mpc_name, target) == 0 && + mpc->mpc_ops->mpo_syscall != NULL) { + error = mpc->mpc_ops->mpo_syscall(td, + SCARG(uap, call), SCARG(uap, arg)); + goto out; + } + } + +out: + MAC_POLICY_LIST_UNBUSY(); + return (error); +} + SYSINIT(mac, SI_SUB_MAC, SI_ORDER_FIRST, mac_init, NULL); SYSINIT(mac_late, SI_SUB_MAC_LATE, SI_ORDER_FIRST, mac_late_init, NULL); @@ -3260,4 +3291,11 @@ __mac_set_file(struct thread *td, struct __mac_set_file_args *uap) return (ENOSYS); } +int +mac_syscall(struct thread *td, struct mac_syscall_args *uap) +{ + + return (ENOSYS); +} + #endif /* !MAC */ diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h index 1f36d55..0696f3c 100644 --- a/sys/security/mac/mac_framework.h +++ b/sys/security/mac/mac_framework.h @@ -60,6 +60,11 @@ #define FREEBSD_MAC_EXTATTR_NAMESPACE EXTATTR_NAMESPACE_SYSTEM /* + * MAC framework-related constants and limits. + */ +#define MAC_MAX_POLICY_NAME 32 + +/* * XXXMAC: Per-policy structures will be moved from mac.h to per-policy * include files once the revised user interface is available. */ @@ -166,7 +171,7 @@ int mac_valid(const mac_t _label); * Extensions to POSIX.1e visible in the application namespace. */ int mac_is_present_np(const char *_policyname); -int mac_policy(const char *_policyname, int call, void *arg); +int mac_syscall(const char *_policyname, int call, void *arg); /* * System calls wrapped by some POSIX.1e functions. diff --git a/sys/security/mac/mac_internal.h b/sys/security/mac/mac_internal.h index 7bf7393..107b2d2 100644 --- a/sys/security/mac/mac_internal.h 
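Review bot: The new `MAC_MAX_POLICY_NAME 32` in mac_framework.h (hunk @@ -60) carries only the generic heading "MAC framework-related constants and limits", yet it is now the size of the buffer that mac_syscall() copies the user-supplied policy name into with copyinstr(), so a longer name is rejected with ENAMETOOLONG. Since the header is user-visible, say what the limit covers, e.g. `#define MAC_MAX_POLICY_NAME 32 /* includes the terminating NUL */`. The rename of the `mac_policy()` prototype to `mac_syscall()` in hunk @@ -166 drops the old name without a compatibility declaration; if anything outside this tree already calls mac_policy(), that is a source-level break worth mentioning in the commit message. The identical hunks under sys/sys/mac.h carry the same two points.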
+++ b/sys/security/mac/mac_internal.h @@ -381,6 +381,10 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_init = mpe->mpe_function; break; + case MAC_SYSCALL: + mpc->mpc_ops->mpo_syscall = + mpe->mpe_function; + break; case MAC_INIT_BPFDESC: mpc->mpc_ops->mpo_init_bpfdesc = mpe->mpe_function; @@ -3213,6 +3217,33 @@ out: return (error); } +int +mac_syscall(struct thread *td, struct mac_syscall_args *uap) +{ + struct mac_policy_conf *mpc; + char target[MAC_MAX_POLICY_NAME]; + int error; + + error = copyinstr(SCARG(uap, policy), target, sizeof(target), NULL); + if (error) + return (error); + + error = ENOSYS; + MAC_POLICY_LIST_BUSY(); + LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { + if (strcmp(mpc->mpc_name, target) == 0 && + mpc->mpc_ops->mpo_syscall != NULL) { + error = mpc->mpc_ops->mpo_syscall(td, + SCARG(uap, call), SCARG(uap, arg)); + goto out; + } + } + +out: + MAC_POLICY_LIST_UNBUSY(); + return (error); +} + SYSINIT(mac, SI_SUB_MAC, SI_ORDER_FIRST, mac_init, NULL); SYSINIT(mac_late, SI_SUB_MAC_LATE, SI_ORDER_FIRST, mac_late_init, NULL); @@ -3260,4 +3291,11 @@ __mac_set_file(struct thread *td, struct __mac_set_file_args *uap) return (ENOSYS); } +int +mac_syscall(struct thread *td, struct mac_syscall_args *uap) +{ + + return (ENOSYS); +} + #endif /* !MAC */ diff --git a/sys/security/mac/mac_net.c b/sys/security/mac/mac_net.c index 7bf7393..107b2d2 100644 --- a/sys/security/mac/mac_net.c +++ b/sys/security/mac/mac_net.c @@ -381,6 +381,10 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_init = mpe->mpe_function; break; + case MAC_SYSCALL: + mpc->mpc_ops->mpo_syscall = + mpe->mpe_function; + break; case MAC_INIT_BPFDESC: mpc->mpc_ops->mpo_init_bpfdesc = mpe->mpe_function; 
@@ -3213,6 +3217,33 @@ out: return (error); } +int +mac_syscall(struct thread *td, struct mac_syscall_args *uap) +{ + struct mac_policy_conf *mpc; + char target[MAC_MAX_POLICY_NAME]; + int error; + + error = copyinstr(SCARG(uap, policy), target, sizeof(target), NULL); + if (error) + return (error); + + error = ENOSYS; + MAC_POLICY_LIST_BUSY(); + LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { + if (strcmp(mpc->mpc_name, target) == 0 && + mpc->mpc_ops->mpo_syscall != NULL) { + error = mpc->mpc_ops->mpo_syscall(td, + SCARG(uap, call), SCARG(uap, arg)); + goto out; + } + } + +out: + MAC_POLICY_LIST_UNBUSY(); + return (error); +} + SYSINIT(mac, SI_SUB_MAC, SI_ORDER_FIRST, mac_init, NULL); SYSINIT(mac_late, SI_SUB_MAC_LATE, SI_ORDER_FIRST, mac_late_init, NULL); @@ -3260,4 +3291,11 @@ __mac_set_file(struct thread *td, struct __mac_set_file_args *uap) return (ENOSYS); } +int +mac_syscall(struct thread *td, struct mac_syscall_args *uap) +{ + + return (ENOSYS); +} + #endif /* !MAC */ diff --git a/sys/security/mac/mac_pipe.c b/sys/security/mac/mac_pipe.c index 7bf7393..107b2d2 100644 --- a/sys/security/mac/mac_pipe.c +++ b/sys/security/mac/mac_pipe.c @@ -381,6 +381,10 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_init = mpe->mpe_function; break; + case MAC_SYSCALL: + mpc->mpc_ops->mpo_syscall = + mpe->mpe_function; + break; case MAC_INIT_BPFDESC: mpc->mpc_ops->mpo_init_bpfdesc = mpe->mpe_function; 
@@ -3213,6 +3217,33 @@ out: return (error); } +int +mac_syscall(struct thread *td, struct mac_syscall_args *uap) +{ + struct mac_policy_conf *mpc; + char target[MAC_MAX_POLICY_NAME]; + int error; + + error = copyinstr(SCARG(uap, policy), target, sizeof(target), NULL); + if (error) + return (error); + + error = ENOSYS; + MAC_POLICY_LIST_BUSY(); + LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { + if (strcmp(mpc->mpc_name, target) == 0 && + mpc->mpc_ops->mpo_syscall != NULL) { + error = mpc->mpc_ops->mpo_syscall(td, + SCARG(uap, call), SCARG(uap, arg)); + goto out; + } + } + +out: + MAC_POLICY_LIST_UNBUSY(); + return (error); +} + SYSINIT(mac, SI_SUB_MAC, SI_ORDER_FIRST, mac_init, NULL); SYSINIT(mac_late, SI_SUB_MAC_LATE, SI_ORDER_FIRST, mac_late_init, NULL); @@ -3260,4 +3291,11 @@ __mac_set_file(struct thread *td, struct __mac_set_file_args *uap) return (ENOSYS); } +int +mac_syscall(struct thread *td, struct mac_syscall_args *uap) +{ + + return (ENOSYS); +} + #endif /* !MAC */ diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h index b3707c2..d0065aa 100644 --- a/sys/security/mac/mac_policy.h +++ b/sys/security/mac/mac_policy.h @@ -63,6 +63,13 @@ struct mac_policy_ops { void (*mpo_init)(struct mac_policy_conf *mpc); /* + * General policy-directed security system call so that policies + * may implement new services without reserving explicit + * system call numbers. + */ + int (*mpo_syscall)(struct thread *td, int call, void *arg); + + /* * Label operations. */ void (*mpo_init_bpfdesc)(struct bpf_d *, struct label *label); @@ -342,6 +349,7 @@ enum mac_op_constant { MAC_OP_LAST, MAC_DESTROY, MAC_INIT, + MAC_SYSCALL, MAC_INIT_BPFDESC, MAC_INIT_CRED, MAC_INIT_DEVFSDIRENT, diff --git a/sys/security/mac/mac_process.c b/sys/security/mac/mac_process.c index 7bf7393..107b2d2 100644 --- a/sys/security/mac/mac_process.c +++ b/sys/security/mac/mac_process.c 
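Review bot: The comment on the new `mpo_syscall` member in mac_policy.h (hunk @@ -63) explains what the hook is for but not its arguments, and the two facts a policy author most needs are missing: `arg` is the pointer the calling process passed to the system call, i.e. user-space memory that must be reached with copyin/copyout rather than dereferenced, and the framework applies no privilege check before dispatching, so the handler must authorize each `call` value itself and return 0 or an errno value, which mac_syscall() hands back to the caller unchanged. I would extend that comment by three or four lines covering td, call, arg and the return convention. Separately, inserting `MAC_SYSCALL` between `MAC_INIT` and `MAC_INIT_BPFDESC` in enum mac_op_constant (hunk @@ -342) renumbers every following constant, and the new struct member shifts the offsets of all later ops; if policy modules built against the previous header are expected to keep loading, that is a binary-compatibility break the commit message should call out. The struct mac_policy_ops definition begins and ends outside the hunk, and the same two hunks appear again under sys/sys/mac_policy.h.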
@@ -381,6 +381,10 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_init = mpe->mpe_function; break; + case MAC_SYSCALL: + mpc->mpc_ops->mpo_syscall = + mpe->mpe_function; + break; case MAC_INIT_BPFDESC: mpc->mpc_ops->mpo_init_bpfdesc = mpe->mpe_function; @@ -3213,6 +3217,33 @@ out: return (error); } +int +mac_syscall(struct thread *td, struct mac_syscall_args *uap) +{ + struct mac_policy_conf *mpc; + char target[MAC_MAX_POLICY_NAME]; + int error; + + error = copyinstr(SCARG(uap, policy), target, sizeof(target), NULL); + if (error) + return (error); + + error = ENOSYS; + MAC_POLICY_LIST_BUSY(); + LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { + if (strcmp(mpc->mpc_name, target) == 0 && + mpc->mpc_ops->mpo_syscall != NULL) { + error = mpc->mpc_ops->mpo_syscall(td, + SCARG(uap, call), SCARG(uap, arg)); + goto out; + } + } + +out: + MAC_POLICY_LIST_UNBUSY(); + return (error); +} + SYSINIT(mac, SI_SUB_MAC, SI_ORDER_FIRST, mac_init, NULL); SYSINIT(mac_late, SI_SUB_MAC_LATE, SI_ORDER_FIRST, mac_late_init, NULL); @@ -3260,4 +3291,11 @@ __mac_set_file(struct thread *td, struct __mac_set_file_args *uap) return (ENOSYS); } +int +mac_syscall(struct thread *td, struct mac_syscall_args *uap) +{ + + return (ENOSYS); +} + #endif /* !MAC */ diff --git a/sys/security/mac/mac_syscalls.c b/sys/security/mac/mac_syscalls.c index 7bf7393..107b2d2 100644 --- a/sys/security/mac/mac_syscalls.c +++ b/sys/security/mac/mac_syscalls.c @@ -381,6 +381,10 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_init = mpe->mpe_function; break; + case MAC_SYSCALL: + mpc->mpc_ops->mpo_syscall = + mpe->mpe_function; + break; case MAC_INIT_BPFDESC: mpc->mpc_ops->mpo_init_bpfdesc = mpe->mpe_function; 
@@ -3213,6 +3217,33 @@ out: return (error); } +int +mac_syscall(struct thread *td, struct mac_syscall_args *uap) +{ + struct mac_policy_conf *mpc; + char target[MAC_MAX_POLICY_NAME]; + int error; + + error = copyinstr(SCARG(uap, policy), target, sizeof(target), NULL); + if (error) + return (error); + + error = ENOSYS; + MAC_POLICY_LIST_BUSY(); + LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { + if (strcmp(mpc->mpc_name, target) == 0 && + mpc->mpc_ops->mpo_syscall != NULL) { + error = mpc->mpc_ops->mpo_syscall(td, + SCARG(uap, call), SCARG(uap, arg)); + goto out; + } + } + +out: + MAC_POLICY_LIST_UNBUSY(); + return (error); +} + SYSINIT(mac, SI_SUB_MAC, SI_ORDER_FIRST, mac_init, NULL); SYSINIT(mac_late, SI_SUB_MAC_LATE, SI_ORDER_FIRST, mac_late_init, NULL); @@ -3260,4 +3291,11 @@ __mac_set_file(struct thread *td, struct __mac_set_file_args *uap) return (ENOSYS); } +int +mac_syscall(struct thread *td, struct mac_syscall_args *uap) +{ + + return (ENOSYS); +} + #endif /* !MAC */ diff --git a/sys/security/mac/mac_system.c b/sys/security/mac/mac_system.c index 7bf7393..107b2d2 100644 --- a/sys/security/mac/mac_system.c +++ b/sys/security/mac/mac_system.c @@ -381,6 +381,10 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_init = mpe->mpe_function; break; + case MAC_SYSCALL: + mpc->mpc_ops->mpo_syscall = + mpe->mpe_function; + break; case MAC_INIT_BPFDESC: mpc->mpc_ops->mpo_init_bpfdesc = mpe->mpe_function; 
@@ -3213,6 +3217,33 @@ out: return (error); } +int +mac_syscall(struct thread *td, struct mac_syscall_args *uap) +{ + struct mac_policy_conf *mpc; + char target[MAC_MAX_POLICY_NAME]; + int error; + + error = copyinstr(SCARG(uap, policy), target, sizeof(target), NULL); + if (error) + return (error); + + error = ENOSYS; + MAC_POLICY_LIST_BUSY(); + LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { + if (strcmp(mpc->mpc_name, target) == 0 && + mpc->mpc_ops->mpo_syscall != NULL) { + error = mpc->mpc_ops->mpo_syscall(td, + SCARG(uap, call), SCARG(uap, arg)); + goto out; + } + } + +out: + MAC_POLICY_LIST_UNBUSY(); + return (error); +} + SYSINIT(mac, SI_SUB_MAC, SI_ORDER_FIRST, mac_init, NULL); SYSINIT(mac_late, SI_SUB_MAC_LATE, SI_ORDER_FIRST, mac_late_init, NULL); @@ -3260,4 +3291,11 @@ __mac_set_file(struct thread *td, struct __mac_set_file_args *uap) return (ENOSYS); } +int +mac_syscall(struct thread *td, struct mac_syscall_args *uap) +{ + + return (ENOSYS); +} + #endif /* !MAC */ diff --git a/sys/security/mac/mac_vfs.c b/sys/security/mac/mac_vfs.c index 7bf7393..107b2d2 100644 --- a/sys/security/mac/mac_vfs.c +++ b/sys/security/mac/mac_vfs.c @@ -381,6 +381,10 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_init = mpe->mpe_function; break; + case MAC_SYSCALL: + mpc->mpc_ops->mpo_syscall = + mpe->mpe_function; + break; case MAC_INIT_BPFDESC: mpc->mpc_ops->mpo_init_bpfdesc = mpe->mpe_function; 
@@ -3213,6 +3217,33 @@ out: return (error); } +int +mac_syscall(struct thread *td, struct mac_syscall_args *uap) +{ + struct mac_policy_conf *mpc; + char target[MAC_MAX_POLICY_NAME]; + int error; + + error = copyinstr(SCARG(uap, policy), target, sizeof(target), NULL); + if (error) + return (error); + + error = ENOSYS; + MAC_POLICY_LIST_BUSY(); + LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { + if (strcmp(mpc->mpc_name, target) == 0 && + mpc->mpc_ops->mpo_syscall != NULL) { + error = mpc->mpc_ops->mpo_syscall(td, + SCARG(uap, call), SCARG(uap, arg)); + goto out; + } + } + +out: + MAC_POLICY_LIST_UNBUSY(); + return (error); +} + SYSINIT(mac, SI_SUB_MAC, SI_ORDER_FIRST, mac_init, NULL); SYSINIT(mac_late, SI_SUB_MAC_LATE, SI_ORDER_FIRST, mac_late_init, NULL); @@ -3260,4 +3291,11 @@ __mac_set_file(struct thread *td, struct __mac_set_file_args *uap) return (ENOSYS); } +int +mac_syscall(struct thread *td, struct mac_syscall_args *uap) +{ + + return (ENOSYS); +} + #endif /* !MAC */ diff --git a/sys/sys/mac.h b/sys/sys/mac.h index 1f36d55..0696f3c 100644 --- a/sys/sys/mac.h +++ b/sys/sys/mac.h @@ -60,6 +60,11 @@ #define FREEBSD_MAC_EXTATTR_NAMESPACE EXTATTR_NAMESPACE_SYSTEM /* + * MAC framework-related constants and limits. + */ +#define MAC_MAX_POLICY_NAME 32 + +/* * XXXMAC: Per-policy structures will be moved from mac.h to per-policy * include files once the revised user interface is available. */ @@ -166,7 +171,7 @@ int mac_valid(const mac_t _label); * Extensions to POSIX.1e visible in the application namespace. */ int mac_is_present_np(const char *_policyname); -int mac_policy(const char *_policyname, int call, void *arg); +int mac_syscall(const char *_policyname, int call, void *arg); /* * System calls wrapped by some POSIX.1e functions. diff --git a/sys/sys/mac_policy.h b/sys/sys/mac_policy.h index b3707c2..d0065aa 100644 --- a/sys/sys/mac_policy.h +++ b/sys/sys/mac_policy.h 
@@ -63,6 +63,13 @@ struct mac_policy_ops { void (*mpo_init)(struct mac_policy_conf *mpc); /* + * General policy-directed security system call so that policies + * may implement new services without reserving explicit + * system call numbers. + */ + int (*mpo_syscall)(struct thread *td, int call, void *arg); + + /* * Label operations. */ void (*mpo_init_bpfdesc)(struct bpf_d *, struct label *label); @@ -342,6 +349,7 @@ enum mac_op_constant { MAC_OP_LAST, MAC_DESTROY, MAC_INIT, + MAC_SYSCALL, MAC_INIT_BPFDESC, MAC_INIT_CRED, MAC_INIT_DEVFSDIRENT, |