diff options
-rw-r--r-- | sys/kern/kern_mac.c | 30 | ||||
-rw-r--r-- | sys/kern/vfs_extattr.c | 7 | ||||
-rw-r--r-- | sys/kern/vfs_syscalls.c | 7 | ||||
-rw-r--r-- | sys/security/mac/mac_framework.c | 30 | ||||
-rw-r--r-- | sys/security/mac/mac_framework.h | 2 | ||||
-rw-r--r-- | sys/security/mac/mac_internal.h | 30 | ||||
-rw-r--r-- | sys/security/mac/mac_net.c | 30 | ||||
-rw-r--r-- | sys/security/mac/mac_pipe.c | 30 | ||||
-rw-r--r-- | sys/security/mac/mac_policy.h | 4 | ||||
-rw-r--r-- | sys/security/mac/mac_process.c | 30 | ||||
-rw-r--r-- | sys/security/mac/mac_syscalls.c | 30 | ||||
-rw-r--r-- | sys/security/mac/mac_system.c | 30 | ||||
-rw-r--r-- | sys/security/mac/mac_vfs.c | 30 | ||||
-rw-r--r-- | sys/sys/mac.h | 2 | ||||
-rw-r--r-- | sys/sys/mac_policy.h | 4 |
15 files changed, 294 insertions, 2 deletions
diff --git a/sys/kern/kern_mac.c b/sys/kern/kern_mac.c index d21d5df..5719b01f 100644 --- a/sys/kern/kern_mac.c +++ b/sys/kern/kern_mac.c @@ -799,6 +799,10 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_check_vnode_getextattr = mpe->mpe_function; break; + case MAC_CHECK_VNODE_LINK: + mpc->mpc_ops->mpo_check_vnode_link = + mpe->mpe_function; + break; case MAC_CHECK_VNODE_LOOKUP: mpc->mpc_ops->mpo_check_vnode_lookup = mpe->mpe_function; @@ -1832,6 +1836,32 @@ mac_check_vnode_getextattr(struct ucred *cred, struct vnode *vp, } int +mac_check_vnode_link(struct ucred *cred, struct vnode *dvp, + struct vnode *vp, struct componentname *cnp) +{ + + int error; + + ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_link"); + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_link"); + + if (!mac_enforce_fs) + return (0); + + error = vn_refreshlabel(dvp, cred); + if (error) + return (error); + + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + + MAC_CHECK(check_vnode_link, cred, dvp, &dvp->v_label, vp, + &vp->v_label, cnp); + return (error); +} + +int mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, struct componentname *cnp) { diff --git a/sys/kern/vfs_extattr.c b/sys/kern/vfs_extattr.c index 7c72a8c..4cba8b5 100644 --- a/sys/kern/vfs_extattr.c +++ b/sys/kern/vfs_extattr.c @@ -1031,7 +1031,12 @@ kern_link(struct thread *td, char *path, char *link, enum uio_seg segflg) == 0) { VOP_LEASE(nd.ni_dvp, td, td->td_ucred, LEASE_WRITE); VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE); - error = VOP_LINK(nd.ni_dvp, vp, &nd.ni_cnd); +#ifdef MAC + error = mac_check_vnode_link(td->td_ucred, nd.ni_dvp, + vp, &nd.ni_cnd); + if (error == 0) +#endif + error = VOP_LINK(nd.ni_dvp, vp, &nd.ni_cnd); VOP_UNLOCK(vp, 0, td); } NDFREE(&nd, NDF_ONLY_PNBUF); diff --git a/sys/kern/vfs_syscalls.c b/sys/kern/vfs_syscalls.c index 7c72a8c..4cba8b5 100644 --- a/sys/kern/vfs_syscalls.c +++ b/sys/kern/vfs_syscalls.c @@ -1031,7 +1031,12 @@ kern_link(struct thread *td, char *path, char *link, enum uio_seg segflg) == 0) { VOP_LEASE(nd.ni_dvp, td, td->td_ucred, LEASE_WRITE); VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE); - error = VOP_LINK(nd.ni_dvp, vp, &nd.ni_cnd); +#ifdef MAC + error = mac_check_vnode_link(td->td_ucred, nd.ni_dvp, + vp, &nd.ni_cnd); + if (error == 0) +#endif + error = VOP_LINK(nd.ni_dvp, vp, &nd.ni_cnd); VOP_UNLOCK(vp, 0, td); } NDFREE(&nd, NDF_ONLY_PNBUF); diff --git a/sys/security/mac/mac_framework.c b/sys/security/mac/mac_framework.c index d21d5df..5719b01f 100644 --- a/sys/security/mac/mac_framework.c +++ b/sys/security/mac/mac_framework.c @@ -799,6 +799,10 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_check_vnode_getextattr = mpe->mpe_function; break; + case MAC_CHECK_VNODE_LINK: + mpc->mpc_ops->mpo_check_vnode_link = + mpe->mpe_function; + break; case MAC_CHECK_VNODE_LOOKUP: mpc->mpc_ops->mpo_check_vnode_lookup = mpe->mpe_function; @@ -1832,6 +1836,32 @@ mac_check_vnode_getextattr(struct ucred *cred, struct vnode *vp, } int +mac_check_vnode_link(struct ucred *cred, struct vnode *dvp, + struct vnode *vp, struct componentname *cnp) +{ + + int error; + + ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_link"); + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_link"); + + if (!mac_enforce_fs) + return (0); + + error = vn_refreshlabel(dvp, cred); + if (error) + return (error); + + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + + MAC_CHECK(check_vnode_link, cred, dvp, &dvp->v_label, vp, + &vp->v_label, cnp); + return (error); +} + +int mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, struct componentname *cnp) { diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h index ebb65cb..a646ad3 100644 --- a/sys/security/mac/mac_framework.h +++ b/sys/security/mac/mac_framework.h @@ -333,6 +333,8 @@ int mac_check_vnode_getacl(struct ucred *cred, struct vnode *vp, acl_type_t type); int mac_check_vnode_getextattr(struct ucred *cred, struct vnode *vp, int attrnamespace, const char *name, struct uio *uio); +int mac_check_vnode_link(struct ucred *cred, struct vnode *dvp, + struct vnode *vp, struct componentname *cnp); int mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, struct componentname *cnp); /* XXX This u_char should be vm_prot_t! */ diff --git a/sys/security/mac/mac_internal.h b/sys/security/mac/mac_internal.h index d21d5df..5719b01f 100644 --- a/sys/security/mac/mac_internal.h +++ b/sys/security/mac/mac_internal.h @@ -799,6 +799,10 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_check_vnode_getextattr = mpe->mpe_function; break; + case MAC_CHECK_VNODE_LINK: + mpc->mpc_ops->mpo_check_vnode_link = + mpe->mpe_function; + break; case MAC_CHECK_VNODE_LOOKUP: mpc->mpc_ops->mpo_check_vnode_lookup = mpe->mpe_function; @@ -1832,6 +1836,32 @@ mac_check_vnode_getextattr(struct ucred *cred, struct vnode *vp, } int +mac_check_vnode_link(struct ucred *cred, struct vnode *dvp, + struct vnode *vp, struct componentname *cnp) +{ + + int error; + + ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_link"); + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_link"); + + if (!mac_enforce_fs) + return (0); + + error = vn_refreshlabel(dvp, cred); + if (error) + return (error); + + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + + MAC_CHECK(check_vnode_link, cred, dvp, &dvp->v_label, vp, + &vp->v_label, cnp); + return (error); +} + +int mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, struct componentname *cnp) { diff --git a/sys/security/mac/mac_net.c b/sys/security/mac/mac_net.c index d21d5df..5719b01f 100644 --- a/sys/security/mac/mac_net.c +++ b/sys/security/mac/mac_net.c @@ -799,6 +799,10 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_check_vnode_getextattr = mpe->mpe_function; break; + case MAC_CHECK_VNODE_LINK: + mpc->mpc_ops->mpo_check_vnode_link = + mpe->mpe_function; + break; case MAC_CHECK_VNODE_LOOKUP: mpc->mpc_ops->mpo_check_vnode_lookup = mpe->mpe_function; @@ -1832,6 +1836,32 @@ mac_check_vnode_getextattr(struct ucred *cred, struct vnode *vp, } int +mac_check_vnode_link(struct ucred *cred, struct vnode *dvp, + struct vnode *vp, struct componentname *cnp) +{ + + int error; + + ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_link"); + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_link"); + + if (!mac_enforce_fs) + return (0); + + error = vn_refreshlabel(dvp, cred); + if (error) + return (error); + + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + + MAC_CHECK(check_vnode_link, cred, dvp, &dvp->v_label, vp, + &vp->v_label, cnp); + return (error); +} + +int mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, struct componentname *cnp) { diff --git a/sys/security/mac/mac_pipe.c b/sys/security/mac/mac_pipe.c index d21d5df..5719b01f 100644 --- a/sys/security/mac/mac_pipe.c +++ b/sys/security/mac/mac_pipe.c @@ -799,6 +799,10 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_check_vnode_getextattr = mpe->mpe_function; break; + case MAC_CHECK_VNODE_LINK: + mpc->mpc_ops->mpo_check_vnode_link = + mpe->mpe_function; + break; case MAC_CHECK_VNODE_LOOKUP: mpc->mpc_ops->mpo_check_vnode_lookup = mpe->mpe_function; @@ -1832,6 +1836,32 @@ mac_check_vnode_getextattr(struct ucred *cred, struct vnode *vp, } int +mac_check_vnode_link(struct ucred *cred, struct vnode *dvp, + struct vnode *vp, struct componentname *cnp) +{ + + int error; + + ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_link"); + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_link"); + + if (!mac_enforce_fs) + return (0); + + error = vn_refreshlabel(dvp, cred); + if (error) + return (error); + + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + + MAC_CHECK(check_vnode_link, cred, dvp, &dvp->v_label, vp, + &vp->v_label, cnp); + return (error); +} + +int mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, struct componentname *cnp) { diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h index a54e925..d9f1a8e 100644 --- a/sys/security/mac/mac_policy.h +++ b/sys/security/mac/mac_policy.h @@ -294,6 +294,9 @@ struct mac_policy_ops { int (*mpo_check_vnode_getextattr)(struct ucred *cred, struct vnode *vp, struct label *label, int attrnamespace, const char *name, struct uio *uio); + int (*mpo_check_vnode_link)(struct ucred *cred, struct vnode *dvp, + struct label *dlabel, struct vnode *vp, + struct label *label, struct componentname *cnp); int (*mpo_check_vnode_lookup)(struct ucred *cred, struct vnode *dvp, struct label *dlabel, struct componentname *cnp); @@ -454,6 +457,7 @@ enum mac_op_constant { MAC_CHECK_VNODE_EXEC, MAC_CHECK_VNODE_GETACL, MAC_CHECK_VNODE_GETEXTATTR, + MAC_CHECK_VNODE_LINK, MAC_CHECK_VNODE_LOOKUP, MAC_CHECK_VNODE_MMAP_PERMS, MAC_CHECK_VNODE_OPEN, diff --git a/sys/security/mac/mac_process.c b/sys/security/mac/mac_process.c index d21d5df..5719b01f 100644 --- a/sys/security/mac/mac_process.c +++ b/sys/security/mac/mac_process.c @@ -799,6 +799,10 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_check_vnode_getextattr = mpe->mpe_function; break; + case MAC_CHECK_VNODE_LINK: + mpc->mpc_ops->mpo_check_vnode_link = + mpe->mpe_function; + break; case MAC_CHECK_VNODE_LOOKUP: mpc->mpc_ops->mpo_check_vnode_lookup = mpe->mpe_function; @@ -1832,6 +1836,32 @@ mac_check_vnode_getextattr(struct ucred *cred, struct vnode *vp, } int +mac_check_vnode_link(struct ucred *cred, struct vnode *dvp, + struct vnode *vp, struct componentname *cnp) +{ + + int error; + + ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_link"); + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_link"); + + if (!mac_enforce_fs) + return (0); + + error = vn_refreshlabel(dvp, cred); + if (error) + return (error); + + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + + MAC_CHECK(check_vnode_link, cred, dvp, &dvp->v_label, vp, + &vp->v_label, cnp); + return (error); +} + +int mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, struct componentname *cnp) { diff --git a/sys/security/mac/mac_syscalls.c b/sys/security/mac/mac_syscalls.c index d21d5df..5719b01f 100644 --- a/sys/security/mac/mac_syscalls.c +++ b/sys/security/mac/mac_syscalls.c @@ -799,6 +799,10 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_check_vnode_getextattr = mpe->mpe_function; break; + case MAC_CHECK_VNODE_LINK: + mpc->mpc_ops->mpo_check_vnode_link = + mpe->mpe_function; + break; case MAC_CHECK_VNODE_LOOKUP: mpc->mpc_ops->mpo_check_vnode_lookup = mpe->mpe_function; @@ -1832,6 +1836,32 @@ mac_check_vnode_getextattr(struct ucred *cred, struct vnode *vp, } int +mac_check_vnode_link(struct ucred *cred, struct vnode *dvp, + struct vnode *vp, struct componentname *cnp) +{ + + int error; + + ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_link"); + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_link"); + + if (!mac_enforce_fs) + return (0); + + error = vn_refreshlabel(dvp, cred); + if (error) + return (error); + + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + + MAC_CHECK(check_vnode_link, cred, dvp, &dvp->v_label, vp, + &vp->v_label, cnp); + return (error); +} + +int mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, struct componentname *cnp) { diff --git a/sys/security/mac/mac_system.c b/sys/security/mac/mac_system.c index d21d5df..5719b01f 100644 --- a/sys/security/mac/mac_system.c +++ b/sys/security/mac/mac_system.c @@ -799,6 +799,10 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_check_vnode_getextattr = mpe->mpe_function; break; + case MAC_CHECK_VNODE_LINK: + mpc->mpc_ops->mpo_check_vnode_link = + mpe->mpe_function; + break; case MAC_CHECK_VNODE_LOOKUP: mpc->mpc_ops->mpo_check_vnode_lookup = mpe->mpe_function; @@ -1832,6 +1836,32 @@ mac_check_vnode_getextattr(struct ucred *cred, struct vnode *vp, } int +mac_check_vnode_link(struct ucred *cred, struct vnode *dvp, + struct vnode *vp, struct componentname *cnp) +{ + + int error; + + ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_link"); + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_link"); + + if (!mac_enforce_fs) + return (0); + + error = vn_refreshlabel(dvp, cred); + if (error) + return (error); + + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + + MAC_CHECK(check_vnode_link, cred, dvp, &dvp->v_label, vp, + &vp->v_label, cnp); + return (error); +} + +int mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, struct componentname *cnp) { diff --git a/sys/security/mac/mac_vfs.c b/sys/security/mac/mac_vfs.c index d21d5df..5719b01f 100644 --- a/sys/security/mac/mac_vfs.c +++ b/sys/security/mac/mac_vfs.c @@ -799,6 +799,10 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_check_vnode_getextattr = mpe->mpe_function; break; + case MAC_CHECK_VNODE_LINK: + mpc->mpc_ops->mpo_check_vnode_link = + mpe->mpe_function; + break; case MAC_CHECK_VNODE_LOOKUP: mpc->mpc_ops->mpo_check_vnode_lookup = mpe->mpe_function; @@ -1832,6 +1836,32 @@ mac_check_vnode_getextattr(struct ucred *cred, struct vnode *vp, } int +mac_check_vnode_link(struct ucred *cred, struct vnode *dvp, + struct vnode *vp, struct componentname *cnp) +{ + + int error; + + ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_link"); + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_link"); + + if (!mac_enforce_fs) + return (0); + + error = vn_refreshlabel(dvp, cred); + if (error) + return (error); + + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + + MAC_CHECK(check_vnode_link, cred, dvp, &dvp->v_label, vp, + &vp->v_label, cnp); + return (error); +} + +int mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, struct componentname *cnp) { diff --git a/sys/sys/mac.h b/sys/sys/mac.h index ebb65cb..a646ad3 100644 --- a/sys/sys/mac.h +++ b/sys/sys/mac.h @@ -333,6 +333,8 @@ int mac_check_vnode_getacl(struct ucred *cred, struct vnode *vp, acl_type_t type); int mac_check_vnode_getextattr(struct ucred *cred, struct vnode *vp, int attrnamespace, const char *name, struct uio *uio); +int mac_check_vnode_link(struct ucred *cred, struct vnode *dvp, + struct vnode *vp, struct componentname *cnp); int mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, struct componentname *cnp); /* XXX This u_char should be vm_prot_t! */ diff --git a/sys/sys/mac_policy.h b/sys/sys/mac_policy.h index a54e925..d9f1a8e 100644 --- a/sys/sys/mac_policy.h +++ b/sys/sys/mac_policy.h @@ -294,6 +294,9 @@ struct mac_policy_ops { int (*mpo_check_vnode_getextattr)(struct ucred *cred, struct vnode *vp, struct label *label, int attrnamespace, const char *name, struct uio *uio); + int (*mpo_check_vnode_link)(struct ucred *cred, struct vnode *dvp, + struct label *dlabel, struct vnode *vp, + struct label *label, struct componentname *cnp); int (*mpo_check_vnode_lookup)(struct ucred *cred, struct vnode *dvp, struct label *dlabel, struct componentname *cnp); @@ -454,6 +457,7 @@ enum mac_op_constant { MAC_CHECK_VNODE_EXEC, MAC_CHECK_VNODE_GETACL, MAC_CHECK_VNODE_GETEXTATTR, + MAC_CHECK_VNODE_LINK, MAC_CHECK_VNODE_LOOKUP, MAC_CHECK_VNODE_MMAP_PERMS, MAC_CHECK_VNODE_OPEN, |