Diffstat (limited to 'sys/security/mac/mac_vfs.c')
-rw-r--r--sys/security/mac/mac_vfs.c172
1 files changed, 171 insertions, 1 deletions
diff --git a/sys/security/mac/mac_vfs.c b/sys/security/mac/mac_vfs.c
index 42da76c..1ebf520 100644
--- a/sys/security/mac/mac_vfs.c
+++ b/sys/security/mac/mac_vfs.c
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 1999-2002 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2009 Robert N. M. Watson
* Copyright (c) 2001 Ilmar S. Habibulin
* Copyright (c) 2001-2005 McAfee, Inc.
* Copyright (c) 2005-2006 SPARTA, Inc.
@@ -17,6 +17,9 @@
* This software was enhanced by SPARTA ISSO under SPAWAR contract
* N66001-04-C-6019 ("SEFOS").
*
+ * This software was developed at the University of Cambridge Computer
+ * Laboratory with support from a grant from Google, Inc.
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -42,6 +45,7 @@
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
+#include "opt_kdtrace.h"
#include "opt_mac.h"
#include <sys/param.h>
@@ -59,6 +63,7 @@ __FBSDID("$FreeBSD$");
#include <sys/mount.h>
#include <sys/file.h>
#include <sys/namei.h>
+#include <sys/sdt.h>
#include <sys/sysctl.h>
#include <vm/vm.h>
@@ -361,6 +366,9 @@ mac_vnode_execve_will_transition(struct ucred *old, struct vnode *vp,
return (result);
}
+MAC_CHECK_PROBE_DEFINE3(vnode_check_access, "struct ucred *",
+ "struct vnode *", "accmode_t");
+
int
mac_vnode_check_access(struct ucred *cred, struct vnode *vp, accmode_t accmode)
{
@@ -369,9 +377,14 @@ mac_vnode_check_access(struct ucred *cred, struct vnode *vp, accmode_t accmode)
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_access");
MAC_CHECK(vnode_check_access, cred, vp, vp->v_label, accmode);
+ MAC_CHECK_PROBE3(vnode_check_access, error, cred, vp, accmode);
+
return (error);
}
+MAC_CHECK_PROBE_DEFINE2(vnode_check_chdir, "struct ucred *",
+ "struct vnode *");
+
int
mac_vnode_check_chdir(struct ucred *cred, struct vnode *dvp)
{
@@ -380,9 +393,14 @@ mac_vnode_check_chdir(struct ucred *cred, struct vnode *dvp)
ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_chdir");
MAC_CHECK(vnode_check_chdir, cred, dvp, dvp->v_label);
+ MAC_CHECK_PROBE2(vnode_check_chdir, error, cred, dvp);
+
return (error);
}
+MAC_CHECK_PROBE_DEFINE2(vnode_check_chroot, "struct ucred *",
+ "struct vnode *");
+
int
mac_vnode_check_chroot(struct ucred *cred, struct vnode *dvp)
{
@@ -391,9 +409,14 @@ mac_vnode_check_chroot(struct ucred *cred, struct vnode *dvp)
ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_chroot");
MAC_CHECK(vnode_check_chroot, cred, dvp, dvp->v_label);
+ MAC_CHECK_PROBE2(vnode_check_chroot, error, cred, dvp);
+
return (error);
}
+MAC_CHECK_PROBE_DEFINE4(vnode_check_create, "struct ucred *",
+ "struct vnode *", "struct componentname *", "struct vattr *");
+
int
mac_vnode_check_create(struct ucred *cred, struct vnode *dvp,
struct componentname *cnp, struct vattr *vap)
@@ -403,9 +426,14 @@ mac_vnode_check_create(struct ucred *cred, struct vnode *dvp,
ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_create");
MAC_CHECK(vnode_check_create, cred, dvp, dvp->v_label, cnp, vap);
+ MAC_CHECK_PROBE4(vnode_check_create, error, cred, dvp, cnp, vap);
+
return (error);
}
+MAC_CHECK_PROBE_DEFINE3(vnode_check_deleteacl, "struct ucred *",
+ "struct vnode *", "acl_type_t");
+
int
mac_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp,
acl_type_t type)
@@ -415,9 +443,14 @@ mac_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp,
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_deleteacl");
MAC_CHECK(vnode_check_deleteacl, cred, vp, vp->v_label, type);
+ MAC_CHECK_PROBE3(vnode_check_deleteacl, error, cred, vp, type);
+
return (error);
}
+MAC_CHECK_PROBE_DEFINE4(vnode_check_deleteextattr, "struct ucred *",
+ "struct vnode *", "int", "const char *");
+
int
mac_vnode_check_deleteextattr(struct ucred *cred, struct vnode *vp,
int attrnamespace, const char *name)
@@ -428,9 +461,15 @@ mac_vnode_check_deleteextattr(struct ucred *cred, struct vnode *vp,
MAC_CHECK(vnode_check_deleteextattr, cred, vp, vp->v_label,
attrnamespace, name);
+ MAC_CHECK_PROBE4(vnode_check_deleteextattr, error, cred, vp,
+ attrnamespace, name);
+
return (error);
}
+MAC_CHECK_PROBE_DEFINE3(vnode_check_exec, "struct ucred *", "struct vnode *",
+ "struct image_params *");
+
int
mac_vnode_check_exec(struct ucred *cred, struct vnode *vp,
struct image_params *imgp)
@@ -441,10 +480,14 @@ mac_vnode_check_exec(struct ucred *cred, struct vnode *vp,
MAC_CHECK(vnode_check_exec, cred, vp, vp->v_label, imgp,
imgp->execlabel);
+ MAC_CHECK_PROBE3(vnode_check_exec, error, cred, vp, imgp);
return (error);
}
+MAC_CHECK_PROBE_DEFINE3(vnode_check_getacl, "struct ucred *",
+ "struct vnode *", "acl_type_t");
+
int
mac_vnode_check_getacl(struct ucred *cred, struct vnode *vp, acl_type_t type)
{
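Review bot: The new `MAC_CHECK_PROBE3(vnode_check_exec, error, cred, vp, imgp);` on line 135 runs straight into `return (error);` with no separating blank line, whereas every preceding hunk in this commit (vnode_check_access through vnode_check_deleteextattr) inserts a blank line between the probe call and the return. The same layout drift recurs in the poll, read, relabel, rename_to, write and mount_check_stat hunks, so the file ends up with two conventions for the same two-line idiom. Since the probe is meant to read as part of the check (it reports the `error` the preceding MAC_CHECK produced), either drop the blank line everywhere or add it everywhere; a single form makes a later "define but never fire" omission easier to spot by eye. mac_vnode_check_exec's body begins outside this hunk.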
@@ -453,9 +496,14 @@ mac_vnode_check_getacl(struct ucred *cred, struct vnode *vp, acl_type_t type)
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_getacl");
MAC_CHECK(vnode_check_getacl, cred, vp, vp->v_label, type);
+ MAC_CHECK_PROBE3(vnode_check_getacl, error, cred, vp, type);
+
return (error);
}
+MAC_CHECK_PROBE_DEFINE4(vnode_check_getextattr, "struct ucred *",
+ "struct vnode *", "int", "const char *");
+
int
mac_vnode_check_getextattr(struct ucred *cred, struct vnode *vp,
int attrnamespace, const char *name, struct uio *uio)
@@ -466,9 +514,15 @@ mac_vnode_check_getextattr(struct ucred *cred, struct vnode *vp,
MAC_CHECK(vnode_check_getextattr, cred, vp, vp->v_label,
attrnamespace, name, uio);
+ MAC_CHECK_PROBE4(vnode_check_getextattr, error, cred, vp,
+ attrnamespace, name);
+
return (error);
}
+MAC_CHECK_PROBE_DEFINE4(vnode_check_link, "struct ucred *", "struct vnode *",
+ "struct vnode *", "struct componentname *");
+
int
mac_vnode_check_link(struct ucred *cred, struct vnode *dvp,
struct vnode *vp, struct componentname *cnp)
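Review bot: The probe on lines 160-161 silently drops `uio` from the arguments that the MAC_CHECK on lines 158-159 passes, and nothing in the hunk says why; the visible `MAC_CHECK_PROBE_DEFINE4` macros suggest four arguments is the ceiling, but that is an inference a reader of this file cannot confirm here. A one-line comment above the call would remove the doubt, e.g. `/* uio omitted: check probes carry at most four arguments. */`. The same unexplained omission appears in the setextattr hunk (`uio`), the rename_to hunk (`samedir`), and the exec hunk (`imgp->execlabel`), so the comment belongs at each of those or once at the probe-macro definitions. mac_vnode_check_getextattr's body begins outside this hunk.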
@@ -480,9 +534,14 @@ mac_vnode_check_link(struct ucred *cred, struct vnode *dvp,
MAC_CHECK(vnode_check_link, cred, dvp, dvp->v_label, vp,
vp->v_label, cnp);
+ MAC_CHECK_PROBE4(vnode_check_link, error, cred, dvp, vp, cnp);
+
return (error);
}
+MAC_CHECK_PROBE_DEFINE3(vnode_check_listextattr, "struct ucred *",
+ "struct vnode *", "int");
+
int
mac_vnode_check_listextattr(struct ucred *cred, struct vnode *vp,
int attrnamespace)
@@ -493,9 +552,15 @@ mac_vnode_check_listextattr(struct ucred *cred, struct vnode *vp,
MAC_CHECK(vnode_check_listextattr, cred, vp, vp->v_label,
attrnamespace);
+ MAC_CHECK_PROBE3(vnode_check_listextattr, error, cred, vp,
+ attrnamespace);
+
return (error);
}
+MAC_CHECK_PROBE_DEFINE3(vnode_check_lookup, "struct ucred *",
+ "struct vnode *", "struct componentname *");
+
int
mac_vnode_check_lookup(struct ucred *cred, struct vnode *dvp,
struct componentname *cnp)
@@ -505,9 +570,14 @@ mac_vnode_check_lookup(struct ucred *cred, struct vnode *dvp,
ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_lookup");
MAC_CHECK(vnode_check_lookup, cred, dvp, dvp->v_label, cnp);
+ MAC_CHECK_PROBE3(vnode_check_lookup, error, cred, dvp, cnp);
+
return (error);
}
+MAC_CHECK_PROBE_DEFINE4(vnode_check_mmap, "struct ucred *", "struct vnode *",
+ "int", "int");
+
int
mac_vnode_check_mmap(struct ucred *cred, struct vnode *vp, int prot,
int flags)
@@ -517,6 +587,8 @@ mac_vnode_check_mmap(struct ucred *cred, struct vnode *vp, int prot,
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_mmap");
MAC_CHECK(vnode_check_mmap, cred, vp, vp->v_label, prot, flags);
+ MAC_CHECK_PROBE4(vnode_check_mmap, error, cred, vp, prot, flags);
+
return (error);
}
@@ -534,6 +606,9 @@ mac_vnode_check_mmap_downgrade(struct ucred *cred, struct vnode *vp,
*prot = result;
}
+MAC_CHECK_PROBE_DEFINE3(vnode_check_mprotect, "struct ucred *",
+ "struct vnode *", "int");
+
int
mac_vnode_check_mprotect(struct ucred *cred, struct vnode *vp, int prot)
{
@@ -542,9 +617,14 @@ mac_vnode_check_mprotect(struct ucred *cred, struct vnode *vp, int prot)
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_mprotect");
MAC_CHECK(vnode_check_mprotect, cred, vp, vp->v_label, prot);
+ MAC_CHECK_PROBE3(vnode_check_mprotect, error, cred, vp, prot);
+
return (error);
}
+MAC_CHECK_PROBE_DEFINE3(vnode_check_open, "struct ucred *", "struct vnode *",
+ "accmode_t");
+
int
mac_vnode_check_open(struct ucred *cred, struct vnode *vp, accmode_t accmode)
{
@@ -556,6 +636,9 @@ mac_vnode_check_open(struct ucred *cred, struct vnode *vp, accmode_t accmode)
return (error);
}
+MAC_CHECK_PROBE_DEFINE3(vnode_check_poll, "struct ucred *", "struct ucred *",
+ "struct vnode *");
+
int
mac_vnode_check_poll(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp)
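Review bot: `MAC_CHECK_PROBE_DEFINE3(vnode_check_open, ...)` is declared in the previous hunk but the corresponding probe is never fired: the hunk offsets (`@@ -542,9 +617,14 @@` ending at the function's `{`, then `@@ -556,6 +636,9 @@` starting at its `return (error);`) leave old lines 551-555, which hold the body and its MAC_CHECK, untouched, and no `MAC_CHECK_PROBE3(vnode_check_open, ...)` appears before the return shown here. If that reading of the offsets is right, anyone tracing MAC access-check decisions on open will see probes for every other vnode operation but none for open, which is exactly the gap an auditor would not expect. Add `MAC_CHECK_PROBE3(vnode_check_open, error, cred, vp, accmode);` between the MAC_CHECK and `return (error);`, matching the access and mmap hunks. mac_vnode_check_open's body lies outside this hunk, so the omission should be confirmed against the full file.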
@@ -566,10 +649,15 @@ mac_vnode_check_poll(struct ucred *active_cred, struct ucred *file_cred,
MAC_CHECK(vnode_check_poll, active_cred, file_cred, vp,
vp->v_label);
+ MAC_CHECK_PROBE3(vnode_check_poll, error, active_cred, file_cred,
+ vp);
return (error);
}
+MAC_CHECK_PROBE_DEFINE3(vnode_check_read, "struct ucred *", "struct ucred *",
+ "struct vnode *");
+
int
mac_vnode_check_read(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp)
@@ -580,10 +668,15 @@ mac_vnode_check_read(struct ucred *active_cred, struct ucred *file_cred,
MAC_CHECK(vnode_check_read, active_cred, file_cred, vp,
vp->v_label);
+ MAC_CHECK_PROBE3(vnode_check_read, error, active_cred, file_cred,
+ vp);
return (error);
}
+MAC_CHECK_PROBE_DEFINE2(vnode_check_readdir, "struct ucred *",
+ "struct vnode *");
+
int
mac_vnode_check_readdir(struct ucred *cred, struct vnode *dvp)
{
@@ -592,9 +685,14 @@ mac_vnode_check_readdir(struct ucred *cred, struct vnode *dvp)
ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_readdir");
MAC_CHECK(vnode_check_readdir, cred, dvp, dvp->v_label);
+ MAC_CHECK_PROBE2(vnode_check_readdir, error, cred, dvp);
+
return (error);
}
+MAC_CHECK_PROBE_DEFINE2(vnode_check_readlink, "struct ucred *",
+ "struct vnode *");
+
int
mac_vnode_check_readlink(struct ucred *cred, struct vnode *vp)
{
@@ -603,9 +701,14 @@ mac_vnode_check_readlink(struct ucred *cred, struct vnode *vp)
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_readlink");
MAC_CHECK(vnode_check_readlink, cred, vp, vp->v_label);
+ MAC_CHECK_PROBE2(vnode_check_readlink, error, cred, vp);
+
return (error);
}
+MAC_CHECK_PROBE_DEFINE3(vnode_check_relabel, "struct ucred *",
+ "struct vnode *", "struct label *");
+
static int
mac_vnode_check_relabel(struct ucred *cred, struct vnode *vp,
struct label *newlabel)
@@ -615,10 +718,14 @@ mac_vnode_check_relabel(struct ucred *cred, struct vnode *vp,
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_relabel");
MAC_CHECK(vnode_check_relabel, cred, vp, vp->v_label, newlabel);
+ MAC_CHECK_PROBE3(vnode_check_relabel, error, cred, vp, newlabel);
return (error);
}
+MAC_CHECK_PROBE_DEFINE4(vnode_check_rename_from, "struct ucred *",
+ "struct vnode *", "struct vnode *", "struct componentname *");
+
int
mac_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp,
struct vnode *vp, struct componentname *cnp)
@@ -630,9 +737,14 @@ mac_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp,
MAC_CHECK(vnode_check_rename_from, cred, dvp, dvp->v_label, vp,
vp->v_label, cnp);
+ MAC_CHECK_PROBE4(vnode_check_rename_from, error, cred, dvp, vp, cnp);
+
return (error);
}
+MAC_CHECK_PROBE_DEFINE4(vnode_check_rename_to, "struct ucred *",
+ "struct vnode *", "struct vnode *", "struct componentname *");
+
int
mac_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp,
struct vnode *vp, int samedir, struct componentname *cnp)
@@ -644,9 +756,13 @@ mac_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp,
MAC_CHECK(vnode_check_rename_to, cred, dvp, dvp->v_label, vp,
vp != NULL ? vp->v_label : NULL, samedir, cnp);
+ MAC_CHECK_PROBE4(vnode_check_rename_to, error, cred, dvp, vp, cnp);
return (error);
}
+MAC_CHECK_PROBE_DEFINE2(vnode_check_revoke, "struct ucred *",
+ "struct vnode *");
+
int
mac_vnode_check_revoke(struct ucred *cred, struct vnode *vp)
{
@@ -655,9 +771,14 @@ mac_vnode_check_revoke(struct ucred *cred, struct vnode *vp)
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_revoke");
MAC_CHECK(vnode_check_revoke, cred, vp, vp->v_label);
+ MAC_CHECK_PROBE2(vnode_check_revoke, error, cred, vp);
+
return (error);
}
+MAC_CHECK_PROBE_DEFINE4(vnode_check_setacl, "struct ucred *",
+ "struct vnode *", "acl_tpe_t", "struct acl *");
+
int
mac_vnode_check_setacl(struct ucred *cred, struct vnode *vp, acl_type_t type,
struct acl *acl)
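Review bot: The probe definition on lines 345-346 spells the third argument type as `"acl_tpe_t"`; the parameter it describes is declared `acl_type_t type` on line 349. Because the type is passed as a string literal the compiler will not catch this, and presumably the probe consumer ends up with an argument typed by a name that does not exist, so the mistake only surfaces when someone tries to use the probe. Change line 346 to `"struct vnode *", "acl_type_t", "struct acl *");`, consistent with the deleteacl and getacl hunks, which use `"acl_type_t"`. mac_vnode_check_setacl's body continues outside this hunk.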
@@ -667,9 +788,14 @@ mac_vnode_check_setacl(struct ucred *cred, struct vnode *vp, acl_type_t type,
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_setacl");
MAC_CHECK(vnode_check_setacl, cred, vp, vp->v_label, type, acl);
+ MAC_CHECK_PROBE4(vnode_check_setacl, error, cred, vp, type, acl);
+
return (error);
}
+MAC_CHECK_PROBE_DEFINE4(vnode_check_setextattr, "struct ucred *",
+ "struct vnode *", "int", "const char *");
+
int
mac_vnode_check_setextattr(struct ucred *cred, struct vnode *vp,
int attrnamespace, const char *name, struct uio *uio)
@@ -680,9 +806,15 @@ mac_vnode_check_setextattr(struct ucred *cred, struct vnode *vp,
MAC_CHECK(vnode_check_setextattr, cred, vp, vp->v_label,
attrnamespace, name, uio);
+ MAC_CHECK_PROBE4(vnode_check_setextattr, error, cred, vp,
+ attrnamespace, name);
+
return (error);
}
+MAC_CHECK_PROBE_DEFINE3(vnode_check_setflags, "struct ucred *",
+ "struct vnode *", "u_long");
+
int
mac_vnode_check_setflags(struct ucred *cred, struct vnode *vp, u_long flags)
{
@@ -691,9 +823,14 @@ mac_vnode_check_setflags(struct ucred *cred, struct vnode *vp, u_long flags)
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_setflags");
MAC_CHECK(vnode_check_setflags, cred, vp, vp->v_label, flags);
+ MAC_CHECK_PROBE3(vnode_check_setflags, error, cred, vp, flags);
+
return (error);
}
+MAC_CHECK_PROBE_DEFINE3(vnode_check_setmode, "struct ucred *",
+ "struct vnode *", "mode_t");
+
int
mac_vnode_check_setmode(struct ucred *cred, struct vnode *vp, mode_t mode)
{
@@ -702,9 +839,14 @@ mac_vnode_check_setmode(struct ucred *cred, struct vnode *vp, mode_t mode)
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_setmode");
MAC_CHECK(vnode_check_setmode, cred, vp, vp->v_label, mode);
+ MAC_CHECK_PROBE3(vnode_check_setmode, error, cred, vp, mode);
+
return (error);
}
+MAC_CHECK_PROBE_DEFINE4(vnode_check_setowner, "struct ucred *",
+ "struct vnode *", "uid_t", "gid_t");
+
int
mac_vnode_check_setowner(struct ucred *cred, struct vnode *vp, uid_t uid,
gid_t gid)
@@ -714,9 +856,14 @@ mac_vnode_check_setowner(struct ucred *cred, struct vnode *vp, uid_t uid,
ASSERT_VOP_LOCKED(vp, "mac_vnode_check_setowner");
MAC_CHECK(vnode_check_setowner, cred, vp, vp->v_label, uid, gid);
+ MAC_CHECK_PROBE4(vnode_check_setowner, error, cred, vp, uid, gid);
+
return (error);
}
+MAC_CHECK_PROBE_DEFINE4(vnode_check_setutimes, "struct ucred *",
+ "struct vnode *", "struct timespec *", "struct timespec *");
+
int
mac_vnode_check_setutimes(struct ucred *cred, struct vnode *vp,
struct timespec atime, struct timespec mtime)
@@ -727,9 +874,15 @@ mac_vnode_check_setutimes(struct ucred *cred, struct vnode *vp,
MAC_CHECK(vnode_check_setutimes, cred, vp, vp->v_label, atime,
mtime);
+ MAC_CHECK_PROBE4(vnode_check_setutimes, error, cred, vp, &atime,
+ &mtime);
+
return (error);
}
+MAC_CHECK_PROBE_DEFINE3(vnode_check_stat, "struct ucred *", "struct ucred *",
+ "struct vnode *");
+
int
mac_vnode_check_stat(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp)
@@ -740,9 +893,15 @@ mac_vnode_check_stat(struct ucred *active_cred, struct ucred *file_cred,
MAC_CHECK(vnode_check_stat, active_cred, file_cred, vp,
vp->v_label);
+ MAC_CHECK_PROBE3(vnode_check_stat, error, active_cred, file_cred,
+ vp);
+
return (error);
}
+MAC_CHECK_PROBE_DEFINE4(vnode_check_unlink, "struct ucred *",
+ "struct vnode *", "struct vnode *", "struct componentname *");
+
int
mac_vnode_check_unlink(struct ucred *cred, struct vnode *dvp,
struct vnode *vp, struct componentname *cnp)
@@ -754,9 +913,14 @@ mac_vnode_check_unlink(struct ucred *cred, struct vnode *dvp,
MAC_CHECK(vnode_check_unlink, cred, dvp, dvp->v_label, vp,
vp->v_label, cnp);
+ MAC_CHECK_PROBE4(vnode_check_unlink, error, cred, dvp, vp, cnp);
+
return (error);
}
+MAC_CHECK_PROBE_DEFINE3(vnode_check_write, "struct ucred *",
+ "struct ucred *", "struct vnode *");
+
int
mac_vnode_check_write(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp)
@@ -767,6 +931,8 @@ mac_vnode_check_write(struct ucred *active_cred, struct ucred *file_cred,
MAC_CHECK(vnode_check_write, active_cred, file_cred, vp,
vp->v_label);
+ MAC_CHECK_PROBE3(vnode_check_write, error, active_cred, file_cred,
+ vp);
return (error);
}
@@ -786,12 +952,16 @@ mac_mount_create(struct ucred *cred, struct mount *mp)
MAC_PERFORM(mount_create, cred, mp, mp->mnt_label);
}
+MAC_CHECK_PROBE_DEFINE2(mount_check_stat, "struct ucred *",
+ "struct mount *");
+
int
mac_mount_check_stat(struct ucred *cred, struct mount *mount)
{
int error;
MAC_CHECK(mount_check_stat, cred, mount, mount->mnt_label);
+ MAC_CHECK_PROBE2(mount_check_stat, error, cred, mount);
return (error);
}