Diffstat (limited to 'sys/security')
-rw-r--r-- | sys/security/mac/mac_audit.c | 33 | ||||
-rw-r--r-- | sys/security/mac/mac_cred.c | 15 | ||||
-rw-r--r-- | sys/security/mac/mac_framework.c | 4 | ||||
-rw-r--r-- | sys/security/mac/mac_inet.c | 15 | ||||
-rw-r--r-- | sys/security/mac/mac_internal.h | 71 | ||||
-rw-r--r-- | sys/security/mac/mac_net.c | 15 | ||||
-rw-r--r-- | sys/security/mac/mac_pipe.c | 30 | ||||
-rw-r--r-- | sys/security/mac/mac_posix_sem.c | 34 | ||||
-rw-r--r-- | sys/security/mac/mac_posix_shm.c | 31 | ||||
-rw-r--r-- | sys/security/mac/mac_priv.c | 13 | ||||
-rw-r--r-- | sys/security/mac/mac_process.c | 58 | ||||
-rw-r--r-- | sys/security/mac/mac_socket.c | 56 | ||||
-rw-r--r-- | sys/security/mac/mac_system.c | 47 | ||||
-rw-r--r-- | sys/security/mac/mac_sysv_msg.c | 38 | ||||
-rw-r--r-- | sys/security/mac/mac_sysv_sem.c | 18 | ||||
-rw-r--r-- | sys/security/mac/mac_sysv_shm.c | 24 | ||||
-rw-r--r-- | sys/security/mac/mac_vfs.c | 172 |
17 files changed, 660 insertions, 14 deletions
diff --git a/sys/security/mac/mac_audit.c b/sys/security/mac/mac_audit.c index f3fc639..6310b04 100644 --- a/sys/security/mac/mac_audit.c +++ b/sys/security/mac/mac_audit.c @@ -1,5 +1,5 @@ /*- - * Copyright (c) 1999-2002 Robert N. M. Watson + * Copyright (c) 1999-2002, 2009 Robert N. M. Watson * Copyright (c) 2001 Ilmar S. Habibulin * Copyright (c) 2001-2004 Networks Associates Technology, Inc. * Copyright (c) 2006 SPARTA, Inc. @@ -15,6 +15,9 @@ * This software was enhanced by SPARTA ISSO under SPAWAR contract * N66001-04-C-6019 ("SEFOS"). * + * This software was developed at the University of Cambridge Computer + * Laboratory with support from a grant from Google, Inc. + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -40,8 +43,13 @@ #include <sys/cdefs.h> __FBSDID("$FreeBSD$"); +#include "opt_kdtrace.h" + #include <sys/param.h> +#include <sys/kernel.h> #include <sys/module.h> +#include <sys/queue.h> +#include <sys/sdt.h> #include <sys/vnode.h> #include <security/audit/audit.h> 
@@ -50,46 +58,64 @@ __FBSDID("$FreeBSD$"); #include <security/mac/mac_internal.h> #include <security/mac/mac_policy.h> +MAC_CHECK_PROBE_DEFINE2(proc_check_setaudit, "struct ucred *", + "struct auditinfo *"); + int mac_proc_check_setaudit(struct ucred *cred, struct auditinfo *ai) { int error; MAC_CHECK(proc_check_setaudit, cred, ai); + MAC_CHECK_PROBE2(proc_check_setaudit, error, cred, ai); return (error); } +MAC_CHECK_PROBE_DEFINE2(proc_check_setaudit_addr, "struct ucred *", + "struct auditinfo_addr *"); + int mac_proc_check_setaudit_addr(struct ucred *cred, struct auditinfo_addr *aia) { int error; MAC_CHECK(proc_check_setaudit_addr, cred, aia); + MAC_CHECK_PROBE2(proc_check_setaudit_addr, error, cred, aia); return (error); } +MAC_CHECK_PROBE_DEFINE2(proc_check_setauid, "struct ucred *", "uid_t"); + int mac_proc_check_setauid(struct ucred *cred, uid_t auid) { int error; MAC_CHECK(proc_check_setauid, cred, auid); + MAC_CHECK_PROBE2(proc_check_setauid, error, cred, auid); return (error); } +MAC_CHECK_PROBE_DEFINE3(system_check_audit, "struct ucred *", "void *", + "int"); + int mac_system_check_audit(struct ucred *cred, void *record, int length) { int error; MAC_CHECK(system_check_audit, cred, record, length); + MAC_CHECK_PROBE3(system_check_audit, error, cred, record, length); return (error); } +MAC_CHECK_PROBE_DEFINE2(system_check_auditctl, "struct ucred *", + "struct vnode *"); + int mac_system_check_auditctl(struct ucred *cred, struct vnode *vp) { 
@@ -99,18 +125,21 @@ mac_system_check_auditctl(struct ucred *cred, struct vnode *vp) ASSERT_VOP_LOCKED(vp, "mac_system_check_auditctl"); vl = (vp != NULL) ? vp->v_label : NULL; - MAC_CHECK(system_check_auditctl, cred, vp, vl); + MAC_CHECK_PROBE2(system_check_auditctl, error, cred, vp); return (error); } +MAC_CHECK_PROBE_DEFINE2(system_check_auditon, "struct ucred *", "int"); + int mac_system_check_auditon(struct ucred *cred, int cmd) { int error; MAC_CHECK(system_check_auditon, cred, cmd); + MAC_CHECK_PROBE2(system_check_auditon, error, cred, cmd); return (error); } diff --git a/sys/security/mac/mac_cred.c b/sys/security/mac/mac_cred.c index 4d46f9a..8cac7b3 100644 --- a/sys/security/mac/mac_cred.c +++ b/sys/security/mac/mac_cred.c @@ -1,5 +1,5 @@ /*- - * Copyright (c) 1999-2002, 2008 Robert N. M. Watson + * Copyright (c) 1999-2002, 2008-2009 Robert N. M. Watson * Copyright (c) 2001 Ilmar S. Habibulin * Copyright (c) 2001-2003 Networks Associates Technology, Inc. * Copyright (c) 2005 Samy Al Bahra @@ -18,6 +18,9 @@ * This software was enhanced by SPARTA ISSO under SPAWAR contract * N66001-04-C-6019 ("SEFOS"). * + * This software was developed at the University of Cambridge Computer + * Laboratory with support from a grant from Google, Inc. + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -43,6 +46,7 @@ #include <sys/cdefs.h> __FBSDID("$FreeBSD$"); +#include "opt_kdtrace.h" #include "opt_mac.h" #include <sys/param.h> @@ -55,6 +59,7 @@ __FBSDID("$FreeBSD$"); #include <sys/mac.h> #include <sys/proc.h> #include <sys/sbuf.h> +#include <sys/sdt.h> #include <sys/systm.h> #include <sys/vnode.h> #include <sys/mount.h> 
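Review bot: In the mac_system_check_auditctl() hunk the `- MAC_CHECK(system_check_auditctl, cred, vp, vl);` line is removed and only the probe is added in its place, so the new code consults no policy and returns `error` without ever assigning it. Every other entry point in this file keeps its MAC_CHECK and adds the probe after it; this one should read `MAC_CHECK(system_check_auditctl, cred, vp, vl);` followed by `MAC_CHECK_PROBE2(system_check_auditctl, error, cred, vp);`. That `vl` is now computed but never read is the compiler's hint that the call went missing. The declarations of `error` and `vl` for this function sit above the hunk.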
@@ -192,22 +197,30 @@ mac_cred_relabel(struct ucred *cred, struct label *newlabel) MAC_PERFORM(cred_relabel, cred, newlabel); } +MAC_CHECK_PROBE_DEFINE2(cred_check_relabel, "struct ucred *", + "struct label *"); + int mac_cred_check_relabel(struct ucred *cred, struct label *newlabel) { int error; MAC_CHECK(cred_check_relabel, cred, newlabel); + MAC_CHECK_PROBE2(cred_check_relabel, error, cred, newlabel); return (error); } +MAC_CHECK_PROBE_DEFINE2(cred_check_visible, "struct ucred *", + "struct ucred *"); + int mac_cred_check_visible(struct ucred *cr1, struct ucred *cr2) { int error; MAC_CHECK(cred_check_visible, cr1, cr2); + MAC_CHECK_PROBE2(cred_check_visible, error, cr1, cr2); return (error); } diff --git a/sys/security/mac/mac_framework.c b/sys/security/mac/mac_framework.c index c1e2e21..26bdd71 100644 --- a/sys/security/mac/mac_framework.c +++ b/sys/security/mac/mac_framework.c @@ -85,9 +85,11 @@ __FBSDID("$FreeBSD$"); #include <security/mac/mac_policy.h> /* - * DTrace SDT provider for MAC. + * DTrace SDT providers for MAC. */ SDT_PROVIDER_DEFINE(mac); +SDT_PROVIDER_DEFINE(mac_framework); + SDT_PROBE_DEFINE2(mac, kernel, policy, modevent, "int", "struct mac_policy_conf *mpc"); SDT_PROBE_DEFINE1(mac, kernel, policy, register, "struct mac_policy_conf *"); diff --git a/sys/security/mac/mac_inet.c b/sys/security/mac/mac_inet.c index b11f5b7..b62938b 100644 --- a/sys/security/mac/mac_inet.c +++ b/sys/security/mac/mac_inet.c @@ -1,5 +1,5 @@ /*- - * Copyright (c) 1999-2002, 2007 Robert N. M. Watson + * Copyright (c) 1999-2002, 2007, 2009 Robert N. M. Watson * Copyright (c) 2001 Ilmar S. Habibulin * Copyright (c) 2001-2004 Networks Associates Technology, Inc. * Copyright (c) 2006 SPARTA, Inc. 
@@ -17,6 +17,9 @@ * This software was enhanced by SPARTA ISSO under SPAWAR contract * N66001-04-C-6019 ("SEFOS"). * + * This software was developed at the University of Cambridge Computer + * Laboratory with support from a grant from Google, Inc. + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -42,6 +45,7 @@ #include <sys/cdefs.h> __FBSDID("$FreeBSD$"); +#include "opt_kdtrace.h" #include "opt_mac.h" #include <sys/param.h> @@ -50,6 +54,7 @@ __FBSDID("$FreeBSD$"); #include <sys/malloc.h> #include <sys/mutex.h> #include <sys/sbuf.h> +#include <sys/sdt.h> #include <sys/systm.h> #include <sys/mount.h> #include <sys/file.h> @@ -298,6 +303,9 @@ mac_ipq_update(struct mbuf *m, struct ipq *q) MAC_PERFORM(ipq_update, m, label, q, q->ipq_label); } +MAC_CHECK_PROBE_DEFINE2(inpcb_check_deliver, "struct inpcb *", + "struct mbuf *"); + int mac_inpcb_check_deliver(struct inpcb *inp, struct mbuf *m) { @@ -309,10 +317,14 @@ mac_inpcb_check_deliver(struct inpcb *inp, struct mbuf *m) label = mac_mbuf_to_label(m); MAC_CHECK(inpcb_check_deliver, inp, inp->inp_label, m, label); + MAC_CHECK_PROBE2(inpcb_check_deliver, error, inp, m); return (error); } +MAC_CHECK_PROBE_DEFINE2(inpcb_check_visible, "struct ucred *", + "struct inpcb *"); + int mac_inpcb_check_visible(struct ucred *cred, struct inpcb *inp) { @@ -321,6 +333,7 @@ mac_inpcb_check_visible(struct ucred *cred, struct inpcb *inp) INP_LOCK_ASSERT(inp); MAC_CHECK(inpcb_check_visible, cred, inp, inp->inp_label); + MAC_CHECK_PROBE2(inpcb_check_visible, error, cred, inp); return (error); } diff --git a/sys/security/mac/mac_internal.h b/sys/security/mac/mac_internal.h index 79544c3..34336fc 100644 --- a/sys/security/mac/mac_internal.h +++ b/sys/security/mac/mac_internal.h 
@@ -1,5 +1,5 @@ /*- - * Copyright (c) 1999-2002, 2006 Robert N. M. Watson + * Copyright (c) 1999-2002, 2006, 2009 Robert N. M. Watson * Copyright (c) 2001 Ilmar S. Habibulin * Copyright (c) 2001-2004 Networks Associates Technology, Inc. * Copyright (c) 2006 nCircle Network Security, Inc. @@ -21,6 +21,9 @@ * This software was enhanced by SPARTA ISSO under SPAWAR contract * N66001-04-C-6019 ("SEFOS"). * + * This software was developed at the University of Cambridge Computer + * Laboratory with support from a grant from Google, Inc. + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: 
@@ -60,6 +63,72 @@ SYSCTL_DECL(_security_mac); #endif /* SYSCTL_DECL */ /* + * MAC Framework SDT DTrace probe namespace, macros for declaring entry + * point probes, macros for invoking them. + */ +#ifdef SDT_PROVIDER_DECLARE +SDT_PROVIDER_DECLARE(mac); /* MAC Framework-level events. */ +SDT_PROVIDER_DECLARE(mac_framework); /* Entry points to MAC. */ + +#define MAC_CHECK_PROBE_DEFINE4(name, arg0, arg1, arg2, arg3) \ + SDT_PROBE_DEFINE5(mac_framework, kernel, name, mac_check_err, \ + "int", arg0, arg1, arg2, arg3); \ + SDT_PROBE_DEFINE5(mac_framework, kernel, name, mac_check_ok, \ + "int", arg0, arg1, arg2, arg3); + +#define MAC_CHECK_PROBE_DEFINE3(name, arg0, arg1, arg2) \ + SDT_PROBE_DEFINE4(mac_framework, kernel, name, mac_check_err, \ + "int", arg0, arg1, arg2); \ + SDT_PROBE_DEFINE4(mac_framework, kernel, name, mac_check_ok, \ + "int", arg0, arg1, arg2); + +#define MAC_CHECK_PROBE_DEFINE2(name, arg0, arg1) \ + SDT_PROBE_DEFINE3(mac_framework, kernel, name, mac_check_err, \ + "int", arg0, arg1); \ + SDT_PROBE_DEFINE3(mac_framework, kernel, name, mac_check_ok, \ + "int", arg0, arg1); + +#define MAC_CHECK_PROBE_DEFINE1(name, arg0) \ + SDT_PROBE_DEFINE2(mac_framework, kernel, name, mac_check_err, \ + "int", arg0); \ + SDT_PROBE_DEFINE2(mac_framework, kernel, name, mac_check_ok, \ + "int", arg0); + +#define MAC_CHECK_PROBE4(name, error, arg0, arg1, arg2, arg3) do { \ + if (error) { \ + SDT_PROBE(mac_framework, kernel, name, mac_check_err, \ + error, arg0, arg1, arg2, arg3); \ + } else { \ + SDT_PROBE(mac_framework, kernel, name, mac_check_ok, \ + 0, arg0, arg1, arg2, arg3); \ + } \ +} while (0) + +#define MAC_CHECK_PROBE3(name, error, arg0, arg1, arg2) \ + MAC_CHECK_PROBE4(name, error, arg0, arg1, arg2, 0) +#define MAC_CHECK_PROBE2(name, error, arg0, arg1) \ + MAC_CHECK_PROBE3(name, error, arg0, arg1, 0) +#define MAC_CHECK_PROBE1(name, error, arg0) \ + MAC_CHECK_PROBE2(name, error, arg0, 0) +#endif + +#define MAC_GRANT_PROBE_DEFINE2(name, arg0, arg1) \ + 
SDT_PROBE_DEFINE3(mac_framework, kernel, name, mac_grant_err, \ + "int", arg0, arg1); \ + SDT_PROBE_DEFINE3(mac_framework, kernel, name, mac_grant_ok, \ + "INT", arg0, arg1); + +#define MAC_GRANT_PROBE2(name, error, arg0, arg1) do { \ + if (error) { \ + SDT_PROBE(mac_framework, kernel, name, mac_grant_err, \ + error, arg0, arg1, 0, 0); \ + } else { \ + SDT_PROBE(mac_framework, kernel, name, mac_grant_ok, \ + error, arg0, arg1, 0, 0); \ + } \ +} while (0) + +/* * MAC Framework global types and typedefs. */ LIST_HEAD(mac_policy_list_head, mac_policy_conf); diff --git a/sys/security/mac/mac_net.c b/sys/security/mac/mac_net.c index 8e8afea..4fccbd7 100644 --- a/sys/security/mac/mac_net.c +++ b/sys/security/mac/mac_net.c @@ -1,5 +1,5 @@ /*- - * Copyright (c) 1999-2002 Robert N. M. Watson + * Copyright (c) 1999-2002, 2009 Robert N. M. Watson * Copyright (c) 2001 Ilmar S. Habibulin * Copyright (c) 2001-2004 Networks Associates Technology, Inc. * Copyright (c) 2006 SPARTA, Inc. @@ -17,6 +17,9 @@ * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), * as part of the DARPA CHATS research program. * + * This software was developed at the University of Cambridge Computer + * Laboratory with support from a grant from Google, Inc. + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -42,6 +45,7 @@ #include <sys/cdefs.h> __FBSDID("$FreeBSD$"); +#include "opt_kdtrace.h" #include "opt_mac.h" #include <sys/param.h> @@ -52,6 +56,7 @@ __FBSDID("$FreeBSD$"); #include <sys/mac.h> #include <sys/priv.h> #include <sys/sbuf.h> +#include <sys/sdt.h> #include <sys/systm.h> #include <sys/mount.h> #include <sys/file.h> @@ -324,6 +329,9 @@ mac_ifnet_create_mbuf(struct ifnet *ifp, struct mbuf *m) MAC_IFNET_UNLOCK(ifp); } +MAC_CHECK_PROBE_DEFINE2(bpfdesc_check_receive, "struct bpf_d *", + "struct ifnet *"); + int mac_bpfdesc_check_receive(struct bpf_d *d, struct ifnet *ifp) { 
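Review bot: In `MAC_GRANT_PROBE_DEFINE2` the `mac_grant_ok` probe declares its first argument type as `"INT"` while every other probe in this hunk uses `"int"`; that string is what consumers see as the argument type, so it should read `"int", arg0, arg1);`. The two MAC_GRANT_* macros are also placed after the `#endif` that closes `#ifdef SDT_PROVIDER_DECLARE`, unlike the MAC_CHECK_* family, so a translation unit that includes this header without sys/sdt.h gets MAC_GRANT_PROBE2 defined but not MAC_CHECK_PROBE2; moving the `#endif` below them keeps the two families under the same guard. Minor: the ok branch of MAC_GRANT_PROBE2 passes `error` where MAC_CHECK_PROBE4 passes a literal `0` — both are zero there, but mirroring MAC_CHECK_PROBE4 reads more clearly.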
@@ -333,11 +341,15 @@ mac_bpfdesc_check_receive(struct bpf_d *d, struct ifnet *ifp) MAC_IFNET_LOCK(ifp); MAC_CHECK(bpfdesc_check_receive, d, d->bd_label, ifp, ifp->if_label); + MAC_CHECK_PROBE2(bpfdesc_check_receive, error, d, ifp); MAC_IFNET_UNLOCK(ifp); return (error); } +MAC_CHECK_PROBE_DEFINE2(ifnet_check_transmit, "struct ifnet *", + "struct mbuf *"); + int mac_ifnet_check_transmit(struct ifnet *ifp, struct mbuf *m) { @@ -350,6 +362,7 @@ mac_ifnet_check_transmit(struct ifnet *ifp, struct mbuf *m) MAC_IFNET_LOCK(ifp); MAC_CHECK(ifnet_check_transmit, ifp, ifp->if_label, m, label); + MAC_CHECK_PROBE2(ifnet_check_transmit, error, ifp, m); MAC_IFNET_UNLOCK(ifp); return (error); diff --git a/sys/security/mac/mac_pipe.c b/sys/security/mac/mac_pipe.c index 1d8ce04..921fd20 100644 --- a/sys/security/mac/mac_pipe.c +++ b/sys/security/mac/mac_pipe.c @@ -1,6 +1,7 @@ /*- * Copyright (c) 2002-2003 Networks Associates Technology, Inc. * Copyright (c) 2006 SPARTA, Inc. + * Copyright (c) 2009 Robert N. M. Watson * All rights reserved. * * This software was developed for the FreeBSD Project in part by Network @@ -11,6 +12,9 @@ * This software was enhanced by SPARTA ISSO under SPAWAR contract * N66001-04-C-6019 ("SEFOS"). * + * This software was developed at the University of Cambridge Computer + * Laboratory with support from a grant from Google, Inc. + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -36,6 +40,7 @@ #include <sys/cdefs.h> __FBSDID("$FreeBSD$"); +#include "opt_kdtrace.h" #include "opt_mac.h" #include <sys/param.h> @@ -45,6 +50,7 @@ __FBSDID("$FreeBSD$"); #include <sys/module.h> #include <sys/mutex.h> #include <sys/sbuf.h> +#include <sys/sdt.h> #include <sys/systm.h> #include <sys/vnode.h> #include <sys/pipe.h> 
@@ -135,6 +141,9 @@ mac_pipe_relabel(struct ucred *cred, struct pipepair *pp, MAC_PERFORM(pipe_relabel, cred, pp, pp->pp_label, newlabel); } +MAC_CHECK_PROBE_DEFINE4(pipe_check_ioctl, "struct ucred *", + "struct pipepair *", "unsigned long", "void *"); + int mac_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp, unsigned long cmd, void *data) @@ -144,10 +153,14 @@ mac_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp, mtx_assert(&pp->pp_mtx, MA_OWNED); MAC_CHECK(pipe_check_ioctl, cred, pp, pp->pp_label, cmd, data); + MAC_CHECK_PROBE4(pipe_check_ioctl, error, cred, pp, cmd, data); return (error); } +MAC_CHECK_PROBE_DEFINE2(pipe_check_poll, "struct ucred *", + "struct pipepair *"); + int mac_pipe_check_poll(struct ucred *cred, struct pipepair *pp) { @@ -156,10 +169,14 @@ mac_pipe_check_poll(struct ucred *cred, struct pipepair *pp) mtx_assert(&pp->pp_mtx, MA_OWNED); MAC_CHECK(pipe_check_poll, cred, pp, pp->pp_label); + MAC_CHECK_PROBE2(pipe_check_poll, error, cred, pp); return (error); } +MAC_CHECK_PROBE_DEFINE2(pipe_check_read, "struct ucred *", + "struct pipepair *"); + int mac_pipe_check_read(struct ucred *cred, struct pipepair *pp) { @@ -168,10 +185,14 @@ mac_pipe_check_read(struct ucred *cred, struct pipepair *pp) mtx_assert(&pp->pp_mtx, MA_OWNED); MAC_CHECK(pipe_check_read, cred, pp, pp->pp_label); + MAC_CHECK_PROBE2(pipe_check_read, error, cred, pp); return (error); } +MAC_CHECK_PROBE_DEFINE3(pipe_check_relabel, "struct ucred *", + "struct pipepair *", "struct label *"); + static int mac_pipe_check_relabel(struct ucred *cred, struct pipepair *pp, struct label *newlabel) 
@@ -181,10 +202,14 @@ mac_pipe_check_relabel(struct ucred *cred, struct pipepair *pp, mtx_assert(&pp->pp_mtx, MA_OWNED); MAC_CHECK(pipe_check_relabel, cred, pp, pp->pp_label, newlabel); + MAC_CHECK_PROBE3(pipe_check_relabel, error, cred, pp, newlabel); return (error); } +MAC_CHECK_PROBE_DEFINE2(pipe_check_stat, "struct ucred *", + "struct pipepair *"); + int mac_pipe_check_stat(struct ucred *cred, struct pipepair *pp) { @@ -193,10 +218,14 @@ mac_pipe_check_stat(struct ucred *cred, struct pipepair *pp) mtx_assert(&pp->pp_mtx, MA_OWNED); MAC_CHECK(pipe_check_stat, cred, pp, pp->pp_label); + MAC_CHECK_PROBE2(pipe_check_stat, error, cred, pp); return (error); } +MAC_CHECK_PROBE_DEFINE2(pipe_check_write, "struct ucred *", + "struct pipepair *"); + int mac_pipe_check_write(struct ucred *cred, struct pipepair *pp) { @@ -205,6 +234,7 @@ mac_pipe_check_write(struct ucred *cred, struct pipepair *pp) mtx_assert(&pp->pp_mtx, MA_OWNED); MAC_CHECK(pipe_check_write, cred, pp, pp->pp_label); + MAC_CHECK_PROBE2(pipe_check_write, error, cred, pp); return (error); } diff --git a/sys/security/mac/mac_posix_sem.c b/sys/security/mac/mac_posix_sem.c index 1cda22c..2e3560d 100644 --- a/sys/security/mac/mac_posix_sem.c +++ b/sys/security/mac/mac_posix_sem.c @@ -1,5 +1,6 @@ /*- * Copyright (c) 2003-2006 SPARTA, Inc. + * Copyright (c) 2009 Robert N. M. Watson * All rights reserved. * * This software was developed for the FreeBSD Project in part by Network @@ -10,6 +11,9 @@ * This software was enhanced by SPARTA ISSO under SPAWAR contract * N66001-04-C-6019 ("SEFOS"). * + * This software was developed at the University of Cambridge Computer + * Laboratory with support from a grant from Google, Inc. + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -35,6 +39,7 @@ #include <sys/cdefs.h> __FBSDID("$FreeBSD$"); +#include "opt_kdtrace.h" #include "opt_mac.h" #include "opt_posix.h" 
@@ -43,6 +48,7 @@ __FBSDID("$FreeBSD$"); #include <sys/ksem.h> #include <sys/malloc.h> #include <sys/module.h> +#include <sys/sdt.h> #include <sys/systm.h> #include <sys/sysctl.h> @@ -95,16 +101,23 @@ mac_posixsem_create(struct ucred *cred, struct ksem *ks) MAC_PERFORM(posixsem_create, cred, ks, ks->ks_label); } +MAC_CHECK_PROBE_DEFINE2(posixsem_check_open, "struct ucred *", + "struct ksem *"); + int mac_posixsem_check_open(struct ucred *cred, struct ksem *ks) { int error; MAC_CHECK(posixsem_check_open, cred, ks, ks->ks_label); + MAC_CHECK_PROBE2(posixsem_check_open, error, cred, ks); return (error); } +MAC_CHECK_PROBE_DEFINE3(posixsem_check_getvalue, "struct ucred *", + "struct ucred *", "struct ksem *"); + int mac_posixsem_check_getvalue(struct ucred *active_cred, struct ucred *file_cred, struct ksem *ks) @@ -113,10 +126,15 @@ mac_posixsem_check_getvalue(struct ucred *active_cred, struct ucred *file_cred, MAC_CHECK(posixsem_check_getvalue, active_cred, file_cred, ks, ks->ks_label); + MAC_CHECK_PROBE3(posixsem_check_getvalue, error, active_cred, + file_cred, ks); return (error); } +MAC_CHECK_PROBE_DEFINE3(posixsem_check_post, "struct ucred *", + "struct ucred *", "struct ksem *"); + int mac_posixsem_check_post(struct ucred *active_cred, struct ucred *file_cred, struct ksem *ks) @@ -125,10 +143,15 @@ mac_posixsem_check_post(struct ucred *active_cred, struct ucred *file_cred, MAC_CHECK(posixsem_check_post, active_cred, file_cred, ks, ks->ks_label); + MAC_CHECK_PROBE3(posixsem_check_post, error, active_cred, file_cred, + ks); return (error); } +MAC_CHECK_PROBE_DEFINE3(posixsem_check_stat, "struct ucred *", + "struct ucred *", "struct ksem *"); + int mac_posixsem_check_stat(struct ucred *active_cred, struct ucred *file_cred, struct ksem *ks) 
@@ -137,20 +160,29 @@ mac_posixsem_check_stat(struct ucred *active_cred, struct ucred *file_cred, MAC_CHECK(posixsem_check_stat, active_cred, file_cred, ks, ks->ks_label); + MAC_CHECK_PROBE3(posixsem_check_stat, error, active_cred, file_cred, + ks); return (error); } +MAC_CHECK_PROBE_DEFINE2(posixsem_check_unlink, "struct ucred *", + "struct ksem *"); + int mac_posixsem_check_unlink(struct ucred *cred, struct ksem *ks) { int error; MAC_CHECK(posixsem_check_unlink, cred, ks, ks->ks_label); + MAC_CHECK_PROBE2(posixsem_check_unlink, error, cred, ks); return (error); } +MAC_CHECK_PROBE_DEFINE3(posixsem_check_wait, "struct ucred *", + "struct ucred *", "struct ksem *"); + int mac_posixsem_check_wait(struct ucred *active_cred, struct ucred *file_cred, struct ksem *ks) @@ -159,6 +191,8 @@ mac_posixsem_check_wait(struct ucred *active_cred, struct ucred *file_cred, MAC_CHECK(posixsem_check_wait, active_cred, file_cred, ks, ks->ks_label); + MAC_CHECK_PROBE3(posixsem_check_wait, error, active_cred, file_cred, + ks); return (error); } diff --git a/sys/security/mac/mac_posix_shm.c b/sys/security/mac/mac_posix_shm.c index 97587ad..913cb43 100644 --- a/sys/security/mac/mac_posix_shm.c +++ b/sys/security/mac/mac_posix_shm.c @@ -1,5 +1,6 @@ /*- * Copyright (c) 2003-2006 SPARTA, Inc. + * Copyright (c) 2009 Robert N. M. Watson * All rights reserved. * * This software was developed for the FreeBSD Project in part by Network @@ -8,7 +9,10 @@ * as part of the DARPA CHATS research program. * * This software was enhanced by SPARTA ISSO under SPAWAR contract - * N66001-04-C-6019 ("SEFOS"). + * N66001-04-C-6019 ("SEFOS"). * + * + * This software was developed at the University of Cambridge Computer + * Laboratory with support from a grant from Google, Inc. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions 
@@ -35,6 +39,7 @@ #include <sys/cdefs.h> __FBSDID("$FreeBSD$"); +#include "opt_kdtrace.h" #include "opt_mac.h" #include <sys/param.h> @@ -42,6 +47,7 @@ __FBSDID("$FreeBSD$"); #include <sys/mman.h> #include <sys/malloc.h> #include <sys/module.h> +#include <sys/sdt.h> #include <sys/systm.h> #include <sys/sysctl.h> @@ -94,6 +100,9 @@ mac_posixshm_create(struct ucred *cred, struct shmfd *shmfd) MAC_PERFORM(posixshm_create, cred, shmfd, shmfd->shm_label); } +MAC_CHECK_PROBE_DEFINE4(posixshm_check_mmap, "struct ucred *", + "struct shmfd *", "int", "int"); + int mac_posixshm_check_mmap(struct ucred *cred, struct shmfd *shmfd, int prot, int flags) @@ -102,20 +111,29 @@ mac_posixshm_check_mmap(struct ucred *cred, struct shmfd *shmfd, int prot, MAC_CHECK(posixshm_check_mmap, cred, shmfd, shmfd->shm_label, prot, flags); + MAC_CHECK_PROBE4(posixshm_check_mmap, error, cred, shmfd, prot, + flags); return (error); } +MAC_CHECK_PROBE_DEFINE2(posixshm_check_open, "struct ucred *", + "struct shmfd *"); + int mac_posixshm_check_open(struct ucred *cred, struct shmfd *shmfd) { int error; MAC_CHECK(posixshm_check_open, cred, shmfd, shmfd->shm_label); + MAC_CHECK_PROBE2(posixshm_check_open, error, cred, shmfd); return (error); } +MAC_CHECK_PROBE_DEFINE3(posixshm_check_stat, "struct ucred *", + "struct ucred *", "struct shmfd *"); + int mac_posixshm_check_stat(struct ucred *active_cred, struct ucred *file_cred, struct shmfd *shmfd) @@ -124,10 +142,15 @@ mac_posixshm_check_stat(struct ucred *active_cred, struct ucred *file_cred, MAC_CHECK(posixshm_check_stat, active_cred, file_cred, shmfd, shmfd->shm_label); + MAC_CHECK_PROBE3(posixshm_check_stat, error, active_cred, file_cred, + shmfd); return (error); } +MAC_CHECK_PROBE_DEFINE3(posixshm_check_truncate, "struct ucred *", + "struct ucred *", "struct shmfd *"); + int mac_posixshm_check_truncate(struct ucred *active_cred, struct ucred *file_cred, struct shmfd *shmfd) 
@@ -136,16 +159,22 @@ mac_posixshm_check_truncate(struct ucred *active_cred, struct ucred *file_cred, MAC_CHECK(posixshm_check_truncate, active_cred, file_cred, shmfd, shmfd->shm_label); + MAC_CHECK_PROBE3(posixshm_check_truncate, error, active_cred, + file_cred, shmfd); return (error); } +MAC_CHECK_PROBE_DEFINE2(posixshm_check_unlink, "struct ucred *", + "struct shmfd *"); + int mac_posixshm_check_unlink(struct ucred *cred, struct shmfd *shmfd) { int error; MAC_CHECK(posixshm_check_unlink, cred, shmfd, shmfd->shm_label); + MAC_CHECK_PROBE2(posixshm_check_unlink, error, cred, shmfd); return (error); } diff --git a/sys/security/mac/mac_priv.c b/sys/security/mac/mac_priv.c index 745695c..f12b020 100644 --- a/sys/security/mac/mac_priv.c +++ b/sys/security/mac/mac_priv.c @@ -1,10 +1,14 @@ /*- * Copyright (c) 2006 nCircle Network Security, Inc. + * Copyright (c) 2009 Robert N. M. Watson * All rights reserved. * * This software was developed by Robert N. M. Watson for the TrustedBSD * Project under contract to nCircle Network Security, Inc. * + * This software was developed at the University of Cambridge Computer + * Laboratory with support from a grant from Google, Inc. + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -34,10 +38,13 @@ #include "sys/cdefs.h" __FBSDID("$FreeBSD$"); +#include "opt_kdtrace.h" #include "opt_mac.h" #include <sys/param.h> +#include <sys/kernel.h> #include <sys/priv.h> +#include <sys/sdt.h> #include <sys/module.h> #include <security/mac/mac_framework.h> @@ -54,6 +61,8 @@ __FBSDID("$FreeBSD$"); * composition. */ +MAC_CHECK_PROBE_DEFINE2(priv_check, "struct ucred *", "int"); + /* * Restrict access to a privilege for a credential. Return failure if any * policy denies access. 
@@ -64,10 +73,13 @@ mac_priv_check(struct ucred *cred, int priv) int error; MAC_CHECK(priv_check, cred, priv); + MAC_CHECK_PROBE2(priv_check, error, cred, priv); return (error); } +MAC_GRANT_PROBE_DEFINE2(priv_grant, "struct ucred *", "int"); + /* * Grant access to a privilege for a credential. Return success if any * policy grants access. @@ -78,6 +90,7 @@ mac_priv_grant(struct ucred *cred, int priv) int error; MAC_GRANT(priv_grant, cred, priv); + MAC_GRANT_PROBE2(priv_grant, error, cred, priv); return (error); } diff --git a/sys/security/mac/mac_process.c b/sys/security/mac/mac_process.c index fe8c397..0a98585 100644 --- a/sys/security/mac/mac_process.c +++ b/sys/security/mac/mac_process.c @@ -1,5 +1,5 @@ /*- - * Copyright (c) 1999-2002, 2008 Robert N. M. Watson + * Copyright (c) 1999-2002, 2008-2009 Robert N. M. Watson * Copyright (c) 2001 Ilmar S. Habibulin * Copyright (c) 2001-2003 Networks Associates Technology, Inc. * Copyright (c) 2005 Samy Al Bahra @@ -18,6 +18,9 @@ * This software was enhanced by SPARTA ISSO under SPAWAR contract * N66001-04-C-6019 ("SEFOS"). * + * This software was developed at the University of Cambridge Computer + * Laboratory with support from a grant from Google, Inc. + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -43,6 +46,7 @@ #include <sys/cdefs.h> __FBSDID("$FreeBSD$"); +#include "opt_kdtrace.h" #include "opt_mac.h" #include <sys/param.h> @@ -55,6 +59,7 @@ __FBSDID("$FreeBSD$"); #include <sys/mac.h> #include <sys/proc.h> #include <sys/sbuf.h> +#include <sys/sdt.h> #include <sys/systm.h> #include <sys/vnode.h> #include <sys/mount.h> @@ -373,6 +378,8 @@ mac_proc_vm_revoke_recurse(struct thread *td, struct ucred *cred, vm_map_unlock(map); } +MAC_CHECK_PROBE_DEFINE2(proc_check_debug, "struct ucred *", "struct proc *"); + int mac_proc_check_debug(struct ucred *cred, struct proc *p) { 
@@ -381,10 +388,13 @@ mac_proc_check_debug(struct ucred *cred, struct proc *p) PROC_LOCK_ASSERT(p, MA_OWNED); MAC_CHECK(proc_check_debug, cred, p); + MAC_CHECK_PROBE2(proc_check_debug, error, cred, p); return (error); } +MAC_CHECK_PROBE_DEFINE2(proc_check_sched, "struct ucred *", "struct proc *"); + int mac_proc_check_sched(struct ucred *cred, struct proc *p) { @@ -393,10 +403,14 @@ mac_proc_check_sched(struct ucred *cred, struct proc *p) PROC_LOCK_ASSERT(p, MA_OWNED); MAC_CHECK(proc_check_sched, cred, p); + MAC_CHECK_PROBE2(proc_check_sched, error, cred, p); return (error); } +MAC_CHECK_PROBE_DEFINE3(proc_check_signal, "struct ucred *", "struct proc *", + "int"); + int mac_proc_check_signal(struct ucred *cred, struct proc *p, int signum) { @@ -405,10 +419,13 @@ mac_proc_check_signal(struct ucred *cred, struct proc *p, int signum) PROC_LOCK_ASSERT(p, MA_OWNED); MAC_CHECK(proc_check_signal, cred, p, signum); + MAC_CHECK_PROBE3(proc_check_signal, error, cred, p, signum); return (error); } +MAC_CHECK_PROBE_DEFINE2(proc_check_setuid, "struct ucred *", "uid_t"); + int mac_proc_check_setuid(struct proc *p, struct ucred *cred, uid_t uid) { @@ -417,9 +434,13 @@ mac_proc_check_setuid(struct proc *p, struct ucred *cred, uid_t uid) PROC_LOCK_ASSERT(p, MA_OWNED); MAC_CHECK(proc_check_setuid, cred, uid); + MAC_CHECK_PROBE2(proc_check_setuid, error, cred, uid); + return (error); } +MAC_CHECK_PROBE_DEFINE2(proc_check_seteuid, "struct ucred *", "uid_t"); + int mac_proc_check_seteuid(struct proc *p, struct ucred *cred, uid_t euid) { @@ -428,9 +449,13 @@ mac_proc_check_seteuid(struct proc *p, struct ucred *cred, uid_t euid) PROC_LOCK_ASSERT(p, MA_OWNED); MAC_CHECK(proc_check_seteuid, cred, euid); + MAC_CHECK_PROBE2(proc_check_seteuid, error, cred, euid); + return (error); } +MAC_CHECK_PROBE_DEFINE2(proc_check_setgid, "struct ucred *", "gid_t"); + int mac_proc_check_setgid(struct proc *p, struct ucred *cred, gid_t gid) { 
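Review bot: The mac_proc_check_setuid and mac_proc_check_seteuid hunks add a blank line between the new `MAC_CHECK_PROBE2(...)` and `return (error);`, while the debug, sched, signal, setgid and setegid hunks around them put the return directly after the probe; the setgroups and setresuid hunks further down follow the setuid form. Picking one layout for all of the entry points in this file — the no-blank form matches the existing style of mac_audit.c, mac_cred.c and mac_pipe.c in this same commit — would avoid the mixed spacing.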
@@ -439,10 +464,13 @@ mac_proc_check_setgid(struct proc *p, struct ucred *cred, gid_t gid) PROC_LOCK_ASSERT(p, MA_OWNED); MAC_CHECK(proc_check_setgid, cred, gid); + MAC_CHECK_PROBE2(proc_check_setgid, error, cred, gid); return (error); } +MAC_CHECK_PROBE_DEFINE2(proc_check_setegid, "struct ucred *", "gid_t"); + int mac_proc_check_setegid(struct proc *p, struct ucred *cred, gid_t egid) { @@ -451,10 +479,14 @@ mac_proc_check_setegid(struct proc *p, struct ucred *cred, gid_t egid) PROC_LOCK_ASSERT(p, MA_OWNED); MAC_CHECK(proc_check_setegid, cred, egid); + MAC_CHECK_PROBE2(proc_check_setegid, error, cred, egid); return (error); } +MAC_CHECK_PROBE_DEFINE3(proc_check_setgroups, "struct ucred *", "int", + "gid_t *"); + int mac_proc_check_setgroups(struct proc *p, struct ucred *cred, int ngroups, gid_t *gidset) @@ -464,9 +496,14 @@ mac_proc_check_setgroups(struct proc *p, struct ucred *cred, int ngroups, PROC_LOCK_ASSERT(p, MA_OWNED); MAC_CHECK(proc_check_setgroups, cred, ngroups, gidset); + MAC_CHECK_PROBE3(proc_check_setgroups, error, cred, ngroups, gidset); + return (error); } +MAC_CHECK_PROBE_DEFINE3(proc_check_setreuid, "struct ucred *", "uid_t", + "uid_t"); + int mac_proc_check_setreuid(struct proc *p, struct ucred *cred, uid_t ruid, uid_t euid) @@ -476,10 +513,14 @@ mac_proc_check_setreuid(struct proc *p, struct ucred *cred, uid_t ruid, PROC_LOCK_ASSERT(p, MA_OWNED); MAC_CHECK(proc_check_setreuid, cred, ruid, euid); + MAC_CHECK_PROBE3(proc_check_setreuid, error, cred, ruid, euid); return (error); } +MAC_CHECK_PROBE_DEFINE3(proc_check_setregid, "struct ucred *", "gid_t", + "gid_t"); + int mac_proc_check_setregid(struct proc *proc, struct ucred *cred, gid_t rgid, gid_t egid) 
@@ -489,10 +530,14 @@ mac_proc_check_setregid(struct proc *proc, struct ucred *cred, gid_t rgid, PROC_LOCK_ASSERT(proc, MA_OWNED); MAC_CHECK(proc_check_setregid, cred, rgid, egid); + MAC_CHECK_PROBE3(proc_check_setregid, error, cred, rgid, egid); return (error); } +MAC_CHECK_PROBE_DEFINE4(proc_check_setresuid, "struct ucred *", "uid_t", + "uid_t", "uid_t"); + int mac_proc_check_setresuid(struct proc *p, struct ucred *cred, uid_t ruid, uid_t euid, uid_t suid) @@ -502,9 +547,15 @@ mac_proc_check_setresuid(struct proc *p, struct ucred *cred, uid_t ruid, PROC_LOCK_ASSERT(p, MA_OWNED); MAC_CHECK(proc_check_setresuid, cred, ruid, euid, suid); + MAC_CHECK_PROBE4(proc_check_setresuid, error, cred, ruid, euid, + suid); + return (error); } +MAC_CHECK_PROBE_DEFINE4(proc_check_setresgid, "struct ucred *", "gid_t", + "gid_t", "gid_t"); + int mac_proc_check_setresgid(struct proc *p, struct ucred *cred, gid_t rgid, gid_t egid, gid_t sgid) @@ -514,10 +565,14 @@ mac_proc_check_setresgid(struct proc *p, struct ucred *cred, gid_t rgid, PROC_LOCK_ASSERT(p, MA_OWNED); MAC_CHECK(proc_check_setresgid, cred, rgid, egid, sgid); + MAC_CHECK_PROBE4(proc_check_setresgid, error, cred, rgid, egid, + sgid); return (error); } +MAC_CHECK_PROBE_DEFINE2(proc_check_wait, "struct ucred *", "struct proc *"); + int mac_proc_check_wait(struct ucred *cred, struct proc *p) { @@ -526,6 +581,7 @@ mac_proc_check_wait(struct ucred *cred, struct proc *p) PROC_LOCK_ASSERT(p, MA_OWNED); MAC_CHECK(proc_check_wait, cred, p); + MAC_CHECK_PROBE2(proc_check_wait, error, cred, p); return (error); } diff --git a/sys/security/mac/mac_socket.c b/sys/security/mac/mac_socket.c index fe297ce..fa4a970 100644 --- a/sys/security/mac/mac_socket.c +++ b/sys/security/mac/mac_socket.c 
@@ -1,5 +1,5 @@ /*- - * Copyright (c) 1999-2002 Robert N. M. Watson + * Copyright (c) 1999-2002, 2009 Robert N. M. Watson * Copyright (c) 2001 Ilmar S. Habibulin * Copyright (c) 2001-2005 Networks Associates Technology, Inc. * Copyright (c) 2005-2006 SPARTA, Inc. @@ -17,6 +17,9 @@ * This software was enhanced by SPARTA ISSO under SPAWAR contract * N66001-04-C-6019 ("SEFOS"). * + * This software was developed at the University of Cambridge Computer + * Laboratory with support from a grant from Google, Inc. + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -42,6 +45,7 @@ #include <sys/cdefs.h> __FBSDID("$FreeBSD$"); +#include "opt_kdtrace.h" #include "opt_mac.h" #include <sys/param.h> @@ -51,6 +55,7 @@ __FBSDID("$FreeBSD$"); #include <sys/mutex.h> #include <sys/mac.h> #include <sys/sbuf.h> +#include <sys/sdt.h> #include <sys/systm.h> #include <sys/mount.h> #include <sys/file.h> @@ -276,6 +281,9 @@ mac_socket_create_mbuf(struct socket *so, struct mbuf *m) MAC_PERFORM(socket_create_mbuf, so, so->so_label, m, label); } +MAC_CHECK_PROBE_DEFINE2(socket_check_accept, "struct ucred *", + "struct socket *"); + int mac_socket_check_accept(struct ucred *cred, struct socket *so) { @@ -284,10 +292,14 @@ mac_socket_check_accept(struct ucred *cred, struct socket *so) SOCK_LOCK_ASSERT(so); MAC_CHECK(socket_check_accept, cred, so, so->so_label); + MAC_CHECK_PROBE2(socket_check_accept, error, cred, so); return (error); } +MAC_CHECK_PROBE_DEFINE3(socket_check_bind, "struct ucred *", + "struct socket *", "struct sockaddr *"); + int mac_socket_check_bind(struct ucred *ucred, struct socket *so, struct sockaddr *sa) 
@@ -297,10 +309,14 @@ mac_socket_check_bind(struct ucred *ucred, struct socket *so, SOCK_LOCK_ASSERT(so); MAC_CHECK(socket_check_bind, ucred, so, so->so_label, sa); + MAC_CHECK_PROBE3(socket_check_bind, error, ucred, so, sa); return (error); } +MAC_CHECK_PROBE_DEFINE3(socket_check_connect, "struct ucred *", + "struct socket *", "struct sockaddr *"); + int mac_socket_check_connect(struct ucred *cred, struct socket *so, struct sockaddr *sa) @@ -310,20 +326,29 @@ mac_socket_check_connect(struct ucred *cred, struct socket *so, SOCK_LOCK_ASSERT(so); MAC_CHECK(socket_check_connect, cred, so, so->so_label, sa); + MAC_CHECK_PROBE3(socket_check_connect, error, cred, so, sa); return (error); } +MAC_CHECK_PROBE_DEFINE4(socket_check_create, "struct ucred *", "int", "int", + "int"); + int mac_socket_check_create(struct ucred *cred, int domain, int type, int proto) { int error; MAC_CHECK(socket_check_create, cred, domain, type, proto); + MAC_CHECK_PROBE4(socket_check_create, error, cred, domain, type, + proto); return (error); } +MAC_CHECK_PROBE_DEFINE2(socket_check_deliver, "struct socket *", + "struct mbuf *"); + int mac_socket_check_deliver(struct socket *so, struct mbuf *m) { @@ -335,10 +360,14 @@ mac_socket_check_deliver(struct socket *so, struct mbuf *m) label = mac_mbuf_to_label(m); MAC_CHECK(socket_check_deliver, so, so->so_label, m, label); + MAC_CHECK_PROBE2(socket_check_deliver, error, so, m); return (error); } +MAC_CHECK_PROBE_DEFINE2(socket_check_listen, "struct ucred *", + "struct socket *"); + int mac_socket_check_listen(struct ucred *cred, struct socket *so) { @@ -347,10 +376,14 @@ mac_socket_check_listen(struct ucred *cred, struct socket *so) SOCK_LOCK_ASSERT(so); MAC_CHECK(socket_check_listen, cred, so, so->so_label); + MAC_CHECK_PROBE2(socket_check_listen, error, cred, so); return (error); } +MAC_CHECK_PROBE_DEFINE2(socket_check_poll, "struct ucred *", + "struct socket *"); + int mac_socket_check_poll(struct ucred *cred, struct socket *so) { 
@@ -359,10 +392,14 @@ mac_socket_check_poll(struct ucred *cred, struct socket *so) SOCK_LOCK_ASSERT(so); MAC_CHECK(socket_check_poll, cred, so, so->so_label); + MAC_CHECK_PROBE2(socket_check_poll, error, cred, so); return (error); } +MAC_CHECK_PROBE_DEFINE2(socket_check_receive, "struct ucred *", + "struct socket *"); + int mac_socket_check_receive(struct ucred *cred, struct socket *so) { @@ -371,10 +408,14 @@ mac_socket_check_receive(struct ucred *cred, struct socket *so) SOCK_LOCK_ASSERT(so); MAC_CHECK(socket_check_receive, cred, so, so->so_label); + MAC_CHECK_PROBE2(socket_check_receive, error, cred, so); return (error); } +MAC_CHECK_PROBE_DEFINE3(socket_check_relabel, "struct ucred *", + "struct socket *", "struct label *"); + static int mac_socket_check_relabel(struct ucred *cred, struct socket *so, struct label *newlabel) @@ -384,10 +425,14 @@ mac_socket_check_relabel(struct ucred *cred, struct socket *so, SOCK_LOCK_ASSERT(so); MAC_CHECK(socket_check_relabel, cred, so, so->so_label, newlabel); + MAC_CHECK_PROBE3(socket_check_relabel, error, cred, so, newlabel); return (error); } +MAC_CHECK_PROBE_DEFINE2(socket_check_send, "struct ucred *", + "struct socket *"); + int mac_socket_check_send(struct ucred *cred, struct socket *so) { @@ -396,10 +441,14 @@ mac_socket_check_send(struct ucred *cred, struct socket *so) SOCK_LOCK_ASSERT(so); MAC_CHECK(socket_check_send, cred, so, so->so_label); + MAC_CHECK_PROBE2(socket_check_send, error, cred, so); return (error); } +MAC_CHECK_PROBE_DEFINE2(socket_check_stat, "struct ucred *", + "struct socket *"); + int mac_socket_check_stat(struct ucred *cred, struct socket *so) { 
@@ -408,10 +457,14 @@ mac_socket_check_stat(struct ucred *cred, struct socket *so) SOCK_LOCK_ASSERT(so); MAC_CHECK(socket_check_stat, cred, so, so->so_label); + MAC_CHECK_PROBE2(socket_check_stat, error, cred, so); return (error); } +MAC_CHECK_PROBE_DEFINE2(socket_check_visible, "struct ucred *", + "struct socket *"); + int mac_socket_check_visible(struct ucred *cred, struct socket *so) { @@ -420,6 +473,7 @@ mac_socket_check_visible(struct ucred *cred, struct socket *so) SOCK_LOCK_ASSERT(so); MAC_CHECK(socket_check_visible, cred, so, so->so_label); + MAC_CHECK_PROBE2(socket_check_visible, error, cred, so); return (error); } diff --git a/sys/security/mac/mac_system.c b/sys/security/mac/mac_system.c index 588e019..a8e351e 100644 --- a/sys/security/mac/mac_system.c +++ b/sys/security/mac/mac_system.c @@ -1,7 +1,7 @@ /*- * Copyright (c) 2002-2003 Networks Associates Technology, Inc. * Copyright (c) 2006 SPARTA, Inc. - * Copyright (c) 2007 Robert N. M. Watson + * Copyright (c) 2007, 2009 Robert N. M. Watson * All rights reserved. * * This software was developed for the FreeBSD Project in part by Network @@ -15,6 +15,9 @@ * This software was enhanced by SPARTA ISSO under SPAWAR contract * N66001-04-C-6019 ("SEFOS"). * + * This software was developed at the University of Cambridge Computer + * Laboratory with support from a grant from Google, Inc. + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -50,6 +53,7 @@ #include <sys/cdefs.h> __FBSDID("$FreeBSD$"); +#include "opt_kdtrace.h" #include "opt_mac.h" #include <sys/param.h> @@ -58,6 +62,7 @@ __FBSDID("$FreeBSD$"); #include <sys/malloc.h> #include <sys/module.h> #include <sys/mutex.h> +#include <sys/sdt.h> #include <sys/systm.h> #include <sys/vnode.h> #include <sys/sysctl.h> 
@@ -66,46 +71,61 @@ __FBSDID("$FreeBSD$"); #include <security/mac/mac_internal.h> #include <security/mac/mac_policy.h> +MAC_CHECK_PROBE_DEFINE1(kenv_check_dump, "struct ucred *"); + int mac_kenv_check_dump(struct ucred *cred) { int error; MAC_CHECK(kenv_check_dump, cred); + MAC_CHECK_PROBE1(kenv_check_dump, error, cred); return (error); } +MAC_CHECK_PROBE_DEFINE2(kenv_check_get, "struct ucred *", "char *"); + int mac_kenv_check_get(struct ucred *cred, char *name) { int error; MAC_CHECK(kenv_check_get, cred, name); + MAC_CHECK_PROBE2(kenv_check_get, error, cred, name); return (error); } +MAC_CHECK_PROBE_DEFINE3(kenv_check_set, "struct ucred *", "char *", + "char *"); + int mac_kenv_check_set(struct ucred *cred, char *name, char *value) { int error; MAC_CHECK(kenv_check_set, cred, name, value); + MAC_CHECK_PROBE3(kenv_check_set, error, cred, name, value); return (error); } +MAC_CHECK_PROBE_DEFINE2(kenv_check_unset, "struct ucred *", "char *"); + int mac_kenv_check_unset(struct ucred *cred, char *name) { int error; MAC_CHECK(kenv_check_unset, cred, name); + MAC_CHECK_PROBE2(kenv_check_unset, error, cred, name); return (error); } +MAC_CHECK_PROBE_DEFINE2(kld_check_load, "struct ucred *", "struct vnode *"); + int mac_kld_check_load(struct ucred *cred, struct vnode *vp) { @@ -114,20 +134,27 @@ mac_kld_check_load(struct ucred *cred, struct vnode *vp) ASSERT_VOP_LOCKED(vp, "mac_kld_check_load"); MAC_CHECK(kld_check_load, cred, vp, vp->v_label); + MAC_CHECK_PROBE2(kld_check_load, error, cred, vp); return (error); } +MAC_CHECK_PROBE_DEFINE1(kld_check_stat, "struct ucred *"); + int mac_kld_check_stat(struct ucred *cred) { int error; MAC_CHECK(kld_check_stat, cred); + MAC_CHECK_PROBE1(kld_check_stat, error, cred); return (error); } +MAC_CHECK_PROBE_DEFINE2(system_check_acct, "struct ucred *", + "struct vnode *"); + int mac_system_check_acct(struct ucred *cred, struct vnode *vp) { 
@@ -139,20 +166,27 @@ mac_system_check_acct(struct ucred *cred, struct vnode *vp) MAC_CHECK(system_check_acct, cred, vp, vp != NULL ? vp->v_label : NULL); + MAC_CHECK_PROBE2(system_check_acct, error, cred, vp); return (error); } +MAC_CHECK_PROBE_DEFINE2(system_check_reboot, "struct ucred *", "int"); + int mac_system_check_reboot(struct ucred *cred, int howto) { int error; MAC_CHECK(system_check_reboot, cred, howto); + MAC_CHECK_PROBE2(system_check_reboot, error, cred, howto); return (error); } +MAC_CHECK_PROBE_DEFINE2(system_check_swapon, "struct ucred *", + "struct vnode *"); + int mac_system_check_swapon(struct ucred *cred, struct vnode *vp) { @@ -161,9 +195,14 @@ mac_system_check_swapon(struct ucred *cred, struct vnode *vp) ASSERT_VOP_LOCKED(vp, "mac_system_check_swapon"); MAC_CHECK(system_check_swapon, cred, vp, vp->v_label); + MAC_CHECK_PROBE2(system_check_swapon, error, cred, vp); + return (error); } +MAC_CHECK_PROBE_DEFINE2(system_check_swapoff, "struct ucred *", + "struct vnode *"); + int mac_system_check_swapoff(struct ucred *cred, struct vnode *vp) { @@ -172,9 +211,14 @@ mac_system_check_swapoff(struct ucred *cred, struct vnode *vp) ASSERT_VOP_LOCKED(vp, "mac_system_check_swapoff"); MAC_CHECK(system_check_swapoff, cred, vp, vp->v_label); + MAC_CHECK_PROBE2(system_check_swapoff, error, cred, vp); + return (error); } +MAC_CHECK_PROBE_DEFINE3(system_check_sysctl, "struct ucred *", + "struct sysctl_oid *", "struct sysctl_req *"); + int mac_system_check_sysctl(struct ucred *cred, struct sysctl_oid *oidp, void *arg1, int arg2, struct sysctl_req *req) @@ -186,6 +230,7 @@ mac_system_check_sysctl(struct ucred *cred, struct sysctl_oid *oidp, * but since it's not exported from kern_sysctl.c, we can't. */ MAC_CHECK(system_check_sysctl, cred, oidp, arg1, arg2, req); + MAC_CHECK_PROBE3(system_check_sysctl, error, cred, oidp, req); return (error); } diff --git a/sys/security/mac/mac_sysv_msg.c b/sys/security/mac/mac_sysv_msg.c index 2c5bbca..1053871 100644 
--- a/sys/security/mac/mac_sysv_msg.c +++ b/sys/security/mac/mac_sysv_msg.c @@ -2,6 +2,7 @@ * Copyright (c) 2003-2004 Networks Associates Technology, Inc. * Copyright (c) 2006 SPARTA, Inc. * Copyright (c) 2008 Apple Inc. + * Copyright (c) 2009 Robert N. M. Watson * All rights reserved. * * This software was developed for the FreeBSD Project in part by Network @@ -12,6 +13,9 @@ * This software was enhanced by SPARTA ISSO under SPAWAR contract * N66001-04-C-6019 ("SEFOS"). * + * This software was developed at the University of Cambridge Computer + * Laboratory with support from a grant from Google, Inc. + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -37,6 +41,7 @@ #include <sys/cdefs.h> __FBSDID("$FreeBSD$"); +#include "opt_kdtrace.h" #include "opt_mac.h" #include <sys/param.h> @@ -45,6 +50,7 @@ __FBSDID("$FreeBSD$"); #include <sys/malloc.h> #include <sys/mutex.h> #include <sys/sbuf.h> +#include <sys/sdt.h> #include <sys/systm.h> #include <sys/vnode.h> #include <sys/mount.h> 
@@ -163,68 +169,95 @@ mac_sysvmsq_cleanup(struct msqid_kernel *msqkptr) MAC_PERFORM(sysvmsq_cleanup, msqkptr->label); } +MAC_CHECK_PROBE_DEFINE3(sysvmsq_check_msgmsq, "struct ucred *", + "struct msg *", "struct msqid_kernel *"); + int mac_sysvmsq_check_msgmsq(struct ucred *cred, struct msg *msgptr, struct msqid_kernel *msqkptr) { int error; - MAC_CHECK(sysvmsq_check_msgmsq, cred, msgptr, msgptr->label, + MAC_CHECK(sysvmsq_check_msgmsq, cred, msgptr, msgptr->label, msqkptr, msqkptr->label); + MAC_CHECK_PROBE3(sysvmsq_check_msgmsq, error, cred, msgptr, msqkptr); return (error); } +MAC_CHECK_PROBE_DEFINE2(sysvmsq_check_msgrcv, "struct ucred *", + "struct msg *"); + int mac_sysvmsq_check_msgrcv(struct ucred *cred, struct msg *msgptr) { int error; MAC_CHECK(sysvmsq_check_msgrcv, cred, msgptr, msgptr->label); + MAC_CHECK_PROBE2(sysvmsq_check_msgrcv, error, cred, msgptr); return (error); } +MAC_CHECK_PROBE_DEFINE2(sysvmsq_check_msgrmid, "struct ucred *", + "struct msg *"); + int mac_sysvmsq_check_msgrmid(struct ucred *cred, struct msg *msgptr) { int error; - MAC_CHECK(sysvmsq_check_msgrmid, cred, msgptr, msgptr->label); + MAC_CHECK(sysvmsq_check_msgrmid, cred, msgptr, msgptr->label); + MAC_CHECK_PROBE2(sysvmsq_check_msgrmid, error, cred, msgptr); return (error); } +MAC_CHECK_PROBE_DEFINE2(sysvmsq_check_msqget, "struct ucred *", + "struct msqid_kernel *"); + int mac_sysvmsq_check_msqget(struct ucred *cred, struct msqid_kernel *msqkptr) { int error; MAC_CHECK(sysvmsq_check_msqget, cred, msqkptr, msqkptr->label); + MAC_CHECK_PROBE2(sysvmsq_check_msqget, error, cred, msqkptr); return (error); } +MAC_CHECK_PROBE_DEFINE2(sysvmsq_check_msqsnd, "struct ucred *", + "struct msqid_kernel *"); + int mac_sysvmsq_check_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr) { int error; MAC_CHECK(sysvmsq_check_msqsnd, cred, msqkptr, msqkptr->label); + MAC_CHECK_PROBE2(sysvmsq_check_msqsnd, error, cred, msqkptr); return (error); } +MAC_CHECK_PROBE_DEFINE2(sysvmsq_check_msqrcv, "struct 
ucred *", + "struct msqid_kernel *"); + int mac_sysvmsq_check_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr) { int error; MAC_CHECK(sysvmsq_check_msqrcv, cred, msqkptr, msqkptr->label); + MAC_CHECK_PROBE2(sysvmsq_check_msqrcv, error, cred, msqkptr); return (error); } +MAC_CHECK_PROBE_DEFINE3(sysvmsq_check_msqctl, "struct ucred *", + "struct msqid_kernel *", "int"); + int mac_sysvmsq_check_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr, int cmd) @@ -232,6 +265,7 @@ mac_sysvmsq_check_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr, int error; MAC_CHECK(sysvmsq_check_msqctl, cred, msqkptr, msqkptr->label, cmd); + MAC_CHECK_PROBE3(sysvmsq_check_msqctl, error, cred, msqkptr, cmd); return (error); } diff --git a/sys/security/mac/mac_sysv_sem.c b/sys/security/mac/mac_sysv_sem.c index 94a1107..9fc13fa 100644 --- a/sys/security/mac/mac_sysv_sem.c +++ b/sys/security/mac/mac_sysv_sem.c @@ -1,6 +1,7 @@ /*- * Copyright (c) 2003-2004 Networks Associates Technology, Inc. * Copyright (c) 2006 SPARTA, Inc. + * Copyright (c) 2009 Robert N. M. Watson * All rights reserved. * * This software was developed for the FreeBSD Project in part by Network @@ -11,6 +12,9 @@ * This software was enhanced by SPARTA ISSO under SPAWAR contract * N66001-04-C-6019 ("SEFOS"). * + * This software was developed at the University of Cambridge Computer + * Laboratory with support from a grant from Google, Inc. + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -36,6 +40,7 @@ #include <sys/cdefs.h> __FBSDID("$FreeBSD$"); +#include "opt_kdtrace.h" #include "opt_mac.h" #include <sys/param.h> @@ -49,6 +54,7 @@ __FBSDID("$FreeBSD$"); #include <sys/mount.h> #include <sys/file.h> #include <sys/namei.h> +#include <sys/sdt.h> #include <sys/sysctl.h> #include <sys/sem.h> 
@@ -108,6 +114,9 @@ mac_sysvsem_cleanup(struct semid_kernel *semakptr) MAC_PERFORM(sysvsem_cleanup, semakptr->label); } +MAC_CHECK_PROBE_DEFINE3(sysvsem_check_semctl, "struct ucred *", + "struct semid_kernel *", "int"); + int mac_sysvsem_check_semctl(struct ucred *cred, struct semid_kernel *semakptr, int cmd) @@ -116,10 +125,14 @@ mac_sysvsem_check_semctl(struct ucred *cred, struct semid_kernel *semakptr, MAC_CHECK(sysvsem_check_semctl, cred, semakptr, semakptr->label, cmd); + MAC_CHECK_PROBE3(sysvsem_check_semctl, error, cred, semakptr, cmd); return (error); } +MAC_CHECK_PROBE_DEFINE2(sysvsem_check_semget, "struct ucred *", + "struct semid_kernel *"); + int mac_sysvsem_check_semget(struct ucred *cred, struct semid_kernel *semakptr) { @@ -130,6 +143,9 @@ mac_sysvsem_check_semget(struct ucred *cred, struct semid_kernel *semakptr) return (error); } +MAC_CHECK_PROBE_DEFINE3(sysvsem_check_semop, "struct ucred *", + "struct semid_kernel *", "size_t"); + int mac_sysvsem_check_semop(struct ucred *cred, struct semid_kernel *semakptr, size_t accesstype) @@ -138,6 +154,8 @@ mac_sysvsem_check_semop(struct ucred *cred, struct semid_kernel *semakptr, MAC_CHECK(sysvsem_check_semop, cred, semakptr, semakptr->label, accesstype); + MAC_CHECK_PROBE3(sysvsem_check_semop, error, cred, semakptr, + accesstype); return (error); } diff --git a/sys/security/mac/mac_sysv_shm.c b/sys/security/mac/mac_sysv_shm.c index 950c23e..d42cb0b 100644 --- a/sys/security/mac/mac_sysv_shm.c +++ b/sys/security/mac/mac_sysv_shm.c @@ -1,6 +1,7 @@ /*- * Copyright (c) 2003-2004 Networks Associates Technology, Inc. * Copyright (c) 2006 SPARTA, Inc. + * Copyright (c) 2009 Robert N. M. Watson * All rights reserved. * * This software was developed for the FreeBSD Project in part by Network 
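Review bot: `sysvsem_check_semget` gets a `MAC_CHECK_PROBE_DEFINE2` in the semctl hunk, but the `@@ -130,6 +143,9 @@` hunk shows `mac_sysvsem_check_semget` reaching `return (error);` without a matching `MAC_CHECK_PROBE2`, so this probe is declared but never fires and a tracing consumer would see semget decisions silently missing. The function body, including its `MAC_CHECK` call, lies just before the hunk; the missing line directly after that call is `MAC_CHECK_PROBE2(sysvsem_check_semget, error, cred, semakptr);`, matching the semctl and semop hunks. `mac_vnode_check_open` in mac_vfs.c has the same omission (its `@@ -556,6 +636,9 @@` hunk returns without firing the `vnode_check_open` probe defined in the preceding hunk) and needs `MAC_CHECK_PROBE3(vnode_check_open, error, cred, vp, accmode);` after its `MAC_CHECK`, which is also outside that hunk.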
@@ -11,6 +12,9 @@ * This software was enhanced by SPARTA ISSO under SPAWAR contract * N66001-04-C-6019 ("SEFOS"). * + * This software was developed at the University of Cambridge Computer + * Laboratory with support from a grant from Google, Inc. + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -36,6 +40,7 @@ #include <sys/cdefs.h> __FBSDID("$FreeBSD$"); +#include "opt_kdtrace.h" #include "opt_mac.h" #include <sys/param.h> @@ -49,6 +54,7 @@ __FBSDID("$FreeBSD$"); #include <sys/mount.h> #include <sys/file.h> #include <sys/namei.h> +#include <sys/sdt.h> #include <sys/sysctl.h> #include <sys/shm.h> @@ -108,6 +114,9 @@ mac_sysvshm_cleanup(struct shmid_kernel *shmsegptr) MAC_PERFORM(sysvshm_cleanup, shmsegptr->label); } +MAC_CHECK_PROBE_DEFINE3(sysvshm_check_shmat, "struct ucred *", + "struct shmid_kernel *", "int"); + int mac_sysvshm_check_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr, int shmflg) @@ -116,10 +125,15 @@ mac_sysvshm_check_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr, MAC_CHECK(sysvshm_check_shmat, cred, shmsegptr, shmsegptr->label, shmflg); + MAC_CHECK_PROBE3(sysvshm_check_shmat, error, cred, shmsegptr, + shmflg); return (error); } +MAC_CHECK_PROBE_DEFINE3(sysvshm_check_shmctl, "struct ucred *", + "struct shmid_kernel *", "int"); + int mac_sysvshm_check_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr, int cmd) 
@@ -128,20 +142,28 @@ mac_sysvshm_check_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr, MAC_CHECK(sysvshm_check_shmctl, cred, shmsegptr, shmsegptr->label, cmd); + MAC_CHECK_PROBE3(sysvshm_check_shmctl, error, cred, shmsegptr, cmd); return (error); } +MAC_CHECK_PROBE_DEFINE2(sysvshm_check_shmdt, "struct ucred *", + "struct shmid *"); + int mac_sysvshm_check_shmdt(struct ucred *cred, struct shmid_kernel *shmsegptr) { int error; MAC_CHECK(sysvshm_check_shmdt, cred, shmsegptr, shmsegptr->label); + MAC_CHECK_PROBE2(sysvshm_check_shmdt, error, cred, shmsegptr); return (error); } +MAC_CHECK_PROBE_DEFINE3(sysvshm_check_shmget, "struct ucred *", + "struct shmid_kernel *", "int"); + int mac_sysvshm_check_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr, int shmflg) @@ -150,6 +172,8 @@ mac_sysvshm_check_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr, MAC_CHECK(sysvshm_check_shmget, cred, shmsegptr, shmsegptr->label, shmflg); + MAC_CHECK_PROBE3(sysvshm_check_shmget, error, cred, shmsegptr, + shmflg); return (error); } diff --git a/sys/security/mac/mac_vfs.c b/sys/security/mac/mac_vfs.c index 42da76c..1ebf520 100644 --- a/sys/security/mac/mac_vfs.c +++ b/sys/security/mac/mac_vfs.c @@ -1,5 +1,5 @@ /*- - * Copyright (c) 1999-2002 Robert N. M. Watson + * Copyright (c) 1999-2002, 2009 Robert N. M. Watson * Copyright (c) 2001 Ilmar S. Habibulin * Copyright (c) 2001-2005 McAfee, Inc. * Copyright (c) 2005-2006 SPARTA, Inc. @@ -17,6 +17,9 @@ * This software was enhanced by SPARTA ISSO under SPAWAR contract * N66001-04-C-6019 ("SEFOS"). * + * This software was developed at the University of Cambridge Computer + * Laboratory with support from a grant from Google, Inc. + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -42,6 +45,7 @@ #include <sys/cdefs.h> __FBSDID("$FreeBSD$"); +#include "opt_kdtrace.h" #include "opt_mac.h" #include <sys/param.h> 
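Review bot: The new `MAC_CHECK_PROBE_DEFINE2(sysvshm_check_shmdt, ...)` declares its second argument as `"struct shmid *"`, but `mac_sysvshm_check_shmdt` passes `shmsegptr`, which is a `struct shmid_kernel *`, and the shmat, shmctl and shmget definitions in the same file all spell `"struct shmid_kernel *"`. The string is not type-checked by the compiler, and presumably it is what DTrace reports as the type of that probe argument, so the mismatch would only surface to a consumer inspecting it. The line should read `"struct shmid_kernel *");`.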
@@ -59,6 +63,7 @@ __FBSDID("$FreeBSD$"); #include <sys/mount.h> #include <sys/file.h> #include <sys/namei.h> +#include <sys/sdt.h> #include <sys/sysctl.h> #include <vm/vm.h> @@ -361,6 +366,9 @@ mac_vnode_execve_will_transition(struct ucred *old, struct vnode *vp, return (result); } +MAC_CHECK_PROBE_DEFINE3(vnode_check_access, "struct ucred *", + "struct vnode *", "accmode_t"); + int mac_vnode_check_access(struct ucred *cred, struct vnode *vp, accmode_t accmode) { @@ -369,9 +377,14 @@ mac_vnode_check_access(struct ucred *cred, struct vnode *vp, accmode_t accmode) ASSERT_VOP_LOCKED(vp, "mac_vnode_check_access"); MAC_CHECK(vnode_check_access, cred, vp, vp->v_label, accmode); + MAC_CHECK_PROBE3(vnode_check_access, error, cred, vp, accmode); + return (error); } +MAC_CHECK_PROBE_DEFINE2(vnode_check_chdir, "struct ucred *", + "struct vnode *"); + int mac_vnode_check_chdir(struct ucred *cred, struct vnode *dvp) { @@ -380,9 +393,14 @@ mac_vnode_check_chdir(struct ucred *cred, struct vnode *dvp) ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_chdir"); MAC_CHECK(vnode_check_chdir, cred, dvp, dvp->v_label); + MAC_CHECK_PROBE2(vnode_check_chdir, error, cred, dvp); + return (error); } +MAC_CHECK_PROBE_DEFINE2(vnode_check_chroot, "struct ucred *", + "struct vnode *"); + int mac_vnode_check_chroot(struct ucred *cred, struct vnode *dvp) { @@ -391,9 +409,14 @@ mac_vnode_check_chroot(struct ucred *cred, struct vnode *dvp) ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_chroot"); MAC_CHECK(vnode_check_chroot, cred, dvp, dvp->v_label); + MAC_CHECK_PROBE2(vnode_check_chroot, error, cred, dvp); + return (error); } +MAC_CHECK_PROBE_DEFINE4(vnode_check_create, "struct ucred *", + "struct vnode *", "struct componentname *", "struct vattr *"); + int mac_vnode_check_create(struct ucred *cred, struct vnode *dvp, struct componentname *cnp, struct vattr *vap) 
@@ -403,9 +426,14 @@ mac_vnode_check_create(struct ucred *cred, struct vnode *dvp, ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_create"); MAC_CHECK(vnode_check_create, cred, dvp, dvp->v_label, cnp, vap); + MAC_CHECK_PROBE4(vnode_check_create, error, cred, dvp, cnp, vap); + return (error); } +MAC_CHECK_PROBE_DEFINE3(vnode_check_deleteacl, "struct ucred *", + "struct vnode *", "acl_type_t"); + int mac_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp, acl_type_t type) @@ -415,9 +443,14 @@ mac_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp, ASSERT_VOP_LOCKED(vp, "mac_vnode_check_deleteacl"); MAC_CHECK(vnode_check_deleteacl, cred, vp, vp->v_label, type); + MAC_CHECK_PROBE3(vnode_check_deleteacl, error, cred, vp, type); + return (error); } +MAC_CHECK_PROBE_DEFINE4(vnode_check_deleteextattr, "struct ucred *", + "struct vnode *", "int", "const char *"); + int mac_vnode_check_deleteextattr(struct ucred *cred, struct vnode *vp, int attrnamespace, const char *name) @@ -428,9 +461,15 @@ mac_vnode_check_deleteextattr(struct ucred *cred, struct vnode *vp, MAC_CHECK(vnode_check_deleteextattr, cred, vp, vp->v_label, attrnamespace, name); + MAC_CHECK_PROBE4(vnode_check_deleteextattr, error, cred, vp, + attrnamespace, name); + return (error); } +MAC_CHECK_PROBE_DEFINE3(vnode_check_exec, "struct ucred *", "struct vnode *", + "struct image_params *"); + int mac_vnode_check_exec(struct ucred *cred, struct vnode *vp, struct image_params *imgp) @@ -441,10 +480,14 @@ mac_vnode_check_exec(struct ucred *cred, struct vnode *vp, MAC_CHECK(vnode_check_exec, cred, vp, vp->v_label, imgp, imgp->execlabel); + MAC_CHECK_PROBE3(vnode_check_exec, error, cred, vp, imgp); return (error); } +MAC_CHECK_PROBE_DEFINE3(vnode_check_getacl, "struct ucred *", + "struct vnode *", "acl_type_t"); + int mac_vnode_check_getacl(struct ucred *cred, struct vnode *vp, acl_type_t type) { 
@@ -453,9 +496,14 @@ mac_vnode_check_getacl(struct ucred *cred, struct vnode *vp, acl_type_t type) ASSERT_VOP_LOCKED(vp, "mac_vnode_check_getacl"); MAC_CHECK(vnode_check_getacl, cred, vp, vp->v_label, type); + MAC_CHECK_PROBE3(vnode_check_getacl, error, cred, vp, type); + return (error); } +MAC_CHECK_PROBE_DEFINE4(vnode_check_getextattr, "struct ucred *", + "struct vnode *", "int", "const char *"); + int mac_vnode_check_getextattr(struct ucred *cred, struct vnode *vp, int attrnamespace, const char *name, struct uio *uio) @@ -466,9 +514,15 @@ mac_vnode_check_getextattr(struct ucred *cred, struct vnode *vp, MAC_CHECK(vnode_check_getextattr, cred, vp, vp->v_label, attrnamespace, name, uio); + MAC_CHECK_PROBE4(vnode_check_getextattr, error, cred, vp, + attrnamespace, name); + return (error); } +MAC_CHECK_PROBE_DEFINE4(vnode_check_link, "struct ucred *", "struct vnode *", + "struct vnode *", "struct componentname *"); + int mac_vnode_check_link(struct ucred *cred, struct vnode *dvp, struct vnode *vp, struct componentname *cnp) @@ -480,9 +534,14 @@ mac_vnode_check_link(struct ucred *cred, struct vnode *dvp, MAC_CHECK(vnode_check_link, cred, dvp, dvp->v_label, vp, vp->v_label, cnp); + MAC_CHECK_PROBE4(vnode_check_link, error, cred, dvp, vp, cnp); + return (error); } +MAC_CHECK_PROBE_DEFINE3(vnode_check_listextattr, "struct ucred *", + "struct vnode *", "int"); + int mac_vnode_check_listextattr(struct ucred *cred, struct vnode *vp, int attrnamespace) @@ -493,9 +552,15 @@ mac_vnode_check_listextattr(struct ucred *cred, struct vnode *vp, MAC_CHECK(vnode_check_listextattr, cred, vp, vp->v_label, attrnamespace); + MAC_CHECK_PROBE3(vnode_check_listextattr, error, cred, vp, + attrnamespace); + return (error); } +MAC_CHECK_PROBE_DEFINE3(vnode_check_lookup, "struct ucred *", + "struct vnode *", "struct componentname *"); + int mac_vnode_check_lookup(struct ucred *cred, struct vnode *dvp, struct componentname *cnp) 
@@ -505,9 +570,14 @@ mac_vnode_check_lookup(struct ucred *cred, struct vnode *dvp, ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_lookup"); MAC_CHECK(vnode_check_lookup, cred, dvp, dvp->v_label, cnp); + MAC_CHECK_PROBE3(vnode_check_lookup, error, cred, dvp, cnp); + return (error); } +MAC_CHECK_PROBE_DEFINE4(vnode_check_mmap, "struct ucred *", "struct vnode *", + "int", "int"); + int mac_vnode_check_mmap(struct ucred *cred, struct vnode *vp, int prot, int flags) @@ -517,6 +587,8 @@ mac_vnode_check_mmap(struct ucred *cred, struct vnode *vp, int prot, ASSERT_VOP_LOCKED(vp, "mac_vnode_check_mmap"); MAC_CHECK(vnode_check_mmap, cred, vp, vp->v_label, prot, flags); + MAC_CHECK_PROBE4(vnode_check_mmap, error, cred, vp, prot, flags); + return (error); } @@ -534,6 +606,9 @@ mac_vnode_check_mmap_downgrade(struct ucred *cred, struct vnode *vp, *prot = result; } +MAC_CHECK_PROBE_DEFINE3(vnode_check_mprotect, "struct ucred *", + "struct vnode *", "int"); + int mac_vnode_check_mprotect(struct ucred *cred, struct vnode *vp, int prot) { @@ -542,9 +617,14 @@ mac_vnode_check_mprotect(struct ucred *cred, struct vnode *vp, int prot) ASSERT_VOP_LOCKED(vp, "mac_vnode_check_mprotect"); MAC_CHECK(vnode_check_mprotect, cred, vp, vp->v_label, prot); + MAC_CHECK_PROBE3(vnode_check_mprotect, error, cred, vp, prot); + return (error); } +MAC_CHECK_PROBE_DEFINE3(vnode_check_open, "struct ucred *", "struct vnode *", + "accmode_t"); + int mac_vnode_check_open(struct ucred *cred, struct vnode *vp, accmode_t accmode) { @@ -556,6 +636,9 @@ mac_vnode_check_open(struct ucred *cred, struct vnode *vp, accmode_t accmode) return (error); } +MAC_CHECK_PROBE_DEFINE3(vnode_check_poll, "struct ucred *", "struct ucred *", + "struct vnode *"); + int mac_vnode_check_poll(struct ucred *active_cred, struct ucred *file_cred, struct vnode *vp) 
@@ -566,10 +649,15 @@ mac_vnode_check_poll(struct ucred *active_cred, struct ucred *file_cred, MAC_CHECK(vnode_check_poll, active_cred, file_cred, vp, vp->v_label); + MAC_CHECK_PROBE3(vnode_check_poll, error, active_cred, file_cred, + vp); return (error); } +MAC_CHECK_PROBE_DEFINE3(vnode_check_read, "struct ucred *", "struct ucred *", + "struct vnode *"); + int mac_vnode_check_read(struct ucred *active_cred, struct ucred *file_cred, struct vnode *vp) @@ -580,10 +668,15 @@ mac_vnode_check_read(struct ucred *active_cred, struct ucred *file_cred, MAC_CHECK(vnode_check_read, active_cred, file_cred, vp, vp->v_label); + MAC_CHECK_PROBE3(vnode_check_read, error, active_cred, file_cred, + vp); return (error); } +MAC_CHECK_PROBE_DEFINE2(vnode_check_readdir, "struct ucred *", + "struct vnode *"); + int mac_vnode_check_readdir(struct ucred *cred, struct vnode *dvp) { @@ -592,9 +685,14 @@ mac_vnode_check_readdir(struct ucred *cred, struct vnode *dvp) ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_readdir"); MAC_CHECK(vnode_check_readdir, cred, dvp, dvp->v_label); + MAC_CHECK_PROBE2(vnode_check_readdir, error, cred, dvp); + return (error); } +MAC_CHECK_PROBE_DEFINE2(vnode_check_readlink, "struct ucred *", + "struct vnode *"); + int mac_vnode_check_readlink(struct ucred *cred, struct vnode *vp) { @@ -603,9 +701,14 @@ mac_vnode_check_readlink(struct ucred *cred, struct vnode *vp) ASSERT_VOP_LOCKED(vp, "mac_vnode_check_readlink"); MAC_CHECK(vnode_check_readlink, cred, vp, vp->v_label); + MAC_CHECK_PROBE2(vnode_check_readlink, error, cred, vp); + return (error); } +MAC_CHECK_PROBE_DEFINE3(vnode_check_relabel, "struct ucred *", + "struct vnode *", "struct label *"); + static int mac_vnode_check_relabel(struct ucred *cred, struct vnode *vp, struct label *newlabel) 
@@ -615,10 +718,14 @@ mac_vnode_check_relabel(struct ucred *cred, struct vnode *vp, ASSERT_VOP_LOCKED(vp, "mac_vnode_check_relabel"); MAC_CHECK(vnode_check_relabel, cred, vp, vp->v_label, newlabel); + MAC_CHECK_PROBE3(vnode_check_relabel, error, cred, vp, newlabel); return (error); } +MAC_CHECK_PROBE_DEFINE4(vnode_check_rename_from, "struct ucred *", + "struct vnode *", "struct vnode *", "struct componentname *"); + int mac_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp, struct vnode *vp, struct componentname *cnp) @@ -630,9 +737,14 @@ mac_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp, MAC_CHECK(vnode_check_rename_from, cred, dvp, dvp->v_label, vp, vp->v_label, cnp); + MAC_CHECK_PROBE4(vnode_check_rename_from, error, cred, dvp, vp, cnp); + return (error); } +MAC_CHECK_PROBE_DEFINE4(vnode_check_rename_to, "struct ucred *", + "struct vnode *", "struct vnode *", "struct componentname *"); + int mac_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp, struct vnode *vp, int samedir, struct componentname *cnp) @@ -644,9 +756,13 @@ mac_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp, MAC_CHECK(vnode_check_rename_to, cred, dvp, dvp->v_label, vp, vp != NULL ? vp->v_label : NULL, samedir, cnp); + MAC_CHECK_PROBE4(vnode_check_rename_to, error, cred, dvp, vp, cnp); return (error); } +MAC_CHECK_PROBE_DEFINE2(vnode_check_revoke, "struct ucred *", + "struct vnode *"); + int mac_vnode_check_revoke(struct ucred *cred, struct vnode *vp) { @@ -655,9 +771,14 @@ mac_vnode_check_revoke(struct ucred *cred, struct vnode *vp) ASSERT_VOP_LOCKED(vp, "mac_vnode_check_revoke"); MAC_CHECK(vnode_check_revoke, cred, vp, vp->v_label); + MAC_CHECK_PROBE2(vnode_check_revoke, error, cred, vp); + return (error); } +MAC_CHECK_PROBE_DEFINE4(vnode_check_setacl, "struct ucred *", + "struct vnode *", "acl_tpe_t", "struct acl *"); + int mac_vnode_check_setacl(struct ucred *cred, struct vnode *vp, acl_type_t type, struct acl *acl) 
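Review bot: `MAC_CHECK_PROBE4(vnode_check_rename_to, error, cred, dvp, vp, cnp)` drops the `samedir` argument that the hook itself receives, so a tracing consumer cannot tell a same-directory rename from a cross-directory one, whereas the `rename_from` probe in the preceding hunk carries everything its hook gets. If the probe macros top out at four arguments (only DEFINE2 through DEFINE4 are visible in this diff), say so at the define so the omission is not read as an oversight: `/* samedir is not exposed: the probe macros carry at most four arguments. */`; if a wider macro exists, pass `samedir` instead. Note also that `vp` may be NULL on this path (the `MAC_CHECK` line guards `vp->v_label`), which is fine for a pointer probe argument but worth a word for anyone dereferencing the vnode argument in a D script.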
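Review bot: `MAC_CHECK_PROBE_DEFINE4(vnode_check_setacl, ..., "acl_tpe_t", ...)` misspells the type of its third argument; the hook prototype on the following context lines takes `acl_type_t type`. These strings are what DTrace is given as the probe's argument types, so a consumer typing that argument (or a `dtrace -l -v` listing) is handed a type that does not exist, and nothing catches it at compile time because it is only a string literal. Change it to `"acl_type_t"` to match `mac_vnode_check_setacl`; the function body continues in the next hunk.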
@@ -667,9 +788,14 @@ mac_vnode_check_setacl(struct ucred *cred, struct vnode *vp, acl_type_t type, ASSERT_VOP_LOCKED(vp, "mac_vnode_check_setacl"); MAC_CHECK(vnode_check_setacl, cred, vp, vp->v_label, type, acl); + MAC_CHECK_PROBE4(vnode_check_setacl, error, cred, vp, type, acl); + return (error); } +MAC_CHECK_PROBE_DEFINE4(vnode_check_setextattr, "struct ucred *", + "struct vnode *", "int", "const char *"); + int mac_vnode_check_setextattr(struct ucred *cred, struct vnode *vp, int attrnamespace, const char *name, struct uio *uio) @@ -680,9 +806,15 @@ mac_vnode_check_setextattr(struct ucred *cred, struct vnode *vp, MAC_CHECK(vnode_check_setextattr, cred, vp, vp->v_label, attrnamespace, name, uio); + MAC_CHECK_PROBE4(vnode_check_setextattr, error, cred, vp, + attrnamespace, name); + return (error); } +MAC_CHECK_PROBE_DEFINE3(vnode_check_setflags, "struct ucred *", + "struct vnode *", "u_long"); + int mac_vnode_check_setflags(struct ucred *cred, struct vnode *vp, u_long flags) { @@ -691,9 +823,14 @@ mac_vnode_check_setflags(struct ucred *cred, struct vnode *vp, u_long flags) ASSERT_VOP_LOCKED(vp, "mac_vnode_check_setflags"); MAC_CHECK(vnode_check_setflags, cred, vp, vp->v_label, flags); + MAC_CHECK_PROBE3(vnode_check_setflags, error, cred, vp, flags); + return (error); } +MAC_CHECK_PROBE_DEFINE3(vnode_check_setmode, "struct ucred *", + "struct vnode *", "mode_t"); + int mac_vnode_check_setmode(struct ucred *cred, struct vnode *vp, mode_t mode) { @@ -702,9 +839,14 @@ mac_vnode_check_setmode(struct ucred *cred, struct vnode *vp, mode_t mode) ASSERT_VOP_LOCKED(vp, "mac_vnode_check_setmode"); MAC_CHECK(vnode_check_setmode, cred, vp, vp->v_label, mode); + MAC_CHECK_PROBE3(vnode_check_setmode, error, cred, vp, mode); + return (error); } +MAC_CHECK_PROBE_DEFINE4(vnode_check_setowner, "struct ucred *", + "struct vnode *", "uid_t", "gid_t"); + int mac_vnode_check_setowner(struct ucred *cred, struct vnode *vp, uid_t uid, gid_t gid) 
@@ -714,9 +856,14 @@ mac_vnode_check_setowner(struct ucred *cred, struct vnode *vp, uid_t uid, ASSERT_VOP_LOCKED(vp, "mac_vnode_check_setowner"); MAC_CHECK(vnode_check_setowner, cred, vp, vp->v_label, uid, gid); + MAC_CHECK_PROBE4(vnode_check_setowner, error, cred, vp, uid, gid); + return (error); } +MAC_CHECK_PROBE_DEFINE4(vnode_check_setutimes, "struct ucred *", + "struct vnode *", "struct timespec *", "struct timespec *"); + int mac_vnode_check_setutimes(struct ucred *cred, struct vnode *vp, struct timespec atime, struct timespec mtime) @@ -727,9 +874,15 @@ mac_vnode_check_setutimes(struct ucred *cred, struct vnode *vp, MAC_CHECK(vnode_check_setutimes, cred, vp, vp->v_label, atime, mtime); + MAC_CHECK_PROBE4(vnode_check_setutimes, error, cred, vp, &atime, + &mtime); + return (error); } +MAC_CHECK_PROBE_DEFINE3(vnode_check_stat, "struct ucred *", "struct ucred *", + "struct vnode *"); + int mac_vnode_check_stat(struct ucred *active_cred, struct ucred *file_cred, struct vnode *vp) @@ -740,9 +893,15 @@ mac_vnode_check_stat(struct ucred *active_cred, struct ucred *file_cred, MAC_CHECK(vnode_check_stat, active_cred, file_cred, vp, vp->v_label); + MAC_CHECK_PROBE3(vnode_check_stat, error, active_cred, file_cred, + vp); + return (error); } +MAC_CHECK_PROBE_DEFINE4(vnode_check_unlink, "struct ucred *", + "struct vnode *", "struct vnode *", "struct componentname *"); + int mac_vnode_check_unlink(struct ucred *cred, struct vnode *dvp, struct vnode *vp, struct componentname *cnp) @@ -754,9 +913,14 @@ mac_vnode_check_unlink(struct ucred *cred, struct vnode *dvp, MAC_CHECK(vnode_check_unlink, cred, dvp, dvp->v_label, vp, vp->v_label, cnp); + MAC_CHECK_PROBE4(vnode_check_unlink, error, cred, dvp, vp, cnp); + return (error); } +MAC_CHECK_PROBE_DEFINE3(vnode_check_write, "struct ucred *", + "struct ucred *", "struct vnode *"); + int mac_vnode_check_write(struct ucred *active_cred, struct ucred *file_cred, struct vnode *vp) 
@@ -767,6 +931,8 @@ mac_vnode_check_write(struct ucred *active_cred, struct ucred *file_cred, MAC_CHECK(vnode_check_write, active_cred, file_cred, vp, vp->v_label); + MAC_CHECK_PROBE3(vnode_check_write, error, active_cred, file_cred, + vp); return (error); } @@ -786,12 +952,16 @@ mac_mount_create(struct ucred *cred, struct mount *mp) MAC_PERFORM(mount_create, cred, mp, mp->mnt_label); } +MAC_CHECK_PROBE_DEFINE2(mount_check_stat, "struct ucred *", + "struct mount *"); + int mac_mount_check_stat(struct ucred *cred, struct mount *mount) { int error; MAC_CHECK(mount_check_stat, cred, mount, mount->mnt_label); + MAC_CHECK_PROBE2(mount_check_stat, error, cred, mount); return (error); } |