diff options
Diffstat (limited to 'sys')
| -rw-r--r-- | sys/kern/kern_ktrace.c | 2 | ||||
| -rw-r--r-- | sys/kern/kern_mac.c | 67 | ||||
| -rw-r--r-- | sys/kern/tty_tty.c | 6 | ||||
| -rw-r--r-- | sys/kern/vfs_extattr.c | 12 | ||||
| -rw-r--r-- | sys/kern/vfs_syscalls.c | 12 | ||||
| -rw-r--r-- | sys/kern/vfs_vnops.c | 12 | ||||
| -rw-r--r-- | sys/security/mac/mac_framework.c | 67 | ||||
| -rw-r--r-- | sys/security/mac/mac_framework.h | 4 | ||||
| -rw-r--r-- | sys/security/mac/mac_internal.h | 67 | ||||
| -rw-r--r-- | sys/security/mac/mac_net.c | 67 | ||||
| -rw-r--r-- | sys/security/mac/mac_pipe.c | 67 | ||||
| -rw-r--r-- | sys/security/mac/mac_policy.h | 12 | ||||
| -rw-r--r-- | sys/security/mac/mac_process.c | 67 | ||||
| -rw-r--r-- | sys/security/mac/mac_syscalls.c | 67 | ||||
| -rw-r--r-- | sys/security/mac/mac_system.c | 67 | ||||
| -rw-r--r-- | sys/security/mac/mac_vfs.c | 67 | ||||
| -rw-r--r-- | sys/security/mac_biba/mac_biba.c | 92 | ||||
| -rw-r--r-- | sys/security/mac_mls/mac_mls.c | 92 | ||||
| -rw-r--r-- | sys/security/mac_none/mac_none.c | 30 | ||||
| -rw-r--r-- | sys/security/mac_stub/mac_stub.c | 30 | ||||
| -rw-r--r-- | sys/security/mac_test/mac_test.c | 30 | ||||
| -rw-r--r-- | sys/sys/mac.h | 4 | ||||
| -rw-r--r-- | sys/sys/mac_policy.h | 12 |
23 files changed, 764 insertions, 189 deletions
diff --git a/sys/kern/kern_ktrace.c b/sys/kern/kern_ktrace.c index 5a40e09..a21f5e2 100644 --- a/sys/kern/kern_ktrace.c +++ b/sys/kern/kern_ktrace.c @@ -771,7 +771,7 @@ ktr_writerequest(struct ktr_request *req) vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); (void)VOP_LEASE(vp, td, cred, LEASE_WRITE); #ifdef MAC - error = mac_check_vnode_op(cred, vp, MAC_OP_VNODE_WRITE); + error = mac_check_vnode_write(cred, vp); if (error == 0) #endif error = VOP_WRITE(vp, &auio, IO_UNIT | IO_APPEND, cred); diff --git a/sys/kern/kern_mac.c b/sys/kern/kern_mac.c index 0d6a898..f8cb676 100644 --- a/sys/kern/kern_mac.c +++ b/sys/kern/kern_mac.c @@ -755,14 +755,18 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_check_vnode_mmap_perms = mpe->mpe_function; break; - case MAC_CHECK_VNODE_OP: - mpc->mpc_ops->mpo_check_vnode_op = - mpe->mpe_function; - break; case MAC_CHECK_VNODE_OPEN: mpc->mpc_ops->mpo_check_vnode_open = mpe->mpe_function; break; + case MAC_CHECK_VNODE_POLL: + mpc->mpc_ops->mpo_check_vnode_poll = + mpe->mpe_function; + break; + case MAC_CHECK_VNODE_READ: + mpc->mpc_ops->mpo_check_vnode_read = + mpe->mpe_function; + break; case MAC_CHECK_VNODE_READDIR: mpc->mpc_ops->mpo_check_vnode_readdir = mpe->mpe_function; @@ -815,6 +819,10 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_check_vnode_stat = mpe->mpe_function; break; + case MAC_CHECK_VNODE_WRITE: + mpc->mpc_ops->mpo_check_vnode_write = + mpe->mpe_function; + break; /* default: printf("MAC policy `%s': unknown operation %d\n", @@ -1762,30 +1770,48 @@ mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp, int newmapping) } int -mac_check_vnode_op(struct ucred *cred, struct vnode *vp, int op) +mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode) { int error; + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open"); + if (!mac_enforce_fs) return (0); - ASSERT_VOP_LOCKED(vp, "mac_check_vnode_op"); + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + + MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode); + return (error); +} + +int +mac_check_vnode_poll(struct ucred *cred, struct vnode *vp) +{ + int error; + + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_poll"); + + if (!mac_enforce_fs) + return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); - MAC_CHECK(check_vnode_op, cred, vp, &vp->v_label, op); + MAC_CHECK(check_vnode_poll, cred, vp, &vp->v_label); return (error); } int -mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode) +mac_check_vnode_read(struct ucred *cred, struct vnode *vp) { int error; - ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open"); + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_read"); if (!mac_enforce_fs) return (0); @@ -1794,7 +1820,8 @@ mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode) if (error) return (error); - MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode); + MAC_CHECK(check_vnode_read, cred, vp, &vp->v_label); + return (error); } @@ -2050,6 +2077,26 @@ mac_check_vnode_stat(struct ucred *cred, struct vnode *vp) return (error); } +int +mac_check_vnode_write(struct ucred *cred, struct vnode *vp) +{ + int error; + + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_write"); + + if (!mac_enforce_fs) + return (0); + + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + + MAC_CHECK(check_vnode_write, cred, vp, &vp->v_label); + + return (error); +} + + /* * When relabeling a process, call out to the policies for the maximum * permission allowed for each object type we know about in its diff --git a/sys/kern/tty_tty.c b/sys/kern/tty_tty.c index f70f585..86132d9 100644 --- a/sys/kern/tty_tty.c +++ b/sys/kern/tty_tty.c @@ -131,7 +131,7 @@ cttyread(dev, uio, flag) vn_lock(ttyvp, LK_EXCLUSIVE | LK_RETRY, td); #ifdef MAC /* XXX: Shouldn't the cred below be td->td_ucred not NOCRED? */ - error = mac_check_vnode_op(td->td_ucred, ttyvp, MAC_OP_VNODE_READ); + error = mac_check_vnode_read(td->td_ucred, ttyvp); if (error == 0) #endif error = VOP_READ(ttyvp, uio, flag, NOCRED); @@ -166,7 +166,7 @@ cttywrite(dev, uio, flag) vn_lock(ttyvp, LK_EXCLUSIVE | LK_RETRY, td); #ifdef MAC /* XXX: shouldn't the cred below be td->td_ucred not NOCRED? */ - error = mac_check_vnode_op(td->td_ucred, ttyvp, MAC_OP_VNODE_WRITE); + error = mac_check_vnode_write(td->td_ucred, ttyvp); if (error == 0) #endif error = VOP_WRITE(ttyvp, uio, flag, NOCRED); @@ -236,7 +236,7 @@ cttypoll(dev, events, td) return (seltrue(dev, events, td)); #ifdef MAC vn_lock(ttyvp, LK_EXCLUSIVE | LK_RETRY, td); - error = mac_check_vnode_op(td->td_ucred, ttyvp, MAC_OP_VNODE_POLL); + error = mac_check_vnode_poll(td->td_ucred, ttyvp); VOP_UNLOCK(ttyvp, 0, td); if (error) return (error); diff --git a/sys/kern/vfs_extattr.c b/sys/kern/vfs_extattr.c index 39f8423..fce45fe 100644 --- a/sys/kern/vfs_extattr.c +++ b/sys/kern/vfs_extattr.c @@ -734,8 +734,7 @@ open(td, uap) vat.va_size = 0; vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); #ifdef MAC - error = mac_check_vnode_op(td->td_ucred, vp, - MAC_OP_VNODE_WRITE); + error = mac_check_vnode_write(td->td_ucred, vp); if (error == 0) #endif error = VOP_SETATTR(vp, &vat, td->td_ucred, td); @@ -2368,8 +2367,7 @@ truncate(td, uap) if (vp->v_type == VDIR) error = EISDIR; #ifdef MAC - else if ((error = mac_check_vnode_op(td->td_ucred, vp, - MAC_OP_VNODE_WRITE))) {} + else if ((error = mac_check_vnode_write(td->td_ucred, vp))) {} #endif else if ((error = vn_writechk(vp)) == 0 && (error = VOP_ACCESS(vp, VWRITE, td->td_ucred, td)) == 0) { @@ -2426,8 +2424,7 @@ ftruncate(td, uap) if (vp->v_type == VDIR) error = EISDIR; #ifdef MAC - else if ((error = mac_check_vnode_op(td->td_ucred, vp, - MAC_OP_VNODE_WRITE))) {} + else if ((error = mac_check_vnode_write(td->td_ucred, vp))) {} #endif else if ((error = vn_writechk(vp)) == 0) { VATTR_NULL(&vattr); @@ -3345,8 +3342,7 @@ fhopen(td, uap) VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE); vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); /* XXX */ #ifdef MAC - error = mac_check_vnode_op(td->td_ucred, vp, - MAC_OP_VNODE_WRITE); + error = mac_check_vnode_write(td->td_ucred, vp); if (error == 0) { #endif VATTR_NULL(vap); diff --git a/sys/kern/vfs_syscalls.c b/sys/kern/vfs_syscalls.c index 39f8423..fce45fe 100644 --- a/sys/kern/vfs_syscalls.c +++ b/sys/kern/vfs_syscalls.c @@ -734,8 +734,7 @@ open(td, uap) vat.va_size = 0; vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); #ifdef MAC - error = mac_check_vnode_op(td->td_ucred, vp, - MAC_OP_VNODE_WRITE); + error = mac_check_vnode_write(td->td_ucred, vp); if (error == 0) #endif error = VOP_SETATTR(vp, &vat, td->td_ucred, td); @@ -2368,8 +2367,7 @@ truncate(td, uap) if (vp->v_type == VDIR) error = EISDIR; #ifdef MAC - else if ((error = mac_check_vnode_op(td->td_ucred, vp, - MAC_OP_VNODE_WRITE))) {} + else if ((error = mac_check_vnode_write(td->td_ucred, vp))) {} #endif else if ((error = vn_writechk(vp)) == 0 && (error = VOP_ACCESS(vp, VWRITE, td->td_ucred, td)) == 0) { @@ -2426,8 +2424,7 @@ ftruncate(td, uap) if (vp->v_type == VDIR) error = EISDIR; #ifdef MAC - else if ((error = mac_check_vnode_op(td->td_ucred, vp, - MAC_OP_VNODE_WRITE))) {} + else if ((error = mac_check_vnode_write(td->td_ucred, vp))) {} #endif else if ((error = vn_writechk(vp)) == 0) { VATTR_NULL(&vattr); @@ -3345,8 +3342,7 @@ fhopen(td, uap) VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE); vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); /* XXX */ #ifdef MAC - error = mac_check_vnode_op(td->td_ucred, vp, - MAC_OP_VNODE_WRITE); + error = mac_check_vnode_write(td->td_ucred, vp); if (error == 0) { #endif VATTR_NULL(vap); diff --git a/sys/kern/vfs_vnops.c b/sys/kern/vfs_vnops.c index 07e5fc9..08bdeb2 100644 --- a/sys/kern/vfs_vnops.c +++ b/sys/kern/vfs_vnops.c @@ -402,11 +402,9 @@ vn_rdwr(rw, vp, base, len, offset, segflg, ioflg, active_cred, file_cred, #ifdef MAC if ((ioflg & IO_NOMACCHECK) == 0) { if (rw == UIO_READ) - error = mac_check_vnode_op(active_cred, vp, - MAC_OP_VNODE_READ); + error = mac_check_vnode_read(active_cred, vp); else - error = mac_check_vnode_op(active_cred, vp, - MAC_OP_VNODE_WRITE); + error = mac_check_vnode_write(active_cred, vp); } #endif if (error == 0) { @@ -507,7 +505,7 @@ vn_read(fp, uio, active_cred, flags, td) ioflag |= sequential_heuristic(uio, fp); #ifdef MAC - error = mac_check_vnode_op(active_cred, vp, MAC_OP_VNODE_READ); + error = mac_check_vnode_read(active_cred, vp); if (error == 0) #endif error = VOP_READ(vp, uio, ioflag, fp->f_cred); @@ -562,7 +560,7 @@ vn_write(fp, uio, active_cred, flags, td) uio->uio_offset = fp->f_offset; ioflag |= sequential_heuristic(uio, fp); #ifdef MAC - error = mac_check_vnode_op(active_cred, vp, MAC_OP_VNODE_WRITE); + error = mac_check_vnode_write(active_cred, vp); if (error == 0) #endif error = VOP_WRITE(vp, uio, ioflag, fp->f_cred); @@ -807,7 +805,7 @@ vn_poll(fp, events, active_cred, td) vp = (struct vnode *)fp->f_data; #ifdef MAC vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); - error = mac_check_vnode_op(active_cred, vp, MAC_OP_VNODE_POLL); + error = mac_check_vnode_poll(active_cred, vp); VOP_UNLOCK(vp, 0, td); if (error) return (error); diff --git a/sys/security/mac/mac_framework.c b/sys/security/mac/mac_framework.c index 0d6a898..f8cb676 100644 --- a/sys/security/mac/mac_framework.c +++ b/sys/security/mac/mac_framework.c @@ -755,14 +755,18 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_check_vnode_mmap_perms = mpe->mpe_function; break; - case MAC_CHECK_VNODE_OP: - mpc->mpc_ops->mpo_check_vnode_op = - mpe->mpe_function; - break; case MAC_CHECK_VNODE_OPEN: mpc->mpc_ops->mpo_check_vnode_open = mpe->mpe_function; break; + case MAC_CHECK_VNODE_POLL: + mpc->mpc_ops->mpo_check_vnode_poll = + mpe->mpe_function; + break; + case MAC_CHECK_VNODE_READ: + mpc->mpc_ops->mpo_check_vnode_read = + mpe->mpe_function; + break; case MAC_CHECK_VNODE_READDIR: mpc->mpc_ops->mpo_check_vnode_readdir = mpe->mpe_function; @@ -815,6 +819,10 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_check_vnode_stat = mpe->mpe_function; break; + case MAC_CHECK_VNODE_WRITE: + mpc->mpc_ops->mpo_check_vnode_write = + mpe->mpe_function; + break; /* default: printf("MAC policy `%s': unknown operation %d\n", @@ -1762,30 +1770,48 @@ mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp, int newmapping) } int -mac_check_vnode_op(struct ucred *cred, struct vnode *vp, int op) +mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode) { int error; + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open"); + if (!mac_enforce_fs) return (0); - ASSERT_VOP_LOCKED(vp, "mac_check_vnode_op"); + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + + MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode); + return (error); +} + +int +mac_check_vnode_poll(struct ucred *cred, struct vnode *vp) +{ + int error; + + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_poll"); + + if (!mac_enforce_fs) + return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); - MAC_CHECK(check_vnode_op, cred, vp, &vp->v_label, op); + MAC_CHECK(check_vnode_poll, cred, vp, &vp->v_label); return (error); } int -mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode) +mac_check_vnode_read(struct ucred *cred, struct vnode *vp) { int error; - ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open"); + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_read"); if (!mac_enforce_fs) return (0); @@ -1794,7 +1820,8 @@ mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode) if (error) return (error); - MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode); + MAC_CHECK(check_vnode_read, cred, vp, &vp->v_label); + return (error); } @@ -2050,6 +2077,26 @@ mac_check_vnode_stat(struct ucred *cred, struct vnode *vp) return (error); } +int +mac_check_vnode_write(struct ucred *cred, struct vnode *vp) +{ + int error; + + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_write"); + + if (!mac_enforce_fs) + return (0); + + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + + MAC_CHECK(check_vnode_write, cred, vp, &vp->v_label); + + return (error); +} + + /* * When relabeling a process, call out to the policies for the maximum * permission allowed for each object type we know about in its diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h index d80387c..3d73df4 100644 --- a/sys/security/mac/mac_framework.h +++ b/sys/security/mac/mac_framework.h @@ -341,9 +341,10 @@ int mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, /* XXX This u_char should be vm_prot_t! */ u_char mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp, int newmapping); -int mac_check_vnode_op(struct ucred *cred, struct vnode *vp, int op); int mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode); +int mac_check_vnode_poll(struct ucred *cred, struct vnode *vp); +int mac_check_vnode_read(struct ucred *cred, struct vnode *vp); int mac_check_vnode_readdir(struct ucred *cred, struct vnode *vp); int mac_check_vnode_readlink(struct ucred *cred, struct vnode *vp); int mac_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp, @@ -364,6 +365,7 @@ int mac_check_vnode_setowner(struct ucred *cred, struct vnode *vp, int mac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp, struct timespec atime, struct timespec mtime); int mac_check_vnode_stat(struct ucred *cred, struct vnode *vp); +int mac_check_vnode_write(struct ucred *cred, struct vnode *vp); int mac_getsockopt_label_get(struct ucred *cred, struct socket *so, struct mac *extmac); int mac_getsockopt_peerlabel_get(struct ucred *cred, struct socket *so, diff --git a/sys/security/mac/mac_internal.h b/sys/security/mac/mac_internal.h index 0d6a898..f8cb676 100644 --- a/sys/security/mac/mac_internal.h +++ b/sys/security/mac/mac_internal.h @@ -755,14 +755,18 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_check_vnode_mmap_perms = mpe->mpe_function; break; - case MAC_CHECK_VNODE_OP: - mpc->mpc_ops->mpo_check_vnode_op = - mpe->mpe_function; - break; case MAC_CHECK_VNODE_OPEN: mpc->mpc_ops->mpo_check_vnode_open = mpe->mpe_function; break; + case MAC_CHECK_VNODE_POLL: + mpc->mpc_ops->mpo_check_vnode_poll = + mpe->mpe_function; + break; + case MAC_CHECK_VNODE_READ: + mpc->mpc_ops->mpo_check_vnode_read = + mpe->mpe_function; + break; case MAC_CHECK_VNODE_READDIR: mpc->mpc_ops->mpo_check_vnode_readdir = mpe->mpe_function; @@ -815,6 +819,10 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_check_vnode_stat = mpe->mpe_function; break; + case MAC_CHECK_VNODE_WRITE: + mpc->mpc_ops->mpo_check_vnode_write = + mpe->mpe_function; + break; /* default: printf("MAC policy `%s': unknown operation %d\n", @@ -1762,30 +1770,48 @@ mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp, int newmapping) } int -mac_check_vnode_op(struct ucred *cred, struct vnode *vp, int op) +mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode) { int error; + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open"); + if (!mac_enforce_fs) return (0); - ASSERT_VOP_LOCKED(vp, "mac_check_vnode_op"); + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + + MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode); + return (error); +} + +int +mac_check_vnode_poll(struct ucred *cred, struct vnode *vp) +{ + int error; + + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_poll"); + + if (!mac_enforce_fs) + return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); - MAC_CHECK(check_vnode_op, cred, vp, &vp->v_label, op); + MAC_CHECK(check_vnode_poll, cred, vp, &vp->v_label); return (error); } int -mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode) +mac_check_vnode_read(struct ucred *cred, struct vnode *vp) { int error; - ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open"); + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_read"); if (!mac_enforce_fs) return (0); @@ -1794,7 +1820,8 @@ mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode) if (error) return (error); - MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode); + MAC_CHECK(check_vnode_read, cred, vp, &vp->v_label); + return (error); } @@ -2050,6 +2077,26 @@ mac_check_vnode_stat(struct ucred *cred, struct vnode *vp) return (error); } +int +mac_check_vnode_write(struct ucred *cred, struct vnode *vp) +{ + int error; + + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_write"); + + if (!mac_enforce_fs) + return (0); + + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + + MAC_CHECK(check_vnode_write, cred, vp, &vp->v_label); + + return (error); +} + + /* * When relabeling a process, call out to the policies for the maximum * permission allowed for each object type we know about in its diff --git a/sys/security/mac/mac_net.c b/sys/security/mac/mac_net.c index 0d6a898..f8cb676 100644 --- a/sys/security/mac/mac_net.c +++ b/sys/security/mac/mac_net.c @@ -755,14 +755,18 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_check_vnode_mmap_perms = mpe->mpe_function; break; - case MAC_CHECK_VNODE_OP: - mpc->mpc_ops->mpo_check_vnode_op = - mpe->mpe_function; - break; case MAC_CHECK_VNODE_OPEN: mpc->mpc_ops->mpo_check_vnode_open = mpe->mpe_function; break; + case MAC_CHECK_VNODE_POLL: + mpc->mpc_ops->mpo_check_vnode_poll = + mpe->mpe_function; + break; + case MAC_CHECK_VNODE_READ: + mpc->mpc_ops->mpo_check_vnode_read = + mpe->mpe_function; + break; case MAC_CHECK_VNODE_READDIR: mpc->mpc_ops->mpo_check_vnode_readdir = mpe->mpe_function; @@ -815,6 +819,10 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_check_vnode_stat = mpe->mpe_function; break; + case MAC_CHECK_VNODE_WRITE: + mpc->mpc_ops->mpo_check_vnode_write = + mpe->mpe_function; + break; /* default: printf("MAC policy `%s': unknown operation %d\n", @@ -1762,30 +1770,48 @@ mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp, int newmapping) } int -mac_check_vnode_op(struct ucred *cred, struct vnode *vp, int op) +mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode) { int error; + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open"); + if (!mac_enforce_fs) return (0); - ASSERT_VOP_LOCKED(vp, "mac_check_vnode_op"); + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + + MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode); + return (error); +} + +int +mac_check_vnode_poll(struct ucred *cred, struct vnode *vp) +{ + int error; + + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_poll"); + + if (!mac_enforce_fs) + return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); - MAC_CHECK(check_vnode_op, cred, vp, &vp->v_label, op); + MAC_CHECK(check_vnode_poll, cred, vp, &vp->v_label); return (error); } int -mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode) +mac_check_vnode_read(struct ucred *cred, struct vnode *vp) { int error; - ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open"); + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_read"); if (!mac_enforce_fs) return (0); @@ -1794,7 +1820,8 @@ mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode) if (error) return (error); - MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode); + MAC_CHECK(check_vnode_read, cred, vp, &vp->v_label); + return (error); } @@ -2050,6 +2077,26 @@ mac_check_vnode_stat(struct ucred *cred, struct vnode *vp) return (error); } +int +mac_check_vnode_write(struct ucred *cred, struct vnode *vp) +{ + int error; + + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_write"); + + if (!mac_enforce_fs) + return (0); + + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + + MAC_CHECK(check_vnode_write, cred, vp, &vp->v_label); + + return (error); +} + + /* * When relabeling a process, call out to the policies for the maximum * permission allowed for each object type we know about in its diff --git a/sys/security/mac/mac_pipe.c b/sys/security/mac/mac_pipe.c index 0d6a898..f8cb676 100644 --- a/sys/security/mac/mac_pipe.c +++ b/sys/security/mac/mac_pipe.c @@ -755,14 +755,18 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_check_vnode_mmap_perms = mpe->mpe_function; break; - case MAC_CHECK_VNODE_OP: - mpc->mpc_ops->mpo_check_vnode_op = - mpe->mpe_function; - break; case MAC_CHECK_VNODE_OPEN: mpc->mpc_ops->mpo_check_vnode_open = mpe->mpe_function; break; + case MAC_CHECK_VNODE_POLL: + mpc->mpc_ops->mpo_check_vnode_poll = + mpe->mpe_function; + break; + case MAC_CHECK_VNODE_READ: + mpc->mpc_ops->mpo_check_vnode_read = + mpe->mpe_function; + break; case MAC_CHECK_VNODE_READDIR: mpc->mpc_ops->mpo_check_vnode_readdir = mpe->mpe_function; @@ -815,6 +819,10 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_check_vnode_stat = mpe->mpe_function; break; + case MAC_CHECK_VNODE_WRITE: + mpc->mpc_ops->mpo_check_vnode_write = + mpe->mpe_function; + break; /* default: printf("MAC policy `%s': unknown operation %d\n", @@ -1762,30 +1770,48 @@ mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp, int newmapping) } int -mac_check_vnode_op(struct ucred *cred, struct vnode *vp, int op) +mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode) { int error; + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open"); + if (!mac_enforce_fs) return (0); - ASSERT_VOP_LOCKED(vp, "mac_check_vnode_op"); + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + + MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode); + return (error); +} + +int +mac_check_vnode_poll(struct ucred *cred, struct vnode *vp) +{ + int error; + + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_poll"); + + if (!mac_enforce_fs) + return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); - MAC_CHECK(check_vnode_op, cred, vp, &vp->v_label, op); + MAC_CHECK(check_vnode_poll, cred, vp, &vp->v_label); return (error); } int -mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode) +mac_check_vnode_read(struct ucred *cred, struct vnode *vp) { int error; - ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open"); + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_read"); if (!mac_enforce_fs) return (0); @@ -1794,7 +1820,8 @@ mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode) if (error) return (error); - MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode); + MAC_CHECK(check_vnode_read, cred, vp, &vp->v_label); + return (error); } @@ -2050,6 +2077,26 @@ mac_check_vnode_stat(struct ucred *cred, struct vnode *vp) return (error); } +int +mac_check_vnode_write(struct ucred *cred, struct vnode *vp) +{ + int error; + + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_write"); + + if (!mac_enforce_fs) + return (0); + + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + + MAC_CHECK(check_vnode_write, cred, vp, &vp->v_label); + + return (error); +} + + /* * When relabeling a process, call out to the policies for the maximum * permission allowed for each object type we know about in its diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h index 5463fa9..9bc28ad 100644 --- a/sys/security/mac/mac_policy.h +++ b/sys/security/mac/mac_policy.h @@ -286,10 +286,12 @@ struct mac_policy_ops { struct componentname *cnp); vm_prot_t (*mpo_check_vnode_mmap_perms)(struct ucred *cred, struct vnode *vp, struct label *label, int newmapping); - int (*mpo_check_vnode_op)(struct ucred *cred, struct vnode *vp, - struct label *label, int op); int (*mpo_check_vnode_open)(struct ucred *cred, struct vnode *vp, struct label *label, mode_t acc_mode); + int (*mpo_check_vnode_poll)(struct ucred *cred, struct vnode *vp, + struct label *label); + int (*mpo_check_vnode_read)(struct ucred *cred, struct vnode *vp, + struct label *label); int (*mpo_check_vnode_readdir)(struct ucred *cred, struct vnode *dvp, struct label *dlabel); int (*mpo_check_vnode_readlink)(struct ucred *cred, @@ -324,6 +326,8 @@ struct mac_policy_ops { struct timespec atime, struct timespec mtime); int (*mpo_check_vnode_stat)(struct ucred *cred, struct vnode *vp, struct label *label); + int (*mpo_check_vnode_write)(struct ucred *cred, struct vnode *vp, + struct label *label); }; typedef const void *macop_t; @@ -426,8 +430,9 @@ enum mac_op_constant { MAC_CHECK_VNODE_GETEXTATTR, MAC_CHECK_VNODE_LOOKUP, MAC_CHECK_VNODE_MMAP_PERMS, - MAC_CHECK_VNODE_OP, MAC_CHECK_VNODE_OPEN, + MAC_CHECK_VNODE_POLL, + MAC_CHECK_VNODE_READ, MAC_CHECK_VNODE_READDIR, MAC_CHECK_VNODE_READLINK, MAC_CHECK_VNODE_RELABEL, @@ -441,6 +446,7 @@ enum mac_op_constant { MAC_CHECK_VNODE_SETOWNER, MAC_CHECK_VNODE_SETUTIMES, MAC_CHECK_VNODE_STAT, + MAC_CHECK_VNODE_WRITE, }; struct mac_policy_op_entry { diff --git a/sys/security/mac/mac_process.c b/sys/security/mac/mac_process.c index 0d6a898..f8cb676 100644 --- a/sys/security/mac/mac_process.c +++ b/sys/security/mac/mac_process.c @@ -755,14 +755,18 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_check_vnode_mmap_perms = mpe->mpe_function; break; - case MAC_CHECK_VNODE_OP: - mpc->mpc_ops->mpo_check_vnode_op = - mpe->mpe_function; - break; case MAC_CHECK_VNODE_OPEN: mpc->mpc_ops->mpo_check_vnode_open = mpe->mpe_function; break; + case MAC_CHECK_VNODE_POLL: + mpc->mpc_ops->mpo_check_vnode_poll = + mpe->mpe_function; + break; + case MAC_CHECK_VNODE_READ: + mpc->mpc_ops->mpo_check_vnode_read = + mpe->mpe_function; + break; case MAC_CHECK_VNODE_READDIR: mpc->mpc_ops->mpo_check_vnode_readdir = mpe->mpe_function; @@ -815,6 +819,10 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_check_vnode_stat = mpe->mpe_function; break; + case MAC_CHECK_VNODE_WRITE: + mpc->mpc_ops->mpo_check_vnode_write = + mpe->mpe_function; + break; /* default: printf("MAC policy `%s': unknown operation %d\n", @@ -1762,30 +1770,48 @@ mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp, int newmapping) } int -mac_check_vnode_op(struct ucred *cred, struct vnode *vp, int op) +mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode) { int error; + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open"); + if (!mac_enforce_fs) return (0); - ASSERT_VOP_LOCKED(vp, "mac_check_vnode_op"); + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + + MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode); + return (error); +} + +int +mac_check_vnode_poll(struct ucred *cred, struct vnode *vp) +{ + int error; + + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_poll"); + + if (!mac_enforce_fs) + return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); - MAC_CHECK(check_vnode_op, cred, vp, &vp->v_label, op); + MAC_CHECK(check_vnode_poll, cred, vp, &vp->v_label); return (error); } int -mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode) +mac_check_vnode_read(struct ucred *cred, struct vnode *vp) { int error; - ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open"); + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_read"); if (!mac_enforce_fs) return (0); @@ -1794,7 +1820,8 @@ mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode) if (error) return (error); - MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode); + MAC_CHECK(check_vnode_read, cred, vp, &vp->v_label); + return (error); } @@ -2050,6 +2077,26 @@ mac_check_vnode_stat(struct ucred *cred, struct vnode *vp) return (error); } +int +mac_check_vnode_write(struct ucred *cred, struct vnode *vp) +{ + int error; + + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_write"); + + if (!mac_enforce_fs) + return (0); + + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + + MAC_CHECK(check_vnode_write, cred, vp, &vp->v_label); + + return (error); +} + + /* * When relabeling a process, call out to the policies for the maximum * permission allowed for each object type we know about in its diff --git a/sys/security/mac/mac_syscalls.c b/sys/security/mac/mac_syscalls.c index 0d6a898..f8cb676 100644 --- a/sys/security/mac/mac_syscalls.c +++ b/sys/security/mac/mac_syscalls.c @@ -755,14 +755,18 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_check_vnode_mmap_perms = mpe->mpe_function; break; - case MAC_CHECK_VNODE_OP: - mpc->mpc_ops->mpo_check_vnode_op = - mpe->mpe_function; - break; case MAC_CHECK_VNODE_OPEN: mpc->mpc_ops->mpo_check_vnode_open = mpe->mpe_function; break; + case MAC_CHECK_VNODE_POLL: + mpc->mpc_ops->mpo_check_vnode_poll = + mpe->mpe_function; + break; + case MAC_CHECK_VNODE_READ: + mpc->mpc_ops->mpo_check_vnode_read = + mpe->mpe_function; + break; case MAC_CHECK_VNODE_READDIR: mpc->mpc_ops->mpo_check_vnode_readdir = mpe->mpe_function; @@ -815,6 +819,10 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_check_vnode_stat = mpe->mpe_function; break; + case MAC_CHECK_VNODE_WRITE: + mpc->mpc_ops->mpo_check_vnode_write = + mpe->mpe_function; + break; /* default: printf("MAC policy `%s': unknown operation %d\n", @@ -1762,30 +1770,48 @@ mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp, int newmapping) } int -mac_check_vnode_op(struct ucred *cred, struct vnode *vp, int op) +mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode) { int error; + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open"); + if (!mac_enforce_fs) return (0); - ASSERT_VOP_LOCKED(vp, "mac_check_vnode_op"); + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + + MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode); + return (error); +} + +int +mac_check_vnode_poll(struct ucred *cred, struct vnode *vp) +{ + int error; + + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_poll"); + + if (!mac_enforce_fs) + return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); - MAC_CHECK(check_vnode_op, cred, vp, &vp->v_label, op); + MAC_CHECK(check_vnode_poll, cred, vp, &vp->v_label); return (error); } int -mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode) +mac_check_vnode_read(struct ucred *cred, struct vnode *vp) { int error; - ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open"); + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_read"); if (!mac_enforce_fs) return (0); @@ -1794,7 +1820,8 @@ mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode) if (error) return (error); - MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode); + MAC_CHECK(check_vnode_read, cred, vp, &vp->v_label); + return (error); } @@ -2050,6 +2077,26 @@ mac_check_vnode_stat(struct ucred *cred, struct vnode *vp) return (error); } +int +mac_check_vnode_write(struct ucred *cred, struct vnode *vp) +{ + int error; + + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_write"); + + if (!mac_enforce_fs) + return (0); + + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + + MAC_CHECK(check_vnode_write, cred, vp, &vp->v_label); + + return (error); +} + + /* * When relabeling a process, call out to the policies for the maximum * permission allowed for each object type we know about in its diff --git a/sys/security/mac/mac_system.c b/sys/security/mac/mac_system.c index 0d6a898..f8cb676 100644 --- a/sys/security/mac/mac_system.c +++ b/sys/security/mac/mac_system.c @@ -755,14 +755,18 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_check_vnode_mmap_perms = mpe->mpe_function; break; - case MAC_CHECK_VNODE_OP: - mpc->mpc_ops->mpo_check_vnode_op = - mpe->mpe_function; - break; case MAC_CHECK_VNODE_OPEN: mpc->mpc_ops->mpo_check_vnode_open = mpe->mpe_function; break; + case MAC_CHECK_VNODE_POLL: + mpc->mpc_ops->mpo_check_vnode_poll = + mpe->mpe_function; + break; + case MAC_CHECK_VNODE_READ: + mpc->mpc_ops->mpo_check_vnode_read = + mpe->mpe_function; + break; case MAC_CHECK_VNODE_READDIR: mpc->mpc_ops->mpo_check_vnode_readdir = mpe->mpe_function; @@ -815,6 +819,10 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_check_vnode_stat = mpe->mpe_function; break; + case MAC_CHECK_VNODE_WRITE: + mpc->mpc_ops->mpo_check_vnode_write = + mpe->mpe_function; + break; /* default: printf("MAC policy `%s': unknown operation %d\n", @@ -1762,30 +1770,48 @@ mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp, int newmapping) } int -mac_check_vnode_op(struct ucred *cred, struct vnode *vp, int op) +mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode) { int error; + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open"); + if (!mac_enforce_fs) return (0); - ASSERT_VOP_LOCKED(vp, "mac_check_vnode_op"); + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + + MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode); + return (error); +} + +int +mac_check_vnode_poll(struct ucred *cred, struct vnode *vp) +{ + int error; + + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_poll"); + + if (!mac_enforce_fs) + return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); - MAC_CHECK(check_vnode_op, cred, vp, &vp->v_label, op); + MAC_CHECK(check_vnode_poll, cred, vp, &vp->v_label); return (error); } int -mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode) +mac_check_vnode_read(struct ucred *cred, struct vnode *vp) { int error; - ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open"); + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_read"); if (!mac_enforce_fs) return (0); @@ -1794,7 +1820,8 @@ mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode) if (error) return (error); - MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode); + MAC_CHECK(check_vnode_read, cred, vp, &vp->v_label); + return (error); } @@ -2050,6 +2077,26 @@ mac_check_vnode_stat(struct ucred *cred, struct vnode *vp) return (error); } +int +mac_check_vnode_write(struct ucred *cred, struct vnode *vp) +{ + int error; + + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_write"); + + if (!mac_enforce_fs) + return (0); + + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + + MAC_CHECK(check_vnode_write, cred, vp, &vp->v_label); + + return (error); +} + + /* * When relabeling a process, call out to the policies for the maximum * permission allowed for each object type we know about in its diff --git a/sys/security/mac/mac_vfs.c b/sys/security/mac/mac_vfs.c index 0d6a898..f8cb676 100644 --- a/sys/security/mac/mac_vfs.c +++ b/sys/security/mac/mac_vfs.c @@ -755,14 +755,18 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_check_vnode_mmap_perms = mpe->mpe_function; break; - case MAC_CHECK_VNODE_OP: - mpc->mpc_ops->mpo_check_vnode_op = - mpe->mpe_function; - break; case MAC_CHECK_VNODE_OPEN: mpc->mpc_ops->mpo_check_vnode_open = mpe->mpe_function; break; + case MAC_CHECK_VNODE_POLL: + mpc->mpc_ops->mpo_check_vnode_poll = + mpe->mpe_function; + break; + case MAC_CHECK_VNODE_READ: + mpc->mpc_ops->mpo_check_vnode_read = + mpe->mpe_function; + break; case MAC_CHECK_VNODE_READDIR: mpc->mpc_ops->mpo_check_vnode_readdir = mpe->mpe_function; @@ -815,6 +819,10 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_check_vnode_stat = mpe->mpe_function; break; + case MAC_CHECK_VNODE_WRITE: + mpc->mpc_ops->mpo_check_vnode_write = + mpe->mpe_function; + break; /* default: printf("MAC policy `%s': unknown operation %d\n", @@ -1762,30 +1770,48 @@ mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp, int newmapping) } int -mac_check_vnode_op(struct ucred *cred, struct vnode *vp, int op) +mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode) { int error; + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open"); + if (!mac_enforce_fs) return (0); - ASSERT_VOP_LOCKED(vp, "mac_check_vnode_op"); + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + + MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode); + return (error); +} + +int +mac_check_vnode_poll(struct ucred *cred, struct vnode *vp) +{ + int error; + + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_poll"); + + if (!mac_enforce_fs) + return (0); error = vn_refreshlabel(vp, cred); if (error) return (error); - MAC_CHECK(check_vnode_op, cred, vp, &vp->v_label, op); + MAC_CHECK(check_vnode_poll, cred, vp, &vp->v_label); return (error); } int -mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode) +mac_check_vnode_read(struct ucred *cred, struct vnode *vp) { int error; - ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open"); + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_read"); if (!mac_enforce_fs) return (0); @@ -1794,7 +1820,8 @@ mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode) if (error) return (error); - MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode); + MAC_CHECK(check_vnode_read, cred, vp, &vp->v_label); + return (error); } @@ -2050,6 +2077,26 @@ mac_check_vnode_stat(struct ucred *cred, struct vnode *vp) return (error); } +int +mac_check_vnode_write(struct ucred *cred, struct vnode *vp) +{ + int error; + + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_write"); + + if (!mac_enforce_fs) + return (0); + + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + + MAC_CHECK(check_vnode_write, cred, vp, &vp->v_label); + + return (error); +} + + /* * When relabeling a process, call out to the policies for the maximum * permission allowed for each object type we know about in its diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c index 83c82e4..6e9e383 100644 --- a/sys/security/mac_biba/mac_biba.c +++ b/sys/security/mac_biba/mac_biba.c @@ -1689,6 +1689,42 @@ mac_biba_check_vnode_open(struct ucred *cred, struct vnode *vp, } static int +mac_biba_check_vnode_poll(struct ucred *cred, struct vnode *vp, + struct label *label) +{ + struct mac_biba *subj, *obj; + + if (!mac_biba_enabled || !mac_biba_revocation_enabled) + return (0); + + subj = SLOT(&cred->cr_label); + obj = SLOT(label); + + if (!mac_biba_dominate_single(obj, subj)) + return (EACCES); + + return (0); +} + +static int +mac_biba_check_vnode_read(struct ucred *cred, struct vnode *vp, + struct label *label) +{ + struct mac_biba *subj, *obj; + + if (!mac_biba_enabled || !mac_biba_revocation_enabled) + return (0); + + subj = SLOT(&cred->cr_label); + obj = SLOT(label); + + if (!mac_biba_dominate_single(obj, subj)) + return (EACCES); + + return (0); +} + +static int mac_biba_check_vnode_readdir(struct ucred *cred, struct vnode *dvp, struct label *dlabel) { @@ -1955,6 +1991,24 @@ mac_biba_check_vnode_stat(struct ucred *cred, struct vnode *vp, return (0); } +static int +mac_biba_check_vnode_write(struct ucred *cred, struct vnode *vp, + struct label *label) +{ + struct mac_biba *subj, *obj; + + if (!mac_biba_enabled || !mac_biba_revocation_enabled) + return (0); + + subj = SLOT(&cred->cr_label); + obj = SLOT(label); + + if (!mac_biba_dominate_single(subj, obj)) + return (EACCES); + + return (0); +} + static vm_prot_t mac_biba_check_vnode_mmap_perms(struct ucred *cred, struct vnode *vp, struct label *label, int newmapping) @@ -1975,36 +2029,6 @@ mac_biba_check_vnode_mmap_perms(struct ucred *cred, struct vnode *vp, return (prot); } -static int -mac_biba_check_vnode_op(struct ucred *cred, struct vnode *vp, - struct label *label, int op) -{ - struct mac_biba *subj, *obj; - - if (!mac_biba_enabled || !mac_biba_revocation_enabled) - return (0); - - subj = SLOT(&cred->cr_label); - obj = SLOT(label); - - switch (op) { - case MAC_OP_VNODE_POLL: - case MAC_OP_VNODE_READ: - if (!mac_biba_dominate_single(obj, subj)) - return (EACCES); - return (0); - - case MAC_OP_VNODE_WRITE: - if (!mac_biba_dominate_single(subj, obj)) - return (EACCES); - return (0); - - default: - printf("mac_biba_check_vnode_op: unknown operation %d\n", op); - return (EINVAL); - } -} - static struct mac_policy_op_entry mac_biba_ops[] = { { MAC_DESTROY, @@ -2189,6 +2213,10 @@ static struct mac_policy_op_entry mac_biba_ops[] = (macop_t)mac_biba_check_vnode_lookup }, { MAC_CHECK_VNODE_OPEN, (macop_t)mac_biba_check_vnode_open }, + { MAC_CHECK_VNODE_POLL, + (macop_t)mac_biba_check_vnode_poll }, + { MAC_CHECK_VNODE_READ, + (macop_t)mac_biba_check_vnode_read }, { MAC_CHECK_VNODE_READDIR, (macop_t)mac_biba_check_vnode_readdir }, { MAC_CHECK_VNODE_READLINK, @@ -2215,10 +2243,10 @@ static struct mac_policy_op_entry mac_biba_ops[] = (macop_t)mac_biba_check_vnode_setutimes }, { MAC_CHECK_VNODE_STAT, (macop_t)mac_biba_check_vnode_stat }, + { MAC_CHECK_VNODE_WRITE, + (macop_t)mac_biba_check_vnode_write }, { MAC_CHECK_VNODE_MMAP_PERMS, (macop_t)mac_biba_check_vnode_mmap_perms }, - { MAC_CHECK_VNODE_OP, - (macop_t)mac_biba_check_vnode_op }, { MAC_OP_LAST, NULL } }; diff --git a/sys/security/mac_mls/mac_mls.c b/sys/security/mac_mls/mac_mls.c index 958bda9..4dca581 100644 --- a/sys/security/mac_mls/mac_mls.c +++ b/sys/security/mac_mls/mac_mls.c @@ -1639,6 +1639,42 @@ mac_mls_check_vnode_open(struct ucred *cred, struct vnode *vp, } static int +mac_mls_check_vnode_poll(struct ucred *cred, struct vnode *vp, + struct label *label) +{ + struct mac_mls *subj, *obj; + + if (!mac_mls_enabled || !mac_mls_revocation_enabled) + return (0); + + subj = SLOT(&cred->cr_label); + obj = SLOT(label); + + if (!mac_mls_dominate_single(subj, obj)) + return (EACCES); + + return (0); +} + +static int +mac_mls_check_vnode_read(struct ucred *cred, struct vnode *vp, + struct label *label) +{ + struct mac_mls *subj, *obj; + + if (!mac_mls_enabled || !mac_mls_revocation_enabled) + return (0); + + subj = SLOT(&cred->cr_label); + obj = SLOT(label); + + if (!mac_mls_dominate_single(subj, obj)) + return (EACCES); + + return (0); +} + +static int mac_mls_check_vnode_readdir(struct ucred *cred, struct vnode *dvp, struct label *dlabel) { @@ -1906,6 +1942,24 @@ mac_mls_check_vnode_stat(struct ucred *cred, struct vnode *vp, return (0); } +static int +mac_mls_check_vnode_write(struct ucred *cred, struct vnode *vp, + struct label *label) +{ + struct mac_mls *subj, *obj; + + if (!mac_mls_enabled || !mac_mls_revocation_enabled) + return (0); + + subj = SLOT(&cred->cr_label); + obj = SLOT(label); + + if (!mac_mls_dominate_single(obj, subj)) + return (EACCES); + + return (0); +} + static vm_prot_t mac_mls_check_vnode_mmap_perms(struct ucred *cred, struct vnode *vp, struct label *label, int newmapping) @@ -1926,36 +1980,6 @@ mac_mls_check_vnode_mmap_perms(struct ucred *cred, struct vnode *vp, return (prot); } -static int -mac_mls_check_vnode_op(struct ucred *cred, struct vnode *vp, - struct label *label, int op) -{ - struct mac_mls *subj, *obj; - - if (!mac_mls_enabled || !mac_mls_revocation_enabled) - return (0); - - subj = SLOT(&cred->cr_label); - obj = SLOT(label); - - switch (op) { - case MAC_OP_VNODE_POLL: - case MAC_OP_VNODE_READ: - if (!mac_mls_dominate_single(subj, obj)) - return (EACCES); - return (0); - - case MAC_OP_VNODE_WRITE: - if (!mac_mls_dominate_single(obj, subj)) - return (EACCES); - return (0); - - default: - printf("mac_mls_check_vnode_op: unknown operation %d\n", op); - return (EINVAL); - } -} - static struct mac_policy_op_entry mac_mls_ops[] = { { MAC_DESTROY, @@ -2140,6 +2164,10 @@ static struct mac_policy_op_entry mac_mls_ops[] = (macop_t)mac_mls_check_vnode_lookup }, { MAC_CHECK_VNODE_OPEN, (macop_t)mac_mls_check_vnode_open }, + { MAC_CHECK_VNODE_POLL, + (macop_t)mac_mls_check_vnode_poll }, + { MAC_CHECK_VNODE_READ, + (macop_t)mac_mls_check_vnode_read }, { MAC_CHECK_VNODE_READDIR, (macop_t)mac_mls_check_vnode_readdir }, { MAC_CHECK_VNODE_READLINK, @@ -2166,10 +2194,10 @@ static struct mac_policy_op_entry mac_mls_ops[] = (macop_t)mac_mls_check_vnode_setutimes }, { MAC_CHECK_VNODE_STAT, (macop_t)mac_mls_check_vnode_stat }, + { MAC_CHECK_VNODE_WRITE, + (macop_t)mac_mls_check_vnode_write }, { MAC_CHECK_VNODE_MMAP_PERMS, (macop_t)mac_mls_check_vnode_mmap_perms }, - { MAC_CHECK_VNODE_OP, - (macop_t)mac_mls_check_vnode_op }, { MAC_OP_LAST, NULL } }; diff --git a/sys/security/mac_none/mac_none.c b/sys/security/mac_none/mac_none.c index b1f154e..b7e5fdd 100644 --- a/sys/security/mac_none/mac_none.c +++ b/sys/security/mac_none/mac_none.c @@ -775,6 +775,22 @@ mac_none_check_vnode_open(struct ucred *cred, struct vnode *vp, } static int +mac_none_check_vnode_poll(struct ucred *cred, struct vnode *vp, + struct label *label) +{ + + return (0); +} + +static int +mac_none_check_vnode_read(struct ucred *cred, struct vnode *vp, + struct label *label) +{ + + return (0); +} + +static int mac_none_check_vnode_readdir(struct ucred *cred, struct vnode *vp, struct label *dlabel) { @@ -880,6 +896,14 @@ mac_none_check_vnode_stat(struct ucred *cred, struct vnode *vp, return (0); } +static int +mac_none_check_vnode_write(struct ucred *cred, struct vnode *vp, + struct label *label) +{ + + return (0); +} + static struct mac_policy_op_entry mac_none_ops[] = { { MAC_DESTROY, @@ -1072,6 +1096,10 @@ static struct mac_policy_op_entry mac_none_ops[] = (macop_t)mac_none_check_vnode_lookup }, { MAC_CHECK_VNODE_OPEN, (macop_t)mac_none_check_vnode_open }, + { MAC_CHECK_VNODE_POLL, + (macop_t)mac_none_check_vnode_poll }, + { MAC_CHECK_VNODE_READ, + (macop_t)mac_none_check_vnode_read }, { MAC_CHECK_VNODE_READDIR, (macop_t)mac_none_check_vnode_readdir }, { MAC_CHECK_VNODE_READLINK, @@ -1098,6 +1126,8 @@ static struct mac_policy_op_entry mac_none_ops[] = (macop_t)mac_none_check_vnode_setutimes }, { MAC_CHECK_VNODE_STAT, (macop_t)mac_none_check_vnode_stat }, + { MAC_CHECK_VNODE_WRITE, + (macop_t)mac_none_check_vnode_write }, { MAC_OP_LAST, NULL } }; diff --git a/sys/security/mac_stub/mac_stub.c b/sys/security/mac_stub/mac_stub.c index b1f154e..b7e5fdd 100644 --- a/sys/security/mac_stub/mac_stub.c +++ b/sys/security/mac_stub/mac_stub.c @@ -775,6 +775,22 @@ mac_none_check_vnode_open(struct ucred *cred, struct vnode *vp, } static int +mac_none_check_vnode_poll(struct ucred *cred, struct vnode *vp, + struct label *label) +{ + + return (0); +} + +static int +mac_none_check_vnode_read(struct ucred *cred, struct vnode *vp, + struct label *label) +{ + + return (0); +} + +static int mac_none_check_vnode_readdir(struct ucred *cred, struct vnode *vp, struct label *dlabel) { @@ -880,6 +896,14 @@ mac_none_check_vnode_stat(struct ucred *cred, struct vnode *vp, return (0); } +static int +mac_none_check_vnode_write(struct ucred *cred, struct vnode *vp, + struct label *label) +{ + + return (0); +} + static struct mac_policy_op_entry mac_none_ops[] = { { MAC_DESTROY, @@ -1072,6 +1096,10 @@ static struct mac_policy_op_entry mac_none_ops[] = (macop_t)mac_none_check_vnode_lookup }, { MAC_CHECK_VNODE_OPEN, (macop_t)mac_none_check_vnode_open }, + { MAC_CHECK_VNODE_POLL, + (macop_t)mac_none_check_vnode_poll }, + { MAC_CHECK_VNODE_READ, + (macop_t)mac_none_check_vnode_read }, { MAC_CHECK_VNODE_READDIR, (macop_t)mac_none_check_vnode_readdir }, { MAC_CHECK_VNODE_READLINK, @@ -1098,6 +1126,8 @@ static struct mac_policy_op_entry mac_none_ops[] = (macop_t)mac_none_check_vnode_setutimes }, { MAC_CHECK_VNODE_STAT, (macop_t)mac_none_check_vnode_stat }, + { MAC_CHECK_VNODE_WRITE, + (macop_t)mac_none_check_vnode_write }, { MAC_OP_LAST, NULL } }; diff --git a/sys/security/mac_test/mac_test.c b/sys/security/mac_test/mac_test.c index 2e0d3ca..5c97a1b 100644 --- a/sys/security/mac_test/mac_test.c +++ b/sys/security/mac_test/mac_test.c @@ -983,6 +983,22 @@ mac_test_check_vnode_open(struct ucred *cred, struct vnode *vp, } static int +mac_test_check_vnode_poll(struct ucred *cred, struct vnode *vp, + struct label *label) +{ + + return (0); +} + +static int +mac_test_check_vnode_read(struct ucred *cred, struct vnode *vp, + struct label *label) +{ + + return (0); +} + +static int mac_test_check_vnode_readdir(struct ucred *cred, struct vnode *dvp, struct label *dlabel) { @@ -1088,6 +1104,14 @@ mac_test_check_vnode_stat(struct ucred *cred, struct vnode *vp, return (0); } +static int +mac_test_check_vnode_write(struct ucred *cred, struct vnode *vp, + struct label *label) +{ + + return (0); +} + static struct mac_policy_op_entry mac_test_ops[] = { { MAC_DESTROY, @@ -1278,6 +1302,10 @@ static struct mac_policy_op_entry mac_test_ops[] = (macop_t)mac_test_check_vnode_lookup }, { MAC_CHECK_VNODE_OPEN, (macop_t)mac_test_check_vnode_open }, + { MAC_CHECK_VNODE_POLL, + (macop_t)mac_test_check_vnode_poll }, + { MAC_CHECK_VNODE_READ, + (macop_t)mac_test_check_vnode_read }, { MAC_CHECK_VNODE_READDIR, (macop_t)mac_test_check_vnode_readdir }, { MAC_CHECK_VNODE_READLINK, @@ -1304,6 +1332,8 @@ static struct mac_policy_op_entry mac_test_ops[] = (macop_t)mac_test_check_vnode_setutimes }, { MAC_CHECK_VNODE_STAT, (macop_t)mac_test_check_vnode_stat }, + { MAC_CHECK_VNODE_WRITE, + (macop_t)mac_test_check_vnode_write }, { MAC_OP_LAST, NULL } }; diff --git a/sys/sys/mac.h b/sys/sys/mac.h index d80387c..3d73df4 100644 --- a/sys/sys/mac.h +++ b/sys/sys/mac.h @@ -341,9 +341,10 @@ int mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, /* XXX This u_char should be vm_prot_t! */ u_char mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp, int newmapping); -int mac_check_vnode_op(struct ucred *cred, struct vnode *vp, int op); int mac_check_vnode_open(struct ucred *cred, struct vnode *vp, mode_t acc_mode); +int mac_check_vnode_poll(struct ucred *cred, struct vnode *vp); +int mac_check_vnode_read(struct ucred *cred, struct vnode *vp); int mac_check_vnode_readdir(struct ucred *cred, struct vnode *vp); int mac_check_vnode_readlink(struct ucred *cred, struct vnode *vp); int mac_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp, @@ -364,6 +365,7 @@ int mac_check_vnode_setowner(struct ucred *cred, struct vnode *vp, int mac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp, struct timespec atime, struct timespec mtime); int mac_check_vnode_stat(struct ucred *cred, struct vnode *vp); +int mac_check_vnode_write(struct ucred *cred, struct vnode *vp); int mac_getsockopt_label_get(struct ucred *cred, struct socket *so, struct mac *extmac); int mac_getsockopt_peerlabel_get(struct ucred *cred, struct socket *so, diff --git a/sys/sys/mac_policy.h b/sys/sys/mac_policy.h index 5463fa9..9bc28ad 100644 --- a/sys/sys/mac_policy.h +++ b/sys/sys/mac_policy.h @@ -286,10 +286,12 @@ struct mac_policy_ops { struct componentname *cnp); vm_prot_t (*mpo_check_vnode_mmap_perms)(struct ucred *cred, struct vnode *vp, struct label *label, int newmapping); - int (*mpo_check_vnode_op)(struct ucred *cred, struct vnode *vp, - struct label *label, int op); int (*mpo_check_vnode_open)(struct ucred *cred, struct vnode *vp, struct label *label, mode_t acc_mode); + int (*mpo_check_vnode_poll)(struct ucred *cred, struct vnode *vp, + struct label *label); + int (*mpo_check_vnode_read)(struct ucred *cred, struct vnode *vp, + struct label *label); int (*mpo_check_vnode_readdir)(struct ucred *cred, struct vnode *dvp, struct label *dlabel); int (*mpo_check_vnode_readlink)(struct ucred *cred, @@ -324,6 +326,8 @@ struct mac_policy_ops { struct timespec atime, struct timespec mtime); int (*mpo_check_vnode_stat)(struct ucred *cred, struct vnode *vp, struct label *label); + int (*mpo_check_vnode_write)(struct ucred *cred, struct vnode *vp, + struct label *label); }; typedef const void *macop_t; @@ -426,8 +430,9 @@ enum mac_op_constant { MAC_CHECK_VNODE_GETEXTATTR, MAC_CHECK_VNODE_LOOKUP, MAC_CHECK_VNODE_MMAP_PERMS, - MAC_CHECK_VNODE_OP, MAC_CHECK_VNODE_OPEN, + MAC_CHECK_VNODE_POLL, + MAC_CHECK_VNODE_READ, MAC_CHECK_VNODE_READDIR, MAC_CHECK_VNODE_READLINK, MAC_CHECK_VNODE_RELABEL, @@ -441,6 +446,7 @@ enum mac_op_constant { MAC_CHECK_VNODE_SETOWNER, MAC_CHECK_VNODE_SETUTIMES, MAC_CHECK_VNODE_STAT, + MAC_CHECK_VNODE_WRITE, }; struct mac_policy_op_entry { |
