Lines Matching +full:mac +full:- +full:s
1 /*-
2 * Copyright (c) 1999-2002, 2006, 2009 Robert N. M. Watson
3 * Copyright (c) 2001 Ilmar S. Habibulin
4 * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
5 * Copyright (c) 2005-2006 SPARTA, Inc.
6 * Copyright (c) 2008-2009 Apple Inc.
14 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
18 * N66001-04-C-6019 ("SEFOS").
45 /*-
47 * kernel infrastructure for the TrustedBSD MAC Framework, including policy
51 * The MAC Framework implements three programming interfaces:
53 * - The kernel MAC interface, defined in mac_framework.h, and invoked
57 * - The MAC policy module interface, defined in mac_policy.h, which is
58 * implemented by MAC policy modules and invoked by the MAC Framework to
61 * - The user MAC API, defined in mac.h, which allows user programs to query
64 * The majority of the MAC Framework implementation may be found in
65 * src/sys/security/mac. Sample policy modules may be found in
77 #include <sys/mac.h>
85 #include <security/mac/mac_framework.h>
86 #include <security/mac/mac_internal.h>
87 #include <security/mac/mac_policy.h>
90 * DTrace SDT providers for MAC.
92 SDT_PROVIDER_DEFINE(mac);
95 SDT_PROBE_DEFINE2(mac, , policy, modevent, "int",
97 SDT_PROBE_DEFINE1(mac, , policy, register,
99 SDT_PROBE_DEFINE1(mac, , policy, unregister,
103 * Root sysctl node for all MAC and MAC policy controls.
105 SYSCTL_NODE(_security, OID_AUTO, mac, CTLFLAG_RW | CTLFLAG_MPSAFE, 0,
106 "TrustedBSD MAC policy controls");
109 * Root sysctl node for MAC modules' jail parameters.
111 SYSCTL_JAIL_PARAM_NODE(mac, "Jail parameters for MAC policy controls");
114 * Declare that the kernel provides a specific version of MAC support.
116 * present, even if it's pre-boot.
126 * The following is a band-aid.
160 * as required. The MAC Framework maintains a bitmask of slots allocated so
161 * far to prevent reuse. Slots cannot be reused, as the MAC Framework
173 static unsigned int mac_slot_offsets_free = (1 << MAC_MAX_SLOTS) - 1;
187 * of the per-policy object flags to track whether we will allocate a label
188 * for an object type at run-time.
194 MALLOC_DEFINE(M_MACTEMP, "mactemp", "MAC temporary label storage");
197 * MAC policy modules are placed in one of two lists: mac_static_policy_list,
210 * over calls to the MAC Framework, during network processing in ithreads,
215 static struct rmlock mac_policy_rm; /* Non-sleeping entry points. */
320 * Initialize the MAC subsystem, including appropriate SMP locks.
350 * Given a policy, derive from its set of non-NULL label init methods what
359 if (mpc->mpc_ops->mpo_ ## method != NULL) \ in mac_policy_getlabeled()
466 MPASS(mpfe->count >= 0); in mac_policy_fastpath_enable()
467 mpfe->count++; in mac_policy_fastpath_enable()
468 if (mpfe->count == 1) { in mac_policy_fastpath_enable()
469 MPASS(*mpfe->flag == false); in mac_policy_fastpath_enable()
470 *mpfe->flag = true; in mac_policy_fastpath_enable()
478 MPASS(mpfe->count >= 1); in mac_policy_fastpath_disable()
479 mpfe->count--; in mac_policy_fastpath_disable()
480 if (mpfe->count == 0) { in mac_policy_fastpath_disable()
481 MPASS(*mpfe->flag == true); in mac_policy_fastpath_disable()
482 *mpfe->flag = false; in mac_policy_fastpath_disable()
495 ops = (uintptr_t **)mpc->mpc_ops; in mac_policy_fastpath_register()
498 if (ops[mpfe->offset] != NULL) in mac_policy_fastpath_register()
512 ops = (uintptr_t **)mpc->mpc_ops; in mac_policy_fastpath_unregister()
515 if (ops[mpfe->offset] != NULL) in mac_policy_fastpath_unregister()
539 * we have to stick it in the non-static list and pay an extra in mac_policy_register()
544 !(mpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_UNLOADOK)); in mac_policy_register()
551 if (strcmp(tmpc->mpc_name, mpc->mpc_name) == 0) { in mac_policy_register()
556 if (mpc->mpc_field_off != NULL) { in mac_policy_register()
562 slot--; in mac_policy_register()
564 *mpc->mpc_field_off = slot; in mac_policy_register()
566 mpc->mpc_runtime_flags |= MPC_RUNTIME_FLAG_REGISTERED; in mac_policy_register()
578 * Per-policy initialization. Currently, this takes place under the in mac_policy_register()
581 * "init" occurring without the lock held. Likewise, on tear-down, in mac_policy_register()
584 if (mpc->mpc_ops->mpo_init != NULL) in mac_policy_register()
585 (*(mpc->mpc_ops->mpo_init))(mpc); in mac_policy_register()
591 SDT_PROBE1(mac, , policy, register, mpc); in mac_policy_register()
592 printf("Security policy loaded: %s (%s)\n", mpc->mpc_fullname, in mac_policy_register()
593 mpc->mpc_name); in mac_policy_register()
606 * if we did the run-time registration, and if not, silently succeed. in mac_policy_unregister()
609 if ((mpc->mpc_runtime_flags & MPC_RUNTIME_FLAG_REGISTERED) == 0) { in mac_policy_unregister()
617 if (mpc->mpc_field_off != NULL) { in mac_policy_unregister()
626 if ((mpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_UNLOADOK) == 0) { in mac_policy_unregister()
633 if (mpc->mpc_ops->mpo_destroy != NULL) in mac_policy_unregister()
634 (*(mpc->mpc_ops->mpo_destroy))(mpc); in mac_policy_unregister()
637 mpc->mpc_runtime_flags &= ~MPC_RUNTIME_FLAG_REGISTERED; in mac_policy_unregister()
641 SDT_PROBE1(mac, , policy, unregister, mpc); in mac_policy_unregister()
642 printf("Security policy unload: %s (%s)\n", mpc->mpc_fullname, in mac_policy_unregister()
643 mpc->mpc_name); in mac_policy_unregister()
649 * Allow MAC policy modules to register during boot, etc.
667 SDT_PROBE2(mac, , policy, modevent, type, mpc); in mac_policy_modevent()
670 if (mpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_NOTLATE && in mac_policy_modevent()
672 printf("mac_policy_modevent: can't load %s policy " in mac_policy_modevent()
673 "after booting\n", mpc->mpc_name); in mac_policy_modevent()
681 if ((mpc->mpc_runtime_flags & MPC_RUNTIME_FLAG_REGISTERED) in mac_policy_modevent()
703 /* Certain decision-making errors take top priority. */ in mac_error_select()
718 /* Precedence goes to DAC/MAC protections. */ in mac_error_select()
733 mac_check_structmac_consistent(const struct mac *mac) in mac_check_structmac_consistent() argument
735 /* Require that labels have a non-zero length. */ in mac_check_structmac_consistent()
736 if (mac->m_buflen > MAC_MAX_LABEL_BUF_LEN || in mac_check_structmac_consistent()
737 mac->m_buflen <= sizeof("")) in mac_check_structmac_consistent()
743 SYSINIT(mac, SI_SUB_MAC, SI_ORDER_FIRST, mac_init, NULL);