mac_do.c - OpenGrok cross reference for /freebsd/sys/security/mac_do/mac

Lines Matching full:rules
45     &print_parse_error, 0, "Print parse errors on setting rules "
48 static MALLOC_DEFINE(M_DO, "do_rule", "Rules for mac_do");
78  * required for parsing rules specification strings.
168 struct rules {  struct
316 toast_rules(struct rules *const rules)  in toast_rules()  argument
318 	struct rulehead *const head = &rules->head;  in toast_rules()
326 	free(rules, M_DO);  in toast_rules()
329 static struct rules *
332 	struct rules *const rules = malloc(sizeof(*rules), M_DO, M_WAITOK);  in alloc_rules()  local
335 	rules->string[0] = 0;  in alloc_rules()
336 	STAILQ_INIT(&rules->head);  in alloc_rules()
337 	rules->use_count = 0;  in alloc_rules()
338 	return (rules);  in alloc_rules()
861 parse_single_rule(char *rule, struct rules *const rules,  in parse_single_rule()  argument
876 	/* Freed when the 'struct rules' container is freed. */  in parse_single_rule()
890 		    "the \"from\" part of rules.");  in parse_single_rule()
968 	STAILQ_INSERT_TAIL(&rules->head, new, r_entries);  in parse_single_rule()
984  * Parse rules specification and produce rule structures out of it.
987  * representing the rules.  On error, the returned value is non-zero and
994  * Expected format: A semi-colon-separated list of rules of the form
999  * rules are allowed (and do nothing), and spaces and tabs are allowed (and
1009 parse_rules(const char *const string, struct rules **const rulesp,  in parse_rules()
1014 	struct rules *rules;  in parse_rules()  local
1026 	rules = alloc_rules();  in parse_rules()
1027 	bcopy(string, rules->string, len + 1);  in parse_rules()
1028 	MPASS(rules->string[len] == '\0'); /* Catch some races. */  in parse_rules()
1038 		error = parse_single_rule(rule, rules, parse_error);  in parse_rules()
1041 			toast_rules(rules);  in parse_rules()
1046 	*rulesp = rules;  in parse_rules()
1053  * Find rules applicable to the passed prison.
1055  * Returns the applicable rules (and never NULL).  'pr' must be unlocked.
1057  * once the caller is done accessing the rules.  '*aprp' is equal to 'pr' if and
1058  * only if the current jail has its own set of rules.
1060 static struct rules *
1064 	struct rules *rules;  in find_rules()  local
1069 		rules = osd_jail_get(cpr, osd_jail_slot);  in find_rules()
1070 		if (rules != NULL)  in find_rules()
1075 		MPASS(ppr != NULL); /* prison0 always has rules. */  in find_rules()
1080 	return (rules);  in find_rules()
1084 hold_rules(struct rules *const rules)  in hold_rules()  argument
1086 	refcount_acquire(&rules->use_count);  in hold_rules()
1090 drop_rules(struct rules *const rules)  in drop_rules()  argument
1092 	if (refcount_release(&rules->use_count))  in drop_rules()
1093 		toast_rules(rules);  in drop_rules()
1098 check_rules_use_count(const struct rules *const rules, u_int expected)  in check_rules_use_count()  argument
1100 	const u_int use_count = refcount_load(&rules->use_count);  in check_rules_use_count()
1103 		panic("MAC/do: Rules at %p: Use count is %u, expected %u",  in check_rules_use_count()
1104 		    rules, use_count, expected);  in check_rules_use_count()
1119 	struct rules *const rules = value;  in dealloc_jail_osd()  local
1123 	 * using the rules but us at this point because no threads of that jail  in dealloc_jail_osd()
1129 	 * where the rules' reference count has been bumped to keep them alive  in dealloc_jail_osd()
1130 	 * even if the rules on the "holding" jail has been concurrently  in dealloc_jail_osd()
1135 	check_rules_use_count(rules, 1);  in dealloc_jail_osd()
1136 	toast_rules(rules);  in dealloc_jail_osd()
1140  * Remove the rules specifically associated to a prison.
1142  * In practice, this means that the rules become inherited (from the closest
1150 	struct rules *old_rules;  in remove_rules()
1155 	 * We go to the burden of extracting rules first instead of just letting  in remove_rules()
1175  * Assign already built rules to a jail.
1178 set_rules(struct prison *const pr, struct rules *const rules)  in set_rules()  argument
1180 	struct rules *old_rules;  in set_rules()
1183 	check_rules_use_count(rules, 0);  in set_rules()
1184 	hold_rules(rules);  in set_rules()
1189 	osd_jail_set_reserved(pr, osd_jail_slot, rsv, rules);  in set_rules()
1196  * Assigns empty rules to a jail.
1201 	struct rules *const rules = alloc_rules();  in set_empty_rules()  local
1203 	set_rules(pr, rules);  in set_empty_rules()
1207  * Parse a rules specification and assign them to a jail.
1215 	struct rules *rules;  in parse_and_set_rules()  local
1218 	error = parse_rules(rules_string, &rules, parse_error);  in parse_and_set_rules()
1221 	set_rules(pr, rules);  in parse_and_set_rules()
1231 	struct rules *rules;  in mac_do_sysctl_rules()  local
1235 	rules = find_rules(td_pr, &pr);  in mac_do_sysctl_rules()
1236 	strlcpy(buf, rules->string, MAC_RULE_STRING_LEN);  in mac_do_sysctl_rules()
1243 	/* Set our prison's rules, not that of the jail we inherited from. */  in mac_do_sysctl_rules()
1256 SYSCTL_PROC(_security_mac_do, OID_AUTO, rules,
1259     "Rules");
1263 SYSCTL_JAIL_PARAM_STRING(_mac_do, rules, CTLFLAG_RW, MAC_RULE_STRING_LEN,
1264     "Jail MAC/do rules");
1281 	struct rules *rules;  in mac_do_jail_get()  local
1284 	rules = find_rules(pr, &ppr);  in mac_do_jail_get()
1287 	    (STAILQ_EMPTY(&rules->head) ? JAIL_SYS_DISABLE : JAIL_SYS_NEW) :  in mac_do_jail_get()
1293 	error = vfs_setopts(opts, "mac.do.rules", rules->string);  in mac_do_jail_get()
1311  * We perform only cheap checks here, i.e., we do not really parse the rules
1338 	error = vfs_getopt(opts, "mac.do.rules", (void**)&rules_string, &size);  in mac_do_jail_check()
1341 		 * Default (in absence of "mac.do.rules") is to disable (and, in  in mac_do_jail_check()
1348 			vfs_opterror(opts, "'mac.do.rules' must be specified "  in mac_do_jail_check()
1353 		/* Absence of "mac.do.rules" at this point is OK. */  in mac_do_jail_check()
1361 			vfs_opterror(opts, "'mac.do.rules' not a proper string");  in mac_do_jail_check()
1366 			vfs_opterror(opts, "'mdo.rules' too long");  in mac_do_jail_check()
1371 			/* Default (if "mac.do.rules" is present). */  in mac_do_jail_check()
1377 		 * with an explicit empty rules specification.  in mac_do_jail_check()
1383 				vfs_opterror(opts, "'mac.do.rules' specified "  in mac_do_jail_check()
1413 	rules_string = vfs_getopts(opts, "mac.do.rules", &error);  in mac_do_jail_set()
1418 			/* Default (if "mac.do.rules" is present). */  in mac_do_jail_set()
1430 			 * Default (in absence of "mac.do.rules") is to disable  in mac_do_jail_set()
1493 	/* Rules to apply. */
1494 	struct rules	*rules;  member
1506  * a call to setcred() is in progress by storing the rules per-thread
1537 		drop_rules(hdr->rules);  in clear_data()
1559     struct rules *const rules)  in set_data_header()  argument
1568 	hdr->rules = rules;  in set_data_header()
1934 	const struct rules *rules;  in mac_do_priv_grant()  local
1951 	rules = data->hdr.rules;  in mac_do_priv_grant()
1960 	 * we are actually going to check.  Currently, this rules out the  in mac_do_priv_grant()
1971 	 * Browse rules, and for those that match the requestor, call specific  in mac_do_priv_grant()
1975 	STAILQ_FOREACH(rule, &rules->head, r_entries)  in mac_do_priv_grant()
2015 	struct rules *rules;  in mac_do_setcred_enter()  local
2037 	 * Find the currently applicable rules.  in mac_do_setcred_enter()
2039 	rules = find_rules(curproc->p_ucred->cr_prison, &pr);  in mac_do_setcred_enter()
2040 	hold_rules(rules);  in mac_do_setcred_enter()
2049 	set_data_header(data, sizeof(*data), PRIV_CRED_SETCRED, rules);  in mac_do_setcred_enter()
In current file

In project "undefined"

On Google
