
1 /*-
2 * Copyright (c) 1999-2002, 2007-2011 Robert N. M. Watson
3 * Copyright (c) 2001-2005 McAfee, Inc.
11 * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA
15 * N66001-04-C-6019 ("SEFOS").
93 CTLFLAG_RW | CTLFLAG_MPSAFE, 0,
98 &mls_label_size, 0, "Size of struct mac_mls");
101 SYSCTL_INT(_security_mac_mls, OID_AUTO, enabled, CTLFLAG_RWTUN, &mls_enabled, 0,
106 &destroyed_not_inited, 0, "Count of labels destroyed but not inited");
108 static int ptys_equal = 0;
110 &ptys_equal, 0, "Label pty devices as mls/equal on create");
112 static int revocation_enabled = 0;
114 &revocation_enabled, 0, "Revoke access to objects on relabel");
118 &max_compartments, 0, "Maximum compartments the policy supports");
130 for (i = 0; i < MAC_MLS_MAX_COMPARTMENTS >> 3; i++) in mls_bit_set_empty()
131 if (set[i] != 0) in mls_bit_set_empty()
132 return (0); in mls_bit_set_empty()
144 mls_free(struct mac_mls *mm) in mls_free() argument
147 if (mm != NULL) in mls_free()
148 uma_zfree(zone_mls, mm); in mls_free()
154 mls_atmostflags(struct mac_mls *mm, int flags) in mls_atmostflags() argument
157 if ((mm->mm_flags & flags) != mm->mm_flags) in mls_atmostflags()
159 return (0); in mls_atmostflags()
167 switch (a->mme_type) { in mls_dominate_element()
173 switch (b->mme_type) { in mls_dominate_element()
176 return (0); in mls_dominate_element()
183 panic("mls_dominate_element: b->mme_type invalid"); in mls_dominate_element()
187 switch (b->mme_type) { in mls_dominate_element()
193 return (0); in mls_dominate_element()
198 a->mme_compartments) && in mls_dominate_element()
199 MAC_MLS_BIT_TEST(bit, b->mme_compartments)) in mls_dominate_element()
200 return (0); in mls_dominate_element()
201 return (a->mme_level >= b->mme_level); in mls_dominate_element()
204 panic("mls_dominate_element: b->mme_type invalid"); in mls_dominate_element()
208 panic("mls_dominate_element: a->mme_type invalid"); in mls_dominate_element()
211 return (0); in mls_dominate_element()
218 return (mls_dominate_element(&rangeb->mm_rangehigh, in mls_range_in_range()
219 &rangea->mm_rangehigh) && in mls_range_in_range()
220 mls_dominate_element(&rangea->mm_rangelow, in mls_range_in_range()
221 &rangeb->mm_rangelow)); in mls_range_in_range()
228 KASSERT((effective->mm_flags & MAC_MLS_FLAG_EFFECTIVE) != 0, in mls_effective_in_range()
230 KASSERT((range->mm_flags & MAC_MLS_FLAG_RANGE) != 0, in mls_effective_in_range()
233 return (mls_dominate_element(&range->mm_rangehigh, in mls_effective_in_range()
234 &effective->mm_effective) && in mls_effective_in_range()
235 mls_dominate_element(&effective->mm_effective, in mls_effective_in_range()
236 &range->mm_rangelow)); in mls_effective_in_range()
244 KASSERT((a->mm_flags & MAC_MLS_FLAG_EFFECTIVE) != 0, in mls_dominate_effective()
246 KASSERT((b->mm_flags & MAC_MLS_FLAG_EFFECTIVE) != 0, in mls_dominate_effective()
249 return (mls_dominate_element(&a->mm_effective, &b->mm_effective)); in mls_dominate_effective()
256 if (a->mme_type == MAC_MLS_TYPE_EQUAL || in mls_equal_element()
257 b->mme_type == MAC_MLS_TYPE_EQUAL) in mls_equal_element()
260 return (a->mme_type == b->mme_type && a->mme_level == b->mme_level); in mls_equal_element()
267 KASSERT((a->mm_flags & MAC_MLS_FLAG_EFFECTIVE) != 0, in mls_equal_effective()
269 KASSERT((b->mm_flags & MAC_MLS_FLAG_EFFECTIVE) != 0, in mls_equal_effective()
272 return (mls_equal_element(&a->mm_effective, &b->mm_effective)); in mls_equal_effective()
276 mls_contains_equal(struct mac_mls *mm) in mls_contains_equal() argument
279 if (mm->mm_flags & MAC_MLS_FLAG_EFFECTIVE) in mls_contains_equal()
280 if (mm->mm_effective.mme_type == MAC_MLS_TYPE_EQUAL) in mls_contains_equal()
283 if (mm->mm_flags & MAC_MLS_FLAG_RANGE) { in mls_contains_equal()
284 if (mm->mm_rangelow.mme_type == MAC_MLS_TYPE_EQUAL) in mls_contains_equal()
286 if (mm->mm_rangehigh.mme_type == MAC_MLS_TYPE_EQUAL) in mls_contains_equal()
290 return (0); in mls_contains_equal()
294 mls_subject_privileged(struct mac_mls *mm) in mls_subject_privileged() argument
297 KASSERT((mm->mm_flags & MAC_MLS_FLAGS_BOTH) == MAC_MLS_FLAGS_BOTH, in mls_subject_privileged()
301 if (mm->mm_effective.mme_type == MAC_MLS_TYPE_EQUAL) in mls_subject_privileged()
302 return (0); in mls_subject_privileged()
305 if (mm->mm_rangelow.mme_type == MAC_MLS_TYPE_EQUAL || in mls_subject_privileged()
306 mm->mm_rangehigh.mme_type == MAC_MLS_TYPE_EQUAL) in mls_subject_privileged()
307 return (0); in mls_subject_privileged()
309 /* If the range is low-high, it's ok. */ in mls_subject_privileged()
310 if (mm->mm_rangelow.mme_type == MAC_MLS_TYPE_LOW && in mls_subject_privileged()
311 mm->mm_rangehigh.mme_type == MAC_MLS_TYPE_HIGH) in mls_subject_privileged()
312 return (0); in mls_subject_privileged()
319 mls_valid(struct mac_mls *mm) in mls_valid() argument
322 if (mm->mm_flags & MAC_MLS_FLAG_EFFECTIVE) { in mls_valid()
323 switch (mm->mm_effective.mme_type) { in mls_valid()
330 if (mm->mm_effective.mme_level != 0 || in mls_valid()
332 mm->mm_effective.mme_compartments)) in mls_valid()
340 if (mm->mm_effective.mme_type != MAC_MLS_TYPE_UNDEF) in mls_valid()
344 if (mm->mm_flags & MAC_MLS_FLAG_RANGE) { in mls_valid()
345 switch (mm->mm_rangelow.mme_type) { in mls_valid()
352 if (mm->mm_rangelow.mme_level != 0 || in mls_valid()
354 mm->mm_rangelow.mme_compartments)) in mls_valid()
362 switch (mm->mm_rangehigh.mme_type) { in mls_valid()
369 if (mm->mm_rangehigh.mme_level != 0 || in mls_valid()
371 mm->mm_rangehigh.mme_compartments)) in mls_valid()
378 if (!mls_dominate_element(&mm->mm_rangehigh, in mls_valid()
379 &mm->mm_rangelow)) in mls_valid()
382 if (mm->mm_rangelow.mme_type != MAC_MLS_TYPE_UNDEF || in mls_valid()
383 mm->mm_rangehigh.mme_type != MAC_MLS_TYPE_UNDEF) in mls_valid()
387 return (0); in mls_valid()
391 mls_set_range(struct mac_mls *mm, u_short typelow, u_short levellow, in mls_set_range() argument
396 mm->mm_rangelow.mme_type = typelow; in mls_set_range()
397 mm->mm_rangelow.mme_level = levellow; in mls_set_range()
399 memcpy(mm->mm_rangelow.mme_compartments, compartmentslow, in mls_set_range()
400 sizeof(mm->mm_rangelow.mme_compartments)); in mls_set_range()
401 mm->mm_rangehigh.mme_type = typehigh; in mls_set_range()
402 mm->mm_rangehigh.mme_level = levelhigh; in mls_set_range()
404 memcpy(mm->mm_rangehigh.mme_compartments, compartmentshigh, in mls_set_range()
405 sizeof(mm->mm_rangehigh.mme_compartments)); in mls_set_range()
406 mm->mm_flags |= MAC_MLS_FLAG_RANGE; in mls_set_range()
410 mls_set_effective(struct mac_mls *mm, u_short type, u_short level, in mls_set_effective() argument
414 mm->mm_effective.mme_type = type; in mls_set_effective()
415 mm->mm_effective.mme_level = level; in mls_set_effective()
417 memcpy(mm->mm_effective.mme_compartments, compartments, in mls_set_effective()
418 sizeof(mm->mm_effective.mme_compartments)); in mls_set_effective()
419 mm->mm_flags |= MAC_MLS_FLAG_EFFECTIVE; in mls_set_effective()
426 KASSERT((labelfrom->mm_flags & MAC_MLS_FLAG_RANGE) != 0, in mls_copy_range()
429 labelto->mm_rangelow = labelfrom->mm_rangelow; in mls_copy_range()
430 labelto->mm_rangehigh = labelfrom->mm_rangehigh; in mls_copy_range()
431 labelto->mm_flags |= MAC_MLS_FLAG_RANGE; in mls_copy_range()
438 KASSERT((labelfrom->mm_flags & MAC_MLS_FLAG_EFFECTIVE) != 0, in mls_copy_effective()
441 labelto->mm_effective = labelfrom->mm_effective; in mls_copy_effective()
442 labelto->mm_flags |= MAC_MLS_FLAG_EFFECTIVE; in mls_copy_effective()
449 if (source->mm_flags & MAC_MLS_FLAG_EFFECTIVE) in mls_copy()
451 if (source->mm_flags & MAC_MLS_FLAG_RANGE) in mls_copy()
463 NULL, NULL, NULL, UMA_ALIGN_PTR, 0); in mls_init()
484 return (0); in mls_init_label_waitcheck()
498 * space in the sbuf, -1 is returned.
505 switch (element->mme_type) { in mls_element_to_string()
516 if (sbuf_printf(sb, "%d", element->mme_level) == -1) in mls_element_to_string()
517 return (-1); in mls_element_to_string()
521 if (MAC_MLS_BIT_TEST(i, element->mme_compartments)) { in mls_element_to_string()
523 if (sbuf_putc(sb, ':') == -1) in mls_element_to_string()
524 return (-1); in mls_element_to_string()
525 if (sbuf_printf(sb, "%d", i) == -1) in mls_element_to_string()
526 return (-1); in mls_element_to_string()
527 first = 0; in mls_element_to_string()
529 if (sbuf_printf(sb, "+%d", i) == -1) in mls_element_to_string()
530 return (-1); in mls_element_to_string()
534 return (0); in mls_element_to_string()
538 element->mme_type); in mls_element_to_string()
544 * in the passed sbuf. It returns 0 on success, or EINVAL if there isn't
550 mls_to_string(struct sbuf *sb, struct mac_mls *mm) in mls_to_string() argument
553 if (mm->mm_flags & MAC_MLS_FLAG_EFFECTIVE) { in mls_to_string()
554 if (mls_element_to_string(sb, &mm->mm_effective) == -1) in mls_to_string()
558 if (mm->mm_flags & MAC_MLS_FLAG_RANGE) { in mls_to_string()
559 if (sbuf_putc(sb, '(') == -1) in mls_to_string()
562 if (mls_element_to_string(sb, &mm->mm_rangelow) == -1) in mls_to_string()
565 if (sbuf_putc(sb, '-') == -1) in mls_to_string()
568 if (mls_element_to_string(sb, &mm->mm_rangehigh) == -1) in mls_to_string()
571 if (sbuf_putc(sb, ')') == -1) in mls_to_string()
575 return (0); in mls_to_string()
582 struct mac_mls *mm; in mls_externalize_label() local
584 if (strcmp(MAC_MLS_LABEL_NAME, element_name) != 0) in mls_externalize_label()
585 return (0); in mls_externalize_label()
589 mm = SLOT(label); in mls_externalize_label()
591 return (mls_to_string(sb, mm)); in mls_externalize_label()
600 if (strcmp(string, "high") == 0 || strcmp(string, "hi") == 0) { in mls_parse_element()
601 element->mme_type = MAC_MLS_TYPE_HIGH; in mls_parse_element()
602 element->mme_level = MAC_MLS_TYPE_UNDEF; in mls_parse_element()
603 } else if (strcmp(string, "low") == 0 || strcmp(string, "lo") == 0) { in mls_parse_element()
604 element->mme_type = MAC_MLS_TYPE_LOW; in mls_parse_element()
605 element->mme_level = MAC_MLS_TYPE_UNDEF; in mls_parse_element()
606 } else if (strcmp(string, "equal") == 0 || in mls_parse_element()
607 strcmp(string, "eq") == 0) { in mls_parse_element()
608 element->mme_type = MAC_MLS_TYPE_EQUAL; in mls_parse_element()
609 element->mme_level = MAC_MLS_TYPE_UNDEF; in mls_parse_element()
611 element->mme_type = MAC_MLS_TYPE_LEVEL; in mls_parse_element()
618 if (end == level || *end != '\0') in mls_parse_element()
620 if (value < 0 || value > 65535) in mls_parse_element()
622 element->mme_level = value; in mls_parse_element()
629 return (0); in mls_parse_element()
630 if (*string == '\0') in mls_parse_element()
631 return (0); in mls_parse_element()
635 if (compartment == end || *end != '\0') in mls_parse_element()
639 MAC_MLS_BIT_SET(value, element->mme_compartments); in mls_parse_element()
643 return (0); in mls_parse_element()
651 mls_parse(struct mac_mls *mm, char *string) in mls_parse() argument
657 if (*effective == '\0') in mls_parse()
661 rangelow = strsep(&string, "-"); in mls_parse()
667 if (*string != '\0') in mls_parse()
678 bzero(mm, sizeof(*mm)); in mls_parse()
680 error = mls_parse_element(&mm->mm_effective, effective); in mls_parse()
683 mm->mm_flags |= MAC_MLS_FLAG_EFFECTIVE; in mls_parse()
687 error = mls_parse_element(&mm->mm_rangelow, rangelow); in mls_parse()
690 error = mls_parse_element(&mm->mm_rangehigh, rangehigh); in mls_parse()
693 mm->mm_flags |= MAC_MLS_FLAG_RANGE; in mls_parse()
696 error = mls_valid(mm); in mls_parse()
700 return (0); in mls_parse()
707 struct mac_mls *mm, mm_temp; in mls_internalize_label() local
710 if (strcmp(MAC_MLS_LABEL_NAME, element_name) != 0) in mls_internalize_label()
711 return (0); in mls_internalize_label()
719 mm = SLOT(label); in mls_internalize_label()
720 *mm = mm_temp; in mls_internalize_label()
722 return (0); in mls_internalize_label()
733 * Object-specific entry point implementations are sorted alphabetically by
743 return (0); in mls_bpfdesc_check_receive()
749 return (0); in mls_bpfdesc_check_receive()
758 source = SLOT(cred->cr_label); in mls_bpfdesc_create()
781 label = SLOT(cred->cr_label); in mls_cred_associate_nfsd()
782 mls_set_effective(label, MAC_MLS_TYPE_LOW, 0, NULL); in mls_cred_associate_nfsd()
783 mls_set_range(label, MAC_MLS_TYPE_LOW, 0, NULL, MAC_MLS_TYPE_HIGH, 0, in mls_cred_associate_nfsd()
793 subj = SLOT(cred->cr_label); in mls_cred_check_relabel()
807 if (new->mm_flags & MAC_MLS_FLAGS_BOTH) { in mls_cred_check_relabel()
813 if ((new->mm_flags & MAC_MLS_FLAGS_BOTH) == in mls_cred_check_relabel()
821 if (new->mm_flags & MAC_MLS_FLAG_EFFECTIVE && in mls_cred_check_relabel()
829 if (new->mm_flags & MAC_MLS_FLAG_RANGE && in mls_cred_check_relabel()
844 return (0); in mls_cred_check_relabel()
853 return (0); in mls_cred_check_visible()
855 subj = SLOT(cr1->cr_label); in mls_cred_check_visible()
856 obj = SLOT(cr2->cr_label); in mls_cred_check_visible()
862 return (0); in mls_cred_check_visible()
870 dest = SLOT(cred->cr_label); in mls_cred_create_init()
872 mls_set_effective(dest, MAC_MLS_TYPE_LOW, 0, NULL); in mls_cred_create_init()
873 mls_set_range(dest, MAC_MLS_TYPE_LOW, 0, NULL, MAC_MLS_TYPE_HIGH, 0, in mls_cred_create_init()
882 dest = SLOT(cred->cr_label); in mls_cred_create_swapper()
884 mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL); in mls_cred_create_swapper()
885 mls_set_range(dest, MAC_MLS_TYPE_LOW, 0, NULL, MAC_MLS_TYPE_HIGH, 0, in mls_cred_create_swapper()
895 dest = SLOT(cred->cr_label); in mls_cred_relabel()
904 struct mac_mls *mm; in mls_devfs_create_device() local
908 mm = SLOT(delabel); in mls_devfs_create_device()
910 if (strcmp(dn, "null") == 0 || in mls_devfs_create_device()
911 strcmp(dn, "zero") == 0 || in mls_devfs_create_device()
912 strcmp(dn, "random") == 0 || in mls_devfs_create_device()
913 strncmp(dn, "fd/", strlen("fd/")) == 0) in mls_devfs_create_device()
915 else if (strcmp(dn, "kmem") == 0 || in mls_devfs_create_device()
916 strcmp(dn, "mem") == 0) in mls_devfs_create_device()
919 (strncmp(dn, "ttyp", strlen("ttyp")) == 0 || in mls_devfs_create_device()
920 strncmp(dn, "pts/", strlen("pts/")) == 0 || in mls_devfs_create_device()
921 strncmp(dn, "ptyp", strlen("ptyp")) == 0)) in mls_devfs_create_device()
925 mls_set_effective(mm, mls_type, 0, NULL); in mls_devfs_create_device()
932 struct mac_mls *mm; in mls_devfs_create_directory() local
934 mm = SLOT(delabel); in mls_devfs_create_directory()
935 mls_set_effective(mm, MAC_MLS_TYPE_LOW, 0, NULL); in mls_devfs_create_directory()
945 source = SLOT(cred->cr_label); in mls_devfs_create_symlink()
983 subj = SLOT(cred->cr_label); in mls_ifnet_check_relabel()
1007 return (0); in mls_ifnet_check_transmit()
1012 return (mls_effective_in_range(p, i) ? 0 : EACCES); in mls_ifnet_check_transmit()
1028 mls_set_effective(dest, type, 0, NULL); in mls_ifnet_create()
1029 mls_set_range(dest, type, 0, NULL, type, 0, NULL); in mls_ifnet_create()
1063 return (0); in mls_inpcb_check_deliver()
1068 return (mls_equal_effective(p, i) ? 0 : EACCES); in mls_inpcb_check_deliver()
1078 return (0); in mls_inpcb_check_visible()
1080 subj = SLOT(cred->cr_label); in mls_inpcb_check_visible()
1086 return (0); in mls_inpcb_check_visible()
1224 return (0); in mls_mount_check_stat()
1226 subj = SLOT(cred->cr_label); in mls_mount_check_stat()
1232 return (0); in mls_mount_check_stat()
1240 source = SLOT(cred->cr_label); in mls_mount_create()
1254 mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL); in mls_netinet_arp_send()
1277 mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL); in mls_netinet_firewall_send()
1312 mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL); in mls_netinet_igmp_send()
1323 mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL); in mls_netinet6_nd6_send()
1332 return (0); in mls_pipe_check_ioctl()
1336 return (0); in mls_pipe_check_ioctl()
1346 return (0); in mls_pipe_check_poll()
1348 subj = SLOT(cred->cr_label); in mls_pipe_check_poll()
1354 return (0); in mls_pipe_check_poll()
1364 return (0); in mls_pipe_check_read()
1366 subj = SLOT(cred->cr_label); in mls_pipe_check_read()
1372 return (0); in mls_pipe_check_read()
1383 subj = SLOT(cred->cr_label); in mls_pipe_check_relabel()
1404 if (new->mm_flags & MAC_MLS_FLAG_EFFECTIVE) { in mls_pipe_check_relabel()
1423 return (0); in mls_pipe_check_relabel()
1433 return (0); in mls_pipe_check_stat()
1435 subj = SLOT(cred->cr_label); in mls_pipe_check_stat()
1441 return (0); in mls_pipe_check_stat()
1451 return (0); in mls_pipe_check_write()
1453 subj = SLOT(cred->cr_label); in mls_pipe_check_write()
1459 return (0); in mls_pipe_check_write()
1468 source = SLOT(cred->cr_label); in mls_pipe_create()
1493 return (0); in mls_posixsem_check_openunlink()
1495 subj = SLOT(cred->cr_label); in mls_posixsem_check_openunlink()
1501 return (0); in mls_posixsem_check_openunlink()
1511 return (0); in mls_posixsem_check_rdonly()
1513 subj = SLOT(active_cred->cr_label); in mls_posixsem_check_rdonly()
1519 return (0); in mls_posixsem_check_rdonly()
1529 return (0); in mls_posixsem_check_setmode()
1531 subj = SLOT(cred->cr_label); in mls_posixsem_check_setmode()
1537 return (0); in mls_posixsem_check_setmode()
1547 return (0); in mls_posixsem_check_setowner()
1549 subj = SLOT(cred->cr_label); in mls_posixsem_check_setowner()
1555 return (0); in mls_posixsem_check_setowner()
1565 return (0); in mls_posixsem_check_write()
1567 subj = SLOT(active_cred->cr_label); in mls_posixsem_check_write()
1573 return (0); in mls_posixsem_check_write()
1582 source = SLOT(cred->cr_label); in mls_posixsem_create()
1595 return (0); in mls_posixshm_check_mmap()
1597 subj = SLOT(cred->cr_label); in mls_posixshm_check_mmap()
1604 if (((prot & VM_PROT_WRITE) != 0) && ((flags & MAP_SHARED) != 0)) { in mls_posixshm_check_mmap()
1609 return (0); in mls_posixshm_check_mmap()
1619 return (0); in mls_posixshm_check_open()
1621 subj = SLOT(cred->cr_label); in mls_posixshm_check_open()
1633 return (0); in mls_posixshm_check_open()
1643 return (0); in mls_posixshm_check_read()
1645 subj = SLOT(active_cred->cr_label); in mls_posixshm_check_read()
1651 return (0); in mls_posixshm_check_read()
1661 return (0); in mls_posixshm_check_setmode()
1663 subj = SLOT(cred->cr_label); in mls_posixshm_check_setmode()
1669 return (0); in mls_posixshm_check_setmode()
1679 return (0); in mls_posixshm_check_setowner()
1681 subj = SLOT(cred->cr_label); in mls_posixshm_check_setowner()
1687 return (0); in mls_posixshm_check_setowner()
1697 return (0); in mls_posixshm_check_stat()
1699 subj = SLOT(active_cred->cr_label); in mls_posixshm_check_stat()
1705 return (0); in mls_posixshm_check_stat()
1715 return (0); in mls_posixshm_check_truncate()
1717 subj = SLOT(active_cred->cr_label); in mls_posixshm_check_truncate()
1723 return (0); in mls_posixshm_check_truncate()
1733 return (0); in mls_posixshm_check_unlink()
1735 subj = SLOT(cred->cr_label); in mls_posixshm_check_unlink()
1741 return (0); in mls_posixshm_check_unlink()
1751 return (0); in mls_posixshm_check_write()
1753 subj = SLOT(active_cred->cr_label); in mls_posixshm_check_write()
1759 return (0); in mls_posixshm_check_write()
1768 source = SLOT(cred->cr_label); in mls_posixshm_create()
1780 return (0); in mls_proc_check_debug()
1782 subj = SLOT(cred->cr_label); in mls_proc_check_debug()
1783 obj = SLOT(p->p_ucred->cr_label); in mls_proc_check_debug()
1791 return (0); in mls_proc_check_debug()
1800 return (0); in mls_proc_check_sched()
1802 subj = SLOT(cred->cr_label); in mls_proc_check_sched()
1803 obj = SLOT(p->p_ucred->cr_label); in mls_proc_check_sched()
1811 return (0); in mls_proc_check_sched()
1820 return (0); in mls_proc_check_signal()
1822 subj = SLOT(cred->cr_label); in mls_proc_check_signal()
1823 obj = SLOT(p->p_ucred->cr_label); in mls_proc_check_signal()
1831 return (0); in mls_proc_check_signal()
1842 return (0); in mls_socket_check_deliver()
1848 error = mls_equal_effective(p, s) ? 0 : EACCES; in mls_socket_check_deliver()
1864 subj = SLOT(cred->cr_label); in mls_socket_check_relabel()
1885 if (new->mm_flags & MAC_MLS_FLAG_EFFECTIVE) { in mls_socket_check_relabel()
1904 return (0); in mls_socket_check_relabel()
1914 return (0); in mls_socket_check_visible()
1916 subj = SLOT(cred->cr_label); in mls_socket_check_visible()
1926 return (0); in mls_socket_check_visible()
1935 source = SLOT(cred->cr_label); in mls_socket_create()
2023 source = SLOT(inp->inp_label); in mls_syncache_create()
2048 return (0); in mls_system_check_acct()
2051 return (0); in mls_system_check_acct()
2053 subj = SLOT(cred->cr_label); in mls_system_check_acct()
2060 return (0); in mls_system_check_acct()
2070 return (0); in mls_system_check_auditctl()
2072 subj = SLOT(cred->cr_label); in mls_system_check_auditctl()
2079 return (0); in mls_system_check_auditctl()
2089 return (0); in mls_system_check_swapon()
2091 subj = SLOT(cred->cr_label); in mls_system_check_swapon()
2098 return (0); in mls_system_check_swapon()
2115 source = SLOT(cred->cr_label); in mls_sysvmsg_create()
2128 return (0); in mls_sysvmsq_check_msgrcv()
2130 subj = SLOT(cred->cr_label); in mls_sysvmsq_check_msgrcv()
2136 return (0); in mls_sysvmsq_check_msgrcv()
2146 return (0); in mls_sysvmsq_check_msgrmid()
2148 subj = SLOT(cred->cr_label); in mls_sysvmsq_check_msgrmid()
2154 return (0); in mls_sysvmsq_check_msgrmid()
2164 return (0); in mls_sysvmsq_check_msqget()
2166 subj = SLOT(cred->cr_label); in mls_sysvmsq_check_msqget()
2172 return (0); in mls_sysvmsq_check_msqget()
2182 return (0); in mls_sysvmsq_check_msqsnd()
2184 subj = SLOT(cred->cr_label); in mls_sysvmsq_check_msqsnd()
2190 return (0); in mls_sysvmsq_check_msqsnd()
2200 return (0); in mls_sysvmsq_check_msqrcv()
2202 subj = SLOT(cred->cr_label); in mls_sysvmsq_check_msqrcv()
2208 return (0); in mls_sysvmsq_check_msqrcv()
2218 return (0); in mls_sysvmsq_check_msqctl()
2220 subj = SLOT(cred->cr_label); in mls_sysvmsq_check_msqctl()
2239 return (0); in mls_sysvmsq_check_msqctl()
2255 source = SLOT(cred->cr_label); in mls_sysvmsq_create()
2268 return (0); in mls_sysvsem_check_semctl()
2270 subj = SLOT(cred->cr_label); in mls_sysvsem_check_semctl()
2296 return (0); in mls_sysvsem_check_semctl()
2306 return (0); in mls_sysvsem_check_semget()
2308 subj = SLOT(cred->cr_label); in mls_sysvsem_check_semget()
2314 return (0); in mls_sysvsem_check_semget()
2324 return (0); in mls_sysvsem_check_semop()
2326 subj = SLOT(cred->cr_label); in mls_sysvsem_check_semop()
2337 return (0); in mls_sysvsem_check_semop()
2353 source = SLOT(cred->cr_label); in mls_sysvsem_create()
2366 return (0); in mls_sysvshm_check_shmat()
2368 subj = SLOT(cred->cr_label); in mls_sysvshm_check_shmat()
2373 if ((shmflg & SHM_RDONLY) == 0) { in mls_sysvshm_check_shmat()
2378 return (0); in mls_sysvshm_check_shmat()
2388 return (0); in mls_sysvshm_check_shmctl()
2390 subj = SLOT(cred->cr_label); in mls_sysvshm_check_shmctl()
2410 return (0); in mls_sysvshm_check_shmctl()
2420 return (0); in mls_sysvshm_check_shmget()
2422 subj = SLOT(cred->cr_label); in mls_sysvshm_check_shmget()
2428 return (0); in mls_sysvshm_check_shmget()
2444 source = SLOT(cred->cr_label); in mls_sysvshm_create()
2468 return (0); in mls_vnode_associate_extattr()
2476 if (mls_valid(&mm_temp) != 0) { in mls_vnode_associate_extattr()
2487 return (0); in mls_vnode_associate_extattr()
2509 return (0); in mls_vnode_check_chdir()
2511 subj = SLOT(cred->cr_label); in mls_vnode_check_chdir()
2517 return (0); in mls_vnode_check_chdir()
2527 return (0); in mls_vnode_check_chroot()
2529 subj = SLOT(cred->cr_label); in mls_vnode_check_chroot()
2535 return (0); in mls_vnode_check_chroot()
2545 return (0); in mls_vnode_check_create()
2547 subj = SLOT(cred->cr_label); in mls_vnode_check_create()
2553 return (0); in mls_vnode_check_create()
2563 return (0); in mls_vnode_check_deleteacl()
2565 subj = SLOT(cred->cr_label); in mls_vnode_check_deleteacl()
2571 return (0); in mls_vnode_check_deleteacl()
2581 return (0); in mls_vnode_check_deleteextattr()
2583 subj = SLOT(cred->cr_label); in mls_vnode_check_deleteextattr()
2589 return (0); in mls_vnode_check_deleteextattr()
2603 * exec-time as part of MLS, so disallow non-NULL MLS label in mls_vnode_check_exec()
2607 error = mls_atmostflags(exec, 0); in mls_vnode_check_exec()
2613 return (0); in mls_vnode_check_exec()
2615 subj = SLOT(cred->cr_label); in mls_vnode_check_exec()
2621 return (0); in mls_vnode_check_exec()
2631 return (0); in mls_vnode_check_getacl()
2633 subj = SLOT(cred->cr_label); in mls_vnode_check_getacl()
2639 return (0); in mls_vnode_check_getacl()
2649 return (0); in mls_vnode_check_getextattr()
2651 subj = SLOT(cred->cr_label); in mls_vnode_check_getextattr()
2657 return (0); in mls_vnode_check_getextattr()
2668 return (0); in mls_vnode_check_link()
2670 subj = SLOT(cred->cr_label); in mls_vnode_check_link()
2680 return (0); in mls_vnode_check_link()
2691 return (0); in mls_vnode_check_listextattr()
2693 subj = SLOT(cred->cr_label); in mls_vnode_check_listextattr()
2699 return (0); in mls_vnode_check_listextattr()
2709 return (0); in mls_vnode_check_lookup()
2711 subj = SLOT(cred->cr_label); in mls_vnode_check_lookup()
2717 return (0); in mls_vnode_check_lookup()
2727 * Rely on the use of open()-time protections to handle in mls_vnode_check_mmap()
2728 * non-revocation cases. in mls_vnode_check_mmap()
2731 return (0); in mls_vnode_check_mmap()
2733 subj = SLOT(cred->cr_label); in mls_vnode_check_mmap()
2740 if (((prot & VM_PROT_WRITE) != 0) && ((flags & MAP_SHARED) != 0)) { in mls_vnode_check_mmap()
2745 return (0); in mls_vnode_check_mmap()
2755 return (0); in mls_vnode_check_open()
2757 subj = SLOT(cred->cr_label); in mls_vnode_check_open()
2770 return (0); in mls_vnode_check_open()
2780 return (0); in mls_vnode_check_poll()
2782 subj = SLOT(active_cred->cr_label); in mls_vnode_check_poll()
2788 return (0); in mls_vnode_check_poll()
2798 return (0); in mls_vnode_check_read()
2800 subj = SLOT(active_cred->cr_label); in mls_vnode_check_read()
2806 return (0); in mls_vnode_check_read()
2816 return (0); in mls_vnode_check_readdir()
2818 subj = SLOT(cred->cr_label); in mls_vnode_check_readdir()
2824 return (0); in mls_vnode_check_readdir()
2834 return (0); in mls_vnode_check_readlink()
2836 subj = SLOT(cred->cr_label); in mls_vnode_check_readlink()
2842 return (0); in mls_vnode_check_readlink()
2854 subj = SLOT(cred->cr_label); in mls_vnode_check_relabel()
2874 if (new->mm_flags & MAC_MLS_FLAG_EFFECTIVE) { in mls_vnode_check_relabel()
2893 return (0); in mls_vnode_check_relabel()
2904 return (0); in mls_vnode_check_rename_from()
2906 subj = SLOT(cred->cr_label); in mls_vnode_check_rename_from()
2917 return (0); in mls_vnode_check_rename_from()
2928 return (0); in mls_vnode_check_rename_to()
2930 subj = SLOT(cred->cr_label); in mls_vnode_check_rename_to()
2943 return (0); in mls_vnode_check_rename_to()
2953 return (0); in mls_vnode_check_revoke()
2955 subj = SLOT(cred->cr_label); in mls_vnode_check_revoke()
2961 return (0); in mls_vnode_check_revoke()
2971 return (0); in mls_vnode_check_setacl()
2973 subj = SLOT(cred->cr_label); in mls_vnode_check_setacl()
2979 return (0); in mls_vnode_check_setacl()
2989 return (0); in mls_vnode_check_setextattr()
2991 subj = SLOT(cred->cr_label); in mls_vnode_check_setextattr()
2999 return (0); in mls_vnode_check_setextattr()
3009 return (0); in mls_vnode_check_setflags()
3011 subj = SLOT(cred->cr_label); in mls_vnode_check_setflags()
3017 return (0); in mls_vnode_check_setflags()
3027 return (0); in mls_vnode_check_setmode()
3029 subj = SLOT(cred->cr_label); in mls_vnode_check_setmode()
3035 return (0); in mls_vnode_check_setmode()
3045 return (0); in mls_vnode_check_setowner()
3047 subj = SLOT(cred->cr_label); in mls_vnode_check_setowner()
3053 return (0); in mls_vnode_check_setowner()
3063 return (0); in mls_vnode_check_setutimes()
3065 subj = SLOT(cred->cr_label); in mls_vnode_check_setutimes()
3071 return (0); in mls_vnode_check_setutimes()
3081 return (0); in mls_vnode_check_stat()
3083 subj = SLOT(active_cred->cr_label); in mls_vnode_check_stat()
3089 return (0); in mls_vnode_check_stat()
3100 return (0); in mls_vnode_check_unlink()
3102 subj = SLOT(cred->cr_label); in mls_vnode_check_unlink()
3113 return (0); in mls_vnode_check_unlink()
3123 return (0); in mls_vnode_check_write()
3125 subj = SLOT(active_cred->cr_label); in mls_vnode_check_write()
3131 return (0); in mls_vnode_check_write()
3146 source = SLOT(cred->cr_label); in mls_vnode_create_extattr()
3152 if (error == 0) in mls_vnode_create_extattr()
3181 if ((source->mm_flags & MAC_MLS_FLAG_EFFECTIVE) == 0) in mls_vnode_setlabel_extattr()
3182 return (0); in mls_vnode_setlabel_extattr()