1eca8a663SRobert Watson /*-
239cfa591SRobert Watson * Copyright (c) 2003-2004 Networks Associates Technology, Inc.
30142affcSRobert Watson * Copyright (c) 2007 Robert N. M. Watson
4eca8a663SRobert Watson * All rights reserved.
5eca8a663SRobert Watson *
6eca8a663SRobert Watson * This software was developed for the FreeBSD Project in part by Network
7eca8a663SRobert Watson * Associates Laboratories, the Security Research Division of Network
8eca8a663SRobert Watson * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
9eca8a663SRobert Watson * as part of the DARPA CHATS research program.
10eca8a663SRobert Watson *
11eca8a663SRobert Watson * Redistribution and use in source and binary forms, with or without
12eca8a663SRobert Watson * modification, are permitted provided that the following conditions
13eca8a663SRobert Watson * are met:
14eca8a663SRobert Watson * 1. Redistributions of source code must retain the above copyright
15eca8a663SRobert Watson * notice, this list of conditions and the following disclaimer.
16eca8a663SRobert Watson * 2. Redistributions in binary form must reproduce the above copyright
17eca8a663SRobert Watson * notice, this list of conditions and the following disclaimer in the
18eca8a663SRobert Watson * documentation and/or other materials provided with the distribution.
19eca8a663SRobert Watson *
20eca8a663SRobert Watson * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
21eca8a663SRobert Watson * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22eca8a663SRobert Watson * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23eca8a663SRobert Watson * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
24eca8a663SRobert Watson * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25eca8a663SRobert Watson * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26eca8a663SRobert Watson * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27eca8a663SRobert Watson * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28eca8a663SRobert Watson * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29eca8a663SRobert Watson * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30eca8a663SRobert Watson * SUCH DAMAGE.
31eca8a663SRobert Watson */
32eca8a663SRobert Watson
33eca8a663SRobert Watson #include <sys/cdefs.h>
34eca8a663SRobert Watson #include "opt_mac.h"
35eca8a663SRobert Watson
36eca8a663SRobert Watson #include <sys/param.h>
370142affcSRobert Watson #include <sys/module.h>
38eca8a663SRobert Watson #include <sys/sysctl.h>
39eca8a663SRobert Watson #include <sys/systm.h>
40eca8a663SRobert Watson
41eca8a663SRobert Watson #include <vm/uma.h>
42eca8a663SRobert Watson
43aed55708SRobert Watson #include <security/mac/mac_framework.h>
44eca8a663SRobert Watson #include <security/mac/mac_internal.h>
450142affcSRobert Watson #include <security/mac/mac_policy.h>
46eca8a663SRobert Watson
475c700f29SRobert Watson /*
48d5fb913fSRobert Watson * zone_label is the UMA zone from which most labels are allocated. Label
495c700f29SRobert Watson * structures are initialized to zero bytes so that policies see a NULL/0
505c700f29SRobert Watson * slot on first use, even if the policy is loaded after the label is
515c700f29SRobert Watson * allocated for an object.
525c700f29SRobert Watson */
535c700f29SRobert Watson static uma_zone_t zone_label;
54eca8a663SRobert Watson
55b23f72e9SBrian Feldman static int mac_labelzone_ctor(void *mem, int size, void *arg, int flags);
56eca8a663SRobert Watson static void mac_labelzone_dtor(void *mem, int size, void *arg);
57eca8a663SRobert Watson
58eca8a663SRobert Watson void
mac_labelzone_init(void)59eca8a663SRobert Watson mac_labelzone_init(void)
60eca8a663SRobert Watson {
61eca8a663SRobert Watson
62eca8a663SRobert Watson zone_label = uma_zcreate("MAC labels", sizeof(struct label),
63eca8a663SRobert Watson mac_labelzone_ctor, mac_labelzone_dtor, NULL, NULL,
64eca8a663SRobert Watson UMA_ALIGN_PTR, 0);
65eca8a663SRobert Watson }
66eca8a663SRobert Watson
67d5fb913fSRobert Watson /*
68d5fb913fSRobert Watson * mac_init_label() and mac_destroy_label() are exported so that they can be
69d5fb913fSRobert Watson * used in mbuf tag initialization, where labels are not slab allocated from
70d5fb913fSRobert Watson * the zone_label zone.
71d5fb913fSRobert Watson */
72d5fb913fSRobert Watson void
mac_init_label(struct label * label)73d5fb913fSRobert Watson mac_init_label(struct label *label)
74d5fb913fSRobert Watson {
75d5fb913fSRobert Watson
76d5fb913fSRobert Watson bzero(label, sizeof(*label));
77d5fb913fSRobert Watson label->l_flags = MAC_FLAG_INITIALIZED;
78d5fb913fSRobert Watson }
79d5fb913fSRobert Watson
80d5fb913fSRobert Watson void
mac_destroy_label(struct label * label)81d5fb913fSRobert Watson mac_destroy_label(struct label *label)
82d5fb913fSRobert Watson {
83d5fb913fSRobert Watson
84d5fb913fSRobert Watson KASSERT(label->l_flags & MAC_FLAG_INITIALIZED,
85d5fb913fSRobert Watson ("destroying uninitialized label"));
86d5fb913fSRobert Watson
87d5fb913fSRobert Watson #ifdef DIAGNOSTIC
88d5fb913fSRobert Watson bzero(label, sizeof(*label));
89d5fb913fSRobert Watson #else
90d5fb913fSRobert Watson label->l_flags &= ~MAC_FLAG_INITIALIZED;
91d5fb913fSRobert Watson #endif
92d5fb913fSRobert Watson }
93d5fb913fSRobert Watson
94b23f72e9SBrian Feldman static int
mac_labelzone_ctor(void * mem,int size,void * arg,int flags)95b23f72e9SBrian Feldman mac_labelzone_ctor(void *mem, int size, void *arg, int flags)
96eca8a663SRobert Watson {
97eca8a663SRobert Watson struct label *label;
98eca8a663SRobert Watson
99eca8a663SRobert Watson KASSERT(size == sizeof(*label), ("mac_labelzone_ctor: wrong size\n"));
100eca8a663SRobert Watson label = mem;
101d5fb913fSRobert Watson mac_init_label(label);
102b23f72e9SBrian Feldman return (0);
103eca8a663SRobert Watson }
104eca8a663SRobert Watson
105eca8a663SRobert Watson static void
mac_labelzone_dtor(void * mem,int size,void * arg)106eca8a663SRobert Watson mac_labelzone_dtor(void *mem, int size, void *arg)
107eca8a663SRobert Watson {
108eca8a663SRobert Watson struct label *label;
109eca8a663SRobert Watson
110eca8a663SRobert Watson KASSERT(size == sizeof(*label), ("mac_labelzone_dtor: wrong size\n"));
111eca8a663SRobert Watson label = mem;
112d5fb913fSRobert Watson mac_destroy_label(label);
113eca8a663SRobert Watson }
114eca8a663SRobert Watson
115eca8a663SRobert Watson struct label *
mac_labelzone_alloc(int flags)116eca8a663SRobert Watson mac_labelzone_alloc(int flags)
117eca8a663SRobert Watson {
118eca8a663SRobert Watson
119eca8a663SRobert Watson return (uma_zalloc(zone_label, flags));
120eca8a663SRobert Watson }
121eca8a663SRobert Watson
122eca8a663SRobert Watson void
mac_labelzone_free(struct label * label)123eca8a663SRobert Watson mac_labelzone_free(struct label *label)
124eca8a663SRobert Watson {
125eca8a663SRobert Watson
126eca8a663SRobert Watson uma_zfree(zone_label, label);
127eca8a663SRobert Watson }
1280142affcSRobert Watson
1290142affcSRobert Watson /*
1300142affcSRobert Watson * Functions used by policy modules to get and set label values.
1310142affcSRobert Watson */
1320142affcSRobert Watson intptr_t
mac_label_get(struct label * l,int slot)1330142affcSRobert Watson mac_label_get(struct label *l, int slot)
1340142affcSRobert Watson {
1350142affcSRobert Watson
1360142affcSRobert Watson KASSERT(l != NULL, ("mac_label_get: NULL label"));
1370142affcSRobert Watson
1380142affcSRobert Watson return (l->l_perpolicy[slot]);
1390142affcSRobert Watson }
1400142affcSRobert Watson
1410142affcSRobert Watson void
mac_label_set(struct label * l,int slot,intptr_t v)1420142affcSRobert Watson mac_label_set(struct label *l, int slot, intptr_t v)
1430142affcSRobert Watson {
1440142affcSRobert Watson
1450142affcSRobert Watson KASSERT(l != NULL, ("mac_label_set: NULL label"));
1460142affcSRobert Watson
1470142affcSRobert Watson l->l_perpolicy[slot] = v;
1480142affcSRobert Watson }
149