1eca8a663SRobert Watson /*- 239cfa591SRobert Watson * Copyright (c) 2003-2004 Networks Associates Technology, Inc. 30142affcSRobert Watson * Copyright (c) 2007 Robert N. M. Watson 4eca8a663SRobert Watson * All rights reserved. 5eca8a663SRobert Watson * 6eca8a663SRobert Watson * This software was developed for the FreeBSD Project in part by Network 7eca8a663SRobert Watson * Associates Laboratories, the Security Research Division of Network 8eca8a663SRobert Watson * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), 9eca8a663SRobert Watson * as part of the DARPA CHATS research program. 10eca8a663SRobert Watson * 11eca8a663SRobert Watson * Redistribution and use in source and binary forms, with or without 12eca8a663SRobert Watson * modification, are permitted provided that the following conditions 13eca8a663SRobert Watson * are met: 14eca8a663SRobert Watson * 1. Redistributions of source code must retain the above copyright 15eca8a663SRobert Watson * notice, this list of conditions and the following disclaimer. 16eca8a663SRobert Watson * 2. Redistributions in binary form must reproduce the above copyright 17eca8a663SRobert Watson * notice, this list of conditions and the following disclaimer in the 18eca8a663SRobert Watson * documentation and/or other materials provided with the distribution. 19eca8a663SRobert Watson * 20eca8a663SRobert Watson * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 21eca8a663SRobert Watson * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22eca8a663SRobert Watson * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23eca8a663SRobert Watson * ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 24eca8a663SRobert Watson * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25eca8a663SRobert Watson * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26eca8a663SRobert Watson * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27eca8a663SRobert Watson * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28eca8a663SRobert Watson * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29eca8a663SRobert Watson * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30eca8a663SRobert Watson * SUCH DAMAGE. 31eca8a663SRobert Watson */ 32eca8a663SRobert Watson 33eca8a663SRobert Watson #include <sys/cdefs.h> 34eca8a663SRobert Watson __FBSDID("$FreeBSD$"); 35eca8a663SRobert Watson 36eca8a663SRobert Watson #include "opt_mac.h" 37eca8a663SRobert Watson 38eca8a663SRobert Watson #include <sys/param.h> 390142affcSRobert Watson #include <sys/module.h> 40eca8a663SRobert Watson #include <sys/sysctl.h> 41eca8a663SRobert Watson #include <sys/systm.h> 42eca8a663SRobert Watson 43eca8a663SRobert Watson #include <vm/uma.h> 44eca8a663SRobert Watson 45aed55708SRobert Watson #include <security/mac/mac_framework.h> 46eca8a663SRobert Watson #include <security/mac/mac_internal.h> 470142affcSRobert Watson #include <security/mac/mac_policy.h> 48eca8a663SRobert Watson 495c700f29SRobert Watson /* 50d5fb913fSRobert Watson * zone_label is the UMA zone from which most labels are allocated. Label 515c700f29SRobert Watson * structures are initialized to zero bytes so that policies see a NULL/0 525c700f29SRobert Watson * slot on first use, even if the policy is loaded after the label is 535c700f29SRobert Watson * allocated for an object. 
 */
static uma_zone_t zone_label;

static int	mac_labelzone_ctor(void *mem, int size, void *arg, int flags);
static void	mac_labelzone_dtor(void *mem, int size, void *arg);

/*
 * Create the "MAC labels" zone.  The ctor/dtor handed to uma_zcreate() are
 * the per-object hooks (the slab-level uminit/fini hooks are left NULL), so
 * every label returned by mac_labelzone_alloc() has passed through
 * mac_init_label() and every label returned by mac_labelzone_free() has
 * passed through mac_destroy_label().
 */
void
mac_labelzone_init(void)
{

	zone_label = uma_zcreate("MAC labels", sizeof(struct label),
	    mac_labelzone_ctor, mac_labelzone_dtor, NULL, NULL,
	    UMA_ALIGN_PTR, 0);
}

/*
 * Prepare a label for use.  The whole structure is cleared before the
 * INITIALIZED flag is set; the clear is what lets a policy loaded after
 * this label was created find a 0/NULL slot instead of whatever the memory
 * held before.  Exported (rather than static) because mbuf tag labels are
 * not carved from zone_label and initialize their label storage directly.
 */
void
mac_init_label(struct label *label)
{

	bzero(label, sizeof(*label));
	label->l_flags = MAC_FLAG_INITIALIZED;
}

/*
 * Retire a label.  Destroying storage that does not carry the INITIALIZED
 * flag -- including a second destroy of the same label -- trips the KASSERT
 * in INVARIANTS kernels; clearing the flag on the way out is what makes
 * that double-destroy check work.
 *
 * Only DIAGNOSTIC kernels scrub the per-policy slot values here.  In other
 * builds the slot contents stay in memory until the storage next goes
 * through mac_init_label().  Nothing the slots point at is released here;
 * presumably the per-policy label destroy hooks have already done that --
 * confirm against the framework callers.
 */
void
mac_destroy_label(struct label *label)
{

	KASSERT(label->l_flags & MAC_FLAG_INITIALIZED,
	    ("destroying uninitialized label"));

#ifdef DIAGNOSTIC
	bzero(label, sizeof(*label));
#else
	label->l_flags &= ~MAC_FLAG_INITIALIZED;
#endif
}

/*
 * UMA per-object constructor: checks the object size, then initializes the
 * storage as a label.  'arg' and 'flags' (the allocator's M_* flags) are
 * not used; the constructor cannot fail and always returns 0.
 */
static int
mac_labelzone_ctor(void *mem, int size, void *arg, int flags)
{

	KASSERT(size == sizeof(struct label),
	    ("mac_labelzone_ctor: wrong size\n"));
	mac_init_label(mem);
	return (0);
}

/*
 * UMA per-object destructor: checks the object size, then runs the label
 * destroy path (see mac_destroy_label() for what is and is not scrubbed).
 */
static void
mac_labelzone_dtor(void *mem, int size, void *arg)
{
	struct label *lp;

	KASSERT(size == sizeof(*lp), ("mac_labelzone_dtor: wrong size\n"));
	lp = mem;
	mac_destroy_label(lp);
}

/*
 * Allocate an initialized label from zone_label.  'flags' is passed
 * straight through to uma_zalloc(); with a non-blocking flag the allocation
 * can fail and the result is NULL, which callers must check.
 */
struct label *
mac_labelzone_alloc(int flags)
{
	struct label *lp;

	lp = uma_zalloc(zone_label, flags);
	return (lp);
}

/*
 * Return a label obtained from mac_labelzone_alloc() to zone_label.  The
 * zone destructor runs mac_destroy_label() on it; the label must still be
 * INITIALIZED or that destructor's KASSERT fires.
 */
void
mac_labelzone_free(struct label *label)
{

	uma_zfree(zone_label, label);
}

/*
 * Functions used by policy modules to get and set label values.
 */

/*
 * Read the per-policy slot 'slot' of label 'l'.
 *
 * 'slot' is not range-checked: it is trusted to be the slot number the
 * framework handed the calling policy (presumably at policy registration;
 * not visible in this file).  A policy passing any other value reads another
 * policy's slot, and an out-of-range value indexes past l_perpolicy.
 * NOTE(review): the array bound is not visible here; a KASSERT on 'slot'
 * against it would be worth adding.  Only the NULL-label case is asserted.
 */
intptr_t
mac_label_get(struct label *l, int slot)
{
	intptr_t value;

	KASSERT(l != NULL, ("mac_label_get: NULL label"));

	value = l->l_perpolicy[slot];
	return (value);
}

/*
 * Write 'v' into the per-policy slot 'slot' of label 'l'.
 *
 * As with mac_label_get(), 'slot' is trusted and unchecked: a wrong value
 * silently overwrites another policy's slot or memory past l_perpolicy.
 * Only the NULL-label case is asserted.
 */
void
mac_label_set(struct label *l, int slot, intptr_t v)
{

	KASSERT(l != NULL, ("mac_label_set: NULL label"));

	l->l_perpolicy[slot] = v;
}