1 /*-
2  * Copyright (c) 2002-2003 Networks Associates Technology, Inc.
3  * Copyright (c) 2006 SPARTA, Inc.
4  * All rights reserved.
5  *
6  * This software was developed for the FreeBSD Project in part by Network
7  * Associates Laboratories, the Security Research Division of Network
8  * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
9  * as part of the DARPA CHATS research program.
10  *
11  * This software was enhanced by SPARTA ISSO under SPAWAR contract
12  * N66001-04-C-6019 ("SEFOS").
13  *
14  * Redistribution and use in source and binary forms, with or without
15  * modification, are permitted provided that the following conditions
16  * are met:
17  * 1. Redistributions of source code must retain the above copyright
18  *    notice, this list of conditions and the following disclaimer.
19  * 2. Redistributions in binary form must reproduce the above copyright
20  *    notice, this list of conditions and the following disclaimer in the
21  *    documentation and/or other materials provided with the distribution.
22  *
23  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
24  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
27  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33  * SUCH DAMAGE.
34  */
35 
36 #include <sys/cdefs.h>
37 __FBSDID("$FreeBSD$");
38 
39 #include "opt_mac.h"
40 
41 #include <sys/param.h>
42 #include <sys/kernel.h>
43 #include <sys/lock.h>
44 #include <sys/malloc.h>
45 #include <sys/module.h>
46 #include <sys/mutex.h>
47 #include <sys/sbuf.h>
48 #include <sys/systm.h>
49 #include <sys/vnode.h>
50 #include <sys/pipe.h>
51 #include <sys/sysctl.h>
52 
53 #include <security/mac/mac_framework.h>
54 #include <security/mac/mac_internal.h>
55 #include <security/mac/mac_policy.h>
56 
/*
 * Allocate a fresh pipe label from the shared MAC label zone and let every
 * registered policy initialise its slot via the pipe_init_label entry point.
 *
 * The allocation is made with M_WAITOK, so it may sleep but is not expected
 * to hand back NULL; callers therefore receive a usable label.
 */
struct label *
mac_pipe_label_alloc(void)
{
	struct label *l = mac_labelzone_alloc(M_WAITOK);

	MAC_PERFORM(pipe_init_label, l);
	return (l);
}
66 
/*
 * Attach a newly allocated, policy-initialised label to a pipe pair.
 * Called when the pipe pair is created; the label is released again by
 * mac_pipe_destroy().
 */
void
mac_pipe_init(struct pipepair *pp)
{

	pp->pp_label = mac_pipe_label_alloc();
}
73 
/*
 * Tear down a pipe label: give each policy a chance to release whatever it
 * stored in its slot (pipe_destroy_label), then return the storage to the
 * label zone.  The policy callbacks must run before the zone free, since
 * they may still dereference the label.
 */
void
mac_pipe_label_free(struct label *label)
{

	MAC_PERFORM(pipe_destroy_label, label);
	mac_labelzone_free(label);
}
81 
/*
 * Release the label attached to a pipe pair that is being destroyed.
 * The pointer is cleared afterwards so that a stale reference to the
 * pipepair cannot reach the freed label (double free / use-after-free
 * would otherwise be silent here).
 */
void
mac_pipe_destroy(struct pipepair *pp)
{

	mac_pipe_label_free(pp->pp_label);
	pp->pp_label = NULL;
}
89 
/*
 * Copy the policy-specific contents of one pipe label into another by
 * invoking each policy's pipe_copy_label entry point.  Both labels are
 * expected to have been allocated and initialised already; nothing here
 * allocates.
 */
void
mac_pipe_copy_label(struct label *src, struct label *dest)
{

	MAC_PERFORM(pipe_copy_label, src, dest);
}
96 
/*
 * Render a pipe label into its textual form for export to userspace.
 *
 * elements  - list of policy names whose label components are requested.
 * outbuf    - destination buffer of outbuflen bytes.
 *
 * Returns 0 on success or an errno value.  The local `error' is assigned
 * inside MAC_EXTERNALIZE (it is never written explicitly in this function),
 * which is why it is declared but only read here.  NOTE(review): the
 * bounding of writes to outbuf by outbuflen happens inside the macro and
 * cannot be confirmed from this file.
 */
int
mac_pipe_externalize_label(struct label *label, char *elements,
    char *outbuf, size_t outbuflen)
{
	int error;

	MAC_EXTERNALIZE(pipe, label, elements, outbuf, outbuflen);

	return (error);
}
107 
/*
 * Parse a textual label (as supplied through the label-setting interfaces)
 * into the policy-specific slots of `label'.
 *
 * Returns 0 on success or an errno value; the local `error' is set by the
 * MAC_INTERNALIZE macro rather than by any statement visible here.
 * NOTE(review): `string' presumably originates from userspace, so every
 * policy's internalize handler is the input-validation point for it --
 * confirm against the callers.
 */
int
mac_pipe_internalize_label(struct label *label, char *string)
{
	int error;

	MAC_INTERNALIZE(pipe, label, string);

	return (error);
}
117 
/*
 * Give each policy the chance to derive the initial label of a new pipe
 * pair from the creating credential (pipe_create entry point).  The label
 * must already be attached via mac_pipe_init(); no lock assertion is made
 * here, presumably because the pipe pair is not yet visible to other
 * threads at creation time.
 */
void
mac_pipe_create(struct ucred *cred, struct pipepair *pp)
{

	MAC_PERFORM(pipe_create, cred, pp, pp->pp_label);
}
124 
/*
 * Apply `newlabel' to the pipe pair by invoking each policy's pipe_relabel
 * entry point.  This performs no access control itself: it is file-local
 * and is only reached from mac_pipe_label_set() after
 * mac_pipe_check_relabel() has approved the change, with pp_mtx held.
 */
static void
mac_pipe_relabel(struct ucred *cred, struct pipepair *pp,
    struct label *newlabel)
{

	MAC_PERFORM(pipe_relabel, cred, pp, pp->pp_label, newlabel);
}
132 
/*
 * Access-control hook for ioctl(2) on a pipe.  Asks every policy
 * (pipe_check_ioctl) whether `cred' may issue `cmd' with argument `data'.
 *
 * The caller must hold pp_mtx: the assertion guarantees the label read
 * here cannot be swapped by a concurrent mac_pipe_label_set(), which also
 * requires the mutex.  Returns 0 to allow or an errno value to deny; the
 * local `error' is assigned by MAC_CHECK.
 */
int
mac_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp,
    unsigned long cmd, void *data)
{
	int error;

	mtx_assert(&pp->pp_mtx, MA_OWNED);

	MAC_CHECK(pipe_check_ioctl, cred, pp, pp->pp_label, cmd, data);

	return (error);
}
145 
/*
 * Access-control hook for poll(2)/select(2) on a pipe.  Consults each
 * policy's pipe_check_poll entry point.
 *
 * Caller must hold pp_mtx, which keeps the label stable against a
 * concurrent relabel.  Returns 0 to allow or an errno value to deny;
 * `error' is set inside MAC_CHECK.
 */
int
mac_pipe_check_poll(struct ucred *cred, struct pipepair *pp)
{
	int error;

	mtx_assert(&pp->pp_mtx, MA_OWNED);

	MAC_CHECK(pipe_check_poll, cred, pp, pp->pp_label);

	return (error);
}
157 
/*
 * Access-control hook for reading from a pipe.  Consults each policy's
 * pipe_check_read entry point with the credential and the pipe label.
 *
 * Caller must hold pp_mtx so the label cannot change underneath the
 * check.  Returns 0 to allow or an errno value to deny; `error' is
 * assigned by MAC_CHECK.
 */
int
mac_pipe_check_read(struct ucred *cred, struct pipepair *pp)
{
	int error;

	mtx_assert(&pp->pp_mtx, MA_OWNED);

	MAC_CHECK(pipe_check_read, cred, pp, pp->pp_label);

	return (error);
}
169 
/*
 * Ask every policy whether `cred' may replace the pipe's current label
 * with `newlabel' (pipe_check_relabel).  File-local: the only caller is
 * mac_pipe_label_set(), which applies the relabel on success.
 *
 * Caller must hold pp_mtx.  Returns 0 to allow or an errno value to
 * deny; `error' is assigned by MAC_CHECK.
 */
static int
mac_pipe_check_relabel(struct ucred *cred, struct pipepair *pp,
    struct label *newlabel)
{
	int error;

	mtx_assert(&pp->pp_mtx, MA_OWNED);

	MAC_CHECK(pipe_check_relabel, cred, pp, pp->pp_label, newlabel);

	return (error);
}
182 
/*
 * Access-control hook for fstat(2) on a pipe.  Consults each policy's
 * pipe_check_stat entry point.
 *
 * Caller must hold pp_mtx.  Returns 0 to allow or an errno value to
 * deny; `error' is assigned by MAC_CHECK.
 */
int
mac_pipe_check_stat(struct ucred *cred, struct pipepair *pp)
{
	int error;

	mtx_assert(&pp->pp_mtx, MA_OWNED);

	MAC_CHECK(pipe_check_stat, cred, pp, pp->pp_label);

	return (error);
}
194 
/*
 * Access-control hook for writing to a pipe.  Consults each policy's
 * pipe_check_write entry point with the credential and the pipe label.
 *
 * Caller must hold pp_mtx so the label cannot change underneath the
 * check.  Returns 0 to allow or an errno value to deny; `error' is
 * assigned by MAC_CHECK.
 */
int
mac_pipe_check_write(struct ucred *cred, struct pipepair *pp)
{
	int error;

	mtx_assert(&pp->pp_mtx, MA_OWNED);

	MAC_CHECK(pipe_check_write, cred, pp, pp->pp_label);

	return (error);
}
206 
/*
 * Replace the label of a pipe pair with `label' on behalf of `cred'.
 *
 * The check (mac_pipe_check_relabel) and the update (mac_pipe_relabel)
 * run back to back under pp_mtx, which the caller must already hold; this
 * is what keeps the decision and the mutation atomic with respect to the
 * other pp_mtx-protected hooks in this file.
 *
 * Returns 0 when the relabel was applied, otherwise the errno value that
 * the policies returned from the check (the label is then left untouched).
 */
int
mac_pipe_label_set(struct ucred *cred, struct pipepair *pp,
    struct label *label)
{
	int error;

	mtx_assert(&pp->pp_mtx, MA_OWNED);

	error = mac_pipe_check_relabel(cred, pp, label);
	if (error == 0)
		mac_pipe_relabel(cred, pp, label);

	return (error);
}
223