1 /*-
2  * Copyright (c) 2002-2003 Networks Associates Technology, Inc.
3  * Copyright (c) 2006 SPARTA, Inc.
4  * All rights reserved.
5  *
6  * This software was developed for the FreeBSD Project in part by Network
7  * Associates Laboratories, the Security Research Division of Network
8  * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
9  * as part of the DARPA CHATS research program.
10  *
11  * This software was enhanced by SPARTA ISSO under SPAWAR contract
12  * N66001-04-C-6019 ("SEFOS").
13  *
14  * Redistribution and use in source and binary forms, with or without
15  * modification, are permitted provided that the following conditions
16  * are met:
17  * 1. Redistributions of source code must retain the above copyright
18  *    notice, this list of conditions and the following disclaimer.
19  * 2. Redistributions in binary form must reproduce the above copyright
20  *    notice, this list of conditions and the following disclaimer in the
21  *    documentation and/or other materials provided with the distribution.
22  *
23  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
24  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
27  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33  * SUCH DAMAGE.
34  */
35 
36 #include <sys/cdefs.h>
37 __FBSDID("$FreeBSD$");
38 
39 #include "opt_mac.h"
40 
41 #include <sys/param.h>
42 #include <sys/kernel.h>
43 #include <sys/lock.h>
44 #include <sys/malloc.h>
45 #include <sys/module.h>
46 #include <sys/mutex.h>
47 #include <sys/sbuf.h>
48 #include <sys/systm.h>
49 #include <sys/vnode.h>
50 #include <sys/pipe.h>
51 #include <sys/sysctl.h>
52 
53 #include <security/mac/mac_framework.h>
54 #include <security/mac/mac_internal.h>
55 #include <security/mac/mac_policy.h>
56 
/*
 * Allocate a fresh pipe label from the label zone (sleeping until memory
 * is available) and let every loaded policy initialize its slot in it.
 * The caller owns the returned label and releases it via
 * mac_pipe_label_free().
 */
struct label *
mac_pipe_label_alloc(void)
{
	struct label *l = mac_labelzone_alloc(M_WAITOK);

	/* Policies populate their per-label storage here. */
	MAC_PERFORM(pipe_init_label, l);
	return (l);
}
66 
/*
 * Initialize the MAC label slot of a newly created pipe pair.  A label is
 * only allocated when some policy has declared interest in labeling pipe
 * objects (MPC_OBJECT_PIPE bit in mac_labeled); otherwise pp_label is left
 * NULL so the per-object cost is paid only when needed.
 */
void
mac_pipe_init(struct pipepair *pp)
{

	pp->pp_label = (mac_labeled & MPC_OBJECT_PIPE) ?
	    mac_pipe_label_alloc() : NULL;
}
76 
/*
 * Release a pipe label: give each policy a chance to tear down its slot
 * first, then return the storage to the label zone.  The order matters --
 * the zone memory must not be freed while policies may still reference it.
 */
void
mac_pipe_label_free(struct label *label)
{

	MAC_PERFORM(pipe_destroy_label, label);
	mac_labelzone_free(label);
}
84 
/*
 * Tear down the MAC state of a pipe pair that is being destroyed.  A NULL
 * pp_label (no policy labels pipes) is a no-op; otherwise the label is
 * freed and the pointer cleared so a stale reference cannot survive in the
 * pipepair.
 */
void
mac_pipe_destroy(struct pipepair *pp)
{

	if (pp->pp_label == NULL)
		return;
	mac_pipe_label_free(pp->pp_label);
	pp->pp_label = NULL;
}
94 
/*
 * Copy the policy-specific contents of pipe label src into dest by
 * invoking each policy's pipe_copy_label entry point.  Both labels must
 * already be allocated; no locking is asserted here, so the caller is
 * responsible for keeping both stable for the duration.
 */
void
mac_pipe_copy_label(struct label *src, struct label *dest)
{

	MAC_PERFORM(pipe_copy_label, src, dest);
}
101 
/*
 * Render the named policy elements of a pipe label into a textual form
 * in outbuf (bounded by outbuflen) for export to userland.  The result
 * code is assigned by the MAC_EXTERNALIZE macro, which is why 'error' is
 * declared without an initializer here.  Returns 0 on success or an errno
 * value from the policies.
 */
int
mac_pipe_externalize_label(struct label *label, char *elements,
    char *outbuf, size_t outbuflen)
{
	int error;

	MAC_EXTERNALIZE(pipe, label, elements, outbuf, outbuflen);

	return (error);
}
112 
/*
 * Parse a textual label (typically supplied by userland) into a pipe
 * label via each policy's internalize handler.  'string' is untrusted
 * input; validation is delegated to the policies.  The result code is
 * assigned by the MAC_INTERNALIZE macro.  Returns 0 on success or an
 * errno value.
 */
int
mac_pipe_internalize_label(struct label *label, char *string)
{
	int error;

	MAC_INTERNALIZE(pipe, label, string);

	return (error);
}
122 
/*
 * Let policies assign an initial label to a freshly created pipe pair,
 * derived from the creating credential.  pp_label may be NULL when no
 * policy labels pipes; policies are expected to cope with that.
 */
void
mac_pipe_create(struct ucred *cred, struct pipepair *pp)
{

	MAC_PERFORM(pipe_create, cred, pp, pp->pp_label);
}
129 
/*
 * Apply newlabel to the pipe pair by invoking each policy's pipe_relabel
 * hook.  This performs no access check of its own -- it is static and only
 * reached from mac_pipe_label_set() after mac_pipe_check_relabel() has
 * approved the change, so it must not be exported as a standalone entry.
 */
static void
mac_pipe_relabel(struct ucred *cred, struct pipepair *pp,
    struct label *newlabel)
{

	MAC_PERFORM(pipe_relabel, cred, pp, pp->pp_label, newlabel);
}
137 
/*
 * Ask every policy whether cred may issue ioctl 'cmd' (with argument
 * 'data') on the pipe pair.  The pipe mutex must be held by the caller so
 * pp_label cannot change during the check.  'error' is assigned by
 * MAC_CHECK; 0 means all policies allowed the operation, otherwise an
 * errno value chosen by the policies is returned.
 */
int
mac_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp,
    unsigned long cmd, void *data)
{
	int error;

	mtx_assert(&pp->pp_mtx, MA_OWNED);

	MAC_CHECK(pipe_check_ioctl, cred, pp, pp->pp_label, cmd, data);

	return (error);
}
150 
/*
 * Ask every policy whether cred may poll the pipe pair.  Caller must hold
 * pp_mtx (asserted).  'error' is assigned by MAC_CHECK; returns 0 when
 * permitted, otherwise an errno value.
 */
int
mac_pipe_check_poll(struct ucred *cred, struct pipepair *pp)
{
	int error;

	mtx_assert(&pp->pp_mtx, MA_OWNED);

	MAC_CHECK(pipe_check_poll, cred, pp, pp->pp_label);

	return (error);
}
162 
/*
 * Ask every policy whether cred may read from the pipe pair.  Caller must
 * hold pp_mtx (asserted).  'error' is assigned by MAC_CHECK; returns 0
 * when permitted, otherwise an errno value.
 */
int
mac_pipe_check_read(struct ucred *cred, struct pipepair *pp)
{
	int error;

	mtx_assert(&pp->pp_mtx, MA_OWNED);

	MAC_CHECK(pipe_check_read, cred, pp, pp->pp_label);

	return (error);
}
174 
/*
 * Ask every policy whether cred may replace the pipe pair's label with
 * newlabel.  Static: the only consumer is mac_pipe_label_set(), which
 * pairs this check with the actual relabel.  Caller must hold pp_mtx
 * (asserted).  'error' is assigned by MAC_CHECK; returns 0 when
 * permitted, otherwise an errno value.
 */
static int
mac_pipe_check_relabel(struct ucred *cred, struct pipepair *pp,
    struct label *newlabel)
{
	int error;

	mtx_assert(&pp->pp_mtx, MA_OWNED);

	MAC_CHECK(pipe_check_relabel, cred, pp, pp->pp_label, newlabel);

	return (error);
}
187 
/*
 * Ask every policy whether cred may stat the pipe pair.  Caller must hold
 * pp_mtx (asserted).  'error' is assigned by MAC_CHECK; returns 0 when
 * permitted, otherwise an errno value.
 */
int
mac_pipe_check_stat(struct ucred *cred, struct pipepair *pp)
{
	int error;

	mtx_assert(&pp->pp_mtx, MA_OWNED);

	MAC_CHECK(pipe_check_stat, cred, pp, pp->pp_label);

	return (error);
}
199 
/*
 * Ask every policy whether cred may write to the pipe pair.  Caller must
 * hold pp_mtx (asserted).  'error' is assigned by MAC_CHECK; returns 0
 * when permitted, otherwise an errno value.
 */
int
mac_pipe_check_write(struct ucred *cred, struct pipepair *pp)
{
	int error;

	mtx_assert(&pp->pp_mtx, MA_OWNED);

	MAC_CHECK(pipe_check_write, cred, pp, pp->pp_label);

	return (error);
}
211 
/*
 * Replace the pipe pair's label with 'label' on behalf of cred.  The
 * access check and the relabel are performed back to back under pp_mtx
 * (asserted held) so that no other thread can observe or alter the label
 * between the decision and its application.  Returns 0 on success, or the
 * errno value from the policies when the relabel is denied -- in which case
 * the pipe's label is left untouched.
 */
int
mac_pipe_label_set(struct ucred *cred, struct pipepair *pp,
    struct label *label)
{
	int error;

	mtx_assert(&pp->pp_mtx, MA_OWNED);

	error = mac_pipe_check_relabel(cred, pp, label);
	if (error == 0)
		mac_pipe_relabel(cred, pp, label);

	return (error);
}
227 }
228