1 /*- 2 * Copyright (c) 2002-2003 Networks Associates Technology, Inc. 3 * Copyright (c) 2006 SPARTA, Inc. 4 * All rights reserved. 5 * 6 * This software was developed for the FreeBSD Project in part by Network 7 * Associates Laboratories, the Security Research Division of Network 8 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), 9 * as part of the DARPA CHATS research program. 10 * 11 * This software was enhanced by SPARTA ISSO under SPAWAR contract 12 * N66001-04-C-6019 ("SEFOS"). 13 * 14 * Redistribution and use in source and binary forms, with or without 15 * modification, are permitted provided that the following conditions 16 * are met: 17 * 1. Redistributions of source code must retain the above copyright 18 * notice, this list of conditions and the following disclaimer. 19 * 2. Redistributions in binary form must reproduce the above copyright 20 * notice, this list of conditions and the following disclaimer in the 21 * documentation and/or other materials provided with the distribution. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 33 * SUCH DAMAGE. 34 */ 35 36 #include <sys/cdefs.h> 37 __FBSDID("$FreeBSD$"); 38 39 #include "opt_mac.h" 40 41 #include <sys/param.h> 42 #include <sys/kernel.h> 43 #include <sys/lock.h> 44 #include <sys/malloc.h> 45 #include <sys/module.h> 46 #include <sys/mutex.h> 47 #include <sys/sbuf.h> 48 #include <sys/systm.h> 49 #include <sys/vnode.h> 50 #include <sys/pipe.h> 51 #include <sys/sysctl.h> 52 53 #include <security/mac/mac_framework.h> 54 #include <security/mac/mac_internal.h> 55 #include <security/mac/mac_policy.h> 56 57 struct label * 58 mac_pipe_label_alloc(void) 59 { 60 struct label *label; 61 62 label = mac_labelzone_alloc(M_WAITOK); 63 MAC_PERFORM(pipe_init_label, label); 64 return (label); 65 } 66 67 void 68 mac_pipe_init(struct pipepair *pp) 69 { 70 71 if (mac_labeled & MPC_OBJECT_PIPE) 72 pp->pp_label = mac_pipe_label_alloc(); 73 else 74 pp->pp_label = NULL; 75 } 76 77 void 78 mac_pipe_label_free(struct label *label) 79 { 80 81 MAC_PERFORM(pipe_destroy_label, label); 82 mac_labelzone_free(label); 83 } 84 85 void 86 mac_pipe_destroy(struct pipepair *pp) 87 { 88 89 if (pp->pp_label != NULL) { 90 mac_pipe_label_free(pp->pp_label); 91 pp->pp_label = NULL; 92 } 93 } 94 95 void 96 mac_pipe_copy_label(struct label *src, struct label *dest) 97 { 98 99 MAC_PERFORM(pipe_copy_label, src, dest); 100 } 101 102 int 103 mac_pipe_externalize_label(struct label *label, char *elements, 104 char *outbuf, size_t outbuflen) 105 { 106 int error; 107 108 MAC_EXTERNALIZE(pipe, label, elements, outbuf, outbuflen); 109 110 return (error); 111 } 112 113 int 114 mac_pipe_internalize_label(struct label *label, char *string) 115 { 116 int error; 117 118 MAC_INTERNALIZE(pipe, label, string); 119 120 return (error); 121 } 122 123 void 124 mac_pipe_create(struct ucred *cred, struct pipepair *pp) 125 { 126 127 MAC_PERFORM(pipe_create, cred, pp, pp->pp_label); 128 } 129 130 static void 131 mac_pipe_relabel(struct ucred *cred, struct pipepair *pp, 132 struct label *newlabel) 133 { 134 135 MAC_PERFORM(pipe_relabel, cred, pp, pp->pp_label, newlabel); 136 } 137 138 int 139 mac_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp, 140 unsigned long cmd, void *data) 141 { 142 int error; 143 144 mtx_assert(&pp->pp_mtx, MA_OWNED); 145 146 MAC_CHECK(pipe_check_ioctl, cred, pp, pp->pp_label, cmd, data); 147 148 return (error); 149 } 150 151 int 152 mac_pipe_check_poll(struct ucred *cred, struct pipepair *pp) 153 { 154 int error; 155 156 mtx_assert(&pp->pp_mtx, MA_OWNED); 157 158 MAC_CHECK(pipe_check_poll, cred, pp, pp->pp_label); 159 160 return (error); 161 } 162 163 int 164 mac_pipe_check_read(struct ucred *cred, struct pipepair *pp) 165 { 166 int error; 167 168 mtx_assert(&pp->pp_mtx, MA_OWNED); 169 170 MAC_CHECK(pipe_check_read, cred, pp, pp->pp_label); 171 172 return (error); 173 } 174 175 static int 176 mac_pipe_check_relabel(struct ucred *cred, struct pipepair *pp, 177 struct label *newlabel) 178 { 179 int error; 180 181 mtx_assert(&pp->pp_mtx, MA_OWNED); 182 183 MAC_CHECK(pipe_check_relabel, cred, pp, pp->pp_label, newlabel); 184 185 return (error); 186 } 187 188 int 189 mac_pipe_check_stat(struct ucred *cred, struct pipepair *pp) 190 { 191 int error; 192 193 mtx_assert(&pp->pp_mtx, MA_OWNED); 194 195 MAC_CHECK(pipe_check_stat, cred, pp, pp->pp_label); 196 197 return (error); 198 } 199 200 int 201 mac_pipe_check_write(struct ucred *cred, struct pipepair *pp) 202 { 203 int error; 204 205 mtx_assert(&pp->pp_mtx, MA_OWNED); 206 207 MAC_CHECK(pipe_check_write, cred, pp, pp->pp_label); 208 209 return (error); 210 } 211 212 int 213 mac_pipe_label_set(struct ucred *cred, struct pipepair *pp, 214 struct label *label) 215 { 216 int error; 217 218 mtx_assert(&pp->pp_mtx, MA_OWNED); 219 220 error = mac_pipe_check_relabel(cred, pp, label); 221 if (error) 222 return (error); 223 224 mac_pipe_relabel(cred, pp, label); 225 226 return (0); 227 } 228