17bc82500SRobert Watson /*- 26bd11732SRobert Watson * Copyright (c) 2002, 2003 Networks Associates Technology, Inc. 37bc82500SRobert Watson * All rights reserved. 47bc82500SRobert Watson * 56201265bSRobert Watson * This software was developed for the FreeBSD Project in part by Network 66201265bSRobert Watson * Associates Laboratories, the Security Research Division of Network 76201265bSRobert Watson * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), 86201265bSRobert Watson * as part of the DARPA CHATS research program. 97bc82500SRobert Watson * 107bc82500SRobert Watson * Redistribution and use in source and binary forms, with or without 117bc82500SRobert Watson * modification, are permitted provided that the following conditions 127bc82500SRobert Watson * are met: 137bc82500SRobert Watson * 1. Redistributions of source code must retain the above copyright 147bc82500SRobert Watson * notice, this list of conditions and the following disclaimer. 157bc82500SRobert Watson * 2. Redistributions in binary form must reproduce the above copyright 167bc82500SRobert Watson * notice, this list of conditions and the following disclaimer in the 177bc82500SRobert Watson * documentation and/or other materials provided with the distribution. 187bc82500SRobert Watson * 197bc82500SRobert Watson * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 207bc82500SRobert Watson * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 217bc82500SRobert Watson * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 227bc82500SRobert Watson * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 237bc82500SRobert Watson * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 247bc82500SRobert Watson * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 257bc82500SRobert Watson * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 267bc82500SRobert Watson * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 277bc82500SRobert Watson * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 287bc82500SRobert Watson * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 297bc82500SRobert Watson * SUCH DAMAGE. 307bc82500SRobert Watson */ 31677b542eSDavid E. O'Brien 32677b542eSDavid E. O'Brien #include <sys/cdefs.h> 33677b542eSDavid E. O'Brien __FBSDID("$FreeBSD$"); 34677b542eSDavid E. O'Brien 357bc82500SRobert Watson #include "opt_mac.h" 36f9d0d524SRobert Watson 377bc82500SRobert Watson #include <sys/param.h> 3895fab37eSRobert Watson #include <sys/kernel.h> 3995fab37eSRobert Watson #include <sys/lock.h> 40b656366bSBruce Evans #include <sys/malloc.h> 415dba30f1SPoul-Henning Kamp #include <sys/module.h> 4295fab37eSRobert Watson #include <sys/mutex.h> 4395fab37eSRobert Watson #include <sys/mac.h> 4495fab37eSRobert Watson #include <sys/systm.h> 4595fab37eSRobert Watson #include <sys/vnode.h> 4695fab37eSRobert Watson #include <sys/sysctl.h> 4795fab37eSRobert Watson 48aed55708SRobert Watson #include <security/mac/mac_framework.h> 496bd11732SRobert Watson #include <security/mac/mac_internal.h> 500efd6615SRobert Watson #include <security/mac/mac_policy.h> 5195fab37eSRobert Watson 52acd3428bSRobert Watson /* 53acd3428bSRobert Watson * XXXRW: Some of these checks now duplicate privilege checks. However, 54acd3428bSRobert Watson * others provide additional security context that may be useful to policies. 55acd3428bSRobert Watson * We need to review these and remove ones that are pure duplicates. 56acd3428bSRobert Watson */ 57acd3428bSRobert Watson 5895fab37eSRobert Watson int 59e686e5aeSRobert Watson mac_check_kenv_dump(struct ucred *cred) 60e686e5aeSRobert Watson { 61e686e5aeSRobert Watson int error; 62e686e5aeSRobert Watson 63e686e5aeSRobert Watson MAC_CHECK(check_kenv_dump, cred); 64e686e5aeSRobert Watson 65e686e5aeSRobert Watson return (error); 66e686e5aeSRobert Watson } 67e686e5aeSRobert Watson 68e686e5aeSRobert Watson int 69e686e5aeSRobert Watson mac_check_kenv_get(struct ucred *cred, char *name) 70e686e5aeSRobert Watson { 71e686e5aeSRobert Watson int error; 72e686e5aeSRobert Watson 73e686e5aeSRobert Watson MAC_CHECK(check_kenv_get, cred, name); 74e686e5aeSRobert Watson 75e686e5aeSRobert Watson return (error); 76e686e5aeSRobert Watson } 77e686e5aeSRobert Watson 78e686e5aeSRobert Watson int 79e686e5aeSRobert Watson mac_check_kenv_set(struct ucred *cred, char *name, char *value) 80e686e5aeSRobert Watson { 81e686e5aeSRobert Watson int error; 82e686e5aeSRobert Watson 83e686e5aeSRobert Watson MAC_CHECK(check_kenv_set, cred, name, value); 84e686e5aeSRobert Watson 85e686e5aeSRobert Watson return (error); 86e686e5aeSRobert Watson } 87e686e5aeSRobert Watson 88e686e5aeSRobert Watson int 89e686e5aeSRobert Watson mac_check_kenv_unset(struct ucred *cred, char *name) 90e686e5aeSRobert Watson { 91e686e5aeSRobert Watson int error; 92e686e5aeSRobert Watson 93e686e5aeSRobert Watson MAC_CHECK(check_kenv_unset, cred, name); 94e686e5aeSRobert Watson 95e686e5aeSRobert Watson return (error); 96e686e5aeSRobert Watson } 97e686e5aeSRobert Watson 98e686e5aeSRobert Watson int 99a3df768bSRobert Watson mac_check_kld_load(struct ucred *cred, struct vnode *vp) 100a3df768bSRobert Watson { 101a3df768bSRobert Watson int error; 102a3df768bSRobert Watson 103a3df768bSRobert Watson ASSERT_VOP_LOCKED(vp, "mac_check_kld_load"); 104a3df768bSRobert Watson 105eca8a663SRobert Watson MAC_CHECK(check_kld_load, cred, vp, vp->v_label); 106a3df768bSRobert Watson 107a3df768bSRobert Watson return (error); 108a3df768bSRobert Watson } 109a3df768bSRobert Watson 110a3df768bSRobert Watson int 111a3df768bSRobert Watson mac_check_kld_stat(struct ucred *cred) 112a3df768bSRobert Watson { 113a3df768bSRobert Watson int error; 114a3df768bSRobert Watson 115a3df768bSRobert Watson MAC_CHECK(check_kld_stat, cred); 116a3df768bSRobert Watson 117a3df768bSRobert Watson return (error); 118a3df768bSRobert Watson } 119a3df768bSRobert Watson 120a3df768bSRobert Watson int 121a3df768bSRobert Watson mac_check_kld_unload(struct ucred *cred) 122a3df768bSRobert Watson { 123a3df768bSRobert Watson int error; 124a3df768bSRobert Watson 125a3df768bSRobert Watson MAC_CHECK(check_kld_unload, cred); 126a3df768bSRobert Watson 127a3df768bSRobert Watson return (error); 128a3df768bSRobert Watson } 129a3df768bSRobert Watson 130a3df768bSRobert Watson int 13192835789SRobert Watson mac_check_sysarch_ioperm(struct ucred *cred) 13292835789SRobert Watson { 13392835789SRobert Watson int error; 13492835789SRobert Watson 13592835789SRobert Watson MAC_CHECK(check_sysarch_ioperm, cred); 13692835789SRobert Watson return (error); 13792835789SRobert Watson } 13892835789SRobert Watson 13992835789SRobert Watson int 140e5e820fdSRobert Watson mac_check_system_acct(struct ucred *cred, struct vnode *vp) 141e5e820fdSRobert Watson { 142e5e820fdSRobert Watson int error; 143e5e820fdSRobert Watson 144e5e820fdSRobert Watson if (vp != NULL) { 145e5e820fdSRobert Watson ASSERT_VOP_LOCKED(vp, "mac_check_system_acct"); 146e5e820fdSRobert Watson } 147e5e820fdSRobert Watson 148e5e820fdSRobert Watson MAC_CHECK(check_system_acct, cred, vp, 149eca8a663SRobert Watson vp != NULL ? vp->v_label : NULL); 150e5e820fdSRobert Watson 151e5e820fdSRobert Watson return (error); 152e5e820fdSRobert Watson } 153e5e820fdSRobert Watson 154e5e820fdSRobert Watson int 155e5e820fdSRobert Watson mac_check_system_nfsd(struct ucred *cred) 156e5e820fdSRobert Watson { 157e5e820fdSRobert Watson int error; 158e5e820fdSRobert Watson 159e5e820fdSRobert Watson MAC_CHECK(check_system_nfsd, cred); 160e5e820fdSRobert Watson 161e5e820fdSRobert Watson return (error); 162e5e820fdSRobert Watson } 163e5e820fdSRobert Watson 164e5e820fdSRobert Watson int 165a2ecb9b7SRobert Watson mac_check_system_reboot(struct ucred *cred, int howto) 166a2ecb9b7SRobert Watson { 167a2ecb9b7SRobert Watson int error; 168a2ecb9b7SRobert Watson 169a2ecb9b7SRobert Watson MAC_CHECK(check_system_reboot, cred, howto); 1709e913ebdSRobert Watson 171a2ecb9b7SRobert Watson return (error); 172a2ecb9b7SRobert Watson } 173a2ecb9b7SRobert Watson 174a2ecb9b7SRobert Watson int 1754b8d5f2dSRobert Watson mac_check_system_settime(struct ucred *cred) 1764b8d5f2dSRobert Watson { 1774b8d5f2dSRobert Watson int error; 1784b8d5f2dSRobert Watson 1794b8d5f2dSRobert Watson MAC_CHECK(check_system_settime, cred); 1804b8d5f2dSRobert Watson 1814b8d5f2dSRobert Watson return (error); 1824b8d5f2dSRobert Watson } 1834b8d5f2dSRobert Watson 1844b8d5f2dSRobert Watson int 18503ce2c0cSRobert Watson mac_check_system_swapon(struct ucred *cred, struct vnode *vp) 18603ce2c0cSRobert Watson { 18703ce2c0cSRobert Watson int error; 18803ce2c0cSRobert Watson 18903ce2c0cSRobert Watson ASSERT_VOP_LOCKED(vp, "mac_check_system_swapon"); 19003ce2c0cSRobert Watson 191eca8a663SRobert Watson MAC_CHECK(check_system_swapon, cred, vp, vp->v_label); 19203ce2c0cSRobert Watson return (error); 19303ce2c0cSRobert Watson } 19403ce2c0cSRobert Watson 19503ce2c0cSRobert Watson int 1961b2c2ab2SRobert Watson mac_check_system_swapoff(struct ucred *cred, struct vnode *vp) 1971b2c2ab2SRobert Watson { 1981b2c2ab2SRobert Watson int error; 1991b2c2ab2SRobert Watson 2001b2c2ab2SRobert Watson ASSERT_VOP_LOCKED(vp, "mac_check_system_swapoff"); 2011b2c2ab2SRobert Watson 202eca8a663SRobert Watson MAC_CHECK(check_system_swapoff, cred, vp, vp->v_label); 2031b2c2ab2SRobert Watson return (error); 2041b2c2ab2SRobert Watson } 2051b2c2ab2SRobert Watson 2061b2c2ab2SRobert Watson int 20763dba32bSPawel Jakub Dawidek mac_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp, void *arg1, 20863dba32bSPawel Jakub Dawidek int arg2, struct sysctl_req *req) 209d3fc69eeSRobert Watson { 210d3fc69eeSRobert Watson int error; 211d3fc69eeSRobert Watson 212d3fc69eeSRobert Watson /* 213578994bbSChristian S.J. Peron * XXXMAC: We would very much like to assert the SYSCTL_LOCK here, 214d3fc69eeSRobert Watson * but since it's not exported from kern_sysctl.c, we can't. 215d3fc69eeSRobert Watson */ 21663dba32bSPawel Jakub Dawidek MAC_CHECK(check_system_sysctl, cred, oidp, arg1, arg2, req); 217d3fc69eeSRobert Watson 218d3fc69eeSRobert Watson return (error); 219d3fc69eeSRobert Watson } 220