xref: /freebsd/sys/security/mac/mac_system.c (revision 511cecafd6f81e86fe43552c72dae3f6e584e71d) 
1 /*-
2  * Copyright (c) 2002, 2003 Networks Associates Technology, Inc.
3  * All rights reserved.
4  *
5  * This software was developed for the FreeBSD Project in part by Network
6  * Associates Laboratories, the Security Research Division of Network
7  * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
8  * as part of the DARPA CHATS research program.
9  *
10  * Redistribution and use in source and binary forms, with or without
11  * modification, are permitted provided that the following conditions
12  * are met:
13  * 1. Redistributions of source code must retain the above copyright
14  *    notice, this list of conditions and the following disclaimer.
15  * 2. Redistributions in binary form must reproduce the above copyright
16  *    notice, this list of conditions and the following disclaimer in the
17  *    documentation and/or other materials provided with the distribution.
18  *
19  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
20  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
23  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29  * SUCH DAMAGE.
30  */
31 
32 #include <sys/cdefs.h>
33 __FBSDID("$FreeBSD$");
34 
35 #include "opt_mac.h"
36 
37 #include <sys/param.h>
38 #include <sys/kernel.h>
39 #include <sys/lock.h>
40 #include <sys/malloc.h>
41 #include <sys/module.h>
42 #include <sys/mutex.h>
43 #include <sys/systm.h>
44 #include <sys/vnode.h>
45 #include <sys/sysctl.h>
46 
47 #include <security/mac/mac_framework.h>
48 #include <security/mac/mac_internal.h>
49 #include <security/mac/mac_policy.h>
50 
51 /*
52  * XXXRW: Some of these checks now duplicate privilege checks.  However,
53  * others provide additional security context that may be useful to policies.
54  * We need to review these and remove ones that are pure duplicates.
55  */
56 
57 int
58 mac_check_kenv_dump(struct ucred *cred)
59 {
60 	int error;
61 
62 	MAC_CHECK(check_kenv_dump, cred);
63 
64 	return (error);
65 }
66 
67 int
68 mac_check_kenv_get(struct ucred *cred, char *name)
69 {
70 	int error;
71 
72 	MAC_CHECK(check_kenv_get, cred, name);
73 
74 	return (error);
75 }
76 
77 int
78 mac_check_kenv_set(struct ucred *cred, char *name, char *value)
79 {
80 	int error;
81 
82 	MAC_CHECK(check_kenv_set, cred, name, value);
83 
84 	return (error);
85 }
86 
87 int
88 mac_check_kenv_unset(struct ucred *cred, char *name)
89 {
90 	int error;
91 
92 	MAC_CHECK(check_kenv_unset, cred, name);
93 
94 	return (error);
95 }
96 
97 int
98 mac_check_kld_load(struct ucred *cred, struct vnode *vp)
99 {
100 	int error;
101 
102 	ASSERT_VOP_LOCKED(vp, "mac_check_kld_load");
103 
104 	MAC_CHECK(check_kld_load, cred, vp, vp->v_label);
105 
106 	return (error);
107 }
108 
109 int
110 mac_check_kld_stat(struct ucred *cred)
111 {
112 	int error;
113 
114 	MAC_CHECK(check_kld_stat, cred);
115 
116 	return (error);
117 }
118 
119 int
120 mac_check_kld_unload(struct ucred *cred)
121 {
122 	int error;
123 
124 	MAC_CHECK(check_kld_unload, cred);
125 
126 	return (error);
127 }
128 
129 int
130 mac_check_sysarch_ioperm(struct ucred *cred)
131 {
132 	int error;
133 
134 	MAC_CHECK(check_sysarch_ioperm, cred);
135 	return (error);
136 }
137 
138 int
139 mac_check_system_acct(struct ucred *cred, struct vnode *vp)
140 {
141 	int error;
142 
143 	if (vp != NULL) {
144 		ASSERT_VOP_LOCKED(vp, "mac_check_system_acct");
145 	}
146 
147 	MAC_CHECK(check_system_acct, cred, vp,
148 	    vp != NULL ? vp->v_label : NULL);
149 
150 	return (error);
151 }
152 
153 int
154 mac_check_system_nfsd(struct ucred *cred)
155 {
156 	int error;
157 
158 	MAC_CHECK(check_system_nfsd, cred);
159 
160 	return (error);
161 }
162 
163 int
164 mac_check_system_reboot(struct ucred *cred, int howto)
165 {
166 	int error;
167 
168 	MAC_CHECK(check_system_reboot, cred, howto);
169 
170 	return (error);
171 }
172 
173 int
174 mac_check_system_settime(struct ucred *cred)
175 {
176 	int error;
177 
178 	MAC_CHECK(check_system_settime, cred);
179 
180 	return (error);
181 }
182 
183 int
184 mac_check_system_swapon(struct ucred *cred, struct vnode *vp)
185 {
186 	int error;
187 
188 	ASSERT_VOP_LOCKED(vp, "mac_check_system_swapon");
189 
190 	MAC_CHECK(check_system_swapon, cred, vp, vp->v_label);
191 	return (error);
192 }
193 
194 int
195 mac_check_system_swapoff(struct ucred *cred, struct vnode *vp)
196 {
197 	int error;
198 
199 	ASSERT_VOP_LOCKED(vp, "mac_check_system_swapoff");
200 
201 	MAC_CHECK(check_system_swapoff, cred, vp, vp->v_label);
202 	return (error);
203 }
204 
205 int
206 mac_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp, void *arg1,
207     int arg2, struct sysctl_req *req)
208 {
209 	int error;
210 
211 	/*
212 	 * XXXMAC: We would very much like to assert the SYSCTL_LOCK here,
213 	 * but since it's not exported from kern_sysctl.c, we can't.
214 	 */
215 	MAC_CHECK(check_system_sysctl, cred, oidp, arg1, arg2, req);
216 
217 	return (error);
218 }
219