1 /*- 2 * Copyright (c) 2002, 2003 Networks Associates Technology, Inc. 3 * All rights reserved. 4 * 5 * This software was developed for the FreeBSD Project in part by Network 6 * Associates Laboratories, the Security Research Division of Network 7 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), 8 * as part of the DARPA CHATS research program. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29 * SUCH DAMAGE. 30 */ 31 32 #include <sys/cdefs.h> 33 __FBSDID("$FreeBSD$"); 34 35 #include "opt_mac.h" 36 37 #include <sys/param.h> 38 #include <sys/kernel.h> 39 #include <sys/lock.h> 40 #include <sys/malloc.h> 41 #include <sys/module.h> 42 #include <sys/mutex.h> 43 #include <sys/mac.h> 44 #include <sys/systm.h> 45 #include <sys/vnode.h> 46 #include <sys/sysctl.h> 47 48 #include <security/mac/mac_framework.h> 49 #include <security/mac/mac_internal.h> 50 #include <security/mac/mac_policy.h> 51 52 /* 53 * XXXRW: Some of these checks now duplicate privilege checks. However, 54 * others provide additional security context that may be useful to policies. 55 * We need to review these and remove ones that are pure duplicates. 56 */ 57 58 int 59 mac_check_kenv_dump(struct ucred *cred) 60 { 61 int error; 62 63 MAC_CHECK(check_kenv_dump, cred); 64 65 return (error); 66 } 67 68 int 69 mac_check_kenv_get(struct ucred *cred, char *name) 70 { 71 int error; 72 73 MAC_CHECK(check_kenv_get, cred, name); 74 75 return (error); 76 } 77 78 int 79 mac_check_kenv_set(struct ucred *cred, char *name, char *value) 80 { 81 int error; 82 83 MAC_CHECK(check_kenv_set, cred, name, value); 84 85 return (error); 86 } 87 88 int 89 mac_check_kenv_unset(struct ucred *cred, char *name) 90 { 91 int error; 92 93 MAC_CHECK(check_kenv_unset, cred, name); 94 95 return (error); 96 } 97 98 int 99 mac_check_kld_load(struct ucred *cred, struct vnode *vp) 100 { 101 int error; 102 103 ASSERT_VOP_LOCKED(vp, "mac_check_kld_load"); 104 105 MAC_CHECK(check_kld_load, cred, vp, vp->v_label); 106 107 return (error); 108 } 109 110 int 111 mac_check_kld_stat(struct ucred *cred) 112 { 113 int error; 114 115 MAC_CHECK(check_kld_stat, cred); 116 117 return (error); 118 } 119 120 int 121 mac_check_kld_unload(struct ucred *cred) 122 { 123 int error; 124 125 MAC_CHECK(check_kld_unload, cred); 126 127 return (error); 128 } 129 130 int 131 mac_check_sysarch_ioperm(struct ucred *cred) 132 { 133 int error; 134 135 MAC_CHECK(check_sysarch_ioperm, cred); 136 return (error); 137 } 138 139 int 140 mac_check_system_acct(struct ucred *cred, struct vnode *vp) 141 { 142 int error; 143 144 if (vp != NULL) { 145 ASSERT_VOP_LOCKED(vp, "mac_check_system_acct"); 146 } 147 148 MAC_CHECK(check_system_acct, cred, vp, 149 vp != NULL ? vp->v_label : NULL); 150 151 return (error); 152 } 153 154 int 155 mac_check_system_nfsd(struct ucred *cred) 156 { 157 int error; 158 159 MAC_CHECK(check_system_nfsd, cred); 160 161 return (error); 162 } 163 164 int 165 mac_check_system_reboot(struct ucred *cred, int howto) 166 { 167 int error; 168 169 MAC_CHECK(check_system_reboot, cred, howto); 170 171 return (error); 172 } 173 174 int 175 mac_check_system_settime(struct ucred *cred) 176 { 177 int error; 178 179 MAC_CHECK(check_system_settime, cred); 180 181 return (error); 182 } 183 184 int 185 mac_check_system_swapon(struct ucred *cred, struct vnode *vp) 186 { 187 int error; 188 189 ASSERT_VOP_LOCKED(vp, "mac_check_system_swapon"); 190 191 MAC_CHECK(check_system_swapon, cred, vp, vp->v_label); 192 return (error); 193 } 194 195 int 196 mac_check_system_swapoff(struct ucred *cred, struct vnode *vp) 197 { 198 int error; 199 200 ASSERT_VOP_LOCKED(vp, "mac_check_system_swapoff"); 201 202 MAC_CHECK(check_system_swapoff, cred, vp, vp->v_label); 203 return (error); 204 } 205 206 int 207 mac_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp, void *arg1, 208 int arg2, struct sysctl_req *req) 209 { 210 int error; 211 212 /* 213 * XXXMAC: We would very much like to assert the SYSCTL_LOCK here, 214 * but since it's not exported from kern_sysctl.c, we can't. 215 */ 216 MAC_CHECK(check_system_sysctl, cred, oidp, arg1, arg2, req); 217 218 return (error); 219 } 220