/*-
 * Copyright (c) 2003-2004 Networks Associates Technology, Inc.
 * Copyright (c) 2006 SPARTA, Inc.
 * Copyright (c) 2008 Apple Inc.
 * Copyright (c) 2009 Robert N. M. Watson
 * All rights reserved.
 *
 * This software was developed for the FreeBSD Project in part by Network
 * Associates Laboratories, the Security Research Division of Network
 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
 * as part of the DARPA CHATS research program.
 *
 * This software was enhanced by SPARTA ISSO under SPAWAR contract
 * N66001-04-C-6019 ("SEFOS").
 *
 * This software was developed at the University of Cambridge Computer
 * Laboratory with support from a grant from Google, Inc.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */
408b099b73SRobert Watson
418b099b73SRobert Watson #include <sys/cdefs.h>
428b099b73SRobert Watson #include "opt_mac.h"
438b099b73SRobert Watson
448b099b73SRobert Watson #include <sys/param.h>
458b099b73SRobert Watson #include <sys/kernel.h>
468b099b73SRobert Watson #include <sys/lock.h>
478b099b73SRobert Watson #include <sys/malloc.h>
488b099b73SRobert Watson #include <sys/mutex.h>
498b099b73SRobert Watson #include <sys/sbuf.h>
502087a58cSRobert Watson #include <sys/sdt.h>
518b099b73SRobert Watson #include <sys/systm.h>
528b099b73SRobert Watson #include <sys/vnode.h>
538b099b73SRobert Watson #include <sys/mount.h>
548b099b73SRobert Watson #include <sys/file.h>
558b099b73SRobert Watson #include <sys/namei.h>
568b099b73SRobert Watson #include <sys/sysctl.h>
578b099b73SRobert Watson #include <sys/msg.h>
588b099b73SRobert Watson
59aed55708SRobert Watson #include <security/mac/mac_framework.h>
608b099b73SRobert Watson #include <security/mac/mac_internal.h>
610efd6615SRobert Watson #include <security/mac/mac_policy.h>
628b099b73SRobert Watson
/*
 * Allocate a fresh MAC label for a System V message and let every loaded
 * policy initialize its slot in it (sysvmsg_init_label entry point).
 *
 * The zone allocation uses M_WAITOK, so this may sleep; callers must not
 * hold a lock that forbids sleeping.  Ownership of the returned label passes
 * to the caller, who releases it via mac_sysv_msgmsg_label_free().
 */
static struct label *
mac_sysv_msgmsg_label_alloc(void)
{
	struct label *new_label = mac_labelzone_alloc(M_WAITOK);

	MAC_POLICY_PERFORM(sysvmsg_init_label, new_label);
	return (new_label);
}
728b099b73SRobert Watson
/*
 * Attach a MAC label to a newly created System V message.
 *
 * A label is only allocated when the MPC_OBJECT_SYSVMSG bit is set in
 * mac_labeled (presumably: some loaded policy asked for labels on this
 * object class); otherwise msgptr->label is explicitly NULL.  Every
 * consumer of msgptr->label in this file therefore has to tolerate NULL,
 * and mac_sysvmsg_destroy() relies on it to know whether anything was
 * allocated.  May sleep (see mac_sysv_msgmsg_label_alloc()).
 */
void
mac_sysvmsg_init(struct msg *msgptr)
{

	msgptr->label = (mac_labeled & MPC_OBJECT_SYSVMSG) ?
	    mac_sysv_msgmsg_label_alloc() : NULL;
}
828b099b73SRobert Watson
/*
 * Allocate a fresh MAC label for a System V message queue and run each
 * loaded policy's sysvmsq_init_label entry point on it.
 *
 * Uses M_WAITOK and may sleep.  The caller owns the returned label and
 * frees it with mac_sysv_msgqueue_label_free().
 */
static struct label *
mac_sysv_msgqueue_label_alloc(void)
{
	struct label *new_label = mac_labelzone_alloc(M_WAITOK);

	MAC_POLICY_PERFORM(sysvmsq_init_label, new_label);
	return (new_label);
}
928b099b73SRobert Watson
/*
 * Attach a MAC label to a newly created System V message queue.
 *
 * Mirrors mac_sysvmsg_init(): the label is allocated only when the
 * MPC_OBJECT_SYSVMSQ bit of mac_labeled is set, and is otherwise left as
 * an explicit NULL so later hooks and mac_sysvmsq_destroy() can tell that
 * no label exists.  May sleep.
 */
void
mac_sysvmsq_init(struct msqid_kernel *msqkptr)
{

	msqkptr->label = (mac_labeled & MPC_OBJECT_SYSVMSQ) ?
	    mac_sysv_msgqueue_label_alloc() : NULL;
}
1028b099b73SRobert Watson
/*
 * Tear down a System V message label: give every policy a chance to release
 * its per-label state (sysvmsg_destroy_label, non-sleeping variant) and then
 * return the label to the zone.  Order matters: policy state must be
 * released before the backing storage goes away.  label must be non-NULL;
 * callers (mac_sysvmsg_destroy()) check that.
 */
static void
mac_sysv_msgmsg_label_free(struct label *label)
{

	MAC_POLICY_PERFORM_NOSLEEP(sysvmsg_destroy_label, label);
	mac_labelzone_free(label);
}
1108b099b73SRobert Watson
/*
 * Release the MAC label of a System V message being destroyed.
 *
 * A NULL label (no policy labels this class, see mac_sysvmsg_init()) is a
 * no-op.  After freeing, the pointer is cleared so that a second destroy or
 * a stale hook invocation cannot double-free or touch released memory.
 * Does not sleep.
 */
void
mac_sysvmsg_destroy(struct msg *msgptr)
{

	if (msgptr->label == NULL)
		return;
	mac_sysv_msgmsg_label_free(msgptr->label);
	msgptr->label = NULL;
}
1208b099b73SRobert Watson
/*
 * Tear down a System V message queue label: run each policy's
 * sysvmsq_destroy_label entry point (non-sleeping), then free the label
 * storage.  label must be non-NULL; mac_sysvmsq_destroy() guarantees that.
 */
static void
mac_sysv_msgqueue_label_free(struct label *label)
{

	MAC_POLICY_PERFORM_NOSLEEP(sysvmsq_destroy_label, label);
	mac_labelzone_free(label);
}
1288b099b73SRobert Watson
/*
 * Release the MAC label of a System V message queue being destroyed.
 *
 * Mirrors mac_sysvmsg_destroy(): NULL means nothing was allocated, and the
 * pointer is cleared after the free so the operation is idempotent and no
 * dangling label pointer survives in the queue structure.  Does not sleep.
 */
void
mac_sysvmsq_destroy(struct msqid_kernel *msqkptr)
{

	if (msqkptr->label == NULL)
		return;
	mac_sysv_msgqueue_label_free(msqkptr->label);
	msqkptr->label = NULL;
}
1388b099b73SRobert Watson
/*
 * Notify every policy that cred has created message msgptr on queue
 * msqkptr, passing both objects with their labels so the policy can derive
 * the message label from the creator and/or the queue.  Either label may
 * be NULL when no policy labels that object class (see the *_init()
 * functions above); policy entry points must cope with that.  Runs the
 * non-sleeping variant, so it is safe under the caller's locks.
 */
void
mac_sysvmsg_create(struct ucred *cred, struct msqid_kernel *msqkptr,
    struct msg *msgptr)
{

	MAC_POLICY_PERFORM_NOSLEEP(sysvmsg_create, cred, msqkptr,
	    msqkptr->label, msgptr, msgptr->label);
}
1478b099b73SRobert Watson
/*
 * Notify every policy that cred has created message queue msqkptr so the
 * policy can initialize the queue's label from the creating credential.
 * msqkptr->label may be NULL (see mac_sysvmsq_init()).  Non-sleeping.
 */
void
mac_sysvmsq_create(struct ucred *cred, struct msqid_kernel *msqkptr)
{

	MAC_POLICY_PERFORM_NOSLEEP(sysvmsq_create, cred, msqkptr,
	    msqkptr->label);
}
1558b099b73SRobert Watson
/*
 * Run each policy's sysvmsg_cleanup entry point on the message's label.
 * Unlike mac_sysvmsg_destroy() the label itself is kept, presumably so the
 * message structure can be reused with a reset label; confirm against the
 * SysV IPC caller.  Non-sleeping.
 */
void
mac_sysvmsg_cleanup(struct msg *msgptr)
{

	MAC_POLICY_PERFORM_NOSLEEP(sysvmsg_cleanup, msgptr->label);
}
1628b099b73SRobert Watson
/*
 * Run each policy's sysvmsq_cleanup entry point on the queue's label.
 * The label is retained (contrast mac_sysvmsq_destroy()), presumably so
 * the queue slot can be reused; confirm against the SysV IPC caller.
 * Non-sleeping.
 */
void
mac_sysvmsq_cleanup(struct msqid_kernel *msqkptr)
{

	MAC_POLICY_PERFORM_NOSLEEP(sysvmsq_cleanup, msqkptr->label);
}
1698b099b73SRobert Watson
/* SDT probe fired with the result of every mac_sysvmsq_check_msgmsq() call. */
MAC_CHECK_PROBE_DEFINE3(sysvmsq_check_msgmsq, "struct ucred *",
    "struct msg *", "struct msqid_kernel *");

/*
 * Ask every loaded policy whether cred may place message msgptr on queue
 * msqkptr.
 *
 * error is never assigned in the visible body: the MAC_POLICY_CHECK_NOSLEEP
 * expansion stores the result of the policies' checks into it (presumably
 * composed across policies; 0 permits, an errno value denies).  Both labels
 * may be NULL when no policy labels that object class.  The probe below
 * records the verdict, which is the place to observe denials.
 *
 * Returns 0 on success or an errno value if access is denied.
 */
int
mac_sysvmsq_check_msgmsq(struct ucred *cred, struct msg *msgptr,
    struct msqid_kernel *msqkptr)
{
	int error;

	MAC_POLICY_CHECK_NOSLEEP(sysvmsq_check_msgmsq, cred, msgptr,
	    msgptr->label, msqkptr, msqkptr->label);
	MAC_CHECK_PROBE3(sysvmsq_check_msgmsq, error, cred, msgptr, msqkptr);

	return (error);
}
1858b099b73SRobert Watson
/* SDT probe fired with the result of every mac_sysvmsq_check_msgrcv() call. */
MAC_CHECK_PROBE_DEFINE2(sysvmsq_check_msgrcv, "struct ucred *",
    "struct msg *");

/*
 * Ask every loaded policy whether cred may receive message msgptr.
 *
 * error is set by the MAC_POLICY_CHECK_NOSLEEP expansion, not by any
 * visible statement.  msgptr->label may be NULL when no policy labels
 * messages.  Returns 0 to permit, otherwise an errno value.
 */
int
mac_sysvmsq_check_msgrcv(struct ucred *cred, struct msg *msgptr)
{
	int error;

	MAC_POLICY_CHECK_NOSLEEP(sysvmsq_check_msgrcv, cred, msgptr,
	    msgptr->label);
	MAC_CHECK_PROBE2(sysvmsq_check_msgrcv, error, cred, msgptr);

	return (error);
}
2008b099b73SRobert Watson
/* SDT probe fired with the result of every mac_sysvmsq_check_msgrmid() call. */
MAC_CHECK_PROBE_DEFINE2(sysvmsq_check_msgrmid, "struct ucred *",
    "struct msg *");

/*
 * Ask every loaded policy whether cred may remove message msgptr (the
 * per-message check performed when a queue is torn down).
 *
 * error is set by the MAC_POLICY_CHECK_NOSLEEP expansion.  msgptr->label
 * may be NULL.  Returns 0 to permit, otherwise an errno value.
 */
int
mac_sysvmsq_check_msgrmid(struct ucred *cred, struct msg *msgptr)
{
	int error;

	MAC_POLICY_CHECK_NOSLEEP(sysvmsq_check_msgrmid, cred, msgptr,
	    msgptr->label);
	MAC_CHECK_PROBE2(sysvmsq_check_msgrmid, error, cred, msgptr);

	return (error);
}
2158b099b73SRobert Watson
/* SDT probe fired with the result of every mac_sysvmsq_check_msqget() call. */
MAC_CHECK_PROBE_DEFINE2(sysvmsq_check_msqget, "struct ucred *",
    "struct msqid_kernel *");

/*
 * Ask every loaded policy whether cred may obtain (msgget) the existing
 * queue msqkptr.
 *
 * error is set by the MAC_POLICY_CHECK_NOSLEEP expansion.  msqkptr->label
 * may be NULL.  Returns 0 to permit, otherwise an errno value.
 */
int
mac_sysvmsq_check_msqget(struct ucred *cred, struct msqid_kernel *msqkptr)
{
	int error;

	MAC_POLICY_CHECK_NOSLEEP(sysvmsq_check_msqget, cred, msqkptr,
	    msqkptr->label);
	MAC_CHECK_PROBE2(sysvmsq_check_msqget, error, cred, msqkptr);

	return (error);
}
2308b099b73SRobert Watson
/* SDT probe fired with the result of every mac_sysvmsq_check_msqsnd() call. */
MAC_CHECK_PROBE_DEFINE2(sysvmsq_check_msqsnd, "struct ucred *",
    "struct msqid_kernel *");

/*
 * Ask every loaded policy whether cred may send (msgsnd) to queue msqkptr.
 * This is the queue-level check; the per-message check is
 * mac_sysvmsq_check_msgmsq().
 *
 * error is set by the MAC_POLICY_CHECK_NOSLEEP expansion.  msqkptr->label
 * may be NULL.  Returns 0 to permit, otherwise an errno value.
 */
int
mac_sysvmsq_check_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr)
{
	int error;

	MAC_POLICY_CHECK_NOSLEEP(sysvmsq_check_msqsnd, cred, msqkptr,
	    msqkptr->label);
	MAC_CHECK_PROBE2(sysvmsq_check_msqsnd, error, cred, msqkptr);

	return (error);
}
2458b099b73SRobert Watson
/* SDT probe fired with the result of every mac_sysvmsq_check_msqrcv() call. */
MAC_CHECK_PROBE_DEFINE2(sysvmsq_check_msqrcv, "struct ucred *",
    "struct msqid_kernel *");

/*
 * Ask every loaded policy whether cred may receive (msgrcv) from queue
 * msqkptr.  This is the queue-level check; the per-message check is
 * mac_sysvmsq_check_msgrcv().
 *
 * error is set by the MAC_POLICY_CHECK_NOSLEEP expansion.  msqkptr->label
 * may be NULL.  Returns 0 to permit, otherwise an errno value.
 */
int
mac_sysvmsq_check_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr)
{
	int error;

	MAC_POLICY_CHECK_NOSLEEP(sysvmsq_check_msqrcv, cred, msqkptr,
	    msqkptr->label);
	MAC_CHECK_PROBE2(sysvmsq_check_msqrcv, error, cred, msqkptr);

	return (error);
}
2608b099b73SRobert Watson
/* SDT probe fired with the result of every mac_sysvmsq_check_msqctl() call. */
MAC_CHECK_PROBE_DEFINE3(sysvmsq_check_msqctl, "struct ucred *",
    "struct msqid_kernel *", "int");

/*
 * Ask every loaded policy whether cred may perform msgctl command cmd on
 * queue msqkptr.  cmd is passed through to the policies untouched, so it
 * is the policy's job to distinguish read-only queries from state-changing
 * commands; nothing here validates it.
 *
 * error is set by the MAC_POLICY_CHECK_NOSLEEP expansion.  msqkptr->label
 * may be NULL.  Returns 0 to permit, otherwise an errno value.
 */
int
mac_sysvmsq_check_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr,
    int cmd)
{
	int error;

	MAC_POLICY_CHECK_NOSLEEP(sysvmsq_check_msqctl, cred, msqkptr,
	    msqkptr->label, cmd);
	MAC_CHECK_PROBE3(sysvmsq_check_msqctl, error, cred, msqkptr, cmd);

	return (error);
}
276