1 /*- 2 * Copyright (c) 1999-2002 Robert N. M. Watson 3 * Copyright (c) 2001-2005 McAfee, Inc. 4 * All rights reserved. 5 * 6 * This software was developed by Robert Watson for the TrustedBSD Project. 7 * 8 * This software was developed for the FreeBSD Project in part by McAfee 9 * Research, the Security Research Division of McAfee, Inc. under 10 * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA 11 * CHATS research program. 12 * 13 * Redistribution and use in source and binary forms, with or without 14 * modification, are permitted provided that the following conditions 15 * are met: 16 * 1. Redistributions of source code must retain the above copyright 17 * notice, this list of conditions and the following disclaimer. 18 * 2. Redistributions in binary form must reproduce the above copyright 19 * notice, this list of conditions and the following disclaimer in the 20 * documentation and/or other materials provided with the distribution. 21 * 22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 25 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 32 * SUCH DAMAGE. 33 * 34 * $FreeBSD$ 35 */ 36 37 /* 38 * Developed by the TrustedBSD Project. 39 * Biba fixed label mandatory integrity policy. 40 */ 41 42 #include <sys/types.h> 43 #include <sys/param.h> 44 #include <sys/acl.h> 45 #include <sys/conf.h> 46 #include <sys/extattr.h> 47 #include <sys/kernel.h> 48 #include <sys/mac.h> 49 #include <sys/malloc.h> 50 #include <sys/mman.h> 51 #include <sys/mount.h> 52 #include <sys/proc.h> 53 #include <sys/sbuf.h> 54 #include <sys/systm.h> 55 #include <sys/sysproto.h> 56 #include <sys/sysent.h> 57 #include <sys/systm.h> 58 #include <sys/vnode.h> 59 #include <sys/file.h> 60 #include <sys/socket.h> 61 #include <sys/socketvar.h> 62 #include <sys/pipe.h> 63 #include <sys/sx.h> 64 #include <sys/sysctl.h> 65 #include <sys/msg.h> 66 #include <sys/sem.h> 67 #include <sys/shm.h> 68 69 #include <posix4/ksem.h> 70 71 #include <fs/devfs/devfs.h> 72 73 #include <net/bpfdesc.h> 74 #include <net/if.h> 75 #include <net/if_types.h> 76 #include <net/if_var.h> 77 78 #include <netinet/in.h> 79 #include <netinet/in_pcb.h> 80 #include <netinet/ip_var.h> 81 82 #include <vm/uma.h> 83 #include <vm/vm.h> 84 85 #include <sys/mac_policy.h> 86 87 #include <security/mac_biba/mac_biba.h> 88 89 SYSCTL_DECL(_security_mac); 90 91 SYSCTL_NODE(_security_mac, OID_AUTO, biba, CTLFLAG_RW, 0, 92 "TrustedBSD mac_biba policy controls"); 93 94 static int mac_biba_label_size = sizeof(struct mac_biba); 95 SYSCTL_INT(_security_mac_biba, OID_AUTO, label_size, CTLFLAG_RD, 96 &mac_biba_label_size, 0, "Size of struct mac_biba"); 97 98 static int mac_biba_enabled = 1; 99 SYSCTL_INT(_security_mac_biba, OID_AUTO, enabled, CTLFLAG_RW, 100 &mac_biba_enabled, 0, "Enforce MAC/Biba policy"); 101 TUNABLE_INT("security.mac.biba.enabled", &mac_biba_enabled); 102 103 static int destroyed_not_inited; 104 SYSCTL_INT(_security_mac_biba, OID_AUTO, destroyed_not_inited, CTLFLAG_RD, 105 &destroyed_not_inited, 0, "Count of labels destroyed but not inited"); 106 107 static int trust_all_interfaces = 0; 108 SYSCTL_INT(_security_mac_biba, OID_AUTO, trust_all_interfaces, CTLFLAG_RD, 109 &trust_all_interfaces, 0, "Consider all interfaces 'trusted' by MAC/Biba"); 110 TUNABLE_INT("security.mac.biba.trust_all_interfaces", &trust_all_interfaces); 111 112 static char trusted_interfaces[128]; 113 SYSCTL_STRING(_security_mac_biba, OID_AUTO, trusted_interfaces, CTLFLAG_RD, 114 trusted_interfaces, 0, "Interfaces considered 'trusted' by MAC/Biba"); 115 TUNABLE_STR("security.mac.biba.trusted_interfaces", trusted_interfaces, 116 sizeof(trusted_interfaces)); 117 118 static int max_compartments = MAC_BIBA_MAX_COMPARTMENTS; 119 SYSCTL_INT(_security_mac_biba, OID_AUTO, max_compartments, CTLFLAG_RD, 120 &max_compartments, 0, "Maximum supported compartments"); 121 122 static int ptys_equal = 0; 123 SYSCTL_INT(_security_mac_biba, OID_AUTO, ptys_equal, CTLFLAG_RW, 124 &ptys_equal, 0, "Label pty devices as biba/equal on create"); 125 TUNABLE_INT("security.mac.biba.ptys_equal", &ptys_equal); 126 127 static int interfaces_equal; 128 SYSCTL_INT(_security_mac_biba, OID_AUTO, interfaces_equal, CTLFLAG_RW, 129 &interfaces_equal, 0, "Label network interfaces as biba/equal on create"); 130 TUNABLE_INT("security.mac.biba.interfaces_equal", &interfaces_equal); 131 132 static int revocation_enabled = 0; 133 SYSCTL_INT(_security_mac_biba, OID_AUTO, revocation_enabled, CTLFLAG_RW, 134 &revocation_enabled, 0, "Revoke access to objects on relabel"); 135 TUNABLE_INT("security.mac.biba.revocation_enabled", &revocation_enabled); 136 137 static int mac_biba_slot; 138 #define SLOT(l) ((struct mac_biba *)LABEL_TO_SLOT((l), mac_biba_slot).l_ptr) 139 #define SLOT_SET(l, val) (LABEL_TO_SLOT((l), mac_biba_slot).l_ptr = (val)) 140 141 static uma_zone_t zone_biba; 142 143 static __inline int 144 biba_bit_set_empty(u_char *set) { 145 int i; 146 147 for (i = 0; i < MAC_BIBA_MAX_COMPARTMENTS >> 3; i++) 148 if (set[i] != 0) 149 return (0); 150 return (1); 151 } 152 153 static struct mac_biba * 154 biba_alloc(int flag) 155 { 156 157 return (uma_zalloc(zone_biba, flag | M_ZERO)); 158 } 159 160 static void 161 biba_free(struct mac_biba *mac_biba) 162 { 163 164 if (mac_biba != NULL) 165 uma_zfree(zone_biba, mac_biba); 166 else 167 atomic_add_int(&destroyed_not_inited, 1); 168 } 169 170 static int 171 biba_atmostflags(struct mac_biba *mac_biba, int flags) 172 { 173 174 if ((mac_biba->mb_flags & flags) != mac_biba->mb_flags) 175 return (EINVAL); 176 return (0); 177 } 178 179 static int 180 mac_biba_dominate_element(struct mac_biba_element *a, 181 struct mac_biba_element *b) 182 { 183 int bit; 184 185 switch (a->mbe_type) { 186 case MAC_BIBA_TYPE_EQUAL: 187 case MAC_BIBA_TYPE_HIGH: 188 return (1); 189 190 case MAC_BIBA_TYPE_LOW: 191 switch (b->mbe_type) { 192 case MAC_BIBA_TYPE_GRADE: 193 case MAC_BIBA_TYPE_HIGH: 194 return (0); 195 196 case MAC_BIBA_TYPE_EQUAL: 197 case MAC_BIBA_TYPE_LOW: 198 return (1); 199 200 default: 201 panic("mac_biba_dominate_element: b->mbe_type invalid"); 202 } 203 204 case MAC_BIBA_TYPE_GRADE: 205 switch (b->mbe_type) { 206 case MAC_BIBA_TYPE_EQUAL: 207 case MAC_BIBA_TYPE_LOW: 208 return (1); 209 210 case MAC_BIBA_TYPE_HIGH: 211 return (0); 212 213 case MAC_BIBA_TYPE_GRADE: 214 for (bit = 1; bit <= MAC_BIBA_MAX_COMPARTMENTS; bit++) 215 if (!MAC_BIBA_BIT_TEST(bit, 216 a->mbe_compartments) && 217 MAC_BIBA_BIT_TEST(bit, b->mbe_compartments)) 218 return (0); 219 return (a->mbe_grade >= b->mbe_grade); 220 221 default: 222 panic("mac_biba_dominate_element: b->mbe_type invalid"); 223 } 224 225 default: 226 panic("mac_biba_dominate_element: a->mbe_type invalid"); 227 } 228 229 return (0); 230 } 231 232 static int 233 mac_biba_subject_dominate_high(struct mac_biba *mac_biba) 234 { 235 struct mac_biba_element *element; 236 237 KASSERT((mac_biba->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) != 0, 238 ("mac_biba_effective_in_range: mac_biba not effective")); 239 element = &mac_biba->mb_effective; 240 241 return (element->mbe_type == MAC_BIBA_TYPE_EQUAL || 242 element->mbe_type == MAC_BIBA_TYPE_HIGH); 243 } 244 245 static int 246 mac_biba_range_in_range(struct mac_biba *rangea, struct mac_biba *rangeb) 247 { 248 249 return (mac_biba_dominate_element(&rangeb->mb_rangehigh, 250 &rangea->mb_rangehigh) && 251 mac_biba_dominate_element(&rangea->mb_rangelow, 252 &rangeb->mb_rangelow)); 253 } 254 255 static int 256 mac_biba_effective_in_range(struct mac_biba *effective, 257 struct mac_biba *range) 258 { 259 260 KASSERT((effective->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) != 0, 261 ("mac_biba_effective_in_range: a not effective")); 262 KASSERT((range->mb_flags & MAC_BIBA_FLAG_RANGE) != 0, 263 ("mac_biba_effective_in_range: b not range")); 264 265 return (mac_biba_dominate_element(&range->mb_rangehigh, 266 &effective->mb_effective) && 267 mac_biba_dominate_element(&effective->mb_effective, 268 &range->mb_rangelow)); 269 270 return (1); 271 } 272 273 static int 274 mac_biba_dominate_effective(struct mac_biba *a, struct mac_biba *b) 275 { 276 KASSERT((a->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) != 0, 277 ("mac_biba_dominate_effective: a not effective")); 278 KASSERT((b->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) != 0, 279 ("mac_biba_dominate_effective: b not effective")); 280 281 return (mac_biba_dominate_element(&a->mb_effective, &b->mb_effective)); 282 } 283 284 static int 285 mac_biba_equal_element(struct mac_biba_element *a, struct mac_biba_element *b) 286 { 287 288 if (a->mbe_type == MAC_BIBA_TYPE_EQUAL || 289 b->mbe_type == MAC_BIBA_TYPE_EQUAL) 290 return (1); 291 292 return (a->mbe_type == b->mbe_type && a->mbe_grade == b->mbe_grade); 293 } 294 295 static int 296 mac_biba_equal_effective(struct mac_biba *a, struct mac_biba *b) 297 { 298 299 KASSERT((a->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) != 0, 300 ("mac_biba_equal_effective: a not effective")); 301 KASSERT((b->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) != 0, 302 ("mac_biba_equal_effective: b not effective")); 303 304 return (mac_biba_equal_element(&a->mb_effective, &b->mb_effective)); 305 } 306 307 static int 308 mac_biba_contains_equal(struct mac_biba *mac_biba) 309 { 310 311 if (mac_biba->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) 312 if (mac_biba->mb_effective.mbe_type == MAC_BIBA_TYPE_EQUAL) 313 return (1); 314 315 if (mac_biba->mb_flags & MAC_BIBA_FLAG_RANGE) { 316 if (mac_biba->mb_rangelow.mbe_type == MAC_BIBA_TYPE_EQUAL) 317 return (1); 318 if (mac_biba->mb_rangehigh.mbe_type == MAC_BIBA_TYPE_EQUAL) 319 return (1); 320 } 321 322 return (0); 323 } 324 325 static int 326 mac_biba_subject_privileged(struct mac_biba *mac_biba) 327 { 328 329 KASSERT((mac_biba->mb_flags & MAC_BIBA_FLAGS_BOTH) == 330 MAC_BIBA_FLAGS_BOTH, 331 ("mac_biba_subject_privileged: subject doesn't have both labels")); 332 333 /* If the effective is EQUAL, it's ok. */ 334 if (mac_biba->mb_effective.mbe_type == MAC_BIBA_TYPE_EQUAL) 335 return (0); 336 337 /* If either range endpoint is EQUAL, it's ok. */ 338 if (mac_biba->mb_rangelow.mbe_type == MAC_BIBA_TYPE_EQUAL || 339 mac_biba->mb_rangehigh.mbe_type == MAC_BIBA_TYPE_EQUAL) 340 return (0); 341 342 /* If the range is low-high, it's ok. */ 343 if (mac_biba->mb_rangelow.mbe_type == MAC_BIBA_TYPE_LOW && 344 mac_biba->mb_rangehigh.mbe_type == MAC_BIBA_TYPE_HIGH) 345 return (0); 346 347 /* It's not ok. */ 348 return (EPERM); 349 } 350 351 static int 352 mac_biba_high_effective(struct mac_biba *mac_biba) 353 { 354 355 KASSERT((mac_biba->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) != 0, 356 ("mac_biba_equal_effective: mac_biba not effective")); 357 358 return (mac_biba->mb_effective.mbe_type == MAC_BIBA_TYPE_HIGH); 359 } 360 361 static int 362 mac_biba_valid(struct mac_biba *mac_biba) 363 { 364 365 if (mac_biba->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) { 366 switch (mac_biba->mb_effective.mbe_type) { 367 case MAC_BIBA_TYPE_GRADE: 368 break; 369 370 case MAC_BIBA_TYPE_EQUAL: 371 case MAC_BIBA_TYPE_HIGH: 372 case MAC_BIBA_TYPE_LOW: 373 if (mac_biba->mb_effective.mbe_grade != 0 || 374 !MAC_BIBA_BIT_SET_EMPTY( 375 mac_biba->mb_effective.mbe_compartments)) 376 return (EINVAL); 377 break; 378 379 default: 380 return (EINVAL); 381 } 382 } else { 383 if (mac_biba->mb_effective.mbe_type != MAC_BIBA_TYPE_UNDEF) 384 return (EINVAL); 385 } 386 387 if (mac_biba->mb_flags & MAC_BIBA_FLAG_RANGE) { 388 switch (mac_biba->mb_rangelow.mbe_type) { 389 case MAC_BIBA_TYPE_GRADE: 390 break; 391 392 case MAC_BIBA_TYPE_EQUAL: 393 case MAC_BIBA_TYPE_HIGH: 394 case MAC_BIBA_TYPE_LOW: 395 if (mac_biba->mb_rangelow.mbe_grade != 0 || 396 !MAC_BIBA_BIT_SET_EMPTY( 397 mac_biba->mb_rangelow.mbe_compartments)) 398 return (EINVAL); 399 break; 400 401 default: 402 return (EINVAL); 403 } 404 405 switch (mac_biba->mb_rangehigh.mbe_type) { 406 case MAC_BIBA_TYPE_GRADE: 407 break; 408 409 case MAC_BIBA_TYPE_EQUAL: 410 case MAC_BIBA_TYPE_HIGH: 411 case MAC_BIBA_TYPE_LOW: 412 if (mac_biba->mb_rangehigh.mbe_grade != 0 || 413 !MAC_BIBA_BIT_SET_EMPTY( 414 mac_biba->mb_rangehigh.mbe_compartments)) 415 return (EINVAL); 416 break; 417 418 default: 419 return (EINVAL); 420 } 421 if (!mac_biba_dominate_element(&mac_biba->mb_rangehigh, 422 &mac_biba->mb_rangelow)) 423 return (EINVAL); 424 } else { 425 if (mac_biba->mb_rangelow.mbe_type != MAC_BIBA_TYPE_UNDEF || 426 mac_biba->mb_rangehigh.mbe_type != MAC_BIBA_TYPE_UNDEF) 427 return (EINVAL); 428 } 429 430 return (0); 431 } 432 433 static void 434 mac_biba_set_range(struct mac_biba *mac_biba, u_short typelow, 435 u_short gradelow, u_char *compartmentslow, u_short typehigh, 436 u_short gradehigh, u_char *compartmentshigh) 437 { 438 439 mac_biba->mb_rangelow.mbe_type = typelow; 440 mac_biba->mb_rangelow.mbe_grade = gradelow; 441 if (compartmentslow != NULL) 442 memcpy(mac_biba->mb_rangelow.mbe_compartments, 443 compartmentslow, 444 sizeof(mac_biba->mb_rangelow.mbe_compartments)); 445 mac_biba->mb_rangehigh.mbe_type = typehigh; 446 mac_biba->mb_rangehigh.mbe_grade = gradehigh; 447 if (compartmentshigh != NULL) 448 memcpy(mac_biba->mb_rangehigh.mbe_compartments, 449 compartmentshigh, 450 sizeof(mac_biba->mb_rangehigh.mbe_compartments)); 451 mac_biba->mb_flags |= MAC_BIBA_FLAG_RANGE; 452 } 453 454 static void 455 mac_biba_set_effective(struct mac_biba *mac_biba, u_short type, u_short grade, 456 u_char *compartments) 457 { 458 459 mac_biba->mb_effective.mbe_type = type; 460 mac_biba->mb_effective.mbe_grade = grade; 461 if (compartments != NULL) 462 memcpy(mac_biba->mb_effective.mbe_compartments, compartments, 463 sizeof(mac_biba->mb_effective.mbe_compartments)); 464 mac_biba->mb_flags |= MAC_BIBA_FLAG_EFFECTIVE; 465 } 466 467 static void 468 mac_biba_copy_range(struct mac_biba *labelfrom, struct mac_biba *labelto) 469 { 470 471 KASSERT((labelfrom->mb_flags & MAC_BIBA_FLAG_RANGE) != 0, 472 ("mac_biba_copy_range: labelfrom not range")); 473 474 labelto->mb_rangelow = labelfrom->mb_rangelow; 475 labelto->mb_rangehigh = labelfrom->mb_rangehigh; 476 labelto->mb_flags |= MAC_BIBA_FLAG_RANGE; 477 } 478 479 static void 480 mac_biba_copy_effective(struct mac_biba *labelfrom, struct mac_biba *labelto) 481 { 482 483 KASSERT((labelfrom->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) != 0, 484 ("mac_biba_copy_effective: labelfrom not effective")); 485 486 labelto->mb_effective = labelfrom->mb_effective; 487 labelto->mb_flags |= MAC_BIBA_FLAG_EFFECTIVE; 488 } 489 490 static void 491 mac_biba_copy(struct mac_biba *source, struct mac_biba *dest) 492 { 493 494 if (source->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) 495 mac_biba_copy_effective(source, dest); 496 if (source->mb_flags & MAC_BIBA_FLAG_RANGE) 497 mac_biba_copy_range(source, dest); 498 } 499 500 /* 501 * Policy module operations. 502 */ 503 static void 504 mac_biba_init(struct mac_policy_conf *conf) 505 { 506 507 zone_biba = uma_zcreate("mac_biba", sizeof(struct mac_biba), NULL, 508 NULL, NULL, NULL, UMA_ALIGN_PTR, 0); 509 } 510 511 /* 512 * Label operations. 513 */ 514 static void 515 mac_biba_init_label(struct label *label) 516 { 517 518 SLOT_SET(label, biba_alloc(M_WAITOK)); 519 } 520 521 static int 522 mac_biba_init_label_waitcheck(struct label *label, int flag) 523 { 524 525 SLOT_SET(label, biba_alloc(flag)); 526 if (SLOT(label) == NULL) 527 return (ENOMEM); 528 529 return (0); 530 } 531 532 static void 533 mac_biba_destroy_label(struct label *label) 534 { 535 536 biba_free(SLOT(label)); 537 SLOT_SET(label, NULL); 538 } 539 540 /* 541 * mac_biba_element_to_string() accepts an sbuf and Biba element. It 542 * converts the Biba element to a string and stores the result in the 543 * sbuf; if there isn't space in the sbuf, -1 is returned. 544 */ 545 static int 546 mac_biba_element_to_string(struct sbuf *sb, struct mac_biba_element *element) 547 { 548 int i, first; 549 550 switch (element->mbe_type) { 551 case MAC_BIBA_TYPE_HIGH: 552 return (sbuf_printf(sb, "high")); 553 554 case MAC_BIBA_TYPE_LOW: 555 return (sbuf_printf(sb, "low")); 556 557 case MAC_BIBA_TYPE_EQUAL: 558 return (sbuf_printf(sb, "equal")); 559 560 case MAC_BIBA_TYPE_GRADE: 561 if (sbuf_printf(sb, "%d", element->mbe_grade) == -1) 562 return (-1); 563 564 first = 1; 565 for (i = 1; i <= MAC_BIBA_MAX_COMPARTMENTS; i++) { 566 if (MAC_BIBA_BIT_TEST(i, element->mbe_compartments)) { 567 if (first) { 568 if (sbuf_putc(sb, ':') == -1) 569 return (-1); 570 if (sbuf_printf(sb, "%d", i) == -1) 571 return (-1); 572 first = 0; 573 } else { 574 if (sbuf_printf(sb, "+%d", i) == -1) 575 return (-1); 576 } 577 } 578 } 579 return (0); 580 581 default: 582 panic("mac_biba_element_to_string: invalid type (%d)", 583 element->mbe_type); 584 } 585 } 586 587 /* 588 * mac_biba_to_string() converts a Biba label to a string, and places 589 * the results in the passed sbuf. It returns 0 on success, or EINVAL 590 * if there isn't room in the sbuf. Note: the sbuf will be modified 591 * even in a failure case, so the caller may need to revert the sbuf 592 * by restoring the offset if that's undesired. 593 */ 594 static int 595 mac_biba_to_string(struct sbuf *sb, struct mac_biba *mac_biba) 596 { 597 598 if (mac_biba->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) { 599 if (mac_biba_element_to_string(sb, &mac_biba->mb_effective) 600 == -1) 601 return (EINVAL); 602 } 603 604 if (mac_biba->mb_flags & MAC_BIBA_FLAG_RANGE) { 605 if (sbuf_putc(sb, '(') == -1) 606 return (EINVAL); 607 608 if (mac_biba_element_to_string(sb, &mac_biba->mb_rangelow) 609 == -1) 610 return (EINVAL); 611 612 if (sbuf_putc(sb, '-') == -1) 613 return (EINVAL); 614 615 if (mac_biba_element_to_string(sb, &mac_biba->mb_rangehigh) 616 == -1) 617 return (EINVAL); 618 619 if (sbuf_putc(sb, ')') == -1) 620 return (EINVAL); 621 } 622 623 return (0); 624 } 625 626 static int 627 mac_biba_externalize_label(struct label *label, char *element_name, 628 struct sbuf *sb, int *claimed) 629 { 630 struct mac_biba *mac_biba; 631 632 if (strcmp(MAC_BIBA_LABEL_NAME, element_name) != 0) 633 return (0); 634 635 (*claimed)++; 636 637 mac_biba = SLOT(label); 638 return (mac_biba_to_string(sb, mac_biba)); 639 } 640 641 static int 642 mac_biba_parse_element(struct mac_biba_element *element, char *string) 643 { 644 char *compartment, *end, *grade; 645 int value; 646 647 if (strcmp(string, "high") == 0 || 648 strcmp(string, "hi") == 0) { 649 element->mbe_type = MAC_BIBA_TYPE_HIGH; 650 element->mbe_grade = MAC_BIBA_TYPE_UNDEF; 651 } else if (strcmp(string, "low") == 0 || 652 strcmp(string, "lo") == 0) { 653 element->mbe_type = MAC_BIBA_TYPE_LOW; 654 element->mbe_grade = MAC_BIBA_TYPE_UNDEF; 655 } else if (strcmp(string, "equal") == 0 || 656 strcmp(string, "eq") == 0) { 657 element->mbe_type = MAC_BIBA_TYPE_EQUAL; 658 element->mbe_grade = MAC_BIBA_TYPE_UNDEF; 659 } else { 660 element->mbe_type = MAC_BIBA_TYPE_GRADE; 661 662 /* 663 * Numeric grade piece of the element. 664 */ 665 grade = strsep(&string, ":"); 666 value = strtol(grade, &end, 10); 667 if (end == grade || *end != '\0') 668 return (EINVAL); 669 if (value < 0 || value > 65535) 670 return (EINVAL); 671 element->mbe_grade = value; 672 673 /* 674 * Optional compartment piece of the element. If none 675 * are included, we assume that the label has no 676 * compartments. 677 */ 678 if (string == NULL) 679 return (0); 680 if (*string == '\0') 681 return (0); 682 683 while ((compartment = strsep(&string, "+")) != NULL) { 684 value = strtol(compartment, &end, 10); 685 if (compartment == end || *end != '\0') 686 return (EINVAL); 687 if (value < 1 || value > MAC_BIBA_MAX_COMPARTMENTS) 688 return (EINVAL); 689 MAC_BIBA_BIT_SET(value, element->mbe_compartments); 690 } 691 } 692 693 return (0); 694 } 695 696 /* 697 * Note: destructively consumes the string, make a local copy before 698 * calling if that's a problem. 699 */ 700 static int 701 mac_biba_parse(struct mac_biba *mac_biba, char *string) 702 { 703 char *rangehigh, *rangelow, *effective; 704 int error; 705 706 effective = strsep(&string, "("); 707 if (*effective == '\0') 708 effective = NULL; 709 710 if (string != NULL) { 711 rangelow = strsep(&string, "-"); 712 if (string == NULL) 713 return (EINVAL); 714 rangehigh = strsep(&string, ")"); 715 if (string == NULL) 716 return (EINVAL); 717 if (*string != '\0') 718 return (EINVAL); 719 } else { 720 rangelow = NULL; 721 rangehigh = NULL; 722 } 723 724 KASSERT((rangelow != NULL && rangehigh != NULL) || 725 (rangelow == NULL && rangehigh == NULL), 726 ("mac_biba_parse: range mismatch")); 727 728 bzero(mac_biba, sizeof(*mac_biba)); 729 if (effective != NULL) { 730 error = mac_biba_parse_element(&mac_biba->mb_effective, effective); 731 if (error) 732 return (error); 733 mac_biba->mb_flags |= MAC_BIBA_FLAG_EFFECTIVE; 734 } 735 736 if (rangelow != NULL) { 737 error = mac_biba_parse_element(&mac_biba->mb_rangelow, 738 rangelow); 739 if (error) 740 return (error); 741 error = mac_biba_parse_element(&mac_biba->mb_rangehigh, 742 rangehigh); 743 if (error) 744 return (error); 745 mac_biba->mb_flags |= MAC_BIBA_FLAG_RANGE; 746 } 747 748 error = mac_biba_valid(mac_biba); 749 if (error) 750 return (error); 751 752 return (0); 753 } 754 755 static int 756 mac_biba_internalize_label(struct label *label, char *element_name, 757 char *element_data, int *claimed) 758 { 759 struct mac_biba *mac_biba, mac_biba_temp; 760 int error; 761 762 if (strcmp(MAC_BIBA_LABEL_NAME, element_name) != 0) 763 return (0); 764 765 (*claimed)++; 766 767 error = mac_biba_parse(&mac_biba_temp, element_data); 768 if (error) 769 return (error); 770 771 mac_biba = SLOT(label); 772 *mac_biba = mac_biba_temp; 773 774 return (0); 775 } 776 777 static void 778 mac_biba_copy_label(struct label *src, struct label *dest) 779 { 780 781 *SLOT(dest) = *SLOT(src); 782 } 783 784 /* 785 * Labeling event operations: file system objects, and things that look 786 * a lot like file system objects. 787 */ 788 static void 789 mac_biba_create_devfs_device(struct ucred *cred, struct mount *mp, 790 struct cdev *dev, struct devfs_dirent *devfs_dirent, struct label *label) 791 { 792 struct mac_biba *mac_biba; 793 int biba_type; 794 795 mac_biba = SLOT(label); 796 if (strcmp(dev->si_name, "null") == 0 || 797 strcmp(dev->si_name, "zero") == 0 || 798 strcmp(dev->si_name, "random") == 0 || 799 strncmp(dev->si_name, "fd/", strlen("fd/")) == 0) 800 biba_type = MAC_BIBA_TYPE_EQUAL; 801 else if (ptys_equal && 802 (strncmp(dev->si_name, "ttyp", strlen("ttyp")) == 0 || 803 strncmp(dev->si_name, "ptyp", strlen("ptyp")) == 0)) 804 biba_type = MAC_BIBA_TYPE_EQUAL; 805 else 806 biba_type = MAC_BIBA_TYPE_HIGH; 807 mac_biba_set_effective(mac_biba, biba_type, 0, NULL); 808 } 809 810 static void 811 mac_biba_create_devfs_directory(struct mount *mp, char *dirname, 812 int dirnamelen, struct devfs_dirent *devfs_dirent, struct label *label) 813 { 814 struct mac_biba *mac_biba; 815 816 mac_biba = SLOT(label); 817 mac_biba_set_effective(mac_biba, MAC_BIBA_TYPE_HIGH, 0, NULL); 818 } 819 820 static void 821 mac_biba_create_devfs_symlink(struct ucred *cred, struct mount *mp, 822 struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de, 823 struct label *delabel) 824 { 825 struct mac_biba *source, *dest; 826 827 source = SLOT(cred->cr_label); 828 dest = SLOT(delabel); 829 830 mac_biba_copy_effective(source, dest); 831 } 832 833 static void 834 mac_biba_create_mount(struct ucred *cred, struct mount *mp, 835 struct label *mntlabel, struct label *fslabel) 836 { 837 struct mac_biba *source, *dest; 838 839 source = SLOT(cred->cr_label); 840 dest = SLOT(mntlabel); 841 mac_biba_copy_effective(source, dest); 842 dest = SLOT(fslabel); 843 mac_biba_copy_effective(source, dest); 844 } 845 846 static void 847 mac_biba_relabel_vnode(struct ucred *cred, struct vnode *vp, 848 struct label *vnodelabel, struct label *label) 849 { 850 struct mac_biba *source, *dest; 851 852 source = SLOT(label); 853 dest = SLOT(vnodelabel); 854 855 mac_biba_copy(source, dest); 856 } 857 858 static void 859 mac_biba_update_devfsdirent(struct mount *mp, 860 struct devfs_dirent *devfs_dirent, struct label *direntlabel, 861 struct vnode *vp, struct label *vnodelabel) 862 { 863 struct mac_biba *source, *dest; 864 865 source = SLOT(vnodelabel); 866 dest = SLOT(direntlabel); 867 868 mac_biba_copy(source, dest); 869 } 870 871 static void 872 mac_biba_associate_vnode_devfs(struct mount *mp, struct label *fslabel, 873 struct devfs_dirent *de, struct label *delabel, struct vnode *vp, 874 struct label *vlabel) 875 { 876 struct mac_biba *source, *dest; 877 878 source = SLOT(delabel); 879 dest = SLOT(vlabel); 880 881 mac_biba_copy_effective(source, dest); 882 } 883 884 static int 885 mac_biba_associate_vnode_extattr(struct mount *mp, struct label *fslabel, 886 struct vnode *vp, struct label *vlabel) 887 { 888 struct mac_biba temp, *source, *dest; 889 int buflen, error; 890 891 source = SLOT(fslabel); 892 dest = SLOT(vlabel); 893 894 buflen = sizeof(temp); 895 bzero(&temp, buflen); 896 897 error = vn_extattr_get(vp, IO_NODELOCKED, MAC_BIBA_EXTATTR_NAMESPACE, 898 MAC_BIBA_EXTATTR_NAME, &buflen, (char *) &temp, curthread); 899 if (error == ENOATTR || error == EOPNOTSUPP) { 900 /* Fall back to the fslabel. */ 901 mac_biba_copy_effective(source, dest); 902 return (0); 903 } else if (error) 904 return (error); 905 906 if (buflen != sizeof(temp)) { 907 printf("mac_biba_associate_vnode_extattr: bad size %d\n", 908 buflen); 909 return (EPERM); 910 } 911 if (mac_biba_valid(&temp) != 0) { 912 printf("mac_biba_associate_vnode_extattr: invalid\n"); 913 return (EPERM); 914 } 915 if ((temp.mb_flags & MAC_BIBA_FLAGS_BOTH) != MAC_BIBA_FLAG_EFFECTIVE) { 916 printf("mac_biba_associate_vnode_extattr: not effective\n"); 917 return (EPERM); 918 } 919 920 mac_biba_copy_effective(&temp, dest); 921 return (0); 922 } 923 924 static void 925 mac_biba_associate_vnode_singlelabel(struct mount *mp, 926 struct label *fslabel, struct vnode *vp, struct label *vlabel) 927 { 928 struct mac_biba *source, *dest; 929 930 source = SLOT(fslabel); 931 dest = SLOT(vlabel); 932 933 mac_biba_copy_effective(source, dest); 934 } 935 936 static int 937 mac_biba_create_vnode_extattr(struct ucred *cred, struct mount *mp, 938 struct label *fslabel, struct vnode *dvp, struct label *dlabel, 939 struct vnode *vp, struct label *vlabel, struct componentname *cnp) 940 { 941 struct mac_biba *source, *dest, temp; 942 size_t buflen; 943 int error; 944 945 buflen = sizeof(temp); 946 bzero(&temp, buflen); 947 948 source = SLOT(cred->cr_label); 949 dest = SLOT(vlabel); 950 mac_biba_copy_effective(source, &temp); 951 952 error = vn_extattr_set(vp, IO_NODELOCKED, MAC_BIBA_EXTATTR_NAMESPACE, 953 MAC_BIBA_EXTATTR_NAME, buflen, (char *) &temp, curthread); 954 if (error == 0) 955 mac_biba_copy_effective(source, dest); 956 return (error); 957 } 958 959 static int 960 mac_biba_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp, 961 struct label *vlabel, struct label *intlabel) 962 { 963 struct mac_biba *source, temp; 964 size_t buflen; 965 int error; 966 967 buflen = sizeof(temp); 968 bzero(&temp, buflen); 969 970 source = SLOT(intlabel); 971 if ((source->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) == 0) 972 return (0); 973 974 mac_biba_copy_effective(source, &temp); 975 976 error = vn_extattr_set(vp, IO_NODELOCKED, MAC_BIBA_EXTATTR_NAMESPACE, 977 MAC_BIBA_EXTATTR_NAME, buflen, (char *) &temp, curthread); 978 return (error); 979 } 980 981 /* 982 * Labeling event operations: IPC object. 983 */ 984 static void 985 mac_biba_create_inpcb_from_socket(struct socket *so, struct label *solabel, 986 struct inpcb *inp, struct label *inplabel) 987 { 988 struct mac_biba *source, *dest; 989 990 source = SLOT(solabel); 991 dest = SLOT(inplabel); 992 993 mac_biba_copy_effective(source, dest); 994 } 995 996 static void 997 mac_biba_create_mbuf_from_socket(struct socket *so, struct label *socketlabel, 998 struct mbuf *m, struct label *mbuflabel) 999 { 1000 struct mac_biba *source, *dest; 1001 1002 source = SLOT(socketlabel); 1003 dest = SLOT(mbuflabel); 1004 1005 mac_biba_copy_effective(source, dest); 1006 } 1007 1008 static void 1009 mac_biba_create_socket(struct ucred *cred, struct socket *socket, 1010 struct label *socketlabel) 1011 { 1012 struct mac_biba *source, *dest; 1013 1014 source = SLOT(cred->cr_label); 1015 dest = SLOT(socketlabel); 1016 1017 mac_biba_copy_effective(source, dest); 1018 } 1019 1020 static void 1021 mac_biba_create_pipe(struct ucred *cred, struct pipepair *pp, 1022 struct label *pipelabel) 1023 { 1024 struct mac_biba *source, *dest; 1025 1026 source = SLOT(cred->cr_label); 1027 dest = SLOT(pipelabel); 1028 1029 mac_biba_copy_effective(source, dest); 1030 } 1031 1032 static void 1033 mac_biba_create_posix_sem(struct ucred *cred, struct ksem *ksemptr, 1034 struct label *ks_label) 1035 { 1036 struct mac_biba *source, *dest; 1037 1038 source = SLOT(cred->cr_label); 1039 dest = SLOT(ks_label); 1040 1041 mac_biba_copy_effective(source, dest); 1042 } 1043 1044 static void 1045 mac_biba_create_socket_from_socket(struct socket *oldsocket, 1046 struct label *oldsocketlabel, struct socket *newsocket, 1047 struct label *newsocketlabel) 1048 { 1049 struct mac_biba *source, *dest; 1050 1051 source = SLOT(oldsocketlabel); 1052 dest = SLOT(newsocketlabel); 1053 1054 mac_biba_copy_effective(source, dest); 1055 } 1056 1057 static void 1058 mac_biba_relabel_socket(struct ucred *cred, struct socket *socket, 1059 struct label *socketlabel, struct label *newlabel) 1060 { 1061 struct mac_biba *source, *dest; 1062 1063 source = SLOT(newlabel); 1064 dest = SLOT(socketlabel); 1065 1066 mac_biba_copy(source, dest); 1067 } 1068 1069 static void 1070 mac_biba_relabel_pipe(struct ucred *cred, struct pipepair *pp, 1071 struct label *pipelabel, struct label *newlabel) 1072 { 1073 struct mac_biba *source, *dest; 1074 1075 source = SLOT(newlabel); 1076 dest = SLOT(pipelabel); 1077 1078 mac_biba_copy(source, dest); 1079 } 1080 1081 static void 1082 mac_biba_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct label *mbuflabel, 1083 struct socket *socket, struct label *socketpeerlabel) 1084 { 1085 struct mac_biba *source, *dest; 1086 1087 source = SLOT(mbuflabel); 1088 dest = SLOT(socketpeerlabel); 1089 1090 mac_biba_copy_effective(source, dest); 1091 } 1092 1093 /* 1094 * Labeling event operations: System V IPC objects. 1095 */ 1096 1097 static void 1098 mac_biba_create_sysv_msgmsg(struct ucred *cred, struct msqid_kernel *msqkptr, 1099 struct label *msqlabel, struct msg *msgptr, struct label *msglabel) 1100 { 1101 struct mac_biba *source, *dest; 1102 1103 /* Ignore the msgq label */ 1104 source = SLOT(cred->cr_label); 1105 dest = SLOT(msglabel); 1106 1107 mac_biba_copy_effective(source, dest); 1108 } 1109 1110 static void 1111 mac_biba_create_sysv_msgqueue(struct ucred *cred, 1112 struct msqid_kernel *msqkptr, struct label *msqlabel) 1113 { 1114 struct mac_biba *source, *dest; 1115 1116 source = SLOT(cred->cr_label); 1117 dest = SLOT(msqlabel); 1118 1119 mac_biba_copy_effective(source, dest); 1120 } 1121 1122 static void 1123 mac_biba_create_sysv_sem(struct ucred *cred, struct semid_kernel *semakptr, 1124 struct label *semalabel) 1125 { 1126 struct mac_biba *source, *dest; 1127 1128 source = SLOT(cred->cr_label); 1129 dest = SLOT(semalabel); 1130 1131 mac_biba_copy_effective(source, dest); 1132 } 1133 1134 static void 1135 mac_biba_create_sysv_shm(struct ucred *cred, struct shmid_kernel *shmsegptr, 1136 struct label *shmlabel) 1137 { 1138 struct mac_biba *source, *dest; 1139 1140 source = SLOT(cred->cr_label); 1141 dest = SLOT(shmlabel); 1142 1143 mac_biba_copy_effective(source, dest); 1144 } 1145 1146 /* 1147 * Labeling event operations: network objects. 1148 */ 1149 static void 1150 mac_biba_set_socket_peer_from_socket(struct socket *oldsocket, 1151 struct label *oldsocketlabel, struct socket *newsocket, 1152 struct label *newsocketpeerlabel) 1153 { 1154 struct mac_biba *source, *dest; 1155 1156 source = SLOT(oldsocketlabel); 1157 dest = SLOT(newsocketpeerlabel); 1158 1159 mac_biba_copy_effective(source, dest); 1160 } 1161 1162 static void 1163 mac_biba_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d, 1164 struct label *bpflabel) 1165 { 1166 struct mac_biba *source, *dest; 1167 1168 source = SLOT(cred->cr_label); 1169 dest = SLOT(bpflabel); 1170 1171 mac_biba_copy_effective(source, dest); 1172 } 1173 1174 static void 1175 mac_biba_create_ifnet(struct ifnet *ifnet, struct label *ifnetlabel) 1176 { 1177 char tifname[IFNAMSIZ], *p, *q; 1178 char tiflist[sizeof(trusted_interfaces)]; 1179 struct mac_biba *dest; 1180 int len, type; 1181 1182 dest = SLOT(ifnetlabel); 1183 1184 if (ifnet->if_type == IFT_LOOP || interfaces_equal != 0) { 1185 type = MAC_BIBA_TYPE_EQUAL; 1186 goto set; 1187 } 1188 1189 if (trust_all_interfaces) { 1190 type = MAC_BIBA_TYPE_HIGH; 1191 goto set; 1192 } 1193 1194 type = MAC_BIBA_TYPE_LOW; 1195 1196 if (trusted_interfaces[0] == '\0' || 1197 !strvalid(trusted_interfaces, sizeof(trusted_interfaces))) 1198 goto set; 1199 1200 bzero(tiflist, sizeof(tiflist)); 1201 for (p = trusted_interfaces, q = tiflist; *p != '\0'; p++, q++) 1202 if(*p != ' ' && *p != '\t') 1203 *q = *p; 1204 1205 for (p = q = tiflist;; p++) { 1206 if (*p == ',' || *p == '\0') { 1207 len = p - q; 1208 if (len < IFNAMSIZ) { 1209 bzero(tifname, sizeof(tifname)); 1210 bcopy(q, tifname, len); 1211 if (strcmp(tifname, ifnet->if_xname) == 0) { 1212 type = MAC_BIBA_TYPE_HIGH; 1213 break; 1214 } 1215 } else { 1216 *p = '\0'; 1217 printf("mac_biba warning: interface name " 1218 "\"%s\" is too long (must be < %d)\n", 1219 q, IFNAMSIZ); 1220 } 1221 if (*p == '\0') 1222 break; 1223 q = p + 1; 1224 } 1225 } 1226 set: 1227 mac_biba_set_effective(dest, type, 0, NULL); 1228 mac_biba_set_range(dest, type, 0, NULL, type, 0, NULL); 1229 } 1230 1231 static void 1232 mac_biba_create_ipq(struct mbuf *fragment, struct label *fragmentlabel, 1233 struct ipq *ipq, struct label *ipqlabel) 1234 { 1235 struct mac_biba *source, *dest; 1236 1237 source = SLOT(fragmentlabel); 1238 dest = SLOT(ipqlabel); 1239 1240 mac_biba_copy_effective(source, dest); 1241 } 1242 1243 static void 1244 mac_biba_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel, 1245 struct mbuf *datagram, struct label *datagramlabel) 1246 { 1247 struct mac_biba *source, *dest; 1248 1249 source = SLOT(ipqlabel); 1250 dest = SLOT(datagramlabel); 1251 1252 /* Just use the head, since we require them all to match. */ 1253 mac_biba_copy_effective(source, dest); 1254 } 1255 1256 static void 1257 mac_biba_create_fragment(struct mbuf *datagram, struct label *datagramlabel, 1258 struct mbuf *fragment, struct label *fragmentlabel) 1259 { 1260 struct mac_biba *source, *dest; 1261 1262 source = SLOT(datagramlabel); 1263 dest = SLOT(fragmentlabel); 1264 1265 mac_biba_copy_effective(source, dest); 1266 } 1267 1268 static void 1269 mac_biba_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel, 1270 struct mbuf *m, struct label *mlabel) 1271 { 1272 struct mac_biba *source, *dest; 1273 1274 source = SLOT(inplabel); 1275 dest = SLOT(mlabel); 1276 1277 mac_biba_copy_effective(source, dest); 1278 } 1279 1280 static void 1281 mac_biba_create_mbuf_linklayer(struct ifnet *ifnet, struct label *ifnetlabel, 1282 struct mbuf *mbuf, struct label *mbuflabel) 1283 { 1284 struct mac_biba *dest; 1285 1286 dest = SLOT(mbuflabel); 1287 1288 mac_biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL); 1289 } 1290 1291 static void 1292 mac_biba_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct label *bpflabel, 1293 struct mbuf *mbuf, struct label *mbuflabel) 1294 { 1295 struct mac_biba *source, *dest; 1296 1297 source = SLOT(bpflabel); 1298 dest = SLOT(mbuflabel); 1299 1300 mac_biba_copy_effective(source, dest); 1301 } 1302 1303 static void 1304 mac_biba_create_mbuf_from_ifnet(struct ifnet *ifnet, struct label *ifnetlabel, 1305 struct mbuf *m, struct label *mbuflabel) 1306 { 1307 struct mac_biba *source, *dest; 1308 1309 source = SLOT(ifnetlabel); 1310 dest = SLOT(mbuflabel); 1311 1312 mac_biba_copy_effective(source, dest); 1313 } 1314 1315 static void 1316 mac_biba_create_mbuf_multicast_encap(struct mbuf *oldmbuf, 1317 struct label *oldmbuflabel, struct ifnet *ifnet, struct label *ifnetlabel, 1318 struct mbuf *newmbuf, struct label *newmbuflabel) 1319 { 1320 struct mac_biba *source, *dest; 1321 1322 source = SLOT(oldmbuflabel); 1323 dest = SLOT(newmbuflabel); 1324 1325 mac_biba_copy_effective(source, dest); 1326 } 1327 1328 static void 1329 mac_biba_create_mbuf_netlayer(struct mbuf *oldmbuf, struct label *oldmbuflabel, 1330 struct mbuf *newmbuf, struct label *newmbuflabel) 1331 { 1332 struct mac_biba *source, *dest; 1333 1334 source = SLOT(oldmbuflabel); 1335 dest = SLOT(newmbuflabel); 1336 1337 mac_biba_copy_effective(source, dest); 1338 } 1339 1340 static int 1341 mac_biba_fragment_match(struct mbuf *fragment, struct label *fragmentlabel, 1342 struct ipq *ipq, struct label *ipqlabel) 1343 { 1344 struct mac_biba *a, *b; 1345 1346 a = SLOT(ipqlabel); 1347 b = SLOT(fragmentlabel); 1348 1349 return (mac_biba_equal_effective(a, b)); 1350 } 1351 1352 static void 1353 mac_biba_relabel_ifnet(struct ucred *cred, struct ifnet *ifnet, 1354 struct label *ifnetlabel, struct label *newlabel) 1355 { 1356 struct mac_biba *source, *dest; 1357 1358 source = SLOT(newlabel); 1359 dest = SLOT(ifnetlabel); 1360 1361 mac_biba_copy(source, dest); 1362 } 1363 1364 static void 1365 mac_biba_update_ipq(struct mbuf *fragment, struct label *fragmentlabel, 1366 struct ipq *ipq, struct label *ipqlabel) 1367 { 1368 1369 /* NOOP: we only accept matching labels, so no need to update */ 1370 } 1371 1372 static void 1373 mac_biba_inpcb_sosetlabel(struct socket *so, struct label *solabel, 1374 struct inpcb *inp, struct label *inplabel) 1375 { 1376 struct mac_biba *source, *dest; 1377 1378 source = SLOT(solabel); 1379 dest = SLOT(inplabel); 1380 1381 mac_biba_copy(source, dest); 1382 } 1383 1384 /* 1385 * Labeling event operations: processes. 1386 */ 1387 static void 1388 mac_biba_create_proc0(struct ucred *cred) 1389 { 1390 struct mac_biba *dest; 1391 1392 dest = SLOT(cred->cr_label); 1393 1394 mac_biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL); 1395 mac_biba_set_range(dest, MAC_BIBA_TYPE_LOW, 0, NULL, 1396 MAC_BIBA_TYPE_HIGH, 0, NULL); 1397 } 1398 1399 static void 1400 mac_biba_create_proc1(struct ucred *cred) 1401 { 1402 struct mac_biba *dest; 1403 1404 dest = SLOT(cred->cr_label); 1405 1406 mac_biba_set_effective(dest, MAC_BIBA_TYPE_HIGH, 0, NULL); 1407 mac_biba_set_range(dest, MAC_BIBA_TYPE_LOW, 0, NULL, 1408 MAC_BIBA_TYPE_HIGH, 0, NULL); 1409 } 1410 1411 static void 1412 mac_biba_relabel_cred(struct ucred *cred, struct label *newlabel) 1413 { 1414 struct mac_biba *source, *dest; 1415 1416 source = SLOT(newlabel); 1417 dest = SLOT(cred->cr_label); 1418 1419 mac_biba_copy(source, dest); 1420 } 1421 1422 /* 1423 * Label cleanup/flush operations 1424 */ 1425 static void 1426 mac_biba_cleanup_sysv_msgmsg(struct label *msglabel) 1427 { 1428 1429 bzero(SLOT(msglabel), sizeof(struct mac_biba)); 1430 } 1431 1432 static void 1433 mac_biba_cleanup_sysv_msgqueue(struct label *msqlabel) 1434 { 1435 1436 bzero(SLOT(msqlabel), sizeof(struct mac_biba)); 1437 } 1438 1439 static void 1440 mac_biba_cleanup_sysv_sem(struct label *semalabel) 1441 { 1442 1443 bzero(SLOT(semalabel), sizeof(struct mac_biba)); 1444 } 1445 1446 static void 1447 mac_biba_cleanup_sysv_shm(struct label *shmlabel) 1448 { 1449 bzero(SLOT(shmlabel), sizeof(struct mac_biba)); 1450 } 1451 1452 /* 1453 * Access control checks. 1454 */ 1455 static int 1456 mac_biba_check_bpfdesc_receive(struct bpf_d *bpf_d, struct label *bpflabel, 1457 struct ifnet *ifnet, struct label *ifnetlabel) 1458 { 1459 struct mac_biba *a, *b; 1460 1461 if (!mac_biba_enabled) 1462 return (0); 1463 1464 a = SLOT(bpflabel); 1465 b = SLOT(ifnetlabel); 1466 1467 if (mac_biba_equal_effective(a, b)) 1468 return (0); 1469 return (EACCES); 1470 } 1471 1472 static int 1473 mac_biba_check_cred_relabel(struct ucred *cred, struct label *newlabel) 1474 { 1475 struct mac_biba *subj, *new; 1476 int error; 1477 1478 subj = SLOT(cred->cr_label); 1479 new = SLOT(newlabel); 1480 1481 /* 1482 * If there is a Biba label update for the credential, it may 1483 * be an update of the effective, range, or both. 1484 */ 1485 error = biba_atmostflags(new, MAC_BIBA_FLAGS_BOTH); 1486 if (error) 1487 return (error); 1488 1489 /* 1490 * If the Biba label is to be changed, authorize as appropriate. 1491 */ 1492 if (new->mb_flags & MAC_BIBA_FLAGS_BOTH) { 1493 /* 1494 * If the change request modifies both the Biba label 1495 * effective and range, check that the new effective will be 1496 * in the new range. 1497 */ 1498 if ((new->mb_flags & MAC_BIBA_FLAGS_BOTH) == 1499 MAC_BIBA_FLAGS_BOTH && 1500 !mac_biba_effective_in_range(new, new)) 1501 return (EINVAL); 1502 1503 /* 1504 * To change the Biba effective label on a credential, the 1505 * new effective label must be in the current range. 1506 */ 1507 if (new->mb_flags & MAC_BIBA_FLAG_EFFECTIVE && 1508 !mac_biba_effective_in_range(new, subj)) 1509 return (EPERM); 1510 1511 /* 1512 * To change the Biba range on a credential, the new 1513 * range label must be in the current range. 1514 */ 1515 if (new->mb_flags & MAC_BIBA_FLAG_RANGE && 1516 !mac_biba_range_in_range(new, subj)) 1517 return (EPERM); 1518 1519 /* 1520 * To have EQUAL in any component of the new credential 1521 * Biba label, the subject must already have EQUAL in 1522 * their label. 1523 */ 1524 if (mac_biba_contains_equal(new)) { 1525 error = mac_biba_subject_privileged(subj); 1526 if (error) 1527 return (error); 1528 } 1529 } 1530 1531 return (0); 1532 } 1533 1534 static int 1535 mac_biba_check_cred_visible(struct ucred *u1, struct ucred *u2) 1536 { 1537 struct mac_biba *subj, *obj; 1538 1539 if (!mac_biba_enabled) 1540 return (0); 1541 1542 subj = SLOT(u1->cr_label); 1543 obj = SLOT(u2->cr_label); 1544 1545 /* XXX: range */ 1546 if (!mac_biba_dominate_effective(obj, subj)) 1547 return (ESRCH); 1548 1549 return (0); 1550 } 1551 1552 static int 1553 mac_biba_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet, 1554 struct label *ifnetlabel, struct label *newlabel) 1555 { 1556 struct mac_biba *subj, *new; 1557 int error; 1558 1559 subj = SLOT(cred->cr_label); 1560 new = SLOT(newlabel); 1561 1562 /* 1563 * If there is a Biba label update for the interface, it may 1564 * be an update of the effective, range, or both. 1565 */ 1566 error = biba_atmostflags(new, MAC_BIBA_FLAGS_BOTH); 1567 if (error) 1568 return (error); 1569 1570 /* 1571 * Relabling network interfaces requires Biba privilege. 1572 */ 1573 error = mac_biba_subject_privileged(subj); 1574 if (error) 1575 return (error); 1576 1577 return (0); 1578 } 1579 1580 static int 1581 mac_biba_check_ifnet_transmit(struct ifnet *ifnet, struct label *ifnetlabel, 1582 struct mbuf *m, struct label *mbuflabel) 1583 { 1584 struct mac_biba *p, *i; 1585 1586 if (!mac_biba_enabled) 1587 return (0); 1588 1589 p = SLOT(mbuflabel); 1590 i = SLOT(ifnetlabel); 1591 1592 return (mac_biba_effective_in_range(p, i) ? 0 : EACCES); 1593 } 1594 1595 static int 1596 mac_biba_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel, 1597 struct mbuf *m, struct label *mlabel) 1598 { 1599 struct mac_biba *p, *i; 1600 1601 if (!mac_biba_enabled) 1602 return (0); 1603 1604 p = SLOT(mlabel); 1605 i = SLOT(inplabel); 1606 1607 return (mac_biba_equal_effective(p, i) ? 0 : EACCES); 1608 } 1609 1610 static int 1611 mac_biba_check_sysv_msgrcv(struct ucred *cred, struct msg *msgptr, 1612 struct label *msglabel) 1613 { 1614 struct mac_biba *subj, *obj; 1615 1616 if (!mac_biba_enabled) 1617 return (0); 1618 1619 subj = SLOT(cred->cr_label); 1620 obj = SLOT(msglabel); 1621 1622 if (!mac_biba_dominate_effective(obj, subj)) 1623 return (EACCES); 1624 1625 return (0); 1626 } 1627 1628 static int 1629 mac_biba_check_sysv_msgrmid(struct ucred *cred, struct msg *msgptr, 1630 struct label *msglabel) 1631 { 1632 struct mac_biba *subj, *obj; 1633 1634 if (!mac_biba_enabled) 1635 return (0); 1636 1637 subj = SLOT(cred->cr_label); 1638 obj = SLOT(msglabel); 1639 1640 if (!mac_biba_dominate_effective(subj, obj)) 1641 return (EACCES); 1642 1643 return (0); 1644 } 1645 1646 static int 1647 mac_biba_check_sysv_msqget(struct ucred *cred, struct msqid_kernel *msqkptr, 1648 struct label *msqklabel) 1649 { 1650 struct mac_biba *subj, *obj; 1651 1652 if (!mac_biba_enabled) 1653 return (0); 1654 1655 subj = SLOT(cred->cr_label); 1656 obj = SLOT(msqklabel); 1657 1658 if (!mac_biba_dominate_effective(obj, subj)) 1659 return (EACCES); 1660 1661 return (0); 1662 } 1663 1664 static int 1665 mac_biba_check_sysv_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr, 1666 struct label *msqklabel) 1667 { 1668 struct mac_biba *subj, *obj; 1669 1670 if (!mac_biba_enabled) 1671 return (0); 1672 1673 subj = SLOT(cred->cr_label); 1674 obj = SLOT(msqklabel); 1675 1676 if (!mac_biba_dominate_effective(subj, obj)) 1677 return (EACCES); 1678 1679 return (0); 1680 } 1681 1682 static int 1683 mac_biba_check_sysv_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr, 1684 struct label *msqklabel) 1685 { 1686 struct mac_biba *subj, *obj; 1687 1688 if (!mac_biba_enabled) 1689 return (0); 1690 1691 subj = SLOT(cred->cr_label); 1692 obj = SLOT(msqklabel); 1693 1694 if (!mac_biba_dominate_effective(obj, subj)) 1695 return (EACCES); 1696 1697 return (0); 1698 } 1699 1700 1701 static int 1702 mac_biba_check_sysv_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr, 1703 struct label *msqklabel, int cmd) 1704 { 1705 struct mac_biba *subj, *obj; 1706 1707 if (!mac_biba_enabled) 1708 return (0); 1709 1710 subj = SLOT(cred->cr_label); 1711 obj = SLOT(msqklabel); 1712 1713 switch(cmd) { 1714 case IPC_RMID: 1715 case IPC_SET: 1716 if (!mac_biba_dominate_effective(subj, obj)) 1717 return (EACCES); 1718 break; 1719 1720 case IPC_STAT: 1721 if (!mac_biba_dominate_effective(obj, subj)) 1722 return (EACCES); 1723 break; 1724 1725 default: 1726 return (EACCES); 1727 } 1728 1729 return (0); 1730 } 1731 1732 static int 1733 mac_biba_check_sysv_semctl(struct ucred *cred, struct semid_kernel *semakptr, 1734 struct label *semaklabel, int cmd) 1735 { 1736 struct mac_biba *subj, *obj; 1737 1738 if (!mac_biba_enabled) 1739 return (0); 1740 1741 subj = SLOT(cred->cr_label); 1742 obj = SLOT(semaklabel); 1743 1744 switch(cmd) { 1745 case IPC_RMID: 1746 case IPC_SET: 1747 case SETVAL: 1748 case SETALL: 1749 if (!mac_biba_dominate_effective(subj, obj)) 1750 return (EACCES); 1751 break; 1752 1753 case IPC_STAT: 1754 case GETVAL: 1755 case GETPID: 1756 case GETNCNT: 1757 case GETZCNT: 1758 case GETALL: 1759 if (!mac_biba_dominate_effective(obj, subj)) 1760 return (EACCES); 1761 break; 1762 1763 default: 1764 return (EACCES); 1765 } 1766 1767 return (0); 1768 } 1769 1770 1771 static int 1772 mac_biba_check_sysv_semget(struct ucred *cred, struct semid_kernel *semakptr, 1773 struct label *semaklabel) 1774 { 1775 struct mac_biba *subj, *obj; 1776 1777 if (!mac_biba_enabled) 1778 return (0); 1779 1780 subj = SLOT(cred->cr_label); 1781 obj = SLOT(semaklabel); 1782 1783 if (!mac_biba_dominate_effective(obj, subj)) 1784 return (EACCES); 1785 1786 return (0); 1787 } 1788 1789 1790 static int 1791 mac_biba_check_sysv_semop(struct ucred *cred, struct semid_kernel *semakptr, 1792 struct label *semaklabel, size_t accesstype) 1793 { 1794 struct mac_biba *subj, *obj; 1795 1796 if (!mac_biba_enabled) 1797 return (0); 1798 1799 subj = SLOT(cred->cr_label); 1800 obj = SLOT(semaklabel); 1801 1802 if (accesstype & SEM_R) 1803 if (!mac_biba_dominate_effective(obj, subj)) 1804 return (EACCES); 1805 1806 if (accesstype & SEM_A) 1807 if (!mac_biba_dominate_effective(subj, obj)) 1808 return (EACCES); 1809 1810 return (0); 1811 } 1812 1813 static int 1814 mac_biba_check_sysv_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr, 1815 struct label *shmseglabel, int shmflg) 1816 { 1817 struct mac_biba *subj, *obj; 1818 1819 if (!mac_biba_enabled) 1820 return (0); 1821 1822 subj = SLOT(cred->cr_label); 1823 obj = SLOT(shmseglabel); 1824 1825 if (!mac_biba_dominate_effective(obj, subj)) 1826 return (EACCES); 1827 if ((shmflg & SHM_RDONLY) == 0) { 1828 if (!mac_biba_dominate_effective(subj, obj)) 1829 return (EACCES); 1830 } 1831 1832 return (0); 1833 } 1834 1835 static int 1836 mac_biba_check_sysv_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr, 1837 struct label *shmseglabel, int cmd) 1838 { 1839 struct mac_biba *subj, *obj; 1840 1841 if (!mac_biba_enabled) 1842 return (0); 1843 1844 subj = SLOT(cred->cr_label); 1845 obj = SLOT(shmseglabel); 1846 1847 switch(cmd) { 1848 case IPC_RMID: 1849 case IPC_SET: 1850 if (!mac_biba_dominate_effective(subj, obj)) 1851 return (EACCES); 1852 break; 1853 1854 case IPC_STAT: 1855 case SHM_STAT: 1856 if (!mac_biba_dominate_effective(obj, subj)) 1857 return (EACCES); 1858 break; 1859 1860 default: 1861 return (EACCES); 1862 } 1863 1864 return (0); 1865 } 1866 1867 static int 1868 mac_biba_check_sysv_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr, 1869 struct label *shmseglabel, int shmflg) 1870 { 1871 struct mac_biba *subj, *obj; 1872 1873 if (!mac_biba_enabled) 1874 return (0); 1875 1876 subj = SLOT(cred->cr_label); 1877 obj = SLOT(shmseglabel); 1878 1879 if (!mac_biba_dominate_effective(obj, subj)) 1880 return (EACCES); 1881 1882 return (0); 1883 } 1884 1885 static int 1886 mac_biba_check_kld_load(struct ucred *cred, struct vnode *vp, 1887 struct label *label) 1888 { 1889 struct mac_biba *subj, *obj; 1890 int error; 1891 1892 if (!mac_biba_enabled) 1893 return (0); 1894 1895 subj = SLOT(cred->cr_label); 1896 1897 error = mac_biba_subject_privileged(subj); 1898 if (error) 1899 return (error); 1900 1901 obj = SLOT(label); 1902 if (!mac_biba_high_effective(obj)) 1903 return (EACCES); 1904 1905 return (0); 1906 } 1907 1908 1909 static int 1910 mac_biba_check_kld_unload(struct ucred *cred) 1911 { 1912 struct mac_biba *subj; 1913 1914 if (!mac_biba_enabled) 1915 return (0); 1916 1917 subj = SLOT(cred->cr_label); 1918 1919 return (mac_biba_subject_privileged(subj)); 1920 } 1921 1922 static int 1923 mac_biba_check_mount_stat(struct ucred *cred, struct mount *mp, 1924 struct label *mntlabel) 1925 { 1926 struct mac_biba *subj, *obj; 1927 1928 if (!mac_biba_enabled) 1929 return (0); 1930 1931 subj = SLOT(cred->cr_label); 1932 obj = SLOT(mntlabel); 1933 1934 if (!mac_biba_dominate_effective(obj, subj)) 1935 return (EACCES); 1936 1937 return (0); 1938 } 1939 1940 static int 1941 mac_biba_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp, 1942 struct label *pipelabel, unsigned long cmd, void /* caddr_t */ *data) 1943 { 1944 1945 if(!mac_biba_enabled) 1946 return (0); 1947 1948 /* XXX: This will be implemented soon... */ 1949 1950 return (0); 1951 } 1952 1953 static int 1954 mac_biba_check_pipe_poll(struct ucred *cred, struct pipepair *pp, 1955 struct label *pipelabel) 1956 { 1957 struct mac_biba *subj, *obj; 1958 1959 if (!mac_biba_enabled) 1960 return (0); 1961 1962 subj = SLOT(cred->cr_label); 1963 obj = SLOT((pipelabel)); 1964 1965 if (!mac_biba_dominate_effective(obj, subj)) 1966 return (EACCES); 1967 1968 return (0); 1969 } 1970 1971 static int 1972 mac_biba_check_pipe_read(struct ucred *cred, struct pipepair *pp, 1973 struct label *pipelabel) 1974 { 1975 struct mac_biba *subj, *obj; 1976 1977 if (!mac_biba_enabled) 1978 return (0); 1979 1980 subj = SLOT(cred->cr_label); 1981 obj = SLOT((pipelabel)); 1982 1983 if (!mac_biba_dominate_effective(obj, subj)) 1984 return (EACCES); 1985 1986 return (0); 1987 } 1988 1989 static int 1990 mac_biba_check_pipe_relabel(struct ucred *cred, struct pipepair *pp, 1991 struct label *pipelabel, struct label *newlabel) 1992 { 1993 struct mac_biba *subj, *obj, *new; 1994 int error; 1995 1996 new = SLOT(newlabel); 1997 subj = SLOT(cred->cr_label); 1998 obj = SLOT(pipelabel); 1999 2000 /* 2001 * If there is a Biba label update for a pipe, it must be a 2002 * effective update. 2003 */ 2004 error = biba_atmostflags(new, MAC_BIBA_FLAG_EFFECTIVE); 2005 if (error) 2006 return (error); 2007 2008 /* 2009 * To perform a relabel of a pipe (Biba label or not), Biba must 2010 * authorize the relabel. 2011 */ 2012 if (!mac_biba_effective_in_range(obj, subj)) 2013 return (EPERM); 2014 2015 /* 2016 * If the Biba label is to be changed, authorize as appropriate. 2017 */ 2018 if (new->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) { 2019 /* 2020 * To change the Biba label on a pipe, the new pipe label 2021 * must be in the subject range. 2022 */ 2023 if (!mac_biba_effective_in_range(new, subj)) 2024 return (EPERM); 2025 2026 /* 2027 * To change the Biba label on a pipe to be EQUAL, the 2028 * subject must have appropriate privilege. 2029 */ 2030 if (mac_biba_contains_equal(new)) { 2031 error = mac_biba_subject_privileged(subj); 2032 if (error) 2033 return (error); 2034 } 2035 } 2036 2037 return (0); 2038 } 2039 2040 static int 2041 mac_biba_check_pipe_stat(struct ucred *cred, struct pipepair *pp, 2042 struct label *pipelabel) 2043 { 2044 struct mac_biba *subj, *obj; 2045 2046 if (!mac_biba_enabled) 2047 return (0); 2048 2049 subj = SLOT(cred->cr_label); 2050 obj = SLOT((pipelabel)); 2051 2052 if (!mac_biba_dominate_effective(obj, subj)) 2053 return (EACCES); 2054 2055 return (0); 2056 } 2057 2058 static int 2059 mac_biba_check_pipe_write(struct ucred *cred, struct pipepair *pp, 2060 struct label *pipelabel) 2061 { 2062 struct mac_biba *subj, *obj; 2063 2064 if (!mac_biba_enabled) 2065 return (0); 2066 2067 subj = SLOT(cred->cr_label); 2068 obj = SLOT((pipelabel)); 2069 2070 if (!mac_biba_dominate_effective(subj, obj)) 2071 return (EACCES); 2072 2073 return (0); 2074 } 2075 2076 static int 2077 mac_biba_check_posix_sem_write(struct ucred *cred, struct ksem *ksemptr, 2078 struct label *ks_label) 2079 { 2080 struct mac_biba *subj, *obj; 2081 2082 if (!mac_biba_enabled) 2083 return (0); 2084 2085 subj = SLOT(cred->cr_label); 2086 obj = SLOT(ks_label); 2087 2088 if (!mac_biba_dominate_effective(subj, obj)) 2089 return (EACCES); 2090 2091 return (0); 2092 } 2093 2094 static int 2095 mac_biba_check_posix_sem_rdonly(struct ucred *cred, struct ksem *ksemptr, 2096 struct label *ks_label) 2097 { 2098 struct mac_biba *subj, *obj; 2099 2100 if (!mac_biba_enabled) 2101 return (0); 2102 2103 subj = SLOT(cred->cr_label); 2104 obj = SLOT(ks_label); 2105 2106 if (!mac_biba_dominate_effective(obj, subj)) 2107 return (EACCES); 2108 2109 return (0); 2110 } 2111 2112 static int 2113 mac_biba_check_proc_debug(struct ucred *cred, struct proc *proc) 2114 { 2115 struct mac_biba *subj, *obj; 2116 2117 if (!mac_biba_enabled) 2118 return (0); 2119 2120 subj = SLOT(cred->cr_label); 2121 obj = SLOT(proc->p_ucred->cr_label); 2122 2123 /* XXX: range checks */ 2124 if (!mac_biba_dominate_effective(obj, subj)) 2125 return (ESRCH); 2126 if (!mac_biba_dominate_effective(subj, obj)) 2127 return (EACCES); 2128 2129 return (0); 2130 } 2131 2132 static int 2133 mac_biba_check_proc_sched(struct ucred *cred, struct proc *proc) 2134 { 2135 struct mac_biba *subj, *obj; 2136 2137 if (!mac_biba_enabled) 2138 return (0); 2139 2140 subj = SLOT(cred->cr_label); 2141 obj = SLOT(proc->p_ucred->cr_label); 2142 2143 /* XXX: range checks */ 2144 if (!mac_biba_dominate_effective(obj, subj)) 2145 return (ESRCH); 2146 if (!mac_biba_dominate_effective(subj, obj)) 2147 return (EACCES); 2148 2149 return (0); 2150 } 2151 2152 static int 2153 mac_biba_check_proc_signal(struct ucred *cred, struct proc *proc, int signum) 2154 { 2155 struct mac_biba *subj, *obj; 2156 2157 if (!mac_biba_enabled) 2158 return (0); 2159 2160 subj = SLOT(cred->cr_label); 2161 obj = SLOT(proc->p_ucred->cr_label); 2162 2163 /* XXX: range checks */ 2164 if (!mac_biba_dominate_effective(obj, subj)) 2165 return (ESRCH); 2166 if (!mac_biba_dominate_effective(subj, obj)) 2167 return (EACCES); 2168 2169 return (0); 2170 } 2171 2172 static int 2173 mac_biba_check_socket_deliver(struct socket *so, struct label *socketlabel, 2174 struct mbuf *m, struct label *mbuflabel) 2175 { 2176 struct mac_biba *p, *s; 2177 2178 if (!mac_biba_enabled) 2179 return (0); 2180 2181 p = SLOT(mbuflabel); 2182 s = SLOT(socketlabel); 2183 2184 return (mac_biba_equal_effective(p, s) ? 0 : EACCES); 2185 } 2186 2187 static int 2188 mac_biba_check_socket_relabel(struct ucred *cred, struct socket *so, 2189 struct label *socketlabel, struct label *newlabel) 2190 { 2191 struct mac_biba *subj, *obj, *new; 2192 int error; 2193 2194 new = SLOT(newlabel); 2195 subj = SLOT(cred->cr_label); 2196 obj = SLOT(socketlabel); 2197 2198 /* 2199 * If there is a Biba label update for the socket, it may be 2200 * an update of effective. 2201 */ 2202 error = biba_atmostflags(new, MAC_BIBA_FLAG_EFFECTIVE); 2203 if (error) 2204 return (error); 2205 2206 /* 2207 * To relabel a socket, the old socket effective must be in the subject 2208 * range. 2209 */ 2210 if (!mac_biba_effective_in_range(obj, subj)) 2211 return (EPERM); 2212 2213 /* 2214 * If the Biba label is to be changed, authorize as appropriate. 2215 */ 2216 if (new->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) { 2217 /* 2218 * To relabel a socket, the new socket effective must be in 2219 * the subject range. 2220 */ 2221 if (!mac_biba_effective_in_range(new, subj)) 2222 return (EPERM); 2223 2224 /* 2225 * To change the Biba label on the socket to contain EQUAL, 2226 * the subject must have appropriate privilege. 2227 */ 2228 if (mac_biba_contains_equal(new)) { 2229 error = mac_biba_subject_privileged(subj); 2230 if (error) 2231 return (error); 2232 } 2233 } 2234 2235 return (0); 2236 } 2237 2238 static int 2239 mac_biba_check_socket_visible(struct ucred *cred, struct socket *socket, 2240 struct label *socketlabel) 2241 { 2242 struct mac_biba *subj, *obj; 2243 2244 if (!mac_biba_enabled) 2245 return (0); 2246 2247 subj = SLOT(cred->cr_label); 2248 obj = SLOT(socketlabel); 2249 2250 if (!mac_biba_dominate_effective(obj, subj)) 2251 return (ENOENT); 2252 2253 return (0); 2254 } 2255 2256 static int 2257 mac_biba_check_sysarch_ioperm(struct ucred *cred) 2258 { 2259 struct mac_biba *subj; 2260 int error; 2261 2262 if (!mac_biba_enabled) 2263 return (0); 2264 2265 subj = SLOT(cred->cr_label); 2266 2267 error = mac_biba_subject_privileged(subj); 2268 if (error) 2269 return (error); 2270 2271 return (0); 2272 } 2273 2274 static int 2275 mac_biba_check_system_acct(struct ucred *cred, struct vnode *vp, 2276 struct label *label) 2277 { 2278 struct mac_biba *subj, *obj; 2279 int error; 2280 2281 if (!mac_biba_enabled) 2282 return (0); 2283 2284 subj = SLOT(cred->cr_label); 2285 2286 error = mac_biba_subject_privileged(subj); 2287 if (error) 2288 return (error); 2289 2290 if (label == NULL) 2291 return (0); 2292 2293 obj = SLOT(label); 2294 if (!mac_biba_high_effective(obj)) 2295 return (EACCES); 2296 2297 return (0); 2298 } 2299 2300 static int 2301 mac_biba_check_system_settime(struct ucred *cred) 2302 { 2303 struct mac_biba *subj; 2304 int error; 2305 2306 if (!mac_biba_enabled) 2307 return (0); 2308 2309 subj = SLOT(cred->cr_label); 2310 2311 error = mac_biba_subject_privileged(subj); 2312 if (error) 2313 return (error); 2314 2315 return (0); 2316 } 2317 2318 static int 2319 mac_biba_check_system_swapon(struct ucred *cred, struct vnode *vp, 2320 struct label *label) 2321 { 2322 struct mac_biba *subj, *obj; 2323 int error; 2324 2325 if (!mac_biba_enabled) 2326 return (0); 2327 2328 subj = SLOT(cred->cr_label); 2329 obj = SLOT(label); 2330 2331 error = mac_biba_subject_privileged(subj); 2332 if (error) 2333 return (error); 2334 2335 if (!mac_biba_high_effective(obj)) 2336 return (EACCES); 2337 2338 return (0); 2339 } 2340 2341 static int 2342 mac_biba_check_system_swapoff(struct ucred *cred, struct vnode *vp, 2343 struct label *label) 2344 { 2345 struct mac_biba *subj, *obj; 2346 int error; 2347 2348 if (!mac_biba_enabled) 2349 return (0); 2350 2351 subj = SLOT(cred->cr_label); 2352 obj = SLOT(label); 2353 2354 error = mac_biba_subject_privileged(subj); 2355 if (error) 2356 return (error); 2357 2358 return (0); 2359 } 2360 2361 static int 2362 mac_biba_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp, 2363 void *arg1, int arg2, struct sysctl_req *req) 2364 { 2365 struct mac_biba *subj; 2366 int error; 2367 2368 if (!mac_biba_enabled) 2369 return (0); 2370 2371 subj = SLOT(cred->cr_label); 2372 2373 /* 2374 * Treat sysctl variables without CTLFLAG_ANYBODY flag as 2375 * biba/high, but also require privilege to change them. 2376 */ 2377 if (req->newptr != NULL && (oidp->oid_kind & CTLFLAG_ANYBODY) == 0) { 2378 if (!mac_biba_subject_dominate_high(subj)) 2379 return (EACCES); 2380 2381 error = mac_biba_subject_privileged(subj); 2382 if (error) 2383 return (error); 2384 } 2385 2386 return (0); 2387 } 2388 2389 static int 2390 mac_biba_check_vnode_chdir(struct ucred *cred, struct vnode *dvp, 2391 struct label *dlabel) 2392 { 2393 struct mac_biba *subj, *obj; 2394 2395 if (!mac_biba_enabled) 2396 return (0); 2397 2398 subj = SLOT(cred->cr_label); 2399 obj = SLOT(dlabel); 2400 2401 if (!mac_biba_dominate_effective(obj, subj)) 2402 return (EACCES); 2403 2404 return (0); 2405 } 2406 2407 static int 2408 mac_biba_check_vnode_chroot(struct ucred *cred, struct vnode *dvp, 2409 struct label *dlabel) 2410 { 2411 struct mac_biba *subj, *obj; 2412 2413 if (!mac_biba_enabled) 2414 return (0); 2415 2416 subj = SLOT(cred->cr_label); 2417 obj = SLOT(dlabel); 2418 2419 if (!mac_biba_dominate_effective(obj, subj)) 2420 return (EACCES); 2421 2422 return (0); 2423 } 2424 2425 static int 2426 mac_biba_check_vnode_create(struct ucred *cred, struct vnode *dvp, 2427 struct label *dlabel, struct componentname *cnp, struct vattr *vap) 2428 { 2429 struct mac_biba *subj, *obj; 2430 2431 if (!mac_biba_enabled) 2432 return (0); 2433 2434 subj = SLOT(cred->cr_label); 2435 obj = SLOT(dlabel); 2436 2437 if (!mac_biba_dominate_effective(subj, obj)) 2438 return (EACCES); 2439 2440 return (0); 2441 } 2442 2443 static int 2444 mac_biba_check_vnode_delete(struct ucred *cred, struct vnode *dvp, 2445 struct label *dlabel, struct vnode *vp, struct label *label, 2446 struct componentname *cnp) 2447 { 2448 struct mac_biba *subj, *obj; 2449 2450 if (!mac_biba_enabled) 2451 return (0); 2452 2453 subj = SLOT(cred->cr_label); 2454 obj = SLOT(dlabel); 2455 2456 if (!mac_biba_dominate_effective(subj, obj)) 2457 return (EACCES); 2458 2459 obj = SLOT(label); 2460 2461 if (!mac_biba_dominate_effective(subj, obj)) 2462 return (EACCES); 2463 2464 return (0); 2465 } 2466 2467 static int 2468 mac_biba_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp, 2469 struct label *label, acl_type_t type) 2470 { 2471 struct mac_biba *subj, *obj; 2472 2473 if (!mac_biba_enabled) 2474 return (0); 2475 2476 subj = SLOT(cred->cr_label); 2477 obj = SLOT(label); 2478 2479 if (!mac_biba_dominate_effective(subj, obj)) 2480 return (EACCES); 2481 2482 return (0); 2483 } 2484 2485 static int 2486 mac_biba_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp, 2487 struct label *label, int attrnamespace, const char *name) 2488 { 2489 struct mac_biba *subj, *obj; 2490 2491 if (!mac_biba_enabled) 2492 return (0); 2493 2494 subj = SLOT(cred->cr_label); 2495 obj = SLOT(label); 2496 2497 if (!mac_biba_dominate_effective(subj, obj)) 2498 return (EACCES); 2499 2500 return (0); 2501 } 2502 2503 static int 2504 mac_biba_check_vnode_exec(struct ucred *cred, struct vnode *vp, 2505 struct label *label, struct image_params *imgp, 2506 struct label *execlabel) 2507 { 2508 struct mac_biba *subj, *obj, *exec; 2509 int error; 2510 2511 if (execlabel != NULL) { 2512 /* 2513 * We currently don't permit labels to be changed at 2514 * exec-time as part of Biba, so disallow non-NULL 2515 * Biba label elements in the execlabel. 2516 */ 2517 exec = SLOT(execlabel); 2518 error = biba_atmostflags(exec, 0); 2519 if (error) 2520 return (error); 2521 } 2522 2523 if (!mac_biba_enabled) 2524 return (0); 2525 2526 subj = SLOT(cred->cr_label); 2527 obj = SLOT(label); 2528 2529 if (!mac_biba_dominate_effective(obj, subj)) 2530 return (EACCES); 2531 2532 return (0); 2533 } 2534 2535 static int 2536 mac_biba_check_vnode_getacl(struct ucred *cred, struct vnode *vp, 2537 struct label *label, acl_type_t type) 2538 { 2539 struct mac_biba *subj, *obj; 2540 2541 if (!mac_biba_enabled) 2542 return (0); 2543 2544 subj = SLOT(cred->cr_label); 2545 obj = SLOT(label); 2546 2547 if (!mac_biba_dominate_effective(obj, subj)) 2548 return (EACCES); 2549 2550 return (0); 2551 } 2552 2553 static int 2554 mac_biba_check_vnode_getextattr(struct ucred *cred, struct vnode *vp, 2555 struct label *label, int attrnamespace, const char *name, struct uio *uio) 2556 { 2557 struct mac_biba *subj, *obj; 2558 2559 if (!mac_biba_enabled) 2560 return (0); 2561 2562 subj = SLOT(cred->cr_label); 2563 obj = SLOT(label); 2564 2565 if (!mac_biba_dominate_effective(obj, subj)) 2566 return (EACCES); 2567 2568 return (0); 2569 } 2570 2571 static int 2572 mac_biba_check_vnode_link(struct ucred *cred, struct vnode *dvp, 2573 struct label *dlabel, struct vnode *vp, struct label *label, 2574 struct componentname *cnp) 2575 { 2576 struct mac_biba *subj, *obj; 2577 2578 if (!mac_biba_enabled) 2579 return (0); 2580 2581 subj = SLOT(cred->cr_label); 2582 obj = SLOT(dlabel); 2583 2584 if (!mac_biba_dominate_effective(subj, obj)) 2585 return (EACCES); 2586 2587 obj = SLOT(label); 2588 2589 if (!mac_biba_dominate_effective(subj, obj)) 2590 return (EACCES); 2591 2592 return (0); 2593 } 2594 2595 static int 2596 mac_biba_check_vnode_listextattr(struct ucred *cred, struct vnode *vp, 2597 struct label *label, int attrnamespace) 2598 { 2599 struct mac_biba *subj, *obj; 2600 2601 if (!mac_biba_enabled) 2602 return (0); 2603 2604 subj = SLOT(cred->cr_label); 2605 obj = SLOT(label); 2606 2607 if (!mac_biba_dominate_effective(obj, subj)) 2608 return (EACCES); 2609 2610 return (0); 2611 } 2612 2613 static int 2614 mac_biba_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, 2615 struct label *dlabel, struct componentname *cnp) 2616 { 2617 struct mac_biba *subj, *obj; 2618 2619 if (!mac_biba_enabled) 2620 return (0); 2621 2622 subj = SLOT(cred->cr_label); 2623 obj = SLOT(dlabel); 2624 2625 if (!mac_biba_dominate_effective(obj, subj)) 2626 return (EACCES); 2627 2628 return (0); 2629 } 2630 2631 static int 2632 mac_biba_check_vnode_mmap(struct ucred *cred, struct vnode *vp, 2633 struct label *label, int prot, int flags) 2634 { 2635 struct mac_biba *subj, *obj; 2636 2637 /* 2638 * Rely on the use of open()-time protections to handle 2639 * non-revocation cases. 2640 */ 2641 if (!mac_biba_enabled || !revocation_enabled) 2642 return (0); 2643 2644 subj = SLOT(cred->cr_label); 2645 obj = SLOT(label); 2646 2647 if (prot & (VM_PROT_READ | VM_PROT_EXECUTE)) { 2648 if (!mac_biba_dominate_effective(obj, subj)) 2649 return (EACCES); 2650 } 2651 if (((prot & VM_PROT_WRITE) != 0) && ((flags & MAP_SHARED) != 0)) { 2652 if (!mac_biba_dominate_effective(subj, obj)) 2653 return (EACCES); 2654 } 2655 2656 return (0); 2657 } 2658 2659 static int 2660 mac_biba_check_vnode_open(struct ucred *cred, struct vnode *vp, 2661 struct label *vnodelabel, int acc_mode) 2662 { 2663 struct mac_biba *subj, *obj; 2664 2665 if (!mac_biba_enabled) 2666 return (0); 2667 2668 subj = SLOT(cred->cr_label); 2669 obj = SLOT(vnodelabel); 2670 2671 /* XXX privilege override for admin? */ 2672 if (acc_mode & (VREAD | VEXEC | VSTAT)) { 2673 if (!mac_biba_dominate_effective(obj, subj)) 2674 return (EACCES); 2675 } 2676 if (acc_mode & (VWRITE | VAPPEND | VADMIN)) { 2677 if (!mac_biba_dominate_effective(subj, obj)) 2678 return (EACCES); 2679 } 2680 2681 return (0); 2682 } 2683 2684 static int 2685 mac_biba_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred, 2686 struct vnode *vp, struct label *label) 2687 { 2688 struct mac_biba *subj, *obj; 2689 2690 if (!mac_biba_enabled || !revocation_enabled) 2691 return (0); 2692 2693 subj = SLOT(active_cred->cr_label); 2694 obj = SLOT(label); 2695 2696 if (!mac_biba_dominate_effective(obj, subj)) 2697 return (EACCES); 2698 2699 return (0); 2700 } 2701 2702 static int 2703 mac_biba_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred, 2704 struct vnode *vp, struct label *label) 2705 { 2706 struct mac_biba *subj, *obj; 2707 2708 if (!mac_biba_enabled || !revocation_enabled) 2709 return (0); 2710 2711 subj = SLOT(active_cred->cr_label); 2712 obj = SLOT(label); 2713 2714 if (!mac_biba_dominate_effective(obj, subj)) 2715 return (EACCES); 2716 2717 return (0); 2718 } 2719 2720 static int 2721 mac_biba_check_vnode_readdir(struct ucred *cred, struct vnode *dvp, 2722 struct label *dlabel) 2723 { 2724 struct mac_biba *subj, *obj; 2725 2726 if (!mac_biba_enabled) 2727 return (0); 2728 2729 subj = SLOT(cred->cr_label); 2730 obj = SLOT(dlabel); 2731 2732 if (!mac_biba_dominate_effective(obj, subj)) 2733 return (EACCES); 2734 2735 return (0); 2736 } 2737 2738 static int 2739 mac_biba_check_vnode_readlink(struct ucred *cred, struct vnode *vp, 2740 struct label *label) 2741 { 2742 struct mac_biba *subj, *obj; 2743 2744 if (!mac_biba_enabled) 2745 return (0); 2746 2747 subj = SLOT(cred->cr_label); 2748 obj = SLOT(label); 2749 2750 if (!mac_biba_dominate_effective(obj, subj)) 2751 return (EACCES); 2752 2753 return (0); 2754 } 2755 2756 static int 2757 mac_biba_check_vnode_relabel(struct ucred *cred, struct vnode *vp, 2758 struct label *vnodelabel, struct label *newlabel) 2759 { 2760 struct mac_biba *old, *new, *subj; 2761 int error; 2762 2763 old = SLOT(vnodelabel); 2764 new = SLOT(newlabel); 2765 subj = SLOT(cred->cr_label); 2766 2767 /* 2768 * If there is a Biba label update for the vnode, it must be a 2769 * effective label. 2770 */ 2771 error = biba_atmostflags(new, MAC_BIBA_FLAG_EFFECTIVE); 2772 if (error) 2773 return (error); 2774 2775 /* 2776 * To perform a relabel of the vnode (Biba label or not), Biba must 2777 * authorize the relabel. 2778 */ 2779 if (!mac_biba_effective_in_range(old, subj)) 2780 return (EPERM); 2781 2782 /* 2783 * If the Biba label is to be changed, authorize as appropriate. 2784 */ 2785 if (new->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) { 2786 /* 2787 * To change the Biba label on a vnode, the new vnode label 2788 * must be in the subject range. 2789 */ 2790 if (!mac_biba_effective_in_range(new, subj)) 2791 return (EPERM); 2792 2793 /* 2794 * To change the Biba label on the vnode to be EQUAL, 2795 * the subject must have appropriate privilege. 2796 */ 2797 if (mac_biba_contains_equal(new)) { 2798 error = mac_biba_subject_privileged(subj); 2799 if (error) 2800 return (error); 2801 } 2802 } 2803 2804 return (0); 2805 } 2806 2807 static int 2808 mac_biba_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp, 2809 struct label *dlabel, struct vnode *vp, struct label *label, 2810 struct componentname *cnp) 2811 { 2812 struct mac_biba *subj, *obj; 2813 2814 if (!mac_biba_enabled) 2815 return (0); 2816 2817 subj = SLOT(cred->cr_label); 2818 obj = SLOT(dlabel); 2819 2820 if (!mac_biba_dominate_effective(subj, obj)) 2821 return (EACCES); 2822 2823 obj = SLOT(label); 2824 2825 if (!mac_biba_dominate_effective(subj, obj)) 2826 return (EACCES); 2827 2828 return (0); 2829 } 2830 2831 static int 2832 mac_biba_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp, 2833 struct label *dlabel, struct vnode *vp, struct label *label, int samedir, 2834 struct componentname *cnp) 2835 { 2836 struct mac_biba *subj, *obj; 2837 2838 if (!mac_biba_enabled) 2839 return (0); 2840 2841 subj = SLOT(cred->cr_label); 2842 obj = SLOT(dlabel); 2843 2844 if (!mac_biba_dominate_effective(subj, obj)) 2845 return (EACCES); 2846 2847 if (vp != NULL) { 2848 obj = SLOT(label); 2849 2850 if (!mac_biba_dominate_effective(subj, obj)) 2851 return (EACCES); 2852 } 2853 2854 return (0); 2855 } 2856 2857 static int 2858 mac_biba_check_vnode_revoke(struct ucred *cred, struct vnode *vp, 2859 struct label *label) 2860 { 2861 struct mac_biba *subj, *obj; 2862 2863 if (!mac_biba_enabled) 2864 return (0); 2865 2866 subj = SLOT(cred->cr_label); 2867 obj = SLOT(label); 2868 2869 if (!mac_biba_dominate_effective(subj, obj)) 2870 return (EACCES); 2871 2872 return (0); 2873 } 2874 2875 static int 2876 mac_biba_check_vnode_setacl(struct ucred *cred, struct vnode *vp, 2877 struct label *label, acl_type_t type, struct acl *acl) 2878 { 2879 struct mac_biba *subj, *obj; 2880 2881 if (!mac_biba_enabled) 2882 return (0); 2883 2884 subj = SLOT(cred->cr_label); 2885 obj = SLOT(label); 2886 2887 if (!mac_biba_dominate_effective(subj, obj)) 2888 return (EACCES); 2889 2890 return (0); 2891 } 2892 2893 static int 2894 mac_biba_check_vnode_setextattr(struct ucred *cred, struct vnode *vp, 2895 struct label *vnodelabel, int attrnamespace, const char *name, 2896 struct uio *uio) 2897 { 2898 struct mac_biba *subj, *obj; 2899 2900 if (!mac_biba_enabled) 2901 return (0); 2902 2903 subj = SLOT(cred->cr_label); 2904 obj = SLOT(vnodelabel); 2905 2906 if (!mac_biba_dominate_effective(subj, obj)) 2907 return (EACCES); 2908 2909 /* XXX: protect the MAC EA in a special way? */ 2910 2911 return (0); 2912 } 2913 2914 static int 2915 mac_biba_check_vnode_setflags(struct ucred *cred, struct vnode *vp, 2916 struct label *vnodelabel, u_long flags) 2917 { 2918 struct mac_biba *subj, *obj; 2919 2920 if (!mac_biba_enabled) 2921 return (0); 2922 2923 subj = SLOT(cred->cr_label); 2924 obj = SLOT(vnodelabel); 2925 2926 if (!mac_biba_dominate_effective(subj, obj)) 2927 return (EACCES); 2928 2929 return (0); 2930 } 2931 2932 static int 2933 mac_biba_check_vnode_setmode(struct ucred *cred, struct vnode *vp, 2934 struct label *vnodelabel, mode_t mode) 2935 { 2936 struct mac_biba *subj, *obj; 2937 2938 if (!mac_biba_enabled) 2939 return (0); 2940 2941 subj = SLOT(cred->cr_label); 2942 obj = SLOT(vnodelabel); 2943 2944 if (!mac_biba_dominate_effective(subj, obj)) 2945 return (EACCES); 2946 2947 return (0); 2948 } 2949 2950 static int 2951 mac_biba_check_vnode_setowner(struct ucred *cred, struct vnode *vp, 2952 struct label *vnodelabel, uid_t uid, gid_t gid) 2953 { 2954 struct mac_biba *subj, *obj; 2955 2956 if (!mac_biba_enabled) 2957 return (0); 2958 2959 subj = SLOT(cred->cr_label); 2960 obj = SLOT(vnodelabel); 2961 2962 if (!mac_biba_dominate_effective(subj, obj)) 2963 return (EACCES); 2964 2965 return (0); 2966 } 2967 2968 static int 2969 mac_biba_check_vnode_setutimes(struct ucred *cred, struct vnode *vp, 2970 struct label *vnodelabel, struct timespec atime, struct timespec mtime) 2971 { 2972 struct mac_biba *subj, *obj; 2973 2974 if (!mac_biba_enabled) 2975 return (0); 2976 2977 subj = SLOT(cred->cr_label); 2978 obj = SLOT(vnodelabel); 2979 2980 if (!mac_biba_dominate_effective(subj, obj)) 2981 return (EACCES); 2982 2983 return (0); 2984 } 2985 2986 static int 2987 mac_biba_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred, 2988 struct vnode *vp, struct label *vnodelabel) 2989 { 2990 struct mac_biba *subj, *obj; 2991 2992 if (!mac_biba_enabled) 2993 return (0); 2994 2995 subj = SLOT(active_cred->cr_label); 2996 obj = SLOT(vnodelabel); 2997 2998 if (!mac_biba_dominate_effective(obj, subj)) 2999 return (EACCES); 3000 3001 return (0); 3002 } 3003 3004 static int 3005 mac_biba_check_vnode_write(struct ucred *active_cred, 3006 struct ucred *file_cred, struct vnode *vp, struct label *label) 3007 { 3008 struct mac_biba *subj, *obj; 3009 3010 if (!mac_biba_enabled || !revocation_enabled) 3011 return (0); 3012 3013 subj = SLOT(active_cred->cr_label); 3014 obj = SLOT(label); 3015 3016 if (!mac_biba_dominate_effective(subj, obj)) 3017 return (EACCES); 3018 3019 return (0); 3020 } 3021 3022 static int 3023 mac_biba_associate_nfsd_label(struct ucred *cred) 3024 { 3025 struct mac_biba *label; 3026 3027 label = SLOT(cred->cr_label); 3028 mac_biba_set_effective(label, MAC_BIBA_TYPE_LOW, 0, NULL); 3029 mac_biba_set_range(label, MAC_BIBA_TYPE_LOW, 0, NULL, 3030 MAC_BIBA_TYPE_HIGH, 0, NULL); 3031 return (0); 3032 } 3033 3034 static struct mac_policy_ops mac_biba_ops = 3035 { 3036 .mpo_init = mac_biba_init, 3037 .mpo_init_bpfdesc_label = mac_biba_init_label, 3038 .mpo_init_cred_label = mac_biba_init_label, 3039 .mpo_init_devfsdirent_label = mac_biba_init_label, 3040 .mpo_init_ifnet_label = mac_biba_init_label, 3041 .mpo_init_inpcb_label = mac_biba_init_label_waitcheck, 3042 .mpo_init_sysv_msgmsg_label = mac_biba_init_label, 3043 .mpo_init_sysv_msgqueue_label = mac_biba_init_label, 3044 .mpo_init_sysv_sem_label = mac_biba_init_label, 3045 .mpo_init_sysv_shm_label = mac_biba_init_label, 3046 .mpo_init_ipq_label = mac_biba_init_label_waitcheck, 3047 .mpo_init_mbuf_label = mac_biba_init_label_waitcheck, 3048 .mpo_init_mount_label = mac_biba_init_label, 3049 .mpo_init_mount_fs_label = mac_biba_init_label, 3050 .mpo_init_pipe_label = mac_biba_init_label, 3051 .mpo_init_posix_sem_label = mac_biba_init_label, 3052 .mpo_init_socket_label = mac_biba_init_label_waitcheck, 3053 .mpo_init_socket_peer_label = mac_biba_init_label_waitcheck, 3054 .mpo_init_vnode_label = mac_biba_init_label, 3055 .mpo_destroy_bpfdesc_label = mac_biba_destroy_label, 3056 .mpo_destroy_cred_label = mac_biba_destroy_label, 3057 .mpo_destroy_devfsdirent_label = mac_biba_destroy_label, 3058 .mpo_destroy_ifnet_label = mac_biba_destroy_label, 3059 .mpo_destroy_inpcb_label = mac_biba_destroy_label, 3060 .mpo_destroy_sysv_msgmsg_label = mac_biba_destroy_label, 3061 .mpo_destroy_sysv_msgqueue_label = mac_biba_destroy_label, 3062 .mpo_destroy_sysv_sem_label = mac_biba_destroy_label, 3063 .mpo_destroy_sysv_shm_label = mac_biba_destroy_label, 3064 .mpo_destroy_ipq_label = mac_biba_destroy_label, 3065 .mpo_destroy_mbuf_label = mac_biba_destroy_label, 3066 .mpo_destroy_mount_label = mac_biba_destroy_label, 3067 .mpo_destroy_mount_fs_label = mac_biba_destroy_label, 3068 .mpo_destroy_pipe_label = mac_biba_destroy_label, 3069 .mpo_destroy_posix_sem_label = mac_biba_destroy_label, 3070 .mpo_destroy_socket_label = mac_biba_destroy_label, 3071 .mpo_destroy_socket_peer_label = mac_biba_destroy_label, 3072 .mpo_destroy_vnode_label = mac_biba_destroy_label, 3073 .mpo_copy_cred_label = mac_biba_copy_label, 3074 .mpo_copy_ifnet_label = mac_biba_copy_label, 3075 .mpo_copy_mbuf_label = mac_biba_copy_label, 3076 .mpo_copy_pipe_label = mac_biba_copy_label, 3077 .mpo_copy_socket_label = mac_biba_copy_label, 3078 .mpo_copy_vnode_label = mac_biba_copy_label, 3079 .mpo_externalize_cred_label = mac_biba_externalize_label, 3080 .mpo_externalize_ifnet_label = mac_biba_externalize_label, 3081 .mpo_externalize_pipe_label = mac_biba_externalize_label, 3082 .mpo_externalize_socket_label = mac_biba_externalize_label, 3083 .mpo_externalize_socket_peer_label = mac_biba_externalize_label, 3084 .mpo_externalize_vnode_label = mac_biba_externalize_label, 3085 .mpo_internalize_cred_label = mac_biba_internalize_label, 3086 .mpo_internalize_ifnet_label = mac_biba_internalize_label, 3087 .mpo_internalize_pipe_label = mac_biba_internalize_label, 3088 .mpo_internalize_socket_label = mac_biba_internalize_label, 3089 .mpo_internalize_vnode_label = mac_biba_internalize_label, 3090 .mpo_create_devfs_device = mac_biba_create_devfs_device, 3091 .mpo_create_devfs_directory = mac_biba_create_devfs_directory, 3092 .mpo_create_devfs_symlink = mac_biba_create_devfs_symlink, 3093 .mpo_create_mount = mac_biba_create_mount, 3094 .mpo_relabel_vnode = mac_biba_relabel_vnode, 3095 .mpo_update_devfsdirent = mac_biba_update_devfsdirent, 3096 .mpo_associate_vnode_devfs = mac_biba_associate_vnode_devfs, 3097 .mpo_associate_vnode_extattr = mac_biba_associate_vnode_extattr, 3098 .mpo_associate_vnode_singlelabel = mac_biba_associate_vnode_singlelabel, 3099 .mpo_create_vnode_extattr = mac_biba_create_vnode_extattr, 3100 .mpo_setlabel_vnode_extattr = mac_biba_setlabel_vnode_extattr, 3101 .mpo_create_mbuf_from_socket = mac_biba_create_mbuf_from_socket, 3102 .mpo_create_pipe = mac_biba_create_pipe, 3103 .mpo_create_posix_sem = mac_biba_create_posix_sem, 3104 .mpo_create_socket = mac_biba_create_socket, 3105 .mpo_create_socket_from_socket = mac_biba_create_socket_from_socket, 3106 .mpo_relabel_pipe = mac_biba_relabel_pipe, 3107 .mpo_relabel_socket = mac_biba_relabel_socket, 3108 .mpo_set_socket_peer_from_mbuf = mac_biba_set_socket_peer_from_mbuf, 3109 .mpo_set_socket_peer_from_socket = mac_biba_set_socket_peer_from_socket, 3110 .mpo_create_bpfdesc = mac_biba_create_bpfdesc, 3111 .mpo_create_datagram_from_ipq = mac_biba_create_datagram_from_ipq, 3112 .mpo_create_fragment = mac_biba_create_fragment, 3113 .mpo_create_ifnet = mac_biba_create_ifnet, 3114 .mpo_create_inpcb_from_socket = mac_biba_create_inpcb_from_socket, 3115 .mpo_create_sysv_msgmsg = mac_biba_create_sysv_msgmsg, 3116 .mpo_create_sysv_msgqueue = mac_biba_create_sysv_msgqueue, 3117 .mpo_create_sysv_sem = mac_biba_create_sysv_sem, 3118 .mpo_create_sysv_shm = mac_biba_create_sysv_shm, 3119 .mpo_create_ipq = mac_biba_create_ipq, 3120 .mpo_create_mbuf_from_inpcb = mac_biba_create_mbuf_from_inpcb, 3121 .mpo_create_mbuf_linklayer = mac_biba_create_mbuf_linklayer, 3122 .mpo_create_mbuf_from_bpfdesc = mac_biba_create_mbuf_from_bpfdesc, 3123 .mpo_create_mbuf_from_ifnet = mac_biba_create_mbuf_from_ifnet, 3124 .mpo_create_mbuf_multicast_encap = mac_biba_create_mbuf_multicast_encap, 3125 .mpo_create_mbuf_netlayer = mac_biba_create_mbuf_netlayer, 3126 .mpo_fragment_match = mac_biba_fragment_match, 3127 .mpo_relabel_ifnet = mac_biba_relabel_ifnet, 3128 .mpo_update_ipq = mac_biba_update_ipq, 3129 .mpo_inpcb_sosetlabel = mac_biba_inpcb_sosetlabel, 3130 .mpo_create_proc0 = mac_biba_create_proc0, 3131 .mpo_create_proc1 = mac_biba_create_proc1, 3132 .mpo_relabel_cred = mac_biba_relabel_cred, 3133 .mpo_cleanup_sysv_msgmsg = mac_biba_cleanup_sysv_msgmsg, 3134 .mpo_cleanup_sysv_msgqueue = mac_biba_cleanup_sysv_msgqueue, 3135 .mpo_cleanup_sysv_sem = mac_biba_cleanup_sysv_sem, 3136 .mpo_cleanup_sysv_shm = mac_biba_cleanup_sysv_shm, 3137 .mpo_check_bpfdesc_receive = mac_biba_check_bpfdesc_receive, 3138 .mpo_check_cred_relabel = mac_biba_check_cred_relabel, 3139 .mpo_check_cred_visible = mac_biba_check_cred_visible, 3140 .mpo_check_ifnet_relabel = mac_biba_check_ifnet_relabel, 3141 .mpo_check_ifnet_transmit = mac_biba_check_ifnet_transmit, 3142 .mpo_check_inpcb_deliver = mac_biba_check_inpcb_deliver, 3143 .mpo_check_sysv_msgrcv = mac_biba_check_sysv_msgrcv, 3144 .mpo_check_sysv_msgrmid = mac_biba_check_sysv_msgrmid, 3145 .mpo_check_sysv_msqget = mac_biba_check_sysv_msqget, 3146 .mpo_check_sysv_msqsnd = mac_biba_check_sysv_msqsnd, 3147 .mpo_check_sysv_msqrcv = mac_biba_check_sysv_msqrcv, 3148 .mpo_check_sysv_msqctl = mac_biba_check_sysv_msqctl, 3149 .mpo_check_sysv_semctl = mac_biba_check_sysv_semctl, 3150 .mpo_check_sysv_semget = mac_biba_check_sysv_semget, 3151 .mpo_check_sysv_semop = mac_biba_check_sysv_semop, 3152 .mpo_check_sysv_shmat = mac_biba_check_sysv_shmat, 3153 .mpo_check_sysv_shmctl = mac_biba_check_sysv_shmctl, 3154 .mpo_check_sysv_shmget = mac_biba_check_sysv_shmget, 3155 .mpo_check_kld_load = mac_biba_check_kld_load, 3156 .mpo_check_kld_unload = mac_biba_check_kld_unload, 3157 .mpo_check_mount_stat = mac_biba_check_mount_stat, 3158 .mpo_check_pipe_ioctl = mac_biba_check_pipe_ioctl, 3159 .mpo_check_pipe_poll = mac_biba_check_pipe_poll, 3160 .mpo_check_pipe_read = mac_biba_check_pipe_read, 3161 .mpo_check_pipe_relabel = mac_biba_check_pipe_relabel, 3162 .mpo_check_pipe_stat = mac_biba_check_pipe_stat, 3163 .mpo_check_pipe_write = mac_biba_check_pipe_write, 3164 .mpo_check_posix_sem_destroy = mac_biba_check_posix_sem_write, 3165 .mpo_check_posix_sem_getvalue = mac_biba_check_posix_sem_rdonly, 3166 .mpo_check_posix_sem_open = mac_biba_check_posix_sem_write, 3167 .mpo_check_posix_sem_post = mac_biba_check_posix_sem_write, 3168 .mpo_check_posix_sem_unlink = mac_biba_check_posix_sem_write, 3169 .mpo_check_posix_sem_wait = mac_biba_check_posix_sem_write, 3170 .mpo_check_proc_debug = mac_biba_check_proc_debug, 3171 .mpo_check_proc_sched = mac_biba_check_proc_sched, 3172 .mpo_check_proc_signal = mac_biba_check_proc_signal, 3173 .mpo_check_socket_deliver = mac_biba_check_socket_deliver, 3174 .mpo_check_socket_relabel = mac_biba_check_socket_relabel, 3175 .mpo_check_socket_visible = mac_biba_check_socket_visible, 3176 .mpo_check_sysarch_ioperm = mac_biba_check_sysarch_ioperm, 3177 .mpo_check_system_acct = mac_biba_check_system_acct, 3178 .mpo_check_system_settime = mac_biba_check_system_settime, 3179 .mpo_check_system_swapon = mac_biba_check_system_swapon, 3180 .mpo_check_system_swapoff = mac_biba_check_system_swapoff, 3181 .mpo_check_system_sysctl = mac_biba_check_system_sysctl, 3182 .mpo_check_vnode_access = mac_biba_check_vnode_open, 3183 .mpo_check_vnode_chdir = mac_biba_check_vnode_chdir, 3184 .mpo_check_vnode_chroot = mac_biba_check_vnode_chroot, 3185 .mpo_check_vnode_create = mac_biba_check_vnode_create, 3186 .mpo_check_vnode_delete = mac_biba_check_vnode_delete, 3187 .mpo_check_vnode_deleteacl = mac_biba_check_vnode_deleteacl, 3188 .mpo_check_vnode_deleteextattr = mac_biba_check_vnode_deleteextattr, 3189 .mpo_check_vnode_exec = mac_biba_check_vnode_exec, 3190 .mpo_check_vnode_getacl = mac_biba_check_vnode_getacl, 3191 .mpo_check_vnode_getextattr = mac_biba_check_vnode_getextattr, 3192 .mpo_check_vnode_link = mac_biba_check_vnode_link, 3193 .mpo_check_vnode_listextattr = mac_biba_check_vnode_listextattr, 3194 .mpo_check_vnode_lookup = mac_biba_check_vnode_lookup, 3195 .mpo_check_vnode_mmap = mac_biba_check_vnode_mmap, 3196 .mpo_check_vnode_open = mac_biba_check_vnode_open, 3197 .mpo_check_vnode_poll = mac_biba_check_vnode_poll, 3198 .mpo_check_vnode_read = mac_biba_check_vnode_read, 3199 .mpo_check_vnode_readdir = mac_biba_check_vnode_readdir, 3200 .mpo_check_vnode_readlink = mac_biba_check_vnode_readlink, 3201 .mpo_check_vnode_relabel = mac_biba_check_vnode_relabel, 3202 .mpo_check_vnode_rename_from = mac_biba_check_vnode_rename_from, 3203 .mpo_check_vnode_rename_to = mac_biba_check_vnode_rename_to, 3204 .mpo_check_vnode_revoke = mac_biba_check_vnode_revoke, 3205 .mpo_check_vnode_setacl = mac_biba_check_vnode_setacl, 3206 .mpo_check_vnode_setextattr = mac_biba_check_vnode_setextattr, 3207 .mpo_check_vnode_setflags = mac_biba_check_vnode_setflags, 3208 .mpo_check_vnode_setmode = mac_biba_check_vnode_setmode, 3209 .mpo_check_vnode_setowner = mac_biba_check_vnode_setowner, 3210 .mpo_check_vnode_setutimes = mac_biba_check_vnode_setutimes, 3211 .mpo_check_vnode_stat = mac_biba_check_vnode_stat, 3212 .mpo_check_vnode_write = mac_biba_check_vnode_write, 3213 .mpo_associate_nfsd_label = mac_biba_associate_nfsd_label, 3214 }; 3215 3216 MAC_POLICY_SET(&mac_biba_ops, mac_biba, "TrustedBSD MAC/Biba", 3217 MPC_LOADTIME_FLAG_NOTLATE | MPC_LOADTIME_FLAG_LABELMBUFS, &mac_biba_slot); 3218