1 /*- 2 * Copyright (c) 1999-2002 Robert N. M. Watson 3 * Copyright (c) 2001-2003 Networks Associates Technology, Inc. 4 * All rights reserved. 5 * 6 * This software was developed by Robert Watson for the TrustedBSD Project. 7 * 8 * This software was developed for the FreeBSD Project in part by Network 9 * Associates Laboratories, the Security Research Division of Network 10 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), 11 * as part of the DARPA CHATS research program. 12 * 13 * Redistribution and use in source and binary forms, with or without 14 * modification, are permitted provided that the following conditions 15 * are met: 16 * 1. Redistributions of source code must retain the above copyright 17 * notice, this list of conditions and the following disclaimer. 18 * 2. Redistributions in binary form must reproduce the above copyright 19 * notice, this list of conditions and the following disclaimer in the 20 * documentation and/or other materials provided with the distribution. 21 * 22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 25 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 32 * SUCH DAMAGE. 33 * 34 * $FreeBSD$ 35 */ 36 /* 37 * Developed by the TrustedBSD Project. 38 * "BSD Extended" MAC policy, allowing the administrator to impose 39 * mandatory rules regarding users and some system objects. 40 * 41 * XXX: Much locking support required here. 42 */ 43 44 #include <sys/types.h> 45 #include <sys/param.h> 46 #include <sys/acl.h> 47 #include <sys/conf.h> 48 #include <sys/kernel.h> 49 #include <sys/mac.h> 50 #include <sys/malloc.h> 51 #include <sys/mount.h> 52 #include <sys/proc.h> 53 #include <sys/systm.h> 54 #include <sys/sysproto.h> 55 #include <sys/sysent.h> 56 #include <sys/vnode.h> 57 #include <sys/file.h> 58 #include <sys/socket.h> 59 #include <sys/socketvar.h> 60 #include <sys/sysctl.h> 61 62 #include <net/bpfdesc.h> 63 #include <net/if.h> 64 #include <net/if_types.h> 65 #include <net/if_var.h> 66 67 #include <vm/vm.h> 68 69 #include <sys/mac_policy.h> 70 71 #include <security/mac_bsdextended/mac_bsdextended.h> 72 73 SYSCTL_DECL(_security_mac); 74 75 SYSCTL_NODE(_security_mac, OID_AUTO, bsdextended, CTLFLAG_RW, 0, 76 "TrustedBSD extended BSD MAC policy controls"); 77 78 static int mac_bsdextended_enabled = 1; 79 SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, enabled, CTLFLAG_RW, 80 &mac_bsdextended_enabled, 0, "Enforce extended BSD policy"); 81 TUNABLE_INT("security.mac.bsdextended.enabled", &mac_bsdextended_enabled); 82 83 MALLOC_DEFINE(M_MACBSDEXTENDED, "mac_bsdextended", "BSD Extended MAC rule"); 84 85 #define MAC_BSDEXTENDED_MAXRULES 250 86 static struct mac_bsdextended_rule *rules[MAC_BSDEXTENDED_MAXRULES]; 87 static int rule_count = 0; 88 static int rule_slots = 0; 89 90 SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, rule_count, CTLFLAG_RD, 91 &rule_count, 0, "Number of defined rules\n"); 92 SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, rule_slots, CTLFLAG_RD, 93 &rule_slots, 0, "Number of used rule slots\n"); 94 95 static int mac_bsdextended_debugging; 96 SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, debugging, CTLFLAG_RW, 97 &mac_bsdextended_debugging, 0, "Enable debugging on failure"); 98 99 static int 100 mac_bsdextended_rule_valid(struct mac_bsdextended_rule *rule) 101 { 102 103 if ((rule->mbr_subject.mbi_flags | MBI_BITS) != MBI_BITS) 104 return (EINVAL); 105 106 if ((rule->mbr_object.mbi_flags | MBI_BITS) != MBI_BITS) 107 return (EINVAL); 108 109 if ((rule->mbr_mode | VALLPERM) != VALLPERM) 110 return (EINVAL); 111 112 return (0); 113 } 114 115 static int 116 sysctl_rule(SYSCTL_HANDLER_ARGS) 117 { 118 struct mac_bsdextended_rule temprule, *ruleptr; 119 u_int namelen; 120 int error, index, *name; 121 122 name = (int *)arg1; 123 namelen = arg2; 124 125 /* printf("bsdextended sysctl handler (namelen %d)\n", namelen); */ 126 127 if (namelen != 1) 128 return (EINVAL); 129 130 index = name[0]; 131 if (index < 0 || index > rule_slots + 1) 132 return (ENOENT); 133 if (rule_slots >= MAC_BSDEXTENDED_MAXRULES) 134 return (ENOENT); 135 136 if (req->oldptr) { 137 if (rules[index] == NULL) 138 return (ENOENT); 139 140 error = SYSCTL_OUT(req, rules[index], sizeof(*rules[index])); 141 if (error) 142 return (error); 143 } 144 145 if (req->newptr) { 146 if (req->newlen == 0) { 147 /* printf("deletion\n"); */ 148 ruleptr = rules[index]; 149 if (ruleptr == NULL) 150 return (ENOENT); 151 rule_count--; 152 rules[index] = NULL; 153 FREE(ruleptr, M_MACBSDEXTENDED); 154 return(0); 155 } 156 error = SYSCTL_IN(req, &temprule, sizeof(temprule)); 157 if (error) 158 return (error); 159 160 error = mac_bsdextended_rule_valid(&temprule); 161 if (error) 162 return (error); 163 164 if (rules[index] == NULL) { 165 /* printf("addition\n"); */ 166 MALLOC(ruleptr, struct mac_bsdextended_rule *, 167 sizeof(*ruleptr), M_MACBSDEXTENDED, M_WAITOK | 168 M_ZERO); 169 *ruleptr = temprule; 170 rules[index] = ruleptr; 171 if (index+1 > rule_slots) 172 rule_slots = index+1; 173 rule_count++; 174 } else { 175 /* printf("replacement\n"); */ 176 *rules[index] = temprule; 177 } 178 } 179 180 return (0); 181 } 182 183 SYSCTL_NODE(_security_mac_bsdextended, OID_AUTO, rules, 184 CTLFLAG_RW, sysctl_rule, "BSD extended MAC rules"); 185 186 static void 187 mac_bsdextended_init(struct mac_policy_conf *mpc) 188 { 189 190 /* Initialize ruleset lock. */ 191 /* Register dynamic sysctl's for rules. */ 192 } 193 194 static void 195 mac_bsdextended_destroy(struct mac_policy_conf *mpc) 196 { 197 198 /* Tear down sysctls. */ 199 /* Destroy ruleset lock. */ 200 } 201 202 static int 203 mac_bsdextended_rulecheck(struct mac_bsdextended_rule *rule, 204 struct ucred *cred, uid_t object_uid, gid_t object_gid, int acc_mode) 205 { 206 int match; 207 208 /* 209 * Is there a subject match? 210 */ 211 if (rule->mbr_subject.mbi_flags & MBI_UID_DEFINED) { 212 match = (rule->mbr_subject.mbi_uid == cred->cr_uid || 213 rule->mbr_subject.mbi_uid == cred->cr_ruid || 214 rule->mbr_subject.mbi_uid == cred->cr_svuid); 215 216 if (rule->mbr_subject.mbi_flags & MBI_NEGATED) 217 match = !match; 218 219 if (!match) 220 return (0); 221 } 222 223 if (rule->mbr_subject.mbi_flags & MBI_GID_DEFINED) { 224 match = (groupmember(rule->mbr_subject.mbi_gid, cred) || 225 rule->mbr_subject.mbi_gid == cred->cr_rgid || 226 rule->mbr_subject.mbi_gid == cred->cr_svgid); 227 228 if (rule->mbr_subject.mbi_flags & MBI_NEGATED) 229 match = !match; 230 231 if (!match) 232 return (0); 233 } 234 235 /* 236 * Is there an object match? 237 */ 238 if (rule->mbr_object.mbi_flags & MBI_UID_DEFINED) { 239 match = (rule->mbr_object.mbi_uid == object_uid); 240 241 if (rule->mbr_object.mbi_flags & MBI_NEGATED) 242 match = !match; 243 244 if (!match) 245 return (0); 246 } 247 248 if (rule->mbr_object.mbi_flags & MBI_GID_DEFINED) { 249 match = (rule->mbr_object.mbi_gid == object_gid); 250 251 if (rule->mbr_object.mbi_flags & MBI_NEGATED) 252 match = !match; 253 254 if (!match) 255 return (0); 256 } 257 258 /* 259 * Is the access permitted? 260 */ 261 if ((rule->mbr_mode & acc_mode) != acc_mode) { 262 if (mac_bsdextended_debugging) 263 printf("mac_bsdextended: %d:%d request %d on %d:%d" 264 " fails\n", cred->cr_ruid, cred->cr_rgid, 265 acc_mode, object_uid, object_gid); 266 return (EACCES); 267 } 268 269 return (0); 270 } 271 272 static int 273 mac_bsdextended_check(struct ucred *cred, uid_t object_uid, gid_t object_gid, 274 int acc_mode) 275 { 276 int error, i; 277 278 if (suser_cred(cred, 0) == 0) 279 return (0); 280 281 for (i = 0; i < rule_slots; i++) { 282 if (rules[i] == NULL) 283 continue; 284 285 /* 286 * Since we don't separately handle append, map append to 287 * write. 288 */ 289 if (acc_mode & VAPPEND) { 290 acc_mode &= ~VAPPEND; 291 acc_mode |= VWRITE; 292 } 293 294 error = mac_bsdextended_rulecheck(rules[i], cred, object_uid, 295 object_gid, acc_mode); 296 if (error) 297 return (error); 298 } 299 300 return (0); 301 } 302 303 static int 304 mac_bsdextended_check_system_swapon(struct ucred *cred, struct vnode *vp, 305 struct label *label) 306 { 307 struct vattr vap; 308 int error; 309 310 if (!mac_bsdextended_enabled) 311 return (0); 312 313 error = VOP_GETATTR(vp, &vap, cred, curthread); 314 if (error) 315 return (error); 316 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VWRITE)); 317 } 318 319 static int 320 mac_bsdextended_check_vnode_access(struct ucred *cred, struct vnode *vp, 321 struct label *label, int acc_mode) 322 { 323 struct vattr vap; 324 int error; 325 326 if (!mac_bsdextended_enabled) 327 return (0); 328 329 error = VOP_GETATTR(vp, &vap, cred, curthread); 330 if (error) 331 return (error); 332 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, acc_mode)); 333 } 334 335 static int 336 mac_bsdextended_check_vnode_chdir(struct ucred *cred, struct vnode *dvp, 337 struct label *dlabel) 338 { 339 struct vattr vap; 340 int error; 341 342 if (!mac_bsdextended_enabled) 343 return (0); 344 345 error = VOP_GETATTR(dvp, &vap, cred, curthread); 346 if (error) 347 return (error); 348 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VEXEC)); 349 } 350 351 static int 352 mac_bsdextended_check_vnode_chroot(struct ucred *cred, struct vnode *dvp, 353 struct label *dlabel) 354 { 355 struct vattr vap; 356 int error; 357 358 if (!mac_bsdextended_enabled) 359 return (0); 360 361 error = VOP_GETATTR(dvp, &vap, cred, curthread); 362 if (error) 363 return (error); 364 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VEXEC)); 365 } 366 367 static int 368 mac_bsdextended_check_create_vnode(struct ucred *cred, struct vnode *dvp, 369 struct label *dlabel, struct componentname *cnp, struct vattr *vap) 370 { 371 struct vattr dvap; 372 int error; 373 374 if (!mac_bsdextended_enabled) 375 return (0); 376 377 error = VOP_GETATTR(dvp, &dvap, cred, curthread); 378 if (error) 379 return (error); 380 return (mac_bsdextended_check(cred, dvap.va_uid, dvap.va_gid, VWRITE)); 381 } 382 383 static int 384 mac_bsdextended_check_vnode_delete(struct ucred *cred, struct vnode *dvp, 385 struct label *dlabel, struct vnode *vp, struct label *label, 386 struct componentname *cnp) 387 { 388 struct vattr vap; 389 int error; 390 391 if (!mac_bsdextended_enabled) 392 return (0); 393 394 error = VOP_GETATTR(dvp, &vap, cred, curthread); 395 if (error) 396 return (error); 397 error = mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VWRITE); 398 if (error) 399 return (error); 400 401 error = VOP_GETATTR(vp, &vap, cred, curthread); 402 if (error) 403 return (error); 404 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VWRITE)); 405 } 406 407 static int 408 mac_bsdextended_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp, 409 struct label *label, acl_type_t type) 410 { 411 struct vattr vap; 412 int error; 413 414 if (!mac_bsdextended_enabled) 415 return (0); 416 417 error = VOP_GETATTR(vp, &vap, cred, curthread); 418 if (error) 419 return (error); 420 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VADMIN)); 421 } 422 423 static int 424 mac_bsdextended_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp, 425 struct label *label, int attrnamespace, const char *name) 426 { 427 struct vattr vap; 428 int error; 429 430 if (!mac_bsdextended_enabled) 431 return (0); 432 433 error = VOP_GETATTR(vp, &vap, cred, curthread); 434 if (error) 435 return (error); 436 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VWRITE)); 437 } 438 439 static int 440 mac_bsdextended_check_vnode_exec(struct ucred *cred, struct vnode *vp, 441 struct label *label, struct image_params *imgp, 442 struct label *execlabel) 443 { 444 struct vattr vap; 445 int error; 446 447 if (!mac_bsdextended_enabled) 448 return (0); 449 450 error = VOP_GETATTR(vp, &vap, cred, curthread); 451 if (error) 452 return (error); 453 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, 454 VREAD|VEXEC)); 455 } 456 457 static int 458 mac_bsdextended_check_vnode_getacl(struct ucred *cred, struct vnode *vp, 459 struct label *label, acl_type_t type) 460 { 461 struct vattr vap; 462 int error; 463 464 if (!mac_bsdextended_enabled) 465 return (0); 466 467 error = VOP_GETATTR(vp, &vap, cred, curthread); 468 if (error) 469 return (error); 470 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VSTAT)); 471 } 472 473 static int 474 mac_bsdextended_check_vnode_getextattr(struct ucred *cred, struct vnode *vp, 475 struct label *label, int attrnamespace, const char *name, struct uio *uio) 476 { 477 struct vattr vap; 478 int error; 479 480 if (!mac_bsdextended_enabled) 481 return (0); 482 483 error = VOP_GETATTR(vp, &vap, cred, curthread); 484 if (error) 485 return (error); 486 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VREAD)); 487 } 488 489 static int 490 mac_bsdextended_check_vnode_link(struct ucred *cred, struct vnode *dvp, 491 struct label *dlabel, struct vnode *vp, struct label *label, 492 struct componentname *cnp) 493 { 494 struct vattr vap; 495 int error; 496 497 if (!mac_bsdextended_enabled) 498 return (0); 499 500 error = VOP_GETATTR(dvp, &vap, cred, curthread); 501 if (error) 502 return (error); 503 error = mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VWRITE); 504 if (error) 505 return (error); 506 507 error = VOP_GETATTR(vp, &vap, cred, curthread); 508 if (error) 509 return (error); 510 error = mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VWRITE); 511 if (error) 512 return (error); 513 return (0); 514 } 515 516 static int 517 mac_bsdextended_check_vnode_listextattr(struct ucred *cred, struct vnode *vp, 518 struct label *label, int attrnamespace) 519 { 520 struct vattr vap; 521 int error; 522 523 if (!mac_bsdextended_enabled) 524 return (0); 525 526 error = VOP_GETATTR(vp, &vap, cred, curthread); 527 if (error) 528 return (error); 529 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VREAD)); 530 } 531 532 static int 533 mac_bsdextended_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, 534 struct label *dlabel, struct componentname *cnp) 535 { 536 struct vattr vap; 537 int error; 538 539 if (!mac_bsdextended_enabled) 540 return (0); 541 542 error = VOP_GETATTR(dvp, &vap, cred, curthread); 543 if (error) 544 return (error); 545 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VEXEC)); 546 } 547 548 static int 549 mac_bsdextended_check_vnode_open(struct ucred *cred, struct vnode *vp, 550 struct label *filelabel, int acc_mode) 551 { 552 struct vattr vap; 553 int error; 554 555 if (!mac_bsdextended_enabled) 556 return (0); 557 558 error = VOP_GETATTR(vp, &vap, cred, curthread); 559 if (error) 560 return (error); 561 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, acc_mode)); 562 } 563 564 static int 565 mac_bsdextended_check_vnode_readdir(struct ucred *cred, struct vnode *dvp, 566 struct label *dlabel) 567 { 568 struct vattr vap; 569 int error; 570 571 if (!mac_bsdextended_enabled) 572 return (0); 573 574 error = VOP_GETATTR(dvp, &vap, cred, curthread); 575 if (error) 576 return (error); 577 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VREAD)); 578 } 579 580 static int 581 mac_bsdextended_check_vnode_readdlink(struct ucred *cred, struct vnode *vp, 582 struct label *label) 583 { 584 struct vattr vap; 585 int error; 586 587 if (!mac_bsdextended_enabled) 588 return (0); 589 590 error = VOP_GETATTR(vp, &vap, cred, curthread); 591 if (error) 592 return (error); 593 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VREAD)); 594 } 595 596 static int 597 mac_bsdextended_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp, 598 struct label *dlabel, struct vnode *vp, struct label *label, 599 struct componentname *cnp) 600 { 601 struct vattr vap; 602 int error; 603 604 if (!mac_bsdextended_enabled) 605 return (0); 606 607 error = VOP_GETATTR(dvp, &vap, cred, curthread); 608 if (error) 609 return (error); 610 error = mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VWRITE); 611 if (error) 612 return (error); 613 error = VOP_GETATTR(vp, &vap, cred, curthread); 614 if (error) 615 return (error); 616 error = mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VWRITE); 617 618 return (error); 619 } 620 621 static int 622 mac_bsdextended_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp, 623 struct label *dlabel, struct vnode *vp, struct label *label, int samedir, 624 struct componentname *cnp) 625 { 626 struct vattr vap; 627 int error; 628 629 if (!mac_bsdextended_enabled) 630 return (0); 631 632 error = VOP_GETATTR(dvp, &vap, cred, curthread); 633 if (error) 634 return (error); 635 error = mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VWRITE); 636 if (error) 637 return (error); 638 639 if (vp != NULL) { 640 error = VOP_GETATTR(vp, &vap, cred, curthread); 641 if (error) 642 return (error); 643 error = mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, 644 VWRITE); 645 } 646 647 return (error); 648 } 649 650 static int 651 mac_bsdextended_check_vnode_revoke(struct ucred *cred, struct vnode *vp, 652 struct label *label) 653 { 654 struct vattr vap; 655 int error; 656 657 if (!mac_bsdextended_enabled) 658 return (0); 659 660 error = VOP_GETATTR(vp, &vap, cred, curthread); 661 if (error) 662 return (error); 663 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VADMIN)); 664 } 665 666 static int 667 mac_bsdextended_check_setacl_vnode(struct ucred *cred, struct vnode *vp, 668 struct label *label, acl_type_t type, struct acl *acl) 669 { 670 struct vattr vap; 671 int error; 672 673 if (!mac_bsdextended_enabled) 674 return (0); 675 676 error = VOP_GETATTR(vp, &vap, cred, curthread); 677 if (error) 678 return (error); 679 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VADMIN)); 680 } 681 682 static int 683 mac_bsdextended_check_vnode_setextattr(struct ucred *cred, struct vnode *vp, 684 struct label *label, int attrnamespace, const char *name, struct uio *uio) 685 { 686 struct vattr vap; 687 int error; 688 689 if (!mac_bsdextended_enabled) 690 return (0); 691 692 error = VOP_GETATTR(vp, &vap, cred, curthread); 693 if (error) 694 return (error); 695 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VWRITE)); 696 } 697 698 static int 699 mac_bsdextended_check_vnode_setflags(struct ucred *cred, struct vnode *vp, 700 struct label *label, u_long flags) 701 { 702 struct vattr vap; 703 int error; 704 705 if (!mac_bsdextended_enabled) 706 return (0); 707 708 error = VOP_GETATTR(vp, &vap, cred, curthread); 709 if (error) 710 return (error); 711 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VADMIN)); 712 } 713 714 static int 715 mac_bsdextended_check_vnode_setmode(struct ucred *cred, struct vnode *vp, 716 struct label *label, mode_t mode) 717 { 718 struct vattr vap; 719 int error; 720 721 if (!mac_bsdextended_enabled) 722 return (0); 723 724 error = VOP_GETATTR(vp, &vap, cred, curthread); 725 if (error) 726 return (error); 727 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VADMIN)); 728 } 729 730 static int 731 mac_bsdextended_check_vnode_setowner(struct ucred *cred, struct vnode *vp, 732 struct label *label, uid_t uid, gid_t gid) 733 { 734 struct vattr vap; 735 int error; 736 737 if (!mac_bsdextended_enabled) 738 return (0); 739 740 error = VOP_GETATTR(vp, &vap, cred, curthread); 741 if (error) 742 return (error); 743 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VADMIN)); 744 } 745 746 static int 747 mac_bsdextended_check_vnode_setutimes(struct ucred *cred, struct vnode *vp, 748 struct label *label, struct timespec atime, struct timespec utime) 749 { 750 struct vattr vap; 751 int error; 752 753 if (!mac_bsdextended_enabled) 754 return (0); 755 756 error = VOP_GETATTR(vp, &vap, cred, curthread); 757 if (error) 758 return (error); 759 return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VADMIN)); 760 } 761 762 static int 763 mac_bsdextended_check_vnode_stat(struct ucred *active_cred, 764 struct ucred *file_cred, struct vnode *vp, struct label *label) 765 { 766 struct vattr vap; 767 int error; 768 769 if (!mac_bsdextended_enabled) 770 return (0); 771 772 error = VOP_GETATTR(vp, &vap, active_cred, curthread); 773 if (error) 774 return (error); 775 return (mac_bsdextended_check(active_cred, vap.va_uid, vap.va_gid, 776 VSTAT)); 777 } 778 779 static struct mac_policy_ops mac_bsdextended_ops = 780 { 781 .mpo_destroy = mac_bsdextended_destroy, 782 .mpo_init = mac_bsdextended_init, 783 .mpo_check_system_swapon = mac_bsdextended_check_system_swapon, 784 .mpo_check_vnode_access = mac_bsdextended_check_vnode_access, 785 .mpo_check_vnode_chdir = mac_bsdextended_check_vnode_chdir, 786 .mpo_check_vnode_chroot = mac_bsdextended_check_vnode_chroot, 787 .mpo_check_vnode_create = mac_bsdextended_check_create_vnode, 788 .mpo_check_vnode_delete = mac_bsdextended_check_vnode_delete, 789 .mpo_check_vnode_deleteacl = mac_bsdextended_check_vnode_deleteacl, 790 .mpo_check_vnode_deleteextattr = mac_bsdextended_check_vnode_deleteextattr, 791 .mpo_check_vnode_exec = mac_bsdextended_check_vnode_exec, 792 .mpo_check_vnode_getacl = mac_bsdextended_check_vnode_getacl, 793 .mpo_check_vnode_getextattr = mac_bsdextended_check_vnode_getextattr, 794 .mpo_check_vnode_link = mac_bsdextended_check_vnode_link, 795 .mpo_check_vnode_listextattr = mac_bsdextended_check_vnode_listextattr, 796 .mpo_check_vnode_lookup = mac_bsdextended_check_vnode_lookup, 797 .mpo_check_vnode_open = mac_bsdextended_check_vnode_open, 798 .mpo_check_vnode_readdir = mac_bsdextended_check_vnode_readdir, 799 .mpo_check_vnode_readlink = mac_bsdextended_check_vnode_readdlink, 800 .mpo_check_vnode_rename_from = mac_bsdextended_check_vnode_rename_from, 801 .mpo_check_vnode_rename_to = mac_bsdextended_check_vnode_rename_to, 802 .mpo_check_vnode_revoke = mac_bsdextended_check_vnode_revoke, 803 .mpo_check_vnode_setacl = mac_bsdextended_check_setacl_vnode, 804 .mpo_check_vnode_setextattr = mac_bsdextended_check_vnode_setextattr, 805 .mpo_check_vnode_setflags = mac_bsdextended_check_vnode_setflags, 806 .mpo_check_vnode_setmode = mac_bsdextended_check_vnode_setmode, 807 .mpo_check_vnode_setowner = mac_bsdextended_check_vnode_setowner, 808 .mpo_check_vnode_setutimes = mac_bsdextended_check_vnode_setutimes, 809 .mpo_check_vnode_stat = mac_bsdextended_check_vnode_stat, 810 }; 811 812 MAC_POLICY_SET(&mac_bsdextended_ops, mac_bsdextended, 813 "TrustedBSD MAC/BSD Extended", MPC_LOADTIME_FLAG_UNLOADOK, NULL); 814