xref: /freebsd/sys/security/mac_bsdextended/mac_bsdextended.c (revision 71fe318b852b8dfb3e799cb12ef184750f7f8eac)
1 /*-
2  * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson
3  * Copyright (c) 2001, 2002 Networks Associates Technology, Inc.
4  * All rights reserved.
5  *
6  * This software was developed by Robert Watson for the TrustedBSD Project.
7  *
8  * This software was developed for the FreeBSD Project in part by NAI Labs,
9  * the Security Research Division of Network Associates, Inc. under
10  * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA
11  * CHATS research program.
12  *
13  * Redistribution and use in source and binary forms, with or without
14  * modification, are permitted provided that the following conditions
15  * are met:
16  * 1. Redistributions of source code must retain the above copyright
17  *    notice, this list of conditions and the following disclaimer.
18  * 2. Redistributions in binary form must reproduce the above copyright
19  *    notice, this list of conditions and the following disclaimer in the
20  *    documentation and/or other materials provided with the distribution.
21  * 3. The names of the authors may not be used to endorse or promote
22  *    products derived from this software without specific prior written
23  *    permission.
24  *
25  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
26  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
27  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
28  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
29  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
30  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
31  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
32  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
33  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
34  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
35  * SUCH DAMAGE.
36  *
37  * $FreeBSD$
38  */
39 /*
40  * Developed by the TrustedBSD Project.
41  * "BSD Extended" MAC policy, allowing the administrator to impose
42  * mandatory rules regarding users and some system objects.
43  *
44  * XXX: Much locking support required here.
45  */
46 
47 #include <sys/types.h>
48 #include <sys/param.h>
49 #include <sys/acl.h>
50 #include <sys/conf.h>
51 #include <sys/kernel.h>
52 #include <sys/mac.h>
53 #include <sys/malloc.h>
54 #include <sys/mount.h>
55 #include <sys/proc.h>
56 #include <sys/systm.h>
57 #include <sys/sysproto.h>
58 #include <sys/sysent.h>
59 #include <sys/vnode.h>
60 #include <sys/file.h>
61 #include <sys/socket.h>
62 #include <sys/socketvar.h>
63 #include <sys/sysctl.h>
64 
65 #include <net/bpfdesc.h>
66 #include <net/if.h>
67 #include <net/if_types.h>
68 #include <net/if_var.h>
69 
70 #include <vm/vm.h>
71 
72 #include <sys/mac_policy.h>
73 
74 #include <security/mac_bsdextended/mac_bsdextended.h>
75 
76 SYSCTL_DECL(_security_mac);
77 
78 SYSCTL_NODE(_security_mac, OID_AUTO, bsdextended, CTLFLAG_RW, 0,
79     "TrustedBSD extended BSD MAC policy controls");
80 
81 static int	mac_bsdextended_enabled = 1;
82 SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, enabled, CTLFLAG_RW,
83     &mac_bsdextended_enabled, 0, "Enforce extended BSD policy");
84 TUNABLE_INT("security.mac.bsdextended.enabled", &mac_bsdextended_enabled);
85 
86 MALLOC_DEFINE(M_MACBSDEXTENDED, "mac_bsdextended", "BSD Extended MAC rule");
87 
88 #define	MAC_BSDEXTENDED_MAXRULES	250
89 static struct mac_bsdextended_rule *rules[MAC_BSDEXTENDED_MAXRULES];
90 static int rule_count = 0;
91 static int rule_slots = 0;
92 
93 SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, rule_count, CTLFLAG_RD,
94     &rule_count, 0, "Number of defined rules\n");
95 SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, rule_slots, CTLFLAG_RD,
96     &rule_slots, 0, "Number of used rule slots\n");
97 
98 static int mac_bsdextended_debugging;
99 SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, debugging, CTLFLAG_RW,
100     &mac_bsdextended_debugging, 0, "Enable debugging on failure");
101 
102 static int
103 mac_bsdextended_rule_valid(struct mac_bsdextended_rule *rule)
104 {
105 
106 	if ((rule->mbr_subject.mbi_flags | MBI_BITS) != MBI_BITS)
107 		return (EINVAL);
108 
109 	if ((rule->mbr_object.mbi_flags | MBI_BITS) != MBI_BITS)
110 		return (EINVAL);
111 
112 	if ((rule->mbr_mode | VALLPERM) != VALLPERM)
113 		return (EINVAL);
114 
115 	return (0);
116 }
117 
118 static int
119 sysctl_rule(SYSCTL_HANDLER_ARGS)
120 {
121 	struct mac_bsdextended_rule temprule, *ruleptr;
122 	u_int namelen;
123 	int error, index, *name;
124 
125 	name = (int *)arg1;
126 	namelen = arg2;
127 
128 	/* printf("bsdextended sysctl handler (namelen %d)\n", namelen); */
129 
130 	if (namelen != 1)
131 		return (EINVAL);
132 
133 	index = name[0];
134 	if (index < 0 || index > rule_slots + 1)
135 		return (ENOENT);
136 	if (rule_slots >= MAC_BSDEXTENDED_MAXRULES)
137 		return (ENOENT);
138 
139 	if (req->oldptr) {
140 		if (rules[index] == NULL)
141 			return (ENOENT);
142 
143 		error = SYSCTL_OUT(req, rules[index], sizeof(*rules[index]));
144 		if (error)
145 			return (error);
146 	}
147 
148 	if (req->newptr) {
149 		if (req->newlen == 0) {
150 			/* printf("deletion\n"); */
151 			ruleptr = rules[index];
152 			if (ruleptr == NULL)
153 				return (ENOENT);
154 			rule_count--;
155 			rules[index] = NULL;
156 			FREE(ruleptr, M_MACBSDEXTENDED);
157 			return(0);
158 		}
159 		error = SYSCTL_IN(req, &temprule, sizeof(temprule));
160 		if (error)
161 			return (error);
162 
163 		error = mac_bsdextended_rule_valid(&temprule);
164 		if (error)
165 			return (error);
166 
167 		if (rules[index] == NULL) {
168 			/* printf("addition\n"); */
169 			MALLOC(ruleptr, struct mac_bsdextended_rule *,
170 			    sizeof(*ruleptr), M_MACBSDEXTENDED, M_WAITOK |
171 			    M_ZERO);
172 			*ruleptr = temprule;
173 			rules[index] = ruleptr;
174 			if (index+1 > rule_slots)
175 				rule_slots = index+1;
176 			rule_count++;
177 		} else {
178 			/* printf("replacement\n"); */
179 			*rules[index] = temprule;
180 		}
181 	}
182 
183 	return (0);
184 }
185 
186 SYSCTL_NODE(_security_mac_bsdextended, OID_AUTO, rules,
187     CTLFLAG_RW, sysctl_rule, "BSD extended MAC rules");
188 
189 static void
190 mac_bsdextended_init(struct mac_policy_conf *mpc)
191 {
192 
193 	/* Initialize ruleset lock. */
194 	/* Register dynamic sysctl's for rules. */
195 }
196 
197 static void
198 mac_bsdextended_destroy(struct mac_policy_conf *mpc)
199 {
200 
201 	/* Tear down sysctls. */
202 	/* Destroy ruleset lock. */
203 }
204 
205 static int
206 mac_bsdextended_rulecheck(struct mac_bsdextended_rule *rule,
207     struct ucred *cred, uid_t object_uid, gid_t object_gid, mode_t acc_mode)
208 {
209 	int match;
210 
211 	/*
212 	 * Is there a subject match?
213 	 */
214 	if (rule->mbr_subject.mbi_flags & MBI_UID_DEFINED) {
215 		match =  (rule->mbr_subject.mbi_uid == cred->cr_uid ||
216 		    rule->mbr_subject.mbi_uid == cred->cr_ruid ||
217 		    rule->mbr_subject.mbi_uid == cred->cr_svuid);
218 
219 		if (rule->mbr_subject.mbi_flags & MBI_NEGATED)
220 			match = !match;
221 
222 		if (!match)
223 			return (0);
224 	}
225 
226 	if (rule->mbr_subject.mbi_flags & MBI_GID_DEFINED) {
227 		match = (groupmember(rule->mbr_subject.mbi_gid, cred) ||
228 		    rule->mbr_subject.mbi_gid == cred->cr_rgid ||
229 		    rule->mbr_subject.mbi_gid == cred->cr_svgid);
230 
231 		if (rule->mbr_subject.mbi_flags & MBI_NEGATED)
232 			match = !match;
233 
234 		if (!match)
235 			return (0);
236 	}
237 
238 	/*
239 	 * Is there an object match?
240 	 */
241 	if (rule->mbr_object.mbi_flags & MBI_UID_DEFINED) {
242 		match = (rule->mbr_object.mbi_uid == object_uid);
243 
244 		if (rule->mbr_object.mbi_flags & MBI_NEGATED)
245 			match = !match;
246 
247 		if (!match)
248 			return (0);
249 	}
250 
251 	if (rule->mbr_object.mbi_flags & MBI_GID_DEFINED) {
252 		match = (rule->mbr_object.mbi_gid == object_gid);
253 
254 		if (rule->mbr_object.mbi_flags & MBI_NEGATED)
255 			match = !match;
256 
257 		if (!match)
258 			return (0);
259 	}
260 
261 	/*
262 	 * Is the access permitted?
263 	 */
264 	if ((rule->mbr_mode & acc_mode) != acc_mode) {
265 		if (mac_bsdextended_debugging)
266 			printf("mac_bsdextended: %d:%d request %d on %d:%d"
267 			    " fails\n", cred->cr_ruid, cred->cr_rgid,
268 			    acc_mode, object_uid, object_gid);
269 		return (EACCES);
270 	}
271 
272 	return (0);
273 }
274 
275 static int
276 mac_bsdextended_check(struct ucred *cred, uid_t object_uid, gid_t object_gid,
277     mode_t acc_mode)
278 {
279 	int error, i;
280 
281 	for (i = 0; i < rule_slots; i++) {
282 		if (rules[i] == NULL)
283 			continue;
284 
285 		error = mac_bsdextended_rulecheck(rules[i], cred, object_uid,
286 		    object_gid, acc_mode);
287 		if (error)
288 			return (error);
289 	}
290 
291 	return (0);
292 }
293 
294 static int
295 mac_bsdextended_check_vnode_access(struct ucred *cred, struct vnode *vp,
296     struct label *label, mode_t flags)
297 {
298 	struct vattr vap;
299 	int error;
300 
301 	if (!mac_bsdextended_enabled)
302 		return (0);
303 
304 	error = VOP_GETATTR(vp, &vap, cred, curthread);
305 	if (error)
306 		return (error);
307 	return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, flags));
308 }
309 
310 static int
311 mac_bsdextended_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
312     struct label *dlabel)
313 {
314 	struct vattr vap;
315 	int error;
316 
317 	if (!mac_bsdextended_enabled)
318 		return (0);
319 
320 	error = VOP_GETATTR(dvp, &vap, cred, curthread);
321 	if (error)
322 		return (error);
323 	return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VEXEC));
324 }
325 
326 static int
327 mac_bsdextended_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
328     struct label *dlabel)
329 {
330 	struct vattr vap;
331 	int error;
332 
333 	if (!mac_bsdextended_enabled)
334 		return (0);
335 
336 	error = VOP_GETATTR(dvp, &vap, cred, curthread);
337 	if (error)
338 		return (error);
339 	return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VEXEC));
340 }
341 
342 static int
343 mac_bsdextended_check_create_vnode(struct ucred *cred, struct vnode *dvp,
344     struct label *dlabel, struct componentname *cnp, struct vattr *vap)
345 {
346 	struct vattr dvap;
347 	int error;
348 
349 	if (!mac_bsdextended_enabled)
350 		return (0);
351 
352 	error = VOP_GETATTR(dvp, &dvap, cred, curthread);
353 	if (error)
354 		return (error);
355 	return (mac_bsdextended_check(cred, dvap.va_uid, dvap.va_gid, VWRITE));
356 }
357 
358 static int
359 mac_bsdextended_check_vnode_delete(struct ucred *cred, struct vnode *dvp,
360     struct label *dlabel, struct vnode *vp, struct label *label,
361     struct componentname *cnp)
362 {
363 	struct vattr vap;
364 	int error;
365 
366 	if (!mac_bsdextended_enabled)
367 		return (0);
368 
369 	error = VOP_GETATTR(dvp, &vap, cred, curthread);
370 	if (error)
371 		return (error);
372 	error = mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VWRITE);
373 	if (error)
374 		return (error);
375 
376 	error = VOP_GETATTR(vp, &vap, cred, curthread);
377 	if (error)
378 		return (error);
379 	return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VWRITE));
380 }
381 
382 static int
383 mac_bsdextended_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
384     struct label *label, acl_type_t type)
385 {
386 	struct vattr vap;
387 	int error;
388 
389 	if (!mac_bsdextended_enabled)
390 		return (0);
391 
392 	error = VOP_GETATTR(vp, &vap, cred, curthread);
393 	if (error)
394 		return (error);
395 	return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VADMIN));
396 }
397 
398 static int
399 mac_bsdextended_check_vnode_exec(struct ucred *cred, struct vnode *vp,
400     struct label *label)
401 {
402 	struct vattr vap;
403 	int error;
404 
405 	if (!mac_bsdextended_enabled)
406 		return (0);
407 
408 	error = VOP_GETATTR(vp, &vap, cred, curthread);
409 	if (error)
410 		return (error);
411 	return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid,
412 	    VREAD|VEXEC));
413 }
414 
415 static int
416 mac_bsdextended_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
417     struct label *label, acl_type_t type)
418 {
419 	struct vattr vap;
420 	int error;
421 
422 	if (!mac_bsdextended_enabled)
423 		return (0);
424 
425 	error = VOP_GETATTR(vp, &vap, cred, curthread);
426 	if (error)
427 		return (error);
428 	return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VSTAT));
429 }
430 
431 static int
432 mac_bsdextended_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
433     struct label *label, int attrnamespace, const char *name, struct uio *uio)
434 {
435 	struct vattr vap;
436 	int error;
437 
438 	if (!mac_bsdextended_enabled)
439 		return (0);
440 
441 	error = VOP_GETATTR(vp, &vap, cred, curthread);
442 	if (error)
443 		return (error);
444 	return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VREAD));
445 }
446 
447 static int
448 mac_bsdextended_check_vnode_link(struct ucred *cred, struct vnode *dvp,
449     struct label *dlabel, struct vnode *vp, struct label *label,
450     struct componentname *cnp)
451 {
452 	struct vattr vap;
453 	int error;
454 
455 	if (!mac_bsdextended_enabled)
456 		return (0);
457 
458 	error = VOP_GETATTR(dvp, &vap, cred, curthread);
459 	if (error)
460 		return (error);
461 	error = mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VWRITE);
462 		if (error)
463 	return (error);
464 
465 	error = VOP_GETATTR(vp, &vap, cred, curthread);
466 	if (error)
467 		return (error);
468 	error = mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VWRITE);
469 	if (error)
470 		return (error);
471 	return (0);
472 }
473 
474 static int
475 mac_bsdextended_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
476     struct label *dlabel, struct componentname *cnp)
477 {
478 	struct vattr vap;
479 	int error;
480 
481 	if (!mac_bsdextended_enabled)
482 		return (0);
483 
484 	error = VOP_GETATTR(dvp, &vap, cred, curthread);
485 	if (error)
486 		return (error);
487 	return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VEXEC));
488 }
489 
490 static int
491 mac_bsdextended_check_vnode_open(struct ucred *cred, struct vnode *vp,
492     struct label *filelabel, mode_t acc_mode)
493 {
494 	struct vattr vap;
495 	int error;
496 
497 	if (!mac_bsdextended_enabled)
498 		return (0);
499 
500 	error = VOP_GETATTR(vp, &vap, cred, curthread);
501 	if (error)
502 		return (error);
503 	return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, acc_mode));
504 }
505 
506 static int
507 mac_bsdextended_check_vnode_readdir(struct ucred *cred, struct vnode *dvp,
508     struct label *dlabel)
509 {
510 	struct vattr vap;
511 	int error;
512 
513 	if (!mac_bsdextended_enabled)
514 		return (0);
515 
516 	error = VOP_GETATTR(dvp, &vap, cred, curthread);
517 	if (error)
518 		return (error);
519 	return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VREAD));
520 }
521 
522 static int
523 mac_bsdextended_check_vnode_readdlink(struct ucred *cred, struct vnode *vp,
524     struct label *label)
525 {
526 	struct vattr vap;
527 	int error;
528 
529 	if (!mac_bsdextended_enabled)
530 		return (0);
531 
532 	error = VOP_GETATTR(vp, &vap, cred, curthread);
533 	if (error)
534 		return (error);
535 	return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VREAD));
536 }
537 
538 static int
539 mac_bsdextended_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
540     struct label *dlabel, struct vnode *vp, struct label *label,
541     struct componentname *cnp)
542 {
543 	struct vattr vap;
544 	int error;
545 
546 	if (!mac_bsdextended_enabled)
547 		return (0);
548 
549 	error = VOP_GETATTR(dvp, &vap, cred, curthread);
550 	if (error)
551 		return (error);
552 	error = mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VWRITE);
553 	if (error)
554 		return (error);
555 	error = VOP_GETATTR(vp, &vap, cred, curthread);
556 	if (error)
557 		return (error);
558 	error = mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VWRITE);
559 
560 	return (error);
561 }
562 
563 static int
564 mac_bsdextended_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
565     struct label *dlabel, struct vnode *vp, struct label *label, int samedir,
566     struct componentname *cnp)
567 {
568 	struct vattr vap;
569 	int error;
570 
571 	if (!mac_bsdextended_enabled)
572 		return (0);
573 
574 	error = VOP_GETATTR(dvp, &vap, cred, curthread);
575 	if (error)
576 		return (error);
577 	error = mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VWRITE);
578 	if (error)
579 		return (error);
580 
581 	if (vp != NULL) {
582 		error = VOP_GETATTR(vp, &vap, cred, curthread);
583 		if (error)
584 			return (error);
585 		error = mac_bsdextended_check(cred, vap.va_uid, vap.va_gid,
586 		    VWRITE);
587 	}
588 
589 	return (error);
590 }
591 
592 static int
593 mac_bsdextended_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
594     struct label *label)
595 {
596 	struct vattr vap;
597 	int error;
598 
599 	if (!mac_bsdextended_enabled)
600 		return (0);
601 
602 	error = VOP_GETATTR(vp, &vap, cred, curthread);
603 	if (error)
604 		return (error);
605 	return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VADMIN));
606 }
607 
608 static int
609 mac_bsdextended_check_setacl_vnode(struct ucred *cred, struct vnode *vp,
610     struct label *label, acl_type_t type, struct acl *acl)
611 {
612 	struct vattr vap;
613 	int error;
614 
615 	if (!mac_bsdextended_enabled)
616 		return (0);
617 
618 	error = VOP_GETATTR(vp, &vap, cred, curthread);
619 	if (error)
620 		return (error);
621 	return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VADMIN));
622 }
623 
624 static int
625 mac_bsdextended_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
626     struct label *label, int attrnamespace, const char *name, struct uio *uio)
627 {
628 	struct vattr vap;
629 	int error;
630 
631 	if (!mac_bsdextended_enabled)
632 		return (0);
633 
634 	error = VOP_GETATTR(vp, &vap, cred, curthread);
635 	if (error)
636 		return (error);
637 	return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VWRITE));
638 }
639 
640 static int
641 mac_bsdextended_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
642     struct label *label, u_long flags)
643 {
644 	struct vattr vap;
645 	int error;
646 
647 	if (!mac_bsdextended_enabled)
648 		return (0);
649 
650 	error = VOP_GETATTR(vp, &vap, cred, curthread);
651 	if (error)
652 		return (error);
653 	return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VADMIN));
654 }
655 
656 static int
657 mac_bsdextended_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
658     struct label *label, mode_t mode)
659 {
660 	struct vattr vap;
661 	int error;
662 
663 	if (!mac_bsdextended_enabled)
664 		return (0);
665 
666 	error = VOP_GETATTR(vp, &vap, cred, curthread);
667 	if (error)
668 		return (error);
669 	return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VADMIN));
670 }
671 
672 static int
673 mac_bsdextended_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
674     struct label *label, uid_t uid, gid_t gid)
675 {
676 	struct vattr vap;
677 	int error;
678 
679 	if (!mac_bsdextended_enabled)
680 		return (0);
681 
682 	error = VOP_GETATTR(vp, &vap, cred, curthread);
683 	if (error)
684 		return (error);
685 	return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VADMIN));
686 }
687 
688 static int
689 mac_bsdextended_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
690     struct label *label, struct timespec atime, struct timespec utime)
691 {
692 	struct vattr vap;
693 	int error;
694 
695 	if (!mac_bsdextended_enabled)
696 		return (0);
697 
698 	error = VOP_GETATTR(vp, &vap, cred, curthread);
699 	if (error)
700 		return (error);
701 	return (mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VADMIN));
702 }
703 
704 static int
705 mac_bsdextended_check_vnode_stat(struct ucred *active_cred,
706     struct ucred *file_cred, struct vnode *vp, struct label *label)
707 {
708 	struct vattr vap;
709 	int error;
710 
711 	if (!mac_bsdextended_enabled)
712 		return (0);
713 
714 	error = VOP_GETATTR(vp, &vap, active_cred, curthread);
715 	if (error)
716 		return (error);
717 	return (mac_bsdextended_check(active_cred, vap.va_uid, vap.va_gid,
718 	    VSTAT));
719 }
720 
721 static struct mac_policy_op_entry mac_bsdextended_ops[] =
722 {
723 	{ MAC_DESTROY,
724 	    (macop_t)mac_bsdextended_destroy },
725 	{ MAC_INIT,
726 	    (macop_t)mac_bsdextended_init },
727 	{ MAC_CHECK_VNODE_ACCESS,
728 	    (macop_t)mac_bsdextended_check_vnode_access },
729 	{ MAC_CHECK_VNODE_CHDIR,
730 	    (macop_t)mac_bsdextended_check_vnode_chdir },
731 	{ MAC_CHECK_VNODE_CHROOT,
732 	    (macop_t)mac_bsdextended_check_vnode_chroot },
733 	{ MAC_CHECK_VNODE_CREATE,
734 	    (macop_t)mac_bsdextended_check_create_vnode },
735 	{ MAC_CHECK_VNODE_DELETE,
736 	    (macop_t)mac_bsdextended_check_vnode_delete },
737 	{ MAC_CHECK_VNODE_DELETEACL,
738 	    (macop_t)mac_bsdextended_check_vnode_deleteacl },
739 	{ MAC_CHECK_VNODE_EXEC,
740 	    (macop_t)mac_bsdextended_check_vnode_exec },
741 	{ MAC_CHECK_VNODE_GETACL,
742 	    (macop_t)mac_bsdextended_check_vnode_getacl },
743 	{ MAC_CHECK_VNODE_GETEXTATTR,
744 	    (macop_t)mac_bsdextended_check_vnode_getextattr },
745 	{ MAC_CHECK_VNODE_LINK,
746 	    (macop_t)mac_bsdextended_check_vnode_link },
747 	{ MAC_CHECK_VNODE_LOOKUP,
748 	    (macop_t)mac_bsdextended_check_vnode_lookup },
749 	{ MAC_CHECK_VNODE_OPEN,
750 	    (macop_t)mac_bsdextended_check_vnode_open },
751 	{ MAC_CHECK_VNODE_READDIR,
752 	    (macop_t)mac_bsdextended_check_vnode_readdir },
753 	{ MAC_CHECK_VNODE_READLINK,
754 	    (macop_t)mac_bsdextended_check_vnode_readdlink },
755 	{ MAC_CHECK_VNODE_RENAME_FROM,
756 	    (macop_t)mac_bsdextended_check_vnode_rename_from },
757 	{ MAC_CHECK_VNODE_RENAME_TO,
758 	    (macop_t)mac_bsdextended_check_vnode_rename_to },
759 	{ MAC_CHECK_VNODE_REVOKE,
760 	    (macop_t)mac_bsdextended_check_vnode_revoke },
761 	{ MAC_CHECK_VNODE_SETACL,
762 	    (macop_t)mac_bsdextended_check_setacl_vnode },
763 	{ MAC_CHECK_VNODE_SETEXTATTR,
764 	    (macop_t)mac_bsdextended_check_vnode_setextattr },
765 	{ MAC_CHECK_VNODE_SETFLAGS,
766 	    (macop_t)mac_bsdextended_check_vnode_setflags },
767 	{ MAC_CHECK_VNODE_SETMODE,
768 	    (macop_t)mac_bsdextended_check_vnode_setmode },
769 	{ MAC_CHECK_VNODE_SETOWNER,
770 	    (macop_t)mac_bsdextended_check_vnode_setowner },
771 	{ MAC_CHECK_VNODE_SETUTIMES,
772 	    (macop_t)mac_bsdextended_check_vnode_setutimes },
773 	{ MAC_CHECK_VNODE_STAT,
774 	    (macop_t)mac_bsdextended_check_vnode_stat },
775 	{ MAC_OP_LAST, NULL }
776 };
777 
778 MAC_POLICY_SET(mac_bsdextended_ops, trustedbsd_mac_bsdextended,
779     "TrustedBSD MAC/BSD Extended", MPC_LOADTIME_FLAG_UNLOADOK, NULL);
780