/*-
 * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson
 * Copyright (c) 2001, 2002, 2003 Networks Associates Technology, Inc.
 * All rights reserved.
 *
 * This software was developed by Robert Watson for the TrustedBSD Project.
 *
 * This software was developed for the FreeBSD Project in part by Network
 * Associates Laboratories, the Security Research Division of Network
 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
 * as part of the DARPA CHATS research program.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * $FreeBSD$
 */

/*
 * Developed by the TrustedBSD Project.
 *
 * Stub module that implements a NOOP for most (if not all) MAC Framework
 * policy entry points.
 *
 * Every labeling hook in this file is an empty body and every access
 * control check returns 0 (permit), so loading this policy changes no
 * decision.  Its value is as a template: copy it and fill in the entry
 * points a real policy needs.
 */

#include <sys/types.h>
#include <sys/param.h>
#include <sys/acl.h>
#include <sys/conf.h>
#include <sys/extattr.h>
#include <sys/kernel.h>
#include <sys/mac.h>
#include <sys/mount.h>
#include <sys/proc.h>
#include <sys/systm.h>
#include <sys/sysproto.h>
#include <sys/sysent.h>
#include <sys/vnode.h>
#include <sys/file.h>
#include <sys/socket.h>
#include <sys/socketvar.h>
#include <sys/pipe.h>
#include <sys/sysctl.h>

#include <fs/devfs/devfs.h>

#include <net/bpfdesc.h>
#include <net/if.h>
#include <net/if_types.h>
#include <net/if_var.h>

#include <netinet/in.h>
#include <netinet/ip_var.h>

#include <vm/vm.h>

#include <sys/mac_policy.h>

SYSCTL_DECL(_security_mac);

SYSCTL_NODE(_security_mac, OID_AUTO, stub, CTLFLAG_RW, 0,
    "TrustedBSD mac_stub policy controls");

/*
 * NOTE(review): stub_enabled is exported as security.mac.stub.enabled but
 * is never read by any entry point in this file, so toggling it has no
 * effect.  A policy derived from this template should consult it at the
 * top of each check it implements, or drop the knob.
 */
static int stub_enabled = 1;
SYSCTL_INT(_security_mac_stub, OID_AUTO, enabled, CTLFLAG_RW,
    &stub_enabled, 0, "Enforce mac_stub policy");

/*
 * Policy module operations.
 *
 * Called by the framework when the policy is registered and unregistered;
 * nothing is allocated here so there is nothing to tear down.
 */
static void
stub_destroy(struct mac_policy_conf *conf)
{

}

static void
stub_init(struct mac_policy_conf *conf)
{

}

/* Policy-private syscall multiplexer; this policy exposes no calls. */
static int
stub_syscall(struct thread *td, int call, void *arg)
{

	return (0);
}

/*
 * Label operations.
 *
 * This policy stores no per-object state, so labels are neither
 * allocated nor serialized.  The externalize/internalize stubs return 0
 * without touching *claimed, i.e. they never claim an element.
 */
static void
stub_init_label(struct label *label)
{

}

/* Variant used where allocation may sleep; the flag is unused here. */
static int
stub_init_label_waitcheck(struct label *label, int flag)
{

	return (0);
}

static void
stub_destroy_label(struct label *label)
{

}

static int
stub_externalize_label(struct label *label, char *element_name,
    struct sbuf *sb, int *claimed)
{

	return (0);
}

static int
stub_internalize_label(struct label *label, char *element_name,
    char *element_data, int *claimed)
{

	return (0);
}

/*
 * Labeling event operations: file system objects, and things that look
 * a lot like file system objects.
 */
static void
stub_associate_vnode_devfs(struct mount *mp, struct label *fslabel,
    struct devfs_dirent *de, struct label *delabel, struct vnode *vp,
    struct label *vlabel)
{

}

static int
stub_associate_vnode_extattr(struct mount *mp, struct label *fslabel,
    struct vnode *vp, struct label *vlabel)
{

	return (0);
}

static void
stub_associate_vnode_singlelabel(struct mount *mp,
    struct label *fslabel, struct vnode *vp, struct label *vlabel)
{

}

static void
stub_create_devfs_device(struct mount *mp, dev_t dev,
    struct devfs_dirent *devfs_dirent, struct label *label)
{

}

static void
stub_create_devfs_directory(struct mount *mp, char *dirname,
    int dirnamelen, struct devfs_dirent *devfs_dirent, struct label *label)
{

}

static void
stub_create_devfs_symlink(struct ucred *cred, struct mount *mp,
    struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de,
    struct label *delabel)
{

}

static int
stub_create_vnode_extattr(struct ucred *cred, struct mount *mp,
    struct label *fslabel, struct vnode *dvp, struct label *dlabel,
    struct vnode *vp, struct label *vlabel, struct componentname *cnp)
{

	return (0);
}

static void
stub_create_mount(struct ucred *cred, struct mount *mp,
    struct label *mntlabel, struct label *fslabel)
{

}

static void
stub_create_root_mount(struct ucred *cred, struct mount *mp,
    struct label *mntlabel, struct label *fslabel)
{

}

static void
stub_relabel_vnode(struct ucred *cred, struct vnode *vp,
    struct label *vnodelabel, struct label *label)
{

}

static int
stub_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
    struct label *vlabel, struct label *intlabel)
{

	return (0);
}

static void
stub_update_devfsdirent(struct mount *mp,
    struct devfs_dirent *devfs_dirent, struct label *direntlabel,
    struct vnode *vp, struct label *vnodelabel)
{

}

/*
 * Labeling event operations: IPC object.
 */
static void
stub_create_mbuf_from_socket(struct socket *so, struct label *socketlabel,
    struct mbuf *m, struct label *mbuflabel)
{

}

static void
stub_create_socket(struct ucred *cred, struct socket *socket,
    struct label *socketlabel)
{

}

static void
stub_create_pipe(struct ucred *cred, struct pipe *pipe,
    struct label *pipelabel)
{

}

static void
stub_create_socket_from_socket(struct socket *oldsocket,
    struct label *oldsocketlabel, struct socket *newsocket,
    struct label *newsocketlabel)
{

}

static void
stub_relabel_socket(struct ucred *cred, struct socket *socket,
    struct label *socketlabel, struct label *newlabel)
{

}

static void
stub_relabel_pipe(struct ucred *cred, struct pipe *pipe,
    struct label *pipelabel, struct label *newlabel)
{

}

static void
stub_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct label *mbuflabel,
    struct socket *socket, struct label *socketpeerlabel)
{

}

static void
stub_set_socket_peer_from_socket(struct socket *oldsocket,
    struct label *oldsocketlabel, struct socket *newsocket,
    struct label *newsocketpeerlabel)
{

}

/*
 * Labeling event operations: network objects.
 */
static void
stub_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d,
    struct label *bpflabel)
{

}

static void
stub_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel,
    struct mbuf *datagram, struct label *datagramlabel)
{

}

static void
stub_create_fragment(struct mbuf *datagram, struct label *datagramlabel,
    struct mbuf *fragment, struct label *fragmentlabel)
{

}

static void
stub_create_ifnet(struct ifnet *ifnet, struct label *ifnetlabel)
{

}

static void
stub_create_ipq(struct mbuf *fragment, struct label *fragmentlabel,
    struct ipq *ipq, struct label *ipqlabel)
{

}

static void
stub_create_mbuf_from_mbuf(struct mbuf *oldmbuf,
    struct label *oldmbuflabel, struct mbuf *newmbuf,
    struct label *newmbuflabel)
{

}

static void
stub_create_mbuf_linklayer(struct ifnet *ifnet, struct label *ifnetlabel,
    struct mbuf *mbuf, struct label *mbuflabel)
{

}

static void
stub_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct label *bpflabel,
    struct mbuf *mbuf, struct label *mbuflabel)
{

}

static void
stub_create_mbuf_from_ifnet(struct ifnet *ifnet, struct label *ifnetlabel,
    struct mbuf *m, struct label *mbuflabel)
{

}

static void
stub_create_mbuf_multicast_encap(struct mbuf *oldmbuf,
    struct label *oldmbuflabel, struct ifnet *ifnet, struct label *ifnetlabel,
    struct mbuf *newmbuf, struct label *newmbuflabel)
{

}

static void
stub_create_mbuf_netlayer(struct mbuf *oldmbuf,
    struct label *oldmbuflabel, struct mbuf *newmbuf,
    struct label *newmbuflabel)
{

}

/*
 * The only int-returning stub in this file that does not return 0.
 * Presumably non-zero means "fragment belongs to this reassembly queue",
 * so a NOOP policy must say yes or IP reassembly would stall -- confirm
 * against the mpo_fragment_match contract in mac_policy.h.
 */
static int
stub_fragment_match(struct mbuf *fragment, struct label *fragmentlabel,
    struct ipq *ipq, struct label *ipqlabel)
{

	return (1);
}

static void
stub_reflect_mbuf_icmp(struct mbuf *m, struct label *mlabel)
{

}

static void
stub_reflect_mbuf_tcp(struct mbuf *m, struct label *mlabel)
{

}

static void
stub_relabel_ifnet(struct ucred *cred, struct ifnet *ifnet,
    struct label *ifnetlabel, struct label *newlabel)
{

}

static void
stub_update_ipq(struct mbuf *fragment, struct label *fragmentlabel,
    struct ipq *ipq, struct label *ipqlabel)
{

}

/*
 * Labeling event operations: processes.
 */
static void
stub_create_cred(struct ucred *cred_parent, struct ucred *cred_child)
{

}

static void
stub_execve_transition(struct ucred *old, struct ucred *new,
    struct vnode *vp, struct label *vnodelabel,
    struct label *interpvnodelabel, struct image_params *imgp,
    struct label *execlabel)
{

}

/* Returns 0: this policy never requests a credential change on exec. */
static int
stub_execve_will_transition(struct ucred *old, struct vnode *vp,
    struct label *vnodelabel, struct label *interpvnodelabel,
    struct image_params *imgp, struct label *execlabel)
{

	return (0);
}

static void
stub_create_proc0(struct ucred *cred)
{

}

static void
stub_create_proc1(struct ucred *cred)
{

}

static void
stub_relabel_cred(struct ucred *cred, struct label *newlabel)
{

}

static void
stub_thread_userret(struct thread *td)
{

}

/*
 * Access control checks.
 *
 * Every check below returns 0 (permit); on its own this policy never
 * denies an operation.  None of them reads stub_enabled.
 */
static int
stub_check_bpfdesc_receive(struct bpf_d *bpf_d, struct label *bpflabel,
    struct ifnet *ifnet, struct label *ifnet_label)
{

	return (0);
}

static int
stub_check_cred_relabel(struct ucred *cred, struct label *newlabel)
{

	return (0);
}

static int
stub_check_cred_visible(struct ucred *u1, struct ucred *u2)
{

	return (0);
}

static int
stub_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet,
    struct label *ifnetlabel, struct label *newlabel)
{

	return (0);
}

static int
stub_check_ifnet_transmit(struct ifnet *ifnet, struct label *ifnetlabel,
    struct mbuf *m, struct label *mbuflabel)
{

	return (0);
}

static int
stub_check_kenv_dump(struct ucred *cred)
{

	return (0);
}

static int
stub_check_kenv_get(struct ucred *cred, char *name)
{

	return (0);
}

static int
stub_check_kenv_set(struct ucred *cred, char *name, char *value)
{

	return (0);
}

static int
stub_check_kenv_unset(struct ucred *cred, char *name)
{

	return (0);
}

static int
stub_check_kld_load(struct ucred *cred, struct vnode *vp,
    struct label *vlabel)
{

	return (0);
}

static int
stub_check_kld_stat(struct ucred *cred)
{

	return (0);
}

static int
stub_check_kld_unload(struct ucred *cred)
{

	return (0);
}

static int
stub_check_mount_stat(struct ucred *cred, struct mount *mp,
    struct label *mntlabel)
{

	return (0);
}

static int
stub_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe,
    struct label *pipelabel, unsigned long cmd, void /* caddr_t */ *data)
{

	return (0);
}

static int
stub_check_pipe_poll(struct ucred *cred, struct pipe *pipe,
    struct label *pipelabel)
{

	return (0);
}

static int
stub_check_pipe_read(struct ucred *cred, struct pipe *pipe,
    struct label *pipelabel)
{

	return (0);
}

static int
stub_check_pipe_relabel(struct ucred *cred, struct pipe *pipe,
    struct label *pipelabel, struct label *newlabel)
{

	return (0);
}

static int
stub_check_pipe_stat(struct ucred *cred, struct pipe *pipe,
    struct label *pipelabel)
{

	return (0);
}

static int
stub_check_pipe_write(struct ucred *cred, struct pipe *pipe,
    struct label *pipelabel)
{

	return (0);
}

static int
stub_check_proc_debug(struct ucred *cred, struct proc *proc)
{

	return (0);
}

static int
stub_check_proc_sched(struct ucred *cred, struct proc *proc)
{

	return (0);
}

static int
stub_check_proc_signal(struct ucred *cred, struct proc *proc, int signum)
{

	return (0);
}

static int
stub_check_socket_bind(struct ucred *cred, struct socket *socket,
    struct label *socketlabel, struct sockaddr *sockaddr)
{

	return (0);
}

static int
stub_check_socket_connect(struct ucred *cred, struct socket *socket,
    struct label *socketlabel, struct sockaddr *sockaddr)
{

	return (0);
}

static int
stub_check_socket_deliver(struct socket *so, struct label *socketlabel,
    struct mbuf *m, struct label *mbuflabel)
{

	return (0);
}

static int
stub_check_socket_listen(struct ucred *cred, struct socket *so,
    struct label *socketlabel)
{

	return (0);
}

static int
stub_check_socket_relabel(struct ucred *cred, struct socket *socket,
    struct label *socketlabel, struct label *newlabel)
{

	return (0);
}

static int
stub_check_socket_visible(struct ucred *cred, struct socket *socket,
    struct label *socketlabel)
{

	return (0);
}

/*
 * Access control checks, continued: system-wide operations and vnode
 * operations.  As with the checks above, each returns 0 (permit) and
 * none of them inspects its credential, label or argument values.
 */
static int
stub_check_sysarch_ioperm(struct ucred *cred)
{

	return (0);
}

static int
stub_check_system_acct(struct ucred *cred, struct vnode *vp,
    struct label *vlabel)
{

	return (0);
}

static int
stub_check_system_reboot(struct ucred *cred, int how)
{

	return (0);
}

static int
stub_check_system_settime(struct ucred *cred)
{

	return (0);
}

static int
stub_check_system_swapon(struct ucred *cred, struct vnode *vp,
    struct label *label)
{

	return (0);
}

static int
stub_check_system_swapoff(struct ucred *cred, struct vnode *vp,
    struct label *label)
{

	return (0);
}

/*
 * Permits every sysctl, including writes (new/newlen) from user space
 * (inkernel == 0); a derived policy would normally distinguish the two.
 */
static int
stub_check_system_sysctl(struct ucred *cred, int *name, u_int namelen,
    void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen)
{

	return (0);
}

static int
stub_check_vnode_access(struct ucred *cred, struct vnode *vp,
    struct label *label, int acc_mode)
{

	return (0);
}

static int
stub_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel)
{

	return (0);
}

static int
stub_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel)
{

	return (0);
}

static int
stub_check_vnode_create(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct componentname *cnp, struct vattr *vap)
{

	return (0);
}

static int
stub_check_vnode_delete(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct vnode *vp, struct label *label,
    struct componentname *cnp)
{

	return (0);
}

static int
stub_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
    struct label *label, acl_type_t type)
{

	return (0);
}

static int
stub_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
    struct label *label, int attrnamespace, const char *name)
{

	return (0);
}

static int
stub_check_vnode_exec(struct ucred *cred, struct vnode *vp,
    struct label *label, struct image_params *imgp,
    struct label *execlabel)
{

	return (0);
}

static int
stub_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
    struct label *label, acl_type_t type)
{

	return (0);
}

static int
stub_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
    struct label *label, int attrnamespace, const char *name, struct uio *uio)
{

	return (0);
}

static int
stub_check_vnode_link(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct vnode *vp, struct label *label,
    struct componentname *cnp)
{

	return (0);
}

static int
stub_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
    struct label *label, int attrnamespace)
{

	return (0);
}

static int
stub_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct componentname *cnp)
{

	return (0);
}

static int
stub_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
    struct label *label, int prot)
{

	return (0);
}

static int
stub_check_vnode_mprotect(struct ucred *cred, struct vnode *vp,
    struct label *label, int prot)
{

	return (0);
}

static int
stub_check_vnode_open(struct ucred *cred, struct vnode *vp,
    struct label *filelabel, int acc_mode)
{

	return (0);
}

/*
 * The poll/read/stat/write checks receive two credentials: the one
 * performing the operation (active_cred) and the one the file was opened
 * with (file_cred).  Both are ignored here.
 */
static int
stub_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
    struct vnode *vp, struct label *label)
{

	return (0);
}

static int
stub_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
    struct vnode *vp, struct label *label)
{

	return (0);
}

static int
stub_check_vnode_readdir(struct ucred *cred, struct vnode *vp,
    struct label *dlabel)
{

	return (0);
}

static int
stub_check_vnode_readlink(struct ucred *cred, struct vnode *vp,
    struct label *vnodelabel)
{

	return (0);
}

static int
stub_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
    struct label *vnodelabel, struct label *newlabel)
{

	return (0);
}

static int
stub_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct vnode *vp, struct label *label,
    struct componentname *cnp)
{

	return (0);
}

static int
stub_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct vnode *vp, struct label *label, int samedir,
    struct componentname *cnp)
{

	return (0);
}

static int
stub_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
    struct label *label)
{

	return (0);
}

static int
stub_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
    struct label *label, acl_type_t type, struct acl *acl)
{

	return (0);
}

static int
stub_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
    struct label *label, int attrnamespace, const char *name, struct uio *uio)
{

	return (0);
}

static int
stub_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
    struct label *label, u_long flags)
{

	return (0);
}

static int
stub_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
    struct label *label, mode_t mode)
{

	return (0);
}

static int
stub_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
    struct label *label, uid_t uid, gid_t gid)
{

	return (0);
}

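/* Remaining vnode checks; all return 0 (permit) like those above. */
static int
stub_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
    struct label *label, struct timespec atime, struct timespec mtime)
{

	return (0);
}

static int
stub_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
    struct vnode *vp, struct label *label)
{

	return (0);
}

static int
stub_check_vnode_write(struct ucred *active_cred,
    struct ucred *file_cred, struct vnode *vp, struct label *label)
{

	return (0);
}

/*
 * Entry point table handed to the MAC Framework.
 *
 * Each mpo_* member is a hook the framework will call; members left out
 * of this initializer stay NULL and the framework skips them, so a stub
 * listed here is not a requirement, only a convenience for anyone using
 * this file as a template.  The ipq, mbuf, socket and socket-peer label
 * initializers use the waitcheck variant because those objects can be
 * allocated in contexts that may not sleep.  Every mpo_check_* hook maps
 * to an always-permit stub.
 *
 * The original table assigned .mpo_create_ipq twice with the same value;
 * duplicate designated initializers are legal C but trip -Woverride-init
 * and make it easy to silently lose an edit, so the duplicate is dropped.
 */
static struct mac_policy_ops mac_stub_ops =
{
	.mpo_destroy = stub_destroy,
	.mpo_init = stub_init,
	.mpo_syscall = stub_syscall,
	.mpo_init_bpfdesc_label = stub_init_label,
	.mpo_init_cred_label = stub_init_label,
	.mpo_init_devfsdirent_label = stub_init_label,
	.mpo_init_ifnet_label = stub_init_label,
	.mpo_init_ipq_label = stub_init_label_waitcheck,
	.mpo_init_mbuf_label = stub_init_label_waitcheck,
	.mpo_init_mount_label = stub_init_label,
	.mpo_init_mount_fs_label = stub_init_label,
	.mpo_init_pipe_label = stub_init_label,
	.mpo_init_socket_label = stub_init_label_waitcheck,
	.mpo_init_socket_peer_label = stub_init_label_waitcheck,
	.mpo_init_vnode_label = stub_init_label,
	.mpo_destroy_bpfdesc_label = stub_destroy_label,
	.mpo_destroy_cred_label = stub_destroy_label,
	.mpo_destroy_devfsdirent_label = stub_destroy_label,
	.mpo_destroy_ifnet_label = stub_destroy_label,
	.mpo_destroy_ipq_label = stub_destroy_label,
	.mpo_destroy_mbuf_label = stub_destroy_label,
	.mpo_destroy_mount_label = stub_destroy_label,
	.mpo_destroy_mount_fs_label = stub_destroy_label,
	.mpo_destroy_pipe_label = stub_destroy_label,
	.mpo_destroy_socket_label = stub_destroy_label,
	.mpo_destroy_socket_peer_label = stub_destroy_label,
	.mpo_destroy_vnode_label = stub_destroy_label,
	.mpo_externalize_cred_label = stub_externalize_label,
	.mpo_externalize_ifnet_label = stub_externalize_label,
	.mpo_externalize_pipe_label = stub_externalize_label,
	.mpo_externalize_socket_label = stub_externalize_label,
	.mpo_externalize_socket_peer_label = stub_externalize_label,
	.mpo_externalize_vnode_label = stub_externalize_label,
	.mpo_internalize_cred_label = stub_internalize_label,
	.mpo_internalize_ifnet_label = stub_internalize_label,
	.mpo_internalize_pipe_label = stub_internalize_label,
	.mpo_internalize_socket_label = stub_internalize_label,
	.mpo_internalize_vnode_label = stub_internalize_label,
	.mpo_associate_vnode_devfs = stub_associate_vnode_devfs,
	.mpo_associate_vnode_extattr = stub_associate_vnode_extattr,
	.mpo_associate_vnode_singlelabel = stub_associate_vnode_singlelabel,
	.mpo_create_devfs_device = stub_create_devfs_device,
	.mpo_create_devfs_directory = stub_create_devfs_directory,
	.mpo_create_devfs_symlink = stub_create_devfs_symlink,
	.mpo_create_vnode_extattr = stub_create_vnode_extattr,
	.mpo_create_mount = stub_create_mount,
	.mpo_create_root_mount = stub_create_root_mount,
	.mpo_relabel_vnode = stub_relabel_vnode,
	.mpo_setlabel_vnode_extattr = stub_setlabel_vnode_extattr,
	.mpo_update_devfsdirent = stub_update_devfsdirent,
	.mpo_create_mbuf_from_socket = stub_create_mbuf_from_socket,
	.mpo_create_pipe = stub_create_pipe,
	.mpo_create_socket = stub_create_socket,
	.mpo_create_socket_from_socket = stub_create_socket_from_socket,
	.mpo_relabel_pipe = stub_relabel_pipe,
	.mpo_relabel_socket = stub_relabel_socket,
	.mpo_set_socket_peer_from_mbuf = stub_set_socket_peer_from_mbuf,
	.mpo_set_socket_peer_from_socket = stub_set_socket_peer_from_socket,
	.mpo_create_bpfdesc = stub_create_bpfdesc,
	.mpo_create_ifnet = stub_create_ifnet,
	.mpo_create_ipq = stub_create_ipq,
	.mpo_create_datagram_from_ipq = stub_create_datagram_from_ipq,
	.mpo_create_fragment = stub_create_fragment,
	.mpo_create_mbuf_from_mbuf = stub_create_mbuf_from_mbuf,
	.mpo_create_mbuf_linklayer = stub_create_mbuf_linklayer,
	.mpo_create_mbuf_from_bpfdesc = stub_create_mbuf_from_bpfdesc,
	.mpo_create_mbuf_from_ifnet = stub_create_mbuf_from_ifnet,
	.mpo_create_mbuf_multicast_encap = stub_create_mbuf_multicast_encap,
	.mpo_create_mbuf_netlayer = stub_create_mbuf_netlayer,
	.mpo_fragment_match = stub_fragment_match,
	.mpo_reflect_mbuf_icmp = stub_reflect_mbuf_icmp,
	.mpo_reflect_mbuf_tcp = stub_reflect_mbuf_tcp,
	.mpo_relabel_ifnet = stub_relabel_ifnet,
	.mpo_update_ipq = stub_update_ipq,
	.mpo_create_cred = stub_create_cred,
	.mpo_execve_transition = stub_execve_transition,
	.mpo_execve_will_transition = stub_execve_will_transition,
	.mpo_create_proc0 = stub_create_proc0,
	.mpo_create_proc1 = stub_create_proc1,
	.mpo_relabel_cred = stub_relabel_cred,
	.mpo_thread_userret = stub_thread_userret,
	.mpo_check_bpfdesc_receive = stub_check_bpfdesc_receive,
	.mpo_check_cred_relabel = stub_check_cred_relabel,
	.mpo_check_cred_visible = stub_check_cred_visible,
	.mpo_check_ifnet_relabel = stub_check_ifnet_relabel,
	.mpo_check_ifnet_transmit = stub_check_ifnet_transmit,
	.mpo_check_kenv_dump = stub_check_kenv_dump,
	.mpo_check_kenv_get = stub_check_kenv_get,
	.mpo_check_kenv_set = stub_check_kenv_set,
	.mpo_check_kenv_unset = stub_check_kenv_unset,
	.mpo_check_kld_load = stub_check_kld_load,
	.mpo_check_kld_stat = stub_check_kld_stat,
	.mpo_check_kld_unload = stub_check_kld_unload,
	.mpo_check_mount_stat = stub_check_mount_stat,
	.mpo_check_pipe_ioctl = stub_check_pipe_ioctl,
	.mpo_check_pipe_poll = stub_check_pipe_poll,
	.mpo_check_pipe_read = stub_check_pipe_read,
	.mpo_check_pipe_relabel = stub_check_pipe_relabel,
	.mpo_check_pipe_stat = stub_check_pipe_stat,
	.mpo_check_pipe_write = stub_check_pipe_write,
	.mpo_check_proc_debug = stub_check_proc_debug,
	.mpo_check_proc_sched = stub_check_proc_sched,
	.mpo_check_proc_signal = stub_check_proc_signal,
	.mpo_check_socket_bind = stub_check_socket_bind,
	.mpo_check_socket_connect = stub_check_socket_connect,
	.mpo_check_socket_deliver = stub_check_socket_deliver,
	.mpo_check_socket_listen = stub_check_socket_listen,
	.mpo_check_socket_relabel = stub_check_socket_relabel,
	.mpo_check_socket_visible = stub_check_socket_visible,
	.mpo_check_sysarch_ioperm = stub_check_sysarch_ioperm,
	.mpo_check_system_acct = stub_check_system_acct,
	.mpo_check_system_reboot = stub_check_system_reboot,
	.mpo_check_system_settime = stub_check_system_settime,
	.mpo_check_system_swapon = stub_check_system_swapon,
	.mpo_check_system_swapoff = stub_check_system_swapoff,
	.mpo_check_system_sysctl = stub_check_system_sysctl,
	.mpo_check_vnode_access = stub_check_vnode_access,
	.mpo_check_vnode_chdir = stub_check_vnode_chdir,
	.mpo_check_vnode_chroot = stub_check_vnode_chroot,
	.mpo_check_vnode_create = stub_check_vnode_create,
	.mpo_check_vnode_delete = stub_check_vnode_delete,
	.mpo_check_vnode_deleteacl = stub_check_vnode_deleteacl,
	.mpo_check_vnode_deleteextattr = stub_check_vnode_deleteextattr,
	.mpo_check_vnode_exec = stub_check_vnode_exec,
	.mpo_check_vnode_getacl = stub_check_vnode_getacl,
	.mpo_check_vnode_getextattr = stub_check_vnode_getextattr,
	.mpo_check_vnode_link = stub_check_vnode_link,
	.mpo_check_vnode_listextattr = stub_check_vnode_listextattr,
	.mpo_check_vnode_lookup = stub_check_vnode_lookup,
	.mpo_check_vnode_mmap = stub_check_vnode_mmap,
	.mpo_check_vnode_mprotect = stub_check_vnode_mprotect,
	.mpo_check_vnode_open = stub_check_vnode_open,
	.mpo_check_vnode_poll = stub_check_vnode_poll,
	.mpo_check_vnode_read = stub_check_vnode_read,
	.mpo_check_vnode_readdir = stub_check_vnode_readdir,
	.mpo_check_vnode_readlink = stub_check_vnode_readlink,
	.mpo_check_vnode_relabel = stub_check_vnode_relabel,
	.mpo_check_vnode_rename_from = stub_check_vnode_rename_from,
	.mpo_check_vnode_rename_to = stub_check_vnode_rename_to,
	.mpo_check_vnode_revoke = stub_check_vnode_revoke,
	.mpo_check_vnode_setacl = stub_check_vnode_setacl,
	.mpo_check_vnode_setextattr = stub_check_vnode_setextattr,
	.mpo_check_vnode_setflags = stub_check_vnode_setflags,
	.mpo_check_vnode_setmode = stub_check_vnode_setmode,
	.mpo_check_vnode_setowner = stub_check_vnode_setowner,
	.mpo_check_vnode_setutimes = stub_check_vnode_setutimes,
	.mpo_check_vnode_stat = stub_check_vnode_stat,
	.mpo_check_vnode_write = stub_check_vnode_write,
};

/*
 * Register with the framework.  MPC_LOADTIME_FLAG_UNLOADOK marks the
 * module as unloadable, which is safe here because no state is kept.
 */
MAC_POLICY_SET(&mac_stub_ops, mac_stub, "TrustedBSD MAC/Stub",
    MPC_LOADTIME_FLAG_UNLOADOK, NULL);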