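/*-
 * Copyright (c) 1999-2002 Robert N. M. Watson
 * Copyright (c) 2001-2003 Networks Associates Technology, Inc.
 * All rights reserved.
 *
 * This software was developed by Robert Watson for the TrustedBSD Project.
 *
 * This software was developed for the FreeBSD Project in part by Network
 * Associates Laboratories, the Security Research Division of Network
 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
 * as part of the DARPA CHATS research program.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * $FreeBSD$
 */

/*
 * Developed by the TrustedBSD Project.
 *
 * Stub module that implements a NOOP for most (if not all) MAC Framework
 * policy entry points.
 *
 * Security note: this policy enforces nothing.  Every labeling hook below
 * has an empty body and every access control check returns 0, so loading
 * the module adds no restriction to the system.  It is a template and a
 * way to exercise the framework's call paths, not a confinement mechanism.
 * A policy derived from it has to replace each "return (0)" it relies on
 * with a real decision; any check left untouched keeps granting access.
 */

#include <sys/types.h>
#include <sys/param.h>
#include <sys/acl.h>
#include <sys/conf.h>
#include <sys/extattr.h>
#include <sys/kernel.h>
#include <sys/mac.h>
#include <sys/mount.h>
#include <sys/proc.h>
#include <sys/systm.h>
#include <sys/sysproto.h>
#include <sys/sysent.h>
#include <sys/vnode.h>
#include <sys/file.h>
#include <sys/socket.h>
#include <sys/socketvar.h>
#include <sys/pipe.h>
#include <sys/sysctl.h>

#include <fs/devfs/devfs.h>

#include <net/bpfdesc.h>
#include <net/if.h>
#include <net/if_types.h>
#include <net/if_var.h>

#include <netinet/in.h>
#include <netinet/in_pcb.h>
#include <netinet/ip_var.h>

#include <vm/vm.h>

#include <sys/mac_policy.h>

SYSCTL_DECL(_security_mac);

SYSCTL_NODE(_security_mac, OID_AUTO, stub, CTLFLAG_RW, 0,
    "TrustedBSD mac_stub policy controls");

/*
 * Exported as security.mac.stub.enabled.  No entry point in this file
 * reads stub_enabled, so changing the sysctl has no effect on any
 * decision; the description string is aspirational.  A policy built from
 * this template must test the flag in each check, or drop the knob, so
 * that administrators are not misled about what is being enforced.
 */
static int	stub_enabled = 1;
SYSCTL_INT(_security_mac_stub, OID_AUTO, enabled, CTLFLAG_RW,
    &stub_enabled, 0, "Enforce mac_stub policy");

/*
 * Policy module operations.
 *
 * stub_destroy() and stub_init() are the policy's unload and load hooks;
 * there is no state to set up or tear down.  stub_syscall() is the
 * policy-specific system call hook: it ignores 'call' and 'arg' and
 * reports success for every request.  A real policy should reject call
 * numbers it does not implement and treat 'arg' as an untrusted user
 * pointer.
 */
static void
stub_destroy(struct mac_policy_conf *conf)
{

}

static void
stub_init(struct mac_policy_conf *conf)
{

}

static int
stub_syscall(struct thread *td, int call, void *arg)
{

	return (0);
}

/*
 * Label operations.
 *
 * The stub keeps no per-object label state, so initialization, copy and
 * destruction have nothing to do.  stub_init_label_waitcheck() is the
 * variant used for objects whose label initialization may fail; it
 * allocates nothing and therefore always returns 0 regardless of 'flag'.
 * The externalize/internalize hooks return 0 without touching *claimed,
 * i.e. the stub never claims a label element as its own.
 */
static void
stub_init_label(struct label *label)
{

}

static int
stub_init_label_waitcheck(struct label *label, int flag)
{

	return (0);
}

static void
stub_destroy_label(struct label *label)
{

}

static void
stub_copy_label(struct label *src, struct label *dest)
{

}

static int
stub_externalize_label(struct label *label, char *element_name,
    struct sbuf *sb, int *claimed)
{

	return (0);
}

static int
stub_internalize_label(struct label *label, char *element_name,
    char *element_data, int *claimed)
{

	return (0);
}

/*
 * Labeling event operations: file system objects, and things that look
 * a lot like file system objects.
 *
 * The int-returning hooks in this group report success (0); none of them
 * reads or writes a label.
 */
static void
stub_associate_vnode_devfs(struct mount *mp, struct label *fslabel,
    struct devfs_dirent *de, struct label *delabel, struct vnode *vp,
    struct label *vlabel)
{

}

static int
stub_associate_vnode_extattr(struct mount *mp, struct label *fslabel,
    struct vnode *vp, struct label *vlabel)
{

	return (0);
}

static void
stub_associate_vnode_singlelabel(struct mount *mp,
    struct label *fslabel, struct vnode *vp, struct label *vlabel)
{

}

static void
stub_create_devfs_device(struct mount *mp, struct cdev *dev,
    struct devfs_dirent *devfs_dirent, struct label *label)
{

}

static void
stub_create_devfs_directory(struct mount *mp, char *dirname,
    int dirnamelen, struct devfs_dirent *devfs_dirent, struct label *label)
{

}

static void
stub_create_devfs_symlink(struct ucred *cred, struct mount *mp,
    struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de,
    struct label *delabel)
{

}

static int
stub_create_vnode_extattr(struct ucred *cred, struct mount *mp,
    struct label *fslabel, struct vnode *dvp, struct label *dlabel,
    struct vnode *vp, struct label *vlabel, struct componentname *cnp)
{

	return (0);
}

static void
stub_create_mount(struct ucred *cred, struct mount *mp,
    struct label *mntlabel, struct label *fslabel)
{

}

static void
stub_create_root_mount(struct ucred *cred, struct mount *mp,
    struct label *mntlabel, struct label *fslabel)
{

}

static void
stub_relabel_vnode(struct ucred *cred, struct vnode *vp,
    struct label *vnodelabel, struct label *label)
{

}

static int
stub_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
    struct label *vlabel, struct label *intlabel)
{

	return (0);
}

static void
stub_update_devfsdirent(struct mount *mp,
    struct devfs_dirent *devfs_dirent, struct label *direntlabel,
    struct vnode *vp, struct label *vnodelabel)
{

}

/*
 * Labeling event operations: IPC object.
 */
static void
stub_create_mbuf_from_socket(struct socket *so, struct label *socketlabel,
    struct mbuf *m, struct label *mbuflabel)
{

}

static void
stub_create_socket(struct ucred *cred, struct socket *socket,
    struct label *socketlabel)
{

}

static void
stub_create_pipe(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel)
{

}

static void
stub_create_socket_from_socket(struct socket *oldsocket,
    struct label *oldsocketlabel, struct socket *newsocket,
    struct label *newsocketlabel)
{

}

static void
stub_relabel_socket(struct ucred *cred, struct socket *socket,
    struct label *socketlabel, struct label *newlabel)
{

}

static void
stub_relabel_pipe(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel, struct label *newlabel)
{

}

static void
stub_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct label *mbuflabel,
    struct socket *socket, struct label *socketpeerlabel)
{

}

static void
stub_set_socket_peer_from_socket(struct socket *oldsocket,
    struct label *oldsocketlabel, struct socket *newsocket,
    struct label *newsocketpeerlabel)
{

}

/*
 * Labeling event operations: network objects.
 */
static void
stub_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d,
    struct label *bpflabel)
{

}

static void
stub_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel,
    struct mbuf *datagram, struct label *datagramlabel)
{

}

static void
stub_create_fragment(struct mbuf *datagram, struct label *datagramlabel,
    struct mbuf *fragment, struct label *fragmentlabel)
{

}

static void
stub_create_ifnet(struct ifnet *ifnet, struct label *ifnetlabel)
{

}

static void
stub_create_inpcb_from_socket(struct socket *so, struct label *solabel,
    struct inpcb *inp, struct label *inplabel)
{

}

static void
stub_create_ipq(struct mbuf *fragment, struct label *fragmentlabel,
    struct ipq *ipq, struct label *ipqlabel)
{

}

static void
stub_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel,
    struct mbuf *m, struct label *mlabel)
{

}

static void
stub_create_mbuf_from_mbuf(struct mbuf *oldmbuf,
    struct label *oldmbuflabel, struct mbuf *newmbuf,
    struct label *newmbuflabel)
{

}

static void
stub_create_mbuf_linklayer(struct ifnet *ifnet, struct label *ifnetlabel,
    struct mbuf *mbuf, struct label *mbuflabel)
{

}

static void
stub_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct label *bpflabel,
    struct mbuf *mbuf, struct label *mbuflabel)
{

}

static void
stub_create_mbuf_from_ifnet(struct ifnet *ifnet, struct label *ifnetlabel,
    struct mbuf *m, struct label *mbuflabel)
{

}

static void
stub_create_mbuf_multicast_encap(struct mbuf *oldmbuf,
    struct label *oldmbuflabel, struct ifnet *ifnet, struct label *ifnetlabel,
    struct mbuf *newmbuf, struct label *newmbuflabel)
{

}

static void
stub_create_mbuf_netlayer(struct mbuf *oldmbuf,
    struct label *oldmbuflabel, struct mbuf *newmbuf, struct label *newmbuflabel)
{

}

/*
 * Unlike the access control checks, this hook answers a yes/no question:
 * a non-zero return reports that the fragment's label matches the
 * reassembly queue's label.  The stub returns 1 so that it never keeps a
 * fragment out of a queue.
 */
static int
stub_fragment_match(struct mbuf *fragment, struct label *fragmentlabel,
    struct ipq *ipq, struct label *ipqlabel)
{

	return (1);
}

static void
stub_reflect_mbuf_icmp(struct mbuf *m, struct label *mlabel)
{

}

static void
stub_reflect_mbuf_tcp(struct mbuf *m, struct label *mlabel)
{

}

static void
stub_relabel_ifnet(struct ucred *cred, struct ifnet *ifnet,
    struct label *ifnetlabel, struct label *newlabel)
{

}

static void
stub_update_ipq(struct mbuf *fragment, struct label *fragmentlabel,
    struct ipq *ipq, struct label *ipqlabel)
{

}

static void
stub_inpcb_sosetlabel(struct socket *so, struct label *solabel,
    struct inpcb *inp, struct label *inplabel)
{

}

/*
 * Labeling event operations: processes.
 *
 * stub_execve_will_transition() returns 0, i.e. the stub never asks for
 * a credential label transition on exec, and stub_execve_transition()
 * correspondingly leaves the new credential untouched.
 */
static void
stub_execve_transition(struct ucred *old, struct ucred *new,
    struct vnode *vp, struct label *vnodelabel,
    struct label *interpvnodelabel, struct image_params *imgp,
    struct label *execlabel)
{

}

static int
stub_execve_will_transition(struct ucred *old, struct vnode *vp,
    struct label *vnodelabel, struct label *interpvnodelabel,
    struct image_params *imgp, struct label *execlabel)
{

	return (0);
}

static void
stub_create_proc0(struct ucred *cred)
{

}

static void
stub_create_proc1(struct ucred *cred)
{

}

static void
stub_relabel_cred(struct ucred *cred, struct label *newlabel)
{

}

static void
stub_thread_userret(struct thread *td)
{

}

/*
 * Access control checks.
 *
 * In the MAC Framework a check entry point returns 0 when the policy has
 * no objection to the operation and an errno value to deny it.  Every
 * check below returns 0 unconditionally and inspects none of its
 * arguments, so this policy never denies anything -- including the
 * sensitive operations covered here (kernel module load/unload, process
 * debugging and signalling, reboot, settime, swap control, sysctl, kenv,
 * chroot, exec and relabel requests).
 */
static int
stub_check_bpfdesc_receive(struct bpf_d *bpf_d, struct label *bpflabel,
    struct ifnet *ifnet, struct label *ifnet_label)
{

	return (0);
}

static int
stub_check_cred_relabel(struct ucred *cred, struct label *newlabel)
{

	return (0);
}

static int
stub_check_cred_visible(struct ucred *u1, struct ucred *u2)
{

	return (0);
}

static int
stub_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet,
    struct label *ifnetlabel, struct label *newlabel)
{

	return (0);
}

static int
stub_check_ifnet_transmit(struct ifnet *ifnet, struct label *ifnetlabel,
    struct mbuf *m, struct label *mbuflabel)
{

	return (0);
}

static int
stub_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel,
    struct mbuf *m, struct label *mlabel)
{

	return (0);
}

static int
stub_check_kenv_dump(struct ucred *cred)
{

	return (0);
}

static int
stub_check_kenv_get(struct ucred *cred, char *name)
{

	return (0);
}

static int
stub_check_kenv_set(struct ucred *cred, char *name, char *value)
{

	return (0);
}

static int
stub_check_kenv_unset(struct ucred *cred, char *name)
{

	return (0);
}

static int
stub_check_kld_load(struct ucred *cred, struct vnode *vp,
    struct label *vlabel)
{

	return (0);
}

static int
stub_check_kld_stat(struct ucred *cred)
{

	return (0);
}

static int
stub_check_kld_unload(struct ucred *cred)
{

	return (0);
}

static int
stub_check_mount_stat(struct ucred *cred, struct mount *mp,
    struct label *mntlabel)
{

	return (0);
}

static int
stub_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel, unsigned long cmd, void /* caddr_t */ *data)
{

	return (0);
}

static int
stub_check_pipe_poll(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel)
{

	return (0);
}

static int
stub_check_pipe_read(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel)
{

	return (0);
}

static int
stub_check_pipe_relabel(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel, struct label *newlabel)
{

	return (0);
}

static int
stub_check_pipe_stat(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel)
{

	return (0);
}

static int
stub_check_pipe_write(struct ucred *cred, struct pipepair *pp,
    struct label *pipelabel)
{

	return (0);
}

static int
stub_check_proc_debug(struct ucred *cred, struct proc *proc)
{

	return (0);
}

static int
stub_check_proc_sched(struct ucred *cred, struct proc *proc)
{

	return (0);
}

static int
stub_check_proc_signal(struct ucred *cred, struct proc *proc, int signum)
{

	return (0);
}

static int
stub_check_socket_bind(struct ucred *cred, struct socket *socket,
    struct label *socketlabel, struct sockaddr *sockaddr)
{

	return (0);
}

static int
stub_check_socket_connect(struct ucred *cred, struct socket *socket,
    struct label *socketlabel, struct sockaddr *sockaddr)
{

	return (0);
}

static int
stub_check_socket_deliver(struct socket *so, struct label *socketlabel,
    struct mbuf *m, struct label *mbuflabel)
{

	return (0);
}

static int
stub_check_socket_listen(struct ucred *cred, struct socket *so,
    struct label *socketlabel)
{

	return (0);
}

static int
stub_check_socket_relabel(struct ucred *cred, struct socket *socket,
    struct label *socketlabel, struct label *newlabel)
{

	return (0);
}

static int
stub_check_socket_visible(struct ucred *cred, struct socket *socket,
    struct label *socketlabel)
{

	return (0);
}

static int
stub_check_sysarch_ioperm(struct ucred *cred)
{

	return (0);
}

static int
stub_check_system_acct(struct ucred *cred, struct vnode *vp,
    struct label *vlabel)
{

	return (0);
}

static int
stub_check_system_reboot(struct ucred *cred, int how)
{

	return (0);
}

static int
stub_check_system_settime(struct ucred *cred)
{

	return (0);
}

static int
stub_check_system_swapon(struct ucred *cred, struct vnode *vp,
    struct label *label)
{

	return (0);
}

static int
stub_check_system_swapoff(struct ucred *cred, struct vnode *vp,
    struct label *label)
{

	return (0);
}

static int
stub_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
    void *arg1, int arg2, struct sysctl_req *req)
{

	return (0);
}

static int
stub_check_vnode_access(struct ucred *cred, struct vnode *vp,
    struct label *label, int acc_mode)
{

	return (0);
}

static int
stub_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel)
{

	return (0);
}

static int
stub_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel)
{

	return (0);
}

static int
stub_check_vnode_create(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct componentname *cnp, struct vattr *vap)
{

	return (0);
}

static int
stub_check_vnode_delete(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct vnode *vp, struct label *label,
    struct componentname *cnp)
{

	return (0);
}

static int
stub_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
    struct label *label, acl_type_t type)
{

	return (0);
}

static int
stub_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
    struct label *label, int attrnamespace, const char *name)
{

	return (0);
}

static int
stub_check_vnode_exec(struct ucred *cred, struct vnode *vp,
    struct label *label, struct image_params *imgp,
    struct label *execlabel)
{

	return (0);
}

static int
stub_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
    struct label *label, acl_type_t type)
{

	return (0);
}

static int
stub_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
    struct label *label, int attrnamespace, const char *name, struct uio *uio)
{

	return (0);
}

static int
stub_check_vnode_link(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct vnode *vp, struct label *label,
    struct componentname *cnp)
{

	return (0);
}

static int
stub_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
    struct label *label, int attrnamespace)
{

	return (0);
}

static int
stub_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct componentname *cnp)
{

	return (0);
}

static int
stub_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
    struct label *label, int prot)
{

	return (0);
}

static int
stub_check_vnode_mprotect(struct ucred *cred, struct vnode *vp,
    struct label *label, int prot)
{

	return (0);
}

static int
stub_check_vnode_open(struct ucred *cred, struct vnode *vp,
    struct label *filelabel, int acc_mode)
{

	return (0);
}

static int
stub_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
    struct vnode *vp, struct label *label)
{

	return (0);
}

static int
stub_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
    struct vnode *vp, struct label *label)
{

	return (0);
}

static int
stub_check_vnode_readdir(struct ucred *cred, struct vnode *vp,
    struct label *dlabel)
{

	return (0);
}

static int
stub_check_vnode_readlink(struct ucred *cred, struct vnode *vp,
    struct label *vnodelabel)
{

	return (0);
}

static int
stub_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
    struct label *vnodelabel, struct label *newlabel)
{

	return (0);
}

static int
stub_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct vnode *vp, struct label *label,
    struct componentname *cnp)
{

	return (0);
}

static int
stub_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
    struct label *dlabel, struct vnode *vp, struct label *label, int samedir,
    struct componentname *cnp)
{

	return (0);
}

static int
stub_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
    struct label *label)
{

	return (0);
}

static int
stub_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
    struct label *label, acl_type_t type, struct acl *acl)
{

	return (0);
}

static int
stub_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
    struct label *label, int attrnamespace, const char *name, struct uio *uio)
{

	return (0);
}

static int
stub_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
    struct label *label, u_long flags)
{

	return (0);
}

static int
stub_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
    struct label *label, mode_t mode)
{

	return (0);
}

static int
stub_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
    struct label *label, uid_t uid, gid_t gid)
{

	return (0);
}

static int
stub_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
    struct label *label, struct timespec atime, struct timespec mtime)
{

	return (0);
}

static int
stub_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
    struct vnode *vp, struct label *label)
{

	return (0);
}

static int
stub_check_vnode_write(struct ucred *active_cred,
    struct ucred *file_cred, struct vnode *vp, struct label *label)
{

	return (0);
}

/*
 * Entry point table handed to the MAC Framework.
 *
 * Each member is named at most once.  With designated initializers a
 * repeated member silently overrides the earlier value, which in a
 * security policy table can hide a hook wired to the wrong function, so
 * keep the list free of duplicates when adding entries.
 */
static struct mac_policy_ops mac_stub_ops =
{
	.mpo_destroy = stub_destroy,
	.mpo_init = stub_init,
	.mpo_syscall = stub_syscall,
	.mpo_init_bpfdesc_label = stub_init_label,
	.mpo_init_cred_label = stub_init_label,
	.mpo_init_devfsdirent_label = stub_init_label,
	.mpo_init_ifnet_label = stub_init_label,
	.mpo_init_inpcb_label = stub_init_label_waitcheck,
	.mpo_init_ipq_label = stub_init_label_waitcheck,
	.mpo_init_mbuf_label = stub_init_label_waitcheck,
	.mpo_init_mount_label = stub_init_label,
	.mpo_init_mount_fs_label = stub_init_label,
	.mpo_init_pipe_label = stub_init_label,
	.mpo_init_socket_label = stub_init_label_waitcheck,
	.mpo_init_socket_peer_label = stub_init_label_waitcheck,
	.mpo_init_vnode_label = stub_init_label,
	.mpo_destroy_bpfdesc_label = stub_destroy_label,
	.mpo_destroy_cred_label = stub_destroy_label,
	.mpo_destroy_devfsdirent_label = stub_destroy_label,
	.mpo_destroy_ifnet_label = stub_destroy_label,
	.mpo_destroy_inpcb_label = stub_destroy_label,
	.mpo_destroy_ipq_label = stub_destroy_label,
	.mpo_destroy_mbuf_label = stub_destroy_label,
	.mpo_destroy_mount_label = stub_destroy_label,
	.mpo_destroy_mount_fs_label = stub_destroy_label,
	.mpo_destroy_pipe_label = stub_destroy_label,
	.mpo_destroy_socket_label = stub_destroy_label,
	.mpo_destroy_socket_peer_label = stub_destroy_label,
	.mpo_destroy_vnode_label = stub_destroy_label,
	.mpo_copy_cred_label = stub_copy_label,
	.mpo_copy_ifnet_label = stub_copy_label,
	.mpo_copy_mbuf_label = stub_copy_label,
	.mpo_copy_pipe_label = stub_copy_label,
	.mpo_copy_socket_label = stub_copy_label,
	.mpo_copy_vnode_label = stub_copy_label,
	.mpo_externalize_cred_label = stub_externalize_label,
	.mpo_externalize_ifnet_label = stub_externalize_label,
	.mpo_externalize_pipe_label = stub_externalize_label,
	.mpo_externalize_socket_label = stub_externalize_label,
	.mpo_externalize_socket_peer_label = stub_externalize_label,
	.mpo_externalize_vnode_label = stub_externalize_label,
	.mpo_internalize_cred_label = stub_internalize_label,
	.mpo_internalize_ifnet_label = stub_internalize_label,
	.mpo_internalize_pipe_label = stub_internalize_label,
	.mpo_internalize_socket_label = stub_internalize_label,
	.mpo_internalize_vnode_label = stub_internalize_label,
	.mpo_associate_vnode_devfs = stub_associate_vnode_devfs,
	.mpo_associate_vnode_extattr = stub_associate_vnode_extattr,
	.mpo_associate_vnode_singlelabel = stub_associate_vnode_singlelabel,
	.mpo_create_devfs_device = stub_create_devfs_device,
	.mpo_create_devfs_directory = stub_create_devfs_directory,
	.mpo_create_devfs_symlink = stub_create_devfs_symlink,
	.mpo_create_vnode_extattr = stub_create_vnode_extattr,
	.mpo_create_mount = stub_create_mount,
	.mpo_create_root_mount = stub_create_root_mount,
	.mpo_relabel_vnode = stub_relabel_vnode,
	.mpo_setlabel_vnode_extattr = stub_setlabel_vnode_extattr,
	.mpo_update_devfsdirent = stub_update_devfsdirent,
	.mpo_create_mbuf_from_socket = stub_create_mbuf_from_socket,
	.mpo_create_pipe = stub_create_pipe,
	.mpo_create_socket = stub_create_socket,
	.mpo_create_socket_from_socket = stub_create_socket_from_socket,
	.mpo_relabel_pipe = stub_relabel_pipe,
	.mpo_relabel_socket = stub_relabel_socket,
	.mpo_set_socket_peer_from_mbuf = stub_set_socket_peer_from_mbuf,
	.mpo_set_socket_peer_from_socket = stub_set_socket_peer_from_socket,
	.mpo_create_bpfdesc = stub_create_bpfdesc,
	.mpo_create_ifnet = stub_create_ifnet,
	.mpo_create_inpcb_from_socket = stub_create_inpcb_from_socket,
	.mpo_create_ipq = stub_create_ipq,
	.mpo_create_datagram_from_ipq = stub_create_datagram_from_ipq,
	.mpo_create_fragment = stub_create_fragment,
	.mpo_create_mbuf_from_inpcb = stub_create_mbuf_from_inpcb,
	.mpo_create_mbuf_from_mbuf = stub_create_mbuf_from_mbuf,
	.mpo_create_mbuf_linklayer = stub_create_mbuf_linklayer,
	.mpo_create_mbuf_from_bpfdesc = stub_create_mbuf_from_bpfdesc,
	.mpo_create_mbuf_from_ifnet = stub_create_mbuf_from_ifnet,
	.mpo_create_mbuf_multicast_encap = stub_create_mbuf_multicast_encap,
	.mpo_create_mbuf_netlayer = stub_create_mbuf_netlayer,
	.mpo_fragment_match = stub_fragment_match,
	.mpo_reflect_mbuf_icmp = stub_reflect_mbuf_icmp,
	.mpo_reflect_mbuf_tcp = stub_reflect_mbuf_tcp,
	.mpo_relabel_ifnet = stub_relabel_ifnet,
	.mpo_update_ipq = stub_update_ipq,
	.mpo_inpcb_sosetlabel = stub_inpcb_sosetlabel,
	.mpo_execve_transition = stub_execve_transition,
	.mpo_execve_will_transition = stub_execve_will_transition,
	.mpo_create_proc0 = stub_create_proc0,
	.mpo_create_proc1 = stub_create_proc1,
	.mpo_relabel_cred = stub_relabel_cred,
	.mpo_thread_userret = stub_thread_userret,
	.mpo_check_bpfdesc_receive = stub_check_bpfdesc_receive,
	.mpo_check_cred_relabel = stub_check_cred_relabel,
	.mpo_check_cred_visible = stub_check_cred_visible,
	.mpo_check_ifnet_relabel = stub_check_ifnet_relabel,
	.mpo_check_ifnet_transmit = stub_check_ifnet_transmit,
	.mpo_check_inpcb_deliver = stub_check_inpcb_deliver,
	.mpo_check_kenv_dump = stub_check_kenv_dump,
	.mpo_check_kenv_get = stub_check_kenv_get,
	.mpo_check_kenv_set = stub_check_kenv_set,
	.mpo_check_kenv_unset = stub_check_kenv_unset,
	.mpo_check_kld_load = stub_check_kld_load,
	.mpo_check_kld_stat = stub_check_kld_stat,
	.mpo_check_kld_unload = stub_check_kld_unload,
	.mpo_check_mount_stat = stub_check_mount_stat,
	.mpo_check_pipe_ioctl = stub_check_pipe_ioctl,
	.mpo_check_pipe_poll = stub_check_pipe_poll,
	.mpo_check_pipe_read = stub_check_pipe_read,
	.mpo_check_pipe_relabel = stub_check_pipe_relabel,
	.mpo_check_pipe_stat = stub_check_pipe_stat,
	.mpo_check_pipe_write = stub_check_pipe_write,
	.mpo_check_proc_debug = stub_check_proc_debug,
	.mpo_check_proc_sched = stub_check_proc_sched,
	.mpo_check_proc_signal = stub_check_proc_signal,
	.mpo_check_socket_bind = stub_check_socket_bind,
	.mpo_check_socket_connect = stub_check_socket_connect,
	.mpo_check_socket_deliver = stub_check_socket_deliver,
	.mpo_check_socket_listen = stub_check_socket_listen,
	.mpo_check_socket_relabel = stub_check_socket_relabel,
	.mpo_check_socket_visible = stub_check_socket_visible,
	.mpo_check_sysarch_ioperm = stub_check_sysarch_ioperm,
	.mpo_check_system_acct = stub_check_system_acct,
	.mpo_check_system_reboot = stub_check_system_reboot,
	.mpo_check_system_settime = stub_check_system_settime,
	.mpo_check_system_swapon = stub_check_system_swapon,
	.mpo_check_system_swapoff = stub_check_system_swapoff,
	.mpo_check_system_sysctl = stub_check_system_sysctl,
	.mpo_check_vnode_access = stub_check_vnode_access,
	.mpo_check_vnode_chdir = stub_check_vnode_chdir,
	.mpo_check_vnode_chroot = stub_check_vnode_chroot,
	.mpo_check_vnode_create = stub_check_vnode_create,
	.mpo_check_vnode_delete = stub_check_vnode_delete,
	.mpo_check_vnode_deleteacl = stub_check_vnode_deleteacl,
	.mpo_check_vnode_deleteextattr = stub_check_vnode_deleteextattr,
	.mpo_check_vnode_exec = stub_check_vnode_exec,
	.mpo_check_vnode_getacl = stub_check_vnode_getacl,
	.mpo_check_vnode_getextattr = stub_check_vnode_getextattr,
	.mpo_check_vnode_link = stub_check_vnode_link,
	.mpo_check_vnode_listextattr = stub_check_vnode_listextattr,
	.mpo_check_vnode_lookup = stub_check_vnode_lookup,
	.mpo_check_vnode_mmap = stub_check_vnode_mmap,
	.mpo_check_vnode_mprotect = stub_check_vnode_mprotect,
	.mpo_check_vnode_open = stub_check_vnode_open,
	.mpo_check_vnode_poll = stub_check_vnode_poll,
	.mpo_check_vnode_read = stub_check_vnode_read,
	.mpo_check_vnode_readdir = stub_check_vnode_readdir,
	.mpo_check_vnode_readlink = stub_check_vnode_readlink,
	.mpo_check_vnode_relabel = stub_check_vnode_relabel,
	.mpo_check_vnode_rename_from = stub_check_vnode_rename_from,
	.mpo_check_vnode_rename_to = stub_check_vnode_rename_to,
	.mpo_check_vnode_revoke = stub_check_vnode_revoke,
	.mpo_check_vnode_setacl = stub_check_vnode_setacl,
	.mpo_check_vnode_setextattr = stub_check_vnode_setextattr,
	.mpo_check_vnode_setflags = stub_check_vnode_setflags,
	.mpo_check_vnode_setmode = stub_check_vnode_setmode,
	.mpo_check_vnode_setowner = stub_check_vnode_setowner,
	.mpo_check_vnode_setutimes = stub_check_vnode_setutimes,
	.mpo_check_vnode_stat = stub_check_vnode_stat,
	.mpo_check_vnode_write = stub_check_vnode_write,
};

/*
 * Register the policy.  MPC_LOADTIME_FLAG_UNLOADOK marks the module as
 * safe to unload at run time, which is acceptable here only because the
 * stub holds no label state and enforces nothing.
 */
MAC_POLICY_SET(&mac_stub_ops, mac_stub, "TrustedBSD MAC/Stub",
    MPC_LOADTIME_FLAG_UNLOADOK, NULL);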