diff options
author | Robert Watson <rwatson@FreeBSD.org> | 2007-10-29 13:33:06 +0000 |
---|---|---|
committer | Robert Watson <rwatson@FreeBSD.org> | 2007-10-29 13:33:06 +0000 |
commit | eb320b0ee7503d0bf2b7c0ecdc59c2d82cf301d0 (patch) | |
tree | b5d3ede5fbbf1cb40c13deb6bb8e406ce58b639e /sys/security/mac_biba | |
parent | e0cb3d9c5cd1d02f0feff1bc79515ced8a278825 (diff) | |
download | src-test2-eb320b0ee7503d0bf2b7c0ecdc59c2d82cf301d0.tar.gz src-test2-eb320b0ee7503d0bf2b7c0ecdc59c2d82cf301d0.zip |
Notes
Diffstat (limited to 'sys/security/mac_biba')
-rw-r--r-- | sys/security/mac_biba/mac_biba.c | 2248 |
1 files changed, 1128 insertions, 1120 deletions
diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c index 72f974519c7f..052e8f326ee6 100644 --- a/sys/security/mac_biba/mac_biba.c +++ b/sys/security/mac_biba/mac_biba.c @@ -774,391 +774,252 @@ biba_copy_label(struct label *src, struct label *dest) } /* - * Labeling event operations: file system objects, and things that look a lot - * like file system objects. + * Object-specific entry point implementations are sorted alphabetically by + * object type name and then by operation. */ -static void -biba_devfs_create_device(struct ucred *cred, struct mount *mp, - struct cdev *dev, struct devfs_dirent *de, struct label *delabel) -{ - struct mac_biba *mb; - int biba_type; - - mb = SLOT(delabel); - if (strcmp(dev->si_name, "null") == 0 || - strcmp(dev->si_name, "zero") == 0 || - strcmp(dev->si_name, "random") == 0 || - strncmp(dev->si_name, "fd/", strlen("fd/")) == 0) - biba_type = MAC_BIBA_TYPE_EQUAL; - else if (ptys_equal && - (strncmp(dev->si_name, "ttyp", strlen("ttyp")) == 0 || - strncmp(dev->si_name, "ptyp", strlen("ptyp")) == 0)) - biba_type = MAC_BIBA_TYPE_EQUAL; - else - biba_type = MAC_BIBA_TYPE_HIGH; - biba_set_effective(mb, biba_type, 0, NULL); -} - -static void -biba_devfs_create_directory(struct mount *mp, char *dirname, int dirnamelen, - struct devfs_dirent *de, struct label *delabel) +static int +biba_bpfdesc_check_receive(struct bpf_d *d, struct label *dlabel, + struct ifnet *ifp, struct label *ifplabel) { - struct mac_biba *mb; - - mb = SLOT(delabel); - - biba_set_effective(mb, MAC_BIBA_TYPE_HIGH, 0, NULL); -} + struct mac_biba *a, *b; -static void -biba_devfs_create_symlink(struct ucred *cred, struct mount *mp, - struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de, - struct label *delabel) -{ - struct mac_biba *source, *dest; + if (!biba_enabled) + return (0); - source = SLOT(cred->cr_label); - dest = SLOT(delabel); + a = SLOT(dlabel); + b = SLOT(ifplabel); - biba_copy_effective(source, dest); + if (biba_equal_effective(a, b)) + return (0); + return (EACCES); } static void -biba_mount_create(struct ucred *cred, struct mount *mp, - struct label *mplabel) +biba_bpfdesc_create(struct ucred *cred, struct bpf_d *d, + struct label *dlabel) { struct mac_biba *source, *dest; source = SLOT(cred->cr_label); - dest = SLOT(mplabel); + dest = SLOT(dlabel); biba_copy_effective(source, dest); } static void -biba_vnode_relabel(struct ucred *cred, struct vnode *vp, - struct label *vplabel, struct label *newlabel) -{ - struct mac_biba *source, *dest; - - source = SLOT(newlabel); - dest = SLOT(vplabel); - - biba_copy(source, dest); -} - -static void -biba_devfs_update(struct mount *mp, struct devfs_dirent *de, - struct label *delabel, struct vnode *vp, struct label *vplabel) -{ - struct mac_biba *source, *dest; - - source = SLOT(vplabel); - dest = SLOT(delabel); - - biba_copy(source, dest); -} - -static void -biba_devfs_vnode_associate(struct mount *mp, struct label *mntlabel, - struct devfs_dirent *de, struct label *delabel, struct vnode *vp, - struct label *vplabel) +biba_bpfdesc_create_mbuf(struct bpf_d *d, struct label *dlabel, + struct mbuf *m, struct label *mlabel) { struct mac_biba *source, *dest; - source = SLOT(delabel); - dest = SLOT(vplabel); + source = SLOT(dlabel); + dest = SLOT(mlabel); biba_copy_effective(source, dest); } static int -biba_vnode_associate_extattr(struct mount *mp, struct label *mplabel, - struct vnode *vp, struct label *vplabel) +biba_cred_check_relabel(struct ucred *cred, struct label *newlabel) { - struct mac_biba mb_temp, *source, *dest; - int buflen, error; - - source = SLOT(mplabel); - dest = SLOT(vplabel); + struct mac_biba *subj, *new; + int error; - buflen = sizeof(mb_temp); - bzero(&mb_temp, buflen); + subj = SLOT(cred->cr_label); + new = SLOT(newlabel); - error = vn_extattr_get(vp, IO_NODELOCKED, MAC_BIBA_EXTATTR_NAMESPACE, - MAC_BIBA_EXTATTR_NAME, &buflen, (char *) &mb_temp, curthread); - if (error == ENOATTR || error == EOPNOTSUPP) { - /* Fall back to the mntlabel. */ - biba_copy_effective(source, dest); - return (0); - } else if (error) + /* + * If there is a Biba label update for the credential, it may + * be an update of the effective, range, or both. + */ + error = biba_atmostflags(new, MAC_BIBA_FLAGS_BOTH); + if (error) return (error); - if (buflen != sizeof(mb_temp)) { - printf("biba_vnode_associate_extattr: bad size %d\n", - buflen); - return (EPERM); - } - if (biba_valid(&mb_temp) != 0) { - printf("biba_vnode_associate_extattr: invalid\n"); - return (EPERM); - } - if ((mb_temp.mb_flags & MAC_BIBA_FLAGS_BOTH) != - MAC_BIBA_FLAG_EFFECTIVE) { - printf("biba_vnode_associate_extattr: not effective\n"); - return (EPERM); - } - - biba_copy_effective(&mb_temp, dest); - return (0); -} - -static void -biba_vnode_associate_singlelabel(struct mount *mp, struct label *mplabel, - struct vnode *vp, struct label *vplabel) -{ - struct mac_biba *source, *dest; - - source = SLOT(mplabel); - dest = SLOT(vplabel); - - biba_copy_effective(source, dest); -} + /* + * If the Biba label is to be changed, authorize as appropriate. + */ + if (new->mb_flags & MAC_BIBA_FLAGS_BOTH) { + /* + * If the change request modifies both the Biba label + * effective and range, check that the new effective will be + * in the new range. + */ + if ((new->mb_flags & MAC_BIBA_FLAGS_BOTH) == + MAC_BIBA_FLAGS_BOTH && + !biba_effective_in_range(new, new)) + return (EINVAL); -static int -biba_vnode_create_extattr(struct ucred *cred, struct mount *mp, - struct label *mplabel, struct vnode *dvp, struct label *dvplabel, - struct vnode *vp, struct label *vplabel, struct componentname *cnp) -{ - struct mac_biba *source, *dest, mb_temp; - size_t buflen; - int error; + /* + * To change the Biba effective label on a credential, the + * new effective label must be in the current range. + */ + if (new->mb_flags & MAC_BIBA_FLAG_EFFECTIVE && + !biba_effective_in_range(new, subj)) + return (EPERM); - buflen = sizeof(mb_temp); - bzero(&mb_temp, buflen); + /* + * To change the Biba range on a credential, the new range + * label must be in the current range. + */ + if (new->mb_flags & MAC_BIBA_FLAG_RANGE && + !biba_range_in_range(new, subj)) + return (EPERM); - source = SLOT(cred->cr_label); - dest = SLOT(vplabel); - biba_copy_effective(source, &mb_temp); + /* + * To have EQUAL in any component of the new credential Biba + * label, the subject must already have EQUAL in their label. + */ + if (biba_contains_equal(new)) { + error = biba_subject_privileged(subj); + if (error) + return (error); + } + } - error = vn_extattr_set(vp, IO_NODELOCKED, MAC_BIBA_EXTATTR_NAMESPACE, - MAC_BIBA_EXTATTR_NAME, buflen, (char *) &mb_temp, curthread); - if (error == 0) - biba_copy_effective(source, dest); - return (error); + return (0); } static int -biba_vnode_setlabel_extattr(struct ucred *cred, struct vnode *vp, - struct label *vplabel, struct label *intlabel) +biba_cred_check_visible(struct ucred *u1, struct ucred *u2) { - struct mac_biba *source, mb_temp; - size_t buflen; - int error; - - buflen = sizeof(mb_temp); - bzero(&mb_temp, buflen); + struct mac_biba *subj, *obj; - source = SLOT(intlabel); - if ((source->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) == 0) + if (!biba_enabled) return (0); - biba_copy_effective(source, &mb_temp); - - error = vn_extattr_set(vp, IO_NODELOCKED, MAC_BIBA_EXTATTR_NAMESPACE, - MAC_BIBA_EXTATTR_NAME, buflen, (char *) &mb_temp, curthread); - return (error); -} - -/* - * Labeling event operations: IPC object. - */ -static void -biba_inpcb_create(struct socket *so, struct label *solabel, - struct inpcb *inp, struct label *inplabel) -{ - struct mac_biba *source, *dest; - - source = SLOT(solabel); - dest = SLOT(inplabel); - - biba_copy_effective(source, dest); -} - -static void -biba_socket_create_mbuf(struct socket *so, struct label *solabel, - struct mbuf *m, struct label *mlabel) -{ - struct mac_biba *source, *dest; - - source = SLOT(solabel); - dest = SLOT(mlabel); - - biba_copy_effective(source, dest); -} - -static void -biba_socket_create(struct ucred *cred, struct socket *so, - struct label *solabel) -{ - struct mac_biba *source, *dest; - - source = SLOT(cred->cr_label); - dest = SLOT(solabel); - - biba_copy_effective(source, dest); -} - -static void -biba_pipe_create(struct ucred *cred, struct pipepair *pp, - struct label *pplabel) -{ - struct mac_biba *source, *dest; - - source = SLOT(cred->cr_label); - dest = SLOT(pplabel); - - biba_copy_effective(source, dest); -} - -static void -biba_posixsem_create(struct ucred *cred, struct ksem *ks, - struct label *kslabel) -{ - struct mac_biba *source, *dest; - - source = SLOT(cred->cr_label); - dest = SLOT(kslabel); - - biba_copy_effective(source, dest); -} - -static void -biba_socket_newconn(struct socket *oldso, struct label *oldsolabel, - struct socket *newso, struct label *newsolabel) -{ - struct mac_biba *source, *dest; + subj = SLOT(u1->cr_label); + obj = SLOT(u2->cr_label); - source = SLOT(oldsolabel); - dest = SLOT(newsolabel); + /* XXX: range */ + if (!biba_dominate_effective(obj, subj)) + return (ESRCH); - biba_copy_effective(source, dest); + return (0); } static void -biba_socket_relabel(struct ucred *cred, struct socket *so, - struct label *solabel, struct label *newlabel) +biba_cred_relabel(struct ucred *cred, struct label *newlabel) { struct mac_biba *source, *dest; source = SLOT(newlabel); - dest = SLOT(solabel); + dest = SLOT(cred->cr_label); biba_copy(source, dest); } static void -biba_pipe_relabel(struct ucred *cred, struct pipepair *pp, - struct label *pplabel, struct label *newlabel) +biba_devfs_create_device(struct ucred *cred, struct mount *mp, + struct cdev *dev, struct devfs_dirent *de, struct label *delabel) { - struct mac_biba *source, *dest; - - source = SLOT(newlabel); - dest = SLOT(pplabel); + struct mac_biba *mb; + int biba_type; - biba_copy(source, dest); + mb = SLOT(delabel); + if (strcmp(dev->si_name, "null") == 0 || + strcmp(dev->si_name, "zero") == 0 || + strcmp(dev->si_name, "random") == 0 || + strncmp(dev->si_name, "fd/", strlen("fd/")) == 0) + biba_type = MAC_BIBA_TYPE_EQUAL; + else if (ptys_equal && + (strncmp(dev->si_name, "ttyp", strlen("ttyp")) == 0 || + strncmp(dev->si_name, "ptyp", strlen("ptyp")) == 0)) + biba_type = MAC_BIBA_TYPE_EQUAL; + else + biba_type = MAC_BIBA_TYPE_HIGH; + biba_set_effective(mb, biba_type, 0, NULL); } static void -biba_socketpeer_set_from_mbuf(struct mbuf *m, struct label *mlabel, - struct socket *so, struct label *sopeerlabel) +biba_devfs_create_directory(struct mount *mp, char *dirname, int dirnamelen, + struct devfs_dirent *de, struct label *delabel) { - struct mac_biba *source, *dest; + struct mac_biba *mb; - source = SLOT(mlabel); - dest = SLOT(sopeerlabel); + mb = SLOT(delabel); - biba_copy_effective(source, dest); + biba_set_effective(mb, MAC_BIBA_TYPE_HIGH, 0, NULL); } -/* - * Labeling event operations: System V IPC objects. - */ static void -biba_sysvmsg_create(struct ucred *cred, struct msqid_kernel *msqkptr, - struct label *msqlabel, struct msg *msgptr, struct label *msglabel) +biba_devfs_create_symlink(struct ucred *cred, struct mount *mp, + struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de, + struct label *delabel) { struct mac_biba *source, *dest; - /* Ignore the msgq label */ source = SLOT(cred->cr_label); - dest = SLOT(msglabel); + dest = SLOT(delabel); biba_copy_effective(source, dest); } static void -biba_sysvmsq_create(struct ucred *cred, struct msqid_kernel *msqkptr, - struct label *msqlabel) +biba_devfs_update(struct mount *mp, struct devfs_dirent *de, + struct label *delabel, struct vnode *vp, struct label *vplabel) { struct mac_biba *source, *dest; - source = SLOT(cred->cr_label); - dest = SLOT(msqlabel); + source = SLOT(vplabel); + dest = SLOT(delabel); - biba_copy_effective(source, dest); + biba_copy(source, dest); } static void -biba_sysvsem_create(struct ucred *cred, struct semid_kernel *semakptr, - struct label *semalabel) +biba_devfs_vnode_associate(struct mount *mp, struct label *mntlabel, + struct devfs_dirent *de, struct label *delabel, struct vnode *vp, + struct label *vplabel) { struct mac_biba *source, *dest; - source = SLOT(cred->cr_label); - dest = SLOT(semalabel); + source = SLOT(delabel); + dest = SLOT(vplabel); biba_copy_effective(source, dest); } -static void -biba_sysvshm_create(struct ucred *cred, struct shmid_kernel *shmsegptr, - struct label *shmlabel) +static int +biba_ifnet_check_relabel(struct ucred *cred, struct ifnet *ifp, + struct label *ifplabel, struct label *newlabel) { - struct mac_biba *source, *dest; - - source = SLOT(cred->cr_label); - dest = SLOT(shmlabel); + struct mac_biba *subj, *new; + int error; - biba_copy_effective(source, dest); -} + subj = SLOT(cred->cr_label); + new = SLOT(newlabel); -/* - * Labeling event operations: network objects. - */ -static void -biba_socketpeer_set_from_socket(struct socket *oldso, - struct label *oldsolabel, struct socket *newso, - struct label *newsopeerlabel) -{ - struct mac_biba *source, *dest; + /* + * If there is a Biba label update for the interface, it may be an + * update of the effective, range, or both. + */ + error = biba_atmostflags(new, MAC_BIBA_FLAGS_BOTH); + if (error) + return (error); - source = SLOT(oldsolabel); - dest = SLOT(newsopeerlabel); + /* + * Relabling network interfaces requires Biba privilege. + */ + error = biba_subject_privileged(subj); + if (error) + return (error); - biba_copy_effective(source, dest); + return (0); } -static void -biba_bpfdesc_create(struct ucred *cred, struct bpf_d *d, - struct label *dlabel) +static int +biba_ifnet_check_transmit(struct ifnet *ifp, struct label *ifplabel, + struct mbuf *m, struct label *mlabel) { - struct mac_biba *source, *dest; + struct mac_biba *p, *i; - source = SLOT(cred->cr_label); - dest = SLOT(dlabel); + if (!biba_enabled) + return (0); - biba_copy_effective(source, dest); + p = SLOT(mlabel); + i = SLOT(ifplabel); + + return (biba_effective_in_range(p, i) ? 0 : EACCES); } static void @@ -1219,38 +1080,52 @@ set: } static void -biba_ipq_create(struct mbuf *m, struct label *mlabel, struct ipq *ipq, - struct label *ipqlabel) +biba_ifnet_create_mbuf(struct ifnet *ifp, struct label *ifplabel, + struct mbuf *m, struct label *mlabel) { struct mac_biba *source, *dest; - source = SLOT(mlabel); - dest = SLOT(ipqlabel); + source = SLOT(ifplabel); + dest = SLOT(mlabel); biba_copy_effective(source, dest); } static void -biba_ipq_reassemble(struct ipq *ipq, struct label *ipqlabel, struct mbuf *m, - struct label *mlabel) +biba_ifnet_relabel(struct ucred *cred, struct ifnet *ifp, + struct label *ifplabel, struct label *newlabel) { struct mac_biba *source, *dest; - source = SLOT(ipqlabel); - dest = SLOT(mlabel); + source = SLOT(newlabel); + dest = SLOT(ifplabel); - /* Just use the head, since we require them all to match. */ - biba_copy_effective(source, dest); + biba_copy(source, dest); +} + +static int +biba_inpcb_check_deliver(struct inpcb *inp, struct label *inplabel, + struct mbuf *m, struct label *mlabel) +{ + struct mac_biba *p, *i; + + if (!biba_enabled) + return (0); + + p = SLOT(mlabel); + i = SLOT(inplabel); + + return (biba_equal_effective(p, i) ? 0 : EACCES); } static void -biba_netinet_fragment(struct mbuf *m, struct label *mlabel, - struct mbuf *frag, struct label *fraglabel) +biba_inpcb_create(struct socket *so, struct label *solabel, + struct inpcb *inp, struct label *inplabel) { struct mac_biba *source, *dest; - source = SLOT(mlabel); - dest = SLOT(fraglabel); + source = SLOT(solabel); + dest = SLOT(inplabel); biba_copy_effective(source, dest); } @@ -1268,25 +1143,25 @@ biba_inpcb_create_mbuf(struct inpcb *inp, struct label *inplabel, } static void -biba_bpfdesc_create_mbuf(struct bpf_d *d, struct label *dlabel, - struct mbuf *m, struct label *mlabel) +biba_inpcb_sosetlabel(struct socket *so, struct label *solabel, + struct inpcb *inp, struct label *inplabel) { struct mac_biba *source, *dest; - source = SLOT(dlabel); - dest = SLOT(mlabel); + source = SLOT(solabel); + dest = SLOT(inplabel); - biba_copy_effective(source, dest); + biba_copy(source, dest); } static void -biba_ifnet_create_mbuf(struct ifnet *ifp, struct label *ifplabel, - struct mbuf *m, struct label *mlabel) +biba_ipq_create(struct mbuf *m, struct label *mlabel, struct ipq *ipq, + struct label *ipqlabel) { struct mac_biba *source, *dest; - source = SLOT(ifplabel); - dest = SLOT(mlabel); + source = SLOT(mlabel); + dest = SLOT(ipqlabel); biba_copy_effective(source, dest); } @@ -1304,15 +1179,16 @@ biba_ipq_match(struct mbuf *m, struct label *mlabel, struct ipq *ipq, } static void -biba_ifnet_relabel(struct ucred *cred, struct ifnet *ifp, - struct label *ifplabel, struct label *newlabel) +biba_ipq_reassemble(struct ipq *ipq, struct label *ipqlabel, struct mbuf *m, + struct label *mlabel) { struct mac_biba *source, *dest; - source = SLOT(newlabel); - dest = SLOT(ifplabel); + source = SLOT(ipqlabel); + dest = SLOT(mlabel); - biba_copy(source, dest); + /* Just use the head, since we require them all to match. */ + biba_copy_effective(source, dest); } static void @@ -1323,16 +1199,57 @@ biba_ipq_update(struct mbuf *m, struct label *mlabel, struct ipq *ipq, /* NOOP: we only accept matching labels, so no need to update */ } +static int +biba_kld_check_load(struct ucred *cred, struct vnode *vp, + struct label *vplabel) +{ + struct mac_biba *subj, *obj; + int error; + + if (!biba_enabled) + return (0); + + subj = SLOT(cred->cr_label); + + error = biba_subject_privileged(subj); + if (error) + return (error); + + obj = SLOT(vplabel); + if (!biba_high_effective(obj)) + return (EACCES); + + return (0); +} + +static int +biba_mount_check_stat(struct ucred *cred, struct mount *mp, + struct label *mplabel) +{ + struct mac_biba *subj, *obj; + + if (!biba_enabled) + return (0); + + subj = SLOT(cred->cr_label); + obj = SLOT(mplabel); + + if (!biba_dominate_effective(obj, subj)) + return (EACCES); + + return (0); +} + static void -biba_inpcb_sosetlabel(struct socket *so, struct label *solabel, - struct inpcb *inp, struct label *inplabel) +biba_mount_create(struct ucred *cred, struct mount *mp, + struct label *mplabel) { struct mac_biba *source, *dest; - source = SLOT(solabel); - dest = SLOT(inplabel); + source = SLOT(cred->cr_label); + dest = SLOT(mplabel); - biba_copy(source, dest); + biba_copy_effective(source, dest); } static void @@ -1381,6 +1298,18 @@ biba_netinet_firewall_send(struct mbuf *m, struct label *mlabel) } static void +biba_netinet_fragment(struct mbuf *m, struct label *mlabel, + struct mbuf *frag, struct label *fraglabel) +{ + struct mac_biba *source, *dest; + + source = SLOT(mlabel); + dest = SLOT(fraglabel); + + biba_copy_effective(source, dest); +} + +static void biba_netinet_icmp_reply(struct mbuf *mrecv, struct label *mrecvlabel, struct mbuf *msend, struct label *msendlabel) { @@ -1414,155 +1343,95 @@ biba_netinet6_nd6_send(struct ifnet *ifp, struct label *ifplabel, biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL); } -/* - * Labeling event operations: processes. - */ -static void -biba_proc_create_swapper(struct ucred *cred) -{ - struct mac_biba *dest; - - dest = SLOT(cred->cr_label); - - biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL); - biba_set_range(dest, MAC_BIBA_TYPE_LOW, 0, NULL, MAC_BIBA_TYPE_HIGH, - 0, NULL); -} - -static void -biba_proc_create_init(struct ucred *cred) -{ - struct mac_biba *dest; - - dest = SLOT(cred->cr_label); - - biba_set_effective(dest, MAC_BIBA_TYPE_HIGH, 0, NULL); - biba_set_range(dest, MAC_BIBA_TYPE_LOW, 0, NULL, MAC_BIBA_TYPE_HIGH, - 0, NULL); -} - -static void -biba_proc_associate_nfsd(struct ucred *cred) -{ - struct mac_biba *label; - - label = SLOT(cred->cr_label); - biba_set_effective(label, MAC_BIBA_TYPE_LOW, 0, NULL); - biba_set_range(label, MAC_BIBA_TYPE_LOW, 0, NULL, MAC_BIBA_TYPE_HIGH, - 0, NULL); -} - -static void -biba_cred_relabel(struct ucred *cred, struct label *newlabel) +static int +biba_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp, + struct label *pplabel, unsigned long cmd, void /* caddr_t */ *data) { - struct mac_biba *source, *dest; - - source = SLOT(newlabel); - dest = SLOT(cred->cr_label); - biba_copy(source, dest); -} + if(!biba_enabled) + return (0); -/* - * Label cleanup/flush operations - */ -static void -biba_sysvmsg_cleanup(struct label *msglabel) -{ + /* XXX: This will be implemented soon... */ - bzero(SLOT(msglabel), sizeof(struct mac_biba)); + return (0); } -static void -biba_sysvmsq_cleanup(struct label *msqlabel) +static int +biba_pipe_check_poll(struct ucred *cred, struct pipepair *pp, + struct label *pplabel) { + struct mac_biba *subj, *obj; - bzero(SLOT(msqlabel), sizeof(struct mac_biba)); -} + if (!biba_enabled) + return (0); -static void -biba_sysvsem_cleanup(struct label *semalabel) -{ + subj = SLOT(cred->cr_label); + obj = SLOT(pplabel); - bzero(SLOT(semalabel), sizeof(struct mac_biba)); -} + if (!biba_dominate_effective(obj, subj)) + return (EACCES); -static void -biba_sysvshm_cleanup(struct label *shmlabel) -{ - bzero(SLOT(shmlabel), sizeof(struct mac_biba)); + return (0); } -/* - * Access control checks. - */ static int -biba_bpfdesc_check_receive(struct bpf_d *d, struct label *dlabel, - struct ifnet *ifp, struct label *ifplabel) +biba_pipe_check_read(struct ucred *cred, struct pipepair *pp, + struct label *pplabel) { - struct mac_biba *a, *b; + struct mac_biba *subj, *obj; if (!biba_enabled) return (0); - a = SLOT(dlabel); - b = SLOT(ifplabel); + subj = SLOT(cred->cr_label); + obj = SLOT(pplabel); - if (biba_equal_effective(a, b)) - return (0); - return (EACCES); + if (!biba_dominate_effective(obj, subj)) + return (EACCES); + + return (0); } static int -biba_cred_check_relabel(struct ucred *cred, struct label *newlabel) +biba_pipe_check_relabel(struct ucred *cred, struct pipepair *pp, + struct label *pplabel, struct label *newlabel) { - struct mac_biba *subj, *new; + struct mac_biba *subj, *obj, *new; int error; - subj = SLOT(cred->cr_label); new = SLOT(newlabel); + subj = SLOT(cred->cr_label); + obj = SLOT(pplabel); /* - * If there is a Biba label update for the credential, it may - * be an update of the effective, range, or both. + * If there is a Biba label update for a pipe, it must be a effective + * update. */ - error = biba_atmostflags(new, MAC_BIBA_FLAGS_BOTH); + error = biba_atmostflags(new, MAC_BIBA_FLAG_EFFECTIVE); if (error) return (error); /* - * If the Biba label is to be changed, authorize as appropriate. + * To perform a relabel of a pipe (Biba label or not), Biba must + * authorize the relabel. */ - if (new->mb_flags & MAC_BIBA_FLAGS_BOTH) { - /* - * If the change request modifies both the Biba label - * effective and range, check that the new effective will be - * in the new range. - */ - if ((new->mb_flags & MAC_BIBA_FLAGS_BOTH) == - MAC_BIBA_FLAGS_BOTH && - !biba_effective_in_range(new, new)) - return (EINVAL); - - /* - * To change the Biba effective label on a credential, the - * new effective label must be in the current range. - */ - if (new->mb_flags & MAC_BIBA_FLAG_EFFECTIVE && - !biba_effective_in_range(new, subj)) - return (EPERM); + if (!biba_effective_in_range(obj, subj)) + return (EPERM); + /* + * If the Biba label is to be changed, authorize as appropriate. + */ + if (new->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) { /* - * To change the Biba range on a credential, the new range - * label must be in the current range. + * To change the Biba label on a pipe, the new pipe label + * must be in the subject range. */ - if (new->mb_flags & MAC_BIBA_FLAG_RANGE && - !biba_range_in_range(new, subj)) + if (!biba_effective_in_range(new, subj)) return (EPERM); /* - * To have EQUAL in any component of the new credential Biba - * label, the subject must already have EQUAL in their label. + * To change the Biba label on a pipe to be EQUAL, the + * subject must have appropriate privilege. */ if (biba_contains_equal(new)) { error = biba_subject_privileged(subj); @@ -1575,84 +1444,86 @@ biba_cred_check_relabel(struct ucred *cred, struct label *newlabel) } static int -biba_cred_check_visible(struct ucred *u1, struct ucred *u2) +biba_pipe_check_stat(struct ucred *cred, struct pipepair *pp, + struct label *pplabel) { struct mac_biba *subj, *obj; if (!biba_enabled) return (0); - subj = SLOT(u1->cr_label); - obj = SLOT(u2->cr_label); + subj = SLOT(cred->cr_label); + obj = SLOT(pplabel); - /* XXX: range */ if (!biba_dominate_effective(obj, subj)) - return (ESRCH); + return (EACCES); return (0); } static int -biba_ifnet_check_relabel(struct ucred *cred, struct ifnet *ifp, - struct label *ifplabel, struct label *newlabel) +biba_pipe_check_write(struct ucred *cred, struct pipepair *pp, + struct label *pplabel) { - struct mac_biba *subj, *new; - int error; + struct mac_biba *subj, *obj; - subj = SLOT(cred->cr_label); - new = SLOT(newlabel); + if (!biba_enabled) + return (0); - /* - * If there is a Biba label update for the interface, it may be an - * update of the effective, range, or both. - */ - error = biba_atmostflags(new, MAC_BIBA_FLAGS_BOTH); - if (error) - return (error); + subj = SLOT(cred->cr_label); + obj = SLOT(pplabel); - /* - * Relabling network interfaces requires Biba privilege. - */ - error = biba_subject_privileged(subj); - if (error) - return (error); + if (!biba_dominate_effective(subj, obj)) + return (EACCES); return (0); } -static int -biba_ifnet_check_transmit(struct ifnet *ifp, struct label *ifplabel, - struct mbuf *m, struct label *mlabel) +static void +biba_pipe_create(struct ucred *cred, struct pipepair *pp, + struct label *pplabel) { - struct mac_biba *p, *i; + struct mac_biba *source, *dest; - if (!biba_enabled) - return (0); + source = SLOT(cred->cr_label); + dest = SLOT(pplabel); - p = SLOT(mlabel); - i = SLOT(ifplabel); + biba_copy_effective(source, dest); +} - return (biba_effective_in_range(p, i) ? 0 : EACCES); +static void +biba_pipe_relabel(struct ucred *cred, struct pipepair *pp, + struct label *pplabel, struct label *newlabel) +{ + struct mac_biba *source, *dest; + + source = SLOT(newlabel); + dest = SLOT(pplabel); + + biba_copy(source, dest); } static int -biba_inpcb_check_deliver(struct inpcb *inp, struct label *inplabel, - struct mbuf *m, struct label *mlabel) +biba_posixsem_check_write(struct ucred *cred, struct ksem *ks, + struct label *kslabel) { - struct mac_biba *p, *i; + struct mac_biba *subj, *obj; if (!biba_enabled) return (0); - p = SLOT(mlabel); - i = SLOT(inplabel); + subj = SLOT(cred->cr_label); + obj = SLOT(kslabel); - return (biba_equal_effective(p, i) ? 0 : EACCES); + if (!biba_dominate_effective(subj, obj)) + return (EACCES); + + return (0); } static int -biba_sysvmsq_check_msgrcv(struct ucred *cred, struct msg *msgptr, - struct label *msglabel) +biba_posixsem_check_rdonly(struct ucred *cred, struct ksem *ks, + struct label *kslabel) { struct mac_biba *subj, *obj; @@ -1660,7 +1531,7 @@ biba_sysvmsq_check_msgrcv(struct ucred *cred, struct msg *msgptr, return (0); subj = SLOT(cred->cr_label); - obj = SLOT(msglabel); + obj = SLOT(kslabel); if (!biba_dominate_effective(obj, subj)) return (EACCES); @@ -1668,27 +1539,220 @@ biba_sysvmsq_check_msgrcv(struct ucred *cred, struct msg *msgptr, return (0); } +static void +biba_posixsem_create(struct ucred *cred, struct ksem *ks, + struct label *kslabel) +{ + struct mac_biba *source, *dest; + + source = SLOT(cred->cr_label); + dest = SLOT(kslabel); + + biba_copy_effective(source, dest); +} + +/* + * Some system privileges are allowed regardless of integrity grade; others + * are allowed only when running with privilege with respect to the Biba + * policy as they might otherwise allow bypassing of the integrity policy. + */ static int -biba_sysvmsq_check_msgrmid(struct ucred *cred, struct msg *msgptr, - struct label *msglabel) +biba_priv_check(struct ucred *cred, int priv) { - struct mac_biba *subj, *obj; + struct mac_biba *subj; + int error; if (!biba_enabled) return (0); - subj = SLOT(cred->cr_label); - obj = SLOT(msglabel); + /* + * Exempt only specific privileges from the Biba integrity policy. + */ + switch (priv) { + case PRIV_KTRACE: + case PRIV_MSGBUF: - if (!biba_dominate_effective(subj, obj)) - return (EACCES); + /* + * Allow processes to manipulate basic process audit properties, and + * to submit audit records. + */ + case PRIV_AUDIT_GETAUDIT: + case PRIV_AUDIT_SETAUDIT: + case PRIV_AUDIT_SUBMIT: + /* + * Allow processes to manipulate their regular UNIX credentials. + */ + case PRIV_CRED_SETUID: + case PRIV_CRED_SETEUID: + case PRIV_CRED_SETGID: + case PRIV_CRED_SETEGID: + case PRIV_CRED_SETGROUPS: + case PRIV_CRED_SETREUID: + case PRIV_CRED_SETREGID: + case PRIV_CRED_SETRESUID: + case PRIV_CRED_SETRESGID: + + /* + * Allow processes to perform system monitoring. + */ + case PRIV_SEEOTHERGIDS: + case PRIV_SEEOTHERUIDS: + break; + + /* + * Allow access to general process debugging facilities. We + * separately control debugging based on MAC label. + */ + case PRIV_DEBUG_DIFFCRED: + case PRIV_DEBUG_SUGID: + case PRIV_DEBUG_UNPRIV: + + /* + * Allow manipulating jails. + */ + case PRIV_JAIL_ATTACH: + + /* + * Allow privilege with respect to the Partition policy, but not the + * Privs policy. + */ + case PRIV_MAC_PARTITION: + + /* + * Allow privilege with respect to process resource limits and login + * context. + */ + case PRIV_PROC_LIMIT: + case PRIV_PROC_SETLOGIN: + case PRIV_PROC_SETRLIMIT: + + /* + * Allow System V and POSIX IPC privileges. + */ + case PRIV_IPC_READ: + case PRIV_IPC_WRITE: + case PRIV_IPC_ADMIN: + case PRIV_IPC_MSGSIZE: + case PRIV_MQ_ADMIN: + + /* + * Allow certain scheduler manipulations -- possibly this should be + * controlled by more fine-grained policy, as potentially low + * integrity processes can deny CPU to higher integrity ones. + */ + case PRIV_SCHED_DIFFCRED: + case PRIV_SCHED_SETPRIORITY: + case PRIV_SCHED_RTPRIO: + case PRIV_SCHED_SETPOLICY: + case PRIV_SCHED_SET: + case PRIV_SCHED_SETPARAM: + + /* + * More IPC privileges. + */ + case PRIV_SEM_WRITE: + + /* + * Allow signaling privileges subject to integrity policy. + */ + case PRIV_SIGNAL_DIFFCRED: + case PRIV_SIGNAL_SUGID: + + /* + * Allow access to only limited sysctls from lower integrity levels; + * piggy-back on the Jail definition. + */ + case PRIV_SYSCTL_WRITEJAIL: + + /* + * Allow TTY-based privileges, subject to general device access using + * labels on TTY device nodes, but not console privilege. + */ + case PRIV_TTY_DRAINWAIT: + case PRIV_TTY_DTRWAIT: + case PRIV_TTY_EXCLUSIVE: + case PRIV_TTY_PRISON: + case PRIV_TTY_STI: + case PRIV_TTY_SETA: + + /* + * Grant most VFS privileges, as almost all are in practice bounded + * by more specific checks using labels. + */ + case PRIV_VFS_READ: + case PRIV_VFS_WRITE: + case PRIV_VFS_ADMIN: + case PRIV_VFS_EXEC: + case PRIV_VFS_LOOKUP: + case PRIV_VFS_CHFLAGS_DEV: + case PRIV_VFS_CHOWN: + case PRIV_VFS_CHROOT: + case PRIV_VFS_RETAINSUGID: + case PRIV_VFS_EXCEEDQUOTA: + case PRIV_VFS_FCHROOT: + case PRIV_VFS_FHOPEN: + case PRIV_VFS_FHSTATFS: + case PRIV_VFS_GENERATION: + case PRIV_VFS_GETFH: + case PRIV_VFS_GETQUOTA: + case PRIV_VFS_LINK: + case PRIV_VFS_MOUNT: + case PRIV_VFS_MOUNT_OWNER: + case PRIV_VFS_MOUNT_PERM: + case PRIV_VFS_MOUNT_SUIDDIR: + case PRIV_VFS_MOUNT_NONUSER: + case PRIV_VFS_SETGID: + case PRIV_VFS_STICKYFILE: + case PRIV_VFS_SYSFLAGS: + case PRIV_VFS_UNMOUNT: + + /* + * Allow VM privileges; it would be nice if these were subject to + * resource limits. + */ + case PRIV_VM_MADV_PROTECT: + case PRIV_VM_MLOCK: + case PRIV_VM_MUNLOCK: + + /* + * Allow some but not all network privileges. In general, dont allow + * reconfiguring the network stack, just normal use. + */ + case PRIV_NETATALK_RESERVEDPORT: + case PRIV_NETINET_RESERVEDPORT: + case PRIV_NETINET_RAW: + case PRIV_NETINET_REUSEPORT: + case PRIV_NETIPX_RESERVEDPORT: + case PRIV_NETIPX_RAW: + break; + + /* + * All remaining system privileges are allow only if the process + * holds privilege with respect to the Biba policy. + */ + default: + subj = SLOT(cred->cr_label); + error = biba_subject_privileged(subj); + if (error) + return (error); + } return (0); } +static void +biba_proc_associate_nfsd(struct ucred *cred) +{ + struct mac_biba *label; + + label = SLOT(cred->cr_label); + biba_set_effective(label, MAC_BIBA_TYPE_LOW, 0, NULL); + biba_set_range(label, MAC_BIBA_TYPE_LOW, 0, NULL, MAC_BIBA_TYPE_HIGH, + 0, NULL); +} + static int -biba_sysvmsq_check_msqget(struct ucred *cred, struct msqid_kernel *msqkptr, - struct label *msqklabel) +biba_proc_check_debug(struct ucred *cred, struct proc *p) { struct mac_biba *subj, *obj; @@ -1696,17 +1760,19 @@ biba_sysvmsq_check_msqget(struct ucred *cred, struct msqid_kernel *msqkptr, return (0); subj = SLOT(cred->cr_label); - obj = SLOT(msqklabel); + obj = SLOT(p->p_ucred->cr_label); + /* XXX: range checks */ if (!biba_dominate_effective(obj, subj)) + return (ESRCH); + if (!biba_dominate_effective(subj, obj)) return (EACCES); return (0); } static int -biba_sysvmsq_check_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr, - struct label *msqklabel) +biba_proc_check_sched(struct ucred *cred, struct proc *p) { struct mac_biba *subj, *obj; @@ -1714,8 +1780,11 @@ biba_sysvmsq_check_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr, return (0); subj = SLOT(cred->cr_label); - obj = SLOT(msqklabel); + obj = SLOT(p->p_ucred->cr_label); + /* XXX: range checks */ + if (!biba_dominate_effective(obj, subj)) + return (ESRCH); if (!biba_dominate_effective(subj, obj)) return (EACCES); @@ -1723,8 +1792,7 @@ biba_sysvmsq_check_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr, } static int -biba_sysvmsq_check_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr, - struct label *msqklabel) +biba_proc_check_signal(struct ucred *cred, struct proc *p, int signum) { struct mac_biba *subj, *obj; @@ -1732,86 +1800,110 @@ biba_sysvmsq_check_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr, return (0); subj = SLOT(cred->cr_label); - obj = SLOT(msqklabel); + obj = SLOT(p->p_ucred->cr_label); + /* XXX: range checks */ if (!biba_dominate_effective(obj, subj)) + return (ESRCH); + if (!biba_dominate_effective(subj, obj)) return (EACCES); return (0); } static int -biba_sysvmsq_check_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr, - struct label *msqklabel, int cmd) +biba_socket_check_deliver(struct socket *so, struct label *solabel, + struct mbuf *m, struct label *mlabel) { - struct mac_biba *subj, *obj; + struct mac_biba *p, *s; if (!biba_enabled) return (0); - subj = SLOT(cred->cr_label); - obj = SLOT(msqklabel); + p = SLOT(mlabel); + s = SLOT(solabel); - switch(cmd) { - case IPC_RMID: - case IPC_SET: - if (!biba_dominate_effective(subj, obj)) - return (EACCES); - break; + return (biba_equal_effective(p, s) ? 0 : EACCES); +} - case IPC_STAT: - if (!biba_dominate_effective(obj, subj)) - return (EACCES); - break; +static void +biba_proc_create_init(struct ucred *cred) +{ + struct mac_biba *dest; - default: - return (EACCES); - } + dest = SLOT(cred->cr_label); - return (0); + biba_set_effective(dest, MAC_BIBA_TYPE_HIGH, 0, NULL); + biba_set_range(dest, MAC_BIBA_TYPE_LOW, 0, NULL, MAC_BIBA_TYPE_HIGH, + 0, NULL); } -static int -biba_sysvsem_check_semctl(struct ucred *cred, struct semid_kernel *semakptr, - struct label *semaklabel, int cmd) +static void +biba_proc_create_swapper(struct ucred *cred) { - struct mac_biba *subj, *obj; + struct mac_biba *dest; - if (!biba_enabled) - return (0); + dest = SLOT(cred->cr_label); + biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL); + biba_set_range(dest, MAC_BIBA_TYPE_LOW, 0, NULL, MAC_BIBA_TYPE_HIGH, + 0, NULL); +} + +static int +biba_socket_check_relabel(struct ucred *cred, struct socket *so, + struct label *solabel, struct label *newlabel) +{ + struct mac_biba *subj, *obj, *new; + int error; + + new = SLOT(newlabel); subj = SLOT(cred->cr_label); - obj = SLOT(semaklabel); + obj = SLOT(solabel); - switch(cmd) { - case IPC_RMID: - case IPC_SET: - case SETVAL: - case SETALL: - if (!biba_dominate_effective(subj, obj)) - return (EACCES); - break; + /* + * If there is a Biba label update for the socket, it may be an + * update of effective. + */ + error = biba_atmostflags(new, MAC_BIBA_FLAG_EFFECTIVE); + if (error) + return (error); - case IPC_STAT: - case GETVAL: - case GETPID: - case GETNCNT: - case GETZCNT: - case GETALL: - if (!biba_dominate_effective(obj, subj)) - return (EACCES); - break; + /* + * To relabel a socket, the old socket effective must be in the + * subject range. + */ + if (!biba_effective_in_range(obj, subj)) + return (EPERM); - default: - return (EACCES); + /* + * If the Biba label is to be changed, authorize as appropriate. + */ + if (new->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) { + /* + * To relabel a socket, the new socket effective must be in + * the subject range. + */ + if (!biba_effective_in_range(new, subj)) + return (EPERM); + + /* + * To change the Biba label on the socket to contain EQUAL, + * the subject must have appropriate privilege. + */ + if (biba_contains_equal(new)) { + error = biba_subject_privileged(subj); + if (error) + return (error); + } } return (0); } static int -biba_sysvsem_check_semget(struct ucred *cred, struct semid_kernel *semakptr, - struct label *semaklabel) +biba_socket_check_visible(struct ucred *cred, struct socket *so, + struct label *solabel) { struct mac_biba *subj, *obj; @@ -1819,111 +1911,110 @@ biba_sysvsem_check_semget(struct ucred *cred, struct semid_kernel *semakptr, return (0); subj = SLOT(cred->cr_label); - obj = SLOT(semaklabel); + obj = SLOT(solabel); if (!biba_dominate_effective(obj, subj)) - return (EACCES); + return (ENOENT); return (0); } -static int -biba_sysvsem_check_semop(struct ucred *cred, struct semid_kernel *semakptr, - struct label *semaklabel, size_t accesstype) +static void +biba_socket_create(struct ucred *cred, struct socket *so, + struct label *solabel) { - struct mac_biba *subj, *obj; + struct mac_biba *source, *dest; - if (!biba_enabled) - return (0); + source = SLOT(cred->cr_label); + dest = SLOT(solabel); - subj = SLOT(cred->cr_label); - obj = SLOT(semaklabel); + biba_copy_effective(source, dest); +} - if (accesstype & SEM_R) - if (!biba_dominate_effective(obj, subj)) - return (EACCES); +static void +biba_socket_create_mbuf(struct socket *so, struct label *solabel, + struct mbuf *m, struct label *mlabel) +{ + struct mac_biba *source, *dest; - if (accesstype & SEM_A) - if (!biba_dominate_effective(subj, obj)) - return (EACCES); + source = SLOT(solabel); + dest = SLOT(mlabel); - return (0); + biba_copy_effective(source, dest); } -static int -biba_sysvshm_check_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr, - struct label *shmseglabel, int shmflg) +static void +biba_socket_newconn(struct socket *oldso, struct label *oldsolabel, + struct socket *newso, struct label *newsolabel) { - struct mac_biba *subj, *obj; - - if (!biba_enabled) - return (0); + struct mac_biba *source, *dest; - subj = SLOT(cred->cr_label); - obj = SLOT(shmseglabel); + source = SLOT(oldsolabel); + dest = SLOT(newsolabel); - if (!biba_dominate_effective(obj, subj)) - return (EACCES); - if ((shmflg & SHM_RDONLY) == 0) { - if (!biba_dominate_effective(subj, obj)) - return (EACCES); - } - - return (0); + biba_copy_effective(source, dest); } -static int -biba_sysvshm_check_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr, - struct label *shmseglabel, int cmd) +static void +biba_socket_relabel(struct ucred *cred, struct socket *so, + struct label *solabel, struct label *newlabel) { - struct mac_biba *subj, *obj; - - if (!biba_enabled) - return (0); + struct mac_biba *source, *dest; - subj = SLOT(cred->cr_label); - obj = SLOT(shmseglabel); + source = SLOT(newlabel); + dest = SLOT(solabel); - switch(cmd) { - case IPC_RMID: - case IPC_SET: - if (!biba_dominate_effective(subj, obj)) - return (EACCES); - break; + biba_copy(source, dest); +} - case IPC_STAT: - case SHM_STAT: - if (!biba_dominate_effective(obj, subj)) - return (EACCES); - break; +static void +biba_socketpeer_set_from_mbuf(struct mbuf *m, struct label *mlabel, + struct socket *so, struct label *sopeerlabel) +{ + struct mac_biba *source, *dest; - default: - return (EACCES); - } + source = SLOT(mlabel); + dest = SLOT(sopeerlabel); - return (0); + biba_copy_effective(source, dest); } -static int -biba_sysvshm_check_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr, - struct label *shmseglabel, int shmflg) +static void +biba_socketpeer_set_from_socket(struct socket *oldso, + struct label *oldsolabel, struct socket *newso, + struct label *newsopeerlabel) { - struct mac_biba *subj, *obj; + struct mac_biba *source, *dest; - if (!biba_enabled) - return (0); + source = SLOT(oldsolabel); + dest = SLOT(newsopeerlabel); - subj = SLOT(cred->cr_label); - obj = SLOT(shmseglabel); + biba_copy_effective(source, dest); +} - if (!biba_dominate_effective(obj, subj)) - return (EACCES); +static void +biba_syncache_create(struct label *label, struct inpcb *inp) +{ + struct mac_biba *source, *dest; - return (0); + source = SLOT(inp->inp_label); + dest = SLOT(label); + biba_copy_effective(source, dest); +} + +static void +biba_syncache_create_mbuf(struct label *sc_label, struct mbuf *m, + struct label *mlabel) +{ + struct mac_biba *source, *dest; + + source = SLOT(sc_label); + dest = SLOT(mlabel); + biba_copy_effective(source, dest); } static int -biba_kld_check_load(struct ucred *cred, struct vnode *vp, +biba_system_check_acct(struct ucred *cred, struct vnode *vp, struct label *vplabel) { struct mac_biba *subj, *obj; @@ -1938,6 +2029,9 @@ biba_kld_check_load(struct ucred *cred, struct vnode *vp, if (error) return (error); + if (vplabel == NULL) + return (0); + obj = SLOT(vplabel); if (!biba_high_effective(obj)) return (EACCES); @@ -1946,144 +2040,142 @@ biba_kld_check_load(struct ucred *cred, struct vnode *vp, } static int -biba_mount_check_stat(struct ucred *cred, struct mount *mp, - struct label *mplabel) +biba_system_check_auditctl(struct ucred *cred, struct vnode *vp, + struct label *vplabel) { struct mac_biba *subj, *obj; + int error; if (!biba_enabled) return (0); subj = SLOT(cred->cr_label); - obj = SLOT(mplabel); - if (!biba_dominate_effective(obj, subj)) + error = biba_subject_privileged(subj); + if (error) + return (error); + + if (vplabel == NULL) + return (0); + + obj = SLOT(vplabel); + if (!biba_high_effective(obj)) return (EACCES); return (0); } static int -biba_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp, - struct label *pplabel, unsigned long cmd, void /* caddr_t */ *data) +biba_system_check_auditon(struct ucred *cred, int cmd) { + struct mac_biba *subj; + int error; - if(!biba_enabled) + if (!biba_enabled) return (0); - /* XXX: This will be implemented soon... */ + subj = SLOT(cred->cr_label); + + error = biba_subject_privileged(subj); + if (error) + return (error); return (0); } static int -biba_pipe_check_poll(struct ucred *cred, struct pipepair *pp, - struct label *pplabel) +biba_system_check_swapoff(struct ucred *cred, struct vnode *vp, + struct label *label) { - struct mac_biba *subj, *obj; + struct mac_biba *subj; + int error; if (!biba_enabled) return (0); subj = SLOT(cred->cr_label); - obj = SLOT(pplabel); - if (!biba_dominate_effective(obj, subj)) - return (EACCES); + error = biba_subject_privileged(subj); + if (error) + return (error); return (0); } static int -biba_pipe_check_read(struct ucred *cred, struct pipepair *pp, - struct label *pplabel) +biba_system_check_swapon(struct ucred *cred, struct vnode *vp, + struct label *vplabel) { struct mac_biba *subj, *obj; + int error; if (!biba_enabled) return (0); subj = SLOT(cred->cr_label); - obj = SLOT(pplabel); + obj = SLOT(vplabel); - if (!biba_dominate_effective(obj, subj)) + error = biba_subject_privileged(subj); + if (error) + return (error); + + if (!biba_high_effective(obj)) return (EACCES); return (0); } static int -biba_pipe_check_relabel(struct ucred *cred, struct pipepair *pp, - struct label *pplabel, struct label *newlabel) +biba_system_check_sysctl(struct ucred *cred, struct sysctl_oid *oidp, + void *arg1, int arg2, struct sysctl_req *req) { - struct mac_biba *subj, *obj, *new; + struct mac_biba *subj; int error; - new = SLOT(newlabel); - subj = SLOT(cred->cr_label); - obj = SLOT(pplabel); - - /* - * If there is a Biba label update for a pipe, it must be a effective - * update. - */ - error = biba_atmostflags(new, MAC_BIBA_FLAG_EFFECTIVE); - if (error) - return (error); + if (!biba_enabled) + return (0); - /* - * To perform a relabel of a pipe (Biba label or not), Biba must - * authorize the relabel. - */ - if (!biba_effective_in_range(obj, subj)) - return (EPERM); + subj = SLOT(cred->cr_label); /* - * If the Biba label is to be changed, authorize as appropriate. + * Treat sysctl variables without CTLFLAG_ANYBODY flag as biba/high, + * but also require privilege to change them. */ - if (new->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) { - /* - * To change the Biba label on a pipe, the new pipe label - * must be in the subject range. - */ - if (!biba_effective_in_range(new, subj)) - return (EPERM); + if (req->newptr != NULL && (oidp->oid_kind & CTLFLAG_ANYBODY) == 0) { + if (!biba_subject_dominate_high(subj)) + return (EACCES); - /* - * To change the Biba label on a pipe to be EQUAL, the - * subject must have appropriate privilege. - */ - if (biba_contains_equal(new)) { - error = biba_subject_privileged(subj); - if (error) - return (error); - } + error = biba_subject_privileged(subj); + if (error) + return (error); } return (0); } -static int -biba_pipe_check_stat(struct ucred *cred, struct pipepair *pp, - struct label *pplabel) +static void +biba_sysvmsg_cleanup(struct label *msglabel) { - struct mac_biba *subj, *obj; - if (!biba_enabled) - return (0); + bzero(SLOT(msglabel), sizeof(struct mac_biba)); +} - subj = SLOT(cred->cr_label); - obj = SLOT(pplabel); +static void +biba_sysvmsg_create(struct ucred *cred, struct msqid_kernel *msqkptr, + struct label *msqlabel, struct msg *msgptr, struct label *msglabel) +{ + struct mac_biba *source, *dest; - if (!biba_dominate_effective(obj, subj)) - return (EACCES); + /* Ignore the msgq label */ + source = SLOT(cred->cr_label); + dest = SLOT(msglabel); - return (0); + biba_copy_effective(source, dest); } static int -biba_pipe_check_write(struct ucred *cred, struct pipepair *pp, - struct label *pplabel) +biba_sysvmsq_check_msgrcv(struct ucred *cred, struct msg *msgptr, + struct label *msglabel) { struct mac_biba *subj, *obj; @@ -2091,17 +2183,17 @@ biba_pipe_check_write(struct ucred *cred, struct pipepair *pp, return (0); subj = SLOT(cred->cr_label); - obj = SLOT(pplabel); + obj = SLOT(msglabel); - if (!biba_dominate_effective(subj, obj)) + if (!biba_dominate_effective(obj, subj)) return (EACCES); return (0); } static int -biba_posixsem_check_write(struct ucred *cred, struct ksem *ks, - struct label *kslabel) +biba_sysvmsq_check_msgrmid(struct ucred *cred, struct msg *msgptr, + struct label *msglabel) { struct mac_biba *subj, *obj; @@ -2109,7 +2201,7 @@ biba_posixsem_check_write(struct ucred *cred, struct ksem *ks, return (0); subj = SLOT(cred->cr_label); - obj = SLOT(kslabel); + obj = SLOT(msglabel); if (!biba_dominate_effective(subj, obj)) return (EACCES); @@ -2118,8 +2210,8 @@ biba_posixsem_check_write(struct ucred *cred, struct ksem *ks, } static int -biba_posixsem_check_rdonly(struct ucred *cred, struct ksem *ks, - struct label *kslabel) +biba_sysvmsq_check_msqget(struct ucred *cred, struct msqid_kernel *msqkptr, + struct label *msqklabel) { struct mac_biba *subj, *obj; @@ -2127,7 +2219,7 @@ biba_posixsem_check_rdonly(struct ucred *cred, struct ksem *ks, return (0); subj = SLOT(cred->cr_label); - obj = SLOT(kslabel); + obj = SLOT(msqklabel); if (!biba_dominate_effective(obj, subj)) return (EACCES); @@ -2136,7 +2228,8 @@ biba_posixsem_check_rdonly(struct ucred *cred, struct ksem *ks, } static int -biba_proc_check_debug(struct ucred *cred, struct proc *p) +biba_sysvmsq_check_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr, + struct label *msqklabel) { struct mac_biba *subj, *obj; @@ -2144,11 +2237,8 @@ biba_proc_check_debug(struct ucred *cred, struct proc *p) return (0); subj = SLOT(cred->cr_label); - obj = SLOT(p->p_ucred->cr_label); + obj = SLOT(msqklabel); - /* XXX: range checks */ - if (!biba_dominate_effective(obj, subj)) - return (ESRCH); if (!biba_dominate_effective(subj, obj)) return (EACCES); @@ -2156,7 +2246,8 @@ biba_proc_check_debug(struct ucred *cred, struct proc *p) } static int -biba_proc_check_sched(struct ucred *cred, struct proc *p) +biba_sysvmsq_check_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr, + struct label *msqklabel) { struct mac_biba *subj, *obj; @@ -2164,19 +2255,17 @@ biba_proc_check_sched(struct ucred *cred, struct proc *p) return (0); subj = SLOT(cred->cr_label); - obj = SLOT(p->p_ucred->cr_label); + obj = SLOT(msqklabel); - /* XXX: range checks */ if (!biba_dominate_effective(obj, subj)) - return (ESRCH); - if (!biba_dominate_effective(subj, obj)) return (EACCES); return (0); } static int -biba_proc_check_signal(struct ucred *cred, struct proc *p, int signum) +biba_sysvmsq_check_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr, + struct label *msqklabel, int cmd) { struct mac_biba *subj, *obj; @@ -2184,86 +2273,87 @@ biba_proc_check_signal(struct ucred *cred, struct proc *p, int signum) return (0); subj = SLOT(cred->cr_label); - obj = SLOT(p->p_ucred->cr_label); + obj = SLOT(msqklabel); - /* XXX: range checks */ - if (!biba_dominate_effective(obj, subj)) - return (ESRCH); - if (!biba_dominate_effective(subj, obj)) + switch(cmd) { + case IPC_RMID: + case IPC_SET: + if (!biba_dominate_effective(subj, obj)) + return (EACCES); + break; + + case IPC_STAT: + if (!biba_dominate_effective(obj, subj)) + return (EACCES); + break; + + default: return (EACCES); + } return (0); } -static int -biba_socket_check_deliver(struct socket *so, struct label *solabel, - struct mbuf *m, struct label *mlabel) +static void +biba_sysvmsq_cleanup(struct label *msqlabel) { - struct mac_biba *p, *s; - if (!biba_enabled) - return (0); + bzero(SLOT(msqlabel), sizeof(struct mac_biba)); +} - p = SLOT(mlabel); - s = SLOT(solabel); +static void +biba_sysvmsq_create(struct ucred *cred, struct msqid_kernel *msqkptr, + struct label *msqlabel) +{ + struct mac_biba *source, *dest; - return (biba_equal_effective(p, s) ? 0 : EACCES); + source = SLOT(cred->cr_label); + dest = SLOT(msqlabel); + + biba_copy_effective(source, dest); } static int -biba_socket_check_relabel(struct ucred *cred, struct socket *so, - struct label *solabel, struct label *newlabel) +biba_sysvsem_check_semctl(struct ucred *cred, struct semid_kernel *semakptr, + struct label *semaklabel, int cmd) { - struct mac_biba *subj, *obj, *new; - int error; + struct mac_biba *subj, *obj; - new = SLOT(newlabel); - subj = SLOT(cred->cr_label); - obj = SLOT(solabel); + if (!biba_enabled) + return (0); - /* - * If there is a Biba label update for the socket, it may be an - * update of effective. - */ - error = biba_atmostflags(new, MAC_BIBA_FLAG_EFFECTIVE); - if (error) - return (error); + subj = SLOT(cred->cr_label); + obj = SLOT(semaklabel); - /* - * To relabel a socket, the old socket effective must be in the - * subject range. - */ - if (!biba_effective_in_range(obj, subj)) - return (EPERM); + switch(cmd) { + case IPC_RMID: + case IPC_SET: + case SETVAL: + case SETALL: + if (!biba_dominate_effective(subj, obj)) + return (EACCES); + break; - /* - * If the Biba label is to be changed, authorize as appropriate. - */ - if (new->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) { - /* - * To relabel a socket, the new socket effective must be in - * the subject range. - */ - if (!biba_effective_in_range(new, subj)) - return (EPERM); + case IPC_STAT: + case GETVAL: + case GETPID: + case GETNCNT: + case GETZCNT: + case GETALL: + if (!biba_dominate_effective(obj, subj)) + return (EACCES); + break; - /* - * To change the Biba label on the socket to contain EQUAL, - * the subject must have appropriate privilege. - */ - if (biba_contains_equal(new)) { - error = biba_subject_privileged(subj); - if (error) - return (error); - } + default: + return (EACCES); } return (0); } static int -biba_socket_check_visible(struct ucred *cred, struct socket *so, - struct label *solabel) +biba_sysvsem_check_semget(struct ucred *cred, struct semid_kernel *semakptr, + struct label *semaklabel) { struct mac_biba *subj, *obj; @@ -2271,341 +2361,198 @@ biba_socket_check_visible(struct ucred *cred, struct socket *so, return (0); subj = SLOT(cred->cr_label); - obj = SLOT(solabel); + obj = SLOT(semaklabel); if (!biba_dominate_effective(obj, subj)) - return (ENOENT); + return (EACCES); return (0); } -/* - * Some system privileges are allowed regardless of integrity grade; others - * are allowed only when running with privilege with respect to the Biba - * policy as they might otherwise allow bypassing of the integrity policy. - */ static int -biba_priv_check(struct ucred *cred, int priv) +biba_sysvsem_check_semop(struct ucred *cred, struct semid_kernel *semakptr, + struct label *semaklabel, size_t accesstype) { - struct mac_biba *subj; - int error; + struct mac_biba *subj, *obj; if (!biba_enabled) return (0); - /* - * Exempt only specific privileges from the Biba integrity policy. - */ - switch (priv) { - case PRIV_KTRACE: - case PRIV_MSGBUF: - - /* - * Allow processes to manipulate basic process audit properties, and - * to submit audit records. - */ - case PRIV_AUDIT_GETAUDIT: - case PRIV_AUDIT_SETAUDIT: - case PRIV_AUDIT_SUBMIT: - - /* - * Allow processes to manipulate their regular UNIX credentials. - */ - case PRIV_CRED_SETUID: - case PRIV_CRED_SETEUID: - case PRIV_CRED_SETGID: - case PRIV_CRED_SETEGID: - case PRIV_CRED_SETGROUPS: - case PRIV_CRED_SETREUID: - case PRIV_CRED_SETREGID: - case PRIV_CRED_SETRESUID: - case PRIV_CRED_SETRESGID: - - /* - * Allow processes to perform system monitoring. - */ - case PRIV_SEEOTHERGIDS: - case PRIV_SEEOTHERUIDS: - break; - - /* - * Allow access to general process debugging facilities. We - * separately control debugging based on MAC label. - */ - case PRIV_DEBUG_DIFFCRED: - case PRIV_DEBUG_SUGID: - case PRIV_DEBUG_UNPRIV: - - /* - * Allow manipulating jails. - */ - case PRIV_JAIL_ATTACH: - - /* - * Allow privilege with respect to the Partition policy, but not the - * Privs policy. - */ - case PRIV_MAC_PARTITION: - - /* - * Allow privilege with respect to process resource limits and login - * context. - */ - case PRIV_PROC_LIMIT: - case PRIV_PROC_SETLOGIN: - case PRIV_PROC_SETRLIMIT: - - /* - * Allow System V and POSIX IPC privileges. - */ - case PRIV_IPC_READ: - case PRIV_IPC_WRITE: - case PRIV_IPC_ADMIN: - case PRIV_IPC_MSGSIZE: - case PRIV_MQ_ADMIN: - - /* - * Allow certain scheduler manipulations -- possibly this should be - * controlled by more fine-grained policy, as potentially low - * integrity processes can deny CPU to higher integrity ones. - */ - case PRIV_SCHED_DIFFCRED: - case PRIV_SCHED_SETPRIORITY: - case PRIV_SCHED_RTPRIO: - case PRIV_SCHED_SETPOLICY: - case PRIV_SCHED_SET: - case PRIV_SCHED_SETPARAM: + subj = SLOT(cred->cr_label); + obj = SLOT(semaklabel); - /* - * More IPC privileges. - */ - case PRIV_SEM_WRITE: + if (accesstype & SEM_R) + if (!biba_dominate_effective(obj, subj)) + return (EACCES); - /* - * Allow signaling privileges subject to integrity policy. - */ - case PRIV_SIGNAL_DIFFCRED: - case PRIV_SIGNAL_SUGID: + if (accesstype & SEM_A) + if (!biba_dominate_effective(subj, obj)) + return (EACCES); - /* - * Allow access to only limited sysctls from lower integrity levels; - * piggy-back on the Jail definition. - */ - case PRIV_SYSCTL_WRITEJAIL: + return (0); +} - /* - * Allow TTY-based privileges, subject to general device access using - * labels on TTY device nodes, but not console privilege. - */ - case PRIV_TTY_DRAINWAIT: - case PRIV_TTY_DTRWAIT: - case PRIV_TTY_EXCLUSIVE: - case PRIV_TTY_PRISON: - case PRIV_TTY_STI: - case PRIV_TTY_SETA: +static void +biba_sysvsem_cleanup(struct label *semalabel) +{ - /* - * Grant most VFS privileges, as almost all are in practice bounded - * by more specific checks using labels. - */ - case PRIV_VFS_READ: - case PRIV_VFS_WRITE: - case PRIV_VFS_ADMIN: - case PRIV_VFS_EXEC: - case PRIV_VFS_LOOKUP: - case PRIV_VFS_CHFLAGS_DEV: - case PRIV_VFS_CHOWN: - case PRIV_VFS_CHROOT: - case PRIV_VFS_RETAINSUGID: - case PRIV_VFS_EXCEEDQUOTA: - case PRIV_VFS_FCHROOT: - case PRIV_VFS_FHOPEN: - case PRIV_VFS_FHSTATFS: - case PRIV_VFS_GENERATION: - case PRIV_VFS_GETFH: - case PRIV_VFS_GETQUOTA: - case PRIV_VFS_LINK: - case PRIV_VFS_MOUNT: - case PRIV_VFS_MOUNT_OWNER: - case PRIV_VFS_MOUNT_PERM: - case PRIV_VFS_MOUNT_SUIDDIR: - case PRIV_VFS_MOUNT_NONUSER: - case PRIV_VFS_SETGID: - case PRIV_VFS_STICKYFILE: - case PRIV_VFS_SYSFLAGS: - case PRIV_VFS_UNMOUNT: + bzero(SLOT(semalabel), sizeof(struct mac_biba)); +} - /* - * Allow VM privileges; it would be nice if these were subject to - * resource limits. - */ - case PRIV_VM_MADV_PROTECT: - case PRIV_VM_MLOCK: - case PRIV_VM_MUNLOCK: +static void +biba_sysvsem_create(struct ucred *cred, struct semid_kernel *semakptr, + struct label *semalabel) +{ + struct mac_biba *source, *dest; - /* - * Allow some but not all network privileges. In general, dont allow - * reconfiguring the network stack, just normal use. - */ - case PRIV_NETATALK_RESERVEDPORT: - case PRIV_NETINET_RESERVEDPORT: - case PRIV_NETINET_RAW: - case PRIV_NETINET_REUSEPORT: - case PRIV_NETIPX_RESERVEDPORT: - case PRIV_NETIPX_RAW: - break; + source = SLOT(cred->cr_label); + dest = SLOT(semalabel); - /* - * All remaining system privileges are allow only if the process - * holds privilege with respect to the Biba policy. - */ - default: - subj = SLOT(cred->cr_label); - error = biba_subject_privileged(subj); - if (error) - return (error); - } - return (0); + biba_copy_effective(source, dest); } static int -biba_system_check_acct(struct ucred *cred, struct vnode *vp, - struct label *vplabel) +biba_sysvshm_check_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr, + struct label *shmseglabel, int shmflg) { struct mac_biba *subj, *obj; - int error; if (!biba_enabled) return (0); subj = SLOT(cred->cr_label); + obj = SLOT(shmseglabel); - error = biba_subject_privileged(subj); - if (error) - return (error); - - if (vplabel == NULL) - return (0); - - obj = SLOT(vplabel); - if (!biba_high_effective(obj)) + if (!biba_dominate_effective(obj, subj)) return (EACCES); - + if ((shmflg & SHM_RDONLY) == 0) { + if (!biba_dominate_effective(subj, obj)) + return (EACCES); + } + return (0); } static int -biba_system_check_auditctl(struct ucred *cred, struct vnode *vp, - struct label *vplabel) +biba_sysvshm_check_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr, + struct label *shmseglabel, int cmd) { struct mac_biba *subj, *obj; - int error; if (!biba_enabled) return (0); subj = SLOT(cred->cr_label); + obj = SLOT(shmseglabel); - error = biba_subject_privileged(subj); - if (error) - return (error); + switch(cmd) { + case IPC_RMID: + case IPC_SET: + if (!biba_dominate_effective(subj, obj)) + return (EACCES); + break; - if (vplabel == NULL) - return (0); + case IPC_STAT: + case SHM_STAT: + if (!biba_dominate_effective(obj, subj)) + return (EACCES); + break; - obj = SLOT(vplabel); - if (!biba_high_effective(obj)) + default: return (EACCES); + } return (0); } static int -biba_system_check_auditon(struct ucred *cred, int cmd) +biba_sysvshm_check_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr, + struct label *shmseglabel, int shmflg) { - struct mac_biba *subj; - int error; + struct mac_biba *subj, *obj; if (!biba_enabled) return (0); subj = SLOT(cred->cr_label); + obj = SLOT(shmseglabel); - error = biba_subject_privileged(subj); - if (error) - return (error); + if (!biba_dominate_effective(obj, subj)) + return (EACCES); return (0); } -static int -biba_system_check_swapon(struct ucred *cred, struct vnode *vp, - struct label *vplabel) +static void +biba_sysvshm_cleanup(struct label *shmlabel) { - struct mac_biba *subj, *obj; - int error; - if (!biba_enabled) - return (0); - - subj = SLOT(cred->cr_label); - obj = SLOT(vplabel); + bzero(SLOT(shmlabel), sizeof(struct mac_biba)); +} - error = biba_subject_privileged(subj); - if (error) - return (error); +static void +biba_sysvshm_create(struct ucred *cred, struct shmid_kernel *shmsegptr, + struct label *shmlabel) +{ + struct mac_biba *source, *dest; - if (!biba_high_effective(obj)) - return (EACCES); + source = SLOT(cred->cr_label); + dest = SLOT(shmlabel); - return (0); + biba_copy_effective(source, dest); } static int -biba_system_check_swapoff(struct ucred *cred, struct vnode *vp, - struct label *label) +biba_vnode_associate_extattr(struct mount *mp, struct label *mplabel, + struct vnode *vp, struct label *vplabel) { - struct mac_biba *subj; - int error; + struct mac_biba mb_temp, *source, *dest; + int buflen, error; - if (!biba_enabled) - return (0); + source = SLOT(mplabel); + dest = SLOT(vplabel); - subj = SLOT(cred->cr_label); + buflen = sizeof(mb_temp); + bzero(&mb_temp, buflen); - error = biba_subject_privileged(subj); - if (error) + error = vn_extattr_get(vp, IO_NODELOCKED, MAC_BIBA_EXTATTR_NAMESPACE, + MAC_BIBA_EXTATTR_NAME, &buflen, (char *) &mb_temp, curthread); + if (error == ENOATTR || error == EOPNOTSUPP) { + /* Fall back to the mntlabel. */ + biba_copy_effective(source, dest); + return (0); + } else if (error) return (error); + if (buflen != sizeof(mb_temp)) { + printf("biba_vnode_associate_extattr: bad size %d\n", + buflen); + return (EPERM); + } + if (biba_valid(&mb_temp) != 0) { + printf("biba_vnode_associate_extattr: invalid\n"); + return (EPERM); + } + if ((mb_temp.mb_flags & MAC_BIBA_FLAGS_BOTH) != + MAC_BIBA_FLAG_EFFECTIVE) { + printf("biba_vnode_associate_extattr: not effective\n"); + return (EPERM); + } + + biba_copy_effective(&mb_temp, dest); return (0); } -static int -biba_system_check_sysctl(struct ucred *cred, struct sysctl_oid *oidp, - void *arg1, int arg2, struct sysctl_req *req) +static void +biba_vnode_associate_singlelabel(struct mount *mp, struct label *mplabel, + struct vnode *vp, struct label *vplabel) { - struct mac_biba *subj; - int error; - - if (!biba_enabled) - return (0); - - subj = SLOT(cred->cr_label); - - /* - * Treat sysctl variables without CTLFLAG_ANYBODY flag as biba/high, - * but also require privilege to change them. - */ - if (req->newptr != NULL && (oidp->oid_kind & CTLFLAG_ANYBODY) == 0) { - if (!biba_subject_dominate_high(subj)) - return (EACCES); + struct mac_biba *source, *dest; - error = biba_subject_privileged(subj); - if (error) - return (error); - } + source = SLOT(mplabel); + dest = SLOT(vplabel); - return (0); + biba_copy_effective(source, dest); } static int @@ -3242,174 +3189,235 @@ biba_vnode_check_write(struct ucred *active_cred, return (0); } -static void -biba_syncache_create(struct label *label, struct inpcb *inp) +static int +biba_vnode_create_extattr(struct ucred *cred, struct mount *mp, + struct label *mplabel, struct vnode *dvp, struct label *dvplabel, + struct vnode *vp, struct label *vplabel, struct componentname *cnp) { - struct mac_biba *source, *dest; + struct mac_biba *source, *dest, mb_temp; + size_t buflen; + int error; - source = SLOT(inp->inp_label); - dest = SLOT(label); - biba_copy_effective(source, dest); + buflen = sizeof(mb_temp); + bzero(&mb_temp, buflen); + + source = SLOT(cred->cr_label); + dest = SLOT(vplabel); + biba_copy_effective(source, &mb_temp); + + error = vn_extattr_set(vp, IO_NODELOCKED, MAC_BIBA_EXTATTR_NAMESPACE, + MAC_BIBA_EXTATTR_NAME, buflen, (char *) &mb_temp, curthread); + if (error == 0) + biba_copy_effective(source, dest); + return (error); } static void -biba_syncache_create_mbuf(struct label *sc_label, struct mbuf *m, - struct label *mlabel) +biba_vnode_relabel(struct ucred *cred, struct vnode *vp, + struct label *vplabel, struct label *newlabel) { struct mac_biba *source, *dest; - source = SLOT(sc_label); - dest = SLOT(mlabel); - biba_copy_effective(source, dest); + source = SLOT(newlabel); + dest = SLOT(vplabel); + + biba_copy(source, dest); +} + +static int +biba_vnode_setlabel_extattr(struct ucred *cred, struct vnode *vp, + struct label *vplabel, struct label *intlabel) +{ + struct mac_biba *source, mb_temp; + size_t buflen; + int error; + + buflen = sizeof(mb_temp); + bzero(&mb_temp, buflen); + + source = SLOT(intlabel); + if ((source->mb_flags & MAC_BIBA_FLAG_EFFECTIVE) == 0) + return (0); + + biba_copy_effective(source, &mb_temp); + + error = vn_extattr_set(vp, IO_NODELOCKED, MAC_BIBA_EXTATTR_NAMESPACE, + MAC_BIBA_EXTATTR_NAME, buflen, (char *) &mb_temp, curthread); + return (error); } static struct mac_policy_ops mac_biba_ops = { .mpo_init = biba_init, - .mpo_bpfdesc_init_label = biba_init_label, - .mpo_cred_init_label = biba_init_label, - .mpo_devfs_init_label = biba_init_label, - .mpo_ifnet_init_label = biba_init_label, - .mpo_inpcb_init_label = biba_init_label_waitcheck, - .mpo_syncache_init_label = biba_init_label_waitcheck, - .mpo_sysvmsg_init_label = biba_init_label, - .mpo_sysvmsq_init_label = biba_init_label, - .mpo_sysvsem_init_label = biba_init_label, - .mpo_sysvshm_init_label = biba_init_label, - .mpo_ipq_init_label = biba_init_label_waitcheck, - .mpo_mbuf_init_label = biba_init_label_waitcheck, - .mpo_mount_init_label = biba_init_label, - .mpo_pipe_init_label = biba_init_label, - .mpo_posixsem_init_label = biba_init_label, - .mpo_socket_init_label = biba_init_label_waitcheck, - .mpo_socketpeer_init_label = biba_init_label_waitcheck, - .mpo_syncache_create = biba_syncache_create, - .mpo_vnode_init_label = biba_init_label, + + .mpo_bpfdesc_check_receive = biba_bpfdesc_check_receive, + .mpo_bpfdesc_create = biba_bpfdesc_create, + .mpo_bpfdesc_create_mbuf = biba_bpfdesc_create_mbuf, .mpo_bpfdesc_destroy_label = biba_destroy_label, - .mpo_cred_destroy_label = biba_destroy_label, - .mpo_devfs_destroy_label = biba_destroy_label, - .mpo_ifnet_destroy_label = biba_destroy_label, - .mpo_inpcb_destroy_label = biba_destroy_label, - .mpo_syncache_destroy_label = biba_destroy_label, - .mpo_sysvmsg_destroy_label = biba_destroy_label, - .mpo_sysvmsq_destroy_label = biba_destroy_label, - .mpo_sysvsem_destroy_label = biba_destroy_label, - .mpo_sysvshm_destroy_label = biba_destroy_label, - .mpo_ipq_destroy_label = biba_destroy_label, - .mpo_mbuf_destroy_label = biba_destroy_label, - .mpo_mount_destroy_label = biba_destroy_label, - .mpo_pipe_destroy_label = biba_destroy_label, - .mpo_posixsem_destroy_label = biba_destroy_label, - .mpo_socket_destroy_label = biba_destroy_label, - .mpo_socketpeer_destroy_label = biba_destroy_label, - .mpo_vnode_destroy_label = biba_destroy_label, + .mpo_bpfdesc_init_label = biba_init_label, + + .mpo_cred_check_relabel = biba_cred_check_relabel, + .mpo_cred_check_visible = biba_cred_check_visible, .mpo_cred_copy_label = biba_copy_label, - .mpo_ifnet_copy_label = biba_copy_label, - .mpo_mbuf_copy_label = biba_copy_label, - .mpo_pipe_copy_label = biba_copy_label, - .mpo_socket_copy_label = biba_copy_label, - .mpo_vnode_copy_label = biba_copy_label, + .mpo_cred_destroy_label = biba_destroy_label, .mpo_cred_externalize_label = biba_externalize_label, - .mpo_ifnet_externalize_label = biba_externalize_label, - .mpo_pipe_externalize_label = biba_externalize_label, - .mpo_socket_externalize_label = biba_externalize_label, - .mpo_socketpeer_externalize_label = biba_externalize_label, - .mpo_vnode_externalize_label = biba_externalize_label, + .mpo_cred_init_label = biba_init_label, .mpo_cred_internalize_label = biba_internalize_label, - .mpo_ifnet_internalize_label = biba_internalize_label, - .mpo_pipe_internalize_label = biba_internalize_label, - .mpo_socket_internalize_label = biba_internalize_label, - .mpo_vnode_internalize_label = biba_internalize_label, + .mpo_cred_relabel = biba_cred_relabel, + .mpo_devfs_create_device = biba_devfs_create_device, .mpo_devfs_create_directory = biba_devfs_create_directory, .mpo_devfs_create_symlink = biba_devfs_create_symlink, - .mpo_mount_create = biba_mount_create, - .mpo_vnode_relabel = biba_vnode_relabel, + .mpo_devfs_destroy_label = biba_destroy_label, + .mpo_devfs_init_label = biba_init_label, .mpo_devfs_update = biba_devfs_update, .mpo_devfs_vnode_associate = biba_devfs_vnode_associate, - .mpo_vnode_associate_extattr = biba_vnode_associate_extattr, - .mpo_vnode_associate_singlelabel = biba_vnode_associate_singlelabel, - .mpo_vnode_create_extattr = biba_vnode_create_extattr, - .mpo_vnode_setlabel_extattr = biba_vnode_setlabel_extattr, - .mpo_socket_create_mbuf = biba_socket_create_mbuf, - .mpo_syncache_create_mbuf = biba_syncache_create_mbuf, - .mpo_pipe_create = biba_pipe_create, - .mpo_posixsem_create = biba_posixsem_create, - .mpo_socket_create = biba_socket_create, - .mpo_socket_newconn = biba_socket_newconn, - .mpo_pipe_relabel = biba_pipe_relabel, - .mpo_socket_relabel = biba_socket_relabel, - .mpo_socketpeer_set_from_mbuf = biba_socketpeer_set_from_mbuf, - .mpo_socketpeer_set_from_socket = biba_socketpeer_set_from_socket, - .mpo_bpfdesc_create = biba_bpfdesc_create, - .mpo_ipq_reassemble = biba_ipq_reassemble, - .mpo_netinet_fragment = biba_netinet_fragment, + + .mpo_ifnet_check_relabel = biba_ifnet_check_relabel, + .mpo_ifnet_check_transmit = biba_ifnet_check_transmit, + .mpo_ifnet_copy_label = biba_copy_label, .mpo_ifnet_create = biba_ifnet_create, + .mpo_ifnet_create_mbuf = biba_ifnet_create_mbuf, + .mpo_ifnet_destroy_label = biba_destroy_label, + .mpo_ifnet_externalize_label = biba_externalize_label, + .mpo_ifnet_init_label = biba_init_label, + .mpo_ifnet_internalize_label = biba_internalize_label, + .mpo_ifnet_relabel = biba_ifnet_relabel, + + .mpo_inpcb_check_deliver = biba_inpcb_check_deliver, .mpo_inpcb_create = biba_inpcb_create, - .mpo_sysvmsg_create = biba_sysvmsg_create, - .mpo_sysvmsq_create = biba_sysvmsq_create, - .mpo_sysvsem_create = biba_sysvsem_create, - .mpo_sysvshm_create = biba_sysvshm_create, - .mpo_ipq_create = biba_ipq_create, .mpo_inpcb_create_mbuf = biba_inpcb_create_mbuf, - .mpo_bpfdesc_create_mbuf = biba_bpfdesc_create_mbuf, - .mpo_ifnet_create_mbuf = biba_ifnet_create_mbuf, + .mpo_inpcb_destroy_label = biba_destroy_label, + .mpo_inpcb_init_label = biba_init_label_waitcheck, + .mpo_inpcb_sosetlabel = biba_inpcb_sosetlabel, + + .mpo_ipq_create = biba_ipq_create, + .mpo_ipq_destroy_label = biba_destroy_label, + .mpo_ipq_init_label = biba_init_label_waitcheck, .mpo_ipq_match = biba_ipq_match, - .mpo_ifnet_relabel = biba_ifnet_relabel, + .mpo_ipq_reassemble = biba_ipq_reassemble, .mpo_ipq_update = biba_ipq_update, - .mpo_inpcb_sosetlabel = biba_inpcb_sosetlabel, - .mpo_proc_create_swapper = biba_proc_create_swapper, - .mpo_proc_create_init = biba_proc_create_init, - .mpo_proc_associate_nfsd = biba_proc_associate_nfsd, - .mpo_cred_relabel = biba_cred_relabel, - .mpo_sysvmsg_cleanup = biba_sysvmsg_cleanup, - .mpo_sysvmsq_cleanup = biba_sysvmsq_cleanup, - .mpo_sysvsem_cleanup = biba_sysvsem_cleanup, - .mpo_sysvshm_cleanup = biba_sysvshm_cleanup, - .mpo_bpfdesc_check_receive = biba_bpfdesc_check_receive, - .mpo_cred_check_relabel = biba_cred_check_relabel, - .mpo_cred_check_visible = biba_cred_check_visible, - .mpo_ifnet_check_relabel = biba_ifnet_check_relabel, - .mpo_ifnet_check_transmit = biba_ifnet_check_transmit, - .mpo_inpcb_check_deliver = biba_inpcb_check_deliver, - .mpo_sysvmsq_check_msgrcv = biba_sysvmsq_check_msgrcv, - .mpo_sysvmsq_check_msgrmid = biba_sysvmsq_check_msgrmid, - .mpo_sysvmsq_check_msqget = biba_sysvmsq_check_msqget, - .mpo_sysvmsq_check_msqsnd = biba_sysvmsq_check_msqsnd, - .mpo_sysvmsq_check_msqrcv = biba_sysvmsq_check_msqrcv, - .mpo_sysvmsq_check_msqctl = biba_sysvmsq_check_msqctl, - .mpo_sysvsem_check_semctl = biba_sysvsem_check_semctl, - .mpo_sysvsem_check_semget = biba_sysvsem_check_semget, - .mpo_sysvsem_check_semop = biba_sysvsem_check_semop, - .mpo_sysvshm_check_shmat = biba_sysvshm_check_shmat, - .mpo_sysvshm_check_shmctl = biba_sysvshm_check_shmctl, - .mpo_sysvshm_check_shmget = biba_sysvshm_check_shmget, + .mpo_kld_check_load = biba_kld_check_load, + + .mpo_mbuf_copy_label = biba_copy_label, + .mpo_mbuf_destroy_label = biba_destroy_label, + .mpo_mbuf_init_label = biba_init_label_waitcheck, + .mpo_mount_check_stat = biba_mount_check_stat, + .mpo_mount_create = biba_mount_create, + .mpo_mount_destroy_label = biba_destroy_label, + .mpo_mount_init_label = biba_init_label, + + .mpo_netatalk_aarp_send = biba_netatalk_aarp_send, + + .mpo_netinet_arp_send = biba_netinet_arp_send, + .mpo_netinet_firewall_reply = biba_netinet_firewall_reply, + .mpo_netinet_firewall_send = biba_netinet_firewall_send, + .mpo_netinet_fragment = biba_netinet_fragment, + .mpo_netinet_icmp_reply = biba_netinet_icmp_reply, + .mpo_netinet_igmp_send = biba_netinet_igmp_send, + + .mpo_netinet6_nd6_send = biba_netinet6_nd6_send, + .mpo_pipe_check_ioctl = biba_pipe_check_ioctl, .mpo_pipe_check_poll = biba_pipe_check_poll, .mpo_pipe_check_read = biba_pipe_check_read, .mpo_pipe_check_relabel = biba_pipe_check_relabel, .mpo_pipe_check_stat = biba_pipe_check_stat, .mpo_pipe_check_write = biba_pipe_check_write, + .mpo_pipe_copy_label = biba_copy_label, + .mpo_pipe_create = biba_pipe_create, + .mpo_pipe_destroy_label = biba_destroy_label, + .mpo_pipe_externalize_label = biba_externalize_label, + .mpo_pipe_init_label = biba_init_label, + .mpo_pipe_internalize_label = biba_internalize_label, + .mpo_pipe_relabel = biba_pipe_relabel, + .mpo_posixsem_check_destroy = biba_posixsem_check_write, .mpo_posixsem_check_getvalue = biba_posixsem_check_rdonly, .mpo_posixsem_check_open = biba_posixsem_check_write, .mpo_posixsem_check_post = biba_posixsem_check_write, .mpo_posixsem_check_unlink = biba_posixsem_check_write, .mpo_posixsem_check_wait = biba_posixsem_check_write, + .mpo_posixsem_create = biba_posixsem_create, + .mpo_posixsem_destroy_label = biba_destroy_label, + .mpo_posixsem_init_label = biba_init_label, + + .mpo_priv_check = biba_priv_check, + + .mpo_proc_associate_nfsd = biba_proc_associate_nfsd, .mpo_proc_check_debug = biba_proc_check_debug, .mpo_proc_check_sched = biba_proc_check_sched, .mpo_proc_check_signal = biba_proc_check_signal, + .mpo_proc_create_init = biba_proc_create_init, + .mpo_proc_create_swapper = biba_proc_create_swapper, + .mpo_socket_check_deliver = biba_socket_check_deliver, .mpo_socket_check_relabel = biba_socket_check_relabel, .mpo_socket_check_visible = biba_socket_check_visible, + .mpo_socket_copy_label = biba_copy_label, + .mpo_socket_create = biba_socket_create, + .mpo_socket_create_mbuf = biba_socket_create_mbuf, + .mpo_socket_destroy_label = biba_destroy_label, + .mpo_socket_externalize_label = biba_externalize_label, + .mpo_socket_init_label = biba_init_label_waitcheck, + .mpo_socket_internalize_label = biba_internalize_label, + .mpo_socket_newconn = biba_socket_newconn, + .mpo_socket_relabel = biba_socket_relabel, + + .mpo_socketpeer_destroy_label = biba_destroy_label, + .mpo_socketpeer_externalize_label = biba_externalize_label, + .mpo_socketpeer_init_label = biba_init_label_waitcheck, + .mpo_socketpeer_set_from_mbuf = biba_socketpeer_set_from_mbuf, + .mpo_socketpeer_set_from_socket = biba_socketpeer_set_from_socket, + + .mpo_syncache_create = biba_syncache_create, + .mpo_syncache_create_mbuf = biba_syncache_create_mbuf, + .mpo_syncache_destroy_label = biba_destroy_label, + .mpo_syncache_init_label = biba_init_label_waitcheck, + .mpo_system_check_acct = biba_system_check_acct, .mpo_system_check_auditctl = biba_system_check_auditctl, .mpo_system_check_auditon = biba_system_check_auditon, - .mpo_system_check_swapon = biba_system_check_swapon, .mpo_system_check_swapoff = biba_system_check_swapoff, + .mpo_system_check_swapon = biba_system_check_swapon, .mpo_system_check_sysctl = biba_system_check_sysctl, + + .mpo_sysvmsg_cleanup = biba_sysvmsg_cleanup, + .mpo_sysvmsg_create = biba_sysvmsg_create, + .mpo_sysvmsg_destroy_label = biba_destroy_label, + .mpo_sysvmsg_init_label = biba_init_label, + + .mpo_sysvmsq_check_msgrcv = biba_sysvmsq_check_msgrcv, + .mpo_sysvmsq_check_msgrmid = biba_sysvmsq_check_msgrmid, + .mpo_sysvmsq_check_msqget = biba_sysvmsq_check_msqget, + .mpo_sysvmsq_check_msqsnd = biba_sysvmsq_check_msqsnd, + .mpo_sysvmsq_check_msqrcv = biba_sysvmsq_check_msqrcv, + .mpo_sysvmsq_check_msqctl = biba_sysvmsq_check_msqctl, + .mpo_sysvmsq_cleanup = biba_sysvmsq_cleanup, + .mpo_sysvmsq_create = biba_sysvmsq_create, + .mpo_sysvmsq_destroy_label = biba_destroy_label, + .mpo_sysvmsq_init_label = biba_init_label, + + .mpo_sysvsem_check_semctl = biba_sysvsem_check_semctl, + .mpo_sysvsem_check_semget = biba_sysvsem_check_semget, + .mpo_sysvsem_check_semop = biba_sysvsem_check_semop, + .mpo_sysvsem_cleanup = biba_sysvsem_cleanup, + .mpo_sysvsem_create = biba_sysvsem_create, + .mpo_sysvsem_destroy_label = biba_destroy_label, + .mpo_sysvsem_init_label = biba_init_label, + + .mpo_sysvshm_check_shmat = biba_sysvshm_check_shmat, + .mpo_sysvshm_check_shmctl = biba_sysvshm_check_shmctl, + .mpo_sysvshm_check_shmget = biba_sysvshm_check_shmget, + .mpo_sysvshm_cleanup = biba_sysvshm_cleanup, + .mpo_sysvshm_create = biba_sysvshm_create, + .mpo_sysvshm_destroy_label = biba_destroy_label, + .mpo_sysvshm_init_label = biba_init_label, + + .mpo_vnode_associate_extattr = biba_vnode_associate_extattr, + .mpo_vnode_associate_singlelabel = biba_vnode_associate_singlelabel, .mpo_vnode_check_access = biba_vnode_check_open, .mpo_vnode_check_chdir = biba_vnode_check_chdir, .mpo_vnode_check_chroot = biba_vnode_check_chroot, @@ -3441,14 +3449,14 @@ static struct mac_policy_ops mac_biba_ops = .mpo_vnode_check_stat = biba_vnode_check_stat, .mpo_vnode_check_unlink = biba_vnode_check_unlink, .mpo_vnode_check_write = biba_vnode_check_write, - .mpo_netatalk_aarp_send = biba_netatalk_aarp_send, - .mpo_netinet_arp_send = biba_netinet_arp_send, - .mpo_netinet_firewall_reply = biba_netinet_firewall_reply, - .mpo_netinet_firewall_send = biba_netinet_firewall_send, - .mpo_netinet_icmp_reply = biba_netinet_icmp_reply, - .mpo_netinet_igmp_send = biba_netinet_igmp_send, - .mpo_netinet6_nd6_send = biba_netinet6_nd6_send, - .mpo_priv_check = biba_priv_check, + .mpo_vnode_create_extattr = biba_vnode_create_extattr, + .mpo_vnode_copy_label = biba_copy_label, + .mpo_vnode_destroy_label = biba_destroy_label, + .mpo_vnode_externalize_label = biba_externalize_label, + .mpo_vnode_init_label = biba_init_label, + .mpo_vnode_internalize_label = biba_internalize_label, + .mpo_vnode_relabel = biba_vnode_relabel, + .mpo_vnode_setlabel_extattr = biba_vnode_setlabel_extattr, }; MAC_POLICY_SET(&mac_biba_ops, mac_biba, "TrustedBSD MAC/Biba", |