author | Robert Watson <rwatson@FreeBSD.org> | 2004-11-17 13:14:24 +0000 |
---|---|---|
committer | Robert Watson <rwatson@FreeBSD.org> | 2004-11-17 13:14:24 +0000 |
commit | 8b099b734bce728538add2fed7f20da627f777a2 (patch) | |
tree | c0a930218ec17a6a33fbda8d400f2c8d4aa5f085 /sys/security | |
parent | 21335a5e45f54fba1b75469144b47273c2852e1a (diff) | |
download | src-8b099b734bce728538add2fed7f20da627f777a2.tar.gz src-8b099b734bce728538add2fed7f20da627f777a2.zip |
Implement MAC entry points relating to System V IPC, calling into the
MAC policies to perform object life cycle operations and access
control checks.
Submitted by: Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net>
Obtained from: TrustedBSD Project
Sponsored by: DARPA, SPAWAR, McAfee Research
Notes
Notes:
svn path=/head/; revision=137817
Diffstat (limited to 'sys/security')
-rw-r--r-- | sys/security/mac/mac_sysv_msg.c | 263 | ||||
-rw-r--r-- | sys/security/mac/mac_sysv_sem.c | 156 | ||||
-rw-r--r-- | sys/security/mac/mac_sysv_shm.c | 173 |
3 files changed, 592 insertions, 0 deletions
diff --git a/sys/security/mac/mac_sysv_msg.c b/sys/security/mac/mac_sysv_msg.c
new file mode 100644
index 000000000000..5e6174b03041
--- /dev/null
+++ b/sys/security/mac/mac_sysv_msg.c
@@ -0,0 +1,263 @@
+/*-
+ * Copyright (c) 2003-2004 Networks Associates Technology, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project in part by Network
+ * Associates Laboratories, the Security Research Division of Network
+ * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
+ * as part of the DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <sys/cdefs.h>
+__FBSDID("$FreeBSD$");
+
+#include "opt_mac.h"
+
+#include <sys/param.h>
+#include <sys/kernel.h>
+#include <sys/lock.h>
+#include <sys/malloc.h>
+#include <sys/mutex.h>
+#include <sys/mac.h>
+#include <sys/sbuf.h>
+#include <sys/systm.h>
+#include <sys/vnode.h>
+#include <sys/mount.h>
+#include <sys/file.h>
+#include <sys/namei.h>
+#include <sys/sysctl.h>
+#include <sys/msg.h>
+
+#include <sys/mac_policy.h>
+
+#include <security/mac/mac_internal.h>
+
+static int mac_enforce_sysv_msg = 1;
+SYSCTL_INT(_security_mac, OID_AUTO, enforce_sysv_msg, CTLFLAG_RW,
+ &mac_enforce_sysv_msg, 0,
+ "Enforce MAC policy on System V IPC Message Queues");
+TUNABLE_INT("security.mac.enforce_sysv_msg", &mac_enforce_sysv_msg);
+
+#ifdef MAC_DEBUG
+static unsigned int nmacipcmsgs, nmacipcmsqs;
+SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, ipc_msgs, CTLFLAG_RD,
+ &nmacipcmsgs, 0, "number of sysv ipc messages inuse");
+SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, ipc_msqs, CTLFLAG_RD,
+ &nmacipcmsqs, 0, "number of sysv ipc message queue identifiers inuse");
+#endif
+
+static struct label *
+mac_sysv_msgmsg_label_alloc(void)
+{
+ struct label *label;
+
+ label = mac_labelzone_alloc(M_WAITOK);
+ MAC_PERFORM(init_sysv_msgmsg_label, label);
+ MAC_DEBUG_COUNTER_INC(&nmacipcmsgs);
+ return (label);
+}
+
+void
+mac_init_sysv_msgmsg(struct msg *msgptr)
+{
+
+ msgptr->label = mac_sysv_msgmsg_label_alloc();
+}
+
+static struct label *
+mac_sysv_msgqueue_label_alloc(void)
+{
+ struct label *label;
+
+ label = mac_labelzone_alloc(M_WAITOK);
+ MAC_PERFORM(init_sysv_msgqueue_label, label);
+ MAC_DEBUG_COUNTER_INC(&nmacipcmsqs);
+ return (label);
+}
+
+void
+mac_init_sysv_msgqueue(struct msqid_kernel *msqkptr)
+{
+
+ msqkptr->label = mac_sysv_msgqueue_label_alloc();
+ msqkptr->label = NULL;
+}
+
+static void
+mac_sysv_msgmsg_label_free(struct label *label)
+{
+
+ MAC_PERFORM(destroy_sysv_msgmsg_label, label);
+ mac_labelzone_free(label);
+ MAC_DEBUG_COUNTER_DEC(&nmacipcmsgs);
+}
+
+void
+mac_destroy_sysv_msgmsg(struct msg *msgptr)
+{
+
+ mac_sysv_msgmsg_label_free(msgptr->label);
+ msgptr->label = NULL;
+}
+
+static void
+mac_sysv_msgqueue_label_free(struct label *label)
+{
+
+ MAC_PERFORM(destroy_sysv_msgqueue_label, label);
+ mac_labelzone_free(label);
+ MAC_DEBUG_COUNTER_DEC(&nmacipcmsqs);
+}
+
+void
+mac_destroy_sysv_msgqueue(struct msqid_kernel *msqkptr)
+{
+
+ mac_sysv_msgqueue_label_free(msqkptr->label);
+ msqkptr->label = NULL;
+}
+
+void
+mac_create_sysv_msgmsg(struct ucred *cred, struct msqid_kernel *msqkptr,
+ struct msg *msgptr)
+{
+
+ MAC_PERFORM(create_sysv_msgmsg, cred, msqkptr, msqkptr->label,
+ msgptr, msgptr->label);
+}
+
+void
+mac_create_sysv_msgqueue(struct ucred *cred, struct msqid_kernel *msqkptr)
+{
+
+ MAC_PERFORM(create_sysv_msgqueue, cred, msqkptr, msqkptr->label);
+}
+
+void
+mac_cleanup_sysv_msgmsg(struct msg *msgptr)
+{
+
+ MAC_PERFORM(cleanup_sysv_msgmsg, msgptr->label);
+}
+
+void
+mac_cleanup_sysv_msgqueue(struct msqid_kernel *msqkptr)
+{
+
+ MAC_PERFORM(cleanup_sysv_msgqueue, msqkptr->label);
+}
+
+int
+mac_check_sysv_msgmsq(struct ucred *cred, struct msg *msgptr,
+ struct msqid_kernel *msqkptr)
+{
+ int error;
+
+ if (!mac_enforce_sysv_msg)
+ return (0);
+
+ MAC_CHECK(check_sysv_msgmsq, cred, msgptr, msgptr->label, msqkptr,
+ msqkptr->label);
+
+ return(error);
+}
+
+int
+mac_check_sysv_msgrcv(struct ucred *cred, struct msg *msgptr)
+{
+ int error;
+
+ if (!mac_enforce_sysv_msg)
+ return (0);
+
+ MAC_CHECK(check_sysv_msgrcv, cred, msgptr, msgptr->label);
+
+ return(error);
+}
+
+int
+mac_check_sysv_msgrmid(struct ucred *cred, struct msg *msgptr)
+{
+ int error;
+
+ if (!mac_enforce_sysv_msg)
+ return (0);
+
+ MAC_CHECK(check_sysv_msgrmid, cred, msgptr, msgptr->label);
+
+ return(error);
+}
+
+int
+mac_check_sysv_msqget(struct ucred *cred, struct msqid_kernel *msqkptr)
+{
+ int error;
+
+ if (!mac_enforce_sysv_msg)
+ return (0);
+
+ MAC_CHECK(check_sysv_msqget, cred, msqkptr, msqkptr->label);
+
+ return(error);
+}
+
+int
+mac_check_sysv_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr)
+{
+ int error;
+
+ if (!mac_enforce_sysv_msg)
+ return (0);
+
+ MAC_CHECK(check_sysv_msqsnd, cred, msqkptr, msqkptr->label);
+
+ return(error);
+}
+
+int
+mac_check_sysv_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr)
+{
+ int error;
+
+ if (!mac_enforce_sysv_msg)
+ return (0);
+
+ MAC_CHECK(check_sysv_msqrcv, cred, msqkptr, msqkptr->label);
+
+ return(error);
+}
+
+int
+mac_check_sysv_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr,
+ int cmd)
+{
+ int error;
+
+ if (!mac_enforce_sysv_msg)
+ return (0);
+
+ MAC_CHECK(check_sysv_msqctl, cred, msqkptr, msqkptr->label, cmd);
+
+ return(error);
+}
diff --git a/sys/security/mac/mac_sysv_sem.c b/sys/security/mac/mac_sysv_sem.c
new file mode 100644
index 000000000000..8dc0fcb683d3
--- /dev/null
+++ b/sys/security/mac/mac_sysv_sem.c
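Review bot: `mac_init_sysv_msgqueue` allocates a label and then immediately overwrites the pointer on the next line with `msqkptr->label = NULL;`, so the label just returned by `mac_sysv_msgqueue_label_alloc()` leaks (the MAC_DEBUG counter `nmacipcmsqs` never comes back down either) and every message queue is left with a NULL label. Every later entry point in this file passes `msqkptr->label` straight to the policies — `create_sysv_msgqueue`, the `check_sysv_msqget/msqsnd/msqrcv/msqctl` checks, `cleanup_sysv_msgqueue` — and `mac_destroy_sysv_msgqueue` hands that NULL to `mac_sysv_msgqueue_label_free()`; a policy that dereferences the label would presumably fault, and one that tolerates NULL would be making its access-control decision against a label that was never initialised. Delete the second assignment so the function matches `mac_init_sysv_msgmsg` directly above it. As a style point, the check functions mix `return (0);` with `return(error);`; style(9) wants `return (error);` throughout.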
@@ -0,0 +1,156 @@
+/*-
+ * Copyright (c) 2003-2004 Networks Associates Technology, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project in part by Network
+ * Associates Laboratories, the Security Research Division of Network
+ * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
+ * as part of the DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <sys/cdefs.h>
+__FBSDID("$FreeBSD$");
+
+#include "opt_mac.h"
+
+#include <sys/param.h>
+#include <sys/kernel.h>
+#include <sys/lock.h>
+#include <sys/malloc.h>
+#include <sys/mutex.h>
+#include <sys/mac.h>
+#include <sys/sbuf.h>
+#include <sys/systm.h>
+#include <sys/vnode.h>
+#include <sys/mount.h>
+#include <sys/file.h>
+#include <sys/namei.h>
+#include <sys/sysctl.h>
+#include <sys/sem.h>
+
+#include <sys/mac_policy.h>
+
+#include <security/mac/mac_internal.h>
+
+static int mac_enforce_sysv_sem = 1;
+SYSCTL_INT(_security_mac, OID_AUTO, enforce_sysv_sem, CTLFLAG_RW,
+ &mac_enforce_sysv_sem, 0, "Enforce MAC policy on System V IPC Semaphores");
+TUNABLE_INT("security.mac.enforce_sysv", &mac_enforce_sysv_sem);
+
+#ifdef MAC_DEBUG
+static unsigned int nmacipcsemas;
+SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, ipc_semas, CTLFLAG_RD,
+ &nmacipcsemas, 0, "number of sysv ipc semaphore identifiers inuse");
+#endif
+
+static struct label *
+mac_sysv_sema_label_alloc(void)
+{
+ struct label *label;
+
+ label = mac_labelzone_alloc(M_WAITOK);
+ MAC_PERFORM(init_sysv_sema_label, label);
+ MAC_DEBUG_COUNTER_INC(&nmacipcsemas);
+ return (label);
+}
+
+void
+mac_init_sysv_sema(struct semid_kernel *semakptr)
+{
+
+ semakptr->label = mac_sysv_sema_label_alloc();
+}
+
+static void
+mac_sysv_sema_label_free(struct label *label)
+{
+
+ MAC_PERFORM(destroy_sysv_sema_label, label);
+ mac_labelzone_free(label);
+ MAC_DEBUG_COUNTER_DEC(&nmacipcsemas);
+}
+
+void
+mac_destroy_sysv_sema(struct semid_kernel *semakptr)
+{
+
+ mac_sysv_sema_label_free(semakptr->label);
+ semakptr->label = NULL;
+}
+
+void
+mac_create_sysv_sema(struct ucred *cred, struct semid_kernel *semakptr)
+{
+
+ MAC_PERFORM(create_sysv_sema, cred, semakptr, semakptr->label);
+}
+
+void
+mac_cleanup_sysv_sema(struct semid_kernel *semakptr)
+{
+
+ MAC_PERFORM(cleanup_sysv_sema, semakptr->label);
+}
+
+int
+mac_check_sysv_semctl(struct ucred *cred, struct semid_kernel *semakptr,
+ int cmd)
+{
+ int error;
+
+ if (!mac_enforce_sysv_sem)
+ return (0);
+
+ MAC_CHECK(check_sysv_semctl, cred, semakptr, semakptr->label, cmd);
+
+ return(error);
+}
+
+int
+mac_check_sysv_semget(struct ucred *cred, struct semid_kernel *semakptr)
+{
+ int error;
+
+ if (!mac_enforce_sysv_sem)
+ return (0);
+
+ MAC_CHECK(check_sysv_semget, cred, semakptr, semakptr->label);
+
+ return(error);
+}
+
+int
+mac_check_sysv_semop(struct ucred *cred, struct semid_kernel *semakptr,
+ size_t accesstype)
+{
+ int error;
+
+ if (!mac_enforce_sysv_sem)
+ return (0);
+
+ MAC_CHECK(check_sysv_semop, cred, semakptr, semakptr->label,
+ accesstype);
+
+ return(error);
+}
diff --git a/sys/security/mac/mac_sysv_shm.c b/sys/security/mac/mac_sysv_shm.c
new file mode 100644
index 000000000000..175774fd7e43
--- /dev/null
+++ b/sys/security/mac/mac_sysv_shm.c
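Review bot: The loader tunable `TUNABLE_INT("security.mac.enforce_sysv", &mac_enforce_sysv_sem);` does not match the sysctl it is meant to seed, `security.mac.enforce_sysv_sem`, and the identical tunable name is reused for `mac_enforce_sysv_shm` in mac_sysv_shm.c (third hunk), while mac_sysv_msg.c correctly uses `security.mac.enforce_sysv_msg`. As written, a single `security.mac.enforce_sysv` in loader.conf would presumably feed both the semaphore and shared-memory knobs at once, there is no way to set them separately before boot, and an administrator who writes `security.mac.enforce_sysv_sem` or `security.mac.enforce_sysv_shm` in loader.conf gets no effect until the sysctl is set at runtime, leaving a window in which enforcement state differs from what was configured. It should read `TUNABLE_INT("security.mac.enforce_sysv_sem", &mac_enforce_sysv_sem);` here and `TUNABLE_INT("security.mac.enforce_sysv_shm", &mac_enforce_sysv_shm);` in the shm file.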
@@ -0,0 +1,173 @@
+/*-
+ * Copyright (c) 2003-2004 Networks Associates Technology, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project in part by Network
+ * Associates Laboratories, the Security Research Division of Network
+ * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
+ * as part of the DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <sys/cdefs.h>
+__FBSDID("$FreeBSD$");
+
+#include "opt_mac.h"
+
+#include <sys/param.h>
+#include <sys/kernel.h>
+#include <sys/lock.h>
+#include <sys/malloc.h>
+#include <sys/mutex.h>
+#include <sys/mac.h>
+#include <sys/sbuf.h>
+#include <sys/systm.h>
+#include <sys/vnode.h>
+#include <sys/mount.h>
+#include <sys/file.h>
+#include <sys/namei.h>
+#include <sys/sysctl.h>
+#include <sys/shm.h>
+
+#include <sys/mac_policy.h>
+
+#include <security/mac/mac_internal.h>
+
+static int mac_enforce_sysv_shm = 1;
+SYSCTL_INT(_security_mac, OID_AUTO, enforce_sysv_shm, CTLFLAG_RW,
+ &mac_enforce_sysv_shm, 0,
+ "Enforce MAC policy on System V IPC shared memory");
+TUNABLE_INT("security.mac.enforce_sysv", &mac_enforce_sysv_shm);
+
+#ifdef MAC_DEBUG
+static unsigned int nmacipcshms;
+SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, ipc_shms, CTLFLAG_RD,
+ &nmacipcshms, 0, "number of sysv ipc shm identifiers inuse");
+#endif
+
+static struct label *
+mac_sysv_shm_label_alloc(void)
+{
+ struct label *label;
+
+ label = mac_labelzone_alloc(M_WAITOK);
+ MAC_PERFORM(init_sysv_shm_label, label);
+ MAC_DEBUG_COUNTER_INC(&nmacipcshms);
+ return (label);
+}
+
+void
+mac_init_sysv_shm(struct shmid_kernel *shmsegptr)
+{
+
+ shmsegptr->label = mac_sysv_shm_label_alloc();
+}
+
+static void
+mac_sysv_shm_label_free(struct label *label)
+{
+
+ MAC_PERFORM(destroy_sysv_shm_label, label);
+ mac_labelzone_free(label);
+ MAC_DEBUG_COUNTER_DEC(&nmacipcshms);
+}
+
+void
+mac_destroy_sysv_shm(struct shmid_kernel *shmsegptr)
+{
+
+ mac_sysv_shm_label_free(shmsegptr->label);
+ shmsegptr->label = NULL;
+}
+
+void
+mac_create_sysv_shm(struct ucred *cred, struct shmid_kernel *shmsegptr)
+{
+
+ MAC_PERFORM(create_sysv_shm, cred, shmsegptr, shmsegptr->label);
+}
+
+void
+mac_cleanup_sysv_shm(struct shmid_kernel *shmsegptr)
+{
+
+ MAC_PERFORM(cleanup_sysv_shm, shmsegptr->label);
+}
+
+int
+mac_check_sysv_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr,
+ int shmflg)
+{
+ int error;
+
+ if (!mac_enforce_sysv_shm)
+ return (0);
+
+ MAC_CHECK(check_sysv_shmat, cred, shmsegptr, shmsegptr->label,
+ shmflg);
+
+ return(error);
+}
+
+int
+mac_check_sysv_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr,
+ int cmd)
+{
+ int error;
+
+ if (!mac_enforce_sysv_shm)
+ return (0);
+
+ MAC_CHECK(check_sysv_shmctl, cred, shmsegptr, shmsegptr->label,
+ cmd);
+
+ return(error);
+}
+
+int
+mac_check_sysv_shmdt(struct ucred *cred, struct shmid_kernel *shmsegptr)
+{
+ int error;
+
+ if (!mac_enforce_sysv_shm)
+ return (0);
+
+ MAC_CHECK(check_sysv_shmdt, cred, shmsegptr, shmsegptr->label);
+
+ return(error);
+}
+
+int
+mac_check_sysv_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr,
+ int shmflg)
+{
+ int error;
+
+ if (!mac_enforce_sysv_shm)
+ return (0);
+
+ MAC_CHECK(check_sysv_shmget, cred, shmsegptr, shmsegptr->label,
+ shmflg);
+
+ return(error);
+} |