/*
 * Copyright (c) 2007 Apple Inc. All rights reserved.
 *
 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
 *
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. The rights granted to you under the License
 * may not be used to create, or enable the creation or redistribution of,
 * unlawful or unlicensed copies of an Apple operating system, or to
 * circumvent, violate, or enable the circumvention or violation of, any
 * terms of an Apple operating system software license agreement.
 *
 * Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this file.
 *
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 *
 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
 */
/*-
 * Copyright (c) 2002, 2003 Networks Associates Technology, Inc.
 * Copyright (c) 2005 SPARTA, Inc.
 * All rights reserved.
 *
 * This software was developed for the FreeBSD Project in part by Network
 * Associates Laboratories, the Security Research Division of Network
 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
 * as part of the DARPA CHATS research program.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
*/

#include <sys/cdefs.h>

#include <sys/param.h>
#include <sys/kernel.h>
#include <sys/lock.h>
#include <sys/malloc.h>
#include <sys/sbuf.h>
#include <sys/systm.h>
#include <sys/vnode.h>
#include <sys/pipe.h>
#include <sys/sysctl.h>

#include <security/mac_internal.h>

/*
 * MAC framework entry points for pipes.
 *
 * Two groups of functions live here:
 *
 *   - label lifecycle (alloc/init/free/destroy/copy/externalize/internalize/
 *     associate/update), which hands the work to the registered policies via
 *     MAC_PERFORM, MAC_EXTERNALIZE and MAC_INTERNALIZE; and
 *
 *   - access checks (mac_pipe_check_*), which are all gated on the
 *     mac_pipe_enforce flag.  When the flag is clear every check returns 0
 *     without consulting any policy, so the flag is effectively a global
 *     bypass for pipe policy decisions -- worth remembering when reading
 *     audit or detection output that expects a policy to have been asked.
 *
 * The MAC_CHECK macro assigns its result to a local named `error`; each
 * check function therefore declares `int error` and must keep that name.
 */

/*
 * Allocate a pipe label from the label zone and give every policy a chance
 * to initialise its part of it (pipe_label_init hook).
 *
 * Returns the new label, or NULL when mac_labelzone_alloc() returned NULL.
 * MAC_WAITOK is passed, so whether NULL is actually reachable here depends on
 * the zone allocator's wait-ok contract, which is not visible in this file.
 */
struct label *
mac_pipe_label_alloc(void)
{
	struct label *label;

	label = mac_labelzone_alloc(MAC_WAITOK);
	if (label == NULL)
		return (NULL);
	MAC_PERFORM(pipe_label_init, label);
	return (label);
}

/*
 * Attach a freshly allocated label to cpipe.
 *
 * NOTE(review): the result of mac_pipe_label_alloc() is stored without a NULL
 * check; if the allocation can fail, cpipe->pipe_label ends up NULL and the
 * later hooks receive a NULL label.  Presumably MAC_WAITOK rules that out --
 * confirm against mac_labelzone_alloc.
 */
void
mac_pipe_label_init(struct pipe *cpipe)
{

	cpipe->pipe_label = mac_pipe_label_alloc();
}

/*
 * Tear down a pipe label: run every policy's pipe_label_destroy hook, then
 * return the storage to the label zone.  The caller owns the pointer and
 * must not use it afterwards.
 */
void
mac_pipe_label_free(struct label *label)
{

	MAC_PERFORM(pipe_label_destroy, label);
	mac_labelzone_free(label);
}

/*
 * Free cpipe's label and clear the pointer so the pipe never carries a
 * dangling label reference after destruction.
 */
void
mac_pipe_label_destroy(struct pipe *cpipe)
{

	mac_pipe_label_free(cpipe->pipe_label);
	cpipe->pipe_label = NULL;
}

/*
 * Copy label contents from src to dest through each policy's pipe_label_copy
 * hook.  Both labels must already be allocated; no allocation happens here.
 */
void
mac_pipe_label_copy(struct label *src, struct label *dest)
{

	MAC_PERFORM(pipe_label_copy, src, dest);
}

/*
 * Render the requested label elements of `label` into outbuf.
 *
 * elements  - policy element names the caller wants exported
 * outbuf    - destination buffer
 * outbuflen - size of outbuf; passed through so the policies can bound
 *             their writes (truncation/termination rules are defined by
 *             MAC_EXTERNALIZE, not here)
 *
 * Returns the error reported by MAC_EXTERNALIZE, 0 on success.
 */
int
mac_pipe_label_externalize(struct label *label, char *elements,
    char *outbuf, size_t outbuflen)
{
	int error;

	error = MAC_EXTERNALIZE(pipe, label, elements, outbuf, outbuflen);

	return (error);
}

/*
 * Parse the textual label in `string` into `label`.  The string is
 * caller-supplied (typically from user space), so parsing and validation
 * are entirely the policies' responsibility via MAC_INTERNALIZE.
 *
 * Returns the error reported by MAC_INTERNALIZE, 0 on success.
 */
int
mac_pipe_label_internalize(struct label *label, char *string)
{
	int error;

	error = MAC_INTERNALIZE(pipe, label, string);

	return (error);
}

/*
 * Let each policy derive cpipe's label from the creating credential
 * (pipe_label_associate hook).  Called once the pipe has a label.
 */
void
mac_pipe_label_associate(kauth_cred_t cred, struct pipe *cpipe)
{

	MAC_PERFORM(pipe_label_associate, cred, cpipe, cpipe->pipe_label);
}

/*
 * May `cred` attach knote `kn` to cpipe?
 *
 * Returns 0 (allow) without consulting any policy when mac_pipe_enforce is
 * clear; otherwise returns the result MAC_CHECK collected from the
 * pipe_check_kqfilter hooks.
 */
int
mac_pipe_check_kqfilter(kauth_cred_t cred, struct knote *kn,
    struct pipe *cpipe)
{
	int error;

	if (!mac_pipe_enforce)
		return (0);

	MAC_CHECK(pipe_check_kqfilter, cred, kn, cpipe, cpipe->pipe_label);
	return (error);
}

/*
 * May `cred` issue ioctl request `cmd` on cpipe?
 *
 * Returns 0 when mac_pipe_enforce is clear; otherwise the pipe_check_ioctl
 * hook result.  The request code is forwarded unchanged so policies can
 * decide per-command.
 */
int
mac_pipe_check_ioctl(kauth_cred_t cred, struct pipe *cpipe, u_int cmd)
{
	int error;

	if (!mac_pipe_enforce)
		return (0);

	MAC_CHECK(pipe_check_ioctl, cred, cpipe, cpipe->pipe_label, cmd);

	return (error);
}

/*
 * May `cred` read from cpipe?
 *
 * Returns 0 when mac_pipe_enforce is clear; otherwise the pipe_check_read
 * hook result.
 */
int
mac_pipe_check_read(kauth_cred_t cred, struct pipe *cpipe)
{
	int error;

	if (!mac_pipe_enforce)
		return (0);

	MAC_CHECK(pipe_check_read, cred, cpipe, cpipe->pipe_label);

	return (error);
}

/*
 * May `cred` replace cpipe's label with newlabel?
 *
 * File-local helper used only by mac_pipe_label_update() below.  Like the
 * other checks it returns 0 when mac_pipe_enforce is clear, which means a
 * relabel is then permitted unconditionally.
 */
static int
mac_pipe_check_label_update(kauth_cred_t cred, struct pipe *cpipe,
    struct label *newlabel)
{
	int error;

	if (!mac_pipe_enforce)
		return (0);

	MAC_CHECK(pipe_check_label_update, cred, cpipe, cpipe->pipe_label, newlabel);

	return (error);
}

/*
 * May `cred` select/poll cpipe?
 *
 * `which` identifies the operation being polled and is passed to the
 * pipe_check_select hooks as given by the caller (its encoding is defined
 * by the caller, not here).  Returns 0 when mac_pipe_enforce is clear.
 */
int
mac_pipe_check_select(kauth_cred_t cred, struct pipe *cpipe, int which)
{
	int error;

	if (!mac_pipe_enforce)
		return (0);

	MAC_CHECK(pipe_check_select, cred, cpipe, cpipe->pipe_label, which);

	return (error);
}

/*
 * May `cred` stat cpipe?
 *
 * Returns 0 when mac_pipe_enforce is clear; otherwise the pipe_check_stat
 * hook result.
 */
int
mac_pipe_check_stat(kauth_cred_t cred, struct pipe *cpipe)
{
	int error;

	if (!mac_pipe_enforce)
		return (0);

	MAC_CHECK(pipe_check_stat, cred, cpipe, cpipe->pipe_label);

	return (error);
}

/*
 * May `cred` write to cpipe?
 *
 * Returns 0 when mac_pipe_enforce is clear; otherwise the pipe_check_write
 * hook result.
 */
int
mac_pipe_check_write(kauth_cred_t cred, struct pipe *cpipe)
{
	int error;

	if (!mac_pipe_enforce)
		return (0);

	MAC_CHECK(pipe_check_write, cred, cpipe, cpipe->pipe_label);

	return (error);
}

/*
 * Relabel cpipe with `label` on behalf of `cred`.
 *
 * The access check runs first and its error is returned unchanged if it
 * denies; only then is the relabel committed through the pipe_label_update
 * hooks.  Returns 0 once the update has been performed.
 */
int
mac_pipe_label_update(kauth_cred_t cred, struct pipe *cpipe,
    struct label *label)
{
	int error;

	error = mac_pipe_check_label_update(cred, cpipe, label);
	if (error)
		return (error);

	MAC_PERFORM(pipe_label_update, cred, cpipe, cpipe->pipe_label, label);

	return (0);
}