int
mac_exc_action_check_exception_send(struct task *victim_task, struct exception_action *action)
{
int error = 0;
struct proc *p = get_bsdtask_info(victim_task);
struct label *bsd_label = NULL;
struct label *label = NULL;
if (p != NULL) {
// Create a label from the still existing bsd process...
label = bsd_label = mac_exc_action_label_alloc();
MAC_PERFORM(exc_action_label_update, p, bsd_label);
} else {
// ... otherwise use the crash label on the task.
label = get_task_crash_label(victim_task);
}
if (label == NULL) {
MAC_MACH_UNEXPECTED("mac_exc_action_check_exception_send: no exc_action label for proc %p", p);
return EPERM;
}
MAC_CHECK(exc_action_check_exception_send, label, action, action->label);
if (bsd_label != NULL) {
mac_exc_action_label_free(bsd_label);
}
return (error);
}
int
mac_file_check_change_offset(struct ucred *cred, struct fileglob *fg)
{
int error;
MAC_CHECK(file_check_change_offset, cred, fg, fg->fg_label);
return (error);
}
int
mac_kext_check_load(kauth_cred_t cred, const char *identifier) {
int error;
MAC_CHECK(kext_check_load, cred, identifier);
return (error);
}
int
mac_file_check_receive(struct ucred *cred, struct fileglob *fg)
{
int error;
MAC_CHECK(file_check_receive, cred, fg, fg->fg_label);
return (error);
}
int
mac_iokit_check_device(char *devtype, struct mac_module_data *mdata)
{
int error;
MAC_CHECK(iokit_check_device, devtype, mdata);
return (error);
}
int
mac_file_check_ioctl(struct ucred *cred, struct fileglob *fg, u_int cmd)
{
int error;
MAC_CHECK(file_check_ioctl, cred, fg, fg->fg_label, cmd);
return (error);
}
int
mac_file_check_dup(struct ucred *cred, struct fileglob *fg, int newfd)
{
int error;
MAC_CHECK(file_check_dup, cred, fg, fg->fg_label, newfd);
return (error);
}
int
mac_file_check_create(struct ucred *cred)
{
int error;
MAC_CHECK(file_check_create, cred);
return (error);
}
int
mac_file_check_lock(struct ucred *cred, struct fileglob *fg, int op,
struct flock *fl)
{
int error;
MAC_CHECK(file_check_lock, cred, fg, fg->fg_label, op, fl);
return (error);
}
int
mac_file_check_set(struct ucred *cred, struct fileglob *fg, char *buf,
int buflen)
{
int error;
MAC_CHECK(file_check_set, cred, fg, buf, buflen);
return (error);
}
int
mac_check_port_hold_receive(struct label *task, struct label *port)
{
int error;
MAC_CHECK(check_port_hold_receive, task, port);
return (error);
}
int
mac_check_port_receive(struct label *task, struct label *sender)
{
int error;
MAC_CHECK(check_port_receive, task, sender);
return (error);
}
int
mac_file_check_fcntl(struct ucred *cred, struct fileglob *fg, int cmd,
user_long_t arg)
{
int error;
MAC_CHECK(file_check_fcntl, cred, fg, fg->fg_label, cmd, arg);
return (error);
}
int
mac_check_port_copy_send(struct label *task, struct label *port)
{
int error;
MAC_CHECK(check_port_copy_send, task, port);
return (error);
}
int
mac_lctx_check_label_update(struct lctx *l, struct label *newlabel)
{
int error;
MAC_CHECK(lctx_check_label_update, l, newlabel);
return (error);
}
int
mac_proc_check_get_task(struct ucred *cred, struct proc *p)
{
int error;
MAC_CHECK(proc_check_get_task, cred, p);
return (error);
}
int
mac_sysvsem_check_semget(struct ucred *cred, struct semid_kernel *semakptr)
{
int error;
MAC_CHECK(sysvsem_check_semget, cred, semakptr, semakptr->label);
return (error);
}
int
mac_check_ipc_method(struct label *task, struct label *port, int msgid)
{
int error;
MAC_CHECK(check_ipc_method, task, port, msgid);
return (error);
}
int
mac_file_check_get(struct ucred *cred, struct fileglob *fg, char *elements,
int len)
{
int error;
MAC_CHECK(file_check_get, cred, fg, elements, len);
return (error);
}
int
mac_check_port_move_send_once(struct label *task, struct label *port)
{
int error;
MAC_CHECK(check_port_move_send_once, task, port);
return (error);
}
int
mac_kenv_check_unset(struct ucred *cred, char *name)
{
int error;
MAC_CHECK(kenv_check_unset, cred, name);
return (error);
}
mac_system_check_sysctl(struct ucred *cred, int *name,
struct sys___sysctl_args *uap, size_t oldlen)
#endif
{
int error;
/*
* XXXMAC: We would very much like to assert the SYSCTL_LOCK here,
* but since it's not exported from kern_sysctl.c, we can't.
*/
#if 0 /* XXX PM: Defined differently in OpenBSD. */
MAC_CHECK(system_check_sysctl, cred, oidp, arg1, arg2, req);
#else
MAC_CHECK(system_check_sysctl, cred, name, uap, oldlen);
#endif
return (error);
}
/*
* MAC Framework entry points relating to overall operation of system,
* including global services such as the kernel environment and loadable
* modules.
*
* System checks often align with existing privilege checks, but provide
* additional security context that may be relevant to policies, such as the
* specific object being operated on.
*/
#include <sys/param.h>
#include <sys/kernel.h>
#include <sys/lock.h>
#include <sys/malloc.h>
#include <sys/mutex.h>
#include <sys/systm.h>
#include <sys/vnode.h>
#include <sys/sysctl.h>
#include <security/mac/mac_framework.h>
#include <security/mac/mac_internal.h>
#include <security/mac/mac_policy.h>
#define mac_assert_vnode_locked(VP) \
assert((((VP)->v_flag & VLOCKSWORK) == 0) || VOP_ISLOCKED((VP)))
#if 0 /* XXX PM: We don't have the kenv(2) system call in OpenBSD. */
int
mac_kenv_check_dump(struct ucred *cred)
{
int error;
MAC_CHECK(kenv_check_dump, cred);
return (error);
}
int
mac_system_check_reboot(struct ucred *cred, int howto)
{
int error;
MAC_CHECK(system_check_reboot, cred, howto);
return (error);
}
int
mac_kld_check_stat(struct ucred *cred)
{
int error;
MAC_CHECK(kld_check_stat, cred);
return (error);
}
int
mac_check_port_relabel(struct label *task, struct label *old,
struct label *newlabel)
{
int error;
MAC_CHECK(check_port_relabel, task, old, newlabel);
return (error);
}
int
mac_system_check_swapoff(struct ucred *cred, struct vnode *vp)
{
int error;
mac_assert_vnode_locked(vp);
MAC_CHECK(system_check_swapoff, cred, vp, vp->v_label);
return (error);
}
int
mac_file_check_library_validation(struct proc *proc,
struct fileglob *fg, off_t slice_offset,
user_long_t error_message, size_t error_message_size)
{
int error;
MAC_CHECK(file_check_library_validation, proc, fg, slice_offset, error_message, error_message_size);
return (error);
}
int
mac_proc_check_run_cs_invalid(proc_t proc)
{
int error;
if (!mac_vm_enforce) return (0);
MAC_CHECK(proc_check_run_cs_invalid, proc);
return (error);
}
/*
* MAC Framework entry points relating to overall operation of system,
* including global services such as the kernel environment and loadable
* modules.
*
* System checks often align with existing privilege checks, but provide
* additional security context that may be relevant to policies, such as the
* specific object being operated on.
*/
#include <sys/param.h>
#include <sys/kernel.h>
#include <sys/lock.h>
#include <sys/malloc.h>
#include <sys/mutex.h>
#include <sys/systm.h>
#include <sys/vnode.h>
#include <sys/sysctl.h>
#include <security/mac/mac_framework.h>
#include <security/mac/mac_internal.h>
#include <security/mac/mac_policy.h>
#define mac_assert_vnode_locked(VP) \
assert((((VP)->v_flag & VLOCKSWORK) == 0) || VOP_ISLOCKED((VP)))
#if 0 /* XXX PM: We don't have the kenv(2) system call in OpenBSD. */
int
mac_kenv_check_dump(struct ucred *cred)
{
int error;
MAC_CHECK(kenv_check_dump, cred);
return (error);
}
int
mac_kenv_check_get(struct ucred *cred, char *name)
{
int error;
MAC_CHECK(kenv_check_get, cred, name);
return (error);
}
int
mac_kenv_check_set(struct ucred *cred, char *name, char *value)
{
int error;
MAC_CHECK(kenv_check_set, cred, name, value);
return (error);
}
int
mac_kenv_check_unset(struct ucred *cred, char *name)
{
int error;
MAC_CHECK(kenv_check_unset, cred, name);
return (error);
}
#endif
#if 0 /* XXX PM: We won't support kernel modules. */
int
mac_kld_check_load(struct ucred *cred, struct vnode *vp)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_kld_check_load");
MAC_CHECK(kld_check_load, cred, vp, vp->v_label);
return (error);
}
