/*
 * Relabel a pipe pair on behalf of cred.
 *
 * Every registered policy is asked to move the pair's current label
 * (pp->pp_label) to newlabel.  No authorization check happens here --
 * this is the "perform" half only, so the decision to allow the relabel
 * must already have been made by the caller.
 * NOTE(review): presumably called with the pipe locked -- confirm at callers.
 */
void
mac_pipe_relabel(struct ucred *cred, struct pipepair *pp,
                 struct label *newlabel)
{

    MAC_PERFORM(pipe_relabel, cred, pp, pp->pp_label, newlabel);
}
/*
 * Label a newly created POSIX semaphore.
 *
 * Each policy receives the creating credential, the semaphore object,
 * its label slot (psem->psem_label) and the semaphore's name, and fills
 * in its own part of the label.  Nothing is checked here; creation has
 * already been authorized by the time this runs.
 */
void
mac_create_posix_sem(struct ucred *cred, struct pseminfo *psem,
    const char *name)
{

	MAC_PERFORM(create_posix_sem, cred, psem, psem->psem_label, name);
}
/*
 * Initialize a Mach port label.
 *
 * The generic label storage is set up first (mac_init_label), then each
 * policy initializes its own slot in it.  The order is deliberate: a
 * policy must never see uninitialized label storage.
 */
void
mac_init_port_label(struct label *l)
{

	mac_init_label(l);
	MAC_PERFORM (init_port_label, l);
}
/*
 * Tear down a pipe label.
 *
 * Policies release whatever per-label state they hold first; only then
 * is the storage returned to the label pool.  Reversing these two steps
 * would hand policies memory that may already have been reused.  The
 * caller must not touch label afterwards.
 */
void
mac_pipe_label_free(struct label *label)
{

    MAC_PERFORM(pipe_destroy_label, label);
    mac_labelpool_free(label);
}
/*
 * Hook run when thread is about to return to user mode.
 *
 * Policies are only consulted once the mac_late flag is set
 * (presumably after late-stage framework initialization); before that
 * the hook is a no-op.  code and error are the syscall result values
 * passed through to the policies unchanged.
 */
void
mac_thread_userret(int code, int error, struct thread *thread)
{

    if (!mac_late)
        return;

    MAC_PERFORM(thread_userret, code, error, thread);
}
/*
 * Tear down a socket peer label.
 *
 * Policies destroy their per-label state before the storage is handed
 * back to the label zone; the caller must not use label afterwards.
 */
static void
mac_socket_peer_label_free(struct label *label)
{

	MAC_PERFORM(socketpeer_label_destroy, label);
	mac_labelzone_free(label);
}
/*
 * Decide whether an exception raised for victim_task may be sent to the
 * port described by action.
 *
 * If the victim still has a BSD process, a temporary label is built
 * from it through the exc_action_label_update hooks and used as the
 * subject.  Once the process is gone, the crash label kept on the task
 * serves instead.  With no label available at all the send is refused
 * (fail closed) with EPERM.  The temporary label, when one was built,
 * is released before returning.
 *
 * Returns 0 to allow the send, otherwise an errno value.
 * NOTE(review): MAC_CHECK is taken to store the policies' combined
 * verdict into the local `error`; its expansion is not visible here.
 */
int
mac_exc_action_check_exception_send(struct task *victim_task, struct exception_action *action)
{
	int error = 0;

	struct proc *p = get_bsdtask_info(victim_task);
	struct label *bsd_label = NULL;
	struct label *label = NULL;

	if (p != NULL) {
		// Create a label from the still existing bsd process...
		label = bsd_label = mac_exc_action_label_alloc();
		MAC_PERFORM(exc_action_label_update, p, bsd_label);
	} else {
		// ... otherwise use the crash label on the task.
		label = get_task_crash_label(victim_task);
	}

	if (label == NULL) {
		MAC_MACH_UNEXPECTED("mac_exc_action_check_exception_send: no exc_action label for proc %p", p);
		return EPERM;
	}

	/* Subject label vs. the label of the target exception port. */
	MAC_CHECK(exc_action_check_exception_send, label, action, action->label);

	/* Only the label we allocated ourselves is ours to free. */
	if (bsd_label != NULL) {
		mac_exc_action_label_free(bsd_label);
	}

	return (error);
}
/*
 * Tear down a login-context label.
 *
 * Policies destroy their per-label state before the storage goes back
 * to the label zone; the caller must not use label afterwards.
 */
void
mac_lctx_label_free(struct label *label)
{

    MAC_PERFORM(lctx_label_destroy, label);
    mac_labelzone_free(label);
}
/*
 * Tear down a file label.
 *
 * Policies destroy their per-label state before the storage goes back
 * to the label zone; the caller must not use label afterwards.
 */
static void
mac_file_label_free(struct label *label)
{

	MAC_PERFORM(file_label_destroy, label);
	mac_labelzone_free(label);
}
/*
 * Tear down a System V semaphore label.
 *
 * Policies destroy their per-label state before the storage is returned
 * to the label pool; the caller must not use label afterwards.
 */
void
mac_sysv_sem_label_free(struct label *label)
{

	MAC_PERFORM(sysvsem_destroy_label, label);
	mac_labelpool_free(label);
}
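/*
 * Relabel socket so to label on behalf of cred.
 *
 * The request is authorized first via mac_socket_check_label_update();
 * if any policy refuses, that error is returned and so->so_label is left
 * untouched.  Only then is every policy asked to carry out the update.
 * Note that, unlike the associate hooks, this path does NOT short-circuit
 * on mac_socket_enforce: a relabel request is always checked.
 *
 * Under CONFIG_MACF_NET the protocol layer is notified afterwards so a
 * pcb label cached from the socket can be refreshed.
 *
 * Returns 0 on success, or the errno returned by the check.
 * NOTE(review): the inpcb notification comment says the socket lock is
 * held here -- confirm at callers.
 */
int
mac_socket_label_update(kauth_cred_t cred, struct socket *so, struct label *label)
{
	int error;

	/* Authorize before touching anything. */
	error = mac_socket_check_label_update(cred, so, label);
	if (error)
		return (error);

	MAC_PERFORM(socket_label_update, cred,
		    (socket_t)so, so->so_label, label);

#if CONFIG_MACF_NET
	/*
	 * If the protocol has expressed interest in socket layer changes,
	 * such as if it needs to propagate changes to a cached pcb
	 * label from the socket, notify it of the label change while
	 * holding the socket lock.
	 * XXXMAC - are there cases when we should not do this?
	 */
	mac_inpcb_label_update(so);
#endif
	return (0);
}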
/*
 * Tear down a Mach port label.
 *
 * Mirror image of mac_init_port_label(): policies destroy their slots
 * first, then the generic label storage is released.  The caller must
 * not use l afterwards.
 */
void
mac_destroy_port_label(struct label *l)
{

	MAC_PERFORM (destroy_port_label, l);
	mac_destroy_label(l);
}
/*
 * Tear down a POSIX semaphore label.
 *
 * Policies destroy their per-label state, the storage goes back to the
 * label zone, and the debug count of live semaphore labels (nmac_psem)
 * is decremented to balance the increment done at allocation.
 */
static void
mac_posix_sem_label_free(struct label *label)
{

	MAC_PERFORM(destroy_posix_sem_label, label);
	mac_labelzone_free(label);
	MAC_DEBUG_COUNTER_DEC(&nmac_psem);
}
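/*
 * Allocate and initialize a label for an exception action.
 *
 * Storage comes from the MAC label zone with MAC_WAITOK; every policy
 * then initializes its own slot.  If the zone allocator returns NULL
 * the function returns NULL rather than handing a null label to the
 * policies -- the same guard the other *_label_alloc helpers
 * (mac_file_label_alloc, mac_sysv_msgqueue_label_alloc) apply to the
 * same call.  Ownership of the returned label passes to the caller,
 * who releases it with mac_exc_action_label_free().
 */
static struct label *
mac_exc_action_label_alloc(void)
{
	struct label *label = mac_labelzone_alloc(MAC_WAITOK);

	if (label == NULL)
		return (NULL);
	MAC_PERFORM(exc_action_label_init, label);
	return (label);
}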
/*
 * Label a System V message msgptr being placed on queue msqptr.
 *
 * Each policy sees the sending credential, the queue and its label,
 * and the message and its label slot, and derives the message label
 * from them.  No check is performed here.
 */
void
mac_sysvmsg_label_associate(kauth_cred_t cred, struct msqid_kernel *msqptr, 
    struct msg *msgptr)
{
				
	MAC_PERFORM(sysvmsg_label_associate, cred, msqptr, msqptr->label, 
		msgptr, msgptr->label);
}
/*
 * Allocate and initialize a System V semaphore label.
 *
 * Storage comes from the label pool with M_WAITOK, then every policy
 * initializes its slot.  The caller owns the result and releases it
 * with mac_sysv_sem_label_free().
 * NOTE(review): the allocation result is not NULL-checked before being
 * handed to the policies -- relies on M_WAITOK never returning NULL;
 * confirm against mac_labelpool_alloc().
 */
struct label *
mac_sysv_sem_label_alloc(void)
{
	struct label *label;

	label = mac_labelpool_alloc(M_WAITOK);
	MAC_PERFORM(sysvsem_init_label, label);
	return (label);
}
/*
 * Give a freshly created socket its initial label, derived by the
 * policies from the creating credential.
 *
 * When socket enforcement (mac_socket_enforce) is switched off the
 * policies are never consulted and so->so_label is left as is.
 */
void
mac_socket_label_associate(struct ucred *cred, struct socket *so)
{
	if (mac_socket_enforce) {
		MAC_PERFORM(socket_label_associate, cred,
			    (socket_t)so, so->so_label);
	}
}
/*
 * Allocate and initialize a pipe label.
 *
 * Storage comes from the label pool with M_WAITOK, then every policy
 * initializes its slot.  The caller owns the result and releases it
 * with mac_pipe_label_free().
 * NOTE(review): no NULL check before the policies run -- relies on
 * M_WAITOK never returning NULL; confirm against mac_labelpool_alloc().
 */
struct label *
mac_pipe_label_alloc(void)
{
    struct label *label;

    label = mac_labelpool_alloc(M_WAITOK);
    MAC_PERFORM(pipe_init_label, label);
    return (label);
}
/*
 * Allocate and initialize a POSIX semaphore label.
 *
 * Storage comes from the label zone with MAC_WAITOK; every policy
 * initializes its slot and the debug count of live semaphore labels
 * (nmac_psem) is incremented.  mac_posix_sem_label_free() undoes all
 * three steps.
 * NOTE(review): no NULL check before the policies run -- relies on
 * MAC_WAITOK never returning NULL; confirm against mac_labelzone_alloc().
 */
static struct label *
mac_posix_sem_label_alloc(void)
{
	struct label *label;

	label = mac_labelzone_alloc(MAC_WAITOK);
	MAC_PERFORM(init_posix_sem_label, label);
	MAC_DEBUG_COUNTER_INC(&nmac_psem);
	return (label);
}
/*
 * Update the label of credential cred to newlabel.
 *
 * When the subject's label changes, it may require revocation of privilege
 * to mapped objects.  This can't be done on-the-fly later with a unified
 * buffer cache.
 *
 * Two things happen here: CRF_MAC_ENFORCE is set on the credential so
 * that the label becomes part of credential "matching", and every
 * policy is told to apply newlabel.  No authorization is checked in
 * this function.
 */
void
mac_cred_label_update(kauth_cred_t cred, struct label *newlabel)
{

    /* force label to be part of "matching" for credential */
    cred->cr_flags |= CRF_MAC_ENFORCE;

    /* inform the policies of the update */
    MAC_PERFORM(cred_label_update, cred, newlabel);
}
/*
 * Attach a crash label to task, derived from proc.
 *
 * A task carries at most one crash label: if one is already present the
 * call is reported through MAC_MACH_UNEXPECTED and ignored, leaving the
 * existing label in place.  Otherwise a fresh exception-action label is
 * allocated, filled in by the policies from proc, and stored on the
 * task, where mac_exc_action_check_exception_send() reads it once the
 * BSD process is gone.
 * NOTE(review): the allocation result is passed to the policies
 * unchecked -- relies on mac_exc_action_label_alloc() never returning
 * NULL; confirm.
 */
void mac_exc_action_label_task_update(struct task *task, struct proc *proc) {
	if (get_task_crash_label(task) != NULL) {
		MAC_MACH_UNEXPECTED("task already has a crash_label attached to it");
		return;
	}

	struct label *label = mac_exc_action_label_alloc();
	MAC_PERFORM(exc_action_label_update, proc, label);
	set_task_crash_label(task, label);
}
/*
 * Allocate and initialize a System V message queue label.
 *
 * Storage comes from the label zone with MAC_WAITOK.  A NULL from the
 * allocator is returned as-is so the policies never see a null label;
 * otherwise each policy initializes its slot.  The caller owns the
 * result.
 */
static struct label *
mac_sysv_msgqueue_label_alloc(void)
{
	struct label *label;

	label = mac_labelzone_alloc(MAC_WAITOK);
	if (label == NULL)
		return (NULL);
	MAC_PERFORM(sysvmsq_label_init, label);
	return (label);
}
/*
 * Set newsocket's peer label from the label of oldsocket, the socket
 * at the other end of the connection.
 *
 * Policies receive both sockets, oldsocket's own label and newsocket's
 * peer-label slot.  When socket enforcement (mac_socket_enforce) is
 * off nothing happens and the peer label is left untouched.
 */
void
mac_socketpeer_label_associate_socket(struct socket *oldsocket,
    struct socket *newsocket)
{
	if (mac_socket_enforce) {
		MAC_PERFORM(socketpeer_label_associate_socket,
			    (socket_t)oldsocket, oldsocket->so_label,
			    (socket_t)newsocket, newsocket->so_peerlabel);
	}
}
/*
 * Allocate and initialize a file label.
 *
 * Storage comes from the label zone with MAC_WAITOK.  A NULL from the
 * allocator is returned as-is so the policies never see a null label;
 * otherwise each policy initializes its slot.  The caller owns the
 * result and releases it with mac_file_label_free().
 */
static struct label *
mac_file_label_alloc(void)
{
	struct label *label;

	label = mac_labelzone_alloc(MAC_WAITOK);
	if (label == NULL)
		return (NULL);
	MAC_PERFORM(file_label_init, label);
	return (label);
}
/*
 * Let the policies reduce the protection bits requested for an mmap of
 * the file fg by cred.
 *
 * The policies work on a local copy of *prot and the caller's value is
 * written back only once, after all of them have run.  Policies can
 * only narrow the request through this hook as used here; the caller
 * must honor the possibly reduced *prot.
 * NOTE(review): that policies only ever clear bits is inferred from the
 * hook's name, not enforced in this function -- confirm in the policies.
 */
void
mac_file_check_mmap_downgrade(struct ucred *cred, struct fileglob *fg,
    int *prot)
{
	int result = *prot;

	MAC_PERFORM(file_check_mmap_downgrade, cred, fg, fg->fg_label,
	    &result);

	*prot = result;
}
/*
 * Give a freshly created socket its initial label, derived by the
 * policies from the creating credential.
 *
 * With SECURITY_MAC_CHECK_ENFORCE built in, the hook is skipped when
 * socket enforcement (mac_socket_enforce) is off and so->so_label is
 * left untouched; without it the policies always run.
 */
void
mac_socket_label_associate(struct ucred *cred, struct socket *so)
{
#if SECURITY_MAC_CHECK_ENFORCE
    /* 21167099 - only check if we allow write */
    if (!mac_socket_enforce)
        return;
#endif

	MAC_PERFORM(socket_label_associate, cred, 
		    (socket_t)so, so->so_label);
}
/*
 * Set so's peer label from the label carried by an incoming mbuf.
 *
 * The hook runs when either socket or network enforcement is enabled;
 * with both off the peer label is left untouched.  The mbuf's label is
 * looked up with mac_mbuf_to_label(), which may yield NULL for an
 * unlabeled mbuf -- that NULL is passed straight through, so every
 * policy must cope with it.
 */
void
mac_socketpeer_label_associate_mbuf(struct mbuf *mbuf, struct socket *so)
{
	struct label *label;

	if (mac_socket_enforce || mac_net_enforce) {
		label = mac_mbuf_to_label(mbuf);

		/* Policy must deal with NULL label (unlabeled mbufs) */
		MAC_PERFORM(socketpeer_label_associate_mbuf, mbuf, label,
			    (socket_t)so, so->so_peerlabel);
	}
}
/*
 * Refresh action's label from the process that owns task.
 *
 * The kernel task is exempt: it may set exception ports without any
 * policy involvement, so 0 is returned at once.  For every other task
 * the owning proc is looked up; if there is none ESRCH is returned.
 * Otherwise each policy updates action->label from the proc, the proc
 * is released, and 0 is returned.
 * NOTE(review): assumes mac_task_get_proc() returns a held reference
 * that proc_rele() drops -- confirm.
 */
int mac_exc_action_label_update(struct task *task, struct exception_action *action) {
	if (task == kernel_task) {
		// The kernel may set exception ports without any check.
		return 0;
	}

	struct proc *p = mac_task_get_proc(task);
	if (p == NULL)
		return ESRCH;

	MAC_PERFORM(exc_action_label_update, p, action->label);
	proc_rele(p);
	return 0;
}
/*
 * Set newsocket's peer label from the label of oldsocket, the socket
 * at the other end of the connection.
 *
 * Policies receive both sockets, oldsocket's own label and newsocket's
 * peer-label slot.  With SECURITY_MAC_CHECK_ENFORCE built in, the hook
 * is skipped when socket enforcement (mac_socket_enforce) is off;
 * without it the policies always run.
 */
void
mac_socketpeer_label_associate_socket(struct socket *oldsocket,
    struct socket *newsocket)
{
#if SECURITY_MAC_CHECK_ENFORCE
    /* 21167099 - only check if we allow write */
    if (!mac_socket_enforce)
        return;
#endif

	MAC_PERFORM(socketpeer_label_associate_socket,
		    (socket_t)oldsocket, oldsocket->so_label,
		    (socket_t)newsocket, newsocket->so_peerlabel);
}
/*
 * Set so's peer label from the label carried by an incoming mbuf.
 *
 * With SECURITY_MAC_CHECK_ENFORCE built in, the hook runs only when
 * socket or network enforcement is enabled; without it the policies
 * always run.  The mbuf's label comes from mac_mbuf_to_label(), which
 * may yield NULL for an unlabeled mbuf -- that NULL is passed straight
 * through, so every policy must cope with it.
 */
void
mac_socketpeer_label_associate_mbuf(struct mbuf *mbuf, struct socket *so)
{
	struct label *label;

#if SECURITY_MAC_CHECK_ENFORCE
    /* 21167099 - only check if we allow write */
    if (!mac_socket_enforce && !mac_net_enforce)
        return;
#endif

	label = mac_mbuf_to_label(mbuf);

	/* Policy must deal with NULL label (unlabeled mbufs) */
	MAC_PERFORM(socketpeer_label_associate_mbuf, mbuf, label,
		    (socket_t)so, so->so_peerlabel);
}