/*
 * Notify every loaded policy that the label on pipe pair 'pp' is being
 * replaced by 'newlabel' on behalf of 'cred'.
 *
 * NOTE(review): this is a MAC_PERFORM (notification), not a MAC_CHECK;
 * the access decision for the relabel presumably happens in the caller —
 * confirm before relying on this hook to deny anything.
 */
void
mac_pipe_relabel(struct ucred *cred, struct pipepair *pp, struct label *newlabel)
{
	struct label *oldlabel = pp->pp_label;

	MAC_PERFORM(pipe_relabel, cred, pp, oldlabel, newlabel);
}
/*
 * Let the policies initialise the label of a newly created POSIX
 * semaphore 'psem' (named 'name') on behalf of the creating 'cred'.
 * Notification only; no access check is made here.
 */
void
mac_create_posix_sem(struct ucred *cred, struct pseminfo *psem, const char *name)
{
	struct label *semlabel = psem->psem_label;

	MAC_PERFORM(create_posix_sem, cred, psem, semlabel, name);
}
/*
 * Initialise a Mach port label: framework-level setup first, then each
 * policy gets to initialise its own slot in the label.
 */
void
mac_init_port_label(struct label *l)
{
	struct label *port_label = l;

	mac_init_label(port_label);
	MAC_PERFORM(init_port_label, port_label);
}
/*
 * Tear down a pipe label: policies release their per-policy state first,
 * then the backing storage is returned to the label pool.
 * 'label' is dangling on return; callers must not touch it again.
 */
void
mac_pipe_label_free(struct label *label)
{
	struct label *doomed = label;

	MAC_PERFORM(pipe_destroy_label, doomed);
	mac_labelpool_free(doomed);
}
/*
 * Hook run when a thread is about to return to user space after a
 * syscall/trap 'code' that completed with 'error'.
 * Suppressed while 'mac_late' is clear (presumably until the framework's
 * late initialisation has completed — confirm).
 */
void
mac_thread_userret(int code, int error, struct thread *thread)
{
	if (!mac_late)
		return;

	MAC_PERFORM(thread_userret, code, error, thread);
}
/*
 * Tear down a socket peer label: policies drop their state, then the
 * label goes back to the label zone.  'label' must not be used afterwards.
 */
static void
mac_socket_peer_label_free(struct label *label)
{
	struct label *doomed = label;

	MAC_PERFORM(socketpeer_label_destroy, doomed);
	mac_labelzone_free(doomed);
}
/*
 * Decide whether an exception raised for 'victim_task' may be delivered
 * to the handler described by 'action'.
 *
 * The label the policies judge comes from one of two places: if the BSD
 * proc still exists, a fresh exc_action label is built from it; otherwise
 * the crash label previously stashed on the task (see
 * mac_exc_action_label_task_update) is used.  Having no label at all is
 * treated as a denial (EPERM) rather than an allow, so the missing-label
 * case fails closed.
 *
 * Returns 0 to permit the send, otherwise an errno chosen by the policies.
 *
 * NOTE(review): 'p' is taken from get_bsdtask_info() with no visible
 * reference, unlike mac_exc_action_label_update() which pairs
 * mac_task_get_proc() with proc_rele(); confirm the proc cannot go away
 * while the label is being built from it.
 */
int
mac_exc_action_check_exception_send(struct task *victim_task, struct exception_action *action)
{
	int error = 0;	/* presumably set by MAC_CHECK below; no other writer here */
	struct proc *p = get_bsdtask_info(victim_task);
	struct label *bsd_label = NULL;	/* non-NULL only if we allocated it here */
	struct label *label = NULL;

	if (p != NULL) {
		// Create a label from the still existing bsd process...
		label = bsd_label = mac_exc_action_label_alloc();
		MAC_PERFORM(exc_action_label_update, p, bsd_label);
	} else {
		// ... otherwise use the crash label on the task.
		label = get_task_crash_label(victim_task);
	}

	if (label == NULL) {
		/* Fail closed: with no label there is no basis for granting the send. */
		MAC_MACH_UNEXPECTED("mac_exc_action_check_exception_send: no exc_action label for proc %p", p);
		return EPERM;
	}

	MAC_CHECK(exc_action_check_exception_send, label, action, action->label);

	/* Only the label we allocated ourselves is ours to free; the task's crash label stays. */
	if (bsd_label != NULL) {
		mac_exc_action_label_free(bsd_label);
	}
	return (error);
}
/*
 * Tear down a login-context label: policies drop their state first, then
 * the storage returns to the label zone.  'label' is invalid on return.
 */
void
mac_lctx_label_free(struct label *label)
{
	struct label *doomed = label;

	MAC_PERFORM(lctx_label_destroy, doomed);
	mac_labelzone_free(doomed);
}
/*
 * Tear down a file label: policies drop their state first, then the
 * storage returns to the label zone.  'label' is invalid on return.
 */
static void
mac_file_label_free(struct label *label)
{
	struct label *doomed = label;

	MAC_PERFORM(file_label_destroy, doomed);
	mac_labelzone_free(doomed);
}
/*
 * Tear down a System V semaphore label: policies drop their state first,
 * then the storage returns to the label pool.  'label' is invalid on return.
 */
void
mac_sysv_sem_label_free(struct label *label)
{
	struct label *doomed = label;

	MAC_PERFORM(sysvsem_destroy_label, doomed);
	mac_labelpool_free(doomed);
}
/*
 * Apply 'label' to socket 'so' on behalf of 'cred'.
 *
 * The relabel is first submitted to the policies as a check
 * (mac_socket_check_label_update) and is performed only if none of them
 * object; the update hook then runs and, when MACF networking is built
 * in, the protocol layer is told so that a cached pcb label can follow.
 *
 * Returns 0 on success, or the policies' error, in which case no label
 * has been changed.
 */
int
mac_socket_label_update(kauth_cred_t cred, struct socket *so, struct label *label)
{
	int error;

#if 0
#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099 - only check if we allow write */
	if (!mac_socket_enforce)
		return 0;
#endif
#endif
	/*
	 * NOTE(review): unlike the *_label_associate hooks in this file, the
	 * enforce gate above is compiled out, so this check runs regardless of
	 * mac_socket_enforce.  Presumably deliberate (relabeling a socket is a
	 * privileged write); do not re-enable the gate without reviewing that.
	 */
	error = mac_socket_check_label_update(cred, so, label);
	if (error)
		return (error);

	MAC_PERFORM(socket_label_update, cred, (socket_t)so, so->so_label, label);

#if CONFIG_MACF_NET
	/*
	 * If the protocol has expressed interest in socket layer changes,
	 * such as if it needs to propagate changes to a cached pcb
	 * label from the socket, notify it of the label change while
	 * holding the socket lock.
	 * XXXMAC - are there cases when we should not do this?
	 */
	mac_inpcb_label_update(so);
#endif
	return (0);
}
/*
 * Destroy a Mach port label: each policy releases its slot first, then
 * the framework-level teardown runs.  Mirrors mac_init_port_label().
 */
void
mac_destroy_port_label(struct label *l)
{
	struct label *port_label = l;

	MAC_PERFORM(destroy_port_label, port_label);
	mac_destroy_label(port_label);
}
/*
 * Tear down a POSIX semaphore label and account for it in the debug
 * counter.  Policies drop their state first, then the storage returns
 * to the label zone; 'label' is invalid on return.
 */
static void
mac_posix_sem_label_free(struct label *label)
{
	struct label *doomed = label;

	MAC_PERFORM(destroy_posix_sem_label, doomed);
	mac_labelzone_free(doomed);
	MAC_DEBUG_COUNTER_DEC(&nmac_psem);
}
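/*
 * Allocate and initialise a fresh exc_action label.
 *
 * Returns NULL only if the zone allocator does.  With MAC_WAITOK that is
 * not expected, but the sibling allocators in this file
 * (mac_sysv_msgqueue_label_alloc, mac_file_label_alloc) guard for it, and
 * without the guard a NULL would be handed straight to every policy's
 * init hook.  The caller owns the result and releases it with
 * mac_exc_action_label_free().
 */
static struct label *
mac_exc_action_label_alloc(void)
{
	struct label *label;

	label = mac_labelzone_alloc(MAC_WAITOK);
	if (label == NULL)
		return (NULL);
	MAC_PERFORM(exc_action_label_init, label);
	return (label);
}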
/*
 * Let the policies label a new System V message 'msgptr' being placed on
 * queue 'msqptr' by 'cred'.  Both the queue's and the message's labels
 * are handed to the hook.
 */
void
mac_sysvmsg_label_associate(kauth_cred_t cred, struct msqid_kernel *msqptr, struct msg *msgptr)
{
	struct label *queue_label = msqptr->label;
	struct label *msg_label = msgptr->label;

	MAC_PERFORM(sysvmsg_label_associate, cred, msqptr, queue_label, msgptr, msg_label);
}
/*
 * Allocate and initialise a System V semaphore label.  The caller owns
 * the result and releases it with mac_sysv_sem_label_free().
 *
 * NOTE(review): no NULL check on the pool allocation; this relies on
 * M_WAITOK never returning NULL — confirm.
 */
struct label *
mac_sysv_sem_label_alloc(void)
{
	struct label *new_label = mac_labelpool_alloc(M_WAITOK);

	MAC_PERFORM(sysvsem_init_label, new_label);
	return (new_label);
}
/*
 * Let the policies label a newly created socket 'so' owned by 'cred'.
 *
 * NOTE(review): while mac_socket_enforce is clear the policies are never
 * told about this socket; if the flag can change at runtime, sockets
 * created while it was clear stay unlabeled afterwards.
 */
void
mac_socket_label_associate(struct ucred *cred, struct socket *so)
{
	if (mac_socket_enforce) {
		struct label *solabel = so->so_label;

		MAC_PERFORM(socket_label_associate, cred, (socket_t)so, solabel);
	}
}
/*
 * Allocate and initialise a pipe label.  The caller owns the result and
 * releases it with mac_pipe_label_free().
 *
 * NOTE(review): no NULL check on the pool allocation; this relies on
 * M_WAITOK never returning NULL — confirm.
 */
struct label *
mac_pipe_label_alloc(void)
{
	struct label *new_label = mac_labelpool_alloc(M_WAITOK);

	MAC_PERFORM(pipe_init_label, new_label);
	return (new_label);
}
/*
 * Allocate and initialise a POSIX semaphore label and bump the debug
 * counter.  The caller owns the result and releases it with
 * mac_posix_sem_label_free(), which decrements the counter again.
 *
 * NOTE(review): unlike mac_sysv_msgqueue_label_alloc() there is no NULL
 * check on the zone allocation; this relies on MAC_WAITOK never failing.
 */
static struct label *
mac_posix_sem_label_alloc(void)
{
	struct label *new_label = mac_labelzone_alloc(MAC_WAITOK);

	MAC_PERFORM(init_posix_sem_label, new_label);
	MAC_DEBUG_COUNTER_INC(&nmac_psem);
	return (new_label);
}
/*
 * Apply 'newlabel' to credential 'cred'.
 *
 * When the subject's label changes, it may require revocation of privilege
 * to mapped objects.  This can't be done on-the-fly later with a unified
 * buffer cache.
 *
 * The credential is first flagged so that its label takes part in
 * credential "matching" from now on; only then are the policies told.
 */
void
mac_cred_label_update(kauth_cred_t cred, struct label *newlabel)
{
	/* Make the label part of credential matching before policies see it. */
	cred->cr_flags |= CRF_MAC_ENFORCE;

	MAC_PERFORM(cred_label_update, cred, newlabel);
}
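/*
 * Attach a crash label, derived from 'proc', to 'task' so that exception
 * checks can still be made once the BSD proc is gone (see
 * mac_exc_action_check_exception_send).
 *
 * A task that already carries a crash label is left untouched and the
 * condition is reported; the existing label is never replaced.  If no
 * label can be allocated nothing is attached: the later check then fails
 * closed on the missing label instead of the policies being handed NULL.
 */
void
mac_exc_action_label_task_update(struct task *task, struct proc *proc)
{
	if (get_task_crash_label(task) != NULL) {
		MAC_MACH_UNEXPECTED("task already has a crash_label attached to it");
		return;
	}

	struct label *label = mac_exc_action_label_alloc();
	if (label == NULL) {
		/* Never hand a NULL label to the policies or store one on the task. */
		MAC_MACH_UNEXPECTED("mac_exc_action_label_task_update: could not allocate crash_label");
		return;
	}
	MAC_PERFORM(exc_action_label_update, proc, label);
	set_task_crash_label(task, label);
}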
/*
 * Allocate and initialise a System V message queue label.
 * Returns NULL if the zone allocation fails; the policies' init hook is
 * only run on a real label.
 */
static struct label *
mac_sysv_msgqueue_label_alloc(void)
{
	struct label *new_label = mac_labelzone_alloc(MAC_WAITOK);

	if (new_label != NULL)
		MAC_PERFORM(sysvmsq_label_init, new_label);
	return (new_label);
}
/*
 * Derive 'newsocket's peer label from 'oldsocket's own label (e.g. on a
 * local connection).  Skipped entirely while socket enforcement is off,
 * so the peer label is then never populated.
 */
void
mac_socketpeer_label_associate_socket(struct socket *oldsocket, struct socket *newsocket)
{
	if (mac_socket_enforce) {
		struct label *src = oldsocket->so_label;
		struct label *dst = newsocket->so_peerlabel;

		MAC_PERFORM(socketpeer_label_associate_socket, (socket_t)oldsocket, src, (socket_t)newsocket, dst);
	}
}
/*
 * Allocate and initialise a file label.
 * Returns NULL if the zone allocation fails; the policies' init hook is
 * only run on a real label.
 */
static struct label *
mac_file_label_alloc(void)
{
	struct label *new_label = mac_labelzone_alloc(MAC_WAITOK);

	if (new_label != NULL)
		MAC_PERFORM(file_label_init, new_label);
	return (new_label);
}
/*
 * Give the policies a chance to reduce the protection bits '*prot' that
 * 'cred' is asking for when mapping 'fg'.  The policies edit a private
 * copy; the caller's value is replaced only after all of them have run.
 *
 * NOTE(review): nothing here verifies that the policies only removed
 * bits (i.e. result is a subset of the original *prot); a misbehaving
 * policy could widen the mapping.
 */
void
mac_file_check_mmap_downgrade(struct ucred *cred, struct fileglob *fg, int *prot)
{
	int wanted = *prot;

	MAC_PERFORM(file_check_mmap_downgrade, cred, fg, fg->fg_label, &wanted);
	*prot = wanted;
}
/*
 * Let the policies label a newly created socket 'so' owned by 'cred'.
 *
 * With SECURITY_MAC_CHECK_ENFORCE built in, the hook is skipped while
 * mac_socket_enforce is clear, so such sockets are never presented to
 * the policies.
 */
void
mac_socket_label_associate(struct ucred *cred, struct socket *so)
{
	struct label *solabel;

#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099 - only check if we allow write */
	if (!mac_socket_enforce)
		return;
#endif
	solabel = so->so_label;
	MAC_PERFORM(socket_label_associate, cred, (socket_t)so, solabel);
}
/*
 * Derive socket 'so's peer label from the label carried by 'mbuf'.
 * Skipped when neither socket nor network enforcement is on.
 * An unlabeled mbuf yields a NULL label, which the policies must handle.
 */
void
mac_socketpeer_label_associate_mbuf(struct mbuf *mbuf, struct socket *so)
{
	if (mac_socket_enforce || mac_net_enforce) {
		struct label *mlabel = mac_mbuf_to_label(mbuf);	/* may be NULL */

		MAC_PERFORM(socketpeer_label_associate_mbuf, mbuf, mlabel, (socket_t)so, so->so_peerlabel);
	}
}
/*
 * Refresh the label on exception handler 'action' from the proc that
 * owns 'task'.
 *
 * The kernel task is exempt and always succeeds without consulting the
 * policies.  Returns ESRCH if no proc can be resolved for the task,
 * otherwise 0.  The proc reference taken here is dropped before return.
 */
int
mac_exc_action_label_update(struct task *task, struct exception_action *action)
{
	// The kernel may set exception ports without any check.
	if (task == kernel_task) {
		return 0;
	}

	struct proc *owner = mac_task_get_proc(task);
	if (owner == NULL) {
		return ESRCH;
	}

	struct label *target = action->label;
	MAC_PERFORM(exc_action_label_update, owner, target);
	proc_rele(owner);
	return 0;
}
/*
 * Derive 'newsocket's peer label from 'oldsocket's own label (e.g. on a
 * local connection).  With SECURITY_MAC_CHECK_ENFORCE built in, the hook
 * is skipped while socket enforcement is off, so the peer label is then
 * never populated.
 */
void
mac_socketpeer_label_associate_socket(struct socket *oldsocket, struct socket *newsocket)
{
	struct label *src;
	struct label *dst;

#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099 - only check if we allow write */
	if (!mac_socket_enforce)
		return;
#endif
	src = oldsocket->so_label;
	dst = newsocket->so_peerlabel;
	MAC_PERFORM(socketpeer_label_associate_socket, (socket_t)oldsocket, src, (socket_t)newsocket, dst);
}
/*
 * Derive socket 'so's peer label from the label carried by 'mbuf'.
 * With SECURITY_MAC_CHECK_ENFORCE built in, the hook is skipped when
 * neither socket nor network enforcement is on.
 * An unlabeled mbuf yields a NULL label, which the policies must handle.
 */
void
mac_socketpeer_label_associate_mbuf(struct mbuf *mbuf, struct socket *so)
{
	struct label *mlabel;

#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099 - only check if we allow write */
	if (!mac_socket_enforce && !mac_net_enforce)
		return;
#endif
	mlabel = mac_mbuf_to_label(mbuf);	/* may be NULL */
	MAC_PERFORM(socketpeer_label_associate_mbuf, mbuf, mlabel, (socket_t)so, so->so_peerlabel);
}