int mac_exc_action_check_exception_send(struct task *victim_task, struct exception_action *action) { int error = 0; struct proc *p = get_bsdtask_info(victim_task); struct label *bsd_label = NULL; struct label *label = NULL; if (p != NULL) { // Create a label from the still existing bsd process... label = bsd_label = mac_exc_action_label_alloc(); MAC_PERFORM(exc_action_label_update, p, bsd_label); } else { // ... otherwise use the crash label on the task. label = get_task_crash_label(victim_task); } if (label == NULL) { MAC_MACH_UNEXPECTED("mac_exc_action_check_exception_send: no exc_action label for proc %p", p); return EPERM; } MAC_CHECK(exc_action_check_exception_send, label, action, action->label); if (bsd_label != NULL) { mac_exc_action_label_free(bsd_label); } return (error); }
int mac_file_check_change_offset(struct ucred *cred, struct fileglob *fg) { int error; MAC_CHECK(file_check_change_offset, cred, fg, fg->fg_label); return (error); }
int mac_kext_check_load(kauth_cred_t cred, const char *identifier) { int error; MAC_CHECK(kext_check_load, cred, identifier); return (error); }
int mac_file_check_receive(struct ucred *cred, struct fileglob *fg) { int error; MAC_CHECK(file_check_receive, cred, fg, fg->fg_label); return (error); }
int mac_iokit_check_device(char *devtype, struct mac_module_data *mdata) { int error; MAC_CHECK(iokit_check_device, devtype, mdata); return (error); }
int mac_file_check_ioctl(struct ucred *cred, struct fileglob *fg, u_int cmd) { int error; MAC_CHECK(file_check_ioctl, cred, fg, fg->fg_label, cmd); return (error); }
int mac_file_check_dup(struct ucred *cred, struct fileglob *fg, int newfd) { int error; MAC_CHECK(file_check_dup, cred, fg, fg->fg_label, newfd); return (error); }
int mac_file_check_create(struct ucred *cred) { int error; MAC_CHECK(file_check_create, cred); return (error); }
int mac_file_check_lock(struct ucred *cred, struct fileglob *fg, int op, struct flock *fl) { int error; MAC_CHECK(file_check_lock, cred, fg, fg->fg_label, op, fl); return (error); }
int mac_file_check_set(struct ucred *cred, struct fileglob *fg, char *buf, int buflen) { int error; MAC_CHECK(file_check_set, cred, fg, buf, buflen); return (error); }
int mac_check_port_hold_receive(struct label *task, struct label *port) { int error; MAC_CHECK(check_port_hold_receive, task, port); return (error); }
int mac_check_port_receive(struct label *task, struct label *sender) { int error; MAC_CHECK(check_port_receive, task, sender); return (error); }
int mac_file_check_fcntl(struct ucred *cred, struct fileglob *fg, int cmd, user_long_t arg) { int error; MAC_CHECK(file_check_fcntl, cred, fg, fg->fg_label, cmd, arg); return (error); }
int mac_check_port_copy_send(struct label *task, struct label *port) { int error; MAC_CHECK(check_port_copy_send, task, port); return (error); }
int mac_lctx_check_label_update(struct lctx *l, struct label *newlabel) { int error; MAC_CHECK(lctx_check_label_update, l, newlabel); return (error); }
int mac_proc_check_get_task(struct ucred *cred, struct proc *p) { int error; MAC_CHECK(proc_check_get_task, cred, p); return (error); }
int mac_sysvsem_check_semget(struct ucred *cred, struct semid_kernel *semakptr) { int error; MAC_CHECK(sysvsem_check_semget, cred, semakptr, semakptr->label); return (error); }
int mac_check_ipc_method(struct label *task, struct label *port, int msgid) { int error; MAC_CHECK(check_ipc_method, task, port, msgid); return (error); }
int mac_file_check_get(struct ucred *cred, struct fileglob *fg, char *elements, int len) { int error; MAC_CHECK(file_check_get, cred, fg, elements, len); return (error); }
int mac_check_port_move_send_once(struct label *task, struct label *port) { int error; MAC_CHECK(check_port_move_send_once, task, port); return (error); }
int mac_kenv_check_unset(struct ucred *cred, char *name) { int error; MAC_CHECK(kenv_check_unset, cred, name); return (error); }
mac_system_check_sysctl(struct ucred *cred, int *name, struct sys___sysctl_args *uap, size_t oldlen) #endif { int error; /* * XXXMAC: We would very much like to assert the SYSCTL_LOCK here, * but since it's not exported from kern_sysctl.c, we can't. */ #if 0 /* XXX PM: Defined differently in OpenBSD. */ MAC_CHECK(system_check_sysctl, cred, oidp, arg1, arg2, req); #else MAC_CHECK(system_check_sysctl, cred, name, uap, oldlen); #endif return (error); }
/* * MAC Framework entry points relating to overall operation of system, * including global services such as the kernel environment and loadable * modules. * * System checks often align with existing privilege checks, but provide * additional security context that may be relevant to policies, such as the * specific object being operated on. */ #include <sys/param.h> #include <sys/kernel.h> #include <sys/lock.h> #include <sys/malloc.h> #include <sys/mutex.h> #include <sys/systm.h> #include <sys/vnode.h> #include <sys/sysctl.h> #include <security/mac/mac_framework.h> #include <security/mac/mac_internal.h> #include <security/mac/mac_policy.h> #define mac_assert_vnode_locked(VP) \ assert((((VP)->v_flag & VLOCKSWORK) == 0) || VOP_ISLOCKED((VP))) #if 0 /* XXX PM: We don't have the kenv(2) system call in OpenBSD. */ int mac_kenv_check_dump(struct ucred *cred) { int error; MAC_CHECK(kenv_check_dump, cred); return (error); }
int mac_system_check_reboot(struct ucred *cred, int howto) { int error; MAC_CHECK(system_check_reboot, cred, howto); return (error); }
int mac_kld_check_stat(struct ucred *cred) { int error; MAC_CHECK(kld_check_stat, cred); return (error); }
int mac_check_port_relabel(struct label *task, struct label *old, struct label *newlabel) { int error; MAC_CHECK(check_port_relabel, task, old, newlabel); return (error); }
int mac_system_check_swapoff(struct ucred *cred, struct vnode *vp) { int error; mac_assert_vnode_locked(vp); MAC_CHECK(system_check_swapoff, cred, vp, vp->v_label); return (error); }
int mac_file_check_library_validation(struct proc *proc, struct fileglob *fg, off_t slice_offset, user_long_t error_message, size_t error_message_size) { int error; MAC_CHECK(file_check_library_validation, proc, fg, slice_offset, error_message, error_message_size); return (error); }
int mac_proc_check_run_cs_invalid(proc_t proc) { int error; if (!mac_vm_enforce) return (0); MAC_CHECK(proc_check_run_cs_invalid, proc); return (error); }
/* * MAC Framework entry points relating to overall operation of system, * including global services such as the kernel environment and loadable * modules. * * System checks often align with existing privilege checks, but provide * additional security context that may be relevant to policies, such as the * specific object being operated on. */ #include <sys/param.h> #include <sys/kernel.h> #include <sys/lock.h> #include <sys/malloc.h> #include <sys/mutex.h> #include <sys/systm.h> #include <sys/vnode.h> #include <sys/sysctl.h> #include <security/mac/mac_framework.h> #include <security/mac/mac_internal.h> #include <security/mac/mac_policy.h> #define mac_assert_vnode_locked(VP) \ assert((((VP)->v_flag & VLOCKSWORK) == 0) || VOP_ISLOCKED((VP))) #if 0 /* XXX PM: We don't have the kenv(2) system call in OpenBSD. */ int mac_kenv_check_dump(struct ucred *cred) { int error; MAC_CHECK(kenv_check_dump, cred); return (error); } int mac_kenv_check_get(struct ucred *cred, char *name) { int error; MAC_CHECK(kenv_check_get, cred, name); return (error); } int mac_kenv_check_set(struct ucred *cred, char *name, char *value) { int error; MAC_CHECK(kenv_check_set, cred, name, value); return (error); } int mac_kenv_check_unset(struct ucred *cred, char *name) { int error; MAC_CHECK(kenv_check_unset, cred, name); return (error); } #endif #if 0 /* XXX PM: We won't support kernel modules. */ int mac_kld_check_load(struct ucred *cred, struct vnode *vp) { int error; ASSERT_VOP_LOCKED(vp, "mac_kld_check_load"); MAC_CHECK(kld_check_load, cred, vp, vp->v_label); return (error); }