int
mac_cred_check_setauid(struct ucred *cred, uid_t auid)
{
int error;
MAC_POLICY_CHECK_NOSLEEP(cred_check_setauid, cred, auid);
MAC_CHECK_PROBE2(cred_check_setauid, error, cred, auid);
return (error);
}
/*
* Restrict access to a privilege for a credential. Return failure if any
* policy denies access.
*/
int
mac_priv_check(struct ucred *cred, int priv)
{
int error;
MAC_POLICY_CHECK_NOSLEEP(priv_check, cred, priv);
MAC_CHECK_PROBE2(priv_check, error, cred, priv);
return (error);
}
int
mac_cred_check_setaudit(struct ucred *cred, struct auditinfo *ai)
{
int error;
MAC_POLICY_CHECK_NOSLEEP(cred_check_setaudit, cred, ai);
MAC_CHECK_PROBE2(cred_check_setaudit, error, cred, ai);
return (error);
}
int
mac_cred_check_setaudit_addr(struct ucred *cred, struct auditinfo_addr *aia)
{
int error;
MAC_POLICY_CHECK_NOSLEEP(cred_check_setaudit_addr, cred, aia);
MAC_CHECK_PROBE2(cred_check_setaudit_addr, error, cred, aia);
return (error);
}
int
mac_posixshm_check_create(struct ucred *cred, const char *path)
{
int error;
MAC_POLICY_CHECK_NOSLEEP(posixshm_check_create, cred, path);
MAC_CHECK_PROBE2(posixshm_check_create, error, cred, path);
return (error);
}
int
mac_system_check_auditon(struct ucred *cred, int cmd)
{
int error;
MAC_POLICY_CHECK_NOSLEEP(system_check_auditon, cred, cmd);
MAC_CHECK_PROBE2(system_check_auditon, error, cred, cmd);
return (error);
}
int
mac_socket_check_stat(struct ucred *cred, struct socket *so)
{
int error;
MAC_POLICY_CHECK_NOSLEEP(socket_check_stat, cred, so, so->so_label);
MAC_CHECK_PROBE2(socket_check_stat, error, cred, so);
return (error);
}
int
mac_system_check_reboot(struct ucred *cred, int howto)
{
int error;
MAC_POLICY_CHECK_NOSLEEP(system_check_reboot, cred, howto);
MAC_CHECK_PROBE2(system_check_reboot, error, cred, howto);
return (error);
}
int
mac_kenv_check_get(struct ucred *cred, char *name)
{
int error;
MAC_POLICY_CHECK_NOSLEEP(kenv_check_get, cred, name);
MAC_CHECK_PROBE2(kenv_check_get, error, cred, name);
return (error);
}
int
mac_cred_check_visible(struct ucred *cr1, struct ucred *cr2)
{
int error;
MAC_POLICY_CHECK_NOSLEEP(cred_check_visible, cr1, cr2);
MAC_CHECK_PROBE2(cred_check_visible, error, cr1, cr2);
return (error);
}
int
mac_cred_check_relabel(struct ucred *cred, struct label *newlabel)
{
int error;
MAC_POLICY_CHECK_NOSLEEP(cred_check_relabel, cred, newlabel);
MAC_CHECK_PROBE2(cred_check_relabel, error, cred, newlabel);
return (error);
}
int
mac_sysvmsq_check_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr)
{
int error;
MAC_POLICY_CHECK_NOSLEEP(sysvmsq_check_msqrcv, cred, msqkptr,
msqkptr->label);
MAC_CHECK_PROBE2(sysvmsq_check_msqrcv, error, cred, msqkptr);
return (error);
}
int
mac_posixshm_check_unlink(struct ucred *cred, struct shmfd *shmfd)
{
int error;
MAC_POLICY_CHECK_NOSLEEP(posixshm_check_unlink, cred, shmfd,
shmfd->shm_label);
MAC_CHECK_PROBE2(posixshm_check_unlink, error, cred, shmfd);
return (error);
}
int
mac_sysvmsq_check_msgrmid(struct ucred *cred, struct msg *msgptr)
{
int error;
MAC_POLICY_CHECK_NOSLEEP(sysvmsq_check_msgrmid, cred, msgptr,
msgptr->label);
MAC_CHECK_PROBE2(sysvmsq_check_msgrmid, error, cred, msgptr);
return (error);
}
int
mac_sysvshm_check_shmdt(struct ucred *cred, struct shmid_kernel *shmsegptr)
{
int error;
MAC_POLICY_CHECK_NOSLEEP(sysvshm_check_shmdt, cred, shmsegptr,
shmsegptr->label);
MAC_CHECK_PROBE2(sysvshm_check_shmdt, error, cred, shmsegptr);
return (error);
}
int
mac_proc_check_wait(struct ucred *cred, struct proc *p)
{
int error;
PROC_LOCK_ASSERT(p, MA_OWNED);
MAC_POLICY_CHECK_NOSLEEP(proc_check_wait, cred, p);
MAC_CHECK_PROBE2(proc_check_wait, error, cred, p);
return (error);
}
int
mac_system_check_swapoff(struct ucred *cred, struct vnode *vp)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_system_check_swapoff");
MAC_POLICY_CHECK(system_check_swapoff, cred, vp, vp->v_label);
MAC_CHECK_PROBE2(system_check_swapoff, error, cred, vp);
return (error);
}
int
mac_kld_check_load(struct ucred *cred, struct vnode *vp)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_kld_check_load");
MAC_POLICY_CHECK(kld_check_load, cred, vp, vp->v_label);
MAC_CHECK_PROBE2(kld_check_load, error, cred, vp);
return (error);
}
int
mac_pipe_check_write(struct ucred *cred, struct pipepair *pp)
{
int error;
mtx_assert(&pp->pp_mtx, MA_OWNED);
MAC_POLICY_CHECK_NOSLEEP(pipe_check_write, cred, pp, pp->pp_label);
MAC_CHECK_PROBE2(pipe_check_write, error, cred, pp);
return (error);
}
int
mac_system_check_auditctl(struct ucred *cred, struct vnode *vp)
{
int error;
struct label *vl;
ASSERT_VOP_LOCKED(vp, "mac_system_check_auditctl");
vl = (vp != NULL) ? vp->v_label : NULL;
MAC_POLICY_CHECK(system_check_auditctl, cred, vp, vl);
MAC_CHECK_PROBE2(system_check_auditctl, error, cred, vp);
return (error);
}
int
mac_system_check_acct(struct ucred *cred, struct vnode *vp)
{
int error;
if (vp != NULL) {
ASSERT_VOP_LOCKED(vp, "mac_system_check_acct");
}
MAC_POLICY_CHECK(system_check_acct, cred, vp,
vp != NULL ? vp->v_label : NULL);
MAC_CHECK_PROBE2(system_check_acct, error, cred, vp);
return (error);
}
int
mac_socket_check_deliver(struct socket *so, struct mbuf *m)
{
struct label *label;
int error;
if (mac_policy_count == 0)
return (0);
label = mac_mbuf_to_label(m);
MAC_POLICY_CHECK_NOSLEEP(socket_check_deliver, so, so->so_label, m,
label);
MAC_CHECK_PROBE2(socket_check_deliver, error, so, m);
return (error);
}
int
mac_bpfdesc_check_receive(struct bpf_d *d, struct ifnet *ifp)
{
int error;
BPFD_LOCK_ASSERT(d);
if (mac_policy_count == 0)
return (0);
MAC_IFNET_LOCK(ifp);
MAC_POLICY_CHECK_NOSLEEP(bpfdesc_check_receive, d, d->bd_label, ifp,
ifp->if_label);
MAC_CHECK_PROBE2(bpfdesc_check_receive, error, d, ifp);
MAC_IFNET_UNLOCK(ifp);
return (error);
}
int
mac_ifnet_check_transmit(struct ifnet *ifp, struct mbuf *m)
{
struct label *label;
int error;
M_ASSERTPKTHDR(m);
if (mac_policy_count == 0)
return (0);
label = mac_mbuf_to_label(m);
MAC_IFNET_LOCK(ifp);
MAC_POLICY_CHECK_NOSLEEP(ifnet_check_transmit, ifp, ifp->if_label, m,
label);
MAC_CHECK_PROBE2(ifnet_check_transmit, error, ifp, m);
MAC_IFNET_UNLOCK(ifp);
return (error);
}
