1 /*
2 * Copyright (c) 2007-2010 Apple Inc. All rights reserved.
3 *
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
14 *
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 *
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
25 *
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 */
28
29 /*-
30 * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson
31 * Copyright (c) 2001 Ilmar S. Habibulin
32 * Copyright (c) 2001, 2002, 2003, 2004 Networks Associates Technology, Inc.
33 *
34 * This software was developed by Robert Watson and Ilmar Habibulin for the
35 * TrustedBSD Project.
36 *
37 * This software was developed for the FreeBSD Project in part by Network
38 * Associates Laboratories, the Security Research Division of Network
39 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
40 * as part of the DARPA CHATS research program.
41 *
42 * Redistribution and use in source and binary forms, with or without
43 * modification, are permitted provided that the following conditions
44 * are met:
45 * 1. Redistributions of source code must retain the above copyright
46 * notice, this list of conditions and the following disclaimer.
47 * 2. Redistributions in binary form must reproduce the above copyright
48 * notice, this list of conditions and the following disclaimer in the
49 * documentation and/or other materials provided with the distribution.
50 *
51 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
52 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
53 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
54 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
55 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
56 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
57 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
58 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
59 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
60 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
61 * SUCH DAMAGE.
62 *
63 */
64
65 #include <string.h>
66 #include <sys/param.h>
67 #include <sys/ucred.h>
68 #include <sys/malloc.h>
69 #include <sys/sbuf.h>
70 #include <sys/vnode.h>
71 #include <sys/proc.h>
72 #include <sys/proc_internal.h>
73 #include <sys/kauth.h>
74 #include <sys/imgact.h>
75 #include <mach/mach_types.h>
76 #include <kern/task.h>
77
78 #include <os/hash.h>
79
80 #include <security/mac_internal.h>
81 #include <security/mac_mach_internal.h>
82
83 #include <bsd/security/audit/audit.h>
84
85 struct label *
mac_cred_label_alloc(void)86 mac_cred_label_alloc(void)
87 {
88 struct label *label;
89
90 label = mac_labelzone_alloc(MAC_WAITOK);
91 if (label == NULL) {
92 return NULL;
93 }
94 MAC_PERFORM(cred_label_init, label);
95 return label;
96 }
97
98 void
mac_cred_label_init(struct ucred * cred)99 mac_cred_label_init(struct ucred *cred)
100 {
101 cred->cr_label = mac_cred_label_alloc();
102 }
103
104 void
mac_cred_label_free(struct label * label)105 mac_cred_label_free(struct label *label)
106 {
107 MAC_PERFORM(cred_label_destroy, label);
108 mac_labelzone_free(label);
109 }
110
111 struct label *
mac_cred_label(struct ucred * cred)112 mac_cred_label(struct ucred *cred)
113 {
114 return cred->cr_label;
115 }
116
117 bool
mac_cred_label_is_equal(const struct label * a,const struct label * b)118 mac_cred_label_is_equal(const struct label *a, const struct label *b)
119 {
120 return memcmp(a->l_perpolicy, b->l_perpolicy, sizeof(a->l_perpolicy)) == 0;
121 }
122
123 uint32_t
mac_cred_label_hash_update(const struct label * a,uint32_t hash)124 mac_cred_label_hash_update(const struct label *a, uint32_t hash)
125 {
126 return os_hash_jenkins_update(a->l_perpolicy, sizeof(a->l_perpolicy), hash);
127 }
128
129 int
mac_cred_label_externalize_audit(struct proc * p,struct mac * mac)130 mac_cred_label_externalize_audit(struct proc *p, struct mac *mac)
131 {
132 kauth_cred_t cr;
133 int error;
134
135 cr = kauth_cred_proc_ref(p);
136
137 error = MAC_EXTERNALIZE_AUDIT(cred, mac_cred_label(cr),
138 mac->m_string, mac->m_buflen);
139
140 kauth_cred_unref(&cr);
141 return error;
142 }
143
144 void
mac_cred_label_destroy(kauth_cred_t cred)145 mac_cred_label_destroy(kauth_cred_t cred)
146 {
147 struct label *label = mac_cred_label(cred);
148 cred->cr_label = NULL;
149 mac_cred_label_free(label);
150 }
151
152 int
mac_cred_label_externalize(struct label * label,char * elements,char * outbuf,size_t outbuflen,int flags __unused)153 mac_cred_label_externalize(struct label *label, char *elements,
154 char *outbuf, size_t outbuflen, int flags __unused)
155 {
156 int error = 0;
157
158 error = MAC_EXTERNALIZE(cred, label, elements, outbuf, outbuflen);
159
160 return error;
161 }
162
163 int
mac_cred_label_internalize(struct label * label,char * string)164 mac_cred_label_internalize(struct label *label, char *string)
165 {
166 int error;
167
168 error = MAC_INTERNALIZE(cred, label, string);
169
170 return error;
171 }
172
173 /*
174 * By default, fork just adds a reference to the parent
175 * credential. Policies may need to know about this reference
176 * if they are tracking exit calls to know when to free the
177 * label.
178 */
179 void
mac_cred_label_associate_fork(kauth_cred_t cred,proc_t proc)180 mac_cred_label_associate_fork(kauth_cred_t cred, proc_t proc)
181 {
182 MAC_PERFORM(cred_label_associate_fork, cred, proc);
183 }
184
185 /*
186 * Initialize MAC label for the first kernel process, from which other
187 * kernel processes and threads are spawned.
188 */
189 void
mac_cred_label_associate_kernel(kauth_cred_t cred)190 mac_cred_label_associate_kernel(kauth_cred_t cred)
191 {
192 MAC_PERFORM(cred_label_associate_kernel, cred);
193 }
194
195 /*
196 * Initialize MAC label for the first userland process, from which other
197 * userland processes and threads are spawned.
198 */
199 void
mac_cred_label_associate_user(kauth_cred_t cred)200 mac_cred_label_associate_user(kauth_cred_t cred)
201 {
202 MAC_PERFORM(cred_label_associate_user, cred);
203 }
204
205 /*
206 * When a new process is created, its label must be initialized. Generally,
207 * this involves inheritence from the parent process, modulo possible
208 * deltas. This function allows that processing to take place.
209 */
210 void
mac_cred_label_associate(struct ucred * parent_cred,struct ucred * child_cred)211 mac_cred_label_associate(struct ucred *parent_cred, struct ucred *child_cred)
212 {
213 MAC_PERFORM(cred_label_associate, parent_cred, child_cred);
214 }
215
216 int
mac_execve_enter(user_addr_t mac_p,struct image_params * imgp)217 mac_execve_enter(user_addr_t mac_p, struct image_params *imgp)
218 {
219 struct user_mac mac;
220 struct label *execlabel;
221 char *buffer;
222 int error;
223 size_t ulen;
224
225 if (mac_p == USER_ADDR_NULL) {
226 return 0;
227 }
228
229 if (IS_64BIT_PROCESS(current_proc())) {
230 struct user64_mac mac64;
231 error = copyin(mac_p, &mac64, sizeof(mac64));
232 mac.m_buflen = mac64.m_buflen;
233 mac.m_string = mac64.m_string;
234 } else {
235 struct user32_mac mac32;
236 error = copyin(mac_p, &mac32, sizeof(mac32));
237 mac.m_buflen = mac32.m_buflen;
238 mac.m_string = mac32.m_string;
239 }
240 if (error) {
241 return error;
242 }
243
244 error = mac_check_structmac_consistent(&mac);
245 if (error) {
246 return error;
247 }
248
249 execlabel = mac_cred_label_alloc();
250 buffer = kalloc_data(mac.m_buflen, Z_WAITOK);
251 error = copyinstr(CAST_USER_ADDR_T(mac.m_string), buffer, mac.m_buflen, &ulen);
252 if (error) {
253 goto out;
254 }
255 AUDIT_ARG(mac_string, buffer);
256
257 error = mac_cred_label_internalize(execlabel, buffer);
258 out:
259 if (error) {
260 mac_cred_label_free(execlabel);
261 execlabel = NULL;
262 }
263 imgp->ip_execlabelp = execlabel;
264 kfree_data(buffer, mac.m_buflen);
265 return error;
266 }
267
268 /*
269 * When the subject's label changes, it may require revocation of privilege
270 * to mapped objects. This can't be done on-the-fly later with a unified
271 * buffer cache.
272 *
273 * XXX: CRF_MAC_ENFORCE should be in a kauth_cred_t field, rather
274 * XXX: than a posix_cred_t field.
275 */
276 void
mac_cred_label_update(kauth_cred_t cred,struct label * newlabel)277 mac_cred_label_update(kauth_cred_t cred, struct label *newlabel)
278 {
279 posix_cred_t pcred = posix_cred_get(cred);
280
281 /* force label to be part of "matching" for credential */
282 pcred->cr_flags |= CRF_MAC_ENFORCE;
283
284 /* inform the policies of the update */
285 MAC_PERFORM(cred_label_update, cred, newlabel);
286 }
287
288 int
mac_cred_check_label_update(kauth_cred_t cred,struct label * newlabel)289 mac_cred_check_label_update(kauth_cred_t cred, struct label *newlabel)
290 {
291 int error;
292
293 #if SECURITY_MAC_CHECK_ENFORCE
294 /* 21167099 - only check if we allow write */
295 if (!mac_proc_enforce) {
296 return 0;
297 }
298 #endif
299
300 MAC_CHECK(cred_check_label_update, cred, newlabel);
301
302 return error;
303 }
304
305 int
mac_cred_check_visible(kauth_cred_t u1,kauth_cred_t u2)306 mac_cred_check_visible(kauth_cred_t u1, kauth_cred_t u2)
307 {
308 int error;
309
310 #if SECURITY_MAC_CHECK_ENFORCE
311 /* 21167099 - only check if we allow write */
312 if (!mac_proc_enforce) {
313 return 0;
314 }
315 #endif
316
317 MAC_CHECK(cred_check_visible, u1, u2);
318
319 return error;
320 }
321
322 int
mac_proc_check_debug(proc_ident_t tracing_ident,kauth_cred_t tracing_cred,proc_ident_t traced_ident)323 mac_proc_check_debug(proc_ident_t tracing_ident, kauth_cred_t tracing_cred, proc_ident_t traced_ident)
324 {
325 int error;
326 bool enforce;
327 proc_t tracingp;
328
329 #if SECURITY_MAC_CHECK_ENFORCE
330 /* 21167099 - only check if we allow write */
331 if (!mac_proc_enforce) {
332 return 0;
333 }
334 #endif
335 /*
336 * Once all mac hooks adopt proc_ident_t, finding proc_t and releasing
337 * it below should go to mac_proc_check_enforce().
338 */
339 if ((tracingp = proc_find_ident(tracing_ident)) == PROC_NULL) {
340 return ESRCH;
341 }
342 enforce = mac_proc_check_enforce(tracingp);
343 proc_rele(tracingp);
344
345 if (!enforce) {
346 return 0;
347 }
348 MAC_CHECK(proc_check_debug, tracing_cred, traced_ident);
349
350 return error;
351 }
352
353 int
mac_proc_check_dump_core(struct proc * proc)354 mac_proc_check_dump_core(struct proc *proc)
355 {
356 int error;
357
358 #if SECURITY_MAC_CHECK_ENFORCE
359 /* 21167099 - only check if we allow write */
360 if (!mac_proc_enforce) {
361 return 0;
362 }
363 #endif
364 if (!mac_proc_check_enforce(proc)) {
365 return 0;
366 }
367
368 MAC_CHECK(proc_check_dump_core, proc);
369
370 return error;
371 }
372
373 int
mac_proc_check_remote_thread_create(struct task * task,int flavor,thread_state_t new_state,mach_msg_type_number_t new_state_count)374 mac_proc_check_remote_thread_create(struct task *task, int flavor, thread_state_t new_state, mach_msg_type_number_t new_state_count)
375 {
376 proc_t curp = current_proc();
377 proc_t proc;
378 kauth_cred_t cred;
379 int error;
380
381 #if SECURITY_MAC_CHECK_ENFORCE
382 /* 21167099 - only check if we allow write */
383 if (!mac_proc_enforce) {
384 return 0;
385 }
386 #endif
387 if (!mac_proc_check_enforce(curp)) {
388 return 0;
389 }
390
391 proc = proc_find(task_pid(task));
392 if (proc == PROC_NULL) {
393 return ESRCH;
394 }
395
396 cred = kauth_cred_proc_ref(curp);
397 MAC_CHECK(proc_check_remote_thread_create, cred, proc, flavor, new_state, new_state_count);
398 kauth_cred_unref(&cred);
399 proc_rele(proc);
400
401 return error;
402 }
403
404 int
mac_proc_check_fork(proc_t curp)405 mac_proc_check_fork(proc_t curp)
406 {
407 kauth_cred_t cred;
408 int error;
409
410 #if SECURITY_MAC_CHECK_ENFORCE
411 /* 21167099 - only check if we allow write */
412 if (!mac_proc_enforce) {
413 return 0;
414 }
415 #endif
416 if (!mac_proc_check_enforce(curp)) {
417 return 0;
418 }
419
420 cred = kauth_cred_proc_ref(curp);
421 MAC_CHECK(proc_check_fork, cred, curp);
422 kauth_cred_unref(&cred);
423
424 return error;
425 }
426
427 int
mac_proc_check_get_task(struct ucred * cred,proc_ident_t pident,mach_task_flavor_t flavor)428 mac_proc_check_get_task(struct ucred *cred, proc_ident_t pident, mach_task_flavor_t flavor)
429 {
430 int error;
431
432 assert(flavor <= TASK_FLAVOR_NAME);
433
434 /* Also call the old hook for compatability, deprecating in rdar://66356944. */
435 if (flavor == TASK_FLAVOR_CONTROL) {
436 MAC_CHECK(proc_check_get_task, cred, pident);
437 if (error) {
438 return error;
439 }
440 }
441
442 if (flavor == TASK_FLAVOR_NAME) {
443 MAC_CHECK(proc_check_get_task_name, cred, pident);
444 if (error) {
445 return error;
446 }
447 }
448
449 MAC_CHECK(proc_check_get_task_with_flavor, cred, pident, flavor);
450
451 return error;
452 }
453
454 int
mac_proc_check_expose_task(struct ucred * cred,proc_ident_t pident,mach_task_flavor_t flavor)455 mac_proc_check_expose_task(struct ucred *cred, proc_ident_t pident, mach_task_flavor_t flavor)
456 {
457 int error;
458
459 assert(flavor <= TASK_FLAVOR_NAME);
460
461 /* Also call the old hook for compatability, deprecating in rdar://66356944. */
462 if (flavor == TASK_FLAVOR_CONTROL) {
463 MAC_CHECK(proc_check_expose_task, cred, pident);
464 if (error) {
465 return error;
466 }
467 }
468
469 MAC_CHECK(proc_check_expose_task_with_flavor, cred, pident, flavor);
470
471 return error;
472 }
473
474 int
mac_proc_check_inherit_ipc_ports(struct proc * p,struct vnode * cur_vp,off_t cur_offset,struct vnode * img_vp,off_t img_offset,struct vnode * scriptvp)475 mac_proc_check_inherit_ipc_ports(struct proc *p, struct vnode *cur_vp, off_t cur_offset, struct vnode *img_vp, off_t img_offset, struct vnode *scriptvp)
476 {
477 int error;
478
479 MAC_CHECK(proc_check_inherit_ipc_ports, p, cur_vp, cur_offset, img_vp, img_offset, scriptvp);
480
481 return error;
482 }
483
484 /*
485 * The type of maxprot in proc_check_map_anon must be equivalent to vm_prot_t
486 * (defined in <mach/vm_prot.h>). mac_policy.h does not include any header
487 * files, so cannot use the typedef itself.
488 */
489 int
mac_proc_check_map_anon(proc_t proc,user_addr_t u_addr,user_size_t u_size,int prot,int flags,int * maxprot)490 mac_proc_check_map_anon(proc_t proc, user_addr_t u_addr,
491 user_size_t u_size, int prot, int flags, int *maxprot)
492 {
493 kauth_cred_t cred;
494 int error;
495
496 #if SECURITY_MAC_CHECK_ENFORCE
497 /* 21167099 - only check if we allow write */
498 if (!mac_vm_enforce) {
499 return 0;
500 }
501 #endif
502 if (!mac_proc_check_enforce(proc)) {
503 return 0;
504 }
505
506 cred = kauth_cred_proc_ref(proc);
507 MAC_CHECK(proc_check_map_anon, proc, cred, u_addr, u_size, prot, flags, maxprot);
508 kauth_cred_unref(&cred);
509
510 return error;
511 }
512
513
514 int
mac_proc_check_memorystatus_control(proc_t proc,uint32_t command,pid_t pid)515 mac_proc_check_memorystatus_control(proc_t proc, uint32_t command, pid_t pid)
516 {
517 kauth_cred_t cred;
518 int error;
519
520 #if SECURITY_MAC_CHECK_ENFORCE
521 /* 21167099 - only check if we allow write */
522 if (!mac_proc_enforce) {
523 return 0;
524 }
525 #endif
526 if (!mac_proc_check_enforce(proc)) {
527 return 0;
528 }
529
530 cred = kauth_cred_proc_ref(proc);
531 MAC_CHECK(proc_check_memorystatus_control, cred, command, pid);
532 kauth_cred_unref(&cred);
533
534 return error;
535 }
536
537 int
mac_proc_check_mprotect(proc_t proc,user_addr_t addr,user_size_t size,int prot)538 mac_proc_check_mprotect(proc_t proc,
539 user_addr_t addr, user_size_t size, int prot)
540 {
541 kauth_cred_t cred;
542 int error;
543
544 #if SECURITY_MAC_CHECK_ENFORCE
545 /* 21167099 - only check if we allow write */
546 if (!mac_vm_enforce) {
547 return 0;
548 }
549 #endif
550 if (!mac_proc_check_enforce(proc)) {
551 return 0;
552 }
553
554 cred = kauth_cred_proc_ref(proc);
555 MAC_CHECK(proc_check_mprotect, cred, proc, addr, size, prot);
556 kauth_cred_unref(&cred);
557
558 return error;
559 }
560
561 int
mac_proc_check_run_cs_invalid(proc_t proc)562 mac_proc_check_run_cs_invalid(proc_t proc)
563 {
564 int error;
565
566 #if SECURITY_MAC_CHECK_ENFORCE
567 /* 21167099 - only check if we allow write */
568 if (!mac_vm_enforce) {
569 return 0;
570 }
571 #endif
572
573 MAC_CHECK(proc_check_run_cs_invalid, proc);
574
575 return error;
576 }
577
578 void
mac_proc_notify_cs_invalidated(proc_t proc)579 mac_proc_notify_cs_invalidated(proc_t proc)
580 {
581 MAC_PERFORM(proc_notify_cs_invalidated, proc);
582 }
583
584 int
mac_proc_check_sched(proc_t curp,struct proc * proc)585 mac_proc_check_sched(proc_t curp, struct proc *proc)
586 {
587 kauth_cred_t cred;
588 int error;
589
590 #if SECURITY_MAC_CHECK_ENFORCE
591 /* 21167099 - only check if we allow write */
592 if (!mac_proc_enforce) {
593 return 0;
594 }
595 #endif
596 if (!mac_proc_check_enforce(curp)) {
597 return 0;
598 }
599
600 cred = kauth_cred_proc_ref(curp);
601 MAC_CHECK(proc_check_sched, cred, proc);
602 kauth_cred_unref(&cred);
603
604 return error;
605 }
606
607 int
mac_proc_check_signal(proc_t curp,struct proc * proc,int signum)608 mac_proc_check_signal(proc_t curp, struct proc *proc, int signum)
609 {
610 kauth_cred_t cred;
611 int error;
612
613 #if SECURITY_MAC_CHECK_ENFORCE
614 /* 21167099 - only check if we allow write */
615 if (!mac_proc_enforce) {
616 return 0;
617 }
618 #endif
619 if (!mac_proc_check_enforce(curp)) {
620 return 0;
621 }
622
623 cred = kauth_cred_proc_ref(curp);
624 MAC_CHECK(proc_check_signal, cred, proc, signum);
625 kauth_cred_unref(&cred);
626
627 return error;
628 }
629
630 int
mac_proc_check_syscall_unix(proc_t curp,int scnum)631 mac_proc_check_syscall_unix(proc_t curp, int scnum)
632 {
633 int error;
634
635 #if SECURITY_MAC_CHECK_ENFORCE
636 /* 21167099 - only check if we allow write */
637 if (!mac_proc_enforce) {
638 return 0;
639 }
640 #endif
641 if (!mac_proc_check_enforce(curp)) {
642 return 0;
643 }
644
645 MAC_CHECK(proc_check_syscall_unix, curp, scnum);
646
647 return error;
648 }
649
650 int
mac_proc_check_wait(proc_t curp,struct proc * proc)651 mac_proc_check_wait(proc_t curp, struct proc *proc)
652 {
653 kauth_cred_t cred;
654 int error;
655
656 #if SECURITY_MAC_CHECK_ENFORCE
657 /* 21167099 - only check if we allow write */
658 if (!mac_proc_enforce) {
659 return 0;
660 }
661 #endif
662 if (!mac_proc_check_enforce(curp)) {
663 return 0;
664 }
665
666 cred = kauth_cred_proc_ref(curp);
667 MAC_CHECK(proc_check_wait, cred, proc);
668 kauth_cred_unref(&cred);
669
670 return error;
671 }
672
673 void
mac_proc_notify_exit(struct proc * proc)674 mac_proc_notify_exit(struct proc *proc)
675 {
676 MAC_PERFORM(proc_notify_exit, proc);
677 }
678
679 int
mac_proc_check_suspend_resume(proc_t proc,int sr)680 mac_proc_check_suspend_resume(proc_t proc, int sr)
681 {
682 kauth_cred_t cred;
683 int error;
684
685 #if SECURITY_MAC_CHECK_ENFORCE
686 /* 21167099 - only check if we allow write */
687 if (!mac_proc_enforce) {
688 return 0;
689 }
690 #endif
691 if (!mac_proc_check_enforce(current_proc())) {
692 return 0;
693 }
694
695 cred = kauth_cred_proc_ref(current_proc());
696 MAC_CHECK(proc_check_suspend_resume, cred, proc, sr);
697 kauth_cred_unref(&cred);
698
699 return error;
700 }
701
702 int
mac_proc_check_ledger(proc_t curp,proc_t proc,int ledger_op)703 mac_proc_check_ledger(proc_t curp, proc_t proc, int ledger_op)
704 {
705 kauth_cred_t cred;
706 int error = 0;
707
708 #if SECURITY_MAC_CHECK_ENFORCE
709 /* 21167099 - only check if we allow write */
710 if (!mac_proc_enforce) {
711 return 0;
712 }
713 #endif
714 if (!mac_proc_check_enforce(curp)) {
715 return 0;
716 }
717
718 cred = kauth_cred_proc_ref(curp);
719 MAC_CHECK(proc_check_ledger, cred, proc, ledger_op);
720 kauth_cred_unref(&cred);
721
722 return error;
723 }
724
725 int
mac_proc_check_proc_info(proc_t curp,proc_t target,int callnum,int flavor)726 mac_proc_check_proc_info(proc_t curp, proc_t target, int callnum, int flavor)
727 {
728 kauth_cred_t cred;
729 int error = 0;
730
731 #if SECURITY_MAC_CHECK_ENFORCE
732 /* 21167099 - only check if we allow write */
733 if (!mac_proc_enforce) {
734 return 0;
735 }
736 #endif
737 if (!mac_proc_check_enforce(curp)) {
738 return 0;
739 }
740
741 cred = kauth_cred_proc_ref(curp);
742 MAC_CHECK(proc_check_proc_info, cred, target, callnum, flavor);
743 kauth_cred_unref(&cred);
744
745 return error;
746 }
747
748 int
mac_proc_check_get_cs_info(proc_t curp,proc_t target,unsigned int op)749 mac_proc_check_get_cs_info(proc_t curp, proc_t target, unsigned int op)
750 {
751 kauth_cred_t cred;
752 int error = 0;
753
754 #if SECURITY_MAC_CHECK_ENFORCE
755 /* 21167099 - only check if we allow write */
756 if (!mac_proc_enforce) {
757 return 0;
758 }
759 #endif
760 if (!mac_proc_check_enforce(curp)) {
761 return 0;
762 }
763
764 cred = kauth_cred_proc_ref(curp);
765 MAC_CHECK(proc_check_get_cs_info, cred, target, op);
766 kauth_cred_unref(&cred);
767
768 return error;
769 }
770
771 int
mac_proc_check_set_cs_info(proc_t curp,proc_t target,unsigned int op)772 mac_proc_check_set_cs_info(proc_t curp, proc_t target, unsigned int op)
773 {
774 kauth_cred_t cred;
775 int error = 0;
776
777 #if SECURITY_MAC_CHECK_ENFORCE
778 /* 21167099 - only check if we allow write */
779 if (!mac_proc_enforce) {
780 return 0;
781 }
782 #endif
783 if (!mac_proc_check_enforce(curp)) {
784 return 0;
785 }
786
787 cred = kauth_cred_proc_ref(curp);
788 MAC_CHECK(proc_check_set_cs_info, cred, target, op);
789 kauth_cred_unref(&cred);
790
791 return error;
792 }
793
794 int
mac_proc_check_setuid(proc_t curp,kauth_cred_t cred,uid_t uid)795 mac_proc_check_setuid(proc_t curp, kauth_cred_t cred, uid_t uid)
796 {
797 int error = 0;
798
799 #if SECURITY_MAC_CHECK_ENFORCE
800 /* 21167099 - only check if we allow write */
801 if (!mac_proc_enforce) {
802 return 0;
803 }
804 #endif
805 if (!mac_proc_check_enforce(curp)) {
806 return 0;
807 }
808
809 MAC_CHECK(proc_check_setuid, cred, uid);
810
811 return error;
812 }
813
814 int
mac_proc_check_seteuid(proc_t curp,kauth_cred_t cred,uid_t euid)815 mac_proc_check_seteuid(proc_t curp, kauth_cred_t cred, uid_t euid)
816 {
817 int error = 0;
818
819 #if SECURITY_MAC_CHECK_ENFORCE
820 /* 21167099 - only check if we allow write */
821 if (!mac_proc_enforce) {
822 return 0;
823 }
824 #endif
825 if (!mac_proc_check_enforce(curp)) {
826 return 0;
827 }
828
829 MAC_CHECK(proc_check_seteuid, cred, euid);
830
831 return error;
832 }
833
834 int
mac_proc_check_setreuid(proc_t curp,kauth_cred_t cred,uid_t ruid,uid_t euid)835 mac_proc_check_setreuid(proc_t curp, kauth_cred_t cred, uid_t ruid, uid_t euid)
836 {
837 int error = 0;
838
839 #if SECURITY_MAC_CHECK_ENFORCE
840 /* 21167099 - only check if we allow write */
841 if (!mac_proc_enforce) {
842 return 0;
843 }
844 #endif
845 if (!mac_proc_check_enforce(curp)) {
846 return 0;
847 }
848
849 MAC_CHECK(proc_check_setreuid, cred, ruid, euid);
850
851 return error;
852 }
853
854 int
mac_proc_check_setgid(proc_t curp,kauth_cred_t cred,gid_t gid)855 mac_proc_check_setgid(proc_t curp, kauth_cred_t cred, gid_t gid)
856 {
857 int error = 0;
858
859 #if SECURITY_MAC_CHECK_ENFORCE
860 /* 21167099 - only check if we allow write */
861 if (!mac_proc_enforce) {
862 return 0;
863 }
864 #endif
865 if (!mac_proc_check_enforce(curp)) {
866 return 0;
867 }
868
869 MAC_CHECK(proc_check_setgid, cred, gid);
870
871 return error;
872 }
873
874 int
mac_proc_check_setegid(proc_t curp,kauth_cred_t cred,gid_t egid)875 mac_proc_check_setegid(proc_t curp, kauth_cred_t cred, gid_t egid)
876 {
877 int error = 0;
878
879 #if SECURITY_MAC_CHECK_ENFORCE
880 /* 21167099 - only check if we allow write */
881 if (!mac_proc_enforce) {
882 return 0;
883 }
884 #endif
885 if (!mac_proc_check_enforce(curp)) {
886 return 0;
887 }
888
889 MAC_CHECK(proc_check_setegid, cred, egid);
890
891 return error;
892 }
893
894 int
mac_proc_check_setregid(proc_t curp,kauth_cred_t cred,gid_t rgid,gid_t egid)895 mac_proc_check_setregid(proc_t curp, kauth_cred_t cred, gid_t rgid, gid_t egid)
896 {
897 int error = 0;
898
899 #if SECURITY_MAC_CHECK_ENFORCE
900 /* 21167099 - only check if we allow write */
901 if (!mac_proc_enforce) {
902 return 0;
903 }
904 #endif
905 if (!mac_proc_check_enforce(curp)) {
906 return 0;
907 }
908
909 MAC_CHECK(proc_check_setregid, cred, rgid, egid);
910
911 return error;
912 }
913
914 int
mac_proc_check_settid(proc_t curp,uid_t uid,gid_t gid)915 mac_proc_check_settid(proc_t curp, uid_t uid, gid_t gid)
916 {
917 kauth_cred_t pcred, tcred;
918 int error = 0;
919
920 #if SECURITY_MAC_CHECK_ENFORCE
921 /* 21167099 - only check if we allow write */
922 if (!mac_proc_enforce) {
923 return 0;
924 }
925 #endif
926 if (!mac_proc_check_enforce(curp)) {
927 return 0;
928 }
929
930 pcred = kauth_cred_proc_ref(curp);
931 tcred = kauth_cred_get_with_ref();
932 MAC_CHECK(proc_check_settid, pcred, tcred, uid, gid);
933 kauth_cred_unref(&tcred);
934 kauth_cred_unref(&pcred);
935
936 return error;
937 }
938