1 /*
2 * Copyright (c) 2007-2010 Apple Inc. All rights reserved.
3 *
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
14 *
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 *
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
25 *
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 */
28
29 /*-
30 * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson
31 * Copyright (c) 2001 Ilmar S. Habibulin
32 * Copyright (c) 2001, 2002, 2003, 2004 Networks Associates Technology, Inc.
33 *
34 * This software was developed by Robert Watson and Ilmar Habibulin for the
35 * TrustedBSD Project.
36 *
37 * This software was developed for the FreeBSD Project in part by Network
38 * Associates Laboratories, the Security Research Division of Network
39 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
40 * as part of the DARPA CHATS research program.
41 *
42 * Redistribution and use in source and binary forms, with or without
43 * modification, are permitted provided that the following conditions
44 * are met:
45 * 1. Redistributions of source code must retain the above copyright
46 * notice, this list of conditions and the following disclaimer.
47 * 2. Redistributions in binary form must reproduce the above copyright
48 * notice, this list of conditions and the following disclaimer in the
49 * documentation and/or other materials provided with the distribution.
50 *
51 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
52 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
53 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
54 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
55 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
56 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
57 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
58 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
59 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
60 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
61 * SUCH DAMAGE.
62 *
63 */
64
65 #include <string.h>
66 #include <sys/param.h>
67 #include <sys/ucred.h>
68 #include <sys/malloc.h>
69 #include <sys/sbuf.h>
70 #include <sys/vnode.h>
71 #include <sys/proc.h>
72 #include <sys/proc_internal.h>
73 #include <sys/kauth.h>
74 #include <sys/imgact.h>
75 #include <mach/mach_types.h>
76 #include <kern/task.h>
77
78 #include <os/hash.h>
79
80 #include <security/mac_internal.h>
81 #include <security/mac_mach_internal.h>
82
83 #include <bsd/security/audit/audit.h>
84
85 struct label *
mac_cred_label_alloc(void)86 mac_cred_label_alloc(void)
87 {
88 struct label *label;
89
90 label = mac_labelzone_alloc(MAC_WAITOK);
91 if (label == NULL) {
92 return NULL;
93 }
94 MAC_PERFORM(cred_label_init, label);
95 return label;
96 }
97
98 void
mac_cred_label_init(struct ucred * cred)99 mac_cred_label_init(struct ucred *cred)
100 {
101 cred->cr_label = mac_cred_label_alloc();
102 }
103
104 void
mac_cred_label_free(struct label * label)105 mac_cred_label_free(struct label *label)
106 {
107 MAC_PERFORM(cred_label_destroy, label);
108 mac_labelzone_free(label);
109 }
110
111 struct label *
mac_cred_label(struct ucred * cred)112 mac_cred_label(struct ucred *cred)
113 {
114 return cred->cr_label;
115 }
116
117 bool
mac_cred_label_is_equal(const struct label * a,const struct label * b)118 mac_cred_label_is_equal(const struct label *a, const struct label *b)
119 {
120 return memcmp(a->l_perpolicy, b->l_perpolicy, sizeof(a->l_perpolicy)) == 0;
121 }
122
123 uint32_t
mac_cred_label_hash_update(const struct label * a,uint32_t hash)124 mac_cred_label_hash_update(const struct label *a, uint32_t hash)
125 {
126 return os_hash_jenkins_update(a->l_perpolicy, sizeof(a->l_perpolicy), hash);
127 }
128
129 int
mac_cred_label_externalize_audit(struct proc * p,struct mac * mac)130 mac_cred_label_externalize_audit(struct proc *p, struct mac *mac)
131 {
132 kauth_cred_t cr;
133 int error;
134
135 cr = kauth_cred_proc_ref(p);
136
137 error = MAC_EXTERNALIZE_AUDIT(cred, mac_cred_label(cr),
138 mac->m_string, mac->m_buflen);
139
140 kauth_cred_unref(&cr);
141 return error;
142 }
143
144 void
mac_cred_label_destroy(kauth_cred_t cred)145 mac_cred_label_destroy(kauth_cred_t cred)
146 {
147 struct label *label = mac_cred_label(cred);
148 cred->cr_label = NULL;
149 mac_cred_label_free(label);
150 }
151
152 int
mac_cred_label_externalize(struct label * label,char * elements,char * outbuf,size_t outbuflen,int flags __unused)153 mac_cred_label_externalize(struct label *label, char *elements,
154 char *outbuf, size_t outbuflen, int flags __unused)
155 {
156 int error = 0;
157
158 error = MAC_EXTERNALIZE(cred, label, elements, outbuf, outbuflen);
159
160 return error;
161 }
162
163 int
mac_cred_label_internalize(struct label * label,char * string)164 mac_cred_label_internalize(struct label *label, char *string)
165 {
166 int error;
167
168 error = MAC_INTERNALIZE(cred, label, string);
169
170 return error;
171 }
172
173 /*
174 * By default, fork just adds a reference to the parent
175 * credential. Policies may need to know about this reference
176 * if they are tracking exit calls to know when to free the
177 * label.
178 */
179 void
mac_cred_label_associate_fork(kauth_cred_t cred,proc_t proc)180 mac_cred_label_associate_fork(kauth_cred_t cred, proc_t proc)
181 {
182 MAC_PERFORM(cred_label_associate_fork, cred, proc);
183 }
184
185 /*
186 * Initialize MAC label for the first kernel process, from which other
187 * kernel processes and threads are spawned.
188 */
189 void
mac_cred_label_associate_kernel(kauth_cred_t cred)190 mac_cred_label_associate_kernel(kauth_cred_t cred)
191 {
192 MAC_PERFORM(cred_label_associate_kernel, cred);
193 }
194
195 /*
196 * Initialize MAC label for the first userland process, from which other
197 * userland processes and threads are spawned.
198 */
199 void
mac_cred_label_associate_user(kauth_cred_t cred)200 mac_cred_label_associate_user(kauth_cred_t cred)
201 {
202 MAC_PERFORM(cred_label_associate_user, cred);
203 }
204
205 /*
206 * When a new process is created, its label must be initialized. Generally,
207 * this involves inheritence from the parent process, modulo possible
208 * deltas. This function allows that processing to take place.
209 */
210 void
mac_cred_label_associate(struct ucred * parent_cred,struct ucred * child_cred)211 mac_cred_label_associate(struct ucred *parent_cred, struct ucred *child_cred)
212 {
213 MAC_PERFORM(cred_label_associate, parent_cred, child_cred);
214 }
215
216 int
mac_execve_enter(user_addr_t mac_p,struct image_params * imgp)217 mac_execve_enter(user_addr_t mac_p, struct image_params *imgp)
218 {
219 if (mac_p == USER_ADDR_NULL) {
220 return 0;
221 }
222
223 return mac_do_set(current_proc(), mac_p,
224 ^(char *input, __unused size_t len) {
225 struct label *execlabel;
226 int error;
227
228 execlabel = mac_cred_label_alloc();
229 if ((error = mac_cred_label_internalize(execlabel, input))) {
230 mac_cred_label_free(execlabel);
231 execlabel = NULL;
232 }
233
234 imgp->ip_execlabelp = execlabel;
235 return error;
236 });
237 }
238
239 /*
240 * When the subject's label changes, it may require revocation of privilege
241 * to mapped objects. This can't be done on-the-fly later with a unified
242 * buffer cache.
243 *
244 * XXX: CRF_MAC_ENFORCE should be in a kauth_cred_t field, rather
245 * XXX: than a posix_cred_t field.
246 */
247 void
mac_cred_label_update(kauth_cred_t cred,struct label * newlabel)248 mac_cred_label_update(kauth_cred_t cred, struct label *newlabel)
249 {
250 posix_cred_t pcred = posix_cred_get(cred);
251
252 /* force label to be part of "matching" for credential */
253 pcred->cr_flags |= CRF_MAC_ENFORCE;
254
255 /* inform the policies of the update */
256 MAC_PERFORM(cred_label_update, cred, newlabel);
257 }
258
259 int
mac_cred_check_label_update(kauth_cred_t cred,struct label * newlabel)260 mac_cred_check_label_update(kauth_cred_t cred, struct label *newlabel)
261 {
262 int error;
263
264 #if SECURITY_MAC_CHECK_ENFORCE
265 /* 21167099 - only check if we allow write */
266 if (!mac_proc_enforce) {
267 return 0;
268 }
269 #endif
270
271 MAC_CHECK(cred_check_label_update, cred, newlabel);
272
273 return error;
274 }
275
276 int
mac_cred_check_visible(kauth_cred_t u1,kauth_cred_t u2)277 mac_cred_check_visible(kauth_cred_t u1, kauth_cred_t u2)
278 {
279 int error;
280
281 #if SECURITY_MAC_CHECK_ENFORCE
282 /* 21167099 - only check if we allow write */
283 if (!mac_proc_enforce) {
284 return 0;
285 }
286 #endif
287
288 MAC_CHECK(cred_check_visible, u1, u2);
289
290 return error;
291 }
292
293 int
mac_proc_check_debug(proc_ident_t tracing_ident,kauth_cred_t tracing_cred,proc_ident_t traced_ident)294 mac_proc_check_debug(proc_ident_t tracing_ident, kauth_cred_t tracing_cred, proc_ident_t traced_ident)
295 {
296 int error;
297 bool enforce;
298 proc_t tracingp;
299
300 #if SECURITY_MAC_CHECK_ENFORCE
301 /* 21167099 - only check if we allow write */
302 if (!mac_proc_enforce) {
303 return 0;
304 }
305 #endif
306 /*
307 * Once all mac hooks adopt proc_ident_t, finding proc_t and releasing
308 * it below should go to mac_proc_check_enforce().
309 */
310 if ((tracingp = proc_find_ident(tracing_ident)) == PROC_NULL) {
311 return ESRCH;
312 }
313 enforce = mac_proc_check_enforce(tracingp);
314 proc_rele(tracingp);
315
316 if (!enforce) {
317 return 0;
318 }
319 MAC_CHECK(proc_check_debug, tracing_cred, traced_ident);
320
321 return error;
322 }
323
324 int
mac_proc_check_dump_core(struct proc * proc)325 mac_proc_check_dump_core(struct proc *proc)
326 {
327 int error;
328
329 #if SECURITY_MAC_CHECK_ENFORCE
330 /* 21167099 - only check if we allow write */
331 if (!mac_proc_enforce) {
332 return 0;
333 }
334 #endif
335 if (!mac_proc_check_enforce(proc)) {
336 return 0;
337 }
338
339 MAC_CHECK(proc_check_dump_core, proc);
340
341 return error;
342 }
343
344 int
mac_proc_check_remote_thread_create(struct task * task,int flavor,thread_state_t new_state,mach_msg_type_number_t new_state_count)345 mac_proc_check_remote_thread_create(struct task *task, int flavor, thread_state_t new_state, mach_msg_type_number_t new_state_count)
346 {
347 proc_t curp = current_proc();
348 proc_t proc;
349 kauth_cred_t cred;
350 int error;
351
352 #if SECURITY_MAC_CHECK_ENFORCE
353 /* 21167099 - only check if we allow write */
354 if (!mac_proc_enforce) {
355 return 0;
356 }
357 #endif
358 if (!mac_proc_check_enforce(curp)) {
359 return 0;
360 }
361
362 proc = proc_find(task_pid(task));
363 if (proc == PROC_NULL) {
364 return ESRCH;
365 }
366
367 cred = kauth_cred_proc_ref(curp);
368 MAC_CHECK(proc_check_remote_thread_create, cred, proc, flavor, new_state, new_state_count);
369 kauth_cred_unref(&cred);
370 proc_rele(proc);
371
372 return error;
373 }
374
375 int
mac_proc_check_fork(proc_t curp)376 mac_proc_check_fork(proc_t curp)
377 {
378 kauth_cred_t cred;
379 int error;
380
381 #if SECURITY_MAC_CHECK_ENFORCE
382 /* 21167099 - only check if we allow write */
383 if (!mac_proc_enforce) {
384 return 0;
385 }
386 #endif
387 if (!mac_proc_check_enforce(curp)) {
388 return 0;
389 }
390
391 cred = kauth_cred_proc_ref(curp);
392 MAC_CHECK(proc_check_fork, cred, curp);
393 kauth_cred_unref(&cred);
394
395 return error;
396 }
397
398 int
mac_proc_check_get_task(struct ucred * cred,proc_ident_t pident,mach_task_flavor_t flavor)399 mac_proc_check_get_task(struct ucred *cred, proc_ident_t pident, mach_task_flavor_t flavor)
400 {
401 int error;
402
403 assert(flavor <= TASK_FLAVOR_NAME);
404
405 /* Also call the old hook for compatability, deprecating in rdar://66356944. */
406 if (flavor == TASK_FLAVOR_CONTROL) {
407 MAC_CHECK(proc_check_get_task, cred, pident);
408 if (error) {
409 return error;
410 }
411 }
412
413 if (flavor == TASK_FLAVOR_NAME) {
414 MAC_CHECK(proc_check_get_task_name, cred, pident);
415 if (error) {
416 return error;
417 }
418 }
419
420 MAC_CHECK(proc_check_get_task_with_flavor, cred, pident, flavor);
421
422 return error;
423 }
424
425 int
mac_proc_check_expose_task(struct ucred * cred,proc_ident_t pident,mach_task_flavor_t flavor)426 mac_proc_check_expose_task(struct ucred *cred, proc_ident_t pident, mach_task_flavor_t flavor)
427 {
428 int error;
429
430 assert(flavor <= TASK_FLAVOR_NAME);
431
432 /* Also call the old hook for compatability, deprecating in rdar://66356944. */
433 if (flavor == TASK_FLAVOR_CONTROL) {
434 MAC_CHECK(proc_check_expose_task, cred, pident);
435 if (error) {
436 return error;
437 }
438 }
439
440 MAC_CHECK(proc_check_expose_task_with_flavor, cred, pident, flavor);
441
442 return error;
443 }
444
445 int
mac_proc_check_inherit_ipc_ports(struct proc * p,struct vnode * cur_vp,off_t cur_offset,struct vnode * img_vp,off_t img_offset,struct vnode * scriptvp)446 mac_proc_check_inherit_ipc_ports(struct proc *p, struct vnode *cur_vp, off_t cur_offset, struct vnode *img_vp, off_t img_offset, struct vnode *scriptvp)
447 {
448 int error;
449
450 MAC_CHECK(proc_check_inherit_ipc_ports, p, cur_vp, cur_offset, img_vp, img_offset, scriptvp);
451
452 return error;
453 }
454
455 /*
456 * The type of maxprot in proc_check_map_anon must be equivalent to vm_prot_t
457 * (defined in <mach/vm_prot.h>). mac_policy.h does not include any header
458 * files, so cannot use the typedef itself.
459 */
460 int
mac_proc_check_map_anon(proc_t proc,user_addr_t u_addr,user_size_t u_size,int prot,int flags,int * maxprot)461 mac_proc_check_map_anon(proc_t proc, user_addr_t u_addr,
462 user_size_t u_size, int prot, int flags, int *maxprot)
463 {
464 kauth_cred_t cred;
465 int error;
466
467 #if SECURITY_MAC_CHECK_ENFORCE
468 /* 21167099 - only check if we allow write */
469 if (!mac_vm_enforce) {
470 return 0;
471 }
472 #endif
473 if (!mac_proc_check_enforce(proc)) {
474 return 0;
475 }
476
477 cred = kauth_cred_proc_ref(proc);
478 MAC_CHECK(proc_check_map_anon, proc, cred, u_addr, u_size, prot, flags, maxprot);
479 kauth_cred_unref(&cred);
480
481 return error;
482 }
483
484
485 int
mac_proc_check_memorystatus_control(proc_t proc,uint32_t command,pid_t pid)486 mac_proc_check_memorystatus_control(proc_t proc, uint32_t command, pid_t pid)
487 {
488 kauth_cred_t cred;
489 int error;
490
491 #if SECURITY_MAC_CHECK_ENFORCE
492 /* 21167099 - only check if we allow write */
493 if (!mac_proc_enforce) {
494 return 0;
495 }
496 #endif
497 if (!mac_proc_check_enforce(proc)) {
498 return 0;
499 }
500
501 cred = kauth_cred_proc_ref(proc);
502 MAC_CHECK(proc_check_memorystatus_control, cred, command, pid);
503 kauth_cred_unref(&cred);
504
505 return error;
506 }
507
508 int
mac_proc_check_mprotect(proc_t proc,user_addr_t addr,user_size_t size,int prot)509 mac_proc_check_mprotect(proc_t proc,
510 user_addr_t addr, user_size_t size, int prot)
511 {
512 kauth_cred_t cred;
513 int error;
514
515 #if SECURITY_MAC_CHECK_ENFORCE
516 /* 21167099 - only check if we allow write */
517 if (!mac_vm_enforce) {
518 return 0;
519 }
520 #endif
521 if (!mac_proc_check_enforce(proc)) {
522 return 0;
523 }
524
525 cred = kauth_cred_proc_ref(proc);
526 MAC_CHECK(proc_check_mprotect, cred, proc, addr, size, prot);
527 kauth_cred_unref(&cred);
528
529 return error;
530 }
531
532 int
mac_proc_check_run_cs_invalid(proc_t proc)533 mac_proc_check_run_cs_invalid(proc_t proc)
534 {
535 int error;
536
537 #if SECURITY_MAC_CHECK_ENFORCE
538 /* 21167099 - only check if we allow write */
539 if (!mac_vm_enforce) {
540 return 0;
541 }
542 #endif
543
544 MAC_CHECK(proc_check_run_cs_invalid, proc);
545
546 return error;
547 }
548
549 void
mac_proc_notify_cs_invalidated(proc_t proc)550 mac_proc_notify_cs_invalidated(proc_t proc)
551 {
552 MAC_PERFORM(proc_notify_cs_invalidated, proc);
553 }
554
555 int
mac_proc_check_sched(proc_t curp,struct proc * proc)556 mac_proc_check_sched(proc_t curp, struct proc *proc)
557 {
558 kauth_cred_t cred;
559 int error;
560
561 #if SECURITY_MAC_CHECK_ENFORCE
562 /* 21167099 - only check if we allow write */
563 if (!mac_proc_enforce) {
564 return 0;
565 }
566 #endif
567 if (!mac_proc_check_enforce(curp)) {
568 return 0;
569 }
570
571 cred = kauth_cred_proc_ref(curp);
572 MAC_CHECK(proc_check_sched, cred, proc);
573 kauth_cred_unref(&cred);
574
575 return error;
576 }
577
578 int
mac_proc_check_signal(proc_t curp,struct proc * proc,int signum)579 mac_proc_check_signal(proc_t curp, struct proc *proc, int signum)
580 {
581 kauth_cred_t cred;
582 int error;
583
584 #if SECURITY_MAC_CHECK_ENFORCE
585 /* 21167099 - only check if we allow write */
586 if (!mac_proc_enforce) {
587 return 0;
588 }
589 #endif
590 if (!mac_proc_check_enforce(curp)) {
591 return 0;
592 }
593
594 cred = kauth_cred_proc_ref(curp);
595 MAC_CHECK(proc_check_signal, cred, proc, signum);
596 kauth_cred_unref(&cred);
597
598 return error;
599 }
600
601 int
mac_proc_check_syscall_unix(proc_t curp,int scnum)602 mac_proc_check_syscall_unix(proc_t curp, int scnum)
603 {
604 int error;
605
606 #if SECURITY_MAC_CHECK_ENFORCE
607 /* 21167099 - only check if we allow write */
608 if (!mac_proc_enforce) {
609 return 0;
610 }
611 #endif
612 if (!mac_proc_check_enforce(curp)) {
613 return 0;
614 }
615
616 MAC_CHECK(proc_check_syscall_unix, curp, scnum);
617
618 return error;
619 }
620
621 int
mac_proc_check_wait(proc_t curp,struct proc * proc)622 mac_proc_check_wait(proc_t curp, struct proc *proc)
623 {
624 kauth_cred_t cred;
625 int error;
626
627 #if SECURITY_MAC_CHECK_ENFORCE
628 /* 21167099 - only check if we allow write */
629 if (!mac_proc_enforce) {
630 return 0;
631 }
632 #endif
633 if (!mac_proc_check_enforce(curp)) {
634 return 0;
635 }
636
637 cred = kauth_cred_proc_ref(curp);
638 MAC_CHECK(proc_check_wait, cred, proc);
639 kauth_cred_unref(&cred);
640
641 return error;
642 }
643
644 void
mac_proc_notify_exit(struct proc * proc)645 mac_proc_notify_exit(struct proc *proc)
646 {
647 MAC_PERFORM(proc_notify_exit, proc);
648 }
649
650 int
mac_proc_check_suspend_resume(proc_t proc,int sr)651 mac_proc_check_suspend_resume(proc_t proc, int sr)
652 {
653 kauth_cred_t cred;
654 int error;
655
656 #if SECURITY_MAC_CHECK_ENFORCE
657 /* 21167099 - only check if we allow write */
658 if (!mac_proc_enforce) {
659 return 0;
660 }
661 #endif
662 if (!mac_proc_check_enforce(current_proc())) {
663 return 0;
664 }
665
666 cred = kauth_cred_proc_ref(current_proc());
667 MAC_CHECK(proc_check_suspend_resume, cred, proc, sr);
668 kauth_cred_unref(&cred);
669
670 return error;
671 }
672
673 int
mac_proc_check_ledger(proc_t curp,proc_t proc,int ledger_op)674 mac_proc_check_ledger(proc_t curp, proc_t proc, int ledger_op)
675 {
676 kauth_cred_t cred;
677 int error = 0;
678
679 #if SECURITY_MAC_CHECK_ENFORCE
680 /* 21167099 - only check if we allow write */
681 if (!mac_proc_enforce) {
682 return 0;
683 }
684 #endif
685 if (!mac_proc_check_enforce(curp)) {
686 return 0;
687 }
688
689 cred = kauth_cred_proc_ref(curp);
690 MAC_CHECK(proc_check_ledger, cred, proc, ledger_op);
691 kauth_cred_unref(&cred);
692
693 return error;
694 }
695
696 int
mac_proc_check_proc_info(proc_t curp,proc_t target,int callnum,int flavor)697 mac_proc_check_proc_info(proc_t curp, proc_t target, int callnum, int flavor)
698 {
699 kauth_cred_t cred;
700 int error = 0;
701
702 #if SECURITY_MAC_CHECK_ENFORCE
703 /* 21167099 - only check if we allow write */
704 if (!mac_proc_enforce) {
705 return 0;
706 }
707 #endif
708 if (!mac_proc_check_enforce(curp)) {
709 return 0;
710 }
711
712 cred = kauth_cred_proc_ref(curp);
713 MAC_CHECK(proc_check_proc_info, cred, target, callnum, flavor);
714 kauth_cred_unref(&cred);
715
716 return error;
717 }
718
719 int
mac_proc_check_get_cs_info(proc_t curp,proc_t target,unsigned int op)720 mac_proc_check_get_cs_info(proc_t curp, proc_t target, unsigned int op)
721 {
722 kauth_cred_t cred;
723 int error = 0;
724
725 #if SECURITY_MAC_CHECK_ENFORCE
726 /* 21167099 - only check if we allow write */
727 if (!mac_proc_enforce) {
728 return 0;
729 }
730 #endif
731 if (!mac_proc_check_enforce(curp)) {
732 return 0;
733 }
734
735 cred = kauth_cred_proc_ref(curp);
736 MAC_CHECK(proc_check_get_cs_info, cred, target, op);
737 kauth_cred_unref(&cred);
738
739 return error;
740 }
741
742 int
mac_proc_check_set_cs_info(proc_t curp,proc_t target,unsigned int op)743 mac_proc_check_set_cs_info(proc_t curp, proc_t target, unsigned int op)
744 {
745 kauth_cred_t cred;
746 int error = 0;
747
748 #if SECURITY_MAC_CHECK_ENFORCE
749 /* 21167099 - only check if we allow write */
750 if (!mac_proc_enforce) {
751 return 0;
752 }
753 #endif
754 if (!mac_proc_check_enforce(curp)) {
755 return 0;
756 }
757
758 cred = kauth_cred_proc_ref(curp);
759 MAC_CHECK(proc_check_set_cs_info, cred, target, op);
760 kauth_cred_unref(&cred);
761
762 return error;
763 }
764
765 int
mac_proc_check_setuid(proc_t curp,kauth_cred_t cred,uid_t uid)766 mac_proc_check_setuid(proc_t curp, kauth_cred_t cred, uid_t uid)
767 {
768 int error = 0;
769
770 #if SECURITY_MAC_CHECK_ENFORCE
771 /* 21167099 - only check if we allow write */
772 if (!mac_proc_enforce) {
773 return 0;
774 }
775 #endif
776 if (!mac_proc_check_enforce(curp)) {
777 return 0;
778 }
779
780 MAC_CHECK(proc_check_setuid, cred, uid);
781
782 return error;
783 }
784
785 int
mac_proc_check_seteuid(proc_t curp,kauth_cred_t cred,uid_t euid)786 mac_proc_check_seteuid(proc_t curp, kauth_cred_t cred, uid_t euid)
787 {
788 int error = 0;
789
790 #if SECURITY_MAC_CHECK_ENFORCE
791 /* 21167099 - only check if we allow write */
792 if (!mac_proc_enforce) {
793 return 0;
794 }
795 #endif
796 if (!mac_proc_check_enforce(curp)) {
797 return 0;
798 }
799
800 MAC_CHECK(proc_check_seteuid, cred, euid);
801
802 return error;
803 }
804
805 int
mac_proc_check_setreuid(proc_t curp,kauth_cred_t cred,uid_t ruid,uid_t euid)806 mac_proc_check_setreuid(proc_t curp, kauth_cred_t cred, uid_t ruid, uid_t euid)
807 {
808 int error = 0;
809
810 #if SECURITY_MAC_CHECK_ENFORCE
811 /* 21167099 - only check if we allow write */
812 if (!mac_proc_enforce) {
813 return 0;
814 }
815 #endif
816 if (!mac_proc_check_enforce(curp)) {
817 return 0;
818 }
819
820 MAC_CHECK(proc_check_setreuid, cred, ruid, euid);
821
822 return error;
823 }
824
825 int
mac_proc_check_setgid(proc_t curp,kauth_cred_t cred,gid_t gid)826 mac_proc_check_setgid(proc_t curp, kauth_cred_t cred, gid_t gid)
827 {
828 int error = 0;
829
830 #if SECURITY_MAC_CHECK_ENFORCE
831 /* 21167099 - only check if we allow write */
832 if (!mac_proc_enforce) {
833 return 0;
834 }
835 #endif
836 if (!mac_proc_check_enforce(curp)) {
837 return 0;
838 }
839
840 MAC_CHECK(proc_check_setgid, cred, gid);
841
842 return error;
843 }
844
845 int
mac_proc_check_setegid(proc_t curp,kauth_cred_t cred,gid_t egid)846 mac_proc_check_setegid(proc_t curp, kauth_cred_t cred, gid_t egid)
847 {
848 int error = 0;
849
850 #if SECURITY_MAC_CHECK_ENFORCE
851 /* 21167099 - only check if we allow write */
852 if (!mac_proc_enforce) {
853 return 0;
854 }
855 #endif
856 if (!mac_proc_check_enforce(curp)) {
857 return 0;
858 }
859
860 MAC_CHECK(proc_check_setegid, cred, egid);
861
862 return error;
863 }
864
865 int
mac_proc_check_setregid(proc_t curp,kauth_cred_t cred,gid_t rgid,gid_t egid)866 mac_proc_check_setregid(proc_t curp, kauth_cred_t cred, gid_t rgid, gid_t egid)
867 {
868 int error = 0;
869
870 #if SECURITY_MAC_CHECK_ENFORCE
871 /* 21167099 - only check if we allow write */
872 if (!mac_proc_enforce) {
873 return 0;
874 }
875 #endif
876 if (!mac_proc_check_enforce(curp)) {
877 return 0;
878 }
879
880 MAC_CHECK(proc_check_setregid, cred, rgid, egid);
881
882 return error;
883 }
884
885 int
mac_proc_check_settid(proc_t curp,uid_t uid,gid_t gid)886 mac_proc_check_settid(proc_t curp, uid_t uid, gid_t gid)
887 {
888 kauth_cred_t pcred, tcred;
889 int error = 0;
890
891 #if SECURITY_MAC_CHECK_ENFORCE
892 /* 21167099 - only check if we allow write */
893 if (!mac_proc_enforce) {
894 return 0;
895 }
896 #endif
897 if (!mac_proc_check_enforce(curp)) {
898 return 0;
899 }
900
901 pcred = kauth_cred_proc_ref(curp);
902 tcred = kauth_cred_get_with_ref();
903 MAC_CHECK(proc_check_settid, pcred, tcred, uid, gid);
904 kauth_cred_unref(&tcred);
905 kauth_cred_unref(&pcred);
906
907 return error;
908 }
909