svn commit: r184502 - in stable/7/sys: . security/mac_biba
security/mac_lomac security/mac_mls security/mac_partition
security/mac_seeotheruids security/mac_stub security/mac_test
Bjoern A. Zeeb
bz at FreeBSD.org
Fri Oct 31 04:27:55 PDT 2008
Author: bz
Date: Fri Oct 31 11:27:54 2008
New Revision: 184502
URL: http://svn.freebsd.org/changeset/base/184502
Log:
MFC: r183980
Add a mac_check_inpcb_visible implementation to all MAC policies
that handle mac_check_socket_visible.
Approved by: re (rwatson)
Modified:
stable/7/sys/ (props changed)
stable/7/sys/security/mac_biba/mac_biba.c
stable/7/sys/security/mac_lomac/mac_lomac.c
stable/7/sys/security/mac_mls/mac_mls.c
stable/7/sys/security/mac_partition/mac_partition.c
stable/7/sys/security/mac_seeotheruids/mac_seeotheruids.c
stable/7/sys/security/mac_stub/mac_stub.c
stable/7/sys/security/mac_test/mac_test.c
Modified: stable/7/sys/security/mac_biba/mac_biba.c
==============================================================================
--- stable/7/sys/security/mac_biba/mac_biba.c Fri Oct 31 10:38:30 2008 (r184501)
+++ stable/7/sys/security/mac_biba/mac_biba.c Fri Oct 31 11:27:54 2008 (r184502)
@@ -1599,6 +1599,24 @@ biba_check_inpcb_deliver(struct inpcb *i
}
static int
+biba_check_inpcb_visible(struct ucred *cred, struct inpcb *inp,
+ struct label *inplabel)
+{
+ struct mac_biba *subj, *obj;
+
+ if (!biba_enabled)
+ return (0);
+
+ subj = SLOT(cred->cr_label);
+ obj = SLOT(inplabel);
+
+ if (!biba_dominate_effective(obj, subj))
+ return (ENOENT);
+
+ return (0);
+}
+
+static int
biba_check_sysv_msgrcv(struct ucred *cred, struct msg *msgptr,
struct label *msglabel)
{
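Review bot: `biba_check_inpcb_visible` returns ENOENT rather than EACCES when the PCB's label does not dominate the subject's, and nothing in the hunk explains the choice; a comment above the dominance test would keep a later reader from "correcting" it, e.g. `/* No read-down: hide (ENOENT, not EACCES) PCBs whose integrity is below the subject's, as the socket visibility check does. */`. The `inp` argument is unused and only `inplabel` is consulted, which is fine for a label-based policy but worth stating in the same comment. Note that `biba_enabled == 0` makes every PCB visible, which presumably mirrors the other biba_check_* hooks (they are outside the hunk). The hook reads `inplabel` without any locking of its own, so it relies on the framework entry point holding or asserting the inpcb lock — worth confirming on stable/7.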
@@ -3333,6 +3351,7 @@ static struct mac_policy_ops mac_biba_op
.mpo_check_ifnet_relabel = biba_check_ifnet_relabel,
.mpo_check_ifnet_transmit = biba_check_ifnet_transmit,
.mpo_check_inpcb_deliver = biba_check_inpcb_deliver,
+ .mpo_check_inpcb_visible = biba_check_inpcb_visible,
.mpo_check_sysv_msgrcv = biba_check_sysv_msgrcv,
.mpo_check_sysv_msgrmid = biba_check_sysv_msgrmid,
.mpo_check_sysv_msqget = biba_check_sysv_msqget,
Modified: stable/7/sys/security/mac_lomac/mac_lomac.c
==============================================================================
--- stable/7/sys/security/mac_lomac/mac_lomac.c Fri Oct 31 10:38:30 2008 (r184501)
+++ stable/7/sys/security/mac_lomac/mac_lomac.c Fri Oct 31 11:27:54 2008 (r184502)
@@ -1742,6 +1742,24 @@ lomac_check_inpcb_deliver(struct inpcb *
}
static int
+lomac_check_inpcb_visible(struct ucred *cred, struct inpcb *inp,
+ struct label *inplabel)
+{
+ struct mac_lomac *subj, *obj;
+
+ if (!lomac_enabled)
+ return (0);
+
+ subj = SLOT(cred->cr_label);
+ obj = SLOT(inplabel);
+
+ if (!lomac_dominate_single(obj, subj))
+ return (ENOENT);
+
+ return (0);
+}
+
+static int
lomac_check_kld_load(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
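Review bot: `lomac_check_inpcb_visible` denies with ENOENT instead of demoting the subject, which differs from the way LOMAC's data-read hooks (outside this hunk) are generally expected to float the subject's label down; since listing a PCB is not a read of its data, denial is the right behaviour here, but a comment should make that deliberate: `/* Visibility is a pure check: hide (ENOENT) instead of demoting the subject, since listing a PCB is not a read of its data. */`. The direction of `lomac_dominate_single(obj, subj)` is the integrity read rule and presumably matches lomac_check_socket_visible, which the log says this policy already implements. As in the Biba version, `inp` itself is unused and `lomac_enabled == 0` makes every PCB visible.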
@@ -2893,6 +2911,7 @@ static struct mac_policy_ops lomac_ops =
.mpo_check_ifnet_relabel = lomac_check_ifnet_relabel,
.mpo_check_ifnet_transmit = lomac_check_ifnet_transmit,
.mpo_check_inpcb_deliver = lomac_check_inpcb_deliver,
+ .mpo_check_inpcb_visible = lomac_check_inpcb_visible,
.mpo_check_kld_load = lomac_check_kld_load,
.mpo_check_pipe_ioctl = lomac_check_pipe_ioctl,
.mpo_check_pipe_read = lomac_check_pipe_read,
Modified: stable/7/sys/security/mac_mls/mac_mls.c
==============================================================================
--- stable/7/sys/security/mac_mls/mac_mls.c Fri Oct 31 10:38:30 2008 (r184501)
+++ stable/7/sys/security/mac_mls/mac_mls.c Fri Oct 31 11:27:54 2008 (r184502)
@@ -1540,6 +1540,24 @@ mls_check_inpcb_deliver(struct inpcb *in
}
static int
+mls_check_inpcb_visible(struct ucred *cred, struct inpcb *inp,
+ struct label *inplabel)
+{
+ struct mac_mls *subj, *obj;
+
+ if (!mls_enabled)
+ return (0);
+
+ subj = SLOT(cred->cr_label);
+ obj = SLOT(inplabel);
+
+ if (!mls_dominate_effective(subj, obj))
+ return (ENOENT);
+
+ return (0);
+}
+
+static int
mls_check_sysv_msgrcv(struct ucred *cred, struct msg *msgptr,
struct label *msglabel)
{
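Review bot: The argument order in `mls_dominate_effective(subj, obj)` is the reverse of the Biba and LOMAC hooks in this commit, which is correct for a confidentiality policy (no read-up: the subject's label must dominate the object's) but reads like a copy-paste slip next to the other two; one comment above the test settles it: `/* No read-up: the subject must dominate the PCB's label to see it. */`. ENOENT (hide) rather than EACCES (deny) is again the visibility convention and deserves a word in the same comment. `inp` is unused; only `inplabel` is consulted.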
@@ -2957,6 +2975,7 @@ static struct mac_policy_ops mls_ops =
.mpo_check_ifnet_relabel = mls_check_ifnet_relabel,
.mpo_check_ifnet_transmit = mls_check_ifnet_transmit,
.mpo_check_inpcb_deliver = mls_check_inpcb_deliver,
+ .mpo_check_inpcb_visible = mls_check_inpcb_visible,
.mpo_check_sysv_msgrcv = mls_check_sysv_msgrcv,
.mpo_check_sysv_msgrmid = mls_check_sysv_msgrmid,
.mpo_check_sysv_msqget = mls_check_sysv_msqget,
Modified: stable/7/sys/security/mac_partition/mac_partition.c
==============================================================================
--- stable/7/sys/security/mac_partition/mac_partition.c Fri Oct 31 10:38:30 2008 (r184501)
+++ stable/7/sys/security/mac_partition/mac_partition.c Fri Oct 31 11:27:54 2008 (r184502)
@@ -46,10 +46,15 @@
#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/sbuf.h>
+#include <sys/socket.h>
#include <sys/socketvar.h>
#include <sys/systm.h>
#include <sys/sysctl.h>
+#include <net/route.h>
+#include <netinet/in.h>
+#include <netinet/in_pcb.h>
+
#include <security/mac/mac_policy.h>
#include <security/mac_partition/mac_partition.h>
@@ -186,6 +191,17 @@ partition_check_cred_visible(struct ucre
}
static int
+partition_check_inpcb_visible(struct ucred *cred, struct inpcb *inp,
+ struct label *inplabel)
+{
+ int error;
+
+ error = label_on_label(cred->cr_label, inp->inp_cred->cr_label);
+
+ return (error ? ENOENT : 0);
+}
+
+static int
partition_check_proc_debug(struct ucred *cred, struct proc *p)
{
int error;
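Review bot: `partition_check_inpcb_visible` ignores `inplabel` entirely and decides on `inp->inp_cred->cr_label`, presumably the partition label of the credential that created the PCB; that is appropriate if mac_partition labels only credentials (its inpcb label ops, if any, are outside this hunk), but the unused parameter invites a later "fix", so say so: `/* Partitions live on credentials, not on inpcbs: compare against the owning cred's label. */`. It also dereferences `inp->inp_cred` unconditionally, so the hook relies on every inpcb reaching the framework carrying a held credential; if that is an invariant of PCB allocation on stable/7 it should be stated in the comment, and if it is not, a NULL check is required. Mapping a non-zero `label_on_label` result to ENOENT (hide rather than deny) matches the convention the label-based policies in this commit follow.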
@@ -258,6 +274,7 @@ static struct mac_policy_ops partition_o
.mpo_relabel_cred = partition_relabel_cred,
.mpo_check_cred_relabel = partition_check_cred_relabel,
.mpo_check_cred_visible = partition_check_cred_visible,
+ .mpo_check_inpcb_visible = partition_check_inpcb_visible,
.mpo_check_proc_debug = partition_check_proc_debug,
.mpo_check_proc_sched = partition_check_proc_sched,
.mpo_check_proc_signal = partition_check_proc_signal,
Modified: stable/7/sys/security/mac_seeotheruids/mac_seeotheruids.c
==============================================================================
--- stable/7/sys/security/mac_seeotheruids/mac_seeotheruids.c Fri Oct 31 10:38:30 2008 (r184501)
+++ stable/7/sys/security/mac_seeotheruids/mac_seeotheruids.c Fri Oct 31 11:27:54 2008 (r184502)
@@ -47,9 +47,14 @@
#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/systm.h>
+#include <sys/socket.h>
#include <sys/socketvar.h>
#include <sys/sysctl.h>
+#include <net/route.h>
+#include <netinet/in.h>
+#include <netinet/in_pcb.h>
+
#include <security/mac/mac_policy.h>
SYSCTL_DECL(_security_mac);
@@ -129,6 +134,14 @@ seeotheruids_check_cred_visible(struct u
}
static int
+seeotheruids_check_inpcb_visible(struct ucred *cred, struct inpcb *inp,
+ struct label *inplabel)
+{
+
+ return (seeotheruids_check(cred, inp->inp_cred));
+}
+
+static int
seeotheruids_check_proc_signal(struct ucred *cred, struct proc *p,
int signum)
{
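Review bot: `seeotheruids_check_inpcb_visible` dereferences `inp->inp_cred` with no NULL check before handing it to `seeotheruids_check`, so it depends on every inpcb carrying a held credential by the time the visibility hook runs; the partition hook in this commit makes the same assumption, which suggests it is an invariant, but it belongs in a comment, e.g. `/* inp_cred is held for the PCB's lifetime; compare against the creating credential. */`. Whatever error `seeotheruids_check` returns (its body is outside the hunk) is passed through unchanged, so if it is not ENOENT this hook will differ from the "hide with ENOENT" convention of the label-based policies here — harmless while callers only test for non-zero, but worth a sentence so nobody later relies on the exact errno.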
@@ -161,6 +174,7 @@ seeotheruids_check_socket_visible(struct
static struct mac_policy_ops seeotheruids_ops =
{
.mpo_check_cred_visible = seeotheruids_check_cred_visible,
+ .mpo_check_inpcb_visible = seeotheruids_check_inpcb_visible,
.mpo_check_proc_debug = seeotheruids_check_proc_debug,
.mpo_check_proc_sched = seeotheruids_check_proc_sched,
.mpo_check_proc_signal = seeotheruids_check_proc_signal,
Modified: stable/7/sys/security/mac_stub/mac_stub.c
==============================================================================
--- stable/7/sys/security/mac_stub/mac_stub.c Fri Oct 31 10:38:30 2008 (r184501)
+++ stable/7/sys/security/mac_stub/mac_stub.c Fri Oct 31 11:27:54 2008 (r184502)
@@ -614,6 +614,14 @@ stub_check_inpcb_deliver(struct inpcb *i
}
static int
+stub_check_inpcb_visible(struct ucred *cred, struct inpcb *inp,
+ struct label *inplabel)
+{
+
+ return (0);
+}
+
+static int
stub_check_sysv_msgmsq(struct ucred *cred, struct msg *msgptr,
struct label *msglabel, struct msqid_kernel *msqkptr,
struct label *msqklabel)
@@ -1550,6 +1558,7 @@ static struct mac_policy_ops stub_ops =
.mpo_check_ifnet_relabel = stub_check_ifnet_relabel,
.mpo_check_ifnet_transmit = stub_check_ifnet_transmit,
.mpo_check_inpcb_deliver = stub_check_inpcb_deliver,
+ .mpo_check_inpcb_visible = stub_check_inpcb_visible,
.mpo_check_sysv_msgmsq = stub_check_sysv_msgmsq,
.mpo_check_sysv_msgrcv = stub_check_sysv_msgrcv,
.mpo_check_sysv_msgrmid = stub_check_sysv_msgrmid,
Modified: stable/7/sys/security/mac_test/mac_test.c
==============================================================================
--- stable/7/sys/security/mac_test/mac_test.c Fri Oct 31 10:38:30 2008 (r184501)
+++ stable/7/sys/security/mac_test/mac_test.c Fri Oct 31 11:27:54 2008 (r184502)
@@ -1258,6 +1258,19 @@ test_check_inpcb_deliver(struct inpcb *i
return (0);
}
+COUNTER_DECL(check_inpcb_visible);
+static int
+test_check_inpcb_visible(struct ucred *cred, struct inpcb *inp,
+ struct label *inplabel)
+{
+
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(inplabel, MAGIC_INPCB);
+ COUNTER_INC(check_inpcb_visible);
+
+ return (0);
+}
+
COUNTER_DECL(check_sysv_msgmsq);
static int
test_check_sysv_msgmsq(struct ucred *cred, struct msg *msgptr,
@@ -2577,6 +2590,7 @@ static struct mac_policy_ops test_ops =
.mpo_check_ifnet_relabel = test_check_ifnet_relabel,
.mpo_check_ifnet_transmit = test_check_ifnet_transmit,
.mpo_check_inpcb_deliver = test_check_inpcb_deliver,
+ .mpo_check_inpcb_visible = test_check_inpcb_visible,
.mpo_check_sysv_msgmsq = test_check_sysv_msgmsq,
.mpo_check_sysv_msgrcv = test_check_sysv_msgrcv,
.mpo_check_sysv_msgrmid = test_check_sysv_msgrmid,