PERFORCE change 15040 for review
Robert Watson
rwatson at freebsd.org
Sun Jul 28 04:46:55 GMT 2002
http://people.freebsd.org/~peter/p4db/chv.cgi?CH=15040
Change 15040 by rwatson at rwatson_paprika on 2002/07/27 21:46:36
More name consistency for entry points:
s/mac_ifnet_check_send_mbuf/mac_check_ifnet_transmit/
s/mac_socket_check_receive_mbuf/mac_check_socket_receive/
Affected files ...
.. //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#198 edit
.. //depot/projects/trustedbsd/mac/sys/net/if_atmsubr.c#6 edit
.. //depot/projects/trustedbsd/mac/sys/net/if_ethersubr.c#15 edit
.. //depot/projects/trustedbsd/mac/sys/net/if_fddisubr.c#8 edit
.. //depot/projects/trustedbsd/mac/sys/net/if_gif.c#13 edit
.. //depot/projects/trustedbsd/mac/sys/net/if_iso88025subr.c#8 edit
.. //depot/projects/trustedbsd/mac/sys/net/if_spppsubr.c#11 edit
.. //depot/projects/trustedbsd/mac/sys/net/if_stf.c#16 edit
.. //depot/projects/trustedbsd/mac/sys/net/if_tun.c#10 edit
.. //depot/projects/trustedbsd/mac/sys/netatalk/ddp_input.c#6 edit
.. //depot/projects/trustedbsd/mac/sys/netinet/raw_ip.c#13 edit
.. //depot/projects/trustedbsd/mac/sys/netinet/tcp_input.c#17 edit
.. //depot/projects/trustedbsd/mac/sys/netinet/udp_usrreq.c#13 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#75 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_ifoff/mac_ifoff.c#11 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#64 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_none/mac_none.c#50 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.c#55 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#20 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac.h#126 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#91 edit
Differences ...
==== //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#198 (text+ko) ====
@@ -666,6 +666,14 @@
mpc->mpc_ops->mpo_check_connect_socket =
mpe->mpe_function;
break;
+ case MAC_CHECK_IFNET_TRANSMIT:
+ mpc->mpc_ops->mpo_check_ifnet_transmit =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_SOCKET_RECEIVE:
+ mpc->mpc_ops->mpo_check_socket_receive =
+ mpe->mpe_function;
+ break;
case MAC_CHECK_SOCKET_VISIBLE:
mpc->mpc_ops->mpo_check_socket_visible =
mpe->mpe_function;
@@ -817,14 +825,6 @@
mpc->mpc_ops->mpo_check_pipe_op =
mpe->mpe_function;
break;
- case MAC_IFNET_CHECK_SEND_MBUF:
- mpc->mpc_ops->mpo_ifnet_check_send_mbuf =
- mpe->mpe_function;
- break;
- case MAC_SOCKET_CHECK_RECEIVE_MBUF:
- mpc->mpc_ops->mpo_socket_check_receive_mbuf =
- mpe->mpe_function;
- break;
case MAC_INIT_BPFDESC:
mpc->mpc_ops->mpo_init_bpfdesc =
mpe->mpe_function;
@@ -2459,25 +2459,6 @@
}
int
-mac_ifnet_can_send(struct ifnet *ifnet, struct mbuf *mbuf)
-{
- int error;
-
- if (!mac_enforce_network)
- return (0);
-
- KASSERT(mbuf->m_flags & M_PKTHDR, ("packet has no pkthdr"));
- if (!(mbuf->m_pkthdr.label.l_flags & MAC_FLAG_INITIALIZED))
- printf("%s%d: not initialized\n", ifnet->if_name,
- ifnet->if_unit);
-
- MAC_CHECK(ifnet_check_send_mbuf, ifnet, &ifnet->if_label, mbuf,
- &mbuf->m_pkthdr.label);
-
- return (error);
-}
-
-int
mac_check_bind_socket(struct ucred *ucred, struct socket *socket,
struct sockaddr *sockaddr)
{
@@ -2520,6 +2501,25 @@
}
int
+mac_check_ifnet_transmit(struct ifnet *ifnet, struct mbuf *mbuf)
+{
+ int error;
+
+ if (!mac_enforce_network)
+ return (0);
+
+ KASSERT(mbuf->m_flags & M_PKTHDR, ("packet has no pkthdr"));
+ if (!(mbuf->m_pkthdr.label.l_flags & MAC_FLAG_INITIALIZED))
+ printf("%s%d: not initialized\n", ifnet->if_name,
+ ifnet->if_unit);
+
+ MAC_CHECK(check_ifnet_transmit, ifnet, &ifnet->if_label, mbuf,
+ &mbuf->m_pkthdr.label);
+
+ return (error);
+}
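Review bot: mac_check_ifnet_transmit only printf()s when the mbuf label lacks MAC_FLAG_INITIALIZED and then still runs MAC_CHECK against that label, so policy modules compare against label slots that were never set up and the packet can be permitted by default. Failing closed there looks safer, e.g. `return (EACCES);` after the printf (the errno choice is yours; EACCES is what the policy modules in this change return on denial). Because this runs once per packet, an unconditional printf can also flood the console once a single output path forgets to initialize its labels, so a rate-limited or once-only message is worth considering.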
+
+int
mac_check_connect_socket(struct ucred *cred, struct socket *socket,
struct sockaddr *sockaddr)
{
@@ -2535,14 +2535,14 @@
}
int
-mac_socket_can_receive(struct socket *socket, struct mbuf *mbuf)
+mac_check_socket_receive(struct socket *socket, struct mbuf *mbuf)
{
int error;
if (!mac_enforce_socket)
return (0);
- MAC_CHECK(socket_check_receive_mbuf, socket, &socket->so_label, mbuf,
+ MAC_CHECK(check_socket_receive, socket, &socket->so_label, mbuf,
&mbuf->m_pkthdr.label);
return (error);
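Review bot: mac_check_socket_receive reads `&mbuf->m_pkthdr.label` without the `KASSERT(mbuf->m_flags & M_PKTHDR, ("packet has no pkthdr"));` guard and the MAC_FLAG_INITIALIZED test that mac_check_ifnet_transmit in this same file performs, so an mbuf without a packet header would be treated as if it carried a valid label. Adding the same KASSERT before the MAC_CHECK keeps the two entry points consistent. A comment on why this check is gated by mac_enforce_socket while the transmit check is gated by mac_enforce_network would also help, since both consume the mbuf's label. The function's closing brace is outside the hunk.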
==== //depot/projects/trustedbsd/mac/sys/net/if_atmsubr.c#6 (text+ko) ====
@@ -106,7 +106,7 @@
u_int32_t atm_flags;
#ifdef MAC
- error = mac_ifnet_can_send(ifp, m);
+ error = mac_check_ifnet_transmit(ifp, m);
if (error)
senderr(error);
#endif
==== //depot/projects/trustedbsd/mac/sys/net/if_ethersubr.c#15 (text+ko) ====
@@ -157,7 +157,7 @@
struct arpcom *ac = IFP2AC(ifp);
#ifdef MAC
- error = mac_ifnet_can_send(ifp, m);
+ error = mac_check_ifnet_transmit(ifp, m);
if (error)
senderr(error);
#endif
==== //depot/projects/trustedbsd/mac/sys/net/if_fddisubr.c#8 (text+ko) ====
@@ -127,7 +127,7 @@
struct arpcom *ac = IFP2AC(ifp);
#ifdef MAC
- error = mac_ifnet_can_send(ifp, m);
+ error = mac_check_ifnet_transmit(ifp, m);
if (error)
senderr(error);
#endif
==== //depot/projects/trustedbsd/mac/sys/net/if_gif.c#13 (text+ko) ====
@@ -342,7 +342,7 @@
static int called = 0; /* XXX: MUTEX */
#ifdef MAC
- error = mac_ifnet_can_send(ifp, m);
+ error = mac_check_ifnet_transmit(ifp, m);
if (error)
senderr(error);
#endif
==== //depot/projects/trustedbsd/mac/sys/net/if_iso88025subr.c#8 (text+ko) ====
@@ -224,7 +224,7 @@
struct arpcom *ac = (struct arpcom *)ifp;
#ifdef MAC
- error = mac_ifnet_can_send(ifp, m);
+ error = mac_check_ifnet_transmit(ifp, m);
if (error)
senderr(error);
#endif
==== //depot/projects/trustedbsd/mac/sys/net/if_spppsubr.c#11 (text+ko) ====
@@ -790,7 +790,7 @@
s = splimp();
#ifdef MAC
- error = mac_ifnet_can_send(ifp, m);
+ error = mac_check_ifnet_transmit(ifp, m);
if (error) {
m_freem (m);
splx (s);
==== //depot/projects/trustedbsd/mac/sys/net/if_stf.c#16 (text+ko) ====
@@ -359,7 +359,7 @@
#ifdef MAC
int error;
- error = mac_ifnet_can_send(ifp, m);
+ error = mac_check_ifnet_transmit(ifp, m);
if (error) {
m_freem(m);
return (error);
==== //depot/projects/trustedbsd/mac/sys/net/if_tun.c#10 (text+ko) ====
@@ -452,7 +452,7 @@
TUNDEBUG ("%s%d: tunoutput\n", ifp->if_name, ifp->if_unit);
#ifdef MAC
- error = mac_ifnet_can_send(ifp, m0);
+ error = mac_check_ifnet_transmit(ifp, m0);
if (error) {
m_freem(m0);
return (error);
==== //depot/projects/trustedbsd/mac/sys/netatalk/ddp_input.c#6 (text+ko) ====
@@ -398,7 +398,7 @@
}
#ifdef MAC
- if (mac_socket_can_receive(&ddp->ddp_socket, m) != 0) {
+ if (mac_check_socket_receive(&ddp->ddp_socket, m) != 0) {
m_freem( m );
return;
}
==== //depot/projects/trustedbsd/mac/sys/netinet/raw_ip.c#13 (text+ko) ====
@@ -158,7 +158,7 @@
}
#endif /*IPSEC*/
#ifdef MAC
- if (mac_socket_can_receive(last->inp_socket,
+ if (mac_check_socket_receive(last->inp_socket,
n) != 0)
policyfail = 1;
#endif
@@ -195,7 +195,7 @@
}
#endif /*IPSEC*/
#ifdef MAC
- if (mac_socket_can_receive(last->inp_socket, m) != 0) {
+ if (mac_check_socket_receive(last->inp_socket, m) != 0) {
m_freem(m);
ipstat.ips_delivered--;
return;
==== //depot/projects/trustedbsd/mac/sys/netinet/tcp_input.c#17 (text+ko) ====
@@ -656,7 +656,7 @@
so = inp->inp_socket;
#ifdef MAC
- error = mac_socket_can_receive(so, m);
+ error = mac_check_socket_receive(so, m);
if (error)
goto drop;
#endif
==== //depot/projects/trustedbsd/mac/sys/netinet/udp_usrreq.c#13 (text+ko) ====
@@ -324,7 +324,7 @@
}
#endif /*IPSEC*/
#ifdef MAC
- if (mac_socket_can_receive(last->inp_socket,
+ if (mac_check_socket_receive(last->inp_socket,
m) != 0)
policyfail = 1;
#endif
@@ -410,7 +410,7 @@
}
#endif /*IPSEC*/
#ifdef MAC
- error = mac_socket_can_receive(inp->inp_socket, m);
+ error = mac_check_socket_receive(inp->inp_socket, m);
if (error)
goto bad;
#endif
==== //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#75 (text+ko) ====
@@ -1199,6 +1199,21 @@
}
static int
+mac_biba_check_socket_receive(struct socket *so, struct label *socketlabel,
+ struct mbuf *m, struct label *mbuflabel)
+{
+ struct mac_biba *p, *s;
+
+ if (!mac_biba_enabled)
+ return (0);
+
+ p = SLOT(mbuflabel);
+ s = SLOT(socketlabel);
+
+ return (mac_biba_equal_single(p, s) ? 0 : EACCES);
+}
+
+static int
mac_biba_check_socket_visible(struct ucred *cred, struct socket *socket,
struct label *socketlabel)
{
@@ -1213,6 +1228,21 @@
return (0);
}
+static int
+mac_biba_check_ifnet_transmit(struct ifnet *ifnet, struct label *ifnetlabel,
+ struct mbuf *m, struct label *mbuflabel)
+{
+ struct mac_biba *p, *i;
+
+ if (!mac_biba_enabled)
+ return (0);
+
+ p = SLOT(mbuflabel);
+ i = SLOT(ifnetlabel);
+
+ return (mac_biba_single_in_range(p, i) ? 0 : EACCES);
+}
+
static int
mac_biba_check_relabel_ifnet(struct ucred *cred, struct ifnet *ifnet,
struct label *ifnetlabel, struct label *newlabel)
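Review bot: The two new Biba checks apply different relations with no comment saying why: mac_biba_check_socket_receive requires mac_biba_equal_single between mbuf and socket label, whereas mac_biba_check_ifnet_transmit only requires mac_biba_single_in_range against the interface label. A one-line rationale on each (why delivery to a socket needs an exact label match while transmission only needs the packet to fall within the interface's range, if that is the intended model) would stop a later reader from "fixing" one to match the other. The identical pair added to mac_mls.c in this change has the same gap.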
@@ -1885,36 +1915,6 @@
return (0);
}
-static int
-mac_biba_ifnet_check_send_mbuf(struct ifnet *ifnet, struct label *ifnetlabel,
- struct mbuf *m, struct label *mbuflabel)
-{
- struct mac_biba *p, *i;
-
- if (!mac_biba_enabled)
- return (0);
-
- p = SLOT(mbuflabel);
- i = SLOT(ifnetlabel);
-
- return (mac_biba_single_in_range(p, i) ? 0 : EACCES);
-}
-
-static int
-mac_biba_socket_check_receive_mbuf(struct socket *so,
- struct label *socketlabel, struct mbuf *m, struct label *mbuflabel)
-{
- struct mac_biba *p, *s;
-
- if (!mac_biba_enabled)
- return (0);
-
- p = SLOT(mbuflabel);
- s = SLOT(socketlabel);
-
- return (mac_biba_equal_single(p, s) ? 0 : EACCES);
-}
-
static vm_prot_t
mac_biba_check_vnode_mmap_perms(struct ucred *cred, struct vnode *vp,
struct label *label, int newmapping)
@@ -2144,6 +2144,10 @@
(macop_t)mac_biba_check_bpfdesc_receive },
{ MAC_CHECK_CRED_VISIBLE,
(macop_t)mac_biba_check_cred_visible },
+ { MAC_CHECK_IFNET_TRANSMIT,
+ (macop_t)mac_biba_check_ifnet_transmit },
+ { MAC_CHECK_SOCKET_RECEIVE,
+ (macop_t)mac_biba_check_socket_receive },
{ MAC_CHECK_SOCKET_VISIBLE,
(macop_t)mac_biba_check_socket_visible },
{ MAC_CHECK_RELABEL_IFNET,
@@ -2214,10 +2218,6 @@
(macop_t)mac_biba_check_signal_proc },
{ MAC_CHECK_STAT_VNODE,
(macop_t)mac_biba_check_stat_vnode },
- { MAC_IFNET_CHECK_SEND_MBUF,
- (macop_t)mac_biba_ifnet_check_send_mbuf },
- { MAC_SOCKET_CHECK_RECEIVE_MBUF,
- (macop_t)mac_biba_socket_check_receive_mbuf },
{ MAC_CHECK_VNODE_MMAP_PERMS,
(macop_t)mac_biba_check_vnode_mmap_perms },
{ MAC_CHECK_VNODE_OP,
==== //depot/projects/trustedbsd/mac/sys/security/mac_ifoff/mac_ifoff.c#11 (text+ko) ====
@@ -130,24 +130,24 @@
}
static int
-mac_ifoff_ifnet_check_send_mbuf(struct ifnet *ifnet,
- struct label *ifnetlabel, struct mbuf *m, struct label *mbuflabel)
+mac_ifoff_check_bpfdesc_receive(struct bpf_d *bpf_d, struct label *bpflabel,
+ struct ifnet *ifnet, struct label *ifnetlabel)
{
- return (check_ifnet_outgoing(ifnet));
+ return (check_ifnet_incoming(ifnet, 1));
}
static int
-mac_ifoff_check_bpfdesc_receive(struct bpf_d *bpf_d, struct label *bpflabel,
- struct ifnet *ifnet, struct label *ifnetlabel)
+mac_ifoff_check_ifnet_transmit(struct ifnet *ifnet, struct label *ifnetlabel,
+ struct mbuf *m, struct label *mbuflabel)
{
- return (check_ifnet_incoming(ifnet, 1));
+ return (check_ifnet_outgoing(ifnet));
}
static int
-mac_ifoff_socket_check_receive_mbuf(struct socket *so,
- struct label *socketlabel, struct mbuf *m, struct label *mbuflabel)
+mac_ifoff_check_socket_receive(struct socket *so, struct label *socketlabel,
+ struct mbuf *m, struct label *mbuflabel)
{
if (m->m_flags & M_PKTHDR) {
@@ -162,10 +162,10 @@
{
{ MAC_CHECK_BPFDESC_RECEIVE,
(macop_t)mac_ifoff_check_bpfdesc_receive },
- { MAC_IFNET_CHECK_SEND_MBUF,
- (macop_t)mac_ifoff_ifnet_check_send_mbuf },
- { MAC_SOCKET_CHECK_RECEIVE_MBUF,
- (macop_t)mac_ifoff_socket_check_receive_mbuf },
+ { MAC_CHECK_IFNET_TRANSMIT,
+ (macop_t)mac_ifoff_check_ifnet_transmit },
+ { MAC_CHECK_SOCKET_RECEIVE,
+ (macop_t)mac_ifoff_check_socket_receive },
{ MAC_OP_LAST, NULL }
};
==== //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#64 (text+ko) ====
@@ -1145,6 +1145,36 @@
}
static int
+mac_mls_check_ifnet_transmit(struct ifnet *ifnet, struct label *ifnetlabel,
+ struct mbuf *m, struct label *mbuflabel)
+{
+ struct mac_mls *p, *i;
+
+ if (!mac_mls_enabled)
+ return (0);
+
+ p = SLOT(mbuflabel);
+ i = SLOT(ifnetlabel);
+
+ return (mac_mls_single_in_range(p, i) ? 0 : EACCES);
+}
+
+static int
+mac_mls_check_socket_receive(struct socket *so, struct label *socketlabel,
+ struct mbuf *m, struct label *mbuflabel)
+{
+ struct mac_mls *p, *s;
+
+ if (!mac_mls_enabled)
+ return (0);
+
+ p = SLOT(mbuflabel);
+ s = SLOT(socketlabel);
+
+ return (mac_mls_equal_single(p, s) ? 0 : EACCES);
+}
+
+static int
mac_mls_check_socket_visible(struct ucred *cred, struct socket *socket,
struct label *socketlabel)
{
@@ -1831,36 +1861,6 @@
return (0);
}
-static int
-mac_mls_ifnet_check_send_mbuf(struct ifnet *ifnet, struct label *ifnetlabel,
- struct mbuf *m, struct label *mbuflabel)
-{
- struct mac_mls *p, *i;
-
- if (!mac_mls_enabled)
- return (0);
-
- p = SLOT(mbuflabel);
- i = SLOT(ifnetlabel);
-
- return (mac_mls_single_in_range(p, i) ? 0 : EACCES);
-}
-
-static int
-mac_mls_socket_check_receive_mbuf(struct socket *so, struct label *socketlabel,
- struct mbuf *m, struct label *mbuflabel)
-{
- struct mac_mls *p, *s;
-
- if (!mac_mls_enabled)
- return (0);
-
- p = SLOT(mbuflabel);
- s = SLOT(socketlabel);
-
- return (mac_mls_equal_single(p, s) ? 0 : EACCES);
-}
-
static vm_prot_t
mac_mls_check_vnode_mmap_perms(struct ucred *cred, struct vnode *vp,
struct label *label, int newmapping)
@@ -2090,6 +2090,10 @@
(macop_t)mac_mls_check_bpfdesc_receive },
{ MAC_CHECK_CRED_VISIBLE,
(macop_t)mac_mls_check_cred_visible },
+ { MAC_CHECK_IFNET_TRANSMIT,
+ (macop_t)mac_mls_check_ifnet_transmit },
+ { MAC_CHECK_SOCKET_RECEIVE,
+ (macop_t)mac_mls_check_socket_receive },
{ MAC_CHECK_SOCKET_VISIBLE,
(macop_t)mac_mls_check_socket_visible },
{ MAC_CHECK_RELABEL_IFNET,
@@ -2160,10 +2164,6 @@
(macop_t)mac_mls_check_signal_proc },
{ MAC_CHECK_STAT_VNODE,
(macop_t)mac_mls_check_stat_vnode },
- { MAC_IFNET_CHECK_SEND_MBUF,
- (macop_t)mac_mls_ifnet_check_send_mbuf },
- { MAC_SOCKET_CHECK_RECEIVE_MBUF,
- (macop_t)mac_mls_socket_check_receive_mbuf },
{ MAC_CHECK_VNODE_MMAP_PERMS,
(macop_t)mac_mls_check_vnode_mmap_perms },
{ MAC_CHECK_VNODE_OP,
==== //depot/projects/trustedbsd/mac/sys/security/mac_none/mac_none.c#50 (text+ko) ====
@@ -572,6 +572,14 @@
}
static int
+mac_none_check_ifnet_transmit(struct ifnet *ifnet, struct label *ifnetlabel,
+ struct mbuf *m, struct label *mbuflabel)
+{
+
+ return (0);
+}
+
+static int
mac_none_check_connect_socket(struct ucred *cred, struct socket *socket,
struct label *socketlabel, struct sockaddr *sockaddr)
{
@@ -580,6 +588,14 @@
}
static int
+mac_none_check_socket_receive(struct socket *so, struct label *socketlabel,
+ struct mbuf *m, struct label *mbuflabel)
+{
+
+ return (0);
+}
+
+static int
mac_none_check_socket_visible(struct ucred *cred, struct socket *socket,
struct label *socketlabel)
{
@@ -851,22 +867,6 @@
}
static int
-mac_none_ifnet_check_send_mbuf(struct ifnet *ifnet, struct label *ifnetlabel,
- struct mbuf *m, struct label *mbuflabel)
-{
-
- return (0);
-}
-
-static int
-mac_none_socket_check_receive_mbuf(struct socket *so,
- struct label *socketlabel, struct mbuf *m, struct label *mbuflabel)
-{
-
- return (0);
-}
-
-static int
mac_none_check_pipe_op(struct ucred *cred, struct pipe *pipe,
struct label *pipelabel, int op)
{
@@ -1022,8 +1022,12 @@
(macop_t)mac_none_check_bpfdesc_receive },
{ MAC_CHECK_CRED_VISIBLE,
(macop_t)mac_none_check_cred_visible },
+ { MAC_CHECK_IFNET_TRANSMIT,
+ (macop_t)mac_none_check_ifnet_transmit },
{ MAC_CHECK_CONNECT_SOCKET,
(macop_t)mac_none_check_connect_socket },
+ { MAC_CHECK_SOCKET_RECEIVE,
+ (macop_t)mac_none_check_socket_receive },
{ MAC_CHECK_SOCKET_VISIBLE,
(macop_t)mac_none_check_socket_visible },
{ MAC_CHECK_RELABEL_IFNET,
@@ -1092,10 +1096,6 @@
(macop_t)mac_none_check_signal_proc },
{ MAC_CHECK_STAT_VNODE,
(macop_t)mac_none_check_stat_vnode },
- { MAC_IFNET_CHECK_SEND_MBUF,
- (macop_t)mac_none_ifnet_check_send_mbuf },
- { MAC_SOCKET_CHECK_RECEIVE_MBUF,
- (macop_t)mac_none_socket_check_receive_mbuf },
{ MAC_CHECK_PIPE_IOCTL,
(macop_t)mac_none_check_pipe_ioctl },
{ MAC_CHECK_PIPE_OP,
==== //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.c#55 (text+ko) ====
@@ -644,20 +644,6 @@
}
static int
-mac_te_ifnet_check_send_mbuf(struct ifnet *ifnet, struct label *ifnetlabel,
- struct mbuf *m, struct label *mbuflabel)
-{
-
- /*
- * XXX: This treats the interface as a subject, sending the
- * mbuf as an object. Since sockets are objects, this is
- * probably wrong.
- */
- return (mac_te_check(SLOT(ifnetlabel), SLOT(mbuflabel),
- MAC_TE_CLASS_MBUF, MAC_TE_OPERATION_MBUF_SEND));
-}
-
-static int
mac_te_check_relabel_ifnet(struct ucred *cred, struct ifnet *ifnet,
struct label *newlabel)
{
@@ -703,7 +689,21 @@
return (mac_te_check(SLOT(&u1->cr_label), SLOT(&u2->cr_label),
MAC_TE_CLASS_PROC, MAC_TE_OPERATION_PROC_SEE));
-}
+}
+
+static int
+mac_te_check_ifnet_transmit(struct ifnet *ifnet, struct label *ifnetlabel,
+ struct mbuf *m, struct label *mbuflabel)
+{
+
+ /*
+ * XXX: This treats the interface as a subject, sending the
+ * mbuf as an object. Since sockets are objects, this is
+ * probably wrong.
+ */
+ return (mac_te_check(SLOT(ifnetlabel), SLOT(mbuflabel),
+ MAC_TE_CLASS_MBUF, MAC_TE_OPERATION_MBUF_SEND));
+}
static int
mac_te_check_connect_socket(struct ucred *cred, struct socket *socket,
@@ -730,15 +730,10 @@
}
static int
-mac_te_socket_check_receive_mbuf(struct socket *so, struct label *socketlabel,
+mac_te_check_socket_receive(struct socket *so, struct label *socketlabel,
struct mbuf *m, struct label *mbuflabel)
{
- /*
- * XXX: This treats the socket as a subject, reading the
- * mbuf as an object. Since sockets are objects, this is
- * probably wrong.
- */
return (mac_te_check(SLOT(socketlabel), SLOT(mbuflabel),
MAC_TE_CLASS_MBUF, MAC_TE_OPERATION_MBUF_RECEIVE));
}
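Review bot: mac_te_check_socket_receive loses its XXX comment about the socket being treated as a subject, while the identical comment is retained on mac_te_check_ifnet_transmit earlier in this file, yet the call is unchanged (socket label as subject, mbuf label as object) so the concern still applies. Either keep the comment or replace it with one stating why the modelling is now considered correct, e.g. `/* XXX: the socket is used as the subject here; see mac_te_check_ifnet_transmit. */`.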
@@ -1748,13 +1743,18 @@
{ MAC_RELABEL_SUBJECT, (macop_t)mac_te_relabel_subject },
{ MAC_RELABEL_VNODE, (macop_t)mac_te_relabel_vnode },
{ MAC_CHECK_BIND_SOCKET, (macop_t)mac_te_check_bind_socket },
- { MAC_CHECK_BPFDESC_RECEIVE, (macop_t)mac_te_check_bpfdesc_receive },
+ { MAC_CHECK_BPFDESC_RECEIVE,
+ (macop_t)mac_te_check_bpfdesc_receive },
{ MAC_CHECK_CRED_VISIBLE,
(macop_t)mac_te_check_cred_visible },
+ { MAC_CHECK_IFNET_TRANSMIT,
+ (macop_t)mac_te_check_ifnet_transmit },
{ MAC_CHECK_CONNECT_SOCKET,
(macop_t)mac_te_check_connect_socket },
{ MAC_CHECK_LISTEN_SOCKET,
(macop_t)mac_te_check_listen_socket },
+ { MAC_CHECK_SOCKET_RECEIVE,
+ (macop_t)mac_te_check_socket_receive },
{ MAC_CHECK_SOCKET_VISIBLE,
(macop_t)mac_te_check_socket_visible },
{ MAC_CHECK_RELABEL_IFNET,
@@ -1822,9 +1822,6 @@
(macop_t)mac_te_check_vnode_mmap_perms },
{ MAC_CHECK_VNODE_OP,
(macop_t)mac_te_check_vnode_op },
- { MAC_IFNET_CHECK_SEND_MBUF, (macop_t)mac_te_ifnet_check_send_mbuf },
- { MAC_SOCKET_CHECK_RECEIVE_MBUF,
- (macop_t)mac_te_socket_check_receive_mbuf },
{ MAC_EXTERNALIZE, (macop_t)mac_te_externalize },
{ MAC_INTERNALIZE, (macop_t)mac_te_internalize },
{ MAC_UPDATE_DEVFSDIRENT_FROM_VNODE,
==== //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#20 (text+ko) ====
@@ -780,6 +780,14 @@
}
static int
+mac_test_check_ifnet_transmit(struct ifnet *ifnet, struct label *ifnetlabel,
+ struct mbuf *m, struct label *mbuflabel)
+{
+
+ return (0);
+}
+
+static int
mac_test_check_connect_socket(struct ucred *cred, struct socket *socket,
struct label *socketlabel, struct sockaddr *sockaddr)
{
@@ -788,6 +796,14 @@
}
static int
+mac_test_check_socket_receive(struct socket *socket, struct label *socketlabel,
+ struct mbuf *m, struct label *mbuflabel)
+{
+
+ return (0);
+}
+
+static int
mac_test_check_socket_visible(struct ucred *cred, struct socket *socket,
struct label *socketlabel)
{
@@ -1074,22 +1090,6 @@
return (0);
}
-static int
-mac_test_ifnet_check_send_mbuf(struct ifnet *ifnet, struct label *ifnetlabel,
- struct mbuf *m, struct label *mbuflabel)
-{
-
- return (0);
-}
-
-static int
-mac_test_socket_check_receive_mbuf(struct socket *so,
- struct label *socketlabel, struct mbuf *m, struct label *mbuflabel)
-{
-
- return (0);
-}
-
static struct mac_policy_op_entry mac_test_ops[] =
{
{ MAC_DESTROY,
@@ -1228,8 +1228,12 @@
(macop_t)mac_test_check_bpfdesc_receive },
{ MAC_CHECK_CRED_VISIBLE,
(macop_t)mac_test_check_cred_visible },
+ { MAC_CHECK_IFNET_TRANSMIT,
+ (macop_t)mac_test_check_ifnet_transmit },
{ MAC_CHECK_CONNECT_SOCKET,
(macop_t)mac_test_check_connect_socket },
+ { MAC_CHECK_SOCKET_RECEIVE,
+ (macop_t)mac_test_check_socket_receive },
{ MAC_CHECK_SOCKET_VISIBLE,
(macop_t)mac_test_check_socket_visible },
{ MAC_CHECK_RELABEL_IFNET,
@@ -1302,10 +1306,6 @@
(macop_t)mac_test_check_pipe_ioctl },
{ MAC_CHECK_PIPE_OP,
(macop_t)mac_test_check_pipe_op },
- { MAC_IFNET_CHECK_SEND_MBUF,
- (macop_t)mac_test_ifnet_check_send_mbuf },
- { MAC_SOCKET_CHECK_RECEIVE_MBUF,
- (macop_t)mac_test_socket_check_receive_mbuf },
{ MAC_OP_LAST, NULL }
};
==== //depot/projects/trustedbsd/mac/sys/sys/mac.h#126 (text+ko) ====
@@ -368,9 +368,10 @@
/* Network event miscellany. */
int mac_fragment_matches_ipq(struct mbuf *fragment, struct ipq *ipq);
-int mac_ifnet_can_send(struct ifnet *ifnet, struct mbuf *m);
void mac_update_ipq_from_fragment(struct mbuf *fragment, struct ipq *ipq);
-int mac_socket_can_receive(struct socket *so, struct mbuf *m);
+
+int mac_check_ifnet_transmit(struct ifnet *ifnet, struct mbuf *m);
+int mac_check_socket_receive(struct socket *so, struct mbuf *m);
/* Hooks for the proc-based "can"-checks. */
int mac_check_cred_visible(struct ucred *u1, struct ucred *u2);
==== //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#91 (text+ko) ====
@@ -235,9 +235,15 @@
struct label *bpflabel, struct ifnet *ifnet,
struct label *ifnetlabel);
int (*mpo_check_cred_visible)(struct ucred *u1, struct ucred *u2);
+ int (*mpo_check_ifnet_transmit)(struct ifnet *ifnet,
+ struct label *ifnetlabel, struct mbuf *m,
+ struct label *mbuflabel);
int (*mpo_check_connect_socket)(struct ucred *cred,
struct socket *socket, struct label *socketlabel,
struct sockaddr *sockaddr);
+ int (*mpo_check_socket_receive)(struct socket *so,
+ struct label *socketlabel, struct mbuf *m,
+ struct label *mbuflabel);
int (*mpo_check_socket_visible)(struct ucred *cred,
struct socket *socket, struct label *socketlabel);
int (*mpo_check_relabel_ifnet)(struct ucred *cred,
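Review bot: For a change whose purpose is name consistency, the new mpo_check_socket_receive prototype names its parameters `so` and `m` while the neighbouring mpo_check_connect_socket uses `socket`, and mac_test_check_socket_receive in this same change also uses `socket`; settling on one spelling in the header (`struct socket *so, ... struct mbuf *m` matches the mac_biba and mac_mls implementations) avoids the drift. Neither new entry point documents its contract; a short comment such as `/* Return 0 to permit, or an errno (EACCES in the policies here) to deny. */` on the pair would help policy authors, since the implementations visible in this change follow that convention.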
@@ -327,12 +333,6 @@
struct vnode *vp, struct label *label, int newmapping);
int (*mpo_check_vnode_op)(struct ucred *cred,
struct vnode *vp, struct label *label, int op);
- int (*mpo_ifnet_check_send_mbuf)(struct ifnet *ifnet,
- struct label *ifnetlabel, struct mbuf *mbuf,
- struct label *mbuflabel);
- int (*mpo_socket_check_receive_mbuf)(struct socket *socket,
- struct label *socketlabel, struct mbuf *mbuf,
- struct label *mbuflabel);
int (*mpo_check_pipe_op)(struct ucred *cred,
struct pipe *pipe, struct label *pipelabel, int op);
int (*mpo_check_pipe_ioctl)(struct ucred *cred,
@@ -414,6 +414,8 @@
MAC_CHECK_BIND_SOCKET,
MAC_CHECK_BPFDESC_RECEIVE,
MAC_CHECK_CRED_VISIBLE,
+ MAC_CHECK_IFNET_TRANSMIT,
+ MAC_CHECK_SOCKET_RECEIVE,
MAC_CHECK_SOCKET_VISIBLE,
MAC_CHECK_RELABEL_IFNET,
MAC_CHECK_RELABEL_PIPE,
@@ -451,8 +453,6 @@
MAC_CHECK_STAT_VNODE,
MAC_CHECK_VNODE_MMAP_PERMS,
MAC_CHECK_VNODE_OP,
- MAC_IFNET_CHECK_SEND_MBUF,
- MAC_SOCKET_CHECK_RECEIVE_MBUF,
MAC_CHECK_PIPE_IOCTL,
MAC_CHECK_PIPE_OP
};