PERFORCE change 15053 for review
Robert Watson
rwatson at freebsd.org
Sun Jul 28 15:43:30 GMT 2002
http://people.freebsd.org/~peter/p4db/chv.cgi?CH=15053
Change 15053 by rwatson at rwatson_paprika on 2002/07/28 08:43:28
Rename socket bind, connect, and listen entry points to be more
consistent with the mac_check_(objectname)_(methodname) format.
Affected files ...
.. //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#199 edit
.. //depot/projects/trustedbsd/mac/sys/kern/uipc_syscalls.c#14 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_none/mac_none.c#51 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.c#56 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#21 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac.h#127 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#92 edit
Differences ...
==== //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#199 (text+ko) ====
@@ -650,10 +650,6 @@
mpc->mpc_ops->mpo_relabel_subject =
mpe->mpe_function;
break;
- case MAC_CHECK_BIND_SOCKET:
- mpc->mpc_ops->mpo_check_bind_socket =
- mpe->mpe_function;
- break;
case MAC_CHECK_BPFDESC_RECEIVE:
mpc->mpc_ops->mpo_check_bpfdesc_receive =
mpe->mpe_function;
@@ -662,12 +658,20 @@
mpc->mpc_ops->mpo_check_cred_visible =
mpe->mpe_function;
break;
- case MAC_CHECK_CONNECT_SOCKET:
- mpc->mpc_ops->mpo_check_connect_socket =
+ case MAC_CHECK_IFNET_TRANSMIT:
+ mpc->mpc_ops->mpo_check_ifnet_transmit =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_SOCKET_BIND:
+ mpc->mpc_ops->mpo_check_socket_bind =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_SOCKET_CONNECT:
+ mpc->mpc_ops->mpo_check_socket_connect =
mpe->mpe_function;
break;
- case MAC_CHECK_IFNET_TRANSMIT:
- mpc->mpc_ops->mpo_check_ifnet_transmit =
+ case MAC_CHECK_SOCKET_LISTEN:
+ mpc->mpc_ops->mpo_check_socket_listen =
mpe->mpe_function;
break;
case MAC_CHECK_SOCKET_RECEIVE:
@@ -741,10 +745,6 @@
mpc->mpc_ops->mpo_check_getextattr_vnode =
mpe->mpe_function;
break;
- case MAC_CHECK_LISTEN_SOCKET:
- mpc->mpc_ops->mpo_check_listen_socket =
- mpe->mpe_function;
- break;
case MAC_CHECK_LOOKUP_VNODE:
mpc->mpc_ops->mpo_check_lookup_vnode =
mpe->mpe_function;
@@ -1867,18 +1867,6 @@
}
int
-mac_check_listen_socket(struct ucred *cred, struct socket *socket)
-{
- int error;
-
- if (!mac_enforce_socket)
- return (0);
-
- MAC_CHECK(check_listen_socket, cred, socket, &socket->so_label);
- return (error);
-}
-
-int
mac_check_lookup_vnode(struct ucred *cred, struct vnode *dvp,
struct componentname *cnp)
{
@@ -2459,21 +2447,6 @@
}
int
-mac_check_bind_socket(struct ucred *ucred, struct socket *socket,
- struct sockaddr *sockaddr)
-{
- int error;
-
- if (!mac_enforce_socket)
- return (0);
-
- MAC_CHECK(check_bind_socket, ucred, socket, &socket->so_label,
- sockaddr);
-
- return (error);
-}
-
-int
mac_check_bpfdesc_receive(struct bpf_d *bpf_d, struct ifnet *ifnet)
{
int error;
@@ -2520,7 +2493,22 @@
}
int
-mac_check_connect_socket(struct ucred *cred, struct socket *socket,
+mac_check_socket_bind(struct ucred *ucred, struct socket *socket,
+ struct sockaddr *sockaddr)
+{
+ int error;
+
+ if (!mac_enforce_socket)
+ return (0);
+
+ MAC_CHECK(check_socket_bind, ucred, socket, &socket->so_label,
+ sockaddr);
+
+ return (error);
+}
+
+int
+mac_check_socket_connect(struct ucred *cred, struct socket *socket,
struct sockaddr *sockaddr)
{
int error;
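Review bot: The relocated `mac_check_socket_bind` still names its credential parameter `ucred`, while `mac_check_socket_connect` directly below it, `mac_check_socket_listen` in the next hunk and the mac.h prototype all use `cred`. Since the purpose of this change is naming consistency, the signature could become `mac_check_socket_bind(struct ucred *cred, struct socket *socket,` with the call updated to `MAC_CHECK(check_socket_bind, cred, socket, &socket->so_label,`. The body of `mac_check_socket_connect` continues outside this hunk.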
@@ -2528,13 +2516,25 @@
if (!mac_enforce_socket)
return (0);
- MAC_CHECK(check_connect_socket, cred, socket, &socket->so_label,
+ MAC_CHECK(check_socket_connect, cred, socket, &socket->so_label,
sockaddr);
return (error);
}
int
+mac_check_socket_listen(struct ucred *cred, struct socket *socket)
+{
+ int error;
+
+ if (!mac_enforce_socket)
+ return (0);
+
+ MAC_CHECK(check_socket_listen, cred, socket, &socket->so_label);
+ return (error);
+}
+
+int
mac_check_socket_receive(struct socket *socket, struct mbuf *mbuf)
{
int error;
==== //depot/projects/trustedbsd/mac/sys/kern/uipc_syscalls.c#14 (text+ko) ====
@@ -179,7 +179,7 @@
if ((error = getsockaddr(&sa, uap->name, uap->namelen)) != 0)
goto done1;
#ifdef MAC
- error = mac_check_bind_socket(td->td_ucred, so, sa);
+ error = mac_check_socket_bind(td->td_ucred, so, sa);
if (error) {
FREE(sa, M_SONAME);
goto done1;
@@ -212,7 +212,7 @@
mtx_lock(&Giant);
if ((error = fgetsock(td, uap->s, &so, NULL)) == 0) {
#ifdef MAC
- error = mac_check_listen_socket(td->td_ucred, so);
+ error = mac_check_socket_listen(td->td_ucred, so);
if (error)
goto done;
#endif
@@ -454,7 +454,7 @@
if (error)
goto done1;
#ifdef MAC
- error = mac_check_connect_socket(td->td_ucred, so, sa);
+ error = mac_check_socket_connect(td->td_ucred, so, sa);
if (error)
goto bad;
#endif
==== //depot/projects/trustedbsd/mac/sys/security/mac_none/mac_none.c#51 (text+ko) ====
@@ -549,14 +549,6 @@
* Access control checks.
*/
static int
-mac_none_check_bind_socket(struct ucred *cred, struct socket *socket,
- struct label *socketlabel, struct sockaddr *sockaddr)
-{
-
- return (0);
-}
-
-static int
mac_none_check_bpfdesc_receive(struct bpf_d *bpf_d, struct label *bpflabel,
struct ifnet *ifnet, struct label *ifnet_label)
{
@@ -580,7 +572,15 @@
}
static int
-mac_none_check_connect_socket(struct ucred *cred, struct socket *socket,
+mac_none_check_socket_bind(struct ucred *cred, struct socket *socket,
+ struct label *socketlabel, struct sockaddr *sockaddr)
+{
+
+ return (0);
+}
+
+static int
+mac_none_check_socket_connect(struct ucred *cred, struct socket *socket,
struct label *socketlabel, struct sockaddr *sockaddr)
{
@@ -588,6 +588,14 @@
}
static int
+mac_none_check_socket_listen(struct ucred *cred, struct vnode *vp,
+ struct label *socketlabel)
+{
+
+ return (0);
+}
+
+static int
mac_none_check_socket_receive(struct socket *so, struct label *socketlabel,
struct mbuf *m, struct label *mbuflabel)
{
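Review bot: `mac_none_check_socket_listen` declares its second parameter as `struct vnode *vp`, but the `mpo_check_socket_listen` slot added to mac_policy.h in this change takes `struct socket *so`. The `(macop_t)` cast in the ops table keeps the compiler from reporting the mismatch, which was carried over from the old `mac_none_check_listen_socket`. The stub only returns 0, so behaviour is probably unaffected, but the prototype should match the slot it is registered for: `mac_none_check_socket_listen(struct ucred *cred, struct socket *socket,`.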
@@ -731,14 +739,6 @@
}
static int
-mac_none_check_listen_socket(struct ucred *cred, struct vnode *vp,
- struct label *socketlabel)
-{
-
- return (0);
-}
-
-static int
mac_none_check_lookup_vnode(struct ucred *cred, struct vnode *dvp,
struct label *dlabel, struct componentname *cnp)
{
@@ -1016,16 +1016,18 @@
(macop_t)mac_none_create_proc1 },
{ MAC_RELABEL_SUBJECT,
(macop_t)mac_none_relabel_subject },
- { MAC_CHECK_BIND_SOCKET,
- (macop_t)mac_none_check_bind_socket },
{ MAC_CHECK_BPFDESC_RECEIVE,
(macop_t)mac_none_check_bpfdesc_receive },
{ MAC_CHECK_CRED_VISIBLE,
(macop_t)mac_none_check_cred_visible },
{ MAC_CHECK_IFNET_TRANSMIT,
(macop_t)mac_none_check_ifnet_transmit },
- { MAC_CHECK_CONNECT_SOCKET,
- (macop_t)mac_none_check_connect_socket },
+ { MAC_CHECK_SOCKET_BIND,
+ (macop_t)mac_none_check_socket_bind },
+ { MAC_CHECK_SOCKET_CONNECT,
+ (macop_t)mac_none_check_socket_connect },
+ { MAC_CHECK_SOCKET_LISTEN,
+ (macop_t)mac_none_check_socket_listen },
{ MAC_CHECK_SOCKET_RECEIVE,
(macop_t)mac_none_check_socket_receive },
{ MAC_CHECK_SOCKET_VISIBLE,
@@ -1062,8 +1064,6 @@
(macop_t)mac_none_check_getacl_vnode },
{ MAC_CHECK_GETEXTATTR_VNODE,
(macop_t)mac_none_check_getextattr_vnode },
- { MAC_CHECK_LISTEN_SOCKET,
- (macop_t)mac_none_check_listen_socket },
{ MAC_CHECK_LOOKUP_VNODE,
(macop_t)mac_none_check_lookup_vnode },
{ MAC_CHECK_OPEN_VNODE,
==== //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.c#56 (text+ko) ====
@@ -660,18 +660,6 @@
}
static int
-mac_te_check_bind_socket(struct ucred *cred, struct socket *socket,
- struct label *socketlabel, struct sockaddr *sockaddr)
-{
-
- if (!mac_te_enabled)
- return (0);
-
- return (mac_te_check(SLOT(&cred->cr_label), SLOT(socketlabel),
- MAC_TE_CLASS_SOCKET, MAC_TE_OPERATION_SOCKET_BIND));
-}
-
-static int
mac_te_check_bpfdesc_receive(struct bpf_d *bpf_d, struct label *bpflabel,
struct ifnet *ifnet, struct label *ifnetlabel)
{
@@ -706,7 +694,19 @@
}
static int
-mac_te_check_connect_socket(struct ucred *cred, struct socket *socket,
+mac_te_check_socket_bind(struct ucred *cred, struct socket *socket,
+ struct label *socketlabel, struct sockaddr *sockaddr)
+{
+
+ if (!mac_te_enabled)
+ return (0);
+
+ return (mac_te_check(SLOT(&cred->cr_label), SLOT(socketlabel),
+ MAC_TE_CLASS_SOCKET, MAC_TE_OPERATION_SOCKET_BIND));
+}
+
+static int
+mac_te_check_socket_connect(struct ucred *cred, struct socket *socket,
struct label *socketlabel, struct sockaddr *sockaddr)
{
@@ -718,7 +718,7 @@
}
static int
-mac_te_check_listen_socket(struct ucred *cred, struct socket *socket,
+mac_te_check_socket_listen(struct ucred *cred, struct socket *socket,
struct label *socketlabel)
{
@@ -1742,17 +1742,18 @@
{ MAC_CREATE_PROC1, (macop_t)mac_te_create_proc1 },
{ MAC_RELABEL_SUBJECT, (macop_t)mac_te_relabel_subject },
{ MAC_RELABEL_VNODE, (macop_t)mac_te_relabel_vnode },
- { MAC_CHECK_BIND_SOCKET, (macop_t)mac_te_check_bind_socket },
{ MAC_CHECK_BPFDESC_RECEIVE,
(macop_t)mac_te_check_bpfdesc_receive },
{ MAC_CHECK_CRED_VISIBLE,
(macop_t)mac_te_check_cred_visible },
{ MAC_CHECK_IFNET_TRANSMIT,
(macop_t)mac_te_check_ifnet_transmit },
- { MAC_CHECK_CONNECT_SOCKET,
- (macop_t)mac_te_check_connect_socket },
- { MAC_CHECK_LISTEN_SOCKET,
- (macop_t)mac_te_check_listen_socket },
+ { MAC_CHECK_SOCKET_BIND,
+ (macop_t)mac_te_check_socket_bind },
+ { MAC_CHECK_SOCKET_CONNECT,
+ (macop_t)mac_te_check_socket_connect },
+ { MAC_CHECK_SOCKET_LISTEN,
+ (macop_t)mac_te_check_socket_listen },
{ MAC_CHECK_SOCKET_RECEIVE,
(macop_t)mac_te_check_socket_receive },
{ MAC_CHECK_SOCKET_VISIBLE,
==== //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#21 (text+ko) ====
@@ -757,38 +757,46 @@
* Access control checks.
*/
static int
-mac_test_check_bind_socket(struct ucred *cred, struct socket *socket,
- struct label *socketlabel, struct sockaddr *sockaddr)
+mac_test_check_bpfdesc_receive(struct bpf_d *bpf_d, struct label *bpflabel,
+ struct ifnet *ifnet, struct label *ifnetlabel)
+{
+
+ return (0);
+}
+
+static int
+mac_test_check_cred_visible(struct ucred *u1, struct ucred *u2)
{
return (0);
}
static int
-mac_test_check_bpfdesc_receive(struct bpf_d *bpf_d, struct label *bpflabel,
- struct ifnet *ifnet, struct label *ifnetlabel)
+mac_test_check_ifnet_transmit(struct ifnet *ifnet, struct label *ifnetlabel,
+ struct mbuf *m, struct label *mbuflabel)
{
return (0);
}
static int
-mac_test_check_cred_visible(struct ucred *u1, struct ucred *u2)
+mac_test_check_socket_bind(struct ucred *cred, struct socket *socket,
+ struct label *socketlabel, struct sockaddr *sockaddr)
{
return (0);
}
static int
-mac_test_check_ifnet_transmit(struct ifnet *ifnet, struct label *ifnetlabel,
- struct mbuf *m, struct label *mbuflabel)
+mac_test_check_socket_connect(struct ucred *cred, struct socket *socket,
+ struct label *socketlabel, struct sockaddr *sockaddr)
{
return (0);
}
static int
-mac_test_check_connect_socket(struct ucred *cred, struct socket *socket,
+mac_test_check_socket_listen(struct ucred *cred, struct socket *socket,
struct label *socketlabel, struct sockaddr *sockaddr)
{
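Review bot: `mac_test_check_socket_listen` ends up with a fourth parameter, `struct sockaddr *sockaddr`, because the unchanged context line after the renamed signature belonged to the old connect stub; the `mpo_check_socket_listen` pointer in mac_policy.h takes only `cred`, `so` and `socketlabel`. The framework would call it with three arguments through the `(macop_t)` cast, so any use of `sockaddr` in the body would read an indeterminate value. The second signature line should be `struct label *socketlabel)`. The function body lies outside this hunk, so whether it touches `sockaddr` cannot be confirmed from here.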
@@ -955,14 +963,6 @@
}
static int
-mac_test_check_listen_socket(struct ucred *cred, struct socket *socket,
- struct label *socketlabel, struct sockaddr *sockaddr)
-{
-
- return (0);
-}
-
-static int
mac_test_check_lookup_vnode(struct ucred *cred, struct vnode *dvp,
struct label *dlabel, struct componentname *cnp)
{
@@ -1222,16 +1222,18 @@
(macop_t)mac_test_create_proc1 },
{ MAC_RELABEL_SUBJECT,
(macop_t)mac_test_relabel_subject },
- { MAC_CHECK_BIND_SOCKET,
- (macop_t)mac_test_check_bind_socket },
{ MAC_CHECK_BPFDESC_RECEIVE,
(macop_t)mac_test_check_bpfdesc_receive },
{ MAC_CHECK_CRED_VISIBLE,
(macop_t)mac_test_check_cred_visible },
{ MAC_CHECK_IFNET_TRANSMIT,
(macop_t)mac_test_check_ifnet_transmit },
- { MAC_CHECK_CONNECT_SOCKET,
- (macop_t)mac_test_check_connect_socket },
+ { MAC_CHECK_SOCKET_BIND,
+ (macop_t)mac_test_check_socket_bind },
+ { MAC_CHECK_SOCKET_CONNECT,
+ (macop_t)mac_test_check_socket_connect },
+ { MAC_CHECK_SOCKET_LISTEN,
+ (macop_t)mac_test_check_socket_listen },
{ MAC_CHECK_SOCKET_RECEIVE,
(macop_t)mac_test_check_socket_receive },
{ MAC_CHECK_SOCKET_VISIBLE,
@@ -1268,8 +1270,6 @@
(macop_t)mac_test_check_getacl_vnode },
{ MAC_CHECK_GETEXTATTR_VNODE,
(macop_t)mac_test_check_getextattr_vnode },
- { MAC_CHECK_LISTEN_SOCKET,
- (macop_t)mac_test_check_listen_socket },
{ MAC_CHECK_LOOKUP_VNODE,
(macop_t)mac_test_check_lookup_vnode },
{ MAC_CHECK_OPEN_VNODE,
==== //depot/projects/trustedbsd/mac/sys/sys/mac.h#127 (text+ko) ====
@@ -259,13 +259,9 @@
/* Authorizational event hooks. */
int mac_check_access_vnode(struct ucred *cred, struct vnode *vp,
int flags);
-int mac_check_bind_socket(struct ucred *cred, struct socket *so,
- struct sockaddr *sa);
int mac_check_bpfdesc_receive(struct bpf_d *bpf_d, struct ifnet *ifnet);
int mac_check_chdir_vnode(struct ucred *cred, struct vnode *dvp);
int mac_check_chroot_vnode(struct ucred *cred, struct vnode *dvp);
-int mac_check_connect_socket(struct ucred *cred, struct socket *so,
- struct sockaddr *sa);
int mac_check_create_vnode(struct ucred *cred, struct vnode *dvp,
struct componentname *cnp, struct vattr *vap);
int mac_check_deleteacl_vnode(struct ucred *cred, struct vnode *vp,
@@ -274,8 +270,6 @@
acl_type_t type);
int mac_check_getextattr_vnode(struct ucred *cred, struct vnode *vp,
int attrnamespace, const char *name, struct uio *uio);
-int mac_check_listen_socket(struct ucred *cred,
- struct socket *socket);
int mac_check_lookup_vnode(struct ucred *cred, struct vnode *dvp,
struct componentname *cnp);
int mac_check_setacl_vnode(struct ucred *cred, struct vnode *vp,
@@ -371,6 +365,12 @@
void mac_update_ipq_from_fragment(struct mbuf *fragment, struct ipq *ipq);
int mac_check_ifnet_transmit(struct ifnet *ifnet, struct mbuf *m);
+
+int mac_check_socket_bind(struct ucred *cred, struct socket *so,
+ struct sockaddr *sockaddr);
+int mac_check_socket_connect(struct ucred *cred, struct socket *so,
+ struct sockaddr *sockaddr);
+int mac_check_socket_listen(struct ucred *cred, struct socket *so);
int mac_check_socket_receive(struct socket *so, struct mbuf *m);
/* Hooks for the proc-based "can"-checks. */
==== //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#92 (text+ko) ====
@@ -228,9 +228,6 @@
/*
* Access control checks.
*/
- int (*mpo_check_bind_socket)(struct ucred *cred,
- struct socket *socket, struct label *socketlabel,
- struct sockaddr *sockaddr);
int (*mpo_check_bpfdesc_receive)(struct bpf_d *bpf_d,
struct label *bpflabel, struct ifnet *ifnet,
struct label *ifnetlabel);
@@ -238,9 +235,14 @@
int (*mpo_check_ifnet_transmit)(struct ifnet *ifnet,
struct label *ifnetlabel, struct mbuf *m,
struct label *mbuflabel);
- int (*mpo_check_connect_socket)(struct ucred *cred,
- struct socket *socket, struct label *socketlabel,
+ int (*mpo_check_socket_bind)(struct ucred *cred,
+ struct socket *so, struct label *socketlabel,
+ struct sockaddr *sockaddr);
+ int (*mpo_check_socket_connect)(struct ucred *cred,
+ struct socket *so, struct label *socketlabel,
struct sockaddr *sockaddr);
+ int (*mpo_check_socket_listen)(struct ucred *cred,
+ struct socket *so, struct label *socketlabel);
int (*mpo_check_socket_receive)(struct socket *so,
struct label *socketlabel, struct mbuf *m,
struct label *mbuflabel);
@@ -285,8 +287,6 @@
int (*mpo_check_getextattr_vnode)(struct ucred *cred,
struct vnode *vp, struct label *label,
int attrnamespace, const char *name, struct uio *uio);
- int (*mpo_check_listen_socket)(struct ucred *cred,
- struct socket *socket, struct label *socketlabel);
int (*mpo_check_lookup_vnode)(struct ucred *cred,
struct vnode *dvp, struct label *dlabel,
struct componentname *cnp);
@@ -411,10 +411,12 @@
MAC_CREATE_PROC0,
MAC_CREATE_PROC1,
MAC_RELABEL_SUBJECT,
- MAC_CHECK_BIND_SOCKET,
MAC_CHECK_BPFDESC_RECEIVE,
MAC_CHECK_CRED_VISIBLE,
MAC_CHECK_IFNET_TRANSMIT,
+ MAC_CHECK_SOCKET_BIND,
+ MAC_CHECK_SOCKET_CONNECT,
+ MAC_CHECK_SOCKET_LISTEN,
MAC_CHECK_SOCKET_RECEIVE,
MAC_CHECK_SOCKET_VISIBLE,
MAC_CHECK_RELABEL_IFNET,
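Review bot: Moving the socket entries within this enum (here and in the `@@ -427,14 +429,12 @@` hunk) changes the numeric value of several `MAC_CHECK_*` operation ids, and the earlier hunks reorder the function-pointer members of the ops structure. If policy modules can be built separately from the kernel, a module compiled against the old header would presumably have its entry points stored in the wrong slots by the registration switch in kern_mac.c, so an access check could be dispatched to an unrelated handler. Nothing visible in the diff detects that situation. A comment above the enum would record the constraint, for example `/* Operation ids are positional; rebuild all policy modules when this list changes. */`.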
@@ -427,14 +429,12 @@
MAC_CHECK_ACCESS_VNODE,
MAC_CHECK_CHDIR_VNODE,
MAC_CHECK_CHROOT_VNODE,
- MAC_CHECK_CONNECT_SOCKET,
MAC_CHECK_CREATE_VNODE,
MAC_CHECK_DELETE_VNODE,
MAC_CHECK_DELETEACL_VNODE,
MAC_CHECK_EXEC_VNODE,
MAC_CHECK_GETACL_VNODE,
MAC_CHECK_GETEXTATTR_VNODE,
- MAC_CHECK_LISTEN_SOCKET,
MAC_CHECK_LOOKUP_VNODE,
MAC_CHECK_OPEN_VNODE,
MAC_CHECK_READDIR_VNODE,