PERFORCE change 15078 for review
Robert Watson
rwatson at freebsd.org
Sun Jul 28 23:12:25 GMT 2002
http://people.freebsd.org/~peter/p4db/chv.cgi?CH=15078
Change 15078 by rwatson at rwatson_paprika on 2002/07/28 16:11:27
Rename the various relabel checks to the new entry point
naming convention.
Affected files ...
.. //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#203 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#80 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#68 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_none/mac_none.c#55 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_partition/mac_partition.c#9 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.c#60 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#25 edit
.. //depot/projects/trustedbsd/mac/sys/security/sebsd/sebsd.c#17 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#96 edit
Differences ...
==== //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#203 (text+ko) ====
@@ -162,10 +162,10 @@
static int mac_policy_unregister(struct mac_policy_conf *mpc);
static int mac_stdcreatevnode_ea(struct vnode *vp);
-static void mac_subject_mmapped_drop_perms(struct thread *td,
- struct ucred *cred);
-static void mac_subject_mmapped_drop_perms_recurse(struct thread *td,
- struct ucred *cred, struct vm_map *map);
+static void mac_subject_mmapped_drop_perms(struct thread *td,
+ struct ucred *cred);
+static void mac_subject_mmapped_drop_perms_recurse(struct thread *td,
+ struct ucred *cred, struct vm_map *map);
/*
* mac_policy_list_lock protects the consistency of 'mac_policy_list',
@@ -654,10 +654,18 @@
mpc->mpc_ops->mpo_check_bpfdesc_receive =
mpe->mpe_function;
break;
+ case MAC_CHECK_CRED_RELABEL:
+ mpc->mpc_ops->mpo_check_cred_relabel =
+ mpe->mpe_function;
+ break;
case MAC_CHECK_CRED_VISIBLE:
mpc->mpc_ops->mpo_check_cred_visible =
mpe->mpe_function;
break;
+ case MAC_CHECK_IFNET_RELABEL:
+ mpc->mpc_ops->mpo_check_ifnet_relabel =
+ mpe->mpe_function;
+ break;
case MAC_CHECK_IFNET_TRANSMIT:
mpc->mpc_ops->mpo_check_ifnet_transmit =
mpe->mpe_function;
@@ -666,6 +674,10 @@
mpc->mpc_ops->mpo_check_mount_stat =
mpe->mpe_function;
break;
+ case MAC_CHECK_PIPE_RELABEL:
+ mpc->mpc_ops->mpo_check_pipe_relabel =
+ mpe->mpe_function;
+ break;
case MAC_CHECK_PROC_DEBUG:
mpc->mpc_ops->mpo_check_proc_debug =
mpe->mpe_function;
@@ -694,30 +706,14 @@
mpc->mpc_ops->mpo_check_socket_receive =
mpe->mpe_function;
break;
+ case MAC_CHECK_SOCKET_RELABEL:
+ mpc->mpc_ops->mpo_check_socket_relabel =
+ mpe->mpe_function;
+ break;
case MAC_CHECK_SOCKET_VISIBLE:
mpc->mpc_ops->mpo_check_socket_visible =
mpe->mpe_function;
break;
- case MAC_CHECK_RELABEL_IFNET:
- mpc->mpc_ops->mpo_check_relabel_ifnet =
- mpe->mpe_function;
- break;
- case MAC_CHECK_RELABEL_PIPE:
- mpc->mpc_ops->mpo_check_relabel_pipe =
- mpe->mpe_function;
- break;
- case MAC_CHECK_RELABEL_SOCKET:
- mpc->mpc_ops->mpo_check_relabel_socket =
- mpe->mpe_function;
- break;
- case MAC_CHECK_RELABEL_SUBJECT:
- mpc->mpc_ops->mpo_check_relabel_subject =
- mpe->mpe_function;
- break;
- case MAC_CHECK_RELABEL_VNODE:
- mpc->mpc_ops->mpo_check_relabel_vnode =
- mpe->mpe_function;
- break;
case MAC_CHECK_VNODE_ACCESS:
mpc->mpc_ops->mpo_check_vnode_access =
mpe->mpe_function;
@@ -770,6 +766,10 @@
mpc->mpc_ops->mpo_check_vnode_readlink =
mpe->mpe_function;
break;
+ case MAC_CHECK_VNODE_RELABEL:
+ mpc->mpc_ops->mpo_check_vnode_relabel =
+ mpe->mpe_function;
+ break;
case MAC_CHECK_VNODE_RENAME_FROM:
mpc->mpc_ops->mpo_check_vnode_rename_from =
mpe->mpe_function;
@@ -1667,39 +1667,6 @@
MAC_PERFORM(create_subject, parent_cred, child_cred);
}
-/*
- * Processes may need to modify their current subject label if they
- * perform multi-level activities, or proxy data between levels.
- * This function determines if a particular label change is permitted.
- * 0 is returned for success, otherwise an errno.
- */
-static int
-mac_check_relabel_subject(struct ucred *cred, struct label *newlabel)
-{
- int error;
-
- MAC_CHECK(check_relabel_subject, cred, newlabel);
-
- return (error);
-}
-
-static int
-mac_check_relabel_vnode(struct ucred *cred, struct vnode *vp,
- struct label *newlabel)
-{
- int error;
-
- ASSERT_VOP_LOCKED(vp, "mac_check_relabel_vnode");
-
- error = vn_refreshlabel(vp, cred);
- if (error)
- return (error);
-
- MAC_CHECK(check_relabel_vnode, cred, vp, &vp->v_label, newlabel);
-
- return (error);
-}
-
int
mac_check_vnode_access(struct ucred *cred, struct vnode *vp, int flags)
{
@@ -1914,6 +1881,23 @@
return (error);
}
+static int
+mac_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
+ struct label *newlabel)
+{
+ int error;
+
+ ASSERT_VOP_LOCKED(vp, "mac_check_vnode_relabel");
+
+ error = vn_refreshlabel(vp, cred);
+ if (error)
+ return (error);
+
+ MAC_CHECK(check_vnode_relabel, cred, vp, &vp->v_label, newlabel);
+
+ return (error);
+}
+
int
mac_check_vnode_revoke(struct ucred *cred, struct vnode *vp)
{
@@ -2347,29 +2331,6 @@
&mbuf->m_pkthdr.label);
}
-static int
-mac_check_relabel_socket(struct ucred *cred, struct socket *socket,
- struct label *newlabel)
-{
- int error;
-
- MAC_CHECK(check_relabel_socket, cred, socket, &socket->so_label,
- newlabel);
-
- return (error);
-}
-
-static int
-mac_check_relabel_pipe(struct ucred *cred, struct pipe *pipe,
- struct label *newlabel)
-{
- int error;
-
- MAC_CHECK(check_relabel_pipe, cred, pipe, pipe->pipe_label, newlabel);
-
- return (error);
-}
-
int
mac_check_pipe_op(struct ucred *cred, struct pipe *pipe, int op)
{
@@ -2421,6 +2382,16 @@
return (error);
}
+static int
+mac_check_cred_relabel(struct ucred *cred, struct label *newlabel)
+{
+ int error;
+
+ MAC_CHECK(check_cred_relabel, cred, newlabel);
+
+ return (error);
+}
+
int
mac_check_cred_visible(struct ucred *u1, struct ucred *u2)
{
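Review bot: The explanatory comment that preceded the old mac_check_relabel_subject (processes may need to change their own label when doing multi-level work or proxying data between levels; 0 on success, otherwise an errno) was dropped when the function was moved and renamed to mac_check_cred_relabel, so the new definition in this hunk is undocumented. Restoring that comment above `static int` / `mac_check_cred_relabel(struct ucred *cred, struct label *newlabel)` keeps the entry point's intent and its return convention visible to policy authors. The moved mac_check_vnode_relabel, mac_check_pipe_relabel and mac_check_socket_relabel elsewhere in this file never had a header comment; a one-line purpose comment on each would match the style used for mac_check_relabel_subject.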
@@ -2466,6 +2437,17 @@
return (error);
}
+static int
+mac_check_pipe_relabel(struct ucred *cred, struct pipe *pipe,
+ struct label *newlabel)
+{
+ int error;
+
+ MAC_CHECK(check_pipe_relabel, cred, pipe, pipe->pipe_label, newlabel);
+
+ return (error);
+}
+
int
mac_check_proc_debug(struct ucred *cred, struct proc *proc)
{
@@ -2561,6 +2543,18 @@
return (error);
}
+static int
+mac_check_socket_relabel(struct ucred *cred, struct socket *socket,
+ struct label *newlabel)
+{
+ int error;
+
+ MAC_CHECK(check_socket_relabel, cred, socket, &socket->so_label,
+ newlabel);
+
+ return (error);
+}
+
int
mac_check_socket_visible(struct ucred *cred, struct socket *socket)
{
@@ -2613,7 +2607,7 @@
if (error)
goto out;
- MAC_CHECK(check_relabel_ifnet, cred, ifnet, &ifnet->if_label,
+ MAC_CHECK(check_ifnet_relabel, cred, ifnet, &ifnet->if_label,
&intlabel);
if (error)
goto out;
@@ -2722,7 +2716,7 @@
if (error)
return (error);
- mac_check_relabel_socket(cred, so, &intlabel);
+ mac_check_socket_relabel(cred, so, &intlabel);
if (error) {
mac_destroy_temp(&intlabel);
return (error);
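Review bot: The result of `mac_check_socket_relabel(cred, so, &intlabel);` is discarded, so the `if (error)` that follows tests the value left by the earlier call, which the preceding `if (error) return (error);` has already established to be 0; the policy's socket relabel decision is therefore never enforced on this path. The line should read `error = mac_check_socket_relabel(cred, so, &intlabel);`. The defect predates the rename, but the commit touches exactly this line and is the natural place to fix it. The enclosing function starts and ends outside the hunk.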
@@ -2739,7 +2733,7 @@
{
int error;
- error = mac_check_relabel_pipe(cred, pipe, label);
+ error = mac_check_pipe_relabel(cred, pipe, label);
if (error)
return (error);
@@ -2824,7 +2818,7 @@
* update the actual vnode label. Question: maybe the filesystem
* should update the vnode at the end as part of VOP_SETLABEL()?
*/
- error = mac_check_relabel_vnode(cred, vp, intlabel);
+ error = mac_check_vnode_relabel(cred, vp, intlabel);
if (error)
return (error);
@@ -2890,7 +2884,7 @@
PROC_LOCK(p);
oldcred = p->p_ucred;
- error = mac_check_relabel_subject(oldcred, &intlabel);
+ error = mac_check_cred_relabel(oldcred, &intlabel);
if (error) {
PROC_UNLOCK(p);
mac_destroy_temp(&intlabel);
==== //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#80 (text+ko) ====
@@ -1181,6 +1181,44 @@
}
static int
+mac_biba_check_cred_relabel(struct ucred *cred, struct label *newlabel)
+{
+ struct mac_biba *subj, *new;
+
+ subj = SLOT(&cred->cr_label);
+ new = SLOT(newlabel);
+
+ if ((new->mb_flags & MAC_BIBA_FLAGS_BOTH) != MAC_BIBA_FLAGS_BOTH)
+ return (EINVAL);
+
+ /*
+ * XXX: Allow processes with root privilege to set labels outside
+ * their range, so suid things like "su" work. This WILL go away
+ * when we figure out the 'correct' solution...
+ */
+ if (!suser_cred(cred, 0))
+ return (0);
+
+ /*
+ * The new single must be in the old range.
+ */
+ if (!mac_biba_single_in_range(new, subj))
+ return (EPERM);
+
+ /*
+ * The new range must be in the old range.
+ */
+ if (!mac_biba_range_in_range(new, subj))
+ return (EPERM);
+
+ /*
+ * XXX: Don't permit EQUAL in a label unless the subject has EQUAL.
+ */
+
+ return (0);
+}
+
+static int
mac_biba_check_cred_visible(struct ucred *u1, struct ucred *u2)
{
struct mac_biba *subj, *obj;
@@ -1198,6 +1236,26 @@
return (0);
}
+static int
+mac_biba_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet,
+ struct label *ifnetlabel, struct label *newlabel)
+{
+ struct mac_biba *subj, *new;
+
+ subj = SLOT(&cred->cr_label);
+ new = SLOT(newlabel);
+
+ if ((new->mb_flags & MAC_BIBA_FLAGS_BOTH) != MAC_BIBA_FLAGS_BOTH)
+ return (EINVAL);
+
+ /*
+ * XXX: Only Biba HIGH subjects may relabel interfaces. */
+ if (!mac_biba_high_single(subj))
+ return (EPERM);
+
+ return (suser_cred(cred, 0));
+}
+
static int
mac_biba_check_ifnet_transmit(struct ifnet *ifnet, struct label *ifnetlabel,
struct mbuf *m, struct label *mbuflabel)
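Review bot: The block comment inside mac_biba_check_ifnet_relabel closes on the same line as its text (`* XXX: Only Biba HIGH subjects may relabel interfaces. */`), unlike every other multi-line comment in this file, which puts `*/` on its own line; either collapse it to the single line `/* XXX: Only Biba HIGH subjects may relabel interfaces. */` or move the terminator down. Separately, `ifnetlabel` is never read, so the interface's current label plays no part in the decision; presumably that is intended because a Biba HIGH single dominates any existing label, but a short comment saying so would stop the unused parameter being read as an omission.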
@@ -1232,6 +1290,40 @@
}
static int
+mac_biba_check_pipe_relabel(struct ucred *cred, struct pipe *pipe,
+ struct label *pipelabel, struct label *newlabel)
+{
+ struct mac_biba *subj, *obj, *new;
+
+ new = SLOT(newlabel);
+ subj = SLOT(&cred->cr_label);
+ obj = SLOT(pipelabel);
+
+ if ((new->mb_flags & MAC_BIBA_FLAGS_BOTH) != MAC_BIBA_FLAG_SINGLE)
+ return (EINVAL);
+
+ /*
+ * To relabel a pipe, the old pipe label must be in the subject
+ * range.
+ */
+ if (!mac_biba_single_in_range(obj, subj))
+ return (EPERM);
+
+ /*
+ * To relabel a pipe, the new pipe label must be in the subject
+ * range.
+ */
+ if (!mac_biba_single_in_range(new, subj))
+ return (EPERM);
+
+ /*
+ * XXX: Don't permit EQUAL in a label unless the subject has EQUAL.
+ */
+
+ return (0);
+}
+
+static int
mac_biba_check_proc_debug(struct ucred *cred, struct proc *proc)
{
struct mac_biba *subj, *obj;
@@ -1307,42 +1399,7 @@
}
static int
-mac_biba_check_socket_visible(struct ucred *cred, struct socket *socket,
- struct label *socketlabel)
-{
- struct mac_biba *subj, *obj;
-
- subj = SLOT(&cred->cr_label);
- obj = SLOT(socketlabel);
-
- if (!mac_biba_dominate_single(obj, subj))
- return (ENOENT);
-
- return (0);
-}
-
-static int
-mac_biba_check_relabel_ifnet(struct ucred *cred, struct ifnet *ifnet,
- struct label *ifnetlabel, struct label *newlabel)
-{
- struct mac_biba *subj, *new;
-
- subj = SLOT(&cred->cr_label);
- new = SLOT(newlabel);
-
- if ((new->mb_flags & MAC_BIBA_FLAGS_BOTH) != MAC_BIBA_FLAGS_BOTH)
- return (EINVAL);
-
- /*
- * XXX: Only Biba HIGH subjects may relabel interfaces. */
- if (!mac_biba_high_single(subj))
- return (EPERM);
-
- return (suser_cred(cred, 0));
-}
-
-static int
-mac_biba_check_relabel_socket(struct ucred *cred, struct socket *socket,
+mac_biba_check_socket_relabel(struct ucred *cred, struct socket *socket,
struct label *socketlabel, struct label *newlabel)
{
struct mac_biba *subj, *obj, *new;
@@ -1376,112 +1433,21 @@
}
static int
-mac_biba_check_relabel_pipe(struct ucred *cred, struct pipe *pipe,
- struct label *pipelabel, struct label *newlabel)
+mac_biba_check_socket_visible(struct ucred *cred, struct socket *socket,
+ struct label *socketlabel)
{
- struct mac_biba *subj, *obj, *new;
+ struct mac_biba *subj, *obj;
- new = SLOT(newlabel);
subj = SLOT(&cred->cr_label);
- obj = SLOT(pipelabel);
+ obj = SLOT(socketlabel);
- if ((new->mb_flags & MAC_BIBA_FLAGS_BOTH) != MAC_BIBA_FLAG_SINGLE)
- return (EINVAL);
-
- /*
- * To relabel a pipe, the old pipe label must be in the subject
- * range.
- */
- if (!mac_biba_single_in_range(obj, subj))
- return (EPERM);
-
- /*
- * To relabel a pipe, the new pipe label must be in the subject
- * range.
- */
- if (!mac_biba_single_in_range(new, subj))
- return (EPERM);
-
- /*
- * XXX: Don't permit EQUAL in a label unless the subject has EQUAL.
- */
-
- return (0);
-}
-
-static int
-mac_biba_check_relabel_subject(struct ucred *cred, struct label *newlabel)
-{
- struct mac_biba *subj, *new;
-
- subj = SLOT(&cred->cr_label);
- new = SLOT(newlabel);
-
- if ((new->mb_flags & MAC_BIBA_FLAGS_BOTH) != MAC_BIBA_FLAGS_BOTH)
- return (EINVAL);
-
- /*
- * XXX: Allow processes with root privilege to set labels outside
- * their range, so suid things like "su" work. This WILL go away
- * when we figure out the 'correct' solution...
- */
- if (!suser_cred(cred, 0))
- return (0);
-
- /*
- * The new single must be in the old range.
- */
- if (!mac_biba_single_in_range(new, subj))
- return (EPERM);
-
- /*
- * The new range must be in the old range.
- */
- if (!mac_biba_range_in_range(new, subj))
- return (EPERM);
-
- /*
- * XXX: Don't permit EQUAL in a label unless the subject has EQUAL.
- */
+ if (!mac_biba_dominate_single(obj, subj))
+ return (ENOENT);
return (0);
}
static int
-mac_biba_check_relabel_vnode(struct ucred *cred, struct vnode *vp,
- struct label *vnodelabel, struct label *newlabel)
-{
- struct mac_biba *old, *new, *subj;
-
- old = SLOT(vnodelabel);
- new = SLOT(newlabel);
- subj = SLOT(&cred->cr_label);
-
- if ((new->mb_flags & MAC_BIBA_FLAGS_BOTH) != MAC_BIBA_FLAG_SINGLE)
- return (EINVAL);
-
- /*
- * To relabel a vnode, the old vnode label must be in the subject
- * range.
- */
- if (!mac_biba_single_in_range(old, subj))
- return (EPERM);
-
- /*
- * To relabel a vnode, the new vnode label must be in the subject
- * range.
- */
- if (!mac_biba_single_in_range(new, subj))
- return (EPERM);
-
- /*
- * XXX: Don't permit EQUAL in a label unless the subject has EQUAL.
- */
-
- return (suser_cred(cred, 0));
-}
-
-static int
mac_biba_check_vnode_access(struct ucred *cred, struct vnode *vp,
struct label *label, mode_t flags)
{
@@ -1719,6 +1685,40 @@
}
static int
+mac_biba_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
+ struct label *vnodelabel, struct label *newlabel)
+{
+ struct mac_biba *old, *new, *subj;
+
+ old = SLOT(vnodelabel);
+ new = SLOT(newlabel);
+ subj = SLOT(&cred->cr_label);
+
+ if ((new->mb_flags & MAC_BIBA_FLAGS_BOTH) != MAC_BIBA_FLAG_SINGLE)
+ return (EINVAL);
+
+ /*
+ * To relabel a vnode, the old vnode label must be in the subject
+ * range.
+ */
+ if (!mac_biba_single_in_range(old, subj))
+ return (EPERM);
+
+ /*
+ * To relabel a vnode, the new vnode label must be in the subject
+ * range.
+ */
+ if (!mac_biba_single_in_range(new, subj))
+ return (EPERM);
+
+ /*
+ * XXX: Don't permit EQUAL in a label unless the subject has EQUAL.
+ */
+
+ return (suser_cred(cred, 0));
+}
+
+static int
mac_biba_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
struct label *dlabel, struct vnode *vp, struct label *label,
struct componentname *cnp)
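Review bot: mac_biba_check_vnode_relabel ends with `return (suser_cred(cred, 0));`, so a vnode relabel additionally requires privilege even after both range checks pass, whereas mac_biba_check_pipe_relabel (hunk @@ -1232 above) returns 0 under the same two checks; nothing in the code records whether that asymmetry is deliberate. A one-line comment above the final return, such as `/* Unlike pipe relabel, vnode relabel also requires privilege. */`, would keep the next reader from "fixing" either side. The MLS policy's mac_mls_check_vnode_relabel and mac_mls_check_pipe_relabel carry the same asymmetry and would benefit from the same note.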
@@ -2142,12 +2142,18 @@
(macop_t)mac_biba_relabel_subject },
{ MAC_CHECK_BPFDESC_RECEIVE,
(macop_t)mac_biba_check_bpfdesc_receive },
+ { MAC_CHECK_CRED_RELABEL,
+ (macop_t)mac_biba_check_cred_relabel },
{ MAC_CHECK_CRED_VISIBLE,
(macop_t)mac_biba_check_cred_visible },
+ { MAC_CHECK_IFNET_RELABEL,
+ (macop_t)mac_biba_check_ifnet_relabel },
{ MAC_CHECK_IFNET_TRANSMIT,
(macop_t)mac_biba_check_ifnet_transmit },
{ MAC_CHECK_MOUNT_STAT,
(macop_t)mac_biba_check_mount_stat },
+ { MAC_CHECK_PIPE_RELABEL,
+ (macop_t)mac_biba_check_pipe_relabel },
{ MAC_CHECK_PROC_DEBUG,
(macop_t)mac_biba_check_proc_debug },
{ MAC_CHECK_PROC_SCHED,
@@ -2156,18 +2162,10 @@
(macop_t)mac_biba_check_proc_signal },
{ MAC_CHECK_SOCKET_RECEIVE,
(macop_t)mac_biba_check_socket_receive },
+ { MAC_CHECK_SOCKET_RELABEL,
+ (macop_t)mac_biba_check_socket_relabel },
{ MAC_CHECK_SOCKET_VISIBLE,
(macop_t)mac_biba_check_socket_visible },
- { MAC_CHECK_RELABEL_IFNET,
- (macop_t)mac_biba_check_relabel_ifnet },
- { MAC_CHECK_RELABEL_PIPE,
- (macop_t)mac_biba_check_relabel_pipe },
- { MAC_CHECK_RELABEL_SOCKET,
- (macop_t)mac_biba_check_relabel_socket },
- { MAC_CHECK_RELABEL_SUBJECT,
- (macop_t)mac_biba_check_relabel_subject },
- { MAC_CHECK_RELABEL_VNODE,
- (macop_t)mac_biba_check_relabel_vnode },
{ MAC_CHECK_VNODE_ACCESS,
(macop_t)mac_biba_check_vnode_access },
{ MAC_CHECK_VNODE_CHDIR,
@@ -2198,6 +2196,8 @@
(macop_t)mac_biba_check_vnode_readdir },
{ MAC_CHECK_VNODE_READLINK,
(macop_t)mac_biba_check_vnode_readlink },
+ { MAC_CHECK_VNODE_RELABEL,
+ (macop_t)mac_biba_check_vnode_relabel },
{ MAC_CHECK_VNODE_RENAME_FROM,
(macop_t)mac_biba_check_vnode_rename_from },
{ MAC_CHECK_VNODE_RENAME_TO,
==== //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#68 (text+ko) ====
@@ -1130,6 +1130,45 @@
}
static int
+mac_mls_check_cred_relabel(struct ucred *cred, struct label *newlabel)
+{
+ struct mac_mls *subj, *new;
+
+ subj = SLOT(&cred->cr_label);
+ new = SLOT(newlabel);
+
+ if ((new->mm_flags & MAC_MLS_FLAGS_BOTH) != MAC_MLS_FLAGS_BOTH)
+ return (EINVAL);
+
+ /*
+ * XXX: Allow processes with root privilege to set labels outside
+ * their range, so suid things like "su" work. This WILL go away
+ * when we figure out the 'correct' solution...
+ */
+ if (!suser_cred(cred, 0))
+ return (0);
+
+ /*
+ * The new single must be in the old range.
+ */
+ if (!mac_mls_single_in_range(new, subj))
+ return (EPERM);
+
+ /*
+ * The new range must be in the old range.
+ */
+ if (!mac_mls_range_in_range(new, subj))
+ return (EPERM);
+
+ /*
+ * XXX: Don't permit EQUAL in a label unless the subject has EQUAL.
+ */
+
+ return (0);
+}
+
+
+static int
mac_mls_check_cred_visible(struct ucred *u1, struct ucred *u2)
{
struct mac_mls *subj, *obj;
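Review bot: Two consecutive blank lines separate the end of mac_mls_check_cred_relabel from the following `static int`, while the rest of this file uses a single blank line between functions; one of them should go. The same double blank line appears after mac_mls_check_vnode_relabel in the hunk at @@ -1668 below.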
@@ -1148,6 +1187,23 @@
}
static int
+mac_mls_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet,
+ struct label *ifnetlabel, struct label *newlabel)
+{
+ struct mac_mls *subj, *new;
+
+ subj = SLOT(&cred->cr_label);
+ new = SLOT(newlabel);
+
+ if ((new->mm_flags & MAC_MLS_FLAGS_BOTH) != MAC_MLS_FLAGS_BOTH)
+ return (EINVAL);
+
+ /* XXX: privilege model here? */
+
+ return (suser_cred(cred, 0));
+}
+
+static int
mac_mls_check_ifnet_transmit(struct ifnet *ifnet, struct label *ifnetlabel,
struct mbuf *m, struct label *mbuflabel)
{
@@ -1181,6 +1237,40 @@
}
static int
+mac_mls_check_pipe_relabel(struct ucred *cred, struct pipe *pipe,
+ struct label *pipelabel, struct label *newlabel)
+{
+ struct mac_mls *subj, *obj, *new;
+
+ new = SLOT(newlabel);
+ subj = SLOT(&cred->cr_label);
+ obj = SLOT(pipelabel);
+
+ if ((new->mm_flags & MAC_MLS_FLAGS_BOTH) != MAC_MLS_FLAG_SINGLE)
+ return (EINVAL);
+
+ /*
+ * To relabel a pipe, the old pipe label must be in the subject
+ * range.
+ */
+ if (!mac_mls_single_in_range(obj, subj))
+ return (EPERM);
+
+ /*
+ * To relabel a pipe, the new pipe label must be in the subject
+ * range.
+ */
+ if (!mac_mls_single_in_range(new, subj))
+ return (EPERM);
+
+ /*
+ * XXX: Don't permit EQUAL in a label unless the subject has EQUAL.
+ */
+
+ return (0);
+}
+
+static int
mac_mls_check_proc_debug(struct ucred *cred, struct proc *proc)
{
struct mac_mls *subj, *obj;
@@ -1256,42 +1346,7 @@
}
static int
-mac_mls_check_socket_visible(struct ucred *cred, struct socket *socket,
- struct label *socketlabel)
-{
- struct mac_mls *subj, *obj;
-
- if (!mac_mls_enabled)
- return (0);
-
- subj = SLOT(&cred->cr_label);
- obj = SLOT(socketlabel);
-
- if (!mac_mls_dominate_single(subj, obj))
- return (ENOENT);
-
- return (0);
-}
-
-static int
-mac_mls_check_relabel_ifnet(struct ucred *cred, struct ifnet *ifnet,
- struct label *ifnetlabel, struct label *newlabel)
-{
- struct mac_mls *subj, *new;
-
- subj = SLOT(&cred->cr_label);
- new = SLOT(newlabel);
-
- if ((new->mm_flags & MAC_MLS_FLAGS_BOTH) != MAC_MLS_FLAGS_BOTH)
- return (EINVAL);
-
- /* XXX: privilege model here? */
-
- return (suser_cred(cred, 0));
-}
-
-static int
-mac_mls_check_relabel_socket(struct ucred *cred, struct socket *socket,
+mac_mls_check_socket_relabel(struct ucred *cred, struct socket *socket,
struct label *socketlabel, struct label *newlabel)
{
struct mac_mls *subj, *obj, *new;
@@ -1325,112 +1380,24 @@
}
static int
-mac_mls_check_relabel_pipe(struct ucred *cred, struct pipe *pipe,
- struct label *pipelabel, struct label *newlabel)
+mac_mls_check_socket_visible(struct ucred *cred, struct socket *socket,
+ struct label *socketlabel)
{
- struct mac_mls *subj, *obj, *new;
+ struct mac_mls *subj, *obj;
- new = SLOT(newlabel);
- subj = SLOT(&cred->cr_label);
- obj = SLOT(pipelabel);
-
- if ((new->mm_flags & MAC_MLS_FLAGS_BOTH) != MAC_MLS_FLAG_SINGLE)
- return (EINVAL);
-
- /*
- * To relabel a pipe, the old pipe label must be in the subject
- * range.
- */
- if (!mac_mls_single_in_range(obj, subj))
- return (EPERM);
-
- /*
- * To relabel a pipe, the new pipe label must be in the subject
- * range.
- */
- if (!mac_mls_single_in_range(new, subj))
- return (EPERM);
-
- /*
- * XXX: Don't permit EQUAL in a label unless the subject has EQUAL.
- */
-
- return (0);
-}
+ if (!mac_mls_enabled)
+ return (0);
-static int
-mac_mls_check_relabel_subject(struct ucred *cred, struct label *newlabel)
-{
- struct mac_mls *subj, *new;
-
subj = SLOT(&cred->cr_label);
- new = SLOT(newlabel);
+ obj = SLOT(socketlabel);
- if ((new->mm_flags & MAC_MLS_FLAGS_BOTH) != MAC_MLS_FLAGS_BOTH)
- return (EINVAL);
-
- /*
- * XXX: Allow processes with root privilege to set labels outside
- * their range, so suid things like "su" work. This WILL go away
- * when we figure out the 'correct' solution...
- */
- if (!suser_cred(cred, 0))
- return (0);
-
- /*
- * The new single must be in the old range.
- */
- if (!mac_mls_single_in_range(new, subj))
- return (EPERM);
-
- /*
- * The new range must be in the old range.
- */
- if (!mac_mls_range_in_range(new, subj))
- return (EPERM);
-
- /*
- * XXX: Don't permit EQUAL in a label unless the subject has EQUAL.
- */
+ if (!mac_mls_dominate_single(subj, obj))
+ return (ENOENT);
return (0);
}
static int
-mac_mls_check_relabel_vnode(struct ucred *cred, struct vnode *vp,
- struct label *vnodelabel, struct label *newlabel)
-{
- struct mac_mls *old, *new, *subj;
-
- old = SLOT(vnodelabel);
- new = SLOT(newlabel);
- subj = SLOT(&cred->cr_label);
-
- if ((new->mm_flags & MAC_MLS_FLAGS_BOTH) != MAC_MLS_FLAG_SINGLE)
- return (EINVAL);
-
- /*
- * To relabel a vnode, the old vnode label must be in the subject
- * range.
- */
- if (!mac_mls_single_in_range(old, subj))
- return (EPERM);
-
- /*
- * To relabel a vnode, the new vnode label must be in the subject
- * range.
- */
- if (!mac_mls_single_in_range(new, subj))
- return (EPERM);
-
- /*
- * XXX: Don't permit EQUAL in a label unless the subject has EQUAL.
- */
-
- return (suser_cred(cred, 0));
-}
-
-static int
mac_mls_check_vnode_access(struct ucred *cred, struct vnode *vp,
struct label *label, mode_t flags)
{
@@ -1668,6 +1635,41 @@
}
static int
+mac_mls_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
+ struct label *vnodelabel, struct label *newlabel)
+{
+ struct mac_mls *old, *new, *subj;
+
+ old = SLOT(vnodelabel);
+ new = SLOT(newlabel);
+ subj = SLOT(&cred->cr_label);
+
+ if ((new->mm_flags & MAC_MLS_FLAGS_BOTH) != MAC_MLS_FLAG_SINGLE)
+ return (EINVAL);
+
+ /*
+ * To relabel a vnode, the old vnode label must be in the subject
+ * range.
+ */
+ if (!mac_mls_single_in_range(old, subj))
+ return (EPERM);
+
+ /*
+ * To relabel a vnode, the new vnode label must be in the subject
+ * range.
+ */
+ if (!mac_mls_single_in_range(new, subj))
+ return (EPERM);
+
+ /*
+ * XXX: Don't permit EQUAL in a label unless the subject has EQUAL.
+ */
+
+ return (suser_cred(cred, 0));
+}
+
+
+static int
mac_mls_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
struct label *dlabel, struct vnode *vp, struct label *label,
struct componentname *cnp)
@@ -2091,12 +2093,18 @@
(macop_t)mac_mls_relabel_subject },
{ MAC_CHECK_BPFDESC_RECEIVE,
(macop_t)mac_mls_check_bpfdesc_receive },
+ { MAC_CHECK_CRED_RELABEL,
>>> TRUNCATED FOR MAIL (1000 lines) <<<