PERFORCE change 42484 for review
Robert Watson
rwatson at FreeBSD.org
Sat Nov 15 20:08:11 GMT 2003
http://perforce.freebsd.org/chv.cgi?CH=42484
Change 42484 by rwatson at rwatson_tislabs on 2003/11/15 12:07:46
Add labels to struct inpcb, which for most policies will simply
cache the label stored in struct socket. This will permit
policies to enforce protections during delivery of an mbuf to
an inpcb without reaching up to the socket layer to read a
label protected by what will eventually be the socket lock.
For all inpcb-related protocols, the inpcb label is now used
for the delivery check. For non-inpcb related protocols
(netatalk, etc), the socket label is still used.
Affected files ...
.. //depot/projects/trustedbsd/mac/sys/kern/uipc_socket2.c#37 edit
.. //depot/projects/trustedbsd/mac/sys/kern/uipc_usrreq.c#29 edit
.. //depot/projects/trustedbsd/mac/sys/net/raw_usrreq.c#10 edit
.. //depot/projects/trustedbsd/mac/sys/net/rtsock.c#21 edit
.. //depot/projects/trustedbsd/mac/sys/netatalk/ddp_usrreq.c#11 edit
.. //depot/projects/trustedbsd/mac/sys/netatm/atm_aal5.c#7 edit
.. //depot/projects/trustedbsd/mac/sys/netatm/atm_usrreq.c#9 edit
.. //depot/projects/trustedbsd/mac/sys/netgraph/bluetooth/socket/ng_btsocket.c#5 edit
.. //depot/projects/trustedbsd/mac/sys/netgraph/ng_socket.c#11 edit
.. //depot/projects/trustedbsd/mac/sys/netinet/in_pcb.c#24 edit
.. //depot/projects/trustedbsd/mac/sys/netinet/in_pcb.h#20 edit
.. //depot/projects/trustedbsd/mac/sys/netinet/ip_divert.c#18 edit
.. //depot/projects/trustedbsd/mac/sys/netinet/raw_ip.c#28 edit
.. //depot/projects/trustedbsd/mac/sys/netinet/tcp_input.c#45 edit
.. //depot/projects/trustedbsd/mac/sys/netinet/tcp_usrreq.c#17 edit
.. //depot/projects/trustedbsd/mac/sys/netinet/udp_usrreq.c#26 edit
.. //depot/projects/trustedbsd/mac/sys/netinet6/raw_ip6.c#11 edit
.. //depot/projects/trustedbsd/mac/sys/netinet6/udp6_usrreq.c#15 edit
.. //depot/projects/trustedbsd/mac/sys/netipsec/keysock.c#6 edit
.. //depot/projects/trustedbsd/mac/sys/netipx/ipx_usrreq.c#9 edit
.. //depot/projects/trustedbsd/mac/sys/netipx/spx_usrreq.c#8 edit
.. //depot/projects/trustedbsd/mac/sys/netkey/keysock.c#14 edit
.. //depot/projects/trustedbsd/mac/sys/netnatm/natm.c#14 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac/mac_net.c#14 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#232 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_ifoff/mac_ifoff.c#23 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.c#77 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#187 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_stub/mac_stub.c#11 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#121 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac.h#251 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#202 edit
.. //depot/projects/trustedbsd/mac/sys/sys/protosw.h#7 edit
Differences ...
==== //depot/projects/trustedbsd/mac/sys/kern/uipc_socket2.c#37 (text+ko) ====
@@ -1042,6 +1042,16 @@
}
/*
+ * For protocol types that don't keep cached copies of labels in their
+ * pcbs, provide a null sosetlabel that does a NOOP.
+ */
+void
+pru_sosetlabel_null(struct socket *so)
+{
+
+}
+
+/*
* Make a copy of a sockaddr in a malloced buffer of type M_SONAME.
*/
struct sockaddr *
==== //depot/projects/trustedbsd/mac/sys/kern/uipc_usrreq.c#29 (text+ko) ====
@@ -450,7 +450,7 @@
uipc_connect2, pru_control_notsupp, uipc_detach, uipc_disconnect,
uipc_listen, uipc_peeraddr, uipc_rcvd, pru_rcvoob_notsupp,
uipc_send, uipc_sense, uipc_shutdown, uipc_sockaddr,
- sosend, soreceive, sopoll
+ sosend, soreceive, sopoll, pru_sosetlabel_null
};
int
==== //depot/projects/trustedbsd/mac/sys/net/raw_usrreq.c#10 (text+ko) ====
@@ -295,5 +295,5 @@
pru_connect2_notsupp, pru_control_notsupp, raw_udetach,
raw_udisconnect, pru_listen_notsupp, raw_upeeraddr, pru_rcvd_notsupp,
pru_rcvoob_notsupp, raw_usend, pru_sense_null, raw_ushutdown,
- raw_usockaddr, sosend, soreceive, sopoll
+ raw_usockaddr, sosend, soreceive, sopoll, pru_sosetlabel_null
};
==== //depot/projects/trustedbsd/mac/sys/net/rtsock.c#21 (text+ko) ====
@@ -270,7 +270,7 @@
pru_connect2_notsupp, pru_control_notsupp, rts_detach, rts_disconnect,
pru_listen_notsupp, rts_peeraddr, pru_rcvd_notsupp, pru_rcvoob_notsupp,
rts_send, pru_sense_null, rts_shutdown, rts_sockaddr,
- sosend, soreceive, sopoll
+ sosend, soreceive, sopoll, pru_sosetlabel_null
};
/*ARGSUSED*/
==== //depot/projects/trustedbsd/mac/sys/netatalk/ddp_usrreq.c#11 (text+ko) ====
@@ -590,5 +590,6 @@
at_setsockaddr,
sosend,
soreceive,
- sopoll
+ sopoll,
+ pru_sosetlabel_null
};
==== //depot/projects/trustedbsd/mac/sys/netatm/atm_aal5.c#7 (text+ko) ====
@@ -112,7 +112,8 @@
atm_aal5_sockaddr, /* pru_sockaddr */
sosend, /* pru_sosend */
soreceive, /* pru_soreceive */
- sopoll /* pru_sopoll */
+ sopoll, /* pru_sopoll */
+ pru_sosetlabel_null /* pru_sosetlabel */
};
/*
==== //depot/projects/trustedbsd/mac/sys/netatm/atm_usrreq.c#9 (text+ko) ====
@@ -83,6 +83,10 @@
pru_sense_null, /* pru_sense */
atm_proto_notsupp1, /* pru_shutdown */
atm_proto_notsupp3, /* pru_sockaddr */
+ NULL, /* pru_sosend */
+ NULL, /* pru_soreceive */
+ NULL, /* pru_sooll */
+ pru_sosetlabel_null /* pru_sosetlabel */
};
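Review bot: The comment on the third added entry reads `/* pru_sooll */` and should read `/* pru_sopoll */` so that it names the pr_usrreqs member it labels. The neighbouring entries are labelled correctly, so this is only a typo, but the explicit `NULL` entries are how a reader tells that this table implements none of the generic send/receive/poll hooks, so the labels should be exact.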
==== //depot/projects/trustedbsd/mac/sys/netgraph/bluetooth/socket/ng_btsocket.c#5 (text+ko) ====
@@ -79,7 +79,8 @@
ng_btsocket_hci_raw_sockaddr, /* sockaddr */
sosend,
soreceive,
- sopoll
+ sopoll,
+ pru_sosetlabel_null
};
/*
@@ -106,7 +107,8 @@
ng_btsocket_l2cap_raw_sockaddr, /* sockaddr */
sosend,
soreceive,
- sopoll
+ sopoll,
+ pru_sosetlabel_null
};
/*
@@ -133,7 +135,8 @@
ng_btsocket_l2cap_sockaddr, /* sockaddr */
sosend,
soreceive,
- sopoll
+ sopoll,
+ pru_sosetlabel_null
};
/*
@@ -160,7 +163,8 @@
ng_btsocket_rfcomm_sockaddr, /* sockaddr */
sosend,
soreceive,
- sopoll
+ sopoll,
+ pru_sosetlabel_null
};
/*
==== //depot/projects/trustedbsd/mac/sys/netgraph/ng_socket.c#11 (text+ko) ====
@@ -978,7 +978,8 @@
ng_setsockaddr,
sosend,
soreceive,
- sopoll
+ sopoll,
+ pru_sosetlabel_null
};
static struct pr_usrreqs ngd_usrreqs = {
@@ -1001,7 +1002,8 @@
ng_setsockaddr,
sosend,
soreceive,
- sopoll
+ sopoll,
+ pru_sosetlabel_null
};
/*
==== //depot/projects/trustedbsd/mac/sys/netinet/in_pcb.c#24 (text+ko) ====
@@ -36,10 +36,12 @@
#include "opt_ipsec.h"
#include "opt_inet6.h"
+#include "opt_mac.h"
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/limits.h>
+#include <sys/mac.h>
#include <sys/malloc.h>
#include <sys/mbuf.h>
#include <sys/domain.h>
@@ -161,26 +163,30 @@
struct thread *td;
{
register struct inpcb *inp;
-#if defined(IPSEC) || defined(FAST_IPSEC)
int error;
-#endif
+
INP_INFO_WLOCK_ASSERT(pcbinfo);
+ error = 0;
inp = uma_zalloc(pcbinfo->ipi_zone, M_NOWAIT | M_ZERO);
if (inp == NULL)
return (ENOBUFS);
inp->inp_gencnt = ++pcbinfo->ipi_gencnt;
inp->inp_pcbinfo = pcbinfo;
inp->inp_socket = so;
+#ifdef MAC
+ error = mac_init_inpcb(inp, M_NOWAIT);
+ if (error != 0)
+ goto out;
+ mac_create_inpcb_from_socket(so, inp);
+#endif
#if defined(IPSEC) || defined(FAST_IPSEC)
#ifdef FAST_IPSEC
error = ipsec_init_policy(so, &inp->inp_sp);
#else
error = ipsec_init_pcbpolicy(so, &inp->inp_sp);
#endif
- if (error != 0) {
- uma_zfree(pcbinfo->ipi_zone, inp);
- return error;
- }
+ if (error != 0)
+ goto out;
#endif /*IPSEC*/
#if defined(INET6)
if (INP_SOCKAF(so) == AF_INET6) {
@@ -197,7 +203,12 @@
if (ip6_auto_flowlabel)
inp->inp_flags |= IN6P_AUTOFLOWLABEL;
#endif
- return (0);
+#if defined(IPSEC) || defined(FAST_IPSEC) || defined(MAC)
+out:
+ if (error != 0)
+ uma_zfree(pcbinfo->ipi_zone, inp);
+#endif
+ return (error);
}
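Review bot: The new `out:` path only returns the pcb to the zone, so when `mac_init_inpcb` has succeeded and the IPSEC policy initialisation that follows it fails, the inpcb label allocated by `mac_init_inpcb` is leaked. `mac_destroy_inpcb` needs to run on that path, guarded on `inp->inp_label` being non-NULL, because `mac_init_inpcb` leaves the field NULL when it fails and `mac_destroy_inpcb` passes the pointer straight through to the policies. The `goto out` sites are in the previous hunk of this file, and the body of `in_pcballoc` begins outside the hunk.
```c
#if defined(IPSEC) || defined(FAST_IPSEC) || defined(MAC)
out:
	if (error != 0) {
#ifdef MAC
		/* Label is NULL if mac_init_inpcb itself failed. */
		if (inp->inp_label != NULL)
			mac_destroy_inpcb(inp);
#endif
		uma_zfree(pcbinfo->ipi_zone, inp);
	}
#endif
	return (error);
```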
int
@@ -700,6 +711,9 @@
ip_freemoptions(inp->inp_moptions);
inp->inp_vflag = 0;
INP_LOCK_DESTROY(inp);
+#ifdef MAC
+ mac_destroy_inpcb(inp);
+#endif
uma_zfree(ipi->ipi_zone, inp);
}
@@ -1216,6 +1230,25 @@
pcbinfo->ipi_count--;
}
+/*
+ * A set label operation has occurred at the socket layer, propagate the
+ * label change into the in_pcb for the socket.
+ */
+void
+in_pcbsosetlabel(so)
+ struct socket *so;
+{
+#ifdef MAC
+ struct inpcb *inp;
+
+ /* XXX: Will assert socket lock when we have them. */
+ inp = (struct inpcb *)so->so_pcb;
+ INP_LOCK(inp);
+ mac_inpcb_sosetlabel(so, inp);
+ INP_UNLOCK(inp);
+#endif
+}
+
int
prison_xinpcb(struct thread *td, struct inpcb *inp)
{
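Review bot: `in_pcbsosetlabel` casts `so->so_pcb` and locks the result without checking for NULL, and the only caller visible in this change is the setsockopt path in mac_net.c, which reaches the protocol through `pr_usrreqs` without looking at the socket's state. If a socket whose pcb has already been detached can still reach `mac_setsockopt_label_set` (I cannot confirm that from this change), the cast yields a NULL inpcb and `INP_LOCK` dereferences it; a guard `if (inp == NULL) return;` after the cast, with a comment on when that can occur, would close it. The `XXX` about the socket lock is fine as a placeholder, but the comment should also state that the caller is expected to hold the socket lock once it exists, so the hook's locking contract is written down rather than implied.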
==== //depot/projects/trustedbsd/mac/sys/netinet/in_pcb.h#20 (text+ko) ====
@@ -134,6 +134,7 @@
struct inpcbinfo *inp_pcbinfo; /* PCB list info */
struct socket *inp_socket; /* back pointer to socket */
/* list for this PCB's local port */
+ struct label *inp_label; /* MAC label */
int inp_flags; /* generic IP/datagram flags */
struct inpcbpolicy *inp_sp; /* for IPSEC */
@@ -369,10 +370,12 @@
void in_pcbnotifyall(struct inpcbinfo *pcbinfo, struct in_addr,
int, struct inpcb *(*)(struct inpcb *, int));
void in_pcbrehash(struct inpcb *);
+void in_pcbsetsolabel(struct socket *so);
int in_setpeeraddr(struct socket *so, struct sockaddr **nam, struct inpcbinfo *pcbinfo);
int in_setsockaddr(struct socket *so, struct sockaddr **nam, struct inpcbinfo *pcbinfo);;
struct sockaddr *
in_sockaddr(in_port_t port, struct in_addr *addr);
+void in_pcbsosetlabel(struct socket *so);
void in_pcbremlists(struct inpcb *inp);
int prison_xinpcb(struct thread *td, struct inpcb *inp);
#endif /* _KERNEL */
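Review bot: The prototype `void in_pcbsetsolabel(struct socket *so);` on the first added line has no definition anywhere in this change, while the function actually defined in in_pcb.c is `in_pcbsosetlabel`, which the second added line declares. The first looks like a leftover from a rename and should be dropped, otherwise the header declares a function nothing provides. While here, the context line for `in_setsockaddr` ends in `;;`, a pre-existing stray semicolon worth removing in passing.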
==== //depot/projects/trustedbsd/mac/sys/netinet/ip_divert.c#18 (text+ko) ====
@@ -651,5 +651,5 @@
pru_connect_notsupp, pru_connect2_notsupp, in_control, div_detach,
div_disconnect, pru_listen_notsupp, div_peeraddr, pru_rcvd_notsupp,
pru_rcvoob_notsupp, div_send, pru_sense_null, div_shutdown,
- div_sockaddr, sosend, soreceive, sopoll
+ div_sockaddr, sosend, soreceive, sopoll, in_pcbsosetlabel
};
==== //depot/projects/trustedbsd/mac/sys/netinet/raw_ip.c#28 (text+ko) ====
@@ -161,7 +161,7 @@
}
#endif /*FAST_IPSEC*/
#ifdef MAC
- if (!policyfail && mac_check_socket_deliver(last->inp_socket, n) != 0)
+ if (!policyfail && mac_check_inpcb_deliver(last, n) != 0)
policyfail = 1;
#endif
if (!policyfail) {
@@ -838,5 +838,5 @@
pru_connect2_notsupp, in_control, rip_detach, rip_disconnect,
pru_listen_notsupp, rip_peeraddr, pru_rcvd_notsupp,
pru_rcvoob_notsupp, rip_send, pru_sense_null, rip_shutdown,
- rip_sockaddr, sosend, soreceive, sopoll
+ rip_sockaddr, sosend, soreceive, sopoll, in_pcbsosetlabel
};
==== //depot/projects/trustedbsd/mac/sys/netinet/tcp_input.c#45 (text+ko) ====
@@ -683,11 +683,11 @@
else
tiwin = th->th_win;
- so = inp->inp_socket;
#ifdef MAC
- if (mac_check_socket_deliver(so, m))
+ if (mac_check_inpcb_deliver(inp, m))
goto drop;
#endif
+ so = inp->inp_socket;
#ifdef TCPDEBUG
if (so->so_options & SO_DEBUG) {
ostate = tp->t_state;
==== //depot/projects/trustedbsd/mac/sys/netinet/tcp_usrreq.c#17 (text+ko) ====
@@ -816,7 +816,7 @@
tcp_usr_connect, pru_connect2_notsupp, in_control, tcp_usr_detach,
tcp_usr_disconnect, tcp_usr_listen, tcp_peeraddr, tcp_usr_rcvd,
tcp_usr_rcvoob, tcp_usr_send, pru_sense_null, tcp_usr_shutdown,
- tcp_sockaddr, sosend, soreceive, sopoll
+ tcp_sockaddr, sosend, soreceive, sopoll, in_pcbsosetlabel
};
#ifdef INET6
@@ -825,7 +825,7 @@
tcp6_usr_connect, pru_connect2_notsupp, in6_control, tcp_usr_detach,
tcp_usr_disconnect, tcp6_usr_listen, in6_mapped_peeraddr, tcp_usr_rcvd,
tcp_usr_rcvoob, tcp_usr_send, pru_sense_null, tcp_usr_shutdown,
- in6_mapped_sockaddr, sosend, soreceive, sopoll
+ in6_mapped_sockaddr, sosend, soreceive, sopoll, in_pcbsosetlabel
};
#endif /* INET6 */
==== //depot/projects/trustedbsd/mac/sys/netinet/udp_usrreq.c#26 (text+ko) ====
@@ -446,7 +446,7 @@
}
#endif /*FAST_IPSEC*/
#ifdef MAC
- if (mac_check_socket_deliver(last->inp_socket, n) != 0) {
+ if (mac_check_inpcb_deliver(last, n) != 0) {
m_freem(n);
return;
}
@@ -1096,5 +1096,5 @@
pru_connect2_notsupp, in_control, udp_detach, udp_disconnect,
pru_listen_notsupp, udp_peeraddr, pru_rcvd_notsupp,
pru_rcvoob_notsupp, udp_send, pru_sense_null, udp_shutdown,
- udp_sockaddr, sosend, soreceive, sopoll
+ udp_sockaddr, sosend, soreceive, sopoll, in_pcbsosetlabel
};
==== //depot/projects/trustedbsd/mac/sys/netinet6/raw_ip6.c#11 (text+ko) ====
@@ -750,5 +750,5 @@
pru_connect2_notsupp, in6_control, rip6_detach, rip6_disconnect,
pru_listen_notsupp, in6_setpeeraddr, pru_rcvd_notsupp,
pru_rcvoob_notsupp, rip6_send, pru_sense_null, rip6_shutdown,
- in6_setsockaddr, sosend, soreceive, sopoll
+ in6_setsockaddr, sosend, soreceive, sopoll, pru_sosetlabel_null
};
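Review bot: `rip6_usrreqs` is given `pru_sosetlabel_null`, whereas the IPv4 raw socket table in raw_ip.c and the IPv6 UDP table in udp6_usrreq.c use `in_pcbsosetlabel`, even though rip6 is also backed by an inpcb. This diff shows no change to the delivery check in raw_ip6.c, so if rip6_input still calls the socket-label check the null hook is self-consistent, but it then contradicts the description's statement that all inpcb-based protocols use the inpcb label, and a later switch of the delivery check would leave IPv6 raw sockets being checked against a cached label that relabels never update. Either switch the hook and the delivery check together, or add a comment on this entry explaining why raw IPv6 is deliberately left on the socket label.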
==== //depot/projects/trustedbsd/mac/sys/netinet6/udp6_usrreq.c#15 (text+ko) ====
@@ -767,5 +767,5 @@
pru_connect2_notsupp, in6_control, udp6_detach, udp6_disconnect,
pru_listen_notsupp, in6_mapped_peeraddr, pru_rcvd_notsupp,
pru_rcvoob_notsupp, udp6_send, pru_sense_null, udp_shutdown,
- in6_mapped_sockaddr, sosend, soreceive, sopoll
+ in6_mapped_sockaddr, sosend, soreceive, sopoll, in_pcbsosetlabel
};
==== //depot/projects/trustedbsd/mac/sys/netipsec/keysock.c#6 (text+ko) ====
@@ -567,7 +567,8 @@
key_disconnect, pru_listen_notsupp, key_peeraddr,
pru_rcvd_notsupp,
pru_rcvoob_notsupp, key_send, pru_sense_null, key_shutdown,
- key_sockaddr, sosend, soreceive, sopoll
+ key_sockaddr, sosend, soreceive, sopoll,
+ pru_sosetlabel_null
};
/* sysctl */
==== //depot/projects/trustedbsd/mac/sys/netipx/ipx_usrreq.c#9 (text+ko) ====
@@ -92,7 +92,7 @@
ipx_connect, pru_connect2_notsupp, ipx_control, ipx_detach,
ipx_disconnect, pru_listen_notsupp, ipx_peeraddr, pru_rcvd_notsupp,
pru_rcvoob_notsupp, ipx_send, pru_sense_null, ipx_shutdown,
- ipx_sockaddr, sosend, soreceive, sopoll
+ ipx_sockaddr, sosend, soreceive, sopoll, pru_sosetlabel_null
};
struct pr_usrreqs ripx_usrreqs = {
@@ -100,7 +100,7 @@
ipx_connect, pru_connect2_notsupp, ipx_control, ipx_detach,
ipx_disconnect, pru_listen_notsupp, ipx_peeraddr, pru_rcvd_notsupp,
pru_rcvoob_notsupp, ipx_send, pru_sense_null, ipx_shutdown,
- ipx_sockaddr, sosend, soreceive, sopoll
+ ipx_sockaddr, sosend, soreceive, sopoll, pru_sosetlabel_null
};
/*
==== //depot/projects/trustedbsd/mac/sys/netipx/spx_usrreq.c#8 (text+ko) ====
@@ -112,7 +112,7 @@
spx_connect, pru_connect2_notsupp, ipx_control, spx_detach,
spx_usr_disconnect, spx_listen, ipx_peeraddr, spx_rcvd,
spx_rcvoob, spx_send, pru_sense_null, spx_shutdown,
- ipx_sockaddr, sosend, soreceive, sopoll
+ ipx_sockaddr, sosend, soreceive, sopoll, pru_sosetlabel_null
};
struct pr_usrreqs spx_usrreq_sps = {
@@ -120,7 +120,7 @@
spx_connect, pru_connect2_notsupp, ipx_control, spx_detach,
spx_usr_disconnect, spx_listen, ipx_peeraddr, spx_rcvd,
spx_rcvoob, spx_send, pru_sense_null, spx_shutdown,
- ipx_sockaddr, sosend, soreceive, sopoll
+ ipx_sockaddr, sosend, soreceive, sopoll, pru_sosetlabel_null
};
void
==== //depot/projects/trustedbsd/mac/sys/netkey/keysock.c#14 (text+ko) ====
@@ -477,7 +477,8 @@
key_disconnect, pru_listen_notsupp, key_peeraddr,
pru_rcvd_notsupp,
pru_rcvoob_notsupp, key_send, pru_sense_null, key_shutdown,
- key_sockaddr, sosend, soreceive, sopoll
+ key_sockaddr, sosend, soreceive, sopoll,
+ pru_sosetlabel_null
};
/* sysctl */
==== //depot/projects/trustedbsd/mac/sys/netnatm/natm.c#14 (text+ko) ====
@@ -396,7 +396,7 @@
natm_usr_detach, natm_usr_disconnect, pru_listen_notsupp,
natm_usr_peeraddr, pru_rcvd_notsupp, pru_rcvoob_notsupp,
natm_usr_send, pru_sense_null, natm_usr_shutdown,
- natm_usr_sockaddr, sosend, soreceive, sopoll
+ natm_usr_sockaddr, sosend, soreceive, sopoll, pru_sosetlabel_null
};
#else /* !FREEBSD_USRREQS */
==== //depot/projects/trustedbsd/mac/sys/security/mac/mac_net.c#14 (text+ko) ====
@@ -50,6 +50,7 @@
#include <sys/mount.h>
#include <sys/file.h>
#include <sys/namei.h>
+#include <sys/protosw.h>
#include <sys/socket.h>
#include <sys/socketvar.h>
#include <sys/sysctl.h>
@@ -61,6 +62,7 @@
#include <net/if_var.h>
#include <netinet/in.h>
+#include <netinet/in_pcb.h>
#include <netinet/ip_var.h>
#include <security/mac/mac_internal.h>
@@ -77,12 +79,14 @@
#ifdef MAC_DEBUG
static unsigned int nmacmbufs, nmacifnets, nmacbpfdescs, nmacsockets,
- nmacipqs;
+ nmacinpcbs, nmacipqs;
SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, mbufs, CTLFLAG_RD,
&nmacmbufs, 0, "number of mbufs in use");
SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, ifnets, CTLFLAG_RD,
&nmacifnets, 0, "number of ifnets in use");
+SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, inpcbs, CTLFLAG_RD,
+ &nmacinpcbs, 0, "number of inpcbs in use");
SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, ipqs, CTLFLAG_RD,
&nmacipqs, 0, "number of ipqs in use");
SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, bpfdescs, CTLFLAG_RD,
@@ -143,6 +147,35 @@
}
static struct label *
+mac_inpcb_label_alloc(int flag)
+{
+ struct label *label;
+ int error;
+
+ label = mac_labelzone_alloc(flag);
+ if (label == NULL)
+ return (NULL);
+ MAC_CHECK(init_inpcb_label, label, flag);
+ if (error) {
+ MAC_PERFORM(destroy_inpcb_label, label);
+ mac_labelzone_free(label);
+ return (NULL);
+ }
+ MAC_DEBUG_COUNTER_INC(&nmacinpcbs);
+ return (label);
+}
+
+int
+mac_init_inpcb(struct inpcb *inp, int flag)
+{
+
+ inp->inp_label = mac_inpcb_label_alloc(flag);
+ if (inp->inp_label == NULL)
+ return (ENOMEM);
+ return (0);
+}
+
+static struct label *
mac_ipq_label_alloc(int flag)
{
struct label *label;
@@ -311,6 +344,23 @@
}
static void
+mac_inpcb_label_free(struct label *label)
+{
+
+ MAC_PERFORM(destroy_inpcb_label, label);
+ mac_labelzone_free(label);
+ MAC_DEBUG_COUNTER_DEC(&nmacinpcbs);
+}
+
+void
+mac_destroy_inpcb(struct inpcb *inp)
+{
+
+ mac_inpcb_label_free(inp->inp_label);
+ inp->inp_label = NULL;
+}
+
+static void
mac_ipq_label_free(struct label *label)
{
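Review bot: `mac_destroy_inpcb` hands `inp->inp_label` to `mac_inpcb_label_free` unconditionally, and `mac_init_inpcb` in the earlier hunk leaves that field NULL when allocation fails, so any caller tearing down a partially initialised inpcb would pass NULL to every policy's destroy hook. A guard `if (inp->inp_label == NULL) return;` at the top, or a comment stating that the function must only be called after a successful `mac_init_inpcb`, makes the contract explicit. The sibling `mac_ipq_label_free` begins below the hunk, so I cannot tell whether it follows the same convention.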
@@ -443,6 +493,14 @@
}
void
+mac_create_inpcb_from_socket(struct socket *so, struct inpcb *inp)
+{
+
+ MAC_PERFORM(create_inpcb_from_socket, so, so->so_label, inp,
+ inp->inp_label);
+}
+
+void
mac_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d)
{
@@ -704,6 +762,24 @@
}
int
+mac_check_inpcb_deliver(struct inpcb *inp, struct mbuf *m)
+{
+ struct label *label;
+ int error;
+
+ M_ASSERTPKTHDR(m);
+
+ if (!mac_enforce_socket)
+ return (0);
+
+ label = mbuf_to_label(m);
+
+ MAC_CHECK(check_inpcb_deliver, inp, inp->inp_label, m, label);
+
+ return (error);
+}
+
+int
mac_check_socket_bind(struct ucred *ucred, struct socket *socket,
struct sockaddr *sockaddr)
{
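Review bot: `mac_check_inpcb_deliver` is gated on `mac_enforce_socket` and carries no comment saying why; a reader will go looking for a separate inpcb enforcement knob. Since the inpcb label is, per the change description, a cached copy of the socket label, a header comment such as `/* Governed by mac_enforce_socket: the inpcb label is a cached copy of the socket label, so this is the same policy decision as the socket-level delivery check. */` makes that explicit. The comment should also say whether the caller is expected to hold the inpcb lock while the label is read, as `mac_inpcb_sosetlabel` later in this file asserts for writers; I cannot tell the intent from the hunk alone.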
@@ -904,6 +980,15 @@
return (0);
}
+void
+mac_inpcb_sosetlabel(struct socket *so, struct inpcb *inp)
+{
+
+ /* XXX: assert socket lock. */
+ INP_LOCK_ASSERT(inp);
+ MAC_PERFORM(inpcb_sosetlabel, so, so->so_label, inp, inp->inp_label);
+}
+
int
mac_setsockopt_label_set(struct ucred *cred, struct socket *so,
struct mac *mac)
@@ -931,6 +1016,7 @@
return (error);
}
+ /* XXX: Will eventually grab a socket lock here. */
mac_check_socket_relabel(cred, so, intlabel);
if (error) {
mac_socket_label_free(intlabel);
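Review bot: As rendered here, the context line just below the added comment reads `mac_check_socket_relabel(cred, so, intlabel);` with its return value discarded, and the `if (error)` that follows tests whatever `error` held from the earlier step, so the relabel authorisation check could never fail. If that is the file's actual text rather than an artefact of the mail rendering, the line should be `error = mac_check_socket_relabel(cred, so, intlabel);`; it is worth confirming in the depot since this change touches the surrounding lines. The added XXX comment is fine as a placeholder, though it would read better as `/* XXX: Socket lock should be held from here to the release below once sockets have one. */` so both ends of the intended critical section are named.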
@@ -939,6 +1025,16 @@
mac_relabel_socket(cred, so, intlabel);
+ /*
+ * If the protocol has expressed interest in socket layer changes,
+ * such as if it needs to propagate changes to a cached pcb
+ * label from the socket, notify it of the label change while
+ * holding the socket lock.
+ */
+ if (so->so_proto->pr_usrreqs->pru_sosetlabel != NULL)
+ (so->so_proto->pr_usrreqs->pru_sosetlabel)(so);
+ /* XXX: Will eventually release a socket lock here. */
+
mac_socket_label_free(intlabel);
return (0);
}
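Review bot: The new notification runs after `mac_relabel_socket` has already replaced the socket label, so between the two calls a delivery checked with `mac_check_inpcb_deliver` sees the old cached pcb label while the socket already carries the new one. The XXX lines say a socket lock will eventually bracket this, but `in_pcbsosetlabel` takes only the inpcb lock, so the socket lock alone will not close that window for delivery paths that read only the pcb label; the block comment should say which lock is meant to make the two labels change together, e.g. append `Until then, a delivery racing this relabel may be checked against the previous cached label.`. The NULL test on `pru_sosetlabel` is defensive, since every table touched by this change fills the slot, and a short comment saying it covers protocols outside the tree would stop a reader hunting for the NULL case.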
==== //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#232 (text+ko) ====
@@ -75,6 +75,7 @@
#include <net/if_var.h>
#include <netinet/in.h>
+#include <netinet/in_pcb.h>
#include <netinet/ip_var.h>
#include <vm/uma.h>
@@ -1065,6 +1066,18 @@
* Labeling event operations: IPC object.
*/
static void
+mac_biba_create_inpcb_from_socket(struct socket *so, struct label *solabel,
+ struct inpcb *inp, struct label *inplabel)
+{
+ struct mac_biba *source, *dest;
+
+ source = SLOT(solabel);
+ dest = SLOT(inplabel);
+
+ mac_biba_copy_single(source, dest);
+}
+
+static void
mac_biba_create_mbuf_from_socket(struct socket *so, struct label *socketlabel,
struct mbuf *m, struct label *mbuflabel)
{
@@ -1438,6 +1451,18 @@
/* NOOP: we only accept matching labels, so no need to update */
}
+static void
+mac_biba_inpcb_sosetlabel(struct socket *so, struct label *solabel,
+ struct inpcb *inp, struct label *inplabel)
+{
+ struct mac_biba *source, *dest;
+
+ source = SLOT(solabel);
+ dest = SLOT(inplabel);
+
+ mac_biba_copy(source, dest);
+}
+
/*
* Labeling event operations: processes.
*/
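Review bot: `mac_biba_inpcb_sosetlabel` copies the socket label with `mac_biba_copy`, whereas `mac_biba_create_inpcb_from_socket` in the previous hunk uses `mac_biba_copy_single`, and the corresponding hook in mac_lomac.c uses `mac_lomac_copy_single`; mac_mls.c has the same asymmetry with `mac_mls_copy`. If socket labels only ever carry a single element the two calls are equivalent, but then the choice should be consistent so that a reader does not infer that a range is propagated on relabel and not on creation. Either use `mac_biba_copy_single` here too, or add a one-line comment stating why the relabel path copies every element.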
@@ -1662,6 +1687,21 @@
}
static int
+mac_biba_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel,
+ struct mbuf *m, struct label *mlabel)
+{
+ struct mac_biba *p, *i;
+
+ if (!mac_biba_enabled)
+ return (0);
+
+ p = SLOT(mlabel);
+ i = SLOT(inplabel);
+
+ return (mac_biba_equal_single(p, i) ? 0 : EACCES);
+}
+
+static int
mac_biba_check_ipc_msgrcv(struct ucred *cred, struct msg *msgptr,
struct label *msglabel)
{
@@ -3112,6 +3152,7 @@
.mpo_init_cred_label = mac_biba_init_label,
.mpo_init_devfsdirent_label = mac_biba_init_label,
.mpo_init_ifnet_label = mac_biba_init_label,
+ .mpo_init_inpcb_label = mac_biba_init_label_waitcheck,
.mpo_init_ipc_msgmsg_label = mac_biba_init_label,
.mpo_init_ipc_msgqueue_label = mac_biba_init_label,
.mpo_init_ipc_sema_label = mac_biba_init_label,
@@ -3129,6 +3170,7 @@
.mpo_destroy_cred_label = mac_biba_destroy_label,
.mpo_destroy_devfsdirent_label = mac_biba_destroy_label,
.mpo_destroy_ifnet_label = mac_biba_destroy_label,
+ .mpo_destroy_inpcb_label = mac_biba_destroy_label,
.mpo_destroy_ipc_msgmsg_label = mac_biba_destroy_label,
.mpo_destroy_ipc_msgqueue_label = mac_biba_destroy_label,
.mpo_destroy_ipc_sema_label = mac_biba_destroy_label,
@@ -3181,6 +3223,7 @@
.mpo_create_datagram_from_ipq = mac_biba_create_datagram_from_ipq,
.mpo_create_fragment = mac_biba_create_fragment,
.mpo_create_ifnet = mac_biba_create_ifnet,
+ .mpo_create_inpcb_from_socket = mac_biba_create_inpcb_from_socket,
.mpo_create_ipc_msgmsg = mac_biba_create_ipc_msgmsg,
.mpo_create_ipc_msgqueue = mac_biba_create_ipc_msgqueue,
.mpo_create_ipc_sema = mac_biba_create_ipc_sema,
@@ -3195,6 +3238,7 @@
.mpo_fragment_match = mac_biba_fragment_match,
.mpo_relabel_ifnet = mac_biba_relabel_ifnet,
.mpo_update_ipq = mac_biba_update_ipq,
+ .mpo_inpcb_sosetlabel = mac_biba_inpcb_sosetlabel,
.mpo_create_cred = mac_biba_create_cred,
.mpo_create_proc0 = mac_biba_create_proc0,
.mpo_create_proc1 = mac_biba_create_proc1,
@@ -3208,6 +3252,7 @@
.mpo_check_cred_visible = mac_biba_check_cred_visible,
.mpo_check_ifnet_relabel = mac_biba_check_ifnet_relabel,
.mpo_check_ifnet_transmit = mac_biba_check_ifnet_transmit,
+ .mpo_check_inpcb_deliver = mac_biba_check_inpcb_deliver,
.mpo_check_ipc_msgrcv = mac_biba_check_ipc_msgrcv,
.mpo_check_ipc_msgrmid = mac_biba_check_ipc_msgrmid,
.mpo_check_ipc_msqget = mac_biba_check_ipc_msqget,
==== //depot/projects/trustedbsd/mac/sys/security/mac_ifoff/mac_ifoff.c#23 (text+ko) ====
@@ -143,6 +143,18 @@
}
static int
+mac_ifoff_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel,
+ struct mbuf *m, struct label *mlabel)
+{
+
+ M_ASSERTPKTHDR(m);
+ if (m->m_pkthdr.rcvif != NULL)
+ return (check_ifnet_incoming(m->m_pkthdr.rcvif, 0));
+
+ return (0);
+}
+
+static int
mac_ifoff_check_socket_deliver(struct socket *so, struct label *socketlabel,
struct mbuf *m, struct label *mbuflabel)
{
@@ -158,6 +170,7 @@
{
.mpo_check_bpfdesc_receive = mac_ifoff_check_bpfdesc_receive,
.mpo_check_ifnet_transmit = mac_ifoff_check_ifnet_transmit,
+ .mpo_check_inpcb_deliver = mac_ifoff_check_inpcb_deliver,
.mpo_check_socket_deliver = mac_ifoff_check_socket_deliver,
};
==== //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.c#77 (text+ko) ====
@@ -75,6 +75,7 @@
#include <net/if_var.h>
#include <netinet/in.h>
+#include <netinet/in_pcb.h>
#include <netinet/ip_var.h>
#include <vm/vm.h>
@@ -1138,6 +1139,18 @@
* Labeling event operations: IPC object.
*/
static void
+mac_lomac_create_inpcb_from_socket(struct socket *so, struct label *solabel,
+ struct inpcb *inp, struct label *inplabel)
+{
+ struct mac_lomac *source, *dest;
+
+ source = SLOT(solabel);
+ dest = SLOT(inplabel);
+
+ mac_lomac_copy_single(source, dest);
+}
+
+static void
mac_lomac_create_mbuf_from_socket(struct socket *so, struct label *socketlabel,
struct mbuf *m, struct label *mbuflabel)
{
@@ -1522,6 +1535,18 @@
/* NOOP: we only accept matching labels, so no need to update */
}
+static void
+mac_lomac_inpcb_sosetlabel(struct socket *so, struct label *solabel,
+ struct inpcb *inp, struct label *inplabel)
+{
+ struct mac_lomac *source, *dest;
+
+ source = SLOT(solabel);
+ dest = SLOT(inplabel);
+
+ mac_lomac_copy_single(source, dest);
+}
+
/*
* Labeling event operations: processes.
*/
@@ -1835,6 +1860,21 @@
}
static int
+mac_lomac_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel,
+ struct mbuf *m, struct label *mlabel)
+{
+ struct mac_lomac *p, *i;
+
+ if (!mac_lomac_enabled)
+ return (0);
+
+ p = SLOT(mlabel);
+ i = SLOT(inplabel);
+
+ return (mac_lomac_equal_single(p, i) ? 0 : EACCES);
+}
+
+static int
mac_lomac_check_ipc_msgrcv(struct ucred *cred, struct msg *msgptr,
struct label *msglabel)
{
@@ -3038,6 +3078,7 @@
.mpo_init_cred_label = mac_lomac_init_label,
.mpo_init_devfsdirent_label = mac_lomac_init_label,
.mpo_init_ifnet_label = mac_lomac_init_label,
+ .mpo_init_inpcb_label = mac_lomac_init_label_waitcheck,
.mpo_init_ipc_msgmsg_label = mac_lomac_init_label,
.mpo_init_ipc_msgqueue_label = mac_lomac_init_label,
.mpo_init_ipc_sema_label = mac_lomac_init_label,
@@ -3056,6 +3097,7 @@
.mpo_destroy_cred_label = mac_lomac_destroy_label,
.mpo_destroy_devfsdirent_label = mac_lomac_destroy_label,
.mpo_destroy_ifnet_label = mac_lomac_destroy_label,
+ .mpo_destroy_inpcb_label = mac_lomac_destroy_label,
.mpo_destroy_ipc_msgmsg_label = mac_lomac_destroy_label,
.mpo_destroy_ipc_msgqueue_label = mac_lomac_destroy_label,
.mpo_destroy_ipc_sema_label = mac_lomac_destroy_label,
@@ -3111,6 +3153,7 @@
.mpo_create_datagram_from_ipq = mac_lomac_create_datagram_from_ipq,
.mpo_create_fragment = mac_lomac_create_fragment,
.mpo_create_ifnet = mac_lomac_create_ifnet,
+ .mpo_create_inpcb_from_socket = mac_lomac_create_inpcb_from_socket,
.mpo_create_ipc_msgmsg = mac_lomac_create_ipc_msgmsg,
.mpo_create_ipc_msgqueue = mac_lomac_create_ipc_msgqueue,
.mpo_create_ipc_sema = mac_lomac_create_ipc_sema,
@@ -3126,6 +3169,7 @@
.mpo_fragment_match = mac_lomac_fragment_match,
.mpo_relabel_ifnet = mac_lomac_relabel_ifnet,
.mpo_update_ipq = mac_lomac_update_ipq,
+ .mpo_inpcb_sosetlabel = mac_lomac_inpcb_sosetlabel,
.mpo_create_cred = mac_lomac_create_cred,
.mpo_execve_transition = mac_lomac_execve_transition,
.mpo_execve_will_transition = mac_lomac_execve_will_transition,
@@ -3141,6 +3185,7 @@
.mpo_check_cred_visible = mac_lomac_check_cred_visible,
.mpo_check_ifnet_relabel = mac_lomac_check_ifnet_relabel,
.mpo_check_ifnet_transmit = mac_lomac_check_ifnet_transmit,
+ .mpo_check_inpcb_deliver = mac_lomac_check_inpcb_deliver,
/* .mpo_check_ipc_msgmsq = mac_lomac_check_ipc_msgmsq, */
.mpo_check_ipc_msgrcv = mac_lomac_check_ipc_msgrcv,
.mpo_check_ipc_msgrmid = mac_lomac_check_ipc_msgrmid,
==== //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#187 (text+ko) ====
@@ -75,6 +75,7 @@
#include <net/if_var.h>
#include <netinet/in.h>
+#include <netinet/in_pcb.h>
#include <netinet/ip_var.h>
#include <vm/uma.h>
@@ -1033,6 +1034,18 @@
* Labeling event operations: IPC object.
*/
static void
+mac_mls_create_inpcb_from_socket(struct socket *so, struct label *solabel,
+ struct inpcb *inp, struct label *inplabel)
+{
+ struct mac_mls *source, *dest;
+
+ source = SLOT(solabel);
+ dest = SLOT(inplabel);
+
+ mac_mls_copy_single(source, dest);
+}
+
+static void
mac_mls_create_mbuf_from_socket(struct socket *so, struct label *socketlabel,
struct mbuf *m, struct label *mbuflabel)
{
@@ -1377,6 +1390,18 @@
/* NOOP: we only accept matching labels, so no need to update */
}
+static void
+mac_mls_inpcb_sosetlabel(struct socket *so, struct label *solabel,
+ struct inpcb *inp, struct label *inplabel)
+{
+ struct mac_mls *source, *dest;
+
+ source = SLOT(solabel);
+ dest = SLOT(inplabel);
+
+ mac_mls_copy(source, dest);
+}
+
/*
* Labeling event operations: processes.
*/
@@ -1600,6 +1625,21 @@
}
>>> TRUNCATED FOR MAIL (1000 lines) <<<