PERFORCE change 42559 for review

Sun Nov 16 18:11:20 GMT 2003

http://perforce.freebsd.org/chv.cgi?CH=42559

Change 42559 by rwatson at rwatson_tislabs on 2003/11/16 10:10:34

	Implement support for mac_set_fd() for sockets, allowing MAC-aware
	programs to treat sockets in the same manner as pipes, fifos,
	and vnodes.
	
	To do this, abstract check/set logic for socket labels from
	mac_setsockopt_label() into mac_socket_label_set() congruent
	to mac_pipe_label_set().

Affected files ...

.. //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#435 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac/mac_internal.h#17 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac/mac_net.c#17 edit

Differences ...

==== //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#435 (text+ko) ====

@@ -920,6 +920,7 @@
 {
 	struct label *intlabel;
 	struct pipe *pipe;
+	struct socket *so;
 	struct file *fp;
 	struct mount *mp;
 	struct vnode *vp;
@@ -984,6 +985,21 @@
 		mac_pipe_label_free(intlabel);
 		break;
 
+	case DTYPE_SOCKET:
+		intlabel = mac_socket_label_alloc(M_WAITOK);
+		error = mac_internalize_socket_label(intlabel, buffer);
+		if (error == 0) {
+			so = fp->f_data;
+			mtx_lock(&Giant);			/* Sockets */
+			/* XXX: Socket lock here. */
+			error = mac_socket_label_set(td->td_ucred, so,
+			    intlabel);
+			/* XXX: Socket unlock here. */
+			mtx_unlock(&Giant);			/* Sockets */
+		}
+		mac_socket_label_free(intlabel);
+		break;
+
 	default:
 		error = EINVAL;
 	}

==== //depot/projects/trustedbsd/mac/sys/security/mac/mac_internal.h#17 (text+ko) ====

@@ -119,6 +119,8 @@
 	    char *outbuf, size_t outbuflen);
 int	mac_internalize_pipe_label(struct label *label, char *string);
 
+int	mac_socket_label_set(struct ucred *cred, struct socket *so,
+	    struct label *label);
 void	mac_copy_socket_label(struct label *src, struct label *dest);
 int	mac_externalize_socket_label(struct label *label, char *elements,
 	    char *outbuf, size_t outbuflen);

==== //depot/projects/trustedbsd/mac/sys/security/mac/mac_net.c#17 (text+ko) ====

@@ -994,6 +994,30 @@
 }
 
 int
+mac_socket_label_set(struct ucred *cred, struct socket *so,
+    struct label *label)
+{
+	int error;
+
+	error = mac_check_socket_relabel(cred, so, label);
+	if (error)
+		return (error);
+
+	mac_relabel_socket(cred, so, label);
+
+	/*
+	 * If the protocol has expressed interest in socket layer changes,
+	 * such as if it needs to propagate changes to a cached pcb
+	 * label from the socket, notify it of the label change while
+	 * holding the socket lock.
+	 */
+	if (so->so_proto->pr_usrreqs->pru_sosetlabel != NULL)
+		(so->so_proto->pr_usrreqs->pru_sosetlabel)(so);
+
+	return (0);
+}
+
+int
 mac_setsockopt_label(struct ucred *cred, struct socket *so, struct mac *mac)
 {
 	struct label *intlabel;
@@ -1014,32 +1038,15 @@
 	intlabel = mac_socket_label_alloc(M_WAITOK);
 	error = mac_internalize_socket_label(intlabel, buffer);
 	free(buffer, M_MACTEMP);
-	if (error) {
-		mac_socket_label_free(intlabel);
-		return (error);
-	}
+	if (error)
+		goto out;
 
-	/* XXX: Will eventually grab a socket lock here. */
-	mac_check_socket_relabel(cred, so, intlabel);
-	if (error) {
-		mac_socket_label_free(intlabel);
-		return (error);
-	}
-
-	mac_relabel_socket(cred, so, intlabel);
-
-	/*
-	 * If the protocol has expressed interest in socket layer changes,
-	 * such as if it needs to propagate changes to a cached pcb
-	 * label from the socket, notify it of the label change while
-	 * holding the socket lock.
-	 */
-	if (so->so_proto->pr_usrreqs->pru_sosetlabel != NULL)
-		(so->so_proto->pr_usrreqs->pru_sosetlabel)(so);
-	/* XXX: Will eventually release a socket lock here. */
-
+	/* XXX: Socket lock here. */
+	error = mac_socket_label_set(cred, so, intlabel);
+	/* XXX: Socket unlock here. */
+out:
 	mac_socket_label_free(intlabel);
-	return (0);
+	return (error);
 }
 
 int
To Unsubscribe: send mail to majordomo at trustedbsd.org
with "unsubscribe trustedbsd-cvs" in the body of the message

