PERFORCE change 42595 for review
Robert Watson
rwatson at FreeBSD.org
Sun Nov 16 23:46:30 GMT 2003
http://perforce.freebsd.org/chv.cgi?CH=42595
Change 42595 by rwatson at rwatson_tislabs on 2003/11/16 15:45:54
A variety of MAC Framework infrastructural changes integrated from
the MAC branch to the SEBSD branch:
MAC library:
Initialize the library and configuration file from
mac_prepare_type(), not from the calling functions.
Add mac_get_peer() to retrieve the label of a socket peer,
such as remote TCP connection label, without using the
ABI-unclean getsockopt() interface.
Update documentation.
Kernel:
mac_get_fd() and mac_set_fd() system calls now accept
socket file descriptors as arguments, and are preferred
to getsockopt()/setsockopt() to perform the same operation
for ABI reasons.
To support this, mac_socket_label_set() is abstracted
to support both socket option and mac_set_fd() interfaces.
mac_copy_socket_label() is implemented by the MAC Framework
to allow socket labels to be copied to temporary storage
for externalization purposes while locks are held.
mpo_copy_socket_label() implemented for various policies
that have a notion of socket labeling.
Socket label allocation, free, internalize, and externalize
calls are made non-static so they can be invoked from kern_mac.c
Socket option functions are renamed to be less gratuitously
long and repetitive.
protosw->pr_usrreq method "sosetlabel" added so that protocol-
specific code can propagate label changes at the socket level
to protocol-specific storage.
Labels added to struct inpcb so that they may be accessed
from the network layer without grabbing socket layer locks.
These labels cache the socket labels, and are updated by
calls to pr_sosetlabel(). This applies to IPv4 and IPv6.
Biba and MLS policies now use UMA zone allocator for
policy-specific label storage.
*copy* entry points implemented for mac_stub and mac_test.
Affected files ...
.. //depot/projects/trustedbsd/sebsd/lib/libc/posix1e/mac.c#6 integrate
.. //depot/projects/trustedbsd/sebsd/lib/libc/posix1e/mac_get.c#4 integrate
.. //depot/projects/trustedbsd/sebsd/sys/i386/conf/MAC#9 integrate
.. //depot/projects/trustedbsd/sebsd/sys/kern/kern_mac.c#21 integrate
.. //depot/projects/trustedbsd/sebsd/sys/kern/uipc_socket.c#7 integrate
.. //depot/projects/trustedbsd/sebsd/sys/kern/uipc_socket2.c#7 integrate
.. //depot/projects/trustedbsd/sebsd/sys/kern/uipc_usrreq.c#6 integrate
.. //depot/projects/trustedbsd/sebsd/sys/net/raw_usrreq.c#6 integrate
.. //depot/projects/trustedbsd/sebsd/sys/net/rtsock.c#7 integrate
.. //depot/projects/trustedbsd/sebsd/sys/netatalk/ddp_usrreq.c#6 integrate
.. //depot/projects/trustedbsd/sebsd/sys/netatm/atm_aal5.c#5 integrate
.. //depot/projects/trustedbsd/sebsd/sys/netatm/atm_usrreq.c#6 integrate
.. //depot/projects/trustedbsd/sebsd/sys/netgraph/bluetooth/socket/ng_btsocket.c#6 integrate
.. //depot/projects/trustedbsd/sebsd/sys/netgraph/ng_socket.c#5 integrate
.. //depot/projects/trustedbsd/sebsd/sys/netinet/in_pcb.c#8 integrate
.. //depot/projects/trustedbsd/sebsd/sys/netinet/in_pcb.h#8 integrate
.. //depot/projects/trustedbsd/sebsd/sys/netinet/ip_divert.c#7 integrate
.. //depot/projects/trustedbsd/sebsd/sys/netinet/raw_ip.c#7 integrate
.. //depot/projects/trustedbsd/sebsd/sys/netinet/tcp_input.c#8 integrate
.. //depot/projects/trustedbsd/sebsd/sys/netinet/tcp_usrreq.c#6 integrate
.. //depot/projects/trustedbsd/sebsd/sys/netinet/udp_usrreq.c#7 integrate
.. //depot/projects/trustedbsd/sebsd/sys/netinet6/raw_ip6.c#7 integrate
.. //depot/projects/trustedbsd/sebsd/sys/netinet6/udp6_usrreq.c#7 integrate
.. //depot/projects/trustedbsd/sebsd/sys/netipsec/keysock.c#6 integrate
.. //depot/projects/trustedbsd/sebsd/sys/netipx/ipx_usrreq.c#5 integrate
.. //depot/projects/trustedbsd/sebsd/sys/netipx/spx_usrreq.c#6 integrate
.. //depot/projects/trustedbsd/sebsd/sys/netkey/keysock.c#7 integrate
.. //depot/projects/trustedbsd/sebsd/sys/netnatm/natm.c#6 integrate
.. //depot/projects/trustedbsd/sebsd/sys/security/mac/mac_internal.h#10 integrate
.. //depot/projects/trustedbsd/sebsd/sys/security/mac/mac_net.c#7 integrate
.. //depot/projects/trustedbsd/sebsd/sys/security/mac_biba/mac_biba.c#10 integrate
.. //depot/projects/trustedbsd/sebsd/sys/security/mac_ifoff/mac_ifoff.c#5 integrate
.. //depot/projects/trustedbsd/sebsd/sys/security/mac_lomac/mac_lomac.c#10 integrate
.. //depot/projects/trustedbsd/sebsd/sys/security/mac_mls/mac_mls.c#9 integrate
.. //depot/projects/trustedbsd/sebsd/sys/security/mac_stub/mac_stub.c#7 integrate
.. //depot/projects/trustedbsd/sebsd/sys/security/mac_test/mac_test.c#9 integrate
.. //depot/projects/trustedbsd/sebsd/sys/sys/mac.h#14 integrate
.. //depot/projects/trustedbsd/sebsd/sys/sys/mac_policy.h#11 integrate
.. //depot/projects/trustedbsd/sebsd/sys/sys/protosw.h#6 integrate
Differences ...
==== //depot/projects/trustedbsd/sebsd/lib/libc/posix1e/mac.c#6 (text+ko) ====
@@ -358,7 +358,12 @@
mac_prepare_type(struct mac **mac, const char *name)
{
struct label_default *ld;
+ int error;
+ error = mac_maybe_init_internal();
+ if (error != 0)
+ return (error);
+
for (ld = LIST_FIRST(&label_default_head); ld != NULL;
ld = LIST_NEXT(ld, ld_entries)) {
if (strcmp(name, ld->ld_name) == 0)
@@ -372,35 +377,20 @@
int
mac_prepare_ifnet_label(struct mac **mac)
{
- int error;
- error = mac_maybe_init_internal();
- if (error != 0)
- return (error);
-
return (mac_prepare_type(mac, "ifnet"));
}
int
mac_prepare_file_label(struct mac **mac)
{
- int error;
- error = mac_maybe_init_internal();
- if (error != 0)
- return (error);
-
return (mac_prepare_type(mac, "file"));
}
int
mac_prepare_packet_label(struct mac **mac)
{
- int error;
-
- error = mac_maybe_init_internal();
- if (error != 0)
- return (error);
return (mac_prepare_type(mac, "packet"));
}
@@ -408,11 +398,6 @@
int
mac_prepare_process_label(struct mac **mac)
{
- int error;
-
- error = mac_maybe_init_internal();
- if (error != 0)
- return (error);
return (mac_prepare_type(mac, "process"));
}
==== //depot/projects/trustedbsd/sebsd/lib/libc/posix1e/mac_get.c#4 (text+ko) ====
@@ -33,6 +33,7 @@
#include <sys/types.h>
#include <sys/mac.h>
+#include <sys/socket.h>
extern int __mac_get_fd(int fd, struct mac *mac_p);
extern int __mac_get_file(const char *path_p, struct mac *mac_p);
@@ -61,6 +62,15 @@
return (__mac_get_link(path, label));
}
+
+int
+mac_get_peer(int fd, struct mac *label)
+{
+ socklen_t len;
+
+ len = sizeof(*label);
+ return (getsockopt(fd, SOL_SOCKET, SO_PEERLABEL, label, &len));
+}
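Review bot: mac_get_peer() is implemented on top of getsockopt(SO_PEERLABEL) with `len = sizeof(*label)`, while the change description presents it as a way to obtain the peer label without the ABI-unclean getsockopt() path; either the description or the implementation should say which interface is intended. As written, the kernel side of SO_PEERLABEL now copies the caller's struct mac in before filling it (see the uipc_socket.c hunks), so this function silently depends on `label` having been set up by mac_prepare_*() with a valid m_buflen and string buffer; a header comment such as `/* label must have been prepared with mac_prepare*(); the kernel reads m_buflen and the buffer pointer from it. */` would make that contract explicit. The return convention (-1 with errno from getsockopt) matches the neighbouring mac_get_* wrappers that return the raw syscall result.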
int
mac_get_pid(pid_t pid, struct mac *label)
{
==== //depot/projects/trustedbsd/sebsd/sys/i386/conf/MAC#9 (text+ko) ====
@@ -32,7 +32,9 @@
options MAC
#options MAC_ALWAYS_LABEL_MBUF
+options MAC_BIBA
options MAC_DEBUG
+options MAC_TEST
#options MAC_STATIC
options UFS_EXTATTR
options UFS_EXTATTR_AUTOSTART
==== //depot/projects/trustedbsd/sebsd/sys/kern/kern_mac.c#21 (text+ko) ====
@@ -726,6 +726,7 @@
struct mac mac;
struct vnode *vp;
struct pipe *pipe;
+ struct socket *so;
short label_type;
int error;
@@ -776,6 +777,19 @@
mac_pipe_label_free(intlabel);
break;
+ case DTYPE_SOCKET:
+ so = fp->f_data;
+ intlabel = mac_socket_label_alloc(M_WAITOK);
+ mtx_lock(&Giant); /* Sockets */
+ /* XXX: Socket lock here. */
+ mac_copy_socket_label(so->so_label, intlabel);
+ /* XXX: Socket unlock here. */
+ mtx_unlock(&Giant); /* Sockets */
+ error = mac_externalize_socket_label(intlabel, elements,
+ buffer, mac.m_buflen);
+ mac_socket_label_free(intlabel);
+ break;
+
default:
error = EINVAL;
}
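Review bot: The new DTYPE_SOCKET case calls mac_socket_label_alloc(M_WAITOK) and passes the result straight to mac_copy_socket_label() without a NULL check; the allocator in the mac_net.c hunk returns NULL when a policy's init_socket_label hook fails, independent of the M_WAITOK flag, so a policy refusing the allocation would dereference NULL while Giant is held. The same pattern appears in the mac_set_fd DTYPE_SOCKET case in the @@ -1025 hunk, where intlabel is handed to mac_internalize_socket_label() unchecked. A guard `if (intlabel == NULL) { error = ENOMEM; break; }` after each allocation would match how mac_init_inpcb() treats the equivalent NULL from mac_inpcb_label_alloc(). The enclosing function begins outside the hunk.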
@@ -961,6 +975,7 @@
{
struct label *intlabel;
struct pipe *pipe;
+ struct socket *so;
struct file *fp;
struct mount *mp;
struct vnode *vp;
@@ -1025,6 +1040,21 @@
mac_pipe_label_free(intlabel);
break;
+ case DTYPE_SOCKET:
+ intlabel = mac_socket_label_alloc(M_WAITOK);
+ error = mac_internalize_socket_label(intlabel, buffer);
+ if (error == 0) {
+ so = fp->f_data;
+ mtx_lock(&Giant); /* Sockets */
+ /* XXX: Socket lock here. */
+ error = mac_socket_label_set(td->td_ucred, so,
+ intlabel);
+ /* XXX: Socket unlock here. */
+ mtx_unlock(&Giant); /* Sockets */
+ }
+ mac_socket_label_free(intlabel);
+ break;
+
default:
error = EINVAL;
}
==== //depot/projects/trustedbsd/sebsd/sys/kern/uipc_socket.c#7 (text+ko) ====
@@ -1452,10 +1452,8 @@
sizeof extmac);
if (error)
goto bad;
-
- error = mac_setsockopt_label_set(
- sopt->sopt_td->td_ucred, so, &extmac);
-
+ error = mac_setsockopt_label(sopt->sopt_td->td_ucred,
+ so, &extmac);
#else
error = EOPNOTSUPP;
#endif
@@ -1599,8 +1597,12 @@
break;
case SO_LABEL:
#ifdef MAC
- error = mac_getsockopt_label_get(
- sopt->sopt_td->td_ucred, so, &extmac);
+ error = sooptcopyin(sopt, &extmac, sizeof(extmac),
+ sizeof(extmac));
+ if (error)
+ return (error);
+ error = mac_getsockopt_label(sopt->sopt_td->td_ucred,
+ so, &extmac);
if (error)
return (error);
error = sooptcopyout(sopt, &extmac, sizeof extmac);
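Review bot: SO_LABEL's getsockopt path now reads the option value with sooptcopyin() before mac_getsockopt_label() fills it, so `extmac` (its m_buflen and the buffer pointer it carries) is user-controlled input on the get side as well as the set side; nothing in the hunk bounds it, so that validation has to live in mac_getsockopt_label(), which is not part of this change and is worth confirming. Reading the option buffer inside getsockopt is unusual enough to deserve a comment, e.g. `/* The caller's struct mac describes where to externalize; copy it in before filling it. */`. The SO_PEERLABEL case in the @@ -1610 hunk has the same shape and would take the same comment. The enclosing switch continues outside the hunk.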
@@ -1610,7 +1612,11 @@
break;
case SO_PEERLABEL:
#ifdef MAC
- error = mac_getsockopt_peerlabel_get(
+ error = sooptcopyin(sopt, &extmac, sizeof(extmac),
+ sizeof(extmac));
+ if (error)
+ return (error);
+ error = mac_getsockopt_peerlabel(
sopt->sopt_td->td_ucred, so, &extmac);
if (error)
return (error);
==== //depot/projects/trustedbsd/sebsd/sys/kern/uipc_socket2.c#7 (text+ko) ====
@@ -1042,6 +1042,16 @@
}
/*
+ * For protocol types that don't keep cached copies of labels in their
+ * pcbs, provide a null sosetlabel that does a NOOP.
+ */
+void
+pru_sosetlabel_null(struct socket *so)
+{
+
+}
+
+/*
* Make a copy of a sockaddr in a malloced buffer of type M_SONAME.
*/
struct sockaddr *
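Review bot: pr_sosetlabel is appended as a new positional member of struct pr_usrreqs, and every table in this change is updated by adding `pru_sosetlabel_null` or `in_pcbsosetlabel` at the end; any table the change misses, or an out-of-tree protocol, ends up with a NULL pr_sosetlabel, and the socket-layer code that invokes it — not in this change — would presumably call through NULL on a relabel. It would be safer for that caller to treat a NULL member as pru_sosetlabel_null, or failing that to state in the comment here that the member is mandatory, e.g. `* Every protocol must supply a pru_sosetlabel; this is the default for those without pcb-cached labels.`. The unused `so` parameter is fine for a null handler.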
==== //depot/projects/trustedbsd/sebsd/sys/kern/uipc_usrreq.c#6 (text+ko) ====
@@ -450,7 +450,7 @@
uipc_connect2, pru_control_notsupp, uipc_detach, uipc_disconnect,
uipc_listen, uipc_peeraddr, uipc_rcvd, pru_rcvoob_notsupp,
uipc_send, uipc_sense, uipc_shutdown, uipc_sockaddr,
- sosend, soreceive, sopoll
+ sosend, soreceive, sopoll, pru_sosetlabel_null
};
int
==== //depot/projects/trustedbsd/sebsd/sys/net/raw_usrreq.c#6 (text+ko) ====
@@ -296,5 +296,5 @@
pru_connect2_notsupp, pru_control_notsupp, raw_udetach,
raw_udisconnect, pru_listen_notsupp, raw_upeeraddr, pru_rcvd_notsupp,
pru_rcvoob_notsupp, raw_usend, pru_sense_null, raw_ushutdown,
- raw_usockaddr, sosend, soreceive, sopoll
+ raw_usockaddr, sosend, soreceive, sopoll, pru_sosetlabel_null
};
==== //depot/projects/trustedbsd/sebsd/sys/net/rtsock.c#7 (text+ko) ====
@@ -271,7 +271,7 @@
pru_connect2_notsupp, pru_control_notsupp, rts_detach, rts_disconnect,
pru_listen_notsupp, rts_peeraddr, pru_rcvd_notsupp, pru_rcvoob_notsupp,
rts_send, pru_sense_null, rts_shutdown, rts_sockaddr,
- sosend, soreceive, sopoll
+ sosend, soreceive, sopoll, pru_sosetlabel_null
};
/*ARGSUSED*/
==== //depot/projects/trustedbsd/sebsd/sys/netatalk/ddp_usrreq.c#6 (text+ko) ====
@@ -592,5 +592,6 @@
at_setsockaddr,
sosend,
soreceive,
- sopoll
+ sopoll,
+ pru_sosetlabel_null
};
==== //depot/projects/trustedbsd/sebsd/sys/netatm/atm_aal5.c#5 (text+ko) ====
@@ -112,7 +112,8 @@
atm_aal5_sockaddr, /* pru_sockaddr */
sosend, /* pru_sosend */
soreceive, /* pru_soreceive */
- sopoll /* pru_sopoll */
+ sopoll, /* pru_sopoll */
+ pru_sosetlabel_null /* pru_sosetlabel */
};
/*
==== //depot/projects/trustedbsd/sebsd/sys/netatm/atm_usrreq.c#6 (text+ko) ====
@@ -85,6 +85,10 @@
pru_sense_null, /* pru_sense */
atm_proto_notsupp1, /* pru_shutdown */
atm_proto_notsupp3, /* pru_sockaddr */
+ NULL, /* pru_sosend */
+ NULL, /* pru_soreceive */
+ NULL, /* pru_sooll */
+ pru_sosetlabel_null /* pru_sosetlabel */
};
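Review bot: The comment on the third added NULL entry reads `/* pru_sooll */` and should be `/* pru_sopoll */` to match the member it documents. The three explicit NULLs also make visible that this table provides no pru_sosend/pru_soreceive/pru_sopoll; that was already the case implicitly, but if the socket layer can reach those members for this protocol it is now easier to spot.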
==== //depot/projects/trustedbsd/sebsd/sys/netgraph/bluetooth/socket/ng_btsocket.c#6 (text+ko) ====
@@ -79,7 +79,8 @@
ng_btsocket_hci_raw_sockaddr, /* sockaddr */
sosend,
soreceive,
- sopoll
+ sopoll,
+ pru_sosetlabel_null
};
/*
@@ -106,7 +107,8 @@
ng_btsocket_l2cap_raw_sockaddr, /* sockaddr */
sosend,
soreceive,
- sopoll
+ sopoll,
+ pru_sosetlabel_null
};
/*
@@ -133,7 +135,8 @@
ng_btsocket_l2cap_sockaddr, /* sockaddr */
sosend,
soreceive,
- sopoll
+ sopoll,
+ pru_sosetlabel_null
};
/*
@@ -160,7 +163,8 @@
ng_btsocket_rfcomm_sockaddr, /* sockaddr */
sosend,
soreceive,
- sopoll
+ sopoll,
+ pru_sosetlabel_null
};
/*
==== //depot/projects/trustedbsd/sebsd/sys/netgraph/ng_socket.c#5 (text+ko) ====
@@ -979,7 +979,8 @@
ng_setsockaddr,
sosend,
soreceive,
- sopoll
+ sopoll,
+ pru_sosetlabel_null
};
static struct pr_usrreqs ngd_usrreqs = {
@@ -1002,7 +1003,8 @@
ng_setsockaddr,
sosend,
soreceive,
- sopoll
+ sopoll,
+ pru_sosetlabel_null
};
/*
==== //depot/projects/trustedbsd/sebsd/sys/netinet/in_pcb.c#8 (text+ko) ====
@@ -36,10 +36,12 @@
#include "opt_ipsec.h"
#include "opt_inet6.h"
+#include "opt_mac.h"
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/limits.h>
+#include <sys/mac.h>
#include <sys/malloc.h>
#include <sys/mbuf.h>
#include <sys/domain.h>
@@ -162,26 +164,30 @@
struct thread *td;
{
register struct inpcb *inp;
-#if defined(IPSEC) || defined(FAST_IPSEC)
int error;
-#endif
+
INP_INFO_WLOCK_ASSERT(pcbinfo);
+ error = 0;
inp = uma_zalloc(pcbinfo->ipi_zone, M_NOWAIT | M_ZERO);
if (inp == NULL)
return (ENOBUFS);
inp->inp_gencnt = ++pcbinfo->ipi_gencnt;
inp->inp_pcbinfo = pcbinfo;
inp->inp_socket = so;
+#ifdef MAC
+ error = mac_init_inpcb(inp, M_NOWAIT);
+ if (error != 0)
+ goto out;
+ mac_create_inpcb_from_socket(so, inp);
+#endif
#if defined(IPSEC) || defined(FAST_IPSEC)
#ifdef FAST_IPSEC
error = ipsec_init_policy(so, &inp->inp_sp);
#else
error = ipsec_init_pcbpolicy(so, &inp->inp_sp);
#endif
- if (error != 0) {
- uma_zfree(pcbinfo->ipi_zone, inp);
- return error;
- }
+ if (error != 0)
+ goto out;
#endif /*IPSEC*/
#if defined(INET6)
if (INP_SOCKAF(so) == AF_INET6) {
@@ -198,7 +204,12 @@
if (ip6_auto_flowlabel)
inp->inp_flags |= IN6P_AUTOFLOWLABEL;
#endif
- return (0);
+#if defined(IPSEC) || defined(FAST_IPSEC) || defined(MAC)
+out:
+ if (error != 0)
+ uma_zfree(pcbinfo->ipi_zone, inp);
+#endif
+ return (error);
}
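Review bot: The shared `out:` cleanup frees the inpcb but not the MAC label that mac_init_inpcb() attached to it in the preceding hunk, so when IPSEC policy initialization fails after the label was allocated, inp_label leaks (and the nmacinpcbs debug counter drifts). The cleanup should release the label before uma_zfree(), guarded on inp_label being non-NULL, because mac_init_inpcb() leaves it NULL on its own failure and mac_destroy_inpcb() in mac_net.c passes the pointer to the policy hooks unconditionally; the M_ZERO allocation guarantees the field starts out NULL. in_pcballoc's head is in the preceding hunk.
```c
#if defined(IPSEC) || defined(FAST_IPSEC) || defined(MAC)
out:
	if (error != 0) {
#ifdef MAC
		/* Label is NULL if mac_init_inpcb() itself failed. */
		if (inp->inp_label != NULL)
			mac_destroy_inpcb(inp);
#endif
		uma_zfree(pcbinfo->ipi_zone, inp);
	}
#endif
	return (error);
```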
int
@@ -701,6 +712,9 @@
ip_freemoptions(inp->inp_moptions);
inp->inp_vflag = 0;
INP_LOCK_DESTROY(inp);
+#ifdef MAC
+ mac_destroy_inpcb(inp);
+#endif
uma_zfree(ipi->ipi_zone, inp);
}
@@ -1217,6 +1231,25 @@
pcbinfo->ipi_count--;
}
+/*
+ * A set label operation has occurred at the socket layer, propagate the
+ * label change into the in_pcb for the socket.
+ */
+void
+in_pcbsosetlabel(so)
+ struct socket *so;
+{
+#ifdef MAC
+ struct inpcb *inp;
+
+ /* XXX: Will assert socket lock when we have them. */
+ inp = (struct inpcb *)so->so_pcb;
+ INP_LOCK(inp);
+ mac_inpcb_sosetlabel(so, inp);
+ INP_UNLOCK(inp);
+#endif
+}
+
int
prison_xinpcb(struct thread *td, struct inpcb *inp)
{
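Review bot: in_pcbsosetlabel() dereferences `so->so_pcb` without checking it, so a label set on a socket whose pcb has already been detached would lock and pass a NULL inpcb to mac_inpcb_sosetlabel(); whether that window is reachable from setsockopt or mac_set_fd depends on the protocol detach paths, which are not in this change, but inpcb-based usrreq entry points commonly guard this case. A leading `if (inp == NULL) return;` after the assignment, or a KASSERT if the window is believed impossible, would make the assumption explicit. The mac_inpcb_sosetlabel() hook itself is defined outside this change.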
==== //depot/projects/trustedbsd/sebsd/sys/netinet/in_pcb.h#8 (text+ko) ====
@@ -134,6 +134,7 @@
struct inpcbinfo *inp_pcbinfo; /* PCB list info */
struct socket *inp_socket; /* back pointer to socket */
/* list for this PCB's local port */
+ struct label *inp_label; /* MAC label */
int inp_flags; /* generic IP/datagram flags */
struct inpcbpolicy *inp_sp; /* for IPSEC */
@@ -369,10 +370,12 @@
void in_pcbnotifyall(struct inpcbinfo *pcbinfo, struct in_addr,
int, struct inpcb *(*)(struct inpcb *, int));
void in_pcbrehash(struct inpcb *);
+void in_pcbsetsolabel(struct socket *so);
int in_setpeeraddr(struct socket *so, struct sockaddr **nam, struct inpcbinfo *pcbinfo);
int in_setsockaddr(struct socket *so, struct sockaddr **nam, struct inpcbinfo *pcbinfo);;
struct sockaddr *
in_sockaddr(in_port_t port, struct in_addr *addr);
+void in_pcbsosetlabel(struct socket *so);
void in_pcbremlists(struct inpcb *inp);
int prison_xinpcb(struct thread *td, struct inpcb *inp);
#endif /* _KERNEL */
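Review bot: The hunk adds two prototypes, `in_pcbsetsolabel` and `in_pcbsosetlabel`, but only in_pcbsosetlabel() is defined in in_pcb.c in this change and it is the name the usrreq tables reference; the `void in_pcbsetsolabel(struct socket *so);` line looks like a leftover from a rename and should be dropped so the header does not advertise a function that does not exist.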
==== //depot/projects/trustedbsd/sebsd/sys/netinet/ip_divert.c#7 (text+ko) ====
@@ -652,5 +652,5 @@
pru_connect_notsupp, pru_connect2_notsupp, in_control, div_detach,
div_disconnect, pru_listen_notsupp, div_peeraddr, pru_rcvd_notsupp,
pru_rcvoob_notsupp, div_send, pru_sense_null, div_shutdown,
- div_sockaddr, sosend, soreceive, sopoll
+ div_sockaddr, sosend, soreceive, sopoll, in_pcbsosetlabel
};
==== //depot/projects/trustedbsd/sebsd/sys/netinet/raw_ip.c#7 (text+ko) ====
@@ -162,7 +162,7 @@
}
#endif /*FAST_IPSEC*/
#ifdef MAC
- if (!policyfail && mac_check_socket_deliver(last->inp_socket, n) != 0)
+ if (!policyfail && mac_check_inpcb_deliver(last, n) != 0)
policyfail = 1;
#endif
if (!policyfail) {
@@ -839,5 +839,5 @@
pru_connect2_notsupp, in_control, rip_detach, rip_disconnect,
pru_listen_notsupp, rip_peeraddr, pru_rcvd_notsupp,
pru_rcvoob_notsupp, rip_send, pru_sense_null, rip_shutdown,
- rip_sockaddr, sosend, soreceive, sopoll
+ rip_sockaddr, sosend, soreceive, sopoll, in_pcbsosetlabel
};
==== //depot/projects/trustedbsd/sebsd/sys/netinet/tcp_input.c#8 (text+ko) ====
@@ -683,11 +683,11 @@
else
tiwin = th->th_win;
- so = inp->inp_socket;
#ifdef MAC
- if (mac_check_socket_deliver(so, m))
+ if (mac_check_inpcb_deliver(inp, m))
goto drop;
#endif
+ so = inp->inp_socket;
#ifdef TCPDEBUG
if (so->so_options & SO_DEBUG) {
ostate = tp->t_state;
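Review bot: Moving `so = inp->inp_socket;` below the MAC check means that on the `goto drop` taken when mac_check_inpcb_deliver() rejects the packet, `so` no longer holds this connection's socket; if anything at the drop label (outside the hunk) reads `so`, for instance under TCPDEBUG, it now sees whatever the variable held earlier, which is worth checking. If the drop path does not use it, the reorder is fine, and a short comment on the goto such as `/* so is not yet set here; the drop path must not use it. */` would record that.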
==== //depot/projects/trustedbsd/sebsd/sys/netinet/tcp_usrreq.c#6 (text+ko) ====
@@ -816,7 +816,7 @@
tcp_usr_connect, pru_connect2_notsupp, in_control, tcp_usr_detach,
tcp_usr_disconnect, tcp_usr_listen, tcp_peeraddr, tcp_usr_rcvd,
tcp_usr_rcvoob, tcp_usr_send, pru_sense_null, tcp_usr_shutdown,
- tcp_sockaddr, sosend, soreceive, sopoll
+ tcp_sockaddr, sosend, soreceive, sopoll, in_pcbsosetlabel
};
#ifdef INET6
@@ -825,7 +825,7 @@
tcp6_usr_connect, pru_connect2_notsupp, in6_control, tcp_usr_detach,
tcp_usr_disconnect, tcp6_usr_listen, in6_mapped_peeraddr, tcp_usr_rcvd,
tcp_usr_rcvoob, tcp_usr_send, pru_sense_null, tcp_usr_shutdown,
- in6_mapped_sockaddr, sosend, soreceive, sopoll
+ in6_mapped_sockaddr, sosend, soreceive, sopoll, in_pcbsosetlabel
};
#endif /* INET6 */
==== //depot/projects/trustedbsd/sebsd/sys/netinet/udp_usrreq.c#7 (text+ko) ====
@@ -447,7 +447,7 @@
}
#endif /*FAST_IPSEC*/
#ifdef MAC
- if (mac_check_socket_deliver(last->inp_socket, n) != 0) {
+ if (mac_check_inpcb_deliver(last, n) != 0) {
m_freem(n);
return;
}
@@ -1097,5 +1097,5 @@
pru_connect2_notsupp, in_control, udp_detach, udp_disconnect,
pru_listen_notsupp, udp_peeraddr, pru_rcvd_notsupp,
pru_rcvoob_notsupp, udp_send, pru_sense_null, udp_shutdown,
- udp_sockaddr, sosend, soreceive, sopoll
+ udp_sockaddr, sosend, soreceive, sopoll, in_pcbsosetlabel
};
==== //depot/projects/trustedbsd/sebsd/sys/netinet6/raw_ip6.c#7 (text+ko) ====
@@ -753,5 +753,5 @@
pru_connect2_notsupp, in6_control, rip6_detach, rip6_disconnect,
pru_listen_notsupp, in6_setpeeraddr, pru_rcvd_notsupp,
pru_rcvoob_notsupp, rip6_send, pru_sense_null, rip6_shutdown,
- in6_setsockaddr, sosend, soreceive, sopoll
+ in6_setsockaddr, sosend, soreceive, sopoll, pru_sosetlabel_null
};
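Review bot: rip6's usrreqs get `pru_sosetlabel_null`, while the IPv4 raw_ip table in this change uses in_pcbsosetlabel and the IPv6 udp6 and tcp6 tables do too; if rip6 sockets are backed by an inpcb carrying the new inp_label (its use of in6_control suggests it goes through the in_pcb code, though rip6_attach is not visible here), a relabel of a raw IPv6 socket leaves the cached inpcb label stale and any future mac_check_inpcb_deliver() in rip6_input would check the old label. Unless raw IPv6 is deliberately excluded, this should read `in6_setsockaddr, sosend, soreceive, sopoll, in_pcbsosetlabel` for consistency with the description's "applies to IPv4 and IPv6".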
==== //depot/projects/trustedbsd/sebsd/sys/netinet6/udp6_usrreq.c#7 (text+ko) ====
@@ -768,5 +768,5 @@
pru_connect2_notsupp, in6_control, udp6_detach, udp6_disconnect,
pru_listen_notsupp, in6_mapped_peeraddr, pru_rcvd_notsupp,
pru_rcvoob_notsupp, udp6_send, pru_sense_null, udp_shutdown,
- in6_mapped_sockaddr, sosend, soreceive, sopoll
+ in6_mapped_sockaddr, sosend, soreceive, sopoll, in_pcbsosetlabel
};
==== //depot/projects/trustedbsd/sebsd/sys/netipsec/keysock.c#6 (text+ko) ====
@@ -567,7 +567,8 @@
key_disconnect, pru_listen_notsupp, key_peeraddr,
pru_rcvd_notsupp,
pru_rcvoob_notsupp, key_send, pru_sense_null, key_shutdown,
- key_sockaddr, sosend, soreceive, sopoll
+ key_sockaddr, sosend, soreceive, sopoll,
+ pru_sosetlabel_null
};
/* sysctl */
==== //depot/projects/trustedbsd/sebsd/sys/netipx/ipx_usrreq.c#5 (text+ko) ====
@@ -93,7 +93,7 @@
ipx_connect, pru_connect2_notsupp, ipx_control, ipx_detach,
ipx_disconnect, pru_listen_notsupp, ipx_peeraddr, pru_rcvd_notsupp,
pru_rcvoob_notsupp, ipx_send, pru_sense_null, ipx_shutdown,
- ipx_sockaddr, sosend, soreceive, sopoll
+ ipx_sockaddr, sosend, soreceive, sopoll, pru_sosetlabel_null
};
struct pr_usrreqs ripx_usrreqs = {
@@ -101,7 +101,7 @@
ipx_connect, pru_connect2_notsupp, ipx_control, ipx_detach,
ipx_disconnect, pru_listen_notsupp, ipx_peeraddr, pru_rcvd_notsupp,
pru_rcvoob_notsupp, ipx_send, pru_sense_null, ipx_shutdown,
- ipx_sockaddr, sosend, soreceive, sopoll
+ ipx_sockaddr, sosend, soreceive, sopoll, pru_sosetlabel_null
};
/*
==== //depot/projects/trustedbsd/sebsd/sys/netipx/spx_usrreq.c#6 (text+ko) ====
@@ -112,7 +112,7 @@
spx_connect, pru_connect2_notsupp, ipx_control, spx_detach,
spx_usr_disconnect, spx_listen, ipx_peeraddr, spx_rcvd,
spx_rcvoob, spx_send, pru_sense_null, spx_shutdown,
- ipx_sockaddr, sosend, soreceive, sopoll
+ ipx_sockaddr, sosend, soreceive, sopoll, pru_sosetlabel_null
};
struct pr_usrreqs spx_usrreq_sps = {
@@ -120,7 +120,7 @@
spx_connect, pru_connect2_notsupp, ipx_control, spx_detach,
spx_usr_disconnect, spx_listen, ipx_peeraddr, spx_rcvd,
spx_rcvoob, spx_send, pru_sense_null, spx_shutdown,
- ipx_sockaddr, sosend, soreceive, sopoll
+ ipx_sockaddr, sosend, soreceive, sopoll, pru_sosetlabel_null
};
void
==== //depot/projects/trustedbsd/sebsd/sys/netkey/keysock.c#7 (text+ko) ====
@@ -477,7 +477,8 @@
key_disconnect, pru_listen_notsupp, key_peeraddr,
pru_rcvd_notsupp,
pru_rcvoob_notsupp, key_send, pru_sense_null, key_shutdown,
- key_sockaddr, sosend, soreceive, sopoll
+ key_sockaddr, sosend, soreceive, sopoll,
+ pru_sosetlabel_null
};
/* sysctl */
==== //depot/projects/trustedbsd/sebsd/sys/netnatm/natm.c#6 (text+ko) ====
@@ -396,7 +396,7 @@
natm_usr_detach, natm_usr_disconnect, pru_listen_notsupp,
natm_usr_peeraddr, pru_rcvd_notsupp, pru_rcvoob_notsupp,
natm_usr_send, pru_sense_null, natm_usr_shutdown,
- natm_usr_sockaddr, sosend, soreceive, sopoll
+ natm_usr_sockaddr, sosend, soreceive, sopoll, pru_sosetlabel_null
};
#else /* !FREEBSD_USRREQS */
==== //depot/projects/trustedbsd/sebsd/sys/security/mac/mac_internal.h#10 (text+ko) ====
@@ -107,6 +107,8 @@
void mac_mount_label_free(struct label *label);
struct label *mac_pipe_label_alloc(void);
void mac_pipe_label_free(struct label *label);
+struct label *mac_socket_label_alloc(int flag);
+void mac_socket_label_free(struct label *label);
int mac_check_cred_relabel(struct ucred *cred, struct label *newlabel);
int mac_externalize_cred_label(struct label *label, char *elements,
@@ -123,6 +125,13 @@
char *outbuf, size_t outbuflen);
int mac_internalize_pipe_label(struct label *label, char *string);
+int mac_socket_label_set(struct ucred *cred, struct socket *so,
+ struct label *label);
+void mac_copy_socket_label(struct label *src, struct label *dest);
+int mac_externalize_socket_label(struct label *label, char *elements,
+ char *outbuf, size_t outbuflen);
+int mac_internalize_socket_label(struct label *label, char *string);
+
int mac_externalize_vnode_label(struct label *label, char *elements,
char *outbuf, size_t outbuflen);
int mac_internalize_vnode_label(struct label *label, char *string);
==== //depot/projects/trustedbsd/sebsd/sys/security/mac/mac_net.c#7 (text+ko) ====
@@ -50,6 +50,7 @@
#include <sys/mount.h>
#include <sys/file.h>
#include <sys/namei.h>
+#include <sys/protosw.h>
#include <sys/socket.h>
#include <sys/socketvar.h>
#include <sys/sysctl.h>
@@ -61,6 +62,7 @@
#include <net/if_var.h>
#include <netinet/in.h>
+#include <netinet/in_pcb.h>
#include <netinet/ip_var.h>
#include <security/mac/mac_internal.h>
@@ -77,12 +79,14 @@
#ifdef MAC_DEBUG
static unsigned int nmacmbufs, nmacifnets, nmacbpfdescs, nmacsockets,
- nmacipqs;
+ nmacinpcbs, nmacipqs;
SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, mbufs, CTLFLAG_RD,
&nmacmbufs, 0, "number of mbufs in use");
SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, ifnets, CTLFLAG_RD,
&nmacifnets, 0, "number of ifnets in use");
+SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, inpcbs, CTLFLAG_RD,
+ &nmacinpcbs, 0, "number of inpcbs in use");
SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, ipqs, CTLFLAG_RD,
&nmacipqs, 0, "number of ipqs in use");
SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, bpfdescs, CTLFLAG_RD,
@@ -91,9 +95,6 @@
&nmacsockets, 0, "number of sockets in use");
#endif
-static void mac_socket_label_free(struct label *label);
-
-
static struct label *
mbuf_to_label(struct mbuf *mbuf)
{
@@ -143,6 +144,35 @@
}
static struct label *
+mac_inpcb_label_alloc(int flag)
+{
+ struct label *label;
+ int error;
+
+ label = mac_labelzone_alloc(flag);
+ if (label == NULL)
+ return (NULL);
+ MAC_CHECK(init_inpcb_label, label, flag);
+ if (error) {
+ MAC_PERFORM(destroy_inpcb_label, label);
+ mac_labelzone_free(label);
+ return (NULL);
+ }
+ MAC_DEBUG_COUNTER_INC(&nmacinpcbs);
+ return (label);
+}
+
+int
+mac_init_inpcb(struct inpcb *inp, int flag)
+{
+
+ inp->inp_label = mac_inpcb_label_alloc(flag);
+ if (inp->inp_label == NULL)
+ return (ENOMEM);
+ return (0);
+}
+
+static struct label *
mac_ipq_label_alloc(int flag)
{
struct label *label;
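Review bot: mac_init_inpcb() reports ENOMEM whenever mac_inpcb_label_alloc() returns NULL, but that helper returns NULL both when the label zone is exhausted and when a policy's init_inpcb_label hook refuses, so a policy-specific error code is discarded; in_pcballoc then surfaces ENOMEM to its caller, the only path there that returns ENOMEM rather than ENOBUFS. If the collapse is intentional, a comment above the return such as `/* Zone exhaustion and policy refusal both surface as ENOMEM. */` would document it; otherwise the helper could hand the error back through an out parameter. This mirrors the existing mac_socket_label_alloc() shape in the later hunk, so it is at least consistent.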
@@ -220,7 +250,7 @@
return (0);
}
-static struct label *
+struct label *
mac_socket_label_alloc(int flag)
{
struct label *label;
@@ -234,7 +264,7 @@
if (error) {
MAC_PERFORM(destroy_socket_label, label);
mac_labelzone_free(label);
- return (NULL);
+ return (NULL);
}
MAC_DEBUG_COUNTER_INC(&nmacsockets);
return (label);
@@ -254,7 +284,7 @@
if (error) {
MAC_PERFORM(destroy_socket_peer_label, label);
mac_labelzone_free(label);
- return (NULL);
+ return (NULL);
}
MAC_DEBUG_COUNTER_INC(&nmacsockets);
return (label);
@@ -311,6 +341,23 @@
}
static void
+mac_inpcb_label_free(struct label *label)
+{
+
+ MAC_PERFORM(destroy_inpcb_label, label);
+ mac_labelzone_free(label);
+ MAC_DEBUG_COUNTER_DEC(&nmacinpcbs);
+}
+
+void
+mac_destroy_inpcb(struct inpcb *inp)
+{
+
+ mac_inpcb_label_free(inp->inp_label);
+ inp->inp_label = NULL;
+}
+
+static void
mac_ipq_label_free(struct label *label)
{
@@ -339,7 +386,7 @@
MAC_DEBUG_COUNTER_DEC(&nmacmbufs);
}
-static void
+void
mac_socket_label_free(struct label *label)
{
@@ -382,6 +429,13 @@
MAC_PERFORM(copy_mbuf_label, src_label, dest_label);
}
+void
+mac_copy_socket_label(struct label *src, struct label *dest)
+{
+
+ MAC_PERFORM(copy_socket_label, src, dest);
+}
+
static int
mac_externalize_ifnet_label(struct label *label, char *elements,
char *outbuf, size_t outbuflen)
@@ -393,7 +447,7 @@
return (error);
}
-static int
+int
mac_externalize_socket_label(struct label *label, char *elements,
char *outbuf, size_t outbuflen)
{
@@ -425,7 +479,7 @@
return (error);
}
-static int
+int
mac_internalize_socket_label(struct label *label, char *string)
{
int error;
@@ -443,6 +497,14 @@
}
void
+mac_create_inpcb_from_socket(struct socket *so, struct inpcb *inp)
+{
+
+ MAC_PERFORM(create_inpcb_from_socket, so, so->so_label, inp,
+ inp->inp_label);
+}
+
+void
mac_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d)
{
@@ -704,6 +766,24 @@
}
int
+mac_check_inpcb_deliver(struct inpcb *inp, struct mbuf *m)
+{
+ struct label *label;
+ int error;
+
+ M_ASSERTPKTHDR(m);
+
+ if (!mac_enforce_socket)
>>> TRUNCATED FOR MAIL (1000 lines) <<<