PERFORCE change 113363 for review
Todd Miller
millert at FreeBSD.org
Mon Jan 22 16:23:29 UTC 2007
http://perforce.freebsd.org/chv.cgi?CH=113363
Change 113363 by millert at millert_macbook on 2007/01/22 16:23:09
Adapt to mac_ifnet_check_transmit() and mac_inpcb_check_deliver()
API change.
Affected files ...
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#75 edit
Differences ...
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#75 (text+ko) ====
@@ -3125,18 +3125,33 @@
#endif
static int
-sebsd_ifnet_check_transmit(struct ifnet *ifp,
- struct label *ifnetlabel, struct mbuf *m, struct label *mbuflabel)
+sebsd_ifnet_check_transmit(struct ifnet *ifp, struct label *ifnetlabel,
+ struct mbuf *m, struct label *mbuflabel, int family, int type)
{
struct network_security_struct *ifsec, *msec;
+ u_int32_t perm;
int error;
ifsec = SLOT(ifnetlabel);
msec = SLOT(mbuflabel);
+ /* XXX - other types of perm, see selinux_sock_rcv_skb_compat() */
+ switch (type) {
+ case SOCK_STREAM:
+ perm = NETIF__TCP_SEND;
+ break;
+ case SOCK_DGRAM:
+ perm = NETIF__UDP_SEND;
+ break;
+ case SOCK_RAW:
+ default:
+ perm = NETIF__RAWIP_SEND;
+ break;
+ }
+
/* XXX - use an audit struct so we can log useful info */
- error = avc_has_perm(msec->sid, ifsec->sid, SECCLASS_PACKET,
- PACKET__SEND, NULL);
+ error = avc_has_perm(msec->sid, ifsec->sid, SECCLASS_NETIF,
+ perm, NULL);
return (error);
}
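Review bot: The new `family` parameter is accepted but never read, and the `default:` arm of the added `switch (type)` silently maps every socket type other than SOCK_STREAM/SOCK_DGRAM to NETIF__RAWIP_SEND, so a non-IP or unexpected `type` value is checked against the raw-IP permission rather than being rejected or logged. If the fallback is intentional it deserves saying so, e.g. replacing the bare `default:` with `default:	/* unknown type: fall back to the raw-IP permission; family is ignored for now */`; otherwise consider returning an error for unrecognized types so policy cannot be probed with an odd socket type. The existing XXX comment already notes that more permissions are needed, but it does not cover the family dimension (AF_INET vs AF_INET6 get the same check). The same two points apply verbatim to the inpcb hunk below (sebsd_inpcb_check_deliver).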
@@ -3157,18 +3172,33 @@
}
static int
-sebsd_inpcb_check_deliver(struct inpcb *inp,
- struct label *inplabel, struct mbuf *m, struct label *mbuflabel)
+sebsd_inpcb_check_deliver(struct inpcb *inp, struct label *inplabel,
+ struct mbuf *m, struct label *mbuflabel, int family, int type)
{
struct network_security_struct *ifsec, *msec;
+ u_int32_t perm;
int error;
ifsec = SLOT(inplabel);
msec = SLOT(mbuflabel);
+ /* XXX - other types of perm, see selinux_sock_rcv_skb_compat() */
+ switch (type) {
+ case SOCK_STREAM:
+ perm = NETIF__TCP_RECV;
+ break;
+ case SOCK_DGRAM:
+ perm = NETIF__UDP_RECV;
+ break;
+ case SOCK_RAW:
+ default:
+ perm = NETIF__RAWIP_RECV;
+ break;
+ }
+
/* XXX - use an audit struct so we can log useful info */
- error = avc_has_perm(msec->sid, ifsec->sid, SECCLASS_PACKET,
- PACKET__RECV, NULL);
+ error = avc_has_perm(msec->sid, ifsec->sid, SECCLASS_NETIF,
+ perm, NULL);
return (error);
}
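Review bot: The target SID passed to avc_has_perm() in this hunk is the inpcb's label slot, yet the class is now SECCLASS_NETIF with NETIF__*_RECV permissions, so a socket object is being checked against an interface-class permission; in the SELinux code the XXX comment points to (selinux_sock_rcv_skb_compat), the netif-class recv permission is evaluated against the receiving interface's SID and the socket side uses a socket-class permission instead. Unless the sebsd policy deliberately labels inpcbs with netif-class types, this looks like a class/target mismatch worth confirming against the policy before it ships. Separately, the local still named `ifsec` now holds `SLOT(inplabel)`, which is misleading after this change; `struct network_security_struct *inpsec, *msec;` with `inpsec = SLOT(inplabel);` would make the asymmetry with the transmit hook obvious to the next reader.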