mac_net.c (122820) mac_net.c (122875)
1/*-
2 * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson
3 * Copyright (c) 2001 Ilmar S. Habibulin
4 * Copyright (c) 2001, 2002, 2003 Networks Associates Technology, Inc.
5 * All rights reserved.
6 *
7 * This software was developed by Robert Watson and Ilmar Habibulin for the
8 * TrustedBSD Project.

--- 21 unchanged lines hidden (view full) ---

30 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
31 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
32 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
33 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 * SUCH DAMAGE.
35 */
36
37#include <sys/cdefs.h>
1/*-
2 * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson
3 * Copyright (c) 2001 Ilmar S. Habibulin
4 * Copyright (c) 2001, 2002, 2003 Networks Associates Technology, Inc.
5 * All rights reserved.
6 *
7 * This software was developed by Robert Watson and Ilmar Habibulin for the
8 * TrustedBSD Project.

--- 21 unchanged lines hidden (view full) ---

30 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
31 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
32 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
33 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 * SUCH DAMAGE.
35 */
36
37#include <sys/cdefs.h>
38__FBSDID("$FreeBSD: head/sys/security/mac/mac_net.c 122820 2003-11-16 23:31:45Z rwatson $");
38__FBSDID("$FreeBSD: head/sys/security/mac/mac_net.c 122875 2003-11-18 00:39:07Z rwatson $");
39
40#include "opt_mac.h"
41
42#include <sys/param.h>
43#include <sys/kernel.h>
44#include <sys/lock.h>
45#include <sys/malloc.h>
46#include <sys/mutex.h>
47#include <sys/mac.h>
48#include <sys/sbuf.h>
49#include <sys/systm.h>
50#include <sys/mount.h>
51#include <sys/file.h>
52#include <sys/namei.h>
39
40#include "opt_mac.h"
41
42#include <sys/param.h>
43#include <sys/kernel.h>
44#include <sys/lock.h>
45#include <sys/malloc.h>
46#include <sys/mutex.h>
47#include <sys/mac.h>
48#include <sys/sbuf.h>
49#include <sys/systm.h>
50#include <sys/mount.h>
51#include <sys/file.h>
52#include <sys/namei.h>
53#include <sys/protosw.h>
53#include <sys/socket.h>
54#include <sys/socketvar.h>
55#include <sys/sysctl.h>
56
57#include <sys/mac_policy.h>
58
59#include <net/bpfdesc.h>
60#include <net/if.h>
61#include <net/if_var.h>
62
63#include <netinet/in.h>
54#include <sys/socket.h>
55#include <sys/socketvar.h>
56#include <sys/sysctl.h>
57
58#include <sys/mac_policy.h>
59
60#include <net/bpfdesc.h>
61#include <net/if.h>
62#include <net/if_var.h>
63
64#include <netinet/in.h>
65#include <netinet/in_pcb.h>
64#include <netinet/ip_var.h>
65
66#include <security/mac/mac_internal.h>
67
68static int mac_enforce_network = 1;
69SYSCTL_INT(_security_mac, OID_AUTO, enforce_network, CTLFLAG_RW,
70 &mac_enforce_network, 0, "Enforce MAC policy on network packets");
71TUNABLE_INT("security.mac.enforce_network", &mac_enforce_network);
72
73static int mac_enforce_socket = 1;
74SYSCTL_INT(_security_mac, OID_AUTO, enforce_socket, CTLFLAG_RW,
75 &mac_enforce_socket, 0, "Enforce MAC policy on socket operations");
76TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket);
77
78#ifdef MAC_DEBUG
79static unsigned int nmacmbufs, nmacifnets, nmacbpfdescs, nmacsockets,
66#include <netinet/ip_var.h>
67
68#include <security/mac/mac_internal.h>
69
70static int mac_enforce_network = 1;
71SYSCTL_INT(_security_mac, OID_AUTO, enforce_network, CTLFLAG_RW,
72 &mac_enforce_network, 0, "Enforce MAC policy on network packets");
73TUNABLE_INT("security.mac.enforce_network", &mac_enforce_network);
74
75static int mac_enforce_socket = 1;
76SYSCTL_INT(_security_mac, OID_AUTO, enforce_socket, CTLFLAG_RW,
77 &mac_enforce_socket, 0, "Enforce MAC policy on socket operations");
78TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket);
79
80#ifdef MAC_DEBUG
81static unsigned int nmacmbufs, nmacifnets, nmacbpfdescs, nmacsockets,
80 nmacipqs;
82 nmacinpcbs, nmacipqs;
81
82SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, mbufs, CTLFLAG_RD,
83 &nmacmbufs, 0, "number of mbufs in use");
84SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, ifnets, CTLFLAG_RD,
85 &nmacifnets, 0, "number of ifnets in use");
83
84SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, mbufs, CTLFLAG_RD,
85 &nmacmbufs, 0, "number of mbufs in use");
86SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, ifnets, CTLFLAG_RD,
87 &nmacifnets, 0, "number of ifnets in use");
88SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, inpcbs, CTLFLAG_RD,
89 &nmacinpcbs, 0, "number of inpcbs in use");
86SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, ipqs, CTLFLAG_RD,
87 &nmacipqs, 0, "number of ipqs in use");
88SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, bpfdescs, CTLFLAG_RD,
89 &nmacbpfdescs, 0, "number of bpfdescs in use");
90SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, sockets, CTLFLAG_RD,
91 &nmacsockets, 0, "number of sockets in use");
92#endif
93

--- 41 unchanged lines hidden (view full) ---

135void
136mac_init_ifnet(struct ifnet *ifp)
137{
138
139 ifp->if_label = mac_ifnet_label_alloc();
140}
141
142static struct label *
90SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, ipqs, CTLFLAG_RD,
91 &nmacipqs, 0, "number of ipqs in use");
92SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, bpfdescs, CTLFLAG_RD,
93 &nmacbpfdescs, 0, "number of bpfdescs in use");
94SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, sockets, CTLFLAG_RD,
95 &nmacsockets, 0, "number of sockets in use");
96#endif
97

--- 41 unchanged lines hidden (view full) ---

139void
140mac_init_ifnet(struct ifnet *ifp)
141{
142
143 ifp->if_label = mac_ifnet_label_alloc();
144}
145
146static struct label *
147mac_inpcb_label_alloc(int flag)
148{
149 struct label *label;
150 int error;
151
152 label = mac_labelzone_alloc(flag);
153 if (label == NULL)
154 return (NULL);
155 MAC_CHECK(init_inpcb_label, label, flag);
156 if (error) {
157 MAC_PERFORM(destroy_inpcb_label, label);
158 mac_labelzone_free(label);
159 return (NULL);
160 }
161 MAC_DEBUG_COUNTER_INC(&nmacinpcbs);
162 return (label);
163}
164
165int
166mac_init_inpcb(struct inpcb *inp, int flag)
167{
168
169 inp->inp_label = mac_inpcb_label_alloc(flag);
170 if (inp->inp_label == NULL)
171 return (ENOMEM);
172 return (0);
173}
174
175static struct label *
143mac_ipq_label_alloc(int flag)
144{
145 struct label *label;
146 int error;
147
148 label = mac_labelzone_alloc(flag);
149 if (label == NULL)
150 return (NULL);

--- 152 unchanged lines hidden (view full) ---

303mac_destroy_ifnet(struct ifnet *ifp)
304{
305
306 mac_ifnet_label_free(ifp->if_label);
307 ifp->if_label = NULL;
308}
309
310static void
176mac_ipq_label_alloc(int flag)
177{
178 struct label *label;
179 int error;
180
181 label = mac_labelzone_alloc(flag);
182 if (label == NULL)
183 return (NULL);

--- 152 unchanged lines hidden (view full) ---

336mac_destroy_ifnet(struct ifnet *ifp)
337{
338
339 mac_ifnet_label_free(ifp->if_label);
340 ifp->if_label = NULL;
341}
342
343static void
344mac_inpcb_label_free(struct label *label)
345{
346
347 MAC_PERFORM(destroy_inpcb_label, label);
348 mac_labelzone_free(label);
349 MAC_DEBUG_COUNTER_DEC(&nmacinpcbs);
350}
351
352void
353mac_destroy_inpcb(struct inpcb *inp)
354{
355
356 mac_inpcb_label_free(inp->inp_label);
357 inp->inp_label = NULL;
358}
359
360static void
311mac_ipq_label_free(struct label *label)
312{
313
314 MAC_PERFORM(destroy_ipq_label, label);
315 mac_labelzone_free(label);
316 MAC_DEBUG_COUNTER_DEC(&nmacipqs);
317}
318

--- 123 unchanged lines hidden (view full) ---

442void
443mac_create_ifnet(struct ifnet *ifnet)
444{
445
446 MAC_PERFORM(create_ifnet, ifnet, ifnet->if_label);
447}
448
449void
361mac_ipq_label_free(struct label *label)
362{
363
364 MAC_PERFORM(destroy_ipq_label, label);
365 mac_labelzone_free(label);
366 MAC_DEBUG_COUNTER_DEC(&nmacipqs);
367}
368

--- 123 unchanged lines hidden (view full) ---

492void
493mac_create_ifnet(struct ifnet *ifnet)
494{
495
496 MAC_PERFORM(create_ifnet, ifnet, ifnet->if_label);
497}
498
499void
500mac_create_inpcb_from_socket(struct socket *so, struct inpcb *inp)
501{
502
503 MAC_PERFORM(create_inpcb_from_socket, so, so->so_label, inp,
504 inp->inp_label);
505}
506
507void
450mac_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d)
451{
452
453 MAC_PERFORM(create_bpfdesc, cred, bpf_d, bpf_d->bd_label);
454}
455
456void
457mac_create_socket(struct ucred *cred, struct socket *socket)

--- 226 unchanged lines hidden (view full) ---

684
685 MAC_CHECK(check_ifnet_transmit, ifnet, ifnet->if_label, mbuf,
686 label);
687
688 return (error);
689}
690
691int
508mac_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d)
509{
510
511 MAC_PERFORM(create_bpfdesc, cred, bpf_d, bpf_d->bd_label);
512}
513
514void
515mac_create_socket(struct ucred *cred, struct socket *socket)

--- 226 unchanged lines hidden (view full) ---

742
743 MAC_CHECK(check_ifnet_transmit, ifnet, ifnet->if_label, mbuf,
744 label);
745
746 return (error);
747}
748
749int
750mac_check_inpcb_deliver(struct inpcb *inp, struct mbuf *m)
751{
752 struct label *label;
753 int error;
754
755 M_ASSERTPKTHDR(m);
756
757 if (!mac_enforce_socket)
758 return (0);
759
760 label = mbuf_to_label(m);
761
762 MAC_CHECK(check_inpcb_deliver, inp, inp->inp_label, m, label);
763
764 return (error);
765}
766
767int
692mac_check_socket_bind(struct ucred *ucred, struct socket *socket,
693 struct sockaddr *sockaddr)
694{
695 int error;
696
697 if (!mac_enforce_socket)
698 return (0);
699

--- 184 unchanged lines hidden (view full) ---

884 }
885
886 MAC_PERFORM(relabel_ifnet, cred, ifnet, ifnet->if_label, intlabel);
887
888 mac_ifnet_label_free(intlabel);
889 return (0);
890}
891
768mac_check_socket_bind(struct ucred *ucred, struct socket *socket,
769 struct sockaddr *sockaddr)
770{
771 int error;
772
773 if (!mac_enforce_socket)
774 return (0);
775

--- 184 unchanged lines hidden (view full) ---

960 }
961
962 MAC_PERFORM(relabel_ifnet, cred, ifnet, ifnet->if_label, intlabel);
963
964 mac_ifnet_label_free(intlabel);
965 return (0);
966}
967
968void
969mac_inpcb_sosetlabel(struct socket *so, struct inpcb *inp)
970{
971
972 /* XXX: assert socket lock. */
973 INP_LOCK_ASSERT(inp);
974 MAC_PERFORM(inpcb_sosetlabel, so, so->so_label, inp, inp->inp_label);
975}
976
892int
893mac_socket_label_set(struct ucred *cred, struct socket *so,
894 struct label *label)
895{
896 int error;
897
898 error = mac_check_socket_relabel(cred, so, label);
899 if (error)
900 return (error);
901
902 mac_relabel_socket(cred, so, label);
977int
978mac_socket_label_set(struct ucred *cred, struct socket *so,
979 struct label *label)
980{
981 int error;
982
983 error = mac_check_socket_relabel(cred, so, label);
984 if (error)
985 return (error);
986
987 mac_relabel_socket(cred, so, label);
988
989 /*
990 * If the protocol has expressed interest in socket layer changes,
991 * such as if it needs to propagate changes to a cached pcb
992 * label from the socket, notify it of the label change while
993 * holding the socket lock.
994 */
995 if (so->so_proto->pr_usrreqs->pru_sosetlabel != NULL)
996 (so->so_proto->pr_usrreqs->pru_sosetlabel)(so);
997
903 return (0);
904}
905
906int
907mac_setsockopt_label(struct ucred *cred, struct socket *so, struct mac *mac)
908{
909 struct label *intlabel;
910 char *buffer;

--- 85 unchanged lines hidden ---
998 return (0);
999}
1000
1001int
1002mac_setsockopt_label(struct ucred *cred, struct socket *so, struct mac *mac)
1003{
1004 struct label *intlabel;
1005 char *buffer;

--- 85 unchanged lines hidden ---
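Review bot: The new comment in mac_socket_label_set says the protocol is notified of the label change "while holding the socket lock", but nothing in that function acquires or asserts such a lock, and mac_inpcb_sosetlabel only asserts the inpcb lock (INP_LOCK_ASSERT) while it reads so->so_label, with the socket-lock assertion left as an XXX. Between mac_relabel_socket and the pru_sosetlabel call the socket label and the cached inpcb label disagree, so a concurrent mac_check_inpcb_deliver may still admit traffic under the stale pcb label unless the caller holds the socket lock across that window, and that requirement should be stated rather than implied. Suggest rewording the comment to `* label from the socket, notify it of the label change. The caller` / `* must hold the socket lock across the relabel and this call.` and replacing the XXX in mac_inpcb_sosetlabel with `/* Caller must hold the socket lock; so_label is read here. */`, or with the real assertion if this tree has one. Whether a socket-lock assertion macro exists at this revision is not visible from the hunk.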