mac_biba.c (122824) | mac_biba.c (122875) |
---|---|
1/*- 2 * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson 3 * Copyright (c) 2001, 2002, 2003 Networks Associates Technology, Inc. 4 * All rights reserved. 5 * 6 * This software was developed by Robert Watson for the TrustedBSD Project. 7 * 8 * This software was developed for the FreeBSD Project in part by Network --- 17 unchanged lines hidden (view full) --- 26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 32 * SUCH DAMAGE. 33 * | 1/*- 2 * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson 3 * Copyright (c) 2001, 2002, 2003 Networks Associates Technology, Inc. 4 * All rights reserved. 5 * 6 * This software was developed by Robert Watson for the TrustedBSD Project. 7 * 8 * This software was developed for the FreeBSD Project in part by Network --- 17 unchanged lines hidden (view full) --- 26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 32 * SUCH DAMAGE. 33 * |
34 * $FreeBSD: head/sys/security/mac_biba/mac_biba.c 122824 2003-11-17 01:04:07Z rwatson $ | 34 * $FreeBSD: head/sys/security/mac_biba/mac_biba.c 122875 2003-11-18 00:39:07Z rwatson $ |
35 */ 36 37/* 38 * Developed by the TrustedBSD Project. 39 * Biba fixed label mandatory integrity policy. 40 */ 41 42#include <sys/types.h> --- 21 unchanged lines hidden (view full) --- 64#include <fs/devfs/devfs.h> 65 66#include <net/bpfdesc.h> 67#include <net/if.h> 68#include <net/if_types.h> 69#include <net/if_var.h> 70 71#include <netinet/in.h> | 35 */ 36 37/* 38 * Developed by the TrustedBSD Project. 39 * Biba fixed label mandatory integrity policy. 40 */ 41 42#include <sys/types.h> --- 21 unchanged lines hidden (view full) --- 64#include <fs/devfs/devfs.h> 65 66#include <net/bpfdesc.h> 67#include <net/if.h> 68#include <net/if_types.h> 69#include <net/if_var.h> 70 71#include <netinet/in.h> |
72#include <netinet/in_pcb.h> |
|
72#include <netinet/ip_var.h> 73 74#include <vm/vm.h> 75 76#include <sys/mac_policy.h> 77 78#include <security/mac_biba/mac_biba.h> 79 --- 895 unchanged lines hidden (view full) --- 975 MAC_BIBA_EXTATTR_NAME, buflen, (char *) &temp, curthread); 976 return (error); 977} 978 979/* 980 * Labeling event operations: IPC object. 981 */ 982static void | 73#include <netinet/ip_var.h> 74 75#include <vm/vm.h> 76 77#include <sys/mac_policy.h> 78 79#include <security/mac_biba/mac_biba.h> 80 --- 895 unchanged lines hidden (view full) --- 976 MAC_BIBA_EXTATTR_NAME, buflen, (char *) &temp, curthread); 977 return (error); 978} 979 980/* 981 * Labeling event operations: IPC object. 982 */ 983static void |
984mac_biba_create_inpcb_from_socket(struct socket *so, struct label *solabel, 985 struct inpcb *inp, struct label *inplabel) 986{ 987 struct mac_biba *source, *dest; 988 989 source = SLOT(solabel); 990 dest = SLOT(inplabel); 991 992 mac_biba_copy_single(source, dest); 993} 994 995static void |
|
983mac_biba_create_mbuf_from_socket(struct socket *so, struct label *socketlabel, 984 struct mbuf *m, struct label *mbuflabel) 985{ 986 struct mac_biba *source, *dest; 987 988 source = SLOT(socketlabel); 989 dest = SLOT(mbuflabel); 990 --- 303 unchanged lines hidden (view full) --- 1294static void 1295mac_biba_update_ipq(struct mbuf *fragment, struct label *fragmentlabel, 1296 struct ipq *ipq, struct label *ipqlabel) 1297{ 1298 1299 /* NOOP: we only accept matching labels, so no need to update */ 1300} 1301 | 996mac_biba_create_mbuf_from_socket(struct socket *so, struct label *socketlabel, 997 struct mbuf *m, struct label *mbuflabel) 998{ 999 struct mac_biba *source, *dest; 1000 1001 source = SLOT(socketlabel); 1002 dest = SLOT(mbuflabel); 1003 --- 303 unchanged lines hidden (view full) --- 1307static void 1308mac_biba_update_ipq(struct mbuf *fragment, struct label *fragmentlabel, 1309 struct ipq *ipq, struct label *ipqlabel) 1310{ 1311 1312 /* NOOP: we only accept matching labels, so no need to update */ 1313} 1314 |
1315static void 1316mac_biba_inpcb_sosetlabel(struct socket *so, struct label *solabel, 1317 struct inpcb *inp, struct label *inplabel) 1318{ 1319 struct mac_biba *source, *dest; 1320 1321 source = SLOT(solabel); 1322 dest = SLOT(inplabel); 1323 1324 mac_biba_copy(source, dest); 1325} 1326 |
|
1302/* 1303 * Labeling event operations: processes. 1304 */ 1305static void 1306mac_biba_create_cred(struct ucred *cred_parent, struct ucred *cred_child) 1307{ 1308 struct mac_biba *source, *dest; 1309 --- 178 unchanged lines hidden (view full) --- 1488 1489 p = SLOT(mbuflabel); 1490 i = SLOT(ifnetlabel); 1491 1492 return (mac_biba_single_in_range(p, i) ? 0 : EACCES); 1493} 1494 1495static int | 1327/* 1328 * Labeling event operations: processes. 1329 */ 1330static void 1331mac_biba_create_cred(struct ucred *cred_parent, struct ucred *cred_child) 1332{ 1333 struct mac_biba *source, *dest; 1334 --- 178 unchanged lines hidden (view full) --- 1513 1514 p = SLOT(mbuflabel); 1515 i = SLOT(ifnetlabel); 1516 1517 return (mac_biba_single_in_range(p, i) ? 0 : EACCES); 1518} 1519 1520static int |
1521mac_biba_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel, 1522 struct mbuf *m, struct label *mlabel) 1523{ 1524 struct mac_biba *p, *i; 1525 1526 if (!mac_biba_enabled) 1527 return (0); 1528 1529 p = SLOT(mlabel); 1530 i = SLOT(inplabel); 1531 1532 return (mac_biba_equal_single(p, i) ? 0 : EACCES); 1533} 1534 1535static int |
|
1496mac_biba_check_kld_load(struct ucred *cred, struct vnode *vp, 1497 struct label *label) 1498{ 1499 struct mac_biba *subj, *obj; 1500 int error; 1501 1502 if (!mac_biba_enabled) 1503 return (0); --- 1097 unchanged lines hidden (view full) --- 2601 2602static struct mac_policy_ops mac_biba_ops = 2603{ 2604 .mpo_init = mac_biba_init, 2605 .mpo_init_bpfdesc_label = mac_biba_init_label, 2606 .mpo_init_cred_label = mac_biba_init_label, 2607 .mpo_init_devfsdirent_label = mac_biba_init_label, 2608 .mpo_init_ifnet_label = mac_biba_init_label, | 1536mac_biba_check_kld_load(struct ucred *cred, struct vnode *vp, 1537 struct label *label) 1538{ 1539 struct mac_biba *subj, *obj; 1540 int error; 1541 1542 if (!mac_biba_enabled) 1543 return (0); --- 1097 unchanged lines hidden (view full) --- 2641 2642static struct mac_policy_ops mac_biba_ops = 2643{ 2644 .mpo_init = mac_biba_init, 2645 .mpo_init_bpfdesc_label = mac_biba_init_label, 2646 .mpo_init_cred_label = mac_biba_init_label, 2647 .mpo_init_devfsdirent_label = mac_biba_init_label, 2648 .mpo_init_ifnet_label = mac_biba_init_label, |
2649 .mpo_init_inpcb_label = mac_biba_init_label_waitcheck, |
|
2609 .mpo_init_ipq_label = mac_biba_init_label_waitcheck, 2610 .mpo_init_mbuf_label = mac_biba_init_label_waitcheck, 2611 .mpo_init_mount_label = mac_biba_init_label, 2612 .mpo_init_mount_fs_label = mac_biba_init_label, 2613 .mpo_init_pipe_label = mac_biba_init_label, 2614 .mpo_init_socket_label = mac_biba_init_label_waitcheck, 2615 .mpo_init_socket_peer_label = mac_biba_init_label_waitcheck, 2616 .mpo_init_vnode_label = mac_biba_init_label, 2617 .mpo_destroy_bpfdesc_label = mac_biba_destroy_label, 2618 .mpo_destroy_cred_label = mac_biba_destroy_label, 2619 .mpo_destroy_devfsdirent_label = mac_biba_destroy_label, 2620 .mpo_destroy_ifnet_label = mac_biba_destroy_label, | 2650 .mpo_init_ipq_label = mac_biba_init_label_waitcheck, 2651 .mpo_init_mbuf_label = mac_biba_init_label_waitcheck, 2652 .mpo_init_mount_label = mac_biba_init_label, 2653 .mpo_init_mount_fs_label = mac_biba_init_label, 2654 .mpo_init_pipe_label = mac_biba_init_label, 2655 .mpo_init_socket_label = mac_biba_init_label_waitcheck, 2656 .mpo_init_socket_peer_label = mac_biba_init_label_waitcheck, 2657 .mpo_init_vnode_label = mac_biba_init_label, 2658 .mpo_destroy_bpfdesc_label = mac_biba_destroy_label, 2659 .mpo_destroy_cred_label = mac_biba_destroy_label, 2660 .mpo_destroy_devfsdirent_label = mac_biba_destroy_label, 2661 .mpo_destroy_ifnet_label = mac_biba_destroy_label, |
2662 .mpo_destroy_inpcb_label = mac_biba_destroy_label, |
|
2621 .mpo_destroy_ipq_label = mac_biba_destroy_label, 2622 .mpo_destroy_mbuf_label = mac_biba_destroy_label, 2623 .mpo_destroy_mount_label = mac_biba_destroy_label, 2624 .mpo_destroy_mount_fs_label = mac_biba_destroy_label, 2625 .mpo_destroy_pipe_label = mac_biba_destroy_label, 2626 .mpo_destroy_socket_label = mac_biba_destroy_label, 2627 .mpo_destroy_socket_peer_label = mac_biba_destroy_label, 2628 .mpo_destroy_vnode_label = mac_biba_destroy_label, --- 31 unchanged lines hidden (view full) --- 2660 .mpo_relabel_pipe = mac_biba_relabel_pipe, 2661 .mpo_relabel_socket = mac_biba_relabel_socket, 2662 .mpo_set_socket_peer_from_mbuf = mac_biba_set_socket_peer_from_mbuf, 2663 .mpo_set_socket_peer_from_socket = mac_biba_set_socket_peer_from_socket, 2664 .mpo_create_bpfdesc = mac_biba_create_bpfdesc, 2665 .mpo_create_datagram_from_ipq = mac_biba_create_datagram_from_ipq, 2666 .mpo_create_fragment = mac_biba_create_fragment, 2667 .mpo_create_ifnet = mac_biba_create_ifnet, | 2663 .mpo_destroy_ipq_label = mac_biba_destroy_label, 2664 .mpo_destroy_mbuf_label = mac_biba_destroy_label, 2665 .mpo_destroy_mount_label = mac_biba_destroy_label, 2666 .mpo_destroy_mount_fs_label = mac_biba_destroy_label, 2667 .mpo_destroy_pipe_label = mac_biba_destroy_label, 2668 .mpo_destroy_socket_label = mac_biba_destroy_label, 2669 .mpo_destroy_socket_peer_label = mac_biba_destroy_label, 2670 .mpo_destroy_vnode_label = mac_biba_destroy_label, --- 31 unchanged lines hidden (view full) --- 2702 .mpo_relabel_pipe = mac_biba_relabel_pipe, 2703 .mpo_relabel_socket = mac_biba_relabel_socket, 2704 .mpo_set_socket_peer_from_mbuf = mac_biba_set_socket_peer_from_mbuf, 2705 .mpo_set_socket_peer_from_socket = mac_biba_set_socket_peer_from_socket, 2706 .mpo_create_bpfdesc = mac_biba_create_bpfdesc, 2707 .mpo_create_datagram_from_ipq = mac_biba_create_datagram_from_ipq, 2708 .mpo_create_fragment = mac_biba_create_fragment, 2709 .mpo_create_ifnet = mac_biba_create_ifnet, |
2710 .mpo_create_inpcb_from_socket = mac_biba_create_inpcb_from_socket, |
|
2668 .mpo_create_ipq = mac_biba_create_ipq, 2669 .mpo_create_mbuf_from_mbuf = mac_biba_create_mbuf_from_mbuf, 2670 .mpo_create_mbuf_linklayer = mac_biba_create_mbuf_linklayer, 2671 .mpo_create_mbuf_from_bpfdesc = mac_biba_create_mbuf_from_bpfdesc, 2672 .mpo_create_mbuf_from_ifnet = mac_biba_create_mbuf_from_ifnet, 2673 .mpo_create_mbuf_multicast_encap = mac_biba_create_mbuf_multicast_encap, 2674 .mpo_create_mbuf_netlayer = mac_biba_create_mbuf_netlayer, 2675 .mpo_fragment_match = mac_biba_fragment_match, 2676 .mpo_relabel_ifnet = mac_biba_relabel_ifnet, 2677 .mpo_update_ipq = mac_biba_update_ipq, | 2711 .mpo_create_ipq = mac_biba_create_ipq, 2712 .mpo_create_mbuf_from_mbuf = mac_biba_create_mbuf_from_mbuf, 2713 .mpo_create_mbuf_linklayer = mac_biba_create_mbuf_linklayer, 2714 .mpo_create_mbuf_from_bpfdesc = mac_biba_create_mbuf_from_bpfdesc, 2715 .mpo_create_mbuf_from_ifnet = mac_biba_create_mbuf_from_ifnet, 2716 .mpo_create_mbuf_multicast_encap = mac_biba_create_mbuf_multicast_encap, 2717 .mpo_create_mbuf_netlayer = mac_biba_create_mbuf_netlayer, 2718 .mpo_fragment_match = mac_biba_fragment_match, 2719 .mpo_relabel_ifnet = mac_biba_relabel_ifnet, 2720 .mpo_update_ipq = mac_biba_update_ipq, |
2721 .mpo_inpcb_sosetlabel = mac_biba_inpcb_sosetlabel, |
|
2678 .mpo_create_cred = mac_biba_create_cred, 2679 .mpo_create_proc0 = mac_biba_create_proc0, 2680 .mpo_create_proc1 = mac_biba_create_proc1, 2681 .mpo_relabel_cred = mac_biba_relabel_cred, 2682 .mpo_check_bpfdesc_receive = mac_biba_check_bpfdesc_receive, 2683 .mpo_check_cred_relabel = mac_biba_check_cred_relabel, 2684 .mpo_check_cred_visible = mac_biba_check_cred_visible, 2685 .mpo_check_ifnet_relabel = mac_biba_check_ifnet_relabel, 2686 .mpo_check_ifnet_transmit = mac_biba_check_ifnet_transmit, | 2722 .mpo_create_cred = mac_biba_create_cred, 2723 .mpo_create_proc0 = mac_biba_create_proc0, 2724 .mpo_create_proc1 = mac_biba_create_proc1, 2725 .mpo_relabel_cred = mac_biba_relabel_cred, 2726 .mpo_check_bpfdesc_receive = mac_biba_check_bpfdesc_receive, 2727 .mpo_check_cred_relabel = mac_biba_check_cred_relabel, 2728 .mpo_check_cred_visible = mac_biba_check_cred_visible, 2729 .mpo_check_ifnet_relabel = mac_biba_check_ifnet_relabel, 2730 .mpo_check_ifnet_transmit = mac_biba_check_ifnet_transmit, |
2731 .mpo_check_inpcb_deliver = mac_biba_check_inpcb_deliver, |
|
2687 .mpo_check_kld_load = mac_biba_check_kld_load, 2688 .mpo_check_kld_unload = mac_biba_check_kld_unload, 2689 .mpo_check_mount_stat = mac_biba_check_mount_stat, 2690 .mpo_check_pipe_ioctl = mac_biba_check_pipe_ioctl, 2691 .mpo_check_pipe_poll = mac_biba_check_pipe_poll, 2692 .mpo_check_pipe_read = mac_biba_check_pipe_read, 2693 .mpo_check_pipe_relabel = mac_biba_check_pipe_relabel, 2694 .mpo_check_pipe_stat = mac_biba_check_pipe_stat, --- 49 unchanged lines hidden --- | 2732 .mpo_check_kld_load = mac_biba_check_kld_load, 2733 .mpo_check_kld_unload = mac_biba_check_kld_unload, 2734 .mpo_check_mount_stat = mac_biba_check_mount_stat, 2735 .mpo_check_pipe_ioctl = mac_biba_check_pipe_ioctl, 2736 .mpo_check_pipe_poll = mac_biba_check_pipe_poll, 2737 .mpo_check_pipe_read = mac_biba_check_pipe_read, 2738 .mpo_check_pipe_relabel = mac_biba_check_pipe_relabel, 2739 .mpo_check_pipe_stat = mac_biba_check_pipe_stat, --- 49 unchanged lines hidden --- |
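Review bot: The two new label-sync hooks disagree on which copy helper they use: `mac_biba_create_inpcb_from_socket` (new 984–993) copies the socket label into the inpcb with `mac_biba_copy_single`, while `mac_biba_inpcb_sosetlabel` (new 1315–1325) copies the same socket label into the same inpcb label with `mac_biba_copy`; if socket labels only ever carry a single (their definition is not visible here) the two are equivalent, but the asymmetry reads as accidental and should either use one helper or carry a comment such as `/* Socket labels hold only a single; mac_biba_copy is equivalent to mac_biba_copy_single here. */`. In `mac_biba_check_inpcb_deliver` (new 1521–1533) the locals `p` and `i` are inherited from the ifnet check above it, so `i` now names an inpcb label rather than an ifnet label; renaming them, e.g. `struct mac_biba *m, *inp;`, would avoid the mismatch. That check also deserves a one-line why-comment explaining that delivery requires an exact integrity match rather than dominance, e.g. `/* Packet and inpcb integrity must match exactly; presumably mirrors the socket deliver check. */`, since the equality rule is the policy decision here and is otherwise undocumented. The `mac_biba_ops` table that registers these hooks continues past the end of this section.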