mac_lomac.c (122824) | mac_lomac.c (122875) |
1/*- 2 * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson 3 * Copyright (c) 2001, 2002, 2003 Networks Associates Technology, Inc. 4 * All rights reserved. 5 * 6 * This software was developed by Robert Watson for the TrustedBSD Project. 7 * 8 * This software was developed for the FreeBSD Project in part by NAI Labs, --- 17 unchanged lines hidden (view full) --- 26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 32 * SUCH DAMAGE. 33 * | 1/*- 2 * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson 3 * Copyright (c) 2001, 2002, 2003 Networks Associates Technology, Inc. 4 * All rights reserved. 5 * 6 * This software was developed by Robert Watson for the TrustedBSD Project. 7 * 8 * This software was developed for the FreeBSD Project in part by NAI Labs, --- 17 unchanged lines hidden (view full) --- 26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 32 * SUCH DAMAGE. 33 * |
34 * $FreeBSD: head/sys/security/mac_lomac/mac_lomac.c 122824 2003-11-17 01:04:07Z rwatson $ | 34 * $FreeBSD: head/sys/security/mac_lomac/mac_lomac.c 122875 2003-11-18 00:39:07Z rwatson $ |
35 */ 36 37/* 38 * Developed by the TrustedBSD Project. 39 * Low-watermark floating label mandatory integrity policy. 40 */ 41 42#include <sys/types.h> --- 22 unchanged lines hidden (view full) --- 65#include <fs/devfs/devfs.h> 66 67#include <net/bpfdesc.h> 68#include <net/if.h> 69#include <net/if_types.h> 70#include <net/if_var.h> 71 72#include <netinet/in.h> | 35 */ 36 37/* 38 * Developed by the TrustedBSD Project. 39 * Low-watermark floating label mandatory integrity policy. 40 */ 41 42#include <sys/types.h> --- 22 unchanged lines hidden (view full) --- 65#include <fs/devfs/devfs.h> 66 67#include <net/bpfdesc.h> 68#include <net/if.h> 69#include <net/if_types.h> 70#include <net/if_var.h> 71 72#include <netinet/in.h> |
73#include <netinet/in_pcb.h> |
|
73#include <netinet/ip_var.h> 74 75#include <vm/vm.h> 76 77#include <sys/mac_policy.h> 78 79#include <security/mac_lomac/mac_lomac.h> 80 --- 1033 unchanged lines hidden (view full) --- 1114 MAC_LOMAC_EXTATTR_NAME, buflen, (char *)&temp, curthread); 1115 return (error); 1116} 1117 1118/* 1119 * Labeling event operations: IPC object. 1120 */ 1121static void | 74#include <netinet/ip_var.h> 75 76#include <vm/vm.h> 77 78#include <sys/mac_policy.h> 79 80#include <security/mac_lomac/mac_lomac.h> 81 --- 1033 unchanged lines hidden (view full) --- 1115 MAC_LOMAC_EXTATTR_NAME, buflen, (char *)&temp, curthread); 1116 return (error); 1117} 1118 1119/* 1120 * Labeling event operations: IPC object. 1121 */ 1122static void |
1123mac_lomac_create_inpcb_from_socket(struct socket *so, struct label *solabel, 1124 struct inpcb *inp, struct label *inplabel) 1125{ 1126 struct mac_lomac *source, *dest; 1127 1128 source = SLOT(solabel); 1129 dest = SLOT(inplabel); 1130 1131 mac_lomac_copy_single(source, dest); 1132} 1133 1134static void |
|
1122mac_lomac_create_mbuf_from_socket(struct socket *so, struct label *socketlabel, 1123 struct mbuf *m, struct label *mbuflabel) 1124{ 1125 struct mac_lomac *source, *dest; 1126 1127 source = SLOT(socketlabel); 1128 dest = SLOT(mbuflabel); 1129 --- 304 unchanged lines hidden (view full) --- 1434static void 1435mac_lomac_update_ipq(struct mbuf *fragment, struct label *fragmentlabel, 1436 struct ipq *ipq, struct label *ipqlabel) 1437{ 1438 1439 /* NOOP: we only accept matching labels, so no need to update */ 1440} 1441 | 1135mac_lomac_create_mbuf_from_socket(struct socket *so, struct label *socketlabel, 1136 struct mbuf *m, struct label *mbuflabel) 1137{ 1138 struct mac_lomac *source, *dest; 1139 1140 source = SLOT(socketlabel); 1141 dest = SLOT(mbuflabel); 1142 --- 304 unchanged lines hidden (view full) --- 1447static void 1448mac_lomac_update_ipq(struct mbuf *fragment, struct label *fragmentlabel, 1449 struct ipq *ipq, struct label *ipqlabel) 1450{ 1451 1452 /* NOOP: we only accept matching labels, so no need to update */ 1453} 1454 |
1455static void 1456mac_lomac_inpcb_sosetlabel(struct socket *so, struct label *solabel, 1457 struct inpcb *inp, struct label *inplabel) 1458{ 1459 struct mac_lomac *source, *dest; 1460 1461 source = SLOT(solabel); 1462 dest = SLOT(inplabel); 1463 1464 mac_lomac_copy_single(source, dest); 1465} 1466 |
|
1442/* 1443 * Labeling event operations: processes. 1444 */ 1445static void 1446mac_lomac_create_cred(struct ucred *cred_parent, struct ucred *cred_child) 1447{ 1448 struct mac_lomac *source, *dest; 1449 --- 266 unchanged lines hidden (view full) --- 1716 1717 p = SLOT(mbuflabel); 1718 i = SLOT(ifnetlabel); 1719 1720 return (mac_lomac_single_in_range(p, i) ? 0 : EACCES); 1721} 1722 1723static int | 1467/* 1468 * Labeling event operations: processes. 1469 */ 1470static void 1471mac_lomac_create_cred(struct ucred *cred_parent, struct ucred *cred_child) 1472{ 1473 struct mac_lomac *source, *dest; 1474 --- 266 unchanged lines hidden (view full) --- 1741 1742 p = SLOT(mbuflabel); 1743 i = SLOT(ifnetlabel); 1744 1745 return (mac_lomac_single_in_range(p, i) ? 0 : EACCES); 1746} 1747 1748static int |
1749mac_lomac_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel, 1750 struct mbuf *m, struct label *mlabel) 1751{ 1752 struct mac_lomac *p, *i; 1753 1754 if (!mac_lomac_enabled) 1755 return (0); 1756 1757 p = SLOT(mlabel); 1758 i = SLOT(inplabel); 1759 1760 return (mac_lomac_equal_single(p, i) ? 0 : EACCES); 1761} 1762 1763static int |
|
1724mac_lomac_check_kld_load(struct ucred *cred, struct vnode *vp, 1725 struct label *label) 1726{ 1727 struct mac_lomac *subj, *obj; 1728 1729 if (!mac_lomac_enabled) 1730 return (0); 1731 --- 847 unchanged lines hidden (view full) --- 2579 2580static struct mac_policy_ops mac_lomac_ops = 2581{ 2582 .mpo_init = mac_lomac_init, 2583 .mpo_init_bpfdesc_label = mac_lomac_init_label, 2584 .mpo_init_cred_label = mac_lomac_init_label, 2585 .mpo_init_devfsdirent_label = mac_lomac_init_label, 2586 .mpo_init_ifnet_label = mac_lomac_init_label, | 1764mac_lomac_check_kld_load(struct ucred *cred, struct vnode *vp, 1765 struct label *label) 1766{ 1767 struct mac_lomac *subj, *obj; 1768 1769 if (!mac_lomac_enabled) 1770 return (0); 1771 --- 847 unchanged lines hidden (view full) --- 2619 2620static struct mac_policy_ops mac_lomac_ops = 2621{ 2622 .mpo_init = mac_lomac_init, 2623 .mpo_init_bpfdesc_label = mac_lomac_init_label, 2624 .mpo_init_cred_label = mac_lomac_init_label, 2625 .mpo_init_devfsdirent_label = mac_lomac_init_label, 2626 .mpo_init_ifnet_label = mac_lomac_init_label, |
2627 .mpo_init_inpcb_label = mac_lomac_init_label_waitcheck, |
|
2587 .mpo_init_ipq_label = mac_lomac_init_label_waitcheck, 2588 .mpo_init_mbuf_label = mac_lomac_init_label_waitcheck, 2589 .mpo_init_mount_label = mac_lomac_init_label, 2590 .mpo_init_mount_fs_label = mac_lomac_init_label, 2591 .mpo_init_pipe_label = mac_lomac_init_label, 2592 .mpo_init_proc_label = mac_lomac_init_proc_label, 2593 .mpo_init_socket_label = mac_lomac_init_label_waitcheck, 2594 .mpo_init_socket_peer_label = mac_lomac_init_label_waitcheck, 2595 .mpo_init_vnode_label = mac_lomac_init_label, 2596 .mpo_destroy_bpfdesc_label = mac_lomac_destroy_label, 2597 .mpo_destroy_cred_label = mac_lomac_destroy_label, 2598 .mpo_destroy_devfsdirent_label = mac_lomac_destroy_label, 2599 .mpo_destroy_ifnet_label = mac_lomac_destroy_label, | 2628 .mpo_init_ipq_label = mac_lomac_init_label_waitcheck, 2629 .mpo_init_mbuf_label = mac_lomac_init_label_waitcheck, 2630 .mpo_init_mount_label = mac_lomac_init_label, 2631 .mpo_init_mount_fs_label = mac_lomac_init_label, 2632 .mpo_init_pipe_label = mac_lomac_init_label, 2633 .mpo_init_proc_label = mac_lomac_init_proc_label, 2634 .mpo_init_socket_label = mac_lomac_init_label_waitcheck, 2635 .mpo_init_socket_peer_label = mac_lomac_init_label_waitcheck, 2636 .mpo_init_vnode_label = mac_lomac_init_label, 2637 .mpo_destroy_bpfdesc_label = mac_lomac_destroy_label, 2638 .mpo_destroy_cred_label = mac_lomac_destroy_label, 2639 .mpo_destroy_devfsdirent_label = mac_lomac_destroy_label, 2640 .mpo_destroy_ifnet_label = mac_lomac_destroy_label, |
2641 .mpo_destroy_inpcb_label = mac_lomac_destroy_label, |
|
2600 .mpo_destroy_ipq_label = mac_lomac_destroy_label, 2601 .mpo_destroy_mbuf_label = mac_lomac_destroy_label, 2602 .mpo_destroy_mount_label = mac_lomac_destroy_label, 2603 .mpo_destroy_mount_fs_label = mac_lomac_destroy_label, 2604 .mpo_destroy_pipe_label = mac_lomac_destroy_label, 2605 .mpo_destroy_proc_label = mac_lomac_destroy_proc_label, 2606 .mpo_destroy_socket_label = mac_lomac_destroy_label, 2607 .mpo_destroy_socket_peer_label = mac_lomac_destroy_label, --- 34 unchanged lines hidden (view full) --- 2642 .mpo_relabel_socket = mac_lomac_relabel_socket, 2643 .mpo_set_socket_peer_from_mbuf = mac_lomac_set_socket_peer_from_mbuf, 2644 .mpo_set_socket_peer_from_socket = 2645 mac_lomac_set_socket_peer_from_socket, 2646 .mpo_create_bpfdesc = mac_lomac_create_bpfdesc, 2647 .mpo_create_datagram_from_ipq = mac_lomac_create_datagram_from_ipq, 2648 .mpo_create_fragment = mac_lomac_create_fragment, 2649 .mpo_create_ifnet = mac_lomac_create_ifnet, | 2642 .mpo_destroy_ipq_label = mac_lomac_destroy_label, 2643 .mpo_destroy_mbuf_label = mac_lomac_destroy_label, 2644 .mpo_destroy_mount_label = mac_lomac_destroy_label, 2645 .mpo_destroy_mount_fs_label = mac_lomac_destroy_label, 2646 .mpo_destroy_pipe_label = mac_lomac_destroy_label, 2647 .mpo_destroy_proc_label = mac_lomac_destroy_proc_label, 2648 .mpo_destroy_socket_label = mac_lomac_destroy_label, 2649 .mpo_destroy_socket_peer_label = mac_lomac_destroy_label, --- 34 unchanged lines hidden (view full) --- 2684 .mpo_relabel_socket = mac_lomac_relabel_socket, 2685 .mpo_set_socket_peer_from_mbuf = mac_lomac_set_socket_peer_from_mbuf, 2686 .mpo_set_socket_peer_from_socket = 2687 mac_lomac_set_socket_peer_from_socket, 2688 .mpo_create_bpfdesc = mac_lomac_create_bpfdesc, 2689 .mpo_create_datagram_from_ipq = mac_lomac_create_datagram_from_ipq, 2690 .mpo_create_fragment = mac_lomac_create_fragment, 2691 .mpo_create_ifnet = mac_lomac_create_ifnet, |
2692 .mpo_create_inpcb_from_socket = mac_lomac_create_inpcb_from_socket, |
|
2650 .mpo_create_ipq = mac_lomac_create_ipq, 2651 .mpo_create_mbuf_from_mbuf = mac_lomac_create_mbuf_from_mbuf, 2652 .mpo_create_mbuf_linklayer = mac_lomac_create_mbuf_linklayer, 2653 .mpo_create_mbuf_from_bpfdesc = mac_lomac_create_mbuf_from_bpfdesc, 2654 .mpo_create_mbuf_from_ifnet = mac_lomac_create_mbuf_from_ifnet, 2655 .mpo_create_mbuf_multicast_encap = 2656 mac_lomac_create_mbuf_multicast_encap, 2657 .mpo_create_mbuf_netlayer = mac_lomac_create_mbuf_netlayer, 2658 .mpo_fragment_match = mac_lomac_fragment_match, 2659 .mpo_relabel_ifnet = mac_lomac_relabel_ifnet, 2660 .mpo_update_ipq = mac_lomac_update_ipq, | 2693 .mpo_create_ipq = mac_lomac_create_ipq, 2694 .mpo_create_mbuf_from_mbuf = mac_lomac_create_mbuf_from_mbuf, 2695 .mpo_create_mbuf_linklayer = mac_lomac_create_mbuf_linklayer, 2696 .mpo_create_mbuf_from_bpfdesc = mac_lomac_create_mbuf_from_bpfdesc, 2697 .mpo_create_mbuf_from_ifnet = mac_lomac_create_mbuf_from_ifnet, 2698 .mpo_create_mbuf_multicast_encap = 2699 mac_lomac_create_mbuf_multicast_encap, 2700 .mpo_create_mbuf_netlayer = mac_lomac_create_mbuf_netlayer, 2701 .mpo_fragment_match = mac_lomac_fragment_match, 2702 .mpo_relabel_ifnet = mac_lomac_relabel_ifnet, 2703 .mpo_update_ipq = mac_lomac_update_ipq, |
2704 .mpo_inpcb_sosetlabel = mac_lomac_inpcb_sosetlabel, |
|
2661 .mpo_create_cred = mac_lomac_create_cred, 2662 .mpo_execve_transition = mac_lomac_execve_transition, 2663 .mpo_execve_will_transition = mac_lomac_execve_will_transition, 2664 .mpo_create_proc0 = mac_lomac_create_proc0, 2665 .mpo_create_proc1 = mac_lomac_create_proc1, 2666 .mpo_relabel_cred = mac_lomac_relabel_cred, 2667 .mpo_check_bpfdesc_receive = mac_lomac_check_bpfdesc_receive, 2668 .mpo_check_cred_relabel = mac_lomac_check_cred_relabel, 2669 .mpo_check_cred_visible = mac_lomac_check_cred_visible, 2670 .mpo_check_ifnet_relabel = mac_lomac_check_ifnet_relabel, 2671 .mpo_check_ifnet_transmit = mac_lomac_check_ifnet_transmit, | 2705 .mpo_create_cred = mac_lomac_create_cred, 2706 .mpo_execve_transition = mac_lomac_execve_transition, 2707 .mpo_execve_will_transition = mac_lomac_execve_will_transition, 2708 .mpo_create_proc0 = mac_lomac_create_proc0, 2709 .mpo_create_proc1 = mac_lomac_create_proc1, 2710 .mpo_relabel_cred = mac_lomac_relabel_cred, 2711 .mpo_check_bpfdesc_receive = mac_lomac_check_bpfdesc_receive, 2712 .mpo_check_cred_relabel = mac_lomac_check_cred_relabel, 2713 .mpo_check_cred_visible = mac_lomac_check_cred_visible, 2714 .mpo_check_ifnet_relabel = mac_lomac_check_ifnet_relabel, 2715 .mpo_check_ifnet_transmit = mac_lomac_check_ifnet_transmit, |
2716 .mpo_check_inpcb_deliver = mac_lomac_check_inpcb_deliver, |
|
2672 .mpo_check_kld_load = mac_lomac_check_kld_load, 2673 .mpo_check_kld_unload = mac_lomac_check_kld_unload, 2674 .mpo_check_pipe_ioctl = mac_lomac_check_pipe_ioctl, 2675 .mpo_check_pipe_read = mac_lomac_check_pipe_read, 2676 .mpo_check_pipe_relabel = mac_lomac_check_pipe_relabel, 2677 .mpo_check_pipe_write = mac_lomac_check_pipe_write, 2678 .mpo_check_proc_debug = mac_lomac_check_proc_debug, 2679 .mpo_check_proc_sched = mac_lomac_check_proc_sched, --- 33 unchanged lines hidden --- | 2717 .mpo_check_kld_load = mac_lomac_check_kld_load, 2718 .mpo_check_kld_unload = mac_lomac_check_kld_unload, 2719 .mpo_check_pipe_ioctl = mac_lomac_check_pipe_ioctl, 2720 .mpo_check_pipe_read = mac_lomac_check_pipe_read, 2721 .mpo_check_pipe_relabel = mac_lomac_check_pipe_relabel, 2722 .mpo_check_pipe_write = mac_lomac_check_pipe_write, 2723 .mpo_check_proc_debug = mac_lomac_check_proc_debug, 2724 .mpo_check_proc_sched = mac_lomac_check_proc_sched, --- 33 unchanged lines hidden --- |
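Review bot: The three new inpcb handlers carry no comment on the invariant they maintain, and `mac_lomac_inpcb_sosetlabel` (new 1455-1465) duplicates `mac_lomac_create_inpcb_from_socket` (new 1123-1132) line for line; I would put `/* The inpcb label is a cached copy of the owning socket's single label; sosetlabel re-copies it after a socket relabel so the two cannot drift apart. */` above the first and have the second simply call `mac_lomac_create_inpcb_from_socket(so, solabel, inp, inplabel);` so a later change to one copy path cannot be missed in the other. `mac_lomac_check_inpcb_deliver` (new 1749-1761) denies with EACCES unless `mac_lomac_equal_single` holds between the mbuf and inpcb labels, which presumably mirrors the socket deliver check that is outside this view; a one-line comment stating that the inpcb check must stay in lockstep with the socket check would make that dependency visible. Both copy handlers omit the `mac_lomac_enabled` guard, matching `mac_lomac_create_mbuf_from_socket` and the other create handlers, so that is consistent. The `mac_lomac_ops` initializer begins and ends outside this view.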