1/*-
2 * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson
3 * Copyright (c) 2001, 2002, 2003 Networks Associates Technology, Inc.
4 * All rights reserved.
5 *
6 * This software was developed by Robert Watson for the TrustedBSD Project.
7 *
8 * This software was developed for the FreeBSD Project in part by Network

--- 17 unchanged lines hidden (view full) ---

26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 * SUCH DAMAGE.
33 *
34 * $FreeBSD: head/sys/security/mac_mls/mac_mls.c 122824 2003-11-17 01:04:07Z rwatson $
35 */
36
37/*
38 * Developed by the TrustedBSD Project.
39 * MLS fixed label mandatory confidentiality policy.
40 */
41
42#include <sys/types.h>

--- 21 unchanged lines hidden (view full) ---

64#include <fs/devfs/devfs.h>
65
66#include <net/bpfdesc.h>
67#include <net/if.h>
68#include <net/if_types.h>
69#include <net/if_var.h>
70
71#include <netinet/in.h>
72#include <netinet/ip_var.h>
73
74#include <vm/vm.h>
75
76#include <sys/mac_policy.h>
77
78#include <security/mac_mls/mac_mls.h>
79

--- 865 unchanged lines hidden (view full) ---

945 MAC_MLS_EXTATTR_NAME, buflen, (char *) &temp, curthread);
946 return (error);
947}
948
949/*
950 * Labeling event operations: IPC object.
951 */
952static void
953mac_mls_create_mbuf_from_socket(struct socket *so, struct label *socketlabel,
954 struct mbuf *m, struct label *mbuflabel)
955{
956 struct mac_mls *source, *dest;
957
958 source = SLOT(socketlabel);
959 dest = SLOT(mbuflabel);
960

--- 263 unchanged lines hidden (view full) ---

1224static void
1225mac_mls_update_ipq(struct mbuf *fragment, struct label *fragmentlabel,
1226 struct ipq *ipq, struct label *ipqlabel)
1227{
1228
1229 /* NOOP: we only accept matching labels, so no need to update */
1230}
1231
1232/*
1233 * Labeling event operations: processes.
1234 */
1235static void
1236mac_mls_create_cred(struct ucred *cred_parent, struct ucred *cred_child)
1237{
1238 struct mac_mls *source, *dest;
1239

--- 176 unchanged lines hidden (view full) ---

1416
1417 p = SLOT(mbuflabel);
1418 i = SLOT(ifnetlabel);
1419
1420 return (mac_mls_single_in_range(p, i) ? 0 : EACCES);
1421}
1422
1423static int
1424mac_mls_check_mount_stat(struct ucred *cred, struct mount *mp,
1425 struct label *mntlabel)
1426{
1427 struct mac_mls *subj, *obj;
1428
1429 if (!mac_mls_enabled)
1430 return (0);
1431

--- 941 unchanged lines hidden (view full) ---

2373
2374static struct mac_policy_ops mac_mls_ops =
2375{
2376 .mpo_init = mac_mls_init,
2377 .mpo_init_bpfdesc_label = mac_mls_init_label,
2378 .mpo_init_cred_label = mac_mls_init_label,
2379 .mpo_init_devfsdirent_label = mac_mls_init_label,
2380 .mpo_init_ifnet_label = mac_mls_init_label,
2381 .mpo_init_ipq_label = mac_mls_init_label_waitcheck,
2382 .mpo_init_mbuf_label = mac_mls_init_label_waitcheck,
2383 .mpo_init_mount_label = mac_mls_init_label,
2384 .mpo_init_mount_fs_label = mac_mls_init_label,
2385 .mpo_init_pipe_label = mac_mls_init_label,
2386 .mpo_init_socket_label = mac_mls_init_label_waitcheck,
2387 .mpo_init_socket_peer_label = mac_mls_init_label_waitcheck,
2388 .mpo_init_vnode_label = mac_mls_init_label,
2389 .mpo_destroy_bpfdesc_label = mac_mls_destroy_label,
2390 .mpo_destroy_cred_label = mac_mls_destroy_label,
2391 .mpo_destroy_devfsdirent_label = mac_mls_destroy_label,
2392 .mpo_destroy_ifnet_label = mac_mls_destroy_label,
2393 .mpo_destroy_ipq_label = mac_mls_destroy_label,
2394 .mpo_destroy_mbuf_label = mac_mls_destroy_label,
2395 .mpo_destroy_mount_label = mac_mls_destroy_label,
2396 .mpo_destroy_mount_fs_label = mac_mls_destroy_label,
2397 .mpo_destroy_pipe_label = mac_mls_destroy_label,
2398 .mpo_destroy_socket_label = mac_mls_destroy_label,
2399 .mpo_destroy_socket_peer_label = mac_mls_destroy_label,
2400 .mpo_destroy_vnode_label = mac_mls_destroy_label,

--- 31 unchanged lines hidden (view full) ---

2432 .mpo_relabel_pipe = mac_mls_relabel_pipe,
2433 .mpo_relabel_socket = mac_mls_relabel_socket,
2434 .mpo_set_socket_peer_from_mbuf = mac_mls_set_socket_peer_from_mbuf,
2435 .mpo_set_socket_peer_from_socket = mac_mls_set_socket_peer_from_socket,
2436 .mpo_create_bpfdesc = mac_mls_create_bpfdesc,
2437 .mpo_create_datagram_from_ipq = mac_mls_create_datagram_from_ipq,
2438 .mpo_create_fragment = mac_mls_create_fragment,
2439 .mpo_create_ifnet = mac_mls_create_ifnet,
2440 .mpo_create_ipq = mac_mls_create_ipq,
2441 .mpo_create_mbuf_from_mbuf = mac_mls_create_mbuf_from_mbuf,
2442 .mpo_create_mbuf_linklayer = mac_mls_create_mbuf_linklayer,
2443 .mpo_create_mbuf_from_bpfdesc = mac_mls_create_mbuf_from_bpfdesc,
2444 .mpo_create_mbuf_from_ifnet = mac_mls_create_mbuf_from_ifnet,
2445 .mpo_create_mbuf_multicast_encap = mac_mls_create_mbuf_multicast_encap,
2446 .mpo_create_mbuf_netlayer = mac_mls_create_mbuf_netlayer,
2447 .mpo_fragment_match = mac_mls_fragment_match,
2448 .mpo_relabel_ifnet = mac_mls_relabel_ifnet,
2449 .mpo_update_ipq = mac_mls_update_ipq,
2450 .mpo_create_cred = mac_mls_create_cred,
2451 .mpo_create_proc0 = mac_mls_create_proc0,
2452 .mpo_create_proc1 = mac_mls_create_proc1,
2453 .mpo_relabel_cred = mac_mls_relabel_cred,
2454 .mpo_check_bpfdesc_receive = mac_mls_check_bpfdesc_receive,
2455 .mpo_check_cred_relabel = mac_mls_check_cred_relabel,
2456 .mpo_check_cred_visible = mac_mls_check_cred_visible,
2457 .mpo_check_ifnet_relabel = mac_mls_check_ifnet_relabel,
2458 .mpo_check_ifnet_transmit = mac_mls_check_ifnet_transmit,
2459 .mpo_check_mount_stat = mac_mls_check_mount_stat,
2460 .mpo_check_pipe_ioctl = mac_mls_check_pipe_ioctl,
2461 .mpo_check_pipe_poll = mac_mls_check_pipe_poll,
2462 .mpo_check_pipe_read = mac_mls_check_pipe_read,
2463 .mpo_check_pipe_relabel = mac_mls_check_pipe_relabel,
2464 .mpo_check_pipe_stat = mac_mls_check_pipe_stat,
2465 .mpo_check_pipe_write = mac_mls_check_pipe_write,
2466 .mpo_check_proc_debug = mac_mls_check_proc_debug,

--- 42 unchanged lines hidden ---
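Review bot: In `mac_mls_ops`, the `.mpo_init_ipq_label`, `.mpo_init_mbuf_label`, `.mpo_init_socket_label` and `.mpo_init_socket_peer_label` entries use `mac_mls_init_label_waitcheck`, while every other object type uses `mac_mls_init_label`, and nothing at the table says why. Both definitions are in the hidden lines, so this is inferred from the name only: the waitcheck variant presumably takes an allocation flag and can return an error. A short comment above those entries would tell anyone wiring up a new labeled object type which initializer to pick, for example `/* Objects whose labels may be allocated where sleeping is not allowed use the _waitcheck initializer, which can fail. */`, to be confirmed against the two functions. Picking the wrong one would mean either sleeping in a context that cannot sleep or continuing with an unallocated label. This view has lost the added/removed markers, so the note applies to the table as shown, not to a specific changed line.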