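--- a/sys/security/mac_mls/mac_mls.c
+++ b/sys/security/mac_mls/mac_mls.c
@@ -1,8 +1,8 @@
 /*-
  * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson
  * Copyright (c) 2001, 2002, 2003 Networks Associates Technology, Inc.
  * All rights reserved.
  *
  * This software was developed by Robert Watson for the TrustedBSD Project.
  *
  * This software was developed for the FreeBSD Project in part by Network
@@ -26,17 +26,17 @@
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $FreeBSD: head/sys/security/mac_mls/mac_mls.c 122824 2003-11-17 01:04:07Z rwatson $
+ * $FreeBSD: head/sys/security/mac_mls/mac_mls.c 122875 2003-11-18 00:39:07Z rwatson $
  */
 
 /*
  * Developed by the TrustedBSD Project.
  * MLS fixed label mandatory confidentiality policy.
  */
 
 #include <sys/types.h>
@@ -64,16 +64,17 @@
 #include <fs/devfs/devfs.h>
 
 #include <net/bpfdesc.h>
 #include <net/if.h>
 #include <net/if_types.h>
 #include <net/if_var.h>
 
 #include <netinet/in.h>
+#include <netinet/in_pcb.h>
 #include <netinet/ip_var.h>
 
 #include <vm/vm.h>
 
 #include <sys/mac_policy.h>
 
 #include <security/mac_mls/mac_mls.h>
 
@@ -945,16 +946,28 @@
 	    MAC_MLS_EXTATTR_NAME, buflen, (char *) &temp, curthread);
 	return (error);
 }
 
 /*
  * Labeling event operations: IPC object.
  */
 static void
+mac_mls_create_inpcb_from_socket(struct socket *so, struct label *solabel,
+    struct inpcb *inp, struct label *inplabel)
+{
+	struct mac_mls *source, *dest;
+
+	source = SLOT(solabel);
+	dest = SLOT(inplabel);
+
+	mac_mls_copy_single(source, dest);
+}
+
+static void
 mac_mls_create_mbuf_from_socket(struct socket *so, struct label *socketlabel,
     struct mbuf *m, struct label *mbuflabel)
 {
 	struct mac_mls *source, *dest;
 
 	source = SLOT(socketlabel);
 	dest = SLOT(mbuflabel);
 
@@ -1224,16 +1237,28 @@
 static void
 mac_mls_update_ipq(struct mbuf *fragment, struct label *fragmentlabel,
     struct ipq *ipq, struct label *ipqlabel)
 {
 
 	/* NOOP: we only accept matching labels, so no need to update */
 }
 
+static void
+mac_mls_inpcb_sosetlabel(struct socket *so, struct label *solabel,
+    struct inpcb *inp, struct label *inplabel)
+{
+	struct mac_mls *source, *dest;
+
+	source = SLOT(solabel);
+	dest = SLOT(inplabel);
+
+	mac_mls_copy(source, dest);
+}
+
 /*
  * Labeling event operations: processes.
  */
 static void
 mac_mls_create_cred(struct ucred *cred_parent, struct ucred *cred_child)
 {
 	struct mac_mls *source, *dest;
 
@@ -1416,16 +1441,31 @@
 
 	p = SLOT(mbuflabel);
 	i = SLOT(ifnetlabel);
 
 	return (mac_mls_single_in_range(p, i) ? 0 : EACCES);
 }
 
 static int
+mac_mls_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel,
+    struct mbuf *m, struct label *mlabel)
+{
+	struct mac_mls *p, *i;
+
+	if (!mac_mls_enabled)
+		return (0);
+
+	p = SLOT(mlabel);
+	i = SLOT(inplabel);
+
+	return (mac_mls_equal_single(p, i) ? 0 : EACCES);
+}
+
+static int
 mac_mls_check_mount_stat(struct ucred *cred, struct mount *mp,
     struct label *mntlabel)
 {
 	struct mac_mls *subj, *obj;
 
 	if (!mac_mls_enabled)
 		return (0);
 
@@ -2373,28 +2413,30 @@
 
 static struct mac_policy_ops mac_mls_ops =
 {
 	.mpo_init = mac_mls_init,
 	.mpo_init_bpfdesc_label = mac_mls_init_label,
 	.mpo_init_cred_label = mac_mls_init_label,
 	.mpo_init_devfsdirent_label = mac_mls_init_label,
 	.mpo_init_ifnet_label = mac_mls_init_label,
+	.mpo_init_inpcb_label = mac_mls_init_label_waitcheck,
 	.mpo_init_ipq_label = mac_mls_init_label_waitcheck,
 	.mpo_init_mbuf_label = mac_mls_init_label_waitcheck,
 	.mpo_init_mount_label = mac_mls_init_label,
 	.mpo_init_mount_fs_label = mac_mls_init_label,
 	.mpo_init_pipe_label = mac_mls_init_label,
 	.mpo_init_socket_label = mac_mls_init_label_waitcheck,
 	.mpo_init_socket_peer_label = mac_mls_init_label_waitcheck,
 	.mpo_init_vnode_label = mac_mls_init_label,
 	.mpo_destroy_bpfdesc_label = mac_mls_destroy_label,
 	.mpo_destroy_cred_label = mac_mls_destroy_label,
 	.mpo_destroy_devfsdirent_label = mac_mls_destroy_label,
 	.mpo_destroy_ifnet_label = mac_mls_destroy_label,
+	.mpo_destroy_inpcb_label = mac_mls_destroy_label,
 	.mpo_destroy_ipq_label = mac_mls_destroy_label,
 	.mpo_destroy_mbuf_label = mac_mls_destroy_label,
 	.mpo_destroy_mount_label = mac_mls_destroy_label,
 	.mpo_destroy_mount_fs_label = mac_mls_destroy_label,
 	.mpo_destroy_pipe_label = mac_mls_destroy_label,
 	.mpo_destroy_socket_label = mac_mls_destroy_label,
 	.mpo_destroy_socket_peer_label = mac_mls_destroy_label,
 	.mpo_destroy_vnode_label = mac_mls_destroy_label,
@@ -2432,35 +2474,38 @@
 	.mpo_relabel_pipe = mac_mls_relabel_pipe,
 	.mpo_relabel_socket = mac_mls_relabel_socket,
 	.mpo_set_socket_peer_from_mbuf = mac_mls_set_socket_peer_from_mbuf,
 	.mpo_set_socket_peer_from_socket = mac_mls_set_socket_peer_from_socket,
 	.mpo_create_bpfdesc = mac_mls_create_bpfdesc,
 	.mpo_create_datagram_from_ipq = mac_mls_create_datagram_from_ipq,
 	.mpo_create_fragment = mac_mls_create_fragment,
 	.mpo_create_ifnet = mac_mls_create_ifnet,
+	.mpo_create_inpcb_from_socket = mac_mls_create_inpcb_from_socket,
 	.mpo_create_ipq = mac_mls_create_ipq,
 	.mpo_create_mbuf_from_mbuf = mac_mls_create_mbuf_from_mbuf,
 	.mpo_create_mbuf_linklayer = mac_mls_create_mbuf_linklayer,
 	.mpo_create_mbuf_from_bpfdesc = mac_mls_create_mbuf_from_bpfdesc,
 	.mpo_create_mbuf_from_ifnet = mac_mls_create_mbuf_from_ifnet,
 	.mpo_create_mbuf_multicast_encap = mac_mls_create_mbuf_multicast_encap,
 	.mpo_create_mbuf_netlayer = mac_mls_create_mbuf_netlayer,
 	.mpo_fragment_match = mac_mls_fragment_match,
 	.mpo_relabel_ifnet = mac_mls_relabel_ifnet,
 	.mpo_update_ipq = mac_mls_update_ipq,
+	.mpo_inpcb_sosetlabel = mac_mls_inpcb_sosetlabel,
 	.mpo_create_cred = mac_mls_create_cred,
 	.mpo_create_proc0 = mac_mls_create_proc0,
 	.mpo_create_proc1 = mac_mls_create_proc1,
 	.mpo_relabel_cred = mac_mls_relabel_cred,
 	.mpo_check_bpfdesc_receive = mac_mls_check_bpfdesc_receive,
 	.mpo_check_cred_relabel = mac_mls_check_cred_relabel,
 	.mpo_check_cred_visible = mac_mls_check_cred_visible,
 	.mpo_check_ifnet_relabel = mac_mls_check_ifnet_relabel,
 	.mpo_check_ifnet_transmit = mac_mls_check_ifnet_transmit,
+	.mpo_check_inpcb_deliver = mac_mls_check_inpcb_deliver,
 	.mpo_check_mount_stat = mac_mls_check_mount_stat,
 	.mpo_check_pipe_ioctl = mac_mls_check_pipe_ioctl,
 	.mpo_check_pipe_poll = mac_mls_check_pipe_poll,
 	.mpo_check_pipe_read = mac_mls_check_pipe_read,
 	.mpo_check_pipe_relabel = mac_mls_check_pipe_relabel,
 	.mpo_check_pipe_stat = mac_mls_check_pipe_stat,
 	.mpo_check_pipe_write = mac_mls_check_pipe_write,
 	.mpo_check_proc_debug = mac_mls_check_proc_debug,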
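Review bot: The new mac_mls_check_inpcb_deliver (new lines 1449-1461) demands exact equality of the mbuf and inpcb single labels via mac_mls_equal_single, whereas the neighbouring mac_mls_check_ifnet_transmit just above it accepts any label inside the ifnet range via mac_mls_single_in_range; the stricter rule is presumably deliberate because an inpcb carries a socket's fixed label rather than a range, but nothing in the file records that. A one-line comment above the return, `/* Delivery to a PCB requires an exact single-label match, unlike the ifnet range check. */`, would document the intent and stop a future maintainer "harmonising" the two. Relatedly, mac_mls_create_inpcb_from_socket copies with mac_mls_copy_single while mac_mls_inpcb_sosetlabel copies with mac_mls_copy; if socket labels only ever carry a single element the two are equivalent, but the asymmetry deserves a note in whichever function is the deliberate one. Reusing `i` for the inpcb label (it names the ifnet label in the preceding function) is a small readability cost; `*obj` or `*inpl` would read more clearly.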