| mac_net.c (189797) | mac_net.c (191731) |
|---|---|
| 1/*- 2 * Copyright (c) 1999-2002, 2009 Robert N. M. Watson 3 * Copyright (c) 2001 Ilmar S. Habibulin 4 * Copyright (c) 2001-2004 Networks Associates Technology, Inc. 5 * Copyright (c) 2006 SPARTA, Inc. 6 * Copyright (c) 2008 Apple Inc. 7 * All rights reserved. 8 * --- 29 unchanged lines hidden (view full) --- 38 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 39 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 40 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 41 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 42 * SUCH DAMAGE. 43 */ 44 45#include <sys/cdefs.h> | 1/*- 2 * Copyright (c) 1999-2002, 2009 Robert N. M. Watson 3 * Copyright (c) 2001 Ilmar S. Habibulin 4 * Copyright (c) 2001-2004 Networks Associates Technology, Inc. 5 * Copyright (c) 2006 SPARTA, Inc. 6 * Copyright (c) 2008 Apple Inc. 7 * All rights reserved. 8 * --- 29 unchanged lines hidden (view full) --- 38 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 39 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 40 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 41 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 42 * SUCH DAMAGE. 43 */ 44 45#include <sys/cdefs.h> |
| 46__FBSDID("$FreeBSD: head/sys/security/mac/mac_net.c 189797 2009-03-14 16:06:06Z rwatson $"); | 46__FBSDID("$FreeBSD: head/sys/security/mac/mac_net.c 191731 2009-05-01 21:05:40Z rwatson $"); |
| 47 48#include "opt_kdtrace.h" 49#include "opt_mac.h" 50 51#include <sys/param.h> 52#include <sys/kernel.h> 53#include <sys/lock.h> 54#include <sys/malloc.h> --- 50 unchanged lines hidden (view full) --- 105} 106 107static struct label * 108mac_bpfdesc_label_alloc(void) 109{ 110 struct label *label; 111 112 label = mac_labelzone_alloc(M_WAITOK); | 47 48#include "opt_kdtrace.h" 49#include "opt_mac.h" 50 51#include <sys/param.h> 52#include <sys/kernel.h> 53#include <sys/lock.h> 54#include <sys/malloc.h> --- 50 unchanged lines hidden (view full) --- 105} 106 107static struct label * 108mac_bpfdesc_label_alloc(void) 109{ 110 struct label *label; 111 112 label = mac_labelzone_alloc(M_WAITOK); |
| 113 MAC_PERFORM(bpfdesc_init_label, label); | 113 MAC_POLICY_PERFORM(bpfdesc_init_label, label); |
| 114 return (label); 115} 116 117void 118mac_bpfdesc_init(struct bpf_d *d) 119{ 120 121 if (mac_labeled & MPC_OBJECT_BPFDESC) 122 d->bd_label = mac_bpfdesc_label_alloc(); 123 else 124 d->bd_label = NULL; 125} 126 127static struct label * 128mac_ifnet_label_alloc(void) 129{ 130 struct label *label; 131 132 label = mac_labelzone_alloc(M_WAITOK); | 114 return (label); 115} 116 117void 118mac_bpfdesc_init(struct bpf_d *d) 119{ 120 121 if (mac_labeled & MPC_OBJECT_BPFDESC) 122 d->bd_label = mac_bpfdesc_label_alloc(); 123 else 124 d->bd_label = NULL; 125} 126 127static struct label * 128mac_ifnet_label_alloc(void) 129{ 130 struct label *label; 131 132 label = mac_labelzone_alloc(M_WAITOK); |
| 133 MAC_PERFORM(ifnet_init_label, label); | 133 MAC_POLICY_PERFORM(ifnet_init_label, label); |
| 134 return (label); 135} 136 137void 138mac_ifnet_init(struct ifnet *ifp) 139{ 140 141 if (mac_labeled & MPC_OBJECT_IFNET) --- 7 unchanged lines hidden (view full) --- 149{ 150 struct label *label; 151 int error; 152 153 label = (struct label *) (tag + 1); 154 mac_init_label(label); 155 156 if (flag & M_WAITOK) | 134 return (label); 135} 136 137void 138mac_ifnet_init(struct ifnet *ifp) 139{ 140 141 if (mac_labeled & MPC_OBJECT_IFNET) --- 7 unchanged lines hidden (view full) --- 149{ 150 struct label *label; 151 int error; 152 153 label = (struct label *) (tag + 1); 154 mac_init_label(label); 155 156 if (flag & M_WAITOK) |
| 157 MAC_CHECK(mbuf_init_label, label, flag); | 157 MAC_POLICY_CHECK(mbuf_init_label, label, flag); |
| 158 else | 158 else |
| 159 MAC_CHECK_NOSLEEP(mbuf_init_label, label, flag); | 159 MAC_POLICY_CHECK_NOSLEEP(mbuf_init_label, label, flag); |
| 160 if (error) { | 160 if (error) { |
| 161 MAC_PERFORM_NOSLEEP(mbuf_destroy_label, label); | 161 MAC_POLICY_PERFORM_NOSLEEP(mbuf_destroy_label, label); |
| 162 mac_destroy_label(label); 163 } 164 return (error); 165} 166 167int 168mac_mbuf_init(struct mbuf *m, int flag) 169{ --- 16 unchanged lines hidden (view full) --- 186 } 187 return (0); 188} 189 190static void 191mac_bpfdesc_label_free(struct label *label) 192{ 193 | 162 mac_destroy_label(label); 163 } 164 return (error); 165} 166 167int 168mac_mbuf_init(struct mbuf *m, int flag) 169{ --- 16 unchanged lines hidden (view full) --- 186 } 187 return (0); 188} 189 190static void 191mac_bpfdesc_label_free(struct label *label) 192{ 193 |
| 194 MAC_PERFORM_NOSLEEP(bpfdesc_destroy_label, label); | 194 MAC_POLICY_PERFORM_NOSLEEP(bpfdesc_destroy_label, label); |
| 195 mac_labelzone_free(label); 196} 197 198void 199mac_bpfdesc_destroy(struct bpf_d *d) 200{ 201 202 if (d->bd_label != NULL) { 203 mac_bpfdesc_label_free(d->bd_label); 204 d->bd_label = NULL; 205 } 206} 207 208static void 209mac_ifnet_label_free(struct label *label) 210{ 211 | 195 mac_labelzone_free(label); 196} 197 198void 199mac_bpfdesc_destroy(struct bpf_d *d) 200{ 201 202 if (d->bd_label != NULL) { 203 mac_bpfdesc_label_free(d->bd_label); 204 d->bd_label = NULL; 205 } 206} 207 208static void 209mac_ifnet_label_free(struct label *label) 210{ 211 |
| 212 MAC_PERFORM_NOSLEEP(ifnet_destroy_label, label); | 212 MAC_POLICY_PERFORM_NOSLEEP(ifnet_destroy_label, label); |
| 213 mac_labelzone_free(label); 214} 215 216void 217mac_ifnet_destroy(struct ifnet *ifp) 218{ 219 220 if (ifp->if_label != NULL) { --- 4 unchanged lines hidden (view full) --- 225 226void 227mac_mbuf_tag_destroy(struct m_tag *tag) 228{ 229 struct label *label; 230 231 label = (struct label *)(tag+1); 232 | 213 mac_labelzone_free(label); 214} 215 216void 217mac_ifnet_destroy(struct ifnet *ifp) 218{ 219 220 if (ifp->if_label != NULL) { --- 4 unchanged lines hidden (view full) --- 225 226void 227mac_mbuf_tag_destroy(struct m_tag *tag) 228{ 229 struct label *label; 230 231 label = (struct label *)(tag+1); 232 |
| 233 MAC_PERFORM_NOSLEEP(mbuf_destroy_label, label); | 233 MAC_POLICY_PERFORM_NOSLEEP(mbuf_destroy_label, label); |
| 234 mac_destroy_label(label); 235} 236 237/* 238 * mac_mbuf_tag_copy is called when an mbuf header is duplicated, in which 239 * case the labels must also be duplicated. 240 */ 241void 242mac_mbuf_tag_copy(struct m_tag *src, struct m_tag *dest) 243{ 244 struct label *src_label, *dest_label; 245 246 src_label = (struct label *)(src+1); 247 dest_label = (struct label *)(dest+1); 248 249 /* 250 * mac_mbuf_tag_init() is called on the target tag in m_tag_copy(), 251 * so we don't need to call it here. 252 */ | 234 mac_destroy_label(label); 235} 236 237/* 238 * mac_mbuf_tag_copy is called when an mbuf header is duplicated, in which 239 * case the labels must also be duplicated. 240 */ 241void 242mac_mbuf_tag_copy(struct m_tag *src, struct m_tag *dest) 243{ 244 struct label *src_label, *dest_label; 245 246 src_label = (struct label *)(src+1); 247 dest_label = (struct label *)(dest+1); 248 249 /* 250 * mac_mbuf_tag_init() is called on the target tag in m_tag_copy(), 251 * so we don't need to call it here. 252 */ |
| 253 MAC_PERFORM_NOSLEEP(mbuf_copy_label, src_label, dest_label); | 253 MAC_POLICY_PERFORM_NOSLEEP(mbuf_copy_label, src_label, dest_label); |
| 254} 255 256void 257mac_mbuf_copy(struct mbuf *m_from, struct mbuf *m_to) 258{ 259 struct label *src_label, *dest_label; 260 261 src_label = mac_mbuf_to_label(m_from); 262 dest_label = mac_mbuf_to_label(m_to); 263 | 254} 255 256void 257mac_mbuf_copy(struct mbuf *m_from, struct mbuf *m_to) 258{ 259 struct label *src_label, *dest_label; 260 261 src_label = mac_mbuf_to_label(m_from); 262 dest_label = mac_mbuf_to_label(m_to); 263 |
| 264 MAC_PERFORM_NOSLEEP(mbuf_copy_label, src_label, dest_label); | 264 MAC_POLICY_PERFORM_NOSLEEP(mbuf_copy_label, src_label, dest_label); |
| 265} 266 267static void 268mac_ifnet_copy_label(struct label *src, struct label *dest) 269{ 270 | 265} 266 267static void 268mac_ifnet_copy_label(struct label *src, struct label *dest) 269{ 270 |
| 271 MAC_PERFORM_NOSLEEP(ifnet_copy_label, src, dest); | 271 MAC_POLICY_PERFORM_NOSLEEP(ifnet_copy_label, src, dest); |
| 272} 273 274static int 275mac_ifnet_externalize_label(struct label *label, char *elements, 276 char *outbuf, size_t outbuflen) 277{ 278 int error; 279 | 272} 273 274static int 275mac_ifnet_externalize_label(struct label *label, char *elements, 276 char *outbuf, size_t outbuflen) 277{ 278 int error; 279 |
| 280 MAC_EXTERNALIZE(ifnet, label, elements, outbuf, outbuflen); | 280 MAC_POLICY_EXTERNALIZE(ifnet, label, elements, outbuf, outbuflen); |
| 281 282 return (error); 283} 284 285static int 286mac_ifnet_internalize_label(struct label *label, char *string) 287{ 288 int error; 289 | 281 282 return (error); 283} 284 285static int 286mac_ifnet_internalize_label(struct label *label, char *string) 287{ 288 int error; 289 |
| 290 MAC_INTERNALIZE(ifnet, label, string); | 290 MAC_POLICY_INTERNALIZE(ifnet, label, string); |
| 291 292 return (error); 293} 294 295void 296mac_ifnet_create(struct ifnet *ifp) 297{ 298 299 MAC_IFNET_LOCK(ifp); | 291 292 return (error); 293} 294 295void 296mac_ifnet_create(struct ifnet *ifp) 297{ 298 299 MAC_IFNET_LOCK(ifp); |
| 300 MAC_PERFORM_NOSLEEP(ifnet_create, ifp, ifp->if_label); | 300 MAC_POLICY_PERFORM_NOSLEEP(ifnet_create, ifp, ifp->if_label); |
| 301 MAC_IFNET_UNLOCK(ifp); 302} 303 304void 305mac_bpfdesc_create(struct ucred *cred, struct bpf_d *d) 306{ 307 | 301 MAC_IFNET_UNLOCK(ifp); 302} 303 304void 305mac_bpfdesc_create(struct ucred *cred, struct bpf_d *d) 306{ 307 |
| 308 MAC_PERFORM_NOSLEEP(bpfdesc_create, cred, d, d->bd_label); | 308 MAC_POLICY_PERFORM_NOSLEEP(bpfdesc_create, cred, d, d->bd_label); |
| 309} 310 311void 312mac_bpfdesc_create_mbuf(struct bpf_d *d, struct mbuf *m) 313{ 314 struct label *label; 315 316 BPFD_LOCK_ASSERT(d); 317 318 label = mac_mbuf_to_label(m); 319 | 309} 310 311void 312mac_bpfdesc_create_mbuf(struct bpf_d *d, struct mbuf *m) 313{ 314 struct label *label; 315 316 BPFD_LOCK_ASSERT(d); 317 318 label = mac_mbuf_to_label(m); 319 |
| 320 MAC_PERFORM_NOSLEEP(bpfdesc_create_mbuf, d, d->bd_label, m, label); | 320 MAC_POLICY_PERFORM_NOSLEEP(bpfdesc_create_mbuf, d, d->bd_label, m, 321 label); |
| 321} 322 323void 324mac_ifnet_create_mbuf(struct ifnet *ifp, struct mbuf *m) 325{ 326 struct label *label; 327 328 label = mac_mbuf_to_label(m); 329 330 MAC_IFNET_LOCK(ifp); | 322} 323 324void 325mac_ifnet_create_mbuf(struct ifnet *ifp, struct mbuf *m) 326{ 327 struct label *label; 328 329 label = mac_mbuf_to_label(m); 330 331 MAC_IFNET_LOCK(ifp); |
| 331 MAC_PERFORM_NOSLEEP(ifnet_create_mbuf, ifp, ifp->if_label, m, label); | 332 MAC_POLICY_PERFORM_NOSLEEP(ifnet_create_mbuf, ifp, ifp->if_label, m, 333 label); |
| 332 MAC_IFNET_UNLOCK(ifp); 333} 334 335MAC_CHECK_PROBE_DEFINE2(bpfdesc_check_receive, "struct bpf_d *", 336 "struct ifnet *"); 337 338int 339mac_bpfdesc_check_receive(struct bpf_d *d, struct ifnet *ifp) 340{ 341 int error; 342 343 BPFD_LOCK_ASSERT(d); 344 345 MAC_IFNET_LOCK(ifp); | 334 MAC_IFNET_UNLOCK(ifp); 335} 336 337MAC_CHECK_PROBE_DEFINE2(bpfdesc_check_receive, "struct bpf_d *", 338 "struct ifnet *"); 339 340int 341mac_bpfdesc_check_receive(struct bpf_d *d, struct ifnet *ifp) 342{ 343 int error; 344 345 BPFD_LOCK_ASSERT(d); 346 347 MAC_IFNET_LOCK(ifp); |
| 346 MAC_CHECK_NOSLEEP(bpfdesc_check_receive, d, d->bd_label, ifp, | 348 MAC_POLICY_CHECK_NOSLEEP(bpfdesc_check_receive, d, d->bd_label, ifp, |
| 347 ifp->if_label); 348 MAC_CHECK_PROBE2(bpfdesc_check_receive, error, d, ifp); 349 MAC_IFNET_UNLOCK(ifp); 350 351 return (error); 352} 353 354MAC_CHECK_PROBE_DEFINE2(ifnet_check_transmit, "struct ifnet *", --- 5 unchanged lines hidden (view full) --- 360 struct label *label; 361 int error; 362 363 M_ASSERTPKTHDR(m); 364 365 label = mac_mbuf_to_label(m); 366 367 MAC_IFNET_LOCK(ifp); | 349 ifp->if_label); 350 MAC_CHECK_PROBE2(bpfdesc_check_receive, error, d, ifp); 351 MAC_IFNET_UNLOCK(ifp); 352 353 return (error); 354} 355 356MAC_CHECK_PROBE_DEFINE2(ifnet_check_transmit, "struct ifnet *", --- 5 unchanged lines hidden (view full) --- 362 struct label *label; 363 int error; 364 365 M_ASSERTPKTHDR(m); 366 367 label = mac_mbuf_to_label(m); 368 369 MAC_IFNET_LOCK(ifp); |
| 368 MAC_CHECK_NOSLEEP(ifnet_check_transmit, ifp, ifp->if_label, m, | 370 MAC_POLICY_CHECK_NOSLEEP(ifnet_check_transmit, ifp, ifp->if_label, m, |
| 369 label); 370 MAC_CHECK_PROBE2(ifnet_check_transmit, error, ifp, m); 371 MAC_IFNET_UNLOCK(ifp); 372 373 return (error); 374} 375 376int --- 81 unchanged lines hidden (view full) --- 458 */ 459 error = priv_check_cred(cred, PRIV_NET_SETIFMAC, 0); 460 if (error) { 461 mac_ifnet_label_free(intlabel); 462 return (error); 463 } 464 465 MAC_IFNET_LOCK(ifp); | 371 label); 372 MAC_CHECK_PROBE2(ifnet_check_transmit, error, ifp, m); 373 MAC_IFNET_UNLOCK(ifp); 374 375 return (error); 376} 377 378int --- 81 unchanged lines hidden (view full) --- 460 */ 461 error = priv_check_cred(cred, PRIV_NET_SETIFMAC, 0); 462 if (error) { 463 mac_ifnet_label_free(intlabel); 464 return (error); 465 } 466 467 MAC_IFNET_LOCK(ifp); |
| 466 MAC_CHECK_NOSLEEP(ifnet_check_relabel, cred, ifp, ifp->if_label, 467 intlabel); | 468 MAC_POLICY_CHECK_NOSLEEP(ifnet_check_relabel, cred, ifp, 469 ifp->if_label, intlabel); |
| 468 if (error) { 469 MAC_IFNET_UNLOCK(ifp); 470 mac_ifnet_label_free(intlabel); 471 return (error); 472 } 473 | 470 if (error) { 471 MAC_IFNET_UNLOCK(ifp); 472 mac_ifnet_label_free(intlabel); 473 return (error); 474 } 475 |
| 474 MAC_PERFORM_NOSLEEP(ifnet_relabel, cred, ifp, ifp->if_label, | 476 MAC_POLICY_PERFORM_NOSLEEP(ifnet_relabel, cred, ifp, ifp->if_label, |
| 475 intlabel); 476 MAC_IFNET_UNLOCK(ifp); 477 478 mac_ifnet_label_free(intlabel); 479 return (0); 480} | 477 intlabel); 478 MAC_IFNET_UNLOCK(ifp); 479 480 mac_ifnet_label_free(intlabel); 481 return (0); 482} |