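--- a/mac_mls.c
+++ b/mac_mls.c
@@ -1,8 +1,8 @@
 /*-
  * Copyright (c) 1999-2002, 2007-2008 Robert N. M. Watson
  * Copyright (c) 2001-2005 McAfee, Inc.
  * Copyright (c) 2006 SPARTA, Inc.
  * All rights reserved.
  *
  * This software was developed by Robert Watson for the TrustedBSD Project.
  *
@@ -30,17 +30,17 @@
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $FreeBSD: head/sys/security/mac_mls/mac_mls.c 184308 2008-10-26 22:46:37Z rwatson $
+ * $FreeBSD: head/sys/security/mac_mls/mac_mls.c 184407 2008-10-28 11:33:06Z rwatson $
  */
 
 /*
  * Developed by the TrustedBSD Project.
  *
  * MLS fixed label mandatory confidentiality policy.
  */
 
@@ -771,16 +771,27 @@
  struct mac_mls *source, *dest;
 
  source = SLOT(dlabel);
  dest = SLOT(mlabel);
 
  mls_copy_effective(source, dest);
 }
 
+static void
+mls_cred_associate_nfsd(struct ucred *cred)
+{
+ struct mac_mls *label;
+
+ label = SLOT(cred->cr_label);
+ mls_set_effective(label, MAC_MLS_TYPE_LOW, 0, NULL);
+ mls_set_range(label, MAC_MLS_TYPE_LOW, 0, NULL, MAC_MLS_TYPE_HIGH, 0,
+ NULL);
+}
+
 static int
 mls_cred_check_relabel(struct ucred *cred, struct label *newlabel)
 {
  struct mac_mls *subj, *new;
  int error;
 
  subj = SLOT(cred->cr_label);
  new = SLOT(newlabel);
@@ -850,16 +861,40 @@
  /* XXX: range */
  if (!mls_dominate_effective(subj, obj))
  return (ESRCH);
 
  return (0);
 }
 
 static void
+mls_cred_create_init(struct ucred *cred)
+{
+ struct mac_mls *dest;
+
+ dest = SLOT(cred->cr_label);
+
+ mls_set_effective(dest, MAC_MLS_TYPE_LOW, 0, NULL);
+ mls_set_range(dest, MAC_MLS_TYPE_LOW, 0, NULL, MAC_MLS_TYPE_HIGH, 0,
+ NULL);
+}
+
+static void
+mls_cred_create_swapper(struct ucred *cred)
+{
+ struct mac_mls *dest;
+
+ dest = SLOT(cred->cr_label);
+
+ mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL);
+ mls_set_range(dest, MAC_MLS_TYPE_LOW, 0, NULL, MAC_MLS_TYPE_HIGH, 0,
+ NULL);
+}
+
+static void
 mls_cred_relabel(struct ucred *cred, struct label *newlabel)
 {
  struct mac_mls *source, *dest;
 
  source = SLOT(newlabel);
  dest = SLOT(cred->cr_label);
 
  mls_copy(source, dest);
@@ -1518,27 +1553,16 @@
  struct mac_mls *source, *dest;
 
  source = SLOT(cred->cr_label);
  dest = SLOT(kslabel);
 
  mls_copy_effective(source, dest);
 }
 
-static void
-mls_proc_associate_nfsd(struct ucred *cred)
-{
- struct mac_mls *label;
-
- label = SLOT(cred->cr_label);
- mls_set_effective(label, MAC_MLS_TYPE_LOW, 0, NULL);
- mls_set_range(label, MAC_MLS_TYPE_LOW, 0, NULL, MAC_MLS_TYPE_HIGH, 0,
- NULL);
-}
-
 static int
 mls_proc_check_debug(struct ucred *cred, struct proc *p)
 {
  struct mac_mls *subj, *obj;
 
  if (!mls_enabled)
  return (0);
 
@@ -1589,40 +1613,16 @@
  if (!mls_dominate_effective(subj, obj))
  return (ESRCH);
  if (!mls_dominate_effective(obj, subj))
  return (EACCES);
 
  return (0);
 }
 
-static void
-mls_proc_create_init(struct ucred *cred)
-{
- struct mac_mls *dest;
-
- dest = SLOT(cred->cr_label);
-
- mls_set_effective(dest, MAC_MLS_TYPE_LOW, 0, NULL);
- mls_set_range(dest, MAC_MLS_TYPE_LOW, 0, NULL, MAC_MLS_TYPE_HIGH, 0,
- NULL);
-}
-
-static void
-mls_proc_create_swapper(struct ucred *cred)
-{
- struct mac_mls *dest;
-
- dest = SLOT(cred->cr_label);
-
- mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL);
- mls_set_range(dest, MAC_MLS_TYPE_LOW, 0, NULL, MAC_MLS_TYPE_HIGH, 0,
- NULL);
-}
-
 static int
 mls_socket_check_deliver(struct socket *so, struct label *solabel,
  struct mbuf *m, struct label *mlabel)
 {
  struct mac_mls *p, *s;
 
  if (!mls_enabled)
  return (0);
@@ -2952,19 +2952,22 @@
  .mpo_init = mls_init,
 
  .mpo_bpfdesc_check_receive = mls_bpfdesc_check_receive,
  .mpo_bpfdesc_create = mls_bpfdesc_create,
  .mpo_bpfdesc_create_mbuf = mls_bpfdesc_create_mbuf,
  .mpo_bpfdesc_destroy_label = mls_destroy_label,
  .mpo_bpfdesc_init_label = mls_init_label,
 
+ .mpo_cred_associate_nfsd = mls_cred_associate_nfsd,
  .mpo_cred_check_relabel = mls_cred_check_relabel,
  .mpo_cred_check_visible = mls_cred_check_visible,
  .mpo_cred_copy_label = mls_copy_label,
+ .mpo_cred_create_init = mls_cred_create_init,
+ .mpo_cred_create_swapper = mls_cred_create_swapper,
  .mpo_cred_destroy_label = mls_destroy_label,
  .mpo_cred_externalize_label = mls_externalize_label,
  .mpo_cred_init_label = mls_init_label,
  .mpo_cred_internalize_label = mls_internalize_label,
  .mpo_cred_relabel = mls_cred_relabel,
 
  .mpo_devfs_create_device = mls_devfs_create_device,
  .mpo_devfs_create_directory = mls_devfs_create_directory,
@@ -3046,22 +3049,19 @@
  .mpo_posixsem_check_post = mls_posixsem_check_write,
  .mpo_posixsem_check_stat = mls_posixsem_check_rdonly,
  .mpo_posixsem_check_unlink = mls_posixsem_check_openunlink,
  .mpo_posixsem_check_wait = mls_posixsem_check_write,
  .mpo_posixsem_create = mls_posixsem_create,
  .mpo_posixsem_destroy_label = mls_destroy_label,
  .mpo_posixsem_init_label = mls_init_label,
 
- .mpo_proc_associate_nfsd = mls_proc_associate_nfsd,
  .mpo_proc_check_debug = mls_proc_check_debug,
  .mpo_proc_check_sched = mls_proc_check_sched,
  .mpo_proc_check_signal = mls_proc_check_signal,
- .mpo_proc_create_init = mls_proc_create_init,
- .mpo_proc_create_swapper = mls_proc_create_swapper,
 
  .mpo_socket_check_deliver = mls_socket_check_deliver,
  .mpo_socket_check_relabel = mls_socket_check_relabel,
  .mpo_socket_check_visible = mls_socket_check_visible,
  .mpo_socket_copy_label = mls_copy_label,
  .mpo_socket_create = mls_socket_create,
  .mpo_socket_create_mbuf = mls_socket_create_mbuf,
  .mpo_socket_destroy_label = mls_destroy_label,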