1/*- 2 * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson 3 * Copyright (c) 2001 Ilmar S. Habibulin 4 * Copyright (c) 2001, 2002, 2003 Networks Associates Technology, Inc. 5 * All rights reserved. 6 * 7 * This software was developed by Robert Watson and Ilmar Habibulin for the 8 * TrustedBSD Project. 9 * 10 * This software was developed for the FreeBSD Project in part by Network 11 * Associates Laboratories, the Security Research Division of Network 12 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), 13 * as part of the DARPA CHATS research program. 14 * 15 * Redistribution and use in source and binary forms, with or without 16 * modification, are permitted provided that the following conditions 17 * are met: 18 * 1. Redistributions of source code must retain the above copyright 19 * notice, this list of conditions and the following disclaimer. 20 * 2. Redistributions in binary form must reproduce the above copyright 21 * notice, this list of conditions and the following disclaimer in the 22 * documentation and/or other materials provided with the distribution. 23 * 24 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 25 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 26 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 27 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 28 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 29 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 30 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 31 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 32 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 33 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 34 * SUCH DAMAGE. 35 */ 36 37#include <sys/cdefs.h>
| 1/*- 2 * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson 3 * Copyright (c) 2001 Ilmar S. Habibulin 4 * Copyright (c) 2001, 2002, 2003 Networks Associates Technology, Inc. 5 * All rights reserved. 6 * 7 * This software was developed by Robert Watson and Ilmar Habibulin for the 8 * TrustedBSD Project. 9 * 10 * This software was developed for the FreeBSD Project in part by Network 11 * Associates Laboratories, the Security Research Division of Network 12 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), 13 * as part of the DARPA CHATS research program. 14 * 15 * Redistribution and use in source and binary forms, with or without 16 * modification, are permitted provided that the following conditions 17 * are met: 18 * 1. Redistributions of source code must retain the above copyright 19 * notice, this list of conditions and the following disclaimer. 20 * 2. Redistributions in binary form must reproduce the above copyright 21 * notice, this list of conditions and the following disclaimer in the 22 * documentation and/or other materials provided with the distribution. 23 * 24 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 25 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 26 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 27 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 28 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 29 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 30 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 31 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 32 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 33 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 34 * SUCH DAMAGE. 35 */ 36 37#include <sys/cdefs.h>
|
38__FBSDID("$FreeBSD: head/sys/security/mac/mac_net.c 121507 2003-10-25 15:28:20Z rwatson $");
| 38__FBSDID("$FreeBSD: head/sys/security/mac/mac_net.c 122159 2003-11-06 03:42:43Z rwatson $");
|
39 40#include "opt_mac.h" 41 42#include <sys/param.h> 43#include <sys/kernel.h> 44#include <sys/lock.h> 45#include <sys/malloc.h> 46#include <sys/mutex.h> 47#include <sys/mac.h> 48#include <sys/sbuf.h> 49#include <sys/systm.h> 50#include <sys/mount.h> 51#include <sys/file.h> 52#include <sys/namei.h> 53#include <sys/socket.h> 54#include <sys/socketvar.h> 55#include <sys/sysctl.h> 56 57#include <sys/mac_policy.h> 58 59#include <net/bpfdesc.h> 60#include <net/if.h> 61#include <net/if_var.h> 62 63#include <netinet/in.h> 64#include <netinet/ip_var.h> 65 66#include <security/mac/mac_internal.h> 67 68static int mac_enforce_network = 1; 69SYSCTL_INT(_security_mac, OID_AUTO, enforce_network, CTLFLAG_RW, 70 &mac_enforce_network, 0, "Enforce MAC policy on network packets"); 71TUNABLE_INT("security.mac.enforce_network", &mac_enforce_network); 72 73static int mac_enforce_socket = 1; 74SYSCTL_INT(_security_mac, OID_AUTO, enforce_socket, CTLFLAG_RW, 75 &mac_enforce_socket, 0, "Enforce MAC policy on socket operations"); 76TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket); 77 78#ifdef MAC_DEBUG 79static unsigned int nmacmbufs, nmacifnets, nmacbpfdescs, nmacsockets, 80 nmacipqs; 81 82SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, mbufs, CTLFLAG_RD, 83 &nmacmbufs, 0, "number of mbufs in use"); 84SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, ifnets, CTLFLAG_RD, 85 &nmacifnets, 0, "number of ifnets in use"); 86SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, ipqs, CTLFLAG_RD, 87 &nmacipqs, 0, "number of ipqs in use"); 88SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, bpfdescs, CTLFLAG_RD, 89 &nmacbpfdescs, 0, "number of bpfdescs in use"); 90SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, sockets, CTLFLAG_RD, 91 &nmacsockets, 0, "number of sockets in use"); 92#endif 93 94static void mac_destroy_socket_label(struct label *label); 95 96static struct label * 97mbuf_to_label(struct mbuf *mbuf) 98{ 99 struct m_tag *tag; 100 struct label *label; 101 102 tag = m_tag_find(mbuf, PACKET_TAG_MACLABEL, NULL); 103 label = (struct label *)(tag+1); 104 105 return (label); 106} 107 108void 109mac_init_bpfdesc(struct bpf_d *bpf_d) 110{ 111 112 mac_init_label(&bpf_d->bd_label); 113 MAC_PERFORM(init_bpfdesc_label, &bpf_d->bd_label); 114 MAC_DEBUG_COUNTER_INC(&nmacbpfdescs); 115} 116 117static void 118mac_init_ifnet_label(struct label *label) 119{ 120 121 mac_init_label(label); 122 MAC_PERFORM(init_ifnet_label, label); 123 MAC_DEBUG_COUNTER_INC(&nmacifnets); 124} 125 126void 127mac_init_ifnet(struct ifnet *ifp) 128{ 129 130 mac_init_ifnet_label(&ifp->if_label); 131} 132 133int 134mac_init_ipq(struct ipq *ipq, int flag) 135{ 136 int error; 137 138 mac_init_label(&ipq->ipq_label); 139 140 MAC_CHECK(init_ipq_label, &ipq->ipq_label, flag); 141 if (error) { 142 MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label); 143 mac_destroy_label(&ipq->ipq_label); 144 } else { 145 MAC_DEBUG_COUNTER_INC(&nmacipqs); 146 } 147 return (error); 148} 149 150int 151mac_init_mbuf_tag(struct m_tag *tag, int flag) 152{ 153 struct label *label; 154 int error; 155 156 label = (struct label *) (tag + 1); 157 mac_init_label(label); 158 159 MAC_CHECK(init_mbuf_label, label, flag); 160 if (error) { 161 MAC_PERFORM(destroy_mbuf_label, label); 162 mac_destroy_label(label); 163 } else { 164 MAC_DEBUG_COUNTER_INC(&nmacmbufs); 165 } 166 return (error); 167} 168 169int 170mac_init_mbuf(struct mbuf *m, int flag) 171{ 172 struct m_tag *tag; 173 int error; 174 175 M_ASSERTPKTHDR(m); 176 177#ifndef MAC_ALWAYS_LABEL_MBUF 178 /* 179 * If conditionally allocating mbuf labels, don't allocate unless 180 * they are required. 181 */ 182 if (!mac_labelmbufs) 183 return (0); 184#endif 185 tag = m_tag_get(PACKET_TAG_MACLABEL, sizeof(struct label), 186 flag); 187 if (tag == NULL) 188 return (ENOMEM); 189 error = mac_init_mbuf_tag(tag, flag); 190 if (error) { 191 m_tag_free(tag); 192 return (error); 193 } 194 m_tag_prepend(m, tag); 195 return (0); 196} 197 198static int 199mac_init_socket_label(struct label *label, int flag) 200{ 201 int error; 202 203 mac_init_label(label); 204 205 MAC_CHECK(init_socket_label, label, flag); 206 if (error) { 207 MAC_PERFORM(destroy_socket_label, label); 208 mac_destroy_label(label); 209 } else { 210 MAC_DEBUG_COUNTER_INC(&nmacsockets); 211 } 212 213 return (error); 214} 215 216static int 217mac_init_socket_peer_label(struct label *label, int flag) 218{ 219 int error; 220 221 mac_init_label(label); 222 223 MAC_CHECK(init_socket_peer_label, label, flag); 224 if (error) { 225 MAC_PERFORM(destroy_socket_label, label); 226 mac_destroy_label(label); 227 } 228 229 return (error); 230} 231 232int 233mac_init_socket(struct socket *socket, int flag) 234{ 235 int error; 236 237 error = mac_init_socket_label(&socket->so_label, flag); 238 if (error) 239 return (error); 240 241 error = mac_init_socket_peer_label(&socket->so_peerlabel, flag); 242 if (error) 243 mac_destroy_socket_label(&socket->so_label); 244 245 return (error); 246} 247 248void 249mac_destroy_bpfdesc(struct bpf_d *bpf_d) 250{ 251 252 MAC_PERFORM(destroy_bpfdesc_label, &bpf_d->bd_label); 253 mac_destroy_label(&bpf_d->bd_label); 254 MAC_DEBUG_COUNTER_DEC(&nmacbpfdescs); 255} 256 257static void 258mac_destroy_ifnet_label(struct label *label) 259{ 260 261 MAC_PERFORM(destroy_ifnet_label, label); 262 mac_destroy_label(label); 263 MAC_DEBUG_COUNTER_DEC(&nmacifnets); 264} 265 266void 267mac_destroy_ifnet(struct ifnet *ifp) 268{ 269 270 mac_destroy_ifnet_label(&ifp->if_label); 271} 272 273void 274mac_destroy_ipq(struct ipq *ipq) 275{ 276 277 MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label); 278 mac_destroy_label(&ipq->ipq_label); 279 MAC_DEBUG_COUNTER_DEC(&nmacipqs); 280} 281 282void 283mac_destroy_mbuf_tag(struct m_tag *tag) 284{ 285 struct label *label; 286 287 label = (struct label *)(tag+1); 288 289 MAC_PERFORM(destroy_mbuf_label, label); 290 mac_destroy_label(label); 291 MAC_DEBUG_COUNTER_DEC(&nmacmbufs); 292} 293 294static void 295mac_destroy_socket_label(struct label *label) 296{ 297 298 MAC_PERFORM(destroy_socket_label, label); 299 mac_destroy_label(label); 300 MAC_DEBUG_COUNTER_DEC(&nmacsockets); 301} 302 303static void 304mac_destroy_socket_peer_label(struct label *label) 305{ 306 307 MAC_PERFORM(destroy_socket_peer_label, label); 308 mac_destroy_label(label); 309} 310 311void 312mac_destroy_socket(struct socket *socket) 313{ 314 315 mac_destroy_socket_label(&socket->so_label); 316 mac_destroy_socket_peer_label(&socket->so_peerlabel); 317} 318 319void 320mac_copy_mbuf_tag(struct m_tag *src, struct m_tag *dest) 321{ 322 struct label *src_label, *dest_label; 323 324 src_label = (struct label *)(src+1); 325 dest_label = (struct label *)(dest+1); 326 327 /* 328 * mac_init_mbuf_tag() is called on the target tag in 329 * m_tag_copy(), so we don't need to call it here. 330 */ 331 MAC_PERFORM(copy_mbuf_label, src_label, dest_label); 332} 333 334static int 335mac_externalize_ifnet_label(struct label *label, char *elements,
| 39 40#include "opt_mac.h" 41 42#include <sys/param.h> 43#include <sys/kernel.h> 44#include <sys/lock.h> 45#include <sys/malloc.h> 46#include <sys/mutex.h> 47#include <sys/mac.h> 48#include <sys/sbuf.h> 49#include <sys/systm.h> 50#include <sys/mount.h> 51#include <sys/file.h> 52#include <sys/namei.h> 53#include <sys/socket.h> 54#include <sys/socketvar.h> 55#include <sys/sysctl.h> 56 57#include <sys/mac_policy.h> 58 59#include <net/bpfdesc.h> 60#include <net/if.h> 61#include <net/if_var.h> 62 63#include <netinet/in.h> 64#include <netinet/ip_var.h> 65 66#include <security/mac/mac_internal.h> 67 68static int mac_enforce_network = 1; 69SYSCTL_INT(_security_mac, OID_AUTO, enforce_network, CTLFLAG_RW, 70 &mac_enforce_network, 0, "Enforce MAC policy on network packets"); 71TUNABLE_INT("security.mac.enforce_network", &mac_enforce_network); 72 73static int mac_enforce_socket = 1; 74SYSCTL_INT(_security_mac, OID_AUTO, enforce_socket, CTLFLAG_RW, 75 &mac_enforce_socket, 0, "Enforce MAC policy on socket operations"); 76TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket); 77 78#ifdef MAC_DEBUG 79static unsigned int nmacmbufs, nmacifnets, nmacbpfdescs, nmacsockets, 80 nmacipqs; 81 82SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, mbufs, CTLFLAG_RD, 83 &nmacmbufs, 0, "number of mbufs in use"); 84SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, ifnets, CTLFLAG_RD, 85 &nmacifnets, 0, "number of ifnets in use"); 86SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, ipqs, CTLFLAG_RD, 87 &nmacipqs, 0, "number of ipqs in use"); 88SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, bpfdescs, CTLFLAG_RD, 89 &nmacbpfdescs, 0, "number of bpfdescs in use"); 90SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, sockets, CTLFLAG_RD, 91 &nmacsockets, 0, "number of sockets in use"); 92#endif 93 94static void mac_destroy_socket_label(struct label *label); 95 96static struct label * 97mbuf_to_label(struct mbuf *mbuf) 98{ 99 struct m_tag *tag; 100 struct label *label; 101 102 tag = m_tag_find(mbuf, PACKET_TAG_MACLABEL, NULL); 103 label = (struct label *)(tag+1); 104 105 return (label); 106} 107 108void 109mac_init_bpfdesc(struct bpf_d *bpf_d) 110{ 111 112 mac_init_label(&bpf_d->bd_label); 113 MAC_PERFORM(init_bpfdesc_label, &bpf_d->bd_label); 114 MAC_DEBUG_COUNTER_INC(&nmacbpfdescs); 115} 116 117static void 118mac_init_ifnet_label(struct label *label) 119{ 120 121 mac_init_label(label); 122 MAC_PERFORM(init_ifnet_label, label); 123 MAC_DEBUG_COUNTER_INC(&nmacifnets); 124} 125 126void 127mac_init_ifnet(struct ifnet *ifp) 128{ 129 130 mac_init_ifnet_label(&ifp->if_label); 131} 132 133int 134mac_init_ipq(struct ipq *ipq, int flag) 135{ 136 int error; 137 138 mac_init_label(&ipq->ipq_label); 139 140 MAC_CHECK(init_ipq_label, &ipq->ipq_label, flag); 141 if (error) { 142 MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label); 143 mac_destroy_label(&ipq->ipq_label); 144 } else { 145 MAC_DEBUG_COUNTER_INC(&nmacipqs); 146 } 147 return (error); 148} 149 150int 151mac_init_mbuf_tag(struct m_tag *tag, int flag) 152{ 153 struct label *label; 154 int error; 155 156 label = (struct label *) (tag + 1); 157 mac_init_label(label); 158 159 MAC_CHECK(init_mbuf_label, label, flag); 160 if (error) { 161 MAC_PERFORM(destroy_mbuf_label, label); 162 mac_destroy_label(label); 163 } else { 164 MAC_DEBUG_COUNTER_INC(&nmacmbufs); 165 } 166 return (error); 167} 168 169int 170mac_init_mbuf(struct mbuf *m, int flag) 171{ 172 struct m_tag *tag; 173 int error; 174 175 M_ASSERTPKTHDR(m); 176 177#ifndef MAC_ALWAYS_LABEL_MBUF 178 /* 179 * If conditionally allocating mbuf labels, don't allocate unless 180 * they are required. 181 */ 182 if (!mac_labelmbufs) 183 return (0); 184#endif 185 tag = m_tag_get(PACKET_TAG_MACLABEL, sizeof(struct label), 186 flag); 187 if (tag == NULL) 188 return (ENOMEM); 189 error = mac_init_mbuf_tag(tag, flag); 190 if (error) { 191 m_tag_free(tag); 192 return (error); 193 } 194 m_tag_prepend(m, tag); 195 return (0); 196} 197 198static int 199mac_init_socket_label(struct label *label, int flag) 200{ 201 int error; 202 203 mac_init_label(label); 204 205 MAC_CHECK(init_socket_label, label, flag); 206 if (error) { 207 MAC_PERFORM(destroy_socket_label, label); 208 mac_destroy_label(label); 209 } else { 210 MAC_DEBUG_COUNTER_INC(&nmacsockets); 211 } 212 213 return (error); 214} 215 216static int 217mac_init_socket_peer_label(struct label *label, int flag) 218{ 219 int error; 220 221 mac_init_label(label); 222 223 MAC_CHECK(init_socket_peer_label, label, flag); 224 if (error) { 225 MAC_PERFORM(destroy_socket_label, label); 226 mac_destroy_label(label); 227 } 228 229 return (error); 230} 231 232int 233mac_init_socket(struct socket *socket, int flag) 234{ 235 int error; 236 237 error = mac_init_socket_label(&socket->so_label, flag); 238 if (error) 239 return (error); 240 241 error = mac_init_socket_peer_label(&socket->so_peerlabel, flag); 242 if (error) 243 mac_destroy_socket_label(&socket->so_label); 244 245 return (error); 246} 247 248void 249mac_destroy_bpfdesc(struct bpf_d *bpf_d) 250{ 251 252 MAC_PERFORM(destroy_bpfdesc_label, &bpf_d->bd_label); 253 mac_destroy_label(&bpf_d->bd_label); 254 MAC_DEBUG_COUNTER_DEC(&nmacbpfdescs); 255} 256 257static void 258mac_destroy_ifnet_label(struct label *label) 259{ 260 261 MAC_PERFORM(destroy_ifnet_label, label); 262 mac_destroy_label(label); 263 MAC_DEBUG_COUNTER_DEC(&nmacifnets); 264} 265 266void 267mac_destroy_ifnet(struct ifnet *ifp) 268{ 269 270 mac_destroy_ifnet_label(&ifp->if_label); 271} 272 273void 274mac_destroy_ipq(struct ipq *ipq) 275{ 276 277 MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label); 278 mac_destroy_label(&ipq->ipq_label); 279 MAC_DEBUG_COUNTER_DEC(&nmacipqs); 280} 281 282void 283mac_destroy_mbuf_tag(struct m_tag *tag) 284{ 285 struct label *label; 286 287 label = (struct label *)(tag+1); 288 289 MAC_PERFORM(destroy_mbuf_label, label); 290 mac_destroy_label(label); 291 MAC_DEBUG_COUNTER_DEC(&nmacmbufs); 292} 293 294static void 295mac_destroy_socket_label(struct label *label) 296{ 297 298 MAC_PERFORM(destroy_socket_label, label); 299 mac_destroy_label(label); 300 MAC_DEBUG_COUNTER_DEC(&nmacsockets); 301} 302 303static void 304mac_destroy_socket_peer_label(struct label *label) 305{ 306 307 MAC_PERFORM(destroy_socket_peer_label, label); 308 mac_destroy_label(label); 309} 310 311void 312mac_destroy_socket(struct socket *socket) 313{ 314 315 mac_destroy_socket_label(&socket->so_label); 316 mac_destroy_socket_peer_label(&socket->so_peerlabel); 317} 318 319void 320mac_copy_mbuf_tag(struct m_tag *src, struct m_tag *dest) 321{ 322 struct label *src_label, *dest_label; 323 324 src_label = (struct label *)(src+1); 325 dest_label = (struct label *)(dest+1); 326 327 /* 328 * mac_init_mbuf_tag() is called on the target tag in 329 * m_tag_copy(), so we don't need to call it here. 330 */ 331 MAC_PERFORM(copy_mbuf_label, src_label, dest_label); 332} 333 334static int 335mac_externalize_ifnet_label(struct label *label, char *elements,
|
336 char *outbuf, size_t outbuflen, int flags)
| 336 char *outbuf, size_t outbuflen)
|
337{ 338 int error; 339 340 MAC_EXTERNALIZE(ifnet, label, elements, outbuf, outbuflen); 341 342 return (error); 343} 344 345static int 346mac_externalize_socket_label(struct label *label, char *elements,
| 337{ 338 int error; 339 340 MAC_EXTERNALIZE(ifnet, label, elements, outbuf, outbuflen); 341 342 return (error); 343} 344 345static int 346mac_externalize_socket_label(struct label *label, char *elements,
|
347 char *outbuf, size_t outbuflen, int flags)
| 347 char *outbuf, size_t outbuflen)
|
348{ 349 int error; 350 351 MAC_EXTERNALIZE(socket, label, elements, outbuf, outbuflen); 352 353 return (error); 354} 355 356static int 357mac_externalize_socket_peer_label(struct label *label, char *elements,
| 348{ 349 int error; 350 351 MAC_EXTERNALIZE(socket, label, elements, outbuf, outbuflen); 352 353 return (error); 354} 355 356static int 357mac_externalize_socket_peer_label(struct label *label, char *elements,
|
358 char *outbuf, size_t outbuflen, int flags)
| 358 char *outbuf, size_t outbuflen)
|
359{ 360 int error; 361 362 MAC_EXTERNALIZE(socket_peer, label, elements, outbuf, outbuflen); 363 364 return (error); 365} 366 367static int 368mac_internalize_ifnet_label(struct label *label, char *string) 369{ 370 int error; 371 372 MAC_INTERNALIZE(ifnet, label, string); 373 374 return (error); 375} 376 377static int 378mac_internalize_socket_label(struct label *label, char *string) 379{ 380 int error; 381 382 MAC_INTERNALIZE(socket, label, string); 383 384 return (error); 385} 386 387void 388mac_create_ifnet(struct ifnet *ifnet) 389{ 390 391 MAC_PERFORM(create_ifnet, ifnet, &ifnet->if_label); 392} 393 394void 395mac_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d) 396{ 397 398 MAC_PERFORM(create_bpfdesc, cred, bpf_d, &bpf_d->bd_label); 399} 400 401void 402mac_create_socket(struct ucred *cred, struct socket *socket) 403{ 404 405 MAC_PERFORM(create_socket, cred, socket, &socket->so_label); 406} 407 408void 409mac_create_socket_from_socket(struct socket *oldsocket, 410 struct socket *newsocket) 411{ 412 413 MAC_PERFORM(create_socket_from_socket, oldsocket, &oldsocket->so_label, 414 newsocket, &newsocket->so_label); 415} 416 417static void 418mac_relabel_socket(struct ucred *cred, struct socket *socket, 419 struct label *newlabel) 420{ 421 422 MAC_PERFORM(relabel_socket, cred, socket, &socket->so_label, newlabel); 423} 424 425void 426mac_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct socket *socket) 427{ 428 struct label *label; 429 430 label = mbuf_to_label(mbuf); 431 432 MAC_PERFORM(set_socket_peer_from_mbuf, mbuf, label, socket, 433 &socket->so_peerlabel); 434} 435 436void 437mac_set_socket_peer_from_socket(struct socket *oldsocket, 438 struct socket *newsocket) 439{ 440 441 MAC_PERFORM(set_socket_peer_from_socket, oldsocket, 442 &oldsocket->so_label, newsocket, &newsocket->so_peerlabel); 443} 444 445void 446mac_create_datagram_from_ipq(struct ipq *ipq, struct mbuf *datagram) 447{ 448 struct label *label; 449 450 label = mbuf_to_label(datagram); 451 452 MAC_PERFORM(create_datagram_from_ipq, ipq, &ipq->ipq_label, 453 datagram, label); 454} 455 456void 457mac_create_fragment(struct mbuf *datagram, struct mbuf *fragment) 458{ 459 struct label *datagramlabel, *fragmentlabel; 460 461 datagramlabel = mbuf_to_label(datagram); 462 fragmentlabel = mbuf_to_label(fragment); 463 464 MAC_PERFORM(create_fragment, datagram, datagramlabel, fragment, 465 fragmentlabel); 466} 467 468void 469mac_create_ipq(struct mbuf *fragment, struct ipq *ipq) 470{ 471 struct label *label; 472 473 label = mbuf_to_label(fragment); 474 475 MAC_PERFORM(create_ipq, fragment, label, ipq, &ipq->ipq_label); 476} 477 478void 479mac_create_mbuf_from_mbuf(struct mbuf *oldmbuf, struct mbuf *newmbuf) 480{ 481 struct label *oldmbuflabel, *newmbuflabel; 482 483 oldmbuflabel = mbuf_to_label(oldmbuf); 484 newmbuflabel = mbuf_to_label(newmbuf); 485 486 MAC_PERFORM(create_mbuf_from_mbuf, oldmbuf, oldmbuflabel, newmbuf, 487 newmbuflabel); 488} 489 490void 491mac_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct mbuf *mbuf) 492{ 493 struct label *label; 494 495 label = mbuf_to_label(mbuf); 496 497 MAC_PERFORM(create_mbuf_from_bpfdesc, bpf_d, &bpf_d->bd_label, mbuf, 498 label); 499} 500 501void 502mac_create_mbuf_linklayer(struct ifnet *ifnet, struct mbuf *mbuf) 503{ 504 struct label *label; 505 506 label = mbuf_to_label(mbuf); 507 508 MAC_PERFORM(create_mbuf_linklayer, ifnet, &ifnet->if_label, mbuf, 509 label); 510} 511 512void 513mac_create_mbuf_from_ifnet(struct ifnet *ifnet, struct mbuf *mbuf) 514{ 515 struct label *label; 516 517 label = mbuf_to_label(mbuf); 518 519 MAC_PERFORM(create_mbuf_from_ifnet, ifnet, &ifnet->if_label, mbuf, 520 label); 521} 522 523void 524mac_create_mbuf_multicast_encap(struct mbuf *oldmbuf, struct ifnet *ifnet, 525 struct mbuf *newmbuf) 526{ 527 struct label *oldmbuflabel, *newmbuflabel; 528 529 oldmbuflabel = mbuf_to_label(oldmbuf); 530 newmbuflabel = mbuf_to_label(newmbuf); 531 532 MAC_PERFORM(create_mbuf_multicast_encap, oldmbuf, oldmbuflabel, 533 ifnet, &ifnet->if_label, newmbuf, newmbuflabel); 534} 535 536void 537mac_create_mbuf_netlayer(struct mbuf *oldmbuf, struct mbuf *newmbuf) 538{ 539 struct label *oldmbuflabel, *newmbuflabel; 540 541 oldmbuflabel = mbuf_to_label(oldmbuf); 542 newmbuflabel = mbuf_to_label(newmbuf); 543 544 MAC_PERFORM(create_mbuf_netlayer, oldmbuf, oldmbuflabel, newmbuf, 545 newmbuflabel); 546} 547 548int 549mac_fragment_match(struct mbuf *fragment, struct ipq *ipq) 550{ 551 struct label *label; 552 int result; 553 554 label = mbuf_to_label(fragment); 555 556 result = 1; 557 MAC_BOOLEAN(fragment_match, &&, fragment, label, ipq, 558 &ipq->ipq_label); 559 560 return (result); 561} 562 563void 564mac_reflect_mbuf_icmp(struct mbuf *m) 565{ 566 struct label *label; 567 568 label = mbuf_to_label(m); 569 570 MAC_PERFORM(reflect_mbuf_icmp, m, label); 571} 572void 573mac_reflect_mbuf_tcp(struct mbuf *m) 574{ 575 struct label *label; 576 577 label = mbuf_to_label(m); 578 579 MAC_PERFORM(reflect_mbuf_tcp, m, label); 580} 581 582void 583mac_update_ipq(struct mbuf *fragment, struct ipq *ipq) 584{ 585 struct label *label; 586 587 label = mbuf_to_label(fragment); 588 589 MAC_PERFORM(update_ipq, fragment, label, ipq, &ipq->ipq_label); 590} 591 592void 593mac_create_mbuf_from_socket(struct socket *socket, struct mbuf *mbuf) 594{ 595 struct label *label; 596 597 label = mbuf_to_label(mbuf); 598 599 MAC_PERFORM(create_mbuf_from_socket, socket, &socket->so_label, mbuf, 600 label); 601} 602 603int 604mac_check_bpfdesc_receive(struct bpf_d *bpf_d, struct ifnet *ifnet) 605{ 606 int error; 607 608 if (!mac_enforce_network) 609 return (0); 610 611 MAC_CHECK(check_bpfdesc_receive, bpf_d, &bpf_d->bd_label, ifnet, 612 &ifnet->if_label); 613 614 return (error); 615} 616 617int 618mac_check_ifnet_transmit(struct ifnet *ifnet, struct mbuf *mbuf) 619{ 620 struct label *label; 621 int error; 622 623 M_ASSERTPKTHDR(mbuf); 624 625 if (!mac_enforce_network) 626 return (0); 627 628 label = mbuf_to_label(mbuf); 629 630 MAC_CHECK(check_ifnet_transmit, ifnet, &ifnet->if_label, mbuf, 631 label); 632 633 return (error); 634} 635 636int 637mac_check_socket_bind(struct ucred *ucred, struct socket *socket, 638 struct sockaddr *sockaddr) 639{ 640 int error; 641 642 if (!mac_enforce_socket) 643 return (0); 644 645 MAC_CHECK(check_socket_bind, ucred, socket, &socket->so_label, 646 sockaddr); 647 648 return (error); 649} 650 651int 652mac_check_socket_connect(struct ucred *cred, struct socket *socket, 653 struct sockaddr *sockaddr) 654{ 655 int error; 656 657 if (!mac_enforce_socket) 658 return (0); 659 660 MAC_CHECK(check_socket_connect, cred, socket, &socket->so_label, 661 sockaddr); 662 663 return (error); 664} 665 666int 667mac_check_socket_deliver(struct socket *socket, struct mbuf *mbuf) 668{ 669 struct label *label; 670 int error; 671 672 if (!mac_enforce_socket) 673 return (0); 674 675 label = mbuf_to_label(mbuf); 676 677 MAC_CHECK(check_socket_deliver, socket, &socket->so_label, mbuf, 678 label); 679 680 return (error); 681} 682 683int 684mac_check_socket_listen(struct ucred *cred, struct socket *socket) 685{ 686 int error; 687 688 if (!mac_enforce_socket) 689 return (0); 690 691 MAC_CHECK(check_socket_listen, cred, socket, &socket->so_label); 692 return (error); 693} 694 695int 696mac_check_socket_receive(struct ucred *cred, struct socket *so) 697{ 698 int error; 699 700 if (!mac_enforce_socket) 701 return (0); 702 703 MAC_CHECK(check_socket_receive, cred, so, &so->so_label); 704 705 return (error); 706} 707 708static int 709mac_check_socket_relabel(struct ucred *cred, struct socket *socket, 710 struct label *newlabel) 711{ 712 int error; 713 714 MAC_CHECK(check_socket_relabel, cred, socket, &socket->so_label, 715 newlabel); 716 717 return (error); 718} 719 720int 721mac_check_socket_send(struct ucred *cred, struct socket *so) 722{ 723 int error; 724 725 if (!mac_enforce_socket) 726 return (0); 727 728 MAC_CHECK(check_socket_send, cred, so, &so->so_label); 729 730 return (error); 731} 732 733int 734mac_check_socket_visible(struct ucred *cred, struct socket *socket) 735{ 736 int error; 737 738 if (!mac_enforce_socket) 739 return (0); 740 741 MAC_CHECK(check_socket_visible, cred, socket, &socket->so_label); 742 743 return (error); 744} 745 746int 747mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr, 748 struct ifnet *ifnet) 749{ 750 char *elements, *buffer; 751 struct mac mac; 752 int error; 753 754 error = copyin(ifr->ifr_ifru.ifru_data, &mac, sizeof(mac)); 755 if (error) 756 return (error); 757 758 error = mac_check_structmac_consistent(&mac); 759 if (error) 760 return (error); 761 762 elements = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK); 763 error = copyinstr(mac.m_string, elements, mac.m_buflen, NULL); 764 if (error) { 765 free(elements, M_MACTEMP); 766 return (error); 767 } 768 769 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO); 770 error = mac_externalize_ifnet_label(&ifnet->if_label, elements,
| 359{ 360 int error; 361 362 MAC_EXTERNALIZE(socket_peer, label, elements, outbuf, outbuflen); 363 364 return (error); 365} 366 367static int 368mac_internalize_ifnet_label(struct label *label, char *string) 369{ 370 int error; 371 372 MAC_INTERNALIZE(ifnet, label, string); 373 374 return (error); 375} 376 377static int 378mac_internalize_socket_label(struct label *label, char *string) 379{ 380 int error; 381 382 MAC_INTERNALIZE(socket, label, string); 383 384 return (error); 385} 386 387void 388mac_create_ifnet(struct ifnet *ifnet) 389{ 390 391 MAC_PERFORM(create_ifnet, ifnet, &ifnet->if_label); 392} 393 394void 395mac_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d) 396{ 397 398 MAC_PERFORM(create_bpfdesc, cred, bpf_d, &bpf_d->bd_label); 399} 400 401void 402mac_create_socket(struct ucred *cred, struct socket *socket) 403{ 404 405 MAC_PERFORM(create_socket, cred, socket, &socket->so_label); 406} 407 408void 409mac_create_socket_from_socket(struct socket *oldsocket, 410 struct socket *newsocket) 411{ 412 413 MAC_PERFORM(create_socket_from_socket, oldsocket, &oldsocket->so_label, 414 newsocket, &newsocket->so_label); 415} 416 417static void 418mac_relabel_socket(struct ucred *cred, struct socket *socket, 419 struct label *newlabel) 420{ 421 422 MAC_PERFORM(relabel_socket, cred, socket, &socket->so_label, newlabel); 423} 424 425void 426mac_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct socket *socket) 427{ 428 struct label *label; 429 430 label = mbuf_to_label(mbuf); 431 432 MAC_PERFORM(set_socket_peer_from_mbuf, mbuf, label, socket, 433 &socket->so_peerlabel); 434} 435 436void 437mac_set_socket_peer_from_socket(struct socket *oldsocket, 438 struct socket *newsocket) 439{ 440 441 MAC_PERFORM(set_socket_peer_from_socket, oldsocket, 442 &oldsocket->so_label, newsocket, &newsocket->so_peerlabel); 443} 444 445void 446mac_create_datagram_from_ipq(struct ipq *ipq, struct mbuf *datagram) 447{ 448 struct label *label; 449 450 label = mbuf_to_label(datagram); 451 452 MAC_PERFORM(create_datagram_from_ipq, ipq, &ipq->ipq_label, 453 datagram, label); 454} 455 456void 457mac_create_fragment(struct mbuf *datagram, struct mbuf *fragment) 458{ 459 struct label *datagramlabel, *fragmentlabel; 460 461 datagramlabel = mbuf_to_label(datagram); 462 fragmentlabel = mbuf_to_label(fragment); 463 464 MAC_PERFORM(create_fragment, datagram, datagramlabel, fragment, 465 fragmentlabel); 466} 467 468void 469mac_create_ipq(struct mbuf *fragment, struct ipq *ipq) 470{ 471 struct label *label; 472 473 label = mbuf_to_label(fragment); 474 475 MAC_PERFORM(create_ipq, fragment, label, ipq, &ipq->ipq_label); 476} 477 478void 479mac_create_mbuf_from_mbuf(struct mbuf *oldmbuf, struct mbuf *newmbuf) 480{ 481 struct label *oldmbuflabel, *newmbuflabel; 482 483 oldmbuflabel = mbuf_to_label(oldmbuf); 484 newmbuflabel = mbuf_to_label(newmbuf); 485 486 MAC_PERFORM(create_mbuf_from_mbuf, oldmbuf, oldmbuflabel, newmbuf, 487 newmbuflabel); 488} 489 490void 491mac_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct mbuf *mbuf) 492{ 493 struct label *label; 494 495 label = mbuf_to_label(mbuf); 496 497 MAC_PERFORM(create_mbuf_from_bpfdesc, bpf_d, &bpf_d->bd_label, mbuf, 498 label); 499} 500 501void 502mac_create_mbuf_linklayer(struct ifnet *ifnet, struct mbuf *mbuf) 503{ 504 struct label *label; 505 506 label = mbuf_to_label(mbuf); 507 508 MAC_PERFORM(create_mbuf_linklayer, ifnet, &ifnet->if_label, mbuf, 509 label); 510} 511 512void 513mac_create_mbuf_from_ifnet(struct ifnet *ifnet, struct mbuf *mbuf) 514{ 515 struct label *label; 516 517 label = mbuf_to_label(mbuf); 518 519 MAC_PERFORM(create_mbuf_from_ifnet, ifnet, &ifnet->if_label, mbuf, 520 label); 521} 522 523void 524mac_create_mbuf_multicast_encap(struct mbuf *oldmbuf, struct ifnet *ifnet, 525 struct mbuf *newmbuf) 526{ 527 struct label *oldmbuflabel, *newmbuflabel; 528 529 oldmbuflabel = mbuf_to_label(oldmbuf); 530 newmbuflabel = mbuf_to_label(newmbuf); 531 532 MAC_PERFORM(create_mbuf_multicast_encap, oldmbuf, oldmbuflabel, 533 ifnet, &ifnet->if_label, newmbuf, newmbuflabel); 534} 535 536void 537mac_create_mbuf_netlayer(struct mbuf *oldmbuf, struct mbuf *newmbuf) 538{ 539 struct label *oldmbuflabel, *newmbuflabel; 540 541 oldmbuflabel = mbuf_to_label(oldmbuf); 542 newmbuflabel = mbuf_to_label(newmbuf); 543 544 MAC_PERFORM(create_mbuf_netlayer, oldmbuf, oldmbuflabel, newmbuf, 545 newmbuflabel); 546} 547 548int 549mac_fragment_match(struct mbuf *fragment, struct ipq *ipq) 550{ 551 struct label *label; 552 int result; 553 554 label = mbuf_to_label(fragment); 555 556 result = 1; 557 MAC_BOOLEAN(fragment_match, &&, fragment, label, ipq, 558 &ipq->ipq_label); 559 560 return (result); 561} 562 563void 564mac_reflect_mbuf_icmp(struct mbuf *m) 565{ 566 struct label *label; 567 568 label = mbuf_to_label(m); 569 570 MAC_PERFORM(reflect_mbuf_icmp, m, label); 571} 572void 573mac_reflect_mbuf_tcp(struct mbuf *m) 574{ 575 struct label *label; 576 577 label = mbuf_to_label(m); 578 579 MAC_PERFORM(reflect_mbuf_tcp, m, label); 580} 581 582void 583mac_update_ipq(struct mbuf *fragment, struct ipq *ipq) 584{ 585 struct label *label; 586 587 label = mbuf_to_label(fragment); 588 589 MAC_PERFORM(update_ipq, fragment, label, ipq, &ipq->ipq_label); 590} 591 592void 593mac_create_mbuf_from_socket(struct socket *socket, struct mbuf *mbuf) 594{ 595 struct label *label; 596 597 label = mbuf_to_label(mbuf); 598 599 MAC_PERFORM(create_mbuf_from_socket, socket, &socket->so_label, mbuf, 600 label); 601} 602 603int 604mac_check_bpfdesc_receive(struct bpf_d *bpf_d, struct ifnet *ifnet) 605{ 606 int error; 607 608 if (!mac_enforce_network) 609 return (0); 610 611 MAC_CHECK(check_bpfdesc_receive, bpf_d, &bpf_d->bd_label, ifnet, 612 &ifnet->if_label); 613 614 return (error); 615} 616 617int 618mac_check_ifnet_transmit(struct ifnet *ifnet, struct mbuf *mbuf) 619{ 620 struct label *label; 621 int error; 622 623 M_ASSERTPKTHDR(mbuf); 624 625 if (!mac_enforce_network) 626 return (0); 627 628 label = mbuf_to_label(mbuf); 629 630 MAC_CHECK(check_ifnet_transmit, ifnet, &ifnet->if_label, mbuf, 631 label); 632 633 return (error); 634} 635 636int 637mac_check_socket_bind(struct ucred *ucred, struct socket *socket, 638 struct sockaddr *sockaddr) 639{ 640 int error; 641 642 if (!mac_enforce_socket) 643 return (0); 644 645 MAC_CHECK(check_socket_bind, ucred, socket, &socket->so_label, 646 sockaddr); 647 648 return (error); 649} 650 651int 652mac_check_socket_connect(struct ucred *cred, struct socket *socket, 653 struct sockaddr *sockaddr) 654{ 655 int error; 656 657 if (!mac_enforce_socket) 658 return (0); 659 660 MAC_CHECK(check_socket_connect, cred, socket, &socket->so_label, 661 sockaddr); 662 663 return (error); 664} 665 666int 667mac_check_socket_deliver(struct socket *socket, struct mbuf *mbuf) 668{ 669 struct label *label; 670 int error; 671 672 if (!mac_enforce_socket) 673 return (0); 674 675 label = mbuf_to_label(mbuf); 676 677 MAC_CHECK(check_socket_deliver, socket, &socket->so_label, mbuf, 678 label); 679 680 return (error); 681} 682 683int 684mac_check_socket_listen(struct ucred *cred, struct socket *socket) 685{ 686 int error; 687 688 if (!mac_enforce_socket) 689 return (0); 690 691 MAC_CHECK(check_socket_listen, cred, socket, &socket->so_label); 692 return (error); 693} 694 695int 696mac_check_socket_receive(struct ucred *cred, struct socket *so) 697{ 698 int error; 699 700 if (!mac_enforce_socket) 701 return (0); 702 703 MAC_CHECK(check_socket_receive, cred, so, &so->so_label); 704 705 return (error); 706} 707 708static int 709mac_check_socket_relabel(struct ucred *cred, struct socket *socket, 710 struct label *newlabel) 711{ 712 int error; 713 714 MAC_CHECK(check_socket_relabel, cred, socket, &socket->so_label, 715 newlabel); 716 717 return (error); 718} 719 720int 721mac_check_socket_send(struct ucred *cred, struct socket *so) 722{ 723 int error; 724 725 if (!mac_enforce_socket) 726 return (0); 727 728 MAC_CHECK(check_socket_send, cred, so, &so->so_label); 729 730 return (error); 731} 732 733int 734mac_check_socket_visible(struct ucred *cred, struct socket *socket) 735{ 736 int error; 737 738 if (!mac_enforce_socket) 739 return (0); 740 741 MAC_CHECK(check_socket_visible, cred, socket, &socket->so_label); 742 743 return (error); 744} 745 746int 747mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr, 748 struct ifnet *ifnet) 749{ 750 char *elements, *buffer; 751 struct mac mac; 752 int error; 753 754 error = copyin(ifr->ifr_ifru.ifru_data, &mac, sizeof(mac)); 755 if (error) 756 return (error); 757 758 error = mac_check_structmac_consistent(&mac); 759 if (error) 760 return (error); 761 762 elements = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK); 763 error = copyinstr(mac.m_string, elements, mac.m_buflen, NULL); 764 if (error) { 765 free(elements, M_MACTEMP); 766 return (error); 767 } 768 769 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO); 770 error = mac_externalize_ifnet_label(&ifnet->if_label, elements,
|
771 buffer, mac.m_buflen, M_WAITOK);
| 771 buffer, mac.m_buflen);
|
772 if (error == 0) 773 error = copyout(buffer, mac.m_string, strlen(buffer)+1); 774 775 free(buffer, M_MACTEMP); 776 free(elements, M_MACTEMP); 777 778 return (error); 779} 780 781int 782mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr, 783 struct ifnet *ifnet) 784{ 785 struct label intlabel; 786 struct mac mac; 787 char *buffer; 788 int error; 789 790 error = copyin(ifr->ifr_ifru.ifru_data, &mac, sizeof(mac)); 791 if (error) 792 return (error); 793 794 error = mac_check_structmac_consistent(&mac); 795 if (error) 796 return (error); 797 798 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK); 799 error = copyinstr(mac.m_string, buffer, mac.m_buflen, NULL); 800 if (error) { 801 free(buffer, M_MACTEMP); 802 return (error); 803 } 804 805 mac_init_ifnet_label(&intlabel); 806 error = mac_internalize_ifnet_label(&intlabel, buffer); 807 free(buffer, M_MACTEMP); 808 if (error) { 809 mac_destroy_ifnet_label(&intlabel); 810 return (error); 811 } 812 813 /* 814 * XXX: Note that this is a redundant privilege check, since 815 * policies impose this check themselves if required by the 816 * policy. Eventually, this should go away. 817 */ 818 error = suser_cred(cred, 0); 819 if (error) { 820 mac_destroy_ifnet_label(&intlabel); 821 return (error); 822 } 823 824 MAC_CHECK(check_ifnet_relabel, cred, ifnet, &ifnet->if_label, 825 &intlabel); 826 if (error) { 827 mac_destroy_ifnet_label(&intlabel); 828 return (error); 829 } 830 831 MAC_PERFORM(relabel_ifnet, cred, ifnet, &ifnet->if_label, &intlabel); 832 833 mac_destroy_ifnet_label(&intlabel); 834 return (0); 835} 836 837int 838mac_setsockopt_label_set(struct ucred *cred, struct socket *so, 839 struct mac *mac) 840{ 841 struct label intlabel; 842 char *buffer; 843 int error; 844 845 error = mac_check_structmac_consistent(mac); 846 if (error) 847 return (error); 848 849 buffer = malloc(mac->m_buflen, M_MACTEMP, M_WAITOK); 850 error = copyinstr(mac->m_string, buffer, mac->m_buflen, NULL); 851 if (error) { 852 free(buffer, M_MACTEMP); 853 return (error); 854 } 855 856 mac_init_socket_label(&intlabel, M_WAITOK); 857 error = mac_internalize_socket_label(&intlabel, buffer); 858 free(buffer, M_MACTEMP); 859 if (error) { 860 mac_destroy_socket_label(&intlabel); 861 return (error); 862 } 863 864 mac_check_socket_relabel(cred, so, &intlabel); 865 if (error) { 866 mac_destroy_socket_label(&intlabel); 867 return (error); 868 } 869 870 mac_relabel_socket(cred, so, &intlabel); 871 872 mac_destroy_socket_label(&intlabel); 873 return (0); 874} 875 876int 877mac_getsockopt_label_get(struct ucred *cred, struct socket *so, 878 struct mac *mac) 879{ 880 char *buffer, *elements; 881 int error; 882 883 error = mac_check_structmac_consistent(mac); 884 if (error) 885 return (error); 886 887 elements = malloc(mac->m_buflen, M_MACTEMP, M_WAITOK); 888 error = copyinstr(mac->m_string, elements, mac->m_buflen, NULL); 889 if (error) { 890 free(elements, M_MACTEMP); 891 return (error); 892 } 893 894 buffer = malloc(mac->m_buflen, M_MACTEMP, M_WAITOK | M_ZERO); 895 error = mac_externalize_socket_label(&so->so_label, elements,
| 772 if (error == 0) 773 error = copyout(buffer, mac.m_string, strlen(buffer)+1); 774 775 free(buffer, M_MACTEMP); 776 free(elements, M_MACTEMP); 777 778 return (error); 779} 780 781int 782mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr, 783 struct ifnet *ifnet) 784{ 785 struct label intlabel; 786 struct mac mac; 787 char *buffer; 788 int error; 789 790 error = copyin(ifr->ifr_ifru.ifru_data, &mac, sizeof(mac)); 791 if (error) 792 return (error); 793 794 error = mac_check_structmac_consistent(&mac); 795 if (error) 796 return (error); 797 798 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK); 799 error = copyinstr(mac.m_string, buffer, mac.m_buflen, NULL); 800 if (error) { 801 free(buffer, M_MACTEMP); 802 return (error); 803 } 804 805 mac_init_ifnet_label(&intlabel); 806 error = mac_internalize_ifnet_label(&intlabel, buffer); 807 free(buffer, M_MACTEMP); 808 if (error) { 809 mac_destroy_ifnet_label(&intlabel); 810 return (error); 811 } 812 813 /* 814 * XXX: Note that this is a redundant privilege check, since 815 * policies impose this check themselves if required by the 816 * policy. Eventually, this should go away. 817 */ 818 error = suser_cred(cred, 0); 819 if (error) { 820 mac_destroy_ifnet_label(&intlabel); 821 return (error); 822 } 823 824 MAC_CHECK(check_ifnet_relabel, cred, ifnet, &ifnet->if_label, 825 &intlabel); 826 if (error) { 827 mac_destroy_ifnet_label(&intlabel); 828 return (error); 829 } 830 831 MAC_PERFORM(relabel_ifnet, cred, ifnet, &ifnet->if_label, &intlabel); 832 833 mac_destroy_ifnet_label(&intlabel); 834 return (0); 835} 836 837int 838mac_setsockopt_label_set(struct ucred *cred, struct socket *so, 839 struct mac *mac) 840{ 841 struct label intlabel; 842 char *buffer; 843 int error; 844 845 error = mac_check_structmac_consistent(mac); 846 if (error) 847 return (error); 848 849 buffer = malloc(mac->m_buflen, M_MACTEMP, M_WAITOK); 850 error = copyinstr(mac->m_string, buffer, mac->m_buflen, NULL); 851 if (error) { 852 free(buffer, M_MACTEMP); 853 return (error); 854 } 855 856 mac_init_socket_label(&intlabel, M_WAITOK); 857 error = mac_internalize_socket_label(&intlabel, buffer); 858 free(buffer, M_MACTEMP); 859 if (error) { 860 mac_destroy_socket_label(&intlabel); 861 return (error); 862 } 863 864 mac_check_socket_relabel(cred, so, &intlabel); 865 if (error) { 866 mac_destroy_socket_label(&intlabel); 867 return (error); 868 } 869 870 mac_relabel_socket(cred, so, &intlabel); 871 872 mac_destroy_socket_label(&intlabel); 873 return (0); 874} 875 876int 877mac_getsockopt_label_get(struct ucred *cred, struct socket *so, 878 struct mac *mac) 879{ 880 char *buffer, *elements; 881 int error; 882 883 error = mac_check_structmac_consistent(mac); 884 if (error) 885 return (error); 886 887 elements = malloc(mac->m_buflen, M_MACTEMP, M_WAITOK); 888 error = copyinstr(mac->m_string, elements, mac->m_buflen, NULL); 889 if (error) { 890 free(elements, M_MACTEMP); 891 return (error); 892 } 893 894 buffer = malloc(mac->m_buflen, M_MACTEMP, M_WAITOK | M_ZERO); 895 error = mac_externalize_socket_label(&so->so_label, elements,
|
896 buffer, mac->m_buflen, M_WAITOK);
| 896 buffer, mac->m_buflen);
|
897 if (error == 0) 898 error = copyout(buffer, mac->m_string, strlen(buffer)+1); 899 900 free(buffer, M_MACTEMP); 901 free(elements, M_MACTEMP); 902 903 return (error); 904} 905 906int 907mac_getsockopt_peerlabel_get(struct ucred *cred, struct socket *so, 908 struct mac *mac) 909{ 910 char *elements, *buffer; 911 int error; 912 913 error = mac_check_structmac_consistent(mac); 914 if (error) 915 return (error); 916 917 elements = malloc(mac->m_buflen, M_MACTEMP, M_WAITOK); 918 error = copyinstr(mac->m_string, elements, mac->m_buflen, NULL); 919 if (error) { 920 free(elements, M_MACTEMP); 921 return (error); 922 } 923 924 buffer = malloc(mac->m_buflen, M_MACTEMP, M_WAITOK | M_ZERO); 925 error = mac_externalize_socket_peer_label(&so->so_peerlabel,
| 897 if (error == 0) 898 error = copyout(buffer, mac->m_string, strlen(buffer)+1); 899 900 free(buffer, M_MACTEMP); 901 free(elements, M_MACTEMP); 902 903 return (error); 904} 905 906int 907mac_getsockopt_peerlabel_get(struct ucred *cred, struct socket *so, 908 struct mac *mac) 909{ 910 char *elements, *buffer; 911 int error; 912 913 error = mac_check_structmac_consistent(mac); 914 if (error) 915 return (error); 916 917 elements = malloc(mac->m_buflen, M_MACTEMP, M_WAITOK); 918 error = copyinstr(mac->m_string, elements, mac->m_buflen, NULL); 919 if (error) { 920 free(elements, M_MACTEMP); 921 return (error); 922 } 923 924 buffer = malloc(mac->m_buflen, M_MACTEMP, M_WAITOK | M_ZERO); 925 error = mac_externalize_socket_peer_label(&so->so_peerlabel,
|
926 elements, buffer, mac->m_buflen, M_WAITOK);
| 926 elements, buffer, mac->m_buflen);
|
927 if (error == 0) 928 error = copyout(buffer, mac->m_string, strlen(buffer)+1); 929 930 free(buffer, M_MACTEMP); 931 free(elements, M_MACTEMP); 932 933 return (error); 934}
| 927 if (error == 0) 928 error = copyout(buffer, mac->m_string, strlen(buffer)+1); 929 930 free(buffer, M_MACTEMP); 931 free(elements, M_MACTEMP); 932 933 return (error); 934}
|