1/*- 2 * Copyright (c) 1999-2002 Robert N. M. Watson 3 * Copyright (c) 2001 Ilmar S. Habibulin 4 * Copyright (c) 2001-2004 Networks Associates Technology, Inc. 5 * All rights reserved. 6 * 7 * This software was developed by Robert Watson and Ilmar Habibulin for the 8 * TrustedBSD Project. --- 21 unchanged lines hidden (view full) --- 30 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 31 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 32 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 33 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 34 * SUCH DAMAGE. 35 */ 36 37#include <sys/cdefs.h> |
38__FBSDID("$FreeBSD: head/sys/security/mac/mac_net.c 168955 2007-04-22 19:55:56Z rwatson $"); |
39 40#include "opt_mac.h" 41 42#include <sys/param.h> 43#include <sys/kernel.h> 44#include <sys/lock.h> 45#include <sys/malloc.h> 46#include <sys/mutex.h> --- 30 unchanged lines hidden (view full) --- 77/* 78 * Retrieve the label associated with an mbuf by searching for the tag. 79 * Depending on the value of mac_labelmbufs, it's possible that a label will 80 * not be present, in which case NULL is returned. Policies must handle the 81 * possibility of an mbuf not having label storage if they do not enforce 82 * early loading. 83 */ 84struct label * |
85mac_mbuf_to_label(struct mbuf *m) |
86{ 87 struct m_tag *tag; 88 struct label *label; 89 |
90 if (m == NULL) |
91 return (NULL); |
92 tag = m_tag_find(m, PACKET_TAG_MACLABEL, NULL); |
93 if (tag == NULL) 94 return (NULL); 95 label = (struct label *)(tag+1); 96 return (label); 97} 98 99static struct label * 100mac_bpfdesc_label_alloc(void) 101{ 102 struct label *label; 103 104 label = mac_labelzone_alloc(M_WAITOK); 105 MAC_PERFORM(init_bpfdesc_label, label); 106 return (label); 107} 108 109void |
110mac_init_bpfdesc(struct bpf_d *d) |
111{ 112 |
113 d->bd_label = mac_bpfdesc_label_alloc(); |
114} 115 116static struct label * 117mac_ifnet_label_alloc(void) 118{ 119 struct label *label; 120 121 label = mac_labelzone_alloc(M_WAITOK); --- 58 unchanged lines hidden (view full) --- 180mac_bpfdesc_label_free(struct label *label) 181{ 182 183 MAC_PERFORM(destroy_bpfdesc_label, label); 184 mac_labelzone_free(label); 185} 186 187void |
188mac_destroy_bpfdesc(struct bpf_d *d) |
189{ 190 |
191 mac_bpfdesc_label_free(d->bd_label); 192 d->bd_label = NULL; |
193} 194 195static void 196mac_ifnet_label_free(struct label *label) 197{ 198 199 MAC_PERFORM(destroy_ifnet_label, label); 200 mac_labelzone_free(label); --- 72 unchanged lines hidden (view full) --- 273 int error; 274 275 MAC_INTERNALIZE(ifnet, label, string); 276 277 return (error); 278} 279 280void |
281mac_create_ifnet(struct ifnet *ifp) |
282{ 283 |
284 MAC_IFNET_LOCK(ifp); 285 MAC_PERFORM(create_ifnet, ifp, ifp->if_label); 286 MAC_IFNET_UNLOCK(ifp); |
287} 288 289void |
290mac_create_bpfdesc(struct ucred *cred, struct bpf_d *d) |
291{ 292 |
293 MAC_PERFORM(create_bpfdesc, cred, d, d->bd_label); |
294} 295 296void |
297mac_create_mbuf_from_bpfdesc(struct bpf_d *d, struct mbuf *m) |
298{ 299 struct label *label; 300 |
301 BPFD_LOCK_ASSERT(d); |
302 |
303 label = mac_mbuf_to_label(m); |
304 |
305 MAC_PERFORM(create_mbuf_from_bpfdesc, d, d->bd_label, m, label); |
306} 307 308void |
309mac_create_mbuf_linklayer(struct ifnet *ifp, struct mbuf *m) |
310{ 311 struct label *label; 312 |
313 label = mac_mbuf_to_label(m); |
314 |
315 MAC_IFNET_LOCK(ifp); 316 MAC_PERFORM(create_mbuf_linklayer, ifp, ifp->if_label, m, label); 317 MAC_IFNET_UNLOCK(ifp); |
318} 319 320void |
321mac_create_mbuf_from_ifnet(struct ifnet *ifp, struct mbuf *m) |
322{ 323 struct label *label; 324 |
325 label = mac_mbuf_to_label(m); |
326 |
327 MAC_IFNET_LOCK(ifp); 328 MAC_PERFORM(create_mbuf_from_ifnet, ifp, ifp->if_label, m, label); 329 MAC_IFNET_UNLOCK(ifp); |
330} 331 332void |
333mac_create_mbuf_multicast_encap(struct mbuf *m, struct ifnet *ifp, 334 struct mbuf *mnew) |
335{ |
336 struct label *mlabel, *mnewlabel; |
337 |
338 mlabel = mac_mbuf_to_label(m); 339 mnewlabel = mac_mbuf_to_label(mnew); |
340 |
341 MAC_IFNET_LOCK(ifp); 342 MAC_PERFORM(create_mbuf_multicast_encap, m, mlabel, ifp, 343 ifp->if_label, mnew, mnewlabel); 344 MAC_IFNET_UNLOCK(ifp); |
345} 346 347void |
348mac_create_mbuf_netlayer(struct mbuf *m, struct mbuf *mnew) |
349{ |
350 struct label *mlabel, *mnewlabel; |
351 |
352 mlabel = mac_mbuf_to_label(m); 353 mnewlabel = mac_mbuf_to_label(mnew); |
354 |
355 MAC_PERFORM(create_mbuf_netlayer, m, mlabel, mnew, mnewlabel); |
356} 357 358int |
359mac_check_bpfdesc_receive(struct bpf_d *d, struct ifnet *ifp) |
360{ 361 int error; 362 |
363 BPFD_LOCK_ASSERT(d); |
364 |
365 MAC_IFNET_LOCK(ifp); 366 MAC_CHECK(check_bpfdesc_receive, d, d->bd_label, ifp, ifp->if_label); 367 MAC_IFNET_UNLOCK(ifp); |
368 369 return (error); 370} 371 372int |
373mac_check_ifnet_transmit(struct ifnet *ifp, struct mbuf *m) |
374{ 375 struct label *label; 376 int error; 377 |
378 M_ASSERTPKTHDR(m); |
379 |
380 label = mac_mbuf_to_label(m); |
381 |
382 MAC_IFNET_LOCK(ifp); 383 MAC_CHECK(check_ifnet_transmit, ifp, ifp->if_label, m, label); 384 MAC_IFNET_UNLOCK(ifp); |
385 386 return (error); 387} 388 389int 390mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr, |
391 struct ifnet *ifp) |
392{ 393 char *elements, *buffer; 394 struct label *intlabel; 395 struct mac mac; 396 int error; 397 398 error = copyin(ifr->ifr_ifru.ifru_data, &mac, sizeof(mac)); 399 if (error) --- 7 unchanged lines hidden (view full) --- 407 error = copyinstr(mac.m_string, elements, mac.m_buflen, NULL); 408 if (error) { 409 free(elements, M_MACTEMP); 410 return (error); 411 } 412 413 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO); 414 intlabel = mac_ifnet_label_alloc(); |
415 MAC_IFNET_LOCK(ifp); 416 mac_copy_ifnet_label(ifp->if_label, intlabel); 417 MAC_IFNET_UNLOCK(ifp); |
418 error = mac_externalize_ifnet_label(intlabel, elements, buffer, 419 mac.m_buflen); 420 mac_ifnet_label_free(intlabel); 421 if (error == 0) 422 error = copyout(buffer, mac.m_string, strlen(buffer)+1); 423 424 free(buffer, M_MACTEMP); 425 free(elements, M_MACTEMP); 426 427 return (error); 428} 429 430int |
431mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr, struct ifnet *ifp) |
432{ 433 struct label *intlabel; 434 struct mac mac; 435 char *buffer; 436 int error; 437 438 error = copyin(ifr->ifr_ifru.ifru_data, &mac, sizeof(mac)); 439 if (error) --- 24 unchanged lines hidden (view full) --- 464 * Eventually, this should go away. 465 */ 466 error = priv_check_cred(cred, PRIV_NET_SETIFMAC, 0); 467 if (error) { 468 mac_ifnet_label_free(intlabel); 469 return (error); 470 } 471 |
472 MAC_IFNET_LOCK(ifp); 473 MAC_CHECK(check_ifnet_relabel, cred, ifp, ifp->if_label, intlabel); |
474 if (error) { |
475 MAC_IFNET_UNLOCK(ifp); |
476 mac_ifnet_label_free(intlabel); 477 return (error); 478 } 479 |
480 MAC_PERFORM(relabel_ifnet, cred, ifp, ifp->if_label, intlabel); 481 MAC_IFNET_UNLOCK(ifp); |
482 483 mac_ifnet_label_free(intlabel); 484 return (0); 485} |
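Review bot: `mac_check_ifnet_transmit` guards its `mac_mbuf_to_label(m)` call with `M_ASSERTPKTHDR(m)`, but the other mbuf entry points in this section (`mac_create_mbuf_from_bpfdesc`, `mac_create_mbuf_linklayer`, `mac_create_mbuf_from_ifnet`, `mac_create_mbuf_multicast_encap`, `mac_create_mbuf_netlayer`) reach the same `m_tag_find` without it. If `m_tag_find` walks the packet-header tag list, as I believe it does (please confirm), a caller passing a non-header mbuf would read the union as a tag list rather than trip an assertion. The cheaper fix is to put the check once in the helper, right after the NULL test in `mac_mbuf_to_label`: `M_ASSERTPKTHDR(m);`, and then drop the now-redundant copy in `mac_check_ifnet_transmit`. It would also be worth a one-line comment on `mac_mbuf_to_label` stating that it requires a packet-header mbuf, since the existing header comment only documents the missing-tag case.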