| mac_net.c (165600) | mac_net.c (168955) |
|---|---|
| 1/*- 2 * Copyright (c) 1999-2002 Robert N. M. Watson 3 * Copyright (c) 2001 Ilmar S. Habibulin 4 * Copyright (c) 2001-2004 Networks Associates Technology, Inc. 5 * All rights reserved. 6 * 7 * This software was developed by Robert Watson and Ilmar Habibulin for the 8 * TrustedBSD Project. --- 21 unchanged lines hidden (view full) --- 30 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 31 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 32 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 33 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 34 * SUCH DAMAGE. 35 */ 36 37#include <sys/cdefs.h> | 1/*- 2 * Copyright (c) 1999-2002 Robert N. M. Watson 3 * Copyright (c) 2001 Ilmar S. Habibulin 4 * Copyright (c) 2001-2004 Networks Associates Technology, Inc. 5 * All rights reserved. 6 * 7 * This software was developed by Robert Watson and Ilmar Habibulin for the 8 * TrustedBSD Project. --- 21 unchanged lines hidden (view full) --- 30 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 31 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 32 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 33 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 34 * SUCH DAMAGE. 35 */ 36 37#include <sys/cdefs.h> |
| 38__FBSDID("$FreeBSD: head/sys/security/mac/mac_net.c 165600 2006-12-28 21:57:59Z rwatson $"); | 38__FBSDID("$FreeBSD: head/sys/security/mac/mac_net.c 168955 2007-04-22 19:55:56Z rwatson $"); |
| 39 40#include "opt_mac.h" 41 42#include <sys/param.h> 43#include <sys/kernel.h> 44#include <sys/lock.h> 45#include <sys/malloc.h> 46#include <sys/mutex.h> --- 30 unchanged lines hidden (view full) --- 77/* 78 * Retrieve the label associated with an mbuf by searching for the tag. 79 * Depending on the value of mac_labelmbufs, it's possible that a label will 80 * not be present, in which case NULL is returned. Policies must handle the 81 * possibility of an mbuf not having label storage if they do not enforce 82 * early loading. 83 */ 84struct label * | 39 40#include "opt_mac.h" 41 42#include <sys/param.h> 43#include <sys/kernel.h> 44#include <sys/lock.h> 45#include <sys/malloc.h> 46#include <sys/mutex.h> --- 30 unchanged lines hidden (view full) --- 77/* 78 * Retrieve the label associated with an mbuf by searching for the tag. 79 * Depending on the value of mac_labelmbufs, it's possible that a label will 80 * not be present, in which case NULL is returned. Policies must handle the 81 * possibility of an mbuf not having label storage if they do not enforce 82 * early loading. 83 */ 84struct label * |
| 85mac_mbuf_to_label(struct mbuf *mbuf) | 85mac_mbuf_to_label(struct mbuf *m) |
| 86{ 87 struct m_tag *tag; 88 struct label *label; 89 | 86{ 87 struct m_tag *tag; 88 struct label *label; 89 |
| 90 if (mbuf == NULL) | 90 if (m == NULL) |
| 91 return (NULL); | 91 return (NULL); |
| 92 tag = m_tag_find(mbuf, PACKET_TAG_MACLABEL, NULL); | 92 tag = m_tag_find(m, PACKET_TAG_MACLABEL, NULL); |
| 93 if (tag == NULL) 94 return (NULL); 95 label = (struct label *)(tag+1); 96 return (label); 97} 98 99static struct label * 100mac_bpfdesc_label_alloc(void) 101{ 102 struct label *label; 103 104 label = mac_labelzone_alloc(M_WAITOK); 105 MAC_PERFORM(init_bpfdesc_label, label); 106 return (label); 107} 108 109void | 93 if (tag == NULL) 94 return (NULL); 95 label = (struct label *)(tag+1); 96 return (label); 97} 98 99static struct label * 100mac_bpfdesc_label_alloc(void) 101{ 102 struct label *label; 103 104 label = mac_labelzone_alloc(M_WAITOK); 105 MAC_PERFORM(init_bpfdesc_label, label); 106 return (label); 107} 108 109void |
| 110mac_init_bpfdesc(struct bpf_d *bpf_d) | 110mac_init_bpfdesc(struct bpf_d *d) |
| 111{ 112 | 111{ 112 |
| 113 bpf_d->bd_label = mac_bpfdesc_label_alloc(); | 113 d->bd_label = mac_bpfdesc_label_alloc(); |
| 114} 115 116static struct label * 117mac_ifnet_label_alloc(void) 118{ 119 struct label *label; 120 121 label = mac_labelzone_alloc(M_WAITOK); --- 58 unchanged lines hidden (view full) --- 180mac_bpfdesc_label_free(struct label *label) 181{ 182 183 MAC_PERFORM(destroy_bpfdesc_label, label); 184 mac_labelzone_free(label); 185} 186 187void | 114} 115 116static struct label * 117mac_ifnet_label_alloc(void) 118{ 119 struct label *label; 120 121 label = mac_labelzone_alloc(M_WAITOK); --- 58 unchanged lines hidden (view full) --- 180mac_bpfdesc_label_free(struct label *label) 181{ 182 183 MAC_PERFORM(destroy_bpfdesc_label, label); 184 mac_labelzone_free(label); 185} 186 187void |
| 188mac_destroy_bpfdesc(struct bpf_d *bpf_d) | 188mac_destroy_bpfdesc(struct bpf_d *d) |
| 189{ 190 | 189{ 190 |
| 191 mac_bpfdesc_label_free(bpf_d->bd_label); 192 bpf_d->bd_label = NULL; | 191 mac_bpfdesc_label_free(d->bd_label); 192 d->bd_label = NULL; |
| 193} 194 195static void 196mac_ifnet_label_free(struct label *label) 197{ 198 199 MAC_PERFORM(destroy_ifnet_label, label); 200 mac_labelzone_free(label); --- 72 unchanged lines hidden (view full) --- 273 int error; 274 275 MAC_INTERNALIZE(ifnet, label, string); 276 277 return (error); 278} 279 280void | 193} 194 195static void 196mac_ifnet_label_free(struct label *label) 197{ 198 199 MAC_PERFORM(destroy_ifnet_label, label); 200 mac_labelzone_free(label); --- 72 unchanged lines hidden (view full) --- 273 int error; 274 275 MAC_INTERNALIZE(ifnet, label, string); 276 277 return (error); 278} 279 280void |
| 281mac_create_ifnet(struct ifnet *ifnet) | 281mac_create_ifnet(struct ifnet *ifp) |
| 282{ 283 | 282{ 283 |
| 284 MAC_IFNET_LOCK(ifnet); 285 MAC_PERFORM(create_ifnet, ifnet, ifnet->if_label); 286 MAC_IFNET_UNLOCK(ifnet); | 284 MAC_IFNET_LOCK(ifp); 285 MAC_PERFORM(create_ifnet, ifp, ifp->if_label); 286 MAC_IFNET_UNLOCK(ifp); |
| 287} 288 289void | 287} 288 289void |
| 290mac_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d) | 290mac_create_bpfdesc(struct ucred *cred, struct bpf_d *d) |
| 291{ 292 | 291{ 292 |
| 293 MAC_PERFORM(create_bpfdesc, cred, bpf_d, bpf_d->bd_label); | 293 MAC_PERFORM(create_bpfdesc, cred, d, d->bd_label); |
| 294} 295 296void | 294} 295 296void |
| 297mac_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct mbuf *mbuf) | 297mac_create_mbuf_from_bpfdesc(struct bpf_d *d, struct mbuf *m) |
| 298{ 299 struct label *label; 300 | 298{ 299 struct label *label; 300 |
| 301 BPFD_LOCK_ASSERT(bpf_d); | 301 BPFD_LOCK_ASSERT(d); |
| 302 | 302 |
| 303 label = mac_mbuf_to_label(mbuf); | 303 label = mac_mbuf_to_label(m); |
| 304 | 304 |
| 305 MAC_PERFORM(create_mbuf_from_bpfdesc, bpf_d, bpf_d->bd_label, mbuf, 306 label); | 305 MAC_PERFORM(create_mbuf_from_bpfdesc, d, d->bd_label, m, label); |
| 307} 308 309void | 306} 307 308void |
| 310mac_create_mbuf_linklayer(struct ifnet *ifnet, struct mbuf *mbuf) | 309mac_create_mbuf_linklayer(struct ifnet *ifp, struct mbuf *m) |
| 311{ 312 struct label *label; 313 | 310{ 311 struct label *label; 312 |
| 314 label = mac_mbuf_to_label(mbuf); | 313 label = mac_mbuf_to_label(m); |
| 315 | 314 |
| 316 MAC_IFNET_LOCK(ifnet); 317 MAC_PERFORM(create_mbuf_linklayer, ifnet, ifnet->if_label, mbuf, 318 label); 319 MAC_IFNET_UNLOCK(ifnet); | 315 MAC_IFNET_LOCK(ifp); 316 MAC_PERFORM(create_mbuf_linklayer, ifp, ifp->if_label, m, label); 317 MAC_IFNET_UNLOCK(ifp); |
| 320} 321 322void | 318} 319 320void |
| 323mac_create_mbuf_from_ifnet(struct ifnet *ifnet, struct mbuf *mbuf) | 321mac_create_mbuf_from_ifnet(struct ifnet *ifp, struct mbuf *m) |
| 324{ 325 struct label *label; 326 | 322{ 323 struct label *label; 324 |
| 327 label = mac_mbuf_to_label(mbuf); | 325 label = mac_mbuf_to_label(m); |
| 328 | 326 |
| 329 MAC_IFNET_LOCK(ifnet); 330 MAC_PERFORM(create_mbuf_from_ifnet, ifnet, ifnet->if_label, mbuf, 331 label); 332 MAC_IFNET_UNLOCK(ifnet); | 327 MAC_IFNET_LOCK(ifp); 328 MAC_PERFORM(create_mbuf_from_ifnet, ifp, ifp->if_label, m, label); 329 MAC_IFNET_UNLOCK(ifp); |
| 333} 334 335void | 330} 331 332void |
| 336mac_create_mbuf_multicast_encap(struct mbuf *oldmbuf, struct ifnet *ifnet, 337 struct mbuf *newmbuf) | 333mac_create_mbuf_multicast_encap(struct mbuf *m, struct ifnet *ifp, 334 struct mbuf *mnew) |
| 338{ | 335{ |
| 339 struct label *oldmbuflabel, *newmbuflabel; | 336 struct label *mlabel, *mnewlabel; |
| 340 | 337 |
| 341 oldmbuflabel = mac_mbuf_to_label(oldmbuf); 342 newmbuflabel = mac_mbuf_to_label(newmbuf); | 338 mlabel = mac_mbuf_to_label(m); 339 mnewlabel = mac_mbuf_to_label(mnew); |
| 343 | 340 |
| 344 MAC_IFNET_LOCK(ifnet); 345 MAC_PERFORM(create_mbuf_multicast_encap, oldmbuf, oldmbuflabel, 346 ifnet, ifnet->if_label, newmbuf, newmbuflabel); 347 MAC_IFNET_UNLOCK(ifnet); | 341 MAC_IFNET_LOCK(ifp); 342 MAC_PERFORM(create_mbuf_multicast_encap, m, mlabel, ifp, 343 ifp->if_label, mnew, mnewlabel); 344 MAC_IFNET_UNLOCK(ifp); |
| 348} 349 350void | 345} 346 347void |
| 351mac_create_mbuf_netlayer(struct mbuf *oldmbuf, struct mbuf *newmbuf) | 348mac_create_mbuf_netlayer(struct mbuf *m, struct mbuf *mnew) |
| 352{ | 349{ |
| 353 struct label *oldmbuflabel, *newmbuflabel; | 350 struct label *mlabel, *mnewlabel; |
| 354 | 351 |
| 355 oldmbuflabel = mac_mbuf_to_label(oldmbuf); 356 newmbuflabel = mac_mbuf_to_label(newmbuf); | 352 mlabel = mac_mbuf_to_label(m); 353 mnewlabel = mac_mbuf_to_label(mnew); |
| 357 | 354 |
| 358 MAC_PERFORM(create_mbuf_netlayer, oldmbuf, oldmbuflabel, newmbuf, 359 newmbuflabel); | 355 MAC_PERFORM(create_mbuf_netlayer, m, mlabel, mnew, mnewlabel); |
| 360} 361 362int | 356} 357 358int |
| 363mac_check_bpfdesc_receive(struct bpf_d *bpf_d, struct ifnet *ifnet) | 359mac_check_bpfdesc_receive(struct bpf_d *d, struct ifnet *ifp) |
| 364{ 365 int error; 366 | 360{ 361 int error; 362 |
| 367 BPFD_LOCK_ASSERT(bpf_d); | 363 BPFD_LOCK_ASSERT(d); |
| 368 | 364 |
| 369 MAC_IFNET_LOCK(ifnet); 370 MAC_CHECK(check_bpfdesc_receive, bpf_d, bpf_d->bd_label, ifnet, 371 ifnet->if_label); 372 MAC_IFNET_UNLOCK(ifnet); | 365 MAC_IFNET_LOCK(ifp); 366 MAC_CHECK(check_bpfdesc_receive, d, d->bd_label, ifp, ifp->if_label); 367 MAC_IFNET_UNLOCK(ifp); |
| 373 374 return (error); 375} 376 377int | 368 369 return (error); 370} 371 372int |
| 378mac_check_ifnet_transmit(struct ifnet *ifnet, struct mbuf *mbuf) | 373mac_check_ifnet_transmit(struct ifnet *ifp, struct mbuf *m) |
| 379{ 380 struct label *label; 381 int error; 382 | 374{ 375 struct label *label; 376 int error; 377 |
| 383 M_ASSERTPKTHDR(mbuf); | 378 M_ASSERTPKTHDR(m); |
| 384 | 379 |
| 385 label = mac_mbuf_to_label(mbuf); | 380 label = mac_mbuf_to_label(m); |
| 386 | 381 |
| 387 MAC_IFNET_LOCK(ifnet); 388 MAC_CHECK(check_ifnet_transmit, ifnet, ifnet->if_label, mbuf, 389 label); 390 MAC_IFNET_UNLOCK(ifnet); | 382 MAC_IFNET_LOCK(ifp); 383 MAC_CHECK(check_ifnet_transmit, ifp, ifp->if_label, m, label); 384 MAC_IFNET_UNLOCK(ifp); |
| 391 392 return (error); 393} 394 395int 396mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr, | 385 386 return (error); 387} 388 389int 390mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr, |
| 397 struct ifnet *ifnet) | 391 struct ifnet *ifp) |
| 398{ 399 char *elements, *buffer; 400 struct label *intlabel; 401 struct mac mac; 402 int error; 403 404 error = copyin(ifr->ifr_ifru.ifru_data, &mac, sizeof(mac)); 405 if (error) --- 7 unchanged lines hidden (view full) --- 413 error = copyinstr(mac.m_string, elements, mac.m_buflen, NULL); 414 if (error) { 415 free(elements, M_MACTEMP); 416 return (error); 417 } 418 419 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO); 420 intlabel = mac_ifnet_label_alloc(); | 392{ 393 char *elements, *buffer; 394 struct label *intlabel; 395 struct mac mac; 396 int error; 397 398 error = copyin(ifr->ifr_ifru.ifru_data, &mac, sizeof(mac)); 399 if (error) --- 7 unchanged lines hidden (view full) --- 407 error = copyinstr(mac.m_string, elements, mac.m_buflen, NULL); 408 if (error) { 409 free(elements, M_MACTEMP); 410 return (error); 411 } 412 413 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO); 414 intlabel = mac_ifnet_label_alloc(); |
| 421 MAC_IFNET_LOCK(ifnet); 422 mac_copy_ifnet_label(ifnet->if_label, intlabel); 423 MAC_IFNET_UNLOCK(ifnet); | 415 MAC_IFNET_LOCK(ifp); 416 mac_copy_ifnet_label(ifp->if_label, intlabel); 417 MAC_IFNET_UNLOCK(ifp); |
| 424 error = mac_externalize_ifnet_label(intlabel, elements, buffer, 425 mac.m_buflen); 426 mac_ifnet_label_free(intlabel); 427 if (error == 0) 428 error = copyout(buffer, mac.m_string, strlen(buffer)+1); 429 430 free(buffer, M_MACTEMP); 431 free(elements, M_MACTEMP); 432 433 return (error); 434} 435 436int | 418 error = mac_externalize_ifnet_label(intlabel, elements, buffer, 419 mac.m_buflen); 420 mac_ifnet_label_free(intlabel); 421 if (error == 0) 422 error = copyout(buffer, mac.m_string, strlen(buffer)+1); 423 424 free(buffer, M_MACTEMP); 425 free(elements, M_MACTEMP); 426 427 return (error); 428} 429 430int |
| 437mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr, 438 struct ifnet *ifnet) | 431mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr, struct ifnet *ifp) |
| 439{ 440 struct label *intlabel; 441 struct mac mac; 442 char *buffer; 443 int error; 444 445 error = copyin(ifr->ifr_ifru.ifru_data, &mac, sizeof(mac)); 446 if (error) --- 24 unchanged lines hidden (view full) --- 471 * Eventually, this should go away. 472 */ 473 error = priv_check_cred(cred, PRIV_NET_SETIFMAC, 0); 474 if (error) { 475 mac_ifnet_label_free(intlabel); 476 return (error); 477 } 478 | 432{ 433 struct label *intlabel; 434 struct mac mac; 435 char *buffer; 436 int error; 437 438 error = copyin(ifr->ifr_ifru.ifru_data, &mac, sizeof(mac)); 439 if (error) --- 24 unchanged lines hidden (view full) --- 464 * Eventually, this should go away. 465 */ 466 error = priv_check_cred(cred, PRIV_NET_SETIFMAC, 0); 467 if (error) { 468 mac_ifnet_label_free(intlabel); 469 return (error); 470 } 471 |
| 479 MAC_IFNET_LOCK(ifnet); 480 MAC_CHECK(check_ifnet_relabel, cred, ifnet, ifnet->if_label, 481 intlabel); | 472 MAC_IFNET_LOCK(ifp); 473 MAC_CHECK(check_ifnet_relabel, cred, ifp, ifp->if_label, intlabel); |
| 482 if (error) { | 474 if (error) { |
| 483 MAC_IFNET_UNLOCK(ifnet); | 475 MAC_IFNET_UNLOCK(ifp); |
| 484 mac_ifnet_label_free(intlabel); 485 return (error); 486 } 487 | 476 mac_ifnet_label_free(intlabel); 477 return (error); 478 } 479 |
| 488 MAC_PERFORM(relabel_ifnet, cred, ifnet, ifnet->if_label, intlabel); 489 MAC_IFNET_UNLOCK(ifnet); | 480 MAC_PERFORM(relabel_ifnet, cred, ifp, ifp->if_label, intlabel); 481 MAC_IFNET_UNLOCK(ifp); |
| 490 491 mac_ifnet_label_free(intlabel); 492 return (0); 493} | 482 483 mac_ifnet_label_free(intlabel); 484 return (0); 485} |