1/*-
2 * Copyright (c) 1999-2002 Robert N. M. Watson
3 * Copyright (c) 2001 Ilmar S. Habibulin
4 * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
5 * Copyright (c) 2005 SPARTA, Inc.
6 * All rights reserved.
7 *
8 * This software was developed by Robert Watson and Ilmar Habibulin for the

--- 25 unchanged lines hidden (view full) ---

34 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
35 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
36 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
37 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
38 * SUCH DAMAGE.
39 */
40
41#include <sys/cdefs.h>
42__FBSDID("$FreeBSD: head/sys/security/mac/mac_socket.c 168955 2007-04-22 19:55:56Z rwatson $");
43
44#include "opt_mac.h"
45
46#include <sys/param.h>
47#include <sys/kernel.h>
48#include <sys/lock.h>
49#include <sys/malloc.h>
50#include <sys/mutex.h>

--- 99 unchanged lines hidden (view full) ---

150mac_socket_peer_label_free(struct label *label)
151{
152
153 MAC_PERFORM(destroy_socket_peer_label, label);
154 mac_labelzone_free(label);
155}
156
157void
158mac_destroy_socket(struct socket *so)
159{
160
161 mac_socket_label_free(so->so_label);
162 so->so_label = NULL;
163 mac_socket_peer_label_free(so->so_peerlabel);
164 so->so_peerlabel = NULL;
165}
166
167void
168mac_copy_socket_label(struct label *src, struct label *dest)
169{
170
171 MAC_PERFORM(copy_socket_label, src, dest);
172}

--- 26 unchanged lines hidden (view full) ---

199 int error;
200
201 MAC_INTERNALIZE(socket, label, string);
202
203 return (error);
204}
205
206void
207mac_create_socket(struct ucred *cred, struct socket *so)
208{
209
210 MAC_PERFORM(create_socket, cred, so, so->so_label);
211}
212
213void
214mac_create_socket_from_socket(struct socket *oldso, struct socket *newso)
215{
216
217 SOCK_LOCK_ASSERT(oldso);
218
219 MAC_PERFORM(create_socket_from_socket, oldso, oldso->so_label, newso,
220 newso->so_label);
221}
222
223static void
224mac_relabel_socket(struct ucred *cred, struct socket *so,
225 struct label *newlabel)
226{
227
228 SOCK_LOCK_ASSERT(so);
229
230 MAC_PERFORM(relabel_socket, cred, so, so->so_label, newlabel);
231}
232
233void
234mac_set_socket_peer_from_mbuf(struct mbuf *m, struct socket *so)
235{
236 struct label *label;
237
238 SOCK_LOCK_ASSERT(so);
239
240 label = mac_mbuf_to_label(m);
241
242 MAC_PERFORM(set_socket_peer_from_mbuf, m, label, so,
243 so->so_peerlabel);
244}
245
246void
247mac_set_socket_peer_from_socket(struct socket *oldso, struct socket *newso)
248{
249
250 /*
251 * XXXRW: only hold the socket lock on one at a time, as one socket
252 * is the original, and one is the new. However, it's called in both
253 * directions, so we can't assert the lock here currently.
254 */
255 MAC_PERFORM(set_socket_peer_from_socket, oldso, oldso->so_label,
256 newso, newso->so_peerlabel);
257}
258
259void
260mac_create_mbuf_from_socket(struct socket *so, struct mbuf *m)
261{
262 struct label *label;
263
264 SOCK_LOCK_ASSERT(so);
265
266 label = mac_mbuf_to_label(m);
267
268 MAC_PERFORM(create_mbuf_from_socket, so, so->so_label, m, label);
269}
270
271int
272mac_check_socket_accept(struct ucred *cred, struct socket *so)
273{
274 int error;
275
276 SOCK_LOCK_ASSERT(so);
277
278 MAC_CHECK(check_socket_accept, cred, so, so->so_label);
279
280 return (error);
281}
282
283int
284mac_check_socket_bind(struct ucred *ucred, struct socket *so,
285 struct sockaddr *sa)
286{
287 int error;
288
289 SOCK_LOCK_ASSERT(so);
290
291 MAC_CHECK(check_socket_bind, ucred, so, so->so_label, sa);
292
293 return (error);
294}
295
296int
297mac_check_socket_connect(struct ucred *cred, struct socket *so,
298 struct sockaddr *sa)
299{
300 int error;
301
302 SOCK_LOCK_ASSERT(so);
303
304 MAC_CHECK(check_socket_connect, cred, so, so->so_label, sa);
305
306 return (error);
307}
308
309int
310mac_check_socket_create(struct ucred *cred, int domain, int type, int proto)
311{
312 int error;
313
314 MAC_CHECK(check_socket_create, cred, domain, type, proto);
315
316 return (error);
317}
318
319int
320mac_check_socket_deliver(struct socket *so, struct mbuf *m)
321{
322 struct label *label;
323 int error;
324
325 SOCK_LOCK_ASSERT(so);
326
327 label = mac_mbuf_to_label(m);
328
329 MAC_CHECK(check_socket_deliver, so, so->so_label, m, label);
330
331 return (error);
332}
333
334int
335mac_check_socket_listen(struct ucred *cred, struct socket *so)
336{
337 int error;
338
339 SOCK_LOCK_ASSERT(so);
340
341 MAC_CHECK(check_socket_listen, cred, so, so->so_label);
342
343 return (error);
344}
345
346int
347mac_check_socket_poll(struct ucred *cred, struct socket *so)
348{
349 int error;
350
351 SOCK_LOCK_ASSERT(so);
352
353 MAC_CHECK(check_socket_poll, cred, so, so->so_label);
354
355 return (error);
356}
357
358int
359mac_check_socket_receive(struct ucred *cred, struct socket *so)
360{
361 int error;
362
363 SOCK_LOCK_ASSERT(so);
364
365 MAC_CHECK(check_socket_receive, cred, so, so->so_label);
366
367 return (error);
368}
369
370static int
371mac_check_socket_relabel(struct ucred *cred, struct socket *so,
372 struct label *newlabel)
373{
374 int error;
375
376 SOCK_LOCK_ASSERT(so);
377
378 MAC_CHECK(check_socket_relabel, cred, so, so->so_label, newlabel);
379
380 return (error);
381}
382
383int
384mac_check_socket_send(struct ucred *cred, struct socket *so)
385{
386 int error;

--- 13 unchanged lines hidden (view full) ---

400 SOCK_LOCK_ASSERT(so);
401
402 MAC_CHECK(check_socket_stat, cred, so, so->so_label);
403
404 return (error);
405}
406
407int
408mac_check_socket_visible(struct ucred *cred, struct socket *so)
409{
410 int error;
411
412 SOCK_LOCK_ASSERT(so);
413
414 MAC_CHECK(check_socket_visible, cred, so, so->so_label);
415
416 return (error);
417}
418
419int
420mac_socket_label_set(struct ucred *cred, struct socket *so,
421 struct label *label)
422{

--- 132 unchanged lines hidden ---
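Review bot: mac_set_socket_peer_from_socket() is the one label-touching entry point in this section that carries no SOCK_LOCK_ASSERT(), and the XXXRW comment above its MAC_PERFORM() says only that callers hold one socket's lock at a time, not which socket is locked in which direction; since the function writes newso->so_peerlabel while every mac_check_socket_*() in this section that takes a socket asserts the lock of the socket whose label it reads, the comment should at least state the invariant callers are expected to provide, e.g. `* Callers hold the lock of the socket they are currently operating on, so` / `* newso->so_peerlabel may be written while only oldso is locked; readers of` / `* so_peerlabel therefore cannot rely on the socket lock alone.` If both callers can be adjusted, asserting the lock of the socket whose label is read, as mac_create_socket_from_socket() does for oldso, would be the more consistent fix. A smaller point of style: mac_check_socket_bind() names its credential parameter `ucred` while every other check in this section uses `cred`. mac_socket_label_set() begins at the end of this section and its body continues outside it.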