1/*- 2 * Copyright (c) 1999-2002 Robert N. M. Watson 3 * Copyright (c) 2001 Ilmar S. Habibulin 4 * Copyright (c) 2001-2005 Networks Associates Technology, Inc. 5 * Copyright (c) 2005 SPARTA, Inc. 6 * All rights reserved. 7 * 8 * This software was developed by Robert Watson and Ilmar Habibulin for the --- 25 unchanged lines hidden (view full) --- 34 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 35 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 36 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 37 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 38 * SUCH DAMAGE. 39 */ 40 41#include <sys/cdefs.h> |
42__FBSDID("$FreeBSD: head/sys/security/mac/mac_socket.c 168955 2007-04-22 19:55:56Z rwatson $"); |
43 44#include "opt_mac.h" 45 46#include <sys/param.h> 47#include <sys/kernel.h> 48#include <sys/lock.h> 49#include <sys/malloc.h> 50#include <sys/mutex.h> --- 99 unchanged lines hidden (view full) --- 150mac_socket_peer_label_free(struct label *label) 151{ 152 153 MAC_PERFORM(destroy_socket_peer_label, label); 154 mac_labelzone_free(label); 155} 156 157void |
158mac_destroy_socket(struct socket *so) |
159{ 160 |
161 mac_socket_label_free(so->so_label); 162 so->so_label = NULL; 163 mac_socket_peer_label_free(so->so_peerlabel); 164 so->so_peerlabel = NULL; |
165} 166 167void 168mac_copy_socket_label(struct label *src, struct label *dest) 169{ 170 171 MAC_PERFORM(copy_socket_label, src, dest); 172} --- 26 unchanged lines hidden (view full) --- 199 int error; 200 201 MAC_INTERNALIZE(socket, label, string); 202 203 return (error); 204} 205 206void |
207mac_create_socket(struct ucred *cred, struct socket *so) |
208{ 209 |
210 MAC_PERFORM(create_socket, cred, so, so->so_label); |
211} 212 213void |
214mac_create_socket_from_socket(struct socket *oldso, struct socket *newso) |
215{ 216 |
217 SOCK_LOCK_ASSERT(oldso); 218 219 MAC_PERFORM(create_socket_from_socket, oldso, oldso->so_label, newso, 220 newso->so_label); |
221} 222 223static void |
224mac_relabel_socket(struct ucred *cred, struct socket *so, |
225 struct label *newlabel) 226{ 227 |
228 SOCK_LOCK_ASSERT(so); 229 230 MAC_PERFORM(relabel_socket, cred, so, so->so_label, newlabel); |
231} 232 233void |
234mac_set_socket_peer_from_mbuf(struct mbuf *m, struct socket *so) |
235{ 236 struct label *label; 237 |
238 SOCK_LOCK_ASSERT(so); |
239 |
240 label = mac_mbuf_to_label(m); |
241 |
242 MAC_PERFORM(set_socket_peer_from_mbuf, m, label, so, 243 so->so_peerlabel); |
244} 245 246void |
247mac_set_socket_peer_from_socket(struct socket *oldso, struct socket *newso) |
248{ 249 250 /* 251 * XXXRW: only hold the socket lock on one at a time, as one socket 252 * is the original, and one is the new. However, it's called in both 253 * directions, so we can't assert the lock here currently. 254 */ |
255 MAC_PERFORM(set_socket_peer_from_socket, oldso, oldso->so_label, 256 newso, newso->so_peerlabel); |
257} 258 259void |
260mac_create_mbuf_from_socket(struct socket *so, struct mbuf *m) |
261{ 262 struct label *label; 263 |
264 SOCK_LOCK_ASSERT(so); |
265 |
266 label = mac_mbuf_to_label(m); 267 268 MAC_PERFORM(create_mbuf_from_socket, so, so->so_label, m, label); |
269} 270 271int |
272mac_check_socket_accept(struct ucred *cred, struct socket *so) |
273{ 274 int error; 275 |
276 SOCK_LOCK_ASSERT(so); |
277 |
278 MAC_CHECK(check_socket_accept, cred, so, so->so_label); |
279 280 return (error); 281} 282 283int |
284mac_check_socket_bind(struct ucred *ucred, struct socket *so, 285 struct sockaddr *sa) |
286{ 287 int error; 288 |
289 SOCK_LOCK_ASSERT(so); |
290 |
291 MAC_CHECK(check_socket_bind, ucred, so, so->so_label, sa); |
292 293 return (error); 294} 295 296int |
297mac_check_socket_connect(struct ucred *cred, struct socket *so, 298 struct sockaddr *sa) |
299{ 300 int error; 301 |
302 SOCK_LOCK_ASSERT(so); |
303 |
304 MAC_CHECK(check_socket_connect, cred, so, so->so_label, sa); |
305 306 return (error); 307} 308 309int |
310mac_check_socket_create(struct ucred *cred, int domain, int type, int proto) |
311{ 312 int error; 313 |
314 MAC_CHECK(check_socket_create, cred, domain, type, proto); |
315 316 return (error); 317} 318 319int |
320mac_check_socket_deliver(struct socket *so, struct mbuf *m) |
321{ 322 struct label *label; 323 int error; 324 |
325 SOCK_LOCK_ASSERT(so); |
326 |
327 label = mac_mbuf_to_label(m); |
328 |
329 MAC_CHECK(check_socket_deliver, so, so->so_label, m, label); |
330 331 return (error); 332} 333 334int |
335mac_check_socket_listen(struct ucred *cred, struct socket *so) |
336{ 337 int error; 338 |
339 SOCK_LOCK_ASSERT(so); |
340 |
341 MAC_CHECK(check_socket_listen, cred, so, so->so_label); 342 |
343 return (error); 344} 345 346int 347mac_check_socket_poll(struct ucred *cred, struct socket *so) 348{ 349 int error; 350 351 SOCK_LOCK_ASSERT(so); 352 353 MAC_CHECK(check_socket_poll, cred, so, so->so_label); |
354 |
355 return (error); 356} 357 358int 359mac_check_socket_receive(struct ucred *cred, struct socket *so) 360{ 361 int error; 362 363 SOCK_LOCK_ASSERT(so); 364 365 MAC_CHECK(check_socket_receive, cred, so, so->so_label); 366 367 return (error); 368} 369 370static int |
371mac_check_socket_relabel(struct ucred *cred, struct socket *so, |
372 struct label *newlabel) 373{ 374 int error; 375 |
376 SOCK_LOCK_ASSERT(so); |
377 |
378 MAC_CHECK(check_socket_relabel, cred, so, so->so_label, newlabel); |
379 380 return (error); 381} 382 383int 384mac_check_socket_send(struct ucred *cred, struct socket *so) 385{ 386 int error; --- 13 unchanged lines hidden (view full) --- 400 SOCK_LOCK_ASSERT(so); 401 402 MAC_CHECK(check_socket_stat, cred, so, so->so_label); 403 404 return (error); 405} 406 407int |
408mac_check_socket_visible(struct ucred *cred, struct socket *so) |
409{ 410 int error; 411 |
412 SOCK_LOCK_ASSERT(so); |
413 |
414 MAC_CHECK(check_socket_visible, cred, so, so->so_label); |
415 416 return (error); 417} 418 419int 420mac_socket_label_set(struct ucred *cred, struct socket *so, 421 struct label *label) 422{ --- 132 unchanged lines hidden --- |
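Review bot: Of the two-socket entry points visible in this section, mac_set_socket_peer_from_socket (new lines 247-257) is the only one that asserts neither socket lock, although it passes oldso->so_label and newso->so_peerlabel to the policies. The XXXRW comment explains why no assertion is possible, but it does not say which socket is locked in each calling direction. A policy author therefore cannot tell which of the two labels is stable during the callback. I would extend that comment with one line per direction, for example `* <caller A>: oldso locked, newso->so_peerlabel accessed unlocked; <caller B>: the reverse.`, filling in the callers from the call sites, which are not shown on this page. mac_create_socket (new lines 207-211) also dereferences so->so_label without SOCK_LOCK_ASSERT, presumably because the socket is not yet shared at creation; a short comment saying so would stop it reading as an oversight.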