| mac_socket.c (165469) | mac_socket.c (168955) |
|---|---|
| 1/*- 2 * Copyright (c) 1999-2002 Robert N. M. Watson 3 * Copyright (c) 2001 Ilmar S. Habibulin 4 * Copyright (c) 2001-2005 Networks Associates Technology, Inc. 5 * Copyright (c) 2005 SPARTA, Inc. 6 * All rights reserved. 7 * 8 * This software was developed by Robert Watson and Ilmar Habibulin for the --- 25 unchanged lines hidden (view full) --- 34 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 35 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 36 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 37 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 38 * SUCH DAMAGE. 39 */ 40 41#include <sys/cdefs.h> | 1/*- 2 * Copyright (c) 1999-2002 Robert N. M. Watson 3 * Copyright (c) 2001 Ilmar S. Habibulin 4 * Copyright (c) 2001-2005 Networks Associates Technology, Inc. 5 * Copyright (c) 2005 SPARTA, Inc. 6 * All rights reserved. 7 * 8 * This software was developed by Robert Watson and Ilmar Habibulin for the --- 25 unchanged lines hidden (view full) --- 34 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 35 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 36 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 37 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 38 * SUCH DAMAGE. 39 */ 40 41#include <sys/cdefs.h> |
| 42__FBSDID("$FreeBSD: head/sys/security/mac/mac_socket.c 165469 2006-12-22 23:34:47Z rwatson $"); | 42__FBSDID("$FreeBSD: head/sys/security/mac/mac_socket.c 168955 2007-04-22 19:55:56Z rwatson $"); |
| 43 44#include "opt_mac.h" 45 46#include <sys/param.h> 47#include <sys/kernel.h> 48#include <sys/lock.h> 49#include <sys/malloc.h> 50#include <sys/mutex.h> --- 99 unchanged lines hidden (view full) --- 150mac_socket_peer_label_free(struct label *label) 151{ 152 153 MAC_PERFORM(destroy_socket_peer_label, label); 154 mac_labelzone_free(label); 155} 156 157void | 43 44#include "opt_mac.h" 45 46#include <sys/param.h> 47#include <sys/kernel.h> 48#include <sys/lock.h> 49#include <sys/malloc.h> 50#include <sys/mutex.h> --- 99 unchanged lines hidden (view full) --- 150mac_socket_peer_label_free(struct label *label) 151{ 152 153 MAC_PERFORM(destroy_socket_peer_label, label); 154 mac_labelzone_free(label); 155} 156 157void |
| 158mac_destroy_socket(struct socket *socket) | 158mac_destroy_socket(struct socket *so) |
| 159{ 160 | 159{ 160 |
| 161 mac_socket_label_free(socket->so_label); 162 socket->so_label = NULL; 163 mac_socket_peer_label_free(socket->so_peerlabel); 164 socket->so_peerlabel = NULL; | 161 mac_socket_label_free(so->so_label); 162 so->so_label = NULL; 163 mac_socket_peer_label_free(so->so_peerlabel); 164 so->so_peerlabel = NULL; |
| 165} 166 167void 168mac_copy_socket_label(struct label *src, struct label *dest) 169{ 170 171 MAC_PERFORM(copy_socket_label, src, dest); 172} --- 26 unchanged lines hidden (view full) --- 199 int error; 200 201 MAC_INTERNALIZE(socket, label, string); 202 203 return (error); 204} 205 206void | 165} 166 167void 168mac_copy_socket_label(struct label *src, struct label *dest) 169{ 170 171 MAC_PERFORM(copy_socket_label, src, dest); 172} --- 26 unchanged lines hidden (view full) --- 199 int error; 200 201 MAC_INTERNALIZE(socket, label, string); 202 203 return (error); 204} 205 206void |
| 207mac_create_socket(struct ucred *cred, struct socket *socket) | 207mac_create_socket(struct ucred *cred, struct socket *so) |
| 208{ 209 | 208{ 209 |
| 210 MAC_PERFORM(create_socket, cred, socket, socket->so_label); | 210 MAC_PERFORM(create_socket, cred, so, so->so_label); |
| 211} 212 213void | 211} 212 213void |
| 214mac_create_socket_from_socket(struct socket *oldsocket, 215 struct socket *newsocket) | 214mac_create_socket_from_socket(struct socket *oldso, struct socket *newso) |
| 216{ 217 | 215{ 216 |
| 218 SOCK_LOCK_ASSERT(oldsocket); 219 MAC_PERFORM(create_socket_from_socket, oldsocket, oldsocket->so_label, 220 newsocket, newsocket->so_label); | 217 SOCK_LOCK_ASSERT(oldso); 218 219 MAC_PERFORM(create_socket_from_socket, oldso, oldso->so_label, newso, 220 newso->so_label); |
| 221} 222 223static void | 221} 222 223static void |
| 224mac_relabel_socket(struct ucred *cred, struct socket *socket, | 224mac_relabel_socket(struct ucred *cred, struct socket *so, |
| 225 struct label *newlabel) 226{ 227 | 225 struct label *newlabel) 226{ 227 |
| 228 SOCK_LOCK_ASSERT(socket); 229 MAC_PERFORM(relabel_socket, cred, socket, socket->so_label, newlabel); | 228 SOCK_LOCK_ASSERT(so); 229 230 MAC_PERFORM(relabel_socket, cred, so, so->so_label, newlabel); |
| 230} 231 232void | 231} 232 233void |
| 233mac_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct socket *socket) | 234mac_set_socket_peer_from_mbuf(struct mbuf *m, struct socket *so) |
| 234{ 235 struct label *label; 236 | 235{ 236 struct label *label; 237 |
| 237 SOCK_LOCK_ASSERT(socket); | 238 SOCK_LOCK_ASSERT(so); |
| 238 | 239 |
| 239 label = mac_mbuf_to_label(mbuf); | 240 label = mac_mbuf_to_label(m); |
| 240 | 241 |
| 241 MAC_PERFORM(set_socket_peer_from_mbuf, mbuf, label, socket, 242 socket->so_peerlabel); | 242 MAC_PERFORM(set_socket_peer_from_mbuf, m, label, so, 243 so->so_peerlabel); |
| 243} 244 245void | 244} 245 246void |
| 246mac_set_socket_peer_from_socket(struct socket *oldsocket, 247 struct socket *newsocket) | 247mac_set_socket_peer_from_socket(struct socket *oldso, struct socket *newso) |
| 248{ 249 250 /* 251 * XXXRW: only hold the socket lock on one at a time, as one socket 252 * is the original, and one is the new. However, it's called in both 253 * directions, so we can't assert the lock here currently. 254 */ | 248{ 249 250 /* 251 * XXXRW: only hold the socket lock on one at a time, as one socket 252 * is the original, and one is the new. However, it's called in both 253 * directions, so we can't assert the lock here currently. 254 */ |
| 255 MAC_PERFORM(set_socket_peer_from_socket, oldsocket, 256 oldsocket->so_label, newsocket, newsocket->so_peerlabel); | 255 MAC_PERFORM(set_socket_peer_from_socket, oldso, oldso->so_label, 256 newso, newso->so_peerlabel); |
| 257} 258 259void | 257} 258 259void |
| 260mac_create_mbuf_from_socket(struct socket *socket, struct mbuf *mbuf) | 260mac_create_mbuf_from_socket(struct socket *so, struct mbuf *m) |
| 261{ 262 struct label *label; 263 | 261{ 262 struct label *label; 263 |
| 264 label = mac_mbuf_to_label(mbuf); | 264 SOCK_LOCK_ASSERT(so); |
| 265 | 265 |
| 266 SOCK_LOCK_ASSERT(socket); 267 MAC_PERFORM(create_mbuf_from_socket, socket, socket->so_label, mbuf, 268 label); | 266 label = mac_mbuf_to_label(m); 267 268 MAC_PERFORM(create_mbuf_from_socket, so, so->so_label, m, label); |
| 269} 270 271int | 269} 270 271int |
| 272mac_check_socket_accept(struct ucred *cred, struct socket *socket) | 272mac_check_socket_accept(struct ucred *cred, struct socket *so) |
| 273{ 274 int error; 275 | 273{ 274 int error; 275 |
| 276 SOCK_LOCK_ASSERT(socket); | 276 SOCK_LOCK_ASSERT(so); |
| 277 | 277 |
| 278 MAC_CHECK(check_socket_accept, cred, socket, socket->so_label); | 278 MAC_CHECK(check_socket_accept, cred, so, so->so_label); |
| 279 280 return (error); 281} 282 283int | 279 280 return (error); 281} 282 283int |
| 284mac_check_socket_bind(struct ucred *ucred, struct socket *socket, 285 struct sockaddr *sockaddr) | 284mac_check_socket_bind(struct ucred *ucred, struct socket *so, 285 struct sockaddr *sa) |
| 286{ 287 int error; 288 | 286{ 287 int error; 288 |
| 289 SOCK_LOCK_ASSERT(socket); | 289 SOCK_LOCK_ASSERT(so); |
| 290 | 290 |
| 291 MAC_CHECK(check_socket_bind, ucred, socket, socket->so_label, 292 sockaddr); | 291 MAC_CHECK(check_socket_bind, ucred, so, so->so_label, sa); |
| 293 294 return (error); 295} 296 297int | 292 293 return (error); 294} 295 296int |
| 298mac_check_socket_connect(struct ucred *cred, struct socket *socket, 299 struct sockaddr *sockaddr) | 297mac_check_socket_connect(struct ucred *cred, struct socket *so, 298 struct sockaddr *sa) |
| 300{ 301 int error; 302 | 299{ 300 int error; 301 |
| 303 SOCK_LOCK_ASSERT(socket); | 302 SOCK_LOCK_ASSERT(so); |
| 304 | 303 |
| 305 MAC_CHECK(check_socket_connect, cred, socket, socket->so_label, 306 sockaddr); | 304 MAC_CHECK(check_socket_connect, cred, so, so->so_label, sa); |
| 307 308 return (error); 309} 310 311int | 305 306 return (error); 307} 308 309int |
| 312mac_check_socket_create(struct ucred *cred, int domain, int type, 313 int protocol) | 310mac_check_socket_create(struct ucred *cred, int domain, int type, int proto) |
| 314{ 315 int error; 316 | 311{ 312 int error; 313 |
| 317 MAC_CHECK(check_socket_create, cred, domain, type, protocol); | 314 MAC_CHECK(check_socket_create, cred, domain, type, proto); |
| 318 319 return (error); 320} 321 322int | 315 316 return (error); 317} 318 319int |
| 323mac_check_socket_deliver(struct socket *socket, struct mbuf *mbuf) | 320mac_check_socket_deliver(struct socket *so, struct mbuf *m) |
| 324{ 325 struct label *label; 326 int error; 327 | 321{ 322 struct label *label; 323 int error; 324 |
| 328 SOCK_LOCK_ASSERT(socket); | 325 SOCK_LOCK_ASSERT(so); |
| 329 | 326 |
| 330 label = mac_mbuf_to_label(mbuf); | 327 label = mac_mbuf_to_label(m); |
| 331 | 328 |
| 332 MAC_CHECK(check_socket_deliver, socket, socket->so_label, mbuf, 333 label); | 329 MAC_CHECK(check_socket_deliver, so, so->so_label, m, label); |
| 334 335 return (error); 336} 337 338int | 330 331 return (error); 332} 333 334int |
| 339mac_check_socket_listen(struct ucred *cred, struct socket *socket) | 335mac_check_socket_listen(struct ucred *cred, struct socket *so) |
| 340{ 341 int error; 342 | 336{ 337 int error; 338 |
| 343 SOCK_LOCK_ASSERT(socket); | 339 SOCK_LOCK_ASSERT(so); |
| 344 | 340 |
| 345 MAC_CHECK(check_socket_listen, cred, socket, socket->so_label); | 341 MAC_CHECK(check_socket_listen, cred, so, so->so_label); 342 |
| 346 return (error); 347} 348 349int 350mac_check_socket_poll(struct ucred *cred, struct socket *so) 351{ 352 int error; 353 354 SOCK_LOCK_ASSERT(so); 355 356 MAC_CHECK(check_socket_poll, cred, so, so->so_label); | 343 return (error); 344} 345 346int 347mac_check_socket_poll(struct ucred *cred, struct socket *so) 348{ 349 int error; 350 351 SOCK_LOCK_ASSERT(so); 352 353 MAC_CHECK(check_socket_poll, cred, so, so->so_label); |
| 354 |
|
| 357 return (error); 358} 359 360int 361mac_check_socket_receive(struct ucred *cred, struct socket *so) 362{ 363 int error; 364 365 SOCK_LOCK_ASSERT(so); 366 367 MAC_CHECK(check_socket_receive, cred, so, so->so_label); 368 369 return (error); 370} 371 372static int | 355 return (error); 356} 357 358int 359mac_check_socket_receive(struct ucred *cred, struct socket *so) 360{ 361 int error; 362 363 SOCK_LOCK_ASSERT(so); 364 365 MAC_CHECK(check_socket_receive, cred, so, so->so_label); 366 367 return (error); 368} 369 370static int |
| 373mac_check_socket_relabel(struct ucred *cred, struct socket *socket, | 371mac_check_socket_relabel(struct ucred *cred, struct socket *so, |
| 374 struct label *newlabel) 375{ 376 int error; 377 | 372 struct label *newlabel) 373{ 374 int error; 375 |
| 378 SOCK_LOCK_ASSERT(socket); | 376 SOCK_LOCK_ASSERT(so); |
| 379 | 377 |
| 380 MAC_CHECK(check_socket_relabel, cred, socket, socket->so_label, 381 newlabel); | 378 MAC_CHECK(check_socket_relabel, cred, so, so->so_label, newlabel); |
| 382 383 return (error); 384} 385 386int 387mac_check_socket_send(struct ucred *cred, struct socket *so) 388{ 389 int error; --- 13 unchanged lines hidden (view full) --- 403 SOCK_LOCK_ASSERT(so); 404 405 MAC_CHECK(check_socket_stat, cred, so, so->so_label); 406 407 return (error); 408} 409 410int | 379 380 return (error); 381} 382 383int 384mac_check_socket_send(struct ucred *cred, struct socket *so) 385{ 386 int error; --- 13 unchanged lines hidden (view full) --- 400 SOCK_LOCK_ASSERT(so); 401 402 MAC_CHECK(check_socket_stat, cred, so, so->so_label); 403 404 return (error); 405} 406 407int |
| 411mac_check_socket_visible(struct ucred *cred, struct socket *socket) | 408mac_check_socket_visible(struct ucred *cred, struct socket *so) |
| 412{ 413 int error; 414 | 409{ 410 int error; 411 |
| 415 SOCK_LOCK_ASSERT(socket); | 412 SOCK_LOCK_ASSERT(so); |
| 416 | 413 |
| 417 MAC_CHECK(check_socket_visible, cred, socket, socket->so_label); | 414 MAC_CHECK(check_socket_visible, cred, so, so->so_label); |
| 418 419 return (error); 420} 421 422int 423mac_socket_label_set(struct ucred *cred, struct socket *so, 424 struct label *label) 425{ --- 132 unchanged lines hidden --- | 415 416 return (error); 417} 418 419int 420mac_socket_label_set(struct ucred *cred, struct socket *so, 421 struct label *label) 422{ --- 132 unchanged lines hidden --- |