| mac_system.c (104524) | mac_system.c (104527) |
|---|---|
| 1/*- 2 * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson 3 * Copyright (c) 2001 Ilmar S. Habibulin 4 * Copyright (c) 2001, 2002 Networks Associates Technology, Inc. 5 * All rights reserved. 6 * 7 * This software was developed by Robert Watson and Ilmar Habibulin for the 8 * TrustedBSD Project. --- 22 unchanged lines hidden (view full) --- 31 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 32 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 33 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 34 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 35 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 36 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 37 * SUCH DAMAGE. 38 * | 1/*- 2 * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson 3 * Copyright (c) 2001 Ilmar S. Habibulin 4 * Copyright (c) 2001, 2002 Networks Associates Technology, Inc. 5 * All rights reserved. 6 * 7 * This software was developed by Robert Watson and Ilmar Habibulin for the 8 * TrustedBSD Project. --- 22 unchanged lines hidden (view full) --- 31 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 32 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 33 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 34 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 35 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 36 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 37 * SUCH DAMAGE. 38 * |
| 39 * $FreeBSD: head/sys/security/mac/mac_system.c 104524 2002-10-05 17:18:43Z rwatson $ | 39 * $FreeBSD: head/sys/security/mac/mac_system.c 104527 2002-10-05 17:38:45Z rwatson $ |
| 40 */ 41/* 42 * Developed by the TrustedBSD Project. 43 * 44 * Framework for extensible kernel access control. Kernel and userland 45 * interface to the framework, policy registration and composition. 46 */ 47 --- 990 unchanged lines hidden (view full) --- 1038static void 1039mac_init_structmac(struct mac *mac) 1040{ 1041 1042 bzero(mac, sizeof(*mac)); 1043 mac->m_macflags = MAC_FLAG_INITIALIZED; 1044} 1045 | 40 */ 41/* 42 * Developed by the TrustedBSD Project. 43 * 44 * Framework for extensible kernel access control. Kernel and userland 45 * interface to the framework, policy registration and composition. 46 */ 47 --- 990 unchanged lines hidden (view full) --- 1038static void 1039mac_init_structmac(struct mac *mac) 1040{ 1041 1042 bzero(mac, sizeof(*mac)); 1043 mac->m_macflags = MAC_FLAG_INITIALIZED; 1044} 1045 |
| 1046int 1047mac_init_mbuf(struct mbuf *m, int flag) 1048{ 1049 KASSERT(m->m_flags & M_PKTHDR, ("mac_init_mbuf on non-header mbuf")); 1050 1051 mac_init_label(&m->m_pkthdr.label); 1052 1053 MAC_PERFORM(init_mbuf_label, &m->m_pkthdr.label, flag); 1054#ifdef MAC_DEBUG 1055 atomic_add_int(&nmacmbufs, 1); 1056#endif 1057 return (0); 1058} 1059 | |
| 1060void | 1046void |
| 1061mac_destroy_mbuf(struct mbuf *m) | 1047mac_init_bpfdesc(struct bpf_d *bpf_d) |
| 1062{ 1063 | 1048{ 1049 |
| 1064 MAC_PERFORM(destroy_mbuf_label, &m->m_pkthdr.label); 1065 mac_destroy_label(&m->m_pkthdr.label); | 1050 mac_init_label(&bpf_d->bd_label); 1051 MAC_PERFORM(init_bpfdesc_label, &bpf_d->bd_label); |
| 1066#ifdef MAC_DEBUG | 1052#ifdef MAC_DEBUG |
| 1067 atomic_subtract_int(&nmacmbufs, 1); | 1053 atomic_add_int(&nmacbpfdescs, 1); |
| 1068#endif 1069} 1070 1071void 1072mac_init_cred(struct ucred *cr) 1073{ 1074 1075 mac_init_label(&cr->cr_label); 1076 MAC_PERFORM(init_cred_label, &cr->cr_label); 1077#ifdef MAC_DEBUG 1078 atomic_add_int(&nmaccreds, 1); 1079#endif 1080} 1081 1082void | 1054#endif 1055} 1056 1057void 1058mac_init_cred(struct ucred *cr) 1059{ 1060 1061 mac_init_label(&cr->cr_label); 1062 MAC_PERFORM(init_cred_label, &cr->cr_label); 1063#ifdef MAC_DEBUG 1064 atomic_add_int(&nmaccreds, 1); 1065#endif 1066} 1067 1068void |
| 1083mac_destroy_cred(struct ucred *cr) | 1069mac_init_devfsdirent(struct devfs_dirent *de) |
| 1084{ 1085 | 1070{ 1071 |
| 1086 MAC_PERFORM(destroy_cred_label, &cr->cr_label); 1087 mac_destroy_label(&cr->cr_label); | 1072 mac_init_label(&de->de_label); 1073 MAC_PERFORM(init_devfsdirent_label, &de->de_label); |
| 1088#ifdef MAC_DEBUG | 1074#ifdef MAC_DEBUG |
| 1089 atomic_subtract_int(&nmaccreds, 1); | 1075 atomic_add_int(&nmacdevfsdirents, 1); |
| 1090#endif 1091} 1092 1093void 1094mac_init_ifnet(struct ifnet *ifp) 1095{ 1096 1097 mac_init_label(&ifp->if_label); 1098 MAC_PERFORM(init_ifnet_label, &ifp->if_label); 1099#ifdef MAC_DEBUG 1100 atomic_add_int(&nmacifnets, 1); 1101#endif 1102} 1103 1104void | 1076#endif 1077} 1078 1079void 1080mac_init_ifnet(struct ifnet *ifp) 1081{ 1082 1083 mac_init_label(&ifp->if_label); 1084 MAC_PERFORM(init_ifnet_label, &ifp->if_label); 1085#ifdef MAC_DEBUG 1086 atomic_add_int(&nmacifnets, 1); 1087#endif 1088} 1089 1090void |
| 1105mac_destroy_ifnet(struct ifnet *ifp) | 1091mac_init_ipq(struct ipq *ipq) |
| 1106{ 1107 | 1092{ 1093 |
| 1108 MAC_PERFORM(destroy_ifnet_label, &ifp->if_label); 1109 mac_destroy_label(&ifp->if_label); | 1094 mac_init_label(&ipq->ipq_label); 1095 MAC_PERFORM(init_ipq_label, &ipq->ipq_label); |
| 1110#ifdef MAC_DEBUG | 1096#ifdef MAC_DEBUG |
| 1111 atomic_subtract_int(&nmacifnets, 1); | 1097 atomic_add_int(&nmacipqs, 1); |
| 1112#endif 1113} 1114 | 1098#endif 1099} 1100 |
| 1101int 1102mac_init_mbuf(struct mbuf *m, int flag) 1103{ 1104 KASSERT(m->m_flags & M_PKTHDR, ("mac_init_mbuf on non-header mbuf")); 1105 1106 mac_init_label(&m->m_pkthdr.label); 1107 1108 MAC_PERFORM(init_mbuf_label, &m->m_pkthdr.label, flag); 1109#ifdef MAC_DEBUG 1110 atomic_add_int(&nmacmbufs, 1); 1111#endif 1112 return (0); 1113} 1114 |
|
| 1115void | 1115void |
| 1116mac_init_ipq(struct ipq *ipq) | 1116mac_init_mount(struct mount *mp) |
| 1117{ 1118 | 1117{ 1118 |
| 1119 mac_init_label(&ipq->ipq_label); 1120 MAC_PERFORM(init_ipq_label, &ipq->ipq_label); | 1119 mac_init_label(&mp->mnt_mntlabel); 1120 mac_init_label(&mp->mnt_fslabel); 1121 MAC_PERFORM(init_mount_label, &mp->mnt_mntlabel); 1122 MAC_PERFORM(init_mount_fs_label, &mp->mnt_fslabel); |
| 1121#ifdef MAC_DEBUG | 1123#ifdef MAC_DEBUG |
| 1122 atomic_add_int(&nmacipqs, 1); | 1124 atomic_add_int(&nmacmounts, 1); |
| 1123#endif 1124} 1125 1126void | 1125#endif 1126} 1127 1128void |
| 1127mac_destroy_ipq(struct ipq *ipq) | 1129mac_init_pipe(struct pipe *pipe) |
| 1128{ | 1130{ |
| 1131 struct label *label; |
|
| 1129 | 1132 |
| 1130 MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label); 1131 mac_destroy_label(&ipq->ipq_label); | 1133 label = malloc(sizeof(struct label), M_MACPIPELABEL, M_ZERO|M_WAITOK); 1134 mac_init_label(label); 1135 pipe->pipe_label = label; 1136 pipe->pipe_peer->pipe_label = label; 1137 MAC_PERFORM(init_pipe_label, pipe->pipe_label); |
| 1132#ifdef MAC_DEBUG | 1138#ifdef MAC_DEBUG |
| 1133 atomic_subtract_int(&nmacipqs, 1); | 1139 atomic_add_int(&nmacpipes, 1); |
| 1134#endif 1135} 1136 1137void 1138mac_init_socket(struct socket *socket) 1139{ 1140 1141 mac_init_label(&socket->so_label); 1142 mac_init_label(&socket->so_peerlabel); 1143 MAC_PERFORM(init_socket_label, &socket->so_label); 1144 MAC_PERFORM(init_socket_peer_label, &socket->so_peerlabel); 1145#ifdef MAC_DEBUG 1146 atomic_add_int(&nmacsockets, 1); 1147#endif 1148} 1149 | 1140#endif 1141} 1142 1143void 1144mac_init_socket(struct socket *socket) 1145{ 1146 1147 mac_init_label(&socket->so_label); 1148 mac_init_label(&socket->so_peerlabel); 1149 MAC_PERFORM(init_socket_label, &socket->so_label); 1150 MAC_PERFORM(init_socket_peer_label, &socket->so_peerlabel); 1151#ifdef MAC_DEBUG 1152 atomic_add_int(&nmacsockets, 1); 1153#endif 1154} 1155 |
| 1150void 1151mac_destroy_socket(struct socket *socket) | 1156static void 1157mac_init_temp(struct label *label) |
| 1152{ 1153 | 1158{ 1159 |
| 1154 MAC_PERFORM(destroy_socket_label, &socket->so_label); 1155 MAC_PERFORM(destroy_socket_peer_label, &socket->so_peerlabel); 1156 mac_destroy_label(&socket->so_label); 1157 mac_destroy_label(&socket->so_peerlabel); | 1160 mac_init_label(label); 1161 MAC_PERFORM(init_temp_label, label); |
| 1158#ifdef MAC_DEBUG | 1162#ifdef MAC_DEBUG |
| 1159 atomic_subtract_int(&nmacsockets, 1); | 1163 atomic_add_int(&nmactemp, 1); |
| 1160#endif 1161} 1162 1163void | 1164#endif 1165} 1166 1167void |
| 1164mac_init_pipe(struct pipe *pipe) | 1168mac_init_vnode(struct vnode *vp) |
| 1165{ | 1169{ |
| 1166 struct label *label; | |
| 1167 | 1170 |
| 1168 label = malloc(sizeof(struct label), M_MACPIPELABEL, M_ZERO|M_WAITOK); 1169 mac_init_label(label); 1170 pipe->pipe_label = label; 1171 pipe->pipe_peer->pipe_label = label; 1172 MAC_PERFORM(init_pipe_label, pipe->pipe_label); | 1171 mac_init_label(&vp->v_label); 1172 MAC_PERFORM(init_vnode_label, &vp->v_label); |
| 1173#ifdef MAC_DEBUG | 1173#ifdef MAC_DEBUG |
| 1174 atomic_add_int(&nmacpipes, 1); | 1174 atomic_add_int(&nmacvnodes, 1); |
| 1175#endif 1176} 1177 1178void | 1175#endif 1176} 1177 1178void |
| 1179mac_destroy_pipe(struct pipe *pipe) | 1179mac_destroy_bpfdesc(struct bpf_d *bpf_d) |
| 1180{ 1181 | 1180{ 1181 |
| 1182 MAC_PERFORM(destroy_pipe_label, pipe->pipe_label); 1183 mac_destroy_label(pipe->pipe_label); 1184 free(pipe->pipe_label, M_MACPIPELABEL); | 1182 MAC_PERFORM(destroy_bpfdesc_label, &bpf_d->bd_label); 1183 mac_destroy_label(&bpf_d->bd_label); |
| 1185#ifdef MAC_DEBUG | 1184#ifdef MAC_DEBUG |
| 1186 atomic_subtract_int(&nmacpipes, 1); | 1185 atomic_subtract_int(&nmacbpfdescs, 1); |
| 1187#endif 1188} 1189 1190void | 1186#endif 1187} 1188 1189void |
| 1191mac_init_bpfdesc(struct bpf_d *bpf_d) | 1190mac_destroy_cred(struct ucred *cr) |
| 1192{ 1193 | 1191{ 1192 |
| 1194 mac_init_label(&bpf_d->bd_label); 1195 MAC_PERFORM(init_bpfdesc_label, &bpf_d->bd_label); | 1193 MAC_PERFORM(destroy_cred_label, &cr->cr_label); 1194 mac_destroy_label(&cr->cr_label); |
| 1196#ifdef MAC_DEBUG | 1195#ifdef MAC_DEBUG |
| 1197 atomic_add_int(&nmacbpfdescs, 1); | 1196 atomic_subtract_int(&nmaccreds, 1); |
| 1198#endif 1199} 1200 1201void | 1197#endif 1198} 1199 1200void |
| 1202mac_destroy_bpfdesc(struct bpf_d *bpf_d) | 1201mac_destroy_devfsdirent(struct devfs_dirent *de) |
| 1203{ 1204 | 1202{ 1203 |
| 1205 MAC_PERFORM(destroy_bpfdesc_label, &bpf_d->bd_label); 1206 mac_destroy_label(&bpf_d->bd_label); | 1204 MAC_PERFORM(destroy_devfsdirent_label, &de->de_label); 1205 mac_destroy_label(&de->de_label); |
| 1207#ifdef MAC_DEBUG | 1206#ifdef MAC_DEBUG |
| 1208 atomic_subtract_int(&nmacbpfdescs, 1); | 1207 atomic_subtract_int(&nmacdevfsdirents, 1); |
| 1209#endif 1210} 1211 1212void | 1208#endif 1209} 1210 1211void |
| 1213mac_init_mount(struct mount *mp) | 1212mac_destroy_ifnet(struct ifnet *ifp) |
| 1214{ 1215 | 1213{ 1214 |
| 1216 mac_init_label(&mp->mnt_mntlabel); 1217 mac_init_label(&mp->mnt_fslabel); 1218 MAC_PERFORM(init_mount_label, &mp->mnt_mntlabel); 1219 MAC_PERFORM(init_mount_fs_label, &mp->mnt_fslabel); | 1215 MAC_PERFORM(destroy_ifnet_label, &ifp->if_label); 1216 mac_destroy_label(&ifp->if_label); |
| 1220#ifdef MAC_DEBUG | 1217#ifdef MAC_DEBUG |
| 1221 atomic_add_int(&nmacmounts, 1); | 1218 atomic_subtract_int(&nmacifnets, 1); |
| 1222#endif 1223} 1224 1225void | 1219#endif 1220} 1221 1222void |
| 1226mac_destroy_mount(struct mount *mp) | 1223mac_destroy_ipq(struct ipq *ipq) |
| 1227{ 1228 | 1224{ 1225 |
| 1229 MAC_PERFORM(destroy_mount_label, &mp->mnt_mntlabel); 1230 MAC_PERFORM(destroy_mount_fs_label, &mp->mnt_fslabel); 1231 mac_destroy_label(&mp->mnt_fslabel); 1232 mac_destroy_label(&mp->mnt_mntlabel); | 1226 MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label); 1227 mac_destroy_label(&ipq->ipq_label); |
| 1233#ifdef MAC_DEBUG | 1228#ifdef MAC_DEBUG |
| 1234 atomic_subtract_int(&nmacmounts, 1); | 1229 atomic_subtract_int(&nmacipqs, 1); |
| 1235#endif 1236} 1237 | 1230#endif 1231} 1232 |
| 1238static void 1239mac_init_temp(struct label *label) | 1233void 1234mac_destroy_mbuf(struct mbuf *m) |
| 1240{ 1241 | 1235{ 1236 |
| 1242 mac_init_label(label); 1243 MAC_PERFORM(init_temp_label, label); | 1237 MAC_PERFORM(destroy_mbuf_label, &m->m_pkthdr.label); 1238 mac_destroy_label(&m->m_pkthdr.label); |
| 1244#ifdef MAC_DEBUG | 1239#ifdef MAC_DEBUG |
| 1245 atomic_add_int(&nmactemp, 1); | 1240 atomic_subtract_int(&nmacmbufs, 1); |
| 1246#endif 1247} 1248 | 1241#endif 1242} 1243 |
| 1249static void 1250mac_destroy_temp(struct label *label) | 1244void 1245mac_destroy_mount(struct mount *mp) |
| 1251{ 1252 | 1246{ 1247 |
| 1253 MAC_PERFORM(destroy_temp_label, label); 1254 mac_destroy_label(label); | 1248 MAC_PERFORM(destroy_mount_label, &mp->mnt_mntlabel); 1249 MAC_PERFORM(destroy_mount_fs_label, &mp->mnt_fslabel); 1250 mac_destroy_label(&mp->mnt_fslabel); 1251 mac_destroy_label(&mp->mnt_mntlabel); |
| 1255#ifdef MAC_DEBUG | 1252#ifdef MAC_DEBUG |
| 1256 atomic_subtract_int(&nmactemp, 1); | 1253 atomic_subtract_int(&nmacmounts, 1); |
| 1257#endif 1258} 1259 1260void | 1254#endif 1255} 1256 1257void |
| 1261mac_init_vnode(struct vnode *vp) | 1258mac_destroy_pipe(struct pipe *pipe) |
| 1262{ 1263 | 1259{ 1260 |
| 1264 mac_init_label(&vp->v_label); 1265 MAC_PERFORM(init_vnode_label, &vp->v_label); | 1261 MAC_PERFORM(destroy_pipe_label, pipe->pipe_label); 1262 mac_destroy_label(pipe->pipe_label); 1263 free(pipe->pipe_label, M_MACPIPELABEL); |
| 1266#ifdef MAC_DEBUG | 1264#ifdef MAC_DEBUG |
| 1267 atomic_add_int(&nmacvnodes, 1); | 1265 atomic_subtract_int(&nmacpipes, 1); |
| 1268#endif 1269} 1270 1271void | 1266#endif 1267} 1268 1269void |
| 1272mac_destroy_vnode(struct vnode *vp) | 1270mac_destroy_socket(struct socket *socket) |
| 1273{ 1274 | 1271{ 1272 |
| 1275 MAC_PERFORM(destroy_vnode_label, &vp->v_label); 1276 mac_destroy_label(&vp->v_label); | 1273 MAC_PERFORM(destroy_socket_label, &socket->so_label); 1274 MAC_PERFORM(destroy_socket_peer_label, &socket->so_peerlabel); 1275 mac_destroy_label(&socket->so_label); 1276 mac_destroy_label(&socket->so_peerlabel); |
| 1277#ifdef MAC_DEBUG | 1277#ifdef MAC_DEBUG |
| 1278 atomic_subtract_int(&nmacvnodes, 1); | 1278 atomic_subtract_int(&nmacsockets, 1); |
| 1279#endif 1280} 1281 | 1279#endif 1280} 1281 |
| 1282void 1283mac_init_devfsdirent(struct devfs_dirent *de) | 1282static void 1283mac_destroy_temp(struct label *label) |
| 1284{ 1285 | 1284{ 1285 |
| 1286 mac_init_label(&de->de_label); 1287 MAC_PERFORM(init_devfsdirent_label, &de->de_label); | 1286 MAC_PERFORM(destroy_temp_label, label); 1287 mac_destroy_label(label); |
| 1288#ifdef MAC_DEBUG | 1288#ifdef MAC_DEBUG |
| 1289 atomic_add_int(&nmacdevfsdirents, 1); | 1289 atomic_subtract_int(&nmactemp, 1); |
| 1290#endif 1291} 1292 1293void | 1290#endif 1291} 1292 1293void |
| 1294mac_destroy_devfsdirent(struct devfs_dirent *de) | 1294mac_destroy_vnode(struct vnode *vp) |
| 1295{ 1296 | 1295{ 1296 |
| 1297 MAC_PERFORM(destroy_devfsdirent_label, &de->de_label); 1298 mac_destroy_label(&de->de_label); | 1297 MAC_PERFORM(destroy_vnode_label, &vp->v_label); 1298 mac_destroy_label(&vp->v_label); |
| 1299#ifdef MAC_DEBUG | 1299#ifdef MAC_DEBUG |
| 1300 atomic_subtract_int(&nmacdevfsdirents, 1); | 1300 atomic_subtract_int(&nmacvnodes, 1); |
| 1301#endif 1302} 1303 1304static int 1305mac_externalize(struct label *label, struct mac *mac) 1306{ 1307 int error; 1308 --- 2116 unchanged lines hidden --- | 1301#endif 1302} 1303 1304static int 1305mac_externalize(struct label *label, struct mac *mac) 1306{ 1307 int error; 1308 --- 2116 unchanged lines hidden --- |