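--- a/mac_biba.c
+++ b/mac_biba.c
@@ -1,8 +1,8 @@
 /*-
  * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson
  * Copyright (c) 2001, 2002 Networks Associates Technology, Inc.
  * All rights reserved.
  *
  * This software was developed by Robert Watson for the TrustedBSD Project.
  *
  * This software was developed for the FreeBSD Project in part by NAI Labs,
@@ -29,17 +29,17 @@
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $FreeBSD: head/sys/security/mac_biba/mac_biba.c 105643 2002-10-21 18:42:01Z rwatson $
+ * $FreeBSD: head/sys/security/mac_biba/mac_biba.c 105656 2002-10-21 20:55:39Z rwatson $
  */
 
 /*
  * Developed by the TrustedBSD Project.
  * Biba fixed label mandatory integrity policy.
  */
 
 #include <sys/types.h>
@@ -442,16 +442,26 @@
 
  KASSERT((labelfrom->mb_flags & MAC_BIBA_FLAG_SINGLE) != 0,
  ("mac_biba_copy_single: labelfrom not single"));
 
  labelto->mb_single = labelfrom->mb_single;
  labelto->mb_flags |= MAC_BIBA_FLAG_SINGLE;
 }
 
+static void
+mac_biba_copy(struct mac_biba *source, struct mac_biba *dest)
+{
+
+ if (source->mb_flags & MAC_BIBA_FLAG_SINGLE)
+ mac_biba_copy_single(source, dest);
+ if (source->mb_flags & MAC_BIBA_FLAG_RANGE)
+ mac_biba_copy_range(source, dest);
+}
+
 /*
  * Policy module operations.
  */
 static void
 mac_biba_destroy(struct mac_policy_conf *conf)
 {
 
 }
@@ -626,29 +636,29 @@
 mac_biba_relabel_vnode(struct ucred *cred, struct vnode *vp,
  struct label *vnodelabel, struct label *label)
 {
  struct mac_biba *source, *dest;
 
  source = SLOT(label);
  dest = SLOT(vnodelabel);
 
- mac_biba_copy_single(source, dest);
+ mac_biba_copy(source, dest);
 }
 
 static void
 mac_biba_update_devfsdirent(struct devfs_dirent *devfs_dirent,
  struct label *direntlabel, struct vnode *vp, struct label *vnodelabel)
 {
  struct mac_biba *source, *dest;
 
  source = SLOT(vnodelabel);
  dest = SLOT(direntlabel);
 
- mac_biba_copy_single(source, dest);
+ mac_biba_copy(source, dest);
 }
 
 static void
 mac_biba_update_procfsvnode(struct vnode *vp, struct label *vnodelabel,
  struct ucred *cred)
 {
  struct mac_biba *source, *dest;
 
@@ -752,29 +762,29 @@
 mac_biba_relabel_socket(struct ucred *cred, struct socket *socket,
  struct label *socketlabel, struct label *newlabel)
 {
  struct mac_biba *source, *dest;
 
  source = SLOT(newlabel);
  dest = SLOT(socketlabel);
 
- mac_biba_copy_single(source, dest);
+ mac_biba_copy(source, dest);
 }
 
 static void
 mac_biba_relabel_pipe(struct ucred *cred, struct pipe *pipe,
  struct label *pipelabel, struct label *newlabel)
 {
  struct mac_biba *source, *dest;
 
  source = SLOT(newlabel);
  dest = SLOT(pipelabel);
 
- mac_biba_copy_single(source, dest);
+ mac_biba_copy(source, dest);
 }
 
 static void
 mac_biba_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct label *mbuflabel,
  struct socket *socket, struct label *socketpeerlabel)
 {
  struct mac_biba *source, *dest;
 
@@ -907,17 +917,25 @@
  struct label *oldmbuflabel, struct mbuf *newmbuf,
  struct label *newmbuflabel)
 {
  struct mac_biba *source, *dest;
 
  source = SLOT(oldmbuflabel);
  dest = SLOT(newmbuflabel);
 
- mac_biba_copy_single(source, dest);
+ /*
+ * Because the source mbuf may not yet have been "created",
+ * just initialiezd, we do a conditional copy. Since we don't
+ * allow mbufs to have ranges, do a KASSERT to make sure that
+ * doesn't happen.
+ */
+ KASSERT((source->mb_flags & MAC_BIBA_FLAG_RANGE) == 0,
+ ("mac_biba_create_mbuf_from_mbuf: source mbuf has range"));
+ mac_biba_copy(source, dest);
 }
 
 static void
 mac_biba_create_mbuf_linklayer(struct ifnet *ifnet, struct label *ifnetlabel,
  struct mbuf *mbuf, struct label *mbuflabel)
 {
  struct mac_biba *dest;
 
@@ -991,18 +1009,17 @@
 mac_biba_relabel_ifnet(struct ucred *cred, struct ifnet *ifnet,
  struct label *ifnetlabel, struct label *newlabel)
 {
  struct mac_biba *source, *dest;
 
  source = SLOT(newlabel);
  dest = SLOT(ifnetlabel);
 
- mac_biba_copy_single(source, dest);
- mac_biba_copy_range(source, dest);
+ mac_biba_copy(source, dest);
 }
 
 static void
 mac_biba_update_ipq(struct mbuf *fragment, struct label *fragmentlabel,
  struct ipq *ipq, struct label *ipqlabel)
 {
 
  /* NOOP: we only accept matching labels, so no need to update */
@@ -1071,18 +1088,17 @@
 static void
 mac_biba_relabel_cred(struct ucred *cred, struct label *newlabel)
 {
  struct mac_biba *source, *dest;
 
  source = SLOT(newlabel);
  dest = SLOT(&cred->cr_label);
 
- mac_biba_copy_single(source, dest);
- mac_biba_copy_range(source, dest);
+ mac_biba_copy(source, dest);
 }
 
 /*
  * Access control checks.
  */
 static int
 mac_biba_check_bpfdesc_receive(struct bpf_d *bpf_d, struct label *bpflabel,
  struct ifnet *ifnet, struct label *ifnetlabel)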
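Review bot: The switch from mac_biba_copy_single() to mac_biba_copy() in mac_biba_relabel_vnode, mac_biba_update_devfsdirent, mac_biba_relabel_socket and mac_biba_relabel_pipe (new lines 644, 656, 770, 782) drops the "labelfrom not single" KASSERT those callers had through mac_biba_copy_single(), and it lets a source with MAC_BIBA_FLAG_RANGE set write a range into the destination label; only the mbuf site (new lines 931-932) guards against that. If those objects are meant to carry a single element only, as the old calls suggest, each site should carry the same guard, e.g. `KASSERT((source->mb_flags & MAC_BIBA_FLAG_RANGE) == 0, ("mac_biba_relabel_vnode: source has range"));`; whether the matching relabel check entry points already reject such labels is not visible in the shown lines. mac_biba_copy() would also benefit from a header comment stating that it only adds elements: it does nothing when the source has neither flag and leaves untouched any destination element the source lacks, so a partial source yields a mixed label. KASSERT is compiled out of kernels built without INVARIANTS, so these assertions document the invariant but do not enforce it in production. The new comment at line 927 also has a typo, `initialiezd` for `initialized`.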