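--- a/mac_mls.c
+++ b/mac_mls.c
@@ -1,8 +1,8 @@
 /*-
  * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson
  * Copyright (c) 2001, 2002 Networks Associates Technology, Inc.
  * All rights reserved.
  *
  * This software was developed by Robert Watson for the TrustedBSD Project.
  *
  * This software was developed for the FreeBSD Project in part by NAI Labs,
@@ -29,17 +29,17 @@
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $FreeBSD: head/sys/security/mac_mls/mac_mls.c 105643 2002-10-21 18:42:01Z rwatson $
+ * $FreeBSD: head/sys/security/mac_mls/mac_mls.c 105656 2002-10-21 20:55:39Z rwatson $
  */
 
 /*
  * Developed by the TrustedBSD Project.
  * MLS fixed label mandatory confidentiality policy.
  */
 
 #include <sys/types.h>
@@ -430,16 +430,26 @@
 
  KASSERT((labelfrom->mm_flags & MAC_MLS_FLAG_SINGLE) != 0,
  ("mac_mls_copy_single: labelfrom not single"));
 
  labelto->mm_single = labelfrom->mm_single;
  labelto->mm_flags |= MAC_MLS_FLAG_SINGLE;
 }
 
+static void
+mac_mls_copy(struct mac_mls *source, struct mac_mls *dest)
+{
+
+ if (source->mm_flags & MAC_MLS_FLAG_SINGLE)
+ mac_mls_copy_single(source, dest);
+ if (source->mm_flags & MAC_MLS_FLAG_RANGE)
+ mac_mls_copy_range(source, dest);
+}
+
 /*
  * Policy module operations.
  */
 static void
 mac_mls_destroy(struct mac_policy_conf *conf)
 {
 
 }
@@ -617,17 +627,17 @@
 mac_mls_relabel_vnode(struct ucred *cred, struct vnode *vp,
  struct label *vnodelabel, struct label *label)
 {
  struct mac_mls *source, *dest;
 
  source = SLOT(label);
  dest = SLOT(vnodelabel);
 
- mac_mls_copy_single(source, dest);
+ mac_mls_copy(source, dest);
 }
 
 static void
 mac_mls_update_devfsdirent(struct devfs_dirent *devfs_dirent,
  struct label *direntlabel, struct vnode *vp, struct label *vnodelabel)
 {
  struct mac_mls *source, *dest;
 
@@ -743,29 +753,29 @@
 mac_mls_relabel_socket(struct ucred *cred, struct socket *socket,
  struct label *socketlabel, struct label *newlabel)
 {
  struct mac_mls *source, *dest;
 
  source = SLOT(newlabel);
  dest = SLOT(socketlabel);
 
- mac_mls_copy_single(source, dest);
+ mac_mls_copy(source, dest);
 }
 
 static void
 mac_mls_relabel_pipe(struct ucred *cred, struct pipe *pipe,
  struct label *pipelabel, struct label *newlabel)
 {
  struct mac_mls *source, *dest;
 
  source = SLOT(newlabel);
  dest = SLOT(pipelabel);
 
- mac_mls_copy_single(source, dest);
+ mac_mls_copy(source, dest);
 }
 
 static void
 mac_mls_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct label *mbuflabel,
  struct socket *socket, struct label *socketpeerlabel)
 {
  struct mac_mls *source, *dest;
 
@@ -862,17 +872,25 @@
  struct label *oldmbuflabel, struct mbuf *newmbuf,
  struct label *newmbuflabel)
 {
  struct mac_mls *source, *dest;
 
  source = SLOT(oldmbuflabel);
  dest = SLOT(newmbuflabel);
 
- mac_mls_copy_single(source, dest);
+ /*
+ * Because the source mbuf may not yet have been "created",
+ * just initialized, we do a conditional copy. Since we don't
+ * allow mbufs to have ranges, do a KASSERT to make sure that
+ * doesn't happen.
+ */
+ KASSERT((source->mm_flags & MAC_MLS_FLAG_RANGE) == 0,
+ ("mac_mls_create_mbuf_from_mbuf: source mbuf has range"));
+ mac_mls_copy(source, dest);
 }
 
 static void
 mac_mls_create_mbuf_linklayer(struct ifnet *ifnet, struct label *ifnetlabel,
  struct mbuf *mbuf, struct label *mbuflabel)
 {
  struct mac_mls *dest;
 
@@ -946,18 +964,17 @@
 mac_mls_relabel_ifnet(struct ucred *cred, struct ifnet *ifnet,
  struct label *ifnetlabel, struct label *newlabel)
 {
  struct mac_mls *source, *dest;
 
  source = SLOT(newlabel);
  dest = SLOT(ifnetlabel);
 
- mac_mls_copy_single(source, dest);
- mac_mls_copy_range(source, dest);
+ mac_mls_copy(source, dest);
 }
 
 static void
 mac_mls_update_ipq(struct mbuf *fragment, struct label *fragmentlabel,
  struct ipq *ipq, struct label *ipqlabel)
 {
 
  /* NOOP: we only accept matching labels, so no need to update */
@@ -1026,18 +1043,17 @@
 static void
 mac_mls_relabel_cred(struct ucred *cred, struct label *newlabel)
 {
  struct mac_mls *source, *dest;
 
  source = SLOT(newlabel);
  dest = SLOT(&cred->cr_label);
 
- mac_mls_copy_single(source, dest);
- mac_mls_copy_range(source, dest);
+ mac_mls_copy(source, dest);
 }
 
 /*
  * Access control checks.
  */
 static int
 mac_mls_check_bpfdesc_receive(struct bpf_d *bpf_d, struct label *bpflabel,
  struct ifnet *ifnet, struct label *ifnetlabel)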