1/*- 2 * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson 3 * Copyright (c) 2001 Ilmar S. Habibulin 4 * Copyright (c) 2001, 2002 Networks Associates Technology, Inc. 5 * All rights reserved. 6 * 7 * This software was developed by Robert Watson and Ilmar Habibulin for the 8 * TrustedBSD Project. --- 22 unchanged lines hidden (view full) --- 31 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 32 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 33 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 34 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 35 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 36 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 37 * SUCH DAMAGE. 38 * |
39 * $FreeBSD: head/sys/security/mac/mac_vfs.c 104541 2002-10-05 21:23:47Z rwatson $ |
40 */ 41/* 42 * Developed by the TrustedBSD Project. 43 * 44 * Framework for extensible kernel access control. Kernel and userland 45 * interface to the framework, policy registration and composition. 46 */ 47 --- 168 unchanged lines hidden (view full) --- 216static int mac_policy_unregister(struct mac_policy_conf *mpc); 217 218static int mac_stdcreatevnode_ea(struct vnode *vp); 219static void mac_cred_mmapped_drop_perms(struct thread *td, 220 struct ucred *cred); 221static void mac_cred_mmapped_drop_perms_recurse(struct thread *td, 222 struct ucred *cred, struct vm_map *map); 223 |
224static void mac_destroy_socket_label(struct label *label); 225 |
226MALLOC_DEFINE(M_MACOPVEC, "macopvec", "MAC policy operation vector"); 227MALLOC_DEFINE(M_MACPIPELABEL, "macpipelabel", "MAC labels for pipes"); 228 229/* 230 * mac_policy_list_lock protects the consistency of 'mac_policy_list', 231 * the linked list of attached policy modules. Read-only consumers of 232 * the list must acquire a shared lock for the duration of their use; 233 * writers must acquire an exclusive lock. Note that for compound --- 919 unchanged lines hidden (view full) --- 1153 pipe->pipe_label = label; 1154 pipe->pipe_peer->pipe_label = label; 1155 MAC_PERFORM(init_pipe_label, pipe->pipe_label); 1156#ifdef MAC_DEBUG 1157 atomic_add_int(&nmacpipes, 1); 1158#endif 1159} 1160 |
1161static int 1162mac_init_socket_label(struct label *label, int flag) |
1163{ |
1164 int error; |
1165 |
1166 mac_init_label(label); 1167 1168 MAC_CHECK(init_socket_label, label, flag); 1169 if (error) { 1170 MAC_PERFORM(destroy_socket_label, label); 1171 mac_destroy_label(label); 1172 } 1173 |
1174#ifdef MAC_DEBUG |
1175 if (error == 0) 1176 atomic_add_int(&nmacsockets, 1); |
1177#endif |
1178 1179 return (error); |
1180} 1181 |
1182static int 1183mac_init_socket_peer_label(struct label *label, int flag) 1184{ 1185 int error; 1186 1187 mac_init_label(label); 1188 1189 MAC_CHECK(init_socket_peer_label, label, flag); 1190 if (error) { 1191 MAC_PERFORM(destroy_socket_label, label); 1192 mac_destroy_label(label); 1193 } 1194 1195 return (error); 1196} 1197 1198int 1199mac_init_socket(struct socket *socket, int flag) 1200{ 1201 int error; 1202 1203 error = mac_init_socket_label(&socket->so_label, flag); 1204 if (error) 1205 return (error); 1206 1207 error = mac_init_socket_peer_label(&socket->so_peerlabel, flag); 1208 if (error) 1209 mac_destroy_socket_label(&socket->so_label); 1210 1211 return (error); 1212} 1213 |
1214static void 1215mac_init_temp(struct label *label) 1216{ 1217 1218 mac_init_label(label); 1219 MAC_PERFORM(init_temp_label, label); 1220#ifdef MAC_DEBUG 1221 atomic_add_int(&nmactemp, 1); --- 97 unchanged lines hidden (view full) --- 1319 MAC_PERFORM(destroy_pipe_label, pipe->pipe_label); 1320 mac_destroy_label(pipe->pipe_label); 1321 free(pipe->pipe_label, M_MACPIPELABEL); 1322#ifdef MAC_DEBUG 1323 atomic_subtract_int(&nmacpipes, 1); 1324#endif 1325} 1326 |
1327static void 1328mac_destroy_socket_label(struct label *label) |
1329{ 1330 |
1331 MAC_PERFORM(destroy_socket_label, label); 1332 mac_destroy_label(label); |
1333#ifdef MAC_DEBUG 1334 atomic_subtract_int(&nmacsockets, 1); 1335#endif 1336} 1337 1338static void |
1339mac_destroy_socket_peer_label(struct label *label) 1340{ 1341 1342 MAC_PERFORM(destroy_socket_peer_label, label); 1343 mac_destroy_label(label); 1344} 1345 1346void 1347mac_destroy_socket(struct socket *socket) 1348{ 1349 1350 mac_destroy_socket_label(&socket->so_label); 1351 mac_destroy_socket_peer_label(&socket->so_peerlabel); 1352} 1353 1354static void |
1355mac_destroy_temp(struct label *label) 1356{ 1357 1358 MAC_PERFORM(destroy_temp_label, label); 1359 mac_destroy_label(label); 1360#ifdef MAC_DEBUG 1361 atomic_subtract_int(&nmactemp, 1); 1362#endif --- 2169 unchanged lines hidden --- |
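Review bot: mac_init_socket_peer_label (lines 1182–1196, fully visible) unwinds a failed `MAC_CHECK(init_socket_peer_label, ...)` with `MAC_PERFORM(destroy_socket_label, label);` at line 1191, so a policy whose peer-label init fails gets its socket-label destructor invoked on peer-label storage, while the normal teardown at line 1342 correctly uses `destroy_socket_peer_label`. Line 1191 should read `MAC_PERFORM(destroy_socket_peer_label, label);` so the error path mirrors mac_destroy_socket_peer_label. The rendering does not mark which side each row belongs to, so whether this line is new in this revision cannot be confirmed from the page, but it is on the side under review either way. A one-line comment on the error branch, `/* Undo only the peer label; so_label is released by the caller. */`, would also make the ownership split with mac_init_socket at lines 1207–1209 explicit.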