mac_vfs.c (104533) mac_vfs.c (104541)
1/*-
2 * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson
3 * Copyright (c) 2001 Ilmar S. Habibulin
4 * Copyright (c) 2001, 2002 Networks Associates Technology, Inc.
5 * All rights reserved.
6 *
7 * This software was developed by Robert Watson and Ilmar Habibulin for the
8 * TrustedBSD Project.

--- 22 unchanged lines hidden (view full) ---

31 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
32 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
33 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
34 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
35 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
36 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
37 * SUCH DAMAGE.
38 *
1/*-
2 * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson
3 * Copyright (c) 2001 Ilmar S. Habibulin
4 * Copyright (c) 2001, 2002 Networks Associates Technology, Inc.
5 * All rights reserved.
6 *
7 * This software was developed by Robert Watson and Ilmar Habibulin for the
8 * TrustedBSD Project.

--- 22 unchanged lines hidden (view full) ---

31 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
32 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
33 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
34 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
35 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
36 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
37 * SUCH DAMAGE.
38 *
39 * $FreeBSD: head/sys/security/mac/mac_vfs.c 104533 2002-10-05 18:40:10Z rwatson $
39 * $FreeBSD: head/sys/security/mac/mac_vfs.c 104541 2002-10-05 21:23:47Z rwatson $
40 */
41/*
42 * Developed by the TrustedBSD Project.
43 *
44 * Framework for extensible kernel access control. Kernel and userland
45 * interface to the framework, policy registration and composition.
46 */
47

--- 168 unchanged lines hidden (view full) ---

216static int mac_policy_unregister(struct mac_policy_conf *mpc);
217
218static int mac_stdcreatevnode_ea(struct vnode *vp);
219static void mac_cred_mmapped_drop_perms(struct thread *td,
220 struct ucred *cred);
221static void mac_cred_mmapped_drop_perms_recurse(struct thread *td,
222 struct ucred *cred, struct vm_map *map);
223
40 */
41/*
42 * Developed by the TrustedBSD Project.
43 *
44 * Framework for extensible kernel access control. Kernel and userland
45 * interface to the framework, policy registration and composition.
46 */
47

--- 168 unchanged lines hidden (view full) ---

216static int mac_policy_unregister(struct mac_policy_conf *mpc);
217
218static int mac_stdcreatevnode_ea(struct vnode *vp);
219static void mac_cred_mmapped_drop_perms(struct thread *td,
220 struct ucred *cred);
221static void mac_cred_mmapped_drop_perms_recurse(struct thread *td,
222 struct ucred *cred, struct vm_map *map);
223
224static void mac_destroy_socket_label(struct label *label);
225
224MALLOC_DEFINE(M_MACOPVEC, "macopvec", "MAC policy operation vector");
225MALLOC_DEFINE(M_MACPIPELABEL, "macpipelabel", "MAC labels for pipes");
226
227/*
228 * mac_policy_list_lock protects the consistency of 'mac_policy_list',
229 * the linked list of attached policy modules. Read-only consumers of
230 * the list must acquire a shared lock for the duration of their use;
231 * writers must acquire an exclusive lock. Note that for compound

--- 919 unchanged lines hidden (view full) ---

1151 pipe->pipe_label = label;
1152 pipe->pipe_peer->pipe_label = label;
1153 MAC_PERFORM(init_pipe_label, pipe->pipe_label);
1154#ifdef MAC_DEBUG
1155 atomic_add_int(&nmacpipes, 1);
1156#endif
1157}
1158
226MALLOC_DEFINE(M_MACOPVEC, "macopvec", "MAC policy operation vector");
227MALLOC_DEFINE(M_MACPIPELABEL, "macpipelabel", "MAC labels for pipes");
228
229/*
230 * mac_policy_list_lock protects the consistency of 'mac_policy_list',
231 * the linked list of attached policy modules. Read-only consumers of
232 * the list must acquire a shared lock for the duration of their use;
233 * writers must acquire an exclusive lock. Note that for compound

--- 919 unchanged lines hidden (view full) ---

1153 pipe->pipe_label = label;
1154 pipe->pipe_peer->pipe_label = label;
1155 MAC_PERFORM(init_pipe_label, pipe->pipe_label);
1156#ifdef MAC_DEBUG
1157 atomic_add_int(&nmacpipes, 1);
1158#endif
1159}
1160
1159void
1160mac_init_socket(struct socket *socket)
1161static int
1162mac_init_socket_label(struct label *label, int flag)
1161{
1163{
1164 int error;
1162
1165
1163 mac_init_label(&socket->so_label);
1164 mac_init_label(&socket->so_peerlabel);
1165 MAC_PERFORM(init_socket_label, &socket->so_label);
1166 MAC_PERFORM(init_socket_peer_label, &socket->so_peerlabel);
1166 mac_init_label(label);
1167
1168 MAC_CHECK(init_socket_label, label, flag);
1169 if (error) {
1170 MAC_PERFORM(destroy_socket_label, label);
1171 mac_destroy_label(label);
1172 }
1173
1167#ifdef MAC_DEBUG
1174#ifdef MAC_DEBUG
1168 atomic_add_int(&nmacsockets, 1);
1175 if (error == 0)
1176 atomic_add_int(&nmacsockets, 1);
1169#endif
1177#endif
1178
1179 return (error);
1170}
1171
1180}
1181
1182static int
1183mac_init_socket_peer_label(struct label *label, int flag)
1184{
1185 int error;
1186
1187 mac_init_label(label);
1188
1189 MAC_CHECK(init_socket_peer_label, label, flag);
1190 if (error) {
1191 MAC_PERFORM(destroy_socket_label, label);
1192 mac_destroy_label(label);
1193 }
1194
1195 return (error);
1196}
1197
1198int
1199mac_init_socket(struct socket *socket, int flag)
1200{
1201 int error;
1202
1203 error = mac_init_socket_label(&socket->so_label, flag);
1204 if (error)
1205 return (error);
1206
1207 error = mac_init_socket_peer_label(&socket->so_peerlabel, flag);
1208 if (error)
1209 mac_destroy_socket_label(&socket->so_label);
1210
1211 return (error);
1212}
1213
1172static void
1173mac_init_temp(struct label *label)
1174{
1175
1176 mac_init_label(label);
1177 MAC_PERFORM(init_temp_label, label);
1178#ifdef MAC_DEBUG
1179 atomic_add_int(&nmactemp, 1);

--- 97 unchanged lines hidden (view full) ---

1277 MAC_PERFORM(destroy_pipe_label, pipe->pipe_label);
1278 mac_destroy_label(pipe->pipe_label);
1279 free(pipe->pipe_label, M_MACPIPELABEL);
1280#ifdef MAC_DEBUG
1281 atomic_subtract_int(&nmacpipes, 1);
1282#endif
1283}
1284
1214static void
1215mac_init_temp(struct label *label)
1216{
1217
1218 mac_init_label(label);
1219 MAC_PERFORM(init_temp_label, label);
1220#ifdef MAC_DEBUG
1221 atomic_add_int(&nmactemp, 1);

--- 97 unchanged lines hidden (view full) ---

1319 MAC_PERFORM(destroy_pipe_label, pipe->pipe_label);
1320 mac_destroy_label(pipe->pipe_label);
1321 free(pipe->pipe_label, M_MACPIPELABEL);
1322#ifdef MAC_DEBUG
1323 atomic_subtract_int(&nmacpipes, 1);
1324#endif
1325}
1326
1285void
1286mac_destroy_socket(struct socket *socket)
1327static void
1328mac_destroy_socket_label(struct label *label)
1287{
1288
1329{
1330
1289 MAC_PERFORM(destroy_socket_label, &socket->so_label);
1290 MAC_PERFORM(destroy_socket_peer_label, &socket->so_peerlabel);
1291 mac_destroy_label(&socket->so_label);
1292 mac_destroy_label(&socket->so_peerlabel);
1331 MAC_PERFORM(destroy_socket_label, label);
1332 mac_destroy_label(label);
1293#ifdef MAC_DEBUG
1294 atomic_subtract_int(&nmacsockets, 1);
1295#endif
1296}
1297
1298static void
1333#ifdef MAC_DEBUG
1334 atomic_subtract_int(&nmacsockets, 1);
1335#endif
1336}
1337
1338static void
1339mac_destroy_socket_peer_label(struct label *label)
1340{
1341
1342 MAC_PERFORM(destroy_socket_peer_label, label);
1343 mac_destroy_label(label);
1344}
1345
1346void
1347mac_destroy_socket(struct socket *socket)
1348{
1349
1350 mac_destroy_socket_label(&socket->so_label);
1351 mac_destroy_socket_peer_label(&socket->so_peerlabel);
1352}
1353
1354static void
1299mac_destroy_temp(struct label *label)
1300{
1301
1302 MAC_PERFORM(destroy_temp_label, label);
1303 mac_destroy_label(label);
1304#ifdef MAC_DEBUG
1305 atomic_subtract_int(&nmactemp, 1);
1306#endif

--- 2169 unchanged lines hidden ---
1355mac_destroy_temp(struct label *label)
1356{
1357
1358 MAC_PERFORM(destroy_temp_label, label);
1359 mac_destroy_label(label);
1360#ifdef MAC_DEBUG
1361 atomic_subtract_int(&nmactemp, 1);
1362#endif

--- 2169 unchanged lines hidden ---
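Review bot: In the new mac_init_socket_peer_label, the error path tears the label down with `MAC_PERFORM(destroy_socket_label, label);` even though it was initialized through init_socket_peer_label, so a policy that keeps distinct state for socket and peer labels gets the wrong destructor run on a half-initialized peer label (leak or mismatched free, depending on the policy). The sibling mac_destroy_socket_peer_label introduced in the same commit already uses destroy_socket_peer_label, so the error path should mirror it: `MAC_PERFORM(destroy_socket_peer_label, label);`. It would also help to state the composition contract in a comment above both init helpers, e.g. `/* On failure every policy's destroy entry point is run, including policies whose init was never reached; destroy_*_label must therefore tolerate a label that only went through mac_init_label(). */`, since MAC_CHECK's partial-failure behaviour is what makes the unconditional MAC_PERFORM on error correct. The final hunk (mac_destroy_temp) continues past the visible lines.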