1/*- 2 * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson 3 * Copyright (c) 2001, 2002 Networks Associates Technology, Inc. 4 * All rights reserved. 5 * 6 * This software was developed by Robert Watson for the TrustedBSD Project. 7 * 8 * This software was developed for the FreeBSD Project in part by NAI Labs, --- 20 unchanged lines hidden (view full) --- 29 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 30 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 31 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 32 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 33 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 34 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 35 * SUCH DAMAGE. 36 * |
37 * $FreeBSD: head/sys/security/mac_biba/mac_biba.c 105656 2002-10-21 20:55:39Z rwatson $ |
38 */ 39 40/* 41 * Developed by the TrustedBSD Project. 42 * Biba fixed label mandatory integrity policy. 43 */ 44 45#include <sys/types.h> --- 396 unchanged lines hidden (view full) --- 442 443 KASSERT((labelfrom->mb_flags & MAC_BIBA_FLAG_SINGLE) != 0, 444 ("mac_biba_copy_single: labelfrom not single")); 445 446 labelto->mb_single = labelfrom->mb_single; 447 labelto->mb_flags |= MAC_BIBA_FLAG_SINGLE; 448} 449 |
450static void 451mac_biba_copy(struct mac_biba *source, struct mac_biba *dest) 452{ 453 454 if (source->mb_flags & MAC_BIBA_FLAG_SINGLE) 455 mac_biba_copy_single(source, dest); 456 if (source->mb_flags & MAC_BIBA_FLAG_RANGE) 457 mac_biba_copy_range(source, dest); 458} 459 |
460/* 461 * Policy module operations. 462 */ 463static void 464mac_biba_destroy(struct mac_policy_conf *conf) 465{ 466 467} --- 168 unchanged lines hidden (view full) --- 636mac_biba_relabel_vnode(struct ucred *cred, struct vnode *vp, 637 struct label *vnodelabel, struct label *label) 638{ 639 struct mac_biba *source, *dest; 640 641 source = SLOT(label); 642 dest = SLOT(vnodelabel); 643 |
644 mac_biba_copy(source, dest); |
645} 646 647static void 648mac_biba_update_devfsdirent(struct devfs_dirent *devfs_dirent, 649 struct label *direntlabel, struct vnode *vp, struct label *vnodelabel) 650{ 651 struct mac_biba *source, *dest; 652 653 source = SLOT(vnodelabel); 654 dest = SLOT(direntlabel); 655 |
656 mac_biba_copy(source, dest); |
657} 658 659static void 660mac_biba_update_procfsvnode(struct vnode *vp, struct label *vnodelabel, 661 struct ucred *cred) 662{ 663 struct mac_biba *source, *dest; 664 --- 97 unchanged lines hidden (view full) --- 762mac_biba_relabel_socket(struct ucred *cred, struct socket *socket, 763 struct label *socketlabel, struct label *newlabel) 764{ 765 struct mac_biba *source, *dest; 766 767 source = SLOT(newlabel); 768 dest = SLOT(socketlabel); 769 |
770 mac_biba_copy(source, dest); |
771} 772 773static void 774mac_biba_relabel_pipe(struct ucred *cred, struct pipe *pipe, 775 struct label *pipelabel, struct label *newlabel) 776{ 777 struct mac_biba *source, *dest; 778 779 source = SLOT(newlabel); 780 dest = SLOT(pipelabel); 781 |
782 mac_biba_copy(source, dest); |
783} 784 785static void 786mac_biba_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct label *mbuflabel, 787 struct socket *socket, struct label *socketpeerlabel) 788{ 789 struct mac_biba *source, *dest; 790 --- 126 unchanged lines hidden (view full) --- 917 struct label *oldmbuflabel, struct mbuf *newmbuf, 918 struct label *newmbuflabel) 919{ 920 struct mac_biba *source, *dest; 921 922 source = SLOT(oldmbuflabel); 923 dest = SLOT(newmbuflabel); 924 |
925 /* 926 * Because the source mbuf may not yet have been "created", 927 * just initialiezd, we do a conditional copy. Since we don't 928 * allow mbufs to have ranges, do a KASSERT to make sure that 929 * doesn't happen. 930 */ 931 KASSERT((source->mb_flags & MAC_BIBA_FLAG_RANGE) == 0, 932 ("mac_biba_create_mbuf_from_mbuf: source mbuf has range")); 933 mac_biba_copy(source, dest); |
934} 935 936static void 937mac_biba_create_mbuf_linklayer(struct ifnet *ifnet, struct label *ifnetlabel, 938 struct mbuf *mbuf, struct label *mbuflabel) 939{ 940 struct mac_biba *dest; 941 --- 67 unchanged lines hidden (view full) --- 1009mac_biba_relabel_ifnet(struct ucred *cred, struct ifnet *ifnet, 1010 struct label *ifnetlabel, struct label *newlabel) 1011{ 1012 struct mac_biba *source, *dest; 1013 1014 source = SLOT(newlabel); 1015 dest = SLOT(ifnetlabel); 1016 |
1017 mac_biba_copy(source, dest); |
1018} 1019 1020static void 1021mac_biba_update_ipq(struct mbuf *fragment, struct label *fragmentlabel, 1022 struct ipq *ipq, struct label *ipqlabel) 1023{ 1024 1025 /* NOOP: we only accept matching labels, so no need to update */ --- 62 unchanged lines hidden (view full) --- 1088static void 1089mac_biba_relabel_cred(struct ucred *cred, struct label *newlabel) 1090{ 1091 struct mac_biba *source, *dest; 1092 1093 source = SLOT(newlabel); 1094 dest = SLOT(&cred->cr_label); 1095 |
1096 mac_biba_copy(source, dest); |
1097} 1098 1099/* 1100 * Access control checks. 1101 */ 1102static int 1103mac_biba_check_bpfdesc_receive(struct bpf_d *bpf_d, struct label *bpflabel, 1104 struct ifnet *ifnet, struct label *ifnetlabel) --- 1266 unchanged lines hidden --- |
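Review bot: `mac_biba_copy()` (file lines 450-458) has no comment saying that it merges into the destination label rather than replacing it. It copies only the elements flagged in `source`, and the visible tail of `mac_biba_copy_single()` only ORs `MAC_BIBA_FLAG_SINGLE` into the destination flags, so an element absent from `source` keeps its old value in `dest` and a source with neither flag changes nothing. For the relabel callers (`mac_biba_relabel_vnode`, `_socket`, `_pipe`, `_ifnet`, `_cred`) a partial new label therefore leaves the old single or range in force, and the resulting integrity label is only consistent if the relabel checks, which are not visible here, validate the merged result. I would add a header comment such as `/* Copy only the elements set in source; elements source lacks are left untouched in dest. */`. In `mac_biba_create_mbuf_from_mbuf` the KASSERT is the only guard against a range reaching an mbuf label, and KASSERT is compiled out of kernels built without INVARIANTS, so the comment there should say that a range would be copied on such kernels; "initialiezd" in that comment is a typo for "initialized".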