From owner-svn-src-stable-7@FreeBSD.ORG Fri Oct 31 11:27:55 2008
Return-Path:
Delivered-To: svn-src-stable-7@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 4FBF41065674; Fri, 31 Oct 2008 11:27:55 +0000 (UTC) (envelope-from bz@FreeBSD.org)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id 3A5228FC20; Fri, 31 Oct 2008 11:27:55 +0000 (UTC) (envelope-from bz@FreeBSD.org)
Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id m9VBRtI4079399; Fri, 31 Oct 2008 11:27:55 GMT (envelope-from bz@svn.freebsd.org)
Received: (from bz@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id m9VBRscj079392; Fri, 31 Oct 2008 11:27:54 GMT (envelope-from bz@svn.freebsd.org)
Message-Id: <200810311127.m9VBRscj079392@svn.freebsd.org>
From: "Bjoern A. Zeeb"
Date: Fri, 31 Oct 2008 11:27:54 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-7@freebsd.org
X-SVN-Group: stable-7
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Cc:
Subject: svn commit: r184502 - in stable/7/sys: . security/mac_biba security/mac_lomac security/mac_mls security/mac_partition security/mac_seeotheruids security/mac_stub security/mac_test
X-BeenThere: svn-src-stable-7@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: SVN commit messages for only the 7-stable src tree
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 31 Oct 2008 11:27:55 -0000
Author: bz
Date: Fri Oct 31 11:27:54 2008
New Revision: 184502
URL: http://svn.freebsd.org/changeset/base/184502
Log:
MFC: r183980
Add a mac_check_inpcb_visible implementation to all MAC policies that handle mac_check_socket_visible.
Approved by: re (rwatson)
Modified:
stable/7/sys/ (props changed)
stable/7/sys/security/mac_biba/mac_biba.c
stable/7/sys/security/mac_lomac/mac_lomac.c
stable/7/sys/security/mac_mls/mac_mls.c
stable/7/sys/security/mac_partition/mac_partition.c
stable/7/sys/security/mac_seeotheruids/mac_seeotheruids.c
stable/7/sys/security/mac_stub/mac_stub.c
stable/7/sys/security/mac_test/mac_test.c
Modified: stable/7/sys/security/mac_biba/mac_biba.c
==============================================================================
--- stable/7/sys/security/mac_biba/mac_biba.c Fri Oct 31 10:38:30 2008 (r184501)
+++ stable/7/sys/security/mac_biba/mac_biba.c Fri Oct 31 11:27:54 2008 (r184502)
@@ -1599,6 +1599,24 @@ biba_check_inpcb_deliver(struct inpcb *i
 }
 
 static int
+biba_check_inpcb_visible(struct ucred *cred, struct inpcb *inp,
+ struct label *inplabel)
+{
+ struct mac_biba *subj, *obj;
+
+ if (!biba_enabled)
+ return (0);
+
+ subj = SLOT(cred->cr_label);
+ obj = SLOT(inplabel);
+
+ if (!biba_dominate_effective(obj, subj))
+ return (ENOENT);
+
+ return (0);
+}
+
+static int
 biba_check_sysv_msgrcv(struct ucred *cred, struct msg *msgptr,
 struct label *msglabel)
 {
@@ -3333,6 +3351,7 @@ static struct mac_policy_ops mac_biba_op
 .mpo_check_ifnet_relabel = biba_check_ifnet_relabel,
 .mpo_check_ifnet_transmit = biba_check_ifnet_transmit,
 .mpo_check_inpcb_deliver = biba_check_inpcb_deliver,
+ .mpo_check_inpcb_visible = biba_check_inpcb_visible,
 .mpo_check_sysv_msgrcv = biba_check_sysv_msgrcv,
 .mpo_check_sysv_msgrmid = biba_check_sysv_msgrmid,
 .mpo_check_sysv_msqget = biba_check_sysv_msqget,
Modified: stable/7/sys/security/mac_lomac/mac_lomac.c
==============================================================================
--- stable/7/sys/security/mac_lomac/mac_lomac.c Fri Oct 31 10:38:30 2008 (r184501)
+++ stable/7/sys/security/mac_lomac/mac_lomac.c Fri Oct 31 11:27:54 2008 (r184502)
@@ -1742,6 +1742,24 @@ lomac_check_inpcb_deliver(struct inpcb *
 }
 
 static int
+lomac_check_inpcb_visible(struct ucred *cred, struct inpcb *inp,
+ struct label *inplabel)
+{
+ struct mac_lomac *subj, *obj;
+
+ if (!lomac_enabled)
+ return (0);
+
+ subj = SLOT(cred->cr_label);
+ obj = SLOT(inplabel);
+
+ if (!lomac_dominate_single(obj, subj))
+ return (ENOENT);
+
+ return (0);
+}
+
+static int
 lomac_check_kld_load(struct ucred *cred, struct vnode *vp,
 struct label *vplabel)
 {
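Review bot: The argument order in `if (!biba_dominate_effective(obj, subj))` inside biba_check_inpcb_visible is undocumented, and it is the reverse of the order the MLS hook added by this same commit uses, so a reader is likely to suspect a transposition. A one-line comment above the test would settle it: `/* Biba: only objects whose integrity label dominates the subject's are observable; hide the rest with ENOENT. */`. The lomac_check_inpcb_visible hunk further down this line has the same gap at `lomac_dominate_single(obj, subj)`. In both functions `inp` is accepted but unused and the decision is made from `inplabel` alone, which is fine for a hook slot but worth a word so nobody "fixes" it to read the pcb's credential.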
@@ -2893,6 +2911,7 @@ static struct mac_policy_ops lomac_ops =
 .mpo_check_ifnet_relabel = lomac_check_ifnet_relabel,
 .mpo_check_ifnet_transmit = lomac_check_ifnet_transmit,
 .mpo_check_inpcb_deliver = lomac_check_inpcb_deliver,
+ .mpo_check_inpcb_visible = lomac_check_inpcb_visible,
 .mpo_check_kld_load = lomac_check_kld_load,
 .mpo_check_pipe_ioctl = lomac_check_pipe_ioctl,
 .mpo_check_pipe_read = lomac_check_pipe_read,
Modified: stable/7/sys/security/mac_mls/mac_mls.c
==============================================================================
--- stable/7/sys/security/mac_mls/mac_mls.c Fri Oct 31 10:38:30 2008 (r184501)
+++ stable/7/sys/security/mac_mls/mac_mls.c Fri Oct 31 11:27:54 2008 (r184502)
@@ -1540,6 +1540,24 @@ mls_check_inpcb_deliver(struct inpcb *in
 }
 
 static int
+mls_check_inpcb_visible(struct ucred *cred, struct inpcb *inp,
+ struct label *inplabel)
+{
+ struct mac_mls *subj, *obj;
+
+ if (!mls_enabled)
+ return (0);
+
+ subj = SLOT(cred->cr_label);
+ obj = SLOT(inplabel);
+
+ if (!mls_dominate_effective(subj, obj))
+ return (ENOENT);
+
+ return (0);
+}
+
+static int
 mls_check_sysv_msgrcv(struct ucred *cred, struct msg *msgptr,
 struct label *msglabel)
 {
@@ -2957,6 +2975,7 @@ static struct mac_policy_ops mls_ops =
 .mpo_check_ifnet_relabel = mls_check_ifnet_relabel,
 .mpo_check_ifnet_transmit = mls_check_ifnet_transmit,
 .mpo_check_inpcb_deliver = mls_check_inpcb_deliver,
+ .mpo_check_inpcb_visible = mls_check_inpcb_visible,
 .mpo_check_sysv_msgrcv = mls_check_sysv_msgrcv,
 .mpo_check_sysv_msgrmid = mls_check_sysv_msgrmid,
 .mpo_check_sysv_msqget = mls_check_sysv_msqget,
Modified: stable/7/sys/security/mac_partition/mac_partition.c
==============================================================================
--- stable/7/sys/security/mac_partition/mac_partition.c Fri Oct 31 10:38:30 2008 (r184501)
+++ stable/7/sys/security/mac_partition/mac_partition.c Fri Oct 31 11:27:54 2008 (r184502)
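Review bot: mls_check_inpcb_visible passes the subject first, `mls_dominate_effective(subj, obj)`, while the Biba hook in this commit passes the object first, and neither function says why; a comment above the check such as `/* MLS: the subject's label must dominate the object's for the object to be observable (no read up). */` would make the asymmetry read as intentional rather than accidental. Returning ENOENT from a hook that only answers a visibility question matches the other visibility hooks in this commit, but it relies on the consumer treating that error as "hide this entry" rather than failing the whole query; presumably the pcblist path does so, but the hunk does not show it, so it is worth confirming. The enclosing functions are complete within the hunk.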
@@ -46,10 +46,15 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
+#include
+#include
+#include
+
 #include
 #include
@@ -186,6 +191,17 @@ partition_check_cred_visible(struct ucre
 }
 
 static int
+partition_check_inpcb_visible(struct ucred *cred, struct inpcb *inp,
+ struct label *inplabel)
+{
+ int error;
+
+ error = label_on_label(cred->cr_label, inp->inp_cred->cr_label);
+
+ return (error ? ENOENT : 0);
+}
+
+static int
 partition_check_proc_debug(struct ucred *cred, struct proc *p)
 {
 int error;
@@ -258,6 +274,7 @@ static struct mac_policy_ops partition_o
 .mpo_relabel_cred = partition_relabel_cred,
 .mpo_check_cred_relabel = partition_check_cred_relabel,
 .mpo_check_cred_visible = partition_check_cred_visible,
+ .mpo_check_inpcb_visible = partition_check_inpcb_visible,
 .mpo_check_proc_debug = partition_check_proc_debug,
 .mpo_check_proc_sched = partition_check_proc_sched,
 .mpo_check_proc_signal = partition_check_proc_signal,
Modified: stable/7/sys/security/mac_seeotheruids/mac_seeotheruids.c
==============================================================================
--- stable/7/sys/security/mac_seeotheruids/mac_seeotheruids.c Fri Oct 31 10:38:30 2008 (r184501)
+++ stable/7/sys/security/mac_seeotheruids/mac_seeotheruids.c Fri Oct 31 11:27:54 2008 (r184502)
@@ -47,9 +47,14 @@
 #include
 #include
 #include
+#include
 #include
 #include
+#include
+#include
+#include
+
 #include
 SYSCTL_DECL(_security_mac);
@@ -129,6 +134,14 @@ seeotheruids_check_cred_visible(struct u
 }
 
 static int
+seeotheruids_check_inpcb_visible(struct ucred *cred, struct inpcb *inp,
+ struct label *inplabel)
+{
+
+ return (seeotheruids_check(cred, inp->inp_cred));
+}
+
+static int
 seeotheruids_check_proc_signal(struct ucred *cred, struct proc *p,
 int signum)
 {
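Review bot: partition_check_inpcb_visible dereferences `inp->inp_cred->cr_label` with no guard and no comment on why `inp_cred` cannot be NULL at this hook, and seeotheruids_check_inpcb_visible on this same line does the same through `seeotheruids_check(cred, inp->inp_cred)`. If every inpcb handed to this hook carries a credential for its entire lifetime, state that once above the call, e.g. `/* inp_cred is expected to stay valid for the life of the inpcb; confirm at the allocation site. */`; if it is not guaranteed, a NULL `inp_cred` would turn a pcb listing into a kernel fault. These two policies also ignore `inplabel` and decide on credentials alone, which is consistent with partition_check_cred_visible but differs from the label-based policies elsewhere in this commit, so a short note would help. Both functions are complete within their hunks; the header names in the two include hunks were lost in extraction and cannot be reviewed here.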
@@ -161,6 +174,7 @@ seeotheruids_check_socket_visible(struct
 
 static struct mac_policy_ops seeotheruids_ops = {
 .mpo_check_cred_visible = seeotheruids_check_cred_visible,
+ .mpo_check_inpcb_visible = seeotheruids_check_inpcb_visible,
 .mpo_check_proc_debug = seeotheruids_check_proc_debug,
 .mpo_check_proc_sched = seeotheruids_check_proc_sched,
 .mpo_check_proc_signal = seeotheruids_check_proc_signal,
Modified: stable/7/sys/security/mac_stub/mac_stub.c
==============================================================================
--- stable/7/sys/security/mac_stub/mac_stub.c Fri Oct 31 10:38:30 2008 (r184501)
+++ stable/7/sys/security/mac_stub/mac_stub.c Fri Oct 31 11:27:54 2008 (r184502)
@@ -614,6 +614,14 @@ stub_check_inpcb_deliver(struct inpcb *i
 }
 
 static int
+stub_check_inpcb_visible(struct ucred *cred, struct inpcb *inp,
+ struct label *inplabel)
+{
+
+ return (0);
+}
+
+static int
 stub_check_sysv_msgmsq(struct ucred *cred, struct msg *msgptr,
 struct label *msglabel, struct msqid_kernel *msqkptr,
 struct label *msqklabel)
@@ -1550,6 +1558,7 @@ static struct mac_policy_ops stub_ops =
 .mpo_check_ifnet_relabel = stub_check_ifnet_relabel,
 .mpo_check_ifnet_transmit = stub_check_ifnet_transmit,
 .mpo_check_inpcb_deliver = stub_check_inpcb_deliver,
+ .mpo_check_inpcb_visible = stub_check_inpcb_visible,
 .mpo_check_sysv_msgmsq = stub_check_sysv_msgmsq,
 .mpo_check_sysv_msgrcv = stub_check_sysv_msgrcv,
 .mpo_check_sysv_msgrmid = stub_check_sysv_msgrmid,
Modified: stable/7/sys/security/mac_test/mac_test.c
==============================================================================
--- stable/7/sys/security/mac_test/mac_test.c Fri Oct 31 10:38:30 2008 (r184501)
+++ stable/7/sys/security/mac_test/mac_test.c Fri Oct 31 11:27:54 2008 (r184502)
@@ -1258,6 +1258,19 @@ test_check_inpcb_deliver(struct inpcb *i
 return (0);
 }
 
+COUNTER_DECL(check_inpcb_visible);
+static int
+test_check_inpcb_visible(struct ucred *cred, struct inpcb *inp,
+ struct label *inplabel)
+{
+
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ LABEL_CHECK(inplabel, MAGIC_INPCB);
+ COUNTER_INC(check_inpcb_visible);
+
+ return (0);
+}
+
 COUNTER_DECL(check_sysv_msgmsq);
 static int
 test_check_sysv_msgmsq(struct ucred *cred, struct msg *msgptr,
@@ -2577,6 +2590,7 @@ static struct mac_policy_ops test_ops =
 .mpo_check_ifnet_relabel = test_check_ifnet_relabel,
 .mpo_check_ifnet_transmit = test_check_ifnet_transmit,
 .mpo_check_inpcb_deliver = test_check_inpcb_deliver,
+ .mpo_check_inpcb_visible = test_check_inpcb_visible,
 .mpo_check_sysv_msgmsq = test_check_sysv_msgmsq,
 .mpo_check_sysv_msgrcv = test_check_sysv_msgrcv,
 .mpo_check_sysv_msgrmid = test_check_sysv_msgrmid,
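Review bot: test_check_inpcb_visible validates `cred->cr_label` and `inplabel` but never touches `inp`, so the test policy would not notice an inpcb reaching this hook without a credential, which is precisely what the partition and seeotheruids implementations in this commit depend on. If the test policy's other hooks validate embedded credentials the same way, a third check `LABEL_CHECK(inp->inp_cred->cr_label, MAGIC_CRED);` between the two existing LABEL_CHECK lines would give that invariant coverage in test builds; if they do not, a comment stating that `inp` is deliberately left unchecked would at least record the choice. The enclosing function is complete within the hunk.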