From owner-p4-projects Sat Jul 27 21:47:56 2002 Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 25EC937B401; Sat, 27 Jul 2002 21:46:57 -0700 (PDT) Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A360637B400 for ; Sat, 27 Jul 2002 21:46:56 -0700 (PDT) Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id EED4743E31 for ; Sat, 27 Jul 2002 21:46:55 -0700 (PDT) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: from freefall.freebsd.org (perforce@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.4/8.12.4) with ESMTP id g6S4ktJU021045 for ; Sat, 27 Jul 2002 21:46:55 -0700 (PDT) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: (from perforce@localhost) by freefall.freebsd.org (8.12.4/8.12.4/Submit) id g6S4ktvS021042 for perforce@freebsd.org; Sat, 27 Jul 2002 21:46:55 -0700 (PDT) Date: Sat, 27 Jul 2002 21:46:55 -0700 (PDT) Message-Id: <200207280446.g6S4ktvS021042@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: perforce set sender to bb+lists.freebsd.perforce@cyrus.watson.org using -f 
From: Robert Watson Subject: PERFORCE change 15040 for review To: Perforce Change Reviews Sender: owner-p4-projects@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG http://people.freebsd.org/~peter/p4db/chv.cgi?CH=15040 Change 15040 by rwatson@rwatson_paprika on 2002/07/27 21:46:36 More name consistency for entry points: s/mac_ifnet_check_send_mbuf/mac_check_ifnet_transmit/ s/mac_socket_check_receive_mbuf/mac_check_socket_receive/ Affected files ... .. //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#198 edit .. //depot/projects/trustedbsd/mac/sys/net/if_atmsubr.c#6 edit .. //depot/projects/trustedbsd/mac/sys/net/if_ethersubr.c#15 edit .. //depot/projects/trustedbsd/mac/sys/net/if_fddisubr.c#8 edit .. //depot/projects/trustedbsd/mac/sys/net/if_gif.c#13 edit .. //depot/projects/trustedbsd/mac/sys/net/if_iso88025subr.c#8 edit .. //depot/projects/trustedbsd/mac/sys/net/if_spppsubr.c#11 edit .. //depot/projects/trustedbsd/mac/sys/net/if_stf.c#16 edit .. //depot/projects/trustedbsd/mac/sys/net/if_tun.c#10 edit .. //depot/projects/trustedbsd/mac/sys/netatalk/ddp_input.c#6 edit .. //depot/projects/trustedbsd/mac/sys/netinet/raw_ip.c#13 edit .. //depot/projects/trustedbsd/mac/sys/netinet/tcp_input.c#17 edit .. //depot/projects/trustedbsd/mac/sys/netinet/udp_usrreq.c#13 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#75 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_ifoff/mac_ifoff.c#11 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#64 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_none/mac_none.c#50 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.c#55 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#20 edit .. //depot/projects/trustedbsd/mac/sys/sys/mac.h#126 edit .. //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#91 edit Differences ... 
==== //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#198 (text+ko) ====
@@ -666,6 +666,14 @@
 mpc->mpc_ops->mpo_check_connect_socket =
 mpe->mpe_function;
 break;
+ case MAC_CHECK_IFNET_TRANSMIT:
+ mpc->mpc_ops->mpo_check_ifnet_transmit =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_SOCKET_RECEIVE:
+ mpc->mpc_ops->mpo_check_socket_receive =
+ mpe->mpe_function;
+ break;
 case MAC_CHECK_SOCKET_VISIBLE:
 mpc->mpc_ops->mpo_check_socket_visible =
 mpe->mpe_function;
@@ -817,14 +825,6 @@
 mpc->mpc_ops->mpo_check_pipe_op =
 mpe->mpe_function;
 break;
- case MAC_IFNET_CHECK_SEND_MBUF:
- mpc->mpc_ops->mpo_ifnet_check_send_mbuf =
- mpe->mpe_function;
- break;
- case MAC_SOCKET_CHECK_RECEIVE_MBUF:
- mpc->mpc_ops->mpo_socket_check_receive_mbuf =
- mpe->mpe_function;
- break;
 case MAC_INIT_BPFDESC:
 mpc->mpc_ops->mpo_init_bpfdesc =
 mpe->mpe_function;
@@ -2459,25 +2459,6 @@
 }
 
 int
-mac_ifnet_can_send(struct ifnet *ifnet, struct mbuf *mbuf)
-{
- int error;
-
- if (!mac_enforce_network)
- return (0);
-
- KASSERT(mbuf->m_flags & M_PKTHDR, ("packet has no pkthdr"));
- if (!(mbuf->m_pkthdr.label.l_flags & MAC_FLAG_INITIALIZED))
- printf("%s%d: not initialized\n", ifnet->if_name,
- ifnet->if_unit);
-
- MAC_CHECK(ifnet_check_send_mbuf, ifnet, &ifnet->if_label, mbuf,
- &mbuf->m_pkthdr.label);
-
- return (error);
-}
-
-int
 mac_check_bind_socket(struct ucred *ucred, struct socket *socket,
 struct sockaddr *sockaddr)
 {
@@ -2520,6 +2501,25 @@
 }
 
 int
+mac_check_ifnet_transmit(struct ifnet *ifnet, struct mbuf *mbuf)
+{
+ int error;
+
+ if (!mac_enforce_network)
+ return (0);
+
+ KASSERT(mbuf->m_flags & M_PKTHDR, ("packet has no pkthdr"));
+ if (!(mbuf->m_pkthdr.label.l_flags & MAC_FLAG_INITIALIZED))
+ printf("%s%d: not initialized\n", ifnet->if_name,
+ ifnet->if_unit);
+
+ MAC_CHECK(check_ifnet_transmit, ifnet, &ifnet->if_label, mbuf,
+ &mbuf->m_pkthdr.label);
+
+ return (error);
+}
+
+int
 mac_check_connect_socket(struct ucred *cred, struct socket *socket,
 struct sockaddr *sockaddr)
 {
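Review bot: In mac_check_ifnet_transmit (hunk @@ -2520), an mbuf whose packet-header label lacks MAC_FLAG_INITIALIZED is only reported with printf() and that uninitialized label is then still handed to every policy through MAC_CHECK, so a label that was never set is evaluated as if it were valid. Because this runs on every transmitted packet, an interface that keeps producing such mbufs would also make the printf() fire per packet with no rate limiting. If the warning is meant as a temporary debugging aid, a comment such as `/* XXX: an uninitialized mbuf label is reported but not rejected; the policies still see it. */` would make the intended behaviour explicit; if it is not, the function should fail closed rather than continue. The body is moved unchanged from mac_ifnet_can_send, so the same observation applies to the copy removed in hunk @@ -2459.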
@@ -2535,14 +2535,14 @@
 }
 
 int
-mac_socket_can_receive(struct socket *socket, struct mbuf *mbuf)
+mac_check_socket_receive(struct socket *socket, struct mbuf *mbuf)
 {
 int error;
 
 if (!mac_enforce_socket)
 return (0);
 
- MAC_CHECK(socket_check_receive_mbuf, socket, &socket->so_label, mbuf,
+ MAC_CHECK(check_socket_receive, socket, &socket->so_label, mbuf,
 &mbuf->m_pkthdr.label);
 
 return (error);
==== //depot/projects/trustedbsd/mac/sys/net/if_atmsubr.c#6 (text+ko) ====
@@ -106,7 +106,7 @@
 u_int32_t atm_flags;
 
 #ifdef MAC
- error = mac_ifnet_can_send(ifp, m);
+ error = mac_check_ifnet_transmit(ifp, m);
 if (error)
 senderr(error);
 #endif
==== //depot/projects/trustedbsd/mac/sys/net/if_ethersubr.c#15 (text+ko) ====
@@ -157,7 +157,7 @@
 struct arpcom *ac = IFP2AC(ifp);
 
 #ifdef MAC
- error = mac_ifnet_can_send(ifp, m);
+ error = mac_check_ifnet_transmit(ifp, m);
 if (error)
 senderr(error);
 #endif
==== //depot/projects/trustedbsd/mac/sys/net/if_fddisubr.c#8 (text+ko) ====
@@ -127,7 +127,7 @@
 struct arpcom *ac = IFP2AC(ifp);
 
 #ifdef MAC
- error = mac_ifnet_can_send(ifp, m);
+ error = mac_check_ifnet_transmit(ifp, m);
 if (error)
 senderr(error);
 #endif
==== //depot/projects/trustedbsd/mac/sys/net/if_gif.c#13 (text+ko) ====
@@ -342,7 +342,7 @@
 static int called = 0; /* XXX: MUTEX */
 
 #ifdef MAC
- error = mac_ifnet_can_send(ifp, m);
+ error = mac_check_ifnet_transmit(ifp, m);
 if (error)
 senderr(error);
 #endif
==== //depot/projects/trustedbsd/mac/sys/net/if_iso88025subr.c#8 (text+ko) ====
@@ -224,7 +224,7 @@
 struct arpcom *ac = (struct arpcom *)ifp;
 
 #ifdef MAC
- error = mac_ifnet_can_send(ifp, m);
+ error = mac_check_ifnet_transmit(ifp, m);
 if (error)
 senderr(error);
 #endif
==== //depot/projects/trustedbsd/mac/sys/net/if_spppsubr.c#11 (text+ko) ====
@@ -790,7 +790,7 @@
 s = splimp();
 
 #ifdef MAC
- error = mac_ifnet_can_send(ifp, m);
+ error = mac_check_ifnet_transmit(ifp, m);
 if (error) {
 m_freem (m);
 splx (s);
==== //depot/projects/trustedbsd/mac/sys/net/if_stf.c#16 (text+ko) ====
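Review bot: mac_check_socket_receive dereferences `&mbuf->m_pkthdr.label` without first asserting that the mbuf carries a packet header, whereas the sibling mac_check_ifnet_transmit in the same file guards the identical access with a KASSERT; the ifoff policy's mac_ifoff_check_socket_receive even tests `m->m_flags & M_PKTHDR` before looking at the label, which suggests non-header mbufs may reach this path. Adding `KASSERT(mbuf->m_flags & M_PKTHDR, ("packet has no pkthdr"));` after the mac_enforce_socket guard would make the two entry points consistent and turn a silent mis-read of m_pkthdr into a diagnosable failure on kernels where KASSERT is enabled. The function's closing brace lies outside the hunk.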
@@ -359,7 +359,7 @@
 #ifdef MAC
 int error;
 
- error = mac_ifnet_can_send(ifp, m);
+ error = mac_check_ifnet_transmit(ifp, m);
 if (error) {
 m_freem(m);
 return (error);
==== //depot/projects/trustedbsd/mac/sys/net/if_tun.c#10 (text+ko) ====
@@ -452,7 +452,7 @@
 TUNDEBUG ("%s%d: tunoutput\n", ifp->if_name, ifp->if_unit);
 
 #ifdef MAC
- error = mac_ifnet_can_send(ifp, m0);
+ error = mac_check_ifnet_transmit(ifp, m0);
 if (error) {
 m_freem(m0);
 return (error);
==== //depot/projects/trustedbsd/mac/sys/netatalk/ddp_input.c#6 (text+ko) ====
@@ -398,7 +398,7 @@
 }
 
 #ifdef MAC
- if (mac_socket_can_receive(&ddp->ddp_socket, m) != 0) {
+ if (mac_check_socket_receive(&ddp->ddp_socket, m) != 0) {
 m_freem( m );
 return;
 }
==== //depot/projects/trustedbsd/mac/sys/netinet/raw_ip.c#13 (text+ko) ====
@@ -158,7 +158,7 @@
 }
 #endif /*IPSEC*/
 #ifdef MAC
- if (mac_socket_can_receive(last->inp_socket,
+ if (mac_check_socket_receive(last->inp_socket,
 n) != 0)
 policyfail = 1;
 #endif
@@ -195,7 +195,7 @@
 }
 #endif /*IPSEC*/
 #ifdef MAC
- if (mac_socket_can_receive(last->inp_socket, m) != 0) {
+ if (mac_check_socket_receive(last->inp_socket, m) != 0) {
 m_freem(m);
 ipstat.ips_delivered--;
 return;
==== //depot/projects/trustedbsd/mac/sys/netinet/tcp_input.c#17 (text+ko) ====
@@ -656,7 +656,7 @@
 so = inp->inp_socket;
 
 #ifdef MAC
- error = mac_socket_can_receive(so, m);
+ error = mac_check_socket_receive(so, m);
 if (error)
 goto drop;
 #endif
==== //depot/projects/trustedbsd/mac/sys/netinet/udp_usrreq.c#13 (text+ko) ====
@@ -324,7 +324,7 @@
 }
 #endif /*IPSEC*/
 #ifdef MAC
- if (mac_socket_can_receive(last->inp_socket,
+ if (mac_check_socket_receive(last->inp_socket,
 m) != 0)
 policyfail = 1;
 #endif
@@ -410,7 +410,7 @@
 }
 #endif /*IPSEC*/
 #ifdef MAC
- error = mac_socket_can_receive(inp->inp_socket, m);
+ error = mac_check_socket_receive(inp->inp_socket, m);
 if (error)
 goto bad;
 #endif
==== //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#75 (text+ko) ====
@@ -1199,6 +1199,21 @@
 }
 
 static int
+mac_biba_check_socket_receive(struct socket *so, struct label *socketlabel,
+ struct mbuf *m, struct label *mbuflabel)
+{
+ struct mac_biba *p, *s;
+
+ if (!mac_biba_enabled)
+ return (0);
+
+ p = SLOT(mbuflabel);
+ s = SLOT(socketlabel);
+
+ return (mac_biba_equal_single(p, s) ? 0 : EACCES);
+}
+
+static int
 mac_biba_check_socket_visible(struct ucred *cred, struct socket *socket,
 struct label *socketlabel)
 {
@@ -1213,6 +1228,21 @@
 return (0);
 }
 
+static int
+mac_biba_check_ifnet_transmit(struct ifnet *ifnet, struct label *ifnetlabel,
+ struct mbuf *m, struct label *mbuflabel)
+{
+ struct mac_biba *p, *i;
+
+ if (!mac_biba_enabled)
+ return (0);
+
+ p = SLOT(mbuflabel);
+ i = SLOT(ifnetlabel);
+
+ return (mac_biba_single_in_range(p, i) ? 0 : EACCES);
+}
+
 static int
 mac_biba_check_relabel_ifnet(struct ucred *cred, struct ifnet *ifnet,
 struct label *ifnetlabel, struct label *newlabel)
@@ -1885,36 +1915,6 @@
 return (0);
 }
 
-static int
-mac_biba_ifnet_check_send_mbuf(struct ifnet *ifnet, struct label *ifnetlabel,
- struct mbuf *m, struct label *mbuflabel)
-{
- struct mac_biba *p, *i;
-
- if (!mac_biba_enabled)
- return (0);
-
- p = SLOT(mbuflabel);
- i = SLOT(ifnetlabel);
-
- return (mac_biba_single_in_range(p, i) ? 0 : EACCES);
-}
-
-static int
-mac_biba_socket_check_receive_mbuf(struct socket *so,
- struct label *socketlabel, struct mbuf *m, struct label *mbuflabel)
-{
- struct mac_biba *p, *s;
-
- if (!mac_biba_enabled)
- return (0);
-
- p = SLOT(mbuflabel);
- s = SLOT(socketlabel);
-
- return (mac_biba_equal_single(p, s) ? 0 : EACCES);
-}
-
 static vm_prot_t
 mac_biba_check_vnode_mmap_perms(struct ucred *cred, struct vnode *vp,
 struct label *label, int newmapping)
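Review bot: The new mac_biba_check_socket_receive and mac_biba_check_ifnet_transmit carry no comment explaining why the two checks differ: socket delivery uses mac_biba_equal_single(p, s) and so demands that the packet label equal the socket label, while interface transmit uses mac_biba_single_in_range(p, i) and only demands that the packet label lie within the interface's range. That distinction is the security contract a policy reader needs, and it is easy to lose when the two helpers otherwise look identical. A one-line comment above each, e.g. `/* Delivery requires the packet label to equal the socket label. */` and `/* Transmit requires the packet label to lie within the interface's range. */`, would record it. The mac_mls_check_ifnet_transmit and mac_mls_check_socket_receive twins in the mac_mls.c section have the same gap.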
@@ -2144,6 +2144,10 @@
 (macop_t)mac_biba_check_bpfdesc_receive },
 { MAC_CHECK_CRED_VISIBLE,
 (macop_t)mac_biba_check_cred_visible },
+ { MAC_CHECK_IFNET_TRANSMIT,
+ (macop_t)mac_biba_check_ifnet_transmit },
+ { MAC_CHECK_SOCKET_RECEIVE,
+ (macop_t)mac_biba_check_socket_receive },
 { MAC_CHECK_SOCKET_VISIBLE,
 (macop_t)mac_biba_check_socket_visible },
 { MAC_CHECK_RELABEL_IFNET,
@@ -2214,10 +2218,6 @@
 (macop_t)mac_biba_check_signal_proc },
 { MAC_CHECK_STAT_VNODE,
 (macop_t)mac_biba_check_stat_vnode },
- { MAC_IFNET_CHECK_SEND_MBUF,
- (macop_t)mac_biba_ifnet_check_send_mbuf },
- { MAC_SOCKET_CHECK_RECEIVE_MBUF,
- (macop_t)mac_biba_socket_check_receive_mbuf },
 { MAC_CHECK_VNODE_MMAP_PERMS,
 (macop_t)mac_biba_check_vnode_mmap_perms },
 { MAC_CHECK_VNODE_OP,
==== //depot/projects/trustedbsd/mac/sys/security/mac_ifoff/mac_ifoff.c#11 (text+ko) ====
@@ -130,24 +130,24 @@
 }
 
 static int
-mac_ifoff_ifnet_check_send_mbuf(struct ifnet *ifnet,
- struct label *ifnetlabel, struct mbuf *m, struct label *mbuflabel)
+mac_ifoff_check_bpfdesc_receive(struct bpf_d *bpf_d, struct label *bpflabel,
+ struct ifnet *ifnet, struct label *ifnetlabel)
 {
 
- return (check_ifnet_outgoing(ifnet));
+ return (check_ifnet_incoming(ifnet, 1));
 }
 
 static int
-mac_ifoff_check_bpfdesc_receive(struct bpf_d *bpf_d, struct label *bpflabel,
- struct ifnet *ifnet, struct label *ifnetlabel)
+mac_ifoff_check_ifnet_transmit(struct ifnet *ifnet, struct label *ifnetlabel,
+ struct mbuf *m, struct label *mbuflabel)
 {
 
- return (check_ifnet_incoming(ifnet, 1));
+ return (check_ifnet_outgoing(ifnet));
 }
 
 static int
-mac_ifoff_socket_check_receive_mbuf(struct socket *so,
- struct label *socketlabel, struct mbuf *m, struct label *mbuflabel)
+mac_ifoff_check_socket_receive(struct socket *so, struct label *socketlabel,
+ struct mbuf *m, struct label *mbuflabel)
 {
 
 if (m->m_flags & M_PKTHDR) {
@@ -162,10 +162,10 @@
 {
 { MAC_CHECK_BPFDESC_RECEIVE,
 (macop_t)mac_ifoff_check_bpfdesc_receive },
- { MAC_IFNET_CHECK_SEND_MBUF,
- (macop_t)mac_ifoff_ifnet_check_send_mbuf },
- { MAC_SOCKET_CHECK_RECEIVE_MBUF,
- (macop_t)mac_ifoff_socket_check_receive_mbuf },
+ { MAC_CHECK_IFNET_TRANSMIT,
+ (macop_t)mac_ifoff_check_ifnet_transmit },
+ { MAC_CHECK_SOCKET_RECEIVE,
+ (macop_t)mac_ifoff_check_socket_receive },
 { MAC_OP_LAST, NULL }
 };
 
==== //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#64 (text+ko) ====
@@ -1145,6 +1145,36 @@
 }
 
 static int
+mac_mls_check_ifnet_transmit(struct ifnet *ifnet, struct label *ifnetlabel,
+ struct mbuf *m, struct label *mbuflabel)
+{
+ struct mac_mls *p, *i;
+
+ if (!mac_mls_enabled)
+ return (0);
+
+ p = SLOT(mbuflabel);
+ i = SLOT(ifnetlabel);
+
+ return (mac_mls_single_in_range(p, i) ? 0 : EACCES);
+}
+
+static int
+mac_mls_check_socket_receive(struct socket *so, struct label *socketlabel,
+ struct mbuf *m, struct label *mbuflabel)
+{
+ struct mac_mls *p, *s;
+
+ if (!mac_mls_enabled)
+ return (0);
+
+ p = SLOT(mbuflabel);
+ s = SLOT(socketlabel);
+
+ return (mac_mls_equal_single(p, s) ? 0 : EACCES);
+}
+
+static int
 mac_mls_check_socket_visible(struct ucred *cred, struct socket *socket,
 struct label *socketlabel)
 {
@@ -1831,36 +1861,6 @@
 return (0);
 }
 
-static int
-mac_mls_ifnet_check_send_mbuf(struct ifnet *ifnet, struct label *ifnetlabel,
- struct mbuf *m, struct label *mbuflabel)
-{
- struct mac_mls *p, *i;
-
- if (!mac_mls_enabled)
- return (0);
-
- p = SLOT(mbuflabel);
- i = SLOT(ifnetlabel);
-
- return (mac_mls_single_in_range(p, i) ? 0 : EACCES);
-}
-
-static int
-mac_mls_socket_check_receive_mbuf(struct socket *so, struct label *socketlabel,
- struct mbuf *m, struct label *mbuflabel)
-{
- struct mac_mls *p, *s;
-
- if (!mac_mls_enabled)
- return (0);
-
- p = SLOT(mbuflabel);
- s = SLOT(socketlabel);
-
- return (mac_mls_equal_single(p, s) ? 0 : EACCES);
-}
-
 static vm_prot_t
 mac_mls_check_vnode_mmap_perms(struct ucred *cred, struct vnode *vp,
 struct label *label, int newmapping)
@@ -2090,6 +2090,10 @@
 (macop_t)mac_mls_check_bpfdesc_receive },
 { MAC_CHECK_CRED_VISIBLE,
 (macop_t)mac_mls_check_cred_visible },
+ { MAC_CHECK_IFNET_TRANSMIT,
+ (macop_t)mac_mls_check_ifnet_transmit },
+ { MAC_CHECK_SOCKET_RECEIVE,
+ (macop_t)mac_mls_check_socket_receive },
 { MAC_CHECK_SOCKET_VISIBLE,
 (macop_t)mac_mls_check_socket_visible },
 { MAC_CHECK_RELABEL_IFNET,
@@ -2160,10 +2164,6 @@
 (macop_t)mac_mls_check_signal_proc },
 { MAC_CHECK_STAT_VNODE,
 (macop_t)mac_mls_check_stat_vnode },
- { MAC_IFNET_CHECK_SEND_MBUF,
- (macop_t)mac_mls_ifnet_check_send_mbuf },
- { MAC_SOCKET_CHECK_RECEIVE_MBUF,
- (macop_t)mac_mls_socket_check_receive_mbuf },
 { MAC_CHECK_VNODE_MMAP_PERMS,
 (macop_t)mac_mls_check_vnode_mmap_perms },
 { MAC_CHECK_VNODE_OP,
==== //depot/projects/trustedbsd/mac/sys/security/mac_none/mac_none.c#50 (text+ko) ====
@@ -572,6 +572,14 @@
 }
 
 static int
+mac_none_check_ifnet_transmit(struct ifnet *ifnet, struct label *ifnetlabel,
+ struct mbuf *m, struct label *mbuflabel)
+{
+
+ return (0);
+}
+
+static int
 mac_none_check_connect_socket(struct ucred *cred, struct socket *socket,
 struct label *socketlabel, struct sockaddr *sockaddr)
 {
@@ -580,6 +588,14 @@
 }
 
 static int
+mac_none_check_socket_receive(struct socket *so, struct label *socketlabel,
+ struct mbuf *m, struct label *mbuflabel)
+{
+
+ return (0);
+}
+
+static int
 mac_none_check_socket_visible(struct ucred *cred, struct socket *socket,
 struct label *socketlabel)
 {
@@ -851,22 +867,6 @@
 }
 
 static int
-mac_none_ifnet_check_send_mbuf(struct ifnet *ifnet, struct label *ifnetlabel,
- struct mbuf *m, struct label *mbuflabel)
-{
-
- return (0);
-}
-
-static int
-mac_none_socket_check_receive_mbuf(struct socket *so,
- struct label *socketlabel, struct mbuf *m, struct label *mbuflabel)
-{
-
- return (0);
-}
-
-static int
 mac_none_check_pipe_op(struct ucred *cred, struct pipe *pipe,
 struct label *pipelabel, int op)
 {
@@ -1022,8 +1022,12 @@
 (macop_t)mac_none_check_bpfdesc_receive },
 { MAC_CHECK_CRED_VISIBLE,
 (macop_t)mac_none_check_cred_visible },
+ { MAC_CHECK_IFNET_TRANSMIT,
+ (macop_t)mac_none_check_ifnet_transmit },
 { MAC_CHECK_CONNECT_SOCKET,
 (macop_t)mac_none_check_connect_socket },
+ { MAC_CHECK_SOCKET_RECEIVE,
+ (macop_t)mac_none_check_socket_receive },
 { MAC_CHECK_SOCKET_VISIBLE,
 (macop_t)mac_none_check_socket_visible },
 { MAC_CHECK_RELABEL_IFNET,
@@ -1092,10 +1096,6 @@
 (macop_t)mac_none_check_signal_proc },
 { MAC_CHECK_STAT_VNODE,
 (macop_t)mac_none_check_stat_vnode },
- { MAC_IFNET_CHECK_SEND_MBUF,
- (macop_t)mac_none_ifnet_check_send_mbuf },
- { MAC_SOCKET_CHECK_RECEIVE_MBUF,
- (macop_t)mac_none_socket_check_receive_mbuf },
 { MAC_CHECK_PIPE_IOCTL,
 (macop_t)mac_none_check_pipe_ioctl },
 { MAC_CHECK_PIPE_OP,
==== //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.c#55 (text+ko) ====
@@ -644,20 +644,6 @@
 }
 
 static int
-mac_te_ifnet_check_send_mbuf(struct ifnet *ifnet, struct label *ifnetlabel,
- struct mbuf *m, struct label *mbuflabel)
-{
-
- /*
- * XXX: This treats the interface as a subject, sending the
- * mbuf as an object. Since sockets are objects, this is
- * probably wrong.
- */
- return (mac_te_check(SLOT(ifnetlabel), SLOT(mbuflabel),
- MAC_TE_CLASS_MBUF, MAC_TE_OPERATION_MBUF_SEND));
-}
-
-static int
 mac_te_check_relabel_ifnet(struct ucred *cred, struct ifnet *ifnet,
 struct label *newlabel)
 {
@@ -703,7 +689,21 @@
 
 return (mac_te_check(SLOT(&u1->cr_label), SLOT(&u2->cr_label),
 MAC_TE_CLASS_PROC, MAC_TE_OPERATION_PROC_SEE));
-}
+}
+
+static int
+mac_te_check_ifnet_transmit(struct ifnet *ifnet, struct label *ifnetlabel,
+ struct mbuf *m, struct label *mbuflabel)
+{
+
+ /*
+ * XXX: This treats the interface as a subject, sending the
+ * mbuf as an object. Since sockets are objects, this is
+ * probably wrong.
+ */
+ return (mac_te_check(SLOT(ifnetlabel), SLOT(mbuflabel),
+ MAC_TE_CLASS_MBUF, MAC_TE_OPERATION_MBUF_SEND));
+}
 
 static int
 mac_te_check_connect_socket(struct ucred *cred, struct socket *socket,
@@ -730,15 +730,10 @@
 }
 
 static int
-mac_te_socket_check_receive_mbuf(struct socket *so, struct label *socketlabel,
+mac_te_check_socket_receive(struct socket *so, struct label *socketlabel,
 struct mbuf *m, struct label *mbuflabel)
 {
 
- /*
- * XXX: This treats the socket as a subject, reading the
- * mbuf as an object. Since sockets are objects, this is
- * probably wrong.
- */
 return (mac_te_check(SLOT(socketlabel), SLOT(mbuflabel),
 MAC_TE_CLASS_MBUF, MAC_TE_OPERATION_MBUF_RECEIVE));
 }
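Review bot: The renamed mac_te_check_socket_receive (hunk @@ -730) drops the XXX comment that questioned treating the socket as the subject and the mbuf as the object, yet the new mac_te_check_ifnet_transmit keeps the equivalent XXX note and the subject/object assignment in mac_te_check(SLOT(socketlabel), SLOT(mbuflabel), ...) is unchanged. If the concern still holds it should stay next to the code; if it was resolved, the change description does not say how. Either restore the removed comment or replace it with one recording the decision, e.g. `/* The socket label is used as the subject for MBUF_RECEIVE; see mac_te_check_ifnet_transmit. */`.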
@@ -1748,13 +1743,18 @@
 { MAC_RELABEL_SUBJECT, (macop_t)mac_te_relabel_subject },
 { MAC_RELABEL_VNODE, (macop_t)mac_te_relabel_vnode },
 { MAC_CHECK_BIND_SOCKET, (macop_t)mac_te_check_bind_socket },
- { MAC_CHECK_BPFDESC_RECEIVE, (macop_t)mac_te_check_bpfdesc_receive },
+ { MAC_CHECK_BPFDESC_RECEIVE,
+ (macop_t)mac_te_check_bpfdesc_receive },
 { MAC_CHECK_CRED_VISIBLE, (macop_t)mac_te_check_cred_visible },
+ { MAC_CHECK_IFNET_TRANSMIT,
+ (macop_t)mac_te_check_ifnet_transmit },
 { MAC_CHECK_CONNECT_SOCKET, (macop_t)mac_te_check_connect_socket },
 { MAC_CHECK_LISTEN_SOCKET, (macop_t)mac_te_check_listen_socket },
+ { MAC_CHECK_SOCKET_RECEIVE,
+ (macop_t)mac_te_check_socket_receive },
 { MAC_CHECK_SOCKET_VISIBLE, (macop_t)mac_te_check_socket_visible },
 { MAC_CHECK_RELABEL_IFNET,
@@ -1822,9 +1822,6 @@
 (macop_t)mac_te_check_vnode_mmap_perms },
 { MAC_CHECK_VNODE_OP, (macop_t)mac_te_check_vnode_op },
- { MAC_IFNET_CHECK_SEND_MBUF, (macop_t)mac_te_ifnet_check_send_mbuf },
- { MAC_SOCKET_CHECK_RECEIVE_MBUF,
- (macop_t)mac_te_socket_check_receive_mbuf },
 { MAC_EXTERNALIZE, (macop_t)mac_te_externalize },
 { MAC_INTERNALIZE, (macop_t)mac_te_internalize },
 { MAC_UPDATE_DEVFSDIRENT_FROM_VNODE,
==== //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#20 (text+ko) ====
@@ -780,6 +780,14 @@
 }
 
 static int
+mac_test_check_ifnet_transmit(struct ifnet *ifnet, struct label *ifnetlabel,
+ struct mbuf *m, struct label *mbuflabel)
+{
+
+ return (0);
+}
+
+static int
 mac_test_check_connect_socket(struct ucred *cred, struct socket *socket,
 struct label *socketlabel, struct sockaddr *sockaddr)
 {
@@ -788,6 +796,14 @@
 }
 
 static int
+mac_test_check_socket_receive(struct socket *socket, struct label *socketlabel,
+ struct mbuf *m, struct label *mbuflabel)
+{
+
+ return (0);
+}
+
+static int
 mac_test_check_socket_visible(struct ucred *cred, struct socket *socket,
 struct label *socketlabel)
 {
@@ -1074,22 +1090,6 @@
 return (0);
 }
 
-static int
-mac_test_ifnet_check_send_mbuf(struct ifnet *ifnet, struct label *ifnetlabel,
- struct mbuf *m, struct label *mbuflabel)
-{
-
- return (0);
-}
-
-static int
-mac_test_socket_check_receive_mbuf(struct socket *so,
- struct label *socketlabel, struct mbuf *m, struct label *mbuflabel)
-{
-
- return (0);
-}
-
 static struct mac_policy_op_entry mac_test_ops[] =
 {
 { MAC_DESTROY,
@@ -1228,8 +1228,12 @@
 (macop_t)mac_test_check_bpfdesc_receive },
 { MAC_CHECK_CRED_VISIBLE,
 (macop_t)mac_test_check_cred_visible },
+ { MAC_CHECK_IFNET_TRANSMIT,
+ (macop_t)mac_test_check_ifnet_transmit },
 { MAC_CHECK_CONNECT_SOCKET,
 (macop_t)mac_test_check_connect_socket },
+ { MAC_CHECK_SOCKET_RECEIVE,
+ (macop_t)mac_test_check_socket_receive },
 { MAC_CHECK_SOCKET_VISIBLE,
 (macop_t)mac_test_check_socket_visible },
 { MAC_CHECK_RELABEL_IFNET,
@@ -1302,10 +1306,6 @@
 (macop_t)mac_test_check_pipe_ioctl },
 { MAC_CHECK_PIPE_OP,
 (macop_t)mac_test_check_pipe_op },
- { MAC_IFNET_CHECK_SEND_MBUF,
- (macop_t)mac_test_ifnet_check_send_mbuf },
- { MAC_SOCKET_CHECK_RECEIVE_MBUF,
- (macop_t)mac_test_socket_check_receive_mbuf },
 { MAC_OP_LAST, NULL }
 };
 
==== //depot/projects/trustedbsd/mac/sys/sys/mac.h#126 (text+ko) ====
@@ -368,9 +368,10 @@
 
 /* Network event miscellany. */
 int mac_fragment_matches_ipq(struct mbuf *fragment, struct ipq *ipq);
-int mac_ifnet_can_send(struct ifnet *ifnet, struct mbuf *m);
 void mac_update_ipq_from_fragment(struct mbuf *fragment, struct ipq *ipq);
-int mac_socket_can_receive(struct socket *so, struct mbuf *m);
+
+int mac_check_ifnet_transmit(struct ifnet *ifnet, struct mbuf *m);
+int mac_check_socket_receive(struct socket *so, struct mbuf *m);
 
 /* Hooks for the proc-based "can"-checks. */
 int mac_check_cred_visible(struct ucred *u1, struct ucred *u2);
==== //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#91 (text+ko) ====
@@ -235,9 +235,15 @@
 struct label *bpflabel, struct ifnet *ifnet, struct label *ifnetlabel);
 int (*mpo_check_cred_visible)(struct ucred *u1, struct ucred *u2);
+ int (*mpo_check_ifnet_transmit)(struct ifnet *ifnet,
+ struct label *ifnetlabel, struct mbuf *m,
+ struct label *mbuflabel);
 int (*mpo_check_connect_socket)(struct ucred *cred, struct socket *socket, struct label *socketlabel, struct sockaddr *sockaddr);
+ int (*mpo_check_socket_receive)(struct socket *so,
+ struct label *socketlabel, struct mbuf *m,
+ struct label *mbuflabel);
 int (*mpo_check_socket_visible)(struct ucred *cred, struct socket *socket, struct label *socketlabel);
 int (*mpo_check_relabel_ifnet)(struct ucred *cred,
@@ -327,12 +333,6 @@
 struct vnode *vp, struct label *label, int newmapping);
 int (*mpo_check_vnode_op)(struct ucred *cred, struct vnode *vp, struct label *label, int op);
- int (*mpo_ifnet_check_send_mbuf)(struct ifnet *ifnet,
- struct label *ifnetlabel, struct mbuf *mbuf,
- struct label *mbuflabel);
- int (*mpo_socket_check_receive_mbuf)(struct socket *socket,
- struct label *socketlabel, struct mbuf *mbuf,
- struct label *mbuflabel);
 int (*mpo_check_pipe_op)(struct ucred *cred, struct pipe *pipe, struct label *pipelabel, int op);
 int (*mpo_check_pipe_ioctl)(struct ucred *cred,
@@ -414,6 +414,8 @@
 MAC_CHECK_BIND_SOCKET,
 MAC_CHECK_BPFDESC_RECEIVE,
 MAC_CHECK_CRED_VISIBLE,
+ MAC_CHECK_IFNET_TRANSMIT,
+ MAC_CHECK_SOCKET_RECEIVE,
 MAC_CHECK_SOCKET_VISIBLE,
 MAC_CHECK_RELABEL_IFNET,
 MAC_CHECK_RELABEL_PIPE,
@@ -451,8 +453,6 @@
 MAC_CHECK_STAT_VNODE,
 MAC_CHECK_VNODE_MMAP_PERMS,
 MAC_CHECK_VNODE_OP,
- MAC_IFNET_CHECK_SEND_MBUF,
- MAC_SOCKET_CHECK_RECEIVE_MBUF,
 MAC_CHECK_PIPE_IOCTL,
 MAC_CHECK_PIPE_OP
 };
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message