From owner-p4-projects Sun Jul 28 8:44:23 2002 Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 17EC437B401; Sun, 28 Jul 2002 08:43:32 -0700 (PDT) Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BFA3237B400 for ; Sun, 28 Jul 2002 08:43:31 -0700 (PDT) Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 38E9843E3B for ; Sun, 28 Jul 2002 08:43:31 -0700 (PDT) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: from freefall.freebsd.org (perforce@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.4/8.12.4) with ESMTP id g6SFhVJU037530 for ; Sun, 28 Jul 2002 08:43:31 -0700 (PDT) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: (from perforce@localhost) by freefall.freebsd.org (8.12.4/8.12.4/Submit) id g6SFhUAc037527 for perforce@freebsd.org; Sun, 28 Jul 2002 08:43:30 -0700 (PDT) Date: Sun, 28 Jul 2002 08:43:30 -0700 (PDT) Message-Id: <200207281543.g6SFhUAc037527@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: perforce set sender to bb+lists.freebsd.perforce@cyrus.watson.org using -f 
From: Robert Watson
Subject: PERFORCE change 15053 for review
To: Perforce Change Reviews
Sender: owner-p4-projects@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG
http://people.freebsd.org/~peter/p4db/chv.cgi?CH=15053
Change 15053 by rwatson@rwatson_paprika on 2002/07/28 08:43:28
Rename socket bind, connect, and listen entry points to be more consistent with the mac_check_(objectname)_(methodname) format.
Affected files ...
.. //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#199 edit
.. //depot/projects/trustedbsd/mac/sys/kern/uipc_syscalls.c#14 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_none/mac_none.c#51 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.c#56 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#21 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac.h#127 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#92 edit
Differences ...
==== //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#199 (text+ko) ====
@@ -650,10 +650,6 @@
 mpc->mpc_ops->mpo_relabel_subject =
 mpe->mpe_function;
 break;
- case MAC_CHECK_BIND_SOCKET:
- mpc->mpc_ops->mpo_check_bind_socket =
- mpe->mpe_function;
- break;
 case MAC_CHECK_BPFDESC_RECEIVE:
 mpc->mpc_ops->mpo_check_bpfdesc_receive =
 mpe->mpe_function;
@@ -662,12 +658,20 @@
 mpc->mpc_ops->mpo_check_cred_visible =
 mpe->mpe_function;
 break;
- case MAC_CHECK_CONNECT_SOCKET:
- mpc->mpc_ops->mpo_check_connect_socket =
+ case MAC_CHECK_IFNET_TRANSMIT:
+ mpc->mpc_ops->mpo_check_ifnet_transmit =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_SOCKET_BIND:
+ mpc->mpc_ops->mpo_check_socket_bind =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_SOCKET_CONNECT:
+ mpc->mpc_ops->mpo_check_socket_connect =
 mpe->mpe_function;
 break;
- case MAC_CHECK_IFNET_TRANSMIT:
- mpc->mpc_ops->mpo_check_ifnet_transmit =
+ case MAC_CHECK_SOCKET_LISTEN:
+ mpc->mpc_ops->mpo_check_socket_listen =
 mpe->mpe_function;
 break;
 case MAC_CHECK_SOCKET_RECEIVE:
@@ -741,10 +745,6 @@
 mpc->mpc_ops->mpo_check_getextattr_vnode =
 mpe->mpe_function;
 break;
- case MAC_CHECK_LISTEN_SOCKET:
- mpc->mpc_ops->mpo_check_listen_socket =
- mpe->mpe_function;
- break;
 case MAC_CHECK_LOOKUP_VNODE:
 mpc->mpc_ops->mpo_check_lookup_vnode =
 mpe->mpe_function;
@@ -1867,18 +1867,6 @@
 }
 
 int
-mac_check_listen_socket(struct ucred *cred, struct socket *socket)
-{
- int error;
-
- if (!mac_enforce_socket)
- return (0);
-
- MAC_CHECK(check_listen_socket, cred, socket, &socket->so_label);
- return (error);
-}
-
-int
 mac_check_lookup_vnode(struct ucred *cred, struct vnode *dvp,
 struct componentname *cnp)
 {
@@ -2459,21 +2447,6 @@
 }
 
 int
-mac_check_bind_socket(struct ucred *ucred, struct socket *socket,
- struct sockaddr *sockaddr)
-{
- int error;
-
- if (!mac_enforce_socket)
- return (0);
-
- MAC_CHECK(check_bind_socket, ucred, socket, &socket->so_label,
- sockaddr);
-
- return (error);
-}
-
-int
 mac_check_bpfdesc_receive(struct bpf_d *bpf_d, struct ifnet *ifnet)
 {
 int error;
@@ -2520,7 +2493,22 @@
 }
 
 int
-mac_check_connect_socket(struct ucred *cred, struct socket *socket,
+mac_check_socket_bind(struct ucred *ucred, struct socket *socket,
+ struct sockaddr *sockaddr)
+{
+ int error;
+
+ if (!mac_enforce_socket)
+ return (0);
+
+ MAC_CHECK(check_socket_bind, ucred, socket, &socket->so_label,
+ sockaddr);
+
+ return (error);
+}
+
+int
+mac_check_socket_connect(struct ucred *cred, struct socket *socket,
 struct sockaddr *sockaddr)
 {
 int error;
@@ -2528,13 +2516,25 @@
 if (!mac_enforce_socket)
 return (0);
 
- MAC_CHECK(check_connect_socket, cred, socket, &socket->so_label,
+ MAC_CHECK(check_socket_connect, cred, socket, &socket->so_label,
 sockaddr);
 
 return (error);
 }
 
 int
+mac_check_socket_listen(struct ucred *cred, struct socket *socket)
+{
+ int error;
+
+ if (!mac_enforce_socket)
+ return (0);
+
+ MAC_CHECK(check_socket_listen, cred, socket, &socket->so_label);
+ return (error);
+}
+
+int
 mac_check_socket_receive(struct socket *socket, struct mbuf *mbuf)
 {
 int error;
==== //depot/projects/trustedbsd/mac/sys/kern/uipc_syscalls.c#14 (text+ko) ====
@@ -179,7 +179,7 @@
 if ((error = getsockaddr(&sa, uap->name, uap->namelen)) != 0)
 goto done1;
 #ifdef MAC
- error = mac_check_bind_socket(td->td_ucred, so, sa);
+ error = mac_check_socket_bind(td->td_ucred, so, sa);
 if (error) {
 FREE(sa, M_SONAME);
 goto done1;
@@ -212,7 +212,7 @@
 mtx_lock(&Giant);
 if ((error = fgetsock(td, uap->s, &so, NULL)) == 0) {
 #ifdef MAC
- error = mac_check_listen_socket(td->td_ucred, so);
+ error = mac_check_socket_listen(td->td_ucred, so);
 if (error)
 goto done;
 #endif
@@ -454,7 +454,7 @@
 if (error)
 goto done1;
 #ifdef MAC
- error = mac_check_connect_socket(td->td_ucred, so, sa);
+ error = mac_check_socket_connect(td->td_ucred, so, sa);
 if (error)
 goto bad;
 #endif
==== //depot/projects/trustedbsd/mac/sys/security/mac_none/mac_none.c#51 (text+ko) ====
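Review bot: In the `@@ -2520` hunk, `mac_check_socket_bind` names its credential parameter `ucred`, while `mac_check_socket_connect` and `mac_check_socket_listen` in the following hunk and the new prototypes in mac.h all use `cred`; since the change is itself a consistency rename, this is the place to align it. Change `mac_check_socket_bind(struct ucred *ucred, struct socket *socket,` to `mac_check_socket_bind(struct ucred *cred, struct socket *socket,` and `MAC_CHECK(check_socket_bind, ucred, socket, &socket->so_label,` to `MAC_CHECK(check_socket_bind, cred, socket, &socket->so_label,`. The `error` variable is presumably assigned inside the MAC_CHECK macro, whose definition is outside this hunk.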
@@ -549,14 +549,6 @@
 * Access control checks.
 */
 static int
-mac_none_check_bind_socket(struct ucred *cred, struct socket *socket,
- struct label *socketlabel, struct sockaddr *sockaddr)
-{
-
- return (0);
-}
-
-static int
 mac_none_check_bpfdesc_receive(struct bpf_d *bpf_d, struct label *bpflabel,
 struct ifnet *ifnet, struct label *ifnet_label)
 {
@@ -580,7 +572,15 @@
 }
 
 static int
-mac_none_check_connect_socket(struct ucred *cred, struct socket *socket,
+mac_none_check_socket_bind(struct ucred *cred, struct socket *socket,
+ struct label *socketlabel, struct sockaddr *sockaddr)
+{
+
+ return (0);
+}
+
+static int
+mac_none_check_socket_connect(struct ucred *cred, struct socket *socket,
 struct label *socketlabel, struct sockaddr *sockaddr)
 {
 
@@ -588,6 +588,14 @@
 }
 
 static int
+mac_none_check_socket_listen(struct ucred *cred, struct vnode *vp,
+ struct label *socketlabel)
+{
+
+ return (0);
+}
+
+static int
 mac_none_check_socket_receive(struct socket *so, struct label *socketlabel,
 struct mbuf *m, struct label *mbuflabel)
 {
@@ -731,14 +739,6 @@
 }
 
 static int
-mac_none_check_listen_socket(struct ucred *cred, struct vnode *vp,
- struct label *socketlabel)
-{
-
- return (0);
-}
-
-static int
 mac_none_check_lookup_vnode(struct ucred *cred, struct vnode *dvp,
 struct label *dlabel, struct componentname *cnp)
 {
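Review bot: In the `@@ -588` hunk, the new `mac_none_check_socket_listen` takes `struct vnode *vp` as its second parameter, but the `mpo_check_socket_listen` slot this change adds to mac_policy.h is declared `(struct ucred *cred, struct socket *so, struct label *socketlabel)`; the `(macop_t)` cast in the ops table suppresses the type check, so the mismatch survives compilation. The stub returns 0 without touching its arguments, so nothing misbehaves today, but this signature is what later policy modules copy from, and it was carried over unchanged from the old `mac_none_check_listen_socket`. Change the two lines to `mac_none_check_socket_listen(struct ucred *cred, struct socket *so,` / `    struct label *socketlabel)`. The same class of mismatch appears in the mac_test.c `@@ -757` hunk, where `mac_test_check_socket_listen` carries a fourth `struct sockaddr *sockaddr` parameter that the policy slot does not have.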
@@ -1016,16 +1016,18 @@
 (macop_t)mac_none_create_proc1 },
 { MAC_RELABEL_SUBJECT,
 (macop_t)mac_none_relabel_subject },
- { MAC_CHECK_BIND_SOCKET,
- (macop_t)mac_none_check_bind_socket },
 { MAC_CHECK_BPFDESC_RECEIVE,
 (macop_t)mac_none_check_bpfdesc_receive },
 { MAC_CHECK_CRED_VISIBLE,
 (macop_t)mac_none_check_cred_visible },
 { MAC_CHECK_IFNET_TRANSMIT,
 (macop_t)mac_none_check_ifnet_transmit },
- { MAC_CHECK_CONNECT_SOCKET,
- (macop_t)mac_none_check_connect_socket },
+ { MAC_CHECK_SOCKET_BIND,
+ (macop_t)mac_none_check_socket_bind },
+ { MAC_CHECK_SOCKET_CONNECT,
+ (macop_t)mac_none_check_socket_connect },
+ { MAC_CHECK_SOCKET_LISTEN,
+ (macop_t)mac_none_check_socket_listen },
 { MAC_CHECK_SOCKET_RECEIVE,
 (macop_t)mac_none_check_socket_receive },
 { MAC_CHECK_SOCKET_VISIBLE,
@@ -1062,8 +1064,6 @@
 (macop_t)mac_none_check_getacl_vnode },
 { MAC_CHECK_GETEXTATTR_VNODE,
 (macop_t)mac_none_check_getextattr_vnode },
- { MAC_CHECK_LISTEN_SOCKET,
- (macop_t)mac_none_check_listen_socket },
 { MAC_CHECK_LOOKUP_VNODE,
 (macop_t)mac_none_check_lookup_vnode },
 { MAC_CHECK_OPEN_VNODE,
==== //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.c#56 (text+ko) ====
@@ -660,18 +660,6 @@
 }
 
 static int
-mac_te_check_bind_socket(struct ucred *cred, struct socket *socket,
- struct label *socketlabel, struct sockaddr *sockaddr)
-{
-
- if (!mac_te_enabled)
- return (0);
-
- return (mac_te_check(SLOT(&cred->cr_label), SLOT(socketlabel),
- MAC_TE_CLASS_SOCKET, MAC_TE_OPERATION_SOCKET_BIND));
-}
-
-static int
 mac_te_check_bpfdesc_receive(struct bpf_d *bpf_d, struct label *bpflabel,
 struct ifnet *ifnet, struct label *ifnetlabel)
 {
@@ -706,7 +694,19 @@
 }
 
 static int
-mac_te_check_connect_socket(struct ucred *cred, struct socket *socket,
+mac_te_check_socket_bind(struct ucred *cred, struct socket *socket,
+ struct label *socketlabel, struct sockaddr *sockaddr)
+{
+
+ if (!mac_te_enabled)
+ return (0);
+
+ return (mac_te_check(SLOT(&cred->cr_label), SLOT(socketlabel),
+ MAC_TE_CLASS_SOCKET, MAC_TE_OPERATION_SOCKET_BIND));
+}
+
+static int
+mac_te_check_socket_connect(struct ucred *cred, struct socket *socket,
 struct label *socketlabel, struct sockaddr *sockaddr)
 {
 
@@ -718,7 +718,7 @@
 }
 
 static int
-mac_te_check_listen_socket(struct ucred *cred, struct socket *socket,
+mac_te_check_socket_listen(struct ucred *cred, struct socket *socket,
 struct label *socketlabel)
 {
 
@@ -1742,17 +1742,18 @@
 { MAC_CREATE_PROC1, (macop_t)mac_te_create_proc1 },
 { MAC_RELABEL_SUBJECT, (macop_t)mac_te_relabel_subject },
 { MAC_RELABEL_VNODE, (macop_t)mac_te_relabel_vnode },
- { MAC_CHECK_BIND_SOCKET, (macop_t)mac_te_check_bind_socket },
 { MAC_CHECK_BPFDESC_RECEIVE,
 (macop_t)mac_te_check_bpfdesc_receive },
 { MAC_CHECK_CRED_VISIBLE, (macop_t)mac_te_check_cred_visible },
 { MAC_CHECK_IFNET_TRANSMIT,
 (macop_t)mac_te_check_ifnet_transmit },
- { MAC_CHECK_CONNECT_SOCKET,
- (macop_t)mac_te_check_connect_socket },
- { MAC_CHECK_LISTEN_SOCKET,
- (macop_t)mac_te_check_listen_socket },
+ { MAC_CHECK_SOCKET_BIND,
+ (macop_t)mac_te_check_socket_bind },
+ { MAC_CHECK_SOCKET_CONNECT,
+ (macop_t)mac_te_check_socket_connect },
+ { MAC_CHECK_SOCKET_LISTEN,
+ (macop_t)mac_te_check_socket_listen },
 { MAC_CHECK_SOCKET_RECEIVE, (macop_t)mac_te_check_socket_receive },
 { MAC_CHECK_SOCKET_VISIBLE,
==== //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#21 (text+ko) ====
@@ -757,38 +757,46 @@
 * Access control checks.
 */
 static int
-mac_test_check_bind_socket(struct ucred *cred, struct socket *socket,
- struct label *socketlabel, struct sockaddr *sockaddr)
+mac_test_check_bpfdesc_receive(struct bpf_d *bpf_d, struct label *bpflabel,
+ struct ifnet *ifnet, struct label *ifnetlabel)
+{
+
+ return (0);
+}
+
+static int
+mac_test_check_cred_visible(struct ucred *u1, struct ucred *u2)
 {
 
 return (0);
 }
 
 static int
-mac_test_check_bpfdesc_receive(struct bpf_d *bpf_d, struct label *bpflabel,
- struct ifnet *ifnet, struct label *ifnetlabel)
+mac_test_check_ifnet_transmit(struct ifnet *ifnet, struct label *ifnetlabel,
+ struct mbuf *m, struct label *mbuflabel)
 {
 
 return (0);
 }
 
 static int
-mac_test_check_cred_visible(struct ucred *u1, struct ucred *u2)
+mac_test_check_socket_bind(struct ucred *cred, struct socket *socket,
+ struct label *socketlabel, struct sockaddr *sockaddr)
 {
 
 return (0);
 }
 
 static int
-mac_test_check_ifnet_transmit(struct ifnet *ifnet, struct label *ifnetlabel,
- struct mbuf *m, struct label *mbuflabel)
+mac_test_check_socket_connect(struct ucred *cred, struct socket *socket,
+ struct label *socketlabel, struct sockaddr *sockaddr)
 {
 
 return (0);
 }
 
 static int
-mac_test_check_connect_socket(struct ucred *cred, struct socket *socket,
+mac_test_check_socket_listen(struct ucred *cred, struct socket *socket,
 struct label *socketlabel, struct sockaddr *sockaddr)
 {
 
@@ -955,14 +963,6 @@
 }
 
 static int
-mac_test_check_listen_socket(struct ucred *cred, struct socket *socket,
- struct label *socketlabel, struct sockaddr *sockaddr)
-{
-
- return (0);
-}
-
-static int
 mac_test_check_lookup_vnode(struct ucred *cred, struct vnode *dvp,
 struct label *dlabel, struct componentname *cnp)
 {
@@ -1222,16 +1222,18 @@
 (macop_t)mac_test_create_proc1 },
 { MAC_RELABEL_SUBJECT,
 (macop_t)mac_test_relabel_subject },
- { MAC_CHECK_BIND_SOCKET,
- (macop_t)mac_test_check_bind_socket },
 { MAC_CHECK_BPFDESC_RECEIVE,
 (macop_t)mac_test_check_bpfdesc_receive },
 { MAC_CHECK_CRED_VISIBLE,
 (macop_t)mac_test_check_cred_visible },
 { MAC_CHECK_IFNET_TRANSMIT,
 (macop_t)mac_test_check_ifnet_transmit },
- { MAC_CHECK_CONNECT_SOCKET,
- (macop_t)mac_test_check_connect_socket },
+ { MAC_CHECK_SOCKET_BIND,
+ (macop_t)mac_test_check_socket_bind },
+ { MAC_CHECK_SOCKET_CONNECT,
+ (macop_t)mac_test_check_socket_connect },
+ { MAC_CHECK_SOCKET_LISTEN,
+ (macop_t)mac_test_check_socket_listen },
 { MAC_CHECK_SOCKET_RECEIVE,
 (macop_t)mac_test_check_socket_receive },
 { MAC_CHECK_SOCKET_VISIBLE,
@@ -1268,8 +1270,6 @@
 (macop_t)mac_test_check_getacl_vnode },
 { MAC_CHECK_GETEXTATTR_VNODE,
 (macop_t)mac_test_check_getextattr_vnode },
- { MAC_CHECK_LISTEN_SOCKET,
- (macop_t)mac_test_check_listen_socket },
 { MAC_CHECK_LOOKUP_VNODE,
 (macop_t)mac_test_check_lookup_vnode },
 { MAC_CHECK_OPEN_VNODE,
==== //depot/projects/trustedbsd/mac/sys/sys/mac.h#127 (text+ko) ====
@@ -259,13 +259,9 @@
 
 /* Authorizational event hooks. */
 int mac_check_access_vnode(struct ucred *cred, struct vnode *vp, int flags);
-int mac_check_bind_socket(struct ucred *cred, struct socket *so,
- struct sockaddr *sa);
 int mac_check_bpfdesc_receive(struct bpf_d *bpf_d, struct ifnet *ifnet);
 int mac_check_chdir_vnode(struct ucred *cred, struct vnode *dvp);
 int mac_check_chroot_vnode(struct ucred *cred, struct vnode *dvp);
-int mac_check_connect_socket(struct ucred *cred, struct socket *so,
- struct sockaddr *sa);
 int mac_check_create_vnode(struct ucred *cred, struct vnode *dvp,
 struct componentname *cnp, struct vattr *vap);
 int mac_check_deleteacl_vnode(struct ucred *cred, struct vnode *vp,
@@ -274,8 +270,6 @@
 acl_type_t type);
 int mac_check_getextattr_vnode(struct ucred *cred, struct vnode *vp,
 int attrnamespace, const char *name, struct uio *uio);
-int mac_check_listen_socket(struct ucred *cred,
- struct socket *socket);
 int mac_check_lookup_vnode(struct ucred *cred, struct vnode *dvp,
 struct componentname *cnp);
 int mac_check_setacl_vnode(struct ucred *cred, struct vnode *vp,
@@ -371,6 +365,12 @@
 
 void mac_update_ipq_from_fragment(struct mbuf *fragment, struct ipq *ipq);
 int mac_check_ifnet_transmit(struct ifnet *ifnet, struct mbuf *m);
+
+int mac_check_socket_bind(struct ucred *cred, struct socket *so,
+ struct sockaddr *sockaddr);
+int mac_check_socket_connect(struct ucred *cred, struct socket *so,
+ struct sockaddr *sockaddr);
+int mac_check_socket_listen(struct ucred *cred, struct socket *so);
 int mac_check_socket_receive(struct socket *so, struct mbuf *m);
 
 /* Hooks for the proc-based "can"-checks. */
==== //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#92 (text+ko) ====
@@ -228,9 +228,6 @@
 /*
 * Access control checks.
 */
- int (*mpo_check_bind_socket)(struct ucred *cred,
- struct socket *socket, struct label *socketlabel,
- struct sockaddr *sockaddr);
 int (*mpo_check_bpfdesc_receive)(struct bpf_d *bpf_d,
 struct label *bpflabel, struct ifnet *ifnet,
 struct label *ifnetlabel);
@@ -238,9 +235,14 @@
 int (*mpo_check_ifnet_transmit)(struct ifnet *ifnet,
 struct label *ifnetlabel, struct mbuf *m,
 struct label *mbuflabel);
- int (*mpo_check_connect_socket)(struct ucred *cred,
- struct socket *socket, struct label *socketlabel,
+ int (*mpo_check_socket_bind)(struct ucred *cred,
+ struct socket *so, struct label *socketlabel,
+ struct sockaddr *sockaddr);
+ int (*mpo_check_socket_connect)(struct ucred *cred,
+ struct socket *so, struct label *socketlabel,
 struct sockaddr *sockaddr);
+ int (*mpo_check_socket_listen)(struct ucred *cred,
+ struct socket *so, struct label *socketlabel);
 int (*mpo_check_socket_receive)(struct socket *so,
 struct label *socketlabel, struct mbuf *m,
 struct label *mbuflabel);
@@ -285,8 +287,6 @@
 int (*mpo_check_getextattr_vnode)(struct ucred *cred,
 struct vnode *vp, struct label *label, int attrnamespace,
 const char *name, struct uio *uio);
- int (*mpo_check_listen_socket)(struct ucred *cred,
- struct socket *socket, struct label *socketlabel);
 int (*mpo_check_lookup_vnode)(struct ucred *cred,
 struct vnode *dvp, struct label *dlabel,
 struct componentname *cnp);
@@ -411,10 +411,12 @@
 MAC_CREATE_PROC0,
 MAC_CREATE_PROC1,
 MAC_RELABEL_SUBJECT,
- MAC_CHECK_BIND_SOCKET,
 MAC_CHECK_BPFDESC_RECEIVE,
 MAC_CHECK_CRED_VISIBLE,
 MAC_CHECK_IFNET_TRANSMIT,
+ MAC_CHECK_SOCKET_BIND,
+ MAC_CHECK_SOCKET_CONNECT,
+ MAC_CHECK_SOCKET_LISTEN,
 MAC_CHECK_SOCKET_RECEIVE,
 MAC_CHECK_SOCKET_VISIBLE,
 MAC_CHECK_RELABEL_IFNET,
@@ -427,14 +429,12 @@
 MAC_CHECK_ACCESS_VNODE,
 MAC_CHECK_CHDIR_VNODE,
 MAC_CHECK_CHROOT_VNODE,
- MAC_CHECK_CONNECT_SOCKET,
 MAC_CHECK_CREATE_VNODE,
 MAC_CHECK_DELETE_VNODE,
 MAC_CHECK_DELETEACL_VNODE,
 MAC_CHECK_EXEC_VNODE,
 MAC_CHECK_GETACL_VNODE,
 MAC_CHECK_GETEXTATTR_VNODE,
- MAC_CHECK_LISTEN_SOCKET,
 MAC_CHECK_LOOKUP_VNODE,
 MAC_CHECK_OPEN_VNODE,
 MAC_CHECK_READDIR_VNODE,
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message