From: Adam Migus
Date: Sat, 11 May 2002 17:57:14 -0700 (PDT)
Subject: PERFORCE change 11192 for review
To: Perforce Change Reviews
Message-Id: <200205120057.g4C0vEl79631@freefall.freebsd.org>
Sender: owner-p4-projects@FreeBSD.ORG

http://people.freebsd.org/~peter/p4db/chv.cgi?CH=11192

Change 11192 by amigus@amigus_vmganyopa on 2002/05/11 17:56:32

	Added MAC policy check on setsockopt() operations.  Note that
	there's an suser_cred() check that might go away pretty soon
	when I start playing with labels in apache2.

Affected files ...

... //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#142 edit
... //depot/projects/trustedbsd/mac/sys/kern/uipc_socket.c#22 edit
... //depot/projects/trustedbsd/mac/sys/sys/mac.h#100 edit

Differences ...

==== //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#142 (text+ko) ====
@@ -1605,6 +1605,23 @@ return (error); } +int +mac_setsockopt_label_set(struct ucred *cred, struct socket *so, + struct mac *label) +{ + int error; + + if (!mac_label_valid(label)) + return (EINVAL); + + MAC_CHECK(cred_check_relabel_socket, cred, so, label); + if (error) + return (error); + + MAC_PERFORM(relabel_socket, cred, so, label); + + return (0); +} /* * MPSAFE ==== //depot/projects/trustedbsd/mac/sys/kern/uipc_socket.c#22 (text+ko) ==== @@ -1155,7 +1155,7 @@ struct timeval tv; u_long val; #ifdef MAC - struct mac label, *labelp; + struct mac label; #endif /* MAC */ error = 0; @@ -1282,24 +1282,21 @@ break; #ifdef MAC case SO_LABEL: - case SO_PEERLABEL: + /* + * XXX: This will probably have to be removed soon. + */ if(sopt->sopt_td != NULL) error = suser_cred(sopt->sopt_td->td_ucred, 0); if(error) goto bad; error = sooptcopyin(sopt, &label, sizeof label, - sizeof label); + sizeof label); if (error) goto bad; - error = mac_validate_label(&label); - if (error) - goto bad; - - labelp = (sopt->sopt_name == SO_LABEL ? - &so->so_label : &so->so_peerlabel); - bcopy(&label, labelp, sizeof label); + error = mac_setsockopt_label_set( + sopt->sopt_td->td_ucred, so, &label); break; #endif /* MAC */ ==== //depot/projects/trustedbsd/mac/sys/sys/mac.h#100 (text+ko) ==== @@ -290,6 +290,8 @@ struct ifnet *ifnet); int mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr, struct ifnet *ifnet); +int mac_setsockopt_label_set(struct ucred *cred, struct socket *so, + struct mac *label); /* Label creation events. */ void mac_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d); To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message
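Review bot: In the kern_mac.c hunk, `int error;` is only ever assigned inside `MAC_CHECK(cred_check_relabel_socket, cred, so, label);`, so the `if (error)` test that follows depends on that macro initialising `error` on every path, including the case where no policy module registers the hook; please confirm that, or initialise `error = 0;` explicitly. Also, the old call site did `error = mac_validate_label(&label)` and propagated whatever that returned, whereas the new function maps `!mac_label_valid(label)` to a flat `EINVAL`; if the two validators differ in their error codes, userland callers of setsockopt(SO_LABEL) will see a behaviour change that the commit message does not mention. A short comment above the function stating that it both checks and performs the relabel would help, since the other `mac_*_set` entry points are the only hint of that convention here.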
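Review bot: In the second uipc_socket.c hunk, the guard `if(sopt->sopt_td != NULL)` around `suser_cred(sopt->sopt_td->td_ucred, 0)` tolerates a NULL `sopt_td`, but the new line `mac_setsockopt_label_set(sopt->sopt_td->td_ucred, so, &label)` dereferences `sopt_td` unconditionally, so a kernel-originated setsockopt with no thread attached would fault instead of being rejected; either fail the SO_LABEL case outright when `sopt_td == NULL` (e.g. `error = EPERM; goto bad;`) or obtain the credential from a source that is valid on that path. Removing `case SO_PEERLABEL:` also silently changes behaviour: setting the peer label now falls through to the default handling rather than being accepted, which is probably the intent (the peer label should not be user-settable) but deserves a sentence in the change description. The `sizeof label);` line is a whitespace-only change and could be dropped from the diff.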
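Review bot: The mac.h hunk introduces `struct socket *so` into a prototype in a header that, judging by the neighbouring declarations, previously only named `struct ifnet`, `struct ifreq` and `struct bpf_d`; please check that a forward declaration of `struct socket` precedes this point in mac.h (or add one), since the header is included from files that do not necessarily pull in the socket headers first.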