Date: Sat, 11 May 2002 17:57:14 -0700 (PDT) From: Adam Migus <amigus@FreeBSD.org> To: Perforce Change Reviews <perforce@FreeBSD.org> Subject: PERFORCE change 11192 for review Message-ID: <200205120057.g4C0vEl79631@freefall.freebsd.org>
http://people.freebsd.org/~peter/p4db/chv.cgi?CH=11192 Change 11192 by amigus@amigus_vmganyopa on 2002/05/11 17:56:32 Added MAC policy check on setsockopt() operations. Note that there's an suser_cred() check that might go away pretty soon when I start playing with labels in apache2. Affected files ... ... //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#142 edit ... //depot/projects/trustedbsd/mac/sys/kern/uipc_socket.c#22 edit ... //depot/projects/trustedbsd/mac/sys/sys/mac.h#100 edit Differences ... ==== //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#142 (text+ko) ==== @@ -1605,6 +1605,23 @@ return (error); } +int +mac_setsockopt_label_set(struct ucred *cred, struct socket *so, + struct mac *label) +{ + int error; + + if (!mac_label_valid(label)) + return (EINVAL); + + MAC_CHECK(cred_check_relabel_socket, cred, so, label); + if (error) + return (error); + + MAC_PERFORM(relabel_socket, cred, so, label); + + return (0); +} /* * MPSAFE ==== //depot/projects/trustedbsd/mac/sys/kern/uipc_socket.c#22 (text+ko) ==== @@ -1155,7 +1155,7 @@ struct timeval tv; u_long val; #ifdef MAC - struct mac label, *labelp; + struct mac label; #endif /* MAC */ error = 0; @@ -1282,24 +1282,21 @@ break; #ifdef MAC case SO_LABEL: - case SO_PEERLABEL: + /* + * XXX: This will probably have to be removed soon. + */ if(sopt->sopt_td != NULL) error = suser_cred(sopt->sopt_td->td_ucred, 0); if(error) goto bad; error = sooptcopyin(sopt, &label, sizeof label, - sizeof label); + sizeof label); if (error) goto bad; - error = mac_validate_label(&label); - if (error) - goto bad; - - labelp = (sopt->sopt_name == SO_LABEL ? - &so->so_label : &so->so_peerlabel); - bcopy(&label, labelp, sizeof label); + error = mac_setsockopt_label_set( + sopt->sopt_td->td_ucred, so, &label); break; #endif /* MAC */ ==== //depot/projects/trustedbsd/mac/sys/sys/mac.h#100 (text+ko) ==== 
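Review bot: In kern_mac.c, `mac_setsockopt_label_set()` is added without a header comment, so nothing records its return contract or what the caller is expected to have checked first. From the visible lines it validates the label, runs the `cred_check_relabel_socket` policy check and only then performs `relabel_socket`, so a comment such as `/* Relabel socket so on behalf of cred: EINVAL if the label is invalid, the policy's error if a policy refuses, 0 on success. */` would state that. `error` is declared uninitialised and tested straight after `MAC_CHECK`; presumably the macro assigns it, but its definition is outside this hunk, so either confirm that or write `int error = 0;`.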
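Review bot: In the `SO_LABEL` case of uipc_socket.c, the new call `mac_setsockopt_label_set(sopt->sopt_td->td_ucred, so, &label)` dereferences `sopt->sopt_td` unconditionally, while the `suser_cred()` check a few lines above is guarded by `if(sopt->sopt_td != NULL)`. If this case can be reached with a NULL `sopt_td`, which the existing guard suggests is possible, the privilege check is skipped and the relabel call then faults on a NULL pointer in the kernel. Reject that case before the copy-in, for example `if (sopt->sopt_td == NULL) { error = EINVAL; goto bad; }`, or decide explicitly which credential applies when no thread is attached. This guard should stay even if the `suser_cred()` check marked XXX is later removed, since the MAC check still needs a credential. The enclosing function starts and ends outside the hunk.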
@@ -290,6 +290,8 @@ struct ifnet *ifnet); int mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr, struct ifnet *ifnet); +int mac_setsockopt_label_set(struct ucred *cred, struct socket *so, + struct mac *label); /* Label creation events. */ void mac_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d); To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message