Date:      Fri, 17 Oct 2008 15:11:12 +0000 (UTC)
From:      "Bjoern A. Zeeb" <bz@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r183980 - in head/sys/security: mac_biba mac_lomac mac_mls mac_partition mac_seeotheruids mac_stub mac_test
Message-ID:  <200810171511.m9HFBC6c091384@svn.freebsd.org>

Author: bz
Date: Fri Oct 17 15:11:12 2008
New Revision: 183980
URL: http://svn.freebsd.org/changeset/base/183980

Log:
  Add a mac_inpcb_check_visible implementation to all MAC policies
  that handle mac_socket_check_visible.
  
  Reviewed by:	rwatson
  MFC after:	3 months (set timer; decide then)

Modified:
  head/sys/security/mac_biba/mac_biba.c
  head/sys/security/mac_lomac/mac_lomac.c
  head/sys/security/mac_mls/mac_mls.c
  head/sys/security/mac_partition/mac_partition.c
  head/sys/security/mac_seeotheruids/mac_seeotheruids.c
  head/sys/security/mac_stub/mac_stub.c
  head/sys/security/mac_test/mac_test.c

Modified: head/sys/security/mac_biba/mac_biba.c
==============================================================================
--- head/sys/security/mac_biba/mac_biba.c	Fri Oct 17 15:10:45 2008	(r183979)
+++ head/sys/security/mac_biba/mac_biba.c	Fri Oct 17 15:11:12 2008	(r183980)
@@ -1115,6 +1115,24 @@ biba_inpcb_check_deliver(struct inpcb *i
 	return (biba_equal_effective(p, i) ? 0 : EACCES);
 }
 
+static int
+biba_inpcb_check_visible(struct ucred *cred, struct inpcb *inp,
+    struct label *inplabel)
+{
+	struct mac_biba *subj, *obj;
+
+	if (!biba_enabled)
+		return (0);
+
+	subj = SLOT(cred->cr_label);
+	obj = SLOT(inplabel);
+
+	if (!biba_dominate_effective(obj, subj))
+		return (ENOENT);
+
+	return (0);
+}
+
 static void
 biba_inpcb_create(struct socket *so, struct label *solabel,
     struct inpcb *inp, struct label *inplabel)
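Review bot: biba_inpcb_check_visible returns ENOENT when the object label does not dominate the subject, while biba_inpcb_check_deliver just above returns EACCES for its failed comparison, and nothing in the hunk records why the two differ. Presumably ENOENT is chosen so a hidden inpcb is reported as absent rather than as denied; a comment such as `/* Hidden objects are reported as absent (ENOENT), not denied (EACCES), so their existence is not disclosed. */` above the dominance check would make that intent explicit. The same missing explanation applies to lomac_inpcb_check_visible and mls_inpcb_check_visible in the following hunks. The `inp` argument is otherwise unused; if the caller is expected to hold the inpcb lock while `inplabel` is read, an `INP_LOCK_ASSERT(inp);` at the top would document and enforce that, but the caller's locking contract is not visible in this diff.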
@@ -3300,6 +3318,7 @@ static struct mac_policy_ops mac_biba_op
 	.mpo_ifnet_relabel = biba_ifnet_relabel,
 
 	.mpo_inpcb_check_deliver = biba_inpcb_check_deliver,
+	.mpo_inpcb_check_visible = biba_inpcb_check_visible,
 	.mpo_inpcb_create = biba_inpcb_create,
 	.mpo_inpcb_create_mbuf = biba_inpcb_create_mbuf,
 	.mpo_inpcb_destroy_label = biba_destroy_label,

Modified: head/sys/security/mac_lomac/mac_lomac.c
==============================================================================
--- head/sys/security/mac_lomac/mac_lomac.c	Fri Oct 17 15:10:45 2008	(r183979)
+++ head/sys/security/mac_lomac/mac_lomac.c	Fri Oct 17 15:11:12 2008	(r183980)
@@ -1244,6 +1244,24 @@ lomac_inpcb_check_deliver(struct inpcb *
 	return (lomac_equal_single(p, i) ? 0 : EACCES);
 }
 
+static int
+lomac_inpcb_check_visible(struct ucred *cred, struct inpcb *inp,
+    struct label *inplabel)
+{
+	struct mac_lomac *subj, *obj;
+
+	if (!lomac_enabled)
+		return (0);
+
+	subj = SLOT(cred->cr_label);
+	obj = SLOT(inplabel);
+
+	if (!lomac_dominate_single(obj, subj))
+		return (ENOENT);
+
+	return (0);
+}
+
 static void
 lomac_inpcb_create(struct socket *so, struct label *solabel,
     struct inpcb *inp, struct label *inplabel)
@@ -2861,6 +2879,7 @@ static struct mac_policy_ops lomac_ops =
 	.mpo_syncache_init_label = lomac_init_label_waitcheck,
 
 	.mpo_inpcb_check_deliver = lomac_inpcb_check_deliver,
+	.mpo_inpcb_check_visible = lomac_inpcb_check_visible,
 	.mpo_inpcb_create = lomac_inpcb_create,
 	.mpo_inpcb_create_mbuf = lomac_inpcb_create_mbuf,
 	.mpo_inpcb_destroy_label = lomac_destroy_label,

Modified: head/sys/security/mac_mls/mac_mls.c
==============================================================================
--- head/sys/security/mac_mls/mac_mls.c	Fri Oct 17 15:10:45 2008	(r183979)
+++ head/sys/security/mac_mls/mac_mls.c	Fri Oct 17 15:11:12 2008	(r183980)
@@ -1033,6 +1033,24 @@ mls_inpcb_check_deliver(struct inpcb *in
 	return (mls_equal_effective(p, i) ? 0 : EACCES);
 }
 
+static int
+mls_inpcb_check_visible(struct ucred *cred, struct inpcb *inp,
+    struct label *inplabel)
+{
+	struct mac_mls *subj, *obj;
+
+	if (!mls_enabled)
+		return (0);
+
+	subj = SLOT(cred->cr_label);
+	obj = SLOT(inplabel);
+
+	if (!mls_dominate_effective(subj, obj))
+		return (ENOENT);
+
+	return (0);
+}
+
 static void
 mls_inpcb_create(struct socket *so, struct label *solabel, struct inpcb *inp,
     struct label *inplabel)
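Review bot: The dominance call in mls_inpcb_check_visible is `mls_dominate_effective(subj, obj)`, the reverse argument order from the Biba and LOMAC versions added in the earlier hunks, and the hunk gives no hint that this is deliberate. It appears correct (an MLS subject must dominate an object to read it, whereas Biba requires the object to dominate the subject), but a reader comparing the three policies is likely to "fix" one of them. Add a comment such as `/* MLS: subject must dominate object to see it (dual of the Biba check). */` above the condition.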
@@ -2923,6 +2941,7 @@ static struct mac_policy_ops mls_ops =
 	.mpo_ifnet_relabel = mls_ifnet_relabel,
 
 	.mpo_inpcb_check_deliver = mls_inpcb_check_deliver,
+	.mpo_inpcb_check_visible = mls_inpcb_check_visible,
 	.mpo_inpcb_create = mls_inpcb_create,
 	.mpo_inpcb_create_mbuf = mls_inpcb_create_mbuf,
 	.mpo_inpcb_destroy_label = mls_destroy_label,

Modified: head/sys/security/mac_partition/mac_partition.c
==============================================================================
--- head/sys/security/mac_partition/mac_partition.c	Fri Oct 17 15:10:45 2008	(r183979)
+++ head/sys/security/mac_partition/mac_partition.c	Fri Oct 17 15:11:12 2008	(r183980)
@@ -51,10 +51,15 @@
 #include <sys/priv.h>
 #include <sys/proc.h>
 #include <sys/sbuf.h>
+#include <sys/socket.h>
 #include <sys/socketvar.h>
 #include <sys/systm.h>
 #include <sys/sysctl.h>
 
+#include <net/route.h>
+#include <netinet/in.h>
+#include <netinet/in_pcb.h>
+
 #include <security/mac/mac_policy.h>
 #include <security/mac_partition/mac_partition.h>
 
@@ -199,6 +204,17 @@ partition_cred_relabel(struct ucred *cre
 }
 
 static int
+partition_inpcb_check_visible(struct ucred *cred, struct inpcb *inp,
+    struct label *inplabel)
+{
+	int error;
+
+	error = label_on_label(cred->cr_label, inp->inp_cred->cr_label);
+
+	return (error ? ENOENT : 0);
+}
+
+static int
 partition_proc_check_debug(struct ucred *cred, struct proc *p)
 {
 	int error;
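Review bot: partition_inpcb_check_visible ignores its `inplabel` parameter and instead compares the subject credential against `inp->inp_cred->cr_label`, which is not explained anywhere in the hunk; a comment such as `/* Partition labels live on credentials, not on the inpcb, so compare against the owning cred's label. */` would stop a later reader from "correcting" the call to use `inplabel`. The deference of `inp->inp_cred` assumes the inpcb always carries a credential and that it is stable for the duration of the call, which I cannot confirm from this diff; if that depends on the caller holding the inpcb lock, an `INP_LOCK_ASSERT(inp);` would document it. seeotheruids_inpcb_check_visible in the later hunk has the same unused `inplabel` and the same `inp->inp_cred` dependency, and would benefit from the same comment. The `static int` on the last line of this hunk belongs to partition_proc_check_debug, whose body continues outside the hunk.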
@@ -283,6 +299,7 @@ static struct mac_policy_ops partition_o
 	.mpo_cred_init_label = partition_cred_init_label,
 	.mpo_cred_internalize_label = partition_cred_internalize_label,
 	.mpo_cred_relabel = partition_cred_relabel,
+	.mpo_inpcb_check_visible = partition_inpcb_check_visible,
 	.mpo_proc_check_debug = partition_proc_check_debug,
 	.mpo_proc_check_sched = partition_proc_check_sched,
 	.mpo_proc_check_signal = partition_proc_check_signal,

Modified: head/sys/security/mac_seeotheruids/mac_seeotheruids.c
==============================================================================
--- head/sys/security/mac_seeotheruids/mac_seeotheruids.c	Fri Oct 17 15:10:45 2008	(r183979)
+++ head/sys/security/mac_seeotheruids/mac_seeotheruids.c	Fri Oct 17 15:11:12 2008	(r183980)
@@ -51,9 +51,14 @@
 #include <sys/priv.h>
 #include <sys/proc.h>
 #include <sys/systm.h>
+#include <sys/socket.h>
 #include <sys/socketvar.h>
 #include <sys/sysctl.h>
 
+#include <net/route.h>
+#include <netinet/in.h>
+#include <netinet/in_pcb.h>
+
 #include <security/mac/mac_policy.h>
 
 SYSCTL_DECL(_security_mac);
@@ -155,6 +160,14 @@ seeotheruids_cred_check_visible(struct u
 }
 
 static int
+seeotheruids_inpcb_check_visible(struct ucred *cred, struct inpcb *inp,
+    struct label *inplabel)
+{
+
+	return (seeotheruids_check(cred, inp->inp_cred));
+}
+
+static int
 seeotheruids_socket_check_visible(struct ucred *cred, struct socket *so,
     struct label *solabel)
 {
@@ -168,6 +181,7 @@ static struct mac_policy_ops seeotheruid
 	.mpo_proc_check_sched = seeotheruids_proc_check_sched,
 	.mpo_proc_check_signal = seeotheruids_proc_check_signal,
 	.mpo_cred_check_visible = seeotheruids_cred_check_visible,
+	.mpo_inpcb_check_visible = seeotheruids_inpcb_check_visible,
 	.mpo_socket_check_visible = seeotheruids_socket_check_visible,
 };
 

Modified: head/sys/security/mac_stub/mac_stub.c
==============================================================================
--- head/sys/security/mac_stub/mac_stub.c	Fri Oct 17 15:10:45 2008	(r183979)
+++ head/sys/security/mac_stub/mac_stub.c	Fri Oct 17 15:11:12 2008	(r183980)
@@ -859,6 +859,14 @@ stub_socket_check_stat(struct ucred *cre
 }
 
 static int
+stub_inpcb_check_visible(struct ucred *cred, struct inpcb *inp,
+   struct label *inplabel)
+{
+
+	return (0);
+}
+
+static int
 stub_socket_check_visible(struct ucred *cred, struct socket *so,
    struct label *solabel)
 {
@@ -1531,6 +1539,7 @@ static struct mac_policy_ops stub_ops =
 	.mpo_ifnet_relabel = stub_ifnet_relabel,
 
 	.mpo_inpcb_check_deliver = stub_inpcb_check_deliver,
+	.mpo_inpcb_check_visible = stub_inpcb_check_visible,
 	.mpo_inpcb_create = stub_inpcb_create,
 	.mpo_inpcb_create_mbuf = stub_inpcb_create_mbuf,
 	.mpo_inpcb_destroy_label = stub_destroy_label,

Modified: head/sys/security/mac_test/mac_test.c
==============================================================================
--- head/sys/security/mac_test/mac_test.c	Fri Oct 17 15:10:45 2008	(r183979)
+++ head/sys/security/mac_test/mac_test.c	Fri Oct 17 15:11:12 2008	(r183980)
@@ -494,6 +494,19 @@ test_inpcb_check_deliver(struct inpcb *i
 	return (0);
 }
 
+COUNTER_DECL(inpcb_check_visible);
+static int
+test_inpcb_check_visible(struct ucred *cred, struct inpcb *inp,
+    struct label *inplabel)
+{
+
+	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+	LABEL_CHECK(inplabel, MAGIC_INPCB);
+	COUNTER_INC(inpcb_check_visible);
+
+	return (0);
+}
+
 COUNTER_DECL(inpcb_create);
 static void
 test_inpcb_create(struct socket *so, struct label *solabel,
@@ -2840,6 +2853,7 @@ static struct mac_policy_ops test_ops =
 	.mpo_sysvshm_init_label = test_sysvshm_init_label,
 
 	.mpo_inpcb_check_deliver = test_inpcb_check_deliver,
+	.mpo_inpcb_check_visible = test_inpcb_check_visible,
 	.mpo_inpcb_create = test_inpcb_create,
 	.mpo_inpcb_create_mbuf = test_inpcb_create_mbuf,
 	.mpo_inpcb_destroy_label = test_inpcb_destroy_label,


