Date:      Thu, 27 Jun 2002 07:08:41 -0700 (PDT)
From:      Brian Feldman <green@FreeBSD.org>
To:        Perforce Change Reviews <perforce@freebsd.org>
Subject:   PERFORCE change 13477 for review
Message-ID:  <200206271408.g5RE8f0k050279@freefall.freebsd.org>

http://people.freebsd.org/~peter/p4db/chv.cgi?CH=13477

Change 13477 by green@green_laptop_2 on 2002/06/27 07:08:17

	Update mac_te and mac_none more.

Affected files ...

.. //depot/projects/trustedbsd/mac/sys/security/mac_none/mac_none.c#31 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.c#33 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.h#2 edit

Differences ...

==== //depot/projects/trustedbsd/mac/sys/security/mac_none/mac_none.c#31 (text+ko) ====

@@ -271,6 +271,13 @@
 }
 
 static void
+mac_none_create_vnode_from_exported(struct ucred *cred, struct vnode *vp,
+    struct mac *extmac, struct label *intlabel)
+{
+
+}
+
+static void
 mac_none_create_mount(struct ucred *cred, struct mount *mp,
     struct label *mntlabel, struct label *fslabel)
 {
@@ -825,6 +832,8 @@
 	    (macop_t)mac_none_create_devfs_directory },
 	{ MAC_CREATE_DEVFS_VNODE,
 	    (macop_t)mac_none_create_devfs_vnode },
+	{ MAC_CREATE_VNODE_FROM_EXPORTED,
+	    (macop_t)mac_none_create_vnode_from_exported },
 	{ MAC_CREATE_VNODE_FROM_VNODE,
 	    (macop_t)mac_none_create_vnode_from_vnode },
 	{ MAC_CREATE_MOUNT,

==== //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.c#33 (text+ko) ====

@@ -652,6 +652,42 @@
 }
 
 static int
+mac_te_cred_check_bind_socket(struct ucred *cred, struct socket *socket,
+    struct label *socketlabel, struct sockaddr *sockaddr)
+{
+
+	if (!mac_te_enabled)
+		return (0);
+
+	return (mac_te_check(SLOT(&cred->cr_label), SLOT(socketlabel),
+	    MAC_TE_CLASS_SOCKET, MAC_TE_OPERATION_SOCKET_BIND));
+}
+
+static int
+mac_te_cred_check_connect_socket(struct ucred *cred, struct socket *socket,
+    struct label *socketlabel, struct sockaddr *sockaddr)
+{
+
+	if (!mac_te_enabled)
+		return (0);
+
+	return (mac_te_check(SLOT(&cred->cr_label), SLOT(socketlabel),
+	    MAC_TE_CLASS_SOCKET, MAC_TE_OPERATION_SOCKET_CONNECT));
+}
+
+static int
+mac_te_cred_check_listen_socket(struct ucred *cred, struct socket *socket,
+    struct label *socketlabel)
+{
+
+	if (!mac_te_enabled)
+		return (0);
+
+	return (mac_te_check(SLOT(&cred->cr_label), SLOT(socketlabel),
+	    MAC_TE_CLASS_SOCKET, MAC_TE_OPERATION_SOCKET_LISTEN));
+}
+
+static int
 mac_te_socket_check_receive_mbuf(struct socket *so, struct label *socketlabel,
     struct mbuf *m, struct label *mbuflabel)
 {
@@ -866,6 +902,15 @@
 	mac_te_init_label_as(SLOT(fslabel), MAC_TE_TYPE_FS);
 }
 
+static void
+mac_te_relabel_vnode(struct ucred *cred, struct vnode *vp,
+    struct label *vnodelabel, struct label *label)
+{
+
+	mac_te_copy_label(SLOT(label), SLOT(vnodelabel));
+}
+
+
 static int
 mac_te_internalize(struct label *label, const struct mac *extlabel)
 {
@@ -914,6 +959,14 @@
 }
 
 static void
+mac_te_create_devfs_vnode(struct devfs_dirent *de, struct label *direntlabel,
+    struct vnode *vp, struct label *vnodelabel)
+{
+
+	mac_te_copy_label(SLOT(direntlabel), SLOT(vnodelabel));
+}
+
+static void
 mac_te_create_vnode_from_vnode(struct ucred *cred, struct vnode *parent,
     struct label *parentlabel, struct vnode *child, struct label *childlabel)
 {
@@ -921,6 +974,15 @@
 	mac_te_create_object(cred, childlabel);
 }
 
+static void
+mac_te_create_vnode_from_exported(struct ucred *cred, struct vnode *vp,
+    struct mac *extmac, struct label *intlabel)
+{
+
+	/* XXX should check return */
+	mac_te_internalize(intlabel, extmac);
+}
+
 static int
 mac_te_cred_check_open_vnode(struct ucred *cred, struct vnode *vp,
     struct label *filelabel, mode_t acc_mode)
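Review bot: The result of `mac_te_internalize(intlabel, extmac);` in mac_te_create_vnode_from_exported is discarded, so a malformed or unrecognized exported label leaves intlabel in whatever state internalize abandoned it in while the vnode is still created; the `/* XXX should check return */` names the gap, but since the hook returns void the error cannot be propagated from here. The sibling mac_te_update_vnode_from_externalized added in this same change does return internalize's result, so the two paths treat the same failure differently. Until the hook signature can carry an error, fall back to a known label when internalize fails, e.g. `if (mac_te_internalize(intlabel, extmac) != 0) mac_te_init_label_as(SLOT(intlabel), MAC_TE_TYPE_FS);` — which default type is appropriate is not visible in this hunk and should be confirmed against the policy. If no safe default exists, replace the XXX with a comment stating that intlabel is left undefined on failure so callers know what they are getting.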
@@ -1299,6 +1361,46 @@
 	return (error);
 }
 
+static void
+mac_te_update_devfsdirent_from_vnode(struct devfs_dirent *devfs_dirent,
+    struct label *direntlabel, struct vnode *vp, struct label *vnodelabel)
+{
+
+	mac_te_copy_label(SLOT(vnodelabel), SLOT(direntlabel));
+}
+
+static void
+mac_te_update_procfsvnode_from_subject(struct vnode *vp,
+    struct label *vnodelabel, struct ucred *cred)
+{
+
+	mac_te_copy_label(SLOT(&cred->cr_label), SLOT(vnodelabel));
+}
+
+static int
+mac_te_update_vnode_from_externalized(struct vnode *vp,
+    struct label *vnodelabel, struct mac *mac)
+{
+
+	return (mac_te_internalize(vnodelabel, mac));
+}
+
+static void
+mac_te_update_vnode_from_mount(struct vnode *vp, struct label *vnodelabel,
+    struct mount *mp, struct label *fslabel)
+{
+
+	mac_te_copy_label(SLOT(fslabel), SLOT(vnodelabel));
+}
+
+static void
+mac_te_update_ipq_from_fragment(struct mbuf *fragment,
+    struct label *fragmentlabel, struct ipq *ipq, struct label *ipqlabel)
+{
+
+	mac_te_copy_label(SLOT(fragmentlabel), SLOT(ipqlabel));
+}
+
 static struct mac_policy_op_entry mac_te_ops[] =
 {
         { MAC_INIT_BPFDESC, (macop_t)mac_te_init_bpfdesc },
@@ -1323,8 +1425,11 @@
         { MAC_DESTROY_VNODE, (macop_t)mac_te_destroy_vnode },
 	{ MAC_CREATE_DEVFS_DEVICE, (macop_t)mac_te_create_devfs_device },
 	{ MAC_CREATE_DEVFS_DIRECTORY, (macop_t)mac_te_create_devfs_directory },
+	{ MAC_CREATE_DEVFS_VNODE, (macop_t)mac_te_create_devfs_vnode },
 	{ MAC_CREATE_VNODE_FROM_VNODE,
 	    (macop_t)mac_te_create_vnode_from_vnode },
+	{ MAC_CREATE_VNODE_FROM_EXPORTED,
+	    (macop_t)mac_te_create_vnode_from_exported },
 	{ MAC_CREATE_MOUNT, (macop_t)mac_te_create_mount },
 	{ MAC_CREATE_ROOT_MOUNT, (macop_t)mac_te_create_root_mount },
 	{ MAC_CREATE_MBUF_FROM_SOCKET,
@@ -1365,10 +1470,16 @@
 	{ MAC_CREATE_PROC0, (macop_t)mac_te_create_proc0 },
 	{ MAC_CREATE_PROC1, (macop_t)mac_te_create_proc1 },
 	{ MAC_RELABEL_SUBJECT, (macop_t)mac_te_relabel_subject },
+	{ MAC_RELABEL_VNODE, (macop_t)mac_te_relabel_vnode },
 	{ MAC_BPFDESC_CHECK_RECEIVE_FROM_IFNET,
 	    (macop_t)mac_te_bpfdesc_check_receive_from_ifnet },
 	{ MAC_CRED_CHECK_SEE_CRED, (macop_t)mac_te_cred_check_see_cred },
 	{ MAC_CRED_CHECK_SEE_SOCKET, (macop_t)mac_te_cred_check_see_socket },
+	{ MAC_CRED_CHECK_BIND_SOCKET, (macop_t)mac_te_cred_check_bind_socket },
+	{ MAC_CRED_CHECK_CONNECT_SOCKET,
+	    (macop_t)mac_te_cred_check_connect_socket },
+	{ MAC_CRED_CHECK_LISTEN_SOCKET,
+	    (macop_t)mac_te_cred_check_listen_socket },
 	{ MAC_CRED_CHECK_RELABEL_IFNET,
 	    (macop_t)mac_te_cred_check_relabel_ifnet },
 	{ MAC_CRED_CHECK_RELABEL_SOCKET,
@@ -1382,6 +1493,7 @@
 	{ MAC_CRED_CHECK_CHDIR_VNODE, (macop_t)mac_te_cred_check_chdir_vnode },
 	{ MAC_CRED_CHECK_CREATE_VNODE,
 	    (macop_t)mac_te_cred_check_create_vnode },
+	{ MAC_RELABEL_VNODE, (macop_t)mac_te_relabel_vnode },
 	{ MAC_CRED_CHECK_DELETE_VNODE,
 	    (macop_t)mac_te_cred_check_delete_vnode },
 	{ MAC_CRED_CHECK_EXEC_VNODE, (macop_t)mac_te_cred_check_exec_vnode },
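Review bot: `{ MAC_RELABEL_VNODE, (macop_t)mac_te_relabel_vnode },` is registered a second time here, in the middle of the MAC_CRED_CHECK_* entries, while the same pair is already added by the earlier hunk next to MAC_RELABEL_SUBJECT. How the framework treats a duplicate operation key in mac_te_ops[] is not visible in this diff — it may take the first or last match or reject the module at load — but one of the two entries is redundant either way. Its placement among the access-check entries suggests a MAC_CRED_CHECK_RELABEL_VNODE hook was intended, which this change does not define; if the framework does not enforce that check on its own, mac_te_relabel_vnode would copy any requested label onto the vnode without a subject check. Drop this line, and add the cred check hook as its own function if that was the intent.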
@@ -1414,6 +1526,16 @@
 	    (macop_t)mac_te_socket_check_receive_mbuf },
 	{ MAC_EXTERNALIZE, (macop_t)mac_te_externalize },
 	{ MAC_INTERNALIZE, (macop_t)mac_te_internalize },
+	{ MAC_UPDATE_DEVFSDIRENT_FROM_VNODE,
+	    (macop_t)mac_te_update_devfsdirent_from_vnode },
+	{ MAC_UPDATE_PROCFSVNODE_FROM_SUBJECT,
+	    (macop_t)mac_te_update_procfsvnode_from_subject },
+	{ MAC_UPDATE_VNODE_FROM_EXTERNALIZED,
+	    (macop_t)mac_te_update_vnode_from_externalized },
+	{ MAC_UPDATE_VNODE_FROM_MOUNT,
+	    (macop_t)mac_te_update_vnode_from_mount },
+	{ MAC_UPDATE_IPQ_FROM_FRAGMENT,
+	    (macop_t)mac_te_update_ipq_from_fragment },
 	{ MAC_OP_LAST, NULL }
 };
 

==== //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.h#2 (text+ko) ====

@@ -96,5 +96,8 @@
 
 #define	MAC_TE_CLASS_SOCKET		7
 #define	MAC_TE_OPERATION_SOCKET_SEE		1
+#define	MAC_TE_OPERATION_SOCKET_BIND		2
+#define	MAC_TE_OPERATION_SOCKET_CONNECT		3
+#define	MAC_TE_OPERATION_SOCKET_LISTEN		4
 
 #endif /* _SYS_SECURITY_MAC_TE_H */




