Date: Mon, 22 Jan 2007 16:23:18 GMT From: Todd Miller <millert@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 113363 for review Message-ID: <200701221623.l0MGNIbu031248@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=113363 Change 113363 by millert@millert_macbook on 2007/01/22 16:23:09 Adapt to mac_ifnet_check_transmit() and mac_inpcb_check_deliver() API change. Affected files ... .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#75 edit Differences ... ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#75 (text+ko) ====
@@ -3125,18 +3125,33 @@
 #endif
 static int
-sebsd_ifnet_check_transmit(struct ifnet *ifp,
- struct label *ifnetlabel, struct mbuf *m, struct label *mbuflabel)
+sebsd_ifnet_check_transmit(struct ifnet *ifp, struct label *ifnetlabel,
+ struct mbuf *m, struct label *mbuflabel, int family, int type)
 {
 struct network_security_struct *ifsec, *msec;
+ u_int32_t perm;
 int error;
 ifsec = SLOT(ifnetlabel);
 msec = SLOT(mbuflabel);
+ /* XXX - other types of perm, see selinux_sock_rcv_skb_compat() */
+ switch (type) {
+ case SOCK_STREAM:
+ perm = NETIF__TCP_SEND;
+ break;
+ case SOCK_DGRAM:
+ perm = NETIF__UDP_SEND;
+ break;
+ case SOCK_RAW:
+ default:
+ perm = NETIF__RAWIP_SEND;
+ break;
+ }
+
 /* XXX - use an audit struct so we can log useful info */
- error = avc_has_perm(msec->sid, ifsec->sid, SECCLASS_PACKET,
- PACKET__SEND, NULL);
+ error = avc_has_perm(msec->sid, ifsec->sid, SECCLASS_NETIF,
+ perm, NULL);
 return (error);
 }
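Review bot: The new `family` argument is never read in sebsd_ifnet_check_transmit: the `switch (type)` alone picks the permission, so a SOCK_STREAM or SOCK_DGRAM packet from a non-IP protocol family would be authorised as NETIF__TCP_SEND or NETIF__UDP_SEND. If only IP families can reach this hook, record that above the switch, e.g. `/* family is not consulted: callers are assumed to pass only AF_INET/AF_INET6 traffic */`; otherwise the TCP and UDP arms should be taken only for those families. The `default:` arm also folds every unrecognised type into NETIF__RAWIP_SEND, which deserves a one-line comment saying this is deliberate, so policy authors know what that permission ends up covering. sebsd_inpcb_check_deliver in the following hunk has the same unused `family` and the same default arm.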
@@ -3157,18 +3172,33 @@
 }
 static int
-sebsd_inpcb_check_deliver(struct inpcb *inp,
- struct label *inplabel, struct mbuf *m, struct label *mbuflabel)
+sebsd_inpcb_check_deliver(struct inpcb *inp, struct label *inplabel,
+ struct mbuf *m, struct label *mbuflabel, int family, int type)
 {
 struct network_security_struct *ifsec, *msec;
+ u_int32_t perm;
 int error;
 ifsec = SLOT(inplabel);
 msec = SLOT(mbuflabel);
+ /* XXX - other types of perm, see selinux_sock_rcv_skb_compat() */
+ switch (type) {
+ case SOCK_STREAM:
+ perm = NETIF__TCP_RECV;
+ break;
+ case SOCK_DGRAM:
+ perm = NETIF__UDP_RECV;
+ break;
+ case SOCK_RAW:
+ default:
+ perm = NETIF__RAWIP_RECV;
+ break;
+ }
+
 /* XXX - use an audit struct so we can log useful info */
- error = avc_has_perm(msec->sid, ifsec->sid, SECCLASS_PACKET,
- PACKET__RECV, NULL);
+ error = avc_has_perm(msec->sid, ifsec->sid, SECCLASS_NETIF,
+ perm, NULL);
 return (error);
 }
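Review bot: The access check in sebsd_inpcb_check_deliver now uses SECCLASS_NETIF with a NETIF__*_RECV permission, but its target SID still comes from `SLOT(inplabel)`, which is the inpcb's label and not an interface's; the local is only named `ifsec`. Rules for the netif class are presumably written against interface types, so this check would be evaluated against a socket-derived type. That could deny delivery outright, or force allow rules that grant netif permissions on socket types, so the intended class and target pairing should be confirmed. At minimum, rename the local and record the intent next to the call, e.g. `/* XXX - target is the inpcb SID but the class is netif; revisit the class/target pairing */`.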