Date: Sat, 15 Nov 2003 12:08:11 -0800 (PST) From: Robert Watson <rwatson@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 42484 for review Message-ID: <200311152008.hAFK8B7c090174@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=42484 Change 42484 by rwatson@rwatson_tislabs on 2003/11/15 12:07:46 Add labels to struct inpcb, which for most policies will simply cache the label stored in struct socket. This will permit policies to enforce protections during delivery of an mbuf to an inpcb without reaching up to the socket layer to read a label protected by what will eventually be the socket lock. For all inpcb-related protocols, the inpcb label is now used for the delivery check. For non-inpcb related protocols (netatalk, etc), the socket label is still used. Affected files ... .. //depot/projects/trustedbsd/mac/sys/kern/uipc_socket2.c#37 edit .. //depot/projects/trustedbsd/mac/sys/kern/uipc_usrreq.c#29 edit .. //depot/projects/trustedbsd/mac/sys/net/raw_usrreq.c#10 edit .. //depot/projects/trustedbsd/mac/sys/net/rtsock.c#21 edit .. //depot/projects/trustedbsd/mac/sys/netatalk/ddp_usrreq.c#11 edit .. //depot/projects/trustedbsd/mac/sys/netatm/atm_aal5.c#7 edit .. //depot/projects/trustedbsd/mac/sys/netatm/atm_usrreq.c#9 edit .. //depot/projects/trustedbsd/mac/sys/netgraph/bluetooth/socket/ng_btsocket.c#5 edit .. //depot/projects/trustedbsd/mac/sys/netgraph/ng_socket.c#11 edit .. //depot/projects/trustedbsd/mac/sys/netinet/in_pcb.c#24 edit .. //depot/projects/trustedbsd/mac/sys/netinet/in_pcb.h#20 edit .. //depot/projects/trustedbsd/mac/sys/netinet/ip_divert.c#18 edit .. //depot/projects/trustedbsd/mac/sys/netinet/raw_ip.c#28 edit .. //depot/projects/trustedbsd/mac/sys/netinet/tcp_input.c#45 edit .. //depot/projects/trustedbsd/mac/sys/netinet/tcp_usrreq.c#17 edit .. //depot/projects/trustedbsd/mac/sys/netinet/udp_usrreq.c#26 edit .. //depot/projects/trustedbsd/mac/sys/netinet6/raw_ip6.c#11 edit .. //depot/projects/trustedbsd/mac/sys/netinet6/udp6_usrreq.c#15 edit .. //depot/projects/trustedbsd/mac/sys/netipsec/keysock.c#6 edit .. //depot/projects/trustedbsd/mac/sys/netipx/ipx_usrreq.c#9 edit .. 
//depot/projects/trustedbsd/mac/sys/netipx/spx_usrreq.c#8 edit .. //depot/projects/trustedbsd/mac/sys/netkey/keysock.c#14 edit .. //depot/projects/trustedbsd/mac/sys/netnatm/natm.c#14 edit .. //depot/projects/trustedbsd/mac/sys/security/mac/mac_net.c#14 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#232 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_ifoff/mac_ifoff.c#23 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.c#77 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#187 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_stub/mac_stub.c#11 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#121 edit .. //depot/projects/trustedbsd/mac/sys/sys/mac.h#251 edit .. //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#202 edit .. //depot/projects/trustedbsd/mac/sys/sys/protosw.h#7 edit Differences ... ==== //depot/projects/trustedbsd/mac/sys/kern/uipc_socket2.c#37 (text+ko) ==== @@ -1042,6 +1042,16 @@ } /* + * For protocol types that don't keep cached copies of labels in their + * pcbs, provide a null sosetlabel that does a NOOP. + */ +void +pru_sosetlabel_null(struct socket *so) +{ + +} + +/* * Make a copy of a sockaddr in a malloced buffer of type M_SONAME. */ struct sockaddr * ==== //depot/projects/trustedbsd/mac/sys/kern/uipc_usrreq.c#29 (text+ko) ==== @@ -450,7 +450,7 @@ uipc_connect2, pru_control_notsupp, uipc_detach, uipc_disconnect, uipc_listen, uipc_peeraddr, uipc_rcvd, pru_rcvoob_notsupp, uipc_send, uipc_sense, uipc_shutdown, uipc_sockaddr, - sosend, soreceive, sopoll + sosend, soreceive, sopoll, pru_sosetlabel_null }; int ==== //depot/projects/trustedbsd/mac/sys/net/raw_usrreq.c#10 (text+ko) ==== 
@@ -295,5 +295,5 @@ pru_connect2_notsupp, pru_control_notsupp, raw_udetach, raw_udisconnect, pru_listen_notsupp, raw_upeeraddr, pru_rcvd_notsupp, pru_rcvoob_notsupp, raw_usend, pru_sense_null, raw_ushutdown, - raw_usockaddr, sosend, soreceive, sopoll + raw_usockaddr, sosend, soreceive, sopoll, pru_sosetlabel_null }; ==== //depot/projects/trustedbsd/mac/sys/net/rtsock.c#21 (text+ko) ==== @@ -270,7 +270,7 @@ pru_connect2_notsupp, pru_control_notsupp, rts_detach, rts_disconnect, pru_listen_notsupp, rts_peeraddr, pru_rcvd_notsupp, pru_rcvoob_notsupp, rts_send, pru_sense_null, rts_shutdown, rts_sockaddr, - sosend, soreceive, sopoll + sosend, soreceive, sopoll, pru_sosetlabel_null }; /*ARGSUSED*/ ==== //depot/projects/trustedbsd/mac/sys/netatalk/ddp_usrreq.c#11 (text+ko) ==== @@ -590,5 +590,6 @@ at_setsockaddr, sosend, soreceive, - sopoll + sopoll, + pru_sosetlabel_null }; ==== //depot/projects/trustedbsd/mac/sys/netatm/atm_aal5.c#7 (text+ko) ==== @@ -112,7 +112,8 @@ atm_aal5_sockaddr, /* pru_sockaddr */ sosend, /* pru_sosend */ soreceive, /* pru_soreceive */ - sopoll /* pru_sopoll */ + sopoll, /* pru_sopoll */ + pru_sosetlabel_null /* pru_sosetlabel */ }; /* ==== //depot/projects/trustedbsd/mac/sys/netatm/atm_usrreq.c#9 (text+ko) ==== @@ -83,6 +83,10 @@ pru_sense_null, /* pru_sense */ atm_proto_notsupp1, /* pru_shutdown */ atm_proto_notsupp3, /* pru_sockaddr */ + NULL, /* pru_sosend */ + NULL, /* pru_soreceive */ + NULL, /* pru_sooll */ + pru_sosetlabel_null /* pru_sosetlabel */ }; ==== //depot/projects/trustedbsd/mac/sys/netgraph/bluetooth/socket/ng_btsocket.c#5 (text+ko) ==== @@ -79,7 +79,8 @@ ng_btsocket_hci_raw_sockaddr, /* sockaddr */ sosend, soreceive, - sopoll + sopoll, + pru_sosetlabel_null }; /* @@ -106,7 +107,8 @@ ng_btsocket_l2cap_raw_sockaddr, /* sockaddr */ sosend, soreceive, - sopoll + sopoll, + pru_sosetlabel_null }; /* @@ -133,7 +135,8 @@ ng_btsocket_l2cap_sockaddr, /* sockaddr */ sosend, soreceive, - sopoll + sopoll, + pru_sosetlabel_null }; /* 
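Review bot: In the atm_usrreq.c hunk the comment on the third added `NULL` reads `/* pru_sooll */`, which looks like a typo for `/* pru_sopoll */`. The three `NULL` slots only spell out what the positional initializer previously left zero-filled, so behaviour should not change. Because these tables are positional, a one-line comment saying the NULLs are placeholders needed to reach `pru_sosetlabel` would help whoever appends the next member. The start of the initializer is outside the hunk.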
@@ -160,7 +163,8 @@ ng_btsocket_rfcomm_sockaddr, /* sockaddr */ sosend, soreceive, - sopoll + sopoll, + pru_sosetlabel_null }; /* ==== //depot/projects/trustedbsd/mac/sys/netgraph/ng_socket.c#11 (text+ko) ==== @@ -978,7 +978,8 @@ ng_setsockaddr, sosend, soreceive, - sopoll + sopoll, + pru_sosetlabel_null }; static struct pr_usrreqs ngd_usrreqs = { @@ -1001,7 +1002,8 @@ ng_setsockaddr, sosend, soreceive, - sopoll + sopoll, + pru_sosetlabel_null }; /* ==== //depot/projects/trustedbsd/mac/sys/netinet/in_pcb.c#24 (text+ko) ==== @@ -36,10 +36,12 @@ #include "opt_ipsec.h" #include "opt_inet6.h" +#include "opt_mac.h" #include <sys/param.h> #include <sys/systm.h> #include <sys/limits.h> +#include <sys/mac.h> #include <sys/malloc.h> #include <sys/mbuf.h> #include <sys/domain.h> @@ -161,26 +163,30 @@ struct thread *td; { register struct inpcb *inp; -#if defined(IPSEC) || defined(FAST_IPSEC) int error; -#endif + INP_INFO_WLOCK_ASSERT(pcbinfo); + error = 0; inp = uma_zalloc(pcbinfo->ipi_zone, M_NOWAIT | M_ZERO); if (inp == NULL) return (ENOBUFS); inp->inp_gencnt = ++pcbinfo->ipi_gencnt; inp->inp_pcbinfo = pcbinfo; inp->inp_socket = so; +#ifdef MAC + error = mac_init_inpcb(inp, M_NOWAIT); + if (error != 0) + goto out; + mac_create_inpcb_from_socket(so, inp); +#endif #if defined(IPSEC) || defined(FAST_IPSEC) #ifdef FAST_IPSEC error = ipsec_init_policy(so, &inp->inp_sp); #else error = ipsec_init_pcbpolicy(so, &inp->inp_sp); #endif - if (error != 0) { - uma_zfree(pcbinfo->ipi_zone, inp); - return error; - } + if (error != 0) + goto out; #endif /*IPSEC*/ #if defined(INET6) if (INP_SOCKAF(so) == AF_INET6) { @@ -197,7 +203,12 @@ if (ip6_auto_flowlabel) inp->inp_flags |= IN6P_AUTOFLOWLABEL; #endif - return (0); +#if defined(IPSEC) || defined(FAST_IPSEC) || defined(MAC) +out: + if (error != 0) + uma_zfree(pcbinfo->ipi_zone, inp); +#endif + return (error); } int 
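Review bot: In in_pcballoc(), when `mac_init_inpcb()` succeeds but the later `ipsec_init_policy()` / `ipsec_init_pcbpolicy()` call fails, the new `out:` path releases `inp` with `uma_zfree()` without calling `mac_destroy_inpcb()`. The label allocated for the inpcb therefore appears to be leaked, and under `MAC_DEBUG` the inpcb counter would stay incremented. The cleanup needs a NULL guard: on the `mac_init_inpcb()` failure path `inp->inp_label` is NULL, and `mac_destroy_inpcb()` hands the label to the policies' destroy hooks unconditionally. The opening lines of the function are outside the hunk.

```c
out:
	if (error != 0) {
#ifdef MAC
		/* A label exists only if mac_init_inpcb() succeeded. */
		if (inp->inp_label != NULL)
			mac_destroy_inpcb(inp);
#endif
		uma_zfree(pcbinfo->ipi_zone, inp);
	}
	/* … unchanged: #endif and return (error) … */
```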
@@ -700,6 +711,9 @@ ip_freemoptions(inp->inp_moptions); inp->inp_vflag = 0; INP_LOCK_DESTROY(inp); +#ifdef MAC + mac_destroy_inpcb(inp); +#endif uma_zfree(ipi->ipi_zone, inp); } @@ -1216,6 +1230,25 @@ pcbinfo->ipi_count--; } +/* + * A set label operation has occurred at the socket layer, propagate the + * label change into the in_pcb for the socket. + */ +void +in_pcbsosetlabel(so) + struct socket *so; +{ +#ifdef MAC + struct inpcb *inp; + + /* XXX: Will assert socket lock when we have them. */ + inp = (struct inpcb *)so->so_pcb; + INP_LOCK(inp); + mac_inpcb_sosetlabel(so, inp); + INP_UNLOCK(inp); +#endif +} + int prison_xinpcb(struct thread *td, struct inpcb *inp) { ==== //depot/projects/trustedbsd/mac/sys/netinet/in_pcb.h#20 (text+ko) ==== @@ -134,6 +134,7 @@ struct inpcbinfo *inp_pcbinfo; /* PCB list info */ struct socket *inp_socket; /* back pointer to socket */ /* list for this PCB's local port */ + struct label *inp_label; /* MAC label */ int inp_flags; /* generic IP/datagram flags */ struct inpcbpolicy *inp_sp; /* for IPSEC */ @@ -369,10 +370,12 @@ void in_pcbnotifyall(struct inpcbinfo *pcbinfo, struct in_addr, int, struct inpcb *(*)(struct inpcb *, int)); void in_pcbrehash(struct inpcb *); +void in_pcbsetsolabel(struct socket *so); int in_setpeeraddr(struct socket *so, struct sockaddr **nam, struct inpcbinfo *pcbinfo); int in_setsockaddr(struct socket *so, struct sockaddr **nam, struct inpcbinfo *pcbinfo);; struct sockaddr * in_sockaddr(in_port_t port, struct in_addr *addr); +void in_pcbsosetlabel(struct socket *so); void in_pcbremlists(struct inpcb *inp); int prison_xinpcb(struct thread *td, struct inpcb *inp); #endif /* _KERNEL */ ==== //depot/projects/trustedbsd/mac/sys/netinet/ip_divert.c#18 (text+ko) ==== 
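Review bot: in_pcbsosetlabel() casts `so->so_pcb` and immediately takes `INP_LOCK(inp)` without checking that a pcb is still attached to the socket. If a socket whose inpcb has already been detached can still reach the label-set path (not determinable from this hunk), that is a NULL dereference in the kernel, reached through the new `pru_sosetlabel` callback. Either state the invariant with `KASSERT(inp != NULL, ("in_pcbsosetlabel: so_pcb == NULL"));` or return early with `if (inp == NULL) return;`.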
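Review bot: The in_pcb.h prototype hunk adds two declarations, `void in_pcbsetsolabel(struct socket *so);` and `void in_pcbsosetlabel(struct socket *so);`, but only `in_pcbsosetlabel` is defined and referenced in the hunks shown. The first looks like a leftover with the name transposed. It should be dropped so that a later caller cannot pick the undefined name and only find out at link time.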
@@ -651,5 +651,5 @@ pru_connect_notsupp, pru_connect2_notsupp, in_control, div_detach, div_disconnect, pru_listen_notsupp, div_peeraddr, pru_rcvd_notsupp, pru_rcvoob_notsupp, div_send, pru_sense_null, div_shutdown, - div_sockaddr, sosend, soreceive, sopoll + div_sockaddr, sosend, soreceive, sopoll, in_pcbsosetlabel }; ==== //depot/projects/trustedbsd/mac/sys/netinet/raw_ip.c#28 (text+ko) ==== @@ -161,7 +161,7 @@ } #endif /*FAST_IPSEC*/ #ifdef MAC - if (!policyfail && mac_check_socket_deliver(last->inp_socket, n) != 0) + if (!policyfail && mac_check_inpcb_deliver(last, n) != 0) policyfail = 1; #endif if (!policyfail) { @@ -838,5 +838,5 @@ pru_connect2_notsupp, in_control, rip_detach, rip_disconnect, pru_listen_notsupp, rip_peeraddr, pru_rcvd_notsupp, pru_rcvoob_notsupp, rip_send, pru_sense_null, rip_shutdown, - rip_sockaddr, sosend, soreceive, sopoll + rip_sockaddr, sosend, soreceive, sopoll, in_pcbsosetlabel }; ==== //depot/projects/trustedbsd/mac/sys/netinet/tcp_input.c#45 (text+ko) ==== @@ -683,11 +683,11 @@ else tiwin = th->th_win; - so = inp->inp_socket; #ifdef MAC - if (mac_check_socket_deliver(so, m)) + if (mac_check_inpcb_deliver(inp, m)) goto drop; #endif + so = inp->inp_socket; #ifdef TCPDEBUG if (so->so_options & SO_DEBUG) { ostate = tp->t_state; ==== //depot/projects/trustedbsd/mac/sys/netinet/tcp_usrreq.c#17 (text+ko) ==== @@ -816,7 +816,7 @@ tcp_usr_connect, pru_connect2_notsupp, in_control, tcp_usr_detach, tcp_usr_disconnect, tcp_usr_listen, tcp_peeraddr, tcp_usr_rcvd, tcp_usr_rcvoob, tcp_usr_send, pru_sense_null, tcp_usr_shutdown, - tcp_sockaddr, sosend, soreceive, sopoll + tcp_sockaddr, sosend, soreceive, sopoll, in_pcbsosetlabel }; #ifdef INET6 
@@ -825,7 +825,7 @@ tcp6_usr_connect, pru_connect2_notsupp, in6_control, tcp_usr_detach, tcp_usr_disconnect, tcp6_usr_listen, in6_mapped_peeraddr, tcp_usr_rcvd, tcp_usr_rcvoob, tcp_usr_send, pru_sense_null, tcp_usr_shutdown, - in6_mapped_sockaddr, sosend, soreceive, sopoll + in6_mapped_sockaddr, sosend, soreceive, sopoll, in_pcbsosetlabel }; #endif /* INET6 */ ==== //depot/projects/trustedbsd/mac/sys/netinet/udp_usrreq.c#26 (text+ko) ==== @@ -446,7 +446,7 @@ } #endif /*FAST_IPSEC*/ #ifdef MAC - if (mac_check_socket_deliver(last->inp_socket, n) != 0) { + if (mac_check_inpcb_deliver(last, n) != 0) { m_freem(n); return; } @@ -1096,5 +1096,5 @@ pru_connect2_notsupp, in_control, udp_detach, udp_disconnect, pru_listen_notsupp, udp_peeraddr, pru_rcvd_notsupp, pru_rcvoob_notsupp, udp_send, pru_sense_null, udp_shutdown, - udp_sockaddr, sosend, soreceive, sopoll + udp_sockaddr, sosend, soreceive, sopoll, in_pcbsosetlabel }; ==== //depot/projects/trustedbsd/mac/sys/netinet6/raw_ip6.c#11 (text+ko) ==== @@ -750,5 +750,5 @@ pru_connect2_notsupp, in6_control, rip6_detach, rip6_disconnect, pru_listen_notsupp, in6_setpeeraddr, pru_rcvd_notsupp, pru_rcvoob_notsupp, rip6_send, pru_sense_null, rip6_shutdown, - in6_setsockaddr, sosend, soreceive, sopoll + in6_setsockaddr, sosend, soreceive, sopoll, pru_sosetlabel_null }; ==== //depot/projects/trustedbsd/mac/sys/netinet6/udp6_usrreq.c#15 (text+ko) ==== @@ -767,5 +767,5 @@ pru_connect2_notsupp, in6_control, udp6_detach, udp6_disconnect, pru_listen_notsupp, in6_mapped_peeraddr, pru_rcvd_notsupp, pru_rcvoob_notsupp, udp6_send, pru_sense_null, udp_shutdown, - in6_mapped_sockaddr, sosend, soreceive, sopoll + in6_mapped_sockaddr, sosend, soreceive, sopoll, in_pcbsosetlabel }; ==== //depot/projects/trustedbsd/mac/sys/netipsec/keysock.c#6 (text+ko) ==== 
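Review bot: The raw_ip6.c table is given `pru_sosetlabel_null`, while udp6_usrreq.c and the IPv4 raw, divert, TCP and UDP tables are given `in_pcbsosetlabel`. If raw IPv6 sockets allocate their pcb through in_pcballoc() (not visible in this message), the inpcb label is cached at creation and would not follow a later socket relabel, which leaves a stale label for any check that reads `inp_label`. Either use `in_pcbsosetlabel` here as well, or add a comment saying that raw IPv6 delivery still consults the socket label and that the cached copy is intentionally not refreshed.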
@@ -567,7 +567,8 @@ key_disconnect, pru_listen_notsupp, key_peeraddr, pru_rcvd_notsupp, pru_rcvoob_notsupp, key_send, pru_sense_null, key_shutdown, - key_sockaddr, sosend, soreceive, sopoll + key_sockaddr, sosend, soreceive, sopoll, + pru_sosetlabel_null }; /* sysctl */ ==== //depot/projects/trustedbsd/mac/sys/netipx/ipx_usrreq.c#9 (text+ko) ==== @@ -92,7 +92,7 @@ ipx_connect, pru_connect2_notsupp, ipx_control, ipx_detach, ipx_disconnect, pru_listen_notsupp, ipx_peeraddr, pru_rcvd_notsupp, pru_rcvoob_notsupp, ipx_send, pru_sense_null, ipx_shutdown, - ipx_sockaddr, sosend, soreceive, sopoll + ipx_sockaddr, sosend, soreceive, sopoll, pru_sosetlabel_null }; struct pr_usrreqs ripx_usrreqs = { @@ -100,7 +100,7 @@ ipx_connect, pru_connect2_notsupp, ipx_control, ipx_detach, ipx_disconnect, pru_listen_notsupp, ipx_peeraddr, pru_rcvd_notsupp, pru_rcvoob_notsupp, ipx_send, pru_sense_null, ipx_shutdown, - ipx_sockaddr, sosend, soreceive, sopoll + ipx_sockaddr, sosend, soreceive, sopoll, pru_sosetlabel_null }; /* ==== //depot/projects/trustedbsd/mac/sys/netipx/spx_usrreq.c#8 (text+ko) ==== @@ -112,7 +112,7 @@ spx_connect, pru_connect2_notsupp, ipx_control, spx_detach, spx_usr_disconnect, spx_listen, ipx_peeraddr, spx_rcvd, spx_rcvoob, spx_send, pru_sense_null, spx_shutdown, - ipx_sockaddr, sosend, soreceive, sopoll + ipx_sockaddr, sosend, soreceive, sopoll, pru_sosetlabel_null }; struct pr_usrreqs spx_usrreq_sps = { @@ -120,7 +120,7 @@ spx_connect, pru_connect2_notsupp, ipx_control, spx_detach, spx_usr_disconnect, spx_listen, ipx_peeraddr, spx_rcvd, spx_rcvoob, spx_send, pru_sense_null, spx_shutdown, - ipx_sockaddr, sosend, soreceive, sopoll + ipx_sockaddr, sosend, soreceive, sopoll, pru_sosetlabel_null }; void ==== //depot/projects/trustedbsd/mac/sys/netkey/keysock.c#14 (text+ko) ==== 
@@ -477,7 +477,8 @@ key_disconnect, pru_listen_notsupp, key_peeraddr, pru_rcvd_notsupp, pru_rcvoob_notsupp, key_send, pru_sense_null, key_shutdown, - key_sockaddr, sosend, soreceive, sopoll + key_sockaddr, sosend, soreceive, sopoll, + pru_sosetlabel_null }; /* sysctl */ ==== //depot/projects/trustedbsd/mac/sys/netnatm/natm.c#14 (text+ko) ==== @@ -396,7 +396,7 @@ natm_usr_detach, natm_usr_disconnect, pru_listen_notsupp, natm_usr_peeraddr, pru_rcvd_notsupp, pru_rcvoob_notsupp, natm_usr_send, pru_sense_null, natm_usr_shutdown, - natm_usr_sockaddr, sosend, soreceive, sopoll + natm_usr_sockaddr, sosend, soreceive, sopoll, pru_sosetlabel_null }; #else /* !FREEBSD_USRREQS */ ==== //depot/projects/trustedbsd/mac/sys/security/mac/mac_net.c#14 (text+ko) ==== @@ -50,6 +50,7 @@ #include <sys/mount.h> #include <sys/file.h> #include <sys/namei.h> +#include <sys/protosw.h> #include <sys/socket.h> #include <sys/socketvar.h> #include <sys/sysctl.h> @@ -61,6 +62,7 @@ #include <net/if_var.h> #include <netinet/in.h> +#include <netinet/in_pcb.h> #include <netinet/ip_var.h> #include <security/mac/mac_internal.h> @@ -77,12 +79,14 @@ #ifdef MAC_DEBUG static unsigned int nmacmbufs, nmacifnets, nmacbpfdescs, nmacsockets, - nmacipqs; + nmacinpcbs, nmacipqs; SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, mbufs, CTLFLAG_RD, &nmacmbufs, 0, "number of mbufs in use"); SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, ifnets, CTLFLAG_RD, &nmacifnets, 0, "number of ifnets in use"); +SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, inpcbs, CTLFLAG_RD, + &nmacinpcbs, 0, "number of inpcbs in use"); SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, ipqs, CTLFLAG_RD, &nmacipqs, 0, "number of ipqs in use"); SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, bpfdescs, CTLFLAG_RD, 
@@ -143,6 +147,35 @@ } static struct label * +mac_inpcb_label_alloc(int flag) +{ + struct label *label; + int error; + + label = mac_labelzone_alloc(flag); + if (label == NULL) + return (NULL); + MAC_CHECK(init_inpcb_label, label, flag); + if (error) { + MAC_PERFORM(destroy_inpcb_label, label); + mac_labelzone_free(label); + return (NULL); + } + MAC_DEBUG_COUNTER_INC(&nmacinpcbs); + return (label); +} + +int +mac_init_inpcb(struct inpcb *inp, int flag) +{ + + inp->inp_label = mac_inpcb_label_alloc(flag); + if (inp->inp_label == NULL) + return (ENOMEM); + return (0); +} + +static struct label * mac_ipq_label_alloc(int flag) { struct label *label; @@ -311,6 +344,23 @@ } static void +mac_inpcb_label_free(struct label *label) +{ + + MAC_PERFORM(destroy_inpcb_label, label); + mac_labelzone_free(label); + MAC_DEBUG_COUNTER_DEC(&nmacinpcbs); +} + +void +mac_destroy_inpcb(struct inpcb *inp) +{ + + mac_inpcb_label_free(inp->inp_label); + inp->inp_label = NULL; +} + +static void mac_ipq_label_free(struct label *label) { @@ -443,6 +493,14 @@ } void +mac_create_inpcb_from_socket(struct socket *so, struct inpcb *inp) +{ + + MAC_PERFORM(create_inpcb_from_socket, so, so->so_label, inp, + inp->inp_label); +} + +void mac_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d) { @@ -704,6 +762,24 @@ } int +mac_check_inpcb_deliver(struct inpcb *inp, struct mbuf *m) +{ + struct label *label; + int error; + + M_ASSERTPKTHDR(m); + + if (!mac_enforce_socket) + return (0); + + label = mbuf_to_label(m); + + MAC_CHECK(check_inpcb_deliver, inp, inp->inp_label, m, label); + + return (error); +} + +int mac_check_socket_bind(struct ucred *ucred, struct socket *socket, struct sockaddr *sockaddr) { 
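Review bot: mac_check_inpcb_deliver() reads `inp->inp_label` without asserting the inpcb lock, whereas mac_inpcb_sosetlabel() in the same file rewrites that label under `INP_LOCK_ASSERT(inp)`. The raw_ip.c, tcp_input.c and udp_usrreq.c call sites in this change do not show whether the lock is held. If it is, add `INP_LOCK_ASSERT(inp);` after `M_ASSERTPKTHDR(m);` so a relabel cannot race the delivery check unnoticed; if it is not, the locking expectation should be written down in a comment above the function. The check is also gated on `mac_enforce_socket`, so a short comment that inpcb delivery deliberately shares the socket enforcement toggle would avoid confusion.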
@@ -904,6 +980,15 @@ return (0); } +void +mac_inpcb_sosetlabel(struct socket *so, struct inpcb *inp) +{ + + /* XXX: assert socket lock. */ + INP_LOCK_ASSERT(inp); + MAC_PERFORM(inpcb_sosetlabel, so, so->so_label, inp, inp->inp_label); +} + int mac_setsockopt_label_set(struct ucred *cred, struct socket *so, struct mac *mac) @@ -931,6 +1016,7 @@ return (error); } + /* XXX: Will eventually grab a socket lock here. */ mac_check_socket_relabel(cred, so, intlabel); if (error) { mac_socket_label_free(intlabel); @@ -939,6 +1025,16 @@ mac_relabel_socket(cred, so, intlabel); + /* + * If the protocol has expressed interest in socket layer changes, + * such as if it needs to propagate changes to a cached pcb + * label from the socket, notify it of the label change while + * holding the socket lock. + */ + if (so->so_proto->pr_usrreqs->pru_sosetlabel != NULL) + (so->so_proto->pr_usrreqs->pru_sosetlabel)(so); + /* XXX: Will eventually release a socket lock here. */ + mac_socket_label_free(intlabel); return (0); } ==== //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#232 (text+ko) ==== @@ -75,6 +75,7 @@ #include <net/if_var.h> #include <netinet/in.h> +#include <netinet/in_pcb.h> #include <netinet/ip_var.h> #include <vm/uma.h> @@ -1065,6 +1066,18 @@ * Labeling event operations: IPC object. */ static void +mac_biba_create_inpcb_from_socket(struct socket *so, struct label *solabel, + struct inpcb *inp, struct label *inplabel) +{ + struct mac_biba *source, *dest; + + source = SLOT(solabel); + dest = SLOT(inplabel); + + mac_biba_copy_single(source, dest); +} + +static void mac_biba_create_mbuf_from_socket(struct socket *so, struct label *socketlabel, struct mbuf *m, struct label *mbuflabel) { 
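Review bot: Directly under the added `/* XXX: Will eventually grab a socket lock here. */` comment, the context line calls `mac_check_socket_relabel(cred, so, intlabel);` without storing its result. The following `if (error)` therefore tests the value left by the earlier call, which presumably was zero for execution to get this far. As shown, a policy denial of the relabel would be ignored, and both `mac_relabel_socket()` and the new `pru_sosetlabel` propagation into the inpcb would still run. The line should read `error = mac_check_socket_relabel(cred, so, intlabel);`. The beginning of mac_setsockopt_label_set() is outside the hunk, so this rests on the visible lines only.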
@@ -1438,6 +1451,18 @@ /* NOOP: we only accept matching labels, so no need to update */ } +static void +mac_biba_inpcb_sosetlabel(struct socket *so, struct label *solabel, + struct inpcb *inp, struct label *inplabel) +{ + struct mac_biba *source, *dest; + + source = SLOT(solabel); + dest = SLOT(inplabel); + + mac_biba_copy(source, dest); +} + /* * Labeling event operations: processes. */ @@ -1662,6 +1687,21 @@ } static int +mac_biba_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel, + struct mbuf *m, struct label *mlabel) +{ + struct mac_biba *p, *i; + + if (!mac_biba_enabled) + return (0); + + p = SLOT(mlabel); + i = SLOT(inplabel); + + return (mac_biba_equal_single(p, i) ? 0 : EACCES); +} + +static int mac_biba_check_ipc_msgrcv(struct ucred *cred, struct msg *msgptr, struct label *msglabel) { @@ -3112,6 +3152,7 @@ .mpo_init_cred_label = mac_biba_init_label, .mpo_init_devfsdirent_label = mac_biba_init_label, .mpo_init_ifnet_label = mac_biba_init_label, + .mpo_init_inpcb_label = mac_biba_init_label_waitcheck, .mpo_init_ipc_msgmsg_label = mac_biba_init_label, .mpo_init_ipc_msgqueue_label = mac_biba_init_label, .mpo_init_ipc_sema_label = mac_biba_init_label, @@ -3129,6 +3170,7 @@ .mpo_destroy_cred_label = mac_biba_destroy_label, .mpo_destroy_devfsdirent_label = mac_biba_destroy_label, .mpo_destroy_ifnet_label = mac_biba_destroy_label, + .mpo_destroy_inpcb_label = mac_biba_destroy_label, .mpo_destroy_ipc_msgmsg_label = mac_biba_destroy_label, .mpo_destroy_ipc_msgqueue_label = mac_biba_destroy_label, .mpo_destroy_ipc_sema_label = mac_biba_destroy_label, @@ -3181,6 +3223,7 @@ .mpo_create_datagram_from_ipq = mac_biba_create_datagram_from_ipq, .mpo_create_fragment = mac_biba_create_fragment, .mpo_create_ifnet = mac_biba_create_ifnet, + .mpo_create_inpcb_from_socket = mac_biba_create_inpcb_from_socket, .mpo_create_ipc_msgmsg = mac_biba_create_ipc_msgmsg, .mpo_create_ipc_msgqueue = mac_biba_create_ipc_msgqueue, .mpo_create_ipc_sema = mac_biba_create_ipc_sema, 
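Review bot: mac_biba_inpcb_sosetlabel() refreshes the cached label with `mac_biba_copy()`, while mac_biba_create_inpcb_from_socket() in the previous hunk uses `mac_biba_copy_single()`. The MLS hooks make the same split, and the LOMAC hooks use `mac_lomac_copy_single()` in both places. The delivery check added here goes through `mac_biba_equal_single()`, so the hook should carry a comment explaining why the wider copy is wanted on relabel, for example `/* Mirror the socket relabel: copy the elements set in the new socket label. */` if that is the intent. If only the single element is meant to be cached, switch to `mac_biba_copy_single()` so the three policies agree.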
@@ -3195,6 +3238,7 @@ .mpo_fragment_match = mac_biba_fragment_match, .mpo_relabel_ifnet = mac_biba_relabel_ifnet, .mpo_update_ipq = mac_biba_update_ipq, + .mpo_inpcb_sosetlabel = mac_biba_inpcb_sosetlabel, .mpo_create_cred = mac_biba_create_cred, .mpo_create_proc0 = mac_biba_create_proc0, .mpo_create_proc1 = mac_biba_create_proc1, @@ -3208,6 +3252,7 @@ .mpo_check_cred_visible = mac_biba_check_cred_visible, .mpo_check_ifnet_relabel = mac_biba_check_ifnet_relabel, .mpo_check_ifnet_transmit = mac_biba_check_ifnet_transmit, + .mpo_check_inpcb_deliver = mac_biba_check_inpcb_deliver, .mpo_check_ipc_msgrcv = mac_biba_check_ipc_msgrcv, .mpo_check_ipc_msgrmid = mac_biba_check_ipc_msgrmid, .mpo_check_ipc_msqget = mac_biba_check_ipc_msqget, ==== //depot/projects/trustedbsd/mac/sys/security/mac_ifoff/mac_ifoff.c#23 (text+ko) ==== @@ -143,6 +143,18 @@ } static int +mac_ifoff_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel, + struct mbuf *m, struct label *mlabel) +{ + + M_ASSERTPKTHDR(m); + if (m->m_pkthdr.rcvif != NULL) + return (check_ifnet_incoming(m->m_pkthdr.rcvif, 0)); + + return (0); +} + +static int mac_ifoff_check_socket_deliver(struct socket *so, struct label *socketlabel, struct mbuf *m, struct label *mbuflabel) { @@ -158,6 +170,7 @@ { .mpo_check_bpfdesc_receive = mac_ifoff_check_bpfdesc_receive, .mpo_check_ifnet_transmit = mac_ifoff_check_ifnet_transmit, + .mpo_check_inpcb_deliver = mac_ifoff_check_inpcb_deliver, .mpo_check_socket_deliver = mac_ifoff_check_socket_deliver, }; ==== //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.c#77 (text+ko) ==== @@ -75,6 +75,7 @@ #include <net/if_var.h> #include <netinet/in.h> +#include <netinet/in_pcb.h> #include <netinet/ip_var.h> #include <vm/vm.h> 
@@ -1138,6 +1139,18 @@ * Labeling event operations: IPC object. */ static void +mac_lomac_create_inpcb_from_socket(struct socket *so, struct label *solabel, + struct inpcb *inp, struct label *inplabel) +{ + struct mac_lomac *source, *dest; + + source = SLOT(solabel); + dest = SLOT(inplabel); + + mac_lomac_copy_single(source, dest); +} + +static void mac_lomac_create_mbuf_from_socket(struct socket *so, struct label *socketlabel, struct mbuf *m, struct label *mbuflabel) { @@ -1522,6 +1535,18 @@ /* NOOP: we only accept matching labels, so no need to update */ } +static void +mac_lomac_inpcb_sosetlabel(struct socket *so, struct label *solabel, + struct inpcb *inp, struct label *inplabel) +{ + struct mac_lomac *source, *dest; + + source = SLOT(solabel); + dest = SLOT(inplabel); + + mac_lomac_copy_single(source, dest); +} + /* * Labeling event operations: processes. */ @@ -1835,6 +1860,21 @@ } static int +mac_lomac_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel, + struct mbuf *m, struct label *mlabel) +{ + struct mac_lomac *p, *i; + + if (!mac_lomac_enabled) + return (0); + + p = SLOT(mlabel); + i = SLOT(inplabel); + + return (mac_lomac_equal_single(p, i) ? 0 : EACCES); +} + +static int mac_lomac_check_ipc_msgrcv(struct ucred *cred, struct msg *msgptr, struct label *msglabel) { @@ -3038,6 +3078,7 @@ .mpo_init_cred_label = mac_lomac_init_label, .mpo_init_devfsdirent_label = mac_lomac_init_label, .mpo_init_ifnet_label = mac_lomac_init_label, + .mpo_init_inpcb_label = mac_lomac_init_label_waitcheck, .mpo_init_ipc_msgmsg_label = mac_lomac_init_label, .mpo_init_ipc_msgqueue_label = mac_lomac_init_label, .mpo_init_ipc_sema_label = mac_lomac_init_label, 
@@ -3056,6 +3097,7 @@ .mpo_destroy_cred_label = mac_lomac_destroy_label, .mpo_destroy_devfsdirent_label = mac_lomac_destroy_label, .mpo_destroy_ifnet_label = mac_lomac_destroy_label, + .mpo_destroy_inpcb_label = mac_lomac_destroy_label, .mpo_destroy_ipc_msgmsg_label = mac_lomac_destroy_label, .mpo_destroy_ipc_msgqueue_label = mac_lomac_destroy_label, .mpo_destroy_ipc_sema_label = mac_lomac_destroy_label, @@ -3111,6 +3153,7 @@ .mpo_create_datagram_from_ipq = mac_lomac_create_datagram_from_ipq, .mpo_create_fragment = mac_lomac_create_fragment, .mpo_create_ifnet = mac_lomac_create_ifnet, + .mpo_create_inpcb_from_socket = mac_lomac_create_inpcb_from_socket, .mpo_create_ipc_msgmsg = mac_lomac_create_ipc_msgmsg, .mpo_create_ipc_msgqueue = mac_lomac_create_ipc_msgqueue, .mpo_create_ipc_sema = mac_lomac_create_ipc_sema, @@ -3126,6 +3169,7 @@ .mpo_fragment_match = mac_lomac_fragment_match, .mpo_relabel_ifnet = mac_lomac_relabel_ifnet, .mpo_update_ipq = mac_lomac_update_ipq, + .mpo_inpcb_sosetlabel = mac_lomac_inpcb_sosetlabel, .mpo_create_cred = mac_lomac_create_cred, .mpo_execve_transition = mac_lomac_execve_transition, .mpo_execve_will_transition = mac_lomac_execve_will_transition, @@ -3141,6 +3185,7 @@ .mpo_check_cred_visible = mac_lomac_check_cred_visible, .mpo_check_ifnet_relabel = mac_lomac_check_ifnet_relabel, .mpo_check_ifnet_transmit = mac_lomac_check_ifnet_transmit, + .mpo_check_inpcb_deliver = mac_lomac_check_inpcb_deliver, /* .mpo_check_ipc_msgmsq = mac_lomac_check_ipc_msgmsq, */ .mpo_check_ipc_msgrcv = mac_lomac_check_ipc_msgrcv, .mpo_check_ipc_msgrmid = mac_lomac_check_ipc_msgrmid, ==== //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#187 (text+ko) ==== @@ -75,6 +75,7 @@ #include <net/if_var.h> #include <netinet/in.h> +#include <netinet/in_pcb.h> #include <netinet/ip_var.h> #include <vm/uma.h> 
@@ -1033,6 +1034,18 @@ * Labeling event operations: IPC object. */ static void +mac_mls_create_inpcb_from_socket(struct socket *so, struct label *solabel, + struct inpcb *inp, struct label *inplabel) +{ + struct mac_mls *source, *dest; + + source = SLOT(solabel); + dest = SLOT(inplabel); + + mac_mls_copy_single(source, dest); +} + +static void mac_mls_create_mbuf_from_socket(struct socket *so, struct label *socketlabel, struct mbuf *m, struct label *mbuflabel) { @@ -1377,6 +1390,18 @@ /* NOOP: we only accept matching labels, so no need to update */ } +static void +mac_mls_inpcb_sosetlabel(struct socket *so, struct label *solabel, + struct inpcb *inp, struct label *inplabel) +{ + struct mac_mls *source, *dest; + + source = SLOT(solabel); + dest = SLOT(inplabel); + + mac_mls_copy(source, dest); +} + /* * Labeling event operations: processes. */ @@ -1600,6 +1625,21 @@ } >>> TRUNCATED FOR MAIL (1000 lines) <<<