Date: Sun, 16 Nov 2003 09:23:19 -0800 (PST) From: Robert Watson <rwatson@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 42555 for review Message-ID: <200311161723.hAGHNJlK000408@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=42555
Change 42555 by rwatson@rwatson_tislabs on 2003/11/16 09:22:22
Teach mac_get_fd() to speak DTYPE_SOCKET. To do this, we need a mac_copy_socket_label() operation, which is added to each policy that supports socket labels. This also requires socket label allocation and free to be exposed out of mac_net.c, so unstaticize. This permits MAC-aware applications to test labels on sockets in a manner consistent with pipes and files, which improves support for arbitrary redirection of stdio with MAC.
Affected files ...
.. //depot/projects/trustedbsd/mac/sys/i386/conf/MAC#51 edit
.. //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#434 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac/mac_internal.h#16 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac/mac_net.c#15 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#235 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.c#78 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#189 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_stub/mac_stub.c#14 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#123 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#203 edit
Differences ...
==== //depot/projects/trustedbsd/mac/sys/i386/conf/MAC#51 (text+ko) ====
@@ -32,6 +32,7 @@
 options MAC
 #options MAC_ALWAYS_LABEL_MBUF
+options MAC_BIBA
 options MAC_DEBUG
 options MAC_TEST
 #options MAC_STATIC
==== //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#434 (text+ko) ====
@@ -726,6 +726,7 @@
 struct mac mac;
 struct vnode *vp;
 struct pipe *pipe;
+ struct socket *so;
 short label_type;
 int error;
@@ -776,6 +777,19 @@
 mac_pipe_label_free(intlabel);
 break;
+ case DTYPE_SOCKET:
+ so = fp->f_data;
+ intlabel = mac_socket_label_alloc(M_WAITOK);
+ mtx_lock(&Giant); /* Sockets */
+ /* XXX: Socket lock here. */
+ mac_copy_socket_label(so->so_label, intlabel);
+ /* XXX: Socket unlock here. */
+ mtx_unlock(&Giant); /* Sockets */
+ error = mac_externalize_socket_label(intlabel, elements,
+ buffer, mac.m_buflen);
+ mac_socket_label_free(intlabel);
+ break;
+
 default:
 error = EINVAL;
 }
==== //depot/projects/trustedbsd/mac/sys/security/mac/mac_internal.h#16 (text+ko) ====
@@ -105,6 +105,8 @@
 */
 struct label *mac_pipe_label_alloc(void);
 void mac_pipe_label_free(struct label *label);
+struct label *mac_socket_label_alloc(int flag);
+void mac_socket_label_free(struct label *label);
 int mac_check_cred_relabel(struct ucred *cred, struct label *newlabel);
 int mac_externalize_cred_label(struct label *label, char *elements,
@@ -117,6 +119,11 @@
 char *outbuf, size_t outbuflen);
 int mac_internalize_pipe_label(struct label *label, char *string);
+void mac_copy_socket_label(struct label *src, struct label *dest);
+int mac_externalize_socket_label(struct label *label, char *elements,
+ char *outbuf, size_t outbuflen);
+int mac_internalize_socket_label(struct label *label, char *string);
+
 int mac_externalize_vnode_label(struct label *label, char *elements,
 char *outbuf, size_t outbuflen);
 int mac_internalize_vnode_label(struct label *label, char *string);
==== //depot/projects/trustedbsd/mac/sys/security/mac/mac_net.c#15 (text+ko) ====
@@ -95,9 +95,6 @@
 &nmacsockets, 0, "number of sockets in use");
 #endif
-static void mac_socket_label_free(struct label *label);
-
-
 static struct label *
 mbuf_to_label(struct mbuf *mbuf)
 {
@@ -253,7 +250,7 @@
 return (0);
 }
-static struct label *
+struct label *
 mac_socket_label_alloc(int flag)
 {
 struct label *label;
@@ -389,7 +386,7 @@
 MAC_DEBUG_COUNTER_DEC(&nmacmbufs);
 }
-static void
+void
 mac_socket_label_free(struct label *label)
 {
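Review bot: The two `/* XXX: Socket lock here. */` placeholders in the new DTYPE_SOCKET case leave it unclear whether `mac_copy_socket_label(so->so_label, intlabel)` is actually serialized against a concurrent relabel of the same socket; as written, Giant is the only thing ordering the read of `so->so_label`, which holds only if every writer of that field also takes Giant, and none of those paths are visible in this hunk. Suggest collapsing the two placeholders into one comment that names the assumption being relied on rather than just the missing lock, e.g. `/* XXX: Giant serializes against socket relabel until a per-socket lock exists. */`. The label is allocated with M_WAITOK before Giant is taken and released unconditionally after the externalize call, so the error path itself looks right. mac_get_fd begins and ends outside this hunk.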
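Review bot: The newly exported prototypes for `mac_socket_label_alloc`, `mac_socket_label_free` and `mac_copy_socket_label` in mac_internal.h carry no contract, and now that kern_mac.c reaches them a caller has to know that the returned label is owned by the caller and must be released with `mac_socket_label_free()`, that `flag` appears to be a malloc(9) wait flag (kern_mac.c passes M_WAITOK; the body is not visible here), and that `mac_copy_socket_label()` expects both arguments to be socket labels, which is exactly what the mac_test hook asserts. Suggest a short block comment above the alloc/free pair, e.g. `/* Socket label storage; the caller owns the returned label and frees it with mac_socket_label_free(). */`, and one above the copy/externalize/internalize group stating that src and dest must both be socket labels.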
@@ -432,6 +429,13 @@
 MAC_PERFORM(copy_mbuf_label, src_label, dest_label);
 }
+void
+mac_copy_socket_label(struct label *src, struct label *dest)
+{
+
+ MAC_PERFORM(copy_socket_label, src, dest);
+}
+
 static int
 mac_externalize_ifnet_label(struct label *label, char *elements,
 char *outbuf, size_t outbuflen)
@@ -443,7 +447,7 @@
 return (error);
 }
-static int
+int
 mac_externalize_socket_label(struct label *label, char *elements,
 char *outbuf, size_t outbuflen)
 {
@@ -475,7 +479,7 @@
 return (error);
 }
-static int
+int
 mac_internalize_socket_label(struct label *label, char *string)
 {
 int error;
==== //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#235 (text+ko) ====
@@ -3186,6 +3186,7 @@
 .mpo_destroy_vnode_label = mac_biba_destroy_label,
 .mpo_copy_mbuf_label = mac_biba_copy_label,
 .mpo_copy_pipe_label = mac_biba_copy_label,
+ .mpo_copy_socket_label = mac_biba_copy_label,
 .mpo_copy_vnode_label = mac_biba_copy_label,
 .mpo_externalize_cred_label = mac_biba_externalize_label,
 .mpo_externalize_ifnet_label = mac_biba_externalize_label,
==== //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.c#78 (text+ko) ====
@@ -3114,6 +3114,7 @@
 .mpo_destroy_vnode_label = mac_lomac_destroy_label,
 .mpo_copy_mbuf_label = mac_lomac_copy_label,
 .mpo_copy_pipe_label = mac_lomac_copy_label,
+ .mpo_copy_socket_label = mac_lomac_copy_label,
 .mpo_copy_vnode_label = mac_lomac_copy_label,
 .mpo_externalize_cred_label = mac_lomac_externalize_label,
 .mpo_externalize_ifnet_label = mac_lomac_externalize_label,
==== //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#189 (text+ko) ====
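Review bot: `mac_copy_socket_label()` is now an exported entry point but takes no lock of its own, and the only caller this change adds (the DTYPE_SOCKET case in kern_mac.c) wraps it in Giant with XXX placeholders, so the locking obligation lives entirely in the caller. A one-line comment above the definition would keep that visible as further callers appear, e.g. `/* Caller must hold whatever currently protects src against relabel. */`. The same note applies to `mac_externalize_socket_label` and `mac_internalize_socket_label`, which the following hunks make non-static without documenting the label-type or locking expectations; their bodies run outside the visible lines.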
@@ -2963,6 +2963,7 @@
 .mpo_destroy_vnode_label = mac_mls_destroy_label,
 .mpo_copy_mbuf_label = mac_mls_copy_label,
 .mpo_copy_pipe_label = mac_mls_copy_label,
+ .mpo_copy_socket_label = mac_mls_copy_label,
 .mpo_copy_vnode_label = mac_mls_copy_label,
 .mpo_externalize_cred_label = mac_mls_externalize_label,
 .mpo_externalize_ifnet_label = mac_mls_externalize_label,
==== //depot/projects/trustedbsd/mac/sys/security/mac_stub/mac_stub.c#14 (text+ko) ====
@@ -1328,6 +1328,7 @@
 .mpo_destroy_vnode_label = stub_destroy_label,
 .mpo_copy_mbuf_label = stub_copy_label,
 .mpo_copy_pipe_label = stub_copy_label,
+ .mpo_copy_socket_label = stub_copy_label,
 .mpo_copy_vnode_label = stub_copy_label,
 .mpo_externalize_cred_label = stub_externalize_label,
 .mpo_externalize_ifnet_label = stub_externalize_label,
==== //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#123 (text+ko) ====
@@ -764,6 +764,14 @@
 }
 static void
+mac_test_copy_socket_label(struct label *src, struct label *dest)
+{
+
+ ASSERT_SOCKET_LABEL(src);
+ ASSERT_SOCKET_LABEL(dest);
+}
+
+static void
 mac_test_copy_vnode_label(struct label *src, struct label *dest)
 {
@@ -2319,6 +2327,7 @@
 .mpo_destroy_vnode_label = mac_test_destroy_vnode_label,
 .mpo_copy_mbuf_label = mac_test_copy_mbuf_label,
 .mpo_copy_pipe_label = mac_test_copy_pipe_label,
+ .mpo_copy_socket_label = mac_test_copy_socket_label,
 .mpo_copy_vnode_label = mac_test_copy_vnode_label,
 .mpo_externalize_cred_label = mac_test_externalize_label,
 .mpo_externalize_ifnet_label = mac_test_externalize_label,
==== //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#203 (text+ko) ====
@@ -125,6 +125,8 @@
 struct label *dest);
 void (*mpo_copy_pipe_label)(struct label *src,
 struct label *dest);
+ void (*mpo_copy_socket_label)(struct label *src,
+ struct label *dest);
 void (*mpo_copy_vnode_label)(struct label *src,
 struct label *dest);
 int (*mpo_externalize_cred_label)(struct label *label,
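Review bot: The new `mpo_copy_socket_label` slot in the policy ops structure is added with no statement of its contract, and nothing in the commit says what a policy that leaves the slot unset gets: from the biba/lomac/mls/stub table entries it appears to be treated like the existing `mpo_copy_pipe_label` (copy the contents of `src` into `dest`, both socket labels), but the dispatch behaviour for a NULL entry is not visible here. If the tree documents policy entry points outside this header (not visible in this change), `mpo_copy_socket_label` should get the same entry as `mpo_copy_pipe_label`, stating that both arguments are socket labels and that `dest` is an already-initialized label that the hook overwrites; otherwise a short comment on the declaration, e.g. `/* Copy the socket label contents of src into dest. */`, would do. Note that the mac_test implementation only asserts the label types and copies nothing, which is consistent with that policy's other hooks but means a test-only kernel will externalize an empty label from mac_get_fd.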