From owner-p4-projects Mon Jun 10 18:16: 6 2002 Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 99FA137B411; Mon, 10 Jun 2002 18:15:25 -0700 (PDT) Delivered-To: perforce@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id CE19537B407 for ; Mon, 10 Jun 2002 18:15:23 -0700 (PDT) Received: (from perforce@localhost) by freefall.freebsd.org (8.11.6/8.11.6) id g5B1FNl77309 for perforce@freebsd.org; Mon, 10 Jun 2002 18:15:23 -0700 (PDT) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Date: Mon, 10 Jun 2002 18:15:23 -0700 (PDT) Message-Id: <200206110115.g5B1FNl77309@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: perforce set sender to bb+lists.freebsd.perforce@cyrus.watson.org using -f From: Robert Watson Subject: PERFORCE change 12679 for review To: Perforce Change Reviews Sender: owner-p4-projects@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG http://people.freebsd.org/~peter/p4db/chv.cgi?CH=12679 Change 12679 by rwatson@rwatson_paprika on 2002/06/10 18:15:13 Add mac check entry points for bind, connect, and listen. Fix mac_enable_fs checking for many vnode operations. Affected files ... ... //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#150 edit ... //depot/projects/trustedbsd/mac/sys/kern/uipc_syscalls.c#10 edit ... //depot/projects/trustedbsd/mac/sys/sys/mac.h#104 edit ... //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#64 edit Differences ... ==== //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#150 (text+ko) ==== 
@@ -448,6 +448,14 @@
 mpc->mpc_ops.mpo_bpfdesc_check_receive_from_ifnet =
 mpe->mpe_function;
 break;
+ case MAC_CRED_CHECK_BIND_SOCKET:
+ mpc->mpc_ops.mpo_cred_check_bind_socket =
+ mpe->mpe_function;
+ break;
+ case MAC_CRED_CHECK_CONNECT_SOCKET:
+ mpc->mpc_ops.mpo_cred_check_connect_socket =
+ mpe->mpe_function;
+ break;
 case MAC_CRED_CHECK_SEE_CRED:
 mpc->mpc_ops.mpo_cred_check_see_cred =
 mpe->mpe_function;
@@ -499,6 +507,10 @@
 mpc->mpc_ops.mpo_cred_check_getextattr_vnode =
 mpe->mpe_function;
 break;
+ case MAC_CRED_CHECK_LISTEN_SOCKET:
+ mpc->mpc_ops.mpo_cred_check_listen_socket =
+ mpe->mpe_function;
+ break;
 case MAC_CRED_CHECK_OPEN_VNODE:
 mpc->mpc_ops.mpo_cred_check_open_vnode =
 mpe->mpe_function;
@@ -996,7 +1008,7 @@
 {
 int error;
- if (!mac_enforce_process)
+ if (!mac_enforce_process && !mac_enforce_fs)
 return (0);
 error = vn_refreshlabel(vp, cred);
@@ -1402,6 +1414,9 @@
 ASSERT_VOP_LOCKED(dvp, "mac_cred_check_chdir_vnode");
+ if (!mac_enforce_fs)
+ return (0);
+
 error = vn_refreshlabel(dvp, cred);
 if (error)
 return (error);
@@ -1418,6 +1433,9 @@
 ASSERT_VOP_LOCKED(dvp, "mac_cred_check_create_vnode");
+ if (!mac_enforce_fs)
+ return (0);
+
 error = vn_refreshlabel(dvp, cred);
 if (error)
 return (error);
@@ -1434,6 +1452,9 @@
 ASSERT_VOP_LOCKED(vp, "mac_cred_check_getextattr_vnode");
+ if (!mac_enforce_fs)
+ return (0);
+
 error = vn_refreshlabel(vp, cred);
 if (error)
 return (error);
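Review bot: The widened guard `if (!mac_enforce_process && !mac_enforce_fs)` in the hunk at -996 is the only vnode check in this change that keys on two enforcement knobs, and the code gives no reason, so a reader comparing it with the `mac_enforce_fs`-only guards added to the other hooks will wonder which of them is wrong. A one-line comment above it would settle that, e.g. `/* Both a process and a filesystem event; skip only when neither is enforced. */`. The enclosing function's signature lies outside the hunk, so which hook this is (presumably an exec-related check, given the combined knobs) is inferred rather than visible.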
@@ -1444,17 +1465,34 @@
 }
 int
+mac_cred_check_listen_socket(struct ucred *cred, struct socket *socket)
+{
+ int error;
+
+ if (!mac_enforce_socket)
+ return (0);
+
+ MAC_CHECK(cred_check_listen_socket, cred, socket, &socket->so_label);
+ return (error);
+}
+
+int
 mac_cred_check_open_vnode(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
 {
 int error;
 ASSERT_VOP_LOCKED(vp, "mac_cred_check_open_vnode");
+ if (!mac_enforce_fs)
+ return (0);
+
 error = vn_refreshlabel(vp, cred);
 if (error)
 return (error);
 MAC_CHECK(cred_check_open_vnode, cred, vp, &vp->v_label, acc_mode);
+ if (error)
+ printf("mac_cred_check_open_vnode returns %d\n", error);
 return (error);
 }
@@ -1465,6 +1503,9 @@
 ASSERT_VOP_LOCKED(vp, "mac_cred_check_revoke_vnode");
+ if (!mac_enforce_fs)
+ return (0);
+
 error = vn_refreshlabel(vp, cred);
 if (error)
 return (error);
@@ -1480,6 +1521,9 @@
 ASSERT_VOP_LOCKED(dvp, "mac_cred_check_search_vnode");
+ if (!mac_enforce_fs)
+ return (0);
+
 error = vn_refreshlabel(dvp, cred);
 if (error)
 return (error);
@@ -1496,6 +1540,9 @@
 ASSERT_VOP_LOCKED(vp, "mac_cred_check_setextattr_vnode");
+ if (!mac_enforce_fs)
+ return (0);
+
 error = vn_refreshlabel(vp, cred);
 if (error)
 return (error);
@@ -1512,6 +1559,10 @@
 int error;
 ASSERT_VOP_LOCKED(vp, "mac_cred_check_setflags_vnode");
+
+ if (!mac_enforce_fs)
+ return (0);
+
 error = vn_refreshlabel(vp, cred);
 if (error)
 return (error);
@@ -1528,6 +1579,9 @@
 ASSERT_VOP_LOCKED(vp, "mac_cred_check_setmode_vnode");
+ if (!mac_enforce_fs)
+ return (0);
+
 error = vn_refreshlabel(vp, cred);
 if (error)
 return (error);
@@ -1544,6 +1598,9 @@
 ASSERT_VOP_LOCKED(vp, "mac_cred_check_setowner_vnode");
+ if (!mac_enforce_fs)
+ return (0);
+
 error = vn_refreshlabel(vp, cred);
 if (error)
 return (error);
@@ -1560,6 +1617,9 @@
 ASSERT_VOP_LOCKED(vp, "mac_cred_check_setutimes_vnode");
+ if (!mac_enforce_fs)
+ return (0);
+
 error = vn_refreshlabel(vp, cred);
 if (error)
 return (error);
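Review bot: The `if (error) printf("mac_cred_check_open_vnode returns %d\n", error);` added after the MAC_CHECK in mac_cred_check_open_vnode writes to the console on every denied open, and an unprivileged caller that keeps hitting a denial will flood the console and the message buffer, so it should not ship unconditionally. Either drop the two lines (the caller already receives `error`) or put them behind a debug knob so that production kernels deny silently. None of the sibling vnode hooks in this change print, so the lone printf also reads as leftover debugging.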
@@ -1578,6 +1638,9 @@
 ASSERT_VOP_LOCKED(dvp, "mac_cred_check_delete_vnode");
 ASSERT_VOP_LOCKED(vp, "mac_cred_check_delete_vnode");
+ if (!mac_enforce_fs)
+ return (0);
+
 error = vn_refreshlabel(dvp, cred);
 if (error)
 return (error);
@@ -1599,6 +1662,9 @@
 ASSERT_VOP_LOCKED(dvp, "mac_cred_check_rename_from_vnode");
 ASSERT_VOP_LOCKED(vp, "mac_cred_check_rename_from_vnode");
+ if (!mac_enforce_fs)
+ return (0);
+
 error = vn_refreshlabel(dvp, cred);
 if (error)
 return (error);
@@ -1620,6 +1686,9 @@
 ASSERT_VOP_LOCKED(dvp, "mac_cred_check_rename_to_vnode");
 ASSERT_VOP_LOCKED(vp, "mac_cred_check_rename_to_vnode");
+ if (!mac_enforce_fs)
+ return (0);
+
 error = vn_refreshlabel(dvp, cred);
 if (error)
 return (error);
@@ -1640,6 +1709,9 @@
 ASSERT_VOP_LOCKED(vp, "mac_cred_check_stat_vnode");
+ if (!mac_enforce_fs)
+ return (0);
+
 error = vn_refreshlabel(vp, cred);
 if (error)
 return (error);
@@ -1881,6 +1953,36 @@
 }
 int
+mac_cred_check_bind_socket(struct ucred *ucred, struct socket *socket,
+ struct sockaddr *sockaddr)
+{
+ int error;
+
+ if (!mac_enforce_socket)
+ return (0);
+
+ MAC_CHECK(cred_check_bind_socket, ucred, socket, &socket->so_label,
+ sockaddr);
+
+ return (error);
+}
+
+int
+mac_cred_check_connect_socket(struct ucred *cred, struct socket *socket,
+ struct sockaddr *sockaddr)
+{
+ int error;
+
+ if (!mac_enforce_socket)
+ return (0);
+
+ MAC_CHECK(cred_check_connect_socket, cred, socket, &socket->so_label,
+ sockaddr);
+
+ return (error);
+}
+
+int
 mac_socket_can_receive(struct socket *socket, struct mbuf *mbuf)
 {
 int error;
==== //depot/projects/trustedbsd/mac/sys/kern/uipc_syscalls.c#10 (text+ko) ====
@@ -39,6 +39,7 @@
 #include "opt_compat.h"
 #include "opt_ktrace.h"
+#include "opt_mac.h"
 #include
 #include
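Review bot: mac_cred_check_bind_socket in the hunk at -1881 names its credential parameter `ucred`, while mac_cred_check_connect_socket next to it and mac_cred_check_listen_socket added in the same change call it `cred`, and the mac.h prototypes use `cred` with `so`/`sa` for the socket and address where these definitions use `socket`/`sockaddr`. Pick one set of names and use it in both the definitions and the declarations; the smallest change is `mac_cred_check_bind_socket(struct ucred *cred, struct socket *socket,` with the matching `MAC_CHECK(cred_check_bind_socket, cred, socket, &socket->so_label,`. The same mismatch appears in the mac.h hunk at -255.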
@@ -178,6 +179,13 @@
 goto done2;
 if ((error = getsockaddr(&sa, uap->name, uap->namelen)) != 0)
 goto done1;
+#ifdef MAC
+ error = mac_cred_check_bind_socket(td->td_ucred, so, sa);
+ if (error) {
+ FREE(sa, M_SONAME);
+ goto done1;
+ }
+#endif
 error = sobind(so, sa, td);
 FREE(sa, M_SONAME);
 done1:
@@ -204,7 +212,15 @@
 mtx_lock(&Giant);
 if ((error = fgetsock(td, uap->s, &so, NULL)) == 0) {
+#ifdef MAC
+ error = mac_cred_check_listen_socket(td->td_ucred, so);
+ if (error)
+ goto done;
+#endif
 error = solisten(so, uap->backlog, td);
+#ifdef MAC
+done:
+#endif
 fputsock(so);
 }
 mtx_unlock(&Giant);
@@ -439,6 +455,11 @@
 error = getsockaddr(&sa, uap->name, uap->namelen);
 if (error)
 goto done1;
+#ifdef MAC
+ error = mac_cred_check_connect_socket(td->td_ucred, so, sa);
+ if (error)
+ goto bad;
+#endif
 error = soconnect(so, sa, td);
 if (error)
 goto bad;
==== //depot/projects/trustedbsd/mac/sys/sys/mac.h#104 (text+ko) ====
@@ -218,6 +218,7 @@
 struct mbuf;
 struct mount;
 struct proc;
+struct sockaddr;
 struct socket;
 struct timespec;
 struct ucred;
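Review bot: The `done:` label added to listen() in the hunk at -204 exists only under `#ifdef MAC`, so the MAC and non-MAC builds have differently shaped control flow and a later `goto done` written outside the ifdef compiles in only one configuration. The only statement the goto skips is the solisten() call, and after a successful fgetsock() `error` is already zero, so the label can go: keep the hook under its ifdef and write the call as `if (error == 0)` / `error = solisten(so, uap->backlog, td);`, which reaches fputsock(so) on both paths without a label.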
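Review bot: The connect hook's denial in the hunk at -439 jumps to `bad`, the label the existing soconnect() failure uses, whereas the bind hook in the hunk at -178 frees `sa` itself and jumps to `done1`; both labels lie outside the hunk, so whether `bad:` only releases `sa` or also undoes connect state that was never set up cannot be checked here. If `bad:` does more than free `sa`, mirror the bind shape, `if (error) { FREE(sa, M_SONAME); goto done1; }` — `done1` is the target of the failed-getsockaddr path, so it cannot be freeing `sa` itself. If `bad:` is the right target, a short comment on the new goto saying why the two hooks differ would make the asymmetry deliberate.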
@@ -255,11 +256,17 @@
 /* Authorizational event hooks. */
 int mac_bpfdesc_check_receive_from_ifnet(struct bpf_d *bpf_d,
 struct ifnet *ifnet);
+int mac_cred_check_bind_socket(struct ucred *cred, struct socket *so,
+ struct sockaddr *sa);
 int mac_cred_check_chdir_vnode(struct ucred *cred, struct vnode *dvp);
+int mac_cred_check_connect_socket(struct ucred *cred, struct socket *so,
+ struct sockaddr *sa);
 int mac_cred_check_create_vnode(struct ucred *cred, struct vnode *dvp,
 struct vattr *vap);
 int mac_cred_check_getextattr_vnode(struct ucred *cred, struct vnode *vp,
 int attrnamespace, const char *name, struct uio *uio);
+int mac_cred_check_listen_socket(struct ucred *cred,
+ struct socket *socket);
 int mac_cred_check_search_vnode(struct ucred *cred, struct vnode *dvp);
 int mac_cred_check_setextattr_vnode(struct ucred *cred, struct vnode *vp,
 int attrnamespace, const char *name, struct uio *uio);
==== //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#64 (text+ko) ====
@@ -222,6 +222,12 @@
 int (*mpo_bpfdesc_check_receive_from_ifnet)(struct bpf_d *bpf_d, struct label *bpflabel, struct ifnet *ifnet, struct label *ifnetlabel);
+ int (*mpo_cred_check_bind_socket)(struct ucred *cred,
+ struct socket *socket, struct label *socketlabel,
+ struct sockaddr *sockaddr);
+ int (*mpo_cred_check_connect_socket)(struct ucred *cred,
+ struct socket *socket, struct label *socketlabel,
+ struct sockaddr *sockaddr);
 int (*mpo_cred_check_see_cred)(struct ucred *u1, struct ucred *u2);
 int (*mpo_cred_check_see_socket)(struct ucred *cred, struct socket *socket, struct label *socketlabel);
@@ -253,6 +259,8 @@
 int (*mpo_cred_check_getextattr_vnode)(struct ucred *cred, struct vnode *vp, struct label *label, int attrnamespace, const char *name, struct uio *uio);
+ int (*mpo_cred_check_listen_socket)(struct ucred *cred,
+ struct socket *socket, struct label *socketlabel);
 int (*mpo_cred_check_open_vnode)(struct ucred *cred, struct vnode *vp, struct label *label, mode_t acc_mode);
@@ -360,6 +368,7 @@
 MAC_CREATE_PROC1,
 MAC_RELABEL_SUBJECT,
 MAC_BPFDESC_CHECK_RECEIVE_FROM_IFNET,
+ MAC_CRED_CHECK_BIND_SOCKET,
 MAC_CRED_CHECK_SEE_CRED,
 MAC_CRED_CHECK_SEE_SOCKET,
 MAC_CRED_CHECK_RELABEL_IFNET,
@@ -369,10 +378,12 @@
 MAC_CRED_CHECK_STATFS,
 MAC_CRED_CHECK_DEBUG_PROC,
 MAC_CRED_CHECK_CHDIR_VNODE,
+ MAC_CRED_CHECK_CONNECT_SOCKET,
 MAC_CRED_CHECK_CREATE_VNODE,
 MAC_CRED_CHECK_DELETE_VNODE,
 MAC_CRED_CHECK_EXEC_VNODE,
 MAC_CRED_CHECK_GETEXTATTR_VNODE,
+ MAC_CRED_CHECK_LISTEN_SOCKET,
 MAC_CRED_CHECK_OPEN_VNODE,
 MAC_CRED_CHECK_RENAME_FROM_VNODE,
 MAC_CRED_CHECK_RENAME_TO_VNODE,
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message
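Review bot: `MAC_CRED_CHECK_BIND_SOCKET`, `MAC_CRED_CHECK_CONNECT_SOCKET` and `MAC_CRED_CHECK_LISTEN_SOCKET` are inserted in the middle of the enum, which renumbers every constant after them, and kern_mac.c selects the `mpo_` slot by switching on these values when a policy registers its entry-point table (the switch in the kern_mac.c hunk at -448); a policy module built against the previous mac_policy.h would therefore have its later entry points wired to the wrong slots with no error at load time. If policy modules are expected to load across header revisions, append new constants at the end or refuse registration on a version mismatch; if every policy is rebuilt with the kernel, a comment on the enum such as `/* Values are a build-time ABI with policy modules; rebuild policies when this changes. */` would make that contract explicit. Which of the two applies is not visible from the hunk.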