PERFORCE change 42555 for review

Robert Watson rwatson at FreeBSD.org
Sun Nov 16 09:23:21 PST 2003


http://perforce.freebsd.org/chv.cgi?CH=42555

Change 42555 by rwatson at rwatson_tislabs on 2003/11/16 09:22:22

	Teach mac_get_fd() to speak DTYPE_SOCKET.  To do this, we need
	a mac_copy_socket_label() operation, which is added to each
	policy that supports socket labels.  This also requires socket
	label allocation and free to be exposed out of mac_net.c,
	so unstaticize.  This permits MAC-aware applications to test
	labels on sockets in a manner consistent with pipes and
	files, which improves support for arbitrary redirection of
	stdio with MAC.

Affected files ...

.. //depot/projects/trustedbsd/mac/sys/i386/conf/MAC#51 edit
.. //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#434 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac/mac_internal.h#16 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac/mac_net.c#15 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#235 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.c#78 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#189 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_stub/mac_stub.c#14 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#123 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#203 edit

Differences ...

==== //depot/projects/trustedbsd/mac/sys/i386/conf/MAC#51 (text+ko) ====

@@ -32,6 +32,7 @@
 
 options 	MAC
 #options 	MAC_ALWAYS_LABEL_MBUF
+options 	MAC_BIBA
 options 	MAC_DEBUG
 options 	MAC_TEST
 #options 	MAC_STATIC
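Review bot: The kernel-config hunk enabling `options MAC_BIBA` is not covered by the change description, which speaks only of mac_get_fd(), mac_copy_socket_label() and the mac_net.c exports. A config change that pulls an additional policy module into the MAC kernel is worth a sentence of its own in the record (why it is now built in, and whether it is meant to stay), so that the description matches the diffstat.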

==== //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#434 (text+ko) ====

@@ -726,6 +726,7 @@
 	struct mac mac;
 	struct vnode *vp;
 	struct pipe *pipe;
+	struct socket *so;
 	short label_type;
 	int error;
 
@@ -776,6 +777,19 @@
 		mac_pipe_label_free(intlabel);
 		break;
 
+	case DTYPE_SOCKET:
+		so = fp->f_data;
+		intlabel = mac_socket_label_alloc(M_WAITOK);
+		mtx_lock(&Giant);				/* Sockets */
+		/* XXX: Socket lock here. */
+		mac_copy_socket_label(so->so_label, intlabel);
+		/* XXX: Socket unlock here. */
+		mtx_unlock(&Giant);				/* Sockets */
+		error = mac_externalize_socket_label(intlabel, elements,
+		    buffer, mac.m_buflen);
+		mac_socket_label_free(intlabel);
+		break;
+
 	default:
 		error = EINVAL;
 	}
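Review bot: The new DTYPE_SOCKET case copies `so->so_label` with only Giant held, and the two XXX comments concede that the socket lock is missing; until it is taken, a relabel of the socket racing with this read can be observed mid-copy by mac_copy_socket_label(), so the externalized label need not correspond to any state the socket actually had. The pipe case that ends just above this hunk presumably brackets its copy with the pipe lock (its body is outside the hunk), which would make the socket path the one fd type here without an object-level lock. At minimum the placeholder should say what it is guarding, e.g. `/* XXX: so_label is read without the socket lock; Giant alone does not serialize against relabel. */`. The enclosing function starts before and ends after this hunk.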

==== //depot/projects/trustedbsd/mac/sys/security/mac/mac_internal.h#16 (text+ko) ====

@@ -105,6 +105,8 @@
  */
 struct label	*mac_pipe_label_alloc(void);
 void		 mac_pipe_label_free(struct label *label);
+struct label	*mac_socket_label_alloc(int flag);
+void		 mac_socket_label_free(struct label *label);
 
 int	mac_check_cred_relabel(struct ucred *cred, struct label *newlabel);
 int	mac_externalize_cred_label(struct label *label, char *elements, 
@@ -117,6 +119,11 @@
 	    char *outbuf, size_t outbuflen);
 int	mac_internalize_pipe_label(struct label *label, char *string);
 
+void	mac_copy_socket_label(struct label *src, struct label *dest);
+int	mac_externalize_socket_label(struct label *label, char *elements,
+	    char *outbuf, size_t outbuflen);
+int	mac_internalize_socket_label(struct label *label, char *string);
+
 int	mac_externalize_vnode_label(struct label *label, char *elements,
 	    char *outbuf, size_t outbuflen);
 int	mac_internalize_vnode_label(struct label *label, char *string);
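Review bot: mac_internalize_socket_label() is added to the internal header here (and made non-static in mac_net.c), but nothing in this change calls it; only mac_get_fd() learns DTYPE_SOCKET, so the set direction implied by "consistent with pipes and files" appears still to be pending. If the export anticipates a follow-up, a one-line comment on the prototype saying so would explain why a formerly file-local symbol is now internal API; otherwise it could stay static until that caller lands. The same applies to the matching `-static int` hunk in mac_net.c.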

==== //depot/projects/trustedbsd/mac/sys/security/mac/mac_net.c#15 (text+ko) ====

@@ -95,9 +95,6 @@
     &nmacsockets, 0, "number of sockets in use");
 #endif
 
-static void	mac_socket_label_free(struct label *label);
-
-
 static struct label *
 mbuf_to_label(struct mbuf *mbuf)
 {
@@ -253,7 +250,7 @@
 	return (0);
 }
 
-static struct label *
+struct label *
 mac_socket_label_alloc(int flag)
 {
 	struct label *label;
@@ -389,7 +386,7 @@
 	MAC_DEBUG_COUNTER_DEC(&nmacmbufs);
 }
 
-static void
+void
 mac_socket_label_free(struct label *label)
 {
 
@@ -432,6 +429,13 @@
 	MAC_PERFORM(copy_mbuf_label, src_label, dest_label);
 }
 
+void
+mac_copy_socket_label(struct label *src, struct label *dest)
+{
+
+	MAC_PERFORM(copy_socket_label, src, dest);
+}
+
 static int
 mac_externalize_ifnet_label(struct label *label, char *elements,
     char *outbuf, size_t outbuflen)
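Review bot: mac_copy_socket_label() is a bare MAC_PERFORM wrapper with no statement of its locking contract, while its only caller in this change (the DTYPE_SOCKET case in kern_mac.c) invokes it with Giant held and the socket lock explicitly deferred as XXX. A header comment pinning the expectation would keep future callers honest, e.g. `/* Copy src's socket label into dest; the caller must hold whatever lock protects the socket that owns src. */`. It is also worth confirming that a policy module which leaves mpo_copy_socket_label unset is treated the way MAC_PERFORM treats the other copy entry points, since the policy-table hunks in this change only cover the in-tree modules.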
@@ -443,7 +447,7 @@
 	return (error);
 }
 
-static int
+int
 mac_externalize_socket_label(struct label *label, char *elements,
     char *outbuf, size_t outbuflen)
 {
@@ -475,7 +479,7 @@
 	return (error);
 }
 
-static int
+int
 mac_internalize_socket_label(struct label *label, char *string)
 {
 	int error;

==== //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#235 (text+ko) ====

@@ -3186,6 +3186,7 @@
 	.mpo_destroy_vnode_label = mac_biba_destroy_label,
 	.mpo_copy_mbuf_label = mac_biba_copy_label,
 	.mpo_copy_pipe_label = mac_biba_copy_label,
+	.mpo_copy_socket_label = mac_biba_copy_label,
 	.mpo_copy_vnode_label = mac_biba_copy_label,
 	.mpo_externalize_cred_label = mac_biba_externalize_label,
 	.mpo_externalize_ifnet_label = mac_biba_externalize_label,

==== //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.c#78 (text+ko) ====

@@ -3114,6 +3114,7 @@
 	.mpo_destroy_vnode_label = mac_lomac_destroy_label,
 	.mpo_copy_mbuf_label = mac_lomac_copy_label,
 	.mpo_copy_pipe_label = mac_lomac_copy_label,
+	.mpo_copy_socket_label = mac_lomac_copy_label,
 	.mpo_copy_vnode_label = mac_lomac_copy_label,
 	.mpo_externalize_cred_label = mac_lomac_externalize_label,
 	.mpo_externalize_ifnet_label = mac_lomac_externalize_label,

==== //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#189 (text+ko) ====

@@ -2963,6 +2963,7 @@
 	.mpo_destroy_vnode_label = mac_mls_destroy_label,
 	.mpo_copy_mbuf_label = mac_mls_copy_label,
 	.mpo_copy_pipe_label = mac_mls_copy_label,
+	.mpo_copy_socket_label = mac_mls_copy_label,
 	.mpo_copy_vnode_label = mac_mls_copy_label,
 	.mpo_externalize_cred_label = mac_mls_externalize_label,
 	.mpo_externalize_ifnet_label = mac_mls_externalize_label,

==== //depot/projects/trustedbsd/mac/sys/security/mac_stub/mac_stub.c#14 (text+ko) ====

@@ -1328,6 +1328,7 @@
 	.mpo_destroy_vnode_label = stub_destroy_label,
 	.mpo_copy_mbuf_label = stub_copy_label,
 	.mpo_copy_pipe_label = stub_copy_label,
+	.mpo_copy_socket_label = stub_copy_label,
 	.mpo_copy_vnode_label = stub_copy_label,
 	.mpo_externalize_cred_label = stub_externalize_label,
 	.mpo_externalize_ifnet_label = stub_externalize_label,

==== //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#123 (text+ko) ====

@@ -764,6 +764,14 @@
 }
 
 static void
+mac_test_copy_socket_label(struct label *src, struct label *dest)
+{
+
+	ASSERT_SOCKET_LABEL(src);
+	ASSERT_SOCKET_LABEL(dest);
+}
+
+static void
 mac_test_copy_vnode_label(struct label *src, struct label *dest)
 {
 
@@ -2319,6 +2327,7 @@
 	.mpo_destroy_vnode_label = mac_test_destroy_vnode_label,
 	.mpo_copy_mbuf_label = mac_test_copy_mbuf_label,
 	.mpo_copy_pipe_label = mac_test_copy_pipe_label,
+	.mpo_copy_socket_label = mac_test_copy_socket_label,
 	.mpo_copy_vnode_label = mac_test_copy_vnode_label,
 	.mpo_externalize_cred_label = mac_test_externalize_label,
 	.mpo_externalize_ifnet_label = mac_test_externalize_label,

==== //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#203 (text+ko) ====

@@ -125,6 +125,8 @@
 		    struct label *dest);
 	void	(*mpo_copy_pipe_label)(struct label *src,
 		    struct label *dest);
+	void	(*mpo_copy_socket_label)(struct label *src,
+		    struct label *dest);
 	void	(*mpo_copy_vnode_label)(struct label *src,
 		    struct label *dest);
 	int	(*mpo_externalize_cred_label)(struct label *label,

