PERFORCE change 114585 for review
Todd Miller
millert at FreeBSD.org
Thu Feb 15 20:30:15 UTC 2007
http://perforce.freebsd.org/chv.cgi?CH=114585
Change 114585 by millert at millert_p4 on 2007/02/15 20:29:16
Implement more networking entrypoints.
Comment out entrypoints that are not currently supported by the
reference policy.
Affected files ...
.. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/sebsd.c#44 edit
Differences ...
==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/sebsd.c#44 (text+ko) ====
@@ -119,6 +119,22 @@
return perm;
}
+static void
+copy_network_label(struct label *src, struct label *dest)
+{
+ if (src == NULL)
+ printf("copy_network_label: src is NULL\n");
+ if (dest == NULL)
+ printf("copy_network_label: dest is NULL\n");
+ if (SLOT(dest) == NULL)
+ printf("copy_network_label: slot(dest) is NULL\n");
+ if (SLOT(src) == NULL)
+ printf("copy_network_label: slot(src) is NULL\n");
+
+ *(struct network_security_struct *) SLOT(dest) =
+ *(struct network_security_struct *) SLOT(src);
+}
+
/*
* Check whether a task is allowed to use a capability.
*/
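Review bot: copy_network_label reports a NULL src, dest or slot with printf but then dereferences both slots on the very next statement, so each diagnostic is immediately followed by a NULL pointer dereference inside the kernel. The checks should bail out instead of only logging, e.g. `if (src == NULL || dest == NULL || SLOT(src) == NULL || SLOT(dest) == NULL) { printf("copy_network_label: NULL label or slot\n"); return; }`. This matters more now that the function is registered directly as mpo_copy_ifnet_label and mpo_copy_socket_label and is called from every networking wrapper in this change, including the inpcb path whose label is initialized by sebsd_init_network_label_waitcheck and so, judging by that name, may have no slot allocated. A one-line header comment saying the copy is a plain struct assignment of this policy's slot would also help, since the casts hide that.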
@@ -430,6 +446,14 @@
}
static void
+sebsd_relabel_ifnet(struct ucred *cred, struct ifnet *ifn,
+ struct label *ilabel, struct label *newlabel)
+{
+
+ copy_network_label(newlabel, ilabel);
+}
+
+static void
sebsd_cleanup_sysv_label(struct label *label)
{
struct ipc_security_struct *ipcsec;
@@ -572,7 +596,106 @@
fsec->sid = tsec->sid;
}
+#if 0
+static void
+sebsd_create_fragment(struct mbuf *datagram, struct label *dlabel,
+ struct mbuf *frag, struct label *flabel)
+{
+
+ copy_network_label(dlabel, flabel);
+}
+#endif
+
+/*
+ * XXX: What's are sensible values to assign to an interface?
+ */
+static void
+sebsd_create_ifnet(struct ifnet *ifn, struct label *iflabel)
+{
+
+ struct network_security_struct *nsec;
+
+ nsec = SLOT(iflabel);
+ nsec->sid = 0;
+ nsec->task_sid = 0;
+}
+
static void
+sebsd_create_inpcb_from_socket(struct socket *so, struct label *solabel,
+ struct inpcb *inp, struct label *ilabel)
+{
+
+ copy_network_label(solabel, ilabel);
+}
+
+#if 0
+static void
+sebsd_create_ipq(struct mbuf *frag, struct label *fraglabel, struct ipq *ipq,
+ struct label *ipqlabel)
+{
+
+ copy_network_label(fraglabel, ipqlabel);
+}
+
+static void
+sebsd_create_mbuf_from_bpfdesc(struct bpf_d *b, struct label *blabel,
+ struct mbuf *m, struct label *mlabel)
+{
+
+ copy_network_label(blabel, mlabel);
+}
+
+static void
+sebsd_create_mbuf_from_ifnet(struct ifnet *ifn, struct label *ilabel,
+ struct mbuf *m, struct label *mlabel)
+{
+
+ copy_network_label(ilabel, mlabel);
+}
+
+static void
+sebsd_create_mbuf_from_inpcb(struct inpcb *in, struct label *ilabel,
+ struct mbuf *m, struct label *mlabel)
+{
+
+ copy_network_label(ilabel, mlabel);
+}
+
+static void
+sebsd_create_mbuf_linklayer(struct ifnet *ifn, struct label *iflabel,
+ struct mbuf *m, struct label *mlabel)
+{
+
+ copy_network_label(iflabel, mlabel);
+}
+
+static void
+sebsd_create_mbuf_netlayer(struct mbuf *oldmbuf, struct label *oldlabel,
+ struct mbuf *newmbuf, struct label *newlabel)
+{
+
+ copy_network_label(oldlabel, newlabel);
+}
+
+static void
+sebsd_create_mbuf_multicast_encap(struct mbuf *oldmbuf, struct label *oldlabel,
+ struct ifnet *ifn, struct label *iflabel, struct mbuf *newmbuf,
+ struct label *newlabel)
+{
+
+ copy_network_label(oldlabel, newlabel);
+}
+
+static void
+sebsd_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel,
+ struct mbuf *datagram, struct label *datagramlabel)
+{
+
+ copy_network_label(ipqlabel, datagramlabel);
+}
+#endif
+
+static void
sebsd_create_sysv_msgmsg(struct ucred *cred, struct msqid_kernel *msqkptr,
struct label *msqlabel, struct msg *msgptr, struct label *msglabel)
{
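Review bot: sebsd_create_ifnet leaves both nsec->sid and nsec->task_sid at 0 for every new interface, which the XXX comment above it admits is a placeholder; if 0 is the null SID in this port as it is in SELinux, a later avc lookup against an interface label will fail to resolve rather than match any policy rule, so interface-based decisions are effectively broken until a real SID is chosen. The file already uses a flask initial SID elsewhere (SECINITSID_KERNEL in a later hunk), so if the port also carries SELinux's netif and unlabeled initial SIDs one of those is the sensible default here and the comment should record the choice. Until then the XXX should state the consequence, e.g. `/* XXX: 0 is not a valid SID; avc lookups against this label will fail until a proper netif initial SID is assigned. */`.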
@@ -653,7 +776,20 @@
ipcsec = SLOT(ks_label);
ipcsec->sid = tsec->sid;
- ipcsec->sclass = SECCLASS_POSIX_SEM;
+ ipcsec->sclass = SECCLASS_SEM;
+}
+
+static void
+sebsd_create_bpfdesc(struct ucred *cred, struct bpf_d *b,
+ struct label *blabel)
+{
+ struct network_security_struct *nsec;
+ struct task_security_struct *tsec;
+
+ nsec = SLOT(blabel);
+ tsec = SLOT(cred->cr_label);
+
+ nsec->sid = nsec->task_sid = tsec->sid;
}
static void
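Review bot: Changing the POSIX semaphore creation hook's class from SECCLASS_POSIX_SEM to SECCLASS_SEM, together with the matching POSIX_SEM__* to SEM__* permission renames in the seven hunks starting at -2400, folds POSIX semaphores into the reference policy's SysV sem class, so every rule written for SysV semaphores now also governs these objects; that is a policy-semantics decision and deserves a comment at the assignment, e.g. `/* refpolicy has no posix_sem class; mediate POSIX semaphores under the SysV sem class. */`. The enclosing function starts outside this hunk.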
@@ -834,7 +970,17 @@
SECINITSID_KERNEL);
}
+#if 0
static void
+sebsd_create_mbuf_from_socket(struct socket *so, struct label *solabel,
+ struct mbuf *m, struct label *mlabel)
+{
+
+ copy_network_label(solabel, mlabel);
+}
+#endif
+
+static void
sebsd_create_mount(struct ucred *cred, struct mount *mp,
struct label *mntlabel, struct label *fslabel,
struct label *mount_arg_label)
@@ -922,6 +1068,26 @@
}
}
+static void
+sebsd_create_socket(struct ucred *cred, struct socket *so,
+ struct label *solabel)
+{
+ struct task_security_struct *tsec;
+ struct network_security_struct *nsec;
+
+ tsec = SLOT(cred->cr_label);
+ nsec = SLOT(solabel);
+ nsec->sid = nsec->task_sid = tsec->sid;
+}
+
+static void
+sebsd_create_socket_from_socket(struct socket *olds, struct label *oldslabel,
+ struct socket *news, struct label *newslabel)
+{
+
+ copy_network_label(oldslabel, newslabel);
+}
+
static int
sebsd_create_vnode_extattr(struct ucred *cred, struct mount *mp,
struct label *fslabel, struct vnode *parent, struct label *parentlabel,
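Review bot: sebsd_create_socket repeats the body of sebsd_create_bpfdesc from the earlier hunk line for line (fetch tsec from cred->cr_label, store tsec->sid into both sid and task_sid of the new object's slot); a small static helper such as `static void label_from_cred(struct ucred *cred, struct label *label)` called from both would keep them in step if the meaning of task_sid ever changes. Neither function documents the distinction between sid and task_sid; since both are simply set to the creating task's sid here, a comment stating that, e.g. `/* New sockets take the creating task's sid as both object sid and task_sid. */`, would save the next reader guessing.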
@@ -959,8 +1125,26 @@
security_free_context(context);
return (error);
+}
+
+#if 0
+static void
+sebsd_update_ipq(struct mbuf *frag, struct label *fraglabel, struct ipq *ipq,
+ struct label *ipqlabel)
+{
+
+ copy_network_label(fraglabel, ipqlabel);
}
+#endif
+
+static void
+sebsd_inpcb_sosetlabel(struct socket *so, struct label *solabel,
+ struct inpcb *inp, struct label *ilabel)
+{
+ copy_network_label(solabel, ilabel);
+}
+
static int
sebsd_check_cap(struct ucred *cred, cap_value_t capv)
{
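Review bot: sebsd_inpcb_sosetlabel omits the blank line after the opening brace that every other argument-less wrapper in this change (and style(9)) uses, so `{` should be followed by an empty line before `copy_network_label(solabel, ilabel);`. It also carries no comment on why the socket label is mirrored into the inpcb; presumably this hook runs when a socket is relabeled so the inpcb follows, and a one-liner such as `/* Keep the inpcb label in sync when its socket is relabeled. */` would record that.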
@@ -1060,6 +1244,7 @@
return (pipe_has_perm(cred, pp, FIFO_FILE__IOCTL));
}
+#if 0
static int
sebsd_check_pipe_poll(struct ucred *cred, struct pipepair *pp,
struct label *pipelabel)
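Review bot: Wrapping sebsd_check_pipe_poll in `#if 0` and commenting out its ops entry removes this policy from the pipe poll path entirely, so poll on pipes is now permitted unconditionally by the module; the same applies to sebsd_check_vnode_poll, sebsd_check_file_create and sebsd_check_sysv_msgrmid in the later hunks and to their table entries. Nothing at the guard says why, so a reader cannot tell a deliberate gap from an accident; each `#if 0` should carry the reason given in the commit message, e.g. `#if 0	/* Not supported by the reference policy; pipe poll is unmediated. */`. sebsd_check_sysv_msgrmid is the one that mediates queue removal, so that gap in particular is worth calling out in the sebsd_ops header comment too. The enclosed function's body continues past the end of this hunk.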
@@ -1067,6 +1252,7 @@
return (pipe_has_perm(cred, pp, FIFO_FILE__POLL));
}
+#endif
static int
sebsd_check_pipe_read(struct ucred *cred, struct pipepair *pp,
@@ -1359,6 +1545,14 @@
}
static void
+sebsd_relabel_socket(struct ucred *cred, struct socket *so,
+ struct label *oldlabel, struct label *newlabel)
+{
+
+ copy_network_label(oldlabel, newlabel);
+}
+
+static void
sebsd_relabel_vnode(struct ucred *cred, struct vnode *vp,
struct label *vnodelabel, struct label *label)
{
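Review bot: sebsd_relabel_socket calls `copy_network_label(oldlabel, newlabel)`, i.e. src = oldlabel and dest = newlabel given copy_network_label's (src, dest) signature in the first hunk, which copies the socket's current label over the caller's requested label and leaves the socket untouched; the MAC framework passes the socket's existing label as oldlabel and the requested one as newlabel, so the relabel is a no-op and the caller's newlabel is clobbered. sebsd_relabel_ifnet in this same change gets the direction right with `copy_network_label(newlabel, ilabel)`. The line should read `copy_network_label(newlabel, oldlabel);`. No check_socket_relabel hook is visible in this change; if the policy does not define one, the relabel path is also unmediated, which is worth confirming separately.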
@@ -1402,6 +1596,24 @@
return (error);
}
+#if 0
+static void
+sebsd_set_socket_peer_from_mbuf(struct mbuf *m, struct label *mlabel,
+ struct socket *so, struct label *sopeerlabel)
+{
+
+ copy_network_label(mlabel, sopeerlabel);
+}
+#endif
+
+static void
+sebsd_set_socket_peer_from_socket(struct socket *olds, struct label *oldslabel,
+ struct socket *news, struct label *newsockpeerlabel)
+{
+
+ copy_network_label(oldslabel, newsockpeerlabel);
+}
+
static int
sebsd_check_vnode_access(struct ucred *cred, struct vnode *vp,
struct label *label, int acc_mode)
@@ -1644,6 +1856,7 @@
acc_mode)));
}
+#if 0
static int
sebsd_check_vnode_poll(struct ucred *cred, struct ucred *file_cred,
struct vnode *vp, struct label *label)
@@ -1651,6 +1864,7 @@
return (vnode_has_perm(cred, vp, FILE__POLL));
}
+#endif
static int
sebsd_check_vnode_read(struct ucred *cred, struct ucred *file_cred,
@@ -2053,6 +2267,7 @@
*(struct mount_security_struct *)SLOT(src);
}
+#if 0
static int
sebsd_check_file_create(struct ucred *cred)
{
@@ -2062,6 +2277,7 @@
return (avc_has_perm(tsec->sid, tsec->sid, SECCLASS_FD,
FD__CREATE, NULL));
}
+#endif
static int
sebsd_check_file_ioctl(struct ucred *cred, struct file *fp,
@@ -2192,6 +2408,7 @@
return (ipc_has_perm(cred, msglabel, MSG__RECEIVE));
}
+#if 0
static int
sebsd_check_sysv_msgrmid(struct ucred *cred, struct msg *msgptr,
struct label *msglabel)
@@ -2199,6 +2416,7 @@
return (ipc_has_perm(cred, msglabel, MSG__DESTROY));
}
+#endif
static int
sebsd_check_sysv_msqget(struct ucred *cred, struct msqid_kernel *msqkptr,
@@ -2400,7 +2618,7 @@
struct label *ks_label)
{
- return (ipc_has_perm(cred, ks_label, POSIX_SEM__DISASSOCIATE));
+ return (ipc_has_perm(cred, ks_label, SEM__DISASSOCIATE));
}
#endif
@@ -2409,7 +2627,7 @@
struct label *ks_label)
{
- return (ipc_has_perm(cred, ks_label, POSIX_SEM__DESTROY));
+ return (ipc_has_perm(cred, ks_label, SEM__DESTROY));
}
static int
@@ -2417,7 +2635,7 @@
struct label *ks_label)
{
- return (ipc_has_perm(cred, ks_label, POSIX_SEM__READ));
+ return (ipc_has_perm(cred, ks_label, SEM__READ));
}
static int
@@ -2425,7 +2643,7 @@
struct label *ks_label)
{
- return (ipc_has_perm(cred, ks_label, POSIX_SEM__ASSOCIATE));
+ return (ipc_has_perm(cred, ks_label, SEM__ASSOCIATE));
}
static int
@@ -2433,7 +2651,7 @@
struct label *ks_label)
{
- return (ipc_has_perm(cred, ks_label, POSIX_SEM__WRITE));
+ return (ipc_has_perm(cred, ks_label, SEM__WRITE));
}
static int
@@ -2441,7 +2659,7 @@
struct label *ks_label)
{
- return (ipc_has_perm(cred, ks_label, POSIX_SEM__DESTROY));
+ return (ipc_has_perm(cred, ks_label, SEM__DESTROY));
}
static int
@@ -2449,7 +2667,7 @@
struct label *ks_label)
{
- return (ipc_has_perm(cred, ks_label, POSIX_SEM__WRITE));
+ return (ipc_has_perm(cred, ks_label, SEM__WRITE));
}
static struct mac_policy_ops sebsd_ops = {
@@ -2460,12 +2678,13 @@
.mpo_init_devfsdirent_label = sebsd_init_vnode_label,
.mpo_init_file_label = sebsd_init_file_label,
.mpo_init_ifnet_label = sebsd_init_network_label,
+ .mpo_init_inpcb_label = sebsd_init_network_label_waitcheck,
.mpo_init_sysv_msgmsg_label = sebsd_init_sysv_label,
.mpo_init_sysv_msgqueue_label = sebsd_init_sysv_label,
.mpo_init_sysv_sem_label = sebsd_init_sysv_label,
.mpo_init_sysv_shm_label = sebsd_init_sysv_label,
- .mpo_init_ipq_label = sebsd_init_network_label_waitcheck,
- .mpo_init_mbuf_label = sebsd_init_network_label_waitcheck,
+ //.mpo_init_ipq_label = sebsd_init_network_label_waitcheck,
+ //.mpo_init_mbuf_label = sebsd_init_network_label_waitcheck,
.mpo_init_mount_label = sebsd_init_mount_label,
.mpo_init_mount_fs_label = sebsd_init_mount_fs_label,
.mpo_init_pipe_label = sebsd_init_vnode_label,
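Review bot: The disabled table entries in this hunk use `//` (`//.mpo_init_ipq_label = ...`) while the entries disabled later in the same change (`/* .mpo_check_file_create = ... */` and friends) keep the file's existing `/* */` form, and the mpo_set_socket_peer_from_mbuf entry in the relabel hunk is even switched from `/* */` to `//`; the same mix appears in the destroy, copy and create hunks of sebsd_ops. Pick one form, preferably the `/* */` the rest of the table uses. Disabled entries with no reason attached are hard to audit later; a short trailing comment on each group stating the reason from the commit message, e.g. `/* mbuf and ipq labeling not supported by refpolicy yet */`, would tell a reader what it would take to re-enable them.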
@@ -2480,12 +2699,13 @@
.mpo_destroy_cred_label = sebsd_destroy_label,
.mpo_destroy_devfsdirent_label = sebsd_destroy_label,
.mpo_destroy_ifnet_label = sebsd_destroy_label,
+ .mpo_destroy_inpcb_label = sebsd_destroy_label,
.mpo_destroy_sysv_msgmsg_label = sebsd_destroy_label,
.mpo_destroy_sysv_msgqueue_label = sebsd_destroy_label,
.mpo_destroy_sysv_sem_label = sebsd_destroy_label,
.mpo_destroy_sysv_shm_label = sebsd_destroy_label,
- .mpo_destroy_ipq_label = sebsd_destroy_label,
- .mpo_destroy_mbuf_label = sebsd_destroy_label,
+ //.mpo_destroy_ipq_label = sebsd_destroy_label,
+ //.mpo_destroy_mbuf_label = sebsd_destroy_label,
.mpo_destroy_file_label = sebsd_destroy_label,
.mpo_destroy_mount_label = sebsd_destroy_label,
.mpo_destroy_mount_fs_label = sebsd_destroy_label,
@@ -2496,7 +2716,10 @@
.mpo_destroy_vnode_label = sebsd_destroy_label,
/* Copy labels */
+ .mpo_copy_ifnet_label = copy_network_label,
+ //.mpo_copy_mbuf_label = copy_network_label,
.mpo_copy_pipe_label = sebsd_copy_vnode_label,
+ .mpo_copy_socket_label = copy_network_label,
.mpo_copy_vnode_label = sebsd_copy_vnode_label,
.mpo_copy_mount_label = sebsd_copy_mount_label,
@@ -2515,45 +2738,40 @@
.mpo_internalize_vnode_label = sebsd_internalize_vnode_label,
.mpo_internalize_mount_label = sebsd_internalize_mount_label,
-#ifdef notdef
- void (*mpo_create_mbuf_from_socket)(struct socket *so,
- struct label *socketlabel, struct mbuf *m,
- struct label *mbuflabel);
- void (*mpo_create_socket)(struct ucred *cred, struct socket *so,
- struct label *socketlabel);
- void (*mpo_create_socket_from_socket)(struct socket *oldsocket,
- struct label *oldsocketlabel, struct socket *newsocket,
- struct label *newsocketlabel);
- void (*mpo_relabel_socket)(struct ucred *cred, struct socket *so,
- struct label *oldlabel, struct label *newlabel);
- void (*mpo_set_socket_peer_from_mbuf)(struct mbuf *mbuf,
- struct label *mbuflabel, struct socket *so,
- struct label *socketpeerlabel);
- void (*mpo_set_socket_peer_from_socket)(struct socket *oldsocket,
- struct label *oldsocketlabel, struct socket *newsocket,
- struct label *newsocketpeerlabel);
-#endif
-
/* Create Labels */
.mpo_copy_cred_label = sebsd_copy_cred_label,
+ .mpo_create_bpfdesc = sebsd_create_bpfdesc,
+ //.mpo_create_datagram_from_ipq = sebsd_create_datagram_from_ipq,
.mpo_create_devfs_device = sebsd_create_devfs_device,
.mpo_create_devfs_directory = sebsd_create_devfs_directory,
.mpo_create_devfs_symlink = sebsd_create_devfs_symlink,
.mpo_create_file = sebsd_create_file,
- .mpo_create_sysv_msgmsg = sebsd_create_sysv_msgmsg,
- .mpo_create_sysv_msgqueue = sebsd_create_sysv_msgqueue,
- .mpo_create_sysv_sem = sebsd_create_sysv_sem,
- .mpo_create_sysv_shm = sebsd_create_sysv_shm,
- /* .mpo_create_mbuf_from_socket = sebsd_create_mbuf_from_socket, */
+ //.mpo_create_fragment = sebsd_create_fragment,
+ .mpo_create_ifnet = sebsd_create_ifnet,
+ .mpo_create_inpcb_from_socket = sebsd_create_inpcb_from_socket,
+ //.mpo_create_ipq = sebsd_create_ipq,
+ //.mpo_create_mbuf_from_bpfdesc = sebsd_create_mbuf_from_bpfdesc,
+ //.mpo_create_mbuf_from_ifnet = sebsd_create_mbuf_from_ifnet,
+ //.mpo_create_mbuf_from_inpcb = sebsd_create_mbuf_from_inpcb,
+ //.mpo_create_mbuf_multicast_encap = sebsd_create_mbuf_multicast_encap,
+ //.mpo_create_mbuf_from_socket = sebsd_create_mbuf_from_socket,
+ //.mpo_create_mbuf_linklayer = sebsd_create_mbuf_linklayer,
+ //.mpo_create_mbuf_netlayer = sebsd_create_mbuf_netlayer,
.mpo_create_mount = sebsd_create_mount,
.mpo_create_pipe = sebsd_create_pipe,
.mpo_create_posix_sem = sebsd_create_posix_sem,
.mpo_create_proc0 = sebsd_create_kernel_proc,
.mpo_create_proc1 = sebsd_create_kernel_proc,
- /* .mpo_create_socket = sebsd_create_socket, */
- /* .mpo_create_socket_from_socket = sebsd_create_socket_from_socket, */
+ .mpo_create_socket = sebsd_create_socket,
+ .mpo_create_socket_from_socket = sebsd_create_socket_from_socket,
+ .mpo_create_sysv_msgmsg = sebsd_create_sysv_msgmsg,
+ .mpo_create_sysv_msgqueue = sebsd_create_sysv_msgqueue,
+ .mpo_create_sysv_sem = sebsd_create_sysv_sem,
+ .mpo_create_sysv_shm = sebsd_create_sysv_shm,
.mpo_create_vnode_extattr = sebsd_create_vnode_extattr,
.mpo_update_devfsdirent = sebsd_update_devfsdirent,
+ //.mpo_update_ipq = sebsd_update_ipq,
+ .mpo_inpcb_sosetlabel = sebsd_inpcb_sosetlabel,
.mpo_associate_vnode_devfs = sebsd_associate_vnode_devfs,
.mpo_associate_vnode_singlelabel = sebsd_associate_vnode_singlelabel,
.mpo_associate_vnode_extattr = sebsd_associate_vnode_extattr,
@@ -2561,7 +2779,7 @@
/* Check Labels */
.mpo_check_cap = sebsd_check_cap,
.mpo_check_cred_relabel = sebsd_check_cred_relabel,
- .mpo_check_file_create = sebsd_check_file_create,
+ /* .mpo_check_file_create = sebsd_check_file_create, */
.mpo_check_file_ioctl = sebsd_check_file_ioctl,
/*
@@ -2580,7 +2798,7 @@
.mpo_check_remount = sebsd_check_remount,
.mpo_check_sysv_msgmsq = sebsd_check_sysv_msgmsq,
.mpo_check_sysv_msgrcv = sebsd_check_sysv_msgrcv,
- .mpo_check_sysv_msgrmid = sebsd_check_sysv_msgrmid,
+ /* .mpo_check_sysv_msgrmid = sebsd_check_sysv_msgrmid, */
.mpo_check_sysv_msqget = sebsd_check_sysv_msqget,
.mpo_check_sysv_msqsnd = sebsd_check_sysv_msqsnd,
.mpo_check_sysv_msqrcv = sebsd_check_sysv_msqrcv,
@@ -2595,7 +2813,7 @@
.mpo_check_mount_stat = sebsd_check_mount_stat,
.mpo_check_pipe_ioctl = sebsd_check_pipe_ioctl,
- .mpo_check_pipe_poll = sebsd_check_pipe_poll,
+ /* .mpo_check_pipe_poll = sebsd_check_pipe_poll, */
.mpo_check_pipe_read = sebsd_check_pipe_read,
.mpo_check_pipe_relabel = sebsd_check_pipe_relabel,
.mpo_check_pipe_stat = sebsd_check_pipe_stat,
@@ -2644,7 +2862,7 @@
.mpo_check_vnode_mprotect = sebsd_check_vnode_mmap,
#endif
.mpo_check_vnode_open = sebsd_check_vnode_open,
- .mpo_check_vnode_poll = sebsd_check_vnode_poll,
+ /* .mpo_check_vnode_poll = sebsd_check_vnode_poll, */
.mpo_check_vnode_read = sebsd_check_vnode_read,
.mpo_check_vnode_readdir = sebsd_check_vnode_readdir,
.mpo_check_vnode_readlink = sebsd_check_vnode_readlink,
@@ -2665,12 +2883,13 @@
.mpo_execve_transition = sebsd_execve_transition,
.mpo_execve_will_transition = sebsd_execve_will_transition,
.mpo_relabel_cred = sebsd_relabel_cred,
+ .mpo_relabel_ifnet = sebsd_relabel_ifnet,
.mpo_relabel_pipe = sebsd_relabel_pipe,
- /* .mpo_relabel_socket = sebsd_relabel_socket, */
+ .mpo_relabel_socket = sebsd_relabel_socket,
.mpo_relabel_vnode = sebsd_relabel_vnode,
.mpo_setlabel_vnode_extattr = sebsd_setlabel_vnode_extattr,
- /*.mpo_set_socket_peer_from_mbuf = sebsd_set_socket_peer_from_mbuf,*/
- /*.mpo_set_socket_peer_from_socket = sebsd_set_socket_peer_from_socket,*/
+ //.mpo_set_socket_peer_from_mbuf = sebsd_set_socket_peer_from_mbuf,
+ .mpo_set_socket_peer_from_socket = sebsd_set_socket_peer_from_socket,
.mpo_cleanup_sysv_msgmsg = sebsd_cleanup_sysv_label,
.mpo_cleanup_sysv_msgqueue = sebsd_cleanup_sysv_label,
.mpo_cleanup_sysv_sem = sebsd_cleanup_sysv_label,