svn commit: r193391 - in head/sys: netinet security/mac security/mac_biba security/mac_lomac security/mac_mls security/mac_stub security/mac_test

Robert Watson rwatson at FreeBSD.org
Wed Jun 3 18:46:30 UTC 2009


Author: rwatson
Date: Wed Jun  3 18:46:28 2009
New Revision: 193391
URL: http://svn.freebsd.org/changeset/base/193391

Log:
  Continue work to optimize performance of "options MAC" when no MAC policy
  modules are loaded by avoiding mbuf label lookups when policies aren't
  loaded, pushing further socket locking into MAC policy modules, and
  avoiding locking MAC ifnet locks when no policies are loaded:
  
  - Check mac_policy_count before looking for mbuf MAC label m_tags in MAC
    Framework entry points.  We will still pay label lookup costs if MAC
    policies are present but don't require labels (typically a single mbuf
    header field read, but perhaps further indirection if IPSEC or other
    m_tag consumers are in use).
  
  - Further push socket locking for socket-related access control checks and
    events into MAC policies from the MAC Framework, so that sockets are
    only locked if a policy specifically requires a lock to protect a label.
    This resolves lock order issues during sonewconn() and also in local
    domain socket cross-connect where multiple socket locks could not be
    held at once for the purposes of propagating MAC labels across multiple
    sockets.  Eliminate mac_policy_count check in some entry points where it
    no longer avoids locking.
  
  - Add mac_policy_count checking in some entry points relating to network
    interfaces that otherwise lock a global MAC ifnet lock used to protect
    ifnet labels.
  
  Obtained from:	TrustedBSD Project

Modified:
  head/sys/netinet/in_pcb.c
  head/sys/security/mac/mac_atalk.c
  head/sys/security/mac/mac_inet.c
  head/sys/security/mac/mac_inet6.c
  head/sys/security/mac/mac_net.c
  head/sys/security/mac/mac_socket.c
  head/sys/security/mac_biba/mac_biba.c
  head/sys/security/mac_lomac/mac_lomac.c
  head/sys/security/mac_mls/mac_mls.c
  head/sys/security/mac_stub/mac_stub.c
  head/sys/security/mac_test/mac_test.c

Modified: head/sys/netinet/in_pcb.c
==============================================================================
--- head/sys/netinet/in_pcb.c	Wed Jun  3 17:30:10 2009	(r193390)
+++ head/sys/netinet/in_pcb.c	Wed Jun  3 18:46:28 2009	(r193391)
@@ -212,9 +212,7 @@ in_pcballoc(struct socket *so, struct in
 	error = mac_inpcb_init(inp, M_NOWAIT);
 	if (error != 0)
 		goto out;
-	SOCK_LOCK(so);
 	mac_inpcb_create(so, inp);
-	SOCK_UNLOCK(so);
 #endif
 #ifdef IPSEC
 	error = ipsec_init_policy(so, &inp->inp_sp);
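Review bot: With SOCK_LOCK/SOCK_UNLOCK removed around `mac_inpcb_create(so, inp)`, protecting the socket label during the copy becomes each policy's job, and only mac_biba visibly takes it on in this commit (`biba_inpcb_create` gains the lock pair). The mac_lomac and mac_mls sections shown here have no hunk touching their inpcb_create hooks, so if those hooks copy from the socket label as the biba one does, they would now read it unlocked and could race with a concurrent relabel; this is inferred from the absence of hunks, not from their bodies. Worth confirming and, if so, wrapping their copy in `SOCK_LOCK(so);` / `SOCK_UNLOCK(so);` as biba does. in_pcballoc continues outside the hunk.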

Modified: head/sys/security/mac/mac_atalk.c
==============================================================================
--- head/sys/security/mac/mac_atalk.c	Wed Jun  3 17:30:10 2009	(r193390)
+++ head/sys/security/mac/mac_atalk.c	Wed Jun  3 18:46:28 2009	(r193391)
@@ -61,6 +61,9 @@ mac_netatalk_aarp_send(struct ifnet *ifp
 {
 	struct label *mlabel;
 
+	if (mac_policy_count == 0)
+		return;
+
 	mlabel = mac_mbuf_to_label(m);
 
 	MAC_IFNET_LOCK(ifp);

Modified: head/sys/security/mac/mac_inet.c
==============================================================================
--- head/sys/security/mac/mac_inet.c	Wed Jun  3 17:30:10 2009	(r193390)
+++ head/sys/security/mac/mac_inet.c	Wed Jun  3 18:46:28 2009	(r193391)
@@ -193,6 +193,9 @@ mac_ipq_reassemble(struct ipq *q, struct
 {
 	struct label *label;
 
+	if (mac_policy_count == 0)
+		return;
+
 	label = mac_mbuf_to_label(m);
 
 	MAC_POLICY_PERFORM_NOSLEEP(ipq_reassemble, q, q->ipq_label, m,
@@ -204,6 +207,9 @@ mac_netinet_fragment(struct mbuf *m, str
 {
 	struct label *mlabel, *fraglabel;
 
+	if (mac_policy_count == 0)
+		return;
+
 	mlabel = mac_mbuf_to_label(m);
 	fraglabel = mac_mbuf_to_label(frag);
 
@@ -216,6 +222,9 @@ mac_ipq_create(struct mbuf *m, struct ip
 {
 	struct label *label;
 
+	if (mac_policy_count == 0)
+		return;
+
 	label = mac_mbuf_to_label(m);
 
 	MAC_POLICY_PERFORM_NOSLEEP(ipq_create, m, label, q, q->ipq_label);
@@ -227,6 +236,10 @@ mac_inpcb_create_mbuf(struct inpcb *inp,
 	struct label *mlabel;
 
 	INP_LOCK_ASSERT(inp);
+
+	if (mac_policy_count == 0)
+		return;
+
 	mlabel = mac_mbuf_to_label(m);
 
 	MAC_POLICY_PERFORM_NOSLEEP(inpcb_create_mbuf, inp, inp->inp_label, m,
@@ -239,6 +252,9 @@ mac_ipq_match(struct mbuf *m, struct ipq
 	struct label *label;
 	int result;
 
+	if (mac_policy_count == 0)
+		return (1);
+
 	label = mac_mbuf_to_label(m);
 
 	result = 1;
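Review bot: The early `return (1)` in mac_ipq_match duplicates the default that `result = 1;` sets a few lines later, and nothing ties the two together. A short comment above the guard, e.g. `/* No policies loaded: same result as the default below. */`, would keep the two values from drifting apart if the default ever changes. The same applies to the `return (1)` added to mac_ip6q_match in mac_inet6.c. The function body continues outside the hunk.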
@@ -252,6 +268,9 @@ mac_netinet_arp_send(struct ifnet *ifp, 
 {
 	struct label *mlabel;
 
+	if (mac_policy_count == 0)
+		return;
+
 	mlabel = mac_mbuf_to_label(m);
 
 	MAC_IFNET_LOCK(ifp);
@@ -265,6 +284,9 @@ mac_netinet_icmp_reply(struct mbuf *mrec
 {
 	struct label *mrecvlabel, *msendlabel;
 
+	if (mac_policy_count == 0)
+		return;
+
 	mrecvlabel = mac_mbuf_to_label(mrecv);
 	msendlabel = mac_mbuf_to_label(msend);
 
@@ -277,6 +299,9 @@ mac_netinet_icmp_replyinplace(struct mbu
 {
 	struct label *label;
 
+	if (mac_policy_count == 0)
+		return;
+
 	label = mac_mbuf_to_label(m);
 
 	MAC_POLICY_PERFORM_NOSLEEP(netinet_icmp_replyinplace, m, label);
@@ -287,6 +312,9 @@ mac_netinet_igmp_send(struct ifnet *ifp,
 {
 	struct label *mlabel;
 
+	if (mac_policy_count == 0)
+		return;
+
 	mlabel = mac_mbuf_to_label(m);
 
 	MAC_IFNET_LOCK(ifp);
@@ -300,6 +328,9 @@ mac_netinet_tcp_reply(struct mbuf *m)
 {
 	struct label *label;
 
+	if (mac_policy_count == 0)
+		return;
+
 	label = mac_mbuf_to_label(m);
 
 	MAC_POLICY_PERFORM_NOSLEEP(netinet_tcp_reply, m, label);
@@ -310,6 +341,9 @@ mac_ipq_update(struct mbuf *m, struct ip
 {
 	struct label *label;
 
+	if (mac_policy_count == 0)
+		return;
+
 	label = mac_mbuf_to_label(m);
 
 	MAC_POLICY_PERFORM_NOSLEEP(ipq_update, m, label, q, q->ipq_label);
@@ -326,6 +360,9 @@ mac_inpcb_check_deliver(struct inpcb *in
 
 	M_ASSERTPKTHDR(m);
 
+	if (mac_policy_count == 0)
+		return (0);
+
 	label = mac_mbuf_to_label(m);
 
 	MAC_POLICY_CHECK_NOSLEEP(inpcb_check_deliver, inp, inp->inp_label, m,
@@ -371,6 +408,9 @@ mac_netinet_firewall_reply(struct mbuf *
 	M_ASSERTPKTHDR(mrecv);
 	M_ASSERTPKTHDR(msend);
 
+	if (mac_policy_count == 0)
+		return;
+
 	mrecvlabel = mac_mbuf_to_label(mrecv);
 	msendlabel = mac_mbuf_to_label(msend);
 
@@ -385,6 +425,9 @@ mac_netinet_firewall_send(struct mbuf *m
 
 	M_ASSERTPKTHDR(m);
 
+	if (mac_policy_count == 0)
+		return;
+
 	label = mac_mbuf_to_label(m);
 
 	MAC_POLICY_PERFORM_NOSLEEP(netinet_firewall_send, m, label);
@@ -455,6 +498,9 @@ mac_syncache_create_mbuf(struct label *s
 
 	M_ASSERTPKTHDR(m);
 
+	if (mac_policy_count == 0)
+		return;
+
 	mlabel = mac_mbuf_to_label(m);
 
 	MAC_POLICY_PERFORM_NOSLEEP(syncache_create_mbuf, sc_label, m,

Modified: head/sys/security/mac/mac_inet6.c
==============================================================================
--- head/sys/security/mac/mac_inet6.c	Wed Jun  3 17:30:10 2009	(r193390)
+++ head/sys/security/mac/mac_inet6.c	Wed Jun  3 18:46:28 2009	(r193391)
@@ -118,6 +118,9 @@ mac_ip6q_reassemble(struct ip6q *q6, str
 {
 	struct label *label;
 
+	if (mac_policy_count == 0)
+		return;
+
 	label = mac_mbuf_to_label(m);
 
 	MAC_POLICY_PERFORM_NOSLEEP(ip6q_reassemble, q6, q6->ip6q_label, m,
@@ -129,6 +132,9 @@ mac_ip6q_create(struct mbuf *m, struct i
 {
 	struct label *label;
 
+	if (mac_policy_count == 0)
+		return;
+
 	label = mac_mbuf_to_label(m);
 
 	MAC_POLICY_PERFORM_NOSLEEP(ip6q_create, m, label, q6,
@@ -141,6 +147,9 @@ mac_ip6q_match(struct mbuf *m, struct ip
 	struct label *label;
 	int result;
 
+	if (mac_policy_count == 0)
+		return (1);
+
 	label = mac_mbuf_to_label(m);
 
 	result = 1;
@@ -155,6 +164,9 @@ mac_ip6q_update(struct mbuf *m, struct i
 {
 	struct label *label;
 
+	if (mac_policy_count == 0)
+		return;
+
 	label = mac_mbuf_to_label(m);
 
 	MAC_POLICY_PERFORM_NOSLEEP(ip6q_update, m, label, q6,
@@ -166,6 +178,9 @@ mac_netinet6_nd6_send(struct ifnet *ifp,
 {
 	struct label *mlabel;
 
+	if (mac_policy_count == 0)
+		return;
+
 	mlabel = mac_mbuf_to_label(m);
 
 	MAC_POLICY_PERFORM_NOSLEEP(netinet6_nd6_send, ifp, ifp->if_label, m,

Modified: head/sys/security/mac/mac_net.c
==============================================================================
--- head/sys/security/mac/mac_net.c	Wed Jun  3 17:30:10 2009	(r193390)
+++ head/sys/security/mac/mac_net.c	Wed Jun  3 18:46:28 2009	(r193391)
@@ -296,6 +296,9 @@ void
 mac_ifnet_create(struct ifnet *ifp)
 {
 
+	if (mac_policy_count == 0)
+		return;
+
 	MAC_IFNET_LOCK(ifp);
 	MAC_POLICY_PERFORM_NOSLEEP(ifnet_create, ifp, ifp->if_label);
 	MAC_IFNET_UNLOCK(ifp);
@@ -315,6 +318,9 @@ mac_bpfdesc_create_mbuf(struct bpf_d *d,
 
 	BPFD_LOCK_ASSERT(d);
 
+	if (mac_policy_count == 0)
+		return;
+
 	label = mac_mbuf_to_label(m);
 
 	MAC_POLICY_PERFORM_NOSLEEP(bpfdesc_create_mbuf, d, d->bd_label, m,
@@ -326,6 +332,9 @@ mac_ifnet_create_mbuf(struct ifnet *ifp,
 {
 	struct label *label;
 
+	if (mac_policy_count == 0)
+		return;
+
 	label = mac_mbuf_to_label(m);
 
 	MAC_IFNET_LOCK(ifp);
@@ -344,6 +353,9 @@ mac_bpfdesc_check_receive(struct bpf_d *
 
 	BPFD_LOCK_ASSERT(d);
 
+	if (mac_policy_count == 0)
+		return (0);
+
 	MAC_IFNET_LOCK(ifp);
 	MAC_POLICY_CHECK_NOSLEEP(bpfdesc_check_receive, d, d->bd_label, ifp,
 	    ifp->if_label);
@@ -364,6 +376,9 @@ mac_ifnet_check_transmit(struct ifnet *i
 
 	M_ASSERTPKTHDR(m);
 
+	if (mac_policy_count == 0)
+		return (0);
+
 	label = mac_mbuf_to_label(m);
 
 	MAC_IFNET_LOCK(ifp);

Modified: head/sys/security/mac/mac_socket.c
==============================================================================
--- head/sys/security/mac/mac_socket.c	Wed Jun  3 17:30:10 2009	(r193390)
+++ head/sys/security/mac/mac_socket.c	Wed Jun  3 18:46:28 2009	(r193391)
@@ -88,6 +88,16 @@ __FBSDID("$FreeBSD$");
  * remote socket for UNIX domain sockets rather than keeping a local copy on
  * this endpoint, but be cached and updated based on packets received for
  * TCP/IP.
+ *
+ * Unlike with many other object types, the lock protecting MAC labels on
+ * sockets (the socket lock) is not frequently held at the points in code
+ * where socket-related checks are called.  The MAC Framework acquires the
+ * lock over some entry points in order to enforce atomicity (such as label
+ * copies) but in other cases the policy modules will have to acquire the
+ * lock themselves if they use labels.  This approach (a) avoids lock
+ * acquisitions when policies don't require labels and (b) solves a number of
+ * potential lock order issues when multiple sockets are used in the same
+ * entry point.
  */
 
 struct label *
@@ -234,13 +244,8 @@ void
 mac_socket_newconn(struct socket *oldso, struct socket *newso)
 {
 
-	if (mac_policy_count == 0)
-		return;
-
-	SOCK_LOCK(oldso);
 	MAC_POLICY_PERFORM_NOSLEEP(socket_newconn, oldso, oldso->so_label,
 	    newso, newso->so_label);
-	SOCK_UNLOCK(oldso);
 }
 
 static void
@@ -259,12 +264,13 @@ mac_socketpeer_set_from_mbuf(struct mbuf
 {
 	struct label *label;
 
+	if (mac_policy_count == 0)
+		return;
+
 	label = mac_mbuf_to_label(m);
 
-	SOCK_LOCK(so);
 	MAC_POLICY_PERFORM_NOSLEEP(socketpeer_set_from_mbuf, m, label, so,
 	    so->so_peerlabel);
-	SOCK_UNLOCK(so);
 }
 
 void
@@ -274,15 +280,8 @@ mac_socketpeer_set_from_socket(struct so
 	if (mac_policy_count == 0)
 		return;
 
-	/*
-	 * XXXRW: We want to hold locks on both sockets, but can't currently
-	 * due to lock order -- opt to lock the socket where we're accessing
-	 * so_label as it's more likely to change.
-	 */
-	SOCK_LOCK(oldso);
 	MAC_POLICY_PERFORM_NOSLEEP(socketpeer_set_from_socket, oldso,
 	    oldso->so_label, newso, newso->so_peerlabel);
-	SOCK_UNLOCK(oldso);
 }
 
 void
@@ -295,10 +294,8 @@ mac_socket_create_mbuf(struct socket *so
 
 	label = mac_mbuf_to_label(m);
 
-	SOCK_LOCK(so);
 	MAC_POLICY_PERFORM_NOSLEEP(socket_create_mbuf, so, so->so_label, m,
 	    label);
-	SOCK_UNLOCK(so);
 }
 
 MAC_CHECK_PROBE_DEFINE2(socket_check_accept, "struct ucred *",
@@ -309,14 +306,9 @@ mac_socket_check_accept(struct ucred *cr
 {
 	int error;
 
-	if (mac_policy_count == 0)
-		return (0);
-
-	SOCK_LOCK(so);
 	MAC_POLICY_CHECK_NOSLEEP(socket_check_accept, cred, so,
 	    so->so_label);
 	MAC_CHECK_PROBE2(socket_check_accept, error, cred, so);
-	SOCK_UNLOCK(so);
 
 	return (error);
 }
@@ -330,14 +322,9 @@ mac_socket_check_bind(struct ucred *cred
 {
 	int error;
 
-	if (mac_policy_count == 0)
-		return (0);
-
-	SOCK_LOCK(so);
 	MAC_POLICY_CHECK_NOSLEEP(socket_check_bind, cred, so, so->so_label,
 	    sa);
 	MAC_CHECK_PROBE3(socket_check_bind, error, cred, so, sa);
-	SOCK_UNLOCK(so);
 
 	return (error);
 }
@@ -351,14 +338,9 @@ mac_socket_check_connect(struct ucred *c
 {
 	int error;
 
-	if (mac_policy_count == 0)
-		return (0);
-
-	SOCK_LOCK(so);
 	MAC_POLICY_CHECK_NOSLEEP(socket_check_connect, cred, so,
 	    so->so_label, sa);
 	MAC_CHECK_PROBE3(socket_check_connect, error, cred, so, sa);
-	SOCK_UNLOCK(so);
 
 	return (error);
 }
@@ -393,11 +375,9 @@ mac_socket_check_deliver(struct socket *
 
 	label = mac_mbuf_to_label(m);
 
-	SOCK_LOCK(so);
 	MAC_POLICY_CHECK_NOSLEEP(socket_check_deliver, so, so->so_label, m,
 	    label);
 	MAC_CHECK_PROBE2(socket_check_deliver, error, so, m);
-	SOCK_UNLOCK(so);
 
 	return (error);
 }
@@ -410,14 +390,9 @@ mac_socket_check_listen(struct ucred *cr
 {
 	int error;
 
-	if (mac_policy_count == 0)
-		return (0);
-
-	SOCK_LOCK(so);
 	MAC_POLICY_CHECK_NOSLEEP(socket_check_listen, cred, so,
 	    so->so_label);
 	MAC_CHECK_PROBE2(socket_check_listen, error, cred, so);
-	SOCK_UNLOCK(so);
 
 	return (error);
 }
@@ -430,13 +405,8 @@ mac_socket_check_poll(struct ucred *cred
 {
 	int error;
 
-	if (mac_policy_count == 0)
-		return (0);
-
-	SOCK_LOCK(so);
 	MAC_POLICY_CHECK_NOSLEEP(socket_check_poll, cred, so, so->so_label);
 	MAC_CHECK_PROBE2(socket_check_poll, error, cred, so);
-	SOCK_UNLOCK(so);
 
 	return (error);
 }
@@ -449,14 +419,9 @@ mac_socket_check_receive(struct ucred *c
 {
 	int error;
 
-	if (mac_policy_count == 0)
-		return (0);
-
-	SOCK_LOCK(so);
 	MAC_POLICY_CHECK_NOSLEEP(socket_check_receive, cred, so,
 	    so->so_label);
 	MAC_CHECK_PROBE2(socket_check_receive, error, cred, so);
-	SOCK_UNLOCK(so);
 
 	return (error);
 }
@@ -487,13 +452,8 @@ mac_socket_check_send(struct ucred *cred
 {
 	int error;
 
-	if (mac_policy_count == 0)
-		return (0);
-
-	SOCK_LOCK(so);
 	MAC_POLICY_CHECK_NOSLEEP(socket_check_send, cred, so, so->so_label);
 	MAC_CHECK_PROBE2(socket_check_send, error, cred, so);
-	SOCK_UNLOCK(so);
 
 	return (error);
 }
@@ -506,13 +466,8 @@ mac_socket_check_stat(struct ucred *cred
 {
 	int error;
 
-	if (mac_policy_count == 0)
-		return (0);
-
-	SOCK_LOCK(so);
 	MAC_POLICY_CHECK_NOSLEEP(socket_check_stat, cred, so, so->so_label);
 	MAC_CHECK_PROBE2(socket_check_stat, error, cred, so);
-	SOCK_UNLOCK(so);
 
 	return (error);
 }
@@ -525,14 +480,9 @@ mac_socket_check_visible(struct ucred *c
 {
 	int error;
 
-	if (mac_policy_count == 0)
-		return (0);
-
-	SOCK_LOCK(so);
 	MAC_POLICY_CHECK_NOSLEEP(socket_check_visible, cred, so,
 	    so->so_label);
 	MAC_CHECK_PROBE2(socket_check_visible, error, cred, so);
-	SOCK_UNLOCK(so);
 
 	return (error);
 }

Modified: head/sys/security/mac_biba/mac_biba.c
==============================================================================
--- head/sys/security/mac_biba/mac_biba.c	Wed Jun  3 17:30:10 2009	(r193390)
+++ head/sys/security/mac_biba/mac_biba.c	Wed Jun  3 18:46:28 2009	(r193391)
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 1999-2002, 2007-2008 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2007-2009 Robert N. M. Watson
  * Copyright (c) 2001-2005 McAfee, Inc.
  * Copyright (c) 2006 SPARTA, Inc.
  * All rights reserved.
@@ -1177,7 +1177,9 @@ biba_inpcb_create(struct socket *so, str
 	source = SLOT(solabel);
 	dest = SLOT(inplabel);
 
+	SOCK_LOCK(so);
 	biba_copy_effective(source, dest);
+	SOCK_UNLOCK(so);
 }
 
 static void
@@ -1198,6 +1200,8 @@ biba_inpcb_sosetlabel(struct socket *so,
 {
 	struct mac_biba *source, *dest;
 
+	SOCK_LOCK_ASSERT(so);
+
 	source = SLOT(solabel);
 	dest = SLOT(inplabel);
 
@@ -1918,6 +1922,7 @@ biba_socket_check_deliver(struct socket 
     struct mbuf *m, struct label *mlabel)
 {
 	struct mac_biba *p, *s;
+	int error;
 
 	if (!biba_enabled)
 		return (0);
@@ -1925,7 +1930,10 @@ biba_socket_check_deliver(struct socket 
 	p = SLOT(mlabel);
 	s = SLOT(solabel);
 
-	return (biba_equal_effective(p, s) ? 0 : EACCES);
+	SOCK_LOCK(so);
+	error = biba_equal_effective(p, s) ? 0 : EACCES;
+	SOCK_UNLOCK(so);
+	return (error);
 }
 
 static int
@@ -1935,6 +1943,8 @@ biba_socket_check_relabel(struct ucred *
 	struct mac_biba *subj, *obj, *new;
 	int error;
 
+	SOCK_LOCK_ASSERT(so);
+
 	new = SLOT(newlabel);
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(solabel);
@@ -1991,8 +2001,12 @@ biba_socket_check_visible(struct ucred *
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(solabel);
 
-	if (!biba_dominate_effective(obj, subj))
+	SOCK_LOCK(so);
+	if (!biba_dominate_effective(obj, subj)) {
+		SOCK_UNLOCK(so);
 		return (ENOENT);
+	}
+	SOCK_UNLOCK(so);
 
 	return (0);
 }
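Review bot: biba_socket_check_visible now unlocks on two separate paths, whereas biba_socket_check_deliver in the same commit computes the result under the lock and unlocks once. Using the same shape here, `error = biba_dominate_effective(obj, subj) ? 0 : ENOENT;` between a single `SOCK_LOCK(so);` / `SOCK_UNLOCK(so);` pair followed by `return (error);`, leaves one unlock to maintain and makes a missed unlock on a later-added return path less likely. This needs a local `int error` if the function does not already declare one; its opening lines are outside the hunk. lomac_socket_check_visible and mls_socket_check_visible have the same two-unlock form.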
@@ -2018,19 +2032,26 @@ biba_socket_create_mbuf(struct socket *s
 	source = SLOT(solabel);
 	dest = SLOT(mlabel);
 
+	SOCK_LOCK(so);
 	biba_copy_effective(source, dest);
+	SOCK_UNLOCK(so);
 }
 
 static void
 biba_socket_newconn(struct socket *oldso, struct label *oldsolabel,
     struct socket *newso, struct label *newsolabel)
 {
-	struct mac_biba *source, *dest;
+	struct mac_biba source, *dest;
+
+	SOCK_LOCK(oldso);
+	source = *SLOT(oldsolabel);
+	SOCK_UNLOCK(oldso);
 
-	source = SLOT(oldsolabel);
 	dest = SLOT(newsolabel);
 
-	biba_copy_effective(source, dest);
+	SOCK_LOCK(newso);
+	biba_copy_effective(&source, dest);
+	SOCK_UNLOCK(newso);
 }
 
 static void
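Review bot: biba_socket_newconn now snapshots the old socket's label by value (`source = *SLOT(oldsolabel);`) and releases oldso's lock before taking newso's, but nothing in the function says why. A comment along the lines of `/* Copy under oldso's lock; the two socket locks cannot be held together. */` would record the lock-order reason that the commit log gives, and make clear that the new socket receives oldso's label as it was at snapshot time. The same pattern, equally uncommented, appears in biba_socketpeer_set_from_socket and in the lomac and mls counterparts.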
@@ -2039,6 +2060,8 @@ biba_socket_relabel(struct ucred *cred, 
 {
 	struct mac_biba *source, *dest;
 
+	SOCK_LOCK_ASSERT(so);
+
 	source = SLOT(newlabel);
 	dest = SLOT(solabel);
 
@@ -2054,7 +2077,9 @@ biba_socketpeer_set_from_mbuf(struct mbu
 	source = SLOT(mlabel);
 	dest = SLOT(sopeerlabel);
 
+	SOCK_LOCK(so);
 	biba_copy_effective(source, dest);
+	SOCK_UNLOCK(so);
 }
 
 static void
@@ -2062,12 +2087,16 @@ biba_socketpeer_set_from_socket(struct s
     struct label *oldsolabel, struct socket *newso,
     struct label *newsopeerlabel)
 {
-	struct mac_biba *source, *dest;
+	struct mac_biba source, *dest;
 
-	source = SLOT(oldsolabel);
+	SOCK_LOCK(oldso);
+	source = *SLOT(oldsolabel);
+	SOCK_UNLOCK(oldso);
 	dest = SLOT(newsopeerlabel);
 
-	biba_copy_effective(source, dest);
+	SOCK_LOCK(newso);
+	biba_copy_effective(&source, dest);
+	SOCK_UNLOCK(newso);
 }
 
 static void

Modified: head/sys/security/mac_lomac/mac_lomac.c
==============================================================================
--- head/sys/security/mac_lomac/mac_lomac.c	Wed Jun  3 17:30:10 2009	(r193390)
+++ head/sys/security/mac_lomac/mac_lomac.c	Wed Jun  3 18:46:28 2009	(r193391)
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 1999-2002, 2007-2008 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2007-2009 Robert N. M. Watson
  * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
  * Copyright (c) 2006 SPARTA, Inc.
  * All rights reserved.
@@ -1315,6 +1315,8 @@ lomac_inpcb_sosetlabel(struct socket *so
 {
 	struct mac_lomac *source, *dest;
 
+	SOCK_LOCK_ASSERT(so);
+
 	source = SLOT(solabel);
 	dest = SLOT(inplabel);
 
@@ -1930,6 +1932,7 @@ lomac_socket_check_deliver(struct socket
     struct mbuf *m, struct label *mlabel)
 {
 	struct mac_lomac *p, *s;
+	int error;
 
 	if (!lomac_enabled)
 		return (0);
@@ -1937,7 +1940,10 @@ lomac_socket_check_deliver(struct socket
 	p = SLOT(mlabel);
 	s = SLOT(solabel);
 
-	return (lomac_equal_single(p, s) ? 0 : EACCES);
+	SOCK_LOCK(so);
+	error = lomac_equal_single(p, s) ? 0 : EACCES;
+	SOCK_UNLOCK(so);
+	return (error);
 }
 
 static int
@@ -1947,6 +1953,8 @@ lomac_socket_check_relabel(struct ucred 
 	struct mac_lomac *subj, *obj, *new;
 	int error;
 
+	SOCK_LOCK_ASSERT(so);
+
 	new = SLOT(newlabel);
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(solabel);
@@ -2003,8 +2011,12 @@ lomac_socket_check_visible(struct ucred 
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(solabel);
 
-	if (!lomac_dominate_single(obj, subj))
+	SOCK_LOCK(so);
+	if (!lomac_dominate_single(obj, subj)) {
+		SOCK_UNLOCK(so);
 		return (ENOENT);
+	}
+	SOCK_UNLOCK(so);
 
 	return (0);
 }
@@ -2030,19 +2042,26 @@ lomac_socket_create_mbuf(struct socket *
 	source = SLOT(solabel);
 	dest = SLOT(mlabel);
 
+	SOCK_LOCK(so);
 	lomac_copy_single(source, dest);
+	SOCK_UNLOCK(so);
 }
 
 static void
 lomac_socket_newconn(struct socket *oldso, struct label *oldsolabel,
     struct socket *newso, struct label *newsolabel)
 {
-	struct mac_lomac *source, *dest;
+	struct mac_lomac source, *dest;
+
+	SOCK_LOCK(oldso);
+	source = *SLOT(oldsolabel);
+	SOCK_UNLOCK(oldso);
 
-	source = SLOT(oldsolabel);
 	dest = SLOT(newsolabel);
 
-	lomac_copy_single(source, dest);
+	SOCK_LOCK(newso);
+	lomac_copy_single(&source, dest);
+	SOCK_UNLOCK(newso);
 }
 
 static void
@@ -2051,6 +2070,8 @@ lomac_socket_relabel(struct ucred *cred,
 {
 	struct mac_lomac *source, *dest;
 
+	SOCK_LOCK_ASSERT(so);
+
 	source = SLOT(newlabel);
 	dest = SLOT(solabel);
 
@@ -2066,7 +2087,9 @@ lomac_socketpeer_set_from_mbuf(struct mb
 	source = SLOT(mlabel);
 	dest = SLOT(sopeerlabel);
 
+	SOCK_LOCK(so);
 	lomac_copy_single(source, dest);
+	SOCK_UNLOCK(so);
 }
 
 static void
@@ -2074,12 +2097,17 @@ lomac_socketpeer_set_from_socket(struct 
     struct label *oldsolabel, struct socket *newso,
     struct label *newsopeerlabel)
 {
-	struct mac_lomac *source, *dest;
+	struct mac_lomac source, *dest;
+
+	SOCK_LOCK(oldso);
+	source = *SLOT(oldsolabel);
+	SOCK_UNLOCK(oldso);
 
-	source = SLOT(oldsolabel);
 	dest = SLOT(newsopeerlabel);
 
-	lomac_copy_single(source, dest);
+	SOCK_LOCK(newso);
+	lomac_copy_single(&source, dest);
+	SOCK_UNLOCK(newso);
 }
 
 static void

Modified: head/sys/security/mac_mls/mac_mls.c
==============================================================================
--- head/sys/security/mac_mls/mac_mls.c	Wed Jun  3 17:30:10 2009	(r193390)
+++ head/sys/security/mac_mls/mac_mls.c	Wed Jun  3 18:46:28 2009	(r193391)
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 1999-2002, 2007-2008 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2007-2009 Robert N. M. Watson
  * Copyright (c) 2001-2005 McAfee, Inc.
  * Copyright (c) 2006 SPARTA, Inc.
  * All rights reserved.
@@ -1116,6 +1116,8 @@ mls_inpcb_sosetlabel(struct socket *so, 
 {
 	struct mac_mls *source, *dest;
 
+	SOCK_LOCK_ASSERT(so);
+
 	source = SLOT(solabel);
 	dest = SLOT(inplabel);
 
@@ -1623,6 +1625,7 @@ mls_socket_check_deliver(struct socket *
     struct mbuf *m, struct label *mlabel)
 {
 	struct mac_mls *p, *s;
+	int error;
 
 	if (!mls_enabled)
 		return (0);
@@ -1630,7 +1633,11 @@ mls_socket_check_deliver(struct socket *
 	p = SLOT(mlabel);
 	s = SLOT(solabel);
 
-	return (mls_equal_effective(p, s) ? 0 : EACCES);
+	SOCK_LOCK(so);
+	error = mls_equal_effective(p, s) ? 0 : EACCES;
+	SOCK_UNLOCK(so);
+
+	return (error);
 }
 
 static int
@@ -1640,6 +1647,8 @@ mls_socket_check_relabel(struct ucred *c
 	struct mac_mls *subj, *obj, *new;
 	int error;
 
+	SOCK_LOCK_ASSERT(so);
+
 	new = SLOT(newlabel);
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(solabel);
@@ -1696,8 +1705,12 @@ mls_socket_check_visible(struct ucred *c
 	subj = SLOT(cred->cr_label);
 	obj = SLOT(solabel);
 
-	if (!mls_dominate_effective(subj, obj))
+	SOCK_LOCK(so);
+	if (!mls_dominate_effective(subj, obj)) {
+		SOCK_UNLOCK(so);
 		return (ENOENT);
+	}
+	SOCK_UNLOCK(so);
 
 	return (0);
 }
@@ -1723,19 +1736,26 @@ mls_socket_create_mbuf(struct socket *so
 	source = SLOT(solabel);
 	dest = SLOT(mlabel);
 
+	SOCK_LOCK(so);
 	mls_copy_effective(source, dest);
+	SOCK_UNLOCK(so);
 }
 
 static void
 mls_socket_newconn(struct socket *oldso, struct label *oldsolabel,
     struct socket *newso, struct label *newsolabel)
 {
-	struct mac_mls *source, *dest;
+	struct mac_mls source, *dest;
+
+	SOCK_LOCK(oldso);
+	source = *SLOT(oldsolabel);
+	SOCK_UNLOCK(oldso);
 
-	source = SLOT(oldsolabel);
 	dest = SLOT(newsolabel);
 
-	mls_copy_effective(source, dest);
+	SOCK_LOCK(newso);
+	mls_copy_effective(&source, dest);
+	SOCK_UNLOCK(newso);
 }
 
 static void
@@ -1744,6 +1764,8 @@ mls_socket_relabel(struct ucred *cred, s
 {
 	struct mac_mls *source, *dest;
 
+	SOCK_LOCK_ASSERT(so);
+
 	source = SLOT(newlabel);
 	dest = SLOT(solabel);
 
@@ -1759,7 +1781,9 @@ mls_socketpeer_set_from_mbuf(struct mbuf
 	source = SLOT(mlabel);
 	dest = SLOT(sopeerlabel);
 
+	SOCK_LOCK(so);
 	mls_copy_effective(source, dest);
+	SOCK_UNLOCK(so);
 }
 
 static void
@@ -1767,12 +1791,17 @@ mls_socketpeer_set_from_socket(struct so
     struct label *oldsolabel, struct socket *newso,
     struct label *newsopeerlabel)
 {
-	struct mac_mls *source, *dest;
+	struct mac_mls source, *dest;
+
+	SOCK_LOCK(oldso);
+	source = *SLOT(oldsolabel);
+	SOCK_UNLOCK(oldso);
 
-	source = SLOT(oldsolabel);
 	dest = SLOT(newsopeerlabel);
 
-	mls_copy_effective(source, dest);
+	SOCK_LOCK(newso);
+	mls_copy_effective(&source, dest);
+	SOCK_UNLOCK(newso);
 }
 
 static void

Modified: head/sys/security/mac_stub/mac_stub.c
==============================================================================
--- head/sys/security/mac_stub/mac_stub.c	Wed Jun  3 17:30:10 2009	(r193390)
+++ head/sys/security/mac_stub/mac_stub.c	Wed Jun  3 18:46:28 2009	(r193391)
@@ -413,6 +413,8 @@ stub_inpcb_sosetlabel(struct socket *so,
     struct inpcb *inp, struct label *inplabel)
 {
 
+	SOCK_LOCK_ASSERT(so);
+
 }
 
 static void
@@ -809,6 +811,11 @@ stub_socket_check_accept(struct ucred *c
     struct label *solabel)
 {
 
+#if 0
+	SOCK_LOCK(so);
+	SOCK_UNLOCK(so);
+#endif
+
 	return (0);
 }
 
@@ -817,6 +824,11 @@ stub_socket_check_bind(struct ucred *cre
     struct label *solabel, struct sockaddr *sa)
 {
 
+#if 0
+	SOCK_LOCK(so);
+	SOCK_UNLOCK(so);
+#endif
+
 	return (0);
 }
 
@@ -825,6 +837,11 @@ stub_socket_check_connect(struct ucred *
     struct label *solabel, struct sockaddr *sa)
 {
 
+#if 0
+	SOCK_LOCK(so);
+	SOCK_UNLOCK(so);
+#endif
+
 	return (0);
 }
 
@@ -840,6 +857,11 @@ stub_socket_check_deliver(struct socket 
     struct mbuf *m, struct label *mlabel)
 {
 
+#if 0
+	SOCK_LOCK(so);
+	SOCK_UNLOCK(so);
+#endif
+
 	return (0);
 }
 
@@ -848,6 +870,11 @@ stub_socket_check_listen(struct ucred *c
     struct label *solabel)
 {
 
+#if 0
+	SOCK_LOCK(so);
+	SOCK_UNLOCK(so);
+#endif
+
 	return (0);
 }
 
@@ -856,6 +883,11 @@ stub_socket_check_poll(struct ucred *cre
     struct label *solabel)
 {
 
+#if 0
+	SOCK_LOCK(so);
+	SOCK_UNLOCK(so);
+#endif
+
 	return (0);
 }
 
@@ -864,6 +896,11 @@ stub_socket_check_receive(struct ucred *
     struct label *solabel)
 {
 
+#if 0
+	SOCK_LOCK(so);
+	SOCK_UNLOCK(so);
+#endif
+
 	return (0);
 }
 
@@ -872,6 +909,8 @@ stub_socket_check_relabel(struct ucred *

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***

