Date: Mon, 10 Jun 2002 18:15:23 -0700 (PDT) From: Robert Watson <rwatson@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 12679 for review Message-ID: <200206110115.g5B1FNl77309@freefall.freebsd.org>
http://people.freebsd.org/~peter/p4db/chv.cgi?CH=12679
Change 12679 by rwatson@rwatson_paprika on 2002/06/10 18:15:13
Add mac check entry points for bind, connect, and listen. Fix mac_enable_fs checking for many vnode operations.
Affected files ...
... //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#150 edit
... //depot/projects/trustedbsd/mac/sys/kern/uipc_syscalls.c#10 edit
... //depot/projects/trustedbsd/mac/sys/sys/mac.h#104 edit
... //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#64 edit
Differences ...
==== //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#150 (text+ko) ====
@@ -448,6 +448,14 @@
 mpc->mpc_ops.mpo_bpfdesc_check_receive_from_ifnet =
 mpe->mpe_function;
 break;
+ case MAC_CRED_CHECK_BIND_SOCKET:
+ mpc->mpc_ops.mpo_cred_check_bind_socket =
+ mpe->mpe_function;
+ break;
+ case MAC_CRED_CHECK_CONNECT_SOCKET:
+ mpc->mpc_ops.mpo_cred_check_connect_socket =
+ mpe->mpe_function;
+ break;
 case MAC_CRED_CHECK_SEE_CRED:
 mpc->mpc_ops.mpo_cred_check_see_cred =
 mpe->mpe_function;
@@ -499,6 +507,10 @@
 mpc->mpc_ops.mpo_cred_check_getextattr_vnode =
 mpe->mpe_function;
 break;
+ case MAC_CRED_CHECK_LISTEN_SOCKET:
+ mpc->mpc_ops.mpo_cred_check_listen_socket =
+ mpe->mpe_function;
+ break;
 case MAC_CRED_CHECK_OPEN_VNODE:
 mpc->mpc_ops.mpo_cred_check_open_vnode =
 mpe->mpe_function;
@@ -996,7 +1008,7 @@
 {
 int error;
 
- if (!mac_enforce_process)
+ if (!mac_enforce_process && !mac_enforce_fs)
 return (0);
 
 error = vn_refreshlabel(vp, cred);
@@ -1402,6 +1414,9 @@
 
 ASSERT_VOP_LOCKED(dvp, "mac_cred_check_chdir_vnode");
 
+ if (!mac_enforce_fs)
+ return (0);
+
 error = vn_refreshlabel(dvp, cred);
 if (error)
 return (error);
@@ -1418,6 +1433,9 @@
 
 ASSERT_VOP_LOCKED(dvp, "mac_cred_check_create_vnode");
 
+ if (!mac_enforce_fs)
+ return (0);
+
 error = vn_refreshlabel(dvp, cred);
 if (error)
 return (error);
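Review bot: In the -996 hunk the early return now fires only when both `mac_enforce_process` and `mac_enforce_fs` are clear, so this hook consults the policy whenever either knob is on; the function's signature lies outside the hunk, so which operation this is cannot be seen here, and the combined condition deserves a one-line comment such as `/* Skip only when neither process nor filesystem enforcement is on. */`. The change description refers to `mac_enable_fs`, while the variable every vnode hook in these hunks tests is `mac_enforce_fs`; the description should name the actual knob.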
@@ -1434,6 +1452,9 @@
 
 ASSERT_VOP_LOCKED(vp, "mac_cred_check_getextattr_vnode");
 
+ if (!mac_enforce_fs)
+ return (0);
+
 error = vn_refreshlabel(vp, cred);
 if (error)
 return (error);
@@ -1444,17 +1465,34 @@
 }
 
 int
+mac_cred_check_listen_socket(struct ucred *cred, struct socket *socket)
+{
+ int error;
+
+ if (!mac_enforce_socket)
+ return (0);
+
+ MAC_CHECK(cred_check_listen_socket, cred, socket, &socket->so_label);
+ return (error);
+}
+
+int
 mac_cred_check_open_vnode(struct ucred *cred, struct vnode *vp, mode_t acc_mode)
 {
 int error;
 
 ASSERT_VOP_LOCKED(vp, "mac_cred_check_open_vnode");
 
+ if (!mac_enforce_fs)
+ return (0);
+
 error = vn_refreshlabel(vp, cred);
 if (error)
 return (error);
 
 MAC_CHECK(cred_check_open_vnode, cred, vp, &vp->v_label, acc_mode);
+ if (error)
+ printf("mac_cred_check_open_vnode returns %d\n", error);
 return (error);
 }
@@ -1465,6 +1503,9 @@
 
 ASSERT_VOP_LOCKED(vp, "mac_cred_check_revoke_vnode");
 
+ if (!mac_enforce_fs)
+ return (0);
+
 error = vn_refreshlabel(vp, cred);
 if (error)
 return (error);
@@ -1480,6 +1521,9 @@
 
 ASSERT_VOP_LOCKED(dvp, "mac_cred_check_search_vnode");
 
+ if (!mac_enforce_fs)
+ return (0);
+
 error = vn_refreshlabel(dvp, cred);
 if (error)
 return (error);
@@ -1496,6 +1540,9 @@
 
 ASSERT_VOP_LOCKED(vp, "mac_cred_check_setextattr_vnode");
 
+ if (!mac_enforce_fs)
+ return (0);
+
 error = vn_refreshlabel(vp, cred);
 if (error)
 return (error);
@@ -1512,6 +1559,10 @@
 int error;
 
 ASSERT_VOP_LOCKED(vp, "mac_cred_check_setflags_vnode");
+
+ if (!mac_enforce_fs)
+ return (0);
+
 error = vn_refreshlabel(vp, cred);
 if (error)
 return (error);
@@ -1528,6 +1579,9 @@
 
 ASSERT_VOP_LOCKED(vp, "mac_cred_check_setmode_vnode");
 
+ if (!mac_enforce_fs)
+ return (0);
+
 error = vn_refreshlabel(vp, cred);
 if (error)
 return (error);
@@ -1544,6 +1598,9 @@
 
 ASSERT_VOP_LOCKED(vp, "mac_cred_check_setowner_vnode");
 
+ if (!mac_enforce_fs)
+ return (0);
+
 error = vn_refreshlabel(vp, cred);
 if (error)
 return (error);
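Review bot: The `if (error) printf("mac_cred_check_open_vnode returns %d\n", error);` added after the MAC_CHECK in mac_cred_check_open_vnode writes to the console on every denied open, with no rate limit and no debug knob; since any process can provoke denials simply by opening objects the policy forbids, an unprivileged caller gets an unbounded stream of kernel log output, and the line reads as leftover debugging rather than an audit facility. Either drop the two lines so the hook returns `error` silently like its siblings (`mac_cred_check_listen_socket` in the same hunk just returns the MAC_CHECK result), or guard them behind a debugging sysctl or compile-time option.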
@@ -1560,6 +1617,9 @@
 
 ASSERT_VOP_LOCKED(vp, "mac_cred_check_setutimes_vnode");
 
+ if (!mac_enforce_fs)
+ return (0);
+
 error = vn_refreshlabel(vp, cred);
 if (error)
 return (error);
@@ -1578,6 +1638,9 @@
 ASSERT_VOP_LOCKED(dvp, "mac_cred_check_delete_vnode");
 ASSERT_VOP_LOCKED(vp, "mac_cred_check_delete_vnode");
 
+ if (!mac_enforce_fs)
+ return (0);
+
 error = vn_refreshlabel(dvp, cred);
 if (error)
 return (error);
@@ -1599,6 +1662,9 @@
 ASSERT_VOP_LOCKED(dvp, "mac_cred_check_rename_from_vnode");
 ASSERT_VOP_LOCKED(vp, "mac_cred_check_rename_from_vnode");
 
+ if (!mac_enforce_fs)
+ return (0);
+
 error = vn_refreshlabel(dvp, cred);
 if (error)
 return (error);
@@ -1620,6 +1686,9 @@
 ASSERT_VOP_LOCKED(dvp, "mac_cred_check_rename_to_vnode");
 ASSERT_VOP_LOCKED(vp, "mac_cred_check_rename_to_vnode");
 
+ if (!mac_enforce_fs)
+ return (0);
+
 error = vn_refreshlabel(dvp, cred);
 if (error)
 return (error);
@@ -1640,6 +1709,9 @@
 
 ASSERT_VOP_LOCKED(vp, "mac_cred_check_stat_vnode");
 
+ if (!mac_enforce_fs)
+ return (0);
+
 error = vn_refreshlabel(vp, cred);
 if (error)
 return (error);
@@ -1881,6 +1953,36 @@
 }
 
 int
+mac_cred_check_bind_socket(struct ucred *ucred, struct socket *socket,
+ struct sockaddr *sockaddr)
+{
+ int error;
+
+ if (!mac_enforce_socket)
+ return (0);
+
+ MAC_CHECK(cred_check_bind_socket, ucred, socket, &socket->so_label,
+ sockaddr);
+
+ return (error);
+}
+
+int
+mac_cred_check_connect_socket(struct ucred *cred, struct socket *socket,
+ struct sockaddr *sockaddr)
+{
+ int error;
+
+ if (!mac_enforce_socket)
+ return (0);
+
+ MAC_CHECK(cred_check_connect_socket, cred, socket, &socket->so_label,
+ sockaddr);
+
+ return (error);
+}
+
+int
 mac_socket_can_receive(struct socket *socket, struct mbuf *mbuf)
 {
 int error;
==== //depot/projects/trustedbsd/mac/sys/kern/uipc_syscalls.c#10 (text+ko) ====
@@ -39,6 +39,7 @@
 
 #include "opt_compat.h"
 #include "opt_ktrace.h"
+#include "opt_mac.h"
 
 #include <sys/param.h>
 #include <sys/systm.h>
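Review bot: `mac_cred_check_bind_socket` in the -1881 hunk names its credential parameter `ucred`, whereas the adjacent `mac_cred_check_connect_socket`, `mac_cred_check_listen_socket` and the mac.h prototype all use `cred`; changing the signature to `struct ucred *cred` and passing `cred` to MAC_CHECK keeps the three socket hooks uniform and grep-able. Unlike the vnode hooks in this file, neither new socket hook asserts any lock before reading `socket->so_label`; if a socket locking discipline exists at this revision an assertion would document it, otherwise a comment stating that callers hold Giant (as the listen() path in uipc_syscalls.c visibly does) would tell policy authors what they may rely on.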
@@ -178,6 +179,13 @@
 goto done2;
 if ((error = getsockaddr(&sa, uap->name, uap->namelen)) != 0)
 goto done1;
+#ifdef MAC
+ error = mac_cred_check_bind_socket(td->td_ucred, so, sa);
+ if (error) {
+ FREE(sa, M_SONAME);
+ goto done1;
+ }
+#endif
 error = sobind(so, sa, td);
 FREE(sa, M_SONAME);
 done1:
@@ -204,7 +212,15 @@
 
 mtx_lock(&Giant);
 if ((error = fgetsock(td, uap->s, &so, NULL)) == 0) {
+#ifdef MAC
+ error = mac_cred_check_listen_socket(td->td_ucred, so);
+ if (error)
+ goto done;
+#endif
 error = solisten(so, uap->backlog, td);
+#ifdef MAC
+done:
+#endif
 fputsock(so);
 }
 mtx_unlock(&Giant);
@@ -439,6 +455,11 @@
 error = getsockaddr(&sa, uap->name, uap->namelen);
 if (error)
 goto done1;
+#ifdef MAC
+ error = mac_cred_check_connect_socket(td->td_ucred, so, sa);
+ if (error)
+ goto bad;
+#endif
 error = soconnect(so, sa, td);
 if (error)
 goto bad;
==== //depot/projects/trustedbsd/mac/sys/sys/mac.h#104 (text+ko) ====
@@ -218,6 +218,7 @@
 struct mbuf;
 struct mount;
 struct proc;
+struct sockaddr;
 struct socket;
 struct timespec;
 struct ucred;
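Review bot: In the connect() hunk a MAC denial jumps to `bad:`, which lies outside the hunk, while the bind() hunk has to free `sa` itself before `goto done1`; please confirm that `bad:` releases the sockaddr obtained from getsockaddr(), otherwise the denial path leaks it, and a comment at the `goto bad` naming who frees `sa` would settle the question for the next reader. Placing both checks after getsockaddr() means the policy evaluates the kernel copy of the address rather than user memory, which is the right order. In listen() the `done:` label exists only under `#ifdef MAC`; keeping the `#ifdef` around the check alone and writing `if (error == 0)` / `error = solisten(so, uap->backlog, td);` avoids a conditionally defined label, since `error` is already zero from the fgetsock() test when MAC is not compiled in.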
@@ -255,11 +256,17 @@
 /* Authorizational event hooks. */
 int mac_bpfdesc_check_receive_from_ifnet(struct bpf_d *bpf_d,
 struct ifnet *ifnet);
+int mac_cred_check_bind_socket(struct ucred *cred, struct socket *so,
+ struct sockaddr *sa);
 int mac_cred_check_chdir_vnode(struct ucred *cred, struct vnode *dvp);
+int mac_cred_check_connect_socket(struct ucred *cred, struct socket *so,
+ struct sockaddr *sa);
 int mac_cred_check_create_vnode(struct ucred *cred, struct vnode *dvp, struct vattr *vap);
 int mac_cred_check_getextattr_vnode(struct ucred *cred, struct vnode *vp, int attrnamespace, const char *name, struct uio *uio);
+int mac_cred_check_listen_socket(struct ucred *cred,
+ struct socket *socket);
 int mac_cred_check_search_vnode(struct ucred *cred, struct vnode *dvp);
 int mac_cred_check_setextattr_vnode(struct ucred *cred, struct vnode *vp, int attrnamespace, const char *name, struct uio *uio);
==== //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#64 (text+ko) ====
@@ -222,6 +222,12 @@
 int (*mpo_bpfdesc_check_receive_from_ifnet)(struct bpf_d *bpf_d,
 struct label *bpflabel, struct ifnet *ifnet, struct label *ifnetlabel);
+ int (*mpo_cred_check_bind_socket)(struct ucred *cred,
+ struct socket *socket, struct label *socketlabel,
+ struct sockaddr *sockaddr);
+ int (*mpo_cred_check_connect_socket)(struct ucred *cred,
+ struct socket *socket, struct label *socketlabel,
+ struct sockaddr *sockaddr);
 int (*mpo_cred_check_see_cred)(struct ucred *u1, struct ucred *u2);
 int (*mpo_cred_check_see_socket)(struct ucred *cred,
 struct socket *socket, struct label *socketlabel);
@@ -253,6 +259,8 @@
 int (*mpo_cred_check_getextattr_vnode)(struct ucred *cred,
 struct vnode *vp, struct label *label, int attrnamespace, const char *name, struct uio *uio);
+ int (*mpo_cred_check_listen_socket)(struct ucred *cred,
+ struct socket *socket, struct label *socketlabel);
 int (*mpo_cred_check_open_vnode)(struct ucred *cred, struct vnode *vp, struct label *label, mode_t acc_mode);
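Review bot: The new mac.h prototypes name the socket and address parameters `so`/`sa` for bind and connect but `socket` for listen, while the kern_mac.c definitions and the mac_policy.h entry points use `socket`/`sockaddr`; choosing one set for the three prototypes (e.g. `struct socket *socket, struct sockaddr *sockaddr`) keeps header and implementation consistent. The three `mpo_cred_check_*_socket` entry points carry no comment saying what a non-zero return means or that `sockaddr` is the kernel copy of the caller's address (the uipc_syscalls.c hunks call the hooks after getsockaddr()); a short comment block above them would save policy authors from reading kern_mac.c to find out.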
@@ -360,6 +368,7 @@
 MAC_CREATE_PROC1,
 MAC_RELABEL_SUBJECT,
 MAC_BPFDESC_CHECK_RECEIVE_FROM_IFNET,
+ MAC_CRED_CHECK_BIND_SOCKET,
 MAC_CRED_CHECK_SEE_CRED,
 MAC_CRED_CHECK_SEE_SOCKET,
 MAC_CRED_CHECK_RELABEL_IFNET,
@@ -369,10 +378,12 @@
 MAC_CRED_CHECK_STATFS,
 MAC_CRED_CHECK_DEBUG_PROC,
 MAC_CRED_CHECK_CHDIR_VNODE,
+ MAC_CRED_CHECK_CONNECT_SOCKET,
 MAC_CRED_CHECK_CREATE_VNODE,
 MAC_CRED_CHECK_DELETE_VNODE,
 MAC_CRED_CHECK_EXEC_VNODE,
 MAC_CRED_CHECK_GETEXTATTR_VNODE,
+ MAC_CRED_CHECK_LISTEN_SOCKET,
 MAC_CRED_CHECK_OPEN_VNODE,
 MAC_CRED_CHECK_RENAME_FROM_VNODE,
 MAC_CRED_CHECK_RENAME_TO_VNODE,
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message
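Review bot: `MAC_CRED_CHECK_BIND_SOCKET`, `MAC_CRED_CHECK_CONNECT_SOCKET` and `MAC_CRED_CHECK_LISTEN_SOCKET` are inserted in the middle of the operation enumeration, which shifts the numeric value of every constant that follows; a policy module built against the previous mac_policy.h and loaded unchanged would have its `mpe_constant` values matched against the wrong `case` labels in the registration switch (the kern_mac.c hunks at -448 and -499), silently installing its hooks in the wrong slots. If separately built modules are expected at all, append new constants at the end of the enumeration, or bump whatever interface-version value the registration path checks, if one exists, so that stale modules are refused rather than mis-registered.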