From owner-p4-projects Thu Jun 27 7: 9:10 2002 Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id B210937B406; Thu, 27 Jun 2002 07:08:43 -0700 (PDT) Delivered-To: perforce@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id B7EF637B405 for <perforce@freebsd.org>; Thu, 27 Jun 2002 07:08:41 -0700 (PDT) Received: from freefall.freebsd.org (perforce@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.4/8.12.4) with ESMTP id g5RE8fJU050282 for <perforce@freebsd.org>; Thu, 27 Jun 2002 07:08:41 -0700 (PDT) (envelope-from green@freebsd.org) Received: (from perforce@localhost) by freefall.freebsd.org (8.12.4/8.12.4/Submit) id g5RE8f0k050279 for perforce@freebsd.org; Thu, 27 Jun 2002 07:08:41 -0700 (PDT) Date: Thu, 27 Jun 2002 07:08:41 -0700 (PDT) Message-Id: <200206271408.g5RE8f0k050279@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: perforce set sender to green@freebsd.org using -f 
From: Brian Feldman <green@FreeBSD.org>
Subject: PERFORCE change 13477 for review
To: Perforce Change Reviews <perforce@freebsd.org>
Sender: owner-p4-projects@FreeBSD.ORG
Precedence: bulk
List-ID: <p4-projects.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20p4-projects>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20p4-projects>
X-Loop: FreeBSD.ORG

http://people.freebsd.org/~peter/p4db/chv.cgi?CH=13477

Change 13477 by green@green_laptop_2 on 2002/06/27 07:08:17

Update mac_te and mac_none more.

Affected files ...

.. //depot/projects/trustedbsd/mac/sys/security/mac_none/mac_none.c#31 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.c#33 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.h#2 edit

Differences ...

==== //depot/projects/trustedbsd/mac/sys/security/mac_none/mac_none.c#31 (text+ko) ====

@@ -271,6 +271,13 @@
 }

 static void
+mac_none_create_vnode_from_exported(struct ucred *cred, struct vnode *vp,
+ struct mac *extmac, struct label *intlabel)
+{
+
+}
+
+static void
 mac_none_create_mount(struct ucred *cred, struct mount *mp,
 struct label *mntlabel, struct label *fslabel)
 {
@@ -825,6 +832,8 @@
 (macop_t)mac_none_create_devfs_directory },
 { MAC_CREATE_DEVFS_VNODE,
 (macop_t)mac_none_create_devfs_vnode },
+ { MAC_CREATE_VNODE_FROM_EXPORTED,
+ (macop_t)mac_none_create_vnode_from_exported },
 { MAC_CREATE_VNODE_FROM_VNODE,
 (macop_t)mac_none_create_vnode_from_vnode },
 { MAC_CREATE_MOUNT,

==== //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.c#33 (text+ko) ====
@@ -652,6 +652,42 @@
 }

 static int
+mac_te_cred_check_bind_socket(struct ucred *cred, struct socket *socket,
+ struct label *socketlabel, struct sockaddr *sockaddr)
+{
+
+ if (!mac_te_enabled)
+ return (0);
+
+ return (mac_te_check(SLOT(&cred->cr_label), SLOT(socketlabel),
+ MAC_TE_CLASS_SOCKET, MAC_TE_OPERATION_SOCKET_BIND));
+}
+
+static int
+mac_te_cred_check_connect_socket(struct ucred *cred, struct socket *socket,
+ struct label *socketlabel, struct sockaddr *sockaddr)
+{
+
+ if (!mac_te_enabled)
+ return (0);
+
+ return (mac_te_check(SLOT(&cred->cr_label), SLOT(socketlabel),
+ MAC_TE_CLASS_SOCKET, MAC_TE_OPERATION_SOCKET_CONNECT));
+}
+
+static int
+mac_te_cred_check_listen_socket(struct ucred *cred, struct socket *socket,
+ struct label *socketlabel)
+{
+
+ if (!mac_te_enabled)
+ return (0);
+
+ return (mac_te_check(SLOT(&cred->cr_label), SLOT(socketlabel),
+ MAC_TE_CLASS_SOCKET, MAC_TE_OPERATION_SOCKET_LISTEN));
+}
+
+static int
 mac_te_socket_check_receive_mbuf(struct socket *so, struct label *socketlabel,
 struct mbuf *m, struct label *mbuflabel)
 {
@@ -866,6 +902,15 @@
 mac_te_init_label_as(SLOT(fslabel), MAC_TE_TYPE_FS);
 }

+static void
+mac_te_relabel_vnode(struct ucred *cred, struct vnode *vp,
+ struct label *vnodelabel, struct label *label)
+{
+
+ mac_te_copy_label(SLOT(label), SLOT(vnodelabel));
+}
+
+
 static int
 mac_te_internalize(struct label *label, const struct mac *extlabel)
 {
@@ -914,6 +959,14 @@
 }

 static void
+mac_te_create_devfs_vnode(struct devfs_dirent *de, struct label *direntlabel,
+ struct vnode *vp, struct label *vnodelabel)
+{
+
+ mac_te_copy_label(SLOT(direntlabel), SLOT(vnodelabel));
+}
+
+static void
 mac_te_create_vnode_from_vnode(struct ucred *cred, struct vnode *parent,
 struct label *parentlabel, struct vnode *child, struct label *childlabel)
 {
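Review bot: The three new checks mac_te_cred_check_bind_socket, mac_te_cred_check_connect_socket and mac_te_cred_check_listen_socket decide purely from the cred label and the socket label; the `sockaddr` and `socket` arguments are never read, so a bind or connect to any address is treated identically. If that is the intended TE model, a comment in each body would stop a later reader from assuming the address is consulted, e.g. `/* TE decides on labels only; the address is deliberately not inspected. */`. The three bodies differ only in the MAC_TE_OPERATION_SOCKET_* constant, so a small static helper taking that operation value would remove the triplicated `mac_te_enabled` gate and mac_te_check call.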
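Review bot: mac_te_relabel_vnode in the @@ -866 hunk copies the requested label into the vnode label unconditionally, with neither a `mac_te_enabled` gate nor any authorization of its own, so it depends entirely on a separate relabel check having run first. No vnode analogue of the MAC_CRED_CHECK_RELABEL_SOCKET entry is visible in this change (the table hunks add only MAC_RELABEL_VNODE), so it is worth confirming such a check exists elsewhere in mac_te; otherwise any path that reaches this hook can set an arbitrary TE type on a vnode. A one-line precondition comment would make the contract explicit: `/* Authorization is done by the relabel check; this hook only applies the new label. */`. The same hunk also leaves two consecutive blank lines before mac_te_internalize where the rest of the file uses one.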
@@ -921,6 +974,15 @@
 mac_te_create_object(cred, childlabel);
 }

+static void
+mac_te_create_vnode_from_exported(struct ucred *cred, struct vnode *vp,
+ struct mac *extmac, struct label *intlabel)
+{
+
+ /* XXX should check return */
+ mac_te_internalize(intlabel, extmac);
+}
+
 static int
 mac_te_cred_check_open_vnode(struct ucred *cred, struct vnode *vp,
 struct label *filelabel, mode_t acc_mode)
@@ -1299,6 +1361,46 @@
 return (error);
 }

+static void
+mac_te_update_devfsdirent_from_vnode(struct devfs_dirent *devfs_dirent,
+ struct label *direntlabel, struct vnode *vp, struct label *vnodelabel)
+{
+
+ mac_te_copy_label(SLOT(vnodelabel), SLOT(direntlabel));
+}
+
+static void
+mac_te_update_procfsvnode_from_subject(struct vnode *vp,
+ struct label *vnodelabel, struct ucred *cred)
+{
+
+ mac_te_copy_label(SLOT(&cred->cr_label), SLOT(vnodelabel));
+}
+
+static int
+mac_te_update_vnode_from_externalized(struct vnode *vp,
+ struct label *vnodelabel, struct mac *mac)
+{
+
+ return (mac_te_internalize(vnodelabel, mac));
+}
+
+static void
+mac_te_update_vnode_from_mount(struct vnode *vp, struct label *vnodelabel,
+ struct mount *mp, struct label *fslabel)
+{
+
+ mac_te_copy_label(SLOT(fslabel), SLOT(vnodelabel));
+}
+
+static void
+mac_te_update_ipq_from_fragment(struct mbuf *fragment,
+ struct label *fragmentlabel, struct ipq *ipq, struct label *ipqlabel)
+{
+
+ mac_te_copy_label(SLOT(fragmentlabel), SLOT(ipqlabel));
+}
+
 static struct mac_policy_op_entry mac_te_ops[] =
 {
 { MAC_INIT_BPFDESC, (macop_t)mac_te_init_bpfdesc },
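Review bot: mac_te_create_vnode_from_exported discards the result of mac_te_internalize, as its own `/* XXX should check return */` admits, so a malformed or unrecognized external label leaves `intlabel` in whatever state it had before and the vnode is created under that label silently. The hook is void, so the error cannot be returned the way mac_te_update_vnode_from_externalized in the @@ -1299 hunk returns it; a failure should at least put the label into a known state rather than an unchecked one, e.g. `if (mac_te_internalize(intlabel, extmac) != 0) mac_te_init_label_as(SLOT(intlabel), <FALLBACK_TE_TYPE>);` with the policy's chosen restrictive type in place of the placeholder (mac_te_init_label_as with MAC_TE_TYPE_FS is visible in the @@ -866 hunk). Whether the framework would accept a non-void hook for this operation is not visible in this change.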
@@ -1323,8 +1425,11 @@
 { MAC_DESTROY_VNODE, (macop_t)mac_te_destroy_vnode },
 { MAC_CREATE_DEVFS_DEVICE, (macop_t)mac_te_create_devfs_device },
 { MAC_CREATE_DEVFS_DIRECTORY, (macop_t)mac_te_create_devfs_directory },
+ { MAC_CREATE_DEVFS_VNODE, (macop_t)mac_te_create_devfs_vnode },
 { MAC_CREATE_VNODE_FROM_VNODE,
 (macop_t)mac_te_create_vnode_from_vnode },
+ { MAC_CREATE_VNODE_FROM_EXPORTED,
+ (macop_t)mac_te_create_vnode_from_exported },
 { MAC_CREATE_MOUNT, (macop_t)mac_te_create_mount },
 { MAC_CREATE_ROOT_MOUNT, (macop_t)mac_te_create_root_mount },
 { MAC_CREATE_MBUF_FROM_SOCKET,
@@ -1365,10 +1470,16 @@
 { MAC_CREATE_PROC0, (macop_t)mac_te_create_proc0 },
 { MAC_CREATE_PROC1, (macop_t)mac_te_create_proc1 },
 { MAC_RELABEL_SUBJECT, (macop_t)mac_te_relabel_subject },
+ { MAC_RELABEL_VNODE, (macop_t)mac_te_relabel_vnode },
 { MAC_BPFDESC_CHECK_RECEIVE_FROM_IFNET,
 (macop_t)mac_te_bpfdesc_check_receive_from_ifnet },
 { MAC_CRED_CHECK_SEE_CRED, (macop_t)mac_te_cred_check_see_cred },
 { MAC_CRED_CHECK_SEE_SOCKET, (macop_t)mac_te_cred_check_see_socket },
+ { MAC_CRED_CHECK_BIND_SOCKET, (macop_t)mac_te_cred_check_bind_socket },
+ { MAC_CRED_CHECK_CONNECT_SOCKET,
+ (macop_t)mac_te_cred_check_connect_socket },
+ { MAC_CRED_CHECK_LISTEN_SOCKET,
+ (macop_t)mac_te_cred_check_listen_socket },
 { MAC_CRED_CHECK_RELABEL_IFNET,
 (macop_t)mac_te_cred_check_relabel_ifnet },
 { MAC_CRED_CHECK_RELABEL_SOCKET,
@@ -1382,6 +1493,7 @@
 { MAC_CRED_CHECK_CHDIR_VNODE, (macop_t)mac_te_cred_check_chdir_vnode },
 { MAC_CRED_CHECK_CREATE_VNODE,
 (macop_t)mac_te_cred_check_create_vnode },
+ { MAC_RELABEL_VNODE, (macop_t)mac_te_relabel_vnode },
 { MAC_CRED_CHECK_DELETE_VNODE,
 (macop_t)mac_te_cred_check_delete_vnode },
 { MAC_CRED_CHECK_EXEC_VNODE, (macop_t)mac_te_cred_check_exec_vnode },
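Review bot: The entry `{ MAC_RELABEL_VNODE, (macop_t)mac_te_relabel_vnode },` is added to mac_te_ops twice: once in the @@ -1365 hunk beside MAC_RELABEL_SUBJECT, where it belongs, and again in the @@ -1382 hunk between the MAC_CRED_CHECK_CREATE_VNODE and MAC_CRED_CHECK_DELETE_VNODE entries. How the framework treats a repeated operation id is not visible here, but at best the second entry is dead and at worst it is the one that takes effect, so the line in the @@ -1382 hunk should be dropped. The mac_te_ops array begins in the @@ -1299 hunk and ends in the @@ -1414 hunk.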
@@ -1414,6 +1526,16 @@
 (macop_t)mac_te_socket_check_receive_mbuf },
 { MAC_EXTERNALIZE, (macop_t)mac_te_externalize },
 { MAC_INTERNALIZE, (macop_t)mac_te_internalize },
+ { MAC_UPDATE_DEVFSDIRENT_FROM_VNODE,
+ (macop_t)mac_te_update_devfsdirent_from_vnode },
+ { MAC_UPDATE_PROCFSVNODE_FROM_SUBJECT,
+ (macop_t)mac_te_update_procfsvnode_from_subject },
+ { MAC_UPDATE_VNODE_FROM_EXTERNALIZED,
+ (macop_t)mac_te_update_vnode_from_externalized },
+ { MAC_UPDATE_VNODE_FROM_MOUNT,
+ (macop_t)mac_te_update_vnode_from_mount },
+ { MAC_UPDATE_IPQ_FROM_FRAGMENT,
+ (macop_t)mac_te_update_ipq_from_fragment },
 { MAC_OP_LAST, NULL }
 };

==== //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.h#2 (text+ko) ====

@@ -96,5 +96,8 @@
 #define MAC_TE_CLASS_SOCKET 7
 #define MAC_TE_OPERATION_SOCKET_SEE 1
+#define MAC_TE_OPERATION_SOCKET_BIND 2
+#define MAC_TE_OPERATION_SOCKET_CONNECT 3
+#define MAC_TE_OPERATION_SOCKET_LISTEN 4

 #endif /* _SYS_SECURITY_MAC_TE_H */

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message