From owner-p4-projects@FreeBSD.ORG Sun Nov 16 15:46:33 2003
Return-Path:
Delivered-To: p4-projects@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 32767) id 6264616A4D0; Sun, 16 Nov 2003 15:46:33 -0800 (PST)
Delivered-To: perforce@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3480316A4CE for ; Sun, 16 Nov 2003 15:46:33 -0800 (PST)
Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id 96B0443FE9 for ; Sun, 16 Nov 2003 15:46:31 -0800 (PST) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org)
Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.12.9/8.12.9) with ESMTP id hAGNkVXJ029927 for ; Sun, 16 Nov 2003 15:46:31 -0800 (PST) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org)
Received: (from perforce@localhost) by repoman.freebsd.org (8.12.9/8.12.9/Submit) id hAGNkUhg029918 for perforce@freebsd.org; Sun, 16 Nov 2003 15:46:30 -0800 (PST) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org)
Date: Sun, 16 Nov 2003 15:46:30 -0800 (PST)
Message-Id: <200311162346.hAGNkUhg029918@repoman.freebsd.org>
X-Authentication-Warning: repoman.freebsd.org: perforce set sender to bb+lists.freebsd.perforce@cyrus.watson.org using -f
From: Robert Watson
To: Perforce Change Reviews
Subject: PERFORCE change 42595 for review
X-BeenThere: p4-projects@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: p4 projects tree changes
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sun, 16 Nov 2003 23:46:33 -0000

http://perforce.freebsd.org/chv.cgi?CH=42595

Change 42595 by rwatson@rwatson_tislabs on 2003/11/16 15:45:54

	A variety of MAC Framework infrastructural changes integrated from
	the MAC branch to the SEBSD branch:

	MAC library:

	Initialize the library and configuration file from mac_prepare_type(),
	not from the calling functions.

	Add mac_get_peer() to retrieve the label of a socket peer, such as
	remote TCP connection label, without using the ABI-unclean
	getsockopt() interface.

	Update documentation.

	Kernel:

	mac_get_fd() and mac_set_fd() system calls now accept socket file
	descriptors as arguments, and are preferred to getsockopt()/setsockopt()
	to perform the same operation for ABI reasons. To support this,
	mac_socket_label_set() is abstracted to support both socket option and
	mac_set_fd() interfaces.

	mac_copy_socket_label() is implemented by the MAC Framework to allow
	socket labels to be copied to temporary storage for externalization
	purposes while locks are held.

	mpo_copy_socket_label() implemented for various policies that have a
	notion of socket labeling.

	Socket label allocation, free, internalize, and externalize calls are
	made non-static so they can be invoked from kern_mac.c.

	Socket option functions are renamed to be less gratuitously long and
	repetitive.

	protosw->pr_usrreq method "sosetlabel" added so that protocol-specific
	code can propagate label changes at the socket level to
	protocol-specific storage.

	Labels added to struct inpcb so that they may be accessed from the
	network layer without grabbing socket layer locks. These labels cache
	the socket labels, and are updated by calls to pr_sosetlabel(). This
	applies to IPv4 and IPv6.

	Biba and MLS policies now use UMA zone allocator for policy-specific
	label storage.

	*copy* entry points implemented for mac_stub and mac_test.

Affected files ...

.. //depot/projects/trustedbsd/sebsd/lib/libc/posix1e/mac.c#6 integrate
.. //depot/projects/trustedbsd/sebsd/lib/libc/posix1e/mac_get.c#4 integrate
.. //depot/projects/trustedbsd/sebsd/sys/i386/conf/MAC#9 integrate
.. //depot/projects/trustedbsd/sebsd/sys/kern/kern_mac.c#21 integrate
.. //depot/projects/trustedbsd/sebsd/sys/kern/uipc_socket.c#7 integrate
.. //depot/projects/trustedbsd/sebsd/sys/kern/uipc_socket2.c#7 integrate
.. //depot/projects/trustedbsd/sebsd/sys/kern/uipc_usrreq.c#6 integrate
.. //depot/projects/trustedbsd/sebsd/sys/net/raw_usrreq.c#6 integrate
.. //depot/projects/trustedbsd/sebsd/sys/net/rtsock.c#7 integrate
.. //depot/projects/trustedbsd/sebsd/sys/netatalk/ddp_usrreq.c#6 integrate
.. //depot/projects/trustedbsd/sebsd/sys/netatm/atm_aal5.c#5 integrate
.. //depot/projects/trustedbsd/sebsd/sys/netatm/atm_usrreq.c#6 integrate
.. //depot/projects/trustedbsd/sebsd/sys/netgraph/bluetooth/socket/ng_btsocket.c#6 integrate
.. //depot/projects/trustedbsd/sebsd/sys/netgraph/ng_socket.c#5 integrate
.. //depot/projects/trustedbsd/sebsd/sys/netinet/in_pcb.c#8 integrate
.. //depot/projects/trustedbsd/sebsd/sys/netinet/in_pcb.h#8 integrate
.. //depot/projects/trustedbsd/sebsd/sys/netinet/ip_divert.c#7 integrate
.. //depot/projects/trustedbsd/sebsd/sys/netinet/raw_ip.c#7 integrate
.. //depot/projects/trustedbsd/sebsd/sys/netinet/tcp_input.c#8 integrate
.. //depot/projects/trustedbsd/sebsd/sys/netinet/tcp_usrreq.c#6 integrate
.. //depot/projects/trustedbsd/sebsd/sys/netinet/udp_usrreq.c#7 integrate
.. //depot/projects/trustedbsd/sebsd/sys/netinet6/raw_ip6.c#7 integrate
.. //depot/projects/trustedbsd/sebsd/sys/netinet6/udp6_usrreq.c#7 integrate
.. //depot/projects/trustedbsd/sebsd/sys/netipsec/keysock.c#6 integrate
.. //depot/projects/trustedbsd/sebsd/sys/netipx/ipx_usrreq.c#5 integrate
..
//depot/projects/trustedbsd/sebsd/sys/netipx/spx_usrreq.c#6 integrate .. //depot/projects/trustedbsd/sebsd/sys/netkey/keysock.c#7 integrate .. //depot/projects/trustedbsd/sebsd/sys/netnatm/natm.c#6 integrate .. //depot/projects/trustedbsd/sebsd/sys/security/mac/mac_internal.h#10 integrate .. //depot/projects/trustedbsd/sebsd/sys/security/mac/mac_net.c#7 integrate .. //depot/projects/trustedbsd/sebsd/sys/security/mac_biba/mac_biba.c#10 integrate .. //depot/projects/trustedbsd/sebsd/sys/security/mac_ifoff/mac_ifoff.c#5 integrate .. //depot/projects/trustedbsd/sebsd/sys/security/mac_lomac/mac_lomac.c#10 integrate .. //depot/projects/trustedbsd/sebsd/sys/security/mac_mls/mac_mls.c#9 integrate .. //depot/projects/trustedbsd/sebsd/sys/security/mac_stub/mac_stub.c#7 integrate .. //depot/projects/trustedbsd/sebsd/sys/security/mac_test/mac_test.c#9 integrate .. //depot/projects/trustedbsd/sebsd/sys/sys/mac.h#14 integrate .. //depot/projects/trustedbsd/sebsd/sys/sys/mac_policy.h#11 integrate .. //depot/projects/trustedbsd/sebsd/sys/sys/protosw.h#6 integrate Differences ... ==== //depot/projects/trustedbsd/sebsd/lib/libc/posix1e/mac.c#6 (text+ko) ==== @@ -358,7 +358,12 @@ mac_prepare_type(struct mac **mac, const char *name) { struct label_default *ld; + int error; + error = mac_maybe_init_internal(); + if (error != 0) + return (error); + for (ld = LIST_FIRST(&label_default_head); ld != NULL; ld = LIST_NEXT(ld, ld_entries)) { if (strcmp(name, ld->ld_name) == 0) 
@@ -372,35 +377,20 @@ int mac_prepare_ifnet_label(struct mac **mac) { - int error; - error = mac_maybe_init_internal(); - if (error != 0) - return (error); - return (mac_prepare_type(mac, "ifnet")); } int mac_prepare_file_label(struct mac **mac) { - int error; - error = mac_maybe_init_internal(); - if (error != 0) - return (error); - return (mac_prepare_type(mac, "file")); } int mac_prepare_packet_label(struct mac **mac) { - int error; - - error = mac_maybe_init_internal(); - if (error != 0) - return (error); return (mac_prepare_type(mac, "packet")); } @@ -408,11 +398,6 @@ int mac_prepare_process_label(struct mac **mac) { - int error; - - error = mac_maybe_init_internal(); - if (error != 0) - return (error); return (mac_prepare_type(mac, "process")); } ==== //depot/projects/trustedbsd/sebsd/lib/libc/posix1e/mac_get.c#4 (text+ko) ==== @@ -33,6 +33,7 @@ #include #include +#include extern int __mac_get_fd(int fd, struct mac *mac_p); extern int __mac_get_file(const char *path_p, struct mac *mac_p); @@ -61,6 +62,15 @@ return (__mac_get_link(path, label)); } + +int +mac_get_peer(int fd, struct mac *label) +{ + socklen_t len; + + len = sizeof(*label); + return (getsockopt(fd, SOL_SOCKET, SO_PEERLABEL, label, &len)); +} int mac_get_pid(pid_t pid, struct mac *label) { ==== //depot/projects/trustedbsd/sebsd/sys/i386/conf/MAC#9 (text+ko) ==== @@ -32,7 +32,9 @@ options MAC #options MAC_ALWAYS_LABEL_MBUF +options MAC_BIBA options MAC_DEBUG +options MAC_TEST #options MAC_STATIC options UFS_EXTATTR options UFS_EXTATTR_AUTOSTART ==== //depot/projects/trustedbsd/sebsd/sys/kern/kern_mac.c#21 (text+ko) ==== @@ -726,6 +726,7 @@ struct mac mac; struct vnode *vp; struct pipe *pipe; + struct socket *so; short label_type; int error; 
@@ -776,6 +777,19 @@ mac_pipe_label_free(intlabel); break; + case DTYPE_SOCKET: + so = fp->f_data; + intlabel = mac_socket_label_alloc(M_WAITOK); + mtx_lock(&Giant); /* Sockets */ + /* XXX: Socket lock here. */ + mac_copy_socket_label(so->so_label, intlabel); + /* XXX: Socket unlock here. */ + mtx_unlock(&Giant); /* Sockets */ + error = mac_externalize_socket_label(intlabel, elements, + buffer, mac.m_buflen); + mac_socket_label_free(intlabel); + break; + default: error = EINVAL; } @@ -961,6 +975,7 @@ { struct label *intlabel; struct pipe *pipe; + struct socket *so; struct file *fp; struct mount *mp; struct vnode *vp; @@ -1025,6 +1040,21 @@ mac_pipe_label_free(intlabel); break; + case DTYPE_SOCKET: + intlabel = mac_socket_label_alloc(M_WAITOK); + error = mac_internalize_socket_label(intlabel, buffer); + if (error == 0) { + so = fp->f_data; + mtx_lock(&Giant); /* Sockets */ + /* XXX: Socket lock here. */ + error = mac_socket_label_set(td->td_ucred, so, + intlabel); + /* XXX: Socket unlock here. */ + mtx_unlock(&Giant); /* Sockets */ + } + mac_socket_label_free(intlabel); + break; + default: error = EINVAL; } ==== //depot/projects/trustedbsd/sebsd/sys/kern/uipc_socket.c#7 (text+ko) ==== @@ -1452,10 +1452,8 @@ sizeof extmac); if (error) goto bad; - - error = mac_setsockopt_label_set( - sopt->sopt_td->td_ucred, so, &extmac); - + error = mac_setsockopt_label(sopt->sopt_td->td_ucred, + so, &extmac); #else error = EOPNOTSUPP; #endif @@ -1599,8 +1597,12 @@ break; case SO_LABEL: #ifdef MAC - error = mac_getsockopt_label_get( - sopt->sopt_td->td_ucred, so, &extmac); + error = sooptcopyin(sopt, &extmac, sizeof(extmac), + sizeof(extmac)); + if (error) + return (error); + error = mac_getsockopt_label(sopt->sopt_td->td_ucred, + so, &extmac); if (error) return (error); error = sooptcopyout(sopt, &extmac, sizeof extmac); 
@@ -1610,7 +1612,11 @@ break; case SO_PEERLABEL: #ifdef MAC - error = mac_getsockopt_peerlabel_get( + error = sooptcopyin(sopt, &extmac, sizeof(extmac), + sizeof(extmac)); + if (error) + return (error); + error = mac_getsockopt_peerlabel( sopt->sopt_td->td_ucred, so, &extmac); if (error) return (error); ==== //depot/projects/trustedbsd/sebsd/sys/kern/uipc_socket2.c#7 (text+ko) ==== @@ -1042,6 +1042,16 @@ } /* + * For protocol types that don't keep cached copies of labels in their + * pcbs, provide a null sosetlabel that does a NOOP. + */ +void +pru_sosetlabel_null(struct socket *so) +{ + +} + +/* * Make a copy of a sockaddr in a malloced buffer of type M_SONAME. */ struct sockaddr * ==== //depot/projects/trustedbsd/sebsd/sys/kern/uipc_usrreq.c#6 (text+ko) ==== @@ -450,7 +450,7 @@ uipc_connect2, pru_control_notsupp, uipc_detach, uipc_disconnect, uipc_listen, uipc_peeraddr, uipc_rcvd, pru_rcvoob_notsupp, uipc_send, uipc_sense, uipc_shutdown, uipc_sockaddr, - sosend, soreceive, sopoll + sosend, soreceive, sopoll, pru_sosetlabel_null }; int ==== //depot/projects/trustedbsd/sebsd/sys/net/raw_usrreq.c#6 (text+ko) ==== @@ -296,5 +296,5 @@ pru_connect2_notsupp, pru_control_notsupp, raw_udetach, raw_udisconnect, pru_listen_notsupp, raw_upeeraddr, pru_rcvd_notsupp, pru_rcvoob_notsupp, raw_usend, pru_sense_null, raw_ushutdown, - raw_usockaddr, sosend, soreceive, sopoll + raw_usockaddr, sosend, soreceive, sopoll, pru_sosetlabel_null }; ==== //depot/projects/trustedbsd/sebsd/sys/net/rtsock.c#7 (text+ko) ==== @@ -271,7 +271,7 @@ pru_connect2_notsupp, pru_control_notsupp, rts_detach, rts_disconnect, pru_listen_notsupp, rts_peeraddr, pru_rcvd_notsupp, pru_rcvoob_notsupp, rts_send, pru_sense_null, rts_shutdown, rts_sockaddr, - sosend, soreceive, sopoll + sosend, soreceive, sopoll, pru_sosetlabel_null }; /*ARGSUSED*/ ==== //depot/projects/trustedbsd/sebsd/sys/netatalk/ddp_usrreq.c#6 (text+ko) ==== 
@@ -592,5 +592,6 @@ at_setsockaddr, sosend, soreceive, - sopoll + sopoll, + pru_sosetlabel_null }; ==== //depot/projects/trustedbsd/sebsd/sys/netatm/atm_aal5.c#5 (text+ko) ==== @@ -112,7 +112,8 @@ atm_aal5_sockaddr, /* pru_sockaddr */ sosend, /* pru_sosend */ soreceive, /* pru_soreceive */ - sopoll /* pru_sopoll */ + sopoll, /* pru_sopoll */ + pru_sosetlabel_null /* pru_sosetlabel */ }; /* ==== //depot/projects/trustedbsd/sebsd/sys/netatm/atm_usrreq.c#6 (text+ko) ==== @@ -85,6 +85,10 @@ pru_sense_null, /* pru_sense */ atm_proto_notsupp1, /* pru_shutdown */ atm_proto_notsupp3, /* pru_sockaddr */ + NULL, /* pru_sosend */ + NULL, /* pru_soreceive */ + NULL, /* pru_sooll */ + pru_sosetlabel_null /* pru_sosetlabel */ }; ==== //depot/projects/trustedbsd/sebsd/sys/netgraph/bluetooth/socket/ng_btsocket.c#6 (text+ko) ==== @@ -79,7 +79,8 @@ ng_btsocket_hci_raw_sockaddr, /* sockaddr */ sosend, soreceive, - sopoll + sopoll, + pru_sosetlabel_null }; /* @@ -106,7 +107,8 @@ ng_btsocket_l2cap_raw_sockaddr, /* sockaddr */ sosend, soreceive, - sopoll + sopoll, + pru_sosetlabel_null }; /* @@ -133,7 +135,8 @@ ng_btsocket_l2cap_sockaddr, /* sockaddr */ sosend, soreceive, - sopoll + sopoll, + pru_sosetlabel_null }; /* @@ -160,7 +163,8 @@ ng_btsocket_rfcomm_sockaddr, /* sockaddr */ sosend, soreceive, - sopoll + sopoll, + pru_sosetlabel_null }; /* ==== //depot/projects/trustedbsd/sebsd/sys/netgraph/ng_socket.c#5 (text+ko) ==== @@ -979,7 +979,8 @@ ng_setsockaddr, sosend, soreceive, - sopoll + sopoll, + pru_sosetlabel_null }; static struct pr_usrreqs ngd_usrreqs = { @@ -1002,7 +1003,8 @@ ng_setsockaddr, sosend, soreceive, - sopoll + sopoll, + pru_sosetlabel_null }; /* ==== //depot/projects/trustedbsd/sebsd/sys/netinet/in_pcb.c#8 (text+ko) ==== @@ -36,10 +36,12 @@ #include "opt_ipsec.h" #include "opt_inet6.h" +#include "opt_mac.h" #include #include #include +#include #include #include #include 
@@ -162,26 +164,30 @@ struct thread *td; { register struct inpcb *inp; -#if defined(IPSEC) || defined(FAST_IPSEC) int error; -#endif + INP_INFO_WLOCK_ASSERT(pcbinfo); + error = 0; inp = uma_zalloc(pcbinfo->ipi_zone, M_NOWAIT | M_ZERO); if (inp == NULL) return (ENOBUFS); inp->inp_gencnt = ++pcbinfo->ipi_gencnt; inp->inp_pcbinfo = pcbinfo; inp->inp_socket = so; +#ifdef MAC + error = mac_init_inpcb(inp, M_NOWAIT); + if (error != 0) + goto out; + mac_create_inpcb_from_socket(so, inp); +#endif #if defined(IPSEC) || defined(FAST_IPSEC) #ifdef FAST_IPSEC error = ipsec_init_policy(so, &inp->inp_sp); #else error = ipsec_init_pcbpolicy(so, &inp->inp_sp); #endif - if (error != 0) { - uma_zfree(pcbinfo->ipi_zone, inp); - return error; - } + if (error != 0) + goto out; #endif /*IPSEC*/ #if defined(INET6) if (INP_SOCKAF(so) == AF_INET6) { @@ -198,7 +204,12 @@ if (ip6_auto_flowlabel) inp->inp_flags |= IN6P_AUTOFLOWLABEL; #endif - return (0); +#if defined(IPSEC) || defined(FAST_IPSEC) || defined(MAC) +out: + if (error != 0) + uma_zfree(pcbinfo->ipi_zone, inp); +#endif + return (error); } int @@ -701,6 +712,9 @@ ip_freemoptions(inp->inp_moptions); inp->inp_vflag = 0; INP_LOCK_DESTROY(inp); +#ifdef MAC + mac_destroy_inpcb(inp); +#endif uma_zfree(ipi->ipi_zone, inp); } @@ -1217,6 +1231,25 @@ pcbinfo->ipi_count--; } +/* + * A set label operation has occurred at the socket layer, propagate the + * label change into the in_pcb for the socket. + */ +void +in_pcbsosetlabel(so) + struct socket *so; +{ +#ifdef MAC + struct inpcb *inp; + + /* XXX: Will assert socket lock when we have them. */ + inp = (struct inpcb *)so->so_pcb; + INP_LOCK(inp); + mac_inpcb_sosetlabel(so, inp); + INP_UNLOCK(inp); +#endif +} + int prison_xinpcb(struct thread *td, struct inpcb *inp) { ==== //depot/projects/trustedbsd/sebsd/sys/netinet/in_pcb.h#8 (text+ko) ==== 
@@ -134,6 +134,7 @@ struct inpcbinfo *inp_pcbinfo; /* PCB list info */ struct socket *inp_socket; /* back pointer to socket */ /* list for this PCB's local port */ + struct label *inp_label; /* MAC label */ int inp_flags; /* generic IP/datagram flags */ struct inpcbpolicy *inp_sp; /* for IPSEC */ @@ -369,10 +370,12 @@ void in_pcbnotifyall(struct inpcbinfo *pcbinfo, struct in_addr, int, struct inpcb *(*)(struct inpcb *, int)); void in_pcbrehash(struct inpcb *); +void in_pcbsetsolabel(struct socket *so); int in_setpeeraddr(struct socket *so, struct sockaddr **nam, struct inpcbinfo *pcbinfo); int in_setsockaddr(struct socket *so, struct sockaddr **nam, struct inpcbinfo *pcbinfo);; struct sockaddr * in_sockaddr(in_port_t port, struct in_addr *addr); +void in_pcbsosetlabel(struct socket *so); void in_pcbremlists(struct inpcb *inp); int prison_xinpcb(struct thread *td, struct inpcb *inp); #endif /* _KERNEL */ ==== //depot/projects/trustedbsd/sebsd/sys/netinet/ip_divert.c#7 (text+ko) ==== @@ -652,5 +652,5 @@ pru_connect_notsupp, pru_connect2_notsupp, in_control, div_detach, div_disconnect, pru_listen_notsupp, div_peeraddr, pru_rcvd_notsupp, pru_rcvoob_notsupp, div_send, pru_sense_null, div_shutdown, - div_sockaddr, sosend, soreceive, sopoll + div_sockaddr, sosend, soreceive, sopoll, in_pcbsosetlabel }; ==== //depot/projects/trustedbsd/sebsd/sys/netinet/raw_ip.c#7 (text+ko) ==== @@ -162,7 +162,7 @@ } #endif /*FAST_IPSEC*/ #ifdef MAC - if (!policyfail && mac_check_socket_deliver(last->inp_socket, n) != 0) + if (!policyfail && mac_check_inpcb_deliver(last, n) != 0) policyfail = 1; #endif if (!policyfail) { 
@@ -839,5 +839,5 @@ pru_connect2_notsupp, in_control, rip_detach, rip_disconnect, pru_listen_notsupp, rip_peeraddr, pru_rcvd_notsupp, pru_rcvoob_notsupp, rip_send, pru_sense_null, rip_shutdown, - rip_sockaddr, sosend, soreceive, sopoll + rip_sockaddr, sosend, soreceive, sopoll, in_pcbsosetlabel }; ==== //depot/projects/trustedbsd/sebsd/sys/netinet/tcp_input.c#8 (text+ko) ==== @@ -683,11 +683,11 @@ else tiwin = th->th_win; - so = inp->inp_socket; #ifdef MAC - if (mac_check_socket_deliver(so, m)) + if (mac_check_inpcb_deliver(inp, m)) goto drop; #endif + so = inp->inp_socket; #ifdef TCPDEBUG if (so->so_options & SO_DEBUG) { ostate = tp->t_state; ==== //depot/projects/trustedbsd/sebsd/sys/netinet/tcp_usrreq.c#6 (text+ko) ==== @@ -816,7 +816,7 @@ tcp_usr_connect, pru_connect2_notsupp, in_control, tcp_usr_detach, tcp_usr_disconnect, tcp_usr_listen, tcp_peeraddr, tcp_usr_rcvd, tcp_usr_rcvoob, tcp_usr_send, pru_sense_null, tcp_usr_shutdown, - tcp_sockaddr, sosend, soreceive, sopoll + tcp_sockaddr, sosend, soreceive, sopoll, in_pcbsosetlabel }; #ifdef INET6 @@ -825,7 +825,7 @@ tcp6_usr_connect, pru_connect2_notsupp, in6_control, tcp_usr_detach, tcp_usr_disconnect, tcp6_usr_listen, in6_mapped_peeraddr, tcp_usr_rcvd, tcp_usr_rcvoob, tcp_usr_send, pru_sense_null, tcp_usr_shutdown, - in6_mapped_sockaddr, sosend, soreceive, sopoll + in6_mapped_sockaddr, sosend, soreceive, sopoll, in_pcbsosetlabel }; #endif /* INET6 */ ==== //depot/projects/trustedbsd/sebsd/sys/netinet/udp_usrreq.c#7 (text+ko) ==== @@ -447,7 +447,7 @@ } #endif /*FAST_IPSEC*/ #ifdef MAC - if (mac_check_socket_deliver(last->inp_socket, n) != 0) { + if (mac_check_inpcb_deliver(last, n) != 0) { m_freem(n); return; } 
@@ -1097,5 +1097,5 @@ pru_connect2_notsupp, in_control, udp_detach, udp_disconnect, pru_listen_notsupp, udp_peeraddr, pru_rcvd_notsupp, pru_rcvoob_notsupp, udp_send, pru_sense_null, udp_shutdown, - udp_sockaddr, sosend, soreceive, sopoll + udp_sockaddr, sosend, soreceive, sopoll, in_pcbsosetlabel }; ==== //depot/projects/trustedbsd/sebsd/sys/netinet6/raw_ip6.c#7 (text+ko) ==== @@ -753,5 +753,5 @@ pru_connect2_notsupp, in6_control, rip6_detach, rip6_disconnect, pru_listen_notsupp, in6_setpeeraddr, pru_rcvd_notsupp, pru_rcvoob_notsupp, rip6_send, pru_sense_null, rip6_shutdown, - in6_setsockaddr, sosend, soreceive, sopoll + in6_setsockaddr, sosend, soreceive, sopoll, pru_sosetlabel_null }; ==== //depot/projects/trustedbsd/sebsd/sys/netinet6/udp6_usrreq.c#7 (text+ko) ==== @@ -768,5 +768,5 @@ pru_connect2_notsupp, in6_control, udp6_detach, udp6_disconnect, pru_listen_notsupp, in6_mapped_peeraddr, pru_rcvd_notsupp, pru_rcvoob_notsupp, udp6_send, pru_sense_null, udp_shutdown, - in6_mapped_sockaddr, sosend, soreceive, sopoll + in6_mapped_sockaddr, sosend, soreceive, sopoll, in_pcbsosetlabel }; ==== //depot/projects/trustedbsd/sebsd/sys/netipsec/keysock.c#6 (text+ko) ==== @@ -567,7 +567,8 @@ key_disconnect, pru_listen_notsupp, key_peeraddr, pru_rcvd_notsupp, pru_rcvoob_notsupp, key_send, pru_sense_null, key_shutdown, - key_sockaddr, sosend, soreceive, sopoll + key_sockaddr, sosend, soreceive, sopoll, + pru_sosetlabel_null }; /* sysctl */ ==== //depot/projects/trustedbsd/sebsd/sys/netipx/ipx_usrreq.c#5 (text+ko) ==== @@ -93,7 +93,7 @@ ipx_connect, pru_connect2_notsupp, ipx_control, ipx_detach, ipx_disconnect, pru_listen_notsupp, ipx_peeraddr, pru_rcvd_notsupp, pru_rcvoob_notsupp, ipx_send, pru_sense_null, ipx_shutdown, - ipx_sockaddr, sosend, soreceive, sopoll + ipx_sockaddr, sosend, soreceive, sopoll, pru_sosetlabel_null }; struct pr_usrreqs ripx_usrreqs = { 
@@ -101,7 +101,7 @@ ipx_connect, pru_connect2_notsupp, ipx_control, ipx_detach, ipx_disconnect, pru_listen_notsupp, ipx_peeraddr, pru_rcvd_notsupp, pru_rcvoob_notsupp, ipx_send, pru_sense_null, ipx_shutdown, - ipx_sockaddr, sosend, soreceive, sopoll + ipx_sockaddr, sosend, soreceive, sopoll, pru_sosetlabel_null }; /* ==== //depot/projects/trustedbsd/sebsd/sys/netipx/spx_usrreq.c#6 (text+ko) ==== @@ -112,7 +112,7 @@ spx_connect, pru_connect2_notsupp, ipx_control, spx_detach, spx_usr_disconnect, spx_listen, ipx_peeraddr, spx_rcvd, spx_rcvoob, spx_send, pru_sense_null, spx_shutdown, - ipx_sockaddr, sosend, soreceive, sopoll + ipx_sockaddr, sosend, soreceive, sopoll, pru_sosetlabel_null }; struct pr_usrreqs spx_usrreq_sps = { @@ -120,7 +120,7 @@ spx_connect, pru_connect2_notsupp, ipx_control, spx_detach, spx_usr_disconnect, spx_listen, ipx_peeraddr, spx_rcvd, spx_rcvoob, spx_send, pru_sense_null, spx_shutdown, - ipx_sockaddr, sosend, soreceive, sopoll + ipx_sockaddr, sosend, soreceive, sopoll, pru_sosetlabel_null }; void ==== //depot/projects/trustedbsd/sebsd/sys/netkey/keysock.c#7 (text+ko) ==== @@ -477,7 +477,8 @@ key_disconnect, pru_listen_notsupp, key_peeraddr, pru_rcvd_notsupp, pru_rcvoob_notsupp, key_send, pru_sense_null, key_shutdown, - key_sockaddr, sosend, soreceive, sopoll + key_sockaddr, sosend, soreceive, sopoll, + pru_sosetlabel_null }; /* sysctl */ ==== //depot/projects/trustedbsd/sebsd/sys/netnatm/natm.c#6 (text+ko) ==== @@ -396,7 +396,7 @@ natm_usr_detach, natm_usr_disconnect, pru_listen_notsupp, natm_usr_peeraddr, pru_rcvd_notsupp, pru_rcvoob_notsupp, natm_usr_send, pru_sense_null, natm_usr_shutdown, - natm_usr_sockaddr, sosend, soreceive, sopoll + natm_usr_sockaddr, sosend, soreceive, sopoll, pru_sosetlabel_null }; #else /* !FREEBSD_USRREQS */ ==== //depot/projects/trustedbsd/sebsd/sys/security/mac/mac_internal.h#10 (text+ko) ==== 
@@ -107,6 +107,8 @@ void mac_mount_label_free(struct label *label); struct label *mac_pipe_label_alloc(void); void mac_pipe_label_free(struct label *label); +struct label *mac_socket_label_alloc(int flag); +void mac_socket_label_free(struct label *label); int mac_check_cred_relabel(struct ucred *cred, struct label *newlabel); int mac_externalize_cred_label(struct label *label, char *elements, @@ -123,6 +125,13 @@ char *outbuf, size_t outbuflen); int mac_internalize_pipe_label(struct label *label, char *string); +int mac_socket_label_set(struct ucred *cred, struct socket *so, + struct label *label); +void mac_copy_socket_label(struct label *src, struct label *dest); +int mac_externalize_socket_label(struct label *label, char *elements, + char *outbuf, size_t outbuflen); +int mac_internalize_socket_label(struct label *label, char *string); + int mac_externalize_vnode_label(struct label *label, char *elements, char *outbuf, size_t outbuflen); int mac_internalize_vnode_label(struct label *label, char *string); ==== //depot/projects/trustedbsd/sebsd/sys/security/mac/mac_net.c#7 (text+ko) ==== @@ -50,6 +50,7 @@ #include #include #include +#include #include #include #include @@ -61,6 +62,7 @@ #include #include +#include #include #include @@ -77,12 +79,14 @@ #ifdef MAC_DEBUG static unsigned int nmacmbufs, nmacifnets, nmacbpfdescs, nmacsockets, - nmacipqs; + nmacinpcbs, nmacipqs; SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, mbufs, CTLFLAG_RD, &nmacmbufs, 0, "number of mbufs in use"); SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, ifnets, CTLFLAG_RD, &nmacifnets, 0, "number of ifnets in use"); +SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, inpcbs, CTLFLAG_RD, + &nmacinpcbs, 0, "number of inpcbs in use"); SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, ipqs, CTLFLAG_RD, &nmacipqs, 0, "number of ipqs in use"); SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, bpfdescs, CTLFLAG_RD, 
@@ -91,9 +95,6 @@ &nmacsockets, 0, "number of sockets in use"); #endif -static void mac_socket_label_free(struct label *label); - - static struct label * mbuf_to_label(struct mbuf *mbuf) { @@ -143,6 +144,35 @@ } static struct label * +mac_inpcb_label_alloc(int flag) +{ + struct label *label; + int error; + + label = mac_labelzone_alloc(flag); + if (label == NULL) + return (NULL); + MAC_CHECK(init_inpcb_label, label, flag); + if (error) { + MAC_PERFORM(destroy_inpcb_label, label); + mac_labelzone_free(label); + return (NULL); + } + MAC_DEBUG_COUNTER_INC(&nmacinpcbs); + return (label); +} + +int +mac_init_inpcb(struct inpcb *inp, int flag) +{ + + inp->inp_label = mac_inpcb_label_alloc(flag); + if (inp->inp_label == NULL) + return (ENOMEM); + return (0); +} + +static struct label * mac_ipq_label_alloc(int flag) { struct label *label; @@ -220,7 +250,7 @@ return (0); } -static struct label * +struct label * mac_socket_label_alloc(int flag) { struct label *label; @@ -234,7 +264,7 @@ if (error) { MAC_PERFORM(destroy_socket_label, label); mac_labelzone_free(label); - return (NULL); + return (NULL); } MAC_DEBUG_COUNTER_INC(&nmacsockets); return (label); @@ -254,7 +284,7 @@ if (error) { MAC_PERFORM(destroy_socket_peer_label, label); mac_labelzone_free(label); - return (NULL); + return (NULL); } MAC_DEBUG_COUNTER_INC(&nmacsockets); return (label); @@ -311,6 +341,23 @@ } static void +mac_inpcb_label_free(struct label *label) +{ + + MAC_PERFORM(destroy_inpcb_label, label); + mac_labelzone_free(label); + MAC_DEBUG_COUNTER_DEC(&nmacinpcbs); +} + +void +mac_destroy_inpcb(struct inpcb *inp) +{ + + mac_inpcb_label_free(inp->inp_label); + inp->inp_label = NULL; +} + +static void mac_ipq_label_free(struct label *label) { @@ -339,7 +386,7 @@ MAC_DEBUG_COUNTER_DEC(&nmacmbufs); } -static void +void mac_socket_label_free(struct label *label) { 
@@ -382,6 +429,13 @@ MAC_PERFORM(copy_mbuf_label, src_label, dest_label); } +void +mac_copy_socket_label(struct label *src, struct label *dest) +{ + + MAC_PERFORM(copy_socket_label, src, dest); +} + static int mac_externalize_ifnet_label(struct label *label, char *elements, char *outbuf, size_t outbuflen) @@ -393,7 +447,7 @@ return (error); } -static int +int mac_externalize_socket_label(struct label *label, char *elements, char *outbuf, size_t outbuflen) { @@ -425,7 +479,7 @@ return (error); } -static int +int mac_internalize_socket_label(struct label *label, char *string) { int error; @@ -443,6 +497,14 @@ } void +mac_create_inpcb_from_socket(struct socket *so, struct inpcb *inp) +{ + + MAC_PERFORM(create_inpcb_from_socket, so, so->so_label, inp, + inp->inp_label); +} + +void mac_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d) { @@ -704,6 +766,24 @@ } int +mac_check_inpcb_deliver(struct inpcb *inp, struct mbuf *m) +{ + struct label *label; + int error; + + M_ASSERTPKTHDR(m); + + if (!mac_enforce_socket) >>> TRUNCATED FOR MAIL (1000 lines) <<<
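Review bot: in the lib/libc/posix1e/mac_get.c hunk, the new mac_get_peer() is a thin wrapper over getsockopt(fd, SOL_SOCKET, SO_PEERLABEL, label, &len), while the change description says it retrieves the peer label "without using the ABI-unclean getsockopt() interface"; either reword the description to say the wrapper hides getsockopt() from callers so it can be reimplemented later, or build it on a mac_get_fd()-style system call as this change already does for SO_LABEL. Two smaller points on the same hunk: the added blank line sits before `int` and none follows the closing `+}`, so `mac_get_pid()` now directly follows `}` with no separator (move the blank line after the new function), and the description says "Update documentation" but no manual page appears in the affected files list.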
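Review bot: both new DTYPE_SOCKET arms in kern_mac.c take Giant around `/* XXX: Socket lock here. */` placeholders; the get path correctly copies so->so_label into a private label under the lock and externalizes after unlocking, and the set path internalizes before locking, which is the right ordering. What is missing is a note that mac_socket_label_set() will invoke the protocol's pr_sosetlabel() (in_pcbsosetlabel() takes INP_LOCK) from under Giant, so the lock order socket-then-inpcb is being established here and should be stated in a comment, and that both XXX markers are meant to become the socket lock in the same conversion. Consider also checking fp->f_type before the switch so that a non-socket descriptor cannot reach `so = fp->f_data` if the switch is later reordered.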
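Review bot: the SO_LABEL and SO_PEERLABEL arms of sogetopt() in uipc_socket.c now sooptcopyin() the caller's struct mac before calling mac_getsockopt_label()/mac_getsockopt_peerlabel(), so the user-supplied m_string/m_buflen are consumed on the get path where previously only the result was copied out; that is a user-visible behaviour change the description does not mention (it only covers the renames), and it deserves a line there and in the manual page, since a caller passing an uninitialized struct mac will now get EFAULT or a garbage buffer length rather than a label.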
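Review bot: in the netatm/atm_usrreq.c hunk the third new entry is commented `/* pru_sooll */`; it should read `/* pru_sopoll */`. The three explicit NULL entries also make it visible that this pr_usrreqs has no sosend/soreceive/sopoll, which matches the previous implicit zero-initialization but is now easy to mistake for an omission; a one-line comment saying these are intentionally unset would help the next reader.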
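Review bot: the in_pcballoc() hunk in netinet/in_pcb.c leaks the MAC label on the IPsec failure path: after mac_init_inpcb() succeeds, a failing ipsec_init_policy()/ipsec_init_pcbpolicy() does `goto out`, and `out:` only calls uma_zfree(), never mac_destroy_inpcb(), so the inpcb label (and the nmacinpcbs debug counter) is lost. Add `#ifdef MAC if (inp->inp_label != NULL) mac_destroy_inpcb(inp); #endif` ahead of the uma_zfree() in the out: path; the NULL guard matters because mac_init_inpcb() failure leaves inp_label NULL and mac_inpcb_label_free() passes the label to MAC_PERFORM(destroy_inpcb_label, ...) without checking it. In the same file, in_pcbsosetlabel() is written as a K&R definition while prison_xinpcb() two lines below uses an ANSI prototype, and it dereferences so->so_pcb with no NULL check; the XXX comment should say what keeps so_pcb from being detached between the socket layer's label set and this call.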
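Review bot: the netinet/in_pcb.h hunk adds two prototypes, `void in_pcbsetsolabel(struct socket *so);` and `void in_pcbsosetlabel(struct socket *so);`, but only in_pcbsosetlabel() is defined in the in_pcb.c hunk; in_pcbsetsolabel looks like a leftover from a rename and should be dropped before it misleads a caller.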
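Review bot: the netinet6/raw_ip6.c hunk wires rip6_usrreqs to pru_sosetlabel_null, while the neighbouring udp6_usrreq.c hunk and the IPv4 raw_ip.c, tcp_usrreq.c, udp_usrreq.c and ip_divert.c hunks all use in_pcbsosetlabel; given that the description says the inpcb label cache applies to IPv4 and IPv6, raw IPv6 sockets look like the one inpcb-backed protocol that will not see socket relabels in its cached inpcb label. If that is intentional (for instance because rip6_input still checks the socket label rather than the inpcb label), say so in the description; otherwise use in_pcbsosetlabel there too.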
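Review bot: in the netinet/tcp_input.c hunk `so = inp->inp_socket;` is moved to after the `#ifdef MAC ... goto drop;` block, so on a MAC deliver failure control reaches the drop label with `so` holding whatever it held before this point; please confirm that `so` is initialized earlier in tcp_input() (the drop path's TCPDEBUG handling is not visible in this hunk), otherwise keep the assignment above the check since mac_check_inpcb_deliver() does not need it to be absent.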
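Review bot: in security/mac/mac_net.c, mac_init_inpcb() returns ENOMEM whenever mac_inpcb_label_alloc() returns NULL, but that NULL also covers the case where mac_labelzone_alloc() succeeded and a policy's init_inpcb_label failed in MAC_CHECK; returning the policy's error (or having mac_inpcb_label_alloc() take an `int *error` out-parameter as mac_socket_label_alloc() could too) would let callers distinguish memory pressure from a policy refusing to label the pcb. The two `return (NULL);` hunks in mac_socket_label_alloc()/mac_socket_peer_label_alloc() are whitespace-only and would be cleaner in a separate change, and mac_check_inpcb_deliver() is cut off at `if (!mac_enforce_socket)` in this mail, so its body cannot be reviewed here; please post the remainder.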