Date: Fri, 31 Oct 2008 11:27:54 +0000 (UTC) From: "Bjoern A. Zeeb" <bz@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-7@freebsd.org Subject: svn commit: r184502 - in stable/7/sys: . security/mac_biba security/mac_lomac security/mac_mls security/mac_partition security/mac_seeotheruids security/mac_stub security/mac_test Message-ID: <200810311127.m9VBRscj079392@svn.freebsd.org>
Author: bz
Date: Fri Oct 31 11:27:54 2008
New Revision: 184502

URL: http://svn.freebsd.org/changeset/base/184502

Log:
  MFC: r183980

  Add a mac_check_inpcb_visible implementation to all MAC policies that handle mac_check_socket_visible.

  Approved by:	re (rwatson)

Modified:
  stable/7/sys/   (props changed)
  stable/7/sys/security/mac_biba/mac_biba.c
  stable/7/sys/security/mac_lomac/mac_lomac.c
  stable/7/sys/security/mac_mls/mac_mls.c
  stable/7/sys/security/mac_partition/mac_partition.c
  stable/7/sys/security/mac_seeotheruids/mac_seeotheruids.c
  stable/7/sys/security/mac_stub/mac_stub.c
  stable/7/sys/security/mac_test/mac_test.c

Modified: stable/7/sys/security/mac_biba/mac_biba.c
==============================================================================
--- stable/7/sys/security/mac_biba/mac_biba.c	Fri Oct 31 10:38:30 2008	(r184501)
+++ stable/7/sys/security/mac_biba/mac_biba.c	Fri Oct 31 11:27:54 2008	(r184502)
@@ -1599,6 +1599,24 @@ biba_check_inpcb_deliver(struct inpcb *i
 }
 
 static int
+biba_check_inpcb_visible(struct ucred *cred, struct inpcb *inp,
+    struct label *inplabel)
+{
+	struct mac_biba *subj, *obj;
+
+	if (!biba_enabled)
+		return (0);
+
+	subj = SLOT(cred->cr_label);
+	obj = SLOT(inplabel);
+
+	if (!biba_dominate_effective(obj, subj))
+		return (ENOENT);
+
+	return (0);
+}
+
+static int
 biba_check_sysv_msgrcv(struct ucred *cred, struct msg *msgptr,
     struct label *msglabel)
 {
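Review bot: The operand order in `biba_dominate_effective(obj, subj)` is the entire access decision and is the reverse of the order the MLS version in this same commit uses, yet nothing in the new function says which direction is intended; add `/* Biba: a subject may observe only objects whose integrity dominates its own. */` above the test so the next reader does not "fix" it. Note that `inp` itself is unused and the decision rests entirely on `inplabel`, and that with `biba_enabled` cleared every pcb is reported visible, presumably mirroring the other checks in this file. biba_check_sysv_msgrcv's body continues outside the hunk.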
@@ -3333,6 +3351,7 @@ static struct mac_policy_ops mac_biba_op
 	.mpo_check_ifnet_relabel = biba_check_ifnet_relabel,
 	.mpo_check_ifnet_transmit = biba_check_ifnet_transmit,
 	.mpo_check_inpcb_deliver = biba_check_inpcb_deliver,
+	.mpo_check_inpcb_visible = biba_check_inpcb_visible,
 	.mpo_check_sysv_msgrcv = biba_check_sysv_msgrcv,
 	.mpo_check_sysv_msgrmid = biba_check_sysv_msgrmid,
 	.mpo_check_sysv_msqget = biba_check_sysv_msqget,

Modified: stable/7/sys/security/mac_lomac/mac_lomac.c
==============================================================================
--- stable/7/sys/security/mac_lomac/mac_lomac.c	Fri Oct 31 10:38:30 2008	(r184501)
+++ stable/7/sys/security/mac_lomac/mac_lomac.c	Fri Oct 31 11:27:54 2008	(r184502)
@@ -1742,6 +1742,24 @@ lomac_check_inpcb_deliver(struct inpcb *
 }
 
 static int
+lomac_check_inpcb_visible(struct ucred *cred, struct inpcb *inp,
+    struct label *inplabel)
+{
+	struct mac_lomac *subj, *obj;
+
+	if (!lomac_enabled)
+		return (0);
+
+	subj = SLOT(cred->cr_label);
+	obj = SLOT(inplabel);
+
+	if (!lomac_dominate_single(obj, subj))
+		return (ENOENT);
+
+	return (0);
+}
+
+static int
 lomac_check_kld_load(struct ucred *cred, struct vnode *vp,
     struct label *vplabel)
 {
@@ -2893,6 +2911,7 @@ static struct mac_policy_ops lomac_ops =
 	.mpo_check_ifnet_relabel = lomac_check_ifnet_relabel,
 	.mpo_check_ifnet_transmit = lomac_check_ifnet_transmit,
 	.mpo_check_inpcb_deliver = lomac_check_inpcb_deliver,
+	.mpo_check_inpcb_visible = lomac_check_inpcb_visible,
 	.mpo_check_kld_load = lomac_check_kld_load,
 	.mpo_check_pipe_ioctl = lomac_check_pipe_ioctl,
 	.mpo_check_pipe_read = lomac_check_pipe_read,

Modified: stable/7/sys/security/mac_mls/mac_mls.c
==============================================================================
--- stable/7/sys/security/mac_mls/mac_mls.c	Fri Oct 31 10:38:30 2008	(r184501)
+++ stable/7/sys/security/mac_mls/mac_mls.c	Fri Oct 31 11:27:54 2008	(r184502)
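Review bot: `lomac_dominate_single(obj, subj)` compares only the single element of each label, while the Biba and MLS counterparts added in this commit use their `*_dominate_effective` helpers, and without a comment it is not obvious that this asymmetry is deliberate; I would add `/* LOMAC: the pcb's single integrity level must dominate the subject's current level. */` and confirm the same helper is used by lomac_check_socket_visible, which this hunk does not show. As in the Biba version, `inp` is unused and `!lomac_enabled` makes every pcb visible. lomac_check_kld_load's body continues outside the hunk.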
@@ -1540,6 +1540,24 @@ mls_check_inpcb_deliver(struct inpcb *in
 }
 
 static int
+mls_check_inpcb_visible(struct ucred *cred, struct inpcb *inp,
+    struct label *inplabel)
+{
+	struct mac_mls *subj, *obj;
+
+	if (!mls_enabled)
+		return (0);
+
+	subj = SLOT(cred->cr_label);
+	obj = SLOT(inplabel);
+
+	if (!mls_dominate_effective(subj, obj))
+		return (ENOENT);
+
+	return (0);
+}
+
+static int
 mls_check_sysv_msgrcv(struct ucred *cred, struct msg *msgptr,
     struct label *msglabel)
 {
@@ -2957,6 +2975,7 @@ static struct mac_policy_ops mls_ops =
 	.mpo_check_ifnet_relabel = mls_check_ifnet_relabel,
 	.mpo_check_ifnet_transmit = mls_check_ifnet_transmit,
 	.mpo_check_inpcb_deliver = mls_check_inpcb_deliver,
+	.mpo_check_inpcb_visible = mls_check_inpcb_visible,
 	.mpo_check_sysv_msgrcv = mls_check_sysv_msgrcv,
 	.mpo_check_sysv_msgrmid = mls_check_sysv_msgrmid,
 	.mpo_check_sysv_msqget = mls_check_sysv_msqget,

Modified: stable/7/sys/security/mac_partition/mac_partition.c
==============================================================================
--- stable/7/sys/security/mac_partition/mac_partition.c	Fri Oct 31 10:38:30 2008	(r184501)
+++ stable/7/sys/security/mac_partition/mac_partition.c	Fri Oct 31 11:27:54 2008	(r184502)
@@ -46,10 +46,15 @@
 #include <sys/priv.h>
 #include <sys/proc.h>
 #include <sys/sbuf.h>
+#include <sys/socket.h>
 #include <sys/socketvar.h>
 #include <sys/systm.h>
 #include <sys/sysctl.h>
 
+#include <net/route.h>
+#include <netinet/in.h>
+#include <netinet/in_pcb.h>
+
 #include <security/mac/mac_policy.h>
 #include <security/mac_partition/mac_partition.h>
 
@@ -186,6 +191,17 @@ partition_check_cred_visible(struct ucre
 }
 
 static int
+partition_check_inpcb_visible(struct ucred *cred, struct inpcb *inp,
+    struct label *inplabel)
+{
+	int error;
+
+	error = label_on_label(cred->cr_label, inp->inp_cred->cr_label);
+
+	return (error ? ENOENT : 0);
+}
+
+static int
 partition_check_proc_debug(struct ucred *cred, struct proc *p)
 {
 	int error;
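Review bot: `mls_dominate_effective(subj, obj)` reverses the operand order used by the Biba check in this commit, which is right for a confidentiality policy (the subject's clearance must dominate the pcb's sensitivity for the pcb to be listed) but reads like a transposition without a comment; suggest `/* MLS: a subject may observe only objects it dominates (no read-up). */` above the test. `inp` is unused here and `!mls_enabled` reports every pcb visible, presumably mirroring the other MLS checks. mls_check_sysv_msgrcv's body continues outside the hunk.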
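Review bot: partition_check_inpcb_visible ignores `inplabel` and decides on `inp->inp_cred->cr_label`, the credential the pcb holds from its creation, so if a process's partition label changes after it opened a socket the pcb's visibility appears to follow the creation-time partition rather than the current one; that is presumably the same tradeoff the socket-level check makes, but it deserves `/* Partition labels live on creds, not pcbs: compare against the creating cred. */` above the `label_on_label` call. The new net/route.h, netinet/in.h and netinet/in_pcb.h includes appear to be there only so that `inp->inp_cred` can be dereferenced, which is worth saying at the include site since nothing else in this policy touches pcbs. partition_check_proc_debug's body continues outside the hunk.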
@@ -258,6 +274,7 @@ static struct mac_policy_ops partition_o
 	.mpo_relabel_cred = partition_relabel_cred,
 	.mpo_check_cred_relabel = partition_check_cred_relabel,
 	.mpo_check_cred_visible = partition_check_cred_visible,
+	.mpo_check_inpcb_visible = partition_check_inpcb_visible,
 	.mpo_check_proc_debug = partition_check_proc_debug,
 	.mpo_check_proc_sched = partition_check_proc_sched,
 	.mpo_check_proc_signal = partition_check_proc_signal,

Modified: stable/7/sys/security/mac_seeotheruids/mac_seeotheruids.c
==============================================================================
--- stable/7/sys/security/mac_seeotheruids/mac_seeotheruids.c	Fri Oct 31 10:38:30 2008	(r184501)
+++ stable/7/sys/security/mac_seeotheruids/mac_seeotheruids.c	Fri Oct 31 11:27:54 2008	(r184502)
@@ -47,9 +47,14 @@
 #include <sys/priv.h>
 #include <sys/proc.h>
 #include <sys/systm.h>
+#include <sys/socket.h>
 #include <sys/socketvar.h>
 #include <sys/sysctl.h>
 
+#include <net/route.h>
+#include <netinet/in.h>
+#include <netinet/in_pcb.h>
+
 #include <security/mac/mac_policy.h>
 
 SYSCTL_DECL(_security_mac);
@@ -129,6 +134,14 @@ seeotheruids_check_cred_visible(struct u
 }
 
 static int
+seeotheruids_check_inpcb_visible(struct ucred *cred, struct inpcb *inp,
+    struct label *inplabel)
+{
+
+	return (seeotheruids_check(cred, inp->inp_cred));
+}
+
+static int
 seeotheruids_check_proc_signal(struct ucred *cred, struct proc *p,
     int signum)
 {
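Review bot: seeotheruids_check_inpcb_visible returns whatever `seeotheruids_check()` returns, whereas every other policy in this commit maps a hidden pcb to `ENOENT`; the helper's failure value is not visible in this hunk, so if it differs the errno reaching cr_canseeinpcb's callers will depend on which policy denied — harmless if they only test for non-zero, but worth `/* Any non-zero from seeotheruids_check() hides the pcb; the errno is not normalized to ENOENT. */` on the return line. Like the partition version, the decision uses the creating credential (`inp->inp_cred`) and ignores `inplabel`. seeotheruids_check_proc_signal's body continues outside the hunk.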
@@ -161,6 +174,7 @@ seeotheruids_check_socket_visible(struct
 static struct mac_policy_ops seeotheruids_ops =
 {
 	.mpo_check_cred_visible = seeotheruids_check_cred_visible,
+	.mpo_check_inpcb_visible = seeotheruids_check_inpcb_visible,
 	.mpo_check_proc_debug = seeotheruids_check_proc_debug,
 	.mpo_check_proc_sched = seeotheruids_check_proc_sched,
 	.mpo_check_proc_signal = seeotheruids_check_proc_signal,

Modified: stable/7/sys/security/mac_stub/mac_stub.c
==============================================================================
--- stable/7/sys/security/mac_stub/mac_stub.c	Fri Oct 31 10:38:30 2008	(r184501)
+++ stable/7/sys/security/mac_stub/mac_stub.c	Fri Oct 31 11:27:54 2008	(r184502)
@@ -614,6 +614,14 @@ stub_check_inpcb_deliver(struct inpcb *i
 }
 
 static int
+stub_check_inpcb_visible(struct ucred *cred, struct inpcb *inp,
+    struct label *inplabel)
+{
+
+	return (0);
+}
+
+static int
 stub_check_sysv_msgmsq(struct ucred *cred, struct msg *msgptr,
     struct label *msglabel, struct msqid_kernel *msqkptr,
     struct label *msqklabel)
@@ -1550,6 +1558,7 @@ static struct mac_policy_ops stub_ops =
 	.mpo_check_ifnet_relabel = stub_check_ifnet_relabel,
 	.mpo_check_ifnet_transmit = stub_check_ifnet_transmit,
 	.mpo_check_inpcb_deliver = stub_check_inpcb_deliver,
+	.mpo_check_inpcb_visible = stub_check_inpcb_visible,
 	.mpo_check_sysv_msgmsq = stub_check_sysv_msgmsq,
 	.mpo_check_sysv_msgrcv = stub_check_sysv_msgrcv,
 	.mpo_check_sysv_msgrmid = stub_check_sysv_msgrmid,

Modified: stable/7/sys/security/mac_test/mac_test.c
==============================================================================
--- stable/7/sys/security/mac_test/mac_test.c	Fri Oct 31 10:38:30 2008	(r184501)
+++ stable/7/sys/security/mac_test/mac_test.c	Fri Oct 31 11:27:54 2008	(r184502)
@@ -1258,6 +1258,19 @@ test_check_inpcb_deliver(struct inpcb *i
 	return (0);
 }
 
+COUNTER_DECL(check_inpcb_visible);
+static int
+test_check_inpcb_visible(struct ucred *cred, struct inpcb *inp,
+    struct label *inplabel)
+{
+
+	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+	LABEL_CHECK(inplabel, MAGIC_INPCB);
+	COUNTER_INC(check_inpcb_visible);
+
+	return (0);
+}
+
 COUNTER_DECL(check_sysv_msgmsq);
 static int
 test_check_sysv_msgmsq(struct ucred *cred, struct msg *msgptr,
@@ -2577,6 +2590,7 @@ static struct mac_policy_ops test_ops =
 	.mpo_check_ifnet_relabel = test_check_ifnet_relabel,
 	.mpo_check_ifnet_transmit = test_check_ifnet_transmit,
 	.mpo_check_inpcb_deliver = test_check_inpcb_deliver,
+	.mpo_check_inpcb_visible = test_check_inpcb_visible,
 	.mpo_check_sysv_msgmsq = test_check_sysv_msgmsq,
 	.mpo_check_sysv_msgrcv = test_check_sysv_msgrcv,
 	.mpo_check_sysv_msgrmid = test_check_sysv_msgrmid,