Date: Thu, 15 Feb 2007 20:30:14 GMT From: Todd Miller <millert@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 114585 for review Message-ID: <200702152030.l1FKUETx073950@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=114585
Change 114585 by millert@millert_p4 on 2007/02/15 20:29:16
Implement more networking entrypoints.
Comment out entrypoints that are not currently supported by the reference policy.
Affected files ...
.. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/sebsd.c#44 edit
Differences ...
==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/sebsd.c#44 (text+ko) ====
@@ -119,6 +119,22 @@
 return perm;
 }
 
+static void
+copy_network_label(struct label *src, struct label *dest)
+{
+ if (src == NULL)
+ printf("copy_network_label: src is NULL\n");
+ if (dest == NULL)
+ printf("copy_network_label: dest is NULL\n");
+ if (SLOT(dest) == NULL)
+ printf("copy_network_label: slot(dest) is NULL\n");
+ if (SLOT(src) == NULL)
+ printf("copy_network_label: slot(src) is NULL\n");
+
+ *(struct network_security_struct *) SLOT(dest) =
+ *(struct network_security_struct *) SLOT(src);
+}
+
 /*
 * Check whether a task is allowed to use a capability.
 */
@@ -430,6 +446,14 @@
 }
 
 static void
+sebsd_relabel_ifnet(struct ucred *cred, struct ifnet *ifn,
+ struct label *ilabel, struct label *newlabel)
+{
+
+ copy_network_label(newlabel, ilabel);
+}
+
+static void
 sebsd_cleanup_sysv_label(struct label *label)
 {
 struct ipc_security_struct *ipcsec;
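Review bot: The four NULL checks in copy_network_label only log and then fall through to the struct assignment, so a NULL src, dest or slot still faults in the kernel right after the printf; and if SLOT() dereferences its argument, as its use as an lvalue accessor suggests, the SLOT(dest)/SLOT(src) tests already fault when dest or src is NULL before the message is printed. Either make the precondition a hard invariant, `KASSERT(src != NULL && dest != NULL, ("copy_network_label: NULL label"));`, or return after the diagnostics so the copy is skipped on a bad label. A one-line header comment noting that this is the (src, dest) helper used as mpo_copy_ifnet_label and mpo_copy_socket_label in the sebsd_ops hunks, and that it copies task_sid along with sid, would also help readers check the argument order at the call sites.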
@@ -572,7 +596,106 @@
 fsec->sid = tsec->sid;
 }
 
+#if 0
+static void
+sebsd_create_fragment(struct mbuf *datagram, struct label *dlabel,
+ struct mbuf *frag, struct label *flabel)
+{
+
+ copy_network_label(dlabel, flabel);
+}
+#endif
+
+/*
+ * XXX: What's are sensible values to assign to an interface?
+ */
+static void
+sebsd_create_ifnet(struct ifnet *ifn, struct label *iflabel)
+{
+
+ struct network_security_struct *nsec;
+
+ nsec = SLOT(iflabel);
+ nsec->sid = 0;
+ nsec->task_sid = 0;
+}
+
 static void
+sebsd_create_inpcb_from_socket(struct socket *so, struct label *solabel,
+ struct inpcb *inp, struct label *ilabel)
+{
+
+ copy_network_label(solabel, ilabel);
+}
+
+#if 0
+static void
+sebsd_create_ipq(struct mbuf *frag, struct label *fraglabel, struct ipq *ipq,
+ struct label *ipqlabel)
+{
+
+ copy_network_label(fraglabel, ipqlabel);
+}
+
+static void
+sebsd_create_mbuf_from_bpfdesc(struct bpf_d *b, struct label *blabel,
+ struct mbuf *m, struct label *mlabel)
+{
+
+ copy_network_label(blabel, mlabel);
+}
+
+static void
+sebsd_create_mbuf_from_ifnet(struct ifnet *ifn, struct label *ilabel,
+ struct mbuf *m, struct label *mlabel)
+{
+
+ copy_network_label(ilabel, mlabel);
+}
+
+static void
+sebsd_create_mbuf_from_inpcb(struct inpcb *in, struct label *ilabel,
+ struct mbuf *m, struct label *mlabel)
+{
+
+ copy_network_label(ilabel, mlabel);
+}
+
+static void
+sebsd_create_mbuf_linklayer(struct ifnet *ifn, struct label *iflabel,
+ struct mbuf *m, struct label *mlabel)
+{
+
+ copy_network_label(iflabel, mlabel);
+}
+
+static void
+sebsd_create_mbuf_netlayer(struct mbuf *oldmbuf, struct label *oldlabel,
+ struct mbuf *newmbuf, struct label *newlabel)
+{
+
+ copy_network_label(oldlabel, newlabel);
+}
+
+static void
+sebsd_create_mbuf_multicast_encap(struct mbuf *oldmbuf, struct label *oldlabel,
+ struct ifnet *ifn, struct label *iflabel, struct mbuf *newmbuf,
+ struct label *newlabel)
+{
+
+ copy_network_label(oldlabel, newlabel);
+}
+
+static void
+sebsd_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel,
+ struct mbuf *datagram, struct label *datagramlabel)
+{
+
+ copy_network_label(ipqlabel, datagramlabel);
+}
+#endif
+
+static void
 sebsd_create_sysv_msgmsg(struct ucred *cred, struct msqid_kernel *msqkptr,
 struct label *msqlabel, struct msg *msgptr, struct label *msglabel)
 {
@@ -653,7 +776,20 @@
 ipcsec = SLOT(ks_label);
 ipcsec->sid = tsec->sid;
- ipcsec->sclass = SECCLASS_POSIX_SEM;
+ ipcsec->sclass = SECCLASS_SEM;
+}
+
+static void
+sebsd_create_bpfdesc(struct ucred *cred, struct bpf_d *b,
+ struct label *blabel)
+{
+ struct network_security_struct *nsec;
+ struct task_security_struct *tsec;
+
+ nsec = SLOT(blabel);
+ tsec = SLOT(cred->cr_label);
+
+ nsec->sid = nsec->task_sid = tsec->sid;
 }
 
 static void
@@ -834,7 +970,17 @@
 SECINITSID_KERNEL);
 }
 
+#if 0
 static void
+sebsd_create_mbuf_from_socket(struct socket *so, struct label *solabel,
+ struct mbuf *m, struct label *mlabel)
+{
+
+ copy_network_label(solabel, mlabel);
+}
+#endif
+
+static void
 sebsd_create_mount(struct ucred *cred, struct mount *mp,
 struct label *mntlabel, struct label *fslabel,
 struct label *mount_arg_label)
@@ -922,6 +1068,26 @@
 }
 }
 
+static void
+sebsd_create_socket(struct ucred *cred, struct socket *so,
+ struct label *solabel)
+{
+ struct task_security_struct *tsec;
+ struct network_security_struct *nsec;
+
+ tsec = SLOT(cred->cr_label);
+ nsec = SLOT(solabel);
+ nsec->sid = nsec->task_sid = tsec->sid;
+}
+
+static void
+sebsd_create_socket_from_socket(struct socket *olds, struct label *oldslabel,
+ struct socket *news, struct label *newslabel)
+{
+
+ copy_network_label(oldslabel, newslabel);
+}
+
 static int
 sebsd_create_vnode_extattr(struct ucred *cred, struct mount *mp,
 struct label *fslabel, struct vnode *parent, struct label *parentlabel,
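Review bot: sebsd_create_ifnet (in the @@ -572 hunk, which starts on the previous line) labels every new interface with sid 0 and task_sid 0, and the XXX comment above it admits the value is a placeholder; in SELinux-derived code 0 is presumably the null SID, so any later avc_has_perm() against an interface label would be evaluated for an unlabelled object and policy cannot write rules for it. If the SEBSD policy carries an initial SID for interfaces (SELinux's flask.h names it SECINITSID_NETIF), use that and drop the XXX; otherwise SECINITSID_KERNEL, which this file already uses for kernel-created objects in the @@ -834 hunk, is a defensible interim value, and the comment should say which was chosen and why. The eight handlers parked under #if 0 in this hunk (and sebsd_create_mbuf_from_socket, sebsd_update_ipq and sebsd_set_socket_peer_from_mbuf in later hunks) are dead code until the policy provides mbuf and ipq classes; a comment on the first `#if 0`, `/* mbuf/ipq labelling is disabled until the reference policy defines those classes. */`, would record that precondition. Minor style point: the blank line between `{` and the nsec declaration in sebsd_create_ifnet is against style(9), which places the blank only after the declarations.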
@@ -959,8 +1125,26 @@
 security_free_context(context);
 return (error);
+}
+
+#if 0
+static void
+sebsd_update_ipq(struct mbuf *frag, struct label *fraglabel, struct ipq *ipq,
+ struct label *ipqlabel)
+{
+
+ copy_network_label(fraglabel, ipqlabel);
 }
+#endif
+
+static void
+sebsd_inpcb_sosetlabel(struct socket *so, struct label *solabel,
+ struct inpcb *inp, struct label *ilabel)
+{
+ copy_network_label(solabel, ilabel);
+}
+
 static int
 sebsd_check_cap(struct ucred *cred, cap_value_t capv)
 {
@@ -1060,6 +1244,7 @@
 return (pipe_has_perm(cred, pp, FIFO_FILE__IOCTL));
 }
 
+#if 0
 static int
 sebsd_check_pipe_poll(struct ucred *cred, struct pipepair *pp,
 struct label *pipelabel)
@@ -1067,6 +1252,7 @@
 return (pipe_has_perm(cred, pp, FIFO_FILE__POLL));
 }
 
+#endif
 static int
 sebsd_check_pipe_read(struct ucred *cred, struct pipepair *pp,
@@ -1359,6 +1545,14 @@
 }
 
 static void
+sebsd_relabel_socket(struct ucred *cred, struct socket *so,
+ struct label *oldlabel, struct label *newlabel)
+{
+
+ copy_network_label(oldlabel, newlabel);
+}
+
+static void
 sebsd_relabel_vnode(struct ucred *cred, struct vnode *vp,
 struct label *vnodelabel, struct label *label)
 {
@@ -1402,6 +1596,24 @@
 return (error);
 }
 
+#if 0
+static void
+sebsd_set_socket_peer_from_mbuf(struct mbuf *m, struct label *mlabel,
+ struct socket *so, struct label *sopeerlabel)
+{
+
+ copy_network_label(mlabel, sopeerlabel);
+}
+#endif
+
+static void
+sebsd_set_socket_peer_from_socket(struct socket *olds, struct label *oldslabel,
+ struct socket *news, struct label *newsockpeerlabel)
+{
+
+ copy_network_label(oldslabel, newsockpeerlabel);
+}
+
 static int
 sebsd_check_vnode_access(struct ucred *cred, struct vnode *vp,
 struct label *label, int acc_mode)
@@ -1644,6 +1856,7 @@
 acc_mode)));
 }
 
+#if 0
 static int
 sebsd_check_vnode_poll(struct ucred *cred, struct ucred *file_cred,
 struct vnode *vp, struct label *label)
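Review bot: Wrapping sebsd_check_pipe_poll in #if 0 in the @@ -1060 and @@ -1067 hunks (and sebsd_check_vnode_poll, sebsd_check_file_create and sebsd_check_sysv_msgrmid the same way in the @@ -1644, @@ -2053 and @@ -2192 hunks) means those operations are no longer mediated by SEBSD at all, not denied, and nothing in the code says why. Each `#if 0` should carry the reason so the check is re-enabled together with its sebsd_ops line instead of being forgotten, e.g. `/* FIFO_FILE__POLL is not defined by the reference policy; re-enable with the mpo_check_pipe_poll entry. */`. If the only problem is that the permission constants are absent from the policy's generated headers, guarding with `#ifdef FIFO_FILE__POLL` (and the matching ops line) would bring the check back automatically once the policy provides it.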
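Review bot: sebsd_relabel_socket in the @@ -1359 hunk copies in the wrong direction: copy_network_label takes (src, dest), and `copy_network_label(oldlabel, newlabel)` overwrites the caller's requested label with the socket's current one while leaving the socket's label untouched, so the relabel silently becomes a no-op. sebsd_relabel_ifnet in the @@ -430 hunk has it the right way round with `copy_network_label(newlabel, ilabel)`; the socket handler should likewise read `copy_network_label(newlabel, oldlabel);`. The parameter naming matches the mpo_relabel_socket prototype deleted in the @@ -2515 hunk, where oldlabel is the socket's own label being updated.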
@@ -1651,6 +1864,7 @@
 return (vnode_has_perm(cred, vp, FILE__POLL));
 }
 
+#endif
 static int
 sebsd_check_vnode_read(struct ucred *cred, struct ucred *file_cred,
@@ -2053,6 +2267,7 @@
 *(struct mount_security_struct *)SLOT(src);
 }
 
+#if 0
 static int
 sebsd_check_file_create(struct ucred *cred)
 {
@@ -2062,6 +2277,7 @@
 return (avc_has_perm(tsec->sid, tsec->sid, SECCLASS_FD, FD__CREATE,
 NULL));
 }
+#endif
 
 static int
 sebsd_check_file_ioctl(struct ucred *cred, struct file *fp,
@@ -2192,6 +2408,7 @@
 return (ipc_has_perm(cred, msglabel, MSG__RECEIVE));
 }
 
+#if 0
 static int
 sebsd_check_sysv_msgrmid(struct ucred *cred, struct msg *msgptr,
 struct label *msglabel)
@@ -2199,6 +2416,7 @@
 return (ipc_has_perm(cred, msglabel, MSG__DESTROY));
 }
 
+#endif
 static int
 sebsd_check_sysv_msqget(struct ucred *cred, struct msqid_kernel *msqkptr,
@@ -2400,7 +2618,7 @@
 struct label *ks_label)
 {
 
- return (ipc_has_perm(cred, ks_label, POSIX_SEM__DISASSOCIATE));
+ return (ipc_has_perm(cred, ks_label, SEM__DISASSOCIATE));
 }
 #endif
 
@@ -2409,7 +2627,7 @@
 struct label *ks_label)
 {
 
- return (ipc_has_perm(cred, ks_label, POSIX_SEM__DESTROY));
+ return (ipc_has_perm(cred, ks_label, SEM__DESTROY));
 }
 
 static int
@@ -2417,7 +2635,7 @@
 struct label *ks_label)
 {
 
- return (ipc_has_perm(cred, ks_label, POSIX_SEM__READ));
+ return (ipc_has_perm(cred, ks_label, SEM__READ));
 }
 
 static int
@@ -2425,7 +2643,7 @@
 struct label *ks_label)
 {
 
- return (ipc_has_perm(cred, ks_label, POSIX_SEM__ASSOCIATE));
+ return (ipc_has_perm(cred, ks_label, SEM__ASSOCIATE));
 }
 
 static int
@@ -2433,7 +2651,7 @@
 struct label *ks_label)
 {
 
- return (ipc_has_perm(cred, ks_label, POSIX_SEM__WRITE));
+ return (ipc_has_perm(cred, ks_label, SEM__WRITE));
 }
 
 static int
@@ -2441,7 +2659,7 @@
 struct label *ks_label)
 {
 
- return (ipc_has_perm(cred, ks_label, POSIX_SEM__DESTROY));
+ return (ipc_has_perm(cred, ks_label, SEM__DESTROY));
 }
 
 static int
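Review bot: The @@ -2400 through @@ -2441 hunks (together with @@ -2449 on the next line and the `ipcsec->sclass = SECCLASS_SEM;` assignment in @@ -653) move the POSIX semaphore checks onto the policy's `sem` class, so one set of type-enforcement rules now governs both SysV and POSIX semaphores and a policy author can no longer tell them apart. That is a policy-visible decision the code does not record; a comment at the sclass assignment, `/* XXX The reference policy has no posix_sem class; POSIX semaphores share the SysV sem class and its permissions. */`, would make the sharing explicit and flag it for revisiting once the policy gains the class. The enclosing functions of these hunks start outside the hunks, so their names are not visible here.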
@@ -2449,7 +2667,7 @@
 struct label *ks_label)
 {
 
- return (ipc_has_perm(cred, ks_label, POSIX_SEM__WRITE));
+ return (ipc_has_perm(cred, ks_label, SEM__WRITE));
 }
 
 static struct mac_policy_ops sebsd_ops = {
@@ -2460,12 +2678,13 @@
 .mpo_init_devfsdirent_label = sebsd_init_vnode_label,
 .mpo_init_file_label = sebsd_init_file_label,
 .mpo_init_ifnet_label = sebsd_init_network_label,
+ .mpo_init_inpcb_label = sebsd_init_network_label_waitcheck,
 .mpo_init_sysv_msgmsg_label = sebsd_init_sysv_label,
 .mpo_init_sysv_msgqueue_label = sebsd_init_sysv_label,
 .mpo_init_sysv_sem_label = sebsd_init_sysv_label,
 .mpo_init_sysv_shm_label = sebsd_init_sysv_label,
- .mpo_init_ipq_label = sebsd_init_network_label_waitcheck,
- .mpo_init_mbuf_label = sebsd_init_network_label_waitcheck,
+ //.mpo_init_ipq_label = sebsd_init_network_label_waitcheck,
+ //.mpo_init_mbuf_label = sebsd_init_network_label_waitcheck,
 .mpo_init_mount_label = sebsd_init_mount_label,
 .mpo_init_mount_fs_label = sebsd_init_mount_fs_label,
 .mpo_init_pipe_label = sebsd_init_vnode_label,
@@ -2480,12 +2699,13 @@
 .mpo_destroy_cred_label = sebsd_destroy_label,
 .mpo_destroy_devfsdirent_label = sebsd_destroy_label,
 .mpo_destroy_ifnet_label = sebsd_destroy_label,
+ .mpo_destroy_inpcb_label = sebsd_destroy_label,
 .mpo_destroy_sysv_msgmsg_label = sebsd_destroy_label,
 .mpo_destroy_sysv_msgqueue_label = sebsd_destroy_label,
 .mpo_destroy_sysv_sem_label = sebsd_destroy_label,
 .mpo_destroy_sysv_shm_label = sebsd_destroy_label,
- .mpo_destroy_ipq_label = sebsd_destroy_label,
- .mpo_destroy_mbuf_label = sebsd_destroy_label,
+ //.mpo_destroy_ipq_label = sebsd_destroy_label,
+ //.mpo_destroy_mbuf_label = sebsd_destroy_label,
 .mpo_destroy_file_label = sebsd_destroy_label,
 .mpo_destroy_mount_label = sebsd_destroy_label,
 .mpo_destroy_mount_fs_label = sebsd_destroy_label,
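Review bot: The disabled initializers `//.mpo_init_ipq_label = ...` and `//.mpo_init_mbuf_label = ...` in the @@ -2460 hunk use C++-style comments, which style(9) does not allow in kernel sources and which this same change avoids elsewhere (`/* .mpo_check_file_create = sebsd_check_file_create, */` in @@ -2561, and the pipe/vnode poll lines in @@ -2595 and @@ -2644); the @@ -2480, @@ -2496, @@ -2515 and @@ -2665 hunks have the same mix. Use one form, `/* */`, throughout, or better still drop the commented-out entries and list the unsupported entry points once in a comment block next to the `#if 0`'d handlers, so the ops table is not a long run of half-dead lines that drift out of sync with the code. The sebsd_ops initializer continues well past the end of this hunk.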
@@ -2496,7 +2716,10 @@
 .mpo_destroy_vnode_label = sebsd_destroy_label,
 
 /* Copy labels */
+ .mpo_copy_ifnet_label = copy_network_label,
+ //.mpo_copy_mbuf_label = copy_network_label,
 .mpo_copy_pipe_label = sebsd_copy_vnode_label,
+ .mpo_copy_socket_label = copy_network_label,
 .mpo_copy_vnode_label = sebsd_copy_vnode_label,
 .mpo_copy_mount_label = sebsd_copy_mount_label,
@@ -2515,45 +2738,40 @@
 .mpo_internalize_vnode_label = sebsd_internalize_vnode_label,
 .mpo_internalize_mount_label = sebsd_internalize_mount_label,
 
-#ifdef notdef
- void (*mpo_create_mbuf_from_socket)(struct socket *so,
- struct label *socketlabel, struct mbuf *m,
- struct label *mbuflabel);
- void (*mpo_create_socket)(struct ucred *cred, struct socket *so,
- struct label *socketlabel);
- void (*mpo_create_socket_from_socket)(struct socket *oldsocket,
- struct label *oldsocketlabel, struct socket *newsocket,
- struct label *newsocketlabel);
- void (*mpo_relabel_socket)(struct ucred *cred, struct socket *so,
- struct label *oldlabel, struct label *newlabel);
- void (*mpo_set_socket_peer_from_mbuf)(struct mbuf *mbuf,
- struct label *mbuflabel, struct socket *so,
- struct label *socketpeerlabel);
- void (*mpo_set_socket_peer_from_socket)(struct socket *oldsocket,
- struct label *oldsocketlabel, struct socket *newsocket,
- struct label *newsocketpeerlabel);
-#endif
-
 /* Create Labels */
 .mpo_copy_cred_label = sebsd_copy_cred_label,
+ .mpo_create_bpfdesc = sebsd_create_bpfdesc,
+ //.mpo_create_datagram_from_ipq = sebsd_create_datagram_from_ipq,
 .mpo_create_devfs_device = sebsd_create_devfs_device,
 .mpo_create_devfs_directory = sebsd_create_devfs_directory,
 .mpo_create_devfs_symlink = sebsd_create_devfs_symlink,
 .mpo_create_file = sebsd_create_file,
- .mpo_create_sysv_msgmsg = sebsd_create_sysv_msgmsg,
- .mpo_create_sysv_msgqueue = sebsd_create_sysv_msgqueue,
- .mpo_create_sysv_sem = sebsd_create_sysv_sem,
- .mpo_create_sysv_shm = sebsd_create_sysv_shm,
- /* .mpo_create_mbuf_from_socket = sebsd_create_mbuf_from_socket, */
+ //.mpo_create_fragment = sebsd_create_fragment,
+ .mpo_create_ifnet = sebsd_create_ifnet,
+ .mpo_create_inpcb_from_socket = sebsd_create_inpcb_from_socket,
+ //.mpo_create_ipq = sebsd_create_ipq,
+ //.mpo_create_mbuf_from_bpfdesc = sebsd_create_mbuf_from_bpfdesc,
+ //.mpo_create_mbuf_from_ifnet = sebsd_create_mbuf_from_ifnet,
+ //.mpo_create_mbuf_from_inpcb = sebsd_create_mbuf_from_inpcb,
+ //.mpo_create_mbuf_multicast_encap = sebsd_create_mbuf_multicast_encap,
+ //.mpo_create_mbuf_from_socket = sebsd_create_mbuf_from_socket,
+ //.mpo_create_mbuf_linklayer = sebsd_create_mbuf_linklayer,
+ //.mpo_create_mbuf_netlayer = sebsd_create_mbuf_netlayer,
 .mpo_create_mount = sebsd_create_mount,
 .mpo_create_pipe = sebsd_create_pipe,
 .mpo_create_posix_sem = sebsd_create_posix_sem,
 .mpo_create_proc0 = sebsd_create_kernel_proc,
 .mpo_create_proc1 = sebsd_create_kernel_proc,
- /* .mpo_create_socket = sebsd_create_socket, */
- /* .mpo_create_socket_from_socket = sebsd_create_socket_from_socket, */
+ .mpo_create_socket = sebsd_create_socket,
+ .mpo_create_socket_from_socket = sebsd_create_socket_from_socket,
+ .mpo_create_sysv_msgmsg = sebsd_create_sysv_msgmsg,
+ .mpo_create_sysv_msgqueue = sebsd_create_sysv_msgqueue,
+ .mpo_create_sysv_sem = sebsd_create_sysv_sem,
+ .mpo_create_sysv_shm = sebsd_create_sysv_shm,
 .mpo_create_vnode_extattr = sebsd_create_vnode_extattr,
 .mpo_update_devfsdirent = sebsd_update_devfsdirent,
+ //.mpo_update_ipq = sebsd_update_ipq,
+ .mpo_inpcb_sosetlabel = sebsd_inpcb_sosetlabel,
 .mpo_associate_vnode_devfs = sebsd_associate_vnode_devfs,
 .mpo_associate_vnode_singlelabel = sebsd_associate_vnode_singlelabel,
 .mpo_associate_vnode_extattr = sebsd_associate_vnode_extattr,
@@ -2561,7 +2779,7 @@
 /* Check Labels */
 .mpo_check_cap = sebsd_check_cap,
 .mpo_check_cred_relabel = sebsd_check_cred_relabel,
- .mpo_check_file_create = sebsd_check_file_create,
+ /* .mpo_check_file_create = sebsd_check_file_create, */
 .mpo_check_file_ioctl = sebsd_check_file_ioctl,
 /*
@@ -2580,7 +2798,7 @@
 .mpo_check_remount = sebsd_check_remount,
 .mpo_check_sysv_msgmsq = sebsd_check_sysv_msgmsq,
 .mpo_check_sysv_msgrcv = sebsd_check_sysv_msgrcv,
- .mpo_check_sysv_msgrmid = sebsd_check_sysv_msgrmid,
+ /* .mpo_check_sysv_msgrmid = sebsd_check_sysv_msgrmid, */
 .mpo_check_sysv_msqget = sebsd_check_sysv_msqget,
 .mpo_check_sysv_msqsnd = sebsd_check_sysv_msqsnd,
 .mpo_check_sysv_msqrcv = sebsd_check_sysv_msqrcv,
@@ -2595,7 +2813,7 @@
 .mpo_check_mount_stat = sebsd_check_mount_stat,
 .mpo_check_pipe_ioctl = sebsd_check_pipe_ioctl,
- .mpo_check_pipe_poll = sebsd_check_pipe_poll,
+ /* .mpo_check_pipe_poll = sebsd_check_pipe_poll, */
 .mpo_check_pipe_read = sebsd_check_pipe_read,
 .mpo_check_pipe_relabel = sebsd_check_pipe_relabel,
 .mpo_check_pipe_stat = sebsd_check_pipe_stat,
@@ -2644,7 +2862,7 @@
 .mpo_check_vnode_mprotect = sebsd_check_vnode_mmap,
 #endif
 .mpo_check_vnode_open = sebsd_check_vnode_open,
- .mpo_check_vnode_poll = sebsd_check_vnode_poll,
+ /* .mpo_check_vnode_poll = sebsd_check_vnode_poll, */
 .mpo_check_vnode_read = sebsd_check_vnode_read,
 .mpo_check_vnode_readdir = sebsd_check_vnode_readdir,
 .mpo_check_vnode_readlink = sebsd_check_vnode_readlink,
@@ -2665,12 +2883,13 @@
 .mpo_execve_transition = sebsd_execve_transition,
 .mpo_execve_will_transition = sebsd_execve_will_transition,
 .mpo_relabel_cred = sebsd_relabel_cred,
+ .mpo_relabel_ifnet = sebsd_relabel_ifnet,
 .mpo_relabel_pipe = sebsd_relabel_pipe,
- /* .mpo_relabel_socket = sebsd_relabel_socket, */
+ .mpo_relabel_socket = sebsd_relabel_socket,
 .mpo_relabel_vnode = sebsd_relabel_vnode,
 .mpo_setlabel_vnode_extattr = sebsd_setlabel_vnode_extattr,
- /*.mpo_set_socket_peer_from_mbuf = sebsd_set_socket_peer_from_mbuf,*/
- /*.mpo_set_socket_peer_from_socket = sebsd_set_socket_peer_from_socket,*/
+ //.mpo_set_socket_peer_from_mbuf = sebsd_set_socket_peer_from_mbuf,
+ .mpo_set_socket_peer_from_socket = sebsd_set_socket_peer_from_socket,
 .mpo_cleanup_sysv_msgmsg = sebsd_cleanup_sysv_label,
 .mpo_cleanup_sysv_msgqueue = sebsd_cleanup_sysv_label,
 .mpo_cleanup_sysv_sem = sebsd_cleanup_sysv_label,
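Review bot: `.mpo_relabel_ifnet` and `.mpo_relabel_socket` are now wired, but no `.mpo_check_ifnet_relabel` or `.mpo_check_socket_relabel` entry is added alongside them anywhere in this change, so SEBSD will apply any interface or socket relabel that the MAC framework's own privilege check lets through without consulting the AVC; the new socket and inpcb create paths likewise label objects without a matching `.mpo_check_socket_*` or `.mpo_check_ifnet_transmit` entry. If that is the intended scope of this step, record it in the `/* Check Labels */` section, e.g. `/* XXX: no network check entry points yet; ifnet and socket relabels are not mediated by this policy. */`, so the gap is visible to whoever next touches the network hooks. The sebsd_ops initializer continues beyond this hunk.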
