From: "Bjoern A. Zeeb"
Date: Fri, 17 Oct 2008 12:54:28 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r183973 - head/sys/security/mac

Author: bz
Date: Fri Oct 17 12:54:28 2008
New Revision: 183973
URL: http://svn.freebsd.org/changeset/base/183973

Log:
  Add mac_inpcb_check_visible MAC Framework entry point, which is similar
  to mac_socket_check_visible but operates on the inpcb.

  Reviewed by: rwatson
  MFC after: 3 months (set timer, decide then)

Modified:
  head/sys/security/mac/mac_framework.h
  head/sys/security/mac/mac_inet.c
  head/sys/security/mac/mac_policy.h

Modified: head/sys/security/mac/mac_framework.h ============================================================================== --- head/sys/security/mac/mac_framework.h Fri Oct 17 12:04:59 2008 (r183972) +++ head/sys/security/mac/mac_framework.h Fri Oct 17 12:54:28 2008 (r183973) @@ -131,6 +131,7 @@ int mac_ifnet_ioctl_set(struct ucred *cr struct ifnet *ifp); int mac_inpcb_check_deliver(struct inpcb *inp, struct mbuf *m); +int mac_inpcb_check_visible(struct ucred *cred, struct inpcb *inp); void mac_inpcb_create(struct socket *so, struct inpcb *inp); void mac_inpcb_create_mbuf(struct inpcb *inp, struct mbuf *m); void mac_inpcb_destroy(struct inpcb *); Modified: head/sys/security/mac/mac_inet.c ============================================================================== --- head/sys/security/mac/mac_inet.c Fri Oct 17 12:04:59 2008 (r183972) +++ head/sys/security/mac/mac_inet.c Fri Oct 17 12:54:28 2008 (r183973) 
@@ -313,6 +313,18 @@ mac_inpcb_check_deliver(struct inpcb *in return (error); } +int +mac_inpcb_check_visible(struct ucred *cred, struct inpcb *inp) +{ + int error; + + INP_LOCK_ASSERT(inp); + + MAC_CHECK(inpcb_check_visible, cred, inp, inp->inp_label); + + return (error); +} + void mac_inpcb_sosetlabel(struct socket *so, struct inpcb *inp) { Modified: head/sys/security/mac/mac_policy.h ============================================================================== --- head/sys/security/mac/mac_policy.h Fri Oct 17 12:04:59 2008 (r183972) +++ head/sys/security/mac/mac_policy.h Fri Oct 17 12:54:28 2008 (r183973) @@ -187,6 +187,8 @@ typedef void (*mpo_ifnet_relabel_t)(stru typedef int (*mpo_inpcb_check_deliver_t)(struct inpcb *inp, struct label *inplabel, struct mbuf *m, struct label *mlabel); +typedef int (*mpo_inpcb_check_visible_t)(struct ucred *cred, + struct inpcb *inp, struct label *inplabel); typedef void (*mpo_inpcb_create_t)(struct socket *so, struct label *solabel, struct inpcb *inp, struct label *inplabel); @@ -689,6 +691,7 @@ struct mac_policy_ops { mpo_ifnet_relabel_t mpo_ifnet_relabel; mpo_inpcb_check_deliver_t mpo_inpcb_check_deliver; + mpo_inpcb_check_visible_t mpo_inpcb_check_visible; mpo_inpcb_create_t mpo_inpcb_create; mpo_inpcb_create_mbuf_t mpo_inpcb_create_mbuf; mpo_inpcb_destroy_label_t mpo_inpcb_destroy_label;
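
Review bot: in mac_framework.h the new mac_inpcb_check_visible() prototype arrives with no statement of its calling contract, and the Modified list shows neither a call site nor a policy that implements the hook, so nothing in this revision exercises it. A short comment saying that the caller must hold the inpcb lock (the implementation asserts it) and what a non-zero return means for the caller would help the first consumer get the check right. Landing the first caller, plus entries in the stub and test policies, alongside or soon after this change would keep the entry point from sitting untested.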
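
Review bot: in mac_inpcb_check_visible() in mac_inet.c, error is declared without an initializer and returned immediately after MAC_CHECK, so the result depends entirely on the macro assigning error on every path, including the case where no loaded policy implements the hook. That mirrors the tail of mac_inpcb_check_deliver() visible in the context, but the dependency is invisible at this site; a one-line comment noting that MAC_CHECK sets error would keep a later edit from returning an indeterminate value out of an access-control check. The function also asserts the inp lock but places no requirement on cred, so consider stating whether a NULL cred is ever valid here.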
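
Review bot: in struct mac_policy_ops in mac_policy.h, mpo_inpcb_check_visible is inserted between mpo_inpcb_check_deliver and mpo_inpcb_create, which shifts the offset of every member that follows it. A policy module compiled against the previous header would then have its later hooks read from the wrong slots, which in an access-control framework means the wrong check runs or none does. The log leaves an MFC open ("MFC after: 3 months"), so please state how the ABI change is handled: require all policy modules to be rebuilt and gate that with a framework version bump, or append the member at the end of the structure for any branch where binary compatibility has to hold.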