From: "Bjoern A. Zeeb" Date: Fri, 17 Oct 2008 15:11:12 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r183980 - in head/sys/security: mac_biba mac_lomac mac_mls mac_partition mac_seeotheruids mac_stub mac_test X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 17 Oct 2008 15:11:12 -0000 Author: bz Date: Fri Oct 17 15:11:12 2008 New Revision: 183980 URL: http://svn.freebsd.org/changeset/base/183980 Log: Add a mac_inpcb_check_visible implementation to all MAC policies that handle mac_socket_check_visible. Reviewed by: rwatson MFC after: 3 months (set timer; decide then) Modified: head/sys/security/mac_biba/mac_biba.c head/sys/security/mac_lomac/mac_lomac.c head/sys/security/mac_mls/mac_mls.c head/sys/security/mac_partition/mac_partition.c head/sys/security/mac_seeotheruids/mac_seeotheruids.c head/sys/security/mac_stub/mac_stub.c head/sys/security/mac_test/mac_test.c Modified: head/sys/security/mac_biba/mac_biba.c ============================================================================== --- head/sys/security/mac_biba/mac_biba.c Fri Oct 17 15:10:45 2008 (r183979) +++ head/sys/security/mac_biba/mac_biba.c Fri Oct 17 15:11:12 2008 (r183980) 
@@ -1115,6 +1115,24 @@ biba_inpcb_check_deliver(struct inpcb *i return (biba_equal_effective(p, i) ? 0 : EACCES); } +static int +biba_inpcb_check_visible(struct ucred *cred, struct inpcb *inp, + struct label *inplabel) +{ + struct mac_biba *subj, *obj; + + if (!biba_enabled) + return (0); + + subj = SLOT(cred->cr_label); + obj = SLOT(inplabel); + + if (!biba_dominate_effective(obj, subj)) + return (ENOENT); + + return (0); +} + static void biba_inpcb_create(struct socket *so, struct label *solabel, struct inpcb *inp, struct label *inplabel) @@ -3300,6 +3318,7 @@ static struct mac_policy_ops mac_biba_op .mpo_ifnet_relabel = biba_ifnet_relabel, .mpo_inpcb_check_deliver = biba_inpcb_check_deliver, + .mpo_inpcb_check_visible = biba_inpcb_check_visible, .mpo_inpcb_create = biba_inpcb_create, .mpo_inpcb_create_mbuf = biba_inpcb_create_mbuf, .mpo_inpcb_destroy_label = biba_destroy_label, Modified: head/sys/security/mac_lomac/mac_lomac.c ============================================================================== --- head/sys/security/mac_lomac/mac_lomac.c Fri Oct 17 15:10:45 2008 (r183979) +++ head/sys/security/mac_lomac/mac_lomac.c Fri Oct 17 15:11:12 2008 (r183980) @@ -1244,6 +1244,24 @@ lomac_inpcb_check_deliver(struct inpcb * return (lomac_equal_single(p, i) ? 0 : EACCES); } +static int +lomac_inpcb_check_visible(struct ucred *cred, struct inpcb *inp, + struct label *inplabel) +{ + struct mac_lomac *subj, *obj; + + if (!lomac_enabled) + return (0); + + subj = SLOT(cred->cr_label); + obj = SLOT(inplabel); + + if (!lomac_dominate_single(obj, subj)) + return (ENOENT); + + return (0); +} + static void lomac_inpcb_create(struct socket *so, struct label *solabel, struct inpcb *inp, struct label *inplabel) 
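Review bot: biba_inpcb_check_visible reads the pcb label through SLOT(inplabel) with no lock taken or asserted, so its correctness depends on the framework caller holding the inpcb lock across the check; that precondition should be stated at the top of the function, e.g. `/* Caller must hold the inpcb lock: inplabel is dereferenced without locking here. */`. The hook also returns ENOENT where the adjacent biba_inpcb_check_deliver returns EACCES, and the dominance test is object-over-subject (Biba's no-read-down rule); neither choice is explained, and a comment such as `/* Hide rather than deny: ENOENT lets the caller treat the pcb as absent instead of revealing that it exists. */` would keep a later reader from "fixing" either one. This diff only adds policy-side implementations; nothing visible here shows the framework entry point or its callers invoking the new hook, so it is worth confirming separately that the check is actually reached on the paths that enumerate pcbs.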
@@ -2861,6 +2879,7 @@ static struct mac_policy_ops lomac_ops = .mpo_syncache_init_label = lomac_init_label_waitcheck, .mpo_inpcb_check_deliver = lomac_inpcb_check_deliver, + .mpo_inpcb_check_visible = lomac_inpcb_check_visible, .mpo_inpcb_create = lomac_inpcb_create, .mpo_inpcb_create_mbuf = lomac_inpcb_create_mbuf, .mpo_inpcb_destroy_label = lomac_destroy_label, Modified: head/sys/security/mac_mls/mac_mls.c ============================================================================== --- head/sys/security/mac_mls/mac_mls.c Fri Oct 17 15:10:45 2008 (r183979) +++ head/sys/security/mac_mls/mac_mls.c Fri Oct 17 15:11:12 2008 (r183980) @@ -1033,6 +1033,24 @@ mls_inpcb_check_deliver(struct inpcb *in return (mls_equal_effective(p, i) ? 0 : EACCES); } +static int +mls_inpcb_check_visible(struct ucred *cred, struct inpcb *inp, + struct label *inplabel) +{ + struct mac_mls *subj, *obj; + + if (!mls_enabled) + return (0); + + subj = SLOT(cred->cr_label); + obj = SLOT(inplabel); + + if (!mls_dominate_effective(subj, obj)) + return (ENOENT); + + return (0); +} + static void mls_inpcb_create(struct socket *so, struct label *solabel, struct inpcb *inp, struct label *inplabel) @@ -2923,6 +2941,7 @@ static struct mac_policy_ops mls_ops = .mpo_ifnet_relabel = mls_ifnet_relabel, .mpo_inpcb_check_deliver = mls_inpcb_check_deliver, + .mpo_inpcb_check_visible = mls_inpcb_check_visible, .mpo_inpcb_create = mls_inpcb_create, .mpo_inpcb_create_mbuf = mls_inpcb_create_mbuf, .mpo_inpcb_destroy_label = mls_destroy_label, Modified: head/sys/security/mac_partition/mac_partition.c ============================================================================== --- head/sys/security/mac_partition/mac_partition.c Fri Oct 17 15:10:45 2008 (r183979) +++ head/sys/security/mac_partition/mac_partition.c Fri Oct 17 15:11:12 2008 (r183980) @@ -51,10 +51,15 @@ #include #include #include +#include #include #include #include +#include +#include +#include + #include #include 
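Review bot: mls_inpcb_check_visible passes (subj, obj) to mls_dominate_effective while the Biba and LOMAC hooks added in this same commit pass (obj, subj); both orders are right for their models (confidentiality read-down versus integrity read-up), but the asymmetry is exactly what a future "consistency" cleanup tends to break. A comment above the test, `/* MLS: the subject's clearance must dominate the pcb's label (read down); argument order is deliberately the reverse of the Biba hook. */`, would pin the intent. As in the other policies, the label is read via SLOT(inplabel) without a lock assertion, so the caller's locking precondition is worth stating here as well.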
@@ -199,6 +204,17 @@ partition_cred_relabel(struct ucred *cre } static int +partition_inpcb_check_visible(struct ucred *cred, struct inpcb *inp, + struct label *inplabel) +{ + int error; + + error = label_on_label(cred->cr_label, inp->inp_cred->cr_label); + + return (error ? ENOENT : 0); +} + +static int partition_proc_check_debug(struct ucred *cred, struct proc *p) { int error; @@ -283,6 +299,7 @@ static struct mac_policy_ops partition_o .mpo_cred_init_label = partition_cred_init_label, .mpo_cred_internalize_label = partition_cred_internalize_label, .mpo_cred_relabel = partition_cred_relabel, + .mpo_inpcb_check_visible = partition_inpcb_check_visible, .mpo_proc_check_debug = partition_proc_check_debug, .mpo_proc_check_sched = partition_proc_check_sched, .mpo_proc_check_signal = partition_proc_check_signal, Modified: head/sys/security/mac_seeotheruids/mac_seeotheruids.c ============================================================================== --- head/sys/security/mac_seeotheruids/mac_seeotheruids.c Fri Oct 17 15:10:45 2008 (r183979) +++ head/sys/security/mac_seeotheruids/mac_seeotheruids.c Fri Oct 17 15:11:12 2008 (r183980) @@ -51,9 +51,14 @@ #include #include #include +#include #include #include +#include +#include +#include + #include SYSCTL_DECL(_security_mac); @@ -155,6 +160,14 @@ seeotheruids_cred_check_visible(struct u } static int +seeotheruids_inpcb_check_visible(struct ucred *cred, struct inpcb *inp, + struct label *inplabel) +{ + + return (seeotheruids_check(cred, inp->inp_cred)); +} + +static int seeotheruids_socket_check_visible(struct ucred *cred, struct socket *so, struct label *solabel) { 
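Review bot: partition_inpcb_check_visible ignores inplabel and dereferences inp->inp_cred unconditionally, so it assumes every inpcb the framework hands it carries a credential reference; if pcb allocation always attaches one that holds, but the assumption is unstated and a missing inp_cred would fault rather than fail closed. Since mac_partition labels credentials rather than pcbs, a header comment explaining the choice would help, e.g. `/* mac_partition labels credentials, not pcbs: compare the caller's label against the label of the credential the pcb was created with. */`. Mapping any non-zero label_on_label result to ENOENT, rather than propagating it, also deserves a word, since it hides the pcb instead of denying access.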
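Review bot: seeotheruids_inpcb_check_visible relies on inp->inp_cred being set, just like the partition hook, and likewise says nothing about it; a short comment, `/* Compare against the credential the pcb was created with (inp_cred); inplabel is unused. */`, would make the dependency explicit. The sibling seeotheruids_socket_check_visible that follows begins in this hunk but its body lies outside it, so I cannot confirm the two use the same credential source; if the socket variant keys on the socket's credential, the two checks only stay in agreement as long as that credential and inp_cred refer to the same object.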
@@ -168,6 +181,7 @@ static struct mac_policy_ops seeotheruid .mpo_proc_check_sched = seeotheruids_proc_check_sched, .mpo_proc_check_signal = seeotheruids_proc_check_signal, .mpo_cred_check_visible = seeotheruids_cred_check_visible, + .mpo_inpcb_check_visible = seeotheruids_inpcb_check_visible, .mpo_socket_check_visible = seeotheruids_socket_check_visible, }; Modified: head/sys/security/mac_stub/mac_stub.c ============================================================================== --- head/sys/security/mac_stub/mac_stub.c Fri Oct 17 15:10:45 2008 (r183979) +++ head/sys/security/mac_stub/mac_stub.c Fri Oct 17 15:11:12 2008 (r183980) @@ -859,6 +859,14 @@ stub_socket_check_stat(struct ucred *cre } static int +stub_inpcb_check_visible(struct ucred *cred, struct inpcb *inp, + struct label *inplabel) +{ + + return (0); +} + +static int stub_socket_check_visible(struct ucred *cred, struct socket *so, struct label *solabel) { @@ -1531,6 +1539,7 @@ static struct mac_policy_ops stub_ops = .mpo_ifnet_relabel = stub_ifnet_relabel, .mpo_inpcb_check_deliver = stub_inpcb_check_deliver, + .mpo_inpcb_check_visible = stub_inpcb_check_visible, .mpo_inpcb_create = stub_inpcb_create, .mpo_inpcb_create_mbuf = stub_inpcb_create_mbuf, .mpo_inpcb_destroy_label = stub_destroy_label, Modified: head/sys/security/mac_test/mac_test.c ============================================================================== --- head/sys/security/mac_test/mac_test.c Fri Oct 17 15:10:45 2008 (r183979) +++ head/sys/security/mac_test/mac_test.c Fri Oct 17 15:11:12 2008 (r183980) 
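Review bot: stub_inpcb_check_visible is inserted between stub_socket_check_stat and stub_socket_check_visible, whereas in every other policy touched by this commit the new function sits with the other inpcb hooks (directly after *_inpcb_check_deliver), and the ops table below registers it in the inpcb group as well; moving it there keeps mac_stub usable as a template. The empty body is appropriate for a stub, but a one-line comment such as `/* mac_stub imposes no visibility restriction on pcbs. */` would match the file's role as a reference skeleton.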
@@ -494,6 +494,19 @@ test_inpcb_check_deliver(struct inpcb *i return (0); } +COUNTER_DECL(inpcb_check_visible); +static int +test_inpcb_check_visible(struct ucred *cred, struct inpcb *inp, + struct label *inplabel) +{ + + LABEL_CHECK(cred->cr_label, MAGIC_CRED); + LABEL_CHECK(inplabel, MAGIC_INPCB); + COUNTER_INC(inpcb_check_visible); + + return (0); +} + COUNTER_DECL(inpcb_create); static void test_inpcb_create(struct socket *so, struct label *solabel, @@ -2840,6 +2853,7 @@ static struct mac_policy_ops test_ops = .mpo_sysvshm_init_label = test_sysvshm_init_label, .mpo_inpcb_check_deliver = test_inpcb_check_deliver, + .mpo_inpcb_check_visible = test_inpcb_check_visible, .mpo_inpcb_create = test_inpcb_create, .mpo_inpcb_create_mbuf = test_inpcb_create_mbuf, .mpo_inpcb_destroy_label = test_inpcb_destroy_label,