diff options
| author | rwatson <rwatson@FreeBSD.org> | 2002-07-31 03:03:22 +0000 |
|---|---|---|
| committer | rwatson <rwatson@FreeBSD.org> | 2002-07-31 03:03:22 +0000 |
| commit | e9b7aa2f5981bc0df2020d2c17d8b8bec385e7c8 (patch) | |
| tree | d42e6b86c134ad9ea9f6c274e39fe61df8aa248d | |
| parent | ea303967f6e6154b6955681845c280836593153c (diff) | |
| download | FreeBSD-src-e9b7aa2f5981bc0df2020d2c17d8b8bec385e7c8.zip FreeBSD-src-e9b7aa2f5981bc0df2020d2c17d8b8bec385e7c8.tar.gz | |
Introduce support for Mandatory Access Control and extensible
kernel access control.
Invoke the necessary MAC entry points to maintain labels on sockets.
In particular, invoke entry points during socket allocation and
destruction, as well as creation by a process or during an
accept-scenario (sonewconn). For UNIX domain sockets, also assign
a peer label. As the socket code isn't locked down yet, locking
interactions are not yet clear. Various protocol stack socket
operations (such as peer label assignment for IPv4) will follow.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
| -rw-r--r-- | sys/kern/uipc_sockbuf.c | 6 | ||||
| -rw-r--r-- | sys/kern/uipc_socket.c | 11 | ||||
| -rw-r--r-- | sys/kern/uipc_socket2.c | 6 | ||||
| -rw-r--r-- | sys/kern/uipc_usrreq.c | 6 |
4 files changed, 29 insertions, 0 deletions
diff --git a/sys/kern/uipc_sockbuf.c b/sys/kern/uipc_sockbuf.c index 8b36396..45b356e 100644 --- a/sys/kern/uipc_sockbuf.c +++ b/sys/kern/uipc_sockbuf.c @@ -34,7 +34,9 @@ * $FreeBSD$ */ +#include "opt_mac.h" #include "opt_param.h" + #include <sys/param.h> #include <sys/aio.h> /* for aio_swake proto */ #include <sys/domain.h> @@ -43,6 +45,7 @@ #include <sys/kernel.h> #include <sys/lock.h> #include <sys/malloc.h> +#include <sys/mac.h> #include <sys/mbuf.h> #include <sys/mutex.h> #include <sys/proc.h> @@ -195,6 +198,9 @@ sonewconn(head, connstatus) so->so_proto = head->so_proto; so->so_timeo = head->so_timeo; so->so_cred = crhold(head->so_cred); +#ifdef MAC + mac_create_socket_from_socket(head, so); +#endif if (soreserve(so, head->so_snd.sb_hiwat, head->so_rcv.sb_hiwat) || (*so->so_proto->pr_usrreqs->pru_attach)(so, 0, NULL)) { sotryfree(so); diff --git a/sys/kern/uipc_socket.c b/sys/kern/uipc_socket.c index 3bc0127..96ffa62 100644 --- a/sys/kern/uipc_socket.c +++ b/sys/kern/uipc_socket.c @@ -35,6 +35,7 @@ */ #include "opt_inet.h" +#include "opt_mac.h" #include "opt_zero.h" #include <sys/param.h> @@ -42,6 +43,7 @@ #include <sys/fcntl.h> #include <sys/lock.h> #include <sys/malloc.h> +#include <sys/mac.h> #include <sys/mbuf.h> #include <sys/mutex.h> #include <sys/domain.h> @@ -143,6 +145,9 @@ soalloc(waitok) /* sx_init(&so->so_sxlock, "socket sxlock"); */ TAILQ_INIT(&so->so_aiojobq); ++numopensockets; +#ifdef MAC + mac_init_socket(so); +#endif } return so; } @@ -190,6 +195,9 @@ socreate(dom, aso, type, proto, cred, td) so->so_type = type; so->so_cred = crhold(cred); so->so_proto = prp; +#ifdef MAC + mac_create_socket(td->td_ucred, so); +#endif soref(so); error = (*prp->pr_usrreqs->pru_attach)(so, proto, td); if (error) { @@ -238,6 +246,9 @@ sodealloc(struct socket *so) FREE(so->so_accf, M_ACCF); } #endif +#ifdef MAC + mac_destroy_socket(so); +#endif crfree(so->so_cred); /* sx_destroy(&so->so_sxlock); */ uma_zfree(socket_zone, so); diff --git a/sys/kern/uipc_socket2.c b/sys/kern/uipc_socket2.c index 8b36396..45b356e 100644 --- a/sys/kern/uipc_socket2.c +++ b/sys/kern/uipc_socket2.c @@ -34,7 +34,9 @@ * $FreeBSD$ */ +#include "opt_mac.h" #include "opt_param.h" + #include <sys/param.h> #include <sys/aio.h> /* for aio_swake proto */ #include <sys/domain.h> @@ -43,6 +45,7 @@ #include <sys/kernel.h> #include <sys/lock.h> #include <sys/malloc.h> +#include <sys/mac.h> #include <sys/mbuf.h> #include <sys/mutex.h> #include <sys/proc.h> @@ -195,6 +198,9 @@ sonewconn(head, connstatus) so->so_proto = head->so_proto; so->so_timeo = head->so_timeo; so->so_cred = crhold(head->so_cred); +#ifdef MAC + mac_create_socket_from_socket(head, so); +#endif if (soreserve(so, head->so_snd.sb_hiwat, head->so_rcv.sb_hiwat) || (*so->so_proto->pr_usrreqs->pru_attach)(so, 0, NULL)) { sotryfree(so); diff --git a/sys/kern/uipc_usrreq.c b/sys/kern/uipc_usrreq.c index b227d91..2a9cf8b 100644 --- a/sys/kern/uipc_usrreq.c +++ b/sys/kern/uipc_usrreq.c @@ -34,6 +34,8 @@ * $FreeBSD$ */ +#include "opt_mac.h" + #include <sys/param.h> #include <sys/domain.h> #include <sys/fcntl.h> @@ -731,6 +733,10 @@ unp_connect(so, nam, td) memcpy(&unp->unp_peercred, &unp2->unp_peercred, sizeof(unp->unp_peercred)); unp->unp_flags |= UNP_HAVEPC; +#ifdef MAC + mac_set_socket_peer_from_socket(so, so3); + mac_set_socket_peer_from_socket(so3, so); +#endif so2 = so3; } |
