authorrwatson <rwatson@FreeBSD.org>2002-10-05 21:23:47 +0000
committerrwatson <rwatson@FreeBSD.org>2002-10-05 21:23:47 +0000
commit74ec128a1cc11d5f9f7620636ba845fe578a57fc (patch)
treec761fa053a4d22f10903c9ddd53565b138238188
parent6fbe1ed04632e261e3e7c04a4047222500fd0078 (diff)
downloadFreeBSD-src-74ec128a1cc11d5f9f7620636ba845fe578a57fc.zip
FreeBSD-src-74ec128a1cc11d5f9f7620636ba845fe578a57fc.tar.gz
Modify label allocation semantics for sockets: pass in soalloc's malloc
flags so that we can call malloc with M_NOWAIT if necessary, avoiding potential sleeps while holding mutexes in the TCP syncache code. Similar to the existing support for mbuf label allocation: if we can't allocate all the necessary label store in each policy, we back out the label allocation and fail the socket creation. Sync from MAC tree.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
-rw-r--r--sys/kern/kern_mac.c82
-rw-r--r--sys/kern/uipc_socket.c14
-rw-r--r--sys/security/mac/mac_framework.c82
-rw-r--r--sys/security/mac/mac_framework.h4
-rw-r--r--sys/security/mac/mac_internal.h82
-rw-r--r--sys/security/mac/mac_net.c82
-rw-r--r--sys/security/mac/mac_pipe.c82
-rw-r--r--sys/security/mac/mac_policy.h4
-rw-r--r--sys/security/mac/mac_process.c82
-rw-r--r--sys/security/mac/mac_syscalls.c82
-rw-r--r--sys/security/mac/mac_system.c82
-rw-r--r--sys/security/mac/mac_vfs.c82
-rw-r--r--sys/security/mac_biba/mac_biba.c4
-rw-r--r--sys/security/mac_mls/mac_mls.c4
-rw-r--r--sys/security/mac_none/mac_none.c4
-rw-r--r--sys/security/mac_stub/mac_stub.c4
-rw-r--r--sys/security/mac_test/mac_test.c10
-rw-r--r--sys/sys/mac.h4
-rw-r--r--sys/sys/mac_policy.h4
19 files changed, 654 insertions, 140 deletions
diff --git a/sys/kern/kern_mac.c b/sys/kern/kern_mac.c
index 8a9de01..69b1772 100644
--- a/sys/kern/kern_mac.c
+++ b/sys/kern/kern_mac.c
@@ -221,6 +221,8 @@ static void mac_cred_mmapped_drop_perms(struct thread *td,
static void mac_cred_mmapped_drop_perms_recurse(struct thread *td,
struct ucred *cred, struct vm_map *map);
+static void mac_destroy_socket_label(struct label *label);
+
MALLOC_DEFINE(M_MACOPVEC, "macopvec", "MAC policy operation vector");
MALLOC_DEFINE(M_MACPIPELABEL, "macpipelabel", "MAC labels for pipes");
@@ -1156,17 +1158,57 @@ mac_init_pipe(struct pipe *pipe)
#endif
}
-void
-mac_init_socket(struct socket *socket)
+static int
+mac_init_socket_label(struct label *label, int flag)
{
+ int error;
+
+ mac_init_label(label);
+
+ MAC_CHECK(init_socket_label, label, flag);
+ if (error) {
+ MAC_PERFORM(destroy_socket_label, label);
+ mac_destroy_label(label);
+ }
- mac_init_label(&socket->so_label);
- mac_init_label(&socket->so_peerlabel);
- MAC_PERFORM(init_socket_label, &socket->so_label);
- MAC_PERFORM(init_socket_peer_label, &socket->so_peerlabel);
#ifdef MAC_DEBUG
- atomic_add_int(&nmacsockets, 1);
+ if (error == 0)
+ atomic_add_int(&nmacsockets, 1);
#endif
+
+ return (error);
+}
+
+static int
+mac_init_socket_peer_label(struct label *label, int flag)
+{
+ int error;
+
+ mac_init_label(label);
+
+ MAC_CHECK(init_socket_peer_label, label, flag);
+ if (error) {
+ MAC_PERFORM(destroy_socket_label, label);
+ mac_destroy_label(label);
+ }
+
+ return (error);
+}
+
+int
+mac_init_socket(struct socket *socket, int flag)
+{
+ int error;
+
+ error = mac_init_socket_label(&socket->so_label, flag);
+ if (error)
+ return (error);
+
+ error = mac_init_socket_peer_label(&socket->so_peerlabel, flag);
+ if (error)
+ mac_destroy_socket_label(&socket->so_label);
+
+ return (error);
}
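Review bot: The failure path of `mac_init_socket_peer_label` tears the label down with the wrong entry point: after `MAC_CHECK(init_socket_peer_label, label, flag)` reports an error it calls `MAC_PERFORM(destroy_socket_label, label)`, whereas the matching destructor added later in this file, `mac_destroy_socket_peer_label`, uses `destroy_socket_peer_label`. With the current policies both slots point at the same `*_init_label_waitcheck` routine so the mismatch is probably latent, but any policy whose peer-label storage differs from its socket-label storage could free the wrong state or leak the peer allocation on exactly the M_NOWAIT failure this commit introduces. The line should read `MAC_PERFORM(destroy_socket_peer_label, label);`. This page shows the identical hunk again under mac_framework.c, mac_internal.h, mac_net.c, mac_pipe.c, mac_process.c, mac_syscalls.c, mac_system.c and mac_vfs.c, and the same correction applies there.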
static void
@@ -1282,20 +1324,34 @@ mac_destroy_pipe(struct pipe *pipe)
#endif
}
-void
-mac_destroy_socket(struct socket *socket)
+static void
+mac_destroy_socket_label(struct label *label)
{
- MAC_PERFORM(destroy_socket_label, &socket->so_label);
- MAC_PERFORM(destroy_socket_peer_label, &socket->so_peerlabel);
- mac_destroy_label(&socket->so_label);
- mac_destroy_label(&socket->so_peerlabel);
+ MAC_PERFORM(destroy_socket_label, label);
+ mac_destroy_label(label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacsockets, 1);
#endif
}
static void
+mac_destroy_socket_peer_label(struct label *label)
+{
+
+ MAC_PERFORM(destroy_socket_peer_label, label);
+ mac_destroy_label(label);
+}
+
+void
+mac_destroy_socket(struct socket *socket)
+{
+
+ mac_destroy_socket_label(&socket->so_label);
+ mac_destroy_socket_peer_label(&socket->so_peerlabel);
+}
+
+static void
mac_destroy_temp(struct label *label)
{
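Review bot: The MAC_DEBUG accounting ends up split across levels: `atomic_subtract_int(&nmacsockets, 1)` stays inside the per-label `mac_destroy_socket_label`, while the matching increment sits in `mac_init_socket_label` under `if (error == 0)`, and neither the peer-label helpers nor `mac_destroy_socket` touch the counter. Since the counter counts sockets rather than labels, it would read more naturally in `mac_init_socket` (after both labels succeed) and `mac_destroy_socket`, which would also make the two `mac_destroy_socket_*_label` helpers symmetric and let the init failure paths call them directly instead of repeating the `MAC_PERFORM`/`mac_destroy_label` pair. A one-line comment on the counter, e.g. `/* nmacsockets counts sockets with initialised labels, not labels. */`, would at least document the current placement. `mac_destroy_temp` begins on the last line of this hunk and continues outside it.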
diff --git a/sys/kern/uipc_socket.c b/sys/kern/uipc_socket.c
index 7b71f00..4084cb1 100644
--- a/sys/kern/uipc_socket.c
+++ b/sys/kern/uipc_socket.c
@@ -131,6 +131,9 @@ soalloc(waitok)
int waitok;
{
struct socket *so;
+#ifdef MAC
+ int error;
+#endif
int flag;
if (waitok == 1)
@@ -140,14 +143,19 @@ soalloc(waitok)
flag |= M_ZERO;
so = uma_zalloc(socket_zone, flag);
if (so) {
+#ifdef MAC
+ error = mac_init_socket(so, flag);
+ if (error != 0) {
+ uma_zfree(socket_zone, so);
+ so = NULL;
+ return so;
+ }
+#endif
/* XXX race condition for reentrant kernel */
so->so_gencnt = ++so_gencnt;
/* sx_init(&so->so_sxlock, "socket sxlock"); */
TAILQ_INIT(&so->so_aiojobq);
++numopensockets;
-#ifdef MAC
- mac_init_socket(so);
-#endif
}
return so;
}
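Review bot: The new failure path in `soalloc` spends three statements where the file's own style wants one: `uma_zfree(socket_zone, so); so = NULL; return so;` can be `uma_zfree(socket_zone, so); return NULL;` to match the existing `return so;` below, and if `error` is only ever read by this `if`, `if (mac_init_socket(so, flag) != 0)` would also remove the `#ifdef MAC`-guarded declaration added in the previous hunk. Calling `mac_init_socket` before `so_gencnt` and `numopensockets` are bumped is the right order, so a failed socket is never counted. Note that `flag` already carries `M_ZERO` from the line above the hunk and is now forwarded to every policy's label allocation; that looks harmless but deserves a comment if it is intentional. The enclosing `soalloc` starts outside this hunk.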
diff --git a/sys/security/mac/mac_framework.c b/sys/security/mac/mac_framework.c
index 8a9de01..69b1772 100644
--- a/sys/security/mac/mac_framework.c
+++ b/sys/security/mac/mac_framework.c
@@ -221,6 +221,8 @@ static void mac_cred_mmapped_drop_perms(struct thread *td,
static void mac_cred_mmapped_drop_perms_recurse(struct thread *td,
struct ucred *cred, struct vm_map *map);
+static void mac_destroy_socket_label(struct label *label);
+
MALLOC_DEFINE(M_MACOPVEC, "macopvec", "MAC policy operation vector");
MALLOC_DEFINE(M_MACPIPELABEL, "macpipelabel", "MAC labels for pipes");
@@ -1156,17 +1158,57 @@ mac_init_pipe(struct pipe *pipe)
#endif
}
-void
-mac_init_socket(struct socket *socket)
+static int
+mac_init_socket_label(struct label *label, int flag)
{
+ int error;
+
+ mac_init_label(label);
+
+ MAC_CHECK(init_socket_label, label, flag);
+ if (error) {
+ MAC_PERFORM(destroy_socket_label, label);
+ mac_destroy_label(label);
+ }
- mac_init_label(&socket->so_label);
- mac_init_label(&socket->so_peerlabel);
- MAC_PERFORM(init_socket_label, &socket->so_label);
- MAC_PERFORM(init_socket_peer_label, &socket->so_peerlabel);
#ifdef MAC_DEBUG
- atomic_add_int(&nmacsockets, 1);
+ if (error == 0)
+ atomic_add_int(&nmacsockets, 1);
#endif
+
+ return (error);
+}
+
+static int
+mac_init_socket_peer_label(struct label *label, int flag)
+{
+ int error;
+
+ mac_init_label(label);
+
+ MAC_CHECK(init_socket_peer_label, label, flag);
+ if (error) {
+ MAC_PERFORM(destroy_socket_label, label);
+ mac_destroy_label(label);
+ }
+
+ return (error);
+}
+
+int
+mac_init_socket(struct socket *socket, int flag)
+{
+ int error;
+
+ error = mac_init_socket_label(&socket->so_label, flag);
+ if (error)
+ return (error);
+
+ error = mac_init_socket_peer_label(&socket->so_peerlabel, flag);
+ if (error)
+ mac_destroy_socket_label(&socket->so_label);
+
+ return (error);
}
static void
@@ -1282,20 +1324,34 @@ mac_destroy_pipe(struct pipe *pipe)
#endif
}
-void
-mac_destroy_socket(struct socket *socket)
+static void
+mac_destroy_socket_label(struct label *label)
{
- MAC_PERFORM(destroy_socket_label, &socket->so_label);
- MAC_PERFORM(destroy_socket_peer_label, &socket->so_peerlabel);
- mac_destroy_label(&socket->so_label);
- mac_destroy_label(&socket->so_peerlabel);
+ MAC_PERFORM(destroy_socket_label, label);
+ mac_destroy_label(label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacsockets, 1);
#endif
}
static void
+mac_destroy_socket_peer_label(struct label *label)
+{
+
+ MAC_PERFORM(destroy_socket_peer_label, label);
+ mac_destroy_label(label);
+}
+
+void
+mac_destroy_socket(struct socket *socket)
+{
+
+ mac_destroy_socket_label(&socket->so_label);
+ mac_destroy_socket_peer_label(&socket->so_peerlabel);
+}
+
+static void
mac_destroy_temp(struct label *label)
{
diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h
index b0d0468..fd8b724 100644
--- a/sys/security/mac/mac_framework.h
+++ b/sys/security/mac/mac_framework.h
@@ -220,9 +220,9 @@ void mac_init_cred(struct ucred *);
void mac_init_devfsdirent(struct devfs_dirent *);
void mac_init_ifnet(struct ifnet *);
void mac_init_ipq(struct ipq *);
-void mac_init_socket(struct socket *);
+int mac_init_socket(struct socket *, int flag);
void mac_init_pipe(struct pipe *);
-int mac_init_mbuf(struct mbuf *m, int how);
+int mac_init_mbuf(struct mbuf *m, int flag);
void mac_init_mount(struct mount *);
void mac_init_vnode(struct vnode *);
void mac_destroy_bpfdesc(struct bpf_d *);
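Review bot: The new prototype `int mac_init_socket(struct socket *, int flag);` names one parameter and leaves the other anonymous, while every neighbouring declaration in this block is fully anonymous; `int mac_init_socket(struct socket *so, int flag);` or `int mac_init_socket(struct socket *, int);` would match the file. The change from `void` to `int` also deserves a comment at the declaration, e.g. `/* Returns 0, or an errno value if a policy could not allocate label store (possible with M_NOWAIT); on failure no label state remains allocated and the caller must fail socket creation. */`, since callers that previously ignored the call now have to check it. The `how` → `flag` rename on `mac_init_mbuf` keeps the two allocation-flag parameters consistent. The same hunk appears in the sys/sys/mac.h section of this page.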
diff --git a/sys/security/mac/mac_internal.h b/sys/security/mac/mac_internal.h
index 8a9de01..69b1772 100644
--- a/sys/security/mac/mac_internal.h
+++ b/sys/security/mac/mac_internal.h
@@ -221,6 +221,8 @@ static void mac_cred_mmapped_drop_perms(struct thread *td,
static void mac_cred_mmapped_drop_perms_recurse(struct thread *td,
struct ucred *cred, struct vm_map *map);
+static void mac_destroy_socket_label(struct label *label);
+
MALLOC_DEFINE(M_MACOPVEC, "macopvec", "MAC policy operation vector");
MALLOC_DEFINE(M_MACPIPELABEL, "macpipelabel", "MAC labels for pipes");
@@ -1156,17 +1158,57 @@ mac_init_pipe(struct pipe *pipe)
#endif
}
-void
-mac_init_socket(struct socket *socket)
+static int
+mac_init_socket_label(struct label *label, int flag)
{
+ int error;
+
+ mac_init_label(label);
+
+ MAC_CHECK(init_socket_label, label, flag);
+ if (error) {
+ MAC_PERFORM(destroy_socket_label, label);
+ mac_destroy_label(label);
+ }
- mac_init_label(&socket->so_label);
- mac_init_label(&socket->so_peerlabel);
- MAC_PERFORM(init_socket_label, &socket->so_label);
- MAC_PERFORM(init_socket_peer_label, &socket->so_peerlabel);
#ifdef MAC_DEBUG
- atomic_add_int(&nmacsockets, 1);
+ if (error == 0)
+ atomic_add_int(&nmacsockets, 1);
#endif
+
+ return (error);
+}
+
+static int
+mac_init_socket_peer_label(struct label *label, int flag)
+{
+ int error;
+
+ mac_init_label(label);
+
+ MAC_CHECK(init_socket_peer_label, label, flag);
+ if (error) {
+ MAC_PERFORM(destroy_socket_label, label);
+ mac_destroy_label(label);
+ }
+
+ return (error);
+}
+
+int
+mac_init_socket(struct socket *socket, int flag)
+{
+ int error;
+
+ error = mac_init_socket_label(&socket->so_label, flag);
+ if (error)
+ return (error);
+
+ error = mac_init_socket_peer_label(&socket->so_peerlabel, flag);
+ if (error)
+ mac_destroy_socket_label(&socket->so_label);
+
+ return (error);
}
static void
@@ -1282,20 +1324,34 @@ mac_destroy_pipe(struct pipe *pipe)
#endif
}
-void
-mac_destroy_socket(struct socket *socket)
+static void
+mac_destroy_socket_label(struct label *label)
{
- MAC_PERFORM(destroy_socket_label, &socket->so_label);
- MAC_PERFORM(destroy_socket_peer_label, &socket->so_peerlabel);
- mac_destroy_label(&socket->so_label);
- mac_destroy_label(&socket->so_peerlabel);
+ MAC_PERFORM(destroy_socket_label, label);
+ mac_destroy_label(label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacsockets, 1);
#endif
}
static void
+mac_destroy_socket_peer_label(struct label *label)
+{
+
+ MAC_PERFORM(destroy_socket_peer_label, label);
+ mac_destroy_label(label);
+}
+
+void
+mac_destroy_socket(struct socket *socket)
+{
+
+ mac_destroy_socket_label(&socket->so_label);
+ mac_destroy_socket_peer_label(&socket->so_peerlabel);
+}
+
+static void
mac_destroy_temp(struct label *label)
{
diff --git a/sys/security/mac/mac_net.c b/sys/security/mac/mac_net.c
index 8a9de01..69b1772 100644
--- a/sys/security/mac/mac_net.c
+++ b/sys/security/mac/mac_net.c
@@ -221,6 +221,8 @@ static void mac_cred_mmapped_drop_perms(struct thread *td,
static void mac_cred_mmapped_drop_perms_recurse(struct thread *td,
struct ucred *cred, struct vm_map *map);
+static void mac_destroy_socket_label(struct label *label);
+
MALLOC_DEFINE(M_MACOPVEC, "macopvec", "MAC policy operation vector");
MALLOC_DEFINE(M_MACPIPELABEL, "macpipelabel", "MAC labels for pipes");
@@ -1156,17 +1158,57 @@ mac_init_pipe(struct pipe *pipe)
#endif
}
-void
-mac_init_socket(struct socket *socket)
+static int
+mac_init_socket_label(struct label *label, int flag)
{
+ int error;
+
+ mac_init_label(label);
+
+ MAC_CHECK(init_socket_label, label, flag);
+ if (error) {
+ MAC_PERFORM(destroy_socket_label, label);
+ mac_destroy_label(label);
+ }
- mac_init_label(&socket->so_label);
- mac_init_label(&socket->so_peerlabel);
- MAC_PERFORM(init_socket_label, &socket->so_label);
- MAC_PERFORM(init_socket_peer_label, &socket->so_peerlabel);
#ifdef MAC_DEBUG
- atomic_add_int(&nmacsockets, 1);
+ if (error == 0)
+ atomic_add_int(&nmacsockets, 1);
#endif
+
+ return (error);
+}
+
+static int
+mac_init_socket_peer_label(struct label *label, int flag)
+{
+ int error;
+
+ mac_init_label(label);
+
+ MAC_CHECK(init_socket_peer_label, label, flag);
+ if (error) {
+ MAC_PERFORM(destroy_socket_label, label);
+ mac_destroy_label(label);
+ }
+
+ return (error);
+}
+
+int
+mac_init_socket(struct socket *socket, int flag)
+{
+ int error;
+
+ error = mac_init_socket_label(&socket->so_label, flag);
+ if (error)
+ return (error);
+
+ error = mac_init_socket_peer_label(&socket->so_peerlabel, flag);
+ if (error)
+ mac_destroy_socket_label(&socket->so_label);
+
+ return (error);
}
static void
@@ -1282,20 +1324,34 @@ mac_destroy_pipe(struct pipe *pipe)
#endif
}
-void
-mac_destroy_socket(struct socket *socket)
+static void
+mac_destroy_socket_label(struct label *label)
{
- MAC_PERFORM(destroy_socket_label, &socket->so_label);
- MAC_PERFORM(destroy_socket_peer_label, &socket->so_peerlabel);
- mac_destroy_label(&socket->so_label);
- mac_destroy_label(&socket->so_peerlabel);
+ MAC_PERFORM(destroy_socket_label, label);
+ mac_destroy_label(label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacsockets, 1);
#endif
}
static void
+mac_destroy_socket_peer_label(struct label *label)
+{
+
+ MAC_PERFORM(destroy_socket_peer_label, label);
+ mac_destroy_label(label);
+}
+
+void
+mac_destroy_socket(struct socket *socket)
+{
+
+ mac_destroy_socket_label(&socket->so_label);
+ mac_destroy_socket_peer_label(&socket->so_peerlabel);
+}
+
+static void
mac_destroy_temp(struct label *label)
{
diff --git a/sys/security/mac/mac_pipe.c b/sys/security/mac/mac_pipe.c
index 8a9de01..69b1772 100644
--- a/sys/security/mac/mac_pipe.c
+++ b/sys/security/mac/mac_pipe.c
@@ -221,6 +221,8 @@ static void mac_cred_mmapped_drop_perms(struct thread *td,
static void mac_cred_mmapped_drop_perms_recurse(struct thread *td,
struct ucred *cred, struct vm_map *map);
+static void mac_destroy_socket_label(struct label *label);
+
MALLOC_DEFINE(M_MACOPVEC, "macopvec", "MAC policy operation vector");
MALLOC_DEFINE(M_MACPIPELABEL, "macpipelabel", "MAC labels for pipes");
@@ -1156,17 +1158,57 @@ mac_init_pipe(struct pipe *pipe)
#endif
}
-void
-mac_init_socket(struct socket *socket)
+static int
+mac_init_socket_label(struct label *label, int flag)
{
+ int error;
+
+ mac_init_label(label);
+
+ MAC_CHECK(init_socket_label, label, flag);
+ if (error) {
+ MAC_PERFORM(destroy_socket_label, label);
+ mac_destroy_label(label);
+ }
- mac_init_label(&socket->so_label);
- mac_init_label(&socket->so_peerlabel);
- MAC_PERFORM(init_socket_label, &socket->so_label);
- MAC_PERFORM(init_socket_peer_label, &socket->so_peerlabel);
#ifdef MAC_DEBUG
- atomic_add_int(&nmacsockets, 1);
+ if (error == 0)
+ atomic_add_int(&nmacsockets, 1);
#endif
+
+ return (error);
+}
+
+static int
+mac_init_socket_peer_label(struct label *label, int flag)
+{
+ int error;
+
+ mac_init_label(label);
+
+ MAC_CHECK(init_socket_peer_label, label, flag);
+ if (error) {
+ MAC_PERFORM(destroy_socket_label, label);
+ mac_destroy_label(label);
+ }
+
+ return (error);
+}
+
+int
+mac_init_socket(struct socket *socket, int flag)
+{
+ int error;
+
+ error = mac_init_socket_label(&socket->so_label, flag);
+ if (error)
+ return (error);
+
+ error = mac_init_socket_peer_label(&socket->so_peerlabel, flag);
+ if (error)
+ mac_destroy_socket_label(&socket->so_label);
+
+ return (error);
}
static void
@@ -1282,20 +1324,34 @@ mac_destroy_pipe(struct pipe *pipe)
#endif
}
-void
-mac_destroy_socket(struct socket *socket)
+static void
+mac_destroy_socket_label(struct label *label)
{
- MAC_PERFORM(destroy_socket_label, &socket->so_label);
- MAC_PERFORM(destroy_socket_peer_label, &socket->so_peerlabel);
- mac_destroy_label(&socket->so_label);
- mac_destroy_label(&socket->so_peerlabel);
+ MAC_PERFORM(destroy_socket_label, label);
+ mac_destroy_label(label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacsockets, 1);
#endif
}
static void
+mac_destroy_socket_peer_label(struct label *label)
+{
+
+ MAC_PERFORM(destroy_socket_peer_label, label);
+ mac_destroy_label(label);
+}
+
+void
+mac_destroy_socket(struct socket *socket)
+{
+
+ mac_destroy_socket_label(&socket->so_label);
+ mac_destroy_socket_peer_label(&socket->so_peerlabel);
+}
+
+static void
mac_destroy_temp(struct label *label)
{
diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h
index d455d3c..51a6d37 100644
--- a/sys/security/mac/mac_policy.h
+++ b/sys/security/mac/mac_policy.h
@@ -80,8 +80,8 @@ struct mac_policy_ops {
int (*mpo_init_mbuf_label)(struct label *label, int flag);
void (*mpo_init_mount_label)(struct label *label);
void (*mpo_init_mount_fs_label)(struct label *label);
- void (*mpo_init_socket_label)(struct label *label);
- void (*mpo_init_socket_peer_label)(struct label *label);
+ int (*mpo_init_socket_label)(struct label *label, int flag);
+ int (*mpo_init_socket_peer_label)(struct label *label, int flag);
void (*mpo_init_pipe_label)(struct label *label);
void (*mpo_init_temp_label)(struct label *label);
void (*mpo_init_vnode_label)(struct label *label);
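Review bot: The two entry points changed from `void` to `int` here carry no description of the new contract, and this header is what policy authors read. As far as the kern_mac.c hunk in this commit shows, the framework reacts to a nonzero return by running `destroy_socket_label` via `MAC_PERFORM` across the policy list, so a policy must either fully initialise the label or leave it in a state its destroy entry point can safely handle; a short comment above these two members should say so, and should state that `flag` is the malloc flag word (`M_WAITOK` or `M_NOWAIT`) passed down from `soalloc` and that the return value is 0 or an errno value. The same hunk appears in the sys/sys/mac_policy.h section of this page.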
diff --git a/sys/security/mac/mac_process.c b/sys/security/mac/mac_process.c
index 8a9de01..69b1772 100644
--- a/sys/security/mac/mac_process.c
+++ b/sys/security/mac/mac_process.c
@@ -221,6 +221,8 @@ static void mac_cred_mmapped_drop_perms(struct thread *td,
static void mac_cred_mmapped_drop_perms_recurse(struct thread *td,
struct ucred *cred, struct vm_map *map);
+static void mac_destroy_socket_label(struct label *label);
+
MALLOC_DEFINE(M_MACOPVEC, "macopvec", "MAC policy operation vector");
MALLOC_DEFINE(M_MACPIPELABEL, "macpipelabel", "MAC labels for pipes");
@@ -1156,17 +1158,57 @@ mac_init_pipe(struct pipe *pipe)
#endif
}
-void
-mac_init_socket(struct socket *socket)
+static int
+mac_init_socket_label(struct label *label, int flag)
{
+ int error;
+
+ mac_init_label(label);
+
+ MAC_CHECK(init_socket_label, label, flag);
+ if (error) {
+ MAC_PERFORM(destroy_socket_label, label);
+ mac_destroy_label(label);
+ }
- mac_init_label(&socket->so_label);
- mac_init_label(&socket->so_peerlabel);
- MAC_PERFORM(init_socket_label, &socket->so_label);
- MAC_PERFORM(init_socket_peer_label, &socket->so_peerlabel);
#ifdef MAC_DEBUG
- atomic_add_int(&nmacsockets, 1);
+ if (error == 0)
+ atomic_add_int(&nmacsockets, 1);
#endif
+
+ return (error);
+}
+
+static int
+mac_init_socket_peer_label(struct label *label, int flag)
+{
+ int error;
+
+ mac_init_label(label);
+
+ MAC_CHECK(init_socket_peer_label, label, flag);
+ if (error) {
+ MAC_PERFORM(destroy_socket_label, label);
+ mac_destroy_label(label);
+ }
+
+ return (error);
+}
+
+int
+mac_init_socket(struct socket *socket, int flag)
+{
+ int error;
+
+ error = mac_init_socket_label(&socket->so_label, flag);
+ if (error)
+ return (error);
+
+ error = mac_init_socket_peer_label(&socket->so_peerlabel, flag);
+ if (error)
+ mac_destroy_socket_label(&socket->so_label);
+
+ return (error);
}
static void
@@ -1282,20 +1324,34 @@ mac_destroy_pipe(struct pipe *pipe)
#endif
}
-void
-mac_destroy_socket(struct socket *socket)
+static void
+mac_destroy_socket_label(struct label *label)
{
- MAC_PERFORM(destroy_socket_label, &socket->so_label);
- MAC_PERFORM(destroy_socket_peer_label, &socket->so_peerlabel);
- mac_destroy_label(&socket->so_label);
- mac_destroy_label(&socket->so_peerlabel);
+ MAC_PERFORM(destroy_socket_label, label);
+ mac_destroy_label(label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacsockets, 1);
#endif
}
static void
+mac_destroy_socket_peer_label(struct label *label)
+{
+
+ MAC_PERFORM(destroy_socket_peer_label, label);
+ mac_destroy_label(label);
+}
+
+void
+mac_destroy_socket(struct socket *socket)
+{
+
+ mac_destroy_socket_label(&socket->so_label);
+ mac_destroy_socket_peer_label(&socket->so_peerlabel);
+}
+
+static void
mac_destroy_temp(struct label *label)
{
diff --git a/sys/security/mac/mac_syscalls.c b/sys/security/mac/mac_syscalls.c
index 8a9de01..69b1772 100644
--- a/sys/security/mac/mac_syscalls.c
+++ b/sys/security/mac/mac_syscalls.c
@@ -221,6 +221,8 @@ static void mac_cred_mmapped_drop_perms(struct thread *td,
static void mac_cred_mmapped_drop_perms_recurse(struct thread *td,
struct ucred *cred, struct vm_map *map);
+static void mac_destroy_socket_label(struct label *label);
+
MALLOC_DEFINE(M_MACOPVEC, "macopvec", "MAC policy operation vector");
MALLOC_DEFINE(M_MACPIPELABEL, "macpipelabel", "MAC labels for pipes");
@@ -1156,17 +1158,57 @@ mac_init_pipe(struct pipe *pipe)
#endif
}
-void
-mac_init_socket(struct socket *socket)
+static int
+mac_init_socket_label(struct label *label, int flag)
{
+ int error;
+
+ mac_init_label(label);
+
+ MAC_CHECK(init_socket_label, label, flag);
+ if (error) {
+ MAC_PERFORM(destroy_socket_label, label);
+ mac_destroy_label(label);
+ }
- mac_init_label(&socket->so_label);
- mac_init_label(&socket->so_peerlabel);
- MAC_PERFORM(init_socket_label, &socket->so_label);
- MAC_PERFORM(init_socket_peer_label, &socket->so_peerlabel);
#ifdef MAC_DEBUG
- atomic_add_int(&nmacsockets, 1);
+ if (error == 0)
+ atomic_add_int(&nmacsockets, 1);
#endif
+
+ return (error);
+}
+
+static int
+mac_init_socket_peer_label(struct label *label, int flag)
+{
+ int error;
+
+ mac_init_label(label);
+
+ MAC_CHECK(init_socket_peer_label, label, flag);
+ if (error) {
+ MAC_PERFORM(destroy_socket_label, label);
+ mac_destroy_label(label);
+ }
+
+ return (error);
+}
+
+int
+mac_init_socket(struct socket *socket, int flag)
+{
+ int error;
+
+ error = mac_init_socket_label(&socket->so_label, flag);
+ if (error)
+ return (error);
+
+ error = mac_init_socket_peer_label(&socket->so_peerlabel, flag);
+ if (error)
+ mac_destroy_socket_label(&socket->so_label);
+
+ return (error);
}
static void
@@ -1282,20 +1324,34 @@ mac_destroy_pipe(struct pipe *pipe)
#endif
}
-void
-mac_destroy_socket(struct socket *socket)
+static void
+mac_destroy_socket_label(struct label *label)
{
- MAC_PERFORM(destroy_socket_label, &socket->so_label);
- MAC_PERFORM(destroy_socket_peer_label, &socket->so_peerlabel);
- mac_destroy_label(&socket->so_label);
- mac_destroy_label(&socket->so_peerlabel);
+ MAC_PERFORM(destroy_socket_label, label);
+ mac_destroy_label(label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacsockets, 1);
#endif
}
static void
+mac_destroy_socket_peer_label(struct label *label)
+{
+
+ MAC_PERFORM(destroy_socket_peer_label, label);
+ mac_destroy_label(label);
+}
+
+void
+mac_destroy_socket(struct socket *socket)
+{
+
+ mac_destroy_socket_label(&socket->so_label);
+ mac_destroy_socket_peer_label(&socket->so_peerlabel);
+}
+
+static void
mac_destroy_temp(struct label *label)
{
diff --git a/sys/security/mac/mac_system.c b/sys/security/mac/mac_system.c
index 8a9de01..69b1772 100644
--- a/sys/security/mac/mac_system.c
+++ b/sys/security/mac/mac_system.c
@@ -221,6 +221,8 @@ static void mac_cred_mmapped_drop_perms(struct thread *td,
static void mac_cred_mmapped_drop_perms_recurse(struct thread *td,
struct ucred *cred, struct vm_map *map);
+static void mac_destroy_socket_label(struct label *label);
+
MALLOC_DEFINE(M_MACOPVEC, "macopvec", "MAC policy operation vector");
MALLOC_DEFINE(M_MACPIPELABEL, "macpipelabel", "MAC labels for pipes");
@@ -1156,17 +1158,57 @@ mac_init_pipe(struct pipe *pipe)
#endif
}
-void
-mac_init_socket(struct socket *socket)
+static int
+mac_init_socket_label(struct label *label, int flag)
{
+ int error;
+
+ mac_init_label(label);
+
+ MAC_CHECK(init_socket_label, label, flag);
+ if (error) {
+ MAC_PERFORM(destroy_socket_label, label);
+ mac_destroy_label(label);
+ }
- mac_init_label(&socket->so_label);
- mac_init_label(&socket->so_peerlabel);
- MAC_PERFORM(init_socket_label, &socket->so_label);
- MAC_PERFORM(init_socket_peer_label, &socket->so_peerlabel);
#ifdef MAC_DEBUG
- atomic_add_int(&nmacsockets, 1);
+ if (error == 0)
+ atomic_add_int(&nmacsockets, 1);
#endif
+
+ return (error);
+}
+
+static int
+mac_init_socket_peer_label(struct label *label, int flag)
+{
+ int error;
+
+ mac_init_label(label);
+
+ MAC_CHECK(init_socket_peer_label, label, flag);
+ if (error) {
+ MAC_PERFORM(destroy_socket_label, label);
+ mac_destroy_label(label);
+ }
+
+ return (error);
+}
+
+int
+mac_init_socket(struct socket *socket, int flag)
+{
+ int error;
+
+ error = mac_init_socket_label(&socket->so_label, flag);
+ if (error)
+ return (error);
+
+ error = mac_init_socket_peer_label(&socket->so_peerlabel, flag);
+ if (error)
+ mac_destroy_socket_label(&socket->so_label);
+
+ return (error);
}
static void
@@ -1282,20 +1324,34 @@ mac_destroy_pipe(struct pipe *pipe)
#endif
}
-void
-mac_destroy_socket(struct socket *socket)
+static void
+mac_destroy_socket_label(struct label *label)
{
- MAC_PERFORM(destroy_socket_label, &socket->so_label);
- MAC_PERFORM(destroy_socket_peer_label, &socket->so_peerlabel);
- mac_destroy_label(&socket->so_label);
- mac_destroy_label(&socket->so_peerlabel);
+ MAC_PERFORM(destroy_socket_label, label);
+ mac_destroy_label(label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacsockets, 1);
#endif
}
static void
+mac_destroy_socket_peer_label(struct label *label)
+{
+
+ MAC_PERFORM(destroy_socket_peer_label, label);
+ mac_destroy_label(label);
+}
+
+void
+mac_destroy_socket(struct socket *socket)
+{
+
+ mac_destroy_socket_label(&socket->so_label);
+ mac_destroy_socket_peer_label(&socket->so_peerlabel);
+}
+
+static void
mac_destroy_temp(struct label *label)
{
diff --git a/sys/security/mac/mac_vfs.c b/sys/security/mac/mac_vfs.c
index 8a9de01..69b1772 100644
--- a/sys/security/mac/mac_vfs.c
+++ b/sys/security/mac/mac_vfs.c
@@ -221,6 +221,8 @@ static void mac_cred_mmapped_drop_perms(struct thread *td,
static void mac_cred_mmapped_drop_perms_recurse(struct thread *td,
struct ucred *cred, struct vm_map *map);
+static void mac_destroy_socket_label(struct label *label);
+
MALLOC_DEFINE(M_MACOPVEC, "macopvec", "MAC policy operation vector");
MALLOC_DEFINE(M_MACPIPELABEL, "macpipelabel", "MAC labels for pipes");
@@ -1156,17 +1158,57 @@ mac_init_pipe(struct pipe *pipe)
#endif
}
-void
-mac_init_socket(struct socket *socket)
+static int
+mac_init_socket_label(struct label *label, int flag)
{
+ int error;
+
+ mac_init_label(label);
+
+ MAC_CHECK(init_socket_label, label, flag);
+ if (error) {
+ MAC_PERFORM(destroy_socket_label, label);
+ mac_destroy_label(label);
+ }
- mac_init_label(&socket->so_label);
- mac_init_label(&socket->so_peerlabel);
- MAC_PERFORM(init_socket_label, &socket->so_label);
- MAC_PERFORM(init_socket_peer_label, &socket->so_peerlabel);
#ifdef MAC_DEBUG
- atomic_add_int(&nmacsockets, 1);
+ if (error == 0)
+ atomic_add_int(&nmacsockets, 1);
#endif
+
+ return (error);
+}
+
+static int
+mac_init_socket_peer_label(struct label *label, int flag)
+{
+ int error;
+
+ mac_init_label(label);
+
+ MAC_CHECK(init_socket_peer_label, label, flag);
+ if (error) {
+ MAC_PERFORM(destroy_socket_label, label);
+ mac_destroy_label(label);
+ }
+
+ return (error);
+}
+
+int
+mac_init_socket(struct socket *socket, int flag)
+{
+ int error;
+
+ error = mac_init_socket_label(&socket->so_label, flag);
+ if (error)
+ return (error);
+
+ error = mac_init_socket_peer_label(&socket->so_peerlabel, flag);
+ if (error)
+ mac_destroy_socket_label(&socket->so_label);
+
+ return (error);
}
static void
@@ -1282,20 +1324,34 @@ mac_destroy_pipe(struct pipe *pipe)
#endif
}
-void
-mac_destroy_socket(struct socket *socket)
+static void
+mac_destroy_socket_label(struct label *label)
{
- MAC_PERFORM(destroy_socket_label, &socket->so_label);
- MAC_PERFORM(destroy_socket_peer_label, &socket->so_peerlabel);
- mac_destroy_label(&socket->so_label);
- mac_destroy_label(&socket->so_peerlabel);
+ MAC_PERFORM(destroy_socket_label, label);
+ mac_destroy_label(label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacsockets, 1);
#endif
}
static void
+mac_destroy_socket_peer_label(struct label *label)
+{
+
+ MAC_PERFORM(destroy_socket_peer_label, label);
+ mac_destroy_label(label);
+}
+
+void
+mac_destroy_socket(struct socket *socket)
+{
+
+ mac_destroy_socket_label(&socket->so_label);
+ mac_destroy_socket_peer_label(&socket->so_peerlabel);
+}
+
+static void
mac_destroy_temp(struct label *label)
{
diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c
index 53d492d..b202cdb 100644
--- a/sys/security/mac_biba/mac_biba.c
+++ b/sys/security/mac_biba/mac_biba.c
@@ -1954,9 +1954,9 @@ static struct mac_policy_op_entry mac_biba_ops[] =
{ MAC_INIT_PIPE_LABEL,
(macop_t)mac_biba_init_label },
{ MAC_INIT_SOCKET_LABEL,
- (macop_t)mac_biba_init_label },
+ (macop_t)mac_biba_init_label_waitcheck },
{ MAC_INIT_SOCKET_PEER_LABEL,
- (macop_t)mac_biba_init_label },
+ (macop_t)mac_biba_init_label_waitcheck },
{ MAC_INIT_TEMP_LABEL,
(macop_t)mac_biba_init_label },
{ MAC_INIT_VNODE_LABEL,
diff --git a/sys/security/mac_mls/mac_mls.c b/sys/security/mac_mls/mac_mls.c
index 57aacd3..0b1e2ef 100644
--- a/sys/security/mac_mls/mac_mls.c
+++ b/sys/security/mac_mls/mac_mls.c
@@ -1916,9 +1916,9 @@ static struct mac_policy_op_entry mac_mls_ops[] =
{ MAC_INIT_PIPE_LABEL,
(macop_t)mac_mls_init_label },
{ MAC_INIT_SOCKET_LABEL,
- (macop_t)mac_mls_init_label },
+ (macop_t)mac_mls_init_label_waitcheck },
{ MAC_INIT_SOCKET_PEER_LABEL,
- (macop_t)mac_mls_init_label },
+ (macop_t)mac_mls_init_label_waitcheck },
{ MAC_INIT_TEMP_LABEL,
(macop_t)mac_mls_init_label },
{ MAC_INIT_VNODE_LABEL,
diff --git a/sys/security/mac_none/mac_none.c b/sys/security/mac_none/mac_none.c
index 3029e03..9bbc1cd 100644
--- a/sys/security/mac_none/mac_none.c
+++ b/sys/security/mac_none/mac_none.c
@@ -858,9 +858,9 @@ static struct mac_policy_op_entry mac_none_ops[] =
{ MAC_INIT_PIPE_LABEL,
(macop_t)mac_none_init_label },
{ MAC_INIT_SOCKET_LABEL,
- (macop_t)mac_none_init_label },
+ (macop_t)mac_none_init_label_waitcheck },
{ MAC_INIT_SOCKET_PEER_LABEL,
- (macop_t)mac_none_init_label },
+ (macop_t)mac_none_init_label_waitcheck },
{ MAC_INIT_TEMP_LABEL,
(macop_t)mac_none_init_label },
{ MAC_INIT_VNODE_LABEL,
diff --git a/sys/security/mac_stub/mac_stub.c b/sys/security/mac_stub/mac_stub.c
index 3029e03..9bbc1cd 100644
--- a/sys/security/mac_stub/mac_stub.c
+++ b/sys/security/mac_stub/mac_stub.c
@@ -858,9 +858,9 @@ static struct mac_policy_op_entry mac_none_ops[] =
{ MAC_INIT_PIPE_LABEL,
(macop_t)mac_none_init_label },
{ MAC_INIT_SOCKET_LABEL,
- (macop_t)mac_none_init_label },
+ (macop_t)mac_none_init_label_waitcheck },
{ MAC_INIT_SOCKET_PEER_LABEL,
- (macop_t)mac_none_init_label },
+ (macop_t)mac_none_init_label_waitcheck },
{ MAC_INIT_TEMP_LABEL,
(macop_t)mac_none_init_label },
{ MAC_INIT_VNODE_LABEL,
diff --git a/sys/security/mac_test/mac_test.c b/sys/security/mac_test/mac_test.c
index 6727aa7..c1caa44 100644
--- a/sys/security/mac_test/mac_test.c
+++ b/sys/security/mac_test/mac_test.c
@@ -277,20 +277,22 @@ mac_test_init_mount_fs_label(struct label *label)
atomic_add_int(&init_count_mount_fslabel, 1);
}
-static void
-mac_test_init_socket_label(struct label *label)
+static int
+mac_test_init_socket_label(struct label *label, int flag)
{
SLOT(label) = SOCKETMAGIC;
atomic_add_int(&init_count_socket, 1);
+ return (0);
}
-static void
-mac_test_init_socket_peer_label(struct label *label)
+static int
+mac_test_init_socket_peer_label(struct label *label, int flag)
{
SLOT(label) = SOCKETMAGIC;
atomic_add_int(&init_count_socket_peerlabel, 1);
+ return (0);
}
static void
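Review bot: Both `mac_test_init_socket_label` and `mac_test_init_socket_peer_label` ignore their new `flag` parameter and unconditionally `return (0)`, so the test policy never exercises the allocation-failure path this commit adds to the framework. That is reasonable for a policy that allocates nothing per label, but it should be stated, e.g. `/* No per-label allocation: flag is unused and init cannot fail. */` above each function, or the parameter marked `__unused` if this file already uses that annotation elsewhere.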
diff --git a/sys/sys/mac.h b/sys/sys/mac.h
index b0d0468..fd8b724 100644
--- a/sys/sys/mac.h
+++ b/sys/sys/mac.h
@@ -220,9 +220,9 @@ void mac_init_cred(struct ucred *);
void mac_init_devfsdirent(struct devfs_dirent *);
void mac_init_ifnet(struct ifnet *);
void mac_init_ipq(struct ipq *);
-void mac_init_socket(struct socket *);
+int mac_init_socket(struct socket *, int flag);
void mac_init_pipe(struct pipe *);
-int mac_init_mbuf(struct mbuf *m, int how);
+int mac_init_mbuf(struct mbuf *m, int flag);
void mac_init_mount(struct mount *);
void mac_init_vnode(struct vnode *);
void mac_destroy_bpfdesc(struct bpf_d *);
diff --git a/sys/sys/mac_policy.h b/sys/sys/mac_policy.h
index d455d3c..51a6d37 100644
--- a/sys/sys/mac_policy.h
+++ b/sys/sys/mac_policy.h
@@ -80,8 +80,8 @@ struct mac_policy_ops {
int (*mpo_init_mbuf_label)(struct label *label, int flag);
void (*mpo_init_mount_label)(struct label *label);
void (*mpo_init_mount_fs_label)(struct label *label);
- void (*mpo_init_socket_label)(struct label *label);
- void (*mpo_init_socket_peer_label)(struct label *label);
+ int (*mpo_init_socket_label)(struct label *label, int flag);
+ int (*mpo_init_socket_peer_label)(struct label *label, int flag);
void (*mpo_init_pipe_label)(struct label *label);
void (*mpo_init_temp_label)(struct label *label);
void (*mpo_init_vnode_label)(struct label *label);