diff options
| author | rwatson <rwatson@FreeBSD.org> | 2003-11-16 23:31:45 +0000 |
|---|---|---|
| committer | rwatson <rwatson@FreeBSD.org> | 2003-11-16 23:31:45 +0000 |
| commit | 7aa5c2497a67b36cc05ec3c76dca0423b69c9400 (patch) | |
| tree | fede3115e7ef270fd4883e1c4206febe55c2efa7 /sys/kern/kern_mac.c | |
| parent | 44e24b4739d0c28d3ffa69afb7e63d3229969a27 (diff) | |
| download | FreeBSD-src-7aa5c2497a67b36cc05ec3c76dca0423b69c9400.zip FreeBSD-src-7aa5c2497a67b36cc05ec3c76dca0423b69c9400.tar.gz | |
Implement sockets support for __mac_get_fd() and __mac_set_fd()
system calls, and prefer these calls over getsockopt()/setsockopt()
for ABI reasons. When addressing UNIX domain sockets, these calls
retrieve and modify the socket label, not the label of the
rendezvous vnode.
- Create mac_copy_socket_label() entry point based on
mac_copy_pipe_label() entry point, intended to copy the socket
label into temporary storage that doesn't require a socket lock
to be held (currently Giant).
- Implement mac_copy_socket_label() for various policies.
- Expose socket label allocation, free, internalize, externalize
entry points as non-static from mac_net.c.
- Use mac_socket_label_set() in __mac_set_fd().
MAC-aware applications may now use mac_get_fd(), mac_set_fd(), and
mac_get_peer() to retrieve and set various socket labels without
directly invoking the getsockopt() interface.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
Diffstat (limited to 'sys/kern/kern_mac.c')
| -rw-r--r-- | sys/kern/kern_mac.c | 30 |
1 files changed, 30 insertions, 0 deletions
diff --git a/sys/kern/kern_mac.c b/sys/kern/kern_mac.c index c1710f2..f42b075 100644 --- a/sys/kern/kern_mac.c +++ b/sys/kern/kern_mac.c @@ -701,6 +701,7 @@ __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap) struct mac mac; struct vnode *vp; struct pipe *pipe; + struct socket *so; short label_type; int error; @@ -751,6 +752,19 @@ __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap) mac_pipe_label_free(intlabel); break; + case DTYPE_SOCKET: + so = fp->f_data; + intlabel = mac_socket_label_alloc(M_WAITOK); + mtx_lock(&Giant); /* Sockets */ + /* XXX: Socket lock here. */ + mac_copy_socket_label(so->so_label, intlabel); + /* XXX: Socket unlock here. */ + mtx_unlock(&Giant); /* Sockets */ + error = mac_externalize_socket_label(intlabel, elements, + buffer, mac.m_buflen); + mac_socket_label_free(intlabel); + break; + default: error = EINVAL; } @@ -881,6 +895,7 @@ __mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap) { struct label *intlabel; struct pipe *pipe; + struct socket *so; struct file *fp; struct mount *mp; struct vnode *vp; @@ -945,6 +960,21 @@ __mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap) mac_pipe_label_free(intlabel); break; + case DTYPE_SOCKET: + intlabel = mac_socket_label_alloc(M_WAITOK); + error = mac_internalize_socket_label(intlabel, buffer); + if (error == 0) { + so = fp->f_data; + mtx_lock(&Giant); /* Sockets */ + /* XXX: Socket lock here. */ + error = mac_socket_label_set(td->td_ucred, so, + intlabel); + /* XXX: Socket unlock here. */ + mtx_unlock(&Giant); /* Sockets */ + } + mac_socket_label_free(intlabel); + break; + default: error = EINVAL; } |
