author | rwatson <rwatson@FreeBSD.org> | 2004-06-13 02:50:07 +0000 |
---|---|---|
committer | rwatson <rwatson@FreeBSD.org> | 2004-06-13 02:50:07 +0000 |
commit | f1bc833e9552e6874a5343bfd4a0b2999a185b42 (patch) | |
tree | b82bb2c8445f7117f831d6287d086e05ebd1953e /sys/kern | |
parent | b173c880aa20391adf396c098a510e93c583ec02 (diff) | |
Socket MAC labels so_label and so_peerlabel are now protected by
SOCK_LOCK(so):
- Hold socket lock over calls to MAC entry points reading or
manipulating socket labels.
- Assert socket lock in MAC entry point implementations.
- When externalizing the socket label, first make a thread-local
copy while holding the socket lock, then release the socket lock
to externalize to userspace.
Diffstat (limited to 'sys/kern')
-rw-r--r-- | sys/kern/kern_prot.c | 2 | ||||
-rw-r--r-- | sys/kern/sys_socket.c | 4 | ||||
-rw-r--r-- | sys/kern/uipc_sockbuf.c | 2 | ||||
-rw-r--r-- | sys/kern/uipc_socket2.c | 2 | ||||
-rw-r--r-- | sys/kern/uipc_syscalls.c | 12 | ||||
-rw-r--r-- | sys/kern/uipc_usrreq.c | 2 |
6 files changed, 24 insertions, 0 deletions
diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c
index ab2ae0a..a964592 100644
--- a/sys/kern/kern_prot.c
+++ b/sys/kern/kern_prot.c
@@ -1685,7 +1685,9 @@ cr_canseesocket(struct ucred *cred, struct socket *so)
 if (error)
 return (ENOENT);
 #ifdef MAC
+ SOCK_LOCK(so);
 error = mac_check_socket_visible(cred, so);
+ SOCK_UNLOCK(so);
 if (error)
 return (error);
 #endif
diff --git a/sys/kern/sys_socket.c b/sys/kern/sys_socket.c
index 5331574..5f14608 100644
--- a/sys/kern/sys_socket.c
+++ b/sys/kern/sys_socket.c
@@ -77,7 +77,9 @@ soo_read(fp, uio, active_cred, flags, td)
 NET_LOCK_GIANT();
 #ifdef MAC
+ SOCK_LOCK(so);
 error = mac_check_socket_receive(active_cred, so);
+ SOCK_UNLOCK(so);
 if (error) {
 NET_UNLOCK_GIANT();
 return (error);
@@ -102,7 +104,9 @@ soo_write(fp, uio, active_cred, flags, td)
 NET_LOCK_GIANT();
 #ifdef MAC
+ SOCK_LOCK(so);
 error = mac_check_socket_send(active_cred, so);
+ SOCK_UNLOCK(so);
 if (error) {
 NET_UNLOCK_GIANT();
 return (error);
diff --git a/sys/kern/uipc_sockbuf.c b/sys/kern/uipc_sockbuf.c
index 0d75abe..7dbc19d 100644
--- a/sys/kern/uipc_sockbuf.c
+++ b/sys/kern/uipc_sockbuf.c
@@ -209,7 +209,9 @@ sonewconn(head, connstatus)
 so->so_timeo = head->so_timeo;
 so->so_cred = crhold(head->so_cred);
 #ifdef MAC
+ SOCK_LOCK(head);
 mac_create_socket_from_socket(head, so);
+ SOCK_UNLOCK(head);
 #endif
 if (soreserve(so, head->so_snd.sb_hiwat, head->so_rcv.sb_hiwat) || (*so->so_proto->pr_usrreqs->pru_attach)(so, 0, NULL)) {
diff --git a/sys/kern/uipc_socket2.c b/sys/kern/uipc_socket2.c
index 0d75abe..7dbc19d 100644
--- a/sys/kern/uipc_socket2.c
+++ b/sys/kern/uipc_socket2.c
@@ -209,7 +209,9 @@ sonewconn(head, connstatus)
 so->so_timeo = head->so_timeo;
 so->so_cred = crhold(head->so_cred);
 #ifdef MAC
+ SOCK_LOCK(head);
 mac_create_socket_from_socket(head, so);
+ SOCK_UNLOCK(head);
 #endif
 if (soreserve(so, head->so_snd.sb_hiwat, head->so_rcv.sb_hiwat) || (*so->so_proto->pr_usrreqs->pru_attach)(so, 0, NULL)) {
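Review bot: cr_canseesocket() now acquires SOCK_LOCK(so) itself, which changes its locking contract for every caller, and nothing in the hunk records that. If the socket lock is not recursive, a caller that already holds it would deadlock on itself here; the callers are outside this diff, so that needs checking. I would state the precondition at the function head, for example `/* Acquires SOCK_LOCK(so) for the MAC check; the caller must not hold it. */`. The function body starts and ends outside the hunk.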
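Review bot: In soo_read the socket lock is dropped immediately after `mac_check_socket_receive()`, so the lock makes the label read consistent but does not tie the access decision to the receive that follows. If a relabel can run between SOCK_UNLOCK(so) and the actual I/O (the relabel path is not in this diff), the operation proceeds on a decision made against the old label. The same check-then-unlock shape appears in soo_write and in the kern_bind, listen, kern_connect, kern_sendit, recvit and do_sendfile hunks of uipc_syscalls.c. A short comment at these sites stating the intended guarantee would help, e.g. `/* Lock covers the label read only; the check is not atomic with the I/O below. */`.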
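Review bot: In sonewconn only `head` is locked around `mac_create_socket_from_socket(head, so)`, while the call presumably also initializes the label of the new socket `so`. That is fine if `so` cannot yet be reached by another thread at this point, but the hunk does not say so, and the commit message states that the MAC entry points assert the socket lock. A comment such as `/* so is not yet visible to other threads; only head needs SOCK_LOCK. */` would record the assumption, if it holds. The identical hunk in uipc_socket2.c needs the same comment.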
diff --git a/sys/kern/uipc_syscalls.c b/sys/kern/uipc_syscalls.c
index 53d4962..18a5e24 100644
--- a/sys/kern/uipc_syscalls.c
+++ b/sys/kern/uipc_syscalls.c
@@ -190,7 +190,9 @@ kern_bind(td, fd, sa)
 if ((error = fgetsock(td, fd, &so, NULL)) != 0)
 goto done2;
 #ifdef MAC
+ SOCK_LOCK(so);
 error = mac_check_socket_bind(td->td_ucred, so, sa);
+ SOCK_UNLOCK(so);
 if (error)
 goto done1;
 #endif
@@ -223,7 +225,9 @@ listen(td, uap)
 NET_LOCK_GIANT();
 if ((error = fgetsock(td, uap->s, &so, NULL)) == 0) {
 #ifdef MAC
+ SOCK_LOCK(so);
 error = mac_check_socket_listen(td->td_ucred, so);
+ SOCK_UNLOCK(so);
 if (error)
 goto done;
 #endif
@@ -482,7 +486,9 @@ kern_connect(td, fd, sa)
 goto done1;
 }
 #ifdef MAC
+ SOCK_LOCK(so);
 error = mac_check_socket_connect(td->td_ucred, so, sa);
+ SOCK_UNLOCK(so);
 if (error)
 goto bad;
 #endif
@@ -701,7 +707,9 @@ kern_sendit(td, s, mp, flags, control)
 goto bad2;
 #ifdef MAC
+ SOCK_LOCK(so);
 error = mac_check_socket_send(td->td_ucred, so);
+ SOCK_UNLOCK(so);
 if (error)
 goto bad;
 #endif
@@ -944,7 +952,9 @@ recvit(td, s, mp, namelenp)
 }
 #ifdef MAC
+ SOCK_LOCK(so);
 error = mac_check_socket_receive(td->td_ucred, so);
+ SOCK_UNLOCK(so);
 if (error) {
 fputsock(so);
 NET_UNLOCK_GIANT();
@@ -1750,7 +1760,9 @@ do_sendfile(struct thread *td, struct sendfile_args *uap, int compat)
 }
 #ifdef MAC
+ SOCK_LOCK(so);
 error = mac_check_socket_send(td->td_ucred, so);
+ SOCK_UNLOCK(so);
 if (error)
 goto done;
 #endif
diff --git a/sys/kern/uipc_usrreq.c b/sys/kern/uipc_usrreq.c
index 6660d7b..aa435f2 100644
--- a/sys/kern/uipc_usrreq.c
+++ b/sys/kern/uipc_usrreq.c
@@ -846,8 +846,10 @@ unp_connect(so, nam, td)
 sizeof(unp->unp_peercred));
 unp->unp_flags |= UNP_HAVEPC;
 #ifdef MAC
+ SOCK_LOCK(so);
 mac_set_socket_peer_from_socket(so, so3);
 mac_set_socket_peer_from_socket(so3, so);
+ SOCK_UNLOCK(so);
 #endif
 so2 = so3; |
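Review bot: Only `so` is locked around the two `mac_set_socket_peer_from_socket()` calls in unp_connect, yet the calls run in both directions, so labels on `so3` are read and written without SOCK_LOCK(so3). If the MAC entry points assert the lock on both sockets (their implementation is not in this diff) this will trip; if they assert it on only one, so3's labels are unprotected against a concurrent reader or relabel. Either take each socket's lock around the call that touches its label, with a documented lock order between the two sockets, or add a comment stating why so3 needs no lock here, e.g. `/* so3 is not yet visible to other threads; only so needs SOCK_LOCK. */`, if that actually holds. unp_connect's body extends outside the hunk.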