author | rwatson <rwatson@FreeBSD.org> | 2008-08-23 15:26:36 +0000 |
---|---|---|
committer | rwatson <rwatson@FreeBSD.org> | 2008-08-23 15:26:36 +0000 |
commit | 78a117e6fa3ea5484baa385417846432dcafd758 (patch) | |
tree | 5219c0b4d17dd1dcbcb5fda367c1905a0929ee2b /sys/security/mac/mac_inet.c | |
parent | 36dc0db8e1fa12d3f6a38164a5fb1ae82fc45eba (diff) | |
Introduce two related changes to the TrustedBSD MAC Framework:
(1) Abstract interpreter vnode labeling in execve(2) and mac_execve(2)
so that the general exec code isn't aware of the details of
allocating, copying, and freeing labels but rather simply passes in
a void pointer to start and stop functions that will be used by
the framework. This change will be MFC'd.
(2) Introduce a new flags field to the MAC_POLICY_SET(9) interface
allowing policies to declare which types of objects require label
allocation, initialization, and destruction, and define a set of
flags covering various supported object types (MPC_OBJECT_PROC,
MPC_OBJECT_VNODE, MPC_OBJECT_INPCB, ...). This change reduces the
overhead of compiling the MAC Framework into the kernel if policies
aren't loaded, or if policies require labels on only a small number
or even no object types. Each time a policy is loaded or unloaded,
we recalculate a mask of labeled object types across all policies
present in the system. Eliminate MAC_ALWAYS_LABEL_MBUF option as it
is no longer required.
MFC after: 1 week ((1) only)
Reviewed by: csjp
Obtained from: TrustedBSD Project
Sponsored by: Apple, Inc.
Diffstat (limited to 'sys/security/mac/mac_inet.c')
-rw-r--r-- | sys/security/mac/mac_inet.c | 74 |
1 files changed, 46 insertions, 28 deletions
diff --git a/sys/security/mac/mac_inet.c b/sys/security/mac/mac_inet.c
index 76268d3..6d731ce 100644
--- a/sys/security/mac/mac_inet.c
+++ b/sys/security/mac/mac_inet.c
@@ -3,6 +3,7 @@
  * Copyright (c) 2001 Ilmar S. Habibulin
  * Copyright (c) 2001-2004 Networks Associates Technology, Inc.
  * Copyright (c) 2006 SPARTA, Inc.
+ * Copyright (c) 2008 Apple Inc.
  * All rights reserved.
  *
  * This software was developed by Robert Watson and Ilmar Habibulin for the
@@ -91,9 +92,12 @@ int
 mac_inpcb_init(struct inpcb *inp, int flag)
 {
 
-	inp->inp_label = mac_inpcb_label_alloc(flag);
-	if (inp->inp_label == NULL)
-		return (ENOMEM);
+	if (mac_labeled & MPC_OBJECT_INPCB) {
+		inp->inp_label = mac_inpcb_label_alloc(flag);
+		if (inp->inp_label == NULL)
+			return (ENOMEM);
+	} else
+		inp->inp_label = NULL;
 	return (0);
 }
 
@@ -120,9 +124,12 @@ int
 mac_ipq_init(struct ipq *q, int flag)
 {
 
-	q->ipq_label = mac_ipq_label_alloc(flag);
-	if (q->ipq_label == NULL)
-		return (ENOMEM);
+	if (mac_labeled & MPC_OBJECT_IPQ) {
+		q->ipq_label = mac_ipq_label_alloc(flag);
+		if (q->ipq_label == NULL)
+			return (ENOMEM);
+	} else
+		q->ipq_label = NULL;
 	return (0);
 }
 
@@ -138,8 +145,10 @@ void
 mac_inpcb_destroy(struct inpcb *inp)
 {
 
-	mac_inpcb_label_free(inp->inp_label);
-	inp->inp_label = NULL;
+	if (inp->inp_label != NULL) {
+		mac_inpcb_label_free(inp->inp_label);
+		inp->inp_label = NULL;
+	}
 }
 
 static void
@@ -154,8 +163,10 @@ void
 mac_ipq_destroy(struct ipq *q)
 {
 
-	mac_ipq_label_free(q->ipq_label);
-	q->ipq_label = NULL;
+	if (q->ipq_label != NULL) {
+		mac_ipq_label_free(q->ipq_label);
+		q->ipq_label = NULL;
+	}
 }
 
 void
@@ -349,9 +360,11 @@ void
 mac_syncache_destroy(struct label **label)
 {
 
-	MAC_PERFORM(syncache_destroy_label, *label);
-	mac_labelzone_free(*label);
-	*label = NULL;
+	if (*label != NULL) {
+		MAC_PERFORM(syncache_destroy_label, *label);
+		mac_labelzone_free(*label);
+		*label = NULL;
+	}
 }
 
 int
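Review bot: In mac_inpcb_init, an inpcb created while MPC_OBJECT_INPCB is clear in mac_labeled keeps inp_label == NULL for its whole lifetime, and the commit message says mac_labeled is recomputed on every policy load, so a policy that is loaded later and declares MPC_OBJECT_INPCB will be handed NULL through every hook that forwards inp->inp_label. The destroy path in this file now tolerates that, but the inpcb check, copy and create hooks are not in this diff, so unless late loading of label-requiring policies is refused elsewhere (not visible here) those hooks need their own NULL handling. I would state the invariant at the test site: `/* NULL label: no loaded policy labels inpcbs; later-loaded policies must tolerate this or be refused at load time. */`. The same remark applies to the parallel branches in mac_ipq_init and mac_syncache_init.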
@@ -359,21 +372,26 @@ mac_syncache_init(struct label **label)
 {
 	int error;
 
-	*label = mac_labelzone_alloc(M_NOWAIT);
-	if (*label == NULL)
-		return (ENOMEM);
-	/*
-	 * Since we are holding the inpcb locks the policy can not allocate
-	 * policy specific label storage using M_WAITOK. So we need to do a
-	 * MAC_CHECK instead of the typical MAC_PERFORM so we can propagate
-	 * allocation failures back to the syncache code.
-	 */
-	MAC_CHECK(syncache_init_label, *label, M_NOWAIT);
-	if (error) {
-		MAC_PERFORM(syncache_destroy_label, *label);
-		mac_labelzone_free(*label);
-	}
-	return (error);
+	if (mac_labeled & MPC_OBJECT_SYNCACHE) {
+		*label = mac_labelzone_alloc(M_NOWAIT);
+		if (*label == NULL)
+			return (ENOMEM);
+		/*
+		 * Since we are holding the inpcb locks the policy can not
+		 * allocate policy specific label storage using M_WAITOK. So
+		 * we need to do a MAC_CHECK instead of the typical
+		 * MAC_PERFORM so we can propagate allocation failures back
+		 * to the syncache code.
+		 */
+		MAC_CHECK(syncache_init_label, *label, M_NOWAIT);
+		if (error) {
+			MAC_PERFORM(syncache_destroy_label, *label);
+			mac_labelzone_free(*label);
+		}
+		return (error);
+	} else
+		*label = NULL;
+	return (0);
 }
 
 void
|
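Review bot: In mac_syncache_init's error path, `mac_labelzone_free(*label);` is followed by `return (error);` without clearing `*label`, so the caller gets a non-zero error together with a dangling pointer in the label slot. This predates the commit, but it matters more now that mac_syncache_destroy (earlier in this diff) acts only when `*label != NULL`: a caller that unwinds a failed init by calling destroy would run MAC_PERFORM on freed memory and free the zone entry twice, whereas a NULL slot would be skipped cleanly. Add `*label = NULL;` after `mac_labelzone_free(*label);` inside the `if (error)` block so the failed-init state is indistinguishable from the unlabeled state. Whether the syncache code takes that unwind path is not visible in this diff, so treat this as defense in depth.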