diff options
author | rwatson <rwatson@FreeBSD.org> | 2004-02-26 03:51:04 +0000 |
---|---|---|
committer | rwatson <rwatson@FreeBSD.org> | 2004-02-26 03:51:04 +0000 |
commit | 94f1c2c12e72d156571a8216199086ba2d775312 (patch) | |
tree | df95c136876112ff706c8baeb8ea221b480534f1 /sys/security/mac/mac_inet.c | |
parent | 4733577ea0d69a039bfa9c7353c6ec303e191f11 (diff) | |
download | FreeBSD-src-94f1c2c12e72d156571a8216199086ba2d775312.zip FreeBSD-src-94f1c2c12e72d156571a8216199086ba2d775312.tar.gz |
Move inet and inet6 related MAC Framework entry points from mac_net.c
to a new mac_inet.c. This code is now conditionally compiled based
on inet support being compiled into the kernel.
Move socket related MAC Framework entry points from mac_net.c to a new
mac_socket.c.
To do this, some additional _enforce MIB variables are now non-static.
In addition, mbuf_to_label() is now mac_mbuf_to_label() and non-static.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, McAfee Research
Diffstat (limited to 'sys/security/mac/mac_inet.c')
-rw-r--r-- | sys/security/mac/mac_inet.c | 292 |
1 files changed, 292 insertions, 0 deletions
diff --git a/sys/security/mac/mac_inet.c b/sys/security/mac/mac_inet.c new file mode 100644 index 0000000..beb65ef --- /dev/null +++ b/sys/security/mac/mac_inet.c @@ -0,0 +1,292 @@ +/*- + * Copyright (c) 1999-2002 Robert N. M. Watson + * Copyright (c) 2001 Ilmar S. Habibulin + * Copyright (c) 2001-2004 Networks Associates Technology, Inc. + * All rights reserved. + * + * This software was developed by Robert Watson and Ilmar Habibulin for the + * TrustedBSD Project. + * + * This software was developed for the FreeBSD Project in part by Network + * Associates Laboratories, the Security Research Division of Network + * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), + * as part of the DARPA CHATS research program. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include <sys/cdefs.h> +__FBSDID("$FreeBSD$"); + +#include "opt_mac.h" + +#include <sys/param.h> +#include <sys/kernel.h> +#include <sys/lock.h> +#include <sys/malloc.h> +#include <sys/mutex.h> +#include <sys/mac.h> +#include <sys/sbuf.h> +#include <sys/systm.h> +#include <sys/mount.h> +#include <sys/file.h> +#include <sys/namei.h> +#include <sys/protosw.h> +#include <sys/socket.h> +#include <sys/socketvar.h> +#include <sys/sysctl.h> + +#include <sys/mac_policy.h> + +#include <net/if.h> +#include <net/if_var.h> + +#include <netinet/in.h> +#include <netinet/in_pcb.h> +#include <netinet/ip_var.h> + +#include <security/mac/mac_internal.h> + +#ifdef MAC_DEBUG +static unsigned int nmacinpcbs, nmacipqs; + +SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, inpcbs, CTLFLAG_RD, + &nmacinpcbs, 0, "number of inpcbs in use"); +SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, ipqs, CTLFLAG_RD, + &nmacipqs, 0, "number of ipqs in use"); +#endif + +static struct label * +mac_inpcb_label_alloc(int flag) +{ + struct label *label; + int error; + + label = mac_labelzone_alloc(flag); + if (label == NULL) + return (NULL); + MAC_CHECK(init_inpcb_label, label, flag); + if (error) { + MAC_PERFORM(destroy_inpcb_label, label); + mac_labelzone_free(label); + return (NULL); + } + MAC_DEBUG_COUNTER_INC(&nmacinpcbs); + return (label); +} + +int +mac_init_inpcb(struct inpcb *inp, int flag) +{ + + inp->inp_label = mac_inpcb_label_alloc(flag); + if (inp->inp_label == NULL) + return (ENOMEM); + return (0); +} + +static struct label * +mac_ipq_label_alloc(int flag) +{ + struct label *label; + int error; + + label = mac_labelzone_alloc(flag); + if (label == NULL) + return (NULL); + + MAC_CHECK(init_ipq_label, label, flag); + if (error) { + MAC_PERFORM(destroy_ipq_label, label); + mac_labelzone_free(label); + return (NULL); + } + MAC_DEBUG_COUNTER_INC(&nmacipqs); + return (label); +} + +int +mac_init_ipq(struct ipq *ipq, int flag) +{ + + ipq->ipq_label = mac_ipq_label_alloc(flag); + if (ipq->ipq_label == NULL) + return (ENOMEM); + return (0); +} + +static void +mac_inpcb_label_free(struct label *label) +{ + + MAC_PERFORM(destroy_inpcb_label, label); + mac_labelzone_free(label); + MAC_DEBUG_COUNTER_DEC(&nmacinpcbs); +} + +void +mac_destroy_inpcb(struct inpcb *inp) +{ + + mac_inpcb_label_free(inp->inp_label); + inp->inp_label = NULL; +} + +static void +mac_ipq_label_free(struct label *label) +{ + + MAC_PERFORM(destroy_ipq_label, label); + mac_labelzone_free(label); + MAC_DEBUG_COUNTER_DEC(&nmacipqs); +} + +void +mac_destroy_ipq(struct ipq *ipq) +{ + + mac_ipq_label_free(ipq->ipq_label); + ipq->ipq_label = NULL; +} + +void +mac_create_inpcb_from_socket(struct socket *so, struct inpcb *inp) +{ + + MAC_PERFORM(create_inpcb_from_socket, so, so->so_label, inp, + inp->inp_label); +} + +void +mac_create_datagram_from_ipq(struct ipq *ipq, struct mbuf *datagram) +{ + struct label *label; + + label = mac_mbuf_to_label(datagram); + + MAC_PERFORM(create_datagram_from_ipq, ipq, ipq->ipq_label, + datagram, label); +} + +void +mac_create_fragment(struct mbuf *datagram, struct mbuf *fragment) +{ + struct label *datagramlabel, *fragmentlabel; + + datagramlabel = mac_mbuf_to_label(datagram); + fragmentlabel = mac_mbuf_to_label(fragment); + + MAC_PERFORM(create_fragment, datagram, datagramlabel, fragment, + fragmentlabel); +} + +void +mac_create_ipq(struct mbuf *fragment, struct ipq *ipq) +{ + struct label *label; + + label = mac_mbuf_to_label(fragment); + + MAC_PERFORM(create_ipq, fragment, label, ipq, ipq->ipq_label); +} + +void +mac_create_mbuf_from_inpcb(struct inpcb *inp, struct mbuf *m) +{ + struct label *mlabel; + + INP_LOCK_ASSERT(inp); + mlabel = mac_mbuf_to_label(m); + + MAC_PERFORM(create_mbuf_from_inpcb, inp, inp->inp_label, m, mlabel); +} + +int +mac_fragment_match(struct mbuf *fragment, struct ipq *ipq) +{ + struct label *label; + int result; + + label = mac_mbuf_to_label(fragment); + + result = 1; + MAC_BOOLEAN(fragment_match, &&, fragment, label, ipq, + ipq->ipq_label); + + return (result); +} + +void +mac_reflect_mbuf_icmp(struct mbuf *m) +{ + struct label *label; + + label = mac_mbuf_to_label(m); + + MAC_PERFORM(reflect_mbuf_icmp, m, label); +} +void +mac_reflect_mbuf_tcp(struct mbuf *m) +{ + struct label *label; + + label = mac_mbuf_to_label(m); + + MAC_PERFORM(reflect_mbuf_tcp, m, label); +} + +void +mac_update_ipq(struct mbuf *fragment, struct ipq *ipq) +{ + struct label *label; + + label = mac_mbuf_to_label(fragment); + + MAC_PERFORM(update_ipq, fragment, label, ipq, ipq->ipq_label); +} + +int +mac_check_inpcb_deliver(struct inpcb *inp, struct mbuf *m) +{ + struct label *label; + int error; + + M_ASSERTPKTHDR(m); + + if (!mac_enforce_socket) + return (0); + + label = mac_mbuf_to_label(m); + + MAC_CHECK(check_inpcb_deliver, inp, inp->inp_label, m, label); + + return (error); +} + +void +mac_inpcb_sosetlabel(struct socket *so, struct inpcb *inp) +{ + + /* XXX: assert socket lock. */ + INP_LOCK_ASSERT(inp); + MAC_PERFORM(inpcb_sosetlabel, so, so->so_label, inp, inp->inp_label); +} |