authorrwatson <rwatson@FreeBSD.org>2003-11-16 23:31:45 +0000
committerrwatson <rwatson@FreeBSD.org>2003-11-16 23:31:45 +0000
commit7aa5c2497a67b36cc05ec3c76dca0423b69c9400 (patch)
treefede3115e7ef270fd4883e1c4206febe55c2efa7 /sys/security/mac/mac_internal.h
parent44e24b4739d0c28d3ffa69afb7e63d3229969a27 (diff)
Implement sockets support for __mac_get_fd() and __mac_set_fd()
system calls, and prefer these calls over getsockopt()/setsockopt() for ABI reasons. When addressing UNIX domain sockets, these calls retrieve and modify the socket label, not the label of the rendezvous vnode. - Create mac_copy_socket_label() entry point based on mac_copy_pipe_label() entry point, intended to copy the socket label into temporary storage that doesn't require a socket lock to be held (currently Giant). - Implement mac_copy_socket_label() for various policies. - Expose socket label allocation, free, internalize, externalize entry points as non-static from mac_net.c. - Use mac_socket_label_set() in __mac_set_fd(). MAC-aware applications may now use mac_get_fd(), mac_set_fd(), and mac_get_peer() to retrieve and set various socket labels without directly invoking the getsockopt() interface. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
Diffstat (limited to 'sys/security/mac/mac_internal.h')
-rw-r--r--sys/security/mac/mac_internal.h6
1 files changed, 6 insertions, 0 deletions
diff --git a/sys/security/mac/mac_internal.h b/sys/security/mac/mac_internal.h
index b6983e3..b214528 100644
--- a/sys/security/mac/mac_internal.h
+++ b/sys/security/mac/mac_internal.h
@@ -109,6 +109,8 @@ int mac_allocate_slot(void);
*/
struct label *mac_pipe_label_alloc(void);
void mac_pipe_label_free(struct label *label);
+struct label *mac_socket_label_alloc(int flag);
+void mac_socket_label_free(struct label *label);
int mac_check_cred_relabel(struct ucred *cred, struct label *newlabel);
int mac_externalize_cred_label(struct label *label, char *elements,
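Review bot: `mac_socket_label_alloc(int flag)` is exported without any comment saying what `flag` means, while the neighbouring `mac_pipe_label_alloc(void)` takes no argument at all. If `flag` is an allocator wait flag (the definition in mac_net.c is not visible here), the function can presumably return NULL in the non-sleeping case, and every new caller outside mac_net.c has to check for that before using or freeing the label. Once confirmed against the definition, I would add a comment above the prototype such as `/* flag: allocator wait flag; returns NULL if allocation fails when the caller cannot sleep. */`.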
@@ -123,6 +125,10 @@ int mac_internalize_pipe_label(struct label *label, char *string);
int mac_socket_label_set(struct ucred *cred, struct socket *so,
struct label *label);
+void mac_copy_socket_label(struct label *src, struct label *dest);
+int mac_externalize_socket_label(struct label *label, char *elements,
+ char *outbuf, size_t outbuflen);
+int mac_internalize_socket_label(struct label *label, char *string);
int mac_externalize_vnode_label(struct label *label, char *elements,
char *outbuf, size_t outbuflen);
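Review bot: `mac_copy_socket_label()` is declared with no statement of its locking contract, although the commit message says it exists to copy the label into temporary storage that does not require the socket lock. A comment next to the prototype should say which side needs protection, for example `/* src: the socket's label, read under the socket lock (currently Giant); dest: caller-private temporary label. */`. Separately, `mac_internalize_socket_label()` takes `char *string` with no length, so now that it is non-static and used on the `__mac_set_fd()` path it depends on each caller passing a NUL-terminated kernel copy of the user-supplied string. That precondition, and the fact that `outbuflen` bounds all writes to `outbuf` in the externalize call, are worth stating in the header.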