diff options
author | rwatson <rwatson@FreeBSD.org> | 2005-04-16 18:46:29 +0000 |
---|---|---|
committer | rwatson <rwatson@FreeBSD.org> | 2005-04-16 18:46:29 +0000 |
commit | 155bfd878978f99010445371b93e58a81456db93 (patch) | |
tree | c3e19716c1afb3af8444e481993e054ecb22006b /sys/security | |
parent | 7abff596b298a9f0dbd3afb63911b0e93ad3db39 (diff) | |
download | FreeBSD-src-155bfd878978f99010445371b93e58a81456db93.zip FreeBSD-src-155bfd878978f99010445371b93e58a81456db93.tar.gz |
Introduce three additional MAC Framework and MAC Policy entry points to
control socket poll() (select()), fstat(), and accept() operations,
required for some policies:
poll() mac_check_socket_poll()
fstat() mac_check_socket_stat()
accept() mac_check_socket_accept()
Update mac_stub and mac_test policies to be aware of these entry points.
While here, add missing entry point implementations for:
mac_stub.c stub_check_socket_receive()
mac_stub.c stub_check_socket_send()
mac_test.c mac_test_check_socket_send()
mac_test.c mac_test_check_socket_visible()
Obtained from: TrustedBSD Project
Sponsored by: SPAWAR, SPARTA
Diffstat (limited to 'sys/security')
-rw-r--r-- | sys/security/mac/mac_framework.h | 6 | ||||
-rw-r--r-- | sys/security/mac/mac_policy.h | 8 | ||||
-rw-r--r-- | sys/security/mac/mac_socket.c | 54 | ||||
-rw-r--r-- | sys/security/mac_stub/mac_stub.c | 44 | ||||
-rw-r--r-- | sys/security/mac_test/mac_test.c | 62 |
5 files changed, 166 insertions, 8 deletions
diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h index 3e6e53e..f72733d 100644 --- a/sys/security/mac/mac_framework.h +++ b/sys/security/mac/mac_framework.h @@ -1,6 +1,6 @@ /*- * Copyright (c) 1999-2002 Robert N. M. Watson - * Copyright (c) 2001-2003 Networks Associates Technology, Inc. + * Copyright (c) 2001-2005 Networks Associates Technology, Inc. * All rights reserved. * * This software was developed by Robert Watson for the TrustedBSD Project. @@ -39,6 +39,7 @@ * The POSIX.1e implementation page may be reached at: * http://www.trustedbsd.org/ */ + #ifndef _SYS_MAC_H_ #define _SYS_MAC_H_ @@ -350,14 +351,17 @@ int mac_check_proc_setresgid(struct proc *proc, struct ucred *cred, gid_t rgid, gid_t egid, gid_t sgid); int mac_check_proc_signal(struct ucred *cred, struct proc *proc, int signum); +int mac_check_socket_accept(struct ucred *cred, struct socket *so); int mac_check_socket_bind(struct ucred *cred, struct socket *so, struct sockaddr *sockaddr); int mac_check_socket_connect(struct ucred *cred, struct socket *so, struct sockaddr *sockaddr); int mac_check_socket_deliver(struct socket *so, struct mbuf *m); int mac_check_socket_listen(struct ucred *cred, struct socket *so); +int mac_check_socket_poll(struct ucred *cred, struct socket *so); int mac_check_socket_receive(struct ucred *cred, struct socket *so); int mac_check_socket_send(struct ucred *cred, struct socket *so); +int mac_check_socket_stat(struct ucred *cred, struct socket *so); int mac_check_socket_visible(struct ucred *cred, struct socket *so); int mac_check_sysarch_ioperm(struct ucred *cred); int mac_check_system_acct(struct ucred *cred, struct vnode *vp); diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h index 910690a..402d622 100644 --- a/sys/security/mac/mac_policy.h +++ b/sys/security/mac/mac_policy.h @@ -1,6 +1,6 @@ /*- * Copyright (c) 1999-2002 Robert N. M. Watson - * Copyright (c) 2001-2004 Networks Associates Technology, Inc. + * Copyright (c) 2001-2005 Networks Associates Technology, Inc. * All rights reserved. * * This software was developed by Robert Watson for the TrustedBSD Project. @@ -424,6 +424,8 @@ struct mac_policy_ops { gid_t egid, gid_t sgid); int (*mpo_check_proc_signal)(struct ucred *cred, struct proc *proc, int signum); + int (*mpo_check_socket_accept)(struct ucred *cred, + struct socket *so, struct label *socketlabel); int (*mpo_check_socket_bind)(struct ucred *cred, struct socket *so, struct label *socketlabel, struct sockaddr *sockaddr); @@ -435,6 +437,8 @@ struct mac_policy_ops { struct label *mbuflabel); int (*mpo_check_socket_listen)(struct ucred *cred, struct socket *so, struct label *socketlabel); + int (*mpo_check_socket_poll)(struct ucred *cred, + struct socket *so, struct label *socketlabel); int (*mpo_check_socket_receive)(struct ucred *cred, struct socket *so, struct label *socketlabel); int (*mpo_check_socket_relabel)(struct ucred *cred, @@ -442,6 +446,8 @@ struct mac_policy_ops { struct label *newlabel); int (*mpo_check_socket_send)(struct ucred *cred, struct socket *so, struct label *socketlabel); + int (*mpo_check_socket_stat)(struct ucred *cred, + struct socket *so, struct label *socketlabel); int (*mpo_check_socket_visible)(struct ucred *cred, struct socket *so, struct label *socketlabel); int (*mpo_check_sysarch_ioperm)(struct ucred *cred); diff --git a/sys/security/mac/mac_socket.c b/sys/security/mac/mac_socket.c index 7b48f79..d797643 100644 --- a/sys/security/mac/mac_socket.c +++ b/sys/security/mac/mac_socket.c @@ -1,16 +1,16 @@ /*- * Copyright (c) 1999-2002 Robert N. M. Watson * Copyright (c) 2001 Ilmar S. Habibulin - * Copyright (c) 2001-2004 Networks Associates Technology, Inc. + * Copyright (c) 2001-2005 Networks Associates Technology, Inc. * All rights reserved. * * This software was developed by Robert Watson and Ilmar Habibulin for the * TrustedBSD Project. * - * This software was developed for the FreeBSD Project in part by Network - * Associates Laboratories, the Security Research Division of Network - * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), - * as part of the DARPA CHATS research program. + * This software was developed for the FreeBSD Project in part by McAfee + * Research, the Technology Research Division of Network Associates, Inc. + * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the + * DARPA CHATS research program. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -273,6 +273,21 @@ mac_create_mbuf_from_socket(struct socket *socket, struct mbuf *mbuf) } int +mac_check_socket_accept(struct ucred *cred, struct socket *socket) +{ + int error; + + SOCK_LOCK_ASSERT(socket); + + if (!mac_enforce_socket) + return (0); + + MAC_CHECK(check_socket_accept, cred, socket, socket->so_label); + + return (error); +} + +int mac_check_socket_bind(struct ucred *ucred, struct socket *socket, struct sockaddr *sockaddr) { @@ -340,6 +355,20 @@ mac_check_socket_listen(struct ucred *cred, struct socket *socket) } int +mac_check_socket_poll(struct ucred *cred, struct socket *so) +{ + int error; + + SOCK_LOCK_ASSERT(so); + + if (!mac_enforce_socket) + return (0); + + MAC_CHECK(check_socket_poll, cred, so, so->so_label); + return (error); +} + +int mac_check_socket_receive(struct ucred *cred, struct socket *so) { int error; @@ -384,6 +413,21 @@ mac_check_socket_send(struct ucred *cred, struct socket *so) } int +mac_check_socket_stat(struct ucred *cred, struct socket *so) +{ + int error; + + SOCK_LOCK_ASSERT(so); + + if (!mac_enforce_socket) + return (0); + + MAC_CHECK(check_socket_stat, cred, so, so->so_label); + + return (error); +} + +int mac_check_socket_visible(struct ucred *cred, struct socket *socket) { int error; diff --git a/sys/security/mac_stub/mac_stub.c b/sys/security/mac_stub/mac_stub.c index cc93edf..9a7f567 100644 --- a/sys/security/mac_stub/mac_stub.c +++ b/sys/security/mac_stub/mac_stub.c @@ -908,6 +908,14 @@ stub_check_proc_setresgid(struct ucred *cred, gid_t rgid, gid_t egid, } static int +stub_check_socket_accept(struct ucred *cred, struct socket *socket, + struct label *socketlabel) +{ + + return (0); +} + +static int stub_check_socket_bind(struct ucred *cred, struct socket *socket, struct label *socketlabel, struct sockaddr *sockaddr) { @@ -940,12 +948,43 @@ stub_check_socket_listen(struct ucred *cred, struct socket *so, } static int +stub_check_socket_poll(struct ucred *cred, struct socket *so, + struct label *socketlabel) +{ + + return (0); +} + +static int +stub_check_socket_receive(struct ucred *cred, struct socket *so, + struct label *socketlabel) +{ + + return (0); +} + +static int stub_check_socket_relabel(struct ucred *cred, struct socket *socket, struct label *socketlabel, struct label *newlabel) { return (0); } +static int +stub_check_socket_send(struct ucred *cred, struct socket *so, + struct label *socketlabel) +{ + + return (0); +} + +static int +stub_check_socket_stat(struct ucred *cred, struct socket *so, + struct label *socketlabel) +{ + + return (0); +} static int stub_check_socket_visible(struct ucred *cred, struct socket *socket, @@ -1417,11 +1456,16 @@ static struct mac_policy_ops mac_stub_ops = .mpo_check_proc_setresuid = stub_check_proc_setresuid, .mpo_check_proc_setresgid = stub_check_proc_setresgid, .mpo_check_proc_signal = stub_check_proc_signal, + .mpo_check_socket_accept = stub_check_socket_accept, .mpo_check_socket_bind = stub_check_socket_bind, .mpo_check_socket_connect = stub_check_socket_connect, .mpo_check_socket_deliver = stub_check_socket_deliver, .mpo_check_socket_listen = stub_check_socket_listen, + .mpo_check_socket_poll = stub_check_socket_poll, + .mpo_check_socket_receive = stub_check_socket_receive, .mpo_check_socket_relabel = stub_check_socket_relabel, + .mpo_check_socket_send = stub_check_socket_send, + .mpo_check_socket_stat = stub_check_socket_stat, .mpo_check_socket_visible = stub_check_socket_visible, .mpo_check_sysarch_ioperm = stub_check_sysarch_ioperm, .mpo_check_system_acct = stub_check_system_acct, diff --git a/sys/security/mac_test/mac_test.c b/sys/security/mac_test/mac_test.c index 4c77874..1ce97a3 100644 --- a/sys/security/mac_test/mac_test.c +++ b/sys/security/mac_test/mac_test.c @@ -1791,6 +1791,17 @@ mac_test_check_proc_setresgid(struct ucred *cred, gid_t rgid, gid_t egid, } static int +mac_test_check_socket_accept(struct ucred *cred, struct socket *socket, + struct label *socketlabel) +{ + + ASSERT_CRED_LABEL(cred->cr_label); + ASSERT_SOCKET_LABEL(socketlabel); + + return (0); +} + +static int mac_test_check_socket_bind(struct ucred *cred, struct socket *socket, struct label *socketlabel, struct sockaddr *sockaddr) { @@ -1835,7 +1846,18 @@ mac_test_check_socket_listen(struct ucred *cred, struct socket *socket, } static int -mac_test_check_socket_visible(struct ucred *cred, struct socket *socket, +mac_test_check_socket_poll(struct ucred *cred, struct socket *socket, + struct label *socketlabel) +{ + + ASSERT_CRED_LABEL(cred->cr_label); + ASSERT_SOCKET_LABEL(socketlabel); + + return (0); +} + +static int +mac_test_check_socket_receive(struct ucred *cred, struct socket *socket, struct label *socketlabel) { @@ -1858,6 +1880,39 @@ mac_test_check_socket_relabel(struct ucred *cred, struct socket *socket, } static int +mac_test_check_socket_send(struct ucred *cred, struct socket *socket, + struct label *socketlabel) +{ + + ASSERT_CRED_LABEL(cred->cr_label); + ASSERT_SOCKET_LABEL(socketlabel); + + return (0); +} + +static int +mac_test_check_socket_stat(struct ucred *cred, struct socket *socket, + struct label *socketlabel) +{ + + ASSERT_CRED_LABEL(cred->cr_label); + ASSERT_SOCKET_LABEL(socketlabel); + + return (0); +} + +static int +mac_test_check_socket_visible(struct ucred *cred, struct socket *socket, + struct label *socketlabel) +{ + + ASSERT_CRED_LABEL(cred->cr_label); + ASSERT_SOCKET_LABEL(socketlabel); + + return (0); +} + +static int mac_test_check_sysarch_ioperm(struct ucred *cred) { @@ -2451,11 +2506,16 @@ static struct mac_policy_ops mac_test_ops = .mpo_check_proc_setresuid = mac_test_check_proc_setresuid, .mpo_check_proc_setresgid = mac_test_check_proc_setresgid, .mpo_check_proc_signal = mac_test_check_proc_signal, + .mpo_check_socket_accept = mac_test_check_socket_accept, .mpo_check_socket_bind = mac_test_check_socket_bind, .mpo_check_socket_connect = mac_test_check_socket_connect, .mpo_check_socket_deliver = mac_test_check_socket_deliver, .mpo_check_socket_listen = mac_test_check_socket_listen, + .mpo_check_socket_poll = mac_test_check_socket_poll, + .mpo_check_socket_receive = mac_test_check_socket_receive, .mpo_check_socket_relabel = mac_test_check_socket_relabel, + .mpo_check_socket_send = mac_test_check_socket_send, + .mpo_check_socket_stat = mac_test_check_socket_stat, .mpo_check_socket_visible = mac_test_check_socket_visible, .mpo_check_sysarch_ioperm = mac_test_check_sysarch_ioperm, .mpo_check_system_acct = mac_test_check_system_acct, |