-rw-r--r-- | sys/security/mac/mac_framework.h | 119 | ||||
-rw-r--r-- | sys/security/mac/mac_inet.c | 44 | ||||
-rw-r--r-- | sys/security/mac/mac_net.c | 134 | ||||
-rw-r--r-- | sys/security/mac/mac_pipe.c | 2 | ||||
-rw-r--r-- | sys/security/mac/mac_policy.h | 286 | ||||
-rw-r--r-- | sys/security/mac/mac_process.c | 75 | ||||
-rw-r--r-- | sys/security/mac/mac_socket.c | 117 | ||||
-rw-r--r-- | sys/security/mac/mac_system.c | 2 |
8 files changed, 384 insertions, 395 deletions
diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h index 98b04c0..64b4b90 100644 --- a/sys/security/mac/mac_framework.h +++ b/sys/security/mac/mac_framework.h @@ -93,23 +93,23 @@ void mac_init_bpfdesc(struct bpf_d *); void mac_init_cred(struct ucred *); void mac_init_devfsdirent(struct devfs_dirent *); void mac_init_ifnet(struct ifnet *); -int mac_init_inpcb(struct inpcb *, int flag); +int mac_init_inpcb(struct inpcb *, int); void mac_init_sysv_msgmsg(struct msg *); -void mac_init_sysv_msgqueue(struct msqid_kernel*); -void mac_init_sysv_sem(struct semid_kernel*); -void mac_init_sysv_shm(struct shmid_kernel*); -int mac_init_ipq(struct ipq *, int flag); -int mac_init_socket(struct socket *, int flag); +void mac_init_sysv_msgqueue(struct msqid_kernel *); +void mac_init_sysv_sem(struct semid_kernel *); +void mac_init_sysv_shm(struct shmid_kernel *); +int mac_init_ipq(struct ipq *, int); +int mac_init_socket(struct socket *, int); void mac_init_pipe(struct pipepair *); void mac_init_posix_sem(struct ksem *); -int mac_init_mbuf(struct mbuf *mbuf, int flag); -int mac_init_mbuf_tag(struct m_tag *, int flag); +int mac_init_mbuf(struct mbuf *, int); +int mac_init_mbuf_tag(struct m_tag *, int); void mac_init_mount(struct mount *); void mac_init_proc(struct proc *); void mac_init_vnode(struct vnode *); -void mac_copy_mbuf(struct mbuf *m_from, struct mbuf *m_to); +void mac_copy_mbuf(struct mbuf *, struct mbuf *); void mac_copy_mbuf_tag(struct m_tag *, struct m_tag *); -void mac_copy_vnode_label(struct label *, struct label *label); +void mac_copy_vnode_label(struct label *, struct label *); void mac_destroy_bpfdesc(struct bpf_d *); void mac_destroy_cred(struct ucred *); void mac_destroy_devfsdirent(struct devfs_dirent *); 
@@ -129,9 +129,9 @@ void mac_destroy_mount(struct mount *); void mac_destroy_vnode(struct vnode *); struct label *mac_cred_label_alloc(void); -void mac_cred_label_free(struct label *label); +void mac_cred_label_free(struct label *); struct label *mac_vnode_label_alloc(void); -void mac_vnode_label_free(struct label *label); +void mac_vnode_label_free(struct label *); /* * Labeling event operations: file system objects, and things that look a lot @@ -159,13 +159,12 @@ void mac_update_devfsdirent(struct mount *mp, struct devfs_dirent *de, * Labeling event operations: IPC objects. */ void mac_create_mbuf_from_socket(struct socket *so, struct mbuf *m); -void mac_create_socket(struct ucred *cred, struct socket *socket); -void mac_create_socket_from_socket(struct socket *oldsocket, - struct socket *newsocket); -void mac_set_socket_peer_from_mbuf(struct mbuf *mbuf, - struct socket *socket); -void mac_set_socket_peer_from_socket(struct socket *oldsocket, - struct socket *newsocket); +void mac_create_socket(struct ucred *cred, struct socket *so); +void mac_create_socket_from_socket(struct socket *oldso, + struct socket *newso); +void mac_set_socket_peer_from_mbuf(struct mbuf *m, struct socket *so); +void mac_set_socket_peer_from_socket(struct socket *oldso, + struct socket *newso); void mac_create_pipe(struct ucred *cred, struct pipepair *pp); /* 
@@ -188,29 +187,29 @@ void mac_create_posix_sem(struct ucred *cred, struct ksem *ksemptr); /* * Labeling event operations: network objects. */ -void mac_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d); +void mac_create_bpfdesc(struct ucred *cred, struct bpf_d *d); void mac_create_ifnet(struct ifnet *ifp); void mac_create_inpcb_from_socket(struct socket *so, struct inpcb *inp); -void mac_create_ipq(struct mbuf *fragment, struct ipq *ipq); -void mac_create_datagram_from_ipq(struct ipq *ipq, struct mbuf *datagram); -void mac_create_fragment(struct mbuf *datagram, struct mbuf *fragment); +void mac_create_ipq(struct mbuf *m, struct ipq *ipq); +void mac_create_datagram_from_ipq(struct ipq *ipq, struct mbuf *m); +void mac_create_fragment(struct mbuf *m, struct mbuf *frag); void mac_create_mbuf_from_inpcb(struct inpcb *inp, struct mbuf *m); -void mac_create_mbuf_linklayer(struct ifnet *ifnet, struct mbuf *m); -void mac_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct mbuf *m); -void mac_create_mbuf_from_ifnet(struct ifnet *ifnet, struct mbuf *m); -void mac_create_mbuf_multicast_encap(struct mbuf *oldmbuf, - struct ifnet *ifnet, struct mbuf *newmbuf); -void mac_create_mbuf_netlayer(struct mbuf *oldmbuf, struct mbuf *newmbuf); -int mac_fragment_match(struct mbuf *fragment, struct ipq *ipq); +void mac_create_mbuf_linklayer(struct ifnet *ifp, struct mbuf *m); +void mac_create_mbuf_from_bpfdesc(struct bpf_d *d, struct mbuf *m); +void mac_create_mbuf_from_ifnet(struct ifnet *ifp, struct mbuf *m); +void mac_create_mbuf_multicast_encap(struct mbuf *m, struct ifnet *ifp, + struct mbuf *mnew); +void mac_create_mbuf_netlayer(struct mbuf *m, struct mbuf *mnew); +int mac_fragment_match(struct mbuf *m, struct ipq *ipq); void mac_reflect_mbuf_icmp(struct mbuf *m); void mac_reflect_mbuf_tcp(struct mbuf *m); -void mac_update_ipq(struct mbuf *fragment, struct ipq *ipq); +void mac_update_ipq(struct mbuf *m, struct ipq *ipq); void mac_inpcb_sosetlabel(struct socket *so, struct 
inpcb *inp); void mac_create_mbuf_from_firewall(struct mbuf *m); -void mac_destroy_syncache(struct label **label); -int mac_init_syncache(struct label **label); -void mac_init_syncache_from_inpcb(struct label *label, struct inpcb *inp); -void mac_create_mbuf_from_syncache(struct label *sc_label, struct mbuf *m); +void mac_destroy_syncache(struct label **l); +int mac_init_syncache(struct label **l); +void mac_init_syncache_from_inpcb(struct label *l, struct inpcb *inp); +void mac_create_mbuf_from_syncache(struct label *l, struct mbuf *m); /* * Labeling event operations: processes. @@ -218,10 +217,10 @@ void mac_create_mbuf_from_syncache(struct label *sc_label, struct mbuf *m); void mac_copy_cred(struct ucred *cr1, struct ucred *cr2); int mac_execve_enter(struct image_params *imgp, struct mac *mac_p); void mac_execve_exit(struct image_params *imgp); -void mac_execve_transition(struct ucred *old, struct ucred *new, +void mac_execve_transition(struct ucred *oldcred, struct ucred *newcred, struct vnode *vp, struct label *interpvnodelabel, struct image_params *imgp); -int mac_execve_will_transition(struct ucred *old, struct vnode *vp, +int mac_execve_will_transition(struct ucred *cred, struct vnode *vp, struct label *interpvnodelabel, struct image_params *imgp); void mac_create_proc0(struct ucred *cred); void mac_create_proc1(struct ucred *cred); 
@@ -246,9 +245,9 @@ void mac_cleanup_sysv_shm(struct shmid_kernel *shmsegptr); /* * Access control checks. */ -int mac_check_bpfdesc_receive(struct bpf_d *bpf_d, struct ifnet *ifnet); -int mac_check_cred_visible(struct ucred *u1, struct ucred *u2); -int mac_check_ifnet_transmit(struct ifnet *ifnet, struct mbuf *m); +int mac_check_bpfdesc_receive(struct bpf_d *d, struct ifnet *ifp); +int mac_check_cred_visible(struct ucred *cr1, struct ucred *cr2); +int mac_check_ifnet_transmit(struct ifnet *ifp, struct mbuf *m); int mac_check_inpcb_deliver(struct inpcb *inp, struct mbuf *m); int mac_check_sysv_msgmsq(struct ucred *cred, struct msg *msgptr, struct msqid_kernel *msqkptr); 
@@ -295,38 +294,38 @@ int mac_check_posix_sem_open(struct ucred *cred, struct ksem *ksemptr); int mac_check_posix_sem_post(struct ucred *cred, struct ksem *ksemptr); int mac_check_posix_sem_unlink(struct ucred *cred, struct ksem *ksemptr); int mac_check_posix_sem_wait(struct ucred *cred, struct ksem *ksemptr); -int mac_check_proc_debug(struct ucred *cred, struct proc *proc); -int mac_check_proc_sched(struct ucred *cred, struct proc *proc); +int mac_check_proc_debug(struct ucred *cred, struct proc *p); +int mac_check_proc_sched(struct ucred *cred, struct proc *p); int mac_check_proc_setaudit(struct ucred *cred, struct auditinfo *ai); int mac_check_proc_setauid(struct ucred *cred, uid_t auid); -int mac_check_proc_setuid(struct proc *proc, struct ucred *cred, +int mac_check_proc_setuid(struct proc *p, struct ucred *cred, uid_t uid); -int mac_check_proc_seteuid(struct proc *proc, struct ucred *cred, +int mac_check_proc_seteuid(struct proc *p, struct ucred *cred, uid_t euid); -int mac_check_proc_setgid(struct proc *proc, struct ucred *cred, +int mac_check_proc_setgid(struct proc *p, struct ucred *cred, gid_t gid); -int mac_check_proc_setegid(struct proc *proc, struct ucred *cred, +int mac_check_proc_setegid(struct proc *p, struct ucred *cred, gid_t egid); -int mac_check_proc_setgroups(struct proc *proc, struct ucred *cred, +int mac_check_proc_setgroups(struct proc *p, struct ucred *cred, int ngroups, gid_t *gidset); -int mac_check_proc_setreuid(struct proc *proc, struct ucred *cred, +int mac_check_proc_setreuid(struct proc *p, struct ucred *cred, uid_t ruid, uid_t euid); -int mac_check_proc_setregid(struct proc *proc, struct ucred *cred, +int mac_check_proc_setregid(struct proc *p, struct ucred *cred, gid_t rgid, gid_t egid); -int mac_check_proc_setresuid(struct proc *proc, struct ucred *cred, +int mac_check_proc_setresuid(struct proc *p, struct ucred *cred, uid_t ruid, uid_t euid, uid_t suid); -int mac_check_proc_setresgid(struct proc *proc, struct ucred *cred, +int 
mac_check_proc_setresgid(struct proc *p, struct ucred *cred, gid_t rgid, gid_t egid, gid_t sgid); -int mac_check_proc_signal(struct ucred *cred, struct proc *proc, +int mac_check_proc_signal(struct ucred *cred, struct proc *p, int signum); -int mac_check_proc_wait(struct ucred *cred, struct proc *proc); +int mac_check_proc_wait(struct ucred *cred, struct proc *p); int mac_check_socket_accept(struct ucred *cred, struct socket *so); int mac_check_socket_bind(struct ucred *cred, struct socket *so, - struct sockaddr *sockaddr); + struct sockaddr *sa); int mac_check_socket_connect(struct ucred *cred, struct socket *so, - struct sockaddr *sockaddr); + struct sockaddr *sa); int mac_check_socket_create(struct ucred *cred, int domain, int type, - int protocol); + int proto); int mac_check_socket_deliver(struct socket *so, struct mbuf *m); int mac_check_socket_listen(struct ucred *cred, struct socket *so); int mac_check_socket_poll(struct ucred *cred, struct socket *so); @@ -367,8 +366,8 @@ int mac_check_vnode_listextattr(struct ucred *cred, struct vnode *vp, int attrnamespace); int mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, struct componentname *cnp); -int mac_check_vnode_mmap(struct ucred *cred, struct vnode *vp, - int prot, int flags); +int mac_check_vnode_mmap(struct ucred *cred, struct vnode *vp, int prot, + int flags); int mac_check_vnode_mprotect(struct ucred *cred, struct vnode *vp, int prot); int mac_check_vnode_open(struct ucred *cred, struct vnode *vp, 
@@ -405,9 +404,9 @@ int mac_getsockopt_label(struct ucred *cred, struct socket *so, int mac_getsockopt_peerlabel(struct ucred *cred, struct socket *so, struct mac *extmac); int mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr, - struct ifnet *ifnet); + struct ifnet *ifp); int mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr, - struct ifnet *ifnet); + struct ifnet *ifp); int mac_setsockopt_label(struct ucred *cred, struct socket *so, struct mac *extmac); int mac_pipe_label_set(struct ucred *cred, struct pipepair *pp, diff --git a/sys/security/mac/mac_inet.c b/sys/security/mac/mac_inet.c index b1d8df2..7704d73 100644 --- a/sys/security/mac/mac_inet.c +++ b/sys/security/mac/mac_inet.c 
@@ -163,36 +163,34 @@ mac_create_inpcb_from_socket(struct socket *so, struct inpcb *inp) } void -mac_create_datagram_from_ipq(struct ipq *ipq, struct mbuf *datagram) +mac_create_datagram_from_ipq(struct ipq *ipq, struct mbuf *m) { struct label *label; - label = mac_mbuf_to_label(datagram); + label = mac_mbuf_to_label(m); - MAC_PERFORM(create_datagram_from_ipq, ipq, ipq->ipq_label, - datagram, label); + MAC_PERFORM(create_datagram_from_ipq, ipq, ipq->ipq_label, m, label); } void -mac_create_fragment(struct mbuf *datagram, struct mbuf *fragment) +mac_create_fragment(struct mbuf *m, struct mbuf *frag) { - struct label *datagramlabel, *fragmentlabel; + struct label *mlabel, *fraglabel; - datagramlabel = mac_mbuf_to_label(datagram); - fragmentlabel = mac_mbuf_to_label(fragment); + mlabel = mac_mbuf_to_label(m); + fraglabel = mac_mbuf_to_label(frag); - MAC_PERFORM(create_fragment, datagram, datagramlabel, fragment, - fragmentlabel); + MAC_PERFORM(create_fragment, m, mlabel, frag, fraglabel); } void -mac_create_ipq(struct mbuf *fragment, struct ipq *ipq) +mac_create_ipq(struct mbuf *m, struct ipq *ipq) { struct label *label; - label = mac_mbuf_to_label(fragment); + label = mac_mbuf_to_label(m); - MAC_PERFORM(create_ipq, fragment, label, ipq, ipq->ipq_label); + MAC_PERFORM(create_ipq, m, label, ipq, ipq->ipq_label); } void @@ -207,16 +205,15 @@ mac_create_mbuf_from_inpcb(struct inpcb *inp, struct mbuf *m) } int -mac_fragment_match(struct mbuf *fragment, struct ipq *ipq) +mac_fragment_match(struct mbuf *m, struct ipq *ipq) { struct label *label; int result; - label = mac_mbuf_to_label(fragment); + label = mac_mbuf_to_label(m); result = 1; - MAC_BOOLEAN(fragment_match, &&, fragment, label, ipq, - ipq->ipq_label); + MAC_BOOLEAN(fragment_match, &&, m, label, ipq, ipq->ipq_label); return (result); } @@ -230,6 +227,7 @@ mac_reflect_mbuf_icmp(struct mbuf *m) MAC_PERFORM(reflect_mbuf_icmp, m, label); } + void mac_reflect_mbuf_tcp(struct mbuf *m) { 
@@ -241,13 +239,13 @@ mac_reflect_mbuf_tcp(struct mbuf *m) } void -mac_update_ipq(struct mbuf *fragment, struct ipq *ipq) +mac_update_ipq(struct mbuf *m, struct ipq *ipq) { struct label *label; - label = mac_mbuf_to_label(fragment); + label = mac_mbuf_to_label(m); - MAC_PERFORM(update_ipq, fragment, label, ipq, ipq->ipq_label); + MAC_PERFORM(update_ipq, m, label, ipq, ipq->ipq_label); } int @@ -331,9 +329,9 @@ mac_init_syncache_from_inpcb(struct label *label, struct inpcb *inp) void mac_create_mbuf_from_syncache(struct label *sc_label, struct mbuf *m) { - struct label *mbuf_label; + struct label *mlabel; M_ASSERTPKTHDR(m); - mbuf_label = mac_mbuf_to_label(m); - MAC_PERFORM(create_mbuf_from_syncache, sc_label, m, mbuf_label); + mlabel = mac_mbuf_to_label(m); + MAC_PERFORM(create_mbuf_from_syncache, sc_label, m, mlabel); } diff --git a/sys/security/mac/mac_net.c b/sys/security/mac/mac_net.c index 49e6664..05a0073 100644 --- a/sys/security/mac/mac_net.c +++ b/sys/security/mac/mac_net.c @@ -82,14 +82,14 @@ MTX_SYSINIT(mac_ifnet_mtx, &mac_ifnet_mtx, "mac_ifnet", MTX_DEF); * early loading. */ struct label * -mac_mbuf_to_label(struct mbuf *mbuf) +mac_mbuf_to_label(struct mbuf *m) { struct m_tag *tag; struct label *label; - if (mbuf == NULL) + if (m == NULL) return (NULL); - tag = m_tag_find(mbuf, PACKET_TAG_MACLABEL, NULL); + tag = m_tag_find(m, PACKET_TAG_MACLABEL, NULL); if (tag == NULL) return (NULL); label = (struct label *)(tag+1); @@ -107,10 +107,10 @@ mac_bpfdesc_label_alloc(void) } void -mac_init_bpfdesc(struct bpf_d *bpf_d) +mac_init_bpfdesc(struct bpf_d *d) { - bpf_d->bd_label = mac_bpfdesc_label_alloc(); + d->bd_label = mac_bpfdesc_label_alloc(); } static struct label * 
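Review bot: The definition of `mac_create_mbuf_from_syncache` in this hunk keeps the parameter name `sc_label` (and `mac_init_syncache_from_inpcb` keeps `label`), while the prototypes for the same functions in mac_framework.h are renamed to `l` in this commit, so the header and the .c file now disagree on the name of the same argument. Since the rename is the whole purpose of the change, the two should match; either apply `mac_create_mbuf_from_syncache(struct label *l, struct mbuf *m)` here or keep `sc_label` in the header, whichever the rest of the syncache API settles on. The compiler does not care about prototype parameter names, so this is purely a consistency point for readers, and the mismatch is only visible across the two files.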
@@ -185,11 +185,11 @@ mac_bpfdesc_label_free(struct label *label) } void -mac_destroy_bpfdesc(struct bpf_d *bpf_d) +mac_destroy_bpfdesc(struct bpf_d *d) { - mac_bpfdesc_label_free(bpf_d->bd_label); - bpf_d->bd_label = NULL; + mac_bpfdesc_label_free(d->bd_label); + d->bd_label = NULL; } static void 
@@ -278,123 +278,117 @@ mac_internalize_ifnet_label(struct label *label, char *string) } void -mac_create_ifnet(struct ifnet *ifnet) +mac_create_ifnet(struct ifnet *ifp) { - MAC_IFNET_LOCK(ifnet); - MAC_PERFORM(create_ifnet, ifnet, ifnet->if_label); - MAC_IFNET_UNLOCK(ifnet); + MAC_IFNET_LOCK(ifp); + MAC_PERFORM(create_ifnet, ifp, ifp->if_label); + MAC_IFNET_UNLOCK(ifp); } void -mac_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d) +mac_create_bpfdesc(struct ucred *cred, struct bpf_d *d) { - MAC_PERFORM(create_bpfdesc, cred, bpf_d, bpf_d->bd_label); + MAC_PERFORM(create_bpfdesc, cred, d, d->bd_label); } void -mac_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct mbuf *mbuf) +mac_create_mbuf_from_bpfdesc(struct bpf_d *d, struct mbuf *m) { struct label *label; - BPFD_LOCK_ASSERT(bpf_d); + BPFD_LOCK_ASSERT(d); - label = mac_mbuf_to_label(mbuf); + label = mac_mbuf_to_label(m); - MAC_PERFORM(create_mbuf_from_bpfdesc, bpf_d, bpf_d->bd_label, mbuf, - label); + MAC_PERFORM(create_mbuf_from_bpfdesc, d, d->bd_label, m, label); } void -mac_create_mbuf_linklayer(struct ifnet *ifnet, struct mbuf *mbuf) +mac_create_mbuf_linklayer(struct ifnet *ifp, struct mbuf *m) { struct label *label; - label = mac_mbuf_to_label(mbuf); + label = mac_mbuf_to_label(m); - MAC_IFNET_LOCK(ifnet); - MAC_PERFORM(create_mbuf_linklayer, ifnet, ifnet->if_label, mbuf, - label); - MAC_IFNET_UNLOCK(ifnet); + MAC_IFNET_LOCK(ifp); + MAC_PERFORM(create_mbuf_linklayer, ifp, ifp->if_label, m, label); + MAC_IFNET_UNLOCK(ifp); } void -mac_create_mbuf_from_ifnet(struct ifnet *ifnet, struct mbuf *mbuf) +mac_create_mbuf_from_ifnet(struct ifnet *ifp, struct mbuf *m) { struct label *label; - label = mac_mbuf_to_label(mbuf); + label = mac_mbuf_to_label(m); - MAC_IFNET_LOCK(ifnet); - MAC_PERFORM(create_mbuf_from_ifnet, ifnet, ifnet->if_label, mbuf, - label); - MAC_IFNET_UNLOCK(ifnet); + MAC_IFNET_LOCK(ifp); + MAC_PERFORM(create_mbuf_from_ifnet, ifp, ifp->if_label, m, label); + MAC_IFNET_UNLOCK(ifp); } void 
-mac_create_mbuf_multicast_encap(struct mbuf *oldmbuf, struct ifnet *ifnet, - struct mbuf *newmbuf) +mac_create_mbuf_multicast_encap(struct mbuf *m, struct ifnet *ifp, + struct mbuf *mnew) { - struct label *oldmbuflabel, *newmbuflabel; + struct label *mlabel, *mnewlabel; - oldmbuflabel = mac_mbuf_to_label(oldmbuf); - newmbuflabel = mac_mbuf_to_label(newmbuf); + mlabel = mac_mbuf_to_label(m); + mnewlabel = mac_mbuf_to_label(mnew); - MAC_IFNET_LOCK(ifnet); - MAC_PERFORM(create_mbuf_multicast_encap, oldmbuf, oldmbuflabel, - ifnet, ifnet->if_label, newmbuf, newmbuflabel); - MAC_IFNET_UNLOCK(ifnet); + MAC_IFNET_LOCK(ifp); + MAC_PERFORM(create_mbuf_multicast_encap, m, mlabel, ifp, + ifp->if_label, mnew, mnewlabel); + MAC_IFNET_UNLOCK(ifp); } void -mac_create_mbuf_netlayer(struct mbuf *oldmbuf, struct mbuf *newmbuf) +mac_create_mbuf_netlayer(struct mbuf *m, struct mbuf *mnew) { - struct label *oldmbuflabel, *newmbuflabel; + struct label *mlabel, *mnewlabel; - oldmbuflabel = mac_mbuf_to_label(oldmbuf); - newmbuflabel = mac_mbuf_to_label(newmbuf); + mlabel = mac_mbuf_to_label(m); + mnewlabel = mac_mbuf_to_label(mnew); - MAC_PERFORM(create_mbuf_netlayer, oldmbuf, oldmbuflabel, newmbuf, - newmbuflabel); + MAC_PERFORM(create_mbuf_netlayer, m, mlabel, mnew, mnewlabel); } int -mac_check_bpfdesc_receive(struct bpf_d *bpf_d, struct ifnet *ifnet) +mac_check_bpfdesc_receive(struct bpf_d *d, struct ifnet *ifp) { int error; - BPFD_LOCK_ASSERT(bpf_d); + BPFD_LOCK_ASSERT(d); - MAC_IFNET_LOCK(ifnet); - MAC_CHECK(check_bpfdesc_receive, bpf_d, bpf_d->bd_label, ifnet, - ifnet->if_label); - MAC_IFNET_UNLOCK(ifnet); + MAC_IFNET_LOCK(ifp); + MAC_CHECK(check_bpfdesc_receive, d, d->bd_label, ifp, ifp->if_label); + MAC_IFNET_UNLOCK(ifp); return (error); } int -mac_check_ifnet_transmit(struct ifnet *ifnet, struct mbuf *mbuf) +mac_check_ifnet_transmit(struct ifnet *ifp, struct mbuf *m) { struct label *label; int error; - M_ASSERTPKTHDR(mbuf); + M_ASSERTPKTHDR(m); - label = mac_mbuf_to_label(mbuf); 
+ label = mac_mbuf_to_label(m); - MAC_IFNET_LOCK(ifnet); - MAC_CHECK(check_ifnet_transmit, ifnet, ifnet->if_label, mbuf, - label); - MAC_IFNET_UNLOCK(ifnet); + MAC_IFNET_LOCK(ifp); + MAC_CHECK(check_ifnet_transmit, ifp, ifp->if_label, m, label); + MAC_IFNET_UNLOCK(ifp); return (error); } int mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr, - struct ifnet *ifnet) + struct ifnet *ifp) { char *elements, *buffer; struct label *intlabel; @@ -418,9 +412,9 @@ mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr, buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO); intlabel = mac_ifnet_label_alloc(); - MAC_IFNET_LOCK(ifnet); - mac_copy_ifnet_label(ifnet->if_label, intlabel); - MAC_IFNET_UNLOCK(ifnet); + MAC_IFNET_LOCK(ifp); + mac_copy_ifnet_label(ifp->if_label, intlabel); + MAC_IFNET_UNLOCK(ifp); error = mac_externalize_ifnet_label(intlabel, elements, buffer, mac.m_buflen); mac_ifnet_label_free(intlabel); @@ -434,8 +428,7 @@ mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr, } int -mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr, - struct ifnet *ifnet) +mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr, struct ifnet *ifp) { struct label *intlabel; struct mac mac; @@ -476,17 +469,16 @@ mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr, return (error); } - MAC_IFNET_LOCK(ifnet); - MAC_CHECK(check_ifnet_relabel, cred, ifnet, ifnet->if_label, - intlabel); + MAC_IFNET_LOCK(ifp); + MAC_CHECK(check_ifnet_relabel, cred, ifp, ifp->if_label, intlabel); if (error) { - MAC_IFNET_UNLOCK(ifnet); + MAC_IFNET_UNLOCK(ifp); mac_ifnet_label_free(intlabel); return (error); } - MAC_PERFORM(relabel_ifnet, cred, ifnet, ifnet->if_label, intlabel); - MAC_IFNET_UNLOCK(ifnet); + MAC_PERFORM(relabel_ifnet, cred, ifp, ifp->if_label, intlabel); + MAC_IFNET_UNLOCK(ifp); mac_ifnet_label_free(intlabel); return (0); diff --git a/sys/security/mac/mac_pipe.c b/sys/security/mac/mac_pipe.c index 88d181e..6578517 100644 --- a/sys/security/mac/mac_pipe.c 
+++ b/sys/security/mac/mac_pipe.c @@ -1,5 +1,5 @@ /*- - * Copyright (c) 2002, 2003 Networks Associates Technology, Inc. + * Copyright (c) 2002-2003 Networks Associates Technology, Inc. * All rights reserved. * * This software was developed for the FreeBSD Project in part by Network diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h index 77d3f98..75a55bd 100644 --- a/sys/security/mac/mac_policy.h +++ b/sys/security/mac/mac_policy.h 
@@ -196,65 +196,64 @@ typedef int (*mpo_internalize_vnode_label_t)(struct label *label, * like file system objects. */ typedef void (*mpo_associate_vnode_devfs_t)(struct mount *mp, - struct label *mntlabel, struct devfs_dirent *de, + struct label *mplabel, struct devfs_dirent *de, struct label *delabel, struct vnode *vp, - struct label *vlabel); + struct label *vplabel); typedef int (*mpo_associate_vnode_extattr_t)(struct mount *mp, - struct label *mntlabel, struct vnode *vp, - struct label *vlabel); + struct label *mplabel, struct vnode *vp, + struct label *vplabel); typedef void (*mpo_associate_vnode_singlelabel_t)(struct mount *mp, - struct label *mntlabel, struct vnode *vp, - struct label *vlabel); + struct label *mplabel, struct vnode *vp, + struct label *vplabel); typedef void (*mpo_create_devfs_device_t)(struct ucred *cred, struct mount *mp, struct cdev *dev, - struct devfs_dirent *de, struct label *label); + struct devfs_dirent *de, struct label *delabel); typedef void (*mpo_create_devfs_directory_t)(struct mount *mp, char *dirname, int dirnamelen, struct devfs_dirent *de, - struct label *label); + struct label *delabel); typedef void (*mpo_create_devfs_symlink_t)(struct ucred *cred, struct mount *mp, struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de, struct label *delabel); typedef int (*mpo_create_vnode_extattr_t)(struct ucred *cred, - struct mount *mp, struct label *mntlabel, - struct vnode *dvp, struct label *dlabel, - struct vnode *vp, struct label *vlabel, + struct mount *mp, struct label *mplabel, + struct vnode *dvp, struct label *dvplabel, + struct vnode *vp, struct label *vplabel, struct componentname *cnp); typedef void (*mpo_create_mount_t)(struct ucred *cred, struct mount *mp, - struct label *mntlabel); + struct label *mplabel); typedef void (*mpo_relabel_vnode_t)(struct ucred *cred, struct vnode *vp, - struct label *vnodelabel, struct label *label); + struct label *vplabel, struct label *label); typedef int 
(*mpo_setlabel_vnode_extattr_t)(struct ucred *cred, - struct vnode *vp, struct label *vlabel, + struct vnode *vp, struct label *vplabel, struct label *intlabel); typedef void (*mpo_update_devfsdirent_t)(struct mount *mp, - struct devfs_dirent *devfs_dirent, - struct label *direntlabel, struct vnode *vp, - struct label *vnodelabel); + struct devfs_dirent *de, struct label *delabel, + struct vnode *vp, struct label *vplabel); /* * Labeling event operations: IPC objects. */ typedef void (*mpo_create_mbuf_from_socket_t)(struct socket *so, - struct label *socketlabel, struct mbuf *m, - struct label *mbuflabel); + struct label *solabel, struct mbuf *m, + struct label *mlabel); typedef void (*mpo_create_socket_t)(struct ucred *cred, struct socket *so, - struct label *socketlabel); -typedef void (*mpo_create_socket_from_socket_t)(struct socket *oldsocket, - struct label *oldsocketlabel, struct socket *newsocket, - struct label *newsocketlabel); + struct label *solabel); +typedef void (*mpo_create_socket_from_socket_t)(struct socket *oldso, + struct label *oldsolabel, struct socket *newso, + struct label *newsolabel); typedef void (*mpo_relabel_socket_t)(struct ucred *cred, struct socket *so, struct label *oldlabel, struct label *newlabel); typedef void (*mpo_relabel_pipe_t)(struct ucred *cred, struct pipepair *pp, struct label *oldlabel, struct label *newlabel); -typedef void (*mpo_set_socket_peer_from_mbuf_t)(struct mbuf *mbuf, - struct label *mbuflabel, struct socket *so, - struct label *socketpeerlabel); -typedef void (*mpo_set_socket_peer_from_socket_t)(struct socket *oldsocket, - struct label *oldsocketlabel, struct socket *newsocket, - struct label *newsocketpeerlabel); +typedef void (*mpo_set_socket_peer_from_mbuf_t)(struct mbuf *m, + struct label *mlabel, struct socket *so, + struct label *sopeerlabel); +typedef void (*mpo_set_socket_peer_from_socket_t)(struct socket *oldso, + struct label *oldsolabel, struct socket *newso, + struct label *newsopeerlabel); typedef 
void (*mpo_create_pipe_t)(struct ucred *cred, struct pipepair *pp, - struct label *pipelabel); + struct label *pplabel); /* * Labeling event operations: System V IPC primitives. 
@@ -279,53 +278,49 @@ typedef void (*mpo_create_posix_sem_t)(struct ucred *cred, * Labeling event operations: network objects. */ typedef void (*mpo_create_bpfdesc_t)(struct ucred *cred, - struct bpf_d *bpf_d, struct label *bpflabel); -typedef void (*mpo_create_ifnet_t)(struct ifnet *ifnet, - struct label *ifnetlabel); + struct bpf_d *d, struct label *dlabel); +typedef void (*mpo_create_ifnet_t)(struct ifnet *ifp, + struct label *ifplabel); typedef void (*mpo_create_inpcb_from_socket_t)(struct socket *so, struct label *solabel, struct inpcb *inp, struct label *inplabel); -typedef void (*mpo_create_ipq_t)(struct mbuf *fragment, - struct label *fragmentlabel, struct ipq *ipq, - struct label *ipqlabel); +typedef void (*mpo_create_ipq_t)(struct mbuf *m, struct label *mlabel, + struct ipq *ipq, struct label *ipqlabel); typedef void (*mpo_create_datagram_from_ipq) - (struct ipq *ipq, struct label *ipqlabel, - struct mbuf *datagram, struct label *datagramlabel); -typedef void (*mpo_create_fragment_t)(struct mbuf *datagram, - struct label *datagramlabel, struct mbuf *fragment, - struct label *fragmentlabel); + (struct ipq *ipq, struct label *ipqlabel, struct mbuf *m, + struct label *mlabel); +typedef void (*mpo_create_fragment_t)(struct mbuf *m, + struct label *mlabel, struct mbuf *frag, + struct label *fraglabel); typedef void (*mpo_create_mbuf_from_inpcb_t)(struct inpcb *inp, struct label *inplabel, struct mbuf *m, struct label *mlabel); -typedef void (*mpo_create_mbuf_linklayer_t)(struct ifnet *ifnet, - struct label *ifnetlabel, struct mbuf *mbuf, - struct label *mbuflabel); -typedef void (*mpo_create_mbuf_from_bpfdesc_t)(struct bpf_d *bpf_d, - struct label *bpflabel, struct mbuf *mbuf, - struct label *mbuflabel); -typedef void (*mpo_create_mbuf_from_ifnet_t)(struct ifnet *ifnet, - struct label *ifnetlabel, struct mbuf *mbuf, - struct label *mbuflabel); -typedef void (*mpo_create_mbuf_multicast_encap_t)(struct mbuf *oldmbuf, - struct label *oldmbuflabel, struct ifnet 
*ifnet, - struct label *ifnetlabel, struct mbuf *newmbuf, - struct label *newmbuflabel); -typedef void (*mpo_create_mbuf_netlayer_t)(struct mbuf *oldmbuf, - struct label *oldmbuflabel, struct mbuf *newmbuf, - struct label *newmbuflabel); -typedef int (*mpo_fragment_match_t)(struct mbuf *fragment, - struct label *fragmentlabel, struct ipq *ipq, - struct label *ipqlabel); +typedef void (*mpo_create_mbuf_linklayer_t)(struct ifnet *ifp, + struct label *ifplabel, struct mbuf *m, + struct label *mlabel); +typedef void (*mpo_create_mbuf_from_bpfdesc_t)(struct bpf_d *d, + struct label *dlabel, struct mbuf *m, + struct label *mlabel); +typedef void (*mpo_create_mbuf_from_ifnet_t)(struct ifnet *ifp, + struct label *ifplabel, struct mbuf *m, + struct label *mlabel); +typedef void (*mpo_create_mbuf_multicast_encap_t)(struct mbuf *m, + struct label *mlabel, struct ifnet *ifp, + struct label *ifplabel, struct mbuf *mnew, + struct label *mnewlabel); +typedef void (*mpo_create_mbuf_netlayer_t)(struct mbuf *m, + struct label *mlabel, struct mbuf *mnew, + struct label *mnewlabel); +typedef int (*mpo_fragment_match_t)(struct mbuf *m, struct label *mlabel, + struct ipq *ipq, struct label *ipqlabel); typedef void (*mpo_reflect_mbuf_icmp_t)(struct mbuf *m, struct label *mlabel); typedef void (*mpo_reflect_mbuf_tcp_t)(struct mbuf *m, struct label *mlabel); -typedef void (*mpo_relabel_ifnet_t)(struct ucred *cred, - struct ifnet *ifnet, struct label *ifnetlabel, - struct label *newlabel); -typedef void (*mpo_update_ipq_t)(struct mbuf *fragment, - struct label *fragmentlabel, struct ipq *ipq, - struct label *ipqlabel); +typedef void (*mpo_relabel_ifnet_t)(struct ucred *cred, struct ifnet *ifp, + struct label *ifplabel, struct label *newlabel); +typedef void (*mpo_update_ipq_t)(struct mbuf *m, struct label *mlabel, + struct ipq *ipq, struct label *ipqlabel); typedef void (*mpo_inpcb_sosetlabel_t)(struct socket *so, struct label *label, struct inpcb *inp, struct label *inplabel); 
@@ -337,16 +332,16 @@ typedef int (*mpo_init_syncache_label_t)(struct label *label, int flag); typedef void (*mpo_init_syncache_from_inpcb_t)(struct label *label, struct inpcb *inp); typedef void (*mpo_create_mbuf_from_syncache_t)(struct label *sc_label, - struct mbuf *m, struct label *mbuf_label); + struct mbuf *m, struct label *mlabel); /* * Labeling event operations: processes. */ typedef void (*mpo_execve_transition_t)(struct ucred *old, struct ucred *new, struct vnode *vp, - struct label *vnodelabel, struct label *interpvnodelabel, + struct label *vplabel, struct label *interpvnodelabel, struct image_params *imgp, struct label *execlabel); typedef int (*mpo_execve_will_transition_t)(struct ucred *old, - struct vnode *vp, struct label *vnodelabel, + struct vnode *vp, struct label *vplabel, struct label *interpvnodelabel, struct image_params *imgp, struct label *execlabel); typedef void (*mpo_create_proc0_t)(struct ucred *cred); 
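Review bot: `mpo_execve_transition_t` and `mpo_execve_will_transition_t` still take `struct ucred *old, struct ucred *new` in this hunk, while the corresponding `mac_execve_transition`/`mac_execve_will_transition` prototypes in mac_framework.h are renamed to `oldcred`/`newcred` and `cred` by this same commit, so the policy entry points and the framework entry points now use different names for the same credential arguments. `new` is also a C++ keyword, which would make this public policy header unusable from any C++ translation unit if one is ever added. Suggest `struct ucred *oldcred, struct ucred *newcred` for the first typedef and `struct ucred *cred` for the second, matching the framework header.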
@@ -358,19 +353,19 @@ typedef void (*mpo_thread_userret_t)(struct thread *thread); /* * Access control checks. */ -typedef int (*mpo_check_bpfdesc_receive_t)(struct bpf_d *bpf_d, - struct label *bpflabel, struct ifnet *ifnet, - struct label *ifnetlabel); +typedef int (*mpo_check_bpfdesc_receive_t)(struct bpf_d *d, + struct label *dlabel, struct ifnet *ifp, + struct label *ifplabel); typedef int (*mpo_check_cred_relabel_t)(struct ucred *cred, struct label *newlabel); -typedef int (*mpo_check_cred_visible_t)(struct ucred *u1, - struct ucred *u2); +typedef int (*mpo_check_cred_visible_t)(struct ucred *cr1, + struct ucred *cr2); typedef int (*mpo_check_ifnet_relabel_t)(struct ucred *cred, - struct ifnet *ifnet, struct label *ifnetlabel, + struct ifnet *ifp, struct label *ifplabel, struct label *newlabel); -typedef int (*mpo_check_ifnet_transmit_t)(struct ifnet *ifnet, - struct label *ifnetlabel, struct mbuf *m, - struct label *mbuflabel); +typedef int (*mpo_check_ifnet_transmit_t)(struct ifnet *ifp, + struct label *ifplabel, struct mbuf *m, + struct label *mlabel); typedef int (*mpo_check_inpcb_deliver_t)(struct inpcb *inp, struct label *inplabel, struct mbuf *m, struct label *mlabel); 
@@ -416,27 +411,27 @@ typedef int (*mpo_check_kenv_set_t)(struct ucred *cred, char *name, char *value); typedef int (*mpo_check_kenv_unset_t)(struct ucred *cred, char *name); typedef int (*mpo_check_kld_load_t)(struct ucred *cred, struct vnode *vp, - struct label *vlabel); + struct label *vplabel); typedef int (*mpo_check_kld_stat_t)(struct ucred *cred); typedef int (*mpo_mpo_placeholder19_t)(void); typedef int (*mpo_mpo_placeholder20_t)(void); typedef int (*mpo_check_mount_stat_t)(struct ucred *cred, - struct mount *mp, struct label *mntlabel); + struct mount *mp, struct label *mplabel); typedef int (*mpo_mpo_placeholder21_t)(void); typedef int (*mpo_check_pipe_ioctl_t)(struct ucred *cred, - struct pipepair *pp, struct label *pipelabel, + struct pipepair *pp, struct label *pplabel, unsigned long cmd, void *data); typedef int (*mpo_check_pipe_poll_t)(struct ucred *cred, - struct pipepair *pp, struct label *pipelabel); + struct pipepair *pp, struct label *pplabel); typedef int (*mpo_check_pipe_read_t)(struct ucred *cred, - struct pipepair *pp, struct label *pipelabel); + struct pipepair *pp, struct label *pplabel); typedef int (*mpo_check_pipe_relabel_t)(struct ucred *cred, - struct pipepair *pp, struct label *pipelabel, + struct pipepair *pp, struct label *pplabel, struct label *newlabel); typedef int (*mpo_check_pipe_stat_t)(struct ucred *cred, - struct pipepair *pp, struct label *pipelabel); + struct pipepair *pp, struct label *pplabel); typedef int (*mpo_check_pipe_write_t)(struct ucred *cred, - struct pipepair *pp, struct label *pipelabel); + struct pipepair *pp, struct label *pplabel); typedef int (*mpo_check_posix_sem_destroy_t)(struct ucred *cred, struct ksem *ksemptr, struct label *ks_label); typedef int (*mpo_check_posix_sem_getvalue_t)(struct ucred *cred, 
@@ -450,9 +445,9 @@ typedef int (*mpo_check_posix_sem_unlink_t)(struct ucred *cred, typedef int (*mpo_check_posix_sem_wait_t)(struct ucred *cred, struct ksem *ksemptr, struct label *ks_label); typedef int (*mpo_check_proc_debug_t)(struct ucred *cred, - struct proc *proc); + struct proc *p); typedef int (*mpo_check_proc_sched_t)(struct ucred *cred, - struct proc *proc); + struct proc *p); typedef int (*mpo_check_proc_setaudit_t)(struct ucred *cred, struct auditinfo *ai); typedef int (*mpo_check_proc_setauid_t)(struct ucred *cred, uid_t auid); 
@@ -475,35 +470,35 @@ typedef int (*mpo_check_proc_signal_t)(struct ucred *cred, typedef int (*mpo_check_proc_wait_t)(struct ucred *cred, struct proc *proc); typedef int (*mpo_check_socket_accept_t)(struct ucred *cred, - struct socket *so, struct label *socketlabel); + struct socket *so, struct label *solabel); typedef int (*mpo_check_socket_bind_t)(struct ucred *cred, - struct socket *so, struct label *socketlabel, - struct sockaddr *sockaddr); + struct socket *so, struct label *solabel, + struct sockaddr *sa); typedef int (*mpo_check_socket_connect_t)(struct ucred *cred, - struct socket *so, struct label *socketlabel, - struct sockaddr *sockaddr); + struct socket *so, struct label *solabel, + struct sockaddr *sa); typedef int (*mpo_check_socket_create_t)(struct ucred *cred, int domain, int type, int protocol); typedef int (*mpo_check_socket_deliver_t)(struct socket *so, - struct label *socketlabel, struct mbuf *m, - struct label *mbuflabel); + struct label *solabel, struct mbuf *m, + struct label *mlabel); typedef int (*mpo_check_socket_listen_t)(struct ucred *cred, - struct socket *so, struct label *socketlabel); + struct socket *so, struct label *solabel); typedef int (*mpo_check_socket_poll_t)(struct ucred *cred, - struct socket *so, struct label *socketlabel); + struct socket *so, struct label *solabel); typedef int (*mpo_check_socket_receive_t)(struct ucred *cred, - struct socket *so, struct label *socketlabel); + struct socket *so, struct label *solabel); typedef int (*mpo_check_socket_relabel_t)(struct ucred *cred, - struct socket *so, struct label *socketlabel, + struct socket *so, struct label *solabel, struct label *newlabel); typedef int (*mpo_check_socket_send_t)(struct ucred *cred, - struct socket *so, struct label *socketlabel); + struct socket *so, struct label *solabel); typedef int (*mpo_check_socket_stat_t)(struct ucred *cred, - struct socket *so, struct label *socketlabel); + struct socket *so, struct label *solabel); typedef int 
(*mpo_check_socket_visible_t)(struct ucred *cred, - struct socket *so, struct label *socketlabel); + struct socket *so, struct label *solabel); typedef int (*mpo_check_system_acct_t)(struct ucred *cred, - struct vnode *vp, struct label *vlabel); + struct vnode *vp, struct label *vplabel); typedef int (*mpo_check_system_audit_t)(struct ucred *cred, void *record, int length); typedef int (*mpo_check_system_auditctl_t)(struct ucred *cred, 
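Review bot: `mpo_check_proc_wait_t` at the top of this hunk still declares `struct proc *proc` as an unchanged context line, while the -450 hunk above renamed the sibling `proc` parameters to `p` and mac_process.c in this same commit renames `mac_check_proc_wait` to take `struct proc *p`; `struct proc *p);` would finish the rename. The same hunk leaves `mpo_check_socket_create_t` with `int protocol` although the mac_socket.c implementation now calls that parameter `proto`, and in the -511 hunk that follows, `mpo_check_vnode_mmap_t` is the one vnode check still declaring `struct label *label` where every neighbour became `vplabel`. Since mac_policy.h is the interface policy modules implement against, these leftovers are what module authors will copy from, so sweeping them here keeps the header self-consistent.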
@@ -511,101 +506,104 @@ typedef int (*mpo_check_system_auditctl_t)(struct ucred *cred, typedef int (*mpo_check_system_auditon_t)(struct ucred *cred, int cmd); typedef int (*mpo_check_system_reboot_t)(struct ucred *cred, int howto); typedef int (*mpo_check_system_swapon_t)(struct ucred *cred, - struct vnode *vp, struct label *label); + struct vnode *vp, struct label *vplabel); typedef int (*mpo_check_system_swapoff_t)(struct ucred *cred, - struct vnode *vp, struct label *label); + struct vnode *vp, struct label *vplabel); typedef int (*mpo_check_system_sysctl_t)(struct ucred *cred, struct sysctl_oid *oidp, void *arg1, int arg2, struct sysctl_req *req); typedef int (*mpo_check_vnode_access_t)(struct ucred *cred, - struct vnode *vp, struct label *label, int acc_mode); + struct vnode *vp, struct label *vplabel, int acc_mode); typedef int (*mpo_check_vnode_chdir_t)(struct ucred *cred, - struct vnode *dvp, struct label *dlabel); + struct vnode *dvp, struct label *dvplabel); typedef int (*mpo_check_vnode_chroot_t)(struct ucred *cred, - struct vnode *dvp, struct label *dlabel); + struct vnode *dvp, struct label *dvplabel); typedef int (*mpo_check_vnode_create_t)(struct ucred *cred, - struct vnode *dvp, struct label *dlabel, + struct vnode *dvp, struct label *dvplabel, struct componentname *cnp, struct vattr *vap); typedef int (*mpo_check_vnode_delete_t)(struct ucred *cred, - struct vnode *dvp, struct label *dlabel, - struct vnode *vp, struct label *label, + struct vnode *dvp, struct label *dvplabel, + struct vnode *vp, struct label *vplabel, struct componentname *cnp); typedef int (*mpo_check_vnode_deleteacl_t)(struct ucred *cred, - struct vnode *vp, struct label *label, acl_type_t type); + struct vnode *vp, struct label *vplabel, + acl_type_t type); typedef int (*mpo_check_vnode_deleteextattr_t)(struct ucred *cred, - struct vnode *vp, struct label *label, int attrnamespace, - const char *name); + struct vnode *vp, struct label *vplabel, + int attrnamespace, const char 
*name); typedef int (*mpo_check_vnode_exec_t)(struct ucred *cred, - struct vnode *vp, struct label *label, + struct vnode *vp, struct label *vplabel, struct image_params *imgp, struct label *execlabel); typedef int (*mpo_check_vnode_getacl_t)(struct ucred *cred, - struct vnode *vp, struct label *label, acl_type_t type); + struct vnode *vp, struct label *vplabel, + acl_type_t type); typedef int (*mpo_check_vnode_getextattr_t)(struct ucred *cred, - struct vnode *vp, struct label *label, int attrnamespace, - const char *name, struct uio *uio); + struct vnode *vp, struct label *vplabel, + int attrnamespace, const char *name, struct uio *uio); typedef int (*mpo_check_vnode_link_t)(struct ucred *cred, - struct vnode *dvp, struct label *dlabel, struct vnode *vp, - struct label *label, struct componentname *cnp); + struct vnode *dvp, struct label *dvplabel, + struct vnode *vp, struct label *vplabel, + struct componentname *cnp); typedef int (*mpo_check_vnode_listextattr_t)(struct ucred *cred, - struct vnode *vp, struct label *label, + struct vnode *vp, struct label *vplabel, int attrnamespace); typedef int (*mpo_check_vnode_lookup_t)(struct ucred *cred, - struct vnode *dvp, struct label *dlabel, + struct vnode *dvp, struct label *dvplabel, struct componentname *cnp); typedef int (*mpo_check_vnode_mmap_t)(struct ucred *cred, struct vnode *vp, struct label *label, int prot, int flags); typedef void (*mpo_check_vnode_mmap_downgrade_t)(struct ucred *cred, - struct vnode *vp, struct label *label, int *prot); + struct vnode *vp, struct label *vplabel, int *prot); typedef int (*mpo_check_vnode_mprotect_t)(struct ucred *cred, - struct vnode *vp, struct label *label, int prot); + struct vnode *vp, struct label *vplabel, int prot); typedef int (*mpo_check_vnode_open_t)(struct ucred *cred, - struct vnode *vp, struct label *label, int acc_mode); + struct vnode *vp, struct label *vplabel, int acc_mode); typedef int (*mpo_check_vnode_poll_t)(struct ucred *active_cred, struct ucred 
*file_cred, struct vnode *vp, - struct label *label); + struct label *vplabel); typedef int (*mpo_check_vnode_read_t)(struct ucred *active_cred, struct ucred *file_cred, struct vnode *vp, - struct label *label); + struct label *vplabel); typedef int (*mpo_check_vnode_readdir_t)(struct ucred *cred, - struct vnode *dvp, struct label *dlabel); + struct vnode *dvp, struct label *dvplabel); typedef int (*mpo_check_vnode_readlink_t)(struct ucred *cred, - struct vnode *vp, struct label *label); + struct vnode *vp, struct label *vplabel); typedef int (*mpo_check_vnode_relabel_t)(struct ucred *cred, - struct vnode *vp, struct label *vnodelabel, + struct vnode *vp, struct label *vplabel, struct label *newlabel); typedef int (*mpo_check_vnode_rename_from_t)(struct ucred *cred, - struct vnode *dvp, struct label *dlabel, - struct vnode *vp, struct label *label, + struct vnode *dvp, struct label *dvplabel, + struct vnode *vp, struct label *vplabel, struct componentname *cnp); typedef int (*mpo_check_vnode_rename_to_t)(struct ucred *cred, - struct vnode *dvp, struct label *dlabel, - struct vnode *vp, struct label *label, int samedir, + struct vnode *dvp, struct label *dvplabel, + struct vnode *vp, struct label *vplabel, int samedir, struct componentname *cnp); typedef int (*mpo_check_vnode_revoke_t)(struct ucred *cred, - struct vnode *vp, struct label *label); + struct vnode *vp, struct label *vplabel); typedef int (*mpo_check_vnode_setacl_t)(struct ucred *cred, - struct vnode *vp, struct label *label, acl_type_t type, + struct vnode *vp, struct label *vplabel, acl_type_t type, struct acl *acl); typedef int (*mpo_check_vnode_setextattr_t)(struct ucred *cred, - struct vnode *vp, struct label *label, int attrnamespace, - const char *name, struct uio *uio); + struct vnode *vp, struct label *vplabel, + int attrnamespace, const char *name, struct uio *uio); typedef int (*mpo_check_vnode_setflags_t)(struct ucred *cred, - struct vnode *vp, struct label *label, u_long flags); + struct 
vnode *vp, struct label *vplabel, u_long flags); typedef int (*mpo_check_vnode_setmode_t)(struct ucred *cred, - struct vnode *vp, struct label *label, mode_t mode); + struct vnode *vp, struct label *vplabel, mode_t mode); typedef int (*mpo_check_vnode_setowner_t)(struct ucred *cred, - struct vnode *vp, struct label *label, uid_t uid, + struct vnode *vp, struct label *vplabel, uid_t uid, gid_t gid); typedef int (*mpo_check_vnode_setutimes_t)(struct ucred *cred, - struct vnode *vp, struct label *label, + struct vnode *vp, struct label *vplabel, struct timespec atime, struct timespec mtime); typedef int (*mpo_check_vnode_stat_t)(struct ucred *active_cred, struct ucred *file_cred, struct vnode *vp, - struct label *label); + struct label *vplabel); typedef int (*mpo_check_vnode_write_t)(struct ucred *active_cred, struct ucred *file_cred, struct vnode *vp, - struct label *label); + struct label *vplabel); typedef void (*mpo_associate_nfsd_label_t)(struct ucred *cred); typedef int (*mpo_priv_check_t)(struct ucred *cred, int priv); typedef int (*mpo_priv_grant_t)(struct ucred *cred, int priv); diff --git a/sys/security/mac/mac_process.c b/sys/security/mac/mac_process.c index f9c8e2e..abba4a9 100644 --- a/sys/security/mac/mac_process.c +++ b/sys/security/mac/mac_process.c 
@@ -446,163 +446,168 @@ mac_check_cred_relabel(struct ucred *cred, struct label *newlabel) } int -mac_check_cred_visible(struct ucred *u1, struct ucred *u2) +mac_check_cred_visible(struct ucred *cr1, struct ucred *cr2) { int error; - MAC_CHECK(check_cred_visible, u1, u2); + MAC_CHECK(check_cred_visible, cr1, cr2); return (error); } int -mac_check_proc_debug(struct ucred *cred, struct proc *proc) +mac_check_proc_debug(struct ucred *cred, struct proc *p) { int error; - PROC_LOCK_ASSERT(proc, MA_OWNED); + PROC_LOCK_ASSERT(p, MA_OWNED); - MAC_CHECK(check_proc_debug, cred, proc); + MAC_CHECK(check_proc_debug, cred, p); return (error); } int -mac_check_proc_sched(struct ucred *cred, struct proc *proc) +mac_check_proc_sched(struct ucred *cred, struct proc *p) { int error; - PROC_LOCK_ASSERT(proc, MA_OWNED); + PROC_LOCK_ASSERT(p, MA_OWNED); - MAC_CHECK(check_proc_sched, cred, proc); + MAC_CHECK(check_proc_sched, cred, p); return (error); } int -mac_check_proc_signal(struct ucred *cred, struct proc *proc, int signum) +mac_check_proc_signal(struct ucred *cred, struct proc *p, int signum) { int error; - PROC_LOCK_ASSERT(proc, MA_OWNED); + PROC_LOCK_ASSERT(p, MA_OWNED); - MAC_CHECK(check_proc_signal, cred, proc, signum); + MAC_CHECK(check_proc_signal, cred, p, signum); return (error); } int -mac_check_proc_setuid(struct proc *proc, struct ucred *cred, uid_t uid) +mac_check_proc_setuid(struct proc *p, struct ucred *cred, uid_t uid) { int error; - PROC_LOCK_ASSERT(proc, MA_OWNED); + PROC_LOCK_ASSERT(p, MA_OWNED); MAC_CHECK(check_proc_setuid, cred, uid); return (error); } int -mac_check_proc_seteuid(struct proc *proc, struct ucred *cred, uid_t euid) +mac_check_proc_seteuid(struct proc *p, struct ucred *cred, uid_t euid) { int error; - PROC_LOCK_ASSERT(proc, MA_OWNED); + PROC_LOCK_ASSERT(p, MA_OWNED); MAC_CHECK(check_proc_seteuid, cred, euid); return (error); } int -mac_check_proc_setgid(struct proc *proc, struct ucred *cred, gid_t gid) +mac_check_proc_setgid(struct proc *p, 
struct ucred *cred, gid_t gid) { int error; - PROC_LOCK_ASSERT(proc, MA_OWNED); + PROC_LOCK_ASSERT(p, MA_OWNED); MAC_CHECK(check_proc_setgid, cred, gid); + return (error); } int -mac_check_proc_setegid(struct proc *proc, struct ucred *cred, gid_t egid) +mac_check_proc_setegid(struct proc *p, struct ucred *cred, gid_t egid) { int error; - PROC_LOCK_ASSERT(proc, MA_OWNED); + PROC_LOCK_ASSERT(p, MA_OWNED); MAC_CHECK(check_proc_setegid, cred, egid); + return (error); } int -mac_check_proc_setgroups(struct proc *proc, struct ucred *cred, - int ngroups, gid_t *gidset) +mac_check_proc_setgroups(struct proc *p, struct ucred *cred, int ngroups, + gid_t *gidset) { int error; - PROC_LOCK_ASSERT(proc, MA_OWNED); + PROC_LOCK_ASSERT(p, MA_OWNED); MAC_CHECK(check_proc_setgroups, cred, ngroups, gidset); return (error); } int -mac_check_proc_setreuid(struct proc *proc, struct ucred *cred, uid_t ruid, - uid_t euid) +mac_check_proc_setreuid(struct proc *p, struct ucred *cred, uid_t ruid, + uid_t euid) { int error; - PROC_LOCK_ASSERT(proc, MA_OWNED); + PROC_LOCK_ASSERT(p, MA_OWNED); MAC_CHECK(check_proc_setreuid, cred, ruid, euid); + return (error); } int mac_check_proc_setregid(struct proc *proc, struct ucred *cred, gid_t rgid, - gid_t egid) + gid_t egid) { int error; PROC_LOCK_ASSERT(proc, MA_OWNED); MAC_CHECK(check_proc_setregid, cred, rgid, egid); + return (error); } int -mac_check_proc_setresuid(struct proc *proc, struct ucred *cred, uid_t ruid, - uid_t euid, uid_t suid) +mac_check_proc_setresuid(struct proc *p, struct ucred *cred, uid_t ruid, + uid_t euid, uid_t suid) { int error; - PROC_LOCK_ASSERT(proc, MA_OWNED); + PROC_LOCK_ASSERT(p, MA_OWNED); MAC_CHECK(check_proc_setresuid, cred, ruid, euid, suid); return (error); } int -mac_check_proc_setresgid(struct proc *proc, struct ucred *cred, gid_t rgid, - gid_t egid, gid_t sgid) +mac_check_proc_setresgid(struct proc *p, struct ucred *cred, gid_t rgid, + gid_t egid, gid_t sgid) { int error; - PROC_LOCK_ASSERT(proc, MA_OWNED); + 
PROC_LOCK_ASSERT(p, MA_OWNED); MAC_CHECK(check_proc_setresgid, cred, rgid, egid, sgid); + return (error); } int -mac_check_proc_wait(struct ucred *cred, struct proc *proc) +mac_check_proc_wait(struct ucred *cred, struct proc *p) { int error; - PROC_LOCK_ASSERT(proc, MA_OWNED); + PROC_LOCK_ASSERT(p, MA_OWNED); - MAC_CHECK(check_proc_wait, cred, proc); + MAC_CHECK(check_proc_wait, cred, p); return (error); } diff --git a/sys/security/mac/mac_socket.c b/sys/security/mac/mac_socket.c index 1f12ea6..07722ad 100644 --- a/sys/security/mac/mac_socket.c +++ b/sys/security/mac/mac_socket.c @@ -155,13 +155,13 @@ mac_socket_peer_label_free(struct label *label) } void -mac_destroy_socket(struct socket *socket) +mac_destroy_socket(struct socket *so) { - mac_socket_label_free(socket->so_label); - socket->so_label = NULL; - mac_socket_peer_label_free(socket->so_peerlabel); - socket->so_peerlabel = NULL; + mac_socket_label_free(so->so_label); + so->so_label = NULL; + mac_socket_peer_label_free(so->so_peerlabel); + so->so_peerlabel = NULL; } void 
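Review bot: `mac_check_proc_setregid` keeps its `struct proc *proc` parameter while every neighbouring function in this hunk is renamed to `p`; only its `gid_t egid)` continuation line changes here (whitespace), so the rename looks skipped rather than intentional. Two lines close the gap: `mac_check_proc_setregid(struct proc *p, struct ucred *cred, gid_t rgid,` and `PROC_LOCK_ASSERT(p, MA_OWNED);`. The header typedef for this hook is not in any visible hunk, so check whether it needs the matching change.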
@@ -204,47 +204,47 @@ mac_internalize_socket_label(struct label *label, char *string) } void -mac_create_socket(struct ucred *cred, struct socket *socket) +mac_create_socket(struct ucred *cred, struct socket *so) { - MAC_PERFORM(create_socket, cred, socket, socket->so_label); + MAC_PERFORM(create_socket, cred, so, so->so_label); } void -mac_create_socket_from_socket(struct socket *oldsocket, - struct socket *newsocket) +mac_create_socket_from_socket(struct socket *oldso, struct socket *newso) { - SOCK_LOCK_ASSERT(oldsocket); - MAC_PERFORM(create_socket_from_socket, oldsocket, oldsocket->so_label, - newsocket, newsocket->so_label); + SOCK_LOCK_ASSERT(oldso); + + MAC_PERFORM(create_socket_from_socket, oldso, oldso->so_label, newso, + newso->so_label); } static void -mac_relabel_socket(struct ucred *cred, struct socket *socket, +mac_relabel_socket(struct ucred *cred, struct socket *so, struct label *newlabel) { - SOCK_LOCK_ASSERT(socket); - MAC_PERFORM(relabel_socket, cred, socket, socket->so_label, newlabel); + SOCK_LOCK_ASSERT(so); + + MAC_PERFORM(relabel_socket, cred, so, so->so_label, newlabel); } void -mac_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct socket *socket) +mac_set_socket_peer_from_mbuf(struct mbuf *m, struct socket *so) { struct label *label; - SOCK_LOCK_ASSERT(socket); + SOCK_LOCK_ASSERT(so); - label = mac_mbuf_to_label(mbuf); + label = mac_mbuf_to_label(m); - MAC_PERFORM(set_socket_peer_from_mbuf, mbuf, label, socket, - socket->so_peerlabel); + MAC_PERFORM(set_socket_peer_from_mbuf, m, label, so, + so->so_peerlabel); } void -mac_set_socket_peer_from_socket(struct socket *oldsocket, - struct socket *newsocket) +mac_set_socket_peer_from_socket(struct socket *oldso, struct socket *newso) { /* 
@@ -252,97 +252,94 @@ mac_set_socket_peer_from_socket(struct socket *oldsocket, * is the original, and one is the new. However, it's called in both * directions, so we can't assert the lock here currently. */ - MAC_PERFORM(set_socket_peer_from_socket, oldsocket, - oldsocket->so_label, newsocket, newsocket->so_peerlabel); + MAC_PERFORM(set_socket_peer_from_socket, oldso, oldso->so_label, + newso, newso->so_peerlabel); } void -mac_create_mbuf_from_socket(struct socket *socket, struct mbuf *mbuf) +mac_create_mbuf_from_socket(struct socket *so, struct mbuf *m) { struct label *label; - label = mac_mbuf_to_label(mbuf); + SOCK_LOCK_ASSERT(so); + + label = mac_mbuf_to_label(m); - SOCK_LOCK_ASSERT(socket); - MAC_PERFORM(create_mbuf_from_socket, socket, socket->so_label, mbuf, - label); + MAC_PERFORM(create_mbuf_from_socket, so, so->so_label, m, label); } int -mac_check_socket_accept(struct ucred *cred, struct socket *socket) +mac_check_socket_accept(struct ucred *cred, struct socket *so) { int error; - SOCK_LOCK_ASSERT(socket); + SOCK_LOCK_ASSERT(so); - MAC_CHECK(check_socket_accept, cred, socket, socket->so_label); + MAC_CHECK(check_socket_accept, cred, so, so->so_label); return (error); } int -mac_check_socket_bind(struct ucred *ucred, struct socket *socket, - struct sockaddr *sockaddr) +mac_check_socket_bind(struct ucred *ucred, struct socket *so, + struct sockaddr *sa) { int error; - SOCK_LOCK_ASSERT(socket); + SOCK_LOCK_ASSERT(so); - MAC_CHECK(check_socket_bind, ucred, socket, socket->so_label, - sockaddr); + MAC_CHECK(check_socket_bind, ucred, so, so->so_label, sa); return (error); } int -mac_check_socket_connect(struct ucred *cred, struct socket *socket, - struct sockaddr *sockaddr) +mac_check_socket_connect(struct ucred *cred, struct socket *so, + struct sockaddr *sa) { int error; - SOCK_LOCK_ASSERT(socket); + SOCK_LOCK_ASSERT(so); - MAC_CHECK(check_socket_connect, cred, socket, socket->so_label, - sockaddr); + MAC_CHECK(check_socket_connect, cred, so, so->so_label, 
sa); return (error); } int -mac_check_socket_create(struct ucred *cred, int domain, int type, - int protocol) +mac_check_socket_create(struct ucred *cred, int domain, int type, int proto) { int error; - MAC_CHECK(check_socket_create, cred, domain, type, protocol); + MAC_CHECK(check_socket_create, cred, domain, type, proto); return (error); } int -mac_check_socket_deliver(struct socket *socket, struct mbuf *mbuf) +mac_check_socket_deliver(struct socket *so, struct mbuf *m) { struct label *label; int error; - SOCK_LOCK_ASSERT(socket); + SOCK_LOCK_ASSERT(so); - label = mac_mbuf_to_label(mbuf); + label = mac_mbuf_to_label(m); - MAC_CHECK(check_socket_deliver, socket, socket->so_label, mbuf, - label); + MAC_CHECK(check_socket_deliver, so, so->so_label, m, label); return (error); } int -mac_check_socket_listen(struct ucred *cred, struct socket *socket) +mac_check_socket_listen(struct ucred *cred, struct socket *so) { int error; - SOCK_LOCK_ASSERT(socket); + SOCK_LOCK_ASSERT(so); + + MAC_CHECK(check_socket_listen, cred, so, so->so_label); - MAC_CHECK(check_socket_listen, cred, socket, socket->so_label); return (error); } @@ -354,6 +351,7 @@ mac_check_socket_poll(struct ucred *cred, struct socket *so) SOCK_LOCK_ASSERT(so); MAC_CHECK(check_socket_poll, cred, so, so->so_label); + return (error); } @@ -370,15 +368,14 @@ mac_check_socket_receive(struct ucred *cred, struct socket *so) } static int -mac_check_socket_relabel(struct ucred *cred, struct socket *socket, +mac_check_socket_relabel(struct ucred *cred, struct socket *so, struct label *newlabel) { int error; - SOCK_LOCK_ASSERT(socket); + SOCK_LOCK_ASSERT(so); - MAC_CHECK(check_socket_relabel, cred, socket, socket->so_label, - newlabel); + MAC_CHECK(check_socket_relabel, cred, so, so->so_label, newlabel); return (error); } 
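Review bot: `mac_check_socket_bind` is the only check in this hunk whose credential parameter is named `ucred`, while `mac_check_socket_accept`, `mac_check_socket_connect` and the rest use `cred`, and the `mpo_check_socket_bind_t` typedef in mac_policy.h also says `cred`; a naming pass like this commit is the place to align it. The change is two lines: `mac_check_socket_bind(struct ucred *cred, struct socket *so,` and `MAC_CHECK(check_socket_bind, cred, so, so->so_label, sa);`.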
@@ -408,13 +405,13 @@ mac_check_socket_stat(struct ucred *cred, struct socket *so) } int -mac_check_socket_visible(struct ucred *cred, struct socket *socket) +mac_check_socket_visible(struct ucred *cred, struct socket *so) { int error; - SOCK_LOCK_ASSERT(socket); + SOCK_LOCK_ASSERT(so); - MAC_CHECK(check_socket_visible, cred, socket, socket->so_label); + MAC_CHECK(check_socket_visible, cred, so, so->so_label); return (error); } diff --git a/sys/security/mac/mac_system.c b/sys/security/mac/mac_system.c index 07a975c..380466e 100644 --- a/sys/security/mac/mac_system.c +++ b/sys/security/mac/mac_system.c @@ -1,5 +1,5 @@ /*- - * Copyright (c) 2002, 2003 Networks Associates Technology, Inc. + * Copyright (c) 2002-2003 Networks Associates Technology, Inc. * Copyright (c) 2007 Robert N. M. Watson * All rights reserved. * |