Diffstat (limited to 'sys/security/mac/mac_socket.c')
-rw-r--r-- | sys/security/mac/mac_socket.c | 56 |
1 files changed, 55 insertions, 1 deletions
diff --git a/sys/security/mac/mac_socket.c b/sys/security/mac/mac_socket.c index fe297ce..fa4a970 100644 --- a/sys/security/mac/mac_socket.c +++ b/sys/security/mac/mac_socket.c @@ -1,5 +1,5 @@ /*- - * Copyright (c) 1999-2002 Robert N. M. Watson + * Copyright (c) 1999-2002, 2009 Robert N. M. Watson * Copyright (c) 2001 Ilmar S. Habibulin * Copyright (c) 2001-2005 Networks Associates Technology, Inc. * Copyright (c) 2005-2006 SPARTA, Inc. @@ -17,6 +17,9 @@ * This software was enhanced by SPARTA ISSO under SPAWAR contract * N66001-04-C-6019 ("SEFOS"). * + * This software was developed at the University of Cambridge Computer + * Laboratory with support from a grant from Google, Inc. + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -42,6 +45,7 @@ #include <sys/cdefs.h> __FBSDID("$FreeBSD$"); +#include "opt_kdtrace.h" #include "opt_mac.h" #include <sys/param.h> @@ -51,6 +55,7 @@ __FBSDID("$FreeBSD$"); #include <sys/mutex.h> #include <sys/mac.h> #include <sys/sbuf.h> +#include <sys/sdt.h> #include <sys/systm.h> #include <sys/mount.h> #include <sys/file.h> @@ -276,6 +281,9 @@ mac_socket_create_mbuf(struct socket *so, struct mbuf *m) MAC_PERFORM(socket_create_mbuf, so, so->so_label, m, label); } +MAC_CHECK_PROBE_DEFINE2(socket_check_accept, "struct ucred *", + "struct socket *"); + int mac_socket_check_accept(struct ucred *cred, struct socket *so) { @@ -284,10 +292,14 @@ mac_socket_check_accept(struct ucred *cred, struct socket *so) SOCK_LOCK_ASSERT(so); MAC_CHECK(socket_check_accept, cred, so, so->so_label); + MAC_CHECK_PROBE2(socket_check_accept, error, cred, so); return (error); } +MAC_CHECK_PROBE_DEFINE3(socket_check_bind, "struct ucred *", + "struct socket *", "struct sockaddr *"); + int mac_socket_check_bind(struct ucred *ucred, struct socket *so, struct sockaddr *sa) 
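Review bot: The probe definition added above mac_socket_check_accept has no comment, and its type strings are hand-copied from the function signature with nothing visible here that keeps the two in step; the same applies to the definitions added for the bind, connect, create, deliver, listen, poll, receive, relabel, send, stat and visible checks in the later hunks. Each MAC_CHECK_PROBEn call also passes `error` ahead of the listed arguments, so the probe's argument numbering is presumably shifted by one relative to the DEFINE list; the macro bodies are not part of this diff, so that should be confirmed. I would add one comment at the first definition, for example `/* Probe args: MAC_CHECK result first, then the check's arguments; keep the type strings in sync with the signature. */`. The body of mac_socket_check_accept is split across two hunks, so its local declarations are not visible here.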
@@ -297,10 +309,14 @@ mac_socket_check_bind(struct ucred *ucred, struct socket *so, SOCK_LOCK_ASSERT(so); MAC_CHECK(socket_check_bind, ucred, so, so->so_label, sa); + MAC_CHECK_PROBE3(socket_check_bind, error, ucred, so, sa); return (error); } +MAC_CHECK_PROBE_DEFINE3(socket_check_connect, "struct ucred *", + "struct socket *", "struct sockaddr *"); + int mac_socket_check_connect(struct ucred *cred, struct socket *so, struct sockaddr *sa) @@ -310,20 +326,29 @@ mac_socket_check_connect(struct ucred *cred, struct socket *so, SOCK_LOCK_ASSERT(so); MAC_CHECK(socket_check_connect, cred, so, so->so_label, sa); + MAC_CHECK_PROBE3(socket_check_connect, error, cred, so, sa); return (error); } +MAC_CHECK_PROBE_DEFINE4(socket_check_create, "struct ucred *", "int", "int", + "int"); + int mac_socket_check_create(struct ucred *cred, int domain, int type, int proto) { int error; MAC_CHECK(socket_check_create, cred, domain, type, proto); + MAC_CHECK_PROBE4(socket_check_create, error, cred, domain, type, + proto); return (error); } +MAC_CHECK_PROBE_DEFINE2(socket_check_deliver, "struct socket *", + "struct mbuf *"); + int mac_socket_check_deliver(struct socket *so, struct mbuf *m) { @@ -335,10 +360,14 @@ mac_socket_check_deliver(struct socket *so, struct mbuf *m) label = mac_mbuf_to_label(m); MAC_CHECK(socket_check_deliver, so, so->so_label, m, label); + MAC_CHECK_PROBE2(socket_check_deliver, error, so, m); return (error); } +MAC_CHECK_PROBE_DEFINE2(socket_check_listen, "struct ucred *", + "struct socket *"); + int mac_socket_check_listen(struct ucred *cred, struct socket *so) { @@ -347,10 +376,14 @@ mac_socket_check_listen(struct ucred *cred, struct socket *so) SOCK_LOCK_ASSERT(so); MAC_CHECK(socket_check_listen, cred, so, so->so_label); + MAC_CHECK_PROBE2(socket_check_listen, error, cred, so); return (error); } +MAC_CHECK_PROBE_DEFINE2(socket_check_poll, "struct ucred *", + "struct socket *"); + int mac_socket_check_poll(struct ucred *cred, struct socket *so) { 
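Review bot: In the mac_socket_check_deliver hunk the probe is given `so` and `m` but not the `label` obtained from mac_mbuf_to_label(m), although that label is what MAC_CHECK hands to the policies. A trace of a denied delivery therefore shows only the mbuf pointer, and the label that drove the decision has to be recovered separately. If the label is wanted in traces, the definition could become `MAC_CHECK_PROBE_DEFINE3(socket_check_deliver, "struct socket *", "struct mbuf *", "struct label *");` with the call `MAC_CHECK_PROBE3(socket_check_deliver, error, so, m, label);`. Part of the function body lies between this hunk and the previous one, so whether `label` can be NULL at this point is not visible.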
@@ -359,10 +392,14 @@ mac_socket_check_poll(struct ucred *cred, struct socket *so) SOCK_LOCK_ASSERT(so); MAC_CHECK(socket_check_poll, cred, so, so->so_label); + MAC_CHECK_PROBE2(socket_check_poll, error, cred, so); return (error); } +MAC_CHECK_PROBE_DEFINE2(socket_check_receive, "struct ucred *", + "struct socket *"); + int mac_socket_check_receive(struct ucred *cred, struct socket *so) { @@ -371,10 +408,14 @@ mac_socket_check_receive(struct ucred *cred, struct socket *so) SOCK_LOCK_ASSERT(so); MAC_CHECK(socket_check_receive, cred, so, so->so_label); + MAC_CHECK_PROBE2(socket_check_receive, error, cred, so); return (error); } +MAC_CHECK_PROBE_DEFINE3(socket_check_relabel, "struct ucred *", + "struct socket *", "struct label *"); + static int mac_socket_check_relabel(struct ucred *cred, struct socket *so, struct label *newlabel) @@ -384,10 +425,14 @@ mac_socket_check_relabel(struct ucred *cred, struct socket *so, SOCK_LOCK_ASSERT(so); MAC_CHECK(socket_check_relabel, cred, so, so->so_label, newlabel); + MAC_CHECK_PROBE3(socket_check_relabel, error, cred, so, newlabel); return (error); } +MAC_CHECK_PROBE_DEFINE2(socket_check_send, "struct ucred *", + "struct socket *"); + int mac_socket_check_send(struct ucred *cred, struct socket *so) { @@ -396,10 +441,14 @@ mac_socket_check_send(struct ucred *cred, struct socket *so) SOCK_LOCK_ASSERT(so); MAC_CHECK(socket_check_send, cred, so, so->so_label); + MAC_CHECK_PROBE2(socket_check_send, error, cred, so); return (error); } +MAC_CHECK_PROBE_DEFINE2(socket_check_stat, "struct ucred *", + "struct socket *"); + int mac_socket_check_stat(struct ucred *cred, struct socket *so) { 
@@ -408,10 +457,14 @@ mac_socket_check_stat(struct ucred *cred, struct socket *so) SOCK_LOCK_ASSERT(so); MAC_CHECK(socket_check_stat, cred, so, so->so_label); + MAC_CHECK_PROBE2(socket_check_stat, error, cred, so); return (error); } +MAC_CHECK_PROBE_DEFINE2(socket_check_visible, "struct ucred *", + "struct socket *"); + int mac_socket_check_visible(struct ucred *cred, struct socket *so) { @@ -420,6 +473,7 @@ mac_socket_check_visible(struct ucred *cred, struct socket *so) SOCK_LOCK_ASSERT(so); MAC_CHECK(socket_check_visible, cred, so, so->so_label); + MAC_CHECK_PROBE2(socket_check_visible, error, cred, so); return (error); } |