Diffstat (limited to 'sys/security/mac')
-rw-r--r-- | sys/security/mac/mac_framework.h | 4 | ||||
-rw-r--r-- | sys/security/mac/mac_inet.c | 54 | ||||
-rw-r--r-- | sys/security/mac/mac_policy.h | 10 |
3 files changed, 68 insertions, 0 deletions
diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h
index a895cfe..c8c41c2 100644
--- a/sys/security/mac/mac_framework.h
+++ b/sys/security/mac/mac_framework.h
@@ -210,6 +210,10 @@ void mac_update_ipq(struct mbuf *fragment, struct ipq *ipq);
 void mac_inpcb_sosetlabel(struct socket *so, struct inpcb *inp);
 void mac_create_mbuf_from_firewall(struct mbuf *m);
+void mac_destroy_syncache(struct label **label);
+int mac_init_syncache(struct label **label);
+void mac_init_syncache_from_inpcb(struct label *label, struct inpcb *inp);
+void mac_create_mbuf_from_syncache(struct label *sc_label, struct mbuf *m);
 /*
 * Labeling event operations: processes.
 */
diff --git a/sys/security/mac/mac_inet.c b/sys/security/mac/mac_inet.c
index 0d35e48..7896332 100644
--- a/sys/security/mac/mac_inet.c
+++ b/sys/security/mac/mac_inet.c
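Review bot: The four new prototypes carry no statement of the ownership and locking contract that the mac_inet.c implementation in this same commit relies on: mac_init_syncache can fail with ENOMEM and the storage it hands back is released (and *label set to NULL) only by mac_destroy_syncache, and mac_init_syncache_from_inpcb asserts that the inpcb lock is held. Callers in the syncache code will read the header, not mac_inet.c, so I would document it at the declarations, e.g. `/* Syncache label storage: init may fail with ENOMEM; destroy releases it and NULLs *label. */` above mac_destroy_syncache and `/* Caller must hold the inpcb lock. */` above mac_init_syncache_from_inpcb.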
@@ -288,3 +288,57 @@ mac_create_mbuf_from_firewall(struct mbuf *m)
 label = mac_mbuf_to_label(m);
 MAC_PERFORM(create_mbuf_from_firewall, m, label);
 }
+
+/*
+ * These functions really should be referencing the syncache structure instead
+ * of the label. However, due to some of the complexities associated with
+ * exposing this syncache structure we operate directly on it's label pointer.
+ * This should be OK since we aren't making any access control decisions within
+ * this code directly, we are merely allocating and copying label storage so
+ * we can properly initialize mbuf labels for any packets the syncache code
+ * might create.
+ */
+void
+mac_destroy_syncache(struct label **label)
+{
+
+ MAC_PERFORM(destroy_syncache_label, *label);
+ mac_labelzone_free(*label);
+ *label = NULL;
+}
+
+int
+mac_init_syncache(struct label **label)
+{
+ int error;
+
+ *label = mac_labelzone_alloc(M_NOWAIT);
+ if (*label == NULL)
+ return (ENOMEM);
+ /*
+ * Since we are holding the inpcb locks the policy can not allocate
+ * policy specific label storage using M_WAITOK. So we need to do a
+ * MAC_CHECK instead of the typical MAC_PERFORM so we can propagate
+ * allocation failures back to the syncache code.
+ */
+ MAC_CHECK(init_syncache_label, *label, M_NOWAIT);
+ return (error);
+}
+
+void
+mac_init_syncache_from_inpcb(struct label *label, struct inpcb *inp)
+{
+
+ INP_LOCK_ASSERT(inp);
+ MAC_PERFORM(init_syncache_from_inpcb, label, inp);
+}
+
+void
+mac_create_mbuf_from_syncache(struct label *sc_label, struct mbuf *m)
+{
+ struct label *mbuf_label;
+
+ M_ASSERTPKTHDR(m);
+ mbuf_label = mac_mbuf_to_label(m);
+ MAC_PERFORM(create_mbuf_from_syncache, sc_label, m, mbuf_label);
+}
diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h
index f7c5670..e75a1e3 100644
--- a/sys/security/mac/mac_policy.h
+++ b/sys/security/mac/mac_policy.h
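Review bot: In mac_init_syncache, when MAC_CHECK(init_syncache_label, ...) reports a policy failure the function returns that error but leaves *label pointing at the label zone entry allocated a few lines above, so unless every caller invokes mac_destroy_syncache on that error path the zone entry, and whatever per-policy storage the policies that did succeed allocated, leaks. The failure branch should release it in place, mirroring the ENOMEM branch just above it: `if (error)` / `mac_destroy_syncache(label);` before `return (error);`, which also leaves *label NULL so the syncache code sees one consistent state on every failure; if instead callers are meant to clean up themselves, mac_destroy_syncache would need to tolerate *label == NULL, which this hunk does not show it doing. Note also that `error` is never assigned visibly in this function and is presumably set inside the MAC_CHECK macro, which deserves a one-line comment such as `/* MAC_CHECK stores the composed policy result in error. */`, and the header comment's "it's label pointer" should read "its".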
@@ -331,6 +331,12 @@ typedef void (*mpo_inpcb_sosetlabel_t)(struct socket *so,
 typedef void (*mpo_create_mbuf_from_firewall_t)(struct mbuf *m,
 struct label *label);
+typedef void (*mpo_destroy_syncache_label_t)(struct label *label);
+typedef int (*mpo_init_syncache_label_t)(struct label *label, int flag);
+typedef void (*mpo_init_syncache_from_inpcb_t)(struct label *label,
+ struct inpcb *inp);
+typedef void (*mpo_create_mbuf_from_syncache_t)(struct label *sc_label,
+ struct mbuf *m, struct label *mbuf_label);
 /*
 * Labeling event operations: processes.
 */
@@ -888,6 +894,10 @@ struct mac_policy_ops {
 mpo_check_vnode_write_t mpo_check_vnode_write;
 mpo_associate_nfsd_label_t mpo_associate_nfsd_label;
 mpo_create_mbuf_from_firewall_t mpo_create_mbuf_from_firewall;
+ mpo_init_syncache_label_t mpo_init_syncache_label;
+ mpo_destroy_syncache_label_t mpo_destroy_syncache_label;
+ mpo_init_syncache_from_inpcb_t mpo_init_syncache_from_inpcb;
+ mpo_create_mbuf_from_syncache_t mpo_create_mbuf_from_syncache;
 mpo_priv_check_t mpo_priv_check;
 mpo_priv_grant_t mpo_priv_grant;
 };
|
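Review bot: The contract of mpo_init_syncache_label_t is not stated at the typedef: its only caller in this change, mac_init_syncache in mac_inet.c, passes M_NOWAIT because the inpcb lock is held and propagates whatever the policy returns, so a policy implementation must allocate without sleeping and report failure as an errno rather than assuming M_WAITOK semantics. A comment on the typedef such as `/* flag is M_NOWAIT on the syncache path (inpcb lock held); return 0 or an errno, never sleep. */` would make that visible to policy authors. As a point of style, the second hunk lists the struct members as init then destroy while the typedefs list destroy first; ordering both the same way would ease cross-reading.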