From 7aa5c2497a67b36cc05ec3c76dca0423b69c9400 Mon Sep 17 00:00:00 2001
From: rwatson
Date: Sun, 16 Nov 2003 23:31:45 +0000
Subject: Implement sockets support for __mac_get_fd() and __mac_set_fd() system calls, and prefer these calls over getsockopt()/setsockopt() for ABI reasons. When addressing UNIX domain sockets, these calls retrieve and modify the socket label, not the label of the rendezvous vnode.

- Create mac_copy_socket_label() entry point based on mac_copy_pipe_label() entry point, intended to copy the socket label into temporary storage that doesn't require a socket lock to be held (currently Giant).
- Implement mac_copy_socket_label() for various policies.
- Expose socket label allocation, free, internalize, externalize entry points as non-static from mac_net.c.
- Use mac_socket_label_set() in __mac_set_fd().

MAC-aware applications may now use mac_get_fd(), mac_set_fd(), and mac_get_peer() to retrieve and set various socket labels without directly invoking the getsockopt() interface.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
---
 sys/security/mac/mac_framework.c | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
(limited to 'sys/security/mac/mac_framework.c')

diff --git a/sys/security/mac/mac_framework.c b/sys/security/mac/mac_framework.c
index c1710f2..f42b075 100644
--- a/sys/security/mac/mac_framework.c
+++ b/sys/security/mac/mac_framework.c
@@ -701,6 +701,7 @@ __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap)
 struct mac mac;
 struct vnode *vp;
 struct pipe *pipe;
+ struct socket *so;
 short label_type;
 int error;
 
@@ -751,6 +752,19 @@ __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap)
 mac_pipe_label_free(intlabel);
 break;
 
+ case DTYPE_SOCKET:
+ so = fp->f_data;
+ intlabel = mac_socket_label_alloc(M_WAITOK);
+ mtx_lock(&Giant); /* Sockets */
+ /* XXX: Socket lock here. */
+ mac_copy_socket_label(so->so_label, intlabel);
+ /* XXX: Socket unlock here. */
+ mtx_unlock(&Giant); /* Sockets */
+ error = mac_externalize_socket_label(intlabel, elements,
+ buffer, mac.m_buflen);
+ mac_socket_label_free(intlabel);
+ break;
+
 default:
 error = EINVAL;
 }
@@ -881,6 +895,7 @@ __mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap)
 {
 struct label *intlabel;
 struct pipe *pipe;
+ struct socket *so;
 struct file *fp;
 struct mount *mp;
 struct vnode *vp;
@@ -945,6 +960,21 @@ __mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap)
 mac_pipe_label_free(intlabel);
 break;
 
+ case DTYPE_SOCKET:
+ intlabel = mac_socket_label_alloc(M_WAITOK);
+ error = mac_internalize_socket_label(intlabel, buffer);
+ if (error == 0) {
+ so = fp->f_data;
+ mtx_lock(&Giant); /* Sockets */
+ /* XXX: Socket lock here. */
+ error = mac_socket_label_set(td->td_ucred, so,
+ intlabel);
+ /* XXX: Socket unlock here. */
+ mtx_unlock(&Giant); /* Sockets */
+ }
+ mac_socket_label_free(intlabel);
+ break;
+
 default:
 error = EINVAL;
 }
-- 
cgit v1.1
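Review bot: The DTYPE_SOCKET case in __mac_get_fd copies so_label into intlabel under Giant and then externalizes from the copy, but nothing in the hunk says why the copy exists; the commit message gives the reason (externalization must not run with the socket lock held), and that rationale belongs next to the code rather than only in the log. I'd replace the terse `/* Sockets */` on the mtx_lock line with `/* Copy under Giant so externalization below runs unlocked. */` and keep the two XXX placeholders for the future socket lock. `fp`, `elements` and `buffer` are set up, and `fp` is released, outside the hunk, so the error handling after mac_externalize_socket_label() cannot be checked from here. The DTYPE_SOCKET case added at @@ -945 in __mac_set_fd has the same lock-copy-unlock shape and the same missing rationale on its mtx_lock line.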
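Review bot: The DTYPE_SOCKET case in __mac_set_fd relabels the socket object itself, which for UNIX domain sockets is a different object from the rendezvous vnode; the commit message states this distinction but the code does not, and a reader comparing this case with the vnode case (outside the hunk) would reasonably expect the vnode label to be touched. I'd add at the case label `/* For UNIX domain sockets this sets the socket label, not the rendezvous vnode's. */`. Presumably the policy and credential check for the relabel happens inside mac_socket_label_set(), since td->td_ucred is passed through and nothing in the hunk checks the caller's right to relabel; confirming that and noting it on the call would save the next reader a lookup. The same "socket, not vnode" comment applies to the DTYPE_SOCKET case added at @@ -751 in __mac_get_fd.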