From b8ec51a0644d5d4a236c0c33065626ec72465e69 Mon Sep 17 00:00:00 2001 From: rwatson Date: Wed, 20 Dec 2006 23:16:41 +0000 Subject: Document socket labeling model. Clean up comment white space and wrapping. Obtained from: TrustedBSD Project --- sys/security/mac/mac_socket.c | 42 +++++++++++++++++++++++++++--------------- 1 file changed, 27 insertions(+), 15 deletions(-) (limited to 'sys/security/mac/mac_socket.c') diff --git a/sys/security/mac/mac_socket.c b/sys/security/mac/mac_socket.c index 2766716..2a2dfa4 100644 --- a/sys/security/mac/mac_socket.c +++ b/sys/security/mac/mac_socket.c @@ -12,7 +12,7 @@ * Research, the Technology Research Division of Network Associates, Inc. * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the * DARPA CHATS research program. - * + * * This software was enhanced by SPARTA ISSO under SPAWAR contract * N66001-04-C-6019 ("SEFOS"). * @@ -81,6 +81,19 @@ SYSCTL_INT(_security_mac, OID_AUTO, enforce_socket, CTLFLAG_RW, &mac_enforce_socket, 0, "Enforce MAC policy on socket operations"); TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket); +/* + * Currently, sockets hold two labels: the label of the socket itself, and a + * peer label, which may be used by policies to hold a copy of the label of + * any remote endpoint. + * + * Possibly, this peer label should be maintained at the protocol layer + * (inpcb, unpcb, etc), as this would allow protocol-aware code to maintain + * the label consistently. For example, it might be copied live from a + * remote socket for UNIX domain sockets rather than keeping a local copy on + * this endpoint, but be cached and updated based on packets received for + * TCP/IP. + */ + struct label * mac_socket_label_alloc(int flag) { @@ -245,10 +258,9 @@ mac_set_socket_peer_from_socket(struct socket *oldsocket, { /* - * XXXRW: only hold the socket lock on one at a time, as one - * socket is the original, and one is the new. However, it's - * called in both directions, so we can't assert the lock - * here currently. + * XXXRW: only hold the socket lock on one at a time, as one socket + * is the original, and one is the new. However, it's called in both + * directions, so we can't assert the lock here currently. */ MAC_PERFORM(set_socket_peer_from_socket, oldsocket, oldsocket->so_label, newsocket, newsocket->so_peerlabel); @@ -457,13 +469,12 @@ mac_socket_label_set(struct ucred *cred, struct socket *so, int error; /* - * We acquire the socket lock when we perform the test and set, - * but have to release it as the pcb code needs to acquire the - * pcb lock, which will precede the socket lock in the lock - * order. However, this is fine, as any race will simply - * result in the inpcb being refreshed twice, but still - * consistently, as the inpcb code will acquire the socket lock - * before refreshing, holding both locks. + * We acquire the socket lock when we perform the test and set, but + * have to release it as the pcb code needs to acquire the pcb lock, + * which will precede the socket lock in the lock order. However, + * this is fine, as any race will simply result in the inpcb being + * refreshed twice, but still consistently, as the inpcb code will + * acquire the socket lock before refreshing, holding both locks. */ SOCK_LOCK(so); error = mac_check_socket_relabel(cred, so, label); @@ -474,11 +485,12 @@ mac_socket_label_set(struct ucred *cred, struct socket *so, mac_relabel_socket(cred, so, label); SOCK_UNLOCK(so); + /* * If the protocol has expressed interest in socket layer changes, - * such as if it needs to propagate changes to a cached pcb - * label from the socket, notify it of the label change while - * holding the socket lock. + * such as if it needs to propagate changes to a cached pcb label + * from the socket, notify it of the label change while holding the + * socket lock. */ if (so->so_proto->pr_usrreqs->pru_sosetlabel != NULL) (so->so_proto->pr_usrreqs->pru_sosetlabel)(so); -- cgit v1.1