From 3193aa5601a04fee992eea32323269eed2ca7161 Mon Sep 17 00:00:00 2001
From: csjp
Date: Wed, 13 Dec 2006 06:03:22 +0000
Subject: Teach the MAC policies which utilize mbuf labeling the new syncache entry points. Properly initialize the mbuf label based on the label we copy from the PCB. This fixes an LOR between the PCB and syncache code.
---
 sys/security/mac_biba/mac_biba.c | 25 +++++++++++++++++++++++++
 sys/security/mac_lomac/mac_lomac.c | 25 +++++++++++++++++++++++++
 sys/security/mac_mls/mac_mls.c | 25 +++++++++++++++++++++++++
 3 files changed, 75 insertions(+)
(limited to 'sys')

diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c
index cfafc6c..5aa404c 100644
--- a/sys/security/mac_biba/mac_biba.c
+++ b/sys/security/mac_biba/mac_biba.c
@@ -3040,6 +3040,27 @@ mac_biba_associate_nfsd_label(struct ucred *cred)
 	    MAC_BIBA_TYPE_HIGH, 0, NULL);
 }
 
+static void
+mac_biba_init_syncache_from_inpcb(struct label *label, struct inpcb *inp)
+{
+	struct mac_biba *source, *dest;
+
+	source = SLOT(inp->inp_label);
+	dest = SLOT(label);
+	mac_biba_copy_effective(source, dest);
+}
+
+static void
+mac_biba_create_mbuf_from_syncache(struct label *sc_label, struct mbuf *m,
+    struct label *mbuf_label)
+{
+	struct mac_biba *source, *dest;
+
+	source = SLOT(sc_label);
+	dest = SLOT(mbuf_label);
+	mac_biba_copy_effective(source, dest);
+}
+
 static struct mac_policy_ops mac_biba_ops =
 {
 	.mpo_init = mac_biba_init,
@@ -3048,6 +3069,7 @@ static struct mac_policy_ops mac_biba_ops =
 	.mpo_init_devfsdirent_label = mac_biba_init_label,
 	.mpo_init_ifnet_label = mac_biba_init_label,
 	.mpo_init_inpcb_label = mac_biba_init_label_waitcheck,
+	.mpo_init_syncache_label = mac_biba_init_label_waitcheck,
 	.mpo_init_sysv_msgmsg_label = mac_biba_init_label,
 	.mpo_init_sysv_msgqueue_label = mac_biba_init_label,
 	.mpo_init_sysv_sem_label = mac_biba_init_label,
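Review bot: `mac_biba_init_syncache_from_inpcb` dereferences `inp->inp_label` with no comment on the locking it relies on, even though the commit message says this change exists to fix lock ordering between the PCB and the syncache; a short header comment such as `/* Copies the PCB's effective label into the new syncache entry; the caller is expected to hold the inpcb lock, and the entry keeps a copy rather than a reference to the PCB. */` would make that contract visible (the lock expectation is inferred from the commit message, not from the hunk). The same note applies to the lomac and mls counterparts added in the later hunks of this commit. It is also worth stating that the copy is a snapshot: an mbuf labeled by `mac_biba_create_mbuf_from_syncache` carries the label the PCB had when the entry was initialized, not any later relabel of the listening socket, so readers do not expect the syncache to track the PCB.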
@@ -3060,12 +3082,14 @@ static struct mac_policy_ops mac_biba_ops =
 	.mpo_init_posix_sem_label = mac_biba_init_label,
 	.mpo_init_socket_label = mac_biba_init_label_waitcheck,
 	.mpo_init_socket_peer_label = mac_biba_init_label_waitcheck,
+	.mpo_init_syncache_from_inpcb = mac_biba_init_syncache_from_inpcb,
 	.mpo_init_vnode_label = mac_biba_init_label,
 	.mpo_destroy_bpfdesc_label = mac_biba_destroy_label,
 	.mpo_destroy_cred_label = mac_biba_destroy_label,
 	.mpo_destroy_devfsdirent_label = mac_biba_destroy_label,
 	.mpo_destroy_ifnet_label = mac_biba_destroy_label,
 	.mpo_destroy_inpcb_label = mac_biba_destroy_label,
+	.mpo_destroy_syncache_label = mac_biba_destroy_label,
 	.mpo_destroy_sysv_msgmsg_label = mac_biba_destroy_label,
 	.mpo_destroy_sysv_msgqueue_label = mac_biba_destroy_label,
 	.mpo_destroy_sysv_sem_label = mac_biba_destroy_label,
@@ -3108,6 +3132,7 @@ static struct mac_policy_ops mac_biba_ops =
 	.mpo_create_vnode_extattr = mac_biba_create_vnode_extattr,
 	.mpo_setlabel_vnode_extattr = mac_biba_setlabel_vnode_extattr,
 	.mpo_create_mbuf_from_socket = mac_biba_create_mbuf_from_socket,
+	.mpo_create_mbuf_from_syncache = mac_biba_create_mbuf_from_syncache,
 	.mpo_create_pipe = mac_biba_create_pipe,
 	.mpo_create_posix_sem = mac_biba_create_posix_sem,
 	.mpo_create_socket = mac_biba_create_socket,
diff --git a/sys/security/mac_lomac/mac_lomac.c b/sys/security/mac_lomac/mac_lomac.c
index 7ca6e77..3364b78 100644
--- a/sys/security/mac_lomac/mac_lomac.c
+++ b/sys/security/mac_lomac/mac_lomac.c
@@ -1448,6 +1448,27 @@ mac_lomac_inpcb_sosetlabel(struct socket *so, struct label *solabel,
 }
 
 static void
+mac_lomac_init_syncache_from_inpcb(struct label *label, struct inpcb *inp)
+{
+	struct mac_lomac *source, *dest;
+
+	source = SLOT(inp->inp_label);
+	dest = SLOT(label);
+	mac_lomac_copy(source, dest);
+}
+
+static void
+mac_lomac_create_mbuf_from_syncache(struct label *sc_label, struct mbuf *m,
+    struct label *mbuf_label)
+{
+	struct mac_lomac *source, *dest;
+
+	source = SLOT(sc_label);
+	dest = SLOT(mbuf_label);
+	mac_lomac_copy(source, dest);
+}
+
+static void
 mac_lomac_create_mbuf_from_firewall(struct mbuf *m, struct label *label)
 {
 	struct mac_lomac *dest;
@@ -2574,6 +2595,7 @@ static struct mac_policy_ops mac_lomac_ops =
 	.mpo_init_cred_label = mac_lomac_init_label,
 	.mpo_init_devfsdirent_label = mac_lomac_init_label,
 	.mpo_init_ifnet_label = mac_lomac_init_label,
+	.mpo_init_syncache_label = mac_lomac_init_label_waitcheck,
 	.mpo_init_inpcb_label = mac_lomac_init_label_waitcheck,
 	.mpo_init_ipq_label = mac_lomac_init_label_waitcheck,
 	.mpo_init_mbuf_label = mac_lomac_init_label_waitcheck,
@@ -2584,6 +2606,7 @@ static struct mac_policy_ops mac_lomac_ops =
 	.mpo_init_socket_label = mac_lomac_init_label_waitcheck,
 	.mpo_init_socket_peer_label = mac_lomac_init_label_waitcheck,
 	.mpo_init_vnode_label = mac_lomac_init_label,
+	.mpo_init_syncache_from_inpcb = mac_lomac_init_syncache_from_inpcb,
 	.mpo_destroy_bpfdesc_label = mac_lomac_destroy_label,
 	.mpo_destroy_cred_label = mac_lomac_destroy_label,
 	.mpo_destroy_devfsdirent_label = mac_lomac_destroy_label,
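Review bot: The lomac hooks copy the whole label with `mac_lomac_copy(source, dest)`, whereas the biba and mls versions of the same two hooks in this commit copy only the effective part with their `_copy_effective` helpers; if `mac_lomac_copy` also carries the auxiliary or range portions (its body is outside the hunk, so this is inferred), an mbuf label would end up holding more than `mac_lomac_create_mbuf_from_socket` gives it, and it is worth confirming that the same copy helper is used in both socket and syncache paths. A one-line comment naming which label components the syncache entry and the mbuf are expected to carry would settle the question for future readers. Separately, on the style side, the new `.mpo_init_syncache_label` entry in the `mac_lomac_ops` hunk is placed before `.mpo_init_inpcb_label` while biba and mls put it after, and in the last mls hunk `.mpo_init_syncache_from_inpcb` sits among the `mpo_create_*` entries rather than with the other `mpo_init_*` entries; keeping the three tables in the same order makes the next cross-policy diff easier to read.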
@@ -2595,6 +2618,7 @@ static struct mac_policy_ops mac_lomac_ops =
 	.mpo_destroy_mount_fs_label = mac_lomac_destroy_label,
 	.mpo_destroy_pipe_label = mac_lomac_destroy_label,
 	.mpo_destroy_proc_label = mac_lomac_destroy_proc_label,
+	.mpo_destroy_syncache_label = mac_lomac_destroy_label,
 	.mpo_destroy_socket_label = mac_lomac_destroy_label,
 	.mpo_destroy_socket_peer_label = mac_lomac_destroy_label,
 	.mpo_destroy_vnode_label = mac_lomac_destroy_label,
@@ -2628,6 +2652,7 @@ static struct mac_policy_ops mac_lomac_ops =
 	.mpo_create_vnode_extattr = mac_lomac_create_vnode_extattr,
 	.mpo_setlabel_vnode_extattr = mac_lomac_setlabel_vnode_extattr,
 	.mpo_create_mbuf_from_socket = mac_lomac_create_mbuf_from_socket,
+	.mpo_create_mbuf_from_syncache = mac_lomac_create_mbuf_from_syncache,
 	.mpo_create_pipe = mac_lomac_create_pipe,
 	.mpo_create_socket = mac_lomac_create_socket,
 	.mpo_create_socket_from_socket = mac_lomac_create_socket_from_socket,
diff --git a/sys/security/mac_mls/mac_mls.c b/sys/security/mac_mls/mac_mls.c
index d02f034..2c4a67c 100644
--- a/sys/security/mac_mls/mac_mls.c
+++ b/sys/security/mac_mls/mac_mls.c
@@ -1315,6 +1315,27 @@ mac_mls_create_mbuf_from_firewall(struct mbuf *m, struct label *mbuflabel)
 	mac_mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL);
 }
 
+static void
+mac_mls_init_syncache_from_inpcb(struct label *label, struct inpcb *inp)
+{
+	struct mac_mls *source, *dest;
+
+	source = SLOT(inp->inp_label);
+	dest = SLOT(label);
+	mac_mls_copy_effective(source, dest);
+}
+
+static void
+mac_mls_create_mbuf_from_syncache(struct label *sc_label, struct mbuf *m,
+    struct label *mbuf_label)
+{
+	struct mac_mls *source, *dest;
+
+	source = SLOT(sc_label);
+	dest = SLOT(mbuf_label);
+	mac_mls_copy_effective(source, dest);
+}
+
 /*
  * Labeling event operations: processes.
  */
@@ -2817,6 +2838,7 @@ static struct mac_policy_ops mac_mls_ops =
 	.mpo_init_devfsdirent_label = mac_mls_init_label,
 	.mpo_init_ifnet_label = mac_mls_init_label,
 	.mpo_init_inpcb_label = mac_mls_init_label_waitcheck,
+	.mpo_init_syncache_label = mac_mls_init_label_waitcheck,
 	.mpo_init_sysv_msgmsg_label = mac_mls_init_label,
 	.mpo_init_sysv_msgqueue_label = mac_mls_init_label,
 	.mpo_init_sysv_sem_label = mac_mls_init_label,
@@ -2835,6 +2857,7 @@ static struct mac_policy_ops mac_mls_ops =
 	.mpo_destroy_devfsdirent_label = mac_mls_destroy_label,
 	.mpo_destroy_ifnet_label = mac_mls_destroy_label,
 	.mpo_destroy_inpcb_label = mac_mls_destroy_label,
+	.mpo_destroy_syncache_label = mac_mls_destroy_label,
 	.mpo_destroy_sysv_msgmsg_label = mac_mls_destroy_label,
 	.mpo_destroy_sysv_msgqueue_label = mac_mls_destroy_label,
 	.mpo_destroy_sysv_sem_label = mac_mls_destroy_label,
@@ -2877,6 +2900,7 @@ static struct mac_policy_ops mac_mls_ops =
 	.mpo_create_vnode_extattr = mac_mls_create_vnode_extattr,
 	.mpo_setlabel_vnode_extattr = mac_mls_setlabel_vnode_extattr,
 	.mpo_create_mbuf_from_socket = mac_mls_create_mbuf_from_socket,
+	.mpo_create_mbuf_from_syncache = mac_mls_create_mbuf_from_syncache,
 	.mpo_create_pipe = mac_mls_create_pipe,
 	.mpo_create_posix_sem = mac_mls_create_posix_sem,
 	.mpo_create_socket = mac_mls_create_socket,
@@ -2890,6 +2914,7 @@ static struct mac_policy_ops mac_mls_ops =
 	.mpo_create_fragment = mac_mls_create_fragment,
 	.mpo_create_ifnet = mac_mls_create_ifnet,
 	.mpo_create_inpcb_from_socket = mac_mls_create_inpcb_from_socket,
+	.mpo_init_syncache_from_inpcb = mac_mls_init_syncache_from_inpcb,
 	.mpo_create_ipq = mac_mls_create_ipq,
 	.mpo_create_sysv_msgmsg = mac_mls_create_sysv_msgmsg,
 	.mpo_create_sysv_msgqueue = mac_mls_create_sysv_msgqueue,
-- 
cgit v1.1