Introduce support for Mandatory Access Control and extensible kernel
access control. Label socket IPC objects, permitting security features to be maintained at the granularity of the socket. Two labels are stored for each socket: the label of the socket itself, and a cached peer label permitting interogation of the remote endpoint. Since socket locking is not yet present in the base tree, these objects are not locked, but are assumed to follow the same semantics as other modifiable entries in the socket structure. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
This commit is contained in:
Robert Watson
parent
87acada933
commit
781caa8157
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=100989
@ -37,6 +37,7 @@
|
||||
#ifndef _SYS_SOCKETVAR_H_
|
||||
#define _SYS_SOCKETVAR_H_
|
||||
|
||||
#include <sys/mac.h> /* for struct label */
|
||||
#include <sys/queue.h> /* for TAILQ macros */
|
||||
#include <sys/selinfo.h> /* for struct selinfo */
|
||||
|
||||
@ -122,6 +123,8 @@ struct socket {
|
||||
void (*so_upcall)(struct socket *, void *, int);
|
||||
void *so_upcallarg;
|
||||
struct ucred *so_cred; /* user credentials */
|
||||
struct label so_label; /* MAC label for socket */
|
||||
struct label so_peerlabel; /* cached MAC label for socket peer */
|
||||
/* NB: generation count must not be first; easiest to make it last. */
|
||||
so_gen_t so_gencnt; /* generation count */
|
||||
void *so_emuldata; /* private data for emulators */
|
||||
|
||||
Loading…
Reference in New Issue
Block a user