Normalize variable naming in the MAC Framework by adopting the normal
variable name conventions for arguments passed into the framework -- for example, name network interfaces 'ifp', sockets 'so', mounts 'mp', mbufs 'm', processes 'p', etc, wherever possible. Previously there was significant variation in this regard. Normalize copyright lists to ranges where sensible.
This commit is contained in:
parent
eb542415c0
commit
26ae2b86b6
@ -93,23 +93,23 @@ void mac_init_bpfdesc(struct bpf_d *);
|
||||
void mac_init_cred(struct ucred *);
|
||||
void mac_init_devfsdirent(struct devfs_dirent *);
|
||||
void mac_init_ifnet(struct ifnet *);
|
||||
int mac_init_inpcb(struct inpcb *, int flag);
|
||||
int mac_init_inpcb(struct inpcb *, int);
|
||||
void mac_init_sysv_msgmsg(struct msg *);
|
||||
void mac_init_sysv_msgqueue(struct msqid_kernel*);
|
||||
void mac_init_sysv_sem(struct semid_kernel*);
|
||||
void mac_init_sysv_shm(struct shmid_kernel*);
|
||||
int mac_init_ipq(struct ipq *, int flag);
|
||||
int mac_init_socket(struct socket *, int flag);
|
||||
void mac_init_sysv_msgqueue(struct msqid_kernel *);
|
||||
void mac_init_sysv_sem(struct semid_kernel *);
|
||||
void mac_init_sysv_shm(struct shmid_kernel *);
|
||||
int mac_init_ipq(struct ipq *, int);
|
||||
int mac_init_socket(struct socket *, int);
|
||||
void mac_init_pipe(struct pipepair *);
|
||||
void mac_init_posix_sem(struct ksem *);
|
||||
int mac_init_mbuf(struct mbuf *mbuf, int flag);
|
||||
int mac_init_mbuf_tag(struct m_tag *, int flag);
|
||||
int mac_init_mbuf(struct mbuf *, int);
|
||||
int mac_init_mbuf_tag(struct m_tag *, int);
|
||||
void mac_init_mount(struct mount *);
|
||||
void mac_init_proc(struct proc *);
|
||||
void mac_init_vnode(struct vnode *);
|
||||
void mac_copy_mbuf(struct mbuf *m_from, struct mbuf *m_to);
|
||||
void mac_copy_mbuf(struct mbuf *, struct mbuf *);
|
||||
void mac_copy_mbuf_tag(struct m_tag *, struct m_tag *);
|
||||
void mac_copy_vnode_label(struct label *, struct label *label);
|
||||
void mac_copy_vnode_label(struct label *, struct label *);
|
||||
void mac_destroy_bpfdesc(struct bpf_d *);
|
||||
void mac_destroy_cred(struct ucred *);
|
||||
void mac_destroy_devfsdirent(struct devfs_dirent *);
|
||||
@ -129,9 +129,9 @@ void mac_destroy_mount(struct mount *);
|
||||
void mac_destroy_vnode(struct vnode *);
|
||||
|
||||
struct label *mac_cred_label_alloc(void);
|
||||
void mac_cred_label_free(struct label *label);
|
||||
void mac_cred_label_free(struct label *);
|
||||
struct label *mac_vnode_label_alloc(void);
|
||||
void mac_vnode_label_free(struct label *label);
|
||||
void mac_vnode_label_free(struct label *);
|
||||
|
||||
/*
|
||||
* Labeling event operations: file system objects, and things that look a lot
|
||||
@ -159,13 +159,12 @@ void mac_update_devfsdirent(struct mount *mp, struct devfs_dirent *de,
|
||||
* Labeling event operations: IPC objects.
|
||||
*/
|
||||
void mac_create_mbuf_from_socket(struct socket *so, struct mbuf *m);
|
||||
void mac_create_socket(struct ucred *cred, struct socket *socket);
|
||||
void mac_create_socket_from_socket(struct socket *oldsocket,
|
||||
struct socket *newsocket);
|
||||
void mac_set_socket_peer_from_mbuf(struct mbuf *mbuf,
|
||||
struct socket *socket);
|
||||
void mac_set_socket_peer_from_socket(struct socket *oldsocket,
|
||||
struct socket *newsocket);
|
||||
void mac_create_socket(struct ucred *cred, struct socket *so);
|
||||
void mac_create_socket_from_socket(struct socket *oldso,
|
||||
struct socket *newso);
|
||||
void mac_set_socket_peer_from_mbuf(struct mbuf *m, struct socket *so);
|
||||
void mac_set_socket_peer_from_socket(struct socket *oldso,
|
||||
struct socket *newso);
|
||||
void mac_create_pipe(struct ucred *cred, struct pipepair *pp);
|
||||
|
||||
/*
|
||||
@ -188,29 +187,29 @@ void mac_create_posix_sem(struct ucred *cred, struct ksem *ksemptr);
|
||||
/*
|
||||
* Labeling event operations: network objects.
|
||||
*/
|
||||
void mac_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d);
|
||||
void mac_create_bpfdesc(struct ucred *cred, struct bpf_d *d);
|
||||
void mac_create_ifnet(struct ifnet *ifp);
|
||||
void mac_create_inpcb_from_socket(struct socket *so, struct inpcb *inp);
|
||||
void mac_create_ipq(struct mbuf *fragment, struct ipq *ipq);
|
||||
void mac_create_datagram_from_ipq(struct ipq *ipq, struct mbuf *datagram);
|
||||
void mac_create_fragment(struct mbuf *datagram, struct mbuf *fragment);
|
||||
void mac_create_ipq(struct mbuf *m, struct ipq *ipq);
|
||||
void mac_create_datagram_from_ipq(struct ipq *ipq, struct mbuf *m);
|
||||
void mac_create_fragment(struct mbuf *m, struct mbuf *frag);
|
||||
void mac_create_mbuf_from_inpcb(struct inpcb *inp, struct mbuf *m);
|
||||
void mac_create_mbuf_linklayer(struct ifnet *ifnet, struct mbuf *m);
|
||||
void mac_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct mbuf *m);
|
||||
void mac_create_mbuf_from_ifnet(struct ifnet *ifnet, struct mbuf *m);
|
||||
void mac_create_mbuf_multicast_encap(struct mbuf *oldmbuf,
|
||||
struct ifnet *ifnet, struct mbuf *newmbuf);
|
||||
void mac_create_mbuf_netlayer(struct mbuf *oldmbuf, struct mbuf *newmbuf);
|
||||
int mac_fragment_match(struct mbuf *fragment, struct ipq *ipq);
|
||||
void mac_create_mbuf_linklayer(struct ifnet *ifp, struct mbuf *m);
|
||||
void mac_create_mbuf_from_bpfdesc(struct bpf_d *d, struct mbuf *m);
|
||||
void mac_create_mbuf_from_ifnet(struct ifnet *ifp, struct mbuf *m);
|
||||
void mac_create_mbuf_multicast_encap(struct mbuf *m, struct ifnet *ifp,
|
||||
struct mbuf *mnew);
|
||||
void mac_create_mbuf_netlayer(struct mbuf *m, struct mbuf *mnew);
|
||||
int mac_fragment_match(struct mbuf *m, struct ipq *ipq);
|
||||
void mac_reflect_mbuf_icmp(struct mbuf *m);
|
||||
void mac_reflect_mbuf_tcp(struct mbuf *m);
|
||||
void mac_update_ipq(struct mbuf *fragment, struct ipq *ipq);
|
||||
void mac_update_ipq(struct mbuf *m, struct ipq *ipq);
|
||||
void mac_inpcb_sosetlabel(struct socket *so, struct inpcb *inp);
|
||||
void mac_create_mbuf_from_firewall(struct mbuf *m);
|
||||
void mac_destroy_syncache(struct label **label);
|
||||
int mac_init_syncache(struct label **label);
|
||||
void mac_init_syncache_from_inpcb(struct label *label, struct inpcb *inp);
|
||||
void mac_create_mbuf_from_syncache(struct label *sc_label, struct mbuf *m);
|
||||
void mac_destroy_syncache(struct label **l);
|
||||
int mac_init_syncache(struct label **l);
|
||||
void mac_init_syncache_from_inpcb(struct label *l, struct inpcb *inp);
|
||||
void mac_create_mbuf_from_syncache(struct label *l, struct mbuf *m);
|
||||
|
||||
/*
|
||||
* Labeling event operations: processes.
|
||||
@ -218,10 +217,10 @@ void mac_create_mbuf_from_syncache(struct label *sc_label, struct mbuf *m);
|
||||
void mac_copy_cred(struct ucred *cr1, struct ucred *cr2);
|
||||
int mac_execve_enter(struct image_params *imgp, struct mac *mac_p);
|
||||
void mac_execve_exit(struct image_params *imgp);
|
||||
void mac_execve_transition(struct ucred *old, struct ucred *new,
|
||||
void mac_execve_transition(struct ucred *oldcred, struct ucred *newcred,
|
||||
struct vnode *vp, struct label *interpvnodelabel,
|
||||
struct image_params *imgp);
|
||||
int mac_execve_will_transition(struct ucred *old, struct vnode *vp,
|
||||
int mac_execve_will_transition(struct ucred *cred, struct vnode *vp,
|
||||
struct label *interpvnodelabel, struct image_params *imgp);
|
||||
void mac_create_proc0(struct ucred *cred);
|
||||
void mac_create_proc1(struct ucred *cred);
|
||||
@ -246,9 +245,9 @@ void mac_cleanup_sysv_shm(struct shmid_kernel *shmsegptr);
|
||||
/*
|
||||
* Access control checks.
|
||||
*/
|
||||
int mac_check_bpfdesc_receive(struct bpf_d *bpf_d, struct ifnet *ifnet);
|
||||
int mac_check_cred_visible(struct ucred *u1, struct ucred *u2);
|
||||
int mac_check_ifnet_transmit(struct ifnet *ifnet, struct mbuf *m);
|
||||
int mac_check_bpfdesc_receive(struct bpf_d *d, struct ifnet *ifp);
|
||||
int mac_check_cred_visible(struct ucred *cr1, struct ucred *cr2);
|
||||
int mac_check_ifnet_transmit(struct ifnet *ifp, struct mbuf *m);
|
||||
int mac_check_inpcb_deliver(struct inpcb *inp, struct mbuf *m);
|
||||
int mac_check_sysv_msgmsq(struct ucred *cred, struct msg *msgptr,
|
||||
struct msqid_kernel *msqkptr);
|
||||
@ -295,38 +294,38 @@ int mac_check_posix_sem_open(struct ucred *cred, struct ksem *ksemptr);
|
||||
int mac_check_posix_sem_post(struct ucred *cred, struct ksem *ksemptr);
|
||||
int mac_check_posix_sem_unlink(struct ucred *cred, struct ksem *ksemptr);
|
||||
int mac_check_posix_sem_wait(struct ucred *cred, struct ksem *ksemptr);
|
||||
int mac_check_proc_debug(struct ucred *cred, struct proc *proc);
|
||||
int mac_check_proc_sched(struct ucred *cred, struct proc *proc);
|
||||
int mac_check_proc_debug(struct ucred *cred, struct proc *p);
|
||||
int mac_check_proc_sched(struct ucred *cred, struct proc *p);
|
||||
int mac_check_proc_setaudit(struct ucred *cred, struct auditinfo *ai);
|
||||
int mac_check_proc_setauid(struct ucred *cred, uid_t auid);
|
||||
int mac_check_proc_setuid(struct proc *proc, struct ucred *cred,
|
||||
int mac_check_proc_setuid(struct proc *p, struct ucred *cred,
|
||||
uid_t uid);
|
||||
int mac_check_proc_seteuid(struct proc *proc, struct ucred *cred,
|
||||
int mac_check_proc_seteuid(struct proc *p, struct ucred *cred,
|
||||
uid_t euid);
|
||||
int mac_check_proc_setgid(struct proc *proc, struct ucred *cred,
|
||||
int mac_check_proc_setgid(struct proc *p, struct ucred *cred,
|
||||
gid_t gid);
|
||||
int mac_check_proc_setegid(struct proc *proc, struct ucred *cred,
|
||||
int mac_check_proc_setegid(struct proc *p, struct ucred *cred,
|
||||
gid_t egid);
|
||||
int mac_check_proc_setgroups(struct proc *proc, struct ucred *cred,
|
||||
int mac_check_proc_setgroups(struct proc *p, struct ucred *cred,
|
||||
int ngroups, gid_t *gidset);
|
||||
int mac_check_proc_setreuid(struct proc *proc, struct ucred *cred,
|
||||
int mac_check_proc_setreuid(struct proc *p, struct ucred *cred,
|
||||
uid_t ruid, uid_t euid);
|
||||
int mac_check_proc_setregid(struct proc *proc, struct ucred *cred,
|
||||
int mac_check_proc_setregid(struct proc *p, struct ucred *cred,
|
||||
gid_t rgid, gid_t egid);
|
||||
int mac_check_proc_setresuid(struct proc *proc, struct ucred *cred,
|
||||
int mac_check_proc_setresuid(struct proc *p, struct ucred *cred,
|
||||
uid_t ruid, uid_t euid, uid_t suid);
|
||||
int mac_check_proc_setresgid(struct proc *proc, struct ucred *cred,
|
||||
int mac_check_proc_setresgid(struct proc *p, struct ucred *cred,
|
||||
gid_t rgid, gid_t egid, gid_t sgid);
|
||||
int mac_check_proc_signal(struct ucred *cred, struct proc *proc,
|
||||
int mac_check_proc_signal(struct ucred *cred, struct proc *p,
|
||||
int signum);
|
||||
int mac_check_proc_wait(struct ucred *cred, struct proc *proc);
|
||||
int mac_check_proc_wait(struct ucred *cred, struct proc *p);
|
||||
int mac_check_socket_accept(struct ucred *cred, struct socket *so);
|
||||
int mac_check_socket_bind(struct ucred *cred, struct socket *so,
|
||||
struct sockaddr *sockaddr);
|
||||
struct sockaddr *sa);
|
||||
int mac_check_socket_connect(struct ucred *cred, struct socket *so,
|
||||
struct sockaddr *sockaddr);
|
||||
struct sockaddr *sa);
|
||||
int mac_check_socket_create(struct ucred *cred, int domain, int type,
|
||||
int protocol);
|
||||
int proto);
|
||||
int mac_check_socket_deliver(struct socket *so, struct mbuf *m);
|
||||
int mac_check_socket_listen(struct ucred *cred, struct socket *so);
|
||||
int mac_check_socket_poll(struct ucred *cred, struct socket *so);
|
||||
@ -367,8 +366,8 @@ int mac_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
|
||||
int attrnamespace);
|
||||
int mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
|
||||
struct componentname *cnp);
|
||||
int mac_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
|
||||
int prot, int flags);
|
||||
int mac_check_vnode_mmap(struct ucred *cred, struct vnode *vp, int prot,
|
||||
int flags);
|
||||
int mac_check_vnode_mprotect(struct ucred *cred, struct vnode *vp,
|
||||
int prot);
|
||||
int mac_check_vnode_open(struct ucred *cred, struct vnode *vp,
|
||||
@ -405,9 +404,9 @@ int mac_getsockopt_label(struct ucred *cred, struct socket *so,
|
||||
int mac_getsockopt_peerlabel(struct ucred *cred, struct socket *so,
|
||||
struct mac *extmac);
|
||||
int mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr,
|
||||
struct ifnet *ifnet);
|
||||
struct ifnet *ifp);
|
||||
int mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr,
|
||||
struct ifnet *ifnet);
|
||||
struct ifnet *ifp);
|
||||
int mac_setsockopt_label(struct ucred *cred, struct socket *so,
|
||||
struct mac *extmac);
|
||||
int mac_pipe_label_set(struct ucred *cred, struct pipepair *pp,
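Review bot: The prototypes rewritten without parameter names, e.g. `int mac_init_mbuf(struct mbuf *, int);` and `void mac_copy_vnode_label(struct label *, struct label *);`, drop information this header previously carried: which `int` is the allocation flag, and which label is the source and which the destination of the copy — in a label-propagation framework the copy direction is exactly what a reader of the header needs. The rest of the same header keeps names (`void mac_create_mbuf_from_socket(struct socket *so, struct mbuf *m);`), so the file now mixes both forms. Keeping names in the normalized style would read `int mac_init_mbuf(struct mbuf *m, int flag);` and `void mac_copy_vnode_label(struct label *src, struct label *dest);`, where the src/dest order is my inference from the argument order and should be confirmed against the definition. The same applies to the `mac_init_inpcb`, `mac_init_ipq`, `mac_init_socket`, `mac_init_mbuf_tag` and `mac_copy_mbuf` lines in the first hunk.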
|
||||
|
@ -163,36 +163,34 @@ mac_create_inpcb_from_socket(struct socket *so, struct inpcb *inp)
|
||||
}
|
||||
|
||||
void
|
||||
mac_create_datagram_from_ipq(struct ipq *ipq, struct mbuf *datagram)
|
||||
mac_create_datagram_from_ipq(struct ipq *ipq, struct mbuf *m)
|
||||
{
|
||||
struct label *label;
|
||||
|
||||
label = mac_mbuf_to_label(datagram);
|
||||
label = mac_mbuf_to_label(m);
|
||||
|
||||
MAC_PERFORM(create_datagram_from_ipq, ipq, ipq->ipq_label,
|
||||
datagram, label);
|
||||
MAC_PERFORM(create_datagram_from_ipq, ipq, ipq->ipq_label, m, label);
|
||||
}
|
||||
|
||||
void
|
||||
mac_create_fragment(struct mbuf *datagram, struct mbuf *fragment)
|
||||
mac_create_fragment(struct mbuf *m, struct mbuf *frag)
|
||||
{
|
||||
struct label *datagramlabel, *fragmentlabel;
|
||||
struct label *mlabel, *fraglabel;
|
||||
|
||||
datagramlabel = mac_mbuf_to_label(datagram);
|
||||
fragmentlabel = mac_mbuf_to_label(fragment);
|
||||
mlabel = mac_mbuf_to_label(m);
|
||||
fraglabel = mac_mbuf_to_label(frag);
|
||||
|
||||
MAC_PERFORM(create_fragment, datagram, datagramlabel, fragment,
|
||||
fragmentlabel);
|
||||
MAC_PERFORM(create_fragment, m, mlabel, frag, fraglabel);
|
||||
}
|
||||
|
||||
void
|
||||
mac_create_ipq(struct mbuf *fragment, struct ipq *ipq)
|
||||
mac_create_ipq(struct mbuf *m, struct ipq *ipq)
|
||||
{
|
||||
struct label *label;
|
||||
|
||||
label = mac_mbuf_to_label(fragment);
|
||||
label = mac_mbuf_to_label(m);
|
||||
|
||||
MAC_PERFORM(create_ipq, fragment, label, ipq, ipq->ipq_label);
|
||||
MAC_PERFORM(create_ipq, m, label, ipq, ipq->ipq_label);
|
||||
}
|
||||
|
||||
void
|
||||
@ -207,16 +205,15 @@ mac_create_mbuf_from_inpcb(struct inpcb *inp, struct mbuf *m)
|
||||
}
|
||||
|
||||
int
|
||||
mac_fragment_match(struct mbuf *fragment, struct ipq *ipq)
|
||||
mac_fragment_match(struct mbuf *m, struct ipq *ipq)
|
||||
{
|
||||
struct label *label;
|
||||
int result;
|
||||
|
||||
label = mac_mbuf_to_label(fragment);
|
||||
label = mac_mbuf_to_label(m);
|
||||
|
||||
result = 1;
|
||||
MAC_BOOLEAN(fragment_match, &&, fragment, label, ipq,
|
||||
ipq->ipq_label);
|
||||
MAC_BOOLEAN(fragment_match, &&, m, label, ipq, ipq->ipq_label);
|
||||
|
||||
return (result);
|
||||
}
|
||||
@ -230,6 +227,7 @@ mac_reflect_mbuf_icmp(struct mbuf *m)
|
||||
|
||||
MAC_PERFORM(reflect_mbuf_icmp, m, label);
|
||||
}
|
||||
|
||||
void
|
||||
mac_reflect_mbuf_tcp(struct mbuf *m)
|
||||
{
|
||||
@ -241,13 +239,13 @@ mac_reflect_mbuf_tcp(struct mbuf *m)
|
||||
}
|
||||
|
||||
void
|
||||
mac_update_ipq(struct mbuf *fragment, struct ipq *ipq)
|
||||
mac_update_ipq(struct mbuf *m, struct ipq *ipq)
|
||||
{
|
||||
struct label *label;
|
||||
|
||||
label = mac_mbuf_to_label(fragment);
|
||||
label = mac_mbuf_to_label(m);
|
||||
|
||||
MAC_PERFORM(update_ipq, fragment, label, ipq, ipq->ipq_label);
|
||||
MAC_PERFORM(update_ipq, m, label, ipq, ipq->ipq_label);
|
||||
}
|
||||
|
||||
int
|
||||
@ -331,9 +329,9 @@ mac_init_syncache_from_inpcb(struct label *label, struct inpcb *inp)
|
||||
void
|
||||
mac_create_mbuf_from_syncache(struct label *sc_label, struct mbuf *m)
|
||||
{
|
||||
struct label *mbuf_label;
|
||||
struct label *mlabel;
|
||||
|
||||
M_ASSERTPKTHDR(m);
|
||||
mbuf_label = mac_mbuf_to_label(m);
|
||||
MAC_PERFORM(create_mbuf_from_syncache, sc_label, m, mbuf_label);
|
||||
mlabel = mac_mbuf_to_label(m);
|
||||
MAC_PERFORM(create_mbuf_from_syncache, sc_label, m, mlabel);
|
||||
}
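Review bot: The definition of `mac_create_mbuf_from_syncache` in this section still names its first parameter `sc_label` (`mac_create_mbuf_from_syncache(struct label *sc_label, struct mbuf *m)`), while the prototype in the header hunk of this same commit was changed to `void mac_create_mbuf_from_syncache(struct label *l, struct mbuf *m);`. `mac_init_syncache_from_inpcb` looks to have the same mismatch — its prototype now says `struct label *l`, and the hunk-header context shows `struct label *label` — but that context reflects the pre-change text, so confirm whether its definition was updated elsewhere in the file. Since the commit's purpose is name normalization, the two sides should agree: either rename the definition parameter to `l`, or, preferably, keep the more descriptive `sc_label` in the prototype. Only `mac_create_mbuf_from_syncache` is fully visible here; the body of `mac_init_syncache_from_inpcb` lies outside the hunk.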
|
||||
|
@ -82,14 +82,14 @@ MTX_SYSINIT(mac_ifnet_mtx, &mac_ifnet_mtx, "mac_ifnet", MTX_DEF);
|
||||
* early loading.
|
||||
*/
|
||||
struct label *
|
||||
mac_mbuf_to_label(struct mbuf *mbuf)
|
||||
mac_mbuf_to_label(struct mbuf *m)
|
||||
{
|
||||
struct m_tag *tag;
|
||||
struct label *label;
|
||||
|
||||
if (mbuf == NULL)
|
||||
if (m == NULL)
|
||||
return (NULL);
|
||||
tag = m_tag_find(mbuf, PACKET_TAG_MACLABEL, NULL);
|
||||
tag = m_tag_find(m, PACKET_TAG_MACLABEL, NULL);
|
||||
if (tag == NULL)
|
||||
return (NULL);
|
||||
label = (struct label *)(tag+1);
|
||||
@ -107,10 +107,10 @@ mac_bpfdesc_label_alloc(void)
|
||||
}
|
||||
|
||||
void
|
||||
mac_init_bpfdesc(struct bpf_d *bpf_d)
|
||||
mac_init_bpfdesc(struct bpf_d *d)
|
||||
{
|
||||
|
||||
bpf_d->bd_label = mac_bpfdesc_label_alloc();
|
||||
d->bd_label = mac_bpfdesc_label_alloc();
|
||||
}
|
||||
|
||||
static struct label *
|
||||
@ -185,11 +185,11 @@ mac_bpfdesc_label_free(struct label *label)
|
||||
}
|
||||
|
||||
void
|
||||
mac_destroy_bpfdesc(struct bpf_d *bpf_d)
|
||||
mac_destroy_bpfdesc(struct bpf_d *d)
|
||||
{
|
||||
|
||||
mac_bpfdesc_label_free(bpf_d->bd_label);
|
||||
bpf_d->bd_label = NULL;
|
||||
mac_bpfdesc_label_free(d->bd_label);
|
||||
d->bd_label = NULL;
|
||||
}
|
||||
|
||||
static void
|
||||
@ -278,123 +278,117 @@ mac_internalize_ifnet_label(struct label *label, char *string)
|
||||
}
|
||||
|
||||
void
|
||||
mac_create_ifnet(struct ifnet *ifnet)
|
||||
mac_create_ifnet(struct ifnet *ifp)
|
||||
{
|
||||
|
||||
MAC_IFNET_LOCK(ifnet);
|
||||
MAC_PERFORM(create_ifnet, ifnet, ifnet->if_label);
|
||||
MAC_IFNET_UNLOCK(ifnet);
|
||||
MAC_IFNET_LOCK(ifp);
|
||||
MAC_PERFORM(create_ifnet, ifp, ifp->if_label);
|
||||
MAC_IFNET_UNLOCK(ifp);
|
||||
}
|
||||
|
||||
void
|
||||
mac_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d)
|
||||
mac_create_bpfdesc(struct ucred *cred, struct bpf_d *d)
|
||||
{
|
||||
|
||||
MAC_PERFORM(create_bpfdesc, cred, bpf_d, bpf_d->bd_label);
|
||||
MAC_PERFORM(create_bpfdesc, cred, d, d->bd_label);
|
||||
}
|
||||
|
||||
void
|
||||
mac_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct mbuf *mbuf)
|
||||
mac_create_mbuf_from_bpfdesc(struct bpf_d *d, struct mbuf *m)
|
||||
{
|
||||
struct label *label;
|
||||
|
||||
BPFD_LOCK_ASSERT(bpf_d);
|
||||
BPFD_LOCK_ASSERT(d);
|
||||
|
||||
label = mac_mbuf_to_label(mbuf);
|
||||
label = mac_mbuf_to_label(m);
|
||||
|
||||
MAC_PERFORM(create_mbuf_from_bpfdesc, bpf_d, bpf_d->bd_label, mbuf,
|
||||
label);
|
||||
MAC_PERFORM(create_mbuf_from_bpfdesc, d, d->bd_label, m, label);
|
||||
}
|
||||
|
||||
void
|
||||
mac_create_mbuf_linklayer(struct ifnet *ifnet, struct mbuf *mbuf)
|
||||
mac_create_mbuf_linklayer(struct ifnet *ifp, struct mbuf *m)
|
||||
{
|
||||
struct label *label;
|
||||
|
||||
label = mac_mbuf_to_label(mbuf);
|
||||
label = mac_mbuf_to_label(m);
|
||||
|
||||
MAC_IFNET_LOCK(ifnet);
|
||||
MAC_PERFORM(create_mbuf_linklayer, ifnet, ifnet->if_label, mbuf,
|
||||
label);
|
||||
MAC_IFNET_UNLOCK(ifnet);
|
||||
MAC_IFNET_LOCK(ifp);
|
||||
MAC_PERFORM(create_mbuf_linklayer, ifp, ifp->if_label, m, label);
|
||||
MAC_IFNET_UNLOCK(ifp);
|
||||
}
|
||||
|
||||
void
|
||||
mac_create_mbuf_from_ifnet(struct ifnet *ifnet, struct mbuf *mbuf)
|
||||
mac_create_mbuf_from_ifnet(struct ifnet *ifp, struct mbuf *m)
|
||||
{
|
||||
struct label *label;
|
||||
|
||||
label = mac_mbuf_to_label(mbuf);
|
||||
label = mac_mbuf_to_label(m);
|
||||
|
||||
MAC_IFNET_LOCK(ifnet);
|
||||
MAC_PERFORM(create_mbuf_from_ifnet, ifnet, ifnet->if_label, mbuf,
|
||||
label);
|
||||
MAC_IFNET_UNLOCK(ifnet);
|
||||
MAC_IFNET_LOCK(ifp);
|
||||
MAC_PERFORM(create_mbuf_from_ifnet, ifp, ifp->if_label, m, label);
|
||||
MAC_IFNET_UNLOCK(ifp);
|
||||
}
|
||||
|
||||
void
|
||||
mac_create_mbuf_multicast_encap(struct mbuf *oldmbuf, struct ifnet *ifnet,
|
||||
struct mbuf *newmbuf)
|
||||
mac_create_mbuf_multicast_encap(struct mbuf *m, struct ifnet *ifp,
|
||||
struct mbuf *mnew)
|
||||
{
|
||||
struct label *oldmbuflabel, *newmbuflabel;
|
||||
struct label *mlabel, *mnewlabel;
|
||||
|
||||
oldmbuflabel = mac_mbuf_to_label(oldmbuf);
|
||||
newmbuflabel = mac_mbuf_to_label(newmbuf);
|
||||
mlabel = mac_mbuf_to_label(m);
|
||||
mnewlabel = mac_mbuf_to_label(mnew);
|
||||
|
||||
MAC_IFNET_LOCK(ifnet);
|
||||
MAC_PERFORM(create_mbuf_multicast_encap, oldmbuf, oldmbuflabel,
|
||||
ifnet, ifnet->if_label, newmbuf, newmbuflabel);
|
||||
MAC_IFNET_UNLOCK(ifnet);
|
||||
MAC_IFNET_LOCK(ifp);
|
||||
MAC_PERFORM(create_mbuf_multicast_encap, m, mlabel, ifp,
|
||||
ifp->if_label, mnew, mnewlabel);
|
||||
MAC_IFNET_UNLOCK(ifp);
|
||||
}
|
||||
|
||||
void
|
||||
mac_create_mbuf_netlayer(struct mbuf *oldmbuf, struct mbuf *newmbuf)
|
||||
mac_create_mbuf_netlayer(struct mbuf *m, struct mbuf *mnew)
|
||||
{
|
||||
struct label *oldmbuflabel, *newmbuflabel;
|
||||
struct label *mlabel, *mnewlabel;
|
||||
|
||||
oldmbuflabel = mac_mbuf_to_label(oldmbuf);
|
||||
newmbuflabel = mac_mbuf_to_label(newmbuf);
|
||||
mlabel = mac_mbuf_to_label(m);
|
||||
mnewlabel = mac_mbuf_to_label(mnew);
|
||||
|
||||
MAC_PERFORM(create_mbuf_netlayer, oldmbuf, oldmbuflabel, newmbuf,
|
||||
newmbuflabel);
|
||||
MAC_PERFORM(create_mbuf_netlayer, m, mlabel, mnew, mnewlabel);
|
||||
}
|
||||
|
||||
int
|
||||
mac_check_bpfdesc_receive(struct bpf_d *bpf_d, struct ifnet *ifnet)
|
||||
mac_check_bpfdesc_receive(struct bpf_d *d, struct ifnet *ifp)
|
||||
{
|
||||
int error;
|
||||
|
||||
BPFD_LOCK_ASSERT(bpf_d);
|
||||
BPFD_LOCK_ASSERT(d);
|
||||
|
||||
MAC_IFNET_LOCK(ifnet);
|
||||
MAC_CHECK(check_bpfdesc_receive, bpf_d, bpf_d->bd_label, ifnet,
|
||||
ifnet->if_label);
|
||||
MAC_IFNET_UNLOCK(ifnet);
|
||||
MAC_IFNET_LOCK(ifp);
|
||||
MAC_CHECK(check_bpfdesc_receive, d, d->bd_label, ifp, ifp->if_label);
|
||||
MAC_IFNET_UNLOCK(ifp);
|
||||
|
||||
return (error);
|
||||
}
|
||||
|
||||
int
|
||||
mac_check_ifnet_transmit(struct ifnet *ifnet, struct mbuf *mbuf)
|
||||
mac_check_ifnet_transmit(struct ifnet *ifp, struct mbuf *m)
|
||||
{
|
||||
struct label *label;
|
||||
int error;
|
||||
|
||||
M_ASSERTPKTHDR(mbuf);
|
||||
M_ASSERTPKTHDR(m);
|
||||
|
||||
label = mac_mbuf_to_label(mbuf);
|
||||
label = mac_mbuf_to_label(m);
|
||||
|
||||
MAC_IFNET_LOCK(ifnet);
|
||||
MAC_CHECK(check_ifnet_transmit, ifnet, ifnet->if_label, mbuf,
|
||||
label);
|
||||
MAC_IFNET_UNLOCK(ifnet);
|
||||
MAC_IFNET_LOCK(ifp);
|
||||
MAC_CHECK(check_ifnet_transmit, ifp, ifp->if_label, m, label);
|
||||
MAC_IFNET_UNLOCK(ifp);
|
||||
|
||||
return (error);
|
||||
}
|
||||
|
||||
int
|
||||
mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr,
|
||||
struct ifnet *ifnet)
|
||||
struct ifnet *ifp)
|
||||
{
|
||||
char *elements, *buffer;
|
||||
struct label *intlabel;
|
||||
@ -418,9 +412,9 @@ mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr,
|
||||
|
||||
buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
|
||||
intlabel = mac_ifnet_label_alloc();
|
||||
MAC_IFNET_LOCK(ifnet);
|
||||
mac_copy_ifnet_label(ifnet->if_label, intlabel);
|
||||
MAC_IFNET_UNLOCK(ifnet);
|
||||
MAC_IFNET_LOCK(ifp);
|
||||
mac_copy_ifnet_label(ifp->if_label, intlabel);
|
||||
MAC_IFNET_UNLOCK(ifp);
|
||||
error = mac_externalize_ifnet_label(intlabel, elements, buffer,
|
||||
mac.m_buflen);
|
||||
mac_ifnet_label_free(intlabel);
|
||||
@ -434,8 +428,7 @@ mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr,
|
||||
}
|
||||
|
||||
int
|
||||
mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr,
|
||||
struct ifnet *ifnet)
|
||||
mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr, struct ifnet *ifp)
|
||||
{
|
||||
struct label *intlabel;
|
||||
struct mac mac;
|
||||
@ -476,17 +469,16 @@ mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr,
|
||||
return (error);
|
||||
}
|
||||
|
||||
MAC_IFNET_LOCK(ifnet);
|
||||
MAC_CHECK(check_ifnet_relabel, cred, ifnet, ifnet->if_label,
|
||||
intlabel);
|
||||
MAC_IFNET_LOCK(ifp);
|
||||
MAC_CHECK(check_ifnet_relabel, cred, ifp, ifp->if_label, intlabel);
|
||||
if (error) {
|
||||
MAC_IFNET_UNLOCK(ifnet);
|
||||
MAC_IFNET_UNLOCK(ifp);
|
||||
mac_ifnet_label_free(intlabel);
|
||||
return (error);
|
||||
}
|
||||
|
||||
MAC_PERFORM(relabel_ifnet, cred, ifnet, ifnet->if_label, intlabel);
|
||||
MAC_IFNET_UNLOCK(ifnet);
|
||||
MAC_PERFORM(relabel_ifnet, cred, ifp, ifp->if_label, intlabel);
|
||||
MAC_IFNET_UNLOCK(ifp);
|
||||
|
||||
mac_ifnet_label_free(intlabel);
|
||||
return (0);
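Review bot: The signature of `mac_ioctl_ifnet_set` is collapsed onto a single line (`mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr, struct ifnet *ifp)`), while the sibling `mac_ioctl_ifnet_get` earlier in this section keeps the two-line form with `struct ifnet *ifp)` on a continuation line, although the two signatures are the same length. Pick one wrapping for the pair; the two-line form matches the continuation style used elsewhere in this file. Both functions' bodies extend beyond the hunks shown.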
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*-
|
||||
* Copyright (c) 2002, 2003 Networks Associates Technology, Inc.
|
||||
* Copyright (c) 2002-2003 Networks Associates Technology, Inc.
|
||||
* All rights reserved.
|
||||
*
|
||||
* This software was developed for the FreeBSD Project in part by Network
|
||||
|
@ -196,65 +196,64 @@ typedef int (*mpo_internalize_vnode_label_t)(struct label *label,
|
||||
* like file system objects.
|
||||
*/
|
||||
typedef void (*mpo_associate_vnode_devfs_t)(struct mount *mp,
|
||||
struct label *mntlabel, struct devfs_dirent *de,
|
||||
struct label *mplabel, struct devfs_dirent *de,
|
||||
struct label *delabel, struct vnode *vp,
|
||||
struct label *vlabel);
|
||||
struct label *vplabel);
|
||||
typedef int (*mpo_associate_vnode_extattr_t)(struct mount *mp,
|
||||
struct label *mntlabel, struct vnode *vp,
|
||||
struct label *vlabel);
|
||||
struct label *mplabel, struct vnode *vp,
|
||||
struct label *vplabel);
|
||||
typedef void (*mpo_associate_vnode_singlelabel_t)(struct mount *mp,
|
||||
struct label *mntlabel, struct vnode *vp,
|
||||
struct label *vlabel);
|
||||
struct label *mplabel, struct vnode *vp,
|
||||
struct label *vplabel);
|
||||
typedef void (*mpo_create_devfs_device_t)(struct ucred *cred,
|
||||
struct mount *mp, struct cdev *dev,
|
||||
struct devfs_dirent *de, struct label *label);
|
||||
struct devfs_dirent *de, struct label *delabel);
|
||||
typedef void (*mpo_create_devfs_directory_t)(struct mount *mp,
|
||||
char *dirname, int dirnamelen, struct devfs_dirent *de,
|
||||
struct label *label);
|
||||
struct label *delabel);
|
||||
typedef void (*mpo_create_devfs_symlink_t)(struct ucred *cred,
|
||||
struct mount *mp, struct devfs_dirent *dd,
|
||||
struct label *ddlabel, struct devfs_dirent *de,
|
||||
struct label *delabel);
|
||||
typedef int (*mpo_create_vnode_extattr_t)(struct ucred *cred,
|
||||
struct mount *mp, struct label *mntlabel,
|
||||
struct vnode *dvp, struct label *dlabel,
|
||||
struct vnode *vp, struct label *vlabel,
|
||||
struct mount *mp, struct label *mplabel,
|
||||
struct vnode *dvp, struct label *dvplabel,
|
||||
struct vnode *vp, struct label *vplabel,
|
||||
struct componentname *cnp);
|
||||
typedef void (*mpo_create_mount_t)(struct ucred *cred, struct mount *mp,
|
||||
struct label *mntlabel);
|
||||
struct label *mplabel);
|
||||
typedef void (*mpo_relabel_vnode_t)(struct ucred *cred, struct vnode *vp,
|
||||
struct label *vnodelabel, struct label *label);
|
||||
struct label *vplabel, struct label *label);
|
||||
typedef int (*mpo_setlabel_vnode_extattr_t)(struct ucred *cred,
|
||||
struct vnode *vp, struct label *vlabel,
|
||||
struct vnode *vp, struct label *vplabel,
|
||||
struct label *intlabel);
|
||||
typedef void (*mpo_update_devfsdirent_t)(struct mount *mp,
|
||||
struct devfs_dirent *devfs_dirent,
|
||||
struct label *direntlabel, struct vnode *vp,
|
||||
struct label *vnodelabel);
|
||||
struct devfs_dirent *de, struct label *delabel,
|
||||
struct vnode *vp, struct label *vplabel);
|
||||
|
||||
/*
|
||||
* Labeling event operations: IPC objects.
|
||||
*/
|
||||
typedef void (*mpo_create_mbuf_from_socket_t)(struct socket *so,
|
||||
struct label *socketlabel, struct mbuf *m,
|
||||
struct label *mbuflabel);
|
||||
struct label *solabel, struct mbuf *m,
|
||||
struct label *mlabel);
|
||||
typedef void (*mpo_create_socket_t)(struct ucred *cred, struct socket *so,
|
||||
struct label *socketlabel);
|
||||
typedef void (*mpo_create_socket_from_socket_t)(struct socket *oldsocket,
|
||||
struct label *oldsocketlabel, struct socket *newsocket,
|
||||
struct label *newsocketlabel);
|
||||
struct label *solabel);
|
||||
typedef void (*mpo_create_socket_from_socket_t)(struct socket *oldso,
|
||||
struct label *oldsolabel, struct socket *newso,
|
||||
struct label *newsolabel);
|
||||
typedef void (*mpo_relabel_socket_t)(struct ucred *cred, struct socket *so,
|
||||
struct label *oldlabel, struct label *newlabel);
|
||||
typedef void (*mpo_relabel_pipe_t)(struct ucred *cred, struct pipepair *pp,
|
||||
struct label *oldlabel, struct label *newlabel);
|
||||
typedef void (*mpo_set_socket_peer_from_mbuf_t)(struct mbuf *mbuf,
|
||||
struct label *mbuflabel, struct socket *so,
|
||||
struct label *socketpeerlabel);
|
||||
typedef void (*mpo_set_socket_peer_from_socket_t)(struct socket *oldsocket,
|
||||
struct label *oldsocketlabel, struct socket *newsocket,
|
||||
struct label *newsocketpeerlabel);
|
||||
typedef void (*mpo_set_socket_peer_from_mbuf_t)(struct mbuf *m,
|
||||
struct label *mlabel, struct socket *so,
|
||||
struct label *sopeerlabel);
|
||||
typedef void (*mpo_set_socket_peer_from_socket_t)(struct socket *oldso,
|
||||
struct label *oldsolabel, struct socket *newso,
|
||||
struct label *newsopeerlabel);
|
||||
typedef void (*mpo_create_pipe_t)(struct ucred *cred, struct pipepair *pp,
|
||||
struct label *pipelabel);
|
||||
struct label *pplabel);
|
||||
|
||||
/*
|
||||
* Labeling event operations: System V IPC primitives.
|
||||
@ -279,53 +278,49 @@ typedef void (*mpo_create_posix_sem_t)(struct ucred *cred,
|
||||
* Labeling event operations: network objects.
|
||||
*/
|
||||
typedef void (*mpo_create_bpfdesc_t)(struct ucred *cred,
|
||||
struct bpf_d *bpf_d, struct label *bpflabel);
|
||||
typedef void (*mpo_create_ifnet_t)(struct ifnet *ifnet,
|
||||
struct label *ifnetlabel);
|
||||
struct bpf_d *d, struct label *dlabel);
|
||||
typedef void (*mpo_create_ifnet_t)(struct ifnet *ifp,
|
||||
struct label *ifplabel);
|
||||
typedef void (*mpo_create_inpcb_from_socket_t)(struct socket *so,
|
||||
struct label *solabel, struct inpcb *inp,
|
||||
struct label *inplabel);
|
||||
typedef void (*mpo_create_ipq_t)(struct mbuf *fragment,
|
||||
struct label *fragmentlabel, struct ipq *ipq,
|
||||
struct label *ipqlabel);
|
||||
typedef void (*mpo_create_ipq_t)(struct mbuf *m, struct label *mlabel,
|
||||
struct ipq *ipq, struct label *ipqlabel);
|
||||
typedef void (*mpo_create_datagram_from_ipq)
|
||||
(struct ipq *ipq, struct label *ipqlabel,
|
||||
struct mbuf *datagram, struct label *datagramlabel);
|
||||
typedef void (*mpo_create_fragment_t)(struct mbuf *datagram,
|
||||
struct label *datagramlabel, struct mbuf *fragment,
|
||||
struct label *fragmentlabel);
|
||||
(struct ipq *ipq, struct label *ipqlabel, struct mbuf *m,
|
||||
struct label *mlabel);
|
||||
typedef void (*mpo_create_fragment_t)(struct mbuf *m,
|
||||
struct label *mlabel, struct mbuf *frag,
|
||||
struct label *fraglabel);
|
||||
typedef void (*mpo_create_mbuf_from_inpcb_t)(struct inpcb *inp,
|
||||
struct label *inplabel, struct mbuf *m,
|
||||
struct label *mlabel);
|
||||
typedef void (*mpo_create_mbuf_linklayer_t)(struct ifnet *ifnet,
|
||||
struct label *ifnetlabel, struct mbuf *mbuf,
|
||||
struct label *mbuflabel);
|
||||
typedef void (*mpo_create_mbuf_from_bpfdesc_t)(struct bpf_d *bpf_d,
|
||||
struct label *bpflabel, struct mbuf *mbuf,
|
||||
struct label *mbuflabel);
|
||||
typedef void (*mpo_create_mbuf_from_ifnet_t)(struct ifnet *ifnet,
|
||||
struct label *ifnetlabel, struct mbuf *mbuf,
|
||||
struct label *mbuflabel);
|
||||
typedef void (*mpo_create_mbuf_multicast_encap_t)(struct mbuf *oldmbuf,
|
||||
struct label *oldmbuflabel, struct ifnet *ifnet,
|
||||
struct label *ifnetlabel, struct mbuf *newmbuf,
|
||||
struct label *newmbuflabel);
|
||||
typedef void (*mpo_create_mbuf_netlayer_t)(struct mbuf *oldmbuf,
|
||||
struct label *oldmbuflabel, struct mbuf *newmbuf,
|
||||
struct label *newmbuflabel);
|
||||
typedef int (*mpo_fragment_match_t)(struct mbuf *fragment,
|
||||
struct label *fragmentlabel, struct ipq *ipq,
|
||||
struct label *ipqlabel);
|
||||
typedef void (*mpo_create_mbuf_linklayer_t)(struct ifnet *ifp,
|
||||
struct label *ifplabel, struct mbuf *m,
|
||||
struct label *mlabel);
|
||||
typedef void (*mpo_create_mbuf_from_bpfdesc_t)(struct bpf_d *d,
|
||||
struct label *dlabel, struct mbuf *m,
|
||||
struct label *mlabel);
|
||||
typedef void (*mpo_create_mbuf_from_ifnet_t)(struct ifnet *ifp,
|
||||
struct label *ifplabel, struct mbuf *m,
|
||||
struct label *mlabel);
|
||||
typedef void (*mpo_create_mbuf_multicast_encap_t)(struct mbuf *m,
|
||||
struct label *mlabel, struct ifnet *ifp,
|
||||
struct label *ifplabel, struct mbuf *mnew,
|
||||
struct label *mnewlabel);
|
||||
typedef void (*mpo_create_mbuf_netlayer_t)(struct mbuf *m,
|
||||
struct label *mlabel, struct mbuf *mnew,
|
||||
struct label *mnewlabel);
|
||||
typedef int (*mpo_fragment_match_t)(struct mbuf *m, struct label *mlabel,
|
||||
struct ipq *ipq, struct label *ipqlabel);
|
||||
typedef void (*mpo_reflect_mbuf_icmp_t)(struct mbuf *m,
|
||||
struct label *mlabel);
|
||||
typedef void (*mpo_reflect_mbuf_tcp_t)(struct mbuf *m,
|
||||
struct label *mlabel);
|
||||
typedef void (*mpo_relabel_ifnet_t)(struct ucred *cred,
|
||||
struct ifnet *ifnet, struct label *ifnetlabel,
|
||||
struct label *newlabel);
|
||||
typedef void (*mpo_update_ipq_t)(struct mbuf *fragment,
|
||||
struct label *fragmentlabel, struct ipq *ipq,
|
||||
struct label *ipqlabel);
|
||||
typedef void (*mpo_relabel_ifnet_t)(struct ucred *cred, struct ifnet *ifp,
|
||||
struct label *ifplabel, struct label *newlabel);
|
||||
typedef void (*mpo_update_ipq_t)(struct mbuf *m, struct label *mlabel,
|
||||
struct ipq *ipq, struct label *ipqlabel);
|
||||
typedef void (*mpo_inpcb_sosetlabel_t)(struct socket *so,
|
||||
struct label *label, struct inpcb *inp,
|
||||
struct label *inplabel);
|
||||
@ -337,16 +332,16 @@ typedef int (*mpo_init_syncache_label_t)(struct label *label, int flag);
|
||||
typedef void (*mpo_init_syncache_from_inpcb_t)(struct label *label,
|
||||
struct inpcb *inp);
|
||||
typedef void (*mpo_create_mbuf_from_syncache_t)(struct label *sc_label,
|
||||
struct mbuf *m, struct label *mbuf_label);
|
||||
struct mbuf *m, struct label *mlabel);
|
||||
/*
|
||||
* Labeling event operations: processes.
|
||||
*/
|
||||
typedef void (*mpo_execve_transition_t)(struct ucred *old,
|
||||
struct ucred *new, struct vnode *vp,
|
||||
struct label *vnodelabel, struct label *interpvnodelabel,
|
||||
struct label *vplabel, struct label *interpvnodelabel,
|
||||
struct image_params *imgp, struct label *execlabel);
|
||||
typedef int (*mpo_execve_will_transition_t)(struct ucred *old,
|
||||
struct vnode *vp, struct label *vnodelabel,
|
||||
struct vnode *vp, struct label *vplabel,
|
||||
struct label *interpvnodelabel,
|
||||
struct image_params *imgp, struct label *execlabel);
|
||||
typedef void (*mpo_create_proc0_t)(struct ucred *cred);
|
||||
@ -358,19 +353,19 @@ typedef void (*mpo_thread_userret_t)(struct thread *thread);
|
||||
/*
|
||||
* Access control checks.
|
||||
*/
|
||||
typedef int (*mpo_check_bpfdesc_receive_t)(struct bpf_d *bpf_d,
|
||||
struct label *bpflabel, struct ifnet *ifnet,
|
||||
struct label *ifnetlabel);
|
||||
typedef int (*mpo_check_bpfdesc_receive_t)(struct bpf_d *d,
|
||||
struct label *dlabel, struct ifnet *ifp,
|
||||
struct label *ifplabel);
|
||||
typedef int (*mpo_check_cred_relabel_t)(struct ucred *cred,
|
||||
struct label *newlabel);
|
||||
typedef int (*mpo_check_cred_visible_t)(struct ucred *u1,
|
||||
struct ucred *u2);
|
||||
typedef int (*mpo_check_cred_visible_t)(struct ucred *cr1,
|
||||
struct ucred *cr2);
|
||||
typedef int (*mpo_check_ifnet_relabel_t)(struct ucred *cred,
|
||||
struct ifnet *ifnet, struct label *ifnetlabel,
|
||||
struct ifnet *ifp, struct label *ifplabel,
|
||||
struct label *newlabel);
|
||||
typedef int (*mpo_check_ifnet_transmit_t)(struct ifnet *ifnet,
|
||||
struct label *ifnetlabel, struct mbuf *m,
|
||||
struct label *mbuflabel);
|
||||
typedef int (*mpo_check_ifnet_transmit_t)(struct ifnet *ifp,
|
||||
struct label *ifplabel, struct mbuf *m,
|
||||
struct label *mlabel);
|
||||
typedef int (*mpo_check_inpcb_deliver_t)(struct inpcb *inp,
|
||||
struct label *inplabel, struct mbuf *m,
|
||||
struct label *mlabel);
|
||||
@ -416,27 +411,27 @@ typedef int (*mpo_check_kenv_set_t)(struct ucred *cred, char *name,
|
||||
char *value);
|
||||
typedef int (*mpo_check_kenv_unset_t)(struct ucred *cred, char *name);
|
||||
typedef int (*mpo_check_kld_load_t)(struct ucred *cred, struct vnode *vp,
|
||||
struct label *vlabel);
|
||||
struct label *vplabel);
|
||||
typedef int (*mpo_check_kld_stat_t)(struct ucred *cred);
|
||||
typedef int (*mpo_mpo_placeholder19_t)(void);
|
||||
typedef int (*mpo_mpo_placeholder20_t)(void);
|
||||
typedef int (*mpo_check_mount_stat_t)(struct ucred *cred,
|
||||
struct mount *mp, struct label *mntlabel);
|
||||
struct mount *mp, struct label *mplabel);
|
||||
typedef int (*mpo_mpo_placeholder21_t)(void);
|
||||
typedef int (*mpo_check_pipe_ioctl_t)(struct ucred *cred,
|
||||
struct pipepair *pp, struct label *pipelabel,
|
||||
struct pipepair *pp, struct label *pplabel,
|
||||
unsigned long cmd, void *data);
|
||||
typedef int (*mpo_check_pipe_poll_t)(struct ucred *cred,
|
||||
struct pipepair *pp, struct label *pipelabel);
|
||||
struct pipepair *pp, struct label *pplabel);
|
||||
typedef int (*mpo_check_pipe_read_t)(struct ucred *cred,
|
||||
struct pipepair *pp, struct label *pipelabel);
|
||||
struct pipepair *pp, struct label *pplabel);
|
||||
typedef int (*mpo_check_pipe_relabel_t)(struct ucred *cred,
|
||||
struct pipepair *pp, struct label *pipelabel,
|
||||
struct pipepair *pp, struct label *pplabel,
|
||||
struct label *newlabel);
|
||||
typedef int (*mpo_check_pipe_stat_t)(struct ucred *cred,
|
||||
struct pipepair *pp, struct label *pipelabel);
|
||||
struct pipepair *pp, struct label *pplabel);
|
||||
typedef int (*mpo_check_pipe_write_t)(struct ucred *cred,
|
||||
struct pipepair *pp, struct label *pipelabel);
|
||||
struct pipepair *pp, struct label *pplabel);
|
||||
typedef int (*mpo_check_posix_sem_destroy_t)(struct ucred *cred,
|
||||
struct ksem *ksemptr, struct label *ks_label);
|
||||
typedef int (*mpo_check_posix_sem_getvalue_t)(struct ucred *cred,
|
||||
@ -450,9 +445,9 @@ typedef int (*mpo_check_posix_sem_unlink_t)(struct ucred *cred,
|
||||
typedef int (*mpo_check_posix_sem_wait_t)(struct ucred *cred,
|
||||
struct ksem *ksemptr, struct label *ks_label);
|
||||
typedef int (*mpo_check_proc_debug_t)(struct ucred *cred,
|
||||
struct proc *proc);
|
||||
struct proc *p);
|
||||
typedef int (*mpo_check_proc_sched_t)(struct ucred *cred,
|
||||
struct proc *proc);
|
||||
struct proc *p);
|
||||
typedef int (*mpo_check_proc_setaudit_t)(struct ucred *cred,
|
||||
struct auditinfo *ai);
|
||||
typedef int (*mpo_check_proc_setauid_t)(struct ucred *cred, uid_t auid);
|
||||
@ -475,35 +470,35 @@ typedef int (*mpo_check_proc_signal_t)(struct ucred *cred,
|
||||
typedef int (*mpo_check_proc_wait_t)(struct ucred *cred,
|
||||
struct proc *proc);
|
||||
typedef int (*mpo_check_socket_accept_t)(struct ucred *cred,
|
||||
struct socket *so, struct label *socketlabel);
|
||||
struct socket *so, struct label *solabel);
|
||||
typedef int (*mpo_check_socket_bind_t)(struct ucred *cred,
|
||||
struct socket *so, struct label *socketlabel,
|
||||
struct sockaddr *sockaddr);
|
||||
struct socket *so, struct label *solabel,
|
||||
struct sockaddr *sa);
|
||||
typedef int (*mpo_check_socket_connect_t)(struct ucred *cred,
|
||||
struct socket *so, struct label *socketlabel,
|
||||
struct sockaddr *sockaddr);
|
||||
struct socket *so, struct label *solabel,
|
||||
struct sockaddr *sa);
|
||||
typedef int (*mpo_check_socket_create_t)(struct ucred *cred, int domain,
|
||||
int type, int protocol);
|
||||
typedef int (*mpo_check_socket_deliver_t)(struct socket *so,
|
||||
struct label *socketlabel, struct mbuf *m,
|
||||
struct label *mbuflabel);
|
||||
struct label *solabel, struct mbuf *m,
|
||||
struct label *mlabel);
|
||||
typedef int (*mpo_check_socket_listen_t)(struct ucred *cred,
|
||||
struct socket *so, struct label *socketlabel);
|
||||
struct socket *so, struct label *solabel);
|
||||
typedef int (*mpo_check_socket_poll_t)(struct ucred *cred,
|
||||
struct socket *so, struct label *socketlabel);
|
||||
struct socket *so, struct label *solabel);
|
||||
typedef int (*mpo_check_socket_receive_t)(struct ucred *cred,
|
||||
struct socket *so, struct label *socketlabel);
|
||||
struct socket *so, struct label *solabel);
|
||||
typedef int (*mpo_check_socket_relabel_t)(struct ucred *cred,
|
||||
struct socket *so, struct label *socketlabel,
|
||||
struct socket *so, struct label *solabel,
|
||||
struct label *newlabel);
|
||||
typedef int (*mpo_check_socket_send_t)(struct ucred *cred,
|
||||
struct socket *so, struct label *socketlabel);
|
||||
struct socket *so, struct label *solabel);
|
||||
typedef int (*mpo_check_socket_stat_t)(struct ucred *cred,
|
||||
struct socket *so, struct label *socketlabel);
|
||||
struct socket *so, struct label *solabel);
|
||||
typedef int (*mpo_check_socket_visible_t)(struct ucred *cred,
|
||||
struct socket *so, struct label *socketlabel);
|
||||
struct socket *so, struct label *solabel);
|
||||
typedef int (*mpo_check_system_acct_t)(struct ucred *cred,
|
||||
struct vnode *vp, struct label *vlabel);
|
||||
struct vnode *vp, struct label *vplabel);
|
||||
typedef int (*mpo_check_system_audit_t)(struct ucred *cred, void *record,
|
||||
int length);
|
||||
typedef int (*mpo_check_system_auditctl_t)(struct ucred *cred,
|
||||
@ -511,101 +506,104 @@ typedef int (*mpo_check_system_auditctl_t)(struct ucred *cred,
|
||||
typedef int (*mpo_check_system_auditon_t)(struct ucred *cred, int cmd);
|
||||
typedef int (*mpo_check_system_reboot_t)(struct ucred *cred, int howto);
|
||||
typedef int (*mpo_check_system_swapon_t)(struct ucred *cred,
|
||||
struct vnode *vp, struct label *label);
|
||||
struct vnode *vp, struct label *vplabel);
|
||||
typedef int (*mpo_check_system_swapoff_t)(struct ucred *cred,
|
||||
struct vnode *vp, struct label *label);
|
||||
struct vnode *vp, struct label *vplabel);
|
||||
typedef int (*mpo_check_system_sysctl_t)(struct ucred *cred,
|
||||
struct sysctl_oid *oidp, void *arg1, int arg2,
|
||||
struct sysctl_req *req);
|
||||
typedef int (*mpo_check_vnode_access_t)(struct ucred *cred,
|
||||
struct vnode *vp, struct label *label, int acc_mode);
|
||||
struct vnode *vp, struct label *vplabel, int acc_mode);
|
||||
typedef int (*mpo_check_vnode_chdir_t)(struct ucred *cred,
|
||||
struct vnode *dvp, struct label *dlabel);
|
||||
struct vnode *dvp, struct label *dvplabel);
|
||||
typedef int (*mpo_check_vnode_chroot_t)(struct ucred *cred,
|
||||
struct vnode *dvp, struct label *dlabel);
|
||||
struct vnode *dvp, struct label *dvplabel);
|
||||
typedef int (*mpo_check_vnode_create_t)(struct ucred *cred,
|
||||
struct vnode *dvp, struct label *dlabel,
|
||||
struct vnode *dvp, struct label *dvplabel,
|
||||
struct componentname *cnp, struct vattr *vap);
|
||||
typedef int (*mpo_check_vnode_delete_t)(struct ucred *cred,
|
||||
struct vnode *dvp, struct label *dlabel,
|
||||
struct vnode *vp, struct label *label,
|
||||
struct vnode *dvp, struct label *dvplabel,
|
||||
struct vnode *vp, struct label *vplabel,
|
||||
struct componentname *cnp);
|
||||
typedef int (*mpo_check_vnode_deleteacl_t)(struct ucred *cred,
|
||||
struct vnode *vp, struct label *label, acl_type_t type);
|
||||
struct vnode *vp, struct label *vplabel,
|
||||
acl_type_t type);
|
||||
typedef int (*mpo_check_vnode_deleteextattr_t)(struct ucred *cred,
|
||||
struct vnode *vp, struct label *label, int attrnamespace,
|
||||
const char *name);
|
||||
struct vnode *vp, struct label *vplabel,
|
||||
int attrnamespace, const char *name);
|
||||
typedef int (*mpo_check_vnode_exec_t)(struct ucred *cred,
|
||||
struct vnode *vp, struct label *label,
|
||||
struct vnode *vp, struct label *vplabel,
|
||||
struct image_params *imgp, struct label *execlabel);
|
||||
typedef int (*mpo_check_vnode_getacl_t)(struct ucred *cred,
|
||||
struct vnode *vp, struct label *label, acl_type_t type);
|
||||
struct vnode *vp, struct label *vplabel,
|
||||
acl_type_t type);
|
||||
typedef int (*mpo_check_vnode_getextattr_t)(struct ucred *cred,
|
||||
struct vnode *vp, struct label *label, int attrnamespace,
|
||||
const char *name, struct uio *uio);
|
||||
struct vnode *vp, struct label *vplabel,
|
||||
int attrnamespace, const char *name, struct uio *uio);
|
||||
typedef int (*mpo_check_vnode_link_t)(struct ucred *cred,
|
||||
struct vnode *dvp, struct label *dlabel, struct vnode *vp,
|
||||
struct label *label, struct componentname *cnp);
|
||||
struct vnode *dvp, struct label *dvplabel,
|
||||
struct vnode *vp, struct label *vplabel,
|
||||
struct componentname *cnp);
|
||||
typedef int (*mpo_check_vnode_listextattr_t)(struct ucred *cred,
|
||||
struct vnode *vp, struct label *label,
|
||||
struct vnode *vp, struct label *vplabel,
|
||||
int attrnamespace);
|
||||
typedef int (*mpo_check_vnode_lookup_t)(struct ucred *cred,
|
||||
struct vnode *dvp, struct label *dlabel,
|
||||
struct vnode *dvp, struct label *dvplabel,
|
||||
struct componentname *cnp);
|
||||
typedef int (*mpo_check_vnode_mmap_t)(struct ucred *cred,
|
||||
struct vnode *vp, struct label *label, int prot,
|
||||
int flags);
|
||||
typedef void (*mpo_check_vnode_mmap_downgrade_t)(struct ucred *cred,
|
||||
struct vnode *vp, struct label *label, int *prot);
|
||||
struct vnode *vp, struct label *vplabel, int *prot);
|
||||
typedef int (*mpo_check_vnode_mprotect_t)(struct ucred *cred,
|
||||
struct vnode *vp, struct label *label, int prot);
|
||||
struct vnode *vp, struct label *vplabel, int prot);
|
||||
typedef int (*mpo_check_vnode_open_t)(struct ucred *cred,
|
||||
struct vnode *vp, struct label *label, int acc_mode);
|
||||
struct vnode *vp, struct label *vplabel, int acc_mode);
|
||||
typedef int (*mpo_check_vnode_poll_t)(struct ucred *active_cred,
|
||||
struct ucred *file_cred, struct vnode *vp,
|
||||
struct label *label);
|
||||
struct label *vplabel);
|
||||
typedef int (*mpo_check_vnode_read_t)(struct ucred *active_cred,
|
||||
struct ucred *file_cred, struct vnode *vp,
|
||||
struct label *label);
|
||||
struct label *vplabel);
|
||||
typedef int (*mpo_check_vnode_readdir_t)(struct ucred *cred,
|
||||
struct vnode *dvp, struct label *dlabel);
|
||||
struct vnode *dvp, struct label *dvplabel);
|
||||
typedef int (*mpo_check_vnode_readlink_t)(struct ucred *cred,
|
||||
struct vnode *vp, struct label *label);
|
||||
struct vnode *vp, struct label *vplabel);
|
||||
typedef int (*mpo_check_vnode_relabel_t)(struct ucred *cred,
|
||||
struct vnode *vp, struct label *vnodelabel,
|
||||
struct vnode *vp, struct label *vplabel,
|
||||
struct label *newlabel);
|
||||
typedef int (*mpo_check_vnode_rename_from_t)(struct ucred *cred,
|
||||
struct vnode *dvp, struct label *dlabel,
|
||||
struct vnode *vp, struct label *label,
|
||||
struct vnode *dvp, struct label *dvplabel,
|
||||
struct vnode *vp, struct label *vplabel,
|
||||
struct componentname *cnp);
|
||||
typedef int (*mpo_check_vnode_rename_to_t)(struct ucred *cred,
|
||||
struct vnode *dvp, struct label *dlabel,
|
||||
struct vnode *vp, struct label *label, int samedir,
|
||||
struct vnode *dvp, struct label *dvplabel,
|
||||
struct vnode *vp, struct label *vplabel, int samedir,
|
||||
struct componentname *cnp);
|
||||
typedef int (*mpo_check_vnode_revoke_t)(struct ucred *cred,
|
||||
struct vnode *vp, struct label *label);
|
||||
struct vnode *vp, struct label *vplabel);
|
||||
typedef int (*mpo_check_vnode_setacl_t)(struct ucred *cred,
|
||||
struct vnode *vp, struct label *label, acl_type_t type,
|
||||
struct vnode *vp, struct label *vplabel, acl_type_t type,
|
||||
struct acl *acl);
|
||||
typedef int (*mpo_check_vnode_setextattr_t)(struct ucred *cred,
|
||||
struct vnode *vp, struct label *label, int attrnamespace,
|
||||
const char *name, struct uio *uio);
|
||||
struct vnode *vp, struct label *vplabel,
|
||||
int attrnamespace, const char *name, struct uio *uio);
|
||||
typedef int (*mpo_check_vnode_setflags_t)(struct ucred *cred,
|
||||
struct vnode *vp, struct label *label, u_long flags);
|
||||
struct vnode *vp, struct label *vplabel, u_long flags);
|
||||
typedef int (*mpo_check_vnode_setmode_t)(struct ucred *cred,
|
||||
struct vnode *vp, struct label *label, mode_t mode);
|
||||
struct vnode *vp, struct label *vplabel, mode_t mode);
|
||||
typedef int (*mpo_check_vnode_setowner_t)(struct ucred *cred,
|
||||
struct vnode *vp, struct label *label, uid_t uid,
|
||||
struct vnode *vp, struct label *vplabel, uid_t uid,
|
||||
gid_t gid);
|
||||
typedef int (*mpo_check_vnode_setutimes_t)(struct ucred *cred,
|
||||
struct vnode *vp, struct label *label,
|
||||
struct vnode *vp, struct label *vplabel,
|
||||
struct timespec atime, struct timespec mtime);
|
||||
typedef int (*mpo_check_vnode_stat_t)(struct ucred *active_cred,
|
||||
struct ucred *file_cred, struct vnode *vp,
|
||||
struct label *label);
|
||||
struct label *vplabel);
|
||||
typedef int (*mpo_check_vnode_write_t)(struct ucred *active_cred,
|
||||
struct ucred *file_cred, struct vnode *vp,
|
||||
struct label *label);
|
||||
struct label *vplabel);
|
||||
typedef void (*mpo_associate_nfsd_label_t)(struct ucred *cred);
|
||||
typedef int (*mpo_priv_check_t)(struct ucred *cred, int priv);
|
||||
typedef int (*mpo_priv_grant_t)(struct ucred *cred, int priv);
|
||||
|
@ -446,163 +446,168 @@ mac_check_cred_relabel(struct ucred *cred, struct label *newlabel)
|
||||
}
|
||||
|
||||
int
|
||||
mac_check_cred_visible(struct ucred *u1, struct ucred *u2)
|
||||
mac_check_cred_visible(struct ucred *cr1, struct ucred *cr2)
|
||||
{
|
||||
int error;
|
||||
|
||||
MAC_CHECK(check_cred_visible, u1, u2);
|
||||
MAC_CHECK(check_cred_visible, cr1, cr2);
|
||||
|
||||
return (error);
|
||||
}
|
||||
|
||||
int
|
||||
mac_check_proc_debug(struct ucred *cred, struct proc *proc)
|
||||
mac_check_proc_debug(struct ucred *cred, struct proc *p)
|
||||
{
|
||||
int error;
|
||||
|
||||
PROC_LOCK_ASSERT(proc, MA_OWNED);
|
||||
PROC_LOCK_ASSERT(p, MA_OWNED);
|
||||
|
||||
MAC_CHECK(check_proc_debug, cred, proc);
|
||||
MAC_CHECK(check_proc_debug, cred, p);
|
||||
|
||||
return (error);
|
||||
}
|
||||
|
||||
int
|
||||
mac_check_proc_sched(struct ucred *cred, struct proc *proc)
|
||||
mac_check_proc_sched(struct ucred *cred, struct proc *p)
|
||||
{
|
||||
int error;
|
||||
|
||||
PROC_LOCK_ASSERT(proc, MA_OWNED);
|
||||
PROC_LOCK_ASSERT(p, MA_OWNED);
|
||||
|
||||
MAC_CHECK(check_proc_sched, cred, proc);
|
||||
MAC_CHECK(check_proc_sched, cred, p);
|
||||
|
||||
return (error);
|
||||
}
|
||||
|
||||
int
|
||||
mac_check_proc_signal(struct ucred *cred, struct proc *proc, int signum)
|
||||
mac_check_proc_signal(struct ucred *cred, struct proc *p, int signum)
|
||||
{
|
||||
int error;
|
||||
|
||||
PROC_LOCK_ASSERT(proc, MA_OWNED);
|
||||
PROC_LOCK_ASSERT(p, MA_OWNED);
|
||||
|
||||
MAC_CHECK(check_proc_signal, cred, proc, signum);
|
||||
MAC_CHECK(check_proc_signal, cred, p, signum);
|
||||
|
||||
return (error);
|
||||
}
|
||||
|
||||
int
|
||||
mac_check_proc_setuid(struct proc *proc, struct ucred *cred, uid_t uid)
|
||||
mac_check_proc_setuid(struct proc *p, struct ucred *cred, uid_t uid)
|
||||
{
|
||||
int error;
|
||||
|
||||
PROC_LOCK_ASSERT(proc, MA_OWNED);
|
||||
PROC_LOCK_ASSERT(p, MA_OWNED);
|
||||
|
||||
MAC_CHECK(check_proc_setuid, cred, uid);
|
||||
return (error);
|
||||
}
|
||||
|
||||
int
|
||||
mac_check_proc_seteuid(struct proc *proc, struct ucred *cred, uid_t euid)
|
||||
mac_check_proc_seteuid(struct proc *p, struct ucred *cred, uid_t euid)
|
||||
{
|
||||
int error;
|
||||
|
||||
PROC_LOCK_ASSERT(proc, MA_OWNED);
|
||||
PROC_LOCK_ASSERT(p, MA_OWNED);
|
||||
|
||||
MAC_CHECK(check_proc_seteuid, cred, euid);
|
||||
return (error);
|
||||
}
|
||||
|
||||
int
|
||||
mac_check_proc_setgid(struct proc *proc, struct ucred *cred, gid_t gid)
|
||||
mac_check_proc_setgid(struct proc *p, struct ucred *cred, gid_t gid)
|
||||
{
|
||||
int error;
|
||||
|
||||
PROC_LOCK_ASSERT(proc, MA_OWNED);
|
||||
PROC_LOCK_ASSERT(p, MA_OWNED);
|
||||
|
||||
MAC_CHECK(check_proc_setgid, cred, gid);
|
||||
|
||||
return (error);
|
||||
}
|
||||
|
||||
int
|
||||
mac_check_proc_setegid(struct proc *proc, struct ucred *cred, gid_t egid)
|
||||
mac_check_proc_setegid(struct proc *p, struct ucred *cred, gid_t egid)
|
||||
{
|
||||
int error;
|
||||
|
||||
PROC_LOCK_ASSERT(proc, MA_OWNED);
|
||||
PROC_LOCK_ASSERT(p, MA_OWNED);
|
||||
|
||||
MAC_CHECK(check_proc_setegid, cred, egid);
|
||||
|
||||
return (error);
|
||||
}
|
||||
|
||||
int
|
||||
mac_check_proc_setgroups(struct proc *proc, struct ucred *cred,
|
||||
int ngroups, gid_t *gidset)
|
||||
mac_check_proc_setgroups(struct proc *p, struct ucred *cred, int ngroups,
|
||||
gid_t *gidset)
|
||||
{
|
||||
int error;
|
||||
|
||||
PROC_LOCK_ASSERT(proc, MA_OWNED);
|
||||
PROC_LOCK_ASSERT(p, MA_OWNED);
|
||||
|
||||
MAC_CHECK(check_proc_setgroups, cred, ngroups, gidset);
|
||||
return (error);
|
||||
}
|
||||
|
||||
int
|
||||
mac_check_proc_setreuid(struct proc *proc, struct ucred *cred, uid_t ruid,
|
||||
uid_t euid)
|
||||
mac_check_proc_setreuid(struct proc *p, struct ucred *cred, uid_t ruid,
|
||||
uid_t euid)
|
||||
{
|
||||
int error;
|
||||
|
||||
PROC_LOCK_ASSERT(proc, MA_OWNED);
|
||||
PROC_LOCK_ASSERT(p, MA_OWNED);
|
||||
|
||||
MAC_CHECK(check_proc_setreuid, cred, ruid, euid);
|
||||
|
||||
return (error);
|
||||
}
|
||||
|
||||
int
|
||||
mac_check_proc_setregid(struct proc *proc, struct ucred *cred, gid_t rgid,
|
||||
gid_t egid)
|
||||
gid_t egid)
|
||||
{
|
||||
int error;
|
||||
|
||||
PROC_LOCK_ASSERT(proc, MA_OWNED);
|
||||
|
||||
MAC_CHECK(check_proc_setregid, cred, rgid, egid);
|
||||
|
||||
return (error);
|
||||
}
|
||||
|
||||
int
|
||||
mac_check_proc_setresuid(struct proc *proc, struct ucred *cred, uid_t ruid,
|
||||
uid_t euid, uid_t suid)
|
||||
mac_check_proc_setresuid(struct proc *p, struct ucred *cred, uid_t ruid,
|
||||
uid_t euid, uid_t suid)
|
||||
{
|
||||
int error;
|
||||
|
||||
PROC_LOCK_ASSERT(proc, MA_OWNED);
|
||||
PROC_LOCK_ASSERT(p, MA_OWNED);
|
||||
|
||||
MAC_CHECK(check_proc_setresuid, cred, ruid, euid, suid);
|
||||
return (error);
|
||||
}
|
||||
|
||||
int
|
||||
mac_check_proc_setresgid(struct proc *proc, struct ucred *cred, gid_t rgid,
|
||||
gid_t egid, gid_t sgid)
|
||||
mac_check_proc_setresgid(struct proc *p, struct ucred *cred, gid_t rgid,
|
||||
gid_t egid, gid_t sgid)
|
||||
{
|
||||
int error;
|
||||
|
||||
PROC_LOCK_ASSERT(proc, MA_OWNED);
|
||||
PROC_LOCK_ASSERT(p, MA_OWNED);
|
||||
|
||||
MAC_CHECK(check_proc_setresgid, cred, rgid, egid, sgid);
|
||||
|
||||
return (error);
|
||||
}
|
||||
|
||||
int
|
||||
mac_check_proc_wait(struct ucred *cred, struct proc *proc)
|
||||
mac_check_proc_wait(struct ucred *cred, struct proc *p)
|
||||
{
|
||||
int error;
|
||||
|
||||
PROC_LOCK_ASSERT(proc, MA_OWNED);
|
||||
PROC_LOCK_ASSERT(p, MA_OWNED);
|
||||
|
||||
MAC_CHECK(check_proc_wait, cred, proc);
|
||||
MAC_CHECK(check_proc_wait, cred, p);
|
||||
|
||||
return (error);
|
||||
}
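Review bot: mac_check_proc_setregid was skipped by the rename: its signature still reads `mac_check_proc_setregid(struct proc *proc, struct ucred *cred, gid_t rgid,` and the assertion `PROC_LOCK_ASSERT(proc, MA_OWNED);`, while every sibling in this hunk (setuid, seteuid, setgid, setegid, setgroups, setreuid, setresuid, setresgid, wait) now takes `struct proc *p`. Only the continuation line `gid_t egid)` was touched for that function, so the parameter name is the one inconsistency left in an otherwise uniform block; changing those two lines to `struct proc *p` and `PROC_LOCK_ASSERT(p, MA_OWNED);` completes it. The same drift appears in the earlier header hunk, where the policy-ops typedef `mpo_check_proc_wait_t` still spells its argument `struct proc *proc` although mac_check_proc_wait here uses `p`; prototype parameter names have no ABI effect, so this is cosmetic, but it is exactly the variation the commit sets out to remove.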
|
||||
|
@ -155,13 +155,13 @@ mac_socket_peer_label_free(struct label *label)
|
||||
}
|
||||
|
||||
void
|
||||
mac_destroy_socket(struct socket *socket)
|
||||
mac_destroy_socket(struct socket *so)
|
||||
{
|
||||
|
||||
mac_socket_label_free(socket->so_label);
|
||||
socket->so_label = NULL;
|
||||
mac_socket_peer_label_free(socket->so_peerlabel);
|
||||
socket->so_peerlabel = NULL;
|
||||
mac_socket_label_free(so->so_label);
|
||||
so->so_label = NULL;
|
||||
mac_socket_peer_label_free(so->so_peerlabel);
|
||||
so->so_peerlabel = NULL;
|
||||
}
|
||||
|
||||
void
|
||||
@ -204,47 +204,47 @@ mac_internalize_socket_label(struct label *label, char *string)
|
||||
}
|
||||
|
||||
void
|
||||
mac_create_socket(struct ucred *cred, struct socket *socket)
|
||||
mac_create_socket(struct ucred *cred, struct socket *so)
|
||||
{
|
||||
|
||||
MAC_PERFORM(create_socket, cred, socket, socket->so_label);
|
||||
MAC_PERFORM(create_socket, cred, so, so->so_label);
|
||||
}
|
||||
|
||||
void
|
||||
mac_create_socket_from_socket(struct socket *oldsocket,
|
||||
struct socket *newsocket)
|
||||
mac_create_socket_from_socket(struct socket *oldso, struct socket *newso)
|
||||
{
|
||||
|
||||
SOCK_LOCK_ASSERT(oldsocket);
|
||||
MAC_PERFORM(create_socket_from_socket, oldsocket, oldsocket->so_label,
|
||||
newsocket, newsocket->so_label);
|
||||
SOCK_LOCK_ASSERT(oldso);
|
||||
|
||||
MAC_PERFORM(create_socket_from_socket, oldso, oldso->so_label, newso,
|
||||
newso->so_label);
|
||||
}
|
||||
|
||||
static void
|
||||
mac_relabel_socket(struct ucred *cred, struct socket *socket,
|
||||
mac_relabel_socket(struct ucred *cred, struct socket *so,
|
||||
struct label *newlabel)
|
||||
{
|
||||
|
||||
SOCK_LOCK_ASSERT(socket);
|
||||
MAC_PERFORM(relabel_socket, cred, socket, socket->so_label, newlabel);
|
||||
SOCK_LOCK_ASSERT(so);
|
||||
|
||||
MAC_PERFORM(relabel_socket, cred, so, so->so_label, newlabel);
|
||||
}
|
||||
|
||||
void
|
||||
mac_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct socket *socket)
|
||||
mac_set_socket_peer_from_mbuf(struct mbuf *m, struct socket *so)
|
||||
{
|
||||
struct label *label;
|
||||
|
||||
SOCK_LOCK_ASSERT(socket);
|
||||
SOCK_LOCK_ASSERT(so);
|
||||
|
||||
label = mac_mbuf_to_label(mbuf);
|
||||
label = mac_mbuf_to_label(m);
|
||||
|
||||
MAC_PERFORM(set_socket_peer_from_mbuf, mbuf, label, socket,
|
||||
socket->so_peerlabel);
|
||||
MAC_PERFORM(set_socket_peer_from_mbuf, m, label, so,
|
||||
so->so_peerlabel);
|
||||
}
|
||||
|
||||
void
|
||||
mac_set_socket_peer_from_socket(struct socket *oldsocket,
|
||||
struct socket *newsocket)
|
||||
mac_set_socket_peer_from_socket(struct socket *oldso, struct socket *newso)
|
||||
{
|
||||
|
||||
/*
|
||||
@ -252,97 +252,94 @@ mac_set_socket_peer_from_socket(struct socket *oldsocket,
|
||||
* is the original, and one is the new. However, it's called in both
|
||||
* directions, so we can't assert the lock here currently.
|
||||
*/
|
||||
MAC_PERFORM(set_socket_peer_from_socket, oldsocket,
|
||||
oldsocket->so_label, newsocket, newsocket->so_peerlabel);
|
||||
MAC_PERFORM(set_socket_peer_from_socket, oldso, oldso->so_label,
|
||||
newso, newso->so_peerlabel);
|
||||
}
|
||||
|
||||
void
|
||||
mac_create_mbuf_from_socket(struct socket *socket, struct mbuf *mbuf)
|
||||
mac_create_mbuf_from_socket(struct socket *so, struct mbuf *m)
|
||||
{
|
||||
struct label *label;
|
||||
|
||||
label = mac_mbuf_to_label(mbuf);
|
||||
SOCK_LOCK_ASSERT(so);
|
||||
|
||||
SOCK_LOCK_ASSERT(socket);
|
||||
MAC_PERFORM(create_mbuf_from_socket, socket, socket->so_label, mbuf,
|
||||
label);
|
||||
label = mac_mbuf_to_label(m);
|
||||
|
||||
MAC_PERFORM(create_mbuf_from_socket, so, so->so_label, m, label);
|
||||
}
|
||||
|
||||
int
|
||||
mac_check_socket_accept(struct ucred *cred, struct socket *socket)
|
||||
mac_check_socket_accept(struct ucred *cred, struct socket *so)
|
||||
{
|
||||
int error;
|
||||
|
||||
SOCK_LOCK_ASSERT(socket);
|
||||
SOCK_LOCK_ASSERT(so);
|
||||
|
||||
MAC_CHECK(check_socket_accept, cred, socket, socket->so_label);
|
||||
MAC_CHECK(check_socket_accept, cred, so, so->so_label);
|
||||
|
||||
return (error);
|
||||
}
|
||||
|
||||
int
|
||||
mac_check_socket_bind(struct ucred *ucred, struct socket *socket,
|
||||
struct sockaddr *sockaddr)
|
||||
mac_check_socket_bind(struct ucred *ucred, struct socket *so,
|
||||
struct sockaddr *sa)
|
||||
{
|
||||
int error;
|
||||
|
||||
SOCK_LOCK_ASSERT(socket);
|
||||
SOCK_LOCK_ASSERT(so);
|
||||
|
||||
MAC_CHECK(check_socket_bind, ucred, socket, socket->so_label,
|
||||
sockaddr);
|
||||
MAC_CHECK(check_socket_bind, ucred, so, so->so_label, sa);
|
||||
|
||||
return (error);
|
||||
}
|
||||
|
||||
int
|
||||
mac_check_socket_connect(struct ucred *cred, struct socket *socket,
|
||||
struct sockaddr *sockaddr)
|
||||
mac_check_socket_connect(struct ucred *cred, struct socket *so,
|
||||
struct sockaddr *sa)
|
||||
{
|
||||
int error;
|
||||
|
||||
SOCK_LOCK_ASSERT(socket);
|
||||
SOCK_LOCK_ASSERT(so);
|
||||
|
||||
MAC_CHECK(check_socket_connect, cred, socket, socket->so_label,
|
||||
sockaddr);
|
||||
MAC_CHECK(check_socket_connect, cred, so, so->so_label, sa);
|
||||
|
||||
return (error);
|
||||
}
|
||||
|
||||
int
|
||||
mac_check_socket_create(struct ucred *cred, int domain, int type,
|
||||
int protocol)
|
||||
mac_check_socket_create(struct ucred *cred, int domain, int type, int proto)
|
||||
{
|
||||
int error;
|
||||
|
||||
MAC_CHECK(check_socket_create, cred, domain, type, protocol);
|
||||
MAC_CHECK(check_socket_create, cred, domain, type, proto);
|
||||
|
||||
return (error);
|
||||
}
|
||||
|
||||
int
|
||||
mac_check_socket_deliver(struct socket *socket, struct mbuf *mbuf)
|
||||
mac_check_socket_deliver(struct socket *so, struct mbuf *m)
|
||||
{
|
||||
struct label *label;
|
||||
int error;
|
||||
|
||||
SOCK_LOCK_ASSERT(socket);
|
||||
SOCK_LOCK_ASSERT(so);
|
||||
|
||||
label = mac_mbuf_to_label(mbuf);
|
||||
label = mac_mbuf_to_label(m);
|
||||
|
||||
MAC_CHECK(check_socket_deliver, socket, socket->so_label, mbuf,
|
||||
label);
|
||||
MAC_CHECK(check_socket_deliver, so, so->so_label, m, label);
|
||||
|
||||
return (error);
|
||||
}
|
||||
|
||||
int
|
||||
mac_check_socket_listen(struct ucred *cred, struct socket *socket)
|
||||
mac_check_socket_listen(struct ucred *cred, struct socket *so)
|
||||
{
|
||||
int error;
|
||||
|
||||
SOCK_LOCK_ASSERT(socket);
|
||||
SOCK_LOCK_ASSERT(so);
|
||||
|
||||
MAC_CHECK(check_socket_listen, cred, so, so->so_label);
|
||||
|
||||
MAC_CHECK(check_socket_listen, cred, socket, socket->so_label);
|
||||
return (error);
|
||||
}
|
||||
|
||||
@ -354,6 +351,7 @@ mac_check_socket_poll(struct ucred *cred, struct socket *so)
|
||||
SOCK_LOCK_ASSERT(so);
|
||||
|
||||
MAC_CHECK(check_socket_poll, cred, so, so->so_label);
|
||||
|
||||
return (error);
|
||||
}
|
||||
|
||||
@ -370,15 +368,14 @@ mac_check_socket_receive(struct ucred *cred, struct socket *so)
|
||||
}
|
||||
|
||||
static int
|
||||
mac_check_socket_relabel(struct ucred *cred, struct socket *socket,
|
||||
mac_check_socket_relabel(struct ucred *cred, struct socket *so,
|
||||
struct label *newlabel)
|
||||
{
|
||||
int error;
|
||||
|
||||
SOCK_LOCK_ASSERT(socket);
|
||||
SOCK_LOCK_ASSERT(so);
|
||||
|
||||
MAC_CHECK(check_socket_relabel, cred, socket, socket->so_label,
|
||||
newlabel);
|
||||
MAC_CHECK(check_socket_relabel, cred, so, so->so_label, newlabel);
|
||||
|
||||
return (error);
|
||||
}
|
||||
@ -408,13 +405,13 @@ mac_check_socket_stat(struct ucred *cred, struct socket *so)
|
||||
}
|
||||
|
||||
int
|
||||
mac_check_socket_visible(struct ucred *cred, struct socket *socket)
|
||||
mac_check_socket_visible(struct ucred *cred, struct socket *so)
|
||||
{
|
||||
int error;
|
||||
|
||||
SOCK_LOCK_ASSERT(socket);
|
||||
SOCK_LOCK_ASSERT(so);
|
||||
|
||||
MAC_CHECK(check_socket_visible, cred, socket, socket->so_label);
|
||||
MAC_CHECK(check_socket_visible, cred, so, so->so_label);
|
||||
|
||||
return (error);
|
||||
}
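Review bot: mac_check_socket_bind still names its credential argument `struct ucred *ucred`, while mac_check_socket_connect directly below it and every other check in this section use `cred`; the rename here touched only the socket and sockaddr parameters. `mac_check_socket_bind(struct ucred *cred, struct socket *so,` together with `MAC_CHECK(check_socket_bind, cred, so, so->so_label, sa);` would finish the normalization for this function. Separately, mac_check_socket_create now calls its last parameter `proto`, but the policy typedef `mpo_check_socket_create_t` in the earlier header hunk still says `int protocol`; that has no effect on callers or policies, but keeping the two spellings aligned is what this commit is for.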
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*-
|
||||
* Copyright (c) 2002, 2003 Networks Associates Technology, Inc.
|
||||
* Copyright (c) 2002-2003 Networks Associates Technology, Inc.
|
||||
* Copyright (c) 2007 Robert N. M. Watson
|
||||
* All rights reserved.
|
||||
*
|
||||
|