Introduce support for Mandatory Access Control and extensible

kernel access control. Invoke the necessary MAC entry points to maintain labels on sockets. In particular, invoke entry points during socket allocation and destruction, as well as creation by a process or during an accept-scenario (sonewconn). For UNIX domain sockets, also assign a peer label. As the socket code isn't locked down yet, locking interactions are not yet clear. Various protocol stack socket operations (such as peer label assignment for IPv4) will follow. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-31 03:03:22 +00:00 · 2002-07-31 03:03:22 +00:00 · 335654d73e
commit 335654d73e
parent bcdff313cf
4 changed files with 29 additions and 0 deletions
--- a/sys/kern/uipc_sockbuf.c
+++ b/sys/kern/uipc_sockbuf.c
@ -34,7 +34,9 @@
 * $FreeBSD$
 */

+#include "opt_mac.h"
 #include "opt_param.h"
+
 #include <sys/param.h>
 #include <sys/aio.h> /* for aio_swake proto */
 #include <sys/domain.h>
@ -43,6 +45,7 @@
 #include <sys/kernel.h>
 #include <sys/lock.h>
 #include <sys/malloc.h>
+#include <sys/mac.h>
 #include <sys/mbuf.h>
 #include <sys/mutex.h>
 #include <sys/proc.h>
@ -195,6 +198,9 @@ sonewconn(head, connstatus)
 	so->so_proto = head->so_proto;
 	so->so_timeo = head->so_timeo;
 	so->so_cred = crhold(head->so_cred);
+#ifdef MAC
+	mac_create_socket_from_socket(head, so);
+#endif
 	if (soreserve(so, head->so_snd.sb_hiwat, head->so_rcv.sb_hiwat) ||
 	    (*so->so_proto->pr_usrreqs->pru_attach)(so, 0, NULL)) {
 		sotryfree(so);
--- a/sys/kern/uipc_socket.c
+++ b/sys/kern/uipc_socket.c
@ -35,6 +35,7 @@
 */

 #include "opt_inet.h"
+#include "opt_mac.h"
 #include "opt_zero.h"

 #include <sys/param.h>
@ -42,6 +43,7 @@
 #include <sys/fcntl.h>
 #include <sys/lock.h>
 #include <sys/malloc.h>
+#include <sys/mac.h>
 #include <sys/mbuf.h>
 #include <sys/mutex.h>
 #include <sys/domain.h>
@ -143,6 +145,9 @@ soalloc(waitok)
 		/* sx_init(&so->so_sxlock, "socket sxlock"); */
 		TAILQ_INIT(&so->so_aiojobq);
 		++numopensockets;
+#ifdef MAC
+		mac_init_socket(so);
+#endif
 	}
 	return so;
 }
@ -190,6 +195,9 @@ socreate(dom, aso, type, proto, cred, td)
 	so->so_type = type;
 	so->so_cred = crhold(cred);
 	so->so_proto = prp;
+#ifdef MAC
+	mac_create_socket(td->td_ucred, so);
+#endif
 	soref(so);
 	error = (*prp->pr_usrreqs->pru_attach)(so, proto, td);
 	if (error) {
@ -237,6 +245,9 @@ sodealloc(struct socket *so)
 			FREE(so->so_accf->so_accept_filter_str, M_ACCF);
 		FREE(so->so_accf, M_ACCF);
 	}
+#endif
+#ifdef MAC
+	mac_destroy_socket(so);
 #endif
 	crfree(so->so_cred);
 	/* sx_destroy(&so->so_sxlock); */
--- a/sys/kern/uipc_socket2.c
+++ b/sys/kern/uipc_socket2.c
@ -34,7 +34,9 @@
 * $FreeBSD$
 */

+#include "opt_mac.h"
 #include "opt_param.h"
+
 #include <sys/param.h>
 #include <sys/aio.h> /* for aio_swake proto */
 #include <sys/domain.h>
@ -43,6 +45,7 @@
 #include <sys/kernel.h>
 #include <sys/lock.h>
 #include <sys/malloc.h>
+#include <sys/mac.h>
 #include <sys/mbuf.h>
 #include <sys/mutex.h>
 #include <sys/proc.h>
@ -195,6 +198,9 @@ sonewconn(head, connstatus)
 	so->so_proto = head->so_proto;
 	so->so_timeo = head->so_timeo;
 	so->so_cred = crhold(head->so_cred);
+#ifdef MAC
+	mac_create_socket_from_socket(head, so);
+#endif
 	if (soreserve(so, head->so_snd.sb_hiwat, head->so_rcv.sb_hiwat) ||
 	    (*so->so_proto->pr_usrreqs->pru_attach)(so, 0, NULL)) {
 		sotryfree(so);
--- a/sys/kern/uipc_usrreq.c
+++ b/sys/kern/uipc_usrreq.c
@ -34,6 +34,8 @@
 * $FreeBSD$
 */

+#include "opt_mac.h"
+
 #include <sys/param.h>
 #include <sys/domain.h>
 #include <sys/fcntl.h>
@ -731,6 +733,10 @@ unp_connect(so, nam, td)
 		memcpy(&unp->unp_peercred, &unp2->unp_peercred,
 		    sizeof(unp->unp_peercred));
 		unp->unp_flags |= UNP_HAVEPC;
+#ifdef MAC
+		mac_set_socket_peer_from_socket(so, so3);
+		mac_set_socket_peer_from_socket(so3, so);
+#endif

 		so2 = so3;
 	}