Introduce three additional MAC Framework and MAC Policy entry points to
control socket poll() (select()), fstat(), and accept() operations, required for some policies:

  poll()    mac_check_socket_poll()
  fstat()   mac_check_socket_stat()
  accept()  mac_check_socket_accept()

Update mac_stub and mac_test policies to be aware of these entry points.

While here, add missing entry point implementations for:

  mac_stub.c  stub_check_socket_receive()
  mac_stub.c  stub_check_socket_send()
  mac_test.c  mac_test_check_socket_send()
  mac_test.c  mac_test_check_socket_visible()

Obtained from:  TrustedBSD Project
Sponsored by:   SPAWAR, SPARTA
This commit is contained in:
parent
932d3e21cc
commit
7f53207b92
@ -234,6 +234,15 @@ soo_poll(fp, events, active_cred, td)
|
||||
int error;
|
||||
|
||||
NET_LOCK_GIANT();
|
||||
#ifdef MAC
|
||||
SOCK_LOCK(so);
|
||||
error = mac_check_socket_poll(active_cred, so);
|
||||
SOCK_UNLOCK(so);
|
||||
if (error) {
|
||||
NET_UNLOCK_GIANT();
|
||||
return (error);
|
||||
}
|
||||
#endif
|
||||
error = (so->so_proto->pr_usrreqs->pru_sopoll)
|
||||
(so, events, fp->f_cred, td);
|
||||
NET_UNLOCK_GIANT();
|
||||
@ -254,6 +263,15 @@ soo_stat(fp, ub, active_cred, td)
|
||||
bzero((caddr_t)ub, sizeof (*ub));
|
||||
ub->st_mode = S_IFSOCK;
|
||||
NET_LOCK_GIANT();
|
||||
#ifdef MAC
|
||||
SOCK_LOCK(so);
|
||||
error = mac_check_socket_stat(active_cred, so);
|
||||
SOCK_UNLOCK(so);
|
||||
if (error) {
|
||||
NET_UNLOCK_GIANT();
|
||||
return (error);
|
||||
}
|
||||
#endif
|
||||
/*
|
||||
* If SBS_CANTRCVMORE is set, but there's still data left in the
|
||||
* receive buffer, the socket is still readable.
|
||||
|
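Review bot: Both soo_poll and soo_stat unwind with the same two-line `NET_UNLOCK_GIANT(); return (error);` block inside the new `#ifdef MAC` region, so every early exit added to these functions later has to remember the Giant release; a single `if (error) goto out;` with one `out: NET_UNLOCK_GIANT();` label ahead of the function's return keeps the lock balance in one place. The MAC decision is also taken under SOCK_LOCK but the lock is dropped before the protocol operation that follows (`pru_sopoll` in soo_poll) runs, so the check applies to the label as it was at check time rather than being atomic with the operation; a one-line comment such as `/* Label checked under SOCK_LOCK; the protocol op runs after the lock is dropped. */` would record that this is intentional. Both enclosing functions start and end outside the hunks.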
@ -315,6 +315,13 @@ accept1(td, uap, compat)
|
||||
error = EINVAL;
|
||||
goto done;
|
||||
}
|
||||
#ifdef MAC
|
||||
SOCK_LOCK(head);
|
||||
error = mac_check_socket_accept(td->td_ucred, head);
|
||||
SOCK_UNLOCK(head);
|
||||
if (error != 0)
|
||||
goto done;
|
||||
#endif
|
||||
error = falloc(td, &nfp, &fd);
|
||||
if (error)
|
||||
goto done;
|
||||
|
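Review bot: The new accept check is evaluated against `head`, the listening socket, before any connection is dequeued, so a policy sees only the listener's label and the caller's credential, never the accepted connection itself; if that is the intended contract it deserves a comment, e.g. `/* MAC check is against the listening socket; the accepted connection is not yet visible here. */`. The check sits after the EINVAL rejection and before `falloc`, so a denial allocates no descriptor, which is the right ordering. Minor style: the hunk uses `if (error != 0)` while the adjacent `falloc` check uses `if (error)`; pick one form within the function. accept1 starts and ends outside the hunk.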
@ -1,6 +1,6 @@
|
||||
/*-
|
||||
* Copyright (c) 1999-2002 Robert N. M. Watson
|
||||
* Copyright (c) 2001-2003 Networks Associates Technology, Inc.
|
||||
* Copyright (c) 2001-2005 Networks Associates Technology, Inc.
|
||||
* All rights reserved.
|
||||
*
|
||||
* This software was developed by Robert Watson for the TrustedBSD Project.
|
||||
@ -39,6 +39,7 @@
|
||||
* The POSIX.1e implementation page may be reached at:
|
||||
* http://www.trustedbsd.org/
|
||||
*/
|
||||
|
||||
#ifndef _SYS_MAC_H_
|
||||
#define _SYS_MAC_H_
|
||||
|
||||
@ -350,14 +351,17 @@ int mac_check_proc_setresgid(struct proc *proc, struct ucred *cred,
|
||||
gid_t rgid, gid_t egid, gid_t sgid);
|
||||
int mac_check_proc_signal(struct ucred *cred, struct proc *proc,
|
||||
int signum);
|
||||
int mac_check_socket_accept(struct ucred *cred, struct socket *so);
|
||||
int mac_check_socket_bind(struct ucred *cred, struct socket *so,
|
||||
struct sockaddr *sockaddr);
|
||||
int mac_check_socket_connect(struct ucred *cred, struct socket *so,
|
||||
struct sockaddr *sockaddr);
|
||||
int mac_check_socket_deliver(struct socket *so, struct mbuf *m);
|
||||
int mac_check_socket_listen(struct ucred *cred, struct socket *so);
|
||||
int mac_check_socket_poll(struct ucred *cred, struct socket *so);
|
||||
int mac_check_socket_receive(struct ucred *cred, struct socket *so);
|
||||
int mac_check_socket_send(struct ucred *cred, struct socket *so);
|
||||
int mac_check_socket_stat(struct ucred *cred, struct socket *so);
|
||||
int mac_check_socket_visible(struct ucred *cred, struct socket *so);
|
||||
int mac_check_sysarch_ioperm(struct ucred *cred);
|
||||
int mac_check_system_acct(struct ucred *cred, struct vnode *vp);
|
||||
|
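Review bot: The five new `mac_check_socket_*` prototypes are added without any comment on their calling contract, while the kernel-side implementations in this commit assert `SOCK_LOCK_ASSERT` on the socket, so callers must hold the socket lock and that requirement is only discoverable by reading the implementation. A short block comment above the socket check group, e.g. `/* Socket checks: caller holds SOCK_LOCK(so); the socket label is read under that lock. */`, would make the lock rule part of the interface. The same applies to the `mpo_check_socket_*` function pointers added to `struct mac_policy_ops` in the mac_policy.h section, where policy authors need to know their implementation is invoked with the socket lock held. Both header sections are rendered a second time later on the page with identical hunks.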
@ -1,6 +1,6 @@
|
||||
/*-
|
||||
* Copyright (c) 1999-2002 Robert N. M. Watson
|
||||
* Copyright (c) 2001-2004 Networks Associates Technology, Inc.
|
||||
* Copyright (c) 2001-2005 Networks Associates Technology, Inc.
|
||||
* All rights reserved.
|
||||
*
|
||||
* This software was developed by Robert Watson for the TrustedBSD Project.
|
||||
@ -424,6 +424,8 @@ struct mac_policy_ops {
|
||||
gid_t egid, gid_t sgid);
|
||||
int (*mpo_check_proc_signal)(struct ucred *cred,
|
||||
struct proc *proc, int signum);
|
||||
int (*mpo_check_socket_accept)(struct ucred *cred,
|
||||
struct socket *so, struct label *socketlabel);
|
||||
int (*mpo_check_socket_bind)(struct ucred *cred,
|
||||
struct socket *so, struct label *socketlabel,
|
||||
struct sockaddr *sockaddr);
|
||||
@ -435,6 +437,8 @@ struct mac_policy_ops {
|
||||
struct label *mbuflabel);
|
||||
int (*mpo_check_socket_listen)(struct ucred *cred,
|
||||
struct socket *so, struct label *socketlabel);
|
||||
int (*mpo_check_socket_poll)(struct ucred *cred,
|
||||
struct socket *so, struct label *socketlabel);
|
||||
int (*mpo_check_socket_receive)(struct ucred *cred,
|
||||
struct socket *so, struct label *socketlabel);
|
||||
int (*mpo_check_socket_relabel)(struct ucred *cred,
|
||||
@ -442,6 +446,8 @@ struct mac_policy_ops {
|
||||
struct label *newlabel);
|
||||
int (*mpo_check_socket_send)(struct ucred *cred,
|
||||
struct socket *so, struct label *socketlabel);
|
||||
int (*mpo_check_socket_stat)(struct ucred *cred,
|
||||
struct socket *so, struct label *socketlabel);
|
||||
int (*mpo_check_socket_visible)(struct ucred *cred,
|
||||
struct socket *so, struct label *socketlabel);
|
||||
int (*mpo_check_sysarch_ioperm)(struct ucred *cred);
|
||||
|
@ -1,16 +1,16 @@
|
||||
/*-
|
||||
* Copyright (c) 1999-2002 Robert N. M. Watson
|
||||
* Copyright (c) 2001 Ilmar S. Habibulin
|
||||
* Copyright (c) 2001-2004 Networks Associates Technology, Inc.
|
||||
* Copyright (c) 2001-2005 Networks Associates Technology, Inc.
|
||||
* All rights reserved.
|
||||
*
|
||||
* This software was developed by Robert Watson and Ilmar Habibulin for the
|
||||
* TrustedBSD Project.
|
||||
*
|
||||
* This software was developed for the FreeBSD Project in part by Network
|
||||
* Associates Laboratories, the Security Research Division of Network
|
||||
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
|
||||
* as part of the DARPA CHATS research program.
|
||||
* This software was developed for the FreeBSD Project in part by McAfee
|
||||
* Research, the Technology Research Division of Network Associates, Inc.
|
||||
* under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
|
||||
* DARPA CHATS research program.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
@ -272,6 +272,21 @@ mac_create_mbuf_from_socket(struct socket *socket, struct mbuf *mbuf)
|
||||
label);
|
||||
}
|
||||
|
||||
int
|
||||
mac_check_socket_accept(struct ucred *cred, struct socket *socket)
|
||||
{
|
||||
int error;
|
||||
|
||||
SOCK_LOCK_ASSERT(socket);
|
||||
|
||||
if (!mac_enforce_socket)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_socket_accept, cred, socket, socket->so_label);
|
||||
|
||||
return (error);
|
||||
}
|
||||
|
||||
int
|
||||
mac_check_socket_bind(struct ucred *ucred, struct socket *socket,
|
||||
struct sockaddr *sockaddr)
|
||||
@ -339,6 +354,20 @@ mac_check_socket_listen(struct ucred *cred, struct socket *socket)
|
||||
return (error);
|
||||
}
|
||||
|
||||
int
|
||||
mac_check_socket_poll(struct ucred *cred, struct socket *so)
|
||||
{
|
||||
int error;
|
||||
|
||||
SOCK_LOCK_ASSERT(so);
|
||||
|
||||
if (!mac_enforce_socket)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_socket_poll, cred, so, so->so_label);
|
||||
return (error);
|
||||
}
|
||||
|
||||
int
|
||||
mac_check_socket_receive(struct ucred *cred, struct socket *so)
|
||||
{
|
||||
@ -383,6 +412,21 @@ mac_check_socket_send(struct ucred *cred, struct socket *so)
|
||||
return (error);
|
||||
}
|
||||
|
||||
int
|
||||
mac_check_socket_stat(struct ucred *cred, struct socket *so)
|
||||
{
|
||||
int error;
|
||||
|
||||
SOCK_LOCK_ASSERT(so);
|
||||
|
||||
if (!mac_enforce_socket)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_socket_stat, cred, so, so->so_label);
|
||||
|
||||
return (error);
|
||||
}
|
||||
|
||||
int
|
||||
mac_check_socket_visible(struct ucred *cred, struct socket *socket)
|
||||
{
|
||||
|
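Review bot: The three new kernel-side checks are written inconsistently: mac_check_socket_accept names its socket parameter `socket` while mac_check_socket_poll and mac_check_socket_stat use `so`, and mac_check_socket_poll omits the blank line between `MAC_CHECK(...)` and `return (error);` that the other two keep. Unifying on `so` (matching the prototypes in mac.h) and restoring the blank line keeps the block greppable against its siblings. Each function does guard with `SOCK_LOCK_ASSERT` before reading `so_label`, which is the lock rule the header prototypes currently leave undocumented.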
@ -907,6 +907,14 @@ stub_check_proc_setresgid(struct ucred *cred, gid_t rgid, gid_t egid,
|
||||
return (0);
|
||||
}
|
||||
|
||||
static int
|
||||
stub_check_socket_accept(struct ucred *cred, struct socket *socket,
|
||||
struct label *socketlabel)
|
||||
{
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
static int
|
||||
stub_check_socket_bind(struct ucred *cred, struct socket *socket,
|
||||
struct label *socketlabel, struct sockaddr *sockaddr)
|
||||
@ -939,6 +947,22 @@ stub_check_socket_listen(struct ucred *cred, struct socket *so,
|
||||
return (0);
|
||||
}
|
||||
|
||||
static int
|
||||
stub_check_socket_poll(struct ucred *cred, struct socket *so,
|
||||
struct label *socketlabel)
|
||||
{
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
static int
|
||||
stub_check_socket_receive(struct ucred *cred, struct socket *so,
|
||||
struct label *socketlabel)
|
||||
{
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
static int
|
||||
stub_check_socket_relabel(struct ucred *cred, struct socket *socket,
|
||||
struct label *socketlabel, struct label *newlabel)
|
||||
@ -946,6 +970,21 @@ stub_check_socket_relabel(struct ucred *cred, struct socket *socket,
|
||||
|
||||
return (0);
|
||||
}
|
||||
static int
|
||||
stub_check_socket_send(struct ucred *cred, struct socket *so,
|
||||
struct label *socketlabel)
|
||||
{
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
static int
|
||||
stub_check_socket_stat(struct ucred *cred, struct socket *so,
|
||||
struct label *socketlabel)
|
||||
{
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
static int
|
||||
stub_check_socket_visible(struct ucred *cred, struct socket *socket,
|
||||
@ -1417,11 +1456,16 @@ static struct mac_policy_ops mac_stub_ops =
|
||||
.mpo_check_proc_setresuid = stub_check_proc_setresuid,
|
||||
.mpo_check_proc_setresgid = stub_check_proc_setresgid,
|
||||
.mpo_check_proc_signal = stub_check_proc_signal,
|
||||
.mpo_check_socket_accept = stub_check_socket_accept,
|
||||
.mpo_check_socket_bind = stub_check_socket_bind,
|
||||
.mpo_check_socket_connect = stub_check_socket_connect,
|
||||
.mpo_check_socket_deliver = stub_check_socket_deliver,
|
||||
.mpo_check_socket_listen = stub_check_socket_listen,
|
||||
.mpo_check_socket_poll = stub_check_socket_poll,
|
||||
.mpo_check_socket_receive = stub_check_socket_receive,
|
||||
.mpo_check_socket_relabel = stub_check_socket_relabel,
|
||||
.mpo_check_socket_send = stub_check_socket_send,
|
||||
.mpo_check_socket_stat = stub_check_socket_stat,
|
||||
.mpo_check_socket_visible = stub_check_socket_visible,
|
||||
.mpo_check_sysarch_ioperm = stub_check_sysarch_ioperm,
|
||||
.mpo_check_system_acct = stub_check_system_acct,
|
||||
|
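Review bot: The hunk at `@ -946,6 +970,21 @@` inserts `stub_check_socket_send` directly after the closing brace of stub_check_socket_relabel with no separating blank line, unlike every other function in the file; add the blank line before `static int`. Parameter naming also alternates between `socket` (accept, relabel, visible) and `so` (poll, receive, send, stat) for the same `struct socket *` argument. The five new stubs (accept, poll, receive, send, stat) are all wired into `mac_stub_ops`, so the table and the definitions agree.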
@ -1790,6 +1790,17 @@ mac_test_check_proc_setresgid(struct ucred *cred, gid_t rgid, gid_t egid,
|
||||
return (0);
|
||||
}
|
||||
|
||||
static int
|
||||
mac_test_check_socket_accept(struct ucred *cred, struct socket *socket,
|
||||
struct label *socketlabel)
|
||||
{
|
||||
|
||||
ASSERT_CRED_LABEL(cred->cr_label);
|
||||
ASSERT_SOCKET_LABEL(socketlabel);
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
static int
|
||||
mac_test_check_socket_bind(struct ucred *cred, struct socket *socket,
|
||||
struct label *socketlabel, struct sockaddr *sockaddr)
|
||||
@ -1835,7 +1846,18 @@ mac_test_check_socket_listen(struct ucred *cred, struct socket *socket,
|
||||
}
|
||||
|
||||
static int
|
||||
mac_test_check_socket_visible(struct ucred *cred, struct socket *socket,
|
||||
mac_test_check_socket_poll(struct ucred *cred, struct socket *socket,
|
||||
struct label *socketlabel)
|
||||
{
|
||||
|
||||
ASSERT_CRED_LABEL(cred->cr_label);
|
||||
ASSERT_SOCKET_LABEL(socketlabel);
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
static int
|
||||
mac_test_check_socket_receive(struct ucred *cred, struct socket *socket,
|
||||
struct label *socketlabel)
|
||||
{
|
||||
|
||||
@ -1857,6 +1879,39 @@ mac_test_check_socket_relabel(struct ucred *cred, struct socket *socket,
|
||||
return (0);
|
||||
}
|
||||
|
||||
static int
|
||||
mac_test_check_socket_send(struct ucred *cred, struct socket *socket,
|
||||
struct label *socketlabel)
|
||||
{
|
||||
|
||||
ASSERT_CRED_LABEL(cred->cr_label);
|
||||
ASSERT_SOCKET_LABEL(socketlabel);
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
static int
|
||||
mac_test_check_socket_stat(struct ucred *cred, struct socket *socket,
|
||||
struct label *socketlabel)
|
||||
{
|
||||
|
||||
ASSERT_CRED_LABEL(cred->cr_label);
|
||||
ASSERT_SOCKET_LABEL(socketlabel);
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
static int
|
||||
mac_test_check_socket_visible(struct ucred *cred, struct socket *socket,
|
||||
struct label *socketlabel)
|
||||
{
|
||||
|
||||
ASSERT_CRED_LABEL(cred->cr_label);
|
||||
ASSERT_SOCKET_LABEL(socketlabel);
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
static int
|
||||
mac_test_check_sysarch_ioperm(struct ucred *cred)
|
||||
{
|
||||
@ -2451,11 +2506,16 @@ static struct mac_policy_ops mac_test_ops =
|
||||
.mpo_check_proc_setresuid = mac_test_check_proc_setresuid,
|
||||
.mpo_check_proc_setresgid = mac_test_check_proc_setresgid,
|
||||
.mpo_check_proc_signal = mac_test_check_proc_signal,
|
||||
.mpo_check_socket_accept = mac_test_check_socket_accept,
|
||||
.mpo_check_socket_bind = mac_test_check_socket_bind,
|
||||
.mpo_check_socket_connect = mac_test_check_socket_connect,
|
||||
.mpo_check_socket_deliver = mac_test_check_socket_deliver,
|
||||
.mpo_check_socket_listen = mac_test_check_socket_listen,
|
||||
.mpo_check_socket_poll = mac_test_check_socket_poll,
|
||||
.mpo_check_socket_receive = mac_test_check_socket_receive,
|
||||
.mpo_check_socket_relabel = mac_test_check_socket_relabel,
|
||||
.mpo_check_socket_send = mac_test_check_socket_send,
|
||||
.mpo_check_socket_stat = mac_test_check_socket_stat,
|
||||
.mpo_check_socket_visible = mac_test_check_socket_visible,
|
||||
.mpo_check_sysarch_ioperm = mac_test_check_sysarch_ioperm,
|
||||
.mpo_check_system_acct = mac_test_check_system_acct,
|
||||
|
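Review bot: The hunk at `@ -1835,7 +1846,18 @@` implements mac_test_check_socket_poll by renaming the signature line of the existing mac_test_check_socket_visible and then re-adding visible with an identical body later in the file; inserting poll as a fresh function before visible would have produced a pure insertion and kept visible's history intact. Each new test hook asserts `cred->cr_label` and `socketlabel` and returns 0, matching the existing test-policy pattern, and all five new hooks (accept, poll, send, stat, visible) are registered in `mac_test_ops`.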
@ -1,6 +1,6 @@
|
||||
/*-
|
||||
* Copyright (c) 1999-2002 Robert N. M. Watson
|
||||
* Copyright (c) 2001-2003 Networks Associates Technology, Inc.
|
||||
* Copyright (c) 2001-2005 Networks Associates Technology, Inc.
|
||||
* All rights reserved.
|
||||
*
|
||||
* This software was developed by Robert Watson for the TrustedBSD Project.
|
||||
@ -39,6 +39,7 @@
|
||||
* The POSIX.1e implementation page may be reached at:
|
||||
* http://www.trustedbsd.org/
|
||||
*/
|
||||
|
||||
#ifndef _SYS_MAC_H_
|
||||
#define _SYS_MAC_H_
|
||||
|
||||
@ -350,14 +351,17 @@ int mac_check_proc_setresgid(struct proc *proc, struct ucred *cred,
|
||||
gid_t rgid, gid_t egid, gid_t sgid);
|
||||
int mac_check_proc_signal(struct ucred *cred, struct proc *proc,
|
||||
int signum);
|
||||
int mac_check_socket_accept(struct ucred *cred, struct socket *so);
|
||||
int mac_check_socket_bind(struct ucred *cred, struct socket *so,
|
||||
struct sockaddr *sockaddr);
|
||||
int mac_check_socket_connect(struct ucred *cred, struct socket *so,
|
||||
struct sockaddr *sockaddr);
|
||||
int mac_check_socket_deliver(struct socket *so, struct mbuf *m);
|
||||
int mac_check_socket_listen(struct ucred *cred, struct socket *so);
|
||||
int mac_check_socket_poll(struct ucred *cred, struct socket *so);
|
||||
int mac_check_socket_receive(struct ucred *cred, struct socket *so);
|
||||
int mac_check_socket_send(struct ucred *cred, struct socket *so);
|
||||
int mac_check_socket_stat(struct ucred *cred, struct socket *so);
|
||||
int mac_check_socket_visible(struct ucred *cred, struct socket *so);
|
||||
int mac_check_sysarch_ioperm(struct ucred *cred);
|
||||
int mac_check_system_acct(struct ucred *cred, struct vnode *vp);
|
||||
|
@ -1,6 +1,6 @@
|
||||
/*-
|
||||
* Copyright (c) 1999-2002 Robert N. M. Watson
|
||||
* Copyright (c) 2001-2004 Networks Associates Technology, Inc.
|
||||
* Copyright (c) 2001-2005 Networks Associates Technology, Inc.
|
||||
* All rights reserved.
|
||||
*
|
||||
* This software was developed by Robert Watson for the TrustedBSD Project.
|
||||
@ -424,6 +424,8 @@ struct mac_policy_ops {
|
||||
gid_t egid, gid_t sgid);
|
||||
int (*mpo_check_proc_signal)(struct ucred *cred,
|
||||
struct proc *proc, int signum);
|
||||
int (*mpo_check_socket_accept)(struct ucred *cred,
|
||||
struct socket *so, struct label *socketlabel);
|
||||
int (*mpo_check_socket_bind)(struct ucred *cred,
|
||||
struct socket *so, struct label *socketlabel,
|
||||
struct sockaddr *sockaddr);
|
||||
@ -435,6 +437,8 @@ struct mac_policy_ops {
|
||||
struct label *mbuflabel);
|
||||
int (*mpo_check_socket_listen)(struct ucred *cred,
|
||||
struct socket *so, struct label *socketlabel);
|
||||
int (*mpo_check_socket_poll)(struct ucred *cred,
|
||||
struct socket *so, struct label *socketlabel);
|
||||
int (*mpo_check_socket_receive)(struct ucred *cred,
|
||||
struct socket *so, struct label *socketlabel);
|
||||
int (*mpo_check_socket_relabel)(struct ucred *cred,
|
||||
@ -442,6 +446,8 @@ struct mac_policy_ops {
|
||||
struct label *newlabel);
|
||||
int (*mpo_check_socket_send)(struct ucred *cred,
|
||||
struct socket *so, struct label *socketlabel);
|
||||
int (*mpo_check_socket_stat)(struct ucred *cred,
|
||||
struct socket *so, struct label *socketlabel);
|
||||
int (*mpo_check_socket_visible)(struct ucred *cred,
|
||||
struct socket *so, struct label *socketlabel);
|
||||
int (*mpo_check_sysarch_ioperm)(struct ucred *cred);
|
||||
|