Introduce three additional MAC Framework and MAC Policy entry points to

control socket poll() (select()), fstat(), and accept() operations,
required for some policies:

        poll()          mac_check_socket_poll()
        fstat()         mac_check_socket_stat()
        accept()        mac_check_socket_accept()

Update mac_stub and mac_test policies to be aware of these entry points.
While here, add missing entry point implementations for:

        mac_stub.c      stub_check_socket_receive()
        mac_stub.c      stub_check_socket_send()
        mac_test.c      mac_test_check_socket_send()
        mac_test.c      mac_test_check_socket_visible()

Obtained from:	TrustedBSD Project
Sponsored by:	SPAWAR, SPARTA
This commit is contained in:
Robert Watson 2005-04-16 18:46:29 +00:00
parent 932d3e21cc
commit 7f53207b92
9 changed files with 203 additions and 10 deletions

View File

@ -234,6 +234,15 @@ soo_poll(fp, events, active_cred, td)
int error;
NET_LOCK_GIANT();
#ifdef MAC
SOCK_LOCK(so);
error = mac_check_socket_poll(active_cred, so);
SOCK_UNLOCK(so);
if (error) {
NET_UNLOCK_GIANT();
return (error);
}
#endif
error = (so->so_proto->pr_usrreqs->pru_sopoll)
(so, events, fp->f_cred, td);
NET_UNLOCK_GIANT();
@ -254,6 +263,15 @@ soo_stat(fp, ub, active_cred, td)
bzero((caddr_t)ub, sizeof (*ub));
ub->st_mode = S_IFSOCK;
NET_LOCK_GIANT();
#ifdef MAC
SOCK_LOCK(so);
error = mac_check_socket_stat(active_cred, so);
SOCK_UNLOCK(so);
if (error) {
NET_UNLOCK_GIANT();
return (error);
}
#endif
/*
* If SBS_CANTRCVMORE is set, but there's still data left in the
* receive buffer, the socket is still readable.

View File

@ -315,6 +315,13 @@ accept1(td, uap, compat)
error = EINVAL;
goto done;
}
#ifdef MAC
SOCK_LOCK(head);
error = mac_check_socket_accept(td->td_ucred, head);
SOCK_UNLOCK(head);
if (error != 0)
goto done;
#endif
error = falloc(td, &nfp, &fd);
if (error)
goto done;

View File

@ -1,6 +1,6 @@
/*-
* Copyright (c) 1999-2002 Robert N. M. Watson
* Copyright (c) 2001-2003 Networks Associates Technology, Inc.
* Copyright (c) 2001-2005 Networks Associates Technology, Inc.
* All rights reserved.
*
* This software was developed by Robert Watson for the TrustedBSD Project.
@ -39,6 +39,7 @@
* The POSIX.1e implementation page may be reached at:
* http://www.trustedbsd.org/
*/
#ifndef _SYS_MAC_H_
#define _SYS_MAC_H_
@ -350,14 +351,17 @@ int mac_check_proc_setresgid(struct proc *proc, struct ucred *cred,
gid_t rgid, gid_t egid, gid_t sgid);
int mac_check_proc_signal(struct ucred *cred, struct proc *proc,
int signum);
int mac_check_socket_accept(struct ucred *cred, struct socket *so);
int mac_check_socket_bind(struct ucred *cred, struct socket *so,
struct sockaddr *sockaddr);
int mac_check_socket_connect(struct ucred *cred, struct socket *so,
struct sockaddr *sockaddr);
int mac_check_socket_deliver(struct socket *so, struct mbuf *m);
int mac_check_socket_listen(struct ucred *cred, struct socket *so);
int mac_check_socket_poll(struct ucred *cred, struct socket *so);
int mac_check_socket_receive(struct ucred *cred, struct socket *so);
int mac_check_socket_send(struct ucred *cred, struct socket *so);
int mac_check_socket_stat(struct ucred *cred, struct socket *so);
int mac_check_socket_visible(struct ucred *cred, struct socket *so);
int mac_check_sysarch_ioperm(struct ucred *cred);
int mac_check_system_acct(struct ucred *cred, struct vnode *vp);

View File

@ -1,6 +1,6 @@
/*-
* Copyright (c) 1999-2002 Robert N. M. Watson
* Copyright (c) 2001-2004 Networks Associates Technology, Inc.
* Copyright (c) 2001-2005 Networks Associates Technology, Inc.
* All rights reserved.
*
* This software was developed by Robert Watson for the TrustedBSD Project.
@ -424,6 +424,8 @@ struct mac_policy_ops {
gid_t egid, gid_t sgid);
int (*mpo_check_proc_signal)(struct ucred *cred,
struct proc *proc, int signum);
int (*mpo_check_socket_accept)(struct ucred *cred,
struct socket *so, struct label *socketlabel);
int (*mpo_check_socket_bind)(struct ucred *cred,
struct socket *so, struct label *socketlabel,
struct sockaddr *sockaddr);
@ -435,6 +437,8 @@ struct mac_policy_ops {
struct label *mbuflabel);
int (*mpo_check_socket_listen)(struct ucred *cred,
struct socket *so, struct label *socketlabel);
int (*mpo_check_socket_poll)(struct ucred *cred,
struct socket *so, struct label *socketlabel);
int (*mpo_check_socket_receive)(struct ucred *cred,
struct socket *so, struct label *socketlabel);
int (*mpo_check_socket_relabel)(struct ucred *cred,
@ -442,6 +446,8 @@ struct mac_policy_ops {
struct label *newlabel);
int (*mpo_check_socket_send)(struct ucred *cred,
struct socket *so, struct label *socketlabel);
int (*mpo_check_socket_stat)(struct ucred *cred,
struct socket *so, struct label *socketlabel);
int (*mpo_check_socket_visible)(struct ucred *cred,
struct socket *so, struct label *socketlabel);
int (*mpo_check_sysarch_ioperm)(struct ucred *cred);

View File

@ -1,16 +1,16 @@
/*-
* Copyright (c) 1999-2002 Robert N. M. Watson
* Copyright (c) 2001 Ilmar S. Habibulin
* Copyright (c) 2001-2004 Networks Associates Technology, Inc.
* Copyright (c) 2001-2005 Networks Associates Technology, Inc.
* All rights reserved.
*
* This software was developed by Robert Watson and Ilmar Habibulin for the
* TrustedBSD Project.
*
* This software was developed for the FreeBSD Project in part by Network
* Associates Laboratories, the Security Research Division of Network
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
* as part of the DARPA CHATS research program.
* This software was developed for the FreeBSD Project in part by McAfee
* Research, the Technology Research Division of Network Associates, Inc.
* under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
* DARPA CHATS research program.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@ -272,6 +272,21 @@ mac_create_mbuf_from_socket(struct socket *socket, struct mbuf *mbuf)
label);
}
int
mac_check_socket_accept(struct ucred *cred, struct socket *socket)
{
int error;
SOCK_LOCK_ASSERT(socket);
if (!mac_enforce_socket)
return (0);
MAC_CHECK(check_socket_accept, cred, socket, socket->so_label);
return (error);
}
int
mac_check_socket_bind(struct ucred *ucred, struct socket *socket,
struct sockaddr *sockaddr)
@ -339,6 +354,20 @@ mac_check_socket_listen(struct ucred *cred, struct socket *socket)
return (error);
}
int
mac_check_socket_poll(struct ucred *cred, struct socket *so)
{
int error;
SOCK_LOCK_ASSERT(so);
if (!mac_enforce_socket)
return (0);
MAC_CHECK(check_socket_poll, cred, so, so->so_label);
return (error);
}
int
mac_check_socket_receive(struct ucred *cred, struct socket *so)
{
@ -383,6 +412,21 @@ mac_check_socket_send(struct ucred *cred, struct socket *so)
return (error);
}
int
mac_check_socket_stat(struct ucred *cred, struct socket *so)
{
int error;
SOCK_LOCK_ASSERT(so);
if (!mac_enforce_socket)
return (0);
MAC_CHECK(check_socket_stat, cred, so, so->so_label);
return (error);
}
int
mac_check_socket_visible(struct ucred *cred, struct socket *socket)
{

View File

@ -907,6 +907,14 @@ stub_check_proc_setresgid(struct ucred *cred, gid_t rgid, gid_t egid,
return (0);
}
static int
stub_check_socket_accept(struct ucred *cred, struct socket *socket,
struct label *socketlabel)
{
return (0);
}
static int
stub_check_socket_bind(struct ucred *cred, struct socket *socket,
struct label *socketlabel, struct sockaddr *sockaddr)
@ -939,6 +947,22 @@ stub_check_socket_listen(struct ucred *cred, struct socket *so,
return (0);
}
static int
stub_check_socket_poll(struct ucred *cred, struct socket *so,
struct label *socketlabel)
{
return (0);
}
static int
stub_check_socket_receive(struct ucred *cred, struct socket *so,
struct label *socketlabel)
{
return (0);
}
static int
stub_check_socket_relabel(struct ucred *cred, struct socket *socket,
struct label *socketlabel, struct label *newlabel)
@ -946,6 +970,21 @@ stub_check_socket_relabel(struct ucred *cred, struct socket *socket,
return (0);
}
static int
stub_check_socket_send(struct ucred *cred, struct socket *so,
struct label *socketlabel)
{
return (0);
}
static int
stub_check_socket_stat(struct ucred *cred, struct socket *so,
struct label *socketlabel)
{
return (0);
}
static int
stub_check_socket_visible(struct ucred *cred, struct socket *socket,
@ -1417,11 +1456,16 @@ static struct mac_policy_ops mac_stub_ops =
.mpo_check_proc_setresuid = stub_check_proc_setresuid,
.mpo_check_proc_setresgid = stub_check_proc_setresgid,
.mpo_check_proc_signal = stub_check_proc_signal,
.mpo_check_socket_accept = stub_check_socket_accept,
.mpo_check_socket_bind = stub_check_socket_bind,
.mpo_check_socket_connect = stub_check_socket_connect,
.mpo_check_socket_deliver = stub_check_socket_deliver,
.mpo_check_socket_listen = stub_check_socket_listen,
.mpo_check_socket_poll = stub_check_socket_poll,
.mpo_check_socket_receive = stub_check_socket_receive,
.mpo_check_socket_relabel = stub_check_socket_relabel,
.mpo_check_socket_send = stub_check_socket_send,
.mpo_check_socket_stat = stub_check_socket_stat,
.mpo_check_socket_visible = stub_check_socket_visible,
.mpo_check_sysarch_ioperm = stub_check_sysarch_ioperm,
.mpo_check_system_acct = stub_check_system_acct,

View File

@ -1790,6 +1790,17 @@ mac_test_check_proc_setresgid(struct ucred *cred, gid_t rgid, gid_t egid,
return (0);
}
static int
mac_test_check_socket_accept(struct ucred *cred, struct socket *socket,
struct label *socketlabel)
{
ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_SOCKET_LABEL(socketlabel);
return (0);
}
static int
mac_test_check_socket_bind(struct ucred *cred, struct socket *socket,
struct label *socketlabel, struct sockaddr *sockaddr)
@ -1835,7 +1846,18 @@ mac_test_check_socket_listen(struct ucred *cred, struct socket *socket,
}
static int
mac_test_check_socket_visible(struct ucred *cred, struct socket *socket,
mac_test_check_socket_poll(struct ucred *cred, struct socket *socket,
struct label *socketlabel)
{
ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_SOCKET_LABEL(socketlabel);
return (0);
}
static int
mac_test_check_socket_receive(struct ucred *cred, struct socket *socket,
struct label *socketlabel)
{
@ -1857,6 +1879,39 @@ mac_test_check_socket_relabel(struct ucred *cred, struct socket *socket,
return (0);
}
static int
mac_test_check_socket_send(struct ucred *cred, struct socket *socket,
struct label *socketlabel)
{
ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_SOCKET_LABEL(socketlabel);
return (0);
}
static int
mac_test_check_socket_stat(struct ucred *cred, struct socket *socket,
struct label *socketlabel)
{
ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_SOCKET_LABEL(socketlabel);
return (0);
}
static int
mac_test_check_socket_visible(struct ucred *cred, struct socket *socket,
struct label *socketlabel)
{
ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_SOCKET_LABEL(socketlabel);
return (0);
}
static int
mac_test_check_sysarch_ioperm(struct ucred *cred)
{
@ -2451,11 +2506,16 @@ static struct mac_policy_ops mac_test_ops =
.mpo_check_proc_setresuid = mac_test_check_proc_setresuid,
.mpo_check_proc_setresgid = mac_test_check_proc_setresgid,
.mpo_check_proc_signal = mac_test_check_proc_signal,
.mpo_check_socket_accept = mac_test_check_socket_accept,
.mpo_check_socket_bind = mac_test_check_socket_bind,
.mpo_check_socket_connect = mac_test_check_socket_connect,
.mpo_check_socket_deliver = mac_test_check_socket_deliver,
.mpo_check_socket_listen = mac_test_check_socket_listen,
.mpo_check_socket_poll = mac_test_check_socket_poll,
.mpo_check_socket_receive = mac_test_check_socket_receive,
.mpo_check_socket_relabel = mac_test_check_socket_relabel,
.mpo_check_socket_send = mac_test_check_socket_send,
.mpo_check_socket_stat = mac_test_check_socket_stat,
.mpo_check_socket_visible = mac_test_check_socket_visible,
.mpo_check_sysarch_ioperm = mac_test_check_sysarch_ioperm,
.mpo_check_system_acct = mac_test_check_system_acct,

View File

@ -1,6 +1,6 @@
/*-
* Copyright (c) 1999-2002 Robert N. M. Watson
* Copyright (c) 2001-2003 Networks Associates Technology, Inc.
* Copyright (c) 2001-2005 Networks Associates Technology, Inc.
* All rights reserved.
*
* This software was developed by Robert Watson for the TrustedBSD Project.
@ -39,6 +39,7 @@
* The POSIX.1e implementation page may be reached at:
* http://www.trustedbsd.org/
*/
#ifndef _SYS_MAC_H_
#define _SYS_MAC_H_
@ -350,14 +351,17 @@ int mac_check_proc_setresgid(struct proc *proc, struct ucred *cred,
gid_t rgid, gid_t egid, gid_t sgid);
int mac_check_proc_signal(struct ucred *cred, struct proc *proc,
int signum);
int mac_check_socket_accept(struct ucred *cred, struct socket *so);
int mac_check_socket_bind(struct ucred *cred, struct socket *so,
struct sockaddr *sockaddr);
int mac_check_socket_connect(struct ucred *cred, struct socket *so,
struct sockaddr *sockaddr);
int mac_check_socket_deliver(struct socket *so, struct mbuf *m);
int mac_check_socket_listen(struct ucred *cred, struct socket *so);
int mac_check_socket_poll(struct ucred *cred, struct socket *so);
int mac_check_socket_receive(struct ucred *cred, struct socket *so);
int mac_check_socket_send(struct ucred *cred, struct socket *so);
int mac_check_socket_stat(struct ucred *cred, struct socket *so);
int mac_check_socket_visible(struct ucred *cred, struct socket *so);
int mac_check_sysarch_ioperm(struct ucred *cred);
int mac_check_system_acct(struct ucred *cred, struct vnode *vp);

View File

@ -1,6 +1,6 @@
/*-
* Copyright (c) 1999-2002 Robert N. M. Watson
* Copyright (c) 2001-2004 Networks Associates Technology, Inc.
* Copyright (c) 2001-2005 Networks Associates Technology, Inc.
* All rights reserved.
*
* This software was developed by Robert Watson for the TrustedBSD Project.
@ -424,6 +424,8 @@ struct mac_policy_ops {
gid_t egid, gid_t sgid);
int (*mpo_check_proc_signal)(struct ucred *cred,
struct proc *proc, int signum);
int (*mpo_check_socket_accept)(struct ucred *cred,
struct socket *so, struct label *socketlabel);
int (*mpo_check_socket_bind)(struct ucred *cred,
struct socket *so, struct label *socketlabel,
struct sockaddr *sockaddr);
@ -435,6 +437,8 @@ struct mac_policy_ops {
struct label *mbuflabel);
int (*mpo_check_socket_listen)(struct ucred *cred,
struct socket *so, struct label *socketlabel);
int (*mpo_check_socket_poll)(struct ucred *cred,
struct socket *so, struct label *socketlabel);
int (*mpo_check_socket_receive)(struct ucred *cred,
struct socket *so, struct label *socketlabel);
int (*mpo_check_socket_relabel)(struct ucred *cred,
@ -442,6 +446,8 @@ struct mac_policy_ops {
struct label *newlabel);
int (*mpo_check_socket_send)(struct ucred *cred,
struct socket *so, struct label *socketlabel);
int (*mpo_check_socket_stat)(struct ucred *cred,
struct socket *so, struct label *socketlabel);
int (*mpo_check_socket_visible)(struct ucred *cred,
struct socket *so, struct label *socketlabel);
int (*mpo_check_sysarch_ioperm)(struct ucred *cred);