Add a mac_inpcb_check_visible implementation to all MAC policies
that handle mac_socket_check_visible. Reviewed by: rwatson MFC after: 3 months (set timer; decide then)
This commit is contained in:
parent
7d341cf135
commit
def7b5012b
@ -1115,6 +1115,24 @@ biba_inpcb_check_deliver(struct inpcb *inp, struct label *inplabel,
|
||||
return (biba_equal_effective(p, i) ? 0 : EACCES);
|
||||
}
|
||||
|
||||
static int
|
||||
biba_inpcb_check_visible(struct ucred *cred, struct inpcb *inp,
|
||||
struct label *inplabel)
|
||||
{
|
||||
struct mac_biba *subj, *obj;
|
||||
|
||||
if (!biba_enabled)
|
||||
return (0);
|
||||
|
||||
subj = SLOT(cred->cr_label);
|
||||
obj = SLOT(inplabel);
|
||||
|
||||
if (!biba_dominate_effective(obj, subj))
|
||||
return (ENOENT);
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
static void
|
||||
biba_inpcb_create(struct socket *so, struct label *solabel,
|
||||
struct inpcb *inp, struct label *inplabel)
|
||||
@ -3300,6 +3318,7 @@ static struct mac_policy_ops mac_biba_ops =
|
||||
.mpo_ifnet_relabel = biba_ifnet_relabel,
|
||||
|
||||
.mpo_inpcb_check_deliver = biba_inpcb_check_deliver,
|
||||
.mpo_inpcb_check_visible = biba_inpcb_check_visible,
|
||||
.mpo_inpcb_create = biba_inpcb_create,
|
||||
.mpo_inpcb_create_mbuf = biba_inpcb_create_mbuf,
|
||||
.mpo_inpcb_destroy_label = biba_destroy_label,
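Review bot: The dominance test in biba_inpcb_check_visible runs in the opposite orientation to the one in mls_inpcb_check_visible (`biba_dominate_effective(obj, subj)` versus `mls_dominate_effective(subj, obj)`), and neither new function explains why, so a reader comparing the three hunks will suspect one of them is inverted. A one-line comment on each would settle it, e.g. for Biba `/* Integrity model: the pcb is visible only if its label dominates the subject's. */` and for MLS `/* Confidentiality model: the subject must dominate the pcb's label. */`; the lomac hunk has the same shape as Biba and should carry the same comment. It is also worth a comment that these return ENOENT where biba_inpcb_check_deliver above returns EACCES: reporting the pcb as nonexistent keeps a subject that fails the check from learning that the connection exists at all, which I assume mirrors the existing socket_check_visible handlers. The same applies to the lomac and mls hunks below.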
|
||||
|
@ -1244,6 +1244,24 @@ lomac_inpcb_check_deliver(struct inpcb *inp, struct label *inplabel,
|
||||
return (lomac_equal_single(p, i) ? 0 : EACCES);
|
||||
}
|
||||
|
||||
static int
|
||||
lomac_inpcb_check_visible(struct ucred *cred, struct inpcb *inp,
|
||||
struct label *inplabel)
|
||||
{
|
||||
struct mac_lomac *subj, *obj;
|
||||
|
||||
if (!lomac_enabled)
|
||||
return (0);
|
||||
|
||||
subj = SLOT(cred->cr_label);
|
||||
obj = SLOT(inplabel);
|
||||
|
||||
if (!lomac_dominate_single(obj, subj))
|
||||
return (ENOENT);
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
static void
|
||||
lomac_inpcb_create(struct socket *so, struct label *solabel,
|
||||
struct inpcb *inp, struct label *inplabel)
|
||||
@ -2861,6 +2879,7 @@ static struct mac_policy_ops lomac_ops =
|
||||
.mpo_syncache_init_label = lomac_init_label_waitcheck,
|
||||
|
||||
.mpo_inpcb_check_deliver = lomac_inpcb_check_deliver,
|
||||
.mpo_inpcb_check_visible = lomac_inpcb_check_visible,
|
||||
.mpo_inpcb_create = lomac_inpcb_create,
|
||||
.mpo_inpcb_create_mbuf = lomac_inpcb_create_mbuf,
|
||||
.mpo_inpcb_destroy_label = lomac_destroy_label,
|
||||
|
@ -1033,6 +1033,24 @@ mls_inpcb_check_deliver(struct inpcb *inp, struct label *inplabel,
|
||||
return (mls_equal_effective(p, i) ? 0 : EACCES);
|
||||
}
|
||||
|
||||
static int
|
||||
mls_inpcb_check_visible(struct ucred *cred, struct inpcb *inp,
|
||||
struct label *inplabel)
|
||||
{
|
||||
struct mac_mls *subj, *obj;
|
||||
|
||||
if (!mls_enabled)
|
||||
return (0);
|
||||
|
||||
subj = SLOT(cred->cr_label);
|
||||
obj = SLOT(inplabel);
|
||||
|
||||
if (!mls_dominate_effective(subj, obj))
|
||||
return (ENOENT);
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
static void
|
||||
mls_inpcb_create(struct socket *so, struct label *solabel, struct inpcb *inp,
|
||||
struct label *inplabel)
|
||||
@ -2923,6 +2941,7 @@ static struct mac_policy_ops mls_ops =
|
||||
.mpo_ifnet_relabel = mls_ifnet_relabel,
|
||||
|
||||
.mpo_inpcb_check_deliver = mls_inpcb_check_deliver,
|
||||
.mpo_inpcb_check_visible = mls_inpcb_check_visible,
|
||||
.mpo_inpcb_create = mls_inpcb_create,
|
||||
.mpo_inpcb_create_mbuf = mls_inpcb_create_mbuf,
|
||||
.mpo_inpcb_destroy_label = mls_destroy_label,
|
||||
|
@ -51,10 +51,15 @@
|
||||
#include <sys/priv.h>
|
||||
#include <sys/proc.h>
|
||||
#include <sys/sbuf.h>
|
||||
#include <sys/socket.h>
|
||||
#include <sys/socketvar.h>
|
||||
#include <sys/systm.h>
|
||||
#include <sys/sysctl.h>
|
||||
|
||||
#include <net/route.h>
|
||||
#include <netinet/in.h>
|
||||
#include <netinet/in_pcb.h>
|
||||
|
||||
#include <security/mac/mac_policy.h>
|
||||
#include <security/mac_partition/mac_partition.h>
|
||||
|
||||
@ -198,6 +203,17 @@ partition_cred_relabel(struct ucred *cred, struct label *newlabel)
|
||||
SLOT_SET(cred->cr_label, SLOT(newlabel));
|
||||
}
|
||||
|
||||
static int
|
||||
partition_inpcb_check_visible(struct ucred *cred, struct inpcb *inp,
|
||||
struct label *inplabel)
|
||||
{
|
||||
int error;
|
||||
|
||||
error = label_on_label(cred->cr_label, inp->inp_cred->cr_label);
|
||||
|
||||
return (error ? ENOENT : 0);
|
||||
}
|
||||
|
||||
static int
|
||||
partition_proc_check_debug(struct ucred *cred, struct proc *p)
|
||||
{
|
||||
@ -283,6 +299,7 @@ static struct mac_policy_ops partition_ops =
|
||||
.mpo_cred_init_label = partition_cred_init_label,
|
||||
.mpo_cred_internalize_label = partition_cred_internalize_label,
|
||||
.mpo_cred_relabel = partition_cred_relabel,
|
||||
.mpo_inpcb_check_visible = partition_inpcb_check_visible,
|
||||
.mpo_proc_check_debug = partition_proc_check_debug,
|
||||
.mpo_proc_check_sched = partition_proc_check_sched,
|
||||
.mpo_proc_check_signal = partition_proc_check_signal,
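Review bot: partition_inpcb_check_visible ignores its `inplabel` argument and instead consults `inp->inp_cred->cr_label`; that is consistent with the partition policy keeping its label on credentials, but a reader comparing it with the biba/mls handlers will assume the parameter was meant to be used. A comment such as `/* Partition labels live on the credential, so compare against the pcb's owning cred rather than inplabel. */` would make the intent explicit; the seeotheruids hunk below (`seeotheruids_check(cred, inp->inp_cred)`) has the same shape and would benefit from the same comment. Both handlers also dereference `inp->inp_cred` with no NULL check — if the framework guarantees every inpcb carries a credential for its whole lifetime that is fine, but since the check is reached from unprivileged pcb listing, the guarantee it relies on belongs in the comment too.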
|
||||
|
@ -51,9 +51,14 @@
|
||||
#include <sys/priv.h>
|
||||
#include <sys/proc.h>
|
||||
#include <sys/systm.h>
|
||||
#include <sys/socket.h>
|
||||
#include <sys/socketvar.h>
|
||||
#include <sys/sysctl.h>
|
||||
|
||||
#include <net/route.h>
|
||||
#include <netinet/in.h>
|
||||
#include <netinet/in_pcb.h>
|
||||
|
||||
#include <security/mac/mac_policy.h>
|
||||
|
||||
SYSCTL_DECL(_security_mac);
|
||||
@ -154,6 +159,14 @@ seeotheruids_cred_check_visible(struct ucred *cr1, struct ucred *cr2)
|
||||
return (seeotheruids_check(cr1, cr2));
|
||||
}
|
||||
|
||||
static int
|
||||
seeotheruids_inpcb_check_visible(struct ucred *cred, struct inpcb *inp,
|
||||
struct label *inplabel)
|
||||
{
|
||||
|
||||
return (seeotheruids_check(cred, inp->inp_cred));
|
||||
}
|
||||
|
||||
static int
|
||||
seeotheruids_socket_check_visible(struct ucred *cred, struct socket *so,
|
||||
struct label *solabel)
|
||||
@ -168,6 +181,7 @@ static struct mac_policy_ops seeotheruids_ops =
|
||||
.mpo_proc_check_sched = seeotheruids_proc_check_sched,
|
||||
.mpo_proc_check_signal = seeotheruids_proc_check_signal,
|
||||
.mpo_cred_check_visible = seeotheruids_cred_check_visible,
|
||||
.mpo_inpcb_check_visible = seeotheruids_inpcb_check_visible,
|
||||
.mpo_socket_check_visible = seeotheruids_socket_check_visible,
|
||||
};
|
||||
|
||||
|
@ -858,6 +858,14 @@ stub_socket_check_stat(struct ucred *cred, struct socket *so,
|
||||
return (0);
|
||||
}
|
||||
|
||||
static int
|
||||
stub_inpcb_check_visible(struct ucred *cred, struct inpcb *inp,
|
||||
struct label *inplabel)
|
||||
{
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
static int
|
||||
stub_socket_check_visible(struct ucred *cred, struct socket *so,
|
||||
struct label *solabel)
|
||||
@ -1531,6 +1539,7 @@ static struct mac_policy_ops stub_ops =
|
||||
.mpo_ifnet_relabel = stub_ifnet_relabel,
|
||||
|
||||
.mpo_inpcb_check_deliver = stub_inpcb_check_deliver,
|
||||
.mpo_inpcb_check_visible = stub_inpcb_check_visible,
|
||||
.mpo_inpcb_create = stub_inpcb_create,
|
||||
.mpo_inpcb_create_mbuf = stub_inpcb_create_mbuf,
|
||||
.mpo_inpcb_destroy_label = stub_destroy_label,
|
||||
|
@ -494,6 +494,19 @@ test_inpcb_check_deliver(struct inpcb *inp, struct label *inplabel,
|
||||
return (0);
|
||||
}
|
||||
|
||||
COUNTER_DECL(inpcb_check_visible);
|
||||
static int
|
||||
test_inpcb_check_visible(struct ucred *cred, struct inpcb *inp,
|
||||
struct label *inplabel)
|
||||
{
|
||||
|
||||
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
|
||||
LABEL_CHECK(inplabel, MAGIC_INPCB);
|
||||
COUNTER_INC(inpcb_check_visible);
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
COUNTER_DECL(inpcb_create);
|
||||
static void
|
||||
test_inpcb_create(struct socket *so, struct label *solabel,
|
||||
@ -2840,6 +2853,7 @@ static struct mac_policy_ops test_ops =
|
||||
.mpo_sysvshm_init_label = test_sysvshm_init_label,
|
||||
|
||||
.mpo_inpcb_check_deliver = test_inpcb_check_deliver,
|
||||
.mpo_inpcb_check_visible = test_inpcb_check_visible,
|
||||
.mpo_inpcb_create = test_inpcb_create,
|
||||
.mpo_inpcb_create_mbuf = test_inpcb_create_mbuf,
|
||||
.mpo_inpcb_destroy_label = test_inpcb_destroy_label,
|
||||
|