Now available: The Design and Implementation of the FreeBSD Operating System (Second Edition)
[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]
FreeBSD/Linux Kernel Cross Reference
sys/security/mac/mac_inet.c
Version:
- FREEBSD - FREEBSD-13-STABLE - FREEBSD-13-0 - FREEBSD-12-STABLE - FREEBSD-12-0 - FREEBSD-11-STABLE - FREEBSD-11-0 - FREEBSD-10-STABLE - FREEBSD-10-0 - FREEBSD-9-STABLE - FREEBSD-9-0 - FREEBSD-8-STABLE - FREEBSD-8-0 - FREEBSD-7-STABLE - FREEBSD-7-0 - FREEBSD-6-STABLE - FREEBSD-6-0 - FREEBSD-5-STABLE - FREEBSD-5-0 - FREEBSD-4-STABLE - FREEBSD-3-STABLE - FREEBSD22 - l41 - OPENBSD - linux-2.6 - MK84 - PLAN9 - xnu-8792
SearchContext: - none - 3 - 10
SearchContext: - none - 3 - 10
1 /*- 2 * Copyright (c) 1999-2002, 2007, 2009 Robert N. M. Watson 3 * Copyright (c) 2001 Ilmar S. Habibulin 4 * Copyright (c) 2001-2004 Networks Associates Technology, Inc. 5 * Copyright (c) 2006 SPARTA, Inc. 6 * Copyright (c) 2008 Apple Inc. 7 * All rights reserved. 8 * 9 * This software was developed by Robert Watson and Ilmar Habibulin for the 10 * TrustedBSD Project. 11 * 12 * This software was developed for the FreeBSD Project in part by Network 13 * Associates Laboratories, the Security Research Division of Network 14 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), 15 * as part of the DARPA CHATS research program. 16 * 17 * This software was enhanced by SPARTA ISSO under SPAWAR contract 18 * N66001-04-C-6019 ("SEFOS"). 19 * 20 * This software was developed at the University of Cambridge Computer 21 * Laboratory with support from a grant from Google, Inc. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the above copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 32 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 33 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 34 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 35 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 36 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 37 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 38 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 39 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 40 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 41 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 42 * SUCH DAMAGE. 43 */ 44 45 #include <sys/cdefs.h> 46 __FBSDID("$FreeBSD: releng/10.1/sys/security/mac/mac_inet.c 193391 2009-06-03 18:46:28Z rwatson $"); 47 48 #include "opt_kdtrace.h" 49 #include "opt_mac.h" 50 51 #include <sys/param.h> 52 #include <sys/kernel.h> 53 #include <sys/lock.h> 54 #include <sys/malloc.h> 55 #include <sys/mutex.h> 56 #include <sys/sbuf.h> 57 #include <sys/sdt.h> 58 #include <sys/systm.h> 59 #include <sys/mount.h> 60 #include <sys/file.h> 61 #include <sys/namei.h> 62 #include <sys/protosw.h> 63 #include <sys/socket.h> 64 #include <sys/socketvar.h> 65 #include <sys/sysctl.h> 66 67 #include <net/if.h> 68 #include <net/if_var.h> 69 70 #include <netinet/in.h> 71 #include <netinet/in_pcb.h> 72 #include <netinet/ip_var.h> 73 74 #include <security/mac/mac_framework.h> 75 #include <security/mac/mac_internal.h> 76 #include <security/mac/mac_policy.h> 77 78 static struct label * 79 mac_inpcb_label_alloc(int flag) 80 { 81 struct label *label; 82 int error; 83 84 label = mac_labelzone_alloc(flag); 85 if (label == NULL) 86 return (NULL); 87 if (flag & M_WAITOK) 88 MAC_POLICY_CHECK(inpcb_init_label, label, flag); 89 else 90 MAC_POLICY_CHECK_NOSLEEP(inpcb_init_label, label, flag); 91 if (error) { 92 MAC_POLICY_PERFORM_NOSLEEP(inpcb_destroy_label, label); 93 mac_labelzone_free(label); 94 return (NULL); 95 } 96 return (label); 97 } 98 99 int 100 mac_inpcb_init(struct inpcb *inp, int flag) 101 { 102 103 if (mac_labeled & MPC_OBJECT_INPCB) { 104 inp->inp_label = mac_inpcb_label_alloc(flag); 105 if (inp->inp_label == NULL) 106 return (ENOMEM); 107 } else 108 inp->inp_label = NULL; 109 return (0); 110 } 111 112 static struct label * 113 mac_ipq_label_alloc(int flag) 114 { 115 struct label *label; 116 int error; 117 118 label = mac_labelzone_alloc(flag); 119 if (label == NULL) 120 return (NULL); 121 122 if (flag & M_WAITOK) 123 MAC_POLICY_CHECK(ipq_init_label, label, flag); 124 else 125 MAC_POLICY_CHECK_NOSLEEP(ipq_init_label, label, flag); 126 if (error) { 127 MAC_POLICY_PERFORM_NOSLEEP(ipq_destroy_label, label); 128 mac_labelzone_free(label); 129 return (NULL); 130 } 131 return (label); 132 } 133 134 int 135 mac_ipq_init(struct ipq *q, int flag) 136 { 137 138 if (mac_labeled & MPC_OBJECT_IPQ) { 139 q->ipq_label = mac_ipq_label_alloc(flag); 140 if (q->ipq_label == NULL) 141 return (ENOMEM); 142 } else 143 q->ipq_label = NULL; 144 return (0); 145 } 146 147 static void 148 mac_inpcb_label_free(struct label *label) 149 { 150 151 MAC_POLICY_PERFORM_NOSLEEP(inpcb_destroy_label, label); 152 mac_labelzone_free(label); 153 } 154 155 void 156 mac_inpcb_destroy(struct inpcb *inp) 157 { 158 159 if (inp->inp_label != NULL) { 160 mac_inpcb_label_free(inp->inp_label); 161 inp->inp_label = NULL; 162 } 163 } 164 165 static void 166 mac_ipq_label_free(struct label *label) 167 { 168 169 MAC_POLICY_PERFORM_NOSLEEP(ipq_destroy_label, label); 170 mac_labelzone_free(label); 171 } 172 173 void 174 mac_ipq_destroy(struct ipq *q) 175 { 176 177 if (q->ipq_label != NULL) { 178 mac_ipq_label_free(q->ipq_label); 179 q->ipq_label = NULL; 180 } 181 } 182 183 void 184 mac_inpcb_create(struct socket *so, struct inpcb *inp) 185 { 186 187 MAC_POLICY_PERFORM_NOSLEEP(inpcb_create, so, so->so_label, inp, 188 inp->inp_label); 189 } 190 191 void 192 mac_ipq_reassemble(struct ipq *q, struct mbuf *m) 193 { 194 struct label *label; 195 196 if (mac_policy_count == 0) 197 return; 198 199 label = mac_mbuf_to_label(m); 200 201 MAC_POLICY_PERFORM_NOSLEEP(ipq_reassemble, q, q->ipq_label, m, 202 label); 203 } 204 205 void 206 mac_netinet_fragment(struct mbuf *m, struct mbuf *frag) 207 { 208 struct label *mlabel, *fraglabel; 209 210 if (mac_policy_count == 0) 211 return; 212 213 mlabel = mac_mbuf_to_label(m); 214 fraglabel = mac_mbuf_to_label(frag); 215 216 MAC_POLICY_PERFORM_NOSLEEP(netinet_fragment, m, mlabel, frag, 217 fraglabel); 218 } 219 220 void 221 mac_ipq_create(struct mbuf *m, struct ipq *q) 222 { 223 struct label *label; 224 225 if (mac_policy_count == 0) 226 return; 227 228 label = mac_mbuf_to_label(m); 229 230 MAC_POLICY_PERFORM_NOSLEEP(ipq_create, m, label, q, q->ipq_label); 231 } 232 233 void 234 mac_inpcb_create_mbuf(struct inpcb *inp, struct mbuf *m) 235 { 236 struct label *mlabel; 237 238 INP_LOCK_ASSERT(inp); 239 240 if (mac_policy_count == 0) 241 return; 242 243 mlabel = mac_mbuf_to_label(m); 244 245 MAC_POLICY_PERFORM_NOSLEEP(inpcb_create_mbuf, inp, inp->inp_label, m, 246 mlabel); 247 } 248 249 int 250 mac_ipq_match(struct mbuf *m, struct ipq *q) 251 { 252 struct label *label; 253 int result; 254 255 if (mac_policy_count == 0) 256 return (1); 257 258 label = mac_mbuf_to_label(m); 259 260 result = 1; 261 MAC_POLICY_BOOLEAN_NOSLEEP(ipq_match, &&, m, label, q, q->ipq_label); 262 263 return (result); 264 } 265 266 void 267 mac_netinet_arp_send(struct ifnet *ifp, struct mbuf *m) 268 { 269 struct label *mlabel; 270 271 if (mac_policy_count == 0) 272 return; 273 274 mlabel = mac_mbuf_to_label(m); 275 276 MAC_IFNET_LOCK(ifp); 277 MAC_POLICY_PERFORM_NOSLEEP(netinet_arp_send, ifp, ifp->if_label, m, 278 mlabel); 279 MAC_IFNET_UNLOCK(ifp); 280 } 281 282 void 283 mac_netinet_icmp_reply(struct mbuf *mrecv, struct mbuf *msend) 284 { 285 struct label *mrecvlabel, *msendlabel; 286 287 if (mac_policy_count == 0) 288 return; 289 290 mrecvlabel = mac_mbuf_to_label(mrecv); 291 msendlabel = mac_mbuf_to_label(msend); 292 293 MAC_POLICY_PERFORM_NOSLEEP(netinet_icmp_reply, mrecv, mrecvlabel, 294 msend, msendlabel); 295 } 296 297 void 298 mac_netinet_icmp_replyinplace(struct mbuf *m) 299 { 300 struct label *label; 301 302 if (mac_policy_count == 0) 303 return; 304 305 label = mac_mbuf_to_label(m); 306 307 MAC_POLICY_PERFORM_NOSLEEP(netinet_icmp_replyinplace, m, label); 308 } 309 310 void 311 mac_netinet_igmp_send(struct ifnet *ifp, struct mbuf *m) 312 { 313 struct label *mlabel; 314 315 if (mac_policy_count == 0) 316 return; 317 318 mlabel = mac_mbuf_to_label(m); 319 320 MAC_IFNET_LOCK(ifp); 321 MAC_POLICY_PERFORM_NOSLEEP(netinet_igmp_send, ifp, ifp->if_label, m, 322 mlabel); 323 MAC_IFNET_UNLOCK(ifp); 324 } 325 326 void 327 mac_netinet_tcp_reply(struct mbuf *m) 328 { 329 struct label *label; 330 331 if (mac_policy_count == 0) 332 return; 333 334 label = mac_mbuf_to_label(m); 335 336 MAC_POLICY_PERFORM_NOSLEEP(netinet_tcp_reply, m, label); 337 } 338 339 void 340 mac_ipq_update(struct mbuf *m, struct ipq *q) 341 { 342 struct label *label; 343 344 if (mac_policy_count == 0) 345 return; 346 347 label = mac_mbuf_to_label(m); 348 349 MAC_POLICY_PERFORM_NOSLEEP(ipq_update, m, label, q, q->ipq_label); 350 } 351 352 MAC_CHECK_PROBE_DEFINE2(inpcb_check_deliver, "struct inpcb *", 353 "struct mbuf *"); 354 355 int 356 mac_inpcb_check_deliver(struct inpcb *inp, struct mbuf *m) 357 { 358 struct label *label; 359 int error; 360 361 M_ASSERTPKTHDR(m); 362 363 if (mac_policy_count == 0) 364 return (0); 365 366 label = mac_mbuf_to_label(m); 367 368 MAC_POLICY_CHECK_NOSLEEP(inpcb_check_deliver, inp, inp->inp_label, m, 369 label); 370 MAC_CHECK_PROBE2(inpcb_check_deliver, error, inp, m); 371 372 return (error); 373 } 374 375 MAC_CHECK_PROBE_DEFINE2(inpcb_check_visible, "struct ucred *", 376 "struct inpcb *"); 377 378 int 379 mac_inpcb_check_visible(struct ucred *cred, struct inpcb *inp) 380 { 381 int error; 382 383 INP_LOCK_ASSERT(inp); 384 385 MAC_POLICY_CHECK_NOSLEEP(inpcb_check_visible, cred, inp, 386 inp->inp_label); 387 MAC_CHECK_PROBE2(inpcb_check_visible, error, cred, inp); 388 389 return (error); 390 } 391 392 void 393 mac_inpcb_sosetlabel(struct socket *so, struct inpcb *inp) 394 { 395 396 INP_WLOCK_ASSERT(inp); 397 SOCK_LOCK_ASSERT(so); 398 399 MAC_POLICY_PERFORM_NOSLEEP(inpcb_sosetlabel, so, so->so_label, inp, 400 inp->inp_label); 401 } 402 403 void 404 mac_netinet_firewall_reply(struct mbuf *mrecv, struct mbuf *msend) 405 { 406 struct label *mrecvlabel, *msendlabel; 407 408 M_ASSERTPKTHDR(mrecv); 409 M_ASSERTPKTHDR(msend); 410 411 if (mac_policy_count == 0) 412 return; 413 414 mrecvlabel = mac_mbuf_to_label(mrecv); 415 msendlabel = mac_mbuf_to_label(msend); 416 417 MAC_POLICY_PERFORM_NOSLEEP(netinet_firewall_reply, mrecv, mrecvlabel, 418 msend, msendlabel); 419 } 420 421 void 422 mac_netinet_firewall_send(struct mbuf *m) 423 { 424 struct label *label; 425 426 M_ASSERTPKTHDR(m); 427 428 if (mac_policy_count == 0) 429 return; 430 431 label = mac_mbuf_to_label(m); 432 433 MAC_POLICY_PERFORM_NOSLEEP(netinet_firewall_send, m, label); 434 } 435 436 /* 437 * These functions really should be referencing the syncache structure 438 * instead of the label. However, due to some of the complexities associated 439 * with exposing this syncache structure we operate directly on it's label 440 * pointer. This should be OK since we aren't making any access control 441 * decisions within this code directly, we are merely allocating and copying 442 * label storage so we can properly initialize mbuf labels for any packets 443 * the syncache code might create. 444 */ 445 void 446 mac_syncache_destroy(struct label **label) 447 { 448 449 if (*label != NULL) { 450 MAC_POLICY_PERFORM_NOSLEEP(syncache_destroy_label, *label); 451 mac_labelzone_free(*label); 452 *label = NULL; 453 } 454 } 455 456 int 457 mac_syncache_init(struct label **label) 458 { 459 int error; 460 461 if (mac_labeled & MPC_OBJECT_SYNCACHE) { 462 *label = mac_labelzone_alloc(M_NOWAIT); 463 if (*label == NULL) 464 return (ENOMEM); 465 /* 466 * Since we are holding the inpcb locks the policy can not 467 * allocate policy specific label storage using M_WAITOK. So 468 * we need to do a MAC_CHECK instead of the typical 469 * MAC_PERFORM so we can propagate allocation failures back 470 * to the syncache code. 471 */ 472 MAC_POLICY_CHECK_NOSLEEP(syncache_init_label, *label, 473 M_NOWAIT); 474 if (error) { 475 MAC_POLICY_PERFORM_NOSLEEP(syncache_destroy_label, 476 *label); 477 mac_labelzone_free(*label); 478 } 479 return (error); 480 } else 481 *label = NULL; 482 return (0); 483 } 484 485 void 486 mac_syncache_create(struct label *label, struct inpcb *inp) 487 { 488 489 INP_WLOCK_ASSERT(inp); 490 491 MAC_POLICY_PERFORM_NOSLEEP(syncache_create, label, inp); 492 } 493 494 void 495 mac_syncache_create_mbuf(struct label *sc_label, struct mbuf *m) 496 { 497 struct label *mlabel; 498 499 M_ASSERTPKTHDR(m); 500 501 if (mac_policy_count == 0) 502 return; 503 504 mlabel = mac_mbuf_to_label(m); 505 506 MAC_POLICY_PERFORM_NOSLEEP(syncache_create_mbuf, sc_label, m, 507 mlabel); 508 }
Cache object: da76aeebfd0ad453884b70e7b575878a
[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]