==== //depot/projects/trustedbsd/mac/sys/kern/uipc_socket2.c#36 - /data/p4/rwatson/trustedbsd/mac/sys/kern/uipc_socket2.c ==== @@ -1042,6 +1042,16 @@ } /* + * For protocol types that don't keep cached copies of labels in their + * pcbs, provide a null sosetlabel that does a NOOP. + */ +void +pru_sosetlabel_null(struct socket *so) +{ + +} + +/* * Make a copy of a sockaddr in a malloced buffer of type M_SONAME. */ struct sockaddr * ==== //depot/projects/trustedbsd/mac/sys/kern/uipc_usrreq.c#28 - /data/p4/rwatson/trustedbsd/mac/sys/kern/uipc_usrreq.c ==== @@ -450,7 +450,7 @@ uipc_connect2, pru_control_notsupp, uipc_detach, uipc_disconnect, uipc_listen, uipc_peeraddr, uipc_rcvd, pru_rcvoob_notsupp, uipc_send, uipc_sense, uipc_shutdown, uipc_sockaddr, - sosend, soreceive, sopoll + sosend, soreceive, sopoll, pru_sosetlabel_null }; int ==== //depot/projects/trustedbsd/mac/sys/net/raw_usrreq.c#9 - /data/p4/rwatson/trustedbsd/mac/sys/net/raw_usrreq.c ==== @@ -295,5 +295,5 @@ pru_connect2_notsupp, pru_control_notsupp, raw_udetach, raw_udisconnect, pru_listen_notsupp, raw_upeeraddr, pru_rcvd_notsupp, pru_rcvoob_notsupp, raw_usend, pru_sense_null, raw_ushutdown, - raw_usockaddr, sosend, soreceive, sopoll + raw_usockaddr, sosend, soreceive, sopoll, pru_sosetlabel_null }; ==== //depot/projects/trustedbsd/mac/sys/net/rtsock.c#20 - /data/p4/rwatson/trustedbsd/mac/sys/net/rtsock.c ==== @@ -270,7 +270,7 @@ pru_connect2_notsupp, pru_control_notsupp, rts_detach, rts_disconnect, pru_listen_notsupp, rts_peeraddr, pru_rcvd_notsupp, pru_rcvoob_notsupp, rts_send, pru_sense_null, rts_shutdown, rts_sockaddr, - sosend, soreceive, sopoll + sosend, soreceive, sopoll, pru_sosetlabel_null }; /*ARGSUSED*/ ==== //depot/projects/trustedbsd/mac/sys/netatalk/ddp_usrreq.c#10 - /data/p4/rwatson/trustedbsd/mac/sys/netatalk/ddp_usrreq.c ==== @@ -590,5 +590,6 @@ at_setsockaddr, sosend, soreceive, - sopoll + sopoll, + pru_sosetlabel_null }; ==== //depot/projects/trustedbsd/mac/sys/netatm/atm_aal5.c#6 - /data/p4/rwatson/trustedbsd/mac/sys/netatm/atm_aal5.c ==== @@ -112,7 +112,8 @@ atm_aal5_sockaddr, /* pru_sockaddr */ sosend, /* pru_sosend */ soreceive, /* pru_soreceive */ - sopoll /* pru_sopoll */ + sopoll, /* pru_sopoll */ + pru_sosetlabel_null /* pru_sosetlabel */ }; /* ==== //depot/projects/trustedbsd/mac/sys/netatm/atm_usrreq.c#8 - /data/p4/rwatson/trustedbsd/mac/sys/netatm/atm_usrreq.c ==== @@ -83,6 +83,10 @@ pru_sense_null, /* pru_sense */ atm_proto_notsupp1, /* pru_shutdown */ atm_proto_notsupp3, /* pru_sockaddr */ + NULL, /* pru_sosend */ + NULL, /* pru_soreceive */ + NULL, /* pru_sooll */ + pru_sosetlabel_null /* pru_sosetlabel */ }; ==== //depot/projects/trustedbsd/mac/sys/netgraph/bluetooth/socket/ng_btsocket.c#4 - /data/p4/rwatson/trustedbsd/mac/sys/netgraph/bluetooth/socket/ng_btsocket.c ==== @@ -79,7 +79,8 @@ ng_btsocket_hci_raw_sockaddr, /* sockaddr */ sosend, soreceive, - sopoll + sopoll, + pru_sosetlabel_null }; /* @@ -106,7 +107,8 @@ ng_btsocket_l2cap_raw_sockaddr, /* sockaddr */ sosend, soreceive, - sopoll + sopoll, + pru_sosetlabel_null }; /* @@ -133,7 +135,8 @@ ng_btsocket_l2cap_sockaddr, /* sockaddr */ sosend, soreceive, - sopoll + sopoll, + pru_sosetlabel_null }; /* @@ -160,7 +163,8 @@ ng_btsocket_rfcomm_sockaddr, /* sockaddr */ sosend, soreceive, - sopoll + sopoll, + pru_sosetlabel_null }; /* ==== //depot/projects/trustedbsd/mac/sys/netgraph/ng_socket.c#10 - /data/p4/rwatson/trustedbsd/mac/sys/netgraph/ng_socket.c ==== @@ -978,7 +978,8 @@ ng_setsockaddr, sosend, soreceive, - sopoll + sopoll, + pru_sosetlabel_null }; static struct pr_usrreqs ngd_usrreqs = { @@ -1001,7 +1002,8 @@ ng_setsockaddr, sosend, soreceive, - sopoll + sopoll, + pru_sosetlabel_null }; /* ==== //depot/projects/trustedbsd/mac/sys/netinet/in_pcb.c#23 - /data/p4/rwatson/trustedbsd/mac/sys/netinet/in_pcb.c ==== @@ -36,10 +36,12 @@ #include "opt_ipsec.h" #include "opt_inet6.h" +#include "opt_mac.h" #include #include #include +#include #include #include #include @@ -161,26 +163,30 @@ struct thread *td; { register struct inpcb *inp; -#if defined(IPSEC) || defined(FAST_IPSEC) int error; -#endif + INP_INFO_WLOCK_ASSERT(pcbinfo); + error = 0; inp = uma_zalloc(pcbinfo->ipi_zone, M_NOWAIT | M_ZERO); if (inp == NULL) return (ENOBUFS); inp->inp_gencnt = ++pcbinfo->ipi_gencnt; inp->inp_pcbinfo = pcbinfo; inp->inp_socket = so; +#ifdef MAC + error = mac_init_inpcb(inp, M_NOWAIT); + if (error != 0) + goto out; + mac_create_inpcb_from_socket(so, inp); +#endif #if defined(IPSEC) || defined(FAST_IPSEC) #ifdef FAST_IPSEC error = ipsec_init_policy(so, &inp->inp_sp); #else error = ipsec_init_pcbpolicy(so, &inp->inp_sp); #endif - if (error != 0) { - uma_zfree(pcbinfo->ipi_zone, inp); - return error; - } + if (error != 0) + goto out; #endif /*IPSEC*/ #if defined(INET6) if (INP_SOCKAF(so) == AF_INET6) { @@ -197,7 +203,12 @@ if (ip6_auto_flowlabel) inp->inp_flags |= IN6P_AUTOFLOWLABEL; #endif - return (0); +#if defined(IPSEC) || defined(FAST_IPSEC) || defined(MAC) +out: + if (error != 0) + uma_zfree(pcbinfo->ipi_zone, inp); +#endif + return (error); } int @@ -700,6 +711,9 @@ ip_freemoptions(inp->inp_moptions); inp->inp_vflag = 0; INP_LOCK_DESTROY(inp); +#ifdef MAC + mac_destroy_inpcb(inp); +#endif uma_zfree(ipi->ipi_zone, inp); } @@ -1216,6 +1230,25 @@ pcbinfo->ipi_count--; } +/* + * A set label operation has occurred at the socket layer, propagate the + * label change into the in_pcb for the socket. + */ +void +in_pcbsosetlabel(so) + struct socket *so; +{ +#ifdef MAC + struct inpcb *inp; + + /* XXX: Will assert socket lock when we have them. */ + inp = (struct inpcb *)so->so_pcb; + INP_LOCK(inp); + mac_inpcb_sosetlabel(so, inp); + INP_UNLOCK(inp); +#endif +} + int prison_xinpcb(struct thread *td, struct inpcb *inp) { ==== //depot/projects/trustedbsd/mac/sys/netinet/in_pcb.h#19 - /data/p4/rwatson/trustedbsd/mac/sys/netinet/in_pcb.h ==== @@ -134,6 +134,7 @@ struct inpcbinfo *inp_pcbinfo; /* PCB list info */ struct socket *inp_socket; /* back pointer to socket */ /* list for this PCB's local port */ + struct label *inp_label; /* MAC label */ int inp_flags; /* generic IP/datagram flags */ struct inpcbpolicy *inp_sp; /* for IPSEC */ @@ -369,10 +370,12 @@ void in_pcbnotifyall(struct inpcbinfo *pcbinfo, struct in_addr, int, struct inpcb *(*)(struct inpcb *, int)); void in_pcbrehash(struct inpcb *); +void in_pcbsetsolabel(struct socket *so); int in_setpeeraddr(struct socket *so, struct sockaddr **nam, struct inpcbinfo *pcbinfo); int in_setsockaddr(struct socket *so, struct sockaddr **nam, struct inpcbinfo *pcbinfo);; struct sockaddr * in_sockaddr(in_port_t port, struct in_addr *addr); +void in_pcbsosetlabel(struct socket *so); void in_pcbremlists(struct inpcb *inp); int prison_xinpcb(struct thread *td, struct inpcb *inp); #endif /* _KERNEL */ ==== //depot/projects/trustedbsd/mac/sys/netinet/ip_divert.c#17 - /data/p4/rwatson/trustedbsd/mac/sys/netinet/ip_divert.c ==== @@ -651,5 +651,5 @@ pru_connect_notsupp, pru_connect2_notsupp, in_control, div_detach, div_disconnect, pru_listen_notsupp, div_peeraddr, pru_rcvd_notsupp, pru_rcvoob_notsupp, div_send, pru_sense_null, div_shutdown, - div_sockaddr, sosend, soreceive, sopoll + div_sockaddr, sosend, soreceive, sopoll, in_pcbsosetlabel }; ==== //depot/projects/trustedbsd/mac/sys/netinet/raw_ip.c#27 - /data/p4/rwatson/trustedbsd/mac/sys/netinet/raw_ip.c ==== @@ -161,7 +161,7 @@ } #endif /*FAST_IPSEC*/ #ifdef MAC - if (!policyfail && mac_check_socket_deliver(last->inp_socket, n) != 0) + if (!policyfail && mac_check_inpcb_deliver(last, n) != 0) policyfail = 1; #endif if (!policyfail) { @@ -838,5 +838,5 @@ pru_connect2_notsupp, in_control, rip_detach, rip_disconnect, pru_listen_notsupp, rip_peeraddr, pru_rcvd_notsupp, pru_rcvoob_notsupp, rip_send, pru_sense_null, rip_shutdown, - rip_sockaddr, sosend, soreceive, sopoll + rip_sockaddr, sosend, soreceive, sopoll, in_pcbsosetlabel }; ==== //depot/projects/trustedbsd/mac/sys/netinet/tcp_input.c#44 - /data/p4/rwatson/trustedbsd/mac/sys/netinet/tcp_input.c ==== @@ -683,11 +683,11 @@ else tiwin = th->th_win; - so = inp->inp_socket; #ifdef MAC - if (mac_check_socket_deliver(so, m)) + if (mac_check_inpcb_deliver(inp, m)) goto drop; #endif + so = inp->inp_socket; #ifdef TCPDEBUG if (so->so_options & SO_DEBUG) { ostate = tp->t_state; ==== //depot/projects/trustedbsd/mac/sys/netinet/tcp_usrreq.c#16 - /data/p4/rwatson/trustedbsd/mac/sys/netinet/tcp_usrreq.c ==== @@ -816,7 +816,7 @@ tcp_usr_connect, pru_connect2_notsupp, in_control, tcp_usr_detach, tcp_usr_disconnect, tcp_usr_listen, tcp_peeraddr, tcp_usr_rcvd, tcp_usr_rcvoob, tcp_usr_send, pru_sense_null, tcp_usr_shutdown, - tcp_sockaddr, sosend, soreceive, sopoll + tcp_sockaddr, sosend, soreceive, sopoll, in_pcbsosetlabel }; #ifdef INET6 @@ -825,7 +825,7 @@ tcp6_usr_connect, pru_connect2_notsupp, in6_control, tcp_usr_detach, tcp_usr_disconnect, tcp6_usr_listen, in6_mapped_peeraddr, tcp_usr_rcvd, tcp_usr_rcvoob, tcp_usr_send, pru_sense_null, tcp_usr_shutdown, - in6_mapped_sockaddr, sosend, soreceive, sopoll + in6_mapped_sockaddr, sosend, soreceive, sopoll, in_pcbsosetlabel }; #endif /* INET6 */ ==== //depot/projects/trustedbsd/mac/sys/netinet/udp_usrreq.c#25 - /data/p4/rwatson/trustedbsd/mac/sys/netinet/udp_usrreq.c ==== @@ -446,7 +446,7 @@ } #endif /*FAST_IPSEC*/ #ifdef MAC - if (mac_check_socket_deliver(last->inp_socket, n) != 0) { + if (mac_check_inpcb_deliver(last, n) != 0) { m_freem(n); return; } @@ -1096,5 +1096,5 @@ pru_connect2_notsupp, in_control, udp_detach, udp_disconnect, pru_listen_notsupp, udp_peeraddr, pru_rcvd_notsupp, pru_rcvoob_notsupp, udp_send, pru_sense_null, udp_shutdown, - udp_sockaddr, sosend, soreceive, sopoll + udp_sockaddr, sosend, soreceive, sopoll, in_pcbsosetlabel }; ==== //depot/projects/trustedbsd/mac/sys/netinet6/raw_ip6.c#10 - /data/p4/rwatson/trustedbsd/mac/sys/netinet6/raw_ip6.c ==== @@ -750,5 +750,5 @@ pru_connect2_notsupp, in6_control, rip6_detach, rip6_disconnect, pru_listen_notsupp, in6_setpeeraddr, pru_rcvd_notsupp, pru_rcvoob_notsupp, rip6_send, pru_sense_null, rip6_shutdown, - in6_setsockaddr, sosend, soreceive, sopoll + in6_setsockaddr, sosend, soreceive, sopoll, pru_sosetlabel_null }; ==== //depot/projects/trustedbsd/mac/sys/netinet6/udp6_usrreq.c#14 - /data/p4/rwatson/trustedbsd/mac/sys/netinet6/udp6_usrreq.c ==== @@ -767,5 +767,5 @@ pru_connect2_notsupp, in6_control, udp6_detach, udp6_disconnect, pru_listen_notsupp, in6_mapped_peeraddr, pru_rcvd_notsupp, pru_rcvoob_notsupp, udp6_send, pru_sense_null, udp_shutdown, - in6_mapped_sockaddr, sosend, soreceive, sopoll + in6_mapped_sockaddr, sosend, soreceive, sopoll, in_pcbsosetlabel }; ==== //depot/projects/trustedbsd/mac/sys/netipsec/keysock.c#5 - /data/p4/rwatson/trustedbsd/mac/sys/netipsec/keysock.c ==== @@ -567,7 +567,8 @@ key_disconnect, pru_listen_notsupp, key_peeraddr, pru_rcvd_notsupp, pru_rcvoob_notsupp, key_send, pru_sense_null, key_shutdown, - key_sockaddr, sosend, soreceive, sopoll + key_sockaddr, sosend, soreceive, sopoll, + pru_sosetlabel_null }; /* sysctl */ ==== //depot/projects/trustedbsd/mac/sys/netipx/ipx_usrreq.c#8 - /data/p4/rwatson/trustedbsd/mac/sys/netipx/ipx_usrreq.c ==== @@ -92,7 +92,7 @@ ipx_connect, pru_connect2_notsupp, ipx_control, ipx_detach, ipx_disconnect, pru_listen_notsupp, ipx_peeraddr, pru_rcvd_notsupp, pru_rcvoob_notsupp, ipx_send, pru_sense_null, ipx_shutdown, - ipx_sockaddr, sosend, soreceive, sopoll + ipx_sockaddr, sosend, soreceive, sopoll, pru_sosetlabel_null }; struct pr_usrreqs ripx_usrreqs = { @@ -100,7 +100,7 @@ ipx_connect, pru_connect2_notsupp, ipx_control, ipx_detach, ipx_disconnect, pru_listen_notsupp, ipx_peeraddr, pru_rcvd_notsupp, pru_rcvoob_notsupp, ipx_send, pru_sense_null, ipx_shutdown, - ipx_sockaddr, sosend, soreceive, sopoll + ipx_sockaddr, sosend, soreceive, sopoll, pru_sosetlabel_null }; /* ==== //depot/projects/trustedbsd/mac/sys/netipx/spx_usrreq.c#7 - /data/p4/rwatson/trustedbsd/mac/sys/netipx/spx_usrreq.c ==== @@ -112,7 +112,7 @@ spx_connect, pru_connect2_notsupp, ipx_control, spx_detach, spx_usr_disconnect, spx_listen, ipx_peeraddr, spx_rcvd, spx_rcvoob, spx_send, pru_sense_null, spx_shutdown, - ipx_sockaddr, sosend, soreceive, sopoll + ipx_sockaddr, sosend, soreceive, sopoll, pru_sosetlabel_null }; struct pr_usrreqs spx_usrreq_sps = { @@ -120,7 +120,7 @@ spx_connect, pru_connect2_notsupp, ipx_control, spx_detach, spx_usr_disconnect, spx_listen, ipx_peeraddr, spx_rcvd, spx_rcvoob, spx_send, pru_sense_null, spx_shutdown, - ipx_sockaddr, sosend, soreceive, sopoll + ipx_sockaddr, sosend, soreceive, sopoll, pru_sosetlabel_null }; void ==== //depot/projects/trustedbsd/mac/sys/netkey/keysock.c#13 - /data/p4/rwatson/trustedbsd/mac/sys/netkey/keysock.c ==== @@ -477,7 +477,8 @@ key_disconnect, pru_listen_notsupp, key_peeraddr, pru_rcvd_notsupp, pru_rcvoob_notsupp, key_send, pru_sense_null, key_shutdown, - key_sockaddr, sosend, soreceive, sopoll + key_sockaddr, sosend, soreceive, sopoll, + pru_sosetlabel_null }; /* sysctl */ ==== //depot/projects/trustedbsd/mac/sys/netnatm/natm.c#13 - /data/p4/rwatson/trustedbsd/mac/sys/netnatm/natm.c ==== @@ -396,7 +396,7 @@ natm_usr_detach, natm_usr_disconnect, pru_listen_notsupp, natm_usr_peeraddr, pru_rcvd_notsupp, pru_rcvoob_notsupp, natm_usr_send, pru_sense_null, natm_usr_shutdown, - natm_usr_sockaddr, sosend, soreceive, sopoll + natm_usr_sockaddr, sosend, soreceive, sopoll, pru_sosetlabel_null }; #else /* !FREEBSD_USRREQS */ ==== //depot/projects/trustedbsd/mac/sys/security/mac/mac_net.c#13 - /data/p4/rwatson/trustedbsd/mac/sys/security/mac/mac_net.c ==== @@ -50,6 +50,7 @@ #include #include #include +#include #include #include #include @@ -61,6 +62,7 @@ #include #include +#include #include #include @@ -77,12 +79,14 @@ #ifdef MAC_DEBUG static unsigned int nmacmbufs, nmacifnets, nmacbpfdescs, nmacsockets, - nmacipqs; + nmacinpcbs, nmacipqs; SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, mbufs, CTLFLAG_RD, &nmacmbufs, 0, "number of mbufs in use"); SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, ifnets, CTLFLAG_RD, &nmacifnets, 0, "number of ifnets in use"); +SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, inpcbs, CTLFLAG_RD, + &nmacinpcbs, 0, "number of inpcbs in use"); SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, ipqs, CTLFLAG_RD, &nmacipqs, 0, "number of ipqs in use"); SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, bpfdescs, CTLFLAG_RD, @@ -143,6 +147,35 @@ } static struct label * +mac_inpcb_label_alloc(int flag) +{ + struct label *label; + int error; + + label = mac_labelzone_alloc(flag); + if (label == NULL) + return (NULL); + MAC_CHECK(init_inpcb_label, label, flag); + if (error) { + MAC_PERFORM(destroy_inpcb_label, label); + mac_labelzone_free(label); + return (NULL); + } + MAC_DEBUG_COUNTER_INC(&nmacinpcbs); + return (label); +} + +int +mac_init_inpcb(struct inpcb *inp, int flag) +{ + + inp->inp_label = mac_inpcb_label_alloc(flag); + if (inp->inp_label == NULL) + return (ENOMEM); + return (0); +} + +static struct label * mac_ipq_label_alloc(int flag) { struct label *label; @@ -311,6 +344,23 @@ } static void +mac_inpcb_label_free(struct label *label) +{ + + MAC_PERFORM(destroy_inpcb_label, label); + mac_labelzone_free(label); + MAC_DEBUG_COUNTER_DEC(&nmacinpcbs); +} + +void +mac_destroy_inpcb(struct inpcb *inp) +{ + + mac_inpcb_label_free(inp->inp_label); + inp->inp_label = NULL; +} + +static void mac_ipq_label_free(struct label *label) { @@ -443,6 +493,14 @@ } void +mac_create_inpcb_from_socket(struct socket *so, struct inpcb *inp) +{ + + MAC_PERFORM(create_inpcb_from_socket, so, so->so_label, inp, + inp->inp_label); +} + +void mac_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d) { @@ -704,6 +762,24 @@ } int +mac_check_inpcb_deliver(struct inpcb *inp, struct mbuf *m) +{ + struct label *label; + int error; + + M_ASSERTPKTHDR(m); + + if (!mac_enforce_socket) + return (0); + + label = mbuf_to_label(m); + + MAC_CHECK(check_inpcb_deliver, inp, inp->inp_label, m, label); + + return (error); +} + +int mac_check_socket_bind(struct ucred *ucred, struct socket *socket, struct sockaddr *sockaddr) { @@ -904,6 +980,15 @@ return (0); } +void +mac_inpcb_sosetlabel(struct socket *so, struct inpcb *inp) +{ + + /* XXX: assert socket lock. */ + INP_LOCK_ASSERT(inp); + MAC_PERFORM(inpcb_sosetlabel, so, so->so_label, inp, inp->inp_label); +} + int mac_setsockopt_label_set(struct ucred *cred, struct socket *so, struct mac *mac) @@ -931,6 +1016,7 @@ return (error); } + /* XXX: Will eventually grab a socket lock here. */ mac_check_socket_relabel(cred, so, intlabel); if (error) { mac_socket_label_free(intlabel); @@ -939,6 +1025,16 @@ mac_relabel_socket(cred, so, intlabel); + /* + * If the protocol has expressed interest in socket layer changes, + * such as if it needs to propagate changes to a cached pcb + * label from the socket, notify it of the label change while + * holding the socket lock. + */ + if (so->so_proto->pr_usrreqs->pru_sosetlabel != NULL) + (so->so_proto->pr_usrreqs->pru_sosetlabel)(so); + /* XXX: Will eventually release a socket lock here. */ + mac_socket_label_free(intlabel); return (0); } ==== //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#231 - /data/p4/rwatson/trustedbsd/mac/sys/security/mac_biba/mac_biba.c ==== @@ -75,6 +75,7 @@ #include #include +#include #include #include @@ -1065,6 +1066,18 @@ * Labeling event operations: IPC object. */ static void +mac_biba_create_inpcb_from_socket(struct socket *so, struct label *solabel, + struct inpcb *inp, struct label *inplabel) +{ + struct mac_biba *source, *dest; + + source = SLOT(solabel); + dest = SLOT(inplabel); + + mac_biba_copy_single(source, dest); +} + +static void mac_biba_create_mbuf_from_socket(struct socket *so, struct label *socketlabel, struct mbuf *m, struct label *mbuflabel) { @@ -1438,6 +1451,18 @@ /* NOOP: we only accept matching labels, so no need to update */ } +static void +mac_biba_inpcb_sosetlabel(struct socket *so, struct label *solabel, + struct inpcb *inp, struct label *inplabel) +{ + struct mac_biba *source, *dest; + + source = SLOT(solabel); + dest = SLOT(inplabel); + + mac_biba_copy(source, dest); +} + /* * Labeling event operations: processes. */ @@ -1662,6 +1687,21 @@ } static int +mac_biba_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel, + struct mbuf *m, struct label *mlabel) +{ + struct mac_biba *p, *i; + + if (!mac_biba_enabled) + return (0); + + p = SLOT(mlabel); + i = SLOT(inplabel); + + return (mac_biba_equal_single(p, i) ? 0 : EACCES); +} + +static int mac_biba_check_ipc_msgrcv(struct ucred *cred, struct msg *msgptr, struct label *msglabel) { @@ -3112,6 +3152,7 @@ .mpo_init_cred_label = mac_biba_init_label, .mpo_init_devfsdirent_label = mac_biba_init_label, .mpo_init_ifnet_label = mac_biba_init_label, + .mpo_init_inpcb_label = mac_biba_init_label_waitcheck, .mpo_init_ipc_msgmsg_label = mac_biba_init_label, .mpo_init_ipc_msgqueue_label = mac_biba_init_label, .mpo_init_ipc_sema_label = mac_biba_init_label, @@ -3129,6 +3170,7 @@ .mpo_destroy_cred_label = mac_biba_destroy_label, .mpo_destroy_devfsdirent_label = mac_biba_destroy_label, .mpo_destroy_ifnet_label = mac_biba_destroy_label, + .mpo_destroy_inpcb_label = mac_biba_destroy_label, .mpo_destroy_ipc_msgmsg_label = mac_biba_destroy_label, .mpo_destroy_ipc_msgqueue_label = mac_biba_destroy_label, .mpo_destroy_ipc_sema_label = mac_biba_destroy_label, @@ -3181,6 +3223,7 @@ .mpo_create_datagram_from_ipq = mac_biba_create_datagram_from_ipq, .mpo_create_fragment = mac_biba_create_fragment, .mpo_create_ifnet = mac_biba_create_ifnet, + .mpo_create_inpcb_from_socket = mac_biba_create_inpcb_from_socket, .mpo_create_ipc_msgmsg = mac_biba_create_ipc_msgmsg, .mpo_create_ipc_msgqueue = mac_biba_create_ipc_msgqueue, .mpo_create_ipc_sema = mac_biba_create_ipc_sema, @@ -3195,6 +3238,7 @@ .mpo_fragment_match = mac_biba_fragment_match, .mpo_relabel_ifnet = mac_biba_relabel_ifnet, .mpo_update_ipq = mac_biba_update_ipq, + .mpo_inpcb_sosetlabel = mac_biba_inpcb_sosetlabel, .mpo_create_cred = mac_biba_create_cred, .mpo_create_proc0 = mac_biba_create_proc0, .mpo_create_proc1 = mac_biba_create_proc1, @@ -3208,6 +3252,7 @@ .mpo_check_cred_visible = mac_biba_check_cred_visible, .mpo_check_ifnet_relabel = mac_biba_check_ifnet_relabel, .mpo_check_ifnet_transmit = mac_biba_check_ifnet_transmit, + .mpo_check_inpcb_deliver = mac_biba_check_inpcb_deliver, .mpo_check_ipc_msgrcv = mac_biba_check_ipc_msgrcv, .mpo_check_ipc_msgrmid = mac_biba_check_ipc_msgrmid, .mpo_check_ipc_msqget = mac_biba_check_ipc_msqget, ==== //depot/projects/trustedbsd/mac/sys/security/mac_ifoff/mac_ifoff.c#22 - /data/p4/rwatson/trustedbsd/mac/sys/security/mac_ifoff/mac_ifoff.c ==== @@ -143,6 +143,18 @@ } static int +mac_ifoff_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel, + struct mbuf *m, struct label *mlabel) +{ + + M_ASSERTPKTHDR(m); + if (m->m_pkthdr.rcvif != NULL) + return (check_ifnet_incoming(m->m_pkthdr.rcvif, 0)); + + return (0); +} + +static int mac_ifoff_check_socket_deliver(struct socket *so, struct label *socketlabel, struct mbuf *m, struct label *mbuflabel) { @@ -158,6 +170,7 @@ { .mpo_check_bpfdesc_receive = mac_ifoff_check_bpfdesc_receive, .mpo_check_ifnet_transmit = mac_ifoff_check_ifnet_transmit, + .mpo_check_inpcb_deliver = mac_ifoff_check_inpcb_deliver, .mpo_check_socket_deliver = mac_ifoff_check_socket_deliver, }; ==== //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.c#76 - /data/p4/rwatson/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.c ==== @@ -75,6 +75,7 @@ #include #include +#include #include #include @@ -1138,6 +1139,18 @@ * Labeling event operations: IPC object. */ static void +mac_lomac_create_inpcb_from_socket(struct socket *so, struct label *solabel, + struct inpcb *inp, struct label *inplabel) +{ + struct mac_lomac *source, *dest; + + source = SLOT(solabel); + dest = SLOT(inplabel); + + mac_lomac_copy_single(source, dest); +} + +static void mac_lomac_create_mbuf_from_socket(struct socket *so, struct label *socketlabel, struct mbuf *m, struct label *mbuflabel) { @@ -1522,6 +1535,18 @@ /* NOOP: we only accept matching labels, so no need to update */ } +static void +mac_lomac_inpcb_sosetlabel(struct socket *so, struct label *solabel, + struct inpcb *inp, struct label *inplabel) +{ + struct mac_lomac *source, *dest; + + source = SLOT(solabel); + dest = SLOT(inplabel); + + mac_lomac_copy_single(source, dest); +} + /* * Labeling event operations: processes. */ @@ -1835,6 +1860,21 @@ } static int +mac_lomac_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel, + struct mbuf *m, struct label *mlabel) +{ + struct mac_lomac *p, *i; + + if (!mac_lomac_enabled) + return (0); + + p = SLOT(mlabel); + i = SLOT(inplabel); + + return (mac_lomac_equal_single(p, i) ? 0 : EACCES); +} + +static int mac_lomac_check_ipc_msgrcv(struct ucred *cred, struct msg *msgptr, struct label *msglabel) { @@ -3038,6 +3078,7 @@ .mpo_init_cred_label = mac_lomac_init_label, .mpo_init_devfsdirent_label = mac_lomac_init_label, .mpo_init_ifnet_label = mac_lomac_init_label, + .mpo_init_inpcb_label = mac_lomac_init_label_waitcheck, .mpo_init_ipc_msgmsg_label = mac_lomac_init_label, .mpo_init_ipc_msgqueue_label = mac_lomac_init_label, .mpo_init_ipc_sema_label = mac_lomac_init_label, @@ -3056,6 +3097,7 @@ .mpo_destroy_cred_label = mac_lomac_destroy_label, .mpo_destroy_devfsdirent_label = mac_lomac_destroy_label, .mpo_destroy_ifnet_label = mac_lomac_destroy_label, + .mpo_destroy_inpcb_label = mac_lomac_destroy_label, .mpo_destroy_ipc_msgmsg_label = mac_lomac_destroy_label, .mpo_destroy_ipc_msgqueue_label = mac_lomac_destroy_label, .mpo_destroy_ipc_sema_label = mac_lomac_destroy_label, @@ -3111,6 +3153,7 @@ .mpo_create_datagram_from_ipq = mac_lomac_create_datagram_from_ipq, .mpo_create_fragment = mac_lomac_create_fragment, .mpo_create_ifnet = mac_lomac_create_ifnet, + .mpo_create_inpcb_from_socket = mac_lomac_create_inpcb_from_socket, .mpo_create_ipc_msgmsg = mac_lomac_create_ipc_msgmsg, .mpo_create_ipc_msgqueue = mac_lomac_create_ipc_msgqueue, .mpo_create_ipc_sema = mac_lomac_create_ipc_sema, @@ -3126,6 +3169,7 @@ .mpo_fragment_match = mac_lomac_fragment_match, .mpo_relabel_ifnet = mac_lomac_relabel_ifnet, .mpo_update_ipq = mac_lomac_update_ipq, + .mpo_inpcb_sosetlabel = mac_lomac_inpcb_sosetlabel, .mpo_create_cred = mac_lomac_create_cred, .mpo_execve_transition = mac_lomac_execve_transition, .mpo_execve_will_transition = mac_lomac_execve_will_transition, @@ -3141,6 +3185,7 @@ .mpo_check_cred_visible = mac_lomac_check_cred_visible, .mpo_check_ifnet_relabel = mac_lomac_check_ifnet_relabel, .mpo_check_ifnet_transmit = mac_lomac_check_ifnet_transmit, + .mpo_check_inpcb_deliver = mac_lomac_check_inpcb_deliver, /* .mpo_check_ipc_msgmsq = mac_lomac_check_ipc_msgmsq, */ .mpo_check_ipc_msgrcv = mac_lomac_check_ipc_msgrcv, .mpo_check_ipc_msgrmid = mac_lomac_check_ipc_msgrmid, ==== //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#186 - /data/p4/rwatson/trustedbsd/mac/sys/security/mac_mls/mac_mls.c ==== @@ -75,6 +75,7 @@ #include #include +#include #include #include @@ -1033,6 +1034,18 @@ * Labeling event operations: IPC object. */ static void +mac_mls_create_inpcb_from_socket(struct socket *so, struct label *solabel, + struct inpcb *inp, struct label *inplabel) +{ + struct mac_mls *source, *dest; + + source = SLOT(solabel); + dest = SLOT(inplabel); + + mac_mls_copy_single(source, dest); +} + +static void mac_mls_create_mbuf_from_socket(struct socket *so, struct label *socketlabel, struct mbuf *m, struct label *mbuflabel) { @@ -1377,6 +1390,18 @@ /* NOOP: we only accept matching labels, so no need to update */ } +static void +mac_mls_inpcb_sosetlabel(struct socket *so, struct label *solabel, + struct inpcb *inp, struct label *inplabel) +{ + struct mac_mls *source, *dest; + + source = SLOT(solabel); + dest = SLOT(inplabel); + + mac_mls_copy(source, dest); +} + /* * Labeling event operations: processes. */ @@ -1600,6 +1625,21 @@ } static int +mac_mls_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel, + struct mbuf *m, struct label *mlabel) +{ + struct mac_mls *p, *i; + + if (!mac_mls_enabled) + return (0); + + p = SLOT(mlabel); + i = SLOT(inplabel); + + return (mac_mls_equal_single(p, i) ? 0 : EACCES); +} + +static int mac_mls_check_ipc_msgrcv(struct ucred *cred, struct msg *msgptr, struct label *msglabel) { @@ -2889,6 +2929,7 @@ .mpo_init_cred_label = mac_mls_init_label, .mpo_init_devfsdirent_label = mac_mls_init_label, .mpo_init_ifnet_label = mac_mls_init_label, + .mpo_init_inpcb_label = mac_mls_init_label_waitcheck, .mpo_init_ipc_msgmsg_label = mac_mls_init_label, .mpo_init_ipc_msgqueue_label = mac_mls_init_label, .mpo_init_ipc_sema_label = mac_mls_init_label, @@ -2906,6 +2947,7 @@ .mpo_destroy_cred_label = mac_mls_destroy_label, .mpo_destroy_devfsdirent_label = mac_mls_destroy_label, .mpo_destroy_ifnet_label = mac_mls_destroy_label, + .mpo_destroy_inpcb_label = mac_mls_destroy_label, .mpo_destroy_ipc_msgmsg_label = mac_mls_destroy_label, .mpo_destroy_ipc_msgqueue_label = mac_mls_destroy_label, .mpo_destroy_ipc_sema_label = mac_mls_destroy_label, @@ -2958,6 +3000,7 @@ .mpo_create_datagram_from_ipq = mac_mls_create_datagram_from_ipq, .mpo_create_fragment = mac_mls_create_fragment, .mpo_create_ifnet = mac_mls_create_ifnet, + .mpo_create_inpcb_from_socket = mac_mls_create_inpcb_from_socket, .mpo_create_ipq = mac_mls_create_ipq, .mpo_create_ipc_msgmsg = mac_mls_create_ipc_msgmsg, .mpo_create_ipc_msgqueue = mac_mls_create_ipc_msgqueue, @@ -2972,6 +3015,7 @@ .mpo_fragment_match = mac_mls_fragment_match, .mpo_relabel_ifnet = mac_mls_relabel_ifnet, .mpo_update_ipq = mac_mls_update_ipq, + .mpo_inpcb_sosetlabel = mac_mls_inpcb_sosetlabel, .mpo_create_cred = mac_mls_create_cred, .mpo_create_proc0 = mac_mls_create_proc0, .mpo_create_proc1 = mac_mls_create_proc1, @@ -2985,6 +3029,7 @@ .mpo_check_cred_visible = mac_mls_check_cred_visible, .mpo_check_ifnet_relabel = mac_mls_check_ifnet_relabel, .mpo_check_ifnet_transmit = mac_mls_check_ifnet_transmit, + .mpo_check_inpcb_deliver = mac_mls_check_inpcb_deliver, .mpo_check_ipc_msgrcv = mac_mls_check_ipc_msgrcv, .mpo_check_ipc_msgrmid = mac_mls_check_ipc_msgrmid, .mpo_check_ipc_msqget = mac_mls_check_ipc_msqget, ==== //depot/projects/trustedbsd/mac/sys/security/mac_stub/mac_stub.c#10 - /data/p4/rwatson/trustedbsd/mac/sys/security/mac_stub/mac_stub.c ==== @@ -74,6 +74,7 @@ #include #include +#include #include #include @@ -345,6 +346,13 @@ } static void +stub_create_inpcb_from_socket(struct socket *so, struct label *solabel, + struct inpcb *inp, struct label *inplabel) +{ + +} + +static void stub_create_ipc_msgmsg(struct ucred *cred, struct msqid_kernel *msqkptr, struct label *msqlabel, struct msg *msgptr, struct label *msglabel) { @@ -465,6 +473,13 @@ return (0); } +static void +stub_inpcb_sosetlabel(struct socket *so, struct label *solabel, + struct inpcb *inp, struct label *inplabel) +{ + +} + /* * Labeling event operations: processes. */ @@ -585,6 +600,14 @@ } static int +stub_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel, + struct mbuf *m, struct label *mlabel) +{ + + return (0); +} + +static int stub_check_ipc_msgmsq(struct ucred *cred, struct msg *msgptr, struct label *msglabel, struct msqid_kernel *msqkptr, struct label *msqklabel) @@ -1265,6 +1288,7 @@ .mpo_init_cred_label = stub_init_label, .mpo_init_devfsdirent_label = stub_init_label, .mpo_init_ifnet_label = stub_init_label, + .mpo_init_inpcb_label = stub_init_label_waitcheck, .mpo_init_ipc_msgmsg_label = stub_init_label, .mpo_init_ipc_msgqueue_label = stub_init_label, .mpo_init_ipc_sema_label = stub_init_label, @@ -1282,6 +1306,7 @@ .mpo_destroy_cred_label = stub_destroy_label, .mpo_destroy_devfsdirent_label = stub_destroy_label, .mpo_destroy_ifnet_label = stub_destroy_label, + .mpo_destroy_inpcb_label = stub_destroy_label, .mpo_destroy_ipc_msgmsg_label = stub_destroy_label, .mpo_destroy_ipc_msgqueue_label = stub_destroy_label, .mpo_destroy_ipc_sema_label = stub_destroy_label, @@ -1312,6 +1337,7 @@ .mpo_create_devfs_device = stub_create_devfs_device, .mpo_create_devfs_directory = stub_create_devfs_directory, .mpo_create_devfs_symlink = stub_create_devfs_symlink, + .mpo_create_inpcb_from_socket = stub_create_inpcb_from_socket, .mpo_create_ipc_msgmsg = stub_create_ipc_msgmsg, .mpo_create_ipc_msgqueue = stub_create_ipc_msgqueue, .mpo_create_ipc_sema = stub_create_ipc_sema, @@ -1349,6 +1375,7 @@ .mpo_relabel_ifnet = stub_relabel_ifnet, .mpo_update_ipq = stub_update_ipq, .mpo_update_mbuf_from_cipso = stub_update_mbuf_from_cipso, + .mpo_inpcb_sosetlabel = stub_inpcb_sosetlabel, .mpo_create_cred = stub_create_cred, .mpo_execve_transition = stub_execve_transition, .mpo_execve_will_transition = stub_execve_will_transition, @@ -1365,6 +1392,7 @@ .mpo_check_cred_visible = stub_check_cred_visible, .mpo_check_ifnet_relabel = stub_check_ifnet_relabel, .mpo_check_ifnet_transmit = stub_check_ifnet_transmit, + .mpo_check_inpcb_deliver = stub_check_inpcb_deliver, .mpo_check_ipc_msgmsq = stub_check_ipc_msgmsq, .mpo_check_ipc_msgrcv = stub_check_ipc_msgrcv, .mpo_check_ipc_msgrmid = stub_check_ipc_msgrmid, ==== //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#120 - /data/p4/rwatson/trustedbsd/mac/sys/security/mac_test/mac_test.c ==== @@ -87,6 +87,7 @@ #define BPFMAGIC 0xfe1ad1b6 #define DEVFSMAGIC 0x9ee79c32 #define IFNETMAGIC 0xc218b120 +#define INPCBMAGIC 0x4440f7bb #define IPQMAGIC 0x206188ef #define MBUFMAGIC 0xbbefa5bb #define MOUNTMAGIC 0xc7c46e47 @@ -110,6 +111,8 @@ SLOT(x) == 0, ("%s: Bad DEVFS label", __func__ )) #define ASSERT_IFNET_LABEL(x) KASSERT(SLOT(x) == IFNETMAGIC || \ SLOT(x) == 0, ("%s: Bad IFNET label", __func__ )) +#define ASSERT_INPCB_LABEL(x) KASSERT(SLOT(x) == INPCBMAGIC || \ + SLOT(x) == 0, ("%s: Bad INPCB label", __func__ )) #define ASSERT_IPQ_LABEL(x) KASSERT(SLOT(x) == IPQMAGIC || \ SLOT(x) == 0, ("%s: Bad IPQ label", __func__ )) #define ASSERT_MBUF_LABEL(x) KASSERT(SLOT(x) == MBUFMAGIC || \ @@ -153,6 +156,9 @@ static int init_count_ifnet; SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_ifnet, CTLFLAG_RD, &init_count_ifnet, 0, "ifnet init calls"); +static int init_count_inpcb; +SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_inpcb, CTLFLAG_RD, + &init_count_inpcb, 0, "inpcb init calls"); static int init_count_ipc_msg; SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_ipc_msg, CTLFLAG_RD, &init_count_ipc_msg, 0, "ipc_msg init calls"); @@ -209,6 +215,9 @@ static int destroy_count_ifnet; SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_ifnet, CTLFLAG_RD, &destroy_count_ifnet, 0, "ifnet destroy calls"); +static int destroy_count_inpcb; +SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_inpcb, CTLFLAG_RD, + &destroy_count_inpcb, 0, "inpcb destroy calls"); static int destroy_count_ipc_msg; SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_ipc_msg, CTLFLAG_RD, &destroy_count_ipc_msg, 0, "ipc_msg destroy calls"); @@ -318,6 +327,20 @@ atomic_add_int(&init_count_ifnet, 1); } +static int +mac_test_init_inpcb_label(struct label *label, int flag) +{ + + if (flag & M_WAITOK) + WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, + "mac_test_init_inpcb_label() at %s:%d", __FILE__, + __LINE__); + + SLOT(label) = INPCBMAGIC; + atomic_add_int(&init_count_inpcb, 1); + return (0); +} + static void mac_test_init_ipc_msgmsg_label(struct label *label) { @@ -507,6 +530,20 @@ } static void +mac_test_destroy_inpcb_label(struct label *label) +{ + + if (SLOT(label) == INPCBMAGIC || SLOT(label) == 0) { + atomic_add_int(&destroy_count_inpcb, 1); + SLOT(label) = EXMAGIC; + } else if (SLOT(label) == EXMAGIC) { + Debugger("mac_test_destroy_inpcb: dup destroy"); + } else { + Debugger("mac_test_destroy_inpcb: corrupted label"); + } +} + +static void mac_test_destroy_ipc_msgmsg_label(struct label *label) { @@ -988,6 +1025,15 @@ } static void +mac_test_create_inpcb_from_socket(struct socket *so, struct label *solabel, + struct inpcb *inp, struct label *inplabel) +{ + + ASSERT_SOCKET_LABEL(solabel); + ASSERT_INPCB_LABEL(inplabel); +} + +static void mac_test_create_ipc_msgmsg(struct ucred *cred, struct msqid_kernel *msqkptr, struct label *msqlabel, struct msg *msgptr, struct label *msglabel) { @@ -1142,6 +1188,15 @@ return (0); } +static void +mac_test_inpcb_sosetlabel(struct socket *so, struct label *solabel, + struct inpcb *inp, struct label *inplabel) +{ + + ASSERT_SOCKET_LABEL(solabel); + ASSERT_INPCB_LABEL(inplabel); +} + /* * Labeling event operations: processes. */ @@ -1320,6 +1375,17 @@ } static int +mac_test_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel, + struct mbuf *m, struct label *mlabel) +{ + + ASSERT_INPCB_LABEL(inplabel); + ASSERT_MBUF_LABEL(mlabel); + + return (0); +} + +static int mac_test_check_ipc_msgmsq(struct ucred *cred, struct msg *msgptr, struct label *msglabel, struct msqid_kernel *msqkptr, struct label *msqklabel) @@ -2197,6 +2263,7 @@ .mpo_init_ipc_msgqueue_label = mac_test_init_ipc_msgqueue_label, .mpo_init_ipc_sema_label = mac_test_init_ipc_sema_label, .mpo_init_ipc_shm_label = mac_test_init_ipc_shm_label, + .mpo_init_inpcb_label = mac_test_init_inpcb_label, .mpo_init_ipq_label = mac_test_init_ipq_label, .mpo_init_mbuf_label = mac_test_init_mbuf_label, .mpo_init_mount_label = mac_test_init_mount_label, @@ -2215,6 +2282,7 @@ .mpo_destroy_ipc_msgqueue_label = mac_test_destroy_ipc_msgqueue_label, .mpo_destroy_ipc_sema_label = mac_test_destroy_ipc_sema_label, .mpo_destroy_ipc_shm_label = mac_test_destroy_ipc_shm_label, + .mpo_destroy_inpcb_label = mac_test_destroy_inpcb_label, .mpo_destroy_ipq_label = mac_test_destroy_ipq_label, .mpo_destroy_mbuf_label = mac_test_destroy_mbuf_label, .mpo_destroy_mount_label = mac_test_destroy_mount_label, @@ -2259,6 +2327,7 @@ .mpo_set_socket_peer_from_socket = mac_test_set_socket_peer_from_socket, .mpo_create_bpfdesc = mac_test_create_bpfdesc, .mpo_create_ifnet = mac_test_create_ifnet, + .mpo_create_inpcb_from_socket = mac_test_create_inpcb_from_socket, .mpo_create_ipc_msgmsg = mac_test_create_ipc_msgmsg, .mpo_create_ipc_msgqueue = mac_test_create_ipc_msgqueue, .mpo_create_ipc_sema = mac_test_create_ipc_sema, @@ -2278,6 +2347,7 @@ .mpo_relabel_ifnet = mac_test_relabel_ifnet, .mpo_update_ipq = mac_test_update_ipq, .mpo_update_mbuf_from_cipso = mac_test_update_mbuf_from_cipso, + .mpo_inpcb_sosetlabel = mac_test_inpcb_sosetlabel, .mpo_create_cred = mac_test_create_cred, .mpo_execve_transition = mac_test_execve_transition, .mpo_execve_will_transition = mac_test_execve_will_transition, @@ -2294,6 +2364,7 @@ .mpo_check_cred_visible = mac_test_check_cred_visible, .mpo_check_ifnet_relabel = mac_test_check_ifnet_relabel, .mpo_check_ifnet_transmit = mac_test_check_ifnet_transmit, + .mpo_check_inpcb_deliver = mac_test_check_inpcb_deliver, .mpo_check_ipc_msgmsq = mac_test_check_ipc_msgmsq, .mpo_check_ipc_msgrcv = mac_test_check_ipc_msgrcv, .mpo_check_ipc_msgrmid = mac_test_check_ipc_msgrmid, ==== //depot/projects/trustedbsd/mac/sys/sys/mac.h#250 - /data/p4/rwatson/trustedbsd/mac/sys/sys/mac.h ==== @@ -111,6 +111,7 @@ struct ifnet; struct ifreq; struct image_params; +struct inpcb; struct ipq; struct ksem; struct m_tag; @@ -142,6 +143,7 @@ void mac_init_cred(struct ucred *); void mac_init_devfsdirent(struct devfs_dirent *); void mac_init_ifnet(struct ifnet *); +int mac_init_inpcb(struct inpcb *, int flag); void mac_init_ipc_msgmsg(struct msg *); void mac_init_ipc_msgqueue(struct msqid_kernel*); void mac_init_ipc_sema(struct semid_kernel*); @@ -161,6 +163,7 @@ void mac_destroy_cred(struct ucred *); void mac_destroy_devfsdirent(struct devfs_dirent *); void mac_destroy_ifnet(struct ifnet *); +void mac_destroy_inpcb(struct inpcb *); void mac_destroy_ipc_msgmsg(struct msg *); void mac_destroy_ipc_msgqueue(struct msqid_kernel *); void mac_destroy_ipc_sema(struct semid_kernel *); @@ -239,6 +242,7 @@ */ void mac_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d); void mac_create_ifnet(struct ifnet *ifp); +void mac_create_inpcb_from_socket(struct socket *so, struct inpcb *inp); void mac_create_ipq(struct mbuf *fragment, struct ipq *ipq); void mac_create_datagram_from_ipq(struct ipq *ipq, struct mbuf *datagram); void mac_create_fragment(struct mbuf *datagram, struct mbuf *fragment); @@ -254,6 +258,7 @@ void mac_reflect_mbuf_tcp(struct mbuf *m); void mac_update_ipq(struct mbuf *fragment, struct ipq *ipq); int mac_update_mbuf_from_cipso(struct mbuf *m, char *cp, int *code); +void mac_inpcb_sosetlabel(struct socket *so, struct inpcb *inp); /* * Labeling event operations: processes. @@ -288,6 +293,7 @@ int mac_check_bpfdesc_receive(struct bpf_d *bpf_d, struct ifnet *ifnet); int mac_check_cred_visible(struct ucred *u1, struct ucred *u2); int mac_check_ifnet_transmit(struct ifnet *ifnet, struct mbuf *m); +int mac_check_inpcb_deliver(struct inpcb *inp, struct mbuf *m); int mac_check_ipc_msgmsq(struct ucred *cred, struct msg *msgptr, struct msqid_kernel *msqkptr); int mac_check_ipc_msgrcv(struct ucred *cred, struct msg *msgptr); ==== //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#201 - /data/p4/rwatson/trustedbsd/mac/sys/sys/mac_policy.h ==== @@ -54,6 +54,7 @@ struct acl; struct componentname; struct devfs_dirent; +struct inpcb; struct ipq; struct label; struct mac_policy_conf; @@ -86,6 +87,7 @@ void (*mpo_init_cred_label)(struct label *label); void (*mpo_init_devfsdirent_label)(struct label *label); void (*mpo_init_ifnet_label)(struct label *label); + int (*mpo_init_inpcb_label)(struct label *label, int flag); void (*mpo_init_ipc_msgmsg_label)(struct label *label); void (*mpo_init_ipc_msgqueue_label)(struct label* label); void (*mpo_init_ipc_sema_label)(struct label* label); @@ -104,6 +106,7 @@ void (*mpo_destroy_cred_label)(struct label *label); void (*mpo_destroy_devfsdirent_label)(struct label *label); void (*mpo_destroy_ifnet_label)(struct label *label); + void (*mpo_destroy_inpcb_label)(struct label *label); void (*mpo_destroy_ipc_msgmsg_label)(struct label* label); void (*mpo_destroy_ipc_msgqueue_label)(struct label* label); void (*mpo_destroy_ipc_sema_label)(struct label* label); @@ -242,6 +245,9 @@ struct label *bpflabel); void (*mpo_create_ifnet)(struct ifnet *ifnet, struct label *ifnetlabel); + void (*mpo_create_inpcb_from_socket)(struct socket *so, + struct label *solabel, struct inpcb *inp, + struct label *inplabel); void (*mpo_create_ipq)(struct mbuf *fragment, struct label *fragmentlabel, struct ipq *ipq, struct label *ipqlabel); @@ -284,6 +290,9 @@ int (*mpo_update_mbuf_from_cipso)(struct mbuf *m, struct label *mlabel, struct ifnet *ifnet, struct label *ifnetlabel, char *cp, int *code); + void (*mpo_inpcb_sosetlabel)(struct socket *so, + struct label *label, struct inpcb *inp, + struct label *inplabel); /* * Labeling event operations: processes. @@ -333,6 +342,9 @@ int (*mpo_check_ifnet_transmit)(struct ifnet *ifnet, struct label *ifnetlabel, struct mbuf *m, struct label *mbuflabel); + int (*mpo_check_inpcb_deliver)(struct inpcb *inp, + struct label *inplabel, struct mbuf *m, + struct label *mlabel); int (*mpo_check_ipc_msgmsq)(struct ucred *cred, struct msg *msgptr, struct label *msglabel, struct msqid_kernel *msqkptr, struct label *msqklabel); ==== //depot/projects/trustedbsd/mac/sys/sys/protosw.h#6 - /data/p4/rwatson/trustedbsd/mac/sys/sys/protosw.h ==== @@ -232,6 +232,7 @@ int *flagsp); int (*pru_sopoll)(struct socket *so, int events, struct ucred *cred, struct thread *td); + void (*pru_sosetlabel)(struct socket *so); }; int pru_accept_notsupp(struct socket *so, struct sockaddr **nam); @@ -244,6 +245,7 @@ int pru_rcvd_notsupp(struct socket *so, int flags); int pru_rcvoob_notsupp(struct socket *so, struct mbuf *m, int flags); int pru_sense_null(struct socket *so, struct stat *sb); +void pru_sosetlabel_null(struct socket *so); #endif /* _KERNEL */