sys/security/mac/mac_net.c
Show First 20 Lines • Show All 137 Lines • ▼ Show 20 Lines | mac_ifnet_label_alloc(void) | ||||
return (label); | return (label); | ||||
} | } | ||||
void | void | ||||
mac_ifnet_init(struct ifnet *ifp) | mac_ifnet_init(struct ifnet *ifp) | ||||
{ | { | ||||
if (mac_labeled & MPC_OBJECT_IFNET) | if (mac_labeled & MPC_OBJECT_IFNET) | ||||
ifp->if_label = mac_ifnet_label_alloc(); | if_setmaclabel(ifp, mac_ifnet_label_alloc()); | ||||
else | else | ||||
ifp->if_label = NULL; | if_setmaclabel(ifp, NULL); | ||||
} | } | ||||
int | int | ||||
mac_mbuf_tag_init(struct m_tag *tag, int flag) | mac_mbuf_tag_init(struct m_tag *tag, int flag) | ||||
{ | { | ||||
struct label *label; | struct label *label; | ||||
int error; | int error; | ||||
▲ Show 20 Lines • Show All 58 Lines • ▼ Show 20 Lines | mac_ifnet_label_free(struct label *label) | ||||
MAC_POLICY_PERFORM_NOSLEEP(ifnet_destroy_label, label); | MAC_POLICY_PERFORM_NOSLEEP(ifnet_destroy_label, label); | ||||
mac_labelzone_free(label); | mac_labelzone_free(label); | ||||
} | } | ||||
void | void | ||||
mac_ifnet_destroy(struct ifnet *ifp) | mac_ifnet_destroy(struct ifnet *ifp) | ||||
{ | { | ||||
struct label *label = if_getmaclabel(ifp); | |||||
if (ifp->if_label != NULL) { | if (label != NULL) { | ||||
mac_ifnet_label_free(ifp->if_label); | mac_ifnet_label_free(label); | ||||
ifp->if_label = NULL; | if_setmaclabel(ifp, NULL); | ||||
} | } | ||||
} | } | ||||
void | void | ||||
mac_mbuf_tag_destroy(struct m_tag *tag) | mac_mbuf_tag_destroy(struct m_tag *tag) | ||||
{ | { | ||||
struct label *label; | struct label *label; | ||||
mac_ifnet_create(struct ifnet *ifp) | mac_ifnet_create(struct ifnet *ifp) | ||||
{ | { | ||||
int locked; | int locked; | ||||
if (mac_policy_count == 0) | if (mac_policy_count == 0) | ||||
return; | return; | ||||
MAC_IFNET_LOCK(ifp, locked); | MAC_IFNET_LOCK(ifp, locked); | ||||
MAC_POLICY_PERFORM_NOSLEEP(ifnet_create, ifp, ifp->if_label); | MAC_POLICY_PERFORM_NOSLEEP(ifnet_create, ifp, if_getmaclabel(ifp)); | ||||
MAC_IFNET_UNLOCK(ifp, locked); | MAC_IFNET_UNLOCK(ifp, locked); | ||||
} | } | ||||
void | void | ||||
mac_bpfdesc_create(struct ucred *cred, struct bpf_d *d) | mac_bpfdesc_create(struct ucred *cred, struct bpf_d *d) | ||||
{ | { | ||||
MAC_POLICY_PERFORM_NOSLEEP(bpfdesc_create, cred, d, d->bd_label); | MAC_POLICY_PERFORM_NOSLEEP(bpfdesc_create, cred, d, d->bd_label); | ||||
mac_ifnet_create_mbuf_impl(struct ifnet *ifp, struct mbuf *m) | mac_ifnet_create_mbuf_impl(struct ifnet *ifp, struct mbuf *m) | ||||
{ | { | ||||
struct label *label; | struct label *label; | ||||
int locked; | int locked; | ||||
label = mac_mbuf_to_label(m); | label = mac_mbuf_to_label(m); | ||||
MAC_IFNET_LOCK(ifp, locked); | MAC_IFNET_LOCK(ifp, locked); | ||||
MAC_POLICY_PERFORM_NOSLEEP(ifnet_create_mbuf, ifp, ifp->if_label, m, | MAC_POLICY_PERFORM_NOSLEEP(ifnet_create_mbuf, ifp, if_getmaclabel(ifp), m, | ||||
label); | label); | ||||
MAC_IFNET_UNLOCK(ifp, locked); | MAC_IFNET_UNLOCK(ifp, locked); | ||||
} | } | ||||
MAC_CHECK_PROBE_DEFINE2(bpfdesc_check_receive, "struct bpf_d *", | MAC_CHECK_PROBE_DEFINE2(bpfdesc_check_receive, "struct bpf_d *", | ||||
"struct ifnet *"); | "struct ifnet *"); | ||||
int | int | ||||
mac_bpfdesc_check_receive(struct bpf_d *d, struct ifnet *ifp) | mac_bpfdesc_check_receive(struct bpf_d *d, struct ifnet *ifp) | ||||
{ | { | ||||
int error, locked; | int error, locked; | ||||
/* Assume reader lock is enough. */ | /* Assume reader lock is enough. */ | ||||
BPFD_LOCK_ASSERT(d); | BPFD_LOCK_ASSERT(d); | ||||
if (mac_policy_count == 0) | if (mac_policy_count == 0) | ||||
return (0); | return (0); | ||||
MAC_IFNET_LOCK(ifp, locked); | MAC_IFNET_LOCK(ifp, locked); | ||||
MAC_POLICY_CHECK_NOSLEEP(bpfdesc_check_receive, d, d->bd_label, ifp, | MAC_POLICY_CHECK_NOSLEEP(bpfdesc_check_receive, d, d->bd_label, ifp, | ||||
ifp->if_label); | if_getmaclabel(ifp)); | ||||
MAC_CHECK_PROBE2(bpfdesc_check_receive, error, d, ifp); | MAC_CHECK_PROBE2(bpfdesc_check_receive, error, d, ifp); | ||||
MAC_IFNET_UNLOCK(ifp, locked); | MAC_IFNET_UNLOCK(ifp, locked); | ||||
return (error); | return (error); | ||||
} | } | ||||
MAC_CHECK_PROBE_DEFINE2(ifnet_check_transmit, "struct ifnet *", | MAC_CHECK_PROBE_DEFINE2(ifnet_check_transmit, "struct ifnet *", | ||||
"struct mbuf *"); | "struct mbuf *"); | ||||
int | int | ||||
mac_ifnet_check_transmit_impl(struct ifnet *ifp, struct mbuf *m) | mac_ifnet_check_transmit_impl(struct ifnet *ifp, struct mbuf *m) | ||||
{ | { | ||||
struct label *label; | struct label *label; | ||||
int error, locked; | int error, locked; | ||||
M_ASSERTPKTHDR(m); | M_ASSERTPKTHDR(m); | ||||
label = mac_mbuf_to_label(m); | label = mac_mbuf_to_label(m); | ||||
MAC_IFNET_LOCK(ifp, locked); | MAC_IFNET_LOCK(ifp, locked); | ||||
MAC_POLICY_CHECK_NOSLEEP(ifnet_check_transmit, ifp, ifp->if_label, m, | MAC_POLICY_CHECK_NOSLEEP(ifnet_check_transmit, ifp, if_getmaclabel(ifp), m, | ||||
label); | label); | ||||
MAC_CHECK_PROBE2(ifnet_check_transmit, error, ifp, m); | MAC_CHECK_PROBE2(ifnet_check_transmit, error, ifp, m); | ||||
MAC_IFNET_UNLOCK(ifp, locked); | MAC_IFNET_UNLOCK(ifp, locked); | ||||
return (error); | return (error); | ||||
} | } | ||||
int | int | ||||
Show All 21 Lines | mac_ifnet_ioctl_get(struct ucred *cred, struct ifreq *ifr, | ||||
if (error) { | if (error) { | ||||
free(elements, M_MACTEMP); | free(elements, M_MACTEMP); | ||||
return (error); | return (error); | ||||
} | } | ||||
buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO); | buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO); | ||||
intlabel = mac_ifnet_label_alloc(); | intlabel = mac_ifnet_label_alloc(); | ||||
MAC_IFNET_LOCK(ifp, locked); | MAC_IFNET_LOCK(ifp, locked); | ||||
mac_ifnet_copy_label(ifp->if_label, intlabel); | mac_ifnet_copy_label(if_getmaclabel(ifp), intlabel); | ||||
MAC_IFNET_UNLOCK(ifp, locked); | MAC_IFNET_UNLOCK(ifp, locked); | ||||
error = mac_ifnet_externalize_label(intlabel, elements, buffer, | error = mac_ifnet_externalize_label(intlabel, elements, buffer, | ||||
mac.m_buflen); | mac.m_buflen); | ||||
mac_ifnet_label_free(intlabel); | mac_ifnet_label_free(intlabel); | ||||
if (error == 0) | if (error == 0) | ||||
error = copyout(buffer, mac.m_string, strlen(buffer)+1); | error = copyout(buffer, mac.m_string, strlen(buffer)+1); | ||||
free(buffer, M_MACTEMP); | free(buffer, M_MACTEMP); | ||||
▲ Show 20 Lines • Show All 44 Lines • ▼ Show 20 Lines | mac_ifnet_ioctl_set(struct ucred *cred, struct ifreq *ifr, struct ifnet *ifp) | ||||
error = priv_check_cred(cred, PRIV_NET_SETIFMAC); | error = priv_check_cred(cred, PRIV_NET_SETIFMAC); | ||||
if (error) { | if (error) { | ||||
mac_ifnet_label_free(intlabel); | mac_ifnet_label_free(intlabel); | ||||
return (error); | return (error); | ||||
} | } | ||||
MAC_IFNET_LOCK(ifp, locked); | MAC_IFNET_LOCK(ifp, locked); | ||||
MAC_POLICY_CHECK_NOSLEEP(ifnet_check_relabel, cred, ifp, | MAC_POLICY_CHECK_NOSLEEP(ifnet_check_relabel, cred, ifp, | ||||
ifp->if_label, intlabel); | if_getmaclabel(ifp), intlabel); | ||||
if (error) { | if (error) { | ||||
MAC_IFNET_UNLOCK(ifp, locked); | MAC_IFNET_UNLOCK(ifp, locked); | ||||
mac_ifnet_label_free(intlabel); | mac_ifnet_label_free(intlabel); | ||||
return (error); | return (error); | ||||
} | } | ||||
MAC_POLICY_PERFORM_NOSLEEP(ifnet_relabel, cred, ifp, ifp->if_label, | MAC_POLICY_PERFORM_NOSLEEP(ifnet_relabel, cred, ifp, if_getmaclabel(ifp), | ||||
intlabel); | intlabel); | ||||
MAC_IFNET_UNLOCK(ifp, locked); | MAC_IFNET_UNLOCK(ifp, locked); | ||||
mac_ifnet_label_free(intlabel); | mac_ifnet_label_free(intlabel); | ||||
return (0); | return (0); | ||||
} | } |
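Review bot: In mac_ifnet_destroy the new side still frees the label before detaching it from the ifnet, so for the span between `mac_ifnet_label_free(label);` and `if_setmaclabel(ifp, NULL);` the interface holds a dangling pointer; swapping the two lines — `if_setmaclabel(ifp, NULL);` then `mac_ifnet_label_free(label);` — closes that window at no cost, even if teardown ordering means no reader can observe it today (which I cannot confirm from this view). In mac_ifnet_ioctl_set the getter is now evaluated twice under MAC_IFNET_LOCK (the ifnet_check_relabel and ifnet_relabel calls); caching it once as `struct label *label = if_getmaclabel(ifp);` would match the pattern mac_ifnet_destroy already uses and keep the read-once semantics the old field access had. The longer argument lists in mac_ifnet_create_mbuf_impl and mac_ifnet_check_transmit_impl appear to push past 80 columns if indented with a tab as style(9) expects, so the `m,` likely belongs on the continuation line. The bodies of mac_ifnet_ioctl_get and mac_ifnet_ioctl_set begin outside the shown section.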