<feed xmlns='http://www.w3.org/2005/Atom'>
<title>src-test2/sys/security/mac/mac_socket.c, branch release/7.2.0_cvs</title>
<subtitle>FreeBSD source tree</subtitle>
<id>https://cgit-dev.freebsd.org/src-test2/atom?h=release%2F7.2.0_cvs</id>
<link rel='self' href='https://cgit-dev.freebsd.org/src-test2/atom?h=release%2F7.2.0_cvs'/>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src-test2/'/>
<updated>2009-05-01T02:51:58Z</updated>
<entry>
<title>Copy releng/7.2 to release/7.2.0 for FreeBSD 7.2-RELEASE.</title>
<updated>2009-05-01T02:51:58Z</updated>
<author>
<name>Ken Smith</name>
<email>kensmith@FreeBSD.org</email>
</author>
<published>2009-05-01T02:51:58Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src-test2/commit/?id=b205d83df7763ca1f099bce5ac12a05862a626c4'/>
<id>urn:sha1:b205d83df7763ca1f099bce5ac12a05862a626c4</id>
<content type='text'>
Approved by:	re (implicit)

This commit was manufactured to restore the state of the 7.2-RELEASE image.
</content>
</entry>
<entry>
<title>Normalize variable naming in the MAC Framework by adopting the normal</title>
<updated>2007-04-22T19:55:56Z</updated>
<author>
<name>Robert Watson</name>
<email>rwatson@FreeBSD.org</email>
</author>
<published>2007-04-22T19:55:56Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src-test2/commit/?id=26ae2b86b61a907880bfc4e47050fc488c3c1f9b'/>
<id>urn:sha1:26ae2b86b61a907880bfc4e47050fc488c3c1f9b</id>
<content type='text'>
variable name conventions for arguments passed into the framework --
for example, name network interfaces 'ifp', sockets 'so', mounts 'mp',
mbufs 'm', processes 'p', etc., wherever possible.  Previously there
was significant variation in this regard.

Normalize copyright lists to ranges where sensible.
</content>
</entry>
<entry>
<title>Move src/sys/sys/mac_policy.h, the kernel interface between the MAC</title>
<updated>2006-12-22T23:34:47Z</updated>
<author>
<name>Robert Watson</name>
<email>rwatson@FreeBSD.org</email>
</author>
<published>2006-12-22T23:34:47Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src-test2/commit/?id=0efd6615cd5f39b67cec82a7034e655f3b5801e3'/>
<id>urn:sha1:0efd6615cd5f39b67cec82a7034e655f3b5801e3</id>
<content type='text'>
Framework and security modules, to src/sys/security/mac/mac_policy.h,
completing the removal of kernel-only MAC Framework include files from
src/sys/sys.  Update the MAC Framework and MAC policy modules.  Delete
the old mac_policy.h.

Third party policy modules will need similar updating.

Obtained from:	TrustedBSD Project
</content>
</entry>
<entry>
<title>Remove mac_enforce_subsystem debugging sysctls.  Enforcement on</title>
<updated>2006-12-21T09:51:34Z</updated>
<author>
<name>Robert Watson</name>
<email>rwatson@FreeBSD.org</email>
</author>
<published>2006-12-21T09:51:34Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src-test2/commit/?id=e66fe0e1db5b5e074e568fba22bd5b69b1430b6a'/>
<id>urn:sha1:e66fe0e1db5b5e074e568fba22bd5b69b1430b6a</id>
<content type='text'>
subsystems will be a property of policy modules, which may require
access control check entry points to be invoked even when not actively
enforcing (i.e., to track information flow without providing
protection).

Obtained from:	TrustedBSD Project
Suggested by:	Christopher dot Vance at sparta dot com
</content>
</entry>
<entry>
<title>Document socket labeling model.</title>
<updated>2006-12-20T23:16:41Z</updated>
<author>
<name>Robert Watson</name>
<email>rwatson@FreeBSD.org</email>
</author>
<published>2006-12-20T23:16:41Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src-test2/commit/?id=df3c68e479bbda28028c339612d2a174de30298e'/>
<id>urn:sha1:df3c68e479bbda28028c339612d2a174de30298e</id>
<content type='text'>
Clean up comment white space and wrapping.

Obtained from:	TrustedBSD Project
</content>
</entry>
<entry>
<title>Complete break-out of sys/sys/mac.h into sys/security/mac/mac_framework.h</title>
<updated>2006-10-22T11:52:19Z</updated>
<author>
<name>Robert Watson</name>
<email>rwatson@FreeBSD.org</email>
</author>
<published>2006-10-22T11:52:19Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src-test2/commit/?id=aed557087269cd052aa76cc15af4a1fd70cbbf24'/>
<id>urn:sha1:aed557087269cd052aa76cc15af4a1fd70cbbf24</id>
<content type='text'>
begun with a repo-copy of mac.h to mac_framework.h.  sys/mac.h now
contains the userspace and user&lt;-&gt;kernel API and definitions, with all
in-kernel interfaces moved to mac_framework.h, which is now included
across most of the kernel instead.

This change is the first step in a larger cleanup and sweep of MAC
Framework interfaces in the kernel, and will not be MFC'd.

Obtained from:	TrustedBSD Project
Sponsored by:	SPARTA
</content>
</entry>
<entry>
<title>Remove MAC_DEBUG label counters, which were used to debug leaks and</title>
<updated>2006-09-20T13:33:41Z</updated>
<author>
<name>Robert Watson</name>
<email>rwatson@FreeBSD.org</email>
</author>
<published>2006-09-20T13:33:41Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src-test2/commit/?id=738f14d4b139bed4315b0788098ee99abfc2dd81'/>
<id>urn:sha1:738f14d4b139bed4315b0788098ee99abfc2dd81</id>
<content type='text'>
other problems while labels were first being added to various kernel
objects.  They have outlived their usefulness.

MFC after:	1 month
Suggested by:	Christopher dot Vance at SPARTA dot com
Obtained from:	TrustedBSD Project
</content>
</entry>
<entry>
<title>Add MAC Framework and MAC policy entry point mac_check_socket_create(),</title>
<updated>2005-07-05T22:49:10Z</updated>
<author>
<name>Robert Watson</name>
<email>rwatson@FreeBSD.org</email>
</author>
<published>2005-07-05T22:49:10Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src-test2/commit/?id=6758f88ea476f8a5d8c956d2b4ab41a2c0aa6bd6'/>
<id>urn:sha1:6758f88ea476f8a5d8c956d2b4ab41a2c0aa6bd6</id>
<content type='text'>
which is invoked from socket() and socketpair(), permitting MAC
policy modules to control the creation of sockets by domain, type, and
protocol.

Obtained from:	TrustedBSD Project
Sponsored by:	SPARTA, SPAWAR
Approved by:	re (scottl)
Requested by:	SCC
</content>
</entry>
<entry>
<title>Introduce three additional MAC Framework and MAC Policy entry points to</title>
<updated>2005-04-16T18:46:29Z</updated>
<author>
<name>Robert Watson</name>
<email>rwatson@FreeBSD.org</email>
</author>
<published>2005-04-16T18:46:29Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src-test2/commit/?id=7f53207b920ab74fb4fb9de4964071bbb13bbbec'/>
<id>urn:sha1:7f53207b920ab74fb4fb9de4964071bbb13bbbec</id>
<content type='text'>
control socket poll() (select()), fstat(), and accept() operations,
required for some policies:

        poll()          mac_check_socket_poll()
        fstat()         mac_check_socket_stat()
        accept()        mac_check_socket_accept()

Update mac_stub and mac_test policies to be aware of these entry points.
While here, add missing entry point implementations for:

        mac_stub.c      stub_check_socket_receive()
        mac_stub.c      stub_check_socket_send()
        mac_test.c      mac_test_check_socket_send()
        mac_test.c      mac_test_check_socket_visible()

Obtained from:	TrustedBSD Project
Sponsored by:	SPAWAR, SPARTA
</content>
</entry>
<entry>
<title>Socket MAC labels so_label and so_peerlabel are now protected by</title>
<updated>2004-06-13T02:50:07Z</updated>
<author>
<name>Robert Watson</name>
<email>rwatson@FreeBSD.org</email>
</author>
<published>2004-06-13T02:50:07Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src-test2/commit/?id=310e7ceb94990acce70c4a1230d0f397aaf93555'/>
<id>urn:sha1:310e7ceb94990acce70c4a1230d0f397aaf93555</id>
<content type='text'>
SOCK_LOCK(so):

- Hold socket lock over calls to MAC entry points reading or
  manipulating socket labels.

- Assert socket lock in MAC entry point implementations.

- When externalizing the socket label, first make a thread-local
  copy while holding the socket lock, then release the socket lock
  to externalize to userspace.
</content>
</entry>
</feed>
