<feed xmlns='http://www.w3.org/2005/Atom'>
<title>src-test2/sys/security/mac, branch release/5.2.0_cvs</title>
<subtitle>FreeBSD source tree</subtitle>
<id>https://cgit-dev.freebsd.org/src-test2/atom?h=release%2F5.2.0_cvs</id>
<link rel='self' href='https://cgit-dev.freebsd.org/src-test2/atom?h=release%2F5.2.0_cvs'/>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src-test2/'/>
<updated>2004-01-10T05:53:29Z</updated>
<entry>
<title>This commit was manufactured by cvs2svn to create tag</title>
<updated>2004-01-10T05:53:29Z</updated>
<author>
<name>cvs2svn</name>
<email>cvs2svn@FreeBSD.org</email>
</author>
<published>2004-01-10T05:53:29Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src-test2/commit/?id=58c9ff44c8041f394c663cb9640e9b77fe07bb13'/>
<id>urn:sha1:58c9ff44c8041f394c663cb9640e9b77fe07bb13</id>
<content type='text'>
'RELENG_5_2_0_RELEASE'.

This commit was manufactured to restore the state of the 5.2-RELEASE image.
Releases prior to 5.3-RELEASE are omitting the secure/ and crypto/ subdirs.
</content>
</entry>
<entry>
<title>This commit was manufactured by cvs2svn to create branch 'RELENG_5_2'.</title>
<updated>2003-12-07T03:02:28Z</updated>
<author>
<name>cvs2svn</name>
<email>cvs2svn@FreeBSD.org</email>
</author>
<published>2003-12-07T03:02:28Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src-test2/commit/?id=a348451bd8bd6d66bcb5b23f2aaec00e74c1292f'/>
<id>urn:sha1:a348451bd8bd6d66bcb5b23f2aaec00e74c1292f</id>
<content type='text'>
</content>
</entry>
<entry>
<title>Rename mac_create_cred() MAC Framework entry point to mac_copy_cred(),</title>
<updated>2003-12-06T21:48:03Z</updated>
<author>
<name>Robert Watson</name>
<email>rwatson@FreeBSD.org</email>
</author>
<published>2003-12-06T21:48:03Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src-test2/commit/?id=56d9e932072f81ebaa7bb1bf5995a46813bc91c4'/>
<id>urn:sha1:56d9e932072f81ebaa7bb1bf5995a46813bc91c4</id>
<content type='text'>
and the mpo_create_cred() MAC policy entry point to
mpo_copy_cred_label().  This is more consistent with similar entry
points for creation and label copying, as mac_create_cred() was
called from crdup() as opposed to during process creation.  For
a number of policies, this removes the requirement for special
handling when copying credential labels, and improves consistency.

Approved by:	re (scottl)
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
</content>
</entry>
<entry>
<title>Introduce a MAC label reference in 'struct inpcb', which caches</title>
<updated>2003-11-18T00:39:07Z</updated>
<author>
<name>Robert Watson</name>
<email>rwatson@FreeBSD.org</email>
</author>
<published>2003-11-18T00:39:07Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src-test2/commit/?id=a557af222b70694470f63e2a0f1bf58c9dcc73fd'/>
<id>urn:sha1:a557af222b70694470f63e2a0f1bf58c9dcc73fd</id>
<content type='text'>
the MAC label referenced from 'struct socket' in the IPv4 and
IPv6-based protocols.  This permits MAC labels to be checked during
network delivery operations without dereferencing inp-&gt;inp_socket
to get to so-&gt;so_label, which will eventually avoid our having to
grab the socket lock during delivery at the network layer.

This change introduces 'struct inpcb' as a labeled object to the
MAC Framework, along with the normal circus of entry points:
initialization, creation from socket, destruction, as well as a
delivery access control check.

For most policies, the inpcb label will simply be a cache of the
socket label, so a new protocol switch method is introduced,
pr_sosetlabel() to notify protocols that the socket layer label
has been updated so that the cache can be updated while holding
appropriate locks.  Most protocols implement this using
pru_sosetlabel_null(), but IPv4/IPv6 protocols using inpcbs use
the worker function in_pcbsosetlabel(), which calls into the
MAC Framework to perform a cache update.

Biba, LOMAC, and MLS implement these entry points, as do the stub
policy, and test policy.

Reviewed by:	sam, bms
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
</content>
</entry>
<entry>
<title>Implement sockets support for __mac_get_fd() and __mac_set_fd()</title>
<updated>2003-11-16T23:31:45Z</updated>
<author>
<name>Robert Watson</name>
<email>rwatson@FreeBSD.org</email>
</author>
<published>2003-11-16T23:31:45Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src-test2/commit/?id=b0323ea3aaf2c98f85c4f28e247ad84759e6d02e'/>
<id>urn:sha1:b0323ea3aaf2c98f85c4f28e247ad84759e6d02e</id>
<content type='text'>
system calls, and prefer these calls over getsockopt()/setsockopt()
for ABI reasons.  When addressing UNIX domain sockets, these calls
retrieve and modify the socket label, not the label of the
rendezvous vnode.

- Create mac_copy_socket_label() entry point based on
  mac_copy_pipe_label() entry point, intended to copy the socket
  label into temporary storage that doesn't require a socket lock
  to be held (currently Giant).

- Implement mac_copy_socket_label() for various policies.

- Expose socket label allocation, free, internalize, externalize
  entry points as non-static from mac_net.c.

- Use mac_socket_label_set() in __mac_set_fd().

MAC-aware applications may now use mac_get_fd(), mac_set_fd(), and
mac_get_peer() to retrieve and set various socket labels without
directly invoking the getsockopt() interface.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
</content>
</entry>
<entry>
<title>Implement mac_get_peer(3) using getsockopt() with SOL_SOCKET and</title>
<updated>2003-11-16T20:18:24Z</updated>
<author>
<name>Robert Watson</name>
<email>rwatson@FreeBSD.org</email>
</author>
<published>2003-11-16T20:18:24Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src-test2/commit/?id=920325ee1da9e6c8d191ab0b2a3b11ee9a1831c0'/>
<id>urn:sha1:920325ee1da9e6c8d191ab0b2a3b11ee9a1831c0</id>
<content type='text'>
SO_PEERLABEL.  This provides an interface to query the label of a
socket peer without embedding implementation details of mac_t in
the application.  Previously, sizeof(*mac_t) had to be specified
by an application when performing getsockopt().

Document mac_get_peer(3), and expand documentation of the other
mac_get(3) functions.  Note that it's possible to get EINVAL back
from mac_get_fd(3) when pointing it at an inappropriate object.

NOTE: mac_get_fd() and mac_set_fd() support for sockets will
follow shortly, so the documentation is slightly ahead of the
code.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
</content>
</entry>
<entry>
<title>Abstract the label checking and setting logic from</title>
<updated>2003-11-16T20:01:50Z</updated>
<author>
<name>Robert Watson</name>
<email>rwatson@FreeBSD.org</email>
</author>
<published>2003-11-16T20:01:50Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src-test2/commit/?id=c9ea2dcf62e79bcc0b527700489c017af2d22985'/>
<id>urn:sha1:c9ea2dcf62e79bcc0b527700489c017af2d22985</id>
<content type='text'>
mac_setsockopt_label() into mac_socket_label_set(); make it non-static
so that it can be invoked from kern_mac.c for mac_set_fd().

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
</content>
</entry>
<entry>
<title>Reduce gratuitous redundancy and length in function names:</title>
<updated>2003-11-16T18:25:20Z</updated>
<author>
<name>Robert Watson</name>
<email>rwatson@FreeBSD.org</email>
</author>
<published>2003-11-16T18:25:20Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src-test2/commit/?id=9e71dd0feb2afc33dbcef6000e26208e6fbbdea9'/>
<id>urn:sha1:9e71dd0feb2afc33dbcef6000e26208e6fbbdea9</id>
<content type='text'>
  mac_setsockopt_label_set() -&gt; mac_setsockopt_label()
  mac_getsockopt_label_get() -&gt; mac_getsockopt_label()
  mac_getsockopt_peerlabel_get() -&gt; mac_getsockopt_peerlabel()

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
</content>
</entry>
<entry>
<title>Whitespace fix.</title>
<updated>2003-11-16T03:17:30Z</updated>
<author>
<name>Robert Watson</name>
<email>rwatson@FreeBSD.org</email>
</author>
<published>2003-11-16T03:17:30Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src-test2/commit/?id=5d9d409ca98274d86d65b5a9ee3d8015cd06fe43'/>
<id>urn:sha1:5d9d409ca98274d86d65b5a9ee3d8015cd06fe43</id>
<content type='text'>
</content>
</entry>
<entry>
<title>Reduced prerequisites by only using MALLOC_DECLARE() if it is defined.</title>
<updated>2003-11-14T21:18:04Z</updated>
<author>
<name>Bruce Evans</name>
<email>bde@FreeBSD.org</email>
</author>
<published>2003-11-14T21:18:04Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src-test2/commit/?id=57f253a4c67b58fdcd56c3329d0be5360e294ffb'/>
<id>urn:sha1:57f253a4c67b58fdcd56c3329d0be5360e294ffb</id>
<content type='text'>
This fixes a dependency of mac_label.c on namespace pollution in
&lt;vm/uma.h&gt;.

Similarly for SYSCTL_DECL() although I had no problems with it.  This
probably makes some includes of &lt;sys/sysctl.h&gt; bogus.
</content>
</entry>
</feed>
