authorRobert Watson <rwatson@FreeBSD.org>2009-06-03 18:46:28 +0000
committerRobert Watson <rwatson@FreeBSD.org>2009-06-03 18:46:28 +0000
commit3de4046939a04576ede9d97f48f6a02d1a2ccc8c (patch)
treec959f41a3828e52e4d9970ee9fff5c64a88ca36e /sys/security/mac_mls
parent097695e97aae6604b78e60aafcf3aebdfc9dbe92 (diff)
Notes
Diffstat (limited to 'sys/security/mac_mls')
-rw-r--r--sys/security/mac_mls/mac_mls.c47
1 files changed, 38 insertions, 9 deletions
diff --git a/sys/security/mac_mls/mac_mls.c b/sys/security/mac_mls/mac_mls.c
index 6d13505c19d4..a0669c7eb54b 100644
--- a/sys/security/mac_mls/mac_mls.c
+++ b/sys/security/mac_mls/mac_mls.c
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 1999-2002, 2007-2008 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2007-2009 Robert N. M. Watson
* Copyright (c) 2001-2005 McAfee, Inc.
* Copyright (c) 2006 SPARTA, Inc.
* All rights reserved.
@@ -1116,6 +1116,8 @@ mls_inpcb_sosetlabel(struct socket *so, struct label *solabel,
{
struct mac_mls *source, *dest;
+ SOCK_LOCK_ASSERT(so);
+
source = SLOT(solabel);
dest = SLOT(inplabel);
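Review bot: The `SOCK_LOCK_ASSERT(so)` added at the top of mls_inpcb_sosetlabel is the only statement of this function's locking contract, and in kernels built without INVARIANTS such assertions are normally compiled out, so a caller that omits the lock would not be caught in production. A short comment above the assertion would make the requirement visible to readers, for example `/* Caller must hold the socket lock while the socket label is read. */`, with the wording checked against the rest of the function. The same applies to the assertions added in mls_socket_check_relabel and mls_socket_relabel. The function body continues past the end of this hunk.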
@@ -1623,6 +1625,7 @@ mls_socket_check_deliver(struct socket *so, struct label *solabel,
struct mbuf *m, struct label *mlabel)
{
struct mac_mls *p, *s;
+ int error;
if (!mls_enabled)
return (0);
@@ -1630,7 +1633,11 @@ mls_socket_check_deliver(struct socket *so, struct label *solabel,
p = SLOT(mlabel);
s = SLOT(solabel);
- return (mls_equal_effective(p, s) ? 0 : EACCES);
+ SOCK_LOCK(so);
+ error = mls_equal_effective(p, s) ? 0 : EACCES;
+ SOCK_UNLOCK(so);
+
+ return (error);
}
static int
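Review bot: The verdict computed in mls_socket_check_deliver is only guaranteed while the socket lock is held: after `SOCK_UNLOCK(so)` a concurrent relabel of the socket could change `solabel` before the caller acts on the returned `error`. If that window is accepted by design, it is worth stating next to the locked region, for example `/* The lock only guards the label read; the result is a snapshot once it is dropped. */`. Whether a relabel can actually run concurrently with delivery depends on callers that are not visible in this diff.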
@@ -1640,6 +1647,8 @@ mls_socket_check_relabel(struct ucred *cred, struct socket *so,
struct mac_mls *subj, *obj, *new;
int error;
+ SOCK_LOCK_ASSERT(so);
+
new = SLOT(newlabel);
subj = SLOT(cred->cr_label);
obj = SLOT(solabel);
@@ -1696,8 +1705,12 @@ mls_socket_check_visible(struct ucred *cred, struct socket *so,
subj = SLOT(cred->cr_label);
obj = SLOT(solabel);
- if (!mls_dominate_effective(subj, obj))
+ SOCK_LOCK(so);
+ if (!mls_dominate_effective(subj, obj)) {
+ SOCK_UNLOCK(so);
return (ENOENT);
+ }
+ SOCK_UNLOCK(so);
return (0);
}
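Review bot: The locked region in mls_socket_check_visible releases the lock on two separate paths, while mls_socket_check_deliver in this same commit computes a local `error` under the lock and unlocks once. Following that shape here keeps every lock/unlock pair on a single path and makes a missed unlock harder to introduce later: `error = mls_dominate_effective(subj, obj) ? 0 : ENOENT;` between `SOCK_LOCK(so);` and `SOCK_UNLOCK(so);`, then `return (error);`. The start of the function is outside this hunk, so an `int error;` declaration may need to be added as well.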
@@ -1723,19 +1736,26 @@ mls_socket_create_mbuf(struct socket *so, struct label *solabel,
source = SLOT(solabel);
dest = SLOT(mlabel);
+ SOCK_LOCK(so);
mls_copy_effective(source, dest);
+ SOCK_UNLOCK(so);
}
static void
mls_socket_newconn(struct socket *oldso, struct label *oldsolabel,
struct socket *newso, struct label *newsolabel)
{
- struct mac_mls *source, *dest;
+ struct mac_mls source, *dest;
+
+ SOCK_LOCK(oldso);
+ source = *SLOT(oldsolabel);
+ SOCK_UNLOCK(oldso);
- source = SLOT(oldsolabel);
dest = SLOT(newsolabel);
- mls_copy_effective(source, dest);
+ SOCK_LOCK(newso);
+ mls_copy_effective(&source, dest);
+ SOCK_UNLOCK(newso);
}
static void
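Review bot: Nothing in mls_socket_newconn explains why the old socket's label is now copied by value into a stack `struct mac_mls` instead of being read through a pointer. The apparent reason is to avoid holding the `oldso` and `newso` locks at the same time, and a comment should say so, for example `/* Snapshot the label under oldso's lock so the two socket locks are never held together. */`. The comment could also note that the new socket receives the label as it was at snapshot time, so a relabel of `oldso` between the two locked regions is not reflected. The same pattern and the same missing comment appear in mls_socketpeer_set_from_socket in the last hunk.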
@@ -1744,6 +1764,8 @@ mls_socket_relabel(struct ucred *cred, struct socket *so,
{
struct mac_mls *source, *dest;
+ SOCK_LOCK_ASSERT(so);
+
source = SLOT(newlabel);
dest = SLOT(solabel);
@@ -1759,7 +1781,9 @@ mls_socketpeer_set_from_mbuf(struct mbuf *m, struct label *mlabel,
source = SLOT(mlabel);
dest = SLOT(sopeerlabel);
+ SOCK_LOCK(so);
mls_copy_effective(source, dest);
+ SOCK_UNLOCK(so);
}
static void
@@ -1767,12 +1791,17 @@ mls_socketpeer_set_from_socket(struct socket *oldso,
struct label *oldsolabel, struct socket *newso,
struct label *newsopeerlabel)
{
- struct mac_mls *source, *dest;
+ struct mac_mls source, *dest;
+
+ SOCK_LOCK(oldso);
+ source = *SLOT(oldsolabel);
+ SOCK_UNLOCK(oldso);
- source = SLOT(oldsolabel);
dest = SLOT(newsopeerlabel);
- mls_copy_effective(source, dest);
+ SOCK_LOCK(newso);
+ mls_copy_effective(&source, dest);
+ SOCK_UNLOCK(newso);
}
static void