]>
Commit | Line | Data |
---|---|---|
1 | /* | |
2 | * Copyright (c) 2007-2012 Apple Inc. All rights reserved. | |
3 | * | |
4 | * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ | |
5 | * | |
6 | * This file contains Original Code and/or Modifications of Original Code | |
7 | * as defined in and that are subject to the Apple Public Source License | |
8 | * Version 2.0 (the 'License'). You may not use this file except in | |
9 | * compliance with the License. The rights granted to you under the License | |
10 | * may not be used to create, or enable the creation or redistribution of, | |
11 | * unlawful or unlicensed copies of an Apple operating system, or to | |
12 | * circumvent, violate, or enable the circumvention or violation of, any | |
13 | * terms of an Apple operating system software license agreement. | |
14 | * | |
15 | * Please obtain a copy of the License at | |
16 | * http://www.opensource.apple.com/apsl/ and read it before using this file. | |
17 | * | |
18 | * The Original Code and all software distributed under the License are | |
19 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER | |
20 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, | |
21 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, | |
22 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. | |
23 | * Please see the License for the specific language governing rights and | |
24 | * limitations under the License. | |
25 | * | |
26 | * @APPLE_OSREFERENCE_LICENSE_HEADER_END@ | |
27 | */ | |
28 | /*- | |
29 | * Copyright (c) 1999-2002 Robert N. M. Watson | |
30 | * Copyright (c) 2001 Ilmar S. Habibulin | |
31 | * Copyright (c) 2001-2005 Networks Associates Technology, Inc. | |
32 | * Copyright (c) 2005 SPARTA, Inc. | |
33 | * All rights reserved. | |
34 | * | |
35 | * This software was developed by Robert Watson and Ilmar Habibulin for the | |
36 | * TrustedBSD Project. | |
37 | * | |
38 | * This software was developed for the FreeBSD Project in part by McAfee | |
39 | * Research, the Technology Research Division of Network Associates, Inc. | |
40 | * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the | |
41 | * DARPA CHATS research program. | |
42 | * | |
43 | * This software was enhanced by SPARTA ISSO under SPAWAR contract | |
44 | * N66001-04-C-6019 ("SEFOS"). | |
45 | * | |
46 | * Redistribution and use in source and binary forms, with or without | |
47 | * modification, are permitted provided that the following conditions | |
48 | * are met: | |
49 | * 1. Redistributions of source code must retain the above copyright | |
50 | * notice, this list of conditions and the following disclaimer. | |
51 | * 2. Redistributions in binary form must reproduce the above copyright | |
52 | * notice, this list of conditions and the following disclaimer in the | |
53 | * documentation and/or other materials provided with the distribution. | |
54 | * | |
55 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND | |
56 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
57 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | |
58 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE | |
59 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
60 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | |
61 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
62 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | |
63 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | |
64 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | |
65 | * SUCH DAMAGE. | |
66 | */ | |
67 | ||
68 | #include <sys/cdefs.h> | |
69 | ||
70 | #include <sys/param.h> | |
71 | #include <sys/kernel.h> | |
72 | #include <sys/lock.h> | |
73 | #include <sys/malloc.h> | |
74 | #include <sys/sbuf.h> | |
75 | #include <sys/systm.h> | |
76 | #include <sys/mount.h> | |
77 | #include <sys/file.h> | |
78 | #include <sys/namei.h> | |
79 | #include <sys/protosw.h> | |
80 | #include <sys/socket.h> | |
81 | #include <sys/socketvar.h> | |
82 | #include <sys/sysctl.h> | |
83 | #include <sys/kpi_socket.h> | |
84 | ||
85 | #include <security/mac_internal.h> | |
86 | ||
87 | #if CONFIG_MACF_SOCKET | |
88 | struct label * | |
89 | mac_socket_label_alloc(int flag) | |
90 | { | |
91 | struct label *label; | |
92 | int error; | |
93 | ||
94 | label = mac_labelzone_alloc(flag); | |
95 | if (label == NULL) | |
96 | return (NULL); | |
97 | ||
98 | MAC_CHECK(socket_label_init, label, flag); | |
99 | if (error) { | |
100 | MAC_PERFORM(socket_label_destroy, label); | |
101 | mac_labelzone_free(label); | |
102 | return (NULL); | |
103 | } | |
104 | ||
105 | return (label); | |
106 | } | |
107 | ||
108 | static struct label * | |
109 | mac_socket_peer_label_alloc(int flag) | |
110 | { | |
111 | struct label *label; | |
112 | int error; | |
113 | ||
114 | label = mac_labelzone_alloc(flag); | |
115 | if (label == NULL) | |
116 | return (NULL); | |
117 | ||
118 | MAC_CHECK(socketpeer_label_init, label, flag); | |
119 | if (error) { | |
120 | MAC_PERFORM(socketpeer_label_destroy, label); | |
121 | mac_labelzone_free(label); | |
122 | return (NULL); | |
123 | } | |
124 | ||
125 | return (label); | |
126 | } | |
127 | ||
128 | int | |
129 | mac_socket_label_init(struct socket *so, int flag) | |
130 | { | |
131 | ||
132 | so->so_label = mac_socket_label_alloc(flag); | |
133 | if (so->so_label == NULL) | |
134 | return (ENOMEM); | |
135 | so->so_peerlabel = mac_socket_peer_label_alloc(flag); | |
136 | if (so->so_peerlabel == NULL) { | |
137 | mac_socket_label_free(so->so_label); | |
138 | so->so_label = NULL; | |
139 | return (ENOMEM); | |
140 | } | |
141 | return (0); | |
142 | } | |
143 | ||
144 | void | |
145 | mac_socket_label_free(struct label *label) | |
146 | { | |
147 | ||
148 | MAC_PERFORM(socket_label_destroy, label); | |
149 | mac_labelzone_free(label); | |
150 | } | |
151 | ||
152 | static void | |
153 | mac_socket_peer_label_free(struct label *label) | |
154 | { | |
155 | ||
156 | MAC_PERFORM(socketpeer_label_destroy, label); | |
157 | mac_labelzone_free(label); | |
158 | } | |
159 | ||
160 | void | |
161 | mac_socket_label_destroy(struct socket *so) | |
162 | { | |
163 | ||
164 | if (so->so_label != NULL) { | |
165 | mac_socket_label_free(so->so_label); | |
166 | so->so_label = NULL; | |
167 | } | |
168 | if (so->so_peerlabel != NULL) { | |
169 | mac_socket_peer_label_free(so->so_peerlabel); | |
170 | so->so_peerlabel = NULL; | |
171 | } | |
172 | } | |
173 | ||
174 | void | |
175 | mac_socket_label_copy(struct label *src, struct label *dest) | |
176 | { | |
177 | ||
178 | MAC_PERFORM(socket_label_copy, src, dest); | |
179 | } | |
180 | ||
181 | int | |
182 | mac_socket_label_externalize(struct label *label, char *elements, | |
183 | char *outbuf, size_t outbuflen) | |
184 | { | |
185 | int error; | |
186 | ||
187 | error = MAC_EXTERNALIZE(socket, label, elements, outbuf, outbuflen); | |
188 | ||
189 | return (error); | |
190 | } | |
191 | ||
192 | static int | |
193 | mac_socketpeer_label_externalize(struct label *label, char *elements, | |
194 | char *outbuf, size_t outbuflen) | |
195 | { | |
196 | int error; | |
197 | ||
198 | error = MAC_EXTERNALIZE(socketpeer, label, elements, outbuf, outbuflen); | |
199 | ||
200 | return (error); | |
201 | } | |
202 | ||
203 | int | |
204 | mac_socket_label_internalize(struct label *label, char *string) | |
205 | { | |
206 | int error; | |
207 | ||
208 | error = MAC_INTERNALIZE(socket, label, string); | |
209 | ||
210 | return (error); | |
211 | } | |
212 | ||
213 | void | |
214 | mac_socket_label_associate(struct ucred *cred, struct socket *so) | |
215 | { | |
216 | #if SECURITY_MAC_CHECK_ENFORCE | |
217 | /* 21167099 - only check if we allow write */ | |
218 | if (!mac_socket_enforce) | |
219 | return; | |
220 | #endif | |
221 | ||
222 | MAC_PERFORM(socket_label_associate, cred, | |
223 | (socket_t)so, so->so_label); | |
224 | } | |
225 | ||
226 | void | |
227 | mac_socket_label_associate_accept(struct socket *oldsocket, | |
228 | struct socket *newsocket) | |
229 | { | |
230 | #if SECURITY_MAC_CHECK_ENFORCE | |
231 | /* 21167099 - only check if we allow write */ | |
232 | if (!mac_socket_enforce) | |
233 | return; | |
234 | #endif | |
235 | ||
236 | MAC_PERFORM(socket_label_associate_accept, | |
237 | (socket_t)oldsocket, oldsocket->so_label, | |
238 | (socket_t)newsocket, newsocket->so_label); | |
239 | } | |
240 | ||
241 | #if CONFIG_MACF_SOCKET && CONFIG_MACF_NET | |
242 | void | |
243 | mac_socketpeer_label_associate_mbuf(struct mbuf *mbuf, struct socket *so) | |
244 | { | |
245 | struct label *label; | |
246 | ||
247 | #if SECURITY_MAC_CHECK_ENFORCE | |
248 | /* 21167099 - only check if we allow write */ | |
249 | if (!mac_socket_enforce && !mac_net_enforce) | |
250 | return; | |
251 | #endif | |
252 | ||
253 | label = mac_mbuf_to_label(mbuf); | |
254 | ||
255 | /* Policy must deal with NULL label (unlabeled mbufs) */ | |
256 | MAC_PERFORM(socketpeer_label_associate_mbuf, mbuf, label, | |
257 | (socket_t)so, so->so_peerlabel); | |
258 | } | |
259 | #else | |
260 | void | |
261 | mac_socketpeer_label_associate_mbuf(__unused struct mbuf *mbuf, | |
262 | __unused struct socket *so) | |
263 | { | |
264 | return; | |
265 | } | |
266 | #endif | |
267 | ||
268 | void | |
269 | mac_socketpeer_label_associate_socket(struct socket *oldsocket, | |
270 | struct socket *newsocket) | |
271 | { | |
272 | #if SECURITY_MAC_CHECK_ENFORCE | |
273 | /* 21167099 - only check if we allow write */ | |
274 | if (!mac_socket_enforce) | |
275 | return; | |
276 | #endif | |
277 | ||
278 | MAC_PERFORM(socketpeer_label_associate_socket, | |
279 | (socket_t)oldsocket, oldsocket->so_label, | |
280 | (socket_t)newsocket, newsocket->so_peerlabel); | |
281 | } | |
282 | ||
283 | int | |
284 | mac_socket_check_kqfilter(kauth_cred_t cred, struct knote *kn, | |
285 | struct socket *so) | |
286 | { | |
287 | int error; | |
288 | ||
289 | #if SECURITY_MAC_CHECK_ENFORCE | |
290 | /* 21167099 - only check if we allow write */ | |
291 | if (!mac_socket_enforce) | |
292 | return 0; | |
293 | #endif | |
294 | ||
295 | MAC_CHECK(socket_check_kqfilter, cred, kn, | |
296 | (socket_t)so, so->so_label); | |
297 | return (error); | |
298 | } | |
299 | ||
300 | static int | |
301 | int | |
302 | mac_socket_check_select(kauth_cred_t cred, struct socket *so, int which) | |
303 | { | |
304 | int error; | |
305 | ||
306 | #if SECURITY_MAC_CHECK_ENFORCE | |
307 | /* 21167099 - only check if we allow write */ | |
308 | if (!mac_socket_enforce) | |
309 | return 0; | |
310 | #endif | |
311 | ||
312 | MAC_CHECK(socket_check_select, cred, | |
313 | (socket_t)so, so->so_label, which); | |
314 | return (error); | |
315 | } | |
316 | ||
317 | mac_socket_check_label_update(kauth_cred_t cred, struct socket *so, | |
318 | struct label *newlabel) | |
319 | { | |
320 | int error; | |
321 | ||
322 | #if SECURITY_MAC_CHECK_ENFORCE | |
323 | /* 21167099 - only check if we allow write */ | |
324 | if (!mac_socket_enforce) | |
325 | return 0; | |
326 | #endif | |
327 | ||
328 | MAC_CHECK(socket_check_label_update, cred, | |
329 | (socket_t)so, so->so_label, | |
330 | newlabel); | |
331 | return (error); | |
332 | } | |
333 | ||
334 | int | |
335 | mac_socket_label_update(kauth_cred_t cred, struct socket *so, struct label *label) | |
336 | { | |
337 | int error; | |
338 | #if 0 | |
339 | #if SECURITY_MAC_CHECK_ENFORCE | |
340 | /* 21167099 - only check if we allow write */ | |
341 | if (!mac_socket_enforce) | |
342 | return 0; | |
343 | #endif | |
344 | #endif | |
345 | error = mac_socket_check_label_update(cred, so, label); | |
346 | if (error) | |
347 | return (error); | |
348 | ||
349 | MAC_PERFORM(socket_label_update, cred, | |
350 | (socket_t)so, so->so_label, label); | |
351 | ||
352 | #if CONFIG_MACF_NET | |
353 | /* | |
354 | * If the protocol has expressed interest in socket layer changes, | |
355 | * such as if it needs to propagate changes to a cached pcb | |
356 | * label from the socket, notify it of the label change while | |
357 | * holding the socket lock. | |
358 | * XXXMAC - are there cases when we should not do this? | |
359 | */ | |
360 | mac_inpcb_label_update(so); | |
361 | #endif | |
362 | return (0); | |
363 | } | |
364 | ||
365 | int | |
366 | mac_setsockopt_label(kauth_cred_t cred, struct socket *so, struct mac *mac) | |
367 | { | |
368 | struct label *intlabel; | |
369 | char *buffer; | |
370 | int error; | |
371 | size_t len; | |
372 | ||
373 | error = mac_check_structmac_consistent(mac); | |
374 | if (error) | |
375 | return (error); | |
376 | ||
377 | MALLOC(buffer, char *, mac->m_buflen, M_MACTEMP, M_WAITOK); | |
378 | error = copyinstr(CAST_USER_ADDR_T(mac->m_string), buffer, | |
379 | mac->m_buflen, &len); | |
380 | if (error) { | |
381 | FREE(buffer, M_MACTEMP); | |
382 | return (error); | |
383 | } | |
384 | ||
385 | intlabel = mac_socket_label_alloc(MAC_WAITOK); | |
386 | error = mac_socket_label_internalize(intlabel, buffer); | |
387 | FREE(buffer, M_MACTEMP); | |
388 | if (error) | |
389 | goto out; | |
390 | ||
391 | error = mac_socket_label_update(cred, so, intlabel); | |
392 | out: | |
393 | mac_socket_label_free(intlabel); | |
394 | return (error); | |
395 | } | |
396 | ||
397 | int | |
398 | mac_socket_label_get(__unused kauth_cred_t cred, struct socket *so, | |
399 | struct mac *mac) | |
400 | { | |
401 | char *buffer, *elements; | |
402 | struct label *intlabel; | |
403 | int error; | |
404 | size_t len; | |
405 | ||
406 | error = mac_check_structmac_consistent(mac); | |
407 | if (error) | |
408 | return (error); | |
409 | ||
410 | MALLOC(elements, char *, mac->m_buflen, M_MACTEMP, M_WAITOK); | |
411 | error = copyinstr(CAST_USER_ADDR_T(mac->m_string), elements, | |
412 | mac->m_buflen, &len); | |
413 | if (error) { | |
414 | FREE(elements, M_MACTEMP); | |
415 | return (error); | |
416 | } | |
417 | ||
418 | MALLOC(buffer, char *, mac->m_buflen, M_MACTEMP, M_WAITOK | M_ZERO); | |
419 | intlabel = mac_socket_label_alloc(MAC_WAITOK); | |
420 | mac_socket_label_copy(so->so_label, intlabel); | |
421 | error = mac_socket_label_externalize(intlabel, elements, buffer, | |
422 | mac->m_buflen); | |
423 | mac_socket_label_free(intlabel); | |
424 | if (error == 0) | |
425 | error = copyout(buffer, CAST_USER_ADDR_T(mac->m_string), | |
426 | strlen(buffer)+1); | |
427 | ||
428 | FREE(buffer, M_MACTEMP); | |
429 | FREE(elements, M_MACTEMP); | |
430 | ||
431 | return (error); | |
432 | } | |
433 | ||
434 | int | |
435 | mac_socketpeer_label_get(__unused kauth_cred_t cred, struct socket *so, | |
436 | struct mac *mac) | |
437 | { | |
438 | char *elements, *buffer; | |
439 | struct label *intlabel; | |
440 | int error; | |
441 | size_t len; | |
442 | ||
443 | error = mac_check_structmac_consistent(mac); | |
444 | if (error) | |
445 | return (error); | |
446 | ||
447 | MALLOC(elements, char *, mac->m_buflen, M_MACTEMP, M_WAITOK); | |
448 | error = copyinstr(CAST_USER_ADDR_T(mac->m_string), elements, | |
449 | mac->m_buflen, &len); | |
450 | if (error) { | |
451 | FREE(elements, M_MACTEMP); | |
452 | return (error); | |
453 | } | |
454 | ||
455 | MALLOC(buffer, char *, mac->m_buflen, M_MACTEMP, M_WAITOK | M_ZERO); | |
456 | intlabel = mac_socket_label_alloc(MAC_WAITOK); | |
457 | mac_socket_label_copy(so->so_peerlabel, intlabel); | |
458 | error = mac_socketpeer_label_externalize(intlabel, elements, buffer, | |
459 | mac->m_buflen); | |
460 | mac_socket_label_free(intlabel); | |
461 | if (error == 0) | |
462 | error = copyout(buffer, CAST_USER_ADDR_T(mac->m_string), | |
463 | strlen(buffer)+1); | |
464 | ||
465 | FREE(buffer, M_MACTEMP); | |
466 | FREE(elements, M_MACTEMP); | |
467 | ||
468 | return (error); | |
469 | } | |
470 | ||
471 | #endif /* MAC_SOCKET */ | |
472 | ||
473 | int | |
474 | mac_socket_check_accept(kauth_cred_t cred, struct socket *so) | |
475 | { | |
476 | int error; | |
477 | ||
478 | #if SECURITY_MAC_CHECK_ENFORCE | |
479 | /* 21167099 - only check if we allow write */ | |
480 | if (!mac_socket_enforce) | |
481 | return 0; | |
482 | #endif | |
483 | ||
484 | MAC_CHECK(socket_check_accept, cred, | |
485 | (socket_t)so, so->so_label); | |
486 | return (error); | |
487 | } | |
488 | ||
489 | #if CONFIG_MACF_SOCKET_SUBSET | |
490 | int | |
491 | mac_socket_check_accepted(kauth_cred_t cred, struct socket *so) | |
492 | { | |
493 | struct sockaddr *sockaddr; | |
494 | int error; | |
495 | ||
496 | #if SECURITY_MAC_CHECK_ENFORCE | |
497 | /* 21167099 - only check if we allow write */ | |
498 | if (!mac_socket_enforce) | |
499 | return 0; | |
500 | #endif | |
501 | ||
502 | if (sock_getaddr((socket_t)so, &sockaddr, 1) != 0) { | |
503 | error = ECONNABORTED; | |
504 | } else { | |
505 | MAC_CHECK(socket_check_accepted, cred, | |
506 | (socket_t)so, so->so_label, sockaddr); | |
507 | sock_freeaddr(sockaddr); | |
508 | } | |
509 | return (error); | |
510 | } | |
511 | #endif | |
512 | ||
513 | int | |
514 | mac_socket_check_bind(kauth_cred_t ucred, struct socket *so, | |
515 | struct sockaddr *sockaddr) | |
516 | { | |
517 | int error; | |
518 | ||
519 | #if SECURITY_MAC_CHECK_ENFORCE | |
520 | /* 21167099 - only check if we allow write */ | |
521 | if (!mac_socket_enforce) | |
522 | return 0; | |
523 | #endif | |
524 | ||
525 | MAC_CHECK(socket_check_bind, ucred, | |
526 | (socket_t)so, so->so_label, sockaddr); | |
527 | return (error); | |
528 | } | |
529 | ||
530 | int | |
531 | mac_socket_check_connect(kauth_cred_t cred, struct socket *so, | |
532 | struct sockaddr *sockaddr) | |
533 | { | |
534 | int error; | |
535 | ||
536 | #if SECURITY_MAC_CHECK_ENFORCE | |
537 | /* 21167099 - only check if we allow write */ | |
538 | if (!mac_socket_enforce) | |
539 | return 0; | |
540 | #endif | |
541 | ||
542 | MAC_CHECK(socket_check_connect, cred, | |
543 | (socket_t)so, so->so_label, | |
544 | sockaddr); | |
545 | return (error); | |
546 | } | |
547 | ||
548 | int | |
549 | mac_socket_check_create(kauth_cred_t cred, int domain, int type, int protocol) | |
550 | { | |
551 | int error; | |
552 | ||
553 | #if SECURITY_MAC_CHECK_ENFORCE | |
554 | /* 21167099 - only check if we allow write */ | |
555 | if (!mac_socket_enforce) | |
556 | return 0; | |
557 | #endif | |
558 | ||
559 | MAC_CHECK(socket_check_create, cred, domain, type, protocol); | |
560 | return (error); | |
561 | } | |
562 | ||
563 | #if CONFIG_MACF_SOCKET && CONFIG_MACF_NET | |
564 | int | |
565 | mac_socket_check_deliver(struct socket *so, struct mbuf *mbuf) | |
566 | { | |
567 | struct label *label; | |
568 | int error; | |
569 | ||
570 | #if SECURITY_MAC_CHECK_ENFORCE | |
571 | /* 21167099 - only check if we allow write */ | |
572 | if (!mac_socket_enforce) | |
573 | return 0; | |
574 | #endif | |
575 | ||
576 | label = mac_mbuf_to_label(mbuf); | |
577 | ||
578 | /* Policy must deal with NULL label (unlabeled mbufs) */ | |
579 | MAC_CHECK(socket_check_deliver, | |
580 | (socket_t)so, so->so_label, mbuf, label); | |
581 | return (error); | |
582 | } | |
583 | #else | |
584 | int | |
585 | mac_socket_check_deliver(__unused struct socket *so, __unused struct mbuf *mbuf) | |
586 | { | |
587 | return (0); | |
588 | } | |
589 | #endif | |
590 | ||
591 | int | |
592 | mac_socket_check_ioctl(kauth_cred_t cred, struct socket *so, | |
593 | unsigned int cmd) | |
594 | { | |
595 | int error; | |
596 | ||
597 | #if SECURITY_MAC_CHECK_ENFORCE | |
598 | /* 21167099 - only check if we allow write */ | |
599 | if (!mac_socket_enforce) | |
600 | return 0; | |
601 | #endif | |
602 | ||
603 | MAC_CHECK(socket_check_ioctl, cred, | |
604 | (socket_t)so, cmd, so->so_label); | |
605 | return (error); | |
606 | } | |
607 | ||
608 | int | |
609 | mac_socket_check_stat(kauth_cred_t cred, struct socket *so) | |
610 | { | |
611 | int error; | |
612 | ||
613 | #if SECURITY_MAC_CHECK_ENFORCE | |
614 | /* 21167099 - only check if we allow write */ | |
615 | if (!mac_socket_enforce) | |
616 | return 0; | |
617 | #endif | |
618 | ||
619 | MAC_CHECK(socket_check_stat, cred, | |
620 | (socket_t)so, so->so_label); | |
621 | return (error); | |
622 | } | |
623 | ||
624 | int | |
625 | mac_socket_check_listen(kauth_cred_t cred, struct socket *so) | |
626 | { | |
627 | int error; | |
628 | ||
629 | #if SECURITY_MAC_CHECK_ENFORCE | |
630 | /* 21167099 - only check if we allow write */ | |
631 | if (!mac_socket_enforce) | |
632 | return 0; | |
633 | #endif | |
634 | ||
635 | MAC_CHECK(socket_check_listen, cred, | |
636 | (socket_t)so, so->so_label); | |
637 | return (error); | |
638 | } | |
639 | ||
640 | int | |
641 | mac_socket_check_receive(kauth_cred_t cred, struct socket *so) | |
642 | { | |
643 | int error; | |
644 | ||
645 | #if SECURITY_MAC_CHECK_ENFORCE | |
646 | /* 21167099 - only check if we allow write */ | |
647 | if (!mac_socket_enforce) | |
648 | return 0; | |
649 | #endif | |
650 | ||
651 | MAC_CHECK(socket_check_receive, cred, | |
652 | (socket_t)so, so->so_label); | |
653 | return (error); | |
654 | } | |
655 | ||
656 | int | |
657 | mac_socket_check_received(kauth_cred_t cred, struct socket *so, struct sockaddr *saddr) | |
658 | { | |
659 | int error; | |
660 | ||
661 | #if SECURITY_MAC_CHECK_ENFORCE | |
662 | /* 21167099 - only check if we allow write */ | |
663 | if (!mac_socket_enforce) | |
664 | return 0; | |
665 | #endif | |
666 | ||
667 | MAC_CHECK(socket_check_received, cred, | |
668 | so, so->so_label, saddr); | |
669 | return (error); | |
670 | } | |
671 | ||
672 | int | |
673 | mac_socket_check_send(kauth_cred_t cred, struct socket *so, | |
674 | struct sockaddr *sockaddr) | |
675 | { | |
676 | int error; | |
677 | ||
678 | #if SECURITY_MAC_CHECK_ENFORCE | |
679 | /* 21167099 - only check if we allow write */ | |
680 | if (!mac_socket_enforce) | |
681 | return 0; | |
682 | #endif | |
683 | ||
684 | MAC_CHECK(socket_check_send, cred, | |
685 | (socket_t)so, so->so_label, sockaddr); | |
686 | return (error); | |
687 | } | |
688 | ||
689 | int | |
690 | mac_socket_check_setsockopt(kauth_cred_t cred, struct socket *so, | |
691 | struct sockopt *sopt) | |
692 | { | |
693 | int error; | |
694 | ||
695 | #if SECURITY_MAC_CHECK_ENFORCE | |
696 | /* 21167099 - only check if we allow write */ | |
697 | if (!mac_socket_enforce) | |
698 | return 0; | |
699 | #endif | |
700 | ||
701 | MAC_CHECK(socket_check_setsockopt, cred, | |
702 | (socket_t)so, so->so_label, sopt); | |
703 | return (error); | |
704 | } | |
705 | ||
706 | int mac_socket_check_getsockopt(kauth_cred_t cred, struct socket *so, | |
707 | struct sockopt *sopt) | |
708 | { | |
709 | int error; | |
710 | ||
711 | #if SECURITY_MAC_CHECK_ENFORCE | |
712 | /* 21167099 - only check if we allow write */ | |
713 | if (!mac_socket_enforce) | |
714 | return 0; | |
715 | #endif | |
716 | ||
717 | MAC_CHECK(socket_check_getsockopt, cred, | |
718 | (socket_t)so, so->so_label, sopt); | |
719 | return (error); | |
720 | } |