void
mac_socket_label_associate(struct ucred *cred, struct socket *so)
{
- if (!mac_socket_enforce)
- return;
+#if SECURITY_MAC_CHECK_ENFORCE
+ /* 21167099 - only check if we allow write */
+ if (!mac_socket_enforce)
+ return;
+#endif
MAC_PERFORM(socket_label_associate, cred,
(socket_t)so, so->so_label);
mac_socket_label_associate_accept(struct socket *oldsocket,
struct socket *newsocket)
{
- if (!mac_socket_enforce)
- return;
+#if SECURITY_MAC_CHECK_ENFORCE
+ /* 21167099 - only check if we allow write */
+ if (!mac_socket_enforce)
+ return;
+#endif
MAC_PERFORM(socket_label_associate_accept,
(socket_t)oldsocket, oldsocket->so_label,
{
struct label *label;
- if (!mac_socket_enforce && !mac_net_enforce)
- return;
+#if SECURITY_MAC_CHECK_ENFORCE
+ /* 21167099 - only check if we allow write */
+ if (!mac_socket_enforce && !mac_net_enforce)
+ return;
+#endif
label = mac_mbuf_to_label(mbuf);
mac_socketpeer_label_associate_socket(struct socket *oldsocket,
struct socket *newsocket)
{
- if (!mac_socket_enforce)
- return;
+#if SECURITY_MAC_CHECK_ENFORCE
+ /* 21167099 - only check if we allow write */
+ if (!mac_socket_enforce)
+ return;
+#endif
MAC_PERFORM(socketpeer_label_associate_socket,
(socket_t)oldsocket, oldsocket->so_label,
{
int error;
- if (!mac_socket_enforce)
- return 0;
+#if SECURITY_MAC_CHECK_ENFORCE
+ /* 21167099 - only check if we allow write */
+ if (!mac_socket_enforce)
+ return 0;
+#endif
MAC_CHECK(socket_check_kqfilter, cred, kn,
(socket_t)so, so->so_label);
{
int error;
- if (!mac_socket_enforce)
- return 0;
+#if SECURITY_MAC_CHECK_ENFORCE
+ /* 21167099 - only check if we allow write */
+ if (!mac_socket_enforce)
+ return 0;
+#endif
MAC_CHECK(socket_check_label_update, cred,
(socket_t)so, so->so_label,
{
int error;
- if (!mac_socket_enforce)
- return 0;
+#if SECURITY_MAC_CHECK_ENFORCE
+ /* 21167099 - only check if we allow write */
+ if (!mac_socket_enforce)
+ return 0;
+#endif
MAC_CHECK(socket_check_select, cred,
(socket_t)so, so->so_label, which);
{
int error;
- if (!mac_socket_enforce)
- return 0;
+#if SECURITY_MAC_CHECK_ENFORCE
+ /* 21167099 - only check if we allow write */
+ if (!mac_socket_enforce)
+ return 0;
+#endif
MAC_CHECK(socket_check_stat, cred,
(socket_t)so, so->so_label);
{
int error;
#if 0
- if (!mac_socket_enforce)
- return;
+#if SECURITY_MAC_CHECK_ENFORCE
+ /* 21167099 - only check if we allow write */
+ if (!mac_socket_enforce)
+ return 0;
+#endif
#endif
error = mac_socket_check_label_update(cred, so, label);
if (error)
{
int error;
- if (!mac_socket_enforce)
- return 0;
+#if SECURITY_MAC_CHECK_ENFORCE
+ /* 21167099 - only check if we allow write */
+ if (!mac_socket_enforce)
+ return 0;
+#endif
MAC_CHECK(socket_check_accept, cred,
(socket_t)so, so->so_label);
return (error);
}
+#if CONFIG_MACF_SOCKET_SUBSET
int
mac_socket_check_accepted(kauth_cred_t cred, struct socket *so)
{
struct sockaddr *sockaddr;
int error;
- if (!mac_socket_enforce)
- return 0;
+#if SECURITY_MAC_CHECK_ENFORCE
+ /* 21167099 - only check if we allow write */
+ if (!mac_socket_enforce)
+ return 0;
+#endif
if (sock_getaddr((socket_t)so, &sockaddr, 1) != 0) {
error = ECONNABORTED;
}
return (error);
}
+#endif
int
mac_socket_check_bind(kauth_cred_t ucred, struct socket *so,
{
int error;
- if (!mac_socket_enforce)
- return 0;
+#if SECURITY_MAC_CHECK_ENFORCE
+ /* 21167099 - only check if we allow write */
+ if (!mac_socket_enforce)
+ return 0;
+#endif
MAC_CHECK(socket_check_bind, ucred,
(socket_t)so, so->so_label, sockaddr);
{
int error;
- if (!mac_socket_enforce)
- return 0;
+#if SECURITY_MAC_CHECK_ENFORCE
+ /* 21167099 - only check if we allow write */
+ if (!mac_socket_enforce)
+ return 0;
+#endif
MAC_CHECK(socket_check_connect, cred,
(socket_t)so, so->so_label,
{
int error;
- if (!mac_socket_enforce)
- return 0;
+#if SECURITY_MAC_CHECK_ENFORCE
+ /* 21167099 - only check if we allow write */
+ if (!mac_socket_enforce)
+ return 0;
+#endif
MAC_CHECK(socket_check_create, cred, domain, type, protocol);
return (error);
struct label *label;
int error;
- if (!mac_socket_enforce)
- return 0;
+#if SECURITY_MAC_CHECK_ENFORCE
+ /* 21167099 - only check if we allow write */
+ if (!mac_socket_enforce)
+ return 0;
+#endif
label = mac_mbuf_to_label(mbuf);
{
int error;
- if (!mac_socket_enforce)
- return 0;
+#if SECURITY_MAC_CHECK_ENFORCE
+ /* 21167099 - only check if we allow write */
+ if (!mac_socket_enforce)
+ return 0;
+#endif
MAC_CHECK(socket_check_listen, cred,
(socket_t)so, so->so_label);
{
int error;
- if (!mac_socket_enforce)
- return 0;
+#if SECURITY_MAC_CHECK_ENFORCE
+ /* 21167099 - only check if we allow write */
+ if (!mac_socket_enforce)
+ return 0;
+#endif
MAC_CHECK(socket_check_receive, cred,
(socket_t)so, so->so_label);
{
int error;
- if (!mac_socket_enforce)
- return 0;
+#if SECURITY_MAC_CHECK_ENFORCE
+ /* 21167099 - only check if we allow write */
+ if (!mac_socket_enforce)
+ return 0;
+#endif
MAC_CHECK(socket_check_received, cred,
so, so->so_label, saddr);
{
int error;
- if (!mac_socket_enforce)
- return 0;
+#if SECURITY_MAC_CHECK_ENFORCE
+ /* 21167099 - only check if we allow write */
+ if (!mac_socket_enforce)
+ return 0;
+#endif
MAC_CHECK(socket_check_send, cred,
(socket_t)so, so->so_label, sockaddr);
{
int error;
- if (!mac_socket_enforce)
- return (0);
+#if SECURITY_MAC_CHECK_ENFORCE
+ /* 21167099 - only check if we allow write */
+ if (!mac_socket_enforce)
+ return 0;
+#endif
MAC_CHECK(socket_check_setsockopt, cred,
(socket_t)so, so->so_label, sopt);
{
int error;
- if (!mac_socket_enforce)
- return (0);
+#if SECURITY_MAC_CHECK_ENFORCE
+ /* 21167099 - only check if we allow write */
+ if (!mac_socket_enforce)
+ return 0;
+#endif
MAC_CHECK(socket_check_getsockopt, cred,
(socket_t)so, so->so_label, sopt);
projects / apple / xnu.git / blobdiff