X-Git-Url: https://git.saurik.com/apple/xnu.git/blobdiff_plain/2d21ac55c334faf3a56e5634905ed6987fc787d4..7e41aa883dd258f888d0470250eead40a53ef1f5:/security/mac_socket.c
diff --git a/security/mac_socket.c b/security/mac_socket.c
index bd35170ee..2151c0915 100644
--- a/security/mac_socket.c
+++ b/security/mac_socket.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2007 Apple Inc. All rights reserved.
+ * Copyright (c) 2007-2012 Apple Inc. All rights reserved.
 *
 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
 *
@@ -82,12 +82,6 @@
 #include
 #include
-#include
-#include
-
-#include
-#include
-
 #include
 #if CONFIG_MACF_SOCKET
@@ -219,8 +213,11 @@ mac_socket_label_internalize(struct label *label, char *string)
 void
 mac_socket_label_associate(struct ucred *cred, struct socket *so)
 {
- if (!mac_socket_enforce)
- return;
+#if SECURITY_MAC_CHECK_ENFORCE
+ /* 21167099 - only check if we allow write */
+ if (!mac_socket_enforce)
+ return;
+#endif
 MAC_PERFORM(socket_label_associate, cred, (socket_t)so, so->so_label);
@@ -230,8 +227,11 @@ void
 mac_socket_label_associate_accept(struct socket *oldsocket, struct socket *newsocket)
 {
- if (!mac_socket_enforce)
- return;
+#if SECURITY_MAC_CHECK_ENFORCE
+ /* 21167099 - only check if we allow write */
+ if (!mac_socket_enforce)
+ return;
+#endif
 MAC_PERFORM(socket_label_associate_accept, (socket_t)oldsocket, oldsocket->so_label,
@@ -244,8 +244,11 @@ mac_socketpeer_label_associate_mbuf(struct mbuf *mbuf, struct socket *so)
 {
 struct label *label;
- if (!mac_socket_enforce && !mac_net_enforce)
- return;
+#if SECURITY_MAC_CHECK_ENFORCE
+ /* 21167099 - only check if we allow write */
+ if (!mac_socket_enforce && !mac_net_enforce)
+ return;
+#endif
 label = mac_mbuf_to_label(mbuf);
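Review bot: The five-line `#if SECURITY_MAC_CHECK_ENFORCE … #endif` gate added to mac_socket_label_associate is pasted verbatim into every other hunk of this file (associate_accept, socketpeer_label_associate_mbuf, socketpeer_label_associate_socket and each mac_socket_check_* hook), and the comment `21167099 - only check if we allow write` describes none of what the gate does — it compiles the `mac_socket_enforce` knob out of the hook entirely when SECURITY_MAC_CHECK_ENFORCE is off, so toggling that knob at runtime then has no effect on socket hooks. One definition near the top of the file would carry the rationale once and keep every hook to the same two lines it had before; the mbuf hook, which also consults `mac_net_enforce`, would need its own variant. Whichever form is kept, the comment should say what the bug number refers to and what is being skipped, e.g. `/* <bug id>: the enforce knob is honoured only when SECURITY_MAC_CHECK_ENFORCE is set; otherwise every policy is always consulted */`. The bodies of the MAC_PERFORM calls continue past the hunks.
```c
/* Honour the mac_socket_enforce knob only in builds that compile the
 * SECURITY_MAC_CHECK_ENFORCE gate; otherwise policies are always consulted. */
#if SECURITY_MAC_CHECK_ENFORCE
#define MAC_SOCKET_ENFORCED() (mac_socket_enforce)
#else
#define MAC_SOCKET_ENFORCED() (1)
#endif
/* … unchanged: each hook then reads `if (!MAC_SOCKET_ENFORCED()) return 0;` (or `return;`) … */
```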
@@ -266,8 +269,11 @@ void
 mac_socketpeer_label_associate_socket(struct socket *oldsocket, struct socket *newsocket)
 {
- if (!mac_socket_enforce)
- return;
+#if SECURITY_MAC_CHECK_ENFORCE
+ /* 21167099 - only check if we allow write */
+ if (!mac_socket_enforce)
+ return;
+#endif
 MAC_PERFORM(socketpeer_label_associate_socket, (socket_t)oldsocket, oldsocket->so_label,
@@ -280,8 +286,11 @@ mac_socket_check_kqfilter(kauth_cred_t cred, struct knote *kn,
 {
 int error;
- if (!mac_socket_enforce)
- return 0;
+#if SECURITY_MAC_CHECK_ENFORCE
+ /* 21167099 - only check if we allow write */
+ if (!mac_socket_enforce)
+ return 0;
+#endif
 MAC_CHECK(socket_check_kqfilter, cred, kn, (socket_t)so, so->so_label);
@@ -294,8 +303,11 @@ mac_socket_check_label_update(kauth_cred_t cred, struct socket *so,
 {
 int error;
- if (!mac_socket_enforce)
- return 0;
+#if SECURITY_MAC_CHECK_ENFORCE
+ /* 21167099 - only check if we allow write */
+ if (!mac_socket_enforce)
+ return 0;
+#endif
 MAC_CHECK(socket_check_label_update, cred, (socket_t)so, so->so_label,
@@ -308,8 +320,11 @@ mac_socket_check_select(kauth_cred_t cred, struct socket *so, int which)
 {
 int error;
- if (!mac_socket_enforce)
- return 0;
+#if SECURITY_MAC_CHECK_ENFORCE
+ /* 21167099 - only check if we allow write */
+ if (!mac_socket_enforce)
+ return 0;
+#endif
 MAC_CHECK(socket_check_select, cred, (socket_t)so, so->so_label, which);
@@ -321,8 +336,11 @@ mac_socket_check_stat(kauth_cred_t cred, struct socket *so)
 {
 int error;
- if (!mac_socket_enforce)
- return 0;
+#if SECURITY_MAC_CHECK_ENFORCE
+ /* 21167099 - only check if we allow write */
+ if (!mac_socket_enforce)
+ return 0;
+#endif
 MAC_CHECK(socket_check_stat, cred, (socket_t)so, so->so_label);
@@ -335,8 +353,11 @@ mac_socket_label_update(kauth_cred_t cred, struct socket *so, struct label *labe
 {
 int error;
 #if 0
- if (!mac_socket_enforce)
- return;
+#if SECURITY_MAC_CHECK_ENFORCE
+ /* 21167099 - only check if we allow write */
+ if (!mac_socket_enforce)
+ return 0;
+#endif
 #endif
 error = mac_socket_check_label_update(cred, so, label);
 if (error)
@@ -470,22 +491,29 @@ mac_socket_check_accept(kauth_cred_t cred, struct socket *so)
 {
 int error;
- if (!mac_socket_enforce)
- return 0;
+#if SECURITY_MAC_CHECK_ENFORCE
+ /* 21167099 - only check if we allow write */
+ if (!mac_socket_enforce)
+ return 0;
+#endif
 MAC_CHECK(socket_check_accept, cred, (socket_t)so, so->so_label);
 return (error);
 }
+#if CONFIG_MACF_SOCKET_SUBSET
 int
 mac_socket_check_accepted(kauth_cred_t cred, struct socket *so)
 {
 struct sockaddr *sockaddr;
 int error;
- if (!mac_socket_enforce)
- return 0;
+#if SECURITY_MAC_CHECK_ENFORCE
+ /* 21167099 - only check if we allow write */
+ if (!mac_socket_enforce)
+ return 0;
+#endif
 if (sock_getaddr((socket_t)so, &sockaddr, 1) != 0) {
 error = ECONNABORTED;
@@ -496,6 +524,7 @@ mac_socket_check_accepted(kauth_cred_t cred, struct socket *so)
 }
 return (error);
 }
+#endif
 int
 mac_socket_check_bind(kauth_cred_t ucred, struct socket *so,
@@ -503,8 +532,11 @@ mac_socket_check_bind(kauth_cred_t ucred, struct socket *so,
 {
 int error;
- if (!mac_socket_enforce)
- return 0;
+#if SECURITY_MAC_CHECK_ENFORCE
+ /* 21167099 - only check if we allow write */
+ if (!mac_socket_enforce)
+ return 0;
+#endif
 MAC_CHECK(socket_check_bind, ucred, (socket_t)so, so->so_label, sockaddr);
@@ -517,8 +549,11 @@ mac_socket_check_connect(kauth_cred_t cred, struct socket *so,
 {
 int error;
- if (!mac_socket_enforce)
- return 0;
+#if SECURITY_MAC_CHECK_ENFORCE
+ /* 21167099 - only check if we allow write */
+ if (!mac_socket_enforce)
+ return 0;
+#endif
 MAC_CHECK(socket_check_connect, cred, (socket_t)so, so->so_label,
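Review bot: In mac_socket_label_update the new `#if SECURITY_MAC_CHECK_ENFORCE` gate is written inside an existing `#if 0 … #endif`, so the hunk rewrites code that is never compiled — including changing its `return;` to `return 0;` — instead of deleting it. Dead preprocessor blocks that are kept current look intentional to the next reader and hide that this hook deliberately has no enforce short-circuit. I would drop the whole `#if 0` block and state the intent on the live line: `/* no enforce gate here: the label-update check below must always run */` before `error = mac_socket_check_label_update(cred, so, label);`. The rest of the function lies outside the hunk.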
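Review bot: mac_socket_check_accepted is now compiled only under CONFIG_MACF_SOCKET_SUBSET (its `#endif` lands in the following hunk), while mac_socket_check_accept directly above it stays unconditional, and nothing in the hunk says why only this hook moves. Its prototype and its call site are not visible here; if they are not guarded the same way, builds with that option off will fail to link rather than silently skip the check, which is the safer failure but still worth a sentence. A one-line comment on the new `#if` giving the reason would do, e.g. `/* needs sock_getaddr(), which is only built with the socket subset — TODO confirm */` if that is indeed the dependency. The function's sock_getaddr error path continues past the hunk.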
@@ -531,8 +566,11 @@ mac_socket_check_create(kauth_cred_t cred, int domain, int type, int protocol)
 {
 int error;
- if (!mac_socket_enforce)
- return 0;
+#if SECURITY_MAC_CHECK_ENFORCE
+ /* 21167099 - only check if we allow write */
+ if (!mac_socket_enforce)
+ return 0;
+#endif
 MAC_CHECK(socket_check_create, cred, domain, type, protocol);
 return (error);
@@ -545,8 +583,11 @@ mac_socket_check_deliver(struct socket *so, struct mbuf *mbuf)
 struct label *label;
 int error;
- if (!mac_socket_enforce)
- return 0;
+#if SECURITY_MAC_CHECK_ENFORCE
+ /* 21167099 - only check if we allow write */
+ if (!mac_socket_enforce)
+ return 0;
+#endif
 label = mac_mbuf_to_label(mbuf);
@@ -568,8 +609,11 @@ mac_socket_check_listen(kauth_cred_t cred, struct socket *so)
 {
 int error;
- if (!mac_socket_enforce)
- return 0;
+#if SECURITY_MAC_CHECK_ENFORCE
+ /* 21167099 - only check if we allow write */
+ if (!mac_socket_enforce)
+ return 0;
+#endif
 MAC_CHECK(socket_check_listen, cred, (socket_t)so, so->so_label);
@@ -581,8 +625,11 @@ mac_socket_check_receive(kauth_cred_t cred, struct socket *so)
 {
 int error;
- if (!mac_socket_enforce)
- return 0;
+#if SECURITY_MAC_CHECK_ENFORCE
+ /* 21167099 - only check if we allow write */
+ if (!mac_socket_enforce)
+ return 0;
+#endif
 MAC_CHECK(socket_check_receive, cred, (socket_t)so, so->so_label);
@@ -594,11 +641,14 @@ mac_socket_check_received(kauth_cred_t cred, struct socket *so, struct sockaddr
 {
 int error;
- if (!mac_socket_enforce)
- return 0;
-
+#if SECURITY_MAC_CHECK_ENFORCE
+ /* 21167099 - only check if we allow write */
+ if (!mac_socket_enforce)
+ return 0;
+#endif
+
 MAC_CHECK(socket_check_received, cred,
- (socket_t)so, so->so_label, saddr);
+ so, so->so_label, saddr);
 return (error);
 }
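Review bot: mac_socket_check_received is the only hook in this file that now passes the bare `struct socket *` to MAC_CHECK (`so, so->so_label, saddr`), while every neighbouring hunk keeps `(socket_t)so`; the change is unexplained and unrelated to the enforce gate the commit is about. If `socket_t` is an opaque alias of a different pointer type in the policy-facing headers this line is the one that will warn or fail to build; if it is the same type, the remaining casts are redundant and should go together in a separate change. Either way the call should match its siblings here, `(socket_t)so, so->so_label, saddr);`, or carry a comment saying why this entry point differs.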
@@ -608,8 +658,11 @@ mac_socket_check_send(kauth_cred_t cred, struct socket *so,
 {
 int error;
- if (!mac_socket_enforce)
- return 0;
+#if SECURITY_MAC_CHECK_ENFORCE
+ /* 21167099 - only check if we allow write */
+ if (!mac_socket_enforce)
+ return 0;
+#endif
 MAC_CHECK(socket_check_send, cred, (socket_t)so, so->so_label, sockaddr);
@@ -622,8 +675,11 @@ mac_socket_check_setsockopt(kauth_cred_t cred, struct socket *so,
 {
 int error;
- if (!mac_socket_enforce)
- return (0);
+#if SECURITY_MAC_CHECK_ENFORCE
+ /* 21167099 - only check if we allow write */
+ if (!mac_socket_enforce)
+ return 0;
+#endif
 MAC_CHECK(socket_check_setsockopt, cred, (socket_t)so, so->so_label, sopt);
@@ -635,8 +691,11 @@ int mac_socket_check_getsockopt(kauth_cred_t cred, struct socket *so,
 {
 int error;
- if (!mac_socket_enforce)
- return (0);
+#if SECURITY_MAC_CHECK_ENFORCE
+ /* 21167099 - only check if we allow write */
+ if (!mac_socket_enforce)
+ return 0;
+#endif
 MAC_CHECK(socket_check_getsockopt, cred, (socket_t)so, so->so_label, sopt);