Implement per-object type consistency checks for labels passed to

'internalize' operations rather than using a single common check. Obtained from: TrustedBSD Project
svn path=/head/; revision=173163
2024-12-17 10:26:15 +00:00 · 2007-10-30 00:01:28 +00:00 · 2007-10-30 00:01:28 +00:00 · 1876fb2118 · 2020-12-20 02:59:44 +00:00
commit 1876fb2118
parent c8b14fa8f0
1 changed files with 65 additions and 20 deletions
--- a/sys/security/mac_test/mac_test.c
+++ b/sys/security/mac_test/mac_test.c
@ -148,21 +148,6 @@ SYSCTL_NODE(_security_mac_test, OID_AUTO, counter, CTLFLAG_RW, 0,
 	    ("%s: destroyed label", __func__));				\
 } while (0)

-/*
- * Functions that span multiple entry points.
- */
-COUNTER_DECL(internalize_label);
-static int
-test_internalize_label(struct label *label, char *element_name,
-    char *element_data, int *claimed)
-{
-
-	LABEL_NOTFREE(label);
-	COUNTER_INC(internalize_label);
-
-	return (0);
-}
-
 /*
 * Object-specific entry point implementations are sorted alphabetically by
 * object type name and then by operation.
@ -284,6 +269,18 @@ test_cred_init_label(struct label *label)
 	COUNTER_INC(cred_init_label);
 }

+COUNTER_DECL(cred_internalize_label);
+static int
+test_cred_internalize_label(struct label *label, char *element_name,
+    char *element_data, int *claimed)
+{
+
+	LABEL_CHECK(label, MAGIC_CRED);
+	COUNTER_INC(cred_internalize_label);
+
+	return (0);
+}
+
 COUNTER_DECL(cred_relabel);
 static void
 test_cred_relabel(struct ucred *cred, struct label *newlabel)
@ -458,6 +455,18 @@ test_ifnet_init_label(struct label *label)
 	COUNTER_INC(ifnet_init_label);
 }

+COUNTER_DECL(ifnet_internalize_label);
+static int
+test_ifnet_internalize_label(struct label *label, char *element_name,
+    char *element_data, int *claimed)
+{
+
+	LABEL_CHECK(label, MAGIC_IFNET);
+	COUNTER_INC(ifnet_internalize_label);
+
+	return (0);
+}
+
 COUNTER_DECL(ifnet_relabel);
 static void
 test_ifnet_relabel(struct ucred *cred, struct ifnet *ifp,
@ -976,6 +985,18 @@ test_pipe_init_label(struct label *label)
 	COUNTER_INC(pipe_init_label);
 }

+COUNTER_DECL(pipe_internalize_label);
+static int
+test_pipe_internalize_label(struct label *label, char *element_name,
+    char *element_data, int *claimed)
+{
+
+	LABEL_CHECK(label, MAGIC_PIPE);
+	COUNTER_INC(pipe_internalize_label);
+
+	return (0);
+}
+
 COUNTER_DECL(pipe_relabel);
 static void
 test_pipe_relabel(struct ucred *cred, struct pipepair *pp,
@ -1527,6 +1548,18 @@ test_socket_init_label(struct label *label, int flag)
 	return (0);
 }

+COUNTER_DECL(socket_internalize_label);
+static int
+test_socket_internalize_label(struct label *label, char *element_name,
+    char *element_data, int *claimed)
+{
+
+	LABEL_CHECK(label, MAGIC_SOCKET);
+	COUNTER_INC(socket_internalize_label);
+
+	return (0);
+}
+
 COUNTER_DECL(socket_newconn);
 static void
 test_socket_newconn(struct socket *oldso, struct label *oldsolabel,
@ -2621,6 +2654,18 @@ test_vnode_init_label(struct label *label)
 	COUNTER_INC(vnode_init_label);
 }

+COUNTER_DECL(vnode_internalize_label);
+static int
+test_vnode_internalize_label(struct label *label, char *element_name,
+    char *element_data, int *claimed)
+{
+
+	LABEL_CHECK(label, MAGIC_VNODE);
+	COUNTER_INC(vnode_internalize_label);
+
+	return (0);
+}
+
 COUNTER_DECL(vnode_relabel);
 static void
 test_vnode_relabel(struct ucred *cred, struct vnode *vp,
@ -2661,7 +2706,7 @@ static struct mac_policy_ops test_ops =
 	.mpo_cred_destroy_label = test_cred_destroy_label,
 	.mpo_cred_externalize_label = test_cred_externalize_label,
 	.mpo_cred_init_label = test_cred_init_label,
-	.mpo_cred_internalize_label = test_internalize_label,
+	.mpo_cred_internalize_label = test_cred_internalize_label,
 	.mpo_cred_relabel = test_cred_relabel,

 	.mpo_devfs_create_device = test_devfs_create_device,
@ -2680,7 +2725,7 @@ static struct mac_policy_ops test_ops =
 	.mpo_ifnet_destroy_label = test_ifnet_destroy_label,
 	.mpo_ifnet_externalize_label = test_ifnet_externalize_label,
 	.mpo_ifnet_init_label = test_ifnet_init_label,
-	.mpo_ifnet_internalize_label = test_internalize_label,
+	.mpo_ifnet_internalize_label = test_ifnet_internalize_label,
 	.mpo_ifnet_relabel = test_ifnet_relabel,

 	.mpo_syncache_destroy_label = test_syncache_destroy_label,
@ -2751,7 +2796,7 @@ static struct mac_policy_ops test_ops =
 	.mpo_pipe_destroy_label = test_pipe_destroy_label,
 	.mpo_pipe_externalize_label = test_pipe_externalize_label,
 	.mpo_pipe_init_label = test_pipe_init_label,
-	.mpo_pipe_internalize_label = test_internalize_label,
+	.mpo_pipe_internalize_label = test_pipe_internalize_label,
 	.mpo_pipe_relabel = test_pipe_relabel,

 	.mpo_posixsem_check_destroy = test_posixsem_check_destroy,
@ -2802,7 +2847,7 @@ static struct mac_policy_ops test_ops =
 	.mpo_socket_destroy_label = test_socket_destroy_label,
 	.mpo_socket_externalize_label = test_socket_externalize_label,
 	.mpo_socket_init_label = test_socket_init_label,
-	.mpo_socket_internalize_label = test_internalize_label,
+	.mpo_socket_internalize_label = test_socket_internalize_label,
 	.mpo_socket_newconn = test_socket_newconn,
 	.mpo_socket_relabel = test_socket_relabel,

@ -2892,7 +2937,7 @@ static struct mac_policy_ops test_ops =
 	.mpo_vnode_execve_will_transition = test_vnode_execve_will_transition,
 	.mpo_vnode_externalize_label = test_vnode_externalize_label,
 	.mpo_vnode_init_label = test_vnode_init_label,
-	.mpo_vnode_internalize_label = test_internalize_label,
+	.mpo_vnode_internalize_label = test_vnode_internalize_label,
 	.mpo_vnode_relabel = test_vnode_relabel,
 	.mpo_vnode_setlabel_extattr = test_vnode_setlabel_extattr,
 };