1 | /* |
2 | * Copyright (c) 2007-2012 Apple Inc. All rights reserved. |
3 | * |
4 | * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ |
5 | * |
6 | * This file contains Original Code and/or Modifications of Original Code |
7 | * as defined in and that are subject to the Apple Public Source License |
8 | * Version 2.0 (the 'License'). You may not use this file except in |
9 | * compliance with the License. The rights granted to you under the License |
10 | * may not be used to create, or enable the creation or redistribution of, |
11 | * unlawful or unlicensed copies of an Apple operating system, or to |
12 | * circumvent, violate, or enable the circumvention or violation of, any |
13 | * terms of an Apple operating system software license agreement. |
14 | * |
15 | * Please obtain a copy of the License at |
16 | * http://www.opensource.apple.com/apsl/ and read it before using this file. |
17 | * |
18 | * The Original Code and all software distributed under the License are |
19 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
20 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
21 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
22 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
23 | * Please see the License for the specific language governing rights and |
24 | * limitations under the License. |
25 | * |
26 | * @APPLE_OSREFERENCE_LICENSE_HEADER_END@ |
27 | */ |
28 | /*- |
29 | * Copyright (c) 1999-2002 Robert N. M. Watson |
30 | * Copyright (c) 2001 Ilmar S. Habibulin |
31 | * Copyright (c) 2001-2005 Networks Associates Technology, Inc. |
32 | * Copyright (c) 2005 SPARTA, Inc. |
33 | * All rights reserved. |
34 | * |
35 | * This software was developed by Robert Watson and Ilmar Habibulin for the |
36 | * TrustedBSD Project. |
37 | * |
38 | * This software was developed for the FreeBSD Project in part by McAfee |
39 | * Research, the Technology Research Division of Network Associates, Inc. |
40 | * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the |
41 | * DARPA CHATS research program. |
42 | * |
43 | * This software was enhanced by SPARTA ISSO under SPAWAR contract |
44 | * N66001-04-C-6019 ("SEFOS"). |
45 | * |
46 | * Redistribution and use in source and binary forms, with or without |
47 | * modification, are permitted provided that the following conditions |
48 | * are met: |
49 | * 1. Redistributions of source code must retain the above copyright |
50 | * notice, this list of conditions and the following disclaimer. |
51 | * 2. Redistributions in binary form must reproduce the above copyright |
52 | * notice, this list of conditions and the following disclaimer in the |
53 | * documentation and/or other materials provided with the distribution. |
54 | * |
55 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND |
56 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
57 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
58 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE |
59 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
60 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
61 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
62 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
63 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
64 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
65 | * SUCH DAMAGE. |
66 | */ |
67 | |
68 | #include <sys/cdefs.h> |
69 | |
70 | #include <sys/param.h> |
71 | #include <sys/kernel.h> |
72 | #include <sys/lock.h> |
73 | #include <sys/malloc.h> |
74 | #include <sys/sbuf.h> |
75 | #include <sys/systm.h> |
76 | #include <sys/mount.h> |
77 | #include <sys/file.h> |
78 | #include <sys/namei.h> |
79 | #include <sys/protosw.h> |
80 | #include <sys/socket.h> |
81 | #include <sys/socketvar.h> |
82 | #include <sys/sysctl.h> |
83 | #include <sys/kpi_socket.h> |
84 | |
85 | #include <security/mac_internal.h> |
86 | |
87 | #if CONFIG_MACF_SOCKET |
/*
 * Allocate a socket label and let every policy initialise it.
 *
 * flag is forwarded to mac_labelzone_alloc() and to the policies'
 * socket_label_init entry points (MAC_CHECK leaves their verdict in `error`).
 *
 * Returns the new label, or NULL when either the zone allocation or the
 * policy initialisation fails.  In the second case socket_label_destroy is
 * run before the zone memory is released, so the policies can undo whatever
 * state they may already have attached.
 */
struct label *
mac_socket_label_alloc(int flag)
{
	struct label *label = mac_labelzone_alloc(flag);
	int error;

	if (!label) {
		return NULL;
	}

	MAC_CHECK(socket_label_init, label, flag);
	if (error == 0) {
		return label;
	}

	/* A policy rejected the label: tear it down again and report failure. */
	MAC_PERFORM(socket_label_destroy, label);
	mac_labelzone_free(label);
	return NULL;
}
107 | |
/*
 * Allocate a peer label for a socket and let every policy initialise it.
 *
 * Mirrors mac_socket_label_alloc() but drives the socketpeer_label_init /
 * socketpeer_label_destroy entry points instead of the socket ones.
 *
 * Returns the new label, or NULL if the zone allocation failed or a policy
 * refused the label (the partially initialised label is destroyed first).
 */
static struct label *
mac_socket_peer_label_alloc(int flag)
{
	struct label *label = mac_labelzone_alloc(flag);
	int error;

	if (!label) {
		return NULL;
	}

	MAC_CHECK(socketpeer_label_init, label, flag);
	if (error == 0) {
		return label;
	}

	/* Initialisation failed part-way: unwind policy state, then free. */
	MAC_PERFORM(socketpeer_label_destroy, label);
	mac_labelzone_free(label);
	return NULL;
}
127 | |
/*
 * Give socket so its own label (so_label) and a peer label (so_peerlabel).
 *
 * Returns 0 on success or ENOMEM if either allocation fails.  On failure
 * so_label is NULL: a label already attached is released again so the
 * socket never carries a half-initialised pair.
 */
int
mac_socket_label_init(struct socket *so, int flag)
{
	so->so_label = mac_socket_label_alloc(flag);
	if (so->so_label == NULL) {
		return ENOMEM;
	}

	so->so_peerlabel = mac_socket_peer_label_alloc(flag);
	if (so->so_peerlabel != NULL) {
		return 0;
	}

	/* Peer label failed: hand back the socket label allocated above. */
	mac_socket_label_free(so->so_label);
	so->so_label = NULL;
	return ENOMEM;
}
143 | |
/*
 * Destroy a socket label: run every policy's socket_label_destroy hook and
 * then return the memory to the label zone.  The caller must not use label
 * afterwards.
 */
void
mac_socket_label_free(struct label *label)
{
	/* Policies first, so they can release state keyed on the label. */
	MAC_PERFORM(socket_label_destroy, label);
	mac_labelzone_free(label);
}
151 | |
/*
 * Destroy a socket peer label: policies get socketpeer_label_destroy, then
 * the zone memory is released.  Counterpart of mac_socket_peer_label_alloc().
 */
static void
mac_socket_peer_label_free(struct label *label)
{
	/* Policies first, so they can release state keyed on the label. */
	MAC_PERFORM(socketpeer_label_destroy, label);
	mac_labelzone_free(label);
}
159 | |
/*
 * Release both labels attached to so, if present, and clear the fields so a
 * later caller cannot reach a freed label through the socket.  Safe to call
 * on a socket whose labels were never initialised (both fields NULL).
 */
void
mac_socket_label_destroy(struct socket *so)
{
	struct label *own = so->so_label;
	struct label *peer = so->so_peerlabel;

	if (own != NULL) {
		mac_socket_label_free(own);
		so->so_label = NULL;
	}
	if (peer != NULL) {
		mac_socket_peer_label_free(peer);
		so->so_peerlabel = NULL;
	}
}
173 | |
/*
 * Ask every policy to copy its portion of src into dest (socket_label_copy).
 * Both labels must already be allocated; this does no allocation itself.
 */
void
mac_socket_label_copy(struct label *src, struct label *dest)
{
	MAC_PERFORM(socket_label_copy, src, dest);
}
180 | |
/*
 * Render label as text into outbuf (at most outbuflen bytes) for the policy
 * elements named in `elements`.  Thin wrapper over MAC_EXTERNALIZE for the
 * socket label type; returns whatever it returns (0 on success).
 */
int
mac_socket_label_externalize(struct label *label, char *elements,
    char *outbuf, size_t outbuflen)
{
	return MAC_EXTERNALIZE(socket, label, elements, outbuf, outbuflen);
}
191 | |
/*
 * Render a socket *peer* label as text into outbuf (at most outbuflen bytes)
 * for the policy elements named in `elements`.  Same contract as
 * mac_socket_label_externalize(), but using the socketpeer label type.
 */
static int
mac_socketpeer_label_externalize(struct label *label, char *elements,
    char *outbuf, size_t outbuflen)
{
	return MAC_EXTERNALIZE(socketpeer, label, elements, outbuf, outbuflen);
}
202 | |
/*
 * Parse the textual label in `string` into label via MAC_INTERNALIZE for
 * the socket label type.  `string` typically originates in user space, so
 * the policies' parsers are the validation boundary; returns 0 or an error.
 */
int
mac_socket_label_internalize(struct label *label, char *string)
{
	return MAC_INTERNALIZE(socket, label, string);
}
212 | |
/*
 * Let policies derive so's label from the creating credential cred
 * (socket_label_associate).  When SECURITY_MAC_CHECK_ENFORCE is built in
 * and mac_socket_enforce is off, the hook is skipped entirely.
 */
void
mac_socket_label_associate(struct ucred *cred, struct socket *so)
{
#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099 - only check if we allow write */
	if (mac_socket_enforce == 0) {
		return;
	}
#endif

	MAC_PERFORM(socket_label_associate, cred, (socket_t)so, so->so_label);
}
225 | |
/*
 * Label a socket produced by accept(): policies see the listening socket
 * oldsocket and its label alongside the new socket newsocket and its label
 * (socket_label_associate_accept).  Skipped when enforcement is disabled
 * under SECURITY_MAC_CHECK_ENFORCE.
 */
void
mac_socket_label_associate_accept(struct socket *oldsocket,
    struct socket *newsocket)
{
#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099 - only check if we allow write */
	if (mac_socket_enforce == 0) {
		return;
	}
#endif

	MAC_PERFORM(socket_label_associate_accept,
	    (socket_t)oldsocket, oldsocket->so_label,
	    (socket_t)newsocket, newsocket->so_label);
}
240 | |
241 | #if CONFIG_MACF_SOCKET && CONFIG_MACF_NET |
/*
 * Derive so's peer label from the label carried by mbuf
 * (socketpeer_label_associate_mbuf).  The mbuf label may be NULL for
 * unlabeled mbufs; policies are expected to cope with that.  Skipped when
 * both socket and net enforcement are off under SECURITY_MAC_CHECK_ENFORCE.
 */
void
mac_socketpeer_label_associate_mbuf(struct mbuf *mbuf, struct socket *so)
{
#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099 - only check if we allow write */
	if (mac_socket_enforce == 0 && mac_net_enforce == 0) {
		return;
	}
#endif

	/* Policy must deal with NULL label (unlabeled mbufs) */
	struct label *mlabel = mac_mbuf_to_label(mbuf);

	MAC_PERFORM(socketpeer_label_associate_mbuf, mbuf, mlabel,
	    (socket_t)so, so->so_peerlabel);
}
259 | #else |
/*
 * Stub used when CONFIG_MACF_SOCKET and CONFIG_MACF_NET are not both
 * enabled: no mbuf labels exist, so there is nothing to associate.
 */
void
mac_socketpeer_label_associate_mbuf(__unused struct mbuf *mbuf,
    __unused struct socket *so)
{
	/* Intentionally empty. */
}
266 | #endif |
267 | |
/*
 * Set newsocket's peer label from oldsocket's own label
 * (socketpeer_label_associate_socket), e.g. when two local sockets are
 * joined.  Skipped when enforcement is disabled under
 * SECURITY_MAC_CHECK_ENFORCE.
 */
void
mac_socketpeer_label_associate_socket(struct socket *oldsocket,
    struct socket *newsocket)
{
#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099 - only check if we allow write */
	if (mac_socket_enforce == 0) {
		return;
	}
#endif

	MAC_PERFORM(socketpeer_label_associate_socket,
	    (socket_t)oldsocket, oldsocket->so_label,
	    (socket_t)newsocket, newsocket->so_peerlabel);
}
282 | |
/*
 * Access check: may cred attach knote kn to socket so?
 * Returns 0 to allow, otherwise the error chosen by the policies (MAC_CHECK
 * writes `error`).  Returns 0 without consulting policies when enforcement
 * is off under SECURITY_MAC_CHECK_ENFORCE.
 */
int
mac_socket_check_kqfilter(kauth_cred_t cred, struct knote *kn,
    struct socket *so)
{
	int error;

#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099 - only check if we allow write */
	if (mac_socket_enforce == 0) {
		return 0;
	}
#endif

	MAC_CHECK(socket_check_kqfilter, cred, kn, (socket_t)so, so->so_label);
	return error;
}
299 | |
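/*
 * Access check: may cred select()/poll() socket so for event set `which`?
 * Returns 0 to allow, otherwise the error chosen by the policies (MAC_CHECK
 * writes `error`).  Returns 0 without consulting policies when enforcement
 * is off under SECURITY_MAC_CHECK_ENFORCE.
 *
 * The definition previously carried two return-type specifiers
 * ("static int" followed by "int"), which is not valid C; this function is
 * a public hook and is declared with a single external "int".
 */
int
mac_socket_check_select(kauth_cred_t cred, struct socket *so, int which)
{
	int error;

#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099 - only check if we allow write */
	if (!mac_socket_enforce)
		return 0;
#endif

	MAC_CHECK(socket_check_select, cred,
	    (socket_t)so, so->so_label, which);
	return (error);
}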
316 | |
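/*
 * Access check: may cred replace so's label with newlabel?
 * Returns 0 to allow, otherwise the error chosen by the policies (MAC_CHECK
 * writes `error`).  Returns 0 without consulting policies when enforcement
 * is off under SECURITY_MAC_CHECK_ENFORCE.
 *
 * File-local helper; its only caller in this file is
 * mac_socket_label_update().  The definition was missing its return type
 * (implicit int is not valid C99), so "static int" is spelled out here.
 */
static int
mac_socket_check_label_update(kauth_cred_t cred, struct socket *so,
    struct label *newlabel)
{
	int error;

#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099 - only check if we allow write */
	if (!mac_socket_enforce)
		return 0;
#endif

	MAC_CHECK(socket_check_label_update, cred,
	    (socket_t)so, so->so_label,
	    newlabel);
	return (error);
}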
333 | |
/*
 * Replace so's label with `label` on behalf of cred.
 *
 * The policies are first asked whether the relabel is permitted
 * (mac_socket_check_label_update); only then is socket_label_update
 * performed.  Under CONFIG_MACF_NET the protocol layer is notified
 * afterwards so a cached pcb label can follow the socket.
 *
 * Note: the mac_socket_enforce gate lives in the check function, not here
 * (an inline copy of the gate in this function was disabled with "#if 0").
 *
 * Returns 0 on success or the error returned by the access check.
 */
int
mac_socket_label_update(kauth_cred_t cred, struct socket *so, struct label *label)
{
	int error = mac_socket_check_label_update(cred, so, label);

	if (error != 0) {
		return error;
	}

	MAC_PERFORM(socket_label_update, cred, (socket_t)so, so->so_label, label);

#if CONFIG_MACF_NET
	/*
	 * If the protocol has expressed interest in socket layer changes,
	 * such as if it needs to propagate changes to a cached pcb
	 * label from the socket, notify it of the label change while
	 * holding the socket lock.
	 * XXXMAC - are there cases when we should not do this?
	 */
	mac_inpcb_label_update(so);
#endif
	return 0;
}
364 | |
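/*
 * Apply a user-supplied textual label (struct mac from user space) to so.
 *
 * Flow: validate the struct mac, copy the string in (bounded by m_buflen),
 * parse it into a scratch label, and hand that to mac_socket_label_update(),
 * which performs the access check before relabeling.
 *
 * Returns 0 on success; an error from the consistency check, copyinstr(),
 * the internalizer or the update; or ENOMEM if the scratch label could not
 * be allocated.
 */
int
mac_setsockopt_label(kauth_cred_t cred, struct socket *so, struct mac *mac)
{
	struct label *intlabel;
	char *buffer;
	int error;
	size_t len;

	/* mac comes from user space: validate it before trusting m_buflen. */
	error = mac_check_structmac_consistent(mac);
	if (error)
		return (error);

	MALLOC(buffer, char *, mac->m_buflen, M_MACTEMP, M_WAITOK);
	error = copyinstr(CAST_USER_ADDR_T(mac->m_string), buffer,
	    mac->m_buflen, &len);
	if (error) {
		FREE(buffer, M_MACTEMP);
		return (error);
	}

	/*
	 * mac_socket_label_alloc() returns NULL when the zone allocation fails
	 * or a policy refuses to initialise the label; never pass that on to
	 * the internalizer.
	 */
	intlabel = mac_socket_label_alloc(MAC_WAITOK);
	if (intlabel == NULL) {
		FREE(buffer, M_MACTEMP);
		return (ENOMEM);
	}

	error = mac_socket_label_internalize(intlabel, buffer);
	FREE(buffer, M_MACTEMP);
	if (error)
		goto out;

	/* Access check happens inside mac_socket_label_update(). */
	error = mac_socket_label_update(cred, so, intlabel);
out:
	mac_socket_label_free(intlabel);
	return (error);
}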
396 | |
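/*
 * Externalize so's own label into the user buffer described by mac.
 *
 * The user string in mac->m_string is copied in first: it names the policy
 * elements to render.  so_label is copied into a scratch label before
 * externalization so the live label is never passed to the policies'
 * externalizers.  The rendered text is copied out over the same user
 * buffer; `buffer` is zero-filled (M_ZERO), so strlen() stops within
 * m_buflen as long as the externalizer leaves a NUL inside the buffer
 * (assumed, not verified here).
 *
 * Returns 0 on success; an error from the consistency check, copyinstr(),
 * the externalizer or copyout(); or ENOMEM if the scratch label could not
 * be allocated.
 */
int
mac_socket_label_get(__unused kauth_cred_t cred, struct socket *so,
    struct mac *mac)
{
	char *buffer, *elements;
	struct label *intlabel;
	int error;
	size_t len;

	/* mac comes from user space: validate it before trusting m_buflen. */
	error = mac_check_structmac_consistent(mac);
	if (error)
		return (error);

	MALLOC(elements, char *, mac->m_buflen, M_MACTEMP, M_WAITOK);
	error = copyinstr(CAST_USER_ADDR_T(mac->m_string), elements,
	    mac->m_buflen, &len);
	if (error) {
		FREE(elements, M_MACTEMP);
		return (error);
	}

	MALLOC(buffer, char *, mac->m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);

	/*
	 * mac_socket_label_alloc() can return NULL (zone failure or a policy
	 * refusing the label); mac_socket_label_copy() must not see that.
	 */
	intlabel = mac_socket_label_alloc(MAC_WAITOK);
	if (intlabel == NULL) {
		FREE(buffer, M_MACTEMP);
		FREE(elements, M_MACTEMP);
		return (ENOMEM);
	}

	mac_socket_label_copy(so->so_label, intlabel);
	error = mac_socket_label_externalize(intlabel, elements, buffer,
	    mac->m_buflen);
	mac_socket_label_free(intlabel);
	if (error == 0)
		error = copyout(buffer, CAST_USER_ADDR_T(mac->m_string),
		    strlen(buffer)+1);

	FREE(buffer, M_MACTEMP);
	FREE(elements, M_MACTEMP);

	return (error);
}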
433 | |
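/*
 * Externalize so's *peer* label into the user buffer described by mac.
 *
 * Same shape as mac_socket_label_get(): copy in the element list, snapshot
 * so_peerlabel into a scratch label, render it with the socketpeer
 * externalizer, copy the text back out.  `buffer` is zero-filled (M_ZERO),
 * so strlen() stays within m_buflen provided the externalizer leaves a NUL
 * inside the buffer (assumed, not verified here).
 *
 * Returns 0 on success; an error from the consistency check, copyinstr(),
 * the externalizer or copyout(); or ENOMEM if the scratch label could not
 * be allocated.
 */
int
mac_socketpeer_label_get(__unused kauth_cred_t cred, struct socket *so,
    struct mac *mac)
{
	char *elements, *buffer;
	struct label *intlabel;
	int error;
	size_t len;

	/* mac comes from user space: validate it before trusting m_buflen. */
	error = mac_check_structmac_consistent(mac);
	if (error)
		return (error);

	MALLOC(elements, char *, mac->m_buflen, M_MACTEMP, M_WAITOK);
	error = copyinstr(CAST_USER_ADDR_T(mac->m_string), elements,
	    mac->m_buflen, &len);
	if (error) {
		FREE(elements, M_MACTEMP);
		return (error);
	}

	MALLOC(buffer, char *, mac->m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);

	/*
	 * mac_socket_label_alloc() can return NULL (zone failure or a policy
	 * refusing the label); mac_socket_label_copy() must not see that.
	 */
	intlabel = mac_socket_label_alloc(MAC_WAITOK);
	if (intlabel == NULL) {
		FREE(buffer, M_MACTEMP);
		FREE(elements, M_MACTEMP);
		return (ENOMEM);
	}

	mac_socket_label_copy(so->so_peerlabel, intlabel);
	error = mac_socketpeer_label_externalize(intlabel, elements, buffer,
	    mac->m_buflen);
	mac_socket_label_free(intlabel);
	if (error == 0)
		error = copyout(buffer, CAST_USER_ADDR_T(mac->m_string),
		    strlen(buffer)+1);

	FREE(buffer, M_MACTEMP);
	FREE(elements, M_MACTEMP);

	return (error);
}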
470 | |
471 | #endif /* MAC_SOCKET */ |
472 | |
/*
 * Access check: may cred call accept() on listening socket so?
 * Returns 0 to allow, otherwise the error chosen by the policies (MAC_CHECK
 * writes `error`).  Returns 0 without consulting policies when enforcement
 * is off under SECURITY_MAC_CHECK_ENFORCE.
 */
int
mac_socket_check_accept(kauth_cred_t cred, struct socket *so)
{
	int error;

#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099 - only check if we allow write */
	if (mac_socket_enforce == 0) {
		return 0;
	}
#endif

	MAC_CHECK(socket_check_accept, cred, (socket_t)so, so->so_label);
	return error;
}
488 | |
489 | #if CONFIG_MACF_SOCKET_SUBSET |
/*
 * Access check on an already-accepted socket so, run once the peer address
 * is known so policies can decide based on who connected.
 *
 * Returns 0 to allow; ECONNABORTED if the peer address cannot be obtained
 * (sock_getaddr with its third argument set to 1 requests the peer name);
 * otherwise the error chosen by the policies.  Returns 0 without consulting
 * policies when enforcement is off under SECURITY_MAC_CHECK_ENFORCE.
 */
int
mac_socket_check_accepted(kauth_cred_t cred, struct socket *so)
{
	struct sockaddr *peer = NULL;
	int error;

#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099 - only check if we allow write */
	if (mac_socket_enforce == 0) {
		return 0;
	}
#endif

	/* No peer address means nothing to check against: treat as aborted. */
	if (sock_getaddr((socket_t)so, &peer, 1) != 0) {
		return ECONNABORTED;
	}

	MAC_CHECK(socket_check_accepted, cred, (socket_t)so, so->so_label, peer);
	sock_freeaddr(peer);
	return error;
}
511 | #endif |
512 | |
/*
 * Access check: may ucred bind socket so to address sockaddr?
 * Returns 0 to allow, otherwise the error chosen by the policies (MAC_CHECK
 * writes `error`).  Returns 0 without consulting policies when enforcement
 * is off under SECURITY_MAC_CHECK_ENFORCE.
 */
int
mac_socket_check_bind(kauth_cred_t ucred, struct socket *so,
    struct sockaddr *sockaddr)
{
	int error;

#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099 - only check if we allow write */
	if (mac_socket_enforce == 0) {
		return 0;
	}
#endif

	MAC_CHECK(socket_check_bind, ucred, (socket_t)so, so->so_label, sockaddr);
	return error;
}
529 | |
/*
 * Access check: may cred connect socket so to address sockaddr?
 * Returns 0 to allow, otherwise the error chosen by the policies (MAC_CHECK
 * writes `error`).  Returns 0 without consulting policies when enforcement
 * is off under SECURITY_MAC_CHECK_ENFORCE.
 */
int
mac_socket_check_connect(kauth_cred_t cred, struct socket *so,
    struct sockaddr *sockaddr)
{
	int error;

#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099 - only check if we allow write */
	if (mac_socket_enforce == 0) {
		return 0;
	}
#endif

	MAC_CHECK(socket_check_connect, cred, (socket_t)so, so->so_label, sockaddr);
	return error;
}
547 | |
/*
 * Access check: may cred create a socket of the given domain, type and
 * protocol?  There is no socket (and hence no label) yet, so only the
 * credential and the three socket() parameters are passed to the policies.
 * Returns 0 to allow, otherwise the policies' error; returns 0 without
 * consulting policies when enforcement is off under
 * SECURITY_MAC_CHECK_ENFORCE.
 */
int
mac_socket_check_create(kauth_cred_t cred, int domain, int type, int protocol)
{
	int error;

#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099 - only check if we allow write */
	if (mac_socket_enforce == 0) {
		return 0;
	}
#endif

	MAC_CHECK(socket_check_create, cred, domain, type, protocol);
	return error;
}
562 | |
563 | #if CONFIG_MACF_SOCKET && CONFIG_MACF_NET |
/*
 * Access check: may inbound mbuf be delivered to socket so?
 * The mbuf's label may be NULL (unlabeled mbuf); policies must handle that.
 * Returns 0 to allow, otherwise the error chosen by the policies (MAC_CHECK
 * writes `error`).  Returns 0 without consulting policies when enforcement
 * is off under SECURITY_MAC_CHECK_ENFORCE.
 */
int
mac_socket_check_deliver(struct socket *so, struct mbuf *mbuf)
{
	int error;

#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099 - only check if we allow write */
	if (mac_socket_enforce == 0) {
		return 0;
	}
#endif

	/* Policy must deal with NULL label (unlabeled mbufs) */
	struct label *mlabel = mac_mbuf_to_label(mbuf);

	MAC_CHECK(socket_check_deliver, (socket_t)so, so->so_label, mbuf, mlabel);
	return error;
}
583 | #else |
/*
 * Stub used when CONFIG_MACF_SOCKET and CONFIG_MACF_NET are not both
 * enabled: delivery is always permitted because mbufs carry no labels.
 */
int
mac_socket_check_deliver(__unused struct socket *so, __unused struct mbuf *mbuf)
{
	return 0;
}
589 | #endif |
590 | |
/*
 * Access check: may cred issue ioctl cmd on socket so?
 * Note the argument order handed to the policies: cmd precedes so_label.
 * Returns 0 to allow, otherwise the error chosen by the policies (MAC_CHECK
 * writes `error`).  Returns 0 without consulting policies when enforcement
 * is off under SECURITY_MAC_CHECK_ENFORCE.
 */
int
mac_socket_check_ioctl(kauth_cred_t cred, struct socket *so,
    unsigned int cmd)
{
	int error;

#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099 - only check if we allow write */
	if (mac_socket_enforce == 0) {
		return 0;
	}
#endif

	MAC_CHECK(socket_check_ioctl, cred, (socket_t)so, cmd, so->so_label);
	return error;
}
607 | |
/*
 * Access check: may cred fstat() socket so?
 * Returns 0 to allow, otherwise the error chosen by the policies (MAC_CHECK
 * writes `error`).  Returns 0 without consulting policies when enforcement
 * is off under SECURITY_MAC_CHECK_ENFORCE.
 */
int
mac_socket_check_stat(kauth_cred_t cred, struct socket *so)
{
	int error;

#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099 - only check if we allow write */
	if (mac_socket_enforce == 0) {
		return 0;
	}
#endif

	MAC_CHECK(socket_check_stat, cred, (socket_t)so, so->so_label);
	return error;
}
623 | |
/*
 * Access check: may cred put socket so into the listening state?
 * Returns 0 to allow, otherwise the error chosen by the policies (MAC_CHECK
 * writes `error`).  Returns 0 without consulting policies when enforcement
 * is off under SECURITY_MAC_CHECK_ENFORCE.
 */
int
mac_socket_check_listen(kauth_cred_t cred, struct socket *so)
{
	int error;

#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099 - only check if we allow write */
	if (mac_socket_enforce == 0) {
		return 0;
	}
#endif

	MAC_CHECK(socket_check_listen, cred, (socket_t)so, so->so_label);
	return error;
}
639 | |
/*
 * Access check: may cred receive data from socket so?
 * Returns 0 to allow, otherwise the error chosen by the policies (MAC_CHECK
 * writes `error`).  Returns 0 without consulting policies when enforcement
 * is off under SECURITY_MAC_CHECK_ENFORCE.
 */
int
mac_socket_check_receive(kauth_cred_t cred, struct socket *so)
{
	int error;

#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099 - only check if we allow write */
	if (mac_socket_enforce == 0) {
		return 0;
	}
#endif

	MAC_CHECK(socket_check_receive, cred, (socket_t)so, so->so_label);
	return error;
}
655 | |
/*
 * Access check after data arrived on socket so from address saddr: may cred
 * see it?  Unlike the other hooks here, so is passed to the policies as a
 * plain struct socket *, not cast to socket_t.
 * Returns 0 to allow, otherwise the error chosen by the policies (MAC_CHECK
 * writes `error`).  Returns 0 without consulting policies when enforcement
 * is off under SECURITY_MAC_CHECK_ENFORCE.
 */
int
mac_socket_check_received(kauth_cred_t cred, struct socket *so, struct sockaddr *saddr)
{
	int error;

#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099 - only check if we allow write */
	if (mac_socket_enforce == 0) {
		return 0;
	}
#endif

	MAC_CHECK(socket_check_received, cred, so, so->so_label, saddr);
	return error;
}
671 | |
/*
 * Access check: may cred send on socket so to address sockaddr (which may
 * be the connected peer's address or an explicit destination)?
 * Returns 0 to allow, otherwise the error chosen by the policies (MAC_CHECK
 * writes `error`).  Returns 0 without consulting policies when enforcement
 * is off under SECURITY_MAC_CHECK_ENFORCE.
 */
int
mac_socket_check_send(kauth_cred_t cred, struct socket *so,
    struct sockaddr *sockaddr)
{
	int error;

#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099 - only check if we allow write */
	if (mac_socket_enforce == 0) {
		return 0;
	}
#endif

	MAC_CHECK(socket_check_send, cred, (socket_t)so, so->so_label, sockaddr);
	return error;
}
688 | |
/*
 * Access check: may cred apply socket option sopt to socket so?
 * Returns 0 to allow, otherwise the error chosen by the policies (MAC_CHECK
 * writes `error`).  Returns 0 without consulting policies when enforcement
 * is off under SECURITY_MAC_CHECK_ENFORCE.
 */
int
mac_socket_check_setsockopt(kauth_cred_t cred, struct socket *so,
    struct sockopt *sopt)
{
	int error;

#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099 - only check if we allow write */
	if (mac_socket_enforce == 0) {
		return 0;
	}
#endif

	MAC_CHECK(socket_check_setsockopt, cred, (socket_t)so, so->so_label, sopt);
	return error;
}
705 | |
/*
 * Access check: may cred read socket option sopt from socket so?
 * Returns 0 to allow, otherwise the error chosen by the policies (MAC_CHECK
 * writes `error`).  Returns 0 without consulting policies when enforcement
 * is off under SECURITY_MAC_CHECK_ENFORCE.
 */
int
mac_socket_check_getsockopt(kauth_cred_t cred, struct socket *so,
    struct sockopt *sopt)
{
	int error;

#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099 - only check if we allow write */
	if (mac_socket_enforce == 0) {
		return 0;
	}
#endif

	MAC_CHECK(socket_check_getsockopt, cred, (socket_t)so, so->so_label, sopt);
	return error;
}
721 | |