From c9ea2dcf62e79bcc0b527700489c017af2d22985 Mon Sep 17 00:00:00 2001 From: Robert Watson Date: Sun, 16 Nov 2003 20:01:50 +0000 Subject: [PATCH] Abstract the label checking and setting logic from mac_setsockopt_label() into mac_socket_label_set(); make it non-static so that it can be invoked from kern_mac.c for mac_set_fd(). Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories --- sys/security/mac/mac_internal.h | 3 +++ sys/security/mac/mac_net.c | 34 ++++++++++++++++++++------------- 2 files changed, 24 insertions(+), 13 deletions(-) diff --git a/sys/security/mac/mac_internal.h b/sys/security/mac/mac_internal.h index f4a1598483c..b6983e39c0e 100644 --- a/sys/security/mac/mac_internal.h +++ b/sys/security/mac/mac_internal.h @@ -121,6 +121,9 @@ int mac_externalize_pipe_label(struct label *label, char *elements, char *outbuf, size_t outbuflen); int mac_internalize_pipe_label(struct label *label, char *string); +int mac_socket_label_set(struct ucred *cred, struct socket *so, + struct label *label); + int mac_externalize_vnode_label(struct label *label, char *elements, char *outbuf, size_t outbuflen); int mac_internalize_vnode_label(struct label *label, char *string); diff --git a/sys/security/mac/mac_net.c b/sys/security/mac/mac_net.c index 4c040c8aaff..183e79c3562 100644 --- a/sys/security/mac/mac_net.c +++ b/sys/security/mac/mac_net.c @@ -885,6 +885,20 @@ mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr, return (0); } +int +mac_socket_label_set(struct ucred *cred, struct socket *so, + struct label *label) +{ + int error; + + error = mac_check_socket_relabel(cred, so, label); + if (error) + return (error); + + mac_relabel_socket(cred, so, label); + return (0); +} + int mac_setsockopt_label(struct ucred *cred, struct socket *so, struct mac *mac) { @@ -906,21 +920,15 @@ mac_setsockopt_label(struct ucred *cred, struct socket *so, struct mac *mac) intlabel = mac_socket_label_alloc(M_WAITOK); error = mac_internalize_socket_label(intlabel, buffer); free(buffer, M_MACTEMP); - if (error) { - mac_socket_label_free(intlabel); - return (error); - } - - mac_check_socket_relabel(cred, so, intlabel); - if (error) { - mac_socket_label_free(intlabel); - return (error); - } - - mac_relabel_socket(cred, so, intlabel); + if (error) + goto out; + /* XXX: Socket lock here. */ + error = mac_socket_label_set(cred, so, intlabel); + /* XXX: Socket unlock here. */ +out: mac_socket_label_free(intlabel); - return (0); + return (error); } int