Date: 20 Feb 2004 00:36:53 -0000
From: "Christian S.J.Peron" <maneo@sqrt.ca>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: trustedbsd-discuss@watson.org
Subject: kern/63096: [patch] MAC entry point for route manipulation
Message-ID: <20040220003653.78056.qmail@staff.seccuris.com>
Resent-Message-ID: <200402200040.i1K0eNKf090733@freefall.freebsd.org>
>Number:         63096
>Category:       kern
>Synopsis:       [patch] MAC entry point for route manipulation
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Thu Feb 19 16:40:23 PST 2004
>Closed-Date:
>Last-Modified:
>Originator:     Christian S.J. Peron
>Release:        FreeBSD 5.2-CURRENT i386
>Organization:
>Environment:
System: FreeBSD 5.2-CURRENT FreeBSD 5.2-CURRENT #11: Thu Feb 19 05:26:09 GMT 2004 cperon@:/usr/src/sys/i386/compile/ROUTER i386
>Description:
Currently there is no way to restrict routing table manipulation from userspace using the MAC framework. I think it would be beneficial to have this functionality. I have tested this in a static environment, meaning the routes on this box did not change on a regular basis. The following patch(es) define a hook which is invoked by rt_output() in rtsock.c for the MAC framework.
How-To-Repeat: N/A
>How-To-Repeat:
>Fix:
--- sys/sys/mac.h.bak Thu Feb 19 03:44:47 2004 +++ sys/sys/mac.h Thu Feb 19 03:44:02 2004 @@ -278,6 +278,7 @@ int mac_check_system_acct(struct ucred *cred, struct vnode *vp); int mac_check_system_nfsd(struct ucred *cred); int mac_check_system_reboot(struct ucred *cred, int howto); +int mac_check_system_route_alter(struct ucred *cred); int mac_check_system_settime(struct ucred *cred); int mac_check_system_swapon(struct ucred *cred, struct vnode *vp); int mac_check_system_swapoff(struct ucred *cred, struct vnode *vp); --- sys/sys/mac_policy.h.bak Thu Feb 19 03:45:32 2004 +++ sys/sys/mac_policy.h Thu Feb 19 16:35:12 2004 
@@ -356,6 +356,7 @@ struct vnode *vp, struct label *vlabel); int (*mpo_check_system_nfsd)(struct ucred *cred); int (*mpo_check_system_reboot)(struct ucred *cred, int howto); + int (*mpo_check_system_route_alter)(struct ucred *cred); int (*mpo_check_system_settime)(struct ucred *cred); int (*mpo_check_system_swapon)(struct ucred *cred, struct vnode *vp, struct label *label); --- sys/security/mac/mac_system.c.bak Thu Feb 19 01:17:26 2004 +++ sys/security/mac/mac_system.c Thu Feb 19 16:31:13 2004 @@ -152,6 +152,19 @@ } int +mac_check_system_route_alter(struct ucred *cred) +{ + int error; + + if (!mac_enforce_system) + return (0); + + MAC_CHECK(check_system_route_alter, cred); + + return(error); +} + +int mac_check_sysarch_ioperm(struct ucred *cred) { int error; --- sys/net/rtsock.c.orig Thu Nov 20 20:07:37 2003 +++ sys/net/rtsock.c Thu Feb 19 16:33:10 2004 @@ -38,6 +38,7 @@ #include <sys/domain.h> #include <sys/kernel.h> #include <sys/jail.h> +#include <sys/mac.h> #include <sys/malloc.h> #include <sys/mbuf.h> #include <sys/proc.h> @@ -52,6 +53,8 @@ #include <net/raw_cb.h> #include <net/route.h> +#include "opt_mac.h" + MALLOC_DEFINE(M_RTABLE, "routetbl", "routing tables"); /* NB: these are not modified */ @@ -343,6 +346,12 @@ */ if (rtm->rtm_type != RTM_GET && (error = suser(curthread)) != 0) senderr(error); + +#ifdef MAC + error = mac_check_system_route_alter(curthread->td_ucred); + if (error) + return(error); +#endif switch (rtm->rtm_type) { struct rtentry *saved_nrt; >Release-Note: >Audit-Trail: >Unformatted:
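Review bot: in the sys/sys/mac.h hunk, the new mac_check_system_route_alter() prototype takes only the cred, so a policy cannot distinguish an RTM_ADD from an RTM_DELETE or RTM_CHANGE even though rt_output() has rtm->rtm_type in hand at the call site; consider widening the signature now, e.g. `int mac_check_system_route_alter(struct ucred *cred, int rtm_type);`, because the entry-point interface is much harder to change once policies depend on it.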
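Review bot: in the sys/sys/mac_policy.h hunk, the mpo_check_system_route_alter slot is added to struct mac_policy_ops but no policy module in this patch implements it, so the hook cannot be exercised as submitted; the change should at least add the matching function to the policy that counts entry-point invocations (mac_test), and the description should say which policy the "static environment" test was run with.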
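Review bot: style nit in the sys/security/mac/mac_system.c hunk: `return(error);` should be `return (error);` to match style(9) and the `return (0);` four lines above it in the same function.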
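Review bot: in the second sys/net/rtsock.c hunk, `#include "opt_mac.h"` is inserted after `<net/route.h>`, which is after the `<sys/mac.h>` include added by the previous hunk, so the MAC option is not yet defined while sys/mac.h and the other system headers are being processed; option headers conventionally go at the very top of the include list in kernel sources, so move it there.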
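Review bot: in the rt_output() hunk, the new check bails out with `return(error);` instead of `senderr(error)` as the suser() check immediately above it does, so a MAC denial bypasses the senderr() cleanup and error-reply path that the rest of rt_output() relies on; use `senderr(error)` here. Separately, the check is placed outside the `rtm->rtm_type != RTM_GET` condition, so a policy that denies route_alter will also refuse RTM_GET lookups, which do not alter the table; either guard it with the same RTM_GET test or name the entry point to reflect that it covers every routing-socket request.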
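To make the semantics of the proposed hook concrete, here is a stand-alone C model of the check, written for this page as an added example; it is not code from the patch or from FreeBSD. It composes a route_alter decision across several loaded policies the way the framework's MAC_CHECK does, consults it from an rt_output()-style dispatcher after the suser() check, and shows why applying the check to RTM_GET as well denies read-only lookups. Everything prefixed model_, the integrity and freeze policies, the MODEL_ROUTE_INTEGRITY floor and the two tunables are assumptions for this example; the error precedence in model_error_select() mirrors the order used by the framework's mac_error_select() (EDEADLK, EINVAL, ESRCH, EACCES, EPERM, then the first error).

```c
/* Added example: a portable model of a MAC system_route_alter check. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in for struct ucred with only the fields the model policies read. */
struct model_ucred {
    unsigned cr_uid;        /* effective uid, 0 is superuser */
    int      cr_integrity;  /* hypothetical integrity level carried by the cred */
};

/* Route message verbs, standing in for the RTM_* values rt_output() switches on. */
enum { MODEL_RTM_ADD = 1, MODEL_RTM_DELETE = 2, MODEL_RTM_CHANGE = 3, MODEL_RTM_GET = 4 };

/* One policy's entry points; a NULL slot means the policy has no opinion. */
struct model_policy_ops {
    const char *mpo_name;
    int (*mpo_check_system_route_alter)(struct model_ucred *cred);
};

/* Tunables standing in for sysctls (assumptions for this example). */
int model_mac_enforce_system = 1;   /* like the patch's mac_enforce_system gate */
int model_route_frozen = 0;         /* knob of the hypothetical "freeze" policy */
#define MODEL_ROUTE_INTEGRITY 10    /* hypothetical integrity floor of the routing table */

/* Combine two policy results, most severe first, as mac_error_select() does. */
static int
model_error_select(int e1, int e2)
{
    if (e1 == EDEADLK || e2 == EDEADLK) return (EDEADLK);
    if (e1 == EINVAL  || e2 == EINVAL)  return (EINVAL);
    if (e1 == ESRCH   || e2 == ESRCH)   return (ESRCH);
    if (e1 == EACCES  || e2 == EACCES)  return (EACCES);
    if (e1 == EPERM   || e2 == EPERM)   return (EPERM);
    return (e1 != 0 ? e1 : e2);
}

/* Policy 1 (hypothetical): the routing table is high integrity; low creds may not alter it. */
static int
integrity_check_route_alter(struct model_ucred *cred)
{
    return (cred->cr_integrity >= MODEL_ROUTE_INTEGRITY ? 0 : EACCES);
}

/* Policy 2 (hypothetical): refuse every change while the table is frozen. */
static int
freeze_check_route_alter(struct model_ucred *cred)
{
    (void)cred;
    return (model_route_frozen ? EPERM : 0);
}

static struct model_policy_ops model_policies[] = {
    { "integrity", integrity_check_route_alter },
    { "freeze",    freeze_check_route_alter },
    { "stub",      NULL },              /* loaded policy without this entry point */
};
#define MODEL_NPOLICIES (sizeof(model_policies) / sizeof(model_policies[0]))

/* Framework side: what MAC_CHECK(check_system_route_alter, cred) expands to. */
int
model_mac_check_system_route_alter(struct model_ucred *cred)
{
    int error = 0;
    size_t i;

    if (!model_mac_enforce_system)
        return (0);
    for (i = 0; i < MODEL_NPOLICIES; i++) {
        if (model_policies[i].mpo_check_system_route_alter == NULL)
            continue;
        error = model_error_select(error,
            model_policies[i].mpo_check_system_route_alter(cred));
    }
    return (error);
}

/*
 * Caller side, modelled on rt_output(): the DAC check (suser(), skipped for
 * RTM_GET) runs first, then the MAC entry point.  guard_get selects whether
 * the MAC check is likewise skipped for RTM_GET, which only reads the table;
 * guard_get == 0 is the behaviour of the patch as posted.
 */
int
model_rt_output(struct model_ucred *cred, int rtm_type, int guard_get)
{
    int error;

    if (rtm_type != MODEL_RTM_GET && cred->cr_uid != 0)
        return (EPERM);                 /* suser() failed */
    if (!guard_get || rtm_type != MODEL_RTM_GET) {
        error = model_mac_check_system_route_alter(cred);
        if (error)
            return (error);
    }
    return (0);                         /* would continue into the rtm_type switch */
}

int
main(void)
{
    struct model_ucred root_low = { 0, 0 };

    printf("root, low integrity, RTM_ADD: %d\n", model_rt_output(&root_low, MODEL_RTM_ADD, 1));
    printf("root, low integrity, RTM_GET unguarded: %d\n", model_rt_output(&root_low, MODEL_RTM_GET, 0));
    printf("root, low integrity, RTM_GET guarded: %d\n", model_rt_output(&root_low, MODEL_RTM_GET, 1));
    return (0);
}
```

The two policies deliberately return different errors so the composition is visible: when both deny, EACCES wins over EPERM, and a policy with a NULL slot never influences the result. The unguarded RTM_GET case is the behaviour of the patch as posted and is the one to watch when deploying a denying policy on a box that still needs to run `route get` or `netstat -r` style lookups through the routing socket.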