Date: Mon, 22 Jan 2007 20:22:51 GMT From: Todd Miller <millert@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 113430 for review Message-ID: <200701222022.l0MKMp3q095168@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=113430
Change 113430 by millert@millert_macbook on 2007/01/22 20:22:07
Allow the kernel to send TCP packets that didn't originate from userland.
Affected files ...
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/kernel/corenetwork.if.in#4 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/kernel/corenetwork.te.in#5 edit
Differences ...
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/kernel/corenetwork.if.in#4 (text+ko) ====
@@ -180,6 +180,24 @@
 ########################################
 ## <summary>
+## Send TCP network traffic on all interfaces.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_send_all_if',`
+ gen_require(`
+ attribute netif_type;
+ ')
+
+ allow $1 netif_type:netif { tcp_send };
+')
+
+########################################
+## <summary>
 ## Send and receive TCP network traffic on all interfaces.
 ## </summary>
 ## <param name="domain">
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/policy/modules/kernel/corenetwork.te.in#5 (text+ko) ====
@@ -188,8 +188,10 @@
 type netif_t, netif_type;
 sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
-# Allow in-kernel transmission for ICMP replies and the like
+# Allow in-kernel transmission for ICMP replies and TCP connections
+# without a user socket associated with them.
 corenet_raw_send_all_if(netif_t)
+corenet_tcp_send_all_if(netif_t)
 build_option(`enable_mls',`
 network_interface(lo, lo,s0 - mls_systemhigh)
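Review bot: The `<param name="domain">` text on `corenet_tcp_send_all_if` describes the argument as the type of a process, but the only caller added in this change passes `netif_t`, which corenetwork.te.in declares as an interface type (`type netif_t, netif_type;`). I would reword it to `## The type allowed to send TCP traffic on all interfaces.` so the documentation matches how the interface is used. The summary could also state that only `tcp_send` is granted, with no receive permission, so reviewers of later callers can see it is the narrower alternative to the send-and-receive interface that follows it.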
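Review bot: `corenet_tcp_send_all_if(netif_t)` lets the `netif_t` source type send TCP on every type carrying the `netif_type` attribute, so any segment that reaches the check without a socket label is allowed on all interfaces, including ones labelled later. The new comment should name the kernel paths this is meant to cover (presumably resets and acknowledgements for connections with no socket; confirm), so an audit can tell intended traffic from a labelling gap. For example: `# Kernel-generated TCP with no socket label is checked as netif_t; expected sources: <list kernel paths>`. If only specific interfaces need this, a narrower rule than the all-interfaces attribute would keep the grant closer to least privilege. Whether matching node or port permissions are also required is not visible in this hunk.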