Date: Wed, 16 Mar 2005 20:47:44 GMT From: Robert Watson <rwatson@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 73335 for review Message-ID: <200503162047.j2GKli3l008254@repoman.freebsd.org>
next in thread | raw e-mail | index | archive | help
http://perforce.freebsd.org/chv.cgi?CH=73335 Change 73335 by rwatson@rwatson_paprika on 2005/03/16 20:47:42 Add MAC Framework access control check for accept() system call. Pointed out by: sherman@nailabs.com, pleblanc@nailabs.com Affected files ... .. //depot/projects/trustedbsd/mac/sys/kern/uipc_syscalls.c#47 edit .. //depot/projects/trustedbsd/mac/sys/security/mac/mac_socket.c#5 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_stub/mac_stub.c#29 edit .. //depot/projects/trustedbsd/mac/sys/sys/mac.h#268 edit .. //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#225 edit Differences ... ==== //depot/projects/trustedbsd/mac/sys/kern/uipc_syscalls.c#47 (text+ko) ==== @@ -315,6 +315,13 @@ error = EINVAL; goto done; } +#ifdef MAC + SOCK_LOCK(head); + error = mac_check_socket_accept(td->td_ucred, head); + SOCK_UNLOCK(head); + if (error != 0) + goto done; +#endif error = falloc(td, &nfp, &fd); if (error) goto done; ==== //depot/projects/trustedbsd/mac/sys/security/mac/mac_socket.c#5 (text+ko) ==== @@ -1,7 +1,7 @@ /*- * Copyright (c) 1999-2002 Robert N. M. Watson * Copyright (c) 2001 Ilmar S. Habibulin - * Copyright (c) 2001-2004 Networks Associates Technology, Inc. + * Copyright (c) 2001-2005 Networks Associates Technology, Inc. * All rights reserved. * * This software was developed by Robert Watson and Ilmar Habibulin for the @@ -273,6 +273,21 @@ } int +mac_check_socket_accept(struct ucred *cred, struct socket *socket) +{ + int error; + + SOCK_LOCK_ASSERT(socket); + + if (!mac_enforce_socket) + return (0); + + MAC_CHECK(check_socket_accept, cred, socket, socket->so_label); + + return (error); +} + +int mac_check_socket_bind(struct ucred *ucred, struct socket *socket, struct sockaddr *sockaddr) { ==== //depot/projects/trustedbsd/mac/sys/security/mac_stub/mac_stub.c#29 (text+ko) ==== @@ -982,6 +982,14 @@ } static int +stub_check_socket_accept(struct ucred *cred, struct socket *socket, + struct label *socketlabel) +{ + + return (0); +} + +static int stub_check_socket_bind(struct ucred *cred, struct socket *socket, struct label *socketlabel, struct sockaddr *sockaddr) { @@ -1502,6 +1510,7 @@ .mpo_check_proc_setresgid = stub_check_proc_setresgid, .mpo_check_proc_signal = stub_check_proc_signal, .mpo_check_proc_wait = stub_check_proc_wait, + .mpo_check_socket_accept = stub_check_socket_accept, .mpo_check_socket_bind = stub_check_socket_bind, .mpo_check_socket_connect = stub_check_socket_connect, .mpo_check_socket_deliver = stub_check_socket_deliver, ==== //depot/projects/trustedbsd/mac/sys/sys/mac.h#268 (text+ko) ==== @@ -1,6 +1,6 @@ /*- * Copyright (c) 1999-2002 Robert N. M. Watson - * Copyright (c) 2001-2003 Networks Associates Technology, Inc. + * Copyright (c) 2001-2005 Networks Associates Technology, Inc. * All rights reserved. * * This software was developed by Robert Watson for the TrustedBSD Project. @@ -369,6 +369,7 @@ int mac_check_proc_signal(struct ucred *cred, struct proc *proc, int signum); int mac_check_proc_wait(struct ucred *cred, struct proc *proc); +int mac_check_socket_accept(struct ucred *cred, struct socket *so); int mac_check_socket_bind(struct ucred *cred, struct socket *so, struct sockaddr *sockaddr); int mac_check_socket_connect(struct ucred *cred, struct socket *so, ==== //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#225 (text+ko) ==== @@ -1,6 +1,6 @@ /*- * Copyright (c) 1999-2002 Robert N. M. Watson - * Copyright (c) 2001-2004 Networks Associates Technology, Inc. + * Copyright (c) 2001-2005 Networks Associates Technology, Inc. * All rights reserved. * * This software was developed by Robert Watson for the TrustedBSD Project. @@ -451,6 +451,8 @@ struct proc *proc, int signum); int (*mpo_check_proc_wait)(struct ucred *cred, struct proc *proc); + int (*mpo_check_socket_accept)(struct ucred *cred, + struct socket *so, struct label *socketlabel); int (*mpo_check_socket_bind)(struct ucred *cred, struct socket *so, struct label *socketlabel, struct sockaddr *sockaddr);
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200503162047.j2GKli3l008254>