From owner-p4-projects@FreeBSD.ORG Wed Mar 16 20:47:45 2005 Date: Wed, 16 Mar 2005 20:47:44 GMT Message-Id: <200503162047.j2GKli3l008254@repoman.freebsd.org>
From: Robert Watson To: Perforce Change Reviews Subject: PERFORCE change 73335 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 16 Mar 2005 20:47:45 -0000 http://perforce.freebsd.org/chv.cgi?CH=73335 Change 73335 by rwatson@rwatson_paprika on 2005/03/16 20:47:42 Add MAC Framework access control check for accept() system call. Pointed out by: sherman@nailabs.com, pleblanc@nailabs.com Affected files ... .. //depot/projects/trustedbsd/mac/sys/kern/uipc_syscalls.c#47 edit .. //depot/projects/trustedbsd/mac/sys/security/mac/mac_socket.c#5 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_stub/mac_stub.c#29 edit .. //depot/projects/trustedbsd/mac/sys/sys/mac.h#268 edit .. //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#225 edit Differences ... ==== //depot/projects/trustedbsd/mac/sys/kern/uipc_syscalls.c#47 (text+ko) ==== @@ -315,6 +315,13 @@ error = EINVAL; goto done; } +#ifdef MAC + SOCK_LOCK(head); + error = mac_check_socket_accept(td->td_ucred, head); + SOCK_UNLOCK(head); + if (error != 0) + goto done; +#endif error = falloc(td, &nfp, &fd); if (error) goto done; ==== //depot/projects/trustedbsd/mac/sys/security/mac/mac_socket.c#5 (text+ko) ==== @@ -1,7 +1,7 @@ /*- * Copyright (c) 1999-2002 Robert N. M. Watson * Copyright (c) 2001 Ilmar S. Habibulin - * Copyright (c) 2001-2004 Networks Associates Technology, Inc. + * Copyright (c) 2001-2005 Networks Associates Technology, Inc. * All rights reserved. * * This software was developed by Robert Watson and Ilmar Habibulin for the 
@@ -273,6 +273,21 @@ } int +mac_check_socket_accept(struct ucred *cred, struct socket *socket) +{ + int error; + + SOCK_LOCK_ASSERT(socket); + + if (!mac_enforce_socket) + return (0); + + MAC_CHECK(check_socket_accept, cred, socket, socket->so_label); + + return (error); +} + +int mac_check_socket_bind(struct ucred *ucred, struct socket *socket, struct sockaddr *sockaddr) { ==== //depot/projects/trustedbsd/mac/sys/security/mac_stub/mac_stub.c#29 (text+ko) ==== @@ -982,6 +982,14 @@ } static int +stub_check_socket_accept(struct ucred *cred, struct socket *socket, + struct label *socketlabel) +{ + + return (0); +} + +static int stub_check_socket_bind(struct ucred *cred, struct socket *socket, struct label *socketlabel, struct sockaddr *sockaddr) { @@ -1502,6 +1510,7 @@ .mpo_check_proc_setresgid = stub_check_proc_setresgid, .mpo_check_proc_signal = stub_check_proc_signal, .mpo_check_proc_wait = stub_check_proc_wait, + .mpo_check_socket_accept = stub_check_socket_accept, .mpo_check_socket_bind = stub_check_socket_bind, .mpo_check_socket_connect = stub_check_socket_connect, .mpo_check_socket_deliver = stub_check_socket_deliver, ==== //depot/projects/trustedbsd/mac/sys/sys/mac.h#268 (text+ko) ==== @@ -1,6 +1,6 @@ /*- * Copyright (c) 1999-2002 Robert N. M. Watson - * Copyright (c) 2001-2003 Networks Associates Technology, Inc. + * Copyright (c) 2001-2005 Networks Associates Technology, Inc. * All rights reserved. * * This software was developed by Robert Watson for the TrustedBSD Project. @@ -369,6 +369,7 @@ int mac_check_proc_signal(struct ucred *cred, struct proc *proc, int signum); int mac_check_proc_wait(struct ucred *cred, struct proc *proc); +int mac_check_socket_accept(struct ucred *cred, struct socket *so); int mac_check_socket_bind(struct ucred *cred, struct socket *so, struct sockaddr *sockaddr); int mac_check_socket_connect(struct ucred *cred, struct socket *so, ==== //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#225 (text+ko) ==== 
@@ -1,6 +1,6 @@ /*- * Copyright (c) 1999-2002 Robert N. M. Watson - * Copyright (c) 2001-2004 Networks Associates Technology, Inc. + * Copyright (c) 2001-2005 Networks Associates Technology, Inc. * All rights reserved. * * This software was developed by Robert Watson for the TrustedBSD Project. @@ -451,6 +451,8 @@ struct proc *proc, int signum); int (*mpo_check_proc_wait)(struct ucred *cred, struct proc *proc); + int (*mpo_check_socket_accept)(struct ucred *cred, + struct socket *so, struct label *socketlabel); int (*mpo_check_socket_bind)(struct ucred *cred, struct socket *so, struct label *socketlabel, struct sockaddr *sockaddr);
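Review bot: In the uipc_syscalls.c hunk (@@ -315,6 +315,13 @@), SOCK_UNLOCK(head) runs immediately after mac_check_socket_accept() returns, and the falloc() that follows runs without the socket lock, so the decision reflects the label of `head` only at the moment of the check. If the listening socket can be relabelled in that window, the authorization is stale by the time it is used. Add a comment above the `#ifdef MAC` block stating that this gap is accepted, or keep the lock held up to the point where the decision is acted on. The comment should also say that the check is made against the listening socket `head`, not against the connection that accept() will return. Minor style: the new test is `if (error != 0)` while the line right after it uses `if (error)`.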
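Review bot: In the mac_socket.c hunk (@@ -273,6 +273,21 @@), mac_check_socket_accept() carries no comment describing its contract. A short block comment should state that the caller must hold the socket lock (the SOCK_LOCK_ASSERT(socket) enforces it but does not explain it), that `socket` is the listening socket, and that the function returns 0 without consulting any policy when mac_enforce_socket is off. The local `error` is never assigned in the visible body and is only set by the MAC_CHECK macro, which is worth a word for readers who do not know the macro. Naming is also inconsistent: this function takes `cred` and `socket`, the adjacent mac_check_socket_bind() takes `ucred`, and the new prototype in mac.h names the argument `so`.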
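Review bot: In the mac_stub.c hunks (@@ -982,6 +982,14 @@ and @@ -1502,6 +1510,7 @@), stub_check_socket_accept() returns 0 unconditionally and mac_stub.c is the only policy in the affected-files list, so after this change nothing shown here can actually deny an accept(). Land the hook together with at least one enforcing implementation or a test policy, so that the error path added in uipc_syscalls.c (`if (error != 0) goto done;`) is exercised. If the enforcing policies are to follow in a separate change, say so in the change description.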
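Review bot: In the mac_policy.h hunk (@@ -451,6 +451,8 @@), mpo_check_socket_accept is inserted in the middle of the ops structure, between mpo_check_proc_wait and mpo_check_socket_bind, which shifts the offset of every member after it. A policy module built against the previous header would have its later entry points called through the wrong slots. The stub policy uses designated initializers, so it is fine at source level, but the change description should state that policy modules must be rebuilt, and any policy ABI version the framework exposes should be bumped with this change. The new member also has no comment saying which socket it receives or that the socket lock is held when it is called.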