From owner-p4-projects@FreeBSD.ORG Thu Jun 9 23:36:30 2005
Date: Thu, 9 Jun 2005 23:36:29 GMT
Message-Id: <200506092336.j59NaTj7076571@repoman.freebsd.org>
From: Robert Watson To: Perforce Change Reviews Cc: Subject: PERFORCE change 78294 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 09 Jun 2005 23:36:31 -0000 http://perforce.freebsd.org/chv.cgi?CH=78294 Change 78294 by rwatson@rwatson_fledge on 2005/06/09 23:35:43 Add a new MAC Framework entry point to decide whether or not a socket of a given domain/type/protocol can be allocated. Requested by: SCC Affected files ... .. //depot/projects/trustedbsd/mac/sys/kern/uipc_syscalls.c#50 edit .. //depot/projects/trustedbsd/mac/sys/security/mac/mac_socket.c#8 edit .. //depot/projects/trustedbsd/mac/sys/sys/mac.h#276 edit .. //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#233 edit Differences ... ==== //depot/projects/trustedbsd/mac/sys/kern/uipc_syscalls.c#50 (text+ko) ==== @@ -158,6 +158,12 @@ struct file *fp; int fd, error; +#ifdef MAC + error = mac_check_socket_create(td->td_ucred, uap->domain, uap->type, + uap->protocol); + if (error) + return (error); +#endif fdp = td->td_proc->p_fd; error = falloc(td, &fp, &fd); if (error) ==== //depot/projects/trustedbsd/mac/sys/security/mac/mac_socket.c#8 (text+ko) ==== @@ -2,6 +2,7 @@ * Copyright (c) 1999-2002 Robert N. M. Watson * Copyright (c) 2001 Ilmar S. Habibulin * Copyright (c) 2001-2005 Networks Associates Technology, Inc. + * Copyright (c) 2005 SPARTA, Inc. * All rights reserved. * * This software was developed by Robert Watson and Ilmar Habibulin for the 
@@ -322,6 +323,20 @@ } int +mac_check_socket_create(struct ucred *cred, int domain, int type, + int protocol) +{ + int error; + + if (!mac_enforce_socket) + return (0); + + MAC_CHECK(check_socket_create, cred, domain, type, protocol); + + return (error); +} + +int mac_check_socket_deliver(struct socket *socket, struct mbuf *mbuf) { struct label *label; ==== //depot/projects/trustedbsd/mac/sys/sys/mac.h#276 (text+ko) ==== @@ -1,6 +1,7 @@ /*- * Copyright (c) 1999-2002 Robert N. M. Watson * Copyright (c) 2001-2005 Networks Associates Technology, Inc. + * Copyright (c) 2005 SPARTA, Inc. * All rights reserved. * * This software was developed by Robert Watson for the TrustedBSD Project. @@ -374,6 +375,8 @@ struct sockaddr *sockaddr); int mac_check_socket_connect(struct ucred *cred, struct socket *so, struct sockaddr *sockaddr); +int mac_check_socket_create(struct ucred *cred, int domain, int type, + int protocol); int mac_check_socket_deliver(struct socket *so, struct mbuf *m); int mac_check_socket_listen(struct ucred *cred, struct socket *so); int mac_check_socket_poll(struct ucred *cred, struct socket *so); ==== //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#233 (text+ko) ==== @@ -1,6 +1,7 @@ /*- * Copyright (c) 1999-2002 Robert N. M. Watson * Copyright (c) 2001-2005 Networks Associates Technology, Inc. + * Copyright (c) 2005 SPARTA, Inc. * All rights reserved. * * This software was developed by Robert Watson for the TrustedBSD Project. @@ -460,6 +461,8 @@ int (*mpo_check_socket_connect)(struct ucred *cred, struct socket *so, struct label *socketlabel, struct sockaddr *sockaddr); + int (*mpo_check_socket_create)(struct ucred *cred, int domain, + int type, int protocol); int (*mpo_check_socket_deliver)(struct socket *so, struct label *socketlabel, struct mbuf *m, struct label *mbuflabel);
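Review bot: In the uipc_syscalls.c hunk (@@ -158,6 +158,12 @@), mac_check_socket_create() is handed uap->domain, uap->type and uap->protocol straight from the system call arguments, before any code visible here has validated them. Policies implementing the entry point will therefore see arbitrary caller-chosen integers. Say so in a comment at the call site or on the entry point, so policy authors range-check the values before using them as table indices. Placing the check ahead of falloc() is the right order, since a denial leaves no file descriptor to unwind. The hook is added at this one call site only, so please confirm whether other paths that allocate sockets are meant to be mediated as well.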
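Review bot: mac_check_socket_create() in mac_socket.c (@@ -322,6 +323,20 @@) returns error without assigning it anywhere in the function body, so its correctness depends on MAC_CHECK() setting error on every path, including the case where no policy registers the entry point. A short comment above the function stating that, and describing the semantics of the check (credential plus domain/type/protocol, with no socket label because no socket exists yet), would make this easier to review. The early return on !mac_enforce_socket also means that turning that toggle off disables creation control together with the other socket checks; confirm that this coupling is intended.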
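Review bot: In mac_policy.h (@@ -460,6 +461,8 @@), mpo_check_socket_create is inserted between mpo_check_socket_connect and mpo_check_socket_deliver, which shifts every later function pointer in the structure. Policy modules built against the previous header would be called through the wrong slots, so the change description should state that modules must be rebuilt, or the member should be appended at the end instead. The affected-files list also contains no policy that implements the new entry point and no documentation update; consider adding a stub or test implementation and a documentation entry so the hook is exercised and described.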