Date: Mon, 22 Jan 2007 15:53:26 GMT
From: Todd Miller <millert@FreeBSD.org>
To: Perforce Change Reviews <perforce@freebsd.org>
Subject: PERFORCE change 113336 for review
Message-ID: <200701221553.l0MFrQWk023767@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=113336 Change 113336 by millert@millert_macbook on 2007/01/22 15:52:46 Implement mpo_socket_check_deliver, which is similar to mpo_inpcb_check_deliver (but for protocols w/o an inpcb). Affected files ... .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#66 edit Differences ... ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#66 (text+ko) ==== @@ -2662,16 +2662,21 @@ SOCKET__CREATE, NULL)); } -#if 0 static int -sebsd_socket_check_deliver(struct ucred *cred, struct xsocket *xso, - struct label *socklabel) +sebsd_socket_check_deliver(struct xsocket *xso, struct label *socklabel, + struct mbuf *m, struct label *mbuflabel) { + struct network_security_struct *nsec, *msec; + int error; + + nsec = SLOT(socklabel); + msec = SLOT(mbuflabel); - /* XXX - check for NULL socket label? */ - return (socket_has_perm(cred, socklabel, SOCKET__RECV)); + /* XXX - use an audit struct so we can log useful info */ + error = avc_has_perm(msec->sid, nsec->sid, SECCLASS_PACKET, + PACKET__RECV, NULL); + return (error); } -#endif #ifdef SOCKET__POLL static int @@ -3627,6 +3632,7 @@ .mpo_socket_check_bind = sebsd_socket_check_bind, .mpo_socket_check_connect = sebsd_socket_check_connect, .mpo_socket_check_create = sebsd_socket_check_create, + .mpo_socket_check_deliver = sebsd_socket_check_deliver, .mpo_socket_check_label_update = sebsd_socket_check_label_update, .mpo_socket_check_listen = sebsd_socket_check_listen, .mpo_socket_check_receive = sebsd_socket_check_receive,
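Review bot: In sebsd_socket_check_deliver, nsec = SLOT(socklabel) and msec = SLOT(mbuflabel) are dereferenced in the avc_has_perm call (msec->sid, nsec->sid) with no NULL check, and the removed comment "XXX - check for NULL socket label?" shows that question was still open in the old version. If either label can reach this hook without an allocated slot, this is a NULL dereference in the kernel on the packet delivery path. Either test both pointers and pick an explicit return value for the unlabeled case, or add a comment stating why the framework guarantees both labels are populated here. Smaller points in the same hunk: the xso and m parameters are unused, and the local error is not needed since the function can return the avc_has_perm result directly until the audit struct mentioned in the new XXX comment is added.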