PERFORCE change 78294 for review

Thu Jun 9 23:36:29 GMT 2005

http://perforce.freebsd.org/chv.cgi?CH=78294

Change 78294 by rwatson at rwatson_fledge on 2005/06/09 23:35:43

	Add a new MAC Framework entry point to decide whether or not a socket
	of a given domain/type/protocol can be allocated.
	
	Requested by:	SCC

Affected files ...

.. //depot/projects/trustedbsd/mac/sys/kern/uipc_syscalls.c#50 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac/mac_socket.c#8 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac.h#276 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#233 edit

Differences ...

==== //depot/projects/trustedbsd/mac/sys/kern/uipc_syscalls.c#50 (text+ko) ====

@@ -158,6 +158,12 @@
 	struct file *fp;
 	int fd, error;
 
+#ifdef MAC
+	error = mac_check_socket_create(td->td_ucred, uap->domain, uap->type,
+	    uap->protocol);
+	if (error)
+		return (error);
+#endif
 	fdp = td->td_proc->p_fd;
 	error = falloc(td, &fp, &fd);
 	if (error)

==== //depot/projects/trustedbsd/mac/sys/security/mac/mac_socket.c#8 (text+ko) ====

@@ -2,6 +2,7 @@
  * Copyright (c) 1999-2002 Robert N. M. Watson
  * Copyright (c) 2001 Ilmar S. Habibulin
  * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
+ * Copyright (c) 2005 SPARTA, Inc.
  * All rights reserved.
  *
  * This software was developed by Robert Watson and Ilmar Habibulin for the
@@ -322,6 +323,20 @@
 }
 
 int
+mac_check_socket_create(struct ucred *cred, int domain, int type,
+    int protocol)
+{
+	int error;
+
+	if (!mac_enforce_socket)
+		return (0);
+
+	MAC_CHECK(check_socket_create, cred, domain, type, protocol);
+
+	return (error);
+}
+
+int
 mac_check_socket_deliver(struct socket *socket, struct mbuf *mbuf)
 {
 	struct label *label;

==== //depot/projects/trustedbsd/mac/sys/sys/mac.h#276 (text+ko) ====

@@ -1,6 +1,7 @@
 /*-
  * Copyright (c) 1999-2002 Robert N. M. Watson
  * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
+ * Copyright (c) 2005 SPARTA, Inc.
  * All rights reserved.
  *
  * This software was developed by Robert Watson for the TrustedBSD Project.
@@ -374,6 +375,8 @@
 	    struct sockaddr *sockaddr);
 int	mac_check_socket_connect(struct ucred *cred, struct socket *so,
 	    struct sockaddr *sockaddr);
+int	mac_check_socket_create(struct ucred *cred, int domain, int type,
+	    int protocol);
 int	mac_check_socket_deliver(struct socket *so, struct mbuf *m);
 int	mac_check_socket_listen(struct ucred *cred, struct socket *so);
 int	mac_check_socket_poll(struct ucred *cred, struct socket *so);

==== //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#233 (text+ko) ====

@@ -1,6 +1,7 @@
 /*-
  * Copyright (c) 1999-2002 Robert N. M. Watson
  * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
+ * Copyright (c) 2005 SPARTA, Inc.
  * All rights reserved.
  *
  * This software was developed by Robert Watson for the TrustedBSD Project.
@@ -460,6 +461,8 @@
 	int	(*mpo_check_socket_connect)(struct ucred *cred,
 		    struct socket *so, struct label *socketlabel,
 		    struct sockaddr *sockaddr);
+	int	(*mpo_check_socket_create)(struct ucred *cred, int domain,
+		    int type, int protocol);
 	int	(*mpo_check_socket_deliver)(struct socket *so,
 		    struct label *socketlabel, struct mbuf *m,
 		    struct label *mbuflabel);
To Unsubscribe: send mail to majordomo at trustedbsd.org
with "unsubscribe trustedbsd-cvs" in the body of the message

