PERFORCE change 73335 for review
Robert Watson
rwatson at FreeBSD.org
Wed Mar 16 20:47:44 GMT 2005
http://perforce.freebsd.org/chv.cgi?CH=73335
Change 73335 by rwatson at rwatson_paprika on 2005/03/16 20:47:42
Add MAC Framework access control check for accept() system call.
Pointed out by: sherman at nailabs.com, pleblanc at nailabs.com
Affected files ...
.. //depot/projects/trustedbsd/mac/sys/kern/uipc_syscalls.c#47 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac/mac_socket.c#5 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_stub/mac_stub.c#29 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac.h#268 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#225 edit
Differences ...
==== //depot/projects/trustedbsd/mac/sys/kern/uipc_syscalls.c#47 (text+ko) ====
@@ -315,6 +315,13 @@
error = EINVAL;
goto done;
}
+#ifdef MAC
+ SOCK_LOCK(head);
+ error = mac_check_socket_accept(td->td_ucred, head);
+ SOCK_UNLOCK(head);
+ if (error != 0)
+ goto done;
+#endif
error = falloc(td, &nfp, &fd);
if (error)
goto done;
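Review bot: The new `mac_check_socket_accept()` call evaluates the label of `head` once, under `SOCK_LOCK(head)`, and releases the lock before the rest of the function runs. If the code after `falloc()` can sleep waiting for a connection (not visible in this hunk), a relabel of the listening socket in that window would not be re-evaluated. That may be the intended convention, but it should be stated at the call site, for example `/* MAC: authorize against head's label on entry, before falloc() so a denial leaves no descriptor to release; not rechecked if we block. */`. The enclosing function starts and ends outside the hunk.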
==== //depot/projects/trustedbsd/mac/sys/security/mac/mac_socket.c#5 (text+ko) ====
@@ -1,7 +1,7 @@
/*-
* Copyright (c) 1999-2002 Robert N. M. Watson
* Copyright (c) 2001 Ilmar S. Habibulin
- * Copyright (c) 2001-2004 Networks Associates Technology, Inc.
+ * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
* All rights reserved.
*
* This software was developed by Robert Watson and Ilmar Habibulin for the
@@ -273,6 +273,21 @@
}
int
+mac_check_socket_accept(struct ucred *cred, struct socket *socket)
+{
+ int error;
+
+ SOCK_LOCK_ASSERT(socket);
+
+ if (!mac_enforce_socket)
+ return (0);
+
+ MAC_CHECK(check_socket_accept, cred, socket, socket->so_label);
+
+ return (error);
+}
+
+int
mac_check_socket_bind(struct ucred *ucred, struct socket *socket,
struct sockaddr *sockaddr)
{
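Review bot: `mac_check_socket_accept()` has no header comment stating its contract, and two properties matter to callers and policy authors: the caller must already hold the socket lock (`SOCK_LOCK_ASSERT(socket)`), and the function returns 0 without consulting any policy when `mac_enforce_socket` is clear. I would add `/* Caller holds the socket lock. Returns 0 when socket enforcement is disabled, otherwise the result left in error by MAC_CHECK. */` above the definition. `error` is declared without an initializer and then returned, so it is presumably assigned inside `MAC_CHECK`; the comment should say so. The parameter is named `socket` here but `so` in the prototype this change adds to mac.h, and using one name in both places would keep them in step.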
==== //depot/projects/trustedbsd/mac/sys/security/mac_stub/mac_stub.c#29 (text+ko) ====
@@ -982,6 +982,14 @@
}
static int
+stub_check_socket_accept(struct ucred *cred, struct socket *socket,
+ struct label *socketlabel)
+{
+
+ return (0);
+}
+
+static int
stub_check_socket_bind(struct ucred *cred, struct socket *socket,
struct label *socketlabel, struct sockaddr *sockaddr)
{
@@ -1502,6 +1510,7 @@
.mpo_check_proc_setresgid = stub_check_proc_setresgid,
.mpo_check_proc_signal = stub_check_proc_signal,
.mpo_check_proc_wait = stub_check_proc_wait,
+ .mpo_check_socket_accept = stub_check_socket_accept,
.mpo_check_socket_bind = stub_check_socket_bind,
.mpo_check_socket_connect = stub_check_socket_connect,
.mpo_check_socket_deliver = stub_check_socket_deliver,
==== //depot/projects/trustedbsd/mac/sys/sys/mac.h#268 (text+ko) ====
@@ -1,6 +1,6 @@
/*-
* Copyright (c) 1999-2002 Robert N. M. Watson
- * Copyright (c) 2001-2003 Networks Associates Technology, Inc.
+ * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
* All rights reserved.
*
* This software was developed by Robert Watson for the TrustedBSD Project.
@@ -369,6 +369,7 @@
int mac_check_proc_signal(struct ucred *cred, struct proc *proc,
int signum);
int mac_check_proc_wait(struct ucred *cred, struct proc *proc);
+int mac_check_socket_accept(struct ucred *cred, struct socket *so);
int mac_check_socket_bind(struct ucred *cred, struct socket *so,
struct sockaddr *sockaddr);
int mac_check_socket_connect(struct ucred *cred, struct socket *so,
==== //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#225 (text+ko) ====
@@ -1,6 +1,6 @@
/*-
* Copyright (c) 1999-2002 Robert N. M. Watson
- * Copyright (c) 2001-2004 Networks Associates Technology, Inc.
+ * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
* All rights reserved.
*
* This software was developed by Robert Watson for the TrustedBSD Project.
@@ -451,6 +451,8 @@
struct proc *proc, int signum);
int (*mpo_check_proc_wait)(struct ucred *cred,
struct proc *proc);
+ int (*mpo_check_socket_accept)(struct ucred *cred,
+ struct socket *so, struct label *socketlabel);
int (*mpo_check_socket_bind)(struct ucred *cred,
struct socket *so, struct label *socketlabel,
struct sockaddr *sockaddr);
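Review bot: `mpo_check_socket_accept` is inserted between existing members of the policy operations structure, which shifts the offset of every entry after it. A policy module compiled against the previous header would then bind the wrong function pointers for those later slots. The visible hunks show no framework version or ABI bump, so it is worth confirming that one accompanies this change or that all policies are rebuilt with it. The new entry point would also benefit from a comment on its calling context, e.g. `/* called with the socket lock held; socketlabel is so->so_label */`, which is what the `mac_check_socket_accept()` wrapper in this change asserts and passes.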