authorRobert Watson <rwatson@FreeBSD.org>2002-10-06 14:39:15 +0000
committerRobert Watson <rwatson@FreeBSD.org>2002-10-06 14:39:15 +0000
commitb371c939ce74b0eb0741e9411bd98d624ccebe39 (patch)
tree0b5cc32d50a169da85cc7b19c39e5529d3450270 /sys/kern/uipc_syscalls.c
parent1f6973c5b44cf0a7509373d8624f95eb29e11d6b (diff)
Integrate mac_check_socket_send() and mac_check_socket_receive()
checks from the MAC tree: allow policies to perform access control for the ability of a process to send and receive data via a socket. At some point, we might also pass in additional address information if an explicit address is requested on send.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
Notes
Notes: svn path=/head/; revision=104571
Diffstat (limited to 'sys/kern/uipc_syscalls.c')
-rw-r--r--sys/kern/uipc_syscalls.c22
1 files changed, 22 insertions, 0 deletions
diff --git a/sys/kern/uipc_syscalls.c b/sys/kern/uipc_syscalls.c
index 24ee646e75e4..21aa343c7939 100644
--- a/sys/kern/uipc_syscalls.c
+++ b/sys/kern/uipc_syscalls.c
@@ -607,6 +607,13 @@ sendit(td, s, mp, flags)
if ((error = fgetsock(td, s, &so, NULL)) != 0)
return (error);
+
+#ifdef MAC
+ error = mac_check_socket_send(td->td_ucred, so);
+ if (error)
+ goto bad;
+#endif
+
auio.uio_iov = mp->msg_iov;
auio.uio_iovcnt = mp->msg_iovlen;
auio.uio_segflg = UIO_USERSPACE;
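Review bot: The `goto bad` under the new `mac_check_socket_send()` call is taken before any of sendit's later setup has run, and the `bad` label is outside this hunk, so it should be confirmed that everything released there is either initialized at declaration or guarded, and that the socket reference taken by `fgetsock()` is dropped on that path. The check uses `td->td_ucred`, the calling thread's credential, and is made on every call; that choice deserves a comment above the `#ifdef MAC`, for example `/* MAC: authorize the calling thread's credential for each send on this socket. */`. Only the syscall entry points in this file are visible here, so whether descriptor-level writes to a socket reach an equivalent check cannot be judged from this page and is worth verifying.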
@@ -884,6 +891,15 @@ recvit(td, s, mp, namelenp)
if ((error = fgetsock(td, s, &so, NULL)) != 0)
return (error);
+
+#ifdef MAC
+ error = mac_check_socket_receive(td->td_ucred, so);
+ if (error) {
+ fputsock(so);
+ return (error);
+ }
+#endif
+
auio.uio_iov = mp->msg_iov;
auio.uio_iovcnt = mp->msg_iovlen;
auio.uio_segflg = UIO_USERSPACE;
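Review bot: The denial path in recvit is open-coded as `fputsock(so); return (error);`, while the two send-side checks in this commit leave through a label (`goto bad`, `goto done`). If recvit has a shared exit label below this hunk (its body continues outside it), using that label would keep the reference release in one place, so a later change to the cleanup cannot miss the MAC denial path. If no such label exists, a one-line comment such as `/* Drop the reference from fgetsock() before failing. */` documents why this return differs from the others.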
@@ -1734,6 +1750,12 @@ do_sendfile(struct thread *td, struct sendfile_args *uap, int compat)
goto done;
}
+#ifdef MAC
+ error = mac_check_socket_send(td->td_ucred, so);
+ if (error)
+ goto done;
+#endif
+
/*
* If specified, get the pointer to the sf_hdtr struct for
* any headers/trailers.
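Review bot: In do_sendfile the `mac_check_socket_send()` call sits after at least one earlier error exit (the `goto done; }` at the top of the hunk), whereas sendit and recvit run their check directly after `fgetsock()`. Errors from those earlier checks are therefore reported before the policy is consulted, so a caller the policy would refuse can still tell them apart from a MAC denial; if that matters for the policies in use, the check belongs immediately after the socket lookup. It should also be confirmed that `done` releases the socket reference and whatever the preceding code acquired, since that label is outside the hunk. Only the socket is checked here; whether reading the file being sent is authorized elsewhere is not visible on this page.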