author | Robert Watson <rwatson@FreeBSD.org> | 2002-10-06 14:39:15 +0000 |
---|---|---|
committer | Robert Watson <rwatson@FreeBSD.org> | 2002-10-06 14:39:15 +0000 |
commit | b371c939ce74b0eb0741e9411bd98d624ccebe39 (patch) | |
tree | 0b5cc32d50a169da85cc7b19c39e5529d3450270 /sys/kern/uipc_syscalls.c | |
parent | 1f6973c5b44cf0a7509373d8624f95eb29e11d6b (diff) | |
Integrate mac_check_socket_send() and mac_check_socket_receive()
checks from the MAC tree: allow policies to control whether a process
may send and receive data via a socket.
At some point, we might also pass in additional address information
if an explicit address is requested on send.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
Notes
Notes:
svn path=/head/; revision=104571
Diffstat (limited to 'sys/kern/uipc_syscalls.c')
-rw-r--r-- | sys/kern/uipc_syscalls.c | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/sys/kern/uipc_syscalls.c b/sys/kern/uipc_syscalls.c
index 24ee646e75e4..21aa343c7939 100644
--- a/sys/kern/uipc_syscalls.c
+++ b/sys/kern/uipc_syscalls.c
@@ -607,6 +607,13 @@ sendit(td, s, mp, flags)
 if ((error = fgetsock(td, s, &so, NULL)) != 0)
 return (error);
+
+#ifdef MAC
+ error = mac_check_socket_send(td->td_ucred, so);
+ if (error)
+ goto bad;
+#endif
+
 auio.uio_iov = mp->msg_iov;
 auio.uio_iovcnt = mp->msg_iovlen;
 auio.uio_segflg = UIO_USERSPACE;
@@ -884,6 +891,15 @@ recvit(td, s, mp, namelenp)
 if ((error = fgetsock(td, s, &so, NULL)) != 0)
 return (error);
+
+#ifdef MAC
+ error = mac_check_socket_receive(td->td_ucred, so);
+ if (error) {
+ fputsock(so);
+ return (error);
+ }
+#endif
+
 auio.uio_iov = mp->msg_iov;
 auio.uio_iovcnt = mp->msg_iovlen;
 auio.uio_segflg = UIO_USERSPACE;
@@ -1734,6 +1750,12 @@ do_sendfile(struct thread *td, struct sendfile_args *uap, int compat)
 goto done;
 }
+#ifdef MAC
+ error = mac_check_socket_send(td->td_ucred, so);
+ if (error)
+ goto done;
+#endif
+
 /*
 * If specified, get the pointer to the sf_hdtr struct for
 * any headers/trailers. |
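Review bot: The `goto bad;` on the new MAC failure path in sendit relies on the `bad:` label, which lies outside this hunk, to release the socket reference just taken by fgetsock(); it is worth confirming that label calls fputsock(so) before returning, because the recvit hunk in this same commit releases the reference inline with `fputsock(so); return (error);` and the do_sendfile hunk uses `goto done;`. Three different exit shapes for the same check make it easy for a later edit to drop the release on one of them; if recvit already has a cleanup label that calls fputsock, a `goto` to it there would make all three paths read alike. A one-line comment above each check, such as `/* MAC policy may deny send/receive on this socket; so is still referenced here. */`, would record why the check sits between fgetsock() and the uio setup and what must still be released on denial. The enclosing functions all begin and end outside these hunks, so the label bodies cannot be verified here.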