author | rwatson <rwatson@FreeBSD.org> | 2002-10-06 14:39:15 +0000 |
---|---|---|
committer | rwatson <rwatson@FreeBSD.org> | 2002-10-06 14:39:15 +0000 |
commit | 1f2df657503291aadbf40ec48f3e8e237ad3c707 (patch) | |
tree | 0b5cc32d50a169da85cc7b19c39e5529d3450270 | |
parent | 4b96abfa44e821eda91a0fa4b460990ae2d283b7 (diff) | |
Integrate mac_check_socket_send() and mac_check_socket_receive()
checks from the MAC tree: allow policies to perform access control
for the ability of a process to send and receive data via a socket.
At some point, we might also pass in additional address information
if an explicit address is requested on send.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
-rw-r--r-- | sys/compat/svr4/svr4_stream.c | 17 | ||||
-rw-r--r-- | sys/kern/kern_mac.c | 34 | ||||
-rw-r--r-- | sys/kern/sys_socket.c | 17 | ||||
-rw-r--r-- | sys/kern/uipc_syscalls.c | 22 | ||||
-rw-r--r-- | sys/security/mac/mac_framework.c | 34 | ||||
-rw-r--r-- | sys/security/mac/mac_framework.h | 2 | ||||
-rw-r--r-- | sys/security/mac/mac_internal.h | 34 | ||||
-rw-r--r-- | sys/security/mac/mac_net.c | 34 | ||||
-rw-r--r-- | sys/security/mac/mac_pipe.c | 34 | ||||
-rw-r--r-- | sys/security/mac/mac_policy.h | 6 | ||||
-rw-r--r-- | sys/security/mac/mac_process.c | 34 | ||||
-rw-r--r-- | sys/security/mac/mac_syscalls.c | 34 | ||||
-rw-r--r-- | sys/security/mac/mac_system.c | 34 | ||||
-rw-r--r-- | sys/security/mac/mac_vfs.c | 34 | ||||
-rw-r--r-- | sys/sys/mac.h | 2 | ||||
-rw-r--r-- | sys/sys/mac_policy.h | 6 |
16 files changed, 378 insertions, 0 deletions
diff --git a/sys/compat/svr4/svr4_stream.c b/sys/compat/svr4/svr4_stream.c
index 1618ac1..468bcae 100644
--- a/sys/compat/svr4/svr4_stream.c
+++ b/sys/compat/svr4/svr4_stream.c
@@ -39,6 +39,8 @@
#define COMPAT_43 1
+#include "opt_mac.h"
+
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/fcntl.h>
@@ -47,6 +49,7 @@
#include <sys/lock.h>
#include <sys/malloc.h>
#include <sys/file.h> /* Must come after sys/malloc.h */
+#include <sys/mac.h>
#include <sys/mbuf.h>
#include <sys/mutex.h>
#include <sys/proc.h>
@@ -165,6 +168,13 @@ svr4_sendit(td, s, mp, flags)
if ((error = fgetsock(td, s, &so, NULL)) != 0)
return (error);
+
+#ifdef MAC
+ error = mac_check_socket_send(td->td_ucred, so);
+ if (error)
+ goto done1;
+#endif
+
auio.uio_iov = mp->msg_iov;
auio.uio_iovcnt = mp->msg_iovlen;
auio.uio_segflg = UIO_USERSPACE;
@@ -262,6 +272,13 @@ svr4_recvit(td, s, mp, namelenp)
if ((error = fgetsock(td, s, &so, NULL)) != 0)
return (error);
+
+#ifdef MAC
+ error = mac_check_socket_receive(td->td_ucred, so);
+ if (error)
+ goto done1;
+#endif
+
auio.uio_iov = mp->msg_iov;
auio.uio_iovcnt = mp->msg_iovlen;
auio.uio_segflg = UIO_USERSPACE;
diff --git a/sys/kern/kern_mac.c b/sys/kern/kern_mac.c
index bed8a95..eca63c3 100644
--- a/sys/kern/kern_mac.c
+++ b/sys/kern/kern_mac.c
@@ -761,10 +761,18 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_socket_listen =
mpe->mpe_function;
break;
+ case MAC_CHECK_SOCKET_RECEIVE:
+ mpc->mpc_ops->mpo_check_socket_receive =
+ mpe->mpe_function;
+ break;
case MAC_CHECK_SOCKET_RELABEL:
mpc->mpc_ops->mpo_check_socket_relabel =
mpe->mpe_function;
break;
+ case MAC_CHECK_SOCKET_SEND:
+ mpc->mpc_ops->mpo_check_socket_send =
+ mpe->mpe_function;
+ break;
case MAC_CHECK_SOCKET_VISIBLE:
mpc->mpc_ops->mpo_check_socket_visible =
mpe->mpe_function;
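Review bot: The new failure paths in svr4_sendit() and svr4_recvit() use `goto done1`, and that label is outside the hunk, so the hunk itself does not show that the socket reference taken by fgetsock() two lines earlier is released before returning; worth confirming that `done1` performs the fputsock(), because the recvit() hunk in sys/kern/uipc_syscalls.c handles the same spot with an explicit `fputsock(so); return (error);`. The `goto bad` added to sendit() in that file has the same dependency on a label outside its hunk. Both svr4 functions start and end outside the hunks.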
@@ -2961,6 +2969,19 @@ mac_check_socket_listen(struct ucred *cred, struct socket *socket)
return (error);
}
+int
+mac_check_socket_receive(struct ucred *cred, struct socket *so)
+{
+ int error;
+
+ if (!mac_enforce_socket)
+ return (0);
+
+ MAC_CHECK(check_socket_receive, cred, so, &so->so_label);
+
+ return (error);
+}
+
static int
mac_check_socket_relabel(struct ucred *cred, struct socket *socket,
struct label *newlabel)
@@ -2974,6 +2995,19 @@ mac_check_socket_relabel(struct ucred *cred, struct socket *socket,
}
int
+mac_check_socket_send(struct ucred *cred, struct socket *so)
+{
+ int error;
+
+ if (!mac_enforce_socket)
+ return (0);
+
+ MAC_CHECK(check_socket_send, cred, so, &so->so_label);
+
+ return (error);
+}
+
+int
mac_check_socket_visible(struct ucred *cred, struct socket *socket)
{
int error;
diff --git a/sys/kern/sys_socket.c b/sys/kern/sys_socket.c
index 46e8384..e41821c 100644
--- a/sys/kern/sys_socket.c
+++ b/sys/kern/sys_socket.c
@@ -34,9 +34,12 @@
* $FreeBSD$
*/
+#include "opt_mac.h"
+
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/file.h>
+#include <sys/mac.h>
#include <sys/protosw.h>
#include <sys/socket.h>
#include <sys/socketvar.h>
@@ -68,6 +71,13 @@ soo_read(fp, uio, active_cred, flags, td)
int error;
mtx_lock(&Giant);
+#ifdef MAC
+ error = mac_check_socket_receive(active_cred, so);
+ if (error) {
+ mtx_unlock(&Giant);
+ return (error);
+ }
+#endif
error = so->so_proto->pr_usrreqs->pru_soreceive(so, 0, uio, 0, 0, 0);
mtx_unlock(&Giant);
return (error);
@@ -86,6 +96,13 @@ soo_write(fp, uio, active_cred, flags, td)
int error;
mtx_lock(&Giant);
+#ifdef MAC
+ error = mac_check_socket_send(active_cred, so);
+ if (error) {
+ mtx_unlock(&Giant);
+ return (error);
+ }
+#endif
error = so->so_proto->pr_usrreqs->pru_sosend(so, 0, uio, 0, 0, 0,
uio->uio_td);
mtx_unlock(&Giant);
diff --git a/sys/kern/uipc_syscalls.c b/sys/kern/uipc_syscalls.c
index 24ee646..21aa343 100644
--- a/sys/kern/uipc_syscalls.c
+++ b/sys/kern/uipc_syscalls.c
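Review bot: mac_check_socket_receive() and mac_check_socket_send() in kern_mac.c hand `&so->so_label` to every registered policy with no locking visible in the hunk, and the callers added by this commit reach them both with Giant held (soo_read/soo_write) and from the socket syscalls; a header comment stating what the caller must hold for so_label to be stable, along the lines of `/* Caller holds a reference to so; so_label is read without the socket lock. */`, would make the contract explicit (the neighbouring checks that presumably follow the same convention are outside the hunk). In sys_socket.c the new checks consult `active_cred` where the syscall paths use `td->td_ucred`; since fo_read/fo_write are handed active_cred precisely so it can differ from the thread's credential, that looks deliberate and deserves a one-line comment so it is not later "normalized". The new functions also name their parameter `so` while the adjacent mac_check_socket_listen/relabel/visible use `socket`, which matches the mac.h prototypes but not the surrounding file. Finally, the identical kern_mac.c hunk pair is repeated under nine further sys/security/mac/* paths with the same blob index bed8a95..eca63c3, which looks like an artifact of the history conversion rather than nine separate changes.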
@@ -607,6 +607,13 @@ sendit(td, s, mp, flags)
if ((error = fgetsock(td, s, &so, NULL)) != 0)
return (error);
+
+#ifdef MAC
+ error = mac_check_socket_send(td->td_ucred, so);
+ if (error)
+ goto bad;
+#endif
+
auio.uio_iov = mp->msg_iov;
auio.uio_iovcnt = mp->msg_iovlen;
auio.uio_segflg = UIO_USERSPACE;
@@ -884,6 +891,15 @@ recvit(td, s, mp, namelenp)
if ((error = fgetsock(td, s, &so, NULL)) != 0)
return (error);
+
+#ifdef MAC
+ error = mac_check_socket_receive(td->td_ucred, so);
+ if (error) {
+ fputsock(so);
+ return (error);
+ }
+#endif
+
auio.uio_iov = mp->msg_iov;
auio.uio_iovcnt = mp->msg_iovlen;
auio.uio_segflg = UIO_USERSPACE;
@@ -1734,6 +1750,12 @@ do_sendfile(struct thread *td, struct sendfile_args *uap, int compat)
goto done;
}
+#ifdef MAC
+ error = mac_check_socket_send(td->td_ucred, so);
+ if (error)
+ goto done;
+#endif
+
/*
* If specified, get the pointer to the sf_hdtr struct for
* any headers/trailers.
diff --git a/sys/security/mac/mac_framework.c b/sys/security/mac/mac_framework.c
index bed8a95..eca63c3 100644
--- a/sys/security/mac/mac_framework.c
+++ b/sys/security/mac/mac_framework.c
@@ -761,10 +761,18 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_socket_listen =
mpe->mpe_function;
break;
+ case MAC_CHECK_SOCKET_RECEIVE:
+ mpc->mpc_ops->mpo_check_socket_receive =
+ mpe->mpe_function;
+ break;
case MAC_CHECK_SOCKET_RELABEL:
mpc->mpc_ops->mpo_check_socket_relabel =
mpe->mpe_function;
break;
+ case MAC_CHECK_SOCKET_SEND:
+ mpc->mpc_ops->mpo_check_socket_send =
+ mpe->mpe_function;
+ break;
case MAC_CHECK_SOCKET_VISIBLE:
mpc->mpc_ops->mpo_check_socket_visible =
mpe->mpe_function;
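Review bot: In recvit() the denied-receive path releases the socket inline (`fputsock(so); return (error);`) whereas sendit() and do_sendfile() in the same file use `goto bad` and `goto done`; if recvit() has no cleanup label at this point, a short comment saying so would keep a later reader from folding it into a goto that skips the fputsock(). In do_sendfile() the check runs once, before the sf_hdtr headers and trailers are looked at, so the policy decision covers the whole transfer that follows; that reads as intended but is worth a comment, since the commit message says address information may be added to the check later. All three enclosing functions start and end outside the hunks.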
@@ -2961,6 +2969,19 @@ mac_check_socket_listen(struct ucred *cred, struct socket *socket)
return (error);
}
+int
+mac_check_socket_receive(struct ucred *cred, struct socket *so)
+{
+ int error;
+
+ if (!mac_enforce_socket)
+ return (0);
+
+ MAC_CHECK(check_socket_receive, cred, so, &so->so_label);
+
+ return (error);
+}
+
static int
mac_check_socket_relabel(struct ucred *cred, struct socket *socket,
struct label *newlabel)
@@ -2974,6 +2995,19 @@ mac_check_socket_relabel(struct ucred *cred, struct socket *socket,
}
int
+mac_check_socket_send(struct ucred *cred, struct socket *so)
+{
+ int error;
+
+ if (!mac_enforce_socket)
+ return (0);
+
+ MAC_CHECK(check_socket_send, cred, so, &so->so_label);
+
+ return (error);
+}
+
+int
mac_check_socket_visible(struct ucred *cred, struct socket *socket)
{
int error;
diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h
index cd82ef5..8a07849 100644
--- a/sys/security/mac/mac_framework.h
+++ b/sys/security/mac/mac_framework.h
@@ -319,6 +319,8 @@ int mac_check_socket_connect(struct ucred *cred, struct socket *so,
struct sockaddr *sockaddr);
int mac_check_socket_deliver(struct socket *so, struct mbuf *m);
int mac_check_socket_listen(struct ucred *cred, struct socket *so);
+int mac_check_socket_receive(struct ucred *cred, struct socket *so);
+int mac_check_socket_send(struct ucred *cred, struct socket *so);
int mac_check_socket_visible(struct ucred *cred, struct socket *so);
int mac_check_vnode_access(struct ucred *cred, struct vnode *vp,
int flags);
diff --git a/sys/security/mac/mac_internal.h b/sys/security/mac/mac_internal.h
index bed8a95..eca63c3 100644
--- a/sys/security/mac/mac_internal.h
+++ b/sys/security/mac/mac_internal.h
@@ -761,10 +761,18 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_socket_listen =
mpe->mpe_function;
break;
+ case MAC_CHECK_SOCKET_RECEIVE:
+ mpc->mpc_ops->mpo_check_socket_receive =
+ mpe->mpe_function;
+ break;
case MAC_CHECK_SOCKET_RELABEL:
mpc->mpc_ops->mpo_check_socket_relabel =
mpe->mpe_function;
break;
+ case MAC_CHECK_SOCKET_SEND:
+ mpc->mpc_ops->mpo_check_socket_send =
+ mpe->mpe_function;
+ break;
case MAC_CHECK_SOCKET_VISIBLE:
mpc->mpc_ops->mpo_check_socket_visible =
mpe->mpe_function;
@@ -2961,6 +2969,19 @@ mac_check_socket_listen(struct ucred *cred, struct socket *socket)
return (error);
}
+int
+mac_check_socket_receive(struct ucred *cred, struct socket *so)
+{
+ int error;
+
+ if (!mac_enforce_socket)
+ return (0);
+
+ MAC_CHECK(check_socket_receive, cred, so, &so->so_label);
+
+ return (error);
+}
+
static int
mac_check_socket_relabel(struct ucred *cred, struct socket *socket,
struct label *newlabel)
@@ -2974,6 +2995,19 @@ mac_check_socket_relabel(struct ucred *cred, struct socket *socket,
}
int
+mac_check_socket_send(struct ucred *cred, struct socket *so)
+{
+ int error;
+
+ if (!mac_enforce_socket)
+ return (0);
+
+ MAC_CHECK(check_socket_send, cred, so, &so->so_label);
+
+ return (error);
+}
+
+int
mac_check_socket_visible(struct ucred *cred, struct socket *socket)
{
int error;
diff --git a/sys/security/mac/mac_net.c b/sys/security/mac/mac_net.c
index bed8a95..eca63c3 100644
--- a/sys/security/mac/mac_net.c
+++ b/sys/security/mac/mac_net.c
@@ -761,10 +761,18 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_socket_listen =
mpe->mpe_function;
break;
+ case MAC_CHECK_SOCKET_RECEIVE:
+ mpc->mpc_ops->mpo_check_socket_receive =
+ mpe->mpe_function;
+ break;
case MAC_CHECK_SOCKET_RELABEL:
mpc->mpc_ops->mpo_check_socket_relabel =
mpe->mpe_function;
break;
+ case MAC_CHECK_SOCKET_SEND:
+ mpc->mpc_ops->mpo_check_socket_send =
+ mpe->mpe_function;
+ break;
case MAC_CHECK_SOCKET_VISIBLE:
mpc->mpc_ops->mpo_check_socket_visible =
mpe->mpe_function;
@@ -2961,6 +2969,19 @@ mac_check_socket_listen(struct ucred *cred, struct socket *socket)
return (error);
}
+int
+mac_check_socket_receive(struct ucred *cred, struct socket *so)
+{
+ int error;
+
+ if (!mac_enforce_socket)
+ return (0);
+
+ MAC_CHECK(check_socket_receive, cred, so, &so->so_label);
+
+ return (error);
+}
+
static int
mac_check_socket_relabel(struct ucred *cred, struct socket *socket,
struct label *newlabel)
@@ -2974,6 +2995,19 @@ mac_check_socket_relabel(struct ucred *cred, struct socket *socket,
}
int
+mac_check_socket_send(struct ucred *cred, struct socket *so)
+{
+ int error;
+
+ if (!mac_enforce_socket)
+ return (0);
+
+ MAC_CHECK(check_socket_send, cred, so, &so->so_label);
+
+ return (error);
+}
+
+int
mac_check_socket_visible(struct ucred *cred, struct socket *socket)
{
int error;
diff --git a/sys/security/mac/mac_pipe.c b/sys/security/mac/mac_pipe.c
index bed8a95..eca63c3 100644
--- a/sys/security/mac/mac_pipe.c
+++ b/sys/security/mac/mac_pipe.c
@@ -761,10 +761,18 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_socket_listen =
mpe->mpe_function;
break;
+ case MAC_CHECK_SOCKET_RECEIVE:
+ mpc->mpc_ops->mpo_check_socket_receive =
+ mpe->mpe_function;
+ break;
case MAC_CHECK_SOCKET_RELABEL:
mpc->mpc_ops->mpo_check_socket_relabel =
mpe->mpe_function;
break;
+ case MAC_CHECK_SOCKET_SEND:
+ mpc->mpc_ops->mpo_check_socket_send =
+ mpe->mpe_function;
+ break;
case MAC_CHECK_SOCKET_VISIBLE:
mpc->mpc_ops->mpo_check_socket_visible =
mpe->mpe_function;
@@ -2961,6 +2969,19 @@ mac_check_socket_listen(struct ucred *cred, struct socket *socket)
return (error);
}
+int
+mac_check_socket_receive(struct ucred *cred, struct socket *so)
+{
+ int error;
+
+ if (!mac_enforce_socket)
+ return (0);
+
+ MAC_CHECK(check_socket_receive, cred, so, &so->so_label);
+
+ return (error);
+}
+
static int
mac_check_socket_relabel(struct ucred *cred, struct socket *socket,
struct label *newlabel)
@@ -2974,6 +2995,19 @@ mac_check_socket_relabel(struct ucred *cred, struct socket *socket,
}
int
+mac_check_socket_send(struct ucred *cred, struct socket *so)
+{
+ int error;
+
+ if (!mac_enforce_socket)
+ return (0);
+
+ MAC_CHECK(check_socket_send, cred, so, &so->so_label);
+
+ return (error);
+}
+
+int
mac_check_socket_visible(struct ucred *cred, struct socket *socket)
{
int error;
diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h
index 5610e01..e003f84 100644
--- a/sys/security/mac/mac_policy.h
+++ b/sys/security/mac/mac_policy.h
@@ -271,9 +271,13 @@ struct mac_policy_ops {
struct label *mbuflabel);
int (*mpo_check_socket_listen)(struct ucred *cred,
struct socket *so, struct label *socketlabel);
+ int (*mpo_check_socket_receive)(struct ucred *cred,
+ struct socket *so, struct label *socketlabel);
int (*mpo_check_socket_relabel)(struct ucred *cred,
struct socket *so, struct label *socketlabel,
struct label *newlabel);
+ int (*mpo_check_socket_send)(struct ucred *cred,
+ struct socket *so, struct label *socketlabel);
int (*mpo_check_socket_visible)(struct ucred *cred,
struct socket *so, struct label *socketlabel);
int (*mpo_check_vnode_access)(struct ucred *cred,
@@ -454,7 +458,9 @@ enum mac_op_constant {
MAC_CHECK_SOCKET_CONNECT,
MAC_CHECK_SOCKET_DELIVER,
MAC_CHECK_SOCKET_LISTEN,
+ MAC_CHECK_SOCKET_RECEIVE,
MAC_CHECK_SOCKET_RELABEL,
+ MAC_CHECK_SOCKET_SEND,
MAC_CHECK_SOCKET_VISIBLE,
MAC_CHECK_VNODE_ACCESS,
MAC_CHECK_VNODE_CHDIR,
diff --git a/sys/security/mac/mac_process.c b/sys/security/mac/mac_process.c
index bed8a95..eca63c3 100644
--- a/sys/security/mac/mac_process.c
+++ b/sys/security/mac/mac_process.c
@@ -761,10 +761,18 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_socket_listen =
mpe->mpe_function;
break;
+ case MAC_CHECK_SOCKET_RECEIVE:
+ mpc->mpc_ops->mpo_check_socket_receive =
+ mpe->mpe_function;
+ break;
case MAC_CHECK_SOCKET_RELABEL:
mpc->mpc_ops->mpo_check_socket_relabel =
mpe->mpe_function;
break;
+ case MAC_CHECK_SOCKET_SEND:
+ mpc->mpc_ops->mpo_check_socket_send =
+ mpe->mpe_function;
+ break;
case MAC_CHECK_SOCKET_VISIBLE:
mpc->mpc_ops->mpo_check_socket_visible =
mpe->mpe_function;
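Review bot: Adding MAC_CHECK_SOCKET_RECEIVE and MAC_CHECK_SOCKET_SEND in the middle of enum mac_op_constant renumbers MAC_CHECK_SOCKET_RELABEL and every constant after it, and the new mpo_check_socket_* members likewise move the later slots of struct mac_policy_ops; since mac_policy_register() (kern_mac.c hunk) fills the ops table purely by these constants, a policy module built against the previous header would have its entry points wired to the wrong operations without any registration error. If in-tree policies rebuilt with the kernel are the only supported consumers this is fine, but a comment in the header noting that the enum and the ops struct are not a stable module ABI would make that expectation explicit. The same two hunks appear again under sys/sys/mac_policy.h.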
@@ -2961,6 +2969,19 @@ mac_check_socket_listen(struct ucred *cred, struct socket *socket)
return (error);
}
+int
+mac_check_socket_receive(struct ucred *cred, struct socket *so)
+{
+ int error;
+
+ if (!mac_enforce_socket)
+ return (0);
+
+ MAC_CHECK(check_socket_receive, cred, so, &so->so_label);
+
+ return (error);
+}
+
static int
mac_check_socket_relabel(struct ucred *cred, struct socket *socket,
struct label *newlabel)
@@ -2974,6 +2995,19 @@ mac_check_socket_relabel(struct ucred *cred, struct socket *socket,
}
int
+mac_check_socket_send(struct ucred *cred, struct socket *so)
+{
+ int error;
+
+ if (!mac_enforce_socket)
+ return (0);
+
+ MAC_CHECK(check_socket_send, cred, so, &so->so_label);
+
+ return (error);
+}
+
+int
mac_check_socket_visible(struct ucred *cred, struct socket *socket)
{
int error;
diff --git a/sys/security/mac/mac_syscalls.c b/sys/security/mac/mac_syscalls.c
index bed8a95..eca63c3 100644
--- a/sys/security/mac/mac_syscalls.c
+++ b/sys/security/mac/mac_syscalls.c
@@ -761,10 +761,18 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_socket_listen =
mpe->mpe_function;
break;
+ case MAC_CHECK_SOCKET_RECEIVE:
+ mpc->mpc_ops->mpo_check_socket_receive =
+ mpe->mpe_function;
+ break;
case MAC_CHECK_SOCKET_RELABEL:
mpc->mpc_ops->mpo_check_socket_relabel =
mpe->mpe_function;
break;
+ case MAC_CHECK_SOCKET_SEND:
+ mpc->mpc_ops->mpo_check_socket_send =
+ mpe->mpe_function;
+ break;
case MAC_CHECK_SOCKET_VISIBLE:
mpc->mpc_ops->mpo_check_socket_visible =
mpe->mpe_function;
@@ -2961,6 +2969,19 @@ mac_check_socket_listen(struct ucred *cred, struct socket *socket)
return (error);
}
+int
+mac_check_socket_receive(struct ucred *cred, struct socket *so)
+{
+ int error;
+
+ if (!mac_enforce_socket)
+ return (0);
+
+ MAC_CHECK(check_socket_receive, cred, so, &so->so_label);
+
+ return (error);
+}
+
static int
mac_check_socket_relabel(struct ucred *cred, struct socket *socket,
struct label *newlabel)
@@ -2974,6 +2995,19 @@ mac_check_socket_relabel(struct ucred *cred, struct socket *socket,
}
int
+mac_check_socket_send(struct ucred *cred, struct socket *so)
+{
+ int error;
+
+ if (!mac_enforce_socket)
+ return (0);
+
+ MAC_CHECK(check_socket_send, cred, so, &so->so_label);
+
+ return (error);
+}
+
+int
mac_check_socket_visible(struct ucred *cred, struct socket *socket)
{
int error;
diff --git a/sys/security/mac/mac_system.c b/sys/security/mac/mac_system.c
index bed8a95..eca63c3 100644
--- a/sys/security/mac/mac_system.c
+++ b/sys/security/mac/mac_system.c
@@ -761,10 +761,18 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_socket_listen =
mpe->mpe_function;
break;
+ case MAC_CHECK_SOCKET_RECEIVE:
+ mpc->mpc_ops->mpo_check_socket_receive =
+ mpe->mpe_function;
+ break;
case MAC_CHECK_SOCKET_RELABEL:
mpc->mpc_ops->mpo_check_socket_relabel =
mpe->mpe_function;
break;
+ case MAC_CHECK_SOCKET_SEND:
+ mpc->mpc_ops->mpo_check_socket_send =
+ mpe->mpe_function;
+ break;
case MAC_CHECK_SOCKET_VISIBLE:
mpc->mpc_ops->mpo_check_socket_visible =
mpe->mpe_function;
@@ -2961,6 +2969,19 @@ mac_check_socket_listen(struct ucred *cred, struct socket *socket)
return (error);
}
+int
+mac_check_socket_receive(struct ucred *cred, struct socket *so)
+{
+ int error;
+
+ if (!mac_enforce_socket)
+ return (0);
+
+ MAC_CHECK(check_socket_receive, cred, so, &so->so_label);
+
+ return (error);
+}
+
static int
mac_check_socket_relabel(struct ucred *cred, struct socket *socket,
struct label *newlabel)
@@ -2974,6 +2995,19 @@ mac_check_socket_relabel(struct ucred *cred, struct socket *socket,
}
int
+mac_check_socket_send(struct ucred *cred, struct socket *so)
+{
+ int error;
+
+ if (!mac_enforce_socket)
+ return (0);
+
+ MAC_CHECK(check_socket_send, cred, so, &so->so_label);
+
+ return (error);
+}
+
+int
mac_check_socket_visible(struct ucred *cred, struct socket *socket)
{
int error;
diff --git a/sys/security/mac/mac_vfs.c b/sys/security/mac/mac_vfs.c
index bed8a95..eca63c3 100644
--- a/sys/security/mac/mac_vfs.c
+++ b/sys/security/mac/mac_vfs.c
@@ -761,10 +761,18 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_check_socket_listen =
mpe->mpe_function;
break;
+ case MAC_CHECK_SOCKET_RECEIVE:
+ mpc->mpc_ops->mpo_check_socket_receive =
+ mpe->mpe_function;
+ break;
case MAC_CHECK_SOCKET_RELABEL:
mpc->mpc_ops->mpo_check_socket_relabel =
mpe->mpe_function;
break;
+ case MAC_CHECK_SOCKET_SEND:
+ mpc->mpc_ops->mpo_check_socket_send =
+ mpe->mpe_function;
+ break;
case MAC_CHECK_SOCKET_VISIBLE:
mpc->mpc_ops->mpo_check_socket_visible =
mpe->mpe_function;
@@ -2961,6 +2969,19 @@ mac_check_socket_listen(struct ucred *cred, struct socket *socket)
return (error);
}
+int
+mac_check_socket_receive(struct ucred *cred, struct socket *so)
+{
+ int error;
+
+ if (!mac_enforce_socket)
+ return (0);
+
+ MAC_CHECK(check_socket_receive, cred, so, &so->so_label);
+
+ return (error);
+}
+
static int
mac_check_socket_relabel(struct ucred *cred, struct socket *socket,
struct label *newlabel)
@@ -2974,6 +2995,19 @@ mac_check_socket_relabel(struct ucred *cred, struct socket *socket,
}
int
+mac_check_socket_send(struct ucred *cred, struct socket *so)
+{
+ int error;
+
+ if (!mac_enforce_socket)
+ return (0);
+
+ MAC_CHECK(check_socket_send, cred, so, &so->so_label);
+
+ return (error);
+}
+
+int
mac_check_socket_visible(struct ucred *cred, struct socket *socket)
{
int error;
diff --git a/sys/sys/mac.h b/sys/sys/mac.h
index cd82ef5..8a07849 100644
--- a/sys/sys/mac.h
+++ b/sys/sys/mac.h
@@ -319,6 +319,8 @@ int mac_check_socket_connect(struct ucred *cred, struct socket *so,
struct sockaddr *sockaddr);
int mac_check_socket_deliver(struct socket *so, struct mbuf *m);
int mac_check_socket_listen(struct ucred *cred, struct socket *so);
+int mac_check_socket_receive(struct ucred *cred, struct socket *so);
+int mac_check_socket_send(struct ucred *cred, struct socket *so);
int mac_check_socket_visible(struct ucred *cred, struct socket *so);
int mac_check_vnode_access(struct ucred *cred, struct vnode *vp,
int flags);
diff --git a/sys/sys/mac_policy.h b/sys/sys/mac_policy.h
index 5610e01..e003f84 100644
--- a/sys/sys/mac_policy.h
+++ b/sys/sys/mac_policy.h
@@ -271,9 +271,13 @@ struct mac_policy_ops {
struct label *mbuflabel);
int (*mpo_check_socket_listen)(struct ucred *cred,
struct socket *so, struct label *socketlabel);
+ int (*mpo_check_socket_receive)(struct ucred *cred,
+ struct socket *so, struct label *socketlabel);
int (*mpo_check_socket_relabel)(struct ucred *cred,
struct socket *so, struct label *socketlabel,
struct label *newlabel);
+ int (*mpo_check_socket_send)(struct ucred *cred,
+ struct socket *so, struct label *socketlabel);
int (*mpo_check_socket_visible)(struct ucred *cred,
struct socket *so, struct label *socketlabel);
int (*mpo_check_vnode_access)(struct ucred *cred,
@@ -454,7 +458,9 @@ enum mac_op_constant {
MAC_CHECK_SOCKET_CONNECT,
MAC_CHECK_SOCKET_DELIVER,
MAC_CHECK_SOCKET_LISTEN,
+ MAC_CHECK_SOCKET_RECEIVE,
MAC_CHECK_SOCKET_RELABEL,
+ MAC_CHECK_SOCKET_SEND,
MAC_CHECK_SOCKET_VISIBLE,
MAC_CHECK_VNODE_ACCESS,
MAC_CHECK_VNODE_CHDIR,
|