author | rwatson <rwatson@FreeBSD.org> | 2002-10-06 14:39:15 +0000 |
committer | rwatson <rwatson@FreeBSD.org> | 2002-10-06 14:39:15 +0000 |
commit | 1f2df657503291aadbf40ec48f3e8e237ad3c707 (patch) | |
tree | 0b5cc32d50a169da85cc7b19c39e5529d3450270 /sys/compat | |
parent | 4b96abfa44e821eda91a0fa4b460990ae2d283b7 (diff) | |
Integrate mac_check_socket_send() and mac_check_socket_receive()
checks from the MAC tree: allow policies to perform access control
for the ability of a process to send and receive data via a socket.
At some point, we might also pass in additional address information
if an explicit address is requested on send.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
Diffstat (limited to 'sys/compat')
-rw-r--r-- | sys/compat/svr4/svr4_stream.c | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/sys/compat/svr4/svr4_stream.c b/sys/compat/svr4/svr4_stream.c
index 1618ac1..468bcae 100644
--- a/sys/compat/svr4/svr4_stream.c
+++ b/sys/compat/svr4/svr4_stream.c
@@ -39,6 +39,8 @@
 #define COMPAT_43 1
 
+#include "opt_mac.h"
+
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/fcntl.h>
@@ -47,6 +49,7 @@
 #include <sys/lock.h>
 #include <sys/malloc.h>
 #include <sys/file.h> /* Must come after sys/malloc.h */
+#include <sys/mac.h>
 #include <sys/mbuf.h>
 #include <sys/mutex.h>
 #include <sys/proc.h>
@@ -165,6 +168,13 @@ svr4_sendit(td, s, mp, flags)
 	if ((error = fgetsock(td, s, &so, NULL)) != 0)
 		return (error);
 
+
+#ifdef MAC
+	error = mac_check_socket_send(td->td_ucred, so);
+	if (error)
+		goto done1;
+#endif
+
 	auio.uio_iov = mp->msg_iov;
 	auio.uio_iovcnt = mp->msg_iovlen;
 	auio.uio_segflg = UIO_USERSPACE;
@@ -262,6 +272,13 @@ svr4_recvit(td, s, mp, namelenp)
 	if ((error = fgetsock(td, s, &so, NULL)) != 0)
 		return (error);
 
+
+#ifdef MAC
+	error = mac_check_socket_receive(td->td_ucred, so);
+	if (error)
+		goto done1;
+#endif
+
 	auio.uio_iov = mp->msg_iov;
 	auio.uio_iovcnt = mp->msg_iovlen;
 	auio.uio_segflg = UIO_USERSPACE;
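Review bot: The added checks in svr4_sendit and svr4_recvit (the third and fourth hunks) mediate against `td->td_ucred` with no comment saying why the caller's current credential is the subject, and the denial path jumps to `done1`, a label outside the hunk, so a reader cannot see from here what cleanup a refused send or receive performs. I would put `/* Mediate the caller's current credential, not the socket's: the descriptor may have been inherited or passed since creation. */` above each `#ifdef MAC` block, and a one-line note at the `goto done1` saying that it presumably releases the reference taken by fgetsock() just above — confirm against the label, which is not visible in this hunk. The same wording applies to both functions, so a shared comment near the first check is enough. Both svr4_sendit and svr4_recvit start and end outside the hunks shown.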