author | rwatson <rwatson@FreeBSD.org> | 2002-10-06 14:39:15 +0000 |
---|---|---|
committer | rwatson <rwatson@FreeBSD.org> | 2002-10-06 14:39:15 +0000 |
commit | 1f2df657503291aadbf40ec48f3e8e237ad3c707 (patch) | |
tree | 0b5cc32d50a169da85cc7b19c39e5529d3450270 /sys/kern/sys_socket.c | |
parent | 4b96abfa44e821eda91a0fa4b460990ae2d283b7 (diff) | |
Integrate mac_check_socket_send() and mac_check_socket_receive()
checks from the MAC tree: allow policies to perform access control
for the ability of a process to send and receive data via a socket.
At some point, we might also pass in additional address information
if an explicit address is requested on send.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
Diffstat (limited to 'sys/kern/sys_socket.c')
-rw-r--r-- | sys/kern/sys_socket.c | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/sys/kern/sys_socket.c b/sys/kern/sys_socket.c
index 46e8384..e41821c 100644
--- a/sys/kern/sys_socket.c
+++ b/sys/kern/sys_socket.c
@@ -34,9 +34,12 @@
 * $FreeBSD$
 */
+#include "opt_mac.h"
+
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/file.h>
+#include <sys/mac.h>
 #include <sys/protosw.h>
 #include <sys/socket.h>
 #include <sys/socketvar.h>
@@ -68,6 +71,13 @@ soo_read(fp, uio, active_cred, flags, td)
 int error;
 mtx_lock(&Giant);
+#ifdef MAC
+ error = mac_check_socket_receive(active_cred, so);
+ if (error) {
+ mtx_unlock(&Giant);
+ return (error);
+ }
+#endif
 error = so->so_proto->pr_usrreqs->pru_soreceive(so, 0, uio, 0, 0, 0);
 mtx_unlock(&Giant);
 return (error);
@@ -86,6 +96,13 @@ soo_write(fp, uio, active_cred, flags, td)
 int error;
 mtx_lock(&Giant);
+#ifdef MAC
+ error = mac_check_socket_send(active_cred, so);
+ if (error) {
+ mtx_unlock(&Giant);
+ return (error);
+ }
+#endif
 error = so->so_proto->pr_usrreqs->pru_sosend(so, 0, uio, 0, 0, 0, uio->uio_td);
 mtx_unlock(&Giant);
 |
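Review bot: The receive check added in the soo_read() hunk, and the matching send check in the soo_write() hunk, only mediate I/O that reaches the socket through these two file-operation handlers. The diffstat on this page is limited to sys/kern/sys_socket.c, so it cannot be seen here whether other paths that call pru_sosend/pru_soreceive also invoke mac_check_socket_send()/mac_check_socket_receive(); that is worth confirming before a policy relies on these hooks for complete mediation. A one-line comment above each `#ifdef MAC` block would record the intent, for example `/* MAC: policy may veto this I/O; checked against active_cred while Giant is held, before any data moves. */`. Both function bodies start outside their hunks, so the declaration of `so` and the rest of each function are not visible.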