authorrwatson <rwatson@FreeBSD.org>2002-10-06 14:39:15 +0000
committerrwatson <rwatson@FreeBSD.org>2002-10-06 14:39:15 +0000
commit1f2df657503291aadbf40ec48f3e8e237ad3c707 (patch)
tree0b5cc32d50a169da85cc7b19c39e5529d3450270 /sys/kern/sys_socket.c
parent4b96abfa44e821eda91a0fa4b460990ae2d283b7 (diff)
Integrate mac_check_socket_send() and mac_check_socket_receive()
checks from the MAC tree: allow policies to perform access control for the ability of a process to send and receive data via a socket. At some point, we might also pass in additional address information if an explicit address is requested on send. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
Diffstat (limited to 'sys/kern/sys_socket.c')
-rw-r--r--sys/kern/sys_socket.c17
1 files changed, 17 insertions, 0 deletions
diff --git a/sys/kern/sys_socket.c b/sys/kern/sys_socket.c
index 46e8384..e41821c 100644
--- a/sys/kern/sys_socket.c
+++ b/sys/kern/sys_socket.c
@@ -34,9 +34,12 @@
* $FreeBSD$
*/
+#include "opt_mac.h"
+
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/file.h>
+#include <sys/mac.h>
#include <sys/protosw.h>
#include <sys/socket.h>
#include <sys/socketvar.h>
@@ -68,6 +71,13 @@ soo_read(fp, uio, active_cred, flags, td)
int error;
mtx_lock(&Giant);
+#ifdef MAC
+ error = mac_check_socket_receive(active_cred, so);
+ if (error) {
+ mtx_unlock(&Giant);
+ return (error);
+ }
+#endif
error = so->so_proto->pr_usrreqs->pru_soreceive(so, 0, uio, 0, 0, 0);
mtx_unlock(&Giant);
return (error);
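Review bot: The receive check added here sits in soo_read, the file-descriptor read entry point, so it only mediates receives that arrive through this function; the same holds for the send check in the soo_write hunk below. Whether the other callers of pru_soreceive and pru_sosend get equivalent checks cannot be seen from this diff, which is limited to sys/kern/sys_socket.c, and should be confirmed so that policy enforcement is uniform across every receive and send path. A comment above the `#ifdef MAC` block such as `/* MAC: authorize receive for active_cred before any data is dequeued; other soreceive callers must check separately. */` would record that. soo_read's signature and closing brace lie outside the hunk.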
@@ -86,6 +96,13 @@ soo_write(fp, uio, active_cred, flags, td)
int error;
mtx_lock(&Giant);
+#ifdef MAC
+ error = mac_check_socket_send(active_cred, so);
+ if (error) {
+ mtx_unlock(&Giant);
+ return (error);
+ }
+#endif
error = so->so_proto->pr_usrreqs->pru_sosend(so, 0, uio, 0, 0, 0,
uio->uio_td);
mtx_unlock(&Giant);
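Review bot: The send check is made against active_cred, while the pru_sosend call just below it is handed uio->uio_td, and nothing in the hunk states that the two describe the same subject. If they can differ, the policy decision and the operation would be attributed to different principals; presumably they match for ordinary write(2) callers, but that is an assumption worth writing down. I would add `/* MAC: subject is active_cred, not fp->f_cred; expected to match uio->uio_td's credential. */` above the check. The rest of soo_write lies outside the hunk.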