When sendto(2) is called with an explicit destination address

argument, call mac_socket_check_connect() on that address before proceeding with the send. Otherwise policies instrumenting the connect entry point for the purposes of checking destination addresses will not have the opportunity to check implicit connect requests. MFC after: 3 weeks Sponsored by: nCircle Network Security, Inc.
author: rwatson <rwatson@FreeBSD.org> 2008-05-22 07:18:54 +0000
committer: rwatson <rwatson@FreeBSD.org> 2008-05-22 07:18:54 +0000
commit: 60b4eaf522405eafec6ba998afa8f7eaa4919166 (patch)
tree: cfbaa2620cd1238e7a9b636dec8e6212b6389a11 /sys/kern/uipc_syscalls.c
parent: a7b5cc6647e71c6885fd4984d8b34e02b065187a (diff)
download: FreeBSD-src-60b4eaf522405eafec6ba998afa8f7eaa4919166.zip
FreeBSD-src-60b4eaf522405eafec6ba998afa8f7eaa4919166.tar.gz
1 files changed, 5 insertions, 1 deletions
diff --git a/sys/kern/uipc_syscalls.c b/sys/kern/uipc_syscalls.c
index 0599b22..994605b 100644
--- a/sys/kern/uipc_syscalls.c
+++ b/sys/kern/uipc_syscalls.c
@@ -750,7 +750,11 @@ kern_sendit(td, s, mp, flags, control, segflg)
 
 #ifdef MAC
 	SOCK_LOCK(so);
-	error = mac_socket_check_send(td->td_ucred, so);
+	if (mp->msg_name != NULL)
+		error = mac_socket_check_connect(td->td_ucred, so,
+		    mp->msg_name);
+	if (error == 0)
+		error = mac_socket_check_send(td->td_ucred, so);
 	SOCK_UNLOCK(so);
 	if (error)
 		goto bad;
author	rwatson <rwatson@FreeBSD.org>	2008-05-22 07:18:54 +0000
committer	rwatson <rwatson@FreeBSD.org>	2008-05-22 07:18:54 +0000
commit	60b4eaf522405eafec6ba998afa8f7eaa4919166 (patch)
tree	cfbaa2620cd1238e7a9b636dec8e6212b6389a11 /sys/kern/uipc_syscalls.c
parent	a7b5cc6647e71c6885fd4984d8b34e02b065187a (diff)
download	FreeBSD-src-60b4eaf522405eafec6ba998afa8f7eaa4919166.zip FreeBSD-src-60b4eaf522405eafec6ba998afa8f7eaa4919166.tar.gz