author: rwatson <rwatson@FreeBSD.org> 2007-02-22 09:37:44 +0000
committer: rwatson <rwatson@FreeBSD.org> 2007-02-22 09:37:44 +0000
commit: 61cab71be12011d7bf42673e57afd5434ed86ec4
tree: 01e5f4c25e101b4a927bbb548e58c2041b89fc56 /sys/kern
parent: e4e74de1c278ee8f4f1b1780e8225ecc7cbbd084

Add an additional MAC check to the UNIX domain socket connect path:
check that the subject has read/write access to the vnode using the
vnode MAC check.

MFC after: 3 weeks
Submitted by: Spencer Minear <spencer_minear at securecomputing dot com>
Obtained from: TrustedBSD Project

Diffstat (limited to 'sys/kern')
-rw-r--r-- sys/kern/uipc_usrreq.c 5
1 files changed, 5 insertions, 0 deletions
diff --git a/sys/kern/uipc_usrreq.c b/sys/kern/uipc_usrreq.c
index 64fe699..892253e 100644
--- a/sys/kern/uipc_usrreq.c
+++ b/sys/kern/uipc_usrreq.c
@@ -965,6 +965,11 @@ unp_connect(struct socket *so, struct sockaddr *nam, struct thread *td)
error = ENOTSOCK;
goto bad;
}
+#ifdef MAC
+ error = mac_check_vnode_open(td->td_ucred, vp, VWRITE | VREAD);
+ if (error)
+ goto bad;
+#endif
error = VOP_ACCESS(vp, VWRITE, td->td_ucred, td);
if (error)
goto bad;
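
Review bot: The added MAC check requests `VWRITE | VREAD`, but the unchanged `VOP_ACCESS(vp, VWRITE, td->td_ucred, td)` directly below it requests `VWRITE` only, and nothing in the hunk explains why the two access masks differ. A short comment above the `#ifdef MAC` block saying that a connect is treated as read/write access to the vnode, as the commit message states, would stop a later reader from "correcting" the mismatch in either direction. The same comment should note that reusing `mac_check_vnode_open` on the `unp_connect` path is deliberate, since by its name the call is the vnode open check and the hunk gives no sign that the request comes from a socket connect rather than an open.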