authorrwatson <rwatson@FreeBSD.org>2002-03-22 19:57:41 +0000
committerrwatson <rwatson@FreeBSD.org>2002-03-22 19:57:41 +0000
commitafe2b1f92991d69496de967c18fdf1e31a33ffec (patch)
tree5449b1aa4d3f06beed5250e579b2085d9d721b0a /sys/netinet/tcp_timewait.c
parent2eea86bbd44c12d82f61ccb3693be0a522e05630 (diff)
Merge from TrustedBSD MAC branch:
Move the network code from using cr_cansee() to check whether a socket is visible to a requesting credential to using a new function, cr_canseesocket(), which accepts a subject credential and object socket. Implement cr_canseesocket() so that it does a prison check, a uid check, and adds a comment where a MAC hook will shortly go. This will allow MAC policies to separately instrument the visibility of sockets from the visibility of processes. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
Diffstat (limited to 'sys/netinet/tcp_timewait.c')
-rw-r--r--sys/netinet/tcp_timewait.c8
1 files changed, 4 insertions, 4 deletions
diff --git a/sys/netinet/tcp_timewait.c b/sys/netinet/tcp_timewait.c
index fb71ac7..db910e0 100644
--- a/sys/netinet/tcp_timewait.c
+++ b/sys/netinet/tcp_timewait.c
@@ -849,8 +849,8 @@ tcp_pcblist(SYSCTL_HANDLER_ARGS)
for (inp = LIST_FIRST(tcbinfo.listhead), i = 0; inp && i < n;
inp = LIST_NEXT(inp, inp_list)) {
if (inp->inp_gencnt <= gencnt) {
- if (cr_cansee(req->td->td_ucred,
- inp->inp_socket->so_cred))
+ if (cr_canseesocket(req->td->td_ucred,
+ inp->inp_socket))
continue;
inp_list[i++] = inp;
}
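Review bot: The `if (cr_canseesocket(...)) continue;` test reads as though a visible socket were being skipped, because the zero-means-allowed convention is not stated anywhere near the check. A one-line comment above it would make the filter's intent explicit, for example `/* Non-zero: requester may not see this socket; leave it out of the list. */`. Skipping silently is the right behaviour for a listing, since it does not reveal that a hidden socket exists. The loop and the rest of tcp_pcblist continue outside the hunk, so whether the later copy-out relies solely on this filter cannot be confirmed from here.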
@@ -920,7 +920,7 @@ tcp_getcred(SYSCTL_HANDLER_ARGS)
error = ENOENT;
goto out;
}
- error = cr_cansee(req->td->td_ucred, inp->inp_socket->so_cred);
+ error = cr_canseesocket(req->td->td_ucred, inp->inp_socket);
if (error)
goto out;
cru2x(inp->inp_socket->so_cred, &xuc);
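Review bot: The result of `cr_canseesocket()` is handed back to the caller unchanged, while the lookup failure just above returns `ENOENT`; if those two values can ever differ, an unprivileged requester can tell a hidden connection from an absent one, which defeats the purpose of the visibility check. The body of cr_canseesocket() is not on this page, so confirm that it returns `ENOENT` on every denial path, including the MAC hook the commit message says will be added, or normalise at the call site with `if (error) { error = ENOENT; goto out; }`. The same applies to the identical change in tcp6_getcred in the next hunk. Both functions start and end outside their hunks.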
@@ -972,7 +972,7 @@ tcp6_getcred(SYSCTL_HANDLER_ARGS)
error = ENOENT;
goto out;
}
- error = cr_cansee(req->td->td_ucred, inp->inp_socket->so_cred);
+ error = cr_canseesocket(req->td->td_ucred, inp->inp_socket);
if (error)
goto out;
cru2x(inp->inp_socket->so_cred, &xuc);