authorrwatson <rwatson@FreeBSD.org>2005-07-05 22:49:10 +0000
committerrwatson <rwatson@FreeBSD.org>2005-07-05 22:49:10 +0000
commitefcac3d02eb12bd48b935fce603dac730c4f0f40 (patch)
tree18659e8d7f93cc54c64bf2f28e7fff2db174b58a /sys/security/mac/mac_socket.c
parente48132ed75b15cf442e893c6e5ec353f4191063e (diff)
Add MAC Framework and MAC policy entry point mac_check_socket_create(),
which is invoked from socket() and socketpair(), permitting MAC policy modules to control the creation of sockets by domain, type, and protocol. Obtained from: TrustedBSD Project Sponsored by: SPARTA, SPAWAR Approved by: re (scottl) Requested by: SCC
Diffstat (limited to 'sys/security/mac/mac_socket.c')
-rw-r--r--sys/security/mac/mac_socket.c18
1 files changed, 18 insertions, 0 deletions
diff --git a/sys/security/mac/mac_socket.c b/sys/security/mac/mac_socket.c
index d797643..7af1749 100644
--- a/sys/security/mac/mac_socket.c
+++ b/sys/security/mac/mac_socket.c
@@ -2,6 +2,7 @@
* Copyright (c) 1999-2002 Robert N. M. Watson
* Copyright (c) 2001 Ilmar S. Habibulin
* Copyright (c) 2001-2005 Networks Associates Technology, Inc.
+ * Copyright (c) 2005 SPARTA, Inc.
* All rights reserved.
*
* This software was developed by Robert Watson and Ilmar Habibulin for the
@@ -11,6 +12,9 @@
* Research, the Technology Research Division of Network Associates, Inc.
* under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
* DARPA CHATS research program.
+ *
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract
+ * N66001-04-C-6019 ("SEFOS").
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -322,6 +326,20 @@ mac_check_socket_connect(struct ucred *cred, struct socket *socket,
}
int
+mac_check_socket_create(struct ucred *cred, int domain, int type,
+ int protocol)
+{
+ int error;
+
+ if (!mac_enforce_socket)
+ return (0);
+
+ MAC_CHECK(check_socket_create, cred, domain, type, protocol);
+
+ return (error);
+}
+
+int
mac_check_socket_deliver(struct socket *socket, struct mbuf *mbuf)
{
struct label *label;
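Review bot: mac_check_socket_create() has no comment stating its contract, and it differs from the neighbouring checks in taking no socket or label, so policies can decide only on the credential and the requested domain, type and protocol. I would add above the function `/* No socket or label exists yet: policies see only cred, domain, type and protocol. Returns 0 to permit or an errno value to deny. */`. The comment should also say that the check is skipped entirely, and creation allowed, when `mac_enforce_socket` is 0. It should note too that `error` is assigned only inside `MAC_CHECK`, which is defined outside this diff and presumably initialises it, since the variable is returned with no visible initialisation here. The callers named in the commit message, socket() and socketpair(), are not in this diff, so whether the check runs before any socket state is allocated cannot be confirmed from this hunk.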