author | rwatson <rwatson@FreeBSD.org> | 2002-08-01 21:37:34 +0000 |
---|---|---|
committer | rwatson <rwatson@FreeBSD.org> | 2002-08-01 21:37:34 +0000 |
commit | 3b36c9b2c4682780ac539d4d20d729f32ed5c501 (patch) | |
tree | 5314033e7ec512dfce78729ab65bfc2958dfb8a3 /sys | |
parent | c8a80b5f851358ee788a98b9931ce55664cd1cdd (diff) | |
Introduce support for Mandatory Access Control and extensible
kernel access control.
Add MAC support for the UDP protocol. Invoke appropriate MAC entry
points to label packets that are generated by local UDP sockets,
and to authorize delivery of mbufs to local sockets both in the
multicast/broadcast case and the unicast case.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
Diffstat (limited to 'sys')
-rw-r--r-- | sys/netinet/udp_usrreq.c | 33 |
1 files changed, 29 insertions, 4 deletions
diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c
index b93e99e..37d15d0 100644
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@@ -36,6 +36,7 @@
#include "opt_ipsec.h"
#include "opt_inet6.h"
+#include "opt_mac.h"
#include <sys/param.h>
#include <sys/systm.h>
@@ -43,6 +44,7 @@
#include <sys/jail.h>
#include <sys/kernel.h>
#include <sys/lock.h>
+#include <sys/mac.h>
#include <sys/malloc.h>
#include <sys/mbuf.h>
#include <sys/proc.h>
@@ -166,6 +168,9 @@ udp_input(m, off)
int len;
struct ip save_ip;
struct sockaddr *append_sa;
+#ifdef MAC
+ int error;
+#endif
udpstat.udps_ipackets++;
@@ -303,18 +308,29 @@ udp_input(m, off)
if (last != NULL) {
struct mbuf *n;
+ int policyfail;
+ policyfail = 0;
#ifdef IPSEC
/* check AH/ESP integrity. */
- if (ipsec4_in_reject_so(m, last->inp_socket))
+ if (ipsec4_in_reject_so(m, last->inp_socket)) {
ipsecstat.in_polvio++;
+ policyfail = 1;
/* do not inject data to pcb */
- else
+ }
#endif /*IPSEC*/
- if ((n = m_copy(m, 0, M_COPYALL)) != NULL)
- udp_append(last, ip, n,
+#ifdef MAC
+ if (mac_check_socket_receive(last->inp_socket,
+ m) != 0)
+ policyfail = 1;
+#endif
+ if (!policyfail) {
+ if ((n = m_copy(m, 0, M_COPYALL))
+ != NULL)
+ udp_append(last, ip, n,
iphlen + sizeof(struct udphdr));
+ }
INP_UNLOCK(last);
}
last = inp;
@@ -389,6 +405,11 @@ udp_input(m, off)
goto bad;
}
#endif /*IPSEC*/
+#ifdef MAC
+ error = mac_check_socket_receive(inp->inp_socket, m);
+ if (error)
+ goto bad;
+#endif
/*
* Construct sockaddr format source address.
@@ -718,6 +739,10 @@ udp_output(inp, m, addr, control, td)
struct sockaddr_in *sin;
int s = 0, error = 0;
+#ifdef MAC
+ mac_create_mbuf_from_socket(inp->inp_socket, m);
+#endif
+
if (control)
m_freem(control); /* XXX */ |
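Review bot: In the multicast/broadcast hunk (`@@ -303,18 +308,29 @@`) a MAC denial is invisible to the operator: `policyfail = 1` is set when `mac_check_socket_receive(last->inp_socket, m) != 0`, but unlike the IPsec branch, which bumps `ipsecstat.in_polvio++` before setting the same flag, nothing counts the refused delivery, so a policy drop cannot be told apart from a socket that simply was not matched. At minimum a comment next to the assignment, `/* MAC refused delivery to this socket; skipped without a counter */`, should record the choice, and a counter alongside the IPsec one would make denials observable for the same reasons IPsec violations are. A smaller nit: the MAC check is still made when IPsec has already set `policyfail`; if that double evaluation is not wanted, `if (!policyfail && mac_check_socket_receive(last->inp_socket, m) != 0)` avoids it. The enclosing loop and `udp_input` itself begin outside the hunk.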
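Review bot: In the unicast hunk (`@@ -389,6 +405,11 @@`) `error` is declared under `#ifdef MAC` in the earlier declaration hunk only to hold the result of `mac_check_socket_receive(inp->inp_socket, m)`, which is then tested for non-zero and discarded before `goto bad`; the multicast hunk tests the same call inline. Writing it as `if (mac_check_socket_receive(inp->inp_socket, m) != 0) goto bad;` keeps both receive paths in the same shape and lets the `#ifdef MAC` / `int error;` / `#endif` declaration block go. Whether the `bad` label frees `m` and accounts for the drop is outside the hunk and should be confirmed, since a MAC denial here reuses the IPsec failure exit.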