diff options
| -rw-r--r-- | sys/kern/uipc_syscalls.c | 14 | ||||
| -rw-r--r-- | sys/security/mac/mac_framework.h | 6 | ||||
| -rw-r--r-- | sys/security/mac/mac_policy.h | 3 | ||||
| -rw-r--r-- | sys/security/mac/mac_socket.c | 18 | ||||
| -rw-r--r-- | sys/security/mac_stub/mac_stub.c | 13 | ||||
| -rw-r--r-- | sys/sys/mac.h | 6 | ||||
| -rw-r--r-- | sys/sys/mac_policy.h | 3 |
7 files changed, 63 insertions, 0 deletions
diff --git a/sys/kern/uipc_syscalls.c b/sys/kern/uipc_syscalls.c index 2f59d87..d9944fe 100644 --- a/sys/kern/uipc_syscalls.c +++ b/sys/kern/uipc_syscalls.c @@ -158,6 +158,12 @@ socket(td, uap) struct file *fp; int fd, error; +#ifdef MAC + error = mac_check_socket_create(td->td_ucred, uap->domain, uap->type, + uap->protocol); + if (error) + return (error); +#endif fdp = td->td_proc->p_fd; error = falloc(td, &fp, &fd); if (error) @@ -580,6 +586,14 @@ socketpair(td, uap) struct socket *so1, *so2; int fd, error, sv[2]; +#ifdef MAC + /* We might want to have a separate check for socket pairs. */ + error = mac_check_socket_create(td->td_ucred, uap->domain, uap->type, + uap->protocol); + if (error) + return (error); +#endif + NET_LOCK_GIANT(); error = socreate(uap->domain, &so1, uap->type, uap->protocol, td->td_ucred, td); diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h index f33e289..e071c8a 100644 --- a/sys/security/mac/mac_framework.h +++ b/sys/security/mac/mac_framework.h @@ -1,6 +1,7 @@ /*- * Copyright (c) 1999-2002 Robert N. M. Watson * Copyright (c) 2001-2005 Networks Associates Technology, Inc. + * Copyright (c) 2005 SPARTA, Inc. * All rights reserved. * * This software was developed by Robert Watson for the TrustedBSD Project. @@ -10,6 +11,9 @@ * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), * as part of the DARPA CHATS research program. * + * This software was enhanced by SPARTA ISSO under SPAWAR contract + * N66001-04-C-6019 ("SEFOS"). + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -372,6 +376,8 @@ int mac_check_socket_bind(struct ucred *cred, struct socket *so, struct sockaddr *sockaddr); int mac_check_socket_connect(struct ucred *cred, struct socket *so, struct sockaddr *sockaddr); +int mac_check_socket_create(struct ucred *cred, int domain, int type, + int protocol); int mac_check_socket_deliver(struct socket *so, struct mbuf *m); int mac_check_socket_listen(struct ucred *cred, struct socket *so); int mac_check_socket_poll(struct ucred *cred, struct socket *so); diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h index 336dd6e..9076493 100644 --- a/sys/security/mac/mac_policy.h +++ b/sys/security/mac/mac_policy.h @@ -1,6 +1,7 @@ /*- * Copyright (c) 1999-2002 Robert N. M. Watson * Copyright (c) 2001-2005 Networks Associates Technology, Inc. + * Copyright (c) 2005 SPARTA, Inc. * All rights reserved. * * This software was developed by Robert Watson for the TrustedBSD Project. @@ -455,6 +456,8 @@ struct mac_policy_ops { int (*mpo_check_socket_connect)(struct ucred *cred, struct socket *so, struct label *socketlabel, struct sockaddr *sockaddr); + int (*mpo_check_socket_create)(struct ucred *cred, int domain, + int type, int protocol); int (*mpo_check_socket_deliver)(struct socket *so, struct label *socketlabel, struct mbuf *m, struct label *mbuflabel); diff --git a/sys/security/mac/mac_socket.c b/sys/security/mac/mac_socket.c index d797643..7af1749 100644 --- a/sys/security/mac/mac_socket.c +++ b/sys/security/mac/mac_socket.c @@ -2,6 +2,7 @@ * Copyright (c) 1999-2002 Robert N. M. Watson * Copyright (c) 2001 Ilmar S. Habibulin * Copyright (c) 2001-2005 Networks Associates Technology, Inc. + * Copyright (c) 2005 SPARTA, Inc. * All rights reserved. * * This software was developed by Robert Watson and Ilmar Habibulin for the @@ -11,6 +12,9 @@ * Research, the Technology Research Division of Network Associates, Inc. * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the * DARPA CHATS research program. + * + * This software was enhanced by SPARTA ISSO under SPAWAR contract + * N66001-04-C-6019 ("SEFOS"). * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -322,6 +326,20 @@ mac_check_socket_connect(struct ucred *cred, struct socket *socket, } int +mac_check_socket_create(struct ucred *cred, int domain, int type, + int protocol) +{ + int error; + + if (!mac_enforce_socket) + return (0); + + MAC_CHECK(check_socket_create, cred, domain, type, protocol); + + return (error); +} + +int mac_check_socket_deliver(struct socket *socket, struct mbuf *mbuf) { struct label *label; diff --git a/sys/security/mac_stub/mac_stub.c b/sys/security/mac_stub/mac_stub.c index 7cabaf0..16551d7 100644 --- a/sys/security/mac_stub/mac_stub.c +++ b/sys/security/mac_stub/mac_stub.c @@ -1,6 +1,7 @@ /*- * Copyright (c) 1999-2002 Robert N. M. Watson * Copyright (c) 2001-2005 McAfee, Inc. + * Copyright (c) 2005 SPARTA, Inc. * All rights reserved. * * This software was developed by Robert Watson for the TrustedBSD Project. @@ -10,6 +11,9 @@ * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA * CHATS research program. * + * This software was enhanced by SPARTA ISSO under SPAWAR contract + * N66001-04-C-6019 ("SEFOS"). + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -996,6 +1000,14 @@ stub_check_socket_connect(struct ucred *cred, struct socket *socket, } static int +stub_check_socket_create(struct ucred *cred, int domain, int type, + int protocol) +{ + + return (0); +} + +static int stub_check_socket_deliver(struct socket *so, struct label *socketlabel, struct mbuf *m, struct label *mbuflabel) { @@ -1533,6 +1545,7 @@ static struct mac_policy_ops mac_stub_ops = .mpo_check_socket_accept = stub_check_socket_accept, .mpo_check_socket_bind = stub_check_socket_bind, .mpo_check_socket_connect = stub_check_socket_connect, + .mpo_check_socket_create = stub_check_socket_create, .mpo_check_socket_deliver = stub_check_socket_deliver, .mpo_check_socket_listen = stub_check_socket_listen, .mpo_check_socket_poll = stub_check_socket_poll, diff --git a/sys/sys/mac.h b/sys/sys/mac.h index f33e289..e071c8a 100644 --- a/sys/sys/mac.h +++ b/sys/sys/mac.h @@ -1,6 +1,7 @@ /*- * Copyright (c) 1999-2002 Robert N. M. Watson * Copyright (c) 2001-2005 Networks Associates Technology, Inc. + * Copyright (c) 2005 SPARTA, Inc. * All rights reserved. * * This software was developed by Robert Watson for the TrustedBSD Project. @@ -10,6 +11,9 @@ * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), * as part of the DARPA CHATS research program. * + * This software was enhanced by SPARTA ISSO under SPAWAR contract + * N66001-04-C-6019 ("SEFOS"). + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -372,6 +376,8 @@ int mac_check_socket_bind(struct ucred *cred, struct socket *so, struct sockaddr *sockaddr); int mac_check_socket_connect(struct ucred *cred, struct socket *so, struct sockaddr *sockaddr); +int mac_check_socket_create(struct ucred *cred, int domain, int type, + int protocol); int mac_check_socket_deliver(struct socket *so, struct mbuf *m); int mac_check_socket_listen(struct ucred *cred, struct socket *so); int mac_check_socket_poll(struct ucred *cred, struct socket *so); diff --git a/sys/sys/mac_policy.h b/sys/sys/mac_policy.h index 336dd6e..9076493 100644 --- a/sys/sys/mac_policy.h +++ b/sys/sys/mac_policy.h @@ -1,6 +1,7 @@ /*- * Copyright (c) 1999-2002 Robert N. M. Watson * Copyright (c) 2001-2005 Networks Associates Technology, Inc. + * Copyright (c) 2005 SPARTA, Inc. * All rights reserved. * * This software was developed by Robert Watson for the TrustedBSD Project. @@ -455,6 +456,8 @@ struct mac_policy_ops { int (*mpo_check_socket_connect)(struct ucred *cred, struct socket *so, struct label *socketlabel, struct sockaddr *sockaddr); + int (*mpo_check_socket_create)(struct ucred *cred, int domain, + int type, int protocol); int (*mpo_check_socket_deliver)(struct socket *so, struct label *socketlabel, struct mbuf *m, struct label *mbuflabel); |
