From 3b36c9b2c4682780ac539d4d20d729f32ed5c501 Mon Sep 17 00:00:00 2001
From: rwatson
Date: Thu, 1 Aug 2002 21:37:34 +0000
Subject: Introduce support for Mandatory Access Control and extensible kernel access control.

Add MAC support for the UDP protocol. Invoke appropriate MAC entry points to label packets that are generated by local UDP sockets, and to authorize delivery of mbufs to local sockets both in the multicast/broadcast case and the unicast case.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
---
 sys/netinet/udp_usrreq.c | 33 +++++++++++++++++++++++++++++----
 1 file changed, 29 insertions(+), 4 deletions(-)
 (limited to 'sys')

diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c
index b93e99e..37d15d0 100644
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@@ -36,6 +36,7 @@
 #include "opt_ipsec.h"
 #include "opt_inet6.h"
+#include "opt_mac.h"
 #include
 #include
@@ -43,6 +44,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -166,6 +168,9 @@ udp_input(m, off)
 int len;
 struct ip save_ip;
 struct sockaddr *append_sa;
+#ifdef MAC
+ int error;
+#endif
 udpstat.udps_ipackets++;
@@ -303,18 +308,29 @@ udp_input(m, off)
 if (last != NULL) {
 struct mbuf *n;
+ int policyfail;
+ policyfail = 0;
 #ifdef IPSEC
 /* check AH/ESP integrity. */
- if (ipsec4_in_reject_so(m, last->inp_socket))
+ if (ipsec4_in_reject_so(m, last->inp_socket)) {
 ipsecstat.in_polvio++;
+ policyfail = 1;
 /* do not inject data to pcb */
- else
+ }
 #endif /*IPSEC*/
- if ((n = m_copy(m, 0, M_COPYALL)) != NULL)
- udp_append(last, ip, n,
+#ifdef MAC
+ if (mac_check_socket_receive(last->inp_socket,
+ m) != 0)
+ policyfail = 1;
+#endif
+ if (!policyfail) {
+ if ((n = m_copy(m, 0, M_COPYALL))
+ != NULL)
+ udp_append(last, ip, n,
 iphlen + sizeof(struct udphdr));
+ }
 INP_UNLOCK(last);
 }
 last = inp;
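Review bot: In the multicast/broadcast loop a `mac_check_socket_receive` failure only sets `policyfail`, so a MAC-denied delivery is dropped with no trace, whereas the IPSEC branch directly above it records its denial in `ipsecstat.in_polvio++`; that leaves policy denials invisible to anyone auditing the udpstat-style counters. At minimum annotate the new branch, e.g. `/* MAC denied delivery to this socket; the copy is dropped without a counter. */`, and consider a dedicated counter alongside the IPSEC one. The check is applied only to the sockets handled inside the loop; the delivery to the final matching socket after the loop lies outside this hunk, so whether it receives the same check cannot be confirmed from here. The enclosing udp_input body starts and ends outside the hunk.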
@@ -389,6 +405,11 @@ udp_input(m, off)
 goto bad;
 }
 #endif /*IPSEC*/
+#ifdef MAC
+ error = mac_check_socket_receive(inp->inp_socket, m);
+ if (error)
+ goto bad;
+#endif
 /*
 * Construct sockaddr format source address.
@@ -718,6 +739,10 @@ udp_output(inp, m, addr, control, td)
 struct sockaddr_in *sin;
 int s = 0, error = 0;
+#ifdef MAC
+ mac_create_mbuf_from_socket(inp->inp_socket, m);
+#endif
+
 if (control)
 m_freem(control); /* XXX */
-- cgit v1.1
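Review bot: The unicast path drops a MAC-denied datagram through the generic `goto bad` exit with no counter or comment, so it is indistinguishable from a malformed packet when someone is diagnosing delivery failures; a short comment on the new `if (error)` line, e.g. `/* MAC policy denied delivery to this socket; dropped uncounted. */`, would at least document the intent. `error` is declared only under `#ifdef MAC` (the hunk at old line 166) and is used for nothing but this test, so `if (mac_check_socket_receive(inp->inp_socket, m) != 0) goto bad;` would match the multicast branch and remove the MAC-only local. The enclosing udp_input body continues outside the hunk.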
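Review bot: `mac_create_mbuf_from_socket(inp->inp_socket, m)` runs unconditionally on entry to udp_output, before the existing `control` cleanup and before any of the function's later checks, and the new lines carry no comment saying why the label is attached this early; add one such as `/* Label the outgoing mbuf from the sending socket before the packet is built. */`. Whether the label attached here survives the mbuf manipulation later in udp_output, and whether `inp->inp_socket` is always valid at this point, cannot be confirmed from the hunk, so it is worth a check by someone with the full function in view. udp_output's body continues outside the hunk.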