mirror/freebsd
1
0
Fork 0
mirror of https://git.FreeBSD.org/src.git synced 2024-12-02 08:42:48 +00:00
Code Issues Releases Activity

Add MAC Framework and MAC policy entry point mac_check_socket_create(),

Browse Source 
which is invoked from socket() and socketpair(), permitting MAC
policy modules to control the creation of sockets by domain, type, and
protocol.

Obtained from:	TrustedBSD Project
Sponsored by:	SPARTA, SPAWAR
Approved by:	re (scottl)
Requested by:	SCC
This commit is contained in:
Robert Watson 2005-07-05 22:49:10 +00:00
parent 623b1a868e
commit 6758f88ea4
Notes: svn2git 2020-12-20 02:59:44 +00:00 
svn path=/head/; revision=147784
7 changed files with 63 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
sys/kern/uipc_syscalls.c
View File

@ -158,6 +158,12 @@ socket(td, uap)
struct file *fp;
int fd, error;
#ifdef MAC
error = mac_check_socket_create(td->td_ucred, uap->domain, uap->type,
uap->protocol);
if (error)
return (error);
#endif
fdp = td->td_proc->p_fd;
error = falloc(td, &fp, &fd);
if (error)
@ -580,6 +586,14 @@ socketpair(td, uap)
struct socket *so1, *so2;
int fd, error, sv[2];
#ifdef MAC
/* We might want to have a separate check for socket pairs. */
error = mac_check_socket_create(td->td_ucred, uap->domain, uap->type,
uap->protocol);
if (error)
return (error);
#endif
NET_LOCK_GIANT();
error = socreate(uap->domain, &so1, uap->type, uap->protocol,
td->td_ucred, td);

6
sys/security/mac/mac_framework.h
View File

@ -1,6 +1,7 @@
/*-
* Copyright (c) 1999-2002 Robert N. M. Watson
* Copyright (c) 2001-2005 Networks Associates Technology, Inc.
* Copyright (c) 2005 SPARTA, Inc.
* All rights reserved.
*
* This software was developed by Robert Watson for the TrustedBSD Project.
@ -10,6 +11,9 @@
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
* as part of the DARPA CHATS research program.
*
* This software was enhanced by SPARTA ISSO under SPAWAR contract
* N66001-04-C-6019 ("SEFOS").
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@ -372,6 +376,8 @@ int mac_check_socket_bind(struct ucred *cred, struct socket *so,
struct sockaddr *sockaddr);
int mac_check_socket_connect(struct ucred *cred, struct socket *so,
struct sockaddr *sockaddr);
int mac_check_socket_create(struct ucred *cred, int domain, int type,
int protocol);
int mac_check_socket_deliver(struct socket *so, struct mbuf *m);
int mac_check_socket_listen(struct ucred *cred, struct socket *so);
int mac_check_socket_poll(struct ucred *cred, struct socket *so);

3
sys/security/mac/mac_policy.h
View File

@ -1,6 +1,7 @@
/*-
* Copyright (c) 1999-2002 Robert N. M. Watson
* Copyright (c) 2001-2005 Networks Associates Technology, Inc.
* Copyright (c) 2005 SPARTA, Inc.
* All rights reserved.
*
* This software was developed by Robert Watson for the TrustedBSD Project.
@ -455,6 +456,8 @@ struct mac_policy_ops {
int (*mpo_check_socket_connect)(struct ucred *cred,
struct socket *so, struct label *socketlabel,
struct sockaddr *sockaddr);
int (*mpo_check_socket_create)(struct ucred *cred, int domain,
int type, int protocol);
int (*mpo_check_socket_deliver)(struct socket *so,
struct label *socketlabel, struct mbuf *m,
struct label *mbuflabel);

18
sys/security/mac/mac_socket.c
View File

@ -2,6 +2,7 @@
* Copyright (c) 1999-2002 Robert N. M. Watson
* Copyright (c) 2001 Ilmar S. Habibulin
* Copyright (c) 2001-2005 Networks Associates Technology, Inc.
* Copyright (c) 2005 SPARTA, Inc.
* All rights reserved.
*
* This software was developed by Robert Watson and Ilmar Habibulin for the
@ -11,6 +12,9 @@
* Research, the Technology Research Division of Network Associates, Inc.
* under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
* DARPA CHATS research program.
*
* This software was enhanced by SPARTA ISSO under SPAWAR contract
* N66001-04-C-6019 ("SEFOS").
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@ -321,6 +325,20 @@ mac_check_socket_connect(struct ucred *cred, struct socket *socket,
return (error);
}
int
mac_check_socket_create(struct ucred *cred, int domain, int type,
int protocol)
{
int error;
if (!mac_enforce_socket)
return (0);
MAC_CHECK(check_socket_create, cred, domain, type, protocol);
return (error);
}
int
mac_check_socket_deliver(struct socket *socket, struct mbuf *mbuf)
{

13
sys/security/mac_stub/mac_stub.c
View File

@ -1,6 +1,7 @@
/*-
* Copyright (c) 1999-2002 Robert N. M. Watson
* Copyright (c) 2001-2005 McAfee, Inc.
* Copyright (c) 2005 SPARTA, Inc.
* All rights reserved.
*
* This software was developed by Robert Watson for the TrustedBSD Project.
@ -10,6 +11,9 @@
* DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA
* CHATS research program.
*
* This software was enhanced by SPARTA ISSO under SPAWAR contract
* N66001-04-C-6019 ("SEFOS").
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@ -995,6 +999,14 @@ stub_check_socket_connect(struct ucred *cred, struct socket *socket,
return (0);
}
static int
stub_check_socket_create(struct ucred *cred, int domain, int type,
int protocol)
{
return (0);
}
static int
stub_check_socket_deliver(struct socket *so, struct label *socketlabel,
struct mbuf *m, struct label *mbuflabel)
@ -1533,6 +1545,7 @@ static struct mac_policy_ops mac_stub_ops =
.mpo_check_socket_accept = stub_check_socket_accept,
.mpo_check_socket_bind = stub_check_socket_bind,
.mpo_check_socket_connect = stub_check_socket_connect,
.mpo_check_socket_create = stub_check_socket_create,
.mpo_check_socket_deliver = stub_check_socket_deliver,
.mpo_check_socket_listen = stub_check_socket_listen,
.mpo_check_socket_poll = stub_check_socket_poll,

6
sys/sys/mac.h
View File

@ -1,6 +1,7 @@
/*-
* Copyright (c) 1999-2002 Robert N. M. Watson
* Copyright (c) 2001-2005 Networks Associates Technology, Inc.
* Copyright (c) 2005 SPARTA, Inc.
* All rights reserved.
*
* This software was developed by Robert Watson for the TrustedBSD Project.
@ -10,6 +11,9 @@
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
* as part of the DARPA CHATS research program.
*
* This software was enhanced by SPARTA ISSO under SPAWAR contract
* N66001-04-C-6019 ("SEFOS").
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@ -372,6 +376,8 @@ int mac_check_socket_bind(struct ucred *cred, struct socket *so,
struct sockaddr *sockaddr);
int mac_check_socket_connect(struct ucred *cred, struct socket *so,
struct sockaddr *sockaddr);
int mac_check_socket_create(struct ucred *cred, int domain, int type,
int protocol);
int mac_check_socket_deliver(struct socket *so, struct mbuf *m);
int mac_check_socket_listen(struct ucred *cred, struct socket *so);
int mac_check_socket_poll(struct ucred *cred, struct socket *so);

3
sys/sys/mac_policy.h
View File

@ -1,6 +1,7 @@
/*-
* Copyright (c) 1999-2002 Robert N. M. Watson
* Copyright (c) 2001-2005 Networks Associates Technology, Inc.
* Copyright (c) 2005 SPARTA, Inc.
* All rights reserved.
*
* This software was developed by Robert Watson for the TrustedBSD Project.
@ -455,6 +456,8 @@ struct mac_policy_ops {
int (*mpo_check_socket_connect)(struct ucred *cred,
struct socket *so, struct label *socketlabel,
struct sockaddr *sockaddr);
int (*mpo_check_socket_create)(struct ucred *cred, int domain,
int type, int protocol);
int (*mpo_check_socket_deliver)(struct socket *so,
struct label *socketlabel, struct mbuf *m,
struct label *mbuflabel);