From 6758f88ea476f8a5d8c956d2b4ab41a2c0aa6bd6 Mon Sep 17 00:00:00 2001
From: Robert Watson
Date: Tue, 5 Jul 2005 22:49:10 +0000
Subject: [PATCH] Add MAC Framework and MAC policy entry point mac_check_socket_create(), which is invoked from socket() and socketpair(), permitting MAC policy modules to control the creation of sockets by domain, type, and protocol.
Obtained from: TrustedBSD Project
Sponsored by: SPARTA, SPAWAR
Approved by: re (scottl)
Requested by: SCC
---
 sys/kern/uipc_syscalls.c | 14 ++++++++++++++
 sys/security/mac/mac_framework.h | 6 ++++++
 sys/security/mac/mac_policy.h | 3 +++
 sys/security/mac/mac_socket.c | 18 ++++++++++++++++++
 sys/security/mac_stub/mac_stub.c | 13 +++++++++++++
 sys/sys/mac.h | 6 ++++++
 sys/sys/mac_policy.h | 3 +++
 7 files changed, 63 insertions(+)
diff --git a/sys/kern/uipc_syscalls.c b/sys/kern/uipc_syscalls.c
index 2f59d87ba155..d9944fe08573 100644
--- a/sys/kern/uipc_syscalls.c
+++ b/sys/kern/uipc_syscalls.c
@@ -158,6 +158,12 @@ socket(td, uap)
 struct file *fp;
 int fd, error;
+#ifdef MAC
+ error = mac_check_socket_create(td->td_ucred, uap->domain, uap->type,
+ uap->protocol);
+ if (error)
+ return (error);
+#endif
 fdp = td->td_proc->p_fd;
 error = falloc(td, &fp, &fd);
 if (error)
@@ -580,6 +586,14 @@ socketpair(td, uap)
 struct socket *so1, *so2;
 int fd, error, sv[2];
+#ifdef MAC
+ /* We might want to have a separate check for socket pairs. */
+ error = mac_check_socket_create(td->td_ucred, uap->domain, uap->type,
+ uap->protocol);
+ if (error)
+ return (error);
+#endif
+
 NET_LOCK_GIANT();
 error = socreate(uap->domain, &so1, uap->type, uap->protocol, td->td_ucred, td);
diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h
index f33e2899539f..e071c8acc30c 100644
--- a/sys/security/mac/mac_framework.h
+++ b/sys/security/mac/mac_framework.h
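Review bot: In socket() in sys/kern/uipc_syscalls.c the new MAC check sits in the system call wrapper rather than in socreate(), so any other path that calls socreate() with a user credential is not mediated by mac_check_socket_create(); the socketpair() hunk has the same shape. Whether such callers exist is not visible from this diff, so if syscall-only mediation is intended it should be written down where policy authors will read it, for example `/* Mediates socket() and socketpair() only; other socreate() callers are not checked. */` above the call. Running the check before falloc() is the right order, since a denial then has nothing to unwind. socket()'s body continues outside the hunk.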
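Review bot: The comment added in the socketpair() hunk, `/* We might want to have a separate check for socket pairs. */`, does not say what a policy can rely on today. The hunk makes one create check with the same arguments socket() passes, so a policy cannot tell a pair from a lone socket, and judging by the `so1`/`so2` declarations a single decision presumably covers both endpoints. I would state that outright, e.g. `/* XXX: one create check covers both endpoints; policies cannot tell socketpair() from socket(). */`. socketpair()'s body continues outside the hunk, so any later per-socket checks are not visible here.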
@@ -1,6 +1,7 @@
 /*-
 * Copyright (c) 1999-2002 Robert N. M. Watson
 * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
+ * Copyright (c) 2005 SPARTA, Inc.
 * All rights reserved.
 *
 * This software was developed by Robert Watson for the TrustedBSD Project.
@@ -10,6 +11,9 @@
 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
 * as part of the DARPA CHATS research program.
 *
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract
+ * N66001-04-C-6019 ("SEFOS").
+ *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
@@ -372,6 +376,8 @@ int mac_check_socket_bind(struct ucred *cred, struct socket *so, struct sockaddr *sockaddr);
 int mac_check_socket_connect(struct ucred *cred, struct socket *so, struct sockaddr *sockaddr);
+int mac_check_socket_create(struct ucred *cred, int domain, int type,
+ int protocol);
 int mac_check_socket_deliver(struct socket *so, struct mbuf *m);
 int mac_check_socket_listen(struct ucred *cred, struct socket *so);
 int mac_check_socket_poll(struct ucred *cred, struct socket *so);
diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h
index 336dd6ea1238..9076493c2342 100644
--- a/sys/security/mac/mac_policy.h
+++ b/sys/security/mac/mac_policy.h
@@ -1,6 +1,7 @@
 /*-
 * Copyright (c) 1999-2002 Robert N. M. Watson
 * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
+ * Copyright (c) 2005 SPARTA, Inc.
 * All rights reserved.
 *
 * This software was developed by Robert Watson for the TrustedBSD Project.
@@ -455,6 +456,8 @@ struct mac_policy_ops {
 int (*mpo_check_socket_connect)(struct ucred *cred, struct socket *so, struct label *socketlabel, struct sockaddr *sockaddr);
+ int (*mpo_check_socket_create)(struct ucred *cred, int domain,
+ int type, int protocol);
 int (*mpo_check_socket_deliver)(struct socket *so, struct label *socketlabel, struct mbuf *m, struct label *mbuflabel);
diff --git a/sys/security/mac/mac_socket.c b/sys/security/mac/mac_socket.c
index d7976439ed87..7af1749ca838 100644
--- a/sys/security/mac/mac_socket.c
+++ b/sys/security/mac/mac_socket.c
@@ -2,6 +2,7 @@
 * Copyright (c) 1999-2002 Robert N. M. Watson
 * Copyright (c) 2001 Ilmar S. Habibulin
 * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
+ * Copyright (c) 2005 SPARTA, Inc.
 * All rights reserved.
 *
 * This software was developed by Robert Watson and Ilmar Habibulin for the
@@ -11,6 +12,9 @@
 * Research, the Technology Research Division of Network Associates, Inc.
 * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
 * DARPA CHATS research program.
+ *
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract
+ * N66001-04-C-6019 ("SEFOS").
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -321,6 +325,20 @@ mac_check_socket_connect(struct ucred *cred, struct socket *socket,
 return (error);
 }
+int
+mac_check_socket_create(struct ucred *cred, int domain, int type,
+ int protocol)
+{
+ int error;
+
+ if (!mac_enforce_socket)
+ return (0);
+
+ MAC_CHECK(check_socket_create, cred, domain, type, protocol);
+
+ return (error);
+}
+
 int
 mac_check_socket_deliver(struct socket *socket, struct mbuf *mbuf)
 {
diff --git a/sys/security/mac_stub/mac_stub.c b/sys/security/mac_stub/mac_stub.c
index 7cabaf0bacc6..16551d776489 100644
--- a/sys/security/mac_stub/mac_stub.c
+++ b/sys/security/mac_stub/mac_stub.c
@@ -1,6 +1,7 @@
 /*-
 * Copyright (c) 1999-2002 Robert N. M. Watson
 * Copyright (c) 2001-2005 McAfee, Inc.
+ * Copyright (c) 2005 SPARTA, Inc.
 * All rights reserved.
 *
 * This software was developed by Robert Watson for the TrustedBSD Project.
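Review bot: mac_check_socket_create() in sys/security/mac/mac_socket.c has no header comment, and the fact policy authors most need is not written down: both callers pass `uap->domain`, `uap->type` and `uap->protocol` straight from the system call arguments, and in the socketpair() hunk the check runs before socreate(), so a policy receives arbitrary caller-chosen integers. I would add `/* Called before the socket exists: domain, type and protocol are unvalidated syscall arguments, so policies must range-check them before using them as indices. */` above the function. `error` is assigned only inside MAC_CHECK, whose definition is outside this hunk, so it is worth confirming that the macro initialises `error` when no policy is loaded. The `!mac_enforce_socket` early return also skips every policy, which means a policy cannot observe socket creation while enforcement is switched off; say so in the comment if that is intended.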
@@ -10,6 +11,9 @@
 * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA
 * CHATS research program.
 *
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract
+ * N66001-04-C-6019 ("SEFOS").
+ *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
@@ -995,6 +999,14 @@ stub_check_socket_connect(struct ucred *cred, struct socket *socket,
 return (0);
 }
+static int
+stub_check_socket_create(struct ucred *cred, int domain, int type,
+ int protocol)
+{
+
+ return (0);
+}
+
 static int
 stub_check_socket_deliver(struct socket *so, struct label *socketlabel, struct mbuf *m, struct label *mbuflabel)
@@ -1533,6 +1545,7 @@ static struct mac_policy_ops mac_stub_ops =
 .mpo_check_socket_accept = stub_check_socket_accept,
 .mpo_check_socket_bind = stub_check_socket_bind,
 .mpo_check_socket_connect = stub_check_socket_connect,
+ .mpo_check_socket_create = stub_check_socket_create,
 .mpo_check_socket_deliver = stub_check_socket_deliver,
 .mpo_check_socket_listen = stub_check_socket_listen,
 .mpo_check_socket_poll = stub_check_socket_poll,
diff --git a/sys/sys/mac.h b/sys/sys/mac.h
index f33e2899539f..e071c8acc30c 100644
--- a/sys/sys/mac.h
+++ b/sys/sys/mac.h
@@ -1,6 +1,7 @@
 /*-
 * Copyright (c) 1999-2002 Robert N. M. Watson
 * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
+ * Copyright (c) 2005 SPARTA, Inc.
 * All rights reserved.
 *
 * This software was developed by Robert Watson for the TrustedBSD Project.
@@ -10,6 +11,9 @@
 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
 * as part of the DARPA CHATS research program.
 *
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract
+ * N66001-04-C-6019 ("SEFOS").
+ *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
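Review bot: stub_check_socket_create() in sys/security/mac_stub/mac_stub.c is the only implementation of the new entry point in this commit (the diffstat lists no other policy module), and it always returns 0, so the denial path added to socket() and socketpair() is never exercised. A follow-up in which a test or enforcing policy returns an error for a chosen domain/type/protocol would confirm that the early `return (error);` really stops the socket from being created and leaves no descriptor behind. The stub itself is consistent with its neighbours in the `mac_stub_ops` table.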
@@ -372,6 +376,8 @@ int mac_check_socket_bind(struct ucred *cred, struct socket *so, struct sockaddr *sockaddr);
 int mac_check_socket_connect(struct ucred *cred, struct socket *so, struct sockaddr *sockaddr);
+int mac_check_socket_create(struct ucred *cred, int domain, int type,
+ int protocol);
 int mac_check_socket_deliver(struct socket *so, struct mbuf *m);
 int mac_check_socket_listen(struct ucred *cred, struct socket *so);
 int mac_check_socket_poll(struct ucred *cred, struct socket *so);
diff --git a/sys/sys/mac_policy.h b/sys/sys/mac_policy.h
index 336dd6ea1238..9076493c2342 100644
--- a/sys/sys/mac_policy.h
+++ b/sys/sys/mac_policy.h
@@ -1,6 +1,7 @@
 /*-
 * Copyright (c) 1999-2002 Robert N. M. Watson
 * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
+ * Copyright (c) 2005 SPARTA, Inc.
 * All rights reserved.
 *
 * This software was developed by Robert Watson for the TrustedBSD Project.
@@ -455,6 +456,8 @@ struct mac_policy_ops {
 int (*mpo_check_socket_connect)(struct ucred *cred, struct socket *so, struct label *socketlabel, struct sockaddr *sockaddr);
+ int (*mpo_check_socket_create)(struct ucred *cred, int domain,
+ int type, int protocol);
 int (*mpo_check_socket_deliver)(struct socket *so, struct label *socketlabel, struct mbuf *m, struct label *mbuflabel);