From owner-p4-projects Fri Mar 22 10: 3:36 2002 Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id BF93437B41A; Fri, 22 Mar 2002 10:03:15 -0800 (PST) Delivered-To: perforce@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 15AE937B41B for ; Fri, 22 Mar 2002 10:03:14 -0800 (PST) Received: (from perforce@localhost) by freefall.freebsd.org (8.11.6/8.11.6) id g2MI3D454676 for perforce@freebsd.org; Fri, 22 Mar 2002 10:03:13 -0800 (PST) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Date: Fri, 22 Mar 2002 10:03:13 -0800 (PST) Message-Id: <200203221803.g2MI3D454676@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: perforce set sender to bb+lists.freebsd.perforce@cyrus.watson.org using -f 
From: Robert Watson Subject: PERFORCE change 8207 for review To: Perforce Change Reviews Sender: owner-p4-projects@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG http://people.freebsd.org/~peter/p4db/chv.cgi?CH=8207 Change 8207 by rwatson@rwatson_curry on 2002/03/22 10:02:23 Move the network code from using cr_cansee() to check whether a socket is visible to a requesting credential to using a new function, cr_canseesocket(), which accepts a subject credential and object socket. Implement cr_canseesocket() so that it does a prison check, a uid check, and add a comment where shortly a MAC hook will go. This will allow MAC policies to seperately instrument the visibility of sockets from the visibility of processes. Once recent recent changes to the main tree are MFC'd, the uid-related checks can be centralized. Affected files ... ... //depot/projects/trustedbsd/mac/sys/kern/kern_prot.c#13 edit ... //depot/projects/trustedbsd/mac/sys/netinet/raw_ip.c#8 edit ... //depot/projects/trustedbsd/mac/sys/netinet/tcp_subr.c#10 edit ... //depot/projects/trustedbsd/mac/sys/netinet/udp_usrreq.c#7 edit ... //depot/projects/trustedbsd/mac/sys/sys/systm.h#7 edit Differences ... ==== //depot/projects/trustedbsd/mac/sys/kern/kern_prot.c#13 (text+ko) ==== @@ -61,6 +61,8 @@ #include #include #include +#include +#include #include static MALLOC_DEFINE(M_CRED, "cred", "credentials"); 
@@ -1676,6 +1678,33 @@ return (0); } +/*- + * Determine whether the subject represented by cred can "see" the passed + * socket. + * Returns: 0 for permitted, ENOENT otherwise. + * Locks: Sufficient locks to protect various components of cred and so + * must be held. + * References: cred and so must be valid for the lifetime of the call + */ +int +cr_canseesocket(struct ucred *cred, struct socket *so) +{ + int error; + + error = prison_check(cred, so->so_cred); + if (error) + return (ENOENT); + + if (!see_other_uids && cred->cr_ruid != so->so_cred->cr_ruid) + return (ENOENT); + +#ifdef MAC + /* XXX: error = mac_cred_check_seesocket() here. */ +#endif + + return (0); +} + /* * Allocate a zeroed cred structure. */ ==== //depot/projects/trustedbsd/mac/sys/netinet/raw_ip.c#8 (text+ko) ==== @@ -653,8 +653,8 @@ for (inp = LIST_FIRST(ripcbinfo.listhead), i = 0; inp && i < n; inp = LIST_NEXT(inp, inp_list)) { if (inp->inp_gencnt <= gencnt) { - if (cr_cansee(req->td->td_ucred, - inp->inp_socket->so_cred)) + if (cr_canseesocket(req->td->td_ucred, + inp->inp_socket)) continue; inp_list[i++] = inp; } ==== //depot/projects/trustedbsd/mac/sys/netinet/tcp_subr.c#10 (text+ko) ==== @@ -866,8 +866,8 @@ for (inp = LIST_FIRST(tcbinfo.listhead), i = 0; inp && i < n; inp = LIST_NEXT(inp, inp_list)) { if (inp->inp_gencnt <= gencnt) { - if (cr_cansee(req->td->td_ucred, - inp->inp_socket->so_cred)) + if (cr_canseesocket(req->td->td_ucred, + inp->inp_socket)) continue; inp_list[i++] = inp; } @@ -937,7 +937,7 @@ error = ENOENT; goto out; } - error = cr_cansee(req->td->td_ucred, inp->inp_socket->so_cred); + error = cr_canseesocket(req->td->td_ucred, inp->inp_socket); if (error) goto out; cru2x(inp->inp_socket->so_cred, &xuc); 
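Review bot: The uid test in cr_canseesocket(), `if (!see_other_uids && cred->cr_ruid != so->so_cred->cr_ruid)`, has no exemption for a privileged subject, so with see_other_uids disabled even root would get ENOENT for every other user's socket. cr_cansee() is not shown here; if it lets a credential that passes suser_xxx() through, this change silently narrows what administrative tools can enumerate. Either the header comment should say that is intended, or the check should keep the exemption, e.g. `if (!see_other_uids && cred->cr_ruid != so->so_cred->cr_ruid && suser_xxx(cred, NULL, PRISON_ROOT) != 0)`. The comment could also record that prison_check()'s error is deliberately flattened to ENOENT, which matches the `error = ENOENT` not-found path visible in the getcred hunks, and that the future MAC hook must keep that mapping so a denied lookup does not reveal that the socket exists.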
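Review bot: In the raw_ip.c pcblist loop, `if (cr_canseesocket(req->td->td_ucred, inp->inp_socket)) continue;` reads as "if it can see the socket, skip it", while the function returns 0 for permitted, so the filter is correct only because of the errno-style return. An explicit comparison, `if (cr_canseesocket(req->td->td_ucred, inp->inp_socket) != 0)`, or a comment such as `/* Skip sockets the requester may not see. */`, would make this access check harder to invert by accident in a later edit. The same pattern appears in the tcp_subr.c hunk at -866 and the udp_usrreq.c hunk at -609. The loop begins and ends outside the hunk.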
@@ -989,7 +989,7 @@ error = ENOENT; goto out; } - error = cr_cansee(req->td->td_ucred, inp->inp_socket->so_cred); + error = cr_canseesocket(req->td->td_ucred, inp->inp_socket); if (error) goto out; cru2x(inp->inp_socket->so_cred, &xuc); ==== //depot/projects/trustedbsd/mac/sys/netinet/udp_usrreq.c#7 (text+ko) ==== @@ -609,8 +609,8 @@ for (inp = LIST_FIRST(udbinfo.listhead), i = 0; inp && i < n; inp = LIST_NEXT(inp, inp_list)) { if (inp->inp_gencnt <= gencnt) { - if (cr_cansee(req->td->td_ucred, - inp->inp_socket->so_cred)) + if (cr_canseesocket(req->td->td_ucred, + inp->inp_socket)) continue; inp_list[i++] = inp; } @@ -674,7 +674,7 @@ error = ENOENT; goto out; } - error = cr_cansee(req->td->td_ucred, inp->inp_socket->so_cred); + error = cr_canseesocket(req->td->td_ucred, inp->inp_socket); if (error) goto out; cru2x(inp->inp_socket->so_cred, &xuc); ==== //depot/projects/trustedbsd/mac/sys/sys/systm.h#7 (text+ko) ==== @@ -101,6 +101,7 @@ struct mtx; struct proc; struct kse; +struct socket; struct thread; struct tty; struct ucred; @@ -197,6 +198,7 @@ int suser_xxx __P((struct ucred *cred, struct proc *proc, int flag)); int suser_xxx_td __P((struct ucred *cred, struct thread *thread, int flag)); int cr_cansee __P((struct ucred *u1, struct ucred *u2)); +int cr_canseesocket __P((struct ucred *u1, struct socket *so)); char *getenv __P((const char *name)); int getenv_int __P((const char *name, int *data)); To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message
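Review bot: The new prototype in systm.h names its first parameter `u1`, but the definition in kern_prot.c calls it `cred` and documents it as the subject; `int cr_canseesocket __P((struct ucred *cred, struct socket *so));` would keep declaration and definition in step. The name `u1` appears to be carried over from the cr_cansee() prototype on the line above, where both arguments are credentials. For an access-control routine it helps to make the subject and object roles obvious at the declaration.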