From: "Bjoern A. Zeeb"
Date: Fri, 17 Oct 2008 16:26:16 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r183982 - in head/sys: kern netinet sys

Author: bz
Date: Fri Oct 17 16:26:16 2008
New Revision: 183982
URL: http://svn.freebsd.org/changeset/base/183982

Log:
  Add cr_canseeinpcb() doing checks using the cached socket
  credentials from inp_cred which is also available after the
  socket is gone.
  Switch cr_canseesocket consumers to cr_canseeinpcb.
  This removes an extra acquisition of the socket lock.

  Reviewed by: rwatson
  MFC after: 3 months (set timer; decide then)

Modified:
  head/sys/kern/kern_prot.c
  head/sys/netinet/ip_divert.c
  head/sys/netinet/raw_ip.c
  head/sys/netinet/tcp_subr.c
  head/sys/netinet/udp_usrreq.c
  head/sys/sys/systm.h

Modified: head/sys/kern/kern_prot.c ============================================================================== --- head/sys/kern/kern_prot.c Fri Oct 17 16:03:37 2008 (r183981) +++ head/sys/kern/kern_prot.c Fri Oct 17 16:26:16 2008 (r183982) @@ -45,6 +45,8 @@ __FBSDID("$FreeBSD$"); #include "opt_compat.h" +#include "opt_inet.h" +#include "opt_inet6.h" #include "opt_mac.h" #include @@ -68,6 +70,11 @@ __FBSDID("$FreeBSD$"); #include #include +#if defined(INET) || defined(INET6) +#include +#include +#endif + #include #include 
@@ -1704,6 +1711,34 @@ cr_canseesocket(struct ucred *cred, stru return (0); } +#if defined(INET) || defined(INET6) +/*- + * Determine whether the subject represented by cred can "see" a socket. + * Returns: 0 for permitted, ENOENT otherwise. + */ +int +cr_canseeinpcb(struct ucred *cred, struct inpcb *inp) +{ + int error; + + error = prison_check(cred, inp->inp_cred); + if (error) + return (ENOENT); +#ifdef MAC + INP_LOCK_ASSERT(inp); + error = mac_inpcb_check_visible(cred, inp); + if (error) + return (error); +#endif + if (cr_seeotheruids(cred, inp->inp_cred)) + return (ENOENT); + if (cr_seeothergids(cred, inp->inp_cred)) + return (ENOENT); + + return (0); +} +#endif + /*- * Determine whether td can wait for the exit of p. * Returns: 0 for permitted, an errno value otherwise Modified: head/sys/netinet/ip_divert.c ============================================================================== --- head/sys/netinet/ip_divert.c Fri Oct 17 16:03:37 2008 (r183981) +++ head/sys/netinet/ip_divert.c Fri Oct 17 16:26:16 2008 (r183982) @@ -627,7 +627,7 @@ div_pcblist(SYSCTL_HANDLER_ARGS) inp = LIST_NEXT(inp, inp_list)) { INP_RLOCK(inp); if (inp->inp_gencnt <= gencnt && - cr_canseesocket(req->td->td_ucred, inp->inp_socket) == 0) + cr_canseeinpcb(req->td->td_ucred, inp) == 0) inp_list[i++] = inp; INP_RUNLOCK(inp); } Modified: head/sys/netinet/raw_ip.c ============================================================================== --- head/sys/netinet/raw_ip.c Fri Oct 17 16:03:37 2008 (r183981) +++ head/sys/netinet/raw_ip.c Fri Oct 17 16:26:16 2008 (r183982) 
@@ -942,7 +942,7 @@ rip_pcblist(SYSCTL_HANDLER_ARGS) inp = LIST_NEXT(inp, inp_list)) { INP_RLOCK(inp); if (inp->inp_gencnt <= gencnt && - cr_canseesocket(req->td->td_ucred, inp->inp_socket) == 0) { + cr_canseeinpcb(req->td->td_ucred, inp) == 0) { /* XXX held references? */ inp_list[i++] = inp; } Modified: head/sys/netinet/tcp_subr.c ============================================================================== --- head/sys/netinet/tcp_subr.c Fri Oct 17 16:03:37 2008 (r183981) +++ head/sys/netinet/tcp_subr.c Fri Oct 17 16:26:16 2008 (r183982) @@ -1015,8 +1015,7 @@ tcp_pcblist(SYSCTL_HANDLER_ARGS) else error = EINVAL; /* Skip this inp. */ } else - error = cr_canseesocket(req->td->td_ucred, - inp->inp_socket); + error = cr_canseeinpcb(req->td->td_ucred, inp); if (error == 0) inp_list[i++] = inp; } @@ -1104,8 +1103,7 @@ tcp_getcred(SYSCTL_HANDLER_ARGS) if (inp->inp_socket == NULL) error = ENOENT; if (error == 0) - error = cr_canseesocket(req->td->td_ucred, - inp->inp_socket); + error = cr_canseeinpcb(req->td->td_ucred, inp); if (error == 0) cru2x(inp->inp_cred, &xuc); INP_RUNLOCK(inp); @@ -1168,8 +1166,7 @@ tcp6_getcred(SYSCTL_HANDLER_ARGS) if (inp->inp_socket == NULL) error = ENOENT; if (error == 0) - error = cr_canseesocket(req->td->td_ucred, - inp->inp_socket); + error = cr_canseeinpcb(req->td->td_ucred, inp); if (error == 0) cru2x(inp->inp_cred, &xuc); INP_RUNLOCK(inp); Modified: head/sys/netinet/udp_usrreq.c ============================================================================== --- head/sys/netinet/udp_usrreq.c Fri Oct 17 16:03:37 2008 (r183981) +++ head/sys/netinet/udp_usrreq.c Fri Oct 17 16:26:16 2008 (r183982) @@ -688,7 +688,7 @@ udp_pcblist(SYSCTL_HANDLER_ARGS) inp = LIST_NEXT(inp, inp_list)) { INP_RLOCK(inp); if (inp->inp_gencnt <= gencnt && - cr_canseesocket(req->td->td_ucred, inp->inp_socket) == 0) + cr_canseeinpcb(req->td->td_ucred, inp) == 0) inp_list[i++] = inp; INP_RUNLOCK(inp); } 
@@ -758,8 +758,7 @@ udp_getcred(SYSCTL_HANDLER_ARGS) if (inp->inp_socket == NULL) error = ENOENT; if (error == 0) - error = cr_canseesocket(req->td->td_ucred, - inp->inp_socket); + error = cr_canseeinpcb(req->td->td_ucred, inp); if (error == 0) cru2x(inp->inp_cred, &xuc); INP_RUNLOCK(inp); Modified: head/sys/sys/systm.h ============================================================================== --- head/sys/sys/systm.h Fri Oct 17 16:03:37 2008 (r183981) +++ head/sys/sys/systm.h Fri Oct 17 16:26:16 2008 (r183982) @@ -112,6 +112,7 @@ extern char **kenvp; * General function declarations. */ +struct inpcb; struct lock_object; struct malloc_type; struct mtx; @@ -227,6 +228,7 @@ void cpu_stopprofclock(void); int cr_cansee(struct ucred *u1, struct ucred *u2); int cr_canseesocket(struct ucred *cred, struct socket *so); +int cr_canseeinpcb(struct ucred *cred, struct inpcb *inp); char *getenv(const char *name); void freeenv(char *env);
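
Review bot: In cr_canseeinpcb() (kern_prot.c, hunk at -1704), INP_LOCK_ASSERT(inp) sits inside #ifdef MAC, while inp->inp_cred is read by prison_check() before it and by cr_seeotheruids()/cr_seeothergids() after it in every configuration, so a caller that does not hold the inpcb lock is only caught on MAC kernels. If holding the lock is part of the function's contract, move the assertion to the top of the function, outside the #ifdef. The block comment also needs a pass: it still says the subject can "see" a socket although the object is now an inpcb, and it promises "ENOENT otherwise" while the MAC branch returns whatever mac_inpcb_check_visible() returned.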
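
Review bot: In tcp_getcred() and tcp6_getcred() (tcp_subr.c), and likewise udp_getcred() (udp_usrreq.c), the context line "if (inp->inp_socket == NULL) error = ENOENT;" is left in front of the new call even though cr_canseeinpcb() no longer takes inp->inp_socket and the log says inp_cred stays available after the socket is gone. Please either drop the guard or add a short comment saying it is kept on purpose, so the next reader does not assume the visibility check still depends on the socket pointer. The following cru2x(inp->inp_cred, &xuc) already works from the cached credential, so the guard now only decides whether a socket-less inpcb is reported at all.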
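
Review bot: In systm.h the new prototype "int cr_canseeinpcb(struct ucred *cred, struct inpcb *inp);" is declared unconditionally, but the definition in kern_prot.c is wrapped in #if defined(INET) || defined(INET6). A caller built into a kernel without either option would compile cleanly and only fail at link time. A one-line comment next to the prototype noting that the function exists only with INET or INET6 would document the constraint, since the opt_inet.h/opt_inet6.h option headers are not something systm.h can reasonably depend on.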