Add a new sysctl/tunable to mac_portacl:

security.mac.portacl.autoport_exempt

This sysctl exempts binding to port '0' from rule checking as long as IP_PORTRANGELOW
hasn't been set on the socket.  This is quite useful as it allows applications
to use automatic binding without adding overly broad rules for the
binding of port 0.  This sysctl defaults to enabled.

This is a slight variation on the patch submitted by the contributor.

MFC after:	2 weeks
Submitted by:	Michal Mertl <mime at traveller dot cz>
This commit is contained in:
Robert Watson 2004-12-08 11:46:44 +00:00
parent 88bdf804ed
commit 0d74c18651
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=138556


@ -79,6 +79,7 @@
#include <sys/sysctl.h>
#include <netinet/in.h>
#include <netinet/in_pcb.h>
#include <vm/vm.h>
@ -100,6 +101,13 @@ SYSCTL_INT(_security_mac_portacl, OID_AUTO, suser_exempt, CTLFLAG_RW,
TUNABLE_INT("security.mac.portacl.suser_exempt",
&mac_portacl_suser_exempt);
static int mac_portacl_autoport_exempt = 1;
SYSCTL_INT(_security_mac_portacl, OID_AUTO, autoport_exempt, CTLFLAG_RW,
&mac_portacl_autoport_exempt, 0, "Allow automatic allocation through "
"binding port 0 if not IP_PORTRANGELOW");
TUNABLE_INT("security.mac.portacl.autoport_exempt",
&mac_portacl_autoport_exempt);
static int mac_portacl_port_high = 1023;
SYSCTL_INT(_security_mac_portacl, OID_AUTO, port_high, CTLFLAG_RW,
&mac_portacl_port_high, 0, "Highest port to enforce for");
@ -434,6 +442,7 @@ check_socket_bind(struct ucred *cred, struct socket *so,
struct label *socketlabel, struct sockaddr *sockaddr)
{
struct sockaddr_in *sin;
struct inpcb *inp;
int family, type;
u_int16_t port;
@ -461,6 +470,20 @@ check_socket_bind(struct ucred *cred, struct socket *so,
sin = (struct sockaddr_in *) sockaddr;
port = ntohs(sin->sin_port);
/*
* Sockets are frequently bound with a specific IP address but a port
* number of '0' to request automatic port allocation. This is often
* desirable as long as IP_PORTRANGELOW isn't set, which might permit
* automatic allocation of a "privileged" port. The autoport exempt
* flag exempts port 0 allocation from rule checking as long as a low
* port isn't required.
*/
if (mac_portacl_autoport_exempt && port == 0) {
inp = sotoinpcb(so);
if ((inp->inp_flags & INP_LOWPORT) == 0)
return (0);
}
return (rules_check(cred, family, type, port));
}
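Review bot: The exemption added at `if (mac_portacl_autoport_exempt && port == 0)` assumes that the kernel's anonymous port range lies entirely above the enforced range (`mac_portacl_port_high` defaults to 1023, visible in the earlier hunk), but that range is an administrator-tunable (`net.inet.ip.portrange.first`), so a configuration that lowers it into the enforced range lets a port-0 bind obtain a protected port without any rule being consulted. Since the module cannot cheaply prevent that here, the comment should at least record the assumption, e.g. append `* NB: assumes the default anonymous port range (net.inet.ip.portrange.first/last) does not overlap the enforced port_low..port_high range; lowering it silently widens this exemption.` to the block comment above the check. The read of `inp->inp_flags` appears unlocked in this hunk; if the caller does not hold the inpcb lock at this point, a concurrent IP_PORTRANGE setsockopt could race the check, which is worth confirming against in_pcbbind. The body of check_socket_bind begins outside this hunk (only its declarations appear in the preceding one), so the family/type validation that precedes the port check is not visible here.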