diff --git a/sys/kern/sys_socket.c b/sys/kern/sys_socket.c index b12809f508af..7c352beee215 100644 --- a/sys/kern/sys_socket.c +++ b/sys/kern/sys_socket.c @@ -234,6 +234,15 @@ soo_poll(fp, events, active_cred, td) int error; NET_LOCK_GIANT(); +#ifdef MAC + SOCK_LOCK(so); + error = mac_check_socket_poll(active_cred, so); + SOCK_UNLOCK(so); + if (error) { + NET_UNLOCK_GIANT(); + return (error); + } +#endif error = (so->so_proto->pr_usrreqs->pru_sopoll) (so, events, fp->f_cred, td); NET_UNLOCK_GIANT(); @@ -254,6 +263,15 @@ soo_stat(fp, ub, active_cred, td) bzero((caddr_t)ub, sizeof (*ub)); ub->st_mode = S_IFSOCK; NET_LOCK_GIANT(); +#ifdef MAC + SOCK_LOCK(so); + error = mac_check_socket_stat(active_cred, so); + SOCK_UNLOCK(so); + if (error) { + NET_UNLOCK_GIANT(); + return (error); + } +#endif /* * If SBS_CANTRCVMORE is set, but there's still data left in the * receive buffer, the socket is still readable. diff --git a/sys/kern/uipc_syscalls.c b/sys/kern/uipc_syscalls.c index 34d83ee02d91..f4a4b1682ea1 100644 --- a/sys/kern/uipc_syscalls.c +++ b/sys/kern/uipc_syscalls.c @@ -315,6 +315,13 @@ accept1(td, uap, compat) error = EINVAL; goto done; } +#ifdef MAC + SOCK_LOCK(head); + error = mac_check_socket_accept(td->td_ucred, head); + SOCK_UNLOCK(head); + if (error != 0) + goto done; +#endif error = falloc(td, &nfp, &fd); if (error) goto done; diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h index 3e6e53ec34e1..f72733d6618d 100644 --- a/sys/security/mac/mac_framework.h +++ b/sys/security/mac/mac_framework.h @@ -1,6 +1,6 @@ /*- * Copyright (c) 1999-2002 Robert N. M. Watson - * Copyright (c) 2001-2003 Networks Associates Technology, Inc. + * Copyright (c) 2001-2005 Networks Associates Technology, Inc. * All rights reserved. * * This software was developed by Robert Watson for the TrustedBSD Project. @@ -39,6 +39,7 @@ * The POSIX.1e implementation page may be reached at: * http://www.trustedbsd.org/ */ + #ifndef _SYS_MAC_H_ #define _SYS_MAC_H_ 
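Review bot: In soo_poll() (sys/kern/sys_socket.c) the new `return (error);` hands a MAC errno back through a function whose normal return value is the result of `pru_sopoll`. By the usual poll convention that result is a returned-events bitmask, not an errno; this is inferred, since no caller is in the hunk. If that holds, a denial would be read by the caller as a set of ready events, so a thread refused by policy could see the socket reported as readable or writable instead of seeing a failure. Decide explicitly what a denied poll should report and document it at the check, e.g. `/* MAC denial: value returned here is an errno, not revents */`. The body of soo_poll starts before the hunk.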
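Review bot: The MAC check in soo_stat() runs after `bzero((caddr_t)ub, sizeof (*ub));` and `ub->st_mode = S_IFSOCK;`, so a denied call returns an error with the caller's stat buffer already modified. Nothing socket-specific has been written at that point, but performing the check before touching `ub` keeps the denial path free of side effects. It also makes it obvious that no socket state is disclosed before policy is consulted. Whether the check can move above `NET_LOCK_GIANT()` is not visible here, so at minimum add `/* MAC: on denial ub holds only the zeroed struct and S_IFSOCK */`. soo_stat continues past the end of the hunk.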
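Review bot: The label check in accept1() (sys/kern/uipc_syscalls.c) is made under `SOCK_LOCK(head)` and the lock is dropped immediately, so the decision reflects the label only at that instant. soo_poll() and soo_stat() in sys_socket.c use the same check-then-unlock pattern. accept1 continues outside the hunk; if it can sleep waiting for a connection after this point, a relabel of the listening socket in the meantime is not re-checked. That may be the intended semantics, but it deserves a comment at the call site, e.g. `/* MAC: authorize once against head's label on entry; not re-evaluated after blocking */`. Minor style: `if (error != 0)` differs from the `if (error)` used for falloc() two lines below.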
@@ -350,14 +351,17 @@ int mac_check_proc_setresgid(struct proc *proc, struct ucred *cred, gid_t rgid, gid_t egid, gid_t sgid); int mac_check_proc_signal(struct ucred *cred, struct proc *proc, int signum); +int mac_check_socket_accept(struct ucred *cred, struct socket *so); int mac_check_socket_bind(struct ucred *cred, struct socket *so, struct sockaddr *sockaddr); int mac_check_socket_connect(struct ucred *cred, struct socket *so, struct sockaddr *sockaddr); int mac_check_socket_deliver(struct socket *so, struct mbuf *m); int mac_check_socket_listen(struct ucred *cred, struct socket *so); +int mac_check_socket_poll(struct ucred *cred, struct socket *so); int mac_check_socket_receive(struct ucred *cred, struct socket *so); int mac_check_socket_send(struct ucred *cred, struct socket *so); +int mac_check_socket_stat(struct ucred *cred, struct socket *so); int mac_check_socket_visible(struct ucred *cred, struct socket *so); int mac_check_sysarch_ioperm(struct ucred *cred); int mac_check_system_acct(struct ucred *cred, struct vnode *vp); diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h index 910690af54c5..402d622b915f 100644 --- a/sys/security/mac/mac_policy.h +++ b/sys/security/mac/mac_policy.h @@ -1,6 +1,6 @@ /*- * Copyright (c) 1999-2002 Robert N. M. Watson - * Copyright (c) 2001-2004 Networks Associates Technology, Inc. + * Copyright (c) 2001-2005 Networks Associates Technology, Inc. * All rights reserved. * * This software was developed by Robert Watson for the TrustedBSD Project. @@ -424,6 +424,8 @@ struct mac_policy_ops { gid_t egid, gid_t sgid); int (*mpo_check_proc_signal)(struct ucred *cred, struct proc *proc, int signum); + int (*mpo_check_socket_accept)(struct ucred *cred, + struct socket *so, struct label *socketlabel); int (*mpo_check_socket_bind)(struct ucred *cred, struct socket *so, struct label *socketlabel, struct sockaddr *sockaddr); 
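Review bot: The three new prototypes in mac_framework.h (`mac_check_socket_accept`, `mac_check_socket_poll`, `mac_check_socket_stat`) do not say that the caller must hold the socket lock, although each implementation in mac_socket.c opens with `SOCK_LOCK_ASSERT`. A short comment on each, such as `/* Caller must hold SOCK_LOCK(so); returns 0 or an errno. */`, would let the next call-site author get the locking right without hitting the assertion first. The neighbouring socket checks may have the same requirement, but that is not visible in this diff. The identical hunk in sys/sys/mac.h has the same gap.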
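Review bot: `mpo_check_socket_accept` is inserted between existing members of `struct mac_policy_ops` rather than appended, which shifts the offset of every later function pointer. The `mpo_check_socket_poll` and `mpo_check_socket_stat` hunks that follow, and the sys/sys/mac_policy.h copy, do the same. A policy module built against the old header would then have its hooks invoked for the wrong events, which for an access-control framework means wrong decisions rather than a clean load failure. Nothing in this diff shows the policy-module interface version being bumped, so please confirm that stale modules are rejected at load time, or note the required rebuild next to the struct.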
@@ -435,6 +437,8 @@ struct mac_policy_ops { struct label *mbuflabel); int (*mpo_check_socket_listen)(struct ucred *cred, struct socket *so, struct label *socketlabel); + int (*mpo_check_socket_poll)(struct ucred *cred, + struct socket *so, struct label *socketlabel); int (*mpo_check_socket_receive)(struct ucred *cred, struct socket *so, struct label *socketlabel); int (*mpo_check_socket_relabel)(struct ucred *cred, @@ -442,6 +446,8 @@ struct mac_policy_ops { struct label *newlabel); int (*mpo_check_socket_send)(struct ucred *cred, struct socket *so, struct label *socketlabel); + int (*mpo_check_socket_stat)(struct ucred *cred, + struct socket *so, struct label *socketlabel); int (*mpo_check_socket_visible)(struct ucred *cred, struct socket *so, struct label *socketlabel); int (*mpo_check_sysarch_ioperm)(struct ucred *cred); diff --git a/sys/security/mac/mac_socket.c b/sys/security/mac/mac_socket.c index 7b48f7976db8..d7976439ed87 100644 --- a/sys/security/mac/mac_socket.c +++ b/sys/security/mac/mac_socket.c 
@@ -1,16 +1,16 @@ /*- * Copyright (c) 1999-2002 Robert N. M. Watson * Copyright (c) 2001 Ilmar S. Habibulin - * Copyright (c) 2001-2004 Networks Associates Technology, Inc. + * Copyright (c) 2001-2005 Networks Associates Technology, Inc. * All rights reserved. * * This software was developed by Robert Watson and Ilmar Habibulin for the * TrustedBSD Project. * - * This software was developed for the FreeBSD Project in part by Network - * Associates Laboratories, the Security Research Division of Network - * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), - * as part of the DARPA CHATS research program. + * This software was developed for the FreeBSD Project in part by McAfee + * Research, the Technology Research Division of Network Associates, Inc. + * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the + * DARPA CHATS research program. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -272,6 +272,21 @@ mac_create_mbuf_from_socket(struct socket *socket, struct mbuf *mbuf) label); } +int +mac_check_socket_accept(struct ucred *cred, struct socket *socket) +{ + int error; + + SOCK_LOCK_ASSERT(socket); + + if (!mac_enforce_socket) + return (0); + + MAC_CHECK(check_socket_accept, cred, socket, socket->so_label); + + return (error); +} + int mac_check_socket_bind(struct ucred *ucred, struct socket *socket, struct sockaddr *sockaddr) @@ -339,6 +354,20 @@ mac_check_socket_listen(struct ucred *cred, struct socket *socket) return (error); } +int +mac_check_socket_poll(struct ucred *cred, struct socket *so) +{ + int error; + + SOCK_LOCK_ASSERT(so); + + if (!mac_enforce_socket) + return (0); + + MAC_CHECK(check_socket_poll, cred, so, so->so_label); + return (error); +} + int mac_check_socket_receive(struct ucred *cred, struct socket *so) { 
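Review bot: mac_check_socket_accept() in mac_socket.c returns `error` without any visible assignment; the value presumably comes from the `MAC_CHECK` macro, whose definition is not in this diff. The same is true of mac_check_socket_poll() in the next hunk and mac_check_socket_stat() after it. A header comment on each should state the contract: the socket lock must be held (per `SOCK_LOCK_ASSERT`), the function returns 0 without consulting any policy when `mac_enforce_socket` is off, and otherwise it returns whatever `MAC_CHECK` leaves in `error`. Style: this function names its parameter `socket`, while the header prototype and the two sibling functions use `so`; `mac_check_socket_accept(struct ucred *cred, struct socket *so)` would match.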
@@ -383,6 +412,21 @@ mac_check_socket_send(struct ucred *cred, struct socket *so) return (error); } +int +mac_check_socket_stat(struct ucred *cred, struct socket *so) +{ + int error; + + SOCK_LOCK_ASSERT(so); + + if (!mac_enforce_socket) + return (0); + + MAC_CHECK(check_socket_stat, cred, so, so->so_label); + + return (error); +} + int mac_check_socket_visible(struct ucred *cred, struct socket *socket) { diff --git a/sys/security/mac_stub/mac_stub.c b/sys/security/mac_stub/mac_stub.c index cc93edfbeb7a..9a7f567afa78 100644 --- a/sys/security/mac_stub/mac_stub.c +++ b/sys/security/mac_stub/mac_stub.c @@ -907,6 +907,14 @@ stub_check_proc_setresgid(struct ucred *cred, gid_t rgid, gid_t egid, return (0); } +static int +stub_check_socket_accept(struct ucred *cred, struct socket *socket, + struct label *socketlabel) +{ + + return (0); +} + static int stub_check_socket_bind(struct ucred *cred, struct socket *socket, struct label *socketlabel, struct sockaddr *sockaddr) @@ -939,6 +947,22 @@ stub_check_socket_listen(struct ucred *cred, struct socket *so, return (0); } +static int +stub_check_socket_poll(struct ucred *cred, struct socket *so, + struct label *socketlabel) +{ + + return (0); +} + +static int +stub_check_socket_receive(struct ucred *cred, struct socket *so, + struct label *socketlabel) +{ + + return (0); +} + static int stub_check_socket_relabel(struct ucred *cred, struct socket *socket, struct label *socketlabel, struct label *newlabel) @@ -946,6 +970,21 @@ stub_check_socket_relabel(struct ucred *cred, struct socket *socket, return (0); } +static int +stub_check_socket_send(struct ucred *cred, struct socket *so, + struct label *socketlabel) +{ + + return (0); +} + +static int +stub_check_socket_stat(struct ucred *cred, struct socket *so, + struct label *socketlabel) +{ + + return (0); +} static int stub_check_socket_visible(struct ucred *cred, struct socket *socket, 
@@ -1417,11 +1456,16 @@ static struct mac_policy_ops mac_stub_ops = .mpo_check_proc_setresuid = stub_check_proc_setresuid, .mpo_check_proc_setresgid = stub_check_proc_setresgid, .mpo_check_proc_signal = stub_check_proc_signal, + .mpo_check_socket_accept = stub_check_socket_accept, .mpo_check_socket_bind = stub_check_socket_bind, .mpo_check_socket_connect = stub_check_socket_connect, .mpo_check_socket_deliver = stub_check_socket_deliver, .mpo_check_socket_listen = stub_check_socket_listen, + .mpo_check_socket_poll = stub_check_socket_poll, + .mpo_check_socket_receive = stub_check_socket_receive, .mpo_check_socket_relabel = stub_check_socket_relabel, + .mpo_check_socket_send = stub_check_socket_send, + .mpo_check_socket_stat = stub_check_socket_stat, .mpo_check_socket_visible = stub_check_socket_visible, .mpo_check_sysarch_ioperm = stub_check_sysarch_ioperm, .mpo_check_system_acct = stub_check_system_acct, diff --git a/sys/security/mac_test/mac_test.c b/sys/security/mac_test/mac_test.c index 4c7787457432..1ce97a34b0bd 100644 --- a/sys/security/mac_test/mac_test.c +++ b/sys/security/mac_test/mac_test.c @@ -1790,6 +1790,17 @@ mac_test_check_proc_setresgid(struct ucred *cred, gid_t rgid, gid_t egid, return (0); } +static int +mac_test_check_socket_accept(struct ucred *cred, struct socket *socket, + struct label *socketlabel) +{ + + ASSERT_CRED_LABEL(cred->cr_label); + ASSERT_SOCKET_LABEL(socketlabel); + + return (0); +} + static int mac_test_check_socket_bind(struct ucred *cred, struct socket *socket, struct label *socketlabel, struct sockaddr *sockaddr) 
@@ -1835,7 +1846,18 @@ mac_test_check_socket_listen(struct ucred *cred, struct socket *socket, } static int -mac_test_check_socket_visible(struct ucred *cred, struct socket *socket, +mac_test_check_socket_poll(struct ucred *cred, struct socket *socket, + struct label *socketlabel) +{ + + ASSERT_CRED_LABEL(cred->cr_label); + ASSERT_SOCKET_LABEL(socketlabel); + + return (0); +} + +static int +mac_test_check_socket_receive(struct ucred *cred, struct socket *socket, struct label *socketlabel) { @@ -1857,6 +1879,39 @@ mac_test_check_socket_relabel(struct ucred *cred, struct socket *socket, return (0); } +static int +mac_test_check_socket_send(struct ucred *cred, struct socket *socket, + struct label *socketlabel) +{ + + ASSERT_CRED_LABEL(cred->cr_label); + ASSERT_SOCKET_LABEL(socketlabel); + + return (0); +} + +static int +mac_test_check_socket_stat(struct ucred *cred, struct socket *socket, + struct label *socketlabel) +{ + + ASSERT_CRED_LABEL(cred->cr_label); + ASSERT_SOCKET_LABEL(socketlabel); + + return (0); +} + +static int +mac_test_check_socket_visible(struct ucred *cred, struct socket *socket, + struct label *socketlabel) +{ + + ASSERT_CRED_LABEL(cred->cr_label); + ASSERT_SOCKET_LABEL(socketlabel); + + return (0); +} + static int mac_test_check_sysarch_ioperm(struct ucred *cred) { 
@@ -2451,11 +2506,16 @@ static struct mac_policy_ops mac_test_ops = .mpo_check_proc_setresuid = mac_test_check_proc_setresuid, .mpo_check_proc_setresgid = mac_test_check_proc_setresgid, .mpo_check_proc_signal = mac_test_check_proc_signal, + .mpo_check_socket_accept = mac_test_check_socket_accept, .mpo_check_socket_bind = mac_test_check_socket_bind, .mpo_check_socket_connect = mac_test_check_socket_connect, .mpo_check_socket_deliver = mac_test_check_socket_deliver, .mpo_check_socket_listen = mac_test_check_socket_listen, + .mpo_check_socket_poll = mac_test_check_socket_poll, + .mpo_check_socket_receive = mac_test_check_socket_receive, .mpo_check_socket_relabel = mac_test_check_socket_relabel, + .mpo_check_socket_send = mac_test_check_socket_send, + .mpo_check_socket_stat = mac_test_check_socket_stat, .mpo_check_socket_visible = mac_test_check_socket_visible, .mpo_check_sysarch_ioperm = mac_test_check_sysarch_ioperm, .mpo_check_system_acct = mac_test_check_system_acct, diff --git a/sys/sys/mac.h b/sys/sys/mac.h index 3e6e53ec34e1..f72733d6618d 100644 --- a/sys/sys/mac.h +++ b/sys/sys/mac.h @@ -1,6 +1,6 @@ /*- * Copyright (c) 1999-2002 Robert N. M. Watson - * Copyright (c) 2001-2003 Networks Associates Technology, Inc. + * Copyright (c) 2001-2005 Networks Associates Technology, Inc. * All rights reserved. * * This software was developed by Robert Watson for the TrustedBSD Project. @@ -39,6 +39,7 @@ * The POSIX.1e implementation page may be reached at: * http://www.trustedbsd.org/ */ + #ifndef _SYS_MAC_H_ #define _SYS_MAC_H_ 
@@ -350,14 +351,17 @@ int mac_check_proc_setresgid(struct proc *proc, struct ucred *cred, gid_t rgid, gid_t egid, gid_t sgid); int mac_check_proc_signal(struct ucred *cred, struct proc *proc, int signum); +int mac_check_socket_accept(struct ucred *cred, struct socket *so); int mac_check_socket_bind(struct ucred *cred, struct socket *so, struct sockaddr *sockaddr); int mac_check_socket_connect(struct ucred *cred, struct socket *so, struct sockaddr *sockaddr); int mac_check_socket_deliver(struct socket *so, struct mbuf *m); int mac_check_socket_listen(struct ucred *cred, struct socket *so); +int mac_check_socket_poll(struct ucred *cred, struct socket *so); int mac_check_socket_receive(struct ucred *cred, struct socket *so); int mac_check_socket_send(struct ucred *cred, struct socket *so); +int mac_check_socket_stat(struct ucred *cred, struct socket *so); int mac_check_socket_visible(struct ucred *cred, struct socket *so); int mac_check_sysarch_ioperm(struct ucred *cred); int mac_check_system_acct(struct ucred *cred, struct vnode *vp); diff --git a/sys/sys/mac_policy.h b/sys/sys/mac_policy.h index 910690af54c5..402d622b915f 100644 --- a/sys/sys/mac_policy.h +++ b/sys/sys/mac_policy.h @@ -1,6 +1,6 @@ /*- * Copyright (c) 1999-2002 Robert N. M. Watson - * Copyright (c) 2001-2004 Networks Associates Technology, Inc. + * Copyright (c) 2001-2005 Networks Associates Technology, Inc. * All rights reserved. * * This software was developed by Robert Watson for the TrustedBSD Project. @@ -424,6 +424,8 @@ struct mac_policy_ops { gid_t egid, gid_t sgid); int (*mpo_check_proc_signal)(struct ucred *cred, struct proc *proc, int signum); + int (*mpo_check_socket_accept)(struct ucred *cred, + struct socket *so, struct label *socketlabel); int (*mpo_check_socket_bind)(struct ucred *cred, struct socket *so, struct label *socketlabel, struct sockaddr *sockaddr); 
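Review bot: This prototype hunk in sys/sys/mac.h duplicates the one applied to sys/security/mac/mac_framework.h earlier in the diff, and both files show the same blob ids before and after (`3e6e53ec34e1..f72733d6618d`). sys/sys/mac_policy.h and sys/security/mac/mac_policy.h are paired the same way. If both copies are meant to stay in the tree, every future hook must be declared twice, and a missed copy would leave consumers compiling against different declarations. It may be an artifact of how the history was assembled, but it is worth confirming whether one path should simply include the other.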
@@ -435,6 +437,8 @@ struct mac_policy_ops { struct label *mbuflabel); int (*mpo_check_socket_listen)(struct ucred *cred, struct socket *so, struct label *socketlabel); + int (*mpo_check_socket_poll)(struct ucred *cred, + struct socket *so, struct label *socketlabel); int (*mpo_check_socket_receive)(struct ucred *cred, struct socket *so, struct label *socketlabel); int (*mpo_check_socket_relabel)(struct ucred *cred, @@ -442,6 +446,8 @@ struct mac_policy_ops { struct label *newlabel); int (*mpo_check_socket_send)(struct ucred *cred, struct socket *so, struct label *socketlabel); + int (*mpo_check_socket_stat)(struct ucred *cred, + struct socket *so, struct label *socketlabel); int (*mpo_check_socket_visible)(struct ucred *cred, struct socket *so, struct label *socketlabel); int (*mpo_check_sysarch_ioperm)(struct ucred *cred);