Use the credential authorizing the socket creation operation to perform
the jail check and the MAC socket labeling in socreate(). This handles socket creation using a cached credential better (such as in the NFS client code when rebuilding a socket following a disconnect: the new socket should be created using the nfsmount cached cred, not the cred of the thread causing the socket to be rebuilt). Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
This commit is contained in:
rwatson
parent
7a27007bbb
commit
f8156b93ee
@ -177,7 +177,7 @@ socreate(dom, aso, type, proto, cred, td)
|
|||||||
if (prp == 0 || prp->pr_usrreqs->pru_attach == 0)
|
if (prp == 0 || prp->pr_usrreqs->pru_attach == 0)
|
||||||
return (EPROTONOSUPPORT);
|
return (EPROTONOSUPPORT);
|
||||||
|
|
||||||
if (jailed(td->td_ucred) && jail_socket_unixiproute_only &&
|
if (jailed(cred) && jail_socket_unixiproute_only &&
|
||||||
prp->pr_domain->dom_family != PF_LOCAL &&
|
prp->pr_domain->dom_family != PF_LOCAL &&
|
||||||
prp->pr_domain->dom_family != PF_INET &&
|
prp->pr_domain->dom_family != PF_INET &&
|
||||||
prp->pr_domain->dom_family != PF_ROUTE) {
|
prp->pr_domain->dom_family != PF_ROUTE) {
|
||||||
@ -196,7 +196,7 @@ socreate(dom, aso, type, proto, cred, td)
|
|||||||
so->so_cred = crhold(cred);
|
so->so_cred = crhold(cred);
|
||||||
so->so_proto = prp;
|
so->so_proto = prp;
|
||||||
#ifdef MAC
|
#ifdef MAC
|
||||||
mac_create_socket(td->td_ucred, so);
|
mac_create_socket(cred, so);
|
||||||
#endif
|
#endif
|
||||||
soref(so);
|
soref(so);
|
||||||
error = (*prp->pr_usrreqs->pru_attach)(so, proto, td);
|
error = (*prp->pr_usrreqs->pru_attach)(so, proto, td);
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user