kern/63096: [patch] MAC entry point for route manipulation
Christian S.J. Peron
maneo at sqrt.ca
Thu Feb 19 16:40:24 PST 2004
>Number: 63096
>Category: kern
>Synopsis: [patch] MAC entry point for route manipulation
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Thu Feb 19 16:40:23 PST 2004
>Closed-Date:
>Last-Modified:
>Originator: Christian S.J. Peron
>Release: FreeBSD 5.2-CURRENT i386
>Organization:
>Environment:
System: FreeBSD 5.2-CURRENT FreeBSD 5.2-CURRENT #11: Thu Feb 19 05:26:09 GMT 2004 cperon@:/usr/src/sys/i386/compile/ROUTER i386
>Description:
Currently there is no way to restrict routing table manipulation from
userspace using the MAC framework.
I think it would be beneficial to have this functionality.
I have tested this in a static environment, meaning the routes
on this box did not change on a regular basis.
The following patches define a hook which is invoked by
rt_output() in rtsock.c for the MAC framework.
>How-To-Repeat:
N/A
>Fix:
--- sys/sys/mac.h.bak Thu Feb 19 03:44:47 2004
+++ sys/sys/mac.h Thu Feb 19 03:44:02 2004
@@ -278,6 +278,7 @@
int mac_check_system_acct(struct ucred *cred, struct vnode *vp);
int mac_check_system_nfsd(struct ucred *cred);
int mac_check_system_reboot(struct ucred *cred, int howto);
+int mac_check_system_route_alter(struct ucred *cred);
int mac_check_system_settime(struct ucred *cred);
int mac_check_system_swapon(struct ucred *cred, struct vnode *vp);
int mac_check_system_swapoff(struct ucred *cred, struct vnode *vp);
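Review bot: the new entry point receives only the credential, so a policy cannot distinguish an RTM_ADD from an RTM_DELETE or RTM_CHANGE, nor see which request is being made; consider passing the request type that rt_output() already holds in rtm->rtm_type as a second argument, e.g. `int mac_check_system_route_alter(struct ucred *cred, int rtm_type);`, in the same way mac_check_system_reboot() receives `howto` in the line above.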
--- sys/sys/mac_policy.h.bak Thu Feb 19 03:45:32 2004
+++ sys/sys/mac_policy.h Thu Feb 19 16:35:12 2004
@@ -356,6 +356,7 @@
struct vnode *vp, struct label *vlabel);
int (*mpo_check_system_nfsd)(struct ucred *cred);
int (*mpo_check_system_reboot)(struct ucred *cred, int howto);
+ int (*mpo_check_system_route_alter)(struct ucred *cred);
int (*mpo_check_system_settime)(struct ucred *cred);
int (*mpo_check_system_swapon)(struct ucred *cred,
struct vnode *vp, struct label *label);
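Review bot: inserting mpo_check_system_route_alter into the middle of struct mac_policy_ops changes the structure layout, so every policy module has to be rebuilt against the new header; the patch also adds no implementation of the new entry point to any policy module, so as submitted the MAC_CHECK in mac_system.c has no policy to consult and the hook is a no-op. The change request should name the policies expected to implement it (or ship a stub for them) and carry the matching documentation update.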
--- sys/security/mac/mac_system.c.bak Thu Feb 19 01:17:26 2004
+++ sys/security/mac/mac_system.c Thu Feb 19 16:31:13 2004
@@ -152,6 +152,19 @@
}
int
+mac_check_system_route_alter(struct ucred *cred)
+{
+ int error;
+
+ if (!mac_enforce_system)
+ return (0);
+
+ MAC_CHECK(check_system_route_alter, cred);
+
+ return(error);
+}
+
+int
mac_check_sysarch_ioperm(struct ucred *cred)
{
int error;
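Review bot: `return(error);` should be written `return (error);` to match style(9) and the `return (0);` a few lines above in the same function. The new function is also spliced in by reusing the existing `int` return-type line of mac_check_sysarch_ioperm() and re-adding `+int` below; adding the whole function, its leading `int` included, above that line keeps the hunk self-contained and easier to read.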
--- sys/net/rtsock.c.orig Thu Nov 20 20:07:37 2003
+++ sys/net/rtsock.c Thu Feb 19 16:33:10 2004
@@ -38,6 +38,7 @@
#include <sys/domain.h>
#include <sys/kernel.h>
#include <sys/jail.h>
+#include <sys/mac.h>
#include <sys/malloc.h>
#include <sys/mbuf.h>
#include <sys/proc.h>
@@ -52,6 +53,8 @@
#include <net/raw_cb.h>
#include <net/route.h>
+#include "opt_mac.h"
+
MALLOC_DEFINE(M_RTABLE, "routetbl", "routing tables");
/* NB: these are not modified */
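Review bot: `#include "opt_mac.h"` belongs at the top of the file with any other opt_*.h headers, before the <sys/...> includes, since option headers have to be seen before the headers and code whose behaviour they condition; here it lands after <net/route.h>, which still satisfies the `#ifdef MAC` in rt_output() but departs from the convention used elsewhere in the kernel.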
@@ -343,6 +346,12 @@
*/
if (rtm->rtm_type != RTM_GET && (error = suser(curthread)) != 0)
senderr(error);
+
+#ifdef MAC
+ error = mac_check_system_route_alter(curthread->td_ucred);
+ if (error)
+ return(error);
+#endif
switch (rtm->rtm_type) {
struct rtentry *saved_nrt;
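Review bot: on failure the new check does a bare `return(error);`, while the suser() check immediately above uses `senderr(error)`; senderr() is this function's common error path, so a bare return bypasses whatever cleanup and error reporting that path performs. Use `senderr(error)` here as well. The check is also placed outside the `rtm->rtm_type != RTM_GET` condition, so a plain RTM_GET lookup is subjected to a hook named route_alter; either move it inside that condition, or, if read access is meant to be policy-controlled too, pass `rtm->rtm_type` to the entry point so the policy can tell the cases apart.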
>Release-Note:
>Audit-Trail:
>Unformatted: