PERFORCE change 113336 for review

Todd Miller millert at FreeBSD.org
Mon Jan 22 15:53:27 UTC 2007


http://perforce.freebsd.org/chv.cgi?CH=113336

Change 113336 by millert at millert_macbook on 2007/01/22 15:52:46

	Implement mpo_socket_check_deliver, which is similar to
	mpo_inpcb_check_deliver (but for protocols w/o an inpcb).

Affected files ...

.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#66 edit

Differences ...

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#66 (text+ko) ====

@@ -2662,16 +2662,21 @@
 	    SOCKET__CREATE, NULL));
 }
 
-#if 0
 static int
-sebsd_socket_check_deliver(struct ucred *cred, struct xsocket *xso,
-    struct label *socklabel)
+sebsd_socket_check_deliver(struct xsocket *xso, struct label *socklabel,
+    struct mbuf *m, struct label *mbuflabel)
 {
+	struct network_security_struct *nsec, *msec;
+	int error;
+
+	nsec = SLOT(socklabel);
+	msec = SLOT(mbuflabel);
 
-	/* XXX - check for NULL socket label? */
-	return (socket_has_perm(cred, socklabel, SOCKET__RECV));
+	/* XXX - use an audit struct so we can log useful info */
+	error = avc_has_perm(msec->sid, nsec->sid, SECCLASS_PACKET,
+	    PACKET__RECV, NULL);
+	return (error);
 }
-#endif
 
 #ifdef SOCKET__POLL
 static int
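Review bot: The new body dereferences `msec->sid` and `nsec->sid` right after `nsec = SLOT(socklabel); msec = SLOT(mbuflabel);` with no NULL check, while the old stub's `/* XXX - check for NULL socket label? */` question is dropped rather than answered. If this hook can be reached with an unlabeled socket or mbuf (a NULL label pointer, or an empty policy slot), that is a kernel NULL dereference on the inbound delivery path; whether SLOT itself tolerates a NULL label is not visible in the hunk. Either add a comment stating why both labels are guaranteed to be present at this entry point, or fail closed before the lookups, e.g. `if (socklabel == NULL || mbuflabel == NULL) return (EACCES);` (and likewise for a NULL `nsec`/`msec` if SLOT can yield one). The retained `/* XXX - use an audit struct ... */` also means a denial from this check produces no audit record, so a dropped packet will be hard to diagnose until that is filled in.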
@@ -3627,6 +3632,7 @@
 	.mpo_socket_check_bind = sebsd_socket_check_bind,
 	.mpo_socket_check_connect = sebsd_socket_check_connect,
 	.mpo_socket_check_create = sebsd_socket_check_create,
+	.mpo_socket_check_deliver = sebsd_socket_check_deliver,
 	.mpo_socket_check_label_update = sebsd_socket_check_label_update,
 	.mpo_socket_check_listen = sebsd_socket_check_listen,
 	.mpo_socket_check_receive = sebsd_socket_check_receive,

