

[src/trunk]: src/sys Move routing socket security policy back to the subsystem.



details:   https://anonhg.NetBSD.org/src/rev/f9f81733f142
branches:  trunk
changeset: 747831:f9f81733f142
user:      elad <elad%NetBSD.org@localhost>
date:      Fri Oct 02 23:16:21 2009 +0000

description:
Move routing socket security policy back to the subsystem.

diffstat:

 sys/net/route.c                     |  26 ++++++++++++++++++++++++--
 sys/secmodel/suser/secmodel_suser.c |  13 +++----------
 2 files changed, 27 insertions(+), 12 deletions(-)

diffs (104 lines):

diff -r 243f0bf661fa -r f9f81733f142 sys/net/route.c
--- a/sys/net/route.c   Fri Oct 02 23:06:33 2009 +0000
+++ b/sys/net/route.c   Fri Oct 02 23:16:21 2009 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: route.c,v 1.118 2009/09/16 15:23:04 pooka Exp $        */
+/*     $NetBSD: route.c,v 1.119 2009/10/02 23:16:21 elad Exp $ */
 
 /*-
  * Copyright (c) 1998, 2008 The NetBSD Foundation, Inc.
@@ -93,7 +93,7 @@
 #include "opt_route.h"
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: route.c,v 1.118 2009/09/16 15:23:04 pooka Exp $");
+__KERNEL_RCSID(0, "$NetBSD: route.c,v 1.119 2009/10/02 23:16:21 elad Exp $");
 
 #include <sys/param.h>
 #include <sys/sysctl.h>
@@ -108,6 +108,7 @@
 #include <sys/kernel.h>
 #include <sys/ioctl.h>
 #include <sys/pool.h>
+#include <sys/kauth.h>
 
 #include <net/if.h>
 #include <net/if_dl.h>
@@ -138,6 +139,8 @@
 static int _rtcache_debug = 0;
 #endif /* RTFLUSH_DEBUG */
 
+static kauth_listener_t route_listener;
+
 static int rtdeletemsg(struct rtentry *);
 static int rtflushclone1(struct rtentry *, void *);
 static void rtflushclone(sa_family_t family, struct rtentry *);
@@ -260,6 +263,22 @@
                            dom->dom_rtoffset);
 }
 
+static int
+route_listener_cb(kauth_cred_t cred, kauth_action_t action, void *cookie,
+    void *arg0, void *arg1, void *arg2, void *arg3)
+{
+       struct rt_msghdr *rtm;
+       int result;
+
+       result = KAUTH_RESULT_DEFER;
+       rtm = arg1;
+
+       if (rtm->rtm_type == RTM_GET)
+               result = KAUTH_RESULT_ALLOW;
+
+       return result;
+}
+
 void
 route_init(void)
 {
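Review bot: route_listener_cb reads arg1 as a `struct rt_msghdr` on every request in KAUTH_SCOPE_NETWORK, yet the listener is attached to the whole scope in route_init (the hunk below), so network actions other than KAUTH_NETWORK_ROUTE will have their arg1 interpreted as a route message, or dereferenced when it is NULL, before the callback has any chance to defer. The callback should check the action before touching rtm: `if (action != KAUTH_NETWORK_ROUTE) return result;` placed immediately after `rtm = arg1;`. The other arguments (arg0, arg2, arg3, cookie) are unused and could be marked as such if the file does that elsewhere. route_init's body continues past the end of the hunk.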
@@ -276,6 +295,9 @@
        rt_init();
        rn_init();      /* initialize all zeroes, all ones, mask table */
        rtable_init((void **)rt_tables);
+
+       route_listener = kauth_listen_scope(KAUTH_SCOPE_NETWORK,
+           route_listener_cb, NULL);
 }
 
 void
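Review bot: The listener handle stored into route_listener at the end of route_init is never checked, and nothing in the diff reads it afterwards. If kauth_listen_scope can return NULL (for example when the scope is not yet registered at the time route_init runs — I have not verified that here), the subsystem would come up without its policy hook and unprivileged RTM_GET would then be governed only by whatever the secmodel decides. A `KASSERT(route_listener != NULL);` after the call, or at least a comment stating the ordering assumption between kauth scope setup and route_init, would make the dependency explicit. route_init's body begins outside the hunk.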
diff -r 243f0bf661fa -r f9f81733f142 sys/secmodel/suser/secmodel_suser.c
--- a/sys/secmodel/suser/secmodel_suser.c       Fri Oct 02 23:06:33 2009 +0000
+++ b/sys/secmodel/suser/secmodel_suser.c       Fri Oct 02 23:16:21 2009 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: secmodel_suser.c,v 1.9 2009/10/02 23:06:33 elad Exp $ */
+/* $NetBSD: secmodel_suser.c,v 1.10 2009/10/02 23:16:21 elad Exp $ */
 /*-
  * Copyright (c) 2006 Elad Efrat <elad%NetBSD.org@localhost>
  * All rights reserved.
@@ -38,7 +38,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: secmodel_suser.c,v 1.9 2009/10/02 23:06:33 elad Exp $");
+__KERNEL_RCSID(0, "$NetBSD: secmodel_suser.c,v 1.10 2009/10/02 23:16:21 elad Exp $");
 
 #include <sys/types.h>
 #include <sys/param.h>
@@ -865,16 +865,9 @@
                break;
 
        case KAUTH_NETWORK_ROUTE:
-               switch (((struct rt_msghdr *)arg1)->rtm_type) {
-               case RTM_GET:
+               if (isroot)
                        result = KAUTH_RESULT_ALLOW;
-                       break;
 
-               default:
-                       if (isroot)
-                               result = KAUTH_RESULT_ALLOW;
-                       break;
-               }
                break;
 
        case KAUTH_NETWORK_SOCKET:
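Review bot: The KAUTH_NETWORK_ROUTE case now allows root and defers everything else, which silently depends on the listener added in sys/net/route.c to permit unprivileged RTM_GET; a reader of the secmodel alone would conclude that non-root route lookups are refused. A comment above the `if (isroot)`, such as `/* Unprivileged RTM_GET is allowed by the listener in sys/net/route.c. */`, would keep both halves of the policy findable. The blank line left between `result = KAUTH_RESULT_ALLOW;` and `break;` is a leftover of the removed inner switch and could be dropped. The enclosing switch starts and ends outside the hunk.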


