[src/trunk]: src/sys Move routing socket security policy back to the subsystem.
details: https://anonhg.NetBSD.org/src/rev/f9f81733f142
branches: trunk
changeset: 747831:f9f81733f142
user: elad <elad%NetBSD.org@localhost>
date: Fri Oct 02 23:16:21 2009 +0000
description:
Move routing socket security policy back to the subsystem.
diffstat:
sys/net/route.c | 26 ++++++++++++++++++++++++--
sys/secmodel/suser/secmodel_suser.c | 13 +++----------
2 files changed, 27 insertions(+), 12 deletions(-)
diffs (104 lines):
diff -r 243f0bf661fa -r f9f81733f142 sys/net/route.c
--- a/sys/net/route.c Fri Oct 02 23:06:33 2009 +0000
+++ b/sys/net/route.c Fri Oct 02 23:16:21 2009 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: route.c,v 1.118 2009/09/16 15:23:04 pooka Exp $ */
+/* $NetBSD: route.c,v 1.119 2009/10/02 23:16:21 elad Exp $ */
/*-
* Copyright (c) 1998, 2008 The NetBSD Foundation, Inc.
@@ -93,7 +93,7 @@
#include "opt_route.h"
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: route.c,v 1.118 2009/09/16 15:23:04 pooka Exp $");
+__KERNEL_RCSID(0, "$NetBSD: route.c,v 1.119 2009/10/02 23:16:21 elad Exp $");
#include <sys/param.h>
#include <sys/sysctl.h>
@@ -108,6 +108,7 @@
#include <sys/kernel.h>
#include <sys/ioctl.h>
#include <sys/pool.h>
+#include <sys/kauth.h>
#include <net/if.h>
#include <net/if_dl.h>
@@ -138,6 +139,8 @@
static int _rtcache_debug = 0;
#endif /* RTFLUSH_DEBUG */
+static kauth_listener_t route_listener;
+
static int rtdeletemsg(struct rtentry *);
static int rtflushclone1(struct rtentry *, void *);
static void rtflushclone(sa_family_t family, struct rtentry *);
@@ -260,6 +263,22 @@
dom->dom_rtoffset);
}
+static int
+route_listener_cb(kauth_cred_t cred, kauth_action_t action, void *cookie,
+ void *arg0, void *arg1, void *arg2, void *arg3)
+{
+ struct rt_msghdr *rtm;
+ int result;
+
+ result = KAUTH_RESULT_DEFER;
+ rtm = arg1;
+
+ if (rtm->rtm_type == RTM_GET)
+ result = KAUTH_RESULT_ALLOW;
+
+ return result;
+}
+
void
route_init(void)
{
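Review bot: route_listener_cb casts arg1 to `struct rt_msghdr *` and reads `rtm->rtm_type` for every request delivered on the scope, but it never tests `action`, and the next hunk registers it on all of KAUTH_SCOPE_NETWORK, which also carries actions such as KAUTH_NETWORK_SOCKET (visible in the secmodel_suser hunk) whose arg1 is not a route message. A foreign or NULL arg1 is at best a wild dereference and at worst returns KAUTH_RESULT_ALLOW for an unrelated network request whenever the word at that offset happens to equal RTM_GET, i.e. the listener can grant more than the policy it replaces. Gate the shortcut before touching the message: `if (action != KAUTH_NETWORK_ROUTE || rtm == NULL) return result;` ahead of the rtm_type comparison. route_init begins at the end of this hunk and its body continues outside it.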
@@ -276,6 +295,9 @@
rt_init();
rn_init(); /* initialize all zeroes, all ones, mask table */
rtable_init((void **)rt_tables);
+
+ route_listener = kauth_listen_scope(KAUTH_SCOPE_NETWORK,
+ route_listener_cb, NULL);
}
void
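Review bot: The handle returned by kauth_listen_scope is stored in route_listener but neither checked nor used anywhere in this change, so if registration can fail (presumably the kauth API returns NULL for an unknown scope — confirm) the RTM_GET allowance is silently not installed and every routing-socket request falls through to the secmodel, which after this commit admits only root. That is the fail-closed direction, but the dependency is invisible at the call site and deserves a comment, e.g. `/* Listener grants RTM_GET to all users; if it is not installed, only root passes the suser policy. */`. route_init's body begins outside this hunk.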
diff -r 243f0bf661fa -r f9f81733f142 sys/secmodel/suser/secmodel_suser.c
--- a/sys/secmodel/suser/secmodel_suser.c Fri Oct 02 23:06:33 2009 +0000
+++ b/sys/secmodel/suser/secmodel_suser.c Fri Oct 02 23:16:21 2009 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: secmodel_suser.c,v 1.9 2009/10/02 23:06:33 elad Exp $ */
+/* $NetBSD: secmodel_suser.c,v 1.10 2009/10/02 23:16:21 elad Exp $ */
/*-
* Copyright (c) 2006 Elad Efrat <elad%NetBSD.org@localhost>
* All rights reserved.
@@ -38,7 +38,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: secmodel_suser.c,v 1.9 2009/10/02 23:06:33 elad Exp $");
+__KERNEL_RCSID(0, "$NetBSD: secmodel_suser.c,v 1.10 2009/10/02 23:16:21 elad Exp $");
#include <sys/types.h>
#include <sys/param.h>
@@ -865,16 +865,9 @@
break;
case KAUTH_NETWORK_ROUTE:
- switch (((struct rt_msghdr *)arg1)->rtm_type) {
- case RTM_GET:
+ if (isroot)
result = KAUTH_RESULT_ALLOW;
- break;
- default:
- if (isroot)
- result = KAUTH_RESULT_ALLOW;
- break;
- }
break;
case KAUTH_NETWORK_SOCKET:
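Review bot: The non-root RTM_GET allowance that this case used to grant now depends entirely on a listener in sys/net/route.c, and nothing in the secmodel says so; a reader of this switch will conclude that routing-socket messages are root-only, which is not the effective policy. Add `/* Non-root RTM_GET is allowed by route_listener_cb in sys/net/route.c. */` above the `if (isroot)` line so the split policy is discoverable from both sides. The enclosing switch starts and ends outside this hunk.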