Module Name: src Committed By: elad Date: Fri Oct 2 23:16:22 UTC 2009
Modified Files: src/sys/net: route.c src/sys/secmodel/suser: secmodel_suser.c Log Message: Move routing socket security policy back to the subsystem. To generate a diff of this commit: cvs rdiff -u -r1.118 -r1.119 src/sys/net/route.c cvs rdiff -u -r1.9 -r1.10 src/sys/secmodel/suser/secmodel_suser.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/sys/net/route.c diff -u src/sys/net/route.c:1.118 src/sys/net/route.c:1.119 --- src/sys/net/route.c:1.118 Wed Sep 16 15:23:04 2009 +++ src/sys/net/route.c Fri Oct 2 23:16:21 2009 @@ -1,4 +1,4 @@ -/* $NetBSD: route.c,v 1.118 2009/09/16 15:23:04 pooka Exp $ */ +/* $NetBSD: route.c,v 1.119 2009/10/02 23:16:21 elad Exp $ */ /*- * Copyright (c) 1998, 2008 The NetBSD Foundation, Inc. @@ -93,7 +93,7 @@ #include "opt_route.h" #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: route.c,v 1.118 2009/09/16 15:23:04 pooka Exp $"); +__KERNEL_RCSID(0, "$NetBSD: route.c,v 1.119 2009/10/02 23:16:21 elad Exp $"); #include <sys/param.h> #include <sys/sysctl.h> @@ -108,6 +108,7 @@ #include <sys/kernel.h> #include <sys/ioctl.h> #include <sys/pool.h> +#include <sys/kauth.h> #include <net/if.h> #include <net/if_dl.h> @@ -138,6 +139,8 @@ static int _rtcache_debug = 0; #endif /* RTFLUSH_DEBUG */ +static kauth_listener_t route_listener; + static int rtdeletemsg(struct rtentry *); static int rtflushclone1(struct rtentry *, void *); static void rtflushclone(sa_family_t family, struct rtentry *); @@ -260,6 +263,22 @@ dom->dom_rtoffset); } +static int +route_listener_cb(kauth_cred_t cred, kauth_action_t action, void *cookie, + void *arg0, void *arg1, void *arg2, void *arg3) +{ + struct rt_msghdr *rtm; + int result; + + result = KAUTH_RESULT_DEFER; + rtm = arg1; + + if (rtm->rtm_type == RTM_GET) + result = KAUTH_RESULT_ALLOW; + + return result; +} + void route_init(void) { @@ -276,6 +295,9 @@ rt_init(); rn_init(); /* initialize all zeroes, all ones, mask table */ rtable_init((void **)rt_tables); + + route_listener = kauth_listen_scope(KAUTH_SCOPE_NETWORK, + route_listener_cb, NULL); } void Index: src/sys/secmodel/suser/secmodel_suser.c diff -u src/sys/secmodel/suser/secmodel_suser.c:1.9 src/sys/secmodel/suser/secmodel_suser.c:1.10 --- src/sys/secmodel/suser/secmodel_suser.c:1.9 Fri Oct 2 23:06:33 2009 +++ src/sys/secmodel/suser/secmodel_suser.c Fri Oct 2 23:16:21 2009 
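Review bot: In the `@@ -260,6 +263,22 @@` hunk, `route_listener_cb` is registered on all of `KAUTH_SCOPE_NETWORK` (see the `kauth_listen_scope(KAUTH_SCOPE_NETWORK, ...)` call in the following hunk) but never checks `action` before reading `arg1` as a `struct rt_msghdr *`, so it runs for every network-scope request, not just `KAUTH_NETWORK_ROUTE`. The secmodel hunk in this same commit shows the `rt_msghdr` cast of `arg1` was previously confined to the `KAUTH_NETWORK_ROUTE` case, so for other actions `arg1` is presumably something else and the listener would dereference an unrelated pointer and return `KAUTH_RESULT_ALLOW` whenever the word at the `rtm_type` offset happens to equal `RTM_GET` — a policy bypass rather than a defer. Add the guard before the dereference: `if (action != KAUTH_NETWORK_ROUTE) return result;` (and, if callers can pass a NULL request, fold in `|| rtm == NULL`). A one-line comment such as `/* Only the route request carries an rt_msghdr in arg1; defer everything else. */` would document why the check is there.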
@@ -1,4 +1,4 @@ -/* $NetBSD: secmodel_suser.c,v 1.9 2009/10/02 23:06:33 elad Exp $ */ +/* $NetBSD: secmodel_suser.c,v 1.10 2009/10/02 23:16:21 elad Exp $ */ /*- * Copyright (c) 2006 Elad Efrat <e...@netbsd.org> * All rights reserved. @@ -38,7 +38,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: secmodel_suser.c,v 1.9 2009/10/02 23:06:33 elad Exp $"); +__KERNEL_RCSID(0, "$NetBSD: secmodel_suser.c,v 1.10 2009/10/02 23:16:21 elad Exp $"); #include <sys/types.h> #include <sys/param.h> @@ -865,16 +865,9 @@ break; case KAUTH_NETWORK_ROUTE: - switch (((struct rt_msghdr *)arg1)->rtm_type) { - case RTM_GET: + if (isroot) result = KAUTH_RESULT_ALLOW; - break; - default: - if (isroot) - result = KAUTH_RESULT_ALLOW; - break; - } break; case KAUTH_NETWORK_SOCKET:
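Review bot: The rewritten `case KAUTH_NETWORK_ROUTE` in the `@@ -865,16 +865,9 @@` hunk no longer says why `RTM_GET` is not special-cased, so someone reading secmodel_suser.c on its own will conclude that non-root `RTM_GET` is now refused by this model; it is only still permitted because net/route.c in this commit registers its own network-scope listener that returns `KAUTH_RESULT_ALLOW` for `RTM_GET`. I'd put a comment above the `if (isroot)`: `/* Non-root RTM_GET is allowed by the routing subsystem's own listener (net/route.c); only root is granted everything else here. */`. The enclosing callback, and the initialisation of `result` and `isroot` it relies on, start and end outside this hunk.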