Move routing socket security policy back to the subsystem.
parent
198c6aa6f5
commit
9f0d81cf10
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: route.c,v 1.118 2009/09/16 15:23:04 pooka Exp $ */
|
||||
/* $NetBSD: route.c,v 1.119 2009/10/02 23:16:21 elad Exp $ */
|
||||
|
||||
/*-
|
||||
* Copyright (c) 1998, 2008 The NetBSD Foundation, Inc.
|
||||
|
@ -93,7 +93,7 @@
|
|||
#include "opt_route.h"
|
||||
|
||||
#include <sys/cdefs.h>
|
||||
__KERNEL_RCSID(0, "$NetBSD: route.c,v 1.118 2009/09/16 15:23:04 pooka Exp $");
|
||||
__KERNEL_RCSID(0, "$NetBSD: route.c,v 1.119 2009/10/02 23:16:21 elad Exp $");
|
||||
|
||||
#include <sys/param.h>
|
||||
#include <sys/sysctl.h>
|
||||
|
@ -108,6 +108,7 @@ __KERNEL_RCSID(0, "$NetBSD: route.c,v 1.118 2009/09/16 15:23:04 pooka Exp $");
|
|||
#include <sys/kernel.h>
|
||||
#include <sys/ioctl.h>
|
||||
#include <sys/pool.h>
|
||||
#include <sys/kauth.h>
|
||||
|
||||
#include <net/if.h>
|
||||
#include <net/if_dl.h>
|
||||
|
@ -138,6 +139,8 @@ struct callout rt_timer_ch; /* callout for rt_timer_timer() */
|
|||
static int _rtcache_debug = 0;
|
||||
#endif /* RTFLUSH_DEBUG */
|
||||
|
||||
static kauth_listener_t route_listener;
|
||||
|
||||
static int rtdeletemsg(struct rtentry *);
|
||||
static int rtflushclone1(struct rtentry *, void *);
|
||||
static void rtflushclone(sa_family_t family, struct rtentry *);
|
||||
|
@ -260,6 +263,22 @@ rtable_init(void **table)
|
|||
dom->dom_rtoffset);
|
||||
}
|
||||
|
||||
static int
|
||||
route_listener_cb(kauth_cred_t cred, kauth_action_t action, void *cookie,
|
||||
void *arg0, void *arg1, void *arg2, void *arg3)
|
||||
{
|
||||
struct rt_msghdr *rtm;
|
||||
int result;
|
||||
|
||||
result = KAUTH_RESULT_DEFER;
|
||||
rtm = arg1;
|
||||
|
||||
if (rtm->rtm_type == RTM_GET)
|
||||
result = KAUTH_RESULT_ALLOW;
|
||||
|
||||
return result;
|
||||
}
|
||||
|
||||
void
|
||||
route_init(void)
|
||||
{
|
||||
|
@ -276,6 +295,9 @@ route_init(void)
|
|||
rt_init();
|
||||
rn_init(); /* initialize all zeroes, all ones, mask table */
|
||||
rtable_init((void **)rt_tables);
|
||||
|
||||
route_listener = kauth_listen_scope(KAUTH_SCOPE_NETWORK,
|
||||
route_listener_cb, NULL);
|
||||
}
|
||||
|
||||
void
|
||||
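Review bot: route_listener_cb reads `rtm->rtm_type` from arg1 without first checking that action is KAUTH_NETWORK_ROUTE, yet route_init registers it with kauth_listen_scope(KAUTH_SCOPE_NETWORK, ...), so the callback also fires for every other network-scope action, where arg1 is not a struct rt_msghdr (as I understand the scope, the socket action passes plain integers cast to void *, and some actions pass NULL). That is at best an invalid read and at worst a spurious KAUTH_RESULT_ALLOW whenever the word at the rtm_type offset happens to equal RTM_GET, which would let an unrelated request skip the secmodel. Guard on the action before the dereference, for example right after `rtm = arg1;` add `if (action != KAUTH_NETWORK_ROUTE) return result;`. route_init's body is split across this hunk and the following one, and the secmodel_suser.c change below relies on this listener being the only place RTM_GET is allowed to non-root.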
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: secmodel_suser.c,v 1.9 2009/10/02 23:06:33 elad Exp $ */
|
||||
/* $NetBSD: secmodel_suser.c,v 1.10 2009/10/02 23:16:21 elad Exp $ */
|
||||
/*-
|
||||
* Copyright (c) 2006 Elad Efrat <elad@NetBSD.org>
|
||||
* All rights reserved.
|
||||
|
@ -38,7 +38,7 @@
|
|||
*/
|
||||
|
||||
#include <sys/cdefs.h>
|
||||
__KERNEL_RCSID(0, "$NetBSD: secmodel_suser.c,v 1.9 2009/10/02 23:06:33 elad Exp $");
|
||||
__KERNEL_RCSID(0, "$NetBSD: secmodel_suser.c,v 1.10 2009/10/02 23:16:21 elad Exp $");
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <sys/param.h>
|
||||
|
@ -865,16 +865,9 @@ secmodel_suser_network_cb(kauth_cred_t cred, kauth_action_t action,
|
|||
break;
|
||||
|
||||
case KAUTH_NETWORK_ROUTE:
|
||||
switch (((struct rt_msghdr *)arg1)->rtm_type) {
|
||||
case RTM_GET:
|
||||
if (isroot)
|
||||
result = KAUTH_RESULT_ALLOW;
|
||||
break;
|
||||
|
||||
default:
|
||||
if (isroot)
|
||||
result = KAUTH_RESULT_ALLOW;
|
||||
break;
|
||||
}
|
||||
break;
|
||||
|
||||
case KAUTH_NETWORK_SOCKET:
|
||||
|
|