Move routing socket security policy back to the subsystem.

2009-10-02 23:16:21 +00:00 · 2009-10-02 23:16:21 +00:00 · 9f0d81cf10
parent 198c6aa6f5
commit 9f0d81cf10
2 changed files with 27 additions and 12 deletions
--- a/sys/net/route.c
+++ b/sys/net/route.c
@ -1,4 +1,4 @@
-/*	$NetBSD: route.c,v 1.118 2009/09/16 15:23:04 pooka Exp $	*/
+/*	$NetBSD: route.c,v 1.119 2009/10/02 23:16:21 elad Exp $	*/

 /*-
 * Copyright (c) 1998, 2008 The NetBSD Foundation, Inc.
@ -93,7 +93,7 @@
 #include "opt_route.h"

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: route.c,v 1.118 2009/09/16 15:23:04 pooka Exp $");
+__KERNEL_RCSID(0, "$NetBSD: route.c,v 1.119 2009/10/02 23:16:21 elad Exp $");

 #include <sys/param.h>
 #include <sys/sysctl.h>
@ -108,6 +108,7 @@ __KERNEL_RCSID(0, "$NetBSD: route.c,v 1.118 2009/09/16 15:23:04 pooka Exp $");
 #include <sys/kernel.h>
 #include <sys/ioctl.h>
 #include <sys/pool.h>
+#include <sys/kauth.h>

 #include <net/if.h>
 #include <net/if_dl.h>
@ -138,6 +139,8 @@ struct callout rt_timer_ch; /* callout for rt_timer_timer() */
 static int _rtcache_debug = 0;
 #endif /* RTFLUSH_DEBUG */

+static kauth_listener_t route_listener;
+
 static int rtdeletemsg(struct rtentry *);
 static int rtflushclone1(struct rtentry *, void *);
 static void rtflushclone(sa_family_t family, struct rtentry *);
@ -260,6 +263,22 @@ rtable_init(void **table)
 			    dom->dom_rtoffset);
 }

+static int
+route_listener_cb(kauth_cred_t cred, kauth_action_t action, void *cookie,
+    void *arg0, void *arg1, void *arg2, void *arg3)
+{
+	struct rt_msghdr *rtm;
+	int result;
+
+	result = KAUTH_RESULT_DEFER;
+	rtm = arg1;
+
+	if (rtm->rtm_type == RTM_GET)
+		result = KAUTH_RESULT_ALLOW;
+
+	return result;
+}
+
 void
 route_init(void)
 {
@ -276,6 +295,9 @@ route_init(void)
 	rt_init();
 	rn_init();	/* initialize all zeroes, all ones, mask table */
 	rtable_init((void **)rt_tables);
+
+	route_listener = kauth_listen_scope(KAUTH_SCOPE_NETWORK,
+	    route_listener_cb, NULL);
 }

 void
--- a/sys/secmodel/suser/secmodel_suser.c
+++ b/sys/secmodel/suser/secmodel_suser.c
@ -1,4 +1,4 @@
-/* $NetBSD: secmodel_suser.c,v 1.9 2009/10/02 23:06:33 elad Exp $ */
+/* $NetBSD: secmodel_suser.c,v 1.10 2009/10/02 23:16:21 elad Exp $ */
 /*-
 * Copyright (c) 2006 Elad Efrat <elad@NetBSD.org>
 * All rights reserved.
@ -38,7 +38,7 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: secmodel_suser.c,v 1.9 2009/10/02 23:06:33 elad Exp $");
+__KERNEL_RCSID(0, "$NetBSD: secmodel_suser.c,v 1.10 2009/10/02 23:16:21 elad Exp $");

 #include <sys/types.h>
 #include <sys/param.h>
@ -865,16 +865,9 @@ secmodel_suser_network_cb(kauth_cred_t cred, kauth_action_t action,
 		break;

 	case KAUTH_NETWORK_ROUTE:
-		switch (((struct rt_msghdr *)arg1)->rtm_type) {
-		case RTM_GET:
+		if (isroot)
 			result = KAUTH_RESULT_ALLOW;
-			break;

-		default:
-			if (isroot)
-				result = KAUTH_RESULT_ALLOW;
-			break;
-		}
 		break;

 	case KAUTH_NETWORK_SOCKET: