tech-kern archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Socket reuse policy adaptation to kauth(9)
Hi,
The attached diff moves the socket reuse policy to a kauth(9) listener.
It has been tested and reviewed, but just in case I'd like to see if
someone else has any comments.
Please review. :)
Thanks,
-e.
Index: sys/netinet/in_pcb.c
===================================================================
RCS file: /cvsroot/src/sys/netinet/in_pcb.c,v
retrieving revision 1.137
diff -u -p -r1.137 in_pcb.c
--- sys/netinet/in_pcb.c 12 May 2009 22:22:46 -0000 1.137
+++ sys/netinet/in_pcb.c 30 Dec 2009 21:19:13 -0000
@@ -155,6 +155,34 @@ int lowportmin = IPPORT_RESERVEDMIN;
int lowportmax = IPPORT_RESERVEDMAX;
static struct pool inpcb_pool;
+static kauth_listener_t in_listener;
+
+static int
+in_listener_cb(kauth_cred_t cred, kauth_action_t action, void *cookie,
+ void *arg0, void *arg1, void *arg2, void *arg3)
+{
+ struct socket *so, *current_so;
+ enum kauth_network_req req;
+ int result;
+
+ result = KAUTH_RESULT_DEFER;
+ req = (enum kauth_network_req)arg0;
+
+ if ((action != KAUTH_NETWORK_BIND) ||
+ (req != KAUTH_REQ_NETWORK_BIND_REUSEPORT))
+ return result;
+
+ /* XXX-elad: Make sure this is an IPv4 socket. */
+
+ so = arg1;
+ current_so = arg3;
+
+ if (kauth_cred_geteuid(so->so_cred) ==
+ kauth_cred_geteuid(current_so->so_cred))
+ result = KAUTH_RESULT_ALLOW;
+
+ return result;
+}
static int
inpcb_poolinit(void)
@@ -162,6 +190,10 @@ inpcb_poolinit(void)
pool_init(&inpcb_pool, sizeof(struct inpcb), 0, 0, 0, "inpcbpl", NULL,
IPL_NET);
+
+ in_listener = kauth_listen_scope(KAUTH_SCOPE_NETWORK, in_listener_cb,
+ NULL);
+
return 0;
}
@@ -378,9 +410,9 @@ in_pcbbind_port(struct inpcb *inp, struc
return (EADDRINUSE);
#endif
- /* XXX-kauth */
- if (so->so_uidinfo->ui_uid &&
!IN_MULTICAST(sin->sin_addr.s_addr)) {
+ if (!IN_MULTICAST(sin->sin_addr.s_addr)) {
t = in_pcblookup_port(table, sin->sin_addr,
sin->sin_port, 1);
+
/*
* XXX: investigate ramifications of loosening this
* restriction so that as long as both ports have
@@ -389,11 +421,20 @@ in_pcbbind_port(struct inpcb *inp, struc
if (t &&
(!in_nullhost(sin->sin_addr) ||
!in_nullhost(t->inp_laddr) ||
- (t->inp_socket->so_options & SO_REUSEPORT) == 0)
- && (so->so_uidinfo->ui_uid !=
t->inp_socket->so_uidinfo->ui_uid)) {
- return (EADDRINUSE);
+ (t->inp_socket->so_options & SO_REUSEPORT) == 0)) {
+ /*
+ * Check if allowed to overrule the "in use"
+ * policy.
+ */
+ error = kauth_authorize_network(so->so_cred,
+ KAUTH_NETWORK_BIND,
+ KAUTH_REQ_NETWORK_BIND_REUSEPORT, so, sin,
+ t->inp_socket);
+ if (error)
+ return (EADDRINUSE);
}
}
+
t = in_pcblookup_port(table, sin->sin_addr, sin->sin_port,
wild);
if (t && (reuseport & t->inp_socket->so_options) == 0)
return (EADDRINUSE);
Index: sys/secmodel/suser/secmodel_suser.c
===================================================================
RCS file: /cvsroot/src/sys/secmodel/suser/secmodel_suser.c,v
retrieving revision 1.34
diff -u -p -r1.34 secmodel_suser.c
--- sys/secmodel/suser/secmodel_suser.c 29 Dec 2009 04:25:30 -0000 1.34
+++ sys/secmodel/suser/secmodel_suser.c 30 Dec 2009 21:19:13 -0000
@@ -622,6 +622,7 @@ secmodel_suser_network_cb(kauth_cred_t c
switch (req) {
case KAUTH_REQ_NETWORK_BIND_PORT:
case KAUTH_REQ_NETWORK_BIND_PRIVPORT:
+ case KAUTH_REQ_NETWORK_BIND_REUSEPORT:
if (isroot)
result = KAUTH_RESULT_ALLOW;
break;
Index: sys/sys/kauth.h
===================================================================
RCS file: /cvsroot/src/sys/sys/kauth.h,v
retrieving revision 1.64
diff -u -p -r1.64 kauth.h
--- sys/sys/kauth.h 24 Dec 2009 19:02:07 -0000 1.64
+++ sys/sys/kauth.h 30 Dec 2009 21:19:14 -0000
@@ -226,6 +226,7 @@ enum kauth_network_req {
KAUTH_REQ_NETWORK_INTERFACE_SLIP_ADD,
KAUTH_REQ_NETWORK_INTERFACE_STRIP_ADD,
KAUTH_REQ_NETWORK_INTERFACE_TUN_ADD,
+ KAUTH_REQ_NETWORK_BIND_REUSEPORT,
};
/*
Home |
Main Index |
Thread Index |
Old Index