Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
freebsd
GitHub Repository: freebsd/freebsd-src
 Path: blob/main/sys/netinet/in_prot.c
39475 views
1
/*-

2
 * Copyright (c) 2000-2001 Robert N. M. Watson.

3
 * All rights reserved.

4
 *

5
 * Redistribution and use in source and binary forms, with or without

6
 * modification, are permitted provided that the following conditions

7
 * are met:

8
 * 1. Redistributions of source code must retain the above copyright

9
 *    notice, this list of conditions and the following disclaimer.

10
 * 2. Redistributions in binary form must reproduce the above copyright

11
 *    notice, this list of conditions and the following disclaimer in the

12
 *    documentation and/or other materials provided with the distribution.

13
 *

14
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND

15
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

16
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

17
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE

18
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

19
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

20
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

21
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

22
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

23
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

24
 * SUCH DAMAGE.

25
 *

26
 */

27


28
/*

29
 * Helpers related to visibility and protection of sockets and inpcb.

30
 */

31


32
#include <sys/systm.h>

33
#include <sys/jail.h>

34
#include <sys/kernel.h>

35
#include <sys/lock.h>

36
#include <sys/mutex.h>

37
#include <sys/priv.h>

38
#include <sys/proc.h>

39
#include <sys/socket.h>

40


41
#include <netinet/in.h>

42
#include <netinet/in_pcb.h>

43
#include <netinet/in_systm.h>

44


45
#include <security/audit/audit.h>

46
#include <security/mac/mac_framework.h>

47


48
/*-

49
 * Determine whether the subject represented by cred can "see" a socket.

50
 * Returns: 0 for permitted, ENOENT otherwise.

51
 */

52
int

53
cr_canseeinpcb(struct ucred *cred, struct inpcb *inp)

54
{

55
	int error;

56


57
	error = prison_check(cred, inp->inp_cred);

58
	if (error)

59
		return (ENOENT);

60
#ifdef MAC

61
	INP_LOCK_ASSERT(inp);

62
	error = mac_inpcb_check_visible(cred, inp);

63
	if (error)

64
		return (error);

65
#endif

66
	if (cr_bsd_visible(cred, inp->inp_cred))

67
		return (ENOENT);

68


69
	return (0);

70
}

71


72
bool

73
cr_canexport_ktlskeys(struct thread *td, struct inpcb *inp)

74
{

75
	int error;

76


77
	if (cr_canseeinpcb(td->td_ucred, inp) == 0 &&

78
	    cr_xids_subset(td->td_ucred, inp->inp_cred))

79
		return (true);

80
	error = priv_check(td, PRIV_NETINET_KTLSKEYS);

81
	return (error == 0);

82


83
}

84


85