Index: sys/conf/files
===================================================================
--- sys/conf/files
+++ sys/conf/files
@@ -3730,6 +3730,7 @@
 netinet/in_mcast.c optional inet
 netinet/in_pcb.c optional inet | inet6
 netinet/in_pcbgroup.c optional inet pcbgroup | inet6 pcbgroup
+netinet/in_prot.c optional inet | inet6
 netinet/in_proto.c optional inet | inet6
 netinet/in_rmx.c optional inet
 netinet/in_rss.c optional inet rss
Index: sys/kern/kern_prot.c
===================================================================
--- sys/kern/kern_prot.c
+++ sys/kern/kern_prot.c
@@ -76,11 +76,6 @@
 "Kernel support for interfaces necessary for regression testing (SECURITY RISK!)");
 #endif
-#if defined(INET) || defined(INET6)
-#include
-#include
-#endif
-
 #include
 #include
@@ -1342,8 +1337,8 @@
 * References: *u1 and *u2 must not change during the call
 * u1 may equal u2, in which case only one reference is required
 */
-static int
-cr_seeotheruids(struct ucred *u1, struct ucred *u2)
+int
+cr_canseeotheruids(struct ucred *u1, struct ucred *u2)
 {
 
 if (!see_other_uids && u1->cr_ruid != u2->cr_ruid) {
@@ -1372,8 +1367,8 @@
 * References: *u1 and *u2 must not change during the call
 * u1 may equal u2, in which case only one reference is required
 */
-static int
-cr_seeothergids(struct ucred *u1, struct ucred *u2)
+int
+cr_canseeothergids(struct ucred *u1, struct ucred *u2)
 {
 int i, match;
@@ -1411,9 +1406,9 @@
 if ((error = mac_cred_check_visible(u1, u2)))
 return (error);
 #endif
- if ((error = cr_seeotheruids(u1, u2)))
+ if ((error = cr_canseeotheruids(u1, u2)))
 return (error);
- if ((error = cr_seeothergids(u1, u2)))
+ if ((error = cr_canseeothergids(u1, u2)))
 return (error);
 return (0);
 }
@@ -1472,9 +1467,9 @@
 if ((error = mac_proc_check_signal(cred, proc, signum)))
 return (error);
 #endif
- if ((error = cr_seeotheruids(cred, proc->p_ucred)))
+ if ((error = cr_canseeotheruids(cred, proc->p_ucred)))
 return (error);
- if ((error = cr_seeothergids(cred, proc->p_ucred)))
+ if ((error = cr_canseeothergids(cred, proc->p_ucred)))
 return (error);
 /*
@@ -1589,9 +1584,9 @@
 if ((error = mac_proc_check_sched(td->td_ucred, p)))
 return (error);
 #endif
- if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred)))
+ if ((error = cr_canseeotheruids(td->td_ucred, p->p_ucred)))
 return (error);
- if ((error = cr_seeothergids(td->td_ucred, p->p_ucred)))
+ if ((error = cr_canseeothergids(td->td_ucred, p->p_ucred)))
 return (error);
 if (td->td_ucred->cr_ruid != p->p_ucred->cr_ruid &&
 td->td_ucred->cr_uid != p->p_ucred->cr_ruid) {
@@ -1646,9 +1641,9 @@
 if ((error = mac_proc_check_debug(td->td_ucred, p)))
 return (error);
 #endif
- if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred)))
+ if ((error = cr_canseeotheruids(td->td_ucred, p->p_ucred)))
 return (error);
- if ((error = cr_seeothergids(td->td_ucred, p->p_ucred)))
+ if ((error = cr_canseeothergids(td->td_ucred, p->p_ucred)))
 return (error);
 /*
@@ -1740,42 +1735,14 @@
 if (error)
 return (error);
 #endif
- if (cr_seeotheruids(cred, so->so_cred))
+ if (cr_canseeotheruids(cred, so->so_cred))
 return (ENOENT);
- if (cr_seeothergids(cred, so->so_cred))
+ if (cr_canseeothergids(cred, so->so_cred))
 return (ENOENT);
 return (0);
 }
-#if defined(INET) || defined(INET6)
-/*-
- * Determine whether the subject represented by cred can "see" a socket.
- * Returns: 0 for permitted, ENOENT otherwise.
- */
-int
-cr_canseeinpcb(struct ucred *cred, struct inpcb *inp)
-{
- int error;
-
- error = prison_check(cred, inp->inp_cred);
- if (error)
- return (ENOENT);
-#ifdef MAC
- INP_LOCK_ASSERT(inp);
- error = mac_inpcb_check_visible(cred, inp);
- if (error)
- return (error);
-#endif
- if (cr_seeotheruids(cred, inp->inp_cred))
- return (ENOENT);
- if (cr_seeothergids(cred, inp->inp_cred))
- return (ENOENT);
-
- return (0);
-}
-#endif
-
 /*-
 * Determine whether td can wait for the exit of p.
 * Returns: 0 for permitted, an errno value otherwise
@@ -1800,7 +1767,7 @@
 #endif
 #if 0 /* XXXMAC: This could have odd effects on some shells. */
- if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred)))
+ if ((error = cr_canseeotheruids(td->td_ucred, p->p_ucred)))
 return (error);
 #endif
Index: sys/netinet/in_prot.c
===================================================================
--- /dev/null
+++ sys/netinet/in_prot.c
@@ -0,0 +1,91 @@
+/*-
+ * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993
+ * The Regents of the University of California.
+ * (c) UNIX System Laboratories, Inc.
+ * Copyright (c) 2000-2001 Robert N. M. Watson.
+ * All rights reserved.
+ *
+ * All or some portions of this file are derived from material licensed
+ * to the University of California by American Telephone and Telegraph
+ * Co. or Unix System Laboratories, Inc. and are reproduced herein with
+ * the permission of UNIX System Laboratories, Inc.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 4. Neither the name of the University nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * @(#)kern_prot.c 8.6 (Berkeley) 1/21/94
+ */
+
+/*
+ * System calls related to processes and protection
+ */
+
+#include
+__FBSDID("$FreeBSD$");
+
+#include "opt_compat.h"
+#include "opt_inet.h"
+#include "opt_inet6.h"
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include
+#include
+#include
+
+#include
+#include
+
+/*-
+ * Determine whether the subject represented by cred can "see" a socket.
+ * Returns: 0 for permitted, ENOENT otherwise.
+ */
+int
+cr_canseeinpcb(struct ucred *cred, struct inpcb *inp)
+{
+ int error;
+
+ error = prison_check(cred, inp->inp_cred);
+ if (error)
+ return (ENOENT);
+#ifdef MAC
+ INP_LOCK_ASSERT(inp);
+ error = mac_inpcb_check_visible(cred, inp);
+ if (error)
+ return (error);
+#endif
+ if (cr_canseeotheruids(cred, inp->inp_cred))
+ return (ENOENT);
+ if (cr_canseeothergids(cred, inp->inp_cred))
+ return (ENOENT);
+
+ return (0);
+}
Index: sys/netinet/in_systm.h
===================================================================
--- sys/netinet/in_systm.h
+++ sys/netinet/in_systm.h
@@ -55,6 +55,11 @@
 typedef u_int32_t n_time; /* ms since 00:00 UTC, byte rev */
 #ifdef _KERNEL
+struct inpcb;
+struct ucred;
+
+int cr_canseeinpcb(struct ucred *cred, struct inpcb *inp);
+
 uint32_t iptime(void);
 #endif
Index: sys/netinet6/ip6_forward.c
===================================================================
--- sys/netinet6/ip6_forward.c
+++ sys/netinet6/ip6_forward.c
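Review bot: The file comment `System calls related to processes and protection` near the top of the new in_prot.c is carried over from kern_prot.c and does not describe this file, which defines no system calls; a comment such as `Credential-based visibility checks for Internet protocol control blocks` would match the contents. The `#include "opt_compat.h"` line looks inherited for the same reason, since nothing visible in the file depends on a COMPAT option, though a header included below it might. In cr_canseeinpcb the `INP_LOCK_ASSERT(inp)` is compiled only under `#ifdef MAC`, so non-MAC builds never check the locking contract even though `inp->inp_cred` is read on every path; if callers are required to hold the inpcb lock here, hoisting that assertion above the `#ifdef MAC` would document and enforce the contract in every configuration. The function comment says the subject can "see" a socket, but the argument is an inpcb, so `can "see" an inpcb` would be more precise.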
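Review bot: Declaring `cr_canseeinpcb` in in_systm.h requires the two forward declarations `struct inpcb;` and `struct ucred;` added above it, whereas netinet/in_pcb.h, which defines struct inpcb, would need neither and already groups the kernel-side inpcb prototypes; placing the prototype there would keep the inpcb API in one header. This is a placement preference only; the declaration itself matches the definition in in_prot.c. Note that in_systm.h previously held only `iptime()` in its _KERNEL section, so readers may not expect a credential check to live here.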
@@ -104,9 +104,6 @@
 #ifdef IPSEC
 struct secpolicy *sp = NULL;
 #endif
-#ifdef SCTP
- int sw_csum;
-#endif
 struct m_tag *fwd_tag;
 char ip6bufs[INET6_ADDRSTRLEN], ip6bufd[INET6_ADDRSTRLEN];
Index: sys/sys/systm.h
===================================================================
--- sys/sys/systm.h
+++ sys/sys/systm.h
@@ -315,7 +315,8 @@
 int cr_cansee(struct ucred *u1, struct ucred *u2);
 int cr_canseesocket(struct ucred *cred, struct socket *so);
-int cr_canseeinpcb(struct ucred *cred, struct inpcb *inp);
+int cr_canseeothergids(struct ucred *u1, struct ucred *u2);
+int cr_canseeotheruids(struct ucred *u1, struct ucred *u2);
 char *kern_getenv(const char *name);
 void freeenv(char *env);
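Review bot: Removing the `cr_canseeinpcb` prototype from sys/systm.h means every existing caller that obtained it from this header now needs `#include <netinet/in_systm.h>`; none of those call sites are touched in this diff, so whether they already include that header cannot be confirmed here and should be checked against a full build. If systm.h carried a `struct inpcb;` forward declaration only for this prototype, it is now unused after this hunk and could be dropped, though that line is outside the visible context. The two new prototypes for `cr_canseeothergids` and `cr_canseeotheruids` match the un-static'd definitions in kern_prot.c, so no mismatch is visible.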