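--- a/sys/security/mac_portacl/mac_portacl.c
+++ b/sys/security/mac_portacl/mac_portacl.c
@@ -1,8 +1,8 @@
 /*-
  * Copyright (c) 2003-2004 Networks Associates Technology, Inc.
  * All rights reserved.
  *
  * This software was developed for the FreeBSD Project by Network
  * Associates Laboratories, the Security Research Division of Network
  * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
  * as part of the DARPA CHATS research program.
@@ -23,17 +23,17 @@
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $FreeBSD: head/sys/security/mac_portacl/mac_portacl.c 163208 2006-10-10 17:04:19Z rwatson $
+ * $FreeBSD: head/sys/security/mac_portacl/mac_portacl.c 164033 2006-11-06 13:42:10Z rwatson $
  */
 
 /*
  * Developed by the TrustedBSD Project.
  *
  * Administratively limit access to local UDP/TCP ports for binding purposes.
  * Intended to be combined with net.inet.ip.portrange.reservedhigh to allow
  * specific uids and gids to bind specific ports for specific purposes,
@@ -61,16 +61,17 @@
 #include <sys/domain.h>
 #include <sys/kernel.h>
 #include <sys/libkern.h>
 #include <sys/lock.h>
 #include <sys/mac.h>
 #include <sys/malloc.h>
 #include <sys/mount.h>
 #include <sys/mutex.h>
+#include <sys/priv.h>
 #include <sys/proc.h>
 #include <sys/protosw.h>
 #include <sys/queue.h>
 #include <sys/systm.h>
 #include <sys/sysproto.h>
 #include <sys/sysent.h>
 #include <sys/file.h>
 #include <sys/sbuf.h>
@@ -422,17 +423,18 @@
 			}
 		} else
 			panic("rules_check: unknown rule type %d",
 			    rule->r_idtype);
 	}
 	mtx_unlock(&rule_mtx);
 
 	if (error != 0 && mac_portacl_suser_exempt != 0)
-		error = suser_cred(cred, SUSER_ALLOWJAIL);
+		error = priv_check_cred(cred, PRIV_NETINET_RESERVEDPORT,
+		    SUSER_ALLOWJAIL);
 
 	return (error);
 }
 
 /*
  * Note, this only limits the ability to explicitly bind a port, it
  * doesn't limit implicitly bound ports for outgoing connections where
  * the source port is left up to the IP stack to determine automatically.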
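Review bot: The exemption at new line 431 is now keyed on PRIV_NETINET_RESERVEDPORT, but nothing near the call says why that particular privilege replaces the former blanket suser_cred() test, and the name mac_portacl_suser_exempt still reads as a generic superuser switch. A short comment above the call would close that gap, e.g. `/* Suser exemption is granted through the reserved-port privilege, since this module is meant to complement net.inet.ip.portrange.reservedhigh. */`. Note also that the privilege check runs only after the rule table has already produced an error, and a privileged caller then returns 0 exactly like a rule match does, so callers cannot tell the two outcomes apart; if that distinction matters for auditing, keeping the rule-table result separate would help. The enclosing function rules_check() begins outside the hunk.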