Add an additional MAC check to the UNIX domain socket connect path:

check that the subject has read/write access to the vnode using the vnode MAC check. MFC after: 3 weeks Submitted by: Spencer Minear <spencer_minear at securecomputing dot com> Obtained from: TrustedBSD Project
2026-05-28 04:12:45 -04:00 · 2007-02-22 09:37:44 +00:00 · 2007-02-22 09:37:44 +00:00 · 6fac927ccc
commit 6fac927ccc
parent 0cd31a0d75
1 changed files with 5 additions and 0 deletions
--- a/sys/kern/uipc_usrreq.c
+++ b/sys/kern/uipc_usrreq.c
@ -965,6 +965,11 @@ unp_connect(struct socket *so, struct sockaddr *nam, struct thread *td)
 		error = ENOTSOCK;
 		goto bad;
 	}
+#ifdef MAC
+	error = mac_check_vnode_open(td->td_ucred, vp, VWRITE | VREAD);
+	if (error)
+		goto bad;
+#endif
 	error = VOP_ACCESS(vp, VWRITE, td->td_ucred, td);
 	if (error)
 		goto bad;