From 6fac927ccce3ef8b638e9e91c8aacf47f52672ad Mon Sep 17 00:00:00 2001 From: Robert Watson Date: Thu, 22 Feb 2007 09:37:44 +0000 Subject: [PATCH] Add an additional MAC check to the UNIX domain socket connect path: check that the subject has read/write access to the vnode using the vnode MAC check. MFC after: 3 weeks Submitted by: Spencer Minear Obtained from: TrustedBSD Project --- sys/kern/uipc_usrreq.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/sys/kern/uipc_usrreq.c b/sys/kern/uipc_usrreq.c index 64fe6997e5b..892253ef9e3 100644 --- a/sys/kern/uipc_usrreq.c +++ b/sys/kern/uipc_usrreq.c @@ -965,6 +965,11 @@ unp_connect(struct socket *so, struct sockaddr *nam, struct thread *td) error = ENOTSOCK; goto bad; } +#ifdef MAC + error = mac_check_vnode_open(td->td_ucred, vp, VWRITE | VREAD); + if (error) + goto bad; +#endif error = VOP_ACCESS(vp, VWRITE, td->td_ucred, td); if (error) goto bad;
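Review bot: the new MAC check in unp_connect() requests VWRITE | VREAD, while the VOP_ACCESS() call directly below it checks only VWRITE, so with MAC compiled in a subject needs read access to the socket vnode that the discretionary check does not ask for. The commit message says read/write is what is intended, so a short comment above the #ifdef MAC block explaining why connect needs both modes would stop the two checks from looking like a mismatch to later readers. The block also reuses mac_check_vnode_open() for a connect, which means policies are consulted through the open entry point and cannot tell from the call that this is a socket connect; that is worth stating in the same comment. The placement itself looks right: the check runs after the ENOTSOCK test, before VOP_ACCESS(), and a failure goes to the existing bad label.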