To minimize the overhead of permission checks, two AVC entry reference fields (avcr and peer_avcr) were added to the struct sock structure and one AVC entry reference field was added to the struct device structure. The sk_alloc function initializes these fields for new socket objects. The devinet_ioctl function initializes this field for devices when they are first accessed.
Since acceptfrom permission is initially checked by TCP when the open request object is created, an AVC entry reference field (avcr) was added to the struct open_request structure. This field is initialized when an open request object is created by the cookie_v4_check function or the tcp_v4_conn_request function. The field is set in these functions when it is used for the acceptfrom permission check.
To permit the connectto and acceptfrom permissions to be revalidated when traffic is sent or received on an established connection, a connection permission field (conn_perm) was also added to the struct sock structure. When a new TCP server socket is created, the tcp_create_openreq_child function sets the conn_perm field to the acceptfrom permission, and it copies the avcr field from the open request object into the peer_avcr field. For client TCP sockets, the tcp_rcv_state_process function sets the conn_perm field to the connectto permission. The peer_avcr field is set in this function when it is used for the connectto permission check. For Unix stream sockets, the conn_perm and peer_avcr fields are set by unix_stream_connect for both the client socket and the server socket.
The control requirements implemented in each kernel function for TCP communication are shown in Table 32. Only the class and permission are shown for each control requirement; the source SID and target SID can be found in the corresponding design table. If connectto permission is denied during connection establishment, a connection refused error is returned to the local process and the socket is shut down. If acceptfrom or newconn permission is denied during connection establishment, a TCP reset is sent in reply to the connection request. The permission stored in the conn_perm field is revalidated by the tcp_do_sendmsg and tcp_rcv_established functions. If permission is no longer granted when tcp_rcv_established receives a message on a connection or when tcp_do_sendmsg attempts to send a message on a connection, then a connection reset error is returned to the local process and the socket is shut down. If tcp_send or tcp_recv permission is denied, then an ICMP port unreachable message is sent if the message was locally generated or an ICMP host unreachable message is sent if the message is being forwarded.
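The following is an added, constructed model of the AVC entry-reference and conn_perm revalidation design described in the paragraphs above; it is not code from the report or the kernel, and every name in it (avc_has_perm, policy_set, tcp_connect, tcp_revalidate, the struct fields) is a hypothetical stand-in for the real functions. It shows a client socket caching the AVC entry used for its connectto check in peer_avcr, revalidating that permission on every later send or receive without a second lookup, and failing with a connection reset once the policy no longer grants it.

```c
#include <errno.h>
/* Constructed model (hypothetical names, not the kernel's code) of the AVC
 * entry-reference design described above: a socket keeps a pointer to the
 * AVC entry used for its last check, so revalidating conn_perm on every
 * send or receive is a pointer comparison until the policy changes. */
typedef unsigned int sid_t, perm_t;
enum { CONNECTTO = 1u, ACCEPTFROM = 2u };
#define NSIDS 4

struct avc_entry { sid_t ssid, tsid; perm_t allowed; unsigned seqno; };
struct avc_entry_ref { struct avc_entry *ae; };
struct sock { sid_t sid, peer_sid; perm_t conn_perm; struct avc_entry_ref avcr, peer_avcr; };
static perm_t policy[NSIDS][NSIDS];   /* tcp_socket permissions, indexed ssid x tsid */
static unsigned policy_seqno;         /* bumped on every policy change */
static struct avc_entry cache[NSIDS * NSIDS];
static unsigned slow_lookups;         /* counts cache misses, to show the saving */

/* Fast path through the entry reference; a miss or stale entry refills the cache. */
static int avc_has_perm(sid_t ssid, sid_t tsid, perm_t req, struct avc_entry_ref *ref)
{
    struct avc_entry *ae = ref->ae;
    if (!ae || ae->ssid != ssid || ae->tsid != tsid || ae->seqno != policy_seqno) {
        ae = &cache[ssid * NSIDS + tsid];
        *ae = (struct avc_entry){ ssid, tsid, policy[ssid][tsid], policy_seqno };
        slow_lookups++;
        ref->ae = ae;
    }
    return (ae->allowed & req) == req ? 0 : -EACCES;
}

void policy_set(sid_t ssid, sid_t tsid, perm_t allowed) { policy[ssid][tsid] = allowed; policy_seqno++; }
unsigned avc_slow_lookups(void) { return slow_lookups; }

/* Client side, as tcp_rcv_state_process does: check connectto, record it in conn_perm. */
int tcp_connect(struct sock *sk, sid_t peer_sid)
{
    sk->peer_sid = peer_sid;
    if (avc_has_perm(sk->sid, peer_sid, CONNECTTO, &sk->peer_avcr))
        return -ECONNREFUSED;             /* connection refused; caller shuts the socket down */
    sk->conn_perm = CONNECTTO;
    return 0;
}

/* On an established connection, as tcp_do_sendmsg and tcp_rcv_established do. */
int tcp_revalidate(struct sock *sk)
{
    if (avc_has_perm(sk->sid, sk->peer_sid, sk->conn_perm, &sk->peer_avcr))
        return -ECONNRESET;               /* connection reset; caller shuts the socket down */
    return 0;
}
```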
Table 33 shows the control requirements implemented in each kernel function for Unix stream communication. If newconn, acceptfrom, or connectto permission is denied during connection establishment, then a connection refused error is returned to the connecting process. If acceptfrom or connectto permission is no longer granted when data is sent on the connection, then a connection reset error is returned to the sending process and the socket is shut down. If receive permission is not granted for an open file description, then the descriptors and any subsequent descriptors in the message are discarded.
Table 34 shows the control requirements implemented in each kernel function for UDP or raw IP communication. If recvfrom or recv_msg permission is denied when a UDP unicast message is received, then an ICMP port unreachable message is sent in reply. If either of these permissions is denied for a UDP multicast or broadcast message or a raw IP message, then the message is silently dropped. If udp_send or rawip_send permission is denied, then a permission denied error is returned to the local process if the message was locally generated or an ICMP host unreachable message is sent if the message is being forwarded. If udp_recv or rawip_recv permission is denied for a unicast message, then an ICMP port unreachable message is sent.
Table 35 shows the control requirements implemented in each kernel function for Unix datagram communication. If recvfrom or recv_msg permission is denied when a message is sent, then a connection refused error is returned to the sending process. If receive permission is not granted for an open file description, then the descriptors and any subsequent descriptors in the message are discarded.
The implementation of the control requirements for the other socket calls is shown in Table 36. The inet_bind function only checks name_bind permission if the port number is outside of the range used to automatically bind sockets. The unix_bind function only checks name_bind permission if the name is in the file system namespace. Table 37 shows the implementation of the control requirements for the ioctl commands.