Next: System V IPC Up: Implementation Previous: API extensions   Contents

Control Requirements

To minimize the overhead of permission checks, two AVC entry reference fields (avcr and peer_avcr) were added to the struct sock structure and one AVC entry reference field was added to the struct device structure. The sk_alloc function initializes these fields for new socket objects. The devinet_ioctl function initializes this field for devices when they are first accessed.

Since acceptfrom permission is initially checked by TCP when the open request object is created, an AVC entry reference field (avcr) was added to the struct open_request structure. This field is initialized when an open request object is created by the cookie_v4_check function or the tcp_v4_conn_request function. The field is set in these functions when it is used for the acceptfrom permission check.

To permit the connectto and acceptfrom permissions to be revalidated when traffic is sent or received on an established connection, a connection permission field (conn_perm) was also added to the struct sock structure. When a new TCP server socket is created, the tcp_create_openreq_child function sets the conn_perm field to the acceptfrom permission, and it copies the avcr field from the open request object into the peer_avcr field. For client TCP sockets, the tcp_rcv_state_process function sets the conn_perm field to the connectto permission. The peer_avcr field is set in this function when it is used for the connectto permission check. For Unix stream sockets, the conn_perm and peer_avcr fields are set by unix_stream_connect for both the client socket and the server socket.


Table 32: Implementing the control requirements for TCP communication.

  FUNCTION(S)                 CONTROL REQUIREMENT(S)
                              CLASS    PERM
  inet_listen                 socket   listen
                              socket   newconn
  inet_stream_connect         socket   connect
  inet_accept                 socket   accept
  inet_sendmsg                socket   write
  inet_recvmsg                socket   read
  tcp_v4_conn_request,        socket   newconn
  cookie_v4_check             socket   acceptfrom
  tcp_rcv_state_process       socket   connectto
  tcp_do_sendmsg              socket   connectto
                              socket   acceptfrom
  tcp_rcv_established         socket   connectto
                              socket   acceptfrom
  ip_queue_xmit,              netif    tcp_send
  ip_build_and_send_pkt,      node     tcp_send
  ip_forward,
  ipmr_queue_xmit
  ip_rcv                      netif    tcp_recv
                              node     tcp_recv



Table 33: Implementing the control requirements for Unix stream communication.

  FUNCTION(S)                 CONTROL REQUIREMENT(S)
                              CLASS    PERM
  unix_listen                 socket   listen
                              socket   newconn
  unix_accept                 socket   accept
  unix_stream_recvmsg         socket   read
  scm_detach_fds              fd       receive
  unix_stream_connect         socket   connect
                              socket   connectto
                              socket   newconn
                              socket   acceptfrom
  unix_stream_sendmsg         socket   write
                              socket   connectto
                              socket   acceptfrom



Table 34: Implementing the control requirements for UDP or raw IP communication.

  FUNCTION(S)                 CONTROL REQUIREMENT(S)
                              CLASS    PERM
  inet_dgram_connect          socket   connect
  inet_sendmsg                socket   write
  inet_recvmsg                socket   read
  udp_sendmsg,                socket   sendto
  raw_sendmsg                 socket   send_msg
  udp_deliver,                socket   recvfrom
  raw_rcv_skb                 socket   recv_msg
  ip_build_xmit,              netif    udp/rawip_send
  ip_build_xmit_slow,         node     udp/rawip_send
  ip_forward
  ip_rcv                      netif    udp/rawip_recv
                              node     udp/rawip_recv



Table 35: Implementing the control requirements for Unix datagram communication.

  FUNCTION(S)                 CONTROL REQUIREMENT(S)
                              CLASS    PERM
  unix_dgram_connect          socket   connect
  unix_dgram_recvmsg          socket   read
  scm_detach_fds              fd       receive
  unix_dgram_sendmsg          socket   write
                              socket   sendto
                              socket   send_msg
                              socket   recvfrom
                              socket   recv_msg



Table 36: Implementing the control requirements for the other socket calls.

  FUNCTION(S)                 CONTROL REQUIREMENT(S)
                              CLASS    PERM
  inet_create,                socket   create
  unix_create
  inet_bind,                  socket   bind
  unix_bind                   socket   name_bind
  inet_getname,               socket   getattr
  unix_getname
  sock_getsockopt,            socket   getopt
  inet_getsockopt
  sock_setsockopt,            socket   setopt
  inet_setsockopt
  inet_shutdown,              socket   shutdown
  unix_shutdown



Table 37: Implementing the control requirements for ioctl commands.

  FUNCTION(S)                 CONTROL REQUIREMENT(S)
                              CLASS    PERM
  unix_ioctl                  socket   getattr
  devinet_ioctl               netif    getattr
                              netif    setattr
  ip_rt_ioctl                 system   route_control
  arp_ioctl                   system   arp_control
  rarp_ioctl                  system   rarp_control
  inet_ioctl                  system   net_io_control


The control requirements implemented in each kernel function for TCP communication are shown in Table 32. Only the class and permission are shown for each control requirement; the source SID and target SID can be found in the corresponding design table. If connectto permission is denied during connection establishment, a connection refused error is returned to the local process and the socket is shut down. If acceptfrom or newconn permission is denied during connection establishment, a TCP reset is sent in reply to the connection request. The permission stored in the conn_perm field is revalidated by the tcp_do_sendmsg and tcp_rcv_established functions. If permission is no longer granted when tcp_rcv_established receives a message on a connection or when tcp_do_sendmsg attempts to send a message on a connection, then a connection reset error is returned to the local process and the socket is shut down. If tcp_send or tcp_recv permission is denied, then an ICMP port unreachable message is sent if the message was locally generated or an ICMP host unreachable message is sent if the message is being forwarded.
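The following user-space model is an added example, not code from the report or from the Linux kernel. It illustrates two points made above: the AVC entry reference (avcr / peer_avcr) cached in the socket so that repeated checks on an established connection avoid a full AVC lookup, and the revalidation of the permission stored in conn_perm when data is sent, with a connection refused error at connection establishment and a connection reset error once a connection is up. The toy policy table, the SID values, the permission bits and every function name (sock_connect, sock_send, run_scenario and the avc_* helpers) are constructed for this example and do not correspond to the kernel's own identifiers.

```c
/* Added example: a model of AVC entry references in struct sock and of
 * conn_perm revalidation.  Names, SIDs, permission bits and the policy
 * table are all constructed for illustration (not kernel code). */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define SECCLASS_SOCKET  1
#define PERM_CONNECTTO   (1u << 0)
#define PERM_ACCEPTFROM  (1u << 1)

/* Constructed security identifiers for the two endpoints. */
enum { SID_CLIENT = 100, SID_SERVER = 200 };

/* Toy policy standing in for the security server; mutable so that a
 * revocation can be simulated. */
static struct { uint32_t ssid, tsid, tclass, allowed; } policy[] = {
    { SID_CLIENT, SID_SERVER, SECCLASS_SOCKET, PERM_CONNECTTO },
    { SID_SERVER, SID_CLIENT, SECCLASS_SOCKET, PERM_ACCEPTFROM },
};

static uint32_t policy_allowed(uint32_t ssid, uint32_t tsid, uint32_t tclass)
{
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++)
        if (policy[i].ssid == ssid && policy[i].tsid == tsid &&
            policy[i].tclass == tclass)
            return policy[i].allowed;
    return 0;                       /* default deny */
}

/* A cached decision, tagged with the cache generation it belongs to. */
struct avc_entry { uint32_t ssid, tsid, tclass, allowed, seqno; };

/* The per-object entry reference (the avcr / peer_avcr fields). */
struct avc_entry_ref { struct avc_entry *ae; };

#define AVC_CACHE_SLOTS 8
static struct avc_entry avc_cache[AVC_CACHE_SLOTS];
static unsigned avc_next;
static uint32_t avc_seqno = 1;      /* bumped on every policy change */
static unsigned avc_lookups, avc_misses;

/* The reference is usable only if it is for the same (ssid, tsid, class)
 * and was filled under the current policy generation. */
static bool ref_valid(const struct avc_entry_ref *ref, uint32_t ssid,
                      uint32_t tsid, uint32_t tclass)
{
    const struct avc_entry *ae = ref->ae;
    return ae && ae->seqno == avc_seqno && ae->ssid == ssid &&
           ae->tsid == tsid && ae->tclass == tclass;
}

/* Check one permission via the cached reference, refilling it on a miss.
 * Returns 0 when granted, -EACCES when denied. */
static int avc_has_perm_ref(uint32_t ssid, uint32_t tsid, uint32_t tclass,
                            uint32_t perm, struct avc_entry_ref *ref)
{
    avc_lookups++;
    if (!ref_valid(ref, ssid, tsid, tclass)) {
        avc_misses++;
        struct avc_entry *ae = &avc_cache[avc_next++ % AVC_CACHE_SLOTS];
        *ae = (struct avc_entry){ ssid, tsid, tclass,
                                  policy_allowed(ssid, tsid, tclass), avc_seqno };
        ref->ae = ae;
    }
    return (ref->ae->allowed & perm) == perm ? 0 : -EACCES;
}

/* Policy reload: every cached decision becomes stale at once. */
static void avc_ss_reset(void) { avc_seqno++; }

struct sock {
    uint32_t sid, peer_sid;
    uint32_t conn_perm;             /* permission revalidated on traffic */
    struct avc_entry_ref avcr, peer_avcr;
    bool dead;                      /* socket has been shut down */
};

/* Client-side connection establishment: connectto is checked against the
 * peer and, if granted, remembered in conn_perm for later revalidation. */
static int sock_connect(struct sock *sk, uint32_t peer_sid)
{
    sk->peer_sid = peer_sid;
    if (avc_has_perm_ref(sk->sid, peer_sid, SECCLASS_SOCKET,
                         PERM_CONNECTTO, &sk->peer_avcr)) {
        sk->dead = true;
        return -ECONNREFUSED;       /* denied at establishment */
    }
    sk->conn_perm = PERM_CONNECTTO;
    return 0;
}

/* Sending on an established connection revalidates conn_perm; a denial
 * resets the connection and shuts the socket down. */
static int sock_send(struct sock *sk)
{
    if (sk->dead)
        return -EPIPE;
    if (avc_has_perm_ref(sk->sid, sk->peer_sid, SECCLASS_SOCKET,
                         sk->conn_perm, &sk->peer_avcr)) {
        sk->dead = true;
        return -ECONNRESET;
    }
    return 0;
}

/* Scenario: connect, send twice (cache hits), revoke connectto, send again.
 * Reports the error of the final send and the number of cache misses. */
static int run_scenario(int *err_after_revoke, unsigned *misses)
{
    struct sock client = { .sid = SID_CLIENT };
    avc_lookups = avc_misses = 0;
    if (sock_connect(&client, SID_SERVER)) return -1;
    if (sock_send(&client)) return -2;
    if (sock_send(&client)) return -3;
    policy[0].allowed &= ~PERM_CONNECTTO;   /* administrator revokes connectto */
    avc_ss_reset();
    *err_after_revoke = sock_send(&client);
    *misses = avc_misses;
    return 0;
}

int main(void)
{
    int err; unsigned misses;
    if (run_scenario(&err, &misses))
        return 1;
    printf("send after revocation: %d (ECONNRESET = %d), cache misses: %u of %u lookups\n",
           err, -ECONNRESET, misses, avc_lookups);
    return 0;
}
```

Only the first check and the first check after the policy change miss the cache; the intermediate sends are served from peer_avcr, which is the overhead saving the added fields buy. The generation counter is what makes revocation take effect on the next send rather than being masked by a stale cached grant.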

Table 33 shows the control requirements implemented in each kernel function for Unix stream communication. If newconn, acceptfrom, or connectto permission is denied during connection establishment, then a connection refused error is returned to the connecting process. If acceptfrom or connectto permission is no longer granted when data is sent on the connection, then a connection reset error is returned to the sending process and the socket is shut down. If receive permission is not granted for an open file description, then the descriptors and any subsequent descriptors in the message are discarded.

Table 34 shows the control requirements implemented in each kernel function for UDP or raw IP communication. If recvfrom or recv_msg permission is denied when a UDP unicast message is received, then an ICMP port unreachable message is sent in reply. If either of these permissions is denied for a UDP multicast or broadcast message or a raw IP message, then the message is silently dropped. If udp_send or rawip_send permission is denied, then a permission denied error is returned to the local process if the message was locally generated, or an ICMP host unreachable message is sent if the message is being forwarded. If udp_recv or rawip_recv permission is denied for a unicast message, then an ICMP port unreachable message is sent.

Table 35 shows the control requirements implemented in each kernel function for Unix datagram communication. If recvfrom or recv_msg permission is denied when a message is sent, then a connection refused error is returned to the sending process. If receive permission is not granted for an open file description, then the descriptors and any subsequent descriptors in the message are discarded.

The implementation of the control requirements for the other socket calls is shown in Table 36. The inet_bind function only checks name_bind permission if the port number is outside of the range used to automatically bind sockets. The unix_bind function only checks name_bind permission if the name is in the file system namespace. Table 37 shows the implementation of the control requirements for the ioctl commands.

