X-Git-Url: https://git.saurik.com/apple/xnu.git/blobdiff_plain/39236c6e673c41db228275375ab7fdb0f837b292..a39ff7e25e19b3a8c3020042a3872ca9ec9659f1:/bsd/kern/sys_socket.c

diff --git a/bsd/kern/sys_socket.c b/bsd/kern/sys_socket.c
index 11df996b6..cc4d778bd 100644
--- a/bsd/kern/sys_socket.c
+++ b/bsd/kern/sys_socket.c
@@ -98,14 +98,14 @@ static int soo_close(struct fileglob *, vfs_context_t ctx);
 static int soo_drain(struct fileproc *, vfs_context_t ctx);
 
 const struct fileops socketops = {
-	DTYPE_SOCKET,
-	soo_read,
-	soo_write,
-	soo_ioctl,
-	soo_select,
-	soo_close,
-	soo_kqfilter,
-	soo_drain
+	.fo_type = DTYPE_SOCKET,
+	.fo_read = soo_read,
+	.fo_write = soo_write,
+	.fo_ioctl = soo_ioctl,
+	.fo_select = soo_select,
+	.fo_close = soo_close,
+	.fo_kqfilter = soo_kqfilter,
+	.fo_drain = soo_drain,
 };
 
 /* ARGSUSED */
@@ -189,6 +189,12 @@ soioctl(struct socket *so, u_long cmd, caddr_t data, struct proc *p)
 	int error = 0;
 	int int_arg;
 
+#if CONFIG_MACF_SOCKET_SUBSET
+	error = mac_socket_check_ioctl(kauth_cred_get(), so, cmd);
+	if (error)
+		return (error);
+#endif
+
 	socket_lock(so, 1);
 
 	/* call the socket filter's ioctl handler anything but ours */
@@ -374,7 +380,7 @@ soo_stat(struct socket *so, void *ub, int isstat64)
 	/* warning avoidance ; protected by isstat64 */
 	struct stat64 *sb64 = (struct stat64 *)0;
 
-#if CONFIG_MACF_SOCKET
+#if CONFIG_MACF_SOCKET_SUBSET
 	ret = mac_socket_check_stat(kauth_cred_get(), so);
 	if (ret)
 		return (ret);