diff options
| author | rwatson <rwatson@FreeBSD.org> | 2002-07-31 00:48:24 +0000 |
|---|---|---|
| committer | rwatson <rwatson@FreeBSD.org> | 2002-07-31 00:48:24 +0000 |
| commit | 8c7dc5b91721b83fb10a236b30dfc43c68105aaf (patch) | |
| tree | 1b3173defa67548391871eff73eac4a3920f489d | |
| parent | cbee25e47b2f15630e6ffca682c0549cad73ea18 (diff) | |
| download | FreeBSD-src-8c7dc5b91721b83fb10a236b30dfc43c68105aaf.zip FreeBSD-src-8c7dc5b91721b83fb10a236b30dfc43c68105aaf.tar.gz | |
Introduce support for Mandatory Access Control and extensible
kernel access control.
Implement inter-process access control entry points for the MAC
framework. This permits policy modules to augment the decision
making process for process and socket visibility, process debugging,
re-scheduling, and signaling.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
| -rw-r--r-- | sys/kern/kern_prot.c | 24 |
1 files changed, 21 insertions, 3 deletions
diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c index d6f07a0..8a7ac62 100644 --- a/sys/kern/kern_prot.c +++ b/sys/kern/kern_prot.c @@ -1379,6 +1379,10 @@ cr_cansee(struct ucred *u1, struct ucred *u2) if ((error = prison_check(u1, u2))) return (error); +#ifdef MAC + if ((error = mac_check_cred_visible(u1, u2))) + return (error); +#endif if ((error = cr_seeotheruids(u1, u2))) return (error); return (0); @@ -1420,6 +1424,10 @@ cr_cansignal(struct ucred *cred, struct proc *proc, int signum) error = prison_check(cred, proc->p_ucred); if (error) return (error); +#ifdef MAC + if ((error = mac_check_proc_signal(cred, proc, signum))) + return (error); +#endif error = cr_seeotheruids(cred, proc->p_ucred); if (error) return (error); @@ -1521,6 +1529,10 @@ p_cansched(struct thread *td, struct proc *p) return (0); if ((error = prison_check(td->td_ucred, p->p_ucred))) return (error); +#ifdef MAC + if ((error = mac_check_proc_sched(td->td_ucred, p))) + return (error); +#endif if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred))) return (error); if (td->td_ucred->cr_ruid == p->p_ucred->cr_ruid) @@ -1578,6 +1590,10 @@ p_candebug(struct thread *td, struct proc *p) return (0); if ((error = prison_check(td->td_ucred, p->p_ucred))) return (error); +#ifdef MAC + if ((error = mac_check_proc_debug(td->td_ucred, p))) + return (error); +#endif if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred))) return (error); @@ -1652,11 +1668,13 @@ cr_canseesocket(struct ucred *cred, struct socket *so) error = prison_check(cred, so->so_cred); if (error) return (ENOENT); - if (cr_seeotheruids(cred, so->so_cred)) - return (ENOENT); #ifdef MAC - /* XXX: error = mac_cred_check_seesocket() here. */ + error = mac_check_socket_visible(cred, so); + if (error) + return (error); #endif + if (cr_seeotheruids(cred, so->so_cred)) + return (ENOENT); return (0); } |
