author | rwatson <rwatson@FreeBSD.org> | 2002-09-18 02:02:08 +0000 |
---|---|---|
committer | rwatson <rwatson@FreeBSD.org> | 2002-09-18 02:02:08 +0000 |
commit | 90f35dab01cd0251ff48ff81a65bdaa9752e0b06 (patch) | |
tree | abf66cfa058d01bb1b5f776b9c829906a6f33800 | |
parent | 22d6bef96d7f7f126802d0ea7652fe4b6f014386 (diff) | |
Add a toggle to disable VM enforcement.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
-rw-r--r-- | sys/kern/kern_mac.c | 7 | ||||
-rw-r--r-- | sys/security/mac/mac_framework.c | 7 | ||||
-rw-r--r-- | sys/security/mac/mac_internal.h | 7 | ||||
-rw-r--r-- | sys/security/mac/mac_net.c | 7 | ||||
-rw-r--r-- | sys/security/mac/mac_pipe.c | 7 | ||||
-rw-r--r-- | sys/security/mac/mac_process.c | 7 | ||||
-rw-r--r-- | sys/security/mac/mac_syscalls.c | 7 | ||||
-rw-r--r-- | sys/security/mac/mac_system.c | 7 | ||||
-rw-r--r-- | sys/security/mac/mac_vfs.c | 7 |
9 files changed, 63 insertions, 0 deletions
diff --git a/sys/kern/kern_mac.c b/sys/kern/kern_mac.c index 0bdffc7..3eed0a6 100644 --- a/sys/kern/kern_mac.c +++ b/sys/kern/kern_mac.c @@ -144,6 +144,10 @@ SYSCTL_INT(_security_mac, OID_AUTO, enforce_socket, CTLFLAG_RW, &mac_enforce_socket, 0, "Enforce MAC policy on socket operations"); TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket); +static int mac_enforce_vm = 1; +SYSCTL_INT(_security_mac, OID_AUTO, enforce_vm, CTLFLAG_RW, + &mac_enforce_vm, 0, "Enforce MAC policy on vm operations"); + static int mac_label_size = sizeof(struct mac); SYSCTL_INT(_security_mac, OID_AUTO, label_size, CTLFLAG_RD, &mac_label_size, 0, "Pre-compiled MAC label size"); @@ -1779,6 +1783,9 @@ mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp, int newmapping) { vm_prot_t result = VM_PROT_ALL; + if (!mac_enforce_vm) + return (result); + /* * This should be some sort of MAC_BITWISE, maybe :) */ diff --git a/sys/security/mac/mac_framework.c b/sys/security/mac/mac_framework.c index 0bdffc7..3eed0a6 100644 --- a/sys/security/mac/mac_framework.c +++ b/sys/security/mac/mac_framework.c @@ -144,6 +144,10 @@ SYSCTL_INT(_security_mac, OID_AUTO, enforce_socket, CTLFLAG_RW, &mac_enforce_socket, 0, "Enforce MAC policy on socket operations"); TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket); +static int mac_enforce_vm = 1; +SYSCTL_INT(_security_mac, OID_AUTO, enforce_vm, CTLFLAG_RW, + &mac_enforce_vm, 0, "Enforce MAC policy on vm operations"); + static int mac_label_size = sizeof(struct mac); SYSCTL_INT(_security_mac, OID_AUTO, label_size, CTLFLAG_RD, &mac_label_size, 0, "Pre-compiled MAC label size"); @@ -1779,6 +1783,9 @@ mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp, int newmapping) { vm_prot_t result = VM_PROT_ALL; + if (!mac_enforce_vm) + return (result); + /* * This should be some sort of MAC_BITWISE, maybe :) */ diff --git a/sys/security/mac/mac_internal.h b/sys/security/mac/mac_internal.h index 0bdffc7..3eed0a6 100644 
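Review bot: The new `mac_enforce_vm` knob in the first hunk of sys/kern/kern_mac.c has no matching loader tunable, although the `enforce_socket` context lines directly above it pair `SYSCTL_INT` with `TUNABLE_INT`. As written the initial state cannot be chosen at boot and can only be changed afterwards through sysctl; consider adding `TUNABLE_INT("security.mac.enforce_vm", &mac_enforce_vm);` after the `SYSCTL_INT`. Because the OID is `CTLFLAG_RW`, a write of 0 turns off a MAC check on a running system, so a short comment above the declaration stating that it is an administrative or debugging switch and that it defaults to enforcing would help whoever audits these knobs. The same lines are repeated in the sections for the other eight paths listed in the diffstat, so the point applies to each of them.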
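Review bot: The early return added to `mac_check_vnode_mmap_prot()` hands back `VM_PROT_ALL` with no comment saying that this value means "no MAC restriction", and it is the only place on this page where `mac_enforce_vm` is read. A one-line comment above the `if`, such as `/* Enforcement disabled: place no MAC limit on the mapping's protections. */`, would make the fail-open intent explicit. The sysctl description promises "vm operations" in general, so if other VM-related MAC checks exist outside these hunks they presumably need the same guard, or the description should be narrowed to what is actually gated. The flag is consulted only when this function is called; whether mappings created while it was 0 are re-evaluated once it is set back to 1 cannot be determined from the visible lines and deserves a note in the documentation. The function body continues past the end of the hunk.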
--- a/sys/security/mac/mac_internal.h +++ b/sys/security/mac/mac_internal.h @@ -144,6 +144,10 @@ SYSCTL_INT(_security_mac, OID_AUTO, enforce_socket, CTLFLAG_RW, &mac_enforce_socket, 0, "Enforce MAC policy on socket operations"); TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket); +static int mac_enforce_vm = 1; +SYSCTL_INT(_security_mac, OID_AUTO, enforce_vm, CTLFLAG_RW, + &mac_enforce_vm, 0, "Enforce MAC policy on vm operations"); + static int mac_label_size = sizeof(struct mac); SYSCTL_INT(_security_mac, OID_AUTO, label_size, CTLFLAG_RD, &mac_label_size, 0, "Pre-compiled MAC label size"); @@ -1779,6 +1783,9 @@ mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp, int newmapping) { vm_prot_t result = VM_PROT_ALL; + if (!mac_enforce_vm) + return (result); + /* * This should be some sort of MAC_BITWISE, maybe :) */ diff --git a/sys/security/mac/mac_net.c b/sys/security/mac/mac_net.c index 0bdffc7..3eed0a6 100644 --- a/sys/security/mac/mac_net.c +++ b/sys/security/mac/mac_net.c @@ -144,6 +144,10 @@ SYSCTL_INT(_security_mac, OID_AUTO, enforce_socket, CTLFLAG_RW, &mac_enforce_socket, 0, "Enforce MAC policy on socket operations"); TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket); +static int mac_enforce_vm = 1; +SYSCTL_INT(_security_mac, OID_AUTO, enforce_vm, CTLFLAG_RW, + &mac_enforce_vm, 0, "Enforce MAC policy on vm operations"); + static int mac_label_size = sizeof(struct mac); SYSCTL_INT(_security_mac, OID_AUTO, label_size, CTLFLAG_RD, &mac_label_size, 0, "Pre-compiled MAC label size"); @@ -1779,6 +1783,9 @@ mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp, int newmapping) { vm_prot_t result = VM_PROT_ALL; + if (!mac_enforce_vm) + return (result); + /* * This should be some sort of MAC_BITWISE, maybe :) */ diff --git a/sys/security/mac/mac_pipe.c b/sys/security/mac/mac_pipe.c index 0bdffc7..3eed0a6 100644 --- a/sys/security/mac/mac_pipe.c +++ b/sys/security/mac/mac_pipe.c 
@@ -144,6 +144,10 @@ SYSCTL_INT(_security_mac, OID_AUTO, enforce_socket, CTLFLAG_RW, &mac_enforce_socket, 0, "Enforce MAC policy on socket operations"); TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket); +static int mac_enforce_vm = 1; +SYSCTL_INT(_security_mac, OID_AUTO, enforce_vm, CTLFLAG_RW, + &mac_enforce_vm, 0, "Enforce MAC policy on vm operations"); + static int mac_label_size = sizeof(struct mac); SYSCTL_INT(_security_mac, OID_AUTO, label_size, CTLFLAG_RD, &mac_label_size, 0, "Pre-compiled MAC label size"); @@ -1779,6 +1783,9 @@ mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp, int newmapping) { vm_prot_t result = VM_PROT_ALL; + if (!mac_enforce_vm) + return (result); + /* * This should be some sort of MAC_BITWISE, maybe :) */ diff --git a/sys/security/mac/mac_process.c b/sys/security/mac/mac_process.c index 0bdffc7..3eed0a6 100644 --- a/sys/security/mac/mac_process.c +++ b/sys/security/mac/mac_process.c @@ -144,6 +144,10 @@ SYSCTL_INT(_security_mac, OID_AUTO, enforce_socket, CTLFLAG_RW, &mac_enforce_socket, 0, "Enforce MAC policy on socket operations"); TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket); +static int mac_enforce_vm = 1; +SYSCTL_INT(_security_mac, OID_AUTO, enforce_vm, CTLFLAG_RW, + &mac_enforce_vm, 0, "Enforce MAC policy on vm operations"); + static int mac_label_size = sizeof(struct mac); SYSCTL_INT(_security_mac, OID_AUTO, label_size, CTLFLAG_RD, &mac_label_size, 0, "Pre-compiled MAC label size"); @@ -1779,6 +1783,9 @@ mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp, int newmapping) { vm_prot_t result = VM_PROT_ALL; + if (!mac_enforce_vm) + return (result); + /* * This should be some sort of MAC_BITWISE, maybe :) */ diff --git a/sys/security/mac/mac_syscalls.c b/sys/security/mac/mac_syscalls.c index 0bdffc7..3eed0a6 100644 --- a/sys/security/mac/mac_syscalls.c +++ b/sys/security/mac/mac_syscalls.c 
@@ -144,6 +144,10 @@ SYSCTL_INT(_security_mac, OID_AUTO, enforce_socket, CTLFLAG_RW, &mac_enforce_socket, 0, "Enforce MAC policy on socket operations"); TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket); +static int mac_enforce_vm = 1; +SYSCTL_INT(_security_mac, OID_AUTO, enforce_vm, CTLFLAG_RW, + &mac_enforce_vm, 0, "Enforce MAC policy on vm operations"); + static int mac_label_size = sizeof(struct mac); SYSCTL_INT(_security_mac, OID_AUTO, label_size, CTLFLAG_RD, &mac_label_size, 0, "Pre-compiled MAC label size"); @@ -1779,6 +1783,9 @@ mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp, int newmapping) { vm_prot_t result = VM_PROT_ALL; + if (!mac_enforce_vm) + return (result); + /* * This should be some sort of MAC_BITWISE, maybe :) */ diff --git a/sys/security/mac/mac_system.c b/sys/security/mac/mac_system.c index 0bdffc7..3eed0a6 100644 --- a/sys/security/mac/mac_system.c +++ b/sys/security/mac/mac_system.c @@ -144,6 +144,10 @@ SYSCTL_INT(_security_mac, OID_AUTO, enforce_socket, CTLFLAG_RW, &mac_enforce_socket, 0, "Enforce MAC policy on socket operations"); TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket); +static int mac_enforce_vm = 1; +SYSCTL_INT(_security_mac, OID_AUTO, enforce_vm, CTLFLAG_RW, + &mac_enforce_vm, 0, "Enforce MAC policy on vm operations"); + static int mac_label_size = sizeof(struct mac); SYSCTL_INT(_security_mac, OID_AUTO, label_size, CTLFLAG_RD, &mac_label_size, 0, "Pre-compiled MAC label size"); @@ -1779,6 +1783,9 @@ mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp, int newmapping) { vm_prot_t result = VM_PROT_ALL; + if (!mac_enforce_vm) + return (result); + /* * This should be some sort of MAC_BITWISE, maybe :) */ diff --git a/sys/security/mac/mac_vfs.c b/sys/security/mac/mac_vfs.c index 0bdffc7..3eed0a6 100644 --- a/sys/security/mac/mac_vfs.c +++ b/sys/security/mac/mac_vfs.c 
@@ -144,6 +144,10 @@ SYSCTL_INT(_security_mac, OID_AUTO, enforce_socket, CTLFLAG_RW, &mac_enforce_socket, 0, "Enforce MAC policy on socket operations"); TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket); +static int mac_enforce_vm = 1; +SYSCTL_INT(_security_mac, OID_AUTO, enforce_vm, CTLFLAG_RW, + &mac_enforce_vm, 0, "Enforce MAC policy on vm operations"); + static int mac_label_size = sizeof(struct mac); SYSCTL_INT(_security_mac, OID_AUTO, label_size, CTLFLAG_RD, &mac_label_size, 0, "Pre-compiled MAC label size"); @@ -1779,6 +1783,9 @@ mac_check_vnode_mmap_prot(struct ucred *cred, struct vnode *vp, int newmapping) { vm_prot_t result = VM_PROT_ALL; + if (!mac_enforce_vm) + return (result); + /* * This should be some sort of MAC_BITWISE, maybe :) */ |