authorrwatson <rwatson@FreeBSD.org>2002-08-01 17:23:22 +0000
committerrwatson <rwatson@FreeBSD.org>2002-08-01 17:23:22 +0000
commitb7cdf5f4bed19ecc345a80394d8e4729efa80dd4 (patch)
treec4aeb18ea2f00385ba2e9c575fa42b10261f31fc
parent9c8ad2f838c68d2850f36632e2fe9a9ed9a12af9 (diff)
Introduce support for Mandatory Access Control and extensible
kernel access control. Invoke appropriate MAC framework entry points to authorize a number of vnode operations, including read, write, stat, poll. This permits MAC policies to revoke access to files following label changes, and to limit information spread about the file to user processes. Note: currently the file's cached credential is used for some of these authorization checks. We will need to expand some of the MAC entry point APIs to permit multiple creds to be passed to the access control check to allow diverse policy behavior. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
-rw-r--r--sys/kern/vfs_vnops.c43
1 files changed, 39 insertions, 4 deletions
diff --git a/sys/kern/vfs_vnops.c b/sys/kern/vfs_vnops.c
index 402b9f9..a8ca4c9 100644
--- a/sys/kern/vfs_vnops.c
+++ b/sys/kern/vfs_vnops.c
@@ -393,9 +393,17 @@ vn_rdwr(rw, vp, base, len, offset, segflg, ioflg, cred, aresid, td)
auio.uio_rw = rw;
auio.uio_td = td;
if (rw == UIO_READ) {
- error = VOP_READ(vp, &auio, ioflg, cred);
+#ifdef MAC
+ error = mac_check_vnode_op(cred, vp, MAC_OP_VNODE_READ);
+ if (error == 0)
+#endif
+ error = VOP_READ(vp, &auio, ioflg, cred);
} else {
- error = VOP_WRITE(vp, &auio, ioflg, cred);
+#ifdef MAC
+ error = mac_check_vnode_op(cred, vp, MAC_OP_VNODE_WRITE);
+ if (error == 0)
+#endif
+ error = VOP_WRITE(vp, &auio, ioflg, cred);
}
if (aresid)
*aresid = auio.uio_resid;
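Review bot: The `if (error == 0)` that closes the `#ifdef MAC` block on the read branch governs the `VOP_READ` call that sits outside the conditional compilation, so a braceless conditional straddles a preprocessor boundary; the write branch below and the vn_read and vn_write hunks use the same shape. It is correct as written, but a later edit that inserts a statement between the `#endif` and the VOP call, or that wraps the call in braces, silently changes which statement the MAC check guards. A one-line comment on each block makes the dependency explicit: `/* MAC: the VOP call below runs only if the label check passed. */`. vn_rdwr's body starts and ends outside the hunk.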
@@ -482,7 +490,11 @@ vn_read(fp, uio, cred, flags, td)
ioflag |= sequential_heuristic(uio, fp);
- error = VOP_READ(vp, uio, ioflag, cred);
+#ifdef MAC
+ error = mac_check_vnode_op(cred, vp, MAC_OP_VNODE_READ);
+ if (error == 0)
+#endif
+ error = VOP_READ(vp, uio, ioflag, cred);
if ((flags & FOF_OFFSET) == 0)
fp->f_offset = uio->uio_offset;
fp->f_nextoff = uio->uio_offset;
@@ -533,7 +545,11 @@ vn_write(fp, uio, cred, flags, td)
if ((flags & FOF_OFFSET) == 0)
uio->uio_offset = fp->f_offset;
ioflag |= sequential_heuristic(uio, fp);
- error = VOP_WRITE(vp, uio, ioflag, cred);
+#ifdef MAC
+ error = mac_check_vnode_op(cred, vp, MAC_OP_VNODE_WRITE);
+ if (error == 0)
+#endif
+ error = VOP_WRITE(vp, uio, ioflag, cred);
if ((flags & FOF_OFFSET) == 0)
fp->f_offset = uio->uio_offset;
fp->f_nextoff = uio->uio_offset;
@@ -576,6 +592,12 @@ vn_stat(vp, sb, td)
int error;
u_short mode;
+#ifdef MAC
+ error = mac_check_vnode_stat(td->td_ucred, vp);
+ if (error)
+ return (error);
+#endif
+
vap = &vattr;
error = VOP_GETATTR(vp, vap, td->td_ucred, td);
if (error)
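Review bot: The new stat check authorizes with `td->td_ucred`, while the read and write checks in the hunks above pass the caller-supplied `cred`, which the commit message describes as the cached file credential; the difference looks deliberate, since vn_stat has no file pointer, but nothing in the code records it. A comment at the check would keep the next reader from "fixing" one side to match the other: `/* No fp here: authorize against the calling thread's cred, not a cached file cred. */`. The vnode lock state vn_stat expects is not visible in the hunk, so whether mac_check_vnode_stat runs with vp locked cannot be confirmed from here. vn_stat's body continues outside the hunk.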
@@ -757,6 +779,19 @@ vn_poll(fp, events, cred, td)
struct ucred *cred;
struct thread *td;
{
+ struct vnode *vp;
+#ifdef MAC
+ int error;
+#endif
+
+ vp = (struct vnode *)fp->f_data;
+#ifdef MAC
+ vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
+ error = mac_check_vnode_op(cred, vp, MAC_OP_VNODE_POLL);
+ VOP_UNLOCK(vp, 0, td);
+ if (error)
+ return (error);
+#endif
return (VOP_POLL(((struct vnode *)fp->f_data), events, cred, td));
}
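Review bot: The new `vp` local is assigned unconditionally but, with MAC undefined, never read, because the return on the last line still re-casts `fp->f_data` instead of using it; that leaves a set-but-unused variable in the non-MAC build and duplicates the cast. Use the local in the return: `return (VOP_POLL(vp, events, cred, td));`. Separately, the exclusive lock is dropped before VOP_POLL, so a label change between the check and the poll is not caught; if that window is acceptable because poll moves no data, a comment at the `VOP_UNLOCK` saying so would preserve the reasoning, and whether a shared lock would suffice for the check is worth confirming against the entry point's contract. vn_poll's opening lines are outside the hunk.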