authorrwatson <rwatson@FreeBSD.org>2003-03-06 04:47:47 +0000
committerrwatson <rwatson@FreeBSD.org>2003-03-06 04:47:47 +0000
commit7974609efe6613beae1bcfd4fd3819be79c5bc40 (patch)
tree8d2085967adb12a8e49ec975378d82e26b7c136e /sys/alpha
parent1d6788bfb79e60b1f5e19a600aa922df603c38ad (diff)
Instrument sysarch() MD privileged I/O access interfaces with a MAC
check, mac_check_sysarch_ioperm(), permitting MAC security policy modules to control access to these interfaces. Currently, they protect access to IOPL on i386, and setting HAE on Alpha. Additional checks might be required on other platforms to prevent bypass of kernel security protections by unauthorized processes. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
Diffstat (limited to 'sys/alpha')
-rw-r--r--sys/alpha/alpha/sys_machdep.c9
1 files changed, 9 insertions, 0 deletions
diff --git a/sys/alpha/alpha/sys_machdep.c b/sys/alpha/alpha/sys_machdep.c
index e2e23ec..94334bc 100644
--- a/sys/alpha/alpha/sys_machdep.c
+++ b/sys/alpha/alpha/sys_machdep.c
@@ -35,9 +35,12 @@
*
*/
+#include "opt_mac.h"
+
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/lock.h>
+#include <sys/mac.h>
#include <sys/mutex.h>
#include <sys/proc.h>
#include <sys/sysent.h>
@@ -114,6 +117,12 @@ alpha_sethae(struct thread *td, char *args)
if (error)
return (error);
+#ifdef MAC
+ error = mac_check_sysarch_ioperm(td->td_ucred);
+ if (error)
+ return (error);
+#endif
+
error = securelevel_gt(td->td_ucred, 0);
if (error)
return (error);
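Review bot: The new call in alpha_sethae() passes only `td->td_ucred` to `mac_check_sysarch_ioperm()`, so a policy module can allow or deny the HAE change per credential but cannot see the value being requested; if that granularity is intended, it should be stated next to the call. The hook is named for ioperm while this path sets HAE, so I would add a comment above the `#ifdef MAC` such as `/* MAC: setting HAE is treated as privileged I/O access; the policy sees only the credential. */`. The check runs before `securelevel_gt()`, so a policy denial is returned first and the errno the caller sees depends on the loaded policy; that is presumably acceptable, but the order deserves confirmation. alpha_sethae() starts and ends outside this hunk, so any privilege check that follows is not visible here.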