diff options
author | rwatson <rwatson@FreeBSD.org> | 2003-03-06 04:47:47 +0000 |
---|---|---|
committer | rwatson <rwatson@FreeBSD.org> | 2003-03-06 04:47:47 +0000 |
commit | 7974609efe6613beae1bcfd4fd3819be79c5bc40 (patch) | |
tree | 8d2085967adb12a8e49ec975378d82e26b7c136e /sys/amd64 | |
parent | 1d6788bfb79e60b1f5e19a600aa922df603c38ad (diff) | |
download | FreeBSD-src-7974609efe6613beae1bcfd4fd3819be79c5bc40.zip FreeBSD-src-7974609efe6613beae1bcfd4fd3819be79c5bc40.tar.gz |
Instrument sysarch() MD privileged I/O access interfaces with a MAC
check, mac_check_sysarch_ioperm(), permitting MAC security policy
modules to control access to these interfaces. Currently, they
protect access to IOPL on i386, and setting HAE on Alpha.
Additional checks might be required on other platforms to prevent
bypass of kernel security protections by unauthorized processes.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
Diffstat (limited to 'sys/amd64')
-rw-r--r-- | sys/amd64/amd64/sys_machdep.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/sys/amd64/amd64/sys_machdep.c b/sys/amd64/amd64/sys_machdep.c index 3e2ec74..ce26093 100644 --- a/sys/amd64/amd64/sys_machdep.c +++ b/sys/amd64/amd64/sys_machdep.c @@ -36,10 +36,12 @@ */ #include "opt_kstack_pages.h" +#include "opt_mac.h" #include <sys/param.h> #include <sys/systm.h> #include <sys/lock.h> +#include <sys/mac.h> #include <sys/malloc.h> #include <sys/mutex.h> #include <sys/proc.h> @@ -183,6 +185,10 @@ i386_set_ioperm(td, args) if ((error = copyin(args, &ua, sizeof(struct i386_ioperm_args))) != 0) return (error); +#ifdef MAC + if ((error = mac_check_sysarch_ioperm(td->td_ucred)) != 0) + return (error); +#endif if ((error = suser(td)) != 0) return (error); if ((error = securelevel_gt(td->td_ucred, 0)) != 0) |