authorrwatson <rwatson@FreeBSD.org>2002-11-19 22:12:42 +0000
committerrwatson <rwatson@FreeBSD.org>2002-11-19 22:12:42 +0000
commit3753917a2e3632a0a83440ab69ab298ffbac8b21 (patch)
tree27f9795d43925d8d413f84523fd30688a07d2995 /sys/kern/kern_linker.c
parented9ee57838aaff75e6f849cc92da8379cb766734 (diff)
Merge kld access control checks from the MAC tree: these access control
checks permit policy modules to augment the system policy for permitting kld operations. This permits policies to limit access to kld operations based on credential (and other) properties, as well as to perform checks on the kld being loaded (integrity, etc). Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
Diffstat (limited to 'sys/kern/kern_linker.c')
-rw-r--r--sys/kern/kern_linker.c42
1 files changed, 42 insertions, 0 deletions
diff --git a/sys/kern/kern_linker.c b/sys/kern/kern_linker.c
index b936159..eab20b1 100644
--- a/sys/kern/kern_linker.c
+++ b/sys/kern/kern_linker.c
@@ -27,6 +27,7 @@
*/
#include "opt_ddb.h"
+#include "opt_mac.h"
#include <sys/param.h>
#include <sys/kernel.h>
@@ -38,6 +39,7 @@
#include <sys/lock.h>
#include <sys/mutex.h>
#include <sys/sx.h>
+#include <sys/mac.h>
#include <sys/module.h>
#include <sys/linker.h>
#include <sys/fcntl.h>
@@ -474,6 +476,11 @@ linker_file_unload(linker_file_t file)
/* Refuse to unload modules if securelevel raised. */
if (securelevel > 0)
return (EPERM);
+#ifdef MAC
+ error = mac_check_kld_unload(curthread->td_ucred);
+ if (error)
+ return (error);
+#endif
KLD_DPF(FILE, ("linker_file_unload: lf->refs=%d\n", file->refs));
if (file->refs == 1) {
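Review bot: The new `mac_check_kld_unload(curthread->td_ucred)` call sits inside linker_file_unload() itself, so it judges whichever thread happens to be running rather than a credential passed in by the caller. If this function is also reached from in-kernel paths (for example cleanup after a failed load; those callers are not visible in this hunk), a policy denial could leave a half-loaded file in place, the same exposure the securelevel test just above already has. Consider performing the check in the syscall entry point that has the requesting `td`, or at least document the behaviour with a comment such as `/* MAC: policy may veto the unload based on curthread's credential; this also applies to in-kernel callers. */`. The check also receives no reference to `file`, so a policy cannot decide per module. The function body starts and ends outside the hunk, including the declaration of `error`.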
@@ -824,6 +831,12 @@ kldfind(struct thread *td, struct kldfind_args *uap)
linker_file_t lf;
int error = 0;
+#ifdef MAC
+ error = mac_check_kld_stat(td->td_ucred);
+ if (error)
+ return (error);
+#endif
+
mtx_lock(&Giant);
td->td_retval[0] = -1;
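Review bot: The added `mac_check_kld_stat(td->td_ucred)` block carries no comment, and the identical block is repeated in the kldnext, kldstat and kldfirstmod hunks below. Because only the credential is passed, a policy can allow or deny enumeration as a whole but cannot decide per file id or per name; that limitation should be stated where the check is made. A one-line comment would do, e.g. `/* MAC: policy may deny kld enumeration based on the caller's credential only. */`. Returning before `mtx_lock(&Giant)` is correct, since no lock is held on the denial path. The function bodies continue outside these hunks.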
@@ -854,6 +867,12 @@ kldnext(struct thread *td, struct kldnext_args *uap)
linker_file_t lf;
int error = 0;
+#ifdef MAC
+ error = mac_check_kld_stat(td->td_ucred);
+ if (error)
+ return (error);
+#endif
+
mtx_lock(&Giant);
if (SCARG(uap, fileid) == 0) {
@@ -889,6 +908,12 @@ kldstat(struct thread *td, struct kldstat_args *uap)
int namelen, version;
struct kld_file_stat *stat;
+#ifdef MAC
+ error = mac_check_kld_stat(td->td_ucred);
+ if (error)
+ return (error);
+#endif
+
mtx_lock(&Giant);
lf = linker_find_file_by_id(SCARG(uap, fileid));
@@ -938,6 +963,12 @@ kldfirstmod(struct thread *td, struct kldfirstmod_args *uap)
module_t mp;
int error = 0;
+#ifdef MAC
+ error = mac_check_kld_stat(td->td_ucred);
+ if (error)
+ return (error);
+#endif
+
mtx_lock(&Giant);
lf = linker_find_file_by_id(SCARG(uap, fileid));
if (lf) {
@@ -967,6 +998,12 @@ kldsym(struct thread *td, struct kldsym_args *uap)
struct kld_sym_lookup lookup;
int error = 0;
+#ifdef MAC
+ error = mac_check_kld_stat(td->td_ucred);
+ if (error)
+ return (error);
+#endif
+
mtx_lock(&Giant);
if ((error = copyin(SCARG(uap, data), &lookup, sizeof(lookup))) != 0)
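Review bot: kldsym() reuses the generic `mac_check_kld_stat()` gate, yet judging by the `struct kld_sym_lookup` it copies in, it resolves symbol names rather than just listing loaded files. If the lookup returns kernel addresses (the rest of the body is outside the hunk), a policy that wants to permit module listing while denying symbol resolution cannot tell the two apart. Either give symbol lookup its own policy entry point or record the coupling with a comment such as `/* MAC: symbol lookup is authorised by the same check as kldstat; policies cannot separate the two. */`.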
@@ -1800,6 +1837,11 @@ sysctl_kern_function_list(SYSCTL_HANDLER_ARGS)
linker_file_t lf;
int error;
+#ifdef MAC
+ error = mac_check_kld_stat(req->td->td_ucred);
+ if (error)
+ return (error);
+#endif
sysctl_wire_old_buffer(req, 0);
mtx_lock(&kld_mtx);
TAILQ_FOREACH(lf, &linker_files, link) {
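Review bot: The added `mac_check_kld_stat(req->td->td_ucred)` dereferences `req->td` without checking it. Whether a sysctl request can reach this handler with no thread attached (for example one issued from inside the kernel) is not visible from this hunk; if it can, this is a NULL dereference in a path that previously did not touch `req->td`. If that case exists, guard it with `if (req->td != NULL)` around the check, or state the assumption in a comment such as `/* req->td is always set for this handler. */`. Placing the check before `sysctl_wire_old_buffer()` and `mtx_lock(&kld_mtx)` is right, as nothing needs to be undone on denial.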