authorrwatson <rwatson@FreeBSD.org>2002-09-09 17:12:24 +0000
committerrwatson <rwatson@FreeBSD.org>2002-09-09 17:12:24 +0000
commit990d7cf43ea7779fe8dfd09f49b1bab42b11b286 (patch)
tree966b601da2a5a540f06318e81218029dec4300a7 /sys/kern/kern_mac.c
parentbb152917727d1faa614c80067f9ee9b60dcdb7c7 (diff)
Add security.mac.mmap_revocation, a flag indicating whether we
should revoke access to memory maps on a process label change. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
Diffstat (limited to 'sys/kern/kern_mac.c')
-rw-r--r--sys/kern/kern_mac.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/sys/kern/kern_mac.c b/sys/kern/kern_mac.c
index b3a5f65..07d7b2d 100644
--- a/sys/kern/kern_mac.c
+++ b/sys/kern/kern_mac.c
@@ -160,6 +160,11 @@ SYSCTL_INT(_security_mac, OID_AUTO, vnode_label_cache_hits, CTLFLAG_RD,
static int mac_vnode_label_cache_misses = 0;
SYSCTL_INT(_security_mac, OID_AUTO, vnode_label_cache_misses, CTLFLAG_RD,
&mac_vnode_label_cache_misses, 0, "Cache misses on vnode labels");
+
+static int mac_mmap_revocation = 1;
+SYSCTL_INT(_security_mac, OID_AUTO, mmap_revocation, CTLFLAG_RW,
+ &mac_mmap_revocation, 0, "Revoke mmap access to files on subject "
+ "relabel");
static int mac_mmap_revocation_via_cow = 0;
SYSCTL_INT(_security_mac, OID_AUTO, mmap_revocation_via_cow, CTLFLAG_RW,
&mac_mmap_revocation_via_cow, 0, "Revoke mmap access to files via "
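Review bot: The new `mac_mmap_revocation` declaration has no comment saying what setting it to 0 means for enforcement, and the sysctl description only covers the enabled case. With the value at 0, the guard added in `mac_cred_mmapped_drop_perms_recurse` returns before the map is walked, so mappings created under the old label stay usable after a relabel, and `mmap_revocation_via_cow` presumably stops having any effect. I would add a comment above the variable such as `/* If 0, existing mappings survive a subject relabel; mmap_revocation_via_cow is then ignored. */`. Since this is `CTLFLAG_RW` and weakens label enforcement when cleared, it is also worth deciding whether it should carry `CTLFLAG_SECURE` so it cannot be turned off once securelevel is raised.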
@@ -2168,6 +2173,9 @@ mac_cred_mmapped_drop_perms_recurse(struct thread *td, struct ucred *cred,
vm_ooffset_t offset;
struct vnode *vp;
+ if (!mac_mmap_revocation)
+ return;
+
vm_map_lock_read(map);
for (vme = map->header.next; vme != &map->header; vme = vme->next) {
if (vme->eflags & MAP_ENTRY_IS_SUB_MAP) {
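Review bot: The `if (!mac_mmap_revocation) return;` guard sits in the `_recurse` helper, so the flag is presumably re-read on each descent into a submap rather than once per relabel. The sysctl is writable at run time and nothing visible here serialises that read, so a change during the walk could leave the top-level map revoked and a submap skipped, or the reverse. Reading the flag once in the non-recursive caller (not shown in this hunk) would make the decision consistent for the whole relabel. If the check stays here, a comment such as `/* Revocation disabled by administrator: leave existing mappings untouched. */` would make the intent clear. The function body starts and ends outside the hunk.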