author | rwatson <rwatson@FreeBSD.org> | 2002-09-09 17:12:24 +0000 |
---|---|---|
committer | rwatson <rwatson@FreeBSD.org> | 2002-09-09 17:12:24 +0000 |
commit | 990d7cf43ea7779fe8dfd09f49b1bab42b11b286 (patch) | |
tree | 966b601da2a5a540f06318e81218029dec4300a7 /sys/kern/kern_mac.c | |
parent | bb152917727d1faa614c80067f9ee9b60dcdb7c7 (diff) | |
Add security.mac.mmap_revocation, a flag indicating whether we
should revoke access to memory maps on a process label change.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
Diffstat (limited to 'sys/kern/kern_mac.c')
-rw-r--r-- | sys/kern/kern_mac.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/sys/kern/kern_mac.c b/sys/kern/kern_mac.c
index b3a5f65..07d7b2d 100644
--- a/sys/kern/kern_mac.c
+++ b/sys/kern/kern_mac.c
@@ -160,6 +160,11 @@ SYSCTL_INT(_security_mac, OID_AUTO, vnode_label_cache_hits, CTLFLAG_RD,
 static int mac_vnode_label_cache_misses = 0;
 SYSCTL_INT(_security_mac, OID_AUTO, vnode_label_cache_misses, CTLFLAG_RD,
 &mac_vnode_label_cache_misses, 0, "Cache misses on vnode labels");
+
+static int mac_mmap_revocation = 1;
+SYSCTL_INT(_security_mac, OID_AUTO, mmap_revocation, CTLFLAG_RW, &mac_mmap_revocation, 0, "Revoke mmap access to files on subject " "relabel");
 static int mac_mmap_revocation_via_cow = 0;
 SYSCTL_INT(_security_mac, OID_AUTO, mmap_revocation_via_cow, CTLFLAG_RW,
 &mac_mmap_revocation_via_cow, 0, "Revoke mmap access to files via "
@@ -2168,6 +2173,9 @@ mac_cred_mmapped_drop_perms_recurse(struct thread *td, struct ucred *cred,
 vm_ooffset_t offset;
 struct vnode *vp;
 
+ if (!mac_mmap_revocation)
+ return;
+
 vm_map_lock_read(map);
 for (vme = map->header.next; vme != &map->header; vme = vme->next) {
 if (vme->eflags & MAP_ENTRY_IS_SUB_MAP) {
|
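Review bot: The new `mac_mmap_revocation` knob is root-writable at runtime (CTLFLAG_RW) and defaults to on, but nothing at the declaration states what clearing it costs: mappings established before a subject relabel keep their old access until they are torn down by other means. A short comment above the declaration would stop the next administrator from treating it as a harmless performance toggle, e.g. `/* Drop existing mmap access on subject relabel; clearing this leaves pre-relabel mappings usable. */`. It would also be worth noting next to `mac_mmap_revocation_via_cow` that the COW variant presumably has no effect while this flag is clear, since the only consumer visible in this commit returns before either is consulted; that relationship cannot be confirmed from this hunk alone.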
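Review bot: The early return is placed in `mac_cred_mmapped_drop_perms_recurse` rather than its non-recursive caller, so if this function recurses into submaps (the `MAP_ENTRY_IS_SUB_MAP` branch on the last context line suggests it may) the sysctl is re-read at every level, and a concurrent write to the knob could flip it mid-walk, revoking some submaps and not others. Testing the flag once in the outer entry point, or latching it into a local before the map walk, would make the decision apply to the whole map consistently; the function's body starts and ends outside this hunk, so I cannot tell whether the caller already does so. The guard also has no why-comment; `/* Revocation disabled by sysctl; leave existing mappings untouched. */` above the `if` would make its security consequence explicit to a reader who lands here first.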