diff options
author | rwatson <rwatson@FreeBSD.org> | 2002-10-27 07:03:29 +0000 |
---|---|---|
committer | rwatson <rwatson@FreeBSD.org> | 2002-10-27 07:03:29 +0000 |
commit | be98961ae9a436687b5316053ddc75281a568984 (patch) | |
tree | 68db4a6fce87a1271d7012e61fc2ce77d4d94f2d /sys/kern/kern_mac.c | |
parent | 8cd9e638192b755dfb25a68d8cef5abe0c9e00be (diff) | |
download | FreeBSD-src-be98961ae9a436687b5316053ddc75281a568984.zip FreeBSD-src-be98961ae9a436687b5316053ddc75281a568984.tar.gz |
Hook up mac_check_system_reboot(), a MAC Framework entry point that
permits MAC modules to augment system security decisions regarding
the reboot() system call, if MAC is compiled into the kernel.
Approved by: re
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
Diffstat (limited to 'sys/kern/kern_mac.c')
-rw-r--r-- | sys/kern/kern_mac.c | 23 |
1 files changed, 23 insertions, 0 deletions
diff --git a/sys/kern/kern_mac.c b/sys/kern/kern_mac.c index b757be6..00ecd04 100644 --- a/sys/kern/kern_mac.c +++ b/sys/kern/kern_mac.c @@ -141,6 +141,11 @@ SYSCTL_INT(_security_mac, OID_AUTO, enforce_process, CTLFLAG_RW, &mac_enforce_process, 0, "Enforce MAC policy on inter-process operations"); TUNABLE_INT("security.mac.enforce_process", &mac_enforce_process); +static int mac_enforce_reboot = 1; +SYSCTL_INT(_security_mac, OID_AUTO, enforce_reboot, CTLFLAG_RW, + &mac_enforce_reboot, 0, "Enforce MAC policy for reboot operations"); +TUNABLE_INT("security.mac.enforce_reboot", &mac_enforce_reboot); + static int mac_enforce_socket = 1; SYSCTL_INT(_security_mac, OID_AUTO, enforce_socket, CTLFLAG_RW, &mac_enforce_socket, 0, "Enforce MAC policy on socket operations"); @@ -899,6 +904,10 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_check_socket_visible = mpe->mpe_function; break; + case MAC_CHECK_SYSTEM_REBOOT: + mpc->mpc_ops->mpo_check_system_reboot = + mpe->mpe_function; + break; case MAC_CHECK_SYSTEM_SWAPON: mpc->mpc_ops->mpo_check_system_swapon = mpe->mpe_function; @@ -2997,6 +3006,20 @@ mac_check_socket_visible(struct ucred *cred, struct socket *socket) } int +mac_check_system_reboot(struct ucred *cred, int howto) +{ + int error; + + ASSERT_VOP_LOCKED(vp, "mac_check_system_reboot"); + + if (!mac_enforce_reboot) + return (0); + + MAC_CHECK(check_system_reboot, cred, howto); + return (error); +} + +int mac_check_system_swapon(struct ucred *cred, struct vnode *vp) { int error; |