diff options
| author | rwatson <rwatson@FreeBSD.org> | 2002-08-01 01:09:54 +0000 |
|---|---|---|
| committer | rwatson <rwatson@FreeBSD.org> | 2002-08-01 01:09:54 +0000 |
| commit | b151c78a3fe26af02191161cab9a9d9a7ef2bd04 (patch) | |
| tree | b7f3d0d027d05b3f40d45a0cab6b9f74baaba815 /sys/kern | |
| parent | 1dd92f70c32d48ea51b244c524e88577b031dd97 (diff) | |
| download | FreeBSD-src-b151c78a3fe26af02191161cab9a9d9a7ef2bd04.zip FreeBSD-src-b151c78a3fe26af02191161cab9a9d9a7ef2bd04.tar.gz | |
Introduce support for Mandatory Access Control and extensible
kernel access control.
Instrument ctty driver invocations of various vnode operations on the
terminal controlling tty to perform appropriate MAC framework
authorization checks.
Note: VOP_IOCTL() on the ctty appears to be authorized using NOCRED in
the existing code rather than td->td_ucred. Why?
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
Diffstat (limited to 'sys/kern')
| -rw-r--r-- | sys/kern/tty_tty.c | 28 |
1 files changed, 27 insertions, 1 deletions
diff --git a/sys/kern/tty_tty.c b/sys/kern/tty_tty.c index e1e03bd..ab04328 100644 --- a/sys/kern/tty_tty.c +++ b/sys/kern/tty_tty.c @@ -38,12 +38,15 @@ * Indirect driver for controlling tty. */ +#include "opt_mac.h" + #include <sys/param.h> #include <sys/systm.h> #include <sys/conf.h> #include <sys/kernel.h> #include <sys/lock.h> #include <sys/mutex.h> +#include <sys/mac.h> #include <sys/sx.h> #include <sys/proc.h> #include <sys/ttycom.h> @@ -94,6 +97,13 @@ cttyopen(dev, flag, mode, td) if (ttyvp == NULL) return (ENXIO); vn_lock(ttyvp, LK_EXCLUSIVE | LK_RETRY, td); +#ifdef MAC + error = mac_check_vnode_open(td->td_ucred, ttyvp, flag); + if (error) { + VOP_UNLOCK(ttyvp, 0, td); + return (error); + } +#endif error = VOP_OPEN(ttyvp, flag, NOCRED, td); VOP_UNLOCK(ttyvp, 0, td); return (error); @@ -149,7 +159,12 @@ cttywrite(dev, uio, flag) (error = vn_start_write(ttyvp, &mp, V_WAIT | PCATCH)) != 0) return (error); vn_lock(ttyvp, LK_EXCLUSIVE | LK_RETRY, td); - error = VOP_WRITE(ttyvp, uio, flag, NOCRED); +#ifdef MAC + /* XXX: shouldn't the cred below be td->td_ucred not NOCRED? */ + error = mac_check_vnode_op(td->td_ucred, ttyvp, MAC_OP_VNODE_WRITE); + if (error == 0) +#endif + error = VOP_WRITE(ttyvp, uio, flag, NOCRED); VOP_UNLOCK(ttyvp, 0, td); vn_finished_write(mp); return (error); @@ -189,6 +204,7 @@ cttyioctl(dev, cmd, addr, flag, td) PROC_UNLOCK(td->td_proc); return (error); } + /* XXXMAC: Should this be td->td_ucred below? */ return (VOP_IOCTL(ttyvp, cmd, addr, flag, NOCRED, td)); } @@ -200,6 +216,9 @@ cttypoll(dev, events, td) struct thread *td; { struct vnode *ttyvp; +#ifdef MAC + int error; +#endif PROC_LOCK(td->td_proc); SESS_LOCK(td->td_proc->p_session); @@ -210,6 +229,13 @@ cttypoll(dev, events, td) if (ttyvp == NULL) /* try operation to get EOF/failure */ return (seltrue(dev, events, td)); +#ifdef MAC + vn_lock(ttyvp, LK_EXCLUSIVE | LK_RETRY, td); + error = mac_check_vnode_op(td->td_ucred, ttyvp, MAC_OP_VNODE_POLL); + VOP_UNLOCK(ttyvp, 0, td); + if (error) + return (error); +#endif return (VOP_POLL(ttyvp, events, td->td_ucred, td)); } |
