diff options
| author | rwatson <rwatson@FreeBSD.org> | 2002-08-01 03:50:08 +0000 |
|---|---|---|
| committer | rwatson <rwatson@FreeBSD.org> | 2002-08-01 03:50:08 +0000 |
| commit | fff16f04c31f0d67256a1b7f7d58b136b269c39d (patch) | |
| tree | 7bf1a51ec214152f958825679cc61b3d0a81302f /sys/kern | |
| parent | 12992268bcfc67dfa1b52a8b66ccae39baccbaa0 (diff) | |
| download | FreeBSD-src-fff16f04c31f0d67256a1b7f7d58b136b269c39d.zip FreeBSD-src-fff16f04c31f0d67256a1b7f7d58b136b269c39d.tar.gz | |
Introduce support for Mandatory Access Control and extensible
kernel access control.
Instrument chdir() and chroot()-related system calls to invoke
appropriate MAC entry points to authorize the two operations.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
Diffstat (limited to 'sys/kern')
| -rw-r--r-- | sys/kern/vfs_extattr.c | 12 | ||||
| -rw-r--r-- | sys/kern/vfs_syscalls.c | 12 |
2 files changed, 24 insertions, 0 deletions
diff --git a/sys/kern/vfs_extattr.c b/sys/kern/vfs_extattr.c index a6a2982..bf43908 100644 --- a/sys/kern/vfs_extattr.c +++ b/sys/kern/vfs_extattr.c @@ -397,6 +397,10 @@ fchdir(td, uap) vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); if (vp->v_type != VDIR) error = ENOTDIR; +#ifdef MAC + else if ((error = mac_check_vnode_chdir(td->td_ucred, vp)) != 0) { + } +#endif else error = VOP_ACCESS(vp, VEXEC, td->td_ucred, td); while (!error && (mp = vp->v_mountedhere) != NULL) { @@ -524,6 +528,10 @@ chroot(td, uap) mtx_lock(&Giant); if ((error = change_dir(&nd, td)) != 0) goto error; +#ifdef MAC + if ((error = mac_check_vnode_chroot(td->td_ucred, nd.ni_vp))) + goto error; +#endif FILEDESC_LOCK(fdp); if (chroot_allow_open_directories == 0 || (chroot_allow_open_directories == 1 && fdp->fd_rdir != rootvnode)) { @@ -567,6 +575,10 @@ change_dir(ndp, td) vp = ndp->ni_vp; if (vp->v_type != VDIR) error = ENOTDIR; +#ifdef MAC + else if ((error = mac_check_vnode_chdir(td->td_ucred, vp)) != 0) { + } +#endif else error = VOP_ACCESS(vp, VEXEC, td->td_ucred, td); if (error) diff --git a/sys/kern/vfs_syscalls.c b/sys/kern/vfs_syscalls.c index a6a2982..bf43908 100644 --- a/sys/kern/vfs_syscalls.c +++ b/sys/kern/vfs_syscalls.c @@ -397,6 +397,10 @@ fchdir(td, uap) vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); if (vp->v_type != VDIR) error = ENOTDIR; +#ifdef MAC + else if ((error = mac_check_vnode_chdir(td->td_ucred, vp)) != 0) { + } +#endif else error = VOP_ACCESS(vp, VEXEC, td->td_ucred, td); while (!error && (mp = vp->v_mountedhere) != NULL) { @@ -524,6 +528,10 @@ chroot(td, uap) mtx_lock(&Giant); if ((error = change_dir(&nd, td)) != 0) goto error; +#ifdef MAC + if ((error = mac_check_vnode_chroot(td->td_ucred, nd.ni_vp))) + goto error; +#endif FILEDESC_LOCK(fdp); if (chroot_allow_open_directories == 0 || (chroot_allow_open_directories == 1 && fdp->fd_rdir != rootvnode)) { @@ -567,6 +575,10 @@ change_dir(ndp, td) vp = ndp->ni_vp; if (vp->v_type != VDIR) error = ENOTDIR; +#ifdef MAC + else if ((error = mac_check_vnode_chdir(td->td_ucred, vp)) != 0) { + } +#endif else error = VOP_ACCESS(vp, VEXEC, td->td_ucred, td); if (error) |
