author | rwatson <rwatson@FreeBSD.org> | 2002-11-19 22:12:42 +0000 |
committer | rwatson <rwatson@FreeBSD.org> | 2002-11-19 22:12:42 +0000 |
commit | 3753917a2e3632a0a83440ab69ab298ffbac8b21 (patch) | |
tree | 27f9795d43925d8d413f84523fd30688a07d2995 /sys/security/mac | |
parent | ed9ee57838aaff75e6f849cc92da8379cb766734 (diff) | |
Merge kld access control checks from the MAC tree: these access control
checks permit policy modules to augment the system policy for permitting
kld operations. This permits policies to limit access to kld operations
based on credential (and other) properties, as well as to perform checks
on the kld being loaded (integrity, etc).
Approved by: re
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
Diffstat (limited to 'sys/security/mac')
-rw-r--r-- | sys/security/mac/mac_framework.c | 46 | ||||
-rw-r--r-- | sys/security/mac/mac_framework.h | 3 | ||||
-rw-r--r-- | sys/security/mac/mac_internal.h | 46 | ||||
-rw-r--r-- | sys/security/mac/mac_net.c | 46 | ||||
-rw-r--r-- | sys/security/mac/mac_pipe.c | 46 | ||||
-rw-r--r-- | sys/security/mac/mac_policy.h | 4 | ||||
-rw-r--r-- | sys/security/mac/mac_process.c | 46 | ||||
-rw-r--r-- | sys/security/mac/mac_syscalls.c | 46 | ||||
-rw-r--r-- | sys/security/mac/mac_system.c | 46 | ||||
-rw-r--r-- | sys/security/mac/mac_vfs.c | 46 |
10 files changed, 375 insertions, 0 deletions
diff --git a/sys/security/mac/mac_framework.c b/sys/security/mac/mac_framework.c
index 82eded8..bf6c999 100644
--- a/sys/security/mac/mac_framework.c
+++ b/sys/security/mac/mac_framework.c
@@ -125,6 +125,11 @@ SYSCTL_INT(_security_mac, OID_AUTO, enforce_fs, CTLFLAG_RW,
     &mac_enforce_fs, 0, "Enforce MAC policy on file system objects");
 TUNABLE_INT("security.mac.enforce_fs", &mac_enforce_fs);
 
+static int mac_enforce_kld = 1;
+SYSCTL_INT(_security_mac, OID_AUTO, enforce_kld, CTLFLAG_RW,
+    &mac_enforce_kld, 0, "Enforce MAC policy on kld operations");
+TUNABLE_INT("security.mac.enforce_kld", &mac_enforce_kld);
+
 static int mac_enforce_network = 1;
 SYSCTL_INT(_security_mac, OID_AUTO, enforce_network, CTLFLAG_RW,
     &mac_enforce_network, 0, "Enforce MAC policy on network packets");
@@ -2293,6 +2298,47 @@ mac_check_kenv_unset(struct ucred *cred, char *name)
 }
 
 int
+mac_check_kld_load(struct ucred *cred, struct vnode *vp)
+{
+	int error;
+
+	ASSERT_VOP_LOCKED(vp, "mac_check_kld_load");
+
+	if (!mac_enforce_kld)
+		return (0);
+
+	MAC_CHECK(check_kld_load, cred, vp, &vp->v_label);
+
+	return (error);
+}
+
+int
+mac_check_kld_stat(struct ucred *cred)
+{
+	int error;
+
+	if (!mac_enforce_kld)
+		return (0);
+
+	MAC_CHECK(check_kld_stat, cred);
+
+	return (error);
+}
+
+int
+mac_check_kld_unload(struct ucred *cred)
+{
+	int error;
+
+	if (!mac_enforce_kld)
+		return (0);
+
+	MAC_CHECK(check_kld_unload, cred);
+
+	return (error);
+}
+
+int
 mac_check_mount_stat(struct ucred *cred, struct mount *mount)
 {
 	int error;
diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h
index 17cf52e..3e7e6bb 100644
--- a/sys/security/mac/mac_framework.h
+++ b/sys/security/mac/mac_framework.h
@@ -237,6 +237,9 @@ int mac_check_kenv_dump(struct ucred *cred);
 int mac_check_kenv_get(struct ucred *cred, char *name);
 int mac_check_kenv_set(struct ucred *cred, char *name, char *value);
 int mac_check_kenv_unset(struct ucred *cred, char *name);
+int mac_check_kld_load(struct ucred *cred, struct vnode *vp);
+int mac_check_kld_stat(struct ucred *cred);
+int mac_check_kld_unload(struct ucred *cred);
 int mac_check_mount_stat(struct ucred *cred, struct mount *mp);
 int mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe,
     unsigned long cmd, void *data);
diff --git a/sys/security/mac/mac_internal.h b/sys/security/mac/mac_internal.h
index 82eded8..bf6c999 100644
--- a/sys/security/mac/mac_internal.h
+++ b/sys/security/mac/mac_internal.h
@@ -125,6 +125,11 @@ SYSCTL_INT(_security_mac, OID_AUTO, enforce_fs, CTLFLAG_RW,
     &mac_enforce_fs, 0, "Enforce MAC policy on file system objects");
 TUNABLE_INT("security.mac.enforce_fs", &mac_enforce_fs);
 
+static int mac_enforce_kld = 1;
+SYSCTL_INT(_security_mac, OID_AUTO, enforce_kld, CTLFLAG_RW,
+    &mac_enforce_kld, 0, "Enforce MAC policy on kld operations");
+TUNABLE_INT("security.mac.enforce_kld", &mac_enforce_kld);
+
 static int mac_enforce_network = 1;
 SYSCTL_INT(_security_mac, OID_AUTO, enforce_network, CTLFLAG_RW,
     &mac_enforce_network, 0, "Enforce MAC policy on network packets");
@@ -2293,6 +2298,47 @@ mac_check_kenv_unset(struct ucred *cred, char *name)
 }
 
 int
+mac_check_kld_load(struct ucred *cred, struct vnode *vp)
+{
+	int error;
+
+	ASSERT_VOP_LOCKED(vp, "mac_check_kld_load");
+
+	if (!mac_enforce_kld)
+		return (0);
+
+	MAC_CHECK(check_kld_load, cred, vp, &vp->v_label);
+
+	return (error);
+}
+
+int
+mac_check_kld_stat(struct ucred *cred)
+{
+	int error;
+
+	if (!mac_enforce_kld)
+		return (0);
+
+	MAC_CHECK(check_kld_stat, cred);
+
+	return (error);
+}
+
+int
+mac_check_kld_unload(struct ucred *cred)
+{
+	int error;
+
+	if (!mac_enforce_kld)
+		return (0);
+
+	MAC_CHECK(check_kld_unload, cred);
+
+	return (error);
+}
+
+int
 mac_check_mount_stat(struct ucred *cred, struct mount *mount)
 {
 	int error;
diff --git a/sys/security/mac/mac_net.c b/sys/security/mac/mac_net.c
index 82eded8..bf6c999 100644
--- a/sys/security/mac/mac_net.c
+++ b/sys/security/mac/mac_net.c
@@ -125,6 +125,11 @@ SYSCTL_INT(_security_mac, OID_AUTO, enforce_fs, CTLFLAG_RW,
     &mac_enforce_fs, 0, "Enforce MAC policy on file system objects");
 TUNABLE_INT("security.mac.enforce_fs", &mac_enforce_fs);
 
+static int mac_enforce_kld = 1;
+SYSCTL_INT(_security_mac, OID_AUTO, enforce_kld, CTLFLAG_RW,
+    &mac_enforce_kld, 0, "Enforce MAC policy on kld operations");
+TUNABLE_INT("security.mac.enforce_kld", &mac_enforce_kld);
+
 static int mac_enforce_network = 1;
 SYSCTL_INT(_security_mac, OID_AUTO, enforce_network, CTLFLAG_RW,
     &mac_enforce_network, 0, "Enforce MAC policy on network packets");
@@ -2293,6 +2298,47 @@ mac_check_kenv_unset(struct ucred *cred, char *name)
 }
 
 int
+mac_check_kld_load(struct ucred *cred, struct vnode *vp)
+{
+	int error;
+
+	ASSERT_VOP_LOCKED(vp, "mac_check_kld_load");
+
+	if (!mac_enforce_kld)
+		return (0);
+
+	MAC_CHECK(check_kld_load, cred, vp, &vp->v_label);
+
+	return (error);
+}
+
+int
+mac_check_kld_stat(struct ucred *cred)
+{
+	int error;
+
+	if (!mac_enforce_kld)
+		return (0);
+
+	MAC_CHECK(check_kld_stat, cred);
+
+	return (error);
+}
+
+int
+mac_check_kld_unload(struct ucred *cred)
+{
+	int error;
+
+	if (!mac_enforce_kld)
+		return (0);
+
+	MAC_CHECK(check_kld_unload, cred);
+
+	return (error);
+}
+
+int
 mac_check_mount_stat(struct ucred *cred, struct mount *mount)
 {
 	int error;
diff --git a/sys/security/mac/mac_pipe.c b/sys/security/mac/mac_pipe.c
index 82eded8..bf6c999 100644
--- a/sys/security/mac/mac_pipe.c
+++ b/sys/security/mac/mac_pipe.c
@@ -125,6 +125,11 @@ SYSCTL_INT(_security_mac, OID_AUTO, enforce_fs, CTLFLAG_RW,
     &mac_enforce_fs, 0, "Enforce MAC policy on file system objects");
 TUNABLE_INT("security.mac.enforce_fs", &mac_enforce_fs);
 
+static int mac_enforce_kld = 1;
+SYSCTL_INT(_security_mac, OID_AUTO, enforce_kld, CTLFLAG_RW,
+    &mac_enforce_kld, 0, "Enforce MAC policy on kld operations");
+TUNABLE_INT("security.mac.enforce_kld", &mac_enforce_kld);
+
 static int mac_enforce_network = 1;
 SYSCTL_INT(_security_mac, OID_AUTO, enforce_network, CTLFLAG_RW,
     &mac_enforce_network, 0, "Enforce MAC policy on network packets");
@@ -2293,6 +2298,47 @@ mac_check_kenv_unset(struct ucred *cred, char *name)
 }
 
 int
+mac_check_kld_load(struct ucred *cred, struct vnode *vp)
+{
+	int error;
+
+	ASSERT_VOP_LOCKED(vp, "mac_check_kld_load");
+
+	if (!mac_enforce_kld)
+		return (0);
+
+	MAC_CHECK(check_kld_load, cred, vp, &vp->v_label);
+
+	return (error);
+}
+
+int
+mac_check_kld_stat(struct ucred *cred)
+{
+	int error;
+
+	if (!mac_enforce_kld)
+		return (0);
+
+	MAC_CHECK(check_kld_stat, cred);
+
+	return (error);
+}
+
+int
+mac_check_kld_unload(struct ucred *cred)
+{
+	int error;
+
+	if (!mac_enforce_kld)
+		return (0);
+
+	MAC_CHECK(check_kld_unload, cred);
+
+	return (error);
+}
+
+int
 mac_check_mount_stat(struct ucred *cred, struct mount *mount)
 {
 	int error;
diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h
index 20988fa..96fc060 100644
--- a/sys/security/mac/mac_policy.h
+++ b/sys/security/mac/mac_policy.h
@@ -272,6 +272,10 @@ struct mac_policy_ops {
 	int (*mpo_check_kenv_set)(struct ucred *cred, char *name,
 	    char *value);
 	int (*mpo_check_kenv_unset)(struct ucred *cred, char *name);
+	int (*mpo_check_kld_load)(struct ucred *cred, struct vnode *vp,
+	    struct label *vlabel);
+	int (*mpo_check_kld_stat)(struct ucred *cred);
+	int (*mpo_check_kld_unload)(struct ucred *cred);
 	int (*mpo_check_mount_stat)(struct ucred *cred, struct mount *mp,
 	    struct label *mntlabel);
 	int (*mpo_check_pipe_ioctl)(struct ucred *cred, struct pipe *pipe,
diff --git a/sys/security/mac/mac_process.c b/sys/security/mac/mac_process.c
index 82eded8..bf6c999 100644
--- a/sys/security/mac/mac_process.c
+++ b/sys/security/mac/mac_process.c
@@ -125,6 +125,11 @@ SYSCTL_INT(_security_mac, OID_AUTO, enforce_fs, CTLFLAG_RW,
     &mac_enforce_fs, 0, "Enforce MAC policy on file system objects");
 TUNABLE_INT("security.mac.enforce_fs", &mac_enforce_fs);
 
+static int mac_enforce_kld = 1;
+SYSCTL_INT(_security_mac, OID_AUTO, enforce_kld, CTLFLAG_RW,
+    &mac_enforce_kld, 0, "Enforce MAC policy on kld operations");
+TUNABLE_INT("security.mac.enforce_kld", &mac_enforce_kld);
+
 static int mac_enforce_network = 1;
 SYSCTL_INT(_security_mac, OID_AUTO, enforce_network, CTLFLAG_RW,
     &mac_enforce_network, 0, "Enforce MAC policy on network packets");
@@ -2293,6 +2298,47 @@ mac_check_kenv_unset(struct ucred *cred, char *name)
 }
 
 int
+mac_check_kld_load(struct ucred *cred, struct vnode *vp)
+{
+	int error;
+
+	ASSERT_VOP_LOCKED(vp, "mac_check_kld_load");
+
+	if (!mac_enforce_kld)
+		return (0);
+
+	MAC_CHECK(check_kld_load, cred, vp, &vp->v_label);
+
+	return (error);
+}
+
+int
+mac_check_kld_stat(struct ucred *cred)
+{
+	int error;
+
+	if (!mac_enforce_kld)
+		return (0);
+
+	MAC_CHECK(check_kld_stat, cred);
+
+	return (error);
+}
+
+int
+mac_check_kld_unload(struct ucred *cred)
+{
+	int error;
+
+	if (!mac_enforce_kld)
+		return (0);
+
+	MAC_CHECK(check_kld_unload, cred);
+
+	return (error);
+}
+
+int
 mac_check_mount_stat(struct ucred *cred, struct mount *mount)
 {
 	int error;
diff --git a/sys/security/mac/mac_syscalls.c b/sys/security/mac/mac_syscalls.c
index 82eded8..bf6c999 100644
--- a/sys/security/mac/mac_syscalls.c
+++ b/sys/security/mac/mac_syscalls.c
@@ -125,6 +125,11 @@ SYSCTL_INT(_security_mac, OID_AUTO, enforce_fs, CTLFLAG_RW,
     &mac_enforce_fs, 0, "Enforce MAC policy on file system objects");
 TUNABLE_INT("security.mac.enforce_fs", &mac_enforce_fs);
 
+static int mac_enforce_kld = 1;
+SYSCTL_INT(_security_mac, OID_AUTO, enforce_kld, CTLFLAG_RW,
+    &mac_enforce_kld, 0, "Enforce MAC policy on kld operations");
+TUNABLE_INT("security.mac.enforce_kld", &mac_enforce_kld);
+
 static int mac_enforce_network = 1;
 SYSCTL_INT(_security_mac, OID_AUTO, enforce_network, CTLFLAG_RW,
     &mac_enforce_network, 0, "Enforce MAC policy on network packets");
@@ -2293,6 +2298,47 @@ mac_check_kenv_unset(struct ucred *cred, char *name)
 }
 
 int
+mac_check_kld_load(struct ucred *cred, struct vnode *vp)
+{
+	int error;
+
+	ASSERT_VOP_LOCKED(vp, "mac_check_kld_load");
+
+	if (!mac_enforce_kld)
+		return (0);
+
+	MAC_CHECK(check_kld_load, cred, vp, &vp->v_label);
+
+	return (error);
+}
+
+int
+mac_check_kld_stat(struct ucred *cred)
+{
+	int error;
+
+	if (!mac_enforce_kld)
+		return (0);
+
+	MAC_CHECK(check_kld_stat, cred);
+
+	return (error);
+}
+
+int
+mac_check_kld_unload(struct ucred *cred)
+{
+	int error;
+
+	if (!mac_enforce_kld)
+		return (0);
+
+	MAC_CHECK(check_kld_unload, cred);
+
+	return (error);
+}
+
+int
 mac_check_mount_stat(struct ucred *cred, struct mount *mount)
 {
 	int error;
diff --git a/sys/security/mac/mac_system.c b/sys/security/mac/mac_system.c
index 82eded8..bf6c999 100644
--- a/sys/security/mac/mac_system.c
+++ b/sys/security/mac/mac_system.c
@@ -125,6 +125,11 @@ SYSCTL_INT(_security_mac, OID_AUTO, enforce_fs, CTLFLAG_RW,
     &mac_enforce_fs, 0, "Enforce MAC policy on file system objects");
 TUNABLE_INT("security.mac.enforce_fs", &mac_enforce_fs);
 
+static int mac_enforce_kld = 1;
+SYSCTL_INT(_security_mac, OID_AUTO, enforce_kld, CTLFLAG_RW,
+    &mac_enforce_kld, 0, "Enforce MAC policy on kld operations");
+TUNABLE_INT("security.mac.enforce_kld", &mac_enforce_kld);
+
 static int mac_enforce_network = 1;
 SYSCTL_INT(_security_mac, OID_AUTO, enforce_network, CTLFLAG_RW,
     &mac_enforce_network, 0, "Enforce MAC policy on network packets");
@@ -2293,6 +2298,47 @@ mac_check_kenv_unset(struct ucred *cred, char *name)
 }
 
 int
+mac_check_kld_load(struct ucred *cred, struct vnode *vp)
+{
+	int error;
+
+	ASSERT_VOP_LOCKED(vp, "mac_check_kld_load");
+
+	if (!mac_enforce_kld)
+		return (0);
+
+	MAC_CHECK(check_kld_load, cred, vp, &vp->v_label);
+
+	return (error);
+}
+
+int
+mac_check_kld_stat(struct ucred *cred)
+{
+	int error;
+
+	if (!mac_enforce_kld)
+		return (0);
+
+	MAC_CHECK(check_kld_stat, cred);
+
+	return (error);
+}
+
+int
+mac_check_kld_unload(struct ucred *cred)
+{
+	int error;
+
+	if (!mac_enforce_kld)
+		return (0);
+
+	MAC_CHECK(check_kld_unload, cred);
+
+	return (error);
+}
+
+int
 mac_check_mount_stat(struct ucred *cred, struct mount *mount)
 {
 	int error;
diff --git a/sys/security/mac/mac_vfs.c b/sys/security/mac/mac_vfs.c
index 82eded8..bf6c999 100644
--- a/sys/security/mac/mac_vfs.c
+++ b/sys/security/mac/mac_vfs.c
@@ -125,6 +125,11 @@ SYSCTL_INT(_security_mac, OID_AUTO, enforce_fs, CTLFLAG_RW,
     &mac_enforce_fs, 0, "Enforce MAC policy on file system objects");
 TUNABLE_INT("security.mac.enforce_fs", &mac_enforce_fs);
 
+static int mac_enforce_kld = 1;
+SYSCTL_INT(_security_mac, OID_AUTO, enforce_kld, CTLFLAG_RW,
+    &mac_enforce_kld, 0, "Enforce MAC policy on kld operations");
+TUNABLE_INT("security.mac.enforce_kld", &mac_enforce_kld);
+
 static int mac_enforce_network = 1;
 SYSCTL_INT(_security_mac, OID_AUTO, enforce_network, CTLFLAG_RW,
     &mac_enforce_network, 0, "Enforce MAC policy on network packets");
@@ -2293,6 +2298,47 @@ mac_check_kenv_unset(struct ucred *cred, char *name)
 }
 
 int
+mac_check_kld_load(struct ucred *cred, struct vnode *vp)
+{
+	int error;
+
+	ASSERT_VOP_LOCKED(vp, "mac_check_kld_load");
+
+	if (!mac_enforce_kld)
+		return (0);
+
+	MAC_CHECK(check_kld_load, cred, vp, &vp->v_label);
+
+	return (error);
+}
+
+int
+mac_check_kld_stat(struct ucred *cred)
+{
+	int error;
+
+	if (!mac_enforce_kld)
+		return (0);
+
+	MAC_CHECK(check_kld_stat, cred);
+
+	return (error);
+}
+
+int
+mac_check_kld_unload(struct ucred *cred)
+{
+	int error;
+
+	if (!mac_enforce_kld)
+		return (0);
+
+	MAC_CHECK(check_kld_unload, cred);
+
+	return (error);
+}
+
+int
 mac_check_mount_stat(struct ucred *cred, struct mount *mount)
 {
 	int error;
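Review bot: `mac_enforce_kld` is declared `CTLFLAG_RW`, so any subject permitted to write `security.mac.enforce_kld` can set it to 0 and make all three new hooks return 0 before any policy module is consulted; a policy that restricts module loading is therefore only as strong as the protection on that sysctl. This mirrors the neighbouring `enforce_fs`/`enforce_network` knobs and may be a deliberate trade-off, but it deserves a comment on the declaration, e.g. `/* Runtime kill switch for every kld hook; a policy that must not be bypassable has to deny writes to this sysctl as well. */`. Whether the framework's own sysctl hook already covers `security.mac.*` is not visible in this hunk.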
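Review bot: `mac_check_kld_load` hands the policy only `vp` and `&vp->v_label`, so any "integrity" check a policy performs here inspects the file before the linker reads the object; the `ASSERT_VOP_LOCKED` only establishes that `vp` is locked at the moment of the check, and unless the caller keeps that lock (and the file is otherwise immutable) until the read completes, the contents can change between check and use. The caller is not in this hunk, so I cannot tell whether the lock is held across the read; stating the contract above the function would make it explicit, e.g. `/* Caller must hold vp locked from this check through the linker's read of the object, otherwise an integrity policy is exposed to a check/use race. */`. The three functions otherwise follow the `mac_check_kenv_*`/`mac_check_mount_stat` pattern visible around them.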
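Review bot: The new prototypes state no locking contract, yet the implementation in mac_framework.c asserts that `vp` is locked on entry to `mac_check_kld_load`; a caller reading only this header cannot know that. A short comment above the three declarations would fix it, e.g. `/* kld hooks; mac_check_kld_load requires the caller to hold vp locked. */`. The surrounding declaration list continues outside the hunk.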
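Review bot: This mac_internal.h section, and the following ones for mac_net.c, mac_pipe.c, mac_process.c, mac_syscalls.c, mac_system.c and mac_vfs.c, repeat the mac_framework.c hunks byte for byte, including the `index 82eded8..bf6c999` line; a header such as mac_internal.h would not plausibly define `static int mac_enforce_kld` and the three hook functions, and the diffstat's `46` insertions per file is exactly the 5 + 41 lines of the single mac_framework.c diff. This looks like a rendering or scraping artifact rather than real per-file content, so I have not reviewed these copies separately; verify against the repository before treating the diffstat total of 375 insertions as accurate.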
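Review bot: `mpo_check_kld_stat` and `mpo_check_kld_unload` take only `cred`, so a policy module receives nothing identifying which module is being listed or unloaded and can only grant or deny the operation wholesale; a policy that wants to protect itself or another security module from unloading while letting ordinary drivers go cannot express that through this interface. If that is intended for this first cut, say so where the ops are declared, e.g. `/* The stat/unload hooks carry no per-module object; policies can decide only on the credential. */`; otherwise the fix is to pass the target linker file (and a label for it) to the unload hook, which also touches the caller and is beyond this hunk. It is also worth noting at `mpo_check_kld_load` that `vlabel` is the vnode's own label, since the framework passes `&vp->v_label`.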