author | rwatson <rwatson@FreeBSD.org> | 2006-12-20 23:15:27 +0000 |
---|---|---|
committer | rwatson <rwatson@FreeBSD.org> | 2006-12-20 23:15:27 +0000 |
commit | 49509e92ebe633d4a5b772c016f8751bb096d1ee (patch) | |
tree | 05e3f98bc27703a12bfc5ce8f864c0a592cd50eb /sys/security/mac | |
parent | c77864165e31d8da2807ab97b6846c4f9fc4950a (diff) | |
Additional comments regarding the interaction between the kernel privilege
model and the MAC Framework.
Obtained from: TrustedBSD Project
Diffstat (limited to 'sys/security/mac')
-rw-r--r-- | sys/security/mac/mac_priv.c | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/sys/security/mac/mac_priv.c b/sys/security/mac/mac_priv.c
index 76ce71e..9832e33 100644
--- a/sys/security/mac/mac_priv.c
+++ b/sys/security/mac/mac_priv.c
@@ -43,6 +43,20 @@
 #include <security/mac/mac_framework.h>
 #include <security/mac/mac_internal.h>
+/*
+ * The MAC Framework interacts with kernel privilege checks in two ways: it
+ * may restrict the granting of privilege to a subject, and it may grant
+ * additional privileges to the subject. Policies may implement none, one,
+ * or both of these entry points. Restriction of privilege by any policy
+ * always overrides granting of privilege by any policy or other privilege
+ * mechanism. See kern_priv.c:priv_check_cred() for details of the
+ * composition.
+ */
+
+/*
+ * Restrict access to a privilege for a credential. Return failure if any
+ * policy denies access.
+ */
 int
 mac_priv_check(struct ucred *cred, int priv)
 {
@@ -53,6 +67,10 @@ mac_priv_check(struct ucred *cred, int priv)
 return (error);
 }
+/*
+ * Grant access to a privilege for a credential. Return success if any
+ * policy grants access.
+ */
 int
 mac_priv_grant(struct ucred *cred, int priv)
 { |
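Review bot: The new per-function comments say when mac_priv_check() and mac_priv_grant() "fail" or "succeed" but not what they return, and the return value is what priv_check_cred() composes on; the `return (error);` context line in the second hunk shows it is an errno-style int, so the convention should be spelled out. I would extend the mac_priv_check comment with `Returns 0 if no policy objects, otherwise the error value supplied by the denying policy`, and the mac_priv_grant comment with `Returns 0 if any policy grants the privilege, otherwise an error (presumably EPERM — confirm against the grant composition macro)`. The framework-level comment says policies "may implement none, one, or both of these entry points" without naming them; naming the policy operations (mpo_priv_check / mpo_priv_grant, if those are the names used in mac_policy.h) would let policy authors find the hooks this file consults. The bodies of both functions lie outside the hunks, so the exact composition is not visible here.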