author | rwatson <rwatson@FreeBSD.org> | 2003-02-04 22:38:33 +0000 |
---|---|---|
committer | rwatson <rwatson@FreeBSD.org> | 2003-02-04 22:38:33 +0000 |
commit | 22a1b720c108d485855437d1036c4a29ab44ae0e (patch) | |
tree | bc39d2bce0b8a706f0e4d74d4b20e27e2ed42fc3 /sys/security/mac_biba | |
parent | 61099be7ded96edfdddde587d72ce15118df4e18 (diff) | |
Implement mpo_check_kld_load() and mpo_check_kld_unload() for the Biba
MAC policy. To load a KLD, require that the subject hold Biba privilege,
and the kernel module be marked as high integrity. To unload a
KLD, require that the subject hold Biba privilege.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
Diffstat (limited to 'sys/security/mac_biba')
-rw-r--r-- | sys/security/mac_biba/mac_biba.c | 39 |
1 files changed, 39 insertions, 0 deletions
diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c
index fd3f41a..83ba804 100644
--- a/sys/security/mac_biba/mac_biba.c
+++ b/sys/security/mac_biba/mac_biba.c
@@ -1543,6 +1543,43 @@ mac_biba_check_ifnet_transmit(struct ifnet *ifnet, struct label *ifnetlabel,
 }
 
 static int
+mac_biba_check_kld_load(struct ucred *cred, struct vnode *vp,
+    struct label *label)
+{
+	struct mac_biba *subj, *obj;
+	int error;
+
+	if (!mac_biba_enabled)
+		return (0);
+
+	subj = SLOT(&cred->cr_label);
+
+	error = mac_biba_subject_privileged(subj);
+	if (error)
+		return (error);
+
+	obj = SLOT(label);
+	if (!mac_biba_high_single(obj))
+		return (EACCES);
+
+	return (0);
+}
+
+
+static int
+mac_biba_check_kld_unload(struct ucred *cred)
+{
+	struct mac_biba *subj;
+
+	if (!mac_biba_enabled)
+		return (0);
+
+	subj = SLOT(&cred->cr_label);
+
+	return (mac_biba_subject_privileged(subj));
+}
+
+static int
 mac_biba_check_mount_stat(struct ucred *cred, struct mount *mp,
     struct label *mntlabel)
 {
@@ -2622,6 +2659,8 @@ static struct mac_policy_ops mac_biba_ops =
 	.mpo_check_cred_visible = mac_biba_check_cred_visible,
 	.mpo_check_ifnet_relabel = mac_biba_check_ifnet_relabel,
 	.mpo_check_ifnet_transmit = mac_biba_check_ifnet_transmit,
+	.mpo_check_kld_load = mac_biba_check_kld_load,
+	.mpo_check_kld_unload = mac_biba_check_kld_unload,
 	.mpo_check_mount_stat = mac_biba_check_mount_stat,
 	.mpo_check_pipe_ioctl = mac_biba_check_pipe_ioctl,
 	.mpo_check_pipe_poll = mac_biba_check_pipe_poll,
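Review bot: The two new hooks in the first hunk carry no comment explaining why a load is gated on both Biba privilege and a high-integrity module label while an unload is gated on privilege alone, so the next reader has to reconstruct the rationale from the commit message; a block comment above `mac_biba_check_kld_load` would carry it, e.g. `/* Code loaded into the kernel runs at kernel integrity: require Biba privilege on the subject and a single-level high label on the module's vnode. Unload needs privilege only. */`. The `vp` argument of `mac_biba_check_kld_load` is unused — the decision rests entirely on `label` — and that is worth stating in the same comment so it is not mistaken for a missing check. Separately, two consecutive blank lines sit between the closing brace of `mac_biba_check_kld_load` and the following `static int`, whereas the other function boundaries visible in this hunk use a single blank line.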