Update MAC modules for changes in arguments for exec MAC policy

entry points to include an explicit execlabel.

Approved by:	re
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories

1 files changed, 16 insertions, 2 deletions

diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c
index 2770941..3268dd7 100644
--- a/sys/security/mac_biba/mac_biba.c
+++ b/sys/security/mac_biba/mac_biba.c
@@ -2044,9 +2044,23 @@ mac_biba_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
 
 static int
 mac_biba_check_vnode_exec(struct ucred *cred, struct vnode *vp,
-    struct label *label, struct image_params *imgp)
+    struct label *label, struct image_params *imgp,
+    struct label *execlabel)
 {
-	struct mac_biba *subj, *obj;
+	struct mac_biba *subj, *obj, *exec;
+	int error;
+
+	if (execlabel != NULL) {
+		/*
+		 * We currently don't permit labels to be changed at
+		 * exec-time as part of Biba, so disallow non-NULL
+		 * Biba label elements in the execlabel.
+		 */
+		exec = SLOT(execlabel);
+		error = biba_atmostflags(exec, 0);
+		if (error)
+			return (error);
+	}
 
 	if (!mac_biba_enabled)
 		return (0);