author | bz <bz@FreeBSD.org> | 2008-10-17 15:11:12 +0000 |
---|---|---|
committer | bz <bz@FreeBSD.org> | 2008-10-17 15:11:12 +0000 |
commit | def7b5012b9e97fc0afd28665bac7195bc3c151c (patch) | |
tree | e36de3f0025fae6733ec800ba092329a7347db0b /sys/security/mac_biba | |
parent | 7d341cf135006831850a3a4ac06fdc4742920a83 (diff) | |
Add a mac_inpcb_check_visible implementation to all MAC policies
that handle mac_socket_check_visible.
Reviewed by: rwatson
MFC after: 3 months (set timer; decide then)
Diffstat (limited to 'sys/security/mac_biba')
-rw-r--r-- | sys/security/mac_biba/mac_biba.c | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c
index aaf85b8..c1520a2 100644
--- a/sys/security/mac_biba/mac_biba.c
+++ b/sys/security/mac_biba/mac_biba.c
@@ -1115,6 +1115,24 @@ biba_inpcb_check_deliver(struct inpcb *inp, struct label *inplabel,
 return (biba_equal_effective(p, i) ? 0 : EACCES);
 }
+static int
+biba_inpcb_check_visible(struct ucred *cred, struct inpcb *inp,
+ struct label *inplabel)
+{
+ struct mac_biba *subj, *obj;
+
+ if (!biba_enabled)
+ return (0);
+
+ subj = SLOT(cred->cr_label);
+ obj = SLOT(inplabel);
+
+ if (!biba_dominate_effective(obj, subj))
+ return (ENOENT);
+
+ return (0);
+}
+
 static void
 biba_inpcb_create(struct socket *so, struct label *solabel, struct inpcb *inp, struct label *inplabel)
@@ -3300,6 +3318,7 @@ static struct mac_policy_ops mac_biba_ops =
 .mpo_ifnet_relabel = biba_ifnet_relabel,
 .mpo_inpcb_check_deliver = biba_inpcb_check_deliver,
+ .mpo_inpcb_check_visible = biba_inpcb_check_visible,
 .mpo_inpcb_create = biba_inpcb_create,
 .mpo_inpcb_create_mbuf = biba_inpcb_create_mbuf,
 .mpo_inpcb_destroy_label = biba_destroy_label, |
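Review bot: The new biba_inpcb_check_visible has no comment stating which way the dominance test runs or why it returns ENOENT, and both are easy to invert in a later edit. The check passes only when the inpcb label dominates the credential's label, and on failure it returns ENOENT where biba_inpcb_check_deliver just above returns EACCES, presumably so that a hidden endpoint looks absent rather than forbidden. I would add above the function `/* Visible only if the inpcb label dominates the subject's; ENOENT hides the inpcb's existence instead of reporting a denial. */`. The `inp` argument is unused in the body, which looks intentional since the label is passed separately, but is worth a word in the same comment.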