authorrwatson <rwatson@FreeBSD.org>2002-11-04 15:13:36 +0000
committerrwatson <rwatson@FreeBSD.org>2002-11-04 15:13:36 +0000
commitb8dd64f5ef380fd8a17448566fccf0860a7adc19 (patch)
tree2f3ad50bb20fd5ec86fb6ebe751e49c2a3679686 /sys/security
parentf3f0e34ca816fad9a22f1b465eda33898a571ada (diff)
Permit MAC policies to instrument the access control decisions for
system accounting configuration and for nfsd server thread attach. Policies might use this to protect the integrity or confidentiality of accounting data, to limit the ability to turn accounting on or off, and to prevent inappropriately labeled threads from becoming NFS server threads.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
Diffstat (limited to 'sys/security')
-rw-r--r--sys/security/mac/mac_framework.c31
-rw-r--r--sys/security/mac/mac_framework.h2
-rw-r--r--sys/security/mac/mac_internal.h31
-rw-r--r--sys/security/mac/mac_net.c31
-rw-r--r--sys/security/mac/mac_pipe.c31
-rw-r--r--sys/security/mac/mac_policy.h3
-rw-r--r--sys/security/mac/mac_process.c31
-rw-r--r--sys/security/mac/mac_syscalls.c31
-rw-r--r--sys/security/mac/mac_system.c31
-rw-r--r--sys/security/mac/mac_vfs.c31
10 files changed, 253 insertions, 0 deletions
diff --git a/sys/security/mac/mac_framework.c b/sys/security/mac/mac_framework.c
index d36fbea..64b6f09 100644
--- a/sys/security/mac/mac_framework.c
+++ b/sys/security/mac/mac_framework.c
@@ -2470,6 +2470,37 @@ mac_check_socket_visible(struct ucred *cred, struct socket *socket)
}
int
+mac_check_system_acct(struct ucred *cred, struct vnode *vp)
+{
+ int error;
+
+ if (vp != NULL) {
+ ASSERT_VOP_LOCKED(vp, "mac_check_system_acct");
+ }
+
+ if (!mac_enforce_system)
+ return (0);
+
+ MAC_CHECK(check_system_acct, cred, vp,
+ vp != NULL ? &vp->v_label : NULL);
+
+ return (error);
+}
+
+int
+mac_check_system_nfsd(struct ucred *cred)
+{
+ int error;
+
+ if (!mac_enforce_system)
+ return (0);
+
+ MAC_CHECK(check_system_nfsd, cred);
+
+ return (error);
+}
+
+int
mac_check_system_reboot(struct ucred *cred, int howto)
{
int error;
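Review bot: Nothing in mac_check_system_acct says that vp may be NULL, yet the function is clearly written for that case (the guarded ASSERT_VOP_LOCKED and the `vp != NULL ? &vp->v_label : NULL` argument to MAC_CHECK), so every policy's mpo_check_system_acct has to handle a NULL vnode and label without being told so. I would put the contract in a header comment, e.g. `/* vp may be NULL (presumably when the caller is disabling accounting; confirm against the acct(2) caller); policies then receive a NULL vnode and label. */`. Two smaller points of style: the single-statement `if (vp != NULL)` is braced while the `if (!mac_enforce_system)` right below it is not, and the lock assertion sits before the mac_enforce_system early return, which is fine but worth a one-line comment noting it is deliberate so the lock invariant is checked even when enforcement is off. `error` is only assigned inside MAC_CHECK, as in the sibling checks. mac_check_system_reboot's body continues outside the hunk.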
diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h
index 9a27097..904ead3 100644
--- a/sys/security/mac/mac_framework.h
+++ b/sys/security/mac/mac_framework.h
@@ -251,6 +251,8 @@ int mac_check_socket_listen(struct ucred *cred, struct socket *so);
int mac_check_socket_receive(struct ucred *cred, struct socket *so);
int mac_check_socket_send(struct ucred *cred, struct socket *so);
int mac_check_socket_visible(struct ucred *cred, struct socket *so);
+int mac_check_system_acct(struct ucred *cred, struct vnode *vp);
+int mac_check_system_nfsd(struct ucred *cred);
int mac_check_system_reboot(struct ucred *cred, int howto);
int mac_check_system_settime(struct ucred *cred);
int mac_check_system_swapon(struct ucred *cred, struct vnode *vp);
diff --git a/sys/security/mac/mac_internal.h b/sys/security/mac/mac_internal.h
index d36fbea..64b6f09 100644
--- a/sys/security/mac/mac_internal.h
+++ b/sys/security/mac/mac_internal.h
@@ -2470,6 +2470,37 @@ mac_check_socket_visible(struct ucred *cred, struct socket *socket)
}
int
+mac_check_system_acct(struct ucred *cred, struct vnode *vp)
+{
+ int error;
+
+ if (vp != NULL) {
+ ASSERT_VOP_LOCKED(vp, "mac_check_system_acct");
+ }
+
+ if (!mac_enforce_system)
+ return (0);
+
+ MAC_CHECK(check_system_acct, cred, vp,
+ vp != NULL ? &vp->v_label : NULL);
+
+ return (error);
+}
+
+int
+mac_check_system_nfsd(struct ucred *cred)
+{
+ int error;
+
+ if (!mac_enforce_system)
+ return (0);
+
+ MAC_CHECK(check_system_nfsd, cred);
+
+ return (error);
+}
+
+int
mac_check_system_reboot(struct ucred *cred, int howto)
{
int error;
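Review bot: This section for mac_internal.h is byte-for-byte the mac_framework.c hunk, including the same index line `d36fbea..64b6f09` and the same `@@ -2470,6 +2470,37 @@` context, and the identical hunk is repeated below under mac_net.c, mac_pipe.c, mac_process.c, mac_syscalls.c, mac_system.c and mac_vfs.c. That looks like a rendering artifact of the page rather than real changes to those files, since a header would not hold function definitions at line 2470, although the diffstat's 31 lines per file is consistent with whatever produced the duplication. Until confirmed against the repository, only the mac_framework.c, mac_framework.h and mac_policy.h hunks should be treated as the reviewable change.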
diff --git a/sys/security/mac/mac_net.c b/sys/security/mac/mac_net.c
index d36fbea..64b6f09 100644
--- a/sys/security/mac/mac_net.c
+++ b/sys/security/mac/mac_net.c
@@ -2470,6 +2470,37 @@ mac_check_socket_visible(struct ucred *cred, struct socket *socket)
}
int
+mac_check_system_acct(struct ucred *cred, struct vnode *vp)
+{
+ int error;
+
+ if (vp != NULL) {
+ ASSERT_VOP_LOCKED(vp, "mac_check_system_acct");
+ }
+
+ if (!mac_enforce_system)
+ return (0);
+
+ MAC_CHECK(check_system_acct, cred, vp,
+ vp != NULL ? &vp->v_label : NULL);
+
+ return (error);
+}
+
+int
+mac_check_system_nfsd(struct ucred *cred)
+{
+ int error;
+
+ if (!mac_enforce_system)
+ return (0);
+
+ MAC_CHECK(check_system_nfsd, cred);
+
+ return (error);
+}
+
+int
mac_check_system_reboot(struct ucred *cred, int howto)
{
int error;
diff --git a/sys/security/mac/mac_pipe.c b/sys/security/mac/mac_pipe.c
index d36fbea..64b6f09 100644
--- a/sys/security/mac/mac_pipe.c
+++ b/sys/security/mac/mac_pipe.c
@@ -2470,6 +2470,37 @@ mac_check_socket_visible(struct ucred *cred, struct socket *socket)
}
int
+mac_check_system_acct(struct ucred *cred, struct vnode *vp)
+{
+ int error;
+
+ if (vp != NULL) {
+ ASSERT_VOP_LOCKED(vp, "mac_check_system_acct");
+ }
+
+ if (!mac_enforce_system)
+ return (0);
+
+ MAC_CHECK(check_system_acct, cred, vp,
+ vp != NULL ? &vp->v_label : NULL);
+
+ return (error);
+}
+
+int
+mac_check_system_nfsd(struct ucred *cred)
+{
+ int error;
+
+ if (!mac_enforce_system)
+ return (0);
+
+ MAC_CHECK(check_system_nfsd, cred);
+
+ return (error);
+}
+
+int
mac_check_system_reboot(struct ucred *cred, int howto)
{
int error;
diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h
index 53bf0ac..fff7845 100644
--- a/sys/security/mac/mac_policy.h
+++ b/sys/security/mac/mac_policy.h
@@ -312,6 +312,9 @@ struct mac_policy_ops {
struct socket *so, struct label *socketlabel);
int (*mpo_check_socket_visible)(struct ucred *cred,
struct socket *so, struct label *socketlabel);
+ int (*mpo_check_system_acct)(struct ucred *cred,
+ struct vnode *vp, struct label *vlabel);
+ int (*mpo_check_system_nfsd)(struct ucred *cred);
int (*mpo_check_system_reboot)(struct ucred *cred, int howto);
int (*mpo_check_system_settime)(struct ucred *cred);
int (*mpo_check_system_swapon)(struct ucred *cred,
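Review bot: The new mpo_check_system_acct entry point gives no hint that vp and vlabel can both be NULL, which is how the framework wrapper in mac_framework.c calls it (it passes `vp != NULL ? &vp->v_label : NULL`), so a policy author reading only this header will likely dereference vlabel unconditionally. A short comment on the member would carry the contract: `/* vp and vlabel are NULL when no accounting vnode is involved (presumably the disable case; confirm against the caller). */`. mpo_check_system_nfsd takes only the credential and needs no such caveat. struct mac_policy_ops continues outside the hunk.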
diff --git a/sys/security/mac/mac_process.c b/sys/security/mac/mac_process.c
index d36fbea..64b6f09 100644
--- a/sys/security/mac/mac_process.c
+++ b/sys/security/mac/mac_process.c
@@ -2470,6 +2470,37 @@ mac_check_socket_visible(struct ucred *cred, struct socket *socket)
}
int
+mac_check_system_acct(struct ucred *cred, struct vnode *vp)
+{
+ int error;
+
+ if (vp != NULL) {
+ ASSERT_VOP_LOCKED(vp, "mac_check_system_acct");
+ }
+
+ if (!mac_enforce_system)
+ return (0);
+
+ MAC_CHECK(check_system_acct, cred, vp,
+ vp != NULL ? &vp->v_label : NULL);
+
+ return (error);
+}
+
+int
+mac_check_system_nfsd(struct ucred *cred)
+{
+ int error;
+
+ if (!mac_enforce_system)
+ return (0);
+
+ MAC_CHECK(check_system_nfsd, cred);
+
+ return (error);
+}
+
+int
mac_check_system_reboot(struct ucred *cred, int howto)
{
int error;
diff --git a/sys/security/mac/mac_syscalls.c b/sys/security/mac/mac_syscalls.c
index d36fbea..64b6f09 100644
--- a/sys/security/mac/mac_syscalls.c
+++ b/sys/security/mac/mac_syscalls.c
@@ -2470,6 +2470,37 @@ mac_check_socket_visible(struct ucred *cred, struct socket *socket)
}
int
+mac_check_system_acct(struct ucred *cred, struct vnode *vp)
+{
+ int error;
+
+ if (vp != NULL) {
+ ASSERT_VOP_LOCKED(vp, "mac_check_system_acct");
+ }
+
+ if (!mac_enforce_system)
+ return (0);
+
+ MAC_CHECK(check_system_acct, cred, vp,
+ vp != NULL ? &vp->v_label : NULL);
+
+ return (error);
+}
+
+int
+mac_check_system_nfsd(struct ucred *cred)
+{
+ int error;
+
+ if (!mac_enforce_system)
+ return (0);
+
+ MAC_CHECK(check_system_nfsd, cred);
+
+ return (error);
+}
+
+int
mac_check_system_reboot(struct ucred *cred, int howto)
{
int error;
diff --git a/sys/security/mac/mac_system.c b/sys/security/mac/mac_system.c
index d36fbea..64b6f09 100644
--- a/sys/security/mac/mac_system.c
+++ b/sys/security/mac/mac_system.c
@@ -2470,6 +2470,37 @@ mac_check_socket_visible(struct ucred *cred, struct socket *socket)
}
int
+mac_check_system_acct(struct ucred *cred, struct vnode *vp)
+{
+ int error;
+
+ if (vp != NULL) {
+ ASSERT_VOP_LOCKED(vp, "mac_check_system_acct");
+ }
+
+ if (!mac_enforce_system)
+ return (0);
+
+ MAC_CHECK(check_system_acct, cred, vp,
+ vp != NULL ? &vp->v_label : NULL);
+
+ return (error);
+}
+
+int
+mac_check_system_nfsd(struct ucred *cred)
+{
+ int error;
+
+ if (!mac_enforce_system)
+ return (0);
+
+ MAC_CHECK(check_system_nfsd, cred);
+
+ return (error);
+}
+
+int
mac_check_system_reboot(struct ucred *cred, int howto)
{
int error;
diff --git a/sys/security/mac/mac_vfs.c b/sys/security/mac/mac_vfs.c
index d36fbea..64b6f09 100644
--- a/sys/security/mac/mac_vfs.c
+++ b/sys/security/mac/mac_vfs.c
@@ -2470,6 +2470,37 @@ mac_check_socket_visible(struct ucred *cred, struct socket *socket)
}
int
+mac_check_system_acct(struct ucred *cred, struct vnode *vp)
+{
+ int error;
+
+ if (vp != NULL) {
+ ASSERT_VOP_LOCKED(vp, "mac_check_system_acct");
+ }
+
+ if (!mac_enforce_system)
+ return (0);
+
+ MAC_CHECK(check_system_acct, cred, vp,
+ vp != NULL ? &vp->v_label : NULL);
+
+ return (error);
+}
+
+int
+mac_check_system_nfsd(struct ucred *cred)
+{
+ int error;
+
+ if (!mac_enforce_system)
+ return (0);
+
+ MAC_CHECK(check_system_nfsd, cred);
+
+ return (error);
+}
+
+int
mac_check_system_reboot(struct ucred *cred, int howto)
{
int error;