authorpjd <pjd@FreeBSD.org>2004-02-22 12:31:44 +0000
committerpjd <pjd@FreeBSD.org>2004-02-22 12:31:44 +0000
commit01d59d6bbb5b5f5108b1f5454d11ff3b3be2dad6 (patch)
tree1c4d31f4b056d45cd39f0c68f6aad1b1af2ebd1c /sys/security
parentfb7918f5d7ebb7e391b17203a42b3a5a6d07af2b (diff)
Reimplement sysctls handling by MAC framework.
Now I believe it is done in the right way. Removed some XXMAC cases; we now assume 'high' integrity level for all sysctls, except those with the CTLFLAG_ANYBODY flag set. No more magic.

Reviewed by: rwatson
Approved by: rwatson, scottl (mentor)
Tested with: LINT (compilation), mac_biba(4) (functionality)
Diffstat (limited to 'sys/security')
-rw-r--r--sys/security/mac/mac_framework.h7
-rw-r--r--sys/security/mac/mac_policy.h8
-rw-r--r--sys/security/mac/mac_system.c7
-rw-r--r--sys/security/mac_biba/mac_biba.c16
-rw-r--r--sys/security/mac_lomac/mac_lomac.c16
-rw-r--r--sys/security/mac_stub/mac_stub.c4
-rw-r--r--sys/security/mac_test/mac_test.c4
7 files changed, 26 insertions, 36 deletions
diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h
index 895c7e3..59c247a 100644
--- a/sys/security/mac/mac_framework.h
+++ b/sys/security/mac/mac_framework.h
@@ -120,6 +120,8 @@ struct mount;
struct proc;
struct sockaddr;
struct socket;
+struct sysctl_oid;
+struct sysctl_req;
struct pipepair;
struct thread;
struct timespec;
@@ -281,9 +283,8 @@ int mac_check_system_reboot(struct ucred *cred, int howto);
int mac_check_system_settime(struct ucred *cred);
int mac_check_system_swapon(struct ucred *cred, struct vnode *vp);
int mac_check_system_swapoff(struct ucred *cred, struct vnode *vp);
-int mac_check_system_sysctl(struct ucred *cred, int *name,
- u_int namelen, void *old, size_t *oldlenp, int inkernel,
- void *new, size_t newlen);
+int mac_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
+ void *arg1, int arg2, struct sysctl_req *req);
int mac_check_vnode_access(struct ucred *cred, struct vnode *vp,
int acc_mode);
int mac_check_vnode_chdir(struct ucred *cred, struct vnode *dvp);
diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h
index f1d45b2..9060438 100644
--- a/sys/security/mac/mac_policy.h
+++ b/sys/security/mac/mac_policy.h
@@ -63,6 +63,8 @@ struct mount;
struct pipepair;
struct sbuf;
struct socket;
+struct sysctl_oid;
+struct sysctl_req;
struct ucred;
struct uio;
struct vnode;
@@ -362,9 +364,9 @@ struct mac_policy_ops {
struct vnode *vp, struct label *label);
int (*mpo_check_system_swapoff)(struct ucred *cred,
struct vnode *vp, struct label *label);
- int (*mpo_check_system_sysctl)(struct ucred *cred, int *name,
- u_int namelen, void *old, size_t *oldlenp, int inkernel,
- void *new, size_t newlen);
+ int (*mpo_check_system_sysctl)(struct ucred *cred,
+ struct sysctl_oid *oidp, void *arg1, int arg2,
+ struct sysctl_req *req);
int (*mpo_check_vnode_access)(struct ucred *cred,
struct vnode *vp, struct label *label, int acc_mode);
int (*mpo_check_vnode_chdir)(struct ucred *cred,
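Review bot: The `mpo_check_system_sysctl` slot keeps its name and position in `struct mac_policy_ops` but takes a different argument list, so a policy module built against the old header would be called with five arguments it interprets as eight. Nothing in this diff (which is limited to sys/security) shows a version bump or load-time check that would reject such a module; if one exists elsewhere this is fine, otherwise out-of-tree policies need a rebuild and that deserves a line in the commit message. The new arguments appear to mirror what a sysctl handler receives, which is not obvious from `arg1`/`arg2`; a comment on the member such as `/* oidp, arg1, arg2, req: as passed to the sysctl handler being checked */` would help policy authors. The struct definition starts and ends outside this hunk.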
diff --git a/sys/security/mac/mac_system.c b/sys/security/mac/mac_system.c
index 14755cf..128f2c5 100644
--- a/sys/security/mac/mac_system.c
+++ b/sys/security/mac/mac_system.c
@@ -249,8 +249,8 @@ mac_check_system_swapoff(struct ucred *cred, struct vnode *vp)
}
int
-mac_check_system_sysctl(struct ucred *cred, int *name, u_int namelen,
- void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen)
+mac_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp, void *arg1,
+ int arg2, struct sysctl_req *req)
{
int error;
@@ -261,8 +261,7 @@ mac_check_system_sysctl(struct ucred *cred, int *name, u_int namelen,
if (!mac_enforce_system)
return (0);
- MAC_CHECK(check_system_sysctl, cred, name, namelen, old, oldlenp,
- inkernel, new, newlen);
+ MAC_CHECK(check_system_sysctl, cred, oidp, arg1, arg2, req);
return (error);
}
diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c
index 63bea16..545ba43 100644
--- a/sys/security/mac_biba/mac_biba.c
+++ b/sys/security/mac_biba/mac_biba.c
@@ -1973,8 +1973,8 @@ mac_biba_check_system_swapoff(struct ucred *cred, struct vnode *vp,
}
static int
-mac_biba_check_system_sysctl(struct ucred *cred, int *name, u_int namelen,
- void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen)
+mac_biba_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
+ void *arg1, int arg2, struct sysctl_req *req)
{
struct mac_biba *subj;
int error;
@@ -1985,16 +1985,10 @@ mac_biba_check_system_sysctl(struct ucred *cred, int *name, u_int namelen,
subj = SLOT(cred->cr_label);
/*
- * In general, treat sysctl variables as biba/high, but also
- * require privilege to change them, since they are a
- * communications channel between grades. Exempt MIB
- * queries from this due to undocmented sysctl magic.
- * XXXMAC: This probably requires some more review.
+ * Treat sysctl variables without CTLFLAG_ANYBODY flag as
+ * biba/high, but also require privilege to change them.
*/
- if (new != NULL) {
- if (namelen > 0 && name[0] == 0)
- return (0);
-
+ if (req->newptr != NULL && (oidp->oid_kind & CTLFLAG_ANYBODY) == 0) {
if (!mac_biba_subject_dominate_high(subj))
return (EACCES);
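Review bot: The new condition exempts every OID that carries `CTLFLAG_ANYBODY` from the integrity check on writes, yet the replacement comment no longer says why writes are checked or why that flag is a safe exemption. The removed text gave the rationale (sysctls are a communications channel between grades). With the flag-based test, the handler of any `CTLFLAG_ANYBODY` node becomes the only control on what a low-integrity subject can write through it. The old `name[0] == 0` exemption for MIB queries now also depends on those nodes having the flag set, which this diff does not show. I would keep the rationale sentence and add one stating that `CTLFLAG_ANYBODY` nodes are skipped because their handlers are expected to do their own access control, so the flag must be reviewed as a MAC exemption whenever it is added to a node. The same comment change applies to the matching hunk in mac_lomac.c; the function body continues past the end of this hunk.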
diff --git a/sys/security/mac_lomac/mac_lomac.c b/sys/security/mac_lomac/mac_lomac.c
index f1e7a28..9502c05 100644
--- a/sys/security/mac_lomac/mac_lomac.c
+++ b/sys/security/mac_lomac/mac_lomac.c
@@ -2063,8 +2063,8 @@ mac_lomac_check_system_swapon(struct ucred *cred, struct vnode *vp,
}
static int
-mac_lomac_check_system_sysctl(struct ucred *cred, int *name, u_int namelen,
- void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen)
+mac_lomac_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
+ void *arg1, int arg2, struct sysctl_req *req)
{
struct mac_lomac *subj;
@@ -2074,16 +2074,10 @@ mac_lomac_check_system_sysctl(struct ucred *cred, int *name, u_int namelen,
subj = SLOT(cred->cr_label);
/*
- * In general, treat sysctl variables as lomac/high, but also
- * require privilege to change them, since they are a
- * communications channel between grades. Exempt MIB
- * queries from this due to undocmented sysctl magic.
- * XXXMAC: This probably requires some more review.
+ * Treat sysctl variables without CTLFLAG_ANYBODY flag as
+ * lomac/high, but also require privilege to change them.
*/
- if (new != NULL) {
- if (namelen > 0 && name[0] == 0)
- return (0);
-
+ if (req->newptr != NULL && (oidp->oid_kind & CTLFLAG_ANYBODY) == 0) {
#ifdef notdef
if (!mac_lomac_subject_dominate_high(subj))
return (EACCES);
diff --git a/sys/security/mac_stub/mac_stub.c b/sys/security/mac_stub/mac_stub.c
index 1b573ed..ea113e1 100644
--- a/sys/security/mac_stub/mac_stub.c
+++ b/sys/security/mac_stub/mac_stub.c
@@ -757,8 +757,8 @@ stub_check_system_swapoff(struct ucred *cred, struct vnode *vp,
}
static int
-stub_check_system_sysctl(struct ucred *cred, int *name, u_int namelen,
- void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen)
+stub_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
+ void *arg1, int arg2, struct sysctl_req *req)
{
return (0);
diff --git a/sys/security/mac_test/mac_test.c b/sys/security/mac_test/mac_test.c
index f329f8b..b02b36a 100644
--- a/sys/security/mac_test/mac_test.c
+++ b/sys/security/mac_test/mac_test.c
@@ -1470,8 +1470,8 @@ mac_test_check_system_swapoff(struct ucred *cred, struct vnode *vp,
}
static int
-mac_test_check_system_sysctl(struct ucred *cred, int *name, u_int namelen,
- void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen)
+mac_test_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
+ void *arg1, int arg2, struct sysctl_req *req)
{
ASSERT_CRED_LABEL(cred->cr_label);
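Review bot: `oidp` and `req` are accepted here without any sanity check, while the Biba and LOMAC entry points in this commit dereference both (`oidp->oid_kind`, `req->newptr`) with no NULL test. `ASSERT_CRED_LABEL` is the only invariant asserted in this hunk, and mac_test is the natural place to pin the new calling contract, for example `KASSERT(oidp != NULL && req != NULL, ("mac_test_check_system_sysctl: NULL oidp or req"));`. The function continues past the end of the hunk, so an equivalent check may already exist below.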