author | rwatson <rwatson@FreeBSD.org> | 2005-04-16 13:29:15 +0000 |
---|---|---|
committer | rwatson <rwatson@FreeBSD.org> | 2005-04-16 13:29:15 +0000 |
commit | 51183f0f84c55dbff5987158aa92cc12382f45c9 | |
tree | e1ac2c88c9e8206122edd042d8c77dd7a8d385b4 /sys/sys/mac.h | |
parent | 8973ecaa77eb9d84b96a485dfdc1fffc5276fd2a | |
Introduce new MAC Framework and MAC Policy entry points to control the use
of system calls to manipulate elements of the process credential,
including:
setuid() mac_check_proc_setuid()
seteuid() mac_check_proc_seteuid()
setgid() mac_check_proc_setgid()
setegid() mac_check_proc_setegid()
setgroups() mac_check_proc_setgroups()
setreuid() mac_check_proc_setreuid()
setregid() mac_check_proc_setregid()
setresuid() mac_check_proc_setresuid()
setresgid() mac_check_proc_setresgid()
MAC checks are performed before other existing security checks; both
current credential and intended modifications are passed as arguments
to the entry points. The mac_test and mac_stub policies are updated.
Submitted by: Samy Al Bahra <samy@kerneled.org>
Obtained from: TrustedBSD Project
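The ordering the commit message describes (MAC entry point consulted first, classic credential rules second) as an added, stand-alone C model; this is illustrative code written for this page, not FreeBSD's kernel implementation. The `policies` table, `policy_no_escalate_to_root`, `model_setuid` and `try_setuid` are hypothetical, the `struct ucred`/`struct proc` here are cut down to three uid fields, and the DAC rule is the simplified "uid must equal real or saved uid unless already root".

```c
/* Constructed model: MAC check before DAC check on setuid(). Structures and
 * policy are simplified assumptions, not the kernel's real definitions. */
#include <errno.h>
#include <stddef.h>
#include <sys/types.h>

struct ucred { uid_t cr_uid, cr_ruid, cr_svuid; }; /* effective, real, saved */
struct proc  { struct ucred *p_ucred; };

/* A policy's check receives the current credential and the requested uid. */
typedef int (*setuid_check_t)(struct proc *, struct ucred *, uid_t);

/* Hypothetical policy: a non-root credential may not be changed to uid 0,
 * even where the saved uid would let the DAC rule permit it. */
static int policy_no_escalate_to_root(struct proc *p, struct ucred *cred, uid_t uid)
{
	(void)p;
	return (uid == 0 && cred->cr_uid != 0) ? EACCES : 0;
}

static setuid_check_t policies[] = { policy_no_escalate_to_root };

/* Framework entry point with the prototype this commit adds: every loaded
 * policy is consulted and the first non-zero error is returned. */
int mac_check_proc_setuid(struct proc *proc, struct ucred *cred, uid_t uid)
{
	for (size_t i = 0; i < sizeof(policies) / sizeof(policies[0]); i++) {
		int error = policies[i](proc, cred, uid);
		if (error != 0)
			return (error);
	}
	return (0);
}

/* Simplified setuid(): MAC first, then the traditional DAC rule. */
int model_setuid(struct proc *p, uid_t uid)
{
	struct ucred *cred = p->p_ucred;
	int error = mac_check_proc_setuid(p, cred, uid);
	if (error != 0)
		return (error);                 /* MAC denial wins, DAC never runs */
	if (uid != cred->cr_ruid && uid != cred->cr_svuid && cred->cr_uid != 0)
		return (EPERM);                 /* classic rule */
	cred->cr_uid = cred->cr_ruid = cred->cr_svuid = uid;
	return (0);
}

/* Helper: build a credential from (euid, ruid, svuid) and attempt setuid(). */
int try_setuid(uid_t euid, uid_t ruid, uid_t svuid, uid_t target)
{
	struct ucred cred = { euid, ruid, svuid };
	struct proc p = { &cred };
	return (model_setuid(&p, target));
}
```

A process with saved uid 0 (a setuid-root binary that dropped privilege) would pass the DAC rule for setuid(0), but the MAC policy rejects it first with EACCES; an unprivileged request for an unrelated uid passes MAC and then fails DAC with EPERM.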
Diffstat (limited to 'sys/sys/mac.h')
-rw-r--r-- | sys/sys/mac.h | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/sys/sys/mac.h b/sys/sys/mac.h index 055a5ad..3e6e53e 100644 --- a/sys/sys/mac.h +++ b/sys/sys/mac.h @@ -330,6 +330,24 @@ int mac_check_pipe_stat(struct ucred *cred, struct pipepair *pp); int mac_check_pipe_write(struct ucred *cred, struct pipepair *pp); int mac_check_proc_debug(struct ucred *cred, struct proc *proc); int mac_check_proc_sched(struct ucred *cred, struct proc *proc); +int mac_check_proc_setuid(struct proc *proc, struct ucred *cred, + uid_t uid); +int mac_check_proc_seteuid(struct proc *proc, struct ucred *cred, + uid_t euid); +int mac_check_proc_setgid(struct proc *proc, struct ucred *cred, + gid_t gid); +int mac_check_proc_setegid(struct proc *proc, struct ucred *cred, + gid_t egid); +int mac_check_proc_setgroups(struct proc *proc, struct ucred *cred, + int ngroups, gid_t *gidset); +int mac_check_proc_setreuid(struct proc *proc, struct ucred *cred, + uid_t ruid, uid_t euid); +int mac_check_proc_setregid(struct proc *proc, struct ucred *cred, + gid_t rgid, gid_t egid); +int mac_check_proc_setresuid(struct proc *proc, struct ucred *cred, + uid_t ruid, uid_t euid, uid_t suid); +int mac_check_proc_setresgid(struct proc *proc, struct ucred *cred, + gid_t rgid, gid_t egid, gid_t sgid); int mac_check_proc_signal(struct ucred *cred, struct proc *proc, int signum); int mac_check_socket_bind(struct ucred *cred, struct socket *so, |
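Review bot: the nine new prototypes put `struct proc *proc` before `struct ucred *cred`, while every neighbouring process entry point in this header (`mac_check_proc_debug`, `mac_check_proc_sched`, `mac_check_proc_signal`) takes `struct ucred *cred` first; either follow the existing convention or add a comment explaining why the subject process leads here, since policy authors will key off the argument order. For `mac_check_proc_setgroups(struct proc *proc, struct ucred *cred, int ngroups, gid_t *gidset)` the header should also state that `gidset` is the already copied-in kernel array (not the user pointer) and that `ngroups` has been bounds-checked before the policy sees it; nothing in the prototype conveys that, and a policy that dereferences a user pointer under the assumption it is kernel memory would be a bug.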