author | rwatson <rwatson@FreeBSD.org> | 2003-03-06 04:47:47 +0000 |
---|---|---|
committer | rwatson <rwatson@FreeBSD.org> | 2003-03-06 04:47:47 +0000 |
commit | 7974609efe6613beae1bcfd4fd3819be79c5bc40 (patch) | |
tree | 8d2085967adb12a8e49ec975378d82e26b7c136e /sys/sys/mac.h | |
parent | 1d6788bfb79e60b1f5e19a600aa922df603c38ad (diff) | |
Instrument sysarch() MD privileged I/O access interfaces with a MAC
check, mac_check_sysarch_ioperm(), permitting MAC security policy
modules to control access to these interfaces. Currently, they
protect access to IOPL on i386, and setting HAE on Alpha.
Additional checks might be required on other platforms to prevent
bypass of kernel security protections by unauthorized processes.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
Diffstat (limited to 'sys/sys/mac.h')
-rw-r--r-- | sys/sys/mac.h | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/sys/sys/mac.h b/sys/sys/mac.h index 8e25d0d..c6b9c73 100644 --- a/sys/sys/mac.h +++ b/sys/sys/mac.h @@ -264,6 +264,7 @@ int mac_check_socket_listen(struct ucred *cred, struct socket *so); int mac_check_socket_receive(struct ucred *cred, struct socket *so); int mac_check_socket_send(struct ucred *cred, struct socket *so); int mac_check_socket_visible(struct ucred *cred, struct socket *so); +int mac_check_sysarch_ioperm(struct ucred *cred); int mac_check_system_acct(struct ucred *cred, struct vnode *vp); int mac_check_system_nfsd(struct ucred *cred); int mac_check_system_reboot(struct ucred *cred, int howto); |
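Review bot: the new prototype `int mac_check_sysarch_ioperm(struct ucred *cred);` passes only the credential, so a policy module cannot tell which privileged I/O operation is being requested. The commit message says this one check covers both IOPL on i386 and setting HAE on Alpha, which makes the decision all-or-nothing per subject. Compare the neighbouring `mac_check_system_reboot(struct ucred *cred, int howto)`, which hands the policy the operation detail. Consider adding an argument that identifies the sysarch operation (and, where applicable, the requested range), or add a comment next to the declaration stating that the check is intentionally coarse. The diffstat here is limited to sys/sys/mac.h, so the call sites are not visible in this view; confirm in the full change that each MD sysarch() path checks the return value before granting access.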