diff options
author | rwatson <rwatson@FreeBSD.org> | 2002-08-01 22:23:02 +0000 |
---|---|---|
committer | rwatson <rwatson@FreeBSD.org> | 2002-08-01 22:23:02 +0000 |
commit | b246ee0a3cced8c39f5aaa8505242e775d93e8c4 (patch) | |
tree | 1b32476766408c94dcee10b7fe67f140d5da3e23 /sys | |
parent | 41f4dc56d14bda3dbbebfdb61740397a2caf7321 (diff) | |
download | FreeBSD-src-b246ee0a3cced8c39f5aaa8505242e775d93e8c4.zip FreeBSD-src-b246ee0a3cced8c39f5aaa8505242e775d93e8c4.tar.gz |
Introduce support for Mandatory Access Control and extensible
kernel access control.
Invoke appropriate MAC entry points for a number of VFS-related
operations in the Linux ABI module. In particular, handle uselib
in a manner similar to open() (more work is probably needed here),
as well as handle statfs(), and linux readdir()-like calls.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
Diffstat (limited to 'sys')
-rw-r--r-- | sys/compat/linux/linux_file.c | 9 | ||||
-rw-r--r-- | sys/compat/linux/linux_getcwd.c | 9 | ||||
-rw-r--r-- | sys/compat/linux/linux_misc.c | 9 | ||||
-rw-r--r-- | sys/compat/linux/linux_stats.c | 20 | ||||
-rw-r--r-- | sys/modules/linux/Makefile | 3 |
5 files changed, 47 insertions, 3 deletions
diff --git a/sys/compat/linux/linux_file.c b/sys/compat/linux/linux_file.c index 4f37d75..3c459dd 100644 --- a/sys/compat/linux/linux_file.c +++ b/sys/compat/linux/linux_file.c @@ -29,6 +29,7 @@ */ #include "opt_compat.h" +#include "opt_mac.h" #include <sys/param.h> #include <sys/systm.h> @@ -38,6 +39,7 @@ #include <sys/file.h> #include <sys/filedesc.h> #include <sys/lock.h> +#include <sys/mac.h> #include <sys/malloc.h> #include <sys/mount.h> #include <sys/mutex.h> @@ -325,6 +327,13 @@ again: cookies = NULL; } +#ifdef MAC + /* + * Do directory search MAC check using non-cached credentials. + */ + if ((error = mac_check_vnode_readdir(td->td_proc->p_ucred, vp)) + goto out; +#endif /* MAC */ if ((error = VOP_READDIR(vp, &auio, fp->f_cred, &eofflag, &ncookies, &cookies))) goto out; diff --git a/sys/compat/linux/linux_getcwd.c b/sys/compat/linux/linux_getcwd.c index 6e8d0b1..44079b9 100644 --- a/sys/compat/linux/linux_getcwd.c +++ b/sys/compat/linux/linux_getcwd.c @@ -38,6 +38,7 @@ * POSSIBILITY OF SUCH DAMAGE. */ #include "opt_compat.h" +#include "opt_mac.h" #include <sys/param.h> #include <sys/systm.h> @@ -51,6 +52,7 @@ #include <sys/mount.h> #include <sys/proc.h> #include <sys/uio.h> +#include <sys/mac.h> #include <sys/malloc.h> #include <sys/dirent.h> #include <ufs/ufs/dir.h> /* XXX only for DIRBLKSIZ */ @@ -200,7 +202,12 @@ unionread: eofflag = 0; - error = VOP_READDIR(uvp, &uio, td->td_ucred, &eofflag, 0, 0); +#ifdef MAC + error = mac_check_vnode_readdir(td->td_ucred, uvp); + if (error == 0) +#endif /* MAC */ + error = VOP_READDIR(uvp, &uio, td->td_ucred, &eofflag, + 0, 0); off = uio.uio_offset; diff --git a/sys/compat/linux/linux_misc.c b/sys/compat/linux/linux_misc.c index c081fc1..7eebf69 100644 --- a/sys/compat/linux/linux_misc.c +++ b/sys/compat/linux/linux_misc.c @@ -29,6 +29,7 @@ */ #include "opt_compat.h" +#include "opt_mac.h" #include <sys/param.h> #include <sys/systm.h> @@ -37,6 +38,7 @@ #include <sys/jail.h> #include <sys/kernel.h> #include <sys/lock.h> +#include <sys/mac.h> #include <sys/mman.h> #include <sys/mount.h> #include <sys/mutex.h> @@ -250,7 +252,7 @@ linux_uselib(struct thread *td, struct linux_uselib_args *args) vp = NULL; /* - * XXX This code should make use of vn_open(), rather than doing + * XXX: This code should make use of vn_open(), rather than doing * all this stuff itself. */ NDINIT(&ni, LOOKUP, FOLLOW|LOCKLEAF, UIO_USERSPACE, args->library, td); @@ -306,6 +308,11 @@ linux_uselib(struct thread *td, struct linux_uselib_args *args) * XXX: This should use vn_open() so that it is properly authorized, * and to reduce code redundancy all over the place here. */ +#ifdef MAC + error = mac_check_vnode_open(td->td_ucred, vp, FREAD); + if (error) + goto cleanup; +#endif error = VOP_OPEN(vp, FREAD, td->td_ucred, td); if (error) goto cleanup; diff --git a/sys/compat/linux/linux_stats.c b/sys/compat/linux/linux_stats.c index 9da9323..5ceb22a 100644 --- a/sys/compat/linux/linux_stats.c +++ b/sys/compat/linux/linux_stats.c @@ -28,12 +28,15 @@ * $FreeBSD$ */ +#include "opt_mac.h" + #include <sys/param.h> #include <sys/conf.h> #include <sys/dirent.h> #include <sys/file.h> #include <sys/filedesc.h> #include <sys/proc.h> +#include <sys/mac.h> #include <sys/mount.h> #include <sys/namei.h> #include <sys/stat.h> @@ -247,6 +250,11 @@ linux_statfs(struct thread *td, struct linux_statfs_args *args) mp = ndp->ni_vp->v_mount; bsd_statfs = &mp->mnt_stat; vrele(ndp->ni_vp); +#ifdef MAC + error = mac_check_mount_stat(td->td_proc->p_ucred, mp); + if (error) + return (error); +#endif error = VFS_STATFS(mp, bsd_statfs, td); if (error) return error; @@ -282,6 +290,13 @@ linux_fstatfs(struct thread *td, struct linux_fstatfs_args *args) if (error) return error; mp = ((struct vnode *)fp->f_data)->v_mount; +#ifdef MAC + error = mac_check_mount_stat(td->td_proc->p_ucred, mp); + if (error) { + fdrop(fp, td); + return (error); + } +#endif bsd_statfs = &mp->mnt_stat; error = VFS_STATFS(mp, bsd_statfs, td); if (error) { @@ -344,6 +359,11 @@ linux_ustat(struct thread *td, struct linux_ustat_args *args) if (vfinddev(dev, VCHR, &vp)) { if (vp->v_mount == NULL) return (EINVAL); +#ifdef MAC + error = mac_check_mount_stat(td->td_proc->p_ucred, mp); + if (error) + return (error); +#endif stat = &(vp->v_mount->mnt_stat); error = VFS_STATFS(vp->v_mount, stat, td); if (error) diff --git a/sys/modules/linux/Makefile b/sys/modules/linux/Makefile index 1879240..d839060 100644 --- a/sys/modules/linux/Makefile +++ b/sys/modules/linux/Makefile @@ -8,7 +8,8 @@ KMOD= linux SRCS= linux_dummy.c linux_file.c linux_getcwd.c linux_ioctl.c linux_ipc.c \ linux_machdep.c linux_mib.c linux_misc.c linux_signal.c linux_socket.c \ linux_stats.c linux_sysctl.c linux_sysent.c linux_sysvec.c \ - linux_util.c opt_compat.h opt_linux.h opt_vmpage.h vnode_if.h + linux_util.c opt_compat.h opt_linux.h opt_mac.h opt_vmpage.h \ + vnode_if.h OBJS= linux_locore.o .if ${MACHINE_ARCH} == "i386" |