-rw-r--r-- | sys/kern/kern_mac.c | 14 | ||||
-rw-r--r-- | sys/security/mac/mac_framework.c | 14 | ||||
-rw-r--r-- | sys/security/mac/mac_framework.h | 1 | ||||
-rw-r--r-- | sys/security/mac/mac_internal.h | 14 | ||||
-rw-r--r-- | sys/security/mac/mac_net.c | 14 | ||||
-rw-r--r-- | sys/security/mac/mac_pipe.c | 14 | ||||
-rw-r--r-- | sys/security/mac/mac_policy.h | 2 | ||||
-rw-r--r-- | sys/security/mac/mac_process.c | 14 | ||||
-rw-r--r-- | sys/security/mac/mac_syscalls.c | 14 | ||||
-rw-r--r-- | sys/security/mac/mac_system.c | 14 | ||||
-rw-r--r-- | sys/security/mac/mac_vfs.c | 14 | ||||
-rw-r--r-- | sys/sys/mac.h | 1 | ||||
-rw-r--r-- | sys/sys/mac_policy.h | 2 | ||||
-rw-r--r-- | sys/vm/vm_swap.c | 8 |
14 files changed, 140 insertions, 0 deletions
diff --git a/sys/kern/kern_mac.c b/sys/kern/kern_mac.c
index e98a50c..a766006 100644
--- a/sys/kern/kern_mac.c
+++ b/sys/kern/kern_mac.c
@@ -2694,6 +2694,20 @@ mac_check_system_swapon(struct ucred *cred, struct vnode *vp)
 }
 
 int
+mac_check_system_swapoff(struct ucred *cred, struct vnode *vp)
+{
+ int error;
+
+ ASSERT_VOP_LOCKED(vp, "mac_check_system_swapoff");
+
+ if (!mac_enforce_system)
+ return (0);
+
+ MAC_CHECK(check_system_swapoff, cred, vp, &vp->v_label);
+ return (error);
+}
+
+int
 mac_check_system_sysctl(struct ucred *cred, int *name, u_int namelen, void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen)
 {
diff --git a/sys/security/mac/mac_framework.c b/sys/security/mac/mac_framework.c
index e98a50c..a766006 100644
--- a/sys/security/mac/mac_framework.c
+++ b/sys/security/mac/mac_framework.c
@@ -2694,6 +2694,20 @@ mac_check_system_swapon(struct ucred *cred, struct vnode *vp)
 }
 
 int
+mac_check_system_swapoff(struct ucred *cred, struct vnode *vp)
+{
+ int error;
+
+ ASSERT_VOP_LOCKED(vp, "mac_check_system_swapoff");
+
+ if (!mac_enforce_system)
+ return (0);
+
+ MAC_CHECK(check_system_swapoff, cred, vp, &vp->v_label);
+ return (error);
+}
+
+int
 mac_check_system_sysctl(struct ucred *cred, int *name, u_int namelen, void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen)
 {
diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h
index 18399f7..8e25d0d 100644
--- a/sys/security/mac/mac_framework.h
+++ b/sys/security/mac/mac_framework.h
@@ -269,6 +269,7 @@ int mac_check_system_nfsd(struct ucred *cred);
 int mac_check_system_reboot(struct ucred *cred, int howto);
 int mac_check_system_settime(struct ucred *cred);
 int mac_check_system_swapon(struct ucred *cred, struct vnode *vp);
+int mac_check_system_swapoff(struct ucred *cred, struct vnode *vp);
 int mac_check_system_sysctl(struct ucred *cred, int *name, u_int namelen, void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen);
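Review bot: mac_check_system_swapoff carries no comment stating its contract, although the body imposes one: the caller must already hold the vnode lock (the ASSERT_VOP_LOCKED on its third line), and the whole check returns 0 without consulting any policy whenever mac_enforce_system is zero, so a policy's mpo_check_system_swapoff is never reached in that state. Suggest a header comment above the signature such as `/* Caller must hold vp's lock; returns 0 without consulting policies when mac_enforce_system is 0. */`. The `int error;` declaration is never assigned by any visible statement, so `return (error)` presumably relies on MAC_CHECK writing it, as the neighbouring swapon entry point appears to; a short note on the declaration would spare the next reader a trip to the macro. The same hunk, with the identical blob ids e98a50c..a766006, is repeated below for mac_framework.c, mac_internal.h, mac_net.c, mac_pipe.c, mac_process.c, mac_syscalls.c, mac_system.c and mac_vfs.c, which looks like an artifact of how this page was rendered rather than nine real insertions; this note covers all of them.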
diff --git a/sys/security/mac/mac_internal.h b/sys/security/mac/mac_internal.h
index e98a50c..a766006 100644
--- a/sys/security/mac/mac_internal.h
+++ b/sys/security/mac/mac_internal.h
@@ -2694,6 +2694,20 @@ mac_check_system_swapon(struct ucred *cred, struct vnode *vp)
 }
 
 int
+mac_check_system_swapoff(struct ucred *cred, struct vnode *vp)
+{
+ int error;
+
+ ASSERT_VOP_LOCKED(vp, "mac_check_system_swapoff");
+
+ if (!mac_enforce_system)
+ return (0);
+
+ MAC_CHECK(check_system_swapoff, cred, vp, &vp->v_label);
+ return (error);
+}
+
+int
 mac_check_system_sysctl(struct ucred *cred, int *name, u_int namelen, void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen)
 {
diff --git a/sys/security/mac/mac_net.c b/sys/security/mac/mac_net.c
index e98a50c..a766006 100644
--- a/sys/security/mac/mac_net.c
+++ b/sys/security/mac/mac_net.c
@@ -2694,6 +2694,20 @@ mac_check_system_swapon(struct ucred *cred, struct vnode *vp)
 }
 
 int
+mac_check_system_swapoff(struct ucred *cred, struct vnode *vp)
+{
+ int error;
+
+ ASSERT_VOP_LOCKED(vp, "mac_check_system_swapoff");
+
+ if (!mac_enforce_system)
+ return (0);
+
+ MAC_CHECK(check_system_swapoff, cred, vp, &vp->v_label);
+ return (error);
+}
+
+int
 mac_check_system_sysctl(struct ucred *cred, int *name, u_int namelen, void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen)
 {
diff --git a/sys/security/mac/mac_pipe.c b/sys/security/mac/mac_pipe.c
index e98a50c..a766006 100644
--- a/sys/security/mac/mac_pipe.c
+++ b/sys/security/mac/mac_pipe.c
@@ -2694,6 +2694,20 @@ mac_check_system_swapon(struct ucred *cred, struct vnode *vp)
 }
 
 int
+mac_check_system_swapoff(struct ucred *cred, struct vnode *vp)
+{
+ int error;
+
+ ASSERT_VOP_LOCKED(vp, "mac_check_system_swapoff");
+
+ if (!mac_enforce_system)
+ return (0);
+
+ MAC_CHECK(check_system_swapoff, cred, vp, &vp->v_label);
+ return (error);
+}
+
+int
 mac_check_system_sysctl(struct ucred *cred, int *name, u_int namelen, void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen)
 {
diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h
index 825e45c..fc08f2a 100644
--- a/sys/security/mac/mac_policy.h
+++ b/sys/security/mac/mac_policy.h
@@ -329,6 +329,8 @@ struct mac_policy_ops {
 int (*mpo_check_system_settime)(struct ucred *cred);
 int (*mpo_check_system_swapon)(struct ucred *cred, struct vnode *vp, struct label *label);
+ int (*mpo_check_system_swapoff)(struct ucred *cred,
+ struct vnode *vp, struct label *label);
 int (*mpo_check_system_sysctl)(struct ucred *cred, int *name, u_int namelen, void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen);
diff --git a/sys/security/mac/mac_process.c b/sys/security/mac/mac_process.c
index e98a50c..a766006 100644
--- a/sys/security/mac/mac_process.c
+++ b/sys/security/mac/mac_process.c
@@ -2694,6 +2694,20 @@ mac_check_system_swapon(struct ucred *cred, struct vnode *vp)
 }
 
 int
+mac_check_system_swapoff(struct ucred *cred, struct vnode *vp)
+{
+ int error;
+
+ ASSERT_VOP_LOCKED(vp, "mac_check_system_swapoff");
+
+ if (!mac_enforce_system)
+ return (0);
+
+ MAC_CHECK(check_system_swapoff, cred, vp, &vp->v_label);
+ return (error);
+}
+
+int
 mac_check_system_sysctl(struct ucred *cred, int *name, u_int namelen, void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen)
 {
diff --git a/sys/security/mac/mac_syscalls.c b/sys/security/mac/mac_syscalls.c
index e98a50c..a766006 100644
--- a/sys/security/mac/mac_syscalls.c
+++ b/sys/security/mac/mac_syscalls.c
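Review bot: The new mpo_check_system_swapoff member in the mac_policy.h hunk is inserted into the middle of struct mac_policy_ops, between mpo_check_system_swapon and mpo_check_system_sysctl, so every later function pointer shifts and any policy module built against the previous layout has to be rebuilt; a policy that is not updated leaves the new slot NULL, and whether the MAC_CHECK dispatcher tolerates a NULL entry point is not visible from this page, so that is worth confirming before this lands. Nothing in the diffstat touches policy documentation, so the meaning of the entry point (a non-zero return makes the caller in vm_swap.c abandon the swapoff, and it receives the same cred, vnode and label arguments as mpo_check_system_swapon) is recorded nowhere but this header. A one-line comment on the new member would cover that, e.g. `/* Consulted before an active swap device is removed; arguments as for mpo_check_system_swapon. */`. The sys/sys/mac_policy.h hunk further down carries the identical change with the same blob ids 825e45c..fc08f2a, and this note applies to it as well.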
@@ -2694,6 +2694,20 @@ mac_check_system_swapon(struct ucred *cred, struct vnode *vp)
 }
 
 int
+mac_check_system_swapoff(struct ucred *cred, struct vnode *vp)
+{
+ int error;
+
+ ASSERT_VOP_LOCKED(vp, "mac_check_system_swapoff");
+
+ if (!mac_enforce_system)
+ return (0);
+
+ MAC_CHECK(check_system_swapoff, cred, vp, &vp->v_label);
+ return (error);
+}
+
+int
 mac_check_system_sysctl(struct ucred *cred, int *name, u_int namelen, void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen)
 {
diff --git a/sys/security/mac/mac_system.c b/sys/security/mac/mac_system.c
index e98a50c..a766006 100644
--- a/sys/security/mac/mac_system.c
+++ b/sys/security/mac/mac_system.c
@@ -2694,6 +2694,20 @@ mac_check_system_swapon(struct ucred *cred, struct vnode *vp)
 }
 
 int
+mac_check_system_swapoff(struct ucred *cred, struct vnode *vp)
+{
+ int error;
+
+ ASSERT_VOP_LOCKED(vp, "mac_check_system_swapoff");
+
+ if (!mac_enforce_system)
+ return (0);
+
+ MAC_CHECK(check_system_swapoff, cred, vp, &vp->v_label);
+ return (error);
+}
+
+int
 mac_check_system_sysctl(struct ucred *cred, int *name, u_int namelen, void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen)
 {
diff --git a/sys/security/mac/mac_vfs.c b/sys/security/mac/mac_vfs.c
index e98a50c..a766006 100644
--- a/sys/security/mac/mac_vfs.c
+++ b/sys/security/mac/mac_vfs.c
@@ -2694,6 +2694,20 @@ mac_check_system_swapon(struct ucred *cred, struct vnode *vp)
 }
 
 int
+mac_check_system_swapoff(struct ucred *cred, struct vnode *vp)
+{
+ int error;
+
+ ASSERT_VOP_LOCKED(vp, "mac_check_system_swapoff");
+
+ if (!mac_enforce_system)
+ return (0);
+
+ MAC_CHECK(check_system_swapoff, cred, vp, &vp->v_label);
+ return (error);
+}
+
+int
 mac_check_system_sysctl(struct ucred *cred, int *name, u_int namelen, void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen)
 {
diff --git a/sys/sys/mac.h b/sys/sys/mac.h
index 18399f7..8e25d0d 100644
--- a/sys/sys/mac.h
+++ b/sys/sys/mac.h
@@ -269,6 +269,7 @@ int mac_check_system_nfsd(struct ucred *cred);
 int mac_check_system_reboot(struct ucred *cred, int howto);
 int mac_check_system_settime(struct ucred *cred);
 int mac_check_system_swapon(struct ucred *cred, struct vnode *vp);
+int mac_check_system_swapoff(struct ucred *cred, struct vnode *vp);
 int mac_check_system_sysctl(struct ucred *cred, int *name, u_int namelen, void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen);
diff --git a/sys/sys/mac_policy.h b/sys/sys/mac_policy.h
index 825e45c..fc08f2a 100644
--- a/sys/sys/mac_policy.h
+++ b/sys/sys/mac_policy.h
@@ -329,6 +329,8 @@ struct mac_policy_ops {
 int (*mpo_check_system_settime)(struct ucred *cred);
 int (*mpo_check_system_swapon)(struct ucred *cred, struct vnode *vp, struct label *label);
+ int (*mpo_check_system_swapoff)(struct ucred *cred,
+ struct vnode *vp, struct label *label);
 int (*mpo_check_system_sysctl)(struct ucred *cred, int *name, u_int namelen, void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen);
diff --git a/sys/vm/vm_swap.c b/sys/vm/vm_swap.c
index f968838..057a85d 100644
--- a/sys/vm/vm_swap.c
+++ b/sys/vm/vm_swap.c
@@ -433,6 +433,14 @@ swapoff(td, uap)
 error = EINVAL;
 goto done;
 found:
+#ifdef MAC
+ (void) vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
+ error = mac_check_system_swapoff(td->td_ucred, vp);
+ (void) VOP_UNLOCK(vp, 0, td);
+ if (error != 0)
+ goto done;
+#endif
+
 nblks = sp->sw_nblks; /* |