Diffstat (limited to 'sys/security/mac_biba/mac_biba.c')
-rw-r--r-- | sys/security/mac_biba/mac_biba.c | 46 |
1 files changed, 46 insertions, 0 deletions
diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c
index 202aeed..abb817d 100644
--- a/sys/security/mac_biba/mac_biba.c
+++ b/sys/security/mac_biba/mac_biba.c
@@ -2304,6 +2304,50 @@ mac_biba_check_system_acct(struct ucred *cred, struct vnode *vp,
 }

 static int
+mac_biba_check_system_auditctl(struct ucred *cred, struct vnode *vp,
+ struct label *vplabel)
+{
+ struct mac_biba *subj, *obj;
+ int error;
+
+ if (!mac_biba_enabled)
+ return (0);
+
+ subj = SLOT(cred->cr_label);
+
+ error = mac_biba_subject_privileged(subj);
+ if (error)
+ return (error);
+
+ if (vplabel == NULL)
+ return (0);
+
+ obj = SLOT(vplabel);
+ if (!mac_biba_high_effective(obj))
+ return (EACCES);
+
+ return (0);
+}
+
+static int
+mac_biba_check_system_auditon(struct ucred *cred, int cmd)
+{
+ struct mac_biba *subj;
+ int error;
+
+ if (!mac_biba_enabled)
+ return (0);
+
+ subj = SLOT(cred->cr_label);
+
+ error = mac_biba_subject_privileged(subj);
+ if (error)
+ return (error);
+
+ return (0);
+}
+
+static int
 mac_biba_check_system_settime(struct ucred *cred)
 {
 struct mac_biba *subj;
@@ -3204,6 +3248,8 @@ static struct mac_policy_ops mac_biba_ops =
 .mpo_check_socket_visible = mac_biba_check_socket_visible,
 .mpo_check_sysarch_ioperm = mac_biba_check_sysarch_ioperm,
 .mpo_check_system_acct = mac_biba_check_system_acct,
+ .mpo_check_system_auditctl = mac_biba_check_system_auditctl,
+ .mpo_check_system_auditon = mac_biba_check_system_auditon,
 .mpo_check_system_settime = mac_biba_check_system_settime,
 .mpo_check_system_swapon = mac_biba_check_system_swapon,
 .mpo_check_system_swapoff = mac_biba_check_system_swapoff,
|
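Review bot: In mac_biba_check_system_auditctl the `if (vplabel == NULL) return (0);` branch skips the object integrity test for any privileged subject, and nothing in the hunk says when a NULL label is expected. A comment such as `/* No label to compare against (presumably no audit trail vnode was supplied -- confirm against the caller). */` would document that path, and it is worth confirming that `vp` is also NULL whenever `vplabel` is. The `mac_biba_high_effective(obj)` test would benefit from a one-line why-comment stating that the vnode handed to auditctl must carry an effective biba/high label or the call fails with EACCES. In mac_biba_check_system_auditon the `cmd` argument is never read, so every audit command, query or configuration change alike, is held to the same `mac_biba_subject_privileged()` requirement; if that is deliberate, say so in a comment above the function.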