Diffstat (limited to 'sys/security/mac_biba/mac_biba.c')
-rw-r--r-- | sys/security/mac_biba/mac_biba.c | 92 |
1 files changed, 60 insertions, 32 deletions
diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c
index 83c82e4..6e9e383 100644
--- a/sys/security/mac_biba/mac_biba.c
+++ b/sys/security/mac_biba/mac_biba.c
@@ -1689,6 +1689,42 @@ mac_biba_check_vnode_open(struct ucred *cred, struct vnode *vp,
 }
 
 static int
+mac_biba_check_vnode_poll(struct ucred *cred, struct vnode *vp,
+ struct label *label)
+{
+ struct mac_biba *subj, *obj;
+
+ if (!mac_biba_enabled || !mac_biba_revocation_enabled)
+ return (0);
+
+ subj = SLOT(&cred->cr_label);
+ obj = SLOT(label);
+
+ if (!mac_biba_dominate_single(obj, subj))
+ return (EACCES);
+
+ return (0);
+}
+
+static int
+mac_biba_check_vnode_read(struct ucred *cred, struct vnode *vp,
+ struct label *label)
+{
+ struct mac_biba *subj, *obj;
+
+ if (!mac_biba_enabled || !mac_biba_revocation_enabled)
+ return (0);
+
+ subj = SLOT(&cred->cr_label);
+ obj = SLOT(label);
+
+ if (!mac_biba_dominate_single(obj, subj))
+ return (EACCES);
+
+ return (0);
+}
+
+static int
 mac_biba_check_vnode_readdir(struct ucred *cred, struct vnode *dvp,
 struct label *dlabel)
 {
@@ -1955,6 +1991,24 @@ mac_biba_check_vnode_stat(struct ucred *cred, struct vnode *vp,
 return (0);
 }
 
+static int
+mac_biba_check_vnode_write(struct ucred *cred, struct vnode *vp,
+ struct label *label)
+{
+ struct mac_biba *subj, *obj;
+
+ if (!mac_biba_enabled || !mac_biba_revocation_enabled)
+ return (0);
+
+ subj = SLOT(&cred->cr_label);
+ obj = SLOT(label);
+
+ if (!mac_biba_dominate_single(subj, obj))
+ return (EACCES);
+
+ return (0);
+}
+
 static vm_prot_t
 mac_biba_check_vnode_mmap_perms(struct ucred *cred, struct vnode *vp,
 struct label *label, int newmapping)
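Review bot: mac_biba_check_vnode_poll and mac_biba_check_vnode_read in the first hunk have byte-identical bodies, and neither says why a per-operation integrity check is still performed after mac_biba_check_vnode_open (visible just above the hunk) has already admitted the file, nor why it is gated on `mac_biba_revocation_enabled`. The knob name suggests these hooks exist so that a label change after open() can be enforced on later reads, but that intent is nowhere in the code; a reader who trips over the short-circuit may "fix" it by dropping the revocation test and silently make every read on an open descriptor re-checked. I would have poll delegate, `return (mac_biba_check_vnode_read(cred, vp, label));`, so the two cannot drift apart, and add above mac_biba_check_vnode_read: `/* Re-check the no-read-down rule on each read/poll so a label change after open() takes effect; only meaningful when revocation is enabled — confirm this matches the framework's intent. */`. The unused `vp` parameter matches the old mac_biba_check_vnode_op signature and is presumably dictated by the hook type, so that is fine as is.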
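Review bot: mac_biba_check_vnode_write in the second hunk reverses the argument order of the dominance test, `mac_biba_dominate_single(subj, obj)`, relative to the read and poll hooks, `mac_biba_dominate_single(obj, subj)`, and with the old switch gone the two directions now sit roughly three hundred lines apart, so nothing on the page marks the asymmetry as deliberate. That is the Biba no-write-up / no-read-down pair, assuming mac_biba_dominate_single(a, b) tests that a dominates b — its definition is outside this hunk, so please confirm the argument convention. A one-line comment on the check would stop a future maintainer from "harmonising" it with the read hook: `/* Biba no-write-up: the subject's integrity must dominate the object's. */`. The function is otherwise a faithful extraction of the MAC_OP_VNODE_WRITE arm, including the `mac_biba_revocation_enabled` short-circuit that returns 0 before any label is consulted.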
@@ -1975,36 +2029,6 @@ mac_biba_check_vnode_mmap_perms(struct ucred *cred, struct vnode *vp,
 return (prot);
 }
 
-static int
-mac_biba_check_vnode_op(struct ucred *cred, struct vnode *vp,
- struct label *label, int op)
-{
- struct mac_biba *subj, *obj;
-
- if (!mac_biba_enabled || !mac_biba_revocation_enabled)
- return (0);
-
- subj = SLOT(&cred->cr_label);
- obj = SLOT(label);
-
- switch (op) {
- case MAC_OP_VNODE_POLL:
- case MAC_OP_VNODE_READ:
- if (!mac_biba_dominate_single(obj, subj))
- return (EACCES);
- return (0);
-
- case MAC_OP_VNODE_WRITE:
- if (!mac_biba_dominate_single(subj, obj))
- return (EACCES);
- return (0);
-
- default:
- printf("mac_biba_check_vnode_op: unknown operation %d\n", op);
- return (EINVAL);
- }
-}
-
 static struct mac_policy_op_entry mac_biba_ops[] =
 {
 { MAC_DESTROY,
@@ -2189,6 +2213,10 @@ static struct mac_policy_op_entry mac_biba_ops[] =
 (macop_t)mac_biba_check_vnode_lookup },
 { MAC_CHECK_VNODE_OPEN,
 (macop_t)mac_biba_check_vnode_open },
+ { MAC_CHECK_VNODE_POLL,
+ (macop_t)mac_biba_check_vnode_poll },
+ { MAC_CHECK_VNODE_READ,
+ (macop_t)mac_biba_check_vnode_read },
 { MAC_CHECK_VNODE_READDIR,
 (macop_t)mac_biba_check_vnode_readdir },
 { MAC_CHECK_VNODE_READLINK,
@@ -2215,10 +2243,10 @@ static struct mac_policy_op_entry mac_biba_ops[] =
 (macop_t)mac_biba_check_vnode_setutimes },
 { MAC_CHECK_VNODE_STAT,
 (macop_t)mac_biba_check_vnode_stat },
+ { MAC_CHECK_VNODE_WRITE,
+ (macop_t)mac_biba_check_vnode_write },
 { MAC_CHECK_VNODE_MMAP_PERMS,
 (macop_t)mac_biba_check_vnode_mmap_perms },
- { MAC_CHECK_VNODE_OP,
- (macop_t)mac_biba_check_vnode_op },
 { MAC_OP_LAST, NULL }
 }; |