diff options
Diffstat (limited to 'sys/security')
| -rw-r--r-- | sys/security/audit/audit_syscalls.c | 44 | ||||
| -rw-r--r-- | sys/security/mac/mac_audit.c | 101 | ||||
| -rw-r--r-- | sys/security/mac/mac_framework.h | 6 | ||||
| -rw-r--r-- | sys/security/mac/mac_policy.h | 14 | ||||
| -rw-r--r-- | sys/security/mac_biba/mac_biba.c | 46 | ||||
| -rw-r--r-- | sys/security/mac_bsdextended/mac_bsdextended.c | 27 | ||||
| -rw-r--r-- | sys/security/mac_lomac/mac_lomac.c | 64 | ||||
| -rw-r--r-- | sys/security/mac_mls/mac_mls.c | 40 | ||||
| -rw-r--r-- | sys/security/mac_stub/mac_stub.c | 49 | ||||
| -rw-r--r-- | sys/security/mac_test/mac_test.c | 63 |
10 files changed, 446 insertions, 8 deletions
diff --git a/sys/security/audit/audit_syscalls.c b/sys/security/audit/audit_syscalls.c index d227334..96dedba 100644 --- a/sys/security/audit/audit_syscalls.c +++ b/sys/security/audit/audit_syscalls.c @@ -29,6 +29,8 @@ * $FreeBSD$ */ +#include "opt_mac.h" + #include <sys/param.h> #include <sys/mount.h> #include <sys/namei.h> @@ -41,8 +43,10 @@ #include <bsm/audit.h> #include <bsm/audit_kevents.h> + #include <security/audit/audit.h> #include <security/audit/audit_private.h> +#include <security/mac/mac_framework.h> #ifdef AUDIT @@ -109,6 +113,12 @@ audit(struct thread *td, struct audit_args *uap) goto free_out; } +#ifdef MAC + error = mac_check_system_audit(td->td_ucred, rec, uap->length); + if (error) + goto free_out; +#endif + /* * Attach the user audit record to the kernel audit record. Because * this system call is an auditable event, we will write the user @@ -153,6 +163,13 @@ auditon(struct thread *td, struct auditon_args *uap) if (jailed(td->td_ucred)) return (ENOSYS); AUDIT_ARG(cmd, uap->cmd); + +#ifdef MAC + error = mac_check_system_auditon(td->td_ucred, uap->cmd); + if (error) + return (error); +#endif + error = priv_check(td, PRIV_AUDIT_CONTROL); if (error) return (error); @@ -451,6 +468,12 @@ setauid(struct thread *td, struct setauid_args *uap) audit_arg_auid(id); +#ifdef MAC + error = mac_check_proc_setauid(td->td_ucred, id); + if (error) + return (error); +#endif + /* * XXX: Integer write on static pointer dereference: doesn't need * locking? @@ -519,6 +542,12 @@ setaudit(struct thread *td, struct setaudit_args *uap) audit_arg_auditinfo(&ai); +#ifdef MAC + error = mac_check_proc_setaudit(td->td_ucred, &ai); + if (error) + return (error); +#endif + /* * XXXRW: Test privilege while holding the proc lock? */ @@ -568,6 +597,11 @@ setaudit_addr(struct thread *td, struct setaudit_addr_args *uap) if (error) return (error); +#ifdef MAC + error = mac_check_proc_setaudit(td->td_ucred, NULL); + if (error) + return (error); +#endif error = copyin(uap->auditinfo_addr, &aia, sizeof(aia)); if (error) return (error); @@ -617,7 +651,17 @@ auditctl(struct thread *td, struct auditctl_args *uap) return (error); vfslocked = NDHASGIANT(&nd); vp = nd.ni_vp; +#ifdef MAC + error = mac_check_system_auditctl(td->td_ucred, vp); + VOP_UNLOCK(vp, 0, td); + if (error) { + vn_close(vp, AUDIT_CLOSE_FLAGS, td->td_ucred, td); + VFS_UNLOCK_GIANT(vfslocked); + return (error); + } +#else VOP_UNLOCK(vp, 0, td); +#endif NDFREE(&nd, NDF_ONLY_PNBUF); if (vp->v_type != VREG) { vn_close(vp, AUDIT_CLOSE_FLAGS, td->td_ucred, td); diff --git a/sys/security/mac/mac_audit.c b/sys/security/mac/mac_audit.c new file mode 100644 index 0000000..c3aad11 --- /dev/null +++ b/sys/security/mac/mac_audit.c @@ -0,0 +1,101 @@ +/*- + * Copyright (c) 1999-2002 Robert N. M. Watson + * Copyright (c) 2001 Ilmar S. Habibulin + * Copyright (c) 2001-2004 Networks Associates Technology, Inc. + * + * This software was developed by Robert Watson and Ilmar Habibulin for the + * TrustedBSD Project. + * + * This software was developed for the FreeBSD Project in part by Network + * Associates Laboratories, the Security Research Division of Network + * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), + * as part of the DARPA CHATS research program. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD$ + */ + +#include <sys/param.h> +#include <sys/module.h> +#include <sys/vnode.h> + +#include <security/audit/audit.h> + +#include <security/mac/mac_framework.h> +#include <security/mac/mac_internal.h> +#include <security/mac/mac_policy.h> + +int +mac_check_proc_setaudit(struct ucred *cred, struct auditinfo *ai) +{ + int error; + + MAC_CHECK(check_proc_setaudit, cred, ai); + + return (error); +} + +int +mac_check_proc_setauid(struct ucred *cred, uid_t auid) +{ + int error; + + MAC_CHECK(check_proc_setauid, cred, auid); + + return (error); +} + +int +mac_check_system_audit(struct ucred *cred, void *record, int length) +{ + int error; + + MAC_CHECK(check_system_audit, cred, record, length); + + return (error); +} + +int +mac_check_system_auditctl(struct ucred *cred, struct vnode *vp) +{ + int error; + struct label *vl; + + ASSERT_VOP_LOCKED(vp, "mac_check_system_auditctl"); + + vl = (vp != NULL) ? vp->v_label : NULL; + + MAC_CHECK(check_system_auditctl, cred, vp, vl); + + return (error); +} + +int +mac_check_system_auditon(struct ucred *cred, int cmd) +{ + int error; + + MAC_CHECK(check_system_auditon, cred, cmd); + + return (error); +} diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h index 4a95476..f127456 100644 --- a/sys/security/mac/mac_framework.h +++ b/sys/security/mac/mac_framework.h @@ -50,6 +50,7 @@ #error "no user-serviceable parts inside" #endif +struct auditinfo; struct bpf_d; struct cdev; struct componentname; @@ -297,6 +298,8 @@ int mac_check_posix_sem_unlink(struct ucred *cred, struct ksem *ksemptr); int mac_check_posix_sem_wait(struct ucred *cred, struct ksem *ksemptr); int mac_check_proc_debug(struct ucred *cred, struct proc *proc); int mac_check_proc_sched(struct ucred *cred, struct proc *proc); +int mac_check_proc_setaudit(struct ucred *cred, struct auditinfo *ai); +int mac_check_proc_setauid(struct ucred *cred, uid_t auid); int mac_check_proc_setuid(struct proc *proc, struct ucred *cred, uid_t uid); int mac_check_proc_seteuid(struct proc *proc, struct ucred *cred, @@ -334,6 +337,9 @@ int mac_check_socket_stat(struct ucred *cred, struct socket *so); int mac_check_socket_visible(struct ucred *cred, struct socket *so); int mac_check_sysarch_ioperm(struct ucred *cred); int mac_check_system_acct(struct ucred *cred, struct vnode *vp); +int mac_check_system_audit(struct ucred *cred, void *record, int length); +int mac_check_system_auditctl(struct ucred *cred, struct vnode *vp); +int mac_check_system_auditon(struct ucred *cred, int cmd); int mac_check_system_nfsd(struct ucred *cred); int mac_check_system_reboot(struct ucred *cred, int howto); int mac_check_system_settime(struct ucred *cred); diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h index c3c435c..ade77f6 100644 --- a/sys/security/mac/mac_policy.h +++ b/sys/security/mac/mac_policy.h @@ -62,6 +62,7 @@ #include <sys/acl.h> /* XXX acl_type_t */ struct acl; +struct auditinfo; struct bpf_d; struct cdev; struct componentname; @@ -455,6 +456,9 @@ typedef int (*mpo_check_proc_debug_t)(struct ucred *cred, struct proc *proc); typedef int (*mpo_check_proc_sched_t)(struct ucred *cred, struct proc *proc); +typedef int (*mpo_check_proc_setaudit_t)(struct ucred *cred, + struct auditinfo *ai); +typedef int (*mpo_check_proc_setauid_t)(struct ucred *cred, uid_t auid); typedef int (*mpo_check_proc_setuid_t)(struct ucred *cred, uid_t uid); typedef int (*mpo_check_proc_seteuid_t)(struct ucred *cred, uid_t euid); typedef int (*mpo_check_proc_setgid_t)(struct ucred *cred, gid_t gid); @@ -504,6 +508,11 @@ typedef int (*mpo_check_socket_visible_t)(struct ucred *cred, typedef int (*mpo_check_sysarch_ioperm_t)(struct ucred *cred); typedef int (*mpo_check_system_acct_t)(struct ucred *cred, struct vnode *vp, struct label *vlabel); +typedef int (*mpo_check_system_audit_t)(struct ucred *cred, void *record, + int length); +typedef int (*mpo_check_system_auditctl_t)(struct ucred *cred, + struct vnode *vp, struct label *vplabel); +typedef int (*mpo_check_system_auditon_t)(struct ucred *cred, int cmd); typedef int (*mpo_check_system_nfsd_t)(struct ucred *cred); typedef int (*mpo_check_system_reboot_t)(struct ucred *cred, int howto); typedef int (*mpo_check_system_settime_t)(struct ucred *cred); @@ -827,6 +836,8 @@ struct mac_policy_ops { mpo_check_posix_sem_wait_t mpo_check_posix_sem_wait; mpo_check_proc_debug_t mpo_check_proc_debug; mpo_check_proc_sched_t mpo_check_proc_sched; + mpo_check_proc_setaudit_t mpo_check_proc_setaudit; + mpo_check_proc_setauid_t mpo_check_proc_setauid; mpo_check_proc_setuid_t mpo_check_proc_setuid; mpo_check_proc_seteuid_t mpo_check_proc_seteuid; mpo_check_proc_setgid_t mpo_check_proc_setgid; @@ -853,6 +864,9 @@ struct mac_policy_ops { mpo_check_socket_visible_t mpo_check_socket_visible; mpo_check_sysarch_ioperm_t mpo_check_sysarch_ioperm; mpo_check_system_acct_t mpo_check_system_acct; + mpo_check_system_audit_t mpo_check_system_audit; + mpo_check_system_auditctl_t mpo_check_system_auditctl; + mpo_check_system_auditon_t mpo_check_system_auditon; mpo_check_system_nfsd_t mpo_check_system_nfsd; mpo_check_system_reboot_t mpo_check_system_reboot; mpo_check_system_settime_t mpo_check_system_settime; diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c index 202aeed..abb817d 100644 --- a/sys/security/mac_biba/mac_biba.c +++ b/sys/security/mac_biba/mac_biba.c @@ -2304,6 +2304,50 @@ mac_biba_check_system_acct(struct ucred *cred, struct vnode *vp, } static int +mac_biba_check_system_auditctl(struct ucred *cred, struct vnode *vp, + struct label *vplabel) +{ + struct mac_biba *subj, *obj; + int error; + + if (!mac_biba_enabled) + return (0); + + subj = SLOT(cred->cr_label); + + error = mac_biba_subject_privileged(subj); + if (error) + return (error); + + if (vplabel == NULL) + return (0); + + obj = SLOT(vplabel); + if (!mac_biba_high_effective(obj)) + return (EACCES); + + return (0); +} + +static int +mac_biba_check_system_auditon(struct ucred *cred, int cmd) +{ + struct mac_biba *subj; + int error; + + if (!mac_biba_enabled) + return (0); + + subj = SLOT(cred->cr_label); + + error = mac_biba_subject_privileged(subj); + if (error) + return (error); + + return (0); +} + +static int mac_biba_check_system_settime(struct ucred *cred) { struct mac_biba *subj; @@ -3204,6 +3248,8 @@ static struct mac_policy_ops mac_biba_ops = .mpo_check_socket_visible = mac_biba_check_socket_visible, .mpo_check_sysarch_ioperm = mac_biba_check_sysarch_ioperm, .mpo_check_system_acct = mac_biba_check_system_acct, + .mpo_check_system_auditctl = mac_biba_check_system_auditctl, + .mpo_check_system_auditon = mac_biba_check_system_auditon, .mpo_check_system_settime = mac_biba_check_system_settime, .mpo_check_system_swapon = mac_biba_check_system_swapon, .mpo_check_system_swapoff = mac_biba_check_system_swapoff, diff --git a/sys/security/mac_bsdextended/mac_bsdextended.c b/sys/security/mac_bsdextended/mac_bsdextended.c index a0bb805..da99f2b 100644 --- a/sys/security/mac_bsdextended/mac_bsdextended.c +++ b/sys/security/mac_bsdextended/mac_bsdextended.c @@ -488,6 +488,30 @@ mac_bsdextended_check_vp(struct ucred *cred, struct vnode *vp, int acc_mode) } static int +mac_bsdextended_check_system_acct(struct ucred *cred, struct vnode *vp, + struct label *label) +{ + + return (mac_bsdextended_check_vp(cred, vp, MBI_WRITE)); +} + +static int +mac_bsdextended_check_system_auditctl(struct ucred *cred, struct vnode *vp, + struct label *label) +{ + + return (mac_bsdextended_check_vp(cred, vp, MBI_WRITE)); +} + +static int +mac_bsdextended_check_system_swapoff(struct ucred *cred, struct vnode *vp, + struct label *label) +{ + + return (mac_bsdextended_check_vp(cred, vp, MBI_WRITE)); +} + +static int mac_bsdextended_check_system_swapon(struct ucred *cred, struct vnode *vp, struct label *label) { @@ -739,6 +763,9 @@ static struct mac_policy_ops mac_bsdextended_ops = { .mpo_destroy = mac_bsdextended_destroy, .mpo_init = mac_bsdextended_init, + .mpo_check_system_acct = mac_bsdextended_check_system_acct, + .mpo_check_system_auditctl = mac_bsdextended_check_system_auditctl, + .mpo_check_system_swapoff = mac_bsdextended_check_system_swapoff, .mpo_check_system_swapon = mac_bsdextended_check_system_swapon, .mpo_check_vnode_access = mac_bsdextended_check_vnode_access, .mpo_check_vnode_chdir = mac_bsdextended_check_vnode_chdir, diff --git a/sys/security/mac_lomac/mac_lomac.c b/sys/security/mac_lomac/mac_lomac.c index 3beb701..d24e63f 100644 --- a/sys/security/mac_lomac/mac_lomac.c +++ b/sys/security/mac_lomac/mac_lomac.c @@ -1,5 +1,5 @@ /*- - * Copyright (c) 1999-2002 Robert N. M. Watson + * Copyright (c) 1999-2002, 2007 Robert N. M. Watson * Copyright (c) 2001-2005 Networks Associates Technology, Inc. * All rights reserved. * @@ -2046,6 +2046,65 @@ mac_lomac_check_socket_visible(struct ucred *cred, struct socket *socket, } static int +mac_lomac_check_system_acct(struct ucred *cred, struct vnode *vp, + struct label *label) +{ + struct mac_lomac *subj, *obj; + + if (!mac_lomac_enabled) + return (0); + + subj = SLOT(cred->cr_label); + obj = SLOT(label); + + if (mac_lomac_subject_privileged(subj)) + return (EPERM); + + if (!mac_lomac_high_single(obj)) + return (EACCES); + + return (0); +} + +static int +mac_lomac_check_system_auditctl(struct ucred *cred, struct vnode *vp, + struct label *label) +{ + struct mac_lomac *subj, *obj; + + if (!mac_lomac_enabled) + return (0); + + subj = SLOT(cred->cr_label); + obj = SLOT(label); + + if (mac_lomac_subject_privileged(subj)) + return (EPERM); + + if (!mac_lomac_high_single(obj)) + return (EACCES); + + return (0); +} + +static int +mac_lomac_check_system_swapoff(struct ucred *cred, struct vnode *vp, + struct label *label) +{ + struct mac_lomac *subj; + + if (!mac_lomac_enabled) + return (0); + + subj = SLOT(cred->cr_label); + + if (mac_lomac_subject_privileged(subj)) + return (EPERM); + + return (0); +} + +static int mac_lomac_check_system_swapon(struct ucred *cred, struct vnode *vp, struct label *label) { @@ -2700,6 +2759,9 @@ static struct mac_policy_ops mac_lomac_ops = .mpo_check_socket_deliver = mac_lomac_check_socket_deliver, .mpo_check_socket_relabel = mac_lomac_check_socket_relabel, .mpo_check_socket_visible = mac_lomac_check_socket_visible, + .mpo_check_system_acct = mac_lomac_check_system_acct, + .mpo_check_system_auditctl = mac_lomac_check_system_auditctl, + .mpo_check_system_swapoff = mac_lomac_check_system_swapoff, .mpo_check_system_swapon = mac_lomac_check_system_swapon, .mpo_check_system_sysctl = mac_lomac_check_system_sysctl, .mpo_check_vnode_access = mac_lomac_check_vnode_open, diff --git a/sys/security/mac_mls/mac_mls.c b/sys/security/mac_mls/mac_mls.c index b900120..e1cbc91 100644 --- a/sys/security/mac_mls/mac_mls.c +++ b/sys/security/mac_mls/mac_mls.c @@ -2165,6 +2165,44 @@ mac_mls_check_socket_visible(struct ucred *cred, struct socket *socket, } static int +mac_mls_check_system_acct(struct ucred *cred, struct vnode *vp, + struct label *label) +{ + struct mac_mls *subj, *obj; + + if (!mac_mls_enabled) + return (0); + + subj = SLOT(cred->cr_label); + obj = SLOT(label); + + if (!mac_mls_dominate_effective(obj, subj) || + !mac_mls_dominate_effective(subj, obj)) + return (EACCES); + + return (0); +} + +static int +mac_mls_check_system_auditctl(struct ucred *cred, struct vnode *vp, + struct label *label) +{ + struct mac_mls *subj, *obj; + + if (!mac_mls_enabled) + return (0); + + subj = SLOT(cred->cr_label); + obj = SLOT(label); + + if (!mac_mls_dominate_effective(obj, subj) || + !mac_mls_dominate_effective(subj, obj)) + return (EACCES); + + return (0); +} + +static int mac_mls_check_system_swapon(struct ucred *cred, struct vnode *vp, struct label *label) { @@ -2972,6 +3010,8 @@ static struct mac_policy_ops mac_mls_ops = .mpo_check_socket_deliver = mac_mls_check_socket_deliver, .mpo_check_socket_relabel = mac_mls_check_socket_relabel, .mpo_check_socket_visible = mac_mls_check_socket_visible, + .mpo_check_system_acct = mac_mls_check_system_acct, + .mpo_check_system_auditctl = mac_mls_check_system_auditctl, .mpo_check_system_swapon = mac_mls_check_system_swapon, .mpo_check_vnode_access = mac_mls_check_vnode_open, .mpo_check_vnode_chdir = mac_mls_check_vnode_chdir, diff --git a/sys/security/mac_stub/mac_stub.c b/sys/security/mac_stub/mac_stub.c index e80da0402..9e66145 100644 --- a/sys/security/mac_stub/mac_stub.c +++ b/sys/security/mac_stub/mac_stub.c @@ -1,5 +1,5 @@ /*- - * Copyright (c) 1999-2002 Robert N. M. Watson + * Copyright (c) 1999-2002, 2007 Robert N. M. Watson * Copyright (c) 2001-2005 McAfee, Inc. * Copyright (c) 2005 SPARTA, Inc. * All rights reserved. @@ -920,6 +920,20 @@ stub_check_proc_wait(struct ucred *cred, struct proc *proc) } static int +stub_check_proc_setaudit(struct ucred *cred, struct auditinfo *ai) +{ + + return (0); +} + +static int +stub_check_proc_setauid(struct ucred *cred, uid_t auid) +{ + + return (0); +} + +static int stub_check_proc_setuid(struct ucred *cred, uid_t uid) { @@ -1096,6 +1110,28 @@ stub_check_system_acct(struct ucred *cred, struct vnode *vp, } static int +stub_check_system_audit(struct ucred *cred, void *record, int length) +{ + + return (0); +} + +static int +stub_check_system_auditctl(struct ucred *cred, struct vnode *vp, + struct label *vlabel) +{ + + return (0); +} + +static int +stub_check_system_auditon(struct ucred *cred, int cmd) +{ + + return (0); +} + +static int stub_check_system_nfsd(struct ucred *cred) { @@ -1117,7 +1153,7 @@ stub_check_system_settime(struct ucred *cred) } static int -stub_check_system_swapon(struct ucred *cred, struct vnode *vp, +stub_check_system_swapoff(struct ucred *cred, struct vnode *vp, struct label *label) { @@ -1125,7 +1161,7 @@ stub_check_system_swapon(struct ucred *cred, struct vnode *vp, } static int -stub_check_system_swapoff(struct ucred *cred, struct vnode *vp, +stub_check_system_swapon(struct ucred *cred, struct vnode *vp, struct label *label) { @@ -1576,6 +1612,8 @@ static struct mac_policy_ops mac_stub_ops = .mpo_check_posix_sem_wait = stub_check_posix_sem_wait, .mpo_check_proc_debug = stub_check_proc_debug, .mpo_check_proc_sched = stub_check_proc_sched, + .mpo_check_proc_setaudit = stub_check_proc_setaudit, + .mpo_check_proc_setauid = stub_check_proc_setauid, .mpo_check_proc_setuid = stub_check_proc_setuid, .mpo_check_proc_seteuid = stub_check_proc_seteuid, .mpo_check_proc_setgid = stub_check_proc_setgid, @@ -1601,11 +1639,14 @@ static struct mac_policy_ops mac_stub_ops = .mpo_check_socket_visible = stub_check_socket_visible, .mpo_check_sysarch_ioperm = stub_check_sysarch_ioperm, .mpo_check_system_acct = stub_check_system_acct, + .mpo_check_system_audit = stub_check_system_audit, + .mpo_check_system_auditctl = stub_check_system_auditctl, + .mpo_check_system_auditon = stub_check_system_auditon, .mpo_check_system_nfsd = stub_check_system_nfsd, .mpo_check_system_reboot = stub_check_system_reboot, .mpo_check_system_settime = stub_check_system_settime, - .mpo_check_system_swapon = stub_check_system_swapon, .mpo_check_system_swapoff = stub_check_system_swapoff, + .mpo_check_system_swapon = stub_check_system_swapon, .mpo_check_system_sysctl = stub_check_system_sysctl, .mpo_check_vnode_access = stub_check_vnode_access, .mpo_check_vnode_chdir = stub_check_vnode_chdir, diff --git a/sys/security/mac_test/mac_test.c b/sys/security/mac_test/mac_test.c index 0ca31e1..cff35f6 100644 --- a/sys/security/mac_test/mac_test.c +++ b/sys/security/mac_test/mac_test.c @@ -1712,6 +1712,24 @@ mac_test_check_proc_signal(struct ucred *cred, struct proc *proc, int signum) } static int +mac_test_check_proc_setaudit(struct ucred *cred, struct auditinfo *ai) +{ + + ASSERT_CRED_LABEL(cred->cr_label); + + return (0); +} + +static int +mac_test_check_proc_setauid(struct ucred *cred, uid_t auid) +{ + + ASSERT_CRED_LABEL(cred->cr_label); + + return (0); +} + +static int mac_test_check_proc_setuid(struct ucred *cred, uid_t uid) { @@ -1942,6 +1960,40 @@ mac_test_check_system_acct(struct ucred *cred, struct vnode *vp, { ASSERT_CRED_LABEL(cred->cr_label); + if (label != NULL) { + ASSERT_VNODE_LABEL(label); + } + + return (0); +} + +static int +mac_test_check_system_audit(struct ucred *cred, void *record, int length) +{ + + ASSERT_CRED_LABEL(cred->cr_label); + + return (0); +} + +static int +mac_test_check_system_auditctl(struct ucred *cred, struct vnode *vp, + struct label *label) +{ + + ASSERT_CRED_LABEL(cred->cr_label); + if (label != NULL) { + ASSERT_VNODE_LABEL(label); + } + + return (0); +} + +static int +mac_test_check_system_auditon(struct ucred *cred, int cmd) +{ + + ASSERT_CRED_LABEL(cred->cr_label); return (0); } @@ -1965,7 +2017,7 @@ mac_test_check_system_settime(struct ucred *cred) } static int -mac_test_check_system_swapon(struct ucred *cred, struct vnode *vp, +mac_test_check_system_swapoff(struct ucred *cred, struct vnode *vp, struct label *label) { @@ -1976,7 +2028,7 @@ mac_test_check_system_swapon(struct ucred *cred, struct vnode *vp, } static int -mac_test_check_system_swapoff(struct ucred *cred, struct vnode *vp, +mac_test_check_system_swapon(struct ucred *cred, struct vnode *vp, struct label *label) { @@ -2515,6 +2567,8 @@ static struct mac_policy_ops mac_test_ops = .mpo_check_posix_sem_wait = mac_test_check_posix_sem, .mpo_check_proc_debug = mac_test_check_proc_debug, .mpo_check_proc_sched = mac_test_check_proc_sched, + .mpo_check_proc_setaudit = mac_test_check_proc_setaudit, + .mpo_check_proc_setauid = mac_test_check_proc_setauid, .mpo_check_proc_setuid = mac_test_check_proc_setuid, .mpo_check_proc_seteuid = mac_test_check_proc_seteuid, .mpo_check_proc_setgid = mac_test_check_proc_setgid, @@ -2539,10 +2593,13 @@ static struct mac_policy_ops mac_test_ops = .mpo_check_socket_visible = mac_test_check_socket_visible, .mpo_check_sysarch_ioperm = mac_test_check_sysarch_ioperm, .mpo_check_system_acct = mac_test_check_system_acct, + .mpo_check_system_audit = mac_test_check_system_audit, + .mpo_check_system_auditctl = mac_test_check_system_auditctl, + .mpo_check_system_auditon = mac_test_check_system_auditon, .mpo_check_system_reboot = mac_test_check_system_reboot, .mpo_check_system_settime = mac_test_check_system_settime, - .mpo_check_system_swapon = mac_test_check_system_swapon, .mpo_check_system_swapoff = mac_test_check_system_swapoff, + .mpo_check_system_swapon = mac_test_check_system_swapon, .mpo_check_system_sysctl = mac_test_check_system_sysctl, .mpo_check_vnode_access = mac_test_check_vnode_access, .mpo_check_vnode_chdir = mac_test_check_vnode_chdir, |
