From d267bbc6cae03d2263872111708186e38133343e Mon Sep 17 00:00:00 2001
From: rwatson <rwatson@FreeBSD.org>
Date: Thu, 1 Aug 2002 14:31:58 +0000
Subject: Introduce support for Mandatory Access Control and extensible kernel
 access control.

Invoke an appropriate MAC entry point to authorize execution of
a file by a process.  The check is placed slightly differently
than it appears in the trustedbsd_mac tree so that it prevents
a little more information leakage about the target of the execve()
operation.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
---
 sys/kern/kern_exec.c | 9 +++++++++
 1 file changed, 9 insertions(+)

(limited to 'sys/kern/kern_exec.c')

diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c
index 14f5bad..0d6689f 100644
--- a/sys/kern/kern_exec.c
+++ b/sys/kern/kern_exec.c
@@ -27,6 +27,7 @@
  */
 
 #include "opt_ktrace.h"
+#include "opt_mac.h"
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -35,6 +36,7 @@
 #include <sys/sysproto.h>
 #include <sys/signalvar.h>
 #include <sys/kernel.h>
+#include <sys/mac.h>
 #include <sys/mount.h>
 #include <sys/filedesc.h>
 #include <sys/fcntl.h>
@@ -909,6 +911,13 @@ exec_check_permissions(imgp)
 	int error;
 
 	td = curthread;			/* XXXKSE */
+
+#ifdef MAC
+	error = mac_check_vnode_exec(td->td_ucred, imgp->vp);
+	if (error)
+		return (error);
+#endif
+	
 	/* Get file attributes */
 	error = VOP_GETATTR(vp, attr, td->td_ucred, td);
 	if (error)
-- 
cgit v1.1