From d1196975a07260e588b5270931563e7fe7d7e672 Mon Sep 17 00:00:00 2001
From: rwatson
Date: Sun, 22 Apr 2007 15:31:22 +0000
Subject: Remove MAC Framework access control check entry points made redundant with the introduction of priv(9) and MAC Framework entry points for privilege checking/granting. These entry points exactly aligned with privileges and provided no additional security context:

- mac_check_sysarch_ioperm()
- mac_check_kld_unload()
- mac_check_settime()
- mac_check_system_nfsd()

Add mpo_priv_check() implementations to Biba and LOMAC policies, which, for each privilege, determine if they can be granted to processes considered unprivileged by those two policies. These mostly, but not entirely, align with the set of privileges granted in jails.

Obtained from: TrustedBSD Project
---
 sys/kern/kern_linker.c | 5 -----
 sys/kern/kern_time.c | 14 --------------
 2 files changed, 19 deletions(-)
(limited to 'sys/kern')

diff --git a/sys/kern/kern_linker.c b/sys/kern/kern_linker.c
index cdbc10b..d8150fe 100644
--- a/sys/kern/kern_linker.c
+++ b/sys/kern/kern_linker.c
@@ -562,11 +562,6 @@ linker_file_unload(linker_file_t file, int flags)
 /* Refuse to unload modules if securelevel raised. */
 if (securelevel > 0)
 return (EPERM);
-#ifdef MAC
- error = mac_check_kld_unload(curthread->td_ucred);
- if (error)
- return (error);
-#endif
 KLD_LOCK_ASSERT();
 KLD_DPF(FILE, ("linker_file_unload: lf->refs=%d\n", file->refs));
diff --git a/sys/kern/kern_time.c b/sys/kern/kern_time.c
index 2a3df94..c434b93 100644
--- a/sys/kern/kern_time.c
+++ b/sys/kern/kern_time.c
@@ -32,8 +32,6 @@
 #include __FBSDID("$FreeBSD$");
-#include "opt_mac.h"
-
 #include
 #include
 #include
@@ -56,8 +54,6 @@ __FBSDID("$FreeBSD$");
 #include
 #include
-#include
-
 #include
 #include
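Review bot: After this removal the only guard still visible in linker_file_unload() is `if (securelevel > 0) return (EPERM);`, and no priv_check(td, PRIV_KLD_UNLOAD) appears in the hunk to take over from mac_check_kld_unload(), so the unload privilege is now enforced solely by the caller — presumably the kldunload(2) syscall path, which is outside this diff. That is only sound if every user-reachable entry into linker_file_unload() passes through that caller; since the diff is limited to sys/kern and the commit message says the entry point "exactly aligned" with a privilege, it is worth confirming the syscall-side priv_check exists rather than relying on the message. I would record the contract next to the securelevel test so the next reader does not reinstate a check here: `/* PRIV_KLD_UNLOAD is checked by the kldunload(2) caller; only securelevel is enforced here. */`. The body of linker_file_unload() continues past the end of the hunk.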
@@ -272,11 +268,6 @@ kern_clock_settime(struct thread *td, clockid_t clock_id, struct timespec *ats)
 struct timeval atv;
 int error;
-#ifdef MAC
- error = mac_check_system_settime(td->td_ucred);
- if (error)
- return (error);
-#endif
 if ((error = priv_check(td, PRIV_CLOCK_SETTIME)) != 0)
 return (error);
 if (clock_id != CLOCK_REALTIME)
@@ -479,11 +470,6 @@ kern_settimeofday(struct thread *td, struct timeval *tv, struct timezone *tzp)
 {
 int error;
-#ifdef MAC
- error = mac_check_system_settime(td->td_ucred);
- if (error)
- return (error);
-#endif
 error = priv_check(td, PRIV_SETTIMEOFDAY);
 if (error)
 return (error);
-- cgit v1.1
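Review bot: The deleted mac_check_system_settime() ran for every caller before any privilege test, whereas the remaining `if ((error = priv_check(td, PRIV_CLOCK_SETTIME)) != 0)` now routes the policy decision through priv(9), where — per the commit message — policies are consulted via the new privilege checking/granting entry points. That is a semantic shift rather than a pure relocation: a policy can now both deny the privilege to root and grant it to a non-root process, so any policy that relied on the old deny-only hook needs an mpo_priv_check() case for PRIV_CLOCK_SETTIME or it silently loses coverage (Biba and LOMAC are said to be updated, but those files are not in this sys/kern-limited diff). A one-line comment above the priv_check would make the dependency explicit: `/* MAC policy consultation for this privilege happens inside priv_check() via the framework's priv entry points. */`. kern_clock_settime()'s body continues past the end of the hunk.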
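Review bot: This hunk leaves `error = priv_check(td, PRIV_SETTIMEOFDAY);` as the sole guard while the preceding hunk guards kern_clock_settime() with PRIV_CLOCK_SETTIME, so one MAC entry point (both hunks delete the same mac_check_system_settime() call) has become two distinct privileges for what appears to be the same capability, setting the realtime clock. A policy implementing mpo_priv_check() must therefore decide both identically; denying one and granting the other would let a process set the time through the other syscall. The commit message also lists the removed entry point as mac_check_settime() while both hunks actually delete mac_check_system_settime(), which is worth correcting in the description. I would add above the priv_check: `/* Keep in sync with PRIV_CLOCK_SETTIME in kern_clock_settime(): both gate the same operation. */`. kern_settimeofday()'s body continues past the end of the hunk.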