From f3748b0c0b9b7ae4a57068095ab2eb98aaea333d Mon Sep 17 00:00:00 2001
From: rwatson
Date: Fri, 8 Nov 2002 18:04:36 +0000
Subject: Update MAC modules for changes in arguments for exec MAC policy entry points to include an explicit execlabel.
Approved by: re
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
---
 sys/security/mac_biba/mac_biba.c | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)
(limited to 'sys/security/mac_biba')
diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c
index 2770941..3268dd7 100644
--- a/sys/security/mac_biba/mac_biba.c
+++ b/sys/security/mac_biba/mac_biba.c
@@ -2044,9 +2044,23 @@ mac_biba_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
 
 static int
 mac_biba_check_vnode_exec(struct ucred *cred, struct vnode *vp,
- struct label *label, struct image_params *imgp)
+ struct label *label, struct image_params *imgp,
+ struct label *execlabel)
 {
- struct mac_biba *subj, *obj;
+ struct mac_biba *subj, *obj, *exec;
+ int error;
+
+ if (execlabel != NULL) {
+ /*
+ * We currently don't permit labels to be changed at
+ * exec-time as part of Biba, so disallow non-NULL
+ * Biba label elements in the execlabel.
+ */
+ exec = SLOT(execlabel);
+ error = biba_atmostflags(exec, 0);
+ if (error)
+ return (error);
+ }
 
 if (!mac_biba_enabled)
 return (0);
-- 
cgit v1.1
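Review bot: The new `if (execlabel != NULL)` block in mac_biba_check_vnode_exec() runs before the `if (!mac_biba_enabled) return (0);` early-out, so an exec whose execlabel carries Biba elements is refused even while the policy is disabled, and the comment does not say whether that ordering is deliberate. If it is the intended fail-closed behaviour, extend the comment with something like `* This is enforced even when the policy is disabled.`; if it is not, the `mac_biba_enabled` test belongs above the execlabel check. `SLOT()` and `biba_atmostflags()` are defined outside this hunk, so the error value returned to the caller and whether `SLOT(execlabel)` can be NULL for a label with no Biba storage cannot be confirmed from here and are worth checking. The function body continues past the end of the hunk.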