From d1196975a07260e588b5270931563e7fe7d7e672 Mon Sep 17 00:00:00 2001
From: rwatson
Date: Sun, 22 Apr 2007 15:31:22 +0000
Subject: Remove MAC Framework access control check entry points made redundant with the introduction of priv(9) and MAC Framework entry points for privilege checking/granting. These entry points exactly aligned with privileges and provided no additional security context:

- mac_check_sysarch_ioperm()
- mac_check_kld_unload()
- mac_check_settime()
- mac_check_system_nfsd()

Add mpo_priv_check() implementations to Biba and LOMAC policies, which, for each privilege, determine if they can be granted to processes considered unprivileged by those two policies. These mostly, but not entirely, align with the set of privileges granted in jails.

Obtained from: TrustedBSD Project
---
 sys/security/mac_stub/mac_stub.c | 32 --------------------------------
 1 file changed, 32 deletions(-)

(limited to 'sys/security/mac_stub')

diff --git a/sys/security/mac_stub/mac_stub.c b/sys/security/mac_stub/mac_stub.c
index 9e66145..b06c02b 100644
--- a/sys/security/mac_stub/mac_stub.c
+++ b/sys/security/mac_stub/mac_stub.c
@@ -781,13 +781,6 @@ stub_check_kld_stat(struct ucred *cred)
 }
 
 static int
-stub_check_kld_unload(struct ucred *cred)
-{
-
-	return (0);
-}
-
-static int
 stub_check_mount_stat(struct ucred *cred, struct mount *mp,
     struct label *mntlabel)
 {
@@ -1095,13 +1088,6 @@ stub_check_socket_visible(struct ucred *cred, struct socket *socket,
 }
 
 static int
-stub_check_sysarch_ioperm(struct ucred *cred)
-{
-
-	return (0);
-}
-
-static int
 stub_check_system_acct(struct ucred *cred, struct vnode *vp,
     struct label *vlabel)
 {
@@ -1132,13 +1118,6 @@ stub_check_system_auditon(struct ucred *cred, int cmd)
 }
 
 static int
-stub_check_system_nfsd(struct ucred *cred)
-{
-
-	return (0);
-}
-
-static int
 stub_check_system_reboot(struct ucred *cred, int how)
 {
 
@@ -1146,13 +1125,6 @@ stub_check_system_reboot(struct ucred *cred, int how)
 }
 
 static int
-stub_check_system_settime(struct ucred *cred)
-{
-
-	return (0);
-}
-
-static int
 stub_check_system_swapoff(struct ucred *cred, struct vnode *vp,
     struct label *label)
 {
@@ -1596,7 +1568,6 @@ static struct mac_policy_ops mac_stub_ops =
 	.mpo_check_kenv_unset = stub_check_kenv_unset,
 	.mpo_check_kld_load = stub_check_kld_load,
 	.mpo_check_kld_stat = stub_check_kld_stat,
-	.mpo_check_kld_unload = stub_check_kld_unload,
 	.mpo_check_mount_stat = stub_check_mount_stat,
 	.mpo_check_pipe_ioctl = stub_check_pipe_ioctl,
 	.mpo_check_pipe_poll = stub_check_pipe_poll,
@@ -1637,14 +1608,11 @@ static struct mac_policy_ops mac_stub_ops =
 	.mpo_check_socket_send = stub_check_socket_send,
 	.mpo_check_socket_stat = stub_check_socket_stat,
 	.mpo_check_socket_visible = stub_check_socket_visible,
-	.mpo_check_sysarch_ioperm = stub_check_sysarch_ioperm,
 	.mpo_check_system_acct = stub_check_system_acct,
 	.mpo_check_system_audit = stub_check_system_audit,
 	.mpo_check_system_auditctl = stub_check_system_auditctl,
 	.mpo_check_system_auditon = stub_check_system_auditon,
-	.mpo_check_system_nfsd = stub_check_system_nfsd,
 	.mpo_check_system_reboot = stub_check_system_reboot,
-	.mpo_check_system_settime = stub_check_system_settime,
 	.mpo_check_system_swapoff = stub_check_system_swapoff,
 	.mpo_check_system_swapon = stub_check_system_swapon,
 	.mpo_check_system_sysctl = stub_check_system_sysctl,
-- 
cgit v1.1