PERFORCE change 19553 for review
Chris Vance
cvance at freebsd.org
Fri Oct 18 17:19:29 GMT 2002
http://perforce.freebsd.org/chv.cgi?CH=19553
Change 19553 by cvance at cvance_laptop on 2002/10/18 10:18:55
Add audit data for avc calls in sebsd_check_vnode_exec
Comment out currently unused thread_has_perm helper function
Affected files ...
.. //depot/projects/trustedbsd/mac/sys/security/sebsd/sebsd.c#45 edit
Differences ...
==== //depot/projects/trustedbsd/mac/sys/security/sebsd/sebsd.c#45 (text+ko) ====
@@ -93,11 +93,13 @@
perm, &target->avcr);
}
+#if 0
static int
thread_has_perm(struct thread *td, struct proc *proc, access_vector_t perm)
{
return (cred_has_perm(td->td_proc->p_ucred, proc, perm));
}
+#endif
static int
cred_has_system(struct ucred *cred, access_vector_t perm)
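Review bot: Wrapping thread_has_perm in `#if 0` keeps dead code in the file with no note on why it is retained, so it will silently drift out of sync with cred_has_perm's signature without any compiler feedback. Since the commit message already calls it unused, deleting it is the cleaner option (Perforce history keeps it); if it is being kept for planned callers, say so on the guard, e.g. `#if 0	/* XXX unused for now; re-enable when per-thread checks need it */`. The blank context lines of this hunk appear to have been stripped by the list rendering, so the exact placement relative to cred_has_system should be checked against the file.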
@@ -706,6 +708,7 @@
struct task_security_struct *task;
struct vnode_security_struct *file;
security_id_t newsid;
+ avc_audit_data_t ad;
int rc;
task = SLOT(&cred->cr_label);
@@ -720,20 +723,27 @@
SLOT(imgp->execlabel))->sid;
}
+ AVC_AUDIT_DATA_INIT(&ad, FS);
+ ad.u.fs.vp = vp;
+
if (newsid == task->sid) {
- rc = avc_has_perm(task->sid, file->sid,
- SECCLASS_FILE, FILE__EXECUTE_NO_TRANS);
+ rc = avc_has_perm_audit(task->sid, file->sid, SECCLASS_FILE,
+ FILE__EXECUTE_NO_TRANS, &ad);
+
if (rc)
return EACCES;
+
} else {
/* Check permissions for the transition. */
- rc = avc_has_perm(task->sid, newsid, SECCLASS_PROCESS,
- PROCESS__TRANSITION);
+ rc = avc_has_perm_audit(task->sid, newsid, SECCLASS_PROCESS,
+ PROCESS__TRANSITION, &ad);
+
if (rc)
return EACCES;
- rc = avc_has_perm(newsid, file->sid,
- SECCLASS_FILE, FILE__ENTRYPOINT);
+ rc = avc_has_perm_audit(newsid, file->sid, SECCLASS_FILE,
+ FILE__ENTRYPOINT, &ad);
+
if (rc)
return EACCES;
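Review bot: The new `ad` record is set up and reused for three AVC checks but nothing says what it is for, and the same FS-typed record is passed to the PROCESS__TRANSITION check even though that check is on a pair of process SIDs; presumably that is intentional so a transition denial names the executable, but a comment above the init would settle it: `/* Audit data names the vnode being executed; reused for the transition checks so a denial identifies the executable. */`. The added blank lines after each `rc = avc_has_perm_audit(...)` call and especially the one before `} else {` separate each call from the `if (rc)` that checks it and break the surrounding K&R layout; dropping them would keep the hunk consistent with the old code. The enclosing function (sebsd_check_vnode_exec, per the commit message) begins before this hunk and its tail is not shown, so whether `vp` is always non-NULL at the point of `ad.u.fs.vp = vp;` cannot be confirmed from here.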