PERFORCE change 19968 for review
Robert Watson
rwatson at freebsd.org
Wed Oct 23 15:39:32 GMT 2002
http://perforce.freebsd.org/chv.cgi?CH=19968
Change 19968 by rwatson at rwatson_tislabs on 2002/10/23 08:39:25
Integ mac_biba sysctl change into mac_lomac.
Affected files ...
.. //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.c#14 integrate
Differences ...
==== //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.c#14 (text+ko) ====
@@ -305,6 +305,14 @@
}
static int
+mac_lomac_privileged(struct mac_lomac *mac_lomac)
+{
+
+ /* Equate the notion of "equal" with privilege. */
+ return (mac_lomac_subject_equal_ok(mac_lomac));
+}
+
+static int
mac_lomac_valid(struct mac_lomac *mac_lomac)
{
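Review bot: The return convention of `mac_lomac_privileged()` is not stated, yet the new caller in `mac_lomac_check_sysctl()` (second hunk) treats it as a boolean: `if (!mac_lomac_privileged(subj)) return (EPERM);`. The helper passes through the result of `mac_lomac_subject_equal_ok()`, whose body is not part of this diff; if that function uses the errno convention (0 when the label is acceptable, an error code otherwise), the negation would refuse sysctl writes to exactly the privileged subjects and permit them for everyone else. Either make the helper a true predicate with `return (mac_lomac_subject_equal_ok(mac_lomac) == 0);` and a comment such as `/* Returns non-zero if the subject holds LOMAC privilege. */`, or keep the errno style and have the caller do `error = mac_lomac_privileged(subj); if (error) return (error);`. This should be confirmed against the definition of `mac_lomac_subject_equal_ok()` before relying on the check.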
@@ -1763,6 +1771,29 @@
}
static int
+mac_lomac_check_sysctl(struct ucred *cred, int *name, u_int namelen,
+ void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen)
+{
+ struct mac_lomac *subj;
+
+ if (!mac_lomac_enabled)
+ return (0);
+
+ subj = SLOT(&cred->cr_label);
+
+ /*
+ * Permit sysctl modification only if Biba-privileged; permit
+ * read by any process.
+ */
+ if (new != NULL) {
+ if (!mac_lomac_privileged(subj))
+ return (EPERM);
+ }
+
+ return (0);
+}
+
+static int
mac_lomac_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
struct label *dlabel)
{
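Review bot: The comment above the write check in `mac_lomac_check_sysctl()` still says "Biba-privileged", apparently carried over from mac_biba; in this file it should name the policy being enforced, e.g. `Permit sysctl modification only if LOMAC-privileged; permit read by any process.` The function also leaves `name`, `namelen`, `old`, `oldlenp`, `inkernel` and `newlen` unused, so every OID gets the same treatment and a write is recognised solely by `new != NULL`. If that uniform policy is intended, one more sentence in the comment saying so would keep a later reader from assuming per-OID or in-kernel exemptions exist. The body of `mac_lomac_check_vnode_chdir()` that follows lies outside the hunk.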
@@ -2559,6 +2590,8 @@
(macop_t)mac_lomac_check_socket_relabel },
{ MAC_CHECK_SOCKET_VISIBLE,
(macop_t)mac_lomac_check_socket_visible },
+ { MAC_CHECK_SYSCTL,
+ (macop_t)mac_lomac_check_sysctl },
{ MAC_CHECK_VNODE_ACCESS,
(macop_t)mac_lomac_check_vnode_open },
{ MAC_CHECK_VNODE_CHDIR,