PERFORCE change 20238 for review
Robert Watson
rwatson at freebsd.org
Sun Oct 27 07:30:23 GMT 2002
http://perforce.freebsd.org/chv.cgi?CH=20238
Change 20238 by rwatson at rwatson_tislabs on 2002/10/27 00:29:22
Enforce protection of acct() system call using
mac_check_system_acct() -- a non-NULL vp is passed if this
is an enable operation, in which case policies can inspect/...
the vnode and label; NULL is passed to disable accounting.
Affected files ...
.. //depot/projects/trustedbsd/mac/sys/kern/kern_acct.c#13 edit
.. //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#335 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac.h#198 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#153 edit
Differences ...
==== //depot/projects/trustedbsd/mac/sys/kern/kern_acct.c#13 (text+ko) ====
@@ -40,12 +40,15 @@
* $FreeBSD: src/sys/kern/kern_acct.c,v 1.52 2002/10/05 20:05:23 rwatson Exp $
*/
+#include "opt_mac.h"
+
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/lock.h>
#include <sys/mutex.h>
#include <sys/sysproto.h>
#include <sys/proc.h>
+#include <sys/mac.h>
#include <sys/mount.h>
#include <sys/vnode.h>
#include <sys/fcntl.h>
@@ -144,13 +147,31 @@
if (error)
goto done2;
NDFREE(&nd, NDF_ONLY_PNBUF);
+#ifdef MAC
+ error = mac_check_system_acct(td->td_ucred, nd.ni_vp);
+ if (error) {
+ vn_close(nd.ni_vp, flags, td->td_ucred, td);
+ goto done2;
+ }
+#endif
+
VOP_UNLOCK(nd.ni_vp, 0, td);
if (nd.ni_vp->v_type != VREG) {
vn_close(nd.ni_vp, flags, td->td_ucred, td);
error = EACCES;
goto done2;
}
+#ifdef MAC
+ } else {
+ error = mac_check_system_acct(td->td_ucred, NULL);
+ if (error) {
+ mtx_unlock(&Giant);
+ return (error);
+ }
}
+#else
+ }
+#endif
/*
* If accounting was previously enabled, kill the old space-watcher,
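Review bot: The new MAC failure branch calls `vn_close()` while `nd.ni_vp` is still locked, whereas the existing non-VREG failure path a few lines below closes only after `VOP_UNLOCK()`. vn_close's locking contract is not visible in this hunk, but if it expects an unlocked vnode, as the neighbouring path suggests, a policy denial would leave the vnode lock held. Adding `VOP_UNLOCK(nd.ni_vp, 0, td);` before the `vn_close()` in the `if (error)` block would make the two paths agree. The disable branch also returns directly after `mtx_unlock(&Giant)` rather than using `goto done2` like the other error exits, which is worth aligning if `done2` performs the same unlock. The enclosing function starts and ends outside the hunk.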
==== //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#335 (text+ko) ====
@@ -143,20 +143,15 @@
&mac_enforce_process, 0, "Enforce MAC policy on inter-process operations");
TUNABLE_INT("security.mac.enforce_process", &mac_enforce_process);
-static int mac_enforce_reboot = 1;
-SYSCTL_INT(_security_mac, OID_AUTO, enforce_reboot, CTLFLAG_RW,
- &mac_enforce_reboot, 0, "Enforce MAC policy for reboot operations");
-TUNABLE_INT("security.mac.enforce_reboot", &mac_enforce_reboot);
-
static int mac_enforce_socket = 1;
SYSCTL_INT(_security_mac, OID_AUTO, enforce_socket, CTLFLAG_RW,
&mac_enforce_socket, 0, "Enforce MAC policy on socket operations");
TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket);
-static int mac_enforce_sysctl = 1;
-SYSCTL_INT(_security_mac, OID_AUTO, enforce_sysctl, CTLFLAG_RW,
- &mac_enforce_sysctl, 0, "Enforce MAC policy on sysctl operations");
-TUNABLE_INT("security.mac.enforce_sysctl", &mac_enforce_sysctl);
+static int mac_enforce_system = 1;
+SYSCTL_INT(_security_mac, OID_AUTO, enforce_system, CTLFLAG_RW,
+ &mac_enforce_system, 0, "Enforce MAC policy on system operations");
+TUNABLE_INT("security.mac.enforce_system", &mac_enforce_system);
static int mac_enforce_vm = 1;
SYSCTL_INT(_security_mac, OID_AUTO, enforce_vm, CTLFLAG_RW,
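Review bot: `mac_enforce_system` now gates four separate checks (acct, reboot, swapon and sysctl), but neither the sysctl description nor the change description says so. The later hunks in this file switch `mac_check_system_reboot`, `mac_check_system_swapon` (previously under `mac_enforce_fs`) and `mac_check_system_sysctl` over to it, so writing 0 to this one `CTLFLAG_RW` knob turns off all of them together. The old `security.mac.enforce_reboot` and `security.mac.enforce_sysctl` names are removed, so existing tunable settings for them presumably stop having any effect. I would add a comment above the declaration such as `/* Gates the acct, reboot, swapon and sysctl checks; replaces enforce_reboot and enforce_sysctl. */` and mention the consolidation in the change description.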
@@ -920,6 +915,10 @@
mpc->mpc_ops->mpo_check_socket_visible =
mpe->mpe_function;
break;
+ case MAC_CHECK_SYSTEM_ACCT:
+ mpc->mpc_ops->mpo_check_system_acct =
+ mpe->mpe_function;
+ break;
case MAC_CHECK_SYSTEM_REBOOT:
mpc->mpc_ops->mpo_check_system_reboot =
mpe->mpe_function;
@@ -3059,11 +3058,29 @@
}
int
+mac_check_system_acct(struct ucred *cred, struct vnode *vp)
+{
+ int error;
+
+ if (vp != NULL) {
+ ASSERT_VOP_LOCKED(vp, "mac_check_system_acct");
+ }
+
+ if (!mac_enforce_system)
+ return (0);
+
+ MAC_CHECK(check_system_acct, cred, vp,
+ vp != NULL ? &vp->v_label : NULL);
+
+ return (error);
+}
+
+int
mac_check_system_reboot(struct ucred *cred, int howto)
{
int error;
- if (!mac_enforce_reboot)
+ if (!mac_enforce_system)
return (0);
MAC_CHECK(check_system_reboot, cred, howto);
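Review bot: `mac_check_system_acct()` has a two-mode contract that is stated only in the change description, not in the code. A non-NULL `vp` means accounting is being enabled on a locked vnode; a NULL `vp` means it is being disabled, and the policy entry point then receives a NULL label as well. Policy authors implementing `mpo_check_system_acct` need to know they must not dereference `vlabel` in the disable case. A header comment such as `/* vp != NULL: enable accounting to vp (locked); vp == NULL: disable, and vlabel is NULL too. */` above the function would record this. The `mac_check_system_reboot` body that follows continues outside the hunk.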
@@ -3078,7 +3095,7 @@
ASSERT_VOP_LOCKED(vp, "mac_check_system_swapon");
- if (!mac_enforce_fs)
+ if (!mac_enforce_system)
return (0);
MAC_CHECK(check_system_swapon, cred, vp, &vp->v_label);
@@ -3095,7 +3112,7 @@
* XXXMAC: We're very much like to assert the SYSCTL_LOCK here,
* but since it's not exported from kern_sysctl.c, we can't.
*/
- if (!mac_enforce_sysctl)
+ if (!mac_enforce_system)
return (0);
MAC_CHECK(check_system_sysctl, cred, name, namelen, old, oldlenp,
==== //depot/projects/trustedbsd/mac/sys/sys/mac.h#198 (text+ko) ====
@@ -307,6 +307,7 @@
int mac_check_socket_receive(struct ucred *cred, struct socket *so);
int mac_check_socket_send(struct ucred *cred, struct socket *so);
int mac_check_socket_visible(struct ucred *cred, struct socket *so);
+int mac_check_system_acct(struct ucred *cred, struct vnode *vp);
int mac_check_system_reboot(struct ucred *cred, int howto);
int mac_check_system_swapon(struct ucred *cred, struct vnode *vp);
int mac_check_system_sysctl(struct ucred *cred, int *name,
==== //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#153 (text+ko) ====
@@ -316,6 +316,8 @@
struct socket *so, struct label *socketlabel);
int (*mpo_check_socket_visible)(struct ucred *cred,
struct socket *so, struct label *socketlabel);
+ int (*mpo_check_system_acct)(struct ucred *cred,
+ struct vnode *vp, struct label *vlabel);
int (*mpo_check_system_reboot)(struct ucred *cred, int howto);
int (*mpo_check_system_swapon)(struct ucred *cred,
struct vnode *vp, struct label *label);
@@ -514,6 +516,7 @@
MAC_CHECK_SOCKET_RELABEL,
MAC_CHECK_SOCKET_SEND,
MAC_CHECK_SOCKET_VISIBLE,
+ MAC_CHECK_SYSTEM_ACCT,
MAC_CHECK_SYSTEM_REBOOT,
MAC_CHECK_SYSTEM_SWAPON,
MAC_CHECK_SYSTEM_SYSCTL,