PERFORCE change 20378 for review
Robert Watson
rwatson at freebsd.org
Tue Oct 29 22:01:54 GMT 2002
http://perforce.freebsd.org/chv.cgi?CH=20378
Change 20378 by rwatson at rwatson_tislabs on 2002/10/29 14:01:12
Teach Biba about acct() -- note that if the target label is
NULL (i.e., we're turning off accounting), we require only
privilege; if it's non-NULL, then we require privilege and
that the target file be high integrity.
Affected files ...
.. //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#167 edit
Differences ...
==== //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#167 (text+ko) ====
@@ -1873,6 +1873,29 @@
}
static int
+mac_biba_check_system_acct(struct ucred *cred, struct vnode *vp,
+ struct label *label)
+{
+ struct mac_biba *subj, *obj;
+
+ if (!mac_biba_enabled)
+ return (0);
+
+ subj = SLOT(&cred->cr_label);
+
+ if (!mac_biba_subject_privileged(subj))
+ return (EPERM);
+
+ if (label == NULL)
+ return (0);
+
+ obj = SLOT(label);
+ if (!mac_biba_high_single(obj))
+ return (EACCES);
+
+ return (0);
+}
+static int
mac_biba_check_system_swapon(struct ucred *cred, struct vnode *vp,
struct label *label)
{
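Review bot: The `if (label == NULL) return (0);` branch in mac_biba_check_system_acct has no comment, and its meaning (accounting is being turned off, so only privilege is required) is recorded only in the change description. An early success return in an access-control check is what a later auditor will question first, so I would add `/* NULL label: accounting is being disabled, so Biba privilege alone is sufficient. */` above that branch, and a line above the mac_biba_high_single() test saying the accounting file must be high integrity. The function also relies on the caller passing a NULL label exactly when no accounting file is supplied, since `vp` itself is never examined; that contract is worth stating in a header comment on the function. The new function is complete within the hunk, while the mac_biba_check_system_swapon definition that follows continues outside it.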
@@ -2708,6 +2731,8 @@
(macop_t)mac_biba_check_socket_relabel },
{ MAC_CHECK_SOCKET_VISIBLE,
(macop_t)mac_biba_check_socket_visible },
+ { MAC_CHECK_SYSTEM_ACCT,
+ (macop_t)mac_biba_check_system_acct },
{ MAC_CHECK_SYSTEM_SWAPON,
(macop_t)mac_biba_check_system_swapon },
{ MAC_CHECK_SYSTEM_SYSCTL,