PERFORCE change 20477 for review

Robert Watson rwatson at freebsd.org
Thu Oct 31 16:01:54 GMT 2002


http://perforce.freebsd.org/chv.cgi?CH=20477

Change 20477 by rwatson at rwatson_tislabs on 2002/10/31 08:01:18

	Add mac_check_system_settime(), a MAC Framework entry point
	to authorize modification of the system time.  Right now,
	we just pass a credential; in the future, potentially it
	could be desirable to pass other stuff (such as the requested
	time change), but that introduces locking and structure
	complexity I'm not sure we want to deal with just now.

Affected files ...

.. //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#345 edit
.. //depot/projects/trustedbsd/mac/sys/kern/kern_time.c#9 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac.h#206 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#162 edit

Differences ...

==== //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#345 (text+ko) ====

@@ -2547,6 +2547,19 @@
 }
 
 int
+mac_check_system_settime(struct ucred *cred)
+{
+	int error;
+
+	if (!mac_enforce_system)
+		return (0);
+
+	MAC_CHECK(check_system_settime, cred);
+
+	return (error);
+}
+
+int
 mac_check_system_swapon(struct ucred *cred, struct vnode *vp)
 {
 	int error;
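Review bot: mac_check_system_settime() returns `error` without assigning it in any visible statement, so it is only correct if MAC_CHECK stores its result in a local named `error`; that macro is defined outside this hunk. A short header comment would make the contract explicit, for example `/* Authorize setting the system time; policies see only the subject credential. */`, plus a line saying that 0 is returned when mac_enforce_system is off. The same comment is a good place to record that the requested time value is deliberately not passed to policies, as the change description explains. The trailing context belongs to mac_check_system_swapon(), whose body continues outside the hunk.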

==== //depot/projects/trustedbsd/mac/sys/kern/kern_time.c#9 (text+ko) ====

@@ -34,6 +34,8 @@
  * $FreeBSD: src/sys/kern/kern_time.c,v 1.85 2002/09/25 12:00:38 bde Exp $
  */
 
+#include "opt_mac.h"
+
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/lock.h>
@@ -42,6 +44,7 @@
 #include <sys/resourcevar.h>
 #include <sys/signalvar.h>
 #include <sys/kernel.h>
+#include <sys/mac.h>
 #include <sys/systm.h>
 #include <sys/sysent.h>
 #include <sys/proc.h>
@@ -182,6 +185,11 @@
 	struct timespec ats;
 	int error;
 
+#ifdef MAC
+	error = mac_check_system_settime(td->td_ucred);
+	if (error)
+		return (error);
+#endif
 	if ((error = suser(td)) != 0)
 		return (error);
 	if (SCARG(uap, clock_id) != CLOCK_REALTIME)
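Review bot: The new check is wired into only two call sites in kern_time.c, this one and the one in the `@@ -351,6 +359,11 @@` hunk, so any other path that changes the clock stays outside MAC mediation. If interfaces such as adjtime() or ntp_adjtime() are meant to fall under the same policy decision, they need the same `error = mac_check_system_settime(td->td_ucred);` guard; otherwise the entry point's documentation should say which interfaces it covers. Both checks also run before suser(), so when a policy denies the request an unprivileged caller receives the policy's error rather than the suser() result; a one-line comment such as `/* MAC check intentionally precedes the privilege check. */` would mark that ordering as deliberate. Both enclosing functions start and end outside their hunks.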
@@ -351,6 +359,11 @@
 	struct timezone atz;
 	int error = 0;
 
+#ifdef MAC
+	error = mac_check_system_settime(td->td_ucred);
+	if (error)
+		return (error);
+#endif
 	if ((error = suser(td)))
 		return (error);
 	/* Verify all parameters before changing time. */

==== //depot/projects/trustedbsd/mac/sys/sys/mac.h#206 (text+ko) ====

@@ -266,6 +266,7 @@
 int	mac_check_socket_visible(struct ucred *cred, struct socket *so);
 int	mac_check_system_acct(struct ucred *cred, struct vnode *vp);
 int	mac_check_system_reboot(struct ucred *cred, int howto);
+int	mac_check_system_settime(struct ucred *cred);
 int	mac_check_system_swapon(struct ucred *cred, struct vnode *vp);
 int	mac_check_system_sysctl(struct ucred *cred, int *name,
 	    u_int namelen, void *old, size_t *oldlenp, int inkernel,

==== //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#162 (text+ko) ====

@@ -324,6 +324,7 @@
 	int	(*mpo_check_system_acct)(struct ucred *cred,
 		    struct vnode *vp, struct label *vlabel);
 	int	(*mpo_check_system_reboot)(struct ucred *cred, int howto);
+	int	(*mpo_check_system_settime)(struct ucred *cred);
 	int	(*mpo_check_system_swapon)(struct ucred *cred,
 		    struct vnode *vp, struct label *label);
 	int	(*mpo_check_system_sysctl)(struct ucred *cred, int *name,
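Review bot: `mpo_check_system_settime` is inserted in the middle of the list of operation pointers, which shifts every later member by one slot. The enclosing declaration starts outside the hunk, but if it is the structure that policy modules fill in, a module built against the previous header would have its later entry points dispatched through the wrong slots, which for an access-control framework means the wrong check answering a request. Modules built against the old layout should be rejected or rebuilt: consider bumping whatever policy ABI version the framework verifies at registration, if one exists. A comment near the member list such as `/* Adding or reordering members changes the policy module ABI. */` would also help.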