PERFORCE change 36686 for review
Andrew Reisse
areisse at FreeBSD.org
Fri Aug 22 17:51:59 GMT 2003
http://perforce.freebsd.org/chv.cgi?CH=36686
Change 36686 by areisse at areisse_tislabs on 2003/08/22 10:51:44
Removed mpo_check_system checks from sebsd that are covered by capabilities.
Affected files ...
.. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/sebsd.c#17 edit
Differences ...
==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/sebsd.c#17 (text+ko) ====
@@ -1632,21 +1632,7 @@
return vnode_has_perm(cred, vp, FILE__GETATTR, NULL);
}
-static int
-sebsd_check_sysarch_ioperm(struct ucred *cred)
-{
-
- return(cred_has_capability(cred, CAPABILITY__SYS_RAWIO));
-}
-static int
-sebsd_check_system_acct(struct ucred *cred, struct vnode *vp,
- struct label *vlabel)
-{
-
- return(cred_has_capability(cred, CAPABILITY__SYS_PACCT));
-}
-
/*
* TBD: LSM/SELinux doesn't have a nfsd hook
*/
@@ -1659,20 +1645,6 @@
static int
-sebsd_check_system_reboot(struct ucred *cred, int howto)
-{
-
- return(cred_has_capability(cred, CAPABILITY__SYS_BOOT));
-}
-
-static int
-sebsd_check_system_settime(struct ucred *cred)
-{
-
- return(cred_has_capability(cred, CAPABILITY__SYS_TIME));
-}
-
-static int
sebsd_check_system_swapon(struct ucred *cred, struct vnode *vp,
struct label *vnodelabel)
{
@@ -1796,46 +1768,7 @@
*(struct vnode_security_struct *)SLOT(src);
}
-/*
- * Check for permission to load KLDs, given by the overly-broad
- * capability:sys_module.
- */
-static int
-sebsd_check_kld_load(struct ucred *cred, struct vnode *vp,
- struct label *vlabel)
-{
-
- /*
- * The vnode doesn't need to be checked here, since the read
- * operations inside the kldload(2) implementation are
- * individually checked against the same thread credentials.
- */
- return (cred_has_capability(cred, CAPABILITY__SYS_MODULE));
-}
-
-/*
- * Check for permission to query KLDs, given by the overly-broad
- * capability:sys_module.
- */
static int
-sebsd_check_kld_stat(struct ucred *cred)
-{
-
- return (cred_has_capability(cred, CAPABILITY__SYS_MODULE));
-}
-
-/*
- * Check for permission to unload KLDs, given by the overly-broad
- * capability:sys_module.
- */
-static int
-sebsd_check_kld_unload(struct ucred *cred)
-{
-
- return (cred_has_capability(cred, CAPABILITY__SYS_MODULE));
-}
-
-static int
sebsd_check_file_create(struct ucred *cred)
{
struct task_security_struct *tsec;
@@ -2032,9 +1965,6 @@
.mpo_check_file_change_flags = sebsd_check_file_change_flags,
.mpo_check_file_change_ofileflags = sebsd_check_file_change_ofileflags,
.mpo_check_file_change_offset = sebsd_check_file_change_offset,
- .mpo_check_kld_stat = sebsd_check_kld_stat,
- .mpo_check_kld_load = sebsd_check_kld_load,
- .mpo_check_kld_unload = sebsd_check_kld_unload,
.mpo_check_mount_stat = sebsd_check_mount_stat,
.mpo_check_pipe_ioctl = sebsd_check_pipe_ioctl,
@@ -2047,11 +1977,7 @@
.mpo_check_proc_debug = sebsd_check_proc_debug,
.mpo_check_proc_sched = sebsd_check_proc_sched,
.mpo_check_proc_signal = sebsd_check_proc_signal,
- .mpo_check_sysarch_ioperm = sebsd_check_sysarch_ioperm,
- .mpo_check_system_acct = sebsd_check_system_acct,
.mpo_check_system_nfsd = sebsd_check_system_nfsd,
- .mpo_check_system_reboot = sebsd_check_system_reboot,
- .mpo_check_system_settime = sebsd_check_system_settime,
.mpo_check_system_swapon = sebsd_check_system_swapon,
.mpo_check_system_swapoff = sebsd_check_system_swapoff,
.mpo_check_system_sysctl = sebsd_check_system_sysctl,
To Unsubscribe: send mail to majordomo at trustedbsd.org
with "unsubscribe trustedbsd-cvs" in the body of the message
More information about the trustedbsd-cvs
mailing list