PERFORCE change 23060 for review
Chris Vance
cvance at freebsd.org
Thu Jan 2 20:29:00 GMT 2003
http://perforce.freebsd.org/chv.cgi?CH=23060
Change 23060 by cvance at cvance_laptop on 2003/01/02 12:28:25
Allow SEBSD to be pushed into enforcing mode via a sysctl.
We'll leave the system call intact for now as well. This should
permit the very special pain of booting in enforcing mode.
Affected files ...
.. //depot/projects/trustedbsd/mac/sys/security/sebsd/avc/avc.c#12 edit
.. //depot/projects/trustedbsd/mac/sys/security/sebsd/avc/avc.h#10 edit
.. //depot/projects/trustedbsd/mac/sys/security/sebsd/sebsd_sysctl.c#7 edit
Differences ...
==== //depot/projects/trustedbsd/mac/sys/security/sebsd/avc/avc.c#12 (text+ko) ====
@@ -875,7 +875,23 @@
return 0;
}
+int
+sys_avc_set_enforcing(struct thread *td, int enforcing)
+{
+ int error;
+
+ error = thread_has_system(td, SYSTEM__AVC_TOGGLE);
+ if (error)
+ return (error);
+ if (enforcing && avc_debug_always_allow) {
+ avc_ss_reset(avc_cache.latest_notif);
+ if (!ss_initialized && security_init() != 0)
+ panic("SELinux: Could not initialize\n");
+ }
+ avc_debug_always_allow = !enforcing;
+ return (0);
+}
#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
/*
* TBD: should have build-time non development mode that does not permit
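Review bot: sys_avc_set_enforcing changes the AVC mode silently; a transition into or out of enforcing mode is exactly the event an operator or audit trail needs to see, and nothing in the new function records it (the existing sys_avc_toggle path is not visible here, so it may log elsewhere). After the thread_has_system() check succeeds and before the flag is written I would emit a kernel message with whatever facility this file already uses, e.g. `printf("SEBSD: avc switching to %s mode\n", enforcing ? "enforcing" : "permissive");`, ideally including the calling pid. The function also needs a header comment stating that SYSTEM__AVC_TOGGLE is the only gate for both directions and that any nonzero `enforcing` is normalized via `!enforcing`. Note that avc_ss_reset()/security_init() run before avc_debug_always_allow is flipped, so a concurrent reader of that flag still sees permissive mode during that window; say in the comment whether that ordering is intentional.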
==== //depot/projects/trustedbsd/mac/sys/security/sebsd/avc/avc.h#10 (text+ko) ====
@@ -344,6 +344,7 @@
#ifdef _KERNEL
extern int sys_avc_toggle(struct thread *td);
extern int sys_avc_enforcing(struct thread *td);
+extern int sys_avc_set_enforcing(struct thread *td, int enforcing);
#endif
#endif /* _LINUX_AVC_H_ */
==== //depot/projects/trustedbsd/mac/sys/security/sebsd/sebsd_sysctl.c#7 (text+ko) ====
@@ -47,6 +47,8 @@
#include <security/sebsd/ss/security.h>
#include <security/sebsd/ss/sidtab.h>
+#include <security/sebsd/avc/avc.h>
+
/*
* Sysctl handler for security.mac.sebsd.sids
* Lists the SIDs currently active in the security server
@@ -93,7 +95,6 @@
return (error);
}
-#if 0
/*
* Sysctl handler for security.mac.sebsd.enforcing
* Get and/or set whether the avc is in enforcement mode.
@@ -103,30 +104,21 @@
{
int error, enforcing;
- if (req->oldptr != NULL) {
- /* XXX Always allow the users to find out? */
- enforcing = !avc_debug_always_allow;
- error = SYSCTL_OUT(req, &enforcing, sizeof(enforcing));
- if (error)
- return (error);
- }
+ /* TBD: XXX Always allow the users to find out? */
+ enforcing = !avc_debug_always_allow;
+ error = SYSCTL_OUT(req, &enforcing, sizeof(enforcing));
+ if (error)
+ return (error);
+
if (req->newptr != NULL) {
- error = thread_has_system(curthread, SYSTEM__AVC_TOGGLE);
- if (error)
- return (error);
error = SYSCTL_IN(req, &enforcing, sizeof(enforcing));
if (error)
return (error);
- if (enforcing && avc_debug_always_allow) {
- avc_ss_reset(avc_cache.latest_notif);
- if (!ss_initialized && security_init() != 0)
- panic("SELinux: Could not initialize\n");
- }
- avc_debug_always_allow = !enforcing;
+ return(sys_avc_set_enforcing(curthread, enforcing));
}
+
return (0);
}
-#endif
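Review bot: The privilege check has moved from before SYSCTL_IN into sys_avc_set_enforcing, so the user-supplied value is now copied in before the caller is known to hold SYSTEM__AVC_TOGGLE; harmless for a single int, but the `TBD: XXX Always allow the users to find out?` on the read path is now the effective decision, because the node is registered CTLFLAG_RW without CTLFLAG_ANYBODY and the sysctl layer therefore restricts only writes. I would replace the TBD with the chosen policy, e.g. `/* Enforcing state is readable by anyone; writes require SYSTEM__AVC_TOGGLE, checked in sys_avc_set_enforcing(). */`, or gate the SYSCTL_OUT with a privilege check if disclosure is not wanted. `return(sys_avc_set_enforcing(curthread, enforcing));` also departs from the file's `return (error);` spacing. The sysctl_sebsd_enforcing signature begins outside this hunk.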
/*
* Sysctl handler for security.mac.sebsd.user_sids
@@ -257,8 +249,5 @@
SYSCTL_PROC(_security_mac_sebsd, OID_AUTO, change_sid, CTLTYPE_STRING |
CTLFLAG_RW | CTLFLAG_ANYBODY, NULL, 0, sysctl_change_sid, "A",
"SEBSD (tty) SID relabel to perform along with transition");
-
-#if 0
SYSCTL_PROC(_security_mac_sebsd, OID_AUTO, enforcing, CTLTYPE_INT | CTLFLAG_RW,
- 0, 0, sysctl_sebsd_enforcing, "I", "SEBSD avc enforcement");
-#endif
+ NULL, 0, sysctl_sebsd_enforcing, "I", "SEBSD avc enforcement");
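Review bot: The enforcing knob is registered as `CTLTYPE_INT | CTLFLAG_RW` with no CTLFLAG_SECURE, so the SYSTEM__AVC_TOGGLE check inside the handler is the only thing stopping a privileged process from dropping a running system back to permissive mode at any securelevel. If this tree's sysctl(9) honors CTLFLAG_SECURE as FreeBSD's does (writable only while securelevel <= 0), adding it — `CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_SECURE,` — would close the enforcing-to-permissive path once securelevel has been raised while still permitting the boot-time switch into enforcing mode the commit message describes. Confirm the boot sequence sets enforcing before securelevel is raised so the flag does not break the intended use.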