PERFORCE change 24293 for review
Brian Feldman
green at freebsd.org
Mon Jan 27 20:25:03 GMT 2003
http://perforce.freebsd.org/chv.cgi?CH=24293
Change 24293 by green at green_laptop_2 on 2003/01/27 12:24:09
Implement the missing self:fd {create} permission check in SEBSD.
Affected files ...
.. //depot/projects/trustedbsd/sebsd/sys/kern/kern_descrip.c#3 edit
.. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/sebsd.c#3 edit
Differences ...
==== //depot/projects/trustedbsd/sebsd/sys/kern/kern_descrip.c#3 (text+ko) ====
@@ -1218,6 +1218,11 @@
register struct file *fp, *fq;
int error, i;
+#ifdef MAC
+ error = mac_check_file_create(td->td_ucred);
+ if (error)
+ return (error);
+#endif
fp = uma_zalloc(file_zone, M_WAITOK | M_ZERO);
sx_xlock(&filelist_lock);
if (nfiles >= maxfiles) {
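Review bot: The new check gates only the allocation of a fresh struct file, so descriptor-creating paths that reuse an existing file (dup/dup2, fcntl F_DUPFD — presumably handled outside falloc, not visible here) remain governed by the "use" hooks alone; a comment would spare the next reader that inference: `/* MAC self:fd {create}: checked before uma_zalloc() so a denial leaks nothing. */`. Placing the hook ahead of the allocation and keying it on td->td_ucred are both right. Callers of falloc now see the MAC hook's error (EACCES under SEBSD, presumably) in addition to the existing table-full errors, which any caller mapping falloc's return should tolerate. falloc's body starts and ends outside this hunk.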
==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/sebsd.c#3 (text+ko) ====
@@ -1558,10 +1558,20 @@
CAPABILITY__SYS_MODULE, NULL));
}
+static int
+sebsd_check_file_create(struct ucred *cred)
+{
+ struct task_security_struct *tsec;
+
+ tsec = SLOT(&cred->cr_label);
+ return (avc_has_perm_audit(tsec->sid, tsec->sid, SECCLASS_FD,
+ FD__CREATE, NULL));
+}
+
/*
- * Simplify all fd permissions to just "use" for now. The ones we implement
- * in SEBSD roughly correlate to the SELinux FD__USE permissions, and not
- * the fine-grained FLASK permissions.
+ * Simplify all other fd permissions to just "use" for now. The ones we
+ * implement in SEBSD roughly correlate to the SELinux FD__USE permissions,
+ * and not the fine-grained FLASK permissions.
*/
static int
sebsd_check_file_get_flags(struct ucred *cred, struct file *fp,
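Review bot: sebsd_check_file_create has no comment explaining why the same SID is passed as both source and target, which is the one thing that sets it apart from the other fd hooks; suggest above the function: `/* self:fd {create}: the creating process's SID is both source and target, as in SELinux. */`. The body otherwise mirrors the neighbouring hooks (SLOT(&cred->cr_label), then avc_has_perm_audit with a NULL auditdata), but whether SLOT can yield NULL for an unlabeled cred is not visible here, so if other hooks in this file guard that case this one should too. The rewording of the comment at the bottom of the hunk from "all" to "all other" is correct. sebsd_check_file_get_flags continues past the hunk.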
@@ -1686,6 +1696,7 @@
/* Check Labels */
.mpo_check_cred_relabel = sebsd_check_cred_relabel,
+ .mpo_check_file_create = sebsd_check_file_create,
.mpo_check_file_get_flags = sebsd_check_file_get_flags,
.mpo_check_file_get_ofileflags = sebsd_check_file_get_ofileflags,
.mpo_check_file_get_offset = sebsd_check_file_get_offset,