PERFORCE change 40045 for review
Robert Watson
rwatson at FreeBSD.org
Mon Oct 20 23:46:37 GMT 2003
http://perforce.freebsd.org/chv.cgi?CH=40045
Change 40045 by rwatson at rwatson_tislabs on 2003/10/20 16:46:01
Trim the system and kld MAC entry-point checks from kern_mac.c, since they now
live in mac_system.c.
Affected files ...
.. //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#414 edit
Differences ...
==== //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#414 (text+ko) ====
@@ -145,11 +145,6 @@
&mac_enforce_fs, 0, "Enforce MAC policy on file system objects");
TUNABLE_INT("security.mac.enforce_fs", &mac_enforce_fs);
-static int mac_enforce_kld = 1;
-SYSCTL_INT(_security_mac, OID_AUTO, enforce_kld, CTLFLAG_RW,
- &mac_enforce_kld, 0, "Enforce MAC policy on kld operations");
-TUNABLE_INT("security.mac.enforce_kld", &mac_enforce_kld);
-
static int mac_enforce_network = 1;
SYSCTL_INT(_security_mac, OID_AUTO, enforce_network, CTLFLAG_RW,
&mac_enforce_network, 0, "Enforce MAC policy on network packets");
@@ -165,11 +160,6 @@
&mac_enforce_socket, 0, "Enforce MAC policy on socket operations");
TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket);
-static int mac_enforce_system = 1;
-SYSCTL_INT(_security_mac, OID_AUTO, enforce_system, CTLFLAG_RW,
- &mac_enforce_system, 0, "Enforce MAC policy on system operations");
-TUNABLE_INT("security.mac.enforce_system", &mac_enforce_system);
-
static int mac_enforce_sysv = 1;
SYSCTL_INT(_security_mac, OID_AUTO, enforce_sysv, CTLFLAG_RW,
&mac_enforce_sysv, 0, "Enforce MAC policy on System V IPC objects");
@@ -2672,99 +2662,6 @@
}
int
-mac_check_kenv_dump(struct ucred *cred)
-{
- int error;
-
- if (!mac_enforce_system)
- return (0);
-
- MAC_CHECK(check_kenv_dump, cred);
-
- return (error);
-}
-
-int
-mac_check_kenv_get(struct ucred *cred, char *name)
-{
- int error;
-
- if (!mac_enforce_system)
- return (0);
-
- MAC_CHECK(check_kenv_get, cred, name);
-
- return (error);
-}
-
-int
-mac_check_kenv_set(struct ucred *cred, char *name, char *value)
-{
- int error;
-
- if (!mac_enforce_system)
- return (0);
-
- MAC_CHECK(check_kenv_set, cred, name, value);
-
- return (error);
-}
-
-int
-mac_check_kenv_unset(struct ucred *cred, char *name)
-{
- int error;
-
- if (!mac_enforce_system)
- return (0);
-
- MAC_CHECK(check_kenv_unset, cred, name);
-
- return (error);
-}
-
-int
-mac_check_kld_load(struct ucred *cred, struct vnode *vp)
-{
- int error;
-
- ASSERT_VOP_LOCKED(vp, "mac_check_kld_load");
-
- if (!mac_enforce_kld)
- return (0);
-
- MAC_CHECK(check_kld_load, cred, vp, &vp->v_label);
-
- return (error);
-}
-
-int
-mac_check_kld_stat(struct ucred *cred)
-{
- int error;
-
- if (!mac_enforce_kld)
- return (0);
-
- MAC_CHECK(check_kld_stat, cred);
-
- return (error);
-}
-
-int
-mac_check_kld_unload(struct ucred *cred)
-{
- int error;
-
- if (!mac_enforce_kld)
- return (0);
-
- MAC_CHECK(check_kld_unload, cred);
-
- return (error);
-}
-
-int
mac_check_mount_stat(struct ucred *cred, struct mount *mount)
{
int error;
@@ -2948,122 +2845,6 @@
}
int
-mac_check_sysarch_ioperm(struct ucred *cred)
-{
- int error;
-
- if (!mac_enforce_system)
- return (0);
-
- MAC_CHECK(check_sysarch_ioperm, cred);
- return (error);
-}
-
-int
-mac_check_system_acct(struct ucred *cred, struct vnode *vp)
-{
- int error;
-
- if (vp != NULL) {
- ASSERT_VOP_LOCKED(vp, "mac_check_system_acct");
- }
-
- if (!mac_enforce_system)
- return (0);
-
- MAC_CHECK(check_system_acct, cred, vp,
- vp != NULL ? &vp->v_label : NULL);
-
- return (error);
-}
-
-int
-mac_check_system_nfsd(struct ucred *cred)
-{
- int error;
-
- if (!mac_enforce_system)
- return (0);
-
- MAC_CHECK(check_system_nfsd, cred);
-
- return (error);
-}
-
-int
-mac_check_system_reboot(struct ucred *cred, int howto)
-{
- int error;
-
- if (!mac_enforce_system)
- return (0);
-
- MAC_CHECK(check_system_reboot, cred, howto);
-
- return (error);
-}
-
-int
-mac_check_system_settime(struct ucred *cred)
-{
- int error;
-
- if (!mac_enforce_system)
- return (0);
-
- MAC_CHECK(check_system_settime, cred);
-
- return (error);
-}
-
-int
-mac_check_system_swapon(struct ucred *cred, struct vnode *vp)
-{
- int error;
-
- ASSERT_VOP_LOCKED(vp, "mac_check_system_swapon");
-
- if (!mac_enforce_system)
- return (0);
-
- MAC_CHECK(check_system_swapon, cred, vp, &vp->v_label);
- return (error);
-}
-
-int
-mac_check_system_swapoff(struct ucred *cred, struct vnode *vp)
-{
- int error;
-
- ASSERT_VOP_LOCKED(vp, "mac_check_system_swapoff");
-
- if (!mac_enforce_system)
- return (0);
-
- MAC_CHECK(check_system_swapoff, cred, vp, &vp->v_label);
- return (error);
-}
-
-int
-mac_check_system_sysctl(struct ucred *cred, int *name, u_int namelen,
- void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen)
-{
- int error;
-
- /*
- * XXXMAC: We're very much like to assert the SYSCTL_LOCK here,
- * but since it's not exported from kern_sysctl.c, we can't.
- */
- if (!mac_enforce_system)
- return (0);
-
- MAC_CHECK(check_system_sysctl, cred, name, namelen, old, oldlenp,
- inkernel, new, newlen);
-
- return (error);
-}
-
-int
mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr,
struct ifnet *ifnet)
{