PERFORCE change 79863 for review
Robert Watson
rwatson at FreeBSD.org
Sat Jul 9 19:41:05 GMT 2005
http://perforce.freebsd.org/chv.cgi?CH=79863
Change 79863 by rwatson at rwatson_zoo on 2005/07/09 19:40:47
Update SEBSD policy for a number of MAC Framework entry point
changes:
- dev_t has become struct cdev *.
- sysctl() check now accepts complete oid context.
- mmap() check accepts a flags argument that includes information on
whether the map will be shared. Only if it's shared should we
check for write access (otherwise it's copy-on-write and private).
- The mprotect() check is not currently implemented, and the
prototype now diffs from mmap(), so leave it commented out for now.
Update the copyright to reflect recent work.
Affected files ...
.. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/sebsd.c#37 edit
Differences ...
==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/sebsd.c#37 (text+ko) ====
@@ -1,5 +1,6 @@
/*-
* Copyright (c) 2002, 2003 Networks Associates Technology, Inc.
+ * Copyright (c) 2005 SPARTA, Inc.
* All rights reserved.
*
* This software was developed for the FreeBSD Project by NAI Labs, the
@@ -7,6 +8,9 @@
* DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA
* CHATS research program.
*
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract
+ * N66001-04-C-6019 ("SEFOS").
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -620,8 +624,8 @@
}
static void
-sebsd_create_devfs_device(struct ucred *cr, struct mount *mp, dev_t dev,
- struct devfs_dirent *devfs_dirent, struct label *label,
+sebsd_create_devfs_device(struct ucred *cr, struct mount *mp,
+ struct cdev *dev, struct devfs_dirent *devfs_dirent, struct label *label,
const char *fullpath)
{
char *path;
@@ -1838,9 +1842,8 @@
* TBD: Sysctl access control is not currently implemented
*/
static int
-sebsd_check_system_sysctl(struct ucred *cred, int *name,
- u_int namelen, void *old, size_t *oldlenp, int inkernel, void *new,
- size_t newlen)
+sebsd_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
+ void *arg1, int arg2, struct sysctl_req *req)
{
return (0);
@@ -1859,7 +1862,7 @@
*/
static int
sebsd_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
- struct label *label, int newmapping)
+ struct label *label, int prot, int flags)
{
access_vector_t av;
@@ -1870,10 +1873,10 @@
if (vp) {
av = FILE__READ;
- if (newmapping & PROT_WRITE)
+ if (prot & PROT_WRITE && flags & MAP_SHARED)
av |= FILE__WRITE;
- if (newmapping & PROT_EXEC)
+ if (prot & PROT_EXEC)
av |= FILE__EXECUTE;
return (vnode_has_perm(cred, vp, av, NULL));
@@ -2534,7 +2537,10 @@
.mpo_check_vnode_link = sebsd_check_vnode_link,
.mpo_check_vnode_lookup = sebsd_check_vnode_lookup,
.mpo_check_vnode_mmap = sebsd_check_vnode_mmap,
+#if 0
+ /* XXXMAC: mprotect() is not checked by the MAC Framework. */
.mpo_check_vnode_mprotect = sebsd_check_vnode_mmap,
+#endif
.mpo_check_vnode_open = sebsd_check_vnode_open,
.mpo_check_vnode_poll = sebsd_check_vnode_poll,
.mpo_check_vnode_read = sebsd_check_vnode_read,
To Unsubscribe: send mail to majordomo at trustedbsd.org
with "unsubscribe trustedbsd-cvs" in the body of the message
More information about the trustedbsd-cvs
mailing list