Date: Sat, 5 Oct 2002 18:37:21 -0700 (PDT) From: Robert Watson <rwatson@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 18773 for review Message-ID: <200210060137.g961bLEv009209@freefall.freebsd.org>
http://people.freebsd.org/~peter/p4db/chv.cgi?CH=18773 Change 18773 by rwatson@rwatson_tislabs on 2002/10/05 18:37:07 Move the mmap protection limitations to the correct place in the file based on our sort order for access control checks. Change return types to int from vm_prot_t (left-over from the old mmap protection approach). Affected files ... .. //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#126 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#109 edit Differences ...
==== //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#126 (text+ko) ====
@@ -1933,6 +1933,34 @@
 }
 
 static int
+mac_biba_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
+ struct label *label, int prot)
+{
+ struct mac_biba *subj, *obj;
+
+ /*
+ * Rely on the use of open()-time protections to handle
+ * non-revocation cases.
+ */
+ if (!mac_biba_enabled || !mac_biba_revocation_enabled)
+ return (0);
+
+ subj = SLOT(&cred->cr_label);
+ obj = SLOT(label);
+
+ if (prot & (VM_PROT_READ | VM_PROT_EXECUTE)) {
+ if (!mac_biba_dominate_single(obj, subj))
+ return (EACCES);
+ }
+ if (prot & VM_PROT_WRITE) {
+ if (!mac_biba_dominate_single(subj, obj))
+ return (EACCES);
+ }
+
+ return (0);
+}
+
+static int
 mac_biba_check_vnode_open(struct ucred *cred, struct vnode *vp,
 struct label *vnodelabel, mode_t acc_mode)
 {
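Review bot: The entire policy of mac_biba_check_vnode_mmap lives in the argument order of the two mac_biba_dominate_single() calls — (obj, subj) for read/execute, (subj, obj) for write — and that order is the mirror image of the mac_mls_check_vnode_mmap hunk that follows, yet neither function states which way the dominance must run or why. A comment above the first `if (prot & ...)` block reading `/* Biba: read/execute requires object integrity to dominate subject; write requires subject to dominate object. */`, with the inverse wording in the MLS version (read/execute requires subject to dominate object; write requires object to dominate subject), would let a reviewer check each branch against the model instead of re-deriving it. The unused `vp` parameter and the `int prot` typing appear to be dictated by the hook signature, so no change is suggested there. It also cannot be judged from this hook's signature whether a PROT_WRITE request on a private copy-on-write mapping should be subject to the write check, since no mapping flags reach the function; if the framework does not already distinguish that case, it is worth noting next to the existing `open()-time protections` comment.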
@@ -2296,34 +2324,6 @@
 return (0);
 }
 
-static vm_prot_t
-mac_biba_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
- struct label *label, int prot)
-{
- struct mac_biba *subj, *obj;
-
- /*
- * Rely on the use of open()-time protections to handle
- * non-revocation cases.
- */
- if (!mac_biba_enabled || !mac_biba_revocation_enabled)
- return (0);
-
- subj = SLOT(&cred->cr_label);
- obj = SLOT(label);
-
- if (prot & (VM_PROT_READ | VM_PROT_EXECUTE)) {
- if (!mac_biba_dominate_single(obj, subj))
- return (EACCES);
- }
- if (prot & VM_PROT_WRITE) {
- if (!mac_biba_dominate_single(subj, obj))
- return (EACCES);
- }
-
- return (0);
-}
-
 static struct mac_policy_op_entry mac_biba_ops[] =
 {
 { MAC_DESTROY,
==== //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#109 (text+ko) ====
@@ -1983,6 +1983,34 @@
 }
 
 static int
+mac_mls_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
+ struct label *label, int prot)
+{
+ struct mac_mls *subj, *obj;
+
+ /*
+ * Rely on the use of open()-time protections to handle
+ * non-revocation cases.
+ */
+ if (!mac_mls_enabled || !mac_mls_revocation_enabled)
+ return (0);
+
+ subj = SLOT(&cred->cr_label);
+ obj = SLOT(label);
+
+ if (prot & (VM_PROT_READ | VM_PROT_EXECUTE)) {
+ if (!mac_mls_dominate_single(subj, obj))
+ return (EACCES);
+ }
+ if (prot & VM_PROT_WRITE) {
+ if (!mac_mls_dominate_single(obj, subj))
+ return (EACCES);
+ }
+
+ return (0);
+}
+
+static int
 mac_mls_check_vnode_open(struct ucred *cred, struct vnode *vp,
 struct label *vnodelabel, mode_t acc_mode)
 {
@@ -2346,34 +2374,6 @@
 return (0);
 }
 
-static vm_prot_t
-mac_mls_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
- struct label *label, int prot)
-{
- struct mac_mls *subj, *obj;
-
- /*
- * Rely on the use of open()-time protections to handle
- * non-revocation cases.
- */
- if (!mac_mls_enabled || !mac_mls_revocation_enabled)
- return (0);
-
- subj = SLOT(&cred->cr_label);
- obj = SLOT(label);
-
- if (prot & (VM_PROT_READ | VM_PROT_EXECUTE)) {
- if (!mac_mls_dominate_single(subj, obj))
- return (EACCES);
- }
- if (prot & VM_PROT_WRITE) {
- if (!mac_mls_dominate_single(obj, subj))
- return (EACCES);
- }
-
- return (0);
-}
-
 static struct mac_policy_op_entry mac_mls_ops[] =
 {
 { MAC_DESTROY,
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message