Date: Thu, 31 Oct 2002 08:01:54 -0800 (PST) From: Robert Watson <rwatson@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 20477 for review Message-ID: <200210311601.g9VG1sJ5089818@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=20477 Change 20477 by rwatson@rwatson_tislabs on 2002/10/31 08:01:18 Add mac_check_system_settime(), a MAC Framework entry point to authorize modification of the system time. Right now, we just pass a credential; in the future, potentially it could be desirable to pass other stuff (such as the requested time change), but that introduces locking and structure complexity I'm not sure we want to deal with just now. Affected files ... .. //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#345 edit .. //depot/projects/trustedbsd/mac/sys/kern/kern_time.c#9 edit .. //depot/projects/trustedbsd/mac/sys/sys/mac.h#206 edit .. //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#162 edit Differences ...
==== //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#345 (text+ko) ====
@@ -2547,6 +2547,19 @@
 }
 int
+mac_check_system_settime(struct ucred *cred)
+{
+ int error;
+
+ if (!mac_enforce_system)
+ return (0);
+
+ MAC_CHECK(check_system_settime, cred);
+
+ return (error);
+}
+
+int
 mac_check_system_swapon(struct ucred *cred, struct vnode *vp)
 {
 int error;
==== //depot/projects/trustedbsd/mac/sys/kern/kern_time.c#9 (text+ko) ====
@@ -34,6 +34,8 @@
 * $FreeBSD: src/sys/kern/kern_time.c,v 1.85 2002/09/25 12:00:38 bde Exp $
 */
+#include "opt_mac.h"
+
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/lock.h>
@@ -42,6 +44,7 @@
 #include <sys/resourcevar.h>
 #include <sys/signalvar.h>
 #include <sys/kernel.h>
+#include <sys/mac.h>
 #include <sys/systm.h>
 #include <sys/sysent.h>
 #include <sys/proc.h>
@@ -182,6 +185,11 @@
 struct timespec ats;
 int error;
+#ifdef MAC
+ error = mac_check_system_settime(td->td_ucred);
+ if (error)
+ return (error);
+#endif
 if ((error = suser(td)) != 0)
 return (error);
 if (SCARG(uap, clock_id) != CLOCK_REALTIME)
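Review bot: `mac_check_system_settime()` in kern_mac.c returns `error` without any visible assignment, so it is only correct if the `MAC_CHECK()` macro sets that variable; the macro's definition is outside this hunk, so that is an assumption. A comment above the macro call would make the dependency explicit, e.g. `/* MAC_CHECK() assigns error; confirm it is 0 when no policy objects. */`. The function also deserves a short header comment stating that it returns 0 without consulting any policy when `mac_enforce_system` is clear, because that toggle then bypasses all mediation of time changes.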
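Review bot: The check added in the `@@ -182,6 +185,11 @@` hunk of kern_time.c, and the identical one in the `@@ -351,6 +359,11 @@` hunk, covers only two of the paths that can change the clock; `adjtime()` and `ntp_adjtime()` also adjust system time and are not touched by this change as far as the diff shows. If the entry point is meant to authorize every modification of the system time, those callers need the same `#ifdef MAC` block, otherwise a policy that denies settime does not mediate gradual clock adjustment. Separately, because the MAC check runs before `suser()`, an unprivileged caller receives the policy's error rather than the privilege error and can so observe the policy decision; placing the block after the `suser()` test would avoid that. Both function bodies start and end outside the hunks.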
@@ -351,6 +359,11 @@
 struct timezone atz;
 int error = 0;
+#ifdef MAC
+ error = mac_check_system_settime(td->td_ucred);
+ if (error)
+ return (error);
+#endif
 if ((error = suser(td)))
 return (error);
 /* Verify all parameters before changing time. */
==== //depot/projects/trustedbsd/mac/sys/sys/mac.h#206 (text+ko) ====
@@ -266,6 +266,7 @@
 int mac_check_socket_visible(struct ucred *cred, struct socket *so);
 int mac_check_system_acct(struct ucred *cred, struct vnode *vp);
 int mac_check_system_reboot(struct ucred *cred, int howto);
+int mac_check_system_settime(struct ucred *cred);
 int mac_check_system_swapon(struct ucred *cred, struct vnode *vp);
 int mac_check_system_sysctl(struct ucred *cred, int *name, u_int namelen, void *old, size_t *oldlenp, int inkernel,
==== //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#162 (text+ko) ====
@@ -324,6 +324,7 @@
 int (*mpo_check_system_acct)(struct ucred *cred, struct vnode *vp, struct label *vlabel);
 int (*mpo_check_system_reboot)(struct ucred *cred, int howto);
+ int (*mpo_check_system_settime)(struct ucred *cred);
 int (*mpo_check_system_swapon)(struct ucred *cred, struct vnode *vp, struct label *label);
 int (*mpo_check_system_sysctl)(struct ucred *cred, int *name,
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message
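Review bot: In the `@@ -351,6 +359,11 @@` hunk of kern_time.c the settime check runs before the arguments are examined, so, judging by the `struct timezone atz` local, a call that only updates the timezone is denied by the same policy decision as a call that sets the clock. If that is intended, say so where the check is made, e.g. `/* Policy decision covers both the timeval and the timezone update. */`. If it is not, the check should move below the parameter copy-in and apply only when a time value was supplied. The function's signature and the rest of its body are outside the hunk, so the copy-in order is inferred.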
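Review bot: `mpo_check_system_settime` is inserted in the middle of the policy operations structure in mac_policy.h, which shifts the offset of every member declared after it. A policy module compiled against the previous header would then have its `mpo_check_system_swapon` pointer read from the settime slot and invoked with the wrong arguments for the wrong operation. Either append new entry points at the end of the structure, or state in the commit that all policy modules must be rebuilt and bump whatever interface version the framework checks at registration, which is not visible here. The structure's opening and closing lines are outside the hunk.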