Date: Thu, 31 Oct 2002 14:29:53 -0800 (PST) From: Robert Watson <rwatson@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 20495 for review Message-ID: <200210312229.g9VMTr7T024203@repoman.freebsd.org>
next in thread | raw e-mail | index | archive | help
http://perforce.freebsd.org/chv.cgi?CH=20495 Change 20495 by rwatson@rwatson_tislabs on 2002/10/31 14:29:13 Don't permit a process to bind to nfsd services in the kernel unless MAC policies permit it to. Affected files ... .. //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#346 edit .. //depot/projects/trustedbsd/mac/sys/nfsserver/nfs_syscalls.c#9 edit .. //depot/projects/trustedbsd/mac/sys/sys/mac.h#207 edit .. //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#163 edit Differences ... ==== //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#346 (text+ko) ==== @@ -2534,6 +2534,19 @@ } int +mac_check_system_nfsd(struct ucred *cred) +{ + int error; + + if (!mac_enforce_system) + return (0); + + MAC_CHECK(check_system_nfsd, cred); + + return (error); +} + +int mac_check_system_reboot(struct ucred *cred, int howto) { int error; ==== //depot/projects/trustedbsd/mac/sys/nfsserver/nfs_syscalls.c#9 (text+ko) ==== @@ -41,6 +41,7 @@ __FBSDID("$FreeBSD: src/sys/nfsserver/nfs_syscalls.c,v 1.81 2002/09/18 19:44:14 phk Exp $"); #include "opt_inet6.h" +#include "opt_mac.h" #include <sys/param.h> #include <sys/systm.h> @@ -50,6 +51,7 @@ #include <sys/file.h> #include <sys/filedesc.h> #include <sys/vnode.h> +#include <sys/mac.h> #include <sys/malloc.h> #include <sys/mount.h> #include <sys/proc.h> @@ -137,10 +139,15 @@ struct nfsd_args nfsdarg; int error; - mtx_lock(&Giant); +#ifdef MAC + error = mac_check_system_nfsd(td->td_ucred); + if (error) + return (error); +#endif error = suser(td); if (error) - goto done2; + return (error); + mtx_lock(&Giant); while (nfssvc_sockhead_flag & SLP_INIT) { nfssvc_sockhead_flag |= SLP_WANTINIT; (void) tsleep((caddr_t)&nfssvc_sockhead, PSOCK, "nfsd init", 0); ==== //depot/projects/trustedbsd/mac/sys/sys/mac.h#207 (text+ko) ==== @@ -265,6 +265,7 @@ int mac_check_socket_send(struct ucred *cred, struct socket *so); int mac_check_socket_visible(struct ucred *cred, struct socket *so); int mac_check_system_acct(struct ucred *cred, struct vnode *vp); +int mac_check_system_nfsd(struct ucred *cred); int mac_check_system_reboot(struct ucred *cred, int howto); int mac_check_system_settime(struct ucred *cred); int mac_check_system_swapon(struct ucred *cred, struct vnode *vp); ==== //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#163 (text+ko) ==== @@ -323,6 +323,7 @@ struct socket *so, struct label *socketlabel); int (*mpo_check_system_acct)(struct ucred *cred, struct vnode *vp, struct label *vlabel); + int (*mpo_check_system_nfsd)(struct ucred *cred); int (*mpo_check_system_reboot)(struct ucred *cred, int howto); int (*mpo_check_system_settime)(struct ucred *cred); int (*mpo_check_system_swapon)(struct ucred *cred, To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200210312229.g9VMTr7T024203>