Date: Wed, 24 Jul 2002 06:56:26 -0700 (PDT) From: Robert Watson <rwatson@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 14832 for review Message-ID: <200207241356.g6ODuQgR020804@freefall.freebsd.org>
http://people.freebsd.org/~peter/p4db/chv.cgi?CH=14832 Change 14832 by rwatson@rwatson_paprika on 2002/07/24 06:56:16 Add MAC_TE_OPERATION_FILE_POLL. Affected files ... .. //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.c#47 edit Differences ... ==== //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.c#47 (text+ko) ====
@@ -92,6 +92,12 @@
 TUNABLE_INT("security.mac.te.debug_transitions", &mac_te_debug_transitions);
+static int mac_te_revocation_enabled = 0;
+SYSCTL_INT(_security_mac_te, OID_AUTO, revocation_enabled, CTLFLAG_RW,
+ &mac_te_revocation_enabled, 0, "Revoke access to objects on relabel");
+TUNABLE_INT("security.mac.te.revocation_enabled",
+ &mac_te_revocation_enabled);
+
 static int labelslot;
 #define SLOT(l) ((struct mac_te *)LABEL_TO_SLOT((l), labelslot).l_ptr)
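Review bot: The sysctl help string `"Revoke access to objects on relabel"` describes the intended effect rather than what the knob actually gates: the two check functions added later in this change return success unconditionally while it is 0, so with the default of 0 the new poll/read/write and mmap re-checks are simply skipped. A string that says so, for example `"Re-check TE access on vnode poll/read/write and mmap so that relabels revoke access"`, would let an administrator see that the default leaves those checks off. Since the same flag is also loader-tunable, the default-off choice deserves a one-line comment next to the declaration stating why it ships disabled.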
@@ -1498,6 +1504,69 @@
 return (error);
 }
+static int
+mac_te_cred_check_mmap_perms(struct ucred *cred, struct vnode *vp,
+ struct label *label)
+{
+ struct mac_te *subj, *obj;
+ vm_prot_t prot = 0;
+
+ if (!mac_biba_revocation_enabled)
+ return (VM_PROT_ALL);
+
+ subj = SLOT(&cred->cr_label);
+ obj = SLOT(label);
+
+ if (mac_te_check(subj, obj, MAC_TE_CLASS_FILE,
+ MAC_TE_OPERATION_FILE_READ) == 0)
+ prot |= VM_PROT_READ;
+ if (mac_te_check(subj, obj, MAC_TE_CLASS_FILE,
+ MAC_TE_OPERATION_FILE_EXEC) == 0)
+ prot |= VM_PROT_EXECUTE;
+ if (mac_te_check(subj, obj, MAC_TE_CLASS_FILE,
+ MAC_TE_OPERATION_FILE_WRITE) == 0)
+ prot |= VM_PROT_WRITE;
+ return (prot);
+}
+
+static int
+mac_te_cred_check_vnode_op(struct ucred *cred, struct vnode *vp,
+ struct label *label, int op)
+{
+ struct mac_te *subj, *obj;
+ int error, te_class, te_op;
+
+ if (!mac_te_revocation_enabled)
+ return (0);
+
+ subj = SLOT(&cred->cr_label);
+ obj = SLOT(label);
+
+ te_class = MAC_TE_CLASS_FILE;
+ switch (op) {
+ case MAC_OP_VNODE_POLL:
+ te_op = MAC_TE_OPERATION_FILE_POLL;
+ break;
+
+ case MAC_OP_VNODE_READ:
+ te_op = MAC_TE_OPERATION_FILE_READ;
+ break;
+
+ case MAC_OP_VNODE_WRITE:
+ te_op = MAC_TE_OPERATION_FILE_WRITE;
+ break;
+
+ default:
+ printf("mac_te_cred_check_vnode_op: unknown operation %d\n",
+ op);
+ return (EINVAL);
+ }
+
+ error = mac_te_check(subj, obj, MAC_TE_CLASS_FILE, te_op);
+
+ return (error);
+}
+
 static void
 mac_te_update_devfsdirent_from_vnode(struct devfs_dirent *devfs_dirent,
 struct label *direntlabel, struct vnode *vp, struct label *vnodelabel)
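Review bot: mac_te_cred_check_mmap_perms guards on `mac_biba_revocation_enabled`, which nothing in this module declares; the knob this change adds is `mac_te_revocation_enabled`, so the guard should read `if (!mac_te_revocation_enabled)` exactly as it does in mac_te_cred_check_vnode_op below it. In mac_te_cred_check_vnode_op, `te_class` is assigned but never read because the final call passes MAC_TE_CLASS_FILE directly; either drop the variable or use it, `error = mac_te_check(subj, obj, te_class, te_op);`. mac_te_cred_check_mmap_perms builds a vm_prot_t but is declared to return int; declaring it `static vm_prot_t` would match the value it returns and the VM_PROT_ALL early return. With the knob off, both functions grant unconditionally (VM_PROT_ALL and 0 respectively) rather than re-running the policy; that is presumably the intended "revocation disabled" semantics, but a comment on each early return saying so would stop the next reader from taking it for a bypass.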
@@ -1670,6 +1739,10 @@
 { MAC_CRED_CHECK_SCHED_PROC, (macop_t)mac_te_cred_check_sched_proc },
 { MAC_CRED_CHECK_SIGNAL_PROC, (macop_t)mac_te_cred_check_signal_proc },
 { MAC_CRED_CHECK_STAT_VNODE, (macop_t)mac_te_cred_check_stat_vnode },
+ { MAC_CRED_CHEKC_VNODE_MMAP_PERMS,
+ (macop_t)mac_te_cred_check_mmap_perms },
+ { MAC_CRED_CHECK_VNODE_OP,
+ (macop_t)mac_te_cred_check_vnode_op },
 { MAC_IFNET_CHECK_SEND_MBUF, (macop_t)mac_te_ifnet_check_send_mbuf },
 { MAC_SOCKET_CHECK_RECEIVE_MBUF,
 (macop_t)mac_te_socket_check_receive_mbuf },
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message
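Review bot: The first added table entry names the op `MAC_CRED_CHEKC_VNODE_MMAP_PERMS`; "CHEKC" looks like a transposition of CHECK, since every other entry in the table, including the neighbouring MAC_CRED_CHECK_VNODE_OP, uses CHECK, and unless the framework header really spells it that way this file will not compile. Presumably the line should be `{ MAC_CRED_CHECK_VNODE_MMAP_PERMS,` — verify against the op enum in the MAC framework header before committing. The ops table itself starts and ends outside the hunk.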