Date: Thu, 2 Jan 2003 12:29:00 -0800 (PST) From: Chris Vance <cvance@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 23060 for review Message-ID: <200301022029.h02KT0nh014990@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=23060
Change 23060 by cvance@cvance_laptop on 2003/01/02 12:28:25
Allow SEBSD to be pushed into enforcing mode via a sysctl. We'll leave the system call intact for now as well. This should permit the very special pain of booting in enforcing mode.
Affected files ...
.. //depot/projects/trustedbsd/mac/sys/security/sebsd/avc/avc.c#12 edit
.. //depot/projects/trustedbsd/mac/sys/security/sebsd/avc/avc.h#10 edit
.. //depot/projects/trustedbsd/mac/sys/security/sebsd/sebsd_sysctl.c#7 edit
Differences ...
==== //depot/projects/trustedbsd/mac/sys/security/sebsd/avc/avc.c#12 (text+ko) ====
@@ -875,7 +875,23 @@
 return 0;
 }
 
+int
+sys_avc_set_enforcing(struct thread *td, int enforcing)
+{
+ int error;
+
+ error = thread_has_system(td, SYSTEM__AVC_TOGGLE);
+ if (error)
+ return (error);
+ if (enforcing && avc_debug_always_allow) {
+ avc_ss_reset(avc_cache.latest_notif);
+ if (!ss_initialized && security_init() != 0)
+ panic("SELinux: Could not initialize\n");
+ }
+ avc_debug_always_allow = !enforcing;
+ return (0);
+}
 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
 /*
 * TBD: should have build-time non development mode that does not permit
==== //depot/projects/trustedbsd/mac/sys/security/sebsd/avc/avc.h#10 (text+ko) ====
@@ -344,6 +344,7 @@
 #ifdef _KERNEL
 extern int sys_avc_toggle(struct thread *td);
 extern int sys_avc_enforcing(struct thread *td);
+extern int sys_avc_set_enforcing(struct thread *td, int enforcing);
 #endif
 
 #endif /* _LINUX_AVC_H_ */
==== //depot/projects/trustedbsd/mac/sys/security/sebsd/sebsd_sysctl.c#7 (text+ko) ====
@@ -47,6 +47,8 @@
 #include <security/sebsd/ss/security.h>
 #include <security/sebsd/ss/sidtab.h>
+#include <security/sebsd/avc/avc.h>
+
 
 /*
 * Sysctl handler for security.mac.sebsd.sids
 * Lists the SIDs currently active in the security server
@@ -93,7 +95,6 @@
 return (error);
 }
 
-#if 0
 /*
 * Sysctl handler for security.mac.sebsd.enforcing
 * Get and/or set whether the avc is in enforcement mode.
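Review bot: sys_avc_set_enforcing in the avc.c hunk carries no comment, and its permissive-to-enforcing branch has consequences a caller should know about: it flushes the AVC with avc_ss_reset() and, if the security server is not yet initialized, runs security_init() and panics when that fails, so a thread holding SYSTEM__AVC_TOGGLE can take the machine down when no policy can be loaded. A header comment along the lines of `/* Switch the AVC between permissive and enforcing mode; requires SYSTEM__AVC_TOGGLE. Entering enforcing mode resets the AVC and initializes the security server if needed, panicking if that fails. */` would document that. Any non-zero `enforcing` is treated as true, since the stored value is `!enforcing`; that normalization is worth a word in the same comment. Whether concurrent callers of this function are serialized is not visible in the hunk.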
@@ -103,30 +104,21 @@
 {
 int error, enforcing;
 
- if (req->oldptr != NULL) {
- /* XXX Always allow the users to find out? */
- enforcing = !avc_debug_always_allow;
- error = SYSCTL_OUT(req, &enforcing, sizeof(enforcing));
- if (error)
- return (error);
- }
+ /* TBD: XXX Always allow the users to find out? */
+ enforcing = !avc_debug_always_allow;
+ error = SYSCTL_OUT(req, &enforcing, sizeof(enforcing));
+ if (error)
+ return (error);
+
 if (req->newptr != NULL) {
- error = thread_has_system(curthread, SYSTEM__AVC_TOGGLE);
- if (error)
- return (error);
 error = SYSCTL_IN(req, &enforcing, sizeof(enforcing));
 if (error)
 return (error);
- if (enforcing && avc_debug_always_allow) {
- avc_ss_reset(avc_cache.latest_notif);
- if (!ss_initialized && security_init() != 0)
- panic("SELinux: Could not initialize\n");
- }
- avc_debug_always_allow = !enforcing;
+ return(sys_avc_set_enforcing(curthread, enforcing));
 }
+ return (0);
 }
 
-#endif
 
 /*
 * Sysctl handler for security.mac.sebsd.user_sids
@@ -257,8 +249,5 @@
 SYSCTL_PROC(_security_mac_sebsd, OID_AUTO, change_sid, CTLTYPE_STRING | CTLFLAG_RW | CTLFLAG_ANYBODY, NULL, 0, sysctl_change_sid, "A", "SEBSD (tty) SID relabel to perform along with transition");
-
-#if 0
 SYSCTL_PROC(_security_mac_sebsd, OID_AUTO, enforcing, CTLTYPE_INT | CTLFLAG_RW,
- 0, 0, sysctl_sebsd_enforcing, "I", "SEBSD avc enforcement");
-#endif
+ NULL, 0, sysctl_sebsd_enforcing, "I", "SEBSD avc enforcement");
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message
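Review bot: `return(sys_avc_set_enforcing(curthread, enforcing));` in the newptr branch drops the space that every other return in this handler keeps (`return (error);`, `return (0);`); it should read `return (sys_avc_set_enforcing(curthread, enforcing));`. The SYSTEM__AVC_TOGGLE check that used to precede SYSCTL_IN now runs inside sys_avc_set_enforcing after the copyin, which reorders a one-int copy against the permission test but still prevents any mode change until the test passes; a comment on that branch, `/* sys_avc_set_enforcing() checks SYSTEM__AVC_TOGGLE before changing mode */`, would make that visible to readers of this file, since the check is no longer in view here. The mode is now reported to every caller via SYSCTL_OUT before any privilege is evaluated, which the retained "TBD: XXX" comment already flags as an open question. The enclosing handler sysctl_sebsd_enforcing starts before this hunk.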