From: Chris Vance <cvance@tislabs.com>
Date: Fri, 18 Oct 2002 10:19:29 -0700 (PDT)
Subject: PERFORCE change 19553 for review
To: Perforce Change Reviews
Message-Id: <200210181719.g9IHJTdI064311@repoman.freebsd.org>

http://perforce.freebsd.org/chv.cgi?CH=19553

Change 19553 by cvance@cvance_laptop on 2002/10/18 10:18:55

	Add audit data for avc calls in sebsd_check_vnode_exec
	Comment out currently unused thread_has_perm helper function

Affected files ...

.. //depot/projects/trustedbsd/mac/sys/security/sebsd/sebsd.c#45 edit

Differences ...

==== //depot/projects/trustedbsd/mac/sys/security/sebsd/sebsd.c#45 (text+ko) ====
@@ -93,11 +93,13 @@ perm, &target->avcr); } +#if 0 static int thread_has_perm(struct thread *td, struct proc *proc, access_vector_t perm) { return (cred_has_perm(td->td_proc->p_ucred, proc, perm)); } +#endif static int cred_has_system(struct ucred *cred, access_vector_t perm) @@ -706,6 +708,7 @@ struct task_security_struct *task; struct vnode_security_struct *file; security_id_t newsid; + avc_audit_data_t ad; int rc; task = SLOT(&cred->cr_label); @@ -720,20 +723,27 @@ SLOT(imgp->execlabel))->sid; } + AVC_AUDIT_DATA_INIT(&ad, FS); + ad.u.fs.vp = vp; + if (newsid == task->sid) { - rc = avc_has_perm(task->sid, file->sid, - SECCLASS_FILE, FILE__EXECUTE_NO_TRANS); + rc = avc_has_perm_audit(task->sid, file->sid, SECCLASS_FILE, + FILE__EXECUTE_NO_TRANS, &ad); + if (rc) return EACCES; + } else { /* Check permissions for the transition. */ - rc = avc_has_perm(task->sid, newsid, SECCLASS_PROCESS, - PROCESS__TRANSITION); + rc = avc_has_perm_audit(task->sid, newsid, SECCLASS_PROCESS, + PROCESS__TRANSITION, &ad); + if (rc) return EACCES; - rc = avc_has_perm(newsid, file->sid, - SECCLASS_FILE, FILE__ENTRYPOINT); + rc = avc_has_perm_audit(newsid, file->sid, SECCLASS_FILE, + FILE__ENTRYPOINT, &ad); + if (rc) return EACCES;
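Review bot: In the first hunk (@@ -93,11 +93,13 @@), wrapping thread_has_perm() in "#if 0 ... #endif" leaves dead code that the compiler no longer type-checks, so a later change to cred_has_perm()'s signature will not be caught until someone re-enables it. Since the change description itself calls the helper "currently unused", either delete it outright (Perforce keeps the history if it is wanted back) or add a one-line comment above the "#if 0" saying what it is being kept for and when it should be re-enabled.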
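Review bot: In the second hunk (@@ -706,6 +708,7 @@), "avc_audit_data_t ad;" is declared without an initializer and is only set up by AVC_AUDIT_DATA_INIT() in the later hunk, after the newsid computation. That is correct as the function stands, but it means any avc_has_perm_audit() call added between the declaration and the macro would pass an uninitialized audit record (including a garbage ad.u.fs.vp pointer) to the audit path. Consider keeping the AVC_AUDIT_DATA_INIT(&ad, FS) / ad.u.fs.vp = vp pair immediately after the declarations so that every permission check in sebsd_check_vnode_exec() sees an initialized record by construction.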
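Review bot: In the third hunk (@@ -720,20 +723,27 @@), the three new "if (rc) return EACCES;" lines put the statement on the same line as the condition and omit the parentheses used elsewhere in this file (thread_has_perm() above writes "return (cred_has_perm(...));"); per style(9) they should read
	if (rc)
		return (EACCES);
The behaviour is the right one for a reference monitor: each of FILE__EXECUTE_NO_TRANS, PROCESS__TRANSITION and FILE__ENTRYPOINT now fails closed on its own denial instead of letting control fall through, and reusing the single FS audit record with ad.u.fs.vp = vp for all three checks means every denial is logged against the executable's vnode, which is what an administrator needs to map a denial back to the file that triggered it.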