Date: Sun, 27 Oct 2002 00:30:23 -0700 (PDT) From: Robert Watson <rwatson@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 20238 for review Message-ID: <200210270730.g9R7UNr0078310@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=20238
Change 20238 by rwatson@rwatson_tislabs on 2002/10/27 00:29:22
Enforce protection of acct() system call using mac_check_system_acct() -- a non-NULL vp is passed if this is an enable operation, in which case policies can inspect/... the vnode and label; NULL is passed to disable accounting.
Affected files ...
.. //depot/projects/trustedbsd/mac/sys/kern/kern_acct.c#13 edit
.. //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#335 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac.h#198 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#153 edit
Differences ...
==== //depot/projects/trustedbsd/mac/sys/kern/kern_acct.c#13 (text+ko) ====
@@ -40,12 +40,15 @@
 * $FreeBSD: src/sys/kern/kern_acct.c,v 1.52 2002/10/05 20:05:23 rwatson Exp $
 */
+#include "opt_mac.h"
+
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/lock.h>
 #include <sys/mutex.h>
 #include <sys/sysproto.h>
 #include <sys/proc.h>
+#include <sys/mac.h>
 #include <sys/mount.h>
 #include <sys/vnode.h>
 #include <sys/fcntl.h>
@@ -144,13 +147,31 @@
 if (error)
 goto done2;
 NDFREE(&nd, NDF_ONLY_PNBUF);
+#ifdef MAC
+ error = mac_check_system_acct(td->td_ucred, nd.ni_vp);
+ if (error) {
+ vn_close(nd.ni_vp, flags, td->td_ucred, td);
+ goto done2;
+ }
+#endif
+
 VOP_UNLOCK(nd.ni_vp, 0, td);
 if (nd.ni_vp->v_type != VREG) {
 vn_close(nd.ni_vp, flags, td->td_ucred, td);
 error = EACCES;
 goto done2;
 }
+#ifdef MAC
+ } else {
+ error = mac_check_system_acct(td->td_ucred, NULL);
+ if (error) {
+ mtx_unlock(&Giant);
+ return (error);
+ }
 }
+#else
+ }
+#endif
 /*
 * If accounting was previously enabled, kill the old space-watcher,
==== //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#335 (text+ko) ====
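Review bot: The disable branch added under `#ifdef MAC` in kern_acct.c unwinds by hand with `mtx_unlock(&Giant); return (error);`, while the enable branch a few lines earlier leaves through `goto done2;` when the same check fails. Two exit styles for one kind of denial make it easy for a later change to the common exit to miss this path; assuming `done2` (outside this hunk) releases Giant and returns `error`, the body can be just `if (error) goto done2;`. The closing brace that is split across `#ifdef MAC` / `#else` / `#endif` also deserves a one-line comment, for example `/* this brace closes the enable branch when MAC is not configured */`, because brace matching no longer works by eye.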
@@ -143,20 +143,15 @@
 &mac_enforce_process, 0, "Enforce MAC policy on inter-process operations");
 TUNABLE_INT("security.mac.enforce_process", &mac_enforce_process);
-static int mac_enforce_reboot = 1;
-SYSCTL_INT(_security_mac, OID_AUTO, enforce_reboot, CTLFLAG_RW,
- &mac_enforce_reboot, 0, "Enforce MAC policy for reboot operations");
-TUNABLE_INT("security.mac.enforce_reboot", &mac_enforce_reboot);
-
 static int mac_enforce_socket = 1;
 SYSCTL_INT(_security_mac, OID_AUTO, enforce_socket, CTLFLAG_RW,
 &mac_enforce_socket, 0, "Enforce MAC policy on socket operations");
 TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket);
-static int mac_enforce_sysctl = 1;
-SYSCTL_INT(_security_mac, OID_AUTO, enforce_sysctl, CTLFLAG_RW,
- &mac_enforce_sysctl, 0, "Enforce MAC policy on sysctl operations");
-TUNABLE_INT("security.mac.enforce_sysctl", &mac_enforce_sysctl);
+static int mac_enforce_system = 1;
+SYSCTL_INT(_security_mac, OID_AUTO, enforce_system, CTLFLAG_RW,
+ &mac_enforce_system, 0, "Enforce MAC policy on system operations");
+TUNABLE_INT("security.mac.enforce_system", &mac_enforce_system);
 static int mac_enforce_vm = 1;
 SYSCTL_INT(_security_mac, OID_AUTO, enforce_vm, CTLFLAG_RW,
@@ -920,6 +915,10 @@
 mpc->mpc_ops->mpo_check_socket_visible =
 mpe->mpe_function;
 break;
+ case MAC_CHECK_SYSTEM_ACCT:
+ mpc->mpc_ops->mpo_check_system_acct =
+ mpe->mpe_function;
+ break;
 case MAC_CHECK_SYSTEM_REBOOT:
 mpc->mpc_ops->mpo_check_system_reboot =
 mpe->mpe_function;
@@ -3059,11 +3058,29 @@
 }
 int
+mac_check_system_acct(struct ucred *cred, struct vnode *vp)
+{
+ int error;
+
+ if (vp != NULL) {
+ ASSERT_VOP_LOCKED(vp, "mac_check_system_acct");
+ }
+
+ if (!mac_enforce_system)
+ return (0);
+
+ MAC_CHECK(check_system_acct, cred, vp,
+ vp != NULL ? &vp->v_label : NULL);
+
+ return (error);
+}
+
+int
 mac_check_system_reboot(struct ucred *cred, int howto)
 {
 int error;
- if (!mac_enforce_reboot)
+ if (!mac_enforce_system)
 return (0);
 MAC_CHECK(check_system_reboot, cred, howto);
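Review bot: Folding `security.mac.enforce_reboot` and `security.mac.enforce_sysctl` into the new `security.mac.enforce_system` is not mentioned in the change description, and nothing next to `mac_enforce_system` says which checks it now gates. Within this change the flag is tested by mac_check_system_acct, mac_check_system_reboot, mac_check_system_sysctl and mac_check_system_swapon (the last previously under `mac_enforce_fs`), so clearing it switches off all four at once. A loader.conf or sysctl.conf entry using the old names would presumably no longer match anything. A comment above the declaration would record this, e.g. `/* Gates the acct, reboot, swapon and sysctl checks; replaces enforce_reboot and enforce_sysctl. */`.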
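Review bot: mac_check_system_acct() hands policies `vp == NULL` together with a NULL label on the disable path, but nothing at the function says so. The neighbouring mac_check_system_swapon() passes `&vp->v_label` unconditionally, so a policy author copying that pattern could dereference the label without a check. A block comment above the function should state that a NULL `vp` means accounting is being turned off and that the label argument is NULL in that case; the same sentence belongs next to `mpo_check_system_acct` in mac_policy.h. `error` is declared without an initializer and is presumably assigned inside MAC_CHECK, which is defined outside this hunk.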
@@ -3078,7 +3095,7 @@
 ASSERT_VOP_LOCKED(vp, "mac_check_system_swapon");
- if (!mac_enforce_fs)
+ if (!mac_enforce_system)
 return (0);
 MAC_CHECK(check_system_swapon, cred, vp, &vp->v_label);
@@ -3095,7 +3112,7 @@
 * XXXMAC: We're very much like to assert the SYSCTL_LOCK here,
 * but since it's not exported from kern_sysctl.c, we can't.
 */
- if (!mac_enforce_sysctl)
+ if (!mac_enforce_system)
 return (0);
 MAC_CHECK(check_system_sysctl, cred, name, namelen, old, oldlenp,
==== //depot/projects/trustedbsd/mac/sys/sys/mac.h#198 (text+ko) ====
@@ -307,6 +307,7 @@
 int mac_check_socket_receive(struct ucred *cred, struct socket *so);
 int mac_check_socket_send(struct ucred *cred, struct socket *so);
 int mac_check_socket_visible(struct ucred *cred, struct socket *so);
+int mac_check_system_acct(struct ucred *cred, struct vnode *vp);
 int mac_check_system_reboot(struct ucred *cred, int howto);
 int mac_check_system_swapon(struct ucred *cred, struct vnode *vp);
 int mac_check_system_sysctl(struct ucred *cred, int *name,
==== //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#153 (text+ko) ====
@@ -316,6 +316,8 @@
 struct socket *so, struct label *socketlabel);
 int (*mpo_check_socket_visible)(struct ucred *cred,
 struct socket *so, struct label *socketlabel);
+ int (*mpo_check_system_acct)(struct ucred *cred,
+ struct vnode *vp, struct label *vlabel);
 int (*mpo_check_system_reboot)(struct ucred *cred, int howto);
 int (*mpo_check_system_swapon)(struct ucred *cred,
 struct vnode *vp, struct label *label);
@@ -514,6 +516,7 @@
 MAC_CHECK_SOCKET_RELABEL,
 MAC_CHECK_SOCKET_SEND,
 MAC_CHECK_SOCKET_VISIBLE,
+ MAC_CHECK_SYSTEM_ACCT,
 MAC_CHECK_SYSTEM_REBOOT,
 MAC_CHECK_SYSTEM_SWAPON,
 MAC_CHECK_SYSTEM_SYSCTL,
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message
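Review bot: `MAC_CHECK_SYSTEM_ACCT` is inserted in the middle of the operation list in mac_policy.h, ahead of `MAC_CHECK_SYSTEM_REBOOT`, so unless the enumerators carry explicit values (not visible here) every later constant is renumbered. The registration switch in kern_mac.c stores `mpe->mpe_function` into a slot chosen by that constant, so a policy module built against the previous header would have its entry points placed in the wrong `mpo_*` slots, with mismatched signatures. Either append new operations at the end of the list, or state in the change description that all policy modules must be rebuilt against this header. The enum and the ops structure both begin and end outside the hunks shown.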