Date: Tue, 29 Oct 2002 14:01:54 -0800 (PST)
From: Robert Watson <rwatson@FreeBSD.org>
To: Perforce Change Reviews <perforce@freebsd.org>
Subject: PERFORCE change 20378 for review
Message-ID: <200210292201.g9TM1s0J060969@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=20378 Change 20378 by rwatson@rwatson_tislabs on 2002/10/29 14:01:12 Teach Biba about acct() -- note that if the target label is NULL (i.e., we're turning off accounting), we require only privilege; if it's non-NULL, then we require privilege and that the target file be high integrity. Affected files ... .. //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#167 edit Differences ... ==== //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#167 (text+ko) ==== @@ -1873,6 +1873,29 @@ } static int +mac_biba_check_system_acct(struct ucred *cred, struct vnode *vp, + struct label *label) +{ + struct mac_biba *subj, *obj; + + if (!mac_biba_enabled) + return (0); + + subj = SLOT(&cred->cr_label); + + if (!mac_biba_subject_privileged(subj)) + return (EPERM); + + if (label == NULL) + return (0); + + obj = SLOT(label); + if (!mac_biba_high_single(obj)) + return (EACCES); + + return (0); +} +static int mac_biba_check_system_swapon(struct ucred *cred, struct vnode *vp, struct label *label) { @@ -2708,6 +2731,8 @@ (macop_t)mac_biba_check_socket_relabel }, { MAC_CHECK_SOCKET_VISIBLE, (macop_t)mac_biba_check_socket_visible }, + { MAC_CHECK_SYSTEM_ACCT, + (macop_t)mac_biba_check_system_acct }, { MAC_CHECK_SYSTEM_SWAPON, (macop_t)mac_biba_check_system_swapon }, { MAC_CHECK_SYSTEM_SYSCTL, To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message
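Review bot: the `if (label == NULL) return (0);` test in mac_biba_check_system_acct() encodes the "accounting is being turned off" case purely by convention, and nothing in the function documents it. A short comment above that test, saying that a NULL label means acct() is disabling accounting and that only privilege is required in that case, would keep a later reader from mistaking it for a missing-label bypass of the high-integrity check that follows. `vp` is not used anywhere in the body, so the same comment could state that the decision is made on `label` alone. Style: the added `}` is followed directly by `+static int` with no blank line between the new function and mac_biba_check_system_swapon(); add one.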