diff options
author | Robert Watson <rwatson@FreeBSD.org> | 2007-06-26 14:14:01 +0000 |
---|---|---|
committer | Robert Watson <rwatson@FreeBSD.org> | 2007-06-26 14:14:01 +0000 |
commit | f1e8bf6dd4ae5a1dc8ab028911da059811bd3a9c (patch) | |
tree | 6ace3718f53e161903fa580eccd02a909bc33998 /sys | |
parent | 544970d64e0af5e3c03710d48dcd7cb10a35927f (diff) | |
download | src-f1e8bf6dd4ae5a1dc8ab028911da059811bd3a9c.tar.gz src-f1e8bf6dd4ae5a1dc8ab028911da059811bd3a9c.zip |
Add a new MAC framework and policy entry point,
mpo_check_proc_setaudit_addr to be used when controlling use of
setaudit_addr(), rather than mpo_check_proc_setaudit(), which takes a
different argument type.
Reviewed by: csjp
Approved by: re (kensmith)
Notes
Notes:
svn path=/head/; revision=171047
Diffstat (limited to 'sys')
-rw-r--r-- | sys/security/audit/audit_syscalls.c | 2 | ||||
-rw-r--r-- | sys/security/mac/mac_audit.c | 10 | ||||
-rw-r--r-- | sys/security/mac/mac_framework.h | 3 | ||||
-rw-r--r-- | sys/security/mac/mac_policy.h | 3 | ||||
-rw-r--r-- | sys/security/mac_stub/mac_stub.c | 8 | ||||
-rw-r--r-- | sys/security/mac_test/mac_test.c | 13 |
6 files changed, 38 insertions, 1 deletions
diff --git a/sys/security/audit/audit_syscalls.c b/sys/security/audit/audit_syscalls.c index 2a12b92b7520..660c2ee648bc 100644 --- a/sys/security/audit/audit_syscalls.c +++ b/sys/security/audit/audit_syscalls.c @@ -591,7 +591,7 @@ setaudit_addr(struct thread *td, struct setaudit_addr_args *uap) oldcred = td->td_proc->p_ucred; crcopy(newcred, oldcred); #ifdef MAC - error = mac_check_proc_setaudit(oldcred, NULL); + error = mac_check_proc_setaudit_addr(oldcred, &aia); if (error) goto fail; #endif diff --git a/sys/security/mac/mac_audit.c b/sys/security/mac/mac_audit.c index c3aad11c4458..69731c7f7c81 100644 --- a/sys/security/mac/mac_audit.c +++ b/sys/security/mac/mac_audit.c @@ -56,6 +56,16 @@ mac_check_proc_setaudit(struct ucred *cred, struct auditinfo *ai) } int +mac_check_proc_setaudit_addr(struct ucred *cred, struct auditinfo_addr *aia) +{ + int error; + + MAC_CHECK(check_proc_setaudit_addr, cred, aia); + + return (error); +} + +int mac_check_proc_setauid(struct ucred *cred, uid_t auid) { int error; diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h index 772fe3783da0..a6df18d68ff7 100644 --- a/sys/security/mac/mac_framework.h +++ b/sys/security/mac/mac_framework.h @@ -51,6 +51,7 @@ #endif struct auditinfo; +struct auditinfo_addr; struct bpf_d; struct cdev; struct componentname; @@ -297,6 +298,8 @@ int mac_check_posix_sem_wait(struct ucred *cred, struct ksem *ksemptr); int mac_check_proc_debug(struct ucred *cred, struct proc *p); int mac_check_proc_sched(struct ucred *cred, struct proc *p); int mac_check_proc_setaudit(struct ucred *cred, struct auditinfo *ai); +int mac_check_proc_setaudit_addr(struct ucred *cred, + struct auditinfo_addr *aia); int mac_check_proc_setauid(struct ucred *cred, uid_t auid); int mac_check_proc_setuid(struct proc *p, struct ucred *cred, uid_t uid); diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h index efe0118a7b67..3728853ea3d2 100644 --- a/sys/security/mac/mac_policy.h +++ b/sys/security/mac/mac_policy.h @@ -450,6 +450,8 @@ typedef int (*mpo_check_proc_sched_t)(struct ucred *cred, struct proc *p); typedef int (*mpo_check_proc_setaudit_t)(struct ucred *cred, struct auditinfo *ai); +typedef int (*mpo_check_proc_setaudit_addr_t)(struct ucred *cred, + struct auditinfo_addr *aia); typedef int (*mpo_check_proc_setauid_t)(struct ucred *cred, uid_t auid); typedef int (*mpo_check_proc_setuid_t)(struct ucred *cred, uid_t uid); typedef int (*mpo_check_proc_seteuid_t)(struct ucred *cred, uid_t euid); @@ -826,6 +828,7 @@ struct mac_policy_ops { mpo_check_proc_debug_t mpo_check_proc_debug; mpo_check_proc_sched_t mpo_check_proc_sched; mpo_check_proc_setaudit_t mpo_check_proc_setaudit; + mpo_check_proc_setaudit_addr_t mpo_check_proc_setaudit_addr; mpo_check_proc_setauid_t mpo_check_proc_setauid; mpo_check_proc_setuid_t mpo_check_proc_setuid; mpo_check_proc_seteuid_t mpo_check_proc_seteuid; diff --git a/sys/security/mac_stub/mac_stub.c b/sys/security/mac_stub/mac_stub.c index 1934d6abf357..7bd23885cf49 100644 --- a/sys/security/mac_stub/mac_stub.c +++ b/sys/security/mac_stub/mac_stub.c @@ -916,6 +916,13 @@ stub_check_proc_setaudit(struct ucred *cred, struct auditinfo *ai) } static int +stub_check_proc_setaudit_addr(struct ucred *cred, struct auditinfo_addr *aia) +{ + + return (0); +} + +static int stub_check_proc_setauid(struct ucred *cred, uid_t auid) { @@ -1579,6 +1586,7 @@ static struct mac_policy_ops mac_stub_ops = .mpo_check_proc_debug = stub_check_proc_debug, .mpo_check_proc_sched = stub_check_proc_sched, .mpo_check_proc_setaudit = stub_check_proc_setaudit, + .mpo_check_proc_setaudit_addr = stub_check_proc_setaudit_addr, .mpo_check_proc_setauid = stub_check_proc_setauid, .mpo_check_proc_setuid = stub_check_proc_setuid, .mpo_check_proc_seteuid = stub_check_proc_seteuid, diff --git a/sys/security/mac_test/mac_test.c b/sys/security/mac_test/mac_test.c index ad49d145d5d3..bbc3cf2d022a 100644 --- a/sys/security/mac_test/mac_test.c +++ b/sys/security/mac_test/mac_test.c @@ -1668,6 +1668,18 @@ mac_test_check_proc_setaudit(struct ucred *cred, struct auditinfo *ai) return (0); } +COUNTER_DECL(check_proc_setaudit_addr); +static int +mac_test_check_proc_setaudit_addr(struct ucred *cred, + struct auditinfo_addr *aia) +{ + + LABEL_CHECK(cred->cr_label, MAGIC_CRED); + COUNTER_INC(check_proc_setaudit_addr); + + return (0); +} + COUNTER_DECL(check_proc_setauid); static int mac_test_check_proc_setauid(struct ucred *cred, uid_t auid) @@ -2608,6 +2620,7 @@ static struct mac_policy_ops mac_test_ops = .mpo_check_proc_debug = mac_test_check_proc_debug, .mpo_check_proc_sched = mac_test_check_proc_sched, .mpo_check_proc_setaudit = mac_test_check_proc_setaudit, + .mpo_check_proc_setaudit_addr = mac_test_check_proc_setaudit_addr, .mpo_check_proc_setauid = mac_test_check_proc_setauid, .mpo_check_proc_setuid = mac_test_check_proc_setuid, .mpo_check_proc_seteuid = mac_test_check_proc_seteuid, |