mirror of
https://git.FreeBSD.org/src.git
synced 2024-12-16 10:20:30 +00:00
Expand scope of the Biba policy to include some of the new entry
points available for enforcement: mac_biba_check_sysarch_ioperm() - Require Biba privilege to make use of privileged machine-dependent interfaces, protecting against bypass of the policy via various mechanisms. mac_biba_check_system_swapoff() - Require Biba privilege to disable swapping against a vnode target. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
This commit is contained in:
parent
436a3d96d7
commit
2b03c68008
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=112574
@ -1877,6 +1877,24 @@ mac_biba_check_socket_visible(struct ucred *cred, struct socket *socket,
|
||||
return (0);
|
||||
}
|
||||
|
||||
static int
|
||||
mac_biba_check_sysarch_ioperm(struct ucred *cred)
|
||||
{
|
||||
struct mac_biba *subj;
|
||||
int error;
|
||||
|
||||
if (!mac_biba_enabled)
|
||||
return (0);
|
||||
|
||||
subj = SLOT(&cred->cr_label);
|
||||
|
||||
error = mac_biba_subject_privileged(subj);
|
||||
if (error)
|
||||
return (error);
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
static int
|
||||
mac_biba_check_system_acct(struct ucred *cred, struct vnode *vp,
|
||||
struct label *label)
|
||||
@ -1944,6 +1962,26 @@ mac_biba_check_system_swapon(struct ucred *cred, struct vnode *vp,
|
||||
return (0);
|
||||
}
|
||||
|
||||
static int
|
||||
mac_biba_check_system_swapoff(struct ucred *cred, struct vnode *vp,
|
||||
struct label *label)
|
||||
{
|
||||
struct mac_biba *subj, *obj;
|
||||
int error;
|
||||
|
||||
if (!mac_biba_enabled)
|
||||
return (0);
|
||||
|
||||
subj = SLOT(&cred->cr_label);
|
||||
obj = SLOT(label);
|
||||
|
||||
error = mac_biba_subject_privileged(subj);
|
||||
if (error)
|
||||
return (error);
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
static int
|
||||
mac_biba_check_system_sysctl(struct ucred *cred, int *name, u_int namelen,
|
||||
void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen)
|
||||
@ -2674,9 +2712,11 @@ static struct mac_policy_ops mac_biba_ops =
|
||||
.mpo_check_socket_deliver = mac_biba_check_socket_deliver,
|
||||
.mpo_check_socket_relabel = mac_biba_check_socket_relabel,
|
||||
.mpo_check_socket_visible = mac_biba_check_socket_visible,
|
||||
.mpo_check_sysarch_ioperm = mac_biba_check_sysarch_ioperm,
|
||||
.mpo_check_system_acct = mac_biba_check_system_acct,
|
||||
.mpo_check_system_settime = mac_biba_check_system_settime,
|
||||
.mpo_check_system_swapon = mac_biba_check_system_swapon,
|
||||
.mpo_check_system_swapoff = mac_biba_check_system_swapoff,
|
||||
.mpo_check_system_sysctl = mac_biba_check_system_sysctl,
|
||||
.mpo_check_vnode_access = mac_biba_check_vnode_open,
|
||||
.mpo_check_vnode_chdir = mac_biba_check_vnode_chdir,
|
||||
|
Loading…
Reference in New Issue
Block a user