1
0
mirror of https://git.FreeBSD.org/src.git synced 2024-12-16 10:20:30 +00:00

Expand scope of the Biba policy to include some of the new entry

points available for enforcement:

  mac_biba_check_sysarch_ioperm() - Require Biba privilege to make
  use of privileged machine-dependent interfaces, protecting against
  bypass of the policy via various mechanisms.

  mac_biba_check_system_swapoff() - Require Biba privilege to disable
  swapping against a vnode target.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
This commit is contained in:
Robert Watson 2003-03-25 01:10:54 +00:00
parent 436a3d96d7
commit 2b03c68008
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=112574

View File

@ -1877,6 +1877,24 @@ mac_biba_check_socket_visible(struct ucred *cred, struct socket *socket,
return (0);
}
static int
mac_biba_check_sysarch_ioperm(struct ucred *cred)
{
struct mac_biba *subj;
int error;
if (!mac_biba_enabled)
return (0);
subj = SLOT(&cred->cr_label);
error = mac_biba_subject_privileged(subj);
if (error)
return (error);
return (0);
}
static int
mac_biba_check_system_acct(struct ucred *cred, struct vnode *vp,
struct label *label)
@ -1944,6 +1962,26 @@ mac_biba_check_system_swapon(struct ucred *cred, struct vnode *vp,
return (0);
}
static int
mac_biba_check_system_swapoff(struct ucred *cred, struct vnode *vp,
struct label *label)
{
struct mac_biba *subj, *obj;
int error;
if (!mac_biba_enabled)
return (0);
subj = SLOT(&cred->cr_label);
obj = SLOT(label);
error = mac_biba_subject_privileged(subj);
if (error)
return (error);
return (0);
}
static int
mac_biba_check_system_sysctl(struct ucred *cred, int *name, u_int namelen,
void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen)
@ -2674,9 +2712,11 @@ static struct mac_policy_ops mac_biba_ops =
.mpo_check_socket_deliver = mac_biba_check_socket_deliver,
.mpo_check_socket_relabel = mac_biba_check_socket_relabel,
.mpo_check_socket_visible = mac_biba_check_socket_visible,
.mpo_check_sysarch_ioperm = mac_biba_check_sysarch_ioperm,
.mpo_check_system_acct = mac_biba_check_system_acct,
.mpo_check_system_settime = mac_biba_check_system_settime,
.mpo_check_system_swapon = mac_biba_check_system_swapon,
.mpo_check_system_swapoff = mac_biba_check_system_swapoff,
.mpo_check_system_sysctl = mac_biba_check_system_sysctl,
.mpo_check_vnode_access = mac_biba_check_vnode_open,
.mpo_check_vnode_chdir = mac_biba_check_vnode_chdir,