mirror/freebsd
1
0
Fork 0
mirror of https://git.FreeBSD.org/src.git synced 2025-01-27 16:39:08 +00:00
Code Issues Releases Activity

Introduce support for Mandatory Access Control and extensible

Browse Source 
kernel access control.

Instrument the kernel ACL retrieval and modification system calls
to invoke MAC framework entry points to authorize these operations.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
This commit is contained in:
Robert Watson 2002-08-01 01:04:16 +00:00
parent 256e0b2bbb
commit c86ca022eb
Notes: svn2git 2020-12-20 02:59:44 +00:00 
svn path=/head/; revision=101122
3 changed files with 84 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
sys/kern/kern_acl.c
View File

@ -32,10 +32,13 @@
* Support for POSIX.1e access control lists.
*/
#include "opt_mac.h"
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/sysproto.h>
#include <sys/kernel.h>
#include <sys/mac.h>
#include <sys/malloc.h>
#include <sys/vnode.h>
#include <sys/lock.h>
@ -582,7 +585,15 @@ vacl_set_acl(struct thread *td, struct vnode *vp, acl_type_t type,
return (error);
VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE);
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
#ifdef MAC
error = mac_check_vnode_setacl(td->td_ucred, vp, type, &inkernacl);
if (error != 0)
goto out;
#endif
error = VOP_SETACL(vp, type, &inkernacl, td->td_ucred, td);
#ifdef MAC
out:
#endif
VOP_UNLOCK(vp, 0, td);
vn_finished_write(mp);
return(error);
@ -600,7 +611,15 @@ vacl_get_acl(struct thread *td, struct vnode *vp, acl_type_t type,
VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE);
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
#ifdef MAC
error = mac_check_vnode_getacl(td->td_ucred, vp, type);
if (error != 0)
goto out;
#endif
error = VOP_GETACL(vp, type, &inkernelacl, td->td_ucred, td);
#ifdef MAC
out:
#endif
VOP_UNLOCK(vp, 0, td);
if (error == 0)
error = copyout(&inkernelacl, aclp, sizeof(struct acl));
@ -621,7 +640,15 @@ vacl_delete(struct thread *td, struct vnode *vp, acl_type_t type)
return (error);
VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE);
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
error = VOP_SETACL(vp, type, NULL, td->td_ucred, td);
#ifdef MAC
error = mac_check_vnode_deleteacl(td->td_ucred, vp, type);
if (error)
goto out;
#endif
error = VOP_SETACL(vp, type, 0, td->td_ucred, td);
#ifdef MAC
out:
#endif
VOP_UNLOCK(vp, 0, td);
vn_finished_write(mp);
return (error);

29
sys/kern/subr_acl_posix1e.c
View File

@ -32,10 +32,13 @@
* Support for POSIX.1e access control lists.
*/
#include "opt_mac.h"
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/sysproto.h>
#include <sys/kernel.h>
#include <sys/mac.h>
#include <sys/malloc.h>
#include <sys/vnode.h>
#include <sys/lock.h>
@ -582,7 +585,15 @@ vacl_set_acl(struct thread *td, struct vnode *vp, acl_type_t type,
return (error);
VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE);
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
#ifdef MAC
error = mac_check_vnode_setacl(td->td_ucred, vp, type, &inkernacl);
if (error != 0)
goto out;
#endif
error = VOP_SETACL(vp, type, &inkernacl, td->td_ucred, td);
#ifdef MAC
out:
#endif
VOP_UNLOCK(vp, 0, td);
vn_finished_write(mp);
return(error);
@ -600,7 +611,15 @@ vacl_get_acl(struct thread *td, struct vnode *vp, acl_type_t type,
VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE);
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
#ifdef MAC
error = mac_check_vnode_getacl(td->td_ucred, vp, type);
if (error != 0)
goto out;
#endif
error = VOP_GETACL(vp, type, &inkernelacl, td->td_ucred, td);
#ifdef MAC
out:
#endif
VOP_UNLOCK(vp, 0, td);
if (error == 0)
error = copyout(&inkernelacl, aclp, sizeof(struct acl));
@ -621,7 +640,15 @@ vacl_delete(struct thread *td, struct vnode *vp, acl_type_t type)
return (error);
VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE);
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
error = VOP_SETACL(vp, type, NULL, td->td_ucred, td);
#ifdef MAC
error = mac_check_vnode_deleteacl(td->td_ucred, vp, type);
if (error)
goto out;
#endif
error = VOP_SETACL(vp, type, 0, td->td_ucred, td);
#ifdef MAC
out:
#endif
VOP_UNLOCK(vp, 0, td);
vn_finished_write(mp);
return (error);

29
sys/kern/vfs_acl.c
View File

@ -32,10 +32,13 @@
* Support for POSIX.1e access control lists.
*/
#include "opt_mac.h"
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/sysproto.h>
#include <sys/kernel.h>
#include <sys/mac.h>
#include <sys/malloc.h>
#include <sys/vnode.h>
#include <sys/lock.h>
@ -582,7 +585,15 @@ vacl_set_acl(struct thread *td, struct vnode *vp, acl_type_t type,
return (error);
VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE);
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
#ifdef MAC
error = mac_check_vnode_setacl(td->td_ucred, vp, type, &inkernacl);
if (error != 0)
goto out;
#endif
error = VOP_SETACL(vp, type, &inkernacl, td->td_ucred, td);
#ifdef MAC
out:
#endif
VOP_UNLOCK(vp, 0, td);
vn_finished_write(mp);
return(error);
@ -600,7 +611,15 @@ vacl_get_acl(struct thread *td, struct vnode *vp, acl_type_t type,
VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE);
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
#ifdef MAC
error = mac_check_vnode_getacl(td->td_ucred, vp, type);
if (error != 0)
goto out;
#endif
error = VOP_GETACL(vp, type, &inkernelacl, td->td_ucred, td);
#ifdef MAC
out:
#endif
VOP_UNLOCK(vp, 0, td);
if (error == 0)
error = copyout(&inkernelacl, aclp, sizeof(struct acl));
@ -621,7 +640,15 @@ vacl_delete(struct thread *td, struct vnode *vp, acl_type_t type)
return (error);
VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE);
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
error = VOP_SETACL(vp, type, NULL, td->td_ucred, td);
#ifdef MAC
error = mac_check_vnode_deleteacl(td->td_ucred, vp, type);
if (error)
goto out;
#endif
error = VOP_SETACL(vp, type, 0, td->td_ucred, td);
#ifdef MAC
out:
#endif
VOP_UNLOCK(vp, 0, td);
vn_finished_write(mp);
return (error);