d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Provide a mac_check_system_swapoff() entry point, which permits MAC

Browse Source 
modules to authorize disabling of swap against a particular vnode.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
This commit is contained in:
Robert Watson 2003-03-05 23:50:15 +00:00
parent a184d471e2
commit 1b2c2ab29a
Notes: svn2git 2020-12-20 02:59:44 +00:00 
svn path=/head/; revision=111936
14 changed files with 140 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
sys/kern/kern_mac.c
View File

@ -2693,6 +2693,20 @@ mac_check_system_swapon(struct ucred *cred, struct vnode *vp)
return (error);
}
int
mac_check_system_swapoff(struct ucred *cred, struct vnode *vp)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_check_system_swapoff");
if (!mac_enforce_system)
return (0);
MAC_CHECK(check_system_swapoff, cred, vp, &vp->v_label);
return (error);
}
int
mac_check_system_sysctl(struct ucred *cred, int *name, u_int namelen,
void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen)

14
sys/security/mac/mac_framework.c
View File

@ -2693,6 +2693,20 @@ mac_check_system_swapon(struct ucred *cred, struct vnode *vp)
return (error);
}
int
mac_check_system_swapoff(struct ucred *cred, struct vnode *vp)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_check_system_swapoff");
if (!mac_enforce_system)
return (0);
MAC_CHECK(check_system_swapoff, cred, vp, &vp->v_label);
return (error);
}
int
mac_check_system_sysctl(struct ucred *cred, int *name, u_int namelen,
void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen)

1
sys/security/mac/mac_framework.h
View File

@ -269,6 +269,7 @@ int mac_check_system_nfsd(struct ucred *cred);
int mac_check_system_reboot(struct ucred *cred, int howto);
int mac_check_system_settime(struct ucred *cred);
int mac_check_system_swapon(struct ucred *cred, struct vnode *vp);
int mac_check_system_swapoff(struct ucred *cred, struct vnode *vp);
int mac_check_system_sysctl(struct ucred *cred, int *name,
u_int namelen, void *old, size_t *oldlenp, int inkernel,
void *new, size_t newlen);

14
sys/security/mac/mac_internal.h
View File

@ -2693,6 +2693,20 @@ mac_check_system_swapon(struct ucred *cred, struct vnode *vp)
return (error);
}
int
mac_check_system_swapoff(struct ucred *cred, struct vnode *vp)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_check_system_swapoff");
if (!mac_enforce_system)
return (0);
MAC_CHECK(check_system_swapoff, cred, vp, &vp->v_label);
return (error);
}
int
mac_check_system_sysctl(struct ucred *cred, int *name, u_int namelen,
void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen)

14
sys/security/mac/mac_net.c
View File

@ -2693,6 +2693,20 @@ mac_check_system_swapon(struct ucred *cred, struct vnode *vp)
return (error);
}
int
mac_check_system_swapoff(struct ucred *cred, struct vnode *vp)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_check_system_swapoff");
if (!mac_enforce_system)
return (0);
MAC_CHECK(check_system_swapoff, cred, vp, &vp->v_label);
return (error);
}
int
mac_check_system_sysctl(struct ucred *cred, int *name, u_int namelen,
void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen)

14
sys/security/mac/mac_pipe.c
View File

@ -2693,6 +2693,20 @@ mac_check_system_swapon(struct ucred *cred, struct vnode *vp)
return (error);
}
int
mac_check_system_swapoff(struct ucred *cred, struct vnode *vp)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_check_system_swapoff");
if (!mac_enforce_system)
return (0);
MAC_CHECK(check_system_swapoff, cred, vp, &vp->v_label);
return (error);
}
int
mac_check_system_sysctl(struct ucred *cred, int *name, u_int namelen,
void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen)

2
sys/security/mac/mac_policy.h
View File

@ -329,6 +329,8 @@ struct mac_policy_ops {
int (*mpo_check_system_settime)(struct ucred *cred);
int (*mpo_check_system_swapon)(struct ucred *cred,
struct vnode *vp, struct label *label);
int (*mpo_check_system_swapoff)(struct ucred *cred,
struct vnode *vp, struct label *label);
int (*mpo_check_system_sysctl)(struct ucred *cred, int *name,
u_int namelen, void *old, size_t *oldlenp, int inkernel,
void *new, size_t newlen);

14
sys/security/mac/mac_process.c
View File

@ -2693,6 +2693,20 @@ mac_check_system_swapon(struct ucred *cred, struct vnode *vp)
return (error);
}
int
mac_check_system_swapoff(struct ucred *cred, struct vnode *vp)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_check_system_swapoff");
if (!mac_enforce_system)
return (0);
MAC_CHECK(check_system_swapoff, cred, vp, &vp->v_label);
return (error);
}
int
mac_check_system_sysctl(struct ucred *cred, int *name, u_int namelen,
void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen)

14
sys/security/mac/mac_syscalls.c
View File

@ -2693,6 +2693,20 @@ mac_check_system_swapon(struct ucred *cred, struct vnode *vp)
return (error);
}
int
mac_check_system_swapoff(struct ucred *cred, struct vnode *vp)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_check_system_swapoff");
if (!mac_enforce_system)
return (0);
MAC_CHECK(check_system_swapoff, cred, vp, &vp->v_label);
return (error);
}
int
mac_check_system_sysctl(struct ucred *cred, int *name, u_int namelen,
void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen)

14
sys/security/mac/mac_system.c
View File

@ -2693,6 +2693,20 @@ mac_check_system_swapon(struct ucred *cred, struct vnode *vp)
return (error);
}
int
mac_check_system_swapoff(struct ucred *cred, struct vnode *vp)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_check_system_swapoff");
if (!mac_enforce_system)
return (0);
MAC_CHECK(check_system_swapoff, cred, vp, &vp->v_label);
return (error);
}
int
mac_check_system_sysctl(struct ucred *cred, int *name, u_int namelen,
void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen)

14
sys/security/mac/mac_vfs.c
View File

@ -2693,6 +2693,20 @@ mac_check_system_swapon(struct ucred *cred, struct vnode *vp)
return (error);
}
int
mac_check_system_swapoff(struct ucred *cred, struct vnode *vp)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_check_system_swapoff");
if (!mac_enforce_system)
return (0);
MAC_CHECK(check_system_swapoff, cred, vp, &vp->v_label);
return (error);
}
int
mac_check_system_sysctl(struct ucred *cred, int *name, u_int namelen,
void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen)

1
sys/sys/mac.h
View File

@ -269,6 +269,7 @@ int mac_check_system_nfsd(struct ucred *cred);
int mac_check_system_reboot(struct ucred *cred, int howto);
int mac_check_system_settime(struct ucred *cred);
int mac_check_system_swapon(struct ucred *cred, struct vnode *vp);
int mac_check_system_swapoff(struct ucred *cred, struct vnode *vp);
int mac_check_system_sysctl(struct ucred *cred, int *name,
u_int namelen, void *old, size_t *oldlenp, int inkernel,
void *new, size_t newlen);

2
sys/sys/mac_policy.h
View File

@ -329,6 +329,8 @@ struct mac_policy_ops {
int (*mpo_check_system_settime)(struct ucred *cred);
int (*mpo_check_system_swapon)(struct ucred *cred,
struct vnode *vp, struct label *label);
int (*mpo_check_system_swapoff)(struct ucred *cred,
struct vnode *vp, struct label *label);
int (*mpo_check_system_sysctl)(struct ucred *cred, int *name,
u_int namelen, void *old, size_t *oldlenp, int inkernel,
void *new, size_t newlen);

8
sys/vm/vm_swap.c
View File

@ -433,6 +433,14 @@ swapoff(td, uap)
error = EINVAL;
goto done;
found:
#ifdef MAC
(void) vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
error = mac_check_system_swapoff(td->td_ucred, vp);
(void) VOP_UNLOCK(vp, 0, td);
if (error != 0)
goto done;
#endif
nblks = sp->sw_nblks;
/*