Introduce support for Mandatory Access Control and extensible

kernel access control

Invoke appropriate MAC framework entry points to authorize a number
of vnode operations, including read, write, stat, poll.  This permits
MAC policies to revoke access to files following label changes,
and to limit information spread about the file to user processes.

Note: currently the file's cached credential is used for some of
these authorization checks.  We will need to expand some of the
MAC entry point APIs to permit multiple creds to be passed to
the access control check to allow diverse policy behavior.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
This commit is contained in:
Robert Watson 2002-08-01 17:23:22 +00:00
parent c0727dcbfe
commit 4a58340e98
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=101166


@ -393,9 +393,17 @@ vn_rdwr(rw, vp, base, len, offset, segflg, ioflg, cred, aresid, td)
auio.uio_rw = rw;
auio.uio_td = td;
if (rw == UIO_READ) {
error = VOP_READ(vp, &auio, ioflg, cred);
#ifdef MAC
error = mac_check_vnode_op(cred, vp, MAC_OP_VNODE_READ);
if (error == 0)
#endif
error = VOP_READ(vp, &auio, ioflg, cred);
} else {
error = VOP_WRITE(vp, &auio, ioflg, cred);
#ifdef MAC
error = mac_check_vnode_op(cred, vp, MAC_OP_VNODE_WRITE);
if (error == 0)
#endif
error = VOP_WRITE(vp, &auio, ioflg, cred);
}
if (aresid)
*aresid = auio.uio_resid;
@ -482,7 +490,11 @@ vn_read(fp, uio, cred, flags, td)
ioflag |= sequential_heuristic(uio, fp);
error = VOP_READ(vp, uio, ioflag, cred);
#ifdef MAC
error = mac_check_vnode_op(cred, vp, MAC_OP_VNODE_READ);
if (error == 0)
#endif
error = VOP_READ(vp, uio, ioflag, cred);
if ((flags & FOF_OFFSET) == 0)
fp->f_offset = uio->uio_offset;
fp->f_nextoff = uio->uio_offset;
@ -533,7 +545,11 @@ vn_write(fp, uio, cred, flags, td)
if ((flags & FOF_OFFSET) == 0)
uio->uio_offset = fp->f_offset;
ioflag |= sequential_heuristic(uio, fp);
error = VOP_WRITE(vp, uio, ioflag, cred);
#ifdef MAC
error = mac_check_vnode_op(cred, vp, MAC_OP_VNODE_WRITE);
if (error == 0)
#endif
error = VOP_WRITE(vp, uio, ioflag, cred);
if ((flags & FOF_OFFSET) == 0)
fp->f_offset = uio->uio_offset;
fp->f_nextoff = uio->uio_offset;
@ -576,6 +592,12 @@ vn_stat(vp, sb, td)
int error;
u_short mode;
#ifdef MAC
error = mac_check_vnode_stat(td->td_ucred, vp);
if (error)
return (error);
#endif
vap = &vattr;
error = VOP_GETATTR(vp, vap, td->td_ucred, td);
if (error)
@ -757,6 +779,19 @@ vn_poll(fp, events, cred, td)
struct ucred *cred;
struct thread *td;
{
struct vnode *vp;
#ifdef MAC
int error;
#endif
vp = (struct vnode *)fp->f_data;
#ifdef MAC
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
error = mac_check_vnode_op(cred, vp, MAC_OP_VNODE_POLL);
VOP_UNLOCK(vp, 0, td);
if (error)
return (error);
#endif
return (VOP_POLL(((struct vnode *)fp->f_data), events, cred, td));
}
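Review bot: In the vn_rdwr, vn_read and vn_write hunks the `if (error == 0)` guarding VOP_READ/VOP_WRITE sits inside an `#ifdef MAC` while its body is outside it, so the control flow only exists in MAC kernels and any statement later inserted between the `#endif` and the VOP call would silently become the conditional body in one configuration and a plain statement in the other. Keeping the structure visible in both builds is a two-line change per site: add `error = 0;` before the `#ifdef MAC`, and move `if (error == 0)` below the `#endif` so the VOP call is conditional regardless of the build option. The same pattern appears in all three hunks; vn_stat is unaffected since it returns on error directly. vn_poll takes the vnode lock around its mac_check_vnode_op call while the rdwr, read and write sites do not in the visible lines — presumably the callers' existing locks cover them, but that is not visible in these hunks and is worth a comment at the check if it is a precondition. vn_rdwr, vn_read and vn_write all begin and end outside their hunks.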