In mac_bsdextended's auditctl and acct policy access control checks,
return success if the passed vnode pointer is NULL (rather than panicking). This can occur if either audit or accounting is disabled while the policy is running.

Since the swapoff control has no real relevance to this policy, which is concerned about intent to write rather than water under the bridge, remove it.

PR: kern/126100
Reported by: Alan Amesbury <amesbury at umn dot edu>
MFC after: 3 days
parent
006c3d2eb6
commit
80794edc05
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=181069
@ -451,7 +451,10 @@ ugidfw_system_check_acct(struct ucred *cred, struct vnode *vp,
|
||||
struct label *vplabel)
|
||||
{
|
||||
|
||||
return (ugidfw_check_vp(cred, vp, MBI_WRITE));
|
||||
if (vp != NULL)
|
||||
return (ugidfw_check_vp(cred, vp, MBI_WRITE));
|
||||
else
|
||||
return (0);
|
||||
}
|
||||
|
||||
static int
|
||||
@ -459,15 +462,10 @@ ugidfw_system_check_auditctl(struct ucred *cred, struct vnode *vp,
|
||||
struct label *vplabel)
|
||||
{
|
||||
|
||||
return (ugidfw_check_vp(cred, vp, MBI_WRITE));
|
||||
}
|
||||
|
||||
static int
|
||||
ugidfw_system_check_swapoff(struct ucred *cred, struct vnode *vp,
|
||||
struct label *vplabel)
|
||||
{
|
||||
|
||||
return (ugidfw_check_vp(cred, vp, MBI_WRITE));
|
||||
if (vp != NULL)
|
||||
return (ugidfw_check_vp(cred, vp, MBI_WRITE));
|
||||
else
|
||||
return (0);
|
||||
}
|
||||
|
||||
static int
|
||||
@ -720,7 +718,6 @@ static struct mac_policy_ops ugidfw_ops =
|
||||
.mpo_init = ugidfw_init,
|
||||
.mpo_system_check_acct = ugidfw_system_check_acct,
|
||||
.mpo_system_check_auditctl = ugidfw_system_check_auditctl,
|
||||
.mpo_system_check_swapoff = ugidfw_system_check_swapoff,
|
||||
.mpo_system_check_swapon = ugidfw_system_check_swapon,
|
||||
.mpo_vnode_check_access = ugidfw_vnode_check_access,
|
||||
.mpo_vnode_check_chdir = ugidfw_vnode_check_chdir,
|
||||
|
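Review bot: The new `vp != NULL` / `else return (0);` branches in ugidfw_system_check_acct and ugidfw_system_check_auditctl carry no comment, so a reader sees a MAC check that allows the operation whenever the object is missing, with nothing to say this is deliberate. Per the commit message, a NULL vnode is what arrives when accounting or audit is being turned off, and this file-rule policy then has nothing to match; I would state that above each branch, e.g. `/* vp == NULL: accounting/audit is being disabled; no file to match rules against, so this policy does not object. */`. Because switching audit off is itself a security-relevant action, the comment should also say that the decision is left to whatever privilege or other policy checks the caller applies, which are not visible in these hunks. As a style point, the `else` after `return` is redundant; a guard `if (vp == NULL) return (0);` followed by the existing `ugidfw_check_vp` call reads more directly in both functions.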