Remove mac_enforce_subsystem debugging sysctls. Enforcement on
subsystems will be a property of policy modules, which may require access control check entry points to be invoked even when not actively enforcing (i.e., to track information flow without providing protection). Obtained from: TrustedBSD Project Suggested by: Christopher dot Vance at sparta dot com
This commit is contained in:
Robert Watson
parent
94632b9fe1
commit
e66fe0e1db
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=165433
@ -741,9 +741,7 @@ __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
|
||||
crhold(newcred);
|
||||
PROC_UNLOCK(p);
|
||||
|
||||
if (mac_enforce_vm) {
|
||||
mac_cred_mmapped_drop_perms(td, newcred);
|
||||
}
|
||||
mac_cred_mmapped_drop_perms(td, newcred);
|
||||
|
||||
crfree(newcred); /* Free revocation reference. */
|
||||
crfree(oldcred);
|
||||
|
||||
@ -741,9 +741,7 @@ __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
|
||||
crhold(newcred);
|
||||
PROC_UNLOCK(p);
|
||||
|
||||
if (mac_enforce_vm) {
|
||||
mac_cred_mmapped_drop_perms(td, newcred);
|
||||
}
|
||||
mac_cred_mmapped_drop_perms(td, newcred);
|
||||
|
||||
crfree(newcred); /* Free revocation reference. */
|
||||
crfree(oldcred);
|
||||
|
||||
@ -260,9 +260,6 @@ mac_check_inpcb_deliver(struct inpcb *inp, struct mbuf *m)
|
||||
|
||||
M_ASSERTPKTHDR(m);
|
||||
|
||||
if (!mac_enforce_socket)
|
||||
return (0);
|
||||
|
||||
label = mac_mbuf_to_label(m);
|
||||
|
||||
MAC_CHECK(check_inpcb_deliver, inp, inp->inp_label, m, label);
|
||||
|
||||
@ -61,10 +61,6 @@ MALLOC_DECLARE(M_MACTEMP);
|
||||
extern struct mac_policy_list_head mac_policy_list;
|
||||
extern struct mac_policy_list_head mac_static_policy_list;
|
||||
extern int mac_late;
|
||||
extern int mac_enforce_network;
|
||||
extern int mac_enforce_process;
|
||||
extern int mac_enforce_socket;
|
||||
extern int mac_enforce_vm;
|
||||
#ifndef MAC_ALWAYS_LABEL_MBUF
|
||||
extern int mac_labelmbufs;
|
||||
#endif
|
||||
|
||||
@ -65,15 +65,6 @@ __FBSDID("$FreeBSD$");
|
||||
#include <security/mac/mac_framework.h>
|
||||
#include <security/mac/mac_internal.h>
|
||||
|
||||
/*
|
||||
* mac_enforce_network is used by IPv4 and IPv6 checks, and so must be
|
||||
* non-static for now.
|
||||
*/
|
||||
int mac_enforce_network = 1;
|
||||
SYSCTL_INT(_security_mac, OID_AUTO, enforce_network, CTLFLAG_RW,
|
||||
&mac_enforce_network, 0, "Enforce MAC policy on network packets");
|
||||
TUNABLE_INT("security.mac.enforce_network", &mac_enforce_network);
|
||||
|
||||
/*
|
||||
* XXXRW: struct ifnet locking is incomplete in the network code, so we use
|
||||
* our own global mutex for struct ifnet. Non-ideal, but should help in the
|
||||
@ -383,9 +374,6 @@ mac_check_bpfdesc_receive(struct bpf_d *bpf_d, struct ifnet *ifnet)
|
||||
|
||||
BPFD_LOCK_ASSERT(bpf_d);
|
||||
|
||||
if (!mac_enforce_network)
|
||||
return (0);
|
||||
|
||||
MAC_IFNET_LOCK(ifnet);
|
||||
MAC_CHECK(check_bpfdesc_receive, bpf_d, bpf_d->bd_label, ifnet,
|
||||
ifnet->if_label);
|
||||
@ -402,9 +390,6 @@ mac_check_ifnet_transmit(struct ifnet *ifnet, struct mbuf *mbuf)
|
||||
|
||||
M_ASSERTPKTHDR(mbuf);
|
||||
|
||||
if (!mac_enforce_network)
|
||||
return (0);
|
||||
|
||||
label = mac_mbuf_to_label(mbuf);
|
||||
|
||||
MAC_IFNET_LOCK(ifnet);
|
||||
|
||||
@ -52,11 +52,6 @@ __FBSDID("$FreeBSD$");
|
||||
#include <security/mac/mac_framework.h>
|
||||
#include <security/mac/mac_internal.h>
|
||||
|
||||
static int mac_enforce_pipe = 1;
|
||||
SYSCTL_INT(_security_mac, OID_AUTO, enforce_pipe, CTLFLAG_RW,
|
||||
&mac_enforce_pipe, 0, "Enforce MAC policy on pipe operations");
|
||||
TUNABLE_INT("security.mac.enforce_pipe", &mac_enforce_pipe);
|
||||
|
||||
struct label *
|
||||
mac_pipe_label_alloc(void)
|
||||
{
|
||||
@ -141,9 +136,6 @@ mac_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp,
|
||||
|
||||
mtx_assert(&pp->pp_mtx, MA_OWNED);
|
||||
|
||||
if (!mac_enforce_pipe)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_pipe_ioctl, cred, pp, pp->pp_label, cmd, data);
|
||||
|
||||
return (error);
|
||||
@ -156,9 +148,6 @@ mac_check_pipe_poll(struct ucred *cred, struct pipepair *pp)
|
||||
|
||||
mtx_assert(&pp->pp_mtx, MA_OWNED);
|
||||
|
||||
if (!mac_enforce_pipe)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_pipe_poll, cred, pp, pp->pp_label);
|
||||
|
||||
return (error);
|
||||
@ -171,9 +160,6 @@ mac_check_pipe_read(struct ucred *cred, struct pipepair *pp)
|
||||
|
||||
mtx_assert(&pp->pp_mtx, MA_OWNED);
|
||||
|
||||
if (!mac_enforce_pipe)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_pipe_read, cred, pp, pp->pp_label);
|
||||
|
||||
return (error);
|
||||
@ -187,9 +173,6 @@ mac_check_pipe_relabel(struct ucred *cred, struct pipepair *pp,
|
||||
|
||||
mtx_assert(&pp->pp_mtx, MA_OWNED);
|
||||
|
||||
if (!mac_enforce_pipe)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_pipe_relabel, cred, pp, pp->pp_label, newlabel);
|
||||
|
||||
return (error);
|
||||
@ -202,9 +185,6 @@ mac_check_pipe_stat(struct ucred *cred, struct pipepair *pp)
|
||||
|
||||
mtx_assert(&pp->pp_mtx, MA_OWNED);
|
||||
|
||||
if (!mac_enforce_pipe)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_pipe_stat, cred, pp, pp->pp_label);
|
||||
|
||||
return (error);
|
||||
@ -217,9 +197,6 @@ mac_check_pipe_write(struct ucred *cred, struct pipepair *pp)
|
||||
|
||||
mtx_assert(&pp->pp_mtx, MA_OWNED);
|
||||
|
||||
if (!mac_enforce_pipe)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_pipe_write, cred, pp, pp->pp_label);
|
||||
|
||||
return (error);
|
||||
|
||||
@ -49,11 +49,6 @@ __FBSDID("$FreeBSD$");
|
||||
#include <security/mac/mac_framework.h>
|
||||
#include <security/mac/mac_internal.h>
|
||||
|
||||
static int mac_enforce_posix_sem = 1;
|
||||
SYSCTL_INT(_security_mac, OID_AUTO, enforce_posix_sem, CTLFLAG_RW,
|
||||
&mac_enforce_posix_sem, 0, "Enforce MAC policy on global POSIX semaphores");
|
||||
TUNABLE_INT("security.mac.enforce_posix_sem", &mac_enforce_posix_sem);
|
||||
|
||||
static struct label *
|
||||
mac_posix_sem_label_alloc(void)
|
||||
{
|
||||
@ -98,9 +93,6 @@ mac_check_posix_sem_destroy(struct ucred *cred, struct ksem *ksemptr)
|
||||
{
|
||||
int error;
|
||||
|
||||
if (!mac_enforce_posix_sem)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_posix_sem_destroy, cred, ksemptr, ksemptr->ks_label);
|
||||
|
||||
return(error);
|
||||
@ -111,9 +103,6 @@ mac_check_posix_sem_open(struct ucred *cred, struct ksem *ksemptr)
|
||||
{
|
||||
int error;
|
||||
|
||||
if (!mac_enforce_posix_sem)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_posix_sem_open, cred, ksemptr, ksemptr->ks_label);
|
||||
|
||||
return(error);
|
||||
@ -124,9 +113,6 @@ mac_check_posix_sem_getvalue(struct ucred *cred, struct ksem *ksemptr)
|
||||
{
|
||||
int error;
|
||||
|
||||
if (!mac_enforce_posix_sem)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_posix_sem_getvalue, cred, ksemptr,
|
||||
ksemptr->ks_label);
|
||||
|
||||
@ -138,9 +124,6 @@ mac_check_posix_sem_post(struct ucred *cred, struct ksem *ksemptr)
|
||||
{
|
||||
int error;
|
||||
|
||||
if (!mac_enforce_posix_sem)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_posix_sem_post, cred, ksemptr, ksemptr->ks_label);
|
||||
|
||||
return(error);
|
||||
@ -151,9 +134,6 @@ mac_check_posix_sem_unlink(struct ucred *cred, struct ksem *ksemptr)
|
||||
{
|
||||
int error;
|
||||
|
||||
if (!mac_enforce_posix_sem)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_posix_sem_unlink, cred, ksemptr, ksemptr->ks_label);
|
||||
|
||||
return(error);
|
||||
@ -164,9 +144,6 @@ mac_check_posix_sem_wait(struct ucred *cred, struct ksem *ksemptr)
|
||||
{
|
||||
int error;
|
||||
|
||||
if (!mac_enforce_posix_sem)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_posix_sem_wait, cred, ksemptr, ksemptr->ks_label);
|
||||
|
||||
return(error);
|
||||
|
||||
@ -67,16 +67,6 @@ __FBSDID("$FreeBSD$");
|
||||
#include <security/mac/mac_framework.h>
|
||||
#include <security/mac/mac_internal.h>
|
||||
|
||||
int mac_enforce_process = 1;
|
||||
SYSCTL_INT(_security_mac, OID_AUTO, enforce_process, CTLFLAG_RW,
|
||||
&mac_enforce_process, 0, "Enforce MAC policy on inter-process operations");
|
||||
TUNABLE_INT("security.mac.enforce_process", &mac_enforce_process);
|
||||
|
||||
int mac_enforce_vm = 1;
|
||||
SYSCTL_INT(_security_mac, OID_AUTO, enforce_vm, CTLFLAG_RW,
|
||||
&mac_enforce_vm, 0, "Enforce MAC policy on vm operations");
|
||||
TUNABLE_INT("security.mac.enforce_vm", &mac_enforce_vm);
|
||||
|
||||
static int mac_mmap_revocation = 1;
|
||||
SYSCTL_INT(_security_mac, OID_AUTO, mmap_revocation, CTLFLAG_RW,
|
||||
&mac_mmap_revocation, 0, "Revoke mmap access to files on subject "
|
||||
@ -87,11 +77,6 @@ SYSCTL_INT(_security_mac, OID_AUTO, mmap_revocation_via_cow, CTLFLAG_RW,
|
||||
&mac_mmap_revocation_via_cow, 0, "Revoke mmap access to files via "
|
||||
"copy-on-write semantics, or by removing all write access");
|
||||
|
||||
static int mac_enforce_suid = 1;
|
||||
SYSCTL_INT(_security_mac, OID_AUTO, enforce_suid, CTLFLAG_RW,
|
||||
&mac_enforce_suid, 0, "Enforce MAC policy on suid/sgid operations");
|
||||
TUNABLE_INT("security.mac.enforce_suid", &mac_enforce_suid);
|
||||
|
||||
static void mac_cred_mmapped_drop_perms_recurse(struct thread *td,
|
||||
struct ucred *cred, struct vm_map *map);
|
||||
|
||||
@ -466,9 +451,6 @@ mac_check_cred_visible(struct ucred *u1, struct ucred *u2)
|
||||
{
|
||||
int error;
|
||||
|
||||
if (!mac_enforce_process)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_cred_visible, u1, u2);
|
||||
|
||||
return (error);
|
||||
@ -481,9 +463,6 @@ mac_check_proc_debug(struct ucred *cred, struct proc *proc)
|
||||
|
||||
PROC_LOCK_ASSERT(proc, MA_OWNED);
|
||||
|
||||
if (!mac_enforce_process)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_proc_debug, cred, proc);
|
||||
|
||||
return (error);
|
||||
@ -496,9 +475,6 @@ mac_check_proc_sched(struct ucred *cred, struct proc *proc)
|
||||
|
||||
PROC_LOCK_ASSERT(proc, MA_OWNED);
|
||||
|
||||
if (!mac_enforce_process)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_proc_sched, cred, proc);
|
||||
|
||||
return (error);
|
||||
@ -511,9 +487,6 @@ mac_check_proc_signal(struct ucred *cred, struct proc *proc, int signum)
|
||||
|
||||
PROC_LOCK_ASSERT(proc, MA_OWNED);
|
||||
|
||||
if (!mac_enforce_process)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_proc_signal, cred, proc, signum);
|
||||
|
||||
return (error);
|
||||
@ -526,9 +499,6 @@ mac_check_proc_setuid(struct proc *proc, struct ucred *cred, uid_t uid)
|
||||
|
||||
PROC_LOCK_ASSERT(proc, MA_OWNED);
|
||||
|
||||
if (!mac_enforce_suid)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_proc_setuid, cred, uid);
|
||||
return (error);
|
||||
}
|
||||
@ -540,9 +510,6 @@ mac_check_proc_seteuid(struct proc *proc, struct ucred *cred, uid_t euid)
|
||||
|
||||
PROC_LOCK_ASSERT(proc, MA_OWNED);
|
||||
|
||||
if (!mac_enforce_suid)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_proc_seteuid, cred, euid);
|
||||
return (error);
|
||||
}
|
||||
@ -554,9 +521,6 @@ mac_check_proc_setgid(struct proc *proc, struct ucred *cred, gid_t gid)
|
||||
|
||||
PROC_LOCK_ASSERT(proc, MA_OWNED);
|
||||
|
||||
if (!mac_enforce_suid)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_proc_setgid, cred, gid);
|
||||
return (error);
|
||||
}
|
||||
@ -568,9 +532,6 @@ mac_check_proc_setegid(struct proc *proc, struct ucred *cred, gid_t egid)
|
||||
|
||||
PROC_LOCK_ASSERT(proc, MA_OWNED);
|
||||
|
||||
if (!mac_enforce_suid)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_proc_setegid, cred, egid);
|
||||
return (error);
|
||||
}
|
||||
@ -583,9 +544,6 @@ mac_check_proc_setgroups(struct proc *proc, struct ucred *cred,
|
||||
|
||||
PROC_LOCK_ASSERT(proc, MA_OWNED);
|
||||
|
||||
if (!mac_enforce_suid)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_proc_setgroups, cred, ngroups, gidset);
|
||||
return (error);
|
||||
}
|
||||
@ -598,9 +556,6 @@ mac_check_proc_setreuid(struct proc *proc, struct ucred *cred, uid_t ruid,
|
||||
|
||||
PROC_LOCK_ASSERT(proc, MA_OWNED);
|
||||
|
||||
if (!mac_enforce_suid)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_proc_setreuid, cred, ruid, euid);
|
||||
return (error);
|
||||
}
|
||||
@ -613,9 +568,6 @@ mac_check_proc_setregid(struct proc *proc, struct ucred *cred, gid_t rgid,
|
||||
|
||||
PROC_LOCK_ASSERT(proc, MA_OWNED);
|
||||
|
||||
if (!mac_enforce_suid)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_proc_setregid, cred, rgid, egid);
|
||||
return (error);
|
||||
}
|
||||
@ -628,9 +580,6 @@ mac_check_proc_setresuid(struct proc *proc, struct ucred *cred, uid_t ruid,
|
||||
|
||||
PROC_LOCK_ASSERT(proc, MA_OWNED);
|
||||
|
||||
if (!mac_enforce_suid)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_proc_setresuid, cred, ruid, euid, suid);
|
||||
return (error);
|
||||
}
|
||||
@ -643,9 +592,6 @@ mac_check_proc_setresgid(struct proc *proc, struct ucred *cred, gid_t rgid,
|
||||
|
||||
PROC_LOCK_ASSERT(proc, MA_OWNED);
|
||||
|
||||
if (!mac_enforce_suid)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_proc_setresgid, cred, rgid, egid, sgid);
|
||||
return (error);
|
||||
}
|
||||
@ -657,9 +603,6 @@ mac_check_proc_wait(struct ucred *cred, struct proc *proc)
|
||||
|
||||
PROC_LOCK_ASSERT(proc, MA_OWNED);
|
||||
|
||||
if (!mac_enforce_process)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_proc_wait, cred, proc);
|
||||
|
||||
return (error);
|
||||
|
||||
@ -72,15 +72,6 @@ __FBSDID("$FreeBSD$");
|
||||
#include <security/mac/mac_framework.h>
|
||||
#include <security/mac/mac_internal.h>
|
||||
|
||||
/*
|
||||
* mac_enforce_socket is used by the inet code when delivering to an inpcb
|
||||
* without hitting the socket layer, and has to be non-static for now.
|
||||
*/
|
||||
int mac_enforce_socket = 1;
|
||||
SYSCTL_INT(_security_mac, OID_AUTO, enforce_socket, CTLFLAG_RW,
|
||||
&mac_enforce_socket, 0, "Enforce MAC policy on socket operations");
|
||||
TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket);
|
||||
|
||||
/*
|
||||
* Currently, sockets hold two labels: the label of the socket itself, and a
|
||||
* peer label, which may be used by policies to hold a copy of the label of
|
||||
@ -285,9 +276,6 @@ mac_check_socket_accept(struct ucred *cred, struct socket *socket)
|
||||
|
||||
SOCK_LOCK_ASSERT(socket);
|
||||
|
||||
if (!mac_enforce_socket)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_socket_accept, cred, socket, socket->so_label);
|
||||
|
||||
return (error);
|
||||
@ -301,9 +289,6 @@ mac_check_socket_bind(struct ucred *ucred, struct socket *socket,
|
||||
|
||||
SOCK_LOCK_ASSERT(socket);
|
||||
|
||||
if (!mac_enforce_socket)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_socket_bind, ucred, socket, socket->so_label,
|
||||
sockaddr);
|
||||
|
||||
@ -318,9 +303,6 @@ mac_check_socket_connect(struct ucred *cred, struct socket *socket,
|
||||
|
||||
SOCK_LOCK_ASSERT(socket);
|
||||
|
||||
if (!mac_enforce_socket)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_socket_connect, cred, socket, socket->so_label,
|
||||
sockaddr);
|
||||
|
||||
@ -333,9 +315,6 @@ mac_check_socket_create(struct ucred *cred, int domain, int type,
|
||||
{
|
||||
int error;
|
||||
|
||||
if (!mac_enforce_socket)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_socket_create, cred, domain, type, protocol);
|
||||
|
||||
return (error);
|
||||
@ -349,9 +328,6 @@ mac_check_socket_deliver(struct socket *socket, struct mbuf *mbuf)
|
||||
|
||||
SOCK_LOCK_ASSERT(socket);
|
||||
|
||||
if (!mac_enforce_socket)
|
||||
return (0);
|
||||
|
||||
label = mac_mbuf_to_label(mbuf);
|
||||
|
||||
MAC_CHECK(check_socket_deliver, socket, socket->so_label, mbuf,
|
||||
@ -367,9 +343,6 @@ mac_check_socket_listen(struct ucred *cred, struct socket *socket)
|
||||
|
||||
SOCK_LOCK_ASSERT(socket);
|
||||
|
||||
if (!mac_enforce_socket)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_socket_listen, cred, socket, socket->so_label);
|
||||
return (error);
|
||||
}
|
||||
@ -381,9 +354,6 @@ mac_check_socket_poll(struct ucred *cred, struct socket *so)
|
||||
|
||||
SOCK_LOCK_ASSERT(so);
|
||||
|
||||
if (!mac_enforce_socket)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_socket_poll, cred, so, so->so_label);
|
||||
return (error);
|
||||
}
|
||||
@ -395,9 +365,6 @@ mac_check_socket_receive(struct ucred *cred, struct socket *so)
|
||||
|
||||
SOCK_LOCK_ASSERT(so);
|
||||
|
||||
if (!mac_enforce_socket)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_socket_receive, cred, so, so->so_label);
|
||||
|
||||
return (error);
|
||||
@ -424,9 +391,6 @@ mac_check_socket_send(struct ucred *cred, struct socket *so)
|
||||
|
||||
SOCK_LOCK_ASSERT(so);
|
||||
|
||||
if (!mac_enforce_socket)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_socket_send, cred, so, so->so_label);
|
||||
|
||||
return (error);
|
||||
@ -439,9 +403,6 @@ mac_check_socket_stat(struct ucred *cred, struct socket *so)
|
||||
|
||||
SOCK_LOCK_ASSERT(so);
|
||||
|
||||
if (!mac_enforce_socket)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_socket_stat, cred, so, so->so_label);
|
||||
|
||||
return (error);
|
||||
@ -454,9 +415,6 @@ mac_check_socket_visible(struct ucred *cred, struct socket *socket)
|
||||
|
||||
SOCK_LOCK_ASSERT(socket);
|
||||
|
||||
if (!mac_enforce_socket)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_socket_visible, cred, socket, socket->so_label);
|
||||
|
||||
return (error);
|
||||
|
||||
@ -741,9 +741,7 @@ __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
|
||||
crhold(newcred);
|
||||
PROC_UNLOCK(p);
|
||||
|
||||
if (mac_enforce_vm) {
|
||||
mac_cred_mmapped_drop_perms(td, newcred);
|
||||
}
|
||||
mac_cred_mmapped_drop_perms(td, newcred);
|
||||
|
||||
crfree(newcred); /* Free revocation reference. */
|
||||
crfree(oldcred);
|
||||
|
||||
@ -50,16 +50,6 @@ __FBSDID("$FreeBSD$");
|
||||
#include <security/mac/mac_framework.h>
|
||||
#include <security/mac/mac_internal.h>
|
||||
|
||||
static int mac_enforce_kld = 1;
|
||||
SYSCTL_INT(_security_mac, OID_AUTO, enforce_kld, CTLFLAG_RW,
|
||||
&mac_enforce_kld, 0, "Enforce MAC policy on kld operations");
|
||||
TUNABLE_INT("security.mac.enforce_kld", &mac_enforce_kld);
|
||||
|
||||
static int mac_enforce_system = 1;
|
||||
SYSCTL_INT(_security_mac, OID_AUTO, enforce_system, CTLFLAG_RW,
|
||||
&mac_enforce_system, 0, "Enforce MAC policy on system operations");
|
||||
TUNABLE_INT("security.mac.enforce_system", &mac_enforce_system);
|
||||
|
||||
/*
|
||||
* XXXRW: Some of these checks now duplicate privilege checks. However,
|
||||
* others provide additional security context that may be useful to policies.
|
||||
@ -71,9 +61,6 @@ mac_check_kenv_dump(struct ucred *cred)
|
||||
{
|
||||
int error;
|
||||
|
||||
if (!mac_enforce_system)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_kenv_dump, cred);
|
||||
|
||||
return (error);
|
||||
@ -84,9 +71,6 @@ mac_check_kenv_get(struct ucred *cred, char *name)
|
||||
{
|
||||
int error;
|
||||
|
||||
if (!mac_enforce_system)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_kenv_get, cred, name);
|
||||
|
||||
return (error);
|
||||
@ -97,9 +81,6 @@ mac_check_kenv_set(struct ucred *cred, char *name, char *value)
|
||||
{
|
||||
int error;
|
||||
|
||||
if (!mac_enforce_system)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_kenv_set, cred, name, value);
|
||||
|
||||
return (error);
|
||||
@ -110,9 +91,6 @@ mac_check_kenv_unset(struct ucred *cred, char *name)
|
||||
{
|
||||
int error;
|
||||
|
||||
if (!mac_enforce_system)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_kenv_unset, cred, name);
|
||||
|
||||
return (error);
|
||||
@ -125,9 +103,6 @@ mac_check_kld_load(struct ucred *cred, struct vnode *vp)
|
||||
|
||||
ASSERT_VOP_LOCKED(vp, "mac_check_kld_load");
|
||||
|
||||
if (!mac_enforce_kld)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_kld_load, cred, vp, vp->v_label);
|
||||
|
||||
return (error);
|
||||
@ -138,9 +113,6 @@ mac_check_kld_stat(struct ucred *cred)
|
||||
{
|
||||
int error;
|
||||
|
||||
if (!mac_enforce_kld)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_kld_stat, cred);
|
||||
|
||||
return (error);
|
||||
@ -151,9 +123,6 @@ mac_check_kld_unload(struct ucred *cred)
|
||||
{
|
||||
int error;
|
||||
|
||||
if (!mac_enforce_kld)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_kld_unload, cred);
|
||||
|
||||
return (error);
|
||||
@ -164,9 +133,6 @@ mac_check_sysarch_ioperm(struct ucred *cred)
|
||||
{
|
||||
int error;
|
||||
|
||||
if (!mac_enforce_system)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_sysarch_ioperm, cred);
|
||||
return (error);
|
||||
}
|
||||
@ -180,9 +146,6 @@ mac_check_system_acct(struct ucred *cred, struct vnode *vp)
|
||||
ASSERT_VOP_LOCKED(vp, "mac_check_system_acct");
|
||||
}
|
||||
|
||||
if (!mac_enforce_system)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_system_acct, cred, vp,
|
||||
vp != NULL ? vp->v_label : NULL);
|
||||
|
||||
@ -194,9 +157,6 @@ mac_check_system_nfsd(struct ucred *cred)
|
||||
{
|
||||
int error;
|
||||
|
||||
if (!mac_enforce_system)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_system_nfsd, cred);
|
||||
|
||||
return (error);
|
||||
@ -207,9 +167,6 @@ mac_check_system_reboot(struct ucred *cred, int howto)
|
||||
{
|
||||
int error;
|
||||
|
||||
if (!mac_enforce_system)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_system_reboot, cred, howto);
|
||||
|
||||
return (error);
|
||||
@ -220,9 +177,6 @@ mac_check_system_settime(struct ucred *cred)
|
||||
{
|
||||
int error;
|
||||
|
||||
if (!mac_enforce_system)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_system_settime, cred);
|
||||
|
||||
return (error);
|
||||
@ -235,9 +189,6 @@ mac_check_system_swapon(struct ucred *cred, struct vnode *vp)
|
||||
|
||||
ASSERT_VOP_LOCKED(vp, "mac_check_system_swapon");
|
||||
|
||||
if (!mac_enforce_system)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_system_swapon, cred, vp, vp->v_label);
|
||||
return (error);
|
||||
}
|
||||
@ -249,9 +200,6 @@ mac_check_system_swapoff(struct ucred *cred, struct vnode *vp)
|
||||
|
||||
ASSERT_VOP_LOCKED(vp, "mac_check_system_swapoff");
|
||||
|
||||
if (!mac_enforce_system)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_system_swapoff, cred, vp, vp->v_label);
|
||||
return (error);
|
||||
}
|
||||
@ -266,9 +214,6 @@ mac_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp, void *arg1,
|
||||
* XXXMAC: We would very much like to assert the SYSCTL_LOCK here,
|
||||
* but since it's not exported from kern_sysctl.c, we can't.
|
||||
*/
|
||||
if (!mac_enforce_system)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_system_sysctl, cred, oidp, arg1, arg2, req);
|
||||
|
||||
return (error);
|
||||
|
||||
@ -54,12 +54,6 @@ __FBSDID("$FreeBSD$");
|
||||
#include <security/mac/mac_framework.h>
|
||||
#include <security/mac/mac_internal.h>
|
||||
|
||||
static int mac_enforce_sysv_msg = 1;
|
||||
SYSCTL_INT(_security_mac, OID_AUTO, enforce_sysv_msg, CTLFLAG_RW,
|
||||
&mac_enforce_sysv_msg, 0,
|
||||
"Enforce MAC policy on System V IPC Message Queues");
|
||||
TUNABLE_INT("security.mac.enforce_sysv_msg", &mac_enforce_sysv_msg);
|
||||
|
||||
static struct label *
|
||||
mac_sysv_msgmsg_label_alloc(void)
|
||||
{
|
||||
@ -162,9 +156,6 @@ mac_check_sysv_msgmsq(struct ucred *cred, struct msg *msgptr,
|
||||
{
|
||||
int error;
|
||||
|
||||
if (!mac_enforce_sysv_msg)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_sysv_msgmsq, cred, msgptr, msgptr->label, msqkptr,
|
||||
msqkptr->label);
|
||||
|
||||
@ -176,9 +167,6 @@ mac_check_sysv_msgrcv(struct ucred *cred, struct msg *msgptr)
|
||||
{
|
||||
int error;
|
||||
|
||||
if (!mac_enforce_sysv_msg)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_sysv_msgrcv, cred, msgptr, msgptr->label);
|
||||
|
||||
return(error);
|
||||
@ -189,9 +177,6 @@ mac_check_sysv_msgrmid(struct ucred *cred, struct msg *msgptr)
|
||||
{
|
||||
int error;
|
||||
|
||||
if (!mac_enforce_sysv_msg)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_sysv_msgrmid, cred, msgptr, msgptr->label);
|
||||
|
||||
return(error);
|
||||
@ -202,9 +187,6 @@ mac_check_sysv_msqget(struct ucred *cred, struct msqid_kernel *msqkptr)
|
||||
{
|
||||
int error;
|
||||
|
||||
if (!mac_enforce_sysv_msg)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_sysv_msqget, cred, msqkptr, msqkptr->label);
|
||||
|
||||
return(error);
|
||||
@ -215,9 +197,6 @@ mac_check_sysv_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr)
|
||||
{
|
||||
int error;
|
||||
|
||||
if (!mac_enforce_sysv_msg)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_sysv_msqsnd, cred, msqkptr, msqkptr->label);
|
||||
|
||||
return(error);
|
||||
@ -228,9 +207,6 @@ mac_check_sysv_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr)
|
||||
{
|
||||
int error;
|
||||
|
||||
if (!mac_enforce_sysv_msg)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_sysv_msqrcv, cred, msqkptr, msqkptr->label);
|
||||
|
||||
return(error);
|
||||
@ -242,9 +218,6 @@ mac_check_sysv_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr,
|
||||
{
|
||||
int error;
|
||||
|
||||
if (!mac_enforce_sysv_msg)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_sysv_msqctl, cred, msqkptr, msqkptr->label, cmd);
|
||||
|
||||
return(error);
|
||||
|
||||
@ -54,11 +54,6 @@ __FBSDID("$FreeBSD$");
|
||||
#include <security/mac/mac_framework.h>
|
||||
#include <security/mac/mac_internal.h>
|
||||
|
||||
static int mac_enforce_sysv_sem = 1;
|
||||
SYSCTL_INT(_security_mac, OID_AUTO, enforce_sysv_sem, CTLFLAG_RW,
|
||||
&mac_enforce_sysv_sem, 0, "Enforce MAC policy on System V IPC Semaphores");
|
||||
TUNABLE_INT("security.mac.enforce_sysv", &mac_enforce_sysv_sem);
|
||||
|
||||
static struct label *
|
||||
mac_sysv_sem_label_alloc(void)
|
||||
{
|
||||
@ -112,9 +107,6 @@ mac_check_sysv_semctl(struct ucred *cred, struct semid_kernel *semakptr,
|
||||
{
|
||||
int error;
|
||||
|
||||
if (!mac_enforce_sysv_sem)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_sysv_semctl, cred, semakptr, semakptr->label, cmd);
|
||||
|
||||
return(error);
|
||||
@ -125,9 +117,6 @@ mac_check_sysv_semget(struct ucred *cred, struct semid_kernel *semakptr)
|
||||
{
|
||||
int error;
|
||||
|
||||
if (!mac_enforce_sysv_sem)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_sysv_semget, cred, semakptr, semakptr->label);
|
||||
|
||||
return(error);
|
||||
@ -139,9 +128,6 @@ mac_check_sysv_semop(struct ucred *cred, struct semid_kernel *semakptr,
|
||||
{
|
||||
int error;
|
||||
|
||||
if (!mac_enforce_sysv_sem)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_sysv_semop, cred, semakptr, semakptr->label,
|
||||
accesstype);
|
||||
|
||||
|
||||
@ -54,12 +54,6 @@ __FBSDID("$FreeBSD$");
|
||||
#include <security/mac/mac_framework.h>
|
||||
#include <security/mac/mac_internal.h>
|
||||
|
||||
static int mac_enforce_sysv_shm = 1;
|
||||
SYSCTL_INT(_security_mac, OID_AUTO, enforce_sysv_shm, CTLFLAG_RW,
|
||||
&mac_enforce_sysv_shm, 0,
|
||||
"Enforce MAC policy on System V IPC shared memory");
|
||||
TUNABLE_INT("security.mac.enforce_sysv", &mac_enforce_sysv_shm);
|
||||
|
||||
static struct label *
|
||||
mac_sysv_shm_label_alloc(void)
|
||||
{
|
||||
@ -113,9 +107,6 @@ mac_check_sysv_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr,
|
||||
{
|
||||
int error;
|
||||
|
||||
if (!mac_enforce_sysv_shm)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_sysv_shmat, cred, shmsegptr, shmsegptr->label,
|
||||
shmflg);
|
||||
|
||||
@ -128,9 +119,6 @@ mac_check_sysv_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr,
|
||||
{
|
||||
int error;
|
||||
|
||||
if (!mac_enforce_sysv_shm)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_sysv_shmctl, cred, shmsegptr, shmsegptr->label,
|
||||
cmd);
|
||||
|
||||
@ -142,9 +130,6 @@ mac_check_sysv_shmdt(struct ucred *cred, struct shmid_kernel *shmsegptr)
|
||||
{
|
||||
int error;
|
||||
|
||||
if (!mac_enforce_sysv_shm)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_sysv_shmdt, cred, shmsegptr, shmsegptr->label);
|
||||
|
||||
return(error);
|
||||
@ -156,9 +141,6 @@ mac_check_sysv_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr,
|
||||
{
|
||||
int error;
|
||||
|
||||
if (!mac_enforce_sysv_shm)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_sysv_shmget, cred, shmsegptr, shmsegptr->label,
|
||||
shmflg);
|
||||
|
||||
|
||||
@ -79,11 +79,6 @@ __FBSDID("$FreeBSD$");
|
||||
*/
|
||||
static int ea_warn_once = 0;
|
||||
|
||||
static int mac_enforce_fs = 1;
|
||||
SYSCTL_INT(_security_mac, OID_AUTO, enforce_fs, CTLFLAG_RW,
|
||||
&mac_enforce_fs, 0, "Enforce MAC policy on file system objects");
|
||||
TUNABLE_INT("security.mac.enforce_fs", &mac_enforce_fs);
|
||||
|
||||
static int mac_setlabel_vnode_extattr(struct ucred *cred,
|
||||
struct vnode *vp, struct label *intlabel);
|
||||
|
||||
@ -351,9 +346,6 @@ mac_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp,
|
||||
|
||||
ASSERT_VOP_LOCKED(vp, "mac_execve_transition");
|
||||
|
||||
if (!mac_enforce_process && !mac_enforce_fs)
|
||||
return;
|
||||
|
||||
MAC_PERFORM(execve_transition, old, new, vp, vp->v_label,
|
||||
interpvnodelabel, imgp, imgp->execlabel);
|
||||
}
|
||||
@ -366,9 +358,6 @@ mac_execve_will_transition(struct ucred *old, struct vnode *vp,
|
||||
|
||||
ASSERT_VOP_LOCKED(vp, "mac_execve_will_transition");
|
||||
|
||||
if (!mac_enforce_process && !mac_enforce_fs)
|
||||
return (0);
|
||||
|
||||
result = 0;
|
||||
MAC_BOOLEAN(execve_will_transition, ||, old, vp, vp->v_label,
|
||||
interpvnodelabel, imgp, imgp->execlabel);
|
||||
@ -383,9 +372,6 @@ mac_check_vnode_access(struct ucred *cred, struct vnode *vp, int acc_mode)
|
||||
|
||||
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_access");
|
||||
|
||||
if (!mac_enforce_fs)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_vnode_access, cred, vp, vp->v_label, acc_mode);
|
||||
return (error);
|
||||
}
|
||||
@ -397,9 +383,6 @@ mac_check_vnode_chdir(struct ucred *cred, struct vnode *dvp)
|
||||
|
||||
ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_chdir");
|
||||
|
||||
if (!mac_enforce_fs)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_vnode_chdir, cred, dvp, dvp->v_label);
|
||||
return (error);
|
||||
}
|
||||
@ -411,9 +394,6 @@ mac_check_vnode_chroot(struct ucred *cred, struct vnode *dvp)
|
||||
|
||||
ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_chroot");
|
||||
|
||||
if (!mac_enforce_fs)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_vnode_chroot, cred, dvp, dvp->v_label);
|
||||
return (error);
|
||||
}
|
||||
@ -426,9 +406,6 @@ mac_check_vnode_create(struct ucred *cred, struct vnode *dvp,
|
||||
|
||||
ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_create");
|
||||
|
||||
if (!mac_enforce_fs)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_vnode_create, cred, dvp, dvp->v_label, cnp, vap);
|
||||
return (error);
|
||||
}
|
||||
@ -442,9 +419,6 @@ mac_check_vnode_delete(struct ucred *cred, struct vnode *dvp, struct vnode *vp,
|
||||
ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_delete");
|
||||
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_delete");
|
||||
|
||||
if (!mac_enforce_fs)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_vnode_delete, cred, dvp, dvp->v_label, vp,
|
||||
vp->v_label, cnp);
|
||||
return (error);
|
||||
@ -458,9 +432,6 @@ mac_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
|
||||
|
||||
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_deleteacl");
|
||||
|
||||
if (!mac_enforce_fs)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_vnode_deleteacl, cred, vp, vp->v_label, type);
|
||||
return (error);
|
||||
}
|
||||
@ -473,9 +444,6 @@ mac_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
|
||||
|
||||
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_deleteextattr");
|
||||
|
||||
if (!mac_enforce_fs)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_vnode_deleteextattr, cred, vp, vp->v_label,
|
||||
attrnamespace, name);
|
||||
return (error);
|
||||
@ -489,9 +457,6 @@ mac_check_vnode_exec(struct ucred *cred, struct vnode *vp,
|
||||
|
||||
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_exec");
|
||||
|
||||
if (!mac_enforce_process && !mac_enforce_fs)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_vnode_exec, cred, vp, vp->v_label, imgp,
|
||||
imgp->execlabel);
|
||||
|
||||
@ -505,9 +470,6 @@ mac_check_vnode_getacl(struct ucred *cred, struct vnode *vp, acl_type_t type)
|
||||
|
||||
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_getacl");
|
||||
|
||||
if (!mac_enforce_fs)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_vnode_getacl, cred, vp, vp->v_label, type);
|
||||
return (error);
|
||||
}
|
||||
@ -520,9 +482,6 @@ mac_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
|
||||
|
||||
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_getextattr");
|
||||
|
||||
if (!mac_enforce_fs)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_vnode_getextattr, cred, vp, vp->v_label,
|
||||
attrnamespace, name, uio);
|
||||
return (error);
|
||||
@ -537,9 +496,6 @@ mac_check_vnode_link(struct ucred *cred, struct vnode *dvp,
|
||||
ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_link");
|
||||
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_link");
|
||||
|
||||
if (!mac_enforce_fs)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_vnode_link, cred, dvp, dvp->v_label, vp,
|
||||
vp->v_label, cnp);
|
||||
return (error);
|
||||
@ -553,9 +509,6 @@ mac_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
|
||||
|
||||
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_listextattr");
|
||||
|
||||
if (!mac_enforce_fs)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_vnode_listextattr, cred, vp, vp->v_label,
|
||||
attrnamespace);
|
||||
return (error);
|
||||
@ -569,9 +522,6 @@ mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
|
||||
|
||||
ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_lookup");
|
||||
|
||||
if (!mac_enforce_fs)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_vnode_lookup, cred, dvp, dvp->v_label, cnp);
|
||||
return (error);
|
||||
}
|
||||
@ -584,9 +534,6 @@ mac_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
|
||||
|
||||
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_mmap");
|
||||
|
||||
if (!mac_enforce_fs || !mac_enforce_vm)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_vnode_mmap, cred, vp, vp->v_label, prot, flags);
|
||||
return (error);
|
||||
}
|
||||
@ -598,9 +545,6 @@ mac_check_vnode_mmap_downgrade(struct ucred *cred, struct vnode *vp, int *prot)
|
||||
|
||||
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_mmap_downgrade");
|
||||
|
||||
if (!mac_enforce_fs || !mac_enforce_vm)
|
||||
return;
|
||||
|
||||
MAC_PERFORM(check_vnode_mmap_downgrade, cred, vp, vp->v_label,
|
||||
&result);
|
||||
|
||||
@ -614,9 +558,6 @@ mac_check_vnode_mprotect(struct ucred *cred, struct vnode *vp, int prot)
|
||||
|
||||
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_mprotect");
|
||||
|
||||
if (!mac_enforce_fs || !mac_enforce_vm)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_vnode_mprotect, cred, vp, vp->v_label, prot);
|
||||
return (error);
|
||||
}
|
||||
@ -628,9 +569,6 @@ mac_check_vnode_open(struct ucred *cred, struct vnode *vp, int acc_mode)
|
||||
|
||||
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open");
|
||||
|
||||
if (!mac_enforce_fs)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_vnode_open, cred, vp, vp->v_label, acc_mode);
|
||||
return (error);
|
||||
}
|
||||
@ -643,9 +581,6 @@ mac_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
|
||||
|
||||
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_poll");
|
||||
|
||||
if (!mac_enforce_fs)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_vnode_poll, active_cred, file_cred, vp,
|
||||
vp->v_label);
|
||||
|
||||
@ -660,9 +595,6 @@ mac_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
|
||||
|
||||
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_read");
|
||||
|
||||
if (!mac_enforce_fs)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_vnode_read, active_cred, file_cred, vp,
|
||||
vp->v_label);
|
||||
|
||||
@ -676,9 +608,6 @@ mac_check_vnode_readdir(struct ucred *cred, struct vnode *dvp)
|
||||
|
||||
ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_readdir");
|
||||
|
||||
if (!mac_enforce_fs)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_vnode_readdir, cred, dvp, dvp->v_label);
|
||||
return (error);
|
||||
}
|
||||
@ -690,9 +619,6 @@ mac_check_vnode_readlink(struct ucred *cred, struct vnode *vp)
|
||||
|
||||
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_readlink");
|
||||
|
||||
if (!mac_enforce_fs)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_vnode_readlink, cred, vp, vp->v_label);
|
||||
return (error);
|
||||
}
|
||||
@ -719,9 +645,6 @@ mac_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
|
||||
ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_rename_from");
|
||||
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_rename_from");
|
||||
|
||||
if (!mac_enforce_fs)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_vnode_rename_from, cred, dvp, dvp->v_label, vp,
|
||||
vp->v_label, cnp);
|
||||
return (error);
|
||||
@ -736,9 +659,6 @@ mac_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
|
||||
ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_rename_to");
|
||||
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_rename_to");
|
||||
|
||||
if (!mac_enforce_fs)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_vnode_rename_to, cred, dvp, dvp->v_label, vp,
|
||||
vp != NULL ? vp->v_label : NULL, samedir, cnp);
|
||||
return (error);
|
||||
@ -751,9 +671,6 @@ mac_check_vnode_revoke(struct ucred *cred, struct vnode *vp)
|
||||
|
||||
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_revoke");
|
||||
|
||||
if (!mac_enforce_fs)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_vnode_revoke, cred, vp, vp->v_label);
|
||||
return (error);
|
||||
}
|
||||
@ -766,9 +683,6 @@ mac_check_vnode_setacl(struct ucred *cred, struct vnode *vp, acl_type_t type,
|
||||
|
||||
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setacl");
|
||||
|
||||
if (!mac_enforce_fs)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_vnode_setacl, cred, vp, vp->v_label, type, acl);
|
||||
return (error);
|
||||
}
|
||||
@ -781,9 +695,6 @@ mac_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
|
||||
|
||||
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setextattr");
|
||||
|
||||
if (!mac_enforce_fs)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_vnode_setextattr, cred, vp, vp->v_label,
|
||||
attrnamespace, name, uio);
|
||||
return (error);
|
||||
@ -796,9 +707,6 @@ mac_check_vnode_setflags(struct ucred *cred, struct vnode *vp, u_long flags)
|
||||
|
||||
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setflags");
|
||||
|
||||
if (!mac_enforce_fs)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_vnode_setflags, cred, vp, vp->v_label, flags);
|
||||
return (error);
|
||||
}
|
||||
@ -810,9 +718,6 @@ mac_check_vnode_setmode(struct ucred *cred, struct vnode *vp, mode_t mode)
|
||||
|
||||
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setmode");
|
||||
|
||||
if (!mac_enforce_fs)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_vnode_setmode, cred, vp, vp->v_label, mode);
|
||||
return (error);
|
||||
}
|
||||
@ -825,9 +730,6 @@ mac_check_vnode_setowner(struct ucred *cred, struct vnode *vp, uid_t uid,
|
||||
|
||||
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setowner");
|
||||
|
||||
if (!mac_enforce_fs)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_vnode_setowner, cred, vp, vp->v_label, uid, gid);
|
||||
return (error);
|
||||
}
|
||||
@ -840,9 +742,6 @@ mac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
|
||||
|
||||
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setutimes");
|
||||
|
||||
if (!mac_enforce_fs)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_vnode_setutimes, cred, vp, vp->v_label, atime,
|
||||
mtime);
|
||||
return (error);
|
||||
@ -856,9 +755,6 @@ mac_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
|
||||
|
||||
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_stat");
|
||||
|
||||
if (!mac_enforce_fs)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_vnode_stat, active_cred, file_cred, vp,
|
||||
vp->v_label);
|
||||
return (error);
|
||||
@ -872,9 +768,6 @@ mac_check_vnode_write(struct ucred *active_cred, struct ucred *file_cred,
|
||||
|
||||
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_write");
|
||||
|
||||
if (!mac_enforce_fs)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_vnode_write, active_cred, file_cred, vp,
|
||||
vp->v_label);
|
||||
|
||||
@ -901,9 +794,6 @@ mac_check_mount_stat(struct ucred *cred, struct mount *mount)
|
||||
{
|
||||
int error;
|
||||
|
||||
if (!mac_enforce_fs)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_mount_stat, cred, mount, mount->mnt_mntlabel);
|
||||
|
||||
return (error);
|
||||
|
||||
Loading…
Reference in New Issue
Block a user