d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add a new MAC framework and policy entry point,

Browse Source 
mpo_check_proc_setaudit_addr to be used when controlling use of
setaudit_addr(), rather than mpo_check_proc_setaudit(), which takes a
different argument type.

Reviewed by:	csjp
Approved by:	re (kensmith)
This commit is contained in:
Robert Watson 2007-06-26 14:14:01 +00:00
parent 544970d64e
commit f1e8bf6dd4
Notes: svn2git 2020-12-20 02:59:44 +00:00 
svn path=/head/; revision=171047
6 changed files with 38 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
sys/security/audit/audit_syscalls.c
View File

@ -591,7 +591,7 @@ setaudit_addr(struct thread *td, struct setaudit_addr_args *uap)
oldcred = td->td_proc->p_ucred;
crcopy(newcred, oldcred);
#ifdef MAC
error = mac_check_proc_setaudit(oldcred, NULL);
error = mac_check_proc_setaudit_addr(oldcred, &aia);
if (error)
goto fail;
#endif

10
sys/security/mac/mac_audit.c
View File

@ -55,6 +55,16 @@ mac_check_proc_setaudit(struct ucred *cred, struct auditinfo *ai)
return (error);
}
int
mac_check_proc_setaudit_addr(struct ucred *cred, struct auditinfo_addr *aia)
{
int error;
MAC_CHECK(check_proc_setaudit_addr, cred, aia);
return (error);
}
int
mac_check_proc_setauid(struct ucred *cred, uid_t auid)
{

3
sys/security/mac/mac_framework.h
View File

@ -51,6 +51,7 @@
#endif
struct auditinfo;
struct auditinfo_addr;
struct bpf_d;
struct cdev;
struct componentname;
@ -297,6 +298,8 @@ int mac_check_posix_sem_wait(struct ucred *cred, struct ksem *ksemptr);
int mac_check_proc_debug(struct ucred *cred, struct proc *p);
int mac_check_proc_sched(struct ucred *cred, struct proc *p);
int mac_check_proc_setaudit(struct ucred *cred, struct auditinfo *ai);
int mac_check_proc_setaudit_addr(struct ucred *cred,
struct auditinfo_addr *aia);
int mac_check_proc_setauid(struct ucred *cred, uid_t auid);
int mac_check_proc_setuid(struct proc *p, struct ucred *cred,
uid_t uid);

3
sys/security/mac/mac_policy.h
View File

@ -450,6 +450,8 @@ typedef int (*mpo_check_proc_sched_t)(struct ucred *cred,
struct proc *p);
typedef int (*mpo_check_proc_setaudit_t)(struct ucred *cred,
struct auditinfo *ai);
typedef int (*mpo_check_proc_setaudit_addr_t)(struct ucred *cred,
struct auditinfo_addr *aia);
typedef int (*mpo_check_proc_setauid_t)(struct ucred *cred, uid_t auid);
typedef int (*mpo_check_proc_setuid_t)(struct ucred *cred, uid_t uid);
typedef int (*mpo_check_proc_seteuid_t)(struct ucred *cred, uid_t euid);
@ -826,6 +828,7 @@ struct mac_policy_ops {
mpo_check_proc_debug_t mpo_check_proc_debug;
mpo_check_proc_sched_t mpo_check_proc_sched;
mpo_check_proc_setaudit_t mpo_check_proc_setaudit;
mpo_check_proc_setaudit_addr_t mpo_check_proc_setaudit_addr;
mpo_check_proc_setauid_t mpo_check_proc_setauid;
mpo_check_proc_setuid_t mpo_check_proc_setuid;
mpo_check_proc_seteuid_t mpo_check_proc_seteuid;

8
sys/security/mac_stub/mac_stub.c
View File

@ -915,6 +915,13 @@ stub_check_proc_setaudit(struct ucred *cred, struct auditinfo *ai)
return (0);
}
static int
stub_check_proc_setaudit_addr(struct ucred *cred, struct auditinfo_addr *aia)
{
return (0);
}
static int
stub_check_proc_setauid(struct ucred *cred, uid_t auid)
{
@ -1579,6 +1586,7 @@ static struct mac_policy_ops mac_stub_ops =
.mpo_check_proc_debug = stub_check_proc_debug,
.mpo_check_proc_sched = stub_check_proc_sched,
.mpo_check_proc_setaudit = stub_check_proc_setaudit,
.mpo_check_proc_setaudit_addr = stub_check_proc_setaudit_addr,
.mpo_check_proc_setauid = stub_check_proc_setauid,
.mpo_check_proc_setuid = stub_check_proc_setuid,
.mpo_check_proc_seteuid = stub_check_proc_seteuid,

13
sys/security/mac_test/mac_test.c
View File

@ -1668,6 +1668,18 @@ mac_test_check_proc_setaudit(struct ucred *cred, struct auditinfo *ai)
return (0);
}
COUNTER_DECL(check_proc_setaudit_addr);
static int
mac_test_check_proc_setaudit_addr(struct ucred *cred,
struct auditinfo_addr *aia)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
COUNTER_INC(check_proc_setaudit_addr);
return (0);
}
COUNTER_DECL(check_proc_setauid);
static int
mac_test_check_proc_setauid(struct ucred *cred, uid_t auid)
@ -2608,6 +2620,7 @@ static struct mac_policy_ops mac_test_ops =
.mpo_check_proc_debug = mac_test_check_proc_debug,
.mpo_check_proc_sched = mac_test_check_proc_sched,
.mpo_check_proc_setaudit = mac_test_check_proc_setaudit,
.mpo_check_proc_setaudit_addr = mac_test_check_proc_setaudit_addr,
.mpo_check_proc_setauid = mac_test_check_proc_setauid,
.mpo_check_proc_setuid = mac_test_check_proc_setuid,
.mpo_check_proc_seteuid = mac_test_check_proc_seteuid,