d/freebsd-nq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Introduce support for Mandatory Access Control and extensible

Browse Source 
kernel access control.

Implement MAC framework access control entry points relating to
operations on mountpoints.  Currently, this consists only of
access control on mountpoint listing using the various statfs()
variations.  In the future, it might also be desirable to
implement checks on mount() and unmount().

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
This commit is contained in:
Robert Watson 2002-07-31 01:27:33 +00:00
parent a87cdf8335
commit 2712d0ee89
2 changed files with 46 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
sys/kern/vfs_extattr.c
View File

@ -41,6 +41,7 @@
/* For 4.3 integer FS ID compatibility */
#include "opt_compat.h"
#include "opt_mac.h"
#include <sys/param.h>
#include <sys/systm.h>
@ -48,6 +49,7 @@
#include <sys/buf.h>
#include <sys/sysent.h>
#include <sys/malloc.h>
#include <sys/mac.h>
#include <sys/mount.h>
#include <sys/mutex.h>
#include <sys/sysproto.h>
@ -225,6 +227,11 @@ statfs(td, uap)
sp = &mp->mnt_stat;
NDFREE(&nd, NDF_ONLY_PNBUF);
vrele(nd.ni_vp);
#ifdef MAC
error = mac_check_mount_stat(td->td_ucred, mp);
if (error)
return (error);
#endif
error = VFS_STATFS(mp, sp, td);
if (error)
return (error);
@ -267,6 +274,11 @@ fstatfs(td, uap)
fdrop(fp, td);
if (mp == NULL)
return (EBADF);
#ifdef MAC
error = mac_check_mount_stat(td->td_ucred, mp);
if (error)
return (error);
#endif
sp = &mp->mnt_stat;
error = VFS_STATFS(mp, sp, td);
if (error)
@ -309,6 +321,12 @@ getfsstat(td, uap)
count = 0;
mtx_lock(&mountlist_mtx);
for (mp = TAILQ_FIRST(&mountlist); mp != NULL; mp = nmp) {
#ifdef MAC
if (mac_check_mount_stat(td->td_ucred, mp) != 0) {
nmp = TAILQ_NEXT(mp, mnt_list);
continue;
}
#endif
if (vfs_busy(mp, LK_NOWAIT, &mountlist_mtx, td)) {
nmp = TAILQ_NEXT(mp, mnt_list);
continue;
@ -3415,6 +3433,11 @@ fhstatfs(td, uap)
mp = vp->v_mount;
sp = &mp->mnt_stat;
vput(vp);
#ifdef MAC
error = mac_check_mount_stat(td->td_ucred, mp);
if (error)
return (error);
#endif
if ((error = VFS_STATFS(mp, sp, td)) != 0)
return (error);
sp->f_flags = mp->mnt_flag & MNT_VISFLAGMASK;

23
sys/kern/vfs_syscalls.c
View File

@ -41,6 +41,7 @@
/* For 4.3 integer FS ID compatibility */
#include "opt_compat.h"
#include "opt_mac.h"
#include <sys/param.h>
#include <sys/systm.h>
@ -48,6 +49,7 @@
#include <sys/buf.h>
#include <sys/sysent.h>
#include <sys/malloc.h>
#include <sys/mac.h>
#include <sys/mount.h>
#include <sys/mutex.h>
#include <sys/sysproto.h>
@ -225,6 +227,11 @@ statfs(td, uap)
sp = &mp->mnt_stat;
NDFREE(&nd, NDF_ONLY_PNBUF);
vrele(nd.ni_vp);
#ifdef MAC
error = mac_check_mount_stat(td->td_ucred, mp);
if (error)
return (error);
#endif
error = VFS_STATFS(mp, sp, td);
if (error)
return (error);
@ -267,6 +274,11 @@ fstatfs(td, uap)
fdrop(fp, td);
if (mp == NULL)
return (EBADF);
#ifdef MAC
error = mac_check_mount_stat(td->td_ucred, mp);
if (error)
return (error);
#endif
sp = &mp->mnt_stat;
error = VFS_STATFS(mp, sp, td);
if (error)
@ -309,6 +321,12 @@ getfsstat(td, uap)
count = 0;
mtx_lock(&mountlist_mtx);
for (mp = TAILQ_FIRST(&mountlist); mp != NULL; mp = nmp) {
#ifdef MAC
if (mac_check_mount_stat(td->td_ucred, mp) != 0) {
nmp = TAILQ_NEXT(mp, mnt_list);
continue;
}
#endif
if (vfs_busy(mp, LK_NOWAIT, &mountlist_mtx, td)) {
nmp = TAILQ_NEXT(mp, mnt_list);
continue;
@ -3415,6 +3433,11 @@ fhstatfs(td, uap)
mp = vp->v_mount;
sp = &mp->mnt_stat;
vput(vp);
#ifdef MAC
error = mac_check_mount_stat(td->td_ucred, mp);
if (error)
return (error);
#endif
if ((error = VFS_STATFS(mp, sp, td)) != 0)
return (error);
sp->f_flags = mp->mnt_flag & MNT_VISFLAGMASK;