Hook up mac_check_system_reboot(), a MAC Framework entry point that
permits MAC modules to augment system security decisions regarding the
reboot() system call, if MAC is compiled into the kernel.

Approved by: re
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
parent
03ce2c0c9b
commit
a2ecb9b790
@ -141,6 +141,11 @@ SYSCTL_INT(_security_mac, OID_AUTO, enforce_process, CTLFLAG_RW,
|
||||
&mac_enforce_process, 0, "Enforce MAC policy on inter-process operations");
|
||||
TUNABLE_INT("security.mac.enforce_process", &mac_enforce_process);
|
||||
|
||||
static int mac_enforce_reboot = 1;
|
||||
SYSCTL_INT(_security_mac, OID_AUTO, enforce_reboot, CTLFLAG_RW,
|
||||
&mac_enforce_reboot, 0, "Enforce MAC policy for reboot operations");
|
||||
TUNABLE_INT("security.mac.enforce_reboot", &mac_enforce_reboot);
|
||||
|
||||
static int mac_enforce_socket = 1;
|
||||
SYSCTL_INT(_security_mac, OID_AUTO, enforce_socket, CTLFLAG_RW,
|
||||
&mac_enforce_socket, 0, "Enforce MAC policy on socket operations");
|
||||
@ -899,6 +904,10 @@ mac_policy_register(struct mac_policy_conf *mpc)
|
||||
mpc->mpc_ops->mpo_check_socket_visible =
|
||||
mpe->mpe_function;
|
||||
break;
|
||||
case MAC_CHECK_SYSTEM_REBOOT:
|
||||
mpc->mpc_ops->mpo_check_system_reboot =
|
||||
mpe->mpe_function;
|
||||
break;
|
||||
case MAC_CHECK_SYSTEM_SWAPON:
|
||||
mpc->mpc_ops->mpo_check_system_swapon =
|
||||
mpe->mpe_function;
|
||||
@ -2996,6 +3005,20 @@ mac_check_socket_visible(struct ucred *cred, struct socket *socket)
|
||||
return (error);
|
||||
}
|
||||
|
||||
int
|
||||
mac_check_system_reboot(struct ucred *cred, int howto)
|
||||
{
|
||||
int error;
|
||||
|
||||
ASSERT_VOP_LOCKED(vp, "mac_check_system_reboot");
|
||||
|
||||
if (!mac_enforce_reboot)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_system_reboot, cred, howto);
|
||||
return (error);
|
||||
}
|
||||
|
||||
int
|
||||
mac_check_system_swapon(struct ucred *cred, struct vnode *vp)
|
||||
{
|
||||
|
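Review bot: `ASSERT_VOP_LOCKED(vp, "mac_check_system_reboot");` in the new mac_check_system_reboot() names `vp`, but the function's only parameters are `cred` and `howto`, so the assertion refers to a variable that does not exist in this scope and looks copied from the vnode-based mac_check_system_swapon() that follows it. It presumably builds only where the macro expands to nothing and would stop compiling once vnode lock assertions are enabled; a reboot check has no vnode to assert on, so the line should simply be deleted. The same hunk is repeated in the later file sections of this page that carry mac_check_system_reboot(), and the same fix applies to each. Separately, `security.mac.enforce_reboot` is declared `CTLFLAG_RW` and the function returns 0 when it is cleared, so any subject allowed to write that sysctl can switch the check off at run time; a policy that relies on this hook should also constrain sysctl writes.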
@ -43,6 +43,7 @@
|
||||
#include "opt_ddb_trace.h"
|
||||
#include "opt_ddb_unattended.h"
|
||||
#include "opt_hw_wdog.h"
|
||||
#include "opt_mac.h"
|
||||
#include "opt_panic.h"
|
||||
#include "opt_show_busybufs.h"
|
||||
|
||||
@ -56,6 +57,7 @@
|
||||
#include <sys/eventhandler.h>
|
||||
#include <sys/kernel.h>
|
||||
#include <sys/kthread.h>
|
||||
#include <sys/mac.h>
|
||||
#include <sys/malloc.h>
|
||||
#include <sys/mount.h>
|
||||
#include <sys/proc.h>
|
||||
@ -159,10 +161,17 @@ reboot(struct thread *td, struct reboot_args *uap)
|
||||
{
|
||||
int error;
|
||||
|
||||
mtx_lock(&Giant);
|
||||
if ((error = suser(td)) == 0)
|
||||
error = 0;
|
||||
#ifdef MAC
|
||||
error = mac_check_system_reboot(td->td_ucred, uap->opt);
|
||||
#endif
|
||||
if (error == 0)
|
||||
error = suser(td);
|
||||
if (error == 0) {
|
||||
mtx_lock(&Giant);
|
||||
boot(uap->opt);
|
||||
mtx_unlock(&Giant);
|
||||
mtx_unlock(&Giant);
|
||||
}
|
||||
return (error);
|
||||
}
|
||||
|
||||
|
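Review bot: The new `#ifdef MAC` block in reboot() carries no comment saying that the MAC check runs before, and in addition to, suser(), so a reader cannot tell that the ordering is deliberate or that a policy can only veto a reboot, never grant one. I would add above the `#ifdef MAC` line something like `/* MAC policies may deny the reboot; the superuser check below still applies. */`. The `error = 0;` initialiser is also a dead store whenever MAC is compiled in, which is harmless but worth a word in the same comment. This rendered section interleaves old and new lines without +/- markers, so which lines survive is inferred from the calls to the new entry point.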
@ -141,6 +141,11 @@ SYSCTL_INT(_security_mac, OID_AUTO, enforce_process, CTLFLAG_RW,
|
||||
&mac_enforce_process, 0, "Enforce MAC policy on inter-process operations");
|
||||
TUNABLE_INT("security.mac.enforce_process", &mac_enforce_process);
|
||||
|
||||
static int mac_enforce_reboot = 1;
|
||||
SYSCTL_INT(_security_mac, OID_AUTO, enforce_reboot, CTLFLAG_RW,
|
||||
&mac_enforce_reboot, 0, "Enforce MAC policy for reboot operations");
|
||||
TUNABLE_INT("security.mac.enforce_reboot", &mac_enforce_reboot);
|
||||
|
||||
static int mac_enforce_socket = 1;
|
||||
SYSCTL_INT(_security_mac, OID_AUTO, enforce_socket, CTLFLAG_RW,
|
||||
&mac_enforce_socket, 0, "Enforce MAC policy on socket operations");
|
||||
@ -899,6 +904,10 @@ mac_policy_register(struct mac_policy_conf *mpc)
|
||||
mpc->mpc_ops->mpo_check_socket_visible =
|
||||
mpe->mpe_function;
|
||||
break;
|
||||
case MAC_CHECK_SYSTEM_REBOOT:
|
||||
mpc->mpc_ops->mpo_check_system_reboot =
|
||||
mpe->mpe_function;
|
||||
break;
|
||||
case MAC_CHECK_SYSTEM_SWAPON:
|
||||
mpc->mpc_ops->mpo_check_system_swapon =
|
||||
mpe->mpe_function;
|
||||
@ -2996,6 +3005,20 @@ mac_check_socket_visible(struct ucred *cred, struct socket *socket)
|
||||
return (error);
|
||||
}
|
||||
|
||||
int
|
||||
mac_check_system_reboot(struct ucred *cred, int howto)
|
||||
{
|
||||
int error;
|
||||
|
||||
ASSERT_VOP_LOCKED(vp, "mac_check_system_reboot");
|
||||
|
||||
if (!mac_enforce_reboot)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_system_reboot, cred, howto);
|
||||
return (error);
|
||||
}
|
||||
|
||||
int
|
||||
mac_check_system_swapon(struct ucred *cred, struct vnode *vp)
|
||||
{
|
||||
|
@ -297,6 +297,7 @@ int mac_check_socket_listen(struct ucred *cred, struct socket *so);
|
||||
int mac_check_socket_receive(struct ucred *cred, struct socket *so);
|
||||
int mac_check_socket_send(struct ucred *cred, struct socket *so);
|
||||
int mac_check_socket_visible(struct ucred *cred, struct socket *so);
|
||||
int mac_check_system_reboot(struct ucred *cred, int howto);
|
||||
int mac_check_system_swapon(struct ucred *cred, struct vnode *vp);
|
||||
int mac_check_vnode_access(struct ucred *cred, struct vnode *vp,
|
||||
int flags);
|
||||
|
@ -141,6 +141,11 @@ SYSCTL_INT(_security_mac, OID_AUTO, enforce_process, CTLFLAG_RW,
|
||||
&mac_enforce_process, 0, "Enforce MAC policy on inter-process operations");
|
||||
TUNABLE_INT("security.mac.enforce_process", &mac_enforce_process);
|
||||
|
||||
static int mac_enforce_reboot = 1;
|
||||
SYSCTL_INT(_security_mac, OID_AUTO, enforce_reboot, CTLFLAG_RW,
|
||||
&mac_enforce_reboot, 0, "Enforce MAC policy for reboot operations");
|
||||
TUNABLE_INT("security.mac.enforce_reboot", &mac_enforce_reboot);
|
||||
|
||||
static int mac_enforce_socket = 1;
|
||||
SYSCTL_INT(_security_mac, OID_AUTO, enforce_socket, CTLFLAG_RW,
|
||||
&mac_enforce_socket, 0, "Enforce MAC policy on socket operations");
|
||||
@ -899,6 +904,10 @@ mac_policy_register(struct mac_policy_conf *mpc)
|
||||
mpc->mpc_ops->mpo_check_socket_visible =
|
||||
mpe->mpe_function;
|
||||
break;
|
||||
case MAC_CHECK_SYSTEM_REBOOT:
|
||||
mpc->mpc_ops->mpo_check_system_reboot =
|
||||
mpe->mpe_function;
|
||||
break;
|
||||
case MAC_CHECK_SYSTEM_SWAPON:
|
||||
mpc->mpc_ops->mpo_check_system_swapon =
|
||||
mpe->mpe_function;
|
||||
@ -2996,6 +3005,20 @@ mac_check_socket_visible(struct ucred *cred, struct socket *socket)
|
||||
return (error);
|
||||
}
|
||||
|
||||
int
|
||||
mac_check_system_reboot(struct ucred *cred, int howto)
|
||||
{
|
||||
int error;
|
||||
|
||||
ASSERT_VOP_LOCKED(vp, "mac_check_system_reboot");
|
||||
|
||||
if (!mac_enforce_reboot)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_system_reboot, cred, howto);
|
||||
return (error);
|
||||
}
|
||||
|
||||
int
|
||||
mac_check_system_swapon(struct ucred *cred, struct vnode *vp)
|
||||
{
|
||||
|
@ -141,6 +141,11 @@ SYSCTL_INT(_security_mac, OID_AUTO, enforce_process, CTLFLAG_RW,
|
||||
&mac_enforce_process, 0, "Enforce MAC policy on inter-process operations");
|
||||
TUNABLE_INT("security.mac.enforce_process", &mac_enforce_process);
|
||||
|
||||
static int mac_enforce_reboot = 1;
|
||||
SYSCTL_INT(_security_mac, OID_AUTO, enforce_reboot, CTLFLAG_RW,
|
||||
&mac_enforce_reboot, 0, "Enforce MAC policy for reboot operations");
|
||||
TUNABLE_INT("security.mac.enforce_reboot", &mac_enforce_reboot);
|
||||
|
||||
static int mac_enforce_socket = 1;
|
||||
SYSCTL_INT(_security_mac, OID_AUTO, enforce_socket, CTLFLAG_RW,
|
||||
&mac_enforce_socket, 0, "Enforce MAC policy on socket operations");
|
||||
@ -899,6 +904,10 @@ mac_policy_register(struct mac_policy_conf *mpc)
|
||||
mpc->mpc_ops->mpo_check_socket_visible =
|
||||
mpe->mpe_function;
|
||||
break;
|
||||
case MAC_CHECK_SYSTEM_REBOOT:
|
||||
mpc->mpc_ops->mpo_check_system_reboot =
|
||||
mpe->mpe_function;
|
||||
break;
|
||||
case MAC_CHECK_SYSTEM_SWAPON:
|
||||
mpc->mpc_ops->mpo_check_system_swapon =
|
||||
mpe->mpe_function;
|
||||
@ -2996,6 +3005,20 @@ mac_check_socket_visible(struct ucred *cred, struct socket *socket)
|
||||
return (error);
|
||||
}
|
||||
|
||||
int
|
||||
mac_check_system_reboot(struct ucred *cred, int howto)
|
||||
{
|
||||
int error;
|
||||
|
||||
ASSERT_VOP_LOCKED(vp, "mac_check_system_reboot");
|
||||
|
||||
if (!mac_enforce_reboot)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_system_reboot, cred, howto);
|
||||
return (error);
|
||||
}
|
||||
|
||||
int
|
||||
mac_check_system_swapon(struct ucred *cred, struct vnode *vp)
|
||||
{
|
||||
|
@ -141,6 +141,11 @@ SYSCTL_INT(_security_mac, OID_AUTO, enforce_process, CTLFLAG_RW,
|
||||
&mac_enforce_process, 0, "Enforce MAC policy on inter-process operations");
|
||||
TUNABLE_INT("security.mac.enforce_process", &mac_enforce_process);
|
||||
|
||||
static int mac_enforce_reboot = 1;
|
||||
SYSCTL_INT(_security_mac, OID_AUTO, enforce_reboot, CTLFLAG_RW,
|
||||
&mac_enforce_reboot, 0, "Enforce MAC policy for reboot operations");
|
||||
TUNABLE_INT("security.mac.enforce_reboot", &mac_enforce_reboot);
|
||||
|
||||
static int mac_enforce_socket = 1;
|
||||
SYSCTL_INT(_security_mac, OID_AUTO, enforce_socket, CTLFLAG_RW,
|
||||
&mac_enforce_socket, 0, "Enforce MAC policy on socket operations");
|
||||
@ -899,6 +904,10 @@ mac_policy_register(struct mac_policy_conf *mpc)
|
||||
mpc->mpc_ops->mpo_check_socket_visible =
|
||||
mpe->mpe_function;
|
||||
break;
|
||||
case MAC_CHECK_SYSTEM_REBOOT:
|
||||
mpc->mpc_ops->mpo_check_system_reboot =
|
||||
mpe->mpe_function;
|
||||
break;
|
||||
case MAC_CHECK_SYSTEM_SWAPON:
|
||||
mpc->mpc_ops->mpo_check_system_swapon =
|
||||
mpe->mpe_function;
|
||||
@ -2996,6 +3005,20 @@ mac_check_socket_visible(struct ucred *cred, struct socket *socket)
|
||||
return (error);
|
||||
}
|
||||
|
||||
int
|
||||
mac_check_system_reboot(struct ucred *cred, int howto)
|
||||
{
|
||||
int error;
|
||||
|
||||
ASSERT_VOP_LOCKED(vp, "mac_check_system_reboot");
|
||||
|
||||
if (!mac_enforce_reboot)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_system_reboot, cred, howto);
|
||||
return (error);
|
||||
}
|
||||
|
||||
int
|
||||
mac_check_system_swapon(struct ucred *cred, struct vnode *vp)
|
||||
{
|
||||
|
@ -310,6 +310,7 @@ struct mac_policy_ops {
|
||||
struct socket *so, struct label *socketlabel);
|
||||
int (*mpo_check_socket_visible)(struct ucred *cred,
|
||||
struct socket *so, struct label *socketlabel);
|
||||
int (*mpo_check_system_reboot)(struct ucred *cred, int howto);
|
||||
int (*mpo_check_system_swapon)(struct ucred *cred,
|
||||
struct vnode *vp, struct label *label);
|
||||
int (*mpo_check_vnode_access)(struct ucred *cred,
|
||||
@ -502,6 +503,7 @@ enum mac_op_constant {
|
||||
MAC_CHECK_SOCKET_RELABEL,
|
||||
MAC_CHECK_SOCKET_SEND,
|
||||
MAC_CHECK_SOCKET_VISIBLE,
|
||||
MAC_CHECK_SYSTEM_REBOOT,
|
||||
MAC_CHECK_SYSTEM_SWAPON,
|
||||
MAC_CHECK_VNODE_ACCESS,
|
||||
MAC_CHECK_VNODE_CHDIR,
|
||||
|
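Review bot: `MAC_CHECK_SYSTEM_REBOOT` is inserted in the middle of `enum mac_op_constant`, and `mpo_check_system_reboot` in the middle of `struct mac_policy_ops`, so every constant after it is renumbered and every later member moves. A policy module compiled against the previous header would, if loaded into this kernel, presumably have its entry points matched to the wrong `case` in mac_policy_register(), which for an access-control framework means checks silently bound to the wrong hook. Neither hunk documents this; a comment above the enum such as `/* Order-sensitive: adding an entry renumbers the ones after it; rebuild all policy modules. */` would make the constraint visible. Both definitions start and end outside the hunks shown, and the same two hunks appear again in the last file section of the page.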
@ -141,6 +141,11 @@ SYSCTL_INT(_security_mac, OID_AUTO, enforce_process, CTLFLAG_RW,
|
||||
&mac_enforce_process, 0, "Enforce MAC policy on inter-process operations");
|
||||
TUNABLE_INT("security.mac.enforce_process", &mac_enforce_process);
|
||||
|
||||
static int mac_enforce_reboot = 1;
|
||||
SYSCTL_INT(_security_mac, OID_AUTO, enforce_reboot, CTLFLAG_RW,
|
||||
&mac_enforce_reboot, 0, "Enforce MAC policy for reboot operations");
|
||||
TUNABLE_INT("security.mac.enforce_reboot", &mac_enforce_reboot);
|
||||
|
||||
static int mac_enforce_socket = 1;
|
||||
SYSCTL_INT(_security_mac, OID_AUTO, enforce_socket, CTLFLAG_RW,
|
||||
&mac_enforce_socket, 0, "Enforce MAC policy on socket operations");
|
||||
@ -899,6 +904,10 @@ mac_policy_register(struct mac_policy_conf *mpc)
|
||||
mpc->mpc_ops->mpo_check_socket_visible =
|
||||
mpe->mpe_function;
|
||||
break;
|
||||
case MAC_CHECK_SYSTEM_REBOOT:
|
||||
mpc->mpc_ops->mpo_check_system_reboot =
|
||||
mpe->mpe_function;
|
||||
break;
|
||||
case MAC_CHECK_SYSTEM_SWAPON:
|
||||
mpc->mpc_ops->mpo_check_system_swapon =
|
||||
mpe->mpe_function;
|
||||
@ -2996,6 +3005,20 @@ mac_check_socket_visible(struct ucred *cred, struct socket *socket)
|
||||
return (error);
|
||||
}
|
||||
|
||||
int
|
||||
mac_check_system_reboot(struct ucred *cred, int howto)
|
||||
{
|
||||
int error;
|
||||
|
||||
ASSERT_VOP_LOCKED(vp, "mac_check_system_reboot");
|
||||
|
||||
if (!mac_enforce_reboot)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_system_reboot, cred, howto);
|
||||
return (error);
|
||||
}
|
||||
|
||||
int
|
||||
mac_check_system_swapon(struct ucred *cred, struct vnode *vp)
|
||||
{
|
||||
|
@ -141,6 +141,11 @@ SYSCTL_INT(_security_mac, OID_AUTO, enforce_process, CTLFLAG_RW,
|
||||
&mac_enforce_process, 0, "Enforce MAC policy on inter-process operations");
|
||||
TUNABLE_INT("security.mac.enforce_process", &mac_enforce_process);
|
||||
|
||||
static int mac_enforce_reboot = 1;
|
||||
SYSCTL_INT(_security_mac, OID_AUTO, enforce_reboot, CTLFLAG_RW,
|
||||
&mac_enforce_reboot, 0, "Enforce MAC policy for reboot operations");
|
||||
TUNABLE_INT("security.mac.enforce_reboot", &mac_enforce_reboot);
|
||||
|
||||
static int mac_enforce_socket = 1;
|
||||
SYSCTL_INT(_security_mac, OID_AUTO, enforce_socket, CTLFLAG_RW,
|
||||
&mac_enforce_socket, 0, "Enforce MAC policy on socket operations");
|
||||
@ -899,6 +904,10 @@ mac_policy_register(struct mac_policy_conf *mpc)
|
||||
mpc->mpc_ops->mpo_check_socket_visible =
|
||||
mpe->mpe_function;
|
||||
break;
|
||||
case MAC_CHECK_SYSTEM_REBOOT:
|
||||
mpc->mpc_ops->mpo_check_system_reboot =
|
||||
mpe->mpe_function;
|
||||
break;
|
||||
case MAC_CHECK_SYSTEM_SWAPON:
|
||||
mpc->mpc_ops->mpo_check_system_swapon =
|
||||
mpe->mpe_function;
|
||||
@ -2996,6 +3005,20 @@ mac_check_socket_visible(struct ucred *cred, struct socket *socket)
|
||||
return (error);
|
||||
}
|
||||
|
||||
int
|
||||
mac_check_system_reboot(struct ucred *cred, int howto)
|
||||
{
|
||||
int error;
|
||||
|
||||
ASSERT_VOP_LOCKED(vp, "mac_check_system_reboot");
|
||||
|
||||
if (!mac_enforce_reboot)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_system_reboot, cred, howto);
|
||||
return (error);
|
||||
}
|
||||
|
||||
int
|
||||
mac_check_system_swapon(struct ucred *cred, struct vnode *vp)
|
||||
{
|
||||
|
@ -141,6 +141,11 @@ SYSCTL_INT(_security_mac, OID_AUTO, enforce_process, CTLFLAG_RW,
|
||||
&mac_enforce_process, 0, "Enforce MAC policy on inter-process operations");
|
||||
TUNABLE_INT("security.mac.enforce_process", &mac_enforce_process);
|
||||
|
||||
static int mac_enforce_reboot = 1;
|
||||
SYSCTL_INT(_security_mac, OID_AUTO, enforce_reboot, CTLFLAG_RW,
|
||||
&mac_enforce_reboot, 0, "Enforce MAC policy for reboot operations");
|
||||
TUNABLE_INT("security.mac.enforce_reboot", &mac_enforce_reboot);
|
||||
|
||||
static int mac_enforce_socket = 1;
|
||||
SYSCTL_INT(_security_mac, OID_AUTO, enforce_socket, CTLFLAG_RW,
|
||||
&mac_enforce_socket, 0, "Enforce MAC policy on socket operations");
|
||||
@ -899,6 +904,10 @@ mac_policy_register(struct mac_policy_conf *mpc)
|
||||
mpc->mpc_ops->mpo_check_socket_visible =
|
||||
mpe->mpe_function;
|
||||
break;
|
||||
case MAC_CHECK_SYSTEM_REBOOT:
|
||||
mpc->mpc_ops->mpo_check_system_reboot =
|
||||
mpe->mpe_function;
|
||||
break;
|
||||
case MAC_CHECK_SYSTEM_SWAPON:
|
||||
mpc->mpc_ops->mpo_check_system_swapon =
|
||||
mpe->mpe_function;
|
||||
@ -2996,6 +3005,20 @@ mac_check_socket_visible(struct ucred *cred, struct socket *socket)
|
||||
return (error);
|
||||
}
|
||||
|
||||
int
|
||||
mac_check_system_reboot(struct ucred *cred, int howto)
|
||||
{
|
||||
int error;
|
||||
|
||||
ASSERT_VOP_LOCKED(vp, "mac_check_system_reboot");
|
||||
|
||||
if (!mac_enforce_reboot)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_system_reboot, cred, howto);
|
||||
return (error);
|
||||
}
|
||||
|
||||
int
|
||||
mac_check_system_swapon(struct ucred *cred, struct vnode *vp)
|
||||
{
|
||||
|
@ -141,6 +141,11 @@ SYSCTL_INT(_security_mac, OID_AUTO, enforce_process, CTLFLAG_RW,
|
||||
&mac_enforce_process, 0, "Enforce MAC policy on inter-process operations");
|
||||
TUNABLE_INT("security.mac.enforce_process", &mac_enforce_process);
|
||||
|
||||
static int mac_enforce_reboot = 1;
|
||||
SYSCTL_INT(_security_mac, OID_AUTO, enforce_reboot, CTLFLAG_RW,
|
||||
&mac_enforce_reboot, 0, "Enforce MAC policy for reboot operations");
|
||||
TUNABLE_INT("security.mac.enforce_reboot", &mac_enforce_reboot);
|
||||
|
||||
static int mac_enforce_socket = 1;
|
||||
SYSCTL_INT(_security_mac, OID_AUTO, enforce_socket, CTLFLAG_RW,
|
||||
&mac_enforce_socket, 0, "Enforce MAC policy on socket operations");
|
||||
@ -899,6 +904,10 @@ mac_policy_register(struct mac_policy_conf *mpc)
|
||||
mpc->mpc_ops->mpo_check_socket_visible =
|
||||
mpe->mpe_function;
|
||||
break;
|
||||
case MAC_CHECK_SYSTEM_REBOOT:
|
||||
mpc->mpc_ops->mpo_check_system_reboot =
|
||||
mpe->mpe_function;
|
||||
break;
|
||||
case MAC_CHECK_SYSTEM_SWAPON:
|
||||
mpc->mpc_ops->mpo_check_system_swapon =
|
||||
mpe->mpe_function;
|
||||
@ -2996,6 +3005,20 @@ mac_check_socket_visible(struct ucred *cred, struct socket *socket)
|
||||
return (error);
|
||||
}
|
||||
|
||||
int
|
||||
mac_check_system_reboot(struct ucred *cred, int howto)
|
||||
{
|
||||
int error;
|
||||
|
||||
ASSERT_VOP_LOCKED(vp, "mac_check_system_reboot");
|
||||
|
||||
if (!mac_enforce_reboot)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_system_reboot, cred, howto);
|
||||
return (error);
|
||||
}
|
||||
|
||||
int
|
||||
mac_check_system_swapon(struct ucred *cred, struct vnode *vp)
|
||||
{
|
||||
|
@ -297,6 +297,7 @@ int mac_check_socket_listen(struct ucred *cred, struct socket *so);
|
||||
int mac_check_socket_receive(struct ucred *cred, struct socket *so);
|
||||
int mac_check_socket_send(struct ucred *cred, struct socket *so);
|
||||
int mac_check_socket_visible(struct ucred *cred, struct socket *so);
|
||||
int mac_check_system_reboot(struct ucred *cred, int howto);
|
||||
int mac_check_system_swapon(struct ucred *cred, struct vnode *vp);
|
||||
int mac_check_vnode_access(struct ucred *cred, struct vnode *vp,
|
||||
int flags);
|
||||
|
@ -310,6 +310,7 @@ struct mac_policy_ops {
|
||||
struct socket *so, struct label *socketlabel);
|
||||
int (*mpo_check_socket_visible)(struct ucred *cred,
|
||||
struct socket *so, struct label *socketlabel);
|
||||
int (*mpo_check_system_reboot)(struct ucred *cred, int howto);
|
||||
int (*mpo_check_system_swapon)(struct ucred *cred,
|
||||
struct vnode *vp, struct label *label);
|
||||
int (*mpo_check_vnode_access)(struct ucred *cred,
|
||||
@ -502,6 +503,7 @@ enum mac_op_constant {
|
||||
MAC_CHECK_SOCKET_RELABEL,
|
||||
MAC_CHECK_SOCKET_SEND,
|
||||
MAC_CHECK_SOCKET_VISIBLE,
|
||||
MAC_CHECK_SYSTEM_REBOOT,
|
||||
MAC_CHECK_SYSTEM_SWAPON,
|
||||
MAC_CHECK_VNODE_ACCESS,
|
||||
MAC_CHECK_VNODE_CHDIR,
|
||||
|