Update MAC modules for changes in arguments for exec MAC policy
entry points to include an explicit execlabel. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
This commit is contained in:
parent
9fa3506ecd
commit
ef5def596d
@ -2044,9 +2044,23 @@ mac_biba_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
|
||||
|
||||
static int
|
||||
mac_biba_check_vnode_exec(struct ucred *cred, struct vnode *vp,
|
||||
struct label *label, struct image_params *imgp)
|
||||
struct label *label, struct image_params *imgp,
|
||||
struct label *execlabel)
|
||||
{
|
||||
struct mac_biba *subj, *obj;
|
||||
struct mac_biba *subj, *obj, *exec;
|
||||
int error;
|
||||
|
||||
if (execlabel != NULL) {
|
||||
/*
|
||||
* We currently don't permit labels to be changed at
|
||||
* exec-time as part of Biba, so disallow non-NULL
|
||||
* Biba label elements in the execlabel.
|
||||
*/
|
||||
exec = SLOT(execlabel);
|
||||
error = biba_atmostflags(exec, 0);
|
||||
if (error)
|
||||
return (error);
|
||||
}
|
||||
|
||||
if (!mac_biba_enabled)
|
||||
return (0);
|
||||
|
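Review bot: The execlabel rejection added at the top of mac_biba_check_vnode_exec runs before the existing `if (!mac_biba_enabled) return (0);`, so a disabled Biba policy still fails an exec whose execlabel carries Biba elements, while the remainder of the function (outside this hunk) is presumably skipped when the policy is disabled. If that ordering is intentional, because label consistency is meant to hold regardless of enforcement, a short comment above the `if (execlabel != NULL)` block would keep a later reader from reordering it, e.g. `/* Rejected even when the policy is disabled: execlabel must never carry Biba elements. */`; if it is not intentional, the block belongs below the enabled check. The mac_mls hunk has the same ordering relative to `mac_mls_enabled`. The enclosing function ends outside the hunk.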
@ -394,7 +394,8 @@ mac_bsdextended_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
|
||||
|
||||
static int
|
||||
mac_bsdextended_check_vnode_exec(struct ucred *cred, struct vnode *vp,
|
||||
struct label *label, struct image_params *imgp)
|
||||
struct label *label, struct image_params *imgp,
|
||||
struct label *execlabel)
|
||||
{
|
||||
struct vattr vap;
|
||||
int error;
|
||||
|
@ -1862,9 +1862,23 @@ mac_mls_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
|
||||
|
||||
static int
|
||||
mac_mls_check_vnode_exec(struct ucred *cred, struct vnode *vp,
|
||||
struct label *label, struct image_params *imgp)
|
||||
struct label *label, struct image_params *imgp,
|
||||
struct label *execlabel)
|
||||
{
|
||||
struct mac_mls *subj, *obj;
|
||||
struct mac_mls *subj, *obj, *exec;
|
||||
int error;
|
||||
|
||||
if (execlabel != NULL) {
|
||||
/*
|
||||
* We currently don't permit labels to be changed at
|
||||
* exec-time as part of MLS, so disallow non-NULL
|
||||
* MLS label elements in the execlabel.
|
||||
*/
|
||||
exec = SLOT(execlabel);
|
||||
error = mls_atmostflags(exec, 0);
|
||||
if (error)
|
||||
return (error);
|
||||
}
|
||||
|
||||
if (!mac_mls_enabled)
|
||||
return (0);
|
||||
|
@ -417,7 +417,8 @@ mac_none_create_cred(struct ucred *cred_parent, struct ucred *cred_child)
|
||||
static void
|
||||
mac_none_execve_transition(struct ucred *old, struct ucred *new,
|
||||
struct vnode *vp, struct label *vnodelabel,
|
||||
struct label *interpvnodelabel, struct image_params *imgp)
|
||||
struct label *interpvnodelabel, struct image_params *imgp,
|
||||
struct label *execlabel)
|
||||
{
|
||||
|
||||
}
|
||||
@ -425,7 +426,7 @@ mac_none_execve_transition(struct ucred *old, struct ucred *new,
|
||||
static int
|
||||
mac_none_execve_will_transition(struct ucred *old, struct vnode *vp,
|
||||
struct label *vnodelabel, struct label *interpvnodelabel,
|
||||
struct image_params *imgp)
|
||||
struct image_params *imgp, struct label *execlabel)
|
||||
{
|
||||
|
||||
return (0);
|
||||
@ -689,7 +690,8 @@ mac_none_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
|
||||
|
||||
static int
|
||||
mac_none_check_vnode_exec(struct ucred *cred, struct vnode *vp,
|
||||
struct label *label, struct image_params *imgp)
|
||||
struct label *label, struct image_params *imgp,
|
||||
struct label *execlabel)
|
||||
{
|
||||
|
||||
return (0);
|
||||
|
@ -244,6 +244,24 @@ mac_partition_check_socket_visible(struct ucred *cred, struct socket *socket,
|
||||
return (error ? ENOENT : 0);
|
||||
}
|
||||
|
||||
static int
|
||||
mac_partition_check_vnode_exec(struct ucred *cred, struct vnode *vp,
|
||||
struct label *label, struct image_params *imgp, struct label *execlabel)
|
||||
{
|
||||
|
||||
if (execlabel != NULL) {
|
||||
/*
|
||||
* We currently don't permit labels to be changed at
|
||||
* exec-time as part of the partition model, so disallow
|
||||
* non-NULL partition label changes in execlabel.
|
||||
*/
|
||||
if (SLOT(execlabel) != 0)
|
||||
return (EINVAL);
|
||||
}
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
static struct mac_policy_ops mac_partition_ops =
|
||||
{
|
||||
.mpo_init = mac_partition_init,
|
||||
@ -261,6 +279,7 @@ static struct mac_policy_ops mac_partition_ops =
|
||||
.mpo_check_proc_sched = mac_partition_check_proc_sched,
|
||||
.mpo_check_proc_signal = mac_partition_check_proc_signal,
|
||||
.mpo_check_socket_visible = mac_partition_check_socket_visible,
|
||||
.mpo_check_vnode_exec = mac_partition_check_vnode_exec,
|
||||
};
|
||||
|
||||
MAC_POLICY_SET(&mac_partition_ops, trustedbsd_mac_partition,
|
||||
|
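Review bot: In mac_partition_check_vnode_exec the test `if (SLOT(execlabel) != 0)` relies on 0 meaning "no partition element was supplied", so an execlabel that explicitly names partition 0, if that is a valid value, is indistinguishable from one with no partition element and is allowed through; presumably 0 is the reserved unset value, but a one-line comment would make that explicit, e.g. `/* A partition slot of 0 means no partition element was supplied. */`. The function also returns EINVAL directly, whereas the biba and mls hunks make the equivalent decision through their `*_atmostflags` helpers and return whatever those produce; a comment on the chosen errno, or a matching helper, would keep the three modules consistent. The second hunk in this section only registers the new entry point in mac_partition_ops and needs no change.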
@ -417,7 +417,8 @@ mac_none_create_cred(struct ucred *cred_parent, struct ucred *cred_child)
|
||||
static void
|
||||
mac_none_execve_transition(struct ucred *old, struct ucred *new,
|
||||
struct vnode *vp, struct label *vnodelabel,
|
||||
struct label *interpvnodelabel, struct image_params *imgp)
|
||||
struct label *interpvnodelabel, struct image_params *imgp,
|
||||
struct label *execlabel)
|
||||
{
|
||||
|
||||
}
|
||||
@ -425,7 +426,7 @@ mac_none_execve_transition(struct ucred *old, struct ucred *new,
|
||||
static int
|
||||
mac_none_execve_will_transition(struct ucred *old, struct vnode *vp,
|
||||
struct label *vnodelabel, struct label *interpvnodelabel,
|
||||
struct image_params *imgp)
|
||||
struct image_params *imgp, struct label *execlabel)
|
||||
{
|
||||
|
||||
return (0);
|
||||
@ -689,7 +690,8 @@ mac_none_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
|
||||
|
||||
static int
|
||||
mac_none_check_vnode_exec(struct ucred *cred, struct vnode *vp,
|
||||
struct label *label, struct image_params *imgp)
|
||||
struct label *label, struct image_params *imgp,
|
||||
struct label *execlabel)
|
||||
{
|
||||
|
||||
return (0);
|
||||
|
@ -767,7 +767,8 @@ mac_test_create_cred(struct ucred *cred_parent, struct ucred *cred_child)
|
||||
static void
|
||||
mac_test_execve_transition(struct ucred *old, struct ucred *new,
|
||||
struct vnode *vp, struct label *filelabel,
|
||||
struct label *interpvnodelabel, struct image_params *imgp)
|
||||
struct label *interpvnodelabel, struct image_params *imgp,
|
||||
struct label *execlabel)
|
||||
{
|
||||
|
||||
}
|
||||
@ -775,7 +776,7 @@ mac_test_execve_transition(struct ucred *old, struct ucred *new,
|
||||
static int
|
||||
mac_test_execve_will_transition(struct ucred *old, struct vnode *vp,
|
||||
struct label *filelabel, struct label *interpvnodelabel,
|
||||
struct image_params *imgp)
|
||||
struct image_params *imgp, struct label *execlabel)
|
||||
{
|
||||
|
||||
return (0);
|
||||
@ -1016,7 +1017,8 @@ mac_test_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
|
||||
|
||||
static int
|
||||
mac_test_check_vnode_exec(struct ucred *cred, struct vnode *vp,
|
||||
struct label *label, struct image_params *imgp)
|
||||
struct label *label, struct image_params *imgp,
|
||||
struct label *execlabel)
|
||||
{
|
||||
|
||||
return (0);
|
||||
|