Provide a mac_check_system_swapoff() entry point, which permits MAC modules to authorize disabling of swap against a particular vnode.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
Robert Watson 2003-03-05 23:50:15 +00:00
parent a184d471e2
commit 1b2c2ab29a
14 changed files with 140 additions and 0 deletions


@ -2693,6 +2693,20 @@ mac_check_system_swapon(struct ucred *cred, struct vnode *vp)
return (error);
}
int
mac_check_system_swapoff(struct ucred *cred, struct vnode *vp)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_check_system_swapoff");
if (!mac_enforce_system)
return (0);
MAC_CHECK(check_system_swapoff, cred, vp, &vp->v_label);
return (error);
}
int
mac_check_system_sysctl(struct ucred *cred, int *name, u_int namelen,
void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen)
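Review bot: The new mac_check_system_swapoff() has no header comment stating its contract, even though the ASSERT_VOP_LOCKED on the line after `int error;` shows the caller must hold the vnode lock and the early `return (0)` shows no policy is consulted while mac_enforce_system is clear. I would add, above the definition and matching the swapon entry point right before it, `/* Authorize swapoff(2) on vp for cred. Caller must hold the vnode lock. Returns 0 to permit, or the error left in "error" by MAC_CHECK; skipped when mac_enforce_system is 0. */`. `error` is assigned only inside MAC_CHECK, which is defined outside this hunk, so the uninitialized declaration relies on that macro always writing it; worth confirming once. The identical hunk appears in the sections at L34, L64, L83, L102, L133, L152, L171 and L190, and the same comment applies to each copy.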


@ -2693,6 +2693,20 @@ mac_check_system_swapon(struct ucred *cred, struct vnode *vp)
return (error);
}
int
mac_check_system_swapoff(struct ucred *cred, struct vnode *vp)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_check_system_swapoff");
if (!mac_enforce_system)
return (0);
MAC_CHECK(check_system_swapoff, cred, vp, &vp->v_label);
return (error);
}
int
mac_check_system_sysctl(struct ucred *cred, int *name, u_int namelen,
void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen)


@ -269,6 +269,7 @@ int mac_check_system_nfsd(struct ucred *cred);
int mac_check_system_reboot(struct ucred *cred, int howto);
int mac_check_system_settime(struct ucred *cred);
int mac_check_system_swapon(struct ucred *cred, struct vnode *vp);
int mac_check_system_swapoff(struct ucred *cred, struct vnode *vp);
int mac_check_system_sysctl(struct ucred *cred, int *name,
u_int namelen, void *old, size_t *oldlenp, int inkernel,
void *new, size_t newlen);


@ -2693,6 +2693,20 @@ mac_check_system_swapon(struct ucred *cred, struct vnode *vp)
return (error);
}
int
mac_check_system_swapoff(struct ucred *cred, struct vnode *vp)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_check_system_swapoff");
if (!mac_enforce_system)
return (0);
MAC_CHECK(check_system_swapoff, cred, vp, &vp->v_label);
return (error);
}
int
mac_check_system_sysctl(struct ucred *cred, int *name, u_int namelen,
void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen)


@ -2693,6 +2693,20 @@ mac_check_system_swapon(struct ucred *cred, struct vnode *vp)
return (error);
}
int
mac_check_system_swapoff(struct ucred *cred, struct vnode *vp)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_check_system_swapoff");
if (!mac_enforce_system)
return (0);
MAC_CHECK(check_system_swapoff, cred, vp, &vp->v_label);
return (error);
}
int
mac_check_system_sysctl(struct ucred *cred, int *name, u_int namelen,
void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen)


@ -2693,6 +2693,20 @@ mac_check_system_swapon(struct ucred *cred, struct vnode *vp)
return (error);
}
int
mac_check_system_swapoff(struct ucred *cred, struct vnode *vp)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_check_system_swapoff");
if (!mac_enforce_system)
return (0);
MAC_CHECK(check_system_swapoff, cred, vp, &vp->v_label);
return (error);
}
int
mac_check_system_sysctl(struct ucred *cred, int *name, u_int namelen,
void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen)


@ -329,6 +329,8 @@ struct mac_policy_ops {
int (*mpo_check_system_settime)(struct ucred *cred);
int (*mpo_check_system_swapon)(struct ucred *cred,
struct vnode *vp, struct label *label);
int (*mpo_check_system_swapoff)(struct ucred *cred,
struct vnode *vp, struct label *label);
int (*mpo_check_system_sysctl)(struct ucred *cred, int *name,
u_int namelen, void *old, size_t *oldlenp, int inkernel,
void *new, size_t newlen);
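Review bot: The new mpo_check_system_swapoff member is inserted between mpo_check_system_swapon and mpo_check_system_sysctl rather than appended, which shifts the offset of every later member of struct mac_policy_ops; whether a policy module built against the previous layout is affected depends on how the ops table is populated, which is outside this hunk, so it is worth confirming that modules fill the struct by entry-point constant and not by positional initializer. The member also carries no comment telling a policy author what `label` is; the call sites in this commit pass `&vp->v_label`, so a one-line comment such as `/* swapoff(2): cred disables swap on vp; label is vp's label, vnode lock held by caller */` would make the ops contract self-describing. The same addition appears in the section at L220. struct mac_policy_ops begins and ends outside this hunk.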


@ -2693,6 +2693,20 @@ mac_check_system_swapon(struct ucred *cred, struct vnode *vp)
return (error);
}
int
mac_check_system_swapoff(struct ucred *cred, struct vnode *vp)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_check_system_swapoff");
if (!mac_enforce_system)
return (0);
MAC_CHECK(check_system_swapoff, cred, vp, &vp->v_label);
return (error);
}
int
mac_check_system_sysctl(struct ucred *cred, int *name, u_int namelen,
void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen)


@ -2693,6 +2693,20 @@ mac_check_system_swapon(struct ucred *cred, struct vnode *vp)
return (error);
}
int
mac_check_system_swapoff(struct ucred *cred, struct vnode *vp)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_check_system_swapoff");
if (!mac_enforce_system)
return (0);
MAC_CHECK(check_system_swapoff, cred, vp, &vp->v_label);
return (error);
}
int
mac_check_system_sysctl(struct ucred *cred, int *name, u_int namelen,
void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen)


@ -2693,6 +2693,20 @@ mac_check_system_swapon(struct ucred *cred, struct vnode *vp)
return (error);
}
int
mac_check_system_swapoff(struct ucred *cred, struct vnode *vp)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_check_system_swapoff");
if (!mac_enforce_system)
return (0);
MAC_CHECK(check_system_swapoff, cred, vp, &vp->v_label);
return (error);
}
int
mac_check_system_sysctl(struct ucred *cred, int *name, u_int namelen,
void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen)


@ -2693,6 +2693,20 @@ mac_check_system_swapon(struct ucred *cred, struct vnode *vp)
return (error);
}
int
mac_check_system_swapoff(struct ucred *cred, struct vnode *vp)
{
int error;
ASSERT_VOP_LOCKED(vp, "mac_check_system_swapoff");
if (!mac_enforce_system)
return (0);
MAC_CHECK(check_system_swapoff, cred, vp, &vp->v_label);
return (error);
}
int
mac_check_system_sysctl(struct ucred *cred, int *name, u_int namelen,
void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen)


@ -269,6 +269,7 @@ int mac_check_system_nfsd(struct ucred *cred);
int mac_check_system_reboot(struct ucred *cred, int howto);
int mac_check_system_settime(struct ucred *cred);
int mac_check_system_swapon(struct ucred *cred, struct vnode *vp);
int mac_check_system_swapoff(struct ucred *cred, struct vnode *vp);
int mac_check_system_sysctl(struct ucred *cred, int *name,
u_int namelen, void *old, size_t *oldlenp, int inkernel,
void *new, size_t newlen);


@ -329,6 +329,8 @@ struct mac_policy_ops {
int (*mpo_check_system_settime)(struct ucred *cred);
int (*mpo_check_system_swapon)(struct ucred *cred,
struct vnode *vp, struct label *label);
int (*mpo_check_system_swapoff)(struct ucred *cred,
struct vnode *vp, struct label *label);
int (*mpo_check_system_sysctl)(struct ucred *cred, int *name,
u_int namelen, void *old, size_t *oldlenp, int inkernel,
void *new, size_t newlen);


@ -433,6 +433,14 @@ swapoff(td, uap)
error = EINVAL;
goto done;
found:
#ifdef MAC
(void) vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
error = mac_check_system_swapoff(td->td_ucred, vp);
(void) VOP_UNLOCK(vp, 0, td);
if (error != 0)
goto done;
#endif
nblks = sp->sw_nblks;
/*
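Review bot: The status of vn_lock() is discarded with `(void)` immediately before mac_check_system_swapoff() is called, and that callee asserts the vnode is locked; if vn_lock() can still fail here despite LK_RETRY (for instance on a vnode being reclaimed), the check would run on an unlocked vnode, so I would propagate the result: `error = vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);` followed by `if (error != 0) goto done;`, assuming `done:` performs no vnode unlock, which is outside the hunk. A short comment on why the lock is taken only around the check would help the next reader, e.g. `/* The MAC check reads vp->v_label and requires the vnode lock; it is dropped again right after the decision. */`. swapoff() itself begins and ends outside this hunk.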