Implement mpo_check_kld_load() and mpo_check_kld_unload() for the Biba
MAC policy. To load a KLD, require that the subject hold Biba privilege, and the kernel module be marked as high integrity. To unload a KLD, require that the subject hold Biba privilege. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
This commit is contained in:
parent
61099be7de
commit
22a1b720c1
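--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -1542,6 +1542,43 @@ mac_biba_check_ifnet_transmit(struct ifnet *ifnet, struct label *ifnetlabel,
 return (mac_biba_single_in_range(p, i) ? 0 : EACCES);
 }
 
+static int
+mac_biba_check_kld_load(struct ucred *cred, struct vnode *vp,
+struct label *label)
+{
+struct mac_biba *subj, *obj;
+int error;
+
+if (!mac_biba_enabled)
+return (0);
+
+subj = SLOT(&cred->cr_label);
+
+error = mac_biba_subject_privileged(subj);
+if (error)
+return (error);
+
+obj = SLOT(label);
+if (!mac_biba_high_single(obj))
+return (EACCES);
+
+return (0);
+}
+
+
+static int
+mac_biba_check_kld_unload(struct ucred *cred)
+{
+struct mac_biba *subj;
+
+if (!mac_biba_enabled)
+return (0);
+
+subj = SLOT(&cred->cr_label);
+
+return (mac_biba_subject_privileged(subj));
+}
+
 static int
 mac_biba_check_mount_stat(struct ucred *cred, struct mount *mp,
 struct label *mntlabel)
@@ -2622,6 +2659,8 @@ static struct mac_policy_ops mac_biba_ops =
 .mpo_check_cred_visible = mac_biba_check_cred_visible,
 .mpo_check_ifnet_relabel = mac_biba_check_ifnet_relabel,
 .mpo_check_ifnet_transmit = mac_biba_check_ifnet_transmit,
+.mpo_check_kld_load = mac_biba_check_kld_load,
+.mpo_check_kld_unload = mac_biba_check_kld_unload,
 .mpo_check_mount_stat = mac_biba_check_mount_stat,
 .mpo_check_pipe_ioctl = mac_biba_check_pipe_ioctl,
 .mpo_check_pipe_poll = mac_biba_check_pipe_poll,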
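Review bot: The two new hooks in the first hunk carry no comment stating the policy they enforce, and the `vp` parameter of mac_biba_check_kld_load is never read, so a reader cannot tell whether the vnode was meant to be consulted or whether the label alone decides. A short block comment above mac_biba_check_kld_load would settle it, along the lines of `/* Loading a KLD places its code in the TCB: require Biba privilege on the subject and a high-integrity label on the module's vnode. vp itself is not consulted; only its label is. */`, and above mac_biba_check_kld_unload `/* Unloading requires only Biba privilege; no object label is checked. */`. It is also worth noting in the same comment that both hooks return 0 before any privilege check when mac_biba_enabled is clear, presumably matching the file's other hooks, so the early return is not misread as a bypass. The second hunk only wires the two hooks into mac_biba_ops and needs nothing further.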