Introduce support for Mandatory Access Control and extensible

kernel access control. Invoke an appropriate MAC entry point to authorize execution of a file by a process. The check is placed slightly differently than it appears in the trustedbsd_mac tree so that it prevents a little more information leakage about the target of the execve() operation. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-08-01 14:31:58 +00:00 · 2002-08-01 14:31:58 +00:00 · 339b79b939
commit 339b79b939
parent abc1263a51
1 changed files with 9 additions and 0 deletions
--- a/sys/kern/kern_exec.c
+++ b/sys/kern/kern_exec.c
@ -27,6 +27,7 @@
 */

 #include "opt_ktrace.h"
+#include "opt_mac.h"

 #include <sys/param.h>
 #include <sys/systm.h>
@ -35,6 +36,7 @@
 #include <sys/sysproto.h>
 #include <sys/signalvar.h>
 #include <sys/kernel.h>
+#include <sys/mac.h>
 #include <sys/mount.h>
 #include <sys/filedesc.h>
 #include <sys/fcntl.h>
@ -909,6 +911,13 @@ exec_check_permissions(imgp)
 	int error;

 	td = curthread;			/* XXXKSE */
+
+#ifdef MAC
+	error = mac_check_vnode_exec(td->td_ucred, imgp->vp);
+	if (error)
+		return (error);
+#endif
+	
 	/* Get file attributes */
 	error = VOP_GETATTR(vp, attr, td->td_ucred, td);
 	if (error)