Expand scope of the Biba policy to include some of the new entry
points available for enforcement:

  mac_biba_check_sysarch_ioperm() - Require Biba privilege to make
  use of privileged machine-dependent interfaces, protecting against
  bypass of the policy via various mechanisms.

  mac_biba_check_system_swapoff() - Require Biba privilege to disable
  swapping against a vnode target.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
rwatson 2003-03-25 01:10:54 +00:00
parent a1a4db3471
commit 5ad4b8c16b


@ -1877,6 +1877,24 @@ mac_biba_check_socket_visible(struct ucred *cred, struct socket *socket,
return (0); return (0);
} }
static int
mac_biba_check_sysarch_ioperm(struct ucred *cred)
{
struct mac_biba *subj;
int error;
if (!mac_biba_enabled)
return (0);
subj = SLOT(&cred->cr_label);
error = mac_biba_subject_privileged(subj);
if (error)
return (error);
return (0);
}
static int static int
mac_biba_check_system_acct(struct ucred *cred, struct vnode *vp, mac_biba_check_system_acct(struct ucred *cred, struct vnode *vp,
struct label *label) struct label *label)
@ -1944,6 +1962,26 @@ mac_biba_check_system_swapon(struct ucred *cred, struct vnode *vp,
return (0); return (0);
} }
static int
mac_biba_check_system_swapoff(struct ucred *cred, struct vnode *vp,
struct label *label)
{
struct mac_biba *subj, *obj;
int error;
if (!mac_biba_enabled)
return (0);
subj = SLOT(&cred->cr_label);
obj = SLOT(label);
error = mac_biba_subject_privileged(subj);
if (error)
return (error);
return (0);
}
static int static int
mac_biba_check_system_sysctl(struct ucred *cred, int *name, u_int namelen, mac_biba_check_system_sysctl(struct ucred *cred, int *name, u_int namelen,
void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen) void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen)
@ -2674,9 +2712,11 @@ static struct mac_policy_ops mac_biba_ops =
.mpo_check_socket_deliver = mac_biba_check_socket_deliver, .mpo_check_socket_deliver = mac_biba_check_socket_deliver,
.mpo_check_socket_relabel = mac_biba_check_socket_relabel, .mpo_check_socket_relabel = mac_biba_check_socket_relabel,
.mpo_check_socket_visible = mac_biba_check_socket_visible, .mpo_check_socket_visible = mac_biba_check_socket_visible,
.mpo_check_sysarch_ioperm = mac_biba_check_sysarch_ioperm,
.mpo_check_system_acct = mac_biba_check_system_acct, .mpo_check_system_acct = mac_biba_check_system_acct,
.mpo_check_system_settime = mac_biba_check_system_settime, .mpo_check_system_settime = mac_biba_check_system_settime,
.mpo_check_system_swapon = mac_biba_check_system_swapon, .mpo_check_system_swapon = mac_biba_check_system_swapon,
.mpo_check_system_swapoff = mac_biba_check_system_swapoff,
.mpo_check_system_sysctl = mac_biba_check_system_sysctl, .mpo_check_system_sysctl = mac_biba_check_system_sysctl,
.mpo_check_vnode_access = mac_biba_check_vnode_open, .mpo_check_vnode_access = mac_biba_check_vnode_open,
.mpo_check_vnode_chdir = mac_biba_check_vnode_chdir, .mpo_check_vnode_chdir = mac_biba_check_vnode_chdir,
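Review bot: In mac_biba_check_system_swapoff() (second hunk), `obj = SLOT(label);` is assigned but never read, so the vnode's label has no influence on the decision even though the commit message describes the check as being against a vnode target. If a subject-only privilege test is intended, drop `obj` and its assignment and add a comment above the privilege call, e.g. `/* Only the subject is checked; the swap vnode's label is deliberately ignored. */`. If an integrity test on the target was intended, it is missing here. The body of mac_biba_check_system_swapon() lies outside the hunk, so compare the two to confirm that enabling and disabling swap on the same vnode are held to the same rule. Both new functions are fully contained in their hunks.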