Expand scope of the Biba policy to include some of the new entry
points available for enforcement: mac_biba_check_sysarch_ioperm() - Require Biba privilege to make use of privileged machine-dependent interfaces, protecting against bypass of the policy via various mechanisms. mac_biba_check_system_swapoff() - Require Biba privilege to disable swapping against a vnode target. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
This commit is contained in:
parent
a1a4db3471
commit
5ad4b8c16b
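--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -1877,6 +1877,24 @@ mac_biba_check_socket_visible(struct ucred *cred, struct socket *socket,
 return (0);
 }
 
+static int
+mac_biba_check_sysarch_ioperm(struct ucred *cred)
+{
+struct mac_biba *subj;
+int error;
+
+if (!mac_biba_enabled)
+return (0);
+
+subj = SLOT(&cred->cr_label);
+
+error = mac_biba_subject_privileged(subj);
+if (error)
+return (error);
+
+return (0);
+}
+
 static int
 mac_biba_check_system_acct(struct ucred *cred, struct vnode *vp,
 struct label *label)
@@ -1944,6 +1962,26 @@ mac_biba_check_system_swapon(struct ucred *cred, struct vnode *vp,
 return (0);
 }
 
+static int
+mac_biba_check_system_swapoff(struct ucred *cred, struct vnode *vp,
+struct label *label)
+{
+struct mac_biba *subj, *obj;
+int error;
+
+if (!mac_biba_enabled)
+return (0);
+
+subj = SLOT(&cred->cr_label);
+obj = SLOT(label);
+
+error = mac_biba_subject_privileged(subj);
+if (error)
+return (error);
+
+return (0);
+}
+
 static int
 mac_biba_check_system_sysctl(struct ucred *cred, int *name, u_int namelen,
 void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen)
@@ -2674,9 +2712,11 @@ static struct mac_policy_ops mac_biba_ops =
 .mpo_check_socket_deliver = mac_biba_check_socket_deliver,
 .mpo_check_socket_relabel = mac_biba_check_socket_relabel,
 .mpo_check_socket_visible = mac_biba_check_socket_visible,
+.mpo_check_sysarch_ioperm = mac_biba_check_sysarch_ioperm,
 .mpo_check_system_acct = mac_biba_check_system_acct,
 .mpo_check_system_settime = mac_biba_check_system_settime,
 .mpo_check_system_swapon = mac_biba_check_system_swapon,
+.mpo_check_system_swapoff = mac_biba_check_system_swapoff,
 .mpo_check_system_sysctl = mac_biba_check_system_sysctl,
 .mpo_check_vnode_access = mac_biba_check_vnode_open,
 .mpo_check_vnode_chdir = mac_biba_check_vnode_chdir,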
|