Introduce support for Mandatory Access Control and extensible
kernel access control. Invoke an appropriate MAC entry point to authorize execution of a file by a process. The check is placed slightly differently than it appears in the trustedbsd_mac tree so that it prevents a little more information leakage about the target of the execve() operation. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
This commit is contained in:
parent
20339d90c0
commit
d267bbc6ca
@ -27,6 +27,7 @@
|
||||
*/
|
||||
|
||||
#include "opt_ktrace.h"
|
||||
#include "opt_mac.h"
|
||||
|
||||
#include <sys/param.h>
|
||||
#include <sys/systm.h>
|
||||
@ -35,6 +36,7 @@
|
||||
#include <sys/sysproto.h>
|
||||
#include <sys/signalvar.h>
|
||||
#include <sys/kernel.h>
|
||||
#include <sys/mac.h>
|
||||
#include <sys/mount.h>
|
||||
#include <sys/filedesc.h>
|
||||
#include <sys/fcntl.h>
|
||||
@ -909,6 +911,13 @@ exec_check_permissions(imgp)
|
||||
int error;
|
||||
|
||||
td = curthread; /* XXXKSE */
|
||||
|
||||
#ifdef MAC
|
||||
error = mac_check_vnode_exec(td->td_ucred, imgp->vp);
|
||||
if (error)
|
||||
return (error);
|
||||
#endif
|
||||
|
||||
/* Get file attributes */
|
||||
error = VOP_GETATTR(vp, attr, td->td_ucred, td);
|
||||
if (error)
|
||||
|
Loading…
Reference in New Issue
Block a user