Introduce support for Mandatory Access Control and extensible

kernel access control.

Invoke an appropriate MAC entry point to authorize execution of
a file by a process.  The check is placed slightly differently
than it appears in the trustedbsd_mac tree so that it prevents
a little more information leakage about the target of the execve()
operation.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
This commit is contained in:
rwatson 2002-08-01 14:31:58 +00:00
parent 20339d90c0
commit d267bbc6ca

View File

@ -27,6 +27,7 @@
*/
#include "opt_ktrace.h"
#include "opt_mac.h"
#include <sys/param.h>
#include <sys/systm.h>
@ -35,6 +36,7 @@
#include <sys/sysproto.h>
#include <sys/signalvar.h>
#include <sys/kernel.h>
#include <sys/mac.h>
#include <sys/mount.h>
#include <sys/filedesc.h>
#include <sys/fcntl.h>
@ -909,6 +911,13 @@ exec_check_permissions(imgp)
int error;
td = curthread; /* XXXKSE */
#ifdef MAC
error = mac_check_vnode_exec(td->td_ucred, imgp->vp);
if (error)
return (error);
#endif
/* Get file attributes */
error = VOP_GETATTR(vp, attr, td->td_ucred, td);
if (error)