Introduce support for Mandatory Access Control and extensible
kernel access control.

Instrument chdir() and chroot()-related system calls to invoke
appropriate MAC entry points to authorize the two operations.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
rwatson 2002-08-01 03:50:08 +00:00
parent 12992268bc
commit fff16f04c3
2 changed files with 24 additions and 0 deletions


@ -397,6 +397,10 @@ fchdir(td, uap)
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
if (vp->v_type != VDIR)
error = ENOTDIR;
#ifdef MAC
else if ((error = mac_check_vnode_chdir(td->td_ucred, vp)) != 0) {
}
#endif
else
error = VOP_ACCESS(vp, VEXEC, td->td_ucred, td);
while (!error && (mp = vp->v_mountedhere) != NULL) {
@ -524,6 +528,10 @@ chroot(td, uap)
mtx_lock(&Giant);
if ((error = change_dir(&nd, td)) != 0)
goto error;
#ifdef MAC
if ((error = mac_check_vnode_chroot(td->td_ucred, nd.ni_vp)))
goto error;
#endif
FILEDESC_LOCK(fdp);
if (chroot_allow_open_directories == 0 ||
(chroot_allow_open_directories == 1 && fdp->fd_rdir != rootvnode)) {
@ -567,6 +575,10 @@ change_dir(ndp, td)
vp = ndp->ni_vp;
if (vp->v_type != VDIR)
error = ENOTDIR;
#ifdef MAC
else if ((error = mac_check_vnode_chdir(td->td_ucred, vp)) != 0) {
}
#endif
else
error = VOP_ACCESS(vp, VEXEC, td->td_ucred, td);
if (error)
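Review bot: In the chroot() hunk the new `mac_check_vnode_chroot(td->td_ucred, nd.ni_vp)` runs after change_dir() has returned, so the lock state of nd.ni_vp at that point depends on the tail of change_dir(), which is outside these hunks. If change_dir() unlocks the vnode on success, the policy would read the vnode label unlocked, unlike the chdir checks in fchdir() and change_dir(), which sit between the lock and VOP_ACCESS(). The denial path needs the same look: `goto error` was previously taken here only when change_dir() itself failed, so the `error:` label (not visible) may not release the reference still held on nd.ni_vp when the MAC check refuses. Once confirmed, I would state the contract above the check, e.g. `/* nd.ni_vp is referenced here; MAC check requires it locked; error: must release it */`. The second file section on this page carries the same three hunks and the same question.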


@ -397,6 +397,10 @@ fchdir(td, uap)
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
if (vp->v_type != VDIR)
error = ENOTDIR;
#ifdef MAC
else if ((error = mac_check_vnode_chdir(td->td_ucred, vp)) != 0) {
}
#endif
else
error = VOP_ACCESS(vp, VEXEC, td->td_ucred, td);
while (!error && (mp = vp->v_mountedhere) != NULL) {
@ -524,6 +528,10 @@ chroot(td, uap)
mtx_lock(&Giant);
if ((error = change_dir(&nd, td)) != 0)
goto error;
#ifdef MAC
if ((error = mac_check_vnode_chroot(td->td_ucred, nd.ni_vp)))
goto error;
#endif
FILEDESC_LOCK(fdp);
if (chroot_allow_open_directories == 0 ||
(chroot_allow_open_directories == 1 && fdp->fd_rdir != rootvnode)) {
@ -567,6 +575,10 @@ change_dir(ndp, td)
vp = ndp->ni_vp;
if (vp->v_type != VDIR)
error = ENOTDIR;
#ifdef MAC
else if ((error = mac_check_vnode_chdir(td->td_ucred, vp)) != 0) {
}
#endif
else
error = VOP_ACCESS(vp, VEXEC, td->td_ucred, td);
if (error)
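Review bot: The empty-bodied `else if ((error = mac_check_vnode_chdir(td->td_ucred, vp)) != 0) { }` in the fchdir() and change_dir() hunks exists only to splice the MAC call into the if/else chain under `#ifdef MAC`, and it reads like a forgotten body. Assuming `error` is zero on entry to the chain (the preceding lines are outside the hunks), a sequential form keeps the same order of type check, MAC, then DAC: `if (error == 0) error = mac_check_vnode_chdir(td->td_ucred, vp);` inside the `#ifdef`, followed by `if (error == 0) error = VOP_ACCESS(vp, VEXEC, td->td_ucred, td);`. Whichever form stays, a comment such as `/* a MAC denial skips the VOP_ACCESS() check and its errno is what the caller sees */` would record that the ordering is deliberate. Both functions continue past their hunks, and the first file section on this page has the same construct.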