Date: Mon, 27 Jan 2003 12:25:03 -0800 (PST)
From: Brian Feldman <green@FreeBSD.org>
To: Perforce Change Reviews <perforce@freebsd.org>
Subject: PERFORCE change 24293 for review
Message-ID: <200301272025.h0RKP3b8006477@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=24293 Change 24293 by green@green_laptop_2 on 2003/01/27 12:24:09 Implement the missing self:fd {create} in SEBSD. Affected files ... .. //depot/projects/trustedbsd/sebsd/sys/kern/kern_descrip.c#3 edit .. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/sebsd.c#3 edit Differences ... ==== //depot/projects/trustedbsd/sebsd/sys/kern/kern_descrip.c#3 (text+ko) ==== @@ -1218,6 +1218,11 @@ register struct file *fp, *fq; int error, i; +#ifdef MAC + error = mac_check_file_create(td->td_ucred); + if (error) + return (error); +#endif fp = uma_zalloc(file_zone, M_WAITOK | M_ZERO); sx_xlock(&filelist_lock); if (nfiles >= maxfiles) { ==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/sebsd.c#3 (text+ko) ==== @@ -1558,10 +1558,20 @@ CAPABILITY__SYS_MODULE, NULL)); } +static int +sebsd_check_file_create(struct ucred *cred) +{ + struct task_security_struct *tsec; + + tsec = SLOT(&cred->cr_label); + return (avc_has_perm_audit(tsec->sid, tsec->sid, SECCLASS_FD, + FD__CREATE, NULL)); +} + /* - * Simplify all fd permissions to just "use" for now. The ones we implement - * in SEBSD roughly correlate to the SELinux FD__USE permissions, and not - * the fine-grained FLASK permissions. + * Simplify all other fd permissions to just "use" for now. The ones we + * implement in SEBSD roughly correlate to the SELinux FD__USE permissions, + * and not the fine-grained FLASK permissions. */ static int sebsd_check_file_get_flags(struct ucred *cred, struct file *fp, @@ -1686,6 +1696,7 @@ /* Check Labels */ .mpo_check_cred_relabel = sebsd_check_cred_relabel, + .mpo_check_file_create = sebsd_check_file_create, .mpo_check_file_get_flags = sebsd_check_file_get_flags, .mpo_check_file_get_ofileflags = sebsd_check_file_get_ofileflags, .mpo_check_file_get_offset = sebsd_check_file_get_offset, To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message
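Review bot: In the kern_descrip.c hunk (@@ -1218,6 +1218,11 @@), the new `#ifdef MAC` block adds an early error return with no comment explaining its placement. Calling `mac_check_file_create(td->td_ucred)` ahead of `uma_zalloc()` means a denial leaves nothing to free, which is the right order, but the function can now fail before the `nfiles >= maxfiles` test is reached. A one-line comment above the block saying that the policy is consulted before any file structure is allocated would record that the ordering is intentional, and callers should be checked for handling an error other than the table-full case.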
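Review bot: In the sebsd.c hunk at @@ -1558,10 +1558,20 @@, `sebsd_check_file_create()` passes `tsec->sid` as both the source and the target SID to `avc_has_perm_audit()` and carries no comment saying why. The change description calls this self:fd {create}, and the hook receives only the credential, so the subject's own SID standing in as the target is reasonable, but that should be stated in a short comment above the function. The reworded comment that follows it ("Simplify all other fd permissions ...") describes the later functions rather than this one, so it does not cover the point.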
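Review bot: The `.mpo_check_file_create = sebsd_check_file_create,` initializer in the sebsd.c hunk at @@ -1686,6 +1696,7 @@ depends on a matching member in the policy ops structure, and the kern_descrip.c hunk depends on a `mac_check_file_create()` entry point, yet only kern_descrip.c and sebsd.c are listed under Affected files. Confirm that both the ops member and the framework entry point are already in the branch from an earlier change, or include them here so this change builds on its own.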