Date: Mon, 13 Jan 2003 12:10:21 -0800 (PST) From: Brian Feldman <green@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 23690 for review Message-ID: <200301132010.h0DKAL95018634@repoman.freebsd.org>
next in thread | raw e-mail | index | archive | help
http://perforce.freebsd.org/chv.cgi?CH=23690 Change 23690 by green@green_laptop_2 on 2003/01/13 12:09:28 Add basic SEBSD entry points to implement a basic "KLD capability". Affected files ... .. //depot/projects/trustedbsd/mac/sys/security/sebsd/sebsd.c#66 edit Differences ... ==== //depot/projects/trustedbsd/mac/sys/security/sebsd/sebsd.c#66 (text+ko) ==== @@ -1488,6 +1488,54 @@ *(struct vnode_security_struct *)SLOT(src); } +/* + * Check for permission to load KLDs, given by the overly-broad + * capability:sys_module. + */ +static int +sebsd_check_kld_load(struct ucred *cred, struct vnode *vp, + struct label *vlabel) +{ + struct task_security_struct *tsec; + + tsec = SLOT(&cred->cr_label); + /* + * The vnode doesn't need to be checked here, since the read + * operations inside the kldload(2) implementation are + * individually checked against the same thread credentials. + */ + return (avc_has_perm_audit(tsec->sid, tsec->sid, SECCLASS_CAPABILITY, + CAPABILITY__SYS_MODULE, NULL)); +} + +/* + * Check for permission to query KLDs, given by the overly-broad + * capability:sys_module. + */ +static int +sebsd_check_kld_stat(struct ucred *cred) +{ + struct task_security_struct *tsec; + + tsec = SLOT(&cred->cr_label); + return (avc_has_perm_audit(tsec->sid, tsec->sid, SECCLASS_CAPABILITY, + CAPABILITY__SYS_MODULE, NULL)); +} + +/* + * Check for permission to unload KLDs, given by the overly-broad + * capability:sys_module. + */ +static int +sebsd_check_kld_unload(struct ucred *cred) +{ + struct task_security_struct *tsec; + + tsec = SLOT(&cred->cr_label); + return (avc_has_perm_audit(tsec->sid, tsec->sid, SECCLASS_CAPABILITY, + CAPABILITY__SYS_MODULE, NULL)); +} + static struct mac_policy_ops sebsd_ops = { /* Init Labels */ .mpo_init = sebsd_init, @@ -1530,6 +1578,9 @@ /* Check Labels */ .mpo_check_cred_relabel = sebsd_check_cred_relabel, + .mpo_check_kld_stat = sebsd_check_kld_stat, + .mpo_check_kld_load = sebsd_check_kld_load, + .mpo_check_kld_unload = sebsd_check_kld_unload, .mpo_check_mount_stat = sebsd_check_mount_stat, .mpo_check_proc_signal = sebsd_check_proc_signal, .mpo_check_system_swapon = sebsd_check_system_swapon, To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200301132010.h0DKAL95018634>