Date: Fri, 31 Aug 2007 12:36:56 GMT From: Robert Watson <rwatson@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 125888 for review Message-ID: <200708311236.l7VCauKP014808@repoman.freebsd.org>
next in thread | raw e-mail | index | archive | help
http://perforce.freebsd.org/chv.cgi?CH=125888 Change 125888 by rwatson@rwatson_zoo on 2007/08/31 12:36:24 Finish getting MAC branch building after integration. Affected files ... .. //depot/projects/trustedbsd/mac/sys/security/mac/mac_policy.h#6 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_chkexec/mac_chkexec.c#18 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_suidacl/mac_suidacl.c#5 edit Differences ... ==== //depot/projects/trustedbsd/mac/sys/security/mac/mac_policy.h#6 (text+ko) ==== @@ -519,6 +519,10 @@ typedef int (*mpo_check_system_sysctl_t)(struct ucred *cred, struct sysctl_oid *oidp, void *arg1, int arg2, struct sysctl_req *req); +typedef int (*mpo_thread_syscall_enter_t)(struct thread *td, int *args, + int code); +typedef void (*mpo_thread_syscall_exit_t)(struct thread *td, int *args, + int code, int error); typedef int (*mpo_check_vnode_access_t)(struct ucred *cred, struct vnode *vp, struct label *vplabel, int acc_mode); typedef int (*mpo_check_vnode_chdir_t)(struct ucred *cred, @@ -868,7 +872,8 @@ mpo_check_system_swapon_t mpo_check_system_swapon; mpo_check_system_swapoff_t mpo_check_system_swapoff; mpo_check_system_sysctl_t mpo_check_system_sysctl; - mpo_placeholder_t _mpo_placeholder23; + mpo_thread_syscall_enter_t mpo_thread_syscall_enter; + mpo_thread_syscall_exit_t mpo_thread_syscall_exit; mpo_check_vnode_access_t mpo_check_vnode_access; mpo_check_vnode_chdir_t mpo_check_vnode_chdir; mpo_check_vnode_chroot_t mpo_check_vnode_chroot; ==== //depot/projects/trustedbsd/mac/sys/security/mac_chkexec/mac_chkexec.c#18 (text+ko) ==== @@ -42,6 +42,7 @@ #include <sys/sysproto.h> #include <sys/sysent.h> #include <sys/sx.h> +#include <sys/priv.h> #include <sys/queue.h> #include <sys/tree.h> #include <sys/vnode.h> @@ -831,7 +832,7 @@ * Only superuser may modify the extended attribute namespace associated * with this files checksum. */ - error = suser(td); + error = priv_check(td, PRIV_VFS_EXTATTR_SYSTEM); if (error) return (error); ha = mac_chkexec_get_algo(); ==== //depot/projects/trustedbsd/mac/sys/security/mac_suidacl/mac_suidacl.c#5 (text+ko) ==== @@ -39,6 +39,7 @@ #include <sys/malloc.h> #include <sys/mount.h> #include <sys/mutex.h> +#include <sys/priv.h> #include <sys/proc.h> #include <sys/systm.h> #include <sys/sysproto.h> @@ -341,7 +342,11 @@ int error = 0; struct rule *current; - if ((mac_suidacl_enabled == 0) || !suser_cred(cred, 0)) + /* + * XXXRW: A better privilege selection might be used here. + */ + if ((mac_suidacl_enabled == 0) || !priv_check_cred(cred, + PRIV_CRED_SETUID, 0)) return (0); mtx_lock(&rule_mtx);
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200708311236.l7VCauKP014808>