From owner-p4-projects Mon Jan 27 12:25: 7 2003 Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 9E01237B405; Mon, 27 Jan 2003 12:25:04 -0800 (PST) Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 336D037B401 for ; Mon, 27 Jan 2003 12:25:04 -0800 (PST) Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id BC6FA43ED8 for ; Mon, 27 Jan 2003 12:25:03 -0800 (PST) (envelope-from green@freebsd.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.12.6/8.12.6) with ESMTP id h0RKP3bv006484 for ; Mon, 27 Jan 2003 12:25:03 -0800 (PST) (envelope-from green@freebsd.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.12.6/8.12.6/Submit) id h0RKP3b8006477 for perforce@freebsd.org; Mon, 27 Jan 2003 12:25:03 -0800 (PST) Date: Mon, 27 Jan 2003 12:25:03 -0800 (PST) Message-Id: <200301272025.h0RKP3b8006477@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to green@freebsd.org using -f From: Brian Feldman Subject: PERFORCE change 24293 for review To: Perforce Change Reviews Sender: owner-p4-projects@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG http://perforce.freebsd.org/chv.cgi?CH=24293 Change 24293 by green@green_laptop_2 on 2003/01/27 12:24:09 Implement the missing self:fd {create} in SEBSD. Affected files ... .. //depot/projects/trustedbsd/sebsd/sys/kern/kern_descrip.c#3 edit .. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/sebsd.c#3 edit Differences ... ==== //depot/projects/trustedbsd/sebsd/sys/kern/kern_descrip.c#3 (text+ko) ==== @@ -1218,6 +1218,11 @@ register struct file *fp, *fq; int error, i; +#ifdef MAC + error = mac_check_file_create(td->td_ucred); + if (error) + return (error); +#endif fp = uma_zalloc(file_zone, M_WAITOK | M_ZERO); sx_xlock(&filelist_lock); if (nfiles >= maxfiles) { ==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/sebsd.c#3 (text+ko) ==== @@ -1558,10 +1558,20 @@ CAPABILITY__SYS_MODULE, NULL)); } +static int +sebsd_check_file_create(struct ucred *cred) +{ + struct task_security_struct *tsec; + + tsec = SLOT(&cred->cr_label); + return (avc_has_perm_audit(tsec->sid, tsec->sid, SECCLASS_FD, + FD__CREATE, NULL)); +} + /* - * Simplify all fd permissions to just "use" for now. The ones we implement - * in SEBSD roughly correlate to the SELinux FD__USE permissions, and not - * the fine-grained FLASK permissions. + * Simplify all other fd permissions to just "use" for now. The ones we + * implement in SEBSD roughly correlate to the SELinux FD__USE permissions, + * and not the fine-grained FLASK permissions. */ static int sebsd_check_file_get_flags(struct ucred *cred, struct file *fp, @@ -1686,6 +1696,7 @@ /* Check Labels */ .mpo_check_cred_relabel = sebsd_check_cred_relabel, + .mpo_check_file_create = sebsd_check_file_create, .mpo_check_file_get_flags = sebsd_check_file_get_flags, .mpo_check_file_get_ofileflags = sebsd_check_file_get_ofileflags, .mpo_check_file_get_offset = sebsd_check_file_get_offset, To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message