Date: Mon, 20 Oct 2003 16:46:37 -0700 (PDT) From: Robert Watson <rwatson@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 40045 for review Message-ID: <200310202346.h9KNkbS3000645@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=40045 Change 40045 by rwatson@rwatson_tislabs on 2003/10/20 16:46:01 Trim system privilege checks from kern_mac.c since they now live in mac_system.c. Affected files ... .. //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#414 edit Differences ...
==== //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#414 (text+ko) ====
@@ -145,11 +145,6 @@
 &mac_enforce_fs, 0, "Enforce MAC policy on file system objects");
 TUNABLE_INT("security.mac.enforce_fs", &mac_enforce_fs);
-static int mac_enforce_kld = 1;
-SYSCTL_INT(_security_mac, OID_AUTO, enforce_kld, CTLFLAG_RW,
- &mac_enforce_kld, 0, "Enforce MAC policy on kld operations");
-TUNABLE_INT("security.mac.enforce_kld", &mac_enforce_kld);
-
 static int mac_enforce_network = 1;
 SYSCTL_INT(_security_mac, OID_AUTO, enforce_network, CTLFLAG_RW,
 &mac_enforce_network, 0, "Enforce MAC policy on network packets");
@@ -165,11 +160,6 @@
 &mac_enforce_socket, 0, "Enforce MAC policy on socket operations");
 TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket);
-static int mac_enforce_system = 1;
-SYSCTL_INT(_security_mac, OID_AUTO, enforce_system, CTLFLAG_RW,
- &mac_enforce_system, 0, "Enforce MAC policy on system operations");
-TUNABLE_INT("security.mac.enforce_system", &mac_enforce_system);
-
 static int mac_enforce_sysv = 1;
 SYSCTL_INT(_security_mac, OID_AUTO, enforce_sysv, CTLFLAG_RW,
 &mac_enforce_sysv, 0, "Enforce MAC policy on System V IPC objects");
@@ -2672,99 +2662,6 @@
 }
 int
-mac_check_kenv_dump(struct ucred *cred)
-{
- int error;
-
- if (!mac_enforce_system)
- return (0);
-
- MAC_CHECK(check_kenv_dump, cred);
-
- return (error);
-}
-
-int
-mac_check_kenv_get(struct ucred *cred, char *name)
-{
- int error;
-
- if (!mac_enforce_system)
- return (0);
-
- MAC_CHECK(check_kenv_get, cred, name);
-
- return (error);
-}
-
-int
-mac_check_kenv_set(struct ucred *cred, char *name, char *value)
-{
- int error;
-
- if (!mac_enforce_system)
- return (0);
-
- MAC_CHECK(check_kenv_set, cred, name, value);
-
- return (error);
-}
-
-int
-mac_check_kenv_unset(struct ucred *cred, char *name)
-{
- int error;
-
- if (!mac_enforce_system)
- return (0);
-
- MAC_CHECK(check_kenv_unset, cred, name);
-
- return (error);
-}
-
-int
-mac_check_kld_load(struct ucred *cred, struct vnode *vp)
-{
- int error;
-
- ASSERT_VOP_LOCKED(vp, "mac_check_kld_load");
-
- if (!mac_enforce_kld)
- return (0);
-
- MAC_CHECK(check_kld_load, cred, vp, &vp->v_label);
-
- return (error);
-}
-
-int
-mac_check_kld_stat(struct ucred *cred)
-{
- int error;
-
- if (!mac_enforce_kld)
- return (0);
-
- MAC_CHECK(check_kld_stat, cred);
-
- return (error);
-}
-
-int
-mac_check_kld_unload(struct ucred *cred)
-{
- int error;
-
- if (!mac_enforce_kld)
- return (0);
-
- MAC_CHECK(check_kld_unload, cred);
-
- return (error);
-}
-
-int
 mac_check_mount_stat(struct ucred *cred, struct mount *mount)
 {
 int error;
@@ -2948,122 +2845,6 @@
 }
 int
-mac_check_sysarch_ioperm(struct ucred *cred)
-{
- int error;
-
- if (!mac_enforce_system)
- return (0);
-
- MAC_CHECK(check_sysarch_ioperm, cred);
- return (error);
-}
-
-int
-mac_check_system_acct(struct ucred *cred, struct vnode *vp)
-{
- int error;
-
- if (vp != NULL) {
- ASSERT_VOP_LOCKED(vp, "mac_check_system_acct");
- }
-
- if (!mac_enforce_system)
- return (0);
-
- MAC_CHECK(check_system_acct, cred, vp,
- vp != NULL ? &vp->v_label : NULL);
-
- return (error);
-}
-
-int
-mac_check_system_nfsd(struct ucred *cred)
-{
- int error;
-
- if (!mac_enforce_system)
- return (0);
-
- MAC_CHECK(check_system_nfsd, cred);
-
- return (error);
-}
-
-int
-mac_check_system_reboot(struct ucred *cred, int howto)
-{
- int error;
-
- if (!mac_enforce_system)
- return (0);
-
- MAC_CHECK(check_system_reboot, cred, howto);
-
- return (error);
-}
-
-int
-mac_check_system_settime(struct ucred *cred)
-{
- int error;
-
- if (!mac_enforce_system)
- return (0);
-
- MAC_CHECK(check_system_settime, cred);
-
- return (error);
-}
-
-int
-mac_check_system_swapon(struct ucred *cred, struct vnode *vp)
-{
- int error;
-
- ASSERT_VOP_LOCKED(vp, "mac_check_system_swapon");
-
- if (!mac_enforce_system)
- return (0);
-
- MAC_CHECK(check_system_swapon, cred, vp, &vp->v_label);
- return (error);
-}
-
-int
-mac_check_system_swapoff(struct ucred *cred, struct vnode *vp)
-{
- int error;
-
- ASSERT_VOP_LOCKED(vp, "mac_check_system_swapoff");
-
- if (!mac_enforce_system)
- return (0);
-
- MAC_CHECK(check_system_swapoff, cred, vp, &vp->v_label);
- return (error);
-}
-
-int
-mac_check_system_sysctl(struct ucred *cred, int *name, u_int namelen,
- void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen)
-{
- int error;
-
- /*
- * XXXMAC: We're very much like to assert the SYSCTL_LOCK here,
- * but since it's not exported from kern_sysctl.c, we can't.
- */
- if (!mac_enforce_system)
- return (0);
-
- MAC_CHECK(check_system_sysctl, cred, name, namelen, old, oldlenp,
- inkernel, new, newlen);
-
- return (error);
-}
-
-int
 mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr, struct ifnet *ifnet)
 {