From owner-cvs-all  Sun Oct 27  0:13:34 2002
Delivered-To: cvs-all@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id 8603337B401; Sun, 27 Oct 2002 00:13:33 -0700 (PDT)
Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id 0847243E6E; Sun, 27 Oct 2002 00:13:33 -0700 (PDT)
	(envelope-from rwatson@FreeBSD.org)
Received: from repoman.freebsd.org (localhost [127.0.0.1])
	by repoman.freebsd.org (8.12.6/8.12.6) with ESMTP id g9R7CZmV076960;
	Sun, 27 Oct 2002 00:12:35 -0700 (PDT)
	(envelope-from rwatson@repoman.freebsd.org)
Received: (from rwatson@localhost)
	by repoman.freebsd.org (8.12.6/8.12.6/Submit) id g9R7CYPG076959;
	Sun, 27 Oct 2002 00:12:34 -0700 (PDT)
Message-Id: <200210270712.g9R7CYPG076959@repoman.freebsd.org>
From: Robert Watson <rwatson@FreeBSD.org>
Date: Sun, 27 Oct 2002 00:12:34 -0700 (PDT)
To: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: cvs commit: src/sys/sys mac.h mac_policy.h src/sys/kern kern_mac.c
         kern_sysctl.c
X-FreeBSD-CVS-Branch: HEAD
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk
List-ID: <cvs-all.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20cvs-all>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20cvs-all>
X-Loop: FreeBSD.ORG

rwatson     2002/10/27 00:12:34 PDT

  Modified files:
    sys/sys              mac.h mac_policy.h 
    sys/kern             kern_mac.c kern_sysctl.c 
  Log:
  Implement mac_check_system_sysctl(), a MAC Framework entry point to
  permit MAC policies to augment the security protections on sysctl()
  operations.  This is not really a wonderful entry point, as we
  only have access to the MIB of the target sysctl entry, rather than
  the more useful entry name, but this is sufficient for policies
  like Biba that wish to use their notions of privilege or integrity
  to prevent inappropriate sysctl modification.  Affects MAC kernels
  only.  Since SYSCTL_LOCK isn't in sysctl.h, just kern_sysctl.c,
  we can't assert the SYSCTL subsystem lockin the MAC Framework.
  
  Approved by:    re
  Obtained from:  TrustedBSD Project
  Sponsored by:   DARPA, Network Associates Laboratories
  
  Revision  Changes    Path
  1.52      +28 -0     src/sys/kern/kern_mac.c
  1.135     +11 -0     src/sys/kern/kern_sysctl.c
  1.22      +3 -0      src/sys/sys/mac.h
  1.22      +4 -0      src/sys/sys/mac_policy.h

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message