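--- a/mac_cred.c
+++ b/mac_cred.c
@@ -1,8 +1,8 @@
 /*-
  * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson
  * Copyright (c) 2001 Ilmar S. Habibulin
  * Copyright (c) 2001, 2002 Networks Associates Technology, Inc.
  * All rights reserved.
  *
  * This software was developed by Robert Watson and Ilmar Habibulin for the
  * TrustedBSD Project.
@@ -31,17 +31,17 @@
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $FreeBSD: head/sys/security/mac/mac_process.c 104236 2002-09-30 20:50:00Z rwatson $
+ * $FreeBSD: head/sys/security/mac/mac_process.c 104268 2002-10-01 03:24:20Z rwatson $
  */
 /*
  * Developed by the TrustedBSD Project.
  *
  * Framework for extensible kernel access control. Kernel and userland
  * interface to the framework, policy registration and composition.
  */
 
@@ -92,26 +92,16 @@
  * even if it's pre-boot.
  */
 MODULE_VERSION(kernel_mac_support, 1);
 
 SYSCTL_DECL(_security);
 
 SYSCTL_NODE(_security, OID_AUTO, mac, CTLFLAG_RW, 0,
     "TrustedBSD MAC policy controls");
-SYSCTL_NODE(_security_mac, OID_AUTO, debug, CTLFLAG_RW, 0,
-    "TrustedBSD MAC debug info");
-
-static int mac_debug_label_fallback = 0;
-SYSCTL_INT(_security_mac_debug, OID_AUTO, label_fallback, CTLFLAG_RW,
-    &mac_debug_label_fallback, 0, "Filesystems should fall back to fs label"
-    "when label is corrupted.");
-TUNABLE_INT("security.mac.debug_label_fallback",
-    &mac_debug_label_fallback);
-
 #ifndef MAC_MAX_POLICIES
 #define MAC_MAX_POLICIES 8
 #endif
 #if MAC_MAX_POLICIES > 32
 #error "MAC_MAX_POLICIES too large"
 #endif
 static unsigned int mac_max_policies = MAC_MAX_POLICIES;
 static unsigned int mac_policy_offsets_free = (1 << MAC_MAX_POLICIES) - 1;
@@ -172,16 +162,26 @@
     &mac_mmap_revocation, 0, "Revoke mmap access to files on subject "
     "relabel");
 static int mac_mmap_revocation_via_cow = 0;
 SYSCTL_INT(_security_mac, OID_AUTO, mmap_revocation_via_cow, CTLFLAG_RW,
     &mac_mmap_revocation_via_cow, 0, "Revoke mmap access to files via "
     "copy-on-write semantics, or by removing all write access");
 
 #ifdef MAC_DEBUG
+SYSCTL_NODE(_security_mac, OID_AUTO, debug, CTLFLAG_RW, 0,
+    "TrustedBSD MAC debug info");
+
+static int mac_debug_label_fallback = 0;
+SYSCTL_INT(_security_mac_debug, OID_AUTO, label_fallback, CTLFLAG_RW,
+    &mac_debug_label_fallback, 0, "Filesystems should fall back to fs label"
+    "when label is corrupted.");
+TUNABLE_INT("security.mac.debug_label_fallback",
+    &mac_debug_label_fallback);
+
 static unsigned int nmacmbufs, nmaccreds, nmacifnets, nmacbpfdescs,
     nmacsockets, nmacmounts, nmactemp, nmacvnodes, nmacdevfsdirents,
     nmacipqs, nmacpipes;
 SYSCTL_UINT(_security_mac_debug, OID_AUTO, mbufs, CTLFLAG_RD,
     &nmacmbufs, 0, "number of mbufs in use");
 SYSCTL_UINT(_security_mac_debug, OID_AUTO, creds, CTLFLAG_RD,
     &nmaccreds, 0, "number of ucreds in use");
 SYSCTL_UINT(_security_mac_debug, OID_AUTO, ifnets, CTLFLAG_RD,
@@ -1077,24 +1077,28 @@
 		vp->v_vflag |= VV_CACHEDLABEL;
 	else {
 		struct vattr va;
 
 		printf("Corrupted label on %s",
 		    vp->v_mount->mnt_stat.f_mntonname);
 		if (VOP_GETATTR(vp, &va, curthread->td_ucred, curthread) == 0)
 			printf(" inum %ld", va.va_fileid);
+#ifdef MAC_DEBUG
 		if (mac_debug_label_fallback) {
 			printf(", falling back.\n");
 			mac_update_vnode_from_mount(vp, vp->v_mount);
 			error = 0;
 		} else {
+#endif
 			printf(".\n");
 			error = EPERM;
+#ifdef MAC_DEBUG
 		}
+#endif
 	}
 
 	return (error);
 }
 
 /*
  * Make sure the vnode label is up-to-date. If EOPNOTSUPP, then we handle
  * the labeling activity outselves. Filesystems should be careful not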
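Review bot: The added `#ifdef MAC_DEBUG` blocks around new lines 1085–1096 wrap `} else {` and its matching `}` in separate conditional regions, so the brace structure of the corrupted-label branch differs between debug and non-debug kernels and any later edit to either arm can unbalance one configuration without the other noticing. The same behaviour can be kept with balanced braces by hoisting the knob into a local that is always zero outside MAC_DEBUG, as sketched below; the enclosing function starts before the hunk, so the local would go next to `struct vattr va;`. Separately, on the new side the `label_fallback` description concatenates `"...fs label"` with `"when label is corrupted."` with no separating space, so the sysctl help text reads "fs labelwhen", and the `TUNABLE_INT` name `security.mac.debug_label_fallback` does not match the `security.mac.debug.label_fallback` path that the `_security_mac_debug` node produces — if the loader tunable is meant to seed the same knob this mismatch looks unintended and is worth confirming. Since enabling the fallback turns a corrupted on-disk label into a silent success (`error = 0`) with only a console message, a comment above the knob such as `/* Debug-only: a corrupt label is replaced by the mount's default label and the access succeeds; never enable on a production system. */` would make the risk explicit.
```c
		struct vattr va;
		int fallback;
		/* … unchanged: "Corrupted label" printf and VOP_GETATTR … */
		fallback = 0;
#ifdef MAC_DEBUG
		fallback = mac_debug_label_fallback;
#endif
		if (fallback) {
			printf(", falling back.\n");
			mac_update_vnode_from_mount(vp, vp->v_mount);
			error = 0;
		} else {
			printf(".\n");
			error = EPERM;
		}
```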