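--- a/sys/security/mac/mac_pipe.c
+++ b/sys/security/mac/mac_pipe.c
@@ -1,8 +1,8 @@
 /*-
  * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson
  * Copyright (c) 2001 Ilmar S. Habibulin
  * Copyright (c) 2001, 2002 Networks Associates Technology, Inc.
  * All rights reserved.
  *
  * This software was developed by Robert Watson and Ilmar Habibulin for the
  * TrustedBSD Project.
@@ -31,17 +31,17 @@
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $FreeBSD: head/sys/security/mac/mac_pipe.c 103135 2002-09-09 17:10:16Z rwatson $
+ * $FreeBSD: head/sys/security/mac/mac_pipe.c 103136 2002-09-09 17:12:24Z rwatson $
  */
 /*
  * Developed by the TrustedBSD Project.
  *
  * Framework for extensible kernel access control. Kernel and userland
  * interface to the framework, policy registration and composition.
  */
 
@@ -155,16 +155,21 @@
  &mac_cache_fslabel_in_vnode);
 
 static int mac_vnode_label_cache_hits = 0;
 SYSCTL_INT(_security_mac, OID_AUTO, vnode_label_cache_hits, CTLFLAG_RD,
  &mac_vnode_label_cache_hits, 0, "Cache hits on vnode labels");
 static int mac_vnode_label_cache_misses = 0;
 SYSCTL_INT(_security_mac, OID_AUTO, vnode_label_cache_misses, CTLFLAG_RD,
  &mac_vnode_label_cache_misses, 0, "Cache misses on vnode labels");
+
+static int mac_mmap_revocation = 1;
+SYSCTL_INT(_security_mac, OID_AUTO, mmap_revocation, CTLFLAG_RW,
+ &mac_mmap_revocation, 0, "Revoke mmap access to files on subject "
+ "relabel");
 static int mac_mmap_revocation_via_cow = 0;
 SYSCTL_INT(_security_mac, OID_AUTO, mmap_revocation_via_cow, CTLFLAG_RW,
  &mac_mmap_revocation_via_cow, 0, "Revoke mmap access to files via "
  "copy-on-write semantics, or by removing all write access");
 
 #ifdef MAC_DEBUG
 static unsigned int nmacmbufs, nmaccreds, nmacifnets, nmacbpfdescs,
  nmacsockets, nmacmounts, nmactemp, nmacvnodes, nmacdevfsdirents,
@@ -2163,16 +2168,19 @@
  struct vm_map *map)
 {
  struct vm_map_entry *vme;
  vm_prot_t result, revokeperms;
  vm_object_t object;
  vm_ooffset_t offset;
  struct vnode *vp;
 
+ if (!mac_mmap_revocation)
+ return;
+
  vm_map_lock_read(map);
  for (vme = map->header.next; vme != &map->header; vme = vme->next) {
  if (vme->eflags & MAP_ENTRY_IS_SUB_MAP) {
  mac_cred_mmapped_drop_perms_recurse(td, cred,
  vme->object.sub_map);
  continue;
  }
  /*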
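Review bot: The `if (!mac_mmap_revocation) return;` guard sits at the top of mac_cred_mmapped_drop_perms_recurse, so the flag is re-read without synchronization on every sub-map descent; if the sysctl is cleared while a walk is in progress, entries already visited in the parent map are revoked while a sub-map reached afterwards is skipped. Testing the flag once in the non-recursive caller, which is outside the visible lines, would presumably make each relabel either revoke fully or not at all. The new `security.mac.mmap_revocation` knob is an enforcement switch that is writable at runtime through `CTLFLAG_RW`, and judging by its description string a value of 0 lets a subject keep its existing file mappings across a relabel, so it deserves a comment above the declaration such as `/* Setting this to 0 leaves existing mappings untouched when a subject is relabeled. */`. It is also worth deciding here whether the OID should carry `CTLFLAG_SECURE` so that it cannot be cleared at a raised securelevel. The function's signature begins and its body ends outside the displayed lines.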