mac_biba.c (104541) | mac_biba.c (104546) |
---|---|
1/*- 2 * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson 3 * Copyright (c) 2001, 2002 Networks Associates Technology, Inc. 4 * All rights reserved. 5 * 6 * This software was developed by Robert Watson for the TrustedBSD Project. 7 * 8 * This software was developed for the FreeBSD Project in part by NAI Labs, --- 20 unchanged lines hidden (view full) --- 29 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 30 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 31 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 32 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 33 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 34 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 35 * SUCH DAMAGE. 36 * | 1/*- 2 * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson 3 * Copyright (c) 2001, 2002 Networks Associates Technology, Inc. 4 * All rights reserved. 5 * 6 * This software was developed by Robert Watson for the TrustedBSD Project. 7 * 8 * This software was developed for the FreeBSD Project in part by NAI Labs, --- 20 unchanged lines hidden (view full) --- 29 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 30 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 31 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 32 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 33 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 34 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 35 * SUCH DAMAGE. 36 * |
37 * $FreeBSD: head/sys/security/mac_biba/mac_biba.c 104541 2002-10-05 21:23:47Z rwatson $ | 37 * $FreeBSD: head/sys/security/mac_biba/mac_biba.c 104546 2002-10-06 02:46:26Z rwatson $ |
38 */ 39 40/* 41 * Developed by the TrustedBSD Project. 42 * Biba fixed label mandatory integrity policy. 43 */ 44 45#include <sys/types.h> --- 1513 unchanged lines hidden (view full) --- 1559 1560 if (!mac_biba_dominate_single(obj, subj)) 1561 return (EACCES); 1562 1563 return (0); 1564} 1565 1566static int | 38 */ 39 40/* 41 * Developed by the TrustedBSD Project. 42 * Biba fixed label mandatory integrity policy. 43 */ 44 45#include <sys/types.h> --- 1513 unchanged lines hidden (view full) --- 1559 1560 if (!mac_biba_dominate_single(obj, subj)) 1561 return (EACCES); 1562 1563 return (0); 1564} 1565 1566static int |
1567mac_biba_check_vnode_mmap(struct ucred *cred, struct vnode *vp, 1568 struct label *label, int prot) 1569{ 1570 struct mac_biba *subj, *obj; 1571 1572 /* 1573 * Rely on the use of open()-time protections to handle 1574 * non-revocation cases. 1575 */ 1576 if (!mac_biba_enabled || !mac_biba_revocation_enabled) 1577 return (0); 1578 1579 subj = SLOT(&cred->cr_label); 1580 obj = SLOT(label); 1581 1582 if (prot & (VM_PROT_READ | VM_PROT_EXECUTE)) { 1583 if (!mac_biba_dominate_single(obj, subj)) 1584 return (EACCES); 1585 } 1586 if (prot & VM_PROT_WRITE) { 1587 if (!mac_biba_dominate_single(subj, obj)) 1588 return (EACCES); 1589 } 1590 1591 return (0); 1592} 1593 1594static int |
|
1567mac_biba_check_vnode_open(struct ucred *cred, struct vnode *vp, 1568 struct label *vnodelabel, mode_t acc_mode) 1569{ 1570 struct mac_biba *subj, *obj; 1571 1572 if (!mac_biba_enabled) 1573 return (0); 1574 --- 329 unchanged lines hidden (view full) --- 1904 obj = SLOT(label); 1905 1906 if (!mac_biba_dominate_single(subj, obj)) 1907 return (EACCES); 1908 1909 return (0); 1910} 1911 | 1595mac_biba_check_vnode_open(struct ucred *cred, struct vnode *vp, 1596 struct label *vnodelabel, mode_t acc_mode) 1597{ 1598 struct mac_biba *subj, *obj; 1599 1600 if (!mac_biba_enabled) 1601 return (0); 1602 --- 329 unchanged lines hidden (view full) --- 1932 obj = SLOT(label); 1933 1934 if (!mac_biba_dominate_single(subj, obj)) 1935 return (EACCES); 1936 1937 return (0); 1938} 1939 |
1912static vm_prot_t 1913mac_biba_check_vnode_mmap_perms(struct ucred *cred, struct vnode *vp, 1914 struct label *label, int newmapping) 1915{ 1916 struct mac_biba *subj, *obj; 1917 vm_prot_t prot = 0; 1918 1919 if (!mac_biba_enabled || (!mac_biba_revocation_enabled && !newmapping)) 1920 return (VM_PROT_ALL); 1921 1922 subj = SLOT(&cred->cr_label); 1923 obj = SLOT(label); 1924 1925 if (mac_biba_dominate_single(obj, subj)) 1926 prot |= VM_PROT_READ | VM_PROT_EXECUTE; 1927 if (mac_biba_dominate_single(subj, obj)) 1928 prot |= VM_PROT_WRITE; 1929 return (prot); 1930} 1931 | |
1932static struct mac_policy_op_entry mac_biba_ops[] = 1933{ 1934 { MAC_DESTROY, 1935 (macop_t)mac_biba_destroy }, 1936 { MAC_INIT, 1937 (macop_t)mac_biba_init }, 1938 { MAC_INIT_BPFDESC_LABEL, 1939 (macop_t)mac_biba_init_label }, --- 184 unchanged lines hidden (view full) --- 2124 { MAC_CHECK_VNODE_GETACL, 2125 (macop_t)mac_biba_check_vnode_getacl }, 2126 { MAC_CHECK_VNODE_GETEXTATTR, 2127 (macop_t)mac_biba_check_vnode_getextattr }, 2128 { MAC_CHECK_VNODE_LINK, 2129 (macop_t)mac_biba_check_vnode_link }, 2130 { MAC_CHECK_VNODE_LOOKUP, 2131 (macop_t)mac_biba_check_vnode_lookup }, | 1940static struct mac_policy_op_entry mac_biba_ops[] = 1941{ 1942 { MAC_DESTROY, 1943 (macop_t)mac_biba_destroy }, 1944 { MAC_INIT, 1945 (macop_t)mac_biba_init }, 1946 { MAC_INIT_BPFDESC_LABEL, 1947 (macop_t)mac_biba_init_label }, --- 184 unchanged lines hidden (view full) --- 2132 { MAC_CHECK_VNODE_GETACL, 2133 (macop_t)mac_biba_check_vnode_getacl }, 2134 { MAC_CHECK_VNODE_GETEXTATTR, 2135 (macop_t)mac_biba_check_vnode_getextattr }, 2136 { MAC_CHECK_VNODE_LINK, 2137 (macop_t)mac_biba_check_vnode_link }, 2138 { MAC_CHECK_VNODE_LOOKUP, 2139 (macop_t)mac_biba_check_vnode_lookup }, |
2140 { MAC_CHECK_VNODE_MMAP, 2141 (macop_t)mac_biba_check_vnode_mmap }, 2142 { MAC_CHECK_VNODE_MPROTECT, 2143 (macop_t)mac_biba_check_vnode_mmap }, |
|
2132 { MAC_CHECK_VNODE_OPEN, 2133 (macop_t)mac_biba_check_vnode_open }, 2134 { MAC_CHECK_VNODE_POLL, 2135 (macop_t)mac_biba_check_vnode_poll }, 2136 { MAC_CHECK_VNODE_READ, 2137 (macop_t)mac_biba_check_vnode_read }, 2138 { MAC_CHECK_VNODE_READDIR, 2139 (macop_t)mac_biba_check_vnode_readdir }, --- 18 unchanged lines hidden (view full) --- 2158 { MAC_CHECK_VNODE_SETOWNER, 2159 (macop_t)mac_biba_check_vnode_setowner }, 2160 { MAC_CHECK_VNODE_SETUTIMES, 2161 (macop_t)mac_biba_check_vnode_setutimes }, 2162 { MAC_CHECK_VNODE_STAT, 2163 (macop_t)mac_biba_check_vnode_stat }, 2164 { MAC_CHECK_VNODE_WRITE, 2165 (macop_t)mac_biba_check_vnode_write }, | 2144 { MAC_CHECK_VNODE_OPEN, 2145 (macop_t)mac_biba_check_vnode_open }, 2146 { MAC_CHECK_VNODE_POLL, 2147 (macop_t)mac_biba_check_vnode_poll }, 2148 { MAC_CHECK_VNODE_READ, 2149 (macop_t)mac_biba_check_vnode_read }, 2150 { MAC_CHECK_VNODE_READDIR, 2151 (macop_t)mac_biba_check_vnode_readdir }, --- 18 unchanged lines hidden (view full) --- 2170 { MAC_CHECK_VNODE_SETOWNER, 2171 (macop_t)mac_biba_check_vnode_setowner }, 2172 { MAC_CHECK_VNODE_SETUTIMES, 2173 (macop_t)mac_biba_check_vnode_setutimes }, 2174 { MAC_CHECK_VNODE_STAT, 2175 (macop_t)mac_biba_check_vnode_stat }, 2176 { MAC_CHECK_VNODE_WRITE, 2177 (macop_t)mac_biba_check_vnode_write }, |
2166 { MAC_CHECK_VNODE_MMAP_PERMS, 2167 (macop_t)mac_biba_check_vnode_mmap_perms }, | |
2168 { MAC_OP_LAST, NULL } 2169}; 2170 2171MAC_POLICY_SET(mac_biba_ops, trustedbsd_mac_biba, "TrustedBSD MAC/Biba", 2172 MPC_LOADTIME_FLAG_NOTLATE, &mac_biba_slot); | 2178 { MAC_OP_LAST, NULL } 2179}; 2180 2181MAC_POLICY_SET(mac_biba_ops, trustedbsd_mac_biba, "TrustedBSD MAC/Biba", 2182 MPC_LOADTIME_FLAG_NOTLATE, &mac_biba_slot); |