ugidfw_system.c (132563) ugidfw_system.c (134131)
1/*-
2 * Copyright (c) 1999-2002 Robert N. M. Watson
3 * Copyright (c) 2001-2003 Networks Associates Technology, Inc.
4 * All rights reserved.
5 *
6 * This software was developed by Robert Watson for the TrustedBSD Project.
7 *
8 * This software was developed for the FreeBSD Project in part by Network

--- 17 unchanged lines hidden (view full) ---

26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 * SUCH DAMAGE.
33 *
1/*-
2 * Copyright (c) 1999-2002 Robert N. M. Watson
3 * Copyright (c) 2001-2003 Networks Associates Technology, Inc.
4 * All rights reserved.
5 *
6 * This software was developed by Robert Watson for the TrustedBSD Project.
7 *
8 * This software was developed for the FreeBSD Project in part by Network

--- 17 unchanged lines hidden (view full) ---

26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 * SUCH DAMAGE.
33 *
34 * $FreeBSD: head/sys/security/mac_bsdextended/mac_bsdextended.c 132563 2004-07-23 01:53:28Z rwatson $
34 * $FreeBSD: head/sys/security/mac_bsdextended/mac_bsdextended.c 134131 2004-08-21 20:15:08Z trhodes $
35 */
36/*
37 * Developed by the TrustedBSD Project.
38 * "BSD Extended" MAC policy, allowing the administrator to impose
39 * mandatory rules regarding users and some system objects.
40 *
41 * XXX: Much locking support required here.
42 */

--- 48 unchanged lines hidden (view full) ---

91 &rule_count, 0, "Number of defined rules\n");
92SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, rule_slots, CTLFLAG_RD,
93 &rule_slots, 0, "Number of used rule slots\n");
94
95static int mac_bsdextended_debugging;
96SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, debugging, CTLFLAG_RW,
97 &mac_bsdextended_debugging, 0, "Enable debugging on failure");
98
35 */
36/*
37 * Developed by the TrustedBSD Project.
38 * "BSD Extended" MAC policy, allowing the administrator to impose
39 * mandatory rules regarding users and some system objects.
40 *
41 * XXX: Much locking support required here.
42 */

--- 48 unchanged lines hidden (view full) ---

91 &rule_count, 0, "Number of defined rules\n");
92SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, rule_slots, CTLFLAG_RD,
93 &rule_slots, 0, "Number of used rule slots\n");
94
95static int mac_bsdextended_debugging;
96SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, debugging, CTLFLAG_RW,
97 &mac_bsdextended_debugging, 0, "Enable debugging on failure");
98
99/*
100 * This tunable is here for compatibility. It will allow the user
101 * to switch between the new mode (first rule matches) and the old
102 * functionality (all rules match).
103 */
99static int
104static int
105mac_bsdextended_firstmatch_enabled;
106SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, firstmatch_enabled,
107 CTLFLAG_RW, &mac_bsdextended_firstmatch_enabled, 0,
108 "Disable/enable match first rule functionality");
109
110static int
100mac_bsdextended_rule_valid(struct mac_bsdextended_rule *rule)
101{
102
103 if ((rule->mbr_subject.mbi_flags | MBI_BITS) != MBI_BITS)
104 return (EINVAL);
105
106 if ((rule->mbr_object.mbi_flags | MBI_BITS) != MBI_BITS)
107 return (EINVAL);

--- 152 unchanged lines hidden (view full) ---

260 */
261 if ((rule->mbr_mode & acc_mode) != acc_mode) {
262 if (mac_bsdextended_debugging)
263 printf("mac_bsdextended: %d:%d request %d on %d:%d"
264 " fails\n", cred->cr_ruid, cred->cr_rgid,
265 acc_mode, object_uid, object_gid);
266 return (EACCES);
267 }
111mac_bsdextended_rule_valid(struct mac_bsdextended_rule *rule)
112{
113
114 if ((rule->mbr_subject.mbi_flags | MBI_BITS) != MBI_BITS)
115 return (EINVAL);
116
117 if ((rule->mbr_object.mbi_flags | MBI_BITS) != MBI_BITS)
118 return (EINVAL);

--- 152 unchanged lines hidden (view full) ---

271 */
272 if ((rule->mbr_mode & acc_mode) != acc_mode) {
273 if (mac_bsdextended_debugging)
274 printf("mac_bsdextended: %d:%d request %d on %d:%d"
275 " fails\n", cred->cr_ruid, cred->cr_rgid,
276 acc_mode, object_uid, object_gid);
277 return (EACCES);
278 }
268
269 return (0);
279 /*
280 * If the rule matched and allowed access and first match is
281 * enabled, then return success.
282 */
283 if (mac_bsdextended_firstmatch_enabled)
284 return (EJUSTRETURN);
285 else
286 return(0);
270}
271
272static int
273mac_bsdextended_check(struct ucred *cred, uid_t object_uid, gid_t object_gid,
274 int acc_mode)
275{
276 int error, i;
277

--- 10 unchanged lines hidden (view full) ---

288 */
289 if (acc_mode & VAPPEND) {
290 acc_mode &= ~VAPPEND;
291 acc_mode |= VWRITE;
292 }
293
294 error = mac_bsdextended_rulecheck(rules[i], cred, object_uid,
295 object_gid, acc_mode);
287}
288
289static int
290mac_bsdextended_check(struct ucred *cred, uid_t object_uid, gid_t object_gid,
291 int acc_mode)
292{
293 int error, i;
294

--- 10 unchanged lines hidden (view full) ---

305 */
306 if (acc_mode & VAPPEND) {
307 acc_mode &= ~VAPPEND;
308 acc_mode |= VWRITE;
309 }
310
311 error = mac_bsdextended_rulecheck(rules[i], cred, object_uid,
312 object_gid, acc_mode);
313 if (error == EJUSTRETURN)
314 break;
296 if (error)
297 return (error);
298 }
299
300 return (0);
301}
302
303static int

--- 510 unchanged lines hidden ---
315 if (error)
316 return (error);
317 }
318
319 return (0);
320}
321
322static int

--- 510 unchanged lines hidden ---
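Review bot: Once firstmatch_enabled is set, a rule that matches and grants access makes mac_bsdextended_rulecheck return EJUSTRETURN (new lines 283-284) and mac_bsdextended_check breaks out of its loop (lines 313-314), so any later, more restrictive rule is never evaluated; rule order becomes security-significant, which neither the comment at lines 99-103 nor the sysctl description at line 108 says, and because the knob is CTLFLAG_RW the meaning of an already-loaded rule set changes the moment it is toggled. I would make that explicit in the description, e.g. `"Stop at the first matching rule (rule order becomes significant)"`. EJUSTRETURN also escapes rulecheck as a non-zero value, so any other caller that treats non-zero as a denial would start refusing access in first-match mode; worth confirming no such caller exists, since rulecheck's start lies outside the shown hunk. Minor style: `return(0);` on line 286 should be `return (0);` like the rest of the file, and the declaration split across lines 104-105 would read better as `static int mac_bsdextended_firstmatch_enabled;` to match line 95.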