sdiff udiff text old ( 105717 ) new ( 105959 )
1/*-
2 * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson
3 * Copyright (c) 2001 Ilmar S. Habibulin
4 * Copyright (c) 2001, 2002 Networks Associates Technology, Inc.
5 * All rights reserved.
6 *
7 * This software was developed by Robert Watson and Ilmar Habibulin for the
8 * TrustedBSD Project.

--- 22 unchanged lines hidden (view full) ---

31 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
32 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
33 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
34 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
35 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
36 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
37 * SUCH DAMAGE.
38 *
39 * $FreeBSD: head/sys/security/mac/mac_process.c 105959 2002-10-25 20:45:27Z rwatson $
40 */
41/*
42 * Developed by the TrustedBSD Project.
43 *
44 * Framework for extensible kernel access control. Kernel and userland
45 * interface to the framework, policy registration and composition.
46 */
47

--- 55 unchanged lines hidden (view full) ---

103#error "MAC_MAX_POLICIES too large"
104#endif
105
106static unsigned int mac_max_policies = MAC_MAX_POLICIES;
107static unsigned int mac_policy_offsets_free = (1 << MAC_MAX_POLICIES) - 1;
108SYSCTL_UINT(_security_mac, OID_AUTO, max_policies, CTLFLAG_RD,
109 &mac_max_policies, 0, "");
110
111/*
112 * Has the kernel started generating labeled objects yet? All read/write
113 * access to this variable is serialized during the boot process. Following
114 * the end of serialization, we don't update this flag; no locking.
115 */
116static int mac_late = 0;
117
118static int mac_enforce_fs = 1;
119SYSCTL_INT(_security_mac, OID_AUTO, enforce_fs, CTLFLAG_RW,
120 &mac_enforce_fs, 0, "Enforce MAC policy on file system objects");
121TUNABLE_INT("security.mac.enforce_fs", &mac_enforce_fs);
122
123static int mac_enforce_network = 1;

--- 2490 unchanged lines hidden (view full) ---

2614
2615int
2616mac_check_vnode_swapon(struct ucred *cred, struct vnode *vp)
2617{
2618 int error;
2619
2620 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_swapon");
2621
2622 if (!mac_enforce_fs)
2623 return (0);
2624
2625 error = vn_refreshlabel(vp, cred);
2626 if (error)
2627 return (error);
2628
2629 MAC_CHECK(check_vnode_swapon, cred, vp, &vp->v_label);
2630 return (error);

--- 1753 unchanged lines hidden ---
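Review bot: The early `if (!mac_enforce_fs) return (0);` in mac_check_vnode_swapon (file lines 2622-2623) makes the swapon authorization depend on a knob that is writable at run time, since `security.mac.enforce_fs` is declared with CTLFLAG_RW at file line 119, and nothing next to the function says this is intended. I would add a comment above the test, for example `/* Swap activation is gated by security.mac.enforce_fs; no policy is consulted when it is 0. */`, so that someone auditing swapon() sees that the policy check can be switched off. The mac_late comment at file lines 111-115 could also name where the flag is set, because "serialized during the boot process" cannot be confirmed from the lines shown. This view does not mark which of the displayed lines changed, and the function's closing brace lies in the hidden lines, so both suggestions rest only on what is visible.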