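--- a/sys/security/mac/mac_vfs.c
+++ b/sys/security/mac/mac_vfs.c
@@ -1,8 +1,8 @@
 /*-
  * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson
  * Copyright (c) 2001 Ilmar S. Habibulin
  * Copyright (c) 2001, 2002 Networks Associates Technology, Inc.
  * All rights reserved.
  *
  * This software was developed by Robert Watson and Ilmar Habibulin for the
  * TrustedBSD Project.
@@ -28,17 +28,17 @@
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $FreeBSD: head/sys/security/mac/mac_vfs.c 106856 2002-11-13 15:47:09Z rwatson $
+ * $FreeBSD: head/sys/security/mac/mac_vfs.c 107089 2002-11-19 22:12:42Z rwatson $
  */
 /*
  * Developed by the TrustedBSD Project.
  *
  * Framework for extensible kernel access control. Kernel and userland
  * interface to the framework, policy registration and composition.
  */
 
@@ -120,16 +120,21 @@
  */
 static int ea_warn_once = 0;
 
 static int mac_enforce_fs = 1;
 SYSCTL_INT(_security_mac, OID_AUTO, enforce_fs, CTLFLAG_RW,
  &mac_enforce_fs, 0, "Enforce MAC policy on file system objects");
 TUNABLE_INT("security.mac.enforce_fs", &mac_enforce_fs);
 
+static int mac_enforce_kld = 1;
+SYSCTL_INT(_security_mac, OID_AUTO, enforce_kld, CTLFLAG_RW,
+ &mac_enforce_kld, 0, "Enforce MAC policy on kld operations");
+TUNABLE_INT("security.mac.enforce_kld", &mac_enforce_kld);
+
 static int mac_enforce_network = 1;
 SYSCTL_INT(_security_mac, OID_AUTO, enforce_network, CTLFLAG_RW,
  &mac_enforce_network, 0, "Enforce MAC policy on network packets");
 TUNABLE_INT("security.mac.enforce_network", &mac_enforce_network);
 
 static int mac_enforce_pipe = 1;
 SYSCTL_INT(_security_mac, OID_AUTO, enforce_pipe, CTLFLAG_RW,
  &mac_enforce_pipe, 0, "Enforce MAC policy on pipe operations");
@@ -2288,16 +2293,57 @@
  return (0);
 
  MAC_CHECK(check_kenv_unset, cred, name);
 
  return (error);
 }
 
 int
+mac_check_kld_load(struct ucred *cred, struct vnode *vp)
+{
+ int error;
+
+ ASSERT_VOP_LOCKED(vp, "mac_check_kld_load");
+
+ if (!mac_enforce_kld)
+ return (0);
+
+ MAC_CHECK(check_kld_load, cred, vp, &vp->v_label);
+
+ return (error);
+}
+
+int
+mac_check_kld_stat(struct ucred *cred)
+{
+ int error;
+
+ if (!mac_enforce_kld)
+ return (0);
+
+ MAC_CHECK(check_kld_stat, cred);
+
+ return (error);
+}
+
+int
+mac_check_kld_unload(struct ucred *cred)
+{
+ int error;
+
+ if (!mac_enforce_kld)
+ return (0);
+
+ MAC_CHECK(check_kld_unload, cred);
+
+ return (error);
+}
+
+int
 mac_check_mount_stat(struct ucred *cred, struct mount *mount)
 {
  int error;
 
  if (!mac_enforce_fs)
  return (0);
 
  MAC_CHECK(check_mount_stat, cred, mount, &mount->mnt_mntlabel);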
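Review bot: The new `mac_check_kld_load`, `mac_check_kld_stat` and `mac_check_kld_unload` all return 0 as soon as `mac_enforce_kld` is clear, and that knob is declared `CTLFLAG_RW`, so whoever may write `security.mac.enforce_kld` at runtime switches off policy mediation of module loading without any policy being consulted. This follows the existing `enforce_fs` and `enforce_network` knobs shown here, but it is worth stating at the declaration, for example `/* Runtime-writable: when 0, every mac_check_kld_*() returns 0 (allow) without calling any policy. */` above the new `SYSCTL_INT`. Separately, `mac_check_kld_stat` and `mac_check_kld_unload` hand only `cred` to `MAC_CHECK`, so a policy apparently cannot decide per module the way `check_kld_load` can with `vp` and its label. If that is intended, a one-line comment on those two functions saying the decision is subject-only would save policy authors from assuming otherwise.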