| author | Robert Watson <rwatson@FreeBSD.org> | 2002-11-03 02:39:42 +0000 |
|---|---|---|
| committer | Robert Watson <rwatson@FreeBSD.org> | 2002-11-03 02:39:42 +0000 |
| commit | 4b8d5f2d978412b376ae759882916c566f58afae (patch) | |
| tree | 13c3b22f9d0fec4fd6fd7b545bd326917f19839c | |
| parent | 62b693d7db46a2f0de2e00bcc733ee729ae37a20 (diff) | |
Notes
| -rw-r--r-- | sys/kern/kern_mac.c | 13 | ||||
| -rw-r--r-- | sys/kern/kern_time.c | 13 | ||||
| -rw-r--r-- | sys/security/mac/mac_framework.c | 13 | ||||
| -rw-r--r-- | sys/security/mac/mac_framework.h | 1 | ||||
| -rw-r--r-- | sys/security/mac/mac_internal.h | 13 | ||||
| -rw-r--r-- | sys/security/mac/mac_net.c | 13 | ||||
| -rw-r--r-- | sys/security/mac/mac_pipe.c | 13 | ||||
| -rw-r--r-- | sys/security/mac/mac_policy.h | 1 | ||||
| -rw-r--r-- | sys/security/mac/mac_process.c | 13 | ||||
| -rw-r--r-- | sys/security/mac/mac_syscalls.c | 13 | ||||
| -rw-r--r-- | sys/security/mac/mac_system.c | 13 | ||||
| -rw-r--r-- | sys/security/mac/mac_vfs.c | 13 | ||||
| -rw-r--r-- | sys/sys/mac.h | 1 | ||||
| -rw-r--r-- | sys/sys/mac_policy.h | 1 |
14 files changed, 134 insertions, 0 deletions
diff --git a/sys/kern/kern_mac.c b/sys/kern/kern_mac.c index f4cfa8ab2fc1..ff5c43a71f17 100644 --- a/sys/kern/kern_mac.c +++ b/sys/kern/kern_mac.c @@ -2492,6 +2492,19 @@ mac_check_system_reboot(struct ucred *cred, int howto) } int +mac_check_system_settime(struct ucred *cred) +{ + int error; + + if (!mac_enforce_system) + return (0); + + MAC_CHECK(check_system_settime, cred); + + return (error); +} + +int mac_check_system_swapon(struct ucred *cred, struct vnode *vp) { int error; diff --git a/sys/kern/kern_time.c b/sys/kern/kern_time.c index 46645ea9b0d5..865ee0a37088 100644 --- a/sys/kern/kern_time.c +++ b/sys/kern/kern_time.c @@ -34,6 +34,8 @@ * $FreeBSD$ */ +#include "opt_mac.h" + #include <sys/param.h> #include <sys/systm.h> #include <sys/lock.h> @@ -42,6 +44,7 @@ #include <sys/resourcevar.h> #include <sys/signalvar.h> #include <sys/kernel.h> +#include <sys/mac.h> #include <sys/systm.h> #include <sys/sysent.h> #include <sys/proc.h> @@ -182,6 +185,11 @@ clock_settime(struct thread *td, struct clock_settime_args *uap) struct timespec ats; int error; +#ifdef MAC + error = mac_check_system_settime(td->td_ucred); + if (error) + return (error); +#endif if ((error = suser(td)) != 0) return (error); if (SCARG(uap, clock_id) != CLOCK_REALTIME) @@ -351,6 +359,11 @@ settimeofday(struct thread *td, struct settimeofday_args *uap) struct timezone atz; int error = 0; +#ifdef MAC + error = mac_check_system_settime(td->td_ucred); + if (error) + return (error); +#endif if ((error = suser(td))) return (error); /* Verify all parameters before changing time. */ diff --git a/sys/security/mac/mac_framework.c b/sys/security/mac/mac_framework.c index f4cfa8ab2fc1..ff5c43a71f17 100644 --- a/sys/security/mac/mac_framework.c +++ b/sys/security/mac/mac_framework.c 
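Review bot: mac_check_system_settime() hands the policy only `cred`, so a module cannot tell a small correction from a large backward step, or which clock interface is being used. If policies are expected to decide on that, the requested time belongs in the hook signature now, because changing `mpo_check_system_settime` later means touching every policy. Separately, `error` is returned without any visible assignment; presumably MAC_CHECK() sets it, but the macro is defined outside this hunk, so a comment such as `/* MAC_CHECK() composes the registered policies' results into error. */` above the call would help. The same hunk appears verbatim for sys/security/mac/mac_framework.c, mac_internal.h, mac_net.c, mac_pipe.c, mac_process.c, mac_syscalls.c, mac_system.c and mac_vfs.c, and the note applies to each.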
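Review bot: The new check is wired into clock_settime() here and into settimeofday() in the next hunk, but nothing visible gates the clock-slewing interfaces such as adjtime() or ntp_adjtime(). If those stay reachable with only the privilege check, a policy that denies setting the time would not cover gradual adjustment by a privileged process. Consider adding the same `#ifdef MAC` block to those entry points, or placing the `mac_check_system_settime(td->td_ucred)` call in the routine both syscalls end in, so later callers inherit it. The check also runs before `suser(td)` and before the `clock_id` test, so policies are consulted for calls that would fail anyway; if that order is intended, say so in a short comment. Both function bodies continue outside their hunks.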
@@ -2492,6 +2492,19 @@ mac_check_system_reboot(struct ucred *cred, int howto) } int +mac_check_system_settime(struct ucred *cred) +{ + int error; + + if (!mac_enforce_system) + return (0); + + MAC_CHECK(check_system_settime, cred); + + return (error); +} + +int mac_check_system_swapon(struct ucred *cred, struct vnode *vp) { int error; diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h index e50aaa7a97ed..efa811d669db 100644 --- a/sys/security/mac/mac_framework.h +++ b/sys/security/mac/mac_framework.h @@ -255,6 +255,7 @@ int mac_check_socket_receive(struct ucred *cred, struct socket *so); int mac_check_socket_send(struct ucred *cred, struct socket *so); int mac_check_socket_visible(struct ucred *cred, struct socket *so); int mac_check_system_reboot(struct ucred *cred, int howto); +int mac_check_system_settime(struct ucred *cred); int mac_check_system_swapon(struct ucred *cred, struct vnode *vp); int mac_check_system_sysctl(struct ucred *cred, int *name, u_int namelen, void *old, size_t *oldlenp, int inkernel, diff --git a/sys/security/mac/mac_internal.h b/sys/security/mac/mac_internal.h index f4cfa8ab2fc1..ff5c43a71f17 100644 --- a/sys/security/mac/mac_internal.h +++ b/sys/security/mac/mac_internal.h @@ -2492,6 +2492,19 @@ mac_check_system_reboot(struct ucred *cred, int howto) } int +mac_check_system_settime(struct ucred *cred) +{ + int error; + + if (!mac_enforce_system) + return (0); + + MAC_CHECK(check_system_settime, cred); + + return (error); +} + +int mac_check_system_swapon(struct ucred *cred, struct vnode *vp) { int error; diff --git a/sys/security/mac/mac_net.c b/sys/security/mac/mac_net.c index f4cfa8ab2fc1..ff5c43a71f17 100644 --- a/sys/security/mac/mac_net.c +++ b/sys/security/mac/mac_net.c 
@@ -2492,6 +2492,19 @@ mac_check_system_reboot(struct ucred *cred, int howto) } int +mac_check_system_settime(struct ucred *cred) +{ + int error; + + if (!mac_enforce_system) + return (0); + + MAC_CHECK(check_system_settime, cred); + + return (error); +} + +int mac_check_system_swapon(struct ucred *cred, struct vnode *vp) { int error; diff --git a/sys/security/mac/mac_pipe.c b/sys/security/mac/mac_pipe.c index f4cfa8ab2fc1..ff5c43a71f17 100644 --- a/sys/security/mac/mac_pipe.c +++ b/sys/security/mac/mac_pipe.c @@ -2492,6 +2492,19 @@ mac_check_system_reboot(struct ucred *cred, int howto) } int +mac_check_system_settime(struct ucred *cred) +{ + int error; + + if (!mac_enforce_system) + return (0); + + MAC_CHECK(check_system_settime, cred); + + return (error); +} + +int mac_check_system_swapon(struct ucred *cred, struct vnode *vp) { int error; diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h index 7be466f24117..2ea7afe0a96a 100644 --- a/sys/security/mac/mac_policy.h +++ b/sys/security/mac/mac_policy.h @@ -316,6 +316,7 @@ struct mac_policy_ops { int (*mpo_check_socket_visible)(struct ucred *cred, struct socket *so, struct label *socketlabel); int (*mpo_check_system_reboot)(struct ucred *cred, int howto); + int (*mpo_check_system_settime)(struct ucred *cred); int (*mpo_check_system_swapon)(struct ucred *cred, struct vnode *vp, struct label *label); int (*mpo_check_system_sysctl)(struct ucred *cred, int *name, diff --git a/sys/security/mac/mac_process.c b/sys/security/mac/mac_process.c index f4cfa8ab2fc1..ff5c43a71f17 100644 --- a/sys/security/mac/mac_process.c +++ b/sys/security/mac/mac_process.c @@ -2492,6 +2492,19 @@ mac_check_system_reboot(struct ucred *cred, int howto) } int +mac_check_system_settime(struct ucred *cred) +{ + int error; + + if (!mac_enforce_system) + return (0); + + MAC_CHECK(check_system_settime, cred); + + return (error); +} + +int mac_check_system_swapon(struct ucred *cred, struct vnode *vp) { int error; 
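Review bot: `mpo_check_system_settime` is inserted between existing members of `struct mac_policy_ops`, which shifts the offset of every later function pointer. A policy module built against the old header and loaded into a kernel with this change would presumably have its later entry points read from the wrong slots. Nothing in the visible hunks bumps a policy or module ABI version, so either append new entry points at the end of the structure or state that policy modules must be rebuilt. A comment on the member, e.g. `/* Consulted before the system clock is set; cred is the caller's credential. */`, would also document the hook contract. The identical hunk for sys/sys/mac_policy.h has the same issue, and the structure definition starts and ends outside the hunk.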
diff --git a/sys/security/mac/mac_syscalls.c b/sys/security/mac/mac_syscalls.c index f4cfa8ab2fc1..ff5c43a71f17 100644 --- a/sys/security/mac/mac_syscalls.c +++ b/sys/security/mac/mac_syscalls.c @@ -2492,6 +2492,19 @@ mac_check_system_reboot(struct ucred *cred, int howto) } int +mac_check_system_settime(struct ucred *cred) +{ + int error; + + if (!mac_enforce_system) + return (0); + + MAC_CHECK(check_system_settime, cred); + + return (error); +} + +int mac_check_system_swapon(struct ucred *cred, struct vnode *vp) { int error; diff --git a/sys/security/mac/mac_system.c b/sys/security/mac/mac_system.c index f4cfa8ab2fc1..ff5c43a71f17 100644 --- a/sys/security/mac/mac_system.c +++ b/sys/security/mac/mac_system.c @@ -2492,6 +2492,19 @@ mac_check_system_reboot(struct ucred *cred, int howto) } int +mac_check_system_settime(struct ucred *cred) +{ + int error; + + if (!mac_enforce_system) + return (0); + + MAC_CHECK(check_system_settime, cred); + + return (error); +} + +int mac_check_system_swapon(struct ucred *cred, struct vnode *vp) { int error; diff --git a/sys/security/mac/mac_vfs.c b/sys/security/mac/mac_vfs.c index f4cfa8ab2fc1..ff5c43a71f17 100644 --- a/sys/security/mac/mac_vfs.c +++ b/sys/security/mac/mac_vfs.c @@ -2492,6 +2492,19 @@ mac_check_system_reboot(struct ucred *cred, int howto) } int +mac_check_system_settime(struct ucred *cred) +{ + int error; + + if (!mac_enforce_system) + return (0); + + MAC_CHECK(check_system_settime, cred); + + return (error); +} + +int mac_check_system_swapon(struct ucred *cred, struct vnode *vp) { int error; diff --git a/sys/sys/mac.h b/sys/sys/mac.h index e50aaa7a97ed..efa811d669db 100644 --- a/sys/sys/mac.h +++ b/sys/sys/mac.h 
@@ -255,6 +255,7 @@ int mac_check_socket_receive(struct ucred *cred, struct socket *so); int mac_check_socket_send(struct ucred *cred, struct socket *so); int mac_check_socket_visible(struct ucred *cred, struct socket *so); int mac_check_system_reboot(struct ucred *cred, int howto); +int mac_check_system_settime(struct ucred *cred); int mac_check_system_swapon(struct ucred *cred, struct vnode *vp); int mac_check_system_sysctl(struct ucred *cred, int *name, u_int namelen, void *old, size_t *oldlenp, int inkernel, diff --git a/sys/sys/mac_policy.h b/sys/sys/mac_policy.h index 7be466f24117..2ea7afe0a96a 100644 --- a/sys/sys/mac_policy.h +++ b/sys/sys/mac_policy.h @@ -316,6 +316,7 @@ struct mac_policy_ops { int (*mpo_check_socket_visible)(struct ucred *cred, struct socket *so, struct label *socketlabel); int (*mpo_check_system_reboot)(struct ucred *cred, int howto); + int (*mpo_check_system_settime)(struct ucred *cred); int (*mpo_check_system_swapon)(struct ucred *cred, struct vnode *vp, struct label *label); int (*mpo_check_system_sysctl)(struct ucred *cred, int *name, |
