| author | Robert Watson <rwatson@FreeBSD.org> | 2007-04-22 15:31:22 +0000 |
|---|---|---|
| committer | Robert Watson <rwatson@FreeBSD.org> | 2007-04-22 15:31:22 +0000 |
| commit | c14d15ae3eb84fc6db4c95414c7a051a05ebe2a1 (patch) | |
| tree | 1c8d3b15d3ba425f41f9ad0bc9e628b32aba6083 /sys/security/mac/mac_system.c | |
| parent | 5d83ecf9653cc94ce225d156fa63e45613c9bf42 (diff) | |
Notes
Diffstat (limited to 'sys/security/mac/mac_system.c')
| -rw-r--r-- | sys/security/mac/mac_system.c | 63 |
1 files changed, 16 insertions, 47 deletions
diff --git a/sys/security/mac/mac_system.c b/sys/security/mac/mac_system.c index 32a9b79b78b5..07a975c0ef31 100644 --- a/sys/security/mac/mac_system.c +++ b/sys/security/mac/mac_system.c @@ -1,5 +1,6 @@ /*- * Copyright (c) 2002, 2003 Networks Associates Technology, Inc. + * Copyright (c) 2007 Robert N. M. Watson * All rights reserved. * * This software was developed for the FreeBSD Project in part by Network @@ -7,6 +8,9 @@ * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), * as part of the DARPA CHATS research program. * + * Portions of this software were developed by Robert Watson for the + * TrustedBSD Project. + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -29,6 +33,16 @@ * SUCH DAMAGE. */ +/* + * MAC Framework entry points relating to overall operation of system, + * including global services such as the kernel environment and loadable + * modules. + * + * System checks often align with existing privilege checks, but provide + * additional security context that may be relevant to policies, such as the + * specific object being operated on. + */ + #include <sys/cdefs.h> __FBSDID("$FreeBSD$"); @@ -48,12 +62,6 @@ __FBSDID("$FreeBSD$"); #include <security/mac/mac_internal.h> #include <security/mac/mac_policy.h> -/* - * XXXRW: Some of these checks now duplicate privilege checks. However, - * others provide additional security context that may be useful to policies. - * We need to review these and remove ones that are pure duplicates. - */ - int mac_check_kenv_dump(struct ucred *cred) { 
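Review bot: The new file-header comment (hunk `@@ -29,6 +33,16 @@`) says system checks "often align with existing privilege checks" but gives a policy author no rule for which of the two mediates a given operation, while the later hunks delete `mac_check_kld_unload`, `mac_check_sysarch_ioperm`, `mac_check_system_nfsd` and `mac_check_system_settime` outright. A policy that enforced those operations through the removed entry points would no longer be consulted for them. This page is limited to mac_system.c, so it cannot be confirmed from here whether the policy interface and the call sites were updated in the same commit. I would add one sentence to the comment, for example ` * Operations for which a system check would add no context beyond the privilege check are mediated by the privilege check alone.`, which is presumably the intent, going by the removed XXXRW note.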
@@ -117,25 +125,6 @@ mac_check_kld_stat(struct ucred *cred) } int -mac_check_kld_unload(struct ucred *cred) -{ - int error; - - MAC_CHECK(check_kld_unload, cred); - - return (error); -} - -int -mac_check_sysarch_ioperm(struct ucred *cred) -{ - int error; - - MAC_CHECK(check_sysarch_ioperm, cred); - return (error); -} - -int mac_check_system_acct(struct ucred *cred, struct vnode *vp) { int error; @@ -151,16 +140,6 @@ mac_check_system_acct(struct ucred *cred, struct vnode *vp) } int -mac_check_system_nfsd(struct ucred *cred) -{ - int error; - - MAC_CHECK(check_system_nfsd, cred); - - return (error); -} - -int mac_check_system_reboot(struct ucred *cred, int howto) { int error; @@ -171,16 +150,6 @@ mac_check_system_reboot(struct ucred *cred, int howto) } int -mac_check_system_settime(struct ucred *cred) -{ - int error; - - MAC_CHECK(check_system_settime, cred); - - return (error); -} - -int mac_check_system_swapon(struct ucred *cred, struct vnode *vp) { int error; @@ -203,8 +172,8 @@ mac_check_system_swapoff(struct ucred *cred, struct vnode *vp) } int -mac_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp, void *arg1, - int arg2, struct sysctl_req *req) +mac_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp, + void *arg1, int arg2, struct sysctl_req *req) { int error; |
