| author | Mateusz Guzik <mjg@FreeBSD.org> | 2020-11-19 06:30:25 +0000 |
|---|---|---|
| committer | Mateusz Guzik <mjg@FreeBSD.org> | 2020-11-19 06:30:25 +0000 |
| commit | 89744405e64b2116fbdd7d0e866a34731c96e4d5 (patch) | |
| tree | 28f63053df17fc5af704822a00dace1f8b1051cf /sys/security/mac | |
| parent | a90c7d9aa82430454b3194d6750e0c0c748ac6dc (diff) | |
Diffstat (limited to 'sys/security/mac')
| -rw-r--r-- | sys/security/mac/mac_framework.c | 6 | ||||
| -rw-r--r-- | sys/security/mac/mac_framework.h | 25 | ||||
| -rw-r--r-- | sys/security/mac/mac_pipe.c | 2 |
3 files changed, 30 insertions, 3 deletions
diff --git a/sys/security/mac/mac_framework.c b/sys/security/mac/mac_framework.c
index 60431b020782..3ec932147637 100644
--- a/sys/security/mac/mac_framework.c
+++ b/sys/security/mac/mac_framework.c
@@ -141,6 +141,8 @@ FPFLAG(vnode_check_mmap);
 FPFLAG_RARE(vnode_check_poll);
 FPFLAG_RARE(vnode_check_rename_from);
 FPFLAG_RARE(vnode_check_access);
+FPFLAG_RARE(pipe_check_stat);
+FPFLAG_RARE(pipe_check_poll);
 #undef FPFLAG
 #undef FPFLAG_RARE
@@ -433,6 +435,10 @@ struct mac_policy_fastpath_elem mac_policy_fastpath_array[] = {
 .flag = &mac_vnode_check_rename_from_fp_flag },
 { .offset = FPO(vnode_check_access),
 .flag = &mac_vnode_check_access_fp_flag },
+ { .offset = FPO(pipe_check_stat),
+ .flag = &mac_pipe_check_stat_fp_flag },
+ { .offset = FPO(pipe_check_poll),
+ .flag = &mac_pipe_check_poll_fp_flag },
 };
 static void
diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h
index c9a0ae3ce1da..ea061d6258ff 100644
--- a/sys/security/mac/mac_framework.h
+++ b/sys/security/mac/mac_framework.h
@@ -208,9 +208,30 @@ void mac_netinet6_nd6_send(struct ifnet *ifp, struct mbuf *m);
 int mac_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp, unsigned long cmd, void *data);
-int mac_pipe_check_poll(struct ucred *cred, struct pipepair *pp);
-int mac_pipe_check_read(struct ucred *cred, struct pipepair *pp);
+int mac_pipe_check_poll_impl(struct ucred *cred, struct pipepair *pp);
+#ifdef MAC
+extern bool mac_pipe_check_poll_fp_flag;
+#else
+#define mac_pipe_check_poll_fp_flag 0
+#endif
+#define mac_pipe_check_poll_enabled() __predict_false(mac_pipe_check_poll_fp_flag)
+static inline int
+mac_pipe_check_poll(struct ucred *cred, struct pipepair *pp)
+{
+
+ if (mac_pipe_check_poll_enabled())
+ return (mac_pipe_check_poll_impl(cred, pp));
+ return (0);
+}
+
+#ifdef MAC
+extern bool mac_pipe_check_stat_fp_flag;
+#else
+#define mac_pipe_check_stat_fp_flag 0
+#endif
+#define mac_pipe_check_stat_enabled() __predict_false(mac_pipe_check_stat_fp_flag)
 int mac_pipe_check_stat(struct ucred *cred, struct pipepair *pp);
+int mac_pipe_check_read(struct ucred *cred, struct pipepair *pp);
 int mac_pipe_check_write(struct ucred *cred, struct pipepair *pp);
 void mac_pipe_create(struct ucred *cred, struct pipepair *pp);
 void mac_pipe_destroy(struct pipepair *);
diff --git a/sys/security/mac/mac_pipe.c b/sys/security/mac/mac_pipe.c
index d7cb86c1284d..799801905d54 100644
--- a/sys/security/mac/mac_pipe.c
+++ b/sys/security/mac/mac_pipe.c
@@ -163,7 +163,7 @@ MAC_CHECK_PROBE_DEFINE2(pipe_check_poll, "struct ucred *", "struct pipepair *");
 int
-mac_pipe_check_poll(struct ucred *cred, struct pipepair *pp)
+mac_pipe_check_poll_impl(struct ucred *cred, struct pipepair *pp)
 {
 int error;
|
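Review bot: The new inline `mac_pipe_check_poll` in the mac_framework.h hunk returns 0 (allow) whenever `mac_pipe_check_poll_fp_flag` is clear, so the whole check hinges on that flag being raised before any policy implementing the hook is live; the header gives the reader no pointer to where that invariant is kept, even though the mac_framework.c hunk shows it is the fastpath array entry `{ .offset = FPO(pipe_check_poll), .flag = &mac_pipe_check_poll_fp_flag }` that ties the two together. A comment above the wrapper such as `/* Fast path: mac_pipe_check_poll_fp_flag is raised by the fastpath registration in mac_framework.c whenever a loaded policy provides pipe_check_poll; with it clear no policy can object, so 0 is returned without calling the _impl. */` would make the fail-open branch auditable. The stat side is asymmetric: `mac_pipe_check_stat_enabled()` is defined, but `mac_pipe_check_stat` keeps its out-of-line prototype with no inline wrapper, presumably because callers outside this diff test the flag themselves before taking locks; if so, a one-line comment, `/* No inline wrapper: callers test mac_pipe_check_stat_enabled() before calling the check. */`, would stop the next reader from "completing" the pattern. The wrapper also introduces `bool` and `__predict_false` into this header, so whichever header supplies them must already be included above line 208; that is not visible in the hunk.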
