PERFORCE change 118475 for review
Robert Watson
rwatson at FreeBSD.org
Fri Apr 20 14:27:40 UTC 2007
http://perforce.freebsd.org/chv.cgi?CH=118475
Change 118475 by rwatson at rwatson_zoo on 2007/04/20 14:26:55
Don't add MAC checks for audit calls where no more information is
available than via the existing privilege checks (which can also be
instrumented with MAC).
Affected files ...
.. //depot/projects/trustedbsd/audit3/sys/security/audit/audit_syscalls.c#35 edit
.. //depot/projects/trustedbsd/audit3/sys/security/mac/mac_audit.c#7 edit
.. //depot/projects/trustedbsd/audit3/sys/security/mac/mac_framework.h#5 edit
.. //depot/projects/trustedbsd/audit3/sys/security/mac/mac_policy.h#5 edit
Differences ...
==== //depot/projects/trustedbsd/audit3/sys/security/audit/audit_syscalls.c#35 (text+ko) ====
@@ -444,12 +444,6 @@
int error;
au_id_t id;
-#ifdef MAC
- error = mac_check_proc_getauid(td->td_ucred);
- if (error)
- return (error);
-#endif
-
if (jailed(td->td_ucred))
return (ENOSYS);
error = priv_check(td, PRIV_AUDIT_GETAUDIT);
@@ -518,12 +512,6 @@
struct auditinfo ai;
int error;
-#ifdef MAC
- error = mac_check_proc_getaudit(td->td_ucred);
- if (error)
- return (error);
-#endif
-
if (jailed(td->td_ucred))
return (ENOSYS);
error = priv_check(td, PRIV_AUDIT_GETAUDIT);
@@ -594,12 +582,6 @@
struct auditinfo_addr aia;
int error;
-#ifdef MAC
- error = mac_check_proc_getaudit(td->td_ucred);
- if (error)
- return (error);
-#endif
-
if (jailed(td->td_ucred))
return (ENOSYS);
error = priv_check(td, PRIV_AUDIT_GETAUDIT);
==== //depot/projects/trustedbsd/audit3/sys/security/mac/mac_audit.c#7 (text+ko) ====
@@ -81,16 +81,6 @@
}
int
-mac_check_proc_getauid(struct ucred *cred)
-{
- int error;
-
- MAC_CHECK(check_proc_getauid, cred);
-
- return (error);
-}
-
-int
mac_check_proc_setauid(struct ucred *cred, uid_t auid)
{
int error;
@@ -101,16 +91,6 @@
}
int
-mac_check_proc_getaudit(struct ucred *cred)
-{
- int error;
-
- MAC_CHECK(check_proc_getaudit, cred);
-
- return (error);
-}
-
-int
mac_check_proc_setaudit(struct ucred *cred, struct auditinfo *ai)
{
int error;
==== //depot/projects/trustedbsd/audit3/sys/security/mac/mac_framework.h#5 (text+ko) ====
@@ -423,9 +423,7 @@
int mac_check_system_audit(struct ucred *cred, void *record, int length);
int mac_check_system_auditon(struct ucred *cred, int cmd);
int mac_check_system_auditctl(struct ucred *cred, struct vnode *vp);
-int mac_check_proc_getauid(struct ucred *cred);
int mac_check_proc_setauid(struct ucred *cred, uid_t auid);
-int mac_check_proc_getaudit(struct ucred *cred);
int mac_check_proc_setaudit(struct ucred *cred, struct auditinfo *ai);
/*
==== //depot/projects/trustedbsd/audit3/sys/security/mac/mac_policy.h#5 (text+ko) ====
@@ -617,9 +617,7 @@
typedef int (*mpo_check_system_auditon_t)(struct ucred *cred, int cmd);
typedef int (*mpo_check_system_auditctl_t)(struct ucred *cred,
struct vnode *vp, struct label *vplabel);
-typedef int (*mpo_check_proc_getauid_t)(struct ucred *cred);
typedef int (*mpo_check_proc_setauid_t)(struct ucred *cred, uid_t auid);
-typedef int (*mpo_check_proc_getaudit_t)(struct ucred *cred);
typedef int (*mpo_check_proc_setaudit_t)(struct ucred *cred,
struct auditinfo *ai);
@@ -926,9 +924,7 @@
mpo_check_system_audit_t mpo_check_system_audit;
mpo_check_system_auditon_t mpo_check_system_auditon;
mpo_check_system_auditctl_t mpo_check_system_auditctl;
- mpo_check_proc_getauid_t mpo_check_proc_getauid;
mpo_check_proc_setauid_t mpo_check_proc_setauid;
- mpo_check_proc_getaudit_t mpo_check_proc_getaudit;
mpo_check_proc_setaudit_t mpo_check_proc_setaudit;
};