PERFORCE change 19553 for review

Chris Vance cvance at freebsd.org
Fri Oct 18 17:19:29 GMT 2002


http://perforce.freebsd.org/chv.cgi?CH=19553

Change 19553 by cvance at cvance_laptop on 2002/10/18 10:18:55

	Add audit data for avc calls in sebsd_check_vnode_exec
	Comment out currently unused thread_has_perm helper function

Affected files ...

.. //depot/projects/trustedbsd/mac/sys/security/sebsd/sebsd.c#45 edit

Differences ...

==== //depot/projects/trustedbsd/mac/sys/security/sebsd/sebsd.c#45 (text+ko) ====

@@ -93,11 +93,13 @@
 				perm, &target->avcr);
 }
 
+#if 0
 static int
 thread_has_perm(struct thread *td, struct proc *proc, access_vector_t perm)
 {
 	return (cred_has_perm(td->td_proc->p_ucred, proc, perm));
 }
+#endif
 
 static int
 cred_has_system(struct ucred *cred, access_vector_t perm)
@@ -706,6 +708,7 @@
 	struct task_security_struct *task;
 	struct vnode_security_struct *file;
 	security_id_t newsid;
+	avc_audit_data_t ad;
 	int rc;
 
 	task = SLOT(&cred->cr_label);
@@ -720,20 +723,27 @@
 		    SLOT(imgp->execlabel))->sid;
 	}
 
+	AVC_AUDIT_DATA_INIT(&ad, FS);
+	ad.u.fs.vp = vp;
+
         if (newsid == task->sid) {
-		rc = avc_has_perm(task->sid, file->sid,
-				  SECCLASS_FILE, FILE__EXECUTE_NO_TRANS);
+		rc = avc_has_perm_audit(task->sid, file->sid, SECCLASS_FILE, 
+		    FILE__EXECUTE_NO_TRANS, &ad);
+
 		if (rc)
 			return EACCES;
+
 	} else {
 		/* Check permissions for the transition. */
-		rc = avc_has_perm(task->sid, newsid, SECCLASS_PROCESS,
-				  PROCESS__TRANSITION);
+		rc = avc_has_perm_audit(task->sid, newsid, SECCLASS_PROCESS,
+		    PROCESS__TRANSITION, &ad);
+
 		if (rc)
 			return EACCES;
 
-		rc = avc_has_perm(newsid, file->sid, 
-				  SECCLASS_FILE, FILE__ENTRYPOINT);
+		rc = avc_has_perm_audit(newsid, file->sid, SECCLASS_FILE, 
+		    FILE__ENTRYPOINT, &ad);
+
 		if (rc)
 			return EACCES;
 