xnu-3789.1.32.tar.gz

[apple/xnu.git] / security / mac_system.c

diff --git a/security/mac_system.c b/security/mac_system.c
index 8089caac842809cc53b8d41e5d335729e772af89..bae10876500379441c38d460953cc86389ea1a7f 100644 (file)
--- a/security/mac_system.c
+++ b/security/mac_system.c
@@ -74,8 +74,11 @@ mac_system_check_acct(kauth_cred_t cred, struct vnode *vp)
 {
        int error;
 
 {
        int error;
 

+#if SECURITY_MAC_CHECK_ENFORCE
+       /* 21167099 - only check if we allow write */

        if (!mac_system_enforce)
                return (0);
        if (!mac_system_enforce)
                return (0);

+#endif

 
        MAC_CHECK(system_check_acct, cred, vp,
            vp != NULL ? vp->v_label : NULL);
 
        MAC_CHECK(system_check_acct, cred, vp,
            vp != NULL ? vp->v_label : NULL);


@@ -88,8 +91,11 @@ mac_system_check_chud(kauth_cred_t cred)
 {
        int error;
 
 {
        int error;
 

+#if SECURITY_MAC_CHECK_ENFORCE
+       /* 21167099 - only check if we allow write */

        if (!mac_system_enforce)
                return (0);
        if (!mac_system_enforce)
                return (0);

+#endif

 
        MAC_CHECK(system_check_chud, cred);
 
 
        MAC_CHECK(system_check_chud, cred);
 


@@ -101,21 +107,43 @@ mac_system_check_host_priv(kauth_cred_t cred)
 {
        int error;
 
 {
        int error;
 

+#if SECURITY_MAC_CHECK_ENFORCE
+       /* 21167099 - only check if we allow write */

        if (!mac_system_enforce)
                return (0);
        if (!mac_system_enforce)
                return (0);

+#endif

 
        MAC_CHECK(system_check_host_priv, cred);
 
        return (error);
 }
 
 
        MAC_CHECK(system_check_host_priv, cred);
 
        return (error);
 }
 

+int
+mac_system_check_info(kauth_cred_t cred, const char *info_type)
+{
+       int error;
+
+#if SECURITY_MAC_CHECK_ENFORCE
+       /* 21167099 - only check if we allow write */
+       if (!mac_system_enforce)
+               return (0);
+#endif
+
+       MAC_CHECK(system_check_info, cred, info_type);
+
+       return (error);
+}
+

 int
 mac_system_check_nfsd(kauth_cred_t cred)
 {
        int error;
 
 int
 mac_system_check_nfsd(kauth_cred_t cred)
 {
        int error;
 

+#if SECURITY_MAC_CHECK_ENFORCE
+       /* 21167099 - only check if we allow write */

        if (!mac_system_enforce)
                return (0);
        if (!mac_system_enforce)
                return (0);

+#endif

 
        MAC_CHECK(system_check_nfsd, cred);
 
 
        MAC_CHECK(system_check_nfsd, cred);
 


@@ -127,21 +155,28 @@ mac_system_check_reboot(kauth_cred_t cred, int howto)
 {
        int error;
 
 {
        int error;
 

+#if SECURITY_MAC_CHECK_ENFORCE
+       /* 21167099 - only check if we allow write */

        if (!mac_system_enforce)
                return (0);
        if (!mac_system_enforce)
                return (0);

+#endif

 
        MAC_CHECK(system_check_reboot, cred, howto);
 
        return (error);
 }
 
 
        MAC_CHECK(system_check_reboot, cred, howto);
 
        return (error);
 }
 

+

 int
 mac_system_check_settime(kauth_cred_t cred)
 {
        int error;
 
 int
 mac_system_check_settime(kauth_cred_t cred)
 {
        int error;
 

+#if SECURITY_MAC_CHECK_ENFORCE
+       /* 21167099 - only check if we allow write */

        if (!mac_system_enforce)
                return (0);
        if (!mac_system_enforce)
                return (0);

+#endif

 
        MAC_CHECK(system_check_settime, cred);
 
 
        MAC_CHECK(system_check_settime, cred);
 


@@ -153,8 +188,11 @@ mac_system_check_swapon(kauth_cred_t cred, struct vnode *vp)
 {
        int error;
 
 {
        int error;
 

+#if SECURITY_MAC_CHECK_ENFORCE
+       /* 21167099 - only check if we allow write */

        if (!mac_system_enforce)
                return (0);
        if (!mac_system_enforce)
                return (0);

+#endif

 
        MAC_CHECK(system_check_swapon, cred, vp, vp->v_label);
        return (error);
 
        MAC_CHECK(system_check_swapon, cred, vp, vp->v_label);
        return (error);


@@ -165,30 +203,47 @@ mac_system_check_swapoff(kauth_cred_t cred, struct vnode *vp)
 {
        int error;
 
 {
        int error;
 

+#if SECURITY_MAC_CHECK_ENFORCE
+       /* 21167099 - only check if we allow write */
+       if (!mac_system_enforce)
+               return (0);
+#endif

 
 

+       MAC_CHECK(system_check_swapoff, cred, vp, vp->v_label);
+       return (error);
+}

 
 

+int
+mac_system_check_sysctlbyname(kauth_cred_t cred, const char *namestring, int *name,
+                             u_int namelen, user_addr_t oldctl, size_t oldlen,
+                             user_addr_t newctl, size_t newlen)
+{
+       int error;
+       
+#if SECURITY_MAC_CHECK_ENFORCE
+       /* 21167099 - only check if we allow write */

        if (!mac_system_enforce)
                return (0);
        if (!mac_system_enforce)
                return (0);

+#endif

 
 

-       MAC_CHECK(system_check_swapoff, cred, vp, vp->v_label);
+       MAC_CHECK(system_check_sysctlbyname, cred, namestring,
+           name, namelen, oldctl, oldlen, newctl, newlen);     
+       

        return (error);
 }
 
 int
        return (error);
 }
 
 int

-mac_system_check_sysctl(kauth_cred_t cred, int *name, u_int namelen,
-    user_addr_t old, user_addr_t oldlenp, int inkernel, user_addr_t new, size_t newlen)
+mac_system_check_kas_info(kauth_cred_t cred, int selector)

 {
        int error;
 
 {
        int error;
 

-       /*
-        * XXXMAC: We're very much like to assert the SYSCTL_LOCK here,
-        * but since it's not exported from kern_sysctl.c, we can't.
-        */
+#if SECURITY_MAC_CHECK_ENFORCE
+       /* 21167099 - only check if we allow write */

        if (!mac_system_enforce)
                return (0);
        if (!mac_system_enforce)
                return (0);

+#endif

 
 

-       MAC_CHECK(system_check_sysctl, cred, name, namelen, old, oldlenp,
-           inkernel, new, newlen);
+       MAC_CHECK(system_check_kas_info, cred, selector);

 
        return (error);
 }
 
        return (error);
 }