X-Git-Url: https://git.saurik.com/apple/xnu.git/blobdiff_plain/2d21ac55c334faf3a56e5634905ed6987fc787d4..5ba3f43ea354af8ad55bea84372a2bc834d8757c:/security/mac_audit.c
diff --git a/security/mac_audit.c b/security/mac_audit.c
index cb61c1912..5459cf54a 100644
--- a/security/mac_audit.c
+++ b/security/mac_audit.c
@@ -68,13 +68,13 @@
 #include
 #include
 #include
-#include
+#include
 #include
 #include
 #include
 #include
-#ifdef AUDIT
+#if CONFIG_AUDIT
 /* The zone allocator is initialized in mac_base.c. */
 zone_t mac_audit_data_zone;
@@ -116,8 +116,13 @@ mac_proc_check_getauid(struct proc *curp)
 kauth_cred_t cred;
 int error;
- if (!mac_proc_enforce ||
- !mac_proc_check_enforce(curp, MAC_PROC_ENFORCE))
+#if SECURITY_MAC_CHECK_ENFORCE
+ /* 21167099 - only check if we allow write */
+ if (!mac_proc_enforce)
+ return 0;
+#endif
+
+ if (!mac_proc_check_enforce(curp))
 return 0;
 cred = kauth_cred_proc_ref(curp);
@@ -133,8 +138,12 @@ mac_proc_check_setauid(struct proc *curp, uid_t auid)
 kauth_cred_t cred;
 int error;
- if (!mac_proc_enforce ||
- !mac_proc_check_enforce(curp, MAC_PROC_ENFORCE))
+#if SECURITY_MAC_CHECK_ENFORCE
+ /* 21167099 - only check if we allow write */
+ if (!mac_proc_enforce)
+ return 0;
+#endif
+ if (!mac_proc_check_enforce(curp))
 return 0;
 cred = kauth_cred_proc_ref(curp);
@@ -150,8 +159,12 @@ mac_proc_check_getaudit(struct proc *curp)
 kauth_cred_t cred;
 int error;
- if (!mac_proc_enforce ||
- !mac_proc_check_enforce(curp, MAC_PROC_ENFORCE))
+#if SECURITY_MAC_CHECK_ENFORCE
+ /* 21167099 - only check if we allow write */
+ if (!mac_proc_enforce)
+ return 0;
+#endif
+ if (!mac_proc_check_enforce(curp))
 return 0;
 cred = kauth_cred_proc_ref(curp);
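Review bot: The switch from `#ifdef AUDIT` to `#if CONFIG_AUDIT` in the first hunk makes an undefined macro evaluate to 0 without any diagnostic, and the `#else` branch of this file consists of stubs that return 0. A translation unit built without the config definition would therefore compile every audit MAC check as an unconditional pass. Unless the build already uses `-Wundef`, a guard ahead of the test such as `#ifndef CONFIG_AUDIT` / `#error "CONFIG_AUDIT must be defined to 0 or 1"` / `#endif` would turn that into a build failure. Whether the project's config headers always define the macro cannot be seen from this page.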
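Review bot: The comment `/* 21167099 - only check if we allow write */` added in mac_proc_check_getauid (and repeated in the mac_proc_check_setauid, mac_proc_check_getaudit and mac_proc_check_setaudit hunks) cites a tracker number and does not say what is being gated. As written, the global `mac_proc_enforce` switch is consulted only when `SECURITY_MAC_CHECK_ENFORCE` is set, and both early exits return 0 before any policy is consulted; presumably the macro marks builds where the switch can be changed at run time. I would replace the comment with something like `/* The global enforce switch is honoured only in builds where it can be changed; returning 0 here skips the policy check and lets the call proceed. */`. The same guard now appears four times, and the getauid copy already differs by a blank line, so a small static helper would keep the copies from drifting. Each function body continues outside its hunk.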
@@ -162,13 +175,17 @@ mac_proc_check_getaudit(struct proc *curp)
 }
 int
-mac_proc_check_setaudit(struct proc *curp, struct auditinfo *ai)
+mac_proc_check_setaudit(struct proc *curp, struct auditinfo_addr *ai)
 {
 kauth_cred_t cred;
 int error;
- if (!mac_proc_enforce ||
- !mac_proc_check_enforce(curp, MAC_PROC_ENFORCE))
+#if SECURITY_MAC_CHECK_ENFORCE
+ /* 21167099 - only check if we allow write */
+ if (!mac_proc_enforce)
+ return 0;
+#endif
+ if (!mac_proc_check_enforce(curp))
 return 0;
 cred = kauth_cred_proc_ref(curp);
@@ -318,28 +335,28 @@ mac_audit_check_postselect(struct ucred *cred, unsigned short syscode,
 return (ret);
 }
-#else /* AUDIT */
+#else /* !CONFIG_AUDIT */
 /*
 * Function stubs for when AUDIT isn't defined.
 */
 int
-mac_system_check_audit(struct ucred *cred, void *record, int length)
+mac_system_check_audit(__unused struct ucred *cred, __unused void *record, __unused int length)
 {
 return (0);
 }
 int
-mac_system_check_auditon(struct ucred *cred, int cmd)
+mac_system_check_auditon(__unused struct ucred *cred, __unused int cmd)
 {
 return (0);
 }
 int
-mac_system_check_auditctl(struct ucred *cred, struct vnode *vp)
+mac_system_check_auditctl(__unused struct ucred *cred, __unused struct vnode *vp)
 {
 return (0);
@@ -367,7 +384,8 @@ mac_proc_check_getaudit(__unused struct proc *curp)
 }
 int
-mac_proc_check_setaudit(__unused struct proc *curp, struct auditinfo *ai)
+mac_proc_check_setaudit(__unused struct proc *curp,
+ __unused struct auditinfo_addr *ai)
 {
 return (0);
@@ -390,9 +408,8 @@ mac_audit_check_postselect(__unused struct ucred *cred, __unused unsigned short
 }
 int
-mac_audit(int len, u_char *data)
+mac_audit_text(__unused char *text, __unused mac_policy_handle_t handle)
 {
-
 return (0);
 }
-#endif /* !AUDIT */
+#endif /* !CONFIG_AUDIT */
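Review bot: The context comment `Function stubs for when AUDIT isn't defined.` in the `@@ -318,28 +335,28 @@` hunk is stale after this change, because the branch is now selected by `CONFIG_AUDIT` evaluating to 0 rather than by `AUDIT` being undefined. It should also say what the stubs mean for callers: each one returns 0, so with auditing compiled out these MAC audit checks pass without consulting any policy. Suggested wording: `/* Stubs used when CONFIG_AUDIT is 0: no policy is consulted and every check returns 0. */`. The hunk ends inside mac_system_check_auditctl, so the rest of the stub list is not visible here.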
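Review bot: The `mac_audit_text` stub in the last hunk returns 0 after discarding `text`, so a policy calling it on a kernel built without CONFIG_AUDIT is told the call succeeded although nothing was recorded. If the enabled implementation (outside this hunk) also uses 0 for success, a comment on the stub such as `/* Auditing compiled out: text is dropped and 0 is returned. */` would make that visible to policy authors. Whether callers could cope with a non-zero return instead cannot be judged from this page. The stub should also be checked against the prototype in the header, which this diff does not show.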