X-Git-Url: https://git.saurik.com/apple/xnu.git/blobdiff_plain/b0d623f7f2ae71ed96e60569f61f9a9a27016e80..eee3565979933af707c711411001ba11fe406a3c:/security/mac_audit.c
diff --git a/security/mac_audit.c b/security/mac_audit.c
index 504c55ae8..2454b57aa 100644
--- a/security/mac_audit.c
+++ b/security/mac_audit.c
@@ -74,10 +74,6 @@
 #include
 #include
-
-int mac_audit(__unused int len, __unused u_char *data);
-
-
 #if CONFIG_AUDIT
 /* The zone allocator is initialized in mac_base.c. */
@@ -120,8 +116,13 @@ mac_proc_check_getauid(struct proc *curp)
 kauth_cred_t cred;
 int error;
- if (!mac_proc_enforce ||
- !mac_proc_check_enforce(curp, MAC_PROC_ENFORCE))
+#if SECURITY_MAC_CHECK_ENFORCE
+ /* 21167099 - only check if we allow write */
+ if (!mac_proc_enforce)
+ return 0;
+#endif
+
+ if (!mac_proc_check_enforce(curp, MAC_PROC_ENFORCE))
 return 0;
 cred = kauth_cred_proc_ref(curp);
@@ -137,9 +138,13 @@ mac_proc_check_setauid(struct proc *curp, uid_t auid)
 kauth_cred_t cred;
 int error;
- if (!mac_proc_enforce ||
- !mac_proc_check_enforce(curp, MAC_PROC_ENFORCE))
- return 0;
+#if SECURITY_MAC_CHECK_ENFORCE
+ /* 21167099 - only check if we allow write */
+ if (!mac_proc_enforce)
+ return 0;
+#endif
+ if (!mac_proc_check_enforce(curp, MAC_PROC_ENFORCE))
+ return 0;
 cred = kauth_cred_proc_ref(curp);
 MAC_CHECK(proc_check_setauid, cred, auid);
@@ -154,9 +159,13 @@ mac_proc_check_getaudit(struct proc *curp)
 kauth_cred_t cred;
 int error;
- if (!mac_proc_enforce ||
- !mac_proc_check_enforce(curp, MAC_PROC_ENFORCE))
- return 0;
+#if SECURITY_MAC_CHECK_ENFORCE
+ /* 21167099 - only check if we allow write */
+ if (!mac_proc_enforce)
+ return 0;
+#endif
+ if (!mac_proc_check_enforce(curp, MAC_PROC_ENFORCE))
+ return 0;
 cred = kauth_cred_proc_ref(curp);
 MAC_CHECK(proc_check_getaudit, cred);
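Review bot: The comment added above the `mac_proc_enforce` test in mac_proc_check_getauid, `/* 21167099 - only check if we allow write */`, says neither what is written nor why the global toggle is now conditional, and the same comment is repeated in the mac_proc_check_setauid, mac_proc_check_getaudit and mac_proc_check_setaudit hunks. As written, a build where SECURITY_MAC_CHECK_ENFORCE is 0 (or undefined, which `#if` treats as 0) no longer consults `mac_proc_enforce` at all, so the policy check runs whenever `mac_proc_check_enforce()` allows it; that looks like the intended fail-closed direction and the comment should say so, for example `/* Honor the global mac_proc_enforce toggle only in builds where it can be changed at run time; otherwise always run the check. */`, assuming that is what "allow write" refers to. Because the same five-line guard now appears four times, a single static inline helper or macro would keep the four entry points from drifting apart. The function bodies continue outside each hunk.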
@@ -171,9 +180,13 @@ mac_proc_check_setaudit(struct proc *curp, struct auditinfo_addr *ai)
 kauth_cred_t cred;
 int error;
- if (!mac_proc_enforce ||
- !mac_proc_check_enforce(curp, MAC_PROC_ENFORCE))
- return 0;
+#if SECURITY_MAC_CHECK_ENFORCE
+ /* 21167099 - only check if we allow write */
+ if (!mac_proc_enforce)
+ return 0;
+#endif
+ if (!mac_proc_check_enforce(curp, MAC_PROC_ENFORCE))
+ return 0;
 cred = kauth_cred_proc_ref(curp);
 MAC_CHECK(proc_check_setaudit, cred, ai);
@@ -394,13 +407,6 @@ mac_audit_check_postselect(__unused struct ucred *cred, __unused unsigned short
 return (MAC_AUDIT_DEFAULT);
 }
-int
-mac_audit(__unused int len, __unused u_char *data)
-{
-
- return (0);
-}
-
 int
 mac_audit_text(__unused char *text, __unused mac_policy_handle_t handle)
 {