From c031391bd5dec6d2e0cd9918295a4d08e86d04e4 Mon Sep 17 00:00:00 2001
From: Robert Watson
Date: Mon, 30 Sep 2002 20:50:00 +0000
Subject: [PATCH] Add tunables for the existing sysctl twiddles for pipe and vm enforcement so they can be disabled prior to kernel start.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
---
sys/kern/kern_mac.c | 2 ++
sys/security/mac/mac_framework.c | 2 ++
sys/security/mac/mac_internal.h | 2 ++
sys/security/mac/mac_net.c | 2 ++
sys/security/mac/mac_pipe.c | 2 ++
sys/security/mac/mac_process.c | 2 ++
sys/security/mac/mac_syscalls.c | 2 ++
sys/security/mac/mac_system.c | 2 ++
sys/security/mac/mac_vfs.c | 2 ++
9 files changed, 18 insertions(+)

diff --git a/sys/kern/kern_mac.c b/sys/kern/kern_mac.c
index 02bfa94b825..77224304e67 100644
--- a/sys/kern/kern_mac.c
+++ b/sys/kern/kern_mac.c
@@ -133,6 +133,7 @@ TUNABLE_INT("security.mac.enforce_network", &mac_enforce_network);
 static int mac_enforce_pipe = 1;
 SYSCTL_INT(_security_mac, OID_AUTO, enforce_pipe, CTLFLAG_RW,
 &mac_enforce_pipe, 0, "Enforce MAC policy on pipe operations");
+TUNABLE_INT("security.mac.enforce_pipe", &mac_enforce_pipe);
 static int mac_enforce_process = 1;
 SYSCTL_INT(_security_mac, OID_AUTO, enforce_process, CTLFLAG_RW,
@@ -147,6 +148,7 @@ TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket);
 static int mac_enforce_vm = 1;
 SYSCTL_INT(_security_mac, OID_AUTO, enforce_vm, CTLFLAG_RW,
 &mac_enforce_vm, 0, "Enforce MAC policy on vm operations");
+TUNABLE_INT("security.mac.enforce_vm", &mac_enforce_vm);
 static int mac_label_size = sizeof(struct mac);
 SYSCTL_INT(_security_mac, OID_AUTO, label_size, CTLFLAG_RD,
diff --git a/sys/security/mac/mac_framework.c b/sys/security/mac/mac_framework.c
index 02bfa94b825..77224304e67 100644
--- a/sys/security/mac/mac_framework.c
+++ b/sys/security/mac/mac_framework.c
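Review bot: `TUNABLE_INT("security.mac.enforce_pipe", &mac_enforce_pipe);` lets the loader environment (loader.conf or the loader prompt) clear the flag before the kernel is running, so whoever controls the boot loader can switch off every pipe check gated on `mac_enforce_pipe` without ever touching the runtime sysctl, and nothing near the definition records that. The variable already has a `CTLFLAG_RW` sysctl for root, so the new exposure is specifically console/loader access; that matches what the existing `enforce_network` tunable on the hunk's header line already permits, but it belongs in a comment where the flag is defined. I would add above `static int mac_enforce_pipe = 1;`: `/* Debugging aid: can be cleared from loader.conf (security.mac.enforce_pipe=0) before any policy loads; the override is not itself subject to MAC. */`. Whether the loader prompt is password-protected is a deployment matter the code cannot settle, which is why the comment should name the risk.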
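Review bot: The string in `TUNABLE_INT("security.mac.enforce_vm", &mac_enforce_vm);` is the only link between the loader variable and the `enforce_vm` OID registered two lines above, and a mismatch in either name fails silently: the loader.conf entry would be read into nothing, the flag would stay at 1, and no diagnostic would say why enforcement is still on. Every knob in this file now repeats that pairing by hand (`enforce_network` and `enforce_socket` are visible on the two hunk headers). At minimum a comment on `static int mac_enforce_vm = 1;` such as `/* Tunable name below must match the sysctl OID path exactly. */`; a small local macro that emits both the `SYSCTL_INT` and the `TUNABLE_INT` from one name would remove the duplication, but that is a larger change than this commit makes.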
@@ -133,6 +133,7 @@ TUNABLE_INT("security.mac.enforce_network", &mac_enforce_network);
 static int mac_enforce_pipe = 1;
 SYSCTL_INT(_security_mac, OID_AUTO, enforce_pipe, CTLFLAG_RW,
 &mac_enforce_pipe, 0, "Enforce MAC policy on pipe operations");
+TUNABLE_INT("security.mac.enforce_pipe", &mac_enforce_pipe);
 static int mac_enforce_process = 1;
 SYSCTL_INT(_security_mac, OID_AUTO, enforce_process, CTLFLAG_RW,
@@ -147,6 +148,7 @@ TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket);
 static int mac_enforce_vm = 1;
 SYSCTL_INT(_security_mac, OID_AUTO, enforce_vm, CTLFLAG_RW,
 &mac_enforce_vm, 0, "Enforce MAC policy on vm operations");
+TUNABLE_INT("security.mac.enforce_vm", &mac_enforce_vm);
 static int mac_label_size = sizeof(struct mac);
 SYSCTL_INT(_security_mac, OID_AUTO, label_size, CTLFLAG_RD,
diff --git a/sys/security/mac/mac_internal.h b/sys/security/mac/mac_internal.h
index 02bfa94b825..77224304e67 100644
--- a/sys/security/mac/mac_internal.h
+++ b/sys/security/mac/mac_internal.h
@@ -133,6 +133,7 @@ TUNABLE_INT("security.mac.enforce_network", &mac_enforce_network);
 static int mac_enforce_pipe = 1;
 SYSCTL_INT(_security_mac, OID_AUTO, enforce_pipe, CTLFLAG_RW,
 &mac_enforce_pipe, 0, "Enforce MAC policy on pipe operations");
+TUNABLE_INT("security.mac.enforce_pipe", &mac_enforce_pipe);
 static int mac_enforce_process = 1;
 SYSCTL_INT(_security_mac, OID_AUTO, enforce_process, CTLFLAG_RW,
@@ -147,6 +148,7 @@ TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket);
 static int mac_enforce_vm = 1;
 SYSCTL_INT(_security_mac, OID_AUTO, enforce_vm, CTLFLAG_RW,
 &mac_enforce_vm, 0, "Enforce MAC policy on vm operations");
+TUNABLE_INT("security.mac.enforce_vm", &mac_enforce_vm);
 static int mac_label_size = sizeof(struct mac);
 SYSCTL_INT(_security_mac, OID_AUTO, label_size, CTLFLAG_RD,
diff --git a/sys/security/mac/mac_net.c b/sys/security/mac/mac_net.c
index 02bfa94b825..77224304e67 100644
--- a/sys/security/mac/mac_net.c
+++ b/sys/security/mac/mac_net.c
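Review bot: The `mac_framework.c` section carries the same blob ids (`02bfa94b825..77224304e67`) and byte-identical hunks as the `kern_mac.c` section above, so as shown it would define a second `static int mac_enforce_pipe` with its own `SYSCTL_INT` and `TUNABLE_INT` registrations in another translation unit. Two OIDs named `security.mac.enforce_pipe` and two tunables reading one loader variable into two different flags leave `sysctl -w` updating whichever copy registered first while checks in the other file keep reading their own. Identical hashes for nine different paths would mean nine identical files, which together with the per-file "2 ++" diffstat suggests this page repeats one section rather than showing a real change; if the duplication is intentional, the definition and both registrations should live in exactly one .c file.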
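Review bot: Putting `static int mac_enforce_pipe = 1;` together with `SYSCTL_INT(...)` and the new `TUNABLE_INT("security.mac.enforce_pipe", &mac_enforce_pipe);` into a header (`mac_internal.h`) gives every including translation unit a private copy of the flag and a duplicate `security.mac.enforce_pipe` OID and tunable per unit, so a runtime `sysctl -w security.mac.enforce_pipe=0` would change one copy while the pipe checks elsewhere keep consulting theirs. If the flag is meant to be shared across the mac_*.c files, the header should carry only `extern int mac_enforce_pipe;` (and likewise for `mac_enforce_vm`) and a single .c file the definitions plus both registrations. The hunk is identical to the .c sections on this page, so this may be a page artifact rather than the real header change; the point stands for whatever the header actually gains.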
@@ -133,6 +133,7 @@ TUNABLE_INT("security.mac.enforce_network", &mac_enforce_network);
 static int mac_enforce_pipe = 1;
 SYSCTL_INT(_security_mac, OID_AUTO, enforce_pipe, CTLFLAG_RW,
 &mac_enforce_pipe, 0, "Enforce MAC policy on pipe operations");
+TUNABLE_INT("security.mac.enforce_pipe", &mac_enforce_pipe);
 static int mac_enforce_process = 1;
 SYSCTL_INT(_security_mac, OID_AUTO, enforce_process, CTLFLAG_RW,
@@ -147,6 +148,7 @@ TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket);
 static int mac_enforce_vm = 1;
 SYSCTL_INT(_security_mac, OID_AUTO, enforce_vm, CTLFLAG_RW,
 &mac_enforce_vm, 0, "Enforce MAC policy on vm operations");
+TUNABLE_INT("security.mac.enforce_vm", &mac_enforce_vm);
 static int mac_label_size = sizeof(struct mac);
 SYSCTL_INT(_security_mac, OID_AUTO, label_size, CTLFLAG_RD,
diff --git a/sys/security/mac/mac_pipe.c b/sys/security/mac/mac_pipe.c
index 02bfa94b825..77224304e67 100644
--- a/sys/security/mac/mac_pipe.c
+++ b/sys/security/mac/mac_pipe.c
@@ -133,6 +133,7 @@ TUNABLE_INT("security.mac.enforce_network", &mac_enforce_network);
 static int mac_enforce_pipe = 1;
 SYSCTL_INT(_security_mac, OID_AUTO, enforce_pipe, CTLFLAG_RW,
 &mac_enforce_pipe, 0, "Enforce MAC policy on pipe operations");
+TUNABLE_INT("security.mac.enforce_pipe", &mac_enforce_pipe);
 static int mac_enforce_process = 1;
 SYSCTL_INT(_security_mac, OID_AUTO, enforce_process, CTLFLAG_RW,
@@ -147,6 +148,7 @@ TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket);
 static int mac_enforce_vm = 1;
 SYSCTL_INT(_security_mac, OID_AUTO, enforce_vm, CTLFLAG_RW,
 &mac_enforce_vm, 0, "Enforce MAC policy on vm operations");
+TUNABLE_INT("security.mac.enforce_vm", &mac_enforce_vm);
 static int mac_label_size = sizeof(struct mac);
 SYSCTL_INT(_security_mac, OID_AUTO, label_size, CTLFLAG_RD,
diff --git a/sys/security/mac/mac_process.c b/sys/security/mac/mac_process.c
index 02bfa94b825..77224304e67 100644
--- a/sys/security/mac/mac_process.c
+++ b/sys/security/mac/mac_process.c
@@ -133,6 +133,7 @@ TUNABLE_INT("security.mac.enforce_network", &mac_enforce_network);
 static int mac_enforce_pipe = 1;
 SYSCTL_INT(_security_mac, OID_AUTO, enforce_pipe, CTLFLAG_RW,
 &mac_enforce_pipe, 0, "Enforce MAC policy on pipe operations");
+TUNABLE_INT("security.mac.enforce_pipe", &mac_enforce_pipe);
 static int mac_enforce_process = 1;
 SYSCTL_INT(_security_mac, OID_AUTO, enforce_process, CTLFLAG_RW,
@@ -147,6 +148,7 @@ TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket);
 static int mac_enforce_vm = 1;
 SYSCTL_INT(_security_mac, OID_AUTO, enforce_vm, CTLFLAG_RW,
 &mac_enforce_vm, 0, "Enforce MAC policy on vm operations");
+TUNABLE_INT("security.mac.enforce_vm", &mac_enforce_vm);
 static int mac_label_size = sizeof(struct mac);
 SYSCTL_INT(_security_mac, OID_AUTO, label_size, CTLFLAG_RD,
diff --git a/sys/security/mac/mac_syscalls.c b/sys/security/mac/mac_syscalls.c
index 02bfa94b825..77224304e67 100644
--- a/sys/security/mac/mac_syscalls.c
+++ b/sys/security/mac/mac_syscalls.c
@@ -133,6 +133,7 @@ TUNABLE_INT("security.mac.enforce_network", &mac_enforce_network);
 static int mac_enforce_pipe = 1;
 SYSCTL_INT(_security_mac, OID_AUTO, enforce_pipe, CTLFLAG_RW,
 &mac_enforce_pipe, 0, "Enforce MAC policy on pipe operations");
+TUNABLE_INT("security.mac.enforce_pipe", &mac_enforce_pipe);
 static int mac_enforce_process = 1;
 SYSCTL_INT(_security_mac, OID_AUTO, enforce_process, CTLFLAG_RW,
@@ -147,6 +148,7 @@ TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket);
 static int mac_enforce_vm = 1;
 SYSCTL_INT(_security_mac, OID_AUTO, enforce_vm, CTLFLAG_RW,
 &mac_enforce_vm, 0, "Enforce MAC policy on vm operations");
+TUNABLE_INT("security.mac.enforce_vm", &mac_enforce_vm);
 static int mac_label_size = sizeof(struct mac);
 SYSCTL_INT(_security_mac, OID_AUTO, label_size, CTLFLAG_RD,
diff --git a/sys/security/mac/mac_system.c b/sys/security/mac/mac_system.c
index 02bfa94b825..77224304e67 100644
--- a/sys/security/mac/mac_system.c
+++ b/sys/security/mac/mac_system.c
@@ -133,6 +133,7 @@ TUNABLE_INT("security.mac.enforce_network", &mac_enforce_network);
 static int mac_enforce_pipe = 1;
 SYSCTL_INT(_security_mac, OID_AUTO, enforce_pipe, CTLFLAG_RW,
 &mac_enforce_pipe, 0, "Enforce MAC policy on pipe operations");
+TUNABLE_INT("security.mac.enforce_pipe", &mac_enforce_pipe);
 static int mac_enforce_process = 1;
 SYSCTL_INT(_security_mac, OID_AUTO, enforce_process, CTLFLAG_RW,
@@ -147,6 +148,7 @@ TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket);
 static int mac_enforce_vm = 1;
 SYSCTL_INT(_security_mac, OID_AUTO, enforce_vm, CTLFLAG_RW,
 &mac_enforce_vm, 0, "Enforce MAC policy on vm operations");
+TUNABLE_INT("security.mac.enforce_vm", &mac_enforce_vm);
 static int mac_label_size = sizeof(struct mac);
 SYSCTL_INT(_security_mac, OID_AUTO, label_size, CTLFLAG_RD,
diff --git a/sys/security/mac/mac_vfs.c b/sys/security/mac/mac_vfs.c
index 02bfa94b825..77224304e67 100644
--- a/sys/security/mac/mac_vfs.c
+++ b/sys/security/mac/mac_vfs.c
@@ -133,6 +133,7 @@ TUNABLE_INT("security.mac.enforce_network", &mac_enforce_network);
 static int mac_enforce_pipe = 1;
 SYSCTL_INT(_security_mac, OID_AUTO, enforce_pipe, CTLFLAG_RW,
 &mac_enforce_pipe, 0, "Enforce MAC policy on pipe operations");
+TUNABLE_INT("security.mac.enforce_pipe", &mac_enforce_pipe);
 static int mac_enforce_process = 1;
 SYSCTL_INT(_security_mac, OID_AUTO, enforce_process, CTLFLAG_RW,
@@ -147,6 +148,7 @@ TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket);
 static int mac_enforce_vm = 1;
 SYSCTL_INT(_security_mac, OID_AUTO, enforce_vm, CTLFLAG_RW,
 &mac_enforce_vm, 0, "Enforce MAC policy on vm operations");
+TUNABLE_INT("security.mac.enforce_vm", &mac_enforce_vm);
 static int mac_label_size = sizeof(struct mac);
 SYSCTL_INT(_security_mac, OID_AUTO, label_size, CTLFLAG_RD,