From owner-svn-src-head@FreeBSD.ORG Sun Mar 8 10:58:38 2009 Return-Path: Delivered-To: svn-src-head@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 9DD7B1065680; Sun, 8 Mar 2009 10:58:38 +0000 (UTC) (envelope-from rwatson@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id 8935A8FC1C; Sun, 8 Mar 2009 10:58:38 +0000 (UTC) (envelope-from rwatson@FreeBSD.org) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id n28AwcNY081581; Sun, 8 Mar 2009 10:58:38 GMT (envelope-from rwatson@svn.freebsd.org) Received: (from rwatson@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id n28AwcKj081572; Sun, 8 Mar 2009 10:58:38 GMT (envelope-from rwatson@svn.freebsd.org) Message-Id: <200903081058.n28AwcKj081572@svn.freebsd.org> From: Robert Watson Date: Sun, 8 Mar 2009 10:58:38 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r189529 - in head/sys: kern security/audit security/mac security/mac_stub security/mac_test X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 08 Mar 2009 10:58:39 -0000 Author: rwatson Date: Sun Mar 8 10:58:37 2009 New Revision: 189529 URL: http://svn.freebsd.org/changeset/base/189529 Log: Improve the consistency of MAC Framework and MAC policy entry point naming by renaming certain "proc" entry points to "cred" entry points, reflecting their manipulation of credentials. For some entry points, the process was passed into the framework but not into policies; in these cases, stop passing in the process since we don't need it. mac_proc_check_setaudit -> mac_cred_check_setaudit mac_proc_check_setaudit_addr -> mac_cred_check_setaudit_addr mac_proc_check_setauid -> mac_cred_check_setauid mac_proc_check_setegid -> mac_cred_check_setegid mac_proc_check_seteuid -> mac_cred_check_seteuid mac_proc_check_setgid -> mac_cred_check_setgid mac_proc_check_setgroups -> mac_cred_ceck_setgroups mac_proc_check_setregid -> mac_cred_check_setregid mac_proc_check_setresgid -> mac_cred_check_setresgid mac_proc_check_setresuid -> mac_cred_check_setresuid mac_proc_check_setreuid -> mac_cred_check_setreuid mac_proc_check_setuid -> mac_cred_check_setuid Obtained from: TrustedBSD Project Sponsored by: Google, Inc. Modified: head/sys/kern/kern_prot.c head/sys/security/audit/audit_syscalls.c head/sys/security/mac/mac_audit.c head/sys/security/mac/mac_cred.c head/sys/security/mac/mac_framework.c head/sys/security/mac/mac_framework.h head/sys/security/mac/mac_policy.h head/sys/security/mac/mac_process.c head/sys/security/mac_stub/mac_stub.c head/sys/security/mac_test/mac_test.c Modified: head/sys/kern/kern_prot.c ============================================================================== --- head/sys/kern/kern_prot.c Sun Mar 8 06:56:13 2009 (r189528) +++ head/sys/kern/kern_prot.c Sun Mar 8 10:58:37 2009 (r189529) @@ -489,7 +489,7 @@ setuid(struct thread *td, struct setuid_ oldcred = p->p_ucred; #ifdef MAC - error = mac_proc_check_setuid(p, oldcred, uid); + error = mac_cred_check_setuid(oldcred, uid); if (error) goto fail; #endif @@ -601,7 +601,7 @@ seteuid(struct thread *td, struct seteui oldcred = p->p_ucred; #ifdef MAC - error = mac_proc_check_seteuid(p, oldcred, euid); + error = mac_cred_check_seteuid(oldcred, euid); if (error) goto fail; #endif @@ -654,7 +654,7 @@ setgid(struct thread *td, struct setgid_ oldcred = p->p_ucred; #ifdef MAC - error = mac_proc_check_setgid(p, oldcred, gid); + error = mac_cred_check_setgid(oldcred, gid); if (error) goto fail; #endif @@ -753,7 +753,7 @@ setegid(struct thread *td, struct setegi oldcred = p->p_ucred; #ifdef MAC - error = mac_proc_check_setegid(p, oldcred, egid); + error = mac_cred_check_setegid(oldcred, egid); if (error) goto fail; #endif @@ -815,7 +815,7 @@ kern_setgroups(struct thread *td, u_int oldcred = p->p_ucred; #ifdef MAC - error = mac_proc_check_setgroups(p, oldcred, ngrp, groups); + error = mac_cred_check_setgroups(oldcred, ngrp, groups); if (error) goto fail; #endif @@ -880,7 +880,7 @@ setreuid(register struct thread *td, str oldcred = p->p_ucred; #ifdef MAC - error = mac_proc_check_setreuid(p, oldcred, ruid, euid); + error = mac_cred_check_setreuid(oldcred, ruid, euid); if (error) goto fail; #endif @@ -945,7 +945,7 @@ setregid(register struct thread *td, str oldcred = p->p_ucred; #ifdef MAC - error = mac_proc_check_setregid(p, oldcred, rgid, egid); + error = mac_cred_check_setregid(oldcred, rgid, egid); if (error) goto fail; #endif @@ -1016,7 +1016,7 @@ setresuid(register struct thread *td, st oldcred = p->p_ucred; #ifdef MAC - error = mac_proc_check_setresuid(p, oldcred, ruid, euid, suid); + error = mac_cred_check_setresuid(oldcred, ruid, euid, suid); if (error) goto fail; #endif @@ -1093,7 +1093,7 @@ setresgid(register struct thread *td, st oldcred = p->p_ucred; #ifdef MAC - error = mac_proc_check_setresgid(p, oldcred, rgid, egid, sgid); + error = mac_cred_check_setresgid(oldcred, rgid, egid, sgid); if (error) goto fail; #endif Modified: head/sys/security/audit/audit_syscalls.c ============================================================================== --- head/sys/security/audit/audit_syscalls.c Sun Mar 8 06:56:13 2009 (r189528) +++ head/sys/security/audit/audit_syscalls.c Sun Mar 8 10:58:37 2009 (r189529) @@ -474,7 +474,7 @@ setauid(struct thread *td, struct setaui oldcred = td->td_proc->p_ucred; crcopy(newcred, oldcred); #ifdef MAC - error = mac_proc_check_setauid(oldcred, id); + error = mac_cred_check_setauid(oldcred, id); if (error) goto fail; #endif @@ -539,7 +539,7 @@ setaudit(struct thread *td, struct setau oldcred = td->td_proc->p_ucred; crcopy(newcred, oldcred); #ifdef MAC - error = mac_proc_check_setaudit(oldcred, &ai); + error = mac_cred_check_setaudit(oldcred, &ai); if (error) goto fail; #endif @@ -602,7 +602,7 @@ setaudit_addr(struct thread *td, struct oldcred = td->td_proc->p_ucred; crcopy(newcred, oldcred); #ifdef MAC - error = mac_proc_check_setaudit_addr(oldcred, &aia); + error = mac_cred_check_setaudit_addr(oldcred, &aia); if (error) goto fail; #endif Modified: head/sys/security/mac/mac_audit.c ============================================================================== --- head/sys/security/mac/mac_audit.c Sun Mar 8 06:56:13 2009 (r189528) +++ head/sys/security/mac/mac_audit.c Sun Mar 8 10:58:37 2009 (r189529) @@ -58,43 +58,43 @@ __FBSDID("$FreeBSD$"); #include #include -MAC_CHECK_PROBE_DEFINE2(proc_check_setaudit, "struct ucred *", +MAC_CHECK_PROBE_DEFINE2(cred_check_setaudit, "struct ucred *", "struct auditinfo *"); int -mac_proc_check_setaudit(struct ucred *cred, struct auditinfo *ai) +mac_cred_check_setaudit(struct ucred *cred, struct auditinfo *ai) { int error; - MAC_CHECK(proc_check_setaudit, cred, ai); - MAC_CHECK_PROBE2(proc_check_setaudit, error, cred, ai); + MAC_CHECK(cred_check_setaudit, cred, ai); + MAC_CHECK_PROBE2(cred_check_setaudit, error, cred, ai); return (error); } -MAC_CHECK_PROBE_DEFINE2(proc_check_setaudit_addr, "struct ucred *", +MAC_CHECK_PROBE_DEFINE2(cred_check_setaudit_addr, "struct ucred *", "struct auditinfo_addr *"); int -mac_proc_check_setaudit_addr(struct ucred *cred, struct auditinfo_addr *aia) +mac_cred_check_setaudit_addr(struct ucred *cred, struct auditinfo_addr *aia) { int error; - MAC_CHECK(proc_check_setaudit_addr, cred, aia); - MAC_CHECK_PROBE2(proc_check_setaudit_addr, error, cred, aia); + MAC_CHECK(cred_check_setaudit_addr, cred, aia); + MAC_CHECK_PROBE2(cred_check_setaudit_addr, error, cred, aia); return (error); } -MAC_CHECK_PROBE_DEFINE2(proc_check_setauid, "struct ucred *", "uid_t"); +MAC_CHECK_PROBE_DEFINE2(cred_check_setauid, "struct ucred *", "uid_t"); int -mac_proc_check_setauid(struct ucred *cred, uid_t auid) +mac_cred_check_setauid(struct ucred *cred, uid_t auid) { int error; - MAC_CHECK(proc_check_setauid, cred, auid); - MAC_CHECK_PROBE2(proc_check_setauid, error, cred, auid); + MAC_CHECK(cred_check_setauid, cred, auid); + MAC_CHECK_PROBE2(cred_check_setauid, error, cred, auid); return (error); } Modified: head/sys/security/mac/mac_cred.c ============================================================================== --- head/sys/security/mac/mac_cred.c Sun Mar 8 06:56:13 2009 (r189528) +++ head/sys/security/mac/mac_cred.c Sun Mar 8 10:58:37 2009 (r189529) @@ -211,6 +211,132 @@ mac_cred_check_relabel(struct ucred *cre return (error); } +MAC_CHECK_PROBE_DEFINE2(cred_check_setuid, "struct ucred *", "uid_t"); + +int +mac_cred_check_setuid(struct ucred *cred, uid_t uid) +{ + int error; + + MAC_CHECK(cred_check_setuid, cred, uid); + MAC_CHECK_PROBE2(cred_check_setuid, error, cred, uid); + + return (error); +} + +MAC_CHECK_PROBE_DEFINE2(cred_check_seteuid, "struct ucred *", "uid_t"); + +int +mac_cred_check_seteuid(struct ucred *cred, uid_t euid) +{ + int error; + + MAC_CHECK(cred_check_seteuid, cred, euid); + MAC_CHECK_PROBE2(cred_check_seteuid, error, cred, euid); + + return (error); +} + +MAC_CHECK_PROBE_DEFINE2(cred_check_setgid, "struct ucred *", "gid_t"); + +int +mac_cred_check_setgid(struct ucred *cred, gid_t gid) +{ + int error; + + MAC_CHECK(cred_check_setgid, cred, gid); + MAC_CHECK_PROBE2(cred_check_setgid, error, cred, gid); + + return (error); +} + +MAC_CHECK_PROBE_DEFINE2(cred_check_setegid, "struct ucred *", "gid_t"); + +int +mac_cred_check_setegid(struct ucred *cred, gid_t egid) +{ + int error; + + MAC_CHECK(cred_check_setegid, cred, egid); + MAC_CHECK_PROBE2(cred_check_setegid, error, cred, egid); + + return (error); +} + +MAC_CHECK_PROBE_DEFINE3(cred_check_setgroups, "struct ucred *", "int", + "gid_t *"); + +int +mac_cred_check_setgroups(struct ucred *cred, int ngroups, gid_t *gidset) +{ + int error; + + MAC_CHECK(cred_check_setgroups, cred, ngroups, gidset); + MAC_CHECK_PROBE3(cred_check_setgroups, error, cred, ngroups, gidset); + + return (error); +} + +MAC_CHECK_PROBE_DEFINE3(cred_check_setreuid, "struct ucred *", "uid_t", + "uid_t"); + +int +mac_cred_check_setreuid(struct ucred *cred, uid_t ruid, uid_t euid) +{ + int error; + + MAC_CHECK(cred_check_setreuid, cred, ruid, euid); + MAC_CHECK_PROBE3(cred_check_setreuid, error, cred, ruid, euid); + + return (error); +} + +MAC_CHECK_PROBE_DEFINE3(cred_check_setregid, "struct ucred *", "gid_t", + "gid_t"); + +int +mac_cred_check_setregid(struct ucred *cred, gid_t rgid, gid_t egid) +{ + int error; + + MAC_CHECK(cred_check_setregid, cred, rgid, egid); + MAC_CHECK_PROBE3(cred_check_setregid, error, cred, rgid, egid); + + return (error); +} + +MAC_CHECK_PROBE_DEFINE4(cred_check_setresuid, "struct ucred *", "uid_t", + "uid_t", "uid_t"); + +int +mac_cred_check_setresuid(struct ucred *cred, uid_t ruid, uid_t euid, + uid_t suid) +{ + int error; + + MAC_CHECK(cred_check_setresuid, cred, ruid, euid, suid); + MAC_CHECK_PROBE4(cred_check_setresuid, error, cred, ruid, euid, + suid); + + return (error); +} + +MAC_CHECK_PROBE_DEFINE4(cred_check_setresgid, "struct ucred *", "gid_t", + "gid_t", "gid_t"); + +int +mac_cred_check_setresgid(struct ucred *cred, gid_t rgid, gid_t egid, + gid_t sgid) +{ + int error; + + MAC_CHECK(cred_check_setresgid, cred, rgid, egid, sgid); + MAC_CHECK_PROBE4(cred_check_setresgid, error, cred, rgid, egid, + sgid); + + return (error); +} + MAC_CHECK_PROBE_DEFINE2(cred_check_visible, "struct ucred *", "struct ucred *"); Modified: head/sys/security/mac/mac_framework.c ============================================================================== --- head/sys/security/mac/mac_framework.c Sun Mar 8 06:56:13 2009 (r189528) +++ head/sys/security/mac/mac_framework.c Sun Mar 8 10:58:37 2009 (r189529) @@ -17,6 +17,9 @@ * This software was enhanced by SPARTA ISSO under SPAWAR contract * N66001-04-C-6019 ("SEFOS"). * + * This software was developed at the University of Cambridge Computer + * Laboratory with support from a grant from Google, Inc. + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: Modified: head/sys/security/mac/mac_framework.h ============================================================================== --- head/sys/security/mac/mac_framework.h Sun Mar 8 06:56:13 2009 (r189528) +++ head/sys/security/mac/mac_framework.h Sun Mar 8 10:58:37 2009 (r189529) @@ -1,5 +1,5 @@ /*- - * Copyright (c) 1999-2002, 2007-2008 Robert N. M. Watson + * Copyright (c) 1999-2002, 2007-2009 Robert N. M. Watson * Copyright (c) 2001-2005 Networks Associates Technology, Inc. * Copyright (c) 2005-2006 SPARTA, Inc. * All rights reserved. @@ -14,6 +14,9 @@ * This software was enhanced by SPARTA ISSO under SPAWAR contract * N66001-04-C-6019 ("SEFOS"). * + * This software was developed at the University of Cambridge Computer + * Laboratory with support from a grant from Google, Inc. + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -105,6 +108,22 @@ void mac_bpfdesc_destroy(struct bpf_d *) void mac_bpfdesc_init(struct bpf_d *); void mac_cred_associate_nfsd(struct ucred *cred); +int mac_cred_check_setaudit(struct ucred *cred, struct auditinfo *ai); +int mac_cred_check_setaudit_addr(struct ucred *cred, + struct auditinfo_addr *aia); +int mac_cred_check_setauid(struct ucred *cred, uid_t auid); +int mac_cred_check_setegid(struct ucred *cred, gid_t egid); +int mac_cred_check_seteuid(struct ucred *cred, uid_t euid); +int mac_cred_check_setgid(struct ucred *cred, gid_t gid); +int mac_cred_check_setgroups(struct ucred *cred, int ngroups, + gid_t *gidset); +int mac_cred_check_setregid(struct ucred *cred, gid_t rgid, gid_t egid); +int mac_cred_check_setresgid(struct ucred *cred, gid_t rgid, gid_t egid, + gid_t sgid); +int mac_cred_check_setresuid(struct ucred *cred, uid_t ruid, uid_t euid, + uid_t suid); +int mac_cred_check_setreuid(struct ucred *cred, uid_t ruid, uid_t euid); +int mac_cred_check_setuid(struct ucred *cred, uid_t uid); int mac_cred_check_visible(struct ucred *cr1, struct ucred *cr2); void mac_cred_copy(struct ucred *cr1, struct ucred *cr2); void mac_cred_create_init(struct ucred *cred); @@ -233,28 +252,6 @@ int mac_priv_grant(struct ucred *cred, i int mac_proc_check_debug(struct ucred *cred, struct proc *p); int mac_proc_check_sched(struct ucred *cred, struct proc *p); -int mac_proc_check_setaudit(struct ucred *cred, struct auditinfo *ai); -int mac_proc_check_setaudit_addr(struct ucred *cred, - struct auditinfo_addr *aia); -int mac_proc_check_setauid(struct ucred *cred, uid_t auid); -int mac_proc_check_setegid(struct proc *p, struct ucred *cred, - gid_t egid); -int mac_proc_check_seteuid(struct proc *p, struct ucred *cred, - uid_t euid); -int mac_proc_check_setgid(struct proc *p, struct ucred *cred, - gid_t gid); -int mac_proc_check_setgroups(struct proc *p, struct ucred *cred, - int ngroups, gid_t *gidset); -int mac_proc_check_setregid(struct proc *p, struct ucred *cred, - gid_t rgid, gid_t egid); -int mac_proc_check_setresgid(struct proc *p, struct ucred *cred, - gid_t rgid, gid_t egid, gid_t sgid); -int mac_proc_check_setresuid(struct proc *p, struct ucred *cred, - uid_t ruid, uid_t euid, uid_t suid); -int mac_proc_check_setreuid(struct proc *p, struct ucred *cred, - uid_t ruid, uid_t euid); -int mac_proc_check_setuid(struct proc *p, struct ucred *cred, - uid_t uid); int mac_proc_check_signal(struct ucred *cred, struct proc *p, int signum); int mac_proc_check_wait(struct ucred *cred, struct proc *p); Modified: head/sys/security/mac/mac_policy.h ============================================================================== --- head/sys/security/mac/mac_policy.h Sun Mar 8 06:56:13 2009 (r189528) +++ head/sys/security/mac/mac_policy.h Sun Mar 8 10:58:37 2009 (r189529) @@ -1,5 +1,5 @@ /*- - * Copyright (c) 1999-2002, 2007-2008 Robert N. M. Watson + * Copyright (c) 1999-2002, 2007-2009 Robert N. M. Watson * Copyright (c) 2001-2005 Networks Associates Technology, Inc. * Copyright (c) 2005-2006 SPARTA, Inc. * Copyright (c) 2008 Apple Inc. @@ -15,6 +15,9 @@ * This software was enhanced by SPARTA ISSO under SPAWAR contract * N66001-04-C-6019 ("SEFOS"). * + * This software was developed at the University of Cambridge Computer + * Laboratory with support from a grant from Google, Inc. + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -132,6 +135,25 @@ typedef void (*mpo_bpfdesc_init_label_t) typedef void (*mpo_cred_associate_nfsd_t)(struct ucred *cred); typedef int (*mpo_cred_check_relabel_t)(struct ucred *cred, struct label *newlabel); +typedef int (*mpo_cred_check_setaudit_t)(struct ucred *cred, + struct auditinfo *ai); +typedef int (*mpo_cred_check_setaudit_addr_t)(struct ucred *cred, + struct auditinfo_addr *aia); +typedef int (*mpo_cred_check_setauid_t)(struct ucred *cred, uid_t auid); +typedef int (*mpo_cred_check_setegid_t)(struct ucred *cred, gid_t egid); +typedef int (*mpo_cred_check_seteuid_t)(struct ucred *cred, uid_t euid); +typedef int (*mpo_cred_check_setgid_t)(struct ucred *cred, gid_t gid); +typedef int (*mpo_cred_check_setgroups_t)(struct ucred *cred, int ngroups, + gid_t *gidset); +typedef int (*mpo_cred_check_setregid_t)(struct ucred *cred, gid_t rgid, + gid_t egid); +typedef int (*mpo_cred_check_setresgid_t)(struct ucred *cred, gid_t rgid, + gid_t egid, gid_t sgid); +typedef int (*mpo_cred_check_setresuid_t)(struct ucred *cred, uid_t ruid, + uid_t euid, uid_t suid); +typedef int (*mpo_cred_check_setreuid_t)(struct ucred *cred, uid_t ruid, + uid_t euid); +typedef int (*mpo_cred_check_setuid_t)(struct ucred *cred, uid_t uid); typedef int (*mpo_cred_check_visible_t)(struct ucred *cr1, struct ucred *cr2); typedef void (*mpo_cred_copy_label_t)(struct label *src, @@ -353,25 +375,6 @@ typedef int (*mpo_proc_check_debug_t)(st struct proc *p); typedef int (*mpo_proc_check_sched_t)(struct ucred *cred, struct proc *p); -typedef int (*mpo_proc_check_setaudit_t)(struct ucred *cred, - struct auditinfo *ai); -typedef int (*mpo_proc_check_setaudit_addr_t)(struct ucred *cred, - struct auditinfo_addr *aia); -typedef int (*mpo_proc_check_setauid_t)(struct ucred *cred, uid_t auid); -typedef int (*mpo_proc_check_setegid_t)(struct ucred *cred, gid_t egid); -typedef int (*mpo_proc_check_seteuid_t)(struct ucred *cred, uid_t euid); -typedef int (*mpo_proc_check_setgid_t)(struct ucred *cred, gid_t gid); -typedef int (*mpo_proc_check_setgroups_t)(struct ucred *cred, int ngroups, - gid_t *gidset); -typedef int (*mpo_proc_check_setregid_t)(struct ucred *cred, gid_t rgid, - gid_t egid); -typedef int (*mpo_proc_check_setresgid_t)(struct ucred *cred, gid_t rgid, - gid_t egid, gid_t sgid); -typedef int (*mpo_proc_check_setresuid_t)(struct ucred *cred, uid_t ruid, - uid_t euid, uid_t suid); -typedef int (*mpo_proc_check_setreuid_t)(struct ucred *cred, uid_t ruid, - uid_t euid); -typedef int (*mpo_proc_check_setuid_t)(struct ucred *cred, uid_t uid); typedef int (*mpo_proc_check_signal_t)(struct ucred *cred, struct proc *proc, int signum); typedef int (*mpo_proc_check_wait_t)(struct ucred *cred, @@ -679,6 +682,18 @@ struct mac_policy_ops { mpo_cred_associate_nfsd_t mpo_cred_associate_nfsd; mpo_cred_check_relabel_t mpo_cred_check_relabel; + mpo_cred_check_setaudit_t mpo_cred_check_setaudit; + mpo_cred_check_setaudit_addr_t mpo_cred_check_setaudit_addr; + mpo_cred_check_setauid_t mpo_cred_check_setauid; + mpo_cred_check_setuid_t mpo_cred_check_setuid; + mpo_cred_check_seteuid_t mpo_cred_check_seteuid; + mpo_cred_check_setgid_t mpo_cred_check_setgid; + mpo_cred_check_setegid_t mpo_cred_check_setegid; + mpo_cred_check_setgroups_t mpo_cred_check_setgroups; + mpo_cred_check_setreuid_t mpo_cred_check_setreuid; + mpo_cred_check_setregid_t mpo_cred_check_setregid; + mpo_cred_check_setresuid_t mpo_cred_check_setresuid; + mpo_cred_check_setresgid_t mpo_cred_check_setresgid; mpo_cred_check_visible_t mpo_cred_check_visible; mpo_cred_copy_label_t mpo_cred_copy_label; mpo_cred_create_swapper_t mpo_cred_create_swapper; @@ -798,18 +813,6 @@ struct mac_policy_ops { mpo_proc_check_debug_t mpo_proc_check_debug; mpo_proc_check_sched_t mpo_proc_check_sched; - mpo_proc_check_setaudit_t mpo_proc_check_setaudit; - mpo_proc_check_setaudit_addr_t mpo_proc_check_setaudit_addr; - mpo_proc_check_setauid_t mpo_proc_check_setauid; - mpo_proc_check_setuid_t mpo_proc_check_setuid; - mpo_proc_check_seteuid_t mpo_proc_check_seteuid; - mpo_proc_check_setgid_t mpo_proc_check_setgid; - mpo_proc_check_setegid_t mpo_proc_check_setegid; - mpo_proc_check_setgroups_t mpo_proc_check_setgroups; - mpo_proc_check_setreuid_t mpo_proc_check_setreuid; - mpo_proc_check_setregid_t mpo_proc_check_setregid; - mpo_proc_check_setresuid_t mpo_proc_check_setresuid; - mpo_proc_check_setresgid_t mpo_proc_check_setresgid; mpo_proc_check_signal_t mpo_proc_check_signal; mpo_proc_check_wait_t mpo_proc_check_wait; mpo_proc_destroy_label_t mpo_proc_destroy_label; Modified: head/sys/security/mac/mac_process.c ============================================================================== --- head/sys/security/mac/mac_process.c Sun Mar 8 06:56:13 2009 (r189528) +++ head/sys/security/mac/mac_process.c Sun Mar 8 10:58:37 2009 (r189529) @@ -2,7 +2,6 @@ * Copyright (c) 1999-2002, 2008-2009 Robert N. M. Watson * Copyright (c) 2001 Ilmar S. Habibulin * Copyright (c) 2001-2003 Networks Associates Technology, Inc. - * Copyright (c) 2005 Samy Al Bahra * Copyright (c) 2006 SPARTA, Inc. * Copyright (c) 2008 Apple Inc. * All rights reserved. @@ -424,153 +423,6 @@ mac_proc_check_signal(struct ucred *cred return (error); } -MAC_CHECK_PROBE_DEFINE2(proc_check_setuid, "struct ucred *", "uid_t"); - -int -mac_proc_check_setuid(struct proc *p, struct ucred *cred, uid_t uid) -{ - int error; - - PROC_LOCK_ASSERT(p, MA_OWNED); - - MAC_CHECK(proc_check_setuid, cred, uid); - MAC_CHECK_PROBE2(proc_check_setuid, error, cred, uid); - - return (error); -} - -MAC_CHECK_PROBE_DEFINE2(proc_check_seteuid, "struct ucred *", "uid_t"); - -int -mac_proc_check_seteuid(struct proc *p, struct ucred *cred, uid_t euid) -{ - int error; - - PROC_LOCK_ASSERT(p, MA_OWNED); - - MAC_CHECK(proc_check_seteuid, cred, euid); - MAC_CHECK_PROBE2(proc_check_seteuid, error, cred, euid); - - return (error); -} - -MAC_CHECK_PROBE_DEFINE2(proc_check_setgid, "struct ucred *", "gid_t"); - -int -mac_proc_check_setgid(struct proc *p, struct ucred *cred, gid_t gid) -{ - int error; - - PROC_LOCK_ASSERT(p, MA_OWNED); - - MAC_CHECK(proc_check_setgid, cred, gid); - MAC_CHECK_PROBE2(proc_check_setgid, error, cred, gid); - - return (error); -} - -MAC_CHECK_PROBE_DEFINE2(proc_check_setegid, "struct ucred *", "gid_t"); - -int -mac_proc_check_setegid(struct proc *p, struct ucred *cred, gid_t egid) -{ - int error; - - PROC_LOCK_ASSERT(p, MA_OWNED); - - MAC_CHECK(proc_check_setegid, cred, egid); - MAC_CHECK_PROBE2(proc_check_setegid, error, cred, egid); - - return (error); -} - -MAC_CHECK_PROBE_DEFINE3(proc_check_setgroups, "struct ucred *", "int", - "gid_t *"); - -int -mac_proc_check_setgroups(struct proc *p, struct ucred *cred, int ngroups, - gid_t *gidset) -{ - int error; - - PROC_LOCK_ASSERT(p, MA_OWNED); - - MAC_CHECK(proc_check_setgroups, cred, ngroups, gidset); - MAC_CHECK_PROBE3(proc_check_setgroups, error, cred, ngroups, gidset); - - return (error); -} - -MAC_CHECK_PROBE_DEFINE3(proc_check_setreuid, "struct ucred *", "uid_t", - "uid_t"); - -int -mac_proc_check_setreuid(struct proc *p, struct ucred *cred, uid_t ruid, - uid_t euid) -{ - int error; - - PROC_LOCK_ASSERT(p, MA_OWNED); - - MAC_CHECK(proc_check_setreuid, cred, ruid, euid); - MAC_CHECK_PROBE3(proc_check_setreuid, error, cred, ruid, euid); - - return (error); -} - -MAC_CHECK_PROBE_DEFINE3(proc_check_setregid, "struct ucred *", "gid_t", - "gid_t"); - -int -mac_proc_check_setregid(struct proc *proc, struct ucred *cred, gid_t rgid, - gid_t egid) -{ - int error; - - PROC_LOCK_ASSERT(proc, MA_OWNED); - - MAC_CHECK(proc_check_setregid, cred, rgid, egid); - MAC_CHECK_PROBE3(proc_check_setregid, error, cred, rgid, egid); - - return (error); -} - -MAC_CHECK_PROBE_DEFINE4(proc_check_setresuid, "struct ucred *", "uid_t", - "uid_t", "uid_t"); - -int -mac_proc_check_setresuid(struct proc *p, struct ucred *cred, uid_t ruid, - uid_t euid, uid_t suid) -{ - int error; - - PROC_LOCK_ASSERT(p, MA_OWNED); - - MAC_CHECK(proc_check_setresuid, cred, ruid, euid, suid); - MAC_CHECK_PROBE4(proc_check_setresuid, error, cred, ruid, euid, - suid); - - return (error); -} - -MAC_CHECK_PROBE_DEFINE4(proc_check_setresgid, "struct ucred *", "gid_t", - "gid_t", "gid_t"); - -int -mac_proc_check_setresgid(struct proc *p, struct ucred *cred, gid_t rgid, - gid_t egid, gid_t sgid) -{ - int error; - - PROC_LOCK_ASSERT(p, MA_OWNED); - - MAC_CHECK(proc_check_setresgid, cred, rgid, egid, sgid); - MAC_CHECK_PROBE4(proc_check_setresgid, error, cred, rgid, egid, - sgid); - - return (error); -} - MAC_CHECK_PROBE_DEFINE2(proc_check_wait, "struct ucred *", "struct proc *"); int Modified: head/sys/security/mac_stub/mac_stub.c ============================================================================== --- head/sys/security/mac_stub/mac_stub.c Sun Mar 8 06:56:13 2009 (r189528) +++ head/sys/security/mac_stub/mac_stub.c Sun Mar 8 10:58:37 2009 (r189529) @@ -1,5 +1,5 @@ /*- - * Copyright (c) 1999-2002, 2007-2008 Robert N. M. Watson + * Copyright (c) 1999-2002, 2007-2009 Robert N. M. Watson * Copyright (c) 2001-2005 McAfee, Inc. * Copyright (c) 2005-2006 SPARTA, Inc. * Copyright (c) 2008 Apple Inc. @@ -15,6 +15,9 @@ * This software was enhanced by SPARTA ISSO under SPAWAR contract * N66001-04-C-6019 ("SEFOS"). * + * This software was developed at the University of Cambridge Computer + * Laboratory with support from a grant from Google, Inc. + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -199,6 +202,93 @@ stub_cred_check_relabel(struct ucred *cr } static int +stub_cred_check_setaudit(struct ucred *cred, struct auditinfo *ai) +{ + + return (0); +} + +static int +stub_cred_check_setaudit_addr(struct ucred *cred, struct auditinfo_addr *aia) +{ + + return (0); +} + +static int +stub_cred_check_setauid(struct ucred *cred, uid_t auid) +{ + + return (0); +} + +static int +stub_cred_check_setegid(struct ucred *cred, gid_t egid) +{ + + return (0); +} + +static int +stub_cred_check_seteuid(struct ucred *cred, uid_t euid) +{ + + return (0); +} + +static int +stub_cred_check_setgid(struct ucred *cred, gid_t gid) +{ + + return (0); +} + +static int +stub_cred_check_setgroups(struct ucred *cred, int ngroups, + gid_t *gidset) +{ + + return (0); +} + +static int +stub_cred_check_setregid(struct ucred *cred, gid_t rgid, gid_t egid) +{ + + return (0); +} + +static int +stub_cred_check_setresgid(struct ucred *cred, gid_t rgid, gid_t egid, + gid_t sgid) +{ + + return (0); +} + +static int +stub_cred_check_setresuid(struct ucred *cred, uid_t ruid, uid_t euid, + uid_t suid) +{ + + return (0); +} + +static int +stub_cred_check_setreuid(struct ucred *cred, uid_t ruid, uid_t euid) +{ + + return (0); +} + +static int +stub_cred_check_setuid(struct ucred *cred, uid_t uid) +{ + + return (0); +} + +static int stub_cred_check_visible(struct ucred *cr1, struct ucred *cr2) { @@ -701,93 +791,6 @@ stub_proc_check_sched(struct ucred *cred } static int -stub_proc_check_setaudit(struct ucred *cred, struct auditinfo *ai) -{ - - return (0); -} - -static int -stub_proc_check_setaudit_addr(struct ucred *cred, struct auditinfo_addr *aia) -{ - - return (0); -} - -static int -stub_proc_check_setauid(struct ucred *cred, uid_t auid) -{ - - return (0); -} - -static int -stub_proc_check_setegid(struct ucred *cred, gid_t egid) -{ - - return (0); -} - -static int -stub_proc_check_seteuid(struct ucred *cred, uid_t euid) -{ - - return (0); -} - -static int -stub_proc_check_setgid(struct ucred *cred, gid_t gid) -{ - - return (0); -} - -static int -stub_proc_check_setgroups(struct ucred *cred, int ngroups, - gid_t *gidset) -{ - - return (0); -} - -static int -stub_proc_check_setregid(struct ucred *cred, gid_t rgid, gid_t egid) -{ - - return (0); -} - -static int -stub_proc_check_setresgid(struct ucred *cred, gid_t rgid, gid_t egid, - gid_t sgid) -{ - - return (0); -} - -static int -stub_proc_check_setresuid(struct ucred *cred, uid_t ruid, uid_t euid, - uid_t suid) -{ - - return (0); -} - -static int -stub_proc_check_setreuid(struct ucred *cred, uid_t ruid, uid_t euid) -{ - - return (0); -} - -static int -stub_proc_check_setuid(struct ucred *cred, uid_t uid) -{ - - return (0); -} - -static int stub_proc_check_signal(struct ucred *cred, struct proc *p, int signum) { @@ -1541,6 +1544,18 @@ static struct mac_policy_ops stub_ops = .mpo_cred_associate_nfsd = stub_cred_associate_nfsd, .mpo_cred_check_relabel = stub_cred_check_relabel, + .mpo_cred_check_setaudit = stub_cred_check_setaudit, + .mpo_cred_check_setaudit_addr = stub_cred_check_setaudit_addr, + .mpo_cred_check_setauid = stub_cred_check_setauid, + .mpo_cred_check_setegid = stub_cred_check_setegid, + .mpo_cred_check_seteuid = stub_cred_check_seteuid, + .mpo_cred_check_setgid = stub_cred_check_setgid, + .mpo_cred_check_setgroups = stub_cred_check_setgroups, + .mpo_cred_check_setregid = stub_cred_check_setregid, + .mpo_cred_check_setresgid = stub_cred_check_setresgid, + .mpo_cred_check_setresuid = stub_cred_check_setresuid, + .mpo_cred_check_setreuid = stub_cred_check_setreuid, + .mpo_cred_check_setuid = stub_cred_check_setuid, .mpo_cred_check_visible = stub_cred_check_visible, .mpo_cred_copy_label = stub_copy_label, .mpo_cred_create_init = stub_cred_create_init, @@ -1660,18 +1675,6 @@ static struct mac_policy_ops stub_ops = .mpo_proc_check_debug = stub_proc_check_debug, .mpo_proc_check_sched = stub_proc_check_sched, - .mpo_proc_check_setaudit = stub_proc_check_setaudit, - .mpo_proc_check_setaudit_addr = stub_proc_check_setaudit_addr, - .mpo_proc_check_setauid = stub_proc_check_setauid, - .mpo_proc_check_setegid = stub_proc_check_setegid, - .mpo_proc_check_seteuid = stub_proc_check_seteuid, - .mpo_proc_check_setgid = stub_proc_check_setgid, - .mpo_proc_check_setgroups = stub_proc_check_setgroups, - .mpo_proc_check_setregid = stub_proc_check_setregid, - .mpo_proc_check_setresgid = stub_proc_check_setresgid, - .mpo_proc_check_setresuid = stub_proc_check_setresuid, - .mpo_proc_check_setreuid = stub_proc_check_setreuid, - .mpo_proc_check_setuid = stub_proc_check_setuid, .mpo_proc_check_signal = stub_proc_check_signal, .mpo_proc_check_wait = stub_proc_check_wait, Modified: head/sys/security/mac_test/mac_test.c ============================================================================== --- head/sys/security/mac_test/mac_test.c Sun Mar 8 06:56:13 2009 (r189528) +++ head/sys/security/mac_test/mac_test.c Sun Mar 8 10:58:37 2009 (r189529) @@ -1,5 +1,5 @@ /*- - * Copyright (c) 1999-2002, 2007-2008 Robert N. M. Watson + * Copyright (c) 1999-2002, 2007-2009 Robert N. M. Watson * Copyright (c) 2001-2005 McAfee, Inc. * Copyright (c) 2006 SPARTA, Inc. * Copyright (c) 2008 Apple Inc. @@ -15,6 +15,9 @@ * This software was enhanced by SPARTA ISSO under SPAWAR contract * N66001-04-C-6019 ("SEFOS"). * + * This software was developed at the University of Cambridge Computer + * Laboratory with support from a grant from Google, Inc. + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -220,6 +223,142 @@ test_cred_check_relabel(struct ucred *cr return (0); } +COUNTER_DECL(cred_check_setaudit); +static int +test_cred_check_setaudit(struct ucred *cred, struct auditinfo *ai) +{ + + LABEL_CHECK(cred->cr_label, MAGIC_CRED); + COUNTER_INC(cred_check_setaudit); + + return (0); +} + +COUNTER_DECL(cred_check_setaudit_addr); +static int +test_cred_check_setaudit_addr(struct ucred *cred, + struct auditinfo_addr *aia) +{ + + LABEL_CHECK(cred->cr_label, MAGIC_CRED); + COUNTER_INC(cred_check_setaudit_addr); + + return (0); +} + +COUNTER_DECL(cred_check_setauid); +static int +test_cred_check_setauid(struct ucred *cred, uid_t auid) +{ + + LABEL_CHECK(cred->cr_label, MAGIC_CRED); + COUNTER_INC(cred_check_setauid); + + return (0); +} + +COUNTER_DECL(cred_check_setegid); +static int +test_cred_check_setegid(struct ucred *cred, gid_t egid) +{ + + LABEL_CHECK(cred->cr_label, MAGIC_CRED); + COUNTER_INC(cred_check_setegid); + + return (0); +} + +COUNTER_DECL(proc_check_euid); +static int +test_cred_check_seteuid(struct ucred *cred, uid_t euid) +{ + + LABEL_CHECK(cred->cr_label, MAGIC_CRED); + COUNTER_INC(proc_check_euid); + + return (0); +} + +COUNTER_DECL(cred_check_setregid); +static int +test_cred_check_setregid(struct ucred *cred, gid_t rgid, gid_t egid) +{ + + LABEL_CHECK(cred->cr_label, MAGIC_CRED); + COUNTER_INC(cred_check_setregid); + + return (0); +} + +COUNTER_DECL(cred_check_setreuid); +static int +test_cred_check_setreuid(struct ucred *cred, uid_t ruid, uid_t euid) +{ *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***