From owner-svn-src-head@FreeBSD.ORG Tue Oct 28 11:33:07 2008 Return-Path: Delivered-To: svn-src-head@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 12478106566C; Tue, 28 Oct 2008 11:33:07 +0000 (UTC) (envelope-from rwatson@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id F28E98FC0C; Tue, 28 Oct 2008 11:33:06 +0000 (UTC) (envelope-from rwatson@FreeBSD.org) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id m9SBX6jX092847; Tue, 28 Oct 2008 11:33:06 GMT (envelope-from rwatson@svn.freebsd.org) Received: (from rwatson@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id m9SBX65A092836; Tue, 28 Oct 2008 11:33:06 GMT (envelope-from rwatson@svn.freebsd.org) Message-Id: <200810281133.m9SBX65A092836@svn.freebsd.org> 
From: Robert Watson
Date: Tue, 28 Oct 2008 11:33:06 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
X-SVN-Group: head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Cc:
Subject: svn commit: r184407 - in head/sys: kern nfsserver security/mac security/mac_biba security/mac_lomac security/mac_mls security/mac_partition security/mac_stub security/mac_test
X-BeenThere: svn-src-head@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: SVN commit messages for the src tree for head/-current
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 28 Oct 2008 11:33:07 -0000
Author: rwatson
Date: Tue Oct 28 11:33:06 2008
New Revision: 184407
URL: http://svn.freebsd.org/changeset/base/184407
Log:
Rename three MAC entry points from _proc_ to _cred_ to reflect the fact that they operate directly on credentials: mac_proc_create_swapper(), mac_proc_create_init(), and mac_proc_associate_nfsd(). Update policies.
Obtained from: TrustedBSD Project
Modified:
head/sys/kern/init_main.c
head/sys/nfsserver/nfs_srvsock.c
head/sys/security/mac/mac_framework.h
head/sys/security/mac/mac_policy.h
head/sys/security/mac/mac_process.c
head/sys/security/mac_biba/mac_biba.c
head/sys/security/mac_lomac/mac_lomac.c
head/sys/security/mac_mls/mac_mls.c
head/sys/security/mac_partition/mac_partition.c
head/sys/security/mac_stub/mac_stub.c
head/sys/security/mac_test/mac_test.c
Modified: head/sys/kern/init_main.c
==============================================================================
--- head/sys/kern/init_main.c Tue Oct 28 10:37:40 2008 (r184406)
+++ head/sys/kern/init_main.c Tue Oct 28 11:33:06 2008 (r184407)
@@ -456,7 +456,7 @@ proc0_init(void *dummy __unused)
 audit_cred_kproc0(p->p_ucred);
 #endif
 #ifdef MAC
- mac_proc_create_swapper(p->p_ucred);
+ mac_cred_create_swapper(p->p_ucred);
 #endif
 td->td_ucred = crhold(p->p_ucred);
@@ -736,7 +736,7 @@ create_init(const void *udata __unused)
 oldcred = initproc->p_ucred;
 crcopy(newcred, oldcred);
 #ifdef MAC
- mac_proc_create_init(newcred);
+ mac_cred_create_init(newcred);
 #endif
 #ifdef AUDIT
 audit_cred_proc1(newcred);
Modified: head/sys/nfsserver/nfs_srvsock.c
==============================================================================
--- head/sys/nfsserver/nfs_srvsock.c Tue Oct 28 10:37:40 2008 (r184406)
+++ head/sys/nfsserver/nfs_srvsock.c Tue Oct 28 11:33:06 2008 (r184407)
@@ -360,7 +360,7 @@ nfs_getreq(struct nfsrv_descript *nd, st
 nd->nd_cr->cr_groups[0] = nd->nd_cr->cr_rgid = nd->nd_cr->cr_svgid = fxdr_unsigned(gid_t, *tl++);
 #ifdef MAC
- mac_proc_associate_nfsd(nd->nd_cr);
+ mac_cred_associate_nfsd(nd->nd_cr);
 #endif
 len = fxdr_unsigned(int, *tl);
 if (len < 0 || len > RPCAUTH_UNIXGIDS) {
Modified: head/sys/security/mac/mac_framework.h
==============================================================================
--- head/sys/security/mac/mac_framework.h Tue Oct 28 10:37:40 2008 (r184406)
+++ head/sys/security/mac/mac_framework.h Tue Oct 28 11:33:06 2008 (r184407)
@@ -103,8 +103,11 @@ void mac_bpfdesc_create_mbuf(struct bpf_
 void mac_bpfdesc_destroy(struct bpf_d *);
 void mac_bpfdesc_init(struct bpf_d *);
+void mac_cred_associate_nfsd(struct ucred *cred);
 int mac_cred_check_visible(struct ucred *cr1, struct ucred *cr2);
 void mac_cred_copy(struct ucred *cr1, struct ucred *cr2);
+void mac_cred_create_init(struct ucred *cred);
+void mac_cred_create_swapper(struct ucred *cred);
 void mac_cred_destroy(struct ucred *);
 void mac_cred_init(struct ucred *);
@@ -227,7 +230,6 @@ void mac_posixshm_init(struct shmfd *);
 int mac_priv_check(struct ucred *cred, int priv);
 int mac_priv_grant(struct ucred *cred, int priv);
-void mac_proc_associate_nfsd(struct ucred *cred);
 int mac_proc_check_debug(struct ucred *cred, struct proc *p);
 int mac_proc_check_sched(struct ucred *cred, struct proc *p);
 int mac_proc_check_setaudit(struct ucred *cred, struct auditinfo *ai);
@@ -255,8 +257,6 @@ int mac_proc_check_setuid(struct proc *p
 int mac_proc_check_signal(struct ucred *cred, struct proc *p, int signum);
 int mac_proc_check_wait(struct ucred *cred, struct proc *p);
-void mac_proc_create_init(struct ucred *cred);
-void mac_proc_create_swapper(struct ucred *cred);
 void mac_proc_destroy(struct proc *);
 void mac_proc_init(struct proc *);
 int mac_execve_enter(struct image_params *imgp, struct mac *mac_p);
Modified: head/sys/security/mac/mac_policy.h
==============================================================================
--- head/sys/security/mac/mac_policy.h Tue Oct 28 10:37:40 2008 (r184406)
+++ head/sys/security/mac/mac_policy.h Tue Oct 28 11:33:06 2008 (r184407)
@@ -128,12 +128,15 @@ typedef void (*mpo_bpfdesc_create_mbuf_t
 typedef void (*mpo_bpfdesc_destroy_label_t)(struct label *label);
 typedef void (*mpo_bpfdesc_init_label_t)(struct label *label);
+typedef void (*mpo_cred_associate_nfsd_t)(struct ucred *cred);
 typedef int (*mpo_cred_check_relabel_t)(struct ucred *cred, struct label *newlabel);
 typedef int (*mpo_cred_check_visible_t)(struct ucred *cr1, struct ucred *cr2);
 typedef void (*mpo_cred_copy_label_t)(struct label *src, struct label *dest);
+typedef void (*mpo_cred_create_init_t)(struct ucred *cred);
+typedef void (*mpo_cred_create_swapper_t)(struct ucred *cred);
 typedef void (*mpo_cred_destroy_label_t)(struct label *label);
 typedef int (*mpo_cred_externalize_label_t)(struct label *label, char *element_name, struct sbuf *sb, int *claimed);
@@ -345,7 +348,6 @@ typedef void (*mpo_posixshm_init_label_t
 typedef int (*mpo_priv_check_t)(struct ucred *cred, int priv);
 typedef int (*mpo_priv_grant_t)(struct ucred *cred, int priv);
-typedef void (*mpo_proc_associate_nfsd_t)(struct ucred *cred);
 typedef int (*mpo_proc_check_debug_t)(struct ucred *cred, struct proc *p);
 typedef int (*mpo_proc_check_sched_t)(struct ucred *cred,
@@ -373,8 +375,6 @@ typedef int (*mpo_proc_check_signal_t)(s
 struct proc *proc, int signum);
 typedef int (*mpo_proc_check_wait_t)(struct ucred *cred, struct proc *proc);
-typedef void (*mpo_proc_create_init_t)(struct ucred *cred);
-typedef void (*mpo_proc_create_swapper_t)(struct ucred *cred);
 typedef void (*mpo_proc_destroy_label_t)(struct label *label);
 typedef void (*mpo_proc_init_label_t)(struct label *label);
@@ -674,9 +674,12 @@ struct mac_policy_ops {
 mpo_bpfdesc_destroy_label_t mpo_bpfdesc_destroy_label;
 mpo_bpfdesc_init_label_t mpo_bpfdesc_init_label;
+ mpo_cred_associate_nfsd_t mpo_cred_associate_nfsd;
 mpo_cred_check_relabel_t mpo_cred_check_relabel;
 mpo_cred_check_visible_t mpo_cred_check_visible;
 mpo_cred_copy_label_t mpo_cred_copy_label;
+ mpo_cred_create_swapper_t mpo_cred_create_swapper;
+ mpo_cred_create_init_t mpo_cred_create_init;
 mpo_cred_destroy_label_t mpo_cred_destroy_label;
 mpo_cred_externalize_label_t mpo_cred_externalize_label;
 mpo_cred_init_label_t mpo_cred_init_label;
@@ -790,7 +793,6 @@ struct mac_policy_ops {
 mpo_priv_check_t mpo_priv_check;
 mpo_priv_grant_t mpo_priv_grant;
- mpo_proc_associate_nfsd_t mpo_proc_associate_nfsd;
 mpo_proc_check_debug_t mpo_proc_check_debug;
 mpo_proc_check_sched_t mpo_proc_check_sched;
 mpo_proc_check_setaudit_t mpo_proc_check_setaudit;
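Review bot: In the `@@ -674,9 +674,12 @@ struct mac_policy_ops` hunk the two new members are inserted as `mpo_cred_create_swapper_t mpo_cred_create_swapper;` followed by `mpo_cred_create_init_t mpo_cred_create_init;`, which inverts the order used for the matching typedefs three hunks up and breaks the alphabetical order the rest of the cred_ block keeps; lomac_ops in mac_lomac.c later in this commit has the same inversion, while biba, mls, partition, stub and test list init before swapper. Swapping the two lines here and in lomac_ops makes the struct, the typedefs and all six policies agree. Separately, the old mpo_proc_* members are deleted outright rather than kept as deprecated aliases, so an out-of-tree policy still initializing `.mpo_proc_create_swapper` fails to compile instead of silently losing its swapper/init labeling; that is the safer outcome for a label-initialization hook, but it is an API break that the log message should state.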
@@ -807,8 +809,6 @@ struct mac_policy_ops {
 mpo_proc_check_setresgid_t mpo_proc_check_setresgid;
 mpo_proc_check_signal_t mpo_proc_check_signal;
 mpo_proc_check_wait_t mpo_proc_check_wait;
- mpo_proc_create_swapper_t mpo_proc_create_swapper;
- mpo_proc_create_init_t mpo_proc_create_init;
 mpo_proc_destroy_label_t mpo_proc_destroy_label;
 mpo_proc_init_label_t mpo_proc_init_label;
Modified: head/sys/security/mac/mac_process.c
==============================================================================
--- head/sys/security/mac/mac_process.c Tue Oct 28 10:37:40 2008 (r184406)
+++ head/sys/security/mac/mac_process.c Tue Oct 28 11:33:06 2008 (r184407)
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 1999-2002 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2008 Robert N. M. Watson
 * Copyright (c) 2001 Ilmar S. Habibulin
 * Copyright (c) 2001-2003 Networks Associates Technology, Inc.
 * Copyright (c) 2005 Samy Al Bahra
@@ -160,25 +160,20 @@ mac_proc_destroy(struct proc *p)
 }
 }
-int
-mac_cred_externalize_label(struct label *label, char *elements,
- char *outbuf, size_t outbuflen)
-{
- int error;
-
- MAC_EXTERNALIZE(cred, label, elements, outbuf, outbuflen);
-
- return (error);
-}
-
-int
-mac_cred_internalize_label(struct label *label, char *string)
+/*
+ * When a thread becomes an NFS server daemon, its credential may need to be
+ * updated to reflect this so that policies can recognize when file system
+ * operations originate from the network.
+ *
+ * At some point, it would be desirable if the credential used for each NFS
+ * RPC could be set based on the RPC context (i.e., source system, etc) to
+ * provide more fine-grained access control.
+ */
+void
+mac_cred_associate_nfsd(struct ucred *cred)
 {
- int error;
- MAC_INTERNALIZE(cred, label, string);
-
- return (error);
+ MAC_PERFORM(cred_associate_nfsd, cred);
 }
 /*
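Review bot: The comment re-homed above mac_cred_associate_nfsd() in the `@@ -160,25 +160,20 @@` hunk still opens with "When a thread becomes an NFS server daemon", but the only caller this commit touches, nfs_getreq() in nfs_srvsock.c, invokes the hook on `nd->nd_cr` right after decoding the request's AUTH_UNIX uid/gid, i.e. on what appears to be a per-request credential rather than at daemon start-up. Since the comment is being moved anyway, its first sentence should match the call site it documents, e.g. `* When a credential is set up for an NFS server request (see nfs_getreq()), it may` followed by the existing `* need to be updated so that policies can recognize when file system` `* operations originate from the network.`; the second paragraph about per-RPC context can stay as is. The move of mac_cred_externalize_label()/mac_cred_internalize_label() below it is pure reordering and continues into the next hunk.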
@@ -186,10 +181,10 @@ mac_cred_internalize_label(struct label
 * processes and threads are spawned.
 */
 void
-mac_proc_create_swapper(struct ucred *cred)
+mac_cred_create_swapper(struct ucred *cred)
 {
- MAC_PERFORM(proc_create_swapper, cred);
+ MAC_PERFORM(cred_create_swapper, cred);
 }
 /*
@@ -197,26 +192,31 @@ mac_proc_create_swapper(struct ucred *cr
 * userland processes and threads are spawned.
 */
 void
-mac_proc_create_init(struct ucred *cred)
+mac_cred_create_init(struct ucred *cred)
 {
- MAC_PERFORM(proc_create_init, cred);
+ MAC_PERFORM(cred_create_init, cred);
 }
-/*
- * When a thread becomes an NFS server daemon, its credential may need to be
- * updated to reflect this so that policies can recognize when file system
- * operations originate from the network.
- *
- * At some point, it would be desirable if the credential used for each NFS
- * RPC could be set based on the RPC context (i.e., source system, etc) to
- * provide more fine-grained access control.
- */
-void
-mac_proc_associate_nfsd(struct ucred *cred)
+int
+mac_cred_externalize_label(struct label *label, char *elements,
+ char *outbuf, size_t outbuflen)
 {
+ int error;
- MAC_PERFORM(proc_associate_nfsd, cred);
+ MAC_EXTERNALIZE(cred, label, elements, outbuf, outbuflen);
+
+ return (error);
+}
+
+int
+mac_cred_internalize_label(struct label *label, char *string)
+{
+ int error;
+
+ MAC_INTERNALIZE(cred, label, string);
+
+ return (error);
 }
 void
Modified: head/sys/security/mac_biba/mac_biba.c
==============================================================================
--- head/sys/security/mac_biba/mac_biba.c Tue Oct 28 10:37:40 2008 (r184406)
+++ head/sys/security/mac_biba/mac_biba.c Tue Oct 28 11:33:06 2008 (r184407)
@@ -815,6 +815,17 @@ biba_bpfdesc_create_mbuf(struct bpf_d *d
 biba_copy_effective(source, dest);
 }
+static void
+biba_cred_associate_nfsd(struct ucred *cred)
+{
+ struct mac_biba *label;
+
+ label = SLOT(cred->cr_label);
+ biba_set_effective(label, MAC_BIBA_TYPE_LOW, 0, NULL);
+ biba_set_range(label, MAC_BIBA_TYPE_LOW, 0, NULL, MAC_BIBA_TYPE_HIGH,
+ 0, NULL);
+}
+
 static int
 biba_cred_check_relabel(struct ucred *cred, struct label *newlabel)
 {
@@ -895,6 +906,30 @@ biba_cred_check_visible(struct ucred *u1
 }
 static void
+biba_cred_create_init(struct ucred *cred)
+{
+ struct mac_biba *dest;
+
+ dest = SLOT(cred->cr_label);
+
+ biba_set_effective(dest, MAC_BIBA_TYPE_HIGH, 0, NULL);
+ biba_set_range(dest, MAC_BIBA_TYPE_LOW, 0, NULL, MAC_BIBA_TYPE_HIGH,
+ 0, NULL);
+}
+
+static void
+biba_cred_create_swapper(struct ucred *cred)
+{
+ struct mac_biba *dest;
+
+ dest = SLOT(cred->cr_label);
+
+ biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL);
+ biba_set_range(dest, MAC_BIBA_TYPE_LOW, 0, NULL, MAC_BIBA_TYPE_HIGH,
+ 0, NULL);
+}
+
+static void
 biba_cred_relabel(struct ucred *cred, struct label *newlabel)
 {
 struct mac_biba *source, *dest;
@@ -1818,17 +1853,6 @@ biba_priv_check(struct ucred *cred, int
 return (0);
 }
-static void
-biba_proc_associate_nfsd(struct ucred *cred)
-{
- struct mac_biba *label;
-
- label = SLOT(cred->cr_label);
- biba_set_effective(label, MAC_BIBA_TYPE_LOW, 0, NULL);
- biba_set_range(label, MAC_BIBA_TYPE_LOW, 0, NULL, MAC_BIBA_TYPE_HIGH,
- 0, NULL);
-}
-
 static int
 biba_proc_check_debug(struct ucred *cred, struct proc *p)
 {
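Review bot: biba_cred_associate_nfsd(), biba_cred_create_init() and biba_cred_create_swapper() are re-homed without any comment on why the nfsd credential gets MAC_BIBA_TYPE_LOW, init MAC_BIBA_TYPE_HIGH and the swapper MAC_BIBA_TYPE_EQUAL as its effective label while all three receive the same LOW..HIGH range; the mls_cred_* functions later in this commit (nfsd and init LOW, swapper EQUAL) have the same gap. These three assignments are the policy's trust anchors for kernel, init and network-originated operations, so a one-line comment per function would make them auditable without reading the label helpers, e.g. `/* Network-originated (nfsd) operations run at low effective integrity. */` above biba_cred_associate_nfsd() and `/* Swapper: effective label matches everything (EQUAL); init: high integrity. */` for the other two, with the wording confirmed by the policy author.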
@@ -1904,30 +1928,6 @@ biba_socket_check_deliver(struct socket
 return (biba_equal_effective(p, s) ? 0 : EACCES);
 }
-static void
-biba_proc_create_init(struct ucred *cred)
-{
- struct mac_biba *dest;
-
- dest = SLOT(cred->cr_label);
-
- biba_set_effective(dest, MAC_BIBA_TYPE_HIGH, 0, NULL);
- biba_set_range(dest, MAC_BIBA_TYPE_LOW, 0, NULL, MAC_BIBA_TYPE_HIGH,
- 0, NULL);
-}
-
-static void
-biba_proc_create_swapper(struct ucred *cred)
-{
- struct mac_biba *dest;
-
- dest = SLOT(cred->cr_label);
-
- biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL);
- biba_set_range(dest, MAC_BIBA_TYPE_LOW, 0, NULL, MAC_BIBA_TYPE_HIGH,
- 0, NULL);
-}
-
 static int
 biba_socket_check_relabel(struct ucred *cred, struct socket *so, struct label *solabel, struct label *newlabel)
@@ -3334,9 +3334,12 @@ static struct mac_policy_ops mac_biba_op
 .mpo_bpfdesc_destroy_label = biba_destroy_label,
 .mpo_bpfdesc_init_label = biba_init_label,
+ .mpo_cred_associate_nfsd = biba_cred_associate_nfsd,
 .mpo_cred_check_relabel = biba_cred_check_relabel,
 .mpo_cred_check_visible = biba_cred_check_visible,
 .mpo_cred_copy_label = biba_copy_label,
+ .mpo_cred_create_init = biba_cred_create_init,
+ .mpo_cred_create_swapper = biba_cred_create_swapper,
 .mpo_cred_destroy_label = biba_destroy_label,
 .mpo_cred_externalize_label = biba_externalize_label,
 .mpo_cred_init_label = biba_init_label,
@@ -3432,12 +3435,9 @@ static struct mac_policy_ops mac_biba_op
 .mpo_priv_check = biba_priv_check,
- .mpo_proc_associate_nfsd = biba_proc_associate_nfsd,
 .mpo_proc_check_debug = biba_proc_check_debug,
 .mpo_proc_check_sched = biba_proc_check_sched,
 .mpo_proc_check_signal = biba_proc_check_signal,
- .mpo_proc_create_init = biba_proc_create_init,
- .mpo_proc_create_swapper = biba_proc_create_swapper,
 .mpo_socket_check_deliver = biba_socket_check_deliver,
 .mpo_socket_check_relabel = biba_socket_check_relabel,
Modified: head/sys/security/mac_lomac/mac_lomac.c
==============================================================================
--- head/sys/security/mac_lomac/mac_lomac.c Tue Oct 28 10:37:40 2008 (r184406)
+++ head/sys/security/mac_lomac/mac_lomac.c Tue Oct 28 11:33:06 2008 (r184407)
@@ -993,6 +993,29 @@ lomac_cred_check_visible(struct ucred *c
 return (0);
 }
+
+static void
+lomac_cred_create_init(struct ucred *cred)
+{
+ struct mac_lomac *dest;
+
+ dest = SLOT(cred->cr_label);
+
+ lomac_set_single(dest, MAC_LOMAC_TYPE_HIGH, 0);
+ lomac_set_range(dest, MAC_LOMAC_TYPE_LOW, 0, MAC_LOMAC_TYPE_HIGH, 0);
+}
+
+static void
+lomac_cred_create_swapper(struct ucred *cred)
+{
+ struct mac_lomac *dest;
+
+ dest = SLOT(cred->cr_label);
+
+ lomac_set_single(dest, MAC_LOMAC_TYPE_EQUAL, 0);
+ lomac_set_range(dest, MAC_LOMAC_TYPE_LOW, 0, MAC_LOMAC_TYPE_HIGH, 0);
+}
+
 static void
 lomac_cred_relabel(struct ucred *cred, struct label *newlabel)
 {
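Review bot: In the mac_lomac.c `@@ -993,6 +993,29 @@` hunk the first added line is an empty `+` line right after the context `}`, and the hunk's line counts (6 context lines, only 5 of them non-blank here) imply a blank context line already separates that `}` from the following definition, so the new file appears to end up with two consecutive blank lines before lomac_cred_create_init(); dropping that leading empty `+` line fixes it, since the trailing empty `+` after lomac_cred_create_swapper() already separates it from lomac_cred_relabel(). Also, unlike biba and mls, no lomac_cred_associate_nfsd() is added and no lomac_proc_associate_nfsd() is removed, so lomac seems never to have implemented the nfsd hook; if that is intentional, a one-line comment in lomac_ops such as `/* No mpo_cred_associate_nfsd: nfsd credentials keep their default label. */` would save the next reader the same check.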
@@ -1885,28 +1908,6 @@ lomac_proc_check_signal(struct ucred *cr
 }
 static void
-lomac_proc_create_init(struct ucred *cred)
-{
- struct mac_lomac *dest;
-
- dest = SLOT(cred->cr_label);
-
- lomac_set_single(dest, MAC_LOMAC_TYPE_HIGH, 0);
- lomac_set_range(dest, MAC_LOMAC_TYPE_LOW, 0, MAC_LOMAC_TYPE_HIGH, 0);
-}
-
-static void
-lomac_proc_create_swapper(struct ucred *cred)
-{
- struct mac_lomac *dest;
-
- dest = SLOT(cred->cr_label);
-
- lomac_set_single(dest, MAC_LOMAC_TYPE_EQUAL, 0);
- lomac_set_range(dest, MAC_LOMAC_TYPE_LOW, 0, MAC_LOMAC_TYPE_HIGH, 0);
-}
-
-static void
 lomac_proc_destroy_label(struct label *label)
 {
@@ -2894,6 +2895,8 @@ static struct mac_policy_ops lomac_ops =
 .mpo_cred_check_relabel = lomac_cred_check_relabel,
 .mpo_cred_check_visible = lomac_cred_check_visible,
 .mpo_cred_copy_label = lomac_copy_label,
+ .mpo_cred_create_swapper = lomac_cred_create_swapper,
+ .mpo_cred_create_init = lomac_cred_create_init,
 .mpo_cred_destroy_label = lomac_destroy_label,
 .mpo_cred_externalize_label = lomac_externalize_label,
 .mpo_cred_init_label = lomac_init_label,
@@ -2983,8 +2986,6 @@ static struct mac_policy_ops lomac_ops =
 .mpo_proc_check_debug = lomac_proc_check_debug,
 .mpo_proc_check_sched = lomac_proc_check_sched,
 .mpo_proc_check_signal = lomac_proc_check_signal,
- .mpo_proc_create_swapper = lomac_proc_create_swapper,
- .mpo_proc_create_init = lomac_proc_create_init,
 .mpo_proc_destroy_label = lomac_proc_destroy_label,
 .mpo_proc_init_label = lomac_proc_init_label,
Modified: head/sys/security/mac_mls/mac_mls.c
==============================================================================
--- head/sys/security/mac_mls/mac_mls.c Tue Oct 28 10:37:40 2008 (r184406)
+++ head/sys/security/mac_mls/mac_mls.c Tue Oct 28 11:33:06 2008 (r184407)
@@ -776,6 +776,17 @@ mls_bpfdesc_create_mbuf(struct bpf_d *d,
 mls_copy_effective(source, dest);
 }
+static void
+mls_cred_associate_nfsd(struct ucred *cred)
+{
+ struct mac_mls *label;
+
+ label = SLOT(cred->cr_label);
+ mls_set_effective(label, MAC_MLS_TYPE_LOW, 0, NULL);
+ mls_set_range(label, MAC_MLS_TYPE_LOW, 0, NULL, MAC_MLS_TYPE_HIGH, 0,
+ NULL);
+}
+
 static int
 mls_cred_check_relabel(struct ucred *cred, struct label *newlabel)
 {
@@ -855,6 +866,30 @@ mls_cred_check_visible(struct ucred *cr1
 }
 static void
+mls_cred_create_init(struct ucred *cred)
+{
+ struct mac_mls *dest;
+
+ dest = SLOT(cred->cr_label);
+
+ mls_set_effective(dest, MAC_MLS_TYPE_LOW, 0, NULL);
+ mls_set_range(dest, MAC_MLS_TYPE_LOW, 0, NULL, MAC_MLS_TYPE_HIGH, 0,
+ NULL);
+}
+
+static void
+mls_cred_create_swapper(struct ucred *cred)
+{
+ struct mac_mls *dest;
+
+ dest = SLOT(cred->cr_label);
+
+ mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL);
+ mls_set_range(dest, MAC_MLS_TYPE_LOW, 0, NULL, MAC_MLS_TYPE_HIGH, 0,
+ NULL);
+}
+
+static void
 mls_cred_relabel(struct ucred *cred, struct label *newlabel)
 {
 struct mac_mls *source, *dest;
@@ -1523,17 +1558,6 @@ mls_posixsem_create(struct ucred *cred,
 mls_copy_effective(source, dest);
 }
-static void
-mls_proc_associate_nfsd(struct ucred *cred)
-{
- struct mac_mls *label;
-
- label = SLOT(cred->cr_label);
- mls_set_effective(label, MAC_MLS_TYPE_LOW, 0, NULL);
- mls_set_range(label, MAC_MLS_TYPE_LOW, 0, NULL, MAC_MLS_TYPE_HIGH, 0,
- NULL);
-}
-
 static int
 mls_proc_check_debug(struct ucred *cred, struct proc *p)
 {
@@ -1594,30 +1618,6 @@ mls_proc_check_signal(struct ucred *cred
 return (0);
 }
-static void
-mls_proc_create_init(struct ucred *cred)
-{
- struct mac_mls *dest;
-
- dest = SLOT(cred->cr_label);
-
- mls_set_effective(dest, MAC_MLS_TYPE_LOW, 0, NULL);
- mls_set_range(dest, MAC_MLS_TYPE_LOW, 0, NULL, MAC_MLS_TYPE_HIGH, 0,
- NULL);
-}
-
-static void
-mls_proc_create_swapper(struct ucred *cred)
-{
- struct mac_mls *dest;
-
- dest = SLOT(cred->cr_label);
-
- mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL);
- mls_set_range(dest, MAC_MLS_TYPE_LOW, 0, NULL, MAC_MLS_TYPE_HIGH, 0,
- NULL);
-}
-
 static int
 mls_socket_check_deliver(struct socket *so, struct label *solabel, struct mbuf *m, struct label *mlabel)
@@ -2957,9 +2957,12 @@ static struct mac_policy_ops mls_ops =
 .mpo_bpfdesc_destroy_label = mls_destroy_label,
 .mpo_bpfdesc_init_label = mls_init_label,
+ .mpo_cred_associate_nfsd = mls_cred_associate_nfsd,
 .mpo_cred_check_relabel = mls_cred_check_relabel,
 .mpo_cred_check_visible = mls_cred_check_visible,
 .mpo_cred_copy_label = mls_copy_label,
+ .mpo_cred_create_init = mls_cred_create_init,
+ .mpo_cred_create_swapper = mls_cred_create_swapper,
 .mpo_cred_destroy_label = mls_destroy_label,
 .mpo_cred_externalize_label = mls_externalize_label,
 .mpo_cred_init_label = mls_init_label,
@@ -3051,12 +3054,9 @@ static struct mac_policy_ops mls_ops =
 .mpo_posixsem_destroy_label = mls_destroy_label,
 .mpo_posixsem_init_label = mls_init_label,
- .mpo_proc_associate_nfsd = mls_proc_associate_nfsd,
 .mpo_proc_check_debug = mls_proc_check_debug,
 .mpo_proc_check_sched = mls_proc_check_sched,
 .mpo_proc_check_signal = mls_proc_check_signal,
- .mpo_proc_create_init = mls_proc_create_init,
- .mpo_proc_create_swapper = mls_proc_create_swapper,
 .mpo_socket_check_deliver = mls_socket_check_deliver,
 .mpo_socket_check_relabel = mls_socket_check_relabel,
Modified: head/sys/security/mac_partition/mac_partition.c
==============================================================================
--- head/sys/security/mac_partition/mac_partition.c Tue Oct 28 10:37:40 2008 (r184406)
+++ head/sys/security/mac_partition/mac_partition.c Tue Oct 28 11:33:06 2008 (r184407)
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 1999-2002, 2007 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2007-2008 Robert N. M. Watson
 * Copyright (c) 2001-2002 Networks Associates Technology, Inc.
 * Copyright (c) 2006 SPARTA, Inc.
 * Copyright (c) 2008 Apple Inc.
@@ -155,6 +155,20 @@ partition_cred_copy_label(struct label *
 }
 static void
+partition_cred_create_init(struct ucred *cred)
+{
+
+ SLOT_SET(cred->cr_label, 0);
+}
+
+static void
+partition_cred_create_swapper(struct ucred *cred)
+{
+
+ SLOT_SET(cred->cr_label, 0);
+}
+
+static void
 partition_cred_destroy_label(struct label *label)
 {
@@ -251,20 +265,6 @@ partition_proc_check_signal(struct ucred
 return (error ? ESRCH : 0);
 }
-static void
-partition_proc_create_init(struct ucred *cred)
-{
-
- SLOT_SET(cred->cr_label, 0);
-}
-
-static void
-partition_proc_create_swapper(struct ucred *cred)
-{
-
- SLOT_SET(cred->cr_label, 0);
-}
-
 static int
 partition_socket_check_visible(struct ucred *cred, struct socket *so, struct label *solabel)
@@ -300,6 +300,8 @@ static struct mac_policy_ops partition_o
 .mpo_cred_check_relabel = partition_cred_check_relabel,
 .mpo_cred_check_visible = partition_cred_check_visible,
 .mpo_cred_copy_label = partition_cred_copy_label,
+ .mpo_cred_create_init = partition_cred_create_init,
+ .mpo_cred_create_swapper = partition_cred_create_swapper,
 .mpo_cred_destroy_label = partition_cred_destroy_label,
 .mpo_cred_externalize_label = partition_cred_externalize_label,
 .mpo_cred_init_label = partition_cred_init_label,
@@ -309,8 +311,6 @@ static struct mac_policy_ops partition_o
 .mpo_proc_check_debug = partition_proc_check_debug,
 .mpo_proc_check_sched = partition_proc_check_sched,
 .mpo_proc_check_signal = partition_proc_check_signal,
- .mpo_proc_create_init = partition_proc_create_init,
- .mpo_proc_create_swapper = partition_proc_create_swapper,
 .mpo_socket_check_visible = partition_socket_check_visible,
 .mpo_vnode_check_exec = partition_vnode_check_exec,
 };
Modified: head/sys/security/mac_stub/mac_stub.c
==============================================================================
--- head/sys/security/mac_stub/mac_stub.c Tue Oct 28 10:37:40 2008 (r184406)
+++ head/sys/security/mac_stub/mac_stub.c Tue Oct 28 11:33:06 2008 (r184407)
@@ -185,6 +185,12 @@ stub_bpfdesc_create_mbuf(struct bpf_d *d
 }
+static void
+stub_cred_associate_nfsd(struct ucred *cred)
+{
+
+}
+
 static int
 stub_cred_check_relabel(struct ucred *cred, struct label *newlabel)
 {
@@ -200,6 +206,18 @@ stub_cred_check_visible(struct ucred *cr
 }
 static void
+stub_cred_create_init(struct ucred *cred)
+{
+
+}
+
+static void
+stub_cred_create_swapper(struct ucred *cred)
+{
+
+}
+
+static void
 stub_cred_relabel(struct ucred *cred, struct label *newlabel)
 {
@@ -668,12 +686,6 @@ stub_priv_grant(struct ucred *cred, int
 return (EPERM);
 }
-static void
-stub_proc_associate_nfsd(struct ucred *cred)
-{
-
-}
-
 static int
 stub_proc_check_debug(struct ucred *cred, struct proc *p)
 {
@@ -789,18 +801,6 @@ stub_proc_check_wait(struct ucred *cred,
 return (0);
 }
-static void
-stub_proc_create_init(struct ucred *cred)
-{
-
-}
-
-static void
-stub_proc_create_swapper(struct ucred *cred)
-{
-
-}
-
 static int
 stub_socket_check_accept(struct ucred *cred, struct socket *so, struct label *solabel)
@@ -1539,9 +1539,12 @@ static struct mac_policy_ops stub_ops =
 .mpo_bpfdesc_destroy_label = stub_destroy_label,
 .mpo_bpfdesc_init_label = stub_init_label,
+ .mpo_cred_associate_nfsd = stub_cred_associate_nfsd,
 .mpo_cred_check_relabel = stub_cred_check_relabel,
 .mpo_cred_check_visible = stub_cred_check_visible,
 .mpo_cred_copy_label = stub_copy_label,
+ .mpo_cred_create_init = stub_cred_create_init,
+ .mpo_cred_create_swapper = stub_cred_create_swapper,
 .mpo_cred_destroy_label = stub_destroy_label,
 .mpo_cred_externalize_label = stub_externalize_label,
 .mpo_cred_init_label = stub_init_label,
@@ -1655,7 +1658,6 @@ static struct mac_policy_ops stub_ops =
 .mpo_priv_check = stub_priv_check,
 .mpo_priv_grant = stub_priv_grant,
- .mpo_proc_associate_nfsd = stub_proc_associate_nfsd,
 .mpo_proc_check_debug = stub_proc_check_debug,
 .mpo_proc_check_sched = stub_proc_check_sched,
 .mpo_proc_check_setaudit = stub_proc_check_setaudit,
@@ -1672,8 +1674,6 @@ static struct mac_policy_ops stub_ops =
 .mpo_proc_check_setuid = stub_proc_check_setuid,
 .mpo_proc_check_signal = stub_proc_check_signal,
 .mpo_proc_check_wait = stub_proc_check_wait,
- .mpo_proc_create_init = stub_proc_create_init,
- .mpo_proc_create_swapper = stub_proc_create_swapper,
 .mpo_socket_check_accept = stub_socket_check_accept,
 .mpo_socket_check_bind = stub_socket_check_bind,
Modified: head/sys/security/mac_test/mac_test.c
==============================================================================
--- head/sys/security/mac_test/mac_test.c Tue Oct 28 10:37:40 2008 (r184406)
+++ head/sys/security/mac_test/mac_test.c Tue Oct 28 11:33:06 2008 (r184407)
@@ -242,6 +242,24 @@ test_cred_copy_label(struct label *src,
 COUNTER_INC(cred_copy_label);
 }
+COUNTER_DECL(cred_create_init);
+static void
+test_cred_create_init(struct ucred *cred)
+{
+
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ COUNTER_INC(cred_create_init);
+}
+
+COUNTER_DECL(cred_create_swapper);
+static void
+test_cred_create_swapper(struct ucred *cred)
+{
+
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ COUNTER_INC(cred_create_swapper);
+}
+
 COUNTER_DECL(cred_destroy_label);
 static void
 test_cred_destroy_label(struct label *label)
@@ -1480,24 +1498,6 @@ test_proc_check_wait(struct ucred *cred,
 return (0);
 }
-COUNTER_DECL(proc_create_init);
-static void
-test_proc_create_init(struct ucred *cred)
-{
-
- LABEL_CHECK(cred->cr_label, MAGIC_CRED);
- COUNTER_INC(proc_create_init);
-}
-
-COUNTER_DECL(proc_create_swapper);
-static void
-test_proc_create_swapper(struct ucred *cred)
-{
-
- LABEL_CHECK(cred->cr_label, MAGIC_CRED);
- COUNTER_INC(proc_create_swapper);
-}
-
 COUNTER_DECL(proc_destroy_label);
 static void
 test_proc_destroy_label(struct label *label)
@@ -2883,6 +2883,8 @@ static struct mac_policy_ops test_ops =
 .mpo_cred_check_relabel = test_cred_check_relabel,
 .mpo_cred_check_visible = test_cred_check_visible,
 .mpo_cred_copy_label = test_cred_copy_label,
+ .mpo_cred_create_init = test_cred_create_init,
+ .mpo_cred_create_swapper = test_cred_create_swapper,
 .mpo_cred_destroy_label = test_cred_destroy_label,
 .mpo_cred_externalize_label = test_cred_externalize_label,
 .mpo_cred_init_label = test_cred_init_label,
@@ -3022,8 +3024,6 @@ static struct mac_policy_ops test_ops =
 .mpo_proc_check_setuid = test_proc_check_setuid,
 .mpo_proc_check_signal = test_proc_check_signal,
 .mpo_proc_check_wait = test_proc_check_wait,
- .mpo_proc_create_init = test_proc_create_init,
- .mpo_proc_create_swapper = test_proc_create_swapper,
 .mpo_proc_destroy_label = test_proc_destroy_label,
 .mpo_proc_init_label = test_proc_init_label,
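Review bot: mac_test gains COUNTER_DECL/LABEL_CHECK coverage for cred_create_init and cred_create_swapper in the `@@ -242,6 +242,24 @@` hunk, but nothing for the third renamed hook, cred_associate_nfsd: no test_cred_associate_nfsd() is added and no test_proc_associate_nfsd() is removed anywhere in this file's hunks, so unless it lives in a part of the file not shown, the entry point reached from nfs_getreq() on every decoded request credential has no label-magic check in the test policy before or after this commit. Adding one in the same shape as the two new functions, plus `.mpo_cred_associate_nfsd = test_cred_associate_nfsd,` at the top of the cred_ block in test_ops, closes the gap and makes the test policy exercise all three hooks the commit renames.

```c
COUNTER_DECL(cred_associate_nfsd);
static void
test_cred_associate_nfsd(struct ucred *cred)
{

	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
	COUNTER_INC(cred_associate_nfsd);
}

/* … unchanged: test_cred_create_init(), test_cred_create_swapper() … */
```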