Date: Thu, 20 Nov 2003 11:44:20 -0800 (PST) From: Robert Watson <rwatson@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 42812 for review Message-ID: <200311201944.hAKJiKNk090941@repoman.freebsd.org>
next in thread | raw e-mail | index | archive | help
http://perforce.freebsd.org/chv.cgi?CH=42812 Change 42812 by rwatson@rwatson_tislabs on 2003/11/20 11:43:33 Rename mac_create_cred() to mac_cred_copy(), and rename mpo_create_cred() to mpo_cred_copy_label(), which better reflects the way credential labels are actually exposed to the MAC Framework. Unlike other objects/subjects, credentials are rarely "created" -- crdup() copies a credential for later updates. This slightly simplifies some of our policies by letting us reuse a generic label copy routine, rather than having a special-purpose credential copy routine. Affected files ... .. //depot/projects/trustedbsd/mac/sys/kern/kern_prot.c#38 edit .. //depot/projects/trustedbsd/mac/sys/security/mac/mac_process.c#11 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#238 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.c#80 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#192 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_partition/mac_partition.c#29 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_stub/mac_stub.c#16 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#125 edit .. //depot/projects/trustedbsd/mac/sys/sys/mac.h#256 edit .. //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#205 edit Differences ... ==== //depot/projects/trustedbsd/mac/sys/kern/kern_prot.c#38 (text+ko) ==== @@ -1786,7 +1786,7 @@ if (jailed(dest)) prison_hold(dest->cr_prison); #ifdef MAC - mac_create_cred(src, dest); + mac_copy_cred(src, dest); #endif } ==== //depot/projects/trustedbsd/mac/sys/security/mac/mac_process.c#11 (text+ko) ==== @@ -222,10 +222,10 @@ * deltas. This function allows that processing to take place. */ void -mac_create_cred(struct ucred *parent_cred, struct ucred *child_cred) +mac_copy_cred(struct ucred *src, struct ucred *dest) { - MAC_PERFORM(create_cred, parent_cred, child_cred); + MAC_PERFORM(copy_cred_label, src->cr_label, dest->cr_label); } int ==== //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#238 (text+ko) ==== @@ -1467,18 +1467,6 @@ * Labeling event operations: processes. */ static void -mac_biba_create_cred(struct ucred *cred_parent, struct ucred *cred_child) -{ - struct mac_biba *source, *dest; - - source = SLOT(cred_parent->cr_label); - dest = SLOT(cred_child->cr_label); - - mac_biba_copy_single(source, dest); - mac_biba_copy_range(source, dest); -} - -static void mac_biba_create_proc0(struct ucred *cred) { struct mac_biba *dest; @@ -3184,6 +3172,7 @@ .mpo_destroy_socket_label = mac_biba_destroy_label, .mpo_destroy_socket_peer_label = mac_biba_destroy_label, .mpo_destroy_vnode_label = mac_biba_destroy_label, + .mpo_copy_cred_label = mac_biba_copy_label, .mpo_copy_mbuf_label = mac_biba_copy_label, .mpo_copy_pipe_label = mac_biba_copy_label, .mpo_copy_socket_label = mac_biba_copy_label, @@ -3240,7 +3229,6 @@ .mpo_relabel_ifnet = mac_biba_relabel_ifnet, .mpo_update_ipq = mac_biba_update_ipq, .mpo_inpcb_sosetlabel = mac_biba_inpcb_sosetlabel, - .mpo_create_cred = mac_biba_create_cred, .mpo_create_proc0 = mac_biba_create_proc0, .mpo_create_proc1 = mac_biba_create_proc1, .mpo_relabel_cred = mac_biba_relabel_cred, ==== //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.c#80 (text+ko) ==== @@ -1551,18 +1551,6 @@ * Labeling event operations: processes. */ static void -mac_lomac_create_cred(struct ucred *cred_parent, struct ucred *cred_child) -{ - struct mac_lomac *source, *dest; - - source = SLOT(cred_parent->cr_label); - dest = SLOT(cred_child->cr_label); - - mac_lomac_copy_single(source, dest); - mac_lomac_copy_range(source, dest); -} - -static void mac_lomac_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp, struct label *vnodelabel, struct label *interpvnodelabel, struct image_params *imgp, @@ -3112,6 +3100,7 @@ .mpo_destroy_socket_label = mac_lomac_destroy_label, .mpo_destroy_socket_peer_label = mac_lomac_destroy_label, .mpo_destroy_vnode_label = mac_lomac_destroy_label, + .mpo_copy_cred_label = mac_lomac_copy_label, .mpo_copy_mbuf_label = mac_lomac_copy_label, .mpo_copy_pipe_label = mac_lomac_copy_label, .mpo_copy_socket_label = mac_lomac_copy_label, @@ -3171,7 +3160,6 @@ .mpo_relabel_ifnet = mac_lomac_relabel_ifnet, .mpo_update_ipq = mac_lomac_update_ipq, .mpo_inpcb_sosetlabel = mac_lomac_inpcb_sosetlabel, - .mpo_create_cred = mac_lomac_create_cred, .mpo_execve_transition = mac_lomac_execve_transition, .mpo_execve_will_transition = mac_lomac_execve_will_transition, .mpo_create_proc0 = mac_lomac_create_proc0, ==== //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#192 (text+ko) ==== @@ -1406,18 +1406,6 @@ * Labeling event operations: processes. */ static void -mac_mls_create_cred(struct ucred *cred_parent, struct ucred *cred_child) -{ - struct mac_mls *source, *dest; - - source = SLOT(cred_parent->cr_label); - dest = SLOT(cred_child->cr_label); - - mac_mls_copy_single(source, dest); - mac_mls_copy_range(source, dest); -} - -static void mac_mls_create_proc0(struct ucred *cred) { struct mac_mls *dest; @@ -2961,6 +2949,7 @@ .mpo_destroy_socket_label = mac_mls_destroy_label, .mpo_destroy_socket_peer_label = mac_mls_destroy_label, .mpo_destroy_vnode_label = mac_mls_destroy_label, + .mpo_copy_cred_label = mac_mls_copy_label, .mpo_copy_mbuf_label = mac_mls_copy_label, .mpo_copy_pipe_label = mac_mls_copy_label, .mpo_copy_socket_label = mac_mls_copy_label, @@ -3017,7 +3006,6 @@ .mpo_relabel_ifnet = mac_mls_relabel_ifnet, .mpo_update_ipq = mac_mls_update_ipq, .mpo_inpcb_sosetlabel = mac_mls_inpcb_sosetlabel, - .mpo_create_cred = mac_mls_create_cred, .mpo_create_proc0 = mac_mls_create_proc0, .mpo_create_proc1 = mac_mls_create_proc1, .mpo_relabel_cred = mac_mls_relabel_cred, ==== //depot/projects/trustedbsd/mac/sys/security/mac_partition/mac_partition.c#29 (text+ko) ==== @@ -101,6 +101,13 @@ SLOT(label) = 0; } +static void +mac_partition_copy_label(struct label *src, struct label *dest) +{ + + SLOT(dest) = SLOT(src); +} + static int mac_partition_externalize_label(struct label *label, char *element_name, struct sbuf *sb, int *claimed) @@ -131,13 +138,6 @@ } static void -mac_partition_create_cred(struct ucred *cred_parent, struct ucred *cred_child) -{ - - SLOT(cred_child->cr_label) = SLOT(cred_parent->cr_label); -} - -static void mac_partition_create_proc0(struct ucred *cred) { @@ -271,9 +271,9 @@ .mpo_init = mac_partition_init, .mpo_init_cred_label = mac_partition_init_label, .mpo_destroy_cred_label = mac_partition_destroy_label, + .mpo_copy_cred_label = mac_partition_copy_label, .mpo_externalize_cred_label = mac_partition_externalize_label, .mpo_internalize_cred_label = mac_partition_internalize_label, - .mpo_create_cred = mac_partition_create_cred, .mpo_create_proc0 = mac_partition_create_proc0, .mpo_create_proc1 = mac_partition_create_proc1, .mpo_relabel_cred = mac_partition_relabel_cred, ==== //depot/projects/trustedbsd/mac/sys/security/mac_stub/mac_stub.c#16 (text+ko) ==== @@ -490,12 +490,6 @@ * Labeling event operations: processes. */ static void -stub_create_cred(struct ucred *cred_parent, struct ucred *cred_child) -{ - -} - -static void stub_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp, struct label *vnodelabel, struct label *interpvnodelabel, struct image_params *imgp, @@ -1326,6 +1320,7 @@ .mpo_destroy_socket_label = stub_destroy_label, .mpo_destroy_socket_peer_label = stub_destroy_label, .mpo_destroy_vnode_label = stub_destroy_label, + .mpo_copy_cred_label = stub_copy_label, .mpo_copy_mbuf_label = stub_copy_label, .mpo_copy_pipe_label = stub_copy_label, .mpo_copy_socket_label = stub_copy_label, @@ -1386,7 +1381,6 @@ .mpo_update_ipq = stub_update_ipq, .mpo_update_mbuf_from_cipso = stub_update_mbuf_from_cipso, .mpo_inpcb_sosetlabel = stub_inpcb_sosetlabel, - .mpo_create_cred = stub_create_cred, .mpo_execve_transition = stub_execve_transition, .mpo_execve_will_transition = stub_execve_will_transition, .mpo_create_proc0 = stub_create_proc0, ==== //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#125 (text+ko) ==== @@ -748,6 +748,14 @@ } static void +mac_test_copy_cred_label(struct label *src, struct label *dest) +{ + + ASSERT_CRED_LABEL(src); + ASSERT_CRED_LABEL(dest); +} + +static void mac_test_copy_mbuf_label(struct label *src, struct label *dest) { @@ -1233,14 +1241,6 @@ * Labeling event operations: processes. */ static void -mac_test_create_cred(struct ucred *cred_parent, struct ucred *cred_child) -{ - - ASSERT_CRED_LABEL(cred_parent->cr_label); - ASSERT_CRED_LABEL(cred_child->cr_label); -} - -static void mac_test_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp, struct label *filelabel, struct label *interpvnodelabel, struct image_params *imgp, @@ -2325,6 +2325,7 @@ .mpo_destroy_socket_label = mac_test_destroy_socket_label, .mpo_destroy_socket_peer_label = mac_test_destroy_socket_peer_label, .mpo_destroy_vnode_label = mac_test_destroy_vnode_label, + .mpo_copy_cred_label = mac_test_copy_cred_label, .mpo_copy_mbuf_label = mac_test_copy_mbuf_label, .mpo_copy_pipe_label = mac_test_copy_pipe_label, .mpo_copy_socket_label = mac_test_copy_socket_label, @@ -2384,7 +2385,6 @@ .mpo_update_ipq = mac_test_update_ipq, .mpo_update_mbuf_from_cipso = mac_test_update_mbuf_from_cipso, .mpo_inpcb_sosetlabel = mac_test_inpcb_sosetlabel, - .mpo_create_cred = mac_test_create_cred, .mpo_execve_transition = mac_test_execve_transition, .mpo_execve_will_transition = mac_test_execve_will_transition, .mpo_create_proc0 = mac_test_create_proc0, ==== //depot/projects/trustedbsd/mac/sys/sys/mac.h#256 (text+ko) ==== @@ -265,7 +265,7 @@ /* * Labeling event operations: processes. */ -void mac_create_cred(struct ucred *cred_parent, struct ucred *cred_child); +void mac_copy_cred(struct ucred *cr1, struct ucred *cr2); int mac_execve_enter(struct image_params *imgp, struct mac *mac_p); void mac_execve_exit(struct image_params *imgp); void mac_execve_transition(struct ucred *old, struct ucred *new, ==== //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#205 (text+ko) ==== @@ -121,6 +121,8 @@ void (*mpo_destroy_posix_ksem_label)(struct label *label); void (*mpo_destroy_proc_label)(struct label *label); void (*mpo_destroy_vnode_label)(struct label *label); + void (*mpo_copy_cred_label)(struct label *src, + struct label *dest); void (*mpo_copy_mbuf_label)(struct label *src, struct label *dest); void (*mpo_copy_pipe_label)(struct label *src, @@ -299,8 +301,6 @@ /* * Labeling event operations: processes. */ - void (*mpo_create_cred)(struct ucred *parent_cred, - struct ucred *child_cred); void (*mpo_execve_transition)(struct ucred *old, struct ucred *new, struct vnode *vp, struct label *vnodelabel, struct label *interpvnodelabel,
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200311201944.hAKJiKNk090941>