author | rwatson <rwatson@FreeBSD.org> | 2002-08-19 16:59:37 +0000 |
---|---|---|
committer | rwatson <rwatson@FreeBSD.org> | 2002-08-19 16:59:37 +0000 |
commit | fd544421f3cc773adffc30e30d715352a4a0e51e (patch) | |
tree | 179942e973f357333f9720ca7246b8b3ad349cef | |
parent | d0709eea67e0ae904f80928991bf3ce66b3fcbc4 (diff) | |
Break out mac_check_pipe_op() into component check entry points:
mac_check_pipe_poll(), mac_check_pipe_read(), mac_check_pipe_stat(),
and mac_check_pipe_write(). This improves consistency with other
access control entry points and permits security modules to only
control the object methods that they are interested in, avoiding
switch statements.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
-rw-r--r-- | sys/kern/kern_mac.c | 50 | ||||
-rw-r--r-- | sys/kern/sys_pipe.c | 8 | ||||
-rw-r--r-- | sys/security/mac/mac_framework.c | 50 | ||||
-rw-r--r-- | sys/security/mac/mac_framework.h | 18 | ||||
-rw-r--r-- | sys/security/mac/mac_internal.h | 50 | ||||
-rw-r--r-- | sys/security/mac/mac_net.c | 50 | ||||
-rw-r--r-- | sys/security/mac/mac_pipe.c | 50 | ||||
-rw-r--r-- | sys/security/mac/mac_policy.h | 15 | ||||
-rw-r--r-- | sys/security/mac/mac_process.c | 50 | ||||
-rw-r--r-- | sys/security/mac/mac_syscalls.c | 50 | ||||
-rw-r--r-- | sys/security/mac/mac_system.c | 50 | ||||
-rw-r--r-- | sys/security/mac/mac_vfs.c | 50 | ||||
-rw-r--r-- | sys/security/mac_biba/mac_biba.c | 84 | ||||
-rw-r--r-- | sys/security/mac_mls/mac_mls.c | 84 | ||||
-rw-r--r-- | sys/security/mac_none/mac_none.c | 38 | ||||
-rw-r--r-- | sys/security/mac_stub/mac_stub.c | 38 | ||||
-rw-r--r-- | sys/security/mac_test/mac_test.c | 38 | ||||
-rw-r--r-- | sys/sys/mac.h | 18 | ||||
-rw-r--r-- | sys/sys/mac_policy.h | 15 |
19 files changed, 684 insertions, 122 deletions
diff --git a/sys/kern/kern_mac.c b/sys/kern/kern_mac.c index f8cb676..7bf7393 100644 --- a/sys/kern/kern_mac.c +++ b/sys/kern/kern_mac.c @@ -667,14 +667,26 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_check_pipe_ioctl = mpe->mpe_function; break; - case MAC_CHECK_PIPE_OP: - mpc->mpc_ops->mpo_check_pipe_op = + case MAC_CHECK_PIPE_POLL: + mpc->mpc_ops->mpo_check_pipe_poll = + mpe->mpe_function; + break; + case MAC_CHECK_PIPE_READ: + mpc->mpc_ops->mpo_check_pipe_read = mpe->mpe_function; break; case MAC_CHECK_PIPE_RELABEL: mpc->mpc_ops->mpo_check_pipe_relabel = mpe->mpe_function; break; + case MAC_CHECK_PIPE_STAT: + mpc->mpc_ops->mpo_check_pipe_stat = + mpe->mpe_function; + break; + case MAC_CHECK_PIPE_WRITE: + mpc->mpc_ops->mpo_check_pipe_write = + mpe->mpe_function; + break; case MAC_CHECK_PROC_DEBUG: mpc->mpc_ops->mpo_check_proc_debug = mpe->mpe_function; @@ -2539,11 +2551,21 @@ mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, unsigned long cmd, } int -mac_check_pipe_op(struct ucred *cred, struct pipe *pipe, int op) +mac_check_pipe_poll(struct ucred *cred, struct pipe *pipe) { int error; - MAC_CHECK(check_pipe_op, cred, pipe, pipe->pipe_label, op); + MAC_CHECK(check_pipe_poll, cred, pipe, pipe->pipe_label); + + return (error); +} + +int +mac_check_pipe_read(struct ucred *cred, struct pipe *pipe) +{ + int error; + + MAC_CHECK(check_pipe_read, cred, pipe, pipe->pipe_label); return (error); } @@ -2560,6 +2582,26 @@ mac_check_pipe_relabel(struct ucred *cred, struct pipe *pipe, } int +mac_check_pipe_stat(struct ucred *cred, struct pipe *pipe) +{ + int error; + + MAC_CHECK(check_pipe_stat, cred, pipe, pipe->pipe_label); + + return (error); +} + +int +mac_check_pipe_write(struct ucred *cred, struct pipe *pipe) +{ + int error; + + MAC_CHECK(check_pipe_write, cred, pipe, pipe->pipe_label); + + return (error); +} + +int mac_check_proc_debug(struct ucred *cred, struct proc *proc) { int error; 
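Review bot: The four new wrappers (mac_check_pipe_poll, _read, _stat and _write) each dereference `pipe->pipe_label` without stating or enforcing the locking the caller must provide, and the pipe_stat() call site in sys_pipe.c still carries an `XXXMAC: Pipe should be locked for this check` comment, so at least one caller reaches the label unlocked. I would put `PIPE_LOCK_ASSERT(pipe, MA_OWNED);` ahead of `MAC_CHECK(...)` in the poll, read and write wrappers (assuming that macro is available in this tree and that those callers hold the pipe mutex, as the sys_pipe.c hunks suggest), and add it to the stat wrapper once pipe_stat() takes the lock. A one-line comment above each wrapper, such as `/* Caller must hold the pipe mutex; policies read the pipe label. */`, would record the contract for policy authors. The same hunks are shown again on this page for mac_framework.c, mac_internal.h, mac_net.c, mac_pipe.c, mac_process.c, mac_syscalls.c, mac_system.c and mac_vfs.c, and the point applies there too.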
diff --git a/sys/kern/sys_pipe.c b/sys/kern/sys_pipe.c index d956501..489aeaf 100644 --- a/sys/kern/sys_pipe.c +++ b/sys/kern/sys_pipe.c @@ -469,7 +469,7 @@ pipe_read(fp, uio, active_cred, flags, td) goto unlocked_error; #ifdef MAC - error = mac_check_pipe_op(active_cred, rpipe, MAC_OP_PIPE_READ); + error = mac_check_pipe_read(active_cred, rpipe); if (error) goto locked_error; #endif @@ -885,7 +885,7 @@ pipe_write(fp, uio, active_cred, flags, td) return (EPIPE); } #ifdef MAC - error = mac_check_pipe_op(active_cred, wpipe, MAC_OP_PIPE_WRITE); + error = mac_check_pipe_write(active_cred, wpipe); if (error) { PIPE_UNLOCK(rpipe); return (error); @@ -1233,7 +1233,7 @@ pipe_poll(fp, events, active_cred, td) wpipe = rpipe->pipe_peer; PIPE_LOCK(rpipe); #ifdef MAC - error = mac_check_pipe_op(active_cred, rpipe, MAC_OP_PIPE_POLL); + error = mac_check_pipe_poll(active_cred, rpipe); if (error) goto locked_error; #endif @@ -1289,7 +1289,7 @@ pipe_stat(fp, ub, active_cred, td) int error; /* XXXMAC: Pipe should be locked for this check. */ - error = mac_check_pipe_op(active_cred, pipe, MAC_OP_PIPE_STAT); + error = mac_check_pipe_stat(active_cred, pipe); if (error) return (error); #endif diff --git a/sys/security/mac/mac_framework.c b/sys/security/mac/mac_framework.c index f8cb676..7bf7393 100644 --- a/sys/security/mac/mac_framework.c +++ b/sys/security/mac/mac_framework.c 
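Review bot: In pipe_stat() the new `mac_check_pipe_stat(active_cred, pipe)` call still runs without the pipe lock, as the retained `XXXMAC` comment admits, while the read, write and poll call sites in this file appear to make their checks with the lock held. The policy check is handed the pipe's label, so an unlocked call could race with a concurrent relabel and reach an access decision on a label that is being changed. Since this commit gives stat its own entry point, this is a natural place to bracket the check with `PIPE_LOCK(pipe);` before the call and `PIPE_UNLOCK(pipe);` after it, and then drop the XXXMAC comment. pipe_stat() starts and ends outside the hunk, so the lock order against whatever follows the check needs confirming in the full function.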
@@ -667,14 +667,26 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_check_pipe_ioctl = mpe->mpe_function; break; - case MAC_CHECK_PIPE_OP: - mpc->mpc_ops->mpo_check_pipe_op = + case MAC_CHECK_PIPE_POLL: + mpc->mpc_ops->mpo_check_pipe_poll = + mpe->mpe_function; + break; + case MAC_CHECK_PIPE_READ: + mpc->mpc_ops->mpo_check_pipe_read = mpe->mpe_function; break; case MAC_CHECK_PIPE_RELABEL: mpc->mpc_ops->mpo_check_pipe_relabel = mpe->mpe_function; break; + case MAC_CHECK_PIPE_STAT: + mpc->mpc_ops->mpo_check_pipe_stat = + mpe->mpe_function; + break; + case MAC_CHECK_PIPE_WRITE: + mpc->mpc_ops->mpo_check_pipe_write = + mpe->mpe_function; + break; case MAC_CHECK_PROC_DEBUG: mpc->mpc_ops->mpo_check_proc_debug = mpe->mpe_function; @@ -2539,11 +2551,21 @@ mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, unsigned long cmd, } int -mac_check_pipe_op(struct ucred *cred, struct pipe *pipe, int op) +mac_check_pipe_poll(struct ucred *cred, struct pipe *pipe) { int error; - MAC_CHECK(check_pipe_op, cred, pipe, pipe->pipe_label, op); + MAC_CHECK(check_pipe_poll, cred, pipe, pipe->pipe_label); + + return (error); +} + +int +mac_check_pipe_read(struct ucred *cred, struct pipe *pipe) +{ + int error; + + MAC_CHECK(check_pipe_read, cred, pipe, pipe->pipe_label); return (error); } @@ -2560,6 +2582,26 @@ mac_check_pipe_relabel(struct ucred *cred, struct pipe *pipe, } int +mac_check_pipe_stat(struct ucred *cred, struct pipe *pipe) +{ + int error; + + MAC_CHECK(check_pipe_stat, cred, pipe, pipe->pipe_label); + + return (error); +} + +int +mac_check_pipe_write(struct ucred *cred, struct pipe *pipe) +{ + int error; + + MAC_CHECK(check_pipe_write, cred, pipe, pipe->pipe_label); + + return (error); +} + +int mac_check_proc_debug(struct ucred *cred, struct proc *proc) { int error; diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h index 3d73df4..1f36d55 100644 --- a/sys/security/mac/mac_framework.h 
+++ b/sys/security/mac/mac_framework.h @@ -181,19 +181,6 @@ int __mac_set_proc(struct mac *_mac_p); #else /* _KERNEL */ /* - * MAC entry point operations - */ -enum mac_ep_ops { - MAC_OP_VNODE_READ, - MAC_OP_VNODE_WRITE, - MAC_OP_VNODE_POLL, - MAC_OP_PIPE_READ, - MAC_OP_PIPE_WRITE, - MAC_OP_PIPE_STAT, - MAC_OP_PIPE_POLL -}; - -/* * Kernel functions to manage and evaluate labels. */ struct bpf_d; @@ -307,9 +294,12 @@ int mac_check_bpfdesc_receive(struct bpf_d *bpf_d, struct ifnet *ifnet); int mac_check_cred_visible(struct ucred *u1, struct ucred *u2); int mac_check_ifnet_transmit(struct ifnet *ifnet, struct mbuf *m); int mac_check_mount_stat(struct ucred *cred, struct mount *mp); -int mac_check_pipe_op(struct ucred *cred, struct pipe *pipe, int op); int mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, unsigned long cmd, void *data); +int mac_check_pipe_poll(struct ucred *cred, struct pipe *pipe); +int mac_check_pipe_read(struct ucred *cred, struct pipe *pipe); +int mac_check_pipe_stat(struct ucred *cred, struct pipe *pipe); +int mac_check_pipe_write(struct ucred *cred, struct pipe *pipe); int mac_check_proc_debug(struct ucred *cred, struct proc *proc); int mac_check_proc_sched(struct ucred *cred, struct proc *proc); int mac_check_proc_signal(struct ucred *cred, struct proc *proc, diff --git a/sys/security/mac/mac_internal.h b/sys/security/mac/mac_internal.h index f8cb676..7bf7393 100644 --- a/sys/security/mac/mac_internal.h +++ b/sys/security/mac/mac_internal.h 
@@ -667,14 +667,26 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_check_pipe_ioctl = mpe->mpe_function; break; - case MAC_CHECK_PIPE_OP: - mpc->mpc_ops->mpo_check_pipe_op = + case MAC_CHECK_PIPE_POLL: + mpc->mpc_ops->mpo_check_pipe_poll = + mpe->mpe_function; + break; + case MAC_CHECK_PIPE_READ: + mpc->mpc_ops->mpo_check_pipe_read = mpe->mpe_function; break; case MAC_CHECK_PIPE_RELABEL: mpc->mpc_ops->mpo_check_pipe_relabel = mpe->mpe_function; break; + case MAC_CHECK_PIPE_STAT: + mpc->mpc_ops->mpo_check_pipe_stat = + mpe->mpe_function; + break; + case MAC_CHECK_PIPE_WRITE: + mpc->mpc_ops->mpo_check_pipe_write = + mpe->mpe_function; + break; case MAC_CHECK_PROC_DEBUG: mpc->mpc_ops->mpo_check_proc_debug = mpe->mpe_function; @@ -2539,11 +2551,21 @@ mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, unsigned long cmd, } int -mac_check_pipe_op(struct ucred *cred, struct pipe *pipe, int op) +mac_check_pipe_poll(struct ucred *cred, struct pipe *pipe) { int error; - MAC_CHECK(check_pipe_op, cred, pipe, pipe->pipe_label, op); + MAC_CHECK(check_pipe_poll, cred, pipe, pipe->pipe_label); + + return (error); +} + +int +mac_check_pipe_read(struct ucred *cred, struct pipe *pipe) +{ + int error; + + MAC_CHECK(check_pipe_read, cred, pipe, pipe->pipe_label); return (error); } @@ -2560,6 +2582,26 @@ mac_check_pipe_relabel(struct ucred *cred, struct pipe *pipe, } int +mac_check_pipe_stat(struct ucred *cred, struct pipe *pipe) +{ + int error; + + MAC_CHECK(check_pipe_stat, cred, pipe, pipe->pipe_label); + + return (error); +} + +int +mac_check_pipe_write(struct ucred *cred, struct pipe *pipe) +{ + int error; + + MAC_CHECK(check_pipe_write, cred, pipe, pipe->pipe_label); + + return (error); +} + +int mac_check_proc_debug(struct ucred *cred, struct proc *proc) { int error; diff --git a/sys/security/mac/mac_net.c b/sys/security/mac/mac_net.c index f8cb676..7bf7393 100644 --- a/sys/security/mac/mac_net.c +++ b/sys/security/mac/mac_net.c 
@@ -667,14 +667,26 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_check_pipe_ioctl = mpe->mpe_function; break; - case MAC_CHECK_PIPE_OP: - mpc->mpc_ops->mpo_check_pipe_op = + case MAC_CHECK_PIPE_POLL: + mpc->mpc_ops->mpo_check_pipe_poll = + mpe->mpe_function; + break; + case MAC_CHECK_PIPE_READ: + mpc->mpc_ops->mpo_check_pipe_read = mpe->mpe_function; break; case MAC_CHECK_PIPE_RELABEL: mpc->mpc_ops->mpo_check_pipe_relabel = mpe->mpe_function; break; + case MAC_CHECK_PIPE_STAT: + mpc->mpc_ops->mpo_check_pipe_stat = + mpe->mpe_function; + break; + case MAC_CHECK_PIPE_WRITE: + mpc->mpc_ops->mpo_check_pipe_write = + mpe->mpe_function; + break; case MAC_CHECK_PROC_DEBUG: mpc->mpc_ops->mpo_check_proc_debug = mpe->mpe_function; @@ -2539,11 +2551,21 @@ mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, unsigned long cmd, } int -mac_check_pipe_op(struct ucred *cred, struct pipe *pipe, int op) +mac_check_pipe_poll(struct ucred *cred, struct pipe *pipe) { int error; - MAC_CHECK(check_pipe_op, cred, pipe, pipe->pipe_label, op); + MAC_CHECK(check_pipe_poll, cred, pipe, pipe->pipe_label); + + return (error); +} + +int +mac_check_pipe_read(struct ucred *cred, struct pipe *pipe) +{ + int error; + + MAC_CHECK(check_pipe_read, cred, pipe, pipe->pipe_label); return (error); } @@ -2560,6 +2582,26 @@ mac_check_pipe_relabel(struct ucred *cred, struct pipe *pipe, } int +mac_check_pipe_stat(struct ucred *cred, struct pipe *pipe) +{ + int error; + + MAC_CHECK(check_pipe_stat, cred, pipe, pipe->pipe_label); + + return (error); +} + +int +mac_check_pipe_write(struct ucred *cred, struct pipe *pipe) +{ + int error; + + MAC_CHECK(check_pipe_write, cred, pipe, pipe->pipe_label); + + return (error); +} + +int mac_check_proc_debug(struct ucred *cred, struct proc *proc) { int error; diff --git a/sys/security/mac/mac_pipe.c b/sys/security/mac/mac_pipe.c index f8cb676..7bf7393 100644 --- a/sys/security/mac/mac_pipe.c +++ b/sys/security/mac/mac_pipe.c 
@@ -667,14 +667,26 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_check_pipe_ioctl = mpe->mpe_function; break; - case MAC_CHECK_PIPE_OP: - mpc->mpc_ops->mpo_check_pipe_op = + case MAC_CHECK_PIPE_POLL: + mpc->mpc_ops->mpo_check_pipe_poll = + mpe->mpe_function; + break; + case MAC_CHECK_PIPE_READ: + mpc->mpc_ops->mpo_check_pipe_read = mpe->mpe_function; break; case MAC_CHECK_PIPE_RELABEL: mpc->mpc_ops->mpo_check_pipe_relabel = mpe->mpe_function; break; + case MAC_CHECK_PIPE_STAT: + mpc->mpc_ops->mpo_check_pipe_stat = + mpe->mpe_function; + break; + case MAC_CHECK_PIPE_WRITE: + mpc->mpc_ops->mpo_check_pipe_write = + mpe->mpe_function; + break; case MAC_CHECK_PROC_DEBUG: mpc->mpc_ops->mpo_check_proc_debug = mpe->mpe_function; @@ -2539,11 +2551,21 @@ mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, unsigned long cmd, } int -mac_check_pipe_op(struct ucred *cred, struct pipe *pipe, int op) +mac_check_pipe_poll(struct ucred *cred, struct pipe *pipe) { int error; - MAC_CHECK(check_pipe_op, cred, pipe, pipe->pipe_label, op); + MAC_CHECK(check_pipe_poll, cred, pipe, pipe->pipe_label); + + return (error); +} + +int +mac_check_pipe_read(struct ucred *cred, struct pipe *pipe) +{ + int error; + + MAC_CHECK(check_pipe_read, cred, pipe, pipe->pipe_label); return (error); } @@ -2560,6 +2582,26 @@ mac_check_pipe_relabel(struct ucred *cred, struct pipe *pipe, } int +mac_check_pipe_stat(struct ucred *cred, struct pipe *pipe) +{ + int error; + + MAC_CHECK(check_pipe_stat, cred, pipe, pipe->pipe_label); + + return (error); +} + +int +mac_check_pipe_write(struct ucred *cred, struct pipe *pipe) +{ + int error; + + MAC_CHECK(check_pipe_write, cred, pipe, pipe->pipe_label); + + return (error); +} + +int mac_check_proc_debug(struct ucred *cred, struct proc *proc) { int error; diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h index 9bc28ad..b3707c2 100644 --- a/sys/security/mac/mac_policy.h +++ b/sys/security/mac/mac_policy.h 
@@ -233,11 +233,17 @@ struct mac_policy_ops { struct label *mntlabel); int (*mpo_check_pipe_ioctl)(struct ucred *cred, struct pipe *pipe, struct label *pipelabel, unsigned long cmd, void *data); - int (*mpo_check_pipe_op)(struct ucred *cred, struct pipe *pipe, - struct label *pipelabel, int op); + int (*mpo_check_pipe_poll)(struct ucred *cred, struct pipe *pipe, + struct label *pipelabel); + int (*mpo_check_pipe_read)(struct ucred *cred, struct pipe *pipe, + struct label *pipelabel); int (*mpo_check_pipe_relabel)(struct ucred *cred, struct pipe *pipe, struct label *pipelabel, struct label *newlabel); + int (*mpo_check_pipe_stat)(struct ucred *cred, struct pipe *pipe, + struct label *pipelabel); + int (*mpo_check_pipe_write)(struct ucred *cred, struct pipe *pipe, + struct label *pipelabel); int (*mpo_check_proc_debug)(struct ucred *cred, struct proc *proc); int (*mpo_check_proc_sched)(struct ucred *cred, @@ -408,8 +414,11 @@ enum mac_op_constant { MAC_CHECK_IFNET_TRANSMIT, MAC_CHECK_MOUNT_STAT, MAC_CHECK_PIPE_IOCTL, - MAC_CHECK_PIPE_OP, + MAC_CHECK_PIPE_POLL, + MAC_CHECK_PIPE_READ, MAC_CHECK_PIPE_RELABEL, + MAC_CHECK_PIPE_STAT, + MAC_CHECK_PIPE_WRITE, MAC_CHECK_PROC_DEBUG, MAC_CHECK_PROC_SCHED, MAC_CHECK_PROC_SIGNAL, diff --git a/sys/security/mac/mac_process.c b/sys/security/mac/mac_process.c index f8cb676..7bf7393 100644 --- a/sys/security/mac/mac_process.c +++ b/sys/security/mac/mac_process.c 
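Review bot: Inserting MAC_CHECK_PIPE_POLL, MAC_CHECK_PIPE_READ, MAC_CHECK_PIPE_STAT and MAC_CHECK_PIPE_WRITE in the middle of `enum mac_op_constant` renumbers every constant after MAC_CHECK_PIPE_IOCTL, and the matching new members shift the layout of `struct mac_policy_ops`. A policy module built against the old header would then pass mac_policy_register() op numbers that now name a different entry point, so a check function could be installed in a slot whose signature it does not match; nothing in these hunks shows a version check that would reject such a module. If the alphabetical ordering is to be kept, I would add a comment above the enum, for example `/* Values change between kernel revisions; policy modules must be rebuilt with the kernel. */`, and confirm that module loading refuses a mismatched build. Both the struct and the enum continue outside the hunks.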
@@ -667,14 +667,26 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_check_pipe_ioctl = mpe->mpe_function; break; - case MAC_CHECK_PIPE_OP: - mpc->mpc_ops->mpo_check_pipe_op = + case MAC_CHECK_PIPE_POLL: + mpc->mpc_ops->mpo_check_pipe_poll = + mpe->mpe_function; + break; + case MAC_CHECK_PIPE_READ: + mpc->mpc_ops->mpo_check_pipe_read = mpe->mpe_function; break; case MAC_CHECK_PIPE_RELABEL: mpc->mpc_ops->mpo_check_pipe_relabel = mpe->mpe_function; break; + case MAC_CHECK_PIPE_STAT: + mpc->mpc_ops->mpo_check_pipe_stat = + mpe->mpe_function; + break; + case MAC_CHECK_PIPE_WRITE: + mpc->mpc_ops->mpo_check_pipe_write = + mpe->mpe_function; + break; case MAC_CHECK_PROC_DEBUG: mpc->mpc_ops->mpo_check_proc_debug = mpe->mpe_function; @@ -2539,11 +2551,21 @@ mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, unsigned long cmd, } int -mac_check_pipe_op(struct ucred *cred, struct pipe *pipe, int op) +mac_check_pipe_poll(struct ucred *cred, struct pipe *pipe) { int error; - MAC_CHECK(check_pipe_op, cred, pipe, pipe->pipe_label, op); + MAC_CHECK(check_pipe_poll, cred, pipe, pipe->pipe_label); + + return (error); +} + +int +mac_check_pipe_read(struct ucred *cred, struct pipe *pipe) +{ + int error; + + MAC_CHECK(check_pipe_read, cred, pipe, pipe->pipe_label); return (error); } @@ -2560,6 +2582,26 @@ mac_check_pipe_relabel(struct ucred *cred, struct pipe *pipe, } int +mac_check_pipe_stat(struct ucred *cred, struct pipe *pipe) +{ + int error; + + MAC_CHECK(check_pipe_stat, cred, pipe, pipe->pipe_label); + + return (error); +} + +int +mac_check_pipe_write(struct ucred *cred, struct pipe *pipe) +{ + int error; + + MAC_CHECK(check_pipe_write, cred, pipe, pipe->pipe_label); + + return (error); +} + +int mac_check_proc_debug(struct ucred *cred, struct proc *proc) { int error; diff --git a/sys/security/mac/mac_syscalls.c b/sys/security/mac/mac_syscalls.c index f8cb676..7bf7393 100644 --- a/sys/security/mac/mac_syscalls.c +++ b/sys/security/mac/mac_syscalls.c 
@@ -667,14 +667,26 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_check_pipe_ioctl = mpe->mpe_function; break; - case MAC_CHECK_PIPE_OP: - mpc->mpc_ops->mpo_check_pipe_op = + case MAC_CHECK_PIPE_POLL: + mpc->mpc_ops->mpo_check_pipe_poll = + mpe->mpe_function; + break; + case MAC_CHECK_PIPE_READ: + mpc->mpc_ops->mpo_check_pipe_read = mpe->mpe_function; break; case MAC_CHECK_PIPE_RELABEL: mpc->mpc_ops->mpo_check_pipe_relabel = mpe->mpe_function; break; + case MAC_CHECK_PIPE_STAT: + mpc->mpc_ops->mpo_check_pipe_stat = + mpe->mpe_function; + break; + case MAC_CHECK_PIPE_WRITE: + mpc->mpc_ops->mpo_check_pipe_write = + mpe->mpe_function; + break; case MAC_CHECK_PROC_DEBUG: mpc->mpc_ops->mpo_check_proc_debug = mpe->mpe_function; @@ -2539,11 +2551,21 @@ mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, unsigned long cmd, } int -mac_check_pipe_op(struct ucred *cred, struct pipe *pipe, int op) +mac_check_pipe_poll(struct ucred *cred, struct pipe *pipe) { int error; - MAC_CHECK(check_pipe_op, cred, pipe, pipe->pipe_label, op); + MAC_CHECK(check_pipe_poll, cred, pipe, pipe->pipe_label); + + return (error); +} + +int +mac_check_pipe_read(struct ucred *cred, struct pipe *pipe) +{ + int error; + + MAC_CHECK(check_pipe_read, cred, pipe, pipe->pipe_label); return (error); } @@ -2560,6 +2582,26 @@ mac_check_pipe_relabel(struct ucred *cred, struct pipe *pipe, } int +mac_check_pipe_stat(struct ucred *cred, struct pipe *pipe) +{ + int error; + + MAC_CHECK(check_pipe_stat, cred, pipe, pipe->pipe_label); + + return (error); +} + +int +mac_check_pipe_write(struct ucred *cred, struct pipe *pipe) +{ + int error; + + MAC_CHECK(check_pipe_write, cred, pipe, pipe->pipe_label); + + return (error); +} + +int mac_check_proc_debug(struct ucred *cred, struct proc *proc) { int error; diff --git a/sys/security/mac/mac_system.c b/sys/security/mac/mac_system.c index f8cb676..7bf7393 100644 --- a/sys/security/mac/mac_system.c +++ b/sys/security/mac/mac_system.c 
@@ -667,14 +667,26 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_check_pipe_ioctl = mpe->mpe_function; break; - case MAC_CHECK_PIPE_OP: - mpc->mpc_ops->mpo_check_pipe_op = + case MAC_CHECK_PIPE_POLL: + mpc->mpc_ops->mpo_check_pipe_poll = + mpe->mpe_function; + break; + case MAC_CHECK_PIPE_READ: + mpc->mpc_ops->mpo_check_pipe_read = mpe->mpe_function; break; case MAC_CHECK_PIPE_RELABEL: mpc->mpc_ops->mpo_check_pipe_relabel = mpe->mpe_function; break; + case MAC_CHECK_PIPE_STAT: + mpc->mpc_ops->mpo_check_pipe_stat = + mpe->mpe_function; + break; + case MAC_CHECK_PIPE_WRITE: + mpc->mpc_ops->mpo_check_pipe_write = + mpe->mpe_function; + break; case MAC_CHECK_PROC_DEBUG: mpc->mpc_ops->mpo_check_proc_debug = mpe->mpe_function; @@ -2539,11 +2551,21 @@ mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, unsigned long cmd, } int -mac_check_pipe_op(struct ucred *cred, struct pipe *pipe, int op) +mac_check_pipe_poll(struct ucred *cred, struct pipe *pipe) { int error; - MAC_CHECK(check_pipe_op, cred, pipe, pipe->pipe_label, op); + MAC_CHECK(check_pipe_poll, cred, pipe, pipe->pipe_label); + + return (error); +} + +int +mac_check_pipe_read(struct ucred *cred, struct pipe *pipe) +{ + int error; + + MAC_CHECK(check_pipe_read, cred, pipe, pipe->pipe_label); return (error); } @@ -2560,6 +2582,26 @@ mac_check_pipe_relabel(struct ucred *cred, struct pipe *pipe, } int +mac_check_pipe_stat(struct ucred *cred, struct pipe *pipe) +{ + int error; + + MAC_CHECK(check_pipe_stat, cred, pipe, pipe->pipe_label); + + return (error); +} + +int +mac_check_pipe_write(struct ucred *cred, struct pipe *pipe) +{ + int error; + + MAC_CHECK(check_pipe_write, cred, pipe, pipe->pipe_label); + + return (error); +} + +int mac_check_proc_debug(struct ucred *cred, struct proc *proc) { int error; diff --git a/sys/security/mac/mac_vfs.c b/sys/security/mac/mac_vfs.c index f8cb676..7bf7393 100644 --- a/sys/security/mac/mac_vfs.c +++ b/sys/security/mac/mac_vfs.c 
@@ -667,14 +667,26 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_check_pipe_ioctl = mpe->mpe_function; break; - case MAC_CHECK_PIPE_OP: - mpc->mpc_ops->mpo_check_pipe_op = + case MAC_CHECK_PIPE_POLL: + mpc->mpc_ops->mpo_check_pipe_poll = + mpe->mpe_function; + break; + case MAC_CHECK_PIPE_READ: + mpc->mpc_ops->mpo_check_pipe_read = mpe->mpe_function; break; case MAC_CHECK_PIPE_RELABEL: mpc->mpc_ops->mpo_check_pipe_relabel = mpe->mpe_function; break; + case MAC_CHECK_PIPE_STAT: + mpc->mpc_ops->mpo_check_pipe_stat = + mpe->mpe_function; + break; + case MAC_CHECK_PIPE_WRITE: + mpc->mpc_ops->mpo_check_pipe_write = + mpe->mpe_function; + break; case MAC_CHECK_PROC_DEBUG: mpc->mpc_ops->mpo_check_proc_debug = mpe->mpe_function; @@ -2539,11 +2551,21 @@ mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, unsigned long cmd, } int -mac_check_pipe_op(struct ucred *cred, struct pipe *pipe, int op) +mac_check_pipe_poll(struct ucred *cred, struct pipe *pipe) { int error; - MAC_CHECK(check_pipe_op, cred, pipe, pipe->pipe_label, op); + MAC_CHECK(check_pipe_poll, cred, pipe, pipe->pipe_label); + + return (error); +} + +int +mac_check_pipe_read(struct ucred *cred, struct pipe *pipe) +{ + int error; + + MAC_CHECK(check_pipe_read, cred, pipe, pipe->pipe_label); return (error); } @@ -2560,6 +2582,26 @@ mac_check_pipe_relabel(struct ucred *cred, struct pipe *pipe, } int +mac_check_pipe_stat(struct ucred *cred, struct pipe *pipe) +{ + int error; + + MAC_CHECK(check_pipe_stat, cred, pipe, pipe->pipe_label); + + return (error); +} + +int +mac_check_pipe_write(struct ucred *cred, struct pipe *pipe) +{ + int error; + + MAC_CHECK(check_pipe_write, cred, pipe, pipe->pipe_label); + + return (error); +} + +int mac_check_proc_debug(struct ucred *cred, struct proc *proc) { int error; diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c index 6e9e383..c830e7c 100644 --- a/sys/security/mac_biba/mac_biba.c 
+++ b/sys/security/mac_biba/mac_biba.c @@ -1300,8 +1300,8 @@ mac_biba_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, } static int -mac_biba_check_pipe_op(struct ucred *cred, struct pipe *pipe, - struct label *pipelabel, int op) +mac_biba_check_pipe_poll(struct ucred *cred, struct pipe *pipe, + struct label *pipelabel) { struct mac_biba *subj, *obj; @@ -1311,20 +1311,26 @@ mac_biba_check_pipe_op(struct ucred *cred, struct pipe *pipe, subj = SLOT(&cred->cr_label); obj = SLOT((pipelabel)); - switch(op) { - case MAC_OP_PIPE_READ: - case MAC_OP_PIPE_STAT: - case MAC_OP_PIPE_POLL: - if (!mac_biba_dominate_single(obj, subj)) - return (EACCES); - break; - case MAC_OP_PIPE_WRITE: - if (!mac_biba_dominate_single(subj, obj)) - return (EACCES); - break; - default: - panic("mac_biba_check_pipe_op: invalid pipe operation"); - } + if (!mac_biba_dominate_single(obj, subj)) + return (EACCES); + + return (0); +} + +static int +mac_biba_check_pipe_read(struct ucred *cred, struct pipe *pipe, + struct label *pipelabel) +{ + struct mac_biba *subj, *obj; + + if (!mac_biba_enabled) + return (0); + + subj = SLOT(&cred->cr_label); + obj = SLOT((pipelabel)); + + if (!mac_biba_dominate_single(obj, subj)) + return (EACCES); return (0); } 
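Review bot: In mac_biba_check_pipe_poll() and mac_biba_check_pipe_read() here, and in the stat and write variants added in the next hunk, the only thing that separates an observe check from a modify check is the argument order of `mac_biba_dominate_single()`, and none of the new functions states which direction is intended. Assuming `mac_biba_dominate_single(a, b)` tests that a dominates b, I would add `/* Observe: the pipe label must dominate the subject label. */` above the test in poll, read and stat, and `/* Modify: the subject label must dominate the pipe label. */` above the test in write. Poll, read and stat are now three verbatim copies, so a transposed argument in one of them during a later edit would silently invert the integrity rule for that operation only. The mac_mls.c hunks have the same shape with the arguments reversed and would benefit from the matching comments.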
@@ -1364,6 +1370,42 @@ mac_biba_check_pipe_relabel(struct ucred *cred, struct pipe *pipe, } static int +mac_biba_check_pipe_stat(struct ucred *cred, struct pipe *pipe, + struct label *pipelabel) +{ + struct mac_biba *subj, *obj; + + if (!mac_biba_enabled) + return (0); + + subj = SLOT(&cred->cr_label); + obj = SLOT((pipelabel)); + + if (!mac_biba_dominate_single(obj, subj)) + return (EACCES); + + return (0); +} + +static int +mac_biba_check_pipe_write(struct ucred *cred, struct pipe *pipe, + struct label *pipelabel) +{ + struct mac_biba *subj, *obj; + + if (!mac_biba_enabled) + return (0); + + subj = SLOT(&cred->cr_label); + obj = SLOT((pipelabel)); + + if (!mac_biba_dominate_single(subj, obj)) + return (EACCES); + + return (0); +} + +static int mac_biba_check_proc_debug(struct ucred *cred, struct proc *proc) { struct mac_biba *subj, *obj; @@ -2175,10 +2217,16 @@ static struct mac_policy_op_entry mac_biba_ops[] = (macop_t)mac_biba_check_mount_stat }, { MAC_CHECK_PIPE_IOCTL, (macop_t)mac_biba_check_pipe_ioctl }, - { MAC_CHECK_PIPE_OP, - (macop_t)mac_biba_check_pipe_op }, + { MAC_CHECK_PIPE_POLL, + (macop_t)mac_biba_check_pipe_poll }, + { MAC_CHECK_PIPE_READ, + (macop_t)mac_biba_check_pipe_read }, { MAC_CHECK_PIPE_RELABEL, (macop_t)mac_biba_check_pipe_relabel }, + { MAC_CHECK_PIPE_STAT, + (macop_t)mac_biba_check_pipe_stat }, + { MAC_CHECK_PIPE_WRITE, + (macop_t)mac_biba_check_pipe_write }, { MAC_CHECK_PROC_DEBUG, (macop_t)mac_biba_check_proc_debug }, { MAC_CHECK_PROC_SCHED, diff --git a/sys/security/mac_mls/mac_mls.c b/sys/security/mac_mls/mac_mls.c index 4dca581..a61dd60 100644 --- a/sys/security/mac_mls/mac_mls.c +++ b/sys/security/mac_mls/mac_mls.c @@ -1247,8 +1247,8 @@ mac_mls_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, } static int -mac_mls_check_pipe_op(struct ucred *cred, struct pipe *pipe, - struct label *pipelabel, int op) +mac_mls_check_pipe_poll(struct ucred *cred, struct pipe *pipe, + struct label *pipelabel) { struct mac_mls *subj, *obj; 
@@ -1258,20 +1258,26 @@ mac_mls_check_pipe_op(struct ucred *cred, struct pipe *pipe, subj = SLOT(&cred->cr_label); obj = SLOT((pipelabel)); - switch(op) { - case MAC_OP_PIPE_READ: - case MAC_OP_PIPE_STAT: - case MAC_OP_PIPE_POLL: - if (!mac_mls_dominate_single(subj, obj)) - return (EACCES); - break; - case MAC_OP_PIPE_WRITE: - if (!mac_mls_dominate_single(obj, subj)) - return (EACCES); - break; - default: - panic("mac_mls_check_pipe_op: invalid pipe operation"); - } + if (!mac_mls_dominate_single(subj, obj)) + return (EACCES); + + return (0); +} + +static int +mac_mls_check_pipe_read(struct ucred *cred, struct pipe *pipe, + struct label *pipelabel) +{ + struct mac_mls *subj, *obj; + + if (!mac_mls_enabled) + return (0); + + subj = SLOT(&cred->cr_label); + obj = SLOT((pipelabel)); + + if (!mac_mls_dominate_single(subj, obj)) + return (EACCES); return (0); } @@ -1311,6 +1317,42 @@ mac_mls_check_pipe_relabel(struct ucred *cred, struct pipe *pipe, } static int +mac_mls_check_pipe_stat(struct ucred *cred, struct pipe *pipe, + struct label *pipelabel) +{ + struct mac_mls *subj, *obj; + + if (!mac_mls_enabled) + return (0); + + subj = SLOT(&cred->cr_label); + obj = SLOT((pipelabel)); + + if (!mac_mls_dominate_single(subj, obj)) + return (EACCES); + + return (0); +} + +static int +mac_mls_check_pipe_write(struct ucred *cred, struct pipe *pipe, + struct label *pipelabel) +{ + struct mac_mls *subj, *obj; + + if (!mac_mls_enabled) + return (0); + + subj = SLOT(&cred->cr_label); + obj = SLOT((pipelabel)); + + if (!mac_mls_dominate_single(obj, subj)) + return (EACCES); + + return (0); +} + +static int mac_mls_check_proc_debug(struct ucred *cred, struct proc *proc) { struct mac_mls *subj, *obj; 
@@ -2126,10 +2168,16 @@ static struct mac_policy_op_entry mac_mls_ops[] = (macop_t)mac_mls_check_mount_stat }, { MAC_CHECK_PIPE_IOCTL, (macop_t)mac_mls_check_pipe_ioctl }, - { MAC_CHECK_PIPE_OP, - (macop_t)mac_mls_check_pipe_op }, + { MAC_CHECK_PIPE_POLL, + (macop_t)mac_mls_check_pipe_poll }, + { MAC_CHECK_PIPE_READ, + (macop_t)mac_mls_check_pipe_read }, { MAC_CHECK_PIPE_RELABEL, (macop_t)mac_mls_check_pipe_relabel }, + { MAC_CHECK_PIPE_STAT, + (macop_t)mac_mls_check_pipe_stat }, + { MAC_CHECK_PIPE_WRITE, + (macop_t)mac_mls_check_pipe_write }, { MAC_CHECK_PROC_DEBUG, (macop_t)mac_mls_check_proc_debug }, { MAC_CHECK_PROC_SCHED, diff --git a/sys/security/mac_none/mac_none.c b/sys/security/mac_none/mac_none.c index b7e5fdd..bc2da67 100644 --- a/sys/security/mac_none/mac_none.c +++ b/sys/security/mac_none/mac_none.c @@ -601,8 +601,16 @@ mac_none_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, } static int -mac_none_check_pipe_op(struct ucred *cred, struct pipe *pipe, - struct label *pipelabel, int op) +mac_none_check_pipe_poll(struct ucred *cred, struct pipe *pipe, + struct label *pipelabel) +{ + + return (0); +} + +static int +mac_none_check_pipe_read(struct ucred *cred, struct pipe *pipe, + struct label *pipelabel) { return (0); @@ -617,6 +625,22 @@ mac_none_check_pipe_relabel(struct ucred *cred, struct pipe *pipe, } static int +mac_none_check_pipe_stat(struct ucred *cred, struct pipe *pipe, + struct label *pipelabel) +{ + + return (0); +} + +static int +mac_none_check_pipe_write(struct ucred *cred, struct pipe *pipe, + struct label *pipelabel) +{ + + return (0); +} + +static int mac_none_check_proc_debug(struct ucred *cred, struct proc *proc) { 
@@ -1052,10 +1076,16 @@ static struct mac_policy_op_entry mac_none_ops[] = (macop_t)mac_none_check_mount_stat }, { MAC_CHECK_PIPE_IOCTL, (macop_t)mac_none_check_pipe_ioctl }, - { MAC_CHECK_PIPE_OP, - (macop_t)mac_none_check_pipe_op }, + { MAC_CHECK_PIPE_POLL, + (macop_t)mac_none_check_pipe_poll }, + { MAC_CHECK_PIPE_READ, + (macop_t)mac_none_check_pipe_read }, { MAC_CHECK_PIPE_RELABEL, (macop_t)mac_none_check_pipe_relabel }, + { MAC_CHECK_PIPE_STAT, + (macop_t)mac_none_check_pipe_stat }, + { MAC_CHECK_PIPE_WRITE, + (macop_t)mac_none_check_pipe_write }, { MAC_CHECK_PROC_DEBUG, (macop_t)mac_none_check_proc_debug }, { MAC_CHECK_PROC_SCHED, diff --git a/sys/security/mac_stub/mac_stub.c b/sys/security/mac_stub/mac_stub.c index b7e5fdd..bc2da67 100644 --- a/sys/security/mac_stub/mac_stub.c +++ b/sys/security/mac_stub/mac_stub.c @@ -601,8 +601,16 @@ mac_none_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, } static int -mac_none_check_pipe_op(struct ucred *cred, struct pipe *pipe, - struct label *pipelabel, int op) +mac_none_check_pipe_poll(struct ucred *cred, struct pipe *pipe, + struct label *pipelabel) +{ + + return (0); +} + +static int +mac_none_check_pipe_read(struct ucred *cred, struct pipe *pipe, + struct label *pipelabel) { return (0); @@ -617,6 +625,22 @@ mac_none_check_pipe_relabel(struct ucred *cred, struct pipe *pipe, } static int +mac_none_check_pipe_stat(struct ucred *cred, struct pipe *pipe, + struct label *pipelabel) +{ + + return (0); +} + +static int +mac_none_check_pipe_write(struct ucred *cred, struct pipe *pipe, + struct label *pipelabel) +{ + + return (0); +} + +static int mac_none_check_proc_debug(struct ucred *cred, struct proc *proc) { 
@@ -1052,10 +1076,16 @@ static struct mac_policy_op_entry mac_none_ops[] = (macop_t)mac_none_check_mount_stat }, { MAC_CHECK_PIPE_IOCTL, (macop_t)mac_none_check_pipe_ioctl }, - { MAC_CHECK_PIPE_OP, - (macop_t)mac_none_check_pipe_op }, + { MAC_CHECK_PIPE_POLL, + (macop_t)mac_none_check_pipe_poll }, + { MAC_CHECK_PIPE_READ, + (macop_t)mac_none_check_pipe_read }, { MAC_CHECK_PIPE_RELABEL, (macop_t)mac_none_check_pipe_relabel }, + { MAC_CHECK_PIPE_STAT, + (macop_t)mac_none_check_pipe_stat }, + { MAC_CHECK_PIPE_WRITE, + (macop_t)mac_none_check_pipe_write }, { MAC_CHECK_PROC_DEBUG, (macop_t)mac_none_check_proc_debug }, { MAC_CHECK_PROC_SCHED, diff --git a/sys/security/mac_test/mac_test.c b/sys/security/mac_test/mac_test.c index 5c97a1b..76f645d 100644 --- a/sys/security/mac_test/mac_test.c +++ b/sys/security/mac_test/mac_test.c @@ -809,8 +809,16 @@ mac_test_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, } static int -mac_test_check_pipe_op(struct ucred *cred, struct pipe *pipe, - struct label *pipelabel, int op) +mac_test_check_pipe_poll(struct ucred *cred, struct pipe *pipe, + struct label *pipelabel) +{ + + return (0); +} + +static int +mac_test_check_pipe_read(struct ucred *cred, struct pipe *pipe, + struct label *pipelabel) { return (0); @@ -825,6 +833,22 @@ mac_test_check_pipe_relabel(struct ucred *cred, struct pipe *pipe, } static int +mac_test_check_pipe_stat(struct ucred *cred, struct pipe *pipe, + struct label *pipelabel) +{ + + return (0); +} + +static int +mac_test_check_pipe_write(struct ucred *cred, struct pipe *pipe, + struct label *pipelabel) +{ + + return (0); +} + +static int mac_test_check_proc_debug(struct ucred *cred, struct proc *proc) { 
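Review bot: The four entry points added to `mac_test.c` return 0 without looking at `cred`, `pipe` or `pipelabel`, so the test policy does not exercise the new split at all. If this module is meant to sanity-check what the framework passes to a policy (not visible from these hunks), each stub could at least assert its arguments, e.g. `KASSERT(pipelabel != NULL, ("mac_test_check_pipe_read: NULL pipelabel"));`. The neighbouring `mac_test_check_pipe_ioctl` and `mac_test_check_pipe_relabel` bodies lie outside the hunks, so whether they already do this cannot be confirmed here.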
@@ -1258,10 +1282,16 @@ static struct mac_policy_op_entry mac_test_ops[] = (macop_t)mac_test_check_mount_stat }, { MAC_CHECK_PIPE_IOCTL, (macop_t)mac_test_check_pipe_ioctl }, - { MAC_CHECK_PIPE_OP, - (macop_t)mac_test_check_pipe_op }, + { MAC_CHECK_PIPE_POLL, + (macop_t)mac_test_check_pipe_poll }, + { MAC_CHECK_PIPE_READ, + (macop_t)mac_test_check_pipe_read }, { MAC_CHECK_PIPE_RELABEL, (macop_t)mac_test_check_pipe_relabel }, + { MAC_CHECK_PIPE_STAT, + (macop_t)mac_test_check_pipe_stat }, + { MAC_CHECK_PIPE_WRITE, + (macop_t)mac_test_check_pipe_write }, { MAC_CHECK_PROC_DEBUG, (macop_t)mac_test_check_proc_debug }, { MAC_CHECK_PROC_SCHED, diff --git a/sys/sys/mac.h b/sys/sys/mac.h index 3d73df4..1f36d55 100644 --- a/sys/sys/mac.h +++ b/sys/sys/mac.h @@ -181,19 +181,6 @@ int __mac_set_proc(struct mac *_mac_p); #else /* _KERNEL */ /* - * MAC entry point operations - */ -enum mac_ep_ops { - MAC_OP_VNODE_READ, - MAC_OP_VNODE_WRITE, - MAC_OP_VNODE_POLL, - MAC_OP_PIPE_READ, - MAC_OP_PIPE_WRITE, - MAC_OP_PIPE_STAT, - MAC_OP_PIPE_POLL -}; - -/* * Kernel functions to manage and evaluate labels. */ struct bpf_d; 
@@ -307,9 +294,12 @@ int mac_check_bpfdesc_receive(struct bpf_d *bpf_d, struct ifnet *ifnet); int mac_check_cred_visible(struct ucred *u1, struct ucred *u2); int mac_check_ifnet_transmit(struct ifnet *ifnet, struct mbuf *m); int mac_check_mount_stat(struct ucred *cred, struct mount *mp); -int mac_check_pipe_op(struct ucred *cred, struct pipe *pipe, int op); int mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, unsigned long cmd, void *data); +int mac_check_pipe_poll(struct ucred *cred, struct pipe *pipe); +int mac_check_pipe_read(struct ucred *cred, struct pipe *pipe); +int mac_check_pipe_stat(struct ucred *cred, struct pipe *pipe); +int mac_check_pipe_write(struct ucred *cred, struct pipe *pipe); int mac_check_proc_debug(struct ucred *cred, struct proc *proc); int mac_check_proc_sched(struct ucred *cred, struct proc *proc); int mac_check_proc_signal(struct ucred *cred, struct proc *proc, diff --git a/sys/sys/mac_policy.h b/sys/sys/mac_policy.h index 9bc28ad..b3707c2 100644 --- a/sys/sys/mac_policy.h +++ b/sys/sys/mac_policy.h @@ -233,11 +233,17 @@ struct mac_policy_ops { struct label *mntlabel); int (*mpo_check_pipe_ioctl)(struct ucred *cred, struct pipe *pipe, struct label *pipelabel, unsigned long cmd, void *data); - int (*mpo_check_pipe_op)(struct ucred *cred, struct pipe *pipe, - struct label *pipelabel, int op); + int (*mpo_check_pipe_poll)(struct ucred *cred, struct pipe *pipe, + struct label *pipelabel); + int (*mpo_check_pipe_read)(struct ucred *cred, struct pipe *pipe, + struct label *pipelabel); int (*mpo_check_pipe_relabel)(struct ucred *cred, struct pipe *pipe, struct label *pipelabel, struct label *newlabel); + int (*mpo_check_pipe_stat)(struct ucred *cred, struct pipe *pipe, + struct label *pipelabel); + int (*mpo_check_pipe_write)(struct ucred *cred, struct pipe *pipe, + struct label *pipelabel); int (*mpo_check_proc_debug)(struct ucred *cred, struct proc *proc); int (*mpo_check_proc_sched)(struct ucred *cred, 
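Review bot: Nothing in `struct mac_policy_ops` records that `mpo_check_pipe_poll`, `mpo_check_pipe_read`, `mpo_check_pipe_stat` and `mpo_check_pipe_write` replace a single hook, so a policy ported by registering only read and write would silently stop mediating poll and stat. How the framework treats an entry point a policy leaves unset is not shown in this diff; if it is treated as permit, that gap fails open. A comment above the new members would make the migration requirement explicit: `/* Replaces mpo_check_pipe_op: register all four to keep the coverage the single hook gave. */`. The struct begins and ends outside this hunk.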
@@ -408,8 +414,11 @@ enum mac_op_constant { MAC_CHECK_IFNET_TRANSMIT, MAC_CHECK_MOUNT_STAT, MAC_CHECK_PIPE_IOCTL, - MAC_CHECK_PIPE_OP, + MAC_CHECK_PIPE_POLL, + MAC_CHECK_PIPE_READ, MAC_CHECK_PIPE_RELABEL, + MAC_CHECK_PIPE_STAT, + MAC_CHECK_PIPE_WRITE, MAC_CHECK_PROC_DEBUG, MAC_CHECK_PROC_SCHED, MAC_CHECK_PROC_SIGNAL, |
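Review bot: Adding `MAC_CHECK_PIPE_POLL`, `MAC_CHECK_PIPE_READ`, `MAC_CHECK_PIPE_STAT` and `MAC_CHECK_PIPE_WRITE` in the middle of `enum mac_op_constant` shifts the numeric value of `MAC_CHECK_PIPE_RELABEL` and every constant after it. `mac_policy_register()` dispatches on these values, so a policy module built against the old header would have its later hooks stored in the wrong `mpo_*` slots, and the `macop_t` cast means no type check would catch it. Whether registration rejects modules built against an older header is not visible here, and the enum itself starts and ends outside the hunk. If there is no such check, the change needs a version bump or at minimum a header comment such as `/* Values are module ABI: rebuild every policy module when this enum changes. */`.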