authorrwatson <rwatson@FreeBSD.org>2002-10-05 16:57:16 +0000
committerrwatson <rwatson@FreeBSD.org>2002-10-05 16:57:16 +0000
commit7c754b7adc577626a5a8fb262d66bd6ce466a3a2 (patch)
tree16a0080bad15f87b9a65562243d530ecda3f659f
parentaece5c85f0c9210962c62cd0f80289cf81bf1e8e (diff)
Another big diff, little functional change: move label internalization,
externalization, and cred label life cycle events to entirely above devfs and vnode events. Sync from MAC tree. Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
-rw-r--r--sys/kern/kern_mac.c130
-rw-r--r--sys/security/mac/mac_framework.c130
-rw-r--r--sys/security/mac/mac_internal.h130
-rw-r--r--sys/security/mac/mac_net.c130
-rw-r--r--sys/security/mac/mac_pipe.c130
-rw-r--r--sys/security/mac/mac_process.c130
-rw-r--r--sys/security/mac/mac_syscalls.c130
-rw-r--r--sys/security/mac/mac_system.c130
-rw-r--r--sys/security/mac/mac_vfs.c130
9 files changed, 585 insertions, 585 deletions
diff --git a/sys/kern/kern_mac.c b/sys/kern/kern_mac.c
index c56a1cc..d96abb2 100644
--- a/sys/kern/kern_mac.c
+++ b/sys/kern/kern_mac.c
@@ -1301,6 +1301,71 @@ mac_destroy_devfsdirent(struct devfs_dirent *de)
#endif
}
+static int
+mac_externalize(struct label *label, struct mac *mac)
+{
+ int error;
+
+ mac_init_structmac(mac);
+ MAC_CHECK(externalize, label, mac);
+
+ return (error);
+}
+
+static int
+mac_internalize(struct label *label, struct mac *mac)
+{
+ int error;
+
+ mac_init_temp(label);
+ MAC_CHECK(internalize, label, mac);
+ if (error)
+ mac_destroy_temp(label);
+
+ return (error);
+}
+
+/*
+ * Initialize MAC label for the first kernel process, from which other
+ * kernel processes and threads are spawned.
+ */
+void
+mac_create_proc0(struct ucred *cred)
+{
+
+ MAC_PERFORM(create_proc0, cred);
+}
+
+/*
+ * Initialize MAC label for the first userland process, from which other
+ * userland processes and threads are spawned.
+ */
+void
+mac_create_proc1(struct ucred *cred)
+{
+
+ MAC_PERFORM(create_proc1, cred);
+}
+
+void
+mac_thread_userret(struct thread *td)
+{
+
+ MAC_PERFORM(thread_userret, td);
+}
+
+/*
+ * When a new process is created, its label must be initialized. Generally,
+ * this involves inheritence from the parent process, modulo possible
+ * deltas. This function allows that processing to take place.
+ */
+void
+mac_create_cred(struct ucred *parent_cred, struct ucred *child_cred)
+{
+
+ MAC_PERFORM(create_cred, parent_cred, child_cred);
+}
+
void
mac_update_devfsdirent(struct devfs_dirent *de, struct vnode *vp)
{
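Review bot: `mac_externalize` and `mac_internalize` land in their new position still without a header comment, and both return an `error` that no visible statement assigns; presumably the `MAC_CHECK` macro, defined outside this hunk, sets it. I would say so above each function, e.g. `/* error is assigned inside MAC_CHECK; it is not initialized here. */`. For `mac_internalize` the comment should also record the ownership rule the code implies: on failure the temporary label is torn down here with `mac_destroy_temp(label)`, while on success it appears to be left for the caller to destroy. For `mac_externalize`, note that `mac_init_structmac(mac)` has to stay ahead of the policy calls, presumably so the structure later handed back to userland carries no stale kernel data. The same hunk is repeated in the other eight file sections on this page (`mac_framework.c` through `mac_vfs.c`); `mac_thread_userret` also has no comment, and the moved comment on `mac_create_cred` still spells `inheritence`.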
@@ -1586,71 +1651,6 @@ mac_execve_will_transition(struct ucred *old, struct vnode *vp)
return (result);
}
-static int
-mac_externalize(struct label *label, struct mac *mac)
-{
- int error;
-
- mac_init_structmac(mac);
- MAC_CHECK(externalize, label, mac);
-
- return (error);
-}
-
-static int
-mac_internalize(struct label *label, struct mac *mac)
-{
- int error;
-
- mac_init_temp(label);
- MAC_CHECK(internalize, label, mac);
- if (error)
- mac_destroy_temp(label);
-
- return (error);
-}
-
-/*
- * Initialize MAC label for the first kernel process, from which other
- * kernel processes and threads are spawned.
- */
-void
-mac_create_proc0(struct ucred *cred)
-{
-
- MAC_PERFORM(create_proc0, cred);
-}
-
-/*
- * Initialize MAC label for the first userland process, from which other
- * userland processes and threads are spawned.
- */
-void
-mac_create_proc1(struct ucred *cred)
-{
-
- MAC_PERFORM(create_proc1, cred);
-}
-
-void
-mac_thread_userret(struct thread *td)
-{
-
- MAC_PERFORM(thread_userret, td);
-}
-
-/*
- * When a new process is created, its label must be initialized. Generally,
- * this involves inheritence from the parent process, modulo possible
- * deltas. This function allows that processing to take place.
- */
-void
-mac_create_cred(struct ucred *parent_cred, struct ucred *child_cred)
-{
-
- MAC_PERFORM(create_cred, parent_cred, child_cred);
-}
-
int
mac_check_vnode_access(struct ucred *cred, struct vnode *vp, int flags)
{
diff --git a/sys/security/mac/mac_framework.c b/sys/security/mac/mac_framework.c
index c56a1cc..d96abb2 100644
--- a/sys/security/mac/mac_framework.c
+++ b/sys/security/mac/mac_framework.c
@@ -1301,6 +1301,71 @@ mac_destroy_devfsdirent(struct devfs_dirent *de)
#endif
}
+static int
+mac_externalize(struct label *label, struct mac *mac)
+{
+ int error;
+
+ mac_init_structmac(mac);
+ MAC_CHECK(externalize, label, mac);
+
+ return (error);
+}
+
+static int
+mac_internalize(struct label *label, struct mac *mac)
+{
+ int error;
+
+ mac_init_temp(label);
+ MAC_CHECK(internalize, label, mac);
+ if (error)
+ mac_destroy_temp(label);
+
+ return (error);
+}
+
+/*
+ * Initialize MAC label for the first kernel process, from which other
+ * kernel processes and threads are spawned.
+ */
+void
+mac_create_proc0(struct ucred *cred)
+{
+
+ MAC_PERFORM(create_proc0, cred);
+}
+
+/*
+ * Initialize MAC label for the first userland process, from which other
+ * userland processes and threads are spawned.
+ */
+void
+mac_create_proc1(struct ucred *cred)
+{
+
+ MAC_PERFORM(create_proc1, cred);
+}
+
+void
+mac_thread_userret(struct thread *td)
+{
+
+ MAC_PERFORM(thread_userret, td);
+}
+
+/*
+ * When a new process is created, its label must be initialized. Generally,
+ * this involves inheritence from the parent process, modulo possible
+ * deltas. This function allows that processing to take place.
+ */
+void
+mac_create_cred(struct ucred *parent_cred, struct ucred *child_cred)
+{
+
+ MAC_PERFORM(create_cred, parent_cred, child_cred);
+}
+
void
mac_update_devfsdirent(struct devfs_dirent *de, struct vnode *vp)
{
@@ -1586,71 +1651,6 @@ mac_execve_will_transition(struct ucred *old, struct vnode *vp)
return (result);
}
-static int
-mac_externalize(struct label *label, struct mac *mac)
-{
- int error;
-
- mac_init_structmac(mac);
- MAC_CHECK(externalize, label, mac);
-
- return (error);
-}
-
-static int
-mac_internalize(struct label *label, struct mac *mac)
-{
- int error;
-
- mac_init_temp(label);
- MAC_CHECK(internalize, label, mac);
- if (error)
- mac_destroy_temp(label);
-
- return (error);
-}
-
-/*
- * Initialize MAC label for the first kernel process, from which other
- * kernel processes and threads are spawned.
- */
-void
-mac_create_proc0(struct ucred *cred)
-{
-
- MAC_PERFORM(create_proc0, cred);
-}
-
-/*
- * Initialize MAC label for the first userland process, from which other
- * userland processes and threads are spawned.
- */
-void
-mac_create_proc1(struct ucred *cred)
-{
-
- MAC_PERFORM(create_proc1, cred);
-}
-
-void
-mac_thread_userret(struct thread *td)
-{
-
- MAC_PERFORM(thread_userret, td);
-}
-
-/*
- * When a new process is created, its label must be initialized. Generally,
- * this involves inheritence from the parent process, modulo possible
- * deltas. This function allows that processing to take place.
- */
-void
-mac_create_cred(struct ucred *parent_cred, struct ucred *child_cred)
-{
-
- MAC_PERFORM(create_cred, parent_cred, child_cred);
-}
-
int
mac_check_vnode_access(struct ucred *cred, struct vnode *vp, int flags)
{
diff --git a/sys/security/mac/mac_internal.h b/sys/security/mac/mac_internal.h
index c56a1cc..d96abb2 100644
--- a/sys/security/mac/mac_internal.h
+++ b/sys/security/mac/mac_internal.h
@@ -1301,6 +1301,71 @@ mac_destroy_devfsdirent(struct devfs_dirent *de)
#endif
}
+static int
+mac_externalize(struct label *label, struct mac *mac)
+{
+ int error;
+
+ mac_init_structmac(mac);
+ MAC_CHECK(externalize, label, mac);
+
+ return (error);
+}
+
+static int
+mac_internalize(struct label *label, struct mac *mac)
+{
+ int error;
+
+ mac_init_temp(label);
+ MAC_CHECK(internalize, label, mac);
+ if (error)
+ mac_destroy_temp(label);
+
+ return (error);
+}
+
+/*
+ * Initialize MAC label for the first kernel process, from which other
+ * kernel processes and threads are spawned.
+ */
+void
+mac_create_proc0(struct ucred *cred)
+{
+
+ MAC_PERFORM(create_proc0, cred);
+}
+
+/*
+ * Initialize MAC label for the first userland process, from which other
+ * userland processes and threads are spawned.
+ */
+void
+mac_create_proc1(struct ucred *cred)
+{
+
+ MAC_PERFORM(create_proc1, cred);
+}
+
+void
+mac_thread_userret(struct thread *td)
+{
+
+ MAC_PERFORM(thread_userret, td);
+}
+
+/*
+ * When a new process is created, its label must be initialized. Generally,
+ * this involves inheritence from the parent process, modulo possible
+ * deltas. This function allows that processing to take place.
+ */
+void
+mac_create_cred(struct ucred *parent_cred, struct ucred *child_cred)
+{
+
+ MAC_PERFORM(create_cred, parent_cred, child_cred);
+}
+
void
mac_update_devfsdirent(struct devfs_dirent *de, struct vnode *vp)
{
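Review bot: This section puts full definitions of external functions (`mac_create_proc0`, `mac_create_proc1`, `mac_thread_userret`, `mac_create_cred`) and two `static` helpers into a header, `mac_internal.h`. If more than one translation unit includes it, the non-static definitions would collide at link time and every includer would get a private copy of the static ones; a header should carry only prototypes such as `void mac_create_proc0(struct ucred *cred);`. The `index c56a1cc..d96abb2` line is identical to the `.c` sections, so this may be a repository-copy artifact rather than intended header content, which is worth confirming before reading this file's history as authoritative.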
@@ -1586,71 +1651,6 @@ mac_execve_will_transition(struct ucred *old, struct vnode *vp)
return (result);
}
-static int
-mac_externalize(struct label *label, struct mac *mac)
-{
- int error;
-
- mac_init_structmac(mac);
- MAC_CHECK(externalize, label, mac);
-
- return (error);
-}
-
-static int
-mac_internalize(struct label *label, struct mac *mac)
-{
- int error;
-
- mac_init_temp(label);
- MAC_CHECK(internalize, label, mac);
- if (error)
- mac_destroy_temp(label);
-
- return (error);
-}
-
-/*
- * Initialize MAC label for the first kernel process, from which other
- * kernel processes and threads are spawned.
- */
-void
-mac_create_proc0(struct ucred *cred)
-{
-
- MAC_PERFORM(create_proc0, cred);
-}
-
-/*
- * Initialize MAC label for the first userland process, from which other
- * userland processes and threads are spawned.
- */
-void
-mac_create_proc1(struct ucred *cred)
-{
-
- MAC_PERFORM(create_proc1, cred);
-}
-
-void
-mac_thread_userret(struct thread *td)
-{
-
- MAC_PERFORM(thread_userret, td);
-}
-
-/*
- * When a new process is created, its label must be initialized. Generally,
- * this involves inheritence from the parent process, modulo possible
- * deltas. This function allows that processing to take place.
- */
-void
-mac_create_cred(struct ucred *parent_cred, struct ucred *child_cred)
-{
-
- MAC_PERFORM(create_cred, parent_cred, child_cred);
-}
-
int
mac_check_vnode_access(struct ucred *cred, struct vnode *vp, int flags)
{
diff --git a/sys/security/mac/mac_net.c b/sys/security/mac/mac_net.c
index c56a1cc..d96abb2 100644
--- a/sys/security/mac/mac_net.c
+++ b/sys/security/mac/mac_net.c
@@ -1301,6 +1301,71 @@ mac_destroy_devfsdirent(struct devfs_dirent *de)
#endif
}
+static int
+mac_externalize(struct label *label, struct mac *mac)
+{
+ int error;
+
+ mac_init_structmac(mac);
+ MAC_CHECK(externalize, label, mac);
+
+ return (error);
+}
+
+static int
+mac_internalize(struct label *label, struct mac *mac)
+{
+ int error;
+
+ mac_init_temp(label);
+ MAC_CHECK(internalize, label, mac);
+ if (error)
+ mac_destroy_temp(label);
+
+ return (error);
+}
+
+/*
+ * Initialize MAC label for the first kernel process, from which other
+ * kernel processes and threads are spawned.
+ */
+void
+mac_create_proc0(struct ucred *cred)
+{
+
+ MAC_PERFORM(create_proc0, cred);
+}
+
+/*
+ * Initialize MAC label for the first userland process, from which other
+ * userland processes and threads are spawned.
+ */
+void
+mac_create_proc1(struct ucred *cred)
+{
+
+ MAC_PERFORM(create_proc1, cred);
+}
+
+void
+mac_thread_userret(struct thread *td)
+{
+
+ MAC_PERFORM(thread_userret, td);
+}
+
+/*
+ * When a new process is created, its label must be initialized. Generally,
+ * this involves inheritence from the parent process, modulo possible
+ * deltas. This function allows that processing to take place.
+ */
+void
+mac_create_cred(struct ucred *parent_cred, struct ucred *child_cred)
+{
+
+ MAC_PERFORM(create_cred, parent_cred, child_cred);
+}
+
void
mac_update_devfsdirent(struct devfs_dirent *de, struct vnode *vp)
{
@@ -1586,71 +1651,6 @@ mac_execve_will_transition(struct ucred *old, struct vnode *vp)
return (result);
}
-static int
-mac_externalize(struct label *label, struct mac *mac)
-{
- int error;
-
- mac_init_structmac(mac);
- MAC_CHECK(externalize, label, mac);
-
- return (error);
-}
-
-static int
-mac_internalize(struct label *label, struct mac *mac)
-{
- int error;
-
- mac_init_temp(label);
- MAC_CHECK(internalize, label, mac);
- if (error)
- mac_destroy_temp(label);
-
- return (error);
-}
-
-/*
- * Initialize MAC label for the first kernel process, from which other
- * kernel processes and threads are spawned.
- */
-void
-mac_create_proc0(struct ucred *cred)
-{
-
- MAC_PERFORM(create_proc0, cred);
-}
-
-/*
- * Initialize MAC label for the first userland process, from which other
- * userland processes and threads are spawned.
- */
-void
-mac_create_proc1(struct ucred *cred)
-{
-
- MAC_PERFORM(create_proc1, cred);
-}
-
-void
-mac_thread_userret(struct thread *td)
-{
-
- MAC_PERFORM(thread_userret, td);
-}
-
-/*
- * When a new process is created, its label must be initialized. Generally,
- * this involves inheritence from the parent process, modulo possible
- * deltas. This function allows that processing to take place.
- */
-void
-mac_create_cred(struct ucred *parent_cred, struct ucred *child_cred)
-{
-
- MAC_PERFORM(create_cred, parent_cred, child_cred);
-}
-
int
mac_check_vnode_access(struct ucred *cred, struct vnode *vp, int flags)
{
diff --git a/sys/security/mac/mac_pipe.c b/sys/security/mac/mac_pipe.c
index c56a1cc..d96abb2 100644
--- a/sys/security/mac/mac_pipe.c
+++ b/sys/security/mac/mac_pipe.c
@@ -1301,6 +1301,71 @@ mac_destroy_devfsdirent(struct devfs_dirent *de)
#endif
}
+static int
+mac_externalize(struct label *label, struct mac *mac)
+{
+ int error;
+
+ mac_init_structmac(mac);
+ MAC_CHECK(externalize, label, mac);
+
+ return (error);
+}
+
+static int
+mac_internalize(struct label *label, struct mac *mac)
+{
+ int error;
+
+ mac_init_temp(label);
+ MAC_CHECK(internalize, label, mac);
+ if (error)
+ mac_destroy_temp(label);
+
+ return (error);
+}
+
+/*
+ * Initialize MAC label for the first kernel process, from which other
+ * kernel processes and threads are spawned.
+ */
+void
+mac_create_proc0(struct ucred *cred)
+{
+
+ MAC_PERFORM(create_proc0, cred);
+}
+
+/*
+ * Initialize MAC label for the first userland process, from which other
+ * userland processes and threads are spawned.
+ */
+void
+mac_create_proc1(struct ucred *cred)
+{
+
+ MAC_PERFORM(create_proc1, cred);
+}
+
+void
+mac_thread_userret(struct thread *td)
+{
+
+ MAC_PERFORM(thread_userret, td);
+}
+
+/*
+ * When a new process is created, its label must be initialized. Generally,
+ * this involves inheritence from the parent process, modulo possible
+ * deltas. This function allows that processing to take place.
+ */
+void
+mac_create_cred(struct ucred *parent_cred, struct ucred *child_cred)
+{
+
+ MAC_PERFORM(create_cred, parent_cred, child_cred);
+}
+
void
mac_update_devfsdirent(struct devfs_dirent *de, struct vnode *vp)
{
@@ -1586,71 +1651,6 @@ mac_execve_will_transition(struct ucred *old, struct vnode *vp)
return (result);
}
-static int
-mac_externalize(struct label *label, struct mac *mac)
-{
- int error;
-
- mac_init_structmac(mac);
- MAC_CHECK(externalize, label, mac);
-
- return (error);
-}
-
-static int
-mac_internalize(struct label *label, struct mac *mac)
-{
- int error;
-
- mac_init_temp(label);
- MAC_CHECK(internalize, label, mac);
- if (error)
- mac_destroy_temp(label);
-
- return (error);
-}
-
-/*
- * Initialize MAC label for the first kernel process, from which other
- * kernel processes and threads are spawned.
- */
-void
-mac_create_proc0(struct ucred *cred)
-{
-
- MAC_PERFORM(create_proc0, cred);
-}
-
-/*
- * Initialize MAC label for the first userland process, from which other
- * userland processes and threads are spawned.
- */
-void
-mac_create_proc1(struct ucred *cred)
-{
-
- MAC_PERFORM(create_proc1, cred);
-}
-
-void
-mac_thread_userret(struct thread *td)
-{
-
- MAC_PERFORM(thread_userret, td);
-}
-
-/*
- * When a new process is created, its label must be initialized. Generally,
- * this involves inheritence from the parent process, modulo possible
- * deltas. This function allows that processing to take place.
- */
-void
-mac_create_cred(struct ucred *parent_cred, struct ucred *child_cred)
-{
-
- MAC_PERFORM(create_cred, parent_cred, child_cred);
-}
-
int
mac_check_vnode_access(struct ucred *cred, struct vnode *vp, int flags)
{
diff --git a/sys/security/mac/mac_process.c b/sys/security/mac/mac_process.c
index c56a1cc..d96abb2 100644
--- a/sys/security/mac/mac_process.c
+++ b/sys/security/mac/mac_process.c
@@ -1301,6 +1301,71 @@ mac_destroy_devfsdirent(struct devfs_dirent *de)
#endif
}
+static int
+mac_externalize(struct label *label, struct mac *mac)
+{
+ int error;
+
+ mac_init_structmac(mac);
+ MAC_CHECK(externalize, label, mac);
+
+ return (error);
+}
+
+static int
+mac_internalize(struct label *label, struct mac *mac)
+{
+ int error;
+
+ mac_init_temp(label);
+ MAC_CHECK(internalize, label, mac);
+ if (error)
+ mac_destroy_temp(label);
+
+ return (error);
+}
+
+/*
+ * Initialize MAC label for the first kernel process, from which other
+ * kernel processes and threads are spawned.
+ */
+void
+mac_create_proc0(struct ucred *cred)
+{
+
+ MAC_PERFORM(create_proc0, cred);
+}
+
+/*
+ * Initialize MAC label for the first userland process, from which other
+ * userland processes and threads are spawned.
+ */
+void
+mac_create_proc1(struct ucred *cred)
+{
+
+ MAC_PERFORM(create_proc1, cred);
+}
+
+void
+mac_thread_userret(struct thread *td)
+{
+
+ MAC_PERFORM(thread_userret, td);
+}
+
+/*
+ * When a new process is created, its label must be initialized. Generally,
+ * this involves inheritence from the parent process, modulo possible
+ * deltas. This function allows that processing to take place.
+ */
+void
+mac_create_cred(struct ucred *parent_cred, struct ucred *child_cred)
+{
+
+ MAC_PERFORM(create_cred, parent_cred, child_cred);
+}
+
void
mac_update_devfsdirent(struct devfs_dirent *de, struct vnode *vp)
{
@@ -1586,71 +1651,6 @@ mac_execve_will_transition(struct ucred *old, struct vnode *vp)
return (result);
}
-static int
-mac_externalize(struct label *label, struct mac *mac)
-{
- int error;
-
- mac_init_structmac(mac);
- MAC_CHECK(externalize, label, mac);
-
- return (error);
-}
-
-static int
-mac_internalize(struct label *label, struct mac *mac)
-{
- int error;
-
- mac_init_temp(label);
- MAC_CHECK(internalize, label, mac);
- if (error)
- mac_destroy_temp(label);
-
- return (error);
-}
-
-/*
- * Initialize MAC label for the first kernel process, from which other
- * kernel processes and threads are spawned.
- */
-void
-mac_create_proc0(struct ucred *cred)
-{
-
- MAC_PERFORM(create_proc0, cred);
-}
-
-/*
- * Initialize MAC label for the first userland process, from which other
- * userland processes and threads are spawned.
- */
-void
-mac_create_proc1(struct ucred *cred)
-{
-
- MAC_PERFORM(create_proc1, cred);
-}
-
-void
-mac_thread_userret(struct thread *td)
-{
-
- MAC_PERFORM(thread_userret, td);
-}
-
-/*
- * When a new process is created, its label must be initialized. Generally,
- * this involves inheritence from the parent process, modulo possible
- * deltas. This function allows that processing to take place.
- */
-void
-mac_create_cred(struct ucred *parent_cred, struct ucred *child_cred)
-{
-
- MAC_PERFORM(create_cred, parent_cred, child_cred);
-}
-
int
mac_check_vnode_access(struct ucred *cred, struct vnode *vp, int flags)
{
diff --git a/sys/security/mac/mac_syscalls.c b/sys/security/mac/mac_syscalls.c
index c56a1cc..d96abb2 100644
--- a/sys/security/mac/mac_syscalls.c
+++ b/sys/security/mac/mac_syscalls.c
@@ -1301,6 +1301,71 @@ mac_destroy_devfsdirent(struct devfs_dirent *de)
#endif
}
+static int
+mac_externalize(struct label *label, struct mac *mac)
+{
+ int error;
+
+ mac_init_structmac(mac);
+ MAC_CHECK(externalize, label, mac);
+
+ return (error);
+}
+
+static int
+mac_internalize(struct label *label, struct mac *mac)
+{
+ int error;
+
+ mac_init_temp(label);
+ MAC_CHECK(internalize, label, mac);
+ if (error)
+ mac_destroy_temp(label);
+
+ return (error);
+}
+
+/*
+ * Initialize MAC label for the first kernel process, from which other
+ * kernel processes and threads are spawned.
+ */
+void
+mac_create_proc0(struct ucred *cred)
+{
+
+ MAC_PERFORM(create_proc0, cred);
+}
+
+/*
+ * Initialize MAC label for the first userland process, from which other
+ * userland processes and threads are spawned.
+ */
+void
+mac_create_proc1(struct ucred *cred)
+{
+
+ MAC_PERFORM(create_proc1, cred);
+}
+
+void
+mac_thread_userret(struct thread *td)
+{
+
+ MAC_PERFORM(thread_userret, td);
+}
+
+/*
+ * When a new process is created, its label must be initialized. Generally,
+ * this involves inheritence from the parent process, modulo possible
+ * deltas. This function allows that processing to take place.
+ */
+void
+mac_create_cred(struct ucred *parent_cred, struct ucred *child_cred)
+{
+
+ MAC_PERFORM(create_cred, parent_cred, child_cred);
+}
+
void
mac_update_devfsdirent(struct devfs_dirent *de, struct vnode *vp)
{
@@ -1586,71 +1651,6 @@ mac_execve_will_transition(struct ucred *old, struct vnode *vp)
return (result);
}
-static int
-mac_externalize(struct label *label, struct mac *mac)
-{
- int error;
-
- mac_init_structmac(mac);
- MAC_CHECK(externalize, label, mac);
-
- return (error);
-}
-
-static int
-mac_internalize(struct label *label, struct mac *mac)
-{
- int error;
-
- mac_init_temp(label);
- MAC_CHECK(internalize, label, mac);
- if (error)
- mac_destroy_temp(label);
-
- return (error);
-}
-
-/*
- * Initialize MAC label for the first kernel process, from which other
- * kernel processes and threads are spawned.
- */
-void
-mac_create_proc0(struct ucred *cred)
-{
-
- MAC_PERFORM(create_proc0, cred);
-}
-
-/*
- * Initialize MAC label for the first userland process, from which other
- * userland processes and threads are spawned.
- */
-void
-mac_create_proc1(struct ucred *cred)
-{
-
- MAC_PERFORM(create_proc1, cred);
-}
-
-void
-mac_thread_userret(struct thread *td)
-{
-
- MAC_PERFORM(thread_userret, td);
-}
-
-/*
- * When a new process is created, its label must be initialized. Generally,
- * this involves inheritence from the parent process, modulo possible
- * deltas. This function allows that processing to take place.
- */
-void
-mac_create_cred(struct ucred *parent_cred, struct ucred *child_cred)
-{
-
- MAC_PERFORM(create_cred, parent_cred, child_cred);
-}
-
int
mac_check_vnode_access(struct ucred *cred, struct vnode *vp, int flags)
{
diff --git a/sys/security/mac/mac_system.c b/sys/security/mac/mac_system.c
index c56a1cc..d96abb2 100644
--- a/sys/security/mac/mac_system.c
+++ b/sys/security/mac/mac_system.c
@@ -1301,6 +1301,71 @@ mac_destroy_devfsdirent(struct devfs_dirent *de)
#endif
}
+static int
+mac_externalize(struct label *label, struct mac *mac)
+{
+ int error;
+
+ mac_init_structmac(mac);
+ MAC_CHECK(externalize, label, mac);
+
+ return (error);
+}
+
+static int
+mac_internalize(struct label *label, struct mac *mac)
+{
+ int error;
+
+ mac_init_temp(label);
+ MAC_CHECK(internalize, label, mac);
+ if (error)
+ mac_destroy_temp(label);
+
+ return (error);
+}
+
+/*
+ * Initialize MAC label for the first kernel process, from which other
+ * kernel processes and threads are spawned.
+ */
+void
+mac_create_proc0(struct ucred *cred)
+{
+
+ MAC_PERFORM(create_proc0, cred);
+}
+
+/*
+ * Initialize MAC label for the first userland process, from which other
+ * userland processes and threads are spawned.
+ */
+void
+mac_create_proc1(struct ucred *cred)
+{
+
+ MAC_PERFORM(create_proc1, cred);
+}
+
+void
+mac_thread_userret(struct thread *td)
+{
+
+ MAC_PERFORM(thread_userret, td);
+}
+
+/*
+ * When a new process is created, its label must be initialized. Generally,
+ * this involves inheritence from the parent process, modulo possible
+ * deltas. This function allows that processing to take place.
+ */
+void
+mac_create_cred(struct ucred *parent_cred, struct ucred *child_cred)
+{
+
+ MAC_PERFORM(create_cred, parent_cred, child_cred);
+}
+
void
mac_update_devfsdirent(struct devfs_dirent *de, struct vnode *vp)
{
@@ -1586,71 +1651,6 @@ mac_execve_will_transition(struct ucred *old, struct vnode *vp)
return (result);
}
-static int
-mac_externalize(struct label *label, struct mac *mac)
-{
- int error;
-
- mac_init_structmac(mac);
- MAC_CHECK(externalize, label, mac);
-
- return (error);
-}
-
-static int
-mac_internalize(struct label *label, struct mac *mac)
-{
- int error;
-
- mac_init_temp(label);
- MAC_CHECK(internalize, label, mac);
- if (error)
- mac_destroy_temp(label);
-
- return (error);
-}
-
-/*
- * Initialize MAC label for the first kernel process, from which other
- * kernel processes and threads are spawned.
- */
-void
-mac_create_proc0(struct ucred *cred)
-{
-
- MAC_PERFORM(create_proc0, cred);
-}
-
-/*
- * Initialize MAC label for the first userland process, from which other
- * userland processes and threads are spawned.
- */
-void
-mac_create_proc1(struct ucred *cred)
-{
-
- MAC_PERFORM(create_proc1, cred);
-}
-
-void
-mac_thread_userret(struct thread *td)
-{
-
- MAC_PERFORM(thread_userret, td);
-}
-
-/*
- * When a new process is created, its label must be initialized. Generally,
- * this involves inheritence from the parent process, modulo possible
- * deltas. This function allows that processing to take place.
- */
-void
-mac_create_cred(struct ucred *parent_cred, struct ucred *child_cred)
-{
-
- MAC_PERFORM(create_cred, parent_cred, child_cred);
-}
-
int
mac_check_vnode_access(struct ucred *cred, struct vnode *vp, int flags)
{
diff --git a/sys/security/mac/mac_vfs.c b/sys/security/mac/mac_vfs.c
index c56a1cc..d96abb2 100644
--- a/sys/security/mac/mac_vfs.c
+++ b/sys/security/mac/mac_vfs.c
@@ -1301,6 +1301,71 @@ mac_destroy_devfsdirent(struct devfs_dirent *de)
#endif
}
+static int
+mac_externalize(struct label *label, struct mac *mac)
+{
+ int error;
+
+ mac_init_structmac(mac);
+ MAC_CHECK(externalize, label, mac);
+
+ return (error);
+}
+
+static int
+mac_internalize(struct label *label, struct mac *mac)
+{
+ int error;
+
+ mac_init_temp(label);
+ MAC_CHECK(internalize, label, mac);
+ if (error)
+ mac_destroy_temp(label);
+
+ return (error);
+}
+
+/*
+ * Initialize MAC label for the first kernel process, from which other
+ * kernel processes and threads are spawned.
+ */
+void
+mac_create_proc0(struct ucred *cred)
+{
+
+ MAC_PERFORM(create_proc0, cred);
+}
+
+/*
+ * Initialize MAC label for the first userland process, from which other
+ * userland processes and threads are spawned.
+ */
+void
+mac_create_proc1(struct ucred *cred)
+{
+
+ MAC_PERFORM(create_proc1, cred);
+}
+
+void
+mac_thread_userret(struct thread *td)
+{
+
+ MAC_PERFORM(thread_userret, td);
+}
+
+/*
+ * When a new process is created, its label must be initialized. Generally,
+ * this involves inheritence from the parent process, modulo possible
+ * deltas. This function allows that processing to take place.
+ */
+void
+mac_create_cred(struct ucred *parent_cred, struct ucred *child_cred)
+{
+
+ MAC_PERFORM(create_cred, parent_cred, child_cred);
+}
+
void
mac_update_devfsdirent(struct devfs_dirent *de, struct vnode *vp)
{
@@ -1586,71 +1651,6 @@ mac_execve_will_transition(struct ucred *old, struct vnode *vp)
return (result);
}
-static int
-mac_externalize(struct label *label, struct mac *mac)
-{
- int error;
-
- mac_init_structmac(mac);
- MAC_CHECK(externalize, label, mac);
-
- return (error);
-}
-
-static int
-mac_internalize(struct label *label, struct mac *mac)
-{
- int error;
-
- mac_init_temp(label);
- MAC_CHECK(internalize, label, mac);
- if (error)
- mac_destroy_temp(label);
-
- return (error);
-}
-
-/*
- * Initialize MAC label for the first kernel process, from which other
- * kernel processes and threads are spawned.
- */
-void
-mac_create_proc0(struct ucred *cred)
-{
-
- MAC_PERFORM(create_proc0, cred);
-}
-
-/*
- * Initialize MAC label for the first userland process, from which other
- * userland processes and threads are spawned.
- */
-void
-mac_create_proc1(struct ucred *cred)
-{
-
- MAC_PERFORM(create_proc1, cred);
-}
-
-void
-mac_thread_userret(struct thread *td)
-{
-
- MAC_PERFORM(thread_userret, td);
-}
-
-/*
- * When a new process is created, its label must be initialized. Generally,
- * this involves inheritence from the parent process, modulo possible
- * deltas. This function allows that processing to take place.
- */
-void
-mac_create_cred(struct ucred *parent_cred, struct ucred *child_cred)
-{
-
- MAC_PERFORM(create_cred, parent_cred, child_cred);
-}
-
int
mac_check_vnode_access(struct ucred *cred, struct vnode *vp, int flags)
{