author | rwatson <rwatson@FreeBSD.org> | 2008-08-23 15:26:36 +0000 |
---|---|---|
committer | rwatson <rwatson@FreeBSD.org> | 2008-08-23 15:26:36 +0000 |
commit | 78a117e6fa3ea5484baa385417846432dcafd758 (patch) | |
tree | 5219c0b4d17dd1dcbcb5fda367c1905a0929ee2b /sys/security/mac/mac_policy.h | |
parent | 36dc0db8e1fa12d3f6a38164a5fb1ae82fc45eba (diff) | |
Introduce two related changes to the TrustedBSD MAC Framework:
(1) Abstract interpreter vnode labeling in execve(2) and mac_execve(2)
so that the general exec code isn't aware of the details of
allocating, copying, and freeing labels, rather, simply passes in
a void pointer to start and stop functions that will be used by
the framework. This change will be MFC'd.
(2) Introduce a new flags field to the MAC_POLICY_SET(9) interface
allowing policies to declare which types of objects require label
allocation, initialization, and destruction, and define a set of
flags covering various supported object types (MPC_OBJECT_PROC,
MPC_OBJECT_VNODE, MPC_OBJECT_INPCB, ...). This change reduces the
overhead of compiling the MAC Framework into the kernel if policies
aren't loaded, or if policies require labels on only a small number
or even no object types. Each time a policy is loaded or unloaded,
we recalculate a mask of labeled object types across all policies
present in the system. Eliminate MAC_ALWAYS_LABEL_MBUF option as it
is no longer required.
MFC after: 1 week ((1) only)
Reviewed by: csjp
Obtained from: TrustedBSD Project
Sponsored by: Apple, Inc.
Diffstat (limited to 'sys/security/mac/mac_policy.h')
-rw-r--r-- | sys/security/mac/mac_policy.h | 45 |
1 files changed, 37 insertions, 8 deletions
diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h
index 532ca24..f3104f7 100644
--- a/sys/security/mac/mac_policy.h
+++ b/sys/security/mac/mac_policy.h
@@ -2,6 +2,7 @@
  * Copyright (c) 1999-2002, 2007 Robert N. M. Watson
  * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
  * Copyright (c) 2005-2006 SPARTA, Inc.
+ * Copyright (c) 2008 Apple Inc.
  * All rights reserved.
  *
  * This software was developed by Robert Watson for the TrustedBSD Project.
@@ -929,17 +930,44 @@ struct mac_policy_conf {
 	int mpc_loadtime_flags; /* flags */
 	int *mpc_field_off; /* security field */
 	int mpc_runtime_flags; /* flags */
+	int _mpc_spare1; /* Spare. */
+	uint64_t mpc_labeled; /* Labeled objects. */
+	uint64_t _mpc_spare2; /* Spare. */
+	void *_mpc_spare3; /* Spare. */
 	LIST_ENTRY(mac_policy_conf) mpc_list; /* global list */
 };
 
 /* Flags for the mpc_loadtime_flags field. */
 #define MPC_LOADTIME_FLAG_NOTLATE 0x00000001
 #define MPC_LOADTIME_FLAG_UNLOADOK 0x00000002
-#define MPC_LOADTIME_FLAG_LABELMBUFS 0x00000004
 
 /* Flags for the mpc_runtime_flags field. */
 #define MPC_RUNTIME_FLAG_REGISTERED 0x00000001
 
+/*
+ * Flags for mpc_labeled declaring which objects should have labels allocated
+ * for them by the MAC Framework.
+ */
+#define MPC_OBJECT_CRED 0x0000000000000001
+#define MPC_OBJECT_PROC 0x0000000000000002
+#define MPC_OBJECT_VNODE 0x0000000000000004
+#define MPC_OBJECT_INPCB 0x0000000000000008
+#define MPC_OBJECT_SOCKET 0x0000000000000010
+#define MPC_OBJECT_DEVFS 0x0000000000000020
+#define MPC_OBJECT_MBUF 0x0000000000000040
+#define MPC_OBJECT_IPQ 0x0000000000000080
+#define MPC_OBJECT_IFNET 0x0000000000000100
+#define MPC_OBJECT_BPFDESC 0x0000000000000200
+#define MPC_OBJECT_PIPE 0x0000000000000400
+#define MPC_OBJECT_MOUNT 0x0000000000000800
+#define MPC_OBJECT_POSIXSEM 0x0000000000001000
+#define MPC_OBJECT_POSIXSHM 0x0000000000002000
+#define MPC_OBJECT_SYSVMSG 0x0000000000004000
+#define MPC_OBJECT_SYSVMSQ 0x0000000000008000
+#define MPC_OBJECT_SYSVSEM 0x0000000000010000
+#define MPC_OBJECT_SYSVSHM 0x0000000000020000
+#define MPC_OBJECT_SYNCACHE 0x0000000000040000
+
 /*-
  * The TrustedBSD MAC Framework has a major version number, MAC_VERSION,
  * which defines the ABI of the Framework present in the kernel (and depended
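Review bot: struct mac_policy_conf gains four new fields ahead of mpc_list in this hunk, which changes the size and layout of the structure every policy module hands to the framework, yet MAC_VERSION is left at 4 in the context of the following hunk, right under the comment saying it "defines the ABI of the Framework". If MAC_VERSION is what the framework compares at policy load time, a policy built against the old layout would presumably pass that check while handing over a struct of the wrong size; either bump the version or state in the header that policies must be rebuilt against this revision. The same applies to the removal of MPC_LOADTIME_FLAG_LABELMBUFS: a comment such as `/* MPC_LOADTIME_FLAG_LABELMBUFS removed; declare MPC_OBJECT_MBUF in mpc_labeled instead. */` would steer a policy author to the replacement rather than leaving a silent compile failure. The diff is limited to this header, so I cannot see whether the in-tree MAC_POLICY_SET callers and the policies that used the old mbuf flag were updated in the same commit.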
@@ -955,14 +983,15 @@ struct mac_policy_conf {
  */
 #define MAC_VERSION 4
 
-#define MAC_POLICY_SET(mpops, mpname, mpfullname, mpflags, privdata_wanted) \
+#define MAC_POLICY_SET(mpops, mpname, mpfullname, mpflags, privdata_wanted, \
+ labeled) \
 	static struct mac_policy_conf mpname##_mac_policy_conf = { \
-		#mpname, \
-		mpfullname, \
-		mpops, \
-		mpflags, \
-		privdata_wanted, \
-		0, \
+		.mpc_name = #mpname, \
+		.mpc_fullname = mpfullname, \
+		.mpc_ops = mpops, \
+		.mpc_loadtime_flags = mpflags, \
+		.mpc_field_off = privdata_wanted, \
+		.mpc_labeled = labeled, \
 	}; \
 	static moduledata_t mpname##_mod = { \
 		#mpname, \
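Review bot: The new `labeled` parameter of MAC_POLICY_SET is not documented anywhere in the hunk; the only comment nearby describes MAC_VERSION, not the macro's arguments. Going by the commit description, a policy that passes 0 here gets no labels allocated on any object type, so the header should say that explicitly, e.g. a comment above the macro: `/* labeled: bitwise OR of MPC_OBJECT_* naming the object types this policy needs labels on; 0 if it labels nothing. */`. The switch to designated initializers also drops the explicit `0,` that used to initialize mpc_runtime_flags; that is harmless because the conf is static and therefore zero-initialized, but a one-line comment noting that mpc_runtime_flags and the spare fields are intentionally left to zero-initialization would spare the next reader the comparison. The macro body continues past the end of the hunk.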