authorrwatson <rwatson@FreeBSD.org>2008-10-28 11:33:06 +0000
committerrwatson <rwatson@FreeBSD.org>2008-10-28 11:33:06 +0000
commita2129bd144d95f5685e28f05aec7ce6f4efa6b04 (patch)
treec420c1b771a2ef873bf25185956726906057b6fe /sys/security/mac
parentbbf1e3cc5ba01988dfb88601dbd3cc26ea619ad5 (diff)
Rename three MAC entry points from _proc_ to _cred_ to reflect the fact
that they operate directly on credentials: mac_proc_create_swapper(),
mac_proc_create_init(), and mac_proc_associate_nfsd(). Update policies.

Obtained from: TrustedBSD Project
Diffstat (limited to 'sys/security/mac')
-rw-r--r--sys/security/mac/mac_framework.h6
-rw-r--r--sys/security/mac/mac_policy.h12
-rw-r--r--sys/security/mac/mac_process.c68
3 files changed, 43 insertions, 43 deletions
diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h
index 790b921..411fddb 100644
--- a/sys/security/mac/mac_framework.h
+++ b/sys/security/mac/mac_framework.h
@@ -103,8 +103,11 @@ void mac_bpfdesc_create_mbuf(struct bpf_d *d, struct mbuf *m);
void mac_bpfdesc_destroy(struct bpf_d *);
void mac_bpfdesc_init(struct bpf_d *);
+void mac_cred_associate_nfsd(struct ucred *cred);
int mac_cred_check_visible(struct ucred *cr1, struct ucred *cr2);
void mac_cred_copy(struct ucred *cr1, struct ucred *cr2);
+void mac_cred_create_init(struct ucred *cred);
+void mac_cred_create_swapper(struct ucred *cred);
void mac_cred_destroy(struct ucred *);
void mac_cred_init(struct ucred *);
@@ -227,7 +230,6 @@ void mac_posixshm_init(struct shmfd *);
int mac_priv_check(struct ucred *cred, int priv);
int mac_priv_grant(struct ucred *cred, int priv);
-void mac_proc_associate_nfsd(struct ucred *cred);
int mac_proc_check_debug(struct ucred *cred, struct proc *p);
int mac_proc_check_sched(struct ucred *cred, struct proc *p);
int mac_proc_check_setaudit(struct ucred *cred, struct auditinfo *ai);
@@ -255,8 +257,6 @@ int mac_proc_check_setuid(struct proc *p, struct ucred *cred,
int mac_proc_check_signal(struct ucred *cred, struct proc *p,
int signum);
int mac_proc_check_wait(struct ucred *cred, struct proc *p);
-void mac_proc_create_init(struct ucred *cred);
-void mac_proc_create_swapper(struct ucred *cred);
void mac_proc_destroy(struct proc *);
void mac_proc_init(struct proc *);
int mac_execve_enter(struct image_params *imgp, struct mac *mac_p);
diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h
index 8a2f9f2..0188a38 100644
--- a/sys/security/mac/mac_policy.h
+++ b/sys/security/mac/mac_policy.h
@@ -128,12 +128,15 @@ typedef void (*mpo_bpfdesc_create_mbuf_t)(struct bpf_d *d,
typedef void (*mpo_bpfdesc_destroy_label_t)(struct label *label);
typedef void (*mpo_bpfdesc_init_label_t)(struct label *label);
+typedef void (*mpo_cred_associate_nfsd_t)(struct ucred *cred);
typedef int (*mpo_cred_check_relabel_t)(struct ucred *cred,
struct label *newlabel);
typedef int (*mpo_cred_check_visible_t)(struct ucred *cr1,
struct ucred *cr2);
typedef void (*mpo_cred_copy_label_t)(struct label *src,
struct label *dest);
+typedef void (*mpo_cred_create_init_t)(struct ucred *cred);
+typedef void (*mpo_cred_create_swapper_t)(struct ucred *cred);
typedef void (*mpo_cred_destroy_label_t)(struct label *label);
typedef int (*mpo_cred_externalize_label_t)(struct label *label,
char *element_name, struct sbuf *sb, int *claimed);
@@ -345,7 +348,6 @@ typedef void (*mpo_posixshm_init_label_t)(struct label *label);
typedef int (*mpo_priv_check_t)(struct ucred *cred, int priv);
typedef int (*mpo_priv_grant_t)(struct ucred *cred, int priv);
-typedef void (*mpo_proc_associate_nfsd_t)(struct ucred *cred);
typedef int (*mpo_proc_check_debug_t)(struct ucred *cred,
struct proc *p);
typedef int (*mpo_proc_check_sched_t)(struct ucred *cred,
@@ -373,8 +375,6 @@ typedef int (*mpo_proc_check_signal_t)(struct ucred *cred,
struct proc *proc, int signum);
typedef int (*mpo_proc_check_wait_t)(struct ucred *cred,
struct proc *proc);
-typedef void (*mpo_proc_create_init_t)(struct ucred *cred);
-typedef void (*mpo_proc_create_swapper_t)(struct ucred *cred);
typedef void (*mpo_proc_destroy_label_t)(struct label *label);
typedef void (*mpo_proc_init_label_t)(struct label *label);
@@ -674,9 +674,12 @@ struct mac_policy_ops {
mpo_bpfdesc_destroy_label_t mpo_bpfdesc_destroy_label;
mpo_bpfdesc_init_label_t mpo_bpfdesc_init_label;
+ mpo_cred_associate_nfsd_t mpo_cred_associate_nfsd;
mpo_cred_check_relabel_t mpo_cred_check_relabel;
mpo_cred_check_visible_t mpo_cred_check_visible;
mpo_cred_copy_label_t mpo_cred_copy_label;
+ mpo_cred_create_swapper_t mpo_cred_create_swapper;
+ mpo_cred_create_init_t mpo_cred_create_init;
mpo_cred_destroy_label_t mpo_cred_destroy_label;
mpo_cred_externalize_label_t mpo_cred_externalize_label;
mpo_cred_init_label_t mpo_cred_init_label;
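Review bot: Adding and removing members in the middle of `struct mac_policy_ops` here (and in the two later hunks of the same struct) shifts the offset of every entry point after them, so a policy module built against the old header would have its function pointers read from the wrong slots. None of the mac_policy.h hunks on this page changes the framework's ABI version constant (`MAC_VERSION`, assuming it is defined in this header); if it is not bumped elsewhere, it should be, so that stale modules are refused at load time rather than dispatched to the wrong entry point. As a minor style point, the new members are listed as `mpo_cred_create_swapper` then `mpo_cred_create_init`, while the typedefs and prototypes added by this commit put `create_init` first. The struct definition starts and ends outside the hunk.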
@@ -790,7 +793,6 @@ struct mac_policy_ops {
mpo_priv_check_t mpo_priv_check;
mpo_priv_grant_t mpo_priv_grant;
- mpo_proc_associate_nfsd_t mpo_proc_associate_nfsd;
mpo_proc_check_debug_t mpo_proc_check_debug;
mpo_proc_check_sched_t mpo_proc_check_sched;
mpo_proc_check_setaudit_t mpo_proc_check_setaudit;
@@ -807,8 +809,6 @@ struct mac_policy_ops {
mpo_proc_check_setresgid_t mpo_proc_check_setresgid;
mpo_proc_check_signal_t mpo_proc_check_signal;
mpo_proc_check_wait_t mpo_proc_check_wait;
- mpo_proc_create_swapper_t mpo_proc_create_swapper;
- mpo_proc_create_init_t mpo_proc_create_init;
mpo_proc_destroy_label_t mpo_proc_destroy_label;
mpo_proc_init_label_t mpo_proc_init_label;
diff --git a/sys/security/mac/mac_process.c b/sys/security/mac/mac_process.c
index 3594586..98ee6cf 100644
--- a/sys/security/mac/mac_process.c
+++ b/sys/security/mac/mac_process.c
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 1999-2002 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2008 Robert N. M. Watson
* Copyright (c) 2001 Ilmar S. Habibulin
* Copyright (c) 2001-2003 Networks Associates Technology, Inc.
* Copyright (c) 2005 Samy Al Bahra
@@ -160,25 +160,20 @@ mac_proc_destroy(struct proc *p)
}
}
-int
-mac_cred_externalize_label(struct label *label, char *elements,
- char *outbuf, size_t outbuflen)
-{
- int error;
-
- MAC_EXTERNALIZE(cred, label, elements, outbuf, outbuflen);
-
- return (error);
-}
-
-int
-mac_cred_internalize_label(struct label *label, char *string)
+/*
+ * When a thread becomes an NFS server daemon, its credential may need to be
+ * updated to reflect this so that policies can recognize when file system
+ * operations originate from the network.
+ *
+ * At some point, it would be desirable if the credential used for each NFS
+ * RPC could be set based on the RPC context (i.e., source system, etc) to
+ * provide more fine-grained access control.
+ */
+void
+mac_cred_associate_nfsd(struct ucred *cred)
{
- int error;
- MAC_INTERNALIZE(cred, label, string);
-
- return (error);
+ MAC_PERFORM(cred_associate_nfsd, cred);
}
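Review bot: The comment above `mac_cred_associate_nfsd()` says the credential "may need to be updated" but does not state what the caller must guarantee about `cred`. Because the function returns void and only passes `cred` to the policies through `MAC_PERFORM`, any relabel presumably happens in place, which would also change the label seen by every other holder if the credential is shared; the callers are not visible in this diff. Once that contract is confirmed, add a sentence to the comment such as `* The caller must pass a credential it holds exclusively; policies may modify its label in place.`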
/*
@@ -186,10 +181,10 @@ mac_cred_internalize_label(struct label *label, char *string)
* processes and threads are spawned.
*/
void
-mac_proc_create_swapper(struct ucred *cred)
+mac_cred_create_swapper(struct ucred *cred)
{
- MAC_PERFORM(proc_create_swapper, cred);
+ MAC_PERFORM(cred_create_swapper, cred);
}
/*
@@ -197,26 +192,31 @@ mac_proc_create_swapper(struct ucred *cred)
* userland processes and threads are spawned.
*/
void
-mac_proc_create_init(struct ucred *cred)
+mac_cred_create_init(struct ucred *cred)
{
- MAC_PERFORM(proc_create_init, cred);
+ MAC_PERFORM(cred_create_init, cred);
}
-/*
- * When a thread becomes an NFS server daemon, its credential may need to be
- * updated to reflect this so that policies can recognize when file system
- * operations originate from the network.
- *
- * At some point, it would be desirable if the credential used for each NFS
- * RPC could be set based on the RPC context (i.e., source system, etc) to
- * provide more fine-grained access control.
- */
-void
-mac_proc_associate_nfsd(struct ucred *cred)
+int
+mac_cred_externalize_label(struct label *label, char *elements,
+ char *outbuf, size_t outbuflen)
{
+ int error;
- MAC_PERFORM(proc_associate_nfsd, cred);
+ MAC_EXTERNALIZE(cred, label, elements, outbuf, outbuflen);
+
+ return (error);
+}
+
+int
+mac_cred_internalize_label(struct label *label, char *string)
+{
+ int error;
+
+ MAC_INTERNALIZE(cred, label, string);
+
+ return (error);
}
void