author | rwatson <rwatson@FreeBSD.org> | 2008-10-28 11:33:06 +0000 |
---|---|---|
committer | rwatson <rwatson@FreeBSD.org> | 2008-10-28 11:33:06 +0000 |
commit | a2129bd144d95f5685e28f05aec7ce6f4efa6b04 (patch) | |
tree | c420c1b771a2ef873bf25185956726906057b6fe /sys/security/mac | |
parent | bbf1e3cc5ba01988dfb88601dbd3cc26ea619ad5 (diff) | |
download | FreeBSD-src-a2129bd144d95f5685e28f05aec7ce6f4efa6b04.zip FreeBSD-src-a2129bd144d95f5685e28f05aec7ce6f4efa6b04.tar.gz |
Rename three MAC entry points from _proc_ to _cred_ to reflect the fact
that they operate directly on credentials: mac_proc_create_swapper(),
mac_proc_create_init(), and mac_proc_associate_nfsd(). Update policies.
Obtained from: TrustedBSD Project
Diffstat (limited to 'sys/security/mac')
-rw-r--r-- | sys/security/mac/mac_framework.h | 6 | ||||
-rw-r--r-- | sys/security/mac/mac_policy.h | 12 | ||||
-rw-r--r-- | sys/security/mac/mac_process.c | 68 |
3 files changed, 43 insertions, 43 deletions
diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h
index 790b921..411fddb 100644
--- a/sys/security/mac/mac_framework.h
+++ b/sys/security/mac/mac_framework.h
@@ -103,8 +103,11 @@ void mac_bpfdesc_create_mbuf(struct bpf_d *d, struct mbuf *m);
 void mac_bpfdesc_destroy(struct bpf_d *);
 void mac_bpfdesc_init(struct bpf_d *);
+void mac_cred_associate_nfsd(struct ucred *cred);
 int mac_cred_check_visible(struct ucred *cr1, struct ucred *cr2);
 void mac_cred_copy(struct ucred *cr1, struct ucred *cr2);
+void mac_cred_create_init(struct ucred *cred);
+void mac_cred_create_swapper(struct ucred *cred);
 void mac_cred_destroy(struct ucred *);
 void mac_cred_init(struct ucred *);
@@ -227,7 +230,6 @@ void mac_posixshm_init(struct shmfd *);
 int mac_priv_check(struct ucred *cred, int priv);
 int mac_priv_grant(struct ucred *cred, int priv);
-void mac_proc_associate_nfsd(struct ucred *cred);
 int mac_proc_check_debug(struct ucred *cred, struct proc *p);
 int mac_proc_check_sched(struct ucred *cred, struct proc *p);
 int mac_proc_check_setaudit(struct ucred *cred, struct auditinfo *ai);
@@ -255,8 +257,6 @@ int mac_proc_check_setuid(struct proc *p, struct ucred *cred,
 int mac_proc_check_signal(struct ucred *cred, struct proc *p, int signum);
 int mac_proc_check_wait(struct ucred *cred, struct proc *p);
-void mac_proc_create_init(struct ucred *cred);
-void mac_proc_create_swapper(struct ucred *cred);
 void mac_proc_destroy(struct proc *);
 void mac_proc_init(struct proc *);
 int mac_execve_enter(struct image_params *imgp, struct mac *mac_p);
diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h
index 8a2f9f2..0188a38 100644
--- a/sys/security/mac/mac_policy.h
+++ b/sys/security/mac/mac_policy.h
@@ -128,12 +128,15 @@ typedef void (*mpo_bpfdesc_create_mbuf_t)(struct bpf_d *d,
 typedef void (*mpo_bpfdesc_destroy_label_t)(struct label *label);
 typedef void (*mpo_bpfdesc_init_label_t)(struct label *label);
+typedef void (*mpo_cred_associate_nfsd_t)(struct ucred *cred);
 typedef int (*mpo_cred_check_relabel_t)(struct ucred *cred, struct label *newlabel);
 typedef int (*mpo_cred_check_visible_t)(struct ucred *cr1, struct ucred *cr2);
 typedef void (*mpo_cred_copy_label_t)(struct label *src, struct label *dest);
+typedef void (*mpo_cred_create_init_t)(struct ucred *cred);
+typedef void (*mpo_cred_create_swapper_t)(struct ucred *cred);
 typedef void (*mpo_cred_destroy_label_t)(struct label *label);
 typedef int (*mpo_cred_externalize_label_t)(struct label *label, char *element_name, struct sbuf *sb, int *claimed);
@@ -345,7 +348,6 @@ typedef void (*mpo_posixshm_init_label_t)(struct label *label);
 typedef int (*mpo_priv_check_t)(struct ucred *cred, int priv);
 typedef int (*mpo_priv_grant_t)(struct ucred *cred, int priv);
-typedef void (*mpo_proc_associate_nfsd_t)(struct ucred *cred);
 typedef int (*mpo_proc_check_debug_t)(struct ucred *cred, struct proc *p);
 typedef int (*mpo_proc_check_sched_t)(struct ucred *cred,
@@ -373,8 +375,6 @@ typedef int (*mpo_proc_check_signal_t)(struct ucred *cred,
 struct proc *proc, int signum);
 typedef int (*mpo_proc_check_wait_t)(struct ucred *cred, struct proc *proc);
-typedef void (*mpo_proc_create_init_t)(struct ucred *cred);
-typedef void (*mpo_proc_create_swapper_t)(struct ucred *cred);
 typedef void (*mpo_proc_destroy_label_t)(struct label *label);
 typedef void (*mpo_proc_init_label_t)(struct label *label);
@@ -674,9 +674,12 @@ struct mac_policy_ops {
 mpo_bpfdesc_destroy_label_t mpo_bpfdesc_destroy_label;
 mpo_bpfdesc_init_label_t mpo_bpfdesc_init_label;
+ mpo_cred_associate_nfsd_t mpo_cred_associate_nfsd;
 mpo_cred_check_relabel_t mpo_cred_check_relabel;
 mpo_cred_check_visible_t mpo_cred_check_visible;
 mpo_cred_copy_label_t mpo_cred_copy_label;
+ mpo_cred_create_swapper_t mpo_cred_create_swapper;
+ mpo_cred_create_init_t mpo_cred_create_init;
 mpo_cred_destroy_label_t mpo_cred_destroy_label;
 mpo_cred_externalize_label_t mpo_cred_externalize_label;
 mpo_cred_init_label_t mpo_cred_init_label;
@@ -790,7 +793,6 @@ struct mac_policy_ops {
 mpo_priv_check_t mpo_priv_check;
 mpo_priv_grant_t mpo_priv_grant;
- mpo_proc_associate_nfsd_t mpo_proc_associate_nfsd;
 mpo_proc_check_debug_t mpo_proc_check_debug;
 mpo_proc_check_sched_t mpo_proc_check_sched;
 mpo_proc_check_setaudit_t mpo_proc_check_setaudit;
@@ -807,8 +809,6 @@ struct mac_policy_ops {
 mpo_proc_check_setresgid_t mpo_proc_check_setresgid;
 mpo_proc_check_signal_t mpo_proc_check_signal;
 mpo_proc_check_wait_t mpo_proc_check_wait;
- mpo_proc_create_swapper_t mpo_proc_create_swapper;
- mpo_proc_create_init_t mpo_proc_create_init;
 mpo_proc_destroy_label_t mpo_proc_destroy_label;
 mpo_proc_init_label_t mpo_proc_init_label;
diff --git a/sys/security/mac/mac_process.c b/sys/security/mac/mac_process.c
index 3594586..98ee6cf 100644
--- a/sys/security/mac/mac_process.c
+++ b/sys/security/mac/mac_process.c
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 1999-2002 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2008 Robert N. M. Watson
  * Copyright (c) 2001 Ilmar S. Habibulin
  * Copyright (c) 2001-2003 Networks Associates Technology, Inc.
  * Copyright (c) 2005 Samy Al Bahra
@@ -160,25 +160,20 @@ mac_proc_destroy(struct proc *p)
 }
 }
-int
-mac_cred_externalize_label(struct label *label, char *elements,
- char *outbuf, size_t outbuflen)
-{
- int error;
-
- MAC_EXTERNALIZE(cred, label, elements, outbuf, outbuflen);
-
- return (error);
-}
-
-int
-mac_cred_internalize_label(struct label *label, char *string)
+/*
+ * When a thread becomes an NFS server daemon, its credential may need to be
+ * updated to reflect this so that policies can recognize when file system
+ * operations originate from the network.
+ *
+ * At some point, it would be desirable if the credential used for each NFS
+ * RPC could be set based on the RPC context (i.e., source system, etc) to
+ * provide more fine-grained access control.
+ */
+void
+mac_cred_associate_nfsd(struct ucred *cred)
 {
- int error;
- MAC_INTERNALIZE(cred, label, string);
-
- return (error);
+ MAC_PERFORM(cred_associate_nfsd, cred);
 }
 /*
@@ -186,10 +181,10 @@ mac_cred_internalize_label(struct label *label, char *string)
  * processes and threads are spawned.
  */
 void
-mac_proc_create_swapper(struct ucred *cred)
+mac_cred_create_swapper(struct ucred *cred)
 {
- MAC_PERFORM(proc_create_swapper, cred);
+ MAC_PERFORM(cred_create_swapper, cred);
 }
 /*
@@ -197,26 +192,31 @@ mac_proc_create_swapper(struct ucred *cred)
  * userland processes and threads are spawned.
  */
 void
-mac_proc_create_init(struct ucred *cred)
+mac_cred_create_init(struct ucred *cred)
 {
- MAC_PERFORM(proc_create_init, cred);
+ MAC_PERFORM(cred_create_init, cred);
 }
-/*
- * When a thread becomes an NFS server daemon, its credential may need to be
- * updated to reflect this so that policies can recognize when file system
- * operations originate from the network.
- *
- * At some point, it would be desirable if the credential used for each NFS
- * RPC could be set based on the RPC context (i.e., source system, etc) to
- * provide more fine-grained access control.
- */
-void
-mac_proc_associate_nfsd(struct ucred *cred)
+int
+mac_cred_externalize_label(struct label *label, char *elements,
+ char *outbuf, size_t outbuflen)
 {
+ int error;
- MAC_PERFORM(proc_associate_nfsd, cred);
+ MAC_EXTERNALIZE(cred, label, elements, outbuf, outbuflen);
+
+ return (error);
+}
+
+int
+mac_cred_internalize_label(struct label *label, char *string)
+{
+ int error;
+
+ MAC_INTERNALIZE(cred, label, string);
+
+ return (error);
 }
 void
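Review bot: mac_cred_externalize_label() and mac_cred_internalize_label() are re-added in this hunk without a header comment, while every neighbouring function in the same hunk (mac_cred_create_init() here, mac_cred_associate_nfsd() in the previous hunk) carries one. A comment such as `/* Externalize/internalize a credential label through the registered policies; error is set by MAC_EXTERNALIZE / MAC_INTERNALIZE. */` above each would also explain why `error` is declared but never assigned in the visible body — presumably the macros write it, which a reader cannot confirm from the hunk. It would be worth stating in that comment whether outbuflen bounds the write into outbuf, since the visible body delegates that entirely to MAC_EXTERNALIZE. The trailing `void` on the hunk's last line opens a function whose body lies outside the hunk.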