authorrwatson <rwatson@FreeBSD.org>2008-08-23 15:26:36 +0000
committerrwatson <rwatson@FreeBSD.org>2008-08-23 15:26:36 +0000
commit78a117e6fa3ea5484baa385417846432dcafd758 (patch)
tree5219c0b4d17dd1dcbcb5fda367c1905a0929ee2b /sys/security/mac_biba
parent36dc0db8e1fa12d3f6a38164a5fb1ae82fc45eba (diff)
Introduce two related changes to the TrustedBSD MAC Framework:
(1) Abstract interpreter vnode labeling in execve(2) and mac_execve(2) so that the general exec code isn't aware of the details of allocating, copying, and freeing labels; rather, it simply passes in a void pointer to start and stop functions that will be used by the framework. This change will be MFC'd.

(2) Introduce a new flags field to the MAC_POLICY_SET(9) interface allowing policies to declare which types of objects require label allocation, initialization, and destruction, and define a set of flags covering various supported object types (MPC_OBJECT_PROC, MPC_OBJECT_VNODE, MPC_OBJECT_INPCB, ...). This change reduces the overhead of compiling the MAC Framework into the kernel if policies aren't loaded, or if policies require labels on only a small number of object types, or even none. Each time a policy is loaded or unloaded, we recalculate a mask of labeled object types across all policies present in the system. Eliminate the MAC_ALWAYS_LABEL_MBUF option as it is no longer required.

MFC after: 1 week ((1) only)
Reviewed by: csjp
Obtained from: TrustedBSD Project
Sponsored by: Apple, Inc.
Diffstat (limited to 'sys/security/mac_biba')
-rw-r--r--sys/security/mac_biba/mac_biba.c22
1 files changed, 21 insertions, 1 deletions
diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c
index 6b280cf..aaf85b8 100644
--- a/sys/security/mac_biba/mac_biba.c
+++ b/sys/security/mac_biba/mac_biba.c
@@ -3474,5 +3474,25 @@ static struct mac_policy_ops mac_biba_ops =
.mpo_vnode_setlabel_extattr = biba_vnode_setlabel_extattr,
};
+#define BIBA_OBJECTS (MPC_OBJECT_CRED | \
+ /* MPC_OBJECT_PROC | */ \
+ MPC_OBJECT_VNODE | \
+ MPC_OBJECT_INPCB | \
+ MPC_OBJECT_SOCKET | \
+ MPC_OBJECT_DEVFS | \
+ MPC_OBJECT_MBUF | \
+ MPC_OBJECT_IPQ | \
+ MPC_OBJECT_IFNET | \
+ MPC_OBJECT_BPFDESC | \
+ MPC_OBJECT_PIPE | \
+ MPC_OBJECT_MOUNT | \
+ MPC_OBJECT_POSIXSEM | \
+ /* MPC_OBJECT_POSIXSHM | */ \
+ MPC_OBJECT_SYSVMSG | \
+ MPC_OBJECT_SYSVMSQ | \
+ MPC_OBJECT_SYSVSEM | \
+ MPC_OBJECT_SYSVSHM | \
+ MPC_OBJECT_SYNCACHE)
+
MAC_POLICY_SET(&mac_biba_ops, mac_biba, "TrustedBSD MAC/Biba",
- MPC_LOADTIME_FLAG_NOTLATE | MPC_LOADTIME_FLAG_LABELMBUFS, &biba_slot);
+ MPC_LOADTIME_FLAG_NOTLATE, &biba_slot, BIBA_OBJECTS);
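Review bot: The two commented-out entries in BIBA_OBJECTS (`/* MPC_OBJECT_PROC | */` and `/* MPC_OBJECT_POSIXSHM | */`) carry no rationale, and per the commit description the framework now allocates and initializes labels only for the types a policy flags, so this mask must agree exactly with the object types whose labels the entry points in mac_biba_ops read or write — an entry point for an unflagged type would, if I read the new scheme correctly, operate on a label that was never allocated, while a flagged type with no Biba ops just wastes allocation. A short comment above the `#define` would make the contract explicit and keep the two lists in sync on future edits, e.g. `/* Object types Biba labels; must match the label-using entry points in mac_biba_ops above. PROC and POSIXSHM are intentionally omitted — TODO(review): record why (no Biba ops for them?). */`. Note that the mac_biba_ops initializer begins outside this hunk, so whether it contains any proc or posixshm entry points cannot be confirmed from the diff alone.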