authorrwatson <rwatson@FreeBSD.org>2007-10-29 13:33:06 +0000
committerrwatson <rwatson@FreeBSD.org>2007-10-29 13:33:06 +0000
commita4265719055fe445116eb2743b6aacf518bb1a8d (patch)
treeb5d3ede5fbbf1cb40c13deb6bb8e406ce58b639e /sys/security/mac_partition
parent17e940f736d56194ae75e4a2963c775a59f0a3f6 (diff)
Re-sort TrustedBSD MAC Framework policy entry point implementations and
declarations to match the (object, operation) sort order used in the framework itself.
Obtained from: TrustedBSD Project
Diffstat (limited to 'sys/security/mac_partition')
-rw-r--r--sys/security/mac_partition/mac_partition.c158
1 files changed, 81 insertions, 77 deletions
diff --git a/sys/security/mac_partition/mac_partition.c b/sys/security/mac_partition/mac_partition.c
index a3bfbe4..33a036a 100644
--- a/sys/security/mac_partition/mac_partition.c
+++ b/sys/security/mac_partition/mac_partition.c
@@ -69,123 +69,113 @@ static int partition_slot;
#define SLOT(l) mac_label_get((l), partition_slot)
#define SLOT_SET(l, v) mac_label_set((l), partition_slot, (v))
-static void
-partition_init_label(struct label *label)
+static int
+label_on_label(struct label *subject, struct label *object)
{
- SLOT_SET(label, 0);
-}
-
-static void
-partition_destroy_label(struct label *label)
-{
+ if (mac_partition_enabled == 0)
+ return (0);
- SLOT_SET(label, 0);
-}
+ if (SLOT(subject) == 0)
+ return (0);
-static void
-partition_copy_label(struct label *src, struct label *dest)
-{
+ if (SLOT(subject) == SLOT(object))
+ return (0);
- SLOT_SET(dest, SLOT(src));
+ return (EPERM);
}
+/*
+ * Object-specific entry points are sorted alphabetically by object type name
+ * and then by operation.
+ */
static int
-partition_externalize_label(struct label *label, char *element_name,
- struct sbuf *sb, int *claimed)
+partition_cred_check_relabel(struct ucred *cred, struct label *newlabel)
{
+ int error;
- if (strcmp(MAC_PARTITION_LABEL_NAME, element_name) != 0)
- return (0);
+ error = 0;
- (*claimed)++;
+ /* Treat "0" as a no-op request. */
+ if (SLOT(newlabel) != 0) {
+ /*
+ * Require BSD privilege in order to change the partition.
+ * Originally we also required that the process not be in a
+ * partition in the first place, but this didn't interact
+ * well with sendmail.
+ */
+ error = priv_check_cred(cred, PRIV_MAC_PARTITION, 0);
+ }
- if (sbuf_printf(sb, "%jd", (intmax_t)SLOT(label)) == -1)
- return (EINVAL);
- else
- return (0);
+ return (error);
}
static int
-partition_internalize_label(struct label *label, char *element_name,
- char *element_data, int *claimed)
+partition_cred_check_visible(struct ucred *cr1, struct ucred *cr2)
{
+ int error;
- if (strcmp(MAC_PARTITION_LABEL_NAME, element_name) != 0)
- return (0);
-
- (*claimed)++;
- SLOT_SET(label, strtol(element_data, NULL, 10));
- return (0);
-}
-
-static void
-partition_proc_create_swapper(struct ucred *cred)
-{
+ error = label_on_label(cr1->cr_label, cr2->cr_label);
- SLOT_SET(cred->cr_label, 0);
+ return (error == 0 ? 0 : ESRCH);
}
static void
-partition_proc_create_init(struct ucred *cred)
+partition_cred_copy_label(struct label *src, struct label *dest)
{
- SLOT_SET(cred->cr_label, 0);
+ SLOT_SET(dest, SLOT(src));
}
static void
-partition_cred_relabel(struct ucred *cred, struct label *newlabel)
+partition_cred_destroy_label(struct label *label)
{
- if (SLOT(newlabel) != 0)
- SLOT_SET(cred->cr_label, SLOT(newlabel));
+ SLOT_SET(label, 0);
}
static int
-label_on_label(struct label *subject, struct label *object)
+partition_cred_externalize_label(struct label *label, char *element_name,
+ struct sbuf *sb, int *claimed)
{
- if (mac_partition_enabled == 0)
+ if (strcmp(MAC_PARTITION_LABEL_NAME, element_name) != 0)
return (0);
- if (SLOT(subject) == 0)
- return (0);
+ (*claimed)++;
- if (SLOT(subject) == SLOT(object))
+ if (sbuf_printf(sb, "%jd", (intmax_t)SLOT(label)) == -1)
+ return (EINVAL);
+ else
return (0);
+}
- return (EPERM);
+static void
+partition_cred_init_label(struct label *label)
+{
+
+ SLOT_SET(label, 0);
}
static int
-partition_cred_check_relabel(struct ucred *cred, struct label *newlabel)
+partition_cred_internalize_label(struct label *label, char *element_name,
+ char *element_data, int *claimed)
{
- int error;
-
- error = 0;
- /* Treat "0" as a no-op request. */
- if (SLOT(newlabel) != 0) {
- /*
- * Require BSD privilege in order to change the partition.
- * Originally we also required that the process not be in a
- * partition in the first place, but this didn't interact
- * well with sendmail.
- */
- error = priv_check_cred(cred, PRIV_MAC_PARTITION, 0);
- }
+ if (strcmp(MAC_PARTITION_LABEL_NAME, element_name) != 0)
+ return (0);
- return (error);
+ (*claimed)++;
+ SLOT_SET(label, strtol(element_data, NULL, 10));
+ return (0);
}
-static int
-partition_cred_check_visible(struct ucred *cr1, struct ucred *cr2)
+static void
+partition_cred_relabel(struct ucred *cred, struct label *newlabel)
{
- int error;
- error = label_on_label(cr1->cr_label, cr2->cr_label);
-
- return (error == 0 ? 0 : ESRCH);
+ if (SLOT(newlabel) != 0)
+ SLOT_SET(cred->cr_label, SLOT(newlabel));
}
static int
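Review bot: partition_cred_internalize_label, which this hunk moves and renames without changing its body, parses `element_data` with `strtol(element_data, NULL, 10)` and never checks where parsing stopped. A non-numeric string therefore becomes partition 0, which partition_cred_check_relabel and partition_cred_relabel in this same hunk treat as a no-op request, and a string such as "5junk" is accepted as 5. Since `element_data` presumably comes from a label string supplied by the caller, I would reject malformed input instead: `char *end; long v = strtol(element_data, &end, 10);` followed by `if (end == element_data || *end != '\0') return (EINVAL);` and then `SLOT_SET(label, v);`. A one-line comment on label_on_label, `/* Partition 0 means "not partitioned": such subjects see every object. */`, would also make the policy's default explicit for readers of the re-sorted file.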
@@ -219,6 +209,20 @@ partition_proc_check_signal(struct ucred *cred, struct proc *p,
return (error ? ESRCH : 0);
}
+static void
+partition_proc_create_init(struct ucred *cred)
+{
+
+ SLOT_SET(cred->cr_label, 0);
+}
+
+static void
+partition_proc_create_swapper(struct ucred *cred)
+{
+
+ SLOT_SET(cred->cr_label, 0);
+}
+
static int
partition_socket_check_visible(struct ucred *cred, struct socket *so,
struct label *solabel)
@@ -251,19 +255,19 @@ partition_vnode_check_exec(struct ucred *cred, struct vnode *vp,
static struct mac_policy_ops partition_ops =
{
- .mpo_cred_init_label = partition_init_label,
- .mpo_cred_destroy_label = partition_destroy_label,
- .mpo_cred_copy_label = partition_copy_label,
- .mpo_cred_externalize_label = partition_externalize_label,
- .mpo_cred_internalize_label = partition_internalize_label,
- .mpo_proc_create_swapper = partition_proc_create_swapper,
- .mpo_proc_create_init = partition_proc_create_init,
- .mpo_cred_relabel = partition_cred_relabel,
.mpo_cred_check_relabel = partition_cred_check_relabel,
.mpo_cred_check_visible = partition_cred_check_visible,
+ .mpo_cred_copy_label = partition_cred_copy_label,
+ .mpo_cred_destroy_label = partition_cred_destroy_label,
+ .mpo_cred_externalize_label = partition_cred_externalize_label,
+ .mpo_cred_init_label = partition_cred_init_label,
+ .mpo_cred_internalize_label = partition_cred_internalize_label,
+ .mpo_cred_relabel = partition_cred_relabel,
.mpo_proc_check_debug = partition_proc_check_debug,
.mpo_proc_check_sched = partition_proc_check_sched,
.mpo_proc_check_signal = partition_proc_check_signal,
+ .mpo_proc_create_init = partition_proc_create_init,
+ .mpo_proc_create_swapper = partition_proc_create_swapper,
.mpo_socket_check_visible = partition_socket_check_visible,
.mpo_vnode_check_exec = partition_vnode_check_exec,
};