authorrwatson <rwatson@FreeBSD.org>2003-12-06 21:48:03 +0000
committerrwatson <rwatson@FreeBSD.org>2003-12-06 21:48:03 +0000
commit08335c63bf85bb1d25ca094ab55a04b390c0acda (patch)
tree80bf1fc6acf72a565465aa4b66b0dba3b2b80af2 /sys/security
parent55ee8acb7fba4f6a262ab48a2a5ed1753cc12dcc (diff)
Rename mac_create_cred() MAC Framework entry point to mac_copy_cred(),
and the mpo_create_cred() MAC policy entry point to mpo_copy_cred_label(). This is more consistent with similar entry points for creation and label copying, as mac_create_cred() was called from crdup() as opposed to during process creation. For a number of policies, this removes the requirement for special handling when copying credential labels, and improves consistency. Approved by: re (scottl) Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
Diffstat (limited to 'sys/security')
-rw-r--r--sys/security/mac/mac_framework.h2
-rw-r--r--sys/security/mac/mac_policy.h4
-rw-r--r--sys/security/mac/mac_process.c4
-rw-r--r--sys/security/mac_biba/mac_biba.c14
-rw-r--r--sys/security/mac_lomac/mac_lomac.c14
-rw-r--r--sys/security/mac_mls/mac_mls.c14
-rw-r--r--sys/security/mac_partition/mac_partition.c16
-rw-r--r--sys/security/mac_stub/mac_stub.c8
-rw-r--r--sys/security/mac_test/mac_test.c18
9 files changed, 26 insertions, 68 deletions
diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h
index 81dad5a..098a2bd 100644
--- a/sys/security/mac/mac_framework.h
+++ b/sys/security/mac/mac_framework.h
@@ -229,7 +229,7 @@ void mac_inpcb_sosetlabel(struct socket *so, struct inpcb *inp);
/*
* Labeling event operations: processes.
*/
-void mac_create_cred(struct ucred *cred_parent, struct ucred *cred_child);
+void mac_copy_cred(struct ucred *cr1, struct ucred *cr2);
int mac_execve_enter(struct image_params *imgp, struct mac *mac_p);
void mac_execve_exit(struct image_params *imgp);
void mac_execve_transition(struct ucred *old, struct ucred *new,
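Review bot: The new prototype names its parameters `cr1` and `cr2`, which hides the direction of the copy, while the definition in mac_process.c uses `src` and `dest`. Swapping the arguments at a call site would overwrite the source credential's label, so the declaration should carry the direction as well: `void mac_copy_cred(struct ucred *src, struct ucred *dest);`. That also keeps it consistent with the `mpo_copy_cred_label(struct label *src, struct label *dest)` member added in mac_policy.h.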
diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h
index 518f883..be43253 100644
--- a/sys/security/mac/mac_policy.h
+++ b/sys/security/mac/mac_policy.h
@@ -111,6 +111,8 @@ struct mac_policy_ops {
void (*mpo_destroy_pipe_label)(struct label *label);
void (*mpo_destroy_proc_label)(struct label *label);
void (*mpo_destroy_vnode_label)(struct label *label);
+ void (*mpo_copy_cred_label)(struct label *src,
+ struct label *dest);
void (*mpo_copy_mbuf_label)(struct label *src,
struct label *dest);
void (*mpo_copy_pipe_label)(struct label *src,
@@ -264,8 +266,6 @@ struct mac_policy_ops {
/*
* Labeling event operations: processes.
*/
- void (*mpo_create_cred)(struct ucred *parent_cred,
- struct ucred *child_cred);
void (*mpo_execve_transition)(struct ucred *old, struct ucred *new,
struct vnode *vp, struct label *vnodelabel,
struct label *interpvnodelabel,
diff --git a/sys/security/mac/mac_process.c b/sys/security/mac/mac_process.c
index 68d847d..5c82e7c 100644
--- a/sys/security/mac/mac_process.c
+++ b/sys/security/mac/mac_process.c
@@ -222,10 +222,10 @@ mac_thread_userret(struct thread *td)
* deltas. This function allows that processing to take place.
*/
void
-mac_create_cred(struct ucred *parent_cred, struct ucred *child_cred)
+mac_copy_cred(struct ucred *src, struct ucred *dest)
{
- MAC_PERFORM(create_cred, parent_cred, child_cred);
+ MAC_PERFORM(copy_cred_label, src->cr_label, dest->cr_label);
}
int
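Review bot: The block comment kept above `mac_copy_cred` still ends with "deltas. This function allows that processing to take place.", which reads like the old creation-time semantics. The comment begins outside the hunk, so its full text is not visible here, but it should be reworded now that the entry point only hands two labels to the policies. Something like `/* Copy the MAC label of src to dest; both credentials must already have an initialized cr_label. */` would fit. The precondition is inferred from the new body dereferencing `src->cr_label` and `dest->cr_label` before dispatching, and should be confirmed against the crdup() caller.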
diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c
index 9c9192f..1239220 100644
--- a/sys/security/mac_biba/mac_biba.c
+++ b/sys/security/mac_biba/mac_biba.c
@@ -1328,18 +1328,6 @@ mac_biba_inpcb_sosetlabel(struct socket *so, struct label *solabel,
* Labeling event operations: processes.
*/
static void
-mac_biba_create_cred(struct ucred *cred_parent, struct ucred *cred_child)
-{
- struct mac_biba *source, *dest;
-
- source = SLOT(cred_parent->cr_label);
- dest = SLOT(cred_child->cr_label);
-
- mac_biba_copy_single(source, dest);
- mac_biba_copy_range(source, dest);
-}
-
-static void
mac_biba_create_proc0(struct ucred *cred)
{
struct mac_biba *dest;
@@ -2668,6 +2656,7 @@ static struct mac_policy_ops mac_biba_ops =
.mpo_destroy_socket_label = mac_biba_destroy_label,
.mpo_destroy_socket_peer_label = mac_biba_destroy_label,
.mpo_destroy_vnode_label = mac_biba_destroy_label,
+ .mpo_copy_cred_label = mac_biba_copy_label,
.mpo_copy_mbuf_label = mac_biba_copy_label,
.mpo_copy_pipe_label = mac_biba_copy_label,
.mpo_copy_socket_label = mac_biba_copy_label,
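Review bot: Wiring `.mpo_copy_cred_label` to the generic `mac_biba_copy_label` replaces the removed `mac_biba_create_cred`, which copied through `mac_biba_copy_single` and `mac_biba_copy_range`. None of those helpers is visible in this diff, so it cannot be checked here that the generic copy transfers both the single and the range element. Nor can it be checked whether the per-element helpers ran sanity checks on the source label that the credential-duplication path now skips. The same substitution is made in the mac_lomac and mac_mls ops tables (`mac_lomac_copy_label`, `mac_mls_copy_label`). A short comment at each of the three assignments stating that the generic copy covers the whole label, or a debug assertion on the credential label in the copy routine, would record the equivalence.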
@@ -2719,7 +2708,6 @@ static struct mac_policy_ops mac_biba_ops =
.mpo_relabel_ifnet = mac_biba_relabel_ifnet,
.mpo_update_ipq = mac_biba_update_ipq,
.mpo_inpcb_sosetlabel = mac_biba_inpcb_sosetlabel,
- .mpo_create_cred = mac_biba_create_cred,
.mpo_create_proc0 = mac_biba_create_proc0,
.mpo_create_proc1 = mac_biba_create_proc1,
.mpo_relabel_cred = mac_biba_relabel_cred,
diff --git a/sys/security/mac_lomac/mac_lomac.c b/sys/security/mac_lomac/mac_lomac.c
index 52eeaa6..a8a4a98 100644
--- a/sys/security/mac_lomac/mac_lomac.c
+++ b/sys/security/mac_lomac/mac_lomac.c
@@ -1468,18 +1468,6 @@ mac_lomac_inpcb_sosetlabel(struct socket *so, struct label *solabel,
* Labeling event operations: processes.
*/
static void
-mac_lomac_create_cred(struct ucred *cred_parent, struct ucred *cred_child)
-{
- struct mac_lomac *source, *dest;
-
- source = SLOT(cred_parent->cr_label);
- dest = SLOT(cred_child->cr_label);
-
- mac_lomac_copy_single(source, dest);
- mac_lomac_copy_range(source, dest);
-}
-
-static void
mac_lomac_execve_transition(struct ucred *old, struct ucred *new,
struct vnode *vp, struct label *vnodelabel,
struct label *interpvnodelabel, struct image_params *imgp,
@@ -2648,6 +2636,7 @@ static struct mac_policy_ops mac_lomac_ops =
.mpo_destroy_socket_label = mac_lomac_destroy_label,
.mpo_destroy_socket_peer_label = mac_lomac_destroy_label,
.mpo_destroy_vnode_label = mac_lomac_destroy_label,
+ .mpo_copy_cred_label = mac_lomac_copy_label,
.mpo_copy_mbuf_label = mac_lomac_copy_label,
.mpo_copy_pipe_label = mac_lomac_copy_label,
.mpo_copy_socket_label = mac_lomac_copy_label,
@@ -2702,7 +2691,6 @@ static struct mac_policy_ops mac_lomac_ops =
.mpo_relabel_ifnet = mac_lomac_relabel_ifnet,
.mpo_update_ipq = mac_lomac_update_ipq,
.mpo_inpcb_sosetlabel = mac_lomac_inpcb_sosetlabel,
- .mpo_create_cred = mac_lomac_create_cred,
.mpo_execve_transition = mac_lomac_execve_transition,
.mpo_execve_will_transition = mac_lomac_execve_will_transition,
.mpo_create_proc0 = mac_lomac_create_proc0,
diff --git a/sys/security/mac_mls/mac_mls.c b/sys/security/mac_mls/mac_mls.c
index e3c2ef4..3a73467 100644
--- a/sys/security/mac_mls/mac_mls.c
+++ b/sys/security/mac_mls/mac_mls.c
@@ -1258,18 +1258,6 @@ mac_mls_inpcb_sosetlabel(struct socket *so, struct label *solabel,
* Labeling event operations: processes.
*/
static void
-mac_mls_create_cred(struct ucred *cred_parent, struct ucred *cred_child)
-{
- struct mac_mls *source, *dest;
-
- source = SLOT(cred_parent->cr_label);
- dest = SLOT(cred_child->cr_label);
-
- mac_mls_copy_single(source, dest);
- mac_mls_copy_range(source, dest);
-}
-
-static void
mac_mls_create_proc0(struct ucred *cred)
{
struct mac_mls *dest;
@@ -2440,6 +2428,7 @@ static struct mac_policy_ops mac_mls_ops =
.mpo_destroy_socket_label = mac_mls_destroy_label,
.mpo_destroy_socket_peer_label = mac_mls_destroy_label,
.mpo_destroy_vnode_label = mac_mls_destroy_label,
+ .mpo_copy_cred_label = mac_mls_copy_label,
.mpo_copy_mbuf_label = mac_mls_copy_label,
.mpo_copy_pipe_label = mac_mls_copy_label,
.mpo_copy_socket_label = mac_mls_copy_label,
@@ -2491,7 +2480,6 @@ static struct mac_policy_ops mac_mls_ops =
.mpo_relabel_ifnet = mac_mls_relabel_ifnet,
.mpo_update_ipq = mac_mls_update_ipq,
.mpo_inpcb_sosetlabel = mac_mls_inpcb_sosetlabel,
- .mpo_create_cred = mac_mls_create_cred,
.mpo_create_proc0 = mac_mls_create_proc0,
.mpo_create_proc1 = mac_mls_create_proc1,
.mpo_relabel_cred = mac_mls_relabel_cred,
diff --git a/sys/security/mac_partition/mac_partition.c b/sys/security/mac_partition/mac_partition.c
index 74df98c..e8ee78a 100644
--- a/sys/security/mac_partition/mac_partition.c
+++ b/sys/security/mac_partition/mac_partition.c
@@ -101,6 +101,13 @@ mac_partition_destroy_label(struct label *label)
SLOT(label) = 0;
}
+static void
+mac_partition_copy_label(struct label *src, struct label *dest)
+{
+
+ SLOT(dest) = SLOT(src);
+}
+
static int
mac_partition_externalize_label(struct label *label, char *element_name,
struct sbuf *sb, int *claimed)
@@ -131,13 +138,6 @@ mac_partition_internalize_label(struct label *label, char *element_name,
}
static void
-mac_partition_create_cred(struct ucred *cred_parent, struct ucred *cred_child)
-{
-
- SLOT(cred_child->cr_label) = SLOT(cred_parent->cr_label);
-}
-
-static void
mac_partition_create_proc0(struct ucred *cred)
{
@@ -271,9 +271,9 @@ static struct mac_policy_ops mac_partition_ops =
.mpo_init = mac_partition_init,
.mpo_init_cred_label = mac_partition_init_label,
.mpo_destroy_cred_label = mac_partition_destroy_label,
+ .mpo_copy_cred_label = mac_partition_copy_label,
.mpo_externalize_cred_label = mac_partition_externalize_label,
.mpo_internalize_cred_label = mac_partition_internalize_label,
- .mpo_create_cred = mac_partition_create_cred,
.mpo_create_proc0 = mac_partition_create_proc0,
.mpo_create_proc1 = mac_partition_create_proc1,
.mpo_relabel_cred = mac_partition_relabel_cred,
diff --git a/sys/security/mac_stub/mac_stub.c b/sys/security/mac_stub/mac_stub.c
index 1b6ad02..ccf3583 100644
--- a/sys/security/mac_stub/mac_stub.c
+++ b/sys/security/mac_stub/mac_stub.c
@@ -439,12 +439,6 @@ stub_inpcb_sosetlabel(struct socket *so, struct label *solabel,
* Labeling event operations: processes.
*/
static void
-stub_create_cred(struct ucred *cred_parent, struct ucred *cred_child)
-{
-
-}
-
-static void
stub_execve_transition(struct ucred *old, struct ucred *new,
struct vnode *vp, struct label *vnodelabel,
struct label *interpvnodelabel, struct image_params *imgp,
@@ -1055,6 +1049,7 @@ static struct mac_policy_ops mac_stub_ops =
.mpo_destroy_socket_label = stub_destroy_label,
.mpo_destroy_socket_peer_label = stub_destroy_label,
.mpo_destroy_vnode_label = stub_destroy_label,
+ .mpo_copy_cred_label = stub_copy_label,
.mpo_copy_mbuf_label = stub_copy_label,
.mpo_copy_pipe_label = stub_copy_label,
.mpo_copy_socket_label = stub_copy_label,
@@ -1109,7 +1104,6 @@ static struct mac_policy_ops mac_stub_ops =
.mpo_relabel_ifnet = stub_relabel_ifnet,
.mpo_update_ipq = stub_update_ipq,
.mpo_inpcb_sosetlabel = stub_inpcb_sosetlabel,
- .mpo_create_cred = stub_create_cred,
.mpo_execve_transition = stub_execve_transition,
.mpo_execve_will_transition = stub_execve_will_transition,
.mpo_create_proc0 = stub_create_proc0,
diff --git a/sys/security/mac_test/mac_test.c b/sys/security/mac_test/mac_test.c
index 847c9e9..ef8c5b3 100644
--- a/sys/security/mac_test/mac_test.c
+++ b/sys/security/mac_test/mac_test.c
@@ -591,6 +591,14 @@ mac_test_destroy_vnode_label(struct label *label)
}
static void
+mac_test_copy_cred_label(struct label *src, struct label *dest)
+{
+
+ ASSERT_CRED_LABEL(src);
+ ASSERT_CRED_LABEL(dest);
+}
+
+static void
mac_test_copy_mbuf_label(struct label *src, struct label *dest)
{
@@ -1021,14 +1029,6 @@ mac_test_inpcb_sosetlabel(struct socket *so, struct label *solabel,
* Labeling event operations: processes.
*/
static void
-mac_test_create_cred(struct ucred *cred_parent, struct ucred *cred_child)
-{
-
- ASSERT_CRED_LABEL(cred_parent->cr_label);
- ASSERT_CRED_LABEL(cred_child->cr_label);
-}
-
-static void
mac_test_execve_transition(struct ucred *old, struct ucred *new,
struct vnode *vp, struct label *filelabel,
struct label *interpvnodelabel, struct image_params *imgp,
@@ -1879,6 +1879,7 @@ static struct mac_policy_ops mac_test_ops =
.mpo_destroy_socket_label = mac_test_destroy_socket_label,
.mpo_destroy_socket_peer_label = mac_test_destroy_socket_peer_label,
.mpo_destroy_vnode_label = mac_test_destroy_vnode_label,
+ .mpo_copy_cred_label = mac_test_copy_cred_label,
.mpo_copy_mbuf_label = mac_test_copy_mbuf_label,
.mpo_copy_pipe_label = mac_test_copy_pipe_label,
.mpo_copy_socket_label = mac_test_copy_socket_label,
@@ -1932,7 +1933,6 @@ static struct mac_policy_ops mac_test_ops =
.mpo_relabel_ifnet = mac_test_relabel_ifnet,
.mpo_update_ipq = mac_test_update_ipq,
.mpo_inpcb_sosetlabel = mac_test_inpcb_sosetlabel,
- .mpo_create_cred = mac_test_create_cred,
.mpo_execve_transition = mac_test_execve_transition,
.mpo_execve_will_transition = mac_test_execve_will_transition,
.mpo_create_proc0 = mac_test_create_proc0,