authorrwatson <rwatson@FreeBSD.org>2002-11-08 18:04:00 +0000
committerrwatson <rwatson@FreeBSD.org>2002-11-08 18:04:00 +0000
commit95c4afbed0766fa2e0e178afbc7d5beb07b7d2da (patch)
tree94c9056b7e25038cd9bc0451a0843b3eb2732681 /sys/security
parentb6d1dfe9661a9cf26ec5b73d41a857a8bd1794ac (diff)
Add an explicit execlabel argument to exec-related MAC policy entry
points, rather than relying on policies to grub around in the image
activator instance structure.

Approved by:	re
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
Diffstat (limited to 'sys/security')
-rw-r--r--sys/security/mac/mac_framework.c7
-rw-r--r--sys/security/mac/mac_internal.h7
-rw-r--r--sys/security/mac/mac_net.c7
-rw-r--r--sys/security/mac/mac_pipe.c7
-rw-r--r--sys/security/mac/mac_policy.h7
-rw-r--r--sys/security/mac/mac_process.c7
-rw-r--r--sys/security/mac/mac_syscalls.c7
-rw-r--r--sys/security/mac/mac_system.c7
-rw-r--r--sys/security/mac/mac_vfs.c7
9 files changed, 36 insertions, 27 deletions
diff --git a/sys/security/mac/mac_framework.c b/sys/security/mac/mac_framework.c
index 9f76f05..69fa5ad 100644
--- a/sys/security/mac/mac_framework.c
+++ b/sys/security/mac/mac_framework.c
@@ -1307,7 +1307,7 @@ mac_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp,
return;
MAC_PERFORM(execve_transition, old, new, vp, &vp->v_label,
- interpvnodelabel, imgp);
+ interpvnodelabel, imgp, imgp->execlabel);
}
int
@@ -1323,7 +1323,7 @@ mac_execve_will_transition(struct ucred *old, struct vnode *vp,
result = 0;
MAC_BOOLEAN(execve_will_transition, ||, old, vp, &vp->v_label,
- interpvnodelabel, imgp);
+ interpvnodelabel, imgp, imgp->execlabel);
return (result);
}
@@ -1428,7 +1428,8 @@ mac_check_vnode_exec(struct ucred *cred, struct vnode *vp,
if (!mac_enforce_process && !mac_enforce_fs)
return (0);
- MAC_CHECK(check_vnode_exec, cred, vp, &vp->v_label, imgp);
+ MAC_CHECK(check_vnode_exec, cred, vp, &vp->v_label, imgp,
+ imgp->execlabel);
return (error);
}
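Review bot: `imgp->execlabel` is forwarded to every policy here, and in the mac_execve_transition and mac_execve_will_transition hunks above, without the framework checking whether it was ever set, so the nullability of the new argument silently becomes part of the policy contract; if the exec path can leave `execlabel` unset (which appears likely for an exec that does not supply a label), a comment at the MAC_CHECK call such as `/* execlabel may be NULL when no label was requested for this exec; policies must check before dereferencing */` would keep policy authors from assuming it is valid. mac_check_vnode_exec's signature and the start of its body lie outside the hunk, as do the beginnings of the two functions in the earlier hunks. The same three hunks are repeated verbatim under the mac_internal.h, mac_net.c, mac_pipe.c, mac_process.c, mac_syscalls.c, mac_system.c and mac_vfs.c headers with an identical index line, which looks like a rendering duplication rather than real changes to those files; this note applies to them as well and is not repeated there.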
diff --git a/sys/security/mac/mac_internal.h b/sys/security/mac/mac_internal.h
index 9f76f05..69fa5ad 100644
--- a/sys/security/mac/mac_internal.h
+++ b/sys/security/mac/mac_internal.h
@@ -1307,7 +1307,7 @@ mac_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp,
return;
MAC_PERFORM(execve_transition, old, new, vp, &vp->v_label,
- interpvnodelabel, imgp);
+ interpvnodelabel, imgp, imgp->execlabel);
}
int
@@ -1323,7 +1323,7 @@ mac_execve_will_transition(struct ucred *old, struct vnode *vp,
result = 0;
MAC_BOOLEAN(execve_will_transition, ||, old, vp, &vp->v_label,
- interpvnodelabel, imgp);
+ interpvnodelabel, imgp, imgp->execlabel);
return (result);
}
@@ -1428,7 +1428,8 @@ mac_check_vnode_exec(struct ucred *cred, struct vnode *vp,
if (!mac_enforce_process && !mac_enforce_fs)
return (0);
- MAC_CHECK(check_vnode_exec, cred, vp, &vp->v_label, imgp);
+ MAC_CHECK(check_vnode_exec, cred, vp, &vp->v_label, imgp,
+ imgp->execlabel);
return (error);
}
diff --git a/sys/security/mac/mac_net.c b/sys/security/mac/mac_net.c
index 9f76f05..69fa5ad 100644
--- a/sys/security/mac/mac_net.c
+++ b/sys/security/mac/mac_net.c
@@ -1307,7 +1307,7 @@ mac_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp,
return;
MAC_PERFORM(execve_transition, old, new, vp, &vp->v_label,
- interpvnodelabel, imgp);
+ interpvnodelabel, imgp, imgp->execlabel);
}
int
@@ -1323,7 +1323,7 @@ mac_execve_will_transition(struct ucred *old, struct vnode *vp,
result = 0;
MAC_BOOLEAN(execve_will_transition, ||, old, vp, &vp->v_label,
- interpvnodelabel, imgp);
+ interpvnodelabel, imgp, imgp->execlabel);
return (result);
}
@@ -1428,7 +1428,8 @@ mac_check_vnode_exec(struct ucred *cred, struct vnode *vp,
if (!mac_enforce_process && !mac_enforce_fs)
return (0);
- MAC_CHECK(check_vnode_exec, cred, vp, &vp->v_label, imgp);
+ MAC_CHECK(check_vnode_exec, cred, vp, &vp->v_label, imgp,
+ imgp->execlabel);
return (error);
}
diff --git a/sys/security/mac/mac_pipe.c b/sys/security/mac/mac_pipe.c
index 9f76f05..69fa5ad 100644
--- a/sys/security/mac/mac_pipe.c
+++ b/sys/security/mac/mac_pipe.c
@@ -1307,7 +1307,7 @@ mac_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp,
return;
MAC_PERFORM(execve_transition, old, new, vp, &vp->v_label,
- interpvnodelabel, imgp);
+ interpvnodelabel, imgp, imgp->execlabel);
}
int
@@ -1323,7 +1323,7 @@ mac_execve_will_transition(struct ucred *old, struct vnode *vp,
result = 0;
MAC_BOOLEAN(execve_will_transition, ||, old, vp, &vp->v_label,
- interpvnodelabel, imgp);
+ interpvnodelabel, imgp, imgp->execlabel);
return (result);
}
@@ -1428,7 +1428,8 @@ mac_check_vnode_exec(struct ucred *cred, struct vnode *vp,
if (!mac_enforce_process && !mac_enforce_fs)
return (0);
- MAC_CHECK(check_vnode_exec, cred, vp, &vp->v_label, imgp);
+ MAC_CHECK(check_vnode_exec, cred, vp, &vp->v_label, imgp,
+ imgp->execlabel);
return (error);
}
diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h
index 9bed8ff..23ea56b 100644
--- a/sys/security/mac/mac_policy.h
+++ b/sys/security/mac/mac_policy.h
@@ -244,11 +244,11 @@ struct mac_policy_ops {
void (*mpo_execve_transition)(struct ucred *old, struct ucred *new,
struct vnode *vp, struct label *vnodelabel,
struct label *interpvnodelabel,
- struct image_params *imgp);
+ struct image_params *imgp, struct label *execlabel);
int (*mpo_execve_will_transition)(struct ucred *old,
struct vnode *vp, struct label *vnodelabel,
struct label *interpvnodelabel,
- struct image_params *imgp);
+ struct image_params *imgp, struct label *execlabel);
void (*mpo_create_proc0)(struct ucred *cred);
void (*mpo_create_proc1)(struct ucred *cred);
void (*mpo_relabel_cred)(struct ucred *cred,
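Review bot: The new `struct label *execlabel` parameter on mpo_execve_transition and mpo_execve_will_transition (and on mpo_check_vnode_exec in the next hunk) carries no documentation of what it holds or whether a policy may receive NULL, which is the one fact an implementer needs before touching it. A comment above the two prototypes along the lines of `/* execlabel: label requested for this exec, if any; presumably NULL when none was supplied -- policies must not assume it is set */` would close the gap, and the same wording would serve the mpo_check_vnode_exec declaration. The struct mac_policy_ops definition begins and ends outside this hunk.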
@@ -342,7 +342,8 @@ struct mac_policy_ops {
int (*mpo_check_vnode_deleteacl)(struct ucred *cred,
struct vnode *vp, struct label *label, acl_type_t type);
int (*mpo_check_vnode_exec)(struct ucred *cred, struct vnode *vp,
- struct label *label, struct image_params *imgp);
+ struct label *label, struct image_params *imgp,
+ struct label *execlabel);
int (*mpo_check_vnode_getacl)(struct ucred *cred,
struct vnode *vp, struct label *label, acl_type_t type);
int (*mpo_check_vnode_getextattr)(struct ucred *cred,
diff --git a/sys/security/mac/mac_process.c b/sys/security/mac/mac_process.c
index 9f76f05..69fa5ad 100644
--- a/sys/security/mac/mac_process.c
+++ b/sys/security/mac/mac_process.c
@@ -1307,7 +1307,7 @@ mac_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp,
return;
MAC_PERFORM(execve_transition, old, new, vp, &vp->v_label,
- interpvnodelabel, imgp);
+ interpvnodelabel, imgp, imgp->execlabel);
}
int
@@ -1323,7 +1323,7 @@ mac_execve_will_transition(struct ucred *old, struct vnode *vp,
result = 0;
MAC_BOOLEAN(execve_will_transition, ||, old, vp, &vp->v_label,
- interpvnodelabel, imgp);
+ interpvnodelabel, imgp, imgp->execlabel);
return (result);
}
@@ -1428,7 +1428,8 @@ mac_check_vnode_exec(struct ucred *cred, struct vnode *vp,
if (!mac_enforce_process && !mac_enforce_fs)
return (0);
- MAC_CHECK(check_vnode_exec, cred, vp, &vp->v_label, imgp);
+ MAC_CHECK(check_vnode_exec, cred, vp, &vp->v_label, imgp,
+ imgp->execlabel);
return (error);
}
diff --git a/sys/security/mac/mac_syscalls.c b/sys/security/mac/mac_syscalls.c
index 9f76f05..69fa5ad 100644
--- a/sys/security/mac/mac_syscalls.c
+++ b/sys/security/mac/mac_syscalls.c
@@ -1307,7 +1307,7 @@ mac_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp,
return;
MAC_PERFORM(execve_transition, old, new, vp, &vp->v_label,
- interpvnodelabel, imgp);
+ interpvnodelabel, imgp, imgp->execlabel);
}
int
@@ -1323,7 +1323,7 @@ mac_execve_will_transition(struct ucred *old, struct vnode *vp,
result = 0;
MAC_BOOLEAN(execve_will_transition, ||, old, vp, &vp->v_label,
- interpvnodelabel, imgp);
+ interpvnodelabel, imgp, imgp->execlabel);
return (result);
}
@@ -1428,7 +1428,8 @@ mac_check_vnode_exec(struct ucred *cred, struct vnode *vp,
if (!mac_enforce_process && !mac_enforce_fs)
return (0);
- MAC_CHECK(check_vnode_exec, cred, vp, &vp->v_label, imgp);
+ MAC_CHECK(check_vnode_exec, cred, vp, &vp->v_label, imgp,
+ imgp->execlabel);
return (error);
}
diff --git a/sys/security/mac/mac_system.c b/sys/security/mac/mac_system.c
index 9f76f05..69fa5ad 100644
--- a/sys/security/mac/mac_system.c
+++ b/sys/security/mac/mac_system.c
@@ -1307,7 +1307,7 @@ mac_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp,
return;
MAC_PERFORM(execve_transition, old, new, vp, &vp->v_label,
- interpvnodelabel, imgp);
+ interpvnodelabel, imgp, imgp->execlabel);
}
int
@@ -1323,7 +1323,7 @@ mac_execve_will_transition(struct ucred *old, struct vnode *vp,
result = 0;
MAC_BOOLEAN(execve_will_transition, ||, old, vp, &vp->v_label,
- interpvnodelabel, imgp);
+ interpvnodelabel, imgp, imgp->execlabel);
return (result);
}
@@ -1428,7 +1428,8 @@ mac_check_vnode_exec(struct ucred *cred, struct vnode *vp,
if (!mac_enforce_process && !mac_enforce_fs)
return (0);
- MAC_CHECK(check_vnode_exec, cred, vp, &vp->v_label, imgp);
+ MAC_CHECK(check_vnode_exec, cred, vp, &vp->v_label, imgp,
+ imgp->execlabel);
return (error);
}
diff --git a/sys/security/mac/mac_vfs.c b/sys/security/mac/mac_vfs.c
index 9f76f05..69fa5ad 100644
--- a/sys/security/mac/mac_vfs.c
+++ b/sys/security/mac/mac_vfs.c
@@ -1307,7 +1307,7 @@ mac_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp,
return;
MAC_PERFORM(execve_transition, old, new, vp, &vp->v_label,
- interpvnodelabel, imgp);
+ interpvnodelabel, imgp, imgp->execlabel);
}
int
@@ -1323,7 +1323,7 @@ mac_execve_will_transition(struct ucred *old, struct vnode *vp,
result = 0;
MAC_BOOLEAN(execve_will_transition, ||, old, vp, &vp->v_label,
- interpvnodelabel, imgp);
+ interpvnodelabel, imgp, imgp->execlabel);
return (result);
}
@@ -1428,7 +1428,8 @@ mac_check_vnode_exec(struct ucred *cred, struct vnode *vp,
if (!mac_enforce_process && !mac_enforce_fs)
return (0);
- MAC_CHECK(check_vnode_exec, cred, vp, &vp->v_label, imgp);
+ MAC_CHECK(check_vnode_exec, cred, vp, &vp->v_label, imgp,
+ imgp->execlabel);
return (error);
}