author | rwatson <rwatson@FreeBSD.org> | 2005-07-14 10:22:09 +0000 |
committer | rwatson <rwatson@FreeBSD.org> | 2005-07-14 10:22:09 +0000 |
commit | 79690d711b47ea3433f60ffea399d4d3e2f6c0a7 (patch) | |
tree | 67b10b3695790c746aa019b58c9526b34efb79ac /sys/security | |
parent | 2976fcbe9269d2863b0e38be815f58a4182b4110 (diff) | |
When devfs cloning takes place, provide access to the credential of the
process that caused the clone event to take place for the device driver
creating the device. This allows cloned device drivers to adapt the
device node based on security aspects of the process, such as the uid,
gid, and MAC label.
- Add a cred reference to struct cdev, so that when a device node is
instantiated as a vnode, the cloning credential can be exposed to
MAC.
- Add make_dev_cred(), a version of make_dev() that additionally
accepts the credential to stick in the struct cdev. Implement it and
make_dev() in terms of a back-end make_dev_credv().
- Add a new event handler, dev_clone_cred, which can be registered to
receive the credential instead of dev_clone, if desired.
- Modify the MAC entry point mac_create_devfs_device() to accept an
optional credential pointer (may be NULL), so that MAC policies can
inspect and act on the label or other elements of the credential
when initializing the skeleton device protections.
- Modify tty_pty.c to register clone_dev_cred and invoke make_dev_cred(),
so that the pty clone credential is exposed to the MAC Framework.
While currently primarily focussed on MAC policies, this change is also
a prerequisite for changes to allow ptys to be instantiated with the UID
of the process looking up the pty. This requires further changes to the
pty driver -- in particular, to immediately recycle pty nodes on last
close so that the credential-related state can be recreated on next
lookup.
Submitted by: Andrew Reisse <andrew.reisse@sparta.com>
Obtained from: TrustedBSD Project
Sponsored by: SPAWAR, SPARTA
MFC after: 1 week
MFC note: Merge to 6.x, but not 5.x for ABI reasons
Diffstat (limited to 'sys/security')
-rw-r--r-- | sys/security/mac/mac_framework.h | 4 | ||||
-rw-r--r-- | sys/security/mac/mac_policy.h | 6 | ||||
-rw-r--r-- | sys/security/mac/mac_vfs.c | 9 | ||||
-rw-r--r-- | sys/security/mac_biba/mac_biba.c | 4 | ||||
-rw-r--r-- | sys/security/mac_lomac/mac_lomac.c | 4 | ||||
-rw-r--r-- | sys/security/mac_mls/mac_mls.c | 4 | ||||
-rw-r--r-- | sys/security/mac_stub/mac_stub.c | 4 | ||||
-rw-r--r-- | sys/security/mac_test/mac_test.c | 7 |
8 files changed, 27 insertions, 15 deletions
diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h
index 810c320..e21edec 100644
--- a/sys/security/mac/mac_framework.h
+++ b/sys/security/mac/mac_framework.h
@@ -200,8 +200,8 @@ void mac_associate_vnode_devfs(struct mount *mp, struct devfs_dirent *de,
     struct vnode *vp);
 int mac_associate_vnode_extattr(struct mount *mp, struct vnode *vp);
 void mac_associate_vnode_singlelabel(struct mount *mp, struct vnode *vp);
-void mac_create_devfs_device(struct mount *mp, struct cdev *dev,
-    struct devfs_dirent *de);
+void mac_create_devfs_device(struct ucred *cred, struct mount *mp,
+    struct cdev *dev, struct devfs_dirent *de);
 void mac_create_devfs_directory(struct mount *mp, char *dirname,
     int dirnamelen, struct devfs_dirent *de);
 void mac_create_devfs_symlink(struct ucred *cred, struct mount *mp,
diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h
index 6f10638..506f7d0 100644
--- a/sys/security/mac/mac_policy.h
+++ b/sys/security/mac/mac_policy.h
@@ -11,6 +11,9 @@
  * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
  * as part of the DARPA CHATS research program.
  *
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract
+ * N66001-04-C-6019 ("SEFOS").
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -191,7 +194,8 @@ struct mac_policy_ops {
 	void (*mpo_associate_vnode_singlelabel)(struct mount *mp,
 		    struct label *fslabel, struct vnode *vp, struct label *vlabel);
-	void (*mpo_create_devfs_device)(struct mount *mp, struct cdev *dev,
+	void (*mpo_create_devfs_device)(struct ucred *cred,
+		    struct mount *mp, struct cdev *dev,
 		    struct devfs_dirent *de, struct label *label);
 	void (*mpo_create_devfs_directory)(struct mount *mp, char *dirname,
 		    int dirnamelen, struct devfs_dirent *de,
diff --git a/sys/security/mac/mac_vfs.c b/sys/security/mac/mac_vfs.c
index acf21a5..647697b 100644
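Review bot: The new `cred` argument on `mpo_create_devfs_device` in the mac_policy.h hunk has no stated contract, and the commit message says it may be NULL; nothing in the header tells a policy author that the pointer must be checked before it is dereferenced, which is what the mac_test.c hunk later in this commit does. A comment above the member would carry that: `/* cred: credential of the process on whose behalf the device is created, or NULL when there is none; policies must check for NULL. */`. Whether the caller holds a reference to `cred` for the duration of the call is not visible here and is worth stating in the same comment once confirmed. The mac_framework.h prototype earlier on this line would benefit from the same note.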
--- a/sys/security/mac/mac_vfs.c
+++ b/sys/security/mac/mac_vfs.c
@@ -2,6 +2,7 @@
  * Copyright (c) 1999-2002 Robert N. M. Watson
  * Copyright (c) 2001 Ilmar S. Habibulin
  * Copyright (c) 2001-2005 McAfee, Inc.
+ * Copyright (c) 2005 SPARTA, Inc.
  * All rights reserved.
  *
  * This software was developed by Robert Watson and Ilmar Habibulin for the
@@ -12,6 +13,9 @@
  * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA
  * CHATS research program.
  *
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract
+ * N66001-04-C-6019 ("SEFOS").
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -939,10 +943,11 @@ mac_check_mount_stat(struct ucred *cred, struct mount *mount)
 }
 
 void
-mac_create_devfs_device(struct mount *mp, struct cdev *dev, struct devfs_dirent *de)
+mac_create_devfs_device(struct ucred *cred, struct mount *mp,
+    struct cdev *dev, struct devfs_dirent *de)
 {
 
-	MAC_PERFORM(create_devfs_device, mp, dev, de, de->de_label);
+	MAC_PERFORM(create_devfs_device, cred, mp, dev, de, de->de_label);
 }
 
 void
diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c
index 8faf806..8d5e9db 100644
--- a/sys/security/mac_biba/mac_biba.c
+++ b/sys/security/mac_biba/mac_biba.c
@@ -780,8 +780,8 @@ mac_biba_copy_label(struct label *src, struct label *dest)
  * a lot like file system objects.
  */
 static void
-mac_biba_create_devfs_device(struct mount *mp, struct cdev *dev,
-    struct devfs_dirent *devfs_dirent, struct label *label)
+mac_biba_create_devfs_device(struct ucred *cred, struct mount *mp,
+    struct cdev *dev, struct devfs_dirent *devfs_dirent, struct label *label)
 {
 	struct mac_biba *mac_biba;
 	int biba_type;
diff --git a/sys/security/mac_lomac/mac_lomac.c b/sys/security/mac_lomac/mac_lomac.c
index 1a090ec..cb2ebdf 100644
--- a/sys/security/mac_lomac/mac_lomac.c
+++ b/sys/security/mac_lomac/mac_lomac.c
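Review bot: In the `@@ -939` hunk, `mac_create_devfs_device` forwards `cred` straight into `MAC_PERFORM` with no check and no note that the argument is optional, so the framework now relies on every registered policy to guard a possibly-NULL pointer. The function's header comment is outside the hunk; I would add above the definition `/* cred may be NULL (device not created on behalf of a process); the reference is presumably held by the caller for the duration of the call. */`, dropping the hedge once the ownership is confirmed against the make_dev_cred() path. Of the policies touched by this commit, only mac_test.c visibly checks for NULL.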
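Review bot: `cred` is added to `mac_biba_create_devfs_device` but is not read in the lines shown; the body continues past the hunk, so whether the label derivation further down now consults it cannot be seen here. If the policy deliberately keeps labelling devfs devices by device type for now (the commit message only says policies "can" use the credential), a one-line comment at the top of the body, `/* cred is currently unused: the label is derived from the device, not from the creating process. */`, would stop readers from assuming that cloned ptys inherit the Biba label of the opening process. The lomac and mls hunks on the next line are in the same situation.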
@@ -900,8 +900,8 @@ mac_lomac_copy_label(struct label *src, struct label *dest)
  * a lot like file system objects.
  */
 static void
-mac_lomac_create_devfs_device(struct mount *mp, struct cdev *dev,
-    struct devfs_dirent *devfs_dirent, struct label *label)
+mac_lomac_create_devfs_device(struct ucred *cred, struct mount *mp,
+    struct cdev *dev, struct devfs_dirent *devfs_dirent, struct label *label)
 {
 	struct mac_lomac *mac_lomac;
 	int lomac_type;
diff --git a/sys/security/mac_mls/mac_mls.c b/sys/security/mac_mls/mac_mls.c
index a6c1511..1599cc0 100644
--- a/sys/security/mac_mls/mac_mls.c
+++ b/sys/security/mac_mls/mac_mls.c
@@ -746,8 +746,8 @@ mac_mls_copy_label(struct label *src, struct label *dest)
  * a lot like file system objects.
  */
 static void
-mac_mls_create_devfs_device(struct mount *mp, struct cdev *dev,
-    struct devfs_dirent *devfs_dirent, struct label *label)
+mac_mls_create_devfs_device(struct ucred *cred, struct mount *mp,
+    struct cdev *dev, struct devfs_dirent *devfs_dirent, struct label *label)
 {
 	struct mac_mls *mac_mls;
 	int mls_type;
diff --git a/sys/security/mac_stub/mac_stub.c b/sys/security/mac_stub/mac_stub.c
index f22a48a..8a520a1 100644
--- a/sys/security/mac_stub/mac_stub.c
+++ b/sys/security/mac_stub/mac_stub.c
@@ -187,8 +187,8 @@ stub_associate_vnode_singlelabel(struct mount *mp,
 }
 
 static void
-stub_create_devfs_device(struct mount *mp, struct cdev *dev,
-    struct devfs_dirent *devfs_dirent, struct label *label)
+stub_create_devfs_device(struct ucred *cred, struct mount *mp,
+    struct cdev *dev, struct devfs_dirent *devfs_dirent, struct label *label)
 {
 
 }
diff --git a/sys/security/mac_test/mac_test.c b/sys/security/mac_test/mac_test.c
index 312287e..3c51215 100644
--- a/sys/security/mac_test/mac_test.c
+++ b/sys/security/mac_test/mac_test.c
@@ -865,10 +865,13 @@ mac_test_associate_vnode_singlelabel(struct mount *mp,
 }
 
 static void
-mac_test_create_devfs_device(struct mount *mp, struct cdev *dev,
-    struct devfs_dirent *devfs_dirent, struct label *label)
+mac_test_create_devfs_device(struct ucred *cred, struct mount *mp,
+    struct cdev *dev, struct devfs_dirent *devfs_dirent, struct label *label)
 {
 
+	if (cred != NULL) {
+		ASSERT_CRED_LABEL(cred->cr_label);
+	}
 	ASSERT_DEVFS_LABEL(label);
 }
 