authorrwatson <rwatson@FreeBSD.org>2002-11-20 15:41:25 +0000
committerrwatson <rwatson@FreeBSD.org>2002-11-20 15:41:25 +0000
commit569048d3f90c1ad80a2befd6f45adeda27d5b370 (patch)
tree51776de3b9188cb829cfb48dbad3e46d3b37ed4e /sys
parent8f7431caeb8e8d1dcbcc57542b08b0328692dbb3 (diff)
Introduce p_label, extensible security label storage for the MAC framework
in struct proc. While the process label is actually stored in the struct ucred pointed to by p_ucred, there is a need for transient storage that may be used when asynchronous (deferred) updates need to be performed on the "real" label for locking reasons. Unlike other label storage, this label has no locking semantics, relying on policies to provide their own protection for the label contents, meaning that a policy leaf mutex may be used, avoiding lock order issues. This permits policies that act based on historical process behavior (such as audit policies, the MAC Framework port of LOMAC, etc) to update process properties even when many existing locks are held without violating the lock order. No currently committed policies implement use of this label storage. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
Diffstat (limited to 'sys')
-rw-r--r--sys/kern/kern_exit.c5
-rw-r--r--sys/kern/kern_fork.c5
-rw-r--r--sys/kern/kern_mac.c26
-rw-r--r--sys/security/mac/mac_framework.c26
-rw-r--r--sys/security/mac/mac_framework.h2
-rw-r--r--sys/security/mac/mac_internal.h26
-rw-r--r--sys/security/mac/mac_net.c26
-rw-r--r--sys/security/mac/mac_pipe.c26
-rw-r--r--sys/security/mac/mac_policy.h2
-rw-r--r--sys/security/mac/mac_process.c26
-rw-r--r--sys/security/mac/mac_syscalls.c26
-rw-r--r--sys/security/mac/mac_system.c26
-rw-r--r--sys/security/mac/mac_vfs.c26
-rw-r--r--sys/sys/mac.h2
-rw-r--r--sys/sys/mac_policy.h2
-rw-r--r--sys/sys/proc.h2
16 files changed, 245 insertions, 9 deletions
diff --git a/sys/kern/kern_exit.c b/sys/kern/kern_exit.c
index 68bebfc..6f745a0 100644
--- a/sys/kern/kern_exit.c
+++ b/sys/kern/kern_exit.c
@@ -41,6 +41,7 @@
#include "opt_compat.h"
#include "opt_ktrace.h"
+#include "opt_mac.h"
#include <sys/param.h>
#include <sys/systm.h>
@@ -62,6 +63,7 @@
#include <sys/ptrace.h>
#include <sys/acct.h> /* for acct_process() function prototype */
#include <sys/filedesc.h>
+#include <sys/mac.h>
#include <sys/shm.h>
#include <sys/sem.h>
#include <sys/jail.h>
@@ -739,6 +741,9 @@ loop:
*/
vm_waitproc(p);
mtx_destroy(&p->p_mtx);
+#ifdef MAC
+ mac_destroy_proc(p);
+#endif
KASSERT(FIRST_THREAD_IN_PROC(p),
("wait1: no residual thread!"));
uma_zfree(proc_zone, p);
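Review bot: The new mac_destroy_proc(p) call is undocumented at the call site, and its placement after mtx_destroy(&p->p_mtx) and immediately before uma_zfree() is exactly what a later reader will question. Per the commit description p_label carries no framework locking and exists for deferred policy updates, so the ordering is presumably fine, but it silently requires that no deferred update still references p by the time wait1 reaches this point, because the label storage disappears with the proc on the next line. A short comment inside the #ifdef MAC block would make that contract explicit: `/* p_label has no framework lock; any deferred policy update must be complete before the proc is freed below. */`. wait1 begins outside this hunk.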
diff --git a/sys/kern/kern_fork.c b/sys/kern/kern_fork.c
index 14695fb..caefeff 100644
--- a/sys/kern/kern_fork.c
+++ b/sys/kern/kern_fork.c
@@ -40,6 +40,7 @@
*/
#include "opt_ktrace.h"
+#include "opt_mac.h"
#include <sys/param.h>
#include <sys/systm.h>
@@ -57,6 +58,7 @@
#include <sys/syscall.h>
#include <sys/vnode.h>
#include <sys/acct.h>
+#include <sys/mac.h>
#include <sys/ktr.h>
#include <sys/ktrace.h>
#include <sys/kthread.h>
@@ -305,6 +307,9 @@ fork1(td, flags, pages, procp)
/* Allocate new proc. */
newproc = uma_zalloc(proc_zone, M_WAITOK);
+#ifdef MAC
+ mac_init_proc(newproc);
+#endif
/*
* Although process entries are dynamically created, we still keep
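Review bot: mac_init_proc(newproc) is called directly after uma_zalloc(), so any error return from fork1 later in the function that frees newproc would also have to call mac_destroy_proc(), otherwise policy-allocated label state (and, under MAC_DEBUG, the nmacprocs counter) leaks; the rest of fork1 is outside this hunk, so I cannot confirm whether such a path exists. If there is none, a comment next to the call would spare the next reader the same check, e.g. `/* No failure path frees newproc after this point; the label is destroyed in wait1(). */`. Initialising this early also means the init_proc_label hooks see only the label and not a populated proc, which is consistent with the hook signature taking `struct label *` alone.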
diff --git a/sys/kern/kern_mac.c b/sys/kern/kern_mac.c
index bf6c999..f9eb44e 100644
--- a/sys/kern/kern_mac.c
+++ b/sys/kern/kern_mac.c
@@ -185,7 +185,7 @@ SYSCTL_NODE(_security_mac_debug, OID_AUTO, counters, CTLFLAG_RW, 0,
static unsigned int nmacmbufs, nmaccreds, nmacifnets, nmacbpfdescs,
nmacsockets, nmacmounts, nmactemp, nmacvnodes, nmacdevfsdirents,
- nmacipqs, nmacpipes;
+ nmacipqs, nmacpipes, nmacprocs;
SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, mbufs, CTLFLAG_RD,
&nmacmbufs, 0, "number of mbufs in use");
@@ -201,6 +201,8 @@ SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, sockets, CTLFLAG_RD,
&nmacsockets, 0, "number of sockets in use");
SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, pipes, CTLFLAG_RD,
&nmacpipes, 0, "number of pipes in use");
+SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, procs, CTLFLAG_RD,
+ &nmacprocs, 0, "number of procs in use");
SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, mounts, CTLFLAG_RD,
&nmacmounts, 0, "number of mounts in use");
SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, temp, CTLFLAG_RD,
@@ -762,6 +764,17 @@ mac_init_pipe(struct pipe *pipe)
mac_init_pipe_label(label);
}
+void
+mac_init_proc(struct proc *p)
+{
+
+ mac_init_label(&p->p_label);
+ MAC_PERFORM(init_proc_label, &p->p_label);
+#ifdef MAC_DEBUG
+ atomic_add_int(&nmacprocs, 1);
+#endif
+}
+
static int
mac_init_socket_label(struct label *label, int flag)
{
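Review bot: mac_init_proc() and mac_destroy_proc() (next hunk) have no header comment, although this is the one label in the framework whose locking rules differ from all the others: per the commit description the framework takes no lock around p_label and policies must protect its contents themselves. That contract belongs on the functions, not only in the commit log. Suggested comment above mac_init_proc: `/* Initialize the process (not subject) MAC label. Unlike other label storage, p_label is not protected by any framework lock; policies must serialize their own accesses (e.g. a leaf mutex). */`, and a one-liner on mac_destroy_proc noting the caller must ensure no deferred policy update is still in flight. The identical hunks recur in the mac_framework.c, mac_internal.h, mac_net.c, mac_pipe.c, mac_process.c, mac_syscalls.c, mac_system.c and mac_vfs.c sections of this page and would take the same comments.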
@@ -945,6 +958,17 @@ mac_destroy_pipe(struct pipe *pipe)
free(pipe->pipe_label, M_MACPIPELABEL);
}
+void
+mac_destroy_proc(struct proc *p)
+{
+
+ MAC_PERFORM(destroy_proc_label, &p->p_label);
+ mac_destroy_label(&p->p_label);
+#ifdef MAC_DEBUG
+ atomic_subtract_int(&nmacprocs, 1);
+#endif
+}
+
static void
mac_destroy_socket_label(struct label *label)
{
diff --git a/sys/security/mac/mac_framework.c b/sys/security/mac/mac_framework.c
index bf6c999..f9eb44e 100644
--- a/sys/security/mac/mac_framework.c
+++ b/sys/security/mac/mac_framework.c
@@ -185,7 +185,7 @@ SYSCTL_NODE(_security_mac_debug, OID_AUTO, counters, CTLFLAG_RW, 0,
static unsigned int nmacmbufs, nmaccreds, nmacifnets, nmacbpfdescs,
nmacsockets, nmacmounts, nmactemp, nmacvnodes, nmacdevfsdirents,
- nmacipqs, nmacpipes;
+ nmacipqs, nmacpipes, nmacprocs;
SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, mbufs, CTLFLAG_RD,
&nmacmbufs, 0, "number of mbufs in use");
@@ -201,6 +201,8 @@ SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, sockets, CTLFLAG_RD,
&nmacsockets, 0, "number of sockets in use");
SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, pipes, CTLFLAG_RD,
&nmacpipes, 0, "number of pipes in use");
+SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, procs, CTLFLAG_RD,
+ &nmacprocs, 0, "number of procs in use");
SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, mounts, CTLFLAG_RD,
&nmacmounts, 0, "number of mounts in use");
SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, temp, CTLFLAG_RD,
@@ -762,6 +764,17 @@ mac_init_pipe(struct pipe *pipe)
mac_init_pipe_label(label);
}
+void
+mac_init_proc(struct proc *p)
+{
+
+ mac_init_label(&p->p_label);
+ MAC_PERFORM(init_proc_label, &p->p_label);
+#ifdef MAC_DEBUG
+ atomic_add_int(&nmacprocs, 1);
+#endif
+}
+
static int
mac_init_socket_label(struct label *label, int flag)
{
@@ -945,6 +958,17 @@ mac_destroy_pipe(struct pipe *pipe)
free(pipe->pipe_label, M_MACPIPELABEL);
}
+void
+mac_destroy_proc(struct proc *p)
+{
+
+ MAC_PERFORM(destroy_proc_label, &p->p_label);
+ mac_destroy_label(&p->p_label);
+#ifdef MAC_DEBUG
+ atomic_subtract_int(&nmacprocs, 1);
+#endif
+}
+
static void
mac_destroy_socket_label(struct label *label)
{
diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h
index 3e7e6bb..89c6efc 100644
--- a/sys/security/mac/mac_framework.h
+++ b/sys/security/mac/mac_framework.h
@@ -146,6 +146,7 @@ int mac_init_socket(struct socket *, int flag);
void mac_init_pipe(struct pipe *);
int mac_init_mbuf(struct mbuf *m, int flag);
void mac_init_mount(struct mount *);
+void mac_init_proc(struct proc *);
void mac_init_vnode(struct vnode *);
void mac_init_vnode_label(struct label *);
void mac_copy_vnode_label(struct label *, struct label *label);
@@ -156,6 +157,7 @@ void mac_destroy_ifnet(struct ifnet *);
void mac_destroy_ipq(struct ipq *);
void mac_destroy_socket(struct socket *);
void mac_destroy_pipe(struct pipe *);
+void mac_destroy_proc(struct proc *);
void mac_destroy_mbuf(struct mbuf *);
void mac_destroy_mount(struct mount *);
void mac_destroy_vnode(struct vnode *);
diff --git a/sys/security/mac/mac_internal.h b/sys/security/mac/mac_internal.h
index bf6c999..f9eb44e 100644
--- a/sys/security/mac/mac_internal.h
+++ b/sys/security/mac/mac_internal.h
@@ -185,7 +185,7 @@ SYSCTL_NODE(_security_mac_debug, OID_AUTO, counters, CTLFLAG_RW, 0,
static unsigned int nmacmbufs, nmaccreds, nmacifnets, nmacbpfdescs,
nmacsockets, nmacmounts, nmactemp, nmacvnodes, nmacdevfsdirents,
- nmacipqs, nmacpipes;
+ nmacipqs, nmacpipes, nmacprocs;
SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, mbufs, CTLFLAG_RD,
&nmacmbufs, 0, "number of mbufs in use");
@@ -201,6 +201,8 @@ SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, sockets, CTLFLAG_RD,
&nmacsockets, 0, "number of sockets in use");
SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, pipes, CTLFLAG_RD,
&nmacpipes, 0, "number of pipes in use");
+SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, procs, CTLFLAG_RD,
+ &nmacprocs, 0, "number of procs in use");
SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, mounts, CTLFLAG_RD,
&nmacmounts, 0, "number of mounts in use");
SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, temp, CTLFLAG_RD,
@@ -762,6 +764,17 @@ mac_init_pipe(struct pipe *pipe)
mac_init_pipe_label(label);
}
+void
+mac_init_proc(struct proc *p)
+{
+
+ mac_init_label(&p->p_label);
+ MAC_PERFORM(init_proc_label, &p->p_label);
+#ifdef MAC_DEBUG
+ atomic_add_int(&nmacprocs, 1);
+#endif
+}
+
static int
mac_init_socket_label(struct label *label, int flag)
{
@@ -945,6 +958,17 @@ mac_destroy_pipe(struct pipe *pipe)
free(pipe->pipe_label, M_MACPIPELABEL);
}
+void
+mac_destroy_proc(struct proc *p)
+{
+
+ MAC_PERFORM(destroy_proc_label, &p->p_label);
+ mac_destroy_label(&p->p_label);
+#ifdef MAC_DEBUG
+ atomic_subtract_int(&nmacprocs, 1);
+#endif
+}
+
static void
mac_destroy_socket_label(struct label *label)
{
diff --git a/sys/security/mac/mac_net.c b/sys/security/mac/mac_net.c
index bf6c999..f9eb44e 100644
--- a/sys/security/mac/mac_net.c
+++ b/sys/security/mac/mac_net.c
@@ -185,7 +185,7 @@ SYSCTL_NODE(_security_mac_debug, OID_AUTO, counters, CTLFLAG_RW, 0,
static unsigned int nmacmbufs, nmaccreds, nmacifnets, nmacbpfdescs,
nmacsockets, nmacmounts, nmactemp, nmacvnodes, nmacdevfsdirents,
- nmacipqs, nmacpipes;
+ nmacipqs, nmacpipes, nmacprocs;
SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, mbufs, CTLFLAG_RD,
&nmacmbufs, 0, "number of mbufs in use");
@@ -201,6 +201,8 @@ SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, sockets, CTLFLAG_RD,
&nmacsockets, 0, "number of sockets in use");
SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, pipes, CTLFLAG_RD,
&nmacpipes, 0, "number of pipes in use");
+SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, procs, CTLFLAG_RD,
+ &nmacprocs, 0, "number of procs in use");
SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, mounts, CTLFLAG_RD,
&nmacmounts, 0, "number of mounts in use");
SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, temp, CTLFLAG_RD,
@@ -762,6 +764,17 @@ mac_init_pipe(struct pipe *pipe)
mac_init_pipe_label(label);
}
+void
+mac_init_proc(struct proc *p)
+{
+
+ mac_init_label(&p->p_label);
+ MAC_PERFORM(init_proc_label, &p->p_label);
+#ifdef MAC_DEBUG
+ atomic_add_int(&nmacprocs, 1);
+#endif
+}
+
static int
mac_init_socket_label(struct label *label, int flag)
{
@@ -945,6 +958,17 @@ mac_destroy_pipe(struct pipe *pipe)
free(pipe->pipe_label, M_MACPIPELABEL);
}
+void
+mac_destroy_proc(struct proc *p)
+{
+
+ MAC_PERFORM(destroy_proc_label, &p->p_label);
+ mac_destroy_label(&p->p_label);
+#ifdef MAC_DEBUG
+ atomic_subtract_int(&nmacprocs, 1);
+#endif
+}
+
static void
mac_destroy_socket_label(struct label *label)
{
diff --git a/sys/security/mac/mac_pipe.c b/sys/security/mac/mac_pipe.c
index bf6c999..f9eb44e 100644
--- a/sys/security/mac/mac_pipe.c
+++ b/sys/security/mac/mac_pipe.c
@@ -185,7 +185,7 @@ SYSCTL_NODE(_security_mac_debug, OID_AUTO, counters, CTLFLAG_RW, 0,
static unsigned int nmacmbufs, nmaccreds, nmacifnets, nmacbpfdescs,
nmacsockets, nmacmounts, nmactemp, nmacvnodes, nmacdevfsdirents,
- nmacipqs, nmacpipes;
+ nmacipqs, nmacpipes, nmacprocs;
SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, mbufs, CTLFLAG_RD,
&nmacmbufs, 0, "number of mbufs in use");
@@ -201,6 +201,8 @@ SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, sockets, CTLFLAG_RD,
&nmacsockets, 0, "number of sockets in use");
SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, pipes, CTLFLAG_RD,
&nmacpipes, 0, "number of pipes in use");
+SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, procs, CTLFLAG_RD,
+ &nmacprocs, 0, "number of procs in use");
SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, mounts, CTLFLAG_RD,
&nmacmounts, 0, "number of mounts in use");
SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, temp, CTLFLAG_RD,
@@ -762,6 +764,17 @@ mac_init_pipe(struct pipe *pipe)
mac_init_pipe_label(label);
}
+void
+mac_init_proc(struct proc *p)
+{
+
+ mac_init_label(&p->p_label);
+ MAC_PERFORM(init_proc_label, &p->p_label);
+#ifdef MAC_DEBUG
+ atomic_add_int(&nmacprocs, 1);
+#endif
+}
+
static int
mac_init_socket_label(struct label *label, int flag)
{
@@ -945,6 +958,17 @@ mac_destroy_pipe(struct pipe *pipe)
free(pipe->pipe_label, M_MACPIPELABEL);
}
+void
+mac_destroy_proc(struct proc *p)
+{
+
+ MAC_PERFORM(destroy_proc_label, &p->p_label);
+ mac_destroy_label(&p->p_label);
+#ifdef MAC_DEBUG
+ atomic_subtract_int(&nmacprocs, 1);
+#endif
+}
+
static void
mac_destroy_socket_label(struct label *label)
{
diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h
index 96fc060..454e6c6 100644
--- a/sys/security/mac/mac_policy.h
+++ b/sys/security/mac/mac_policy.h
@@ -80,6 +80,7 @@ struct mac_policy_ops {
int (*mpo_init_socket_label)(struct label *label, int flag);
int (*mpo_init_socket_peer_label)(struct label *label, int flag);
void (*mpo_init_pipe_label)(struct label *label);
+ void (*mpo_init_proc_label)(struct label *label);
void (*mpo_init_vnode_label)(struct label *label);
void (*mpo_destroy_bpfdesc_label)(struct label *label);
void (*mpo_destroy_cred_label)(struct label *label);
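Review bot: The new mpo_init_proc_label and mpo_destroy_proc_label members are inserted in the middle of struct mac_policy_ops rather than appended, which shifts every following function pointer; a policy module built against the previous layout would dispatch through the wrong slots until rebuilt. That is presumably acceptable while the interface is in flux and all policies are in-tree, but it deserves a mention, or a bump of whatever version marker the module interface carries. The same insertion is made in the second hunk of this file and in the sys/sys/mac_policy.h section. Since these entry points receive only the label, a one-line comment on the two members such as `/* No framework locking; the policy provides its own. */` would tell policy authors what the framework does not guarantee here.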
@@ -92,6 +93,7 @@ struct mac_policy_ops {
void (*mpo_destroy_socket_label)(struct label *label);
void (*mpo_destroy_socket_peer_label)(struct label *label);
void (*mpo_destroy_pipe_label)(struct label *label);
+ void (*mpo_destroy_proc_label)(struct label *label);
void (*mpo_destroy_vnode_label)(struct label *label);
void (*mpo_copy_pipe_label)(struct label *src,
struct label *dest);
diff --git a/sys/security/mac/mac_process.c b/sys/security/mac/mac_process.c
index bf6c999..f9eb44e 100644
--- a/sys/security/mac/mac_process.c
+++ b/sys/security/mac/mac_process.c
@@ -185,7 +185,7 @@ SYSCTL_NODE(_security_mac_debug, OID_AUTO, counters, CTLFLAG_RW, 0,
static unsigned int nmacmbufs, nmaccreds, nmacifnets, nmacbpfdescs,
nmacsockets, nmacmounts, nmactemp, nmacvnodes, nmacdevfsdirents,
- nmacipqs, nmacpipes;
+ nmacipqs, nmacpipes, nmacprocs;
SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, mbufs, CTLFLAG_RD,
&nmacmbufs, 0, "number of mbufs in use");
@@ -201,6 +201,8 @@ SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, sockets, CTLFLAG_RD,
&nmacsockets, 0, "number of sockets in use");
SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, pipes, CTLFLAG_RD,
&nmacpipes, 0, "number of pipes in use");
+SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, procs, CTLFLAG_RD,
+ &nmacprocs, 0, "number of procs in use");
SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, mounts, CTLFLAG_RD,
&nmacmounts, 0, "number of mounts in use");
SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, temp, CTLFLAG_RD,
@@ -762,6 +764,17 @@ mac_init_pipe(struct pipe *pipe)
mac_init_pipe_label(label);
}
+void
+mac_init_proc(struct proc *p)
+{
+
+ mac_init_label(&p->p_label);
+ MAC_PERFORM(init_proc_label, &p->p_label);
+#ifdef MAC_DEBUG
+ atomic_add_int(&nmacprocs, 1);
+#endif
+}
+
static int
mac_init_socket_label(struct label *label, int flag)
{
@@ -945,6 +958,17 @@ mac_destroy_pipe(struct pipe *pipe)
free(pipe->pipe_label, M_MACPIPELABEL);
}
+void
+mac_destroy_proc(struct proc *p)
+{
+
+ MAC_PERFORM(destroy_proc_label, &p->p_label);
+ mac_destroy_label(&p->p_label);
+#ifdef MAC_DEBUG
+ atomic_subtract_int(&nmacprocs, 1);
+#endif
+}
+
static void
mac_destroy_socket_label(struct label *label)
{
diff --git a/sys/security/mac/mac_syscalls.c b/sys/security/mac/mac_syscalls.c
index bf6c999..f9eb44e 100644
--- a/sys/security/mac/mac_syscalls.c
+++ b/sys/security/mac/mac_syscalls.c
@@ -185,7 +185,7 @@ SYSCTL_NODE(_security_mac_debug, OID_AUTO, counters, CTLFLAG_RW, 0,
static unsigned int nmacmbufs, nmaccreds, nmacifnets, nmacbpfdescs,
nmacsockets, nmacmounts, nmactemp, nmacvnodes, nmacdevfsdirents,
- nmacipqs, nmacpipes;
+ nmacipqs, nmacpipes, nmacprocs;
SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, mbufs, CTLFLAG_RD,
&nmacmbufs, 0, "number of mbufs in use");
@@ -201,6 +201,8 @@ SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, sockets, CTLFLAG_RD,
&nmacsockets, 0, "number of sockets in use");
SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, pipes, CTLFLAG_RD,
&nmacpipes, 0, "number of pipes in use");
+SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, procs, CTLFLAG_RD,
+ &nmacprocs, 0, "number of procs in use");
SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, mounts, CTLFLAG_RD,
&nmacmounts, 0, "number of mounts in use");
SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, temp, CTLFLAG_RD,
@@ -762,6 +764,17 @@ mac_init_pipe(struct pipe *pipe)
mac_init_pipe_label(label);
}
+void
+mac_init_proc(struct proc *p)
+{
+
+ mac_init_label(&p->p_label);
+ MAC_PERFORM(init_proc_label, &p->p_label);
+#ifdef MAC_DEBUG
+ atomic_add_int(&nmacprocs, 1);
+#endif
+}
+
static int
mac_init_socket_label(struct label *label, int flag)
{
@@ -945,6 +958,17 @@ mac_destroy_pipe(struct pipe *pipe)
free(pipe->pipe_label, M_MACPIPELABEL);
}
+void
+mac_destroy_proc(struct proc *p)
+{
+
+ MAC_PERFORM(destroy_proc_label, &p->p_label);
+ mac_destroy_label(&p->p_label);
+#ifdef MAC_DEBUG
+ atomic_subtract_int(&nmacprocs, 1);
+#endif
+}
+
static void
mac_destroy_socket_label(struct label *label)
{
diff --git a/sys/security/mac/mac_system.c b/sys/security/mac/mac_system.c
index bf6c999..f9eb44e 100644
--- a/sys/security/mac/mac_system.c
+++ b/sys/security/mac/mac_system.c
@@ -185,7 +185,7 @@ SYSCTL_NODE(_security_mac_debug, OID_AUTO, counters, CTLFLAG_RW, 0,
static unsigned int nmacmbufs, nmaccreds, nmacifnets, nmacbpfdescs,
nmacsockets, nmacmounts, nmactemp, nmacvnodes, nmacdevfsdirents,
- nmacipqs, nmacpipes;
+ nmacipqs, nmacpipes, nmacprocs;
SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, mbufs, CTLFLAG_RD,
&nmacmbufs, 0, "number of mbufs in use");
@@ -201,6 +201,8 @@ SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, sockets, CTLFLAG_RD,
&nmacsockets, 0, "number of sockets in use");
SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, pipes, CTLFLAG_RD,
&nmacpipes, 0, "number of pipes in use");
+SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, procs, CTLFLAG_RD,
+ &nmacprocs, 0, "number of procs in use");
SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, mounts, CTLFLAG_RD,
&nmacmounts, 0, "number of mounts in use");
SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, temp, CTLFLAG_RD,
@@ -762,6 +764,17 @@ mac_init_pipe(struct pipe *pipe)
mac_init_pipe_label(label);
}
+void
+mac_init_proc(struct proc *p)
+{
+
+ mac_init_label(&p->p_label);
+ MAC_PERFORM(init_proc_label, &p->p_label);
+#ifdef MAC_DEBUG
+ atomic_add_int(&nmacprocs, 1);
+#endif
+}
+
static int
mac_init_socket_label(struct label *label, int flag)
{
@@ -945,6 +958,17 @@ mac_destroy_pipe(struct pipe *pipe)
free(pipe->pipe_label, M_MACPIPELABEL);
}
+void
+mac_destroy_proc(struct proc *p)
+{
+
+ MAC_PERFORM(destroy_proc_label, &p->p_label);
+ mac_destroy_label(&p->p_label);
+#ifdef MAC_DEBUG
+ atomic_subtract_int(&nmacprocs, 1);
+#endif
+}
+
static void
mac_destroy_socket_label(struct label *label)
{
diff --git a/sys/security/mac/mac_vfs.c b/sys/security/mac/mac_vfs.c
index bf6c999..f9eb44e 100644
--- a/sys/security/mac/mac_vfs.c
+++ b/sys/security/mac/mac_vfs.c
@@ -185,7 +185,7 @@ SYSCTL_NODE(_security_mac_debug, OID_AUTO, counters, CTLFLAG_RW, 0,
static unsigned int nmacmbufs, nmaccreds, nmacifnets, nmacbpfdescs,
nmacsockets, nmacmounts, nmactemp, nmacvnodes, nmacdevfsdirents,
- nmacipqs, nmacpipes;
+ nmacipqs, nmacpipes, nmacprocs;
SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, mbufs, CTLFLAG_RD,
&nmacmbufs, 0, "number of mbufs in use");
@@ -201,6 +201,8 @@ SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, sockets, CTLFLAG_RD,
&nmacsockets, 0, "number of sockets in use");
SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, pipes, CTLFLAG_RD,
&nmacpipes, 0, "number of pipes in use");
+SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, procs, CTLFLAG_RD,
+ &nmacprocs, 0, "number of procs in use");
SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, mounts, CTLFLAG_RD,
&nmacmounts, 0, "number of mounts in use");
SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, temp, CTLFLAG_RD,
@@ -762,6 +764,17 @@ mac_init_pipe(struct pipe *pipe)
mac_init_pipe_label(label);
}
+void
+mac_init_proc(struct proc *p)
+{
+
+ mac_init_label(&p->p_label);
+ MAC_PERFORM(init_proc_label, &p->p_label);
+#ifdef MAC_DEBUG
+ atomic_add_int(&nmacprocs, 1);
+#endif
+}
+
static int
mac_init_socket_label(struct label *label, int flag)
{
@@ -945,6 +958,17 @@ mac_destroy_pipe(struct pipe *pipe)
free(pipe->pipe_label, M_MACPIPELABEL);
}
+void
+mac_destroy_proc(struct proc *p)
+{
+
+ MAC_PERFORM(destroy_proc_label, &p->p_label);
+ mac_destroy_label(&p->p_label);
+#ifdef MAC_DEBUG
+ atomic_subtract_int(&nmacprocs, 1);
+#endif
+}
+
static void
mac_destroy_socket_label(struct label *label)
{
diff --git a/sys/sys/mac.h b/sys/sys/mac.h
index 3e7e6bb..89c6efc 100644
--- a/sys/sys/mac.h
+++ b/sys/sys/mac.h
@@ -146,6 +146,7 @@ int mac_init_socket(struct socket *, int flag);
void mac_init_pipe(struct pipe *);
int mac_init_mbuf(struct mbuf *m, int flag);
void mac_init_mount(struct mount *);
+void mac_init_proc(struct proc *);
void mac_init_vnode(struct vnode *);
void mac_init_vnode_label(struct label *);
void mac_copy_vnode_label(struct label *, struct label *label);
@@ -156,6 +157,7 @@ void mac_destroy_ifnet(struct ifnet *);
void mac_destroy_ipq(struct ipq *);
void mac_destroy_socket(struct socket *);
void mac_destroy_pipe(struct pipe *);
+void mac_destroy_proc(struct proc *);
void mac_destroy_mbuf(struct mbuf *);
void mac_destroy_mount(struct mount *);
void mac_destroy_vnode(struct vnode *);
diff --git a/sys/sys/mac_policy.h b/sys/sys/mac_policy.h
index 96fc060..454e6c6 100644
--- a/sys/sys/mac_policy.h
+++ b/sys/sys/mac_policy.h
@@ -80,6 +80,7 @@ struct mac_policy_ops {
int (*mpo_init_socket_label)(struct label *label, int flag);
int (*mpo_init_socket_peer_label)(struct label *label, int flag);
void (*mpo_init_pipe_label)(struct label *label);
+ void (*mpo_init_proc_label)(struct label *label);
void (*mpo_init_vnode_label)(struct label *label);
void (*mpo_destroy_bpfdesc_label)(struct label *label);
void (*mpo_destroy_cred_label)(struct label *label);
@@ -92,6 +93,7 @@ struct mac_policy_ops {
void (*mpo_destroy_socket_label)(struct label *label);
void (*mpo_destroy_socket_peer_label)(struct label *label);
void (*mpo_destroy_pipe_label)(struct label *label);
+ void (*mpo_destroy_proc_label)(struct label *label);
void (*mpo_destroy_vnode_label)(struct label *label);
void (*mpo_copy_pipe_label)(struct label *src,
struct label *dest);
diff --git a/sys/sys/proc.h b/sys/sys/proc.h
index a8f392c..6a64f96 100644
--- a/sys/sys/proc.h
+++ b/sys/sys/proc.h
@@ -50,6 +50,7 @@
#include <sys/rtprio.h> /* XXX */
#include <sys/runq.h>
#include <sys/signal.h>
+#include <sys/_label.h>
#ifndef _KERNEL
#include <sys/time.h> /* For structs itimerval, timeval. */
#else
@@ -592,6 +593,7 @@ struct proc {
struct proc *p_peers; /* (r) */
struct proc *p_leader; /* (b) */
void *p_emuldata; /* (c) Emulator state data. */
+ struct label p_label; /* process (not subject) MAC label */
};
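Review bot: The comment on the new p_label member departs from this file's convention of tagging each member with the lock class that protects it, as the neighbouring lines do with (r), (b) and (c). Because the commit description says the label has no locking semantics and policies protect its contents themselves, say so in the annotation so nobody assumes the proc lock covers it: `struct label p_label; /* process (not subject) MAC label; no framework lock, policy-protected */`. Embedding struct label also changes the size and layout of struct proc, which presumably affects userland consumers that read struct proc out of kernel memory and would need rebuilding; the commit does not mention that.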
#define p_rlimit p_limit->pl_rlimit