authorrwatson <rwatson@FreeBSD.org>2007-10-25 12:34:14 +0000
committerrwatson <rwatson@FreeBSD.org>2007-10-25 12:34:14 +0000
commit8756317538371eb8709335e44bced5be817fbeec (patch)
tree09ab2e34d1c0854e04e44916dd25df475c7a1a35 /sys
parent2fd98af619b989e0cb105bb5b81e41d895fd8e20 (diff)
Rename mac_associate_nfsd_label() to mac_proc_associate_nfsd(), and move
from mac_vfs.c to mac_process.c to join other functions that set up process labels for specific purposes. Unlike the two proc create calls, this call is intended to run after creation when a process registers as the NFS daemon, so remains an _associate_ call. Obtained from: TrustedBSD Project
Diffstat (limited to 'sys')
-rw-r--r--sys/nfsserver/nfs_srvsock.c2
-rw-r--r--sys/security/mac/mac_framework.h2
-rw-r--r--sys/security/mac/mac_policy.h4
-rw-r--r--sys/security/mac/mac_process.c16
-rw-r--r--sys/security/mac/mac_vfs.c16
-rw-r--r--sys/security/mac_biba/mac_biba.c24
-rw-r--r--sys/security/mac_mls/mac_mls.c24
-rw-r--r--sys/security/mac_stub/mac_stub.c14
8 files changed, 51 insertions, 51 deletions
diff --git a/sys/nfsserver/nfs_srvsock.c b/sys/nfsserver/nfs_srvsock.c
index 053cffc..678191b 100644
--- a/sys/nfsserver/nfs_srvsock.c
+++ b/sys/nfsserver/nfs_srvsock.c
@@ -361,7 +361,7 @@ nfs_getreq(struct nfsrv_descript *nd, struct nfsd *nfsd, int has_header)
nd->nd_cr->cr_groups[0] = nd->nd_cr->cr_rgid =
nd->nd_cr->cr_svgid = fxdr_unsigned(gid_t, *tl++);
#ifdef MAC
- mac_associate_nfsd_label(nd->nd_cr);
+ mac_proc_associate_nfsd(nd->nd_cr);
#endif
len = fxdr_unsigned(int, *tl);
if (len < 0 || len > RPCAUTH_UNIXGIDS) {
diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h
index 44ee79f..098d503 100644
--- a/sys/security/mac/mac_framework.h
+++ b/sys/security/mac/mac_framework.h
@@ -224,6 +224,7 @@ int mac_vnode_execve_will_transition(struct ucred *cred,
struct image_params *imgp);
void mac_proc_create_swapper(struct ucred *cred);
void mac_proc_create_init(struct ucred *cred);
+void mac_proc_associate_nfsd(struct ucred *cred);
void mac_thread_userret(struct thread *td);
/*
@@ -414,7 +415,6 @@ int mac_setsockopt_label(struct ucred *cred, struct socket *so,
int mac_pipe_label_set(struct ucred *cred, struct pipepair *pp,
struct label *label);
void mac_cred_mmapped_drop_perms(struct thread *td, struct ucred *cred);
-void mac_associate_nfsd_label(struct ucred *cred);
int mac_priv_check(struct ucred *cred, int priv);
int mac_priv_grant(struct ucred *cred, int priv);
diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h
index 2ff8c83..a4eff3d 100644
--- a/sys/security/mac/mac_policy.h
+++ b/sys/security/mac/mac_policy.h
@@ -607,7 +607,7 @@ typedef int (*mpo_vnode_check_unlink_t)(struct ucred *cred,
typedef int (*mpo_vnode_check_write_t)(struct ucred *active_cred,
struct ucred *file_cred, struct vnode *vp,
struct label *vplabel);
-typedef void (*mpo_associate_nfsd_label_t)(struct ucred *cred);
+typedef void (*mpo_proc_associate_nfsd_t)(struct ucred *cred);
typedef int (*mpo_priv_check_t)(struct ucred *cred, int priv);
typedef int (*mpo_priv_grant_t)(struct ucred *cred, int priv);
@@ -765,6 +765,7 @@ struct mac_policy_ops {
mpo_vnode_execve_will_transition_t mpo_vnode_execve_will_transition;
mpo_proc_create_swapper_t mpo_proc_create_swapper;
mpo_proc_create_init_t mpo_proc_create_init;
+ mpo_proc_associate_nfsd_t mpo_proc_associate_nfsd;
mpo_cred_relabel_t mpo_cred_relabel;
mpo_placeholder_t _mpo_placeholder6;
mpo_thread_userret_t mpo_thread_userret;
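Review bot: Inserting `mpo_proc_associate_nfsd` after `mpo_proc_create_init` here, and dropping `mpo_associate_nfsd_label` in the hunk at -898, shifts every member of struct mac_policy_ops between those two positions by one slot. The in-tree policies in this commit use designated initializers and simply recompile, but a policy module built against the old header would have its function pointers land on different hooks, which in an access-control framework means wrong or skipped checks rather than a clean load failure. No change to the framework's policy ABI version is visible in this commit; if it is not bumped elsewhere, that should accompany the reorder, with a line in the commit message saying third-party policies must be rebuilt. The struct definition starts and ends outside both hunks.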
@@ -898,7 +899,6 @@ struct mac_policy_ops {
mpo_vnode_check_stat_t mpo_vnode_check_stat;
mpo_vnode_check_unlink_t mpo_vnode_check_unlink;
mpo_vnode_check_write_t mpo_vnode_check_write;
- mpo_associate_nfsd_label_t mpo_associate_nfsd_label;
mpo_mbuf_create_from_firewall_t mpo_mbuf_create_from_firewall;
mpo_init_syncache_label_t mpo_init_syncache_label;
mpo_destroy_syncache_label_t mpo_destroy_syncache_label;
diff --git a/sys/security/mac/mac_process.c b/sys/security/mac/mac_process.c
index c6c5cd8..6ed6d91 100644
--- a/sys/security/mac/mac_process.c
+++ b/sys/security/mac/mac_process.c
@@ -192,6 +192,22 @@ mac_proc_create_init(struct ucred *cred)
MAC_PERFORM(proc_create_init, cred);
}
+/*
+ * When a thread becomes an NFS server daemon, its credential may need to be
+ * updated to reflect this so that policies can recognize when file system
+ * operations originate from the network.
+ *
+ * At some point, it would be desirable if the credential used for each NFS
+ * RPC could be set based on the RPC context (i.e., source system, etc) to
+ * provide more fine-grained access control.
+ */
+void
+mac_proc_associate_nfsd(struct ucred *cred)
+{
+
+ MAC_PERFORM(proc_associate_nfsd, cred);
+}
+
void
mac_thread_userret(struct thread *td)
{
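Review bot: The block comment on mac_proc_associate_nfsd() describes a one-time event ("When a thread becomes an NFS server daemon"), but the only caller visible in this commit is nfs_getreq() in nfs_srvsock.c, which passes `nd->nd_cr` right after filling its group fields from the request, so the hook appears to run on the per-request credential. The commit message justifies the proc_ placement with the same one-time reading. Policy authors rely on this comment to decide what the credential represents, so I would reword the opening to something like `When the NFS server builds the credential for an incoming request, its label may need to be set ...`, or name the daemon-registration call site if one exists. nfs_getreq()'s body continues outside its hunk, so the per-request reading should be confirmed against the full function.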
diff --git a/sys/security/mac/mac_vfs.c b/sys/security/mac/mac_vfs.c
index 85af045..0f0fb9c 100644
--- a/sys/security/mac/mac_vfs.c
+++ b/sys/security/mac/mac_vfs.c
@@ -876,19 +876,3 @@ vn_setlabel(struct vnode *vp, struct label *intlabel, struct ucred *cred)
return (0);
}
-
-/*
- * When a thread becomes an NFS server daemon, its credential may need to be
- * updated to reflect this so that policies can recognize when file system
- * operations originate from the network.
- *
- * At some point, it would be desirable if the credential used for each NFS
- * RPC could be set based on the RPC context (i.e., source system, etc) to
- * provide more fine-grained access control.
- */
-void
-mac_associate_nfsd_label(struct ucred *cred)
-{
-
- MAC_PERFORM(associate_nfsd_label, cred);
-}
diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c
index 80c81ec..d0207bb 100644
--- a/sys/security/mac_biba/mac_biba.c
+++ b/sys/security/mac_biba/mac_biba.c
@@ -1410,6 +1410,17 @@ biba_proc_create_init(struct ucred *cred)
}
static void
+biba_proc_associate_nfsd(struct ucred *cred)
+{
+ struct mac_biba *label;
+
+ label = SLOT(cred->cr_label);
+ biba_set_effective(label, MAC_BIBA_TYPE_LOW, 0, NULL);
+ biba_set_range(label, MAC_BIBA_TYPE_LOW, 0, NULL, MAC_BIBA_TYPE_HIGH,
+ 0, NULL);
+}
+
+static void
biba_cred_relabel(struct ucred *cred, struct label *newlabel)
{
struct mac_biba *source, *dest;
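Review bot: biba_proc_associate_nfsd() carries no comment explaining why the NFS credential gets an effective label of MAC_BIBA_TYPE_LOW together with the full LOW-to-HIGH range, and the move is a good moment to add one. The low effective grade fits the framework comment about operations originating from the network, but the range is the widest the policy can express; if the range is what the policy's relabel or privilege checks consult (not visible in this hunk), the credential may be less constrained than its effective label suggests. Suggest adding `/* NFS requests run at low integrity; the low-high range is kept because <reason to be filled in> */` above the function. The same applies to mls_proc_associate_nfsd() in the mac_mls.c hunk at -1355.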
@@ -3200,17 +3211,6 @@ biba_vnode_check_write(struct ucred *active_cred,
}
static void
-biba_associate_nfsd_label(struct ucred *cred)
-{
- struct mac_biba *label;
-
- label = SLOT(cred->cr_label);
- biba_set_effective(label, MAC_BIBA_TYPE_LOW, 0, NULL);
- biba_set_range(label, MAC_BIBA_TYPE_LOW, 0, NULL, MAC_BIBA_TYPE_HIGH,
- 0, NULL);
-}
-
-static void
biba_init_syncache_from_inpcb(struct label *label, struct inpcb *inp)
{
struct mac_biba *source, *dest;
@@ -3331,6 +3331,7 @@ static struct mac_policy_ops mac_biba_ops =
.mpo_inpcb_sosetlabel = biba_inpcb_sosetlabel,
.mpo_proc_create_swapper = biba_proc_create_swapper,
.mpo_proc_create_init = biba_proc_create_init,
+ .mpo_proc_associate_nfsd = biba_proc_associate_nfsd,
.mpo_cred_relabel = biba_cred_relabel,
.mpo_sysvmsg_cleanup = biba_sysvmsg_cleanup,
.mpo_sysvmsq_cleanup = biba_sysvmsq_cleanup,
@@ -3411,7 +3412,6 @@ static struct mac_policy_ops mac_biba_ops =
.mpo_vnode_check_stat = biba_vnode_check_stat,
.mpo_vnode_check_unlink = biba_vnode_check_unlink,
.mpo_vnode_check_write = biba_vnode_check_write,
- .mpo_associate_nfsd_label = biba_associate_nfsd_label,
.mpo_mbuf_create_from_firewall = biba_mbuf_create_from_firewall,
.mpo_priv_check = biba_priv_check,
};
diff --git a/sys/security/mac_mls/mac_mls.c b/sys/security/mac_mls/mac_mls.c
index cfca2af..5bb5394 100644
--- a/sys/security/mac_mls/mac_mls.c
+++ b/sys/security/mac_mls/mac_mls.c
@@ -1355,6 +1355,17 @@ mls_proc_create_init(struct ucred *cred)
}
static void
+mls_proc_associate_nfsd(struct ucred *cred)
+{
+ struct mac_mls *label;
+
+ label = SLOT(cred->cr_label);
+ mls_set_effective(label, MAC_MLS_TYPE_LOW, 0, NULL);
+ mls_set_range(label, MAC_MLS_TYPE_LOW, 0, NULL, MAC_MLS_TYPE_HIGH, 0,
+ NULL);
+}
+
+static void
mls_cred_relabel(struct ucred *cred, struct label *newlabel)
{
struct mac_mls *source, *dest;
@@ -2847,17 +2858,6 @@ mls_vnode_check_write(struct ucred *active_cred, struct ucred *file_cred,
return (0);
}
-static void
-mls_associate_nfsd_label(struct ucred *cred)
-{
- struct mac_mls *label;
-
- label = SLOT(cred->cr_label);
- mls_set_effective(label, MAC_MLS_TYPE_LOW, 0, NULL);
- mls_set_range(label, MAC_MLS_TYPE_LOW, 0, NULL, MAC_MLS_TYPE_HIGH, 0,
- NULL);
-}
-
static struct mac_policy_ops mls_ops =
{
.mpo_init = mls_init,
@@ -2958,6 +2958,7 @@ static struct mac_policy_ops mls_ops =
.mpo_inpcb_sosetlabel = mls_inpcb_sosetlabel,
.mpo_proc_create_swapper = mls_proc_create_swapper,
.mpo_proc_create_init = mls_proc_create_init,
+ .mpo_proc_associate_nfsd = mls_proc_associate_nfsd,
.mpo_cred_relabel = mls_cred_relabel,
.mpo_sysvmsg_cleanup = mls_sysvmsg_cleanup,
.mpo_sysvmsq_cleanup = mls_sysvmsq_cleanup,
@@ -3034,7 +3035,6 @@ static struct mac_policy_ops mls_ops =
.mpo_vnode_check_stat = mls_vnode_check_stat,
.mpo_vnode_check_unlink = mls_vnode_check_unlink,
.mpo_vnode_check_write = mls_vnode_check_write,
- .mpo_associate_nfsd_label = mls_associate_nfsd_label,
.mpo_mbuf_create_from_firewall = mls_mbuf_create_from_firewall,
};
diff --git a/sys/security/mac_stub/mac_stub.c b/sys/security/mac_stub/mac_stub.c
index 40b4e6c..138a099 100644
--- a/sys/security/mac_stub/mac_stub.c
+++ b/sys/security/mac_stub/mac_stub.c
@@ -186,12 +186,6 @@ stub_vnode_associate_singlelabel(struct mount *mp, struct label *mplabel,
}
static void
-stub_associate_nfsd_label(struct ucred *cred)
-{
-
-}
-
-static void
stub_devfs_create_device(struct ucred *cred, struct mount *mp,
struct cdev *dev, struct devfs_dirent *de, struct label *delabel)
{
@@ -526,6 +520,12 @@ stub_proc_create_init(struct ucred *cred)
}
static void
+stub_proc_associate_nfsd(struct ucred *cred)
+{
+
+}
+
+static void
stub_cred_relabel(struct ucred *cred, struct label *newlabel)
{
@@ -1492,7 +1492,6 @@ static struct mac_policy_ops stub_ops =
.mpo_vnode_internalize_label = stub_internalize_label,
.mpo_devfs_vnode_associate = stub_devfs_vnode_associate,
.mpo_vnode_associate_extattr = stub_vnode_associate_extattr,
- .mpo_associate_nfsd_label = stub_associate_nfsd_label,
.mpo_vnode_associate_singlelabel = stub_vnode_associate_singlelabel,
.mpo_devfs_create_device = stub_devfs_create_device,
.mpo_devfs_create_directory = stub_devfs_create_directory,
@@ -1538,6 +1537,7 @@ static struct mac_policy_ops stub_ops =
.mpo_vnode_execve_will_transition = stub_vnode_execve_will_transition,
.mpo_proc_create_swapper = stub_proc_create_swapper,
.mpo_proc_create_init = stub_proc_create_init,
+ .mpo_proc_associate_nfsd = stub_proc_associate_nfsd,
.mpo_cred_relabel= stub_cred_relabel,
.mpo_thread_userret = stub_thread_userret,
.mpo_sysvmsg_cleanup = stub_sysvmsg_cleanup,