-rw-r--r--sys/kern/kern_prot.c18
-rw-r--r--sys/security/audit/audit_syscalls.c6
-rw-r--r--sys/security/mac/mac_audit.c24
-rw-r--r--sys/security/mac/mac_cred.c126
-rw-r--r--sys/security/mac/mac_framework.c3
-rw-r--r--sys/security/mac/mac_framework.h43
-rw-r--r--sys/security/mac/mac_policy.h67
-rw-r--r--sys/security/mac/mac_process.c148
-rw-r--r--sys/security/mac_stub/mac_stub.c203
-rw-r--r--sys/security/mac_test/mac_test.c301
10 files changed, 463 insertions, 476 deletions
diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c
index 3089638..9f13644 100644
--- a/sys/kern/kern_prot.c
+++ b/sys/kern/kern_prot.c
@@ -489,7 +489,7 @@ setuid(struct thread *td, struct setuid_args *uap)
oldcred = p->p_ucred;
#ifdef MAC
- error = mac_proc_check_setuid(p, oldcred, uid);
+ error = mac_cred_check_setuid(oldcred, uid);
if (error)
goto fail;
#endif
@@ -601,7 +601,7 @@ seteuid(struct thread *td, struct seteuid_args *uap)
oldcred = p->p_ucred;
#ifdef MAC
- error = mac_proc_check_seteuid(p, oldcred, euid);
+ error = mac_cred_check_seteuid(oldcred, euid);
if (error)
goto fail;
#endif
@@ -654,7 +654,7 @@ setgid(struct thread *td, struct setgid_args *uap)
oldcred = p->p_ucred;
#ifdef MAC
- error = mac_proc_check_setgid(p, oldcred, gid);
+ error = mac_cred_check_setgid(oldcred, gid);
if (error)
goto fail;
#endif
@@ -753,7 +753,7 @@ setegid(struct thread *td, struct setegid_args *uap)
oldcred = p->p_ucred;
#ifdef MAC
- error = mac_proc_check_setegid(p, oldcred, egid);
+ error = mac_cred_check_setegid(oldcred, egid);
if (error)
goto fail;
#endif
@@ -815,7 +815,7 @@ kern_setgroups(struct thread *td, u_int ngrp, gid_t *groups)
oldcred = p->p_ucred;
#ifdef MAC
- error = mac_proc_check_setgroups(p, oldcred, ngrp, groups);
+ error = mac_cred_check_setgroups(oldcred, ngrp, groups);
if (error)
goto fail;
#endif
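Review bot: In the kern_setgroups hunk, `ngrp` is a `u_int`, but the new `mac_cred_check_setgroups()` prototype takes `int ngroups`, so the group count is implicitly converted to signed before any policy sees it. Whether `ngrp` has already been range-checked at this point is outside the hunk; if it has, the conversion is harmless today, but the mismatch is easy to overlook in a policy that walks `gidset` using `ngroups`. Since the prototype and the `mpo_cred_check_setgroups_t` typedef are introduced in this commit anyway, consider declaring the parameter `u_int ngroups` in both. Otherwise, if the bound does hold, add `/* ngrp has been bounds-checked above. */` before the call.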
@@ -880,7 +880,7 @@ setreuid(register struct thread *td, struct setreuid_args *uap)
oldcred = p->p_ucred;
#ifdef MAC
- error = mac_proc_check_setreuid(p, oldcred, ruid, euid);
+ error = mac_cred_check_setreuid(oldcred, ruid, euid);
if (error)
goto fail;
#endif
@@ -945,7 +945,7 @@ setregid(register struct thread *td, struct setregid_args *uap)
oldcred = p->p_ucred;
#ifdef MAC
- error = mac_proc_check_setregid(p, oldcred, rgid, egid);
+ error = mac_cred_check_setregid(oldcred, rgid, egid);
if (error)
goto fail;
#endif
@@ -1016,7 +1016,7 @@ setresuid(register struct thread *td, struct setresuid_args *uap)
oldcred = p->p_ucred;
#ifdef MAC
- error = mac_proc_check_setresuid(p, oldcred, ruid, euid, suid);
+ error = mac_cred_check_setresuid(oldcred, ruid, euid, suid);
if (error)
goto fail;
#endif
@@ -1093,7 +1093,7 @@ setresgid(register struct thread *td, struct setresgid_args *uap)
oldcred = p->p_ucred;
#ifdef MAC
- error = mac_proc_check_setresgid(p, oldcred, rgid, egid, sgid);
+ error = mac_cred_check_setresgid(oldcred, rgid, egid, sgid);
if (error)
goto fail;
#endif
diff --git a/sys/security/audit/audit_syscalls.c b/sys/security/audit/audit_syscalls.c
index f8d45fe..b70b10d 100644
--- a/sys/security/audit/audit_syscalls.c
+++ b/sys/security/audit/audit_syscalls.c
@@ -474,7 +474,7 @@ setauid(struct thread *td, struct setauid_args *uap)
oldcred = td->td_proc->p_ucred;
crcopy(newcred, oldcred);
#ifdef MAC
- error = mac_proc_check_setauid(oldcred, id);
+ error = mac_cred_check_setauid(oldcred, id);
if (error)
goto fail;
#endif
@@ -539,7 +539,7 @@ setaudit(struct thread *td, struct setaudit_args *uap)
oldcred = td->td_proc->p_ucred;
crcopy(newcred, oldcred);
#ifdef MAC
- error = mac_proc_check_setaudit(oldcred, &ai);
+ error = mac_cred_check_setaudit(oldcred, &ai);
if (error)
goto fail;
#endif
@@ -602,7 +602,7 @@ setaudit_addr(struct thread *td, struct setaudit_addr_args *uap)
oldcred = td->td_proc->p_ucred;
crcopy(newcred, oldcred);
#ifdef MAC
- error = mac_proc_check_setaudit_addr(oldcred, &aia);
+ error = mac_cred_check_setaudit_addr(oldcred, &aia);
if (error)
goto fail;
#endif
diff --git a/sys/security/mac/mac_audit.c b/sys/security/mac/mac_audit.c
index 6310b04..9bc2e27 100644
--- a/sys/security/mac/mac_audit.c
+++ b/sys/security/mac/mac_audit.c
@@ -58,43 +58,43 @@ __FBSDID("$FreeBSD$");
#include <security/mac/mac_internal.h>
#include <security/mac/mac_policy.h>
-MAC_CHECK_PROBE_DEFINE2(proc_check_setaudit, "struct ucred *",
+MAC_CHECK_PROBE_DEFINE2(cred_check_setaudit, "struct ucred *",
"struct auditinfo *");
int
-mac_proc_check_setaudit(struct ucred *cred, struct auditinfo *ai)
+mac_cred_check_setaudit(struct ucred *cred, struct auditinfo *ai)
{
int error;
- MAC_CHECK(proc_check_setaudit, cred, ai);
- MAC_CHECK_PROBE2(proc_check_setaudit, error, cred, ai);
+ MAC_CHECK(cred_check_setaudit, cred, ai);
+ MAC_CHECK_PROBE2(cred_check_setaudit, error, cred, ai);
return (error);
}
-MAC_CHECK_PROBE_DEFINE2(proc_check_setaudit_addr, "struct ucred *",
+MAC_CHECK_PROBE_DEFINE2(cred_check_setaudit_addr, "struct ucred *",
"struct auditinfo_addr *");
int
-mac_proc_check_setaudit_addr(struct ucred *cred, struct auditinfo_addr *aia)
+mac_cred_check_setaudit_addr(struct ucred *cred, struct auditinfo_addr *aia)
{
int error;
- MAC_CHECK(proc_check_setaudit_addr, cred, aia);
- MAC_CHECK_PROBE2(proc_check_setaudit_addr, error, cred, aia);
+ MAC_CHECK(cred_check_setaudit_addr, cred, aia);
+ MAC_CHECK_PROBE2(cred_check_setaudit_addr, error, cred, aia);
return (error);
}
-MAC_CHECK_PROBE_DEFINE2(proc_check_setauid, "struct ucred *", "uid_t");
+MAC_CHECK_PROBE_DEFINE2(cred_check_setauid, "struct ucred *", "uid_t");
int
-mac_proc_check_setauid(struct ucred *cred, uid_t auid)
+mac_cred_check_setauid(struct ucred *cred, uid_t auid)
{
int error;
- MAC_CHECK(proc_check_setauid, cred, auid);
- MAC_CHECK_PROBE2(proc_check_setauid, error, cred, auid);
+ MAC_CHECK(cred_check_setauid, cred, auid);
+ MAC_CHECK_PROBE2(cred_check_setauid, error, cred, auid);
return (error);
}
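Review bot: The names passed to `MAC_CHECK_PROBE_DEFINE2` and `MAC_CHECK_PROBE2` change from `proc_check_setaudit`, `proc_check_setaudit_addr` and `proc_check_setauid` to their `cred_check_*` forms, and the same happens to the nine set*id probes that move into mac_cred.c. Assuming these macros derive the tracing probe name from that first argument, any existing script that watches the old names for credential or audit-identity changes will stop producing events without reporting an error. That deserves a line in the commit message or release notes, plus a short comment at the first definition such as `/* Probe renamed from proc_check_setaudit; tracing scripts must follow. */`.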
diff --git a/sys/security/mac/mac_cred.c b/sys/security/mac/mac_cred.c
index 8cac7b3..41c6e66 100644
--- a/sys/security/mac/mac_cred.c
+++ b/sys/security/mac/mac_cred.c
@@ -211,6 +211,132 @@ mac_cred_check_relabel(struct ucred *cred, struct label *newlabel)
return (error);
}
+MAC_CHECK_PROBE_DEFINE2(cred_check_setuid, "struct ucred *", "uid_t");
+
+int
+mac_cred_check_setuid(struct ucred *cred, uid_t uid)
+{
+ int error;
+
+ MAC_CHECK(cred_check_setuid, cred, uid);
+ MAC_CHECK_PROBE2(cred_check_setuid, error, cred, uid);
+
+ return (error);
+}
+
+MAC_CHECK_PROBE_DEFINE2(cred_check_seteuid, "struct ucred *", "uid_t");
+
+int
+mac_cred_check_seteuid(struct ucred *cred, uid_t euid)
+{
+ int error;
+
+ MAC_CHECK(cred_check_seteuid, cred, euid);
+ MAC_CHECK_PROBE2(cred_check_seteuid, error, cred, euid);
+
+ return (error);
+}
+
+MAC_CHECK_PROBE_DEFINE2(cred_check_setgid, "struct ucred *", "gid_t");
+
+int
+mac_cred_check_setgid(struct ucred *cred, gid_t gid)
+{
+ int error;
+
+ MAC_CHECK(cred_check_setgid, cred, gid);
+ MAC_CHECK_PROBE2(cred_check_setgid, error, cred, gid);
+
+ return (error);
+}
+
+MAC_CHECK_PROBE_DEFINE2(cred_check_setegid, "struct ucred *", "gid_t");
+
+int
+mac_cred_check_setegid(struct ucred *cred, gid_t egid)
+{
+ int error;
+
+ MAC_CHECK(cred_check_setegid, cred, egid);
+ MAC_CHECK_PROBE2(cred_check_setegid, error, cred, egid);
+
+ return (error);
+}
+
+MAC_CHECK_PROBE_DEFINE3(cred_check_setgroups, "struct ucred *", "int",
+ "gid_t *");
+
+int
+mac_cred_check_setgroups(struct ucred *cred, int ngroups, gid_t *gidset)
+{
+ int error;
+
+ MAC_CHECK(cred_check_setgroups, cred, ngroups, gidset);
+ MAC_CHECK_PROBE3(cred_check_setgroups, error, cred, ngroups, gidset);
+
+ return (error);
+}
+
+MAC_CHECK_PROBE_DEFINE3(cred_check_setreuid, "struct ucred *", "uid_t",
+ "uid_t");
+
+int
+mac_cred_check_setreuid(struct ucred *cred, uid_t ruid, uid_t euid)
+{
+ int error;
+
+ MAC_CHECK(cred_check_setreuid, cred, ruid, euid);
+ MAC_CHECK_PROBE3(cred_check_setreuid, error, cred, ruid, euid);
+
+ return (error);
+}
+
+MAC_CHECK_PROBE_DEFINE3(cred_check_setregid, "struct ucred *", "gid_t",
+ "gid_t");
+
+int
+mac_cred_check_setregid(struct ucred *cred, gid_t rgid, gid_t egid)
+{
+ int error;
+
+ MAC_CHECK(cred_check_setregid, cred, rgid, egid);
+ MAC_CHECK_PROBE3(cred_check_setregid, error, cred, rgid, egid);
+
+ return (error);
+}
+
+MAC_CHECK_PROBE_DEFINE4(cred_check_setresuid, "struct ucred *", "uid_t",
+ "uid_t", "uid_t");
+
+int
+mac_cred_check_setresuid(struct ucred *cred, uid_t ruid, uid_t euid,
+ uid_t suid)
+{
+ int error;
+
+ MAC_CHECK(cred_check_setresuid, cred, ruid, euid, suid);
+ MAC_CHECK_PROBE4(cred_check_setresuid, error, cred, ruid, euid,
+ suid);
+
+ return (error);
+}
+
+MAC_CHECK_PROBE_DEFINE4(cred_check_setresgid, "struct ucred *", "gid_t",
+ "gid_t", "gid_t");
+
+int
+mac_cred_check_setresgid(struct ucred *cred, gid_t rgid, gid_t egid,
+ gid_t sgid)
+{
+ int error;
+
+ MAC_CHECK(cred_check_setresgid, cred, rgid, egid, sgid);
+ MAC_CHECK_PROBE4(cred_check_setresgid, error, cred, rgid, egid,
+ sgid);
+
+ return (error);
+}
+
MAC_CHECK_PROBE_DEFINE2(cred_check_visible, "struct ucred *",
"struct ucred *");
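Review bot: `mac_cred_check_setuid()` and the eight functions after it no longer carry the `PROC_LOCK_ASSERT(p, MA_OWNED)` that each removed `mac_proc_check_set*()` version had, so nothing in the framework now checks that the credential being judged is still the process's credential when the caller installs the new one. The callers in kern_prot.c read `oldcred = p->p_ucred` immediately before the check, but their locking is outside the hunks shown. If they do still hold the process lock across the check and the credential swap, state that contract once above this group, for example `/* Callers hold the process lock: cred must remain p->p_ucred until the new credential is installed. */`. Without the assertion or a comment, a future caller that checks an unlocked or stale `ucred` would not be caught by INVARIANTS builds.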
diff --git a/sys/security/mac/mac_framework.c b/sys/security/mac/mac_framework.c
index 26bdd71..f434df8 100644
--- a/sys/security/mac/mac_framework.c
+++ b/sys/security/mac/mac_framework.c
@@ -17,6 +17,9 @@
* This software was enhanced by SPARTA ISSO under SPAWAR contract
* N66001-04-C-6019 ("SEFOS").
*
+ * This software was developed at the University of Cambridge Computer
+ * Laboratory with support from a grant from Google, Inc.
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h
index 4da4af9..dfc48f8 100644
--- a/sys/security/mac/mac_framework.h
+++ b/sys/security/mac/mac_framework.h
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 1999-2002, 2007-2008 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2007-2009 Robert N. M. Watson
* Copyright (c) 2001-2005 Networks Associates Technology, Inc.
* Copyright (c) 2005-2006 SPARTA, Inc.
* All rights reserved.
@@ -14,6 +14,9 @@
* This software was enhanced by SPARTA ISSO under SPAWAR contract
* N66001-04-C-6019 ("SEFOS").
*
+ * This software was developed at the University of Cambridge Computer
+ * Laboratory with support from a grant from Google, Inc.
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -105,6 +108,22 @@ void mac_bpfdesc_destroy(struct bpf_d *);
void mac_bpfdesc_init(struct bpf_d *);
void mac_cred_associate_nfsd(struct ucred *cred);
+int mac_cred_check_setaudit(struct ucred *cred, struct auditinfo *ai);
+int mac_cred_check_setaudit_addr(struct ucred *cred,
+ struct auditinfo_addr *aia);
+int mac_cred_check_setauid(struct ucred *cred, uid_t auid);
+int mac_cred_check_setegid(struct ucred *cred, gid_t egid);
+int mac_cred_check_seteuid(struct ucred *cred, uid_t euid);
+int mac_cred_check_setgid(struct ucred *cred, gid_t gid);
+int mac_cred_check_setgroups(struct ucred *cred, int ngroups,
+ gid_t *gidset);
+int mac_cred_check_setregid(struct ucred *cred, gid_t rgid, gid_t egid);
+int mac_cred_check_setresgid(struct ucred *cred, gid_t rgid, gid_t egid,
+ gid_t sgid);
+int mac_cred_check_setresuid(struct ucred *cred, uid_t ruid, uid_t euid,
+ uid_t suid);
+int mac_cred_check_setreuid(struct ucred *cred, uid_t ruid, uid_t euid);
+int mac_cred_check_setuid(struct ucred *cred, uid_t uid);
int mac_cred_check_visible(struct ucred *cr1, struct ucred *cr2);
void mac_cred_copy(struct ucred *cr1, struct ucred *cr2);
void mac_cred_create_init(struct ucred *cred);
@@ -233,28 +252,6 @@ int mac_priv_grant(struct ucred *cred, int priv);
int mac_proc_check_debug(struct ucred *cred, struct proc *p);
int mac_proc_check_sched(struct ucred *cred, struct proc *p);
-int mac_proc_check_setaudit(struct ucred *cred, struct auditinfo *ai);
-int mac_proc_check_setaudit_addr(struct ucred *cred,
- struct auditinfo_addr *aia);
-int mac_proc_check_setauid(struct ucred *cred, uid_t auid);
-int mac_proc_check_setegid(struct proc *p, struct ucred *cred,
- gid_t egid);
-int mac_proc_check_seteuid(struct proc *p, struct ucred *cred,
- uid_t euid);
-int mac_proc_check_setgid(struct proc *p, struct ucred *cred,
- gid_t gid);
-int mac_proc_check_setgroups(struct proc *p, struct ucred *cred,
- int ngroups, gid_t *gidset);
-int mac_proc_check_setregid(struct proc *p, struct ucred *cred,
- gid_t rgid, gid_t egid);
-int mac_proc_check_setresgid(struct proc *p, struct ucred *cred,
- gid_t rgid, gid_t egid, gid_t sgid);
-int mac_proc_check_setresuid(struct proc *p, struct ucred *cred,
- uid_t ruid, uid_t euid, uid_t suid);
-int mac_proc_check_setreuid(struct proc *p, struct ucred *cred,
- uid_t ruid, uid_t euid);
-int mac_proc_check_setuid(struct proc *p, struct ucred *cred,
- uid_t uid);
int mac_proc_check_signal(struct ucred *cred, struct proc *p,
int signum);
int mac_proc_check_wait(struct ucred *cred, struct proc *p);
diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h
index e333409..410906b 100644
--- a/sys/security/mac/mac_policy.h
+++ b/sys/security/mac/mac_policy.h
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 1999-2002, 2007-2008 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2007-2009 Robert N. M. Watson
* Copyright (c) 2001-2005 Networks Associates Technology, Inc.
* Copyright (c) 2005-2006 SPARTA, Inc.
* Copyright (c) 2008 Apple Inc.
@@ -15,6 +15,9 @@
* This software was enhanced by SPARTA ISSO under SPAWAR contract
* N66001-04-C-6019 ("SEFOS").
*
+ * This software was developed at the University of Cambridge Computer
+ * Laboratory with support from a grant from Google, Inc.
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -132,6 +135,25 @@ typedef void (*mpo_bpfdesc_init_label_t)(struct label *label);
typedef void (*mpo_cred_associate_nfsd_t)(struct ucred *cred);
typedef int (*mpo_cred_check_relabel_t)(struct ucred *cred,
struct label *newlabel);
+typedef int (*mpo_cred_check_setaudit_t)(struct ucred *cred,
+ struct auditinfo *ai);
+typedef int (*mpo_cred_check_setaudit_addr_t)(struct ucred *cred,
+ struct auditinfo_addr *aia);
+typedef int (*mpo_cred_check_setauid_t)(struct ucred *cred, uid_t auid);
+typedef int (*mpo_cred_check_setegid_t)(struct ucred *cred, gid_t egid);
+typedef int (*mpo_cred_check_seteuid_t)(struct ucred *cred, uid_t euid);
+typedef int (*mpo_cred_check_setgid_t)(struct ucred *cred, gid_t gid);
+typedef int (*mpo_cred_check_setgroups_t)(struct ucred *cred, int ngroups,
+ gid_t *gidset);
+typedef int (*mpo_cred_check_setregid_t)(struct ucred *cred, gid_t rgid,
+ gid_t egid);
+typedef int (*mpo_cred_check_setresgid_t)(struct ucred *cred, gid_t rgid,
+ gid_t egid, gid_t sgid);
+typedef int (*mpo_cred_check_setresuid_t)(struct ucred *cred, uid_t ruid,
+ uid_t euid, uid_t suid);
+typedef int (*mpo_cred_check_setreuid_t)(struct ucred *cred, uid_t ruid,
+ uid_t euid);
+typedef int (*mpo_cred_check_setuid_t)(struct ucred *cred, uid_t uid);
typedef int (*mpo_cred_check_visible_t)(struct ucred *cr1,
struct ucred *cr2);
typedef void (*mpo_cred_copy_label_t)(struct label *src,
@@ -353,25 +375,6 @@ typedef int (*mpo_proc_check_debug_t)(struct ucred *cred,
struct proc *p);
typedef int (*mpo_proc_check_sched_t)(struct ucred *cred,
struct proc *p);
-typedef int (*mpo_proc_check_setaudit_t)(struct ucred *cred,
- struct auditinfo *ai);
-typedef int (*mpo_proc_check_setaudit_addr_t)(struct ucred *cred,
- struct auditinfo_addr *aia);
-typedef int (*mpo_proc_check_setauid_t)(struct ucred *cred, uid_t auid);
-typedef int (*mpo_proc_check_setegid_t)(struct ucred *cred, gid_t egid);
-typedef int (*mpo_proc_check_seteuid_t)(struct ucred *cred, uid_t euid);
-typedef int (*mpo_proc_check_setgid_t)(struct ucred *cred, gid_t gid);
-typedef int (*mpo_proc_check_setgroups_t)(struct ucred *cred, int ngroups,
- gid_t *gidset);
-typedef int (*mpo_proc_check_setregid_t)(struct ucred *cred, gid_t rgid,
- gid_t egid);
-typedef int (*mpo_proc_check_setresgid_t)(struct ucred *cred, gid_t rgid,
- gid_t egid, gid_t sgid);
-typedef int (*mpo_proc_check_setresuid_t)(struct ucred *cred, uid_t ruid,
- uid_t euid, uid_t suid);
-typedef int (*mpo_proc_check_setreuid_t)(struct ucred *cred, uid_t ruid,
- uid_t euid);
-typedef int (*mpo_proc_check_setuid_t)(struct ucred *cred, uid_t uid);
typedef int (*mpo_proc_check_signal_t)(struct ucred *cred,
struct proc *proc, int signum);
typedef int (*mpo_proc_check_wait_t)(struct ucred *cred,
@@ -679,6 +682,18 @@ struct mac_policy_ops {
mpo_cred_associate_nfsd_t mpo_cred_associate_nfsd;
mpo_cred_check_relabel_t mpo_cred_check_relabel;
+ mpo_cred_check_setaudit_t mpo_cred_check_setaudit;
+ mpo_cred_check_setaudit_addr_t mpo_cred_check_setaudit_addr;
+ mpo_cred_check_setauid_t mpo_cred_check_setauid;
+ mpo_cred_check_setuid_t mpo_cred_check_setuid;
+ mpo_cred_check_seteuid_t mpo_cred_check_seteuid;
+ mpo_cred_check_setgid_t mpo_cred_check_setgid;
+ mpo_cred_check_setegid_t mpo_cred_check_setegid;
+ mpo_cred_check_setgroups_t mpo_cred_check_setgroups;
+ mpo_cred_check_setreuid_t mpo_cred_check_setreuid;
+ mpo_cred_check_setregid_t mpo_cred_check_setregid;
+ mpo_cred_check_setresuid_t mpo_cred_check_setresuid;
+ mpo_cred_check_setresgid_t mpo_cred_check_setresgid;
mpo_cred_check_visible_t mpo_cred_check_visible;
mpo_cred_copy_label_t mpo_cred_copy_label;
mpo_cred_create_swapper_t mpo_cred_create_swapper;
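Review bot: Moving the twelve entry points from the `mpo_proc_check_*` position to the `mpo_cred_check_*` position (this hunk plus the matching removal in the next one) shifts the offset of every `struct mac_policy_ops` member between the two locations, and the mac_policy.h hunks in this diff do not touch any interface version constant. A policy module built against the old header would then present its hooks in the wrong slots, so a set*id or audit check could be skipped or the wrong function called. If the framework compares a policy ABI version at registration (not visible here), it should be incremented in this same commit. At minimum, add a comment on the moved block such as `/* Moved from mpo_proc_check_set*; out-of-tree policies must be rebuilt. */`.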
@@ -798,18 +813,6 @@ struct mac_policy_ops {
mpo_proc_check_debug_t mpo_proc_check_debug;
mpo_proc_check_sched_t mpo_proc_check_sched;
- mpo_proc_check_setaudit_t mpo_proc_check_setaudit;
- mpo_proc_check_setaudit_addr_t mpo_proc_check_setaudit_addr;
- mpo_proc_check_setauid_t mpo_proc_check_setauid;
- mpo_proc_check_setuid_t mpo_proc_check_setuid;
- mpo_proc_check_seteuid_t mpo_proc_check_seteuid;
- mpo_proc_check_setgid_t mpo_proc_check_setgid;
- mpo_proc_check_setegid_t mpo_proc_check_setegid;
- mpo_proc_check_setgroups_t mpo_proc_check_setgroups;
- mpo_proc_check_setreuid_t mpo_proc_check_setreuid;
- mpo_proc_check_setregid_t mpo_proc_check_setregid;
- mpo_proc_check_setresuid_t mpo_proc_check_setresuid;
- mpo_proc_check_setresgid_t mpo_proc_check_setresgid;
mpo_proc_check_signal_t mpo_proc_check_signal;
mpo_proc_check_wait_t mpo_proc_check_wait;
mpo_proc_destroy_label_t mpo_proc_destroy_label;
diff --git a/sys/security/mac/mac_process.c b/sys/security/mac/mac_process.c
index 0a98585..7faa7ae 100644
--- a/sys/security/mac/mac_process.c
+++ b/sys/security/mac/mac_process.c
@@ -2,7 +2,6 @@
* Copyright (c) 1999-2002, 2008-2009 Robert N. M. Watson
* Copyright (c) 2001 Ilmar S. Habibulin
* Copyright (c) 2001-2003 Networks Associates Technology, Inc.
- * Copyright (c) 2005 Samy Al Bahra
* Copyright (c) 2006 SPARTA, Inc.
* Copyright (c) 2008 Apple Inc.
* All rights reserved.
@@ -424,153 +423,6 @@ mac_proc_check_signal(struct ucred *cred, struct proc *p, int signum)
return (error);
}
-MAC_CHECK_PROBE_DEFINE2(proc_check_setuid, "struct ucred *", "uid_t");
-
-int
-mac_proc_check_setuid(struct proc *p, struct ucred *cred, uid_t uid)
-{
- int error;
-
- PROC_LOCK_ASSERT(p, MA_OWNED);
-
- MAC_CHECK(proc_check_setuid, cred, uid);
- MAC_CHECK_PROBE2(proc_check_setuid, error, cred, uid);
-
- return (error);
-}
-
-MAC_CHECK_PROBE_DEFINE2(proc_check_seteuid, "struct ucred *", "uid_t");
-
-int
-mac_proc_check_seteuid(struct proc *p, struct ucred *cred, uid_t euid)
-{
- int error;
-
- PROC_LOCK_ASSERT(p, MA_OWNED);
-
- MAC_CHECK(proc_check_seteuid, cred, euid);
- MAC_CHECK_PROBE2(proc_check_seteuid, error, cred, euid);
-
- return (error);
-}
-
-MAC_CHECK_PROBE_DEFINE2(proc_check_setgid, "struct ucred *", "gid_t");
-
-int
-mac_proc_check_setgid(struct proc *p, struct ucred *cred, gid_t gid)
-{
- int error;
-
- PROC_LOCK_ASSERT(p, MA_OWNED);
-
- MAC_CHECK(proc_check_setgid, cred, gid);
- MAC_CHECK_PROBE2(proc_check_setgid, error, cred, gid);
-
- return (error);
-}
-
-MAC_CHECK_PROBE_DEFINE2(proc_check_setegid, "struct ucred *", "gid_t");
-
-int
-mac_proc_check_setegid(struct proc *p, struct ucred *cred, gid_t egid)
-{
- int error;
-
- PROC_LOCK_ASSERT(p, MA_OWNED);
-
- MAC_CHECK(proc_check_setegid, cred, egid);
- MAC_CHECK_PROBE2(proc_check_setegid, error, cred, egid);
-
- return (error);
-}
-
-MAC_CHECK_PROBE_DEFINE3(proc_check_setgroups, "struct ucred *", "int",
- "gid_t *");
-
-int
-mac_proc_check_setgroups(struct proc *p, struct ucred *cred, int ngroups,
- gid_t *gidset)
-{
- int error;
-
- PROC_LOCK_ASSERT(p, MA_OWNED);
-
- MAC_CHECK(proc_check_setgroups, cred, ngroups, gidset);
- MAC_CHECK_PROBE3(proc_check_setgroups, error, cred, ngroups, gidset);
-
- return (error);
-}
-
-MAC_CHECK_PROBE_DEFINE3(proc_check_setreuid, "struct ucred *", "uid_t",
- "uid_t");
-
-int
-mac_proc_check_setreuid(struct proc *p, struct ucred *cred, uid_t ruid,
- uid_t euid)
-{
- int error;
-
- PROC_LOCK_ASSERT(p, MA_OWNED);
-
- MAC_CHECK(proc_check_setreuid, cred, ruid, euid);
- MAC_CHECK_PROBE3(proc_check_setreuid, error, cred, ruid, euid);
-
- return (error);
-}
-
-MAC_CHECK_PROBE_DEFINE3(proc_check_setregid, "struct ucred *", "gid_t",
- "gid_t");
-
-int
-mac_proc_check_setregid(struct proc *proc, struct ucred *cred, gid_t rgid,
- gid_t egid)
-{
- int error;
-
- PROC_LOCK_ASSERT(proc, MA_OWNED);
-
- MAC_CHECK(proc_check_setregid, cred, rgid, egid);
- MAC_CHECK_PROBE3(proc_check_setregid, error, cred, rgid, egid);
-
- return (error);
-}
-
-MAC_CHECK_PROBE_DEFINE4(proc_check_setresuid, "struct ucred *", "uid_t",
- "uid_t", "uid_t");
-
-int
-mac_proc_check_setresuid(struct proc *p, struct ucred *cred, uid_t ruid,
- uid_t euid, uid_t suid)
-{
- int error;
-
- PROC_LOCK_ASSERT(p, MA_OWNED);
-
- MAC_CHECK(proc_check_setresuid, cred, ruid, euid, suid);
- MAC_CHECK_PROBE4(proc_check_setresuid, error, cred, ruid, euid,
- suid);
-
- return (error);
-}
-
-MAC_CHECK_PROBE_DEFINE4(proc_check_setresgid, "struct ucred *", "gid_t",
- "gid_t", "gid_t");
-
-int
-mac_proc_check_setresgid(struct proc *p, struct ucred *cred, gid_t rgid,
- gid_t egid, gid_t sgid)
-{
- int error;
-
- PROC_LOCK_ASSERT(p, MA_OWNED);
-
- MAC_CHECK(proc_check_setresgid, cred, rgid, egid, sgid);
- MAC_CHECK_PROBE4(proc_check_setresgid, error, cred, rgid, egid,
- sgid);
-
- return (error);
-}
-
MAC_CHECK_PROBE_DEFINE2(proc_check_wait, "struct ucred *", "struct proc *");
int
diff --git a/sys/security/mac_stub/mac_stub.c b/sys/security/mac_stub/mac_stub.c
index 23228a7..169198a 100644
--- a/sys/security/mac_stub/mac_stub.c
+++ b/sys/security/mac_stub/mac_stub.c
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 1999-2002, 2007-2008 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2007-2009 Robert N. M. Watson
* Copyright (c) 2001-2005 McAfee, Inc.
* Copyright (c) 2005-2006 SPARTA, Inc.
* Copyright (c) 2008 Apple Inc.
@@ -15,6 +15,9 @@
* This software was enhanced by SPARTA ISSO under SPAWAR contract
* N66001-04-C-6019 ("SEFOS").
*
+ * This software was developed at the University of Cambridge Computer
+ * Laboratory with support from a grant from Google, Inc.
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -199,6 +202,93 @@ stub_cred_check_relabel(struct ucred *cred, struct label *newlabel)
}
static int
+stub_cred_check_setaudit(struct ucred *cred, struct auditinfo *ai)
+{
+
+ return (0);
+}
+
+static int
+stub_cred_check_setaudit_addr(struct ucred *cred, struct auditinfo_addr *aia)
+{
+
+ return (0);
+}
+
+static int
+stub_cred_check_setauid(struct ucred *cred, uid_t auid)
+{
+
+ return (0);
+}
+
+static int
+stub_cred_check_setegid(struct ucred *cred, gid_t egid)
+{
+
+ return (0);
+}
+
+static int
+stub_cred_check_seteuid(struct ucred *cred, uid_t euid)
+{
+
+ return (0);
+}
+
+static int
+stub_cred_check_setgid(struct ucred *cred, gid_t gid)
+{
+
+ return (0);
+}
+
+static int
+stub_cred_check_setgroups(struct ucred *cred, int ngroups,
+ gid_t *gidset)
+{
+
+ return (0);
+}
+
+static int
+stub_cred_check_setregid(struct ucred *cred, gid_t rgid, gid_t egid)
+{
+
+ return (0);
+}
+
+static int
+stub_cred_check_setresgid(struct ucred *cred, gid_t rgid, gid_t egid,
+ gid_t sgid)
+{
+
+ return (0);
+}
+
+static int
+stub_cred_check_setresuid(struct ucred *cred, uid_t ruid, uid_t euid,
+ uid_t suid)
+{
+
+ return (0);
+}
+
+static int
+stub_cred_check_setreuid(struct ucred *cred, uid_t ruid, uid_t euid)
+{
+
+ return (0);
+}
+
+static int
+stub_cred_check_setuid(struct ucred *cred, uid_t uid)
+{
+
+ return (0);
+}
+
+static int
stub_cred_check_visible(struct ucred *cr1, struct ucred *cr2)
{
@@ -701,93 +791,6 @@ stub_proc_check_sched(struct ucred *cred, struct proc *p)
}
static int
-stub_proc_check_setaudit(struct ucred *cred, struct auditinfo *ai)
-{
-
- return (0);
-}
-
-static int
-stub_proc_check_setaudit_addr(struct ucred *cred, struct auditinfo_addr *aia)
-{
-
- return (0);
-}
-
-static int
-stub_proc_check_setauid(struct ucred *cred, uid_t auid)
-{
-
- return (0);
-}
-
-static int
-stub_proc_check_setegid(struct ucred *cred, gid_t egid)
-{
-
- return (0);
-}
-
-static int
-stub_proc_check_seteuid(struct ucred *cred, uid_t euid)
-{
-
- return (0);
-}
-
-static int
-stub_proc_check_setgid(struct ucred *cred, gid_t gid)
-{
-
- return (0);
-}
-
-static int
-stub_proc_check_setgroups(struct ucred *cred, int ngroups,
- gid_t *gidset)
-{
-
- return (0);
-}
-
-static int
-stub_proc_check_setregid(struct ucred *cred, gid_t rgid, gid_t egid)
-{
-
- return (0);
-}
-
-static int
-stub_proc_check_setresgid(struct ucred *cred, gid_t rgid, gid_t egid,
- gid_t sgid)
-{
-
- return (0);
-}
-
-static int
-stub_proc_check_setresuid(struct ucred *cred, uid_t ruid, uid_t euid,
- uid_t suid)
-{
-
- return (0);
-}
-
-static int
-stub_proc_check_setreuid(struct ucred *cred, uid_t ruid, uid_t euid)
-{
-
- return (0);
-}
-
-static int
-stub_proc_check_setuid(struct ucred *cred, uid_t uid)
-{
-
- return (0);
-}
-
-static int
stub_proc_check_signal(struct ucred *cred, struct proc *p, int signum)
{
@@ -1541,6 +1544,18 @@ static struct mac_policy_ops stub_ops =
.mpo_cred_associate_nfsd = stub_cred_associate_nfsd,
.mpo_cred_check_relabel = stub_cred_check_relabel,
+ .mpo_cred_check_setaudit = stub_cred_check_setaudit,
+ .mpo_cred_check_setaudit_addr = stub_cred_check_setaudit_addr,
+ .mpo_cred_check_setauid = stub_cred_check_setauid,
+ .mpo_cred_check_setegid = stub_cred_check_setegid,
+ .mpo_cred_check_seteuid = stub_cred_check_seteuid,
+ .mpo_cred_check_setgid = stub_cred_check_setgid,
+ .mpo_cred_check_setgroups = stub_cred_check_setgroups,
+ .mpo_cred_check_setregid = stub_cred_check_setregid,
+ .mpo_cred_check_setresgid = stub_cred_check_setresgid,
+ .mpo_cred_check_setresuid = stub_cred_check_setresuid,
+ .mpo_cred_check_setreuid = stub_cred_check_setreuid,
+ .mpo_cred_check_setuid = stub_cred_check_setuid,
.mpo_cred_check_visible = stub_cred_check_visible,
.mpo_cred_copy_label = stub_copy_label,
.mpo_cred_create_init = stub_cred_create_init,
@@ -1660,18 +1675,6 @@ static struct mac_policy_ops stub_ops =
.mpo_proc_check_debug = stub_proc_check_debug,
.mpo_proc_check_sched = stub_proc_check_sched,
- .mpo_proc_check_setaudit = stub_proc_check_setaudit,
- .mpo_proc_check_setaudit_addr = stub_proc_check_setaudit_addr,
- .mpo_proc_check_setauid = stub_proc_check_setauid,
- .mpo_proc_check_setegid = stub_proc_check_setegid,
- .mpo_proc_check_seteuid = stub_proc_check_seteuid,
- .mpo_proc_check_setgid = stub_proc_check_setgid,
- .mpo_proc_check_setgroups = stub_proc_check_setgroups,
- .mpo_proc_check_setregid = stub_proc_check_setregid,
- .mpo_proc_check_setresgid = stub_proc_check_setresgid,
- .mpo_proc_check_setresuid = stub_proc_check_setresuid,
- .mpo_proc_check_setreuid = stub_proc_check_setreuid,
- .mpo_proc_check_setuid = stub_proc_check_setuid,
.mpo_proc_check_signal = stub_proc_check_signal,
.mpo_proc_check_wait = stub_proc_check_wait,
diff --git a/sys/security/mac_test/mac_test.c b/sys/security/mac_test/mac_test.c
index 13086f2..95ce8a3 100644
--- a/sys/security/mac_test/mac_test.c
+++ b/sys/security/mac_test/mac_test.c
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 1999-2002, 2007-2008 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2007-2009 Robert N. M. Watson
* Copyright (c) 2001-2005 McAfee, Inc.
* Copyright (c) 2006 SPARTA, Inc.
* Copyright (c) 2008 Apple Inc.
@@ -15,6 +15,9 @@
* This software was enhanced by SPARTA ISSO under SPAWAR contract
* N66001-04-C-6019 ("SEFOS").
*
+ * This software was developed at the University of Cambridge Computer
+ * Laboratory with support from a grant from Google, Inc.
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -220,6 +223,142 @@ test_cred_check_relabel(struct ucred *cred, struct label *newlabel)
return (0);
}
+COUNTER_DECL(cred_check_setaudit);
+static int
+test_cred_check_setaudit(struct ucred *cred, struct auditinfo *ai)
+{
+
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ COUNTER_INC(cred_check_setaudit);
+
+ return (0);
+}
+
+COUNTER_DECL(cred_check_setaudit_addr);
+static int
+test_cred_check_setaudit_addr(struct ucred *cred,
+ struct auditinfo_addr *aia)
+{
+
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ COUNTER_INC(cred_check_setaudit_addr);
+
+ return (0);
+}
+
+COUNTER_DECL(cred_check_setauid);
+static int
+test_cred_check_setauid(struct ucred *cred, uid_t auid)
+{
+
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ COUNTER_INC(cred_check_setauid);
+
+ return (0);
+}
+
+COUNTER_DECL(cred_check_setegid);
+static int
+test_cred_check_setegid(struct ucred *cred, gid_t egid)
+{
+
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ COUNTER_INC(cred_check_setegid);
+
+ return (0);
+}
+
+COUNTER_DECL(proc_check_euid);
+static int
+test_cred_check_seteuid(struct ucred *cred, uid_t euid)
+{
+
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ COUNTER_INC(proc_check_euid);
+
+ return (0);
+}
+
+COUNTER_DECL(cred_check_setregid);
+static int
+test_cred_check_setregid(struct ucred *cred, gid_t rgid, gid_t egid)
+{
+
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ COUNTER_INC(cred_check_setregid);
+
+ return (0);
+}
+
+COUNTER_DECL(cred_check_setreuid);
+static int
+test_cred_check_setreuid(struct ucred *cred, uid_t ruid, uid_t euid)
+{
+
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ COUNTER_INC(cred_check_setreuid);
+
+ return (0);
+}
+
+COUNTER_DECL(cred_check_setgid);
+static int
+test_cred_check_setgid(struct ucred *cred, gid_t gid)
+{
+
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ COUNTER_INC(cred_check_setgid);
+
+ return (0);
+}
+
+COUNTER_DECL(cred_check_setgroups);
+static int
+test_cred_check_setgroups(struct ucred *cred, int ngroups,
+ gid_t *gidset)
+{
+
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ COUNTER_INC(cred_check_setgroups);
+
+ return (0);
+}
+
+COUNTER_DECL(cred_check_setresgid);
+static int
+test_cred_check_setresgid(struct ucred *cred, gid_t rgid, gid_t egid,
+ gid_t sgid)
+{
+
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ COUNTER_INC(cred_check_setresgid);
+
+ return (0);
+}
+
+COUNTER_DECL(cred_check_setresuid);
+static int
+test_cred_check_setresuid(struct ucred *cred, uid_t ruid, uid_t euid,
+ uid_t suid)
+{
+
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ COUNTER_INC(cred_check_setresuid);
+
+ return (0);
+}
+
+COUNTER_DECL(cred_check_setuid);
+static int
+test_cred_check_setuid(struct ucred *cred, uid_t uid)
+{
+
+ LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+ COUNTER_INC(cred_check_setuid);
+
+ return (0);
+}
+
COUNTER_DECL(cred_check_visible);
static int
test_cred_check_visible(struct ucred *u1, struct ucred *u2)
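Review bot: `test_cred_check_seteuid()` still declares and increments the counter `proc_check_euid`, while every other function added in this hunk uses a `cred_check_set*` counter matching its own name. The removed `test_proc_check_seteuid()` used the same name, so this looks like an older inconsistency carried across the rename rather than a deliberate choice. Anyone reading the test module's counters to confirm the seteuid hook fired will look for `cred_check_seteuid` and not find it. Suggest `COUNTER_DECL(cred_check_seteuid);` and `COUNTER_INC(cred_check_seteuid);`.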
@@ -1350,142 +1489,6 @@ test_proc_check_signal(struct ucred *cred, struct proc *p, int signum)
return (0);
}
-COUNTER_DECL(proc_check_setaudit);
-static int
-test_proc_check_setaudit(struct ucred *cred, struct auditinfo *ai)
-{
-
- LABEL_CHECK(cred->cr_label, MAGIC_CRED);
- COUNTER_INC(proc_check_setaudit);
-
- return (0);
-}
-
-COUNTER_DECL(proc_check_setaudit_addr);
-static int
-test_proc_check_setaudit_addr(struct ucred *cred,
- struct auditinfo_addr *aia)
-{
-
- LABEL_CHECK(cred->cr_label, MAGIC_CRED);
- COUNTER_INC(proc_check_setaudit_addr);
-
- return (0);
-}
-
-COUNTER_DECL(proc_check_setauid);
-static int
-test_proc_check_setauid(struct ucred *cred, uid_t auid)
-{
-
- LABEL_CHECK(cred->cr_label, MAGIC_CRED);
- COUNTER_INC(proc_check_setauid);
-
- return (0);
-}
-
-COUNTER_DECL(proc_check_setegid);
-static int
-test_proc_check_setegid(struct ucred *cred, gid_t egid)
-{
-
- LABEL_CHECK(cred->cr_label, MAGIC_CRED);
- COUNTER_INC(proc_check_setegid);
-
- return (0);
-}
-
-COUNTER_DECL(proc_check_euid);
-static int
-test_proc_check_seteuid(struct ucred *cred, uid_t euid)
-{
-
- LABEL_CHECK(cred->cr_label, MAGIC_CRED);
- COUNTER_INC(proc_check_euid);
-
- return (0);
-}
-
-COUNTER_DECL(proc_check_setregid);
-static int
-test_proc_check_setregid(struct ucred *cred, gid_t rgid, gid_t egid)
-{
-
- LABEL_CHECK(cred->cr_label, MAGIC_CRED);
- COUNTER_INC(proc_check_setregid);
-
- return (0);
-}
-
-COUNTER_DECL(proc_check_setreuid);
-static int
-test_proc_check_setreuid(struct ucred *cred, uid_t ruid, uid_t euid)
-{
-
- LABEL_CHECK(cred->cr_label, MAGIC_CRED);
- COUNTER_INC(proc_check_setreuid);
-
- return (0);
-}
-
-COUNTER_DECL(proc_check_setgid);
-static int
-test_proc_check_setgid(struct ucred *cred, gid_t gid)
-{
-
- LABEL_CHECK(cred->cr_label, MAGIC_CRED);
- COUNTER_INC(proc_check_setgid);
-
- return (0);
-}
-
-COUNTER_DECL(proc_check_setgroups);
-static int
-test_proc_check_setgroups(struct ucred *cred, int ngroups,
- gid_t *gidset)
-{
-
- LABEL_CHECK(cred->cr_label, MAGIC_CRED);
- COUNTER_INC(proc_check_setgroups);
-
- return (0);
-}
-
-COUNTER_DECL(proc_check_setresgid);
-static int
-test_proc_check_setresgid(struct ucred *cred, gid_t rgid, gid_t egid,
- gid_t sgid)
-{
-
- LABEL_CHECK(cred->cr_label, MAGIC_CRED);
- COUNTER_INC(proc_check_setresgid);
-
- return (0);
-}
-
-COUNTER_DECL(proc_check_setresuid);
-static int
-test_proc_check_setresuid(struct ucred *cred, uid_t ruid, uid_t euid,
- uid_t suid)
-{
-
- LABEL_CHECK(cred->cr_label, MAGIC_CRED);
- COUNTER_INC(proc_check_setresuid);
-
- return (0);
-}
-
-COUNTER_DECL(proc_check_setuid);
-static int
-test_proc_check_setuid(struct ucred *cred, uid_t uid)
-{
-
- LABEL_CHECK(cred->cr_label, MAGIC_CRED);
- COUNTER_INC(proc_check_setuid);
-
- return (0);
-}
-
COUNTER_DECL(proc_check_wait);
static int
test_proc_check_wait(struct ucred *cred, struct proc *p)
@@ -2881,6 +2884,18 @@ static struct mac_policy_ops test_ops =
.mpo_bpfdesc_init_label = test_bpfdesc_init_label,
.mpo_cred_check_relabel = test_cred_check_relabel,
+ .mpo_cred_check_setaudit = test_cred_check_setaudit,
+ .mpo_cred_check_setaudit_addr = test_cred_check_setaudit_addr,
+ .mpo_cred_check_setauid = test_cred_check_setauid,
+ .mpo_cred_check_seteuid = test_cred_check_seteuid,
+ .mpo_cred_check_setegid = test_cred_check_setegid,
+ .mpo_cred_check_setgid = test_cred_check_setgid,
+ .mpo_cred_check_setgroups = test_cred_check_setgroups,
+ .mpo_cred_check_setregid = test_cred_check_setregid,
+ .mpo_cred_check_setresgid = test_cred_check_setresgid,
+ .mpo_cred_check_setresuid = test_cred_check_setresuid,
+ .mpo_cred_check_setreuid = test_cred_check_setreuid,
+ .mpo_cred_check_setuid = test_cred_check_setuid,
.mpo_cred_check_visible = test_cred_check_visible,
.mpo_cred_copy_label = test_cred_copy_label,
.mpo_cred_create_init = test_cred_create_init,
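Review bot: The handler wired to `.mpo_cred_check_seteuid` here still counts under the old name: in the earlier hunk of this file, `test_cred_check_seteuid` is preceded by `COUNTER_DECL(proc_check_euid);` and calls `COUNTER_INC(proc_check_euid);`, while the other moved handlers visible in that hunk use `cred_check_*` counters. If the counter name is what the test policy exposes for checking that an entry point fired (the macro definitions are not visible here, so this is inferred), the seteuid check stays reported under a stale and misspelled name, which makes coverage of that privilege-changing path easy to overlook. I would change the two lines to `COUNTER_DECL(cred_check_seteuid);` and `COUNTER_INC(cred_check_seteuid);`. The `test_ops` initializer itself begins and ends outside this hunk.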
@@ -3010,18 +3025,6 @@ static struct mac_policy_ops test_ops =
.mpo_proc_check_debug = test_proc_check_debug,
.mpo_proc_check_sched = test_proc_check_sched,
- .mpo_proc_check_setaudit = test_proc_check_setaudit,
- .mpo_proc_check_setaudit_addr = test_proc_check_setaudit_addr,
- .mpo_proc_check_setauid = test_proc_check_setauid,
- .mpo_proc_check_seteuid = test_proc_check_seteuid,
- .mpo_proc_check_setegid = test_proc_check_setegid,
- .mpo_proc_check_setgid = test_proc_check_setgid,
- .mpo_proc_check_setgroups = test_proc_check_setgroups,
- .mpo_proc_check_setregid = test_proc_check_setregid,
- .mpo_proc_check_setresgid = test_proc_check_setresgid,
- .mpo_proc_check_setresuid = test_proc_check_setresuid,
- .mpo_proc_check_setreuid = test_proc_check_setreuid,
- .mpo_proc_check_setuid = test_proc_check_setuid,
.mpo_proc_check_signal = test_proc_check_signal,
.mpo_proc_check_wait = test_proc_check_wait,
.mpo_proc_destroy_label = test_proc_destroy_label,