Diffstat (limited to 'sys/sys')
-rw-r--r-- | sys/sys/imgact.h | 2 | ||||
-rw-r--r-- | sys/sys/mac.h | 16 | ||||
-rw-r--r-- | sys/sys/mac_policy.h | 10 |
3 files changed, 21 insertions, 7 deletions
diff --git a/sys/sys/imgact.h b/sys/sys/imgact.h
index 16b6e74..7455f66 100644
--- a/sys/sys/imgact.h
+++ b/sys/sys/imgact.h
@@ -38,6 +38,7 @@
 #define MAXSHELLCMDLEN 128
+struct label;
 struct sysentvec;
 struct thread;
 struct vm_object;
@@ -46,6 +47,7 @@ struct image_params {
 struct proc *proc; /* our process struct */
 char **userspace_argv; /* system call argument */
 char **userspace_envv; /* system call argument */
+struct label *execlabel; /* optional exec label */
 struct vnode *vp; /* pointer to vnode of file to exec */
 struct vm_object *object; /* The vm object for this vp */
 struct vattr *attr; /* attributes of file */
diff --git a/sys/sys/mac.h b/sys/sys/mac.h
index 904ead3..3d56a17 100644
--- a/sys/sys/mac.h
+++ b/sys/sys/mac.h
@@ -84,6 +84,8 @@ typedef struct mac *mac_t;
 * Extended non-POSIX.1e interfaces that offer additional services
 * available from the userland and kernel MAC frameworks.
 */
+int mac_execve(char *fname, char **argv, char **envv,
+ mac_t _label);
 int mac_free(mac_t _label);
 int mac_from_text(mac_t *_label, const char *_text);
 int mac_get_fd(int _fd, mac_t _label);
@@ -113,6 +115,7 @@ struct componentname;
 struct devfs_dirent;
 struct ifnet;
 struct ifreq;
+struct image_params;
 struct ipq;
 struct mbuf;
 struct mount;
@@ -129,7 +132,6 @@ struct vnode;
 #include <sys/acl.h> /* XXX acl_type_t */
-struct vop_refreshlabel_args;
 struct vop_setlabel_args;
 /*
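Review bot: The new `execlabel` member of struct image_params is documented only as `/* optional exec label */`, which leaves a reader of imgact.h without the two facts an exec-path or policy maintainer needs: when it is NULL, and who owns the storage. From the mac.h prototypes it looks as though mac_execve_enter() fills it in and mac_execve_exit() releases it, but that is inferred from the names rather than shown in this diff, so confirm it against the exec implementation before writing it down. Suggested comment, trimmed to whatever the implementation actually guarantees: `/* optional exec label; NULL unless supplied through mac_execve(); set by mac_execve_enter(), released by mac_execve_exit() */`.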
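Review bot: The new `mac_execve` prototype in the -84 hunk breaks the naming convention of the surrounding userland declarations: `mac_free(mac_t _label)`, `mac_from_text(mac_t *_label, const char *_text)` and `mac_get_fd(int _fd, mac_t _label)` all use underscore-prefixed parameter names, while the new line mixes `fname`, `argv`, `envv` with `_label`. Consistent form: `int mac_execve(char *_fname, char **_argv, char **_envv, mac_t _label);`. It is also worth checking whether `_fname` can be `const char *`, as `_text` is in mac_from_text(), if the implementation only reads the path; I cannot tell from this diff.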
@@ -216,9 +218,14 @@ void mac_update_ipq(struct mbuf *fragment, struct ipq *ipq);
 * Labeling event operations: processes.
 */
 void mac_create_cred(struct ucred *cred_parent, struct ucred *cred_child);
+int mac_execve_enter(struct image_params *imgp, struct mac *mac_p,
+ struct label *execlabel);
+void mac_execve_exit(struct image_params *imgp);
 void mac_execve_transition(struct ucred *old, struct ucred *new,
- struct vnode *vp);
-int mac_execve_will_transition(struct ucred *old, struct vnode *vp);
+ struct vnode *vp, struct label *interpvnodelabel,
+ struct image_params *imgp);
+int mac_execve_will_transition(struct ucred *old, struct vnode *vp,
+ struct label *interpvnodelabel, struct image_params *imgp);
 void mac_create_proc0(struct ucred *cred);
 void mac_create_proc1(struct ucred *cred);
 void mac_thread_userret(struct thread *td);
@@ -269,7 +276,8 @@ int mac_check_vnode_delete(struct ucred *cred, struct vnode *dvp,
 struct vnode *vp, struct componentname *cnp);
 int mac_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
 acl_type_t type);
-int mac_check_vnode_exec(struct ucred *cred, struct vnode *vp);
+int mac_check_vnode_exec(struct ucred *cred, struct vnode *vp,
+ struct image_params *imgp);
 int mac_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
 acl_type_t type);
 int mac_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
diff --git a/sys/sys/mac_policy.h b/sys/sys/mac_policy.h
index fff7845..9bed8ff 100644
--- a/sys/sys/mac_policy.h
+++ b/sys/sys/mac_policy.h
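Review bot: The new `interpvnodelabel` argument to mac_execve_transition() and mac_execve_will_transition() comes with no statement of whether it may be NULL; an image without an interpreter has no interpreter vnode, so presumably it is NULL in that case and every policy implementing the matching hooks must tolerate that — confirm against the caller. A one-line comment above the prototypes, `/* interpvnodelabel is NULL when the image has no interpreter; imgp is the exec in progress */`, would pin the contract at the interface rather than leaving each policy to discover it. The same applies to the mpo_execve_transition/mpo_execve_will_transition hooks in the mac_policy.h -242 hunk, where the framework documentation should say the same thing. Likewise `mac_execve_enter()`/`mac_execve_exit()` read as a bracketing pair; a comment stating that exit must follow every successful enter on all return paths would make the ownership of the exec label explicit.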
@@ -242,9 +242,13 @@ struct mac_policy_ops {
 void (*mpo_create_cred)(struct ucred *parent_cred,
 struct ucred *child_cred);
 void (*mpo_execve_transition)(struct ucred *old, struct ucred *new,
- struct vnode *vp, struct label *vnodelabel);
+ struct vnode *vp, struct label *vnodelabel,
+ struct label *interpvnodelabel,
+ struct image_params *imgp);
 int (*mpo_execve_will_transition)(struct ucred *old,
- struct vnode *vp, struct label *vnodelabel);
+ struct vnode *vp, struct label *vnodelabel,
+ struct label *interpvnodelabel,
+ struct image_params *imgp);
 void (*mpo_create_proc0)(struct ucred *cred);
 void (*mpo_create_proc1)(struct ucred *cred);
 void (*mpo_relabel_cred)(struct ucred *cred,
@@ -338,7 +342,7 @@ struct mac_policy_ops {
 int (*mpo_check_vnode_deleteacl)(struct ucred *cred,
 struct vnode *vp, struct label *label, acl_type_t type);
 int (*mpo_check_vnode_exec)(struct ucred *cred, struct vnode *vp,
- struct label *label);
+ struct label *label, struct image_params *imgp);
 int (*mpo_check_vnode_getacl)(struct ucred *cred, struct vnode *vp,
 struct label *label, acl_type_t type);
 int (*mpo_check_vnode_getextattr)(struct ucred *cred,
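Review bot: mpo_execve_transition and mpo_execve_will_transition (the -242 hunk) and mpo_check_vnode_exec (the -338 hunk) change signature inside struct mac_policy_ops, a function-pointer table that policy modules fill in at registration; a mismatch between the kernel's and a module's view of these prototypes is not caught at link or load time, so a module built against the other version would silently run its exec hooks with a stale view of the arguments. If the framework keys policy registration on an interface version constant, this change warrants bumping it; no such bump appears in the hunks shown, though it may live in a part of the header outside this diff. Independently, the hook descriptions should state that `interpvnodelabel` may be NULL (presumably when the image has no interpreter — confirm against the caller) and what `imgp` exposes to the policy, since a check hook that now receives the exec-time label needs to know that it may be user-supplied.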