Diffstat (limited to 'sys')
-rw-r--r-- | sys/kern/kern_exit.c | 5 | ||||
-rw-r--r-- | sys/kern/kern_fork.c | 5 | ||||
-rw-r--r-- | sys/kern/kern_mac.c | 26 | ||||
-rw-r--r-- | sys/security/mac/mac_framework.c | 26 | ||||
-rw-r--r-- | sys/security/mac/mac_framework.h | 2 | ||||
-rw-r--r-- | sys/security/mac/mac_internal.h | 26 | ||||
-rw-r--r-- | sys/security/mac/mac_net.c | 26 | ||||
-rw-r--r-- | sys/security/mac/mac_pipe.c | 26 | ||||
-rw-r--r-- | sys/security/mac/mac_policy.h | 2 | ||||
-rw-r--r-- | sys/security/mac/mac_process.c | 26 | ||||
-rw-r--r-- | sys/security/mac/mac_syscalls.c | 26 | ||||
-rw-r--r-- | sys/security/mac/mac_system.c | 26 | ||||
-rw-r--r-- | sys/security/mac/mac_vfs.c | 26 | ||||
-rw-r--r-- | sys/sys/mac.h | 2 | ||||
-rw-r--r-- | sys/sys/mac_policy.h | 2 | ||||
-rw-r--r-- | sys/sys/proc.h | 2 |
16 files changed, 245 insertions, 9 deletions
diff --git a/sys/kern/kern_exit.c b/sys/kern/kern_exit.c index 68bebfc..6f745a0 100644 --- a/sys/kern/kern_exit.c +++ b/sys/kern/kern_exit.c @@ -41,6 +41,7 @@ #include "opt_compat.h" #include "opt_ktrace.h" +#include "opt_mac.h" #include <sys/param.h> #include <sys/systm.h> @@ -62,6 +63,7 @@ #include <sys/ptrace.h> #include <sys/acct.h> /* for acct_process() function prototype */ #include <sys/filedesc.h> +#include <sys/mac.h> #include <sys/shm.h> #include <sys/sem.h> #include <sys/jail.h> @@ -739,6 +741,9 @@ loop: */ vm_waitproc(p); mtx_destroy(&p->p_mtx); +#ifdef MAC + mac_destroy_proc(p); +#endif KASSERT(FIRST_THREAD_IN_PROC(p), ("wait1: no residual thread!")); uma_zfree(proc_zone, p); diff --git a/sys/kern/kern_fork.c b/sys/kern/kern_fork.c index 14695fb..caefeff 100644 --- a/sys/kern/kern_fork.c +++ b/sys/kern/kern_fork.c @@ -40,6 +40,7 @@ */ #include "opt_ktrace.h" +#include "opt_mac.h" #include <sys/param.h> #include <sys/systm.h> @@ -57,6 +58,7 @@ #include <sys/syscall.h> #include <sys/vnode.h> #include <sys/acct.h> +#include <sys/mac.h> #include <sys/ktr.h> #include <sys/ktrace.h> #include <sys/kthread.h> @@ -305,6 +307,9 @@ fork1(td, flags, pages, procp) /* Allocate new proc. */ newproc = uma_zalloc(proc_zone, M_WAITOK); +#ifdef MAC + mac_init_proc(newproc); +#endif /* * Although process entries are dynamically created, we still keep diff --git a/sys/kern/kern_mac.c b/sys/kern/kern_mac.c index bf6c999..f9eb44e 100644 --- a/sys/kern/kern_mac.c +++ b/sys/kern/kern_mac.c @@ -185,7 +185,7 @@ SYSCTL_NODE(_security_mac_debug, OID_AUTO, counters, CTLFLAG_RW, 0, static unsigned int nmacmbufs, nmaccreds, nmacifnets, nmacbpfdescs, nmacsockets, nmacmounts, nmactemp, nmacvnodes, nmacdevfsdirents, - nmacipqs, nmacpipes; + nmacipqs, nmacpipes, nmacprocs; SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, mbufs, CTLFLAG_RD, &nmacmbufs, 0, "number of mbufs in use"); 
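Review bot: In the kern_exit.c hunk at @@ -739, mac_destroy_proc(p) is placed after mtx_destroy(&p->p_mtx), so every policy's destroy_proc_label hook runs with the proc lock already gone and must not try to lock p; nothing in the hunk records that constraint for policy authors. A one-line comment above the new block would, e.g. `/* p_mtx is already destroyed: label hooks must not lock p. */`. The enclosing wait1 body begins and ends outside the hunk.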
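Review bot: In the kern_fork.c hunk at @@ -305, mac_init_proc(newproc) runs immediately after uma_zalloc, but fork1's failure path (the `fail:` label that frees newproc with uma_zfree, not in this hunk) presumably does not call mac_destroy_proc, so a fork rejected by the maxproc check that the visible comment introduces would leak whatever the policies' init_proc_label hooks allocated and, under MAC_DEBUG, leave nmacprocs permanently high. Either defer the mac_init_proc call until after the last `goto fail`, or add `mac_destroy_proc(newproc);` under `#ifdef MAC` just before that uma_zfree. Nothing in the hunk derives the child's p_label from the parent; if that is intentionally left to a later change, a comment saying so would stop readers from looking for it. fork1 continues past the end of the hunk.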
@@ -201,6 +201,8 @@ SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, sockets, CTLFLAG_RD, &nmacsockets, 0, "number of sockets in use"); SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, pipes, CTLFLAG_RD, &nmacpipes, 0, "number of pipes in use"); +SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, procs, CTLFLAG_RD, + &nmacprocs, 0, "number of procs in use"); SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, mounts, CTLFLAG_RD, &nmacmounts, 0, "number of mounts in use"); SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, temp, CTLFLAG_RD, @@ -762,6 +764,17 @@ mac_init_pipe(struct pipe *pipe) mac_init_pipe_label(label); } +void +mac_init_proc(struct proc *p) +{ + + mac_init_label(&p->p_label); + MAC_PERFORM(init_proc_label, &p->p_label); +#ifdef MAC_DEBUG + atomic_add_int(&nmacprocs, 1); +#endif +} + static int mac_init_socket_label(struct label *label, int flag) { @@ -945,6 +958,17 @@ mac_destroy_pipe(struct pipe *pipe) free(pipe->pipe_label, M_MACPIPELABEL); } +void +mac_destroy_proc(struct proc *p) +{ + + MAC_PERFORM(destroy_proc_label, &p->p_label); + mac_destroy_label(&p->p_label); +#ifdef MAC_DEBUG + atomic_subtract_int(&nmacprocs, 1); +#endif +} + static void mac_destroy_socket_label(struct label *label) { diff --git a/sys/security/mac/mac_framework.c b/sys/security/mac/mac_framework.c index bf6c999..f9eb44e 100644 --- a/sys/security/mac/mac_framework.c +++ b/sys/security/mac/mac_framework.c @@ -185,7 +185,7 @@ SYSCTL_NODE(_security_mac_debug, OID_AUTO, counters, CTLFLAG_RW, 0, static unsigned int nmacmbufs, nmaccreds, nmacifnets, nmacbpfdescs, nmacsockets, nmacmounts, nmactemp, nmacvnodes, nmacdevfsdirents, - nmacipqs, nmacpipes; + nmacipqs, nmacpipes, nmacprocs; SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, mbufs, CTLFLAG_RD, &nmacmbufs, 0, "number of mbufs in use"); 
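Review bot: The new mac_init_proc/mac_destroy_proc pair in the kern_mac.c hunks at @@ -762 and @@ -945 is undocumented, and unlike the neighbouring pipe code, which frees a separately allocated label (`free(pipe->pipe_label, M_MACPIPELABEL)`), it works on a label embedded in struct proc via `&p->p_label`, so there is no allocation to free and the label's lifetime is tied to the proc itself; that contract deserves a header comment on each function, e.g. `/* Initialize the label embedded in struct proc; torn down by mac_destroy_proc(). */`. Note also that the sections for sys/security/mac/mac_framework.c, mac_internal.h, mac_net.c, mac_pipe.c, mac_process.c, mac_syscalls.c, mac_system.c and mac_vfs.c repeat these kern_mac.c hunks verbatim with the same blob index bf6c999..f9eb44e, which looks like a path-history rendering artifact rather than eight independent changes, so only this copy is reviewed.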
@@ -201,6 +201,8 @@ SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, sockets, CTLFLAG_RD, &nmacsockets, 0, "number of sockets in use"); SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, pipes, CTLFLAG_RD, &nmacpipes, 0, "number of pipes in use"); +SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, procs, CTLFLAG_RD, + &nmacprocs, 0, "number of procs in use"); SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, mounts, CTLFLAG_RD, &nmacmounts, 0, "number of mounts in use"); SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, temp, CTLFLAG_RD, @@ -762,6 +764,17 @@ mac_init_pipe(struct pipe *pipe) mac_init_pipe_label(label); } +void +mac_init_proc(struct proc *p) +{ + + mac_init_label(&p->p_label); + MAC_PERFORM(init_proc_label, &p->p_label); +#ifdef MAC_DEBUG + atomic_add_int(&nmacprocs, 1); +#endif +} + static int mac_init_socket_label(struct label *label, int flag) { @@ -945,6 +958,17 @@ mac_destroy_pipe(struct pipe *pipe) free(pipe->pipe_label, M_MACPIPELABEL); } +void +mac_destroy_proc(struct proc *p) +{ + + MAC_PERFORM(destroy_proc_label, &p->p_label); + mac_destroy_label(&p->p_label); +#ifdef MAC_DEBUG + atomic_subtract_int(&nmacprocs, 1); +#endif +} + static void mac_destroy_socket_label(struct label *label) { diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h index 3e7e6bb..89c6efc 100644 --- a/sys/security/mac/mac_framework.h +++ b/sys/security/mac/mac_framework.h @@ -146,6 +146,7 @@ int mac_init_socket(struct socket *, int flag); void mac_init_pipe(struct pipe *); int mac_init_mbuf(struct mbuf *m, int flag); void mac_init_mount(struct mount *); +void mac_init_proc(struct proc *); void mac_init_vnode(struct vnode *); void mac_init_vnode_label(struct label *); void mac_copy_vnode_label(struct label *, struct label *label); 
@@ -156,6 +157,7 @@ void mac_destroy_ifnet(struct ifnet *); void mac_destroy_ipq(struct ipq *); void mac_destroy_socket(struct socket *); void mac_destroy_pipe(struct pipe *); +void mac_destroy_proc(struct proc *); void mac_destroy_mbuf(struct mbuf *); void mac_destroy_mount(struct mount *); void mac_destroy_vnode(struct vnode *); diff --git a/sys/security/mac/mac_internal.h b/sys/security/mac/mac_internal.h index bf6c999..f9eb44e 100644 --- a/sys/security/mac/mac_internal.h +++ b/sys/security/mac/mac_internal.h @@ -185,7 +185,7 @@ SYSCTL_NODE(_security_mac_debug, OID_AUTO, counters, CTLFLAG_RW, 0, static unsigned int nmacmbufs, nmaccreds, nmacifnets, nmacbpfdescs, nmacsockets, nmacmounts, nmactemp, nmacvnodes, nmacdevfsdirents, - nmacipqs, nmacpipes; + nmacipqs, nmacpipes, nmacprocs; SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, mbufs, CTLFLAG_RD, &nmacmbufs, 0, "number of mbufs in use"); @@ -201,6 +201,8 @@ SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, sockets, CTLFLAG_RD, &nmacsockets, 0, "number of sockets in use"); SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, pipes, CTLFLAG_RD, &nmacpipes, 0, "number of pipes in use"); +SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, procs, CTLFLAG_RD, + &nmacprocs, 0, "number of procs in use"); SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, mounts, CTLFLAG_RD, &nmacmounts, 0, "number of mounts in use"); SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, temp, CTLFLAG_RD, @@ -762,6 +764,17 @@ mac_init_pipe(struct pipe *pipe) mac_init_pipe_label(label); } +void +mac_init_proc(struct proc *p) +{ + + mac_init_label(&p->p_label); + MAC_PERFORM(init_proc_label, &p->p_label); +#ifdef MAC_DEBUG + atomic_add_int(&nmacprocs, 1); +#endif +} + static int mac_init_socket_label(struct label *label, int flag) { 
@@ -945,6 +958,17 @@ mac_destroy_pipe(struct pipe *pipe) free(pipe->pipe_label, M_MACPIPELABEL); } +void +mac_destroy_proc(struct proc *p) +{ + + MAC_PERFORM(destroy_proc_label, &p->p_label); + mac_destroy_label(&p->p_label); +#ifdef MAC_DEBUG + atomic_subtract_int(&nmacprocs, 1); +#endif +} + static void mac_destroy_socket_label(struct label *label) { diff --git a/sys/security/mac/mac_net.c b/sys/security/mac/mac_net.c index bf6c999..f9eb44e 100644 --- a/sys/security/mac/mac_net.c +++ b/sys/security/mac/mac_net.c @@ -185,7 +185,7 @@ SYSCTL_NODE(_security_mac_debug, OID_AUTO, counters, CTLFLAG_RW, 0, static unsigned int nmacmbufs, nmaccreds, nmacifnets, nmacbpfdescs, nmacsockets, nmacmounts, nmactemp, nmacvnodes, nmacdevfsdirents, - nmacipqs, nmacpipes; + nmacipqs, nmacpipes, nmacprocs; SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, mbufs, CTLFLAG_RD, &nmacmbufs, 0, "number of mbufs in use"); @@ -201,6 +201,8 @@ SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, sockets, CTLFLAG_RD, &nmacsockets, 0, "number of sockets in use"); SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, pipes, CTLFLAG_RD, &nmacpipes, 0, "number of pipes in use"); +SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, procs, CTLFLAG_RD, + &nmacprocs, 0, "number of procs in use"); SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, mounts, CTLFLAG_RD, &nmacmounts, 0, "number of mounts in use"); SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, temp, CTLFLAG_RD, @@ -762,6 +764,17 @@ mac_init_pipe(struct pipe *pipe) mac_init_pipe_label(label); } +void +mac_init_proc(struct proc *p) +{ + + mac_init_label(&p->p_label); + MAC_PERFORM(init_proc_label, &p->p_label); +#ifdef MAC_DEBUG + atomic_add_int(&nmacprocs, 1); +#endif +} + static int mac_init_socket_label(struct label *label, int flag) { 
@@ -945,6 +958,17 @@ mac_destroy_pipe(struct pipe *pipe) free(pipe->pipe_label, M_MACPIPELABEL); } +void +mac_destroy_proc(struct proc *p) +{ + + MAC_PERFORM(destroy_proc_label, &p->p_label); + mac_destroy_label(&p->p_label); +#ifdef MAC_DEBUG + atomic_subtract_int(&nmacprocs, 1); +#endif +} + static void mac_destroy_socket_label(struct label *label) { diff --git a/sys/security/mac/mac_pipe.c b/sys/security/mac/mac_pipe.c index bf6c999..f9eb44e 100644 --- a/sys/security/mac/mac_pipe.c +++ b/sys/security/mac/mac_pipe.c @@ -185,7 +185,7 @@ SYSCTL_NODE(_security_mac_debug, OID_AUTO, counters, CTLFLAG_RW, 0, static unsigned int nmacmbufs, nmaccreds, nmacifnets, nmacbpfdescs, nmacsockets, nmacmounts, nmactemp, nmacvnodes, nmacdevfsdirents, - nmacipqs, nmacpipes; + nmacipqs, nmacpipes, nmacprocs; SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, mbufs, CTLFLAG_RD, &nmacmbufs, 0, "number of mbufs in use"); @@ -201,6 +201,8 @@ SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, sockets, CTLFLAG_RD, &nmacsockets, 0, "number of sockets in use"); SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, pipes, CTLFLAG_RD, &nmacpipes, 0, "number of pipes in use"); +SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, procs, CTLFLAG_RD, + &nmacprocs, 0, "number of procs in use"); SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, mounts, CTLFLAG_RD, &nmacmounts, 0, "number of mounts in use"); SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, temp, CTLFLAG_RD, @@ -762,6 +764,17 @@ mac_init_pipe(struct pipe *pipe) mac_init_pipe_label(label); } +void +mac_init_proc(struct proc *p) +{ + + mac_init_label(&p->p_label); + MAC_PERFORM(init_proc_label, &p->p_label); +#ifdef MAC_DEBUG + atomic_add_int(&nmacprocs, 1); +#endif +} + static int mac_init_socket_label(struct label *label, int flag) { 
@@ -945,6 +958,17 @@ mac_destroy_pipe(struct pipe *pipe) free(pipe->pipe_label, M_MACPIPELABEL); } +void +mac_destroy_proc(struct proc *p) +{ + + MAC_PERFORM(destroy_proc_label, &p->p_label); + mac_destroy_label(&p->p_label); +#ifdef MAC_DEBUG + atomic_subtract_int(&nmacprocs, 1); +#endif +} + static void mac_destroy_socket_label(struct label *label) { diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h index 96fc060..454e6c6 100644 --- a/sys/security/mac/mac_policy.h +++ b/sys/security/mac/mac_policy.h @@ -80,6 +80,7 @@ struct mac_policy_ops { int (*mpo_init_socket_label)(struct label *label, int flag); int (*mpo_init_socket_peer_label)(struct label *label, int flag); void (*mpo_init_pipe_label)(struct label *label); + void (*mpo_init_proc_label)(struct label *label); void (*mpo_init_vnode_label)(struct label *label); void (*mpo_destroy_bpfdesc_label)(struct label *label); void (*mpo_destroy_cred_label)(struct label *label); @@ -92,6 +93,7 @@ struct mac_policy_ops { void (*mpo_destroy_socket_label)(struct label *label); void (*mpo_destroy_socket_peer_label)(struct label *label); void (*mpo_destroy_pipe_label)(struct label *label); + void (*mpo_destroy_proc_label)(struct label *label); void (*mpo_destroy_vnode_label)(struct label *label); void (*mpo_copy_pipe_label)(struct label *src, struct label *dest); diff --git a/sys/security/mac/mac_process.c b/sys/security/mac/mac_process.c index bf6c999..f9eb44e 100644 --- a/sys/security/mac/mac_process.c +++ b/sys/security/mac/mac_process.c @@ -185,7 +185,7 @@ SYSCTL_NODE(_security_mac_debug, OID_AUTO, counters, CTLFLAG_RW, 0, static unsigned int nmacmbufs, nmaccreds, nmacifnets, nmacbpfdescs, nmacsockets, nmacmounts, nmactemp, nmacvnodes, nmacdevfsdirents, - nmacipqs, nmacpipes; + nmacipqs, nmacpipes, nmacprocs; SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, mbufs, CTLFLAG_RD, &nmacmbufs, 0, "number of mbufs in use"); 
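Review bot: In the mac_policy.h hunks at @@ -80 and @@ -92, mpo_init_proc_label and mpo_destroy_proc_label are inserted in the middle of struct mac_policy_ops, which shifts every later member, so any policy module compiled against the previous layout would dispatch through the wrong slot; if separately built modules are supported this needs to be called out, and the framework must tolerate policies that leave the two new pointers NULL, which I assume the existing MAC_PERFORM dispatch already does for other optional entry points. A short comment on the new members would help implementers, e.g. `/* Optional; the label is embedded in struct proc, no allocation. */`. The sys/sys/mac_policy.h section later on this page is the same change at index 96fc060..454e6c6, and the prototype additions in mac_framework.h and sys/sys/mac.h at 3e7e6bb..89c6efc are likewise one change shown twice.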
@@ -201,6 +201,8 @@ SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, sockets, CTLFLAG_RD, &nmacsockets, 0, "number of sockets in use"); SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, pipes, CTLFLAG_RD, &nmacpipes, 0, "number of pipes in use"); +SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, procs, CTLFLAG_RD, + &nmacprocs, 0, "number of procs in use"); SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, mounts, CTLFLAG_RD, &nmacmounts, 0, "number of mounts in use"); SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, temp, CTLFLAG_RD, @@ -762,6 +764,17 @@ mac_init_pipe(struct pipe *pipe) mac_init_pipe_label(label); } +void +mac_init_proc(struct proc *p) +{ + + mac_init_label(&p->p_label); + MAC_PERFORM(init_proc_label, &p->p_label); +#ifdef MAC_DEBUG + atomic_add_int(&nmacprocs, 1); +#endif +} + static int mac_init_socket_label(struct label *label, int flag) { @@ -945,6 +958,17 @@ mac_destroy_pipe(struct pipe *pipe) free(pipe->pipe_label, M_MACPIPELABEL); } +void +mac_destroy_proc(struct proc *p) +{ + + MAC_PERFORM(destroy_proc_label, &p->p_label); + mac_destroy_label(&p->p_label); +#ifdef MAC_DEBUG + atomic_subtract_int(&nmacprocs, 1); +#endif +} + static void mac_destroy_socket_label(struct label *label) { diff --git a/sys/security/mac/mac_syscalls.c b/sys/security/mac/mac_syscalls.c index bf6c999..f9eb44e 100644 --- a/sys/security/mac/mac_syscalls.c +++ b/sys/security/mac/mac_syscalls.c @@ -185,7 +185,7 @@ SYSCTL_NODE(_security_mac_debug, OID_AUTO, counters, CTLFLAG_RW, 0, static unsigned int nmacmbufs, nmaccreds, nmacifnets, nmacbpfdescs, nmacsockets, nmacmounts, nmactemp, nmacvnodes, nmacdevfsdirents, - nmacipqs, nmacpipes; + nmacipqs, nmacpipes, nmacprocs; SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, mbufs, CTLFLAG_RD, &nmacmbufs, 0, "number of mbufs in use"); 
@@ -201,6 +201,8 @@ SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, sockets, CTLFLAG_RD, &nmacsockets, 0, "number of sockets in use"); SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, pipes, CTLFLAG_RD, &nmacpipes, 0, "number of pipes in use"); +SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, procs, CTLFLAG_RD, + &nmacprocs, 0, "number of procs in use"); SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, mounts, CTLFLAG_RD, &nmacmounts, 0, "number of mounts in use"); SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, temp, CTLFLAG_RD, @@ -762,6 +764,17 @@ mac_init_pipe(struct pipe *pipe) mac_init_pipe_label(label); } +void +mac_init_proc(struct proc *p) +{ + + mac_init_label(&p->p_label); + MAC_PERFORM(init_proc_label, &p->p_label); +#ifdef MAC_DEBUG + atomic_add_int(&nmacprocs, 1); +#endif +} + static int mac_init_socket_label(struct label *label, int flag) { @@ -945,6 +958,17 @@ mac_destroy_pipe(struct pipe *pipe) free(pipe->pipe_label, M_MACPIPELABEL); } +void +mac_destroy_proc(struct proc *p) +{ + + MAC_PERFORM(destroy_proc_label, &p->p_label); + mac_destroy_label(&p->p_label); +#ifdef MAC_DEBUG + atomic_subtract_int(&nmacprocs, 1); +#endif +} + static void mac_destroy_socket_label(struct label *label) { diff --git a/sys/security/mac/mac_system.c b/sys/security/mac/mac_system.c index bf6c999..f9eb44e 100644 --- a/sys/security/mac/mac_system.c +++ b/sys/security/mac/mac_system.c @@ -185,7 +185,7 @@ SYSCTL_NODE(_security_mac_debug, OID_AUTO, counters, CTLFLAG_RW, 0, static unsigned int nmacmbufs, nmaccreds, nmacifnets, nmacbpfdescs, nmacsockets, nmacmounts, nmactemp, nmacvnodes, nmacdevfsdirents, - nmacipqs, nmacpipes; + nmacipqs, nmacpipes, nmacprocs; SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, mbufs, CTLFLAG_RD, &nmacmbufs, 0, "number of mbufs in use"); 
@@ -201,6 +201,8 @@ SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, sockets, CTLFLAG_RD, &nmacsockets, 0, "number of sockets in use"); SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, pipes, CTLFLAG_RD, &nmacpipes, 0, "number of pipes in use"); +SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, procs, CTLFLAG_RD, + &nmacprocs, 0, "number of procs in use"); SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, mounts, CTLFLAG_RD, &nmacmounts, 0, "number of mounts in use"); SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, temp, CTLFLAG_RD, @@ -762,6 +764,17 @@ mac_init_pipe(struct pipe *pipe) mac_init_pipe_label(label); } +void +mac_init_proc(struct proc *p) +{ + + mac_init_label(&p->p_label); + MAC_PERFORM(init_proc_label, &p->p_label); +#ifdef MAC_DEBUG + atomic_add_int(&nmacprocs, 1); +#endif +} + static int mac_init_socket_label(struct label *label, int flag) { @@ -945,6 +958,17 @@ mac_destroy_pipe(struct pipe *pipe) free(pipe->pipe_label, M_MACPIPELABEL); } +void +mac_destroy_proc(struct proc *p) +{ + + MAC_PERFORM(destroy_proc_label, &p->p_label); + mac_destroy_label(&p->p_label); +#ifdef MAC_DEBUG + atomic_subtract_int(&nmacprocs, 1); +#endif +} + static void mac_destroy_socket_label(struct label *label) { diff --git a/sys/security/mac/mac_vfs.c b/sys/security/mac/mac_vfs.c index bf6c999..f9eb44e 100644 --- a/sys/security/mac/mac_vfs.c +++ b/sys/security/mac/mac_vfs.c @@ -185,7 +185,7 @@ SYSCTL_NODE(_security_mac_debug, OID_AUTO, counters, CTLFLAG_RW, 0, static unsigned int nmacmbufs, nmaccreds, nmacifnets, nmacbpfdescs, nmacsockets, nmacmounts, nmactemp, nmacvnodes, nmacdevfsdirents, - nmacipqs, nmacpipes; + nmacipqs, nmacpipes, nmacprocs; SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, mbufs, CTLFLAG_RD, &nmacmbufs, 0, "number of mbufs in use"); 
@@ -201,6 +201,8 @@ SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, sockets, CTLFLAG_RD, &nmacsockets, 0, "number of sockets in use"); SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, pipes, CTLFLAG_RD, &nmacpipes, 0, "number of pipes in use"); +SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, procs, CTLFLAG_RD, + &nmacprocs, 0, "number of procs in use"); SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, mounts, CTLFLAG_RD, &nmacmounts, 0, "number of mounts in use"); SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, temp, CTLFLAG_RD, @@ -762,6 +764,17 @@ mac_init_pipe(struct pipe *pipe) mac_init_pipe_label(label); } +void +mac_init_proc(struct proc *p) +{ + + mac_init_label(&p->p_label); + MAC_PERFORM(init_proc_label, &p->p_label); +#ifdef MAC_DEBUG + atomic_add_int(&nmacprocs, 1); +#endif +} + static int mac_init_socket_label(struct label *label, int flag) { @@ -945,6 +958,17 @@ mac_destroy_pipe(struct pipe *pipe) free(pipe->pipe_label, M_MACPIPELABEL); } +void +mac_destroy_proc(struct proc *p) +{ + + MAC_PERFORM(destroy_proc_label, &p->p_label); + mac_destroy_label(&p->p_label); +#ifdef MAC_DEBUG + atomic_subtract_int(&nmacprocs, 1); +#endif +} + static void mac_destroy_socket_label(struct label *label) { diff --git a/sys/sys/mac.h b/sys/sys/mac.h index 3e7e6bb..89c6efc 100644 --- a/sys/sys/mac.h +++ b/sys/sys/mac.h @@ -146,6 +146,7 @@ int mac_init_socket(struct socket *, int flag); void mac_init_pipe(struct pipe *); int mac_init_mbuf(struct mbuf *m, int flag); void mac_init_mount(struct mount *); +void mac_init_proc(struct proc *); void mac_init_vnode(struct vnode *); void mac_init_vnode_label(struct label *); void mac_copy_vnode_label(struct label *, struct label *label); 
@@ -156,6 +157,7 @@ void mac_destroy_ifnet(struct ifnet *);
 void mac_destroy_ipq(struct ipq *);
 void mac_destroy_socket(struct socket *);
 void mac_destroy_pipe(struct pipe *);
+void mac_destroy_proc(struct proc *);
 void mac_destroy_mbuf(struct mbuf *);
 void mac_destroy_mount(struct mount *);
 void mac_destroy_vnode(struct vnode *);
diff --git a/sys/sys/mac_policy.h b/sys/sys/mac_policy.h
index 96fc060..454e6c6 100644
--- a/sys/sys/mac_policy.h
+++ b/sys/sys/mac_policy.h
@@ -80,6 +80,7 @@ struct mac_policy_ops {
 int (*mpo_init_socket_label)(struct label *label, int flag);
 int (*mpo_init_socket_peer_label)(struct label *label, int flag);
 void (*mpo_init_pipe_label)(struct label *label);
+ void (*mpo_init_proc_label)(struct label *label);
 void (*mpo_init_vnode_label)(struct label *label);
 void (*mpo_destroy_bpfdesc_label)(struct label *label);
 void (*mpo_destroy_cred_label)(struct label *label);
@@ -92,6 +93,7 @@ struct mac_policy_ops {
 void (*mpo_destroy_socket_label)(struct label *label);
 void (*mpo_destroy_socket_peer_label)(struct label *label);
 void (*mpo_destroy_pipe_label)(struct label *label);
+ void (*mpo_destroy_proc_label)(struct label *label);
 void (*mpo_destroy_vnode_label)(struct label *label);
 
 void (*mpo_copy_pipe_label)(struct label *src, struct label *dest);
diff --git a/sys/sys/proc.h b/sys/sys/proc.h
index a8f392c..6a64f96 100644
--- a/sys/sys/proc.h
+++ b/sys/sys/proc.h
@@ -50,6 +50,7 @@
 #include <sys/rtprio.h> /* XXX */
 #include <sys/runq.h>
 #include <sys/signal.h>
+#include <sys/_label.h>
 #ifndef _KERNEL
 #include <sys/time.h> /* For structs itimerval, timeval. */
 #else
@@ -592,6 +593,7 @@ struct proc {
 struct proc *p_peers; /* (r) */
 struct proc *p_leader; /* (b) */
 void *p_emuldata; /* (c) Emulator state data. */
+ struct label p_label; /* process (not subject) MAC label */
 };
 
 #define p_rlimit p_limit->pl_rlimit |
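Review bot: In the proc.h hunk at @@ -592, the new `struct label p_label;` is the only member in view without a lock-class annotation; its neighbours carry `(r)`, `(b)` and `(c)`, and readers of struct proc rely on those to know which lock covers a field. State what protects the label once confirmed, e.g. `struct label p_label; /* (c) process (not subject) MAC label */` if it is constant after fork1, or the proc-lock class if a later hook may relabel a running process. Embedding the label also changes the size and layout of struct proc, so userland consumers of it presumably need a rebuild; they are not on this page.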