From 8756317538371eb8709335e44bced5be817fbeec Mon Sep 17 00:00:00 2001 From: rwatson Date: Thu, 25 Oct 2007 12:34:14 +0000 Subject: Rename mac_associate_nfsd_label() to mac_proc_associate_nfsd(), and move from mac_vfs.c to mac_process.c to join other functions that setup up process labels for specific purposes. Unlike the two proc create calls, this call is intended to run after creation when a process registers as the NFS daemon, so remains an _associate_ call.. Obtained from: TrustedBSD Project --- sys/nfsserver/nfs_srvsock.c | 2 +- sys/security/mac/mac_framework.h | 2 +- sys/security/mac/mac_policy.h | 4 ++-- sys/security/mac/mac_process.c | 16 ++++++++++++++++ sys/security/mac/mac_vfs.c | 16 ---------------- sys/security/mac_biba/mac_biba.c | 24 ++++++++++++------------ sys/security/mac_mls/mac_mls.c | 24 ++++++++++++------------ sys/security/mac_stub/mac_stub.c | 14 +++++++------- 8 files changed, 51 insertions(+), 51 deletions(-) diff --git a/sys/nfsserver/nfs_srvsock.c b/sys/nfsserver/nfs_srvsock.c index 053cffc..678191b 100644 --- a/sys/nfsserver/nfs_srvsock.c +++ b/sys/nfsserver/nfs_srvsock.c @@ -361,7 +361,7 @@ nfs_getreq(struct nfsrv_descript *nd, struct nfsd *nfsd, int has_header) nd->nd_cr->cr_groups[0] = nd->nd_cr->cr_rgid = nd->nd_cr->cr_svgid = fxdr_unsigned(gid_t, *tl++); #ifdef MAC - mac_associate_nfsd_label(nd->nd_cr); + mac_proc_associate_nfsd(nd->nd_cr); #endif len = fxdr_unsigned(int, *tl); if (len < 0 || len > RPCAUTH_UNIXGIDS) { diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h index 44ee79f..098d503 100644 --- a/sys/security/mac/mac_framework.h +++ b/sys/security/mac/mac_framework.h @@ -224,6 +224,7 @@ int mac_vnode_execve_will_transition(struct ucred *cred, struct image_params *imgp); void mac_proc_create_swapper(struct ucred *cred); void mac_proc_create_init(struct ucred *cred); +void mac_proc_associate_nfsd(struct ucred *cred); void mac_thread_userret(struct thread *td); /* 
@@ -414,7 +415,6 @@ int mac_setsockopt_label(struct ucred *cred, struct socket *so, int mac_pipe_label_set(struct ucred *cred, struct pipepair *pp, struct label *label); void mac_cred_mmapped_drop_perms(struct thread *td, struct ucred *cred); -void mac_associate_nfsd_label(struct ucred *cred); int mac_priv_check(struct ucred *cred, int priv); int mac_priv_grant(struct ucred *cred, int priv); diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h index 2ff8c83..a4eff3d 100644 --- a/sys/security/mac/mac_policy.h +++ b/sys/security/mac/mac_policy.h @@ -607,7 +607,7 @@ typedef int (*mpo_vnode_check_unlink_t)(struct ucred *cred, typedef int (*mpo_vnode_check_write_t)(struct ucred *active_cred, struct ucred *file_cred, struct vnode *vp, struct label *vplabel); -typedef void (*mpo_associate_nfsd_label_t)(struct ucred *cred); +typedef void (*mpo_proc_associate_nfsd_t)(struct ucred *cred); typedef int (*mpo_priv_check_t)(struct ucred *cred, int priv); typedef int (*mpo_priv_grant_t)(struct ucred *cred, int priv); @@ -765,6 +765,7 @@ struct mac_policy_ops { mpo_vnode_execve_will_transition_t mpo_vnode_execve_will_transition; mpo_proc_create_swapper_t mpo_proc_create_swapper; mpo_proc_create_init_t mpo_proc_create_init; + mpo_proc_associate_nfsd_t mpo_proc_associate_nfsd; mpo_cred_relabel_t mpo_cred_relabel; mpo_placeholder_t _mpo_placeholder6; mpo_thread_userret_t mpo_thread_userret; @@ -898,7 +899,6 @@ struct mac_policy_ops { mpo_vnode_check_stat_t mpo_vnode_check_stat; mpo_vnode_check_unlink_t mpo_vnode_check_unlink; mpo_vnode_check_write_t mpo_vnode_check_write; - mpo_associate_nfsd_label_t mpo_associate_nfsd_label; mpo_mbuf_create_from_firewall_t mpo_mbuf_create_from_firewall; mpo_init_syncache_label_t mpo_init_syncache_label; mpo_destroy_syncache_label_t mpo_destroy_syncache_label; diff --git a/sys/security/mac/mac_process.c b/sys/security/mac/mac_process.c index c6c5cd8..6ed6d91 100644 --- a/sys/security/mac/mac_process.c 
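Review bot: Inserting `mpo_proc_associate_nfsd_t mpo_proc_associate_nfsd;` between `mpo_proc_create_init` and `mpo_cred_relabel` in `struct mac_policy_ops`, while the old `mpo_associate_nfsd_label` slot is removed much further down, shifts the offset of every member between those two points, so a MAC policy module built against the previous header would have its function pointers for all of those slots read from the wrong position and hooks would be silently dispatched to the wrong handler. In-tree policies are unaffected because they fill the table with designated initializers, as the biba, mls and stub hunks show, but any out-of-tree module loaded without a rebuild is not. If the framework carries a policy ABI version constant it should be bumped in the same commit; alternatively the new slot could take the `_mpo_placeholder6` position immediately below, which appears to exist for exactly this kind of addition. Either way the commit message should state that the policy ops layout changed. The struct definition itself starts and ends outside the hunk.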
+++ b/sys/security/mac/mac_process.c @@ -192,6 +192,22 @@ mac_proc_create_init(struct ucred *cred) MAC_PERFORM(proc_create_init, cred); } +/* + * When a thread becomes an NFS server daemon, its credential may need to be + * updated to reflect this so that policies can recognize when file system + * operations originate from the network. + * + * At some point, it would be desirable if the credential used for each NFS + * RPC could be set based on the RPC context (i.e., source system, etc) to + * provide more fine-grained access control. + */ +void +mac_proc_associate_nfsd(struct ucred *cred) +{ + + MAC_PERFORM(proc_associate_nfsd, cred); +} + void mac_thread_userret(struct thread *td) { diff --git a/sys/security/mac/mac_vfs.c b/sys/security/mac/mac_vfs.c index 85af045..0f0fb9c 100644 --- a/sys/security/mac/mac_vfs.c +++ b/sys/security/mac/mac_vfs.c @@ -876,19 +876,3 @@ vn_setlabel(struct vnode *vp, struct label *intlabel, struct ucred *cred) return (0); } - -/* - * When a thread becomes an NFS server daemon, its credential may need to be - * updated to reflect this so that policies can recognize when file system - * operations originate from the network. - * - * At some point, it would be desirable if the credential used for each NFS - * RPC could be set based on the RPC context (i.e., source system, etc) to - * provide more fine-grained access control. - */ -void -mac_associate_nfsd_label(struct ucred *cred) -{ - - MAC_PERFORM(associate_nfsd_label, cred); -} diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c index 80c81ec..d0207bb 100644 --- a/sys/security/mac_biba/mac_biba.c +++ b/sys/security/mac_biba/mac_biba.c 
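Review bot: The new header comment on `mac_proc_associate_nfsd` says the hook fires "when a thread becomes an NFS server daemon", and the commit message likewise describes it as running when a process registers as nfsd, but the only caller visible in this patch, `nfs_getreq()` in nfs_srvsock.c, invokes it per request on `nd->nd_cr` immediately after that credential's uid/gid have been filled in from the AUTH_UNIX header of the incoming RPC. That distinction matters to anyone reasoning about the policies: the label marks a credential whose identity came off the wire, not the daemon's own process credential. I would reword the first paragraph along the lines of `Relabel a credential as network-originated. The NFS server calls this on the per-RPC credential (nd->nd_cr) after its uid/gid have been taken from the request, so policies can distinguish these from credentials of local processes.` and have the second paragraph first state what happens today (every RPC credential receives the same policy-chosen label regardless of source) before noting that per-RPC-context labeling would be desirable. If there are other callers outside this patch that do run at daemon registration time, the comment should name both cases; `mac_thread_userret`, which begins on the hunk's last lines, continues outside the hunk.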
@@ -1410,6 +1410,17 @@ biba_proc_create_init(struct ucred *cred) } static void +biba_proc_associate_nfsd(struct ucred *cred) +{ + struct mac_biba *label; + + label = SLOT(cred->cr_label); + biba_set_effective(label, MAC_BIBA_TYPE_LOW, 0, NULL); + biba_set_range(label, MAC_BIBA_TYPE_LOW, 0, NULL, MAC_BIBA_TYPE_HIGH, + 0, NULL); +} + +static void biba_cred_relabel(struct ucred *cred, struct label *newlabel) { struct mac_biba *source, *dest; @@ -3200,17 +3211,6 @@ biba_vnode_check_write(struct ucred *active_cred, } static void -biba_associate_nfsd_label(struct ucred *cred) -{ - struct mac_biba *label; - - label = SLOT(cred->cr_label); - biba_set_effective(label, MAC_BIBA_TYPE_LOW, 0, NULL); - biba_set_range(label, MAC_BIBA_TYPE_LOW, 0, NULL, MAC_BIBA_TYPE_HIGH, - 0, NULL); -} - -static void biba_init_syncache_from_inpcb(struct label *label, struct inpcb *inp) { struct mac_biba *source, *dest; @@ -3331,6 +3331,7 @@ static struct mac_policy_ops mac_biba_ops = .mpo_inpcb_sosetlabel = biba_inpcb_sosetlabel, .mpo_proc_create_swapper = biba_proc_create_swapper, .mpo_proc_create_init = biba_proc_create_init, + .mpo_proc_associate_nfsd = biba_proc_associate_nfsd, .mpo_cred_relabel = biba_cred_relabel, .mpo_sysvmsg_cleanup = biba_sysvmsg_cleanup, .mpo_sysvmsq_cleanup = biba_sysvmsq_cleanup, @@ -3411,7 +3412,6 @@ static struct mac_policy_ops mac_biba_ops = .mpo_vnode_check_stat = biba_vnode_check_stat, .mpo_vnode_check_unlink = biba_vnode_check_unlink, .mpo_vnode_check_write = biba_vnode_check_write, - .mpo_associate_nfsd_label = biba_associate_nfsd_label, .mpo_mbuf_create_from_firewall = biba_mbuf_create_from_firewall, .mpo_priv_check = biba_priv_check, }; diff --git a/sys/security/mac_mls/mac_mls.c b/sys/security/mac_mls/mac_mls.c index cfca2af..5bb5394 100644 --- a/sys/security/mac_mls/mac_mls.c +++ b/sys/security/mac_mls/mac_mls.c 
@@ -1355,6 +1355,17 @@ mls_proc_create_init(struct ucred *cred) } static void +mls_proc_associate_nfsd(struct ucred *cred) +{ + struct mac_mls *label; + + label = SLOT(cred->cr_label); + mls_set_effective(label, MAC_MLS_TYPE_LOW, 0, NULL); + mls_set_range(label, MAC_MLS_TYPE_LOW, 0, NULL, MAC_MLS_TYPE_HIGH, 0, + NULL); +} + +static void mls_cred_relabel(struct ucred *cred, struct label *newlabel) { struct mac_mls *source, *dest; @@ -2847,17 +2858,6 @@ mls_vnode_check_write(struct ucred *active_cred, struct ucred *file_cred, return (0); } -static void -mls_associate_nfsd_label(struct ucred *cred) -{ - struct mac_mls *label; - - label = SLOT(cred->cr_label); - mls_set_effective(label, MAC_MLS_TYPE_LOW, 0, NULL); - mls_set_range(label, MAC_MLS_TYPE_LOW, 0, NULL, MAC_MLS_TYPE_HIGH, 0, - NULL); -} - static struct mac_policy_ops mls_ops = { .mpo_init = mls_init, @@ -2958,6 +2958,7 @@ static struct mac_policy_ops mls_ops = .mpo_inpcb_sosetlabel = mls_inpcb_sosetlabel, .mpo_proc_create_swapper = mls_proc_create_swapper, .mpo_proc_create_init = mls_proc_create_init, + .mpo_proc_associate_nfsd = mls_proc_associate_nfsd, .mpo_cred_relabel = mls_cred_relabel, .mpo_sysvmsg_cleanup = mls_sysvmsg_cleanup, .mpo_sysvmsq_cleanup = mls_sysvmsq_cleanup, @@ -3034,7 +3035,6 @@ static struct mac_policy_ops mls_ops = .mpo_vnode_check_stat = mls_vnode_check_stat, .mpo_vnode_check_unlink = mls_vnode_check_unlink, .mpo_vnode_check_write = mls_vnode_check_write, - .mpo_associate_nfsd_label = mls_associate_nfsd_label, .mpo_mbuf_create_from_firewall = mls_mbuf_create_from_firewall, }; diff --git a/sys/security/mac_stub/mac_stub.c b/sys/security/mac_stub/mac_stub.c index 40b4e6c..138a099 100644 --- a/sys/security/mac_stub/mac_stub.c +++ b/sys/security/mac_stub/mac_stub.c 
@@ -186,12 +186,6 @@ stub_vnode_associate_singlelabel(struct mount *mp, struct label *mplabel, } static void -stub_associate_nfsd_label(struct ucred *cred) -{ - -} - -static void stub_devfs_create_device(struct ucred *cred, struct mount *mp, struct cdev *dev, struct devfs_dirent *de, struct label *delabel) { @@ -526,6 +520,12 @@ stub_proc_create_init(struct ucred *cred) } static void +stub_proc_associate_nfsd(struct ucred *cred) +{ + +} + +static void stub_cred_relabel(struct ucred *cred, struct label *newlabel) { @@ -1492,7 +1492,6 @@ static struct mac_policy_ops stub_ops = .mpo_vnode_internalize_label = stub_internalize_label, .mpo_devfs_vnode_associate = stub_devfs_vnode_associate, .mpo_vnode_associate_extattr = stub_vnode_associate_extattr, - .mpo_associate_nfsd_label = stub_associate_nfsd_label, .mpo_vnode_associate_singlelabel = stub_vnode_associate_singlelabel, .mpo_devfs_create_device = stub_devfs_create_device, .mpo_devfs_create_directory = stub_devfs_create_directory, @@ -1538,6 +1537,7 @@ static struct mac_policy_ops stub_ops = .mpo_vnode_execve_will_transition = stub_vnode_execve_will_transition, .mpo_proc_create_swapper = stub_proc_create_swapper, .mpo_proc_create_init = stub_proc_create_init, + .mpo_proc_associate_nfsd = stub_proc_associate_nfsd, .mpo_cred_relabel= stub_cred_relabel, .mpo_thread_userret = stub_thread_userret, .mpo_sysvmsg_cleanup = stub_sysvmsg_cleanup, -- cgit v1.1