From 95c4afbed0766fa2e0e178afbc7d5beb07b7d2da Mon Sep 17 00:00:00 2001
From: rwatson
Date: Fri, 8 Nov 2002 18:04:00 +0000
Subject: Add an explicit execlabel argument to exec-related MAC policy entry points, rather than relying on policies to grub around in the image activator instance structure.
Approved by: re
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
---
 sys/kern/kern_mac.c | 7 ++++---
 sys/security/mac/mac_framework.c | 7 ++++---
 sys/security/mac/mac_internal.h | 7 ++++---
 sys/security/mac/mac_net.c | 7 ++++---
 sys/security/mac/mac_pipe.c | 7 ++++---
 sys/security/mac/mac_policy.h | 7 ++++---
 sys/security/mac/mac_process.c | 7 ++++---
 sys/security/mac/mac_syscalls.c | 7 ++++---
 sys/security/mac/mac_system.c | 7 ++++---
 sys/security/mac/mac_vfs.c | 7 ++++---
 sys/sys/mac_policy.h | 7 ++++---
 11 files changed, 44 insertions(+), 33 deletions(-)
diff --git a/sys/kern/kern_mac.c b/sys/kern/kern_mac.c
index 9f76f05..69fa5ad 100644
--- a/sys/kern/kern_mac.c
+++ b/sys/kern/kern_mac.c
@@ -1307,7 +1307,7 @@ mac_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp,
 return;
 MAC_PERFORM(execve_transition, old, new, vp, &vp->v_label,
- interpvnodelabel, imgp);
+ interpvnodelabel, imgp, imgp->execlabel);
 }
 int
@@ -1323,7 +1323,7 @@ mac_execve_will_transition(struct ucred *old, struct vnode *vp,
 result = 0;
 MAC_BOOLEAN(execve_will_transition, ||, old, vp, &vp->v_label,
- interpvnodelabel, imgp);
+ interpvnodelabel, imgp, imgp->execlabel);
 return (result);
 }
@@ -1428,7 +1428,8 @@ mac_check_vnode_exec(struct ucred *cred, struct vnode *vp,
 if (!mac_enforce_process && !mac_enforce_fs)
 return (0);
- MAC_CHECK(check_vnode_exec, cred, vp, &vp->v_label, imgp);
+ MAC_CHECK(check_vnode_exec, cred, vp, &vp->v_label, imgp,
+ imgp->execlabel);
 return (error);
 }
diff --git a/sys/security/mac/mac_framework.c b/sys/security/mac/mac_framework.c
index 9f76f05..69fa5ad 100644
--- a/sys/security/mac/mac_framework.c
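Review bot: The new `imgp->execlabel` argument to `MAC_CHECK(check_vnode_exec, …)` is handed to every registered policy, but nothing in this hunk, or in the two above it in kern_mac.c, shows where `execlabel` is initialised or whether it can be NULL when the exec request carried no label, so the contract is worth stating at the call site, e.g. `/* execlabel may be NULL when no label was requested: TODO confirm against the image activator */`. Of the three entry points touched here only the check path returns an error, so a policy that honours execlabel in mpo_execve_transition but ignores it in mpo_check_vnode_exec would apply a requested label without having authorised it; if the label is derived from the exec request rather than from the vnode, the framework documentation should say that the check is where it is expected to be validated. The enclosing functions mac_execve_transition, mac_execve_will_transition and mac_check_vnode_exec all begin outside their hunks. The same three hunks, with the identical index line 9f76f05..69fa5ad, are repeated under sys/security/mac/mac_framework.c, mac_internal.h, mac_net.c, mac_pipe.c, mac_process.c, mac_syscalls.c, mac_system.c and mac_vfs.c, which looks like a rendering duplication of the kern_mac.c section rather than nine independent changes, so they are not reviewed separately.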
+++ b/sys/security/mac/mac_framework.c
@@ -1307,7 +1307,7 @@ mac_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp,
 return;
 MAC_PERFORM(execve_transition, old, new, vp, &vp->v_label,
- interpvnodelabel, imgp);
+ interpvnodelabel, imgp, imgp->execlabel);
 }
 int
@@ -1323,7 +1323,7 @@ mac_execve_will_transition(struct ucred *old, struct vnode *vp,
 result = 0;
 MAC_BOOLEAN(execve_will_transition, ||, old, vp, &vp->v_label,
- interpvnodelabel, imgp);
+ interpvnodelabel, imgp, imgp->execlabel);
 return (result);
 }
@@ -1428,7 +1428,8 @@ mac_check_vnode_exec(struct ucred *cred, struct vnode *vp,
 if (!mac_enforce_process && !mac_enforce_fs)
 return (0);
- MAC_CHECK(check_vnode_exec, cred, vp, &vp->v_label, imgp);
+ MAC_CHECK(check_vnode_exec, cred, vp, &vp->v_label, imgp,
+ imgp->execlabel);
 return (error);
 }
diff --git a/sys/security/mac/mac_internal.h b/sys/security/mac/mac_internal.h
index 9f76f05..69fa5ad 100644
--- a/sys/security/mac/mac_internal.h
+++ b/sys/security/mac/mac_internal.h
@@ -1307,7 +1307,7 @@ mac_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp,
 return;
 MAC_PERFORM(execve_transition, old, new, vp, &vp->v_label,
- interpvnodelabel, imgp);
+ interpvnodelabel, imgp, imgp->execlabel);
 }
 int
@@ -1323,7 +1323,7 @@ mac_execve_will_transition(struct ucred *old, struct vnode *vp,
 result = 0;
 MAC_BOOLEAN(execve_will_transition, ||, old, vp, &vp->v_label,
- interpvnodelabel, imgp);
+ interpvnodelabel, imgp, imgp->execlabel);
 return (result);
 }
@@ -1428,7 +1428,8 @@ mac_check_vnode_exec(struct ucred *cred, struct vnode *vp,
 if (!mac_enforce_process && !mac_enforce_fs)
 return (0);
- MAC_CHECK(check_vnode_exec, cred, vp, &vp->v_label, imgp);
+ MAC_CHECK(check_vnode_exec, cred, vp, &vp->v_label, imgp,
+ imgp->execlabel);
 return (error);
 }
diff --git a/sys/security/mac/mac_net.c b/sys/security/mac/mac_net.c
index 9f76f05..69fa5ad 100644
--- a/sys/security/mac/mac_net.c
+++ b/sys/security/mac/mac_net.c
@@ -1307,7 +1307,7 @@ mac_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp,
 return;
 MAC_PERFORM(execve_transition, old, new, vp, &vp->v_label,
- interpvnodelabel, imgp);
+ interpvnodelabel, imgp, imgp->execlabel);
 }
 int
@@ -1323,7 +1323,7 @@ mac_execve_will_transition(struct ucred *old, struct vnode *vp,
 result = 0;
 MAC_BOOLEAN(execve_will_transition, ||, old, vp, &vp->v_label,
- interpvnodelabel, imgp);
+ interpvnodelabel, imgp, imgp->execlabel);
 return (result);
 }
@@ -1428,7 +1428,8 @@ mac_check_vnode_exec(struct ucred *cred, struct vnode *vp,
 if (!mac_enforce_process && !mac_enforce_fs)
 return (0);
- MAC_CHECK(check_vnode_exec, cred, vp, &vp->v_label, imgp);
+ MAC_CHECK(check_vnode_exec, cred, vp, &vp->v_label, imgp,
+ imgp->execlabel);
 return (error);
 }
diff --git a/sys/security/mac/mac_pipe.c b/sys/security/mac/mac_pipe.c
index 9f76f05..69fa5ad 100644
--- a/sys/security/mac/mac_pipe.c
+++ b/sys/security/mac/mac_pipe.c
@@ -1307,7 +1307,7 @@ mac_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp,
 return;
 MAC_PERFORM(execve_transition, old, new, vp, &vp->v_label,
- interpvnodelabel, imgp);
+ interpvnodelabel, imgp, imgp->execlabel);
 }
 int
@@ -1323,7 +1323,7 @@ mac_execve_will_transition(struct ucred *old, struct vnode *vp,
 result = 0;
 MAC_BOOLEAN(execve_will_transition, ||, old, vp, &vp->v_label,
- interpvnodelabel, imgp);
+ interpvnodelabel, imgp, imgp->execlabel);
 return (result);
 }
@@ -1428,7 +1428,8 @@ mac_check_vnode_exec(struct ucred *cred, struct vnode *vp,
 if (!mac_enforce_process && !mac_enforce_fs)
 return (0);
- MAC_CHECK(check_vnode_exec, cred, vp, &vp->v_label, imgp);
+ MAC_CHECK(check_vnode_exec, cred, vp, &vp->v_label, imgp,
+ imgp->execlabel);
 return (error);
 }
diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h
index 9bed8ff..23ea56b 100644
--- a/sys/security/mac/mac_policy.h
+++ b/sys/security/mac/mac_policy.h
@@ -244,11 +244,11 @@ struct mac_policy_ops {
 void (*mpo_execve_transition)(struct ucred *old, struct ucred *new, struct vnode *vp, struct label *vnodelabel, struct label *interpvnodelabel,
- struct image_params *imgp);
+ struct image_params *imgp, struct label *execlabel);
 int (*mpo_execve_will_transition)(struct ucred *old, struct vnode *vp, struct label *vnodelabel, struct label *interpvnodelabel,
- struct image_params *imgp);
+ struct image_params *imgp, struct label *execlabel);
 void (*mpo_create_proc0)(struct ucred *cred);
 void (*mpo_create_proc1)(struct ucred *cred);
 void (*mpo_relabel_cred)(struct ucred *cred,
@@ -342,7 +342,8 @@ struct mac_policy_ops {
 int (*mpo_check_vnode_deleteacl)(struct ucred *cred, struct vnode *vp, struct label *label, acl_type_t type);
 int (*mpo_check_vnode_exec)(struct ucred *cred, struct vnode *vp,
- struct label *label, struct image_params *imgp);
+ struct label *label, struct image_params *imgp,
+ struct label *execlabel);
 int (*mpo_check_vnode_getacl)(struct ucred *cred, struct vnode *vp, struct label *label, acl_type_t type);
 int (*mpo_check_vnode_getextattr)(struct ucred *cred,
diff --git a/sys/security/mac/mac_process.c b/sys/security/mac/mac_process.c
index 9f76f05..69fa5ad 100644
--- a/sys/security/mac/mac_process.c
+++ b/sys/security/mac/mac_process.c
@@ -1307,7 +1307,7 @@ mac_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp,
 return;
 MAC_PERFORM(execve_transition, old, new, vp, &vp->v_label,
- interpvnodelabel, imgp);
+ interpvnodelabel, imgp, imgp->execlabel);
 }
 int
@@ -1323,7 +1323,7 @@ mac_execve_will_transition(struct ucred *old, struct vnode *vp,
 result = 0;
 MAC_BOOLEAN(execve_will_transition, ||, old, vp, &vp->v_label,
- interpvnodelabel, imgp);
+ interpvnodelabel, imgp, imgp->execlabel);
 return (result);
 }
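Review bot: The three mpo_* prototypes in struct mac_policy_ops gain a `struct label *execlabel` parameter with no comment on what it denotes, who owns it, or whether it may be NULL, and since this header is the contract consumed by out-of-tree policy modules that is where the answer belongs. The commit message says only that it replaces policies reaching into the image activator instance, so I would add above mpo_execve_transition something like `/* execlabel: label carried in the image_params for this exec; lifetime and NULL-ability TODO confirm against the image activator */` and mirror it on mpo_execve_will_transition and mpo_check_vnode_exec. The struct mac_policy_ops definition begins and ends outside both hunks. The same two hunks, with the identical index line 9bed8ff..23ea56b, appear again under sys/sys/mac_policy.h at the end of the patch, so the same comment applies there.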
@@ -1428,7 +1428,8 @@ mac_check_vnode_exec(struct ucred *cred, struct vnode *vp,
 if (!mac_enforce_process && !mac_enforce_fs)
 return (0);
- MAC_CHECK(check_vnode_exec, cred, vp, &vp->v_label, imgp);
+ MAC_CHECK(check_vnode_exec, cred, vp, &vp->v_label, imgp,
+ imgp->execlabel);
 return (error);
 }
diff --git a/sys/security/mac/mac_syscalls.c b/sys/security/mac/mac_syscalls.c
index 9f76f05..69fa5ad 100644
--- a/sys/security/mac/mac_syscalls.c
+++ b/sys/security/mac/mac_syscalls.c
@@ -1307,7 +1307,7 @@ mac_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp,
 return;
 MAC_PERFORM(execve_transition, old, new, vp, &vp->v_label,
- interpvnodelabel, imgp);
+ interpvnodelabel, imgp, imgp->execlabel);
 }
 int
@@ -1323,7 +1323,7 @@ mac_execve_will_transition(struct ucred *old, struct vnode *vp,
 result = 0;
 MAC_BOOLEAN(execve_will_transition, ||, old, vp, &vp->v_label,
- interpvnodelabel, imgp);
+ interpvnodelabel, imgp, imgp->execlabel);
 return (result);
 }
@@ -1428,7 +1428,8 @@ mac_check_vnode_exec(struct ucred *cred, struct vnode *vp,
 if (!mac_enforce_process && !mac_enforce_fs)
 return (0);
- MAC_CHECK(check_vnode_exec, cred, vp, &vp->v_label, imgp);
+ MAC_CHECK(check_vnode_exec, cred, vp, &vp->v_label, imgp,
+ imgp->execlabel);
 return (error);
 }
diff --git a/sys/security/mac/mac_system.c b/sys/security/mac/mac_system.c
index 9f76f05..69fa5ad 100644
--- a/sys/security/mac/mac_system.c
+++ b/sys/security/mac/mac_system.c
@@ -1307,7 +1307,7 @@ mac_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp,
 return;
 MAC_PERFORM(execve_transition, old, new, vp, &vp->v_label,
- interpvnodelabel, imgp);
+ interpvnodelabel, imgp, imgp->execlabel);
 }
 int
@@ -1323,7 +1323,7 @@ mac_execve_will_transition(struct ucred *old, struct vnode *vp,
 result = 0;
 MAC_BOOLEAN(execve_will_transition, ||, old, vp, &vp->v_label,
- interpvnodelabel, imgp);
+ interpvnodelabel, imgp, imgp->execlabel);
 return (result);
 }
@@ -1428,7 +1428,8 @@ mac_check_vnode_exec(struct ucred *cred, struct vnode *vp,
 if (!mac_enforce_process && !mac_enforce_fs)
 return (0);
- MAC_CHECK(check_vnode_exec, cred, vp, &vp->v_label, imgp);
+ MAC_CHECK(check_vnode_exec, cred, vp, &vp->v_label, imgp,
+ imgp->execlabel);
 return (error);
 }
diff --git a/sys/security/mac/mac_vfs.c b/sys/security/mac/mac_vfs.c
index 9f76f05..69fa5ad 100644
--- a/sys/security/mac/mac_vfs.c
+++ b/sys/security/mac/mac_vfs.c
@@ -1307,7 +1307,7 @@ mac_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp,
 return;
 MAC_PERFORM(execve_transition, old, new, vp, &vp->v_label,
- interpvnodelabel, imgp);
+ interpvnodelabel, imgp, imgp->execlabel);
 }
 int
@@ -1323,7 +1323,7 @@ mac_execve_will_transition(struct ucred *old, struct vnode *vp,
 result = 0;
 MAC_BOOLEAN(execve_will_transition, ||, old, vp, &vp->v_label,
- interpvnodelabel, imgp);
+ interpvnodelabel, imgp, imgp->execlabel);
 return (result);
 }
@@ -1428,7 +1428,8 @@ mac_check_vnode_exec(struct ucred *cred, struct vnode *vp,
 if (!mac_enforce_process && !mac_enforce_fs)
 return (0);
- MAC_CHECK(check_vnode_exec, cred, vp, &vp->v_label, imgp);
+ MAC_CHECK(check_vnode_exec, cred, vp, &vp->v_label, imgp,
+ imgp->execlabel);
 return (error);
 }
diff --git a/sys/sys/mac_policy.h b/sys/sys/mac_policy.h
index 9bed8ff..23ea56b 100644
--- a/sys/sys/mac_policy.h
+++ b/sys/sys/mac_policy.h
@@ -244,11 +244,11 @@ struct mac_policy_ops {
 void (*mpo_execve_transition)(struct ucred *old, struct ucred *new, struct vnode *vp, struct label *vnodelabel, struct label *interpvnodelabel,
- struct image_params *imgp);
+ struct image_params *imgp, struct label *execlabel);
 int (*mpo_execve_will_transition)(struct ucred *old, struct vnode *vp, struct label *vnodelabel, struct label *interpvnodelabel,
- struct image_params *imgp);
+ struct image_params *imgp, struct label *execlabel);
 void (*mpo_create_proc0)(struct ucred *cred);
 void (*mpo_create_proc1)(struct ucred *cred);
 void (*mpo_relabel_cred)(struct ucred *cred,
@@ -342,7 +342,8 @@ struct mac_policy_ops {
 int (*mpo_check_vnode_deleteacl)(struct ucred *cred, struct vnode *vp, struct label *label, acl_type_t type);
 int (*mpo_check_vnode_exec)(struct ucred *cred, struct vnode *vp,
- struct label *label, struct image_params *imgp);
+ struct label *label, struct image_params *imgp,
+ struct label *execlabel);
 int (*mpo_check_vnode_getacl)(struct ucred *cred, struct vnode *vp, struct label *label, acl_type_t type);
 int (*mpo_check_vnode_getextattr)(struct ucred *cred,
-- 
cgit v1.1