Date: Sun, 28 Jul 2002 09:43:45 -0700 (PDT) From: Robert Watson <rwatson@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 15058 for review Message-ID: <200207281643.g6SGhjBH046815@freefall.freebsd.org>
http://people.freebsd.org/~peter/p4db/chv.cgi?CH=15058 Change 15058 by rwatson@rwatson_paprika on 2002/07/28 09:43:26 Rename inter-process authorization entry points to match the mac_check_obj_method naming standard. Affected files ... .. //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#200 edit .. //depot/projects/trustedbsd/mac/sys/kern/kern_prot.c#24 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#76 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#65 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_none/mac_none.c#52 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_partition/mac_partition.c#8 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_seeotheruids/mac_seeotheruids.c#13 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.c#57 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#22 edit .. //depot/projects/trustedbsd/mac/sys/sys/mac.h#128 edit .. //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#93 edit Differences ... ==== //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#200 (text+ko) ==== @@ -662,6 +662,18 @@ mpc->mpc_ops->mpo_check_ifnet_transmit = mpe->mpe_function; break; + case MAC_CHECK_PROC_DEBUG: + mpc->mpc_ops->mpo_check_proc_debug = + mpe->mpe_function; + break; + case MAC_CHECK_PROC_SCHED: + mpc->mpc_ops->mpo_check_proc_sched = + mpe->mpe_function; + break; + case MAC_CHECK_PROC_SIGNAL: + mpc->mpc_ops->mpo_check_proc_signal = + mpe->mpe_function; + break; case MAC_CHECK_SOCKET_BIND: mpc->mpc_ops->mpo_check_socket_bind = mpe->mpe_function; @@ -705,10 +717,6 @@ case MAC_CHECK_STATFS: mpc->mpc_ops->mpo_check_statfs = mpe->mpe_function; break; - case MAC_CHECK_DEBUG_PROC: - mpc->mpc_ops->mpo_check_debug_proc = - mpe->mpe_function; - break; case MAC_CHECK_ACCESS_VNODE: mpc->mpc_ops->mpo_check_access_vnode = mpe->mpe_function; 
@@ -797,14 +805,6 @@ mpc->mpc_ops->mpo_check_setutimes_vnode = mpe->mpe_function; break; - case MAC_CHECK_SCHED_PROC: - mpc->mpc_ops->mpo_check_sched_proc = - mpe->mpe_function; - break; - case MAC_CHECK_SIGNAL_PROC: - mpc->mpc_ops->mpo_check_signal_proc = - mpe->mpe_function; - break; case MAC_CHECK_STAT_VNODE: mpc->mpc_ops->mpo_check_stat_vnode = mpe->mpe_function; @@ -1040,45 +1040,6 @@ return (error2); } -int -mac_cred_cansignal(struct ucred *cred, struct proc *proc, int signum) -{ - int error; - - if (!mac_enforce_process) - return (0); - - MAC_CHECK(check_signal_proc, cred, proc, signum); - - return (error); -} - -int -mac_cred_cansched(struct ucred *cred, struct proc *proc) -{ - int error; - - if (!mac_enforce_process) - return (0); - - MAC_CHECK(check_sched_proc, cred, proc); - - return (error); -} - -int -mac_cred_candebug(struct ucred *cred, struct proc *proc) -{ - int error; - - if (!mac_enforce_process) - return (0); - - MAC_CHECK(check_debug_proc, cred, proc); - - return (error); -} - void mac_update_devfsdirent_from_vnode(struct devfs_dirent *de, struct vnode *vp) { @@ -2493,6 +2454,45 @@ } int +mac_check_proc_debug(struct ucred *cred, struct proc *proc) +{ + int error; + + if (!mac_enforce_process) + return (0); + + MAC_CHECK(check_proc_debug, cred, proc); + + return (error); +} + +int +mac_check_proc_sched(struct ucred *cred, struct proc *proc) +{ + int error; + + if (!mac_enforce_process) + return (0); + + MAC_CHECK(check_proc_sched, cred, proc); + + return (error); +} + +int +mac_check_proc_signal(struct ucred *cred, struct proc *proc, int signum) +{ + int error; + + if (!mac_enforce_process) + return (0); + + MAC_CHECK(check_proc_signal, cred, proc, signum); + + return (error); +} + +int mac_check_socket_bind(struct ucred *ucred, struct socket *socket, struct sockaddr *sockaddr) { ==== //depot/projects/trustedbsd/mac/sys/kern/kern_prot.c#24 (text+ko) ==== 
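Review bot: The three relocated entry points `mac_check_proc_debug`, `mac_check_proc_sched` and `mac_check_proc_signal` in the `@@ -2493,6 +2454,45 @@` hunk carry no comment stating their contract, even though they are the kernel-facing side of the inter-process authorization API and the only place where the `mac_enforce_process` bypass lives. A short block comment above the first one would save the next reader from having to trace `MAC_CHECK`: `/* Inter-process authorization hooks: cred is the acting subject, proc the target process. When mac_enforce_process is zero the check is skipped and 0 (allow) is returned; otherwise error is whatever MAC_CHECK leaves after consulting the loaded policies. */`. It is also worth noting in that comment that `signum` is passed through to policies unchanged, since nothing in this hunk validates it; whether any policy actually uses it cannot be seen from here.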
@@ -1429,7 +1429,7 @@ return (error); #ifdef MAC - if ((error = mac_cred_cansignal(cred, proc, signum))) + if ((error = mac_check_proc_signal(cred, proc, signum))) return (error); #endif @@ -1531,7 +1531,7 @@ if ((error = prison_check(td->td_ucred, p->p_ucred))) return (error); #ifdef MAC - if ((error = mac_cred_cansched(td->td_ucred, p))) + if ((error = mac_check_proc_sched(td->td_ucred, p))) return (error); #endif if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred))) @@ -1595,7 +1595,7 @@ return (error); #ifdef MAC - error = mac_cred_candebug(td->td_ucred, p); + error = mac_check_proc_debug(td->td_ucred, p); if (error) return (error); #endif ==== //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#76 (text+ko) ==== 
@@ -1199,6 +1199,66 @@ } static int +mac_biba_check_proc_debug(struct ucred *cred, struct proc *proc) +{ + struct mac_biba *subj, *obj; + + if (!mac_biba_enabled) + return (0); + + subj = SLOT(&cred->cr_label); + obj = SLOT(&proc->p_ucred->cr_label); + + /* XXX: range checks */ + if (!mac_biba_dominate_single(obj, subj)) + return (ESRCH); + if (!mac_biba_dominate_single(subj, obj)) + return (EACCES); + + return (0); +} + +static int +mac_biba_check_proc_sched(struct ucred *cred, struct proc *proc) +{ + struct mac_biba *subj, *obj; + + if (!mac_biba_enabled) + return (0); + + subj = SLOT(&cred->cr_label); + obj = SLOT(&proc->p_ucred->cr_label); + + /* XXX: range checks */ + if (!mac_biba_dominate_single(obj, subj)) + return (ESRCH); + if (!mac_biba_dominate_single(subj, obj)) + return (EACCES); + + return (0); +} + +static int +mac_biba_check_proc_signal(struct ucred *cred, struct proc *proc, int signum) +{ + struct mac_biba *subj, *obj; + + if (!mac_biba_enabled) + return (0); + + subj = SLOT(&cred->cr_label); + obj = SLOT(&proc->p_ucred->cr_label); + + /* XXX: range checks */ + if (!mac_biba_dominate_single(obj, subj)) + return (ESRCH); + if (!mac_biba_dominate_single(subj, obj)) + return (EACCES); + + return (0); +} + +static int mac_biba_check_socket_receive(struct socket *so, struct label *socketlabel, struct mbuf *m, struct label *mbuflabel) { @@ -1422,26 +1482,6 @@ } static int -mac_biba_check_debug_proc(struct ucred *cred, struct proc *proc) -{ - struct mac_biba *subj, *obj; - - if (!mac_biba_enabled) - return (0); - - subj = SLOT(&cred->cr_label); - obj = SLOT(&proc->p_ucred->cr_label); - - /* XXX: range checks */ - if (!mac_biba_dominate_single(obj, subj)) - return (ESRCH); - if (!mac_biba_dominate_single(subj, obj)) - return (EACCES); - - return (0); -} - -static int mac_biba_check_access_vnode(struct ucred *cred, struct vnode *vp, struct label *label, mode_t flags) { 
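Review bot: The bodies of the new `mac_biba_check_proc_debug`, `mac_biba_check_proc_sched` and `mac_biba_check_proc_signal` in the `@@ -1199,6 +1199,66 @@` hunk are byte-for-byte identical, and `signum` is never read, so three copies of the same subject/object comparison (including the same `/* XXX: range checks */` TODO) now have to be kept in sync. I would hoist the shared body into `static int mac_biba_check_proc_common(struct ucred *cred, struct proc *proc)` and have each hook `return (mac_biba_check_proc_common(cred, proc));`, so a future fix to the range check or to the ESRCH/EACCES ordering lands in one place. The same duplication appears in the mac_mls counterpart of this change and would benefit from the same treatment. If the intent is that the three hooks may later diverge (for example to treat some signals differently), a one-line comment saying so would justify keeping them separate.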
@@ -1858,46 +1898,6 @@ } static int -mac_biba_check_sched_proc(struct ucred *cred, struct proc *proc) -{ - struct mac_biba *subj, *obj; - - if (!mac_biba_enabled) - return (0); - - subj = SLOT(&cred->cr_label); - obj = SLOT(&proc->p_ucred->cr_label); - - /* XXX: range checks */ - if (!mac_biba_dominate_single(obj, subj)) - return (ESRCH); - if (!mac_biba_dominate_single(subj, obj)) - return (EACCES); - - return (0); -} - -static int -mac_biba_check_signal_proc(struct ucred *cred, struct proc *proc, int signum) -{ - struct mac_biba *subj, *obj; - - if (!mac_biba_enabled) - return (0); - - subj = SLOT(&cred->cr_label); - obj = SLOT(&proc->p_ucred->cr_label); - - /* XXX: range checks */ - if (!mac_biba_dominate_single(obj, subj)) - return (ESRCH); - if (!mac_biba_dominate_single(subj, obj)) - return (EACCES); - - return (0); -} - -static int mac_biba_check_stat_vnode(struct ucred *cred, struct vnode *vp, struct label *vnodelabel) { @@ -2146,6 +2146,12 @@ (macop_t)mac_biba_check_cred_visible }, { MAC_CHECK_IFNET_TRANSMIT, (macop_t)mac_biba_check_ifnet_transmit }, + { MAC_CHECK_PROC_DEBUG, + (macop_t)mac_biba_check_proc_debug }, + { MAC_CHECK_PROC_SCHED, + (macop_t)mac_biba_check_proc_sched }, + { MAC_CHECK_PROC_SIGNAL, + (macop_t)mac_biba_check_proc_signal }, { MAC_CHECK_SOCKET_RECEIVE, (macop_t)mac_biba_check_socket_receive }, { MAC_CHECK_SOCKET_VISIBLE, @@ -2162,8 +2168,6 @@ (macop_t)mac_biba_check_relabel_vnode }, { MAC_CHECK_STATFS, (macop_t)mac_biba_check_statfs }, - { MAC_CHECK_DEBUG_PROC, - (macop_t)mac_biba_check_debug_proc }, { MAC_CHECK_ACCESS_VNODE, (macop_t)mac_biba_check_access_vnode }, { MAC_CHECK_CHDIR_VNODE, 
@@ -2212,10 +2216,6 @@ (macop_t)mac_biba_check_setowner_vnode }, { MAC_CHECK_SETUTIMES_VNODE, (macop_t)mac_biba_check_setutimes_vnode }, - { MAC_CHECK_SCHED_PROC, - (macop_t)mac_biba_check_sched_proc }, - { MAC_CHECK_SIGNAL_PROC, - (macop_t)mac_biba_check_signal_proc }, { MAC_CHECK_STAT_VNODE, (macop_t)mac_biba_check_stat_vnode }, { MAC_CHECK_VNODE_MMAP_PERMS, ==== //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#65 (text+ko) ==== @@ -1160,6 +1160,66 @@ } static int +mac_mls_check_proc_debug(struct ucred *cred, struct proc *proc) +{ + struct mac_mls *subj, *obj; + + if (!mac_mls_enabled) + return (0); + + subj = SLOT(&cred->cr_label); + obj = SLOT(&proc->p_ucred->cr_label); + + /* XXX: range checks */ + if (!mac_mls_dominate_single(subj, obj)) + return (ESRCH); + if (!mac_mls_dominate_single(obj, subj)) + return (EACCES); + + return (0); +} + +static int +mac_mls_check_proc_sched(struct ucred *cred, struct proc *proc) +{ + struct mac_mls *subj, *obj; + + if (!mac_mls_enabled) + return (0); + + subj = SLOT(&cred->cr_label); + obj = SLOT(&proc->p_ucred->cr_label); + + /* XXX: range checks */ + if (!mac_mls_dominate_single(subj, obj)) + return (ESRCH); + if (!mac_mls_dominate_single(obj, subj)) + return (EACCES); + + return (0); +} + +static int +mac_mls_check_proc_signal(struct ucred *cred, struct proc *proc, int signum) +{ + struct mac_mls *subj, *obj; + + if (!mac_mls_enabled) + return (0); + + subj = SLOT(&cred->cr_label); + obj = SLOT(&proc->p_ucred->cr_label); + + /* XXX: range checks */ + if (!mac_mls_dominate_single(subj, obj)) + return (ESRCH); + if (!mac_mls_dominate_single(obj, subj)) + return (EACCES); + + return (0); +} + +static int mac_mls_check_socket_receive(struct socket *so, struct label *socketlabel, struct mbuf *m, struct label *mbuflabel) { 
@@ -1368,26 +1428,6 @@ } static int -mac_mls_check_debug_proc(struct ucred *cred, struct proc *proc) -{ - struct mac_mls *subj, *obj; - - if (!mac_mls_enabled) - return (0); - - subj = SLOT(&cred->cr_label); - obj = SLOT(&proc->p_ucred->cr_label); - - /* XXX: range checks */ - if (!mac_mls_dominate_single(subj, obj)) - return (ESRCH); - if (!mac_mls_dominate_single(obj, subj)) - return (EACCES); - - return (0); -} - -static int mac_mls_check_access_vnode(struct ucred *cred, struct vnode *vp, struct label *label, mode_t flags) { @@ -1804,46 +1844,6 @@ } static int -mac_mls_check_sched_proc(struct ucred *cred, struct proc *proc) -{ - struct mac_mls *subj, *obj; - - if (!mac_mls_enabled) - return (0); - - subj = SLOT(&cred->cr_label); - obj = SLOT(&proc->p_ucred->cr_label); - - /* XXX: range checks */ - if (!mac_mls_dominate_single(subj, obj)) - return (ESRCH); - if (!mac_mls_dominate_single(obj, subj)) - return (EACCES); - - return (0); -} - -static int -mac_mls_check_signal_proc(struct ucred *cred, struct proc *proc, int signum) -{ - struct mac_mls *subj, *obj; - - if (!mac_mls_enabled) - return (0); - - subj = SLOT(&cred->cr_label); - obj = SLOT(&proc->p_ucred->cr_label); - - /* XXX: range checks */ - if (!mac_mls_dominate_single(subj, obj)) - return (ESRCH); - if (!mac_mls_dominate_single(obj, subj)) - return (EACCES); - - return (0); -} - -static int mac_mls_check_stat_vnode(struct ucred *cred, struct vnode *vp, struct label *vnodelabel) { @@ -2092,6 +2092,12 @@ (macop_t)mac_mls_check_cred_visible }, { MAC_CHECK_IFNET_TRANSMIT, (macop_t)mac_mls_check_ifnet_transmit }, + { MAC_CHECK_PROC_DEBUG, + (macop_t)mac_mls_check_proc_debug }, + { MAC_CHECK_PROC_SCHED, + (macop_t)mac_mls_check_proc_sched }, + { MAC_CHECK_PROC_SIGNAL, + (macop_t)mac_mls_check_proc_signal }, { MAC_CHECK_SOCKET_RECEIVE, (macop_t)mac_mls_check_socket_receive }, { MAC_CHECK_SOCKET_VISIBLE, 
@@ -2108,8 +2114,6 @@ (macop_t)mac_mls_check_relabel_vnode }, { MAC_CHECK_STATFS, (macop_t)mac_mls_check_statfs }, - { MAC_CHECK_DEBUG_PROC, - (macop_t)mac_mls_check_debug_proc }, { MAC_CHECK_ACCESS_VNODE, (macop_t)mac_mls_check_access_vnode }, { MAC_CHECK_CHDIR_VNODE, @@ -2158,10 +2162,6 @@ (macop_t)mac_mls_check_setowner_vnode }, { MAC_CHECK_SETUTIMES_VNODE, (macop_t)mac_mls_check_setutimes_vnode }, - { MAC_CHECK_SCHED_PROC, - (macop_t)mac_mls_check_sched_proc }, - { MAC_CHECK_SIGNAL_PROC, - (macop_t)mac_mls_check_signal_proc }, { MAC_CHECK_STAT_VNODE, (macop_t)mac_mls_check_stat_vnode }, { MAC_CHECK_VNODE_MMAP_PERMS, ==== //depot/projects/trustedbsd/mac/sys/security/mac_none/mac_none.c#52 (text+ko) ==== @@ -572,6 +572,27 @@ } static int +mac_none_check_proc_debug(struct ucred *cred, struct proc *proc) +{ + + return (0); +} + +static int +mac_none_check_proc_sched(struct ucred *cred, struct proc *proc) +{ + + return (0); +} + +static int +mac_none_check_proc_signal(struct ucred *cred, struct proc *proc, int signum) +{ + + return (0); +} + +static int mac_none_check_socket_bind(struct ucred *cred, struct socket *socket, struct label *socketlabel, struct sockaddr *sockaddr) { @@ -659,13 +680,6 @@ } static int -mac_none_check_debug_proc(struct ucred *cred, struct proc *proc) -{ - - return (0); -} - -static int mac_none_check_access_vnode(struct ucred *cred, struct vnode *vp, struct label *label, mode_t flags) { @@ -845,20 +859,6 @@ } static int -mac_none_check_sched_proc(struct ucred *cred, struct proc *proc) -{ - - return (0); -} - -static int -mac_none_check_signal_proc(struct ucred *cred, struct proc *proc, int signum) -{ - - return (0); -} - -static int mac_none_check_stat_vnode(struct ucred *cred, struct vnode *vp, struct label *label) { 
@@ -1022,6 +1022,12 @@ (macop_t)mac_none_check_cred_visible }, { MAC_CHECK_IFNET_TRANSMIT, (macop_t)mac_none_check_ifnet_transmit }, + { MAC_CHECK_PROC_DEBUG, + (macop_t)mac_none_check_proc_debug }, + { MAC_CHECK_PROC_SCHED, + (macop_t)mac_none_check_proc_sched }, + { MAC_CHECK_PROC_SIGNAL, + (macop_t)mac_none_check_proc_signal }, { MAC_CHECK_SOCKET_BIND, (macop_t)mac_none_check_socket_bind }, { MAC_CHECK_SOCKET_CONNECT, @@ -1044,8 +1050,6 @@ (macop_t)mac_none_check_relabel_vnode }, { MAC_CHECK_STATFS, (macop_t)mac_none_check_statfs }, - { MAC_CHECK_DEBUG_PROC, - (macop_t)mac_none_check_debug_proc }, { MAC_CHECK_ACCESS_VNODE, (macop_t)mac_none_check_access_vnode }, { MAC_CHECK_CHDIR_VNODE, @@ -1090,10 +1094,6 @@ (macop_t)mac_none_check_setowner_vnode }, { MAC_CHECK_SETUTIMES_VNODE, (macop_t)mac_none_check_setutimes_vnode }, - { MAC_CHECK_SCHED_PROC, - (macop_t)mac_none_check_sched_proc }, - { MAC_CHECK_SIGNAL_PROC, - (macop_t)mac_none_check_signal_proc }, { MAC_CHECK_STAT_VNODE, (macop_t)mac_none_check_stat_vnode }, { MAC_CHECK_PIPE_IOCTL, ==== //depot/projects/trustedbsd/mac/sys/security/mac_partition/mac_partition.c#8 (text+ko) ==== 
@@ -198,30 +198,28 @@ } static int -mac_partition_check_socket_visible(struct ucred *cred, struct socket *socket, - struct label *socketlabel) +mac_partition_check_proc_debug(struct ucred *cred, struct proc *proc) { int error; - error = label_on_label(&cred->cr_label, socketlabel); + error = label_on_label(&cred->cr_label, &proc->p_ucred->cr_label); - return (error ? ENOENT : 0); + return (error ? ESRCH : 0); } static int -mac_partition_check_relabel_subject(struct ucred *cred, struct mac *newlabel) +mac_partition_check_proc_sched(struct ucred *cred, struct proc *proc) { + int error; - /* If in a partition, can't re-partition. */ - if (SLOT(&cred->cr_label) != 0) - return (EPERM); + error = label_on_label(&cred->cr_label, &proc->p_ucred->cr_label); - /* If not in a partition, must have privilege */ - return (suser_cred(cred, 0)); + return (error ? ESRCH : 0); } static int -mac_partition_check_debug_proc(struct ucred *cred, struct proc *proc) +mac_partition_check_proc_signal(struct ucred *cred, struct proc *proc, + int signum) { int error; @@ -231,24 +229,26 @@ } static int -mac_partition_check_sched_proc(struct ucred *cred, struct proc *proc) +mac_partition_check_socket_visible(struct ucred *cred, struct socket *socket, + struct label *socketlabel) { int error; - error = label_on_label(&cred->cr_label, &proc->p_ucred->cr_label); + error = label_on_label(&cred->cr_label, socketlabel); - return (error ? ESRCH : 0); + return (error ? ENOENT : 0); } static int -mac_partition_check_signal_proc(struct ucred *cred, struct proc *proc, - int signum) +mac_partition_check_relabel_subject(struct ucred *cred, struct mac *newlabel) { - int error; - error = label_on_label(&cred->cr_label, &proc->p_ucred->cr_label); + /* If in a partition, can't re-partition. */ + if (SLOT(&cred->cr_label) != 0) + return (EPERM); - return (error ? ESRCH : 0); + /* If not in a partition, must have privilege */ + return (suser_cred(cred, 0)); } static struct mac_policy_op_entry mac_partition_ops[] = 
@@ -279,16 +279,16 @@ (macop_t)mac_partition_relabel_subject }, { MAC_CHECK_CRED_VISIBLE, (macop_t)mac_partition_check_cred_visible }, + { MAC_CHECK_PROC_DEBUG, + (macop_t)mac_partition_check_proc_debug }, + { MAC_CHECK_PROC_SCHED, + (macop_t)mac_partition_check_proc_sched }, + { MAC_CHECK_PROC_SIGNAL, + (macop_t)mac_partition_check_proc_signal }, { MAC_CHECK_SOCKET_VISIBLE, (macop_t)mac_partition_check_socket_visible }, { MAC_CHECK_RELABEL_SUBJECT, (macop_t)mac_partition_check_relabel_subject }, - { MAC_CHECK_DEBUG_PROC, - (macop_t)mac_partition_check_debug_proc }, - { MAC_CHECK_SCHED_PROC, - (macop_t)mac_partition_check_sched_proc }, - { MAC_CHECK_SIGNAL_PROC, - (macop_t)mac_partition_check_signal_proc }, { MAC_OP_LAST, NULL } }; ==== //depot/projects/trustedbsd/mac/sys/security/mac_seeotheruids/mac_seeotheruids.c#13 (text+ko) ==== 
@@ -131,47 +131,47 @@ } static int -mac_seeotheruids_check_socket_visible(struct ucred *cred, struct socket *socket, - struct label *socketlabel) +mac_seeotheruids_check_proc_signal(struct ucred *cred, struct proc *proc, + int signum) { - return (mac_seeotheruids_check(cred, socket->so_cred)); + return (mac_seeotheruids_check(cred, proc->p_ucred)); } static int -mac_seeotheruids_check_signal_proc(struct ucred *cred, struct proc *proc, - int signum) +mac_seeotheruids_check_proc_sched(struct ucred *cred, struct proc *proc) { return (mac_seeotheruids_check(cred, proc->p_ucred)); } static int -mac_seeotheruids_check_sched_proc(struct ucred *cred, struct proc *proc) +mac_seeotheruids_check_proc_debug(struct ucred *cred, struct proc *proc) { return (mac_seeotheruids_check(cred, proc->p_ucred)); } static int -mac_seeotheruids_check_debug_proc(struct ucred *cred, struct proc *proc) +mac_seeotheruids_check_socket_visible(struct ucred *cred, struct socket *socket, + struct label *socketlabel) { - return (mac_seeotheruids_check(cred, proc->p_ucred)); + return (mac_seeotheruids_check(cred, socket->so_cred)); } static struct mac_policy_op_entry mac_seeotheruids_ops[] = { { MAC_CHECK_CRED_VISIBLE, (macop_t)mac_seeotheruids_check_cred_visible }, + { MAC_CHECK_PROC_DEBUG, + (macop_t)mac_seeotheruids_check_proc_debug }, + { MAC_CHECK_PROC_SCHED, + (macop_t)mac_seeotheruids_check_proc_sched }, + { MAC_CHECK_PROC_SIGNAL, + (macop_t)mac_seeotheruids_check_proc_signal }, { MAC_CHECK_SOCKET_VISIBLE, (macop_t)mac_seeotheruids_check_socket_visible }, - { MAC_CHECK_DEBUG_PROC, - (macop_t)mac_seeotheruids_check_debug_proc }, - { MAC_CHECK_SCHED_PROC, - (macop_t)mac_seeotheruids_check_sched_proc }, - { MAC_CHECK_SIGNAL_PROC, - (macop_t)mac_seeotheruids_check_signal_proc }, { MAC_OP_LAST, NULL } }; ==== //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.c#57 (text+ko) ==== 
@@ -694,6 +694,33 @@ } static int +mac_te_check_proc_debug(struct ucred *cred, struct proc *proc) +{ + + return (mac_te_check(SLOT(&cred->cr_label), + SLOT(&proc->p_ucred->cr_label), MAC_TE_CLASS_PROC, + MAC_TE_OPERATION_PROC_DEBUG)); +} + +static int +mac_te_check_proc_signal(struct ucred *cred, struct proc *proc, int signum) +{ + + return (mac_te_check(SLOT(&cred->cr_label), + SLOT(&proc->p_ucred->cr_label), MAC_TE_CLASS_PROC, + MAC_TE_OPERATION_PROC_SIGNAL)); +} + +static int +mac_te_check_proc_sched(struct ucred *cred, struct proc *proc) +{ + + return (mac_te_check(SLOT(&cred->cr_label), + SLOT(&proc->p_ucred->cr_label), MAC_TE_CLASS_PROC, + MAC_TE_OPERATION_PROC_SCHED)); +} + +static int mac_te_check_socket_bind(struct ucred *cred, struct socket *socket, struct label *socketlabel, struct sockaddr *sockaddr) { @@ -1144,33 +1171,6 @@ } static int -mac_te_check_signal_proc(struct ucred *cred, struct proc *proc, int signum) -{ - - return (mac_te_check(SLOT(&cred->cr_label), - SLOT(&proc->p_ucred->cr_label), MAC_TE_CLASS_PROC, - MAC_TE_OPERATION_PROC_SIGNAL)); -} - -static int -mac_te_check_sched_proc(struct ucred *cred, struct proc *proc) -{ - - return (mac_te_check(SLOT(&cred->cr_label), - SLOT(&proc->p_ucred->cr_label), MAC_TE_CLASS_PROC, - MAC_TE_OPERATION_PROC_SCHED)); -} - -static int -mac_te_check_debug_proc(struct ucred *cred, struct proc *proc) -{ - - return (mac_te_check(SLOT(&cred->cr_label), - SLOT(&proc->p_ucred->cr_label), MAC_TE_CLASS_PROC, - MAC_TE_OPERATION_PROC_DEBUG)); -} - -static int mac_te_check_exec_vnode(struct ucred *cred, struct vnode *vp, struct label *label) { 
@@ -1748,6 +1748,12 @@ (macop_t)mac_te_check_cred_visible }, { MAC_CHECK_IFNET_TRANSMIT, (macop_t)mac_te_check_ifnet_transmit }, + { MAC_CHECK_PROC_DEBUG, + (macop_t)mac_te_check_proc_debug }, + { MAC_CHECK_PROC_SCHED, + (macop_t)mac_te_check_proc_sched }, + { MAC_CHECK_PROC_SIGNAL, + (macop_t)mac_te_check_proc_signal }, { MAC_CHECK_SOCKET_BIND, (macop_t)mac_te_check_socket_bind }, { MAC_CHECK_SOCKET_CONNECT, @@ -1769,7 +1775,6 @@ { MAC_CHECK_RELABEL_VNODE, (macop_t)mac_te_check_relabel_vnode }, { MAC_CHECK_STATFS, (macop_t)mac_te_check_statfs }, - { MAC_CHECK_DEBUG_PROC, (macop_t)mac_te_check_debug_proc }, { MAC_CHECK_ACCESS_VNODE, (macop_t)mac_te_check_access_vnode }, { MAC_CHECK_CHDIR_VNODE, (macop_t)mac_te_check_chdir_vnode }, @@ -1816,8 +1821,6 @@ (macop_t)mac_te_check_pipe_ioctl }, { MAC_CHECK_PIPE_OP, (macop_t)mac_te_check_pipe_op }, - { MAC_CHECK_SCHED_PROC, (macop_t)mac_te_check_sched_proc }, - { MAC_CHECK_SIGNAL_PROC, (macop_t)mac_te_check_signal_proc }, { MAC_CHECK_STAT_VNODE, (macop_t)mac_te_check_stat_vnode }, { MAC_CHECK_VNODE_MMAP_PERMS, (macop_t)mac_te_check_vnode_mmap_perms }, ==== //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#22 (text+ko) ==== @@ -780,6 +780,27 @@ } static int +mac_test_check_proc_debug(struct ucred *cred, struct proc *proc) +{ + + return (0); +} + +static int +mac_test_check_proc_sched(struct ucred *cred, struct proc *proc) +{ + + return (0); +} + +static int +mac_test_check_proc_signal(struct ucred *cred, struct proc *proc) +{ + + return (0); +} + +static int mac_test_check_socket_bind(struct ucred *cred, struct socket *socket, struct label *socketlabel, struct sockaddr *sockaddr) { @@ -883,13 +904,6 @@ } static int -mac_test_check_debug_proc(struct ucred *cred, struct proc *proc) -{ - - return (0); -} - -static int mac_test_check_access_vnode(struct ucred *cred, struct vnode *vp, struct label *label, mode_t flags) { 
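Review bot: In the mac_test.c `@@ -780,6 +780,27 @@` hunk, the new `mac_test_check_proc_signal(struct ucred *cred, struct proc *proc)` drops the `int signum` parameter that the removed `mac_test_check_signal_proc` had and that every other policy's `check_proc_signal` in this change keeps. The `(macop_t)` cast in the `MAC_CHECK_PROC_SIGNAL` ops-table entry hides the mismatch from the compiler, so the framework will call this function through a pointer of an incompatible type, which is undefined behavior in C even though the body ignores its arguments and happens to work on common ABIs. The signature should be `mac_test_check_proc_signal(struct ucred *cred, struct proc *proc, int signum)` to match the `mpo_check_proc_signal` hook; since mac_test is the reference test policy, a silent prototype drift here is exactly what it should be catching, not introducing.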
@@ -1069,20 +1083,6 @@ } static int -mac_test_check_sched_proc(struct ucred *cred, struct proc *proc) -{ - - return (0); -} - -static int -mac_test_check_signal_proc(struct ucred *cred, struct proc *proc, int signum) -{ - - return (0); -} - -static int mac_test_check_stat_vnode(struct ucred *cred, struct vnode *vp, struct label *label) { @@ -1228,6 +1228,12 @@ (macop_t)mac_test_check_cred_visible }, { MAC_CHECK_IFNET_TRANSMIT, (macop_t)mac_test_check_ifnet_transmit }, + { MAC_CHECK_PROC_DEBUG, + (macop_t)mac_test_check_proc_debug }, + { MAC_CHECK_PROC_SCHED, + (macop_t)mac_test_check_proc_sched }, + { MAC_CHECK_PROC_SIGNAL, + (macop_t)mac_test_check_proc_signal }, { MAC_CHECK_SOCKET_BIND, (macop_t)mac_test_check_socket_bind }, { MAC_CHECK_SOCKET_CONNECT, @@ -1250,8 +1256,6 @@ (macop_t)mac_test_check_relabel_vnode }, { MAC_CHECK_STATFS, (macop_t)mac_test_check_statfs }, - { MAC_CHECK_DEBUG_PROC, - (macop_t)mac_test_check_debug_proc }, { MAC_CHECK_ACCESS_VNODE, (macop_t)mac_test_check_access_vnode }, { MAC_CHECK_CHDIR_VNODE, @@ -1296,10 +1300,6 @@ (macop_t)mac_test_check_setowner_vnode }, >>> TRUNCATED FOR MAIL (1000 lines) <<< To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message