Message-Id: <200507141022.j6EAM9pQ061146@repoman.freebsd.org>
From: Robert Watson
Date: Thu, 14 Jul 2005 10:22:09 +0000 (UTC)
To: src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org
X-FreeBSD-CVS-Branch: HEAD
Subject: cvs commit: src/sys/sys conf.h mac.h mac_policy.h src/sys/kern kern_conf.c tty_pty.c src/sys/security/mac mac_vfs.c src/sys/security/mac_biba mac_biba.c src/sys/security/mac_lomac mac_lomac.c src/sys/security/mac_mls mac_mls.c ...

rwatson     2005-07-14 10:22:09 UTC

  FreeBSD src repository

  Modified files:
    sys/sys                  conf.h mac.h mac_policy.h
    sys/kern                 kern_conf.c tty_pty.c
    sys/security/mac         mac_vfs.c
    sys/security/mac_biba    mac_biba.c
    sys/security/mac_lomac   mac_lomac.c
    sys/security/mac_mls     mac_mls.c
    sys/security/mac_stub    mac_stub.c
    sys/security/mac_test    mac_test.c
    sys/fs/devfs             devfs_devs.c devfs_vnops.c
  Log:
  When devfs cloning takes place, provide access to the credential of the
  process that caused the clone event to take place for the device driver
  creating the device.  This allows cloned device drivers to adapt the
  device node based on security aspects of the process, such as the uid,
  gid, and MAC label.

  - Add a cred reference to struct cdev, so that when a device node is
    instantiated as a vnode, the cloning credential can be exposed to
    MAC.

  - Add make_dev_cred(), a version of make_dev() that additionally
    accepts the credential to stick in the struct cdev.  Implement it and
    make_dev() in terms of a back-end make_dev_credv().

  - Add a new event handler, dev_clone_cred, which can be registered to
    receive the credential instead of dev_clone, if desired.

  - Modify the MAC entry point mac_create_devfs_device() to accept an
    optional credential pointer (may be NULL), so that MAC policies can
    inspect and act on the label or other elements of the credential
    when initializing the skeleton device protections.

  - Modify tty_pty.c to register clone_dev_cred and invoke make_dev_cred(),
    so that the pty clone credential is exposed to the MAC Framework.

  While currently primarily focussed on MAC policies, this change is also
  a prerequisite for changes to allow ptys to be instantiated with the UID
  of the process looking up the pty.  This requires further changes to the
  pty driver -- in particular, to immediately recycle pty nodes on last
  close so that the credential-related state can be recreated on next
  lookup.

  Submitted by:   Andrew Reisse
  Obtained from:  TrustedBSD Project
  Sponsored by:   SPAWAR, SPARTA
  MFC after:      1 week
  MFC note:       Merge to 6.x, but not 5.x for ABI reasons

  Revision  Changes    Path
  1.37      +2 -1      src/sys/fs/devfs/devfs_devs.c
  1.115     +7 -3      src/sys/fs/devfs/devfs_vnops.c
  1.187     +40 -5     src/sys/kern/kern_conf.c
  1.138     +8 -7      src/sys/kern/tty_pty.c
  1.109     +7 -2      src/sys/security/mac/mac_vfs.c
  1.88      +2 -2      src/sys/security/mac_biba/mac_biba.c
  1.36      +2 -2      src/sys/security/mac_lomac/mac_lomac.c
  1.73      +2 -2      src/sys/security/mac_mls/mac_mls.c
  1.53      +2 -2      src/sys/security/mac_stub/mac_stub.c
  1.61      +5 -2      src/sys/security/mac_test/mac_test.c
  1.223     +8 -0      src/sys/sys/conf.h
  1.68      +2 -2      src/sys/sys/mac.h
  1.67      +5 -1      src/sys/sys/mac_policy.h
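
The credential flow described in this log message, as an added example that is not part of the commit or of the FreeBSD source: a userland C model showing a credential captured at clone time, stored in the cdev, and handed to a policy hook that must also cope with NULL. Function names follow the log message; the struct fields, the integer `cr_label`, `DEFAULT_LABEL`, `pty_clone()` and all signatures are simplified assumptions.

```c
/* Userland model constructed for illustration: not FreeBSD kernel code, signatures simplified. */
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
struct ucred { int cr_ref; unsigned cr_uid; int cr_label; };  /* cr_label: toy MAC label */
struct cdev  { char si_name[32]; struct ucred *si_cred; int si_label; };
#define DEFAULT_LABEL 0  /* assumed label when no cloning credential exists */

/* Back end shared by both front ends; the cdev takes its own reference on the credential. */
static struct cdev *make_dev_credv(struct ucred *cr, const char *fmt, va_list ap) {
    struct cdev *dev = calloc(1, sizeof(*dev));
    if (dev == NULL)
        return NULL;
    vsnprintf(dev->si_name, sizeof(dev->si_name), fmt, ap);
    dev->si_cred = cr;
    if (cr != NULL)
        cr->cr_ref++;
    return dev;
}
static struct cdev *make_dev(const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    struct cdev *dev = make_dev_credv(NULL, fmt, ap);  /* legacy path: no credential */
    va_end(ap);
    return dev;
}
static struct cdev *make_dev_cred(struct ucred *cr, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    struct cdev *dev = make_dev_credv(cr, fmt, ap);
    va_end(ap);
    return dev;
}
/* Toy policy entry point: the credential is optional, so NULL gets the default label. */
static void mac_create_devfs_device(struct ucred *cred, struct cdev *dev) {
    dev->si_label = (cred != NULL) ? cred->cr_label : DEFAULT_LABEL;
}
/* Clone handler in the style of dev_clone_cred: receives the cloning process's credential. */
static struct cdev *pty_clone(struct ucred *cred, const char *name) {
    struct cdev *dev = make_dev_cred(cred, "%s", name);
    if (dev != NULL)
        mac_create_devfs_device(dev->si_cred, dev);
    return dev;
}
int main(void) {
    struct ucred user = { 1, 1001, 7 };  /* constructed sample credential */
    struct cdev *pty = pty_clone(&user, "ttyp0"), *plain = make_dev("null");
    if (pty == NULL || plain == NULL)
        return 1;
    mac_create_devfs_device(plain->si_cred, plain);
    printf("%s label=%d, %s label=%d\n", pty->si_name, pty->si_label, plain->si_name, plain->si_label);
    return 0;
}
```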