PERFORCE change 15058 for review
Robert Watson
rwatson at freebsd.org
Sun Jul 28 16:43:45 GMT 2002
http://people.freebsd.org/~peter/p4db/chv.cgi?CH=15058
Change 15058 by rwatson at rwatson_paprika on 2002/07/28 09:43:26
Rename inter-process authorization entry points to match the
mac_check_obj_method naming standard.
Affected files ...
.. //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#200 edit
.. //depot/projects/trustedbsd/mac/sys/kern/kern_prot.c#24 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#76 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#65 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_none/mac_none.c#52 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_partition/mac_partition.c#8 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_seeotheruids/mac_seeotheruids.c#13 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.c#57 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#22 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac.h#128 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#93 edit
Differences ...
==== //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#200 (text+ko) ====
@@ -662,6 +662,18 @@
mpc->mpc_ops->mpo_check_ifnet_transmit =
mpe->mpe_function;
break;
+ case MAC_CHECK_PROC_DEBUG:
+ mpc->mpc_ops->mpo_check_proc_debug =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_PROC_SCHED:
+ mpc->mpc_ops->mpo_check_proc_sched =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_PROC_SIGNAL:
+ mpc->mpc_ops->mpo_check_proc_signal =
+ mpe->mpe_function;
+ break;
case MAC_CHECK_SOCKET_BIND:
mpc->mpc_ops->mpo_check_socket_bind =
mpe->mpe_function;
@@ -705,10 +717,6 @@
case MAC_CHECK_STATFS:
mpc->mpc_ops->mpo_check_statfs = mpe->mpe_function;
break;
- case MAC_CHECK_DEBUG_PROC:
- mpc->mpc_ops->mpo_check_debug_proc =
- mpe->mpe_function;
- break;
case MAC_CHECK_ACCESS_VNODE:
mpc->mpc_ops->mpo_check_access_vnode =
mpe->mpe_function;
@@ -797,14 +805,6 @@
mpc->mpc_ops->mpo_check_setutimes_vnode =
mpe->mpe_function;
break;
- case MAC_CHECK_SCHED_PROC:
- mpc->mpc_ops->mpo_check_sched_proc =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SIGNAL_PROC:
- mpc->mpc_ops->mpo_check_signal_proc =
- mpe->mpe_function;
- break;
case MAC_CHECK_STAT_VNODE:
mpc->mpc_ops->mpo_check_stat_vnode =
mpe->mpe_function;
@@ -1040,45 +1040,6 @@
return (error2);
}
-int
-mac_cred_cansignal(struct ucred *cred, struct proc *proc, int signum)
-{
- int error;
-
- if (!mac_enforce_process)
- return (0);
-
- MAC_CHECK(check_signal_proc, cred, proc, signum);
-
- return (error);
-}
-
-int
-mac_cred_cansched(struct ucred *cred, struct proc *proc)
-{
- int error;
-
- if (!mac_enforce_process)
- return (0);
-
- MAC_CHECK(check_sched_proc, cred, proc);
-
- return (error);
-}
-
-int
-mac_cred_candebug(struct ucred *cred, struct proc *proc)
-{
- int error;
-
- if (!mac_enforce_process)
- return (0);
-
- MAC_CHECK(check_debug_proc, cred, proc);
-
- return (error);
-}
-
void
mac_update_devfsdirent_from_vnode(struct devfs_dirent *de, struct vnode *vp)
{
@@ -2493,6 +2454,45 @@
}
int
+mac_check_proc_debug(struct ucred *cred, struct proc *proc)
+{
+ int error;
+
+ if (!mac_enforce_process)
+ return (0);
+
+ MAC_CHECK(check_proc_debug, cred, proc);
+
+ return (error);
+}
+
+int
+mac_check_proc_sched(struct ucred *cred, struct proc *proc)
+{
+ int error;
+
+ if (!mac_enforce_process)
+ return (0);
+
+ MAC_CHECK(check_proc_sched, cred, proc);
+
+ return (error);
+}
+
+int
+mac_check_proc_signal(struct ucred *cred, struct proc *proc, int signum)
+{
+ int error;
+
+ if (!mac_enforce_process)
+ return (0);
+
+ MAC_CHECK(check_proc_signal, cred, proc, signum);
+
+ return (error);
+}
+
+int
mac_check_socket_bind(struct ucred *ucred, struct socket *socket,
struct sockaddr *sockaddr)
{
==== //depot/projects/trustedbsd/mac/sys/kern/kern_prot.c#24 (text+ko) ====
@@ -1429,7 +1429,7 @@
return (error);
#ifdef MAC
- if ((error = mac_cred_cansignal(cred, proc, signum)))
+ if ((error = mac_check_proc_signal(cred, proc, signum)))
return (error);
#endif
@@ -1531,7 +1531,7 @@
if ((error = prison_check(td->td_ucred, p->p_ucred)))
return (error);
#ifdef MAC
- if ((error = mac_cred_cansched(td->td_ucred, p)))
+ if ((error = mac_check_proc_sched(td->td_ucred, p)))
return (error);
#endif
if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred)))
@@ -1595,7 +1595,7 @@
return (error);
#ifdef MAC
- error = mac_cred_candebug(td->td_ucred, p);
+ error = mac_check_proc_debug(td->td_ucred, p);
if (error)
return (error);
#endif
==== //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#76 (text+ko) ====
@@ -1199,6 +1199,66 @@
}
static int
+mac_biba_check_proc_debug(struct ucred *cred, struct proc *proc)
+{
+ struct mac_biba *subj, *obj;
+
+ if (!mac_biba_enabled)
+ return (0);
+
+ subj = SLOT(&cred->cr_label);
+ obj = SLOT(&proc->p_ucred->cr_label);
+
+ /* XXX: range checks */
+ if (!mac_biba_dominate_single(obj, subj))
+ return (ESRCH);
+ if (!mac_biba_dominate_single(subj, obj))
+ return (EACCES);
+
+ return (0);
+}
+
+static int
+mac_biba_check_proc_sched(struct ucred *cred, struct proc *proc)
+{
+ struct mac_biba *subj, *obj;
+
+ if (!mac_biba_enabled)
+ return (0);
+
+ subj = SLOT(&cred->cr_label);
+ obj = SLOT(&proc->p_ucred->cr_label);
+
+ /* XXX: range checks */
+ if (!mac_biba_dominate_single(obj, subj))
+ return (ESRCH);
+ if (!mac_biba_dominate_single(subj, obj))
+ return (EACCES);
+
+ return (0);
+}
+
+static int
+mac_biba_check_proc_signal(struct ucred *cred, struct proc *proc, int signum)
+{
+ struct mac_biba *subj, *obj;
+
+ if (!mac_biba_enabled)
+ return (0);
+
+ subj = SLOT(&cred->cr_label);
+ obj = SLOT(&proc->p_ucred->cr_label);
+
+ /* XXX: range checks */
+ if (!mac_biba_dominate_single(obj, subj))
+ return (ESRCH);
+ if (!mac_biba_dominate_single(subj, obj))
+ return (EACCES);
+
+ return (0);
+}
+
+static int
mac_biba_check_socket_receive(struct socket *so, struct label *socketlabel,
struct mbuf *m, struct label *mbuflabel)
{
@@ -1422,26 +1482,6 @@
}
static int
-mac_biba_check_debug_proc(struct ucred *cred, struct proc *proc)
-{
- struct mac_biba *subj, *obj;
-
- if (!mac_biba_enabled)
- return (0);
-
- subj = SLOT(&cred->cr_label);
- obj = SLOT(&proc->p_ucred->cr_label);
-
- /* XXX: range checks */
- if (!mac_biba_dominate_single(obj, subj))
- return (ESRCH);
- if (!mac_biba_dominate_single(subj, obj))
- return (EACCES);
-
- return (0);
-}
-
-static int
mac_biba_check_access_vnode(struct ucred *cred, struct vnode *vp,
struct label *label, mode_t flags)
{
@@ -1858,46 +1898,6 @@
}
static int
-mac_biba_check_sched_proc(struct ucred *cred, struct proc *proc)
-{
- struct mac_biba *subj, *obj;
-
- if (!mac_biba_enabled)
- return (0);
-
- subj = SLOT(&cred->cr_label);
- obj = SLOT(&proc->p_ucred->cr_label);
-
- /* XXX: range checks */
- if (!mac_biba_dominate_single(obj, subj))
- return (ESRCH);
- if (!mac_biba_dominate_single(subj, obj))
- return (EACCES);
-
- return (0);
-}
-
-static int
-mac_biba_check_signal_proc(struct ucred *cred, struct proc *proc, int signum)
-{
- struct mac_biba *subj, *obj;
-
- if (!mac_biba_enabled)
- return (0);
-
- subj = SLOT(&cred->cr_label);
- obj = SLOT(&proc->p_ucred->cr_label);
-
- /* XXX: range checks */
- if (!mac_biba_dominate_single(obj, subj))
- return (ESRCH);
- if (!mac_biba_dominate_single(subj, obj))
- return (EACCES);
-
- return (0);
-}
-
-static int
mac_biba_check_stat_vnode(struct ucred *cred, struct vnode *vp,
struct label *vnodelabel)
{
@@ -2146,6 +2146,12 @@
(macop_t)mac_biba_check_cred_visible },
{ MAC_CHECK_IFNET_TRANSMIT,
(macop_t)mac_biba_check_ifnet_transmit },
+ { MAC_CHECK_PROC_DEBUG,
+ (macop_t)mac_biba_check_proc_debug },
+ { MAC_CHECK_PROC_SCHED,
+ (macop_t)mac_biba_check_proc_sched },
+ { MAC_CHECK_PROC_SIGNAL,
+ (macop_t)mac_biba_check_proc_signal },
{ MAC_CHECK_SOCKET_RECEIVE,
(macop_t)mac_biba_check_socket_receive },
{ MAC_CHECK_SOCKET_VISIBLE,
@@ -2162,8 +2168,6 @@
(macop_t)mac_biba_check_relabel_vnode },
{ MAC_CHECK_STATFS,
(macop_t)mac_biba_check_statfs },
- { MAC_CHECK_DEBUG_PROC,
- (macop_t)mac_biba_check_debug_proc },
{ MAC_CHECK_ACCESS_VNODE,
(macop_t)mac_biba_check_access_vnode },
{ MAC_CHECK_CHDIR_VNODE,
@@ -2212,10 +2216,6 @@
(macop_t)mac_biba_check_setowner_vnode },
{ MAC_CHECK_SETUTIMES_VNODE,
(macop_t)mac_biba_check_setutimes_vnode },
- { MAC_CHECK_SCHED_PROC,
- (macop_t)mac_biba_check_sched_proc },
- { MAC_CHECK_SIGNAL_PROC,
- (macop_t)mac_biba_check_signal_proc },
{ MAC_CHECK_STAT_VNODE,
(macop_t)mac_biba_check_stat_vnode },
{ MAC_CHECK_VNODE_MMAP_PERMS,
==== //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#65 (text+ko) ====
@@ -1160,6 +1160,66 @@
}
static int
+mac_mls_check_proc_debug(struct ucred *cred, struct proc *proc)
+{
+ struct mac_mls *subj, *obj;
+
+ if (!mac_mls_enabled)
+ return (0);
+
+ subj = SLOT(&cred->cr_label);
+ obj = SLOT(&proc->p_ucred->cr_label);
+
+ /* XXX: range checks */
+ if (!mac_mls_dominate_single(subj, obj))
+ return (ESRCH);
+ if (!mac_mls_dominate_single(obj, subj))
+ return (EACCES);
+
+ return (0);
+}
+
+static int
+mac_mls_check_proc_sched(struct ucred *cred, struct proc *proc)
+{
+ struct mac_mls *subj, *obj;
+
+ if (!mac_mls_enabled)
+ return (0);
+
+ subj = SLOT(&cred->cr_label);
+ obj = SLOT(&proc->p_ucred->cr_label);
+
+ /* XXX: range checks */
+ if (!mac_mls_dominate_single(subj, obj))
+ return (ESRCH);
+ if (!mac_mls_dominate_single(obj, subj))
+ return (EACCES);
+
+ return (0);
+}
+
+static int
+mac_mls_check_proc_signal(struct ucred *cred, struct proc *proc, int signum)
+{
+ struct mac_mls *subj, *obj;
+
+ if (!mac_mls_enabled)
+ return (0);
+
+ subj = SLOT(&cred->cr_label);
+ obj = SLOT(&proc->p_ucred->cr_label);
+
+ /* XXX: range checks */
+ if (!mac_mls_dominate_single(subj, obj))
+ return (ESRCH);
+ if (!mac_mls_dominate_single(obj, subj))
+ return (EACCES);
+
+ return (0);
+}
+
+static int
mac_mls_check_socket_receive(struct socket *so, struct label *socketlabel,
struct mbuf *m, struct label *mbuflabel)
{
@@ -1368,26 +1428,6 @@
}
static int
-mac_mls_check_debug_proc(struct ucred *cred, struct proc *proc)
-{
- struct mac_mls *subj, *obj;
-
- if (!mac_mls_enabled)
- return (0);
-
- subj = SLOT(&cred->cr_label);
- obj = SLOT(&proc->p_ucred->cr_label);
-
- /* XXX: range checks */
- if (!mac_mls_dominate_single(subj, obj))
- return (ESRCH);
- if (!mac_mls_dominate_single(obj, subj))
- return (EACCES);
-
- return (0);
-}
-
-static int
mac_mls_check_access_vnode(struct ucred *cred, struct vnode *vp,
struct label *label, mode_t flags)
{
@@ -1804,46 +1844,6 @@
}
static int
-mac_mls_check_sched_proc(struct ucred *cred, struct proc *proc)
-{
- struct mac_mls *subj, *obj;
-
- if (!mac_mls_enabled)
- return (0);
-
- subj = SLOT(&cred->cr_label);
- obj = SLOT(&proc->p_ucred->cr_label);
-
- /* XXX: range checks */
- if (!mac_mls_dominate_single(subj, obj))
- return (ESRCH);
- if (!mac_mls_dominate_single(obj, subj))
- return (EACCES);
-
- return (0);
-}
-
-static int
-mac_mls_check_signal_proc(struct ucred *cred, struct proc *proc, int signum)
-{
- struct mac_mls *subj, *obj;
-
- if (!mac_mls_enabled)
- return (0);
-
- subj = SLOT(&cred->cr_label);
- obj = SLOT(&proc->p_ucred->cr_label);
-
- /* XXX: range checks */
- if (!mac_mls_dominate_single(subj, obj))
- return (ESRCH);
- if (!mac_mls_dominate_single(obj, subj))
- return (EACCES);
-
- return (0);
-}
-
-static int
mac_mls_check_stat_vnode(struct ucred *cred, struct vnode *vp,
struct label *vnodelabel)
{
@@ -2092,6 +2092,12 @@
(macop_t)mac_mls_check_cred_visible },
{ MAC_CHECK_IFNET_TRANSMIT,
(macop_t)mac_mls_check_ifnet_transmit },
+ { MAC_CHECK_PROC_DEBUG,
+ (macop_t)mac_mls_check_proc_debug },
+ { MAC_CHECK_PROC_SCHED,
+ (macop_t)mac_mls_check_proc_sched },
+ { MAC_CHECK_PROC_SIGNAL,
+ (macop_t)mac_mls_check_proc_signal },
{ MAC_CHECK_SOCKET_RECEIVE,
(macop_t)mac_mls_check_socket_receive },
{ MAC_CHECK_SOCKET_VISIBLE,
@@ -2108,8 +2114,6 @@
(macop_t)mac_mls_check_relabel_vnode },
{ MAC_CHECK_STATFS,
(macop_t)mac_mls_check_statfs },
- { MAC_CHECK_DEBUG_PROC,
- (macop_t)mac_mls_check_debug_proc },
{ MAC_CHECK_ACCESS_VNODE,
(macop_t)mac_mls_check_access_vnode },
{ MAC_CHECK_CHDIR_VNODE,
@@ -2158,10 +2162,6 @@
(macop_t)mac_mls_check_setowner_vnode },
{ MAC_CHECK_SETUTIMES_VNODE,
(macop_t)mac_mls_check_setutimes_vnode },
- { MAC_CHECK_SCHED_PROC,
- (macop_t)mac_mls_check_sched_proc },
- { MAC_CHECK_SIGNAL_PROC,
- (macop_t)mac_mls_check_signal_proc },
{ MAC_CHECK_STAT_VNODE,
(macop_t)mac_mls_check_stat_vnode },
{ MAC_CHECK_VNODE_MMAP_PERMS,
==== //depot/projects/trustedbsd/mac/sys/security/mac_none/mac_none.c#52 (text+ko) ====
@@ -572,6 +572,27 @@
}
static int
+mac_none_check_proc_debug(struct ucred *cred, struct proc *proc)
+{
+
+ return (0);
+}
+
+static int
+mac_none_check_proc_sched(struct ucred *cred, struct proc *proc)
+{
+
+ return (0);
+}
+
+static int
+mac_none_check_proc_signal(struct ucred *cred, struct proc *proc, int signum)
+{
+
+ return (0);
+}
+
+static int
mac_none_check_socket_bind(struct ucred *cred, struct socket *socket,
struct label *socketlabel, struct sockaddr *sockaddr)
{
@@ -659,13 +680,6 @@
}
static int
-mac_none_check_debug_proc(struct ucred *cred, struct proc *proc)
-{
-
- return (0);
-}
-
-static int
mac_none_check_access_vnode(struct ucred *cred, struct vnode *vp,
struct label *label, mode_t flags)
{
@@ -845,20 +859,6 @@
}
static int
-mac_none_check_sched_proc(struct ucred *cred, struct proc *proc)
-{
-
- return (0);
-}
-
-static int
-mac_none_check_signal_proc(struct ucred *cred, struct proc *proc, int signum)
-{
-
- return (0);
-}
-
-static int
mac_none_check_stat_vnode(struct ucred *cred, struct vnode *vp,
struct label *label)
{
@@ -1022,6 +1022,12 @@
(macop_t)mac_none_check_cred_visible },
{ MAC_CHECK_IFNET_TRANSMIT,
(macop_t)mac_none_check_ifnet_transmit },
+ { MAC_CHECK_PROC_DEBUG,
+ (macop_t)mac_none_check_proc_debug },
+ { MAC_CHECK_PROC_SCHED,
+ (macop_t)mac_none_check_proc_sched },
+ { MAC_CHECK_PROC_SIGNAL,
+ (macop_t)mac_none_check_proc_signal },
{ MAC_CHECK_SOCKET_BIND,
(macop_t)mac_none_check_socket_bind },
{ MAC_CHECK_SOCKET_CONNECT,
@@ -1044,8 +1050,6 @@
(macop_t)mac_none_check_relabel_vnode },
{ MAC_CHECK_STATFS,
(macop_t)mac_none_check_statfs },
- { MAC_CHECK_DEBUG_PROC,
- (macop_t)mac_none_check_debug_proc },
{ MAC_CHECK_ACCESS_VNODE,
(macop_t)mac_none_check_access_vnode },
{ MAC_CHECK_CHDIR_VNODE,
@@ -1090,10 +1094,6 @@
(macop_t)mac_none_check_setowner_vnode },
{ MAC_CHECK_SETUTIMES_VNODE,
(macop_t)mac_none_check_setutimes_vnode },
- { MAC_CHECK_SCHED_PROC,
- (macop_t)mac_none_check_sched_proc },
- { MAC_CHECK_SIGNAL_PROC,
- (macop_t)mac_none_check_signal_proc },
{ MAC_CHECK_STAT_VNODE,
(macop_t)mac_none_check_stat_vnode },
{ MAC_CHECK_PIPE_IOCTL,
==== //depot/projects/trustedbsd/mac/sys/security/mac_partition/mac_partition.c#8 (text+ko) ====
@@ -198,30 +198,28 @@
}
static int
-mac_partition_check_socket_visible(struct ucred *cred, struct socket *socket,
- struct label *socketlabel)
+mac_partition_check_proc_debug(struct ucred *cred, struct proc *proc)
{
int error;
- error = label_on_label(&cred->cr_label, socketlabel);
+ error = label_on_label(&cred->cr_label, &proc->p_ucred->cr_label);
- return (error ? ENOENT : 0);
+ return (error ? ESRCH : 0);
}
static int
-mac_partition_check_relabel_subject(struct ucred *cred, struct mac *newlabel)
+mac_partition_check_proc_sched(struct ucred *cred, struct proc *proc)
{
+ int error;
- /* If in a partition, can't re-partition. */
- if (SLOT(&cred->cr_label) != 0)
- return (EPERM);
+ error = label_on_label(&cred->cr_label, &proc->p_ucred->cr_label);
- /* If not in a partition, must have privilege */
- return (suser_cred(cred, 0));
+ return (error ? ESRCH : 0);
}
static int
-mac_partition_check_debug_proc(struct ucred *cred, struct proc *proc)
+mac_partition_check_proc_signal(struct ucred *cred, struct proc *proc,
+ int signum)
{
int error;
@@ -231,24 +229,26 @@
}
static int
-mac_partition_check_sched_proc(struct ucred *cred, struct proc *proc)
+mac_partition_check_socket_visible(struct ucred *cred, struct socket *socket,
+ struct label *socketlabel)
{
int error;
- error = label_on_label(&cred->cr_label, &proc->p_ucred->cr_label);
+ error = label_on_label(&cred->cr_label, socketlabel);
- return (error ? ESRCH : 0);
+ return (error ? ENOENT : 0);
}
static int
-mac_partition_check_signal_proc(struct ucred *cred, struct proc *proc,
- int signum)
+mac_partition_check_relabel_subject(struct ucred *cred, struct mac *newlabel)
{
- int error;
- error = label_on_label(&cred->cr_label, &proc->p_ucred->cr_label);
+ /* If in a partition, can't re-partition. */
+ if (SLOT(&cred->cr_label) != 0)
+ return (EPERM);
- return (error ? ESRCH : 0);
+ /* If not in a partition, must have privilege */
+ return (suser_cred(cred, 0));
}
static struct mac_policy_op_entry mac_partition_ops[] =
@@ -279,16 +279,16 @@
(macop_t)mac_partition_relabel_subject },
{ MAC_CHECK_CRED_VISIBLE,
(macop_t)mac_partition_check_cred_visible },
+ { MAC_CHECK_PROC_DEBUG,
+ (macop_t)mac_partition_check_proc_debug },
+ { MAC_CHECK_PROC_SCHED,
+ (macop_t)mac_partition_check_proc_sched },
+ { MAC_CHECK_PROC_SIGNAL,
+ (macop_t)mac_partition_check_proc_signal },
{ MAC_CHECK_SOCKET_VISIBLE,
(macop_t)mac_partition_check_socket_visible },
{ MAC_CHECK_RELABEL_SUBJECT,
(macop_t)mac_partition_check_relabel_subject },
- { MAC_CHECK_DEBUG_PROC,
- (macop_t)mac_partition_check_debug_proc },
- { MAC_CHECK_SCHED_PROC,
- (macop_t)mac_partition_check_sched_proc },
- { MAC_CHECK_SIGNAL_PROC,
- (macop_t)mac_partition_check_signal_proc },
{ MAC_OP_LAST, NULL }
};
==== //depot/projects/trustedbsd/mac/sys/security/mac_seeotheruids/mac_seeotheruids.c#13 (text+ko) ====
@@ -131,47 +131,47 @@
}
static int
-mac_seeotheruids_check_socket_visible(struct ucred *cred, struct socket *socket,
- struct label *socketlabel)
+mac_seeotheruids_check_proc_signal(struct ucred *cred, struct proc *proc,
+ int signum)
{
- return (mac_seeotheruids_check(cred, socket->so_cred));
+ return (mac_seeotheruids_check(cred, proc->p_ucred));
}
static int
-mac_seeotheruids_check_signal_proc(struct ucred *cred, struct proc *proc,
- int signum)
+mac_seeotheruids_check_proc_sched(struct ucred *cred, struct proc *proc)
{
return (mac_seeotheruids_check(cred, proc->p_ucred));
}
static int
-mac_seeotheruids_check_sched_proc(struct ucred *cred, struct proc *proc)
+mac_seeotheruids_check_proc_debug(struct ucred *cred, struct proc *proc)
{
return (mac_seeotheruids_check(cred, proc->p_ucred));
}
static int
-mac_seeotheruids_check_debug_proc(struct ucred *cred, struct proc *proc)
+mac_seeotheruids_check_socket_visible(struct ucred *cred, struct socket *socket,
+ struct label *socketlabel)
{
- return (mac_seeotheruids_check(cred, proc->p_ucred));
+ return (mac_seeotheruids_check(cred, socket->so_cred));
}
static struct mac_policy_op_entry mac_seeotheruids_ops[] =
{
{ MAC_CHECK_CRED_VISIBLE,
(macop_t)mac_seeotheruids_check_cred_visible },
+ { MAC_CHECK_PROC_DEBUG,
+ (macop_t)mac_seeotheruids_check_proc_debug },
+ { MAC_CHECK_PROC_SCHED,
+ (macop_t)mac_seeotheruids_check_proc_sched },
+ { MAC_CHECK_PROC_SIGNAL,
+ (macop_t)mac_seeotheruids_check_proc_signal },
{ MAC_CHECK_SOCKET_VISIBLE,
(macop_t)mac_seeotheruids_check_socket_visible },
- { MAC_CHECK_DEBUG_PROC,
- (macop_t)mac_seeotheruids_check_debug_proc },
- { MAC_CHECK_SCHED_PROC,
- (macop_t)mac_seeotheruids_check_sched_proc },
- { MAC_CHECK_SIGNAL_PROC,
- (macop_t)mac_seeotheruids_check_signal_proc },
{ MAC_OP_LAST, NULL }
};
==== //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.c#57 (text+ko) ====
@@ -694,6 +694,33 @@
}
static int
+mac_te_check_proc_debug(struct ucred *cred, struct proc *proc)
+{
+
+ return (mac_te_check(SLOT(&cred->cr_label),
+ SLOT(&proc->p_ucred->cr_label), MAC_TE_CLASS_PROC,
+ MAC_TE_OPERATION_PROC_DEBUG));
+}
+
+static int
+mac_te_check_proc_signal(struct ucred *cred, struct proc *proc, int signum)
+{
+
+ return (mac_te_check(SLOT(&cred->cr_label),
+ SLOT(&proc->p_ucred->cr_label), MAC_TE_CLASS_PROC,
+ MAC_TE_OPERATION_PROC_SIGNAL));
+}
+
+static int
+mac_te_check_proc_sched(struct ucred *cred, struct proc *proc)
+{
+
+ return (mac_te_check(SLOT(&cred->cr_label),
+ SLOT(&proc->p_ucred->cr_label), MAC_TE_CLASS_PROC,
+ MAC_TE_OPERATION_PROC_SCHED));
+}
+
+static int
mac_te_check_socket_bind(struct ucred *cred, struct socket *socket,
struct label *socketlabel, struct sockaddr *sockaddr)
{
@@ -1144,33 +1171,6 @@
}
static int
-mac_te_check_signal_proc(struct ucred *cred, struct proc *proc, int signum)
-{
-
- return (mac_te_check(SLOT(&cred->cr_label),
- SLOT(&proc->p_ucred->cr_label), MAC_TE_CLASS_PROC,
- MAC_TE_OPERATION_PROC_SIGNAL));
-}
-
-static int
-mac_te_check_sched_proc(struct ucred *cred, struct proc *proc)
-{
-
- return (mac_te_check(SLOT(&cred->cr_label),
- SLOT(&proc->p_ucred->cr_label), MAC_TE_CLASS_PROC,
- MAC_TE_OPERATION_PROC_SCHED));
-}
-
-static int
-mac_te_check_debug_proc(struct ucred *cred, struct proc *proc)
-{
-
- return (mac_te_check(SLOT(&cred->cr_label),
- SLOT(&proc->p_ucred->cr_label), MAC_TE_CLASS_PROC,
- MAC_TE_OPERATION_PROC_DEBUG));
-}
-
-static int
mac_te_check_exec_vnode(struct ucred *cred, struct vnode *vp,
struct label *label)
{
@@ -1748,6 +1748,12 @@
(macop_t)mac_te_check_cred_visible },
{ MAC_CHECK_IFNET_TRANSMIT,
(macop_t)mac_te_check_ifnet_transmit },
+ { MAC_CHECK_PROC_DEBUG,
+ (macop_t)mac_te_check_proc_debug },
+ { MAC_CHECK_PROC_SCHED,
+ (macop_t)mac_te_check_proc_sched },
+ { MAC_CHECK_PROC_SIGNAL,
+ (macop_t)mac_te_check_proc_signal },
{ MAC_CHECK_SOCKET_BIND,
(macop_t)mac_te_check_socket_bind },
{ MAC_CHECK_SOCKET_CONNECT,
@@ -1769,7 +1775,6 @@
{ MAC_CHECK_RELABEL_VNODE,
(macop_t)mac_te_check_relabel_vnode },
{ MAC_CHECK_STATFS, (macop_t)mac_te_check_statfs },
- { MAC_CHECK_DEBUG_PROC, (macop_t)mac_te_check_debug_proc },
{ MAC_CHECK_ACCESS_VNODE,
(macop_t)mac_te_check_access_vnode },
{ MAC_CHECK_CHDIR_VNODE, (macop_t)mac_te_check_chdir_vnode },
@@ -1816,8 +1821,6 @@
(macop_t)mac_te_check_pipe_ioctl },
{ MAC_CHECK_PIPE_OP,
(macop_t)mac_te_check_pipe_op },
- { MAC_CHECK_SCHED_PROC, (macop_t)mac_te_check_sched_proc },
- { MAC_CHECK_SIGNAL_PROC, (macop_t)mac_te_check_signal_proc },
{ MAC_CHECK_STAT_VNODE, (macop_t)mac_te_check_stat_vnode },
{ MAC_CHECK_VNODE_MMAP_PERMS,
(macop_t)mac_te_check_vnode_mmap_perms },
==== //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#22 (text+ko) ====
@@ -780,6 +780,27 @@
}
static int
+mac_test_check_proc_debug(struct ucred *cred, struct proc *proc)
+{
+
+ return (0);
+}
+
+static int
+mac_test_check_proc_sched(struct ucred *cred, struct proc *proc)
+{
+
+ return (0);
+}
+
+static int
+mac_test_check_proc_signal(struct ucred *cred, struct proc *proc)
+{
+
+ return (0);
+}
+
+static int
mac_test_check_socket_bind(struct ucred *cred, struct socket *socket,
struct label *socketlabel, struct sockaddr *sockaddr)
{
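Review bot: `mac_test_check_proc_signal` at the top of this hunk drops the `int signum` parameter that the removed `mac_test_check_signal_proc` carried and that every other policy's `check_proc_signal` handler and the `mac_check_proc_signal` entry point in kern_mac.c take. Because the handler is registered through a `(macop_t)` cast, the mismatch compiles silently, but the function is then invoked with a third argument its prototype does not declare. The signature should read `mac_test_check_proc_signal(struct ucred *cred, struct proc *proc, int signum)`. This looks like a slip in an otherwise mechanical rename rather than an intentional interface change.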
@@ -883,13 +904,6 @@
}
static int
-mac_test_check_debug_proc(struct ucred *cred, struct proc *proc)
-{
-
- return (0);
-}
-
-static int
mac_test_check_access_vnode(struct ucred *cred, struct vnode *vp,
struct label *label, mode_t flags)
{
@@ -1069,20 +1083,6 @@
}
static int
-mac_test_check_sched_proc(struct ucred *cred, struct proc *proc)
-{
-
- return (0);
-}
-
-static int
-mac_test_check_signal_proc(struct ucred *cred, struct proc *proc, int signum)
-{
-
- return (0);
-}
-
-static int
mac_test_check_stat_vnode(struct ucred *cred, struct vnode *vp,
struct label *label)
{
@@ -1228,6 +1228,12 @@
(macop_t)mac_test_check_cred_visible },
{ MAC_CHECK_IFNET_TRANSMIT,
(macop_t)mac_test_check_ifnet_transmit },
+ { MAC_CHECK_PROC_DEBUG,
+ (macop_t)mac_test_check_proc_debug },
+ { MAC_CHECK_PROC_SCHED,
+ (macop_t)mac_test_check_proc_sched },
+ { MAC_CHECK_PROC_SIGNAL,
+ (macop_t)mac_test_check_proc_signal },
{ MAC_CHECK_SOCKET_BIND,
(macop_t)mac_test_check_socket_bind },
{ MAC_CHECK_SOCKET_CONNECT,
@@ -1250,8 +1256,6 @@
(macop_t)mac_test_check_relabel_vnode },
{ MAC_CHECK_STATFS,
(macop_t)mac_test_check_statfs },
- { MAC_CHECK_DEBUG_PROC,
- (macop_t)mac_test_check_debug_proc },
{ MAC_CHECK_ACCESS_VNODE,
(macop_t)mac_test_check_access_vnode },
{ MAC_CHECK_CHDIR_VNODE,
@@ -1296,10 +1300,6 @@
(macop_t)mac_test_check_setowner_vnode },
>>> TRUNCATED FOR MAIL (1000 lines) <<<