PERFORCE change 41858 for review
Robert Watson
rwatson at FreeBSD.org
Mon Nov 10 03:46:11 GMT 2003
http://perforce.freebsd.org/chv.cgi?CH=41858
Change 41858 by rwatson at rwatson_paprika on 2003/11/09 19:45:50
Integrate the TrustedBSD SEBSD branch with recent changes from the
TrustedBSD MAC branch:
- Use zone allocated temporary labels rather than stack-allocated
storage for credentials, pipes, vnodes, during query/set/
transition/...
- Simplify mac_execve_enter() API and interpreter code.
- Remove old _init() and _destroy() APIs for caller-owned memory
initialization/destruction. GC.
Affected files ...
.. //depot/projects/trustedbsd/sebsd/sys/kern/kern_exec.c#8 integrate
.. //depot/projects/trustedbsd/sebsd/sys/kern/kern_mac.c#18 integrate
.. //depot/projects/trustedbsd/sebsd/sys/security/mac/mac_internal.h#7 integrate
.. //depot/projects/trustedbsd/sebsd/sys/security/mac/mac_net.c#4 integrate
.. //depot/projects/trustedbsd/sebsd/sys/security/mac/mac_pipe.c#4 integrate
.. //depot/projects/trustedbsd/sebsd/sys/security/mac/mac_process.c#4 integrate
.. //depot/projects/trustedbsd/sebsd/sys/security/mac/mac_vfs.c#6 integrate
.. //depot/projects/trustedbsd/sebsd/sys/security/mac_biba/mac_biba.c#8 integrate
.. //depot/projects/trustedbsd/sebsd/sys/sys/mac.h#11 integrate
Differences ...
==== //depot/projects/trustedbsd/sebsd/sys/kern/kern_exec.c#8 (text+ko) ====
@@ -168,9 +168,8 @@
int credential_changing;
int textset;
#ifdef MAC
- struct label interplabel; /* label of the interpreted vnode */
- struct label execlabel; /* optional label argument */
- int will_transition, interplabelvalid = 0;
+ struct label *interplabel = NULL;
+ int will_transition;
#endif
imgp = &image_params;
@@ -223,7 +222,7 @@
imgp->auxarg_size = 0;
#ifdef MAC
- error = mac_execve_enter(imgp, mac_p, &execlabel);
+ error = mac_execve_enter(imgp, mac_p);
if (error) {
mtx_lock(&Giant);
goto exec_fail;
@@ -340,9 +339,8 @@
/* free name buffer and old vnode */
NDFREE(ndp, NDF_ONLY_PNBUF);
#ifdef MAC
- mac_init_vnode_label(&interplabel);
- mac_copy_vnode_label(ndp->ni_vp->v_label, &interplabel);
- interplabelvalid = 1;
+ interplabel = mac_cred_label_alloc();
+ mac_copy_vnode_label(ndp->ni_vp->v_label, interplabel);
#endif
vput(ndp->ni_vp);
vm_object_deallocate(imgp->object);
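Review bot: The interpreter label is allocated with the credential allocator but released with the vnode one: this hunk has `interplabel = mac_cred_label_alloc();`, while the two cleanup hunks later in kern_exec.c (the exit1() path and `done2:`) call `mac_vnode_label_free(interplabel)`. The removed mac_init_*_label()/mac_destroy_*_label() helpers ran per-type policy hooks and per-type debug counters, and the alloc/free pair presumably does the same, so a policy would see a label initialised as a credential destroyed as a vnode, and nmaccreds/nmacvnodes would drift. Since the label holds a copy of `ndp->ni_vp->v_label`, the allocation should be `interplabel = mac_vnode_label_alloc();`, which this change already exports in sys/mac.h. The enclosing function starts and ends outside the hunk.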
@@ -456,7 +454,7 @@
attr.va_gid;
#ifdef MAC
will_transition = mac_execve_will_transition(oldcred, imgp->vp,
- interplabelvalid ? &interplabel : NULL, imgp);
+ interplabel, imgp);
credential_changing |= will_transition;
#endif
@@ -506,7 +504,7 @@
#ifdef MAC
if (will_transition) {
mac_execve_transition(oldcred, newcred, imgp->vp,
- interplabelvalid ? &interplabel : NULL, imgp);
+ interplabel, imgp);
}
#endif
/*
@@ -658,8 +656,8 @@
/* sorry, no more process anymore. exit gracefully */
#ifdef MAC
mac_execve_exit(imgp);
- if (interplabelvalid)
- mac_destroy_vnode_label(&interplabel);
+ if (interplabel != NULL)
+ mac_vnode_label_free(interplabel);
#endif
exit1(td, W_EXITCODE(0, SIGABRT));
/* NOT REACHED */
@@ -668,8 +666,8 @@
done2:
#ifdef MAC
mac_execve_exit(imgp);
- if (interplabelvalid)
- mac_destroy_vnode_label(&interplabel);
+ if (interplabel != NULL)
+ mac_vnode_label_free(interplabel);
#endif
mtx_unlock(&Giant);
return (error);
==== //depot/projects/trustedbsd/sebsd/sys/kern/kern_mac.c#18 (text+ko) ====
@@ -643,7 +643,7 @@
__mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
{
struct ucred *newcred, *oldcred;
- struct label intlabel;
+ struct label *intlabel;
struct proc *p;
struct mac mac;
char *buffer;
@@ -664,13 +664,11 @@
return (error);
}
- mac_init_cred_label(&intlabel);
- error = mac_internalize_cred_label(&intlabel, buffer);
+ intlabel = mac_cred_label_alloc();
+ error = mac_internalize_cred_label(intlabel, buffer);
free(buffer, M_MACTEMP);
- if (error) {
- mac_destroy_cred_label(&intlabel);
- return (error);
- }
+ if (error)
+ goto out;
newcred = crget();
@@ -678,7 +676,7 @@
PROC_LOCK(p);
oldcred = p->p_ucred;
- error = mac_check_cred_relabel(oldcred, &intlabel);
+ error = mac_check_cred_relabel(oldcred, intlabel);
if (error) {
PROC_UNLOCK(p);
crfree(newcred);
@@ -687,7 +685,7 @@
setsugid(p);
crcopy(newcred, oldcred);
- mac_relabel_cred(newcred, &intlabel);
+ mac_relabel_cred(newcred, intlabel);
p->p_ucred = newcred;
/*
@@ -707,7 +705,7 @@
crfree(oldcred);
out:
- mac_destroy_cred_label(&intlabel);
+ mac_cred_label_free(intlabel);
return (error);
}
@@ -718,7 +716,7 @@
__mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap)
{
char *elements, *buffer;
- struct label intlabel;
+ struct label *intlabel;
struct file *fp;
struct mac mac;
struct vnode *vp;
@@ -753,20 +751,20 @@
case DTYPE_VNODE:
vp = fp->f_vnode;
- mac_init_vnode_label(&intlabel);
+ intlabel = mac_vnode_label_alloc();
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
- mac_copy_vnode_label(vp->v_label, &intlabel);
+ mac_copy_vnode_label(vp->v_label, intlabel);
VOP_UNLOCK(vp, 0, td);
break;
case DTYPE_PIPE:
pipe = fp->f_data;
- mac_init_pipe_label(&intlabel);
+ intlabel = mac_pipe_label_alloc();
PIPE_LOCK(pipe);
- mac_copy_pipe_label(pipe->pipe_label, &intlabel);
+ mac_copy_pipe_label(pipe->pipe_label, intlabel);
PIPE_UNLOCK(pipe);
break;
default:
@@ -780,14 +778,14 @@
case DTYPE_FIFO:
case DTYPE_VNODE:
if (error == 0)
- error = mac_externalize_vnode_label(&intlabel,
+ error = mac_externalize_vnode_label(intlabel,
elements, buffer, mac.m_buflen);
- mac_destroy_vnode_label(&intlabel);
+ mac_vnode_label_free(intlabel);
break;
case DTYPE_PIPE:
- error = mac_externalize_pipe_label(&intlabel, elements,
+ error = mac_externalize_pipe_label(intlabel, elements,
buffer, mac.m_buflen);
- mac_destroy_pipe_label(&intlabel);
+ mac_pipe_label_free(intlabel);
break;
default:
panic("__mac_get_fd: corrupted label_type");
@@ -812,7 +810,7 @@
{
char *elements, *buffer;
struct nameidata nd;
- struct label intlabel;
+ struct label *intlabel;
struct mac mac;
int error;
@@ -839,13 +837,13 @@
if (error)
goto out;
- mac_init_vnode_label(&intlabel);
- mac_copy_vnode_label(nd.ni_vp->v_label, &intlabel);
- error = mac_externalize_vnode_label(&intlabel, elements, buffer,
+ intlabel = mac_vnode_label_alloc();
+ mac_copy_vnode_label(nd.ni_vp->v_label, intlabel);
+ error = mac_externalize_vnode_label(intlabel, elements, buffer,
mac.m_buflen);
NDFREE(&nd, 0);
- mac_destroy_vnode_label(&intlabel);
+ mac_vnode_label_free(intlabel);
if (error == 0)
error = copyout(buffer, mac.m_string, strlen(buffer)+1);
@@ -867,7 +865,7 @@
{
char *elements, *buffer;
struct nameidata nd;
- struct label intlabel;
+ struct label *intlabel;
struct mac mac;
int error;
@@ -894,12 +892,12 @@
if (error)
goto out;
- mac_init_vnode_label(&intlabel);
- mac_copy_vnode_label(nd.ni_vp->v_label, &intlabel);
- error = mac_externalize_vnode_label(&intlabel, elements, buffer,
+ intlabel = mac_vnode_label_alloc();
+ mac_copy_vnode_label(nd.ni_vp->v_label, intlabel);
+ error = mac_externalize_vnode_label(intlabel, elements, buffer,
mac.m_buflen);
NDFREE(&nd, 0);
- mac_destroy_vnode_label(&intlabel);
+ mac_vnode_label_free(intlabel);
if (error == 0)
error = copyout(buffer, mac.m_string, strlen(buffer)+1);
@@ -974,7 +972,7 @@
int
__mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap)
{
- struct label intlabel;
+ struct label *intlabel;
struct pipe *pipe;
struct file *fp;
struct mount *mp;
@@ -1007,40 +1005,38 @@
switch (fp->f_type) {
case DTYPE_FIFO:
case DTYPE_VNODE:
- mac_init_vnode_label(&intlabel);
- error = mac_internalize_vnode_label(&intlabel, buffer);
+ intlabel = mac_vnode_label_alloc();
+ error = mac_internalize_vnode_label(intlabel, buffer);
if (error) {
- mac_destroy_vnode_label(&intlabel);
+ mac_vnode_label_free(intlabel);
break;
}
vp = fp->f_vnode;
error = vn_start_write(vp, &mp, V_WAIT | PCATCH);
if (error != 0) {
- mac_destroy_vnode_label(&intlabel);
+ mac_vnode_label_free(intlabel);
break;
}
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
- error = vn_setlabel(vp, &intlabel, td->td_ucred);
+ error = vn_setlabel(vp, intlabel, td->td_ucred);
VOP_UNLOCK(vp, 0, td);
vn_finished_write(mp);
-
- mac_destroy_vnode_label(&intlabel);
+ mac_vnode_label_free(intlabel);
break;
case DTYPE_PIPE:
- mac_init_pipe_label(&intlabel);
- error = mac_internalize_pipe_label(&intlabel, buffer);
+ intlabel = mac_pipe_label_alloc();
+ error = mac_internalize_pipe_label(intlabel, buffer);
if (error == 0) {
pipe = fp->f_data;
PIPE_LOCK(pipe);
error = mac_pipe_label_set(td->td_ucred, pipe,
- &intlabel);
+ intlabel);
PIPE_UNLOCK(pipe);
}
-
- mac_destroy_pipe_label(&intlabel);
+ mac_pipe_label_free(intlabel);
break;
default:
@@ -1062,7 +1058,7 @@
int
__mac_set_file(struct thread *td, struct __mac_set_file_args *uap)
{
- struct label intlabel;
+ struct label *intlabel;
struct nameidata nd;
struct mount *mp;
struct mac mac;
@@ -1084,13 +1080,11 @@
return (error);
}
- mac_init_vnode_label(&intlabel);
- error = mac_internalize_vnode_label(&intlabel, buffer);
+ intlabel = mac_vnode_label_alloc();
+ error = mac_internalize_vnode_label(intlabel, buffer);
free(buffer, M_MACTEMP);
- if (error) {
- mac_destroy_vnode_label(&intlabel);
- return (error);
- }
+ if (error)
+ goto out;
mtx_lock(&Giant); /* VFS */
@@ -1100,15 +1094,16 @@
if (error == 0) {
error = vn_start_write(nd.ni_vp, &mp, V_WAIT | PCATCH);
if (error == 0)
- error = vn_setlabel(nd.ni_vp, &intlabel,
+ error = vn_setlabel(nd.ni_vp, intlabel,
td->td_ucred);
vn_finished_write(mp);
}
NDFREE(&nd, 0);
mtx_unlock(&Giant); /* VFS */
- mac_destroy_vnode_label(&intlabel);
+out:
+ mac_vnode_label_free(intlabel);
return (error);
}
@@ -1118,7 +1113,7 @@
int
__mac_set_link(struct thread *td, struct __mac_set_link_args *uap)
{
- struct label intlabel;
+ struct label *intlabel;
struct nameidata nd;
struct mount *mp;
struct mac mac;
@@ -1140,13 +1135,11 @@
return (error);
}
- mac_init_vnode_label(&intlabel);
- error = mac_internalize_vnode_label(&intlabel, buffer);
+ intlabel = mac_vnode_label_alloc();
+ error = mac_internalize_vnode_label(intlabel, buffer);
free(buffer, M_MACTEMP);
- if (error) {
- mac_destroy_vnode_label(&intlabel);
- return (error);
- }
+ if (error)
+ goto out;
mtx_lock(&Giant); /* VFS */
@@ -1156,15 +1149,15 @@
if (error == 0) {
error = vn_start_write(nd.ni_vp, &mp, V_WAIT | PCATCH);
if (error == 0)
- error = vn_setlabel(nd.ni_vp, &intlabel,
+ error = vn_setlabel(nd.ni_vp, intlabel,
td->td_ucred);
vn_finished_write(mp);
}
NDFREE(&nd, 0);
mtx_unlock(&Giant); /* VFS */
- mac_destroy_vnode_label(&intlabel);
-
+out:
+ mac_vnode_label_free(intlabel);
return (error);
}
==== //depot/projects/trustedbsd/sebsd/sys/security/mac/mac_internal.h#7 (text+ko) ====
@@ -103,11 +103,12 @@
* the namespaces, etc, should work for these, so for now, sort by
* object type.
*/
+struct label *mac_pipe_label_alloc(void);
+void mac_pipe_label_free(struct label *label);
+
int mac_check_cred_relabel(struct ucred *cred, struct label *newlabel);
-void mac_destroy_cred_label(struct label *label);
int mac_externalize_cred_label(struct label *label, char *elements,
char *outbuf, size_t outbuflen);
-void mac_init_cred_label(struct label *label);
int mac_internalize_cred_label(struct label *label, char *string);
void mac_relabel_cred(struct ucred *cred, struct label *newlabel);
@@ -116,10 +117,8 @@
int mac_internalize_mount_label(struct label *label, char *string);
void mac_copy_pipe_label(struct label *src, struct label *dest);
-void mac_destroy_pipe_label(struct label *label);
int mac_externalize_pipe_label(struct label *label, char *elements,
char *outbuf, size_t outbuflen);
-void mac_init_pipe_label(struct label *label);
int mac_internalize_pipe_label(struct label *label, char *string);
int mac_externalize_vnode_label(struct label *label, char *elements,
==== //depot/projects/trustedbsd/sebsd/sys/security/mac/mac_net.c#4 (text+ko) ====
@@ -124,15 +124,6 @@
bpf_d->bd_label = mac_bpfdesc_label_alloc();
}
-static void
-mac_init_ifnet_label(struct label *label)
-{
-
- mac_init_label(label);
- MAC_PERFORM(init_ifnet_label, label);
- MAC_DEBUG_COUNTER_INC(&nmacifnets);
-}
-
static struct label *
mac_ifnet_label_alloc(void)
{
@@ -229,24 +220,6 @@
return (0);
}
-static int
-mac_init_socket_label(struct label *label, int flag)
-{
- int error;
-
- mac_init_label(label);
-
- MAC_CHECK(init_socket_label, label, flag);
- if (error) {
- MAC_PERFORM(destroy_socket_label, label);
- mac_destroy_label(label);
- } else {
- MAC_DEBUG_COUNTER_INC(&nmacsockets);
- }
-
- return (error);
-}
-
static struct label *
mac_socket_label_alloc(int flag)
{
@@ -320,15 +293,6 @@
}
static void
-mac_destroy_ifnet_label(struct label *label)
-{
-
- MAC_PERFORM(destroy_ifnet_label, label);
- mac_destroy_label(label);
- MAC_DEBUG_COUNTER_DEC(&nmacifnets);
-}
-
-static void
mac_ifnet_label_free(struct label *label)
{
@@ -372,15 +336,6 @@
}
static void
-mac_destroy_socket_label(struct label *label)
-{
-
- MAC_PERFORM(destroy_socket_label, label);
- mac_destroy_label(label);
- MAC_DEBUG_COUNTER_DEC(&nmacsockets);
-}
-
-static void
mac_socket_label_free(struct label *label)
{
@@ -891,7 +846,7 @@
mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr,
struct ifnet *ifnet)
{
- struct label intlabel;
+ struct label *intlabel;
struct mac mac;
char *buffer;
int error;
@@ -911,11 +866,11 @@
return (error);
}
- mac_init_ifnet_label(&intlabel);
- error = mac_internalize_ifnet_label(&intlabel, buffer);
+ intlabel = mac_ifnet_label_alloc();
+ error = mac_internalize_ifnet_label(intlabel, buffer);
free(buffer, M_MACTEMP);
if (error) {
- mac_destroy_ifnet_label(&intlabel);
+ mac_ifnet_label_free(intlabel);
return (error);
}
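Review bot: mac_ioctl_ifnet_set() now repeats `mac_ifnet_label_free(intlabel); return (error);` on every exit, here and three more times in the next hunk, whereas the kern_mac.c functions converted in this same change use a single `out:` label. Because the label is now a zone allocation rather than stack storage, a missed free on a future early return is a kernel memory leak, so the single-exit form is the safer style. Consider `if (error) goto out;` at each check with `out: mac_ifnet_label_free(intlabel); return (error);` at the end; the same applies to mac_setsockopt_label_set(). The function body starts outside this hunk and continues into the next one.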
@@ -926,20 +881,20 @@
*/
error = suser_cred(cred, 0);
if (error) {
- mac_destroy_ifnet_label(&intlabel);
+ mac_ifnet_label_free(intlabel);
return (error);
}
MAC_CHECK(check_ifnet_relabel, cred, ifnet, ifnet->if_label,
- &intlabel);
+ intlabel);
if (error) {
- mac_destroy_ifnet_label(&intlabel);
+ mac_ifnet_label_free(intlabel);
return (error);
}
- MAC_PERFORM(relabel_ifnet, cred, ifnet, ifnet->if_label, &intlabel);
+ MAC_PERFORM(relabel_ifnet, cred, ifnet, ifnet->if_label, intlabel);
- mac_destroy_ifnet_label(&intlabel);
+ mac_ifnet_label_free(intlabel);
return (0);
}
@@ -947,7 +902,7 @@
mac_setsockopt_label_set(struct ucred *cred, struct socket *so,
struct mac *mac)
{
- struct label intlabel;
+ struct label *intlabel;
char *buffer;
int error;
@@ -962,23 +917,23 @@
return (error);
}
- mac_init_socket_label(&intlabel, M_WAITOK);
- error = mac_internalize_socket_label(&intlabel, buffer);
+ intlabel = mac_socket_label_alloc(M_WAITOK);
+ error = mac_internalize_socket_label(intlabel, buffer);
free(buffer, M_MACTEMP);
if (error) {
- mac_destroy_socket_label(&intlabel);
+ mac_socket_label_free(intlabel);
return (error);
}
- mac_check_socket_relabel(cred, so, &intlabel);
+ mac_check_socket_relabel(cred, so, intlabel);
if (error) {
- mac_destroy_socket_label(&intlabel);
+ mac_socket_label_free(intlabel);
return (error);
}
- mac_relabel_socket(cred, so, &intlabel);
+ mac_relabel_socket(cred, so, intlabel);
- mac_destroy_socket_label(&intlabel);
+ mac_socket_label_free(intlabel);
return (0);
}
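Review bot: The result of mac_check_socket_relabel() is discarded on the changed line `mac_check_socket_relabel(cred, so, intlabel);`, so the `if (error)` after it only re-tests the value left by mac_internalize_socket_label(), which is already known to be zero at that point. A policy denial of the relabel would therefore not prevent mac_relabel_socket() from running. The old line had the same shape, but as the line is being touched it should become `error = mac_check_socket_relabel(cred, so, intlabel);`. The function's opening lines are in the previous hunk, so the declaration of `error` is only partly visible here.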
==== //depot/projects/trustedbsd/sebsd/sys/security/mac/mac_pipe.c#4 (text+ko) ====
@@ -61,16 +61,7 @@
&nmacpipes, 0, "number of pipes in use");
#endif
-void
-mac_init_pipe_label(struct label *label)
-{
-
- mac_init_label(label);
- MAC_PERFORM(init_pipe_label, label);
- MAC_DEBUG_COUNTER_INC(&nmacpipes);
-}
-
-static struct label *
+struct label *
mac_pipe_label_alloc(void)
{
struct label *label;
@@ -90,15 +81,6 @@
}
void
-mac_destroy_pipe_label(struct label *label)
-{
-
- MAC_PERFORM(destroy_pipe_label, label);
- mac_destroy_label(label);
- MAC_DEBUG_COUNTER_DEC(&nmacpipes);
-}
-
-static void
mac_pipe_label_free(struct label *label)
{
==== //depot/projects/trustedbsd/sebsd/sys/security/mac/mac_process.c#4 (text+ko) ====
@@ -96,16 +96,7 @@
static void mac_cred_mmapped_drop_perms_recurse(struct thread *td,
struct ucred *cred, struct vm_map *map);
-void
-mac_init_cred_label(struct label *label)
-{
-
- mac_init_label(label);
- MAC_PERFORM(init_cred_label, label);
- MAC_DEBUG_COUNTER_INC(&nmaccreds);
-}
-
-static struct label *
+struct label *
mac_cred_label_alloc(void)
{
struct label *label;
@@ -141,7 +132,7 @@
p->p_label = mac_proc_label_alloc();
}
-static void
+void
mac_cred_label_free(struct label *label)
{
@@ -151,15 +142,6 @@
}
void
-mac_destroy_cred_label(struct label *label)
-{
-
- MAC_PERFORM(destroy_cred_label, label);
- mac_destroy_label(label);
- MAC_DEBUG_COUNTER_DEC(&nmaccreds);
-}
-
-void
mac_destroy_cred(struct ucred *cred)
{
@@ -247,9 +229,9 @@
}
int
-mac_execve_enter(struct image_params *imgp, struct mac *mac_p,
- struct label *execlabelstorage)
+mac_execve_enter(struct image_params *imgp, struct mac *mac_p)
{
+ struct label *label;
struct mac mac;
char *buffer;
int error;
@@ -272,22 +254,24 @@
return (error);
}
- mac_init_cred_label(execlabelstorage);
- error = mac_internalize_cred_label(execlabelstorage, buffer);
+ label = mac_cred_label_alloc();
+ error = mac_internalize_cred_label(label, buffer);
free(buffer, M_MACTEMP);
if (error) {
- mac_destroy_cred_label(execlabelstorage);
+ mac_cred_label_free(label);
return (error);
}
- imgp->execlabel = execlabelstorage;
+ imgp->execlabel = label;
return (0);
}
void
mac_execve_exit(struct image_params *imgp)
{
- if (imgp->execlabel != NULL)
- mac_destroy_cred_label(imgp->execlabel);
+ if (imgp->execlabel != NULL) {
+ mac_cred_label_free(imgp->execlabel);
+ imgp->execlabel = NULL;
+ }
}
/*
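Review bot: Ownership of the exec label is now implicit in mac_execve_enter() and should be documented: the function allocates `label`, frees it itself on the internalize error path, and on success hands it to `imgp->execlabel`, where mac_execve_exit() is the only place that releases it. A comment above the assignment such as `/* imgp owns the label from here; released by mac_execve_exit(). */` would make that contract explicit. The early `return (error)` paths leave `imgp->execlabel` untouched, so mac_execve_exit() depends on the caller having initialised it to NULL; that initialisation is not visible in this change and is worth confirming, since kern_exec.c calls mac_execve_exit() on its exit paths. mac_execve_enter()'s body starts outside this hunk.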
==== //depot/projects/trustedbsd/sebsd/sys/security/mac/mac_vfs.c#6 (text+ko) ====
@@ -156,16 +156,7 @@
mp->mnt_fslabel = mac_mount_fs_label_alloc();
}
-void
-mac_init_vnode_label(struct label *label)
-{
-
- mac_init_label(label);
- MAC_PERFORM(init_vnode_label, label);
- MAC_DEBUG_COUNTER_INC(&nmacvnodes);
-}
-
-static struct label *
+struct label *
mac_vnode_label_alloc(void)
{
struct label *label;
@@ -237,15 +228,6 @@
}
void
-mac_destroy_vnode_label(struct label *label)
-{
-
- MAC_PERFORM(destroy_vnode_label, label);
- mac_destroy_label(label);
- MAC_DEBUG_COUNTER_DEC(&nmacvnodes);
-}
-
-static void
mac_vnode_label_free(struct label *label)
{
==== //depot/projects/trustedbsd/sebsd/sys/security/mac_biba/mac_biba.c#8 (text+ko) ====
==== //depot/projects/trustedbsd/sebsd/sys/sys/mac.h#11 (text+ko) ====
@@ -158,7 +158,6 @@
void mac_init_mount(struct mount *);
void mac_init_proc(struct proc *);
void mac_init_vnode(struct vnode *);
-void mac_init_vnode_label(struct label *);
void mac_init_mount_label(struct label *);
void mac_copy_mbuf_tag(struct m_tag *, struct m_tag *);
void mac_copy_vnode_label(struct label *, struct label *label);
@@ -180,9 +179,13 @@
void mac_destroy_mbuf_tag(struct m_tag *);
void mac_destroy_mount(struct mount *);
void mac_destroy_vnode(struct vnode *);
-void mac_destroy_vnode_label(struct label *);
void mac_destroy_mount_label(struct label *);
+struct label *mac_cred_label_alloc(void);
+void mac_cred_label_free(struct label *label);
+struct label *mac_vnode_label_alloc(void);
+void mac_vnode_label_free(struct label *label);
+
/*
* Labeling event operations: file system objects, and things that
* look a lot like file system objects.
@@ -264,8 +267,7 @@
* Labeling event operations: processes.
*/
void mac_create_cred(struct ucred *cred_parent, struct ucred *cred_child);
-int mac_execve_enter(struct image_params *imgp, struct mac *mac_p,
- struct label *execlabel);
+int mac_execve_enter(struct image_params *imgp, struct mac *mac_p);
void mac_execve_exit(struct image_params *imgp);
void mac_execve_transition(struct ucred *old, struct ucred *new,
struct vnode *vp, struct label *interpvnodelabel,