PERFORCE change 42812 for review

Robert Watson rwatson at FreeBSD.org
Thu Nov 20 19:44:20 GMT 2003 

http://perforce.freebsd.org/chv.cgi?CH=42812

Change 42812 by rwatson at rwatson_tislabs on 2003/11/20 11:43:33

	Rename mac_create_cred() to mac_cred_copy(), and rename
	mpo_create_cred() to mpo_cred_copy_label(), which better
	reflects the way credential labels are actually exposed
	to the MAC Framework.  Unlike other objects/subjects,
	credentials are rarely "created" -- crdup() copies a
	credential for later updates.  This slightly simplifies
	some of our policies by letting us reuse a generic label
	copy routine, rather than having a special-purpose
	credential copy routine.

Affected files ...

.. //depot/projects/trustedbsd/mac/sys/kern/kern_prot.c#38 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac/mac_process.c#11 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#238 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.c#80 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#192 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_partition/mac_partition.c#29 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_stub/mac_stub.c#16 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#125 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac.h#256 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#205 edit

Differences ...

==== //depot/projects/trustedbsd/mac/sys/kern/kern_prot.c#38 (text+ko) ====

@@ -1786,7 +1786,7 @@
 	if (jailed(dest))
 		prison_hold(dest->cr_prison);
 #ifdef MAC
-	mac_create_cred(src, dest);
+	mac_copy_cred(src, dest);
 #endif
 }
 

==== //depot/projects/trustedbsd/mac/sys/security/mac/mac_process.c#11 (text+ko) ====

@@ -222,10 +222,10 @@
  * deltas.  This function allows that processing to take place.
  */
 void
-mac_create_cred(struct ucred *parent_cred, struct ucred *child_cred)
+mac_copy_cred(struct ucred *src, struct ucred *dest)
 {
 
-	MAC_PERFORM(create_cred, parent_cred, child_cred);
+	MAC_PERFORM(copy_cred_label, src->cr_label, dest->cr_label);
 }
 
 int

==== //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#238 (text+ko) ====

@@ -1467,18 +1467,6 @@
  * Labeling event operations: processes.
  */
 static void
-mac_biba_create_cred(struct ucred *cred_parent, struct ucred *cred_child)
-{
-	struct mac_biba *source, *dest;
-
-	source = SLOT(cred_parent->cr_label);
-	dest = SLOT(cred_child->cr_label);
-
-	mac_biba_copy_single(source, dest);
-	mac_biba_copy_range(source, dest);
-}
-
-static void
 mac_biba_create_proc0(struct ucred *cred)
 {
 	struct mac_biba *dest;
@@ -3184,6 +3172,7 @@
 	.mpo_destroy_socket_label = mac_biba_destroy_label,
 	.mpo_destroy_socket_peer_label = mac_biba_destroy_label,
 	.mpo_destroy_vnode_label = mac_biba_destroy_label,
+	.mpo_copy_cred_label = mac_biba_copy_label,
 	.mpo_copy_mbuf_label = mac_biba_copy_label,
 	.mpo_copy_pipe_label = mac_biba_copy_label,
 	.mpo_copy_socket_label = mac_biba_copy_label,
@@ -3240,7 +3229,6 @@
 	.mpo_relabel_ifnet = mac_biba_relabel_ifnet,
 	.mpo_update_ipq = mac_biba_update_ipq,
 	.mpo_inpcb_sosetlabel = mac_biba_inpcb_sosetlabel,
-	.mpo_create_cred = mac_biba_create_cred,
 	.mpo_create_proc0 = mac_biba_create_proc0,
 	.mpo_create_proc1 = mac_biba_create_proc1,
 	.mpo_relabel_cred = mac_biba_relabel_cred,

==== //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.c#80 (text+ko) ====

@@ -1551,18 +1551,6 @@
  * Labeling event operations: processes.
  */
 static void
-mac_lomac_create_cred(struct ucred *cred_parent, struct ucred *cred_child)
-{
-	struct mac_lomac *source, *dest;
-
-	source = SLOT(cred_parent->cr_label);
-	dest = SLOT(cred_child->cr_label);
-
-	mac_lomac_copy_single(source, dest);
-	mac_lomac_copy_range(source, dest);
-}
-
-static void
 mac_lomac_execve_transition(struct ucred *old, struct ucred *new,
     struct vnode *vp, struct label *vnodelabel,
     struct label *interpvnodelabel, struct image_params *imgp,
@@ -3112,6 +3100,7 @@
 	.mpo_destroy_socket_label = mac_lomac_destroy_label,
 	.mpo_destroy_socket_peer_label = mac_lomac_destroy_label,
 	.mpo_destroy_vnode_label = mac_lomac_destroy_label,
+	.mpo_copy_cred_label = mac_lomac_copy_label,
 	.mpo_copy_mbuf_label = mac_lomac_copy_label,
 	.mpo_copy_pipe_label = mac_lomac_copy_label,
 	.mpo_copy_socket_label = mac_lomac_copy_label,
@@ -3171,7 +3160,6 @@
 	.mpo_relabel_ifnet = mac_lomac_relabel_ifnet,
 	.mpo_update_ipq = mac_lomac_update_ipq,
 	.mpo_inpcb_sosetlabel = mac_lomac_inpcb_sosetlabel,
-	.mpo_create_cred = mac_lomac_create_cred,
 	.mpo_execve_transition = mac_lomac_execve_transition,
 	.mpo_execve_will_transition = mac_lomac_execve_will_transition,
 	.mpo_create_proc0 = mac_lomac_create_proc0,

==== //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#192 (text+ko) ====

@@ -1406,18 +1406,6 @@
  * Labeling event operations: processes.
  */
 static void
-mac_mls_create_cred(struct ucred *cred_parent, struct ucred *cred_child)
-{
-	struct mac_mls *source, *dest;
-
-	source = SLOT(cred_parent->cr_label);
-	dest = SLOT(cred_child->cr_label);
-
-	mac_mls_copy_single(source, dest);
-	mac_mls_copy_range(source, dest);
-}
-
-static void
 mac_mls_create_proc0(struct ucred *cred)
 {
 	struct mac_mls *dest;
@@ -2961,6 +2949,7 @@
 	.mpo_destroy_socket_label = mac_mls_destroy_label,
 	.mpo_destroy_socket_peer_label = mac_mls_destroy_label,
 	.mpo_destroy_vnode_label = mac_mls_destroy_label,
+	.mpo_copy_cred_label = mac_mls_copy_label,
 	.mpo_copy_mbuf_label = mac_mls_copy_label,
 	.mpo_copy_pipe_label = mac_mls_copy_label,
 	.mpo_copy_socket_label = mac_mls_copy_label,
@@ -3017,7 +3006,6 @@
 	.mpo_relabel_ifnet = mac_mls_relabel_ifnet,
 	.mpo_update_ipq = mac_mls_update_ipq,
 	.mpo_inpcb_sosetlabel = mac_mls_inpcb_sosetlabel,
-	.mpo_create_cred = mac_mls_create_cred,
 	.mpo_create_proc0 = mac_mls_create_proc0,
 	.mpo_create_proc1 = mac_mls_create_proc1,
 	.mpo_relabel_cred = mac_mls_relabel_cred,

==== //depot/projects/trustedbsd/mac/sys/security/mac_partition/mac_partition.c#29 (text+ko) ====

@@ -101,6 +101,13 @@
 	SLOT(label) = 0;
 }
 
+static void
+mac_partition_copy_label(struct label *src, struct label *dest)
+{
+
+	SLOT(dest) = SLOT(src);
+}
+
 static int
 mac_partition_externalize_label(struct label *label, char *element_name,
     struct sbuf *sb, int *claimed)
@@ -131,13 +138,6 @@
 }
 
 static void
-mac_partition_create_cred(struct ucred *cred_parent, struct ucred *cred_child)
-{
-
-	SLOT(cred_child->cr_label) = SLOT(cred_parent->cr_label);
-}
-
-static void
 mac_partition_create_proc0(struct ucred *cred)
 {
 
@@ -271,9 +271,9 @@
 	.mpo_init = mac_partition_init,
 	.mpo_init_cred_label = mac_partition_init_label,
 	.mpo_destroy_cred_label = mac_partition_destroy_label,
+	.mpo_copy_cred_label = mac_partition_copy_label,
 	.mpo_externalize_cred_label = mac_partition_externalize_label,
 	.mpo_internalize_cred_label = mac_partition_internalize_label,
-	.mpo_create_cred = mac_partition_create_cred,
 	.mpo_create_proc0 = mac_partition_create_proc0,
 	.mpo_create_proc1 = mac_partition_create_proc1,
 	.mpo_relabel_cred = mac_partition_relabel_cred,

==== //depot/projects/trustedbsd/mac/sys/security/mac_stub/mac_stub.c#16 (text+ko) ====

@@ -490,12 +490,6 @@
  * Labeling event operations: processes.
  */
 static void
-stub_create_cred(struct ucred *cred_parent, struct ucred *cred_child)
-{
-
-}
-
-static void
 stub_execve_transition(struct ucred *old, struct ucred *new,
     struct vnode *vp, struct label *vnodelabel,
     struct label *interpvnodelabel, struct image_params *imgp,
@@ -1326,6 +1320,7 @@
 	.mpo_destroy_socket_label = stub_destroy_label,
 	.mpo_destroy_socket_peer_label = stub_destroy_label,
 	.mpo_destroy_vnode_label = stub_destroy_label,
+	.mpo_copy_cred_label = stub_copy_label,
 	.mpo_copy_mbuf_label = stub_copy_label,
 	.mpo_copy_pipe_label = stub_copy_label,
 	.mpo_copy_socket_label = stub_copy_label,
@@ -1386,7 +1381,6 @@
 	.mpo_update_ipq = stub_update_ipq,
 	.mpo_update_mbuf_from_cipso = stub_update_mbuf_from_cipso,
 	.mpo_inpcb_sosetlabel = stub_inpcb_sosetlabel,
-	.mpo_create_cred = stub_create_cred,
 	.mpo_execve_transition = stub_execve_transition,
 	.mpo_execve_will_transition = stub_execve_will_transition,
 	.mpo_create_proc0 = stub_create_proc0,

==== //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#125 (text+ko) ====

@@ -748,6 +748,14 @@
 }
 
 static void
+mac_test_copy_cred_label(struct label *src, struct label *dest)
+{
+
+	ASSERT_CRED_LABEL(src);
+	ASSERT_CRED_LABEL(dest);
+}
+
+static void
 mac_test_copy_mbuf_label(struct label *src, struct label *dest)
 {
 
@@ -1233,14 +1241,6 @@
  * Labeling event operations: processes.
  */
 static void
-mac_test_create_cred(struct ucred *cred_parent, struct ucred *cred_child)
-{
-
-	ASSERT_CRED_LABEL(cred_parent->cr_label);
-	ASSERT_CRED_LABEL(cred_child->cr_label);
-}
-
-static void
 mac_test_execve_transition(struct ucred *old, struct ucred *new,
     struct vnode *vp, struct label *filelabel,
     struct label *interpvnodelabel, struct image_params *imgp,
@@ -2325,6 +2325,7 @@
 	.mpo_destroy_socket_label = mac_test_destroy_socket_label,
 	.mpo_destroy_socket_peer_label = mac_test_destroy_socket_peer_label,
 	.mpo_destroy_vnode_label = mac_test_destroy_vnode_label,
+	.mpo_copy_cred_label = mac_test_copy_cred_label,
 	.mpo_copy_mbuf_label = mac_test_copy_mbuf_label,
 	.mpo_copy_pipe_label = mac_test_copy_pipe_label,
 	.mpo_copy_socket_label = mac_test_copy_socket_label,
@@ -2384,7 +2385,6 @@
 	.mpo_update_ipq = mac_test_update_ipq,
 	.mpo_update_mbuf_from_cipso = mac_test_update_mbuf_from_cipso,
 	.mpo_inpcb_sosetlabel = mac_test_inpcb_sosetlabel,
-	.mpo_create_cred = mac_test_create_cred,
 	.mpo_execve_transition = mac_test_execve_transition,
 	.mpo_execve_will_transition = mac_test_execve_will_transition,
 	.mpo_create_proc0 = mac_test_create_proc0,

==== //depot/projects/trustedbsd/mac/sys/sys/mac.h#256 (text+ko) ====

@@ -265,7 +265,7 @@
 /*
  * Labeling event operations: processes.
  */
-void	mac_create_cred(struct ucred *cred_parent, struct ucred *cred_child);
+void	mac_copy_cred(struct ucred *cr1, struct ucred *cr2);
 int	mac_execve_enter(struct image_params *imgp, struct mac *mac_p);
 void	mac_execve_exit(struct image_params *imgp);
 void	mac_execve_transition(struct ucred *old, struct ucred *new,

==== //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#205 (text+ko) ====

@@ -121,6 +121,8 @@
 	void    (*mpo_destroy_posix_ksem_label)(struct label *label);
 	void	(*mpo_destroy_proc_label)(struct label *label);
 	void	(*mpo_destroy_vnode_label)(struct label *label);
+	void	(*mpo_copy_cred_label)(struct label *src,
+		    struct label *dest);
 	void	(*mpo_copy_mbuf_label)(struct label *src,
 		    struct label *dest);
 	void	(*mpo_copy_pipe_label)(struct label *src,
@@ -299,8 +301,6 @@
 	/*
 	 * Labeling event operations: processes.
 	 */
-	void	(*mpo_create_cred)(struct ucred *parent_cred,
-		    struct ucred *child_cred);
 	void	(*mpo_execve_transition)(struct ucred *old, struct ucred *new,
 		    struct vnode *vp, struct label *vnodelabel,
 		    struct label *interpvnodelabel,
To Unsubscribe: send mail to majordomo at trustedbsd.org
with "unsubscribe trustedbsd-cvs" in the body of the message

More information about the trustedbsd-cvs mailing list