PERFORCE change 113353 for review
Todd Miller
millert at FreeBSD.org
Mon Jan 22 16:12:06 UTC 2007
http://perforce.freebsd.org/chv.cgi?CH=113353
Change 113353 by millert at millert_macbook on 2007/01/22 16:11:12
Change 2nd param to mac_execve_enter() from a label pointer
to an imgp. This means mac_execve_enter() must allocate
ip_execlabelp itself, moving some MAC-specific code into
mac_process.c where it belongs.
Affected files ...
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_exec.c#8 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_framework.h#36 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_process.c#14 edit
Differences ...
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_exec.c#8 (text+ko) ====
@@ -894,12 +894,9 @@
#ifdef MAC
if (uap->mac_p != USER_ADDR_NULL) {
- imgp->ip_execlabelp = mac_cred_label_alloc();
- error = mac_execve_enter(uap->mac_p, imgp->ip_execlabelp);
- if (error) {
- mac_cred_label_free(imgp->ip_execlabelp);
+ error = mac_execve_enter(uap->mac_p, imgp);
+ if (error)
return (error);
- }
}
#endif
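Review bot: The call site needs a comment stating the new ownership rule, because the error branch no longer frees anything and the allocation is no longer visible here. Something like `/* mac_execve_enter() allocates the exec label and stores it in imgp->ip_execlabelp on success */` above the call would do. Which later exit path of the exec routine releases that label is not visible in this hunk, so it is worth confirming that every failure return after this point frees it. The enclosing function starts and ends outside the hunk.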
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_framework.h#36 (text+ko) ====
@@ -130,7 +130,7 @@
void mac_devfs_label_init(struct devnode *de);
void mac_devfs_label_update(struct mount *mp, struct devnode *de,
struct vnode *vp);
-int mac_execve_enter(user_addr_t mac_p, struct label *execlabel);
+int mac_execve_enter(user_addr_t mac_p, struct image_params *imgp);
int mac_file_check_change_offset(struct ucred *cred, struct fileglob *fg);
int mac_file_check_create(struct ucred *cred);
int mac_file_check_dup(struct ucred *cred, struct fileglob *fg, int newfd);
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_process.c#14 (text+ko) ====
@@ -44,6 +44,7 @@
#include <sys/proc.h>
#include <sys/proc_internal.h>
#include <sys/kauth.h>
+#include <sys/imgact.h>
#include <security/mac_internal.h>
@@ -186,9 +187,10 @@
}
int
-mac_execve_enter(user_addr_t mac_p, struct label *execlabelstorage)
+mac_execve_enter(user_addr_t mac_p, struct image_params *imgp)
{
struct mac mac;
+ struct label *execlabel;
char *buffer;
int error;
size_t ulen;
@@ -204,15 +206,20 @@
if (error)
return (error);
+ execlabel = mac_cred_label_alloc();
MALLOC(buffer, char *, mac.m_buflen, M_MACTEMP, M_WAITOK);
error = copyinstr(CAST_USER_ADDR_T(mac.m_string), buffer, mac.m_buflen, &ulen);
+ if (error)
+ goto out;
+ AUDIT_ARG(mac_string, buffer);
+
+ error = mac_cred_label_internalize(execlabel, buffer);
+out:
if (error) {
- FREE(buffer, M_MACTEMP);
- return (error);
+ mac_cred_label_free(execlabel);
+ execlabel = NULL;
}
- AUDIT_ARG(mac_string, buffer);
-
- error = mac_cred_label_internalize(execlabelstorage, buffer);
+ imgp->ip_execlabelp = execlabel;
FREE(buffer, M_MACTEMP);
return (error);
}
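Review bot: The early `if (error) return (error);` at the top of this hunk returns without writing `imgp->ip_execlabelp`, while every path through `out:` sets it (to NULL on failure), so the caller, which no longer frees or clears the field itself, sees two different failure states. Unless imgp is known to arrive with the field NULL (not visible here), adding `imgp->ip_execlabelp = NULL;` before the first early return would make the failure contract uniform and keep a stale label pointer from being used or freed later in exec. The result of `mac_cred_label_alloc()` is also passed to `mac_cred_label_internalize()` unchecked; if that allocator can return NULL, a check such as `if (execlabel == NULL) return (ENOMEM);` placed before the MALLOC is needed. The function begins outside this hunk, so the validation of the user-supplied `mac.m_buflen` that should precede the MALLOC could not be reviewed.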