| mac_cred.c (182063) | mac_cred.c (184407) |
|---|---|
| 1/*- | 1/*- |
| 2 * Copyright (c) 1999-2002 Robert N. M. Watson | 2 * Copyright (c) 1999-2002, 2008 Robert N. M. Watson |
| 3 * Copyright (c) 2001 Ilmar S. Habibulin 4 * Copyright (c) 2001-2003 Networks Associates Technology, Inc. 5 * Copyright (c) 2005 Samy Al Bahra 6 * Copyright (c) 2006 SPARTA, Inc. 7 * Copyright (c) 2008 Apple Inc. 8 * All rights reserved. 9 * 10 * This software was developed by Robert Watson and Ilmar Habibulin for the --- 25 unchanged lines hidden (view full) --- 36 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 37 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 38 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 39 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 40 * SUCH DAMAGE. 41 */ 42 43#include <sys/cdefs.h> | 3 * Copyright (c) 2001 Ilmar S. Habibulin 4 * Copyright (c) 2001-2003 Networks Associates Technology, Inc. 5 * Copyright (c) 2005 Samy Al Bahra 6 * Copyright (c) 2006 SPARTA, Inc. 7 * Copyright (c) 2008 Apple Inc. 8 * All rights reserved. 9 * 10 * This software was developed by Robert Watson and Ilmar Habibulin for the --- 25 unchanged lines hidden (view full) --- 36 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 37 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 38 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 39 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 40 * SUCH DAMAGE. 41 */ 42 43#include <sys/cdefs.h> |
| 44__FBSDID("$FreeBSD: head/sys/security/mac/mac_process.c 182063 2008-08-23 15:26:36Z rwatson $"); | 44__FBSDID("$FreeBSD: head/sys/security/mac/mac_process.c 184407 2008-10-28 11:33:06Z rwatson $"); |
| 45 46#include "opt_mac.h" 47 48#include <sys/param.h> 49#include <sys/condvar.h> 50#include <sys/imgact.h> 51#include <sys/kernel.h> 52#include <sys/lock.h> --- 102 unchanged lines hidden (view full) --- 155{ 156 157 if (p->p_label != NULL) { 158 mac_proc_label_free(p->p_label); 159 p->p_label = NULL; 160 } 161} 162 | 45 46#include "opt_mac.h" 47 48#include <sys/param.h> 49#include <sys/condvar.h> 50#include <sys/imgact.h> 51#include <sys/kernel.h> 52#include <sys/lock.h> --- 102 unchanged lines hidden (view full) --- 155{ 156 157 if (p->p_label != NULL) { 158 mac_proc_label_free(p->p_label); 159 p->p_label = NULL; 160 } 161} 162 |
| 163int 164mac_cred_externalize_label(struct label *label, char *elements, 165 char *outbuf, size_t outbuflen) | 163/* 164 * When a thread becomes an NFS server daemon, its credential may need to be 165 * updated to reflect this so that policies can recognize when file system 166 * operations originate from the network. 167 * 168 * At some point, it would be desirable if the credential used for each NFS 169 * RPC could be set based on the RPC context (i.e., source system, etc) to 170 * provide more fine-grained access control. 171 */ 172void 173mac_cred_associate_nfsd(struct ucred *cred) |
| 166{ | 174{ |
| 167 int error; | |
| 168 | 175 |
| 169 MAC_EXTERNALIZE(cred, label, elements, outbuf, outbuflen); 170 171 return (error); | 176 MAC_PERFORM(cred_associate_nfsd, cred); |
| 172} 173 | 177} 178 |
| 174int 175mac_cred_internalize_label(struct label *label, char *string) 176{ 177 int error; 178 179 MAC_INTERNALIZE(cred, label, string); 180 181 return (error); 182} 183 | |
| 184/* 185 * Initialize MAC label for the first kernel process, from which other kernel 186 * processes and threads are spawned. 187 */ 188void | 179/* 180 * Initialize MAC label for the first kernel process, from which other kernel 181 * processes and threads are spawned. 182 */ 183void |
| 189mac_proc_create_swapper(struct ucred *cred) | 184mac_cred_create_swapper(struct ucred *cred) |
| 190{ 191 | 185{ 186 |
| 192 MAC_PERFORM(proc_create_swapper, cred); | 187 MAC_PERFORM(cred_create_swapper, cred); |
| 193} 194 195/* 196 * Initialize MAC label for the first userland process, from which other 197 * userland processes and threads are spawned. 198 */ 199void | 188} 189 190/* 191 * Initialize MAC label for the first userland process, from which other 192 * userland processes and threads are spawned. 193 */ 194void |
| 200mac_proc_create_init(struct ucred *cred) | 195mac_cred_create_init(struct ucred *cred) |
| 201{ 202 | 196{ 197 |
| 203 MAC_PERFORM(proc_create_init, cred); | 198 MAC_PERFORM(cred_create_init, cred); |
| 204} 205 | 199} 200 |
| 206/* 207 * When a thread becomes an NFS server daemon, its credential may need to be 208 * updated to reflect this so that policies can recognize when file system 209 * operations originate from the network. 210 * 211 * At some point, it would be desirable if the credential used for each NFS 212 * RPC could be set based on the RPC context (i.e., source system, etc) to 213 * provide more fine-grained access control. 214 */ 215void 216mac_proc_associate_nfsd(struct ucred *cred) | 201int 202mac_cred_externalize_label(struct label *label, char *elements, 203 char *outbuf, size_t outbuflen) |
| 217{ | 204{ |
| 205 int error; |
|
| 218 | 206 |
| 219 MAC_PERFORM(proc_associate_nfsd, cred); | 207 MAC_EXTERNALIZE(cred, label, elements, outbuf, outbuflen); 208 209 return (error); |
| 220} 221 | 210} 211 |
| 212int 213mac_cred_internalize_label(struct label *label, char *string) 214{ 215 int error; 216 217 MAC_INTERNALIZE(cred, label, string); 218 219 return (error); 220} 221 |
|
| 222void 223mac_thread_userret(struct thread *td) 224{ 225 226 MAC_PERFORM(thread_userret, td); 227} 228 229/* --- 438 unchanged lines hidden --- | 222void 223mac_thread_userret(struct thread *td) 224{ 225 226 MAC_PERFORM(thread_userret, td); 227} 228 229/* --- 438 unchanged lines hidden --- |