mac_framework.c (104521) | mac_framework.c (104522) |
---|---|
1/*- 2 * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson 3 * Copyright (c) 2001 Ilmar S. Habibulin 4 * Copyright (c) 2001, 2002 Networks Associates Technology, Inc. 5 * All rights reserved. 6 * 7 * This software was developed by Robert Watson and Ilmar Habibulin for the 8 * TrustedBSD Project. --- 22 unchanged lines hidden (view full) --- 31 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 32 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 33 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 34 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 35 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 36 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 37 * SUCH DAMAGE. 38 * | 1/*- 2 * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson 3 * Copyright (c) 2001 Ilmar S. Habibulin 4 * Copyright (c) 2001, 2002 Networks Associates Technology, Inc. 5 * All rights reserved. 6 * 7 * This software was developed by Robert Watson and Ilmar Habibulin for the 8 * TrustedBSD Project. --- 22 unchanged lines hidden (view full) --- 31 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 32 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 33 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 34 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 35 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 36 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 37 * SUCH DAMAGE. 38 * |
39 * $FreeBSD: head/sys/security/mac/mac_framework.c 104521 2002-10-05 16:54:59Z rwatson $ | 39 * $FreeBSD: head/sys/security/mac/mac_framework.c 104522 2002-10-05 16:57:16Z rwatson $ |
40 */ 41/* 42 * Developed by the TrustedBSD Project. 43 * 44 * Framework for extensible kernel access control. Kernel and userland 45 * interface to the framework, policy registration and composition. 46 */ 47 --- 1248 unchanged lines hidden (view full) --- 1296 1297 MAC_PERFORM(destroy_devfsdirent_label, &de->de_label); 1298 mac_destroy_label(&de->de_label); 1299#ifdef MAC_DEBUG 1300 atomic_subtract_int(&nmacdevfsdirents, 1); 1301#endif 1302} 1303 | 40 */ 41/* 42 * Developed by the TrustedBSD Project. 43 * 44 * Framework for extensible kernel access control. Kernel and userland 45 * interface to the framework, policy registration and composition. 46 */ 47 --- 1248 unchanged lines hidden (view full) --- 1296 1297 MAC_PERFORM(destroy_devfsdirent_label, &de->de_label); 1298 mac_destroy_label(&de->de_label); 1299#ifdef MAC_DEBUG 1300 atomic_subtract_int(&nmacdevfsdirents, 1); 1301#endif 1302} 1303 |
1304static int 1305mac_externalize(struct label *label, struct mac *mac) 1306{ 1307 int error; 1308 1309 mac_init_structmac(mac); 1310 MAC_CHECK(externalize, label, mac); 1311 1312 return (error); 1313} 1314 1315static int 1316mac_internalize(struct label *label, struct mac *mac) 1317{ 1318 int error; 1319 1320 mac_init_temp(label); 1321 MAC_CHECK(internalize, label, mac); 1322 if (error) 1323 mac_destroy_temp(label); 1324 1325 return (error); 1326} 1327 1328/* 1329 * Initialize MAC label for the first kernel process, from which other 1330 * kernel processes and threads are spawned. 1331 */ |
|
1304void | 1332void |
1333mac_create_proc0(struct ucred *cred) 1334{ 1335 1336 MAC_PERFORM(create_proc0, cred); 1337} 1338 1339/* 1340 * Initialize MAC label for the first userland process, from which other 1341 * userland processes and threads are spawned. 1342 */ 1343void 1344mac_create_proc1(struct ucred *cred) 1345{ 1346 1347 MAC_PERFORM(create_proc1, cred); 1348} 1349 1350void 1351mac_thread_userret(struct thread *td) 1352{ 1353 1354 MAC_PERFORM(thread_userret, td); 1355} 1356 1357/* 1358 * When a new process is created, its label must be initialized. Generally, 1359 * this involves inheritence from the parent process, modulo possible 1360 * deltas. This function allows that processing to take place. 1361 */ 1362void 1363mac_create_cred(struct ucred *parent_cred, struct ucred *child_cred) 1364{ 1365 1366 MAC_PERFORM(create_cred, parent_cred, child_cred); 1367} 1368 1369void |
|
1305mac_update_devfsdirent(struct devfs_dirent *de, struct vnode *vp) 1306{ 1307 1308 MAC_PERFORM(update_devfsdirent, de, &de->de_label, vp, &vp->v_label); 1309} 1310 1311void 1312mac_update_procfsvnode(struct vnode *vp, struct ucred *cred) --- 268 unchanged lines hidden (view full) --- 1581 return (error); 1582 1583 result = 0; 1584 MAC_BOOLEAN(execve_will_transition, ||, old, vp, &vp->v_label); 1585 1586 return (result); 1587} 1588 | 1370mac_update_devfsdirent(struct devfs_dirent *de, struct vnode *vp) 1371{ 1372 1373 MAC_PERFORM(update_devfsdirent, de, &de->de_label, vp, &vp->v_label); 1374} 1375 1376void 1377mac_update_procfsvnode(struct vnode *vp, struct ucred *cred) --- 268 unchanged lines hidden (view full) --- 1646 return (error); 1647 1648 result = 0; 1649 MAC_BOOLEAN(execve_will_transition, ||, old, vp, &vp->v_label); 1650 1651 return (result); 1652} 1653 |
1589static int 1590mac_externalize(struct label *label, struct mac *mac) 1591{ 1592 int error; 1593 1594 mac_init_structmac(mac); 1595 MAC_CHECK(externalize, label, mac); 1596 1597 return (error); 1598} 1599 1600static int 1601mac_internalize(struct label *label, struct mac *mac) 1602{ 1603 int error; 1604 1605 mac_init_temp(label); 1606 MAC_CHECK(internalize, label, mac); 1607 if (error) 1608 mac_destroy_temp(label); 1609 1610 return (error); 1611} 1612 1613/* 1614 * Initialize MAC label for the first kernel process, from which other 1615 * kernel processes and threads are spawned. 1616 */ 1617void 1618mac_create_proc0(struct ucred *cred) 1619{ 1620 1621 MAC_PERFORM(create_proc0, cred); 1622} 1623 1624/* 1625 * Initialize MAC label for the first userland process, from which other 1626 * userland processes and threads are spawned. 1627 */ 1628void 1629mac_create_proc1(struct ucred *cred) 1630{ 1631 1632 MAC_PERFORM(create_proc1, cred); 1633} 1634 1635void 1636mac_thread_userret(struct thread *td) 1637{ 1638 1639 MAC_PERFORM(thread_userret, td); 1640} 1641 1642/* 1643 * When a new process is created, its label must be initialized. Generally, 1644 * this involves inheritence from the parent process, modulo possible 1645 * deltas. This function allows that processing to take place. 1646 */ 1647void 1648mac_create_cred(struct ucred *parent_cred, struct ucred *child_cred) 1649{ 1650 1651 MAC_PERFORM(create_cred, parent_cred, child_cred); 1652} 1653 | |
1654int 1655mac_check_vnode_access(struct ucred *cred, struct vnode *vp, int flags) 1656{ 1657 int error; 1658 1659 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_access"); 1660 1661 if (!mac_enforce_fs) --- 1763 unchanged lines hidden --- | 1654int 1655mac_check_vnode_access(struct ucred *cred, struct vnode *vp, int flags) 1656{ 1657 int error; 1658 1659 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_access"); 1660 1661 if (!mac_enforce_fs) --- 1763 unchanged lines hidden --- |
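Review bot: The relocated `mac_externalize` and `mac_internalize` (new lines 1304–1326) carry no header comment, unlike `mac_create_proc0`, `mac_create_proc1` and `mac_create_cred` right after them, and their temp-label lifecycle is the part a reader needs spelled out. I would put above `mac_internalize`: `/* Populate a temporary label from the caller's struct mac; on error the temp label is torn down here, otherwise it is left for the caller to destroy. */` — the "caller destroys on success" half is inferred from the visible `if (error) mac_destroy_temp(label);` and should be confirmed against the callers, which are outside this hunk. Above `mac_externalize` a one-liner such as `/* Fill the caller-supplied struct mac from label; mac is (re)initialized here before the policies write to it. */` is enough, and `mac_thread_userret` could use a similar one-line purpose comment. While touching these comments, the existing `mac_create_cred` comment spells "inheritance" as "inheritence".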