Introduce support for Mandatory Access Control and extensible
kernel access control. Invoke the necessary MAC entry points to maintain labels on process credentials. In particular, invoke entry points for the initialization and destruction of struct ucred, the copying of struct ucred, and permit the initial labels to be set for both process 0 (parent of all kernel processes) and process 1 (parent of all user processes). Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
This commit is contained in:
Robert Watson
parent
47ac133d33
commit
4024496496
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=101001
@ -43,6 +43,7 @@
|
||||
*/
|
||||
|
||||
#include "opt_init_path.h"
|
||||
#include "opt_mac.h"
|
||||
|
||||
#include <sys/param.h>
|
||||
#include <sys/kernel.h>
|
||||
@ -50,6 +51,7 @@
|
||||
#include <sys/filedesc.h>
|
||||
#include <sys/ktr.h>
|
||||
#include <sys/lock.h>
|
||||
#include <sys/mac.h>
|
||||
#include <sys/mount.h>
|
||||
#include <sys/mutex.h>
|
||||
#include <sys/sysctl.h>
|
||||
@ -362,6 +364,9 @@ KASSERT((ke->ke_kgrlist.tqe_next != ke), ("linked to self!"));
|
||||
p->p_ucred->cr_uidinfo = uifind(0);
|
||||
p->p_ucred->cr_ruidinfo = uifind(0);
|
||||
p->p_ucred->cr_prison = NULL; /* Don't jail it. */
|
||||
#ifdef MAC
|
||||
mac_create_proc0(p->p_ucred);
|
||||
#endif
|
||||
td->td_ucred = crhold(p->p_ucred);
|
||||
|
||||
/* Create procsig. */
|
||||
@ -657,6 +662,9 @@ create_init(const void *udata __unused)
|
||||
initproc->p_flag |= P_SYSTEM;
|
||||
oldcred = initproc->p_ucred;
|
||||
crcopy(newcred, oldcred);
|
||||
#ifdef MAC
|
||||
mac_create_proc1(newcred);
|
||||
#endif
|
||||
initproc->p_ucred = newcred;
|
||||
PROC_UNLOCK(initproc);
|
||||
crfree(oldcred);
|
||||
|
||||
@ -45,6 +45,7 @@
|
||||
*/
|
||||
|
||||
#include "opt_compat.h"
|
||||
#include "opt_mac.h"
|
||||
|
||||
#include <sys/param.h>
|
||||
#include <sys/systm.h>
|
||||
@ -52,6 +53,7 @@
|
||||
#include <sys/kernel.h>
|
||||
#include <sys/lock.h>
|
||||
#include <sys/malloc.h>
|
||||
#include <sys/mac.h>
|
||||
#include <sys/mutex.h>
|
||||
#include <sys/sx.h>
|
||||
#include <sys/proc.h>
|
||||
@ -1670,6 +1672,9 @@ crget(void)
|
||||
MALLOC(cr, struct ucred *, sizeof(*cr), M_CRED, M_WAITOK | M_ZERO);
|
||||
cr->cr_ref = 1;
|
||||
cr->cr_mtxp = mtx_pool_find(cr);
|
||||
#ifdef MAC
|
||||
mac_init_cred(cr);
|
||||
#endif
|
||||
return (cr);
|
||||
}
|
||||
|
||||
@ -1714,6 +1719,9 @@ crfree(struct ucred *cr)
|
||||
*/
|
||||
if (jailed(cr))
|
||||
prison_free(cr->cr_prison);
|
||||
#ifdef MAC
|
||||
mac_destroy_cred(cr);
|
||||
#endif
|
||||
FREE(cr, M_CRED);
|
||||
mtx_unlock(&Giant);
|
||||
} else {
|
||||
@ -1750,6 +1758,9 @@ crcopy(struct ucred *dest, struct ucred *src)
|
||||
uihold(dest->cr_ruidinfo);
|
||||
if (jailed(dest))
|
||||
prison_hold(dest->cr_prison);
|
||||
#ifdef MAC
|
||||
mac_create_cred(src, dest);
|
||||
#endif
|
||||
}
|
||||
|
||||
/*
|
||||
|
||||
Loading…
Reference in New Issue
Block a user