From 56d9e932072f81ebaa7bb1bf5995a46813bc91c4 Mon Sep 17 00:00:00 2001
From: Robert Watson
Date: Sat, 6 Dec 2003 21:48:03 +0000
Subject: [PATCH] Rename mac_create_cred() MAC Framework entry point to mac_copy_cred(), and the mpo_create_cred() MAC policy entry point to mpo_copy_cred_label(). This is more consistent with similar entry points for creation and label copying, as mac_create_cred() was called from crdup() as opposed to during process creation. For a number of policies, this removes the requirement for special handling when copying credential labels, and improves consistency.

Approved by: re (scottl)
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
---
 sys/kern/kern_prot.c | 2 +-
 sys/security/mac/mac_framework.h | 2 +-
 sys/security/mac/mac_policy.h | 4 ++--
 sys/security/mac/mac_process.c | 4 ++--
 sys/security/mac_biba/mac_biba.c | 14 +-------------
 sys/security/mac_lomac/mac_lomac.c | 14 +-------------
 sys/security/mac_mls/mac_mls.c | 14 +-------------
 sys/security/mac_partition/mac_partition.c | 16 ++++++++--------
 sys/security/mac_stub/mac_stub.c | 8 +-------
 sys/security/mac_test/mac_test.c | 18 +++++++++---------
 sys/sys/mac.h | 2 +-
 sys/sys/mac_policy.h | 4 ++--
 12 files changed, 30 insertions(+), 72 deletions(-)

diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c
index 0f0fc40903a9..d6ecb3f971ab 100644
--- a/sys/kern/kern_prot.c
+++ b/sys/kern/kern_prot.c
@@ -1804,7 +1804,7 @@ crcopy(struct ucred *dest, struct ucred *src)
 if (jailed(dest))
 prison_hold(dest->cr_prison);
 #ifdef MAC
- mac_create_cred(src, dest);
+ mac_copy_cred(src, dest);
 #endif
 }
diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h
index 81dad5a37ad8..098a2bde828c 100644
--- a/sys/security/mac/mac_framework.h
+++ b/sys/security/mac/mac_framework.h
@@ -229,7 +229,7 @@ void mac_inpcb_sosetlabel(struct socket *so, struct inpcb *inp);
 /*
  * Labeling event operations: processes.
  */
-void mac_create_cred(struct ucred *cred_parent, struct ucred *cred_child);
+void mac_copy_cred(struct ucred *cr1, struct ucred *cr2);
 int mac_execve_enter(struct image_params *imgp, struct mac *mac_p);
 void mac_execve_exit(struct image_params *imgp);
 void mac_execve_transition(struct ucred *old, struct ucred *new,
diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h
index 518f883c3c12..be432535c7a8 100644
--- a/sys/security/mac/mac_policy.h
+++ b/sys/security/mac/mac_policy.h
@@ -111,6 +111,8 @@ struct mac_policy_ops {
 void (*mpo_destroy_pipe_label)(struct label *label);
 void (*mpo_destroy_proc_label)(struct label *label);
 void (*mpo_destroy_vnode_label)(struct label *label);
+ void (*mpo_copy_cred_label)(struct label *src,
+ struct label *dest);
 void (*mpo_copy_mbuf_label)(struct label *src,
 struct label *dest);
 void (*mpo_copy_pipe_label)(struct label *src,
@@ -264,8 +266,6 @@ struct mac_policy_ops {
 /*
  * Labeling event operations: processes.
  */
- void (*mpo_create_cred)(struct ucred *parent_cred,
- struct ucred *child_cred);
 void (*mpo_execve_transition)(struct ucred *old, struct ucred *new,
 struct vnode *vp, struct label *vnodelabel,
 struct label *interpvnodelabel,
diff --git a/sys/security/mac/mac_process.c b/sys/security/mac/mac_process.c
index 68d847dcfb4e..5c82e7c69112 100644
--- a/sys/security/mac/mac_process.c
+++ b/sys/security/mac/mac_process.c
@@ -222,10 +222,10 @@ mac_thread_userret(struct thread *td)
  * deltas. This function allows that processing to take place.
  */
 void
-mac_create_cred(struct ucred *parent_cred, struct ucred *child_cred)
+mac_copy_cred(struct ucred *src, struct ucred *dest)
 {
- MAC_PERFORM(create_cred, parent_cred, child_cred);
+ MAC_PERFORM(copy_cred_label, src->cr_label, dest->cr_label);
 }
 int
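Review bot: The new prototype names its parameters `cr1` and `cr2`, which no longer says which credential supplies the label and which one is overwritten, while the definition in mac_process.c in this same patch uses `src` and `dest`. A caller that swaps the arguments would silently copy a label in the wrong direction, so the header should carry the same directional names: `void mac_copy_cred(struct ucred *src, struct ucred *dest);`. A one-line comment above it noting that dest's label is overwritten from src (the crcopy() case) would also help, since the "Labeling event operations: processes" heading it sits under describes creation events rather than a copy.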
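Review bot: The comment block above the renamed mac_copy_cred still ends with `deltas. This function allows that processing to take place.`, which reads as the old create-on-fork description rather than a label copy; the start of that comment is above the hunk so I cannot see all of it, but it should be rewritten for the new semantics. Something like `Copy the MAC label of src into dest. Called from crcopy() when an existing credential is duplicated; policies hook this via mpo_copy_cred_label.` would do. It is also worth stating there that dest->cr_label must already have been initialized through the cred-label init path, since the policy copy handlers in this patch write into it unconditionally.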
diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c
index 9c9192fdb441..12392207664f 100644
--- a/sys/security/mac_biba/mac_biba.c
+++ b/sys/security/mac_biba/mac_biba.c
@@ -1327,18 +1327,6 @@ mac_biba_inpcb_sosetlabel(struct socket *so, struct label *solabel,
 /*
  * Labeling event operations: processes.
  */
-static void
-mac_biba_create_cred(struct ucred *cred_parent, struct ucred *cred_child)
-{
- struct mac_biba *source, *dest;
-
- source = SLOT(cred_parent->cr_label);
- dest = SLOT(cred_child->cr_label);
-
- mac_biba_copy_single(source, dest);
- mac_biba_copy_range(source, dest);
-}
-
 static void
 mac_biba_create_proc0(struct ucred *cred)
 {
@@ -2668,6 +2656,7 @@ static struct mac_policy_ops mac_biba_ops =
 .mpo_destroy_socket_label = mac_biba_destroy_label,
 .mpo_destroy_socket_peer_label = mac_biba_destroy_label,
 .mpo_destroy_vnode_label = mac_biba_destroy_label,
+ .mpo_copy_cred_label = mac_biba_copy_label,
 .mpo_copy_mbuf_label = mac_biba_copy_label,
 .mpo_copy_pipe_label = mac_biba_copy_label,
 .mpo_copy_socket_label = mac_biba_copy_label,
@@ -2719,7 +2708,6 @@ static struct mac_policy_ops mac_biba_ops =
 .mpo_relabel_ifnet = mac_biba_relabel_ifnet,
 .mpo_update_ipq = mac_biba_update_ipq,
 .mpo_inpcb_sosetlabel = mac_biba_inpcb_sosetlabel,
- .mpo_create_cred = mac_biba_create_cred,
 .mpo_create_proc0 = mac_biba_create_proc0,
 .mpo_create_proc1 = mac_biba_create_proc1,
 .mpo_relabel_cred = mac_biba_relabel_cred,
diff --git a/sys/security/mac_lomac/mac_lomac.c b/sys/security/mac_lomac/mac_lomac.c
index 52eeaa6cffc6..a8a4a988d32c 100644
--- a/sys/security/mac_lomac/mac_lomac.c
+++ b/sys/security/mac_lomac/mac_lomac.c
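Review bot: The ops table now routes credential copies through mac_biba_copy_label, whose body is outside this diff, whereas the deleted mac_biba_create_cred explicitly copied both the single level and the range. If mac_biba_copy_label only carries over the components that its other users (mbuf, pipe and socket labels) need, a credential duplicated by crcopy() would lose its range, and later range-bounded checks on that credential would run against an empty range. Please confirm it copies both components for credential labels; if it does, a short comment on the `.mpo_copy_cred_label = mac_biba_copy_label,` line noting that single and range are both carried over would make the equivalence with the removed code obvious.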
@@ -1467,18 +1467,6 @@ mac_lomac_inpcb_sosetlabel(struct socket *so, struct label *solabel,
 /*
  * Labeling event operations: processes.
  */
-static void
-mac_lomac_create_cred(struct ucred *cred_parent, struct ucred *cred_child)
-{
- struct mac_lomac *source, *dest;
-
- source = SLOT(cred_parent->cr_label);
- dest = SLOT(cred_child->cr_label);
-
- mac_lomac_copy_single(source, dest);
- mac_lomac_copy_range(source, dest);
-}
-
 static void
 mac_lomac_execve_transition(struct ucred *old, struct ucred *new,
 struct vnode *vp, struct label *vnodelabel,
@@ -2648,6 +2636,7 @@ static struct mac_policy_ops mac_lomac_ops =
 .mpo_destroy_socket_label = mac_lomac_destroy_label,
 .mpo_destroy_socket_peer_label = mac_lomac_destroy_label,
 .mpo_destroy_vnode_label = mac_lomac_destroy_label,
+ .mpo_copy_cred_label = mac_lomac_copy_label,
 .mpo_copy_mbuf_label = mac_lomac_copy_label,
 .mpo_copy_pipe_label = mac_lomac_copy_label,
 .mpo_copy_socket_label = mac_lomac_copy_label,
@@ -2702,7 +2691,6 @@ static struct mac_policy_ops mac_lomac_ops =
 .mpo_relabel_ifnet = mac_lomac_relabel_ifnet,
 .mpo_update_ipq = mac_lomac_update_ipq,
 .mpo_inpcb_sosetlabel = mac_lomac_inpcb_sosetlabel,
- .mpo_create_cred = mac_lomac_create_cred,
 .mpo_execve_transition = mac_lomac_execve_transition,
 .mpo_execve_will_transition = mac_lomac_execve_will_transition,
 .mpo_create_proc0 = mac_lomac_create_proc0,
diff --git a/sys/security/mac_mls/mac_mls.c b/sys/security/mac_mls/mac_mls.c
index e3c2ef4d0772..3a7346785fa7 100644
--- a/sys/security/mac_mls/mac_mls.c
+++ b/sys/security/mac_mls/mac_mls.c
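Review bot: Binding `.mpo_copy_cred_label = mac_lomac_copy_label,` replaces a handler that copied exactly the single and the range of the credential label with a generic helper defined outside this hunk, so the two are only equivalent if mac_lomac_copy_label copies both of those components (and nothing that should stay per-credential). For LOMAC the range on a credential is what the subject's later demotion and relabel decisions are bounded by, so a copy that dropped it would change behaviour for every crcopy()'d credential. I would either confirm that equivalence here or add a one-line comment at the binding saying which fields the helper carries over for credentials.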
@@ -1257,18 +1257,6 @@ mac_mls_inpcb_sosetlabel(struct socket *so, struct label *solabel,
 /*
  * Labeling event operations: processes.
  */
-static void
-mac_mls_create_cred(struct ucred *cred_parent, struct ucred *cred_child)
-{
- struct mac_mls *source, *dest;
-
- source = SLOT(cred_parent->cr_label);
- dest = SLOT(cred_child->cr_label);
-
- mac_mls_copy_single(source, dest);
- mac_mls_copy_range(source, dest);
-}
-
 static void
 mac_mls_create_proc0(struct ucred *cred)
 {
@@ -2440,6 +2428,7 @@ static struct mac_policy_ops mac_mls_ops =
 .mpo_destroy_socket_label = mac_mls_destroy_label,
 .mpo_destroy_socket_peer_label = mac_mls_destroy_label,
 .mpo_destroy_vnode_label = mac_mls_destroy_label,
+ .mpo_copy_cred_label = mac_mls_copy_label,
 .mpo_copy_mbuf_label = mac_mls_copy_label,
 .mpo_copy_pipe_label = mac_mls_copy_label,
 .mpo_copy_socket_label = mac_mls_copy_label,
@@ -2491,7 +2480,6 @@ static struct mac_policy_ops mac_mls_ops =
 .mpo_relabel_ifnet = mac_mls_relabel_ifnet,
 .mpo_update_ipq = mac_mls_update_ipq,
 .mpo_inpcb_sosetlabel = mac_mls_inpcb_sosetlabel,
- .mpo_create_cred = mac_mls_create_cred,
 .mpo_create_proc0 = mac_mls_create_proc0,
 .mpo_create_proc1 = mac_mls_create_proc1,
 .mpo_relabel_cred = mac_mls_relabel_cred,
diff --git a/sys/security/mac_partition/mac_partition.c b/sys/security/mac_partition/mac_partition.c
index 74df98c7c943..e8ee78ac3576 100644
--- a/sys/security/mac_partition/mac_partition.c
+++ b/sys/security/mac_partition/mac_partition.c
@@ -101,6 +101,13 @@ mac_partition_destroy_label(struct label *label)
 SLOT(label) = 0;
 }
+static void
+mac_partition_copy_label(struct label *src, struct label *dest)
+{
+
+ SLOT(dest) = SLOT(src);
+}
+
 static int
 mac_partition_externalize_label(struct label *label, char *element_name,
 struct sbuf *sb, int *claimed)
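Review bot: The removed mac_mls_create_cred copied the single and the range separately, and the new `.mpo_copy_cred_label = mac_mls_copy_label,` binding delegates to a helper whose definition is not in this diff, so the patch does not itself show that the range survives a credential copy. For MLS the credential range is what bounds what the subject may relabel itself to, so a copy helper written with single-only objects (mbufs, sockets) in mind would silently widen or narrow that bound after crcopy(). Please verify mac_mls_copy_label handles a label carrying both components, and consider a brief comment at the binding recording that it does.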
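Review bot: The new mac_partition_copy_label has no comment explaining why a single slot assignment is a complete label copy, so a reader has to work out from mac_partition_destroy_label (which resets the slot to 0) that a partition label is one value held in the slot. A one-line header such as `/* A partition label is a single value in the slot, so a copy is a plain assignment. */` above the function would document the contract. It would also be worth saying that dest is overwritten unconditionally, since that is the behaviour callers of the copy entry point rely on.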
@@ -130,13 +137,6 @@ mac_partition_internalize_label(struct label *label, char *element_name,
 return (0);
 }
-static void
-mac_partition_create_cred(struct ucred *cred_parent, struct ucred *cred_child)
-{
-
- SLOT(cred_child->cr_label) = SLOT(cred_parent->cr_label);
-}
-
 static void
 mac_partition_create_proc0(struct ucred *cred)
 {
@@ -271,9 +271,9 @@ static struct mac_policy_ops mac_partition_ops =
 .mpo_init = mac_partition_init,
 .mpo_init_cred_label = mac_partition_init_label,
 .mpo_destroy_cred_label = mac_partition_destroy_label,
+ .mpo_copy_cred_label = mac_partition_copy_label,
 .mpo_externalize_cred_label = mac_partition_externalize_label,
 .mpo_internalize_cred_label = mac_partition_internalize_label,
- .mpo_create_cred = mac_partition_create_cred,
 .mpo_create_proc0 = mac_partition_create_proc0,
 .mpo_create_proc1 = mac_partition_create_proc1,
 .mpo_relabel_cred = mac_partition_relabel_cred,
diff --git a/sys/security/mac_stub/mac_stub.c b/sys/security/mac_stub/mac_stub.c
index 1b6ad02beb6f..ccf3583301ad 100644
--- a/sys/security/mac_stub/mac_stub.c
+++ b/sys/security/mac_stub/mac_stub.c
@@ -438,12 +438,6 @@ stub_inpcb_sosetlabel(struct socket *so, struct label *solabel,
 /*
  * Labeling event operations: processes.
  */
-static void
-stub_create_cred(struct ucred *cred_parent, struct ucred *cred_child)
-{
-
-}
-
 static void
 stub_execve_transition(struct ucred *old, struct ucred *new,
 struct vnode *vp, struct label *vnodelabel,
@@ -1055,6 +1049,7 @@ static struct mac_policy_ops mac_stub_ops =
 .mpo_destroy_socket_label = stub_destroy_label,
 .mpo_destroy_socket_peer_label = stub_destroy_label,
 .mpo_destroy_vnode_label = stub_destroy_label,
+ .mpo_copy_cred_label = stub_copy_label,
 .mpo_copy_mbuf_label = stub_copy_label,
 .mpo_copy_pipe_label = stub_copy_label,
 .mpo_copy_socket_label = stub_copy_label,
@@ -1109,7 +1104,6 @@ static struct mac_policy_ops mac_stub_ops =
 .mpo_relabel_ifnet = stub_relabel_ifnet,
 .mpo_update_ipq = stub_update_ipq,
 .mpo_inpcb_sosetlabel = stub_inpcb_sosetlabel,
- .mpo_create_cred = stub_create_cred,
 .mpo_execve_transition = stub_execve_transition,
 .mpo_execve_will_transition = stub_execve_will_transition,
 .mpo_create_proc0 = stub_create_proc0,
diff --git a/sys/security/mac_test/mac_test.c b/sys/security/mac_test/mac_test.c
index 847c9e9044a5..ef8c5b3126ba 100644
--- a/sys/security/mac_test/mac_test.c
+++ b/sys/security/mac_test/mac_test.c
@@ -590,6 +590,14 @@ mac_test_destroy_vnode_label(struct label *label)
 }
 }
+static void
+mac_test_copy_cred_label(struct label *src, struct label *dest)
+{
+
+ ASSERT_CRED_LABEL(src);
+ ASSERT_CRED_LABEL(dest);
+}
+
 static void
 mac_test_copy_mbuf_label(struct label *src, struct label *dest)
 {
@@ -1020,14 +1028,6 @@ mac_test_inpcb_sosetlabel(struct socket *so, struct label *solabel,
 /*
  * Labeling event operations: processes.
  */
-static void
-mac_test_create_cred(struct ucred *cred_parent, struct ucred *cred_child)
-{
-
- ASSERT_CRED_LABEL(cred_parent->cr_label);
- ASSERT_CRED_LABEL(cred_child->cr_label);
-}
-
 static void
 mac_test_execve_transition(struct ucred *old, struct ucred *new,
 struct vnode *vp, struct label *filelabel,
@@ -1879,6 +1879,7 @@ static struct mac_policy_ops mac_test_ops =
 .mpo_destroy_socket_label = mac_test_destroy_socket_label,
 .mpo_destroy_socket_peer_label = mac_test_destroy_socket_peer_label,
 .mpo_destroy_vnode_label = mac_test_destroy_vnode_label,
+ .mpo_copy_cred_label = mac_test_copy_cred_label,
 .mpo_copy_mbuf_label = mac_test_copy_mbuf_label,
 .mpo_copy_pipe_label = mac_test_copy_pipe_label,
 .mpo_copy_socket_label = mac_test_copy_socket_label,
@@ -1932,7 +1933,6 @@ static struct mac_policy_ops mac_test_ops =
 .mpo_relabel_ifnet = mac_test_relabel_ifnet,
 .mpo_update_ipq = mac_test_update_ipq,
 .mpo_inpcb_sosetlabel = mac_test_inpcb_sosetlabel,
- .mpo_create_cred = mac_test_create_cred,
 .mpo_execve_transition = mac_test_execve_transition,
 .mpo_execve_will_transition = mac_test_execve_will_transition,
 .mpo_create_proc0 = mac_test_create_proc0,
diff --git a/sys/sys/mac.h b/sys/sys/mac.h
index 81dad5a37ad8..098a2bde828c 100644
--- a/sys/sys/mac.h
+++ b/sys/sys/mac.h
@@ -229,7 +229,7 @@ void mac_inpcb_sosetlabel(struct socket *so, struct inpcb *inp);
 /*
  * Labeling event operations: processes.
  */
-void mac_create_cred(struct ucred *cred_parent, struct ucred *cred_child);
+void mac_copy_cred(struct ucred *cr1, struct ucred *cr2);
 int mac_execve_enter(struct image_params *imgp, struct mac *mac_p);
 void mac_execve_exit(struct image_params *imgp);
 void mac_execve_transition(struct ucred *old, struct ucred *new,
diff --git a/sys/sys/mac_policy.h b/sys/sys/mac_policy.h
index 518f883c3c12..be432535c7a8 100644
--- a/sys/sys/mac_policy.h
+++ b/sys/sys/mac_policy.h
@@ -111,6 +111,8 @@ struct mac_policy_ops {
 void (*mpo_destroy_pipe_label)(struct label *label);
 void (*mpo_destroy_proc_label)(struct label *label);
 void (*mpo_destroy_vnode_label)(struct label *label);
+ void (*mpo_copy_cred_label)(struct label *src,
+ struct label *dest);
 void (*mpo_copy_mbuf_label)(struct label *src,
 struct label *dest);
 void (*mpo_copy_pipe_label)(struct label *src,
@@ -264,8 +266,6 @@ struct mac_policy_ops {
 /*
  * Labeling event operations: processes.
  */
- void (*mpo_create_cred)(struct ucred *parent_cred,
- struct ucred *child_cred);
 void (*mpo_execve_transition)(struct ucred *old, struct ucred *new,
 struct vnode *vp, struct label *vnodelabel,
 struct label *interpvnodelabel,