Rename mac_create_cred() MAC Framework entry point to mac_copy_cred(),

and the mpo_create_cred() MAC policy entry point to
mpo_copy_cred_label().  This is more consistent with similar entry
points for creation and label copying, as mac_create_cred() was
called from crdup() as opposed to during process creation.  For
a number of policies, this removes the requirement for special
handling when copying credential labels, and improves consistency.

Approved by:	re (scottl)
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories

sys/kern/kern_prot.c

@@ -1804,7 +1804,7 @@ crcopy(struct ucred *dest, struct ucred *src)
 	if (jailed(dest))
 		prison_hold(dest->cr_prison);
 #ifdef MAC
-	mac_create_cred(src, dest);
+	mac_copy_cred(src, dest);
 #endif
 }
 

sys/security/mac/mac_framework.h

@@ -229,7 +229,7 @@ void	mac_inpcb_sosetlabel(struct socket *so, struct inpcb *inp);
 /*
  * Labeling event operations: processes.
  */
-void	mac_create_cred(struct ucred *cred_parent, struct ucred *cred_child);
+void	mac_copy_cred(struct ucred *cr1, struct ucred *cr2);
 int	mac_execve_enter(struct image_params *imgp, struct mac *mac_p);
 void	mac_execve_exit(struct image_params *imgp);
 void	mac_execve_transition(struct ucred *old, struct ucred *new,

sys/security/mac/mac_policy.h

@@ -111,6 +111,8 @@ struct mac_policy_ops {
 	void	(*mpo_destroy_pipe_label)(struct label *label);
 	void	(*mpo_destroy_proc_label)(struct label *label);
 	void	(*mpo_destroy_vnode_label)(struct label *label);
+	void	(*mpo_copy_cred_label)(struct label *src,
+		    struct label *dest);
 	void	(*mpo_copy_mbuf_label)(struct label *src,
 		    struct label *dest);
 	void	(*mpo_copy_pipe_label)(struct label *src,
@@ -264,8 +266,6 @@ struct mac_policy_ops {
 	/*
 	 * Labeling event operations: processes.
 	 */
-	void	(*mpo_create_cred)(struct ucred *parent_cred,
-		    struct ucred *child_cred);
 	void	(*mpo_execve_transition)(struct ucred *old, struct ucred *new,
 		    struct vnode *vp, struct label *vnodelabel,
 		    struct label *interpvnodelabel,

sys/security/mac/mac_process.c

@@ -222,10 +222,10 @@ mac_thread_userret(struct thread *td)
  * deltas.  This function allows that processing to take place.
  */
 void
-mac_create_cred(struct ucred *parent_cred, struct ucred *child_cred)
+mac_copy_cred(struct ucred *src, struct ucred *dest)
 {
 
-	MAC_PERFORM(create_cred, parent_cred, child_cred);
+	MAC_PERFORM(copy_cred_label, src->cr_label, dest->cr_label);
 }
 
 int

sys/security/mac_biba/mac_biba.c

@@ -1327,18 +1327,6 @@ mac_biba_inpcb_sosetlabel(struct socket *so, struct label *solabel,
 /*
  * Labeling event operations: processes.
  */
-static void
-mac_biba_create_cred(struct ucred *cred_parent, struct ucred *cred_child)
-{
-	struct mac_biba *source, *dest;
-
-	source = SLOT(cred_parent->cr_label);
-	dest = SLOT(cred_child->cr_label);
-
-	mac_biba_copy_single(source, dest);
-	mac_biba_copy_range(source, dest);
-}
-
 static void
 mac_biba_create_proc0(struct ucred *cred)
 {
@@ -2668,6 +2656,7 @@ static struct mac_policy_ops mac_biba_ops =
 	.mpo_destroy_socket_label = mac_biba_destroy_label,
 	.mpo_destroy_socket_peer_label = mac_biba_destroy_label,
 	.mpo_destroy_vnode_label = mac_biba_destroy_label,
+	.mpo_copy_cred_label = mac_biba_copy_label,
 	.mpo_copy_mbuf_label = mac_biba_copy_label,
 	.mpo_copy_pipe_label = mac_biba_copy_label,
 	.mpo_copy_socket_label = mac_biba_copy_label,
@@ -2719,7 +2708,6 @@ static struct mac_policy_ops mac_biba_ops =
 	.mpo_relabel_ifnet = mac_biba_relabel_ifnet,
 	.mpo_update_ipq = mac_biba_update_ipq,
 	.mpo_inpcb_sosetlabel = mac_biba_inpcb_sosetlabel,
-	.mpo_create_cred = mac_biba_create_cred,
 	.mpo_create_proc0 = mac_biba_create_proc0,
 	.mpo_create_proc1 = mac_biba_create_proc1,
 	.mpo_relabel_cred = mac_biba_relabel_cred,

sys/security/mac_lomac/mac_lomac.c

@@ -1467,18 +1467,6 @@ mac_lomac_inpcb_sosetlabel(struct socket *so, struct label *solabel,
 /*
  * Labeling event operations: processes.
  */
-static void
-mac_lomac_create_cred(struct ucred *cred_parent, struct ucred *cred_child)
-{
-	struct mac_lomac *source, *dest;
-
-	source = SLOT(cred_parent->cr_label);
-	dest = SLOT(cred_child->cr_label);
-
-	mac_lomac_copy_single(source, dest);
-	mac_lomac_copy_range(source, dest);
-}
-
 static void
 mac_lomac_execve_transition(struct ucred *old, struct ucred *new,
     struct vnode *vp, struct label *vnodelabel,
@@ -2648,6 +2636,7 @@ static struct mac_policy_ops mac_lomac_ops =
 	.mpo_destroy_socket_label = mac_lomac_destroy_label,
 	.mpo_destroy_socket_peer_label = mac_lomac_destroy_label,
 	.mpo_destroy_vnode_label = mac_lomac_destroy_label,
+	.mpo_copy_cred_label = mac_lomac_copy_label,
 	.mpo_copy_mbuf_label = mac_lomac_copy_label,
 	.mpo_copy_pipe_label = mac_lomac_copy_label,
 	.mpo_copy_socket_label = mac_lomac_copy_label,
@@ -2702,7 +2691,6 @@ static struct mac_policy_ops mac_lomac_ops =
 	.mpo_relabel_ifnet = mac_lomac_relabel_ifnet,
 	.mpo_update_ipq = mac_lomac_update_ipq,
 	.mpo_inpcb_sosetlabel = mac_lomac_inpcb_sosetlabel,
-	.mpo_create_cred = mac_lomac_create_cred,
 	.mpo_execve_transition = mac_lomac_execve_transition,
 	.mpo_execve_will_transition = mac_lomac_execve_will_transition,
 	.mpo_create_proc0 = mac_lomac_create_proc0,

sys/security/mac_mls/mac_mls.c

@@ -1257,18 +1257,6 @@ mac_mls_inpcb_sosetlabel(struct socket *so, struct label *solabel,
 /*
  * Labeling event operations: processes.
  */
-static void
-mac_mls_create_cred(struct ucred *cred_parent, struct ucred *cred_child)
-{
-	struct mac_mls *source, *dest;
-
-	source = SLOT(cred_parent->cr_label);
-	dest = SLOT(cred_child->cr_label);
-
-	mac_mls_copy_single(source, dest);
-	mac_mls_copy_range(source, dest);
-}
-
 static void
 mac_mls_create_proc0(struct ucred *cred)
 {
@@ -2440,6 +2428,7 @@ static struct mac_policy_ops mac_mls_ops =
 	.mpo_destroy_socket_label = mac_mls_destroy_label,
 	.mpo_destroy_socket_peer_label = mac_mls_destroy_label,
 	.mpo_destroy_vnode_label = mac_mls_destroy_label,
+	.mpo_copy_cred_label = mac_mls_copy_label,
 	.mpo_copy_mbuf_label = mac_mls_copy_label,
 	.mpo_copy_pipe_label = mac_mls_copy_label,
 	.mpo_copy_socket_label = mac_mls_copy_label,
@@ -2491,7 +2480,6 @@ static struct mac_policy_ops mac_mls_ops =
 	.mpo_relabel_ifnet = mac_mls_relabel_ifnet,
 	.mpo_update_ipq = mac_mls_update_ipq,
 	.mpo_inpcb_sosetlabel = mac_mls_inpcb_sosetlabel,
-	.mpo_create_cred = mac_mls_create_cred,
 	.mpo_create_proc0 = mac_mls_create_proc0,
 	.mpo_create_proc1 = mac_mls_create_proc1,
 	.mpo_relabel_cred = mac_mls_relabel_cred,

sys/security/mac_partition/mac_partition.c

@@ -101,6 +101,13 @@ mac_partition_destroy_label(struct label *label)
 	SLOT(label) = 0;
 }
 
+static void
+mac_partition_copy_label(struct label *src, struct label *dest)
+{
+
+	SLOT(dest) = SLOT(src);
+}
+
 static int
 mac_partition_externalize_label(struct label *label, char *element_name,
     struct sbuf *sb, int *claimed)
@@ -130,13 +137,6 @@ mac_partition_internalize_label(struct label *label, char *element_name,
 	return (0);
 }
 
-static void
-mac_partition_create_cred(struct ucred *cred_parent, struct ucred *cred_child)
-{
-
-	SLOT(cred_child->cr_label) = SLOT(cred_parent->cr_label);
-}
-
 static void
 mac_partition_create_proc0(struct ucred *cred)
 {
@@ -271,9 +271,9 @@ static struct mac_policy_ops mac_partition_ops =
 	.mpo_init = mac_partition_init,
 	.mpo_init_cred_label = mac_partition_init_label,
 	.mpo_destroy_cred_label = mac_partition_destroy_label,
+	.mpo_copy_cred_label = mac_partition_copy_label,
 	.mpo_externalize_cred_label = mac_partition_externalize_label,
 	.mpo_internalize_cred_label = mac_partition_internalize_label,
-	.mpo_create_cred = mac_partition_create_cred,
 	.mpo_create_proc0 = mac_partition_create_proc0,
 	.mpo_create_proc1 = mac_partition_create_proc1,
 	.mpo_relabel_cred = mac_partition_relabel_cred,

sys/security/mac_stub/mac_stub.c

@@ -438,12 +438,6 @@ stub_inpcb_sosetlabel(struct socket *so, struct label *solabel,
 /*
  * Labeling event operations: processes.
  */
-static void
-stub_create_cred(struct ucred *cred_parent, struct ucred *cred_child)
-{
-
-}
-
 static void
 stub_execve_transition(struct ucred *old, struct ucred *new,
     struct vnode *vp, struct label *vnodelabel,
@@ -1055,6 +1049,7 @@ static struct mac_policy_ops mac_stub_ops =
 	.mpo_destroy_socket_label = stub_destroy_label,
 	.mpo_destroy_socket_peer_label = stub_destroy_label,
 	.mpo_destroy_vnode_label = stub_destroy_label,
+	.mpo_copy_cred_label = stub_copy_label,
 	.mpo_copy_mbuf_label = stub_copy_label,
 	.mpo_copy_pipe_label = stub_copy_label,
 	.mpo_copy_socket_label = stub_copy_label,
@@ -1109,7 +1104,6 @@ static struct mac_policy_ops mac_stub_ops =
 	.mpo_relabel_ifnet = stub_relabel_ifnet,
 	.mpo_update_ipq = stub_update_ipq,
 	.mpo_inpcb_sosetlabel = stub_inpcb_sosetlabel,
-	.mpo_create_cred = stub_create_cred,
 	.mpo_execve_transition = stub_execve_transition,
 	.mpo_execve_will_transition = stub_execve_will_transition,
 	.mpo_create_proc0 = stub_create_proc0,

sys/security/mac_test/mac_test.c

@@ -590,6 +590,14 @@ mac_test_destroy_vnode_label(struct label *label)
 	}
 }
 
+static void
+mac_test_copy_cred_label(struct label *src, struct label *dest)
+{
+
+	ASSERT_CRED_LABEL(src);
+	ASSERT_CRED_LABEL(dest);
+}
+
 static void
 mac_test_copy_mbuf_label(struct label *src, struct label *dest)
 {
@@ -1020,14 +1028,6 @@ mac_test_inpcb_sosetlabel(struct socket *so, struct label *solabel,
 /*
  * Labeling event operations: processes.
  */
-static void
-mac_test_create_cred(struct ucred *cred_parent, struct ucred *cred_child)
-{
-
-	ASSERT_CRED_LABEL(cred_parent->cr_label);
-	ASSERT_CRED_LABEL(cred_child->cr_label);
-}
-
 static void
 mac_test_execve_transition(struct ucred *old, struct ucred *new,
     struct vnode *vp, struct label *filelabel,
@@ -1879,6 +1879,7 @@ static struct mac_policy_ops mac_test_ops =
 	.mpo_destroy_socket_label = mac_test_destroy_socket_label,
 	.mpo_destroy_socket_peer_label = mac_test_destroy_socket_peer_label,
 	.mpo_destroy_vnode_label = mac_test_destroy_vnode_label,
+	.mpo_copy_cred_label = mac_test_copy_cred_label,
 	.mpo_copy_mbuf_label = mac_test_copy_mbuf_label,
 	.mpo_copy_pipe_label = mac_test_copy_pipe_label,
 	.mpo_copy_socket_label = mac_test_copy_socket_label,
@@ -1932,7 +1933,6 @@ static struct mac_policy_ops mac_test_ops =
 	.mpo_relabel_ifnet = mac_test_relabel_ifnet,
 	.mpo_update_ipq = mac_test_update_ipq,
 	.mpo_inpcb_sosetlabel = mac_test_inpcb_sosetlabel,
-	.mpo_create_cred = mac_test_create_cred,
 	.mpo_execve_transition = mac_test_execve_transition,
 	.mpo_execve_will_transition = mac_test_execve_will_transition,
 	.mpo_create_proc0 = mac_test_create_proc0,

sys/sys/mac.h

@@ -229,7 +229,7 @@ void	mac_inpcb_sosetlabel(struct socket *so, struct inpcb *inp);
 /*
  * Labeling event operations: processes.
  */
-void	mac_create_cred(struct ucred *cred_parent, struct ucred *cred_child);
+void	mac_copy_cred(struct ucred *cr1, struct ucred *cr2);
 int	mac_execve_enter(struct image_params *imgp, struct mac *mac_p);
 void	mac_execve_exit(struct image_params *imgp);
 void	mac_execve_transition(struct ucred *old, struct ucred *new,

sys/sys/mac_policy.h

@@ -111,6 +111,8 @@ struct mac_policy_ops {
 	void	(*mpo_destroy_pipe_label)(struct label *label);
 	void	(*mpo_destroy_proc_label)(struct label *label);
 	void	(*mpo_destroy_vnode_label)(struct label *label);
+	void	(*mpo_copy_cred_label)(struct label *src,
+		    struct label *dest);
 	void	(*mpo_copy_mbuf_label)(struct label *src,
 		    struct label *dest);
 	void	(*mpo_copy_pipe_label)(struct label *src,
@@ -264,8 +266,6 @@ struct mac_policy_ops {
 	/*
 	 * Labeling event operations: processes.
 	 */
-	void	(*mpo_create_cred)(struct ucred *parent_cred,
-		    struct ucred *child_cred);
 	void	(*mpo_execve_transition)(struct ucred *old, struct ucred *new,
 		    struct vnode *vp, struct label *vnodelabel,
 		    struct label *interpvnodelabel,