Improve the consistency of MAC Framework and MAC policy entry point

naming by renaming certain "proc" entry points to "cred" entry points,
reflecting their manipulation of credentials.  For some entry points,
the process was passed into the framework but not into policies; in
these cases, stop passing in the process since we don't need it.

  mac_proc_check_setaudit -> mac_cred_check_setaudit
  mac_proc_check_setaudit_addr -> mac_cred_check_setaudit_addr
  mac_proc_check_setauid -> mac_cred_check_setauid
  mac_proc_check_setegid -> mac_cred_check_setegid
  mac_proc_check_seteuid -> mac_cred_check_seteuid
  mac_proc_check_setgid -> mac_cred_check_setgid
  mac_proc_check_setgroups -> mac_cred_ceck_setgroups
  mac_proc_check_setregid -> mac_cred_check_setregid
  mac_proc_check_setresgid -> mac_cred_check_setresgid
  mac_proc_check_setresuid -> mac_cred_check_setresuid
  mac_proc_check_setreuid -> mac_cred_check_setreuid
  mac_proc_check_setuid -> mac_cred_check_setuid

Obtained from:	TrustedBSD Project
Sponsored by:	Google, Inc.
This commit is contained in:
Robert Watson 2009-03-08 10:58:37 +00:00
parent 75fd0939b4
commit 6f6174a762
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=189529
10 changed files with 463 additions and 476 deletions

View File

@ -489,7 +489,7 @@ setuid(struct thread *td, struct setuid_args *uap)
oldcred = p->p_ucred;
#ifdef MAC
error = mac_proc_check_setuid(p, oldcred, uid);
error = mac_cred_check_setuid(oldcred, uid);
if (error)
goto fail;
#endif
@ -601,7 +601,7 @@ seteuid(struct thread *td, struct seteuid_args *uap)
oldcred = p->p_ucred;
#ifdef MAC
error = mac_proc_check_seteuid(p, oldcred, euid);
error = mac_cred_check_seteuid(oldcred, euid);
if (error)
goto fail;
#endif
@ -654,7 +654,7 @@ setgid(struct thread *td, struct setgid_args *uap)
oldcred = p->p_ucred;
#ifdef MAC
error = mac_proc_check_setgid(p, oldcred, gid);
error = mac_cred_check_setgid(oldcred, gid);
if (error)
goto fail;
#endif
@ -753,7 +753,7 @@ setegid(struct thread *td, struct setegid_args *uap)
oldcred = p->p_ucred;
#ifdef MAC
error = mac_proc_check_setegid(p, oldcred, egid);
error = mac_cred_check_setegid(oldcred, egid);
if (error)
goto fail;
#endif
@ -815,7 +815,7 @@ kern_setgroups(struct thread *td, u_int ngrp, gid_t *groups)
oldcred = p->p_ucred;
#ifdef MAC
error = mac_proc_check_setgroups(p, oldcred, ngrp, groups);
error = mac_cred_check_setgroups(oldcred, ngrp, groups);
if (error)
goto fail;
#endif
@ -880,7 +880,7 @@ setreuid(register struct thread *td, struct setreuid_args *uap)
oldcred = p->p_ucred;
#ifdef MAC
error = mac_proc_check_setreuid(p, oldcred, ruid, euid);
error = mac_cred_check_setreuid(oldcred, ruid, euid);
if (error)
goto fail;
#endif
@ -945,7 +945,7 @@ setregid(register struct thread *td, struct setregid_args *uap)
oldcred = p->p_ucred;
#ifdef MAC
error = mac_proc_check_setregid(p, oldcred, rgid, egid);
error = mac_cred_check_setregid(oldcred, rgid, egid);
if (error)
goto fail;
#endif
@ -1016,7 +1016,7 @@ setresuid(register struct thread *td, struct setresuid_args *uap)
oldcred = p->p_ucred;
#ifdef MAC
error = mac_proc_check_setresuid(p, oldcred, ruid, euid, suid);
error = mac_cred_check_setresuid(oldcred, ruid, euid, suid);
if (error)
goto fail;
#endif
@ -1093,7 +1093,7 @@ setresgid(register struct thread *td, struct setresgid_args *uap)
oldcred = p->p_ucred;
#ifdef MAC
error = mac_proc_check_setresgid(p, oldcred, rgid, egid, sgid);
error = mac_cred_check_setresgid(oldcred, rgid, egid, sgid);
if (error)
goto fail;
#endif

View File

@ -474,7 +474,7 @@ setauid(struct thread *td, struct setauid_args *uap)
oldcred = td->td_proc->p_ucred;
crcopy(newcred, oldcred);
#ifdef MAC
error = mac_proc_check_setauid(oldcred, id);
error = mac_cred_check_setauid(oldcred, id);
if (error)
goto fail;
#endif
@ -539,7 +539,7 @@ setaudit(struct thread *td, struct setaudit_args *uap)
oldcred = td->td_proc->p_ucred;
crcopy(newcred, oldcred);
#ifdef MAC
error = mac_proc_check_setaudit(oldcred, &ai);
error = mac_cred_check_setaudit(oldcred, &ai);
if (error)
goto fail;
#endif
@ -602,7 +602,7 @@ setaudit_addr(struct thread *td, struct setaudit_addr_args *uap)
oldcred = td->td_proc->p_ucred;
crcopy(newcred, oldcred);
#ifdef MAC
error = mac_proc_check_setaudit_addr(oldcred, &aia);
error = mac_cred_check_setaudit_addr(oldcred, &aia);
if (error)
goto fail;
#endif

View File

@ -58,43 +58,43 @@ __FBSDID("$FreeBSD$");
#include <security/mac/mac_internal.h>
#include <security/mac/mac_policy.h>
MAC_CHECK_PROBE_DEFINE2(proc_check_setaudit, "struct ucred *",
MAC_CHECK_PROBE_DEFINE2(cred_check_setaudit, "struct ucred *",
"struct auditinfo *");
int
mac_proc_check_setaudit(struct ucred *cred, struct auditinfo *ai)
mac_cred_check_setaudit(struct ucred *cred, struct auditinfo *ai)
{
int error;
MAC_CHECK(proc_check_setaudit, cred, ai);
MAC_CHECK_PROBE2(proc_check_setaudit, error, cred, ai);
MAC_CHECK(cred_check_setaudit, cred, ai);
MAC_CHECK_PROBE2(cred_check_setaudit, error, cred, ai);
return (error);
}
MAC_CHECK_PROBE_DEFINE2(proc_check_setaudit_addr, "struct ucred *",
MAC_CHECK_PROBE_DEFINE2(cred_check_setaudit_addr, "struct ucred *",
"struct auditinfo_addr *");
int
mac_proc_check_setaudit_addr(struct ucred *cred, struct auditinfo_addr *aia)
mac_cred_check_setaudit_addr(struct ucred *cred, struct auditinfo_addr *aia)
{
int error;
MAC_CHECK(proc_check_setaudit_addr, cred, aia);
MAC_CHECK_PROBE2(proc_check_setaudit_addr, error, cred, aia);
MAC_CHECK(cred_check_setaudit_addr, cred, aia);
MAC_CHECK_PROBE2(cred_check_setaudit_addr, error, cred, aia);
return (error);
}
MAC_CHECK_PROBE_DEFINE2(proc_check_setauid, "struct ucred *", "uid_t");
MAC_CHECK_PROBE_DEFINE2(cred_check_setauid, "struct ucred *", "uid_t");
int
mac_proc_check_setauid(struct ucred *cred, uid_t auid)
mac_cred_check_setauid(struct ucred *cred, uid_t auid)
{
int error;
MAC_CHECK(proc_check_setauid, cred, auid);
MAC_CHECK_PROBE2(proc_check_setauid, error, cred, auid);
MAC_CHECK(cred_check_setauid, cred, auid);
MAC_CHECK_PROBE2(cred_check_setauid, error, cred, auid);
return (error);
}

View File

@ -211,6 +211,132 @@ mac_cred_check_relabel(struct ucred *cred, struct label *newlabel)
return (error);
}
MAC_CHECK_PROBE_DEFINE2(cred_check_setuid, "struct ucred *", "uid_t");
int
mac_cred_check_setuid(struct ucred *cred, uid_t uid)
{
int error;
MAC_CHECK(cred_check_setuid, cred, uid);
MAC_CHECK_PROBE2(cred_check_setuid, error, cred, uid);
return (error);
}
MAC_CHECK_PROBE_DEFINE2(cred_check_seteuid, "struct ucred *", "uid_t");
int
mac_cred_check_seteuid(struct ucred *cred, uid_t euid)
{
int error;
MAC_CHECK(cred_check_seteuid, cred, euid);
MAC_CHECK_PROBE2(cred_check_seteuid, error, cred, euid);
return (error);
}
MAC_CHECK_PROBE_DEFINE2(cred_check_setgid, "struct ucred *", "gid_t");
int
mac_cred_check_setgid(struct ucred *cred, gid_t gid)
{
int error;
MAC_CHECK(cred_check_setgid, cred, gid);
MAC_CHECK_PROBE2(cred_check_setgid, error, cred, gid);
return (error);
}
MAC_CHECK_PROBE_DEFINE2(cred_check_setegid, "struct ucred *", "gid_t");
int
mac_cred_check_setegid(struct ucred *cred, gid_t egid)
{
int error;
MAC_CHECK(cred_check_setegid, cred, egid);
MAC_CHECK_PROBE2(cred_check_setegid, error, cred, egid);
return (error);
}
MAC_CHECK_PROBE_DEFINE3(cred_check_setgroups, "struct ucred *", "int",
"gid_t *");
int
mac_cred_check_setgroups(struct ucred *cred, int ngroups, gid_t *gidset)
{
int error;
MAC_CHECK(cred_check_setgroups, cred, ngroups, gidset);
MAC_CHECK_PROBE3(cred_check_setgroups, error, cred, ngroups, gidset);
return (error);
}
MAC_CHECK_PROBE_DEFINE3(cred_check_setreuid, "struct ucred *", "uid_t",
"uid_t");
int
mac_cred_check_setreuid(struct ucred *cred, uid_t ruid, uid_t euid)
{
int error;
MAC_CHECK(cred_check_setreuid, cred, ruid, euid);
MAC_CHECK_PROBE3(cred_check_setreuid, error, cred, ruid, euid);
return (error);
}
MAC_CHECK_PROBE_DEFINE3(cred_check_setregid, "struct ucred *", "gid_t",
"gid_t");
int
mac_cred_check_setregid(struct ucred *cred, gid_t rgid, gid_t egid)
{
int error;
MAC_CHECK(cred_check_setregid, cred, rgid, egid);
MAC_CHECK_PROBE3(cred_check_setregid, error, cred, rgid, egid);
return (error);
}
MAC_CHECK_PROBE_DEFINE4(cred_check_setresuid, "struct ucred *", "uid_t",
"uid_t", "uid_t");
int
mac_cred_check_setresuid(struct ucred *cred, uid_t ruid, uid_t euid,
uid_t suid)
{
int error;
MAC_CHECK(cred_check_setresuid, cred, ruid, euid, suid);
MAC_CHECK_PROBE4(cred_check_setresuid, error, cred, ruid, euid,
suid);
return (error);
}
MAC_CHECK_PROBE_DEFINE4(cred_check_setresgid, "struct ucred *", "gid_t",
"gid_t", "gid_t");
int
mac_cred_check_setresgid(struct ucred *cred, gid_t rgid, gid_t egid,
gid_t sgid)
{
int error;
MAC_CHECK(cred_check_setresgid, cred, rgid, egid, sgid);
MAC_CHECK_PROBE4(cred_check_setresgid, error, cred, rgid, egid,
sgid);
return (error);
}
MAC_CHECK_PROBE_DEFINE2(cred_check_visible, "struct ucred *",
"struct ucred *");

View File

@ -17,6 +17,9 @@
* This software was enhanced by SPARTA ISSO under SPAWAR contract
* N66001-04-C-6019 ("SEFOS").
*
* This software was developed at the University of Cambridge Computer
* Laboratory with support from a grant from Google, Inc.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:

View File

@ -1,5 +1,5 @@
/*-
* Copyright (c) 1999-2002, 2007-2008 Robert N. M. Watson
* Copyright (c) 1999-2002, 2007-2009 Robert N. M. Watson
* Copyright (c) 2001-2005 Networks Associates Technology, Inc.
* Copyright (c) 2005-2006 SPARTA, Inc.
* All rights reserved.
@ -14,6 +14,9 @@
* This software was enhanced by SPARTA ISSO under SPAWAR contract
* N66001-04-C-6019 ("SEFOS").
*
* This software was developed at the University of Cambridge Computer
* Laboratory with support from a grant from Google, Inc.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@ -105,6 +108,22 @@ void mac_bpfdesc_destroy(struct bpf_d *);
void mac_bpfdesc_init(struct bpf_d *);
void mac_cred_associate_nfsd(struct ucred *cred);
int mac_cred_check_setaudit(struct ucred *cred, struct auditinfo *ai);
int mac_cred_check_setaudit_addr(struct ucred *cred,
struct auditinfo_addr *aia);
int mac_cred_check_setauid(struct ucred *cred, uid_t auid);
int mac_cred_check_setegid(struct ucred *cred, gid_t egid);
int mac_cred_check_seteuid(struct ucred *cred, uid_t euid);
int mac_cred_check_setgid(struct ucred *cred, gid_t gid);
int mac_cred_check_setgroups(struct ucred *cred, int ngroups,
gid_t *gidset);
int mac_cred_check_setregid(struct ucred *cred, gid_t rgid, gid_t egid);
int mac_cred_check_setresgid(struct ucred *cred, gid_t rgid, gid_t egid,
gid_t sgid);
int mac_cred_check_setresuid(struct ucred *cred, uid_t ruid, uid_t euid,
uid_t suid);
int mac_cred_check_setreuid(struct ucred *cred, uid_t ruid, uid_t euid);
int mac_cred_check_setuid(struct ucred *cred, uid_t uid);
int mac_cred_check_visible(struct ucred *cr1, struct ucred *cr2);
void mac_cred_copy(struct ucred *cr1, struct ucred *cr2);
void mac_cred_create_init(struct ucred *cred);
@ -233,28 +252,6 @@ int mac_priv_grant(struct ucred *cred, int priv);
int mac_proc_check_debug(struct ucred *cred, struct proc *p);
int mac_proc_check_sched(struct ucred *cred, struct proc *p);
int mac_proc_check_setaudit(struct ucred *cred, struct auditinfo *ai);
int mac_proc_check_setaudit_addr(struct ucred *cred,
struct auditinfo_addr *aia);
int mac_proc_check_setauid(struct ucred *cred, uid_t auid);
int mac_proc_check_setegid(struct proc *p, struct ucred *cred,
gid_t egid);
int mac_proc_check_seteuid(struct proc *p, struct ucred *cred,
uid_t euid);
int mac_proc_check_setgid(struct proc *p, struct ucred *cred,
gid_t gid);
int mac_proc_check_setgroups(struct proc *p, struct ucred *cred,
int ngroups, gid_t *gidset);
int mac_proc_check_setregid(struct proc *p, struct ucred *cred,
gid_t rgid, gid_t egid);
int mac_proc_check_setresgid(struct proc *p, struct ucred *cred,
gid_t rgid, gid_t egid, gid_t sgid);
int mac_proc_check_setresuid(struct proc *p, struct ucred *cred,
uid_t ruid, uid_t euid, uid_t suid);
int mac_proc_check_setreuid(struct proc *p, struct ucred *cred,
uid_t ruid, uid_t euid);
int mac_proc_check_setuid(struct proc *p, struct ucred *cred,
uid_t uid);
int mac_proc_check_signal(struct ucred *cred, struct proc *p,
int signum);
int mac_proc_check_wait(struct ucred *cred, struct proc *p);

View File

@ -1,5 +1,5 @@
/*-
* Copyright (c) 1999-2002, 2007-2008 Robert N. M. Watson
* Copyright (c) 1999-2002, 2007-2009 Robert N. M. Watson
* Copyright (c) 2001-2005 Networks Associates Technology, Inc.
* Copyright (c) 2005-2006 SPARTA, Inc.
* Copyright (c) 2008 Apple Inc.
@ -15,6 +15,9 @@
* This software was enhanced by SPARTA ISSO under SPAWAR contract
* N66001-04-C-6019 ("SEFOS").
*
* This software was developed at the University of Cambridge Computer
* Laboratory with support from a grant from Google, Inc.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@ -132,6 +135,25 @@ typedef void (*mpo_bpfdesc_init_label_t)(struct label *label);
typedef void (*mpo_cred_associate_nfsd_t)(struct ucred *cred);
typedef int (*mpo_cred_check_relabel_t)(struct ucred *cred,
struct label *newlabel);
typedef int (*mpo_cred_check_setaudit_t)(struct ucred *cred,
struct auditinfo *ai);
typedef int (*mpo_cred_check_setaudit_addr_t)(struct ucred *cred,
struct auditinfo_addr *aia);
typedef int (*mpo_cred_check_setauid_t)(struct ucred *cred, uid_t auid);
typedef int (*mpo_cred_check_setegid_t)(struct ucred *cred, gid_t egid);
typedef int (*mpo_cred_check_seteuid_t)(struct ucred *cred, uid_t euid);
typedef int (*mpo_cred_check_setgid_t)(struct ucred *cred, gid_t gid);
typedef int (*mpo_cred_check_setgroups_t)(struct ucred *cred, int ngroups,
gid_t *gidset);
typedef int (*mpo_cred_check_setregid_t)(struct ucred *cred, gid_t rgid,
gid_t egid);
typedef int (*mpo_cred_check_setresgid_t)(struct ucred *cred, gid_t rgid,
gid_t egid, gid_t sgid);
typedef int (*mpo_cred_check_setresuid_t)(struct ucred *cred, uid_t ruid,
uid_t euid, uid_t suid);
typedef int (*mpo_cred_check_setreuid_t)(struct ucred *cred, uid_t ruid,
uid_t euid);
typedef int (*mpo_cred_check_setuid_t)(struct ucred *cred, uid_t uid);
typedef int (*mpo_cred_check_visible_t)(struct ucred *cr1,
struct ucred *cr2);
typedef void (*mpo_cred_copy_label_t)(struct label *src,
@ -353,25 +375,6 @@ typedef int (*mpo_proc_check_debug_t)(struct ucred *cred,
struct proc *p);
typedef int (*mpo_proc_check_sched_t)(struct ucred *cred,
struct proc *p);
typedef int (*mpo_proc_check_setaudit_t)(struct ucred *cred,
struct auditinfo *ai);
typedef int (*mpo_proc_check_setaudit_addr_t)(struct ucred *cred,
struct auditinfo_addr *aia);
typedef int (*mpo_proc_check_setauid_t)(struct ucred *cred, uid_t auid);
typedef int (*mpo_proc_check_setegid_t)(struct ucred *cred, gid_t egid);
typedef int (*mpo_proc_check_seteuid_t)(struct ucred *cred, uid_t euid);
typedef int (*mpo_proc_check_setgid_t)(struct ucred *cred, gid_t gid);
typedef int (*mpo_proc_check_setgroups_t)(struct ucred *cred, int ngroups,
gid_t *gidset);
typedef int (*mpo_proc_check_setregid_t)(struct ucred *cred, gid_t rgid,
gid_t egid);
typedef int (*mpo_proc_check_setresgid_t)(struct ucred *cred, gid_t rgid,
gid_t egid, gid_t sgid);
typedef int (*mpo_proc_check_setresuid_t)(struct ucred *cred, uid_t ruid,
uid_t euid, uid_t suid);
typedef int (*mpo_proc_check_setreuid_t)(struct ucred *cred, uid_t ruid,
uid_t euid);
typedef int (*mpo_proc_check_setuid_t)(struct ucred *cred, uid_t uid);
typedef int (*mpo_proc_check_signal_t)(struct ucred *cred,
struct proc *proc, int signum);
typedef int (*mpo_proc_check_wait_t)(struct ucred *cred,
@ -679,6 +682,18 @@ struct mac_policy_ops {
mpo_cred_associate_nfsd_t mpo_cred_associate_nfsd;
mpo_cred_check_relabel_t mpo_cred_check_relabel;
mpo_cred_check_setaudit_t mpo_cred_check_setaudit;
mpo_cred_check_setaudit_addr_t mpo_cred_check_setaudit_addr;
mpo_cred_check_setauid_t mpo_cred_check_setauid;
mpo_cred_check_setuid_t mpo_cred_check_setuid;
mpo_cred_check_seteuid_t mpo_cred_check_seteuid;
mpo_cred_check_setgid_t mpo_cred_check_setgid;
mpo_cred_check_setegid_t mpo_cred_check_setegid;
mpo_cred_check_setgroups_t mpo_cred_check_setgroups;
mpo_cred_check_setreuid_t mpo_cred_check_setreuid;
mpo_cred_check_setregid_t mpo_cred_check_setregid;
mpo_cred_check_setresuid_t mpo_cred_check_setresuid;
mpo_cred_check_setresgid_t mpo_cred_check_setresgid;
mpo_cred_check_visible_t mpo_cred_check_visible;
mpo_cred_copy_label_t mpo_cred_copy_label;
mpo_cred_create_swapper_t mpo_cred_create_swapper;
@ -798,18 +813,6 @@ struct mac_policy_ops {
mpo_proc_check_debug_t mpo_proc_check_debug;
mpo_proc_check_sched_t mpo_proc_check_sched;
mpo_proc_check_setaudit_t mpo_proc_check_setaudit;
mpo_proc_check_setaudit_addr_t mpo_proc_check_setaudit_addr;
mpo_proc_check_setauid_t mpo_proc_check_setauid;
mpo_proc_check_setuid_t mpo_proc_check_setuid;
mpo_proc_check_seteuid_t mpo_proc_check_seteuid;
mpo_proc_check_setgid_t mpo_proc_check_setgid;
mpo_proc_check_setegid_t mpo_proc_check_setegid;
mpo_proc_check_setgroups_t mpo_proc_check_setgroups;
mpo_proc_check_setreuid_t mpo_proc_check_setreuid;
mpo_proc_check_setregid_t mpo_proc_check_setregid;
mpo_proc_check_setresuid_t mpo_proc_check_setresuid;
mpo_proc_check_setresgid_t mpo_proc_check_setresgid;
mpo_proc_check_signal_t mpo_proc_check_signal;
mpo_proc_check_wait_t mpo_proc_check_wait;
mpo_proc_destroy_label_t mpo_proc_destroy_label;

View File

@ -2,7 +2,6 @@
* Copyright (c) 1999-2002, 2008-2009 Robert N. M. Watson
* Copyright (c) 2001 Ilmar S. Habibulin
* Copyright (c) 2001-2003 Networks Associates Technology, Inc.
* Copyright (c) 2005 Samy Al Bahra
* Copyright (c) 2006 SPARTA, Inc.
* Copyright (c) 2008 Apple Inc.
* All rights reserved.
@ -424,153 +423,6 @@ mac_proc_check_signal(struct ucred *cred, struct proc *p, int signum)
return (error);
}
MAC_CHECK_PROBE_DEFINE2(proc_check_setuid, "struct ucred *", "uid_t");
int
mac_proc_check_setuid(struct proc *p, struct ucred *cred, uid_t uid)
{
int error;
PROC_LOCK_ASSERT(p, MA_OWNED);
MAC_CHECK(proc_check_setuid, cred, uid);
MAC_CHECK_PROBE2(proc_check_setuid, error, cred, uid);
return (error);
}
MAC_CHECK_PROBE_DEFINE2(proc_check_seteuid, "struct ucred *", "uid_t");
int
mac_proc_check_seteuid(struct proc *p, struct ucred *cred, uid_t euid)
{
int error;
PROC_LOCK_ASSERT(p, MA_OWNED);
MAC_CHECK(proc_check_seteuid, cred, euid);
MAC_CHECK_PROBE2(proc_check_seteuid, error, cred, euid);
return (error);
}
MAC_CHECK_PROBE_DEFINE2(proc_check_setgid, "struct ucred *", "gid_t");
int
mac_proc_check_setgid(struct proc *p, struct ucred *cred, gid_t gid)
{
int error;
PROC_LOCK_ASSERT(p, MA_OWNED);
MAC_CHECK(proc_check_setgid, cred, gid);
MAC_CHECK_PROBE2(proc_check_setgid, error, cred, gid);
return (error);
}
MAC_CHECK_PROBE_DEFINE2(proc_check_setegid, "struct ucred *", "gid_t");
int
mac_proc_check_setegid(struct proc *p, struct ucred *cred, gid_t egid)
{
int error;
PROC_LOCK_ASSERT(p, MA_OWNED);
MAC_CHECK(proc_check_setegid, cred, egid);
MAC_CHECK_PROBE2(proc_check_setegid, error, cred, egid);
return (error);
}
MAC_CHECK_PROBE_DEFINE3(proc_check_setgroups, "struct ucred *", "int",
"gid_t *");
int
mac_proc_check_setgroups(struct proc *p, struct ucred *cred, int ngroups,
gid_t *gidset)
{
int error;
PROC_LOCK_ASSERT(p, MA_OWNED);
MAC_CHECK(proc_check_setgroups, cred, ngroups, gidset);
MAC_CHECK_PROBE3(proc_check_setgroups, error, cred, ngroups, gidset);
return (error);
}
MAC_CHECK_PROBE_DEFINE3(proc_check_setreuid, "struct ucred *", "uid_t",
"uid_t");
int
mac_proc_check_setreuid(struct proc *p, struct ucred *cred, uid_t ruid,
uid_t euid)
{
int error;
PROC_LOCK_ASSERT(p, MA_OWNED);
MAC_CHECK(proc_check_setreuid, cred, ruid, euid);
MAC_CHECK_PROBE3(proc_check_setreuid, error, cred, ruid, euid);
return (error);
}
MAC_CHECK_PROBE_DEFINE3(proc_check_setregid, "struct ucred *", "gid_t",
"gid_t");
int
mac_proc_check_setregid(struct proc *proc, struct ucred *cred, gid_t rgid,
gid_t egid)
{
int error;
PROC_LOCK_ASSERT(proc, MA_OWNED);
MAC_CHECK(proc_check_setregid, cred, rgid, egid);
MAC_CHECK_PROBE3(proc_check_setregid, error, cred, rgid, egid);
return (error);
}
MAC_CHECK_PROBE_DEFINE4(proc_check_setresuid, "struct ucred *", "uid_t",
"uid_t", "uid_t");
int
mac_proc_check_setresuid(struct proc *p, struct ucred *cred, uid_t ruid,
uid_t euid, uid_t suid)
{
int error;
PROC_LOCK_ASSERT(p, MA_OWNED);
MAC_CHECK(proc_check_setresuid, cred, ruid, euid, suid);
MAC_CHECK_PROBE4(proc_check_setresuid, error, cred, ruid, euid,
suid);
return (error);
}
MAC_CHECK_PROBE_DEFINE4(proc_check_setresgid, "struct ucred *", "gid_t",
"gid_t", "gid_t");
int
mac_proc_check_setresgid(struct proc *p, struct ucred *cred, gid_t rgid,
gid_t egid, gid_t sgid)
{
int error;
PROC_LOCK_ASSERT(p, MA_OWNED);
MAC_CHECK(proc_check_setresgid, cred, rgid, egid, sgid);
MAC_CHECK_PROBE4(proc_check_setresgid, error, cred, rgid, egid,
sgid);
return (error);
}
MAC_CHECK_PROBE_DEFINE2(proc_check_wait, "struct ucred *", "struct proc *");
int

View File

@ -1,5 +1,5 @@
/*-
* Copyright (c) 1999-2002, 2007-2008 Robert N. M. Watson
* Copyright (c) 1999-2002, 2007-2009 Robert N. M. Watson
* Copyright (c) 2001-2005 McAfee, Inc.
* Copyright (c) 2005-2006 SPARTA, Inc.
* Copyright (c) 2008 Apple Inc.
@ -15,6 +15,9 @@
* This software was enhanced by SPARTA ISSO under SPAWAR contract
* N66001-04-C-6019 ("SEFOS").
*
* This software was developed at the University of Cambridge Computer
* Laboratory with support from a grant from Google, Inc.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@ -198,6 +201,93 @@ stub_cred_check_relabel(struct ucred *cred, struct label *newlabel)
return (0);
}
static int
stub_cred_check_setaudit(struct ucred *cred, struct auditinfo *ai)
{
return (0);
}
static int
stub_cred_check_setaudit_addr(struct ucred *cred, struct auditinfo_addr *aia)
{
return (0);
}
static int
stub_cred_check_setauid(struct ucred *cred, uid_t auid)
{
return (0);
}
static int
stub_cred_check_setegid(struct ucred *cred, gid_t egid)
{
return (0);
}
static int
stub_cred_check_seteuid(struct ucred *cred, uid_t euid)
{
return (0);
}
static int
stub_cred_check_setgid(struct ucred *cred, gid_t gid)
{
return (0);
}
static int
stub_cred_check_setgroups(struct ucred *cred, int ngroups,
gid_t *gidset)
{
return (0);
}
static int
stub_cred_check_setregid(struct ucred *cred, gid_t rgid, gid_t egid)
{
return (0);
}
static int
stub_cred_check_setresgid(struct ucred *cred, gid_t rgid, gid_t egid,
gid_t sgid)
{
return (0);
}
static int
stub_cred_check_setresuid(struct ucred *cred, uid_t ruid, uid_t euid,
uid_t suid)
{
return (0);
}
static int
stub_cred_check_setreuid(struct ucred *cred, uid_t ruid, uid_t euid)
{
return (0);
}
static int
stub_cred_check_setuid(struct ucred *cred, uid_t uid)
{
return (0);
}
static int
stub_cred_check_visible(struct ucred *cr1, struct ucred *cr2)
{
@ -700,93 +790,6 @@ stub_proc_check_sched(struct ucred *cred, struct proc *p)
return (0);
}
static int
stub_proc_check_setaudit(struct ucred *cred, struct auditinfo *ai)
{
return (0);
}
static int
stub_proc_check_setaudit_addr(struct ucred *cred, struct auditinfo_addr *aia)
{
return (0);
}
static int
stub_proc_check_setauid(struct ucred *cred, uid_t auid)
{
return (0);
}
static int
stub_proc_check_setegid(struct ucred *cred, gid_t egid)
{
return (0);
}
static int
stub_proc_check_seteuid(struct ucred *cred, uid_t euid)
{
return (0);
}
static int
stub_proc_check_setgid(struct ucred *cred, gid_t gid)
{
return (0);
}
static int
stub_proc_check_setgroups(struct ucred *cred, int ngroups,
gid_t *gidset)
{
return (0);
}
static int
stub_proc_check_setregid(struct ucred *cred, gid_t rgid, gid_t egid)
{
return (0);
}
static int
stub_proc_check_setresgid(struct ucred *cred, gid_t rgid, gid_t egid,
gid_t sgid)
{
return (0);
}
static int
stub_proc_check_setresuid(struct ucred *cred, uid_t ruid, uid_t euid,
uid_t suid)
{
return (0);
}
static int
stub_proc_check_setreuid(struct ucred *cred, uid_t ruid, uid_t euid)
{
return (0);
}
static int
stub_proc_check_setuid(struct ucred *cred, uid_t uid)
{
return (0);
}
static int
stub_proc_check_signal(struct ucred *cred, struct proc *p, int signum)
{
@ -1541,6 +1544,18 @@ static struct mac_policy_ops stub_ops =
.mpo_cred_associate_nfsd = stub_cred_associate_nfsd,
.mpo_cred_check_relabel = stub_cred_check_relabel,
.mpo_cred_check_setaudit = stub_cred_check_setaudit,
.mpo_cred_check_setaudit_addr = stub_cred_check_setaudit_addr,
.mpo_cred_check_setauid = stub_cred_check_setauid,
.mpo_cred_check_setegid = stub_cred_check_setegid,
.mpo_cred_check_seteuid = stub_cred_check_seteuid,
.mpo_cred_check_setgid = stub_cred_check_setgid,
.mpo_cred_check_setgroups = stub_cred_check_setgroups,
.mpo_cred_check_setregid = stub_cred_check_setregid,
.mpo_cred_check_setresgid = stub_cred_check_setresgid,
.mpo_cred_check_setresuid = stub_cred_check_setresuid,
.mpo_cred_check_setreuid = stub_cred_check_setreuid,
.mpo_cred_check_setuid = stub_cred_check_setuid,
.mpo_cred_check_visible = stub_cred_check_visible,
.mpo_cred_copy_label = stub_copy_label,
.mpo_cred_create_init = stub_cred_create_init,
@ -1660,18 +1675,6 @@ static struct mac_policy_ops stub_ops =
.mpo_proc_check_debug = stub_proc_check_debug,
.mpo_proc_check_sched = stub_proc_check_sched,
.mpo_proc_check_setaudit = stub_proc_check_setaudit,
.mpo_proc_check_setaudit_addr = stub_proc_check_setaudit_addr,
.mpo_proc_check_setauid = stub_proc_check_setauid,
.mpo_proc_check_setegid = stub_proc_check_setegid,
.mpo_proc_check_seteuid = stub_proc_check_seteuid,
.mpo_proc_check_setgid = stub_proc_check_setgid,
.mpo_proc_check_setgroups = stub_proc_check_setgroups,
.mpo_proc_check_setregid = stub_proc_check_setregid,
.mpo_proc_check_setresgid = stub_proc_check_setresgid,
.mpo_proc_check_setresuid = stub_proc_check_setresuid,
.mpo_proc_check_setreuid = stub_proc_check_setreuid,
.mpo_proc_check_setuid = stub_proc_check_setuid,
.mpo_proc_check_signal = stub_proc_check_signal,
.mpo_proc_check_wait = stub_proc_check_wait,

View File

@ -1,5 +1,5 @@
/*-
* Copyright (c) 1999-2002, 2007-2008 Robert N. M. Watson
* Copyright (c) 1999-2002, 2007-2009 Robert N. M. Watson
* Copyright (c) 2001-2005 McAfee, Inc.
* Copyright (c) 2006 SPARTA, Inc.
* Copyright (c) 2008 Apple Inc.
@ -15,6 +15,9 @@
* This software was enhanced by SPARTA ISSO under SPAWAR contract
* N66001-04-C-6019 ("SEFOS").
*
* This software was developed at the University of Cambridge Computer
* Laboratory with support from a grant from Google, Inc.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@ -220,6 +223,142 @@ test_cred_check_relabel(struct ucred *cred, struct label *newlabel)
return (0);
}
COUNTER_DECL(cred_check_setaudit);
static int
test_cred_check_setaudit(struct ucred *cred, struct auditinfo *ai)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
COUNTER_INC(cred_check_setaudit);
return (0);
}
COUNTER_DECL(cred_check_setaudit_addr);
static int
test_cred_check_setaudit_addr(struct ucred *cred,
struct auditinfo_addr *aia)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
COUNTER_INC(cred_check_setaudit_addr);
return (0);
}
COUNTER_DECL(cred_check_setauid);
static int
test_cred_check_setauid(struct ucred *cred, uid_t auid)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
COUNTER_INC(cred_check_setauid);
return (0);
}
COUNTER_DECL(cred_check_setegid);
static int
test_cred_check_setegid(struct ucred *cred, gid_t egid)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
COUNTER_INC(cred_check_setegid);
return (0);
}
COUNTER_DECL(proc_check_euid);
static int
test_cred_check_seteuid(struct ucred *cred, uid_t euid)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
COUNTER_INC(proc_check_euid);
return (0);
}
COUNTER_DECL(cred_check_setregid);
static int
test_cred_check_setregid(struct ucred *cred, gid_t rgid, gid_t egid)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
COUNTER_INC(cred_check_setregid);
return (0);
}
COUNTER_DECL(cred_check_setreuid);
static int
test_cred_check_setreuid(struct ucred *cred, uid_t ruid, uid_t euid)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
COUNTER_INC(cred_check_setreuid);
return (0);
}
COUNTER_DECL(cred_check_setgid);
static int
test_cred_check_setgid(struct ucred *cred, gid_t gid)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
COUNTER_INC(cred_check_setgid);
return (0);
}
COUNTER_DECL(cred_check_setgroups);
static int
test_cred_check_setgroups(struct ucred *cred, int ngroups,
gid_t *gidset)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
COUNTER_INC(cred_check_setgroups);
return (0);
}
COUNTER_DECL(cred_check_setresgid);
static int
test_cred_check_setresgid(struct ucred *cred, gid_t rgid, gid_t egid,
gid_t sgid)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
COUNTER_INC(cred_check_setresgid);
return (0);
}
COUNTER_DECL(cred_check_setresuid);
static int
test_cred_check_setresuid(struct ucred *cred, uid_t ruid, uid_t euid,
uid_t suid)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
COUNTER_INC(cred_check_setresuid);
return (0);
}
COUNTER_DECL(cred_check_setuid);
static int
test_cred_check_setuid(struct ucred *cred, uid_t uid)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
COUNTER_INC(cred_check_setuid);
return (0);
}
COUNTER_DECL(cred_check_visible);
static int
test_cred_check_visible(struct ucred *u1, struct ucred *u2)
@ -1350,142 +1489,6 @@ test_proc_check_signal(struct ucred *cred, struct proc *p, int signum)
return (0);
}
COUNTER_DECL(proc_check_setaudit);
static int
test_proc_check_setaudit(struct ucred *cred, struct auditinfo *ai)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
COUNTER_INC(proc_check_setaudit);
return (0);
}
COUNTER_DECL(proc_check_setaudit_addr);
static int
test_proc_check_setaudit_addr(struct ucred *cred,
struct auditinfo_addr *aia)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
COUNTER_INC(proc_check_setaudit_addr);
return (0);
}
COUNTER_DECL(proc_check_setauid);
static int
test_proc_check_setauid(struct ucred *cred, uid_t auid)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
COUNTER_INC(proc_check_setauid);
return (0);
}
COUNTER_DECL(proc_check_setegid);
static int
test_proc_check_setegid(struct ucred *cred, gid_t egid)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
COUNTER_INC(proc_check_setegid);
return (0);
}
COUNTER_DECL(proc_check_euid);
static int
test_proc_check_seteuid(struct ucred *cred, uid_t euid)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
COUNTER_INC(proc_check_euid);
return (0);
}
COUNTER_DECL(proc_check_setregid);
static int
test_proc_check_setregid(struct ucred *cred, gid_t rgid, gid_t egid)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
COUNTER_INC(proc_check_setregid);
return (0);
}
COUNTER_DECL(proc_check_setreuid);
static int
test_proc_check_setreuid(struct ucred *cred, uid_t ruid, uid_t euid)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
COUNTER_INC(proc_check_setreuid);
return (0);
}
COUNTER_DECL(proc_check_setgid);
static int
test_proc_check_setgid(struct ucred *cred, gid_t gid)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
COUNTER_INC(proc_check_setgid);
return (0);
}
COUNTER_DECL(proc_check_setgroups);
static int
test_proc_check_setgroups(struct ucred *cred, int ngroups,
gid_t *gidset)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
COUNTER_INC(proc_check_setgroups);
return (0);
}
COUNTER_DECL(proc_check_setresgid);
static int
test_proc_check_setresgid(struct ucred *cred, gid_t rgid, gid_t egid,
gid_t sgid)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
COUNTER_INC(proc_check_setresgid);
return (0);
}
COUNTER_DECL(proc_check_setresuid);
static int
test_proc_check_setresuid(struct ucred *cred, uid_t ruid, uid_t euid,
uid_t suid)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
COUNTER_INC(proc_check_setresuid);
return (0);
}
COUNTER_DECL(proc_check_setuid);
static int
test_proc_check_setuid(struct ucred *cred, uid_t uid)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
COUNTER_INC(proc_check_setuid);
return (0);
}
COUNTER_DECL(proc_check_wait);
static int
test_proc_check_wait(struct ucred *cred, struct proc *p)
@ -2881,6 +2884,18 @@ static struct mac_policy_ops test_ops =
.mpo_bpfdesc_init_label = test_bpfdesc_init_label,
.mpo_cred_check_relabel = test_cred_check_relabel,
.mpo_cred_check_setaudit = test_cred_check_setaudit,
.mpo_cred_check_setaudit_addr = test_cred_check_setaudit_addr,
.mpo_cred_check_setauid = test_cred_check_setauid,
.mpo_cred_check_seteuid = test_cred_check_seteuid,
.mpo_cred_check_setegid = test_cred_check_setegid,
.mpo_cred_check_setgid = test_cred_check_setgid,
.mpo_cred_check_setgroups = test_cred_check_setgroups,
.mpo_cred_check_setregid = test_cred_check_setregid,
.mpo_cred_check_setresgid = test_cred_check_setresgid,
.mpo_cred_check_setresuid = test_cred_check_setresuid,
.mpo_cred_check_setreuid = test_cred_check_setreuid,
.mpo_cred_check_setuid = test_cred_check_setuid,
.mpo_cred_check_visible = test_cred_check_visible,
.mpo_cred_copy_label = test_cred_copy_label,
.mpo_cred_create_init = test_cred_create_init,
@ -3010,18 +3025,6 @@ static struct mac_policy_ops test_ops =
.mpo_proc_check_debug = test_proc_check_debug,
.mpo_proc_check_sched = test_proc_check_sched,
.mpo_proc_check_setaudit = test_proc_check_setaudit,
.mpo_proc_check_setaudit_addr = test_proc_check_setaudit_addr,
.mpo_proc_check_setauid = test_proc_check_setauid,
.mpo_proc_check_seteuid = test_proc_check_seteuid,
.mpo_proc_check_setegid = test_proc_check_setegid,
.mpo_proc_check_setgid = test_proc_check_setgid,
.mpo_proc_check_setgroups = test_proc_check_setgroups,
.mpo_proc_check_setregid = test_proc_check_setregid,
.mpo_proc_check_setresgid = test_proc_check_setresgid,
.mpo_proc_check_setresuid = test_proc_check_setresuid,
.mpo_proc_check_setreuid = test_proc_check_setreuid,
.mpo_proc_check_setuid = test_proc_check_setuid,
.mpo_proc_check_signal = test_proc_check_signal,
.mpo_proc_check_wait = test_proc_check_wait,
.mpo_proc_destroy_label = test_proc_destroy_label,