d/freebsd-nq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Consistently name functions for mac_<policy> as <policy>_whatever rather

Browse Source 
than mac_<policy>_whatever, as this shortens the names and makes the code
a bit easier to read.

When dealing with label structures, name variables 'mb', 'ml', 'mm rather
than the longer 'mac_biba', 'mac_lomac', and 'mac_mls', likewise making
the code a little easier to read.

Obtained from:	TrustedBSD Project
This commit is contained in:
Robert Watson 2007-10-25 11:31:11 +00:00
parent ededffc06b
commit 3f1a7a9086
11 changed files with 2714 additions and 2753 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1462
sys/security/mac_biba/mac_biba.c
View File

File diff suppressed because it is too large Load Diff

258
sys/security/mac_bsdextended/mac_bsdextended.c
View File

@ -65,17 +65,17 @@
#include <security/mac/mac_policy.h>
#include <security/mac_bsdextended/mac_bsdextended.h>
static struct mtx mac_bsdextended_mtx;
static struct mtx ugidfw_mtx;
SYSCTL_DECL(_security_mac);
SYSCTL_NODE(_security_mac, OID_AUTO, bsdextended, CTLFLAG_RW, 0,
"TrustedBSD extended BSD MAC policy controls");
static int mac_bsdextended_enabled = 1;
static int ugidfw_enabled = 1;
SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, enabled, CTLFLAG_RW,
&mac_bsdextended_enabled, 0, "Enforce extended BSD policy");
TUNABLE_INT("security.mac.bsdextended.enabled", &mac_bsdextended_enabled);
&ugidfw_enabled, 0, "Enforce extended BSD policy");
TUNABLE_INT("security.mac.bsdextended.enabled", &ugidfw_enabled);
MALLOC_DEFINE(M_MACBSDEXTENDED, "mac_bsdextended", "BSD Extended MAC rule");
@ -96,23 +96,22 @@ SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, rule_version, CTLFLAG_RD,
* This is just used for logging purposes, eventually we would like to log
* much more then failed requests.
*/
static int mac_bsdextended_logging;
static int ugidfw_logging;
SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, logging, CTLFLAG_RW,
&mac_bsdextended_logging, 0, "Log failed authorization requests");
&ugidfw_logging, 0, "Log failed authorization requests");
/*
* This tunable is here for compatibility. It will allow the user to switch
* between the new mode (first rule matches) and the old functionality (all
* rules match).
*/
static int
mac_bsdextended_firstmatch_enabled;
static int ugidfw_firstmatch_enabled;
SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, firstmatch_enabled,
CTLFLAG_RW, &mac_bsdextended_firstmatch_enabled, 1,
CTLFLAG_RW, &ugidfw_firstmatch_enabled, 1,
"Disable/enable match first rule functionality");
static int
mac_bsdextended_rule_valid(struct mac_bsdextended_rule *rule)
ugidfw_rule_valid(struct mac_bsdextended_rule *rule)
{
if ((rule->mbr_subject.mbs_flags | MBS_ALL_FLAGS) != MBS_ALL_FLAGS)
@ -156,7 +155,7 @@ sysctl_rule(SYSCTL_HANDLER_ARGS)
sizeof(*ruleptr), M_MACBSDEXTENDED, M_WAITOK | M_ZERO);
}
mtx_lock(&mac_bsdextended_mtx);
mtx_lock(&ugidfw_mtx);
if (req->oldptr) {
if (index < 0 || index > rule_slots + 1) {
error = ENOENT;
@ -178,7 +177,7 @@ sysctl_rule(SYSCTL_HANDLER_ARGS)
rule_count--;
rules[index] = NULL;
} else if (req->newptr) {
error = mac_bsdextended_rule_valid(&temprule);
error = ugidfw_rule_valid(&temprule);
if (error)
goto out;
if (rules[index] == NULL) {
@ -192,7 +191,7 @@ sysctl_rule(SYSCTL_HANDLER_ARGS)
*rules[index] = temprule;
}
out:
mtx_unlock(&mac_bsdextended_mtx);
mtx_unlock(&ugidfw_mtx);
if (ruleptr != NULL)
FREE(ruleptr, M_MACBSDEXTENDED);
if (req->oldptr && error == 0)
@ -204,21 +203,21 @@ SYSCTL_NODE(_security_mac_bsdextended, OID_AUTO, rules, CTLFLAG_RW,
sysctl_rule, "BSD extended MAC rules");
static void
mac_bsdextended_init(struct mac_policy_conf *mpc)
ugidfw_init(struct mac_policy_conf *mpc)
{
mtx_init(&mac_bsdextended_mtx, "mac_bsdextended lock", NULL, MTX_DEF);
mtx_init(&ugidfw_mtx, "mac_bsdextended lock", NULL, MTX_DEF);
}
static void
mac_bsdextended_destroy(struct mac_policy_conf *mpc)
ugidfw_destroy(struct mac_policy_conf *mpc)
{
mtx_destroy(&mac_bsdextended_mtx);
mtx_destroy(&ugidfw_mtx);
}
static int
mac_bsdextended_rulecheck(struct mac_bsdextended_rule *rule,
ugidfw_rulecheck(struct mac_bsdextended_rule *rule,
struct ucred *cred, struct vnode *vp, struct vattr *vap, int acc_mode)
{
int match;
@ -227,7 +226,7 @@ mac_bsdextended_rulecheck(struct mac_bsdextended_rule *rule,
/*
* Is there a subject match?
*/
mtx_assert(&mac_bsdextended_mtx, MA_OWNED);
mtx_assert(&ugidfw_mtx, MA_OWNED);
if (rule->mbr_subject.mbs_flags & MBS_UID_DEFINED) {
match = ((cred->cr_uid <= rule->mbr_subject.mbs_uid_max &&
cred->cr_uid >= rule->mbr_subject.mbs_uid_min) ||
@ -375,7 +374,7 @@ mac_bsdextended_rulecheck(struct mac_bsdextended_rule *rule,
* Is the access permitted?
*/
if ((rule->mbr_mode & acc_mode) != acc_mode) {
if (mac_bsdextended_logging)
if (ugidfw_logging)
log(LOG_AUTHPRIV, "mac_bsdextended: %d:%d request %d"
" on %d:%d failed. \n", cred->cr_ruid,
cred->cr_rgid, acc_mode, vap->va_uid,
@ -387,14 +386,14 @@ mac_bsdextended_rulecheck(struct mac_bsdextended_rule *rule,
* If the rule matched, permits access, and first match is enabled,
* return success.
*/
if (mac_bsdextended_firstmatch_enabled)
if (ugidfw_firstmatch_enabled)
return (EJUSTRETURN);
else
return (0);
}
static int
mac_bsdextended_check(struct ucred *cred, struct vnode *vp, struct vattr *vap,
ugidfw_check(struct ucred *cred, struct vnode *vp, struct vattr *vap,
int acc_mode)
{
int error, i;
@ -412,341 +411,340 @@ mac_bsdextended_check(struct ucred *cred, struct vnode *vp, struct vattr *vap,
acc_mode &= ~MBI_APPEND;
acc_mode |= MBI_WRITE;
}
mtx_lock(&mac_bsdextended_mtx);
mtx_lock(&ugidfw_mtx);
for (i = 0; i < rule_slots; i++) {
if (rules[i] == NULL)
continue;
error = mac_bsdextended_rulecheck(rules[i], cred,
error = ugidfw_rulecheck(rules[i], cred,
vp, vap, acc_mode);
if (error == EJUSTRETURN)
break;
if (error) {
mtx_unlock(&mac_bsdextended_mtx);
mtx_unlock(&ugidfw_mtx);
return (error);
}
}
mtx_unlock(&mac_bsdextended_mtx);
mtx_unlock(&ugidfw_mtx);
return (0);
}
static int
mac_bsdextended_check_vp(struct ucred *cred, struct vnode *vp, int acc_mode)
ugidfw_check_vp(struct ucred *cred, struct vnode *vp, int acc_mode)
{
int error;
struct vattr vap;
if (!mac_bsdextended_enabled)
if (!ugidfw_enabled)
return (0);
error = VOP_GETATTR(vp, &vap, cred, curthread);
if (error)
return (error);
return (mac_bsdextended_check(cred, vp, &vap, acc_mode));
return (ugidfw_check(cred, vp, &vap, acc_mode));
}
static int
mac_bsdextended_system_check_acct(struct ucred *cred, struct vnode *vp,
ugidfw_system_check_acct(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
return (mac_bsdextended_check_vp(cred, vp, MBI_WRITE));
return (ugidfw_check_vp(cred, vp, MBI_WRITE));
}
static int
mac_bsdextended_system_check_auditctl(struct ucred *cred, struct vnode *vp,
ugidfw_system_check_auditctl(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
return (mac_bsdextended_check_vp(cred, vp, MBI_WRITE));
return (ugidfw_check_vp(cred, vp, MBI_WRITE));
}
static int
mac_bsdextended_system_check_swapoff(struct ucred *cred, struct vnode *vp,
ugidfw_system_check_swapoff(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
return (mac_bsdextended_check_vp(cred, vp, MBI_WRITE));
return (ugidfw_check_vp(cred, vp, MBI_WRITE));
}
static int
mac_bsdextended_system_check_swapon(struct ucred *cred, struct vnode *vp,
ugidfw_system_check_swapon(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
return (mac_bsdextended_check_vp(cred, vp, MBI_WRITE));
return (ugidfw_check_vp(cred, vp, MBI_WRITE));
}
static int
mac_bsdextended_vnode_check_access(struct ucred *cred, struct vnode *vp,
ugidfw_vnode_check_access(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int acc_mode)
{
return (mac_bsdextended_check_vp(cred, vp, acc_mode));
return (ugidfw_check_vp(cred, vp, acc_mode));
}
static int
mac_bsdextended_vnode_check_chdir(struct ucred *cred, struct vnode *dvp,
ugidfw_vnode_check_chdir(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel)
{
return (mac_bsdextended_check_vp(cred, dvp, MBI_EXEC));
return (ugidfw_check_vp(cred, dvp, MBI_EXEC));
}
static int
mac_bsdextended_vnode_check_chroot(struct ucred *cred, struct vnode *dvp,
ugidfw_vnode_check_chroot(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel)
{
return (mac_bsdextended_check_vp(cred, dvp, MBI_EXEC));
return (ugidfw_check_vp(cred, dvp, MBI_EXEC));
}
static int
mac_bsdextended_check_create_vnode(struct ucred *cred, struct vnode *dvp,
ugidfw_check_create_vnode(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct componentname *cnp, struct vattr *vap)
{
return (mac_bsdextended_check_vp(cred, dvp, MBI_WRITE));
return (ugidfw_check_vp(cred, dvp, MBI_WRITE));
}
static int
mac_bsdextended_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp,
ugidfw_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp,
struct label *vplabel, acl_type_t type)
{
return (mac_bsdextended_check_vp(cred, vp, MBI_ADMIN));
return (ugidfw_check_vp(cred, vp, MBI_ADMIN));
}
static int
mac_bsdextended_vnode_check_deleteextattr(struct ucred *cred,
struct vnode *vp, struct label *vplabel, int attrnamespace,
const char *name)
ugidfw_vnode_check_deleteextattr(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int attrnamespace, const char *name)
{
return (mac_bsdextended_check_vp(cred, vp, MBI_WRITE));
return (ugidfw_check_vp(cred, vp, MBI_WRITE));
}
static int
mac_bsdextended_vnode_check_exec(struct ucred *cred, struct vnode *vp,
ugidfw_vnode_check_exec(struct ucred *cred, struct vnode *vp,
struct label *vplabel, struct image_params *imgp,
struct label *execlabel)
{
return (mac_bsdextended_check_vp(cred, vp, MBI_READ|MBI_EXEC));
return (ugidfw_check_vp(cred, vp, MBI_READ|MBI_EXEC));
}
static int
mac_bsdextended_vnode_check_getacl(struct ucred *cred, struct vnode *vp,
ugidfw_vnode_check_getacl(struct ucred *cred, struct vnode *vp,
struct label *vplabel, acl_type_t type)
{
return (mac_bsdextended_check_vp(cred, vp, MBI_STAT));
return (ugidfw_check_vp(cred, vp, MBI_STAT));
}
static int
mac_bsdextended_vnode_check_getextattr(struct ucred *cred, struct vnode *vp,
ugidfw_vnode_check_getextattr(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int attrnamespace, const char *name,
struct uio *uio)
{
return (mac_bsdextended_check_vp(cred, vp, MBI_READ));
return (ugidfw_check_vp(cred, vp, MBI_READ));
}
static int
mac_bsdextended_vnode_check_link(struct ucred *cred, struct vnode *dvp,
ugidfw_vnode_check_link(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct vnode *vp, struct label *label,
struct componentname *cnp)
{
int error;
error = mac_bsdextended_check_vp(cred, dvp, MBI_WRITE);
error = ugidfw_check_vp(cred, dvp, MBI_WRITE);
if (error)
return (error);
error = mac_bsdextended_check_vp(cred, vp, MBI_WRITE);
error = ugidfw_check_vp(cred, vp, MBI_WRITE);
if (error)
return (error);
return (0);
}
static int
mac_bsdextended_vnode_check_listextattr(struct ucred *cred, struct vnode *vp,
ugidfw_vnode_check_listextattr(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int attrnamespace)
{
return (mac_bsdextended_check_vp(cred, vp, MBI_READ));
return (ugidfw_check_vp(cred, vp, MBI_READ));
}
static int
mac_bsdextended_vnode_check_lookup(struct ucred *cred, struct vnode *dvp,
ugidfw_vnode_check_lookup(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct componentname *cnp)
{
return (mac_bsdextended_check_vp(cred, dvp, MBI_EXEC));
return (ugidfw_check_vp(cred, dvp, MBI_EXEC));
}
static int
mac_bsdextended_vnode_check_open(struct ucred *cred, struct vnode *vp,
ugidfw_vnode_check_open(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int acc_mode)
{
return (mac_bsdextended_check_vp(cred, vp, acc_mode));
return (ugidfw_check_vp(cred, vp, acc_mode));
}
static int
mac_bsdextended_vnode_check_readdir(struct ucred *cred, struct vnode *dvp,
ugidfw_vnode_check_readdir(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel)
{
return (mac_bsdextended_check_vp(cred, dvp, MBI_READ));
return (ugidfw_check_vp(cred, dvp, MBI_READ));
}
static int
mac_bsdextended_vnode_check_readdlink(struct ucred *cred, struct vnode *vp,
ugidfw_vnode_check_readdlink(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
return (mac_bsdextended_check_vp(cred, vp, MBI_READ));
return (ugidfw_check_vp(cred, vp, MBI_READ));
}
static int
mac_bsdextended_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp,
ugidfw_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct vnode *vp, struct label *vplabel,
struct componentname *cnp)
{
int error;
error = mac_bsdextended_check_vp(cred, dvp, MBI_WRITE);
error = ugidfw_check_vp(cred, dvp, MBI_WRITE);
if (error)
return (error);
return (mac_bsdextended_check_vp(cred, vp, MBI_WRITE));
return (ugidfw_check_vp(cred, vp, MBI_WRITE));
}
static int
mac_bsdextended_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp,
ugidfw_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct vnode *vp, struct label *vplabel,
int samedir, struct componentname *cnp)
{
int error;
error = mac_bsdextended_check_vp(cred, dvp, MBI_WRITE);
error = ugidfw_check_vp(cred, dvp, MBI_WRITE);
if (error)
return (error);
if (vp != NULL)
error = mac_bsdextended_check_vp(cred, vp, MBI_WRITE);
error = ugidfw_check_vp(cred, vp, MBI_WRITE);
return (error);
}
static int
mac_bsdextended_vnode_check_revoke(struct ucred *cred, struct vnode *vp,
ugidfw_vnode_check_revoke(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
return (mac_bsdextended_check_vp(cred, vp, MBI_ADMIN));
return (ugidfw_check_vp(cred, vp, MBI_ADMIN));
}
static int
mac_bsdextended_check_setacl_vnode(struct ucred *cred, struct vnode *vp,
ugidfw_check_setacl_vnode(struct ucred *cred, struct vnode *vp,
struct label *vplabel, acl_type_t type, struct acl *acl)
{
return (mac_bsdextended_check_vp(cred, vp, MBI_ADMIN));
return (ugidfw_check_vp(cred, vp, MBI_ADMIN));
}
static int
mac_bsdextended_vnode_check_setextattr(struct ucred *cred, struct vnode *vp,
ugidfw_vnode_check_setextattr(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int attrnamespace, const char *name,
struct uio *uio)
{
return (mac_bsdextended_check_vp(cred, vp, MBI_WRITE));
return (ugidfw_check_vp(cred, vp, MBI_WRITE));
}
static int
mac_bsdextended_vnode_check_setflags(struct ucred *cred, struct vnode *vp,
ugidfw_vnode_check_setflags(struct ucred *cred, struct vnode *vp,
struct label *vplabel, u_long flags)
{
return (mac_bsdextended_check_vp(cred, vp, MBI_ADMIN));
return (ugidfw_check_vp(cred, vp, MBI_ADMIN));
}
static int
mac_bsdextended_vnode_check_setmode(struct ucred *cred, struct vnode *vp,
ugidfw_vnode_check_setmode(struct ucred *cred, struct vnode *vp,
struct label *vplabel, mode_t mode)
{
return (mac_bsdextended_check_vp(cred, vp, MBI_ADMIN));
return (ugidfw_check_vp(cred, vp, MBI_ADMIN));
}
static int
mac_bsdextended_vnode_check_setowner(struct ucred *cred, struct vnode *vp,
ugidfw_vnode_check_setowner(struct ucred *cred, struct vnode *vp,
struct label *vplabel, uid_t uid, gid_t gid)
{
return (mac_bsdextended_check_vp(cred, vp, MBI_ADMIN));
return (ugidfw_check_vp(cred, vp, MBI_ADMIN));
}
static int
mac_bsdextended_vnode_check_setutimes(struct ucred *cred, struct vnode *vp,
ugidfw_vnode_check_setutimes(struct ucred *cred, struct vnode *vp,
struct label *vplabel, struct timespec atime, struct timespec utime)
{
return (mac_bsdextended_check_vp(cred, vp, MBI_ADMIN));
return (ugidfw_check_vp(cred, vp, MBI_ADMIN));
}
static int
mac_bsdextended_vnode_check_stat(struct ucred *active_cred,
ugidfw_vnode_check_stat(struct ucred *active_cred,
struct ucred *file_cred, struct vnode *vp, struct label *vplabel)
{
return (mac_bsdextended_check_vp(active_cred, vp, MBI_STAT));
return (ugidfw_check_vp(active_cred, vp, MBI_STAT));
}
static int
mac_bsdextended_vnode_check_unlink(struct ucred *cred, struct vnode *dvp,
ugidfw_vnode_check_unlink(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct vnode *vp, struct label *vplabel,
struct componentname *cnp)
{
int error;
error = mac_bsdextended_check_vp(cred, dvp, MBI_WRITE);
error = ugidfw_check_vp(cred, dvp, MBI_WRITE);
if (error)
return (error);
return (mac_bsdextended_check_vp(cred, vp, MBI_WRITE));
return (ugidfw_check_vp(cred, vp, MBI_WRITE));
}
static struct mac_policy_ops mac_bsdextended_ops =
static struct mac_policy_ops ugidfw_ops =
{
.mpo_destroy = mac_bsdextended_destroy,
.mpo_init = mac_bsdextended_init,
.mpo_system_check_acct = mac_bsdextended_system_check_acct,
.mpo_system_check_auditctl = mac_bsdextended_system_check_auditctl,
.mpo_system_check_swapoff = mac_bsdextended_system_check_swapoff,
.mpo_system_check_swapon = mac_bsdextended_system_check_swapon,
.mpo_vnode_check_access = mac_bsdextended_vnode_check_access,
.mpo_vnode_check_chdir = mac_bsdextended_vnode_check_chdir,
.mpo_vnode_check_chroot = mac_bsdextended_vnode_check_chroot,
.mpo_vnode_check_create = mac_bsdextended_check_create_vnode,
.mpo_vnode_check_deleteacl = mac_bsdextended_vnode_check_deleteacl,
.mpo_vnode_check_deleteextattr = mac_bsdextended_vnode_check_deleteextattr,
.mpo_vnode_check_exec = mac_bsdextended_vnode_check_exec,
.mpo_vnode_check_getacl = mac_bsdextended_vnode_check_getacl,
.mpo_vnode_check_getextattr = mac_bsdextended_vnode_check_getextattr,
.mpo_vnode_check_link = mac_bsdextended_vnode_check_link,
.mpo_vnode_check_listextattr = mac_bsdextended_vnode_check_listextattr,
.mpo_vnode_check_lookup = mac_bsdextended_vnode_check_lookup,
.mpo_vnode_check_open = mac_bsdextended_vnode_check_open,
.mpo_vnode_check_readdir = mac_bsdextended_vnode_check_readdir,
.mpo_vnode_check_readlink = mac_bsdextended_vnode_check_readdlink,
.mpo_vnode_check_rename_from = mac_bsdextended_vnode_check_rename_from,
.mpo_vnode_check_rename_to = mac_bsdextended_vnode_check_rename_to,
.mpo_vnode_check_revoke = mac_bsdextended_vnode_check_revoke,
.mpo_vnode_check_setacl = mac_bsdextended_check_setacl_vnode,
.mpo_vnode_check_setextattr = mac_bsdextended_vnode_check_setextattr,
.mpo_vnode_check_setflags = mac_bsdextended_vnode_check_setflags,
.mpo_vnode_check_setmode = mac_bsdextended_vnode_check_setmode,
.mpo_vnode_check_setowner = mac_bsdextended_vnode_check_setowner,
.mpo_vnode_check_setutimes = mac_bsdextended_vnode_check_setutimes,
.mpo_vnode_check_stat = mac_bsdextended_vnode_check_stat,
.mpo_vnode_check_unlink = mac_bsdextended_vnode_check_unlink,
.mpo_destroy = ugidfw_destroy,
.mpo_init = ugidfw_init,
.mpo_system_check_acct = ugidfw_system_check_acct,
.mpo_system_check_auditctl = ugidfw_system_check_auditctl,
.mpo_system_check_swapoff = ugidfw_system_check_swapoff,
.mpo_system_check_swapon = ugidfw_system_check_swapon,
.mpo_vnode_check_access = ugidfw_vnode_check_access,
.mpo_vnode_check_chdir = ugidfw_vnode_check_chdir,
.mpo_vnode_check_chroot = ugidfw_vnode_check_chroot,
.mpo_vnode_check_create = ugidfw_check_create_vnode,
.mpo_vnode_check_deleteacl = ugidfw_vnode_check_deleteacl,
.mpo_vnode_check_deleteextattr = ugidfw_vnode_check_deleteextattr,
.mpo_vnode_check_exec = ugidfw_vnode_check_exec,
.mpo_vnode_check_getacl = ugidfw_vnode_check_getacl,
.mpo_vnode_check_getextattr = ugidfw_vnode_check_getextattr,
.mpo_vnode_check_link = ugidfw_vnode_check_link,
.mpo_vnode_check_listextattr = ugidfw_vnode_check_listextattr,
.mpo_vnode_check_lookup = ugidfw_vnode_check_lookup,
.mpo_vnode_check_open = ugidfw_vnode_check_open,
.mpo_vnode_check_readdir = ugidfw_vnode_check_readdir,
.mpo_vnode_check_readlink = ugidfw_vnode_check_readdlink,
.mpo_vnode_check_rename_from = ugidfw_vnode_check_rename_from,
.mpo_vnode_check_rename_to = ugidfw_vnode_check_rename_to,
.mpo_vnode_check_revoke = ugidfw_vnode_check_revoke,
.mpo_vnode_check_setacl = ugidfw_check_setacl_vnode,
.mpo_vnode_check_setextattr = ugidfw_vnode_check_setextattr,
.mpo_vnode_check_setflags = ugidfw_vnode_check_setflags,
.mpo_vnode_check_setmode = ugidfw_vnode_check_setmode,
.mpo_vnode_check_setowner = ugidfw_vnode_check_setowner,
.mpo_vnode_check_setutimes = ugidfw_vnode_check_setutimes,
.mpo_vnode_check_stat = ugidfw_vnode_check_stat,
.mpo_vnode_check_unlink = ugidfw_vnode_check_unlink,
};
MAC_POLICY_SET(&mac_bsdextended_ops, mac_bsdextended,
"TrustedBSD MAC/BSD Extended", MPC_LOADTIME_FLAG_UNLOADOK, NULL);
MAC_POLICY_SET(&ugidfw_ops, mac_bsdextended, "TrustedBSD MAC/BSD Extended",
MPC_LOADTIME_FLAG_UNLOADOK, NULL);

59
sys/security/mac_ifoff/mac_ifoff.c
View File

@ -40,6 +40,7 @@
/*
* Developed by the TrustedBSD Project.
*
* Limit access to interfaces until they are specifically administratively
* enabled. Prevents protocol stack-driven packet leakage in unsafe
* environments.
@ -61,38 +62,38 @@ SYSCTL_DECL(_security_mac);
SYSCTL_NODE(_security_mac, OID_AUTO, ifoff, CTLFLAG_RW, 0,
"TrustedBSD mac_ifoff policy controls");
static int mac_ifoff_enabled = 1;
static int ifoff_enabled = 1;
SYSCTL_INT(_security_mac_ifoff, OID_AUTO, enabled, CTLFLAG_RW,
&mac_ifoff_enabled, 0, "Enforce ifoff policy");
TUNABLE_INT("security.mac.ifoff.enabled", &mac_ifoff_enabled);
&ifoff_enabled, 0, "Enforce ifoff policy");
TUNABLE_INT("security.mac.ifoff.enabled", &ifoff_enabled);
static int mac_ifoff_lo_enabled = 1;
static int ifoff_lo_enabled = 1;
SYSCTL_INT(_security_mac_ifoff, OID_AUTO, lo_enabled, CTLFLAG_RW,
&mac_ifoff_lo_enabled, 0, "Enable loopback interfaces");
TUNABLE_INT("security.mac.ifoff.lo_enabled", &mac_ifoff_lo_enabled);
&ifoff_lo_enabled, 0, "Enable loopback interfaces");
TUNABLE_INT("security.mac.ifoff.lo_enabled", &ifoff_lo_enabled);
static int mac_ifoff_other_enabled = 0;
static int ifoff_other_enabled = 0;
SYSCTL_INT(_security_mac_ifoff, OID_AUTO, other_enabled, CTLFLAG_RW,
&mac_ifoff_other_enabled, 0, "Enable other interfaces");
TUNABLE_INT("security.mac.ifoff.other_enabled", &mac_ifoff_other_enabled);
&ifoff_other_enabled, 0, "Enable other interfaces");
TUNABLE_INT("security.mac.ifoff.other_enabled", &ifoff_other_enabled);
static int mac_ifoff_bpfrecv_enabled = 0;
static int ifoff_bpfrecv_enabled = 0;
SYSCTL_INT(_security_mac_ifoff, OID_AUTO, bpfrecv_enabled, CTLFLAG_RW,
&mac_ifoff_bpfrecv_enabled, 0, "Enable BPF reception even when interface "
&ifoff_bpfrecv_enabled, 0, "Enable BPF reception even when interface "
"is disabled");
TUNABLE_INT("security.mac.ifoff.bpfrecv.enabled", &mac_ifoff_bpfrecv_enabled);
TUNABLE_INT("security.mac.ifoff.bpfrecv.enabled", &ifoff_bpfrecv_enabled);
static int
ifnet_check_outgoing(struct ifnet *ifp)
{
if (!mac_ifoff_enabled)
if (!ifoff_enabled)
return (0);
if (mac_ifoff_lo_enabled && ifp->if_type == IFT_LOOP)
if (ifoff_lo_enabled && ifp->if_type == IFT_LOOP)
return (0);
if (mac_ifoff_other_enabled && ifp->if_type != IFT_LOOP)
if (ifoff_other_enabled && ifp->if_type != IFT_LOOP)
return (0);
return (EPERM);
@ -101,23 +102,23 @@ ifnet_check_outgoing(struct ifnet *ifp)
static int
ifnet_check_incoming(struct ifnet *ifp, int viabpf)
{
if (!mac_ifoff_enabled)
if (!ifoff_enabled)
return (0);
if (mac_ifoff_lo_enabled && ifp->if_type == IFT_LOOP)
if (ifoff_lo_enabled && ifp->if_type == IFT_LOOP)
return (0);
if (mac_ifoff_other_enabled && ifp->if_type != IFT_LOOP)
if (ifoff_other_enabled && ifp->if_type != IFT_LOOP)
return (0);
if (viabpf && mac_ifoff_bpfrecv_enabled)
if (viabpf && ifoff_bpfrecv_enabled)
return (0);
return (EPERM);
}
static int
mac_ifoff_bpfdesc_check_receive(struct bpf_d *d, struct label *dlabel,
ifoff_bpfdesc_check_receive(struct bpf_d *d, struct label *dlabel,
struct ifnet *ifp, struct label *ifplabel)
{
@ -125,7 +126,7 @@ mac_ifoff_bpfdesc_check_receive(struct bpf_d *d, struct label *dlabel,
}
static int
mac_ifoff_ifnet_check_transmit(struct ifnet *ifp, struct label *ifplabel,
ifoff_ifnet_check_transmit(struct ifnet *ifp, struct label *ifplabel,
struct mbuf *m, struct label *mlabel)
{
@ -133,7 +134,7 @@ mac_ifoff_ifnet_check_transmit(struct ifnet *ifp, struct label *ifplabel,
}
static int
mac_ifoff_inpcb_check_deliver(struct inpcb *inp, struct label *inplabel,
ifoff_inpcb_check_deliver(struct inpcb *inp, struct label *inplabel,
struct mbuf *m, struct label *mlabel)
{
@ -145,7 +146,7 @@ mac_ifoff_inpcb_check_deliver(struct inpcb *inp, struct label *inplabel,
}
static int
mac_ifoff_socket_check_deliver(struct socket *so, struct label *solabel,
ifoff_socket_check_deliver(struct socket *so, struct label *solabel,
struct mbuf *m, struct label *mlabel)
{
@ -156,13 +157,13 @@ mac_ifoff_socket_check_deliver(struct socket *so, struct label *solabel,
return (0);
}
static struct mac_policy_ops mac_ifoff_ops =
static struct mac_policy_ops ifoff_ops =
{
.mpo_bpfdesc_check_receive = mac_ifoff_bpfdesc_check_receive,
.mpo_ifnet_check_transmit = mac_ifoff_ifnet_check_transmit,
.mpo_inpcb_check_deliver = mac_ifoff_inpcb_check_deliver,
.mpo_socket_check_deliver = mac_ifoff_socket_check_deliver,
.mpo_bpfdesc_check_receive = ifoff_bpfdesc_check_receive,
.mpo_ifnet_check_transmit = ifoff_ifnet_check_transmit,
.mpo_inpcb_check_deliver = ifoff_inpcb_check_deliver,
.mpo_socket_check_deliver = ifoff_socket_check_deliver,
};
MAC_POLICY_SET(&mac_ifoff_ops, mac_ifoff, "TrustedBSD MAC/ifoff",
MAC_POLICY_SET(&ifoff_ops, mac_ifoff, "TrustedBSD MAC/ifoff",
MPC_LOADTIME_FLAG_UNLOADOK, NULL);

1246
sys/security/mac_lomac/mac_lomac.c
View File

File diff suppressed because it is too large Load Diff

1443
sys/security/mac_mls/mac_mls.c
View File

File diff suppressed because it is too large Load Diff

4
sys/security/mac_none/mac_none.c
View File

@ -48,9 +48,9 @@
#include <security/mac/mac_policy.h>
static struct mac_policy_ops mac_none_ops =
static struct mac_policy_ops none_ops =
{
};
MAC_POLICY_SET(&mac_none_ops, mac_none, "TrustedBSD MAC/None",
MAC_POLICY_SET(&none_ops, mac_none, "TrustedBSD MAC/None",
MPC_LOADTIME_FLAG_UNLOADOK, NULL);

71
sys/security/mac_partition/mac_partition.c
View File

@ -40,6 +40,7 @@
/*
* Developed by the TrustedBSD Project.
*
* Experiment with a partition-like model.
*/
@ -69,28 +70,28 @@ static int partition_slot;
#define SLOT_SET(l, v) mac_label_set((l), partition_slot, (v))
static void
mac_partition_init_label(struct label *label)
partition_init_label(struct label *label)
{
SLOT_SET(label, 0);
}
static void
mac_partition_destroy_label(struct label *label)
partition_destroy_label(struct label *label)
{
SLOT_SET(label, 0);
}
static void
mac_partition_copy_label(struct label *src, struct label *dest)
partition_copy_label(struct label *src, struct label *dest)
{
SLOT_SET(dest, SLOT(src));
}
static int
mac_partition_externalize_label(struct label *label, char *element_name,
partition_externalize_label(struct label *label, char *element_name,
struct sbuf *sb, int *claimed)
{
@ -106,7 +107,7 @@ mac_partition_externalize_label(struct label *label, char *element_name,
}
static int
mac_partition_internalize_label(struct label *label, char *element_name,
partition_internalize_label(struct label *label, char *element_name,
char *element_data, int *claimed)
{
@ -119,21 +120,21 @@ mac_partition_internalize_label(struct label *label, char *element_name,
}
static void
mac_partition_proc_create_swapper(struct ucred *cred)
partition_proc_create_swapper(struct ucred *cred)
{
SLOT_SET(cred->cr_label, 0);
}
static void
mac_partition_proc_create_init(struct ucred *cred)
partition_proc_create_init(struct ucred *cred)
{
SLOT_SET(cred->cr_label, 0);
}
static void
mac_partition_cred_relabel(struct ucred *cred, struct label *newlabel)
partition_cred_relabel(struct ucred *cred, struct label *newlabel)
{
if (SLOT(newlabel) != 0)
@ -157,7 +158,7 @@ label_on_label(struct label *subject, struct label *object)
}
static int
mac_partition_cred_check_relabel(struct ucred *cred, struct label *newlabel)
partition_cred_check_relabel(struct ucred *cred, struct label *newlabel)
{
int error;
@ -167,9 +168,9 @@ mac_partition_cred_check_relabel(struct ucred *cred, struct label *newlabel)
if (SLOT(newlabel) != 0) {
/*
* Require BSD privilege in order to change the partition.
* Originally we also required that the process not be
* in a partition in the first place, but this didn't
* interact well with sendmail.
* Originally we also required that the process not be in a
* partition in the first place, but this didn't interact
* well with sendmail.
*/
error = priv_check_cred(cred, PRIV_MAC_PARTITION, 0);
}
@ -178,7 +179,7 @@ mac_partition_cred_check_relabel(struct ucred *cred, struct label *newlabel)
}
static int
mac_partition_cred_check_visible(struct ucred *cr1, struct ucred *cr2)
partition_cred_check_visible(struct ucred *cr1, struct ucred *cr2)
{
int error;
@ -188,7 +189,7 @@ mac_partition_cred_check_visible(struct ucred *cr1, struct ucred *cr2)
}
static int
mac_partition_proc_check_debug(struct ucred *cred, struct proc *p)
partition_proc_check_debug(struct ucred *cred, struct proc *p)
{
int error;
@ -198,7 +199,7 @@ mac_partition_proc_check_debug(struct ucred *cred, struct proc *p)
}
static int
mac_partition_proc_check_sched(struct ucred *cred, struct proc *p)
partition_proc_check_sched(struct ucred *cred, struct proc *p)
{
int error;
@ -208,7 +209,7 @@ mac_partition_proc_check_sched(struct ucred *cred, struct proc *p)
}
static int
mac_partition_proc_check_signal(struct ucred *cred, struct proc *p,
partition_proc_check_signal(struct ucred *cred, struct proc *p,
int signum)
{
int error;
@ -219,7 +220,7 @@ mac_partition_proc_check_signal(struct ucred *cred, struct proc *p,
}
static int
mac_partition_socket_check_visible(struct ucred *cred, struct socket *so,
partition_socket_check_visible(struct ucred *cred, struct socket *so,
struct label *solabel)
{
int error;
@ -230,7 +231,7 @@ mac_partition_socket_check_visible(struct ucred *cred, struct socket *so,
}
static int
mac_partition_vnode_check_exec(struct ucred *cred, struct vnode *vp,
partition_vnode_check_exec(struct ucred *cred, struct vnode *vp,
struct label *vplabel, struct image_params *imgp,
struct label *execlabel)
{
@ -248,24 +249,24 @@ mac_partition_vnode_check_exec(struct ucred *cred, struct vnode *vp,
return (0);
}
static struct mac_policy_ops mac_partition_ops =
static struct mac_policy_ops partition_ops =
{
.mpo_cred_init_label = mac_partition_init_label,
.mpo_cred_destroy_label = mac_partition_destroy_label,
.mpo_cred_copy_label = mac_partition_copy_label,
.mpo_cred_externalize_label = mac_partition_externalize_label,
.mpo_cred_internalize_label = mac_partition_internalize_label,
.mpo_proc_create_swapper = mac_partition_proc_create_swapper,
.mpo_proc_create_init = mac_partition_proc_create_init,
.mpo_cred_relabel = mac_partition_cred_relabel,
.mpo_cred_check_relabel = mac_partition_cred_check_relabel,
.mpo_cred_check_visible = mac_partition_cred_check_visible,
.mpo_proc_check_debug = mac_partition_proc_check_debug,
.mpo_proc_check_sched = mac_partition_proc_check_sched,
.mpo_proc_check_signal = mac_partition_proc_check_signal,
.mpo_socket_check_visible = mac_partition_socket_check_visible,
.mpo_vnode_check_exec = mac_partition_vnode_check_exec,
.mpo_cred_init_label = partition_init_label,
.mpo_cred_destroy_label = partition_destroy_label,
.mpo_cred_copy_label = partition_copy_label,
.mpo_cred_externalize_label = partition_externalize_label,
.mpo_cred_internalize_label = partition_internalize_label,
.mpo_proc_create_swapper = partition_proc_create_swapper,
.mpo_proc_create_init = partition_proc_create_init,
.mpo_cred_relabel = partition_cred_relabel,
.mpo_cred_check_relabel = partition_cred_check_relabel,
.mpo_cred_check_visible = partition_cred_check_visible,
.mpo_proc_check_debug = partition_proc_check_debug,
.mpo_proc_check_sched = partition_proc_check_sched,
.mpo_proc_check_signal = partition_proc_check_signal,
.mpo_socket_check_visible = partition_socket_check_visible,
.mpo_vnode_check_exec = partition_vnode_check_exec,
};
MAC_POLICY_SET(&mac_partition_ops, mac_partition, "TrustedBSD MAC/Partition",
MAC_POLICY_SET(&partition_ops, mac_partition, "TrustedBSD MAC/Partition",
MPC_LOADTIME_FLAG_UNLOADOK, &partition_slot);

52
sys/security/mac_portacl/mac_portacl.c
View File

@ -48,15 +48,15 @@
* out-going connections where the process hasn't explicitly selected a port:
* these are automatically selected by the IP stack.
*
* To use this module, security.mac.enforce_socket must be enabled, and
* you will probably want to twiddle the net.inet sysctl listed above.
* Then use sysctl(8) to modify the rules string:
* To use this module, security.mac.enforce_socket must be enabled, and you
* will probably want to twiddle the net.inet sysctl listed above. Then use
* sysctl(8) to modify the rules string:
*
* # sysctl security.mac.portacl.rules="uid:425:tcp:80,uid:425:tcp:79"
*
* This ruleset, for example, permits uid 425 to bind TCP ports 80 (http)
* and 79 (finger). User names and group names can't be used directly
* because the kernel only knows about uids and gids.
* This ruleset, for example, permits uid 425 to bind TCP ports 80 (http) and
* 79 (finger). User names and group names can't be used directly because
* the kernel only knows about uids and gids.
*/
#include <sys/param.h>
@ -86,30 +86,30 @@ SYSCTL_DECL(_security_mac);
SYSCTL_NODE(_security_mac, OID_AUTO, portacl, CTLFLAG_RW, 0,
"TrustedBSD mac_portacl policy controls");
static int mac_portacl_enabled = 1;
static int portacl_enabled = 1;
SYSCTL_INT(_security_mac_portacl, OID_AUTO, enabled, CTLFLAG_RW,
&mac_portacl_enabled, 0, "Enforce portacl policy");
TUNABLE_INT("security.mac.portacl.enabled", &mac_portacl_enabled);
&portacl_enabled, 0, "Enforce portacl policy");
TUNABLE_INT("security.mac.portacl.enabled", &portacl_enabled);
static int mac_portacl_suser_exempt = 1;
static int portacl_suser_exempt = 1;
SYSCTL_INT(_security_mac_portacl, OID_AUTO, suser_exempt, CTLFLAG_RW,
&mac_portacl_suser_exempt, 0, "Privilege permits binding of any port");
&portacl_suser_exempt, 0, "Privilege permits binding of any port");
TUNABLE_INT("security.mac.portacl.suser_exempt",
&mac_portacl_suser_exempt);
&portacl_suser_exempt);
static int mac_portacl_autoport_exempt = 1;
static int portacl_autoport_exempt = 1;
SYSCTL_INT(_security_mac_portacl, OID_AUTO, autoport_exempt, CTLFLAG_RW,
&mac_portacl_autoport_exempt, 0, "Allow automatic allocation through "
&portacl_autoport_exempt, 0, "Allow automatic allocation through "
"binding port 0 if not IP_PORTRANGELOW");
TUNABLE_INT("security.mac.portacl.autoport_exempt",
&mac_portacl_autoport_exempt);
&portacl_autoport_exempt);
static int mac_portacl_port_high = 1023;
static int portacl_port_high = 1023;
SYSCTL_INT(_security_mac_portacl, OID_AUTO, port_high, CTLFLAG_RW,
&mac_portacl_port_high, 0, "Highest port to enforce for");
TUNABLE_INT("security.mac.portacl.port_high", &mac_portacl_port_high);
&portacl_port_high, 0, "Highest port to enforce for");
TUNABLE_INT("security.mac.portacl.port_high", &portacl_port_high);
MALLOC_DEFINE(M_PORTACL, "mac_portacl_rule", "Rules for mac_portacl");
MALLOC_DEFINE(M_PORTACL, "portacl_rule", "Rules for mac_portacl");
#define MAC_RULE_STRING_LEN 1024
@ -389,7 +389,7 @@ rules_check(struct ucred *cred, int family, int type, u_int16_t port)
cred->cr_uid, family, type, port);
#endif
if (port > mac_portacl_port_high)
if (port > portacl_port_high)
return (0);
error = EPERM;
@ -422,7 +422,7 @@ rules_check(struct ucred *cred, int family, int type, u_int16_t port)
}
mtx_unlock(&rule_mtx);
if (error != 0 && mac_portacl_suser_exempt != 0)
if (error != 0 && portacl_suser_exempt != 0)
error = priv_check_cred(cred, PRIV_NETINET_RESERVEDPORT, 0);
return (error);
@ -443,7 +443,7 @@ socket_check_bind(struct ucred *cred, struct socket *so,
u_int16_t port;
/* Only run if we are enabled. */
if (mac_portacl_enabled == 0)
if (portacl_enabled == 0)
return (0);
/* Only interested in IPv4 and IPv6 sockets. */
@ -473,7 +473,7 @@ socket_check_bind(struct ucred *cred, struct socket *so,
* flag exempts port 0 allocation from rule checking as long as a low
* port isn't required.
*/
if (mac_portacl_autoport_exempt && port == 0) {
if (portacl_autoport_exempt && port == 0) {
inp = sotoinpcb(so);
if ((inp->inp_flags & INP_LOWPORT) == 0)
return (0);
@ -482,12 +482,12 @@ socket_check_bind(struct ucred *cred, struct socket *so,
return (rules_check(cred, family, type, port));
}
static struct mac_policy_ops mac_portacl_ops =
static struct mac_policy_ops portacl_ops =
{
.mpo_destroy = destroy,
.mpo_init = init,
.mpo_socket_check_bind = socket_check_bind,
};
MAC_POLICY_SET(&mac_portacl_ops, trustedbsd_mac_portacl,
"TrustedBSD MAC/portacl", MPC_LOADTIME_FLAG_UNLOADOK, NULL);
MAC_POLICY_SET(&portacl_ops, mac_portacl, "TrustedBSD MAC/portacl",
MPC_LOADTIME_FLAG_UNLOADOK, NULL);

42
sys/security/mac_seeotheruids/mac_seeotheruids.c
View File

@ -61,9 +61,9 @@ SYSCTL_DECL(_security_mac);
SYSCTL_NODE(_security_mac, OID_AUTO, seeotheruids, CTLFLAG_RW, 0,
"TrustedBSD mac_seeotheruids policy controls");
static int mac_seeotheruids_enabled = 1;
static int seeotheruids_enabled = 1;
SYSCTL_INT(_security_mac_seeotheruids, OID_AUTO, enabled, CTLFLAG_RW,
&mac_seeotheruids_enabled, 0, "Enforce seeotheruids policy");
&seeotheruids_enabled, 0, "Enforce seeotheruids policy");
/*
* Exception: allow credentials to be aware of other credentials with the
@ -97,10 +97,10 @@ SYSCTL_INT(_security_mac_seeotheruids, OID_AUTO, specificgid, CTLFLAG_RW,
&specificgid, 0, "Specific gid to be exempt from seeotheruids policy");
static int
mac_seeotheruids_check(struct ucred *cr1, struct ucred *cr2)
seeotheruids_check(struct ucred *cr1, struct ucred *cr2)
{
if (!mac_seeotheruids_enabled)
if (!seeotheruids_enabled)
return (0);
if (primarygroup_enabled) {
@ -126,50 +126,50 @@ mac_seeotheruids_check(struct ucred *cr1, struct ucred *cr2)
}
static int
mac_seeotheruids_cred_check_visible(struct ucred *cr1, struct ucred *cr2)
seeotheruids_cred_check_visible(struct ucred *cr1, struct ucred *cr2)
{
return (mac_seeotheruids_check(cr1, cr2));
return (seeotheruids_check(cr1, cr2));
}
static int
mac_seeotheruids_proc_check_signal(struct ucred *cred, struct proc *p,
seeotheruids_proc_check_signal(struct ucred *cred, struct proc *p,
int signum)
{
return (mac_seeotheruids_check(cred, p->p_ucred));
return (seeotheruids_check(cred, p->p_ucred));
}
static int
mac_seeotheruids_proc_check_sched(struct ucred *cred, struct proc *p)
seeotheruids_proc_check_sched(struct ucred *cred, struct proc *p)
{
return (mac_seeotheruids_check(cred, p->p_ucred));
return (seeotheruids_check(cred, p->p_ucred));
}
static int
mac_seeotheruids_proc_check_debug(struct ucred *cred, struct proc *p)
seeotheruids_proc_check_debug(struct ucred *cred, struct proc *p)
{
return (mac_seeotheruids_check(cred, p->p_ucred));
return (seeotheruids_check(cred, p->p_ucred));
}
static int
mac_seeotheruids_socket_check_visible(struct ucred *cred, struct socket *so,
seeotheruids_socket_check_visible(struct ucred *cred, struct socket *so,
struct label *solabel)
{
return (mac_seeotheruids_check(cred, so->so_cred));
return (seeotheruids_check(cred, so->so_cred));
}
static struct mac_policy_ops mac_seeotheruids_ops =
static struct mac_policy_ops seeotheruids_ops =
{
.mpo_cred_check_visible = mac_seeotheruids_cred_check_visible,
.mpo_proc_check_debug = mac_seeotheruids_proc_check_debug,
.mpo_proc_check_sched = mac_seeotheruids_proc_check_sched,
.mpo_proc_check_signal = mac_seeotheruids_proc_check_signal,
.mpo_socket_check_visible = mac_seeotheruids_socket_check_visible,
.mpo_cred_check_visible = seeotheruids_cred_check_visible,
.mpo_proc_check_debug = seeotheruids_proc_check_debug,
.mpo_proc_check_sched = seeotheruids_proc_check_sched,
.mpo_proc_check_signal = seeotheruids_proc_check_signal,
.mpo_socket_check_visible = seeotheruids_socket_check_visible,
};
MAC_POLICY_SET(&mac_seeotheruids_ops, mac_seeotheruids,
MAC_POLICY_SET(&seeotheruids_ops, mac_seeotheruids,
"TrustedBSD MAC/seeotheruids", MPC_LOADTIME_FLAG_UNLOADOK, NULL);

4
sys/security/mac_stub/mac_stub.c
View File

@ -1434,7 +1434,7 @@ stub_priv_grant(struct ucred *cred, int priv)
return (EPERM);
}
static struct mac_policy_ops mac_stub_ops =
static struct mac_policy_ops stub_ops =
{
.mpo_destroy = stub_destroy,
.mpo_init = stub_init,
@ -1660,5 +1660,5 @@ static struct mac_policy_ops mac_stub_ops =
.mpo_create_mbuf_from_syncache = stub_create_mbuf_from_syncache,
};
MAC_POLICY_SET(&mac_stub_ops, mac_stub, "TrustedBSD MAC/Stub",
MAC_POLICY_SET(&stub_ops, mac_stub, "TrustedBSD MAC/Stub",
MPC_LOADTIME_FLAG_UNLOADOK, NULL);

826
sys/security/mac_test/mac_test.c
View File

File diff suppressed because it is too large Load Diff