Introduce support for Mandatory Access Control and extensible

kernel access control. Invoke the necessary MAC entry points to maintain labels on process credentials. In particular, invoke entry points for the initialization and destruction of struct ucred, the copying of struct ucred, and permit the initial labels to be set for both process 0 (parent of all kernel processes) and process 1 (parent of all user processes). Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
2002-07-31 00:39:19 +00:00 · 2002-07-31 00:39:19 +00:00 · 4024496496
commit 4024496496
parent 47ac133d33
2 changed files with 19 additions and 0 deletions
--- a/sys/kern/init_main.c
+++ b/sys/kern/init_main.c
@ -43,6 +43,7 @@
 */

 #include "opt_init_path.h"
+#include "opt_mac.h"

 #include <sys/param.h>
 #include <sys/kernel.h>
@ -50,6 +51,7 @@
 #include <sys/filedesc.h>
 #include <sys/ktr.h>
 #include <sys/lock.h>
+#include <sys/mac.h>
 #include <sys/mount.h>
 #include <sys/mutex.h>
 #include <sys/sysctl.h>
@ -362,6 +364,9 @@ KASSERT((ke->ke_kgrlist.tqe_next != ke), ("linked to self!"));
 	p->p_ucred->cr_uidinfo = uifind(0);
 	p->p_ucred->cr_ruidinfo = uifind(0);
 	p->p_ucred->cr_prison = NULL;	/* Don't jail it. */
+#ifdef MAC
+	mac_create_proc0(p->p_ucred);
+#endif
 	td->td_ucred = crhold(p->p_ucred);

 	/* Create procsig. */
@ -657,6 +662,9 @@ create_init(const void *udata __unused)
 	initproc->p_flag |= P_SYSTEM;
 	oldcred = initproc->p_ucred;
 	crcopy(newcred, oldcred);
+#ifdef MAC
+	mac_create_proc1(newcred);
+#endif
 	initproc->p_ucred = newcred;
 	PROC_UNLOCK(initproc);
 	crfree(oldcred);
--- a/sys/kern/kern_prot.c
+++ b/sys/kern/kern_prot.c
@ -45,6 +45,7 @@
 */

 #include "opt_compat.h"
+#include "opt_mac.h"

 #include <sys/param.h>
 #include <sys/systm.h>
@ -52,6 +53,7 @@
 #include <sys/kernel.h>
 #include <sys/lock.h>
 #include <sys/malloc.h>
+#include <sys/mac.h>
 #include <sys/mutex.h>
 #include <sys/sx.h>
 #include <sys/proc.h>
@ -1670,6 +1672,9 @@ crget(void)
 	MALLOC(cr, struct ucred *, sizeof(*cr), M_CRED, M_WAITOK | M_ZERO);
 	cr->cr_ref = 1;
 	cr->cr_mtxp = mtx_pool_find(cr);
+#ifdef MAC
+	mac_init_cred(cr);
+#endif
 	return (cr);
 }

@ -1714,6 +1719,9 @@ crfree(struct ucred *cr)
 		 */
 		if (jailed(cr))
 			prison_free(cr->cr_prison);
+#ifdef MAC
+		mac_destroy_cred(cr);
+#endif
 		FREE(cr, M_CRED);
 		mtx_unlock(&Giant);
 	} else {
@ -1750,6 +1758,9 @@ crcopy(struct ucred *dest, struct ucred *src)
 	uihold(dest->cr_ruidinfo);
 	if (jailed(dest))
 		prison_hold(dest->cr_prison);
+#ifdef MAC
+	mac_create_cred(src, dest);
+#endif
 }

 /*