From 583b25a64f2aaa24c8694f63278278ffbf4c05d2 Mon Sep 17 00:00:00 2001
From: rwatson
Date: Mon, 19 Sep 2005 13:59:57 +0000
Subject: [PATCH] Remove mac_create_root_mount() and mpo_create_root_mount(), which provided access to the root file system before the start of the init process. This was used briefly by SEBSD before it knew about preloading data in the loader, and using that method to gain access to data earlier results in fewer inconsistencies in the approach. Policy modules still have access to the root file system creation event through the mac_create_mount() entry point. Removed now, and will be removed from RELENG_6, in order to gain third party policy dependencies on the entry point for the lifetime of the 6.x branch.
MFC after: 3 days
Submitted by: Chris Vance
Sponsored by: SPARTA
---
 sys/kern/init_main.c | 4 ----
 sys/security/mac/mac_vfs.c | 8 --------
 sys/security/mac_biba/mac_biba.c | 14 --------------
 sys/security/mac_lomac/mac_lomac.c | 14 --------------
 sys/security/mac_mls/mac_mls.c | 14 --------------
 sys/security/mac_stub/mac_stub.c | 8 --------
 sys/security/mac_test/mac_test.c | 11 -----------
 7 files changed, 73 deletions(-)
diff --git a/sys/kern/init_main.c b/sys/kern/init_main.c
index fd8ae7a7b905..7e2396d51ced 100644
--- a/sys/kern/init_main.c
+++ b/sys/kern/init_main.c
@@ -533,10 +533,6 @@ start_init(void *dummy)
 vfs_mountroot();
-#ifdef MAC
- mac_create_root_mount(td->td_ucred, TAILQ_FIRST(&mountlist));
-#endif
-
 /*
 * Need just enough stack to hold the faked-up "execve()" arguments.
 */
diff --git a/sys/security/mac/mac_vfs.c b/sys/security/mac/mac_vfs.c
index 647697b0055c..59aa61bc792d 100644
--- a/sys/security/mac/mac_vfs.c
+++ b/sys/security/mac/mac_vfs.c
@@ -921,14 +921,6 @@ mac_create_mount(struct ucred *cred, struct mount *mp)
 mp->mnt_fslabel);
 }
-void
-mac_create_root_mount(struct ucred *cred, struct mount *mp)
-{
-
- MAC_PERFORM(create_root_mount, cred, mp, mp->mnt_mntlabel,
- mp->mnt_fslabel);
-}
-
 int
 mac_check_mount_stat(struct ucred *cred, struct mount *mount)
 {
diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c
index 8d5e9db8da36..946ec9004039 100644
--- a/sys/security/mac_biba/mac_biba.c
+++ b/sys/security/mac_biba/mac_biba.c
@@ -837,19 +837,6 @@ mac_biba_create_mount(struct ucred *cred, struct mount *mp,
 mac_biba_copy_effective(source, dest);
 }
-static void
-mac_biba_create_root_mount(struct ucred *cred, struct mount *mp,
- struct label *mntlabel, struct label *fslabel)
-{
- struct mac_biba *mac_biba;
-
- /* Always mount root as high integrity. */
- mac_biba = SLOT(fslabel);
- mac_biba_set_effective(mac_biba, MAC_BIBA_TYPE_HIGH, 0, NULL);
- mac_biba = SLOT(mntlabel);
- mac_biba_set_effective(mac_biba, MAC_BIBA_TYPE_HIGH, 0, NULL);
-}
-
 static void
 mac_biba_relabel_vnode(struct ucred *cred, struct vnode *vp,
 struct label *vnodelabel, struct label *label)
@@ -3086,7 +3073,6 @@ static struct mac_policy_ops mac_biba_ops =
 .mpo_create_devfs_directory = mac_biba_create_devfs_directory,
 .mpo_create_devfs_symlink = mac_biba_create_devfs_symlink,
 .mpo_create_mount = mac_biba_create_mount,
- .mpo_create_root_mount = mac_biba_create_root_mount,
 .mpo_relabel_vnode = mac_biba_relabel_vnode,
 .mpo_update_devfsdirent = mac_biba_update_devfsdirent,
 .mpo_associate_vnode_devfs = mac_biba_associate_vnode_devfs,
diff --git a/sys/security/mac_lomac/mac_lomac.c b/sys/security/mac_lomac/mac_lomac.c
index cb2ebdfc421b..6808257dcc15 100644
--- a/sys/security/mac_lomac/mac_lomac.c
+++ b/sys/security/mac_lomac/mac_lomac.c
@@ -958,19 +958,6 @@ mac_lomac_create_mount(struct ucred *cred, struct mount *mp,
 mac_lomac_copy_single(source, dest);
 }
-static void
-mac_lomac_create_root_mount(struct ucred *cred, struct mount *mp,
- struct label *mntlabel, struct label *fslabel)
-{
- struct mac_lomac *mac_lomac;
-
- /* Always mount root as high integrity. */
- mac_lomac = SLOT(fslabel);
- mac_lomac_set_single(mac_lomac, MAC_LOMAC_TYPE_HIGH, 0);
- mac_lomac = SLOT(mntlabel);
- mac_lomac_set_single(mac_lomac, MAC_LOMAC_TYPE_HIGH, 0);
-}
-
 static void
 mac_lomac_relabel_vnode(struct ucred *cred, struct vnode *vp,
 struct label *vnodelabel, struct label *label)
@@ -2617,7 +2604,6 @@ static struct mac_policy_ops mac_lomac_ops =
 .mpo_create_devfs_directory = mac_lomac_create_devfs_directory,
 .mpo_create_devfs_symlink = mac_lomac_create_devfs_symlink,
 .mpo_create_mount = mac_lomac_create_mount,
- .mpo_create_root_mount = mac_lomac_create_root_mount,
 .mpo_relabel_vnode = mac_lomac_relabel_vnode,
 .mpo_update_devfsdirent = mac_lomac_update_devfsdirent,
 .mpo_associate_vnode_devfs = mac_lomac_associate_vnode_devfs,
diff --git a/sys/security/mac_mls/mac_mls.c b/sys/security/mac_mls/mac_mls.c
index 1599cc0a4c58..ffd97f82486b 100644
--- a/sys/security/mac_mls/mac_mls.c
+++ b/sys/security/mac_mls/mac_mls.c
@@ -806,19 +806,6 @@ mac_mls_create_mount(struct ucred *cred, struct mount *mp,
 mac_mls_copy_effective(source, dest);
 }
-static void
-mac_mls_create_root_mount(struct ucred *cred, struct mount *mp,
- struct label *mntlabel, struct label *fslabel)
-{
- struct mac_mls *mac_mls;
-
- /* Always mount root as high integrity. */
- mac_mls = SLOT(fslabel);
- mac_mls_set_effective(mac_mls, MAC_MLS_TYPE_LOW, 0, NULL);
- mac_mls = SLOT(mntlabel);
- mac_mls_set_effective(mac_mls, MAC_MLS_TYPE_LOW, 0, NULL);
-}
-
 static void
 mac_mls_relabel_vnode(struct ucred *cred, struct vnode *vp,
 struct label *vnodelabel, struct label *label)
@@ -2860,7 +2847,6 @@ static struct mac_policy_ops mac_mls_ops =
 .mpo_create_devfs_directory = mac_mls_create_devfs_directory,
 .mpo_create_devfs_symlink = mac_mls_create_devfs_symlink,
 .mpo_create_mount = mac_mls_create_mount,
- .mpo_create_root_mount = mac_mls_create_root_mount,
 .mpo_relabel_vnode = mac_mls_relabel_vnode,
 .mpo_update_devfsdirent = mac_mls_update_devfsdirent,
 .mpo_associate_vnode_devfs = mac_mls_associate_vnode_devfs,
diff --git a/sys/security/mac_stub/mac_stub.c b/sys/security/mac_stub/mac_stub.c
index 8ab11e976bd6..3be11ba9acf7 100644
--- a/sys/security/mac_stub/mac_stub.c
+++ b/sys/security/mac_stub/mac_stub.c
@@ -224,13 +224,6 @@ stub_create_mount(struct ucred *cred, struct mount *mp,
 }
-static void
-stub_create_root_mount(struct ucred *cred, struct mount *mp,
- struct label *mntlabel, struct label *fslabel)
-{
-
-}
-
 static void
 stub_relabel_vnode(struct ucred *cred, struct vnode *vp,
 struct label *vnodelabel, struct label *label)
@@ -1438,7 +1431,6 @@ static struct mac_policy_ops mac_stub_ops =
 .mpo_create_sysv_shm = stub_create_sysv_shm,
 .mpo_create_vnode_extattr = stub_create_vnode_extattr,
 .mpo_create_mount = stub_create_mount,
- .mpo_create_root_mount = stub_create_root_mount,
 .mpo_relabel_vnode = stub_relabel_vnode,
 .mpo_setlabel_vnode_extattr = stub_setlabel_vnode_extattr,
 .mpo_update_devfsdirent = stub_update_devfsdirent,
diff --git a/sys/security/mac_test/mac_test.c b/sys/security/mac_test/mac_test.c
index 3c51215518e4..a7441864debb 100644
--- a/sys/security/mac_test/mac_test.c
+++ b/sys/security/mac_test/mac_test.c
@@ -917,16 +917,6 @@ mac_test_create_mount(struct ucred *cred, struct mount *mp,
 ASSERT_MOUNT_LABEL(fslabel);
 }
-static void
-mac_test_create_root_mount(struct ucred *cred, struct mount *mp,
- struct label *mntlabel, struct label *fslabel)
-{
-
- ASSERT_CRED_LABEL(cred->cr_label);
- ASSERT_MOUNT_LABEL(mntlabel);
- ASSERT_MOUNT_LABEL(fslabel);
-}
-
 static void
 mac_test_relabel_vnode(struct ucred *cred, struct vnode *vp,
 struct label *vnodelabel, struct label *label)
@@ -2472,7 +2462,6 @@ static struct mac_policy_ops mac_test_ops =
 .mpo_create_devfs_symlink = mac_test_create_devfs_symlink,
 .mpo_create_vnode_extattr = mac_test_create_vnode_extattr,
 .mpo_create_mount = mac_test_create_mount,
- .mpo_create_root_mount = mac_test_create_root_mount,
 .mpo_relabel_vnode = mac_test_relabel_vnode,
 .mpo_setlabel_vnode_extattr = mac_test_setlabel_vnode_extattr,
 .mpo_update_devfsdirent = mac_test_update_devfsdirent,