Rename mac_associate_nfsd_label() to mac_proc_associate_nfsd(), and move it
from mac_vfs.c to mac_process.c to join the other functions that set up
process labels for specific purposes.  Unlike the two proc create calls,
this call is intended to run after creation, when a process registers as
the NFS daemon, so it remains an _associate_ call.

Obtained from:	TrustedBSD Project
This commit is contained in:
rwatson 2007-10-25 12:34:14 +00:00
parent 2fd98af619
commit 8756317538
8 changed files with 51 additions and 51 deletions


@ -361,7 +361,7 @@ nfs_getreq(struct nfsrv_descript *nd, struct nfsd *nfsd, int has_header)
nd->nd_cr->cr_groups[0] = nd->nd_cr->cr_rgid =
nd->nd_cr->cr_svgid = fxdr_unsigned(gid_t, *tl++);
#ifdef MAC
mac_associate_nfsd_label(nd->nd_cr);
mac_proc_associate_nfsd(nd->nd_cr);
#endif
len = fxdr_unsigned(int, *tl);
if (len < 0 || len > RPCAUTH_UNIXGIDS) {


@ -224,6 +224,7 @@ int mac_vnode_execve_will_transition(struct ucred *cred,
struct image_params *imgp);
void mac_proc_create_swapper(struct ucred *cred);
void mac_proc_create_init(struct ucred *cred);
void mac_proc_associate_nfsd(struct ucred *cred);
void mac_thread_userret(struct thread *td);
/*
@ -414,7 +415,6 @@ int mac_setsockopt_label(struct ucred *cred, struct socket *so,
int mac_pipe_label_set(struct ucred *cred, struct pipepair *pp,
struct label *label);
void mac_cred_mmapped_drop_perms(struct thread *td, struct ucred *cred);
void mac_associate_nfsd_label(struct ucred *cred);
int mac_priv_check(struct ucred *cred, int priv);
int mac_priv_grant(struct ucred *cred, int priv);


@ -607,7 +607,7 @@ typedef int (*mpo_vnode_check_unlink_t)(struct ucred *cred,
typedef int (*mpo_vnode_check_write_t)(struct ucred *active_cred,
struct ucred *file_cred, struct vnode *vp,
struct label *vplabel);
typedef void (*mpo_associate_nfsd_label_t)(struct ucred *cred);
typedef void (*mpo_proc_associate_nfsd_t)(struct ucred *cred);
typedef int (*mpo_priv_check_t)(struct ucred *cred, int priv);
typedef int (*mpo_priv_grant_t)(struct ucred *cred, int priv);
@ -765,6 +765,7 @@ struct mac_policy_ops {
mpo_vnode_execve_will_transition_t mpo_vnode_execve_will_transition;
mpo_proc_create_swapper_t mpo_proc_create_swapper;
mpo_proc_create_init_t mpo_proc_create_init;
mpo_proc_associate_nfsd_t mpo_proc_associate_nfsd;
mpo_cred_relabel_t mpo_cred_relabel;
mpo_placeholder_t _mpo_placeholder6;
mpo_thread_userret_t mpo_thread_userret;
@ -898,7 +899,6 @@ struct mac_policy_ops {
mpo_vnode_check_stat_t mpo_vnode_check_stat;
mpo_vnode_check_unlink_t mpo_vnode_check_unlink;
mpo_vnode_check_write_t mpo_vnode_check_write;
mpo_associate_nfsd_label_t mpo_associate_nfsd_label;
mpo_mbuf_create_from_firewall_t mpo_mbuf_create_from_firewall;
mpo_init_syncache_label_t mpo_init_syncache_label;
mpo_destroy_syncache_label_t mpo_destroy_syncache_label;


@ -192,6 +192,22 @@ mac_proc_create_init(struct ucred *cred)
MAC_PERFORM(proc_create_init, cred);
}
/*
* When a thread becomes an NFS server daemon, its credential may need to be
* updated to reflect this so that policies can recognize when file system
* operations originate from the network.
*
* At some point, it would be desirable if the credential used for each NFS
* RPC could be set based on the RPC context (i.e., source system, etc) to
* provide more fine-grained access control.
*/
void
mac_proc_associate_nfsd(struct ucred *cred)
{
MAC_PERFORM(proc_associate_nfsd, cred);
}
void
mac_thread_userret(struct thread *td)
{
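Review bot: The header comment carried over onto mac_proc_associate_nfsd still describes relabeling the credential of a thread that "becomes an NFS server daemon", but the only caller visible in this commit is nfs_getreq, which passes nd->nd_cr, a per-RPC credential whose gid fields were decoded from the client's AUTH_UNIX request on the lines just above the call. The new name and comment thus read as a one-time, per-process transition, whereas the hook appears to run per request on network-supplied identity, which the biba and mls implementations then pin to a LOW effective label with a LOW-HIGH range. Suggest stating that in the comment, e.g. `* Called by the NFS server on the credential built for each RPC (nd_cr) from the client-supplied AUTH_UNIX uid/gid; policies use this hook to mark such credentials as originating from the network.`, and keeping the existing second paragraph as the future-work note. mac_thread_userret's body continues outside the hunk.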


@ -876,19 +876,3 @@ vn_setlabel(struct vnode *vp, struct label *intlabel, struct ucred *cred)
return (0);
}
/*
* When a thread becomes an NFS server daemon, its credential may need to be
* updated to reflect this so that policies can recognize when file system
* operations originate from the network.
*
* At some point, it would be desirable if the credential used for each NFS
* RPC could be set based on the RPC context (i.e., source system, etc) to
* provide more fine-grained access control.
*/
void
mac_associate_nfsd_label(struct ucred *cred)
{
MAC_PERFORM(associate_nfsd_label, cred);
}


@ -1409,6 +1409,17 @@ biba_proc_create_init(struct ucred *cred)
0, NULL);
}
static void
biba_proc_associate_nfsd(struct ucred *cred)
{
struct mac_biba *label;
label = SLOT(cred->cr_label);
biba_set_effective(label, MAC_BIBA_TYPE_LOW, 0, NULL);
biba_set_range(label, MAC_BIBA_TYPE_LOW, 0, NULL, MAC_BIBA_TYPE_HIGH,
0, NULL);
}
static void
biba_cred_relabel(struct ucred *cred, struct label *newlabel)
{
@ -3199,17 +3210,6 @@ biba_vnode_check_write(struct ucred *active_cred,
return (0);
}
static void
biba_associate_nfsd_label(struct ucred *cred)
{
struct mac_biba *label;
label = SLOT(cred->cr_label);
biba_set_effective(label, MAC_BIBA_TYPE_LOW, 0, NULL);
biba_set_range(label, MAC_BIBA_TYPE_LOW, 0, NULL, MAC_BIBA_TYPE_HIGH,
0, NULL);
}
static void
biba_init_syncache_from_inpcb(struct label *label, struct inpcb *inp)
{
@ -3331,6 +3331,7 @@ static struct mac_policy_ops mac_biba_ops =
.mpo_inpcb_sosetlabel = biba_inpcb_sosetlabel,
.mpo_proc_create_swapper = biba_proc_create_swapper,
.mpo_proc_create_init = biba_proc_create_init,
.mpo_proc_associate_nfsd = biba_proc_associate_nfsd,
.mpo_cred_relabel = biba_cred_relabel,
.mpo_sysvmsg_cleanup = biba_sysvmsg_cleanup,
.mpo_sysvmsq_cleanup = biba_sysvmsq_cleanup,
@ -3411,7 +3412,6 @@ static struct mac_policy_ops mac_biba_ops =
.mpo_vnode_check_stat = biba_vnode_check_stat,
.mpo_vnode_check_unlink = biba_vnode_check_unlink,
.mpo_vnode_check_write = biba_vnode_check_write,
.mpo_associate_nfsd_label = biba_associate_nfsd_label,
.mpo_mbuf_create_from_firewall = biba_mbuf_create_from_firewall,
.mpo_priv_check = biba_priv_check,
};


@ -1354,6 +1354,17 @@ mls_proc_create_init(struct ucred *cred)
NULL);
}
static void
mls_proc_associate_nfsd(struct ucred *cred)
{
struct mac_mls *label;
label = SLOT(cred->cr_label);
mls_set_effective(label, MAC_MLS_TYPE_LOW, 0, NULL);
mls_set_range(label, MAC_MLS_TYPE_LOW, 0, NULL, MAC_MLS_TYPE_HIGH, 0,
NULL);
}
static void
mls_cred_relabel(struct ucred *cred, struct label *newlabel)
{
@ -2847,17 +2858,6 @@ mls_vnode_check_write(struct ucred *active_cred, struct ucred *file_cred,
return (0);
}
static void
mls_associate_nfsd_label(struct ucred *cred)
{
struct mac_mls *label;
label = SLOT(cred->cr_label);
mls_set_effective(label, MAC_MLS_TYPE_LOW, 0, NULL);
mls_set_range(label, MAC_MLS_TYPE_LOW, 0, NULL, MAC_MLS_TYPE_HIGH, 0,
NULL);
}
static struct mac_policy_ops mls_ops =
{
.mpo_init = mls_init,
@ -2958,6 +2958,7 @@ static struct mac_policy_ops mls_ops =
.mpo_inpcb_sosetlabel = mls_inpcb_sosetlabel,
.mpo_proc_create_swapper = mls_proc_create_swapper,
.mpo_proc_create_init = mls_proc_create_init,
.mpo_proc_associate_nfsd = mls_proc_associate_nfsd,
.mpo_cred_relabel = mls_cred_relabel,
.mpo_sysvmsg_cleanup = mls_sysvmsg_cleanup,
.mpo_sysvmsq_cleanup = mls_sysvmsq_cleanup,
@ -3034,7 +3035,6 @@ static struct mac_policy_ops mls_ops =
.mpo_vnode_check_stat = mls_vnode_check_stat,
.mpo_vnode_check_unlink = mls_vnode_check_unlink,
.mpo_vnode_check_write = mls_vnode_check_write,
.mpo_associate_nfsd_label = mls_associate_nfsd_label,
.mpo_mbuf_create_from_firewall = mls_mbuf_create_from_firewall,
};


@ -185,12 +185,6 @@ stub_vnode_associate_singlelabel(struct mount *mp, struct label *mplabel,
}
static void
stub_associate_nfsd_label(struct ucred *cred)
{
}
static void
stub_devfs_create_device(struct ucred *cred, struct mount *mp,
struct cdev *dev, struct devfs_dirent *de, struct label *delabel)
@ -525,6 +519,12 @@ stub_proc_create_init(struct ucred *cred)
}
static void
stub_proc_associate_nfsd(struct ucred *cred)
{
}
static void
stub_cred_relabel(struct ucred *cred, struct label *newlabel)
{
@ -1492,7 +1492,6 @@ static struct mac_policy_ops stub_ops =
.mpo_vnode_internalize_label = stub_internalize_label,
.mpo_devfs_vnode_associate = stub_devfs_vnode_associate,
.mpo_vnode_associate_extattr = stub_vnode_associate_extattr,
.mpo_associate_nfsd_label = stub_associate_nfsd_label,
.mpo_vnode_associate_singlelabel = stub_vnode_associate_singlelabel,
.mpo_devfs_create_device = stub_devfs_create_device,
.mpo_devfs_create_directory = stub_devfs_create_directory,
@ -1538,6 +1537,7 @@ static struct mac_policy_ops stub_ops =
.mpo_vnode_execve_will_transition = stub_vnode_execve_will_transition,
.mpo_proc_create_swapper = stub_proc_create_swapper,
.mpo_proc_create_init = stub_proc_create_init,
.mpo_proc_associate_nfsd = stub_proc_associate_nfsd,
.mpo_cred_relabel= stub_cred_relabel,
.mpo_thread_userret = stub_thread_userret,
.mpo_sysvmsg_cleanup = stub_sysvmsg_cleanup,