Rename mac_associate_nfsd_label() to mac_proc_associate_nfsd(), and move
from mac_vfs.c to mac_process.c to join other functions that set up process labels for specific purposes. Unlike the two proc create calls, this call is intended to run after creation when a process registers as the NFS daemon, so it remains an _associate_ call. Obtained from: TrustedBSD Project
This commit is contained in:
parent
2fd98af619
commit
8756317538
@ -361,7 +361,7 @@ nfs_getreq(struct nfsrv_descript *nd, struct nfsd *nfsd, int has_header)
|
||||
nd->nd_cr->cr_groups[0] = nd->nd_cr->cr_rgid =
|
||||
nd->nd_cr->cr_svgid = fxdr_unsigned(gid_t, *tl++);
|
||||
#ifdef MAC
|
||||
mac_associate_nfsd_label(nd->nd_cr);
|
||||
mac_proc_associate_nfsd(nd->nd_cr);
|
||||
#endif
|
||||
len = fxdr_unsigned(int, *tl);
|
||||
if (len < 0 || len > RPCAUTH_UNIXGIDS) {
|
||||
|
@ -224,6 +224,7 @@ int mac_vnode_execve_will_transition(struct ucred *cred,
|
||||
struct image_params *imgp);
|
||||
void mac_proc_create_swapper(struct ucred *cred);
|
||||
void mac_proc_create_init(struct ucred *cred);
|
||||
void mac_proc_associate_nfsd(struct ucred *cred);
|
||||
void mac_thread_userret(struct thread *td);
|
||||
|
||||
/*
|
||||
@ -414,7 +415,6 @@ int mac_setsockopt_label(struct ucred *cred, struct socket *so,
|
||||
int mac_pipe_label_set(struct ucred *cred, struct pipepair *pp,
|
||||
struct label *label);
|
||||
void mac_cred_mmapped_drop_perms(struct thread *td, struct ucred *cred);
|
||||
void mac_associate_nfsd_label(struct ucred *cred);
|
||||
int mac_priv_check(struct ucred *cred, int priv);
|
||||
int mac_priv_grant(struct ucred *cred, int priv);
|
||||
|
||||
|
@ -607,7 +607,7 @@ typedef int (*mpo_vnode_check_unlink_t)(struct ucred *cred,
|
||||
typedef int (*mpo_vnode_check_write_t)(struct ucred *active_cred,
|
||||
struct ucred *file_cred, struct vnode *vp,
|
||||
struct label *vplabel);
|
||||
typedef void (*mpo_associate_nfsd_label_t)(struct ucred *cred);
|
||||
typedef void (*mpo_proc_associate_nfsd_t)(struct ucred *cred);
|
||||
typedef int (*mpo_priv_check_t)(struct ucred *cred, int priv);
|
||||
typedef int (*mpo_priv_grant_t)(struct ucred *cred, int priv);
|
||||
|
||||
@ -765,6 +765,7 @@ struct mac_policy_ops {
|
||||
mpo_vnode_execve_will_transition_t mpo_vnode_execve_will_transition;
|
||||
mpo_proc_create_swapper_t mpo_proc_create_swapper;
|
||||
mpo_proc_create_init_t mpo_proc_create_init;
|
||||
mpo_proc_associate_nfsd_t mpo_proc_associate_nfsd;
|
||||
mpo_cred_relabel_t mpo_cred_relabel;
|
||||
mpo_placeholder_t _mpo_placeholder6;
|
||||
mpo_thread_userret_t mpo_thread_userret;
|
||||
@ -898,7 +899,6 @@ struct mac_policy_ops {
|
||||
mpo_vnode_check_stat_t mpo_vnode_check_stat;
|
||||
mpo_vnode_check_unlink_t mpo_vnode_check_unlink;
|
||||
mpo_vnode_check_write_t mpo_vnode_check_write;
|
||||
mpo_associate_nfsd_label_t mpo_associate_nfsd_label;
|
||||
mpo_mbuf_create_from_firewall_t mpo_mbuf_create_from_firewall;
|
||||
mpo_init_syncache_label_t mpo_init_syncache_label;
|
||||
mpo_destroy_syncache_label_t mpo_destroy_syncache_label;
|
||||
|
@ -192,6 +192,22 @@ mac_proc_create_init(struct ucred *cred)
|
||||
MAC_PERFORM(proc_create_init, cred);
|
||||
}
|
||||
|
||||
/*
|
||||
* When a thread becomes an NFS server daemon, its credential may need to be
|
||||
* updated to reflect this so that policies can recognize when file system
|
||||
* operations originate from the network.
|
||||
*
|
||||
* At some point, it would be desirable if the credential used for each NFS
|
||||
* RPC could be set based on the RPC context (i.e., source system, etc) to
|
||||
* provide more fine-grained access control.
|
||||
*/
|
||||
void
|
||||
mac_proc_associate_nfsd(struct ucred *cred)
|
||||
{
|
||||
|
||||
MAC_PERFORM(proc_associate_nfsd, cred);
|
||||
}
|
||||
|
||||
void
|
||||
mac_thread_userret(struct thread *td)
|
||||
{
|
||||
|
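Review bot: The header comment on mac_proc_associate_nfsd says the hook runs when a thread becomes an NFS server daemon, but the only caller visible in this commit, nfs_getreq, invokes it on `nd->nd_cr`, the per-request credential just filled in from the RPC's AUTH_UNIX uid/gid fields, so the label is applied per request rather than once at registration. If that is the intended call site the comment should say so, e.g. `* Called by the NFS server on each request's credential (nd_cr) so that policies can recognize file system operations that originate from the network.` The commit message makes the same "registers as the NFS daemon" claim, so it is worth reconciling the two. It is also not visible here whether `cred` may be shared at the moment policies rewrite its label in place; a sentence stating the expected ownership would help policy authors.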
@ -876,19 +876,3 @@ vn_setlabel(struct vnode *vp, struct label *intlabel, struct ucred *cred)
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
/*
|
||||
* When a thread becomes an NFS server daemon, its credential may need to be
|
||||
* updated to reflect this so that policies can recognize when file system
|
||||
* operations originate from the network.
|
||||
*
|
||||
* At some point, it would be desirable if the credential used for each NFS
|
||||
* RPC could be set based on the RPC context (i.e., source system, etc) to
|
||||
* provide more fine-grained access control.
|
||||
*/
|
||||
void
|
||||
mac_associate_nfsd_label(struct ucred *cred)
|
||||
{
|
||||
|
||||
MAC_PERFORM(associate_nfsd_label, cred);
|
||||
}
|
||||
|
@ -1409,6 +1409,17 @@ biba_proc_create_init(struct ucred *cred)
|
||||
0, NULL);
|
||||
}
|
||||
|
||||
static void
|
||||
biba_proc_associate_nfsd(struct ucred *cred)
|
||||
{
|
||||
struct mac_biba *label;
|
||||
|
||||
label = SLOT(cred->cr_label);
|
||||
biba_set_effective(label, MAC_BIBA_TYPE_LOW, 0, NULL);
|
||||
biba_set_range(label, MAC_BIBA_TYPE_LOW, 0, NULL, MAC_BIBA_TYPE_HIGH,
|
||||
0, NULL);
|
||||
}
|
||||
|
||||
static void
|
||||
biba_cred_relabel(struct ucred *cred, struct label *newlabel)
|
||||
{
|
||||
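Review bot: biba_proc_associate_nfsd sets the credential's effective Biba label to MAC_BIBA_TYPE_LOW and its range to LOW..HIGH without a comment explaining the choice, and since the body is carried over verbatim from the removed biba_associate_nfsd_label the rationale still lives nowhere in the file. A short comment above the function, such as `/* Requests served here arrive from the network, so the serving credential runs at low integrity with the full LOW..HIGH range. */`, would document the policy decision. The same applies to mls_proc_associate_nfsd in the `@ -1354,6 +1354,17` hunk, where the effective level is set to MAC_MLS_TYPE_LOW.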
@ -3199,17 +3210,6 @@ biba_vnode_check_write(struct ucred *active_cred,
|
||||
return (0);
|
||||
}
|
||||
|
||||
static void
|
||||
biba_associate_nfsd_label(struct ucred *cred)
|
||||
{
|
||||
struct mac_biba *label;
|
||||
|
||||
label = SLOT(cred->cr_label);
|
||||
biba_set_effective(label, MAC_BIBA_TYPE_LOW, 0, NULL);
|
||||
biba_set_range(label, MAC_BIBA_TYPE_LOW, 0, NULL, MAC_BIBA_TYPE_HIGH,
|
||||
0, NULL);
|
||||
}
|
||||
|
||||
static void
|
||||
biba_init_syncache_from_inpcb(struct label *label, struct inpcb *inp)
|
||||
{
|
||||
@ -3331,6 +3331,7 @@ static struct mac_policy_ops mac_biba_ops =
|
||||
.mpo_inpcb_sosetlabel = biba_inpcb_sosetlabel,
|
||||
.mpo_proc_create_swapper = biba_proc_create_swapper,
|
||||
.mpo_proc_create_init = biba_proc_create_init,
|
||||
.mpo_proc_associate_nfsd = biba_proc_associate_nfsd,
|
||||
.mpo_cred_relabel = biba_cred_relabel,
|
||||
.mpo_sysvmsg_cleanup = biba_sysvmsg_cleanup,
|
||||
.mpo_sysvmsq_cleanup = biba_sysvmsq_cleanup,
|
||||
@ -3411,7 +3412,6 @@ static struct mac_policy_ops mac_biba_ops =
|
||||
.mpo_vnode_check_stat = biba_vnode_check_stat,
|
||||
.mpo_vnode_check_unlink = biba_vnode_check_unlink,
|
||||
.mpo_vnode_check_write = biba_vnode_check_write,
|
||||
.mpo_associate_nfsd_label = biba_associate_nfsd_label,
|
||||
.mpo_mbuf_create_from_firewall = biba_mbuf_create_from_firewall,
|
||||
.mpo_priv_check = biba_priv_check,
|
||||
};
|
||||
|
@ -1354,6 +1354,17 @@ mls_proc_create_init(struct ucred *cred)
|
||||
NULL);
|
||||
}
|
||||
|
||||
static void
|
||||
mls_proc_associate_nfsd(struct ucred *cred)
|
||||
{
|
||||
struct mac_mls *label;
|
||||
|
||||
label = SLOT(cred->cr_label);
|
||||
mls_set_effective(label, MAC_MLS_TYPE_LOW, 0, NULL);
|
||||
mls_set_range(label, MAC_MLS_TYPE_LOW, 0, NULL, MAC_MLS_TYPE_HIGH, 0,
|
||||
NULL);
|
||||
}
|
||||
|
||||
static void
|
||||
mls_cred_relabel(struct ucred *cred, struct label *newlabel)
|
||||
{
|
||||
@ -2847,17 +2858,6 @@ mls_vnode_check_write(struct ucred *active_cred, struct ucred *file_cred,
|
||||
return (0);
|
||||
}
|
||||
|
||||
static void
|
||||
mls_associate_nfsd_label(struct ucred *cred)
|
||||
{
|
||||
struct mac_mls *label;
|
||||
|
||||
label = SLOT(cred->cr_label);
|
||||
mls_set_effective(label, MAC_MLS_TYPE_LOW, 0, NULL);
|
||||
mls_set_range(label, MAC_MLS_TYPE_LOW, 0, NULL, MAC_MLS_TYPE_HIGH, 0,
|
||||
NULL);
|
||||
}
|
||||
|
||||
static struct mac_policy_ops mls_ops =
|
||||
{
|
||||
.mpo_init = mls_init,
|
||||
@ -2958,6 +2958,7 @@ static struct mac_policy_ops mls_ops =
|
||||
.mpo_inpcb_sosetlabel = mls_inpcb_sosetlabel,
|
||||
.mpo_proc_create_swapper = mls_proc_create_swapper,
|
||||
.mpo_proc_create_init = mls_proc_create_init,
|
||||
.mpo_proc_associate_nfsd = mls_proc_associate_nfsd,
|
||||
.mpo_cred_relabel = mls_cred_relabel,
|
||||
.mpo_sysvmsg_cleanup = mls_sysvmsg_cleanup,
|
||||
.mpo_sysvmsq_cleanup = mls_sysvmsq_cleanup,
|
||||
@ -3034,7 +3035,6 @@ static struct mac_policy_ops mls_ops =
|
||||
.mpo_vnode_check_stat = mls_vnode_check_stat,
|
||||
.mpo_vnode_check_unlink = mls_vnode_check_unlink,
|
||||
.mpo_vnode_check_write = mls_vnode_check_write,
|
||||
.mpo_associate_nfsd_label = mls_associate_nfsd_label,
|
||||
.mpo_mbuf_create_from_firewall = mls_mbuf_create_from_firewall,
|
||||
};
|
||||
|
||||
|
@ -185,12 +185,6 @@ stub_vnode_associate_singlelabel(struct mount *mp, struct label *mplabel,
|
||||
|
||||
}
|
||||
|
||||
static void
|
||||
stub_associate_nfsd_label(struct ucred *cred)
|
||||
{
|
||||
|
||||
}
|
||||
|
||||
static void
|
||||
stub_devfs_create_device(struct ucred *cred, struct mount *mp,
|
||||
struct cdev *dev, struct devfs_dirent *de, struct label *delabel)
|
||||
@ -525,6 +519,12 @@ stub_proc_create_init(struct ucred *cred)
|
||||
|
||||
}
|
||||
|
||||
static void
|
||||
stub_proc_associate_nfsd(struct ucred *cred)
|
||||
{
|
||||
|
||||
}
|
||||
|
||||
static void
|
||||
stub_cred_relabel(struct ucred *cred, struct label *newlabel)
|
||||
{
|
||||
@ -1492,7 +1492,6 @@ static struct mac_policy_ops stub_ops =
|
||||
.mpo_vnode_internalize_label = stub_internalize_label,
|
||||
.mpo_devfs_vnode_associate = stub_devfs_vnode_associate,
|
||||
.mpo_vnode_associate_extattr = stub_vnode_associate_extattr,
|
||||
.mpo_associate_nfsd_label = stub_associate_nfsd_label,
|
||||
.mpo_vnode_associate_singlelabel = stub_vnode_associate_singlelabel,
|
||||
.mpo_devfs_create_device = stub_devfs_create_device,
|
||||
.mpo_devfs_create_directory = stub_devfs_create_directory,
|
||||
@ -1538,6 +1537,7 @@ static struct mac_policy_ops stub_ops =
|
||||
.mpo_vnode_execve_will_transition = stub_vnode_execve_will_transition,
|
||||
.mpo_proc_create_swapper = stub_proc_create_swapper,
|
||||
.mpo_proc_create_init = stub_proc_create_init,
|
||||
.mpo_proc_associate_nfsd = stub_proc_associate_nfsd,
|
||||
.mpo_cred_relabel= stub_cred_relabel,
|
||||
.mpo_thread_userret = stub_thread_userret,
|
||||
.mpo_sysvmsg_cleanup = stub_sysvmsg_cleanup,
|
||||
|