Add a new MAC entry point, mac_thread_userret(td), which permits policy

modules to perform MAC-related events when a thread returns to user
space.  This is required for policies that have floating process labels,
as it's not always possible to acquire the process lock at arbitrary
points in the stack during system call processing; process labels might
represent traditional authentication data, process history information,
or other data.

LOMAC will use this entry point to perform the process label update
prior to the thread returning to userspace, when plugged into the MAC
framework.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
Robert Watson 2002-10-02 02:42:38 +00:00
parent b6fcb4fec3
commit 92dbb82a47
14 changed files with 113 additions and 0 deletions


@ -652,6 +652,10 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_relabel_cred =
mpe->mpe_function;
break;
case MAC_THREAD_USERRET:
mpc->mpc_ops->mpo_thread_userret =
mpe->mpe_function;
break;
case MAC_CHECK_BPFDESC_RECEIVE:
mpc->mpc_ops->mpo_check_bpfdesc_receive =
mpe->mpe_function;
@ -1581,6 +1585,13 @@ mac_create_proc1(struct ucred *cred)
MAC_PERFORM(create_proc1, cred);
}
void
mac_thread_userret(struct thread *td)
{
MAC_PERFORM(thread_userret, td);
}
/*
* When a new process is created, its label must be initialized. Generally,
* this involves inheritence from the parent process, modulo possible
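Review bot: mac_thread_userret() is added without a comment saying in which context it runs, and policy authors need that because this hook fires on the return-to-user path rather than at an access check. I would put `/* Called from userret() for each thread returning to user mode; policies apply deferred process label changes here. */` above the definition, and state there whether an implementation may sleep or take the process lock, which this hunk does not show. In the registration switch, `mpc->mpc_ops->mpo_thread_userret = mpe->mpe_function;` appears to store a generic function pointer into a typed slot, so the compiler cannot confirm that a policy's handler really takes a `struct thread *`; this follows the neighbouring cases but deserves a line in the policy-writing documentation. mac_policy_register() and the comment after the new function both continue outside the hunks, and the same pair of hunks is repeated in later file sections on this page, where the same remarks apply.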


@ -38,6 +38,7 @@
* $FreeBSD$
*/
#include "opt_mac.h"
#ifdef __i386__
#include "opt_npx.h"
#endif
@ -46,6 +47,7 @@
#include <sys/bus.h>
#include <sys/kernel.h>
#include <sys/lock.h>
#include <sys/mac.h>
#include <sys/mutex.h>
#include <sys/proc.h>
#include <sys/kse.h>
@ -88,6 +90,10 @@ userret(td, frame, oticks)
mtx_unlock(&Giant);
#endif
#ifdef MAC
mac_thread_userret(td);
#endif
/*
* XXX we cheat slightly on the locking here to avoid locking in
* the usual case. Setting td_priority here is essentially an
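Review bot: The new `mac_thread_userret(td)` call sits on the path every thread takes back to user mode, so with `MAC` compiled in its cost is paid on each return even when no loaded policy implements the hook; MAC_PERFORM is not visible here, so I am assuming it walks the registered policies on every call. A one-line comment at the call site, such as `/* Let MAC policies apply pending process label updates before user code runs again. */`, would record why the hook is placed at this point. As the commit message describes it, a label change queued during a system call only takes effect here, so it is worth documenting that later checks within the same call still see the old label. userret() starts before and continues past this hunk.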


@ -652,6 +652,10 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_relabel_cred =
mpe->mpe_function;
break;
case MAC_THREAD_USERRET:
mpc->mpc_ops->mpo_thread_userret =
mpe->mpe_function;
break;
case MAC_CHECK_BPFDESC_RECEIVE:
mpc->mpc_ops->mpo_check_bpfdesc_receive =
mpe->mpe_function;
@ -1581,6 +1585,13 @@ mac_create_proc1(struct ucred *cred)
MAC_PERFORM(create_proc1, cred);
}
void
mac_thread_userret(struct thread *td)
{
MAC_PERFORM(thread_userret, td);
}
/*
* When a new process is created, its label must be initialized. Generally,
* this involves inheritence from the parent process, modulo possible


@ -200,6 +200,7 @@ struct proc;
struct sockaddr;
struct socket;
struct pipe;
struct thread;
struct timespec;
struct ucred;
struct uio;
@ -293,6 +294,7 @@ void mac_execve_transition(struct ucred *old, struct ucred *new,
int mac_execve_will_transition(struct ucred *old, struct vnode *vp);
void mac_create_proc0(struct ucred *cred);
void mac_create_proc1(struct ucred *cred);
void mac_thread_userret(struct thread *td);
/* Access control checks. */
int mac_check_bpfdesc_receive(struct bpf_d *bpf_d, struct ifnet *ifnet);


@ -652,6 +652,10 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_relabel_cred =
mpe->mpe_function;
break;
case MAC_THREAD_USERRET:
mpc->mpc_ops->mpo_thread_userret =
mpe->mpe_function;
break;
case MAC_CHECK_BPFDESC_RECEIVE:
mpc->mpc_ops->mpo_check_bpfdesc_receive =
mpe->mpe_function;
@ -1581,6 +1585,13 @@ mac_create_proc1(struct ucred *cred)
MAC_PERFORM(create_proc1, cred);
}
void
mac_thread_userret(struct thread *td)
{
MAC_PERFORM(thread_userret, td);
}
/*
* When a new process is created, its label must be initialized. Generally,
* this involves inheritence from the parent process, modulo possible


@ -652,6 +652,10 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_relabel_cred =
mpe->mpe_function;
break;
case MAC_THREAD_USERRET:
mpc->mpc_ops->mpo_thread_userret =
mpe->mpe_function;
break;
case MAC_CHECK_BPFDESC_RECEIVE:
mpc->mpc_ops->mpo_check_bpfdesc_receive =
mpe->mpe_function;
@ -1581,6 +1585,13 @@ mac_create_proc1(struct ucred *cred)
MAC_PERFORM(create_proc1, cred);
}
void
mac_thread_userret(struct thread *td)
{
MAC_PERFORM(thread_userret, td);
}
/*
* When a new process is created, its label must be initialized. Generally,
* this involves inheritence from the parent process, modulo possible


@ -652,6 +652,10 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_relabel_cred =
mpe->mpe_function;
break;
case MAC_THREAD_USERRET:
mpc->mpc_ops->mpo_thread_userret =
mpe->mpe_function;
break;
case MAC_CHECK_BPFDESC_RECEIVE:
mpc->mpc_ops->mpo_check_bpfdesc_receive =
mpe->mpe_function;
@ -1581,6 +1585,13 @@ mac_create_proc1(struct ucred *cred)
MAC_PERFORM(create_proc1, cred);
}
void
mac_thread_userret(struct thread *td)
{
MAC_PERFORM(thread_userret, td);
}
/*
* When a new process is created, its label must be initialized. Generally,
* this involves inheritence from the parent process, modulo possible


@ -220,6 +220,7 @@ struct mac_policy_ops {
void (*mpo_create_proc1)(struct ucred *cred);
void (*mpo_relabel_cred)(struct ucred *cred,
struct label *newlabel);
void (*mpo_thread_userret)(struct thread *thread);
/*
* Access control checks.
@ -419,6 +420,7 @@ enum mac_op_constant {
MAC_CREATE_PROC0,
MAC_CREATE_PROC1,
MAC_RELABEL_CRED,
MAC_THREAD_USERRET,
MAC_CHECK_BPFDESC_RECEIVE,
MAC_CHECK_CRED_RELABEL,
MAC_CHECK_CRED_VISIBLE,
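Review bot: `MAC_THREAD_USERRET` is inserted in the middle of `enum mac_op_constant`, which shifts the value of `MAC_CHECK_BPFDESC_RECEIVE` and every later constant unless they carry explicit values outside the hunk, and `mpo_thread_userret` likewise moves the offsets of the members that follow it in `struct mac_policy_ops`. A policy module built against the old header would then register its handlers under the wrong operations, which in an access-control framework can mean a check silently wired to a different hook. If policy modules can be built separately from the kernel, either append the new entries at the end or bump whatever version the framework verifies at registration; no such check is visible in this diff. The same two hunks appear again in the last file section on this page.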


@ -652,6 +652,10 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_relabel_cred =
mpe->mpe_function;
break;
case MAC_THREAD_USERRET:
mpc->mpc_ops->mpo_thread_userret =
mpe->mpe_function;
break;
case MAC_CHECK_BPFDESC_RECEIVE:
mpc->mpc_ops->mpo_check_bpfdesc_receive =
mpe->mpe_function;
@ -1581,6 +1585,13 @@ mac_create_proc1(struct ucred *cred)
MAC_PERFORM(create_proc1, cred);
}
void
mac_thread_userret(struct thread *td)
{
MAC_PERFORM(thread_userret, td);
}
/*
* When a new process is created, its label must be initialized. Generally,
* this involves inheritence from the parent process, modulo possible


@ -652,6 +652,10 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_relabel_cred =
mpe->mpe_function;
break;
case MAC_THREAD_USERRET:
mpc->mpc_ops->mpo_thread_userret =
mpe->mpe_function;
break;
case MAC_CHECK_BPFDESC_RECEIVE:
mpc->mpc_ops->mpo_check_bpfdesc_receive =
mpe->mpe_function;
@ -1581,6 +1585,13 @@ mac_create_proc1(struct ucred *cred)
MAC_PERFORM(create_proc1, cred);
}
void
mac_thread_userret(struct thread *td)
{
MAC_PERFORM(thread_userret, td);
}
/*
* When a new process is created, its label must be initialized. Generally,
* this involves inheritence from the parent process, modulo possible


@ -652,6 +652,10 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_relabel_cred =
mpe->mpe_function;
break;
case MAC_THREAD_USERRET:
mpc->mpc_ops->mpo_thread_userret =
mpe->mpe_function;
break;
case MAC_CHECK_BPFDESC_RECEIVE:
mpc->mpc_ops->mpo_check_bpfdesc_receive =
mpe->mpe_function;
@ -1581,6 +1585,13 @@ mac_create_proc1(struct ucred *cred)
MAC_PERFORM(create_proc1, cred);
}
void
mac_thread_userret(struct thread *td)
{
MAC_PERFORM(thread_userret, td);
}
/*
* When a new process is created, its label must be initialized. Generally,
* this involves inheritence from the parent process, modulo possible


@ -652,6 +652,10 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_relabel_cred =
mpe->mpe_function;
break;
case MAC_THREAD_USERRET:
mpc->mpc_ops->mpo_thread_userret =
mpe->mpe_function;
break;
case MAC_CHECK_BPFDESC_RECEIVE:
mpc->mpc_ops->mpo_check_bpfdesc_receive =
mpe->mpe_function;
@ -1581,6 +1585,13 @@ mac_create_proc1(struct ucred *cred)
MAC_PERFORM(create_proc1, cred);
}
void
mac_thread_userret(struct thread *td)
{
MAC_PERFORM(thread_userret, td);
}
/*
* When a new process is created, its label must be initialized. Generally,
* this involves inheritence from the parent process, modulo possible


@ -200,6 +200,7 @@ struct proc;
struct sockaddr;
struct socket;
struct pipe;
struct thread;
struct timespec;
struct ucred;
struct uio;
@ -293,6 +294,7 @@ void mac_execve_transition(struct ucred *old, struct ucred *new,
int mac_execve_will_transition(struct ucred *old, struct vnode *vp);
void mac_create_proc0(struct ucred *cred);
void mac_create_proc1(struct ucred *cred);
void mac_thread_userret(struct thread *td);
/* Access control checks. */
int mac_check_bpfdesc_receive(struct bpf_d *bpf_d, struct ifnet *ifnet);


@ -220,6 +220,7 @@ struct mac_policy_ops {
void (*mpo_create_proc1)(struct ucred *cred);
void (*mpo_relabel_cred)(struct ucred *cred,
struct label *newlabel);
void (*mpo_thread_userret)(struct thread *thread);
/*
* Access control checks.
@ -419,6 +420,7 @@ enum mac_op_constant {
MAC_CREATE_PROC0,
MAC_CREATE_PROC1,
MAC_RELABEL_CRED,
MAC_THREAD_USERRET,
MAC_CHECK_BPFDESC_RECEIVE,
MAC_CHECK_CRED_RELABEL,
MAC_CHECK_CRED_VISIBLE,