diff options
| author | Robert Watson <rwatson@FreeBSD.org> | 2008-08-23 15:26:36 +0000 |
|---|---|---|
| committer | Robert Watson <rwatson@FreeBSD.org> | 2008-08-23 15:26:36 +0000 |
| commit | 6356dba0b403daa023dec24559ab1f8e602e4f14 (patch) | |
| tree | 5219c0b4d17dd1dcbcb5fda367c1905a0929ee2b /sys/security/mac/mac_framework.h | |
| parent | 99448af81e4572b5f1d892bdf81cfbe37c518e7f (diff) | |
Introduce two related changes to the TrustedBSD MAC Framework:
(1) Abstract interpreter vnode labeling in execve(2) and mac_execve(2)
so that the general exec code isn't aware of the details of
allocating, copying, and freeing labels, rather, simply passes in
a void pointer to start and stop functions that will be used by
the framework. This change will be MFC'd.
(2) Introduce a new flags field to the MAC_POLICY_SET(9) interface
allowing policies to declare which types of objects require label
allocation, initialization, and destruction, and define a set of
flags covering various supported object types (MPC_OBJECT_PROC,
MPC_OBJECT_VNODE, MPC_OBJECT_INPCB, ...). This change reduces the
overhead of compiling the MAC Framework into the kernel if policies
aren't loaded, or if policies require labels on only a small number
or even no object types. Each time a policy is loaded or unloaded,
we recalculate a mask of labeled object types across all policies
present in the system. Eliminate MAC_ALWAYS_LABEL_MBUF option as it
is no longer required.
MFC after: 1 week ((1) only)
Reviewed by: csjp
Obtained from: TrustedBSD Project
Sponsored by: Apple, Inc.
Notes
Notes:
svn path=/head/; revision=182063
Diffstat (limited to 'sys/security/mac/mac_framework.h')
| -rw-r--r-- | sys/security/mac/mac_framework.h | 10 |
1 files changed, 4 insertions, 6 deletions
diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h index 2a8b00ca2f51..0297ed0cae97 100644 --- a/sys/security/mac/mac_framework.h +++ b/sys/security/mac/mac_framework.h @@ -249,9 +249,12 @@ int mac_proc_check_wait(struct ucred *cred, struct proc *p); void mac_proc_create_init(struct ucred *cred); void mac_proc_create_swapper(struct ucred *cred); void mac_proc_destroy(struct proc *); +void mac_proc_init(struct proc *); int mac_execve_enter(struct image_params *imgp, struct mac *mac_p); void mac_execve_exit(struct image_params *imgp); -void mac_proc_init(struct proc *); +void mac_execve_interpreter_enter(struct vnode *interpvp, + struct label **interplabel); +void mac_execve_interpreter_exit(struct label *interpvplabel); int mac_socket_check_accept(struct ucred *cred, struct socket *so); int mac_socket_check_bind(struct ucred *cred, struct socket *so, @@ -422,11 +425,6 @@ int mac_vnode_execve_will_transition(struct ucred *cred, void mac_vnode_relabel(struct ucred *cred, struct vnode *vp, struct label *newlabel); -struct label *mac_cred_label_alloc(void); -void mac_cred_label_free(struct label *); -struct label *mac_vnode_label_alloc(void); -void mac_vnode_label_free(struct label *); - void mac_cred_mmapped_drop_perms(struct thread *td, struct ucred *cred); /* |