authorRobert Watson <rwatson@FreeBSD.org>2008-08-23 15:26:36 +0000
committerRobert Watson <rwatson@FreeBSD.org>2008-08-23 15:26:36 +0000
commit6356dba0b403daa023dec24559ab1f8e602e4f14 (patch)
tree5219c0b4d17dd1dcbcb5fda367c1905a0929ee2b /sys/security/mac/mac_framework.h
parent99448af81e4572b5f1d892bdf81cfbe37c518e7f (diff)
Introduce two related changes to the TrustedBSD MAC Framework:
(1) Abstract interpreter vnode labeling in execve(2) and mac_execve(2) so that the general exec code isn't aware of the details of allocating, copying, and freeing labels, rather, simply passes in a void pointer to start and stop functions that will be used by the framework. This change will be MFC'd. (2) Introduce a new flags field to the MAC_POLICY_SET(9) interface allowing policies to declare which types of objects require label allocation, initialization, and destruction, and define a set of flags covering various supported object types (MPC_OBJECT_PROC, MPC_OBJECT_VNODE, MPC_OBJECT_INPCB, ...). This change reduces the overhead of compiling the MAC Framework into the kernel if policies aren't loaded, or if policies require labels on only a small number or even no object types. Each time a policy is loaded or unloaded, we recalculate a mask of labeled object types across all policies present in the system. Eliminate MAC_ALWAYS_LABEL_MBUF option as it is no longer required. MFC after: 1 week ((1) only) Reviewed by: csjp Obtained from: TrustedBSD Project Sponsored by: Apple, Inc.
Notes
Notes: svn path=/head/; revision=182063
Diffstat (limited to 'sys/security/mac/mac_framework.h')
-rw-r--r--sys/security/mac/mac_framework.h10
1 files changed, 4 insertions, 6 deletions
diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h
index 2a8b00ca2f51..0297ed0cae97 100644
--- a/sys/security/mac/mac_framework.h
+++ b/sys/security/mac/mac_framework.h
@@ -249,9 +249,12 @@ int mac_proc_check_wait(struct ucred *cred, struct proc *p);
void mac_proc_create_init(struct ucred *cred);
void mac_proc_create_swapper(struct ucred *cred);
void mac_proc_destroy(struct proc *);
+void mac_proc_init(struct proc *);
int mac_execve_enter(struct image_params *imgp, struct mac *mac_p);
void mac_execve_exit(struct image_params *imgp);
-void mac_proc_init(struct proc *);
+void mac_execve_interpreter_enter(struct vnode *interpvp,
+ struct label **interplabel);
+void mac_execve_interpreter_exit(struct label *interpvplabel);
int mac_socket_check_accept(struct ucred *cred, struct socket *so);
int mac_socket_check_bind(struct ucred *cred, struct socket *so,
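Review bot: The new `mac_execve_interpreter_enter`/`_exit` pair declares an allocate/release contract in the header with no comment saying so, and the two prototypes name the same object differently (`interplabel` on enter, `interpvplabel` on exit), which makes the pairing harder to see for the exec code that must keep the pointer between the two calls. Since the commit message says label allocation is now gated on the MPC_OBJECT_VNODE flag, it is presumably possible for `*interplabel` to be left NULL when no loaded policy labels vnodes, and `_exit()` must then accept NULL — that should be stated where callers will read it. I would add above the enter prototype: `/* Allocate the interpreter vnode label for execve(); *interplabel may be NULL if no policy labels vnodes. Release it with mac_execve_interpreter_exit(), which must accept NULL. */` (confirm against mac_process.c), and rename the exit parameter to `interplabel` to match. Note the commit message describes the exec code passing "a void pointer", while the prototype here takes `struct label **`; one of the two should be adjusted so the description matches the interface.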
@@ -422,11 +425,6 @@ int mac_vnode_execve_will_transition(struct ucred *cred,
void mac_vnode_relabel(struct ucred *cred, struct vnode *vp,
struct label *newlabel);
-struct label *mac_cred_label_alloc(void);
-void mac_cred_label_free(struct label *);
-struct label *mac_vnode_label_alloc(void);
-void mac_vnode_label_free(struct label *);
-
void mac_cred_mmapped_drop_perms(struct thread *td, struct ucred *cred);
/*