svn commit: r189529 - in head/sys: kern security/audit security/mac security/mac_stub security/mac_test

Robert Watson rwatson at FreeBSD.org
Sun Mar 8 03:58:39 PDT 2009


Author: rwatson
Date: Sun Mar  8 10:58:37 2009
New Revision: 189529
URL: http://svn.freebsd.org/changeset/base/189529

Log:
  Improve the consistency of MAC Framework and MAC policy entry point
  naming by renaming certain "proc" entry points to "cred" entry points,
  reflecting their manipulation of credentials.  For some entry points,
  the process was passed into the framework but not into policies; in
  these cases, stop passing in the process since we don't need it.
  
    mac_proc_check_setaudit -> mac_cred_check_setaudit
    mac_proc_check_setaudit_addr -> mac_cred_check_setaudit_addr
    mac_proc_check_setauid -> mac_cred_check_setauid
    mac_proc_check_setegid -> mac_cred_check_setegid
    mac_proc_check_seteuid -> mac_cred_check_seteuid
    mac_proc_check_setgid -> mac_cred_check_setgid
    mac_proc_check_setgroups -> mac_cred_ceck_setgroups
    mac_proc_check_setregid -> mac_cred_check_setregid
    mac_proc_check_setresgid -> mac_cred_check_setresgid
    mac_proc_check_setresuid -> mac_cred_check_setresuid
    mac_proc_check_setreuid -> mac_cred_check_setreuid
    mac_proc_check_setuid -> mac_cred_check_setuid
  
  Obtained from:	TrustedBSD Project
  Sponsored by:	Google, Inc.

Modified:
  head/sys/kern/kern_prot.c
  head/sys/security/audit/audit_syscalls.c
  head/sys/security/mac/mac_audit.c
  head/sys/security/mac/mac_cred.c
  head/sys/security/mac/mac_framework.c
  head/sys/security/mac/mac_framework.h
  head/sys/security/mac/mac_policy.h
  head/sys/security/mac/mac_process.c
  head/sys/security/mac_stub/mac_stub.c
  head/sys/security/mac_test/mac_test.c

Modified: head/sys/kern/kern_prot.c
==============================================================================
--- head/sys/kern/kern_prot.c	Sun Mar  8 06:56:13 2009	(r189528)
+++ head/sys/kern/kern_prot.c	Sun Mar  8 10:58:37 2009	(r189529)
@@ -489,7 +489,7 @@ setuid(struct thread *td, struct setuid_
 	oldcred = p->p_ucred;
 
 #ifdef MAC
-	error = mac_proc_check_setuid(p, oldcred, uid);
+	error = mac_cred_check_setuid(oldcred, uid);
 	if (error)
 		goto fail;
 #endif
@@ -601,7 +601,7 @@ seteuid(struct thread *td, struct seteui
 	oldcred = p->p_ucred;
 
 #ifdef MAC
-	error = mac_proc_check_seteuid(p, oldcred, euid);
+	error = mac_cred_check_seteuid(oldcred, euid);
 	if (error)
 		goto fail;
 #endif
@@ -654,7 +654,7 @@ setgid(struct thread *td, struct setgid_
 	oldcred = p->p_ucred;
 
 #ifdef MAC
-	error = mac_proc_check_setgid(p, oldcred, gid);
+	error = mac_cred_check_setgid(oldcred, gid);
 	if (error)
 		goto fail;
 #endif
@@ -753,7 +753,7 @@ setegid(struct thread *td, struct setegi
 	oldcred = p->p_ucred;
 
 #ifdef MAC
-	error = mac_proc_check_setegid(p, oldcred, egid);
+	error = mac_cred_check_setegid(oldcred, egid);
 	if (error)
 		goto fail;
 #endif
@@ -815,7 +815,7 @@ kern_setgroups(struct thread *td, u_int 
 	oldcred = p->p_ucred;
 
 #ifdef MAC
-	error = mac_proc_check_setgroups(p, oldcred, ngrp, groups);
+	error = mac_cred_check_setgroups(oldcred, ngrp, groups);
 	if (error)
 		goto fail;
 #endif
@@ -880,7 +880,7 @@ setreuid(register struct thread *td, str
 	oldcred = p->p_ucred;
 
 #ifdef MAC
-	error = mac_proc_check_setreuid(p, oldcred, ruid, euid);
+	error = mac_cred_check_setreuid(oldcred, ruid, euid);
 	if (error)
 		goto fail;
 #endif
@@ -945,7 +945,7 @@ setregid(register struct thread *td, str
 	oldcred = p->p_ucred;
 
 #ifdef MAC
-	error = mac_proc_check_setregid(p, oldcred, rgid, egid);
+	error = mac_cred_check_setregid(oldcred, rgid, egid);
 	if (error)
 		goto fail;
 #endif
@@ -1016,7 +1016,7 @@ setresuid(register struct thread *td, st
 	oldcred = p->p_ucred;
 
 #ifdef MAC
-	error = mac_proc_check_setresuid(p, oldcred, ruid, euid, suid);
+	error = mac_cred_check_setresuid(oldcred, ruid, euid, suid);
 	if (error)
 		goto fail;
 #endif
@@ -1093,7 +1093,7 @@ setresgid(register struct thread *td, st
 	oldcred = p->p_ucred;
 
 #ifdef MAC
-	error = mac_proc_check_setresgid(p, oldcred, rgid, egid, sgid);
+	error = mac_cred_check_setresgid(oldcred, rgid, egid, sgid);
 	if (error)
 		goto fail;
 #endif

Modified: head/sys/security/audit/audit_syscalls.c
==============================================================================
--- head/sys/security/audit/audit_syscalls.c	Sun Mar  8 06:56:13 2009	(r189528)
+++ head/sys/security/audit/audit_syscalls.c	Sun Mar  8 10:58:37 2009	(r189529)
@@ -474,7 +474,7 @@ setauid(struct thread *td, struct setaui
 	oldcred = td->td_proc->p_ucred;
 	crcopy(newcred, oldcred);
 #ifdef MAC
-	error = mac_proc_check_setauid(oldcred, id);
+	error = mac_cred_check_setauid(oldcred, id);
 	if (error)
 		goto fail;
 #endif
@@ -539,7 +539,7 @@ setaudit(struct thread *td, struct setau
 	oldcred = td->td_proc->p_ucred;
 	crcopy(newcred, oldcred);
 #ifdef MAC
-	error = mac_proc_check_setaudit(oldcred, &ai);
+	error = mac_cred_check_setaudit(oldcred, &ai);
 	if (error)
 		goto fail;
 #endif
@@ -602,7 +602,7 @@ setaudit_addr(struct thread *td, struct 
 	oldcred = td->td_proc->p_ucred;
 	crcopy(newcred, oldcred);
 #ifdef MAC
-	error = mac_proc_check_setaudit_addr(oldcred, &aia);
+	error = mac_cred_check_setaudit_addr(oldcred, &aia);
 	if (error)
 		goto fail;
 #endif

Modified: head/sys/security/mac/mac_audit.c
==============================================================================
--- head/sys/security/mac/mac_audit.c	Sun Mar  8 06:56:13 2009	(r189528)
+++ head/sys/security/mac/mac_audit.c	Sun Mar  8 10:58:37 2009	(r189529)
@@ -58,43 +58,43 @@ __FBSDID("$FreeBSD$");
 #include <security/mac/mac_internal.h>
 #include <security/mac/mac_policy.h>
 
-MAC_CHECK_PROBE_DEFINE2(proc_check_setaudit, "struct ucred *",
+MAC_CHECK_PROBE_DEFINE2(cred_check_setaudit, "struct ucred *",
     "struct auditinfo *");
 
 int
-mac_proc_check_setaudit(struct ucred *cred, struct auditinfo *ai)
+mac_cred_check_setaudit(struct ucred *cred, struct auditinfo *ai)
 {
 	int error;
 
-	MAC_CHECK(proc_check_setaudit, cred, ai);
-	MAC_CHECK_PROBE2(proc_check_setaudit, error, cred, ai);
+	MAC_CHECK(cred_check_setaudit, cred, ai);
+	MAC_CHECK_PROBE2(cred_check_setaudit, error, cred, ai);
 
 	return (error);
 }
 
-MAC_CHECK_PROBE_DEFINE2(proc_check_setaudit_addr, "struct ucred *",
+MAC_CHECK_PROBE_DEFINE2(cred_check_setaudit_addr, "struct ucred *",
     "struct auditinfo_addr *");
 
 int
-mac_proc_check_setaudit_addr(struct ucred *cred, struct auditinfo_addr *aia)
+mac_cred_check_setaudit_addr(struct ucred *cred, struct auditinfo_addr *aia)
 {
 	int error;
 
-	MAC_CHECK(proc_check_setaudit_addr, cred, aia);
-	MAC_CHECK_PROBE2(proc_check_setaudit_addr, error, cred, aia);
+	MAC_CHECK(cred_check_setaudit_addr, cred, aia);
+	MAC_CHECK_PROBE2(cred_check_setaudit_addr, error, cred, aia);
 
 	return (error);
 }
 
-MAC_CHECK_PROBE_DEFINE2(proc_check_setauid, "struct ucred *", "uid_t");
+MAC_CHECK_PROBE_DEFINE2(cred_check_setauid, "struct ucred *", "uid_t");
 
 int
-mac_proc_check_setauid(struct ucred *cred, uid_t auid)
+mac_cred_check_setauid(struct ucred *cred, uid_t auid)
 {
 	int error;
 
-	MAC_CHECK(proc_check_setauid, cred, auid);
-	MAC_CHECK_PROBE2(proc_check_setauid, error, cred, auid);
+	MAC_CHECK(cred_check_setauid, cred, auid);
+	MAC_CHECK_PROBE2(cred_check_setauid, error, cred, auid);
 
 	return (error);
 }

Modified: head/sys/security/mac/mac_cred.c
==============================================================================
--- head/sys/security/mac/mac_cred.c	Sun Mar  8 06:56:13 2009	(r189528)
+++ head/sys/security/mac/mac_cred.c	Sun Mar  8 10:58:37 2009	(r189529)
@@ -211,6 +211,132 @@ mac_cred_check_relabel(struct ucred *cre
 	return (error);
 }
 
+MAC_CHECK_PROBE_DEFINE2(cred_check_setuid, "struct ucred *", "uid_t");
+
+int
+mac_cred_check_setuid(struct ucred *cred, uid_t uid)
+{
+	int error;
+
+	MAC_CHECK(cred_check_setuid, cred, uid);
+	MAC_CHECK_PROBE2(cred_check_setuid, error, cred, uid);
+
+	return (error);
+}
+
+MAC_CHECK_PROBE_DEFINE2(cred_check_seteuid, "struct ucred *", "uid_t");
+
+int
+mac_cred_check_seteuid(struct ucred *cred, uid_t euid)
+{
+	int error;
+
+	MAC_CHECK(cred_check_seteuid, cred, euid);
+	MAC_CHECK_PROBE2(cred_check_seteuid, error, cred, euid);
+
+	return (error);
+}
+
+MAC_CHECK_PROBE_DEFINE2(cred_check_setgid, "struct ucred *", "gid_t");
+
+int
+mac_cred_check_setgid(struct ucred *cred, gid_t gid)
+{
+	int error;
+
+	MAC_CHECK(cred_check_setgid, cred, gid);
+	MAC_CHECK_PROBE2(cred_check_setgid, error, cred, gid);
+
+	return (error);
+}
+
+MAC_CHECK_PROBE_DEFINE2(cred_check_setegid, "struct ucred *", "gid_t");
+
+int
+mac_cred_check_setegid(struct ucred *cred, gid_t egid)
+{
+	int error;
+
+	MAC_CHECK(cred_check_setegid, cred, egid);
+	MAC_CHECK_PROBE2(cred_check_setegid, error, cred, egid);
+
+	return (error);
+}
+
+MAC_CHECK_PROBE_DEFINE3(cred_check_setgroups, "struct ucred *", "int",
+    "gid_t *");
+
+int
+mac_cred_check_setgroups(struct ucred *cred, int ngroups, gid_t *gidset)
+{
+	int error;
+
+	MAC_CHECK(cred_check_setgroups, cred, ngroups, gidset);
+	MAC_CHECK_PROBE3(cred_check_setgroups, error, cred, ngroups, gidset);
+
+	return (error);
+}
+
+MAC_CHECK_PROBE_DEFINE3(cred_check_setreuid, "struct ucred *", "uid_t",
+    "uid_t");
+
+int
+mac_cred_check_setreuid(struct ucred *cred, uid_t ruid, uid_t euid)
+{
+	int error;
+
+	MAC_CHECK(cred_check_setreuid, cred, ruid, euid);
+	MAC_CHECK_PROBE3(cred_check_setreuid, error, cred, ruid, euid);
+
+	return (error);
+}
+
+MAC_CHECK_PROBE_DEFINE3(cred_check_setregid, "struct ucred *", "gid_t",
+    "gid_t");
+
+int
+mac_cred_check_setregid(struct ucred *cred, gid_t rgid, gid_t egid)
+{
+	int error;
+
+	MAC_CHECK(cred_check_setregid, cred, rgid, egid);
+	MAC_CHECK_PROBE3(cred_check_setregid, error, cred, rgid, egid);
+
+	return (error);
+}
+
+MAC_CHECK_PROBE_DEFINE4(cred_check_setresuid, "struct ucred *", "uid_t",
+    "uid_t", "uid_t");
+
+int
+mac_cred_check_setresuid(struct ucred *cred, uid_t ruid, uid_t euid,
+    uid_t suid)
+{
+	int error;
+
+	MAC_CHECK(cred_check_setresuid, cred, ruid, euid, suid);
+	MAC_CHECK_PROBE4(cred_check_setresuid, error, cred, ruid, euid,
+	    suid);
+
+	return (error);
+}
+
+MAC_CHECK_PROBE_DEFINE4(cred_check_setresgid, "struct ucred *", "gid_t",
+    "gid_t", "gid_t");
+
+int
+mac_cred_check_setresgid(struct ucred *cred, gid_t rgid, gid_t egid,
+    gid_t sgid)
+{
+	int error;
+
+	MAC_CHECK(cred_check_setresgid, cred, rgid, egid, sgid);
+	MAC_CHECK_PROBE4(cred_check_setresgid, error, cred, rgid, egid,
+	    sgid);
+
+	return (error);
+}
+
 MAC_CHECK_PROBE_DEFINE2(cred_check_visible, "struct ucred *",
     "struct ucred *");
 

Modified: head/sys/security/mac/mac_framework.c
==============================================================================
--- head/sys/security/mac/mac_framework.c	Sun Mar  8 06:56:13 2009	(r189528)
+++ head/sys/security/mac/mac_framework.c	Sun Mar  8 10:58:37 2009	(r189529)
@@ -17,6 +17,9 @@
  * This software was enhanced by SPARTA ISSO under SPAWAR contract 
  * N66001-04-C-6019 ("SEFOS").
  *
+ * This software was developed at the University of Cambridge Computer
+ * Laboratory with support from a grant from Google, Inc.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:

Modified: head/sys/security/mac/mac_framework.h
==============================================================================
--- head/sys/security/mac/mac_framework.h	Sun Mar  8 06:56:13 2009	(r189528)
+++ head/sys/security/mac/mac_framework.h	Sun Mar  8 10:58:37 2009	(r189529)
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 1999-2002, 2007-2008 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2007-2009 Robert N. M. Watson
  * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
  * Copyright (c) 2005-2006 SPARTA, Inc.
  * All rights reserved.
@@ -14,6 +14,9 @@
  * This software was enhanced by SPARTA ISSO under SPAWAR contract
  * N66001-04-C-6019 ("SEFOS").
  *
+ * This software was developed at the University of Cambridge Computer
+ * Laboratory with support from a grant from Google, Inc.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -105,6 +108,22 @@ void	mac_bpfdesc_destroy(struct bpf_d *)
 void	mac_bpfdesc_init(struct bpf_d *);
 
 void	mac_cred_associate_nfsd(struct ucred *cred);
+int	mac_cred_check_setaudit(struct ucred *cred, struct auditinfo *ai);
+int	mac_cred_check_setaudit_addr(struct ucred *cred,
+	    struct auditinfo_addr *aia);
+int	mac_cred_check_setauid(struct ucred *cred, uid_t auid);
+int	mac_cred_check_setegid(struct ucred *cred, gid_t egid);
+int	mac_cred_check_seteuid(struct ucred *cred, uid_t euid);
+int	mac_cred_check_setgid(struct ucred *cred, gid_t gid);
+int	mac_cred_check_setgroups(struct ucred *cred, int ngroups,
+	    gid_t *gidset);
+int	mac_cred_check_setregid(struct ucred *cred, gid_t rgid, gid_t egid);
+int	mac_cred_check_setresgid(struct ucred *cred, gid_t rgid, gid_t egid,
+	    gid_t sgid);
+int	mac_cred_check_setresuid(struct ucred *cred, uid_t ruid, uid_t euid,
+	    uid_t suid);
+int	mac_cred_check_setreuid(struct ucred *cred, uid_t ruid, uid_t euid);
+int	mac_cred_check_setuid(struct ucred *cred, uid_t uid);
 int	mac_cred_check_visible(struct ucred *cr1, struct ucred *cr2);
 void	mac_cred_copy(struct ucred *cr1, struct ucred *cr2);
 void	mac_cred_create_init(struct ucred *cred);
@@ -233,28 +252,6 @@ int	mac_priv_grant(struct ucred *cred, i
 
 int	mac_proc_check_debug(struct ucred *cred, struct proc *p);
 int	mac_proc_check_sched(struct ucred *cred, struct proc *p);
-int	mac_proc_check_setaudit(struct ucred *cred, struct auditinfo *ai);
-int	mac_proc_check_setaudit_addr(struct ucred *cred,
-	    struct auditinfo_addr *aia);
-int	mac_proc_check_setauid(struct ucred *cred, uid_t auid);
-int	mac_proc_check_setegid(struct proc *p, struct ucred *cred,
-	    gid_t egid);
-int	mac_proc_check_seteuid(struct proc *p, struct ucred *cred,
-	    uid_t euid);
-int	mac_proc_check_setgid(struct proc *p, struct ucred *cred,
-	    gid_t gid);
-int	mac_proc_check_setgroups(struct proc *p, struct ucred *cred,
-	    int ngroups, gid_t *gidset);
-int	mac_proc_check_setregid(struct proc *p, struct ucred *cred,
-	    gid_t rgid, gid_t egid);
-int	mac_proc_check_setresgid(struct proc *p, struct ucred *cred,
-	    gid_t rgid, gid_t egid, gid_t sgid);
-int	mac_proc_check_setresuid(struct proc *p, struct ucred *cred,
-	    uid_t ruid, uid_t euid, uid_t suid);
-int	mac_proc_check_setreuid(struct proc *p, struct ucred *cred,
-	    uid_t ruid, uid_t euid);
-int	mac_proc_check_setuid(struct proc *p,  struct ucred *cred,
-	    uid_t uid);
 int	mac_proc_check_signal(struct ucred *cred, struct proc *p,
 	    int signum);
 int	mac_proc_check_wait(struct ucred *cred, struct proc *p);

Modified: head/sys/security/mac/mac_policy.h
==============================================================================
--- head/sys/security/mac/mac_policy.h	Sun Mar  8 06:56:13 2009	(r189528)
+++ head/sys/security/mac/mac_policy.h	Sun Mar  8 10:58:37 2009	(r189529)
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 1999-2002, 2007-2008 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2007-2009 Robert N. M. Watson
  * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
  * Copyright (c) 2005-2006 SPARTA, Inc.
  * Copyright (c) 2008 Apple Inc.
@@ -15,6 +15,9 @@
  * This software was enhanced by SPARTA ISSO under SPAWAR contract 
  * N66001-04-C-6019 ("SEFOS").
  *
+ * This software was developed at the University of Cambridge Computer
+ * Laboratory with support from a grant from Google, Inc.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -132,6 +135,25 @@ typedef void	(*mpo_bpfdesc_init_label_t)
 typedef void	(*mpo_cred_associate_nfsd_t)(struct ucred *cred);
 typedef int	(*mpo_cred_check_relabel_t)(struct ucred *cred,
 		    struct label *newlabel);
+typedef int	(*mpo_cred_check_setaudit_t)(struct ucred *cred,
+		    struct auditinfo *ai);
+typedef int	(*mpo_cred_check_setaudit_addr_t)(struct ucred *cred,
+		    struct auditinfo_addr *aia);
+typedef int	(*mpo_cred_check_setauid_t)(struct ucred *cred, uid_t auid);
+typedef int	(*mpo_cred_check_setegid_t)(struct ucred *cred, gid_t egid);
+typedef int	(*mpo_cred_check_seteuid_t)(struct ucred *cred, uid_t euid);
+typedef int	(*mpo_cred_check_setgid_t)(struct ucred *cred, gid_t gid);
+typedef int	(*mpo_cred_check_setgroups_t)(struct ucred *cred, int ngroups,
+		    gid_t *gidset);
+typedef int	(*mpo_cred_check_setregid_t)(struct ucred *cred, gid_t rgid,
+		    gid_t egid);
+typedef int	(*mpo_cred_check_setresgid_t)(struct ucred *cred, gid_t rgid,
+		    gid_t egid, gid_t sgid);
+typedef int	(*mpo_cred_check_setresuid_t)(struct ucred *cred, uid_t ruid,
+		    uid_t euid, uid_t suid);
+typedef int	(*mpo_cred_check_setreuid_t)(struct ucred *cred, uid_t ruid,
+		    uid_t euid);
+typedef int	(*mpo_cred_check_setuid_t)(struct ucred *cred, uid_t uid);
 typedef int	(*mpo_cred_check_visible_t)(struct ucred *cr1,
 		    struct ucred *cr2);
 typedef void	(*mpo_cred_copy_label_t)(struct label *src,
@@ -353,25 +375,6 @@ typedef int	(*mpo_proc_check_debug_t)(st
 		    struct proc *p);
 typedef int	(*mpo_proc_check_sched_t)(struct ucred *cred,
 		    struct proc *p);
-typedef int	(*mpo_proc_check_setaudit_t)(struct ucred *cred,
-		    struct auditinfo *ai);
-typedef int	(*mpo_proc_check_setaudit_addr_t)(struct ucred *cred,
-		    struct auditinfo_addr *aia);
-typedef int	(*mpo_proc_check_setauid_t)(struct ucred *cred, uid_t auid);
-typedef int	(*mpo_proc_check_setegid_t)(struct ucred *cred, gid_t egid);
-typedef int	(*mpo_proc_check_seteuid_t)(struct ucred *cred, uid_t euid);
-typedef int	(*mpo_proc_check_setgid_t)(struct ucred *cred, gid_t gid);
-typedef int	(*mpo_proc_check_setgroups_t)(struct ucred *cred, int ngroups,
-		    gid_t *gidset);
-typedef int	(*mpo_proc_check_setregid_t)(struct ucred *cred, gid_t rgid,
-		    gid_t egid);
-typedef int	(*mpo_proc_check_setresgid_t)(struct ucred *cred, gid_t rgid,
-		    gid_t egid, gid_t sgid);
-typedef int	(*mpo_proc_check_setresuid_t)(struct ucred *cred, uid_t ruid,
-		    uid_t euid, uid_t suid);
-typedef int	(*mpo_proc_check_setreuid_t)(struct ucred *cred, uid_t ruid,
-		    uid_t euid);
-typedef int	(*mpo_proc_check_setuid_t)(struct ucred *cred, uid_t uid);
 typedef int	(*mpo_proc_check_signal_t)(struct ucred *cred,
 		    struct proc *proc, int signum);
 typedef int	(*mpo_proc_check_wait_t)(struct ucred *cred,
@@ -679,6 +682,18 @@ struct mac_policy_ops {
 
 	mpo_cred_associate_nfsd_t		mpo_cred_associate_nfsd;
 	mpo_cred_check_relabel_t		mpo_cred_check_relabel;
+	mpo_cred_check_setaudit_t		mpo_cred_check_setaudit;
+	mpo_cred_check_setaudit_addr_t		mpo_cred_check_setaudit_addr;
+	mpo_cred_check_setauid_t		mpo_cred_check_setauid;
+	mpo_cred_check_setuid_t			mpo_cred_check_setuid;
+	mpo_cred_check_seteuid_t		mpo_cred_check_seteuid;
+	mpo_cred_check_setgid_t			mpo_cred_check_setgid;
+	mpo_cred_check_setegid_t		mpo_cred_check_setegid;
+	mpo_cred_check_setgroups_t		mpo_cred_check_setgroups;
+	mpo_cred_check_setreuid_t		mpo_cred_check_setreuid;
+	mpo_cred_check_setregid_t		mpo_cred_check_setregid;
+	mpo_cred_check_setresuid_t		mpo_cred_check_setresuid;
+	mpo_cred_check_setresgid_t		mpo_cred_check_setresgid;
 	mpo_cred_check_visible_t		mpo_cred_check_visible;
 	mpo_cred_copy_label_t			mpo_cred_copy_label;
 	mpo_cred_create_swapper_t		mpo_cred_create_swapper;
@@ -798,18 +813,6 @@ struct mac_policy_ops {
 
 	mpo_proc_check_debug_t			mpo_proc_check_debug;
 	mpo_proc_check_sched_t			mpo_proc_check_sched;
-	mpo_proc_check_setaudit_t		mpo_proc_check_setaudit;
-	mpo_proc_check_setaudit_addr_t		mpo_proc_check_setaudit_addr;
-	mpo_proc_check_setauid_t		mpo_proc_check_setauid;
-	mpo_proc_check_setuid_t			mpo_proc_check_setuid;
-	mpo_proc_check_seteuid_t		mpo_proc_check_seteuid;
-	mpo_proc_check_setgid_t			mpo_proc_check_setgid;
-	mpo_proc_check_setegid_t		mpo_proc_check_setegid;
-	mpo_proc_check_setgroups_t		mpo_proc_check_setgroups;
-	mpo_proc_check_setreuid_t		mpo_proc_check_setreuid;
-	mpo_proc_check_setregid_t		mpo_proc_check_setregid;
-	mpo_proc_check_setresuid_t		mpo_proc_check_setresuid;
-	mpo_proc_check_setresgid_t		mpo_proc_check_setresgid;
 	mpo_proc_check_signal_t			mpo_proc_check_signal;
 	mpo_proc_check_wait_t			mpo_proc_check_wait;
 	mpo_proc_destroy_label_t		mpo_proc_destroy_label;

Modified: head/sys/security/mac/mac_process.c
==============================================================================
--- head/sys/security/mac/mac_process.c	Sun Mar  8 06:56:13 2009	(r189528)
+++ head/sys/security/mac/mac_process.c	Sun Mar  8 10:58:37 2009	(r189529)
@@ -2,7 +2,6 @@
  * Copyright (c) 1999-2002, 2008-2009 Robert N. M. Watson
  * Copyright (c) 2001 Ilmar S. Habibulin
  * Copyright (c) 2001-2003 Networks Associates Technology, Inc.
- * Copyright (c) 2005 Samy Al Bahra
  * Copyright (c) 2006 SPARTA, Inc.
  * Copyright (c) 2008 Apple Inc.
  * All rights reserved.
@@ -424,153 +423,6 @@ mac_proc_check_signal(struct ucred *cred
 	return (error);
 }
 
-MAC_CHECK_PROBE_DEFINE2(proc_check_setuid, "struct ucred *", "uid_t");
-
-int
-mac_proc_check_setuid(struct proc *p, struct ucred *cred, uid_t uid)
-{
-	int error;
-
-	PROC_LOCK_ASSERT(p, MA_OWNED);
-
-	MAC_CHECK(proc_check_setuid, cred, uid);
-	MAC_CHECK_PROBE2(proc_check_setuid, error, cred, uid);
-
-	return (error);
-}
-
-MAC_CHECK_PROBE_DEFINE2(proc_check_seteuid, "struct ucred *", "uid_t");
-
-int
-mac_proc_check_seteuid(struct proc *p, struct ucred *cred, uid_t euid)
-{
-	int error;
-
-	PROC_LOCK_ASSERT(p, MA_OWNED);
-
-	MAC_CHECK(proc_check_seteuid, cred, euid);
-	MAC_CHECK_PROBE2(proc_check_seteuid, error, cred, euid);
-
-	return (error);
-}
-
-MAC_CHECK_PROBE_DEFINE2(proc_check_setgid, "struct ucred *", "gid_t");
-
-int
-mac_proc_check_setgid(struct proc *p, struct ucred *cred, gid_t gid)
-{
-	int error;
-
-	PROC_LOCK_ASSERT(p, MA_OWNED);
-
-	MAC_CHECK(proc_check_setgid, cred, gid);
-	MAC_CHECK_PROBE2(proc_check_setgid, error, cred, gid);
-
-	return (error);
-}
-
-MAC_CHECK_PROBE_DEFINE2(proc_check_setegid, "struct ucred *", "gid_t");
-
-int
-mac_proc_check_setegid(struct proc *p, struct ucred *cred, gid_t egid)
-{
-	int error;
-
-	PROC_LOCK_ASSERT(p, MA_OWNED);
-
-	MAC_CHECK(proc_check_setegid, cred, egid);
-	MAC_CHECK_PROBE2(proc_check_setegid, error, cred, egid);
-
-	return (error);
-}
-
-MAC_CHECK_PROBE_DEFINE3(proc_check_setgroups, "struct ucred *", "int",
-    "gid_t *");
-
-int
-mac_proc_check_setgroups(struct proc *p, struct ucred *cred, int ngroups,
-    gid_t *gidset)
-{
-	int error;
-
-	PROC_LOCK_ASSERT(p, MA_OWNED);
-
-	MAC_CHECK(proc_check_setgroups, cred, ngroups, gidset);
-	MAC_CHECK_PROBE3(proc_check_setgroups, error, cred, ngroups, gidset);
-
-	return (error);
-}
-
-MAC_CHECK_PROBE_DEFINE3(proc_check_setreuid, "struct ucred *", "uid_t",
-    "uid_t");
-
-int
-mac_proc_check_setreuid(struct proc *p, struct ucred *cred, uid_t ruid,
-    uid_t euid)
-{
-	int error;
-
-	PROC_LOCK_ASSERT(p, MA_OWNED);
-
-	MAC_CHECK(proc_check_setreuid, cred, ruid, euid);
-	MAC_CHECK_PROBE3(proc_check_setreuid, error, cred, ruid, euid);
-
-	return (error);
-}
-
-MAC_CHECK_PROBE_DEFINE3(proc_check_setregid, "struct ucred *", "gid_t",
-    "gid_t");
-
-int
-mac_proc_check_setregid(struct proc *proc, struct ucred *cred, gid_t rgid,
-    gid_t egid)
-{
-	int error;
-
-	PROC_LOCK_ASSERT(proc, MA_OWNED);
-
-	MAC_CHECK(proc_check_setregid, cred, rgid, egid);
-	MAC_CHECK_PROBE3(proc_check_setregid, error, cred, rgid, egid);
-
-	return (error);
-}
-
-MAC_CHECK_PROBE_DEFINE4(proc_check_setresuid, "struct ucred *", "uid_t",
-    "uid_t", "uid_t");
-
-int
-mac_proc_check_setresuid(struct proc *p, struct ucred *cred, uid_t ruid,
-    uid_t euid, uid_t suid)
-{
-	int error;
-
-	PROC_LOCK_ASSERT(p, MA_OWNED);
-
-	MAC_CHECK(proc_check_setresuid, cred, ruid, euid, suid);
-	MAC_CHECK_PROBE4(proc_check_setresuid, error, cred, ruid, euid,
-	    suid);
-
-	return (error);
-}
-
-MAC_CHECK_PROBE_DEFINE4(proc_check_setresgid, "struct ucred *", "gid_t",
-    "gid_t", "gid_t");
-
-int
-mac_proc_check_setresgid(struct proc *p, struct ucred *cred, gid_t rgid,
-    gid_t egid, gid_t sgid)
-{
-	int error;
-
-	PROC_LOCK_ASSERT(p, MA_OWNED);
-
-	MAC_CHECK(proc_check_setresgid, cred, rgid, egid, sgid);
-	MAC_CHECK_PROBE4(proc_check_setresgid, error, cred, rgid, egid,
-	    sgid);
-
-	return (error);
-}
-
 MAC_CHECK_PROBE_DEFINE2(proc_check_wait, "struct ucred *", "struct proc *");
 
 int

Modified: head/sys/security/mac_stub/mac_stub.c
==============================================================================
--- head/sys/security/mac_stub/mac_stub.c	Sun Mar  8 06:56:13 2009	(r189528)
+++ head/sys/security/mac_stub/mac_stub.c	Sun Mar  8 10:58:37 2009	(r189529)
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 1999-2002, 2007-2008 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2007-2009 Robert N. M. Watson
  * Copyright (c) 2001-2005 McAfee, Inc.
  * Copyright (c) 2005-2006 SPARTA, Inc.
  * Copyright (c) 2008 Apple Inc.
@@ -15,6 +15,9 @@
  * This software was enhanced by SPARTA ISSO under SPAWAR contract
  * N66001-04-C-6019 ("SEFOS").
  *
+ * This software was developed at the University of Cambridge Computer
+ * Laboratory with support from a grant from Google, Inc.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -199,6 +202,93 @@ stub_cred_check_relabel(struct ucred *cr
 }
 
 static int
+stub_cred_check_setaudit(struct ucred *cred, struct auditinfo *ai)
+{
+
+	return (0);
+}
+
+static int
+stub_cred_check_setaudit_addr(struct ucred *cred, struct auditinfo_addr *aia)
+{
+
+	return (0);
+}
+
+static int
+stub_cred_check_setauid(struct ucred *cred, uid_t auid)
+{
+
+	return (0);
+}
+
+static int
+stub_cred_check_setegid(struct ucred *cred, gid_t egid)
+{
+
+	return (0);
+}
+
+static int
+stub_cred_check_seteuid(struct ucred *cred, uid_t euid)
+{
+
+	return (0);
+}
+
+static int
+stub_cred_check_setgid(struct ucred *cred, gid_t gid)
+{
+
+	return (0);
+}
+
+static int
+stub_cred_check_setgroups(struct ucred *cred, int ngroups,
+	gid_t *gidset)
+{
+
+	return (0);
+}
+
+static int
+stub_cred_check_setregid(struct ucred *cred, gid_t rgid, gid_t egid)
+{
+
+	return (0);
+}
+
+static int
+stub_cred_check_setresgid(struct ucred *cred, gid_t rgid, gid_t egid,
+	gid_t sgid)
+{
+
+	return (0);
+}
+
+static int
+stub_cred_check_setresuid(struct ucred *cred, uid_t ruid, uid_t euid,
+	uid_t suid)
+{
+
+	return (0);
+}
+
+static int
+stub_cred_check_setreuid(struct ucred *cred, uid_t ruid, uid_t euid)
+{
+
+	return (0);
+}
+
+static int
+stub_cred_check_setuid(struct ucred *cred, uid_t uid)
+{
+
+	return (0);
+}
+
+static int
 stub_cred_check_visible(struct ucred *cr1, struct ucred *cr2)
 {
 
@@ -701,93 +791,6 @@ stub_proc_check_sched(struct ucred *cred
 }
 
 static int
-stub_proc_check_setaudit(struct ucred *cred, struct auditinfo *ai)
-{
-
-	return (0);
-}
-
-static int
-stub_proc_check_setaudit_addr(struct ucred *cred, struct auditinfo_addr *aia)
-{
-
-	return (0);
-}
-
-static int
-stub_proc_check_setauid(struct ucred *cred, uid_t auid)
-{
-
-	return (0);
-}
-
-static int
-stub_proc_check_setegid(struct ucred *cred, gid_t egid)
-{
-
-	return (0);
-}
-
-static int
-stub_proc_check_seteuid(struct ucred *cred, uid_t euid)
-{
-
-	return (0);
-}
-
-static int
-stub_proc_check_setgid(struct ucred *cred, gid_t gid)
-{
-
-	return (0);
-}
-
-static int
-stub_proc_check_setgroups(struct ucred *cred, int ngroups,
-	gid_t *gidset)
-{
-
-	return (0);
-}
-
-static int
-stub_proc_check_setregid(struct ucred *cred, gid_t rgid, gid_t egid)
-{
-
-	return (0);
-}
-
-static int
-stub_proc_check_setresgid(struct ucred *cred, gid_t rgid, gid_t egid,
-	gid_t sgid)
-{
-
-	return (0);
-}
-
-static int
-stub_proc_check_setresuid(struct ucred *cred, uid_t ruid, uid_t euid,
-	uid_t suid)
-{
-
-	return (0);
-}
-
-static int
-stub_proc_check_setreuid(struct ucred *cred, uid_t ruid, uid_t euid)
-{
-
-	return (0);
-}
-
-static int
-stub_proc_check_setuid(struct ucred *cred, uid_t uid)
-{
-
-	return (0);
-}
-
-static int
 stub_proc_check_signal(struct ucred *cred, struct proc *p, int signum)
 {
 
@@ -1541,6 +1544,18 @@ static struct mac_policy_ops stub_ops =
 
 	.mpo_cred_associate_nfsd = stub_cred_associate_nfsd,
 	.mpo_cred_check_relabel = stub_cred_check_relabel,
+	.mpo_cred_check_setaudit = stub_cred_check_setaudit,
+	.mpo_cred_check_setaudit_addr = stub_cred_check_setaudit_addr,
+	.mpo_cred_check_setauid = stub_cred_check_setauid,
+	.mpo_cred_check_setegid = stub_cred_check_setegid,
+	.mpo_cred_check_seteuid = stub_cred_check_seteuid,
+	.mpo_cred_check_setgid = stub_cred_check_setgid,
+	.mpo_cred_check_setgroups = stub_cred_check_setgroups,
+	.mpo_cred_check_setregid = stub_cred_check_setregid,
+	.mpo_cred_check_setresgid = stub_cred_check_setresgid,
+	.mpo_cred_check_setresuid = stub_cred_check_setresuid,
+	.mpo_cred_check_setreuid = stub_cred_check_setreuid,
+	.mpo_cred_check_setuid = stub_cred_check_setuid,
 	.mpo_cred_check_visible = stub_cred_check_visible,
 	.mpo_cred_copy_label = stub_copy_label,
 	.mpo_cred_create_init = stub_cred_create_init,
@@ -1660,18 +1675,6 @@ static struct mac_policy_ops stub_ops =
 
 	.mpo_proc_check_debug = stub_proc_check_debug,
 	.mpo_proc_check_sched = stub_proc_check_sched,
-	.mpo_proc_check_setaudit = stub_proc_check_setaudit,
-	.mpo_proc_check_setaudit_addr = stub_proc_check_setaudit_addr,
-	.mpo_proc_check_setauid = stub_proc_check_setauid,
-	.mpo_proc_check_setegid = stub_proc_check_setegid,
-	.mpo_proc_check_seteuid = stub_proc_check_seteuid,
-	.mpo_proc_check_setgid = stub_proc_check_setgid,
-	.mpo_proc_check_setgroups = stub_proc_check_setgroups,
-	.mpo_proc_check_setregid = stub_proc_check_setregid,
-	.mpo_proc_check_setresgid = stub_proc_check_setresgid,
-	.mpo_proc_check_setresuid = stub_proc_check_setresuid,
-	.mpo_proc_check_setreuid = stub_proc_check_setreuid,
-	.mpo_proc_check_setuid = stub_proc_check_setuid,
 	.mpo_proc_check_signal = stub_proc_check_signal,
 	.mpo_proc_check_wait = stub_proc_check_wait,
 

Modified: head/sys/security/mac_test/mac_test.c
==============================================================================
--- head/sys/security/mac_test/mac_test.c	Sun Mar  8 06:56:13 2009	(r189528)
+++ head/sys/security/mac_test/mac_test.c	Sun Mar  8 10:58:37 2009	(r189529)
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 1999-2002, 2007-2008 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2007-2009 Robert N. M. Watson
  * Copyright (c) 2001-2005 McAfee, Inc.
  * Copyright (c) 2006 SPARTA, Inc.
  * Copyright (c) 2008 Apple Inc.
@@ -15,6 +15,9 @@
  * This software was enhanced by SPARTA ISSO under SPAWAR contract
  * N66001-04-C-6019 ("SEFOS").
  *
+ * This software was developed at the University of Cambridge Computer
+ * Laboratory with support from a grant from Google, Inc.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -220,6 +223,142 @@ test_cred_check_relabel(struct ucred *cr
 	return (0);
 }
 
+COUNTER_DECL(cred_check_setaudit);
+static int
+test_cred_check_setaudit(struct ucred *cred, struct auditinfo *ai)
+{
+
+	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+	COUNTER_INC(cred_check_setaudit);
+
+	return (0);
+}
+
+COUNTER_DECL(cred_check_setaudit_addr);
+static int
+test_cred_check_setaudit_addr(struct ucred *cred,
+    struct auditinfo_addr *aia)
+{
+
+	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+	COUNTER_INC(cred_check_setaudit_addr);
+
+	return (0);
+}
+
+COUNTER_DECL(cred_check_setauid);
+static int
+test_cred_check_setauid(struct ucred *cred, uid_t auid)
+{
+
+	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+	COUNTER_INC(cred_check_setauid);
+
+	return (0);
+}
+
+COUNTER_DECL(cred_check_setegid);
+static int
+test_cred_check_setegid(struct ucred *cred, gid_t egid)
+{
+
+	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+	COUNTER_INC(cred_check_setegid);
+
+	return (0);
+}
+
+COUNTER_DECL(proc_check_euid);
+static int
+test_cred_check_seteuid(struct ucred *cred, uid_t euid)
+{
+
+	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+	COUNTER_INC(proc_check_euid);
+
+	return (0);
+}
+
+COUNTER_DECL(cred_check_setregid);
+static int
+test_cred_check_setregid(struct ucred *cred, gid_t rgid, gid_t egid)
+{
+
+	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+	COUNTER_INC(cred_check_setregid);
+
+	return (0);
+}
+
+COUNTER_DECL(cred_check_setreuid);
+static int
+test_cred_check_setreuid(struct ucred *cred, uid_t ruid, uid_t euid)
+{

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***


More information about the svn-src-all mailing list