svn commit: r184407 - in head/sys: kern nfsserver security/mac security/mac_biba security/mac_lomac security/mac_mls security/mac_partition security/mac_stub security/mac_test

Robert Watson rwatson at FreeBSD.org
Tue Oct 28 04:33:07 PDT 2008


Author: rwatson
Date: Tue Oct 28 11:33:06 2008
New Revision: 184407
URL: http://svn.freebsd.org/changeset/base/184407

Log:
  Rename three MAC entry points from _proc_ to _cred_ to reflect the fact
  that they operate directly on credentials: mac_proc_create_swapper(),
  mac_proc_create_init(), and mac_proc_associate_nfsd().  Update policies.
  
  Obtained from:	TrustedBSD Project

Modified:
  head/sys/kern/init_main.c
  head/sys/nfsserver/nfs_srvsock.c
  head/sys/security/mac/mac_framework.h
  head/sys/security/mac/mac_policy.h
  head/sys/security/mac/mac_process.c
  head/sys/security/mac_biba/mac_biba.c
  head/sys/security/mac_lomac/mac_lomac.c
  head/sys/security/mac_mls/mac_mls.c
  head/sys/security/mac_partition/mac_partition.c
  head/sys/security/mac_stub/mac_stub.c
  head/sys/security/mac_test/mac_test.c

Modified: head/sys/kern/init_main.c
==============================================================================
--- head/sys/kern/init_main.c	Tue Oct 28 10:37:40 2008	(r184406)
+++ head/sys/kern/init_main.c	Tue Oct 28 11:33:06 2008	(r184407)
@@ -456,7 +456,7 @@ proc0_init(void *dummy __unused)
 	audit_cred_kproc0(p->p_ucred);
 #endif
 #ifdef MAC
-	mac_proc_create_swapper(p->p_ucred);
+	mac_cred_create_swapper(p->p_ucred);
 #endif
 	td->td_ucred = crhold(p->p_ucred);
 
@@ -736,7 +736,7 @@ create_init(const void *udata __unused)
 	oldcred = initproc->p_ucred;
 	crcopy(newcred, oldcred);
 #ifdef MAC
-	mac_proc_create_init(newcred);
+	mac_cred_create_init(newcred);
 #endif
 #ifdef AUDIT
 	audit_cred_proc1(newcred);

Modified: head/sys/nfsserver/nfs_srvsock.c
==============================================================================
--- head/sys/nfsserver/nfs_srvsock.c	Tue Oct 28 10:37:40 2008	(r184406)
+++ head/sys/nfsserver/nfs_srvsock.c	Tue Oct 28 11:33:06 2008	(r184407)
@@ -360,7 +360,7 @@ nfs_getreq(struct nfsrv_descript *nd, st
 		nd->nd_cr->cr_groups[0] = nd->nd_cr->cr_rgid =
 		    nd->nd_cr->cr_svgid = fxdr_unsigned(gid_t, *tl++);
 #ifdef MAC
-		mac_proc_associate_nfsd(nd->nd_cr);
+		mac_cred_associate_nfsd(nd->nd_cr);
 #endif
 		len = fxdr_unsigned(int, *tl);
 		if (len < 0 || len > RPCAUTH_UNIXGIDS) {

Modified: head/sys/security/mac/mac_framework.h
==============================================================================
--- head/sys/security/mac/mac_framework.h	Tue Oct 28 10:37:40 2008	(r184406)
+++ head/sys/security/mac/mac_framework.h	Tue Oct 28 11:33:06 2008	(r184407)
@@ -103,8 +103,11 @@ void	mac_bpfdesc_create_mbuf(struct bpf_
 void	mac_bpfdesc_destroy(struct bpf_d *);
 void	mac_bpfdesc_init(struct bpf_d *);
 
+void	mac_cred_associate_nfsd(struct ucred *cred);
 int	mac_cred_check_visible(struct ucred *cr1, struct ucred *cr2);
 void	mac_cred_copy(struct ucred *cr1, struct ucred *cr2);
+void	mac_cred_create_init(struct ucred *cred);
+void	mac_cred_create_swapper(struct ucred *cred);
 void	mac_cred_destroy(struct ucred *);
 void	mac_cred_init(struct ucred *);
 
@@ -227,7 +230,6 @@ void	mac_posixshm_init(struct shmfd *);
 int	mac_priv_check(struct ucred *cred, int priv);
 int	mac_priv_grant(struct ucred *cred, int priv);
 
-void	mac_proc_associate_nfsd(struct ucred *cred);
 int	mac_proc_check_debug(struct ucred *cred, struct proc *p);
 int	mac_proc_check_sched(struct ucred *cred, struct proc *p);
 int	mac_proc_check_setaudit(struct ucred *cred, struct auditinfo *ai);
@@ -255,8 +257,6 @@ int	mac_proc_check_setuid(struct proc *p
 int	mac_proc_check_signal(struct ucred *cred, struct proc *p,
 	    int signum);
 int	mac_proc_check_wait(struct ucred *cred, struct proc *p);
-void	mac_proc_create_init(struct ucred *cred);
-void	mac_proc_create_swapper(struct ucred *cred);
 void	mac_proc_destroy(struct proc *);
 void	mac_proc_init(struct proc *);
 int	mac_execve_enter(struct image_params *imgp, struct mac *mac_p);

Modified: head/sys/security/mac/mac_policy.h
==============================================================================
--- head/sys/security/mac/mac_policy.h	Tue Oct 28 10:37:40 2008	(r184406)
+++ head/sys/security/mac/mac_policy.h	Tue Oct 28 11:33:06 2008	(r184407)
@@ -128,12 +128,15 @@ typedef void	(*mpo_bpfdesc_create_mbuf_t
 typedef void	(*mpo_bpfdesc_destroy_label_t)(struct label *label);
 typedef void	(*mpo_bpfdesc_init_label_t)(struct label *label);
 
+typedef void	(*mpo_cred_associate_nfsd_t)(struct ucred *cred);
 typedef int	(*mpo_cred_check_relabel_t)(struct ucred *cred,
 		    struct label *newlabel);
 typedef int	(*mpo_cred_check_visible_t)(struct ucred *cr1,
 		    struct ucred *cr2);
 typedef void	(*mpo_cred_copy_label_t)(struct label *src,
 		    struct label *dest);
+typedef void	(*mpo_cred_create_init_t)(struct ucred *cred);
+typedef void	(*mpo_cred_create_swapper_t)(struct ucred *cred);
 typedef void	(*mpo_cred_destroy_label_t)(struct label *label);
 typedef int	(*mpo_cred_externalize_label_t)(struct label *label,
 		    char *element_name, struct sbuf *sb, int *claimed);
@@ -345,7 +348,6 @@ typedef void	(*mpo_posixshm_init_label_t
 typedef int	(*mpo_priv_check_t)(struct ucred *cred, int priv);
 typedef int	(*mpo_priv_grant_t)(struct ucred *cred, int priv);
 
-typedef void	(*mpo_proc_associate_nfsd_t)(struct ucred *cred);
 typedef int	(*mpo_proc_check_debug_t)(struct ucred *cred,
 		    struct proc *p);
 typedef int	(*mpo_proc_check_sched_t)(struct ucred *cred,
@@ -373,8 +375,6 @@ typedef int	(*mpo_proc_check_signal_t)(s
 		    struct proc *proc, int signum);
 typedef int	(*mpo_proc_check_wait_t)(struct ucred *cred,
 		    struct proc *proc);
-typedef void	(*mpo_proc_create_init_t)(struct ucred *cred);
-typedef void	(*mpo_proc_create_swapper_t)(struct ucred *cred);
 typedef void	(*mpo_proc_destroy_label_t)(struct label *label);
 typedef void	(*mpo_proc_init_label_t)(struct label *label);
 
@@ -674,9 +674,12 @@ struct mac_policy_ops {
 	mpo_bpfdesc_destroy_label_t		mpo_bpfdesc_destroy_label;
 	mpo_bpfdesc_init_label_t		mpo_bpfdesc_init_label;
 
+	mpo_cred_associate_nfsd_t		mpo_cred_associate_nfsd;
 	mpo_cred_check_relabel_t		mpo_cred_check_relabel;
 	mpo_cred_check_visible_t		mpo_cred_check_visible;
 	mpo_cred_copy_label_t			mpo_cred_copy_label;
+	mpo_cred_create_swapper_t		mpo_cred_create_swapper;
+	mpo_cred_create_init_t			mpo_cred_create_init;
 	mpo_cred_destroy_label_t		mpo_cred_destroy_label;
 	mpo_cred_externalize_label_t		mpo_cred_externalize_label;
 	mpo_cred_init_label_t			mpo_cred_init_label;
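Review bot: In struct mac_policy_ops the new members are listed as `mpo_cred_create_swapper` then `mpo_cred_create_init`, which breaks the alphabetical order the rest of the cred section follows and disagrees with the typedef order just above (init, then swapper) and with the biba/mls/stub/test ops tables. Swapping the two lines, `mpo_cred_create_init_t mpo_cred_create_init;` followed by `mpo_cred_create_swapper_t mpo_cred_create_swapper;`, keeps the table consistent; the same order is carried into the lomac ops table. This is cosmetic only, since every policy uses designated initializers.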
@@ -790,7 +793,6 @@ struct mac_policy_ops {
 	mpo_priv_check_t			mpo_priv_check;
 	mpo_priv_grant_t			mpo_priv_grant;
 
-	mpo_proc_associate_nfsd_t		mpo_proc_associate_nfsd;
 	mpo_proc_check_debug_t			mpo_proc_check_debug;
 	mpo_proc_check_sched_t			mpo_proc_check_sched;
 	mpo_proc_check_setaudit_t		mpo_proc_check_setaudit;
@@ -807,8 +809,6 @@ struct mac_policy_ops {
 	mpo_proc_check_setresgid_t		mpo_proc_check_setresgid;
 	mpo_proc_check_signal_t			mpo_proc_check_signal;
 	mpo_proc_check_wait_t			mpo_proc_check_wait;
-	mpo_proc_create_swapper_t		mpo_proc_create_swapper;
-	mpo_proc_create_init_t			mpo_proc_create_init;
 	mpo_proc_destroy_label_t		mpo_proc_destroy_label;
 	mpo_proc_init_label_t			mpo_proc_init_label;
 

Modified: head/sys/security/mac/mac_process.c
==============================================================================
--- head/sys/security/mac/mac_process.c	Tue Oct 28 10:37:40 2008	(r184406)
+++ head/sys/security/mac/mac_process.c	Tue Oct 28 11:33:06 2008	(r184407)
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 1999-2002 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2008 Robert N. M. Watson
  * Copyright (c) 2001 Ilmar S. Habibulin
  * Copyright (c) 2001-2003 Networks Associates Technology, Inc.
  * Copyright (c) 2005 Samy Al Bahra
@@ -160,25 +160,20 @@ mac_proc_destroy(struct proc *p)
 	}
 }
 
-int
-mac_cred_externalize_label(struct label *label, char *elements,
-    char *outbuf, size_t outbuflen)
-{
-	int error;
-
-	MAC_EXTERNALIZE(cred, label, elements, outbuf, outbuflen);
-
-	return (error);
-}
-
-int
-mac_cred_internalize_label(struct label *label, char *string)
+/*
+ * When a thread becomes an NFS server daemon, its credential may need to be
+ * updated to reflect this so that policies can recognize when file system
+ * operations originate from the network.
+ *
+ * At some point, it would be desirable if the credential used for each NFS
+ * RPC could be set based on the RPC context (i.e., source system, etc) to
+ * provide more fine-grained access control.
+ */
+void
+mac_cred_associate_nfsd(struct ucred *cred)
 {
-	int error;
 
-	MAC_INTERNALIZE(cred, label, string);
-
-	return (error);
+	MAC_PERFORM(cred_associate_nfsd, cred);
 }
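Review bot: The relocated comment above mac_cred_associate_nfsd describes the hook as firing "when a thread becomes an NFS server daemon", but the only caller visible in this commit is nfs_getreq() in nfs_srvsock.c, which invokes it per request on `nd->nd_cr` immediately after the AUTH_UNIX uid/gid have been decoded from the wire. If that is the sole caller, the wording understates what already happens (the credential is already per-RPC; what is missing is deriving its label from the RPC context). Suggest opening the comment with `When the NFS server builds the credential for an incoming request (nfs_getreq), policies may adjust its label so that file system operations originating from the network can be recognized.` and keeping the second paragraph as the remaining wish for source-host-based labeling. The surrounding create_swapper/create_init comments start outside this hunk.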
 
 /*
@@ -186,10 +181,10 @@ mac_cred_internalize_label(struct label 
  * processes and threads are spawned.
  */
 void
-mac_proc_create_swapper(struct ucred *cred)
+mac_cred_create_swapper(struct ucred *cred)
 {
 
-	MAC_PERFORM(proc_create_swapper, cred);
+	MAC_PERFORM(cred_create_swapper, cred);
 }
 
 /*
@@ -197,26 +192,31 @@ mac_proc_create_swapper(struct ucred *cr
  * userland processes and threads are spawned.
  */
 void
-mac_proc_create_init(struct ucred *cred)
+mac_cred_create_init(struct ucred *cred)
 {
 
-	MAC_PERFORM(proc_create_init, cred);
+	MAC_PERFORM(cred_create_init, cred);
 }
 
-/*
- * When a thread becomes an NFS server daemon, its credential may need to be
- * updated to reflect this so that policies can recognize when file system
- * operations originate from the network.
- *
- * At some point, it would be desirable if the credential used for each NFS
- * RPC could be set based on the RPC context (i.e., source system, etc) to
- * provide more fine-grained access control.
- */
-void
-mac_proc_associate_nfsd(struct ucred *cred)
+int
+mac_cred_externalize_label(struct label *label, char *elements,
+    char *outbuf, size_t outbuflen)
 {
+	int error;
 
-	MAC_PERFORM(proc_associate_nfsd, cred);
+	MAC_EXTERNALIZE(cred, label, elements, outbuf, outbuflen);
+
+	return (error);
+}
+
+int
+mac_cred_internalize_label(struct label *label, char *string)
+{
+	int error;
+
+	MAC_INTERNALIZE(cred, label, string);
+
+	return (error);
 }
 
 void

Modified: head/sys/security/mac_biba/mac_biba.c
==============================================================================
--- head/sys/security/mac_biba/mac_biba.c	Tue Oct 28 10:37:40 2008	(r184406)
+++ head/sys/security/mac_biba/mac_biba.c	Tue Oct 28 11:33:06 2008	(r184407)
@@ -815,6 +815,17 @@ biba_bpfdesc_create_mbuf(struct bpf_d *d
 	biba_copy_effective(source, dest);
 }
 
+static void
+biba_cred_associate_nfsd(struct ucred *cred)
+{
+	struct mac_biba *label;
+
+	label = SLOT(cred->cr_label);
+	biba_set_effective(label, MAC_BIBA_TYPE_LOW, 0, NULL);
+	biba_set_range(label, MAC_BIBA_TYPE_LOW, 0, NULL, MAC_BIBA_TYPE_HIGH,
+	    0, NULL);
+}
+
 static int
 biba_cred_check_relabel(struct ucred *cred, struct label *newlabel)
 {
@@ -895,6 +906,30 @@ biba_cred_check_visible(struct ucred *u1
 }
 
 static void
+biba_cred_create_init(struct ucred *cred)
+{
+	struct mac_biba *dest;
+
+	dest = SLOT(cred->cr_label);
+
+	biba_set_effective(dest, MAC_BIBA_TYPE_HIGH, 0, NULL);
+	biba_set_range(dest, MAC_BIBA_TYPE_LOW, 0, NULL, MAC_BIBA_TYPE_HIGH,
+	    0, NULL);
+}
+
+static void
+biba_cred_create_swapper(struct ucred *cred)
+{
+	struct mac_biba *dest;
+
+	dest = SLOT(cred->cr_label);
+
+	biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL);
+	biba_set_range(dest, MAC_BIBA_TYPE_LOW, 0, NULL, MAC_BIBA_TYPE_HIGH,
+	    0, NULL);
+}
+
+static void
 biba_cred_relabel(struct ucred *cred, struct label *newlabel)
 {
 	struct mac_biba *source, *dest;
@@ -1818,17 +1853,6 @@ biba_priv_check(struct ucred *cred, int 
 	return (0);
 }
 
-static void
-biba_proc_associate_nfsd(struct ucred *cred)
-{
-	struct mac_biba *label;
-
-	label = SLOT(cred->cr_label);
-	biba_set_effective(label, MAC_BIBA_TYPE_LOW, 0, NULL);
-	biba_set_range(label, MAC_BIBA_TYPE_LOW, 0, NULL, MAC_BIBA_TYPE_HIGH,
-	    0, NULL);
-}
-
 static int
 biba_proc_check_debug(struct ucred *cred, struct proc *p)
 {
@@ -1904,30 +1928,6 @@ biba_socket_check_deliver(struct socket 
 	return (biba_equal_effective(p, s) ? 0 : EACCES);
 }
 
-static void
-biba_proc_create_init(struct ucred *cred)
-{
-	struct mac_biba *dest;
-
-	dest = SLOT(cred->cr_label);
-
-	biba_set_effective(dest, MAC_BIBA_TYPE_HIGH, 0, NULL);
-	biba_set_range(dest, MAC_BIBA_TYPE_LOW, 0, NULL, MAC_BIBA_TYPE_HIGH,
-	    0, NULL);
-}
-
-static void
-biba_proc_create_swapper(struct ucred *cred)
-{
-	struct mac_biba *dest;
-
-	dest = SLOT(cred->cr_label);
-
-	biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL);
-	biba_set_range(dest, MAC_BIBA_TYPE_LOW, 0, NULL, MAC_BIBA_TYPE_HIGH,
-	    0, NULL);
-}
-
 static int
 biba_socket_check_relabel(struct ucred *cred, struct socket *so,
     struct label *solabel, struct label *newlabel)
@@ -3334,9 +3334,12 @@ static struct mac_policy_ops mac_biba_op
 	.mpo_bpfdesc_destroy_label = biba_destroy_label,
 	.mpo_bpfdesc_init_label = biba_init_label,
 
+	.mpo_cred_associate_nfsd = biba_cred_associate_nfsd,
 	.mpo_cred_check_relabel = biba_cred_check_relabel,
 	.mpo_cred_check_visible = biba_cred_check_visible,
 	.mpo_cred_copy_label = biba_copy_label,
+	.mpo_cred_create_init = biba_cred_create_init,
+	.mpo_cred_create_swapper = biba_cred_create_swapper,
 	.mpo_cred_destroy_label = biba_destroy_label,
 	.mpo_cred_externalize_label = biba_externalize_label,
 	.mpo_cred_init_label = biba_init_label,
@@ -3432,12 +3435,9 @@ static struct mac_policy_ops mac_biba_op
 
 	.mpo_priv_check = biba_priv_check,
 
-	.mpo_proc_associate_nfsd = biba_proc_associate_nfsd,
 	.mpo_proc_check_debug = biba_proc_check_debug,
 	.mpo_proc_check_sched = biba_proc_check_sched,
 	.mpo_proc_check_signal = biba_proc_check_signal,
-	.mpo_proc_create_init = biba_proc_create_init,
-	.mpo_proc_create_swapper = biba_proc_create_swapper,
 
 	.mpo_socket_check_deliver = biba_socket_check_deliver,
 	.mpo_socket_check_relabel = biba_socket_check_relabel,

Modified: head/sys/security/mac_lomac/mac_lomac.c
==============================================================================
--- head/sys/security/mac_lomac/mac_lomac.c	Tue Oct 28 10:37:40 2008	(r184406)
+++ head/sys/security/mac_lomac/mac_lomac.c	Tue Oct 28 11:33:06 2008	(r184407)
@@ -993,6 +993,29 @@ lomac_cred_check_visible(struct ucred *c
 
 	return (0);
 }
+
+static void
+lomac_cred_create_init(struct ucred *cred)
+{
+	struct mac_lomac *dest;
+
+	dest = SLOT(cred->cr_label);
+
+	lomac_set_single(dest, MAC_LOMAC_TYPE_HIGH, 0);
+	lomac_set_range(dest, MAC_LOMAC_TYPE_LOW, 0, MAC_LOMAC_TYPE_HIGH, 0);
+}
+
+static void
+lomac_cred_create_swapper(struct ucred *cred)
+{
+	struct mac_lomac *dest;
+
+	dest = SLOT(cred->cr_label);
+
+	lomac_set_single(dest, MAC_LOMAC_TYPE_EQUAL, 0);
+	lomac_set_range(dest, MAC_LOMAC_TYPE_LOW, 0, MAC_LOMAC_TYPE_HIGH, 0);
+}
+
 static void
 lomac_cred_relabel(struct ucred *cred, struct label *newlabel)
 {
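Review bot: LOMAC gains cred_create_init/cred_create_swapper here but, unlike Biba and MLS, registers no cred_associate_nfsd handler, and no proc_associate_nfsd is removed from it either, so this is pre-existing rather than introduced by the rename. Since LOMAC is an integrity policy like Biba, which demotes the nfsd credential to LOW, it is worth a short comment stating whether leaving the nfsd credential at its inherited label is intentional, e.g. `/* No cred_associate_nfsd: NFS request credentials keep the nfsd thread's label; revisit if network-originated operations should be demoted as in Biba. */`, or an implementation mirroring biba_cred_associate_nfsd with lomac_set_single(dest, MAC_LOMAC_TYPE_LOW, 0). I cannot see the rest of the file, so a handler may already exist elsewhere.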
@@ -1885,28 +1908,6 @@ lomac_proc_check_signal(struct ucred *cr
 }
 
 static void
-lomac_proc_create_init(struct ucred *cred)
-{
-	struct mac_lomac *dest;
-
-	dest = SLOT(cred->cr_label);
-
-	lomac_set_single(dest, MAC_LOMAC_TYPE_HIGH, 0);
-	lomac_set_range(dest, MAC_LOMAC_TYPE_LOW, 0, MAC_LOMAC_TYPE_HIGH, 0);
-}
-
-static void
-lomac_proc_create_swapper(struct ucred *cred)
-{
-	struct mac_lomac *dest;
-
-	dest = SLOT(cred->cr_label);
-
-	lomac_set_single(dest, MAC_LOMAC_TYPE_EQUAL, 0);
-	lomac_set_range(dest, MAC_LOMAC_TYPE_LOW, 0, MAC_LOMAC_TYPE_HIGH, 0);
-}
-
-static void
 lomac_proc_destroy_label(struct label *label)
 {
 
@@ -2894,6 +2895,8 @@ static struct mac_policy_ops lomac_ops =
 	.mpo_cred_check_relabel = lomac_cred_check_relabel,
 	.mpo_cred_check_visible = lomac_cred_check_visible,
 	.mpo_cred_copy_label = lomac_copy_label,
+	.mpo_cred_create_swapper = lomac_cred_create_swapper,
+	.mpo_cred_create_init = lomac_cred_create_init,
 	.mpo_cred_destroy_label = lomac_destroy_label,
 	.mpo_cred_externalize_label = lomac_externalize_label,
 	.mpo_cred_init_label = lomac_init_label,
@@ -2983,8 +2986,6 @@ static struct mac_policy_ops lomac_ops =
 	.mpo_proc_check_debug = lomac_proc_check_debug,
 	.mpo_proc_check_sched = lomac_proc_check_sched,
 	.mpo_proc_check_signal = lomac_proc_check_signal,
-	.mpo_proc_create_swapper = lomac_proc_create_swapper,
-	.mpo_proc_create_init = lomac_proc_create_init,
 	.mpo_proc_destroy_label = lomac_proc_destroy_label,
 	.mpo_proc_init_label = lomac_proc_init_label,
 

Modified: head/sys/security/mac_mls/mac_mls.c
==============================================================================
--- head/sys/security/mac_mls/mac_mls.c	Tue Oct 28 10:37:40 2008	(r184406)
+++ head/sys/security/mac_mls/mac_mls.c	Tue Oct 28 11:33:06 2008	(r184407)
@@ -776,6 +776,17 @@ mls_bpfdesc_create_mbuf(struct bpf_d *d,
 	mls_copy_effective(source, dest);
 }
 
+static void
+mls_cred_associate_nfsd(struct ucred *cred) 
+{
+	struct mac_mls *label;
+
+	label = SLOT(cred->cr_label);
+	mls_set_effective(label, MAC_MLS_TYPE_LOW, 0, NULL);
+	mls_set_range(label, MAC_MLS_TYPE_LOW, 0, NULL, MAC_MLS_TYPE_HIGH, 0,
+	    NULL);
+}
+
 static int
 mls_cred_check_relabel(struct ucred *cred, struct label *newlabel)
 {
@@ -855,6 +866,30 @@ mls_cred_check_visible(struct ucred *cr1
 }
 
 static void
+mls_cred_create_init(struct ucred *cred)
+{
+	struct mac_mls *dest;
+
+	dest = SLOT(cred->cr_label);
+
+	mls_set_effective(dest, MAC_MLS_TYPE_LOW, 0, NULL);
+	mls_set_range(dest, MAC_MLS_TYPE_LOW, 0, NULL, MAC_MLS_TYPE_HIGH, 0,
+	    NULL);
+}
+
+static void
+mls_cred_create_swapper(struct ucred *cred)
+{
+	struct mac_mls *dest;
+
+	dest = SLOT(cred->cr_label);
+
+	mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL);
+	mls_set_range(dest, MAC_MLS_TYPE_LOW, 0, NULL, MAC_MLS_TYPE_HIGH, 0,
+	    NULL);
+}
+
+static void
 mls_cred_relabel(struct ucred *cred, struct label *newlabel)
 {
 	struct mac_mls *source, *dest;
@@ -1523,17 +1558,6 @@ mls_posixsem_create(struct ucred *cred, 
 	mls_copy_effective(source, dest);
 }
 
-static void
-mls_proc_associate_nfsd(struct ucred *cred) 
-{
-	struct mac_mls *label;
-
-	label = SLOT(cred->cr_label);
-	mls_set_effective(label, MAC_MLS_TYPE_LOW, 0, NULL);
-	mls_set_range(label, MAC_MLS_TYPE_LOW, 0, NULL, MAC_MLS_TYPE_HIGH, 0,
-	    NULL);
-}
-
 static int
 mls_proc_check_debug(struct ucred *cred, struct proc *p)
 {
@@ -1594,30 +1618,6 @@ mls_proc_check_signal(struct ucred *cred
 	return (0);
 }
 
-static void
-mls_proc_create_init(struct ucred *cred)
-{
-	struct mac_mls *dest;
-
-	dest = SLOT(cred->cr_label);
-
-	mls_set_effective(dest, MAC_MLS_TYPE_LOW, 0, NULL);
-	mls_set_range(dest, MAC_MLS_TYPE_LOW, 0, NULL, MAC_MLS_TYPE_HIGH, 0,
-	    NULL);
-}
-
-static void
-mls_proc_create_swapper(struct ucred *cred)
-{
-	struct mac_mls *dest;
-
-	dest = SLOT(cred->cr_label);
-
-	mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL);
-	mls_set_range(dest, MAC_MLS_TYPE_LOW, 0, NULL, MAC_MLS_TYPE_HIGH, 0,
-	    NULL);
-}
-
 static int
 mls_socket_check_deliver(struct socket *so, struct label *solabel,
     struct mbuf *m, struct label *mlabel)
@@ -2957,9 +2957,12 @@ static struct mac_policy_ops mls_ops =
 	.mpo_bpfdesc_destroy_label = mls_destroy_label,
 	.mpo_bpfdesc_init_label = mls_init_label,
 
+	.mpo_cred_associate_nfsd = mls_cred_associate_nfsd,
 	.mpo_cred_check_relabel = mls_cred_check_relabel,
 	.mpo_cred_check_visible = mls_cred_check_visible,
 	.mpo_cred_copy_label = mls_copy_label,
+	.mpo_cred_create_init = mls_cred_create_init,
+	.mpo_cred_create_swapper = mls_cred_create_swapper,
 	.mpo_cred_destroy_label = mls_destroy_label,
 	.mpo_cred_externalize_label = mls_externalize_label,
 	.mpo_cred_init_label = mls_init_label,
@@ -3051,12 +3054,9 @@ static struct mac_policy_ops mls_ops =
 	.mpo_posixsem_destroy_label = mls_destroy_label,
 	.mpo_posixsem_init_label = mls_init_label,
 
-	.mpo_proc_associate_nfsd = mls_proc_associate_nfsd,
 	.mpo_proc_check_debug = mls_proc_check_debug,
 	.mpo_proc_check_sched = mls_proc_check_sched,
 	.mpo_proc_check_signal = mls_proc_check_signal,
-	.mpo_proc_create_init = mls_proc_create_init,
-	.mpo_proc_create_swapper = mls_proc_create_swapper,
 
 	.mpo_socket_check_deliver = mls_socket_check_deliver,
 	.mpo_socket_check_relabel = mls_socket_check_relabel,

Modified: head/sys/security/mac_partition/mac_partition.c
==============================================================================
--- head/sys/security/mac_partition/mac_partition.c	Tue Oct 28 10:37:40 2008	(r184406)
+++ head/sys/security/mac_partition/mac_partition.c	Tue Oct 28 11:33:06 2008	(r184407)
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 1999-2002, 2007 Robert N. M. Watson
+ * Copyright (c) 1999-2002, 2007-2008 Robert N. M. Watson
  * Copyright (c) 2001-2002 Networks Associates Technology, Inc.
  * Copyright (c) 2006 SPARTA, Inc.
  * Copyright (c) 2008 Apple Inc.
@@ -155,6 +155,20 @@ partition_cred_copy_label(struct label *
 }
 
 static void
+partition_cred_create_init(struct ucred *cred)
+{
+
+	SLOT_SET(cred->cr_label, 0);
+}
+
+static void
+partition_cred_create_swapper(struct ucred *cred)
+{
+
+	SLOT_SET(cred->cr_label, 0);
+}
+
+static void
 partition_cred_destroy_label(struct label *label)
 {
 
@@ -251,20 +265,6 @@ partition_proc_check_signal(struct ucred
 	return (error ? ESRCH : 0);
 }
 
-static void
-partition_proc_create_init(struct ucred *cred)
-{
-
-	SLOT_SET(cred->cr_label, 0);
-}
-
-static void
-partition_proc_create_swapper(struct ucred *cred)
-{
-
-	SLOT_SET(cred->cr_label, 0);
-}
-
 static int
 partition_socket_check_visible(struct ucred *cred, struct socket *so,
     struct label *solabel)
@@ -300,6 +300,8 @@ static struct mac_policy_ops partition_o
 	.mpo_cred_check_relabel = partition_cred_check_relabel,
 	.mpo_cred_check_visible = partition_cred_check_visible,
 	.mpo_cred_copy_label = partition_cred_copy_label,
+	.mpo_cred_create_init = partition_cred_create_init,
+	.mpo_cred_create_swapper = partition_cred_create_swapper,
 	.mpo_cred_destroy_label = partition_cred_destroy_label,
 	.mpo_cred_externalize_label = partition_cred_externalize_label,
 	.mpo_cred_init_label = partition_cred_init_label,
@@ -309,8 +311,6 @@ static struct mac_policy_ops partition_o
 	.mpo_proc_check_debug = partition_proc_check_debug,
 	.mpo_proc_check_sched = partition_proc_check_sched,
 	.mpo_proc_check_signal = partition_proc_check_signal,
-	.mpo_proc_create_init = partition_proc_create_init,
-	.mpo_proc_create_swapper = partition_proc_create_swapper,
 	.mpo_socket_check_visible = partition_socket_check_visible,
 	.mpo_vnode_check_exec = partition_vnode_check_exec,
 };

Modified: head/sys/security/mac_stub/mac_stub.c
==============================================================================
--- head/sys/security/mac_stub/mac_stub.c	Tue Oct 28 10:37:40 2008	(r184406)
+++ head/sys/security/mac_stub/mac_stub.c	Tue Oct 28 11:33:06 2008	(r184407)
@@ -185,6 +185,12 @@ stub_bpfdesc_create_mbuf(struct bpf_d *d
 
 }
 
+static void
+stub_cred_associate_nfsd(struct ucred *cred)
+{
+
+}
+
 static int
 stub_cred_check_relabel(struct ucred *cred, struct label *newlabel)
 {
@@ -200,6 +206,18 @@ stub_cred_check_visible(struct ucred *cr
 }
 
 static void
+stub_cred_create_init(struct ucred *cred)
+{
+
+}
+
+static void
+stub_cred_create_swapper(struct ucred *cred)
+{
+
+}
+
+static void
 stub_cred_relabel(struct ucred *cred, struct label *newlabel)
 {
 
@@ -668,12 +686,6 @@ stub_priv_grant(struct ucred *cred, int 
 	return (EPERM);
 }
 
-static void
-stub_proc_associate_nfsd(struct ucred *cred)
-{
-
-}
-
 static int
 stub_proc_check_debug(struct ucred *cred, struct proc *p)
 {
@@ -789,18 +801,6 @@ stub_proc_check_wait(struct ucred *cred,
 	return (0);
 }
 
-static void
-stub_proc_create_init(struct ucred *cred)
-{
-
-}
-
-static void
-stub_proc_create_swapper(struct ucred *cred)
-{
-
-}
-
 static int
 stub_socket_check_accept(struct ucred *cred, struct socket *so,
     struct label *solabel)
@@ -1539,9 +1539,12 @@ static struct mac_policy_ops stub_ops =
 	.mpo_bpfdesc_destroy_label = stub_destroy_label,
 	.mpo_bpfdesc_init_label = stub_init_label,
 
+	.mpo_cred_associate_nfsd = stub_cred_associate_nfsd,
 	.mpo_cred_check_relabel = stub_cred_check_relabel,
 	.mpo_cred_check_visible = stub_cred_check_visible,
 	.mpo_cred_copy_label = stub_copy_label,
+	.mpo_cred_create_init = stub_cred_create_init,
+	.mpo_cred_create_swapper = stub_cred_create_swapper,
 	.mpo_cred_destroy_label = stub_destroy_label,
 	.mpo_cred_externalize_label = stub_externalize_label,
 	.mpo_cred_init_label = stub_init_label,
@@ -1655,7 +1658,6 @@ static struct mac_policy_ops stub_ops =
 	.mpo_priv_check = stub_priv_check,
 	.mpo_priv_grant = stub_priv_grant,
 
-	.mpo_proc_associate_nfsd = stub_proc_associate_nfsd,
 	.mpo_proc_check_debug = stub_proc_check_debug,
 	.mpo_proc_check_sched = stub_proc_check_sched,
 	.mpo_proc_check_setaudit = stub_proc_check_setaudit,
@@ -1672,8 +1674,6 @@ static struct mac_policy_ops stub_ops =
 	.mpo_proc_check_setuid = stub_proc_check_setuid,
 	.mpo_proc_check_signal = stub_proc_check_signal,
 	.mpo_proc_check_wait = stub_proc_check_wait,
-	.mpo_proc_create_init = stub_proc_create_init,
-	.mpo_proc_create_swapper = stub_proc_create_swapper,
 
 	.mpo_socket_check_accept = stub_socket_check_accept,
 	.mpo_socket_check_bind = stub_socket_check_bind,

Modified: head/sys/security/mac_test/mac_test.c
==============================================================================
--- head/sys/security/mac_test/mac_test.c	Tue Oct 28 10:37:40 2008	(r184406)
+++ head/sys/security/mac_test/mac_test.c	Tue Oct 28 11:33:06 2008	(r184407)
@@ -242,6 +242,24 @@ test_cred_copy_label(struct label *src, 
 	COUNTER_INC(cred_copy_label);
 }
 
+COUNTER_DECL(cred_create_init);
+static void
+test_cred_create_init(struct ucred *cred)
+{
+
+	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+	COUNTER_INC(cred_create_init);
+}
+
+COUNTER_DECL(cred_create_swapper);
+static void
+test_cred_create_swapper(struct ucred *cred)
+{
+
+	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
+	COUNTER_INC(cred_create_swapper);
+}
+
 COUNTER_DECL(cred_destroy_label);
 static void
 test_cred_destroy_label(struct label *label)
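Review bot: mac_test now counts cred_create_init and cred_create_swapper, but nothing in this diff registers a cred_associate_nfsd handler and no proc_associate_nfsd is removed, so unless one exists outside the visible hunks the renamed NFS entry point gets no LABEL_CHECK/COUNTER coverage from the test policy. A matching handler plus a `.mpo_cred_associate_nfsd = test_cred_associate_nfsd,` entry in test_ops would close that gap.

```c
COUNTER_DECL(cred_associate_nfsd);
static void
test_cred_associate_nfsd(struct ucred *cred)
{

	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
	COUNTER_INC(cred_associate_nfsd);
}
/* … unchanged: test_cred_create_init / test_cred_create_swapper … */
```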
@@ -1480,24 +1498,6 @@ test_proc_check_wait(struct ucred *cred,
 	return (0);
 }
 
-COUNTER_DECL(proc_create_init);
-static void
-test_proc_create_init(struct ucred *cred)
-{
-
-	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
-	COUNTER_INC(proc_create_init);
-}
-
-COUNTER_DECL(proc_create_swapper);
-static void
-test_proc_create_swapper(struct ucred *cred)
-{
-
-	LABEL_CHECK(cred->cr_label, MAGIC_CRED);
-	COUNTER_INC(proc_create_swapper);
-}
-
 COUNTER_DECL(proc_destroy_label);
 static void
 test_proc_destroy_label(struct label *label)
@@ -2883,6 +2883,8 @@ static struct mac_policy_ops test_ops =
 	.mpo_cred_check_relabel = test_cred_check_relabel,
 	.mpo_cred_check_visible = test_cred_check_visible,
 	.mpo_cred_copy_label = test_cred_copy_label,
+	.mpo_cred_create_init = test_cred_create_init,
+	.mpo_cred_create_swapper = test_cred_create_swapper,
 	.mpo_cred_destroy_label = test_cred_destroy_label,
 	.mpo_cred_externalize_label = test_cred_externalize_label,
 	.mpo_cred_init_label = test_cred_init_label,
@@ -3022,8 +3024,6 @@ static struct mac_policy_ops test_ops =
 	.mpo_proc_check_setuid = test_proc_check_setuid,
 	.mpo_proc_check_signal = test_proc_check_signal,
 	.mpo_proc_check_wait = test_proc_check_wait,
-	.mpo_proc_create_init = test_proc_create_init,
-	.mpo_proc_create_swapper = test_proc_create_swapper,
 	.mpo_proc_destroy_label = test_proc_destroy_label,
 	.mpo_proc_init_label = test_proc_init_label,
 

