PERFORCE change 20708 for review

Robert Watson rwatson at freebsd.org
Tue Nov 5 18:22:59 GMT 2002


http://perforce.freebsd.org/chv.cgi?CH=20708

Change 20708 by rwatson at rwatson_tislabs on 2002/11/05 10:22:43

	Pass the execlabel into policies explicitly in the execve
	entry points, rather than relying on policies grubbing through
	imgp.

Affected files ...

.. //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#352 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#180 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_bsdextended/mac_bsdextended.c#64 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.c#35 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#143 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_none/mac_none.c#103 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#79 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#167 edit

Differences ...

==== //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#352 (text+ko) ====

@@ -1330,7 +1330,7 @@
 		return;
 
 	MAC_PERFORM(execve_transition, old, new, vp, &vp->v_label,
-	    interpvnodelabel, imgp);
+	    interpvnodelabel, imgp, imgp->execlabel);
 }
 
 int
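Review bot: `imgp->execlabel` is handed to every policy here with no statement of whether it can be NULL, and the same applies to the `MAC_BOOLEAN(execve_will_transition, ...)` and `MAC_CHECK(check_vnode_exec, ...)` calls in the next two hunks. If an exec without a caller-supplied label leaves that field unset (not visible in this diff), every policy must test `execlabel != NULL` before reading it, and the call site should say so, e.g. `/* execlabel may be NULL when no label was supplied with the exec; policies must check before use. */`. Because `imgp` is still passed alongside it, it is also worth stating that policies should use the explicit argument and not reach back into `imgp->execlabel`, so the two cannot diverge. The enclosing function starts outside the hunk.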
@@ -1346,7 +1346,7 @@
 
 	result = 0;
 	MAC_BOOLEAN(execve_will_transition, ||, old, vp, &vp->v_label,
-	    interpvnodelabel, imgp);
+	    interpvnodelabel, imgp, imgp->execlabel);
 
 	return (result);
 }
@@ -1451,7 +1451,8 @@
 	if (!mac_enforce_process && !mac_enforce_fs)
 		return (0);
 
-	MAC_CHECK(check_vnode_exec, cred, vp, &vp->v_label, imgp);
+	MAC_CHECK(check_vnode_exec, cred, vp, &vp->v_label, imgp,
+	    imgp->execlabel);
 
 	return (error);
 }

==== //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#180 (text+ko) ====

@@ -2044,7 +2044,8 @@
 
 static int
 mac_biba_check_vnode_exec(struct ucred *cred, struct vnode *vp,
-    struct label *label, struct image_params *imgp)
+    struct label *label, struct image_params *imgp,
+    struct label *execlabel)
 {
 	struct mac_biba *subj, *obj;
 
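Review bot: The new `execlabel` parameter of `mac_biba_check_vnode_exec` is not referenced in the visible lines, and the body continues outside the hunk, so it cannot be confirmed here that the check consults it. For an integrity policy, a label supplied with the exec request is an input to the access decision; if this change leaves it unused, a follow-up should validate it (when non-NULL) against the subject credential's label and return an error on mismatch rather than ignoring it. The same question applies to `mac_mls_check_vnode_exec` and to the two `mac_lomac_execve_*` entry points further down. If enforcement is deliberately deferred, a comment such as `/* execlabel: optional label supplied with the exec request; not yet enforced by this policy. */` would make that explicit.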

==== //depot/projects/trustedbsd/mac/sys/security/mac_bsdextended/mac_bsdextended.c#64 (text+ko) ====

@@ -410,7 +410,8 @@
 
 static int
 mac_bsdextended_check_vnode_exec(struct ucred *cred, struct vnode *vp,
-    struct label *label, struct image_params *imgp)
+    struct label *label, struct image_params *imgp,
+    struct label *execlabel)
 {
 	struct vattr vap;
 	int error;

==== //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.c#35 (text+ko) ====

@@ -1508,7 +1508,8 @@
 static void
 mac_lomac_execve_transition(struct ucred *old, struct ucred *new,
     struct vnode *vp, struct label *vnodelabel,
-    struct label *interpvnodelabel, struct image_params *imgp)
+    struct label *interpvnodelabel, struct image_params *imgp,
+    struct label *execlabel)
 {
 	struct mac_lomac *source, *dest, *obj, *robj;
 
@@ -1544,7 +1545,7 @@
 static int
 mac_lomac_execve_will_transition(struct ucred *old, struct vnode *vp,
     struct label *vnodelabel, struct label *interpvnodelabel,
-    struct image_params *imgp)
+    struct image_params *imgp, struct label *execlabel)
 {
 	struct mac_lomac *subj, *obj, *robj;
 

==== //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#143 (text+ko) ====

@@ -1881,7 +1881,8 @@
 
 static int
 mac_mls_check_vnode_exec(struct ucred *cred, struct vnode *vp,
-    struct label *label, struct image_params *imgp)
+    struct label *label, struct image_params *imgp,
+    struct label *execlabel)
 {
 	struct mac_mls *subj, *obj;
 

==== //depot/projects/trustedbsd/mac/sys/security/mac_none/mac_none.c#103 (text+ko) ====

@@ -417,7 +417,8 @@
 static void
 mac_none_execve_transition(struct ucred *old, struct ucred *new,
     struct vnode *vp, struct label *vnodelabel,
-    struct label *interpvnodelabel, struct image_params *imgp)
+    struct label *interpvnodelabel, struct image_params *imgp,
+    struct label *execlabel)
 {
 
 }
@@ -425,7 +426,7 @@
 static int
 mac_none_execve_will_transition(struct ucred *old, struct vnode *vp,
     struct label *vnodelabel, struct label *interpvnodelabel,
-    struct image_params *imgp)
+    struct image_params *imgp, struct label *execlabel)
 {
 
 	return (0);
@@ -738,7 +739,8 @@
 
 static int
 mac_none_check_vnode_exec(struct ucred *cred, struct vnode *vp,
-    struct label *label, struct image_params *imgp)
+    struct label *label, struct image_params *imgp,
+    struct label *execlabel)
 {
 
 	return (0);

==== //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#79 (text+ko) ====

@@ -796,7 +796,8 @@
 static void
 mac_test_execve_transition(struct ucred *old, struct ucred *new,
     struct vnode *vp, struct label *filelabel,
-    struct label *interpvnodelabel, struct image_params *imgp)
+    struct label *interpvnodelabel, struct image_params *imgp,
+    struct label *execlabel)
 {
 
 }
@@ -804,7 +805,7 @@
 static int
 mac_test_execve_will_transition(struct ucred *old, struct vnode *vp,
     struct label *filelabel, struct label *interpvnodelabel,
-    struct image_params *imgp)
+    struct image_params *imgp, struct label *execlabel)
 {
 
 	return (0);
@@ -1134,7 +1135,8 @@
 
 static int
 mac_test_check_vnode_exec(struct ucred *cred, struct vnode *vp,
-    struct label *label, struct image_params *imgp)
+    struct label *label, struct image_params *imgp,
+    struct label *execlabel)
 {
 
 	return (0);

==== //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#167 (text+ko) ====

@@ -246,11 +246,11 @@
 	void	(*mpo_execve_transition)(struct ucred *old, struct ucred *new,
 		    struct vnode *vp, struct label *vnodelabel,
 		    struct label *interpvnodelabel,
-		    struct image_params *imgp);
+		    struct image_params *imgp, struct label *execlabel);
 	int	(*mpo_execve_will_transition)(struct ucred *old,
 		    struct vnode *vp, struct label *vnodelabel,
 		    struct label *interpvnodelabel,
-		    struct image_params *imgp);
+		    struct image_params *imgp, struct label *execlabel);
 	void	(*mpo_create_proc0)(struct ucred *cred);
 	void	(*mpo_create_proc1)(struct ucred *cred);
 	void	(*mpo_relabel_cred)(struct ucred *cred,
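Review bot: Appending `struct label *execlabel` to `mpo_execve_transition` and `mpo_execve_will_transition` (and to `mpo_check_vnode_exec` in the next hunk) changes the prototype of existing function-pointer slots, so a policy module built against the old header would still install its old-signature functions into them. Nothing in this diff bumps an interface or module version that would reject such modules at load time; if the framework has one, it should change with this commit. A short comment above these members stating whether `execlabel` may be NULL would also put the contract where policy authors look for it. The structure these members belong to starts and ends outside the hunk.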
@@ -344,7 +344,8 @@
 	int	(*mpo_check_vnode_deleteacl)(struct ucred *cred,
 		    struct vnode *vp, struct label *label, acl_type_t type);
 	int	(*mpo_check_vnode_exec)(struct ucred *cred, struct vnode *vp,
-		    struct label *label, struct image_params *imgp);
+		    struct label *label, struct image_params *imgp,
+		    struct label *execlabel);
 	int	(*mpo_check_vnode_getacl)(struct ucred *cred,
 		    struct vnode *vp, struct label *label, acl_type_t type);
 	int	(*mpo_check_vnode_getextattr)(struct ucred *cred,


