mirror of
https://github.com/opnsense/src.git
synced 2026-02-15 16:48:36 -05:00
(1) Abstract interpreter vnode labeling in execve(2) and mac_execve(2)
so that the general exec code isn't aware of the details of
allocating, copying, and freeing labels, rather, simply passes in
a void pointer to start and stop functions that will be used by
the framework. This change will be MFC'd.
(2) Introduce a new flags field to the MAC_POLICY_SET(9) interface
allowing policies to declare which types of objects require label
allocation, initialization, and destruction, and define a set of
flags covering various supported object types (MPC_OBJECT_PROC,
MPC_OBJECT_VNODE, MPC_OBJECT_INPCB, ...). This change reduces the
overhead of compiling the MAC Framework into the kernel if policies
aren't loaded, or if policies require labels on only a small number
or even no object types. Each time a policy is loaded or unloaded,
we recalculate a mask of labeled object types across all policies
present in the system. Eliminate MAC_ALWAYS_LABEL_MBUF option as it
is no longer required.
MFC after: 1 week ((1) only)
Reviewed by: csjp
Obtained from: TrustedBSD Project
Sponsored by: Apple, Inc.
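The following is an added example, not code from FreeBSD, OPNsense or the TrustedBSD Project, that models the mechanism described in part (2) of the commit message: each loaded policy declares which object types it needs labels on, the framework recomputes the union of those flags whenever a policy is loaded or unloaded, and label allocation is skipped entirely for object types no loaded policy cares about. It also sketches the opaque start/stop pair from part (1), where generic exec code only carries a `void *`. The flag bit values, the `policy_conf`/`label` structs, and every function name here (`policy_register`, `policy_unregister`, `labeled_mask`, `object_is_labeled`, `exec_label_start`, `exec_label_stop`, `exec_label_roundtrip`) are assumptions for illustration; the real definitions live in mac_policy.h and mac_framework.c and are not reproduced here. The two sample policies are constructed inline.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Object-type flags as named in the commit message; bit values are assumed. */
#define MPC_OBJECT_PROC   0x00000001u
#define MPC_OBJECT_VNODE  0x00000002u
#define MPC_OBJECT_INPCB  0x00000004u
#define MPC_OBJECT_MBUF   0x00000008u

/* Toy stand-in for a policy registration record (assumed layout). */
struct policy_conf {
	const char *name;
	uint32_t labeled;           /* MPC_OBJECT_* bits this policy labels */
	struct policy_conf *next;
};

static struct policy_conf *policies;   /* currently loaded policies */
static uint32_t mac_labeled_mask;      /* union of labeled bits, recomputed */

/* Recalculate the mask of labeled object types across all loaded policies. */
static void
policy_update_mask(void)
{
	uint32_t mask = 0;
	for (struct policy_conf *p = policies; p != NULL; p = p->next)
		mask |= p->labeled;
	mac_labeled_mask = mask;
}

int
policy_register(struct policy_conf *p)
{
	p->next = policies;
	policies = p;
	policy_update_mask();
	return 0;
}

/* Returns -1 if the policy is not loaded; otherwise unlinks it and recomputes. */
int
policy_unregister(struct policy_conf *p)
{
	for (struct policy_conf **pp = &policies; *pp != NULL; pp = &(*pp)->next) {
		if (*pp == p) {
			*pp = p->next;
			p->next = NULL;
			policy_update_mask();
			return 0;
		}
	}
	return -1;
}

uint32_t
labeled_mask(void)
{
	return mac_labeled_mask;
}

/* The framework only pays for a label when some loaded policy wants one. */
int
object_is_labeled(uint32_t objtype)
{
	return (mac_labeled_mask & objtype) != 0;
}

/* Opaque label; generic code (exec) only ever holds a void * to it. */
struct label {
	uint32_t objtype;
	uintptr_t slots[4];   /* per-policy slots, toy size */
};

/* Part (1): start returns NULL when no loaded policy labels vnodes. */
void *
exec_label_start(void)
{
	if (!object_is_labeled(MPC_OBJECT_VNODE))
		return NULL;
	struct label *l = calloc(1, sizeof(*l));
	if (l != NULL)
		l->objtype = MPC_OBJECT_VNODE;
	return l;
}

void
exec_label_stop(void *handle)
{
	free(handle);   /* free(NULL) is a no-op, so exec needs no check */
}

/* Returns 1 if exec got a label to carry, 0 if labeling was skipped. */
int
exec_label_roundtrip(void)
{
	void *h = exec_label_start();
	int labeled = (h != NULL);
	exec_label_stop(h);
	return labeled;
}

/* Constructed sample policies, not real MAC modules. */
struct policy_conf sample_vnode_policy = { "sample_vnode", MPC_OBJECT_PROC | MPC_OBJECT_VNODE, NULL };
struct policy_conf sample_inpcb_policy = { "sample_inpcb", MPC_OBJECT_INPCB, NULL };

int
main(void)
{
	printf("no policies: exec labeled=%d\n", exec_label_roundtrip());
	policy_register(&sample_vnode_policy);
	printf("vnode policy loaded: mask=0x%x exec labeled=%d\n",
	    labeled_mask(), exec_label_roundtrip());
	policy_unregister(&sample_vnode_policy);
	printf("unloaded: mask=0x%x exec labeled=%d\n",
	    labeled_mask(), exec_label_roundtrip());
	return 0;
}
```

The check that matters for the "reduced overhead" claim is the `object_is_labeled()` gate in front of every allocation: with no policy loaded, or with policies that label only sockets, exec never allocates or frees a vnode label, and the mask is recomputed only at load/unload time, so the per-object fast path is a single bit test.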
| File |
|---|
| mac_atalk.c |
| mac_audit.c |
| mac_framework.c |
| mac_framework.h |
| mac_inet.c |
| mac_inet6.c |
| mac_internal.h |
| mac_label.c |
| mac_net.c |
| mac_pipe.c |
| mac_policy.h |
| mac_posix_sem.c |
| mac_posix_shm.c |
| mac_priv.c |
| mac_process.c |
| mac_socket.c |
| mac_syscalls.c |
| mac_system.c |
| mac_sysv_msg.c |
| mac_sysv_sem.c |
| mac_sysv_shm.c |
| mac_vfs.c |