kern: security: Improve scalability of MAC checks

The concept of resource borders is mostly used for resources that can easily be mapped into memory, synced and contain attributes. However, some things (e.g., a network resource, keyboard input, etc) may not be great with raw memory mappings. This commit mitigates this problem. Signed-off-by: Ian Moffett <ian@osmora.org>
author: Ian Moffett <ian@osmora.org> 2025-10-09 15:46:59 -0400
committer: Ian Moffett <ian@osmora.org> 2025-10-09 15:46:59 -0400
commit: 22a4e1692886c118955da0326ed45bf4a8f7682e (patch)
tree: ea3f71b3140f442a260a0ebc3cc7c365445339c3 /src/sys/include
parent: 55af95ee7eb7ac85a0da2cfe5c76745fc718e96e (diff)
1 files changed, 5 insertions, 4 deletions
diff --git a/src/sys/include/os/mac.h b/src/sys/include/os/mac.h
index 2c20eab..7e7f083 100644
--- a/src/sys/include/os/mac.h
+++ b/src/sys/include/os/mac.h
@@ -92,15 +92,16 @@ struct mac_border {
 
 /*
  * Check creds with a specific process and a specific
- * resource border.
+ * MAC level, useful when a resource border is not enough
+ * for a specific application.
  *
- * @procp: Process to check with border
- * @mbp: Border to 'procp' is trying to access
+ * @procp: Process to check with level
+ * @lvl: Level to check
  *
  * Returns zero if the check passed, otherwise a less than
  * zero value if the check failed.
  */
-int mac_check_creds(struct proc *procp, struct mac_border *mbp);
+int mac_check_lvl(struct proc *procp, mac_level_t lvl);
 
 /*
  * Map a resource into process address space by
author	Ian Moffett <ian@osmora.org>	2025-10-09 15:46:59 -0400
committer	Ian Moffett <ian@osmora.org>	2025-10-09 15:46:59 -0400
commit	22a4e1692886c118955da0326ed45bf4a8f7682e (patch)
tree	ea3f71b3140f442a260a0ebc3cc7c365445339c3 /src/sys/include
parent	55af95ee7eb7ac85a0da2cfe5c76745fc718e96e (diff)