kern: security: Improve scalability of MAC checks

The concept of resource borders is mostly used for resources that can easily be mapped into memory, synced and contain attributes. However, some things (e.g., a network resource, keyboard input, etc) may not be great with raw memory mappings. This commit mitigates this problem. Signed-off-by: Ian Moffett <ian@osmora.org>
author: Ian Moffett <ian@osmora.org> 2025-10-09 15:46:59 -0400
committer: Ian Moffett <ian@osmora.org> 2025-10-09 15:46:59 -0400
commit: 22a4e1692886c118955da0326ed45bf4a8f7682e (patch)
tree: ea3f71b3140f442a260a0ebc3cc7c365445339c3 /src/sys/os
parent: 55af95ee7eb7ac85a0da2cfe5c76745fc718e96e (diff)
1 files changed, 4 insertions, 7 deletions
diff --git a/src/sys/os/os_mac.c b/src/sys/os/os_mac.c
index 898b476..2443b23 100644
--- a/src/sys/os/os_mac.c
+++ b/src/sys/os/os_mac.c
@@ -39,17 +39,14 @@ static struct mac_border *bortab[__BORDER_MAX] = {
     [BORDER_FBDEV] = &g_fbdev_border
 };
 
-/*
- * Check process creds against border
- */
 int
-mac_check_creds(struct proc *procp, struct mac_border *mbp)
+mac_check_lvl(struct proc *procp, mac_level_t lvl)
 {
-    if (procp == NULL || mbp == NULL) {
+    if (procp == NULL) {
         return -EINVAL;
     }
 
-    if (procp->level < mbp->level) {
+    if (procp->level < lvl) {
         return -EACCES;
     }
 
@@ -75,7 +72,7 @@ mac_map(struct mac_border *mbp, off_t off, size_t len, void **res, int flags)
         return -EINVAL;
     }
 
-    error = mac_check_creds(procp, mbp);
+    error = mac_check_lvl(procp, mbp->level);
     if (error < 0) {
         return error;
     }
author	Ian Moffett <ian@osmora.org>	2025-10-09 15:46:59 -0400
committer	Ian Moffett <ian@osmora.org>	2025-10-09 15:46:59 -0400
commit	22a4e1692886c118955da0326ed45bf4a8f7682e (patch)
tree	ea3f71b3140f442a260a0ebc3cc7c365445339c3 /src/sys/os
parent	55af95ee7eb7ac85a0da2cfe5c76745fc718e96e (diff)