authorIan Moffett <ian@osmora.org>2025-10-09 15:46:59 -0400
committerIan Moffett <ian@osmora.org>2025-10-09 15:46:59 -0400
commit22a4e1692886c118955da0326ed45bf4a8f7682e (patch)
treeea3f71b3140f442a260a0ebc3cc7c365445339c3 /src
parent55af95ee7eb7ac85a0da2cfe5c76745fc718e96e (diff)
kern: security: Improve scalability of MAC checks
The concept of resource borders is mostly used for resources that can easily be mapped into memory, synced and contain attributes. However, some things (e.g., a network resource, keyboard input, etc) may not be great with raw memory mappings. This commit mitigates this problem. Signed-off-by: Ian Moffett <ian@osmora.org>
Diffstat (limited to 'src')
-rw-r--r--src/sys/compat/unix/os/os_mac.c2
-rw-r--r--src/sys/include/os/mac.h9
-rw-r--r--src/sys/os/os_mac.c11
3 files changed, 10 insertions, 12 deletions
diff --git a/src/sys/compat/unix/os/os_mac.c b/src/sys/compat/unix/os/os_mac.c
index be0ec84..4b52868 100644
--- a/src/sys/compat/unix/os/os_mac.c
+++ b/src/sys/compat/unix/os/os_mac.c
@@ -92,7 +92,7 @@ sys_query(struct syscall_args *scargs)
}
/* Can we even touch this? */
- error = mac_check_creds(self, bop);
+ error = mac_check_lvl(self, bop->level);
if (error < 0) {
return error;
}
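Review bot: `bop->level` is now read in sys_query before any check runs, whereas the old `mac_check_creds(self, bop)` rejected a NULL border with -EINVAL itself. The block that closes just above the comment may already reject a NULL `bop`, but it is outside this hunk; if it does not, add `if (bop == NULL) return -EINVAL;` before the call. The same applies to `mbp->level` in the mac_map hunk of src/sys/os/os_mac.c, where the preceding -EINVAL return presumably covers `mbp` but its condition is not shown. sys_query starts and ends outside the hunk.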
diff --git a/src/sys/include/os/mac.h b/src/sys/include/os/mac.h
index 2c20eab..7e7f083 100644
--- a/src/sys/include/os/mac.h
+++ b/src/sys/include/os/mac.h
@@ -92,15 +92,16 @@ struct mac_border {
/*
* Check creds with a specific process and a specific
- * resource border.
+ * MAC level, useful when a resource border is not enough
+ * for a specific application.
*
- * @procp: Process to check with border
- * @mbp: Border to 'procp' is trying to access
+ * @procp: Process to check with level
+ * @lvl: Level to check
*
* Returns zero if the check passed, otherwise a less than
* zero value if the check failed.
*/
-int mac_check_creds(struct proc *procp, struct mac_border *mbp);
+int mac_check_lvl(struct proc *procp, mac_level_t lvl);
/*
* Map a resource into process address space by
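Review bot: The updated comment on `mac_check_lvl` does not say which way the comparison goes or which error codes come back, and callers of an access-control primitive need both. Going by the definition in src/sys/os/os_mac.c, the check fails when the process level is below `lvl`, so I would add `* The check passes when the level of 'procp' is at or above 'lvl'.` to the description. I would also replace the generic return text with `* Returns zero if the check passed, -EINVAL if 'procp' is NULL, or -EACCES if the level of 'procp' is below 'lvl'.`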
diff --git a/src/sys/os/os_mac.c b/src/sys/os/os_mac.c
index 898b476..2443b23 100644
--- a/src/sys/os/os_mac.c
+++ b/src/sys/os/os_mac.c
@@ -39,17 +39,14 @@ static struct mac_border *bortab[__BORDER_MAX] = {
[BORDER_FBDEV] = &g_fbdev_border
};
-/*
- * Check process creds against border
- */
int
-mac_check_creds(struct proc *procp, struct mac_border *mbp)
+mac_check_lvl(struct proc *procp, mac_level_t lvl)
{
- if (procp == NULL || mbp == NULL) {
+ if (procp == NULL) {
return -EINVAL;
}
- if (procp->level < mbp->level) {
+ if (procp->level < lvl) {
return -EACCES;
}
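Review bot: `lvl` is compared as given, with no check that it is a defined MAC level, and because the function now takes a bare level instead of a border, later callers may pass values that never came from a registered `struct mac_border`. The definition of `mac_level_t` is not in this diff, so whether an out-of-range or negative value is possible is unclear; if the type has a defined maximum, rejecting anything beyond it with -EINVAL before the `procp->level < lvl` comparison would keep the check fail-closed. The old comment above the definition was removed without a replacement, so a one-line `/* Pass only if procp->level is at or above lvl */` would restore the rule at the point of enforcement. The function body continues past the end of the hunk.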
@@ -75,7 +72,7 @@ mac_map(struct mac_border *mbp, off_t off, size_t len, void **res, int flags)
return -EINVAL;
}
- error = mac_check_creds(procp, mbp);
+ error = mac_check_lvl(procp, mbp->level);
if (error < 0) {
return error;
}