From 22a4e1692886c118955da0326ed45bf4a8f7682e Mon Sep 17 00:00:00 2001 From: Ian Moffett Date: Thu, 9 Oct 2025 15:46:59 -0400 Subject: kern: security: Improve scalability of MAC checks The concept of resource borders is mostly used for resources that can easily be mapped into memory, synced and contain attributes. However, some things (e.g., a network resource, keyboard input, etc) may not be great with raw memory mappings. This commit mitigates this problem. Signed-off-by: Ian Moffett --- src/sys/include/os/mac.h | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) (limited to 'src/sys/include/os') diff --git a/src/sys/include/os/mac.h b/src/sys/include/os/mac.h index 2c20eab..7e7f083 100644 --- a/src/sys/include/os/mac.h +++ b/src/sys/include/os/mac.h @@ -92,15 +92,16 @@ struct mac_border { /* * Check creds with a specific process and a specific - * resource border. + * MAC level, useful when a resource border is not enough + * for a specific application. * - * @procp: Process to check with border - * @mbp: Border to 'procp' is trying to access + * @procp: Process to check with level + * @lvl: Level to check * * Returns zero if the check passed, otherwise a less than * zero value if the check failed. */ -int mac_check_creds(struct proc *procp, struct mac_border *mbp); +int mac_check_lvl(struct proc *procp, mac_level_t lvl); /* * Map a resource into process address space by -- cgit v1.2.3