From 22a4e1692886c118955da0326ed45bf4a8f7682e Mon Sep 17 00:00:00 2001
From: Ian Moffett <ian@osmora.org>
Date: Thu, 9 Oct 2025 15:46:59 -0400
Subject: kern: security: Improve scalability of MAC checks

The concept of resource borders is mostly used for resources that can
easily be mapped into memory, synced and contain attributes. However,
some things (e.g., a network resource, keyboard input, etc) may not be
great with raw memory mappings. This commit mitigates this problem.

Signed-off-by: Ian Moffett <ian@osmora.org>
---
 src/sys/os/os_mac.c | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

(limited to 'src/sys/os')

diff --git a/src/sys/os/os_mac.c b/src/sys/os/os_mac.c
index 898b476..2443b23 100644
--- a/src/sys/os/os_mac.c
+++ b/src/sys/os/os_mac.c
@@ -39,17 +39,14 @@ static struct mac_border *bortab[__BORDER_MAX] = {
     [BORDER_FBDEV] = &g_fbdev_border
 };
 
-/*
- * Check process creds against border
- */
 int
-mac_check_creds(struct proc *procp, struct mac_border *mbp)
+mac_check_lvl(struct proc *procp, mac_level_t lvl)
 {
-    if (procp == NULL || mbp == NULL) {
+    if (procp == NULL) {
         return -EINVAL;
     }
 
-    if (procp->level < mbp->level) {
+    if (procp->level < lvl) {
         return -EACCES;
     }
 
@@ -75,7 +72,7 @@ mac_map(struct mac_border *mbp, off_t off, size_t len, void **res, int flags)
         return -EINVAL;
     }
 
-    error = mac_check_creds(procp, mbp);
+    error = mac_check_lvl(procp, mbp->level);
     if (error < 0) {
         return error;
     }
-- 
cgit v1.2.3