* vp The exec vnode
* scriptl The script MAC label
* execl The executable MAC label
+ * disjointp Pointer to flag to set if old
+ * and returned credentials are
+ * disjoint
*
* Returns: (kauth_cred_t) The updated credential
*
+ * Implicit returns:
+ * *disjointp Set to 1 for disjoint creds
+ *
* IMPORTANT: This function is implemented via kauth_cred_update(), which,
* if it returns a credential other than the one it is passed,
* will have dropped the reference on the passed credential. All
static
kauth_cred_t
kauth_cred_label_update_execve(kauth_cred_t cred, vfs_context_t ctx,
- struct vnode *vp, struct label *scriptl, struct label *execl)
+ struct vnode *vp, struct label *scriptl, struct label *execl,
+ int *disjointp)
{
kauth_cred_t newcred;
struct ucred temp_cred;
mac_cred_label_init(&temp_cred);
mac_cred_label_associate(cred, &temp_cred);
- mac_cred_label_update_execve(ctx, &temp_cred,
- vp, scriptl, execl);
+ *disjointp = mac_cred_label_update_execve(ctx, &temp_cred,
+ vp, scriptl, execl);
newcred = kauth_cred_update(cred, &temp_cred, TRUE);
mac_cred_label_destroy(&temp_cred);
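Review bot: The assignment `*disjointp = mac_cred_label_update_execve(...)` stores the MAC layer's raw return value, while the new header comment promises the flag is "Set to 1 for disjoint creds" and the public wrapper documents a strict 0/1 result; nothing in the hunk shows that mac_cred_label_update_execve is limited to returning 0 or 1. If the policy callback may return any nonzero value, normalize it at the one place it is captured, `*disjointp = (mac_cred_label_update_execve(ctx, &temp_cred, vp, scriptl, execl) != 0);`, so the documented contract holds regardless of the policy module. The flag is also written unconditionally, before kauth_cred_update() decides whether a new credential is produced, so a caller cannot assume a set flag implies a changed credential; worth a one-line comment such as `/* disjoint is reported even if the credential pointer is unchanged */`. The function's return statement lies outside this hunk.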
* scriptl The script MAC label
* execl The executable MAC label
*
+ * Returns: 0 Label update did not make credential
+ * disjoint
+ * 1 Label update caused credential to be
+ * disjoint
+ *
* Notes: The credential associated with the process WILL change as a
* result of this call. The caller should not assume the process
* reference to the old credential still exists.
*/
-int kauth_proc_label_update_execve(struct proc *p, vfs_context_t ctx,
+int
+kauth_proc_label_update_execve(struct proc *p, vfs_context_t ctx,
struct vnode *vp, struct label *scriptl, struct label *execl)
{
kauth_cred_t my_cred, my_new_cred;
+ int disjoint = 0;
my_cred = kauth_cred_proc_ref(p);
* passed in. The subsequent compare is safe, because it is
* a pointer compare rather than a contents compare.
*/
- my_new_cred = kauth_cred_label_update_execve(my_cred, ctx, vp, scriptl, execl);
+ my_new_cred = kauth_cred_label_update_execve(my_cred, ctx, vp, scriptl, execl, &disjoint);
if (my_cred != my_new_cred) {
DEBUG_CRED_CHANGE("kauth_proc_label_update_execve_unlocked CH(%d): %p/0x%08x -> %p/0x%08x\n", p->p_pid, my_cred, my_cred->cr_flags, my_new_cred, my_new_cred->cr_flags);
/* Drop old proc reference or our extra reference */
kauth_cred_unref(&my_cred);
- return (0);
+ return (disjoint);
}
#if 1
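Review bot: `return (disjoint);` changes the meaning of this int-returning kauth_* entry point from "always 0" to a 0/1 status, which existing callers that follow the usual kauth convention of treating any nonzero return as an error would now misread as a failure on the disjoint path; none of those callers are visible here, so this needs confirming at each call site of kauth_proc_label_update_execve. If the callers are not updated in the same change, a comment at the return such as `/* nonzero here means disjoint credentials, not an error */` would at least make the contract explicit at the point of return. The enclosing function starts outside this hunk.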