X-Git-Url: https://git.saurik.com/apple/xnu.git/blobdiff_plain/7e41aa883dd258f888d0470250eead40a53ef1f5..cc8bc92ae4a8e9f1a1ab61bf83d34ad8150b3405:/security/mac_process.c diff --git a/security/mac_process.c b/security/mac_process.c index 8071c3e65..f3ea32890 100644 --- a/security/mac_process.c +++ b/security/mac_process.c @@ -291,25 +291,16 @@ mac_cred_check_visible(kauth_cred_t u1, kauth_cred_t u2) int error; #if SECURITY_MAC_CHECK_ENFORCE - /* 21167099 - only check if we allow write */ - if (!mac_proc_enforce) - return 0; + /* 21167099 - only check if we allow write */ + if (!mac_proc_enforce) + return 0; #endif MAC_CHECK(cred_check_visible, u1, u2); - return (error); } -/* - * called with process locked. - */ -void mac_proc_set_enforce(proc_t p, int enforce_flags) -{ - p->p_mac_enforce |= enforce_flags; -} - int mac_proc_check_debug(proc_t curp, struct proc *proc) { @@ -317,13 +308,12 @@ mac_proc_check_debug(proc_t curp, struct proc *proc) int error; #if SECURITY_MAC_CHECK_ENFORCE - /* 21167099 - only check if we allow write */ - if (!mac_proc_enforce) - return 0; + /* 21167099 - only check if we allow write */ + if (!mac_proc_enforce) + return 0; #endif - - if (!mac_proc_check_enforce(curp, MAC_PROC_ENFORCE)) - return 0; + if (!mac_proc_check_enforce(curp)) + return 0; cred = kauth_cred_proc_ref(curp); MAC_CHECK(proc_check_debug, cred, proc); @@ -339,13 +329,12 @@ mac_proc_check_fork(proc_t curp) int error; #if SECURITY_MAC_CHECK_ENFORCE - /* 21167099 - only check if we allow write */ - if (!mac_proc_enforce) - return 0; + /* 21167099 - only check if we allow write */ + if (!mac_proc_enforce) + return 0; #endif - - if (!mac_proc_check_enforce(curp, MAC_PROC_ENFORCE)) - return 0; + if (!mac_proc_check_enforce(curp)) + return 0; cred = kauth_cred_proc_ref(curp); MAC_CHECK(proc_check_fork, cred, curp); 
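Review bot: In mac_proc_check_debug the guard `if (!mac_proc_check_enforce(curp)) return 0;` returns success before MAC_CHECK runs, so the operation is allowed without any policy being consulted, and with the `MAC_PROC_ENFORCE` argument dropped nothing at the call site says when that happens. The one-argument mac_proc_check_enforce is defined outside this diff, so what it tests cannot be confirmed from here. A comment above the guard such as `/* curp is not subject to MAC enforcement: allow without calling policy hooks */`, worded to match the real definition, would make the fail-open path explicit. The same applies to the guards in the fork, sched, signal, wait, suspend_resume, ledger, proc_info, get_cs_info and set_cs_info hunks, whose function bodies all continue past the hunk. Since mac_proc_set_enforce is deleted in the preceding hunk, it is also worth confirming that no caller outside this file still expects to set per-process enforce flags.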
@@ -407,11 +396,11 @@ mac_proc_check_map_anon(proc_t proc, user_addr_t u_addr, int error; #if SECURITY_MAC_CHECK_ENFORCE - /* 21167099 - only check if we allow write */ - if (!mac_vm_enforce) - return 0; + /* 21167099 - only check if we allow write */ + if (!mac_vm_enforce) + return 0; #endif - if (!mac_proc_check_enforce(proc, MAC_VM_ENFORCE)) + if (!mac_proc_check_enforce(proc)) return (0); cred = kauth_cred_proc_ref(proc); @@ -429,12 +418,12 @@ mac_proc_check_mprotect(proc_t proc, int error; #if SECURITY_MAC_CHECK_ENFORCE - /* 21167099 - only check if we allow write */ - if (!mac_vm_enforce) - return 0; + /* 21167099 - only check if we allow write */ + if (!mac_vm_enforce) + return 0; #endif - if (!mac_proc_check_enforce(proc, MAC_VM_ENFORCE)) - return (0); + if (!mac_proc_check_enforce(proc)) + return (0); cred = kauth_cred_proc_ref(proc); MAC_CHECK(proc_check_mprotect, cred, proc, addr, size, prot); @@ -466,13 +455,12 @@ mac_proc_check_sched(proc_t curp, struct proc *proc) int error; #if SECURITY_MAC_CHECK_ENFORCE - /* 21167099 - only check if we allow write */ - if (!mac_proc_enforce) - return 0; + /* 21167099 - only check if we allow write */ + if (!mac_proc_enforce) + return 0; #endif - - if (!mac_proc_check_enforce(curp, MAC_PROC_ENFORCE)) - return 0; + if (!mac_proc_check_enforce(curp)) + return 0; cred = kauth_cred_proc_ref(curp); MAC_CHECK(proc_check_sched, cred, proc); @@ -488,13 +476,12 @@ mac_proc_check_signal(proc_t curp, struct proc *proc, int signum) int error; #if SECURITY_MAC_CHECK_ENFORCE - /* 21167099 - only check if we allow write */ - if (!mac_proc_enforce) - return 0; + /* 21167099 - only check if we allow write */ + if (!mac_proc_enforce) + return 0; #endif - - if (!mac_proc_check_enforce(curp, MAC_PROC_ENFORCE)) - return 0; + if (!mac_proc_check_enforce(curp)) + return 0; cred = kauth_cred_proc_ref(curp); MAC_CHECK(proc_check_signal, cred, proc, signum); 
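Review bot: mac_proc_check_map_anon now gates on two different classes: the global switch is still `mac_vm_enforce`, but the per-process test lost its `MAC_VM_ENFORCE` argument and is the same `mac_proc_check_enforce(proc)` call the process hooks use. If that is intended, say so next to the call, for example `/* per-process gate is no longer VM-specific; only the global mac_vm_enforce switch distinguishes VM hooks */`. mac_proc_check_mprotect in the next hunk has the same pairing. Both hooks also keep `return (0);` where the other guards in this patch use `return 0;`, which is worth normalising while these lines are being touched.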
@@ -510,12 +497,12 @@ mac_proc_check_wait(proc_t curp, struct proc *proc) int error; #if SECURITY_MAC_CHECK_ENFORCE - /* 21167099 - only check if we allow write */ - if (!mac_proc_enforce) - return 0; + /* 21167099 - only check if we allow write */ + if (!mac_proc_enforce) + return 0; #endif - if (!mac_proc_check_enforce(curp, MAC_PROC_ENFORCE)) - return 0; + if (!mac_proc_check_enforce(curp)) + return 0; cred = kauth_cred_proc_ref(curp); MAC_CHECK(proc_check_wait, cred, proc); @@ -524,6 +511,12 @@ mac_proc_check_wait(proc_t curp, struct proc *proc) return (error); } +void +mac_proc_notify_exit(struct proc *proc) +{ + MAC_PERFORM(proc_notify_exit, proc); +} + int mac_proc_check_suspend_resume(proc_t curp, int sr) { @@ -531,12 +524,12 @@ mac_proc_check_suspend_resume(proc_t curp, int sr) int error; #if SECURITY_MAC_CHECK_ENFORCE - /* 21167099 - only check if we allow write */ - if (!mac_proc_enforce) - return 0; + /* 21167099 - only check if we allow write */ + if (!mac_proc_enforce) + return 0; #endif - if (!mac_proc_check_enforce(curp, MAC_PROC_ENFORCE)) - return 0; + if (!mac_proc_check_enforce(curp)) + return 0; cred = kauth_cred_proc_ref(curp); MAC_CHECK(proc_check_suspend_resume, cred, curp, sr); @@ -552,12 +545,12 @@ mac_proc_check_ledger(proc_t curp, proc_t proc, int ledger_op) int error = 0; #if SECURITY_MAC_CHECK_ENFORCE - /* 21167099 - only check if we allow write */ - if (!mac_proc_enforce) - return 0; + /* 21167099 - only check if we allow write */ + if (!mac_proc_enforce) + return 0; #endif - if (!mac_proc_check_enforce(curp, MAC_PROC_ENFORCE)) - return 0; + if (!mac_proc_check_enforce(curp)) + return 0; cred = kauth_cred_proc_ref(curp); MAC_CHECK(proc_check_ledger, cred, proc, ledger_op); 
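Review bot: mac_proc_notify_exit has no comment and, unlike every neighbouring hook, no `mac_proc_enforce` or `mac_proc_check_enforce()` guard, so as written the notification is dispatched whatever the enforcement state. That is probably intended for a notify hook with no return value, but it should be stated, together with the calling context, which this hunk does not show. A header such as `/* Notify policies that proc is exiting; not gated on enforcement and cannot fail. Caller context: <locking / reference requirements> */` above the function would cover it.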
@@ -566,27 +559,6 @@ mac_proc_check_ledger(proc_t curp, proc_t proc, int ledger_op) return (error); } -int -mac_proc_check_cpumon(proc_t curp) -{ - kauth_cred_t cred; - int error = 0; - -#if SECURITY_MAC_CHECK_ENFORCE - /* 21167099 - only check if we allow write */ - if (!mac_proc_enforce) - return 0; -#endif - if (!mac_proc_check_enforce(curp, MAC_PROC_ENFORCE)) - return 0; - - cred = kauth_cred_proc_ref(curp); - MAC_CHECK(proc_check_cpumon, cred); - kauth_cred_unref(&cred); - - return (error); -} - int mac_proc_check_proc_info(proc_t curp, proc_t target, int callnum, int flavor) { @@ -594,12 +566,12 @@ mac_proc_check_proc_info(proc_t curp, proc_t target, int callnum, int flavor) int error = 0; #if SECURITY_MAC_CHECK_ENFORCE - /* 21167099 - only check if we allow write */ - if (!mac_proc_enforce) - return 0; + /* 21167099 - only check if we allow write */ + if (!mac_proc_enforce) + return 0; #endif - if (!mac_proc_check_enforce(curp, MAC_PROC_ENFORCE)) - return 0; + if (!mac_proc_check_enforce(curp)) + return 0; cred = kauth_cred_proc_ref(curp); MAC_CHECK(proc_check_proc_info, cred, target, callnum, flavor); @@ -608,7 +580,6 @@ mac_proc_check_proc_info(proc_t curp, proc_t target, int callnum, int flavor) return (error); } - int mac_proc_check_get_cs_info(proc_t curp, proc_t target, unsigned int op) { @@ -620,7 +591,7 @@ mac_proc_check_get_cs_info(proc_t curp, proc_t target, unsigned int op) if (!mac_proc_enforce) return 0; #endif - if (!mac_proc_check_enforce(curp, MAC_PROC_ENFORCE)) + if (!mac_proc_check_enforce(curp)) return 0; cred = kauth_cred_proc_ref(curp); @@ -641,7 +612,7 @@ mac_proc_check_set_cs_info(proc_t curp, proc_t target, unsigned int op) if (!mac_proc_enforce) return 0; #endif - if (!mac_proc_check_enforce(curp, MAC_PROC_ENFORCE)) + if (!mac_proc_check_enforce(curp)) return 0; cred = kauth_cred_proc_ref(curp);