kern: mac: add various jail MAC hooks - src

diff options


context:
space:
mode:

author	Kyle Evans <kevans@FreeBSD.org>	2025-10-21 03:42:50 +0000
committer	Kyle Evans <kevans@FreeBSD.org>	2026-01-16 00:23:39 +0000
commit	8254b0dec02b376dae259cd2043513842d827bd8 (patch)
tree	c23e53bc860373b97fabfd432339c5a006d0cc71 /sys/security/mac/mac_prison.c
parent	92b7366e438d8422a9e453aed02ca365da25bf62 (diff)

Diffstat (limited to 'sys/security/mac/mac_prison.c')

-rw-r--r--

sys/security/mac/mac_prison.c

1 files changed, 87 insertions, 0 deletions

diff --git a/sys/security/mac/mac_prison.c b/sys/security/mac/mac_prison.c
index e24ffa9e698d..3f787c6b3647 100644
--- a/sys/security/mac/mac_prison.c
+++ b/sys/security/mac/mac_prison.c

@@ -142,3 +142,90 @@ mac_prison_check_relabel(struct ucred *cred, struct prison *pr,

return (error);

}

+MAC_CHECK_PROBE_DEFINE3(prison_check_attach, "struct ucred *",

+ "struct prison *", "struct label *");

+int

+mac_prison_check_attach(struct ucred *cred, struct prison *pr)

+ int error;

+ MAC_POLICY_CHECK_NOSLEEP(prison_check_attach, cred, pr, pr->pr_label);

+ MAC_CHECK_PROBE3(prison_check_attach, error, cred, pr, pr->pr_label);

+ return (error);

+MAC_CHECK_PROBE_DEFINE3(prison_check_create, "struct ucred *",

+ "struct vfsoptlist *", "int");

+int

+mac_prison_check_create(struct ucred *cred, struct vfsoptlist *opts,

+ int flags)

+ int error;

+ MAC_POLICY_CHECK_NOSLEEP(prison_check_create, cred, opts, flags);

+ MAC_CHECK_PROBE3(prison_check_create, error, cred, opts, flags);

+ return (error);

+MAC_CHECK_PROBE_DEFINE5(prison_check_get, "struct ucred *",

+ "struct prison *", "struct label *", "struct vfsoptlist *", "int");

+int

+mac_prison_check_get(struct ucred *cred, struct prison *pr,

+ struct vfsoptlist *opts, int flags)

+ int error;

+ MAC_POLICY_CHECK_NOSLEEP(prison_check_get, cred, pr, pr->pr_label,

+ opts, flags);

+ MAC_CHECK_PROBE5(prison_check_get, error, cred, pr, pr->pr_label, opts,

+ flags);

+ return (error);

+MAC_CHECK_PROBE_DEFINE5(prison_check_set, "struct ucred *",

+ "struct prison *", "struct label *", "struct vfsoptlist *", "int");

+int

+mac_prison_check_set(struct ucred *cred, struct prison *pr,

+ struct vfsoptlist *opts, int flags)

+ int error;

+ MAC_POLICY_CHECK_NOSLEEP(prison_check_set, cred, pr, pr->pr_label,

+ opts, flags);

+ MAC_CHECK_PROBE5(prison_check_set, error, cred, pr, pr->pr_label, opts,

+ flags);

+ return (error);

+MAC_CHECK_PROBE_DEFINE3(prison_check_remove, "struct ucred *",

+ "struct prison *", "struct label *");

+int

+mac_prison_check_remove(struct ucred *cred, struct prison *pr)

+ int error;

+ MAC_POLICY_CHECK_NOSLEEP(prison_check_remove, cred, pr, pr->pr_label);

+ MAC_CHECK_PROBE3(prison_check_remove, error, cred, pr, pr->pr_label);

+ return (error);

+void

+mac_prison_created(struct ucred *cred, struct prison *pr)

+ MAC_POLICY_PERFORM(prison_created, cred, pr, pr->pr_label);

+void

+mac_prison_attached(struct ucred *cred, struct prison *pr, struct proc *p)

+ MAC_POLICY_PERFORM(prison_attached, cred, pr, pr->pr_label, p,

+ p->p_label);