1564f8f0fSRobert Watson /*-
22087a58cSRobert Watson  * Copyright (c) 1999-2002, 2008-2009 Robert N. M. Watson
3564f8f0fSRobert Watson  * Copyright (c) 2001 Ilmar S. Habibulin
4564f8f0fSRobert Watson  * Copyright (c) 2001-2003 Networks Associates Technology, Inc.
5564f8f0fSRobert Watson  * Copyright (c) 2005 Samy Al Bahra
6564f8f0fSRobert Watson  * Copyright (c) 2006 SPARTA, Inc.
7564f8f0fSRobert Watson  * Copyright (c) 2008 Apple Inc.
8564f8f0fSRobert Watson  * All rights reserved.
9564f8f0fSRobert Watson  *
10564f8f0fSRobert Watson  * This software was developed by Robert Watson and Ilmar Habibulin for the
11564f8f0fSRobert Watson  * TrustedBSD Project.
12564f8f0fSRobert Watson  *
13564f8f0fSRobert Watson  * This software was developed for the FreeBSD Project in part by Network
14564f8f0fSRobert Watson  * Associates Laboratories, the Security Research Division of Network
15564f8f0fSRobert Watson  * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
16564f8f0fSRobert Watson  * as part of the DARPA CHATS research program.
17564f8f0fSRobert Watson  *
18564f8f0fSRobert Watson  * This software was enhanced by SPARTA ISSO under SPAWAR contract
19564f8f0fSRobert Watson  * N66001-04-C-6019 ("SEFOS").
20564f8f0fSRobert Watson  *
212087a58cSRobert Watson  * This software was developed at the University of Cambridge Computer
222087a58cSRobert Watson  * Laboratory with support from a grant from Google, Inc.
232087a58cSRobert Watson  *
24564f8f0fSRobert Watson  * Redistribution and use in source and binary forms, with or without
25564f8f0fSRobert Watson  * modification, are permitted provided that the following conditions
26564f8f0fSRobert Watson  * are met:
27564f8f0fSRobert Watson  * 1. Redistributions of source code must retain the above copyright
28564f8f0fSRobert Watson  *    notice, this list of conditions and the following disclaimer.
29564f8f0fSRobert Watson  * 2. Redistributions in binary form must reproduce the above copyright
30564f8f0fSRobert Watson  *    notice, this list of conditions and the following disclaimer in the
31564f8f0fSRobert Watson  *    documentation and/or other materials provided with the distribution.
32564f8f0fSRobert Watson  *
33564f8f0fSRobert Watson  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
34564f8f0fSRobert Watson  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
35564f8f0fSRobert Watson  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
36564f8f0fSRobert Watson  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
37564f8f0fSRobert Watson  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
38564f8f0fSRobert Watson  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
39564f8f0fSRobert Watson  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
40564f8f0fSRobert Watson  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
41564f8f0fSRobert Watson  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
42564f8f0fSRobert Watson  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
43564f8f0fSRobert Watson  * SUCH DAMAGE.
44564f8f0fSRobert Watson  */
45564f8f0fSRobert Watson 
46564f8f0fSRobert Watson #include <sys/cdefs.h>
47564f8f0fSRobert Watson #include "opt_mac.h"
48564f8f0fSRobert Watson 
49564f8f0fSRobert Watson #include <sys/param.h>
50564f8f0fSRobert Watson #include <sys/condvar.h>
51564f8f0fSRobert Watson #include <sys/imgact.h>
52564f8f0fSRobert Watson #include <sys/kernel.h>
53564f8f0fSRobert Watson #include <sys/lock.h>
54564f8f0fSRobert Watson #include <sys/malloc.h>
55564f8f0fSRobert Watson #include <sys/mutex.h>
56564f8f0fSRobert Watson #include <sys/mac.h>
57564f8f0fSRobert Watson #include <sys/proc.h>
58564f8f0fSRobert Watson #include <sys/sbuf.h>
592087a58cSRobert Watson #include <sys/sdt.h>
60564f8f0fSRobert Watson #include <sys/systm.h>
61564f8f0fSRobert Watson #include <sys/vnode.h>
62564f8f0fSRobert Watson #include <sys/mount.h>
63564f8f0fSRobert Watson #include <sys/file.h>
64564f8f0fSRobert Watson #include <sys/namei.h>
65564f8f0fSRobert Watson #include <sys/sysctl.h>
66564f8f0fSRobert Watson 
67564f8f0fSRobert Watson #include <vm/vm.h>
68564f8f0fSRobert Watson #include <vm/pmap.h>
69564f8f0fSRobert Watson #include <vm/vm_map.h>
70564f8f0fSRobert Watson #include <vm/vm_object.h>
71564f8f0fSRobert Watson 
72564f8f0fSRobert Watson #include <security/mac/mac_framework.h>
73564f8f0fSRobert Watson #include <security/mac/mac_internal.h>
74564f8f0fSRobert Watson #include <security/mac/mac_policy.h>
75564f8f0fSRobert Watson 
/*
 * Allocate a credential label and let each loaded policy initialize its
 * slot in it.
 *
 * Storage comes from the shared MAC label zone with M_WAITOK, so this can
 * sleep and must only be called from a sleepable context; the sleepable
 * MAC_POLICY_PERFORM variant is used here for the same reason.
 *
 * Returns the new label.  Ownership passes to the caller, which releases it
 * with mac_cred_label_free().
 */
struct label *
mac_cred_label_alloc(void)
{
	struct label *lp;

	lp = mac_labelzone_alloc(M_WAITOK);
	MAC_POLICY_PERFORM(cred_init_label, lp);
	return (lp);
}
85564f8f0fSRobert Watson 
/*
 * Attach a MAC label to a freshly allocated credential.
 *
 * A label is only allocated when some loaded policy has declared interest
 * in credential objects (MPC_OBJECT_CRED set in mac_labeled).  Otherwise
 * cr_label is left NULL and every consumer of cr_label must tolerate that
 * (mac_cred_destroy() does).  NOTE(review): a credential created before a
 * labeling policy registers carries a NULL label; confirm how the framework
 * orders late policy registration against credential creation.
 *
 * May sleep (see mac_cred_label_alloc()).
 */
void
mac_cred_init(struct ucred *cred)
{

	if ((mac_labeled & MPC_OBJECT_CRED) == 0) {
		cred->cr_label = NULL;
		return;
	}
	cred->cr_label = mac_cred_label_alloc();
}
95564f8f0fSRobert Watson 
/*
 * Tear down a credential label allocated by mac_cred_label_alloc(): give
 * each loaded policy a chance to release its per-label state, then return
 * the storage to the label zone.
 *
 * The non-sleeping policy dispatch is used, presumably so that credential
 * teardown can run from contexts that may not sleep -- confirm against the
 * callers.  The caller must not touch label afterwards.
 */
void
mac_cred_label_free(struct label *label)
{

	MAC_POLICY_PERFORM_NOSLEEP(cred_destroy_label, label);
	mac_labelzone_free(label);
}
103564f8f0fSRobert Watson 
/*
 * Release the MAC label of a credential that is being destroyed.
 *
 * Tolerates an unlabeled credential (cr_label == NULL, the case when no
 * loaded policy labels credentials) and clears cr_label after freeing it, so
 * a second call on the same credential is harmless and a stale pointer
 * cannot be dereferenced later.
 */
void
mac_cred_destroy(struct ucred *cred)
{
	struct label *lp;

	lp = cred->cr_label;
	if (lp == NULL)
		return;
	mac_cred_label_free(lp);
	cred->cr_label = NULL;
}
113564f8f0fSRobert Watson 
/*
 * When a thread becomes an NFS server daemon, its credential may need to be
 * updated to reflect this so that policies can recognize when file system
 * operations originate from the network.
 *
 * At some point, it would be desirable if the credential used for each NFS
 * RPC could be set based on the RPC context (i.e., source system, etc) to
 * provide more fine-grained access control.
 */
/*
 * Hand cred to each loaded policy's cred_associate_nfsd entry point so the
 * policy can mark it as an NFS server credential.  Policies operate on cred
 * in place; nothing is checked or returned here, and the non-sleeping
 * dispatch is used.
 */
void
mac_cred_associate_nfsd(struct ucred *cred)
{

	MAC_POLICY_PERFORM_NOSLEEP(cred_associate_nfsd, cred);
}
129564f8f0fSRobert Watson 
/*
 * Initialize MAC label for the first kernel process, from which other kernel
 * processes and threads are spawned.
 *
 * Each loaded policy's cred_create_swapper entry point is invoked on cred
 * (non-sleeping dispatch); the label carried by cred is modified in place.
 * Since every later kernel credential derives from this one, whatever the
 * policies set here is the root of the kernel-side label lineage.
 */
void
mac_cred_create_swapper(struct ucred *cred)
{

	MAC_POLICY_PERFORM_NOSLEEP(cred_create_swapper, cred);
}
140564f8f0fSRobert Watson 
/*
 * Initialize MAC label for the first userland process, from which other
 * userland processes and threads are spawned.
 *
 * Each loaded policy's cred_create_init entry point is invoked on cred
 * (non-sleeping dispatch); the label carried by cred is modified in place.
 * This is the root of the userland label lineage, so a policy's choice here
 * is inherited (via mac_cred_copy()) by everything init later forks.
 */
void
mac_cred_create_init(struct ucred *cred)
{

	MAC_POLICY_PERFORM_NOSLEEP(cred_create_init, cred);
}
151564f8f0fSRobert Watson 
/*
 * Render a credential label as text.
 *
 * label      - the credential label to externalize.
 * elements   - selects which policies' label components are wanted;
 *              the exact syntax is interpreted by MAC_POLICY_EXTERNALIZE,
 *              not here.
 * outbuf     - destination for the text, bounded by outbuflen; bounds
 *              enforcement is delegated to the per-policy externalizers.
 *
 * Returns 0 on success or an errno value.  `error` is deliberately left
 * uninitialized: MAC_POLICY_EXTERNALIZE assigns it as part of its
 * expansion.
 */
int
mac_cred_externalize_label(struct label *label, char *elements,
    char *outbuf, size_t outbuflen)
{
	int error;

	MAC_POLICY_EXTERNALIZE(cred, label, elements, outbuf, outbuflen);

	return (error);
}
162564f8f0fSRobert Watson 
/*
 * Parse a textual label into label.
 *
 * string is presumably user-supplied (label text arriving through the MAC
 * syscalls), so this is a parsing boundary for untrusted input; the actual
 * parsing and any validation is delegated to each policy's internalizer
 * via MAC_POLICY_INTERNALIZE, which also assigns `error` (hence the
 * uninitialized local).  Returns 0 on success or an errno value.
 */
int
mac_cred_internalize_label(struct label *label, char *string)
{
	int error;

	MAC_POLICY_INTERNALIZE(cred, label, string);

	return (error);
}
172564f8f0fSRobert Watson 
/*
 * When a new process is created, its label must be initialized.  Generally,
 * this involves inheritance from the parent process, modulo possible deltas.
 * This function allows that processing to take place.
 *
 * Each loaded policy's cred_copy_label entry point is called with the
 * parent's and the child's label (non-sleeping dispatch).  Nothing is
 * allocated here: dest->cr_label must already exist, i.e. dest has been
 * through mac_cred_init().  When no policy labels credentials both pointers
 * are NULL; a policy that implements cred_copy_label is presumably one that
 * set MPC_OBJECT_CRED, so it should never see that case -- confirm.
 */
void
mac_cred_copy(struct ucred *src, struct ucred *dest)
{
	struct label *from, *to;

	from = src->cr_label;
	to = dest->cr_label;
	MAC_POLICY_PERFORM_NOSLEEP(cred_copy_label, from, to);
}
185564f8f0fSRobert Watson 
/*
 * When the subject's label changes, it may require revocation of privilege
 * to mapped objects.  This can't be done on-the-fly later with a unified
 * buffer cache.
 *
 * This is the unconditional "apply" step: each loaded policy's cred_relabel
 * entry point updates cred's label from newlabel (non-sleeping dispatch).
 * No authorization happens here; callers are expected to have obtained a
 * zero result from mac_cred_check_relabel() first.
 */
void
mac_cred_relabel(struct ucred *cred, struct label *newlabel)
{

	MAC_POLICY_PERFORM_NOSLEEP(cred_relabel, cred, newlabel);
}
197564f8f0fSRobert Watson 
MAC_CHECK_PROBE_DEFINE2(cred_check_relabel, "struct ucred *",
    "struct label *");

/*
 * Ask the loaded policies whether cred may be relabeled to newlabel.
 *
 * Returns 0 to permit, or a non-zero errno value if any policy objects; how
 * several objections are combined is decided inside MAC_POLICY_CHECK_NOSLEEP,
 * which also assigns `error`.  The result is then handed to the SDT probe
 * defined above so denials can be traced.  A zero result is expected to be
 * followed by mac_cred_relabel(), which applies the change.
 */
int
mac_cred_check_relabel(struct ucred *cred, struct label *newlabel)
{
	int error;

	MAC_POLICY_CHECK_NOSLEEP(cred_check_relabel, cred, newlabel);
	MAC_CHECK_PROBE2(cred_check_relabel, error, cred, newlabel);

	return (error);
}
211564f8f0fSRobert Watson 
MAC_CHECK_PROBE_DEFINE2(cred_check_setuid, "struct ucred *", "uid_t");

/*
 * Ask the loaded policies whether the subject cred may change its user id
 * to uid (setuid(2)).
 *
 * Returns 0 to permit, or a non-zero errno value if any policy objects
 * (combined by MAC_POLICY_CHECK_NOSLEEP, which assigns `error`); the
 * decision is reported through the SDT probe defined above.
 *
 * NOTE(review): this is the MAC contribution only.  A zero result here does
 * not by itself authorize the change; the caller is presumed to run the
 * usual privilege checks alongside it -- confirm against the set*id
 * implementation.
 */
int
mac_cred_check_setuid(struct ucred *cred, uid_t uid)
{
	int error;

	MAC_POLICY_CHECK_NOSLEEP(cred_check_setuid, cred, uid);
	MAC_CHECK_PROBE2(cred_check_setuid, error, cred, uid);

	return (error);
}
2246f6174a7SRobert Watson 
MAC_CHECK_PROBE_DEFINE2(cred_check_seteuid, "struct ucred *", "uid_t");

/*
 * Ask the loaded policies whether cred may change its effective user id to
 * euid (seteuid(2)).  Returns 0 to permit or a non-zero errno value to deny;
 * `error` is assigned by MAC_POLICY_CHECK_NOSLEEP and the decision is fed to
 * the SDT probe defined above.  Consulted alongside, not instead of, the
 * caller's own privilege checks.
 */
int
mac_cred_check_seteuid(struct ucred *cred, uid_t euid)
{
	int error;

	MAC_POLICY_CHECK_NOSLEEP(cred_check_seteuid, cred, euid);
	MAC_CHECK_PROBE2(cred_check_seteuid, error, cred, euid);

	return (error);
}
2376f6174a7SRobert Watson 
MAC_CHECK_PROBE_DEFINE2(cred_check_setgid, "struct ucred *", "gid_t");

/*
 * Ask the loaded policies whether cred may change its group id to gid
 * (setgid(2)).  Returns 0 to permit or a non-zero errno value to deny;
 * `error` is assigned by MAC_POLICY_CHECK_NOSLEEP and the decision is fed to
 * the SDT probe defined above.  Consulted alongside, not instead of, the
 * caller's own privilege checks.
 */
int
mac_cred_check_setgid(struct ucred *cred, gid_t gid)
{
	int error;

	MAC_POLICY_CHECK_NOSLEEP(cred_check_setgid, cred, gid);
	MAC_CHECK_PROBE2(cred_check_setgid, error, cred, gid);

	return (error);
}
2506f6174a7SRobert Watson 
MAC_CHECK_PROBE_DEFINE2(cred_check_setegid, "struct ucred *", "gid_t");

/*
 * Ask the loaded policies whether cred may change its effective group id
 * to egid (setegid(2)).  Returns 0 to permit or a non-zero errno value to
 * deny; `error` is assigned by MAC_POLICY_CHECK_NOSLEEP and the decision is
 * fed to the SDT probe defined above.  Consulted alongside, not instead of,
 * the caller's own privilege checks.
 */
int
mac_cred_check_setegid(struct ucred *cred, gid_t egid)
{
	int error;

	MAC_POLICY_CHECK_NOSLEEP(cred_check_setegid, cred, egid);
	MAC_CHECK_PROBE2(cred_check_setegid, error, cred, egid);

	return (error);
}
2636f6174a7SRobert Watson 
MAC_CHECK_PROBE_DEFINE3(cred_check_setgroups, "struct ucred *", "int",
    "gid_t *");

/*
 * Ask the loaded policies whether cred may replace its supplementary group
 * list with the ngroups entries at gidset (setgroups(2)).
 *
 * Returns 0 to permit or a non-zero errno value to deny; `error` is assigned
 * by MAC_POLICY_CHECK_NOSLEEP and the decision is fed to the SDT probe
 * defined above.
 *
 * NOTE(review): gidset is passed straight through to the policies, which
 * must bound their reads by ngroups.  Whether the array has already been
 * copied into kernel memory is not visible here -- confirm that callers
 * never hand this a user-space pointer.
 */
int
mac_cred_check_setgroups(struct ucred *cred, int ngroups, gid_t *gidset)
{
	int error;

	MAC_POLICY_CHECK_NOSLEEP(cred_check_setgroups, cred, ngroups, gidset);
	MAC_CHECK_PROBE3(cred_check_setgroups, error, cred, ngroups, gidset);

	return (error);
}
2776f6174a7SRobert Watson 
MAC_CHECK_PROBE_DEFINE3(cred_check_setreuid, "struct ucred *", "uid_t",
    "uid_t");

/*
 * Ask the loaded policies whether cred may set its real and effective user
 * ids to ruid/euid (setreuid(2)).  Returns 0 to permit or a non-zero errno
 * value to deny; `error` is assigned by MAC_POLICY_CHECK_NOSLEEP and the
 * decision is fed to the SDT probe defined above.  Any "leave unchanged"
 * sentinel in ruid/euid is passed through to the policies untouched.
 */
int
mac_cred_check_setreuid(struct ucred *cred, uid_t ruid, uid_t euid)
{
	int error;

	MAC_POLICY_CHECK_NOSLEEP(cred_check_setreuid, cred, ruid, euid);
	MAC_CHECK_PROBE3(cred_check_setreuid, error, cred, ruid, euid);

	return (error);
}
2916f6174a7SRobert Watson 
MAC_CHECK_PROBE_DEFINE3(cred_check_setregid, "struct ucred *", "gid_t",
    "gid_t");

/*
 * Ask the loaded policies whether cred may set its real and effective group
 * ids to rgid/egid (setregid(2)).  Returns 0 to permit or a non-zero errno
 * value to deny; `error` is assigned by MAC_POLICY_CHECK_NOSLEEP and the
 * decision is fed to the SDT probe defined above.  Any "leave unchanged"
 * sentinel in rgid/egid is passed through to the policies untouched.
 */
int
mac_cred_check_setregid(struct ucred *cred, gid_t rgid, gid_t egid)
{
	int error;

	MAC_POLICY_CHECK_NOSLEEP(cred_check_setregid, cred, rgid, egid);
	MAC_CHECK_PROBE3(cred_check_setregid, error, cred, rgid, egid);

	return (error);
}
3056f6174a7SRobert Watson 
MAC_CHECK_PROBE_DEFINE4(cred_check_setresuid, "struct ucred *", "uid_t",
    "uid_t", "uid_t");

/*
 * Ask the loaded policies whether cred may set its real, effective and
 * saved user ids to ruid/euid/suid (setresuid(2)).  Returns 0 to permit or
 * a non-zero errno value to deny; `error` is assigned by
 * MAC_POLICY_CHECK_NOSLEEP and the decision is fed to the SDT probe defined
 * above.  Any "leave unchanged" sentinel in the ids is passed through to
 * the policies untouched.
 */
int
mac_cred_check_setresuid(struct ucred *cred, uid_t ruid, uid_t euid,
    uid_t suid)
{
	int error;

	MAC_POLICY_CHECK_NOSLEEP(cred_check_setresuid, cred, ruid, euid, suid);
	MAC_CHECK_PROBE4(cred_check_setresuid, error, cred, ruid, euid,
	    suid);

	return (error);
}
3216f6174a7SRobert Watson 
MAC_CHECK_PROBE_DEFINE4(cred_check_setresgid, "struct ucred *", "gid_t",
    "gid_t", "gid_t");

/*
 * Ask the loaded policies whether cred may set its real, effective and
 * saved group ids to rgid/egid/sgid (setresgid(2)).  Returns 0 to permit or
 * a non-zero errno value to deny; `error` is assigned by
 * MAC_POLICY_CHECK_NOSLEEP and the decision is fed to the SDT probe defined
 * above.  Any "leave unchanged" sentinel in the ids is passed through to
 * the policies untouched.
 */
int
mac_cred_check_setresgid(struct ucred *cred, gid_t rgid, gid_t egid,
    gid_t sgid)
{
	int error;

	MAC_POLICY_CHECK_NOSLEEP(cred_check_setresgid, cred, rgid, egid, sgid);
	MAC_CHECK_PROBE4(cred_check_setresgid, error, cred, rgid, egid,
	    sgid);

	return (error);
}
3376f6174a7SRobert Watson 
MAC_CHECK_PROBE_DEFINE2(cred_check_visible, "struct ucred *",
    "struct ucred *");

/*
 * Ask the loaded policies whether one credential may "see" another.
 *
 * By the framework's usual subject/object ordering cr1 is presumably the
 * credential doing the looking and cr2 the credential being looked at --
 * confirm against the callers (process visibility checks).  Returns 0 to
 * permit or a non-zero errno value to deny; `error` is assigned by
 * MAC_POLICY_CHECK_NOSLEEP and the decision is fed to the SDT probe defined
 * above.  Note that a denial here hides information rather than blocking a
 * state change, so it is a confidentiality control.
 */
int
mac_cred_check_visible(struct ucred *cr1, struct ucred *cr2)
{
	int error;

	MAC_POLICY_CHECK_NOSLEEP(cred_check_visible, cr1, cr2);
	MAC_CHECK_PROBE2(cred_check_visible, error, cr1, cr2);

	return (error);
}