PERFORCE change 51970 for review
Chris Vance
cvance at FreeBSD.org
Fri Apr 30 06:42:29 PDT 2004
http://perforce.freebsd.org/chv.cgi?CH=51970
Change 51970 by cvance at cvance_osx_laptop on 2004/04/30 06:42:11
Link in a nearly empty mac_mls policy. The module builds, the kernel
boots, and the module is initialized. However, the module doesn't
yet implement any entry points (other than init and destroy)
Affected files ...
.. //depot/projects/trustedbsd/sedarwin73/apsl/xnu/security/Makefile#3 edit
.. //depot/projects/trustedbsd/sedarwin73/apsl/xnu/security/conf/files#3 edit
.. //depot/projects/trustedbsd/sedarwin73/apsl/xnu/security/mac_base.c#2 edit
.. //depot/projects/trustedbsd/sedarwin73/apsl/xnu/security/mac_mls/Makefile#1 add
.. //depot/projects/trustedbsd/sedarwin73/apsl/xnu/security/mac_mls/mac_mls.c#2 edit
.. //depot/projects/trustedbsd/sedarwin73/apsl/xnu/security/mac_mls/mac_mls.h#2 edit
Differences ...
==== //depot/projects/trustedbsd/sedarwin73/apsl/xnu/security/Makefile#3 (text+ko) ====
@@ -8,12 +8,16 @@
include $(MakeInc_def)
INSTINC_SUBDIRS = \
+ mac_mls \
+ mac_test \
sebsd
INSTINC_SUBDIRS_PPC = ${INSTINC_SUBDIRS}
INSTINC_SUBDIRS_I386 = ${INSTINC_SUBDIRS}
EXPINC_SUBDIRS = \
+ mac_mls \
+ mac_test \
sebsd
EXPINC_SUBDIRS_PPC = ${EXPINC_SUBDIRS}
==== //depot/projects/trustedbsd/sedarwin73/apsl/xnu/security/conf/files#3 (text+ko) ====
@@ -13,6 +13,7 @@
security/mac_socket.c standard
security/mac_network.c standard
security/mac_test/mac_test.c standard
+security/mac_mls/mac_mls.c standard
security/sebsd/sebsd.c standard
security/sebsd/sebsd_syscall.c standard
security/sebsd/sebsd_sysctl.c standard
==== //depot/projects/trustedbsd/sedarwin73/apsl/xnu/security/mac_base.c#2 (text+ko) ====
@@ -308,6 +308,7 @@
{
extern struct mac_policy_conf test_mac_policy_conf;
extern struct mac_policy_conf sebsd_mac_policy_conf;
+ extern struct mac_policy_conf mac_mls_mac_policy_conf;
printf("MAC: init mac_test\n");
mac_policy_register(&test_mac_policy_conf);
@@ -315,6 +316,9 @@
printf("MAC: init sebsd\n");
mac_policy_register(&sebsd_mac_policy_conf);
+ printf("MAC: init MAC/MLS\n");
+ mac_policy_register(&mac_mls_mac_policy_conf);
+
mac_late = 1;
}
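Review bot: The return of `mac_policy_register(&mac_mls_mac_policy_conf)` is discarded, so a failed registration would still print "MAC: init MAC/MLS" and let `mac_late = 1` run as if the policy were active; this mirrors the two existing calls, but the new one is the natural place to start checking. If mac_policy_register reports failure through its return value as the FreeBSD framework does, `if (mac_policy_register(&mac_mls_mac_policy_conf) != 0) printf("MAC: mac_mls registration failed\n");` would make a silently absent MLS policy visible at boot. The enclosing function begins in the previous hunk and not all of its body is visible here.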
==== //depot/projects/trustedbsd/sedarwin73/apsl/xnu/security/mac_mls/mac_mls.c#2 (text+ko) ====
@@ -41,25 +41,25 @@
#include <sys/types.h>
#include <sys/param.h>
-#include <sys/acl.h>
+#include <sys/extattr.h>
#include <sys/conf.h>
-#include <sys/extattr.h>
#include <sys/kernel.h>
#include <sys/mac.h>
#include <sys/malloc.h>
+#include <sys/mman.h>
#include <sys/mount.h>
#include <sys/proc.h>
#include <sys/sbuf.h>
#include <sys/systm.h>
-#include <sys/sysproto.h>
-#include <sys/sysent.h>
-#include <sys/systm.h>
#include <sys/vnode.h>
-#include <sys/file.h>
+#include <sys/dirent.h>
+#include <sys/sysctl.h>
+#include <string.h>
+
+#if 0
#include <sys/socket.h>
#include <sys/socketvar.h>
#include <sys/pipe.h>
-#include <sys/sysctl.h>
#include <sys/msg.h>
#include <sys/msg_msg.h>
#include <sys/sem.h>
@@ -76,13 +76,23 @@
#include <netinet/in.h>
#include <netinet/ip_var.h>
+#endif /* 0 */
-#include <vm/vm.h>
+#include <sys/libkern.h>
+#include <sys/ucred.h>
+#include <vm/vm_kern.h>
+#include <kern/kalloc.h>
#include <sys/mac_policy.h>
#include <security/mac_mls/mac_mls.h>
+#ifdef APPLE
+#define TUNABLE_INT(x, y)
+#define atomic_add_int(P, V) (*(u_int*)(P) += (V))
+#define atomic_subtract_int(P, V) (*(u_int*)(P) -= (V))
+#endif
+
SYSCTL_DECL(_security_mac);
SYSCTL_NODE(_security_mac, OID_AUTO, mls, CTLFLAG_RW, 0,
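Review bot: The APPLE fallbacks at the top of the hunk define `atomic_add_int` and `atomic_subtract_int` as plain read-modify-write expressions, so the names promise an atomicity the expansion does not provide; the `atomic_add_int(&destroyed_not_inited, 1)` in the kfree path later in this diff can therefore lose updates on SMP. The `(u_int*)` cast also silently retypes whatever object is passed in. If this tree provides a real atomic primitive (libkern's OSAddAtomic, for instance) it belongs here; otherwise mark the limitation, e.g. `/* NOTE: not atomic -- acceptable only for the best-effort diagnostic counters in this file */`. The empty `TUNABLE_INT(x, y)` likewise discards any boot-arg tunables without a trace and deserves the same kind of comment.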
@@ -116,10 +126,9 @@
&max_compartments, 0, "Maximum compartments the policy supports");
static int mac_mls_slot;
+
#define SLOT(l) ((struct mac_mls *)LABEL_TO_SLOT((l), mac_mls_slot).l_ptr)
-MALLOC_DEFINE(M_MACMLS, "mls label", "MAC/MLS labels");
-
static __inline int
mls_bit_set_empty(u_char *set) {
int i;
@@ -135,7 +144,8 @@
{
struct mac_mls *mac_mls;
- mac_mls = malloc(sizeof(struct mac_mls), M_MACMLS, M_ZERO | flag);
+ mac_mls = (struct mac_mls *)kalloc(sizeof(struct mac_mls));
+ bzero(mac_mls, sizeof(struct mac_mls));
return (mac_mls);
}
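Review bot: The `kalloc()` result is handed straight to `bzero()` with no NULL check, so if kalloc can fail in this tree an allocation failure becomes a kernel NULL dereference instead of the NULL return that the old `malloc(..., M_ZERO | flag)` gave callers using M_NOWAIT; the `flag` argument is now ignored entirely. Add `if (mac_mls == NULL) return (NULL);` between the kalloc and the bzero, and note in a comment that `flag` is unused until an allocator variant that honours it is wired in. The function's signature is above this hunk and not visible here.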
@@ -145,7 +155,7 @@
{
if (mac_mls != NULL)
- free(mac_mls, M_MACMLS);
+ kfree((vm_offset_t)mac_mls, sizeof(struct mac_mls));
else
atomic_add_int(&destroyed_not_inited, 1);
}
@@ -469,6 +479,7 @@
mac_mls_init(struct mac_policy_conf *conf)
{
+ printf("MAC MLS policy is initialized!\n");
}
/*
@@ -590,6 +601,8 @@
panic("mac_mls_element_to_string: invalid type (%d)",
element->mme_type);
}
+
+ return (-1); /* Unreachable */
}
/*
@@ -821,6 +834,7 @@
*SLOT(dest) = *SLOT(src);
}
+#if Big_Zero
/*
* Labeling event operations: file system objects, and things that look
* a lot like file system objects.
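Review bot: `#if Big_Zero` relies on an identifier that is never defined, so the block is compiled out only because the preprocessor treats an undefined name as 0; `-Wundef` would flag it, and a stray `#define Big_Zero` anywhere in the include chain would silently re-enable roughly two thousand lines. Prefer `#if 0 /* Big_Zero: entry points not yet ported */` or an explicit `#define Big_Zero 0` next to the APPLE macros; the matching `#endif /* Big_Zero */` appears in a later hunk of this file. The nested `#if 0` / `#endif /* 0 */` around mac_mls_check_vnode_exec in the two following hunks sits entirely inside this disabled region and is redundant.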
@@ -2358,6 +2372,7 @@
return (0);
}
+#if 0
static int
mac_mls_check_vnode_exec(struct ucred *cred, struct vnode *vp,
struct label *label, struct image_params *imgp,
@@ -2389,6 +2404,7 @@
return (0);
}
+#endif /* 0 */
static int
mac_mls_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
@@ -2877,7 +2893,15 @@
return (0);
}
+#endif /* Big_Zero */
+
+static struct mac_policy_ops mac_mls_ops =
+{
+ .mpo_destroy = mac_mls_destroy,
+ .mpo_init = mac_mls_init,
+};
+#if 0
static struct mac_policy_ops mac_mls_ops =
{
.mpo_destroy = mac_mls_destroy,
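Review bot: Two definitions of `static struct mac_policy_ops mac_mls_ops` now exist in the file, the two-entry stub and the full table under `#if 0` immediately below it; the moment that `#if 0` is lifted to bring back an entry point the file stops compiling with a redefinition error. Keep a single table and enable entries in place as they are ported, or rename the disabled one (e.g. `mac_mls_ops_full`) with a comment saying it is the reference list. The disabled table continues past the end of this hunk.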
@@ -3049,6 +3073,18 @@
.mpo_check_vnode_stat = mac_mls_check_vnode_stat,
.mpo_check_vnode_write = mac_mls_check_vnode_write,
};
+#endif /* 0 */
+#if 0
MAC_POLICY_SET(&mac_mls_ops, mac_mls, "TrustedBSD MAC/MLS",
MPC_LOADTIME_FLAG_NOTLATE | MPC_LOADTIME_FLAG_LABELMBUFS, &mac_mls_slot);
+#endif /* 0 */
+
+struct mac_policy_conf mac_mls_mac_policy_conf = {
+ "mac_mls", /* policy name */
+ "TrustedBSD MAC/MLS", /* full name */
+ &mac_mls_ops, /* policy operations */
+ 0, /* loadtime flags*/
+ &mac_mls_slot, /* security field */
+ 0 /* runtime flags */
+};
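Review bot: The new `mac_mls_mac_policy_conf` registers with loadtime flags `0`, whereas the now-disabled `MAC_POLICY_SET` a few lines above used `MPC_LOADTIME_FLAG_NOTLATE | MPC_LOADTIME_FLAG_LABELMBUFS`; if dropping them is deliberate for the stub, say so in the field comment, e.g. `0, /* loadtime flags: NOTLATE|LABELMBUFS to be restored with the label ops */`, so they are not forgotten when the mbuf label entry points return. The initializer is also positional while `mac_mls_ops` in the previous hunk uses designated initializers; using them here too would make the dependency on the field order of `struct mac_policy_conf` explicit.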
==== //depot/projects/trustedbsd/sedarwin73/apsl/xnu/security/mac_mls/mac_mls.h#2 (text+ko) ====