PERFORCE change 113512 for review

Todd Miller millert at FreeBSD.org
Thu Jan 25 15:24:00 UTC 2007


http://perforce.freebsd.org/chv.cgi?CH=113512

Change 113512 by millert at millert_macbook on 2007/01/25 15:23:20

	Adapt to MAC policy API changes.

Affected files ...

.. //depot/projects/trustedbsd/sedarwin8/policies/color/mac_color.c#12 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/console/mac_console.c#9 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/filewatch/mac_filewatch.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/mls/mac_mls.c#27 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/readonly/mac_readonly.c#9 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/test/mac_parse.pl#4 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/test/mac_test.c#20 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/vanity/vanity.c#10 edit

Differences ...

==== //depot/projects/trustedbsd/sedarwin8/policies/color/mac_color.c#12 (text+ko) ====

@@ -383,7 +383,7 @@
 
 static int
 color_vnode_check_access(struct ucred *cred, struct vnode *vp,
-    struct label *label, int acc_mode)
+    struct label *label, struct componentname *cnp, int acc_mode)
 {
 
 	return (co_maybe_promote_process(cred, label));
@@ -399,7 +399,7 @@
 
 static int
 color_vnode_check_chroot(struct ucred *cred, struct vnode *dvp,
-    struct label *label) 
+    struct label *label, struct componentname *cnp) 
 {
 
 	return (co_maybe_promote_process(cred, label));
@@ -443,7 +443,7 @@
 
 static int
 color_vnode_check_exec(struct ucred *cred, struct vnode *vp,
-    struct label *label, struct label *execlabel)
+    struct label *label, struct label *execlabel, struct componentname *cnp)
 {
 
 	if (execlabel != NULL)
@@ -518,14 +518,6 @@
 }
 
 static int
-color_proc_check_mprotect(struct ucred *cred, struct proc *proc,
-    void *addr, size_t size, int prot) 
-{
-
-	// Nothing yet
-}
-
-static int
 color_vnode_check_open(struct ucred *cred, struct vnode *vp,
     struct label *label, int acc_mode) 
 {
@@ -709,7 +701,6 @@
 	.mpo_lctx_notify_leave		= color_lctx_notify_leave,
 	.mpo_lctx_label_update		= color_lctx_label_update,
 	.mpo_proc_check_signal		= color_proc_check_signal,
-	.mpo_proc_check_mprotect	= color_proc_check_mprotect,
 
 	.mpo_vnode_check_access		= color_vnode_check_access,
 	.mpo_vnode_check_chdir		= color_vnode_check_chdir,

==== //depot/projects/trustedbsd/sedarwin8/policies/console/mac_console.c#9 (text+ko) ====

@@ -680,12 +680,32 @@
 }
 
 static int
+mac_console_vnode_check_access(struct ucred *cred, struct vnode *vp,
+    struct label *vnodelabel, struct componentname *cnp, int acc_mode)
+{
+	struct mac_console *subj, *obj;
+
+	if (!mac_console_enabled)
+		return (0);
+
+	subj = SLOT(cred->cr_label);
+	obj = SLOT(vnodelabel);
+	if (!mac_console_vnode_access(subj, obj))
+		return (EACCES);
+	return (0);
+}
+
+static int
 mac_console_vnode_check_exec(struct ucred *cred, struct vnode *vp,
 			     struct label *label,
 #ifdef __FreeBSD__
 			     struct image_params *imgp,
 #endif
-    			     struct label *execlabel)
+    			     struct label *execlabel
+#ifdef __APPLE__
+			     ,struct componentname *cnp
+#endif
+			     )
 {
 	struct mac_console *subj, *obj;
 
@@ -776,7 +796,7 @@
 	.mpo_vnode_label_associate_extattr= mac_console_vnode_label_associate_extattr,
 	.mpo_vnode_label_store		= mac_console_vnode_label_store,
 
-	.mpo_vnode_check_access		= mac_console_vnode_check_open,
+	.mpo_vnode_check_access		= mac_console_vnode_check_access,
 	.mpo_vnode_check_open		= mac_console_vnode_check_open,
 	.mpo_vnode_check_exec		= mac_console_vnode_check_exec,
         .mpo_vnode_check_unlink		= mac_console_vnode_check_unlink,
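Review bot: The `.mpo_vnode_check_access` entry now resolves to mac_console_vnode_check_access (added in the preceding hunk), which never consults `acc_mode` or `vp`: every access(2) probe, whatever mode is requested, is allowed or denied by the same `mac_console_vnode_access(subj, obj)` label comparison. If that all-or-nothing behaviour is intended, a one-line comment in the new function would keep the next reader from assuming a mode check was forgotten, e.g. `/* acc_mode is intentionally ignored: access is all-or-nothing per label pair. */`. The `#ifdef __APPLE__` block that appends `,struct componentname *cnp` to mac_console_vnode_check_exec's parameter list hides the separating comma inside the conditional, which is easy to misread; keeping the comma on the `struct label *execlabel` line (itself guarded by the same `#ifdef`) reads more naturally. Both function bodies continue past the hunk.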

==== //depot/projects/trustedbsd/sedarwin8/policies/filewatch/mac_filewatch.c#2 (text+ko) ====

@@ -78,35 +78,27 @@
 
 static int
 filewatch_vnode_check_exec(struct ucred *cred, struct vnode *vp,
-    struct label *label, struct label *execlabel)
+    struct label *label, struct label *execlabel, struct componentname *cnp)
 {
 	char *pbuf, cbuf[MAXCOMLEN+1];
-	int error, plen, clen;
+	int plen, clen;
 
 	if (vp == NULL) {
 		printf("filewatch:: NULL vp\n");
 		return (0);
 	}
 
-	MALLOC_ZONE(pbuf, char *, MAXPATHLEN, M_NAMEI, M_WAITOK);
-	if (pbuf == NULL) {
-		printf("filewatch:: This sucks, no path buffers available (via exec)\n");
-		return (0);
-	}
+	pbuf = cnp->cn_pnbuf;
+	plen = cnp->cn_nameptr - cnp->cn_pnbuf + cnp->cn_namelen;
 
-	plen = MAXPATHLEN;
-	error = vn_getpath(vp, pbuf, &plen);
-
-	clen = MAXCOMLEN+1;
+	clen = sizeof(cbuf);
 	proc_selfname(cbuf, clen);
-	printf("filewatch:: pcomm '%s' (%d/%d) uid %d exec '%s'\n",
+	printf("filewatch:: pcomm '%s' (%d/%d) uid %d exec '%.*s'\n",
 	    cbuf,
 	    proc_selfpid(),
 	    proc_selfppid(),
 	    cred->cr_uid,
-	    pbuf);
-
-	FREE_ZONE(pbuf, MAXPATHLEN, M_NAMEI);
+	    plen, pbuf);
 
 	return (0);
 }
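Review bot: `cnp` is dereferenced at `pbuf = cnp->cn_pnbuf;` without a NULL check, while the function still guards `vp == NULL` a few lines earlier; whether every exec path supplies a componentname is not visible here, so the same guard should cover it: `if (cnp == NULL || cnp->cn_pnbuf == NULL) { printf("filewatch:: NULL cnp\n"); return (0); }`. Note also that the path logged is now the caller's lookup string from the namei buffer rather than the resolved path that vn_getpath returned before, so relative names and symlink components appear as supplied rather than as the vnode they resolve to; if this log feeds auditing, a comment at the assignment should say so, e.g. `/* Logs the path as supplied to namei, not the resolved vnode path. */`. The pointer difference assigned to `int plen` is presumably bounded by the path buffer size, but an explicit `(int)` cast would make the narrowing deliberate.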
@@ -132,7 +124,7 @@
 	plen = MAXPATHLEN;
 	error = vn_getpath(vp, pbuf, &plen);
 
-	clen = MAXCOMLEN+1;
+	clen = sizeof(cbuf);
 	proc_selfname(cbuf, clen);
 	printf("filewatch:: pcomm '%s' (%d/%d) uid %d open '%s' (%d,%s%s%s%s%s)\n", 
 	    cbuf,

==== //depot/projects/trustedbsd/sedarwin8/policies/mls/mac_mls.c#27 (text+ko) ====

@@ -314,6 +314,7 @@
 	return (mac_mls_dominate_element(&a->mm_effective, &b->mm_effective));
 }
 
+#if 0
 static int
 mac_mls_equal_element(struct mac_mls_element *a, struct mac_mls_element *b)
 {
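Review bot: The `#if 0` added here (its matching `#endif` lands in the next hunk) keeps mac_mls_equal_element and mac_mls_equal in the file as dead code with no explanation of why they are retained. If they are being kept for a hook that is expected to return, a short comment on the directive records that, e.g. `#if 0	/* unused after the MAC policy API change; re-enable or delete */`; otherwise deleting the two functions outright is cleaner, since the Perforce history preserves them.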
@@ -351,6 +352,7 @@
 
 	return (mac_mls_equal_element(&a->mm_effective, &b->mm_effective));
 }
+#endif
 
 static int
 mac_mls_contains_equal(struct mac_mls *mac_mls)
@@ -1529,7 +1531,7 @@
 
 static void
 mac_mls_mbuf_label_associate_bpfdesc(struct bpf_d *bpf_d,
-			 	 struct mbuf *mbuf, struct label *mbuflabel)
+    struct label *bpflabel, struct mbuf *mbuf, struct label *mbuflabel)
 {
 	struct mac_mls *dest;
 
@@ -3287,7 +3289,7 @@
 
 static int
 mac_mls_vnode_check_chroot(struct ucred *cred, struct vnode *dvp,
-    struct label *dlabel)
+    struct label *dlabel, struct componentname *cnp)
 {
 	struct mac_mls *subj, *obj;
 
@@ -3389,7 +3391,7 @@
 
 static int
 mac_mls_vnode_check_exec(struct ucred *cred, struct vnode *vp,
-    struct label *label, struct label *execlabel)
+    struct label *label, struct label *execlabel, struct componentname *cnp)
 {
 	struct mac_mls *subj, *obj, *exec;
 	int error;
@@ -3613,7 +3615,7 @@
 
 static int
 mac_mls_vnode_check_access(struct ucred *cred, struct vnode *vp,
-    struct label *vnodelabel, int acc_mode)
+    struct label *vnodelabel, struct componentname *cnp, int acc_mode)
 {
 	struct mac_mls *subj, *obj;
 

==== //depot/projects/trustedbsd/sedarwin8/policies/readonly/mac_readonly.c#9 (text+ko) ====

@@ -371,7 +371,7 @@
 }
 
 static int
-readonly_vnode_check_access(struct ucred *cred, struct vnode *vp, struct label *label, int acc_mode) 
+readonly_vnode_check_access(struct ucred *cred, struct vnode *vp, struct label *label, struct componentname *cnp, int acc_mode) 
 {
 
 	return (ro_checkdiraccess(vp, label, acc_mode));

==== //depot/projects/trustedbsd/sedarwin8/policies/test/mac_parse.pl#4 (text+ko) ====

@@ -207,9 +207,6 @@
 		elsif ($var =~ /port/ || $name =~ /check_port_/) {
 				print CFILE "\tUSE_LABEL($var, PORTTYPE);\n";
 		}
-		elsif ($var =~ /task/) {
-				print CFILE "\tUSE_LABEL($var, TASKTYPE);\n";
-		}
 		elsif ($type =~ /struct label/) {
 			if ($flags =~ /NULLOK/) {
 				print CFILE "\tif ($var != NULL)\n\t";
@@ -217,6 +214,9 @@
 			if ($firsttype ne "") {
 				print CFILE "\tUSE_LABEL($var, $firsttype);\n";
 			}
+			elsif ($var =~ /task/) {
+				print CFILE "\tUSE_LABEL($var, TASKTYPE);\n";
+			}
 			else {
 				print CFILE "\tUSE_LABEL($var, $typename);\n";
 			}

==== //depot/projects/trustedbsd/sedarwin8/policies/test/mac_test.c#20 (text+ko) ====

@@ -1627,7 +1627,7 @@
 
 static void
 mac_test_mbuf_label_associate_bpfdesc(struct bpf_d *bpf_d,
-    struct mbuf *m, struct label *m_label)
+    struct label *b_label, struct mbuf *m, struct label *m_label)
 {
 
 	CHECKNULL(bpf_d);
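Review bot: The new `b_label` parameter is not checked next to the existing `CHECKNULL(bpf_d);`; if this test policy's convention is to validate every label argument it receives (the mac_parse.pl change in this same commit emits USE_LABEL for every `struct label` parameter), add `CHECKNULL(b_label);` alongside it. The rest of the body lies outside the hunk, so it may already be handled there.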

==== //depot/projects/trustedbsd/sedarwin8/policies/vanity/vanity.c#10 (text+ko) ====

@@ -236,7 +236,7 @@
 }
 
 static int
-vanity_mount_check_mount(struct ucred *cred, struct vnode *vp, struct label *vlabel, const char *vfc_name) 
+vanity_mount_check_mount(struct ucred *cred, struct vnode *vp, struct label *vlabel, struct componentname *cnp, const char *vfc_name) 
 {
 	VANITY(vp);
 	return (0);
@@ -264,7 +264,7 @@
 }
 
 static int
-vanity_vnode_check_access(struct ucred *cred, struct vnode *vp, struct label *label, int acc_mode) 
+vanity_vnode_check_access(struct ucred *cred, struct vnode *vp, struct label *label, struct componentname *cnp, int acc_mode) 
 {
 	VANITY(vp);
 	return (0);
@@ -278,7 +278,7 @@
 }
 
 static int
-vanity_vnode_check_chroot(struct ucred *cred, struct vnode *dvp, struct label *dlabel) 
+vanity_vnode_check_chroot(struct ucred *cred, struct vnode *dvp, struct label *dlabel, struct componentname *cnp) 
 {
 	VANITY(dvp);
 	return (0);
@@ -315,7 +315,7 @@
 }
 
 static int
-vanity_vnode_check_exec(struct ucred *cred, struct vnode *vp, struct label *label, struct label *execlabel) 
+vanity_vnode_check_exec(struct ucred *cred, struct vnode *vp, struct label *label, struct label *execlabel, struct componentname *cnp) 
 {
 	VANITY(vp);
 	return (0);

