PERFORCE change 15425 for review
Robert Watson
rwatson at freebsd.org
Fri Aug 2 03:16:31 GMT 2002
On Thu, 1 Aug 2002, Chris Vance wrote:
> http://people.freebsd.org/~peter/p4db/chv.cgi?CH=15425
>
> Change 15425 by cvance at cvance_laptop on 2002/08/01 18:04:47
>
> Add support for a basic mac_policy syscall handler.
> Things to think about:
> - who guarantees MPSAFE: the TrustedBSD harness or the modules?
> - the module must perform the copyin on the arg parameter.
Also, you need to rebuild and commit the regenerated init_sysent.c,
syscalls.c, and the related files under sys/sys/.
>
> Affected files ...
>
> .. //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#225 edit
> .. //depot/projects/trustedbsd/mac/sys/kern/syscalls.master#21 edit
> .. //depot/projects/trustedbsd/mac/sys/sys/mac.h#141 edit
> .. //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#106 edit
>
> Differences ...
>
> ==== //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#225 (text+ko) ====
>
> @@ -363,6 +363,9 @@
> * that all enumerated values are handled.
> */
> break;
> + case MAC_SYSCALL:
> + mpc->mpc_ops->mpo_mac_policy =
> + mpe->mpe_function;
> case MAC_DESTROY:
> mpc->mpc_ops->mpo_destroy =
> mpe->mpe_function;
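Review bot: The new `case MAC_SYSCALL:` has no `break;` after `mpc->mpc_ops->mpo_mac_policy = mpe->mpe_function;`, so it falls through into `case MAC_DESTROY:` and a module that registers a syscall handler also silently overwrites its `mpo_destroy` with the same function pointer, which would later be called with the wrong signature. Add `break;` directly after the assignment, matching the other cases. The enclosing switch starts and ends outside this hunk.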
> @@ -3060,6 +3063,40 @@
> return (error);
> }
>
> +/*
> + * MPSAFE
> + */
> +int
> +mac_policy(struct thread *td, struct mac_policy_args *uap)
> +{
> + int error;
> + char target[128]; /* TBD: should be MAX_MAXNAME or some such */
> + struct mac_policy_conf *mpc;
> +
> + error = copyinstr(uap->policy, target, sizeof(target), NULL);
> + if (error == ENAMETOOLONG) {
> + return (EINVAL);
> + }
> + if (error) {
> + return (error);
> + }
> +
> + error = ENOSYS;
> + MAC_POLICY_LIST_BUSY();
> + LIST_FOREACH(mpc, &mac_policy_list, mpc_list) {
> + if (strcmp(mpc->mpc_name, target) == 0 &&
> + mpc->mpc_ops->mpo_mac_policy) {
> + error = mpc->mpc_ops->mpo_mac_policy(SCARG(uap, call),
> + SCARG(uap, arg));
> + goto out;
> + }
> + }
> +
> + out:
> + MAC_POLICY_LIST_UNBUSY();
> + return (error);
> +}
> +
> SYSINIT(mac, SI_SUB_MAC, SI_ORDER_FIRST, mac_init, NULL);
> SYSINIT(mac_late, SI_SUB_MAC_LATE, SI_ORDER_FIRST, mac_late_init, NULL);
>
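Review bot: mac_policy() dispatches `SCARG(uap, call)` and the raw user pointer `SCARG(uap, arg)` to the module's `mpo_mac_policy` without passing `td`, and performs no privilege or credential check of its own, so any unprivileged process can invoke any registered policy's calls and the module has no caller identity to authorize against other than curthread. I would pass the thread through, `error = mpc->mpc_ops->mpo_mac_policy(td, SCARG(uap, call), SCARG(uap, arg));`, with the matching signature change in the mac_policy.h hunk, so each policy can make an explicit authorization decision before touching `arg`. The handler is also invoked while `MAC_POLICY_LIST_BUSY()` is held; whether a module may sleep in copyin there depends on what that macro acquires, which is not visible here. The `/* MPSAFE */` header above the function appears to be asserted rather than established, given the open question in the change description.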
> @@ -3107,4 +3144,11 @@
> return (ENOSYS);
> }
>
> +int
> +mac_policy(struct thread *td, struct mac_policy *uap)
> +{
> +
> + return (ENOSYS);
> +}
> +
> #endif /* !MAC */
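Review bot: The `!MAC` stub declares its second parameter as `struct mac_policy *uap`, while the MAC build above uses `struct mac_policy_args *uap`; the two definitions of mac_policy() have different types, and a kernel built without MAC will presumably get a conflicting-types error against the generated sysproto.h prototype (not visible here). Change the stub to `mac_policy(struct thread *td, struct mac_policy_args *uap)`. The stub body's leading blank line before `return (ENOSYS);` also differs from the style of the neighbouring stubs.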
>
> ==== //depot/projects/trustedbsd/mac/sys/kern/syscalls.master#21 (text+ko) ====
>
> @@ -567,5 +567,5 @@
> 392 STD BSD { int uuidgen(struct uuid *store, int count); }
> 393 MSTD BSD { int sendfile(int fd, int s, off_t offset, size_t nbytes, \
> struct sf_hdtr *hdtr, off_t *sbytes, int flags); }
> -394 MNOIMPL BSD { int mac_policy(const char *policy, int call, \
> +394 MSTD BSD { int mac_policy(const char *policy, int call, \
> void *arg); }
>
> ==== //depot/projects/trustedbsd/mac/sys/sys/mac.h#141 (text+ko) ====
>
>
> ==== //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#106 (text+ko) ====
>
> @@ -63,6 +63,11 @@
> void (*mpo_init)(struct mac_policy_conf *mpc);
>
> /*
> + * Generic policy-directed security syscall
> + */
> + int (*mpo_mac_policy)(int call, void *arg);
> +
> + /*
> * Label operations.
> */
> void (*mpo_init_bpfdesc)(struct bpf_d *, struct label *label);
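Review bot: The comment on the new `mpo_mac_policy` member says only "Generic policy-directed security syscall" and does not state the contract the implementer must honour: `call` and `arg` come straight from an unprivileged syscall, and `arg` is an unvalidated user-space pointer. I would expand it to `/* Generic policy-directed security syscall. 'call' and 'arg' are raw syscall arguments; 'arg' is a user-space pointer that the policy must copyin() and validate before use. */`. Stating this in the header is what keeps a future module from dereferencing `arg` directly.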
> @@ -330,6 +335,7 @@
>
> enum mac_op_constant {
> MAC_OP_LAST,
> + MAC_SYSCALL,
> MAC_DESTROY,
> MAC_INIT,
> MAC_INIT_BPFDESC,
>