PERFORCE change 15035 for review
Robert Watson
rwatson at freebsd.org
Sun Jul 28 03:52:47 GMT 2002
http://people.freebsd.org/~peter/p4db/chv.cgi?CH=15035
Change 15035 by rwatson at rwatson_paprika on 2002/07/27 20:52:28
Rename mpo_check_see_socket() and mpo_check_see_cred() to
mpo_check_socket_visible() and mpo_check_cred_visible()
respectively. Move entry point naming towards a model using
mac_check_(objectname)_(methodname)() from
mac_cred_check_(methodname)_(objectname)(). This is the bit
where we generate conflicts.
Affected files ...
.. //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#197 edit
.. //depot/projects/trustedbsd/mac/sys/kern/kern_prot.c#23 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#74 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#63 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_none/mac_none.c#49 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_partition/mac_partition.c#7 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_seeotheruids/mac_seeotheruids.c#12 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.c#54 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#19 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac.h#125 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#90 edit
Differences ...
==== //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#197 (text+ko) ====
@@ -658,18 +658,18 @@
mpc->mpc_ops->mpo_check_bpfdesc_receive =
mpe->mpe_function;
break;
+ case MAC_CHECK_CRED_VISIBLE:
+ mpc->mpc_ops->mpo_check_cred_visible =
+ mpe->mpe_function;
+ break;
case MAC_CHECK_CONNECT_SOCKET:
mpc->mpc_ops->mpo_check_connect_socket =
mpe->mpe_function;
break;
- case MAC_CHECK_SEE_CRED:
- mpc->mpc_ops->mpo_check_see_cred =
+ case MAC_CHECK_SOCKET_VISIBLE:
+ mpc->mpc_ops->mpo_check_socket_visible =
mpe->mpe_function;
break;
- case MAC_CHECK_SEE_SOCKET:
- mpc->mpc_ops->mpo_check_see_socket =
- mpe->mpe_function;
- break;
case MAC_CHECK_RELABEL_IFNET:
mpc->mpc_ops->mpo_check_relabel_ifnet =
mpe->mpe_function;
@@ -1041,32 +1041,6 @@
}
int
-mac_cred_cansee(struct ucred *u1, struct ucred *u2)
-{
- int error;
-
- if (!mac_enforce_process)
- return (0);
-
- MAC_CHECK(check_see_cred, u1, u2);
-
- return (error);
-}
-
-int
-mac_cred_canseesocket(struct ucred *cred, struct socket *socket)
-{
- int error;
-
- if (!mac_enforce_socket)
- return (0);
-
- MAC_CHECK(check_see_socket, cred, socket, &socket->so_label);
-
- return (error);
-}
-
-int
mac_cred_cansignal(struct ucred *cred, struct proc *proc, int signum)
{
int error;
@@ -2533,6 +2507,19 @@
}
int
+mac_check_cred_visible(struct ucred *u1, struct ucred *u2)
+{
+ int error;
+
+ if (!mac_enforce_process)
+ return (0);
+
+ MAC_CHECK(check_cred_visible, u1, u2);
+
+ return (error);
+}
+
+int
mac_check_connect_socket(struct ucred *cred, struct socket *socket,
struct sockaddr *sockaddr)
{
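Review bot: `mac_check_cred_visible()` does not say which credential is the subject and which is the object, and with parameters named `u1`/`u2` a swapped call would still compile. The `kern_prot.c` call site and `mac_te_check_cred_visible()` in this change both pass `u1` first, which suggests `u1` is the viewer, but that is inferred rather than stated. I would add a comment above the function such as `/* u1 is the subject asking to see u2; returns 0 without consulting any policy when mac_enforce_process is off. */`. The returned `error` is presumably assigned inside `MAC_CHECK`, whose definition is not visible here.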
@@ -2562,6 +2549,19 @@
}
int
+mac_check_socket_visible(struct ucred *cred, struct socket *socket)
+{
+ int error;
+
+ if (!mac_enforce_socket)
+ return (0);
+
+ MAC_CHECK(check_socket_visible, cred, socket, &socket->so_label);
+
+ return (error);
+}
+
+int
mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr,
struct ifnet *ifnet)
{
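Review bot: The result of `MAC_CHECK(check_socket_visible, ...)` is returned unchanged, and the `kern_prot.c` caller in this change also passes it straight back, while the neighbouring `cr_seeotheruids()` denial there is mapped to `ENOENT`. For a visibility check, a policy that denies with a different errno (for example `EACCES`) would let the caller tell a hidden socket from a nonexistent one. Either document the contract on this entry point, e.g. `/* Policies should deny with ENOENT so a hidden socket is indistinguishable from a missing one. */`, or normalise the value at the call site. What the individual policies return lies outside these hunks, so this may already hold.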
==== //depot/projects/trustedbsd/mac/sys/kern/kern_prot.c#23 (text+ko) ====
@@ -1380,7 +1380,7 @@
if ((error = prison_check(u1, u2)))
return (error);
#ifdef MAC
- if ((error = mac_cred_cansee(u1, u2)))
+ if ((error = mac_check_cred_visible(u1, u2)))
return (error);
#endif
if ((error = cr_seeotheruids(u1, u2)))
@@ -1674,7 +1674,7 @@
if (cr_seeotheruids(cred, so->so_cred))
return (ENOENT);
#ifdef MAC
- error = mac_cred_canseesocket(cred, so);
+ error = mac_check_socket_visible(cred, so);
if (error)
return (error);
#endif
==== //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#74 (text+ko) ====
@@ -1181,7 +1181,7 @@
}
static int
-mac_biba_check_see_cred(struct ucred *u1, struct ucred *u2)
+mac_biba_check_cred_visible(struct ucred *u1, struct ucred *u2)
{
struct mac_biba *subj, *obj;
@@ -1199,7 +1199,7 @@
}
static int
-mac_biba_check_see_socket(struct ucred *cred, struct socket *socket,
+mac_biba_check_socket_visible(struct ucred *cred, struct socket *socket,
struct label *socketlabel)
{
struct mac_biba *subj, *obj;
@@ -2142,10 +2142,10 @@
(macop_t)mac_biba_relabel_subject },
{ MAC_CHECK_BPFDESC_RECEIVE,
(macop_t)mac_biba_check_bpfdesc_receive },
- { MAC_CHECK_SEE_CRED,
- (macop_t)mac_biba_check_see_cred },
- { MAC_CHECK_SEE_SOCKET,
- (macop_t)mac_biba_check_see_socket },
+ { MAC_CHECK_CRED_VISIBLE,
+ (macop_t)mac_biba_check_cred_visible },
+ { MAC_CHECK_SOCKET_VISIBLE,
+ (macop_t)mac_biba_check_socket_visible },
{ MAC_CHECK_RELABEL_IFNET,
(macop_t)mac_biba_check_relabel_ifnet },
{ MAC_CHECK_RELABEL_PIPE,
==== //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#63 (text+ko) ====
@@ -1127,7 +1127,7 @@
}
static int
-mac_mls_check_see_cred(struct ucred *u1, struct ucred *u2)
+mac_mls_check_cred_visible(struct ucred *u1, struct ucred *u2)
{
struct mac_mls *subj, *obj;
@@ -1145,7 +1145,7 @@
}
static int
-mac_mls_check_see_socket(struct ucred *cred, struct socket *socket,
+mac_mls_check_socket_visible(struct ucred *cred, struct socket *socket,
struct label *socketlabel)
{
struct mac_mls *subj, *obj;
@@ -2088,10 +2088,10 @@
(macop_t)mac_mls_relabel_subject },
{ MAC_CHECK_BPFDESC_RECEIVE,
(macop_t)mac_mls_check_bpfdesc_receive },
- { MAC_CHECK_SEE_CRED,
- (macop_t)mac_mls_check_see_cred },
- { MAC_CHECK_SEE_SOCKET,
- (macop_t)mac_mls_check_see_socket },
+ { MAC_CHECK_CRED_VISIBLE,
+ (macop_t)mac_mls_check_cred_visible },
+ { MAC_CHECK_SOCKET_VISIBLE,
+ (macop_t)mac_mls_check_socket_visible },
{ MAC_CHECK_RELABEL_IFNET,
(macop_t)mac_mls_check_relabel_ifnet },
{ MAC_CHECK_RELABEL_PIPE,
==== //depot/projects/trustedbsd/mac/sys/security/mac_none/mac_none.c#49 (text+ko) ====
@@ -565,22 +565,22 @@
}
static int
-mac_none_check_connect_socket(struct ucred *cred, struct socket *socket,
- struct label *socketlabel, struct sockaddr *sockaddr)
+mac_none_check_cred_visible(struct ucred *u1, struct ucred *u2)
{
return (0);
}
static int
-mac_none_check_see_cred(struct ucred *u1, struct ucred *u2)
+mac_none_check_connect_socket(struct ucred *cred, struct socket *socket,
+ struct label *socketlabel, struct sockaddr *sockaddr)
{
return (0);
}
static int
-mac_none_check_see_socket(struct ucred *cred, struct socket *socket,
+mac_none_check_socket_visible(struct ucred *cred, struct socket *socket,
struct label *socketlabel)
{
@@ -1020,12 +1020,12 @@
(macop_t)mac_none_check_bind_socket },
{ MAC_CHECK_BPFDESC_RECEIVE,
(macop_t)mac_none_check_bpfdesc_receive },
+ { MAC_CHECK_CRED_VISIBLE,
+ (macop_t)mac_none_check_cred_visible },
{ MAC_CHECK_CONNECT_SOCKET,
(macop_t)mac_none_check_connect_socket },
- { MAC_CHECK_SEE_CRED,
- (macop_t)mac_none_check_see_cred },
- { MAC_CHECK_SEE_SOCKET,
- (macop_t)mac_none_check_see_socket },
+ { MAC_CHECK_SOCKET_VISIBLE,
+ (macop_t)mac_none_check_socket_visible },
{ MAC_CHECK_RELABEL_IFNET,
(macop_t)mac_none_check_relabel_ifnet },
{ MAC_CHECK_RELABEL_PIPE,
==== //depot/projects/trustedbsd/mac/sys/security/mac_partition/mac_partition.c#7 (text+ko) ====
@@ -188,7 +188,7 @@
}
static int
-mac_partition_check_see_cred(struct ucred *u1, struct ucred *u2)
+mac_partition_check_cred_visible(struct ucred *u1, struct ucred *u2)
{
int error;
@@ -198,7 +198,7 @@
}
static int
-mac_partition_check_see_socket(struct ucred *cred, struct socket *socket,
+mac_partition_check_socket_visible(struct ucred *cred, struct socket *socket,
struct label *socketlabel)
{
int error;
@@ -277,10 +277,10 @@
(macop_t)mac_partition_create_proc1 },
{ MAC_RELABEL_SUBJECT,
(macop_t)mac_partition_relabel_subject },
- { MAC_CHECK_SEE_CRED,
- (macop_t)mac_partition_check_see_cred },
- { MAC_CHECK_SEE_SOCKET,
- (macop_t)mac_partition_check_see_socket },
+ { MAC_CHECK_CRED_VISIBLE,
+ (macop_t)mac_partition_check_cred_visible },
+ { MAC_CHECK_SOCKET_VISIBLE,
+ (macop_t)mac_partition_check_socket_visible },
{ MAC_CHECK_RELABEL_SUBJECT,
(macop_t)mac_partition_check_relabel_subject },
{ MAC_CHECK_DEBUG_PROC,
==== //depot/projects/trustedbsd/mac/sys/security/mac_seeotheruids/mac_seeotheruids.c#12 (text+ko) ====
@@ -124,14 +124,14 @@
}
static int
-mac_seeotheruids_check_see_cred(struct ucred *u1, struct ucred *u2)
+mac_seeotheruids_check_cred_visible(struct ucred *u1, struct ucred *u2)
{
return (mac_seeotheruids_check(u1, u2));
}
static int
-mac_seeotheruids_check_see_socket(struct ucred *cred, struct socket *socket,
+mac_seeotheruids_check_socket_visible(struct ucred *cred, struct socket *socket,
struct label *socketlabel)
{
@@ -162,10 +162,10 @@
static struct mac_policy_op_entry mac_seeotheruids_ops[] =
{
- { MAC_CHECK_SEE_CRED,
- (macop_t)mac_seeotheruids_check_see_cred },
- { MAC_CHECK_SEE_SOCKET,
- (macop_t)mac_seeotheruids_check_see_socket },
+ { MAC_CHECK_CRED_VISIBLE,
+ (macop_t)mac_seeotheruids_check_cred_visible },
+ { MAC_CHECK_SOCKET_VISIBLE,
+ (macop_t)mac_seeotheruids_check_socket_visible },
{ MAC_CHECK_DEBUG_PROC,
(macop_t)mac_seeotheruids_check_debug_proc },
{ MAC_CHECK_SCHED_PROC,
==== //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.c#54 (text+ko) ====
@@ -698,6 +698,14 @@
}
static int
+mac_te_check_cred_visible(struct ucred *u1, struct ucred *u2)
+{
+
+ return (mac_te_check(SLOT(&u1->cr_label), SLOT(&u2->cr_label),
+ MAC_TE_CLASS_PROC, MAC_TE_OPERATION_PROC_SEE));
+}
+
+static int
mac_te_check_connect_socket(struct ucred *cred, struct socket *socket,
struct label *socketlabel, struct sockaddr *sockaddr)
{
@@ -735,6 +743,15 @@
MAC_TE_CLASS_MBUF, MAC_TE_OPERATION_MBUF_RECEIVE));
}
+static int
+mac_te_check_socket_visible(struct ucred *cred, struct socket *socket,
+ struct label *socketlabel)
+{
+
+ return (mac_te_check(SLOT(&cred->cr_label), SLOT(socketlabel),
+ MAC_TE_CLASS_SOCKET, MAC_TE_OPERATION_SOCKET_SEE));
+}
+
static void
mac_te_create_ifnet(struct ifnet *ifnet, struct label *ifnetlabel)
{
@@ -1132,23 +1149,6 @@
}
static int
-mac_te_check_see_cred(struct ucred *u1, struct ucred *u2)
-{
-
- return (mac_te_check(SLOT(&u1->cr_label), SLOT(&u2->cr_label),
- MAC_TE_CLASS_PROC, MAC_TE_OPERATION_PROC_SEE));
-}
-
-static int
-mac_te_check_see_socket(struct ucred *cred, struct socket *socket,
- struct label *socketlabel)
-{
-
- return (mac_te_check(SLOT(&cred->cr_label), SLOT(socketlabel),
- MAC_TE_CLASS_SOCKET, MAC_TE_OPERATION_SOCKET_SEE));
-}
-
-static int
mac_te_check_signal_proc(struct ucred *cred, struct proc *proc, int signum)
{
@@ -1747,14 +1747,16 @@
{ MAC_CREATE_PROC1, (macop_t)mac_te_create_proc1 },
{ MAC_RELABEL_SUBJECT, (macop_t)mac_te_relabel_subject },
{ MAC_RELABEL_VNODE, (macop_t)mac_te_relabel_vnode },
- { MAC_CHECK_SEE_CRED, (macop_t)mac_te_check_see_cred },
- { MAC_CHECK_SEE_SOCKET, (macop_t)mac_te_check_see_socket },
{ MAC_CHECK_BIND_SOCKET, (macop_t)mac_te_check_bind_socket },
{ MAC_CHECK_BPFDESC_RECEIVE, (macop_t)mac_te_check_bpfdesc_receive },
+ { MAC_CHECK_CRED_VISIBLE,
+ (macop_t)mac_te_check_cred_visible },
{ MAC_CHECK_CONNECT_SOCKET,
(macop_t)mac_te_check_connect_socket },
{ MAC_CHECK_LISTEN_SOCKET,
(macop_t)mac_te_check_listen_socket },
+ { MAC_CHECK_SOCKET_VISIBLE,
+ (macop_t)mac_te_check_socket_visible },
{ MAC_CHECK_RELABEL_IFNET,
(macop_t)mac_te_check_relabel_ifnet },
{ MAC_CHECK_RELABEL_PIPE,
==== //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#19 (text+ko) ====
@@ -773,22 +773,22 @@
}
static int
-mac_test_check_connect_socket(struct ucred *cred, struct socket *socket,
- struct label *socketlabel, struct sockaddr *sockaddr)
+mac_test_check_cred_visible(struct ucred *u1, struct ucred *u2)
{
return (0);
}
static int
-mac_test_check_see_cred(struct ucred *u1, struct ucred *u2)
+mac_test_check_connect_socket(struct ucred *cred, struct socket *socket,
+ struct label *socketlabel, struct sockaddr *sockaddr)
{
return (0);
}
static int
-mac_test_check_see_socket(struct ucred *cred, struct socket *socket,
+mac_test_check_socket_visible(struct ucred *cred, struct socket *socket,
struct label *socketlabel)
{
@@ -1226,12 +1226,12 @@
(macop_t)mac_test_check_bind_socket },
{ MAC_CHECK_BPFDESC_RECEIVE,
(macop_t)mac_test_check_bpfdesc_receive },
+ { MAC_CHECK_CRED_VISIBLE,
+ (macop_t)mac_test_check_cred_visible },
{ MAC_CHECK_CONNECT_SOCKET,
(macop_t)mac_test_check_connect_socket },
- { MAC_CHECK_SEE_CRED,
- (macop_t)mac_test_check_see_cred },
- { MAC_CHECK_SEE_SOCKET,
- (macop_t)mac_test_check_see_socket },
+ { MAC_CHECK_SOCKET_VISIBLE,
+ (macop_t)mac_test_check_socket_visible },
{ MAC_CHECK_RELABEL_IFNET,
(macop_t)mac_test_check_relabel_ifnet },
{ MAC_CHECK_RELABEL_PIPE,
==== //depot/projects/trustedbsd/mac/sys/sys/mac.h#125 (text+ko) ====
@@ -373,11 +373,11 @@
int mac_socket_can_receive(struct socket *so, struct mbuf *m);
/* Hooks for the proc-based "can"-checks. */
+int mac_check_cred_visible(struct ucred *u1, struct ucred *u2);
+int mac_check_socket_visible(struct ucred *cred, struct socket *so);
int mac_cred_candebug(struct ucred *cred, struct proc *proc);
int mac_cred_canexec(struct ucred *cred, struct vnode *vp);
int mac_cred_cansched(struct ucred *cred, struct proc *proc);
-int mac_cred_cansee(struct ucred *u1, struct ucred *u2);
-int mac_cred_canseesocket(struct ucred *cred, struct socket *socket);
int mac_cred_cansignal(struct ucred *cred, struct proc *proc, int signum);
/* Calls to help various file systems implement labeling using EAs. */
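Review bot: The new prototype `mac_check_socket_visible(struct ucred *cred, struct socket *so)` names its second parameter `so`, while the definition in `kern_mac.c` and the removed `mac_cred_canseesocket()` prototype use `socket`; one spelling would be easier to search for. The two added declarations also sit under `/* Hooks for the proc-based "can"-checks. */`, although they no longer follow the `mac_cred_can*` pattern and the socket check is gated on `mac_enforce_socket` rather than `mac_enforce_process`. A separate heading such as `/* Visibility checks for credentials and sockets. */` would describe them more accurately.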
==== //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#90 (text+ko) ====
@@ -234,11 +234,11 @@
int (*mpo_check_bpfdesc_receive)(struct bpf_d *bpf_d,
struct label *bpflabel, struct ifnet *ifnet,
struct label *ifnetlabel);
+ int (*mpo_check_cred_visible)(struct ucred *u1, struct ucred *u2);
int (*mpo_check_connect_socket)(struct ucred *cred,
struct socket *socket, struct label *socketlabel,
struct sockaddr *sockaddr);
- int (*mpo_check_see_cred)(struct ucred *u1, struct ucred *u2);
- int (*mpo_check_see_socket)(struct ucred *cred,
+ int (*mpo_check_socket_visible)(struct ucred *cred,
struct socket *socket, struct label *socketlabel);
int (*mpo_check_relabel_ifnet)(struct ucred *cred,
struct ifnet *ifnet, struct label *ifnetlabel,
@@ -413,8 +413,8 @@
MAC_RELABEL_SUBJECT,
MAC_CHECK_BIND_SOCKET,
MAC_CHECK_BPFDESC_RECEIVE,
- MAC_CHECK_SEE_CRED,
- MAC_CHECK_SEE_SOCKET,
+ MAC_CHECK_CRED_VISIBLE,
+ MAC_CHECK_SOCKET_VISIBLE,
MAC_CHECK_RELABEL_IFNET,
MAC_CHECK_RELABEL_PIPE,
MAC_CHECK_RELABEL_SOCKET,