PERFORCE change 15238 for review
Robert Watson
rwatson at freebsd.org
Tue Jul 30 22:49:49 GMT 2002
http://people.freebsd.org/~peter/p4db/chv.cgi?CH=15238
Change 15238 by rwatson at rwatson_tislabs on 2002/07/30 15:49:14
Integrate from the main FreeBSD tree. Largely these changes
are from committing MAC changes to the main tree, so they'll
get re-merged.
Affected files ...
.. //depot/projects/trustedbsd/base/sbin/fsck_ffs/Makefile#3 integrate
.. //depot/projects/trustedbsd/base/sbin/fsck_ffs/pass5.c#8 integrate
.. //depot/projects/trustedbsd/base/share/examples/isdn/FAQ#3 integrate
.. //depot/projects/trustedbsd/base/share/man/man7/ports.7#4 integrate
.. //depot/projects/trustedbsd/base/sys/conf/files#25 integrate
.. //depot/projects/trustedbsd/base/sys/dev/hme/if_hme.c#6 integrate
.. //depot/projects/trustedbsd/base/sys/kern/kern_mac.c#2 integrate
.. //depot/projects/trustedbsd/base/sys/kern/kern_sig.c#16 integrate
.. //depot/projects/trustedbsd/base/sys/kern/subr_mbuf.c#10 integrate
.. //depot/projects/trustedbsd/base/sys/kern/syscalls.master#13 integrate
.. //depot/projects/trustedbsd/base/sys/kern/vnode_if.src#9 integrate
.. //depot/projects/trustedbsd/base/sys/sys/mac.h#1 branch
.. //depot/projects/trustedbsd/base/sys/sys/mac_policy.h#1 branch
.. //depot/projects/trustedbsd/base/sys/sys/mbuf.h#9 integrate
.. //depot/projects/trustedbsd/base/sys/sys/mount.h#10 integrate
.. //depot/projects/trustedbsd/base/sys/sys/pipe.h#3 integrate
.. //depot/projects/trustedbsd/base/sys/sys/socketvar.h#16 integrate
.. //depot/projects/trustedbsd/base/sys/sys/ucred.h#8 integrate
.. //depot/projects/trustedbsd/base/sys/sys/vnode.h#17 integrate
.. //depot/projects/trustedbsd/base/usr.sbin/mergemaster/mergemaster.8#6 integrate
.. //depot/projects/trustedbsd/base/usr.sbin/ppp/ppp.8.m4#9 integrate
Differences ...
==== //depot/projects/trustedbsd/base/sbin/fsck_ffs/Makefile#3 (text+ko) ====
@@ -1,4 +1,4 @@
-# $FreeBSD: src/sbin/fsck_ffs/Makefile,v 1.10 2001/12/04 02:19:46 obrien Exp $
+# $FreeBSD: src/sbin/fsck_ffs/Makefile,v 1.11 2002/07/30 20:49:29 phk Exp $
# @(#)Makefile 8.2 (Berkeley) 4/27/95
PROG= fsck_ffs
@@ -7,7 +7,8 @@
MAN= fsck_ffs.8
SRCS= dir.c fsutil.c inode.c main.c pass1.c pass1b.c pass2.c pass3.c pass4.c \
pass5.c setup.c utilities.c ffs_subr.c ffs_tables.c
-WARNS= 0
+WARNS= 2
+CFLAGS+= -I${.CURDIR}
.PATH: ${.CURDIR}/../../sys/ufs/ffs
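Review bot: The new `CFLAGS+= -I${.CURDIR}` line carries no explanation of why the program's own directory has to be put on the include path when the sources already live there. The likely reason, given the `.PATH: ${.CURDIR}/../../sys/ufs/ffs` line right below, is that ffs_subr.c and ffs_tables.c are compiled from the sys tree and would otherwise not find fsck_ffs's local headers once WARNS is raised to 2; that is inferred, not visible here. A short trailing comment would spare the next reader the same reconstruction, e.g. `CFLAGS+= -I${.CURDIR}	# local headers for the ffs sources pulled in via .PATH`.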
==== //depot/projects/trustedbsd/base/sbin/fsck_ffs/pass5.c#8 (text+ko) ====
@@ -36,7 +36,7 @@
static const char sccsid[] = "@(#)pass5.c 8.9 (Berkeley) 4/28/95";
#endif
static const char rcsid[] =
- "$FreeBSD: src/sbin/fsck_ffs/pass5.c,v 1.29 2002/07/30 13:01:21 phk Exp $";
+ "$FreeBSD: src/sbin/fsck_ffs/pass5.c,v 1.30 2002/07/30 20:49:29 phk Exp $";
#endif /* not lint */
#include <sys/param.h>
@@ -382,7 +382,6 @@
aend = n;
continue;
}
- returntosingle = 1;
if (astart == aend)
(*msg)("ALLOCATED %s %d MARKED FREE\n",
name, astart);
@@ -419,7 +418,6 @@
pwarn("%s %sS %d-%ld MARKED USED\n",
"UNALLOCATED", name, ustart,
ustart + size - 1);
- returntosingle = 1;
if (bkgrdflag != 0) {
cmd.value = ustart;
cmd.size = size;
@@ -462,7 +460,6 @@
pwarn("UNALLOCATED %sS %d-%ld MARKED USED\n",
name, ustart, ustart + size - 1);
}
- returntosingle = 1;
if (bkgrdflag != 0) {
cmd.value = ustart;
cmd.size = size;
==== //depot/projects/trustedbsd/base/share/examples/isdn/FAQ#3 (text+ko) ====
@@ -5,7 +5,7 @@
last edit-date: [Wed Nov 1 15:08:03 2000]
- $FreeBSD: src/share/examples/isdn/FAQ,v 1.11 2002/05/11 06:06:11 dd Exp $
+ $FreeBSD: src/share/examples/isdn/FAQ,v 1.12 2002/07/30 21:14:15 blackend Exp $
--------------------------------------------------------------------------------
@@ -910,8 +910,8 @@
More information to ppp setup can be found at
http://www.Awfulhak.org/ppp.html
- http://www.freebsd.org/handbook/ppp-and-slip.html
- http://www.freebsd.org/FAQ/userppp.html
+ http://www.freebsd.org/doc/handbook/ppp-and-slip.html
+ http://www.freebsd.org/doc/faq/ppp.html
and in the directory "user-ppp" of the isdn4bsd distribution.
==== //depot/projects/trustedbsd/base/share/man/man7/ports.7#4 (text+ko) ====
@@ -23,7 +23,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $FreeBSD: src/share/man/man7/ports.7,v 1.31 2002/03/18 10:07:22 ru Exp $
+.\" $FreeBSD: src/share/man/man7/ports.7,v 1.32 2002/07/30 21:04:26 blackend Exp $
.\"
.Dd January 25, 1998
.Dt PORTS 7
@@ -75,12 +75,12 @@
.%B "The FreeBSD Handbook" ,
.Pa ( file:/usr/share/doc/handbook/ports.html
or
-.Pa http://www.FreeBSD.org/handbook/ports.html ) .
+.Pa http://www.FreeBSD.org/doc/handbook/ports.html ) .
For information about creating new ports, see
.%B "The Porter's Handbook"
.Pa ( file:/usr/share/doc/porters-handbook/index.html
or
-.Pa http://www.FreeBSD.org/porters-handbook/index.html ) .
+.Pa http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/porters-handbook/ ) .
.Sh TARGETS
Some of the targets work recursively through subdirectories.
This lets you, for example, install all of the
==== //depot/projects/trustedbsd/base/sys/conf/files#25 (text+ko) ====
@@ -1,4 +1,4 @@
-# $FreeBSD: src/sys/conf/files,v 1.677 2002/07/30 19:35:20 iwasaki Exp $
+# $FreeBSD: src/sys/conf/files,v 1.678 2002/07/30 22:28:43 imp Exp $
#
# The long compile-with and dependency lines are required because of
# limitations in config: backslash-newline doesn't work in strings, and
@@ -984,11 +984,12 @@
# of the files in libkern/ are only needed on some architectures, e.g.,
# libkern/divdi3.c is needed by i386 but not alpha. Also, some of these
# routines may be optimized for a particular platform. In either case,
-# the file should be moved to <arch>/conf/files.<arch> from here.
+# the file should be moved to conf/files.<arch> from here.
#
libkern/arc4random.c standard
libkern/bcd.c standard
libkern/bsearch.c standard
+libkern/crc32.c standard
libkern/iconv.c optional libiconv
libkern/iconv_converter_if.m optional libiconv
libkern/iconv_xlat.c optional libiconv
@@ -1011,7 +1012,6 @@
libkern/strtoul.c standard
libkern/strtouq.c standard
libkern/strvalid.c standard
-libkern/crc32.c standard
net/bpf.c standard
net/bpf_filter.c optional bpf
bpf.h standard \
==== //depot/projects/trustedbsd/base/sys/dev/hme/if_hme.c#6 (text+ko) ====
@@ -36,7 +36,7 @@
*
* from: NetBSD: hme.c,v 1.20 2000/12/14 06:27:25 thorpej Exp
*
- * $FreeBSD: src/sys/dev/hme/if_hme.c,v 1.5 2002/07/14 12:09:48 tmm Exp $
+ * $FreeBSD: src/sys/dev/hme/if_hme.c,v 1.6 2002/07/30 21:47:14 fenner Exp $
*/
/*
@@ -70,6 +70,7 @@
#include <sys/socket.h>
#include <sys/sockio.h>
+#include <net/bpf.h>
#include <net/ethernet.h>
#include <net/if.h>
#include <net/if_arp.h>
@@ -1052,8 +1053,11 @@
ifp->if_flags |= IFF_OACTIVE;
IF_PREPEND(&ifp->if_snd, m);
break;
- } else
+ } else {
enq = 1;
+ if (ifp->if_bpf)
+ bpf_mtap(ifp, m);
+ }
}
if (sc->sc_rb.rb_td_nbusy == HME_NTXDESC || error == -1)
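Review bot: The new `bpf_mtap(ifp, m)` call on the enqueued path is uncommented, and its placement matters: it runs after the mbuf has already been handed to the transmit path, so it depends on `m` still being owned and intact at that point, which cannot be confirmed from the hunk since the enclosing function starts and ends outside it. The `if (ifp->if_bpf)` guard before the call is the expected pattern for this driver's era, and tapping only the success branch (not the `IF_PREPEND` retry branch) avoids reporting the same frame twice. A one-line comment would make the intent and the ownership assumption explicit, e.g. `/* Tap the frame for BPF listeners; m is presumably still ours until the ring is reclaimed. */`.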
==== //depot/projects/trustedbsd/base/sys/kern/kern_mac.c#2 (text+ko) ====
@@ -36,7 +36,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $FreeBSD: src/sys/kern/kern_mac.c,v 1.1 2002/07/30 02:04:05 rwatson Exp $
+ * $FreeBSD: src/sys/kern/kern_mac.c,v 1.2 2002/07/30 21:36:05 rwatson Exp $
*/
/*
* Developed by the TrustedBSD Project.
@@ -47,13 +47,3027 @@
#include "opt_mac.h"
#include <sys/param.h>
+#include <sys/extattr.h>
+#include <sys/kernel.h>
+#include <sys/lock.h>
+#include <sys/mutex.h>
+#include <sys/sx.h>
+#include <sys/mac.h>
+#include <sys/proc.h>
+#include <sys/systm.h>
#include <sys/sysproto.h>
#include <sys/sysent.h>
+#include <sys/vnode.h>
+#include <sys/mount.h>
+#include <sys/file.h>
+#include <sys/namei.h>
+#include <sys/socket.h>
+#include <sys/pipe.h>
+#include <sys/socketvar.h>
+#include <sys/sx.h>
+#include <sys/sysctl.h>
+
+#include <vm/vm.h>
+#include <vm/pmap.h>
+#include <vm/vm_map.h>
+#include <vm/vm_object.h>
+
+#include <sys/mac_policy.h>
+
+#include <fs/devfs/devfs.h>
+
+#include <net/bpf.h>
+#include <net/bpfdesc.h>
+#include <net/if.h>
+#include <net/if_var.h>
+
+#include <netinet/in.h>
+#include <netinet/ip_var.h>
+
+#ifdef MAC
+
+SYSCTL_DECL(_security);
+
+SYSCTL_NODE(_security, OID_AUTO, mac, CTLFLAG_RW, 0,
+ "TrustedBSD MAC policy controls");
+SYSCTL_NODE(_security_mac, OID_AUTO, debug, CTLFLAG_RW, 0,
+ "TrustedBSD MAC debug info");
+
+static int mac_debug_label_fallback = 0;
+SYSCTL_INT(_security_mac_debug, OID_AUTO, label_fallback, CTLFLAG_RW,
+ &mac_debug_label_fallback, 0, "Filesystems should fall back to fs label"
+ "when label is corrupted.");
+TUNABLE_INT("security.mac.debug_label_fallback",
+ &mac_debug_label_fallback);
+
+#ifndef MAC_MAX_POLICIES
+#define MAC_MAX_POLICIES 8
+#endif
+#if MAC_MAX_POLICIES > 32
+#error "MAC_MAX_POLICIES too large"
+#endif
+static unsigned int mac_max_policies = MAC_MAX_POLICIES;
+static unsigned int mac_policy_offsets_free = (1 << MAC_MAX_POLICIES) - 1;
+SYSCTL_UINT(_security_mac, OID_AUTO, max_policies, CTLFLAG_RD,
+ &mac_max_policies, 0, "");
+
+static int mac_late = 0;
+
+static int mac_enforce_fs = 1;
+SYSCTL_INT(_security_mac, OID_AUTO, enforce_fs, CTLFLAG_RW,
+ &mac_enforce_fs, 0, "Enforce MAC policy on file system objects");
+TUNABLE_INT("security.mac.enforce_fs", &mac_enforce_fs);
+
+static int mac_enforce_network = 1;
+SYSCTL_INT(_security_mac, OID_AUTO, enforce_network, CTLFLAG_RW,
+ &mac_enforce_network, 0, "Enforce MAC policy on network packets");
+TUNABLE_INT("security.mac.enforce_network", &mac_enforce_network);
+
+static int mac_enforce_process = 1;
+SYSCTL_INT(_security_mac, OID_AUTO, enforce_process, CTLFLAG_RW,
+ &mac_enforce_process, 0, "Enforce MAC policy on inter-process operations");
+TUNABLE_INT("security.mac.enforce_process", &mac_enforce_process);
+
+static int mac_enforce_socket = 1;
+SYSCTL_INT(_security_mac, OID_AUTO, enforce_socket, CTLFLAG_RW,
+ &mac_enforce_socket, 0, "Enforce MAC policy on socket operations");
+TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket);
+
+static int mac_enforce_pipe = 1;
+SYSCTL_INT(_security_mac, OID_AUTO, enforce_pipe, CTLFLAG_RW,
+ &mac_enforce_pipe, 0, "Enforce MAC policy on pipe operations");
+
+static int mac_label_size = sizeof(struct mac);
+SYSCTL_INT(_security_mac, OID_AUTO, label_size, CTLFLAG_RD,
+ &mac_label_size, 0, "Pre-compiled MAC label size");
+
+static int mac_cache_fslabel_in_vnode = 1;
+SYSCTL_INT(_security_mac, OID_AUTO, cache_fslabel_in_vnode, CTLFLAG_RW,
+ &mac_cache_fslabel_in_vnode, 0, "Cache mount fslabel in vnode");
+TUNABLE_INT("security.mac.cache_fslabel_in_vnode",
+ &mac_cache_fslabel_in_vnode);
+
+static int mac_vnode_label_cache_hits = 0;
+SYSCTL_INT(_security_mac, OID_AUTO, vnode_label_cache_hits, CTLFLAG_RD,
+ &mac_vnode_label_cache_hits, 0, "Cache hits on vnode labels");
+static int mac_vnode_label_cache_misses = 0;
+SYSCTL_INT(_security_mac, OID_AUTO, vnode_label_cache_misses, CTLFLAG_RD,
+ &mac_vnode_label_cache_misses, 0, "Cache misses on vnode labels");
+static int mac_mmap_revocation_via_cow = 1;
+SYSCTL_INT(_security_mac, OID_AUTO, mmap_revocation_via_cow, CTLFLAG_RW,
+ &mac_mmap_revocation_via_cow, 0, "Revoke mmap access to files via "
+ "copy-on-write semantics, or by removing all write access");
+
+static unsigned int nmacmbufs, nmaccreds, nmacifnets, nmacbpfdescs,
+ nmacsockets, nmacmounts, nmactemp, nmacvnodes, nmacdevfsdirents,
+ nmacipqs, nmacpipes;
+SYSCTL_UINT(_security_mac_debug, OID_AUTO, mbufs, CTLFLAG_RD,
+ &nmacmbufs, 0, "number of mbufs in use");
+SYSCTL_UINT(_security_mac_debug, OID_AUTO, creds, CTLFLAG_RD,
+ &nmaccreds, 0, "number of ucreds in use");
+SYSCTL_UINT(_security_mac_debug, OID_AUTO, ifnets, CTLFLAG_RD,
+ &nmacifnets, 0, "number of ifnets in use");
+SYSCTL_UINT(_security_mac_debug, OID_AUTO, ipqs, CTLFLAG_RD,
+ &nmacipqs, 0, "number of ipqs in use");
+SYSCTL_UINT(_security_mac_debug, OID_AUTO, bpfdescs, CTLFLAG_RD,
+ &nmacbpfdescs, 0, "number of bpfdescs in use");
+SYSCTL_UINT(_security_mac_debug, OID_AUTO, sockets, CTLFLAG_RD,
+ &nmacsockets, 0, "number of sockets in use");
+SYSCTL_UINT(_security_mac_debug, OID_AUTO, pipes, CTLFLAG_RD,
+ &nmacpipes, 0, "number of pipes in use");
+SYSCTL_UINT(_security_mac_debug, OID_AUTO, mounts, CTLFLAG_RD,
+ &nmacmounts, 0, "number of mounts in use");
+SYSCTL_UINT(_security_mac_debug, OID_AUTO, temp, CTLFLAG_RD,
+ &nmactemp, 0, "number of temporary labels in use");
+SYSCTL_UINT(_security_mac_debug, OID_AUTO, vnodes, CTLFLAG_RD,
+ &nmacvnodes, 0, "number of vnodes in use");
+SYSCTL_UINT(_security_mac_debug, OID_AUTO, devfsdirents, CTLFLAG_RD,
+ &nmacdevfsdirents, 0, "number of devfs dirents inuse");
+
+static int error_select(int error1, int error2);
+static int mac_externalize(struct label *label, struct mac *mac);
+static int mac_policy_register(struct mac_policy_conf *mpc);
+static int mac_policy_unregister(struct mac_policy_conf *mpc);
+
+static int mac_stdcreatevnode_ea(struct vnode *vp);
+static void mac_cred_mmapped_drop_perms(struct thread *td,
+ struct ucred *cred);
+static void mac_cred_mmapped_drop_perms_recurse(struct thread *td,
+ struct ucred *cred, struct vm_map *map);
+
+MALLOC_DEFINE(M_MACOPVEC, "macopvec", "MAC policy operation vector");
+MALLOC_DEFINE(M_MACPIPELABEL, "macpipelabel", "MAC labels for pipes");
+
+/*
+ * mac_policy_list_lock protects the consistency of 'mac_policy_list',
+ * the linked list of attached policy modules. Read-only consumers of
+ * the list must acquire a shared lock for the duration of their use;
+ * writers must acquire an exclusive lock. Note that for compound
+ * operations, locks should be held for the entire compound operation,
+ * and that this is not yet done for relabel requests.
+ */
+static struct mtx mac_policy_list_lock;
+static LIST_HEAD(, mac_policy_conf) mac_policy_list;
+static int mac_policy_list_busy;
+#define MAC_POLICY_LIST_LOCKINIT() mtx_init(&mac_policy_list_lock, \
+ "mac_policy_list_lock", NULL, MTX_DEF);
+#define MAC_POLICY_LIST_LOCK() mtx_lock(&mac_policy_list_lock);
+#define MAC_POLICY_LIST_UNLOCK() mtx_unlock(&mac_policy_list_lock);
+
+#define MAC_POLICY_LIST_BUSY() do { \
+ MAC_POLICY_LIST_LOCK(); \
+ mac_policy_list_busy++; \
+ MAC_POLICY_LIST_UNLOCK(); \
+} while (0)
+
+#define MAC_POLICY_LIST_UNBUSY() do { \
+ MAC_POLICY_LIST_LOCK(); \
+ mac_policy_list_busy--; \
+ if (mac_policy_list_busy < 0) \
+ panic("Extra mac_policy_list_busy--"); \
+ MAC_POLICY_LIST_UNLOCK(); \
+} while (0)
+
+/*
+ * MAC_CHECK performs the designated check by walking the policy
+ * module list and checking with each as to how it feels about the
+ * request. Note that it returns its value via 'error' in the scope
+ * of the caller.
+ */
+#define MAC_CHECK(check, args...) do { \
+ struct mac_policy_conf *mpc; \
+ \
+ error = 0; \
+ MAC_POLICY_LIST_BUSY(); \
+ LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { \
+ if (mpc->mpc_ops->mpo_ ## check != NULL) \
+ error = error_select( \
+ mpc->mpc_ops->mpo_ ## check (args), \
+ error); \
+ } \
+ MAC_POLICY_LIST_UNBUSY(); \
+} while (0)
+
+/*
+ * MAC_BOOLEAN performs the designated boolean composition by walking
+ * the module list, invoking each instance of the operation, and
+ * combining the results using the passed C operator. Note that it
+ * returns its value via 'result' in the scope of the caller, which
+ * should be initialized by the caller in a meaningful way to get
+ * a meaningful result.
+ */
+#define MAC_BOOLEAN(operation, composition, args...) do { \
+ struct mac_policy_conf *mpc; \
+ \
+ MAC_POLICY_LIST_BUSY(); \
+ LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { \
+ if (mpc->mpc_ops->mpo_ ## operation != NULL) \
+ result = result composition \
+ mpc->mpc_ops->mpo_ ## operation (args); \
+ } \
+ MAC_POLICY_LIST_UNBUSY(); \
+} while (0)
+
+/*
+ * MAC_PERFORM performs the designated operation by walking the policy
+ * module list and invoking that operation for each policy.
+ */
+#define MAC_PERFORM(operation, args...) do { \
+ struct mac_policy_conf *mpc; \
+ \
+ MAC_POLICY_LIST_BUSY(); \
+ LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { \
+ if (mpc->mpc_ops->mpo_ ## operation != NULL) \
+ mpc->mpc_ops->mpo_ ## operation (args); \
+ } \
+ MAC_POLICY_LIST_UNBUSY(); \
+} while (0)
+
+/*
+ * Initialize the MAC subsystem, including appropriate SMP locks.
+ */
+static void
+mac_init(void)
+{
+
+ LIST_INIT(&mac_policy_list);
+ MAC_POLICY_LIST_LOCKINIT();
+}
+
+/*
+ * For the purposes of modules that want to know if they were loaded
+ * "early", set the mac_late flag once we've processed modules either
+ * linked into the kernel, or loaded before the kernel startup.
+ */
+static void
+mac_late_init(void)
+{
+
+ mac_late = 1;
+}
+
+/*
+ * Allow MAC policy modules to register during boot, etc.
+ */
+int
+mac_policy_modevent(module_t mod, int type, void *data)
+{
+ struct mac_policy_conf *mpc;
+ int error;
+
+ error = 0;
+ mpc = (struct mac_policy_conf *) data;
+
+ switch (type) {
+ case MOD_LOAD:
+ if (mpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_NOTLATE &&
+ mac_late) {
+ printf("mac_policy_modevent: can't load %s policy "
+ "after booting\n", mpc->mpc_name);
+ error = EBUSY;
+ break;
+ }
+ error = mac_policy_register(mpc);
+ break;
+ case MOD_UNLOAD:
+ /* Don't unregister the module if it was never registered. */
+ if ((mpc->mpc_runtime_flags & MPC_RUNTIME_FLAG_REGISTERED)
+ != 0)
+ error = mac_policy_unregister(mpc);
+ else
+ error = 0;
+ break;
+ default:
+ break;
+ }
+
+ return (error);
+}
+
+static int
+mac_policy_register(struct mac_policy_conf *mpc)
+{
+ struct mac_policy_conf *tmpc;
+ struct mac_policy_ops *ops;
+ struct mac_policy_op_entry *mpe;
+ int slot;
+
+ MALLOC(mpc->mpc_ops, struct mac_policy_ops *, sizeof(*ops), M_MACOPVEC,
+ M_WAITOK | M_ZERO);
+ for (mpe = mpc->mpc_entries; mpe->mpe_constant != MAC_OP_LAST; mpe++) {
+ switch (mpe->mpe_constant) {
+ case MAC_OP_LAST:
+ /*
+ * Doesn't actually happen, but this allows checking
+ * that all enumerated values are handled.
+ */
+ break;
+ case MAC_DESTROY:
+ mpc->mpc_ops->mpo_destroy =
+ mpe->mpe_function;
+ break;
+ case MAC_INIT:
+ mpc->mpc_ops->mpo_init =
+ mpe->mpe_function;
+ break;
+ case MAC_INIT_BPFDESC:
+ mpc->mpc_ops->mpo_init_bpfdesc =
+ mpe->mpe_function;
+ break;
+ case MAC_INIT_CRED:
+ mpc->mpc_ops->mpo_init_cred =
+ mpe->mpe_function;
+ break;
+ case MAC_INIT_DEVFSDIRENT:
+ mpc->mpc_ops->mpo_init_devfsdirent =
+ mpe->mpe_function;
+ break;
+ case MAC_INIT_IFNET:
+ mpc->mpc_ops->mpo_init_ifnet =
+ mpe->mpe_function;
+ break;
+ case MAC_INIT_IPQ:
+ mpc->mpc_ops->mpo_init_ipq =
+ mpe->mpe_function;
+ break;
+ case MAC_INIT_MBUF:
+ mpc->mpc_ops->mpo_init_mbuf =
+ mpe->mpe_function;
+ break;
+ case MAC_INIT_MOUNT:
+ mpc->mpc_ops->mpo_init_mount =
+ mpe->mpe_function;
+ break;
+ case MAC_INIT_PIPE:
+ mpc->mpc_ops->mpo_init_pipe =
+ mpe->mpe_function;
+ break;
+ case MAC_INIT_SOCKET:
+ mpc->mpc_ops->mpo_init_socket =
+ mpe->mpe_function;
+ break;
+ case MAC_INIT_TEMP:
+ mpc->mpc_ops->mpo_init_temp =
+ mpe->mpe_function;
+ break;
+ case MAC_INIT_VNODE:
+ mpc->mpc_ops->mpo_init_vnode =
+ mpe->mpe_function;
+ break;
+ case MAC_DESTROY_BPFDESC:
+ mpc->mpc_ops->mpo_destroy_bpfdesc =
+ mpe->mpe_function;
+ break;
+ case MAC_DESTROY_CRED:
+ mpc->mpc_ops->mpo_destroy_cred =
+ mpe->mpe_function;
+ break;
+ case MAC_DESTROY_DEVFSDIRENT:
+ mpc->mpc_ops->mpo_destroy_devfsdirent =
+ mpe->mpe_function;
+ break;
+ case MAC_DESTROY_IFNET:
+ mpc->mpc_ops->mpo_destroy_ifnet =
+ mpe->mpe_function;
+ break;
+ case MAC_DESTROY_IPQ:
+ mpc->mpc_ops->mpo_destroy_ipq =
+ mpe->mpe_function;
+ break;
+ case MAC_DESTROY_MBUF:
+ mpc->mpc_ops->mpo_destroy_mbuf =
+ mpe->mpe_function;
+ break;
+ case MAC_DESTROY_MOUNT:
+ mpc->mpc_ops->mpo_destroy_mount =
+ mpe->mpe_function;
+ break;
+ case MAC_DESTROY_PIPE:
+ mpc->mpc_ops->mpo_destroy_pipe =
+ mpe->mpe_function;
+ break;
+ case MAC_DESTROY_SOCKET:
+ mpc->mpc_ops->mpo_destroy_socket =
+ mpe->mpe_function;
+ break;
+ case MAC_DESTROY_TEMP:
+ mpc->mpc_ops->mpo_destroy_temp =
+ mpe->mpe_function;
+ break;
+ case MAC_DESTROY_VNODE:
+ mpc->mpc_ops->mpo_destroy_vnode =
+ mpe->mpe_function;
+ break;
+ case MAC_EXTERNALIZE:
+ mpc->mpc_ops->mpo_externalize =
+ mpe->mpe_function;
+ break;
+ case MAC_INTERNALIZE:
+ mpc->mpc_ops->mpo_internalize =
+ mpe->mpe_function;
+ break;
+ case MAC_CREATE_DEVFS_DEVICE:
+ mpc->mpc_ops->mpo_create_devfs_device =
+ mpe->mpe_function;
+ break;
+ case MAC_CREATE_DEVFS_DIRECTORY:
+ mpc->mpc_ops->mpo_create_devfs_directory =
+ mpe->mpe_function;
+ break;
+ case MAC_CREATE_DEVFS_VNODE:
+ mpc->mpc_ops->mpo_create_devfs_vnode =
+ mpe->mpe_function;
+ break;
+ case MAC_STDCREATEVNODE_EA:
+ mpc->mpc_ops->mpo_stdcreatevnode_ea =
+ mpe->mpe_function;
+ break;
+ case MAC_CREATE_VNODE:
+ mpc->mpc_ops->mpo_create_vnode =
+ mpe->mpe_function;
+ break;
+ case MAC_CREATE_MOUNT:
+ mpc->mpc_ops->mpo_create_mount =
+ mpe->mpe_function;
+ break;
+ case MAC_CREATE_ROOT_MOUNT:
+ mpc->mpc_ops->mpo_create_root_mount =
+ mpe->mpe_function;
+ break;
+ case MAC_RELABEL_VNODE:
+ mpc->mpc_ops->mpo_relabel_vnode =
+ mpe->mpe_function;
+ break;
+ case MAC_UPDATE_DEVFSDIRENT:
+ mpc->mpc_ops->mpo_update_devfsdirent =
+ mpe->mpe_function;
+ break;
+ case MAC_UPDATE_PROCFSVNODE:
+ mpc->mpc_ops->mpo_update_procfsvnode =
+ mpe->mpe_function;
+ break;
+ case MAC_UPDATE_VNODE_FROM_EXTATTR:
+ mpc->mpc_ops->mpo_update_vnode_from_extattr =
+ mpe->mpe_function;
+ break;
+ case MAC_UPDATE_VNODE_FROM_EXTERNALIZED:
+ mpc->mpc_ops->mpo_update_vnode_from_externalized =
+ mpe->mpe_function;
+ break;
+ case MAC_UPDATE_VNODE_FROM_MOUNT:
+ mpc->mpc_ops->mpo_update_vnode_from_mount =
+ mpe->mpe_function;
+ break;
+ case MAC_CREATE_MBUF_FROM_SOCKET:
+ mpc->mpc_ops->mpo_create_mbuf_from_socket =
+ mpe->mpe_function;
+ break;
+ case MAC_CREATE_PIPE:
+ mpc->mpc_ops->mpo_create_pipe =
+ mpe->mpe_function;
+ break;
+ case MAC_CREATE_SOCKET:
+ mpc->mpc_ops->mpo_create_socket =
+ mpe->mpe_function;
+ break;
+ case MAC_CREATE_SOCKET_FROM_SOCKET:
+ mpc->mpc_ops->mpo_create_socket_from_socket =
+ mpe->mpe_function;
+ break;
+ case MAC_RELABEL_PIPE:
+ mpc->mpc_ops->mpo_relabel_pipe =
+ mpe->mpe_function;
+ break;
+ case MAC_RELABEL_SOCKET:
+ mpc->mpc_ops->mpo_relabel_socket =
+ mpe->mpe_function;
+ break;
+ case MAC_SET_SOCKET_PEER_FROM_MBUF:
+ mpc->mpc_ops->mpo_set_socket_peer_from_mbuf =
+ mpe->mpe_function;
+ break;
+ case MAC_SET_SOCKET_PEER_FROM_SOCKET:
+ mpc->mpc_ops->mpo_set_socket_peer_from_socket =
+ mpe->mpe_function;
+ break;
+ case MAC_CREATE_BPFDESC:
+ mpc->mpc_ops->mpo_create_bpfdesc =
+ mpe->mpe_function;
+ break;
+ case MAC_CREATE_DATAGRAM_FROM_IPQ:
+ mpc->mpc_ops->mpo_create_datagram_from_ipq =
+ mpe->mpe_function;
+ break;
+ case MAC_CREATE_FRAGMENT:
+ mpc->mpc_ops->mpo_create_fragment =
+ mpe->mpe_function;
+ break;
+ case MAC_CREATE_IFNET:
+ mpc->mpc_ops->mpo_create_ifnet =
+ mpe->mpe_function;
+ break;
+ case MAC_CREATE_IPQ:
+ mpc->mpc_ops->mpo_create_ipq =
+ mpe->mpe_function;
+ break;
+ case MAC_CREATE_MBUF_FROM_MBUF:
+ mpc->mpc_ops->mpo_create_mbuf_from_mbuf =
+ mpe->mpe_function;
+ break;
+ case MAC_CREATE_MBUF_LINKLAYER:
+ mpc->mpc_ops->mpo_create_mbuf_linklayer =
+ mpe->mpe_function;
+ break;
+ case MAC_CREATE_MBUF_FROM_BPFDESC:
+ mpc->mpc_ops->mpo_create_mbuf_from_bpfdesc =
+ mpe->mpe_function;
+ break;
+ case MAC_CREATE_MBUF_FROM_IFNET:
+ mpc->mpc_ops->mpo_create_mbuf_from_ifnet =
+ mpe->mpe_function;
+ break;
+ case MAC_CREATE_MBUF_MULTICAST_ENCAP:
+ mpc->mpc_ops->mpo_create_mbuf_multicast_encap =
+ mpe->mpe_function;
+ break;
+ case MAC_CREATE_MBUF_NETLAYER:
+ mpc->mpc_ops->mpo_create_mbuf_netlayer =
+ mpe->mpe_function;
+ break;
+ case MAC_FRAGMENT_MATCH:
+ mpc->mpc_ops->mpo_fragment_match =
+ mpe->mpe_function;
+ break;
+ case MAC_RELABEL_IFNET:
+ mpc->mpc_ops->mpo_relabel_ifnet =
+ mpe->mpe_function;
+ break;
+ case MAC_UPDATE_IPQ:
+ mpc->mpc_ops->mpo_update_ipq =
+ mpe->mpe_function;
+ break;
+ case MAC_CREATE_CRED:
+ mpc->mpc_ops->mpo_create_cred =
+ mpe->mpe_function;
+ break;
+ case MAC_EXECVE_TRANSITION:
+ mpc->mpc_ops->mpo_execve_transition =
+ mpe->mpe_function;
+ break;
+ case MAC_EXECVE_WILL_TRANSITION:
+ mpc->mpc_ops->mpo_execve_will_transition =
+ mpe->mpe_function;
+ break;
+ case MAC_CREATE_PROC0:
+ mpc->mpc_ops->mpo_create_proc0 = mpe->mpe_function;
+ break;
+ case MAC_CREATE_PROC1:
+ mpc->mpc_ops->mpo_create_proc1 = mpe->mpe_function;
+ break;
+ case MAC_RELABEL_CRED:
+ mpc->mpc_ops->mpo_relabel_cred =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_BPFDESC_RECEIVE:
+ mpc->mpc_ops->mpo_check_bpfdesc_receive =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_CRED_RELABEL:
+ mpc->mpc_ops->mpo_check_cred_relabel =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_CRED_VISIBLE:
+ mpc->mpc_ops->mpo_check_cred_visible =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_IFNET_RELABEL:
+ mpc->mpc_ops->mpo_check_ifnet_relabel =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_IFNET_TRANSMIT:
+ mpc->mpc_ops->mpo_check_ifnet_transmit =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_MOUNT_STAT:
+ mpc->mpc_ops->mpo_check_mount_stat =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_PIPE_IOCTL:
+ mpc->mpc_ops->mpo_check_pipe_ioctl =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_PIPE_OP:
+ mpc->mpc_ops->mpo_check_pipe_op =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_PIPE_RELABEL:
+ mpc->mpc_ops->mpo_check_pipe_relabel =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_PROC_DEBUG:
+ mpc->mpc_ops->mpo_check_proc_debug =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_PROC_SCHED:
+ mpc->mpc_ops->mpo_check_proc_sched =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_PROC_SIGNAL:
+ mpc->mpc_ops->mpo_check_proc_signal =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_SOCKET_BIND:
+ mpc->mpc_ops->mpo_check_socket_bind =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_SOCKET_CONNECT:
+ mpc->mpc_ops->mpo_check_socket_connect =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_SOCKET_LISTEN:
+ mpc->mpc_ops->mpo_check_socket_listen =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_SOCKET_RECEIVE:
+ mpc->mpc_ops->mpo_check_socket_receive =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_SOCKET_RELABEL:
+ mpc->mpc_ops->mpo_check_socket_relabel =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_SOCKET_VISIBLE:
+ mpc->mpc_ops->mpo_check_socket_visible =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_VNODE_ACCESS:
+ mpc->mpc_ops->mpo_check_vnode_access =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_VNODE_CHDIR:
+ mpc->mpc_ops->mpo_check_vnode_chdir =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_VNODE_CHROOT:
+ mpc->mpc_ops->mpo_check_vnode_chroot =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_VNODE_CREATE:
+ mpc->mpc_ops->mpo_check_vnode_create =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_VNODE_DELETE:
+ mpc->mpc_ops->mpo_check_vnode_delete =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_VNODE_DELETEACL:
+ mpc->mpc_ops->mpo_check_vnode_deleteacl =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_VNODE_EXEC:
+ mpc->mpc_ops->mpo_check_vnode_exec =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_VNODE_GETACL:
+ mpc->mpc_ops->mpo_check_vnode_getacl =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_VNODE_GETEXTATTR:
+ mpc->mpc_ops->mpo_check_vnode_getextattr =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_VNODE_LOOKUP:
+ mpc->mpc_ops->mpo_check_vnode_lookup =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_VNODE_MMAP_PERMS:
+ mpc->mpc_ops->mpo_check_vnode_mmap_perms =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_VNODE_OP:
+ mpc->mpc_ops->mpo_check_vnode_op =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_VNODE_OPEN:
+ mpc->mpc_ops->mpo_check_vnode_open =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_VNODE_READDIR:
+ mpc->mpc_ops->mpo_check_vnode_readdir =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_VNODE_READLINK:
+ mpc->mpc_ops->mpo_check_vnode_readlink =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_VNODE_RELABEL:
+ mpc->mpc_ops->mpo_check_vnode_relabel =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_VNODE_RENAME_FROM:
+ mpc->mpc_ops->mpo_check_vnode_rename_from =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_VNODE_RENAME_TO:
+ mpc->mpc_ops->mpo_check_vnode_rename_to =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_VNODE_REVOKE:
+ mpc->mpc_ops->mpo_check_vnode_revoke =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_VNODE_SETACL:
+ mpc->mpc_ops->mpo_check_vnode_setacl =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_VNODE_SETEXTATTR:
+ mpc->mpc_ops->mpo_check_vnode_setextattr =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_VNODE_SETFLAGS:
+ mpc->mpc_ops->mpo_check_vnode_setflags =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_VNODE_SETMODE:
+ mpc->mpc_ops->mpo_check_vnode_setmode =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_VNODE_SETOWNER:
+ mpc->mpc_ops->mpo_check_vnode_setowner =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_VNODE_SETUTIMES:
+ mpc->mpc_ops->mpo_check_vnode_setutimes =
+ mpe->mpe_function;
+ break;
+ case MAC_CHECK_VNODE_STAT:
+ mpc->mpc_ops->mpo_check_vnode_stat =
+ mpe->mpe_function;
+ break;
+/*
+ default:
+ printf("MAC policy `%s': unknown operation %d\n",
+ mpc->mpc_name, mpe->mpe_constant);
+ return (EINVAL);
+*/
+ }
+ }
+ MAC_POLICY_LIST_LOCK();
+ if (mac_policy_list_busy > 0) {
+ MAC_POLICY_LIST_UNLOCK();
+ FREE(mpc->mpc_ops, M_MACOPVEC);
+ mpc->mpc_ops = NULL;
+ return (EBUSY);
+ }
+ LIST_FOREACH(tmpc, &mac_policy_list, mpc_list) {
+ if (strcmp(tmpc->mpc_name, mpc->mpc_name) == 0) {
+ MAC_POLICY_LIST_UNLOCK();
+ FREE(mpc->mpc_ops, M_MACOPVEC);
+ mpc->mpc_ops = NULL;
+ return (EEXIST);
+ }
+ }
+ if (mpc->mpc_field_off != NULL) {
+ slot = ffs(mac_policy_offsets_free);
+ if (slot == 0) {
+ MAC_POLICY_LIST_UNLOCK();
>>> TRUNCATED FOR MAIL (1000 lines) <<<