PERFORCE change 21127 for review
Robert Watson
rwatson at freebsd.org
Sun Nov 17 04:17:03 GMT 2002
http://perforce.freebsd.org/chv.cgi?CH=21127
Change 21127 by rwatson at rwatson_paprika on 2002/11/16 20:16:05
Some minor entry point renaming: use the _kld_* naming
scheme rather than the _system_kld* naming scheme.
Affected files ...
.. //depot/projects/trustedbsd/mac/sys/kern/kern_linker.c#16 edit
.. //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#362 edit
.. //depot/projects/trustedbsd/mac/sys/kern/link_elf.c#14 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#187 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.c#41 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_none/mac_none.c#109 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#85 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac.h#218 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#172 edit
Differences ...
==== //depot/projects/trustedbsd/mac/sys/kern/kern_linker.c#16 (text+ko) ====
@@ -477,7 +477,7 @@
if (securelevel > 0)
return (EPERM);
#ifdef MAC
- error = mac_check_system_kldunload(curthread->td_ucred);
+ error = mac_check_kld_unload(curthread->td_ucred);
if (error)
return (error);
#endif
@@ -832,7 +832,7 @@
int error = 0;
#ifdef MAC
- error = mac_check_system_kldobserve(curthread->td_ucred);
+ error = mac_check_kld_observe(curthread->td_ucred);
if (error)
return (error);
#endif
@@ -868,7 +868,7 @@
int error = 0;
#ifdef MAC
- error = mac_check_system_kldobserve(curthread->td_ucred);
+ error = mac_check_kld_observe(curthread->td_ucred);
if (error)
return (error);
#endif
@@ -909,7 +909,7 @@
struct kld_file_stat *stat;
#ifdef MAC
- error = mac_check_system_kldobserve(curthread->td_ucred);
+ error = mac_check_kld_observe(curthread->td_ucred);
if (error)
return (error);
#endif
@@ -964,7 +964,7 @@
int error = 0;
#ifdef MAC
- error = mac_check_system_kldobserve(curthread->td_ucred);
+ error = mac_check_kld_observe(curthread->td_ucred);
if (error)
return (error);
#endif
@@ -999,7 +999,7 @@
int error = 0;
#ifdef MAC
- error = mac_check_system_kldobserve(curthread->td_ucred);
+ error = mac_check_kld_observe(curthread->td_ucred);
if (error)
return (error);
#endif
@@ -1838,7 +1838,7 @@
int error;
#ifdef MAC
- error = mac_check_system_kldobserve(curthread->td_ucred);
+ error = mac_check_kld_observe(curthread->td_ucred);
if (error)
return (error);
#endif
==== //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#362 (text+ko) ====
@@ -2317,6 +2317,50 @@
}
int
+mac_check_kld_load(struct ucred *cred, struct vnode *vp)
+{
+ int error;
+
+ if (vp != NULL) {
+ ASSERT_VOP_LOCKED(vp, "mac_check_system_acct");
+ }
+
+ if (!mac_enforce_system)
+ return (0);
+
+ MAC_CHECK(check_kld_load, cred, vp,
+ vp != NULL ? &vp->v_label : NULL);
+
+ return (error);
+}
+
+int
+mac_check_kld_observe(struct ucred *cred)
+{
+ int error;
+
+ if (!mac_enforce_system)
+ return (0);
+
+ MAC_CHECK(check_kld_observe, cred);
+
+ return (error);
+}
+
+int
+mac_check_kld_unload(struct ucred *cred)
+{
+ int error;
+
+ if (!mac_enforce_system)
+ return (0);
+
+ MAC_CHECK(check_kld_unload, cred);
+
+ return (error);
+}
+
+int
mac_check_mount_stat(struct ucred *cred, struct mount *mount)
{
int error;
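Review bot: The lock assertion in `mac_check_kld_load` still carries the message string "mac_check_system_acct", so a failed assertion would name the wrong entry point; it should read `ASSERT_VOP_LOCKED(vp, "mac_check_kld_load");`. The removed `mac_check_system_kldload` has the same string, so it predates this change, but the rename is the natural place to correct it. A one-line comment above the function stating that `vp` may be NULL, and that policies then receive a NULL label, would also help policy authors, since the body handles that case explicitly.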
@@ -2592,50 +2636,6 @@
}
int
-mac_check_system_kldload(struct ucred *cred, struct vnode *vp)
-{
- int error;
-
- if (vp != NULL) {
- ASSERT_VOP_LOCKED(vp, "mac_check_system_acct");
- }
-
- if (!mac_enforce_system)
- return (0);
-
- MAC_CHECK(check_system_kldload, cred, vp,
- vp != NULL ? &vp->v_label : NULL);
-
- return (error);
-}
-
-int
-mac_check_system_kldobserve(struct ucred *cred)
-{
- int error;
-
- if (!mac_enforce_system)
- return (0);
-
- MAC_CHECK(check_system_kldobserve, cred);
-
- return (error);
-}
-
-int
-mac_check_system_kldunload(struct ucred *cred)
-{
- int error;
-
- if (!mac_enforce_system)
- return (0);
-
- MAC_CHECK(check_system_kldunload, cred);
-
- return (error);
-}
-
-int
mac_check_system_nfsd(struct ucred *cred)
{
int error;
==== //depot/projects/trustedbsd/mac/sys/kern/link_elf.c#14 (text+ko) ====
@@ -559,7 +559,7 @@
return error;
NDFREE(&nd, NDF_ONLY_PNBUF);
#ifdef MAC
- error = mac_check_system_kldload(curthread->td_ucred, nd.ni_vp);
+ error = mac_check_kld_load(curthread->td_ucred, nd.ni_vp);
if (error) {
firstpage = NULL;
goto out;
==== //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#187 (text+ko) ====
@@ -1537,6 +1537,44 @@
}
static int
+mac_biba_check_kld_load(struct ucred *cred, struct vnode *vp,
+ struct label *label)
+{
+ struct mac_biba *subj, *obj;
+ int error;
+
+ if (!mac_biba_enabled)
+ return (0);
+
+ subj = SLOT(&cred->cr_label);
+
+ error = mac_biba_subject_privileged(subj);
+ if (error)
+ return (error);
+
+ obj = SLOT(label);
+ if (!mac_biba_high_single(obj))
+ return (EACCES);
+
+ return (0);
+}
+
+
+static int
+mac_biba_check_kld_unload(struct ucred *cred, struct vnode *vp,
+ struct label *label)
+{
+ struct mac_biba *subj;
+
+ if (!mac_biba_enabled)
+ return (0);
+
+ subj = SLOT(&cred->cr_label);
+
+ return (mac_biba_subject_privileged(subj));
+}
+
+static int
mac_biba_check_mount_stat(struct ucred *cred, struct mount *mp,
struct label *mntlabel)
{
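Review bot: `mac_biba_check_kld_unload` is defined with `(struct ucred *cred, struct vnode *vp, struct label *label)`, but the `mpo_check_kld_unload` slot in mac_policy.h takes only `struct ucred *cred` and `mac_check_kld_unload` invokes it with `cred` alone. The definition should be `mac_biba_check_kld_unload(struct ucred *cred)`, matching mac_lomac, so the ops-table initialiser is type-correct. Separately, `mac_biba_check_kld_load` applies `SLOT(label)` unconditionally, while `mac_check_kld_load` passes a NULL label when `vp` is NULL. SLOT is not visible here, but if it dereferences its argument, a check such as `if (label == NULL) return (EACCES);` is needed before `obj = SLOT(label);` (failing closed looks like the safer choice for an integrity policy). `mac_lomac_check_kld_load` has the same pattern.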
@@ -1861,45 +1899,6 @@
}
static int
-mac_biba_check_system_kldload(struct ucred *cred, struct vnode *vp,
- struct label *label)
-{
- struct mac_biba *subj, *obj;
- int error;
-
- if (!mac_biba_enabled)
- return (0);
-
- subj = SLOT(&cred->cr_label);
-
- error = mac_biba_subject_privileged(subj);
- if (error)
- return (error);
-
- obj = SLOT(label);
- if (!mac_biba_high_single(obj))
- return (EACCES);
-
- return (0);
-}
-
-
-static int
-mac_biba_check_system_kldunload(struct ucred *cred, struct vnode *vp,
- struct label *label)
-{
- struct mac_biba *subj;
-
- if (!mac_biba_enabled)
- return (0);
-
- subj = SLOT(&cred->cr_label);
-
- return (mac_biba_subject_privileged(subj));
-}
-
-
-static int
mac_biba_check_system_settime(struct ucred *cred)
{
struct mac_biba *subj;
@@ -2655,6 +2654,8 @@
.mpo_check_cred_visible = mac_biba_check_cred_visible,
.mpo_check_ifnet_relabel = mac_biba_check_ifnet_relabel,
.mpo_check_ifnet_transmit = mac_biba_check_ifnet_transmit,
+ .mpo_check_kld_load = mac_biba_check_kld_load,
+ .mpo_check_kld_unload = mac_biba_check_kld_unload,
.mpo_check_mount_stat = mac_biba_check_mount_stat,
.mpo_check_pipe_ioctl = mac_biba_check_pipe_ioctl,
.mpo_check_pipe_poll = mac_biba_check_pipe_poll,
@@ -2669,8 +2670,6 @@
.mpo_check_socket_relabel = mac_biba_check_socket_relabel,
.mpo_check_socket_visible = mac_biba_check_socket_visible,
.mpo_check_system_acct = mac_biba_check_system_acct,
- .mpo_check_system_kldload = mac_biba_check_system_kldload,
- .mpo_check_system_kldunload = mac_biba_check_system_kldunload,
.mpo_check_system_settime = mac_biba_check_system_settime,
.mpo_check_system_swapon = mac_biba_check_system_swapon,
.mpo_check_system_sysctl = mac_biba_check_system_sysctl,
==== //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.c#41 (text+ko) ====
@@ -1754,6 +1754,43 @@
}
static int
+mac_lomac_check_kld_load(struct ucred *cred, struct vnode *vp,
+ struct label *label)
+{
+ struct mac_lomac *subj, *obj;
+
+ if (!mac_lomac_enabled)
+ return (0);
+
+ subj = SLOT(&cred->cr_label);
+ obj = SLOT(label);
+
+ if (mac_lomac_subject_privileged(subj))
+ return (EPERM);
+
+ if (!mac_lomac_high_single(obj))
+ return (EACCES);
+
+ return (0);
+}
+
+static int
+mac_lomac_check_kld_unload(struct ucred *cred)
+{
+ struct mac_lomac *subj;
+
+ if (!mac_lomac_enabled)
+ return (0);
+
+ subj = SLOT(&cred->cr_label);
+
+ if (mac_lomac_subject_privileged(subj))
+ return (EPERM);
+
+ return (0);
+}
+
+static int
mac_lomac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe,
struct label *pipelabel, unsigned long cmd, void /* caddr_t */ *data)
{
@@ -1998,44 +2035,6 @@
}
static int
-mac_lomac_check_system_kldload(struct ucred *cred, struct vnode *vp,
- struct label *label)
-{
- struct mac_lomac *subj, *obj;
-
- if (!mac_lomac_enabled)
- return (0);
-
- subj = SLOT(&cred->cr_label);
- obj = SLOT(label);
-
- if (mac_lomac_subject_privileged(subj))
- return (EPERM);
-
- if (!mac_lomac_high_single(obj))
- return (EACCES);
-
- return (0);
-}
-
-static int
-mac_lomac_check_system_kldunload(struct ucred *cred)
-{
- struct mac_lomac *subj;
-
- if (!mac_lomac_enabled)
- return (0);
-
- subj = SLOT(&cred->cr_label);
-
- if (mac_lomac_subject_privileged(subj))
- return (EPERM);
-
- return (0);
-}
-
-
-static int
mac_lomac_check_system_swapon(struct ucred *cred, struct vnode *vp,
struct label *label)
{
@@ -2696,6 +2695,8 @@
.mpo_check_cred_visible = mac_lomac_check_cred_visible,
.mpo_check_ifnet_relabel = mac_lomac_check_ifnet_relabel,
.mpo_check_ifnet_transmit = mac_lomac_check_ifnet_transmit,
+ .mpo_check_kld_load = mac_lomac_check_kld_load,
+ .mpo_check_kld_unload = mac_lomac_check_kld_unload,
.mpo_check_pipe_ioctl = mac_lomac_check_pipe_ioctl,
.mpo_check_pipe_read = mac_lomac_check_pipe_read,
.mpo_check_pipe_relabel = mac_lomac_check_pipe_relabel,
@@ -2706,8 +2707,6 @@
.mpo_check_socket_deliver = mac_lomac_check_socket_deliver,
.mpo_check_socket_relabel = mac_lomac_check_socket_relabel,
.mpo_check_socket_visible = mac_lomac_check_socket_visible,
- .mpo_check_system_kldload = mac_lomac_check_system_kldload,
- .mpo_check_system_kldunload = mac_lomac_check_system_kldunload,
.mpo_check_system_swapon = mac_lomac_check_system_swapon,
.mpo_check_system_sysctl = mac_lomac_check_system_sysctl,
.mpo_check_vnode_access = mac_lomac_check_vnode_open,
==== //depot/projects/trustedbsd/mac/sys/security/mac_none/mac_none.c#109 (text+ko) ====
@@ -519,6 +519,28 @@
}
static int
+mac_none_check_kld_load(struct ucred *cred, struct vnode *vp,
+ struct label *vlabel)
+{
+
+ return (0);
+}
+
+static int
+mac_none_check_kld_observe(struct ucred *cred)
+{
+
+ return (0);
+}
+
+static int
+mac_none_check_kld_unload(struct ucred *cred)
+{
+
+ return (0);
+}
+
+static int
mac_none_check_mount_stat(struct ucred *cred, struct mount *mp,
struct label *mntlabel)
{
@@ -652,28 +674,6 @@
}
static int
-mac_none_check_system_kldload(struct ucred *cred, struct vnode *vp,
- struct label *vlabel)
-{
-
- return (0);
-}
-
-static int
-mac_none_check_system_kldobserve(struct ucred *cred)
-{
-
- return (0);
-}
-
-static int
-mac_none_check_system_kldunload(struct ucred *cred)
-{
-
- return (0);
-}
-
-static int
mac_none_check_system_reboot(struct ucred *cred, int how)
{
@@ -1039,6 +1039,9 @@
.mpo_check_kenv_get = mac_none_check_kenv_get,
.mpo_check_kenv_set = mac_none_check_kenv_set,
.mpo_check_kenv_unset = mac_none_check_kenv_unset,
+ .mpo_check_kld_load = mac_none_check_kld_load,
+ .mpo_check_kld_observe = mac_none_check_kld_observe,
+ .mpo_check_kld_unload = mac_none_check_kld_unload,
.mpo_check_mount_stat = mac_none_check_mount_stat,
.mpo_check_pipe_ioctl = mac_none_check_pipe_ioctl,
.mpo_check_pipe_poll = mac_none_check_pipe_poll,
@@ -1056,9 +1059,6 @@
.mpo_check_socket_relabel = mac_none_check_socket_relabel,
.mpo_check_socket_visible = mac_none_check_socket_visible,
.mpo_check_system_acct = mac_none_check_system_acct,
- .mpo_check_system_kldload = mac_none_check_system_kldload,
- .mpo_check_system_kldobserve = mac_none_check_system_kldobserve,
- .mpo_check_system_kldunload = mac_none_check_system_kldunload,
.mpo_check_system_reboot = mac_none_check_system_reboot,
.mpo_check_system_settime = mac_none_check_system_settime,
.mpo_check_system_swapon = mac_none_check_system_swapon,
==== //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#85 (text+ko) ====
@@ -915,6 +915,28 @@
}
static int
+mac_test_check_kld_load(struct ucred *cred, struct vnode *vp,
+ struct label *label)
+{
+
+ return (0);
+}
+
+static int
+mac_test_check_kld_observe(struct ucred *cred)
+{
+
+ return (0);
+}
+
+static int
+mac_test_check_kld_unload(struct ucred *cred)
+{
+
+ return (0);
+}
+
+static int
mac_test_check_mount_stat(struct ucred *cred, struct mount *mp,
struct label *mntlabel)
{
@@ -1048,28 +1070,6 @@
}
static int
-mac_test_check_system_kldload(struct ucred *cred, struct vnode *vp,
- struct label *label)
-{
-
- return (0);
-}
-
-static int
-mac_test_check_system_kldobserve(struct ucred *cred)
-{
-
- return (0);
-}
-
-static int
-mac_test_check_system_kldunload(struct ucred *cred)
-{
-
- return (0);
-}
-
-static int
mac_test_check_system_reboot(struct ucred *cred, int how)
{
@@ -1436,6 +1436,9 @@
.mpo_check_kenv_get = mac_test_check_kenv_get,
.mpo_check_kenv_set = mac_test_check_kenv_set,
.mpo_check_kenv_unset = mac_test_check_kenv_unset,
+ .mpo_check_kld_load = mac_test_check_kld_load,
+ .mpo_check_kld_observe = mac_test_check_kld_observe,
+ .mpo_check_kld_unload = mac_test_check_kld_unload,
.mpo_check_mount_stat = mac_test_check_mount_stat,
.mpo_check_pipe_ioctl = mac_test_check_pipe_ioctl,
.mpo_check_pipe_poll = mac_test_check_pipe_poll,
@@ -1453,9 +1456,6 @@
.mpo_check_socket_relabel = mac_test_check_socket_relabel,
.mpo_check_socket_visible = mac_test_check_socket_visible,
.mpo_check_system_acct = mac_test_check_system_acct,
- .mpo_check_system_kldload = mac_test_check_system_kldload,
- .mpo_check_system_kldobserve = mac_test_check_system_kldobserve,
- .mpo_check_system_kldunload = mac_test_check_system_kldunload,
.mpo_check_system_reboot = mac_test_check_system_reboot,
.mpo_check_system_settime = mac_test_check_system_settime,
.mpo_check_system_swapon = mac_test_check_system_swapon,
==== //depot/projects/trustedbsd/mac/sys/sys/mac.h#218 (text+ko) ====
@@ -239,6 +239,9 @@
int mac_check_kenv_get(struct ucred *cred, char *name);
int mac_check_kenv_set(struct ucred *cred, char *name, char *value);
int mac_check_kenv_unset(struct ucred *cred, char *name);
+int mac_check_kld_load(struct ucred *cred, struct vnode *vp);
+int mac_check_kld_observe(struct ucred *cred);
+int mac_check_kld_unload(struct ucred *cred);
int mac_check_mount_stat(struct ucred *cred, struct mount *mp);
int mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe,
unsigned long cmd, void *data);
@@ -260,9 +263,6 @@
int mac_check_socket_send(struct ucred *cred, struct socket *so);
int mac_check_socket_visible(struct ucred *cred, struct socket *so);
int mac_check_system_acct(struct ucred *cred, struct vnode *vp);
-int mac_check_system_kldload(struct ucred *cred, struct vnode *vp);
-int mac_check_system_kldobserve(struct ucred *cred);
-int mac_check_system_kldunload(struct ucred *cred);
int mac_check_system_nfsd(struct ucred *cred);
int mac_check_system_reboot(struct ucred *cred, int howto);
int mac_check_system_settime(struct ucred *cred);
==== //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#172 (text+ko) ====
@@ -274,6 +274,10 @@
int (*mpo_check_kenv_set)(struct ucred *cred, char *name,
char *value);
int (*mpo_check_kenv_unset)(struct ucred *cred, char *name);
+ int (*mpo_check_kld_load)(struct ucred *cred, struct vnode *vp,
+ struct label *vlabel);
+ int (*mpo_check_kld_observe)(struct ucred *cred);
+ int (*mpo_check_kld_unload)(struct ucred *cred);
int (*mpo_check_mount_stat)(struct ucred *cred, struct mount *mp,
struct label *mntlabel);
int (*mpo_check_pipe_ioctl)(struct ucred *cred, struct pipe *pipe,
@@ -317,10 +321,6 @@
struct socket *so, struct label *socketlabel);
int (*mpo_check_system_acct)(struct ucred *cred,
struct vnode *vp, struct label *vlabel);
- int (*mpo_check_system_kldload)(struct ucred *cred,
- struct vnode *vp, struct label *vlabel);
- int (*mpo_check_system_kldobserve)(struct ucred *cred);
- int (*mpo_check_system_kldunload)(struct ucred *cred);
int (*mpo_check_system_nfsd)(struct ucred *cred);
int (*mpo_check_system_reboot)(struct ucred *cred, int howto);
int (*mpo_check_system_settime)(struct ucred *cred);