PERFORCE change 19525 for review
Robert Watson
rwatson at freebsd.org
Fri Oct 18 03:14:12 GMT 2002
http://perforce.freebsd.org/chv.cgi?CH=19525
Change 19525 by rwatson at rwatson_tislabs on 2002/10/17 20:13:35
Hopefully approaching the final revision on the MAC user
API for FreeBSD 5.0. This continues to take much the same
approach to prior label processing, but differs in the
following ways:
(1) Previously, mac.c in libc broke down labels into their
component elements, and passed them to the kernel via
a variable-length array of 'struct mac_element'. When
retrieving labels, the same approach was taken. In the
new approach, this split is performed by the kernel
code, and only a single string is read in. This
dramatically simplifies the copyin/out and validation
operations, and removes the copyin's/copyout's from the
individual modules (they now just deal with in-kernel
strings). Modules receive 'element_name' and
'element_data', and may claim entries as before -- if
claimed, a destructive parsing of the string may be
performed in order to extract useful data.
(2) Permit label names in /etc/mac.conf to be prefixed with
a '?' indicating that failure to retrieve the label
element should not be considered a fatal error, allowing
entries to appear in mac.conf even if the kernel module
supporting the element name is not present. Populate
the default mac.conf with entries for each of our
labeled policies, which means mac.conf doesn't have to
be modified if any of them is loaded. Third party
policies will still require configuration.
(3) Temporarily remove all support for userland modules, since
all of the existing functionality is now encapsulated
in the kernel policy modules. We may wish to reintroduce
this module support for the purposes of permitting userland
mapping of label element data--however, almost all the
current code would be inappropriate for that, so we'll
just remove it, making mac.c almost empty.
There is room for further improvement, including relating to
the 'claimed' model, errno values, etc.
I've tested all policies except sebsd, which I don't have a
run-time configuration for, but it appears to build properly
and 'looks right'. There are probably bits. I'd also
appreciate a detailed review of the string parsing code for
labels, as if there are any serious problems, the results
could be relatively catastrophic.
I'll let this settle in the MAC tree for a few days, and if
all goes well, migrate the changes to the main tree over
the weekend, giving re@ approval.
Affected files ...
.. //depot/projects/trustedbsd/mac/bin/ls/ls.c#14 edit
.. //depot/projects/trustedbsd/mac/bin/ps/print.c#13 edit
.. //depot/projects/trustedbsd/mac/etc/mac.conf#6 edit
.. //depot/projects/trustedbsd/mac/lib/libc/posix1e/mac.c#3 edit
.. //depot/projects/trustedbsd/mac/lib/libc/posix1e/mac_module.h#2 delete
.. //depot/projects/trustedbsd/mac/lib/libmac/Makefile#2 edit
.. //depot/projects/trustedbsd/mac/lib/libutil/login_class.c#9 edit
.. //depot/projects/trustedbsd/mac/libexec/getty/main.c#9 edit
.. //depot/projects/trustedbsd/mac/sbin/ifconfig/ifmac.c#9 edit
.. //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#313 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#135 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#115 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_none/mac_none.c#86 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_partition/mac_partition.c#16 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.c#88 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#59 edit
.. //depot/projects/trustedbsd/mac/sys/security/sebsd/sebsd.c#43 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac.h#181 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#142 edit
.. //depot/projects/trustedbsd/mac/usr.bin/login/login.c#22 edit
.. //depot/projects/trustedbsd/mac/usr.sbin/getfmac/getfmac.c#7 edit
.. //depot/projects/trustedbsd/mac/usr.sbin/getpmac/getpmac.c#4 edit
.. //depot/projects/trustedbsd/mac/usr.sbin/setfmac/setfmac.c#7 edit
.. //depot/projects/trustedbsd/mac/usr.sbin/setpmac/setpmac.c#6 edit
Differences ...
==== //depot/projects/trustedbsd/mac/bin/ls/ls.c#14 (text+ko) ====
@@ -686,10 +686,10 @@
int error;
error = mac_prepare_file_label(&label);
- if (error != MAC_SUCCESS) {
+ if (error == -1) {
fprintf(stderr, "%s: %s\n",
cur->fts_name,
- mac_error(error));
+ strerror(errno));
goto label_out;
}
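Review bot: `if (error == -1)` cannot match what mac_prepare_file_label() returns in this change: in the mac.c hunk at @@ -522,270 +244,99 @@ mac_prepare() and mac_maybe_init_internal() return 0 or a positive errno value (EINVAL, ENOMEM), never -1, and they do not set errno, so as far as the visible hunks show a failure here is treated as success, the code goes on with a `label` that mac_prepare() left NULL or unassigned, and `strerror(errno)` would report a stale errno. Either the library should adopt the -1/errno convention its callers now assume, or the callers should test the return value directly: `if (error != 0) {` and `strerror(error));`. The same mismatch appears in the second ls.c hunk, bin/ps/print.c, lib/libutil/login_class.c (where `%m` after mac_from_text() has the same stale-errno problem), libexec/getty/main.c and sbin/ifconfig/ifmac.c. The enclosing function begins and ends outside this hunk.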
@@ -707,10 +707,10 @@
error = mac_to_text(label,
&labelstr);
- if (error != MAC_SUCCESS) {
+ if (error == -1) {
fprintf(stderr, "%s: %s\n",
cur->fts_name,
- mac_error(error));
+ strerror(errno));
mac_free(label);
goto label_out;
}
==== //depot/projects/trustedbsd/mac/bin/ps/print.c#13 (text+ko) ====
@@ -734,23 +734,24 @@
VAR *v;
v = ve->var;
- string = "";
+ string = NULL;
- error = mac_prepare_process_label(&label);
- if (error != MAC_SUCCESS) {
- fprintf(stderr, "%s\n", mac_error(error));
+ if (mac_prepare_process_label(&label) == -1) {
+ perror("mac_prepare_process_label");
goto out;
}
error = mac_get_pid(k->ki_p->ki_pid, label);
if (error == 0) {
- error = mac_to_text(label, &string);
- if (error != MAC_SUCCESS)
- string = "";
+ if (mac_to_text(label, &string) == -1)
+ string = NULL;
}
mac_free(label);
out:
- (void)printf("%*s", v->width, string);
+ if (string != NULL)
+ (void)printf("%*s", v->width, string);
+ else
+ (void)printf("%*s", v->width, "");
return;
}
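Review bot: The `string` that mac_to_text() fills in is a strdup() result in this change (mac.c hunk at @@ -522,270 +244,99 @@) and nothing in this function frees it, so every row printed leaks one label string; add `free(string);` after the printf in the non-NULL branch. The two printf branches could then collapse to `(void)printf("%*s", v->width, string != NULL ? string : "");` with the free guarded by the NULL test. `string` is declared above the hunk, so its type is inferred from the old `string = "";` assignment.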
==== //depot/projects/trustedbsd/mac/etc/mac.conf#6 (text+ko) ====
@@ -9,13 +9,7 @@
# Default label set to be used by simple MAC applications
#
-default_file_labels biba,mls
-default_ifnet_labels biba,mls
-default_process_labels biba,mls,partition
-
-#
-# Bind policy names to loadable shared modules
-#
-
-#module mac_generic libmac_generic.so.1 biba mls partition te
+default_file_labels ?biba,?mls,?sebsd,?te
+default_ifnet_labels ?biba,?mls,?sebsd,?te
+default_process_labels ?biba,?mls,?partition,?sebsd,?te
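Review bot: The new `?` prefix is explained only in the change description; the comment block above these lines still reads as if every listed element were required, and a third-party policy author editing this file has no way to learn the syntax. Add a line to that comment such as `# A leading '?' marks an element as optional: it is skipped if the policy module that supports it is not loaded.` so the file documents itself.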
==== //depot/projects/trustedbsd/mac/lib/libc/posix1e/mac.c#3 (text+ko) ====
@@ -50,32 +50,6 @@
#include <sys/mac.h>
-#include "mac_module.h"
-
-#define MAC_PARSE_ELEMENT_SEP ','
-#define MAC_PARSE_ELEMENT_SEP_STR ","
-#define MAC_PARSE_POLICY_SEP_STR "/"
-#define MAC_PARSE_UNKNOWNVALUE "_unknown"
-
-struct internal_module_entry {
- char *ime_path;
- void *ime_handle;
-
- char ime_name[MAC_MAX_POLICY_NAME];
-
- mm_init ime_init;
- mm_destroy ime_destroy;
-
- mm_checklabelname ime_checklabelname;
- mm_free ime_free;
- mm_from_text ime_from_text;
- mm_prepare ime_prepare;
- mm_to_text ime_to_text;
-
- LIST_ENTRY(internal_module_entry) ime_entries;
-};
-
-static LIST_HEAD(, internal_module_entry) internal_module_list;
static int internal_initialized;
/* Default sets of labels for various query operations. */
@@ -83,121 +57,7 @@
static char *default_ifnet_labels;
static char *default_process_labels;
-/* List of labels to process internally as text strings. */
-static char *text_labels;
-
-const char *
-mac_error(int error)
-{
-
- switch (error) {
- case MAC_SUCCESS:
- return ("Success");
- case MAC_ERROR_NOSUCHPOLICY:
- return ("MAC policy not found");
- case MAC_ERROR_NOFROMTEXT:
- return ("MAC policy can't convert text");
- case MAC_ERROR_INVALIDLABELVALUE:
- return ("Invalid label value");
- case MAC_ERROR_POLICYNAMEINVALID:
- return ("Invalid policy name");
- case MAC_ERROR_INSUFFICIENTRESOURCES:
- return ("Insufficient resources to complete request");
- case MAC_ERROR_NOTTHISMODULE:
- return ("Module does not implement requested policy");
- case MAC_ERROR_NOTSUPPORTED:
- return ("Module does not support requested operation");
- case MAC_ERROR_UNPARSEABLELABEL:
- return ("Label contains unparseable element");
- case MAC_ERROR_INVALIDINITARGS:
- return ("Invalid arguments passed to MAC policy initialization");
- case MAC_ERROR_UNKNOWNLABELNAME:
- return ("Label name not recognized");
- case MAC_ERROR_UNPRINTABLE:
- return ("Label contains unprintable component");
- case MAC_ERROR_INTERNALPOLICYERROR:
- return ("MAC policy module caused internal error");
- case MAC_ERROR_CONFFILEERROR:
- return ("MAC configuration file error");
- case MAC_ERROR_CANTLOADMODULE:
- return ("MAC module load error");
- case MAC_ERROR_NOSUCHELEMENTSET:
- return ("Element set not found");
- default:
- return ("Unknown error");
- }
-}
-
-void
-mac_error_to_errno(int error)
-{
-
- switch (error) {
- case MAC_ERROR_INSUFFICIENTRESOURCES:
- errno = ENOMEM;
- default:
- errno = EINVAL;
- }
-}
-
-static int
-mac_entry_attach(struct internal_module_entry *entry, const char *policyname,
- const char *path, int argc, char **argv)
-{
- int error;
-
- if (strlen(policyname)+1 > MAC_MAX_POLICY_NAME)
- return (MAC_ERROR_POLICYNAMEINVALID);
-
- memset(entry, 0, sizeof(*entry));
-
- strcpy(entry->ime_name, policyname);
- entry->ime_path = strdup(path);
- if (entry->ime_path == NULL)
- return (MAC_ERROR_INSUFFICIENTRESOURCES);
-
- entry->ime_handle = dlopen(entry->ime_path, RTLD_LAZY);
- if (entry->ime_handle == NULL) {
- free(entry->ime_path);
- return (MAC_ERROR_CANTLOADMODULE);
- }
-
- entry->ime_init = dlsym(entry->ime_handle, MAC_MODULE_INIT);
- entry->ime_destroy = dlsym(entry->ime_handle, MAC_MODULE_DESTROY);
-
- entry->ime_checklabelname = dlsym(entry->ime_handle,
- MAC_MODULE_CHECKLABELNAME);
- entry->ime_free = dlsym(entry->ime_handle, MAC_MODULE_FREE);
- entry->ime_from_text = dlsym(entry->ime_handle, MAC_MODULE_FROM_TEXT);
- entry->ime_prepare = dlsym(entry->ime_handle, MAC_MODULE_PREPARE);
- entry->ime_to_text = dlsym(entry->ime_handle, MAC_MODULE_TO_TEXT);
-
- if (entry->ime_init != NULL) {
- error = entry->ime_init(entry->ime_name, entry->ime_path,
- argc, argv);
- if (error != MAC_SUCCESS) {
- dlclose(entry->ime_handle);
- free(entry->ime_path);
- return (error);
- }
- }
-
- return (MAC_SUCCESS);
-}
-
static void
-mac_entry_detach(struct internal_module_entry *entry)
-{
-
- if (entry->ime_destroy != NULL)
- entry->ime_destroy();
- dlclose(entry->ime_handle);
- free(entry->ime_path);
- memset(entry, 0, sizeof(*entry));
- free(entry);
-}
-
-static void
mac_destroy_labels(void)
{
@@ -220,16 +80,7 @@
static void
mac_destroy_internal(void)
{
- struct internal_module_entry *entry1, *entry2;
- entry1 = LIST_FIRST(&internal_module_list);
- while (entry1 != NULL) {
- entry2 = LIST_NEXT(entry1, ime_entries);
- LIST_REMOVE(entry1, ime_entries);
- mac_entry_detach(entry1);
- entry1 = entry2;
- }
-
mac_destroy_labels();
internal_initialized = 0;
@@ -238,18 +89,15 @@
static int
mac_init_internal(void)
{
- struct internal_module_entry *entry;
FILE *file;
char line[LINE_MAX];
int error;
- error = MAC_SUCCESS;
+ error = 0;
- LIST_INIT(&internal_module_list);
-
file = fopen(MAC_CONFFILE, "r");
if (file == NULL)
- return (MAC_ERROR_CONFFILEERROR);
+ return (0);
while (fgets(line, LINE_MAX, file)) {
char *argv[ARG_MAX];
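Review bot: `return (0)` on fopen() failure treats every error as "no configuration file": an unreadable or misconfigured MAC_CONFFILE (EACCES, EISDIR, ELOOP) then silently leaves the default label sets NULL, and the later mac_prepare_*_label() calls hand back an empty label instead of reporting a problem. Only the absent-file case should be tolerated: `if (file == NULL) return (errno == ENOENT ? 0 : errno);`. Whether internal_initialized is set on this early-return path is not visible here; mac_init_internal() continues below the hunk.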
@@ -260,7 +108,7 @@
line[strlen(line)-1] = '\0';
else {
fclose(file);
- error = MAC_ERROR_CONFFILEERROR;
+ error = EINVAL;
goto just_return;
}
@@ -277,61 +125,7 @@
if (statement[0] == '#')
continue;
- if (strcmp(statement, "module") == 0) {
- policyname = "";
- while (parse && policyname[0] == '\0')
- policyname = strsep(&parse, " \t");
-
- modulename = "";
- while (parse && modulename[0] == '\0')
- modulename = strsep(&parse, " \t");
-
- argc = 0;
- while (parse && argc < ARG_MAX) {
- arg = "";
- while (parse && arg[0] == '\0')
- arg = strsep(&parse, " \t");
- if (arg[0] == '#')
- break;
- argv[argc] = arg;
- argc++;
- }
-
- entry = (struct internal_module_entry *) malloc(
- sizeof(*entry));
- if (entry == NULL) {
- fclose(file);
- error = MAC_ERROR_INSUFFICIENTRESOURCES;
- goto just_return;
- }
-
- error = mac_entry_attach(entry, policyname, modulename,
- argc, argv);
- if (error != MAC_SUCCESS) {
- free(entry);
- fclose(file);
- goto just_return;
- }
-
- LIST_INSERT_HEAD(&internal_module_list, entry,
- ime_entries);
- } else if (strcmp(statement, "text_labels") == 0) {
- if (text_labels != NULL) {
- free(text_labels);
- text_labels = NULL;
- }
-
- arg = strsep(&parse, "# \t");
- if (arg != NULL && arg[0] != '\0') {
- text_labels = strdup(arg);
- if (text_labels == NULL) {
- error =
- MAC_ERROR_INSUFFICIENTRESOURCES;
- fclose(file);
- goto just_return;
- }
- }
- } else if (strcmp(statement, "default_file_labels") == 0) {
+ if (strcmp(statement, "default_file_labels") == 0) {
if (default_file_labels != NULL) {
free(default_file_labels);
default_file_labels = NULL;
@@ -341,8 +135,7 @@
if (arg != NULL && arg[0] != '\0') {
default_file_labels = strdup(arg);
if (default_file_labels == NULL) {
- error =
- MAC_ERROR_INSUFFICIENTRESOURCES;
+ error = ENOMEM;
fclose(file);
goto just_return;
}
@@ -357,8 +150,7 @@
if (arg != NULL && arg[0] != '\0') {
default_ifnet_labels = strdup(arg);
if (default_ifnet_labels == NULL) {
- error =
- MAC_ERROR_INSUFFICIENTRESOURCES;
+ error = ENOMEM;
fclose(file);
goto just_return;
}
@@ -373,15 +165,14 @@
if (arg != NULL && arg[0] != '\0') {
default_process_labels = strdup(arg);
if (default_process_labels == NULL) {
- error =
- MAC_ERROR_INSUFFICIENTRESOURCES;
+ error = ENOMEM;
fclose(file);
goto just_return;
}
}
} else {
fclose(file);
- error = MAC_ERROR_CONFFILEERROR;
+ error = EINVAL;
goto just_return;
}
}
@@ -403,7 +194,7 @@
if (!internal_initialized)
return (mac_init_internal());
else
- return (MAC_SUCCESS);
+ return (0);
}
int
@@ -415,106 +206,37 @@
return (mac_init_internal());
}
-static struct internal_module_entry *
-mac_module_find_by_policyname(const char *policyname)
-{
- struct internal_module_entry *entry;
-
- LIST_FOREACH(entry, &internal_module_list, ime_entries)
- if (strcmp(entry->ime_name, policyname) == 0)
- return (entry);
-
- return (NULL);
-}
-
-static struct internal_module_entry *
-mac_module_find_by_labelname(const char *labelname)
-{
- struct internal_module_entry *entry;
-
- LIST_FOREACH(entry, &internal_module_list, ime_entries) {
- if (entry->ime_checklabelname != NULL) {
- if (entry->ime_checklabelname(labelname) == 1)
- return (entry);
- } else {
- /* This is a pretty dumb policy module. */
- }
- }
-
- return (NULL);
-}
-
-static void
-mac_free_element(struct mac_element *element)
-{
- struct internal_module_entry *entry;
-
-#if 0
- entry = mac_module_find_by_labelname(element->me_name);
- if (entry != NULL && entry->ime_free != NULL) {
- entry->ime_free(element);
- } else {
-#endif
- if (element->me_data != NULL)
- free(element->me_data);
-#if 0
- }
-#endif
-}
-
int
mac_free(struct mac *mac)
{
- int count, error;
+ int error;
- error = mac_maybe_init_internal();
- if (error != MAC_SUCCESS)
- return (error);
+ if (mac->m_string != NULL)
+ free(mac->m_string);
+ free(mac);
- if (mac->m_elements != NULL) {
- for (count = 0; count < mac->m_numliveelements; count++) {
- mac_free_element(&mac->m_elements[count]);
- }
- free(mac->m_elements);
- }
-
- free(mac);
- return (MAC_SUCCESS);
+ return (0);
}
static struct mac *
mac_alloc(int numelements)
{
- struct mac_element *elements;
struct mac *mac;
- elements = (struct mac_element *) malloc(sizeof(struct mac_element) *
- numelements);
- if (elements == NULL)
+ mac = (struct mac *) malloc(sizeof(*mac));
+ if (mac == NULL)
return (NULL);
- memset(elements, 0, sizeof(struct mac_element) * numelements);
-
- mac = (struct mac *) malloc(sizeof(*mac));
- if (mac == NULL) {
- free(elements);
+ mac->m_string = malloc(MAC_MAX_LABEL_BUF_LEN);
+ if (mac->m_string == NULL) {
+ free(mac);
return (NULL);
}
- memset(mac, 0, sizeof(*mac));
- mac->m_numelements = numelements;
- mac->m_numliveelements = 0;
- mac->m_elements = elements;
+ bzero(mac->m_string, MAC_MAX_LABEL_BUF_LEN);
+ mac->m_buflen = MAC_MAX_LABEL_BUF_LEN;
return (mac);
}
-static int
-mac_name_in_list(char *string, char *name)
-{
-
-
-
-}
-
int
mac_from_text(struct mac **mac, const char *text)
{
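Review bot: mac_alloc() appears to have no remaining caller after this change — mac_from_text() and mac_prepare() in the next hunk (@@ -522,270 +244,99 @@) open-code the same malloc/strdup sequence — and its `numelements` parameter is now ignored, so the static function will draw an unused-function warning and the allocation logic exists in three places. Either have mac_prepare() call mac_alloc() (its body is exactly the MAC_MAX_LABEL_BUF_LEN case) or delete mac_alloc(). In mac_free() the newly added `int error;` is unused and the `if (mac->m_string != NULL)` guard is redundant, since free(NULL) is a no-op; `free(mac->m_string); free(mac); return (0);` is sufficient.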
@@ -522,270 +244,99 @@
char *dup, *element, *search;
int count, error;
- error = mac_maybe_init_internal();
- if (error != MAC_SUCCESS)
- return (error);
+ *mac = (struct mac *) malloc(sizeof(**mac));
+ if (*mac == NULL)
+ return (ENOMEM);
- dup = strdup(text);
- if (dup == NULL)
- return (MAC_ERROR_INSUFFICIENTRESOURCES);
-
- /*
- * First, count the elements to we can allocate a mac_element
- * array. Use a simple counting algorithm.
- */
- count = 1;
- search = dup;
- while (*search != '\0') {
- if (*search == MAC_PARSE_ELEMENT_SEP)
- count++;
- search++;
+ (*mac)->m_string = strdup(text);
+ if ((*mac)->m_string == NULL) {
+ free(*mac);
+ *mac = NULL;
+ return (ENOMEM);
}
- temp = mac_alloc(count);
- if (temp == NULL) {
- error = MAC_ERROR_INSUFFICIENTRESOURCES;
- goto free_dup;
- }
+ (*mac)->m_buflen = strlen((*mac)->m_string)+1;
- search = dup;
- while ((element = strsep(&search, MAC_PARSE_ELEMENT_SEP_STR))) {
-#if 0
- struct internal_module_entry *entry;
-#endif
- struct mac_element *mac_element;
- char *labelname, *labelvalue;
-
- labelvalue = element;
- labelname = strsep(&labelvalue, MAC_PARSE_POLICY_SEP_STR);
- if (labelvalue == NULL) {
- error = MAC_ERROR_UNPARSEABLELABEL;
- goto free_temp;
- }
- mac_element = &temp->m_elements[temp->m_numliveelements];
- strcpy(mac_element->me_name, labelname);
-#if 0
- /*
- * Walk down the module list until we find a module that
- * is willing to accept this label name.
- */
- entry = mac_module_find_by_labelname(labelname);
- if (entry == NULL) {
- error = MAC_ERROR_UNKNOWNLABELNAME;
- goto free_temp;
- }
- if (entry->ime_from_text != NULL) {
- error = entry->ime_from_text(
- &temp->m_elements[temp->m_numliveelements],
- labelvalue);
- if (error != MAC_SUCCESS)
- goto free_temp;
- } else {
- error = MAC_ERROR_NOFROMTEXT;
- goto free_temp;
- }
-#endif
- mac_element->me_data = strdup(labelvalue);
- mac_element->me_databuflen = mac_element->me_datalen =
- strlen(labelvalue) + 1;
- temp->m_numliveelements++;
- }
-
- goto done;
-
-free_temp:
- mac_free(temp);
-free_dup:
- free(dup);
- temp = NULL;
-done:
- *mac = temp;
- return (error);
+ return (0);
}
int
mac_prepare(struct mac **mac, char *elements)
{
- char *arg, *element_array[MAC_MAX_LABEL_ELEMENTS], *local_policies;
- char *parse;
- struct internal_module_entry *entry;
struct mac *temp;
- int count, element_count, error;
- error = mac_maybe_init_internal();
- if (error != MAC_SUCCESS)
- return (error);
+ if (strlen(elements) >= MAC_MAX_LABEL_BUF_LEN)
+ return (EINVAL);
- local_policies = strdup(elements);
- if (local_policies == NULL)
- return (MAC_ERROR_INSUFFICIENTRESOURCES);
+ *mac = (struct mac *) malloc(sizeof(**mac));
+ if (*mac == NULL)
+ return (ENOMEM);
- parse = local_policies;
- element_count = 0;
- while (parse != NULL && element_count < MAC_MAX_LABEL_ELEMENTS) {
- arg = "";
- while (parse != NULL && arg[0] == '\0')
- arg = strsep(&parse, ",");
- element_array[element_count] = arg;
- element_count++;
+ (*mac)->m_string = malloc(MAC_MAX_LABEL_BUF_LEN);
+ if ((*mac)->m_string == NULL) {
+ free(*mac);
+ *mac = NULL;
+ return (ENOMEM);
}
- temp = mac_alloc(element_count);
- if (temp == NULL) {
- free(local_policies);
- return (MAC_ERROR_INSUFFICIENTRESOURCES);
- }
+ strcpy((*mac)->m_string, elements);
+ (*mac)->m_buflen = MAC_MAX_LABEL_BUF_LEN;
- for (count = 0; count < element_count; count++) {
-#if 0
- entry = mac_module_find_by_labelname(element_array[count]);
- if (entry == NULL) {
- free(local_policies);
- mac_free(temp);
- *mac = NULL;
- return (MAC_ERROR_UNKNOWNLABELNAME);
- }
-#endif
- strcpy(temp->m_elements[count].me_name, element_array[count]);
-#if 0
- if (entry->ime_prepare == NULL) {
- free(local_policies);
- mac_free(temp);
- *mac = NULL;
- return (MAC_ERROR_NOTSUPPORTED);
- }
- error = entry->ime_prepare(&temp->m_elements[count]);
- if (error) {
- free(local_policies);
- mac_free(temp);
- *mac = NULL;
- return (error);
- }
-#endif
- temp->m_elements[count].me_databuflen =
- MAC_MAX_LABEL_ELEMENT_DATALEN;
- temp->m_elements[count].me_data =
- malloc(temp->m_elements[count].me_databuflen);
- if (temp->m_elements[count].me_data == NULL) {
- free(local_policies);
- mac_free(temp);
- *mac = NULL;
- return (MAC_ERROR_INSUFFICIENTRESOURCES);
- }
- temp->m_elements[count].me_datalen = 0;
- temp->m_numliveelements++;
- }
-
- free(local_policies);
- *mac = temp;
- return (MAC_SUCCESS);
+ return (0);
}
int
mac_to_text(struct mac *mac, char **text)
{
-#if 0
- struct internal_module_entry *entry;
-#endif
- struct mac_element *element;
- char *string, *tempstring, *elementstring, *policyvalue;
- int error, i;
- error = mac_maybe_init_internal();
- if (error != MAC_SUCCESS)
- return (error);
-
- elementstring = NULL;
- string = NULL;
- for (i = 0; i < mac->m_numliveelements; i++) {
- element = &mac->m_elements[i];
-#if 0
- entry = mac_module_find_by_labelname(element->me_name);
- if (entry == NULL)
- elementstring = strdup(MAC_PARSE_UNKNOWNVALUE);
- else if (entry->ime_to_text == NULL)
- elementstring = strdup(MAC_PARSE_UNKNOWNVALUE);
- else {
- error = entry->ime_to_text(element, &policyvalue);
- if (error != MAC_SUCCESS)
- goto error_handler;
-#endif
- asprintf(&elementstring, "%s%s%s", element->me_name,
- MAC_PARSE_POLICY_SEP_STR, element->me_data);
-#if 0
- free(policyvalue);
- }
-#endif
- if (elementstring == NULL) {
- error = MAC_ERROR_INSUFFICIENTRESOURCES;
- goto error_handler;
- }
-
- if (string == NULL) {
- string = elementstring;
- } else {
- tempstring = string;
- asprintf(&string, "%s,%s", tempstring, elementstring);
- free(tempstring);
- free(elementstring);
- elementstring = NULL;
- }
- }
-
- *text = string;
- return (MAC_SUCCESS);
-
-error_handler:
- if (string != NULL)
- free(string);
- if (elementstring != NULL)
- free(elementstring);
-
- return (error);
+ *text = strdup(mac->m_string);
+ if (*text == NULL)
+ return (ENOMEM);
+ return (0);
}
int
-mac_prepare_file_label(struct mac **label)
+mac_prepare_file_label(struct mac **mac)
{
int error;
error = mac_maybe_init_internal();
- if (error != MAC_SUCCESS)
+ if (error != 0)
return (error);
if (default_file_labels == NULL)
- return (MAC_ERROR_NOSUCHELEMENTSET);
+ return (mac_prepare(mac, ""));
- return (mac_prepare(label, default_file_labels));
+ return (mac_prepare(mac, default_file_labels));
}
int
-mac_prepare_ifnet_label(struct mac **label)
+mac_prepare_ifnet_label(struct mac **mac)
{
int error;
error = mac_maybe_init_internal();
- if (error != MAC_SUCCESS)
+ if (error != 0)
return (error);
if (default_ifnet_labels == NULL)
- return (MAC_ERROR_NOSUCHELEMENTSET);
+ return (mac_prepare(mac, ""));
- return (mac_prepare(label, default_ifnet_labels));
+ return (mac_prepare(mac, default_ifnet_labels));
}
int
-mac_prepare_process_label(struct mac **label)
+mac_prepare_process_label(struct mac **mac)
{
int error;
error = mac_maybe_init_internal();
- if (error != MAC_SUCCESS)
+ if (error != 0)
return (error);
if (default_process_labels == NULL)
- return (MAC_ERROR_NOSUCHELEMENTSET);
+ return (mac_prepare(mac, ""));
- return (mac_prepare(label, default_process_labels));
+ return (mac_prepare(mac, default_process_labels));
}
/*
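Review bot: mac_from_text() accepts a string of any length and sets `m_buflen` from it, while mac_prepare() in the same hunk rejects anything `>= MAC_MAX_LABEL_BUF_LEN` with EINVAL; the two entry points should apply the same bound, e.g. `if (strlen(text) >= MAC_MAX_LABEL_BUF_LEN) return (EINVAL);` before the malloc, unless the kernel side (not visible in this mail) is meant to be the only enforcement point. The pre-existing locals `dup, element, search` and `count, error` at the top of mac_from_text() are no longer referenced by the new body and should go. mac_to_text() and the mac_prepare_*_label() wrappers return 0 or an errno value here; see the note on the ls.c hunk for the callers that test for -1 instead.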
==== //depot/projects/trustedbsd/mac/lib/libmac/Makefile#2 (text+ko) ====
@@ -1,3 +1,3 @@
-SUBDIR+= modules
+#SUBDIR+= modules
.include <bsd.subdir.mk>
==== //depot/projects/trustedbsd/mac/lib/libutil/login_class.c#9 (text+ko) ====
@@ -396,19 +396,21 @@
if (label_string == NULL) {
/* Leave label as is, warning, dangerous */
} else {
- error = mac_from_text(&label, label_string);
- if (error != MAC_SUCCESS) {
- syslog(LOG_ERR, "mac_from_text('%s'): %s", label_string,
- mac_error(error));
+ if (mac_from_text(&label, label_string) == -1) {
+ syslog(LOG_ERR, "mac_from_text('%s'): %m", label_string);
return -1;
}
- error = mac_set_proc(label);
+ if (mac_set_proc(label) == -1)
+ error = errno;
+ else
+ error = 0;
mac_free(label);
- if (error != 0 && errno == ENOSYS) {
- syslog(LOG_WARNING, "mac_set_proc(%s): warning: %m",
- label_string);
+ if (error == ENOSYS) {
+ syslog(LOG_WARNING, "mac_set_proc(%s): warning: %s",
+ label_string, strerror(error));
} else if (error != 0) {
- syslog(LOG_ERR, "mac_set_proc(%s): error: %m", label_string);
+ syslog(LOG_ERR, "mac_set_proc(%s): error: %s", label_string,
+ strerror(error));
return -1;
}
}
==== //depot/projects/trustedbsd/mac/libexec/getty/main.c#9 (text+ko) ====
@@ -263,7 +263,8 @@
error = mac_from_text(&rootmac,
rootmacstr);
- if (error == MAC_SUCCESS) {
+ if (mac_from_text(&rootmac, rootmacstr)
+ == 0) {
mac_set_file(ttyn, rootmac);
mac_free(rootmac);
}
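Review bot: mac_from_text() is now called twice: the unchanged `error = mac_from_text(&rootmac, rootmacstr);` two lines above still runs, then the new condition calls it again, so the first call's `struct mac` and its string are overwritten and leaked on every pass, and `error` is assigned but never read. The condition should test the existing result: `if (error == 0) {`. The enclosing function begins and ends outside this hunk.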
==== //depot/projects/trustedbsd/mac/sbin/ifconfig/ifmac.c#9 (text+ko) ====
@@ -60,16 +60,14 @@
memset(&ifr, 0, sizeof(ifr));
strncpy(ifr.ifr_name, name, sizeof(ifr.ifr_name));
- error = mac_prepare_ifnet_label(&label);
- if (error != MAC_SUCCESS)
+ if (mac_prepare_ifnet_label(&label) == -1)
return;
ifr.ifr_ifru.ifru_data = (void *)label;
- error = ioctl(s, SIOCGIFMAC, &ifr);
- if (error == -1)
+ if (ioctl(s, SIOCGIFMAC, &ifr) == -1)
goto mac_free;
- error = mac_to_text(label, &label_text);
- if (error != MAC_SUCCESS)
+
+ if (mac_to_text(label, &label_text) == -1)
goto mac_free;
printf("\tmac %s\n", label_text);
@@ -86,9 +84,8 @@
mac_t label;
int error;
- error = mac_from_text(&label, val);
- if (error != MAC_SUCCESS) {
- fprintf(stderr, "%s: %s\n", val, mac_error(error));
+ if (mac_from_text(&label, val) == -1) {
+ perror(val);
return;
}
>>> TRUNCATED FOR MAIL (1000 lines) <<<