PERFORCE change 19903 for review
Brian Feldman
green at freebsd.org
Tue Oct 22 17:06:54 GMT 2002
http://perforce.freebsd.org/chv.cgi?CH=19903
Change 19903 by green at green_laptop_2 on 2002/10/22 10:06:01
This is the bare minimum of changes needed to turn Biba
into a bare minimum, neutered sort of LOMAC-appearing
mess that doesn't do much of anything. This is mostly just
renaming, and an axe will soon be taken to e.g. compartments
and other things not to be fussed about.
Affected files ...
.. //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.c#11 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.h#6 edit
Differences ...
==== //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.c#11 (text+ko) ====
@@ -34,12 +34,12 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $FreeBSD: src/sys/security/mac_biba/mac_biba.c,v 1.26 2002/10/22 14:31:34 rwatson Exp $
+ * $FreeBSD$
*/
/*
* Developed by the TrustedBSD Project.
- * Biba fixed label mandatory integrity policy.
+ * Low-watermark floating label mandatory integrity policy.
*/
#include <sys/types.h>
@@ -76,217 +76,217 @@
#include <sys/mac_policy.h>
-#include <security/mac_biba/mac_biba.h>
+#include <security/mac_lomac/mac_lomac.h>
SYSCTL_DECL(_security_mac);
-SYSCTL_NODE(_security_mac, OID_AUTO, biba, CTLFLAG_RW, 0,
- "TrustedBSD mac_biba policy controls");
+SYSCTL_NODE(_security_mac, OID_AUTO, lomac, CTLFLAG_RW, 0,
+ "TrustedBSD mac_lomac policy controls");
-static int mac_biba_enabled = 0;
-SYSCTL_INT(_security_mac_biba, OID_AUTO, enabled, CTLFLAG_RW,
- &mac_biba_enabled, 0, "Enforce MAC/Biba policy");
-TUNABLE_INT("security.mac.biba.enabled", &mac_biba_enabled);
+static int mac_lomac_enabled = 0;
+SYSCTL_INT(_security_mac_lomac, OID_AUTO, enabled, CTLFLAG_RW,
+ &mac_lomac_enabled, 0, "Enforce MAC/LOMAC policy");
+TUNABLE_INT("security.mac.lomac.enabled", &mac_lomac_enabled);
static int destroyed_not_inited;
-SYSCTL_INT(_security_mac_biba, OID_AUTO, destroyed_not_inited, CTLFLAG_RD,
+SYSCTL_INT(_security_mac_lomac, OID_AUTO, destroyed_not_inited, CTLFLAG_RD,
&destroyed_not_inited, 0, "Count of labels destroyed but not inited");
static int trust_all_interfaces = 0;
-SYSCTL_INT(_security_mac_biba, OID_AUTO, trust_all_interfaces, CTLFLAG_RD,
- &trust_all_interfaces, 0, "Consider all interfaces 'trusted' by MAC/Biba");
-TUNABLE_INT("security.mac.biba.trust_all_interfaces", &trust_all_interfaces);
+SYSCTL_INT(_security_mac_lomac, OID_AUTO, trust_all_interfaces, CTLFLAG_RD,
+ &trust_all_interfaces, 0, "Consider all interfaces 'trusted' by MAC/LOMAC");
+TUNABLE_INT("security.mac.lomac.trust_all_interfaces", &trust_all_interfaces);
static char trusted_interfaces[128];
-SYSCTL_STRING(_security_mac_biba, OID_AUTO, trusted_interfaces, CTLFLAG_RD,
- trusted_interfaces, 0, "Interfaces considered 'trusted' by MAC/Biba");
-TUNABLE_STR("security.mac.biba.trusted_interfaces", trusted_interfaces,
+SYSCTL_STRING(_security_mac_lomac, OID_AUTO, trusted_interfaces, CTLFLAG_RD,
+ trusted_interfaces, 0, "Interfaces considered 'trusted' by MAC/LOMAC");
+TUNABLE_STR("security.mac.lomac.trusted_interfaces", trusted_interfaces,
sizeof(trusted_interfaces));
-static int max_compartments = MAC_BIBA_MAX_COMPARTMENTS;
-SYSCTL_INT(_security_mac_biba, OID_AUTO, max_compartments, CTLFLAG_RD,
+static int max_compartments = MAC_LOMAC_MAX_COMPARTMENTS;
+SYSCTL_INT(_security_mac_lomac, OID_AUTO, max_compartments, CTLFLAG_RD,
&max_compartments, 0, "Maximum supported compartments");
static int ptys_equal = 0;
-SYSCTL_INT(_security_mac_biba, OID_AUTO, ptys_equal, CTLFLAG_RW,
- &ptys_equal, 0, "Label pty devices as biba/equal on create");
-TUNABLE_INT("security.mac.biba.ptys_equal", &ptys_equal);
+SYSCTL_INT(_security_mac_lomac, OID_AUTO, ptys_equal, CTLFLAG_RW,
+ &ptys_equal, 0, "Label pty devices as lomac/equal on create");
+TUNABLE_INT("security.mac.lomac.ptys_equal", &ptys_equal);
static int revocation_enabled = 0;
-SYSCTL_INT(_security_mac_biba, OID_AUTO, revocation_enabled, CTLFLAG_RW,
+SYSCTL_INT(_security_mac_lomac, OID_AUTO, revocation_enabled, CTLFLAG_RW,
&revocation_enabled, 0, "Revoke access to objects on relabel");
-TUNABLE_INT("security.mac.biba.revocation_enabled", &revocation_enabled);
+TUNABLE_INT("security.mac.lomac.revocation_enabled", &revocation_enabled);
-static int mac_biba_slot;
-#define SLOT(l) ((struct mac_biba *)LABEL_TO_SLOT((l), mac_biba_slot).l_ptr)
+static int mac_lomac_slot;
+#define SLOT(l) ((struct mac_lomac *)LABEL_TO_SLOT((l), mac_lomac_slot).l_ptr)
-MALLOC_DEFINE(M_MACBIBA, "biba label", "MAC/Biba labels");
+MALLOC_DEFINE(M_MACLOMAC, "lomac label", "MAC/LOMAC labels");
static __inline int
-biba_bit_set_empty(u_char *set) {
+lomac_bit_set_empty(u_char *set) {
int i;
- for (i = 0; i < MAC_BIBA_MAX_COMPARTMENTS >> 3; i++)
+ for (i = 0; i < MAC_LOMAC_MAX_COMPARTMENTS >> 3; i++)
if (set[i] != 0)
return (0);
return (1);
}
-static struct mac_biba *
-biba_alloc(int flag)
+static struct mac_lomac *
+lomac_alloc(int flag)
{
- struct mac_biba *mac_biba;
+ struct mac_lomac *mac_lomac;
- mac_biba = malloc(sizeof(struct mac_biba), M_MACBIBA, M_ZERO | flag);
+ mac_lomac = malloc(sizeof(struct mac_lomac), M_MACLOMAC, M_ZERO | flag);
- return (mac_biba);
+ return (mac_lomac);
}
static void
-biba_free(struct mac_biba *mac_biba)
+lomac_free(struct mac_lomac *mac_lomac)
{
- if (mac_biba != NULL)
- free(mac_biba, M_MACBIBA);
+ if (mac_lomac != NULL)
+ free(mac_lomac, M_MACLOMAC);
else
atomic_add_int(&destroyed_not_inited, 1);
}
static int
-biba_atmostflags(struct mac_biba *mac_biba, int flags)
+lomac_atmostflags(struct mac_lomac *mac_lomac, int flags)
{
- if ((mac_biba->mb_flags & flags) != mac_biba->mb_flags)
+ if ((mac_lomac->ml_flags & flags) != mac_lomac->ml_flags)
return (EINVAL);
return (0);
}
static int
-mac_biba_dominate_element(struct mac_biba_element *a,
- struct mac_biba_element *b)
+mac_lomac_dominate_element(struct mac_lomac_element *a,
+ struct mac_lomac_element *b)
{
int bit;
- switch(a->mbe_type) {
- case MAC_BIBA_TYPE_EQUAL:
- case MAC_BIBA_TYPE_HIGH:
+ switch(a->mle_type) {
+ case MAC_LOMAC_TYPE_EQUAL:
+ case MAC_LOMAC_TYPE_HIGH:
return (1);
- case MAC_BIBA_TYPE_LOW:
- switch (b->mbe_type) {
- case MAC_BIBA_TYPE_GRADE:
- case MAC_BIBA_TYPE_HIGH:
+ case MAC_LOMAC_TYPE_LOW:
+ switch (b->mle_type) {
+ case MAC_LOMAC_TYPE_GRADE:
+ case MAC_LOMAC_TYPE_HIGH:
return (0);
- case MAC_BIBA_TYPE_EQUAL:
- case MAC_BIBA_TYPE_LOW:
+ case MAC_LOMAC_TYPE_EQUAL:
+ case MAC_LOMAC_TYPE_LOW:
return (1);
default:
- panic("mac_biba_dominate_element: b->mbe_type invalid");
+ panic("mac_lomac_dominate_element: b->mle_type invalid");
}
- case MAC_BIBA_TYPE_GRADE:
- switch (b->mbe_type) {
- case MAC_BIBA_TYPE_EQUAL:
- case MAC_BIBA_TYPE_LOW:
+ case MAC_LOMAC_TYPE_GRADE:
+ switch (b->mle_type) {
+ case MAC_LOMAC_TYPE_EQUAL:
+ case MAC_LOMAC_TYPE_LOW:
return (1);
- case MAC_BIBA_TYPE_HIGH:
+ case MAC_LOMAC_TYPE_HIGH:
return (0);
- case MAC_BIBA_TYPE_GRADE:
- for (bit = 1; bit <= MAC_BIBA_MAX_COMPARTMENTS; bit++)
- if (!MAC_BIBA_BIT_TEST(bit,
- a->mbe_compartments) &&
- MAC_BIBA_BIT_TEST(bit, b->mbe_compartments))
+ case MAC_LOMAC_TYPE_GRADE:
+ for (bit = 1; bit <= MAC_LOMAC_MAX_COMPARTMENTS; bit++)
+ if (!MAC_LOMAC_BIT_TEST(bit,
+ a->mle_compartments) &&
+ MAC_LOMAC_BIT_TEST(bit, b->mle_compartments))
return (0);
- return (a->mbe_grade >= b->mbe_grade);
+ return (a->mle_grade >= b->mle_grade);
default:
- panic("mac_biba_dominate_element: b->mbe_type invalid");
+ panic("mac_lomac_dominate_element: b->mle_type invalid");
}
default:
- panic("mac_biba_dominate_element: a->mbe_type invalid");
+ panic("mac_lomac_dominate_element: a->mle_type invalid");
}
return (0);
}
static int
-mac_biba_range_in_range(struct mac_biba *rangea, struct mac_biba *rangeb)
+mac_lomac_range_in_range(struct mac_lomac *rangea, struct mac_lomac *rangeb)
{
- return (mac_biba_dominate_element(&rangeb->mb_rangehigh,
- &rangea->mb_rangehigh) &&
- mac_biba_dominate_element(&rangea->mb_rangelow,
- &rangeb->mb_rangelow));
+ return (mac_lomac_dominate_element(&rangeb->ml_rangehigh,
+ &rangea->ml_rangehigh) &&
+ mac_lomac_dominate_element(&rangea->ml_rangelow,
+ &rangeb->ml_rangelow));
}
static int
-mac_biba_single_in_range(struct mac_biba *single, struct mac_biba *range)
+mac_lomac_single_in_range(struct mac_lomac *single, struct mac_lomac *range)
{
- KASSERT((single->mb_flags & MAC_BIBA_FLAG_SINGLE) != 0,
- ("mac_biba_single_in_range: a not single"));
- KASSERT((range->mb_flags & MAC_BIBA_FLAG_RANGE) != 0,
- ("mac_biba_single_in_range: b not range"));
+ KASSERT((single->ml_flags & MAC_LOMAC_FLAG_SINGLE) != 0,
+ ("mac_lomac_single_in_range: a not single"));
+ KASSERT((range->ml_flags & MAC_LOMAC_FLAG_RANGE) != 0,
+ ("mac_lomac_single_in_range: b not range"));
- return (mac_biba_dominate_element(&range->mb_rangehigh,
- &single->mb_single) &&
- mac_biba_dominate_element(&single->mb_single,
- &range->mb_rangelow));
+ return (mac_lomac_dominate_element(&range->ml_rangehigh,
+ &single->ml_single) &&
+ mac_lomac_dominate_element(&single->ml_single,
+ &range->ml_rangelow));
return (1);
}
static int
-mac_biba_dominate_single(struct mac_biba *a, struct mac_biba *b)
+mac_lomac_dominate_single(struct mac_lomac *a, struct mac_lomac *b)
{
- KASSERT((a->mb_flags & MAC_BIBA_FLAG_SINGLE) != 0,
- ("mac_biba_dominate_single: a not single"));
- KASSERT((b->mb_flags & MAC_BIBA_FLAG_SINGLE) != 0,
- ("mac_biba_dominate_single: b not single"));
+ KASSERT((a->ml_flags & MAC_LOMAC_FLAG_SINGLE) != 0,
+ ("mac_lomac_dominate_single: a not single"));
+ KASSERT((b->ml_flags & MAC_LOMAC_FLAG_SINGLE) != 0,
+ ("mac_lomac_dominate_single: b not single"));
- return (mac_biba_dominate_element(&a->mb_single, &b->mb_single));
+ return (mac_lomac_dominate_element(&a->ml_single, &b->ml_single));
}
static int
-mac_biba_equal_element(struct mac_biba_element *a, struct mac_biba_element *b)
+mac_lomac_equal_element(struct mac_lomac_element *a, struct mac_lomac_element *b)
{
- if (a->mbe_type == MAC_BIBA_TYPE_EQUAL ||
- b->mbe_type == MAC_BIBA_TYPE_EQUAL)
+ if (a->mle_type == MAC_LOMAC_TYPE_EQUAL ||
+ b->mle_type == MAC_LOMAC_TYPE_EQUAL)
return (1);
- return (a->mbe_type == b->mbe_type && a->mbe_grade == b->mbe_grade);
+ return (a->mle_type == b->mle_type && a->mle_grade == b->mle_grade);
}
static int
-mac_biba_equal_single(struct mac_biba *a, struct mac_biba *b)
+mac_lomac_equal_single(struct mac_lomac *a, struct mac_lomac *b)
{
- KASSERT((a->mb_flags & MAC_BIBA_FLAG_SINGLE) != 0,
- ("mac_biba_equal_single: a not single"));
- KASSERT((b->mb_flags & MAC_BIBA_FLAG_SINGLE) != 0,
- ("mac_biba_equal_single: b not single"));
+ KASSERT((a->ml_flags & MAC_LOMAC_FLAG_SINGLE) != 0,
+ ("mac_lomac_equal_single: a not single"));
+ KASSERT((b->ml_flags & MAC_LOMAC_FLAG_SINGLE) != 0,
+ ("mac_lomac_equal_single: b not single"));
- return (mac_biba_equal_element(&a->mb_single, &b->mb_single));
+ return (mac_lomac_equal_element(&a->ml_single, &b->ml_single));
}
static int
-mac_biba_contains_equal(struct mac_biba *mac_biba)
+mac_lomac_contains_equal(struct mac_lomac *mac_lomac)
{
- if (mac_biba->mb_flags & MAC_BIBA_FLAG_SINGLE)
- if (mac_biba->mb_single.mbe_type == MAC_BIBA_TYPE_EQUAL)
+ if (mac_lomac->ml_flags & MAC_LOMAC_FLAG_SINGLE)
+ if (mac_lomac->ml_single.mle_type == MAC_LOMAC_TYPE_EQUAL)
return (1);
- if (mac_biba->mb_flags & MAC_BIBA_FLAG_RANGE) {
- if (mac_biba->mb_rangelow.mbe_type == MAC_BIBA_TYPE_EQUAL)
+ if (mac_lomac->ml_flags & MAC_LOMAC_FLAG_RANGE) {
+ if (mac_lomac->ml_rangelow.mle_type == MAC_LOMAC_TYPE_EQUAL)
return (1);
- if (mac_biba->mb_rangehigh.mbe_type == MAC_BIBA_TYPE_EQUAL)
+ if (mac_lomac->ml_rangehigh.mle_type == MAC_LOMAC_TYPE_EQUAL)
return (1);
}
@@ -294,25 +294,25 @@
}
static int
-mac_biba_subject_equal_ok(struct mac_biba *mac_biba)
+mac_lomac_subject_equal_ok(struct mac_lomac *mac_lomac)
{
- KASSERT((mac_biba->mb_flags & MAC_BIBA_FLAGS_BOTH) ==
- MAC_BIBA_FLAGS_BOTH,
- ("mac_biba_subject_equal_ok: subject doesn't have both labels"));
+ KASSERT((mac_lomac->ml_flags & MAC_LOMAC_FLAGS_BOTH) ==
+ MAC_LOMAC_FLAGS_BOTH,
+ ("mac_lomac_subject_equal_ok: subject doesn't have both labels"));
/* If the single is EQUAL, it's ok. */
- if (mac_biba->mb_single.mbe_type == MAC_BIBA_TYPE_EQUAL)
+ if (mac_lomac->ml_single.mle_type == MAC_LOMAC_TYPE_EQUAL)
return (0);
/* If either range endpoint is EQUAL, it's ok. */
- if (mac_biba->mb_rangelow.mbe_type == MAC_BIBA_TYPE_EQUAL ||
- mac_biba->mb_rangehigh.mbe_type == MAC_BIBA_TYPE_EQUAL)
+ if (mac_lomac->ml_rangelow.mle_type == MAC_LOMAC_TYPE_EQUAL ||
+ mac_lomac->ml_rangehigh.mle_type == MAC_LOMAC_TYPE_EQUAL)
return (0);
/* If the range is low-high, it's ok. */
- if (mac_biba->mb_rangelow.mbe_type == MAC_BIBA_TYPE_LOW &&
- mac_biba->mb_rangehigh.mbe_type == MAC_BIBA_TYPE_HIGH)
+ if (mac_lomac->ml_rangelow.mle_type == MAC_LOMAC_TYPE_LOW &&
+ mac_lomac->ml_rangehigh.mle_type == MAC_LOMAC_TYPE_HIGH)
return (0);
/* It's not ok. */
@@ -320,20 +320,20 @@
}
static int
-mac_biba_valid(struct mac_biba *mac_biba)
+mac_lomac_valid(struct mac_lomac *mac_lomac)
{
- if (mac_biba->mb_flags & MAC_BIBA_FLAG_SINGLE) {
- switch (mac_biba->mb_single.mbe_type) {
- case MAC_BIBA_TYPE_GRADE:
+ if (mac_lomac->ml_flags & MAC_LOMAC_FLAG_SINGLE) {
+ switch (mac_lomac->ml_single.mle_type) {
+ case MAC_LOMAC_TYPE_GRADE:
break;
- case MAC_BIBA_TYPE_EQUAL:
- case MAC_BIBA_TYPE_HIGH:
- case MAC_BIBA_TYPE_LOW:
- if (mac_biba->mb_single.mbe_grade != 0 ||
- !MAC_BIBA_BIT_SET_EMPTY(
- mac_biba->mb_single.mbe_compartments))
+ case MAC_LOMAC_TYPE_EQUAL:
+ case MAC_LOMAC_TYPE_HIGH:
+ case MAC_LOMAC_TYPE_LOW:
+ if (mac_lomac->ml_single.mle_grade != 0 ||
+ !MAC_LOMAC_BIT_SET_EMPTY(
+ mac_lomac->ml_single.mle_compartments))
return (EINVAL);
break;
@@ -341,21 +341,21 @@
return (EINVAL);
}
} else {
- if (mac_biba->mb_single.mbe_type != MAC_BIBA_TYPE_UNDEF)
+ if (mac_lomac->ml_single.mle_type != MAC_LOMAC_TYPE_UNDEF)
return (EINVAL);
}
- if (mac_biba->mb_flags & MAC_BIBA_FLAG_RANGE) {
- switch (mac_biba->mb_rangelow.mbe_type) {
- case MAC_BIBA_TYPE_GRADE:
+ if (mac_lomac->ml_flags & MAC_LOMAC_FLAG_RANGE) {
+ switch (mac_lomac->ml_rangelow.mle_type) {
+ case MAC_LOMAC_TYPE_GRADE:
break;
- case MAC_BIBA_TYPE_EQUAL:
- case MAC_BIBA_TYPE_HIGH:
- case MAC_BIBA_TYPE_LOW:
- if (mac_biba->mb_rangelow.mbe_grade != 0 ||
- !MAC_BIBA_BIT_SET_EMPTY(
- mac_biba->mb_rangelow.mbe_compartments))
+ case MAC_LOMAC_TYPE_EQUAL:
+ case MAC_LOMAC_TYPE_HIGH:
+ case MAC_LOMAC_TYPE_LOW:
+ if (mac_lomac->ml_rangelow.mle_grade != 0 ||
+ !MAC_LOMAC_BIT_SET_EMPTY(
+ mac_lomac->ml_rangelow.mle_compartments))
return (EINVAL);
break;
@@ -363,28 +363,28 @@
return (EINVAL);
}
- switch (mac_biba->mb_rangehigh.mbe_type) {
- case MAC_BIBA_TYPE_GRADE:
+ switch (mac_lomac->ml_rangehigh.mle_type) {
+ case MAC_LOMAC_TYPE_GRADE:
break;
- case MAC_BIBA_TYPE_EQUAL:
- case MAC_BIBA_TYPE_HIGH:
- case MAC_BIBA_TYPE_LOW:
- if (mac_biba->mb_rangehigh.mbe_grade != 0 ||
- !MAC_BIBA_BIT_SET_EMPTY(
- mac_biba->mb_rangehigh.mbe_compartments))
+ case MAC_LOMAC_TYPE_EQUAL:
+ case MAC_LOMAC_TYPE_HIGH:
+ case MAC_LOMAC_TYPE_LOW:
+ if (mac_lomac->ml_rangehigh.mle_grade != 0 ||
+ !MAC_LOMAC_BIT_SET_EMPTY(
+ mac_lomac->ml_rangehigh.mle_compartments))
return (EINVAL);
break;
default:
return (EINVAL);
}
- if (!mac_biba_dominate_element(&mac_biba->mb_rangehigh,
- &mac_biba->mb_rangelow))
+ if (!mac_lomac_dominate_element(&mac_lomac->ml_rangehigh,
+ &mac_lomac->ml_rangelow))
return (EINVAL);
} else {
- if (mac_biba->mb_rangelow.mbe_type != MAC_BIBA_TYPE_UNDEF ||
- mac_biba->mb_rangehigh.mbe_type != MAC_BIBA_TYPE_UNDEF)
+ if (mac_lomac->ml_rangelow.mle_type != MAC_LOMAC_TYPE_UNDEF ||
+ mac_lomac->ml_rangehigh.mle_type != MAC_LOMAC_TYPE_UNDEF)
return (EINVAL);
}
@@ -392,83 +392,83 @@
}
static void
-mac_biba_set_range(struct mac_biba *mac_biba, u_short typelow,
+mac_lomac_set_range(struct mac_lomac *mac_lomac, u_short typelow,
u_short gradelow, u_char *compartmentslow, u_short typehigh,
u_short gradehigh, u_char *compartmentshigh)
{
- mac_biba->mb_rangelow.mbe_type = typelow;
- mac_biba->mb_rangelow.mbe_grade = gradelow;
+ mac_lomac->ml_rangelow.mle_type = typelow;
+ mac_lomac->ml_rangelow.mle_grade = gradelow;
if (compartmentslow != NULL)
- memcpy(mac_biba->mb_rangelow.mbe_compartments,
+ memcpy(mac_lomac->ml_rangelow.mle_compartments,
compartmentslow,
- sizeof(mac_biba->mb_rangelow.mbe_compartments));
- mac_biba->mb_rangehigh.mbe_type = typehigh;
- mac_biba->mb_rangehigh.mbe_grade = gradehigh;
+ sizeof(mac_lomac->ml_rangelow.mle_compartments));
+ mac_lomac->ml_rangehigh.mle_type = typehigh;
+ mac_lomac->ml_rangehigh.mle_grade = gradehigh;
if (compartmentshigh != NULL)
- memcpy(mac_biba->mb_rangehigh.mbe_compartments,
+ memcpy(mac_lomac->ml_rangehigh.mle_compartments,
compartmentshigh,
- sizeof(mac_biba->mb_rangehigh.mbe_compartments));
- mac_biba->mb_flags |= MAC_BIBA_FLAG_RANGE;
+ sizeof(mac_lomac->ml_rangehigh.mle_compartments));
+ mac_lomac->ml_flags |= MAC_LOMAC_FLAG_RANGE;
}
static void
-mac_biba_set_single(struct mac_biba *mac_biba, u_short type, u_short grade,
+mac_lomac_set_single(struct mac_lomac *mac_lomac, u_short type, u_short grade,
u_char *compartments)
{
- mac_biba->mb_single.mbe_type = type;
- mac_biba->mb_single.mbe_grade = grade;
+ mac_lomac->ml_single.mle_type = type;
+ mac_lomac->ml_single.mle_grade = grade;
if (compartments != NULL)
- memcpy(mac_biba->mb_single.mbe_compartments, compartments,
- sizeof(mac_biba->mb_single.mbe_compartments));
- mac_biba->mb_flags |= MAC_BIBA_FLAG_SINGLE;
+ memcpy(mac_lomac->ml_single.mle_compartments, compartments,
+ sizeof(mac_lomac->ml_single.mle_compartments));
+ mac_lomac->ml_flags |= MAC_LOMAC_FLAG_SINGLE;
}
static void
-mac_biba_copy_range(struct mac_biba *labelfrom, struct mac_biba *labelto)
+mac_lomac_copy_range(struct mac_lomac *labelfrom, struct mac_lomac *labelto)
{
- KASSERT((labelfrom->mb_flags & MAC_BIBA_FLAG_RANGE) != 0,
- ("mac_biba_copy_range: labelfrom not range"));
+ KASSERT((labelfrom->ml_flags & MAC_LOMAC_FLAG_RANGE) != 0,
+ ("mac_lomac_copy_range: labelfrom not range"));
- labelto->mb_rangelow = labelfrom->mb_rangelow;
- labelto->mb_rangehigh = labelfrom->mb_rangehigh;
- labelto->mb_flags |= MAC_BIBA_FLAG_RANGE;
+ labelto->ml_rangelow = labelfrom->ml_rangelow;
+ labelto->ml_rangehigh = labelfrom->ml_rangehigh;
+ labelto->ml_flags |= MAC_LOMAC_FLAG_RANGE;
}
static void
-mac_biba_copy_single(struct mac_biba *labelfrom, struct mac_biba *labelto)
+mac_lomac_copy_single(struct mac_lomac *labelfrom, struct mac_lomac *labelto)
{
- KASSERT((labelfrom->mb_flags & MAC_BIBA_FLAG_SINGLE) != 0,
- ("mac_biba_copy_single: labelfrom not single"));
+ KASSERT((labelfrom->ml_flags & MAC_LOMAC_FLAG_SINGLE) != 0,
+ ("mac_lomac_copy_single: labelfrom not single"));
- labelto->mb_single = labelfrom->mb_single;
- labelto->mb_flags |= MAC_BIBA_FLAG_SINGLE;
+ labelto->ml_single = labelfrom->ml_single;
+ labelto->ml_flags |= MAC_LOMAC_FLAG_SINGLE;
}
static void
-mac_biba_copy(struct mac_biba *source, struct mac_biba *dest)
+mac_lomac_copy(struct mac_lomac *source, struct mac_lomac *dest)
{
- if (source->mb_flags & MAC_BIBA_FLAG_SINGLE)
- mac_biba_copy_single(source, dest);
- if (source->mb_flags & MAC_BIBA_FLAG_RANGE)
- mac_biba_copy_range(source, dest);
+ if (source->ml_flags & MAC_LOMAC_FLAG_SINGLE)
+ mac_lomac_copy_single(source, dest);
+ if (source->ml_flags & MAC_LOMAC_FLAG_RANGE)
+ mac_lomac_copy_range(source, dest);
}
/*
* Policy module operations.
*/
static void
-mac_biba_destroy(struct mac_policy_conf *conf)
+mac_lomac_destroy(struct mac_policy_conf *conf)
{
}
static void
-mac_biba_init(struct mac_policy_conf *conf)
+mac_lomac_init(struct mac_policy_conf *conf)
{
}
@@ -477,17 +477,17 @@
* Label operations.
*/
static void
-mac_biba_init_label(struct label *label)
+mac_lomac_init_label(struct label *label)
{
- SLOT(label) = biba_alloc(M_WAITOK);
+ SLOT(label) = lomac_alloc(M_WAITOK);
}
static int
-mac_biba_init_label_waitcheck(struct label *label, int flag)
+mac_lomac_init_label_waitcheck(struct label *label, int flag)
{
- SLOT(label) = biba_alloc(flag);
+ SLOT(label) = lomac_alloc(flag);
if (SLOT(label) == NULL)
return (ENOMEM);
@@ -495,38 +495,38 @@
}
static void
-mac_biba_destroy_label(struct label *label)
+mac_lomac_destroy_label(struct label *label)
{
- biba_free(SLOT(label));
+ lomac_free(SLOT(label));
SLOT(label) = NULL;
}
/*
- * mac_biba_element_to_string() is basically an snprintf wrapper with
+ * mac_lomac_element_to_string() is basically an snprintf wrapper with
* the same properties as snprintf(). It returns the length it would
* have added to the string in the event the string is too short.
*/
static size_t
-mac_biba_element_to_string(char *string, size_t size,
- struct mac_biba_element *element)
+mac_lomac_element_to_string(char *string, size_t size,
+ struct mac_lomac_element *element)
{
int pos, bit = 1;
- switch (element->mbe_type) {
- case MAC_BIBA_TYPE_HIGH:
+ switch (element->mle_type) {
+ case MAC_LOMAC_TYPE_HIGH:
return (snprintf(string, size, "high"));
- case MAC_BIBA_TYPE_LOW:
+ case MAC_LOMAC_TYPE_LOW:
return (snprintf(string, size, "low"));
- case MAC_BIBA_TYPE_EQUAL:
+ case MAC_LOMAC_TYPE_EQUAL:
return (snprintf(string, size, "equal"));
- case MAC_BIBA_TYPE_GRADE:
- pos = snprintf(string, size, "%d:", element->mbe_grade);
- for (bit = 1; bit <= MAC_BIBA_MAX_COMPARTMENTS; bit++) {
- if (MAC_BIBA_BIT_TEST(bit, element->mbe_compartments))
+ case MAC_LOMAC_TYPE_GRADE:
+ pos = snprintf(string, size, "%d:", element->mle_grade);
+ for (bit = 1; bit <= MAC_LOMAC_MAX_COMPARTMENTS; bit++) {
+ if (MAC_LOMAC_BIT_TEST(bit, element->mle_compartments))
pos += snprintf(string + pos, size - pos,
"%d+", bit);
}
@@ -535,14 +535,14 @@
return (pos);
default:
- panic("mac_biba_element_to_string: invalid type (%d)",
- element->mbe_type);
+ panic("mac_lomac_element_to_string: invalid type (%d)",
+ element->mle_type);
}
}
static int
-mac_biba_to_string(char *string, size_t size, size_t *caller_len,
- struct mac_biba *mac_biba)
+mac_lomac_to_string(char *string, size_t size, size_t *caller_len,
+ struct mac_lomac *mac_lomac)
{
size_t left, len;
char *curptr;
@@ -551,24 +551,24 @@
curptr = string;
left = size;
- if (mac_biba->mb_flags & MAC_BIBA_FLAG_SINGLE) {
- len = mac_biba_element_to_string(curptr, left,
- &mac_biba->mb_single);
+ if (mac_lomac->ml_flags & MAC_LOMAC_FLAG_SINGLE) {
+ len = mac_lomac_element_to_string(curptr, left,
+ &mac_lomac->ml_single);
if (len >= left)
return (EINVAL);
left -= len;
curptr += len;
}
- if (mac_biba->mb_flags & MAC_BIBA_FLAG_RANGE) {
+ if (mac_lomac->ml_flags & MAC_LOMAC_FLAG_RANGE) {
len = snprintf(curptr, left, "(");
if (len >= left)
return (EINVAL);
left -= len;
curptr += len;
- len = mac_biba_element_to_string(curptr, left,
- &mac_biba->mb_rangelow);
+ len = mac_lomac_element_to_string(curptr, left,
+ &mac_lomac->ml_rangelow);
if (len >= left)
return (EINVAL);
left -= len;
@@ -580,8 +580,8 @@
left -= len;
curptr += len;
- len = mac_biba_element_to_string(curptr, left,
- &mac_biba->mb_rangehigh);
+ len = mac_lomac_element_to_string(curptr, left,
+ &mac_lomac->ml_rangehigh);
if (len >= left)
return (EINVAL);
left -= len;
@@ -599,19 +599,19 @@
}
static int
-mac_biba_externalize_label(struct label *label, char *element_name,
+mac_lomac_externalize_label(struct label *label, char *element_name,
char *element_data, size_t size, size_t *len, int *claimed)
{
- struct mac_biba *mac_biba;
+ struct mac_lomac *mac_lomac;
int error;
- if (strcmp(MAC_BIBA_LABEL_NAME, element_name) != 0)
+ if (strcmp(MAC_LOMAC_LABEL_NAME, element_name) != 0)
return (0);
(*claimed)++;
- mac_biba = SLOT(label);
- error = mac_biba_to_string(element_data, size, len, mac_biba);
+ mac_lomac = SLOT(label);
+ error = mac_lomac_to_string(element_data, size, len, mac_lomac);
if (error)
return (error);
@@ -620,38 +620,21 @@
}
static int
-mac_biba_externalize_vnode_oldmac(struct label *label, struct oldmac *extmac)
+mac_lomac_parse_element(struct mac_lomac_element *element, char *string)
{
- struct mac_biba *mac_biba;
-
- mac_biba = SLOT(label);
-
- if (mac_biba == NULL) {
- printf("mac_biba_externalize_vnode_oldmac: NULL pointer\n");
- return (0);
- }
- extmac->m_biba = *mac_biba;
-
- return (0);
-}
-
-static int
-mac_biba_parse_element(struct mac_biba_element *element, char *string)
-{
-
if (strcmp(string, "high") == 0 ||
strcmp(string, "hi") == 0) {
- element->mbe_type = MAC_BIBA_TYPE_HIGH;
- element->mbe_grade = MAC_BIBA_TYPE_UNDEF;
+ element->mle_type = MAC_LOMAC_TYPE_HIGH;
+ element->mle_grade = MAC_LOMAC_TYPE_UNDEF;
} else if (strcmp(string, "low") == 0 ||
strcmp(string, "lo") == 0) {
- element->mbe_type = MAC_BIBA_TYPE_LOW;
- element->mbe_grade = MAC_BIBA_TYPE_UNDEF;
+ element->mle_type = MAC_LOMAC_TYPE_LOW;
+ element->mle_grade = MAC_LOMAC_TYPE_UNDEF;
} else if (strcmp(string, "equal") == 0 ||
strcmp(string, "eq") == 0) {
- element->mbe_type = MAC_BIBA_TYPE_EQUAL;
- element->mbe_grade = MAC_BIBA_TYPE_UNDEF;
+ element->mle_type = MAC_LOMAC_TYPE_EQUAL;
+ element->mle_grade = MAC_LOMAC_TYPE_UNDEF;
} else {
char *p0, *p1;
int d;
@@ -661,8 +644,8 @@
if (d < 0 || d > 65535)
return (EINVAL);
- element->mbe_type = MAC_BIBA_TYPE_GRADE;
- element->mbe_grade = d;
+ element->mle_type = MAC_LOMAC_TYPE_GRADE;
+ element->mle_grade = d;
if (*p1 != ':') {
if (p1 == p0 || *p1 != '\0')
@@ -676,10 +659,10 @@
while ((p0 = ++p1)) {
d = strtol(p0, &p1, 10);
- if (d < 1 || d > MAC_BIBA_MAX_COMPARTMENTS)
+ if (d < 1 || d > MAC_LOMAC_MAX_COMPARTMENTS)
return (EINVAL);
- MAC_BIBA_BIT_SET(d, element->mbe_compartments);
+ MAC_LOMAC_BIT_SET(d, element->mle_compartments);
if (*p1 == '\0')
break;
@@ -696,7 +679,7 @@
* calling if that's a problem.
*/
static int
-mac_biba_parse(struct mac_biba *mac_biba, char *string)
+mac_lomac_parse(struct mac_lomac *mac_lomac, char *string)
{
char *range, *rangeend, *rangehigh, *rangelow, *single;
int error;
@@ -729,29 +712,29 @@
}
KASSERT((rangelow != NULL && rangehigh != NULL) ||
(rangelow == NULL && rangehigh == NULL),
- ("mac_biba_internalize_label: range mismatch"));
+ ("mac_lomac_internalize_label: range mismatch"));
- bzero(mac_biba, sizeof(*mac_biba));
+ bzero(mac_lomac, sizeof(*mac_lomac));
if (single != NULL) {
- error = mac_biba_parse_element(&mac_biba->mb_single, single);
+ error = mac_lomac_parse_element(&mac_lomac->ml_single, single);
if (error)
return (error);
- mac_biba->mb_flags |= MAC_BIBA_FLAG_SINGLE;
+ mac_lomac->ml_flags |= MAC_LOMAC_FLAG_SINGLE;
}
if (rangelow != NULL) {
- error = mac_biba_parse_element(&mac_biba->mb_rangelow,
+ error = mac_lomac_parse_element(&mac_lomac->ml_rangelow,
rangelow);
if (error)
return (error);
- error = mac_biba_parse_element(&mac_biba->mb_rangehigh,
+ error = mac_lomac_parse_element(&mac_lomac->ml_rangehigh,
rangehigh);
if (error)
return (error);
- mac_biba->mb_flags |= MAC_BIBA_FLAG_RANGE;
+ mac_lomac->ml_flags |= MAC_LOMAC_FLAG_RANGE;
}
- error = mac_biba_valid(mac_biba);
+ error = mac_lomac_valid(mac_lomac);
if (error)
return (error);
@@ -759,29 +742,29 @@
}
static int
-mac_biba_internalize_label(struct label *label, char *element_name,
+mac_lomac_internalize_label(struct label *label, char *element_name,
char *element_data, int *claimed)
{
- struct mac_biba *mac_biba, mac_biba_temp;
+ struct mac_lomac *mac_lomac, mac_lomac_temp;
int error;
- if (strcmp(MAC_BIBA_LABEL_NAME, element_name) != 0)
+ if (strcmp(MAC_LOMAC_LABEL_NAME, element_name) != 0)
return (0);
(*claimed)++;
- error = mac_biba_parse(&mac_biba_temp, element_data);
+ error = mac_lomac_parse(&mac_lomac_temp, element_data);
if (error)
return (error);
- mac_biba = SLOT(label);
- *mac_biba = mac_biba_temp;
+ mac_lomac = SLOT(label);
+ *mac_lomac = mac_lomac_temp;
return (0);
}
static void
-mac_biba_copy_label(struct label *src, struct label *dest)
+mac_lomac_copy_label(struct label *src, struct label *dest)
{
*SLOT(dest) = *SLOT(src);
@@ -792,127 +775,127 @@
* a lot like file system objects.
*/
static void
-mac_biba_create_devfs_device(dev_t dev, struct devfs_dirent *devfs_dirent,
+mac_lomac_create_devfs_device(dev_t dev, struct devfs_dirent *devfs_dirent,
struct label *label)
{
- struct mac_biba *mac_biba;
- int biba_type;
+ struct mac_lomac *mac_lomac;
+ int lomac_type;
- mac_biba = SLOT(label);
+ mac_lomac = SLOT(label);
if (strcmp(dev->si_name, "null") == 0 ||
strcmp(dev->si_name, "zero") == 0 ||
strcmp(dev->si_name, "random") == 0 ||
strncmp(dev->si_name, "fd/", strlen("fd/")) == 0)
- biba_type = MAC_BIBA_TYPE_EQUAL;
+ lomac_type = MAC_LOMAC_TYPE_EQUAL;
else if (ptys_equal &&
(strncmp(dev->si_name, "ttyp", strlen("ttyp")) == 0 ||
strncmp(dev->si_name, "ptyp", strlen("ptyp")) == 0))
- biba_type = MAC_BIBA_TYPE_EQUAL;
+ lomac_type = MAC_LOMAC_TYPE_EQUAL;
else
- biba_type = MAC_BIBA_TYPE_HIGH;
- mac_biba_set_single(mac_biba, biba_type, 0, NULL);
+ lomac_type = MAC_LOMAC_TYPE_HIGH;
+ mac_lomac_set_single(mac_lomac, lomac_type, 0, NULL);
}
static void
-mac_biba_create_devfs_directory(char *dirname, int dirnamelen,
+mac_lomac_create_devfs_directory(char *dirname, int dirnamelen,
struct devfs_dirent *devfs_dirent, struct label *label)
{
- struct mac_biba *mac_biba;
+ struct mac_lomac *mac_lomac;
- mac_biba = SLOT(label);
- mac_biba_set_single(mac_biba, MAC_BIBA_TYPE_HIGH, 0, NULL);
+ mac_lomac = SLOT(label);
+ mac_lomac_set_single(mac_lomac, MAC_LOMAC_TYPE_HIGH, 0, NULL);
}
static void
-mac_biba_create_devfs_symlink(struct ucred *cred, struct devfs_dirent *dd,
+mac_lomac_create_devfs_symlink(struct ucred *cred, struct devfs_dirent *dd,
struct label *ddlabel, struct devfs_dirent *de, struct label *delabel)
{
- struct mac_biba *source, *dest;
+ struct mac_lomac *source, *dest;
source = SLOT(&cred->cr_label);
dest = SLOT(delabel);
- mac_biba_copy_single(source, dest);
+ mac_lomac_copy_single(source, dest);
}
static void
-mac_biba_create_devfs_vnode(struct devfs_dirent *devfs_dirent,
+mac_lomac_create_devfs_vnode(struct devfs_dirent *devfs_dirent,
struct label *direntlabel, struct vnode *vp, struct label *vnodelabel)
{
- struct mac_biba *source, *dest;
+ struct mac_lomac *source, *dest;
source = SLOT(direntlabel);
dest = SLOT(vnodelabel);
- mac_biba_copy_single(source, dest);
+ mac_lomac_copy_single(source, dest);
}
static void
-mac_biba_create_vnode(struct ucred *cred, struct vnode *parent,
+mac_lomac_create_vnode(struct ucred *cred, struct vnode *parent,
struct label *parentlabel, struct vnode *child, struct label *childlabel)
{
- struct mac_biba *source, *dest;
>>> TRUNCATED FOR MAIL (1000 lines) <<<
To Unsubscribe: send mail to majordomo at trustedbsd.org
with "unsubscribe trustedbsd-cvs" in the body of the message
More information about the trustedbsd-cvs
mailing list