PERFORCE change 20423 for review
Robert Watson
rwatson at freebsd.org
Wed Oct 30 16:30:40 GMT 2002
http://perforce.freebsd.org/chv.cgi?CH=20423
Change 20423 by rwatson at rwatson_tislabs on 2002/10/30 08:29:58
Move to C99 sparse structure initialization for the mac_policy_ops
structure definition, rather than using an operation vector
we translate into the structure. Originally, we used a vector
for two reasons:
(1) We wanted to define the structure sparsely, which wasn't
supported by the C compiler for structures. For a policy
with five entry points, you don't want to have to stick in
a few hundred NULL function pointers.
(2) We thought it would improve ABI compatibility allowing modules
to work with kernels that had a superset of the entry points
defined in the module, even if the kernel had changed its
entry point set.
Both of these no longer apply:
(1) C99 gives us a way to sparsely define a static structure.
(2) The ABI problems existed anyway, due to enumeration numbers,
argument changes, and semantic mismatches. Since the going
rule for FreeBSD is that you really need your modules to
pretty closely match your kernel, it's not worth the
complexity.
This submit eliminates the operation vector, the dynamic allocation
of the operation structure, and the copying of the vector into the
structure, and converts the operation vectors in each policy into
direct structure definitions.
One huge benefit of this change is that we now get decent
type checking on the policy entry points, hence the large
round of prototype synchronization and bug fixes I submitted
over the last couple of hours as I adapted for these changes.
Affected files ...
.. //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#341 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#172 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_bsdextended/mac_bsdextended.c#60 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_ifoff/mac_ifoff.c#16 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.c#28 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#137 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_none/mac_none.c#97 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_partition/mac_partition.c#18 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_seeotheruids/mac_seeotheruids.c#16 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#72 edit
.. //depot/projects/trustedbsd/mac/sys/security/sebsd/sebsd.c#55 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#159 edit
Differences ...
==== //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#341 (text+ko) ====
@@ -474,623 +474,16 @@
mac_policy_register(struct mac_policy_conf *mpc)
{
struct mac_policy_conf *tmpc;
- struct mac_policy_op_entry *mpe;
int slot;
- MALLOC(mpc->mpc_ops, struct mac_policy_ops *, sizeof(*mpc->mpc_ops),
- M_MACOPVEC, M_WAITOK | M_ZERO);
- for (mpe = mpc->mpc_entries; mpe->mpe_constant != MAC_OP_LAST; mpe++) {
- switch (mpe->mpe_constant) {
- case MAC_OP_LAST:
- /*
- * Doesn't actually happen, but this allows checking
- * that all enumerated values are handled.
- */
- break;
- case MAC_DESTROY:
- mpc->mpc_ops->mpo_destroy =
- mpe->mpe_function;
- break;
- case MAC_INIT:
- mpc->mpc_ops->mpo_init =
- mpe->mpe_function;
- break;
- case MAC_SYSCALL:
- mpc->mpc_ops->mpo_syscall =
- mpe->mpe_function;
- break;
- case MAC_INIT_BPFDESC_LABEL:
- mpc->mpc_ops->mpo_init_bpfdesc_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_CRED_LABEL:
- mpc->mpc_ops->mpo_init_cred_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_DEVFSDIRENT_LABEL:
- mpc->mpc_ops->mpo_init_devfsdirent_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_IFNET_LABEL:
- mpc->mpc_ops->mpo_init_ifnet_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_IPQ_LABEL:
- mpc->mpc_ops->mpo_init_ipq_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_MBUF_LABEL:
- mpc->mpc_ops->mpo_init_mbuf_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_MOUNT_LABEL:
- mpc->mpc_ops->mpo_init_mount_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_MOUNT_FS_LABEL:
- mpc->mpc_ops->mpo_init_mount_fs_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_PIPE_LABEL:
- mpc->mpc_ops->mpo_init_pipe_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_PROC:
- mpc->mpc_ops->mpo_init_proc =
- mpe->mpe_function;
- break;
- case MAC_INIT_SOCKET_LABEL:
- mpc->mpc_ops->mpo_init_socket_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_SOCKET_PEER_LABEL:
- mpc->mpc_ops->mpo_init_socket_peer_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_VNODE_LABEL:
- mpc->mpc_ops->mpo_init_vnode_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_BPFDESC_LABEL:
- mpc->mpc_ops->mpo_destroy_bpfdesc_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_CRED_LABEL:
- mpc->mpc_ops->mpo_destroy_cred_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_DEVFSDIRENT_LABEL:
- mpc->mpc_ops->mpo_destroy_devfsdirent_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_IFNET_LABEL:
- mpc->mpc_ops->mpo_destroy_ifnet_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_IPQ_LABEL:
- mpc->mpc_ops->mpo_destroy_ipq_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_MBUF_LABEL:
- mpc->mpc_ops->mpo_destroy_mbuf_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_MOUNT_LABEL:
- mpc->mpc_ops->mpo_destroy_mount_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_MOUNT_FS_LABEL:
- mpc->mpc_ops->mpo_destroy_mount_fs_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_PIPE_LABEL:
- mpc->mpc_ops->mpo_destroy_pipe_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_PROC:
- mpc->mpc_ops->mpo_destroy_proc =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_SOCKET_LABEL:
- mpc->mpc_ops->mpo_destroy_socket_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_SOCKET_PEER_LABEL:
- mpc->mpc_ops->mpo_destroy_socket_peer_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_VNODE_LABEL:
- mpc->mpc_ops->mpo_destroy_vnode_label =
- mpe->mpe_function;
- break;
- case MAC_COPY_PIPE_LABEL:
- mpc->mpc_ops->mpo_copy_pipe_label =
- mpe->mpe_function;
- break;
- case MAC_COPY_VNODE_LABEL:
- mpc->mpc_ops->mpo_copy_vnode_label =
- mpe->mpe_function;
- break;
- case MAC_EXTERNALIZE_CRED_LABEL:
- mpc->mpc_ops->mpo_externalize_cred_label =
- mpe->mpe_function;
- break;
- case MAC_EXTERNALIZE_IFNET_LABEL:
- mpc->mpc_ops->mpo_externalize_ifnet_label =
- mpe->mpe_function;
- break;
- case MAC_EXTERNALIZE_PIPE_LABEL:
- mpc->mpc_ops->mpo_externalize_pipe_label =
- mpe->mpe_function;
- break;
- case MAC_EXTERNALIZE_SOCKET_LABEL:
- mpc->mpc_ops->mpo_externalize_socket_label =
- mpe->mpe_function;
- break;
- case MAC_EXTERNALIZE_SOCKET_PEER_LABEL:
- mpc->mpc_ops->mpo_externalize_socket_peer_label =
- mpe->mpe_function;
- break;
- case MAC_EXTERNALIZE_VNODE_LABEL:
- mpc->mpc_ops->mpo_externalize_vnode_label =
- mpe->mpe_function;
- break;
- case MAC_INTERNALIZE_CRED_LABEL:
- mpc->mpc_ops->mpo_internalize_cred_label =
- mpe->mpe_function;
- break;
- case MAC_INTERNALIZE_IFNET_LABEL:
- mpc->mpc_ops->mpo_internalize_ifnet_label =
- mpe->mpe_function;
- break;
- case MAC_INTERNALIZE_PIPE_LABEL:
- mpc->mpc_ops->mpo_internalize_pipe_label =
- mpe->mpe_function;
- break;
- case MAC_INTERNALIZE_SOCKET_LABEL:
- mpc->mpc_ops->mpo_internalize_socket_label =
- mpe->mpe_function;
- break;
- case MAC_INTERNALIZE_VNODE_LABEL:
- mpc->mpc_ops->mpo_internalize_vnode_label =
- mpe->mpe_function;
- break;
- case MAC_CREATE_DEVFS_DEVICE:
- mpc->mpc_ops->mpo_create_devfs_device =
- mpe->mpe_function;
- break;
- case MAC_CREATE_DEVFS_DIRECTORY:
- mpc->mpc_ops->mpo_create_devfs_directory =
- mpe->mpe_function;
- break;
- case MAC_CREATE_DEVFS_SYMLINK:
- mpc->mpc_ops->mpo_create_devfs_symlink =
- mpe->mpe_function;
- break;
- case MAC_CREATE_DEVFS_VNODE:
- mpc->mpc_ops->mpo_create_devfs_vnode =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MOUNT:
- mpc->mpc_ops->mpo_create_mount =
- mpe->mpe_function;
- break;
- case MAC_CREATE_ROOT_MOUNT:
- mpc->mpc_ops->mpo_create_root_mount =
- mpe->mpe_function;
- break;
- case MAC_RELABEL_VNODE:
- mpc->mpc_ops->mpo_relabel_vnode =
- mpe->mpe_function;
- break;
- case MAC_UPDATE_DEVFSDIRENT:
- mpc->mpc_ops->mpo_update_devfsdirent =
- mpe->mpe_function;
- break;
- case MAC_ASSOCIATE_VNODE_DEVFS:
- mpc->mpc_ops->mpo_associate_vnode_devfs =
- mpe->mpe_function;
- break;
- case MAC_ASSOCIATE_VNODE_EXTATTR:
- mpc->mpc_ops->mpo_associate_vnode_extattr =
- mpe->mpe_function;
- break;
- case MAC_ASSOCIATE_VNODE_SINGLELABEL:
- mpc->mpc_ops->mpo_associate_vnode_singlelabel =
- mpe->mpe_function;
- break;
- case MAC_CREATE_VNODE_EXTATTR:
- mpc->mpc_ops->mpo_create_vnode_extattr =
- mpe->mpe_function;
- break;
- case MAC_SETLABEL_VNODE_EXTATTR:
- mpc->mpc_ops->mpo_setlabel_vnode_extattr =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MBUF_FROM_SOCKET:
- mpc->mpc_ops->mpo_create_mbuf_from_socket =
- mpe->mpe_function;
- break;
- case MAC_CREATE_PIPE:
- mpc->mpc_ops->mpo_create_pipe =
- mpe->mpe_function;
- break;
- case MAC_CREATE_SOCKET:
- mpc->mpc_ops->mpo_create_socket =
- mpe->mpe_function;
- break;
- case MAC_CREATE_SOCKET_FROM_SOCKET:
- mpc->mpc_ops->mpo_create_socket_from_socket =
- mpe->mpe_function;
- break;
- case MAC_RELABEL_PIPE:
- mpc->mpc_ops->mpo_relabel_pipe =
- mpe->mpe_function;
- break;
- case MAC_RELABEL_SOCKET:
- mpc->mpc_ops->mpo_relabel_socket =
- mpe->mpe_function;
- break;
- case MAC_SET_SOCKET_PEER_FROM_MBUF:
- mpc->mpc_ops->mpo_set_socket_peer_from_mbuf =
- mpe->mpe_function;
- break;
- case MAC_SET_SOCKET_PEER_FROM_SOCKET:
- mpc->mpc_ops->mpo_set_socket_peer_from_socket =
- mpe->mpe_function;
- break;
- case MAC_CREATE_BPFDESC:
- mpc->mpc_ops->mpo_create_bpfdesc =
- mpe->mpe_function;
- break;
- case MAC_CREATE_DATAGRAM_FROM_IPQ:
- mpc->mpc_ops->mpo_create_datagram_from_ipq =
- mpe->mpe_function;
- break;
- case MAC_CREATE_FRAGMENT:
- mpc->mpc_ops->mpo_create_fragment =
- mpe->mpe_function;
- break;
- case MAC_CREATE_IFNET:
- mpc->mpc_ops->mpo_create_ifnet =
- mpe->mpe_function;
- break;
- case MAC_CREATE_IPQ:
- mpc->mpc_ops->mpo_create_ipq =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MBUF_FROM_MBUF:
- mpc->mpc_ops->mpo_create_mbuf_from_mbuf =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MBUF_LINKLAYER:
- mpc->mpc_ops->mpo_create_mbuf_linklayer =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MBUF_FROM_BPFDESC:
- mpc->mpc_ops->mpo_create_mbuf_from_bpfdesc =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MBUF_FROM_IFNET:
- mpc->mpc_ops->mpo_create_mbuf_from_ifnet =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MBUF_MULTICAST_ENCAP:
- mpc->mpc_ops->mpo_create_mbuf_multicast_encap =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MBUF_NETLAYER:
- mpc->mpc_ops->mpo_create_mbuf_netlayer =
- mpe->mpe_function;
- break;
- case MAC_FRAGMENT_MATCH:
- mpc->mpc_ops->mpo_fragment_match =
- mpe->mpe_function;
- break;
- case MAC_RELABEL_IFNET:
- mpc->mpc_ops->mpo_relabel_ifnet =
- mpe->mpe_function;
- break;
- case MAC_UPDATE_IPQ:
- mpc->mpc_ops->mpo_update_ipq =
- mpe->mpe_function;
- break;
- case MAC_CREATE_CRED:
- mpc->mpc_ops->mpo_create_cred =
- mpe->mpe_function;
- break;
- case MAC_EXECVE_TRANSITION:
- mpc->mpc_ops->mpo_execve_transition =
- mpe->mpe_function;
- break;
- case MAC_EXECVE_WILL_TRANSITION:
- mpc->mpc_ops->mpo_execve_will_transition =
- mpe->mpe_function;
- break;
- case MAC_CREATE_PROC0:
- mpc->mpc_ops->mpo_create_proc0 =
- mpe->mpe_function;
- break;
- case MAC_CREATE_PROC1:
- mpc->mpc_ops->mpo_create_proc1 =
- mpe->mpe_function;
- break;
- case MAC_RELABEL_CRED:
- mpc->mpc_ops->mpo_relabel_cred =
- mpe->mpe_function;
- break;
- case MAC_THREAD_USERRET:
- mpc->mpc_ops->mpo_thread_userret =
- mpe->mpe_function;
- break;
- case MAC_CHECK_BPFDESC_RECEIVE:
- mpc->mpc_ops->mpo_check_bpfdesc_receive =
- mpe->mpe_function;
- break;
- case MAC_CHECK_CRED_RELABEL:
- mpc->mpc_ops->mpo_check_cred_relabel =
- mpe->mpe_function;
- break;
- case MAC_CHECK_CRED_VISIBLE:
- mpc->mpc_ops->mpo_check_cred_visible =
- mpe->mpe_function;
- break;
- case MAC_CHECK_IFNET_RELABEL:
- mpc->mpc_ops->mpo_check_ifnet_relabel =
- mpe->mpe_function;
- break;
- case MAC_CHECK_IFNET_TRANSMIT:
- mpc->mpc_ops->mpo_check_ifnet_transmit =
- mpe->mpe_function;
- break;
- case MAC_CHECK_KENV_DUMP:
- mpc->mpc_ops->mpo_check_kenv_dump =
- mpe->mpe_function;
- break;
- case MAC_CHECK_KENV_GET:
- mpc->mpc_ops->mpo_check_kenv_get =
- mpe->mpe_function;
- break;
- case MAC_CHECK_KENV_SET:
- mpc->mpc_ops->mpo_check_kenv_set =
- mpe->mpe_function;
- break;
- case MAC_CHECK_KENV_UNSET:
- mpc->mpc_ops->mpo_check_kenv_unset =
- mpe->mpe_function;
- break;
- case MAC_CHECK_MOUNT_STAT:
- mpc->mpc_ops->mpo_check_mount_stat =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PIPE_IOCTL:
- mpc->mpc_ops->mpo_check_pipe_ioctl =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PIPE_POLL:
- mpc->mpc_ops->mpo_check_pipe_poll =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PIPE_READ:
- mpc->mpc_ops->mpo_check_pipe_read =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PIPE_RELABEL:
- mpc->mpc_ops->mpo_check_pipe_relabel =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PIPE_STAT:
- mpc->mpc_ops->mpo_check_pipe_stat =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PIPE_WRITE:
- mpc->mpc_ops->mpo_check_pipe_write =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PROC_DEBUG:
- mpc->mpc_ops->mpo_check_proc_debug =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PROC_SCHED:
- mpc->mpc_ops->mpo_check_proc_sched =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PROC_SIGNAL:
- mpc->mpc_ops->mpo_check_proc_signal =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_BIND:
- mpc->mpc_ops->mpo_check_socket_bind =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_CONNECT:
- mpc->mpc_ops->mpo_check_socket_connect =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_DELIVER:
- mpc->mpc_ops->mpo_check_socket_deliver =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_LISTEN:
- mpc->mpc_ops->mpo_check_socket_listen =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_RECEIVE:
- mpc->mpc_ops->mpo_check_socket_receive =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_RELABEL:
- mpc->mpc_ops->mpo_check_socket_relabel =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_SEND:
- mpc->mpc_ops->mpo_check_socket_send =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_VISIBLE:
- mpc->mpc_ops->mpo_check_socket_visible =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SYSTEM_ACCT:
- mpc->mpc_ops->mpo_check_system_acct =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SYSTEM_REBOOT:
- mpc->mpc_ops->mpo_check_system_reboot =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SYSTEM_SWAPON:
- mpc->mpc_ops->mpo_check_system_swapon =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SYSTEM_SYSCTL:
- mpc->mpc_ops->mpo_check_system_sysctl =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_ACCESS:
- mpc->mpc_ops->mpo_check_vnode_access =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_CHDIR:
- mpc->mpc_ops->mpo_check_vnode_chdir =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_CHROOT:
- mpc->mpc_ops->mpo_check_vnode_chroot =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_CREATE:
- mpc->mpc_ops->mpo_check_vnode_create =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_DELETE:
- mpc->mpc_ops->mpo_check_vnode_delete =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_DELETEACL:
- mpc->mpc_ops->mpo_check_vnode_deleteacl =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_EXEC:
- mpc->mpc_ops->mpo_check_vnode_exec =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_GETACL:
- mpc->mpc_ops->mpo_check_vnode_getacl =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_GETEXTATTR:
- mpc->mpc_ops->mpo_check_vnode_getextattr =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_LINK:
- mpc->mpc_ops->mpo_check_vnode_link =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_LOOKUP:
- mpc->mpc_ops->mpo_check_vnode_lookup =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_MMAP:
- mpc->mpc_ops->mpo_check_vnode_mmap =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_MMAP_DOWNGRADE:
- mpc->mpc_ops->mpo_check_vnode_mmap_downgrade =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_MPROTECT:
- mpc->mpc_ops->mpo_check_vnode_mprotect =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_OPEN:
- mpc->mpc_ops->mpo_check_vnode_open =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_POLL:
- mpc->mpc_ops->mpo_check_vnode_poll =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_READ:
- mpc->mpc_ops->mpo_check_vnode_read =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_READDIR:
- mpc->mpc_ops->mpo_check_vnode_readdir =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_READLINK:
- mpc->mpc_ops->mpo_check_vnode_readlink =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_RELABEL:
- mpc->mpc_ops->mpo_check_vnode_relabel =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_RENAME_FROM:
- mpc->mpc_ops->mpo_check_vnode_rename_from =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_RENAME_TO:
- mpc->mpc_ops->mpo_check_vnode_rename_to =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_REVOKE:
- mpc->mpc_ops->mpo_check_vnode_revoke =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_SETACL:
- mpc->mpc_ops->mpo_check_vnode_setacl =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_SETEXTATTR:
- mpc->mpc_ops->mpo_check_vnode_setextattr =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_SETFLAGS:
- mpc->mpc_ops->mpo_check_vnode_setflags =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_SETMODE:
- mpc->mpc_ops->mpo_check_vnode_setmode =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_SETOWNER:
- mpc->mpc_ops->mpo_check_vnode_setowner =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_SETUTIMES:
- mpc->mpc_ops->mpo_check_vnode_setutimes =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_STAT:
- mpc->mpc_ops->mpo_check_vnode_stat =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_WRITE:
- mpc->mpc_ops->mpo_check_vnode_write =
- mpe->mpe_function;
- break;
-/*
- default:
- printf("MAC policy `%s': unknown operation %d\n",
- mpc->mpc_name, mpe->mpe_constant);
- return (EINVAL);
-*/
- }
- }
MAC_POLICY_LIST_LOCK();
if (mac_policy_list_busy > 0) {
MAC_POLICY_LIST_UNLOCK();
- FREE(mpc->mpc_ops, M_MACOPVEC);
- mpc->mpc_ops = NULL;
return (EBUSY);
}
LIST_FOREACH(tmpc, &mac_policy_list, mpc_list) {
if (strcmp(tmpc->mpc_name, mpc->mpc_name) == 0) {
MAC_POLICY_LIST_UNLOCK();
- FREE(mpc->mpc_ops, M_MACOPVEC);
- mpc->mpc_ops = NULL;
return (EEXIST);
}
}
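Review bot: With the operation vector gone, mac_policy_register no longer validates the ops the module hands in: the old loop at least guaranteed that mpc->mpc_ops was a freshly zeroed kernel allocation, whereas the new code takes mpc->mpc_ops as supplied by the module and never checks it before the policy is linked onto mac_policy_list. If a policy's conf leaves mpc_ops NULL (presumably it is now expected to point at the module's static struct mac_policy_ops, as the mac_biba hunk below defines), every later dispatch through the entry-point macros would likely dereference NULL inside the kernel. A guard such as `if (mpc->mpc_ops == NULL) return (EINVAL);` placed before MAC_POLICY_LIST_LOCK(), or a KASSERT at the same spot if that matches the file's conventions, costs nothing and turns a silent panic into a failed module load. The commented-out `default:` branch that returned EINVAL for unknown operations disappears with the switch, but its intent, rejecting a malformed registration early, still applies to the new code. mac_policy_register's body continues past the end of this hunk.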
@@ -1098,8 +491,6 @@
slot = ffs(mac_policy_offsets_free);
if (slot == 0) {
MAC_POLICY_LIST_UNLOCK();
- FREE(mpc->mpc_ops, M_MACOPVEC);
- mpc->mpc_ops = NULL;
return (ENOMEM);
}
slot--;
@@ -1166,8 +557,6 @@
LIST_REMOVE(mpc, mpc_list);
MAC_POLICY_LIST_UNLOCK();
- FREE(mpc->mpc_ops, M_MACOPVEC);
- mpc->mpc_ops = NULL;
mpc->mpc_runtime_flags &= ~MPC_RUNTIME_FLAG_REGISTERED;
printf("Security policy unload: %s (%s)\n", mpc->mpc_fullname,
==== //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#172 (text+ko) ====
@@ -1804,7 +1804,7 @@
}
static int
-mac_biba_check_socket_relabel(struct ucred *cred, struct socket *socket,
+mac_biba_check_socket_relabel(struct ucred *cred, struct socket *so,
struct label *socketlabel, struct label *newlabel)
{
struct mac_biba *subj, *obj, *new;
@@ -2533,272 +2533,140 @@
return (0);
}
-static struct mac_policy_op_entry mac_biba_ops[] =
+static struct mac_policy_ops mac_biba_ops =
{
- { MAC_DESTROY,
- (macop_t)mac_biba_destroy },
- { MAC_INIT,
- (macop_t)mac_biba_init },
- { MAC_INIT_BPFDESC_LABEL,
- (macop_t)mac_biba_init_label },
- { MAC_INIT_CRED_LABEL,
- (macop_t)mac_biba_init_label },
- { MAC_INIT_DEVFSDIRENT_LABEL,
- (macop_t)mac_biba_init_label },
- { MAC_INIT_IFNET_LABEL,
- (macop_t)mac_biba_init_label },
- { MAC_INIT_IPQ_LABEL,
- (macop_t)mac_biba_init_label },
- { MAC_INIT_MBUF_LABEL,
- (macop_t)mac_biba_init_label_waitcheck },
- { MAC_INIT_MOUNT_LABEL,
- (macop_t)mac_biba_init_label },
- { MAC_INIT_MOUNT_FS_LABEL,
- (macop_t)mac_biba_init_label },
- { MAC_INIT_PIPE_LABEL,
- (macop_t)mac_biba_init_label },
- { MAC_INIT_SOCKET_LABEL,
- (macop_t)mac_biba_init_label_waitcheck },
- { MAC_INIT_SOCKET_PEER_LABEL,
- (macop_t)mac_biba_init_label_waitcheck },
- { MAC_INIT_VNODE_LABEL,
- (macop_t)mac_biba_init_label },
- { MAC_DESTROY_BPFDESC_LABEL,
- (macop_t)mac_biba_destroy_label },
- { MAC_DESTROY_CRED_LABEL,
- (macop_t)mac_biba_destroy_label },
- { MAC_DESTROY_DEVFSDIRENT_LABEL,
- (macop_t)mac_biba_destroy_label },
- { MAC_DESTROY_IFNET_LABEL,
- (macop_t)mac_biba_destroy_label },
- { MAC_DESTROY_IPQ_LABEL,
- (macop_t)mac_biba_destroy_label },
- { MAC_DESTROY_MBUF_LABEL,
- (macop_t)mac_biba_destroy_label },
- { MAC_DESTROY_MOUNT_LABEL,
- (macop_t)mac_biba_destroy_label },
- { MAC_DESTROY_MOUNT_FS_LABEL,
- (macop_t)mac_biba_destroy_label },
- { MAC_DESTROY_PIPE_LABEL,
- (macop_t)mac_biba_destroy_label },
- { MAC_DESTROY_SOCKET_LABEL,
- (macop_t)mac_biba_destroy_label },
- { MAC_DESTROY_SOCKET_PEER_LABEL,
- (macop_t)mac_biba_destroy_label },
- { MAC_DESTROY_VNODE_LABEL,
- (macop_t)mac_biba_destroy_label },
- { MAC_COPY_PIPE_LABEL,
- (macop_t)mac_biba_copy_label },
- { MAC_COPY_VNODE_LABEL,
- (macop_t)mac_biba_copy_label },
- { MAC_EXTERNALIZE_CRED_LABEL,
- (macop_t)mac_biba_externalize_label },
- { MAC_EXTERNALIZE_IFNET_LABEL,
- (macop_t)mac_biba_externalize_label },
- { MAC_EXTERNALIZE_PIPE_LABEL,
- (macop_t)mac_biba_externalize_label },
- { MAC_EXTERNALIZE_SOCKET_LABEL,
- (macop_t)mac_biba_externalize_label },
- { MAC_EXTERNALIZE_SOCKET_PEER_LABEL,
- (macop_t)mac_biba_externalize_label },
- { MAC_EXTERNALIZE_VNODE_LABEL,
- (macop_t)mac_biba_externalize_label },
- { MAC_INTERNALIZE_CRED_LABEL,
- (macop_t)mac_biba_internalize_label },
- { MAC_INTERNALIZE_IFNET_LABEL,
- (macop_t)mac_biba_internalize_label },
- { MAC_INTERNALIZE_PIPE_LABEL,
- (macop_t)mac_biba_internalize_label },
- { MAC_INTERNALIZE_SOCKET_LABEL,
- (macop_t)mac_biba_internalize_label },
- { MAC_INTERNALIZE_VNODE_LABEL,
- (macop_t)mac_biba_internalize_label },
- { MAC_CREATE_DEVFS_DEVICE,
- (macop_t)mac_biba_create_devfs_device },
- { MAC_CREATE_DEVFS_DIRECTORY,
- (macop_t)mac_biba_create_devfs_directory },
- { MAC_CREATE_DEVFS_SYMLINK,
- (macop_t)mac_biba_create_devfs_symlink },
- { MAC_CREATE_DEVFS_VNODE,
- (macop_t)mac_biba_create_devfs_vnode },
- { MAC_CREATE_MOUNT,
- (macop_t)mac_biba_create_mount },
- { MAC_CREATE_ROOT_MOUNT,
- (macop_t)mac_biba_create_root_mount },
- { MAC_RELABEL_VNODE,
- (macop_t)mac_biba_relabel_vnode },
- { MAC_UPDATE_DEVFSDIRENT,
- (macop_t)mac_biba_update_devfsdirent },
- { MAC_ASSOCIATE_VNODE_DEVFS,
- (macop_t)mac_biba_associate_vnode_devfs },
- { MAC_ASSOCIATE_VNODE_EXTATTR,
- (macop_t)mac_biba_associate_vnode_extattr },
- { MAC_ASSOCIATE_VNODE_SINGLELABEL,
- (macop_t)mac_biba_associate_vnode_singlelabel },
- { MAC_CREATE_VNODE_EXTATTR,
- (macop_t)mac_biba_create_vnode_extattr },
- { MAC_SETLABEL_VNODE_EXTATTR,
- (macop_t)mac_biba_setlabel_vnode_extattr },
- { MAC_CREATE_MBUF_FROM_SOCKET,
- (macop_t)mac_biba_create_mbuf_from_socket },
- { MAC_CREATE_PIPE,
- (macop_t)mac_biba_create_pipe },
- { MAC_CREATE_SOCKET,
- (macop_t)mac_biba_create_socket },
- { MAC_CREATE_SOCKET_FROM_SOCKET,
- (macop_t)mac_biba_create_socket_from_socket },
- { MAC_RELABEL_PIPE,
- (macop_t)mac_biba_relabel_pipe },
- { MAC_RELABEL_SOCKET,
- (macop_t)mac_biba_relabel_socket },
- { MAC_SET_SOCKET_PEER_FROM_MBUF,
- (macop_t)mac_biba_set_socket_peer_from_mbuf },
- { MAC_SET_SOCKET_PEER_FROM_SOCKET,
- (macop_t)mac_biba_set_socket_peer_from_socket },
- { MAC_CREATE_BPFDESC,
- (macop_t)mac_biba_create_bpfdesc },
- { MAC_CREATE_DATAGRAM_FROM_IPQ,
- (macop_t)mac_biba_create_datagram_from_ipq },
- { MAC_CREATE_FRAGMENT,
- (macop_t)mac_biba_create_fragment },
- { MAC_CREATE_IFNET,
- (macop_t)mac_biba_create_ifnet },
- { MAC_CREATE_IPQ,
- (macop_t)mac_biba_create_ipq },
- { MAC_CREATE_MBUF_FROM_MBUF,
- (macop_t)mac_biba_create_mbuf_from_mbuf },
- { MAC_CREATE_MBUF_LINKLAYER,
- (macop_t)mac_biba_create_mbuf_linklayer },
- { MAC_CREATE_MBUF_FROM_BPFDESC,
- (macop_t)mac_biba_create_mbuf_from_bpfdesc },
- { MAC_CREATE_MBUF_FROM_IFNET,
- (macop_t)mac_biba_create_mbuf_from_ifnet },
- { MAC_CREATE_MBUF_MULTICAST_ENCAP,
- (macop_t)mac_biba_create_mbuf_multicast_encap },
- { MAC_CREATE_MBUF_NETLAYER,
- (macop_t)mac_biba_create_mbuf_netlayer },
- { MAC_FRAGMENT_MATCH,
- (macop_t)mac_biba_fragment_match },
- { MAC_RELABEL_IFNET,
- (macop_t)mac_biba_relabel_ifnet },
- { MAC_UPDATE_IPQ,
- (macop_t)mac_biba_update_ipq },
- { MAC_CREATE_CRED,
- (macop_t)mac_biba_create_cred },
- { MAC_EXECVE_TRANSITION,
- (macop_t)mac_biba_execve_transition },
- { MAC_EXECVE_WILL_TRANSITION,
- (macop_t)mac_biba_execve_will_transition },
- { MAC_CREATE_PROC0,
- (macop_t)mac_biba_create_proc0 },
- { MAC_CREATE_PROC1,
- (macop_t)mac_biba_create_proc1 },
- { MAC_RELABEL_CRED,
- (macop_t)mac_biba_relabel_cred },
- { MAC_CHECK_BPFDESC_RECEIVE,
- (macop_t)mac_biba_check_bpfdesc_receive },
- { MAC_CHECK_CRED_RELABEL,
- (macop_t)mac_biba_check_cred_relabel },
- { MAC_CHECK_CRED_VISIBLE,
- (macop_t)mac_biba_check_cred_visible },
- { MAC_CHECK_IFNET_RELABEL,
- (macop_t)mac_biba_check_ifnet_relabel },
- { MAC_CHECK_IFNET_TRANSMIT,
- (macop_t)mac_biba_check_ifnet_transmit },
- { MAC_CHECK_MOUNT_STAT,
- (macop_t)mac_biba_check_mount_stat },
- { MAC_CHECK_PIPE_IOCTL,
- (macop_t)mac_biba_check_pipe_ioctl },
- { MAC_CHECK_PIPE_POLL,
- (macop_t)mac_biba_check_pipe_poll },
- { MAC_CHECK_PIPE_READ,
- (macop_t)mac_biba_check_pipe_read },
- { MAC_CHECK_PIPE_RELABEL,
- (macop_t)mac_biba_check_pipe_relabel },
- { MAC_CHECK_PIPE_STAT,
- (macop_t)mac_biba_check_pipe_stat },
- { MAC_CHECK_PIPE_WRITE,
- (macop_t)mac_biba_check_pipe_write },
- { MAC_CHECK_PROC_DEBUG,
- (macop_t)mac_biba_check_proc_debug },
- { MAC_CHECK_PROC_SCHED,
- (macop_t)mac_biba_check_proc_sched },
- { MAC_CHECK_PROC_SIGNAL,
- (macop_t)mac_biba_check_proc_signal },
- { MAC_CHECK_SOCKET_DELIVER,
- (macop_t)mac_biba_check_socket_deliver },
- { MAC_CHECK_SOCKET_RELABEL,
- (macop_t)mac_biba_check_socket_relabel },
- { MAC_CHECK_SOCKET_VISIBLE,
- (macop_t)mac_biba_check_socket_visible },
- { MAC_CHECK_SYSTEM_ACCT,
- (macop_t)mac_biba_check_system_acct },
- { MAC_CHECK_SYSTEM_SWAPON,
- (macop_t)mac_biba_check_system_swapon },
- { MAC_CHECK_SYSTEM_SYSCTL,
- (macop_t)mac_biba_check_system_sysctl },
- { MAC_CHECK_VNODE_ACCESS,
- (macop_t)mac_biba_check_vnode_open },
- { MAC_CHECK_VNODE_CHDIR,
- (macop_t)mac_biba_check_vnode_chdir },
- { MAC_CHECK_VNODE_CHROOT,
- (macop_t)mac_biba_check_vnode_chroot },
- { MAC_CHECK_VNODE_CREATE,
- (macop_t)mac_biba_check_vnode_create },
- { MAC_CHECK_VNODE_DELETE,
- (macop_t)mac_biba_check_vnode_delete },
- { MAC_CHECK_VNODE_DELETEACL,
- (macop_t)mac_biba_check_vnode_deleteacl },
- { MAC_CHECK_VNODE_EXEC,
- (macop_t)mac_biba_check_vnode_exec },
- { MAC_CHECK_VNODE_GETACL,
- (macop_t)mac_biba_check_vnode_getacl },
- { MAC_CHECK_VNODE_GETEXTATTR,
- (macop_t)mac_biba_check_vnode_getextattr },
- { MAC_CHECK_VNODE_LINK,
- (macop_t)mac_biba_check_vnode_link },
- { MAC_CHECK_VNODE_LOOKUP,
- (macop_t)mac_biba_check_vnode_lookup },
- { MAC_CHECK_VNODE_MMAP,
- (macop_t)mac_biba_check_vnode_mmap },
- { MAC_CHECK_VNODE_MPROTECT,
- (macop_t)mac_biba_check_vnode_mmap },
- { MAC_CHECK_VNODE_OPEN,
- (macop_t)mac_biba_check_vnode_open },
- { MAC_CHECK_VNODE_POLL,
- (macop_t)mac_biba_check_vnode_poll },
- { MAC_CHECK_VNODE_READ,
- (macop_t)mac_biba_check_vnode_read },
- { MAC_CHECK_VNODE_READDIR,
- (macop_t)mac_biba_check_vnode_readdir },
- { MAC_CHECK_VNODE_READLINK,
- (macop_t)mac_biba_check_vnode_readlink },
- { MAC_CHECK_VNODE_RELABEL,
- (macop_t)mac_biba_check_vnode_relabel },
- { MAC_CHECK_VNODE_RENAME_FROM,
- (macop_t)mac_biba_check_vnode_rename_from },
- { MAC_CHECK_VNODE_RENAME_TO,
- (macop_t)mac_biba_check_vnode_rename_to },
- { MAC_CHECK_VNODE_REVOKE,
- (macop_t)mac_biba_check_vnode_revoke },
- { MAC_CHECK_VNODE_SETACL,
- (macop_t)mac_biba_check_vnode_setacl },
- { MAC_CHECK_VNODE_SETEXTATTR,
- (macop_t)mac_biba_check_vnode_setextattr },
- { MAC_CHECK_VNODE_SETFLAGS,
- (macop_t)mac_biba_check_vnode_setflags },
- { MAC_CHECK_VNODE_SETMODE,
- (macop_t)mac_biba_check_vnode_setmode },
- { MAC_CHECK_VNODE_SETOWNER,
- (macop_t)mac_biba_check_vnode_setowner },
- { MAC_CHECK_VNODE_SETUTIMES,
- (macop_t)mac_biba_check_vnode_setutimes },
- { MAC_CHECK_VNODE_STAT,
- (macop_t)mac_biba_check_vnode_stat },
- { MAC_CHECK_VNODE_WRITE,
- (macop_t)mac_biba_check_vnode_write },
- { MAC_OP_LAST, NULL }
+ .mpo_destroy = mac_biba_destroy,
+ .mpo_init = mac_biba_init,
+ .mpo_init_bpfdesc_label = mac_biba_init_label,
+ .mpo_init_cred_label = mac_biba_init_label,
+ .mpo_init_devfsdirent_label = mac_biba_init_label,
+ .mpo_init_ifnet_label = mac_biba_init_label,
+ .mpo_init_ipq_label = mac_biba_init_label,
+ .mpo_init_mbuf_label = mac_biba_init_label_waitcheck,
+ .mpo_init_mount_label = mac_biba_init_label,
+ .mpo_init_mount_fs_label = mac_biba_init_label,
+ .mpo_init_pipe_label = mac_biba_init_label,
+ .mpo_init_socket_label = mac_biba_init_label_waitcheck,
+ .mpo_init_socket_peer_label = mac_biba_init_label_waitcheck,
+ .mpo_init_vnode_label = mac_biba_init_label,
+ .mpo_destroy_bpfdesc_label = mac_biba_destroy_label,
+ .mpo_destroy_cred_label = mac_biba_destroy_label,
+ .mpo_destroy_devfsdirent_label = mac_biba_destroy_label,
+ .mpo_destroy_ifnet_label = mac_biba_destroy_label,
+ .mpo_destroy_ipq_label = mac_biba_destroy_label,
+ .mpo_destroy_mbuf_label = mac_biba_destroy_label,
>>> TRUNCATED FOR MAIL (1000 lines) <<<