PERFORCE change 41787 for review
Robert Watson
rwatson at FreeBSD.org
Sun Nov 9 05:52:35 GMT 2003
http://perforce.freebsd.org/chv.cgi?CH=41787
Change 41787 by rwatson at rwatson_paprika on 2003/11/08 21:52:12
Add explicit label arguments to ksem policy entry points so that
policy modules can avoid explicit knowledge of the ksem structure
for label-only decisions.
Affected files ...
.. //depot/projects/trustedbsd/mac/sys/security/mac/mac_posix_sem.c#6 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#224 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.c#72 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#182 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_stub/mac_stub.c#9 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#116 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#200 edit
Differences ...
==== //depot/projects/trustedbsd/mac/sys/security/mac/mac_posix_sem.c#6 (text+ko) ====
@@ -92,8 +92,7 @@
if (!mac_enforce_posix_sem)
return (0);
- //XXX: Should we also pass &ksemptr->ks_label ??
- MAC_CHECK(check_posix_sem_close, cred, ksemptr);
+ MAC_CHECK(check_posix_sem_close, cred, ksemptr, &ksemptr->ks_label);
return(error);
}
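Review bot: All seven wrappers in this file now pass `&ksemptr->ks_label`, so a policy receives two pointers to the same object, and nothing states that they always alias. A short comment at the first call would make the contract explicit, for example `/* ks_label always points into ksemptr; it is passed so label-only policies need not know struct ksem. */`. The lifetime of the label is presumably tied to the semaphore, which is worth saying if policies are expected not to hold the pointer after the check returns. The enclosing functions start outside these hunks.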
@@ -106,8 +105,8 @@
if (!mac_enforce_posix_sem)
return (0);
- //XXX: Should we also pass &ksemptr->ks_label ??
- MAC_CHECK(check_posix_sem_destroy, cred, ksemptr);
+ MAC_CHECK(check_posix_sem_destroy, cred, ksemptr,
+ &ksemptr->ks_label);
return(error);
}
@@ -120,8 +119,8 @@
if (!mac_enforce_posix_sem)
return (0);
- //XXX: Should we also pass &ksemptr->ks_label ??
- MAC_CHECK(check_posix_sem_openexisting, cred, ksemptr);
+ MAC_CHECK(check_posix_sem_openexisting, cred, ksemptr,
+ &ksemptr->ks_label);
return(error);
}
@@ -134,8 +133,8 @@
if (!mac_enforce_posix_sem)
return (0);
- //XXX: Should we also pass &ksemptr->ks_label ??
- MAC_CHECK(check_posix_sem_getvalue, cred, ksemptr);
+ MAC_CHECK(check_posix_sem_getvalue, cred, ksemptr,
+ &ksemptr->ks_label);
return(error);
}
@@ -148,8 +147,7 @@
if (!mac_enforce_posix_sem)
return (0);
- //XXX: Should we also pass &ksemptr->ks_label ??
- MAC_CHECK(check_posix_sem_post, cred, ksemptr);
+ MAC_CHECK(check_posix_sem_post, cred, ksemptr, &ksemptr->ks_label);
return(error);
}
@@ -162,8 +160,7 @@
if (!mac_enforce_posix_sem)
return (0);
- //XXX: Should we also pass &ksemptr->ks_label ??
- MAC_CHECK(check_posix_sem_unlink, cred, ksemptr);
+ MAC_CHECK(check_posix_sem_unlink, cred, ksemptr, &ksemptr->ks_label);
return(error);
}
@@ -176,8 +173,7 @@
if (!mac_enforce_posix_sem)
return (0);
- //XXX: Should we also pass &ksemptr->ks_label ??
- MAC_CHECK(check_posix_sem_wait, cred, ksemptr);
+ MAC_CHECK(check_posix_sem_wait, cred, ksemptr, &ksemptr->ks_label);
return(error);
}
==== //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#224 (text+ko) ====
@@ -2155,7 +2155,8 @@
}
static int
-mac_biba_check_posix_sem_write(struct ucred *cred, struct ksem *ksemptr)
+mac_biba_check_posix_sem_write(struct ucred *cred, struct ksem *ksemptr,
+ struct label *ks_label)
{
struct mac_biba *subj, *obj;
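Review bot: `ks_label` looks unused in mac_biba_check_posix_sem_write, because this hunk changes only the signature and, unlike the mac_lomac and mac_mls counterparts, no hunk replaces the object lookup with `obj = SLOT(ks_label);`. The body continues outside the hunk, so this is inferred from the absence of a matching hunk. If the lookup still reads `SLOT((&ksemptr->ks_label))`, Biba keeps the dependence on struct ksem that this change is meant to remove, and the three label policies diverge. The same applies to mac_biba_check_posix_sem_rdonly in the next hunk.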
@@ -2172,7 +2173,8 @@
}
static int
-mac_biba_check_posix_sem_rdonly(struct ucred *cred, struct ksem *ksemptr)
+mac_biba_check_posix_sem_rdonly(struct ucred *cred, struct ksem *ksemptr,
+ struct label *ks_label)
{
struct mac_biba *subj, *obj;
==== //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.c#72 (text+ko) ====
@@ -2277,7 +2277,8 @@
}
static int
-mac_lomac_check_posix_sem_write(struct ucred *cred, struct ksem *ksemptr)
+mac_lomac_check_posix_sem_write(struct ucred *cred, struct ksem *ksemptr,
+ struct label *ks_label)
{
struct mac_lomac *subj, *obj;
@@ -2285,7 +2286,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT((&ksemptr->ks_label));
+ obj = SLOT(ks_label);
if (!mac_lomac_dominate_single(subj, obj))
return (EACCES);
@@ -2294,7 +2295,8 @@
}
static int
-mac_lomac_check_posix_sem_rdonly(struct ucred *cred, struct ksem *ksemptr)
+mac_lomac_check_posix_sem_rdonly(struct ucred *cred, struct ksem *ksemptr,
+ struct label *ks_label)
{
struct mac_lomac *subj, *obj;
@@ -2302,7 +2304,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT((&ksemptr->ks_label));
+ obj = SLOT(ks_label);
if (!mac_lomac_dominate_single(obj, subj))
return (maybe_demote(subj, obj, "sem_getvalue", "posix_sem", NULL));
==== //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#182 (text+ko) ====
@@ -2049,7 +2049,8 @@
}
static int
-mac_mls_check_posix_sem_write(struct ucred *cred, struct ksem *ksemptr)
+mac_mls_check_posix_sem_write(struct ucred *cred, struct ksem *ksemptr,
+ struct label *ks_label)
{
struct mac_mls *subj, *obj;
@@ -2057,7 +2058,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT((&ksemptr->ks_label));
+ obj = SLOT(ks_label);
if (!mac_mls_dominate_single(obj, subj))
return (EACCES);
@@ -2066,7 +2067,8 @@
}
static int
-mac_mls_check_posix_sem_rdonly(struct ucred *cred, struct ksem *ksemptr)
+mac_mls_check_posix_sem_rdonly(struct ucred *cred, struct ksem *ksemptr,
+ struct label *ks_label)
{
struct mac_mls *subj, *obj;
@@ -2074,7 +2076,7 @@
return (0);
subj = SLOT(cred->cr_label);
- obj = SLOT((&ksemptr->ks_label));
+ obj = SLOT(ks_label);
if (!mac_mls_dominate_single(subj, obj))
return (EACCES);
==== //depot/projects/trustedbsd/mac/sys/security/mac_stub/mac_stub.c#9 (text+ko) ====
@@ -271,7 +271,8 @@
}
static void
-stub_create_posix_ksem(struct ucred *cred, struct ksem *ksemptr)
+stub_create_posix_ksem(struct ucred *cred, struct ksem *ksemptr,
+ struct label *ks_label)
{
}
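Review bot: stub_create_posix_ksem gains `ks_label` here, but the visible hunks in mac_policy.h and mac_posix_sem.c touch only the check_posix_sem_* entry points, not the creation one. Please confirm that the creation entry point's function-pointer declaration and its framework call site already pass a label. If they do not, the stub is registered with a prototype that differs from how it is invoked, and depending on how policy operations are registered the compiler may not report the mismatch.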
@@ -802,49 +803,56 @@
}
static int
-stub_check_posix_sem_close(struct ucred *cred, struct ksem *ksemptr)
+stub_check_posix_sem_close(struct ucred *cred, struct ksem *ksemptr,
+ struct label *ks_label)
{
return (0);
}
static int
-stub_check_posix_sem_destroy(struct ucred *cred, struct ksem *ksemptr)
+stub_check_posix_sem_destroy(struct ucred *cred, struct ksem *ksemptr,
+ struct label *ks_label)
{
return (0);
}
static int
-stub_check_posix_sem_getvalue(struct ucred *cred, struct ksem *ksemptr)
+stub_check_posix_sem_getvalue(struct ucred *cred, struct ksem *ksemptr,
+ struct label *ks_label)
{
return (0);
}
static int
-stub_check_posix_sem_openexisting(struct ucred *cred, struct ksem *ksemptr)
+stub_check_posix_sem_openexisting(struct ucred *cred, struct ksem *ksemptr,
+ struct label *ks_label)
{
return (0);
}
static int
-stub_check_posix_sem_post(struct ucred *cred, struct ksem *ksemptr)
+stub_check_posix_sem_post(struct ucred *cred, struct ksem *ksemptr,
+ struct label *ks_label)
{
return (0);
}
static int
-stub_check_posix_sem_unlink(struct ucred *cred, struct ksem *ksemptr)
+stub_check_posix_sem_unlink(struct ucred *cred, struct ksem *ksemptr,
+ struct label *ks_label)
{
return (0);
}
static int
-stub_check_posix_sem_wait(struct ucred *cred, struct ksem *ksemptr)
+stub_check_posix_sem_wait(struct ucred *cred, struct ksem *ksemptr,
+ struct label *ks_label)
{
return (0);
==== //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#116 (text+ko) ====
@@ -1611,7 +1611,8 @@
}
static int
-mac_test_check_posix_ksem(struct ucred *cred, struct ksem *ksemptr)
+mac_test_check_posix_ksem(struct ucred *cred, struct ksem *ksemptr,
+ struct label *ks_label)
{
ASSERT_CRED_LABEL(cred->cr_label);
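Review bot: The visible part of mac_test_check_posix_ksem asserts only `cred->cr_label` and does nothing with the new `ks_label` argument. mac_test exists to catch framework errors in label handling, so it should apply the equivalent consistency assertion to the semaphore label that is now passed in. The body continues outside the hunk; if it already validates the label through `ksemptr`, switching that check to `ks_label` would exercise the new argument path.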
==== //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#200 (text+ko) ====
@@ -386,19 +386,19 @@
int (*mpo_check_pipe_write)(struct ucred *cred, struct pipe *pipe,
struct label *pipelabel);
int (*mpo_check_posix_sem_close)(struct ucred *cred,
- struct ksem *ksemptr);
+ struct ksem *ksemptr, struct label *ks_label);
int (*mpo_check_posix_sem_destroy)(struct ucred *cred,
- struct ksem *ksemptr);
+ struct ksem *ksemptr, struct label *ks_label);
int (*mpo_check_posix_sem_getvalue)(struct ucred *cred,
- struct ksem *ksemptr);
+ struct ksem *ksemptr, struct label *ks_label);
int (*mpo_check_posix_sem_openexisting)(struct ucred *cred,
- struct ksem *ksemptr);
+ struct ksem *ksemptr, struct label *ks_label);
int (*mpo_check_posix_sem_post)(struct ucred *cred,
- struct ksem *ksemptr);
+ struct ksem *ksemptr, struct label *ks_label);
int (*mpo_check_posix_sem_unlink)(struct ucred *cred,
- struct ksem *ksemptr);
+ struct ksem *ksemptr, struct label *ks_label);
int (*mpo_check_posix_sem_wait)(struct ucred *cred,
- struct ksem *ksemptr);
+ struct ksem *ksemptr, struct label *ks_label);
int (*mpo_check_proc_debug)(struct ucred *cred,
struct proc *proc);
int (*mpo_check_proc_sched)(struct ucred *cred,
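Review bot: Adding a third argument to seven `mpo_check_posix_sem_*` pointers changes the policy module interface, and no visible hunk bumps an interface or module version alongside it. A policy built against the old header would be called with an argument it does not expect and would silently ignore the label, which matters for an access-control hook. If the framework has a version that policy modules declare a dependency on, it should change with this header. Otherwise, note in the commit description that out-of-tree policies must be rebuilt.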