PERFORCE change 41799 for review

Sun Nov 9 14:47:27 GMT 2003

http://perforce.freebsd.org/chv.cgi?CH=41799

Change 41799 by rwatson at rwatson_paprika on 2003/11/09 06:46:49

	As with other objects, move to a (struct label *) pointer in
	POSIX semaphore structures, rather than a (struct label).
	Allocate POSIX semaphore labels from the label zone.
	
	Further update policies for previous change to pass in a pointer
	the label as well as a pointer to the semaphore structure,
	permitting policies to avoid knowledge of the semaphore
	structure when basing decisions solely on labels.

Affected files ...

.. //depot/projects/trustedbsd/mac/sys/kern/uipc_sem.c#16 edit
.. //depot/projects/trustedbsd/mac/sys/posix4/ksem.h#4 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac/mac_posix_sem.c#7 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#225 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#117 edit

Differences ...

==== //depot/projects/trustedbsd/mac/sys/kern/uipc_sem.c#16 (text+ko) ====

@@ -55,7 +55,6 @@
 #include <sys/jail.h>
 #include <sys/fcntl.h>
 #ifdef MAC
-#include <sys/_label.h>
 #include <sys/mac.h>
 #include <posix4/ksem.h>
 #endif

==== //depot/projects/trustedbsd/mac/sys/posix4/ksem.h#4 (text+ko) ====

@@ -47,8 +47,6 @@
 #include <sys/condvar.h>
 #include <sys/proc.h>
 #include <sys/queue.h>
-#include <sys/_label.h>
-#include <sys/mac.h>
 
 #ifdef _KERNEL
 
@@ -71,7 +69,7 @@
 	LIST_HEAD(, kuser) ks_users;	/* pids using this sem */
 	struct mtx ks_mtx;		/* mutex protecting this semaphore */	
 	int ks_unlinked;                /* Whether the named sem is unlinked */
-	struct label ks_label;		/* MAC label */
+	struct label *ks_label;		/* MAC label */
 };
 
 #endif /* _KERNEL */

==== //depot/projects/trustedbsd/mac/sys/security/mac/mac_posix_sem.c#7 (text+ko) ====

@@ -59,29 +59,45 @@
     &nmacposixksems, 0, "number of posix global semaphores inuse");
 #endif
 
+static struct label *
+mac_posix_ksem_label_alloc(void)
+{
+	struct label *label;
+
+	label = mac_labelzone_alloc(M_WAITOK);
+	MAC_PERFORM(init_posix_ksem_label, label);
+	MAC_DEBUG_COUNTER_INC(&nmacposixksems);
+	return (label);
+}
+
 void 
 mac_init_posix_ksem(struct ksem *ksemptr)
 {
 
-	mac_init_label(&ksemptr->ks_label);
-	MAC_PERFORM(init_posix_ksem_label, &ksemptr->ks_label);
-	MAC_DEBUG_COUNTER_INC(&nmacposixksems);
+	ksemptr->ks_label = mac_posix_ksem_label_alloc();
+}
+
+static void
+mac_posix_ksem_label_free(struct label *label)
+{
+
+	MAC_PERFORM(destroy_posix_ksem_label, label);
+	MAC_DEBUG_COUNTER_DEC(&nmacposixksems);
 }
 
 void
 mac_destroy_posix_ksem(struct ksem *ksemptr)
 {
 
-	MAC_PERFORM(destroy_posix_ksem_label, &ksemptr->ks_label);
-	mac_destroy_label(&ksemptr->ks_label);
-	MAC_DEBUG_COUNTER_DEC(&nmacposixksems);
+	mac_posix_ksem_label_free(ksemptr->ks_label);
+	ksemptr->ks_label = NULL;
 }
 
 void 
 mac_create_posix_ksem(struct ucred *cred, struct ksem *ksemptr)
 {
 
-	MAC_PERFORM(create_posix_ksem, cred, ksemptr, &ksemptr->ks_label);
+	MAC_PERFORM(create_posix_ksem, cred, ksemptr, ksemptr->ks_label);
 }
 
 int
@@ -92,7 +108,7 @@
 	if (!mac_enforce_posix_sem)
 		return (0);
 
-	MAC_CHECK(check_posix_sem_close, cred, ksemptr, &ksemptr->ks_label);
+	MAC_CHECK(check_posix_sem_close, cred, ksemptr, ksemptr->ks_label);
 
 	return(error);
 }
@@ -105,8 +121,7 @@
 	if (!mac_enforce_posix_sem)
 		return (0);
 
-	MAC_CHECK(check_posix_sem_destroy, cred, ksemptr,
-	    &ksemptr->ks_label);
+	MAC_CHECK(check_posix_sem_destroy, cred, ksemptr, ksemptr->ks_label);
 
 	return(error);
 }
@@ -120,7 +135,7 @@
 		return (0);
 
 	MAC_CHECK(check_posix_sem_openexisting, cred, ksemptr,
-	    &ksemptr->ks_label);
+	    ksemptr->ks_label);
 
 	return(error);
 }
@@ -134,7 +149,7 @@
 		return (0);
 
 	MAC_CHECK(check_posix_sem_getvalue, cred, ksemptr,
-	    &ksemptr->ks_label);
+	    ksemptr->ks_label);
 
 	return(error);
 }
@@ -147,7 +162,7 @@
 	if (!mac_enforce_posix_sem)
 		return (0);
 
-	MAC_CHECK(check_posix_sem_post, cred, ksemptr, &ksemptr->ks_label);
+	MAC_CHECK(check_posix_sem_post, cred, ksemptr, ksemptr->ks_label);
 
 	return(error);
 }
@@ -160,7 +175,7 @@
 	if (!mac_enforce_posix_sem)
 		return (0);
 
-	MAC_CHECK(check_posix_sem_unlink, cred, ksemptr, &ksemptr->ks_label);
+	MAC_CHECK(check_posix_sem_unlink, cred, ksemptr, ksemptr->ks_label);
 
 	return(error);
 }
@@ -173,7 +188,7 @@
 	if (!mac_enforce_posix_sem)
 		return (0);
 
-	MAC_CHECK(check_posix_sem_wait, cred, ksemptr, &ksemptr->ks_label);
+	MAC_CHECK(check_posix_sem_wait, cred, ksemptr, ksemptr->ks_label);
 
 	return(error);
 }

==== //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#225 (text+ko) ====

@@ -2164,7 +2164,7 @@
 		return (0);
 
 	subj = SLOT(cred->cr_label);
-	obj = SLOT((&ksemptr->ks_label));
+	obj = SLOT(ks_label);
 
 	if (!mac_biba_dominate_single(subj, obj))
 		return (EACCES);
@@ -2182,7 +2182,7 @@
 		return (0);
 
 	subj = SLOT(cred->cr_label);
-	obj = SLOT((&ksemptr->ks_label));
+	obj = SLOT(ks_label);
 
 	if (!mac_biba_dominate_single(obj, subj))
 		return (EACCES);

==== //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#117 (text+ko) ====

@@ -1616,7 +1616,7 @@
 {
 
 	ASSERT_CRED_LABEL(cred->cr_label);
-	ASSERT_POSIX_LABEL(&ksemptr->ks_label);
+	ASSERT_POSIX_LABEL(ks_label);
 
 	return (0);
 }
To Unsubscribe: send mail to majordomo at trustedbsd.org
with "unsubscribe trustedbsd-cvs" in the body of the message

