PERFORCE change 39488 for review
Chris Vance
cvance at FreeBSD.org
Sat Oct 11 02:08:03 GMT 2003
http://perforce.freebsd.org/chv.cgi?CH=39488
Change 39488 by cvance at cvance_osx_laptop on 2003/10/10 19:07:26
Convince SEBSD "module" to build on Darwin.
Please note: (build != run)
Affected files ...
.. //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/avc/avc.c#2 edit
.. //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/avc/avc.h#2 edit
.. //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/flask_types.h#2 edit
.. //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/linux-compat.h#2 edit
.. //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/sebsd.c#3 edit
.. //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/sebsd_syscall.c#2 edit
.. //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/sebsd_sysctl.c#2 edit
.. //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/ss/context.h#2 edit
.. //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/ss/ebitmap.h#2 edit
.. //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/ss/global.h#2 edit
.. //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/ss/init.c#2 edit
.. //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/ss/queue.c#2 edit
.. //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/ss/sidtab.c#2 edit
.. //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/ss/sidtab.h#2 edit
.. //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/ss/symtab.h#2 edit
Differences ...
==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/avc/avc.c#2 (text+ko) ====
==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/avc/avc.h#2 (text+ko) ====
==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/flask_types.h#2 (text+ko) ====
@@ -15,7 +15,7 @@
*/
-#ifdef __FreeBSD__
+#if defined(__FreeBSD__) || defined(__APPLE__)
#include <sys/types.h>
#include <security/sebsd/linux-compat.h>
#else /* __FreeBSD__ */
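Review bot: The trailing comment `#else /* __FreeBSD__ */` is now stale, because the condition it closes became `defined(__FreeBSD__) || defined(__APPLE__)`. Update it to `#else /* !(__FreeBSD__ || __APPLE__) */` so a reader does not take the fallback branch to be the Darwin case.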
==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/linux-compat.h#2 (text+ko) ====
@@ -44,16 +44,19 @@
*/
#include <sys/types.h>
+
+#ifdef __APPLE__
+#include <machine/endian.h>
+#else /* Probably FreeBSD */
#include <sys/endian.h>
+#endif
typedef u_int64_t u64;
typedef u_int32_t u32;
typedef u_int16_t u16;
typedef u_int8_t u8;
-
-#ifndef _KERNEL
-
+#if !defined(_KERNEL) && !defined(KERNEL)
#if BYTE_ORDER == LITTLE_ENDIAN
#define cpu_to_le32(x) ((__uint32_t)(x))
#define cpu_to_le64(x) ((__uint64_t)(x))
@@ -68,7 +71,7 @@
/* sebsd uses same ss source files for userspace */
-#define kmalloc(size,flags) malloc(size)
+#define kmalloc(size,flags) malloc(size,as)
#define kfree(v) free(v)
#define __get_free_page(flags) malloc (4096) /* XXX need page size */
#define GFP_ATOMIC 1
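Review bot: `malloc(size,as)` in the userspace `kmalloc` mapping passes an identifier `as` that nothing in this header declares, and libc `malloc` takes a single argument, so any non-kernel translation unit that expands `kmalloc` will fail to compile. This reads like an editing slip rather than an intended change; restore `#define kmalloc(size,flags) malloc(size)`, or, if a two-argument allocator was meant, name it explicitly so the dependency is visible.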
@@ -76,8 +79,19 @@
#else /* _KERNEL */
+#ifdef __APPLE__
+#include <architecture/byte_order.h>
+#if BYTE_ORDER == LITTLE_ENDIAN
+#define le32_to_cpu(x) ((__uint32_t)(x))
+#define le64_to_cpu(x) ((__uint64_t)(x))
+#else /* BYTE_ORDER != LITTLE_ENDIAN */
+#define le32_to_cpu(x) NXSwapLittleLongToHost(x)
+#define le64_to_cpu(x) NXSwapLittleLongLongToHost(x)
+#endif
+#else
#define le32_to_cpu(a) le32toh(a)
#define le64_to_cpu(a) le64toh(a)
+#endif
#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
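Review bot: `#if BYTE_ORDER == LITTLE_ENDIAN` selects the identity `le32_to_cpu`/`le64_to_cpu` definitions whenever either macro happens to be undefined, because unknown identifiers evaluate to 0 in `#if`; on a big-endian Darwin kernel that would pass policy-file integers through unswapped with no diagnostic at all. `<architecture/byte_order.h>` is included here for the NXSwap* functions, but `BYTE_ORDER` is expected to come from the `<machine/endian.h>` include earlier in this header, so guard the test explicitly: `#if !defined(BYTE_ORDER) || !defined(LITTLE_ENDIAN)` / `#error "BYTE_ORDER not defined"` / `#endif`. The userspace branch in the @@ -44,16 hunk above performs the same unguarded comparison.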
@@ -91,16 +105,36 @@
/* kmalloc */
+#include <sys/malloc.h>
+
+#ifdef __APPLE__
+#define malloc(size,type,flags) _MALLOC(size,type,flags)
+#define free(addr,type) FREE(addr,type)
+#define M_SEBSD M_MACTEMP
+#else
+#ifndef _M_SEBSD_DEF
+MALLOC_DECLARE(M_SEBSD);
+#define _M_SEBSD_DEF
+#endif
+#endif /* __APPLE__ */
+
#define kmalloc(size,flags) malloc(size, M_SEBSD, flags)
#define kfree(v) free(v, M_SEBSD)
-#define __get_free_page(flags) malloc (4096, M_SEBSD, flags) /* XXX need page size */
+/* XXX need page size */
+#define __get_free_page(flags) malloc(4096, M_SEBSD, flags)
#define GFP_ATOMIC M_NOWAIT
#define GFP_KERNEL M_NOWAIT
-#include <sys/malloc.h>
-#ifndef _M_SEBSD_DEF
-MALLOC_DECLARE(M_SEBSD);
-#define _M_SEBSD_DEF
+#ifdef __APPLE__
+/* TBD: Skip this for now: */
+#define mtx_init(a,b,c,d)
+
+/* TBD: no boot-time tunable support yet */
+#define TUNABLE_INT_FETCH(str,var)
+
+/* TBD: scary, but skip locking for now */
+#define mtx_lock(m)
+#define mtx_unlock(m)
#endif
/* spinlock */
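Review bot: `#define mtx_lock(m)` and `#define mtx_unlock(m)` expanding to nothing compile every mutex acquisition out of the shared ss/avc code on Darwin without leaving any trace in the build, so the sidtab and AVC state become unsynchronized and the omission is easy to forget once the module actually runs. At minimum add `#warning "SEBSD: mtx_* and TUNABLE_INT_FETCH are stubbed out on Darwin"` inside this `#ifdef __APPLE__` block so every build records it. The empty `TUNABLE_INT_FETCH(str,var)` likewise leaves `var` at its initializer, so any tunable this code reads at boot silently keeps its compiled-in default.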
==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/sebsd.c#3 (text+ko) ====
@@ -37,7 +37,6 @@
#include <sys/types.h>
#include <sys/param.h>
#include <sys/extattr.h>
-#include <sys/imgact.h>
#include <sys/conf.h>
#include <sys/kernel.h>
#include <sys/mac.h>
@@ -47,16 +46,26 @@
#include <sys/proc.h>
#include <sys/sbuf.h>
#include <sys/systm.h>
-#include <sys/sysproto.h>
#include <sys/vnode.h>
-#include <sys/pipe.h>
#include <sys/dirent.h>
-#include <sys/capability.h>
-#include <fs/devfs/devfs.h>
+#ifdef __APPLE__
+/*
+ * The code is conditional upon the following list of defines. For now,
+ * Darwin does not provide support for them:
+ * CAPABILITIES
+ * HAS_THREADS
+ * HAS_PIPES
+ * HAS_EXTATTRS
+ * HAS_DEVFS_DIRENT
+ * HAS_VAPPEND
+ * HAS_IMAGE_PARAMS
+ * HAS_STRINGS
+ * HAS_ACLS
+ */
+#include <sys/ucred.h>
+#endif
-#include <vm/vm.h>
-
#include <sys/mac_policy.h>
#include <security/sebsd/sebsd.h>
@@ -64,10 +73,14 @@
int sebsd_verbose = 0;
-static int slot;
+static int slot = 1; /* TBD, dynamic */
#define SLOT(l) ((void *)LABEL_TO_SLOT((l), slot).l_ptr)
+#ifdef __APPLE__
+#define M_SEBSD M_MACTEMP
+#else
MALLOC_DEFINE(M_SEBSD, "sebsd", "Security Enhanced BSD");
+#endif
extern int ss_initialized;
static __inline int ss_precondition(void)
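Review bot: `static int slot = 1; /* TBD, dynamic */` hard-codes the label slot that `SLOT(l)` uses to index every label, whereas before this change the framework presumably filled it in through the `&slot` argument of `MAC_POLICY_SET`, which the change disables. If Darwin's framework assigns a different slot, or another loaded policy also uses slot 1, `SLOT()` reads and writes another policy's label storage. Until the framework sets it, keep the two places that state the number in a single constant, e.g. `#define SEBSD_LABEL_SLOT 1`, used both here and for the security-field value in the `sebsd_mac_policy_conf` initializer at the end of the file.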
@@ -79,10 +92,12 @@
sebsd_init(struct mac_policy_conf *mpc)
{
printf("sebsd:: init\n");
+#if 0
avc_init();
if (security_init()) {
panic("SEBSD: couldn't read policy file");
}
+#endif
}
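Review bot: The `#if 0` around `avc_init()`/`security_init()` removes the policy load for every platform, including the FreeBSD build this tree still targets, whereas the rest of the change gates Darwin gaps with `#ifdef __APPLE__` or `HAS_*` macros. Prefer `#ifndef __APPLE__` (or a named `HAS_*` macro) so FreeBSD keeps initializing and the Darwin gap stays greppable; the same `#if 0` pattern appears in `vnode_has_perm` (the `file->sclass == 0` fix-up), `sebsd_create_root_mount`, several `sebsd_ops_o` entries, the `MAC_POLICY_SET` call, and around the whole of sebsd_syscall.c and sebsd_sysctl.c. With `security_init()` compiled out, `ss_initialized` is presumably never set, so whether hooks fail closed depends on every path going through `ss_precondition()`, whose body lies outside this hunk.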
static void
@@ -92,6 +107,7 @@
printf("sebsd:: destroy\n");
}
+#ifdef CAPABILITIES
/*
* Check whether a task is allowed to use a capability.
*/
@@ -109,6 +125,7 @@
return avc_has_perm_audit(task->sid, task->sid,
SECCLASS_CAPABILITY, cap, &ad);
}
+#endif
static int
cred_has_perm(struct ucred *cred, struct proc *proc, access_vector_t perm)
@@ -158,6 +175,7 @@
SECCLASS_SECURITY, perm, NULL, NULL));
}
+#ifdef HAS_THREADS
int
thread_has_system(struct thread *td, access_vector_t perm)
{
@@ -171,6 +189,7 @@
return (cred_has_security(td->td_proc->p_ucred, perm));
}
+#endif
static __inline security_class_t
vnode_type_to_security_class(enum vtype vt)
@@ -192,12 +211,17 @@
return SECCLASS_FIFO_FILE;
case VNON:
case VBAD:
+#ifdef __APPLE__
+ case VSTR:
+ case VCPLX:
+#endif
return SECCLASS_FILE;
}
return SECCLASS_FILE;
}
+#ifdef HAS_DEVFS_DIRENT
static __inline security_class_t
dirent_type_to_security_class(__uint8_t type)
{
@@ -223,6 +247,7 @@
return SECCLASS_FILE;
}
+#endif
static __inline access_vector_t
file_mask_to_av(enum vtype vt, int mask)
@@ -235,10 +260,13 @@
if (mask & VREAD)
av |= FILE__READ;
+#ifdef HAS_VAPPEND
if (mask & VAPPEND)
av |= FILE__APPEND;
- else if (mask & VWRITE)
- av |= FILE__WRITE;
+ else
+#endif
+ if (mask & VWRITE)
+ av |= FILE__WRITE;
} else {
if (mask & VEXEC)
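Review bot: Separating the `else` from its `if` with `#endif` (`else` / `#endif` / `if (mask & VWRITE)`) is legal but fragile: a later edit that inserts a statement or brace between them changes which `if` the `else` binds to, and the control structure differs between the two preprocessor configurations. Duplicating the small `VWRITE` test in each branch keeps each configuration readable on its own. file_mask_to_av's body continues outside the hunk.
```c
		if (mask & VREAD)
			av |= FILE__READ;
#ifdef HAS_VAPPEND
		if (mask & VAPPEND)
			av |= FILE__APPEND;
		else if (mask & VWRITE)
			av |= FILE__WRITE;
#else
		if (mask & VWRITE)
			av |= FILE__WRITE;
#endif
		/* … unchanged: VEXEC branch … */
```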
@@ -266,6 +294,7 @@
AVC_AUDIT_DATA_INIT(&ad, FS);
ad.u.fs.vp = vp;
+#if 0
if (file->sclass == 0) {
struct vattr va;
VOP_GETATTR(vp, &va, curthread->td_ucred, curthread);
@@ -278,10 +307,12 @@
return 1; /* TBD: debugging */
}
}
+#endif
return avc_has_perm_ref_audit(task->sid, file->sid, file->sclass,
perm, aeref ? aeref : &file->avcr, &ad);
}
+#ifdef HAS_PIPES
static int
pipe_has_perm(struct ucred *cred, struct pipe *pipe, access_vector_t perm)
{
@@ -298,6 +329,7 @@
return(avc_has_perm_ref(task->sid, file->sid, file->sclass,
perm, &file->avcr));
}
+#endif
static void
sebsd_init_cred_label(struct label *label)
@@ -392,6 +424,7 @@
printf("sebsd_relabel_cred:: This does nothing\n");
}
+#ifdef HAS_DEVFS_DIRENT
static void
sebsd_associate_vnode_devfs(struct mount *mp, struct label *fslabel,
struct devfs_dirent *de, struct label *delabel, struct vnode *vp,
@@ -414,7 +447,9 @@
* relabel calls.
*/
}
+#endif
+#ifdef HAS_EXTATTRS
static int
sebsd_associate_vnode_extattr(struct mount *mp, struct label *fslabel,
struct vnode *vp, struct label *vlabel)
@@ -474,6 +509,7 @@
return (0);
}
+#endif
static void
sebsd_associate_vnode_singlelabel(struct mount *mp, struct label *fslabel,
@@ -520,6 +556,7 @@
fsec->sid = tsec->sid;
}
+#ifdef HAS_DEVFS_DIRENT
static void
sebsd_create_devfs_device(struct ucred *cr, struct mount *mp, dev_t dev,
struct devfs_dirent *devfs_dirent, struct label *label,
@@ -652,7 +689,9 @@
}
free(path, M_SEBSD);
}
+#endif /* HAS_DEVFS_DIRENT */
+#ifdef HAS_PIPES
/*
* Use the allocating task SID to label pipes. On Linux, pipes reside
* in a pseudo filesystem.
@@ -670,6 +709,7 @@
vsec->sid = vsec->task_sid = tsec->sid;
vsec->sclass = SECCLASS_FIFO_FILE;
}
+#endif
static void
sebsd_create_proc0(struct ucred *cred)
@@ -778,6 +818,7 @@
sebsd_create_root_mount(struct ucred *cred, struct mount *mp,
struct label *mntlabel, struct label *fslabel)
{
+#if 0
struct vnode *vp, *nvp;
/*
@@ -797,8 +838,10 @@
vp = nvp;
} while (vp != NULL);
mtx_unlock(&mntvnode_mtx);
+#endif
}
+#ifdef HAS_EXTATTRS
static int
sebsd_create_vnode_extattr(struct ucred *cred, struct mount *mp,
struct label *fslabel, struct vnode *parent, struct label *parentlabel,
@@ -840,12 +883,16 @@
security_free_context(context);
return (error);
}
+#endif
+#ifdef CAPABILITIES
static int
sebsd_check_cap (struct ucred *cred, cap_value_t capv)
{
+
return cred_has_capability (cred, capv);
}
+#endif
/*
* SEBSD does not support the relabeling of processes without
@@ -932,6 +979,7 @@
return (mount_has_perm(cred, mp, FILESYSTEM__UNMOUNT, NULL));
}
+#ifdef HAS_PIPES
static int
sebsd_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe,
struct label *pipelabel, unsigned long cmd, void /* caddr_t */ *data)
@@ -1004,6 +1052,7 @@
return (pipe_has_perm(cred, pipe, FIFO_FILE__WRITE));
}
+#endif /* HAS_PIPES */
static int
sebsd_check_proc_debug(struct ucred *cred, struct proc *proc)
@@ -1042,6 +1091,7 @@
return (cred_has_perm(cred, proc, perm));
}
+#ifdef HAS_IMAGE_PARAMS
static void
sebsd_execve_transition(struct ucred *old, struct ucred *new,
struct vnode *vp, struct label *vnodelabel, struct label *interpvnodelabel,
@@ -1111,7 +1161,9 @@
return (newsid != task->sid);
}
+#endif
+#ifdef HAS_STRING
static int
sebsd_internalize_sid(security_id_t *sidp, char *element_name,
char *element_data, int *claimed)
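Review bot: `#ifdef HAS_STRING` does not match the `HAS_STRINGS` name used in its own closing `#endif /* HAS_STRINGS */`, around the externalize block later in the file, and in the Darwin define list near the top of the file. With `HAS_STRINGS` defined, `sebsd_internalize_sid` and the internalize hooks stay compiled out while the externalize hooks come back, and the `.mpo_internalize_*` entries (currently under `#if 0`) would fail to link once re-enabled. Change it to `#ifdef HAS_STRINGS`.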
@@ -1174,7 +1226,9 @@
return (sebsd_internalize_sid(&vsec->sid, element_name, element_data,
claimed));
}
+#endif /* HAS_STRINGS */
+#ifdef HAS_PIPES
static void
sebsd_relabel_pipe(struct ucred *cred, struct pipe *pipe,
struct label *pipelabel, struct label *newlabel)
@@ -1195,6 +1249,7 @@
dest->sid = source->sid;
}
+#endif
static void
sebsd_relabel_vnode(struct ucred *cred, struct vnode *vp,
@@ -1217,6 +1272,7 @@
dest->sid = source->sid;
}
+#ifdef HAS_EXTATTRS
static int
sebsd_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
struct label *vlabel, struct label *intlabel)
@@ -1240,6 +1296,7 @@
security_free_context(context);
return (error);
}
+#endif
static int
sebsd_check_vnode_access(struct ucred *cred, struct vnode *vp,
@@ -1353,6 +1410,7 @@
return (rc);
}
+#ifdef HAS_ACLS
static int
sebsd_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
struct label *label, acl_type_t type)
@@ -1360,7 +1418,9 @@
return (vnode_has_perm(cred, vp, FILE__SETATTR, NULL));
}
+#endif
+#ifdef HAS_IMAGE_PARAMS
static int
sebsd_check_vnode_exec(struct ucred *cred, struct vnode *vp,
struct label *label, struct image_params *imgp, struct label *execlabel)
@@ -1422,7 +1482,9 @@
return (0);
}
+#endif
+#ifdef HAS_ACLS
static int
sebsd_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
struct label *label, acl_type_t type)
@@ -1430,7 +1492,9 @@
return (vnode_has_perm(cred, vp, FILE__GETATTR, NULL));
}
+#endif
+#ifdef HAS_EXTATTRS
static int
sebsd_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
struct label *label, int attrnamespace, const char *name, struct uio *uio)
@@ -1438,6 +1502,7 @@
return (vnode_has_perm(cred, vp, FILE__GETATTR, NULL));
}
+#endif
static int
sebsd_check_vnode_link(struct ucred *cred, struct vnode *dvp,
@@ -1673,6 +1738,7 @@
return 0;
}
+#ifdef HAS_ACLS
static int
sebsd_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
struct label *label, acl_type_t type, struct acl *acl)
@@ -1680,7 +1746,9 @@
return vnode_has_perm(cred, vp, FILE__SETATTR, NULL);
}
+#endif
+#ifdef HAS_EXTATTRS
static int
sebsd_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
struct label *label, int attrnamespace, const char *name, struct uio *uio)
@@ -1688,6 +1756,7 @@
return vnode_has_perm(cred, vp, FILE__SETATTR, NULL);
}
+#endif
static int
sebsd_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
@@ -1804,6 +1873,7 @@
return (0);
}
+#ifdef HAS_STRINGS
static int
sebsd_externalize_sid(security_id_t sid, char *element_name,
struct sbuf *sb, int *claimed)
@@ -1866,6 +1936,7 @@
nsec = SLOT(label);
return (sebsd_externalize_sid(nsec->sid, element_name, sb, claimed));
}
+#endif /* HAS_STRINGS */
static void
sebsd_copy_vnode_label(struct label *src, struct label *dest)
@@ -1977,18 +2048,25 @@
}
static struct mac_policy_ops sebsd_ops = {
+ .mpo_init = sebsd_init
+};
+
+static struct mac_policy_ops sebsd_ops_o = {
/* Init Labels */
- .mpo_init = sebsd_init,
.mpo_init_bpfdesc_label = sebsd_init_network_label,
.mpo_init_cred_label = sebsd_init_cred_label,
+#if 0
.mpo_init_devfsdirent_label = sebsd_init_vnode_label,
.mpo_init_file_label = sebsd_init_file_label,
+#endif
.mpo_init_ifnet_label = sebsd_init_network_label,
.mpo_init_ipq_label = sebsd_init_network_label_waitcheck,
.mpo_init_mbuf_label = sebsd_init_network_label_waitcheck,
.mpo_init_mount_label = sebsd_init_mount_label,
.mpo_init_mount_fs_label = sebsd_init_mount_fs_label,
+#ifdef HAS_PIPES
.mpo_init_pipe_label = sebsd_init_vnode_label,
+#endif
.mpo_init_socket_label = sebsd_init_network_label_waitcheck,
.mpo_init_socket_peer_label = sebsd_init_network_label_waitcheck,
.mpo_init_vnode_label = sebsd_init_vnode_label,
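Review bot: The registered table `sebsd_ops` now carries only `.mpo_init`, so the module registers with no check, create or relabel hooks at all; that matches the "build != run" note, but a comment at the stub such as `/* TBD: full table is sebsd_ops_o; wire it up once Darwin's mac_policy_ops matches */` would stop a reader from taking it as deliberate. `sebsd_ops_o` is a `static` object that nothing visible references any more, so `-Wunused-variable` will flag it. Within it, `.mpo_init_devfsdirent_label` is dropped with `#if 0` while its counterpart `.mpo_destroy_devfsdirent_label` in the next hunk is gated with `#ifdef HAS_DEVFS_DIRENT`; use the same gate for both so the init/destroy pair cannot diverge.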
@@ -1997,37 +2075,53 @@
.mpo_destroy = sebsd_destroy,
.mpo_destroy_bpfdesc_label = sebsd_destroy_label,
.mpo_destroy_cred_label = sebsd_destroy_label,
+#ifdef HAS_DEVFS_DIRENT
.mpo_destroy_devfsdirent_label = sebsd_destroy_label,
+#endif
.mpo_destroy_ifnet_label = sebsd_destroy_label,
.mpo_destroy_ipq_label = sebsd_destroy_label,
.mpo_destroy_mbuf_label = sebsd_destroy_label,
+#if 0
.mpo_destroy_file_label = sebsd_destroy_label,
+#endif
.mpo_destroy_mount_label = sebsd_destroy_label,
.mpo_destroy_mount_fs_label = sebsd_destroy_label,
+#ifdef HAS_PIPES
.mpo_destroy_pipe_label = sebsd_destroy_label,
+#endif
.mpo_destroy_socket_label = sebsd_destroy_label,
.mpo_destroy_socket_peer_label = sebsd_destroy_label,
.mpo_destroy_vnode_label = sebsd_destroy_label,
/* Copy labels */
+#ifdef HAS_PIPES
.mpo_copy_pipe_label = sebsd_copy_vnode_label,
+#endif
.mpo_copy_vnode_label = sebsd_copy_vnode_label,
+#if 0
.mpo_copy_mount_label = sebsd_copy_mount_label,
+#endif
+#if 0
/* In/Out */
.mpo_externalize_cred_label = sebsd_externalize_cred_label,
.mpo_externalize_ifnet_label = sebsd_externalize_network_label,
+#ifdef HAS_PIPES
.mpo_externalize_pipe_label = sebsd_externalize_vnode_label,
+#endif
.mpo_externalize_socket_label = sebsd_externalize_network_label,
.mpo_externalize_socket_peer_label = sebsd_externalize_network_label,
.mpo_externalize_vnode_label = sebsd_externalize_vnode_label,
.mpo_externalize_mount_label = sebsd_externalize_mount_label,
.mpo_internalize_cred_label = sebsd_internalize_cred_label,
.mpo_internalize_ifnet_label = sebsd_internalize_network_label,
+#ifdef HAS_PIPES
.mpo_internalize_pipe_label = sebsd_internalize_vnode_label,
+#endif
.mpo_internalize_socket_label = sebsd_internalize_network_label,
.mpo_internalize_vnode_label = sebsd_internalize_vnode_label,
.mpo_internalize_mount_label = sebsd_internalize_mount_label,
+#endif
#ifdef notdef
void (*mpo_create_mbuf_from_socket)(struct socket *so,
@@ -2050,33 +2144,51 @@
/* Create Labels */
.mpo_create_cred = sebsd_create_cred,
+
+#ifdef HAS_DEVFS_DIRENT
.mpo_create_devfs_device = sebsd_create_devfs_device,
.mpo_create_devfs_directory = sebsd_create_devfs_directory,
.mpo_create_devfs_symlink = sebsd_create_devfs_symlink,
+#endif
+#if 0
.mpo_create_file = sebsd_create_file,
+#endif
/* .mpo_create_mbuf_from_socket = sebsd_create_mbuf_from_socket, */
.mpo_create_mount = sebsd_create_mount,
+#ifdef HAS_PIPES
.mpo_create_pipe = sebsd_create_pipe,
+#endif
.mpo_create_proc0 = sebsd_create_proc0,
.mpo_create_proc1 = sebsd_create_proc1,
.mpo_create_root_mount = sebsd_create_root_mount,
/* .mpo_create_socket = sebsd_create_socket, */
/* .mpo_create_socket_from_socket = sebsd_create_socket_from_socket, */
+#ifdef HAS_EXTATTRS
.mpo_create_vnode_extattr = sebsd_create_vnode_extattr,
+#endif
+#ifdef HAS_DEVFS_DIRENT
.mpo_associate_vnode_devfs = sebsd_associate_vnode_devfs,
+#endif
.mpo_associate_vnode_singlelabel = sebsd_associate_vnode_singlelabel,
+#ifdef HAS_EXTATTRS
.mpo_associate_vnode_extattr = sebsd_associate_vnode_extattr,
+#endif
/* Check Labels */
+#ifdef CAPABILITIES
.mpo_check_cap = sebsd_check_cap,
+#endif
.mpo_check_cred_relabel = sebsd_check_cred_relabel,
+#if 0
.mpo_check_file_create = sebsd_check_file_create,
+
/*
.mpo_check_file_dup
.mpo_check_file_inherit
.mpo_check_file_ioctl
.mpo_check_file_receive
*/
+
.mpo_check_file_get_flags = sebsd_check_file_get_flags,
.mpo_check_file_get_ofileflags = sebsd_check_file_get_ofileflags,
.mpo_check_file_get_offset = sebsd_check_file_get_offset,
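Review bot: The `#if 0` opened before `.mpo_check_file_create` is apparently closed by the `#endif` in the next hunk, after `.mpo_check_mount_stat`, so it also removes `.mpo_check_umount`, `.mpo_check_remount` and `.mpo_check_mount_stat`, which have nothing to do with `struct file` labels. If the intent is to drop only the file-descriptor hooks, close the block before the mount entries; the mount checks themselves are compiled unconditionally (the `mount_has_perm(..., FILESYSTEM__UNMOUNT, ...)` caller is visible as context at @@ -932), so re-registering them costs nothing.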
@@ -2087,13 +2199,16 @@
.mpo_check_umount = sebsd_check_umount,
.mpo_check_remount = sebsd_check_remount,
.mpo_check_mount_stat = sebsd_check_mount_stat,
+#endif
+#ifdef HAS_PIPES
.mpo_check_pipe_ioctl = sebsd_check_pipe_ioctl,
.mpo_check_pipe_poll = sebsd_check_pipe_poll,
.mpo_check_pipe_read = sebsd_check_pipe_read,
.mpo_check_pipe_relabel = sebsd_check_pipe_relabel,
.mpo_check_pipe_stat = sebsd_check_pipe_stat,
.mpo_check_pipe_write = sebsd_check_pipe_write,
+#endif
.mpo_check_proc_debug = sebsd_check_proc_debug,
.mpo_check_proc_sched = sebsd_check_proc_sched,
@@ -2107,10 +2222,18 @@
.mpo_check_vnode_chroot = sebsd_check_vnode_chroot,
.mpo_check_vnode_create = sebsd_check_vnode_create,
.mpo_check_vnode_delete = sebsd_check_vnode_delete,
+#ifdef HAS_ACLS
.mpo_check_vnode_deleteacl = sebsd_check_vnode_deleteacl,
+#endif
+#ifdef HAS_IMAGE_PARAMS
.mpo_check_vnode_exec = sebsd_check_vnode_exec,
+#endif
+#ifdef HAS_ACLS
.mpo_check_vnode_getacl = sebsd_check_vnode_getacl,
+#endif
+#ifdef EXTATTR
.mpo_check_vnode_getextattr = sebsd_check_vnode_getextattr,
+#endif
.mpo_check_vnode_link = sebsd_check_vnode_link,
.mpo_check_vnode_lookup = sebsd_check_vnode_lookup,
.mpo_check_vnode_mmap = sebsd_check_vnode_mmap,
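Review bot: `#ifdef EXTATTR` around `.mpo_check_vnode_getextattr` uses a different macro from the `HAS_EXTATTRS` that guards the function's definition and the sibling `.mpo_check_vnode_setextattr` entry in the next hunk. With `HAS_EXTATTRS` defined and `EXTATTR` not, the getextattr hook exists but is never registered, so extended-attribute reads go unmediated while writes are checked; with the reverse, the entry references an undefined function. Change it to `#ifdef HAS_EXTATTRS`.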
@@ -2124,8 +2247,12 @@
.mpo_check_vnode_rename_from = sebsd_check_vnode_rename_from,
.mpo_check_vnode_rename_to = sebsd_check_vnode_rename_to,
.mpo_check_vnode_revoke = sebsd_check_vnode_revoke,
+#ifdef HAS_ACLS
.mpo_check_vnode_setacl = sebsd_check_vnode_setacl,
+#endif
+#ifdef HAS_EXTATTRS
.mpo_check_vnode_setextattr = sebsd_check_vnode_setextattr,
+#endif
.mpo_check_vnode_setflags = sebsd_check_vnode_setflags,
.mpo_check_vnode_setmode = sebsd_check_vnode_setmode,
.mpo_check_vnode_setowner = sebsd_check_vnode_setowner,
@@ -2134,18 +2261,37 @@
.mpo_check_vnode_write = sebsd_check_vnode_write,
/* Misc */
+#ifdef HAS_IMAGE_PARAMS
.mpo_execve_transition = sebsd_execve_transition,
.mpo_execve_will_transition = sebsd_execve_will_transition,
+#endif
.mpo_relabel_cred = sebsd_relabel_cred,
+#ifdef HAS_PIPES
.mpo_relabel_pipe = sebsd_relabel_pipe,
+#endif
/* .mpo_relabel_socket = sebsd_relabel_socket, */
.mpo_relabel_vnode = sebsd_relabel_vnode,
+#ifdef HAS_EXTATTRS
.mpo_setlabel_vnode_extattr = sebsd_setlabel_vnode_extattr,
+#endif
/*.mpo_set_socket_peer_from_mbuf = sebsd_set_socket_peer_from_mbuf,*/
/*.mpo_set_socket_peer_from_socket = sebsd_set_socket_peer_from_socket,*/
+#if 0
.mpo_syscall = sebsd_syscall,
+#endif
};
+#if 0
MAC_POLICY_SET(&sebsd_ops, sebsd, "NSA/NAI Labs Security Enhanced BSD",
MPC_LOADTIME_FLAG_NOTLATE, &slot);
+#endif
+
+struct mac_policy_conf sebsd_mac_policy_conf = {
+ "sebsd", /* policy name */
+ "NSA/NAI Labs Security Enhanced BSD", /* full name */
+ &sebsd_ops, /* policy operations */
+ 0, /* loadtime flags*/
+ 1, /* security field */
+ 0 /* runtime flags */
+};
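Review bot: The hand-written `sebsd_mac_policy_conf` passes `0` for the loadtime flags and so drops the `MPC_LOADTIME_FLAG_NOTLATE` that the now-disabled `MAC_POLICY_SET` supplied; on FreeBSD that flag refuses a late load into a system whose existing objects carry no SEBSD labels, so if Darwin's framework has an equivalent it should be set here, and if it does not, a comment should record that late loading is now unguarded. The positional initializer also restates the label slot as a bare `1 /* security field */` beside `static int slot = 1` earlier in the file, so the two can drift apart silently; if the struct's field names are available, designated initializers would let the compiler check the mapping instead of the comments.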
==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/sebsd_syscall.c#2 (text+ko) ====
@@ -34,6 +34,7 @@
* $FreeBSD$
*/
+#if 0
#include <sys/types.h>
#include <sys/param.h>
#include <sys/kernel.h>
@@ -91,3 +92,4 @@
return err;
}
+#endif /* 0 */
==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/sebsd_sysctl.c#2 (text+ko) ====
@@ -34,6 +34,7 @@
* $FreeBSD$
*/
+#if 0
#include <sys/types.h>
#include <sys/param.h>
#include <sys/kernel.h>
@@ -320,3 +321,4 @@
"SEBSD access vector decision query");
SYSCTL_PROC(_security_mac_sebsd, OID_AUTO, enforcing, CTLTYPE_INT | CTLFLAG_RW,
NULL, 0, sysctl_sebsd_enforcing, "I", "SEBSD avc enforcement");
+#endif /* 0 */
==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/ss/context.h#2 (text+ko) ====
==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/ss/ebitmap.h#2 (text+ko) ====
==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/ss/global.h#2 (text+ko) ====
==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/ss/init.c#2 (text+ko) ====
==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/ss/queue.c#2 (text+ko) ====
==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/ss/sidtab.c#2 (text+ko) ====
==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/ss/sidtab.h#2 (text+ko) ====
==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/ss/symtab.h#2 (text+ko) ====