PERFORCE change 40416 for review
Andrew Reisse
areisse at FreeBSD.org
Fri Oct 24 18:17:02 GMT 2003
http://perforce.freebsd.org/chv.cgi?CH=40416
Change 40416 by areisse at areisse_ibook on 2003/10/24 11:16:52
Some mac syscalls (mac_get_file, mac_get_pid, mac_get_proc)
mpo_execve calls take execlabel and not image_params
Porting for sebsd
Most memory allocation changed to use kmem_alloc and sometimes kmem_free
Affected files ...
.. //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/init_sysent.c#3 edit
.. //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/kern_mac.c#21 edit
.. //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/sys/mac.h#5 edit
.. //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/sys/mac_policy.h#3 edit
.. //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/Makefile#3 edit
.. //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/avc/Makefile#2 edit
.. //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/linux-compat.h#3 edit
.. //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/sebsd.c#6 edit
.. //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/ss/Makefile#2 edit
.. //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/ss/avtab.h#2 edit
.. //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/ss/ebitmap.h#4 edit
.. //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/ss/global.h#4 edit
.. //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/ss/init.c#4 edit
.. //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/ss/policydb.c#2 edit
.. //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/ss/policydb.h#2 edit
.. //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/ss/queue.c#4 edit
.. //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/ss/services.c#2 edit
Differences ...
==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/init_sysent.c#3 (text+ko) ====
@@ -317,7 +317,9 @@
int __mac_get_link();
int __mac_set_link();
int __mac_get_proc();
+int __mac_get_pid();
int __mac_set_proc();
+int mac_execve();
#endif
/*
@@ -729,14 +731,17 @@
syss(__mac_get_link,2), /* 339 */
syss(__mac_get_proc,1), /* 340 */
syss(__mac_set_proc,1), /* 341 */
+ /*syss(mac_execve,4), /* 342 */
+ syss(nosys,0), /* 342 */
+ syss(__mac_get_pid,2), /* 343 */
#else
syss(nosys,0), /* 338 */
syss(nosys,0), /* 339 */
syss(nosys,0), /* 340 */
syss(nosys,0), /* 341 */
-#endif
syss(nosys,0), /* 342 */
syss(nosys,0), /* 343 */
+#endif
syss(nosys,0), /* 344 */
syss(nosys,0), /* 345 */
syss(nosys,0), /* 346 */
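Review bot: The disabled slot 342 entry, `/*syss(mac_execve,4), /* 342 */`, is commented out only because the comment happens to end at the `*/` of the slot-number comment, and the inner `/*` will draw a nested-comment warning from most compilers. A form such as `/* syss(mac_execve,4), 342: not wired up yet */` above the `syss(nosys,0)` line says the same thing without the nested opener. The first hunk of this file also adds `int mac_execve();` although no table entry refers to it yet.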
==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/kern_mac.c#21 (text+ko) ====
@@ -1558,10 +1558,10 @@
return (error);
}
+#endif
int
-mac_execve_enter(struct image_params *imgp, struct mac *mac_p,
- struct label *execlabelstorage)
+mac_execve_enter(struct mac *mac_p, struct label *execlabelstorage)
{
struct mac mac;
char *buffer;
@@ -1578,7 +1578,7 @@
if (error)
return (error);
- buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK);
+ buffer = _MALLOC(mac.m_buflen, M_MACTEMP, M_WAITOK);
error = copyinstr(mac.m_string, buffer, mac.m_buflen, NULL);
if (error) {
FREE(buffer, M_MACTEMP);
@@ -1592,20 +1592,12 @@
mac_destroy_cred_label(execlabelstorage);
return (error);
}
- imgp->execlabel = execlabelstorage;
return (0);
}
void
-mac_execve_exit(struct image_params *imgp)
-{
- if (imgp->execlabel != NULL)
- mac_destroy_cred_label(imgp->execlabel);
-}
-
-void
mac_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp,
- struct label *interpvnodelabel, struct image_params *imgp)
+ struct label *interpvnodelabel, struct label *execl)
{
ASSERT_VOP_LOCKED(vp, "mac_execve_transition");
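Review bot: After this hunk nothing visible releases the exec label on the success path of mac_execve_enter: the `imgp->execlabel = execlabelstorage;` hand-off and mac_execve_exit, which destroyed the label, are both removed, so the caller now has to call mac_destroy_cred_label() itself. That contract should be written on the function, for example `/* On success the caller owns execlabelstorage and must release it with mac_destroy_cred_label(). */`. The mac.h hunk still carries `void mac_execve_exit(struct image_params *imgp);` as a context line, which leaves a prototype with no definition in this file. The bodies of mac_execve_enter and mac_execve_transition extend outside the hunk, so the point about where the label is initialised is inferred from the error path.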
@@ -1614,12 +1606,12 @@
return;
MAC_PERFORM(execve_transition, old, new, vp, &vp->v_label,
- interpvnodelabel, imgp, imgp->execlabel);
+ interpvnodelabel, execl);
}
int
mac_execve_will_transition(struct ucred *old, struct vnode *vp,
- struct label *interpvnodelabel, struct image_params *imgp)
+ struct label *interpvnodelabel, struct label *execlabel)
{
int result;
@@ -1630,11 +1622,10 @@
result = 0;
MAC_BOOLEAN(execve_will_transition, ||, old, vp, &vp->v_label,
- interpvnodelabel, imgp, imgp->execlabel);
+ interpvnodelabel, execlabel);
return (result);
}
-#endif
int
mac_check_vnode_access(struct ucred *cred, struct vnode *vp, int acc_mode)
@@ -3455,7 +3446,7 @@
struct mac mac;
struct proc *tproc;
struct ucred *tcred;
- int error;
+ int error, ulen;
error = copyin(uap->mac_p, &mac, sizeof(mac));
if (error)
@@ -3480,7 +3471,7 @@
return (error);
MALLOC(elements, char *, mac.m_buflen, M_MACTEMP, M_WAITOK);
- error = copyinstr(mac.m_string, elements, mac.m_buflen, NULL);
+ error = copyinstr(mac.m_string, elements, mac.m_buflen, &ulen);
if (error) {
FREE(elements, M_MACTEMP);
crfree(tcred);
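Review bot: `copyinstr(mac.m_string, elements, mac.m_buflen, &ulen)` passes the address of an `int` (declared as `int error, ulen;` in the previous hunk) where copyinstr expects a `size_t *` for the copied length. Declaring it as `size_t ulen;` keeps the types matched and avoids a mis-sized store on targets where the two differ in width. Nothing in the visible lines reads ulen, so if it is meant to bound later parsing of `elements`, that use should sit next to the call; the function body continues outside the hunk.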
@@ -3787,7 +3778,7 @@
error = mac_externalize_vnode_label(&intlabel, elements, buffer,
mac.m_buflen, M_WAITOK);
- /*NDFREE(&nd, 0);*/
+ vput (nd.ni_vp);
FREE_ZONE(nd.ni_cnd.cn_pnbuf, nd.ni_cnd.cn_pnlen, M_NAMEI);
mac_destroy_vnode_label(&intlabel);
@@ -3853,7 +3844,8 @@
mac_copy_vnode_label(&nd.ni_vp->v_label, &intlabel);
error = mac_externalize_vnode_label(&intlabel, elements, buffer,
mac.m_buflen, M_WAITOK);
- /*NDFREE(&nd, 0);*/
+
+ vput (nd.ni_vp);
FREE_ZONE(nd.ni_cnd.cn_pnbuf, nd.ni_cnd.cn_pnlen, M_NAMEI);
mac_destroy_vnode_label(&intlabel);
==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/sys/mac.h#5 (text+ko) ====
@@ -222,14 +222,14 @@
* Labeling event operations: processes.
*/
void mac_create_cred(struct ucred *cred_parent, struct ucred *cred_child);
-int mac_execve_enter(struct image_params *imgp, struct mac *mac_p,
+int mac_execve_enter(struct mac *mac_p,
struct label *execlabel);
void mac_execve_exit(struct image_params *imgp);
void mac_execve_transition(struct ucred *old, struct ucred *new,
struct vnode *vp, struct label *interpvnodelabel,
- struct image_params *imgp);
+ struct label *execlabel);
int mac_execve_will_transition(struct ucred *old, struct vnode *vp,
- struct label *interpvnodelabel, struct image_params *imgp);
+ struct label *interpvnodelabel, struct label *execlabel);
void mac_create_proc0(struct ucred *cred);
void mac_create_proc1(struct ucred *cred);
#if 0
==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/sys/mac_policy.h#3 (text+ko) ====
@@ -280,16 +280,18 @@
*/
void (*mpo_create_cred)(struct ucred *parent_cred,
struct ucred *child_cred);
-#if 0
+
void (*mpo_execve_transition)(struct ucred *old, struct ucred *new,
- struct vnode *vp, struct label *vnodelabel,
+ struct vnode *vp,
+ struct label *vnodelabel,
struct label *interpvnodelabel,
- struct image_params *imgp, struct label *execlabel);
+ struct label *execlabel);
int (*mpo_execve_will_transition)(struct ucred *old,
- struct vnode *vp, struct label *vnodelabel,
+ struct vnode *vp,
+ struct label *vnodelabel,
struct label *interpvnodelabel,
- struct image_params *imgp, struct label *execlabel);
-#endif
+ struct label *execlabel);
+
void (*mpo_create_proc0)(struct ucred *cred);
void (*mpo_create_proc1)(struct ucred *cred);
void (*mpo_relabel_cred)(struct ucred *cred,
==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/Makefile#3 (text+ko) ====
@@ -11,6 +11,7 @@
sebsd.h \
flask.h \
flask_types.h \
+ sebsd_syscalls.h \
linux-compat.h
INSTINC_SUBDIRS = avc ss
==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/avc/Makefile#2 (text+ko) ====
@@ -17,6 +17,11 @@
EXPORT_ONLY_FILES = \
avc.h \
+ avc_ss.h \
+ class_to_string.h \
+ av_perm_to_string.h \
+ common_perm_to_string.h \
+ initial_sid_to_string.h \
av_permissions.h
INSTALL_MI_LIST =
==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/linux-compat.h#3 (text+ko) ====
@@ -47,6 +47,7 @@
#ifdef __APPLE__
#include <machine/endian.h>
+#include <architecture/byte_order.h>
#else /* Probably FreeBSD */
#include <sys/endian.h>
#endif
@@ -63,15 +64,25 @@
#define le32_to_cpu(x) ((__uint32_t)(x))
#define le64_to_cpu(x) ((__uint64_t)(x))
#else /* BYTE_ORDER != LITTLE_ENDIAN */
+
+#ifdef __APPLE__
+#define le32_to_cpu(x) NXSwapLittleLongToHost(x)
+#define le64_to_cpu(x) NXSwapLittleLongLongToHost(x)
+#define cpu_to_le32(x) NXSwapHostLongToLittle(x)
+#define cpu_to_le64(x) NXSwapHostLongLongToLittle(x)
+#else
+
#define cpu_to_le32(x) bswap32((x))
#define cpu_to_le64(x) bswap64((x))
#define le32_to_cpu(x) bswap32((x))
#define le64_to_cpu(x) bswap64((x))
+
+#endif
#endif /* BYTE_ORDER */
/* sebsd uses same ss source files for userspace */
-#define kmalloc(size,flags) malloc(size,as)
+#define kmalloc(size,flags) malloc(size)
#define kfree(v) free(v)
#define __get_free_page(flags) malloc (4096) /* XXX need page size */
#define GFP_ATOMIC 1
@@ -80,7 +91,6 @@
#else /* _KERNEL */
#ifdef __APPLE__
-#include <architecture/byte_order.h>
#if BYTE_ORDER == LITTLE_ENDIAN
#define le32_to_cpu(x) ((__uint32_t)(x))
#define le64_to_cpu(x) ((__uint64_t)(x))
@@ -108,8 +118,12 @@
#include <sys/malloc.h>
#ifdef __APPLE__
-#define malloc(size,type,flags) _MALLOC(size,type,flags)
-#define free(addr,type) FREE(addr,type)
+
+extern void *sebsd_malloc (size_t size, int flags);
+
+#define malloc(size,type,flags) sebsd_malloc (size,flags)
+#define free(addr,type)
+
#define M_SEBSD M_MACTEMP
#else
#ifndef _M_SEBSD_DEF
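Review bot: `#define free(addr,type)` now expands to nothing, so on __APPLE__ kernel builds every `free(p, M_SEBSD)` and every `kfree(v)` (still defined as `free(v, M_SEBSD)` in the next hunk) leaks its allocation. The queue.c hunks in this change replace `sebsd_free(..., M_SEBSD)` with `free(..., M_SEBSD)` and so appear to reach this no-op as well. kmem_free() needs the allocation size, so a working release requires sebsd_malloc to record the size it was given. Until that exists the gap should at least be marked, for example `/* XXX free() is a no-op on Darwin: kmem_free needs the size, so every kfree() caller leaks */`.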
@@ -118,10 +132,10 @@
#endif
#endif /* __APPLE__ */
-#define kmalloc(size,flags) malloc(size, M_SEBSD, flags)
+#define kmalloc(size,flags) sebsd_malloc(size, flags)
#define kfree(v) free(v, M_SEBSD)
/* XXX need page size */
-#define __get_free_page(flags) malloc(4096, M_SEBSD, flags)
+#define __get_free_page(flags) sebsd_malloc(4096, flags)
#define GFP_ATOMIC M_NOWAIT
#define GFP_KERNEL M_NOWAIT
==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/sebsd.c#6 (text+ko) ====
@@ -59,11 +59,15 @@
* HAS_EXTATTRS
* HAS_DEVFS_DIRENT
* HAS_VAPPEND
- * HAS_IMAGE_PARAMS
* HAS_STRINGS
* HAS_ACLS
*/
+
+#define HAS_STRING
+#define HAS_STRINGS
+
#include <sys/ucred.h>
+#include <vm/vm_kern.h>
#endif
#include <sys/mac_policy.h>
@@ -77,7 +81,21 @@
#define SLOT(l) ((void *)LABEL_TO_SLOT((l), slot).l_ptr)
#ifdef __APPLE__
-#define M_SEBSD M_MACTEMP
+
+void *sebsd_malloc (size_t size, int flags)
+{
+ void *v;
+ kmem_alloc (kernel_map, &v, size);
+ if (flags & M_ZERO)
+ bzero (v, size);
+ return v;
+}
+
+static void sebsd_free (void *v, size_t size)
+{
+ kmem_free (kernel_map, v, size);
+}
+
#else
MALLOC_DEFINE(M_SEBSD, "sebsd", "Security Enhanced BSD");
#endif
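Review bot: sebsd_malloc ignores the result of kmem_alloc(), so when the allocation fails `v` is returned (and, with M_ZERO, passed to bzero) while still uninitialised. The caller later in this file that passes `flag` and tests `new == NULL` depends on a NULL return, and the M_WAITOK callers dereference the result at once. The version below checks the return code and returns NULL on failure; it assumes kmem_alloc takes a `vm_offset_t *` and returns a kern_return_t, which should be confirmed against the vm_kern.h this tree includes. sebsd_free is declared `static` here, so the `free` macro in linux-compat.h cannot reach it from the ss/ sources.

```c
void *sebsd_malloc (size_t size, int flags)
{
	vm_offset_t v;

	/* kmem_alloc can fail; do not hand back or zero an unset pointer. */
	if (kmem_alloc (kernel_map, &v, size) != KERN_SUCCESS)
		return (NULL);
	if (flags & M_ZERO)
		bzero ((void *)v, size);
	return ((void *)v);
}
```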
@@ -92,13 +110,12 @@
sebsd_init(struct mac_policy_conf *mpc)
{
printf("sebsd:: init\n");
+
+ avc_init();
sebsd_register_sysctls();
-#if 0
- avc_init();
if (security_init()) {
panic("SEBSD: couldn't read policy file");
}
-#endif
}
static void
@@ -337,7 +354,7 @@
{
struct task_security_struct *new_tsec;
- new_tsec = malloc(sizeof(*new_tsec), M_SEBSD, M_ZERO | M_WAITOK);
+ new_tsec = sebsd_malloc(sizeof(*new_tsec), M_ZERO | M_WAITOK);
new_tsec->osid = new_tsec->sid = SECINITSID_UNLABELED;
SLOT(label) = new_tsec;
}
@@ -347,7 +364,7 @@
{
struct file_security_struct *new_fsec;
- new_fsec = malloc(sizeof(*new_fsec), M_SEBSD, M_ZERO | M_WAITOK);
+ new_fsec = sebsd_malloc (sizeof(*new_fsec), M_ZERO | M_WAITOK);
new_fsec->sid = new_fsec->sid = SECINITSID_UNLABELED;
SLOT(label) = new_fsec;
}
@@ -357,7 +374,7 @@
{
struct mount_security_struct *sbsec;
- sbsec = malloc(sizeof(*sbsec), M_SEBSD, M_ZERO | M_WAITOK);
+ sbsec = sebsd_malloc(sizeof(*sbsec), M_ZERO | M_WAITOK);
sbsec->sid = SECINITSID_UNLABELED;
SLOT(label) = sbsec;
}
@@ -367,7 +384,7 @@
{
struct mount_fs_security_struct *sbsec;
- sbsec = malloc(sizeof(*sbsec), M_SEBSD, M_ZERO | M_WAITOK);
+ sbsec = sebsd_malloc(sizeof(*sbsec), M_ZERO | M_WAITOK);
sbsec->sid = SECINITSID_UNLABELED;
SLOT(label) = sbsec;
}
@@ -377,7 +394,7 @@
{
struct network_security_struct *new;
- new = malloc(sizeof(*new), M_SEBSD, M_ZERO | M_WAITOK);
+ new = sebsd_malloc(sizeof(*new), M_ZERO | M_WAITOK);
new->sid = new->task_sid = SECINITSID_UNLABELED;
SLOT(label) = new;
}
@@ -387,7 +404,7 @@
{
struct network_security_struct *new;
- new = malloc(sizeof(*new), M_SEBSD, M_ZERO | flag);
+ new = sebsd_malloc(sizeof(*new), M_ZERO | flag);
if (new == NULL) {
SLOT(label) = NULL;
return (ENOMEM);
@@ -404,20 +421,25 @@
{
struct vnode_security_struct *vsec;
- vsec = malloc(sizeof(*vsec), M_SEBSD, M_ZERO | M_WAITOK);
+ vsec = sebsd_malloc(sizeof(*vsec), M_ZERO | M_WAITOK);
vsec->sid = SECINITSID_UNLABELED;
vsec->task_sid = SECINITSID_UNLABELED;
SLOT(label) = vsec;
}
static void
-sebsd_destroy_label(struct label *label)
+sebsd_destroy_cred_label(struct label *label)
{
+ sebsd_free (SLOT(label), sizeof (struct task_security_struct));
+ SLOT(label) = NULL;
+}
- free(SLOT(label), M_SEBSD);
- SLOT(label) = NULL;
+static void
+sebsd_destroy_vnode_label(struct label *label)
+{
+ sebsd_free (SLOT(label), sizeof (struct vnode_security_struct));
+ SLOT(label) = NULL;
}
-
static void
sebsd_relabel_cred(struct ucred *cred, struct label *newlabel)
{
@@ -579,7 +601,7 @@
dirent_type_to_security_class(devfs_dirent->de_dirent->d_type);
/* Obtain a SID based on the fstype, path, and class. */
- path = malloc(strlen(fullpath) + 2, M_SEBSD, M_ZERO | M_WAITOK);
+ path = sebsd_malloc(strlen(fullpath) + 2, M_ZERO | M_WAITOK);
path[0] = '/';
strcpy(&path[1], fullpath);
rc = security_genfs_sid(mp->mnt_vfc->vfc_name, path, dirent->sclass,
@@ -608,7 +630,7 @@
"dirent=%d\n", path, sbsec->sid, mp->mnt_stat.f_mntonname,
rc, dirent->sclass, newsid, dirent->sid);
}
- free(path, M_SEBSD);
+ sebsd_free (path, 2 + strlen(fullpath));
}
static void
@@ -631,7 +653,7 @@
dirent->sclass = SECCLASS_DIR;
/* Obtain a SID based on the fstype, path, and class. */
- path = malloc(strlen(fullpath) + 2, M_SEBSD, M_ZERO | M_WAITOK);
+ path = sebsd_malloc(strlen(fullpath) + 2, M_ZERO | M_WAITOK);
path[0] = '/';
strcpy(&path[1], fullpath);
rc = security_genfs_sid(mp->mnt_vfc->vfc_name, path, dirent->sclass,
@@ -646,7 +668,7 @@
__func__, path, sbsec->sid, mp->mnt_stat.f_mntonname, rc,
dirent->sclass, newsid, dirent->sid);
}
- free(path, M_SEBSD);
+ sebsd_free(path, strlen (fullpath) + 2);
}
static void
@@ -674,7 +696,7 @@
lnksec->sclass = SECCLASS_LNK_FILE;
/* Obtain a SID based on the fstype, path, and class. */
- path = malloc(strlen(fullpath) + 2, M_SEBSD, M_ZERO | M_WAITOK);
+ path = sebsd_malloc(strlen(fullpath) + 2, M_ZERO | M_WAITOK);
path[0] = '/';
strcpy(&path[1], fullpath);
rc = security_genfs_sid(mp->mnt_vfc->vfc_name, path, lnksec->sclass,
@@ -688,7 +710,7 @@
sbsec->sid, mp->mnt_stat.f_mntonname, rc,
lnksec->sclass, newsid, lnksec->sid);
}
- free(path, M_SEBSD);
+ sebsd_free(path, strlen (fullpath) + 2);
}
#endif /* HAS_DEVFS_DIRENT */
@@ -1092,11 +1114,10 @@
return (cred_has_perm(cred, proc, perm));
}
-#ifdef HAS_IMAGE_PARAMS
static void
sebsd_execve_transition(struct ucred *old, struct ucred *new,
struct vnode *vp, struct label *vnodelabel, struct label *interpvnodelabel,
- struct image_params *imgp, struct label *execlabel)
+ struct label *execlabel)
{
struct task_security_struct *otask, *ntask;
struct vnode_security_struct *file;
@@ -1136,7 +1157,7 @@
static int
sebsd_execve_will_transition(struct ucred *old, struct vnode *vp,
struct label *vnodelabel, struct label *interpvnodelabel,
- struct image_params *imgp, struct label *execlabel)
+ struct label *execlabel)
{
struct task_security_struct *task;
struct vnode_security_struct *file;
@@ -1155,6 +1176,15 @@
if (execlabel == NULL) {
(void)security_transition_sid(task->sid, file->sid,
SECCLASS_PROCESS, &newsid);
+ int len;
+ char *ts, *ns, *fs;
+ security_sid_to_context (task->sid, &ts, &len);
+ security_sid_to_context (file->sid, &fs, &len);
+ security_sid_to_context (newsid, &ns, &len);
+ printf ("transition: %s %s -> %s\n", ts, fs, ns);
+ security_free_context (ts);
+ security_free_context (fs);
+ security_free_context (ns);
} else {
newsid = ((struct task_security_struct *)
SLOT(execlabel))->sid;
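Review bot: The added trace in the `execlabel == NULL` branch prints `ts`, `fs` and `ns` and frees them without checking any of the three security_sid_to_context() calls, so a failed lookup sends an uninitialised pointer into `printf` and security_free_context(). The result of security_transition_sid() is also discarded on the unchanged line above, so `newsid` may itself be unset when it is looked up. The trace runs on every exec decision, which makes it a crash risk and a console flood; the version below prints only when all three lookups succeed, assuming a zero return means success. The function body starts and ends outside the hunk.

```c
		(void)security_transition_sid(task->sid, file->sid,
		    SECCLASS_PROCESS, &newsid);
		{
			/* Debug trace; skipped when any context lookup fails. */
			char *ts = NULL, *fs = NULL, *ns = NULL;
			int len;

			if (security_sid_to_context (task->sid, &ts, &len) == 0 &&
			    security_sid_to_context (file->sid, &fs, &len) == 0 &&
			    security_sid_to_context (newsid, &ns, &len) == 0)
				printf ("transition: %s %s -> %s\n", ts, fs, ns);
			if (ns != NULL)
				security_free_context (ns);
			if (fs != NULL)
				security_free_context (fs);
			if (ts != NULL)
				security_free_context (ts);
		}
		/* … unchanged: else branch taking the SID from execlabel … */
```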
@@ -1162,7 +1192,6 @@
return (newsid != task->sid);
}
-#endif
#ifdef HAS_STRING
static int
@@ -1893,7 +1922,7 @@
return (error);
if (sbuf_cat(sb, context) == -1)
- error = EINVAL;
+ error = ENOMEM;
security_free_context(context);
return (error);
}
@@ -2049,9 +2078,33 @@
}
static struct mac_policy_ops sebsd_ops = {
- .mpo_init = sebsd_init
+ .mpo_init = sebsd_init,
+
+ .mpo_init_cred_label = sebsd_init_cred_label,
+ .mpo_init_vnode_label = sebsd_init_vnode_label,
+
+ .mpo_destroy = sebsd_destroy,
+ .mpo_destroy_cred_label = sebsd_destroy_cred_label,
+ .mpo_destroy_vnode_label = sebsd_destroy_vnode_label,
+
+ .mpo_internalize_cred_label = sebsd_internalize_cred_label,
+ .mpo_externalize_cred_label = sebsd_externalize_cred_label,
+
+ .mpo_internalize_vnode_label = sebsd_internalize_vnode_label,
+ .mpo_externalize_vnode_label = sebsd_externalize_vnode_label,
+
+ /* Create Labels */
+
+ .mpo_create_cred = sebsd_create_cred,
+ .mpo_create_proc0 = sebsd_create_proc0,
+ .mpo_create_proc1 = sebsd_create_proc1,
+
+ /* Transition */
+ .mpo_execve_will_transition = sebsd_execve_will_transition,
+ .mpo_execve_transition = sebsd_execve_transition
};
+#if 0
static struct mac_policy_ops sebsd_ops_o = {
/* Init Labels */
.mpo_init_bpfdesc_label = sebsd_init_network_label,
@@ -2282,6 +2335,7 @@
.mpo_syscall = sebsd_syscall,
#endif
};
+#endif
#if 0
MAC_POLICY_SET(&sebsd_ops, sebsd, "NSA/NAI Labs Security Enhanced BSD",
==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/ss/Makefile#2 (text+ko) ====
@@ -16,7 +16,8 @@
EXPINC_SUBDIRS_I386 = ${EXPINC_SUBDIRS}
EXPORT_ONLY_FILES = \
- security.h
+ mls.h security.h services.h policydb.h global.h context.h queue.h \
+ hashtab.h symtab.h avtab.h sidtab.h ebitmap.h mls_types.h constraint.h
INSTALL_MI_LIST =
==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/ss/avtab.h#2 (text+ko) ====
@@ -11,7 +11,6 @@
#define _SS_AVTAB_H_
#include <security/sebsd/flask_types.h>
-#include <security/sebsd/ss/fileutils.h>
struct avtab_key {
u32 source_type; /* source type */
==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/ss/ebitmap.h#4 (text+ko) ====
@@ -15,14 +15,23 @@
#define _SS_EBITMAP_H_
#ifdef __APPLE__
+
+#ifdef KERNEL
#include <sys/systm.h>
#else
+#include <stdlib.h>
+#include <stdio.h>
+#endif
+
+#else
+
#ifdef _KERNEL
#include <sys/libkern.h>
#else
#include <stdlib.h>
#include <stdio.h>
#endif
+
#endif
#include <security/sebsd/linux-compat.h>
==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/ss/global.h#4 (text+ko) ====
@@ -24,13 +24,15 @@
#include <sys/malloc.h>
#if defined(_KERNEL) || defined(KERNEL)
-#define sebsd_malloc(a,b,c) malloc(a,b,c)
-#define sebsd_free(a,b) free(a,b)
+/*#define sebsd_malloc(a,b,c) sebsd_malloc(a,c)
+ #define sebsd_free(a,b) free(a,b)*/
#else /* _KERNEL */
#include <stdlib.h>
#include <errno.h>
+/*
#define sebsd_malloc(a,b,c) (c&M_ZERO)?calloc(1,a):malloc(a)
#define sebsd_free(a,b) free(a)
+*/
#define mtx_lock(a)
#define mtx_unlock(a)
#endif /* _KERNEL */
==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/ss/init.c#4 (text+ko) ====
@@ -16,6 +16,18 @@
#include <sys/systm.h>
#ifndef __APPLE__
#include <sys/linker.h>
+#else
+#include <mach/kmod.h>
+#include <string.h> /* TMP */
+
+struct lpargs
+{
+ int size;
+ void *data;
+};
+
+extern kmod_info_t *kmod;
+
#endif
#include <security/sebsd/linux-compat.h>
@@ -29,6 +41,17 @@
char policyfile[MAXPATHLEN];
+#if 1
+
+#include <security/sebsd/sebsd_policy.h>
+
+int security_init(void)
+{
+ return security_load_policy (binpolicy_data, binpolicy_len);
+}
+
+#else
+
int security_init(void)
{
int rc;
@@ -39,9 +62,7 @@
printf("security: starting up (compiled " __DATE__ ")\n");
#ifndef __APPLE__
-/*
- * TBD: No way to load policy on Darwin (yet)
- */
+
lh = preload_search_by_type ("sebsd_policy");
if (lh == NULL)
goto loaderr;
@@ -62,14 +83,40 @@
printf("security: error while reading policy, cannot initialize.\n");
return EINVAL;
}
+#else
+
+ struct lpargs lp;
+ kmod_info_t *k;
+ lp.size = 0;
+
+ for (k = kmod; k != NULL; k = k->next)
+ {
+ printf ("kmod %s\n", k->name);
+ if (k->address && 0 == strcmp ("sebsd.policy", k->name))
+ {
+ rc = k->start (k, &lp);
+ if (rc)
+ return rc;
+
+ break;
+ }
+ }
+
+ char *lpdata = (char *) lp.data;
+ if (lp.size)
+ printf ("%d %c%c%c%c%c\n", lp.size, lpdata[0], lpdata[1],
+ lpdata[2], lpdata[3], lpdata[4]);
+ else
+ printf ("security: no policy module found\n");
+
#endif
- return 0;
-
loaderr:
printf("security: policy not supplied by bootloader\n");
return EINVAL;
}
+#endif
+
/* FLASK */
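Review bot: With `return 0;` removed ahead of `loaderr:`, every path through this variant of security_init() that does not return earlier falls into the label and returns EINVAL, including a successful load; the line should stay, i.e. keep `return 0;` immediately before `loaderr:`. In the new __APPLE__ branch `lp.data` is not initialised in this function before `lpdata[0]` to `lpdata[4]` are printed, and only `lp.size` being non-zero is tested rather than a length of at least five bytes. A comment on `struct lpargs` should state what the module's start routine is expected to fill in. This variant sits under the `#else` of the `#if 1` added in the previous hunk, so it is not compiled at present.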
==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/ss/policydb.c#2 (text+ko) ====
@@ -546,7 +546,7 @@
*/
static int context_read_and_validate(struct context *c,
struct policydb *p,
- void *fp)
+ struct policy_file *fp)
{
u32 *buf;
int rc = 0;
@@ -582,7 +582,7 @@
* binary representation file.
*/
-static int perm_read(struct policydb *p, struct hashtab *h, void *fp)
+static int perm_read(struct policydb *p, struct hashtab *h, struct policy_file *fp)
{
char *key = 0;
struct perm_datum *perdatum;
@@ -631,7 +631,7 @@
goto out;
}
-static int common_read(struct policydb *p, struct hashtab *h, void *fp)
+static int common_read(struct policydb *p, struct hashtab *h, struct policy_file *fp)
{
char *key = 0;
struct common_datum *comdatum;
@@ -689,7 +689,7 @@
goto out;
}
-static int class_read(struct policydb *p, struct hashtab *h, void *fp)
+static int class_read(struct policydb *p, struct hashtab *h, struct policy_file *fp)
{
char *key = 0;
struct class_datum *cladatum;
@@ -866,7 +866,7 @@
goto out;
}
-static int role_read(struct policydb *p, struct hashtab *h, void *fp)
+static int role_read(struct policydb *p, struct hashtab *h, struct policy_file *fp)
{
char *key = 0;
struct role_datum *role;
@@ -931,7 +931,7 @@
goto out;
}
-static int type_read(struct policydb *p, struct hashtab *h, void *fp)
+static int type_read(struct policydb *p, struct hashtab *h, struct policy_file *fp)
{
char *key = 0;
struct type_datum *typdatum;
@@ -978,7 +978,7 @@
goto out;
}
-static int user_read(struct policydb *p, struct hashtab *h, void *fp)
+static int user_read(struct policydb *p, struct hashtab *h, struct policy_file *fp)
{
char *key = 0;
struct user_datum *usrdatum;
@@ -1033,7 +1033,7 @@
goto out;
}
-static int (*read_f[SYM_NUM]) (struct policydb *p, struct hashtab *h, void *fp) =
+static int (*read_f[SYM_NUM]) (struct policydb *p, struct hashtab *h, struct policy_file *fp) =
{
common_read,
class_read,
@@ -1064,8 +1064,10 @@
mls_set_config(config);
rc = policydb_init(p);
- if (rc)
- goto out;
+ if (rc) {
+ printf ("policydb_init failed\n");
+ goto out;
+ }
rc = EINVAL;
/* Read the magic number and string length. */
==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/ss/policydb.h#2 (text+ko) ====
==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/ss/queue.c#4 (text+ko) ====
@@ -22,7 +22,7 @@
{
queue_t q;
- q = (queue_t) sebsd_malloc(sizeof(struct queue_info),
+ q = (queue_t) malloc(sizeof(struct queue_info),
M_SEBSD, M_WAITOK);
if (q == NULL)
return NULL;
@@ -40,7 +40,7 @@
if (!q)
return -1;
- newnode = (queue_node_ptr_t) sebsd_malloc(sizeof(struct queue_node),
+ newnode = (queue_node_ptr_t) malloc(sizeof(struct queue_node),
M_SEBSD, M_WAITOK);
if (newnode == NULL)
return -1;
@@ -66,7 +66,7 @@
if (!q)
return -1;
- newnode = (queue_node_ptr_t) sebsd_malloc(sizeof(struct queue_node),
+ newnode = (queue_node_ptr_t) malloc(sizeof(struct queue_node),
M_SEBSD, M_WAITOK);
if (newnode == NULL)
return -1;
@@ -103,7 +103,7 @@
q->tail = NULL;
e = node->element;
- sebsd_free(node, M_SEBSD);
+ free(node, M_SEBSD);
return e;
}
@@ -132,10 +132,10 @@
while (p != NULL) {
temp = p;
p = p->next;
- sebsd_free(temp, M_SEBSD);
+ free(temp, M_SEBSD);
}
- sebsd_free(q, M_SEBSD);
+ free(q, M_SEBSD);
}
int queue_map(queue_t q, int (*f) (queue_element_t, void *), void *vp)
@@ -188,7 +188,7 @@
temp = p;
p = p->next;
g(temp->element, vp);
- sebsd_free(temp, M_SEBSD);
+ free(temp, M_SEBSD);
} else {
last = p;
p = p->next;
==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/ss/services.c#2 (text+ko) ====
@@ -402,7 +402,7 @@
}
printk(KERN_ERR "security_sid_to_context: called before initial "
"load_policy on unknown SID %d\n", sid);
- rc = EINVAL;
+ rc = ENOENT;
goto out;
}
POLICY_RDLOCK;
@@ -410,7 +410,7 @@
if (!context) {
printk(KERN_ERR "security_sid_to_context: unrecognized SID "
"%d\n", sid);
- rc = EINVAL;
+ rc = EMFILE;
goto out_unlock;
}
rc = context_struct_to_string(context, scontext, scontext_len);
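Review bot: Returning `EMFILE` for an unrecognised SID reports "too many open files" to anything that surfaces the errno, which misdescribes the failure; the previous hunk makes a similar substitution with `ENOENT` for the pre-policy case. If the aim is only to tell the two failure sites apart while debugging, the printk messages already do that and `EINVAL` can stay. If distinct codes are wanted, each site should carry a comment saying what callers may rely on, e.g. `rc = ENOENT; /* SID not recognised */`. The function body extends outside both hunks.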
@@ -997,11 +997,14 @@
LOAD_LOCK;
+ printf ("policy %x %d\n", data, len);
+
if (!ss_initialized) {
if (policydb_read(&policydb, fp)) {
LOAD_UNLOCK;
return EINVAL;
}
+ printf ("finished reading policy");
if (policydb_load_isids(&policydb, &sidtab)) {
LOAD_UNLOCK;
policydb_destroy(&policydb);
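Review bot: `printf ("policy %x %d\n", data, len);` formats `data` with `%x`; if `data` is the policy buffer pointer, as its name and use suggest, the conversion does not match the argument and a kernel address ends up in the console log. A trace that keeps only the length, `printf ("security: loading policy, %d bytes\n", len);`, avoids both problems. `printf ("finished reading policy");` also lacks a trailing newline. The declarations of `data` and `len` are outside the hunk.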