PERFORCE change 38121 for review
Chris Vance
cvance at FreeBSD.org
Tue Sep 16 13:50:02 GMT 2003
http://perforce.freebsd.org/chv.cgi?CH=38121
Change 38121 by cvance at cvance_osx_laptop on 2003/09/16 06:49:05
A batch of changes. Added entry points for most process checks.
Also, go ahead and ifdef away the label in struct ifnet, since it
breaks the network ABI and causes all sorts of trouble.
Affected files ...
.. //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/bsd_init.c#3 edit
.. //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/kern_exec.c#2 edit
.. //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/kern_exit.c#2 edit
.. //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/kern_ktrace.c#2 edit
.. //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/kern_mac.c#17 edit
.. //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/kern_prot.c#3 edit
.. //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/kern_resource.c#2 edit
.. //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/kern_sig.c#2 edit
.. //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/net/if_var.h#3 edit
Differences ...
==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/bsd_init.c#3 (text+ko) ====
@@ -350,6 +350,10 @@
p->p_ucred = crget();
p->p_ucred->cr_ngroups = 1; /* group 0 */
+#ifdef MAC
+/* mac_create_proc0(kernproc->p_ucred); */
+#endif
+
/* Create the file descriptor table. */
filedesc0.fd_refcnt = 1+1; /* +1 so shutdown will not _FREE_ZONE */
p->p_fd = &filedesc0;
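Review bot: The added `mac_create_proc0(kernproc->p_ucred)` call is commented out, and the matching `MAC_PERFORM(create_proc0, cred)` body in the kern_mac.c hunk is commented out as well, so proc0's credential is never presented to policies and neither site says why. A reader will take both for dead code; add a comment at each naming the blocker, e.g. `/* XXX MAC: create_proc0 hook disabled until <reason>; policies must not assume proc0's cred is labeled. */` with the reason filled in. This hunk also names `kernproc->p_ucred` while the surrounding lines operate on `p->p_ucred`; if those are the same process, using `p` keeps the placeholder consistent with its neighbours.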
==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/kern_exec.c#2 (text+ko) ====
@@ -207,6 +207,12 @@
}
}
+#ifdef MAC_TBD
+ error = mac_execve_enter(NULL, NULL);
+ if (error)
+ return(error);
+#endif
+
error = execargs_alloc(&execargs);
if (error)
return(error);
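Review bot: The `mac_execve_enter(NULL, NULL)` stub is gated on `MAC_TBD` rather than the `MAC` symbol every other hunk in this change uses, and nothing in the hunk says whether that is deliberate. If the hook is meant to stay out of the build until its real arguments exist, say so where the next reader will look: `/* XXX MAC_TBD: placeholder, not compiled; real arguments still to be wired up. */`. If `mac_execve_enter` will eventually set up per-exec state, the `return(error)` after `execargs_alloc` and the later failure paths need a matching exit/cleanup hook, which the hunk does not add. The enclosing function starts before and ends after this hunk.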
==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/kern_exit.c#2 (text+ko) ====
@@ -553,7 +553,7 @@
register struct proc *p, *t;
int status, error;
struct vnode *tvp;
-
+ struct pcred *pcred = q->p_cred;
retry:
if (uap->pid == 0)
uap->pid = -q->p_pgid;
@@ -565,6 +565,12 @@
p->p_pid != uap->pid &&
p->p_pgid != -(uap->pid))
continue;
+
+#ifdef MAC
+ if ((error = mac_check_proc_wait(pcred->pc_ucred, p)))
+ return (error);
+#endif
+
nfound++;
if (p->p_flag & P_WAITING) {
(void)tsleep(&p->p_stat, PWAIT, "waitcoll", 0);
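Review bot: Returning `error` from inside the child-scan loop makes one child the caller is not permitted to wait for fail the whole call, even when another child further down the list is waitable; the `continue` just above shows how a non-matching child is meant to be treated, and a denied child should be invisible in the same way. Since the function returns errno values the code compiles cleanly, so the inversion is purely semantic: consider `if (mac_check_proc_wait(pcred->pc_ucred, p) != 0) continue;`, which is the route FreeBSD's wait1 takes for this check. Whether any lock is held across the loop that an early return would leave held cannot be seen here; the function starts before and ends after this hunk.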
==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/kern_ktrace.c#2 (text+ko) ====
@@ -631,6 +631,7 @@
{
register struct pcred *caller = callp->p_cred;
register struct pcred *target = targetp->p_cred;
+ int error;
if (!PRISON_CHECK(callp, targetp))
return (0);
@@ -642,6 +643,11 @@
caller->pc_ucred->cr_uid == 0)
return (1);
+#ifdef MAC
+ if ((error = mac_check_proc_debug(caller->pc_ucred, targetp)))
+ return (error);
+#endif
+
return (0);
}
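Review bot: The MAC check in the second hunk inverts the function's result: the surrounding code returns `1` to permit and `0` to deny (`return (0)` after a failed `PRISON_CHECK`, `return (1)` on the condition ending in `cr_uid == 0`), but `return (error)` hands back a non-zero errno on denial, which the caller reads as permission granted. It is also placed after that `return (1)`, so a policy can never veto the callers that path admits and the check only runs on the already-denied path. Move it ahead of the uid checks and deny on failure: `if (mac_check_proc_debug(caller->pc_ucred, targetp) != 0) return (0);`, which also removes the need for the `int error;` added in the first hunk (otherwise unused in non-MAC builds). The function's signature precedes the first hunk.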
==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/kern_mac.c#17 (text+ko) ====
@@ -798,7 +798,7 @@
tag = m_tag_find(mbuf, PACKET_TAG_MACLABEL, NULL);
label = (struct label *)(tag+1);
#endif
-#ifdef NO_MBUF
+#ifdef HAVE_MBUFLABEL
label = &mbuf->m_pkthdr.label;
#endif
return (label);
@@ -872,7 +872,9 @@
mac_init_ifnet(struct ifnet *ifp)
{
+#ifdef HAVE_IFLABEL
mac_init_ifnet_label(&ifp->if_label);
+#endif
}
int
@@ -943,7 +945,7 @@
}
#endif
#else
-#ifdef NO_MBUF
+#ifdef HAVE_MBUFLABEL
mac_init_label(&m->m_pkthdr.label);
MAC_CHECK(init_mbuf_label, &m->m_pkthdr.label, flag);
if (error) {
@@ -952,7 +954,7 @@
} else {
MAC_DEBUG_COUNTER_INC(&nmacmbufs);
}
-#endif /* NO_MBUF */
+#endif /* HAVE_MBUFLABEL */
#endif
return (error);
}
@@ -1114,7 +1116,9 @@
mac_destroy_ifnet(struct ifnet *ifp)
{
+#ifdef HAVE_IFLABEL
mac_destroy_ifnet_label(&ifp->if_label);
+#endif
}
void
@@ -1130,10 +1134,10 @@
mac_destroy_mbuf(struct mbuf *m)
{
-#ifdef NO_MBUF
+#ifdef HAVE_MBUFLABEL
MAC_PERFORM(destroy_mbuf_label, &m->m_pkthdr.label);
mac_destroy_label(&m->m_pkthdr.label);
-#endif /* NO_MBUF */
+#endif /* HAVE_MBUFLABEL */
MAC_DEBUG_COUNTER_DEC(&nmacmbufs);
}
@@ -1221,9 +1225,9 @@
mac_copy_mbuf(struct mbuf *src, struct mbuf *dst)
{
-#ifdef NO_MBUF
+#ifdef HAVE_MBUFLABEL
MAC_PERFORM(copy_mbuf_label, &src->m_pkthdr.label, &dst->m_pkthdr.label);
-#endif /* NO_MBUF */
+#endif /* HAVE_MBUFLABEL */
}
#if 0
@@ -1380,7 +1384,7 @@
mac_create_proc0(struct ucred *cred)
{
- MAC_PERFORM(create_proc0, cred);
+/* MAC_PERFORM(create_proc0, cred); */
}
/*
@@ -2269,7 +2273,9 @@
mac_create_ifnet(struct ifnet *ifnet)
{
+#ifdef HAVE_IFLABEL
MAC_PERFORM(create_ifnet, ifnet, &ifnet->if_label);
+#endif
}
void
@@ -2404,8 +2410,10 @@
label = mbuf_to_label(mbuf);
+#ifdef HAVE_IFLABEL
MAC_PERFORM(create_mbuf_linklayer, ifnet, &ifnet->if_label, mbuf,
label);
+#endif
}
void
@@ -2415,8 +2423,10 @@
label = mbuf_to_label(mbuf);
+#ifdef HAVE_IFLABEL
MAC_PERFORM(create_mbuf_from_ifnet, ifnet, &ifnet->if_label, mbuf,
label);
+#endif
}
void
@@ -2428,8 +2438,10 @@
oldmbuflabel = mbuf_to_label(oldmbuf);
newmbuflabel = mbuf_to_label(newmbuf);
+#ifdef HAVE_IFLABEL
MAC_PERFORM(create_mbuf_multicast_encap, oldmbuf, oldmbuflabel,
ifnet, &ifnet->if_label, newmbuf, newmbuflabel);
+#endif
}
void
@@ -2496,6 +2508,7 @@
label = mbuf_to_label(m);
+#ifdef HAVE_IFLABEL
if (m->m_pkthdr.rcvif != NULL)
ifnetlabel = &m->m_pkthdr.rcvif->if_label;
else
@@ -2503,6 +2516,7 @@
MAC_CHECK(update_mbuf_from_cipso, m, label, m->m_pkthdr.rcvif,
ifnetlabel, cp, code);
+#endif
return (error);
}
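Review bot: When `HAVE_IFLABEL` is undefined, `MAC_CHECK(update_mbuf_from_cipso, …)` is compiled out but `return (error)` remains; if `error` is assigned only by the `MAC_CHECK` expansion (as in FreeBSD's definition of that macro) and its declaration outside the hunk carries no initializer, the function returns an indeterminate value, so this access check may spuriously deny or permit. The `check_bpfdesc_receive` and `check_ifnet_transmit` hunks below have the same shape. Make the no-label result explicit after each gated `MAC_CHECK`, e.g. `#else` / `error = 0;` / `#endif`, or an explicit `return (0)` mirroring the `!mac_enforce_network` early return, whichever result the build intends when interfaces carry no label. In the `create_mbuf_linklayer`, `create_mbuf_from_ifnet` and `create_mbuf_multicast_encap` hunks the `label = mbuf_to_label(…)` assignments are left outside the gate and become unused without `HAVE_IFLABEL`.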
@@ -2542,8 +2556,10 @@
if (!mac_enforce_network)
return (0);
+#ifdef HAVE_IFLABEL
MAC_CHECK(check_bpfdesc_receive, bpf_d, &bpf_d->bd_label, ifnet,
&ifnet->if_label);
+#endif
return (error);
}
@@ -2584,8 +2600,10 @@
label = mbuf_to_label(mbuf);
+#ifdef HAVE_IFLABEL
MAC_CHECK(check_ifnet_transmit, ifnet, &ifnet->if_label, mbuf,
label);
+#endif
return (error);
}
@@ -3092,6 +3110,7 @@
if (error)
return (error);
+#ifdef HAVE_IFLABEL
MALLOC(elements, char *, mac.m_buflen, M_MACTEMP, M_WAITOK);
error = copyinstr(mac.m_string, elements, mac.m_buflen, NULL);
if (error) {
@@ -3107,6 +3126,7 @@
FREE(buffer, M_MACTEMP);
FREE(elements, M_MACTEMP);
+#endif
return (error);
}
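Review bot: With `HAVE_IFLABEL` undefined, everything after the initial `if (error) return (error);` is compiled out and the function falls through to `return (error)` with the zero from that check, so the caller is told its request succeeded although its buffer was never written; the relabel hunk below (`check_ifnet_relabel` / `relabel_ifnet`) likewise reaches `return (0)` without relabeling anything. A silently successful get or set of an interface label is worse than a refusal, because an administrator cannot tell that the build has no interface labels at all. Report it instead: here `#else` / `error = EOPNOTSUPP;` / `#endif`, and in the relabel hunk `#else` / `mac_destroy_ifnet_label(&intlabel); return (EOPNOTSUPP);` / `#endif` so the internalized label is still released. Both enclosing functions start before their hunks.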
@@ -3157,6 +3177,7 @@
return (error);
}
+#ifdef HAVE_IFLABEL
MAC_CHECK(check_ifnet_relabel, cred, ifnet, &ifnet->if_label,
&intlabel);
if (error) {
@@ -3165,6 +3186,7 @@
}
MAC_PERFORM(relabel_ifnet, cred, ifnet, &ifnet->if_label, &intlabel);
+#endif
mac_destroy_ifnet_label(&intlabel);
return (0);
==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/kern_prot.c#3 (text+ko) ====
==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/kern_resource.c#2 (text+ko) ====
@@ -211,12 +211,19 @@
register struct proc *curp, *chgp;
register int n;
{
+ int error;
register struct pcred *pcred = curp->p_cred;
if (pcred->pc_ucred->cr_uid && pcred->p_ruid &&
pcred->pc_ucred->cr_uid != chgp->p_ucred->cr_uid &&
pcred->p_ruid != chgp->p_ucred->cr_uid)
return (EPERM);
+
+#ifdef MAC
+ if ((error = mac_check_proc_sched(pcred->pc_ucred, chgp)))
+ return (error);
+#endif
+
if (n > PRIO_MAX)
n = PRIO_MAX;
if (n < PRIO_MIN)
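Review bot: `int error;` is declared outside the `#ifdef MAC` block that is its only user, so non-MAC builds get an unused-variable warning in this function. Declaring it inside the block, `#ifdef MAC` / `int error;` / `if ((error = mac_check_proc_sched(pcred->pc_ucred, chgp))) return (error);`, keeps the non-MAC build clean; the same applies to the `int error;` added in the kern_sig.c hunk. The check's placement after the uid test is fine for a function that returns errno values. The enclosing function continues past this hunk.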
==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/kern_sig.c#2 (text+ko) ====
@@ -198,6 +198,13 @@
struct proc *q;
int signum;
{
+ int error;
+
+#ifdef MAC
+ if ((error = mac_check_proc_signal(pc->pc_ucred, q, signum)))
+ return (error);
+#endif
+
/* you can signal yourself */
if (p == q)
return(1);
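Review bot: `return (error)` inverts the result of this function: it answers `1` for permitted (`return(1)` on `p == q` just below) and `0` for denied, so a non-zero errno from `mac_check_proc_signal` is reported to the caller as permission to send the signal. Deny explicitly, `if (mac_check_proc_signal(pc->pc_ucred, q, signum) != 0) return (0);`, which also lets the `int error;` go. Whether the policy check should run before or after the "you can signal yourself" shortcut is a choice the hunk does not explain; FreeBSD's p_cansignal exempts self-signals first, so a one-line comment stating the intended order would help. The function's signature precedes the hunk.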
==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/net/if_var.h#3 (text+ko) ====
@@ -287,7 +287,9 @@
#else
struct ifprefixhead if_prefixhead; /* list of prefixes per if */
#endif /* __APPLE__ */
- struct label if_label; /* interface MAC label */
+#ifdef HAVE_IFLABEL
+ struct label if_label; /* interface MAC label */
+#endif
};
typedef void if_init_f_t __P((void *));