PERFORCE change 65722 for review
Andrew Reisse
areisse at FreeBSD.org
Tue Nov 23 18:25:55 GMT 2004
http://perforce.freebsd.org/chv.cgi?CH=65722
Change 65722 by areisse at areisse_tislabs on 2004/11/23 18:25:04
Changes required to get the kernel to build after merging new
selinux pieces. The sebsd module should still not be used, as the
old and new policy formats are incompatible and the policy tools
have not been updated yet.
Affected files ...
.. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/avc/avc.c#7 edit
.. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/avc/avc.h#7 edit
.. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/ss/avtab.c#6 edit
.. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/ss/avtab.h#6 edit
.. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/ss/conditional.c#2 edit
.. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/ss/conditional.h#2 edit
.. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/ss/policydb.c#5 edit
.. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/ss/policydb.h#6 edit
.. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/ss/security.h#7 edit
.. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/ss/services.c#8 edit
.. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/ss/services.h#5 edit
Differences ...
==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/avc/avc.c#7 (text+ko) ====
@@ -89,6 +89,24 @@
return (ssid ^ (tsid<<2) ^ (tclass<<4)) & (AVC_CACHE_SLOTS - 1);
}
+#ifdef AVC_CACHE_STATS
+static inline void avc_cache_stats_incr(int type)
+{
+ avc_cache_stats[type]++;
+}
+
+static inline void avc_cache_stats_add(int type, unsigned val)
+{
+ avc_cache_stats[type] += val;
+}
+#else
+static inline void avc_cache_stats_incr(int type)
+{ }
+
+static inline void avc_cache_stats_add(int type, unsigned val)
+{ }
+#endif
+
/**
* avc_dump_av - Display an access vector in human-readable form.
* @tclass: target security class
@@ -583,9 +601,6 @@
} else {
printf(" fs/inode info not available");
}
- inode = a->u.fs.dentry->d_inode;
- } else if (a->u.fs.inode) {
- inode = a->u.fs.inode;
}
break;
case AVC_AUDIT_DATA_NET:
@@ -1022,6 +1037,7 @@
return rc;
}
+/*
static int __init avc_log_level_setup(char *str)
{
avc_log_level = simple_strtol(str, NULL, 0);
@@ -1032,3 +1048,4 @@
__setup("avc_log_level=", avc_log_level_setup);
+*/
==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/avc/avc.h#7 (text+ko) ====
@@ -15,6 +15,7 @@
#endif /* _KERNEL */
#include <sys/capability.h>
+#include <netinet/in.h>
#include <security/sebsd/flask.h>
#include <security/sebsd/sebsd.h>
==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/ss/avtab.c#6 (text+ko) ====
@@ -14,14 +14,6 @@
* the Free Software Foundation, version 2.
*/
-#include <linux/kernel.h>
-#include <linux/slab.h>
-#include <linux/vmalloc.h>
-#include <linux/errno.h>
-
-#include "avtab.h"
-#include "policydb.h"
-
#ifdef _KERNEL
#include <sys/param.h>
#include <sys/conf.h>
@@ -40,14 +32,12 @@
(keyp->source_type << 9)) & \
AVTAB_HASH_MASK)
-static kmem_cache_t *avtab_node_cachep;
-
static struct avtab_node*
avtab_insert_node(struct avtab *h, int hvalue, struct avtab_node * prev, struct avtab_node * cur,
struct avtab_key *key, struct avtab_datum *datum)
{
struct avtab_node * newnode;
- newnode = kmem_cache_alloc(avtab_node_cachep, SLAB_KERNEL);
+ newnode = kmalloc(sizeof(*newnode), GFP_KERNEL);
if (newnode == NULL)
return NULL;
memset(newnode, 0, sizeof(struct avtab_node));
@@ -95,7 +85,7 @@
newnode = avtab_insert_node(h, hvalue, prev, cur, key, datum);
if(!newnode)
- return -ENOMEM;
+ return ENOMEM;
return 0;
}
@@ -244,7 +234,7 @@
}
h->htable[i] = NULL;
}
- vfree(h->htable);
+ kfree(h->htable);
h->htable = NULL;
}
@@ -315,19 +305,19 @@
int avtab_read_item(void *fp, struct avtab_datum *avdatum, struct avtab_key *avkey)
{
- __u32 *buf;
- __u32 items, items2;
+ u32 *buf;
+ u32 items, items2;
memset(avkey, 0, sizeof(struct avtab_key));
memset(avdatum, 0, sizeof(struct avtab_datum));
- buf = next_entry(fp, sizeof(__u32));
+ buf = next_entry(fp, sizeof(u32));
if (!buf) {
printk(KERN_ERR "security: avtab: truncated entry\n");
goto bad;
}
items2 = le32_to_cpu(buf[0]);
- buf = next_entry(fp, sizeof(__u32)*items2);
+ buf = next_entry(fp, sizeof(u32)*items2);
if (!buf) {
printk(KERN_ERR "security: avtab: truncated entry\n");
goto bad;
@@ -347,12 +337,22 @@
goto bad;
}
if (avdatum->specified & AVTAB_AV) {
- if (avdatum->specified & AVTAB_ALLOWED)
- avtab_allowed(avdatum) = le32_to_cpu(buf[items++]);
- if (avdatum->specified & AVTAB_AUDITDENY)
- avtab_auditdeny(avdatum) = le32_to_cpu(buf[items++]);
- if (avdatum->specified & AVTAB_AUDITALLOW)
- avtab_auditallow(avdatum) = le32_to_cpu(buf[items++]);
+
+ if (avdatum->specified & AVTAB_ALLOWED) {
+ u32 b1 = le32_to_cpu (buf[items++]);
+ u32 b2 = le32_to_cpu (buf[items++]);
+ avtab_allowed(avdatum) = (((u64) b1) << 32) | b2;
+ }
+ if (avdatum->specified & AVTAB_AUDITDENY) {
+ u32 b1 = le32_to_cpu (buf[items++]);
+ u32 b2 = le32_to_cpu (buf[items++]);
+ avtab_auditdeny(avdatum) = (((u64) b1) << 32) | b2;
+ }
+ if (avdatum->specified & AVTAB_AUDITALLOW) {
+ u32 b1 = le32_to_cpu (buf[items++]);
+ u32 b2 = le32_to_cpu (buf[items++]);
+ avtab_auditallow(avdatum) = (((u64) b1) << 32) | b2;
+ }
} else {
if (avdatum->specified & AVTAB_TRANSITION)
avtab_transition(avdatum) = le32_to_cpu(buf[items++]);
@@ -394,39 +394,6 @@
for (i = 0; i < nel; i++) {
if (avtab_read_item(fp, &avdatum, &avkey))
goto bad;
- }
- if (avdatum.specified & AVTAB_AV) {
- if (avdatum.specified & AVTAB_ALLOWED)
- {
- u32 b1 = le32_to_cpu (buf[items++]);
- u32 b2 = le32_to_cpu (buf[items++]);
- avtab_allowed(&avdatum) = (((u64) b1) << 32) | b2;
- }
- if (avdatum.specified & AVTAB_AUDITDENY)
- {
- u32 b1 = le32_to_cpu (buf[items++]);
- u32 b2 = le32_to_cpu (buf[items++]);
- avtab_auditdeny(&avdatum) = (((u64) b1) << 32) | b2;
- }
- if (avdatum.specified & AVTAB_AUDITALLOW)
- {
- u32 b1 = le32_to_cpu (buf[items++]);
- u32 b2 = le32_to_cpu (buf[items++]);
- avtab_auditallow(&avdatum) = (((u64) b1) << 32) | b2;
- }
- } else {
- if (avdatum.specified & AVTAB_TRANSITION)
- avtab_transition(&avdatum) = le32_to_cpu(buf[items++]);
- if (avdatum.specified & AVTAB_CHANGE)
- avtab_change(&avdatum) = le32_to_cpu(buf[items++]);
- if (avdatum.specified & AVTAB_MEMBER)
- avtab_member(&avdatum) = le32_to_cpu(buf[items++]);
- }
- if (items != items2) {
- printk(KERN_ERR "security: avtab: entry only had %d "
- "items, expected %d\n", items2, items);
- goto bad;
- }
rc = avtab_insert(a, &avkey, &avdatum);
if (rc) {
if (rc == ENOMEM)
==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/ss/avtab.h#6 (text+ko) ====
@@ -38,6 +38,7 @@
#define AVTAB_MEMBER 32
#define AVTAB_CHANGE 64
#define AVTAB_TYPE (AVTAB_TRANSITION | AVTAB_MEMBER | AVTAB_CHANGE)
+#define AVTAB_ENABLED 0x80000000 /* reserved for used in cond_avtab */
u32 specified; /* what fields are specified */
access_vector_t data[3]; /* access vectors or types */
#define avtab_allowed(x) (x)->data[0]
==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/ss/conditional.c#2 (text+ko) ====
@@ -7,15 +7,16 @@
* the Free Software Foundation, version 2.
*/
-#include <linux/kernel.h>
-#include <linux/errno.h>
-#include <linux/string.h>
-#include <linux/spinlock.h>
-#include <asm/semaphore.h>
-#include <linux/slab.h>
+#if defined(__FreeBSD__) && defined(_KERNEL)
+#include <sys/param.h>
+#include <sys/conf.h>
+#include <sys/kernel.h>
+#include <sys/systm.h>
+#endif /* FreeBSD _KERNEL */
-#include "security.h"
-#include "conditional.h"
+#include <security/sebsd/linux-compat.h>
+#include <security/sebsd/ss/security.h>
+#include <security/sebsd/ss/conditional.h>
/*
* cond_evaluate_expr evaluates a conditional expr
==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/ss/conditional.h#2 (text+ko) ====
@@ -10,9 +10,10 @@
#ifndef _CONDITIONAL_H_
#define _CONDITIONAL_H_
-#include "avtab.h"
-#include "symtab.h"
-#include "policydb.h"
+#include <security/sebsd/ss/avtab.h>
+#include <security/sebsd/ss/symtab.h>
+#include <security/sebsd/ss/sidtab.h>
+#include <security/sebsd/ss/policydb.h>
#define COND_EXPR_MAXDEPTH 10
@@ -29,8 +30,8 @@
#define COND_EQ 6 /* bool == bool */
#define COND_NEQ 7 /* bool != bool */
#define COND_LAST 8
- __u32 expr_type;
- __u32 bool;
+ u32 expr_type;
+ u32 bool;
struct cond_expr *next;
};
==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/ss/policydb.c#5 (text+ko) ====
@@ -14,16 +14,6 @@
* the Free Software Foundation, version 2.
*/
-#include <linux/kernel.h>
-#include <linux/slab.h>
-#include <linux/string.h>
-#include <linux/errno.h>
-#include "security.h"
-
-#include "policydb.h"
-#include "conditional.h"
-#include "mls.h"
-
#if defined(__FreeBSD__) && defined(_KERNEL)
#include <sys/param.h>
#include <sys/conf.h>
@@ -37,6 +27,7 @@
#include <security/sebsd/ss/services.h>
#include <security/sebsd/ss/security.h>
#include <security/sebsd/ss/mls.h>
+#include <security/sebsd/ss/conditional.h>
#define _DEBUG_HASHES
@@ -204,7 +195,7 @@
comdatum = datum;
p = datap;
if (!comdatum->value || comdatum->value > p->p_commons.nprim)
- return -EINVAL;
+ return EINVAL;
p->p_common_val_to_name[comdatum->value - 1] = key;
return 0;
}
@@ -217,7 +208,7 @@
cladatum = datum;
p = datap;
if (!cladatum->value || cladatum->value > p->p_classes.nprim)
- return -EINVAL;
+ return EINVAL;
p->p_class_val_to_name[cladatum->value - 1] = key;
p->class_val_to_struct[cladatum->value - 1] = cladatum;
return 0;
@@ -231,7 +222,7 @@
role = datum;
p = datap;
if (!role->value || role->value > p->p_roles.nprim)
- return -EINVAL;
+ return EINVAL;
p->p_role_val_to_name[role->value - 1] = key;
p->role_val_to_struct[role->value - 1] = role;
return 0;
@@ -247,7 +238,7 @@
if (typdatum->primary) {
if (!typdatum->value || typdatum->value > p->p_types.nprim)
- return -EINVAL;
+ return EINVAL;
p->p_type_val_to_name[typdatum->value - 1] = key;
}
@@ -262,7 +253,7 @@
usrdatum = datum;
p = datap;
if (!usrdatum->value || usrdatum->value > p->p_users.nprim)
- return -EINVAL;
+ return EINVAL;
p->p_user_val_to_name[usrdatum->value - 1] = key;
p->user_val_to_struct[usrdatum->value - 1] = usrdatum;
return 0;
@@ -373,12 +364,11 @@
GFP_KERNEL);
if (!p->user_val_to_struct) {
rc = ENOMEM;
- rc = -ENOMEM;
goto out;
}
if (cond_init_bool_indexes(p)) {
- rc = -ENOMEM;
+ rc = ENOMEM;
goto out;
}
@@ -1477,14 +1467,14 @@
goto bad;
newgenfs = kmalloc(sizeof(*newgenfs), GFP_KERNEL);
if (!newgenfs) {
- rc = -ENOMEM;
+ rc = ENOMEM;
goto bad;
}
memset(newgenfs, 0, sizeof(*newgenfs));
newgenfs->fstype = kmalloc(len + 1,GFP_KERNEL);
if (!newgenfs->fstype) {
- rc = -ENOMEM;
+ rc = ENOMEM;
kfree(newgenfs);
goto bad;
}
@@ -1522,14 +1512,14 @@
newc = kmalloc(sizeof(*newc), GFP_KERNEL);
if (!newc) {
- rc = -ENOMEM;
+ rc = ENOMEM;
goto bad;
}
memset(newc, 0, sizeof(*newc));
newc->u.name = kmalloc(len + 1,GFP_KERNEL);
if (!newc->u.name) {
- rc = -ENOMEM;
+ rc = ENOMEM;
goto bad_newc;
}
memcpy(newc->u.name, buf, len);
==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/ss/policydb.h#6 (text+ko) ====
@@ -119,7 +119,7 @@
/* Boolean data type */
struct cond_bool_datum {
- __u32 value; /* internal type value */
+ u32 value; /* internal type value */
int state;
};
==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/ss/security.h#7 (text+ko) ====
@@ -77,7 +77,6 @@
int security_node_sid(u16 domain, void *addr, u32 addrlen,
security_id_t *out_sid);
- u32 *out_sid);
#define SECURITY_FS_USE_XATTR 1 /* use xattr */
#define SECURITY_FS_USE_TRANS 2 /* use transition SIDs, e.g. devpts/tmpfs */
==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/ss/services.c#8 (text+ko) ====
@@ -26,6 +26,8 @@
#include <security/sebsd/ss/services.h>
#include <security/sebsd/ss/security.h>
#include <security/sebsd/ss/mls.h>
+#include <security/sebsd/ss/conditional.h>
+#include <security/sebsd/ss/avtab.h>
#include <security/sebsd/avc/avc.h>
#include <security/sebsd/avc/avc_ss.h>
#include <sys/socket.h>
@@ -540,7 +542,7 @@
goto out_unlock;
if ((p - scontext2) < scontext_len) {
- rc = -EINVAL;
+ rc = EINVAL;
goto out_unlock;
}
@@ -955,7 +957,7 @@
if (rc)
goto out;
- rc = -EINVAL;
+ rc = EINVAL;
/* Convert the user. */
usrdatum = hashtab_search(args->newp->p_users.table,
@@ -1231,7 +1233,7 @@
u32 addr;
if (addrlen != sizeof(u32)) {
- rc = -EINVAL;
+ rc = EINVAL;
goto out;
}
@@ -1248,7 +1250,7 @@
case AF_INET6:
if (addrlen != sizeof(u64) * 2) {
- rc = -EINVAL;
+ rc = EINVAL;
goto out;
}
c = policydb.ocontexts[OCON_NODE6];
@@ -1503,7 +1505,7 @@
int security_get_bools(int *len, char ***names, int **values)
{
- int i, rc = -ENOMEM;
+ int i, rc = ENOMEM;
POLICY_RDLOCK;
*names = NULL;
@@ -1560,7 +1562,7 @@
lenp = policydb.p_bools.nprim;
if (len != lenp) {
- rc = -EFAULT;
+ rc = EFAULT;
goto out;
}
@@ -1590,7 +1592,7 @@
POLICY_WRUNLOCK;
if (!rc) {
avc_ss_reset(seqno);
- selnl_notify_policyload(seqno);
+ /*selnl_notify_policyload(seqno);*/
}
return rc;
}
@@ -1604,7 +1606,7 @@
len = policydb.p_bools.nprim;
if (bool >= len) {
- rc = -EFAULT;
+ rc = EFAULT;
goto out;
}
==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/ss/services.h#5 (text+ko) ====
To Unsubscribe: send mail to majordomo at trustedbsd.org
with "unsubscribe trustedbsd-cvs" in the body of the message
More information about the trustedbsd-cvs
mailing list