PERFORCE change 79906 for review
Robert Watson
rwatson at FreeBSD.org
Sun Jul 10 11:05:29 GMT 2005
http://perforce.freebsd.org/chv.cgi?CH=79906
Change 79906 by rwatson at rwatson_zoo on 2005/07/10 11:04:52
Integrate trustedbsd_sebsd branch:
- mac_syscall_enter() for non-i386.
- MAC_SUIDACL added to NOTES and kernel compile
- mac_chkexec strsep() simplification and SMP VFS support
Affected files ...
.. //depot/projects/trustedbsd/sebsd/sys/alpha/alpha/trap.c#9 integrate
.. //depot/projects/trustedbsd/sebsd/sys/amd64/amd64/trap.c#11 integrate
.. //depot/projects/trustedbsd/sebsd/sys/arm/arm/trap.c#3 integrate
.. //depot/projects/trustedbsd/sebsd/sys/conf/NOTES#13 integrate
.. //depot/projects/trustedbsd/sebsd/sys/conf/options#15 integrate
.. //depot/projects/trustedbsd/sebsd/sys/ia64/ia32/ia32_trap.c#3 integrate
.. //depot/projects/trustedbsd/sebsd/sys/ia64/ia64/trap.c#13 integrate
.. //depot/projects/trustedbsd/sebsd/sys/powerpc/powerpc/trap.c#7 integrate
.. //depot/projects/trustedbsd/sebsd/sys/security/mac_chkexec/mac_chkexec.c#3 integrate
.. //depot/projects/trustedbsd/sebsd/sys/security/mac_portacl/mac_portacl.c#10 integrate
.. //depot/projects/trustedbsd/sebsd/sys/sparc64/sparc64/trap.c#10 integrate
.. //depot/projects/trustedbsd/sebsd/usr.sbin/getfhash/getfhash.c#2 integrate
.. //depot/projects/trustedbsd/sebsd/usr.sbin/getfhash/setfhash.8#3 integrate
Differences ...
==== //depot/projects/trustedbsd/sebsd/sys/alpha/alpha/trap.c#9 (text+ko) ====
@@ -32,6 +32,7 @@
/* #include "opt_fix_unaligned_vax_fp.h" */
#include "opt_ddb.h"
#include "opt_ktrace.h"
+#include "opt_mac.h"
#include <sys/param.h>
#include <sys/systm.h>
@@ -42,6 +43,7 @@
#include <sys/proc.h>
#include <sys/exec.h>
#include <sys/lock.h>
+#include <sys/mac.h>
#include <sys/mutex.h>
#include <sys/smp.h>
#include <sys/vmmeter.h>
@@ -687,10 +689,9 @@
if (p->p_sysent->sv_mask)
code &= p->p_sysent->sv_mask;
- if (code >= p->p_sysent->sv_size)
- callp = &p->p_sysent->sv_table[0];
- else
- callp = &p->p_sysent->sv_table[code];
+ if (code >= p->p_sysent->sv_size)
+ code = 0;
+ callp = &p->p_sysent->sv_table[code];
nargs = (callp->sy_narg & SYF_ARGMASK) + hidden;
switch (nargs) {
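Review bot: Overwriting `code` with 0 for an out-of-range number means everything after this point sees system call 0 instead of the number the process passed, including the `mac_syscall_enter(td, args + hidden, code)` call added further down in this file. A policy or trace consumer can then no longer tell a bad system call number from a genuine call to entry 0. A comment would make the intent explicit, e.g. `/* Out-of-range numbers are remapped to entry 0; the MAC hooks see the remapped value. */`. The same rewrite appears in the amd64, arm, ia64/ia32, ia64, powerpc and sparc64 trap.c hunks; the enclosing function starts and ends outside the hunk.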
@@ -734,7 +735,14 @@
PTRACESTOP_SC(p, td, S_PT_SCE);
+#ifdef MAC
+ error = mac_syscall_enter(td, args + hidden, code);
+ if (error == 0)
+ error = (*callp->sy_call)(td, args + hidden);
+ mac_syscall_exit(td, args + hidden, code, error);
+#else
error = (*callp->sy_call)(td, args + hidden);
+#endif
}
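Review bot: `mac_syscall_exit()` is called even when `mac_syscall_enter()` refused the call, so the exit hook receives the policy's own error and cannot tell a denial from a failure of the system call itself. The policy's return value also lands in the same `error` that carries the handler's result. If the code after the hunk treats values such as ERESTART or EJUSTRETURN specially (the ia64 hunk tests EJUSTRETURN), a policy returning one of them would presumably be handled as a control code rather than a denial. Neither contract is stated; a comment above the block such as `/* mac_syscall_exit() also runs on denial; policies must return a plain errno. */` would document it. The same block is added in the arm, ia64/ia32, powerpc and sparc64 hunks, and inside the Giant section on amd64 and ia64.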
==== //depot/projects/trustedbsd/sebsd/sys/amd64/amd64/trap.c#11 (text+ko) ====
@@ -48,6 +48,7 @@
#include "opt_cpu.h"
#include "opt_isa.h"
#include "opt_ktrace.h"
+#include "opt_mac.h"
#include <sys/param.h>
#include <sys/bus.h>
@@ -59,6 +60,7 @@
#include <sys/kernel.h>
#include <sys/ktr.h>
#include <sys/lock.h>
+#include <sys/mac.h>
#include <sys/mutex.h>
#include <sys/resourcevar.h>
#include <sys/signalvar.h>
@@ -740,10 +742,9 @@
if (p->p_sysent->sv_mask)
code &= p->p_sysent->sv_mask;
- if (code >= p->p_sysent->sv_size)
- callp = &p->p_sysent->sv_table[0];
- else
- callp = &p->p_sysent->sv_table[code];
+ if (code >= p->p_sysent->sv_size)
+ code = 0;
+ callp = &p->p_sysent->sv_table[code];
narg = callp->sy_narg & SYF_ARGMASK;
@@ -779,12 +780,18 @@
PTRACESTOP_SC(p, td, S_PT_SCE);
- if ((callp->sy_narg & SYF_MPSAFE) == 0) {
+ if ((callp->sy_narg & SYF_MPSAFE) == 0)
mtx_lock(&Giant);
+#ifdef MAC
+ error = mac_syscall_enter(td, argp, code);
+ if (error == 0)
error = (*callp->sy_call)(td, argp);
+ mac_syscall_exit(td, argp, code, error);
+#else
+ error = (*callp->sy_call)(td, argp);
+#endif
+ if ((callp->sy_narg & SYF_MPSAFE) == 0)
mtx_unlock(&Giant);
- } else
- error = (*callp->sy_call)(td, argp);
}
switch (error) {
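Review bot: Taking and dropping Giant now depends on two separate evaluations of `(callp->sy_narg & SYF_MPSAFE) == 0`, where the old code tested once and kept lock, call and unlock in one braced block. Evaluating it once keeps the pair tied together: `int need_giant = (callp->sy_narg & SYF_MPSAFE) == 0;`, then `if (need_giant) mtx_lock(&Giant);` and `if (need_giant) mtx_unlock(&Giant);`, with the declaration placed among the function's locals outside the hunk. As written, `mac_syscall_enter()` and `mac_syscall_exit()` also run with Giant held for non-MPSAFE system calls and without it otherwise, which deserves a comment for policy authors. The ia64 trap.c hunk has the same shape.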
==== //depot/projects/trustedbsd/sebsd/sys/arm/arm/trap.c#3 (text+ko) ====
@@ -80,6 +80,7 @@
#include "opt_ktrace.h"
+#include "opt_mac.h"
#include <sys/cdefs.h>
__FBSDID("$FreeBSD: src/sys/arm/arm/trap.c,v 1.15 2005/05/25 13:46:32 cognet Exp $");
@@ -91,6 +92,7 @@
#include <sys/proc.h>
#include <sys/kernel.h>
#include <sys/lock.h>
+#include <sys/mac.h>
#include <sys/mutex.h>
#include <sys/syscall.h>
#include <sys/sysent.h>
@@ -894,9 +896,8 @@
if (p->p_sysent->sv_mask)
code &= p->p_sysent->sv_mask;
if (code >= p->p_sysent->sv_size)
- callp = &p->p_sysent->sv_table[0];
- else
- callp = &p->p_sysent->sv_table[code];
+ code = 0;
+ callp = &p->p_sysent->sv_table[code];
nargs = callp->sy_narg & SYF_ARGMASK;
memcpy(copyargs, ap, nap * sizeof(register_t));
if (nargs > nap) {
@@ -922,7 +923,14 @@
td->td_retval[1] = 0;
STOPEVENT(p, S_SCE, (callp->sy_narg & SYF_ARGMASK));
PTRACESTOP_SC(p, td, S_PT_SCE);
+#ifdef MAC
+ error = mac_syscall_enter(td, args, code);
+ if (error == 0)
+ error = (*callp->sy_call)(td, args);
+ mac_syscall_exit(td, args, code, error);
+#else
error = (*callp->sy_call)(td, args);
+#endif
}
switch (error) {
case 0:
==== //depot/projects/trustedbsd/sebsd/sys/conf/NOTES#13 (text+ko) ====
@@ -966,6 +966,7 @@
options MAC
options MAC_BIBA
options MAC_BSDEXTENDED
+options MAC_CHKEXEC
options MAC_DEBUG
options MAC_IFOFF
options MAC_LOMAC
@@ -974,6 +975,7 @@
options MAC_PARTITION
options MAC_PORTACL
options MAC_SEEOTHERUIDS
+options MAC_SUIDACL
options MAC_STUB
options MAC_TEST
==== //depot/projects/trustedbsd/sebsd/sys/conf/options#15 (text+ko) ====
@@ -106,6 +106,7 @@
MAC_PARTITION opt_dontuse.h
MAC_PORTACL opt_dontuse.h
MAC_SEEOTHERUIDS opt_dontuse.h
+MAC_SUIDACL opt_dontuse.h
MAC_STATIC opt_mac.h
MAC_STUB opt_dontuse.h
MAC_TEST opt_dontuse.h
==== //depot/projects/trustedbsd/sebsd/sys/ia64/ia32/ia32_trap.c#3 (text+ko) ====
@@ -27,12 +27,15 @@
#include <sys/cdefs.h>
__FBSDID("$FreeBSD: src/sys/ia64/ia32/ia32_trap.c,v 1.5 2005/04/12 23:18:54 jhb Exp $");
+#include "opt_mac.h"
+
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/ktr.h>
#include <sys/sysproto.h>
#include <sys/kernel.h>
#include <sys/lock.h>
+#include <sys/mac.h>
#include <sys/mutex.h>
#include <sys/pioctl.h>
#include <sys/proc.h>
@@ -92,9 +95,8 @@
code &= p->p_sysent->sv_mask;
if (code >= p->p_sysent->sv_size)
- callp = &p->p_sysent->sv_table[0];
- else
- callp = &p->p_sysent->sv_table[code];
+ code = 0;
+ callp = &p->p_sysent->sv_table[code];
narg = callp->sy_narg & SYF_ARGMASK;
@@ -124,7 +126,14 @@
STOPEVENT(p, S_SCE, narg);
+#ifdef MAC
+ eror = mac_syscall_enter(td, args64, code);
+ if (error == 0)
+ error = (*callp->sy_call)(td, args64);
+ mac_syscall_exit(td, args64, code, error);
+#else
error = (*callp->sy_call)(td, args64);
+#endif
}
switch (error) {
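Review bot: `eror = mac_syscall_enter(td, args64, code);` misspells `error`, so a kernel built with `options MAC` will not compile this file unless an `eror` variable exists outside the hunk, which seems unlikely. The `if (error == 0)` on the next line would then also test a value this block never assigned. The line should read `error = mac_syscall_enter(td, args64, code);`, matching the other trap.c hunks.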
==== //depot/projects/trustedbsd/sebsd/sys/ia64/ia64/trap.c#13 (text+ko) ====
@@ -33,6 +33,7 @@
#include "opt_ddb.h"
#include "opt_ktrace.h"
+#include "opt_mac.h"
#include <sys/param.h>
#include <sys/systm.h>
@@ -43,6 +44,7 @@
#include <sys/proc.h>
#include <sys/exec.h>
#include <sys/lock.h>
+#include <sys/mac.h>
#include <sys/mutex.h>
#include <sys/smp.h>
#include <sys/vmmeter.h>
@@ -928,10 +930,9 @@
if (p->p_sysent->sv_mask)
code &= p->p_sysent->sv_mask;
- if (code >= p->p_sysent->sv_size)
- callp = &p->p_sysent->sv_table[0];
- else
- callp = &p->p_sysent->sv_table[code];
+ if (code >= p->p_sysent->sv_size)
+ code = 0;
+ callp = &p->p_sysent->sv_table[code]
#ifdef KTRACE
if (KTRPOINT(td, KTR_SYSCALL))
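Review bot: The new assignment `callp = &p->p_sysent->sv_table[code]` is missing its terminating semicolon as shown here, so the statement runs into the `#ifdef KTRACE` block that follows and the file will not compile. It should be `callp = &p->p_sysent->sv_table[code];`, as in the other trap.c hunks.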
@@ -949,12 +950,18 @@
/*
* Grab Giant if the syscall is not flagged as MP safe.
*/
- if ((callp->sy_narg & SYF_MPSAFE) == 0) {
+ if ((callp->sy_narg & SYF_MPSAFE) == 0)
mtx_lock(&Giant);
+#ifdef MAC
+ error = mac_syscall_enter(td, args, code);
+ if (error == 0)
error = (*callp->sy_call)(td, args);
+ mac_syscall_exit(td, args, code, error);
+#else
+ error = (*callp->sy_call)(td, args);
+#endif
+ if ((callp->sy_narg & SYF_MPSAFE) == 0)
mtx_unlock(&Giant);
- } else
- error = (*callp->sy_call)(td, args);
if (error != EJUSTRETURN) {
/*
==== //depot/projects/trustedbsd/sebsd/sys/powerpc/powerpc/trap.c#7 (text+ko) ====
@@ -35,12 +35,14 @@
__FBSDID("$FreeBSD: src/sys/powerpc/powerpc/trap.c,v 1.54 2005/04/20 20:52:46 ps Exp $");
#include "opt_ktrace.h"
+#include "opt_mac.h"
#include <sys/param.h>
#include <sys/kdb.h>
#include <sys/proc.h>
#include <sys/ktr.h>
#include <sys/lock.h>
+#include <sys/mac.h>
#include <sys/mutex.h>
#include <sys/pioctl.h>
#include <sys/reboot.h>
@@ -373,10 +375,9 @@
if (p->p_sysent->sv_mask)
code &= p->p_sysent->sv_mask;
- if (code >= p->p_sysent->sv_size)
- callp = &p->p_sysent->sv_table[0];
- else
- callp = &p->p_sysent->sv_table[code];
+ if (code >= p->p_sysent->sv_size)
+ code = 0;
+ callp = &p->p_sysent->sv_table[code];
narg = callp->sy_narg & SYF_ARGMASK;
@@ -410,7 +411,14 @@
STOPEVENT(p, S_SCE, narg);
+#ifdef MAC
+ error = mac_syscall_enter(td, params, code);
+ if (error == 0)
+ error = (*callp->sy_call)(td, params);
+ mac_syscall_exit(td, params, code, error);
+#else
error = (*callp->sy_call)(td, params);
+#endif
CTR3(KTR_SYSC, "syscall: p=%s %s ret=%x", p->p_comm,
syscallnames[code], td->td_retval[0]);
==== //depot/projects/trustedbsd/sebsd/sys/security/mac_chkexec/mac_chkexec.c#3 (text+ko) ====
@@ -505,10 +505,9 @@
static int
mac_chkexec_check_depends(struct vnode *vp, struct ucred *cred)
{
- char *depends, **ap, *paths[10];
- int error, i, npaths;
struct nameidata nd;
- int alen;
+ char *depends, *ap;
+ int alen, error;
size_t ealen;
ASSERT_VOP_LOCKED(vp, "no vlock held");
@@ -525,28 +524,28 @@
depends = malloc(alen + 1, M_CHKEXEC, M_WAITOK | M_ZERO);
error = vn_extattr_get(vp, IO_NODELOCKED, MAC_CHKEXEC_ATTRN,
MAC_CHKEXEC_DEP, &alen, depends, curthread);
- for (npaths = 0, ap = paths;
- (*ap = strsep(&depends, ":")) != NULL; npaths++)
- if (**ap != '\0')
- if (++ap >= &paths[10])
- break;
- for (i = 0; i < npaths; i++) {
- NDINIT(&nd, LOOKUP, LOCKLEAF | FOLLOW,
- UIO_SYSSPACE, paths[i], curthread);
+ if (error) {
+ free(depends, M_CHKEXEC);
+ return (error);
+ }
+ for (; (ap = strsep(&depends, ":")) != NULL && error == 0;) {
+ if (strlen(ap) == 0)
+ continue;
+ mtx_lock(&Giant);
+ NDINIT(&nd, LOOKUP, LOCKLEAF | FOLLOW, UIO_SYSSPACE,
+ ap, curthread);
if ((error = namei(&nd)) != 0) {
free(depends, M_CHKEXEC);
+ mtx_unlock(&Giant);
return (error);
}
error = mac_chkexec_check(nd.ni_vp, cred);
NDFREE(&nd, NDF_ONLY_PNBUF);
vput(nd.ni_vp);
- if (error) {
- free(depends, M_CHKEXEC);
- return (error);
- }
+ mtx_unlock(&Giant);
}
free(depends, M_CHKEXEC);
- return (0);
+ return (error);
}
static int
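Review bot: `strsep(&depends, ":")` advances `depends` itself, so every `free(depends, M_CHKEXEC)` reached after the loop has started is given the wrong pointer. On the `namei()` failure path, or when the loop stops because `mac_chkexec_check()` failed, it is either a pointer into the middle of the allocation or NULL; once the list is exhausted it is NULL and the buffer is leaked. The removed code had the same pattern, so this is inherited rather than introduced, but the rewrite is the natural place to fix it. Leave the malloc result untouched and walk a second pointer: `cursor = depends;` after the attribute read, then `strsep(&cursor, ":")` in the loop condition. With the ten-entry cap gone, the number of lookups is bounded only by the attribute length, which may deserve a comment. The function's opening lines are in the preceding hunk.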
@@ -840,15 +839,18 @@
CTR0(KTR_MAC, "mac_chkexec_check: invalid checksum algorithm");
return (EPERM);
}
- NDINIT(&nd, LOOKUP, LOCKLEAF | FOLLOW,
- UIO_USERSPACE, arg, td);
- if ((error = namei(&nd)) != 0)
+ /* XXX MPSAFE VFS */
+ mtx_lock(&Giant);
+ NDINIT(&nd, LOOKUP, LOCKLEAF | FOLLOW, UIO_USERSPACE, arg, td);
+ if ((error = namei(&nd)) != 0) {
+ mtx_unlock(&Giant);
return (error);
- error = ha->crypto_hash(nd.ni_vp,
- curthread->td_ucred, digest);
+ }
+ error = ha->crypto_hash(nd.ni_vp, td->td_ucred, digest);
if (error) {
NDFREE(&nd, NDF_ONLY_PNBUF);
vput(nd.ni_vp);
+ mtx_unlock(&Giant);
return (error);
}
bzero(&vcsum, sizeof(vcsum));
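Review bot: Giant now has to be released on every return after `mtx_lock(&Giant)`, and the `NDFREE()` / `vput()` / `mtx_unlock()` sequence is written out twice. It appears here in the `crypto_hash` failure branch and again in the next hunk before the final `return (error)`. A single exit label would keep the three steps together, so that an early return added later cannot leave Giant held or the vnode locked. The failure branch would become `if (error) goto out;`, with the `out:` label placed in front of the existing cleanup at the end of the function. The function begins and ends outside this hunk.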
@@ -857,6 +859,7 @@
error = mac_chkexec_set_vcsum(nd.ni_vp, &vcsum);
NDFREE(&nd, NDF_ONLY_PNBUF);
vput(nd.ni_vp);
+ mtx_unlock(&Giant);
return (error);
}
==== //depot/projects/trustedbsd/sebsd/sys/security/mac_portacl/mac_portacl.c#10 (text+ko) ====
==== //depot/projects/trustedbsd/sebsd/sys/sparc64/sparc64/trap.c#10 (text+ko) ====
@@ -43,6 +43,7 @@
#include "opt_ddb.h"
#include "opt_ktr.h"
#include "opt_ktrace.h"
+#include "opt_mac.h"
#include <sys/param.h>
#include <sys/kdb.h>
@@ -51,6 +52,7 @@
#include <sys/interrupt.h>
#include <sys/ktr.h>
#include <sys/lock.h>
+#include <sys/mac.h>
#include <sys/mutex.h>
#include <sys/systm.h>
#include <sys/pioctl.h>
@@ -547,10 +549,9 @@
if (p->p_sysent->sv_mask)
code &= p->p_sysent->sv_mask;
- if (code >= p->p_sysent->sv_size)
- callp = &p->p_sysent->sv_table[0];
- else
- callp = &p->p_sysent->sv_table[code];
+ if (code >= p->p_sysent->sv_size)
+ code = 0;
+ callp = &p->p_sysent->sv_table[code];
narg = callp->sy_narg & SYF_ARGMASK;
@@ -589,7 +590,14 @@
PTRACESTOP_SC(p, td, S_PT_SCE);
+#ifdef MAC
+ error = mac_syscall_enter(td, argp, code);
+ if (error == 0)
+ error = (*callp->sy_call)(td, argp);
+ mac_syscall_exit(td, argp, code, error);
+#else
error = (*callp->sy_call)(td, argp);
+#endif
CTR5(KTR_SYSC, "syscall: p=%p error=%d %s return %#lx %#lx ", p,
error, syscallnames[code], td->td_retval[0],
==== //depot/projects/trustedbsd/sebsd/usr.sbin/getfhash/getfhash.c#2 (text+ko) ====
@@ -142,8 +142,8 @@
static void
process_depends(const char *pathname)
{
- char **av, *depends[10], *dependlist;
- int ndeps, error, i, j;
+ char *av, *dependlist;
+ int error, j;
ssize_t nbytes;
nbytes = extattr_get_file(pathname, MAC_CHKEXEC_ATTRN,
@@ -162,17 +162,14 @@
error = extattr_get_file(pathname, MAC_CHKEXEC_ATTRN,
MAC_CHKEXEC_DEP, dependlist, nbytes);
dependlist[nbytes] = '\0';
- for (ndeps = 0, av = depends;
- (*av = strsep(&dependlist, ":")) != NULL; ndeps++)
- if (**av != '\0')
- if (++av > &depends[10])
- break;
depth++;
- for (i = 0; i < ndeps; i++) {
+ for (; (av = strsep(&dependlist, ":")) != NULL;) {
+ if (strlen(av) == 0)
+ continue;
for (j = 0; j < depth; j++)
fputs(" ", stdout);
- print_hash(depends[i]);
- }
+ print_hash(av);
+ }
depth--;
}
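Review bot: The result of the second `extattr_get_file()` is stored in `error` and never examined, and the terminator is written at `dependlist[nbytes]` using the length from the earlier size query. If the read fails or returns fewer bytes than the first call reported, `strsep()` parses whatever happened to be in the buffer. The kernel-side `mac_chkexec_check_depends()` in this same change gained exactly this error check. Bailing out on `if (error < 0)` (with whatever cleanup the function does outside the hunk) and terminating with `dependlist[error] = '\0';` would close the gap. `strsep()` also advances `dependlist`, so any `free(dependlist)` outside the hunk would need a saved copy of the original pointer.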
==== //depot/projects/trustedbsd/sebsd/usr.sbin/getfhash/setfhash.8#3 (text+ko) ====
@@ -54,7 +54,8 @@
When setting dependencies, they must be listed previous to the
system object which requires them.
Multiple dependencies may exist and must be separated by a
-colon when entered. It should be noted that dependency pathnames
+colon when entered.
+It should be noted that dependency pathnames
will be looked up relative to the calling process's root.
.El
.Sh EXAMPLES