PERFORCE change 105352 for review
Todd Miller
millert at FreeBSD.org
Wed Aug 30 20:37:44 UTC 2006
http://perforce.freebsd.org/chv.cgi?CH=105352
Change 105352 by millert at millert_g4tower on 2006/08/30 20:32:36
There is no good reason to have both an fs label and a mount
label. Remove the fs label and store the default label(s)
in the mount label instead.
Affected files ...
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/sys/mount_internal.h#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/vfs/vfs_syscalls.c#3 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac.h#4 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_policy.h#3 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_vfs.c#3 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/extattr_test/mac_extattr_test.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/mls/mac_mls.c#4 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#7 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd_labels.h#3 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/test/mac_test.c#3 edit
Differences ...
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/sys/mount_internal.h#2 (text+ko) ====
@@ -123,7 +123,6 @@
gid_t mnt_fsgroup;
struct label *mnt_mntlabel; /* MAC mount label */
- struct label *mnt_fslabel; /* MAC default fs label */
};
/* XXX 3762912 hack to support HFS filesystem 'owner' */
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/vfs/vfs_syscalls.c#3 (text+ko) ====
@@ -520,7 +520,7 @@
size_t ulen = 0;
if ((uap->flags & MNT_UPDATE) != 0) {
- error = mac_check_mount_fs_relabel(kauth_cred_get(), mp);
+ error = mac_check_mount_relabel(kauth_cred_get(), mp);
if (error != 0)
goto out3;
}
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac.h#4 (text+ko) ====
@@ -175,8 +175,8 @@
void mac_destroy_sysv_sem(struct semid_kernel *);
void mac_destroy_sysv_shm(struct shmid_kernel *);
void mac_destroy_vnode(struct vnode *);
-int mac_internalize_mount_fs_label(struct label *, char *string);
-int mac_externalize_mount_fs_label(struct label *label, char *elements,
+int mac_internalize_mount_label(struct label *, char *string);
+int mac_externalize_mount_label(struct label *label, char *elements,
char *outbuf, size_t outbuflen);
struct label *mac_cred_label_alloc(void);
@@ -373,7 +373,7 @@
int mac_check_mount_setattr(struct ucred *cred, struct mount *mp,
struct vfs_attr *vfa);
int mac_check_mount_stat(struct ucred *cred, struct mount *mp);
-int mac_check_mount_fs_relabel(struct ucred *cred, struct mount *mp);
+int mac_check_mount_relabel(struct ucred *cred, struct mount *mp);
int mac_check_pipe_kqfilter(struct ucred *cred, struct knote *kn,
struct pipe *cpipe);
int mac_check_pipe_ioctl(struct ucred *cred, struct pipe *cpipe,
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_policy.h#3 (text+ko) ====
@@ -308,37 +308,22 @@
);
/**
- @brief Initialize mount label
+ @brief Initialize mount point label
@param label New label to initialize
- @see mpo_init_mount_fs_label_t
- Initialize the label for a newly instantiated mount structure. This
- is the label for the mount point itself. Sleeping is permitted.
+ Initialize the label for a newly instantiated mount structure.
+ This label is typically used to store a default label in the case
+ that the file system has been mounted singlelabel. Since some
+ file systems do not support persistent labels (extended attributes)
+ or are read-only (such as CD-ROMs), it is often necessary to store
+ a default label separately from the label of the mount point
+ itself. Sleeping is permitted.
*/
typedef void mpo_init_mount_label_t(
struct label *label
);
/**
- @brief Initialize mount point file system label
- @param label New label to initialize
- @see mpo_init_mount_label_t
-
- Initialize the file system label for a newly instantiated mount
- structure. This label is typically used to store a file system
- default label in the case that the file system has been mounted
- singlelabel. Since some file systems do not support persistent
- labels (extended attributes) or are read-only (such as CD-ROMs), it
- is often necessary to store a default label separately from the
- label of the mount point itself. Sleeping is permitted.
-
- @warning This is not the label for the mount point itself.
-*/
-typedef void mpo_init_mount_fs_label_t(
- struct label *label
-);
-
-/**
@brief Initialize Mach port label
@param label New label to initialize
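Review bot: The rewritten mpo_init_mount_label_t comment describes the label only as storage for a default label, but after this change mnt_mntlabel is also the label of the mount point itself: it is what mac_check_mount_relabel passes to policies as the object label and what mac_externalize_mount_label exports. The old text covered that role and the new text covers only the one it gained, so a reader of the header no longer learns the label has two jobs. Suggest stating both, e.g. `Initialize the label for a newly instantiated mount structure. It is the label of the mount point itself and, on singlelabel mounts or file systems without persistent labels, also the default label applied to vnodes.`, followed by the existing note that sleeping is permitted.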
@@ -568,19 +553,6 @@
);
/**
- @brief Destroy file system label
- @param label The label to be destroyed
-
- Destroy the file system label associated with a mount point.
- Since the object is going out of scope, policy modules should free
- any internal storage associated with the label so that it may be
- destroyed.
-*/
-typedef void mpo_destroy_mount_fs_label_t(
- struct label *label
-);
-
-/**
@brief Destroy Mach port label
@param label The label to be destroyed
@@ -809,7 +781,7 @@
/**
@brief Update vnode label from extended attributes
@param mp File system mount point
- @param fslabel File system label
+ @param mntlabel Mount point label
@param vp Vnode to label
@param vlabel Label associated with vp
@param name Name of the xattr
@@ -831,7 +803,7 @@
*/
typedef void mpo_update_vnode_extattr_t(
struct mount *mp,
- struct label *fslabel,
+ struct label *mntlabel,
struct vnode *vp,
struct label *vlabel,
char *name
@@ -1087,17 +1059,16 @@
);
/**
- @brief Externalize a mount point file system label
+ @brief Externalize a mount point label
@param label Label to be externalized
@param element_name Name of the label namespace for which labels should be
externalized
@param sb String buffer to be filled with a text representation of the label
- Produce an external representation of the file system label on a
- mount point. An externalized label consists of a text representation
- of the label contents that can be used with user applications.
- Policy-agnostic user space tools will display this externalized
- version.
+ Produce an external representation of the mount point label. An
+ externalized label consists of a text representation of the label
+ contents that can be used with user applications. Policy-agnostic
+ user space tools will display this externalized version.
The policy's externalize entry points will be called only if the
policy has registered interest in the label namespace.
@@ -1106,7 +1077,7 @@
externalizing the label data.
*/
-typedef int mpo_externalize_mount_fs_label_t(
+typedef int mpo_externalize_mount_label_t(
struct label *label,
char *element_name,
struct sbuf *sb
@@ -1216,7 +1187,7 @@
);
/**
- @brief Internalize a mount point file system label
+ @brief Internalize a mount point label
@param label Label to be internalized
@param element_name Name of the label namespace for which the label should
be internalized
@@ -1235,7 +1206,7 @@
while internalizing the label data.
*/
-typedef int mpo_internalize_mount_fs_label_t(
+typedef int mpo_internalize_mount_label_t(
struct label *label,
char *element_name,
char *element_data
@@ -1253,7 +1224,7 @@
/**
@brief Associate a vnode with a devfs entry
@param mp Devfs mount point
- @param fslabel Devfs file system label
+ @param mntlabel Devfs mount point label
@param de Devfs directory entry
@param delabel Label associated with de
@param vp vnode associated with de
@@ -1265,7 +1236,7 @@
*/
typedef void mpo_associate_vnode_devfs_t(
struct mount *mp,
- struct label *fslabel,
+ struct label *mntlabel,
struct devnode *de,
struct label *delabel,
struct vnode *vp,
@@ -1275,7 +1246,7 @@
/**
@brief Associate a label with a vnode
@param mp File system mount point
- @param fslabel File system label
+ @param mntlabel File system mount point label
@param vp Vnode to label
@param vlabel Label associated with vp
@@ -1283,14 +1254,14 @@
file system extended attribute store. The label should be stored in
the supplied vlabel parameter. If a policy cannot retrieve an
extended attribute, sometimes it is acceptible to fallback to using
- the fslabel.
+ the mntlabel.
@return In the event of an error, an appropriate value for errno
should be returned, otherwise return 0 upon success.
*/
typedef int mpo_associate_vnode_extattr_t(
struct mount *mp,
- struct label *fslabel,
+ struct label *mntlabel,
struct vnode *vp,
struct label *vlabel
);
@@ -1298,7 +1269,7 @@
/**
@brief Associate a label with a vnode
@param mp File system mount point
- @param fslabel File system label
+ @param mntlabel File system mount point label
@param vp Vnode to label
@param vlabel Label associated with vp
@@ -1307,7 +1278,7 @@
*/
typedef void mpo_associate_vnode_singlelabel_t(
struct mount *mp,
- struct label *fslabel,
+ struct label *mntlabel,
struct vnode *vp,
struct label *vlabel
);
@@ -1378,7 +1349,7 @@
@brief Create a new vnode, backed by extended attributes
@param cred User credential for the creating process
@param mp File system mount point
- @param fslabel File system label
+ @param mntlabel File system mount point label
@param dvp Parent directory vnode
@param dlabel Parent directory vnode label
@param vp Newly created vnode
@@ -1397,7 +1368,7 @@
typedef int mpo_create_vnode_extattr_t(
struct ucred *cred,
struct mount *mp,
- struct label *fslabel,
+ struct label *mntlabel,
struct vnode *dvp,
struct label *dlabel,
struct vnode *vp,
@@ -1410,9 +1381,7 @@
@param cred Subject credential
@param mp Mount point of file system being mounted
@param mntlabel Label to associate with the new mount point
- @param fslabel Label for the file system default
@see mpo_init_mount_label_t
- @see mpo_init_mount_fs_label_t
Fill out the labels on the mount point being created by the supplied
user credential. This call is made when file systems are first mounted.
@@ -1420,8 +1389,7 @@
typedef void mpo_create_mount_t(
struct ucred *cred,
struct mount *mp,
- struct label *mntlabel,
- struct label *fslabel
+ struct label *mntlabel
);
/**
@@ -3288,22 +3256,22 @@
);
/**
- @brief Access control check for file system relabeling
+ @brief Access control check for mount point relabeling
@param cred Subject credential
@param mp Object file system mount point
- @param fslabel Policy label for fle system under mount point
+ @param mntlabel Policy label for fle system mount point
Determine whether the subject identified by the credential can relabel
- the file system. This call is made when a file system mount is updated.
+ the mount point. This call is made when a file system mount is updated.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EACCES for label mismatch
or EPERM for lack of privilege.
*/
-typedef int mpo_check_mount_fs_relabel_t(
+typedef int mpo_check_mount_relabel_t(
struct ucred *cred,
struct mount *mp,
- struct label *fslabel
+ struct label *mntlabel
);
/**
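Review bot: The new `@param mntlabel Policy label for fle system mount point` carries the typo over from the line it replaces; suggest `@param mntlabel Policy label for the file system mount point`. Since this label now also serves as the default vnode label (the sebsd extattr fallback in this change copies its sid into vnodes), the description could say that relabeling it has wider effect than the mount point, e.g. `Determine whether the subject identified by the credential can relabel the mount point; on singlelabel mounts this label is also the default applied to vnodes.`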
@@ -4839,7 +4807,6 @@
mpo_init_lctx_label_t *mpo_init_lctx_label;
mpo_init_mbuf_label_t *mpo_init_mbuf_label;
mpo_init_mount_label_t *mpo_init_mount_label;
- mpo_init_mount_fs_label_t *mpo_init_mount_fs_label;
mpo_init_port_label_t *mpo_init_port_label;
mpo_init_posix_sem_label_t *mpo_init_posix_sem_label;
mpo_init_posix_shm_label_t *mpo_init_posix_shm_label;
@@ -4858,7 +4825,6 @@
mpo_destroy_lctx_label_t *mpo_destroy_lctx_label;
mpo_destroy_mbuf_label_t *mpo_destroy_mbuf_label;
mpo_destroy_mount_label_t *mpo_destroy_mount_label;
- mpo_destroy_mount_fs_label_t *mpo_destroy_mount_fs_label;
mpo_destroy_port_label_t *mpo_destroy_port_label;
mpo_destroy_posix_sem_label_t *mpo_destroy_posix_sem_label;
mpo_destroy_posix_shm_label_t *mpo_destroy_posix_shm_label;
@@ -4894,13 +4860,13 @@
mpo_externalize_vnode_label_t *mpo_externalize_vnode_label;
mpo_externalize_vnode_audit_label_t *mpo_externalize_vnode_audit_label;
mpo_externalize_pipe_label_t *mpo_externalize_pipe_label;
- mpo_externalize_mount_fs_label_t *mpo_externalize_mount_fs_label;
+ mpo_externalize_mount_label_t *mpo_externalize_mount_label;
mpo_internalize_cred_label_t *mpo_internalize_cred_label;
mpo_internalize_lctx_label_t *mpo_internalize_lctx_label;
mpo_internalize_socket_label_t *mpo_internalize_socket_label;
mpo_internalize_vnode_label_t *mpo_internalize_vnode_label;
mpo_internalize_pipe_label_t *mpo_internalize_pipe_label;
- mpo_internalize_mount_fs_label_t *mpo_internalize_mount_fs_label;
+ mpo_internalize_mount_label_t *mpo_internalize_mount_label;
/*
* Labeling event operations: file system objects; and things that
@@ -5035,7 +5001,7 @@
mpo_check_mount_getattr_t *mpo_check_mount_getattr;
mpo_check_mount_setattr_t *mpo_check_mount_setattr;
mpo_check_mount_stat_t *mpo_check_mount_stat;
- mpo_check_mount_fs_relabel_t *mpo_check_mount_fs_relabel;
+ mpo_check_mount_relabel_t *mpo_check_mount_relabel;
mpo_check_proc_debug_t *mpo_check_proc_debug;
mpo_check_proc_getaudit_t *mpo_check_proc_getaudit;
mpo_check_proc_getauid_t *mpo_check_proc_getauid;
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_vfs.c#3 (text+ko) ====
@@ -76,22 +76,11 @@
return (label);
}
-static struct label *
-mac_mount_fs_label_alloc(void)
-{
- struct label *label;
-
- label = mac_labelzone_alloc(MAC_WAITOK);
- MAC_PERFORM(init_mount_fs_label, label);
- return (label);
-}
-
void
mac_init_mount(struct mount *mp)
{
mp->mnt_mntlabel = mac_mount_label_alloc();
- mp->mnt_fslabel = mac_mount_fs_label_alloc();
}
struct label *
@@ -147,23 +136,11 @@
mac_labelzone_free(label);
}
-static void
-mac_mount_fs_label_free(struct label *label)
-{
-
- MAC_PERFORM(destroy_mount_fs_label, label);
- mac_labelzone_free(label);
-}
-
void
mac_destroy_mount(struct mount *mp)
{
- if (mp->mnt_fslabel != NULL) {
- mac_mount_fs_label_free(mp->mnt_fslabel);
- mp->mnt_fslabel = NULL;
- }
if (mp->mnt_mntlabel != NULL) {
mac_mount_label_free(mp->mnt_mntlabel);
mp->mnt_mntlabel = NULL;
@@ -236,27 +213,27 @@
}
int
-mac_internalize_mount_fs_label(struct label *label, char *string)
+mac_internalize_mount_label(struct label *label, char *string)
{
int error;
- MAC_INTERNALIZE_LIST(mount_fs, label, string);
+ MAC_INTERNALIZE_LIST(mount, label, string);
return (error);
}
int
-mac_externalize_mount_fs_label(struct label *label, char *elements,
+mac_externalize_mount_label(struct label *label, char *elements,
char *outbuf, size_t outbuflen)
{
int error;
if (elements[0] == '*') {
int count;
- MAC_EXTERNALIZE_REGISTERED_LABELS(mount_fs, label, outbuf,
+ MAC_EXTERNALIZE_REGISTERED_LABELS(mount, label, outbuf,
outbuflen, count);
} else
- MAC_EXTERNALIZE_LIST(mount_fs, label, elements, outbuf, outbuflen);
+ MAC_EXTERNALIZE_LIST(mount, label, elements, outbuf, outbuflen);
// error is set by MAC_EXTERNALIZE_*
return (error);
@@ -283,7 +260,7 @@
struct vnode *vp)
{
- MAC_PERFORM(associate_vnode_devfs, mp, mp ? mp->mnt_fslabel : NULL, de,
+ MAC_PERFORM(associate_vnode_devfs, mp, mp ? mp->mnt_mntlabel : NULL, de,
de->dn_label, vp, vp->v_label);
}
@@ -294,7 +271,7 @@
ASSERT_VOP_LOCKED(vp, "mac_associate_vnode_extattr");
- MAC_CHECK(associate_vnode_extattr, mp, mp->mnt_fslabel, vp,
+ MAC_CHECK(associate_vnode_extattr, mp, mp->mnt_mntlabel, vp,
vp->v_label);
return (error);
@@ -305,7 +282,7 @@
{
MAC_PERFORM(associate_vnode_singlelabel, mp,
- mp ? mp->mnt_fslabel : NULL, vp, vp->v_label);
+ mp ? mp->mnt_mntlabel : NULL, vp, vp->v_label);
}
int
@@ -317,7 +294,7 @@
ASSERT_VOP_LOCKED(dvp, __func__);
ASSERT_VOP_LOCKED(vp, __func__);
- MAC_CHECK(create_vnode_extattr, cred, mp, mp->mnt_fslabel,
+ MAC_CHECK(create_vnode_extattr, cred, mp, mp->mnt_mntlabel,
dvp, dvp->v_label, vp, vp->v_label, cnp);
return (error);
@@ -328,7 +305,7 @@
{
ASSERT_VOP_LOCKED(vp, __func__);
- MAC_PERFORM(update_vnode_extattr, mp, mp->mnt_fslabel, vp,
+ MAC_PERFORM(update_vnode_extattr, mp, mp->mnt_mntlabel, vp,
vp->v_label, name);
}
@@ -998,8 +975,7 @@
mp->mnt_flag &= ~MNT_MULTILABEL;
}
- MAC_PERFORM(create_mount, cred, mp, mp->mnt_mntlabel,
- mp->mnt_fslabel);
+ MAC_PERFORM(create_mount, cred, mp, mp->mnt_mntlabel);
printf("MAC Framework enabling %s support: %s -> %s (%s)\n",
mp->mnt_flag & MNT_MULTILABEL ? "multilabel" : "singlelabel",
@@ -1087,14 +1063,14 @@
}
int
-mac_check_mount_fs_relabel(struct ucred *cred, struct mount *mount)
+mac_check_mount_relabel(struct ucred *cred, struct mount *mount)
{
int error;
if (!mac_enforce_fs)
return (0);
- MAC_CHECK(check_mount_fs_relabel, cred, mount, mount->mnt_fslabel);
+ MAC_CHECK(check_mount_relabel, cred, mount, mount->mnt_mntlabel);
return (error);
}
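Review bot: mac_check_mount_relabel now hands policies mnt_mntlabel, which elsewhere in this change is also read as the default vnode label (sebsd_associate_vnode_extattr's fallback does `vsec->sid = sbsec->sid` from that slot), so a granted relabel changes the label every vnode that falls back to it will inherit, not just the mount point's own label. Nothing near the check records that widening, and the function otherwise reads as a mount-point-only check. Suggest a comment above the MAC_CHECK: `/* mnt_mntlabel is also the default vnode label on singlelabel mounts; relabeling it affects every vnode that falls back to it */`. The function is fully visible in the hunk.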
==== //depot/projects/trustedbsd/sedarwin8/policies/extattr_test/mac_extattr_test.c#2 (text+ko) ====
@@ -272,7 +272,7 @@
}
/*
- * We don't implement init_mount_fs_label() so just pull a label out of the
+ * We don't implement init_mount_label() so just pull a label out of the
* air.
*/
static void
==== //depot/projects/trustedbsd/sedarwin8/policies/mls/mac_mls.c#4 (text+ko) ====
@@ -2804,7 +2804,7 @@
}
static int
-mac_mls_check_mount_fs_relabel(struct ucred *cred, struct mount *mp,
+mac_mls_check_mount_relabel(struct ucred *cred, struct mount *mp,
struct label *mntlabel)
{
struct mac_mls *subj, *obj;
@@ -4077,14 +4077,12 @@
.mpo_check_mount_stat = mac_mls_check_mount_stat,
.mpo_check_mount_getattr = mac_mls_check_mount_getattr,
.mpo_check_mount_setattr = mac_mls_check_mount_setattr,
- .mpo_check_mount_fs_relabel = mac_mls_check_mount_fs_relabel,
- .mpo_destroy_mount_fs_label = mac_mls_destroy_label,
+ .mpo_check_mount_relabel = mac_mls_check_mount_relabel,
.mpo_destroy_mount_label = mac_mls_destroy_label,
- .mpo_init_mount_fs_label = mac_mls_init_label,
.mpo_init_mount_label = mac_mls_init_label,
.mpo_create_mount = mac_mls_create_mount,
- .mpo_internalize_mount_fs_label = mac_mls_internalize_label,
- .mpo_externalize_mount_fs_label = mac_mls_externalize_label,
+ .mpo_internalize_mount_label = mac_mls_internalize_label,
+ .mpo_externalize_mount_label = mac_mls_externalize_label,
.mpo_init_port_label = mac_mls_init_port_label,
.mpo_init_task_label = mac_mls_init_label,
.mpo_destroy_port_label = mac_mls_destroy_label,
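Review bot: `.mpo_create_mount = mac_mls_create_mount,` is kept while mpo_create_mount_t loses its fslabel parameter in this change, yet no hunk in mac_mls.c updates the definition of mac_mls_create_mount. If it still takes four parameters, as sebsd_create_mount and mac_test_create_mount did before this change, the initializer assigns an incompatible function pointer and the callback would read an argument the framework no longer passes. The definition is outside the visible hunks, so this is inferred from the diff's omission rather than seen; worth confirming the signature is now `(struct ucred *cred, struct mount *mp, struct label *mntlabel)` or adding the missing hunk.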
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#7 (text+ko) ====
@@ -521,16 +521,6 @@
SLOT(label) = sbsec;
}
-static void
-sebsd_init_mount_fs_label(struct label *label)
-{
- struct mount_fs_security_struct *sbsec;
-
- sbsec = sebsd_malloc(sizeof(*sbsec), M_SEBSD, M_ZERO | M_WAITOK);
- sbsec->sid = SECINITSID_UNLABELED;
- SLOT(label) = sbsec;
-}
-
static int
sebsd_init_network_label_waitcheck(struct label *label, int flag)
{
@@ -637,7 +627,7 @@
}
static void
-sebsd_associate_vnode_devfs(struct mount *mp, struct label *fslabel,
+sebsd_associate_vnode_devfs(struct mount *mp, struct label *mntlabel,
struct devnode *de, struct label *delabel, struct vnode *vp,
struct label *vlabel)
{
@@ -666,11 +656,11 @@
}
static int
-sebsd_associate_vnode_extattr(struct mount *mp, struct label *fslabel,
+sebsd_associate_vnode_extattr(struct mount *mp, struct label *mntlabel,
struct vnode *vp, struct label *vlabel)
{
struct vnode_security_struct *vsec;
- struct mount_fs_security_struct *fssec;
+ struct mount_security_struct *sbsec;
/*
* TBD: static buffers aren't a good idea, and SELinux contexts
* aren't restricted in length.
@@ -706,11 +696,11 @@
dosclass:
vsec->sclass = vnode_type_to_security_class(vp->v_type);
- /* Fall back to the filesystem label on error */
+ /* Fall back to the mount label on error */
if (error) {
- if (fslabel) {
- fssec = SLOT(fslabel);
- vsec->sid = fssec->sid;
+ if (mntlabel) {
+ sbsec = SLOT(mntlabel);
+ vsec->sid = sbsec->sid;
} else
vsec->sid = SECINITSID_UNLABELED;
}
@@ -724,10 +714,10 @@
* since the underlying vnode type should not have changed.
*/
static void
-sebsd_update_vnode_extattr(struct mount *mp, struct label *fslabel,
+sebsd_update_vnode_extattr(struct mount *mp, struct label *mntlabel,
struct vnode *vp, struct label *vlabel, char *name)
{
- struct vnode_security_struct *vsec, *fssec;
+ struct vnode_security_struct *vsec, *sbsec;
/*
* TBD: static buffers aren't a good idea, and SELinux contexts
* aren't restricted in length.
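Review bot: `struct vnode_security_struct *vsec, *sbsec;` declares sbsec with the vnode type, but the following hunk assigns it `SLOT(mntlabel)` and reads `sbsec->sid`, and the same slot is declared `struct mount_security_struct *` in sebsd_associate_vnode_extattr and sebsd_create_mount within this change. The read only works if sid happens to sit at the same offset in both structs; the declaration should be split into `struct vnode_security_struct *vsec;` and `struct mount_security_struct *sbsec;`. The mismatch predates the change (the old fssec had the same type), but the line is rewritten here, and the function body continues past the hunk.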
@@ -751,24 +741,24 @@
__func__, context_len, context);
}
- /* Fall back to the filesystem label on error */
+ /* Fall back to the mount label on error */
if (error) {
- if (fslabel) {
- fssec = SLOT(fslabel);
- vsec->sid = fssec->sid;
+ if (mntlabel) {
+ sbsec = SLOT(mntlabel);
+ vsec->sid = sbsec->sid;
} else
vsec->sid = SECINITSID_UNLABELED;
}
}
static void
-sebsd_associate_vnode_singlelabel(struct mount *mp, struct label *fslabel,
+sebsd_associate_vnode_singlelabel(struct mount *mp, struct label *mntlabel,
struct vnode *vp, struct label *vlabel)
{
- struct mount_fs_security_struct *sbsec;
+ struct mount_security_struct *sbsec;
struct vnode_security_struct *vsec;
- sbsec = SLOT(fslabel);
+ sbsec = SLOT(mntlabel);
vsec = SLOT(vlabel);
vsec->sclass = vnode_type_to_security_class(vp->v_type);
@@ -1185,10 +1175,9 @@
static void
sebsd_create_mount(struct ucred *cred, struct mount *mp,
- struct label *mntlabel, struct label *fslabel)
+ struct label *mntlabel)
{
struct mount_security_struct *sbsec;
- struct mount_fs_security_struct *sbfssec;
int behavior, rc;
/* vfs_init() calls us with no mnt_vtable for dead_mountp */
@@ -1196,7 +1185,6 @@
return;
sbsec = SLOT(mntlabel);
- sbfssec = SLOT(fslabel);
/* TBD TBD TBD */
/*
* Make the label for the filesystem the same as the singlelabel
@@ -1207,14 +1195,10 @@
printf("%s: security_fs_use(%s) returned %d\n", __func__,
mp->mnt_vtable->vfc_name, rc);
behavior = SECURITY_FS_USE_NONE;
- } else {
- sbfssec->sid = sbsec->sid;
- /* TBD: debugging */
- if (sebsd_verbose > 1) {
- printf("%s: security_fs_use(%s) behavior %d, sid %d\n",
- __func__, mp->mnt_vtable->vfc_name, behavior,
- sbsec->sid);
- }
+ } else if (sebsd_verbose > 1) {
+ printf("%s: security_fs_use(%s) behavior %d, sid %d\n",
+ __func__, mp->mnt_vtable->vfc_name, behavior,
+ sbsec->sid);
}
switch (behavior) {
@@ -1293,7 +1277,7 @@
static int
sebsd_create_vnode_extattr(struct ucred *cred, struct mount *mp,
- struct label *fslabel, struct vnode *parent, struct label *parentlabel,
+ struct label *mntlabel, struct vnode *parent, struct label *parentlabel,
struct vnode *child, struct label *childlabel, struct componentname *cnp)
{
struct vnode_security_struct *dir, *vsec;
@@ -1392,14 +1376,14 @@
}
static int
-sebsd_check_mount_fs_relabel(struct ucred *cred, struct mount *mp,
- struct label *fslabel)
+sebsd_check_mount_relabel(struct ucred *cred, struct mount *mp,
+ struct label *mntlabel)
{
- struct mount_fs_security_struct *nsec;
+ struct mount_security_struct *nsec;
struct task_security_struct *tsec;
int rc;
- nsec = SLOT(fslabel);
+ nsec = SLOT(mntlabel);
tsec = SLOT(cred->cr_label);
if (nsec == NULL)
@@ -1875,7 +1859,7 @@
SEBSD_INTERNALIZE_LABEL(cred,task)
SEBSD_INTERNALIZE_LABEL(network,network)
SEBSD_INTERNALIZE_LABEL(vnode,vnode)
-SEBSD_INTERNALIZE_LABEL(mount_fs,mount_fs)
+SEBSD_INTERNALIZE_LABEL(mount,mount)
static void
sebsd_relabel_pipe(struct ucred *cred, struct pipe *pipe,
@@ -2976,7 +2960,7 @@
SEBSD_EXTERNALIZE_LABEL(network,network)
SEBSD_EXTERNALIZE_LABEL(vnode,vnode)
-SEBSD_EXTERNALIZE_LABEL(mount_fs,mount_fs)
+SEBSD_EXTERNALIZE_LABEL(mount,mount)
static void
sebsd_copy_vnode_label(struct label *src, struct label *dest)
@@ -3638,13 +3622,11 @@
/* Mount Points */
.mpo_init_mount_label = sebsd_init_mount_label,
- .mpo_init_mount_fs_label = sebsd_init_mount_fs_label,
.mpo_create_mount = sebsd_create_mount,
- .mpo_internalize_mount_fs_label = sebsd_internalize_mount_fs_label,
- .mpo_externalize_mount_fs_label = sebsd_externalize_mount_fs_label,
+ .mpo_internalize_mount_label = sebsd_internalize_mount_label,
+ .mpo_externalize_mount_label = sebsd_externalize_mount_label,
.mpo_destroy_mount_label = sebsd_destroy_label,
- .mpo_destroy_mount_fs_label = sebsd_destroy_label,
- .mpo_check_mount_fs_relabel = sebsd_check_mount_fs_relabel,
+ .mpo_check_mount_relabel = sebsd_check_mount_relabel,
.mpo_check_mount = sebsd_check_mount,
.mpo_check_umount = sebsd_check_umount,
.mpo_check_remount = sebsd_check_remount,
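Review bot: `.mpo_init_mount_label = sebsd_init_mount_label,` is now the only initializer for a label whose sid the extattr fallback paths in this change copy into vnodes (`vsec->sid = sbsec->sid`), whereas the deleted sebsd_init_mount_fs_label set `sbsec->sid = SECINITSID_UNLABELED` explicitly. sebsd_init_mount_label's body is outside the visible hunks; if it only zero-allocates the struct and SECINITSID_UNLABELED is nonzero, a vnode that falls back before sebsd_create_mount has assigned the sid would inherit sid 0 rather than the unlabeled SID. Confirm it assigns `sbsec->sid = SECINITSID_UNLABELED;` or add that line so the merged label keeps the default the removed initializer provided.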
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd_labels.h#3 (text+ko) ====
@@ -88,8 +88,4 @@
unsigned char proc; /* call procfs_set_sid */
unsigned char uses_trans; /* call security_transition_sid */
};
-
-struct mount_fs_security_struct {
- u_int32_t sid; /* default object SID of file system */
-};
#endif /* _SYS_SECURITY_SEBSD_LABELS_H */
==== //depot/projects/trustedbsd/sedarwin8/policies/test/mac_test.c#3 (text+ko) ====
@@ -711,12 +711,6 @@
}
static void
-mac_test_init_mount_fs_label(struct label *label)
-{
- ALLOC_LABEL(label, MOUNTTYPE);
-}
-
-static void
mac_test_init_pipe_label(struct label *label)
{
ALLOC_LABEL(label, PIPETYPE);
@@ -797,12 +791,6 @@
}
static void
-mac_test_destroy_mount_fs_label(struct label *label)
-{
- DESTROY_LABEL(label, MOUNTTYPE);
-}
-
-static void
mac_test_destroy_pipe_label(struct label *label)
{
DESTROY_LABEL(label, PIPETYPE);
@@ -845,14 +833,14 @@
}
static void
-mac_test_update_vnode_extattr(struct mount *mp, struct label *fslabel,
+mac_test_update_vnode_extattr(struct mount *mp, struct label *mntlabel,
struct vnode *vp, struct label *vlabel, char *name)
{
CHECKNULL(mp);
CHECKNULL(vp);
CHECKNULL(name);
- USE_LABEL(fslabel, MOUNTTYPE);
+ USE_LABEL(mntlabel, MOUNTTYPE);
USE_LABEL(vlabel, VNODETYPE);
}
@@ -951,7 +939,7 @@
}
static int
-mac_test_externalize_mount_fs_label(struct label *label,
+mac_test_externalize_mount_label(struct label *label,
char *element_name, struct sbuf *sb)
{
return EXTERNALIZE_LABEL(label, MOUNTTYPE);
@@ -986,7 +974,7 @@
}
static int
-mac_test_internalize_mount_fs_label(struct label *label,
+mac_test_internalize_mount_label(struct label *label,
char *element_name, char *element_data)
{
return INTERNALIZE_LABEL(label, MOUNTTYPE);
@@ -1037,7 +1025,7 @@
/* mp can be NULL in this fcn */
static void
-mac_test_associate_vnode_devfs(struct mount *mp, struct label *fslabel,
+mac_test_associate_vnode_devfs(struct mount *mp, struct label *mntlabel,
struct devnode *de, struct label *delabel, struct vnode *vp,
struct label *vlabel)
{
@@ -1046,31 +1034,31 @@
INIT_LABEL(vlabel, VNODETYPE);
if (mp != NULL)
- USE_LABEL(fslabel, MOUNTTYPE);
+ USE_LABEL(mntlabel, MOUNTTYPE);
USE_LABEL(delabel, DEVNODETYPE);
}
static int
-mac_test_associate_vnode_extattr(struct mount *mp, struct label *fslabel,
+mac_test_associate_vnode_extattr(struct mount *mp, struct label *mntlabel,
struct vnode *vp, struct label *vlabel)
{
CHECKNULL(mp);
CHECKNULL(vp);
INIT_LABEL(vlabel, VNODETYPE);
- USE_LABEL(fslabel, MOUNTTYPE);
+ USE_LABEL(mntlabel, MOUNTTYPE);
return (0);
}
static void
mac_test_associate_vnode_singlelabel(struct mount *mp,
- struct label *fslabel, struct vnode *vp, struct label *vlabel)
+ struct label *mntlabel, struct vnode *vp, struct label *vlabel)
{
CHECKNULL(mp);
CHECKNULL(vp);
INIT_LABEL(vlabel, VNODETYPE);
- USE_LABEL(fslabel, MOUNTTYPE);
+ USE_LABEL(mntlabel, MOUNTTYPE);
}
@@ -1120,7 +1108,7 @@
static int
mac_test_create_vnode_extattr(struct ucred *cred, struct mount *mp,
- struct label *fslabel, struct vnode *dvp, struct label *dlabel,
+ struct label *mntlabel, struct vnode *dvp, struct label *dlabel,
struct vnode *vp, struct label *vlabel, struct componentname *cnp)
{
CHECKNULL(cred);
@@ -1130,7 +1118,7 @@
INIT_LABEL(vlabel, VNODETYPE);
USE_LABEL(dlabel, VNODETYPE);
- USE_LABEL(fslabel, MOUNTTYPE);
+ USE_LABEL(mntlabel, MOUNTTYPE);
USE_LABEL(cred->cr_label, CREDTYPE);
return (0);
}
@@ -1138,12 +1126,11 @@
static void
mac_test_create_mount(struct ucred *cred, struct mount *mp,
- struct label *mntlabel, struct label *fslabel)
+ struct label *mntlabel)
{
CHECKNULL(cred);
CHECKNULL(mp);
- INIT_LABEL(fslabel, MOUNTTYPE);
USE_LABEL(cred->cr_label, CREDTYPE);
INIT_LABEL(mntlabel, MOUNTTYPE);
}
@@ -1381,7 +1368,7 @@
}
static int
-mac_test_check_mount_fs_relabel(struct ucred *cred, struct mount *mp,
+mac_test_check_mount_relabel(struct ucred *cred, struct mount *mp,
struct label *mntlabel)
{
CHECKNULL(cred);
@@ -3166,7 +3153,6 @@
.mpo_init_lctx_label = mac_test_init_lctx_label,
.mpo_init_mbuf_label = mac_test_init_mbuf_label,
.mpo_init_mount_label = mac_test_init_mount_label,
- .mpo_init_mount_fs_label = mac_test_init_mount_fs_label,
.mpo_init_port_label = mac_test_init_port_label,
.mpo_init_posix_sem_label = mac_test_init_posix_sem_label,
.mpo_init_posix_shm_label = mac_test_init_posix_shm_label,
@@ -3185,7 +3171,6 @@
.mpo_destroy_lctx_label = mac_test_destroy_lctx_label,
.mpo_destroy_mbuf_label = mac_test_destroy_mbuf_label,
.mpo_destroy_mount_label = mac_test_destroy_mount_label,
- .mpo_destroy_mount_fs_label = mac_test_destroy_mount_fs_label,
.mpo_destroy_port_label = mac_test_destroy_port_label,
.mpo_destroy_posix_sem_label = mac_test_destroy_posix_sem_label,
.mpo_destroy_posix_shm_label = mac_test_destroy_posix_shm_label,
@@ -3223,13 +3208,13 @@
.mpo_externalize_vnode_label = mac_test_externalize_vnode_label,
.mpo_externalize_vnode_audit_label =
mac_test_externalize_vnode_audit_label,
- .mpo_externalize_mount_fs_label = mac_test_externalize_mount_fs_label,
+ .mpo_externalize_mount_label = mac_test_externalize_mount_label,
.mpo_internalize_cred_label = mac_test_internalize_cred_label,
.mpo_internalize_lctx_label = mac_test_internalize_lctx_label,
.mpo_internalize_pipe_label = mac_test_internalize_pipe_label,
.mpo_internalize_socket_label = mac_test_internalize_socket_label,
.mpo_internalize_vnode_label = mac_test_internalize_vnode_label,
- .mpo_internalize_mount_fs_label = mac_test_internalize_mount_fs_label,
+ .mpo_internalize_mount_label = mac_test_internalize_mount_label,
/*
* Labeling event operations: file system objects; and things that
@@ -3320,7 +3305,7 @@
.mpo_check_mount_getattr = mac_test_check_mount_getattr,
.mpo_check_mount_setattr = mac_test_check_mount_setattr,
.mpo_check_mount_stat = mac_test_check_mount_stat,
- .mpo_check_mount_fs_relabel = mac_test_check_mount_fs_relabel,
+ .mpo_check_mount_relabel = mac_test_check_mount_relabel,
.mpo_check_port_relabel = mac_test_check_port_relabel,
.mpo_check_port_send = mac_test_check_port_send,
.mpo_check_port_make_send = mac_test_check_port_make_send,