PERFORCE change 90006 for review
Todd Miller
millert at FreeBSD.org
Fri Jan 20 15:16:42 GMT 2006
http://perforce.freebsd.org/chv.cgi?CH=90006
Change 90006 by millert at millert_ibook on 2006/01/20 15:15:56
Switch to the new module build framework. With it we get
a report on unimplemented entry points for free.
Affected files ...
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/build/PolicyKext.mk#3 edit
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/build/mkPolicyInfoPlist.sh#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/build/policy-ops.gdb#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/ipctrace/Makefile#3 edit
.. //depot/projects/trustedbsd/sedarwin7/src/ipctrace/commands/Makefile#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/ipctrace/commands/dotbyproc#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/ipctrace/commands/dumptrace.c#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/ipctrace/commands/ikotnames#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/ipctrace/commands/tr2dot#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/ipctrace/dumptrace.c#3 delete
.. //depot/projects/trustedbsd/sedarwin7/src/ipctrace/ikotnames#3 delete
.. //depot/projects/trustedbsd/sedarwin7/src/ipctrace/ipctrace.c#5 delete
.. //depot/projects/trustedbsd/sedarwin7/src/ipctrace/ipctrace.h#4 delete
.. //depot/projects/trustedbsd/sedarwin7/src/ipctrace/ipctrace.kmodinfo#3 delete
.. //depot/projects/trustedbsd/sedarwin7/src/ipctrace/module/Makefile#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/ipctrace/module/ikotnames.h#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/ipctrace/module/ipctrace.c#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/ipctrace/module/ipctrace.h#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/ipctrace/tr2dot#3 delete
.. //depot/projects/trustedbsd/sedarwin7/src/mac_count/Makefile#2 edit
.. //depot/projects/trustedbsd/sedarwin7/src/mac_count/commands/Makefile#2 delete
.. //depot/projects/trustedbsd/sedarwin7/src/mac_count/commands/mac_counter.c#2 delete
.. //depot/projects/trustedbsd/sedarwin7/src/mac_count/mac_count.c#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/mac_count/mac_count.h#2 delete
.. //depot/projects/trustedbsd/sedarwin7/src/mac_count/mk_count_decls.awk#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/mac_count/mk_count_funcs.awk#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/mac_count/mk_count_policy_ops.awk#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/mac_count/mk_count_reg.awk#1 add
.. //depot/projects/trustedbsd/sedarwin7/src/mac_count/module/Makefile#2 delete
.. //depot/projects/trustedbsd/sedarwin7/src/mac_count/module/hash_string.c#2 delete
.. //depot/projects/trustedbsd/sedarwin7/src/mac_count/module/hash_string.h#2 delete
.. //depot/projects/trustedbsd/sedarwin7/src/mac_count/module/mac_count.c#3 delete
.. //depot/projects/trustedbsd/sedarwin7/src/mac_count/module/mac_count.kmodinfo#2 delete
.. //depot/projects/trustedbsd/sedarwin7/src/mac_mls/Makefile#3 edit
.. //depot/projects/trustedbsd/sedarwin7/src/mac_mls/mac_mls.c#5 edit
.. //depot/projects/trustedbsd/sedarwin7/src/mac_mls/mac_mls.h#3 edit
.. //depot/projects/trustedbsd/sedarwin7/src/mac_mls/mac_mls.kmodinfo#3 delete
.. //depot/projects/trustedbsd/sedarwin7/src/mac_none/Makefile#3 edit
.. //depot/projects/trustedbsd/sedarwin7/src/mac_none/mac_none.4#3 edit
.. //depot/projects/trustedbsd/sedarwin7/src/mac_none/mac_none.c#3 edit
.. //depot/projects/trustedbsd/sedarwin7/src/mac_none/mac_none.kmodinfo#3 delete
.. //depot/projects/trustedbsd/sedarwin7/src/mac_stub/Makefile#3 edit
.. //depot/projects/trustedbsd/sedarwin7/src/mac_stub/mac_stub.4#3 edit
.. //depot/projects/trustedbsd/sedarwin7/src/mac_stub/mac_stub.c#5 edit
.. //depot/projects/trustedbsd/sedarwin7/src/mac_stub/mac_stub.kmodinfo#3 delete
.. //depot/projects/trustedbsd/sedarwin7/src/mactest/Makefile#3 edit
.. //depot/projects/trustedbsd/sedarwin7/src/mactest/mac_test.c#5 edit
.. //depot/projects/trustedbsd/sedarwin7/src/mactest/mac_test.kmodinfo#3 delete
.. //depot/projects/trustedbsd/sedarwin7/src/stacktrace/Makefile#3 edit
.. //depot/projects/trustedbsd/sedarwin7/src/stacktrace/commands/save_trace/Makefile#3 edit
.. //depot/projects/trustedbsd/sedarwin7/src/stacktrace/commands/save_trace/save_trace.c#3 edit
.. //depot/projects/trustedbsd/sedarwin7/src/stacktrace/commands/sec_trace/Makefile#3 edit
.. //depot/projects/trustedbsd/sedarwin7/src/stacktrace/commands/sec_trace/sec_trace.c#3 edit
.. //depot/projects/trustedbsd/sedarwin7/src/stacktrace/module/Makefile#3 edit
.. //depot/projects/trustedbsd/sedarwin7/src/stacktrace/module/mac_stacktrace.c#4 edit
.. //depot/projects/trustedbsd/sedarwin7/src/stacktrace/module/mac_stacktrace.kmodinfo#3 delete
.. //depot/projects/trustedbsd/sedarwin7/src/stacktrace/stacktrace_syscalls.h#3 edit
Differences ...
==== //depot/projects/trustedbsd/sedarwin7/src/darwin/build/PolicyKext.mk#3 (text+ko) ====
@@ -1,30 +1,103 @@
+#
+# Including Makefile MUST have the following variables defined:
+#
+# POLICY Name of the policy (eg: mac_foo)
+# POLICY_VER Policy Version for Bundle
+# POLICY_COMPVER Policy OS Compatible Version for Bundle
+# POLICY_DESC Description of Policy
+#
+# The following variables MAY be defined
+#
+# POLICY_SRCS Override default sources of $(POLICY).c
+# POLICY_NOMAN Define if policy module has no manpage.
+# POLICY_MAN
+# POLICY_LIBS key:string specification of OSBundleLibraries
+#
+# CLEANFILES Additional build files to remove on 'make clean'
+#
+
+CFLAGS += -g $(DARWIN_HDRS) -nostdinc -mlong-branch -DAPPLE -DKERNEL \
+ -DKERNEL_PRIVATE -DKEXT -fno-common -static -fno-builtin \
+ -I$(DARWIN)/EXTERNAL_HEADERS -I$(DARWIN)/EXTERNAL_HEADERS/bsd
+CFLAGS += $(CWARNFLAGS)
+CFLAGS += -DPOLICY_VER=\"$(POLICY_VER)\" \
+ -DPOLICY_DESC=\"$(POLICY_DESC)\"
+POLICY_SRCS ?= $(POLICY).c
+POLICY_OBJS = $(POLICY_SRCS:.c=.o)
+
+POLICY_LIBS += com.apple.kernel.bsd:1.1 \
+ com.apple.kernel.libkern:1.0b1
+
+WARNS ?= 6
+
+#CWARNFLAGS += -Wsystem-headers
+#CWARNFLAGS += -Werror
+#CWARNFLAGS += -Wall -Wno-format-y2k
+#CWARNFLAGS += -W -Wno-unused-parameter -Wstrict-prototypes \
+# -Wmissing-prototypes -Wpointer-arith
+#CWARNFLAGS += -Wreturn-type -Wcast-qual -Wwrite-strings -Wswitch \
+# -Wshadow -Wcast-align
+#CWARNFLAGS += -Wunused-parameter
+#CWARNFLAGS += -Wchar-subscripts -Winline -Wnested-externs \
+# -Wredundant-decls
+#CWARNFLAGS += -Wno-uninitialized
+
+ifndef POLICY_NOMAN
+POLICY_MAN ?= $(POLICY).4
+else
+POLICY_MAN=
+endif
+
+CLEANFILES += $(POLICY_OBJS) \
+ $(POLICY)-test $(POLICY).gdb $(POLICY).report \
+ .gdb_history
+
+all: mac_$(POLICY).kext.tar $(POLICY).report
+
+clean:
+ @rm -rf mac_$(POLICY).kext.tar mac_$(POLICY).kext
+ @rm -f $(CLEANFILES)
-CFLAGS += -nostdinc -mlong-branch -DKERNEL -DKERNEL_PRIVATE -fno-common -static -fno-builtin
-CFLAGS += -I$(DARWIN)/EXTERNAL_HEADERS -I$(DARWIN)/EXTERNAL_HEADERS/bsd -DKEXT
+install: mac_$(POLICY).kext.tar $(POLICY_MAN)
+ifndef POLICY_NOMAN
+ @install -m 644 $(POLICY_MAN) $(DESTDIR)/usr/share/man/man4
+endif
+ @tar -C $(DESTDIR)/System/Library/Extensions -xf mac_$(POLICY).kext.tar
+
+mac_$(POLICY).kext.tar: mac_$(POLICY).kext mac_$(POLICY).kext/Contents/Info.plist $(POLICY_OBJS)
+ @echo "$(POLICY): Creating KEXT tar file..."
+ @touch mac_$(POLICY).kext/LoadEarly
+ @tar --owner root --group wheel -cf $@ mac_$(POLICY).kext
+
+mac_$(POLICY).kext/Contents/Info.plist: Makefile
+ @echo "$(POLICY): Generating Info.plist..."
+ @$(DARWIN_ROOT)/build/mkPolicyInfoPlist.sh \
+ $(POLICY) $(POLICY_VER) $(POLICY_COMPVER) \
+ $(POLICY_DESC) "$(POLICY_LIBS)" > $@
+
+mac_$(POLICY).kext: $(POLICY_OBJS)
+ @echo "$(POLICY): Creating KEXT..."
+ @mkdir -p mac_$(POLICY).kext/Contents/MacOS
+ @ld -r -o mac_$(POLICY).kext/Contents/MacOS/$(POLICY) $(POLICY_OBJS) -lkmod -lcc_kext -static
+
+# Display undefined policy entrypoints.
-%.kext.tar: %.o
- mkdir -p $*.kext/Contents/MacOS
- ld -r -o $*.kext/Contents/MacOS/$* $^ -lkmod -lcc_kext -static
- @$(MAKE) $*.kext/Contents/Info.plist
- @touch $*.kext/LoadEarly
- tar --owner root --group wheel -cf $@ $*.kext
+$(POLICY)-test: $(POLICY_OBJS)
+ @$(LD) -twolevel_namespace -undefined define_a_way -o $@ $(POLICY_OBJS) 2> /dev/null
+
+$(POLICY).gdb: $(POLICY)-test
+ @gdb -x $(DARWIN_ROOT)/build/policy-ops.gdb $< \
+ | grep mac_policy_ops \
+ | sed s/\;// \
+ | awk '{print "p " $$4 "\nquit"}' \
+ > $@
-%.kext/Contents/Info.plist: %.kmodinfo
- @echo "Generating $@ from $<..."
- @echo '<?xml version="1.0" encoding="UTF-8"?>' > $@
- @echo '<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">' >> $@
- @echo -e '<plist version="1.0">\n<dict>' >> $@
- @echo -ne '<key>CFBundleExecutable</key>\n<string>' >> $@
- @echo -n $* >> $@
- @echo -ne '</string>\n<key>CFBundleIdentifier</key>\n<string>' >> $@
- @echo -n `cat $< | sed -ne '/^name:/ s/^name:// p'` >> $@
- @echo -e '</string>\n<key>CFBundleInfoDictionaryVersion</key>\n<string>6.0</string>' >> $@
- @echo -ne '<key>CFBundleName</key>\n<string>' >> $@
- @echo -n `cat $< | sed -ne '/^desc:/ s/^desc:// p'` >> $@
- @echo -e '</string>\n<key>CFBundlePackageType</key>\n<string>KEXT</string>' >> $@
- @echo -e '<key>CFBundleSignature</key>\n<string>9999</string>' >> $@
- @echo -ne '<key>CFBundleVersion</key>\n<string>' >> $@
- @echo -n `cat $< | sed -ne '/^ver:/ s/^ver:// p'` >> $@
- @echo -ne '</string><key>OSBundleCompatibleVersion</key>\n<string>' >> $@
- @echo -n `cat $< | sed -ne '/^compver:/ s/^compver:// p'` >> $@
- @echo -e '</string><key>OSBundleLibraries</key>\n<dict>\n<key>com.apple.kernel.bsd</key><string>1.1</string>\n<key>com.apple.kernel.libkern</key><string>1.0b1</string>\n</dict>\n<key>OSBundleRequired</key><string>None</string>\n</dict></plist>' >> $@
+$(POLICY).report: $(POLICY).gdb $(POLICY)-test
+ @echo "$(POLICY): Creating policy report..."
+ @echo "Undefined $(POLICY) policy entrypoints:" > $@
+ @gdb -x $(POLICY).gdb $(POLICY)-test \
+ | grep ' = 0,' \
+ | awk '{print "\t"$$1}' \
+ | sort \
+ | uniq \
+ >> $@
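Review bot: The Info.plist rule at L142-L146 writes into `mac_$(POLICY).kext/Contents/` but does not list the `mac_$(POLICY).kext` target (L148-L150) that creates that directory, so it works only because of prerequisite order on L137 and will fail under `make -j` or when the plist target is built on its own. Its only prerequisite is `Makefile`, so edits to `mkPolicyInfoPlist.sh` or to this `PolicyKext.mk` never regenerate the plist; suggested: `mac_$(POLICY).kext/Contents/Info.plist: Makefile $(DARWIN_ROOT)/build/mkPolicyInfoPlist.sh` with `@mkdir -p $(dir $@)` as the first recipe line. Passing `$(POLICY_DESC)` unquoted on L146 relies on each policy's Makefile embedding literal double quotes in the value (as mac_count and mac_mls do); a header comment on L76 should state that requirement, e.g. `# POLICY_DESC Description of Policy (must be double-quoted, it is passed to the shell unquoted)`. The `2> /dev/null` on L161 hides the linker diagnostic when the `-test` link genuinely fails, leaving only make's exit-status message.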
==== //depot/projects/trustedbsd/sedarwin7/src/ipctrace/Makefile#3 (text+ko) ====
==== //depot/projects/trustedbsd/sedarwin7/src/mac_count/Makefile#2 (text+ko) ====
@@ -1,11 +1,58 @@
-all:
- cd module && make
- cd commands && make
+POLICY= count
+POLICY_VER= 1.0
+POLICY_COMPVER= 1.0
+POLICY_DESC= "Entry Point Counter"
+POLICY_SRCS= mac_count.c
+POLICY_NOMAN= yes
+
+include ../Makeconfig
+include $(DARWIN_ROOT)/build/PolicyKext.mk
+
+CLEANFILES+= count_decls.h count_reg.h count_funcs.h count_policy_ops.h \
+ policy.in
+
+mac_count.c: count_decls.h count_reg.h count_funcs.h count_policy_ops.h
+
+policy.in: $(EXPORT_HDRS)/bsd/sys/mac_policy.h
+ @cpp -P $< \
+ | grep -v ^\$ \
+ | awk 'RS=";" { if ($$1 == "typedef") { print $$0";" } }' \
+ | tr -d "\n\t" \
+ | tr ";" "\n" \
+ | sed -e 's/typedef //g' \
+ -e 's/,/, /g' \
+ -e 's/_t(/ (/g' \
+ -e 's/ mpo_/ /g' \
+ > $@
+
+count_decls.h: policy.in
+ @cat $< \
+ | grep -v \
+ -e ' destroy ' \
+ -e ' init_bsd ' \
+ -e ' init ' \
+ | awk -f mk_count_decls.awk \
+ > $@
+
+count_reg.h: policy.in
+ @cat $< \
+ | grep -v \
+ -e ' destroy ' \
+ -e ' init_bsd ' \
+ -e ' init ' \
+ | awk -f mk_count_reg.awk \
+ > $@
-clean:
- cd module && make clean
- cd commands && make clean
+count_funcs.h: policy.in
+ @cat $< \
+ | grep -v \
+ -e ' destroy ' \
+ -e ' init_bsd ' \
+ -e ' init ' \
+ | awk -f mk_count_funcs.awk \
+ > $@
-install:
- cd module && make install
- cd commands && make install
+count_policy_ops.h: policy.in
+ @cat $< \
+ | awk -f mk_count_policy_ops.awk \
+ > $@
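Review bot: `grep -v ^\$` on L220 is expanded by make before the shell sees it: `$ ` is a reference to the make variable named by the space character, so the shell receives `^\ ` rather than a blank-line pattern; if the intent is to drop empty lines it should read `| grep -v '^$$' \` (the same construct is at mac_stub/Makefile L573). The generated headers depend only on policy.in, so a change to the awk script that produces them is not picked up; each rule should also list its script, e.g. `count_decls.h: policy.in mk_count_decls.awk`. The policy.in pipeline on L218-L228 is repeated verbatim in mac_stub/Makefile L571-L581 and belongs in PolicyKext.mk as a shared rule, and the three identical `grep -v -e ' destroy ' -e ' init_bsd ' -e ' init '` filters (L232-L235, L241-L244, L252-L255) can be one variable such as `COUNT_EXCLUDE= -e ' destroy ' -e ' init_bsd ' -e ' init '`.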
==== //depot/projects/trustedbsd/sedarwin7/src/mac_mls/Makefile#3 (text+ko) ====
@@ -1,16 +1,9 @@
+POLICY= mls
+POLICY_VER= 1.0
+POLICY_COMPVER= 1.0
+POLICY_DESC= "TrustedBSD MAC/MLS"
+POLICY_SRCS= mac_mls.c
+POLICY_NOMAN= yes
include ../Makeconfig
include $(DARWIN_ROOT)/build/PolicyKext.mk
-
-CFLAGS += $(DARWIN_HDRS) -DAPPLE
-CFLAGS += -g
-
-mac_mls.kext.tar: mac_mls.o
-
-clean:
- rm -rf mac_mls.kext.tar mac_mls.kext
- rm -f mac_mls.o
-
-install: mac_mls.kext.tar
- cat $< | (cd $(DESTDIR)/System/Library/Extensions; tar xf -)
- touch $(DESTDIR)/System/Library/Extensions/mac_mls.kext/LoadEarly
==== //depot/projects/trustedbsd/sedarwin7/src/mac_mls/mac_mls.c#5 (text+ko) ====
@@ -43,6 +43,7 @@
#include <sys/extattr.h>
#include <sys/conf.h>
#include <sys/kernel.h>
+#include <sys/lctx.h>
#include <sys/mac.h>
#include <sys/malloc.h>
#include <sys/mman.h>
@@ -1794,6 +1795,45 @@
}
static int
+mac_mls_check_proc_setlcid (struct proc *p0, struct proc *p,
+ pid_t pid, pid_t lcid)
+{
+ struct mac_mls *source, *dest;
+
+ /* Create/Join/Leave */
+ if (pid == LCID_PROC_SELF)
+ return (0);
+
+ switch (lcid) {
+ case LCID_REMOVE: /* Orphan */
+
+ /* loginwindow.app/MAC.loginPlugin orphaned process. */
+ dest = SLOT(p->p_ucred->cr_label);
+
+ mac_mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL);
+ mac_mls_set_range(dest, MAC_MLS_TYPE_LOW, 0, NULL,
+ MAC_MLS_TYPE_HIGH, 0, NULL);
+ break;
+
+ case LCID_CREATE: /* Create */
+ /* nop */
+ break;
+ default: /* Adopt */
+
+ /* loginwindow.app/MAC.loginPlugin adopted process. */
+
+ source = SLOT(p0->p_ucred->cr_label);
+ dest = SLOT(p->p_ucred->cr_label);
+
+ mac_mls_copy(source, dest);
+
+ break;
+ }
+
+ return (0);
+}
+
+static int
mac_mls_audit_preselect(struct ucred *cred, unsigned short syscode,
void *args)
{
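Review bot: mac_mls_check_proc_setlcid mutates the target's credential label from inside a check_ hook: the LCID_REMOVE branch (L313-L317) resets p's label to effective EQUAL with a LOW–HIGH range, and the default branch (L327-L330) copies p0's label onto p. A check entry point runs before the kernel has committed the operation, so if another registered policy or the kernel's own setlcid checks later deny the call, p is left carrying the relabeled — in the LCID_REMOVE case, maximally permissive — MLS label; the label change should be done from a separate label-update hook that is only invoked once the setlcid has succeeded, with this hook reduced to returning the access decision. The hook also lacks the `if (!mac_mls_enabled) return (0);` guard the other hooks in this file use (visible in the removed bpfdesc_receive body at L352-L353), and it writes through `p->p_ucred->cr_label` in place rather than via a credential copy, so the change is presumably visible to every holder of that ucred — confirm against how the kernel shares cr_label. The function has no header comment; one should state that LCID_PROC_SELF is treated as create/join/leave and allowed, that LCID_REMOVE is the loginwindow orphan path, and that any other lcid is adoption of p by p0's context.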
@@ -1845,27 +1885,7 @@
return (MAC_AUDIT_DEFAULT);
}
-#ifdef LATER
static int
-mac_mls_check_bpfdesc_receive(struct bpf_d *bpf_d, struct label *bpflabel,
- struct ifnet *ifnet, struct label *ifnetlabel)
-{
- struct mac_mls *a, *b;
-
- if (!mac_mls_enabled)
- return (0);
-
- a = SLOT(bpflabel);
- b = SLOT(ifnetlabel);
-
- if (mac_mls_equal_effective(a, b))
- return (0);
-
- MLS_RETURN (EACCES);
-}
-#endif /* LATER */
-
-static int
mac_mls_check_cred_relabel(struct ucred *cred, struct label *newlabel)
{
struct mac_mls *subj, *new;
@@ -2764,11 +2784,11 @@
return (0);
}
+#if 0
static int
mac_mls_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
int attrnamespace, const char *name)
{
-#if 0
struct mac_mls *subj, *obj;
if (!mac_mls_enabled)
@@ -2779,10 +2799,10 @@
if (!mac_mls_dominate_effective(obj, subj))
return (EACCES);
-#endif
return (0);
}
+#endif
static int
mac_mls_check_vnode_exchangedata(struct ucred *cred,
@@ -2884,11 +2904,11 @@
return (0);
}
+#if 0
static int
mac_mls_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
int attrnamespace)
{
-#if 0
struct mac_mls *subj, *obj;
if (!mac_mls_enabled)
@@ -2899,10 +2919,10 @@
if (!mac_mls_dominate_effective(subj, obj))
return (EACCES);
-#endif
return (0);
}
+#endif
static int
mac_mls_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
@@ -3344,41 +3364,6 @@
mac_mls_copy_range(source, dest);
}
-#if 0
-static void
-mac_mls_execve_transition(struct ucred *old, struct ucred *new,
- struct vnode *vp, struct label *filelabel,
- struct label *interpvnodelabel, struct label *execlabel)
-{
-#warning mac_mls_execve_transition unimplemented
- printf("mac_mls_execve_transition: not implemented\n");
-}
-
-static int
-mac_mls_execve_will_transition(struct ucred *old, struct vnode *vp,
- struct label *filelabel, struct label *interpvnodelabel,
- struct label *execlabel, struct proc *proc)
-{
-#warning mac_mls_execve_will_transition unimplemented
- printf("mac_mls_execve_will_transition: not implemented\n");
- return 0;
-}
-
-static void
-mac_mls_reflect_mbuf_icmp(struct mbuf *m, struct label *mlabel)
-{
-#warning what to do in mac_mls_reflect_mbuf_icmp
- printf("mac_mls_reflect_mbuf_icmp: not implemented\n");
-}
-
-static void
-mac_mls_reflect_mbuf_tcp(struct mbuf *m, struct label *mlabel)
-{
-#warning what to do in mac_mls_reflect_mbuf_tcp
- printf("mac_mls_reflect_mbuf_tcp: not implemented\n");
-}
-#endif /* 0 */
-
static struct mac_policy_ops mac_mls_ops =
{
@@ -3442,11 +3427,11 @@
.mpo_check_vnode_exchangedata = mac_mls_check_vnode_exchangedata,
.mpo_check_vnode_getattrlist = mac_mls_check_vnode_getattrlist,
.mpo_check_vnode_setattrlist = mac_mls_check_vnode_setattrlist,
- .mpo_check_vnode_deleteextattr = mac_mls_check_vnode_deleteextattr,
+/* .mpo_check_vnode_deleteextattr = mac_mls_check_vnode_deleteextattr,*/
.mpo_check_vnode_exec = mac_mls_check_vnode_exec,
.mpo_check_vnode_getextattr = mac_mls_check_vnode_getextattr,
.mpo_check_vnode_link = mac_mls_check_vnode_link,
- .mpo_check_vnode_listextattr = mac_mls_check_vnode_listextattr,
+/* .mpo_check_vnode_listextattr = mac_mls_check_vnode_listextattr,*/
.mpo_check_vnode_lookup = mac_mls_check_vnode_lookup,
.mpo_check_vnode_mmap = mac_mls_check_vnode_mmap,
.mpo_check_vnode_open = mac_mls_check_vnode_open,
@@ -3531,47 +3516,12 @@
.mpo_check_proc_setauid = mac_mls_check_proc_setauid,
.mpo_check_proc_getaudit = mac_mls_check_proc_getaudit,
.mpo_check_proc_setaudit = mac_mls_check_proc_setaudit,
+ .mpo_check_proc_setlcid = mac_mls_check_proc_setlcid,
.mpo_audit_preselect = mac_mls_audit_preselect,
.mpo_audit_postselect = mac_mls_audit_postselect,
};
-/* These are the mac_test policy ops which aren't (yet) implemented by mac_mls
-
-.mpo_check_kld_load = mac_test_check_kld_load,
-.mpo_check_sysarch_ioperm = mac_test_check_sysarch_ioperm,
-.mpo_check_vnode_deleteacl = mac_test_check_vnode_deleteacl,
-.mpo_check_vnode_getacl = mac_test_check_vnode_getacl,
-.mpo_check_vnode_setacl = mac_test_check_vnode_setacl,
-.mpo_thread_userret = mac_test_thread_userret,
-.mpo_execve_will_transition = mac_mls_execve_will_transition,
-.mpo_execve_transition = mac_mls_execve_transition,
-.mpo_create_datagram_from_ipq = mac_mls_create_datagram_from_ipq,
- .mpo_init_bpfdesc_label = mac_mls_init_label,
- .mpo_destroy_bpfdesc_label = mac_mls_destroy_label,
- .mpo_create_bpfdesc = mac_mls_create_bpfdesc,
- .mpo_create_fragment = mac_mls_create_fragment,
- .mpo_destroy_ifnet_label = mac_mls_destroy_label,
- .mpo_externalize_ifnet_label = mac_mls_externalize_label,
- .mpo_init_ifnet_label = mac_mls_init_label,
- .mpo_internalize_ifnet_label = mac_mls_internalize_label,
- .mpo_create_ifnet = mac_mls_create_ifnet,
- .mpo_relabel_ifnet = mac_mls_relabel_ifnet,
- .mpo_init_ipq_label = mac_mls_init_label_waitcheck,
- .mpo_update_ipq = mac_mls_update_ipq,
- .mpo_fragment_match = mac_mls_fragment_match,
- .mpo_create_mbuf_from_bpfdesc = mac_mls_create_mbuf_from_bpfdesc,
- .mpo_create_mbuf_from_ifnet = mac_mls_create_mbuf_from_ifnet,
- .mpo_create_mbuf_from_mbuf = mac_mls_create_mbuf_from_mbuf,
- .mpo_create_mbuf_linklayer = mac_mls_create_mbuf_linklayer,
- .mpo_create_mbuf_multicast_encap = mac_mls_create_mbuf_multicast_encap,
- .mpo_create_mbuf_netlayer = mac_mls_create_mbuf_netlayer,
- .mpo_destroy_mbuf_label = mac_mls_destroy_label,
- .mpo_init_mbuf_label = mac_mls_init_label_waitcheck,
- .mpo_reflect_mbuf_icmp = mac_mls_reflect_mbuf_icmp,
- .mpo_reflect_mbuf_tcp = mac_mls_reflect_mbuf_tcp,
-*/
-
static char *labelnamespaces[MAC_MLS_LABEL_NAME_COUNT] = {MAC_MLS_LABEL_NAME};
struct mac_policy_conf mac_mls_mac_policy_conf = {
"mac_mls", /* policy name */
@@ -3591,13 +3541,15 @@
static kern_return_t
kmod_start(kmod_info_t *ki, void *xd)
{
- return mac_policy_register (&mac_mls_mac_policy_conf);
+
+ return (mac_policy_register(&mac_mls_mac_policy_conf));
}
static kern_return_t
kmod_stop(kmod_info_t *ki, void *xd)
{
- return mac_policy_unregister (&mac_mls_mac_policy_conf);
+
+ return (mac_policy_unregister(&mac_mls_mac_policy_conf));
}
extern kern_return_t _start(kmod_info_t *ki, void *data);
==== //depot/projects/trustedbsd/sedarwin7/src/mac_mls/mac_mls.h#3 (text+ko) ====
==== //depot/projects/trustedbsd/sedarwin7/src/mac_none/Makefile#3 (text+ko) ====
@@ -1,16 +1,9 @@
+POLICY= none
+POLICY_VER= 1.0
+POLICY_COMPVER= 1.0
+POLICY_DESC= "MAC None Policy"
+POLICY_SRCS= mac_none.c
+POLICY_MAN= mac_none.4
+
include ../Makeconfig
include $(DARWIN_ROOT)/build/PolicyKext.mk
-
-CFLAGS += $(DARWIN_HDRS) -DAPPLE
-CFLAGS += -g
-
-mac_none.kext.tar: mac_none.o
-
-clean:
- rm -rf mac_none.kext.tar mac_none.kext
- rm -f mac_none.o
-
-install: mac_none.kext.tar mac_none.4
- install -m 644 mac_none.4 $(DESTDIR)/usr/share/man/man4
- cat $< | (cd $(DESTDIR)/System/Library/Extensions; tar xf -)
- touch $(DESTDIR)/System/Library/Extensions/mac_none.kext/LoadEarly
==== //depot/projects/trustedbsd/sedarwin7/src/mac_none/mac_none.4#3 (text+ko) ====
==== //depot/projects/trustedbsd/sedarwin7/src/mac_none/mac_none.c#3 (text+ko) ====
==== //depot/projects/trustedbsd/sedarwin7/src/mac_stub/Makefile#3 (text+ko) ====
@@ -1,16 +1,35 @@
+POLICY= stub
+POLICY_VER= 1.0
+POLICY_COMPVER= 1.0
+POLICY_DESC= "MAC Stub Policy"
+POLICY_SRCS= mac_stub.c
+POLICY_MAN= mac_stub.4
+
include ../Makeconfig
include $(DARWIN_ROOT)/build/PolicyKext.mk
-CFLAGS += $(DARWIN_HDRS) -DAPPLE
-CFLAGS += -g -Wall
+CLEANFILES+= stub_funcs.h stub_policy_ops.h policy.in
+
+mac_stub.c: stub_funcs.h stub_policy_ops.h
-mac_stub.kext.tar: mac_stub.o
+policy.in: $(EXPORT_HDRS)/bsd/sys/mac_policy.h
+ @cpp -P $< \
+ | grep -v ^\$ \
+ | awk 'RS=";" { if ($$1 == "typedef") { print $$0";" } }' \
+ | tr -d "\n\t" \
+ | tr ";" "\n" \
+ | sed -e 's/typedef //g' \
+ -e 's/,/, /g' \
+ -e 's/_t(/ (/g' \
+ -e 's/ mpo_/ /g' \
+ > $@
-clean:
- rm -rf mac_stub.kext.tar mac_stub.kext
- rm -f mac_stub.o
+stub_funcs.h: policy.in
+ @cat $< \
+ | awk -f mk_stub_funcs.awk \
+ > $@
-install: mac_stub.kext.tar mac_stub.4
- install -m 644 mac_stub.4 $(DESTDIR)/usr/share/man/man4
- cat $< | (cd $(DESTDIR)/System/Library/Extensions; tar xf -)
- touch $(DESTDIR)/System/Library/Extensions/mac_stub.kext/LoadEarly
+stub_policy_ops.h: policy.in
+ @cat $< \
+ | awk -f mk_stub_policy_ops.awk \
+ > $@
==== //depot/projects/trustedbsd/sedarwin7/src/mac_stub/mac_stub.4#3 (text+ko) ====
==== //depot/projects/trustedbsd/sedarwin7/src/mac_stub/mac_stub.c#5 (text+ko) ====
@@ -1,6 +1,7 @@
/*-
+ * Copyright (c) 2005 SPARTA, Inc.
+ * Copyright (c) 2001-2003 Networks Associates Technology, Inc.
* Copyright (c) 1999-2002 Robert N. M. Watson
- * Copyright (c) 2001-2003 Networks Associates Technology, Inc.
* All rights reserved.
*
* This software was developed by Robert Watson for the TrustedBSD Project.
@@ -44,25 +45,27 @@
*/
#include <sys/types.h>
-#include <sys/extattr.h>
#include <sys/conf.h>
#include <sys/kernel.h>
-#include <sys/mac.h>
#include <sys/malloc.h>
#include <sys/mman.h>
#include <sys/mount.h>
#include <sys/posix_sem.h>
#include <sys/posix_shm.h>
#include <sys/proc.h>
+#include <sys/sem.h>
+#include <sys/shm.h>
#include <sys/sbuf.h>
#include <sys/systm.h>
#include <sys/vnode.h>
#include <sys/dirent.h>
#include <sys/sysctl.h>
-#include <sys/libkern.h>
#include <sys/ucred.h>
#include <sys/socket.h>
#include <sys/socketvar.h>
+
+#include <libkern/libkern.h>
+#include <sys/mac.h>
#include <sys/mac_policy.h>
#include <vm/vm_kern.h>
@@ -89,1286 +92,18 @@
SYSCTL_INT(_security_mac_stub, OID_AUTO, enabled, CTLFLAG_RW,
&mac_stub_enabled, 0, "Enforce stub policy");
-static void
-stub_associate_vnode_devfs(struct mount *mp, struct label *fslabel,
- struct devnode *de, struct label *delabel, struct vnode *vp,
- struct label *vlabel)
-{
-
-}
-
-static int
-stub_associate_vnode_extattr(struct mount *mp, struct label *fslabel,
- struct vnode *vp, struct label *vlabel)
-{
-
- return (0);
-}
-
-static void
-stub_associate_vnode_singlelabel(struct mount *mp, struct label *fslabel,
- struct vnode *vp, struct label *vlabel)
-{
-
-}
-
-static int
-stub_check_cred_relabel(struct ucred *cred, struct label *newlabel)
-{
-
- return (0);
-}
-
-static int
-stub_check_cred_visible(struct ucred *u1, struct ucred *u2)
-{
-
- return (0);
-}
-
-
-static int
-stub_check_fcntl(struct ucred *cred, struct file *fd, int cmd, int arg)
-{
-
- return (0);
-}
-
-static int
-stub_check_get_fd(struct ucred *cred, struct file *fd, char *elements, int len)
-{
-
- return (0);
-}
-
-static int
-stub_check_ioctl(struct ucred *cred, struct file *fd, int com, void *data)
-{
-
- return (0);
-}
-
-static int
-stub_check_mount_stat(struct ucred *cred, struct mount *mp,
- struct label *mntlabel)
-{
-
- return (0);
-}
-
-static int
-stub_check_port_copy_send(struct label *task, struct label *port)
-{
-
- return (0);
-}
-
-static int
-stub_check_port_hold_receive(struct label *task, struct label *port)
-{
-
- return (0);
-}
-
-static int
-stub_check_port_hold_send(struct label *task, struct label *port)
-{
-
- return (0);
-}
-
-static int
-stub_check_port_make_send(struct label *task, struct label *port)
-{
-
- return (0);
-}
-
-static int
-stub_check_port_move_receive(struct label *task, struct label *port)
-{
-
- return (0);
-}
-
-static int
-stub_check_port_relabel(struct label *task, struct label *old,
- struct label *newlabel)
-{
-
- return (0);
-}
-
-static int
-stub_check_port_send(struct label *task, struct label *port)
-{
-
- return (0);
-}
-
-static int
-stub_check_posix_sem_create(struct ucred *cred, const char *semname)
-{
-
- return (0);
-}
-
-static int
-stub_check_posix_sem_open(struct ucred *cred, struct pseminfo *sem,
- struct label *semlabel)
-{
-
- return (0);
-}
-
-static int
-stub_check_posix_sem_post(struct ucred *cred, struct pseminfo *sem,
- struct label *semlabel)
-{
-
- return (0);
-}
-
-static int
-stub_check_posix_sem_unlink(struct ucred *cred, struct pseminfo *sem,
- struct label *semlabel, const char *semname)
-{
-
- return (0);
-}
-
-static int
-stub_check_posix_sem_wait(struct ucred *cred, struct pseminfo *sem,
- struct label *semlabel)
-{
-
- return (0);
-}
-
-static int
-stub_check_posix_shm_create(struct ucred *cred, const char *shmname)
-{
-
- return (0);
-}
-
-static int
-stub_check_posix_shm_open(struct ucred *cred, struct pshminfo *shm,
- struct label *shmlabel)
-{
-
- return (0);
-}
-
-static int
-stub_check_posix_shm_mmap(struct ucred *cred, struct pshminfo *shm,
- struct label *shmlabel, int flags, int prot)
-{
-
- return (0);
-}
-
-static int
-stub_check_posix_shm_stat(struct ucred *cred, struct pshminfo *shm,
- struct label *shmlabel)
-{
-
- return (0);
-}
-
-static int
-stub_check_posix_shm_truncate(struct ucred *cred, struct pshminfo *shm,
- struct label *shmlabel, size_t size)
-{
-
- return (0);
-}
-
-static int
-stub_check_posix_shm_unlink(struct ucred *cred, struct pshminfo *shm,
- struct label *shmlabel, const char *shmname)
-{
-
- return (0);
-}
-
-static int
-stub_check_proc_debug(struct ucred *cred, struct proc *proc)
-{
-
- return (0);
-}
-
-static int
-stub_check_proc_getaudit(struct ucred *cred)
-{
-
- return (0);
-}
-
-static int
-stub_check_proc_getauid(struct ucred *cred)
-{
-
- return (0);
-}
-
-static int
-stub_check_proc_sched(struct ucred *cred, struct proc *proc)
-{
-
- return (0);
-}
-
-static int
-stub_check_proc_setaudit(struct ucred *cred, struct auditinfo *ai)
-{
-
- return (0);
-}
-
-static int
-stub_check_proc_setauid(struct ucred *cred, uid_t auid)
-{
-
- return (0);
-}
-
-static int
-stub_check_proc_signal(struct ucred *cred, struct proc *proc, int signum)
-{
-
- return (0);
-}
-
-static int
-stub_check_proc_wait(struct ucred *cred, struct proc *proc)
-{
-
- return (0);
-}
-
-static int
-stub_check_service_access(struct label *subj, struct label *obj,
- const char *serv, const char *perm)
-{
-
- return (0);
-}
-
-static int
-stub_check_set_fd(struct ucred *cred, struct file *fd, char *elements, int len)
-{
-
- return (0);
-}
-
-static int
-stub_check_socket_accept(struct ucred *cred,
- struct socket *socket, struct label *socklabel, struct sockaddr *addr)
-{
-
- return (0);
-}
-
-static int
-stub_check_socket_bind(struct ucred *cred, struct socket *socket,
- struct label *socklabel, struct sockaddr *addr)
-{
-
- return (0);
-}
-
-static int
-stub_check_socket_connect(struct ucred *cred, struct socket *socket,
- struct label *socklabel, struct sockaddr *addr)
-{
-
- return (0);
-}
-
-static int
-stub_check_socket_deliver(struct socket *so, struct label *so_label,
- struct mbuf *m, struct label *m_label)
-{
-
- return (0);
-}
-
-static int
>>> TRUNCATED FOR MAIL (1000 lines) <<<