PERFORCE change 100662 for review

Robert Watson rwatson at FreeBSD.org
Wed Jul 5 22:25:04 UTC 2006 

http://perforce.freebsd.org/chv.cgi?CH=100662

Change 100662 by rwatson at rwatson_zoo on 2006/07/05 22:24:42

	Checkpoint resort/respell on policy ops structure.

Affected files ...

.. //depot/projects/trustedbsd/mac2/sys/sys/mac_policy.h#6 edit

Differences ...

==== //depot/projects/trustedbsd/mac2/sys/sys/mac_policy.h#6 (text+ko) ====

@@ -170,7 +170,7 @@
  * Object: struct ucred (User credential)
  */
 typedef void	(*mpo_cred_init_label_t)(struct label *label);
-typedef void	(*mpo_cred_destroy_cred_label_t)(struct label *label);
+typedef void	(*mpo_cred_destroy_label_t)(struct label *label);
 typedef void	(*mpo_cred_copy_label_t)(struct label *src,
 		    struct label *dest);
 typedef int	(*mpo_cred_externalize_label_t)(struct label *label,
@@ -659,18 +659,131 @@
 typedef int	(*mpo_associate_nfsd_label_t)(struct ucred *cred);
 
 struct mac_policy_ops {
+	mpo_policy_destroy_t				mpo_policy_destroy;
+	mpo_policy_init_t				mpo_policy_init;
+
+	mpo_syscall_t				mpo_syscall;
+
+	mpo_bpfdesc_init_label_t		mpo_bpfdesc_init_label;
+	mpo_bpfdesc_destroy_label_t		mpo_bpfdesc_destroy_label;
+	mpo_bpfdesc_create_t			mpo_bpfdesc_create;
+	mpo_bpfdesc_create_mbuf_t		mpo_bpfdesc_create_mbuf;
+	mpo_bpfdesc_check_receive_t		mpo_bpfdesc_check_receive;
+
 	/*
-	 * Policy module operations.
+	 * XXXRW: Naming consistency here -- perhaps should just be
+	 * mpo_devfs_*.
+	 */
+	mpo_devfsdirent_init_label_t		mpo_devfsdirent_init_label;
+	mpo_devfsdirent_destroy_label_t		mpo_devfsdirent_destroy_label;
+	mpo_devfs_vnode_associate_t		mpo_devfs_vnode_associate;
+	mpo_devfs_create_device_t		mpo_devfs_create_device;
+	mpo_devfs_create_directory_t		mpo_devfs_create_directory;
+	mpo_devfs_create_symlink_t		mpo_devfs_create_symlink;
+	mpo_devfsdirent_update_t		mpo_devfsdirent_update_t;
+
+	/*
+	 * XXXRW: Perhaps should be mpo_ucred_*.
+	 */
+	mpo_cred_init_label_t			mpo_cred_init_label;
+	mpo_cred_destroy_label_t		mpo_cred_destroy_label;
+	mpo_cred_copy_label_t			mpo_cred_copy_label;
+	mpo_cred_externalize_label_t		mpo_cred_externalize_label;
+	mpo_cred_internalize_label_t		mpo_cred_internalize_label;
+	mpo_cred_relabel_t			mpo_cred_relabel;
+	mpo_cred_check_relabel_t		mpo_cred_check_relabel;
+	mpo_cred_check_visible_t		mpo_cred_check_visible;
+
+	/*
+	 * XXXRW: Names here still inconsistent.
+	 */
+	mpo_ifnet_init_label_t			mpo_ifnet_init_label;
+	mpo_ifnet_destroy_label_t		mpo_ifnet_destroy_label;
+	mpo_ifnet_copy_label_t			mpo_ifnet_copy_label;
+	mpo_ifnet_externalize_label_t		mpo_ifnet_externalize_label;
+	mpo_ifnet_internalize_label_t		mpo_ifnet_internalize_label;
+	mpo_ifnet_create_t			mpo_ifnet_create;
+	mpo_create_mbuf_linklayer_t		mpo_create_mbuf_linklayer;
+	mpo_ifnet_create_mbuf_t			mpo_ifnet_create_mbuf;
+	mpo_create_mbuf_multicast_encap_t	mpo_create_mbuf_mulicast_encap;
+	mpo_ifnet_relabel_t			mpo_ifnet_relabel;
+	mpo_ifnet_check_relabel_t		mpo_ifnet_check_relabel;
+	mpo_ifnet_check_transmit_t		mpo_ifnet_check_transmit;
+
+	/*
+	 * XXXRW: Could s/create_from_socket/create/.
+	 */
+	mpo_inpcb_init_label_t			mpo_inpcb_init_label;
+	mpo_inpcb_destroy_label_t		mpo_inpcb_destroy_label;
+	mpo_inpcb_create_from_socket_t		mpo_inpcb_create_from_socket;
+	mpo_inpcb_create_mbuf_t			mpo_inpcb_create_mbuf;
+	mpo_inpcb_sosetlabel_t			mpo_inpcb_sosetlabel;
+	mpo_inpcb_check_deliver_t		mpo_inpcb_check_deliver;
+
+	/*
+	 * XXXRW: Maybe s/create_datagram/reassemble/,
+	 * s/fragment_match/match/.
+	 */
+	mpo_ipq_init_label_t			mpo_ipq_init_label;
+	mpo_ipq_destroy_label_t			mpo_ipq_destroy_label;
+	mpo_ipq_create_t			mpo_ipq_create;
+	mpo_ipq_create_datagram_t		mpo_ipq_create_datagram;
+	mpo_ipq_fragment_match_t		mpo_ipq_fragment_match;
+	mpo_ipq_update_t			mpo_ipq_update;
+
+	mpo_kenv_check_dump_t			mpo_kenv_check_dump;
+	mpo_kenv_check_get_t			mpo_kenv_check_get;
+	mpo_kenv_check_set_t			mpo_kenv_check_set;
+	mpo_kenv_check_unset_t			mpo_kenv_check_unset;
+
+	mpo_kld_check_load_t			mpo_kld_check_load;
+	mpo_kld_check_stat_t			mpo_kld_check_stat;
+	mpo_kld_check_unload_t			mpo_kld_check_unload;
+
+	/*
+	 * XXXRW: Since the structure is ksem, maybe these should be
+	 * renamed; alternatively, maybe ksem should be renamed?  Should
+	 * be unlink instead of destroy?
+	 */
+	mpo_posix_sem_init_label_t		mpo_posix_sem_init_label;
+	mpo_posix_sem_destroy_label_t		mpo_posix_sem_destroy_label;
+	mpo_posix_sem_create_t			mpo_posix_sem_create;
+	mpo_posix_sem_check_destroy_t		mpo_posix_sem_check_destroy;
+	mpo_posix_sem_check_getvalue_t		mpo_posix_sem_check_getvalue;
+	mpo_posix_sem_check_open_t		mpo_posix_sem_check_open;
+	mpo_posix_sem_check_post_t		mpo_posix_sem_check_post;
+	mpo_posix_sem_check_unlink_t		mpo_posix_sem_check_unlink;
+	mpo_posix_sem_check_wait_t		mpo_posix_sem_check_wait;
+
+	/*
+	 * XXXRW: Perhaps fragment, netlayer, icmp, tcp, etc, should be
+	 * netinet calls rather than mbuf calls?
 	 */
-	mpo_policy_destroy_t				mpo_policy_destroy;
-	mpo_policy_init_t				mpo_policy_init;
+	mpo_mbuf_init_label_t			mpo_mbuf_init_label;
+	mpo_mbuf_destroy_label_t		mpo_mbuf_destroy_label;
+	mpo_mbuf_copy_label_t			mpo_mbuf_copy_label;
+	mpo_mbuf_create_fragment_t		mpo_mbuf_create_fragment;
+	mpo_mbuf_create_netlayer_t		mpo_mbuf_create_netlayer;
+	mpo_mbuf_reflect_icmp_t			mpo_mbuf_reflect_icmp;
+	mpo_mbuf_reflect_tcp_t			mpo_mbuf_reflect_tcp;
 
 	/*
-	 * General policy-directed security system call so that policies may
-	 * implement new services without reserving explicit system call
-	 * numbers.
+	 * XXXRW: Time to toast mount_fs label since it basically is unused?
 	 */
-	mpo_syscall_t				mpo_syscall;
+	mpo_mount_init_label_t			mpo_mount_init_label;
+	mpo_mount_fs_init_label_t		mpo_mount_fs_init_label;
+	mpo_mount_destroy_label_t		mpo_mount_destroy_label;
+	mpo_mount_fs_destroy_label_t		mpo_mount_fs_destroy_label;
+	mpo_mount_check_stat_t			mpo_mount_check_stat;
+
+
+
+
+
+
+
+
+
 
 	/*
 	 * Label operations.  Initialize label storage, destroy label

More information about the trustedbsd-cvs mailing list