PERFORCE change 109948 for review
Todd Miller
millert at FreeBSD.org
Tue Nov 14 18:26:50 UTC 2006
http://perforce.freebsd.org/chv.cgi?CH=109948
Change 109948 by millert at millert_g5tower on 2006/11/14 18:25:35
Add vfs_truncate entrypoint.
Remove mac_enforce_XXX toggles.
Remove lock assertions from FreeBSD that were #defined away.
Add MPC_LOADTIME_FLAG_NOTLATE to policy load flags where appropriate.
Affected files ...
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/vfs/vfs_syscalls.c#12 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_base.c#20 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_framework.h#11 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_internal.h#9 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_pipe.c#7 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_policy.h#19 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_posix_sem.c#5 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_posix_shm.c#5 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_process.c#10 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_socket.c#7 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_system.c#3 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_sysv_msg.c#6 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_sysv_sem.c#5 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_sysv_shm.c#5 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_vfs.c#14 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/color/mac_color.c#9 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/console/mac_console.c#8 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/count/mac_count.c#5 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/device_access/mac_device_access.c#4 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/mls/mac_mls.c#17 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/multilabel/multilabel.c#6 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/none/mac_none.c#4 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/readonly/mac_readonly.c#6 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#32 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/stacktrace/module/mac_stacktrace.c#6 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/stub/mac_stub.c#3 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/test/mac_test.c#15 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/vanity/vanity.c#6 edit
Differences ...
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/vfs/vfs_syscalls.c#12 (text+ko) ====
@@ -3596,7 +3596,7 @@
VATTR_SET(&va, va_data_size, uap->length);
#ifdef MAC
- error = mac_vnode_check_write(vfs_context_ucred(&context), NOCRED, vp);
+ error = mac_vnode_check_truncate(vfs_context_ucred(&context), NOCRED, vp);
if (error)
goto out;
#endif
@@ -3663,7 +3663,7 @@
AUDIT_ARG(vnpath, vp, ARG_VNODE1);
#ifdef MAC
- error = mac_vnode_check_write(vfs_context_ucred(&context),
+ error = mac_vnode_check_truncate(vfs_context_ucred(&context),
fp->f_fglob->fg_cred, vp);
if (error) {
(void)vnode_put(vp);
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_base.c#20 (text+ko) ====
@@ -116,36 +116,10 @@
static int mac_labelmbufs = 0;
#endif
-int mac_enforce_fs = 1;
-SYSCTL_INT(_security_mac, OID_AUTO, enforce_fs, CTLFLAG_RW,
- &mac_enforce_fs, 0, "Enforce MAC policy on file system objects");
-TUNABLE_INT("security.mac.enforce_fs", &mac_enforce_fs);
-
-int mac_enforce_process = 1;
-SYSCTL_INT(_security_mac, OID_AUTO, enforce_process, CTLFLAG_RW,
- &mac_enforce_process, 0, "Enforce MAC policy on inter-process operations");
-TUNABLE_INT("security.mac.enforce_process", &mac_enforce_process);
-
-int mac_enforce_socket = 1;
-SYSCTL_INT(_security_mac, OID_AUTO, enforce_socket, CTLFLAG_RW,
- &mac_enforce_socket, 1, "Enforce MAC policy on sockets");
-TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket);
-
extern int mac_label_mbufs;
SYSCTL_INT(_security_mac, OID_AUTO, label_mbufs, CTLFLAG_RW,
&mac_label_mbufs, 1, "Label all MBUFs");
-TUNABLE_INT("security.mac.label_mbufs", &mac_label_mbufs);
-int mac_enforce_system = 1;
-SYSCTL_INT(_security_mac, OID_AUTO, enforce_system, CTLFLAG_RW,
- &mac_enforce_system, 0, "Enforce MAC policy on system operations");
-TUNABLE_INT("security.mac.enforce_system", &mac_enforce_system);
-
-int mac_enforce_vm = 1;
-SYSCTL_INT(_security_mac, OID_AUTO, enforce_vm, CTLFLAG_RW,
- &mac_enforce_vm, 0, "Enforce MAC policy on vm operations");
-TUNABLE_INT("security.mac.enforce_vm", &mac_enforce_vm);
-
int mac_mmap_revocation = 1;
SYSCTL_INT(_security_mac, OID_AUTO, mmap_revocation, CTLFLAG_RW,
&mac_mmap_revocation, 0, "Revoke mmap access to files on subject "
@@ -328,8 +302,6 @@
static __inline void
mac_policy_grab_exclusive(void)
{
- WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
- "mac_policy_grab_exclusive() at %s:%d", __FILE__, __LINE__);
mutex_lock(mac_policy_mtx);
while (mac_policy_busy != 0)
cv_wait(&mac_policy_cv, mac_policy_mtx);
@@ -471,12 +443,7 @@
sysctl_register_oid(&sysctl__security);
sysctl_register_oid(&sysctl__security_mac);
sysctl_register_oid(&sysctl__security_mac_max_slots);
- sysctl_register_oid(&sysctl__security_mac_enforce_fs);
- sysctl_register_oid(&sysctl__security_mac_enforce_process);
- sysctl_register_oid(&sysctl__security_mac_enforce_system);
- sysctl_register_oid(&sysctl__security_mac_enforce_socket);
sysctl_register_oid(&sysctl__security_mac_label_mbufs);
- sysctl_register_oid(&sysctl__security_mac_enforce_vm);
sysctl_register_oid(&sysctl__security_mac_mmap_revocation);
sysctl_register_oid(&sysctl__security_mac_mmap_revocation_via_cow);
printf("MAC Framework successfully initialized\n");
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_framework.h#11 (text+ko) ====
@@ -441,6 +441,8 @@
struct timespec atime, struct timespec mtime);
int mac_vnode_check_stat(struct ucred *active_cred,
struct ucred *file_cred, struct vnode *vp);
+int mac_vnode_check_truncate(struct ucred *active_cred,
+ struct ucred *file_cred, struct vnode *vp);
int mac_vnode_check_write(struct ucred *active_cred,
struct ucred *file_cred, struct vnode *vp);
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_internal.h#9 (text+ko) ====
@@ -382,15 +382,8 @@
} while (0)
/* Darwin */
-
-#define TUNABLE_INT(x, y)
-#define WITNESS_WARN(x, y, z, ...)
#define mtx_assert(x, y)
#define MA_OWNED
-#define PROC_LOCK_ASSERT(x, y)
-#define M_ASSERTPKTHDR(x)
-
-#define ASSERT_VOP_LOCKED(vp,msg)
struct __mac_get_pid_args;
struct __mac_get_proc_args;
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_pipe.c#7 (text+ko) ====
@@ -44,14 +44,6 @@
#include <security/mac_internal.h>
-static int mac_enforce_pipe = 1;
-SYSCTL_INT(_security_mac, OID_AUTO, enforce_pipe, CTLFLAG_RW,
- &mac_enforce_pipe, 0, "Enforce MAC policy on pipe operations");
-TUNABLE_INT("security.mac.enforce_pipe", &mac_enforce_pipe);
-
-/* Define this to PIPE_LOCK_ASSERT(x, y) if mutex assertions are desired. */
-#define MAC_PIPE_LOCK_ASSERT(x, y)
-
struct label *
mac_pipe_label_alloc(void)
{
@@ -126,11 +118,6 @@
{
int error;
- MAC_PIPE_LOCK_ASSERT(cpipe, LCK_MTX_ASSERT_OWNED);
-
- if (!mac_enforce_pipe)
- return (0);
-
MAC_CHECK(pipe_check_kqfilter, cred, kn, cpipe, cpipe->pipe_label);
return (error);
}
@@ -140,11 +127,6 @@
{
int error;
- MAC_PIPE_LOCK_ASSERT(cpipe, LCK_MTX_ASSERT_OWNED);
-
- if (!mac_enforce_pipe)
- return (0);
-
MAC_CHECK(pipe_check_ioctl, cred, cpipe, cpipe->pipe_label, cmd, data);
return (error);
@@ -155,11 +137,6 @@
{
int error;
- MAC_PIPE_LOCK_ASSERT(cpipe, LCK_MTX_ASSERT_OWNED);
-
- if (!mac_enforce_pipe)
- return (0);
-
MAC_CHECK(pipe_check_read, cred, cpipe, cpipe->pipe_label);
return (error);
@@ -171,11 +148,6 @@
{
int error;
- MAC_PIPE_LOCK_ASSERT(cpipe, LCK_MTX_ASSERT_OWNED);
-
- if (!mac_enforce_pipe)
- return (0);
-
MAC_CHECK(pipe_check_label_update, cred, cpipe, cpipe->pipe_label, newlabel);
return (error);
@@ -186,11 +158,6 @@
{
int error;
- MAC_PIPE_LOCK_ASSERT(cpipe, LCK_MTX_ASSERT_OWNED);
-
- if (!mac_enforce_pipe)
- return (0);
-
MAC_CHECK(pipe_check_select, cred, cpipe, cpipe->pipe_label, which);
return (error);
@@ -201,11 +168,6 @@
{
int error;
- MAC_PIPE_LOCK_ASSERT(cpipe, LCK_MTX_ASSERT_OWNED);
-
- if (!mac_enforce_pipe)
- return (0);
-
MAC_CHECK(pipe_check_stat, cred, cpipe, cpipe->pipe_label);
return (error);
@@ -216,11 +178,6 @@
{
int error;
- MAC_PIPE_LOCK_ASSERT(cpipe, LCK_MTX_ASSERT_OWNED);
-
- if (!mac_enforce_pipe)
- return (0);
-
MAC_CHECK(pipe_check_write, cred, cpipe, cpipe->pipe_label);
return (error);
@@ -232,8 +189,6 @@
{
int error;
- MAC_PIPE_LOCK_ASSERT(cpipe, LCK_MTX_ASSERT_OWNED);
-
error = mac_pipe_check_label_update(cred, cpipe, label);
if (error)
return (error);
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_policy.h#19 (text+ko) ====
@@ -2968,6 +2968,31 @@
);
/**
+ @brief Access control check for truncate/ftruncate
+ @param active_cred Subject credential
+ @param file_cred Credential associated with the struct fileproc
+ @param vp Object vnode
+ @param label Policy label for vp
+
+ Determine whether the subject identified by the credential can
+ perform a truncate operation on the passed vnode. The active_cred hold
+ the credentials of the subject performing the operation, and
+ file_cred holds the credentials of the subject that originally
+ opened the file.
+
+ @return Return 0 if access is granted, otherwise an appropriate value for
+ errno should be returned. Suggested failure: EACCES for label mismatch or
+ EPERM for lack of privilege.
+*/
+typedef int mpo_vnode_check_truncate_t(
+ struct ucred *active_cred,
+ struct ucred *file_cred, /* NULLOK */
+ struct vnode *vp,
+ struct label *label
+);
+
+
+/**
@brief Access control check for POSIX semaphore unlink
@param cred Subject credential
@param ps Pointer to semaphore information structure
@@ -5607,6 +5632,7 @@
mpo_vnode_check_setowner_t *mpo_vnode_check_setowner;
mpo_vnode_check_setutimes_t *mpo_vnode_check_setutimes;
mpo_vnode_check_stat_t *mpo_vnode_check_stat;
+ mpo_vnode_check_truncate_t *mpo_vnode_check_truncate;
mpo_vnode_check_write_t *mpo_vnode_check_write;
mpo_pipe_check_kqfilter_t *mpo_pipe_check_kqfilter;
mpo_pipe_check_ioctl_t *mpo_pipe_check_ioctl;
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_posix_sem.c#5 (text+ko) ====
@@ -41,11 +41,6 @@
#include <security/mac_internal.h>
#include <sys/posix_sem.h>
-static int mac_enforce_posix_sem = 1;
-SYSCTL_INT(_security_mac, OID_AUTO, enforce_posix_sem, CTLFLAG_RW,
- &mac_enforce_posix_sem, 0, "Enforce MAC policy on Posix Semaphores");
-TUNABLE_INT("security.mac.enforce_posix_sem", &mac_enforce_posix_sem);
-
static struct label *
mac_posixsem_label_alloc(void)
{
@@ -92,9 +87,6 @@
{
int error;
- if (!mac_enforce_posix_sem)
- return (0);
-
MAC_CHECK(posixsem_check_create, cred, name);
return (error);
@@ -105,9 +97,6 @@
{
int error;
- if (!mac_enforce_posix_sem)
- return (0);
-
MAC_CHECK(posixsem_check_open, cred, psem,
psem->psem_label);
@@ -119,9 +108,6 @@
{
int error;
- if (!mac_enforce_posix_sem)
- return (0);
-
MAC_CHECK(posixsem_check_post, cred, psem, psem->psem_label);
return (error);
@@ -133,9 +119,6 @@
{
int error;
- if (!mac_enforce_posix_sem)
- return (0);
-
MAC_CHECK(posixsem_check_unlink, cred, psem, psem->psem_label, name);
return (error);
@@ -146,9 +129,6 @@
{
int error;
- if (!mac_enforce_posix_sem)
- return (0);
-
MAC_CHECK(posixsem_check_wait, cred, psem, psem->psem_label);
return (error);
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_posix_shm.c#5 (text+ko) ====
@@ -41,11 +41,6 @@
#include <sys/sysctl.h>
#include <security/mac_internal.h>
-static int mac_enforce_pshm = 1;
-SYSCTL_INT(_security_mac, OID_AUTO, enforce_posix_shm, CTLFLAG_RW,
- &mac_enforce_pshm, 0, "Enforce MAC policy on Posix Shared memory");
-TUNABLE_INT("security.mac.enforce_posix_shm", &mac_enforce_posix_shm);
-
static struct label *
mac_posixshm_label_alloc(void)
{
@@ -92,9 +87,6 @@
{
int error = 0;
- if (!mac_enforce_pshm)
- return 0;
-
MAC_CHECK(posixshm_check_create, cred, name);
return error;
@@ -105,9 +97,6 @@
{
int error;
- if (!mac_enforce_pshm)
- return (0);
-
MAC_CHECK(posixshm_check_open, cred, shm, shm->pshm_label);
return (error);
@@ -119,9 +108,6 @@
{
int error;
- if (!mac_enforce_pshm)
- return (0);
-
MAC_CHECK(posixshm_check_mmap, cred, shm, shm->pshm_label,
prot, flags);
@@ -133,9 +119,6 @@
{
int error;
- if (!mac_enforce_pshm)
- return (0);
-
MAC_CHECK(posixshm_check_stat, cred, shm, shm->pshm_label);
return (error);
@@ -147,9 +130,6 @@
{
int error;
- if (!mac_enforce_pshm)
- return (0);
-
MAC_CHECK(posixshm_check_truncate, cred, shm, shm->pshm_label, size);
return (error);
@@ -161,9 +141,6 @@
{
int error;
- if (!mac_enforce_pshm)
- return (0);
-
MAC_CHECK(posixshm_check_unlink, cred, shm, shm->pshm_label, name);
return (error);
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_process.c#10 (text+ko) ====
@@ -249,9 +249,6 @@
{
int error;
- if (!mac_enforce_process)
- return (0);
-
MAC_CHECK(cred_check_visible, u1, u2);
return (error);
@@ -262,11 +259,6 @@
{
int error;
- PROC_LOCK_ASSERT(proc, MA_OWNED);
-
- if (!mac_enforce_process)
- return (0);
-
MAC_CHECK(proc_check_debug, cred, proc);
return (error);
@@ -277,11 +269,6 @@
{
int error;
- PROC_LOCK_ASSERT(proc, MA_OWNED);
-
- if (!mac_enforce_process)
- return (0);
-
MAC_CHECK(proc_check_sched, cred, proc);
return (error);
@@ -292,11 +279,6 @@
{
int error;
- PROC_LOCK_ASSERT(proc, MA_OWNED);
-
- if (!mac_enforce_process)
- return (0);
-
MAC_CHECK(proc_check_signal, cred, proc, signum);
return (error);
@@ -307,11 +289,6 @@
{
int error;
- PROC_LOCK_ASSERT(proc, MA_OWNED);
-
- if (!mac_enforce_process)
- return (0);
-
MAC_CHECK(proc_check_wait, cred, proc);
return (error);
@@ -328,9 +305,6 @@
{
int error;
- if (!mac_enforce_process)
- return (0);
-
MAC_CHECK(proc_check_setlcid, p0, p, pid, lcid);
return (error);
}
@@ -340,9 +314,6 @@
{
int error;
- if (!mac_enforce_process)
- return (0);
-
MAC_CHECK(proc_check_getlcid, p0, p, pid);
return (error);
}
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_socket.c#7 (text+ko) ====
@@ -62,9 +62,6 @@
#include <security/mac_internal.h>
-extern int mac_enforce_socket;
-
-
struct label *
mac_socket_label_alloc(int flag)
{
@@ -205,7 +202,6 @@
{
struct xsocket oldxso, newxso;
- SOCK_LOCK_ASSERT(oldsocket);
sotoxsocket(oldsocket, &oldxso);
sotoxsocket(newsocket, &newxso);
MAC_PERFORM(socket_label_associate_accept, &oldxso, oldsocket->so_label,
@@ -218,7 +214,6 @@
struct label *label;
struct xsocket xso;
- SOCK_LOCK_ASSERT(socket);
sotoxsocket(socket, &xso);
label = mac_mbuf_to_label(mbuf);
@@ -252,11 +247,6 @@
struct xsocket xso;
int error;
- SOCK_LOCK_ASSERT(so);
-
- if (!mac_enforce_socket)
- return (0);
-
sotoxsocket(socket, &xso);
MAC_CHECK(socket_check_accept, cred, &xso, socket->so_label);
@@ -270,11 +260,6 @@
struct xsocket xso;
int error;
- SOCK_LOCK_ASSERT(socket);
-
- if (!mac_enforce_socket)
- return (0);
-
sotoxsocket(socket, &xso);
MAC_CHECK(socket_check_bind, ucred, &xso, socket->so_label, sockaddr);
@@ -288,11 +273,6 @@
struct xsocket xso;
int error;
- SOCK_LOCK_ASSERT(socket);
-
- if (!mac_enforce_socket)
- return (0);
-
sotoxsocket(socket, &xso);
MAC_CHECK(socket_check_connect, cred, &xso, socket->so_label,
sockaddr);
@@ -305,9 +285,6 @@
{
int error;
- if (!mac_enforce_socket)
- return (0);
-
MAC_CHECK(socket_check_create, cred, domain, type, protocol);
return (error);
@@ -320,11 +297,6 @@
struct xsocket xso;
int error;
- SOCK_LOCK_ASSERT(socket);
-
- if (!mac_enforce_socket)
- return (0);
-
label = mac_mbuf_to_label(mbuf);
/* Policy must deal with NULL label (unlabeled mbufs) */
@@ -341,11 +313,6 @@
struct xsocket xso;
int error;
- SOCK_LOCK_ASSERT(socket);
-
- if (!mac_enforce_socket)
- return (0);
-
sotoxsocket(socket, &xso);
MAC_CHECK(socket_check_kqfilter, cred, kn, &xso, socket->so_label);
return (error);
@@ -357,11 +324,6 @@
struct xsocket xso;
int error;
- SOCK_LOCK_ASSERT(socket);
-
- if (!mac_enforce_socket)
- return (0);
-
sotoxsocket(socket, &xso);
MAC_CHECK(socket_check_listen, cred, &xso, socket->so_label);
@@ -374,11 +336,6 @@
struct xsocket xso;
int error;
- SOCK_LOCK_ASSERT(socket);
-
- if (!mac_enforce_socket)
- return (0);
-
sotoxsocket(socket, &xso);
MAC_CHECK(socket_check_receive, cred, &xso, socket->so_label);
@@ -392,8 +349,6 @@
struct xsocket xso;
int error;
- SOCK_LOCK_ASSERT(socket);
-
sotoxsocket(socket, &xso);
MAC_CHECK(socket_check_label_update, cred, &xso, socket->so_label,
newlabel);
@@ -407,11 +362,6 @@
struct xsocket xso;
int error;
- SOCK_LOCK_ASSERT(socket);
-
- if (!mac_enforce_socket)
- return (0);
-
sotoxsocket(socket, &xso);
MAC_CHECK(socket_check_select, cred, &xso, socket->so_label, which);
@@ -424,11 +374,6 @@
struct xsocket xso;
int error;
- SOCK_LOCK_ASSERT(socket);
-
- if (!mac_enforce_socket)
- return (0);
-
sotoxsocket(socket, &xso);
MAC_CHECK(socket_check_send, cred, &xso, socket->so_label);
@@ -441,11 +386,6 @@
struct xsocket xso;
int error;
- SOCK_LOCK_ASSERT(socket);
-
- if (!mac_enforce_socket)
- return (0);
-
sotoxsocket(socket, &xso);
MAC_CHECK(socket_check_stat, cred, &xso, socket->so_label);
@@ -463,11 +403,6 @@
struct xsocket xso;
int error;
- SOCK_LOCK_ASSERT(socket);
-
- if (!mac_enforce_socket)
- return (0);
-
sotoxsocket(socket, &xso);
MAC_CHECK(socket_check_visible, cred, &xso, socket->so_label);
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_system.c#3 (text+ko) ====
@@ -46,13 +46,6 @@
{
int error;
- if (vp != NULL) {
- ASSERT_VOP_LOCKED(vp, "mac_system_check_acct");
- }
-
- if (!mac_enforce_system)
- return (0);
-
MAC_CHECK(system_check_acct, cred, vp,
vp != NULL ? vp->v_label : NULL);
@@ -64,9 +57,6 @@
{
int error;
- if (!mac_enforce_system)
- return (0);
-
MAC_CHECK(system_check_nfsd, cred);
return (error);
@@ -77,9 +67,6 @@
{
int error;
- if (!mac_enforce_system)
- return (0);
-
MAC_CHECK(system_check_reboot, cred, howto);
return (error);
@@ -90,9 +77,6 @@
{
int error;
- if (!mac_enforce_system)
- return (0);
-
MAC_CHECK(system_check_settime, cred);
return (error);
@@ -103,11 +87,6 @@
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_system_check_swapon");
-
- if (!mac_enforce_system)
- return (0);
-
MAC_CHECK(system_check_swapon, cred, vp, vp->v_label);
return (error);
}
@@ -117,11 +96,6 @@
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_system_check_swapoff");
-
- if (!mac_enforce_system)
- return (0);
-
MAC_CHECK(system_check_swapoff, cred, vp, vp->v_label);
return (error);
}
@@ -136,9 +110,6 @@
* XXXMAC: We're very much like to assert the SYSCTL_LOCK here,
* but since it's not exported from kern_sysctl.c, we can't.
*/
- if (!mac_enforce_system)
- return (0);
-
MAC_CHECK(system_check_sysctl, cred, name, namelen, old, oldlenp,
inkernel, new, newlen);
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_sysv_msg.c#6 (text+ko) ====
@@ -16,12 +16,6 @@
#include <security/mac_internal.h>
-static int mac_enforce_sysv_msg = 1;
-SYSCTL_INT(_security_mac, OID_AUTO, enforce_sysv_msg, CTLFLAG_RW,
- &mac_enforce_sysv_msg, 0,
- "Enforce MAC policy on System V IPC Message Queues");
-TUNABLE_INT("security.mac.enforce_sysv_msg", &mac_enforce_sysv_msg);
-
static struct label *
mac_sysv_msgmsg_label_alloc(void)
{
@@ -92,9 +86,6 @@
{
int error;
- if (!mac_enforce_sysv_msg)
- return (0);
-
MAC_CHECK(sysvmsq_check_enqueue, cred, msgptr, msgptr->label, msqptr,
msqptr->label);
@@ -106,9 +97,6 @@
{
int error;
- if (!mac_enforce_sysv_msg)
- return (0);
-
MAC_CHECK(sysvmsq_check_msgrcv, cred, msgptr, msgptr->label);
return(error);
@@ -119,9 +107,6 @@
{
int error;
- if (!mac_enforce_sysv_msg)
- return (0);
-
MAC_CHECK(sysvmsq_check_msgrmid, cred, msgptr, msgptr->label);
return(error);
@@ -132,9 +117,6 @@
{
int error;
- if (!mac_enforce_sysv_msg)
- return (0);
-
MAC_CHECK(sysvmsq_check_msqget, cred, msqptr, msqptr->label);
return(error);
@@ -145,9 +127,6 @@
{
int error;
- if (!mac_enforce_sysv_msg)
- return (0);
-
MAC_CHECK(sysvmsq_check_msqsnd, cred, msqptr, msqptr->label);
return(error);
@@ -158,9 +137,6 @@
{
int error;
- if (!mac_enforce_sysv_msg)
- return (0);
-
MAC_CHECK(sysvmsq_check_msqrcv, cred, msqptr, msqptr->label);
return(error);
@@ -172,9 +148,6 @@
{
int error;
- if (!mac_enforce_sysv_msg)
- return (0);
-
MAC_CHECK(sysvmsq_check_msqctl, cred, msqptr, msqptr->label, cmd);
return(error);
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_sysv_sem.c#5 (text+ko) ====
@@ -47,11 +47,6 @@
#include <security/mac_internal.h>
-static int mac_enforce_sysv_sem = 1;
-SYSCTL_INT(_security_mac, OID_AUTO, enforce_sysv_sem, CTLFLAG_RW,
- &mac_enforce_sysv_sem, 0, "Enforce MAC policy on System V IPC Semaphores");
-TUNABLE_INT("security.mac.enforce_sysv_sem", &mac_enforce_sysv_sem);
-
static struct label *
mac_sysv_sem_label_alloc(void)
{
@@ -105,9 +100,6 @@
{
int error;
- if (!mac_enforce_sysv_sem)
- return (0);
-
MAC_CHECK(sysvsem_check_semctl, cred, semakptr, semakptr->label, cmd);
return(error);
@@ -118,9 +110,6 @@
{
int error;
- if (!mac_enforce_sysv_sem)
- return (0);
-
MAC_CHECK(sysvsem_check_semget, cred, semakptr, semakptr->label);
return(error);
@@ -132,9 +121,6 @@
{
int error;
- if (!mac_enforce_sysv_sem)
- return (0);
-
MAC_CHECK(sysvsem_check_semop, cred, semakptr, semakptr->label,
accesstype);
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_sysv_shm.c#5 (text+ko) ====
@@ -49,12 +49,6 @@
#include <security/mac_internal.h>
-static int mac_enforce_sysv_shm = 1;
-SYSCTL_INT(_security_mac, OID_AUTO, enforce_sysv, CTLFLAG_RW,
- &mac_enforce_sysv_shm, 0,
- "Enforce MAC policy on System V IPC shared memory");
-TUNABLE_INT("security.mac.enforce_sysv", &mac_enforce_sysv_shm);
-
static struct label *
mac_sysv_shm_label_alloc(void)
{
@@ -108,9 +102,6 @@
{
int error;
- if (!mac_enforce_sysv_shm)
- return (0);
-
MAC_CHECK(sysvshm_check_shmat, cred, shmsegptr, shmsegptr->label,
shmflg);
@@ -123,9 +114,6 @@
{
int error;
- if (!mac_enforce_sysv_shm)
- return (0);
-
MAC_CHECK(sysvshm_check_shmctl, cred, shmsegptr, shmsegptr->label,
cmd);
@@ -137,9 +125,6 @@
{
int error;
- if (!mac_enforce_sysv_shm)
- return (0);
-
MAC_CHECK(sysvshm_check_shmdt, cred, shmsegptr, shmsegptr->label);
return(error);
@@ -151,9 +136,6 @@
{
int error;
- if (!mac_enforce_sysv_shm)
- return (0);
-
MAC_CHECK(sysvshm_check_shmget, cred, shmsegptr, shmsegptr->label,
shmflg);
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_vfs.c#14 (text+ko) ====
@@ -260,8 +260,6 @@
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_vnode_label_associate_extattr");
-
MAC_CHECK(vnode_label_associate_extattr, mp, mp->mnt_mntlabel, vp,
vp->v_label);
@@ -282,9 +280,6 @@
{
int error;
- ASSERT_VOP_LOCKED(dvp, __func__);
- ASSERT_VOP_LOCKED(vp, __func__);
-
MAC_CHECK(vnode_notify_create, cred, mp, mp->mnt_mntlabel,
dvp, dvp->v_label, vp, vp->v_label, cnp);
@@ -321,7 +316,6 @@
{
>>> TRUNCATED FOR MAIL (1000 lines) <<<
More information about the trustedbsd-cvs
mailing list