PERFORCE change 107172 for review
Todd Miller
millert at FreeBSD.org
Tue Oct 3 07:31:07 PDT 2006
http://perforce.freebsd.org/chv.cgi?CH=107172
Change 107172 by millert at millert_macbook on 2006/10/03 14:30:00
Return ENOENT in externalize routines when passed an
element_name that is not supported for the label type being
exported. Fixes "getfmac -l '*' /bin/ls"
Affected files ...
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_base.c#11 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/count/mac_count.c#4 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/count/mk_count_decls.awk#2 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#16 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/stub/mk_stub_funcs.awk#2 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/test/mac_test.c#8 edit
Differences ...
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_base.c#11 (text+ko) ====
@@ -1066,8 +1066,21 @@
if (error)
goto done;
error = mpo_externalize(label, mle->mle_name, sb);
- if (error)
- goto done;
+ if (error) {
+ if (error != ENOENT)
+ goto done;
+ /*
+ * If a policy doesn't have a label to
+ * externalize it returns ENOENT. This
+ * may occur for policies that support
+ * multiple label elements for some
+ * (but not all) object types.
+ */
+ sbuf_setpos(sb, sbuf_len(sb) -
+ (strlen(mle->mle_name) + 1));
+ error = 0;
+ continue;
+ }
error = sbuf_putc(sb, ',');
if (error)
goto done;
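Review bot: The rewind `sbuf_setpos(sb, sbuf_len(sb) - (strlen(mle->mle_name) + 1));` hard-codes the assumption that exactly the element name plus one separator byte were appended right before the `mpo_externalize` call and that the policy wrote nothing to `sb` before returning ENOENT; the name write is outside this hunk, so the two sites can drift apart. Recording the position before the name is appended and rewinding to it — `int start = sbuf_len(sb);` ahead of the name write, then `sbuf_setpos(sb, start);` here — removes the arithmetic and also discards any partial output a policy produced. The return value of `sbuf_setpos` is ignored as well; in the FreeBSD-derived sbuf, `sbuf_len` returns -1 once the buffer has overflowed and the rewind is then refused, so `if (sbuf_setpos(sb, start) < 0) { error = ENOMEM; goto done; }` (or whatever error the loop uses for sbuf failures) keeps that visible. The enclosing loop and its `done:` label lie outside the hunk.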
==== //depot/projects/trustedbsd/sedarwin8/policies/count/mac_count.c#4 (text+ko) ====
@@ -79,8 +79,8 @@
#define REG_COUNTER(n) \
sysctl_register_oid(&sysctl__security_mac_count_ ## n ## _c);
-#define MAKE_RETSYSCTL(n) \
- static int n ## _ret; \
+#define MAKE_RETSYSCTL(n, v) \
+ static int n ## _ret = v; \
SYSCTL_INT(_security_mac_retcontrol, OID_AUTO, n ## _ret, CTLFLAG_RW, \
&n ## _ret, 0, #n "() return value");
==== //depot/projects/trustedbsd/sedarwin8/policies/count/mk_count_decls.awk#2 (text+ko) ====
@@ -1,5 +1,9 @@
{
printf "MAKE_COUNTER(" $2 ");\n"
- if ($1 == "int")
- printf "MAKE_RETSYSCTL(" $2 ");\n"
+ if ($1 == "int") {
+ if ($2 ~ /externalize/)
+ printf "MAKE_RETSYSCTL(" $2 ", ENOENT);\n"
+ else
+ printf "MAKE_RETSYSCTL(" $2 ", 0);\n"
+ }
}
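Review bot: The substring match `$2 ~ /externalize/` on the new line selects the ENOENT default for any entry point whose name merely contains that word, not specifically the externalize-label hooks; the hooks visible elsewhere in this change all end in `_externalize_label`, so anchoring the pattern, `if ($2 ~ /_externalize_label$/)`, states the intent and keeps an unrelated future entry point from silently defaulting to ENOENT. The same test appears in the mk_stub_funcs.awk hunk of this change and would take the same anchoring. Whether every externalize hook in the declaration list follows that suffix is not visible here, so check the input before tightening.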
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#16 (text+ko) ====
@@ -2940,7 +2940,7 @@
struct n2##_security_struct *lsec; \
\
if (strcmp("sebsd", element_name) != 0) \
- return (0); \
+ return (ENOENT); \
\
lsec = SLOT(label); \
return (sebsd_externalize_sid(lsec->sid, element_name, sb)); \
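Review bot: The new `return (ENOENT); \` on the non-"sebsd" element_name branch carries no comment saying that ENOENT is now a value the framework reacts to rather than an error; a one-liner such as `/* Not our element: ENOENT makes mac_externalize omit it instead of failing. */` would stop a later reader from filing it as a bug, and the same applies to the second sebsd.c hunk below. Both returns happen before anything is written to `sb`, which matters because the framework's ENOENT handling in this change rewinds the buffer by the element-name length only. The enclosing macro body and the function in the second hunk both begin outside the hunks.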
@@ -2958,7 +2958,7 @@
else if (strcmp("sebsd", element_name) == 0)
sid = tsec->sid;
else
- return (0);
+ return (ENOENT);
return (sebsd_externalize_sid(sid, element_name, sb));
}
==== //depot/projects/trustedbsd/sedarwin8/policies/stub/mk_stub_funcs.awk#2 (text+ko) ====
@@ -6,7 +6,10 @@
}
printf "\n{\n"
if ($1 == "int") {
- printf "\treturn (0);\n"
+ if ($2 ~ /externalize/)
+ printf "\treturn (ENOENT);\n"
+ else
+ printf "\treturn (0);\n"
}
printf "}\n\n"
}
==== //depot/projects/trustedbsd/sedarwin8/policies/test/mac_test.c#8 (text+ko) ====
@@ -590,7 +590,7 @@
init_label(dest, desttype, fcnname, fctx);
}
-static int
+static void
externalize_label(struct label *label, int type,
const char *fcnname, const char *fctx)
{
@@ -600,10 +600,9 @@
#else
use_label(label, type, fcnname, fctx);
#endif
- return (0);
}
-static int
+static void
internalize_label(struct label *label, int type,
const char *fcnname, const char *fctx)
{
@@ -613,7 +612,6 @@
#else
init_label(label, type, fcnname, fctx);
#endif
- return (0);
}
/*
@@ -907,70 +905,80 @@
mac_test_cred_externalize_label(struct label *label,
char *element_name, struct sbuf *sb)
{
- return EXTERNALIZE_LABEL(label, CREDTYPE);
+ EXTERNALIZE_LABEL(label, CREDTYPE);
+ return (ENOENT);
}
static int
mac_test_lctx_externalize_label(struct label *label,
char *element_name, struct sbuf *sb)
{
- return EXTERNALIZE_LABEL(label, LCTXTYPE);
+ EXTERNALIZE_LABEL(label, LCTXTYPE);
+ return (ENOENT);
}
static int
mac_test_pipe_externalize_label(struct label *label,
char *element_name, struct sbuf *sb)
{
- return EXTERNALIZE_LABEL(label, PIPETYPE);
+ EXTERNALIZE_LABEL(label, PIPETYPE);
+ return (ENOENT);
}
static int
mac_test_vnode_externalize_label(struct label *label,
char *element_name, struct sbuf *sb)
{
- return EXTERNALIZE_LABEL(label, VNODETYPE);
+ EXTERNALIZE_LABEL(label, VNODETYPE);
+ return (ENOENT);
}
static int
mac_test_mount_externalize_label(struct label *label,
char *element_name, struct sbuf *sb)
{
- return EXTERNALIZE_LABEL(label, MOUNTTYPE);
+ EXTERNALIZE_LABEL(label, MOUNTTYPE);
+ return (ENOENT);
}
static int
mac_test_cred_internalize_label(struct label *label,
char *element_name, char *element_data)
{
- return INTERNALIZE_LABEL(label, CREDTYPE);
+ INTERNALIZE_LABEL(label, CREDTYPE);
+ return (0);
}
static int
mac_test_lctx_internalize_label(struct label *label,
char *element_name, char *element_data)
{
- return INTERNALIZE_LABEL(label, LCTXTYPE);
+ INTERNALIZE_LABEL(label, LCTXTYPE);
+ return (0);
}
static int
mac_test_pipe_internalize_label(struct label *label,
char *element_name, char *element_data)
{
- return INTERNALIZE_LABEL(label, PIPETYPE);
+ INTERNALIZE_LABEL(label, PIPETYPE);
+ return (0);
}
static int
mac_test_vnode_internalize_label(struct label *label,
char *element_name, char *element_data)
{
- return INTERNALIZE_LABEL(label, VNODETYPE);
+ INTERNALIZE_LABEL(label, VNODETYPE);
+ return (0);
}
static int
mac_test_mount_internalize_label(struct label *label,
char *element_name, char *element_data)
{
- return INTERNALIZE_LABEL(label, MOUNTTYPE);
+ INTERNALIZE_LABEL(label, MOUNTTYPE);
+ return (0);
}
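Review bot: All five `*_externalize_label` hooks in this hunk now return ENOENT unconditionally, ignoring `element_name` and `sb`, with no comment saying why the test policy exports nothing; add something like `/* mac_test has no externalizable element; ENOENT tells the framework to drop it from the output. */` on the first hook, or fold it into the EXTERNALIZE_LABEL macro's definition, which is outside this hunk. Because the framework rewinds `sb` by the element-name length on ENOENT, these hooks must leave `sb` untouched; that holds only if EXTERNALIZE_LABEL, now expanding to a void call, never writes to the buffer, which cannot be confirmed from the hunk. The socket externalize hooks later in this file keep returning 0 after appending "socket", so the policy's behaviour is split across two conventions and deserves a sentence where the macros are defined.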
static void
@@ -2349,7 +2357,8 @@
// this probably doesn't work.
if (sbuf_cat(sb, "socket") < 0)
return (ENOMEM);
- return EXTERNALIZE_LABEL(label, SOCKETTYPE);
+ EXTERNALIZE_LABEL(label, SOCKETTYPE);
+ return 0;
}
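Review bot: `return 0;` on the new line drops the parenthesised form the rest of this file uses (`return (ENOENT);` and `return (0);` in the other hunks, `return (ENOMEM);` two lines up); `return (0);` keeps the style uniform, and the same applies to the socketpeer hunk that follows. Unlike the other externalize hooks in this change, this one appends "socket" to `sb` regardless of `element_name` and reports success, so a query for an unrelated element still receives a test-policy entry; that is the pre-existing behaviour the `// this probably doesn't work.` comment already flags, not something this change introduces. The enclosing function's signature lies outside the hunk.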
static int
@@ -2359,7 +2368,8 @@
//this probably doesn't work.
if (sbuf_cat(sb, "socketpeer") < 0)
return ENOMEM;
- return EXTERNALIZE_LABEL(label, SOCKETTYPE);
+ EXTERNALIZE_LABEL(label, SOCKETTYPE);
+ return 0;
}
static int
@@ -2369,7 +2379,8 @@
// KASSERT(thread_funnel_get() == network_flock,
// "mac_test_socket_internalize_label: not holding the network funnel!");
- return INTERNALIZE_LABEL(label, SOCKETTYPE);
+ INTERNALIZE_LABEL(label, SOCKETTYPE);
+ return (0);
}
static void