PERFORCE change 108418 for review
Todd Miller
millert at FreeBSD.org
Wed Oct 25 12:34:17 PDT 2006
http://perforce.freebsd.org/chv.cgi?CH=108418
Change 108418 by millert at millert_macbook on 2006/10/25 19:26:51
The first parameter of mac_devfs_label_associate_directory()
is always NULL. Likewise, the first two parameters of
mac_devfs_label_associate_device() are always NULL. This
is an artifact of the port of the devfs support from FreeBSD
which has a more featureful devfs implementation. There's
no good reason to pass pointers into the framework (and
then the entry points) that are always NULL so they have
been removed.
Affected files ...
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/miscfs/devfs/devfs_tree.c#5 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_framework.h#9 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_policy.h#17 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_vfs.c#13 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/mls/mac_mls.c#15 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#26 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/test/mac_test.c#13 edit
Differences ...
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/miscfs/devfs/devfs_tree.c#5 (text+ko) ====
@@ -178,7 +178,7 @@
= (struct devfsmount *)devfs_hidden_mount->mnt_data;
#endif /* HIDDEN_MOUNTPOINT */
#ifdef MAC
- mac_devfs_label_associate_directory(NULL, "/", strlen("/"),
+ mac_devfs_label_associate_directory("/", strlen("/"),
dev_root->de_dnp, "/");
#endif
devfs_ready = 1;
@@ -308,7 +308,7 @@
break;
dnp = dirent_p->de_dnp;
#ifdef MAC
- mac_devfs_label_associate_directory(NULL,
+ mac_devfs_label_associate_directory(
dirnode->dn_typeinfo.Dir.myname->de_name,
strlen(dirnode->dn_typeinfo.Dir.myname->de_name),
dnp, fullpath);
@@ -1225,8 +1225,7 @@
new_dev->de_dnp->dn_uid = uid;
new_dev->de_dnp->dn_mode |= perms;
#ifdef MAC
- mac_devfs_label_associate_device(NULL, NULL, dev, new_dev->de_dnp,
- buff);
+ mac_devfs_label_associate_device(dev, new_dev->de_dnp, buff);
#endif
devfs_propogate(dnp->dn_typeinfo.Dir.myname, new_dev);
}
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_framework.h#9 (text+ko) ====
@@ -150,10 +150,10 @@
void mac_vnode_label_associate_singlelabel(struct mount *mp, struct vnode *vp);
void mac_vnode_label_associate_file(struct ucred *cred, struct fileglob *fg,
struct vnode *vp);
-void mac_devfs_label_associate_device(struct ucred *cr, struct mount *mp,
- dev_t dev, struct devnode *de, const char *fullpath);
-void mac_devfs_label_associate_directory(struct mount *mp, char *dirname,
- int dirnamelen, struct devnode *de, const char *fullpath);
+void mac_devfs_label_associate_device(dev_t dev, struct devnode *de,
+ const char *fullpath);
+void mac_devfs_label_associate_directory(char *dirname, int dirnamelen,
+ struct devnode *de, const char *fullpath);
int mac_vnode_notify_create(struct ucred *cred, struct mount *mp,
struct vnode *dvp, struct vnode *vp, struct componentname *cnp);
void mac_mount_label_associate(struct ucred *cred, struct mount *mp);
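Review bot: `dirname` is still declared `char *` and `dirnamelen` `int` in the new mac_devfs_label_associate_directory() prototype, although the devfs_tree.c call sites in this change pass the string literal "/" and the result of strlen(). Since every implementation of the entry point is being touched anyway, this would be the moment to declare it `void mac_devfs_label_associate_directory(const char *dirname, size_t dirnamelen,` so that a policy cannot write through the name and the length is not narrowed from size_t. The same would apply to the mpo_devfs_label_associate_directory_t typedef in mac_policy.h, the definition in mac_vfs.c and the mls, sebsd and test policies. This assumes no policy modifies dirname, which the visible hunks do not show either way.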
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_policy.h#17 (text+ko) ====
@@ -1496,23 +1496,16 @@
/**
@brief Create a new devfs device
- @param cred Process credential, if created on behalf of a user process
- @param mp Devfs mount point (currently unused in Darwin)
@param dev Major and minor numbers of special file
@param de "inode" of new device file
@param label Destination label
@param fullpath Path relative to mount (e.g. /dev) of new device file
This entry point labels a new devfs device. The label will likely be based
- on the path to the device, or the major and minor numbers. If the device was
- created on behalf of a user process (for example, /dev/pts/1), then
- 'cred' contains the credentials of that process.
- Otherwise, 'cred' is null. The policy should store an appropriate
- label into 'label'.
+ on the path to the device, or the major and minor numbers.
+ The policy should store an appropriate label into 'label'.
*/
typedef void mpo_devfs_label_associate_device_t(
- struct ucred *cred,
- struct mount *mp,
dev_t dev,
struct devnode *de,
struct label *label,
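Review bot: The mpo_devfs_label_associate_device_t typedef loses its two leading arguments here, and nothing in the visible hunks changes a version or compatibility marker for the policy interface. A policy module built against the old typedef would presumably still load and would then receive `dev` in the slot where it expects a credential pointer, which in kernel context is a type confusion rather than a clean failure. If the framework checks an interface version when a policy registers, it should change with this commit; otherwise a line in the doc comment such as `@note The cred and mp arguments were removed; policies must be rebuilt against this header.` would at least record it. The typedef continues past the end of the hunk, and the same applies to mpo_devfs_label_associate_directory_t in the following hunks.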
@@ -1521,7 +1514,6 @@
/**
@brief Create a new devfs directory
- @param mp Not used in Darwin
@param dirname Name of new directory
@param dirnamelen Length of 'dirname'
@param de "inode" of new directory
@@ -1533,7 +1525,6 @@
label into 'label'. The devfs root directory is labelled in this way.
*/
typedef void mpo_devfs_label_associate_directory_t(
- struct mount *mp,
char *dirname,
int dirnamelen,
struct devnode *de,
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_vfs.c#13 (text+ko) ====
@@ -1090,20 +1090,19 @@
}
void
-mac_devfs_label_associate_device(struct ucred *cr, struct mount *mp, dev_t dev,
- struct devnode *de, const char *fullpath)
+mac_devfs_label_associate_device(dev_t dev, struct devnode *de,
+ const char *fullpath)
{
- MAC_PERFORM(devfs_label_associate_device, cr, mp, dev, de, de->dn_label,
- fullpath);
+ MAC_PERFORM(devfs_label_associate_device, dev, de, de->dn_label, fullpath);
}
void
-mac_devfs_label_associate_directory(struct mount *mp, char *dirname, int dirnamelen,
+mac_devfs_label_associate_directory(char *dirname, int dirnamelen,
struct devnode *de, const char *fullpath)
{
- MAC_PERFORM(devfs_label_associate_directory, mp, dirname, dirnamelen, de,
+ MAC_PERFORM(devfs_label_associate_directory, dirname, dirnamelen, de,
de->dn_label, fullpath);
}
==== //depot/projects/trustedbsd/sedarwin8/policies/mls/mac_mls.c#15 (text+ko) ====
@@ -1032,8 +1032,8 @@
* a lot like file system objects.
*/
static void
-mac_mls_devfs_label_associate_device(struct ucred *cr, struct mount *mp,
- dev_t dev, struct devnode *de, struct label *label, const char *fullpath)
+mac_mls_devfs_label_associate_device(dev_t dev, struct devnode *de,
+ struct label *label, const char *fullpath)
{
struct mac_mls *mac_mls;
int mls_type;
@@ -1057,9 +1057,8 @@
}
static void
-mac_mls_devfs_label_associate_directory(struct mount *mp, char *dirname,
- int dirnamelen, struct devnode *de, struct label *label,
- const char *fullpath)
+mac_mls_devfs_label_associate_directory(char *dirname, int dirnamelen,
+ struct devnode *de, struct label *label, const char *fullpath)
{
struct mac_mls *mac_mls;
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#26 (text+ko) ====
@@ -1062,13 +1062,9 @@
ipcsec->sclass = SECCLASS_SHM;
}
-/*
- * NOTE: on Darwin mp will always be NULLL for sebsd_devfs_label_associate_device
- */
static void
-sebsd_devfs_label_associate_device(struct ucred *cr, struct mount *mp, dev_t dev,
- struct devnode *devfs_dirent, struct label *label,
- const char *fullpath)
+sebsd_devfs_label_associate_device(dev_t dev, struct devnode *devfs_dirent,
+ struct label *label, const char *fullpath)
{
char *path;
int rc;
@@ -1090,21 +1086,6 @@
if (rc == 0)
dirent->sid = newsid;
- /* If there was a creating process (currently only for /dev/pty*),
- try a type_transition rule. */
- if (cr != NULL) {
- struct task_security_struct *task = SLOT(cr->cr_label);
-
- /*
- * XXX: uses the type specified by genfs instead of the
- * parent directory like it should!
- */
- int error = security_transition_sid(task->sid, dirent->sid,
- dirent->sclass, &newsid);
- if (error == 0)
- dirent->sid = newsid;
- }
-
/* TBD: debugging */
if (sebsd_verbose > 1) {
printf("%s(%s): rc=%d, sclass=%d, computedsid=%d, dirent=%d\n",
@@ -1113,13 +1094,9 @@
sebsd_free(path, M_SEBSD);
}
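Review bot: With the type_transition branch removed, nothing in sebsd_devfs_label_associate_device() says any more that the device SID comes only from the lookup earlier in the function, and that devices created on behalf of a process (the removed comment names /dev/pty*) no longer get a label derived from the creator. A comment above `if (rc == 0)` would keep that visible for policy writers, for example `/* No creating credential is available on Darwin: the SID is whatever the path-based lookup returned, and no type_transition is applied. */`. The lookup itself is outside the hunk, so "path-based" is inferred from the removed XXX comment about genfs and should be checked against the full function. When rc is non-zero the previous SID is kept, and the only trace of the failure is the printf under `sebsd_verbose > 1`.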
-/*
- * NOTE: on Darwin mp will always be NULLL for sebsd_devfs_label_associate_directory
- */
static void
-sebsd_devfs_label_associate_directory(struct mount *mp, char *dirname,
- int dirnamelen, struct devnode *de, struct label *label,
- const char *fullpath)
+sebsd_devfs_label_associate_directory(char *dirname, int dirnamelen,
+ struct devnode *de, struct label *label, const char *fullpath)
{
char *path;
int rc;
==== //depot/projects/trustedbsd/sedarwin8/policies/test/mac_test.c#13 (text+ko) ====
@@ -1182,29 +1182,19 @@
USE_LABEL(fglabel, FILETYPE);
}
-/* The ucred and mount parameters can be NULL for this fcn */
static void
-mac_test_devfs_label_associate_device(struct ucred *cr, struct mount *mp,
- dev_t dev, struct devnode *de, struct label *label,
- const char *fullpath)
+mac_test_devfs_label_associate_device(dev_t dev, struct devnode *de,
+ struct label *label, const char *fullpath)
{
CHECKNULL(de);
INIT_LABEL(label, DEVNODETYPE);
- if (cr != NULL)
- SANITY_CHECK(cr->cr_label, CREDTYPE);
}
static void
-mac_test_devfs_label_associate_directory(struct mount *mp, char *dirname,
- int dirnamelen, struct devnode *de,
- struct label *label, const char *fullpath)
+mac_test_devfs_label_associate_directory(char *dirname, int dirnamelen,
+ struct devnode *de, struct label *label, const char *fullpath)
{
- /*
- * MP should be NULL for devfs
- * CHECKNULL(mp);
- */
-
CHECKNULL(de);
INIT_LABEL(label, DEVNODETYPE);