PERFORCE change 113297 for review
Todd Miller
millert at FreeBSD.org
Sun Jan 21 22:48:46 UTC 2007
http://perforce.freebsd.org/chv.cgi?CH=113297
Change 113297 by millert at millert_macbook on 2007/01/21 22:47:40
Move to a single label struct for sedarwin. The old struct
names are still supported via a macro for now as they aid
in readability. They may be removed in the future if
variable names improve...
Affected files ...
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#54 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd_labels.h#5 edit
Differences ...
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#54 (text+ko) ====
@@ -97,10 +97,7 @@
int sebsd_verbose = 0;
-static zone_t task_security_zone;
-static zone_t network_security_zone;
-static zone_t vnode_security_zone;
-static zone_t ipc_security_zone;
+static zone_t sebsd_label_zone;
static int sebsd_slot; /* set by framework */
#define SLOT(l) ((void *)LABEL_TO_SLOT((l), sebsd_slot).l_ptr)
@@ -216,25 +213,9 @@
sebsd_zone_init(void)
{
- /* We use task_security_struct for creds and ports too. */
- task_security_zone = mac_zinit(sizeof(struct task_security_struct),
- 2048 * sizeof(struct task_security_struct), 0,
- "task_security_struct");
-
- /* Want to use maxsockets here. */
- network_security_zone = mac_zinit(sizeof(struct network_security_struct),
- 512 * sizeof(struct network_security_struct), 0,
- "network_security_struct");
-
- /* Want to use desiredvnodes here. */
- vnode_security_zone = mac_zinit(sizeof(struct vnode_security_struct),
- 8192 * sizeof(struct vnode_security_struct), 0,
- "vnode_security_struct");
-
- /* Want to use maxsockets here. */
- ipc_security_zone = mac_zinit(sizeof(struct ipc_security_struct),
- 512 * sizeof(struct ipc_security_struct), 0,
- "ipc_security_struct");
+ sebsd_label_zone = mac_zinit(sizeof(struct sebsd_label),
+ 8192 * sizeof(struct sebsd_label), 0,
+ "sebsd_label");
}
static void
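Review bot: The single `sebsd_label_zone` created at L47-49 is sized for 8192 elements, while the four zones it replaces were sized for 2048 + 512 + 8192 + 512 elements and the removed comments recorded that those limits should track desiredvnodes and maxsockets. If the second mac_zinit() argument is a hard cap rather than a sizing hint, creds, ports, vnodes, sockets, mbufs, pipes, mounts and IPC labels now compete for fewer slots than before; this diff does not show which it is. Carry the sizing intent across rather than dropping it: `/* XXX size from desiredvnodes + maxsockets + task limits, not a fixed 8192 */` above the mac_zinit() call.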
@@ -478,6 +459,7 @@
}
/* Update security class if not set or vnode was recycled. */
+ /* XXX - why is this needed? When things get recycled the class should be zeroed */
if (file->sclass == 0 || vp->v_type == VBAD)
file->sclass = vnode_type_to_security_class(vp->v_type);
@@ -545,81 +527,40 @@
}
static void
-sebsd_cred_label_init(struct label *label)
+sebsd_label_init(struct label *label)
{
- struct task_security_struct *new_tsec;
+ struct sebsd_label *new;
- new_tsec = mac_zalloc(task_security_zone, M_WAITOK);
- new_tsec->osid = new_tsec->sid = SECINITSID_UNLABELED;
- SLOT(label) = new_tsec;
+ new = mac_zalloc(sebsd_label_zone, M_WAITOK);
+ new->sid = new->task_sid = SECINITSID_UNLABELED;
+ new->sclass = 0;
+ SLOT(label) = new;
}
-static void
-sebsd_cred_label_destroy(struct label *label)
-{
-
- mac_zfree(task_security_zone, SLOT(label));
- SLOT(label) = NULL;
-}
-
-static void
-sebsd_file_label_init(struct label *label)
-{
- struct file_security_struct *fsec;
-
- fsec = sebsd_malloc(sizeof(*fsec), M_SEBSD, M_ZERO | M_WAITOK);
- fsec->sid = SECINITSID_UNLABELED;
- SLOT(label) = fsec;
-}
-
-static void
-sebsd_mount_label_init(struct label *label)
-{
- struct mount_security_struct *sbsec;
-
- sbsec = sebsd_malloc(sizeof(*sbsec), M_SEBSD, M_ZERO | M_WAITOK);
- sbsec->sid = SECINITSID_UNLABELED;
- SLOT(label) = sbsec;
-}
-
static int
-sebsd_init_network_label_waitcheck(struct label *label, int flag)
+sebsd_label_init2(struct label *label, int flag)
{
- struct network_security_struct *new;
+ struct sebsd_label *new;
- new = mac_zalloc(network_security_zone, flag);
- if (new == NULL) {
- SLOT(label) = NULL;
- return (ENOMEM);
+ new = mac_zalloc(sebsd_label_zone, flag);
+ if (new != NULL) {
+ new->sid = new->task_sid = SECINITSID_UNLABELED;
+ new->sclass = 0;
}
-
- new->sid = new->task_sid = SECINITSID_UNLABELED;
SLOT(label) = new;
- return (0);
+ return (new ? 0 : ENOMEM);
}
static void
-sebsd_destroy_network_label(struct label *label)
+sebsd_label_destroy(struct label *label)
{
- mac_zfree(network_security_zone, SLOT(label));
+ mac_zfree(sebsd_label_zone, SLOT(label));
SLOT(label) = NULL;
}
static void
-sebsd_vnode_label_init(struct label *label)
-{
- struct vnode_security_struct *vsec;
-
- vsec = mac_zalloc(vnode_security_zone, M_WAITOK);
- vsec->sid = SECINITSID_UNLABELED;
- vsec->task_sid = SECINITSID_UNLABELED;
- vsec->sclass = 0;
- SLOT(label) = vsec;
-}
-
-static void
sebsd_vnode_label_recycle(struct label *label)
{
struct vnode_security_struct *vsec;
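Review bot: `sebsd_label_init` (L62-73) and `sebsd_label_init2` (L104-122) set sid, task_sid and sclass but never `behavior`, and the file and mount initializers they replace obtained zeroed memory via sebsd_malloc with M_ZERO (L87, L97), whereas nothing here shows mac_zalloc clearing the slot. A freshly initialized mount label therefore carries whatever the zone slot last held in `behavior` until sebsd_mount_label_associate stores a value, and any read of `sbsec->behavior` before that point sees stale data. Add `new->behavior = 0;` after the `new->sclass = 0;` line in both functions (or zero the whole struct once), with a comment noting that the zone allocator does not clear memory. Separately, `sebsd_label_destroy` (L125-130) now returns every slot with mac_zfree, so any remaining code outside this diff that still fills a slot with sebsd_malloc would hand memory to the wrong allocator — worth a grep before committing. `sebsd_vnode_label_recycle` continues past the end of the hunk.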
@@ -631,41 +572,6 @@
}
static void
-sebsd_vnode_label_destroy(struct label *label)
-{
-
- mac_zfree(vnode_security_zone, SLOT(label));
- SLOT(label) = NULL;
-}
-
-static void
-sebsd_ipc_label_init(struct label *label)
-{
- struct ipc_security_struct *new;
-
- new = mac_zalloc(ipc_security_zone, M_WAITOK);
- new->sid = SECINITSID_UNLABELED;
- new->sclass = 0;
- SLOT(label) = new;
-}
-
-static void
-sebsd_ipc_label_destroy(struct label *label)
-{
-
- mac_zfree(ipc_security_zone, SLOT(label));
- SLOT(label) = NULL;
-}
-
-static void
-sebsd_label_destroy(struct label *label)
-{
-
- sebsd_free(SLOT(label), M_SEBSD);
- SLOT(label) = NULL;
-}
-
-static void
sebsd_cred_label_update(struct ucred *cred, struct label *newlabel)
{
/*
@@ -948,7 +854,7 @@
static void
-sebsd_cred_create(struct ucred *cred_parent, struct ucred *cred_child)
+sebsd_cred_label_associate(struct ucred *cred_parent, struct ucred *cred_child)
{
int rc;
struct task_security_struct *parent, *task;
@@ -1210,7 +1116,7 @@
}
static void
-sebsd_create_kernel_proc(struct ucred *cred)
+sebsd_cred_label_associate_kproc(struct ucred *cred)
{
struct task_security_struct *task;
@@ -1231,75 +1137,40 @@
struct label *mntlabel)
{
struct mount_security_struct *sbsec;
- int behavior, rc;
+ unsigned int behavior;
+ int error;
/*
* Update the mount label based on the policy.
*/
sbsec = SLOT(mntlabel);
- rc = security_fs_use(mp->mnt_vfsstat.f_fstypename, &behavior, &sbsec->sid);
- if (rc) {
+ error = security_fs_use(mp->mnt_vfsstat.f_fstypename, &behavior,
+ &sbsec->sid);
+ if (error) {
sebsd_log("%s: security_fs_use(%s) returned %d",
- __func__, mp->mnt_vfsstat.f_fstypename, rc);
+ __func__, mp->mnt_vfsstat.f_fstypename, error);
behavior = SECURITY_FS_USE_NONE;
} else if (sebsd_verbose > 1) {
- sebsd_log("%s: security_fs_use(%s) behavior %d, sid %d",
+ sebsd_log("%s: security_fs_use(%s) behavior %u, sid %d",
__func__, mp->mnt_vfsstat.f_fstypename, behavior,
sbsec->sid);
}
switch (behavior) {
case SECURITY_FS_USE_XATTR:
- /*
- * PSIDs only work for persistent file systems with unique
- * and persistent inode numbers.
- */
- sbsec->uses_psids = 1;
-
- /*
- * TBD: need to correctly label mountpoint with persistent
- * label at this point (currently vnode is unavailable)
- */
-
- break;
case SECURITY_FS_USE_TRANS:
- /*
- * Transition SIDs are used for pseudo filesystems like
- * devpts and tmpfs where you want the SID to be derived
- * from the SID of the creating process and the SID of the
- * filesystem.
- */
- sbsec->uses_trans = 1;
- break;
case SECURITY_FS_USE_TASK:
- /*
- * Task SIDs are used for pseudo filesystems like pipefs and
- * sockfs where you want the objects to be labeled with the
- * SID of the creating process.
- */
- sbsec->uses_task = 1;
- break;
case SECURITY_FS_USE_GENFS:
- /*
- * genfs_contexts handles everything else, like devfs,
- * usbdevfs, driverfs, and portions of proc.
- */
- sbsec->uses_genfs = 1;
- break;
case SECURITY_FS_USE_NONE:
- /*
- * No labeling support configured for this filesystem type.
- * Don't appear to require labeling for binfmt_misc, bdev,
- * or rootfs.
- */
break;
default:
sebsd_log("%s: security_fs_use(%s) returned unrecognized "
- "behavior %d", __func__, mp->mnt_vfsstat.f_fstypename,
+ "behavior %u", __func__, mp->mnt_vfsstat.f_fstypename,
behavior);
behavior = SECURITY_FS_USE_NONE;
break;
}
+ sbsec->behavior = behavior; /* note: behavior 16 bits in sbsec */
}
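Review bot: The log format at L224 is corrected for the now-unsigned `behavior` but still prints `sbsec->sid` with `%d` although the new header declares sid as `u_int32_t`; use `sebsd_log("%s: security_fs_use(%s) behavior %u, sid %u",`. The store at L281 cannot truncate a recognized value because the default arm resets unknown behaviors to SECURITY_FS_USE_NONE first, and the comment should say so rather than only noting the width: `sbsec->behavior = behavior; /* 16 bits in sbsec; unknown values mapped to _NONE above */`. The function's signature begins before this hunk.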
static void
@@ -1898,35 +1769,21 @@
}
static int
-sebsd_internalize_sid(u_int32_t *sidp, char *element_name,
+sebsd_label_internalize(struct label *label, char *element_name,
char *element_data)
{
- char context[128]; /* TBD: contexts aren't fixed size */
- size_t context_len;
+ struct sebsd_label *lsec;
+ u_int32_t context_len;
+
+ if (strcmp("sebsd", element_name) != 0)
+ return (EINVAL);
+ lsec = SLOT(label);
context_len = strlen(element_data) + 1;
- if (context_len >= sizeof(context))
- return (ENAMETOOLONG);
- strcpy(context, element_data);
- return (security_context_to_sid(context, context_len, sidp));
-}
-
-#define SEBSD_INTERNALIZE_LABEL(n1,n2) \
-static int sebsd_##n1##_label_internalize(struct label *label, \
- char *element_name, char *element_data) \
-{ \
- struct n2##_security_struct *lsec; \
- lsec = SLOT(label); \
- return (sebsd_internalize_sid(&lsec->sid, element_name, \
- element_data)); \
+ return (security_context_to_sid(element_data, context_len, &lsec->sid));
}
-SEBSD_INTERNALIZE_LABEL(cred,task)
-SEBSD_INTERNALIZE_LABEL(network,network)
-SEBSD_INTERNALIZE_LABEL(vnode,vnode)
-SEBSD_INTERNALIZE_LABEL(mount,mount)
-
static void
sebsd_pipe_label_update(struct ucred *cred, struct pipe *pipe,
struct label *pipelabel, struct label *newlabel)
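Review bot: `sebsd_label_internalize` (L288-315) drops the 128-byte bound and the private copy that `sebsd_internalize_sid` used to make, and passes `element_data` straight to security_context_to_sid with a length narrowed from size_t into `u_int32_t context_len` (L294, L299). That is only safe if security_context_to_sid accepts an arbitrarily long caller-owned context and copies whatever it retains, and if the framework bounds element_data well below 4 GiB before reaching this entry point; neither is visible here, so either keep a sanity cap such as `if (context_len > <MAX_CONTEXT_LEN>) return (ENAMETOOLONG);` with the limit defined once, or add a comment stating why no bound is needed. The mismatched element name returns EINVAL here (L296-297) but ENOENT in `sebsd_label_externalize` later in this change; if the framework treats ENOENT as "not claimed by this policy" while walking a multi-element label string, returning EINVAL aborts internalization of strings that also carry other policies' elements — confirm against the framework's iteration loop and make the two consistent.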
@@ -3000,21 +2857,22 @@
return (error);
}
-#define SEBSD_EXTERNALIZE_LABEL(n1,n2) \
-static int sebsd_##n1##_label_externalize(struct label *label, \
- char *element_name, struct sbuf *sb) \
-{ \
- struct n2##_security_struct *lsec; \
- \
- if (strcmp("sebsd", element_name) != 0) \
- return (ENOENT); \
- \
- lsec = SLOT(label); \
- return (sebsd_externalize_sid(lsec->sid, element_name, sb)); \
+static int
+sebsd_label_externalize(struct label *label, char *element_name,
+ struct sbuf *sb)
+{
+ struct sebsd_label *lsec;
+
+ if (strcmp("sebsd", element_name) != 0)
+ return (ENOENT);
+
+ lsec = SLOT(label);
+ return (sebsd_externalize_sid(lsec->sid, element_name, sb));
}
-static int sebsd_cred_label_externalize(struct label *label,
- char *element_name, struct sbuf *sb)
+static int
+sebsd_cred_label_externalize(struct label *label, char *element_name,
+ struct sbuf *sb)
{
struct task_security_struct *tsec;
u_int32_t sid;
@@ -3029,10 +2887,6 @@
return (sebsd_externalize_sid(sid, element_name, sb));
}
-SEBSD_EXTERNALIZE_LABEL(network,network)
-SEBSD_EXTERNALIZE_LABEL(vnode,vnode)
-SEBSD_EXTERNALIZE_LABEL(mount,mount)
-
static void
sebsd_vnode_label_copy(struct label *src, struct label *dest)
{
@@ -3513,21 +3367,21 @@
static struct mac_policy_ops sebsd_ops = {
.mpo_cred_check_label_update =sebsd_cred_check_label_update,
.mpo_cred_check_label_update_execve = sebsd_cred_check_label_update_execve,
- .mpo_cred_label_associate = sebsd_cred_create,
- .mpo_cred_label_associate_kernel = sebsd_create_kernel_proc,
- .mpo_cred_label_associate_user = sebsd_create_kernel_proc,
- .mpo_cred_label_destroy = sebsd_cred_label_destroy,
+ .mpo_cred_label_associate = sebsd_cred_label_associate,
+ .mpo_cred_label_associate_kernel = sebsd_cred_label_associate_kproc,
+ .mpo_cred_label_associate_user = sebsd_cred_label_associate_kproc,
+ .mpo_cred_label_destroy = sebsd_label_destroy,
.mpo_cred_label_externalize = sebsd_cred_label_externalize,
.mpo_cred_label_externalize_audit = sebsd_cred_label_externalize,
- .mpo_cred_label_init = sebsd_cred_label_init,
- .mpo_cred_label_internalize = sebsd_cred_label_internalize,
+ .mpo_cred_label_init = sebsd_label_init,
+ .mpo_cred_label_internalize = sebsd_label_internalize,
.mpo_cred_label_update = sebsd_cred_label_update,
.mpo_cred_label_update_execve = sebsd_cred_label_update_execve,
.mpo_devfs_label_associate_device = sebsd_devfs_label_associate_device,
.mpo_devfs_label_associate_directory = sebsd_devfs_label_associate_directory,
.mpo_devfs_label_copy = sebsd_vnode_label_copy,
- .mpo_devfs_label_destroy = sebsd_vnode_label_destroy,
- .mpo_devfs_label_init = sebsd_vnode_label_init,
+ .mpo_devfs_label_destroy = sebsd_label_destroy,
+ .mpo_devfs_label_init = sebsd_label_init,
.mpo_devfs_label_update = sebsd_devfs_update,
.mpo_file_check_change_offset = sebsd_file_check_change_offset,
.mpo_file_check_dup = sebsd_file_check_dup,
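Review bot: With cred, port, devfs, pipe, vnode, socket and mbuf labels now sharing one struct and one zone, the copy routines this table keeps referencing — `sebsd_vnode_label_copy` at L390, `copy_network_label` at L405 and `sebsd_task_label_copy` at L444 — live outside this diff; if each still copies only the fields its former per-type struct had, the destination's `sclass` or `behavior` is left holding whatever the zone slot previously contained. I cannot verify that from here, so this is a request to check those three functions; copying the whole struct (`*dst = *src;`) where the label types agree would remove the question, and a comment on the table entries noting that all slots are `struct sebsd_label` would help the next reader. The same applies to the other table hunks below.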
@@ -3540,11 +3394,11 @@
.mpo_file_check_receive = sebsd_file_check_receive,
.mpo_file_label_associate = sebsd_file_label_associate,
.mpo_file_label_destroy = sebsd_label_destroy,
- .mpo_file_label_init = sebsd_file_label_init,
+ .mpo_file_label_init = sebsd_label_init,
.mpo_mbuf_label_associate_socket = sebsd_mbuf_label_associate_socket,
.mpo_mbuf_label_copy = copy_network_label,
- .mpo_mbuf_label_destroy = sebsd_destroy_network_label,
- .mpo_mbuf_label_init = sebsd_init_network_label_waitcheck,
+ .mpo_mbuf_label_destroy = sebsd_label_destroy,
+ .mpo_mbuf_label_init = sebsd_label_init2,
.mpo_mount_check_getattr = sebsd_mount_check_getattr,
.mpo_mount_check_label_update = sebsd_mount_check_label_update,
.mpo_mount_check_mount = sebsd_mount_check_mount,
@@ -3556,9 +3410,9 @@
.mpo_mount_check_umount = sebsd_mount_check_umount,
.mpo_mount_label_associate = sebsd_mount_label_associate,
.mpo_mount_label_destroy = sebsd_label_destroy,
- .mpo_mount_label_externalize = sebsd_mount_label_externalize,
- .mpo_mount_label_init = sebsd_mount_label_init,
- .mpo_mount_label_internalize = sebsd_mount_label_internalize,
+ .mpo_mount_label_externalize = sebsd_label_externalize,
+ .mpo_mount_label_init = sebsd_label_init,
+ .mpo_mount_label_internalize = sebsd_label_internalize,
.mpo_pipe_check_ioctl = sebsd_pipe_check_ioctl,
.mpo_pipe_check_label_update = sebsd_pipe_check_label_update,
.mpo_pipe_check_read = sebsd_pipe_check_read,
@@ -3566,10 +3420,10 @@
.mpo_pipe_check_write = sebsd_pipe_check_write,
.mpo_pipe_label_associate = sebsd_pipe_label_associate,
.mpo_pipe_label_copy = sebsd_vnode_label_copy,
- .mpo_pipe_label_destroy = sebsd_vnode_label_destroy,
- .mpo_pipe_label_externalize = sebsd_vnode_label_externalize,
- .mpo_pipe_label_init = sebsd_vnode_label_init,
- .mpo_pipe_label_internalize = sebsd_vnode_label_internalize,
+ .mpo_pipe_label_destroy = sebsd_label_destroy,
+ .mpo_pipe_label_externalize = sebsd_label_externalize,
+ .mpo_pipe_label_init = sebsd_label_init,
+ .mpo_pipe_label_internalize = sebsd_label_internalize,
.mpo_pipe_label_update = sebsd_pipe_label_update,
.mpo_policy_destroy = sebsd_policy_destroy,
.mpo_policy_init = sebsd_policy_init,
@@ -3593,8 +3447,8 @@
.mpo_port_label_associate_kernel = sebsd_port_label_associate_kernel,
.mpo_port_label_compute = sebsd_request_label,
.mpo_port_label_copy = sebsd_task_label_copy,
- .mpo_port_label_destroy = sebsd_cred_label_destroy,
- .mpo_port_label_init = sebsd_cred_label_init,
+ .mpo_port_label_destroy = sebsd_label_destroy,
+ .mpo_port_label_init = sebsd_label_init,
.mpo_port_label_update_cred = sebsd_port_label_update_cred,
.mpo_posixsem_check_create = sebsd_posixsem_check_create,
.mpo_posixsem_check_open = sebsd_posixsem_check_open,
@@ -3602,8 +3456,8 @@
.mpo_posixsem_check_unlink = sebsd_posixsem_check_unlink,
.mpo_posixsem_check_wait = sebsd_posixsem_check_wait,
.mpo_posixsem_label_associate = sebsd_posixsem_label_associate,
- .mpo_posixsem_label_destroy = sebsd_ipc_label_destroy,
- .mpo_posixsem_label_init = sebsd_ipc_label_init,
+ .mpo_posixsem_label_destroy = sebsd_label_destroy,
+ .mpo_posixsem_label_init = sebsd_label_init,
.mpo_posixshm_check_create = sebsd_posixshm_check_create,
.mpo_posixshm_check_mmap = sebsd_posixshm_check_mmap,
.mpo_posixshm_check_open = sebsd_posixshm_check_open,
@@ -3611,8 +3465,8 @@
.mpo_posixshm_check_truncate = sebsd_posixshm_check_truncate,
.mpo_posixshm_check_unlink = sebsd_posixshm_check_unlink,
.mpo_posixshm_label_associate = sebsd_posixshm_label_associate,
- .mpo_posixshm_label_destroy = sebsd_ipc_label_destroy,
- .mpo_posixshm_label_init = sebsd_ipc_label_init,
+ .mpo_posixshm_label_destroy = sebsd_label_destroy,
+ .mpo_posixshm_label_init = sebsd_label_init,
.mpo_proc_check_debug = sebsd_proc_check_debug,
.mpo_proc_check_getaudit = sebsd_proc_check_getaudit,
.mpo_proc_check_mprotect = sebsd_proc_check_mprotect,
@@ -3633,16 +3487,16 @@
.mpo_socket_label_associate = sebsd_socket_label_associate,
.mpo_socket_label_associate_accept = sebsd_socket_label_associate_accept,
.mpo_socket_label_copy = copy_network_label,
- .mpo_socket_label_destroy = sebsd_destroy_network_label,
- .mpo_socket_label_externalize = sebsd_network_label_externalize,
- .mpo_socket_label_init = sebsd_init_network_label_waitcheck,
- .mpo_socket_label_internalize = sebsd_network_label_internalize,
+ .mpo_socket_label_destroy = sebsd_label_destroy,
+ .mpo_socket_label_externalize = sebsd_label_externalize,
+ .mpo_socket_label_init = sebsd_label_init2,
+ .mpo_socket_label_internalize = sebsd_label_internalize,
.mpo_socket_label_update = sebsd_socket_label_update,
.mpo_socketpeer_label_associate_mbuf = sebsd_socketpeer_label_associate_mbuf,
.mpo_socketpeer_label_associate_socket = sebsd_socketpeer_label_associate_socket,
- .mpo_socketpeer_label_destroy = sebsd_destroy_network_label,
- .mpo_socketpeer_label_externalize = sebsd_network_label_externalize,
- .mpo_socketpeer_label_init = sebsd_init_network_label_waitcheck,
+ .mpo_socketpeer_label_destroy = sebsd_label_destroy,
+ .mpo_socketpeer_label_externalize = sebsd_label_externalize,
+ .mpo_socketpeer_label_init = sebsd_label_init2,
.mpo_system_check_acct = sebsd_system_check_acct,
.mpo_system_check_audit = sebsd_system_check_audit,
.mpo_system_check_auditctl = sebsd_system_check_auditctl,
@@ -3653,8 +3507,8 @@
.mpo_system_check_swapoff = sebsd_system_check_swapon,
.mpo_system_check_swapon = sebsd_system_check_swapon,
.mpo_sysvmsg_label_associate = sebsd_sysvmsg_label_associate,
- .mpo_sysvmsg_label_destroy = sebsd_ipc_label_destroy,
- .mpo_sysvmsg_label_init = sebsd_ipc_label_init,
+ .mpo_sysvmsg_label_destroy = sebsd_label_destroy,
+ .mpo_sysvmsg_label_init = sebsd_label_init,
.mpo_sysvmsg_label_recycle = sebsd_sysv_label_recycle,
.mpo_sysvmsq_check_enqueue = sebsd_sysvmsq_check_enqueue,
.mpo_sysvmsq_check_msgrcv = sebsd_sysvmsq_check_msgrcv,
@@ -3663,31 +3517,31 @@
.mpo_sysvmsq_check_msqrcv = sebsd_sysvmsq_check_msqrcv,
.mpo_sysvmsq_check_msqsnd = sebsd_sysvmsq_check_msqsnd,
.mpo_sysvmsq_label_associate = sebsd_sysvmsq_label_associate,
- .mpo_sysvmsq_label_destroy = sebsd_ipc_label_destroy,
- .mpo_sysvmsq_label_init = sebsd_ipc_label_init,
+ .mpo_sysvmsq_label_destroy = sebsd_label_destroy,
+ .mpo_sysvmsq_label_init = sebsd_label_init,
.mpo_sysvmsq_label_recycle = sebsd_sysv_label_recycle,
.mpo_sysvsem_check_semctl = sebsd_sysvsem_check_semctl,
.mpo_sysvsem_check_semget = sebsd_sysvsem_check_semget,
.mpo_sysvsem_check_semop = sebsd_sysvsem_check_semop,
.mpo_sysvsem_label_associate = sebsd_sysvsem_label_associate,
- .mpo_sysvsem_label_destroy = sebsd_ipc_label_destroy,
- .mpo_sysvsem_label_init = sebsd_ipc_label_init,
+ .mpo_sysvsem_label_destroy = sebsd_label_destroy,
+ .mpo_sysvsem_label_init = sebsd_label_init,
.mpo_sysvsem_label_recycle = sebsd_sysv_label_recycle,
.mpo_sysvshm_check_shmat = sebsd_sysvshm_check_shmat,
.mpo_sysvshm_check_shmctl = sebsd_sysvshm_check_shmctl,
.mpo_sysvshm_check_shmget = sebsd_sysvshm_check_shmget,
.mpo_sysvshm_label_associate = sebsd_sysvshm_label_associate,
- .mpo_sysvshm_label_destroy = sebsd_ipc_label_destroy,
- .mpo_sysvshm_label_init = sebsd_ipc_label_init,
+ .mpo_sysvshm_label_destroy = sebsd_label_destroy,
+ .mpo_sysvshm_label_init = sebsd_label_init,
.mpo_sysvshm_label_recycle = sebsd_sysv_label_recycle,
.mpo_task_check_get_port = sebsd_task_check_get_port,
.mpo_task_label_associate = sebsd_task_create,
.mpo_task_label_associate_kernel = sebsd_task_create_kernel,
.mpo_task_label_copy = sebsd_task_label_copy,
- .mpo_task_label_destroy = sebsd_cred_label_destroy,
- .mpo_task_label_externalize = sebsd_cred_label_externalize,
- .mpo_task_label_init = sebsd_cred_label_init,
- .mpo_task_label_internalize = sebsd_cred_label_internalize,
+ .mpo_task_label_destroy = sebsd_label_destroy,
+ .mpo_task_label_externalize = sebsd_label_externalize,
+ .mpo_task_label_init = sebsd_label_init,
+ .mpo_task_label_internalize = sebsd_label_internalize,
.mpo_task_label_update = sebsd_task_label_update,
.mpo_thread_userret = sebsd_thread_userret,
.mpo_vnode_check_access = sebsd_vnode_check_access,
@@ -3728,11 +3582,11 @@
.mpo_vnode_label_associate_singlelabel = sebsd_vnode_label_associate_singlelabel,
.mpo_vnode_label_associate_socket = sebsd_vnode_label_associate_socket,
.mpo_vnode_label_copy = sebsd_vnode_label_copy,
- .mpo_vnode_label_destroy = sebsd_vnode_label_destroy,
- .mpo_vnode_label_externalize = sebsd_vnode_label_externalize,
- .mpo_vnode_label_externalize_audit = sebsd_vnode_label_externalize,
- .mpo_vnode_label_init = sebsd_vnode_label_init,
- .mpo_vnode_label_internalize = sebsd_vnode_label_internalize,
+ .mpo_vnode_label_destroy = sebsd_label_destroy,
+ .mpo_vnode_label_externalize = sebsd_label_externalize,
+ .mpo_vnode_label_externalize_audit = sebsd_label_externalize,
+ .mpo_vnode_label_init = sebsd_label_init,
+ .mpo_vnode_label_internalize = sebsd_label_internalize,
.mpo_vnode_label_recycle = sebsd_vnode_label_recycle,
.mpo_vnode_label_store = sebsd_vnode_label_store,
.mpo_vnode_label_update = sebsd_vnode_label_update,
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd_labels.h#5 (text+ko) ====
@@ -41,47 +41,19 @@
#ifndef _SYS_SECURITY_SEBSD_LABELS_H
#define _SYS_SECURITY_SEBSD_LABELS_H
-struct task_security_struct {
- u_int32_t osid;
+struct sebsd_label {
+ u_int32_t osid; /* task_sid for all but task_security_struct */
u_int32_t sid;
-#ifdef notyet
- u_int32_t exec_sid; /* exec SID */
- u_int32_t create_sid; /* fscreate SID */
-#endif
+ u_int16_t sclass; /* only used for vnode and ipc */
+ u_int16_t behavior; /* only used for mount */
};
+#define task_sid osid
-struct file_security_struct {
- u_int32_t sid;
-};
-
-struct vnode_security_struct {
- u_int32_t task_sid;
- u_int32_t sid;
- u_int16_t sclass;
-};
+#define task_security_struct sebsd_label
+#define file_security_struct sebsd_label
+#define vnode_security_struct sebsd_label
+#define network_security_struct sebsd_label
+#define ipc_security_struct sebsd_label
+#define mount_security_struct sebsd_label
-struct network_security_struct {
- u_int32_t sid;
- u_int32_t task_sid;
-};
-
-struct ipc_security_struct {
- u_int32_t sid;
- u_int16_t sclass;
-};
-
-struct mount_security_struct {
- u_int32_t sid; /* SID of file system */
-#ifndef __FreeBSD__
- struct psidtab *psidtab; /* persistent SID mapping */
-#endif
- unsigned char uses_psids; /* uses persistent SID flag */
-#ifndef __FreeBSD__
- unsigned char initialized; /* initialization flag */
-#endif
- unsigned char uses_task; /* use creating task SID for inodes */
- unsigned char uses_genfs; /* use security_genfs_sid for inodes */
- unsigned char proc; /* call procfs_set_sid */
- unsigned char uses_trans; /* call security_transition_sid */
-};
#endif /* _SYS_SECURITY_SEBSD_LABELS_H */
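Review bot: `#define task_sid osid` at L584 and the six tag aliases at L594-599 are object-like macros on ordinary identifiers, so they rewrite every later occurrence of those names in any translation unit that includes this header: a local, parameter or member named `task_sid` in a header included afterwards silently becomes `osid`, and the macro being defined after the struct also obscures which spelling is canonical. Give the field both names inside the struct instead, so the alias is scoped to the struct; the tag aliases can stay as the change description intends but need a comment marking them transitional and not to be reused for a new struct. The anonymous union requires C11 or the compiler's extension, which this toolchain may already allow — confirm. `behavior` should also say what it holds: `u_int16_t behavior; /* SECURITY_FS_USE_*; meaningful for mount labels only */`.
```c
struct sebsd_label {
	union {
		u_int32_t osid;		/* used by task_security_struct */
		u_int32_t task_sid;	/* same word, name used by all other label types */
	};
	u_int32_t sid;
	u_int16_t sclass;	/* only used for vnode and ipc */
	u_int16_t behavior;	/* SECURITY_FS_USE_*; meaningful for mount labels only */
};
/* … unchanged: transitional struct tag aliases … */
```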