Fw: PERFORCE change 19450 for review
Adam Migus
adam at migus.org
Thu Oct 17 23:07:41 GMT 2002
Ilmar,
Biba compartments are in my tree, I'll get them into the main mac tree
within the next day or so...
Adam
----- Original Message -----
From: "Adam Migus" <amigus at FreeBSD.org>
To: "Perforce Change Reviews" <perforce at FreeBSD.org>
Sent: Thursday, October 17, 2002 9:21 AM
Subject: PERFORCE change 19450 for review
> http://perforce.freebsd.org/chv.cgi?CH=19450
>
> Change 19450 by amigus at amigus_ganyopa on 2002/10/17 06:21:32
>
> Sync MLS and Biba, add compartments and fix bugs in the process.
>
> Affected files ...
>
> ..
//depot/user/amigus/amigus_mac_userland/sys/security/mac_biba/mac_biba.c#13
edit
> ..
//depot/user/amigus/amigus_mac_userland/sys/security/mac_biba/mac_biba.h#3
edit
> .. //depot/user/amigus/amigus_mac_userland/sys/sys/mac.h#13 edit
>
> Differences ...
>
> ====
//depot/user/amigus/amigus_mac_userland/sys/security/mac_biba/mac_biba.c#13
(text+ko) ====
>
> @@ -34,7 +34,7 @@
> * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
> * SUCH DAMAGE.
> *
> - * $FreeBSD: src/sys/security/mac_biba/mac_biba.c,v 1.18 2002/10/06
13:11:01 rwatson Exp $
> + * $FreeBSD: src/sys/security/mac_biba/mac_biba.c,v 1.15 2002/10/06
02:46:25 rwatson Exp $
> */
>
> /*
> @@ -80,17 +80,19 @@
>
> static int mac_biba_enabled = 0;
> static int destroyed_not_inited;
> +static int ptys_equal = 0;
> +static int revocation_enabled = 0;
> static int trust_all_interfaces = 0;
> static char trusted_interfaces[128];
> -static int ptys_equal = 0;
> -static int revocation_enabled = 0;
> +static int max_compartments = MAC_BIBA_MAX_COMPARTMENTS;
>
> /* A warning is printed if this differs from the actual prefix */
> -#define MAC_TUNABLE_PREFIX "security.mac.policies.mac_biba"
> +#define MAC_TUNABLE_PREFIX "security.mac.policies.mac_biba"
>
> TUNABLE_INT(MAC_TUNABLE_PREFIX ".compat.enabled", &mac_biba_enabled);
> -TUNABLE_INT(MAC_TUNABLE_PREFIX ".ptys_equal", &ptys_equal);
> -TUNABLE_INT(MAC_TUNABLE_PREFIX ".revocation_enabled",
&revocation_enabled);
> +TUNABLE_INT(MAC_TUNABLE_PREFIX ".options.ptys_equal", &ptys_equal);
> +TUNABLE_INT(MAC_TUNABLE_PREFIX ".options.revocation_enabled",
> + &revocation_enabled);
> TUNABLE_INT(MAC_TUNABLE_PREFIX ".options.trust_all_interfaces",
> &trust_all_interfaces);
> TUNABLE_STR(MAC_TUNABLE_PREFIX ".options.trusted_interfaces",
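Review bot: Moving the `ptys_equal` and `revocation_enabled` tunables under `.options.` means a loader.conf that still sets the old names is presumably ignored without any message, and both variables then keep their initialisers of 0. For `revocation_enabled`, judging by its name, that is a quiet loss of an enforcement setting after an upgrade. The rename should be called out in the change description, or the old names should be kept as aliases for a transition period.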
> @@ -138,14 +140,29 @@
> "trusted_interfaces", CTLFLAG_RW, trusted_interfaces,
> sizeof(trusted_interfaces),
> "List of interfaces that are high integrity");
> +
> + oidp = mps->mps_info;
> + SYSCTL_ADD_INT(clist, SYSCTL_CHILDREN(oidp), OID_AUTO,
> + "max_compartments", CTLFLAG_RD, &max_compartments, 0,
> + "Maximum number of compartments");
> }
>
> static void
> -mac_biba_destroy(struct mac_policy_conf *conf)
> +mac_biba_destroy(struct mac_policy_conf *mpc)
> {
>
> }
>
> +static __inline int
> +biba_bit_set_empty(u_char *set) {
> + int i;
> +
> + for (i = 0; i < MAC_BIBA_MAX_COMPARTMENTS >> 3; i++)
> + if (set[i] != 0)
> + return (0);
> + return (1);
> +}
> +
> static struct mac_biba *
> biba_alloc(int flag)
> {
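Review bot: `biba_bit_set_empty()` only reads its argument, so the parameter should be `const u_char *set`, and the opening brace belongs on its own line like the other function definitions in this hunk. A one-line comment stating that `set` must point at a full `mbe_compartments` array (`MAC_BIBA_MAX_COMPARTMENTS >> 3` bytes) would also help, since the length is not passed in.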
> @@ -179,6 +196,7 @@
> mac_biba_dominate_element(struct mac_biba_element *a,
> struct mac_biba_element *b)
> {
> + int bit;
>
> switch(a->mbe_type) {
> case MAC_BIBA_TYPE_EQUAL:
> @@ -209,6 +227,11 @@
> return (0);
>
> case MAC_BIBA_TYPE_GRADE:
> + for (bit = 1; bit <= MAC_BIBA_MAX_COMPARTMENTS; bit++)
> + if (!MAC_BIBA_BIT_TEST(bit,
> + a->mbe_compartments) &&
> + MAC_BIBA_BIT_TEST(bit, b->mbe_compartments))
> + return (0);
> return (a->mbe_grade >= b->mbe_grade);
>
> default:
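Review bot: The compartment test added to the `MAC_BIBA_TYPE_GRADE` case has no comment saying what it enforces, and it walks all MAC_BIBA_MAX_COMPARTMENTS bits one at a time on what looks like a frequently called path. A comment such as `/* a dominates b only if a's compartments are a superset of b's */` would state the rule. The same test can be done per byte over `sizeof(a->mbe_compartments)` with `if (~a->mbe_compartments[i] & b->mbe_compartments[i]) return (0);`. The function and its switch start and end outside this hunk.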
> @@ -309,21 +332,21 @@
> MAC_BIBA_FLAGS_BOTH,
> ("mac_biba_subject_equal_ok: subject doesn't have both labels"));
>
> - /* If the single is EQUAL, it's ok */
> + /* If the single is EQUAL, it's ok. */
> if (mac_biba->mb_single.mbe_type == MAC_BIBA_TYPE_EQUAL)
> return (0);
>
> - /* If either range endpoint is EQUAL, it's ok */
> + /* If either range endpoint is EQUAL, it's ok. */
> if (mac_biba->mb_rangelow.mbe_type == MAC_BIBA_TYPE_EQUAL ||
> mac_biba->mb_rangehigh.mbe_type == MAC_BIBA_TYPE_EQUAL)
> return (0);
>
> - /* If the range is low-high, it's ok */
> + /* If the range is low-high, it's ok. */
> if (mac_biba->mb_rangelow.mbe_type == MAC_BIBA_TYPE_LOW &&
> mac_biba->mb_rangehigh.mbe_type == MAC_BIBA_TYPE_HIGH)
> return (0);
>
> - /* It's not OK. */
> + /* It's not ok. */
> return (EPERM);
> }
>
> @@ -339,7 +362,9 @@
> case MAC_BIBA_TYPE_EQUAL:
> case MAC_BIBA_TYPE_HIGH:
> case MAC_BIBA_TYPE_LOW:
> - if (mac_biba->mb_single.mbe_grade != 0)
> + if (mac_biba->mb_single.mbe_grade != 0 ||
> + !MAC_BIBA_BIT_SET_EMPTY(
> + mac_biba->mb_single.mbe_compartments))
> return (EINVAL);
> break;
>
> @@ -359,7 +384,9 @@
> case MAC_BIBA_TYPE_EQUAL:
> case MAC_BIBA_TYPE_HIGH:
> case MAC_BIBA_TYPE_LOW:
> - if (mac_biba->mb_rangelow.mbe_grade != 0)
> + if (mac_biba->mb_rangelow.mbe_grade != 0 ||
> + !MAC_BIBA_BIT_SET_EMPTY(
> + mac_biba->mb_rangelow.mbe_compartments))
> return (EINVAL);
> break;
>
> @@ -374,7 +401,9 @@
> case MAC_BIBA_TYPE_EQUAL:
> case MAC_BIBA_TYPE_HIGH:
> case MAC_BIBA_TYPE_LOW:
> - if (mac_biba->mb_rangehigh.mbe_grade != 0)
> + if (mac_biba->mb_rangehigh.mbe_grade != 0 ||
> + !MAC_BIBA_BIT_SET_EMPTY(
> + mac_biba->mb_rangehigh.mbe_compartments))
> return (EINVAL);
> break;
>
> @@ -395,33 +424,54 @@
>
> static void
> mac_biba_set_range(struct mac_biba *mac_biba, u_short typelow,
> - u_short gradelow, u_short typehigh, u_short gradehigh)
> + u_short gradelow, u_char *compartmentslow, u_short typehigh,
> + u_short gradehigh, u_char *compartmentshigh)
> {
>
> mac_biba->mb_rangelow.mbe_type = typelow;
> mac_biba->mb_rangelow.mbe_grade = gradelow;
> + if (compartmentslow)
> + memcpy(mac_biba->mb_rangelow.mbe_compartments, compartmentslow,
> + sizeof(mac_biba->mb_rangelow.mbe_compartments));
> mac_biba->mb_rangehigh.mbe_type = typehigh;
> mac_biba->mb_rangehigh.mbe_grade = gradehigh;
> + if (compartmentshigh)
> + memcpy(mac_biba->mb_rangehigh.mbe_compartments,
> + compartmentshigh,
> + sizeof(mac_biba->mb_rangehigh.mbe_compartments));
> mac_biba->mb_flags |= MAC_BIBA_FLAG_RANGE;
> }
>
> static void
> -mac_biba_set_single(struct mac_biba *mac_biba, u_short type, u_short
grade)
> +mac_biba_set_single(struct mac_biba *mac_biba, u_short type, u_short
grade,
> + u_char *compartments)
> {
>
> mac_biba->mb_single.mbe_type = type;
> mac_biba->mb_single.mbe_grade = grade;
> + if (compartments)
> + memcpy(mac_biba->mb_single.mbe_compartments, compartments,
> + sizeof(mac_biba->mb_single.mbe_compartments));
> mac_biba->mb_flags |= MAC_BIBA_FLAG_SINGLE;
> }
>
> static void
> mac_biba_copy_range(struct mac_biba *labelfrom, struct mac_biba *labelto)
> {
> +
> KASSERT((labelfrom->mb_flags & MAC_BIBA_FLAG_RANGE) != 0,
> ("mac_biba_copy_range: labelfrom not range"));
>
> + memcpy(labelto->mb_rangelow.mbe_compartments,
> + labelfrom->mb_rangelow.mbe_compartments,
> + sizeof(labelfrom->mb_rangelow.mbe_compartments));
> labelto->mb_rangelow = labelfrom->mb_rangelow;
> +
> + memcpy(labelto->mb_rangehigh.mbe_compartments,
> + labelfrom->mb_rangehigh.mbe_compartments,
> + sizeof(labelfrom->mb_rangehigh.mbe_compartments));
> labelto->mb_rangehigh = labelfrom->mb_rangehigh;
> +
> labelto->mb_flags |= MAC_BIBA_FLAG_RANGE;
> }
>
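Review bot: When `compartments`, `compartmentslow` or `compartmentshigh` is NULL, `mac_biba_set_single()` and `mac_biba_set_range()` leave whatever bits were already in `mbe_compartments`, so a label that is reused rather than freshly zeroed keeps its old compartments next to the new type and grade. The validity checks added earlier in this change reject EQUAL/HIGH/LOW elements whose set is not empty, so the NULL case should clear the array, e.g. `else bzero(mac_biba->mb_single.mbe_compartments, sizeof(mac_biba->mb_single.mbe_compartments));`. Whether labels are always zeroed at allocation is not visible in this hunk. In `mac_biba_copy_range()`, and in `mac_biba_copy_single()` in the next hunk, the added `memcpy()` calls are redundant because the struct assignment that follows already copies the embedded array.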
> @@ -432,6 +482,9 @@
> KASSERT((labelfrom->mb_flags & MAC_BIBA_FLAG_SINGLE) != 0,
> ("mac_biba_copy_single: labelfrom not single"));
>
> + memcpy(labelto->mb_single.mbe_compartments,
> + labelfrom->mb_single.mbe_compartments,
> + sizeof(labelfrom->mb_single.mbe_compartments));
> labelto->mb_single = labelfrom->mb_single;
> labelto->mb_flags |= MAC_BIBA_FLAG_SINGLE;
> }
> @@ -472,7 +525,7 @@
> {
>
> biba_free(SLOT(label));
> - SLOT(label) = NULL; /* Slightly cautious */
> + SLOT(label) = NULL;
> }
>
> /*
> @@ -484,6 +537,7 @@
> mac_biba_element_to_string(char *string, size_t size,
> struct mac_biba_element *element)
> {
> + int pos, bit = 1;
>
> switch (element->mbe_type) {
> case MAC_BIBA_TYPE_HIGH:
> @@ -496,7 +550,15 @@
> return (snprintf(string, size, "equal"));
>
> case MAC_BIBA_TYPE_GRADE:
> - return (snprintf(string, size, "%d", element->mbe_grade));
> + pos = snprintf(string, size, "%d:", element->mbe_grade);
> + for (bit = 1; bit <= MAC_BIBA_MAX_COMPARTMENTS; bit++) {
> + if (MAC_BIBA_BIT_TEST(bit, element->mbe_compartments))
> + pos += snprintf(string + pos, size - pos,
> + "%d+", bit);
> + }
> + if (string[pos - 1] == '+' || string[pos - 1] == ':')
> + string[--pos] = NULL;
> + return (pos);
>
> default:
> panic("mac_biba_element_to_string: invalid type (%d)",
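Review bot: The `MAC_BIBA_TYPE_GRADE` case can write past the end of `string`: snprintf() returns the length it would have written, so once output is truncated `pos` exceeds `size`, `size - pos` wraps as a size_t, and both the next `snprintf(string + pos, ...)` and the final `string[--pos] = NULL` land outside the buffer. With up to MAC_BIBA_MAX_COMPARTMENTS entries of the form `%d+` the text can approach a kilobyte, so truncation is reachable for any caller buffer smaller than that. The loop should stop as soon as `pos >= size` and return the would-be length so that a caller-side length check (such as the `len >= left` test visible in the next hunk, if that is the caller) can reject it, and the terminator should be `'\0'` rather than `NULL`. The function starts and ends outside this hunk.

```c
	case MAC_BIBA_TYPE_GRADE:
		pos = snprintf(string, size, "%d:", element->mbe_grade);
		for (bit = 1; bit <= MAC_BIBA_MAX_COMPARTMENTS; bit++) {
			/* Truncated: report the length, let the caller fail. */
			if ((size_t)pos >= size)
				return (pos);
			if (MAC_BIBA_BIT_TEST(bit, element->mbe_compartments))
				pos += snprintf(string + pos, size - pos,
				    "%d+", bit);
		}
		if ((size_t)pos >= size)
			return (pos);
		/* Drop the trailing '+' or ':' separator. */
		if (string[pos - 1] == '+' || string[pos - 1] == ':')
			string[--pos] = '\0';
		return (pos);
```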
> @@ -520,7 +582,7 @@
> if (len >= left)
> return (EINVAL);
> left -= len;
> - curptr += len;
> + curptr += len;
> }
>
> if (mac_biba->mb_flags & MAC_BIBA_FLAG_RANGE) {
> @@ -624,13 +686,39 @@
> element->mbe_type = MAC_BIBA_TYPE_EQUAL;
> element->mbe_grade = MAC_BIBA_TYPE_UNDEF;
> } else {
> + char *p0, *p1;
> int d;
>
> - d = strtol(string, NULL, 10);
> + p0 = string;
> + d = strtol(p0, &p1, 10);
> +
> if (d < 0 || d > 65535)
> return (EINVAL);
> element->mbe_type = MAC_BIBA_TYPE_GRADE;
> element->mbe_grade = d;
> +
> + if (*p1 != ':') {
> + if (p1 == p0 || *p1 != '\0')
> + return (EINVAL);
> + else
> + return (0);
> + }
> + else
> + if (*(p1 + 1) == '\0')
> + return (0);
> +
> + while ((p0 = ++p1)) {
> + d = strtol(p0, &p1, 10);
> + if (d < 1 || d > MAC_BIBA_MAX_COMPARTMENTS)
> + return (EINVAL);
> +
> + MAC_BIBA_BIT_SET(d, element->mbe_compartments);
> +
> + if (*p1 == '\0')
> + break;
> + if (p1 == p0 || *p1 != '+')
> + return (EINVAL);
> + }
> }
>
> return (0);
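Review bot: An element with no digits before the colon, such as a string that begins with `:`, is accepted as grade 0, because the `p1 == p0` test is only made on the branch where `*p1 != ':'`. Checking `if (p1 == p0) return (EINVAL);` straight after the first strtol() closes that, and `d` should be declared `long` so that on 64-bit platforms an out-of-range value is rejected by the `d > 65535` test rather than truncated into range by the assignment to `int`. The compartment bits are OR-ed into `element->mbe_compartments` without clearing it first; if the element can hold an earlier label, it needs a `bzero()` before the loop (not visible from this hunk). `while ((p0 = ++p1))` is always true and would read more clearly as `for (;;)` with the increment inside.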
> @@ -643,7 +731,7 @@
> static int
> mac_biba_parse(struct mac_biba *mac_biba, char *string)
> {
> - char *single, *range, *rangeend, *rangehigh, *rangelow;
> + char *range, *rangeend, *rangehigh, *rangelow, *single;
> int error;
>
> /* Do we have a range? */
> @@ -689,7 +777,7 @@
> rangelow);
> if (error)
> return (error);
> - error == mac_biba_parse_element(&mac_biba->mb_rangehigh,
> + error = mac_biba_parse_element(&mac_biba->mb_rangehigh,
> rangehigh);
> if (error)
> return (error);
> @@ -757,13 +845,16 @@
> strcmp(dev->si_name, "random") == 0 ||
> strncmp(dev->si_name, "fd/", strlen("fd/")) == 0)
> biba_type = MAC_BIBA_TYPE_EQUAL;
> + else if (strcmp(dev->si_name, "kmem") == 0 ||
> + strcmp(dev->si_name, "mem") == 0)
> + biba_type = MAC_BIBA_TYPE_HIGH;
> else if (ptys_equal &&
> (strncmp(dev->si_name, "ttyp", strlen("ttyp")) == 0 ||
> strncmp(dev->si_name, "ptyp", strlen("ptyp")) == 0))
> biba_type = MAC_BIBA_TYPE_EQUAL;
> else
> biba_type = MAC_BIBA_TYPE_HIGH;
> - mac_biba_set_single(mac_biba, biba_type, 0);
> + mac_biba_set_single(mac_biba, biba_type, 0, NULL);
> }
>
> static void
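Review bot: The added `kmem`/`mem` branch assigns `MAC_BIBA_TYPE_HIGH`, which is what the final `else` already assigns, so as written it does not change the label of either device. If the intent is to pin these devices at high integrity regardless of later changes to the default or to the `ptys_equal` branch, a comment saying so (for example `/* kernel memory must never drop below high integrity */`) would make that explicit. The enclosing function starts outside this hunk.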
> @@ -773,7 +864,7 @@
> struct mac_biba *mac_biba;
>
> mac_biba = SLOT(label);
> - mac_biba_set_single(mac_biba, MAC_BIBA_TYPE_HIGH, 0);
> + mac_biba_set_single(mac_biba, MAC_BIBA_TYPE_LOW, 0, NULL);
> }
>
> static void
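Review bot: The default here changes from `MAC_BIBA_TYPE_HIGH` to `MAC_BIBA_TYPE_LOW` with no explanation in the change description, which only mentions syncing with MLS, adding compartments and fixing bugs. The same flip appears in the next hunk, where the retained comment still reads "Always mount root as high integrity" and now contradicts the code, and in the credential hunk at `-1285,8`. Under an integrity policy the initial low/high assignment decides who may modify an object, so each of these needs either a comment giving the reason or a revert; possibly the values were carried over from the MLS policy during the sync. The function this line belongs to is not visible in the hunk.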
> @@ -832,9 +923,9 @@
>
> /* Always mount root as high integrity. */
> mac_biba = SLOT(fslabel);
> - mac_biba_set_single(mac_biba, MAC_BIBA_TYPE_HIGH, 0);
> + mac_biba_set_single(mac_biba, MAC_BIBA_TYPE_LOW, 0, NULL);
> mac_biba = SLOT(mntlabel);
> - mac_biba_set_single(mac_biba, MAC_BIBA_TYPE_HIGH, 0);
> + mac_biba_set_single(mac_biba, MAC_BIBA_TYPE_LOW, 0, NULL);
> }
>
> static void
> @@ -858,7 +949,7 @@
> source = SLOT(vnodelabel);
> dest = SLOT(direntlabel);
>
> - mac_biba_copy(source, dest);
> + mac_biba_copy_single(source, dest);
> }
>
> static void
> @@ -972,7 +1063,7 @@
> source = SLOT(newlabel);
> dest = SLOT(socketlabel);
>
> - mac_biba_copy(source, dest);
> + mac_biba_copy_single(source, dest);
> }
>
> static void
> @@ -1033,52 +1124,58 @@
> char tifname[IFNAMSIZ], ifname[IFNAMSIZ], *p, *q;
> char tiflist[sizeof(trusted_interfaces)];
> struct mac_biba *dest;
> - int len, grade;
> + int len, type;
>
> dest = SLOT(ifnetlabel);
>
> if (ifnet->if_type == IFT_LOOP) {
> - grade = MAC_BIBA_TYPE_EQUAL;
> + type = MAC_BIBA_TYPE_EQUAL;
> goto set;
> }
>
> if (trust_all_interfaces) {
> - grade = MAC_BIBA_TYPE_HIGH;
> + type = MAC_BIBA_TYPE_HIGH;
> goto set;
> }
>
> - grade = MAC_BIBA_TYPE_LOW;
> + type = MAC_BIBA_TYPE_LOW;
>
> if (trusted_interfaces[0] == '\0' ||
> !strvalid(trusted_interfaces, sizeof(trusted_interfaces)))
> goto set;
>
> bzero(tiflist, sizeof(tiflist));
> - for (p = trusted_interfaces, q = tiflist; *p != '\0'; p++, q++)
> + for (p = trusted_interfaces, q = tiflist; *p != NULL; p++)
> if(*p != ' ' && *p != '\t')
> *q = *p;
>
> snprintf(ifname, IFNAMSIZ, "%s%d", ifnet->if_name, ifnet->if_unit);
>
> for (p = q = tiflist;; p++) {
> - if (*p == ',' || *p == '\0') {
> + if (*p == ',' || *p == NULL) {
> len = p - q;
> if (len < IFNAMSIZ) {
> bzero(tifname, sizeof(tifname));
> bcopy(q, tifname, len);
> if (strcmp(tifname, ifname) == 0) {
> - grade = MAC_BIBA_TYPE_HIGH;
> + type = MAC_BIBA_TYPE_HIGH;
> break;
> }
> }
> - if (*p == '\0')
> + else {
> + *p = NULL;
> + printf("MAC/Biba warning: interface name "
> + "\"%s\" is too long (must be < %d)\n",
> + q, IFNAMSIZ);
> + }
> + if (*p == NULL)
> break;
> q = p + 1;
> }
> }
> set:
> - mac_biba_set_single(dest, grade, 0);
> - mac_biba_set_range(dest, grade, 0, grade, 0);
> + mac_biba_set_single(dest, type, 0, NULL);
> + mac_biba_set_range(dest, type, 0, NULL, type, 0, NULL);
> }
>
> static void
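Review bot: The whitespace-stripping loop no longer advances `q`: the `q++` was dropped from the `for` header and the body is still `*q = *p;`, so every character overwrites `tiflist[0]` and the comparison below only ever sees a one-character list. Entries in `trusted_interfaces` can then no longer match, leaving those interfaces at `MAC_BIBA_TYPE_LOW`; the body should be `*q++ = *p;`. In the new `else` branch, `*p = NULL` followed by `if (*p == NULL) break;` ends the scan at the first over-long name, so later entries in the list are never checked. The terminator comparisons should use `'\0'` rather than `NULL`, which is a pointer constant.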
> @@ -1147,7 +1244,7 @@
>
> dest = SLOT(mbuflabel);
>
> - mac_biba_set_single(dest, MAC_BIBA_TYPE_EQUAL, 0);
> + mac_biba_set_single(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL);
> }
>
> static void
> @@ -1274,8 +1371,9 @@
>
> dest = SLOT(&cred->cr_label);
>
> - mac_biba_set_single(dest, MAC_BIBA_TYPE_EQUAL, 0);
> - mac_biba_set_range(dest, MAC_BIBA_TYPE_LOW, 0, MAC_BIBA_TYPE_HIGH, 0);
> + mac_biba_set_single(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL);
> + mac_biba_set_range(dest, MAC_BIBA_TYPE_LOW, 0, NULL, MAC_BIBA_TYPE_HIGH,
> + 0, NULL);
> }
>
> static void
> @@ -1285,8 +1383,9 @@
>
> dest = SLOT(&cred->cr_label);
>
> - mac_biba_set_single(dest, MAC_BIBA_TYPE_HIGH, 0);
> - mac_biba_set_range(dest, MAC_BIBA_TYPE_LOW, 0, MAC_BIBA_TYPE_HIGH, 0);
> + mac_biba_set_single(dest, MAC_BIBA_TYPE_LOW, 0, NULL);
> + mac_biba_set_range(dest, MAC_BIBA_TYPE_LOW, 0, NULL, MAC_BIBA_TYPE_HIGH,
> + 0, NULL);
> }
>
> static void
> @@ -1358,7 +1457,7 @@
> return (EPERM);
>
> /*
> - * To have EQUAL in any components of the new credential
> + * To have EQUAL in any component of the new credential
> * Biba label, the subject must already have EQUAL in
> * their label.
> */
> @@ -1420,12 +1519,17 @@
> if (new->mb_flags & MAC_BIBA_FLAGS_BOTH) {
> /*
> * Rely on the traditional superuser status for the Biba
> - * interface relabel requirements. XXXMAC: This will go
> + * interface relabel requirements. XXXMAC: This will go
> * away.
> */
> error = suser_cred(cred, 0);
> if (error)
> return (EPERM);
> +
> + /*
> + * XXXMAC: Additional consistency tests regarding the single
> + * and the range of the new label might be performed here.
> + */
> }
>
> return (0);
> @@ -1546,7 +1650,7 @@
> /*
> * To change the Biba label on a pipe, the new pipe label
> * must be in the subject range.
> - */
> + */
> if (!mac_biba_single_in_range(new, subj))
> return (EPERM);
>
> @@ -1732,6 +1836,9 @@
> {
> struct mac_biba *subj, *obj;
>
> + if (!mac_biba_enabled)
> + return (0);
> +
> subj = SLOT(&cred->cr_label);
> obj = SLOT(socketlabel);
>
> @@ -1891,7 +1998,7 @@
> return (0);
> }
>
> -static int
> +static int
> mac_biba_check_vnode_link(struct ucred *cred, struct vnode *dvp,
> struct label *dlabel, struct vnode *vp, struct label *label,
> struct componentname *cnp)
> @@ -2092,8 +2199,7 @@
> * To change the Biba label on a vnode, the new vnode label
> * must be in the subject range.
> */
> - if (new->mb_flags & MAC_BIBA_FLAG_SINGLE &&
> - !mac_biba_single_in_range(new, subj))
> + if (!mac_biba_single_in_range(new, subj))
> return (EPERM);
>
> /*
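Review bot: With the `MAC_BIBA_FLAG_SINGLE` guard removed, a new label that carries only a range now reaches `mac_biba_single_in_range()`. The copy helpers in this file assert that flag on their input; if `mac_biba_single_in_range()` does the same (its body is not in this diff), a range-only label supplied for a vnode relabel would trip the assertion instead of being refused. Rejecting it first with `if ((new->mb_flags & MAC_BIBA_FLAG_SINGLE) == 0) return (EINVAL);` keeps the check strict without that risk, unless an earlier test outside this hunk already guarantees the flag.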
> @@ -2586,6 +2692,6 @@
> { MAC_OP_LAST, NULL }
> };
>
> -MAC_POLICY_SET(mac_biba, "TrustedBSD MAC/Biba", "Network Associates",
"0.1",
> - MAC_BIBA_LABEL_NAME, &mac_biba_slot, mac_biba_ops,
> - MPC_LT_FLAG_ONBOOT_NO_UNLOAD, MPC_RT_FLAG_ENFORCED, NULL);
> +MAC_POLICY_SET(mac_biba, "TrustedBSD Compartmentalized MAC/Biba",
> + "Network Associates", "0.1", MAC_BIBA_LABEL_NAME, &mac_biba_slot,
> + mac_biba_ops, MPC_LT_FLAG_ONBOOT_NO_UNLOAD, MPC_RT_FLAG_ENFORCED,
NULL);
>
> ====
//depot/user/amigus/amigus_mac_userland/sys/security/mac_biba/mac_biba.h#3
(text+ko) ====
>
> @@ -68,9 +68,13 @@
> * and mb_grade represents the hierarchal grade if valid for the current
> * mb_type.
> */
> +
> +#define MAC_BIBA_MAX_COMPARTMMENTS 256
> +
> struct mac_biba_element {
> u_short mbe_type;
> u_short mbe_grade;
> + u_char mbe_compartments[MAC_BIBA_MAX_COMPARTMENTS >> 3];
> };
>
> /*
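Review bot: The new define is spelled `MAC_BIBA_MAX_COMPARTMMENTS` (double M), while the array in the struct below and every use in mac_biba.c spell it `MAC_BIBA_MAX_COMPARTMENTS`. The header therefore only compiles when sys/mac.h, which defines the correctly spelled name in this same change, has been included first; the line should read `#define MAC_BIBA_MAX_COMPARTMENTS 256`. `struct mac_biba_element` is also now declared with the new member in both headers, and the two copies have to be kept identical by hand.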
> @@ -86,4 +90,12 @@
> };
> #endif
>
> +/*
> + * Biba compartments bit test/set macros.
> + * The range is 1 to MAC_BIBA_MAX_COMPARTMENTS.
> + */
> +#define MAC_BIBA_BIT_TEST(b, w) (w[((b - 1) >> 3)] & (1 << ((b - 1) &
7)))
> +#define MAC_BIBA_BIT_SET(b, w) (w[((b - 1) >> 3)] |= (1 << ((b - 1) &
7)))
> +#define MAC_BIBA_BIT_SET_EMPTY(set) biba_bit_set_empty(set)
> +
> #endif /* !_SYS_SECURITY_MAC_BIBA_H */
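Review bot: `MAC_BIBA_BIT_TEST` and `MAC_BIBA_BIT_SET` use their arguments unparenthesised and do no range check, so an argument like `p + 1` for `w` mis-expands and a `b` outside 1..MAC_BIBA_MAX_COMPARTMENTS indexes outside the array. Parenthesise them, e.g. `((w)[((b) - 1) >> 3] & (1 << (((b) - 1) & 7)))`, and keep the range in the comment as a stated precondition for callers. `MAC_BIBA_BIT_SET_EMPTY` expands to `biba_bit_set_empty()`, which is `static` in mac_biba.c, so the macro cannot be used by any other file that includes this header.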
>
> ==== //depot/user/amigus/amigus_mac_userland/sys/sys/mac.h#13 (text+ko)
====
>
> @@ -148,9 +148,12 @@
> * these can be disabled.
> */
>
> +#define MAC_BIBA_MAX_COMPARTMENTS 256
> +
> struct mac_biba_element {
> u_short mbe_type;
> u_short mbe_grade;
> + u_char mbe_compartments[MAC_BIBA_MAX_COMPARTMENTS >> 3];
> };
>
> struct mac_biba {
>