Date: Fri, 24 Oct 2008 13:22:16 GMT From: Marko Zec <zec@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 151847 for review Message-ID: <200810241322.m9ODMGDm044467@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=151847 Change 151847 by zec@zec_tpx32 on 2008/10/24 13:21:57 Reduce diff against head by actually introducing a bit of whitespace junk here and removing other bits there. More importantly, do not initialize global variables at instantiation (for nooptions VIMAGE builds only) in preparation for merging this further down the pipeline vimage-commi2 -> head. Affected files ... .. //depot/projects/vimage/src/sys/contrib/altq/altq/altq_subr.c#9 edit .. //depot/projects/vimage/src/sys/dev/ata/chipsets/ata-acard.c#2 edit .. //depot/projects/vimage/src/sys/net/if.c#45 edit .. //depot/projects/vimage/src/sys/netinet/icmp_var.h#5 edit .. //depot/projects/vimage/src/sys/netinet/if_ether.c#27 edit .. //depot/projects/vimage/src/sys/netinet/in_pcb.c#37 edit .. //depot/projects/vimage/src/sys/netinet/in_var.h#11 edit .. //depot/projects/vimage/src/sys/netinet/ip_divert.c#17 edit .. //depot/projects/vimage/src/sys/netinet/ip_fw2.c#53 edit .. //depot/projects/vimage/src/sys/netinet/ip_icmp.c#21 edit .. //depot/projects/vimage/src/sys/netinet/ip_input.c#38 edit .. //depot/projects/vimage/src/sys/netinet/ip_ipsec.c#16 edit .. //depot/projects/vimage/src/sys/netinet/tcp_input.c#40 edit .. //depot/projects/vimage/src/sys/netinet/tcp_subr.c#55 edit .. //depot/projects/vimage/src/sys/netinet/tcp_syncache.c#43 edit .. //depot/projects/vimage/src/sys/netinet/tcp_syncache.h#18 edit .. //depot/projects/vimage/src/sys/netinet/udp_usrreq.c#37 edit .. //depot/projects/vimage/src/sys/netinet6/icmp6.c#32 edit .. //depot/projects/vimage/src/sys/netinet6/nd6_nbr.c#25 edit .. //depot/projects/vimage/src/sys/netinet6/vinet6.h#24 edit .. //depot/projects/vimage/src/sys/netipsec/key.c#27 edit .. //depot/projects/vimage/src/sys/netipsec/keysock.c#16 edit .. //depot/projects/vimage/src/sys/netipsec/keysock.h#3 edit .. //depot/projects/vimage/src/sys/netipsec/vipsec.h#16 edit .. //depot/projects/vimage/src/sys/netipsec/xform_ah.c#18 edit .. 
//depot/projects/vimage/src/sys/netipsec/xform_esp.c#18 edit .. //depot/projects/vimage/src/sys/netipsec/xform_ipcomp.c#15 edit .. //depot/projects/vimage/src/sys/netipsec/xform_ipip.c#19 edit .. //depot/projects/vimage/src/sys/netipsec/xform_tcp.c#3 edit .. //depot/projects/vimage/src/sys/security/mac/mac_framework.h#13 edit .. //depot/projects/vimage/src/sys/security/mac/mac_inet.c#11 edit .. //depot/projects/vimage/src/sys/security/mac/mac_policy.h#14 integrate .. //depot/projects/vimage/src/sys/security/mac_partition/mac_partition.c#8 integrate .. //depot/projects/vimage/src/sys/sys/vimage.h#69 edit Differences ... ==== //depot/projects/vimage/src/sys/contrib/altq/altq/altq_subr.c#9 (text+ko) ==== @@ -447,6 +447,7 @@ tbr_timeout(arg) void *arg; { + VNET_ITERATOR_DECL(vnet_iter); struct ifnet *ifp; int active, s; 
@@ -459,17 +460,23 @@ #if defined(__FreeBSD__) && (__FreeBSD_version >= 500000) IFNET_RLOCK(); #endif - VNET_ITERLOOP_BEGIN(); - INIT_VNET_NET(curvnet); - for (ifp = TAILQ_FIRST(&V_ifnet); ifp; ifp = TAILQ_NEXT(ifp, if_list)) { - /* read from if_snd unlocked */ - if (!TBR_IS_ENABLED(&ifp->if_snd)) - continue; - active++; - if (!IFQ_IS_EMPTY(&ifp->if_snd) && ifp->if_start != NULL) - (*ifp->if_start)(ifp); + VNET_LIST_RLOCK(); + VNET_FOREACH(vnet_iter) { + CURVNET_SET(vnet_iter); + INIT_VNET_NET(vnet_iter); + for (ifp = TAILQ_FIRST(&V_ifnet); ifp; + ifp = TAILQ_NEXT(ifp, if_list)) { + /* read from if_snd unlocked */ + if (!TBR_IS_ENABLED(&ifp->if_snd)) + continue; + active++; + if (!IFQ_IS_EMPTY(&ifp->if_snd) && + ifp->if_start != NULL) + (*ifp->if_start)(ifp); + } + CURVNET_RESTORE(); } - VNET_ITERLOOP_END() + VNET_LIST_RUNLOCK(); #if defined(__FreeBSD__) && (__FreeBSD_version >= 500000) IFNET_RUNLOCK(); #endif ==== //depot/projects/vimage/src/sys/dev/ata/chipsets/ata-acard.c#2 (text+ko) ==== ==== //depot/projects/vimage/src/sys/net/if.c#45 (text+ko) ==== ==== //depot/projects/vimage/src/sys/netinet/icmp_var.h#5 (text+ko) ==== ==== //depot/projects/vimage/src/sys/netinet/if_ether.c#27 (text+ko) ==== @@ -887,6 +887,10 @@ (*ifp->if_output)(ifp, hold, rt_key(rt), rt); } /* end of FIB loop */ reply: + + /* + * Decide if we have to respond to something. + */ if (op != ARPOP_REQUEST) goto drop; if (itaddr.s_addr == myaddr.s_addr) { ==== //depot/projects/vimage/src/sys/netinet/in_pcb.c#37 (text+ko) ==== 
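Review bot: In tbr_timeout() the driver callback `(*ifp->if_start)(ifp)` now runs with the vnet list read lock held in addition to the ifnet read lock, and the acquisition order (IFNET_RLOCK, then VNET_LIST_RLOCK) is not documented anywhere in the hunk. If any start routine can reach code that wants either lock for writing, this nesting is where it would stall, so the order should be stated and kept the same at other call sites. A comment such as `/* Lock order: IFNET before VNET_LIST; if_start is called with both held for read. */` above VNET_LIST_RLOCK() would do. Note also that IFNET_RLOCK() sits inside a `__FreeBSD_version` guard while the VNET macros do not.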
@@ -120,13 +120,10 @@ static int sysctl_net_ipport_check(SYSCTL_HANDLER_ARGS) { -#ifdef VIMAGE INIT_VNET_INET(curvnet); - SYSCTL_RESOLVE_V_ARG1(); -#endif int error; - error = sysctl_handle_int(oidp, arg1, arg2, req); + error = sysctl_handle_int(oidp, oidp->oid_arg1, oidp->oid_arg2, req); if (error == 0) { RANGECHK(V_ipport_lowfirstauto, 1, IPPORT_RESERVED - 1); RANGECHK(V_ipport_lowlastauto, 1, IPPORT_RESERVED - 1); ==== //depot/projects/vimage/src/sys/netinet/in_var.h#11 (text+ko) ==== @@ -101,16 +101,16 @@ #define IPREASS_HASH(x,y) \ (((((x) & 0xF) | ((((x) >> 8) & 0xF) << 4)) ^ (y)) & IPREASS_HMASK) -/* - * Macro for finding the internet address structure (in_ifaddr) - * corresponding to one of our IP addresses (in_addr). - */ -#define INADDR_NHASH_LOG2 9 +#define INADDR_NHASH_LOG2 9 #define INADDR_NHASH (1 << INADDR_NHASH_LOG2) #define INADDR_HASHVAL(x) fnv_32_buf((&(x)), sizeof(x), FNV1_32_INIT) #define INADDR_HASH(x) \ (&V_in_ifaddrhashtbl[INADDR_HASHVAL(x) & V_in_ifaddrhmask]) +/* + * Macro for finding the internet address structure (in_ifaddr) + * corresponding to one of our IP addresses (in_addr). + */ #define INADDR_TO_IFADDR(addr, ia) \ /* struct in_addr addr; */ \ /* struct in_ifaddr *ia; */ \ ==== //depot/projects/vimage/src/sys/netinet/ip_divert.c#17 (text+ko) ==== @@ -152,7 +152,7 @@ div_init(void) { INIT_VNET_INET(curvnet); - + #ifdef VIMAGE if (IS_DEFAULT_VNET(curvnet)) { #endif @@ -304,7 +304,7 @@ m_freem(m); V_ipstat.ips_noproto++; V_ipstat.ips_delivered--; - } + } } /* @@ -318,7 +318,7 @@ div_output(struct socket *so, struct mbuf *m, struct sockaddr_in *sin, struct mbuf *control) { - INIT_VNET_INET(so->so_vnet); + INIT_VNET_INET(curvnet); struct m_tag *mtag; struct divert_tag *dt; int error = 0; 
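Review bot: In sysctl_net_ipport_check() (in_pcb.c) the handler now passes `oidp->oid_arg1` to sysctl_handle_int() unresolved, and the `SYSCTL_RESOLVE_V_ARG1()` step that used to run under `#ifdef VIMAGE` is gone. If an options-VIMAGE kernel still keeps a per-vnet offset rather than a kernel address in oid_arg1 for these OIDs (the macro's name suggests it resolved exactly that, but its definition is not part of this change), a userland write would be stored through an unresolved pointer, and the RANGECHK clamps below would then act on a different variable than the one written. Either keep the resolve step under `#ifdef VIMAGE`, or add a comment such as `/* nooptions VIMAGE only: oid_arg1 is already a kernel address */` so the assumption is visible when this is merged further. The function body continues past the hunk.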
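Review bot: div_output() in ip_divert.c now takes its network-stack instance from `curvnet` instead of from the socket it was handed (`so->so_vnet`), so it is only correct if every caller has already set curvnet to the socket's vnet. Nothing in the hunk enforces that, and a mismatch would make the V_ state used further down belong to a different stack instance than the divert socket does. An assertion under `#ifdef VIMAGE`, for example `KASSERT(curvnet == so->so_vnet, ("div_output: curvnet != so_vnet"));`, would pin the assumption down. The rest of the function lies outside the hunk.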
@@ -576,11 +576,11 @@ void div_ctlinput(int cmd, struct sockaddr *sa, void *vip) { - struct in_addr faddr; + struct in_addr faddr; faddr = ((struct sockaddr_in *)sa)->sin_addr; if (sa->sa_family != AF_INET || faddr.s_addr == INADDR_ANY) - return; + return; if (PRC_IS_REDIRECT(cmd)) return; } @@ -768,9 +768,9 @@ } static moduledata_t ipdivertmod = { - "ipdivert", - div_modevent, - 0 + "ipdivert", + div_modevent, + 0 }; DECLARE_MODULE(ipdivert, ipdivertmod, SI_SUB_PROTO_IFATTACHDOMAIN, SI_ORDER_ANY); ==== //depot/projects/vimage/src/sys/netinet/ip_fw2.c#53 (text+ko) ==== @@ -642,7 +642,6 @@ return 1; } - static __inline int hash_packet6(struct ipfw_flow_id *id) { ==== //depot/projects/vimage/src/sys/netinet/ip_icmp.c#21 (text+ko) ==== @@ -78,17 +78,17 @@ */ #ifndef VIMAGE -struct icmpstat icmpstat; -static int icmpmaskrepl = 0; -static u_int icmpmaskfake = 0; -static int drop_redirect = 0; -static int log_redirect = 0; -static int icmplim = 200; -static int icmplim_output = 1; -static char reply_src[IFNAMSIZ]; -static int icmp_rfi = 0; -static int icmp_quotelen = 8; -static int icmpbmcastecho = 0; +struct icmpstat icmpstat; +static int icmpmaskrepl; +static u_int icmpmaskfake; +static int drop_redirect; +static int log_redirect; +static int icmplim; +static int icmplim_output; +static char reply_src[IFNAMSIZ]; +static int icmp_rfi; +static int icmp_quotelen; +static int icmpbmcastecho; #endif SYSCTL_V_STRUCT(V_NET, vnet_inet, _net_inet_icmp, ICMPCTL_STATS, stats, ==== //depot/projects/vimage/src/sys/netinet/ip_input.c#38 (text+ko) ==== @@ -240,8 +240,7 @@ int i; TAILQ_INIT(&V_in_ifaddrhead); - V_in_ifaddrhashtbl = hashinit(INADDR_NHASH, M_IFADDR, - &V_in_ifaddrhmask); + V_in_ifaddrhashtbl = hashinit(INADDR_NHASH, M_IFADDR, &V_in_ifaddrhmask); /* Initialize IP reassembly queue. */ for (i = 0; i < IPREASS_NHASH; i++) ==== //depot/projects/vimage/src/sys/netinet/ip_ipsec.c#16 (text+ko) ==== 
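Review bot: With the initialisers dropped from the `#ifndef VIMAGE` block in ip_icmp.c, `icmplim`, `icmplim_output` and `icmp_quotelen` start at zero instead of 200, 1 and 8, and no run-time assignment of those defaults is visible in this change. Unless the protocol's init routine (not shown) sets them before the first packet is handled, the ICMP response rate limit and the quote length run at zero until an administrator sets the sysctls; a zero limit presumably means no limiting, which should be confirmed. The same applies to `ah_enable`, `ah_cleartos` and `esp_enable`, which go from 1 to zero-initialised in the xform_ah.c and xform_esp.c hunks. A comment above each block such as `/* defaults are assigned in the init routine, not here */` would help, together with a check that each init routine really assigns them.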
@@ -144,7 +144,6 @@ #ifdef IPSEC INIT_VNET_IPSEC(curvnet); struct ip *ip = mtod(m, struct ip *); - INIT_VNET_IPSEC(curvnet); struct m_tag *mtag; struct tdb_ident *tdbi; struct secpolicy *sp; ==== //depot/projects/vimage/src/sys/netinet/tcp_input.c#40 (text+ko) ==== @@ -142,10 +142,8 @@ "Enable RFC 3390 (Increasing TCP's Initial Congestion Window)"); SYSCTL_NODE(_net_inet_tcp, OID_AUTO, ecn, CTLFLAG_RW, 0, "TCP ECN"); - SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp_ecn, OID_AUTO, enable, CTLFLAG_RW, tcp_do_ecn, 0, "TCP ECN support"); - SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp_ecn, OID_AUTO, maxretries, CTLFLAG_RW, tcp_ecn_maxretries, 0, "Max retries before giving up on ECN"); ==== //depot/projects/vimage/src/sys/netinet/tcp_subr.c#55 (text+ko) ==== @@ -292,6 +292,7 @@ static void tcp_zone_change(void *tag) { + uma_zone_set_max(tcp_ipi_zone, maxsockets); uma_zone_set_max(tcpcb_zone, maxsockets); tcp_tw_zone_change(); @@ -1616,10 +1617,10 @@ struct inpcb * tcp_drop_syn_sent(struct inpcb *inp, int errno) { - struct tcpcb *tp; #ifdef INVARIANTS INIT_VNET_INET(inp->inp_vnet); #endif + struct tcpcb *tp; INP_INFO_WLOCK_ASSERT(&V_tcbinfo); INP_WLOCK_ASSERT(inp); @@ -1992,6 +1993,7 @@ tcp_signature_compute(struct mbuf *m, int _unused, int len, int optlen, u_char *buf, u_int direction) { + INIT_VNET_IPSEC(curvnet); union sockaddr_union dst; struct ippseudo ippseudo; MD5_CTX ctx; ==== //depot/projects/vimage/src/sys/netinet/tcp_syncache.c#43 (text+ko) ==== @@ -98,12 +98,6 @@ #include <security/mac/mac_framework.h> -#ifdef TCP_OFFLOAD_DISABLE -#define TOEPCB_ISSET(sc) (0) -#else -#define TOEPCB_ISSET(sc) ((sc)->sc_toepcb != NULL) -#endif - static int tcp_syncookies = 1; SYSCTL_INT(_net_inet_tcp, OID_AUTO, syncookies, CTLFLAG_RW, &tcp_syncookies, 0, 
@@ -114,6 +108,12 @@ &tcp_syncookiesonly, 0, "Use only TCP SYN cookies"); +#ifdef TCP_OFFLOAD_DISABLE +#define TOEPCB_ISSET(sc) (0) +#else +#define TOEPCB_ISSET(sc) ((sc)->sc_toepcb != NULL) +#endif + static void syncache_drop(struct syncache *, struct syncache_head *); static void syncache_free(struct syncache *); static void syncache_insert(struct syncache *, struct syncache_head *); ==== //depot/projects/vimage/src/sys/netinet/tcp_syncache.h#18 (text+ko) ==== @@ -1,6 +1,6 @@ /*- * Copyright (c) 1982, 1986, 1993, 1994, 1995 - * The Regents of the University of California. All rights reserved. + * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -52,8 +52,7 @@ void syncache_chkrst(struct in_conninfo *, struct tcphdr *); void syncache_badack(struct in_conninfo *); int syncache_pcbcount(void); -int syncache_pcblist(struct sysctl_req *req, int max_pcbs, - int *pcbs_exported); +int syncache_pcblist(struct sysctl_req *req, int max_pcbs, int *pcbs_exported); struct syncache { TAILQ_ENTRY(syncache) sc_hash; @@ -87,7 +86,7 @@ #ifndef TCP_OFFLOAD_DISABLE struct toe_usrreqs *sc_tu; /* TOE operations */ void *sc_toepcb; /* TOE protocol block */ -#endif +#endif #ifdef MAC struct label *sc_label; /* MAC label reference */ #endif ==== //depot/projects/vimage/src/sys/netinet/udp_usrreq.c#37 (text+ko) ==== @@ -154,6 +154,7 @@ static void udp_zone_change(void *tag) { + uma_zone_set_max(udp_ipi_zone, maxsockets); } ==== //depot/projects/vimage/src/sys/netinet6/icmp6.c#32 (text+ko) ==== @@ -116,9 +116,7 @@ extern struct inpcbhead ripcb; extern int icmp6errppslim; static int icmp6errpps_count; -#endif /* !VIMAGE */ static struct timeval icmp6errppslim_last; -#ifndef VIMAGE extern int icmp6_nodeinfo; #endif /* !VIMAGE */ @@ -141,8 +139,8 @@ icmp6_init(void) { INIT_VNET_INET6(curvnet); + V_icmp6errpps_count = 0; - mld6_init(); } 
@@ -2814,7 +2812,7 @@ ret = 0; /* okay to send */ /* PPS limit */ - if (!ppsratecheck(&icmp6errppslim_last, &V_icmp6errpps_count, + if (!ppsratecheck(&V_icmp6errppslim_last, &V_icmp6errpps_count, V_icmp6errppslim)) { /* The packet is subject to rate limit */ ret++; ==== //depot/projects/vimage/src/sys/netinet6/nd6_nbr.c#25 (text+ko) ==== @@ -88,7 +88,7 @@ #ifndef VIMAGE int dad_ignore_ns; /* ignore NS in DAD - specwise incorrect*/ -int dad_maxtry; /* max # of *tries* to transmit DAD packet */ +int dad_maxtry; /* max # of *tries* to transmit DAD packet */ #endif /* !VIMAGE */ /* @@ -1246,11 +1246,14 @@ nd6_dad_timer(struct dadq *dp) { CURVNET_SET(dp->dad_vnet); - INIT_VNET_INET6(dp->dad_vnet); + INIT_VNET_INET6(curvnet); + int s; struct ifaddr *ifa = dp->dad_ifa; struct in6_ifaddr *ia = (struct in6_ifaddr *)ifa; char ip6buf[INET6_ADDRSTRLEN]; + s = splnet(); /* XXX */ + /* Sanity check */ if (ia == NULL) { log(LOG_ERR, "nd6_dad_timer: called with null parameter\n"); @@ -1337,6 +1340,7 @@ } done: + splx(s); CURVNET_RESTORE(); } ==== //depot/projects/vimage/src/sys/netinet6/vinet6.h#24 (text+ko) ==== @@ -84,7 +84,7 @@ TAILQ_HEAD(, dadq) _dadq; int _dad_init; int _icmp6errpps_count; - int _icmp6errppslim_last; + struct timeval _icmp6errppslim_last; int _ip6_forwarding; int _ip6_sendredirects; int _ip6_defhlim; ==== //depot/projects/vimage/src/sys/netipsec/key.c#27 (text+ko) ==== @@ -151,6 +151,7 @@ #define SAHTREE_LOCK() mtx_lock(&sahtree_lock) #define SAHTREE_UNLOCK() mtx_unlock(&sahtree_lock) #define SAHTREE_LOCK_ASSERT() mtx_assert(&sahtree_lock, MA_OWNED) + /* registed list */ #ifndef VIMAGE static LIST_HEAD(_regtree, secreg) regtree[SADB_SATYPE_MAX + 1]; @@ -203,6 +204,7 @@ SADB_SASTATE_LARVAL, SADB_SASTATE_DEAD }; #endif + static const int minsize[] = { sizeof(struct sadb_msg), /* SADB_EXT_RESERVED */ sizeof(struct sadb_sa), /* SADB_EXT_SA */ 
@@ -247,11 +249,13 @@ 0, /* SADB_X_EXT_POLICY */ sizeof(struct sadb_x_sa2), /* SADB_X_SA2 */ }; + #ifndef VIMAGE static int ipsec_esp_keymin = 256; static int ipsec_esp_auth = 0; static int ipsec_ah_keymin = 128; #endif + #ifdef SYSCTL_DECL SYSCTL_DECL(_net_key); #endif @@ -2353,7 +2357,6 @@ struct mbuf *m; const struct sadb_msghdr *mhp; { - printf("\n---> key_spdflush()..\n"); INIT_VNET_IPSEC(curvnet); struct sadb_msg *newmsg; struct secpolicy *sp; ==== //depot/projects/vimage/src/sys/netipsec/keysock.c#16 (text+ko) ==== ==== //depot/projects/vimage/src/sys/netipsec/keysock.h#3 (text+ko) ==== @@ -57,12 +57,14 @@ /* others */ u_quad_t sockerr; /* # of socket related errors */ }; + #ifdef VIMAGE struct key_cb { int key_count; int any_count; }; #endif + #define KEY_SENDUP_ONE 0 #define KEY_SENDUP_ALL 1 #define KEY_SENDUP_REGISTERED 2 ==== //depot/projects/vimage/src/sys/netipsec/vipsec.h#16 (text+ko) ==== @@ -115,7 +115,9 @@ }; #endif -/* Symbol translation macros */ +/* + * Symbol translation macros + */ #define INIT_VNET_IPSEC(vnet) \ INIT_FROM_VNET(vnet, VNET_MOD_IPSEC, struct vnet_ipsec, vnet_ipsec) ==== //depot/projects/vimage/src/sys/netipsec/xform_ah.c#18 (text+ko) ==== @@ -89,8 +89,8 @@ ((sav->flags & SADB_X_EXT_OLD) ? 16 : AH_HMAC_HASHLEN) #ifndef VIMAGE -int ah_enable = 1; /* control flow of packets with AH */ -int ah_cleartos = 1; /* clear ip_tos when doing AH calc */ +int ah_enable; /* control flow of packets with AH */ +int ah_cleartos; /* clear ip_tos when doing AH calc */ struct ahstat ahstat; #endif ==== //depot/projects/vimage/src/sys/netipsec/xform_esp.c#18 (text+ko) ==== @@ -77,8 +77,9 @@ #include <opencrypto/xform.h> #ifndef VIMAGE -int esp_enable = 1; +int esp_enable; struct espstat espstat; +static int esp_max_ivlen; /* max iv length over all algorithms */ #endif SYSCTL_DECL(_net_inet_esp); 
@@ -87,9 +88,6 @@ SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet_esp, IPSECCTL_STATS, stats, CTLFLAG_RD, espstat, espstat, ""); -#ifndef VIMAGE -static int esp_max_ivlen; /* max iv length over all algorithms */ -#endif static int esp_input_cb(struct cryptop *op); static int esp_output_cb(struct cryptop *crp); ==== //depot/projects/vimage/src/sys/netipsec/xform_ipcomp.c#15 (text+ko) ==== @@ -68,7 +68,7 @@ #include <opencrypto/xform.h> #ifndef VIMAGE -int ipcomp_enable = 0; +int ipcomp_enable; struct ipcompstat ipcompstat; #endif ==== //depot/projects/vimage/src/sys/netipsec/xform_ipip.c#19 (text+ko) ==== @@ -92,7 +92,7 @@ * net.inet.ipip.allow value. Zero means drop them, all else is acceptance. */ #ifndef VIMAGE -int ipip_allow = 0; +int ipip_allow; struct ipipstat ipipstat; #endif @@ -718,10 +718,10 @@ /* attach to encapsulation framework */ /* XXX save return cookie for detach on module remove */ (void) encap_attach_func(AF_INET, -1, - ipe4_encapcheck, &ipe4_protosw, NULL); + ipe4_encapcheck, &ipe4_protosw, NULL); #ifdef INET6 (void) encap_attach_func(AF_INET6, -1, - ipe4_encapcheck, (struct protosw *)&ipe6_protosw, NULL); + ipe4_encapcheck, (struct protosw *)&ipe6_protosw, NULL); #endif return 0; ==== //depot/projects/vimage/src/sys/netipsec/xform_tcp.c#3 (text+ko) ==== @@ -82,6 +82,7 @@ static int tcpsignature_init(struct secasvar *sav, struct xformsw *xsp) { + INIT_VNET_IPSEC(curvnet); int keylen; if (sav->spi != htonl(TCP_SIG_SPI)) { ==== //depot/projects/vimage/src/sys/security/mac/mac_framework.h#13 (text+ko) ==== @@ -35,7 +35,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $FreeBSD: src/sys/security/mac/mac_framework.h,v 1.101 2008/08/23 15:26:36 rwatson Exp $ + * $FreeBSD: src/sys/security/mac/mac_framework.h,v 1.102 2008/10/17 12:54:28 bz Exp $ */ /* 
@@ -131,6 +131,7 @@ struct ifnet *ifp); int mac_inpcb_check_deliver(struct inpcb *inp, struct mbuf *m); +int mac_inpcb_check_visible(struct ucred *cred, struct inpcb *inp); void mac_inpcb_create(struct socket *so, struct inpcb *inp); void mac_inpcb_create_mbuf(struct inpcb *inp, struct mbuf *m); void mac_inpcb_destroy(struct inpcb *); ==== //depot/projects/vimage/src/sys/security/mac/mac_inet.c#11 (text+ko) ==== @@ -40,7 +40,7 @@ */ #include <sys/cdefs.h> -__FBSDID("$FreeBSD: src/sys/security/mac/mac_inet.c,v 1.21 2008/08/23 15:26:36 rwatson Exp $"); +__FBSDID("$FreeBSD: src/sys/security/mac/mac_inet.c,v 1.22 2008/10/17 12:54:28 bz Exp $"); #include "opt_mac.h" @@ -313,6 +313,18 @@ return (error); } +int +mac_inpcb_check_visible(struct ucred *cred, struct inpcb *inp) +{ + int error; + + INP_LOCK_ASSERT(inp); + + MAC_CHECK(inpcb_check_visible, cred, inp, inp->inp_label); + + return (error); +} + void mac_inpcb_sosetlabel(struct socket *so, struct inpcb *inp) { ==== //depot/projects/vimage/src/sys/security/mac/mac_policy.h#14 (text+ko) ==== @@ -36,7 +36,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $FreeBSD: src/sys/security/mac/mac_policy.h,v 1.111 2008/08/23 15:26:36 rwatson Exp $ + * $FreeBSD: src/sys/security/mac/mac_policy.h,v 1.112 2008/10/17 12:54:28 bz Exp $ */ /* * Kernel interface for MAC policy modules. @@ -187,6 +187,8 @@ typedef int (*mpo_inpcb_check_deliver_t)(struct inpcb *inp, struct label *inplabel, struct mbuf *m, struct label *mlabel); +typedef int (*mpo_inpcb_check_visible_t)(struct ucred *cred, + struct inpcb *inp, struct label *inplabel); typedef void (*mpo_inpcb_create_t)(struct socket *so, struct label *solabel, struct inpcb *inp, struct label *inplabel); 
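Review bot: The new mac_inpcb_check_visible() in mac_inet.c has no comment describing its contract, and it returns `error` without any visible assignment, apparently relying on the MAC_CHECK macro to set it. Since this is an access-control entry point, a short header would help, for example `/* Ask the loaded MAC policies whether cred may see inp. The inpcb lock must be held; returns 0 or the policy's error. */`. It would also be worth stating what a caller is expected to do on a non-zero return, so that code paths which enumerate inpcbs apply the check consistently; the callers are not part of this change.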
@@ -689,6 +691,7 @@ mpo_ifnet_relabel_t mpo_ifnet_relabel; mpo_inpcb_check_deliver_t mpo_inpcb_check_deliver; + mpo_inpcb_check_visible_t mpo_inpcb_check_visible; mpo_inpcb_create_t mpo_inpcb_create; mpo_inpcb_create_mbuf_t mpo_inpcb_create_mbuf; mpo_inpcb_destroy_label_t mpo_inpcb_destroy_label; ==== //depot/projects/vimage/src/sys/security/mac_partition/mac_partition.c#8 (text+ko) ==== @@ -36,7 +36,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $FreeBSD: src/sys/security/mac_partition/mac_partition.c,v 1.24 2008/08/23 15:26:36 rwatson Exp $ + * $FreeBSD: src/sys/security/mac_partition/mac_partition.c,v 1.25 2008/10/17 08:58:33 bz Exp $ */ /* @@ -51,6 +51,7 @@ #include <sys/priv.h> #include <sys/proc.h> #include <sys/sbuf.h> +#include <sys/socketvar.h> #include <sys/systm.h> #include <sys/sysctl.h> @@ -248,7 +249,7 @@ { int error; - error = label_on_label(cred->cr_label, solabel); + error = label_on_label(cred->cr_label, so->so_cred->cr_label); return (error ? ENOENT : 0); } ==== //depot/projects/vimage/src/sys/sys/vimage.h#69 (text+ko) ==== @@ -383,33 +383,6 @@ char _domainname[MAXHOSTNAMELEN]; int _morphing_symlinks; - -#if 0 - long _cp_time[CPUSTATES]; - - struct loadavg _averunnable; /* from kern/kern_synch.c */ - int _sched_tdcnt; /* from kern/sched_4bsd.c */ - int _tdq_sysload[32]; /* XXX MAXCPUS from kern/sched_ule.c (SMP) */ - - u_int proc_limit; /* max. number of processes */ - - struct msgbuf *msgbufp; - int msgbuftrigger; - int msg_seqn; - - pid_t log_open_pid; - int log_sc_state; - struct selinfo log_sc_selp; - struct sigio *log_sc_sigio; - struct callout log_sc_callout; - - struct timeval boottime; - long boottdelta_sec; - - char chroot[MAXPATHLEN]; /* assigned/inherited from parent */ - - int big_brother; /* manage procs in all child vprocgs */ -#endif }; struct vcpu { 
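Review bot: In the mac_partition.c visibility check (hunk `@@ -248,7 +249,7 @@`) the comparison now dereferences `so->so_cred->cr_label` where it used the `solabel` argument before, and nothing in the hunk shows that `so_cred` is non-NULL and stable at this point. If the socket's lifetime rules guarantee that, say so in a comment, e.g. `/* Visibility is judged by the partition of the credential that created the socket. */`, and note that `solabel` is now deliberately unused so it is not "fixed" back later. The function's signature is outside the hunk.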
@@ -420,16 +393,6 @@ u_int _acc_statcalls; /* statclocks since last avg update*/ u_int _avg1_fixp; /* "fast" avg in 16:16 bit fixedpoint */ u_int _avg2_fixp; /* "slow" avg in 16:16 bit fixedpoint */ - -#if 0 - u_int cpu_min; /* Guaranteed CPU share */ - u_int cpu_max; /* Maximum average CPU usage */ - u_int intr_limit; /* Limit on CPU usage in intr ctx */ - u_int cpu_weight; /* Prop. share scheduling priority */ - u_int cpu_elimit; /* Dynamic soft CPU usage limit */ - u_int schedstamp; /* Prop. share scheduler tmp var */ - u_int forcedmin; /* Prop. share scheduler tmp var */ -#endif }; #endif /* VIMAGE */