From owner-trustedbsd-cvs@FreeBSD.ORG Wed Oct 25 19:34:17 2006 Return-Path: X-Original-To: trustedbsd-cvs@freebsd.org Delivered-To: trustedbsd-cvs@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A1FD416A403 for ; Wed, 25 Oct 2006 19:34:17 +0000 (UTC) (envelope-from owner-perforce@freebsd.org) Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6CC0F43D68 for ; Wed, 25 Oct 2006 19:34:06 +0000 (GMT) (envelope-from owner-perforce@freebsd.org) Received: from mx2.freebsd.org (mx2.freebsd.org [216.136.204.119]) by cyrus.watson.org (Postfix) with ESMTP id 1928746E80 for ; Wed, 25 Oct 2006 15:34:06 -0400 (EDT) Received: from hub.freebsd.org (hub.freebsd.org [216.136.204.18]) by mx2.freebsd.org (Postfix) with ESMTP id 9136A7299A; Wed, 25 Oct 2006 19:27:31 +0000 (GMT) (envelope-from owner-perforce@freebsd.org) Received: by hub.freebsd.org (Postfix, from userid 32767) id 89D5B16A47B; Wed, 25 Oct 2006 19:27:31 +0000 (UTC) X-Original-To: perforce@freebsd.org Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4B2FE16A407 for ; Wed, 25 Oct 2006 19:27:31 +0000 (UTC) (envelope-from millert@freebsd.org) Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3E45143D45 for ; Wed, 25 Oct 2006 19:27:19 +0000 (GMT) (envelope-from millert@freebsd.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.13.6/8.13.6) with ESMTP id k9PJRFhJ058362 for ; Wed, 25 Oct 2006 19:27:15 GMT (envelope-from millert@freebsd.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.13.6/8.13.4/Submit) id k9PJRFDG058359 for perforce@freebsd.org; Wed, 25 Oct 2006 19:27:15 GMT (envelope-from millert@freebsd.org) Date: Wed, 25 Oct 2006 19:27:15 GMT Message-Id: <200610251927.k9PJRFDG058359@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to millert@freebsd.org using -f From: Todd Miller To: Perforce Change Reviews Cc: Subject: PERFORCE change 108418 for review X-BeenThere: trustedbsd-cvs@FreeBSD.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: TrustedBSD CVS and Perforce commit message list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 25 Oct 2006 19:34:17 -0000 http://perforce.freebsd.org/chv.cgi?CH=108418 Change 108418 by millert@millert_macbook on 2006/10/25 19:26:51 The first first parameter of mac_devfs_label_associate_directory() is always NULL. Likewise, the first two parameters of mac_devfs_label_associate_device() are always NULL. This is an artifact of the port of the devfs support from FreeBSD which has a more featureful devfs implementation. There's no good reason to pass pointers into the framework (and then the entry points) that are always NULL so they have been removed. Affected files ... .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/miscfs/devfs/devfs_tree.c#5 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_framework.h#9 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_policy.h#17 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_vfs.c#13 edit .. //depot/projects/trustedbsd/sedarwin8/policies/mls/mac_mls.c#15 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#26 edit .. //depot/projects/trustedbsd/sedarwin8/policies/test/mac_test.c#13 edit Differences ... ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/miscfs/devfs/devfs_tree.c#5 (text+ko) ==== @@ -178,7 +178,7 @@ = (struct devfsmount *)devfs_hidden_mount->mnt_data; #endif /* HIDDEN_MOUNTPOINT */ #ifdef MAC - mac_devfs_label_associate_directory(NULL, "/", strlen("/"), + mac_devfs_label_associate_directory("/", strlen("/"), dev_root->de_dnp, "/"); #endif devfs_ready = 1; @@ -308,7 +308,7 @@ break; dnp = dirent_p->de_dnp; #ifdef MAC - mac_devfs_label_associate_directory(NULL, + mac_devfs_label_associate_directory( dirnode->dn_typeinfo.Dir.myname->de_name, strlen(dirnode->dn_typeinfo.Dir.myname->de_name), dnp, fullpath); @@ -1225,8 +1225,7 @@ new_dev->de_dnp->dn_uid = uid; new_dev->de_dnp->dn_mode |= perms; #ifdef MAC - mac_devfs_label_associate_device(NULL, NULL, dev, new_dev->de_dnp, - buff); + mac_devfs_label_associate_device(dev, new_dev->de_dnp, buff); #endif devfs_propogate(dnp->dn_typeinfo.Dir.myname, new_dev); } ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_framework.h#9 (text+ko) ==== @@ -150,10 +150,10 @@ void mac_vnode_label_associate_singlelabel(struct mount *mp, struct vnode *vp); void mac_vnode_label_associate_file(struct ucred *cred, struct fileglob *fg, struct vnode *vp); -void mac_devfs_label_associate_device(struct ucred *cr, struct mount *mp, - dev_t dev, struct devnode *de, const char *fullpath); -void mac_devfs_label_associate_directory(struct mount *mp, char *dirname, - int dirnamelen, struct devnode *de, const char *fullpath); +void mac_devfs_label_associate_device(dev_t dev, struct devnode *de, + const char *fullpath); +void mac_devfs_label_associate_directory(char *dirname, int dirnamelen, + struct devnode *de, const char *fullpath); int mac_vnode_notify_create(struct ucred *cred, struct mount *mp, struct vnode *dvp, struct vnode *vp, struct componentname *cnp); void mac_mount_label_associate(struct ucred *cred, struct mount *mp); ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_policy.h#17 (text+ko) ==== @@ -1496,23 +1496,16 @@ /** @brief Create a new devfs device - @param cred Process credential, if created on behalf of a user process - @param mp Devfs mount point (currently unused in Darwin) @param dev Major and minor numbers of special file @param de "inode" of new device file @param label Destination label @param fullpath Path relative to mount (e.g. /dev) of new device file This entry point labels a new devfs device. The label will likely be based - on the path to the device, or the major and minor numbers. If the device was - created on behalf of a user process (for example, /dev/pts/1), then - 'cred' contains the credentials of that process. - Otherwise, 'cred' is null. The policy should store an appropriate - label into 'label'. + on the path to the device, or the major and minor numbers. + The policy should store an appropriate label into 'label'. */ typedef void mpo_devfs_label_associate_device_t( - struct ucred *cred, - struct mount *mp, dev_t dev, struct devnode *de, struct label *label, @@ -1521,7 +1514,6 @@ /** @brief Create a new devfs directory - @param mp Not used in Darwin @param dirname Name of new directory @param dirnamelen Length of 'dirname' @param de "inode" of new directory @@ -1533,7 +1525,6 @@ label into 'label'. The devfs root directory is labelled in this way. */ typedef void mpo_devfs_label_associate_directory_t( - struct mount *mp, char *dirname, int dirnamelen, struct devnode *de, ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_vfs.c#13 (text+ko) ==== @@ -1090,20 +1090,19 @@ } void -mac_devfs_label_associate_device(struct ucred *cr, struct mount *mp, dev_t dev, - struct devnode *de, const char *fullpath) +mac_devfs_label_associate_device(dev_t dev, struct devnode *de, + const char *fullpath) { - MAC_PERFORM(devfs_label_associate_device, cr, mp, dev, de, de->dn_label, - fullpath); + MAC_PERFORM(devfs_label_associate_device, dev, de, de->dn_label, fullpath); } void -mac_devfs_label_associate_directory(struct mount *mp, char *dirname, int dirnamelen, +mac_devfs_label_associate_directory(char *dirname, int dirnamelen, struct devnode *de, const char *fullpath) { - MAC_PERFORM(devfs_label_associate_directory, mp, dirname, dirnamelen, de, + MAC_PERFORM(devfs_label_associate_directory, dirname, dirnamelen, de, de->dn_label, fullpath); } ==== //depot/projects/trustedbsd/sedarwin8/policies/mls/mac_mls.c#15 (text+ko) ==== @@ -1032,8 +1032,8 @@ * a lot like file system objects. */ static void -mac_mls_devfs_label_associate_device(struct ucred *cr, struct mount *mp, - dev_t dev, struct devnode *de, struct label *label, const char *fullpath) +mac_mls_devfs_label_associate_device(dev_t dev, struct devnode *de, + struct label *label, const char *fullpath) { struct mac_mls *mac_mls; int mls_type; @@ -1057,9 +1057,8 @@ } static void -mac_mls_devfs_label_associate_directory(struct mount *mp, char *dirname, - int dirnamelen, struct devnode *de, struct label *label, - const char *fullpath) +mac_mls_devfs_label_associate_directory(char *dirname, int dirnamelen, + struct devnode *de, struct label *label, const char *fullpath) { struct mac_mls *mac_mls; ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#26 (text+ko) ==== @@ -1062,13 +1062,9 @@ ipcsec->sclass = SECCLASS_SHM; } -/* - * NOTE: on Darwin mp will always be NULLL for sebsd_devfs_label_associate_device - */ static void -sebsd_devfs_label_associate_device(struct ucred *cr, struct mount *mp, dev_t dev, - struct devnode *devfs_dirent, struct label *label, - const char *fullpath) +sebsd_devfs_label_associate_device(dev_t dev, struct devnode *devfs_dirent, + struct label *label, const char *fullpath) { char *path; int rc; @@ -1090,21 +1086,6 @@ if (rc == 0) dirent->sid = newsid; - /* If there was a creating process (currently only for /dev/pty*), - try a type_transition rule. */ - if (cr != NULL) { - struct task_security_struct *task = SLOT(cr->cr_label); - - /* - * XXX: uses the type specified by genfs instead of the - * parent directory like it should! - */ - int error = security_transition_sid(task->sid, dirent->sid, - dirent->sclass, &newsid); - if (error == 0) - dirent->sid = newsid; - } - /* TBD: debugging */ if (sebsd_verbose > 1) { printf("%s(%s): rc=%d, sclass=%d, computedsid=%d, dirent=%d\n", @@ -1113,13 +1094,9 @@ sebsd_free(path, M_SEBSD); } -/* - * NOTE: on Darwin mp will always be NULLL for sebsd_devfs_label_associate_directory - */ static void -sebsd_devfs_label_associate_directory(struct mount *mp, char *dirname, - int dirnamelen, struct devnode *de, struct label *label, - const char *fullpath) +sebsd_devfs_label_associate_directory(char *dirname, int dirnamelen, + struct devnode *de, struct label *label, const char *fullpath) { char *path; int rc; ==== //depot/projects/trustedbsd/sedarwin8/policies/test/mac_test.c#13 (text+ko) ==== @@ -1182,29 +1182,19 @@ USE_LABEL(fglabel, FILETYPE); } -/* The ucred and mount parameters can be NULL for this fcn */ static void -mac_test_devfs_label_associate_device(struct ucred *cr, struct mount *mp, - dev_t dev, struct devnode *de, struct label *label, - const char *fullpath) +mac_test_devfs_label_associate_device(dev_t dev, struct devnode *de, + struct label *label, const char *fullpath) { CHECKNULL(de); INIT_LABEL(label, DEVNODETYPE); - if (cr != NULL) - SANITY_CHECK(cr->cr_label, CREDTYPE); } static void -mac_test_devfs_label_associate_directory(struct mount *mp, char *dirname, - int dirnamelen, struct devnode *de, - struct label *label, const char *fullpath) +mac_test_devfs_label_associate_directory(char *dirname, int dirnamelen, + struct devnode *de, struct label *label, const char *fullpath) { - /* - * MP should be NULL for devfs - * CHECKNULL(mp); - */ - CHECKNULL(de); INIT_LABEL(label, DEVNODETYPE);