From owner-p4-projects@FreeBSD.ORG Tue Sep 16 06:50:04 2003 Return-Path: Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id BCE1E16A4C0; Tue, 16 Sep 2003 06:50:03 -0700 (PDT) Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 810F616A4B3 for ; Tue, 16 Sep 2003 06:50:03 -0700 (PDT) Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id D2D0C43F3F for ; Tue, 16 Sep 2003 06:50:02 -0700 (PDT) (envelope-from cvance@nailabs.com) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.12.6/8.12.6) with ESMTP id h8GDo20U095532 for ; Tue, 16 Sep 2003 06:50:02 -0700 (PDT) (envelope-from cvance@nailabs.com) Received: (from perforce@localhost) by repoman.freebsd.org (8.12.6/8.12.6/Submit) id h8GDo22R095529 for perforce@freebsd.org; Tue, 16 Sep 2003 06:50:02 -0700 (PDT) Date: Tue, 16 Sep 2003 06:50:02 -0700 (PDT) Message-Id: <200309161350.h8GDo22R095529@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to cvance@nailabs.com using -f 
From: Chris Vance To: Perforce Change Reviews Subject: PERFORCE change 38121 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Sep 2003 13:50:04 -0000 http://perforce.freebsd.org/chv.cgi?CH=38121 Change 38121 by cvance@cvance_osx_laptop on 2003/09/16 06:49:05 A batch of changes. Added entry points for most process checks. Also, go ahead and ifdef away the label in struct ifnet, since it breaks the network ABI and causes all sorts of trouble. Affected files ... .. //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/bsd_init.c#3 edit .. //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/kern_exec.c#2 edit .. //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/kern_exit.c#2 edit .. //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/kern_ktrace.c#2 edit .. //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/kern_mac.c#17 edit .. //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/kern_prot.c#3 edit .. //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/kern_resource.c#2 edit .. //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/kern_sig.c#2 edit .. //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/net/if_var.h#3 edit Differences ... ==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/bsd_init.c#3 (text+ko) ==== @@ -350,6 +350,10 @@ p->p_ucred = crget(); p->p_ucred->cr_ngroups = 1; /* group 0 */ +#ifdef MAC +/* mac_create_proc0(kernproc->p_ucred); */ +#endif + /* Create the file descriptor table. */ filedesc0.fd_refcnt = 1+1; /* +1 so shutdown will not _FREE_ZONE */ p->p_fd = &filedesc0; ==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/kern_exec.c#2 (text+ko) ==== 
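Review bot: The `mac_create_proc0()` call added under `#ifdef MAC` is commented out, and the hook body in kern_mac.c (hunk at -1380) is reduced to a comment as well, so no policy ever gets to initialise proc0's credential label and every credential later derived from it starts from whatever `crget()` left in place. The commented call also names `kernproc->p_ucred` while the surrounding lines use `p->p_ucred`, so it will not be right as written once it is uncommented. A comment stating why both ends are disabled and what that costs keeps this from reading as finished work, e.g. `/* XXX MAC: create_proc0 hook disabled until policy label setup for proc0 is ready; proc0 and everything forked from it run without a policy-initialised label */`.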
@@ -207,6 +207,12 @@ } } +#ifdef MAC_TBD + error = mac_execve_enter(NULL, NULL); + if (error) + return(error); +#endif + error = execargs_alloc(&execargs); if (error) return(error); ==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/kern_exit.c#2 (text+ko) ==== @@ -553,7 +553,7 @@ register struct proc *p, *t; int status, error; struct vnode *tvp; - + struct pcred *pcred = q->p_cred; retry: if (uap->pid == 0) uap->pid = -q->p_pgid; @@ -565,6 +565,12 @@ p->p_pid != uap->pid && p->p_pgid != -(uap->pid)) continue; + +#ifdef MAC + if ((error = mac_check_proc_wait(pcred->pc_ucred, p))) + return (error); +#endif + nfound++; if (p->p_flag & P_WAITING) { (void)tsleep(&p->p_stat, PWAIT, "waitcoll", 0); ==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/kern_ktrace.c#2 (text+ko) ==== @@ -631,6 +631,7 @@ { register struct pcred *caller = callp->p_cred; register struct pcred *target = targetp->p_cred; + int error; if (!PRISON_CHECK(callp, targetp)) return (0); @@ -642,6 +643,11 @@ caller->pc_ucred->cr_uid == 0) return (1); +#ifdef MAC + if ((error = mac_check_proc_debug(caller->pc_ucred, targetp))) + return (error); +#endif + return (0); } ==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/kern_mac.c#17 (text+ko) ==== @@ -798,7 +798,7 @@ tag = m_tag_find(mbuf, PACKET_TAG_MACLABEL, NULL); label = (struct label *)(tag+1); #endif -#ifdef NO_MBUF +#ifdef HAVE_MBUFLABEL label = &mbuf->m_pkthdr.label; #endif return (label); @@ -872,7 +872,9 @@ mac_init_ifnet(struct ifnet *ifp) { +#ifdef HAVE_IFLABEL mac_init_ifnet_label(&ifp->if_label); +#endif } int @@ -943,7 +945,7 @@ } #endif #else -#ifdef NO_MBUF +#ifdef HAVE_MBUFLABEL mac_init_label(&m->m_pkthdr.label); MAC_CHECK(init_mbuf_label, &m->m_pkthdr.label, flag); if (error) { @@ -952,7 +954,7 @@ } else { MAC_DEBUG_COUNTER_INC(&nmacmbufs); } -#endif /* NO_MBUF */ +#endif /* HAVE_MBUFLABEL */ #endif return (error); } 
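Review bot: The `mac_execve_enter(NULL, NULL)` call is guarded by `MAC_TBD` rather than the `MAC` macro every other hook in this change uses, and passes NULL for both arguments, so it is a placeholder that would perform no meaningful check even if the guard were turned on. Mark it as such so nobody later flips the guard and believes exec is covered: `/* TODO(MAC): placeholder — supply the real image and label arguments before moving this under #ifdef MAC */`. The enclosing function begins above the hunk, so the values the real call would need are not visible here.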
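Review bot: In the second kern_exit.c hunk the `mac_check_proc_wait()` failure does `return (error)` from inside the loop over the caller's children, before `nfound++`, so one child the policy will not let the caller wait on makes the whole wait fail even when another child is eligible and would otherwise be reaped. If the intent is that such a child simply be invisible, `continue;` in place of `return (error);` lets the loop reach the normal not-found handling; if a hard failure is intended, a comment saying so is needed, because the two readings differ in whether a policy can block an unrelated wait. The loop and the function begin above the hunk, so I cannot see whether anything acquired before the loop needs releasing on this early return.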
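Review bot: The `mac_check_proc_debug()` check in the second kern_ktrace.c hunk is placed after the `return (1)` that grants access, so it only runs on the path that is about to `return (0)`, and there its nonzero errno is handed back from a function that returns 1 for permit and 0 for deny (see `return (1)` after the uid comparison and `return (0)` after the failed `PRISON_CHECK`) — a MAC denial thereby turns a DAC denial into a grant. Move the check ahead of the uid comparisons and map failure to the deny value: `if (mac_check_proc_debug(caller->pc_ucred, targetp)) return (0);`; the `int error` added in the first hunk is then unnecessary. The function's signature is above the hunk.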
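Review bot: The kern_mac.c hunks move the mbuf label code from `#ifdef NO_MBUF` to `#ifdef HAVE_MBUFLABEL` and wrap `mac_init_ifnet` in `#ifdef HAVE_IFLABEL`, but none of the nine affected files defines either macro, so as submitted the mbuf and interface label init/destroy/copy paths compile to nothing unless a build option outside this change sets them. In the hunk at -798 (the mbuf-to-label lookup) that leaves `label` assigned only by the `PACKET_TAG_MACLABEL` path above it; if that path is compiled out too, the function returns whatever `label` was initialised to, which is not visible here — worth confirming it is NULL and that callers handle that. A comment at the first guard, `/* HAVE_MBUFLABEL and HAVE_IFLABEL come from the kernel config; with neither set, packet and interface labels are compiled out entirely */`, makes the dependency explicit.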
@@ -1114,7 +1116,9 @@ mac_destroy_ifnet(struct ifnet *ifp) { +#ifdef HAVE_IFLABEL mac_destroy_ifnet_label(&ifp->if_label); +#endif } void @@ -1130,10 +1134,10 @@ mac_destroy_mbuf(struct mbuf *m) { -#ifdef NO_MBUF +#ifdef HAVE_MBUFLABEL MAC_PERFORM(destroy_mbuf_label, &m->m_pkthdr.label); mac_destroy_label(&m->m_pkthdr.label); -#endif /* NO_MBUF */ +#endif /* HAVE_MBUFLABEL */ MAC_DEBUG_COUNTER_DEC(&nmacmbufs); } @@ -1221,9 +1225,9 @@ mac_copy_mbuf(struct mbuf *src, struct mbuf *dst) { -#ifdef NO_MBUF +#ifdef HAVE_MBUFLABEL MAC_PERFORM(copy_mbuf_label, &src->m_pkthdr.label, &dst->m_pkthdr.label); -#endif /* NO_MBUF */ +#endif /* HAVE_MBUFLABEL */ } #if 0 @@ -1380,7 +1384,7 @@ mac_create_proc0(struct ucred *cred) { - MAC_PERFORM(create_proc0, cred); +/* MAC_PERFORM(create_proc0, cred); */ } /* @@ -2269,7 +2273,9 @@ mac_create_ifnet(struct ifnet *ifnet) { +#ifdef HAVE_IFLABEL MAC_PERFORM(create_ifnet, ifnet, &ifnet->if_label); +#endif } void @@ -2404,8 +2410,10 @@ label = mbuf_to_label(mbuf); +#ifdef HAVE_IFLABEL MAC_PERFORM(create_mbuf_linklayer, ifnet, &ifnet->if_label, mbuf, label); +#endif } void @@ -2415,8 +2423,10 @@ label = mbuf_to_label(mbuf); +#ifdef HAVE_IFLABEL MAC_PERFORM(create_mbuf_from_ifnet, ifnet, &ifnet->if_label, mbuf, label); +#endif } void @@ -2428,8 +2438,10 @@ oldmbuflabel = mbuf_to_label(oldmbuf); newmbuflabel = mbuf_to_label(newmbuf); +#ifdef HAVE_IFLABEL MAC_PERFORM(create_mbuf_multicast_encap, oldmbuf, oldmbuflabel, ifnet, &ifnet->if_label, newmbuf, newmbuflabel); +#endif } void @@ -2496,6 +2508,7 @@ label = mbuf_to_label(m); +#ifdef HAVE_IFLABEL if (m->m_pkthdr.rcvif != NULL) ifnetlabel = &m->m_pkthdr.rcvif->if_label; else @@ -2503,6 +2516,7 @@ MAC_CHECK(update_mbuf_from_cipso, m, label, m->m_pkthdr.rcvif, ifnetlabel, cp, code); +#endif return (error); } 
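Review bot: In the `update_mbuf_from_cipso` hunk (-2496/-2503) the whole body, including the `MAC_CHECK` that assigns `error`, is now inside `#ifdef HAVE_IFLABEL` while `return (error)` stays outside; `error` is declared above the hunk, so unless it is initialised there the non-HAVE_IFLABEL build returns an indeterminate value and the caller's accept/reject decision is undefined. The same shape appears in the `check_bpfdesc_receive` (-2542) and `check_ifnet_transmit` (-2584) hunks on the next line. Either initialise at the declaration, `int error = 0;`, or make the compiled-out case explicit with `#else error = 0; #endif`, and decide deliberately whether "labels compiled out" means allow or deny — the `MAC_CHECK` is the only thing between the packet and the stack on these paths.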
@@ -2542,8 +2556,10 @@ if (!mac_enforce_network) return (0); +#ifdef HAVE_IFLABEL MAC_CHECK(check_bpfdesc_receive, bpf_d, &bpf_d->bd_label, ifnet, &ifnet->if_label); +#endif return (error); } @@ -2584,8 +2600,10 @@ label = mbuf_to_label(mbuf); +#ifdef HAVE_IFLABEL MAC_CHECK(check_ifnet_transmit, ifnet, &ifnet->if_label, mbuf, label); +#endif return (error); } @@ -3092,6 +3110,7 @@ if (error) return (error); +#ifdef HAVE_IFLABEL MALLOC(elements, char *, mac.m_buflen, M_MACTEMP, M_WAITOK); error = copyinstr(mac.m_string, elements, mac.m_buflen, NULL); if (error) { @@ -3107,6 +3126,7 @@ FREE(buffer, M_MACTEMP); FREE(elements, M_MACTEMP); +#endif return (error); } @@ -3157,6 +3177,7 @@ return (error); } +#ifdef HAVE_IFLABEL MAC_CHECK(check_ifnet_relabel, cred, ifnet, &ifnet->if_label, &intlabel); if (error) { @@ -3165,6 +3186,7 @@ } MAC_PERFORM(relabel_ifnet, cred, ifnet, &ifnet->if_label, &intlabel); +#endif mac_destroy_ifnet_label(&intlabel); return (0); ==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/kern_prot.c#3 (text+ko) ==== ==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/kern_resource.c#2 (text+ko) ==== @@ -211,12 +211,19 @@ register struct proc *curp, *chgp; register int n; { + int error; register struct pcred *pcred = curp->p_cred; if (pcred->pc_ucred->cr_uid && pcred->p_ruid && pcred->pc_ucred->cr_uid != chgp->p_ucred->cr_uid && pcred->p_ruid != chgp->p_ucred->cr_uid) return (EPERM); + +#ifdef MAC + if ((error = mac_check_proc_sched(pcred->pc_ucred, chgp))) + return (error); +#endif + if (n > PRIO_MAX) n = PRIO_MAX; if (n < PRIO_MIN) ==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/kern/kern_sig.c#2 (text+ko) ==== @@ -198,6 +198,13 @@ struct proc *q; int signum; { + int error; + +#ifdef MAC + if ((error = mac_check_proc_signal(pc->pc_ucred, q, signum))) + return (error); +#endif + /* you can signal yourself */ if (p == q) return(1); ==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/net/if_var.h#3 (text+ko) ==== 
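Review bot: In the hunk at -3092 (continued at -3107) everything between `if (error) return (error);` and the final `return (error)` is now under `#ifdef HAVE_IFLABEL`, so with the macro unset the interface-label request returns 0 without touching the caller's buffer, and the relabel path at -3157/-3165 likewise reports success without running `check_ifnet_relabel` or `relabel_ifnet`. Reporting success for an operation that was not performed hides the misconfiguration from userspace; an `#else` branch returning an explicit error such as `EOPNOTSUPP` (or whatever kern_mac.c uses elsewhere for unsupported operations — not visible here) is the safer shape. Both functions begin above their hunks.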
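Review bot: In the kern_resource.c hunk `int error;` is declared unconditionally but only assigned inside `#ifdef MAC`, so a non-MAC build gets an unused-variable warning here (the kern_ktrace.c and kern_sig.c hunks add the same pattern). Declaring it inside the guard, or dropping the temporary with `if (mac_check_proc_sched(pcred->pc_ucred, chgp) != 0)` and returning the call's value from a local declared in the same block, avoids it. The function's header is above the hunk.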
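Review bot: This predicate's convention is nonzero = allowed (`return(1)` on the "you can signal yourself" path right below the new block), so `return (error)` on a `mac_check_proc_signal()` failure hands back a nonzero errno that callers read as permission granted — the hook inverts its own verdict. Return the deny value instead: `if (mac_check_proc_signal(pc->pc_ucred, q, signum)) return (0);`, which also removes the need for the `int error` temporary. The function's name and signature are above the hunk and `return(1)` is the only other return visible, so confirm no caller treats the result as an errno before relying on this.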
@@ -287,7 +287,9 @@ #else struct ifprefixhead if_prefixhead; /* list of prefixes per if */ #endif /* __APPLE__ */ - struct label if_label; /* interface MAC label */ +#ifdef HAVE_IFLABEL + struct label if_label; /* interface MAC label */ +#endif }; typedef void if_init_f_t __P((void *));
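Review bot: Making `if_label` conditional on `HAVE_IFLABEL` means the layout of `struct ifnet` now depends on build configuration, so the macro must be defined identically for every translation unit and extension that includes this header — otherwise the mismatch the description is trying to avoid comes back silently. A comment beside the guard should say where the definition comes from, e.g. `/* HAVE_IFLABEL must be set kernel-wide (kernel config), never per-file: it changes the layout of struct ifnet for all consumers. */`. If the macro is meant to stay off for the ABI reasons given in the description, saying that here as well saves the next reader from enabling it locally.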