Date: Wed, 5 Jul 2006 22:24:58 GMT From: Robert Watson <rwatson@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 100662 for review Message-ID: <200607052224.k65MOwBv074883@repoman.freebsd.org>
next in thread | raw e-mail | index | archive | help
http://perforce.freebsd.org/chv.cgi?CH=100662 Change 100662 by rwatson@rwatson_zoo on 2006/07/05 22:24:42 Checkpoint resort/respell on policy ops structure. Affected files ... .. //depot/projects/trustedbsd/mac2/sys/sys/mac_policy.h#6 edit Differences ... ==== //depot/projects/trustedbsd/mac2/sys/sys/mac_policy.h#6 (text+ko) ==== @@ -170,7 +170,7 @@ * Object: struct ucred (User credential) */ typedef void (*mpo_cred_init_label_t)(struct label *label); -typedef void (*mpo_cred_destroy_cred_label_t)(struct label *label); +typedef void (*mpo_cred_destroy_label_t)(struct label *label); typedef void (*mpo_cred_copy_label_t)(struct label *src, struct label *dest); typedef int (*mpo_cred_externalize_label_t)(struct label *label, @@ -659,18 +659,131 @@ typedef int (*mpo_associate_nfsd_label_t)(struct ucred *cred); struct mac_policy_ops { + mpo_policy_destroy_t mpo_policy_destroy; + mpo_policy_init_t mpo_policy_init; + + mpo_syscall_t mpo_syscall; + + mpo_bpfdesc_init_label_t mpo_bpfdesc_init_label; + mpo_bpfdesc_destroy_label_t mpo_bpfdesc_destroy_label; + mpo_bpfdesc_create_t mpo_bpfdesc_create; + mpo_bpfdesc_create_mbuf_t mpo_bpfdesc_create_mbuf; + mpo_bpfdesc_check_receive_t mpo_bpfdesc_check_receive; + /* - * Policy module operations. + * XXXRW: Naming consistency here -- perhaps should just be + * mpo_devfs_*. + */ + mpo_devfsdirent_init_label_t mpo_devfsdirent_init_label; + mpo_devfsdirent_destroy_label_t mpo_devfsdirent_destroy_label; + mpo_devfs_vnode_associate_t mpo_devfs_vnode_associate; + mpo_devfs_create_device_t mpo_devfs_create_device; + mpo_devfs_create_directory_t mpo_devfs_create_directory; + mpo_devfs_create_symlink_t mpo_devfs_create_symlink; + mpo_devfsdirent_update_t mpo_devfsdirent_update_t; + + /* + * XXXRW: Perhaps should be mpo_ucred_*. + */ + mpo_cred_init_label_t mpo_cred_init_label; + mpo_cred_destroy_label_t mpo_cred_destroy_label; + mpo_cred_copy_label_t mpo_cred_copy_label; + mpo_cred_externalize_label_t mpo_cred_externalize_label; + mpo_cred_internalize_label_t mpo_cred_internalize_label; + mpo_cred_relabel_t mpo_cred_relabel; + mpo_cred_check_relabel_t mpo_cred_check_relabel; + mpo_cred_check_visible_t mpo_cred_check_visible; + + /* + * XXXRW: Names here still inconsistent. + */ + mpo_ifnet_init_label_t mpo_ifnet_init_label; + mpo_ifnet_destroy_label_t mpo_ifnet_destroy_label; + mpo_ifnet_copy_label_t mpo_ifnet_copy_label; + mpo_ifnet_externalize_label_t mpo_ifnet_externalize_label; + mpo_ifnet_internalize_label_t mpo_ifnet_internalize_label; + mpo_ifnet_create_t mpo_ifnet_create; + mpo_create_mbuf_linklayer_t mpo_create_mbuf_linklayer; + mpo_ifnet_create_mbuf_t mpo_ifnet_create_mbuf; + mpo_create_mbuf_multicast_encap_t mpo_create_mbuf_mulicast_encap; + mpo_ifnet_relabel_t mpo_ifnet_relabel; + mpo_ifnet_check_relabel_t mpo_ifnet_check_relabel; + mpo_ifnet_check_transmit_t mpo_ifnet_check_transmit; + + /* + * XXXRW: Could s/create_from_socket/create/. + */ + mpo_inpcb_init_label_t mpo_inpcb_init_label; + mpo_inpcb_destroy_label_t mpo_inpcb_destroy_label; + mpo_inpcb_create_from_socket_t mpo_inpcb_create_from_socket; + mpo_inpcb_create_mbuf_t mpo_inpcb_create_mbuf; + mpo_inpcb_sosetlabel_t mpo_inpcb_sosetlabel; + mpo_inpcb_check_deliver_t mpo_inpcb_check_deliver; + + /* + * XXXRW: Maybe s/create_datagram/reassemble/, + * s/fragment_match/match/. + */ + mpo_ipq_init_label_t mpo_ipq_init_label; + mpo_ipq_destroy_label_t mpo_ipq_destroy_label; + mpo_ipq_create_t mpo_ipq_create; + mpo_ipq_create_datagram_t mpo_ipq_create_datagram; + mpo_ipq_fragment_match_t mpo_ipq_fragment_match; + mpo_ipq_update_t mpo_ipq_update; + + mpo_kenv_check_dump_t mpo_kenv_check_dump; + mpo_kenv_check_get_t mpo_kenv_check_get; + mpo_kenv_check_set_t mpo_kenv_check_set; + mpo_kenv_check_unset_t mpo_kenv_check_unset; + + mpo_kld_check_load_t mpo_kld_check_load; + mpo_kld_check_stat_t mpo_kld_check_stat; + mpo_kld_check_unload_t mpo_kld_check_unload; + + /* + * XXXRW: Since the structure is ksem, maybe these should be + * renamed; alternatively, maybe ksem should be renamed? Should + * be unlink instead of destroy? + */ + mpo_posix_sem_init_label_t mpo_posix_sem_init_label; + mpo_posix_sem_destroy_label_t mpo_posix_sem_destroy_label; + mpo_posix_sem_create_t mpo_posix_sem_create; + mpo_posix_sem_check_destroy_t mpo_posix_sem_check_destroy; + mpo_posix_sem_check_getvalue_t mpo_posix_sem_check_getvalue; + mpo_posix_sem_check_open_t mpo_posix_sem_check_open; + mpo_posix_sem_check_post_t mpo_posix_sem_check_post; + mpo_posix_sem_check_unlink_t mpo_posix_sem_check_unlink; + mpo_posix_sem_check_wait_t mpo_posix_sem_check_wait; + + /* + * XXXRW: Perhaps fragment, netlayer, icmp, tcp, etc, should be + * netinet calls rather than mbuf calls? */ - mpo_policy_destroy_t mpo_policy_destroy; - mpo_policy_init_t mpo_policy_init; + mpo_mbuf_init_label_t mpo_mbuf_init_label; + mpo_mbuf_destroy_label_t mpo_mbuf_destroy_label; + mpo_mbuf_copy_label_t mpo_mbuf_copy_label; + mpo_mbuf_create_fragment_t mpo_mbuf_create_fragment; + mpo_mbuf_create_netlayer_t mpo_mbuf_create_netlayer; + mpo_mbuf_reflect_icmp_t mpo_mbuf_reflect_icmp; + mpo_mbuf_reflect_tcp_t mpo_mbuf_reflect_tcp; /* - * General policy-directed security system call so that policies may - * implement new services without reserving explicit system call - * numbers. + * XXXRW: Time to toast mount_fs label since it basically is unused? */ - mpo_syscall_t mpo_syscall; + mpo_mount_init_label_t mpo_mount_init_label; + mpo_mount_fs_init_label_t mpo_mount_fs_init_label; + mpo_mount_destroy_label_t mpo_mount_destroy_label; + mpo_mount_fs_destroy_label_t mpo_mount_fs_destroy_label; + mpo_mount_check_stat_t mpo_mount_check_stat; + + + + + + + + + /* * Label operations. Initialize label storage, destroy label
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200607052224.k65MOwBv074883>