Date: Tue, 23 Nov 2004 18:25:55 GMT From: Andrew Reisse <areisse@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 65722 for review Message-ID: <200411231825.iANIPtwA061865@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=65722 Change 65722 by areisse@areisse_tislabs on 2004/11/23 18:25:04 Changes required to get the kernel to build after merging new selinux pieces. The sebsd module should still not be used, as the old and new policy formats are incompatible and the policy tools have not been updated yet. Affected files ... .. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/avc/avc.c#7 edit .. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/avc/avc.h#7 edit .. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/ss/avtab.c#6 edit .. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/ss/avtab.h#6 edit .. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/ss/conditional.c#2 edit .. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/ss/conditional.h#2 edit .. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/ss/policydb.c#5 edit .. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/ss/policydb.h#6 edit .. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/ss/security.h#7 edit .. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/ss/services.c#8 edit .. //depot/projects/trustedbsd/sebsd/sys/security/sebsd/ss/services.h#5 edit Differences ... ==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/avc/avc.c#7 (text+ko) ==== @@ -89,6 +89,24 @@ return (ssid ^ (tsid<<2) ^ (tclass<<4)) & (AVC_CACHE_SLOTS - 1); } +#ifdef AVC_CACHE_STATS +static inline void avc_cache_stats_incr(int type) +{ + avc_cache_stats[type]++; +} + +static inline void avc_cache_stats_add(int type, unsigned val) +{ + avc_cache_stats[type] += val; +} +#else +static inline void avc_cache_stats_incr(int type) +{ } + +static inline void avc_cache_stats_add(int type, unsigned val) +{ } +#endif + /** * avc_dump_av - Display an access vector in human-readable form. * @tclass: target security class 
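Review bot: The `#else` stubs `avc_cache_stats_incr` and `avc_cache_stats_add` in the `@@ -89` hunk of avc.c leave `type` and `val` unreferenced, which a `-Wextra` kernel build reports as unused parameters; `(void)type;` in the first and `(void)type; (void)val;` in the second keep the build quiet. In the `#ifdef AVC_CACHE_STATS` variants `avc_cache_stats[type]` is indexed with no range check, and the array and its bound are outside this hunk, so a one-line comment above the block such as `/* Cache-statistics counters, compiled out unless AVC_CACHE_STATS is defined; type must be a valid index into avc_cache_stats. */` would record the contract callers have to honour.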
@@ -583,9 +601,6 @@ } else { printf(" fs/inode info not available"); } - inode = a->u.fs.dentry->d_inode; - } else if (a->u.fs.inode) { - inode = a->u.fs.inode; } break; case AVC_AUDIT_DATA_NET: @@ -1022,6 +1037,7 @@ return rc; } +/* static int __init avc_log_level_setup(char *str) { avc_log_level = simple_strtol(str, NULL, 0); @@ -1032,3 +1048,4 @@ __setup("avc_log_level=", avc_log_level_setup); +*/ ==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/avc/avc.h#7 (text+ko) ==== @@ -15,6 +15,7 @@ #endif /* _KERNEL */ #include <sys/capability.h> +#include <netinet/in.h> #include <security/sebsd/flask.h> #include <security/sebsd/sebsd.h> ==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/ss/avtab.c#6 (text+ko) ==== @@ -14,14 +14,6 @@ * the Free Software Foundation, version 2. */ -#include <linux/kernel.h> -#include <linux/slab.h> -#include <linux/vmalloc.h> -#include <linux/errno.h> - -#include "avtab.h" -#include "policydb.h" - #ifdef _KERNEL #include <sys/param.h> #include <sys/conf.h> @@ -40,14 +32,12 @@ (keyp->source_type << 9)) & \ AVTAB_HASH_MASK) -static kmem_cache_t *avtab_node_cachep; - static struct avtab_node* avtab_insert_node(struct avtab *h, int hvalue, struct avtab_node * prev, struct avtab_node * cur, struct avtab_key *key, struct avtab_datum *datum) { struct avtab_node * newnode; - newnode = kmem_cache_alloc(avtab_node_cachep, SLAB_KERNEL); + newnode = kmalloc(sizeof(*newnode), GFP_KERNEL); if (newnode == NULL) return NULL; memset(newnode, 0, sizeof(struct avtab_node)); @@ -95,7 +85,7 @@ newnode = avtab_insert_node(h, hvalue, prev, cur, key, datum); if(!newnode) - return -ENOMEM; + return ENOMEM; return 0; } @@ -244,7 +234,7 @@ } h->htable[i] = NULL; } - vfree(h->htable); + kfree(h->htable); h->htable = NULL; } 
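Review bot: Disabling `avc_log_level_setup` and its `__setup` registration with a `/*` opened in the `@@ -1022` hunk and closed by `+*/` in the `@@ -1032` hunk is fragile: any `/* ... */` comment inside the disabled body terminates the outer comment early and the Linux-only `simple_strtol` and `__setup` references come back into the build. `#if 0 /* Linux boot-argument hook; no FreeBSD tunable equivalent yet */` with a matching `#endif` disables the block robustly and records why it was kept. In the `@@ -583` hunk the removal of the `inode` assignments may leave the `inode` local in that function unused; its declaration is outside the hunk, so that is worth checking with the compiler.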
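Review bot: `avtab_insert_node` now allocates with `kmalloc(sizeof(*newnode), GFP_KERNEL)` and the `avtab_node_cachep` definition is dropped in the `@@ -40` hunk of avtab.c, so any cache create/destroy code elsewhere in the file that still names `avtab_node_cachep` needs the same treatment; that code is outside this hunk. The `vfree` to `kfree` change in the `@@ -244` hunk is only correct if `h->htable` is allocated with the matching allocator, and the allocation site is not visible here, so confirm it. Returning positive `ENOMEM` in the `@@ -95` hunk is consistent with the `rc == ENOMEM` comparison in `avtab_read`.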
@@ -315,19 +305,19 @@ int avtab_read_item(void *fp, struct avtab_datum *avdatum, struct avtab_key *avkey) { - __u32 *buf; - __u32 items, items2; + u32 *buf; + u32 items, items2; memset(avkey, 0, sizeof(struct avtab_key)); memset(avdatum, 0, sizeof(struct avtab_datum)); - buf = next_entry(fp, sizeof(__u32)); + buf = next_entry(fp, sizeof(u32)); if (!buf) { printk(KERN_ERR "security: avtab: truncated entry\n"); goto bad; } items2 = le32_to_cpu(buf[0]); - buf = next_entry(fp, sizeof(__u32)*items2); + buf = next_entry(fp, sizeof(u32)*items2); if (!buf) { printk(KERN_ERR "security: avtab: truncated entry\n"); goto bad; @@ -347,12 +337,22 @@ goto bad; } if (avdatum->specified & AVTAB_AV) { - if (avdatum->specified & AVTAB_ALLOWED) - avtab_allowed(avdatum) = le32_to_cpu(buf[items++]); - if (avdatum->specified & AVTAB_AUDITDENY) - avtab_auditdeny(avdatum) = le32_to_cpu(buf[items++]); - if (avdatum->specified & AVTAB_AUDITALLOW) - avtab_auditallow(avdatum) = le32_to_cpu(buf[items++]); + + if (avdatum->specified & AVTAB_ALLOWED) { + u32 b1 = le32_to_cpu (buf[items++]); + u32 b2 = le32_to_cpu (buf[items++]); + avtab_allowed(avdatum) = (((u64) b1) << 32) | b2; + } + if (avdatum->specified & AVTAB_AUDITDENY) { + u32 b1 = le32_to_cpu (buf[items++]); + u32 b2 = le32_to_cpu (buf[items++]); + avtab_auditdeny(avdatum) = (((u64) b1) << 32) | b2; + } + if (avdatum->specified & AVTAB_AUDITALLOW) { + u32 b1 = le32_to_cpu (buf[items++]); + u32 b2 = le32_to_cpu (buf[items++]); + avtab_auditallow(avdatum) = (((u64) b1) << 32) | b2; + } } else { if (avdatum->specified & AVTAB_TRANSITION) avtab_transition(avdatum) = le32_to_cpu(buf[items++]); 
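Review bot: Each of the three added blocks in `avtab_read_item` reads `buf[items++]` twice without first comparing `items` against `items2`, so a policy entry that declares fewer items than its `specified` bits require is read past the end of the slice returned by `next_entry(fp, sizeof(u32)*items2)` before any later `items != items2` check can reject it; the rest of the function, including that check, is outside this hunk. A guard of `if (items + 2 > items2) goto bad;` at the top of each of the three blocks (or one upfront check that `items2` covers the maximum of four key items plus six vector items) keeps the parse inside the entry. Since the policy image is external input this is worth fixing before the new format is relied on.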
@@ -394,39 +394,6 @@ for (i = 0; i < nel; i++) { if (avtab_read_item(fp, &avdatum, &avkey)) goto bad; - } - if (avdatum.specified & AVTAB_AV) { - if (avdatum.specified & AVTAB_ALLOWED) - { - u32 b1 = le32_to_cpu (buf[items++]); - u32 b2 = le32_to_cpu (buf[items++]); - avtab_allowed(&avdatum) = (((u64) b1) << 32) | b2; - } - if (avdatum.specified & AVTAB_AUDITDENY) - { - u32 b1 = le32_to_cpu (buf[items++]); - u32 b2 = le32_to_cpu (buf[items++]); - avtab_auditdeny(&avdatum) = (((u64) b1) << 32) | b2; - } - if (avdatum.specified & AVTAB_AUDITALLOW) - { - u32 b1 = le32_to_cpu (buf[items++]); - u32 b2 = le32_to_cpu (buf[items++]); - avtab_auditallow(&avdatum) = (((u64) b1) << 32) | b2; - } - } else { - if (avdatum.specified & AVTAB_TRANSITION) - avtab_transition(&avdatum) = le32_to_cpu(buf[items++]); - if (avdatum.specified & AVTAB_CHANGE) - avtab_change(&avdatum) = le32_to_cpu(buf[items++]); - if (avdatum.specified & AVTAB_MEMBER) - avtab_member(&avdatum) = le32_to_cpu(buf[items++]); - } - if (items != items2) { - printk(KERN_ERR "security: avtab: entry only had %d " - "items, expected %d\n", items2, items); - goto bad; - } rc = avtab_insert(a, &avkey, &avdatum); if (rc) { if (rc == ENOMEM) ==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/ss/avtab.h#6 (text+ko) ==== @@ -38,6 +38,7 @@ #define AVTAB_MEMBER 32 #define AVTAB_CHANGE 64 #define AVTAB_TYPE (AVTAB_TRANSITION | AVTAB_MEMBER | AVTAB_CHANGE) +#define AVTAB_ENABLED 0x80000000 /* reserved for used in cond_avtab */ u32 specified; /* what fields are specified */ access_vector_t data[3]; /* access vectors or types */ #define avtab_allowed(x) (x)->data[0] ==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/ss/conditional.c#2 (text+ko) ==== 
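Review bot: With the field-decoding code removed from `avtab_read` in the `@@ -394` hunk, the `buf`, `items` and `items2` locals it used may now be declared but unused in that function; their declarations are above the hunk, so check the compiler output for that translation unit. The loop's closing brace is also moved so that `avtab_insert` runs per item, and the loop now ends outside the hunk.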
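Review bot: `AVTAB_ENABLED` takes bit 31 of `specified`, the same field that `avtab_read_item` fills directly from the policy image with `le32_to_cpu`, so a crafted or stale-format policy can arrive with that bit already set unless the reader masks or rejects bits outside the known `AVTAB_*` set; that validation is outside this hunk, so confirm it happens. The trailing comment also has a typo and should read `/* reserved for use in cond_avtab */`.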
@@ -7,15 +7,16 @@ * the Free Software Foundation, version 2. */ -#include <linux/kernel.h> -#include <linux/errno.h> -#include <linux/string.h> -#include <linux/spinlock.h> -#include <asm/semaphore.h> -#include <linux/slab.h> +#if defined(__FreeBSD__) && defined(_KERNEL) +#include <sys/param.h> +#include <sys/conf.h> +#include <sys/kernel.h> +#include <sys/systm.h> +#endif /* FreeBSD _KERNEL */ -#include "security.h" -#include "conditional.h" +#include <security/sebsd/linux-compat.h> +#include <security/sebsd/ss/security.h> +#include <security/sebsd/ss/conditional.h> /* * cond_evaluate_expr evaluates a conditional expr ==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/ss/conditional.h#2 (text+ko) ==== @@ -10,9 +10,10 @@ #ifndef _CONDITIONAL_H_ #define _CONDITIONAL_H_ -#include "avtab.h" -#include "symtab.h" -#include "policydb.h" +#include <security/sebsd/ss/avtab.h> +#include <security/sebsd/ss/symtab.h> +#include <security/sebsd/ss/sidtab.h> +#include <security/sebsd/ss/policydb.h> #define COND_EXPR_MAXDEPTH 10 @@ -29,8 +30,8 @@ #define COND_EQ 6 /* bool == bool */ #define COND_NEQ 7 /* bool != bool */ #define COND_LAST 8 - __u32 expr_type; - __u32 bool; + u32 expr_type; + u32 bool; struct cond_expr *next; }; ==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/ss/policydb.c#5 (text+ko) ==== @@ -14,16 +14,6 @@ * the Free Software Foundation, version 2. */ -#include <linux/kernel.h> -#include <linux/slab.h> -#include <linux/string.h> -#include <linux/errno.h> -#include "security.h" - -#include "policydb.h" -#include "conditional.h" -#include "mls.h" - #if defined(__FreeBSD__) && defined(_KERNEL) #include <sys/param.h> #include <sys/conf.h> @@ -37,6 +27,7 @@ #include <security/sebsd/ss/services.h> #include <security/sebsd/ss/security.h> #include <security/sebsd/ss/mls.h> +#include <security/sebsd/ss/conditional.h> #define _DEBUG_HASHES 
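Review bot: The member `u32 bool;` in `struct cond_expr` (conditional.h, `@@ -29` hunk) keeps a name that `<stdbool.h>` defines as a macro, so any future inclusion of that header in a file using this struct turns the member into `u32 _Bool;` and fails to compile; the commit only changes its type, but a rename such as `bool_id` would be prudent while the header is being reworked. The added `#include <security/sebsd/ss/sidtab.h>` has no visible user in the hunk, so a short comment naming what it is needed for would help readers.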
@@ -204,7 +195,7 @@ comdatum = datum; p = datap; if (!comdatum->value || comdatum->value > p->p_commons.nprim) - return -EINVAL; + return EINVAL; p->p_common_val_to_name[comdatum->value - 1] = key; return 0; } @@ -217,7 +208,7 @@ cladatum = datum; p = datap; if (!cladatum->value || cladatum->value > p->p_classes.nprim) - return -EINVAL; + return EINVAL; p->p_class_val_to_name[cladatum->value - 1] = key; p->class_val_to_struct[cladatum->value - 1] = cladatum; return 0; @@ -231,7 +222,7 @@ role = datum; p = datap; if (!role->value || role->value > p->p_roles.nprim) - return -EINVAL; + return EINVAL; p->p_role_val_to_name[role->value - 1] = key; p->role_val_to_struct[role->value - 1] = role; return 0; @@ -247,7 +238,7 @@ if (typdatum->primary) { if (!typdatum->value || typdatum->value > p->p_types.nprim) - return -EINVAL; + return EINVAL; p->p_type_val_to_name[typdatum->value - 1] = key; } @@ -262,7 +253,7 @@ usrdatum = datum; p = datap; if (!usrdatum->value || usrdatum->value > p->p_users.nprim) - return -EINVAL; + return EINVAL; p->p_user_val_to_name[usrdatum->value - 1] = key; p->user_val_to_struct[usrdatum->value - 1] = usrdatum; return 0; @@ -373,12 +364,11 @@ GFP_KERNEL); if (!p->user_val_to_struct) { rc = ENOMEM; - rc = -ENOMEM; goto out; } if (cond_init_bool_indexes(p)) { - rc = -ENOMEM; + rc = ENOMEM; goto out; } @@ -1477,14 +1467,14 @@ goto bad; newgenfs = kmalloc(sizeof(*newgenfs), GFP_KERNEL); if (!newgenfs) { - rc = -ENOMEM; + rc = ENOMEM; goto bad; } memset(newgenfs, 0, sizeof(*newgenfs)); newgenfs->fstype = kmalloc(len + 1,GFP_KERNEL); if (!newgenfs->fstype) { - rc = -ENOMEM; + rc = ENOMEM; kfree(newgenfs); goto bad; } 
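Review bot: Switching the index callbacks and the allocation failure paths in policydb.c from `-EINVAL`/`-ENOMEM` to positive errno values (the `@@ -204` through `@@ -373` hunks here, and likewise the services.c hunks at `@@ -540`, `@@ -955`, `@@ -1231`, `@@ -1248`, `@@ -1503`, `@@ -1560` and `@@ -1604`) changes the sign convention only for the paths touched, so any caller that still tests `rc < 0` now misses these failures; the callers are outside these hunks and should be audited for that pattern. A one-line comment near the top of policydb.c stating that the ss code returns positive FreeBSD errno values would record the convention for the remaining ports.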
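Review bot: In the `@@ -1477` hunk `newgenfs->fstype = kmalloc(len + 1,GFP_KERNEL)` (and `newc->u.name` in the `@@ -1522` hunk) takes `len` from the policy image, so if `len` is a `u32` the `len + 1` wraps to zero at `UINT32_MAX` and the following `memcpy` would overrun a zero-length buffer; the `next_entry(fp, len)` that presumably precedes these reads only guards this if it rejects lengths beyond the remaining image, which is not visible here. A short comment on the allocation, `/* len validated by next_entry() above; len + 1 leaves room for the NUL */`, would make the assumption explicit once it is confirmed.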
@@ -1522,14 +1512,14 @@ newc = kmalloc(sizeof(*newc), GFP_KERNEL); if (!newc) { - rc = -ENOMEM; + rc = ENOMEM; goto bad; } memset(newc, 0, sizeof(*newc)); newc->u.name = kmalloc(len + 1,GFP_KERNEL); if (!newc->u.name) { - rc = -ENOMEM; + rc = ENOMEM; goto bad_newc; } memcpy(newc->u.name, buf, len); ==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/ss/policydb.h#6 (text+ko) ==== @@ -119,7 +119,7 @@ /* Boolean data type */ struct cond_bool_datum { - __u32 value; /* internal type value */ + u32 value; /* internal type value */ int state; }; ==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/ss/security.h#7 (text+ko) ==== @@ -77,7 +77,6 @@ int security_node_sid(u16 domain, void *addr, u32 addrlen, security_id_t *out_sid); - u32 *out_sid); #define SECURITY_FS_USE_XATTR 1 /* use xattr */ #define SECURITY_FS_USE_TRANS 2 /* use transition SIDs, e.g. devpts/tmpfs */ ==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/ss/services.c#8 (text+ko) ==== @@ -26,6 +26,8 @@ #include <security/sebsd/ss/services.h> #include <security/sebsd/ss/security.h> #include <security/sebsd/ss/mls.h> +#include <security/sebsd/ss/conditional.h> +#include <security/sebsd/ss/avtab.h> #include <security/sebsd/avc/avc.h> #include <security/sebsd/avc/avc_ss.h> #include <sys/socket.h> @@ -540,7 +542,7 @@ goto out_unlock; if ((p - scontext2) < scontext_len) { - rc = -EINVAL; + rc = EINVAL; goto out_unlock; } @@ -955,7 +957,7 @@ if (rc) goto out; - rc = -EINVAL; + rc = EINVAL; /* Convert the user. */ usrdatum = hashtab_search(args->newp->p_users.table, @@ -1231,7 +1233,7 @@ u32 addr; if (addrlen != sizeof(u32)) { - rc = -EINVAL; + rc = EINVAL; goto out; } @@ -1248,7 +1250,7 @@ case AF_INET6: if (addrlen != sizeof(u64) * 2) { - rc = -EINVAL; + rc = EINVAL; goto out; } c = policydb.ocontexts[OCON_NODE6]; @@ -1503,7 +1505,7 @@ int security_get_bools(int *len, char ***names, int **values) { - int i, rc = -ENOMEM; + int i, rc = ENOMEM; POLICY_RDLOCK; *names = NULL; 
@@ -1560,7 +1562,7 @@ lenp = policydb.p_bools.nprim; if (len != lenp) { - rc = -EFAULT; + rc = EFAULT; goto out; } @@ -1590,7 +1592,7 @@ POLICY_WRUNLOCK; if (!rc) { avc_ss_reset(seqno); - selnl_notify_policyload(seqno); + /*selnl_notify_policyload(seqno);*/ } return rc; } @@ -1604,7 +1606,7 @@ len = policydb.p_bools.nprim; if (bool >= len) { - rc = -EFAULT; + rc = EFAULT; goto out; } ==== //depot/projects/trustedbsd/sebsd/sys/security/sebsd/ss/services.h#5 (text+ko) ====
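Review bot: Commenting out `selnl_notify_policyload(seqno)` in the `@@ -1590` hunk of services.c silently drops the policy-load notification while `avc_ss_reset(seqno)` still runs, and nothing records that this is a temporary gap in the FreeBSD port. Replace the bare comment with one that says why, e.g. `/* TODO(sebsd): no FreeBSD equivalent of selnl_notify_policyload() yet */`, so the hook is restored rather than forgotten. The positive `EFAULT` in the `@@ -1604` hunk is used for an out-of-range `bool` index, which callers may find surprising; a comment noting that this mirrors the upstream convention would help.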