Date: Thu, 6 Jul 2006 09:54:17 GMT From: Robert Watson <rwatson@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 100708 for review Message-ID: <200607060954.k669sHXw058688@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=100708 Change 100708 by rwatson@rwatson_zoo on 2006/07/06 09:54:10 Resort. Affected files ... .. //depot/projects/trustedbsd/mac2/sys/sys/mac_framework.h#3 edit Differences ... ==== //depot/projects/trustedbsd/mac2/sys/sys/mac_framework.h#3 (text+ko) ==== 
@@ -90,208 +90,110 @@ * Kernel functions to manage and evaluate labels. */ -/* - * Label operations. - */ void mac_init_bpfdesc(struct bpf_d *); -void mac_init_cred(struct ucred *); +void mac_destroy_bpfdesc(struct bpf_d *); +void mac_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d); +void mac_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct mbuf *m); +int mac_check_bpfdesc_receive(struct bpf_d *bpf_d, struct ifnet *ifnet); + void mac_init_devfsdirent(struct devfs_dirent *); -void mac_init_ifnet(struct ifnet *); -int mac_init_inpcb(struct inpcb *, int flag); -void mac_init_sysv_msgmsg(struct msg *); -void mac_init_sysv_msgqueue(struct msqid_kernel*); -void mac_init_sysv_sem(struct semid_kernel*); -void mac_init_sysv_shm(struct shmid_kernel*); -int mac_init_ipq(struct ipq *, int flag); -int mac_init_socket(struct socket *, int flag); -void mac_init_pipe(struct pipepair *); -void mac_init_posix_sem(struct ksem *); -int mac_init_mbuf(struct mbuf *mbuf, int flag); -int mac_init_mbuf_tag(struct m_tag *, int flag); -void mac_init_mount(struct mount *); -void mac_init_proc(struct proc *); -void mac_init_vnode(struct vnode *); -void mac_copy_mbuf(struct mbuf *m_from, struct mbuf *m_to); -void mac_copy_mbuf_tag(struct m_tag *, struct m_tag *); -void mac_copy_vnode_label(struct label *, struct label *label); -void mac_destroy_bpfdesc(struct bpf_d *); -void mac_destroy_cred(struct ucred *); void mac_destroy_devfsdirent(struct devfs_dirent *); -void mac_destroy_ifnet(struct ifnet *); -void mac_destroy_inpcb(struct inpcb *); -void mac_destroy_sysv_msgmsg(struct msg *); -void mac_destroy_sysv_msgqueue(struct msqid_kernel *); -void mac_destroy_sysv_sem(struct semid_kernel *); -void mac_destroy_sysv_shm(struct shmid_kernel *); -void mac_destroy_ipq(struct ipq *); -void mac_destroy_socket(struct socket *); -void mac_destroy_pipe(struct pipepair *); -void mac_destroy_posix_sem(struct ksem *); -void mac_destroy_proc(struct proc *); -void mac_destroy_mbuf_tag(struct m_tag 
*); -void mac_destroy_mount(struct mount *); -void mac_destroy_vnode(struct vnode *); - -struct label *mac_cred_label_alloc(void); -void mac_cred_label_free(struct label *label); -struct label *mac_vnode_label_alloc(void); -void mac_vnode_label_free(struct label *label); - -/* - * Labeling event operations: file system objects, and things that - * look a lot like file system objects. - */ void mac_associate_vnode_devfs(struct mount *mp, struct devfs_dirent *de, struct vnode *vp); -int mac_associate_vnode_extattr(struct mount *mp, struct vnode *vp); -void mac_associate_vnode_singlelabel(struct mount *mp, struct vnode *vp); void mac_create_devfs_device(struct ucred *cred, struct mount *mp, struct cdev *dev, struct devfs_dirent *de); void mac_create_devfs_directory(struct mount *mp, char *dirname, int dirnamelen, struct devfs_dirent *de); void mac_create_devfs_symlink(struct ucred *cred, struct mount *mp, struct devfs_dirent *dd, struct devfs_dirent *de); -int mac_create_vnode_extattr(struct ucred *cred, struct mount *mp, - struct vnode *dvp, struct vnode *vp, struct componentname *cnp); -void mac_create_mount(struct ucred *cred, struct mount *mp); -void mac_relabel_vnode(struct ucred *cred, struct vnode *vp, - struct label *newlabel); void mac_update_devfsdirent(struct mount *mp, struct devfs_dirent *de, struct vnode *vp); -/* - * Labeling event operations: IPC objects. 
- */ -void mac_create_mbuf_from_socket(struct socket *so, struct mbuf *m); -void mac_create_socket(struct ucred *cred, struct socket *socket); -void mac_create_socket_from_socket(struct socket *oldsocket, - struct socket *newsocket); -void mac_set_socket_peer_from_mbuf(struct mbuf *mbuf, - struct socket *socket); -void mac_set_socket_peer_from_socket(struct socket *oldsocket, - struct socket *newsocket); -void mac_create_pipe(struct ucred *cred, struct pipepair *pp); +void mac_init_cred(struct ucred *); +void mac_destroy_cred(struct ucred *); +void mac_copy_cred(struct ucred *cr1, struct ucred *cr2); +struct label *mac_cred_label_alloc(void); +void mac_cred_label_free(struct label *label); +int mac_check_cred_visible(struct ucred *u1, struct ucred *u2); -/* - * Labeling event operations: System V IPC primitives - */ -void mac_create_sysv_msgmsg(struct ucred *cred, - struct msqid_kernel *msqkptr, struct msg *msgptr); -void mac_create_sysv_msgqueue(struct ucred *cred, - struct msqid_kernel *msqkptr); -void mac_create_sysv_sem(struct ucred *cred, - struct semid_kernel *semakptr); -void mac_create_sysv_shm(struct ucred *cred, - struct shmid_kernel *shmsegptr); - -/* - * Labeling event operations: POSIX (global/inter-process) semaphores. - */ -void mac_create_posix_sem(struct ucred *cred, struct ksem *ksemptr); - - -/* - * Labeling event operations: network objects. 
- */ -void mac_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d); +void mac_init_ifnet(struct ifnet *); +void mac_destroy_ifnet(struct ifnet *); void mac_create_ifnet(struct ifnet *ifp); -void mac_create_inpcb_from_socket(struct socket *so, struct inpcb *inp); -void mac_create_ipq(struct mbuf *fragment, struct ipq *ipq); -void mac_create_datagram_from_ipq(struct ipq *ipq, struct mbuf *datagram); -void mac_create_fragment(struct mbuf *datagram, struct mbuf *fragment); -void mac_create_mbuf_from_inpcb(struct inpcb *inp, struct mbuf *m); void mac_create_mbuf_linklayer(struct ifnet *ifnet, struct mbuf *m); -void mac_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct mbuf *m); void mac_create_mbuf_from_ifnet(struct ifnet *ifnet, struct mbuf *m); void mac_create_mbuf_multicast_encap(struct mbuf *oldmbuf, struct ifnet *ifnet, struct mbuf *newmbuf); -void mac_create_mbuf_netlayer(struct mbuf *oldmbuf, struct mbuf *newmbuf); +int mac_check_ifnet_transmit(struct ifnet *ifnet, struct mbuf *m); +int mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr, + struct ifnet *ifnet); +int mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr, + struct ifnet *ifnet); + +int mac_init_inpcb(struct inpcb *, int flag); +void mac_destroy_inpcb(struct inpcb *); +void mac_create_inpcb_from_socket(struct socket *so, struct inpcb *inp); +void mac_create_mbuf_from_inpcb(struct inpcb *inp, struct mbuf *m); +void mac_inpcb_sosetlabel(struct socket *so, struct inpcb *inp); +int mac_check_inpcb_deliver(struct inpcb *inp, struct mbuf *m); + +int mac_init_ipq(struct ipq *, int flag); +void mac_destroy_ipq(struct ipq *); +void mac_create_ipq(struct mbuf *fragment, struct ipq *ipq); +void mac_create_datagram_from_ipq(struct ipq *ipq, struct mbuf *datagram); int mac_fragment_match(struct mbuf *fragment, struct ipq *ipq); -void mac_reflect_mbuf_icmp(struct mbuf *m); -void mac_reflect_mbuf_tcp(struct mbuf *m); void mac_update_ipq(struct mbuf *fragment, struct ipq *ipq); -void 
mac_inpcb_sosetlabel(struct socket *so, struct inpcb *inp); - -/* - * Labeling event operations: processes. - */ -void mac_copy_cred(struct ucred *cr1, struct ucred *cr2); -int mac_execve_enter(struct image_params *imgp, struct mac *mac_p); -void mac_execve_exit(struct image_params *imgp); -void mac_execve_transition(struct ucred *old, struct ucred *new, - struct vnode *vp, struct label *interpvnodelabel, - struct image_params *imgp); -int mac_execve_will_transition(struct ucred *old, struct vnode *vp, - struct label *interpvnodelabel, struct image_params *imgp); -void mac_create_proc0(struct ucred *cred); -void mac_create_proc1(struct ucred *cred); -void mac_thread_userret(struct thread *td); - -/* - * Label cleanup operation: This is the inverse complement for the - * mac_create and associate type of hooks. This hook lets the policy - * module(s) perform a cleanup/flushing operation on the label - * associated with the objects, without freeing up the space allocated. - * This hook is useful in cases where it is desirable to remove any - * labeling reference when recycling any object to a pool. This hook - * does not replace the mac_destroy hooks. - */ -void mac_cleanup_sysv_msgmsg(struct msg *msgptr); -void mac_cleanup_sysv_msgqueue(struct msqid_kernel *msqkptr); -void mac_cleanup_sysv_sem(struct semid_kernel *semakptr); -void mac_cleanup_sysv_shm(struct shmid_kernel *shmsegptr); -/* Access control checks. 
*/ -int mac_check_bpfdesc_receive(struct bpf_d *bpf_d, struct ifnet *ifnet); -int mac_check_cred_visible(struct ucred *u1, struct ucred *u2); -int mac_check_ifnet_transmit(struct ifnet *ifnet, struct mbuf *m); -int mac_check_inpcb_deliver(struct inpcb *inp, struct mbuf *m); -int mac_check_sysv_msgmsq(struct ucred *cred, struct msg *msgptr, - struct msqid_kernel *msqkptr); -int mac_check_sysv_msgrcv(struct ucred *cred, struct msg *msgptr); -int mac_check_sysv_msgrmid(struct ucred *cred, struct msg *msgptr); -int mac_check_sysv_msqget(struct ucred *cred, - struct msqid_kernel *msqkptr); -int mac_check_sysv_msqsnd(struct ucred *cred, - struct msqid_kernel *msqkptr); -int mac_check_sysv_msqrcv(struct ucred *cred, - struct msqid_kernel *msqkptr); -int mac_check_sysv_msqctl(struct ucred *cred, - struct msqid_kernel *msqkptr, int cmd); -int mac_check_sysv_semctl(struct ucred *cred, - struct semid_kernel *semakptr, int cmd); -int mac_check_sysv_semget(struct ucred *cred, - struct semid_kernel *semakptr); -int mac_check_sysv_semop(struct ucred *cred,struct semid_kernel *semakptr, - size_t accesstype); -int mac_check_sysv_shmat(struct ucred *cred, - struct shmid_kernel *shmsegptr, int shmflg); -int mac_check_sysv_shmctl(struct ucred *cred, - struct shmid_kernel *shmsegptr, int cmd); -int mac_check_sysv_shmdt(struct ucred *cred, - struct shmid_kernel *shmsegptr); -int mac_check_sysv_shmget(struct ucred *cred, - struct shmid_kernel *shmsegptr, int shmflg); int mac_check_kenv_dump(struct ucred *cred); int mac_check_kenv_get(struct ucred *cred, char *name); int mac_check_kenv_set(struct ucred *cred, char *name, char *value); int mac_check_kenv_unset(struct ucred *cred, char *name); + int mac_check_kld_load(struct ucred *cred, struct vnode *vp); int mac_check_kld_stat(struct ucred *cred); int mac_check_kld_unload(struct ucred *cred); + +void mac_init_posix_sem(struct ksem *); +void mac_destroy_posix_sem(struct ksem *); +void mac_create_posix_sem(struct ucred *cred, struct ksem 
*ksemptr); +int mac_check_posix_sem_destroy(struct ucred *cred, struct ksem *ksemptr); +int mac_check_posix_sem_getvalue(struct ucred *cred,struct ksem *ksemptr); +int mac_check_posix_sem_open(struct ucred *cred, struct ksem *ksemptr); +int mac_check_posix_sem_post(struct ucred *cred, struct ksem *ksemptr); +int mac_check_posix_sem_unlink(struct ucred *cred, struct ksem *ksemptr); +int mac_check_posix_sem_wait(struct ucred *cred, struct ksem *ksemptr); + +int mac_init_mbuf(struct mbuf *mbuf, int flag); +int mac_init_mbuf_tag(struct m_tag *, int flag); +void mac_copy_mbuf(struct mbuf *m_from, struct mbuf *m_to); +void mac_copy_mbuf_tag(struct m_tag *, struct m_tag *); +void mac_destroy_mbuf_tag(struct m_tag *); +void mac_create_fragment(struct mbuf *datagram, struct mbuf *fragment); +void mac_create_mbuf_netlayer(struct mbuf *oldmbuf, struct mbuf *newmbuf); +void mac_reflect_mbuf_icmp(struct mbuf *m); +void mac_reflect_mbuf_tcp(struct mbuf *m); + +void mac_init_mount(struct mount *); +void mac_destroy_mount(struct mount *); +void mac_create_mount(struct ucred *cred, struct mount *mp); int mac_check_mount_stat(struct ucred *cred, struct mount *mp); + +void mac_init_pipe(struct pipepair *); +void mac_destroy_pipe(struct pipepair *); +void mac_create_pipe(struct ucred *cred, struct pipepair *pp); int mac_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp, unsigned long cmd, void *data); int mac_check_pipe_poll(struct ucred *cred, struct pipepair *pp); int mac_check_pipe_read(struct ucred *cred, struct pipepair *pp); int mac_check_pipe_stat(struct ucred *cred, struct pipepair *pp); int mac_check_pipe_write(struct ucred *cred, struct pipepair *pp); -int mac_check_posix_sem_destroy(struct ucred *cred, struct ksem *ksemptr); -int mac_check_posix_sem_getvalue(struct ucred *cred,struct ksem *ksemptr); -int mac_check_posix_sem_open(struct ucred *cred, struct ksem *ksemptr); -int mac_check_posix_sem_post(struct ucred *cred, struct ksem *ksemptr); -int 
mac_check_posix_sem_unlink(struct ucred *cred, struct ksem *ksemptr); -int mac_check_posix_sem_wait(struct ucred *cred, struct ksem *ksemptr); +int mac_pipe_label_set(struct ucred *cred, struct pipepair *pp, + struct label *label); + +void mac_init_proc(struct proc *); +void mac_destroy_proc(struct proc *); +void mac_create_proc0(struct ucred *cred); +void mac_create_proc1(struct ucred *cred); +void mac_thread_userret(struct thread *td); int mac_check_proc_debug(struct ucred *cred, struct proc *proc); int mac_check_proc_sched(struct ucred *cred, struct proc *proc); int mac_check_proc_setuid(struct proc *proc, struct ucred *cred, @@ -315,6 +217,19 @@ int mac_check_proc_signal(struct ucred *cred, struct proc *proc, int signum); int mac_check_proc_wait(struct ucred *cred, struct proc *proc); +void mac_associate_nfsd_label(struct ucred *cred); +void mac_cred_mmapped_drop_perms(struct thread *td, struct ucred *cred); + +int mac_init_socket(struct socket *, int flag); +void mac_destroy_socket(struct socket *); +void mac_create_mbuf_from_socket(struct socket *so, struct mbuf *m); +void mac_create_socket(struct ucred *cred, struct socket *socket); +void mac_create_socket_from_socket(struct socket *oldsocket, + struct socket *newsocket); +void mac_set_socket_peer_from_mbuf(struct mbuf *mbuf, + struct socket *socket); +void mac_set_socket_peer_from_socket(struct socket *oldsocket, + struct socket *newsocket); int mac_check_socket_accept(struct ucred *cred, struct socket *so); int mac_check_socket_bind(struct ucred *cred, struct socket *so, struct sockaddr *sockaddr); @@ -329,6 +244,7 @@ int mac_check_socket_send(struct ucred *cred, struct socket *so); int mac_check_socket_stat(struct ucred *cred, struct socket *so); int mac_check_socket_visible(struct ucred *cred, struct socket *so); + int mac_check_sysarch_ioperm(struct ucred *cred); int mac_check_system_acct(struct ucred *cred, struct vnode *vp); int mac_check_system_nfsd(struct ucred *cred); 
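Review bot: The block comment that documented the mac_cleanup_* hooks (they flush a label's policy state without freeing it, for objects being recycled to a pool, and do not replace the mac_destroy_* hooks) is deleted in this hunk and is not re-added where `mac_cleanup_sysv_msgmsg` and its siblings reappear in the @@ -338 hunk; the section headers such as "Labeling event operations" and "Access control checks" are dropped the same way, leaving the new per-object groups unlabelled. Since that comment carried the only statement of the cleanup-versus-destroy contract, I would restore it as a comment above `void mac_cleanup_sysv_msgmsg(struct msg *msgptr);` in its new location, and give each object group a one-line header such as `/* BPF descriptors. */`. While these lines are being rewritten, the pointer spacing in `void mac_init_sysv_msgqueue(struct msqid_kernel*);` (likewise sysv_sem and sysv_shm) and the missing space after the comma in `int mac_check_posix_sem_getvalue(struct ucred *cred,struct ksem *ksemptr);` and in `mac_check_sysv_semop` could be normalised to match the neighbouring declarations.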
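Review bot: `mac_associate_nfsd_label` and `mac_cred_mmapped_drop_perms` are inserted after the proc checks and ahead of the socket group, although both take a `struct ucred *` and the rest of the cred-related declarations (`mac_init_cred` through `mac_check_cred_visible`) are collected together earlier in this change. If the grouping is by labelled object, moving these two lines up into that cred block would keep it intact; if they are meant as process-level operations, a one-line comment saying so above them would stop the next reader from moving them.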
@@ -338,8 +254,77 @@ int mac_check_system_swapoff(struct ucred *cred, struct vnode *vp); int mac_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp, void *arg1, int arg2, struct sysctl_req *req); + int mac_check_vnode_access(struct ucred *cred, struct vnode *vp, int acc_mode); +void mac_init_sysv_msgqueue(struct msqid_kernel*); +void mac_destroy_sysv_msgqueue(struct msqid_kernel *); +void mac_cleanup_sysv_msgmsg(struct msg *msgptr); +void mac_cleanup_sysv_msgqueue(struct msqid_kernel *msqkptr); +void mac_create_sysv_msgmsg(struct ucred *cred, + struct msqid_kernel *msqkptr, struct msg *msgptr); +void mac_create_sysv_msgqueue(struct ucred *cred, + struct msqid_kernel *msqkptr); +void mac_init_sysv_msgmsg(struct msg *); +void mac_destroy_sysv_msgmsg(struct msg *); +int mac_check_sysv_msgmsq(struct ucred *cred, struct msg *msgptr, + struct msqid_kernel *msqkptr); +int mac_check_sysv_msgrcv(struct ucred *cred, struct msg *msgptr); +int mac_check_sysv_msgrmid(struct ucred *cred, struct msg *msgptr); +int mac_check_sysv_msqget(struct ucred *cred, + struct msqid_kernel *msqkptr); +int mac_check_sysv_msqsnd(struct ucred *cred, + struct msqid_kernel *msqkptr); +int mac_check_sysv_msqrcv(struct ucred *cred, + struct msqid_kernel *msqkptr); +int mac_check_sysv_msqctl(struct ucred *cred, + struct msqid_kernel *msqkptr, int cmd); + +void mac_init_sysv_sem(struct semid_kernel*); +void mac_destroy_sysv_sem(struct semid_kernel *); +void mac_create_sysv_sem(struct ucred *cred, + struct semid_kernel *semakptr); +void mac_cleanup_sysv_sem(struct semid_kernel *semakptr); +int mac_check_sysv_semctl(struct ucred *cred, + struct semid_kernel *semakptr, int cmd); +int mac_check_sysv_semget(struct ucred *cred, + struct semid_kernel *semakptr); +int mac_check_sysv_semop(struct ucred *cred,struct semid_kernel *semakptr, + size_t accesstype); + +void mac_init_sysv_shm(struct shmid_kernel*); +void mac_destroy_sysv_shm(struct shmid_kernel *); +void mac_create_sysv_shm(struct ucred 
*cred, + struct shmid_kernel *shmsegptr); +void mac_cleanup_sysv_shm(struct shmid_kernel *shmsegptr); +int mac_check_sysv_shmat(struct ucred *cred, + struct shmid_kernel *shmsegptr, int shmflg); +int mac_check_sysv_shmctl(struct ucred *cred, + struct shmid_kernel *shmsegptr, int cmd); +int mac_check_sysv_shmdt(struct ucred *cred, + struct shmid_kernel *shmsegptr); +int mac_check_sysv_shmget(struct ucred *cred, + struct shmid_kernel *shmsegptr, int shmflg); + +int mac_execve_enter(struct image_params *imgp, struct mac *mac_p); +void mac_execve_exit(struct image_params *imgp); +void mac_execve_transition(struct ucred *old, struct ucred *new, + struct vnode *vp, struct label *interpvnodelabel, + struct image_params *imgp); +int mac_execve_will_transition(struct ucred *old, struct vnode *vp, + struct label *interpvnodelabel, struct image_params *imgp); + +void mac_init_vnode(struct vnode *); +void mac_copy_vnode_label(struct label *, struct label *label); +void mac_destroy_vnode(struct vnode *); +struct label *mac_vnode_label_alloc(void); +void mac_vnode_label_free(struct label *label); +int mac_associate_vnode_extattr(struct mount *mp, struct vnode *vp); +void mac_associate_vnode_singlelabel(struct mount *mp, struct vnode *vp); +int mac_create_vnode_extattr(struct ucred *cred, struct mount *mp, + struct vnode *dvp, struct vnode *vp, struct componentname *cnp); +void mac_relabel_vnode(struct ucred *cred, struct vnode *vp, + struct label *newlabel); int mac_check_vnode_chdir(struct ucred *cred, struct vnode *dvp); int mac_check_vnode_chroot(struct ucred *cred, struct vnode *dvp); int mac_check_vnode_create(struct ucred *cred, struct vnode *dvp, 
@@ -399,16 +384,8 @@ struct mac *extmac); int mac_getsockopt_peerlabel(struct ucred *cred, struct socket *so, struct mac *extmac); -int mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr, - struct ifnet *ifnet); -int mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr, - struct ifnet *ifnet); int mac_setsockopt_label(struct ucred *cred, struct socket *so, struct mac *extmac); -int mac_pipe_label_set(struct ucred *cred, struct pipepair *pp, - struct label *label); -void mac_cred_mmapped_drop_perms(struct thread *td, struct ucred *cred); -void mac_associate_nfsd_label(struct ucred *cred); /* * Calls to help various file systems implement labeling functionality
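Review bot: The new vnode group is inserted below the unchanged `int mac_check_vnode_access(struct ucred *cred, struct vnode *vp, int acc_mode);` context line, so after this hunk that check sits above the SysV IPC and execve groups while `mac_init_vnode`, `mac_relabel_vnode` and the remaining `mac_check_vnode_*` declarations follow beneath them; placing the inserted SysV/execve block above `mac_check_vnode_access` (directly after the `mac_check_system_sysctl` declaration) would keep the vnode declarations contiguous, which appears to be the aim of the resort. The SysV message-queue group also orders `mac_init_sysv_msgmsg` and `mac_destroy_sysv_msgmsg` after the create and cleanup declarations, unlike the sem and shm groups, which lead with init/destroy; moving those two lines to the top of the group would make the three groups parallel. Similarly `mac_copy_vnode_label` sits between `mac_init_vnode` and `mac_destroy_vnode`, whereas the cred group places `mac_copy_cred` after `mac_destroy_cred`.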