From owner-p4-projects@FreeBSD.ORG Thu Jan 25 15:24:00 2007 Return-Path: X-Original-To: p4-projects@freebsd.org Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 48A5616A406; Thu, 25 Jan 2007 15:24:00 +0000 (UTC) X-Original-To: perforce@freebsd.org Delivered-To: perforce@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 248B516A404 for ; Thu, 25 Jan 2007 15:24:00 +0000 (UTC) (envelope-from millert@freebsd.org) Received: from repoman.freebsd.org (repoman.freebsd.org [69.147.83.41]) by mx1.freebsd.org (Postfix) with ESMTP id 092AB13C478 for ; Thu, 25 Jan 2007 15:24:00 +0000 (UTC) (envelope-from millert@freebsd.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.13.6/8.13.6) with ESMTP id l0PFNxAG057153 for ; Thu, 25 Jan 2007 15:23:59 GMT (envelope-from millert@freebsd.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.13.6/8.13.4/Submit) id l0PFNxJZ057150 for perforce@freebsd.org; Thu, 25 Jan 2007 15:23:59 GMT (envelope-from millert@freebsd.org) Date: Thu, 25 Jan 2007 15:23:59 GMT Message-Id: <200701251523.l0PFNxJZ057150@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to millert@freebsd.org using -f 
From: Todd Miller To: Perforce Change Reviews Cc: Subject: PERFORCE change 113512 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 25 Jan 2007 15:24:00 -0000
http://perforce.freebsd.org/chv.cgi?CH=113512
Change 113512 by millert@millert_macbook on 2007/01/25 15:23:20
Adapt to MAC policy API changes.
Affected files ...
.. //depot/projects/trustedbsd/sedarwin8/policies/color/mac_color.c#12 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/console/mac_console.c#9 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/filewatch/mac_filewatch.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/mls/mac_mls.c#27 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/readonly/mac_readonly.c#9 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/test/mac_parse.pl#4 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/test/mac_test.c#20 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/vanity/vanity.c#10 edit
Differences ...
==== //depot/projects/trustedbsd/sedarwin8/policies/color/mac_color.c#12 (text+ko) ====
@@ -383,7 +383,7 @@
 static int
 color_vnode_check_access(struct ucred *cred, struct vnode *vp,
- struct label *label, int acc_mode)
+ struct label *label, struct componentname *cnp, int acc_mode)
 {
 return (co_maybe_promote_process(cred, label));
@@ -399,7 +399,7 @@
 static int
 color_vnode_check_chroot(struct ucred *cred, struct vnode *dvp,
- struct label *label)
+ struct label *label, struct componentname *cnp)
 {
 return (co_maybe_promote_process(cred, label));
@@ -443,7 +443,7 @@
 static int
 color_vnode_check_exec(struct ucred *cred, struct vnode *vp,
- struct label *label, struct label *execlabel)
+ struct label *label, struct label *execlabel, struct componentname *cnp)
 {
 if (execlabel != NULL)
@@ -518,14 +518,6 @@
 }
 static int
-color_proc_check_mprotect(struct ucred *cred, struct proc *proc,
- void *addr, size_t size, int prot)
-{
-
- // Nothing yet
-}
-
-static int
 color_vnode_check_open(struct ucred *cred, struct vnode *vp,
 struct label *label, int acc_mode)
 {
@@ -709,7 +701,6 @@
 .mpo_lctx_notify_leave = color_lctx_notify_leave,
 .mpo_lctx_label_update = color_lctx_label_update,
 .mpo_proc_check_signal = color_proc_check_signal,
- .mpo_proc_check_mprotect = color_proc_check_mprotect,
 .mpo_vnode_check_access = color_vnode_check_access,
 .mpo_vnode_check_chdir = color_vnode_check_chdir,
==== //depot/projects/trustedbsd/sedarwin8/policies/console/mac_console.c#9 (text+ko) ====
@@ -680,12 +680,32 @@
 }
 static int
+mac_console_vnode_check_access(struct ucred *cred, struct vnode *vp,
+ struct label *vnodelabel, struct componentname *cnp, int acc_mode)
+{
+ struct mac_console *subj, *obj;
+
+ if (!mac_console_enabled)
+ return (0);
+
+ subj = SLOT(cred->cr_label);
+ obj = SLOT(vnodelabel);
+ if (!mac_console_vnode_access(subj, obj))
+ return (EACCES);
+ return (0);
+}
+
+static int
 mac_console_vnode_check_exec(struct ucred *cred, struct vnode *vp,
 struct label *label,
 #ifdef __FreeBSD__
 struct image_params *imgp,
 #endif
- struct label *execlabel)
+ struct label *execlabel
+#ifdef __APPLE__
+ ,struct componentname *cnp
+#endif
+ )
 {
 struct mac_console *subj, *obj;
@@ -776,7 +796,7 @@
 .mpo_vnode_label_associate_extattr= mac_console_vnode_label_associate_extattr,
 .mpo_vnode_label_store = mac_console_vnode_label_store,
- .mpo_vnode_check_access = mac_console_vnode_check_open,
+ .mpo_vnode_check_access = mac_console_vnode_check_access,
 .mpo_vnode_check_open = mac_console_vnode_check_open,
 .mpo_vnode_check_exec = mac_console_vnode_check_exec,
 .mpo_vnode_check_unlink = mac_console_vnode_check_unlink,
==== //depot/projects/trustedbsd/sedarwin8/policies/filewatch/mac_filewatch.c#2 (text+ko) ====
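Review bot: mac_console_vnode_check_access ignores both `acc_mode` and `cnp`, so the new hook gives the same verdict for read, write and execute probes; if that is the intended console-ownership semantics it should be stated above the subj/obj lookup, e.g. `/* acc_mode is deliberately unused: console ownership gates every access mode alike. */`, otherwise the read-only case needs its own answer. The body presumably mirrors mac_console_vnode_check_open, which lies outside this hunk; if it does, a shared static helper taking (cred, vnodelabel) would keep the two hooks from drifting apart. Neither `cred->cr_label` nor `vnodelabel` is checked before SLOT(), which is only safe if the framework guarantees both labels are present for this hook; the hunk does not show that guarantee, so a one-line comment recording it would help the next reader.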
@@ -78,35 +78,27 @@
 static int
 filewatch_vnode_check_exec(struct ucred *cred, struct vnode *vp,
- struct label *label, struct label *execlabel)
+ struct label *label, struct label *execlabel, struct componentname *cnp)
 {
 char *pbuf, cbuf[MAXCOMLEN+1];
- int error, plen, clen;
+ int plen, clen;
 if (vp == NULL) {
 printf("filewatch:: NULL vp\n");
 return (0);
 }
- MALLOC_ZONE(pbuf, char *, MAXPATHLEN, M_NAMEI, M_WAITOK);
- if (pbuf == NULL) {
- printf("filewatch:: This sucks, no path buffers available (via exec)\n");
- return (0);
- }
+ pbuf = cnp->cn_pnbuf;
+ plen = cnp->cn_nameptr - cnp->cn_pnbuf + cnp->cn_namelen;
- plen = MAXPATHLEN;
- error = vn_getpath(vp, pbuf, &plen);
-
- clen = MAXCOMLEN+1;
+ clen = sizeof(cbuf);
 proc_selfname(cbuf, clen);
- printf("filewatch:: pcomm '%s' (%d/%d) uid %d exec '%s'\n",
+ printf("filewatch:: pcomm '%s' (%d/%d) uid %d exec '%.*s'\n",
 cbuf, proc_selfpid(), proc_selfppid(), cred->cr_uid,
- pbuf);
-
- FREE_ZONE(pbuf, MAXPATHLEN, M_NAMEI);
+ plen, pbuf);
 return (0);
 }
@@ -132,7 +124,7 @@
 plen = MAXPATHLEN;
 error = vn_getpath(vp, pbuf, &plen);
- clen = MAXCOMLEN+1;
+ clen = sizeof(cbuf);
 proc_selfname(cbuf, clen);
 printf("filewatch:: pcomm '%s' (%d/%d) uid %d open '%s' (%d,%s%s%s%s%s)\n", cbuf,
==== //depot/projects/trustedbsd/sedarwin8/policies/mls/mac_mls.c#27 (text+ko) ====
@@ -314,6 +314,7 @@
 return (mac_mls_dominate_element(&a->mm_effective, &b->mm_effective));
 }
+#if 0
 static int
 mac_mls_equal_element(struct mac_mls_element *a, struct mac_mls_element *b)
 {
@@ -351,6 +352,7 @@
 return (mac_mls_equal_element(&a->mm_effective, &b->mm_effective));
 }
+#endif
 static int
 mac_mls_contains_equal(struct mac_mls *mac_mls)
@@ -1529,7 +1531,7 @@
 static void
 mac_mls_mbuf_label_associate_bpfdesc(struct bpf_d *bpf_d,
- struct mbuf *mbuf, struct label *mbuflabel)
+ struct label *bpflabel, struct mbuf *mbuf, struct label *mbuflabel)
 {
 struct mac_mls *dest;
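Review bot: `pbuf = cnp->cn_pnbuf;` dereferences `cnp` with no guard, while `vp` is still NULL-checked a few lines above; if any exec path can reach this hook without a componentname, the guard should become `if (vp == NULL || cnp == NULL) {` so a logging-only policy can never panic the kernel on the very path it is meant to observe. `plen` is an `int` receiving a pointer difference (`cnp->cn_nameptr - cnp->cn_pnbuf`), an implicit narrowing that a `ptrdiff_t` or an explicit cast would make visible, although MAXPATHLEN keeps the value small in practice. For the audit value of this line, the string now comes from the caller-supplied lookup name in `cn_pnbuf` rather than the resolved vnode path vn_getpath used to return, so it may be relative or contain symlink components; a comment such as `/* Logs the lookup path as supplied by the caller, not the resolved vnode path. */` would stop readers equating it with the open-hook output in the next hunk, which still calls vn_getpath. The whole of filewatch_vnode_check_exec is inside this hunk.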
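Review bot: mac_mls_equal_element and the mac_mls-level caller that ends at the second `#endif` hunk are disabled with `#if 0` rather than removed, leaving dead code that will silently rot against future changes to struct mac_mls_element; since the history is in Perforce, deleting them is cleaner, and if they are kept for a planned hook the `#if 0` line should say why, e.g. `#if 0 /* unused: no MAC hook currently needs label equality; kept pending <reason> */`. The bracketed definitions themselves run between the two hunks, outside the visible lines.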
@@ -3287,7 +3289,7 @@
 static int
 mac_mls_vnode_check_chroot(struct ucred *cred, struct vnode *dvp,
- struct label *dlabel)
+ struct label *dlabel, struct componentname *cnp)
 {
 struct mac_mls *subj, *obj;
@@ -3389,7 +3391,7 @@
 static int
 mac_mls_vnode_check_exec(struct ucred *cred, struct vnode *vp,
- struct label *label, struct label *execlabel)
+ struct label *label, struct label *execlabel, struct componentname *cnp)
 {
 struct mac_mls *subj, *obj, *exec;
 int error;
@@ -3613,7 +3615,7 @@
 static int
 mac_mls_vnode_check_access(struct ucred *cred, struct vnode *vp,
- struct label *vnodelabel, int acc_mode)
+ struct label *vnodelabel, struct componentname *cnp, int acc_mode)
 {
 struct mac_mls *subj, *obj;
==== //depot/projects/trustedbsd/sedarwin8/policies/readonly/mac_readonly.c#9 (text+ko) ====
@@ -371,7 +371,7 @@
 }
 static int
-readonly_vnode_check_access(struct ucred *cred, struct vnode *vp, struct label *label, int acc_mode)
+readonly_vnode_check_access(struct ucred *cred, struct vnode *vp, struct label *label, struct componentname *cnp, int acc_mode)
 {
 return (ro_checkdiraccess(vp, label, acc_mode));
==== //depot/projects/trustedbsd/sedarwin8/policies/test/mac_parse.pl#4 (text+ko) ====
@@ -207,9 +207,6 @@
 elsif ($var =~ /port/ || $name =~ /check_port_/) {
 print CFILE "\tUSE_LABEL($var, PORTTYPE);\n";
 }
- elsif ($var =~ /task/) {
- print CFILE "\tUSE_LABEL($var, TASKTYPE);\n";
- }
 elsif ($type =~ /struct label/) {
 if ($flags =~ /NULLOK/) {
 print CFILE "\tif ($var != NULL)\n\t";
@@ -217,6 +214,9 @@
 if ($firsttype ne "") {
 print CFILE "\tUSE_LABEL($var, $firsttype);\n";
 }
+ elsif ($var =~ /task/) {
+ print CFILE "\tUSE_LABEL($var, TASKTYPE);\n";
+ }
 else {
 print CFILE "\tUSE_LABEL($var, $typename);\n";
 }
==== //depot/projects/trustedbsd/sedarwin8/policies/test/mac_test.c#20 (text+ko) ====
@@ -1627,7 +1627,7 @@
 static void
 mac_test_mbuf_label_associate_bpfdesc(struct bpf_d *bpf_d,
- struct mbuf *m, struct label *m_label)
+ struct label *b_label, struct mbuf *m, struct label *m_label)
 {
 CHECKNULL(bpf_d);
==== //depot/projects/trustedbsd/sedarwin8/policies/vanity/vanity.c#10 (text+ko) ====
@@ -236,7 +236,7 @@
 }
 static int
-vanity_mount_check_mount(struct ucred *cred, struct vnode *vp, struct label *vlabel, const char *vfc_name)
+vanity_mount_check_mount(struct ucred *cred, struct vnode *vp, struct label *vlabel, struct componentname *cnp, const char *vfc_name)
 {
 VANITY(vp);
 return (0);
@@ -264,7 +264,7 @@
 }
 static int
-vanity_vnode_check_access(struct ucred *cred, struct vnode *vp, struct label *label, int acc_mode)
+vanity_vnode_check_access(struct ucred *cred, struct vnode *vp, struct label *label, struct componentname *cnp, int acc_mode)
 {
 VANITY(vp);
 return (0);
@@ -278,7 +278,7 @@
 }
 static int
-vanity_vnode_check_chroot(struct ucred *cred, struct vnode *dvp, struct label *dlabel)
+vanity_vnode_check_chroot(struct ucred *cred, struct vnode *dvp, struct label *dlabel, struct componentname *cnp)
 {
 VANITY(dvp);
 return (0);
@@ -315,7 +315,7 @@
 }
 static int
-vanity_vnode_check_exec(struct ucred *cred, struct vnode *vp, struct label *label, struct label *execlabel)
+vanity_vnode_check_exec(struct ucred *cred, struct vnode *vp, struct label *label, struct label *execlabel, struct componentname *cnp)
 {
 VANITY(vp);
 return (0);
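Review bot: the new `b_label` parameter of mac_test_mbuf_label_associate_bpfdesc gets no CHECKNULL in the visible lines, and asserting that the framework hands every label through is exactly what the test policy exists for; unless the body, which continues outside the hunk, already does so, add `CHECKNULL(b_label);` beside `CHECKNULL(bpf_d);`. The same question applies to the mac_mls counterpart earlier in this change, where the new `bpflabel` argument is likewise not visibly used.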