Date:      Sun, 10 Jul 2005 11:51:29 GMT
From:      Robert Watson <rwatson@FreeBSD.org>
To:        Perforce Change Reviews <perforce@freebsd.org>
Subject:   PERFORCE change 79915 for review
Message-ID:  <200507101151.j6ABpTGD053747@repoman.freebsd.org>

http://perforce.freebsd.org/chv.cgi?CH=79915

Change 79915 by rwatson@rwatson_zoo on 2005/07/10 11:51:25

	Implement NO_SEBSD, which controls the building of many
	SEBSD-related tools, libraries, and the inclusion of
	SEBSD-specific functionality into some base system components.

Affected files ...

.. //depot/projects/trustedbsd/sebsd/lib/Makefile#16 edit
.. //depot/projects/trustedbsd/sebsd/sbin/Makefile#12 edit
.. //depot/projects/trustedbsd/sebsd/sys/modules/Makefile#14 edit
.. //depot/projects/trustedbsd/sebsd/usr.bin/login/Makefile#6 edit
.. //depot/projects/trustedbsd/sebsd/usr.bin/login/login.c#9 edit
.. //depot/projects/trustedbsd/sebsd/usr.sbin/Makefile#13 edit
.. //depot/projects/trustedbsd/sebsd/usr.sbin/cron/cron/Makefile#4 edit
.. //depot/projects/trustedbsd/sebsd/usr.sbin/cron/cron/database.c#5 edit
.. //depot/projects/trustedbsd/sebsd/usr.sbin/cron/cron/do_command.c#7 edit
.. //depot/projects/trustedbsd/sebsd/usr.sbin/pwd_mkdb/Makefile#4 edit
.. //depot/projects/trustedbsd/sebsd/usr.sbin/pwd_mkdb/pwd_mkdb.c#7 edit

Differences ...

==== //depot/projects/trustedbsd/sebsd/lib/Makefile#16 (text+ko) ====

@@ -34,7 +34,7 @@
 	libpmc ${_libpthread} ${_libsdp} ${_libsm} ${_libsmb} ${_libsmdb} \
 	${_libsmutil} libstand libtelnet ${_libthr} ${_libthread_db} libufs \
 	libugidfw ${_libusbhid} ${_libvgl} libwrap liby libz ${_bind} \
-	libsebsd libsepol
+	${_libsebsd} ${_libsepol}
 
 .if exists(${.CURDIR}/csu/${MACHINE_ARCH}-elf)
 _csu=csu/${MACHINE_ARCH}-elf
@@ -77,6 +77,11 @@
 _libio=		libio
 .endif
 
+.if !defined(NO_SEBSD)
+_libsebsd=	libsebsd
+_libsepol=	libsepol
+.endif
+
 .if !defined(NO_SENDMAIL)
 _libmilter=	libmilter
 _libsm=		libsm

==== //depot/projects/trustedbsd/sebsd/sbin/Makefile#12 (text+ko) ====

@@ -81,8 +81,8 @@
 	rtsol \
 	savecore \
 	${_sconfig} \
-	sebsd_checkpolicy \
-	sebsd_setfiles \
+	${_sebsd_checkpolicy} \
+	${_sebsd_setfiles} \
 	setfsmac \
 	shutdown \
 	slattach \
@@ -111,6 +111,11 @@
 _pflogd=	pflogd
 .endif
 
+.if !defined(NO_SEBSD)
+_sebsd_checkpolicy=	sebsd_checkpolicy
+_sebsd_setfiles=	sebsd_setfiles
+.endif
+
 .if !defined(NO_INET6)
 _ip6fw=		ip6fw
 _ping6=		ping6

==== //depot/projects/trustedbsd/sebsd/sys/modules/Makefile#14 (text+ko) ====

@@ -204,7 +204,7 @@
 	sbsh \
 	scd \
 	${_scsi_low} \
-	sebsd \
+	${_sebsd} \
 	sf \
 	${_sio} \
 	sis \
@@ -309,6 +309,10 @@
 _pf=		pf
 .endif
 
+.if !defined(NO_SEBSD) || defined(ALL_MODULES)
+_sebsd=		sebsd
+.endif
+
 .if ${MACHINE_ARCH} == "i386"
 # XXX some of these can move to the general case when de-i386'ed
 # XXX some of these can move now, but are untested on other architectures.

==== //depot/projects/trustedbsd/sebsd/usr.bin/login/Makefile#6 (text+ko) ====

@@ -3,18 +3,25 @@
 
 PROG=	login
 SRCS=	login.c login_fbtab.c
-CFLAGS+=-I${.CURDIR}/../../lib/libsebsd
-CFLAGS+=-I${.CURDIR}/../../contrib/sebsd/libselinux/include
-CFLAGS+=-I${.CURDIR}/../../sys
-CFLAGS+=-I${.CURDIR}/../../sys/security/sebsd
 CFLAGS+=-DLOGALL
-DPADD=	${LIBUTIL} ${LIBPAM} ${LIBSEBSD}
-LDADD=	-lutil ${MINUSLPAM} -lsebsd
+DPADD=	${LIBUTIL} ${LIBPAM}
+LDADD=	-lutil ${MINUSLPAM}
 MAN=	login.1 login.access.5
+
 .if !defined(NO_SETUID_LOGIN)
 BINOWN=	root
 BINMODE=4555
 PRECIOUSPROG=
 .endif
 
+.if !defined(NO_SEBSD)
+CFLAGS+=-I${.CURDIR}/../../lib/libsebsd
+CFLAGS+=-I${.CURDIR}/../../contrib/sebsd/libselinux/include
+CFLAGS+=-I${.CURDIR}/../../sys
+CFLAGS+=-I${.CURDIR}/../../sys/security/sebsd
+CFLAGS+=-DSEBSD
+DPADD+=	${LIBSEBSD}
+LDADD+=	-lsebsd
+.endif
+
 .include <bsd.prog.mk>

==== //depot/projects/trustedbsd/sebsd/usr.bin/login/login.c#9 (text+ko) ====

@@ -139,7 +139,9 @@
 static char		*username;	/* user name */
 static char		*olduser;	/* previous user name */
 
+#ifdef SEBSD
 static char             *user_role;     /* role/type specified with username */
+#endif
 
 /*
  * Prompts
@@ -295,6 +297,7 @@
 				badlogin(olduser);
 		}
 
+#ifdef SEBSD
 		char *rp = username;
 		while (*rp && *rp != '/')
 			rp++;
@@ -302,6 +305,8 @@
 			*rp = 0;
 			user_role = rp+1;
 		}
+#endif
+
 		/*
 		 * Load the PAM policy and set some variables
 		 */
@@ -508,6 +513,7 @@
 			    username, tty);
 	}
 
+#ifdef SEBSD
 	/*
 	 * Determine if we must execute a transition when we
 	 * run our shell, for MAC policies which require it.  For now,
@@ -594,6 +600,7 @@
 		mac_free(newttylabel);
 	}
 nosebsd:
+#endif /* !SEBSD */
 
 	/*
 	 * Destroy environment unless user has requested its
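Review bot: The closing comment `#endif /* !SEBSD */` names the negated condition although the region is opened with `#ifdef SEBSD`; the usual form is `#endif /* SEBSD */`. The same comment is on the `#endif` lines added in cron/database.c, cron/do_command.c and pwd_mkdb.c. The `nosebsd:` label now sits inside the conditional region, so every `goto nosebsd` must be inside it too; those jumps are outside this hunk and are worth checking in a NO_SEBSD build.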

==== //depot/projects/trustedbsd/sebsd/usr.sbin/Makefile#13 (text+ko) ====

@@ -146,8 +146,8 @@
 	rwhod \
 	sa \
 	${_sendmail} \
-	sebsd_loadpolicy \
-	sebsd_newrole \
+	${_sebsd_loadpolicy} \
+	${_sebsd_newrole} \
 	setkey \
 	setpmac \
 	${_sicontrol} \
@@ -244,6 +244,11 @@
 _lpr=		lpr
 .endif
 
+.if !defined(NO_SEBSD)
+_sebsd_loadpolicy=	sebsd_loadpolicy
+.sebsd_newrole=		sebsd_newrole
+.endif
+
 .if !defined(NO_SENDMAIL)
 _editmap=	editmap
 _mailstats=	mailstats
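Review bot: The second assignment in the added NO_SEBSD block is spelled `.sebsd_newrole=` with a leading dot instead of an underscore, so the `${_sebsd_newrole}` entry introduced in the earlier hunk of this file is never set. As a result sebsd_newrole would drop out of the build even when NO_SEBSD is not defined, and make may also reject the line as an unknown directive. It should read `_sebsd_newrole=		sebsd_newrole`, matching the `_sebsd_loadpolicy` line above it.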

==== //depot/projects/trustedbsd/sebsd/usr.sbin/cron/cron/Makefile#4 (text+ko) ====

@@ -4,10 +4,16 @@
 MAN=	cron.8
 SRCS=	cron.c database.c do_command.c job.c user.c popen.c
 
-CFLAGS+= -I${.CURDIR}/../../../sys
 CFLAGS+= -DLOGIN_CAP
 
-DPADD=	${LIBCRON} ${LIBUTIL} ${LIBSEBSD}
-LDADD=	${LIBCRON} -lutil -lsebsd
+DPADD=	${LIBCRON} ${LIBUTIL}
+LDADD=	${LIBCRON} -lutil
+
+.if !defined(SEBSD)
+CFLAGS+= -I${.CURDIR}/../../../sys
+CFLAGS+= -DSEBSD
+DPADD+=	${LIBSEBSD}
+LDADD+=	-lsebsd
+.endif
 
 .include <bsd.prog.mk>
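Review bot: The guard on the added block is `.if !defined(SEBSD)`, which tests a variable nothing in this change sets, so the block stays active when NO_SEBSD is defined and cron still gets `-DSEBSD` and `-lsebsd`. Because lib/Makefile in this same change stops building libsebsd under NO_SEBSD, that combination would presumably fail at link time, and the SEBSD code in database.c and do_command.c is not compiled out as the description intends. The guard should be `.if !defined(NO_SEBSD)`, as in the login and pwd_mkdb Makefiles.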

==== //depot/projects/trustedbsd/sebsd/usr.sbin/cron/cron/database.c#5 (text+ko) ====

@@ -253,6 +253,7 @@
 		free_user(u);
 		log_it(fname, getpid(), "RELOAD", tabname);
 	}
+#ifdef SEBSD
 	if (is_selinux_enabled()) {
 		/*
 		 * Perform a virtual entrypoint access decision on
@@ -300,6 +301,7 @@
 	                goto next_crontab;
 	        }
 	}
+#endif /* !SEBSD */
 	u = load_user(crontab_fd, pw, fname);
 	if (u != NULL) {
 		u->mtime = statbuf->st_mtime;

==== //depot/projects/trustedbsd/sebsd/usr.sbin/cron/cron/do_command.c#7 (text+ko) ====

@@ -274,6 +274,7 @@
 				_exit(OK_EXIT);
 			}
 # endif /*DEBUGGING*/
+#ifdef SEBSD
 			if (is_selinux_enabled()) {
 				mac_t mac;
 				char *context, *labeltext, *argv[4];
@@ -301,12 +302,15 @@
 				argv[3] = NULL;
 				mac_execve(shell, argv, e->envp, mac);
 			} else {
+#endif /* !SEBSD */
 				execle(shell, shell, "-c", e->cmd, (char *)0,
 				    e->envp);
+#ifdef SEBSD
 			}
 			warn("execl: couldn't exec `%s'", shell);
 			_exit(ERROR_EXIT);
 		}
+#endif /* !SEBSD */
 		break;
 	default:
 		/* parent process */
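Review bot: The last `#ifdef SEBSD` region covers more than the `}` that closes the `else`: it also encloses the `warn("execl: couldn't exec ...")` call, `_exit(ERROR_EXIT);` and a closing `}` for a block opened outside this hunk. A build without SEBSD therefore loses the failed-exec handling and, as far as the visible lines show, ends up with unbalanced braces. If such a build did compile, a child whose `execle()` fails would fall through to `break` instead of exiting. Only the `else`'s brace should be conditional: put `#endif /* SEBSD */` directly after that `}` and leave the `warn`, `_exit` and outer `}` lines unconditional.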

==== //depot/projects/trustedbsd/sebsd/usr.sbin/pwd_mkdb/Makefile#4 (text+ko) ====

@@ -10,4 +10,8 @@
 WARNS?=	4
 CFLAGS+= -I${.CURDIR}/../../lib/libc/gen		# for pw_scan.h
 
+.if !defined(NO_SEBSD)
+CFLAGS+= -DSEBSD
+.endif
+
 .include <bsd.prog.mk>

==== //depot/projects/trustedbsd/sebsd/usr.sbin/pwd_mkdb/pwd_mkdb.c#7 (text+ko) ====

@@ -721,6 +721,7 @@
 		errno = sverrno;
 		error(buf);
 	}
+#ifdef SEBSD
 	if (label) {
 		mac_t mac;
 		if (mac_from_text(&mac, label)) {
@@ -732,6 +733,7 @@
 			return;
 		}
 	}
+#endif /* !SEBSD */
 }
 
 void


