From owner-p4-projects@FreeBSD.ORG  Fri Aug 31 12:36:57 2007
Return-Path: <owner-p4-projects@FreeBSD.ORG>
Delivered-To: p4-projects@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 32767)
	id 08C3616A468; Fri, 31 Aug 2007 12:36:57 +0000 (UTC)
Delivered-To: perforce@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id AF10916A41B
	for <perforce@freebsd.org>; Fri, 31 Aug 2007 12:36:56 +0000 (UTC)
	(envelope-from bb+lists.freebsd.perforce@cyrus.watson.org)
Received: from repoman.freebsd.org (repoman.freebsd.org
	[IPv6:2001:4f8:fff6::29])
	by mx1.freebsd.org (Postfix) with ESMTP id 9BE4913C45E
	for <perforce@freebsd.org>; Fri, 31 Aug 2007 12:36:56 +0000 (UTC)
	(envelope-from bb+lists.freebsd.perforce@cyrus.watson.org)
Received: from repoman.freebsd.org (localhost [127.0.0.1])
	by repoman.freebsd.org (8.14.1/8.14.1) with ESMTP id l7VCaumm014811
	for <perforce@freebsd.org>; Fri, 31 Aug 2007 12:36:56 GMT
	(envelope-from bb+lists.freebsd.perforce@cyrus.watson.org)
Received: (from perforce@localhost)
	by repoman.freebsd.org (8.14.1/8.14.1/Submit) id l7VCauKP014808
	for perforce@freebsd.org; Fri, 31 Aug 2007 12:36:56 GMT
	(envelope-from bb+lists.freebsd.perforce@cyrus.watson.org)
Date: Fri, 31 Aug 2007 12:36:56 GMT
Message-Id: <200708311236.l7VCauKP014808@repoman.freebsd.org>
X-Authentication-Warning: repoman.freebsd.org: perforce set sender to
	bb+lists.freebsd.perforce@cyrus.watson.org using -f
From: Robert Watson <rwatson@FreeBSD.org>
To: Perforce Change Reviews <perforce@freebsd.org>
Cc: 
Subject: PERFORCE change 125888 for review
X-BeenThere: p4-projects@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: p4 projects tree changes <p4-projects.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/p4-projects>,
	<mailto:p4-projects-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/p4-projects>
List-Post: <mailto:p4-projects@freebsd.org>
List-Help: <mailto:p4-projects-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/p4-projects>,
	<mailto:p4-projects-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 31 Aug 2007 12:36:57 -0000

http://perforce.freebsd.org/chv.cgi?CH=125888

Change 125888 by rwatson@rwatson_zoo on 2007/08/31 12:36:24

	Finish getting MAC branch building after integration.

Affected files ...

.. //depot/projects/trustedbsd/mac/sys/security/mac/mac_policy.h#6 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_chkexec/mac_chkexec.c#18 edit
.. //depot/projects/trustedbsd/mac/sys/security/mac_suidacl/mac_suidacl.c#5 edit

Differences ...

==== //depot/projects/trustedbsd/mac/sys/security/mac/mac_policy.h#6 (text+ko) ====

@@ -519,6 +519,10 @@
 typedef int	(*mpo_check_system_sysctl_t)(struct ucred *cred,
 		    struct sysctl_oid *oidp, void *arg1, int arg2,
 		    struct sysctl_req *req);
+typedef int	(*mpo_thread_syscall_enter_t)(struct thread *td, int *args,
+		    int code);
+typedef void	(*mpo_thread_syscall_exit_t)(struct thread *td, int *args,
+		    int code, int error);
 typedef int	(*mpo_check_vnode_access_t)(struct ucred *cred,
 		    struct vnode *vp, struct label *vplabel, int acc_mode);
 typedef int	(*mpo_check_vnode_chdir_t)(struct ucred *cred,
@@ -868,7 +872,8 @@
 	mpo_check_system_swapon_t		mpo_check_system_swapon;
 	mpo_check_system_swapoff_t		mpo_check_system_swapoff;
 	mpo_check_system_sysctl_t		mpo_check_system_sysctl;
-	mpo_placeholder_t			_mpo_placeholder23;
+	mpo_thread_syscall_enter_t		mpo_thread_syscall_enter;
+	mpo_thread_syscall_exit_t		mpo_thread_syscall_exit;
 	mpo_check_vnode_access_t		mpo_check_vnode_access;
 	mpo_check_vnode_chdir_t			mpo_check_vnode_chdir;
 	mpo_check_vnode_chroot_t		mpo_check_vnode_chroot;

==== //depot/projects/trustedbsd/mac/sys/security/mac_chkexec/mac_chkexec.c#18 (text+ko) ====

@@ -42,6 +42,7 @@
 #include <sys/sysproto.h>
 #include <sys/sysent.h>
 #include <sys/sx.h>
+#include <sys/priv.h>
 #include <sys/queue.h>
 #include <sys/tree.h>
 #include <sys/vnode.h>
@@ -831,7 +832,7 @@
 	 * Only superuser may modify the extended attribute namespace associated
 	 * with this files checksum.
 	 */
-	error = suser(td);
+	error = priv_check(td, PRIV_VFS_EXTATTR_SYSTEM);
 	if (error)
 		return (error);
 	ha = mac_chkexec_get_algo();

==== //depot/projects/trustedbsd/mac/sys/security/mac_suidacl/mac_suidacl.c#5 (text+ko) ====

@@ -39,6 +39,7 @@
 #include <sys/malloc.h>
 #include <sys/mount.h>
 #include <sys/mutex.h>
+#include <sys/priv.h>
 #include <sys/proc.h>
 #include <sys/systm.h>
 #include <sys/sysproto.h>
@@ -341,7 +342,11 @@
 	int error = 0;
 	struct rule *current;
 
-	if ((mac_suidacl_enabled == 0) || !suser_cred(cred, 0))
+	/*
+	 * XXXRW: A better privilege selection might be used here.
+	 */
+	if ((mac_suidacl_enabled == 0) || !priv_check_cred(cred,
+	    PRIV_CRED_SETUID, 0))
 		return (0);
 
 	mtx_lock(&rule_mtx);