Date: Fri, 30 Apr 2004 06:42:27 -0700 (PDT) From: Chris Vance <cvance@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 51970 for review Message-ID: <200404301342.i3UDgROb037522@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=51970
Change 51970 by cvance@cvance_osx_laptop on 2004/04/30 06:42:11
Link in a nearly empty mac_mls policy. The module builds, the kernel boots, and the module is initialized. However, the module doesn't yet implement any entry points (other than init and destroy)
Affected files ...
.. //depot/projects/trustedbsd/sedarwin73/apsl/xnu/security/Makefile#3 edit
.. //depot/projects/trustedbsd/sedarwin73/apsl/xnu/security/conf/files#3 edit
.. //depot/projects/trustedbsd/sedarwin73/apsl/xnu/security/mac_base.c#2 edit
.. //depot/projects/trustedbsd/sedarwin73/apsl/xnu/security/mac_mls/Makefile#1 add
.. //depot/projects/trustedbsd/sedarwin73/apsl/xnu/security/mac_mls/mac_mls.c#2 edit
.. //depot/projects/trustedbsd/sedarwin73/apsl/xnu/security/mac_mls/mac_mls.h#2 edit
Differences ...
==== //depot/projects/trustedbsd/sedarwin73/apsl/xnu/security/Makefile#3 (text+ko) ====
@@ -8,12 +8,16 @@
 include $(MakeInc_def)
 INSTINC_SUBDIRS = \
+ mac_mls \
+ mac_test \
 sebsd
 INSTINC_SUBDIRS_PPC = ${INSTINC_SUBDIRS}
 INSTINC_SUBDIRS_I386 = ${INSTINC_SUBDIRS}
 EXPINC_SUBDIRS = \
+ mac_mls \
+ mac_test \
 sebsd
 EXPINC_SUBDIRS_PPC = ${EXPINC_SUBDIRS}
==== //depot/projects/trustedbsd/sedarwin73/apsl/xnu/security/conf/files#3 (text+ko) ====
@@ -13,6 +13,7 @@
 security/mac_socket.c standard
 security/mac_network.c standard
 security/mac_test/mac_test.c standard
+security/mac_mls/mac_mls.c standard
 security/sebsd/sebsd.c standard
 security/sebsd/sebsd_syscall.c standard
 security/sebsd/sebsd_sysctl.c standard
==== //depot/projects/trustedbsd/sedarwin73/apsl/xnu/security/mac_base.c#2 (text+ko) ====
@@ -308,6 +308,7 @@
 {
 extern struct mac_policy_conf test_mac_policy_conf;
 extern struct mac_policy_conf sebsd_mac_policy_conf;
+ extern struct mac_policy_conf mac_mls_mac_policy_conf;
 printf("MAC: init mac_test\n");
 mac_policy_register(&test_mac_policy_conf);
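Review bot: The added `extern struct mac_policy_conf mac_mls_mac_policy_conf;` in the mac_base.c hunk is a function-scope declaration with no header behind it, so nothing lets the compiler check it against the definition this same change adds to mac_mls.c; the two existing externs share the problem but predate the commit. Putting `extern struct mac_policy_conf mac_mls_mac_policy_conf;` in security/mac_mls/mac_mls.h (also touched by this change, though its hunk is not shown here) and including that from mac_base.c gives one declaration that both translation units see. The enclosing function starts above the hunk.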
@@ -315,6 +316,9 @@
 printf("MAC: init sebsd\n");
 mac_policy_register(&sebsd_mac_policy_conf);
+ printf("MAC: init MAC/MLS\n");
+ mac_policy_register(&mac_mls_mac_policy_conf);
+
 mac_late = 1;
 }
==== //depot/projects/trustedbsd/sedarwin73/apsl/xnu/security/mac_mls/mac_mls.c#2 (text+ko) ====
@@ -41,25 +41,25 @@
 #include <sys/types.h>
 #include <sys/param.h>
-#include <sys/acl.h>
+#include <sys/extattr.h>
 #include <sys/conf.h>
-#include <sys/extattr.h>
 #include <sys/kernel.h>
 #include <sys/mac.h>
 #include <sys/malloc.h>
+#include <sys/mman.h>
 #include <sys/mount.h>
 #include <sys/proc.h>
 #include <sys/sbuf.h>
 #include <sys/systm.h>
-#include <sys/sysproto.h>
-#include <sys/sysent.h>
-#include <sys/systm.h>
 #include <sys/vnode.h>
-#include <sys/file.h>
+#include <sys/dirent.h>
+#include <sys/sysctl.h>
+#include <string.h>
+
+#if 0
 #include <sys/socket.h>
 #include <sys/socketvar.h>
 #include <sys/pipe.h>
-#include <sys/sysctl.h>
 #include <sys/msg.h>
 #include <sys/msg_msg.h>
 #include <sys/sem.h>
@@ -76,13 +76,23 @@
 #include <netinet/in.h>
 #include <netinet/ip_var.h>
+#endif /* 0 */
-#include <vm/vm.h>
+#include <sys/libkern.h>
+#include <sys/ucred.h>
+#include <vm/vm_kern.h>
+#include <kern/kalloc.h>
 #include <sys/mac_policy.h>
 #include <security/mac_mls/mac_mls.h>
+#ifdef APPLE
+#define TUNABLE_INT(x, y)
+#define atomic_add_int(P, V) (*(u_int*)(P) += (V))
+#define atomic_subtract_int(P, V) (*(u_int*)(P) -= (V))
+#endif
+
 SYSCTL_DECL(_security_mac);
 SYSCTL_NODE(_security_mac, OID_AUTO, mls, CTLFLAG_RW, 0,
@@ -116,10 +126,9 @@
 &max_compartments, 0, "Maximum compartments the policy supports");
 static int mac_mls_slot;
+
 #define SLOT(l) ((struct mac_mls *)LABEL_TO_SLOT((l), mac_mls_slot).l_ptr)
-MALLOC_DEFINE(M_MACMLS, "mls label", "MAC/MLS labels");
-
 static __inline int
 mls_bit_set_empty(u_char *set)
 {
 int i;
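Review bot: Under `#ifdef APPLE` in the -76 hunk, `atomic_add_int` and `atomic_subtract_int` are redefined as plain `*(P) += (V)` read-modify-writes, so the macro name promises an atomicity it does not deliver; the `destroyed_not_inited` counter bumped from mac_mls_free later in this file becomes racy on an SMP kernel, and any future use of the macro for a security-relevant count would inherit that. If this tree exposes a kernel atomic-add primitive to the module (e.g. `OSAddAtomic` from libkern/OSAtomic.h, if available here), map the shim onto it; otherwise mark it `/* XXX not atomic: plain RMW, acceptable only for diagnostic counters */` so the next reader does not rely on it. `TUNABLE_INT(x, y)` expanding to nothing likewise silently drops whatever boot-time tunables the file declares, which deserves a one-line comment on the same lines.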
@@ -135,7 +144,8 @@
 {
 struct mac_mls *mac_mls;
- mac_mls = malloc(sizeof(struct mac_mls), M_MACMLS, M_ZERO | flag);
+ mac_mls = (struct mac_mls *)kalloc(sizeof(struct mac_mls));
+ bzero(mac_mls, sizeof(struct mac_mls));
 return (mac_mls);
 }
@@ -145,7 +155,7 @@
 {
 if (mac_mls != NULL)
- free(mac_mls, M_MACMLS);
+ kfree((vm_offset_t)mac_mls, sizeof(struct mac_mls));
 else
 atomic_add_int(&destroyed_not_inited, 1);
 }
@@ -469,6 +479,7 @@
 mac_mls_init(struct mac_policy_conf *conf)
 {
+ printf("MAC MLS policy is initialized!\n");
 }
 /*
@@ -590,6 +601,8 @@
 panic("mac_mls_element_to_string: invalid type (%d)", element->mme_type);
 }
+
+ return (-1); /* Unreachable */
 }
 /*
@@ -821,6 +834,7 @@
 *SLOT(dest) = *SLOT(src);
 }
+#if Big_Zero
 /*
 * Labeling event operations: file system objects, and things that look
 * a lot like file system objects.
@@ -2358,6 +2372,7 @@
 return (0);
 }
+#if 0
 static int
 mac_mls_check_vnode_exec(struct ucred *cred, struct vnode *vp,
 struct label *label, struct image_params *imgp,
@@ -2389,6 +2404,7 @@
 return (0);
 }
+#endif /* 0 */
 static int
 mac_mls_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
@@ -2877,7 +2893,15 @@
 return (0);
 }
+#endif /* Big_Zero */
+
+static struct mac_policy_ops mac_mls_ops =
+{
+ .mpo_destroy = mac_mls_destroy,
+ .mpo_init = mac_mls_init,
+};
+#if 0
 static struct mac_policy_ops mac_mls_ops =
 {
 .mpo_destroy = mac_mls_destroy,
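Review bot: In mac_mls_alloc (-135 hunk) the `kalloc()` result is handed straight to `bzero()` with no NULL check, and the `flag` parameter that the removed `malloc(..., M_ZERO | flag)` honoured is now ignored, so a caller asking for a non-blocking allocation gets whatever blocking behaviour kalloc has in this tree. If kalloc can return NULL here, guard the clear — `if (mac_mls != NULL)` / `bzero(mac_mls, sizeof(struct mac_mls));` — and add `/* flag unused on Darwin: kalloc() takes only a size */` so the dropped semantics are visible; the function's signature is above the hunk. Separately, `#if Big_Zero` in the -821 hunk gates the bulk of the file on an identifier that is never defined and evaluates to 0 only by preprocessor default (and trips -Wundef); `#if 0 /* Big_Zero */` states the intent directly and pairs with the `#endif /* Big_Zero */` in the -2877 hunk.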
@@ -3049,6 +3073,18 @@
 .mpo_check_vnode_stat = mac_mls_check_vnode_stat,
 .mpo_check_vnode_write = mac_mls_check_vnode_write,
 };
+#endif /* 0 */
+#if 0
 MAC_POLICY_SET(&mac_mls_ops, mac_mls, "TrustedBSD MAC/MLS", MPC_LOADTIME_FLAG_NOTLATE | MPC_LOADTIME_FLAG_LABELMBUFS, &mac_mls_slot);
+#endif /* 0 */
+
+struct mac_policy_conf mac_mls_mac_policy_conf = {
+ "mac_mls", /* policy name */
+ "TrustedBSD MAC/MLS", /* full name */
+ &mac_mls_ops, /* policy operations */
+ 0, /* loadtime flags*/
+ &mac_mls_slot, /* security field */
+ 0 /* runtime flags */
+};
==== //depot/projects/trustedbsd/sedarwin73/apsl/xnu/security/mac_mls/mac_mls.h#2 (text+ko) ====
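Review bot: The new `mac_mls_mac_policy_conf` sets the loadtime flags to `0`, whereas the MAC_POLICY_SET it replaces (now under `#if 0` in the same hunk) passed `MPC_LOADTIME_FLAG_NOTLATE | MPC_LOADTIME_FLAG_LABELMBUFS`; with only init and destroy wired up this is harmless, but once the `#if 0` entry points return the mbuf-labelling flag presumably has to come back or the network hooks will see unlabelled mbufs, so record that where the value is dropped: `0, /* loadtime flags: restore NOTLATE|LABELMBUFS when the ops are re-enabled */`. The struct is also filled positionally with trailing comments while `mac_mls_ops` just above uses designated initializers; initializing this one by field name too keeps the comment/field pairing from drifting silently if struct mac_policy_conf (not shown in this diff) is ever reordered.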