From owner-p4-projects@FreeBSD.ORG Fri Apr 30 06:42:28 2004 Return-Path: Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id B4FD416A4D0; Fri, 30 Apr 2004 06:42:28 -0700 (PDT) Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7419B16A4CE for ; Fri, 30 Apr 2004 06:42:28 -0700 (PDT) Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4A5AB43D45 for ; Fri, 30 Apr 2004 06:42:28 -0700 (PDT) (envelope-from cvance@nailabs.com) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.12.10/8.12.10) with ESMTP id i3UDgSGe037525 for ; Fri, 30 Apr 2004 06:42:28 -0700 (PDT) (envelope-from cvance@nailabs.com) Received: (from perforce@localhost) by repoman.freebsd.org (8.12.10/8.12.10/Submit) id i3UDgROb037522 for perforce@freebsd.org; Fri, 30 Apr 2004 06:42:27 -0700 (PDT) (envelope-from cvance@nailabs.com) Date: Fri, 30 Apr 2004 06:42:27 -0700 (PDT) Message-Id: <200404301342.i3UDgROb037522@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to cvance@nailabs.com using -f 
From: Chris Vance To: Perforce Change Reviews Subject: PERFORCE change 51970 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 30 Apr 2004 13:42:29 -0000 http://perforce.freebsd.org/chv.cgi?CH=51970 Change 51970 by cvance@cvance_osx_laptop on 2004/04/30 06:42:11 Link in a nearly empty mac_mls policy. The module builds, the kernel boots, and the module is initialized. However, the module doesn't yet implement any entry points (other than init and destroy) Affected files ... .. //depot/projects/trustedbsd/sedarwin73/apsl/xnu/security/Makefile#3 edit .. //depot/projects/trustedbsd/sedarwin73/apsl/xnu/security/conf/files#3 edit .. //depot/projects/trustedbsd/sedarwin73/apsl/xnu/security/mac_base.c#2 edit .. //depot/projects/trustedbsd/sedarwin73/apsl/xnu/security/mac_mls/Makefile#1 add .. //depot/projects/trustedbsd/sedarwin73/apsl/xnu/security/mac_mls/mac_mls.c#2 edit .. //depot/projects/trustedbsd/sedarwin73/apsl/xnu/security/mac_mls/mac_mls.h#2 edit Differences ...
==== //depot/projects/trustedbsd/sedarwin73/apsl/xnu/security/Makefile#3 (text+ko) ====
@@ -8,12 +8,16 @@
 include $(MakeInc_def)
 INSTINC_SUBDIRS = \
+ mac_mls \
+ mac_test \
 sebsd
 INSTINC_SUBDIRS_PPC = ${INSTINC_SUBDIRS}
 INSTINC_SUBDIRS_I386 = ${INSTINC_SUBDIRS}
 EXPINC_SUBDIRS = \
+ mac_mls \
+ mac_test \
 sebsd
 EXPINC_SUBDIRS_PPC = ${EXPINC_SUBDIRS}
==== //depot/projects/trustedbsd/sedarwin73/apsl/xnu/security/conf/files#3 (text+ko) ====
@@ -13,6 +13,7 @@
 security/mac_socket.c standard
 security/mac_network.c standard
 security/mac_test/mac_test.c standard
+security/mac_mls/mac_mls.c standard
 security/sebsd/sebsd.c standard
 security/sebsd/sebsd_syscall.c standard
 security/sebsd/sebsd_sysctl.c standard
==== //depot/projects/trustedbsd/sedarwin73/apsl/xnu/security/mac_base.c#2 (text+ko) ====
@@ -308,6 +308,7 @@
 {
 extern struct mac_policy_conf test_mac_policy_conf;
 extern struct mac_policy_conf sebsd_mac_policy_conf;
+ extern struct mac_policy_conf mac_mls_mac_policy_conf;
 printf("MAC: init mac_test\n");
 mac_policy_register(&test_mac_policy_conf);
@@ -315,6 +316,9 @@
 printf("MAC: init sebsd\n");
 mac_policy_register(&sebsd_mac_policy_conf);
+ printf("MAC: init MAC/MLS\n");
+ mac_policy_register(&mac_mls_mac_policy_conf);
+
 mac_late = 1;
 }
==== //depot/projects/trustedbsd/sedarwin73/apsl/xnu/security/mac_mls/mac_mls.c#2 (text+ko) ====
@@ -41,25 +41,25 @@
 #include
 #include
-#include
+#include
 #include
-#include
 #include
 #include
 #include
+#include
 #include
 #include
 #include
 #include
-#include
-#include
-#include
 #include
-#include
+#include
+#include
+#include
+
+#if 0
 #include
 #include
 #include
-#include
 #include
 #include
 #include
@@ -76,13 +76,23 @@
 #include
 #include
+#endif /* 0 */
-#include
+#include
+#include
+#include
+#include
 #include
 #include
+#ifdef APPLE
+#define TUNABLE_INT(x, y)
+#define atomic_add_int(P, V) (*(u_int*)(P) += (V))
+#define atomic_subtract_int(P, V) (*(u_int*)(P) -= (V))
+#endif
+
 SYSCTL_DECL(_security_mac);
 SYSCTL_NODE(_security_mac, OID_AUTO, mls, CTLFLAG_RW, 0,
@@ -116,10 +126,9 @@
 &max_compartments, 0, "Maximum compartments the policy supports");
 static int mac_mls_slot;
+
 #define SLOT(l) ((struct mac_mls *)LABEL_TO_SLOT((l), mac_mls_slot).l_ptr)
-MALLOC_DEFINE(M_MACMLS, "mls label", "MAC/MLS labels");
-
 static __inline int
 mls_bit_set_empty(u_char *set) {
 int i;
@@ -135,7 +144,8 @@
 {
 struct mac_mls *mac_mls;
- mac_mls = malloc(sizeof(struct mac_mls), M_MACMLS, M_ZERO | flag);
+ mac_mls = (struct mac_mls *)kalloc(sizeof(struct mac_mls));
+ bzero(mac_mls, sizeof(struct mac_mls));
 return (mac_mls);
 }
@@ -145,7 +155,7 @@
 {
 if (mac_mls != NULL)
- free(mac_mls, M_MACMLS);
+ kfree((vm_offset_t)mac_mls, sizeof(struct mac_mls));
 else
 atomic_add_int(&destroyed_not_inited, 1);
 }
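Review bot: The added `mac_policy_register(&mac_mls_mac_policy_conf);` in the second mac_base.c hunk discards the registration result, so a policy that fails to register is simply absent from the enforcement path with only the preceding "MAC: init MAC/MLS" line suggesting it is active. The two existing registrations do the same, but the new line is the place to stop the pattern. If mac_policy_register() reports failure through its return value in this tree as it does in FreeBSD, change it to `if (mac_policy_register(&mac_mls_mac_policy_conf) != 0)` / `printf("MAC: mac_mls registration failed\n");`. The enclosing function starts before the first hunk, so its signature is not visible here.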
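Review bot: The APPLE fallback `#define atomic_add_int(P, V) (*(u_int*)(P) += (V))` (and atomic_subtract_int next to it, in the @@ -76 hunk) is a plain read-modify-write, so the name promises atomicity the macro does not deliver; concurrent mac_mls_free() calls on an SMP kernel can lose updates to destroyed_not_inited. That counter appears to be diagnostic only, so the harm today is a wrong count, but anything that later relies on these names for real synchronization will race silently. Either map them to the XNU atomic primitives (hw_atomic_add / OSAddAtomic — confirm which this tree provides) or make the limitation explicit with a comment above the block: `/* NOT atomic on Darwin: debug counters only, never use for synchronization. */`.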
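Review bot: In the @@ -135 hunk the result of kalloc() is passed straight to bzero() with no NULL check, whereas the replaced malloc(..., M_ZERO | flag) zeroed only on success and let the caller's `flag` (M_NOWAIT vs M_WAITOK) decide whether the allocation may sleep; `flag` is now silently ignored. If kalloc() can return NULL in this kernel (its kmem_alloc path can when memory is short — confirm for this XNU version), bzero() dereferences a null pointer in kernel context. Guard it: `if (mac_mls != NULL)` / `bzero(mac_mls, sizeof(struct mac_mls));`, and add a comment recording that `flag` is unused on Darwin so the non-sleeping allocation semantics callers may expect are lost. mac_mls_alloc's signature is above the hunk and not visible here.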
@@ -469,6 +479,7 @@
 mac_mls_init(struct mac_policy_conf *conf)
 {
+ printf("MAC MLS policy is initialized!\n");
 }
 /*
@@ -590,6 +601,8 @@
 panic("mac_mls_element_to_string: invalid type (%d)", element->mme_type);
 }
+
+ return (-1); /* Unreachable */
 }
 /*
@@ -821,6 +834,7 @@
 *SLOT(dest) = *SLOT(src);
 }
+#if Big_Zero
 /*
 * Labeling event operations: file system objects, and things that look
 * a lot like file system objects.
@@ -2358,6 +2372,7 @@
 return (0);
 }
+#if 0
 static int
 mac_mls_check_vnode_exec(struct ucred *cred, struct vnode *vp,
 struct label *label, struct image_params *imgp,
@@ -2389,6 +2404,7 @@
 return (0);
 }
+#endif /* 0 */
 static int
 mac_mls_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
@@ -2877,7 +2893,15 @@
 return (0);
 }
+#endif /* Big_Zero */
+
+static struct mac_policy_ops mac_mls_ops =
+{
+ .mpo_destroy = mac_mls_destroy,
+ .mpo_init = mac_mls_init,
+};
+#if 0
 static struct mac_policy_ops mac_mls_ops =
 {
 .mpo_destroy = mac_mls_destroy,
@@ -3049,6 +3073,18 @@
 .mpo_check_vnode_stat = mac_mls_check_vnode_stat,
 .mpo_check_vnode_write = mac_mls_check_vnode_write,
 };
+#endif /* 0 */
+#if 0
 MAC_POLICY_SET(&mac_mls_ops, mac_mls, "TrustedBSD MAC/MLS",
 MPC_LOADTIME_FLAG_NOTLATE | MPC_LOADTIME_FLAG_LABELMBUFS, &mac_mls_slot);
+#endif /* 0 */
+
+struct mac_policy_conf mac_mls_mac_policy_conf = {
+ "mac_mls", /* policy name */
+ "TrustedBSD MAC/MLS", /* full name */
+ &mac_mls_ops, /* policy operations */
+ 0, /* loadtime flags*/
+ &mac_mls_slot, /* security field */
+ 0 /* runtime flags */
+};
==== //depot/projects/trustedbsd/sedarwin73/apsl/xnu/security/mac_mls/mac_mls.h#2 (text+ko) ====
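Review bot: `#if Big_Zero` in the @@ -821 hunk relies on an undefined identifier evaluating to 0 in the preprocessor; that works, but it trips -Wundef, reads like a typo for a real configuration macro, and makes it hard to tell whether someone defining Big_Zero later is a bug or an intended switch. Use the same form as the other disabled regions in this file, `#if 0 /* Big_Zero: entry points not yet ported to Darwin */`, so the intent is in the comment rather than in a magic name. The matching `#endif /* Big_Zero */` in the @@ -2877 hunk should be renamed to agree.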
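Review bot: `struct mac_policy_conf mac_mls_mac_policy_conf` in the @@ -3049 hunk is filled positionally with trailing comments naming the fields, while `mac_mls_ops` a few lines above uses designated initializers; if the struct gains or reorders a member, the positional form silently mis-assigns values (most seriously the loadtime flags and the slot pointer) where the designated form would fail to compile. Prefer designated initializers here too (`.mpc_name`, `.mpc_ops`, `.mpc_loadtime_flags` and so on — confirm the member names in this tree's mac_policy.h). The loadtime flags also drop from `MPC_LOADTIME_FLAG_NOTLATE | MPC_LOADTIME_FLAG_LABELMBUFS` to 0, which is presumably fine while only init and destroy are wired up, but a comment such as `/* 0 for now: restore NOTLATE | LABELMBUFS when the labeling entry points are enabled */` would keep that requirement from being lost when the Big_Zero block is turned back on.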