Date: Fri, 20 Jan 2006 15:16:42 GMT From: Todd Miller <millert@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 90006 for review Message-ID: <200601201516.k0KFGgr0074053@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=90006 Change 90006 by millert@millert_ibook on 2006/01/20 15:15:56 Switch to the new module build framework. With it we get a report on unimplemented entry points for free. Affected files ... .. //depot/projects/trustedbsd/sedarwin7/src/darwin/build/PolicyKext.mk#3 edit .. //depot/projects/trustedbsd/sedarwin7/src/darwin/build/mkPolicyInfoPlist.sh#1 add .. //depot/projects/trustedbsd/sedarwin7/src/darwin/build/policy-ops.gdb#1 add .. //depot/projects/trustedbsd/sedarwin7/src/ipctrace/Makefile#3 edit .. //depot/projects/trustedbsd/sedarwin7/src/ipctrace/commands/Makefile#1 add .. //depot/projects/trustedbsd/sedarwin7/src/ipctrace/commands/dotbyproc#1 add .. //depot/projects/trustedbsd/sedarwin7/src/ipctrace/commands/dumptrace.c#1 add .. //depot/projects/trustedbsd/sedarwin7/src/ipctrace/commands/ikotnames#1 add .. //depot/projects/trustedbsd/sedarwin7/src/ipctrace/commands/tr2dot#1 add .. //depot/projects/trustedbsd/sedarwin7/src/ipctrace/dumptrace.c#3 delete .. //depot/projects/trustedbsd/sedarwin7/src/ipctrace/ikotnames#3 delete .. //depot/projects/trustedbsd/sedarwin7/src/ipctrace/ipctrace.c#5 delete .. //depot/projects/trustedbsd/sedarwin7/src/ipctrace/ipctrace.h#4 delete .. //depot/projects/trustedbsd/sedarwin7/src/ipctrace/ipctrace.kmodinfo#3 delete .. //depot/projects/trustedbsd/sedarwin7/src/ipctrace/module/Makefile#1 add .. //depot/projects/trustedbsd/sedarwin7/src/ipctrace/module/ikotnames.h#1 add .. //depot/projects/trustedbsd/sedarwin7/src/ipctrace/module/ipctrace.c#1 add .. //depot/projects/trustedbsd/sedarwin7/src/ipctrace/module/ipctrace.h#1 add .. //depot/projects/trustedbsd/sedarwin7/src/ipctrace/tr2dot#3 delete .. //depot/projects/trustedbsd/sedarwin7/src/mac_count/Makefile#2 edit .. //depot/projects/trustedbsd/sedarwin7/src/mac_count/commands/Makefile#2 delete .. //depot/projects/trustedbsd/sedarwin7/src/mac_count/commands/mac_counter.c#2 delete .. 
//depot/projects/trustedbsd/sedarwin7/src/mac_count/mac_count.c#1 add .. //depot/projects/trustedbsd/sedarwin7/src/mac_count/mac_count.h#2 delete .. //depot/projects/trustedbsd/sedarwin7/src/mac_count/mk_count_decls.awk#1 add .. //depot/projects/trustedbsd/sedarwin7/src/mac_count/mk_count_funcs.awk#1 add .. //depot/projects/trustedbsd/sedarwin7/src/mac_count/mk_count_policy_ops.awk#1 add .. //depot/projects/trustedbsd/sedarwin7/src/mac_count/mk_count_reg.awk#1 add .. //depot/projects/trustedbsd/sedarwin7/src/mac_count/module/Makefile#2 delete .. //depot/projects/trustedbsd/sedarwin7/src/mac_count/module/hash_string.c#2 delete .. //depot/projects/trustedbsd/sedarwin7/src/mac_count/module/hash_string.h#2 delete .. //depot/projects/trustedbsd/sedarwin7/src/mac_count/module/mac_count.c#3 delete .. //depot/projects/trustedbsd/sedarwin7/src/mac_count/module/mac_count.kmodinfo#2 delete .. //depot/projects/trustedbsd/sedarwin7/src/mac_mls/Makefile#3 edit .. //depot/projects/trustedbsd/sedarwin7/src/mac_mls/mac_mls.c#5 edit .. //depot/projects/trustedbsd/sedarwin7/src/mac_mls/mac_mls.h#3 edit .. //depot/projects/trustedbsd/sedarwin7/src/mac_mls/mac_mls.kmodinfo#3 delete .. //depot/projects/trustedbsd/sedarwin7/src/mac_none/Makefile#3 edit .. //depot/projects/trustedbsd/sedarwin7/src/mac_none/mac_none.4#3 edit .. //depot/projects/trustedbsd/sedarwin7/src/mac_none/mac_none.c#3 edit .. //depot/projects/trustedbsd/sedarwin7/src/mac_none/mac_none.kmodinfo#3 delete .. //depot/projects/trustedbsd/sedarwin7/src/mac_stub/Makefile#3 edit .. //depot/projects/trustedbsd/sedarwin7/src/mac_stub/mac_stub.4#3 edit .. //depot/projects/trustedbsd/sedarwin7/src/mac_stub/mac_stub.c#5 edit .. //depot/projects/trustedbsd/sedarwin7/src/mac_stub/mac_stub.kmodinfo#3 delete .. //depot/projects/trustedbsd/sedarwin7/src/mactest/Makefile#3 edit .. //depot/projects/trustedbsd/sedarwin7/src/mactest/mac_test.c#5 edit .. //depot/projects/trustedbsd/sedarwin7/src/mactest/mac_test.kmodinfo#3 delete .. 
//depot/projects/trustedbsd/sedarwin7/src/stacktrace/Makefile#3 edit .. //depot/projects/trustedbsd/sedarwin7/src/stacktrace/commands/save_trace/Makefile#3 edit .. //depot/projects/trustedbsd/sedarwin7/src/stacktrace/commands/save_trace/save_trace.c#3 edit .. //depot/projects/trustedbsd/sedarwin7/src/stacktrace/commands/sec_trace/Makefile#3 edit .. //depot/projects/trustedbsd/sedarwin7/src/stacktrace/commands/sec_trace/sec_trace.c#3 edit .. //depot/projects/trustedbsd/sedarwin7/src/stacktrace/module/Makefile#3 edit .. //depot/projects/trustedbsd/sedarwin7/src/stacktrace/module/mac_stacktrace.c#4 edit .. //depot/projects/trustedbsd/sedarwin7/src/stacktrace/module/mac_stacktrace.kmodinfo#3 delete .. //depot/projects/trustedbsd/sedarwin7/src/stacktrace/stacktrace_syscalls.h#3 edit Differences ... ==== //depot/projects/trustedbsd/sedarwin7/src/darwin/build/PolicyKext.mk#3 (text+ko) ==== 
@@ -1,30 +1,103 @@ +# +# Including Makefile MUST have the following variables defined: +# +# POLICY Name of the policy (eg: mac_foo) +# POLICY_VER Policy Version for Bundle +# POLICY_COMPVER Policy OS Compatible Version for Bundle +# POLICY_DESC Description of Policy +# +# The following variables MAY be defined +# +# POLICY_SRCS Override default sources of $(POLICY).c +# POLICY_NOMAN Define if policy module has no manpage. +# POLICY_MAN +# POLICY_LIBS key:string specification of OSBundleLibraries +# +# CLEANFILES Additional build files to remove on 'make clean' +# + +CFLAGS += -g $(DARWIN_HDRS) -nostdinc -mlong-branch -DAPPLE -DKERNEL \ + -DKERNEL_PRIVATE -DKEXT -fno-common -static -fno-builtin \ + -I$(DARWIN)/EXTERNAL_HEADERS -I$(DARWIN)/EXTERNAL_HEADERS/bsd +CFLAGS += $(CWARNFLAGS) +CFLAGS += -DPOLICY_VER=\"$(POLICY_VER)\" \ + -DPOLICY_DESC=\"$(POLICY_DESC)\" +POLICY_SRCS ?= $(POLICY).c +POLICY_OBJS = $(POLICY_SRCS:.c=.o) + +POLICY_LIBS += com.apple.kernel.bsd:1.1 \ + com.apple.kernel.libkern:1.0b1 + +WARNS ?= 6 + +#CWARNFLAGS += -Wsystem-headers +#CWARNFLAGS += -Werror +#CWARNFLAGS += -Wall -Wno-format-y2k +#CWARNFLAGS += -W -Wno-unused-parameter -Wstrict-prototypes \ +# -Wmissing-prototypes -Wpointer-arith +#CWARNFLAGS += -Wreturn-type -Wcast-qual -Wwrite-strings -Wswitch \ +# -Wshadow -Wcast-align +#CWARNFLAGS += -Wunused-parameter +#CWARNFLAGS += -Wchar-subscripts -Winline -Wnested-externs \ +# -Wredundant-decls +#CWARNFLAGS += -Wno-uninitialized + +ifndef POLICY_NOMAN +POLICY_MAN ?= $(POLICY).4 +else +POLICY_MAN= +endif + +CLEANFILES += $(POLICY_OBJS) \ + $(POLICY)-test $(POLICY).gdb $(POLICY).report \ + .gdb_history + +all: mac_$(POLICY).kext.tar $(POLICY).report + +clean: + @rm -rf mac_$(POLICY).kext.tar mac_$(POLICY).kext + @rm -f $(CLEANFILES) -CFLAGS += -nostdinc -mlong-branch -DKERNEL -DKERNEL_PRIVATE -fno-common -static -fno-builtin -CFLAGS += -I$(DARWIN)/EXTERNAL_HEADERS -I$(DARWIN)/EXTERNAL_HEADERS/bsd -DKEXT +install: mac_$(POLICY).kext.tar 
$(POLICY_MAN) +ifndef POLICY_NOMAN + @install -m 644 $(POLICY_MAN) $(DESTDIR)/usr/share/man/man4 +endif + @tar -C $(DESTDIR)/System/Library/Extensions -xf mac_$(POLICY).kext.tar + +mac_$(POLICY).kext.tar: mac_$(POLICY).kext mac_$(POLICY).kext/Contents/Info.plist $(POLICY_OBJS) + @echo "$(POLICY): Creating KEXT tar file..." + @touch mac_$(POLICY).kext/LoadEarly + @tar --owner root --group wheel -cf $@ mac_$(POLICY).kext + +mac_$(POLICY).kext/Contents/Info.plist: Makefile + @echo "$(POLICY): Generating Info.plist..." + @$(DARWIN_ROOT)/build/mkPolicyInfoPlist.sh \ + $(POLICY) $(POLICY_VER) $(POLICY_COMPVER) \ + $(POLICY_DESC) "$(POLICY_LIBS)" > $@ + +mac_$(POLICY).kext: $(POLICY_OBJS) + @echo "$(POLICY): Creating KEXT..." + @mkdir -p mac_$(POLICY).kext/Contents/MacOS + @ld -r -o mac_$(POLICY).kext/Contents/MacOS/$(POLICY) $(POLICY_OBJS) -lkmod -lcc_kext -static + +# Display undefined policy entrypoints. -%.kext.tar: %.o - mkdir -p $*.kext/Contents/MacOS - ld -r -o $*.kext/Contents/MacOS/$* $^ -lkmod -lcc_kext -static - @$(MAKE) $*.kext/Contents/Info.plist - @touch $*.kext/LoadEarly - tar --owner root --group wheel -cf $@ $*.kext +$(POLICY)-test: $(POLICY_OBJS) + @$(LD) -twolevel_namespace -undefined define_a_way -o $@ $(POLICY_OBJS) 2> /dev/null + +$(POLICY).gdb: $(POLICY)-test + @gdb -x $(DARWIN_ROOT)/build/policy-ops.gdb $< \ + | grep mac_policy_ops \ + | sed s/\;// \ + | awk '{print "p " $$4 "\nquit"}' \ + > $@ -%.kext/Contents/Info.plist: %.kmodinfo - @echo "Generating $@ from $<..." 
- @echo '<?xml version="1.0" encoding="UTF-8"?>' > $@ - @echo '<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">' >> $@ - @echo -e '<plist version="1.0">\n<dict>' >> $@ - @echo -ne '<key>CFBundleExecutable</key>\n<string>' >> $@ - @echo -n $* >> $@ - @echo -ne '</string>\n<key>CFBundleIdentifier</key>\n<string>' >> $@ - @echo -n `cat $< | sed -ne '/^name:/ s/^name:// p'` >> $@ - @echo -e '</string>\n<key>CFBundleInfoDictionaryVersion</key>\n<string>6.0</string>' >> $@ - @echo -ne '<key>CFBundleName</key>\n<string>' >> $@ - @echo -n `cat $< | sed -ne '/^desc:/ s/^desc:// p'` >> $@ - @echo -e '</string>\n<key>CFBundlePackageType</key>\n<string>KEXT</string>' >> $@ - @echo -e '<key>CFBundleSignature</key>\n<string>9999</string>' >> $@ - @echo -ne '<key>CFBundleVersion</key>\n<string>' >> $@ - @echo -n `cat $< | sed -ne '/^ver:/ s/^ver:// p'` >> $@ - @echo -ne '</string><key>OSBundleCompatibleVersion</key>\n<string>' >> $@ - @echo -n `cat $< | sed -ne '/^compver:/ s/^compver:// p'` >> $@ - @echo -e '</string><key>OSBundleLibraries</key>\n<dict>\n<key>com.apple.kernel.bsd</key><string>1.1</string>\n<key>com.apple.kernel.libkern</key><string>1.0b1</string>\n</dict>\n<key>OSBundleRequired</key><string>None</string>\n</dict></plist>' >> $@ +$(POLICY).report: $(POLICY).gdb $(POLICY)-test + @echo "$(POLICY): Creating policy report..." + @echo "Undefined $(POLICY) policy entrypoints:" > $@ + @gdb -x $(POLICY).gdb $(POLICY)-test \ + | grep ' = 0,' \ + | awk '{print "\t"$$1}' \ + | sort \ + | uniq \ + >> $@ ==== //depot/projects/trustedbsd/sedarwin7/src/ipctrace/Makefile#3 (text+ko) ==== ==== //depot/projects/trustedbsd/sedarwin7/src/mac_count/Makefile#2 (text+ko) ==== 
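Review bot: The `mac_$(POLICY).kext/Contents/Info.plist` rule in this hunk lists only `Makefile` as a prerequisite, so edits to `mkPolicyInfoPlist.sh` or to `POLICY_LIBS` in PolicyKext.mk itself never regenerate the plist; add `$(DARWIN_ROOT)/build/mkPolicyInfoPlist.sh` to its prerequisites. Its recipe also passes `$(POLICY_DESC)` unquoted while `"$(POLICY_LIBS)"` is quoted, and the `-DPOLICY_DESC=\"$(POLICY_DESC)\"` CFLAGS line has the same shape; both only work because every including Makefile in this change sets `POLICY_DESC= "..."` with the double quotes inside the value, which the header comment should state, e.g. `# POLICY_DESC Description of Policy (value must carry its own double quotes)`. Separately, the `$(POLICY)-test` link discards stderr with `2> /dev/null`, so a real link failure of the probe binary only surfaces later as an unrelated gdb error; capturing stderr to a file rather than dropping it would keep the report trustworthy.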
@@ -1,11 +1,58 @@
-all:
- cd module && make
- cd commands && make
+POLICY= count
+POLICY_VER= 1.0
+POLICY_COMPVER= 1.0
+POLICY_DESC= "Entry Point Counter"
+POLICY_SRCS= mac_count.c
+POLICY_NOMAN= yes
+
+include ../Makeconfig
+include $(DARWIN_ROOT)/build/PolicyKext.mk
+
+CLEANFILES+= count_decls.h count_reg.h count_funcs.h count_policy_ops.h \
+ policy.in
+
+mac_count.c: count_decls.h count_reg.h count_funcs.h count_policy_ops.h
+
+policy.in: $(EXPORT_HDRS)/bsd/sys/mac_policy.h
+ @cpp -P $< \
+ | grep -v ^\$ \
+ | awk 'RS=";" { if ($$1 == "typedef") { print $$0";" } }' \
+ | tr -d "\n\t" \
+ | tr ";" "\n" \
+ | sed -e 's/typedef //g' \
+ -e 's/,/, /g' \
+ -e 's/_t(/ (/g' \
+ -e 's/ mpo_/ /g' \
+ > $@
+
+count_decls.h: policy.in
+ @cat $< \
+ | grep -v \
+ -e ' destroy ' \
+ -e ' init_bsd ' \
+ -e ' init ' \
+ | awk -f mk_count_decls.awk \
+ > $@
+
+count_reg.h: policy.in
+ @cat $< \
+ | grep -v \
+ -e ' destroy ' \
+ -e ' init_bsd ' \
+ -e ' init ' \
+ | awk -f mk_count_reg.awk \
+ > $@
 
-clean:
- cd module && make clean
- cd commands && make clean
+count_funcs.h: policy.in
+ @cat $< \
+ | grep -v \
+ -e ' destroy ' \
+ -e ' init_bsd ' \
+ -e ' init ' \
+ | awk -f mk_count_funcs.awk \
+ > $@
 
-install:
- cd module && make install
- cd commands && make install
+count_policy_ops.h: policy.in
+ @cat $< \
+ | awk -f mk_count_policy_ops.awk \
+ > $@
==== //depot/projects/trustedbsd/sedarwin7/src/mac_mls/Makefile#3 (text+ko) ====
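Review bot: In the `policy.in` recipe, `| grep -v ^\$ \` does not reach the shell as `^$`: at least under GNU make (which the `ifndef`/`?=` syntax in PolicyKext.mk implies), `$` followed by a character is a one-character variable reference, so `$ ` expands to nothing and grep receives `^\ `, a leading-space pattern that would drop indented continuation lines of the preprocessed `mac_policy.h` rather than empty lines. Write it as `| grep -v '^$$' \`. Because `policy.in` is the sole input to all four generated `count_*.h` headers, a mis-filtered `policy.in` silently changes which entry points the policy declares and registers. The identical recipe in the mac_stub Makefile hunk later in this change has the same problem.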
@@ -1,16 +1,9 @@
+POLICY= mls
+POLICY_VER= 1.0
+POLICY_COMPVER= 1.0
+POLICY_DESC= "TrustedBSD MAC/MLS"
+POLICY_SRCS= mac_mls.c
+POLICY_NOMAN= yes
 include ../Makeconfig
 include $(DARWIN_ROOT)/build/PolicyKext.mk
-
-CFLAGS += $(DARWIN_HDRS) -DAPPLE
-CFLAGS += -g
-
-mac_mls.kext.tar: mac_mls.o
-
-clean:
- rm -rf mac_mls.kext.tar mac_mls.kext
- rm -f mac_mls.o
-
-install: mac_mls.kext.tar
- cat $< | (cd $(DESTDIR)/System/Library/Extensions; tar xf -)
- touch $(DESTDIR)/System/Library/Extensions/mac_mls.kext/LoadEarly
 
==== //depot/projects/trustedbsd/sedarwin7/src/mac_mls/mac_mls.c#5 (text+ko) ====
@@ -43,6 +43,7 @@
 #include <sys/extattr.h>
 #include <sys/conf.h>
 #include <sys/kernel.h>
+#include <sys/lctx.h>
 #include <sys/mac.h>
 #include <sys/malloc.h>
 #include <sys/mman.h>
@@ -1794,6 +1795,45 @@
 }
 
 static int
+mac_mls_check_proc_setlcid (struct proc *p0, struct proc *p,
+ pid_t pid, pid_t lcid)
+{
+ struct mac_mls *source, *dest;
+
+ /* Create/Join/Leave */
+ if (pid == LCID_PROC_SELF)
+ return (0);
+
+ switch (lcid) {
+ case LCID_REMOVE: /* Orphan */
+
+ /* loginwindow.app/MAC.loginPlugin orphaned process. */
+ dest = SLOT(p->p_ucred->cr_label);
+
+ mac_mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL);
+ mac_mls_set_range(dest, MAC_MLS_TYPE_LOW, 0, NULL,
+ MAC_MLS_TYPE_HIGH, 0, NULL);
+ break;
+
+ case LCID_CREATE: /* Create */
+ /* nop */
+ break;
+ default: /* Adopt */
+
+ /* loginwindow.app/MAC.loginPlugin adopted process. */
+
+ source = SLOT(p0->p_ucred->cr_label);
+ dest = SLOT(p->p_ucred->cr_label);
+
+ mac_mls_copy(source, dest);
+
+ break;
+ }
+
+ return (0);
+}
+
+static int
 mac_mls_audit_preselect(struct ucred *cred, unsigned short syscode,
 void *args)
 {
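Review bot: `mac_mls_check_proc_setlcid` in the `@@ -1794` hunk never denies (every path returns 0) and relabels from inside a check hook: the `LCID_REMOVE` branch widens the target's label to effective EQUAL with a LOW–HIGH range and the default (adopt) branch copies `p0`'s label onto `p`, neither gated on the caller's label the way the other checks in this file gate on `mac_mls_dominate_effective`, and neither skipped when `mac_mls_enabled` is 0 as the other hooks do. If login-context changes are meant to be trusted by construction (the comments point at loginwindow's MAC.loginPlugin), state that above the function, e.g. `/* Login-context changes are trusted: this hook relabels rather than checks, so no dominance test is applied. XXX honour mac_mls_enabled? */`. The writes go through `SLOT(p->p_ucred->cr_label)` directly; if credentials are shared between processes here as in the rest of the BSD-derived code, relabeling in place also affects every other holder of that ucred rather than a fresh copy, which is worth confirming. The hunk ends inside the signature of `mac_mls_audit_preselect`, which continues outside it.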
@@ -1845,27 +1885,7 @@
 return (MAC_AUDIT_DEFAULT);
 }
 
-#ifdef LATER
 static int
-mac_mls_check_bpfdesc_receive(struct bpf_d *bpf_d, struct label *bpflabel,
- struct ifnet *ifnet, struct label *ifnetlabel)
-{
- struct mac_mls *a, *b;
-
- if (!mac_mls_enabled)
- return (0);
-
- a = SLOT(bpflabel);
- b = SLOT(ifnetlabel);
-
- if (mac_mls_equal_effective(a, b))
- return (0);
-
- MLS_RETURN (EACCES);
-}
-#endif /* LATER */
-
-static int
 mac_mls_check_cred_relabel(struct ucred *cred, struct label *newlabel)
 {
 struct mac_mls *subj, *new;
@@ -2764,11 +2784,11 @@
 return (0);
 }
 
+#if 0
 static int
 mac_mls_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
 int attrnamespace, const char *name)
 {
-#if 0
 struct mac_mls *subj, *obj;
 
 if (!mac_mls_enabled)
@@ -2779,10 +2799,10 @@
 if (!mac_mls_dominate_effective(obj, subj))
 return (EACCES);
 
-#endif
 return (0);
 }
+#endif
 
 static int
 mac_mls_check_vnode_exchangedata(struct ucred *cred,
@@ -2884,11 +2904,11 @@
 return (0);
 }
 
+#if 0
 static int
 mac_mls_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
 int attrnamespace)
 {
-#if 0
 struct mac_mls *subj, *obj;
 
 if (!mac_mls_enabled)
@@ -2899,10 +2919,10 @@
 if (!mac_mls_dominate_effective(subj, obj))
 return (EACCES);
 
-#endif
 return (0);
 }
+#endif
 
 static int
 mac_mls_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
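Review bot: Moving `#if 0` to enclose all of `mac_mls_check_vnode_deleteextattr` and `mac_mls_check_vnode_listextattr` (the `@@ -2764`/`-2779` and `-2884`/`-2899` hunks), together with commenting out their `.mpo_check_vnode_deleteextattr` / `.mpo_check_vnode_listextattr` entries in the ops-table hunk that follows, leaves MLS with no hook at all for deleting or listing extended attributes; before, the hooks existed but unconditionally returned 0, so enforcement is unchanged, and presumably the point is that the gap now appears in the generated `$(POLICY).report`. A bare `#if 0` does not tell the next reader why the dominance checks (`obj` over `subj` for delete, `subj` over `obj` for list) are disabled; a one-line note above each, e.g. `/* XXX: extattr dominance checks disabled; reported as unimplemented by the build's policy report. */`, would. Prefer such a note to the commented-out table entries, which are easy to mistake for dead code when the report is the intended tracking mechanism.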
@@ -3344,41 +3364,6 @@
 mac_mls_copy_range(source, dest);
 }
 
-#if 0
-static void
-mac_mls_execve_transition(struct ucred *old, struct ucred *new,
- struct vnode *vp, struct label *filelabel,
- struct label *interpvnodelabel, struct label *execlabel)
-{
-#warning mac_mls_execve_transition unimplemented
- printf("mac_mls_execve_transition: not implemented\n");
-}
-
-static int
-mac_mls_execve_will_transition(struct ucred *old, struct vnode *vp,
- struct label *filelabel, struct label *interpvnodelabel,
- struct label *execlabel, struct proc *proc)
-{
-#warning mac_mls_execve_will_transition unimplemented
- printf("mac_mls_execve_will_transition: not implemented\n");
- return 0;
-}
-
-static void
-mac_mls_reflect_mbuf_icmp(struct mbuf *m, struct label *mlabel)
-{
-#warning what to do in mac_mls_reflect_mbuf_icmp
- printf("mac_mls_reflect_mbuf_icmp: not implemented\n");
-}
-
-static void
-mac_mls_reflect_mbuf_tcp(struct mbuf *m, struct label *mlabel)
-{
-#warning what to do in mac_mls_reflect_mbuf_tcp
- printf("mac_mls_reflect_mbuf_tcp: not implemented\n");
-}
-#endif /* 0 */
-
 static struct mac_policy_ops mac_mls_ops =
 {
@@ -3442,11 +3427,11 @@
 .mpo_check_vnode_exchangedata = mac_mls_check_vnode_exchangedata,
 .mpo_check_vnode_getattrlist = mac_mls_check_vnode_getattrlist,
 .mpo_check_vnode_setattrlist = mac_mls_check_vnode_setattrlist,
- .mpo_check_vnode_deleteextattr = mac_mls_check_vnode_deleteextattr,
+/* .mpo_check_vnode_deleteextattr = mac_mls_check_vnode_deleteextattr,*/
 .mpo_check_vnode_exec = mac_mls_check_vnode_exec,
 .mpo_check_vnode_getextattr = mac_mls_check_vnode_getextattr,
 .mpo_check_vnode_link = mac_mls_check_vnode_link,
- .mpo_check_vnode_listextattr = mac_mls_check_vnode_listextattr,
+/* .mpo_check_vnode_listextattr = mac_mls_check_vnode_listextattr,*/
 .mpo_check_vnode_lookup = mac_mls_check_vnode_lookup,
 .mpo_check_vnode_mmap = mac_mls_check_vnode_mmap,
 .mpo_check_vnode_open = mac_mls_check_vnode_open,
@@ -3531,47 +3516,12 @@
 .mpo_check_proc_setauid = mac_mls_check_proc_setauid,
 .mpo_check_proc_getaudit = mac_mls_check_proc_getaudit,
 .mpo_check_proc_setaudit = mac_mls_check_proc_setaudit,
+ .mpo_check_proc_setlcid = mac_mls_check_proc_setlcid,
 .mpo_audit_preselect = mac_mls_audit_preselect,
 .mpo_audit_postselect = mac_mls_audit_postselect,
 };
-/* These are the mac_test policy ops which aren't (yet) implemented by mac_mls
-
-.mpo_check_kld_load = mac_test_check_kld_load,
-.mpo_check_sysarch_ioperm = mac_test_check_sysarch_ioperm,
-.mpo_check_vnode_deleteacl = mac_test_check_vnode_deleteacl,
-.mpo_check_vnode_getacl = mac_test_check_vnode_getacl,
-.mpo_check_vnode_setacl = mac_test_check_vnode_setacl,
-.mpo_thread_userret = mac_test_thread_userret,
-.mpo_execve_will_transition = mac_mls_execve_will_transition,
-.mpo_execve_transition = mac_mls_execve_transition,
-.mpo_create_datagram_from_ipq = mac_mls_create_datagram_from_ipq,
- .mpo_init_bpfdesc_label = mac_mls_init_label,
- .mpo_destroy_bpfdesc_label = mac_mls_destroy_label,
- .mpo_create_bpfdesc = mac_mls_create_bpfdesc,
- .mpo_create_fragment = mac_mls_create_fragment,
- .mpo_destroy_ifnet_label = mac_mls_destroy_label,
- .mpo_externalize_ifnet_label = mac_mls_externalize_label,
- .mpo_init_ifnet_label = mac_mls_init_label,
- .mpo_internalize_ifnet_label = mac_mls_internalize_label,
- .mpo_create_ifnet = mac_mls_create_ifnet,
- .mpo_relabel_ifnet = mac_mls_relabel_ifnet,
- .mpo_init_ipq_label = mac_mls_init_label_waitcheck,
- .mpo_update_ipq = mac_mls_update_ipq,
- .mpo_fragment_match = mac_mls_fragment_match,
- .mpo_create_mbuf_from_bpfdesc = mac_mls_create_mbuf_from_bpfdesc,
- .mpo_create_mbuf_from_ifnet = mac_mls_create_mbuf_from_ifnet,
- .mpo_create_mbuf_from_mbuf = mac_mls_create_mbuf_from_mbuf,
- .mpo_create_mbuf_linklayer = mac_mls_create_mbuf_linklayer,
- .mpo_create_mbuf_multicast_encap = mac_mls_create_mbuf_multicast_encap,
- .mpo_create_mbuf_netlayer = mac_mls_create_mbuf_netlayer,
- .mpo_destroy_mbuf_label = mac_mls_destroy_label,
- .mpo_init_mbuf_label = mac_mls_init_label_waitcheck,
- .mpo_reflect_mbuf_icmp = mac_mls_reflect_mbuf_icmp,
- .mpo_reflect_mbuf_tcp = mac_mls_reflect_mbuf_tcp,
-*/
-
 static char *labelnamespaces[MAC_MLS_LABEL_NAME_COUNT] = {MAC_MLS_LABEL_NAME};
 struct mac_policy_conf mac_mls_mac_policy_conf = {
 "mac_mls", /* policy name */
@@ -3591,13 +3541,15 @@
 static kern_return_t
 kmod_start(kmod_info_t *ki, void *xd)
 {
- return mac_policy_register (&mac_mls_mac_policy_conf);
+
+ return (mac_policy_register(&mac_mls_mac_policy_conf));
 }
 
 static kern_return_t
 kmod_stop(kmod_info_t *ki, void *xd)
 {
- return mac_policy_unregister (&mac_mls_mac_policy_conf);
+
+ return (mac_policy_unregister(&mac_mls_mac_policy_conf));
 }
 
 extern kern_return_t _start(kmod_info_t *ki, void *data);
==== //depot/projects/trustedbsd/sedarwin7/src/mac_mls/mac_mls.h#3 (text+ko) ====
==== //depot/projects/trustedbsd/sedarwin7/src/mac_none/Makefile#3 (text+ko) ====
@@ -1,16 +1,9 @@
+POLICY= none
+POLICY_VER= 1.0
+POLICY_COMPVER= 1.0
+POLICY_DESC= "MAC None Policy"
+POLICY_SRCS= mac_none.c
+POLICY_MAN= mac_none.4
+
 include ../Makeconfig
 include $(DARWIN_ROOT)/build/PolicyKext.mk
-
-CFLAGS += $(DARWIN_HDRS) -DAPPLE
-CFLAGS += -g
-
-mac_none.kext.tar: mac_none.o
-
-clean:
- rm -rf mac_none.kext.tar mac_none.kext
- rm -f mac_none.o
-
-install: mac_none.kext.tar mac_none.4
- install -m 644 mac_none.4 $(DESTDIR)/usr/share/man/man4
- cat $< | (cd $(DESTDIR)/System/Library/Extensions; tar xf -)
- touch $(DESTDIR)/System/Library/Extensions/mac_none.kext/LoadEarly
==== //depot/projects/trustedbsd/sedarwin7/src/mac_none/mac_none.4#3 (text+ko) ====
==== //depot/projects/trustedbsd/sedarwin7/src/mac_none/mac_none.c#3 (text+ko) ====
==== //depot/projects/trustedbsd/sedarwin7/src/mac_stub/Makefile#3 (text+ko) ====
@@ -1,16 +1,35 @@
+POLICY= stub
+POLICY_VER= 1.0
+POLICY_COMPVER= 1.0
+POLICY_DESC= "MAC Stub Policy"
+POLICY_SRCS= mac_stub.c
+POLICY_MAN= mac_stub.4
+
 include ../Makeconfig
 include $(DARWIN_ROOT)/build/PolicyKext.mk
 
-CFLAGS += $(DARWIN_HDRS) -DAPPLE
-CFLAGS += -g -Wall
+CLEANFILES+= stub_funcs.h stub_policy_ops.h policy.in
+
+mac_stub.c: stub_funcs.h stub_policy_ops.h
 
-mac_stub.kext.tar: mac_stub.o
+policy.in: $(EXPORT_HDRS)/bsd/sys/mac_policy.h
+ @cpp -P $< \
+ | grep -v ^\$ \
+ | awk 'RS=";" { if ($$1 == "typedef") { print $$0";" } }' \
+ | tr -d "\n\t" \
+ | tr ";" "\n" \
+ | sed -e 's/typedef //g' \
+ -e 's/,/, /g' \
+ -e 's/_t(/ (/g' \
+ -e 's/ mpo_/ /g' \
+ > $@
 
-clean:
- rm -rf mac_stub.kext.tar mac_stub.kext
- rm -f mac_stub.o
+stub_funcs.h: policy.in
+ @cat $< \
+ | awk -f mk_stub_funcs.awk \
+ > $@
 
-install: mac_stub.kext.tar mac_stub.4
- install -m 644 mac_stub.4 $(DESTDIR)/usr/share/man/man4
- cat $< | (cd $(DESTDIR)/System/Library/Extensions; tar xf -)
- touch $(DESTDIR)/System/Library/Extensions/mac_stub.kext/LoadEarly
+stub_policy_ops.h: policy.in
+ @cat $< \
+ | awk -f mk_stub_policy_ops.awk \
+ > $@
==== //depot/projects/trustedbsd/sedarwin7/src/mac_stub/mac_stub.4#3 (text+ko) ====
==== //depot/projects/trustedbsd/sedarwin7/src/mac_stub/mac_stub.c#5 (text+ko) ====
@@ -1,6 +1,7 @@
 /*-
+ * Copyright (c) 2005 SPARTA, Inc.
+ * Copyright (c) 2001-2003 Networks Associates Technology, Inc.
 * Copyright (c) 1999-2002 Robert N. M. Watson
- * Copyright (c) 2001-2003 Networks Associates Technology, Inc.
 * All rights reserved.
 *
 * This software was developed by Robert Watson for the TrustedBSD Project.
@@ -44,25 +45,27 @@
 */
 
 #include <sys/types.h>
-#include <sys/extattr.h>
 #include <sys/conf.h>
 #include <sys/kernel.h>
-#include <sys/mac.h>
 #include <sys/malloc.h>
 #include <sys/mman.h>
 #include <sys/mount.h>
 #include <sys/posix_sem.h>
 #include <sys/posix_shm.h>
 #include <sys/proc.h>
+#include <sys/sem.h>
+#include <sys/shm.h>
 #include <sys/sbuf.h>
 #include <sys/systm.h>
 #include <sys/vnode.h>
 #include <sys/dirent.h>
 #include <sys/sysctl.h>
-#include <sys/libkern.h>
 #include <sys/ucred.h>
 #include <sys/socket.h>
 #include <sys/socketvar.h>
+
+#include <libkern/libkern.h>
+#include <sys/mac.h>
 #include <sys/mac_policy.h>
 #include <vm/vm_kern.h>
 
@@ -89,1286 +92,18 @@ SYSCTL_INT(_security_mac_stub, OID_AUTO, enabled, CTLFLAG_RW, &mac_stub_enabled, 0, "Enforce stub policy"); -static void -stub_associate_vnode_devfs(struct mount *mp, struct label *fslabel, - struct devnode *de, struct label *delabel, struct vnode *vp, - struct label *vlabel) -{ - -} - -static int -stub_associate_vnode_extattr(struct mount *mp, struct label *fslabel, - struct vnode *vp, struct label *vlabel) -{ - - return (0); -} - -static void -stub_associate_vnode_singlelabel(struct mount *mp, struct label *fslabel, - struct vnode *vp, struct label *vlabel) -{ - -} - -static int -stub_check_cred_relabel(struct ucred *cred, struct label *newlabel) -{ - - return (0); -} - -static int -stub_check_cred_visible(struct ucred *u1, struct ucred *u2) -{ - - return (0); -} - - -static int -stub_check_fcntl(struct ucred *cred, struct file *fd, int cmd, int arg) -{ - - return (0); -} - -static int -stub_check_get_fd(struct ucred *cred, struct file *fd, char *elements, int len) -{ - - return (0); -} - -static int -stub_check_ioctl(struct ucred *cred, struct file *fd, int com, void *data) -{ - - return (0); -} - -static int -stub_check_mount_stat(struct ucred *cred, struct mount *mp, - struct label *mntlabel) -{ - - return (0); -} - -static int -stub_check_port_copy_send(struct label *task, struct label *port) -{ - - return (0); -} - -static int -stub_check_port_hold_receive(struct label *task, struct label *port) -{ - - return (0); -} - -static int -stub_check_port_hold_send(struct label *task, struct label *port) -{ - - return (0); -} - -static int -stub_check_port_make_send(struct label *task, struct label *port) -{ - - return (0); -} - -static int -stub_check_port_move_receive(struct label *task, struct label *port) -{ - - return (0); -} - -static int -stub_check_port_relabel(struct label *task, struct label *old, - struct label *newlabel) -{ - - return (0); -} - -static int -stub_check_port_send(struct label *task, struct label *port) -{ - - return 
(0); -} - -static int -stub_check_posix_sem_create(struct ucred *cred, const char *semname) -{ - - return (0); -} - -static int -stub_check_posix_sem_open(struct ucred *cred, struct pseminfo *sem, - struct label *semlabel) -{ - - return (0); -} - -static int -stub_check_posix_sem_post(struct ucred *cred, struct pseminfo *sem, - struct label *semlabel) -{ - - return (0); -} - -static int -stub_check_posix_sem_unlink(struct ucred *cred, struct pseminfo *sem, - struct label *semlabel, const char *semname) -{ - - return (0); -} - -static int -stub_check_posix_sem_wait(struct ucred *cred, struct pseminfo *sem, - struct label *semlabel) -{ - - return (0); -} - -static int -stub_check_posix_shm_create(struct ucred *cred, const char *shmname) -{ - - return (0); -} - -static int -stub_check_posix_shm_open(struct ucred *cred, struct pshminfo *shm, - struct label *shmlabel) -{ - - return (0); -} - -static int -stub_check_posix_shm_mmap(struct ucred *cred, struct pshminfo *shm, - struct label *shmlabel, int flags, int prot) -{ - - return (0); -} - -static int -stub_check_posix_shm_stat(struct ucred *cred, struct pshminfo *shm, - struct label *shmlabel) -{ - - return (0); -} - -static int -stub_check_posix_shm_truncate(struct ucred *cred, struct pshminfo *shm, - struct label *shmlabel, size_t size) -{ - - return (0); -} - -static int -stub_check_posix_shm_unlink(struct ucred *cred, struct pshminfo *shm, - struct label *shmlabel, const char *shmname) -{ - - return (0); -} - -static int -stub_check_proc_debug(struct ucred *cred, struct proc *proc) -{ - - return (0); -} - -static int -stub_check_proc_getaudit(struct ucred *cred) -{ - - return (0); -} - -static int -stub_check_proc_getauid(struct ucred *cred) -{ - - return (0); -} - -static int -stub_check_proc_sched(struct ucred *cred, struct proc *proc) -{ - - return (0); -} - -static int -stub_check_proc_setaudit(struct ucred *cred, struct auditinfo *ai) -{ - - return (0); -} - -static int -stub_check_proc_setauid(struct ucred 
*cred, uid_t auid) -{ - - return (0); -} - -static int -stub_check_proc_signal(struct ucred *cred, struct proc *proc, int signum) -{ - - return (0); -} - -static int -stub_check_proc_wait(struct ucred *cred, struct proc *proc) -{ - - return (0); -} - -static int -stub_check_service_access(struct label *subj, struct label *obj, - const char *serv, const char *perm) -{ - - return (0); -} - -static int -stub_check_set_fd(struct ucred *cred, struct file *fd, char *elements, int len) -{ - - return (0); -} - -static int -stub_check_socket_accept(struct ucred *cred, - struct socket *socket, struct label *socklabel, struct sockaddr *addr) -{ - - return (0); -} - -static int -stub_check_socket_bind(struct ucred *cred, struct socket *socket, - struct label *socklabel, struct sockaddr *addr) -{ - - return (0); -} - -static int -stub_check_socket_connect(struct ucred *cred, struct socket *socket, - struct label *socklabel, struct sockaddr *addr) -{ - - return (0); -} - -static int -stub_check_socket_deliver(struct socket *so, struct label *so_label, - struct mbuf *m, struct label *m_label) -{ - - return (0); -} - -static int >>> TRUNCATED FOR MAIL (1000 lines) <<<