Date: Sun, 21 Jan 2007 22:47:56 GMT From: Todd Miller <millert@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 113297 for review Message-ID: <200701212247.l0LMluPs066801@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=113297 Change 113297 by millert@millert_macbook on 2007/01/21 22:47:40 Move to a single label struct for sedarwin. The old struct names are still supported via a macro for now as they aid in readability. They may be removed in the future if variable names improve... Affected files ... .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#54 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd_labels.h#5 edit Differences ... ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#54 (text+ko) ==== @@ -97,10 +97,7 @@ int sebsd_verbose = 0; -static zone_t task_security_zone; -static zone_t network_security_zone; -static zone_t vnode_security_zone; -static zone_t ipc_security_zone; +static zone_t sebsd_label_zone; static int sebsd_slot; /* set by framework */ #define SLOT(l) ((void *)LABEL_TO_SLOT((l), sebsd_slot).l_ptr) @@ -216,25 +213,9 @@ sebsd_zone_init(void) { - /* We use task_security_struct for creds and ports too. */ - task_security_zone = mac_zinit(sizeof(struct task_security_struct), - 2048 * sizeof(struct task_security_struct), 0, - "task_security_struct"); - - /* Want to use maxsockets here. */ - network_security_zone = mac_zinit(sizeof(struct network_security_struct), - 512 * sizeof(struct network_security_struct), 0, - "network_security_struct"); - - /* Want to use desiredvnodes here. */ - vnode_security_zone = mac_zinit(sizeof(struct vnode_security_struct), - 8192 * sizeof(struct vnode_security_struct), 0, - "vnode_security_struct"); - - /* Want to use maxsockets here. */ - ipc_security_zone = mac_zinit(sizeof(struct ipc_security_struct), - 512 * sizeof(struct ipc_security_struct), 0, - "ipc_security_struct"); + sebsd_label_zone = mac_zinit(sizeof(struct sebsd_label), + 8192 * sizeof(struct sebsd_label), 0, + "sebsd_label"); } static void 
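Review bot: The consolidated zone in sebsd_zone_init is created with a single `8192 * sizeof(struct sebsd_label)` figure, which is the old vnode zone's number alone, while the four zones it replaces added up to 2048 + 512 + 8192 + 512 entries and carried "want to use desiredvnodes/maxsockets here" notes that are dropped with them. If the second argument to mac_zinit is the zone's maximum size, as the old per-type values suggest, creds, ports, sockets, mbufs and IPC objects now compete with vnodes for the same 8192 slots; whether mac_zinit treats that argument as a hard cap is not visible in this hunk. Either size the new zone as the sum of the old limits or carry the sizing intent forward in a comment, e.g. `/* XXX should scale with desiredvnodes + maxsockets; one zone now backs every label type */`.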
@@ -478,6 +459,7 @@ } /* Update security class if not set or vnode was recycled. */ + /* XXX - why is this needed? When things get recycled the class should be zeroed */ if (file->sclass == 0 || vp->v_type == VBAD) file->sclass = vnode_type_to_security_class(vp->v_type); 
@@ -545,81 +527,40 @@ } static void -sebsd_cred_label_init(struct label *label) +sebsd_label_init(struct label *label) { - struct task_security_struct *new_tsec; + struct sebsd_label *new; - new_tsec = mac_zalloc(task_security_zone, M_WAITOK); - new_tsec->osid = new_tsec->sid = SECINITSID_UNLABELED; - SLOT(label) = new_tsec; + new = mac_zalloc(sebsd_label_zone, M_WAITOK); + new->sid = new->task_sid = SECINITSID_UNLABELED; + new->sclass = 0; + SLOT(label) = new; } -static void -sebsd_cred_label_destroy(struct label *label) -{ - - mac_zfree(task_security_zone, SLOT(label)); - SLOT(label) = NULL; -} - -static void -sebsd_file_label_init(struct label *label) -{ - struct file_security_struct *fsec; - - fsec = sebsd_malloc(sizeof(*fsec), M_SEBSD, M_ZERO | M_WAITOK); - fsec->sid = SECINITSID_UNLABELED; - SLOT(label) = fsec; -} - -static void -sebsd_mount_label_init(struct label *label) -{ - struct mount_security_struct *sbsec; - - sbsec = sebsd_malloc(sizeof(*sbsec), M_SEBSD, M_ZERO | M_WAITOK); - sbsec->sid = SECINITSID_UNLABELED; - SLOT(label) = sbsec; -} - static int -sebsd_init_network_label_waitcheck(struct label *label, int flag) +sebsd_label_init2(struct label *label, int flag) { - struct network_security_struct *new; + struct sebsd_label *new; - new = mac_zalloc(network_security_zone, flag); - if (new == NULL) { - SLOT(label) = NULL; - return (ENOMEM); + new = mac_zalloc(sebsd_label_zone, flag); + if (new != NULL) { + new->sid = new->task_sid = SECINITSID_UNLABELED; + new->sclass = 0; } - - new->sid = new->task_sid = SECINITSID_UNLABELED; SLOT(label) = new; - return (0); + return (new ? 
0 : ENOMEM); } static void -sebsd_destroy_network_label(struct label *label) +sebsd_label_destroy(struct label *label) { - mac_zfree(network_security_zone, SLOT(label)); + mac_zfree(sebsd_label_zone, SLOT(label)); SLOT(label) = NULL; } static void -sebsd_vnode_label_init(struct label *label) -{ - struct vnode_security_struct *vsec; - - vsec = mac_zalloc(vnode_security_zone, M_WAITOK); - vsec->sid = SECINITSID_UNLABELED; - vsec->task_sid = SECINITSID_UNLABELED; - vsec->sclass = 0; - SLOT(label) = vsec; -} - -static void sebsd_vnode_label_recycle(struct label *label) { struct vnode_security_struct *vsec; @@ -631,41 +572,6 @@ } static void -sebsd_vnode_label_destroy(struct label *label) -{ - - mac_zfree(vnode_security_zone, SLOT(label)); - SLOT(label) = NULL; -} - -static void -sebsd_ipc_label_init(struct label *label) -{ - struct ipc_security_struct *new; - - new = mac_zalloc(ipc_security_zone, M_WAITOK); - new->sid = SECINITSID_UNLABELED; - new->sclass = 0; - SLOT(label) = new; -} - -static void -sebsd_ipc_label_destroy(struct label *label) -{ - - mac_zfree(ipc_security_zone, SLOT(label)); - SLOT(label) = NULL; -} - -static void -sebsd_label_destroy(struct label *label) -{ - - sebsd_free(SLOT(label), M_SEBSD); - SLOT(label) = NULL; -} - -static void sebsd_cred_label_update(struct ucred *cred, struct label *newlabel) { /* @@ -948,7 +854,7 @@ static void -sebsd_cred_create(struct ucred *cred_parent, struct ucred *cred_child) +sebsd_cred_label_associate(struct ucred *cred_parent, struct ucred *cred_child) { int rc; struct task_security_struct *parent, *task; @@ -1210,7 +1116,7 @@ } static void -sebsd_create_kernel_proc(struct ucred *cred) +sebsd_cred_label_associate_kproc(struct ucred *cred) { struct task_security_struct *task; 
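Review bot: Both sebsd_label_init and sebsd_label_init2 leave one field of the new struct unset: they assign sid, task_sid (osid) and sclass, but struct sebsd_label as introduced in sebsd_labels.h in this change also carries `behavior`. The mount and file labels these initializers now back were previously obtained from `sebsd_malloc(..., M_ZERO | M_WAITOK)`, so every byte started at zero; unless mac_zalloc zeroes what it returns (not shown here), a mount label examined before sebsd_mount_label_associate stores sbsec->behavior carries whatever the zone memory last held. Add `new->behavior = 0;` after the sclass assignment in both functions, or clear the whole struct before setting the SIDs. sebsd_vnode_label_recycle begins at the end of this hunk and its body lies outside it.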
@@ -1231,75 +1137,40 @@ struct label *mntlabel) { struct mount_security_struct *sbsec; - int behavior, rc; + unsigned int behavior; + int error; /* * Update the mount label based on the policy. */ sbsec = SLOT(mntlabel); - rc = security_fs_use(mp->mnt_vfsstat.f_fstypename, &behavior, &sbsec->sid); - if (rc) { + error = security_fs_use(mp->mnt_vfsstat.f_fstypename, &behavior, + &sbsec->sid); + if (error) { sebsd_log("%s: security_fs_use(%s) returned %d", - __func__, mp->mnt_vfsstat.f_fstypename, rc); + __func__, mp->mnt_vfsstat.f_fstypename, error); behavior = SECURITY_FS_USE_NONE; } else if (sebsd_verbose > 1) { - sebsd_log("%s: security_fs_use(%s) behavior %d, sid %d", + sebsd_log("%s: security_fs_use(%s) behavior %u, sid %d", __func__, mp->mnt_vfsstat.f_fstypename, behavior, sbsec->sid); } switch (behavior) { case SECURITY_FS_USE_XATTR: - /* - * PSIDs only work for persistent file systems with unique - * and persistent inode numbers. - */ - sbsec->uses_psids = 1; - - /* - * TBD: need to correctly label mountpoint with persistent - * label at this point (currently vnode is unavailable) - */ - - break; case SECURITY_FS_USE_TRANS: - /* - * Transition SIDs are used for pseudo filesystems like - * devpts and tmpfs where you want the SID to be derived - * from the SID of the creating process and the SID of the - * filesystem. - */ - sbsec->uses_trans = 1; - break; case SECURITY_FS_USE_TASK: - /* - * Task SIDs are used for pseudo filesystems like pipefs and - * sockfs where you want the objects to be labeled with the - * SID of the creating process. - */ - sbsec->uses_task = 1; - break; case SECURITY_FS_USE_GENFS: - /* - * genfs_contexts handles everything else, like devfs, - * usbdevfs, driverfs, and portions of proc. - */ - sbsec->uses_genfs = 1; - break; case SECURITY_FS_USE_NONE: - /* - * No labeling support configured for this filesystem type. - * Don't appear to require labeling for binfmt_misc, bdev, - * or rootfs. 
- */ break; default: sebsd_log("%s: security_fs_use(%s) returned unrecognized " - "behavior %d", __func__, mp->mnt_vfsstat.f_fstypename, + "behavior %u", __func__, mp->mnt_vfsstat.f_fstypename, behavior); behavior = SECURITY_FS_USE_NONE; break; } + sbsec->behavior = behavior; /* note: behavior 16 bits in sbsec */ } static void @@ -1898,35 +1769,21 @@ } static int -sebsd_internalize_sid(u_int32_t *sidp, char *element_name, +sebsd_label_internalize(struct label *label, char *element_name, char *element_data) { - char context[128]; /* TBD: contexts aren't fixed size */ - size_t context_len; + struct sebsd_label *lsec; + u_int32_t context_len; + + if (strcmp("sebsd", element_name) != 0) + return (EINVAL); + lsec = SLOT(label); context_len = strlen(element_data) + 1; - if (context_len >= sizeof(context)) - return (ENAMETOOLONG); - strcpy(context, element_data); - return (security_context_to_sid(context, context_len, sidp)); -} - -#define SEBSD_INTERNALIZE_LABEL(n1,n2) \ -static int sebsd_##n1##_label_internalize(struct label *label, \ - char *element_name, char *element_data) \ -{ \ - struct n2##_security_struct *lsec; \ - lsec = SLOT(label); \ - return (sebsd_internalize_sid(&lsec->sid, element_name, \ - element_data)); \ + return (security_context_to_sid(element_data, context_len, &lsec->sid)); } -SEBSD_INTERNALIZE_LABEL(cred,task) -SEBSD_INTERNALIZE_LABEL(network,network) -SEBSD_INTERNALIZE_LABEL(vnode,vnode) -SEBSD_INTERNALIZE_LABEL(mount,mount) - static void sebsd_pipe_label_update(struct ucred *cred, struct pipe *pipe, struct label *pipelabel, struct label *newlabel) 
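Review bot: The verbose sebsd_log in the mount label associate hunk still prints sbsec->sid with `%d` although sid is u_int32_t (per sebsd_labels.h in this change); the same line's behavior specifier was corrected to `%u`, so the sid should follow: `sebsd_log("%s: security_fs_use(%s) behavior %u, sid %u",`. The new `sbsec->behavior = behavior;` narrows an unsigned int into a 16-bit field, which is only safe because the switch above forces every unrecognized value to SECURITY_FS_USE_NONE (and provided the SECURITY_FS_USE_* constants themselves fit in 16 bits, which this page does not show); the trailing note would be more useful if it said so, e.g. `/* 16-bit narrowing is safe: the switch above rejected anything outside SECURITY_FS_USE_* */`. The function's signature starts above this hunk; only its body from `struct mount_security_struct *sbsec;` onward is visible.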
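Review bot: sebsd_label_internalize returns EINVAL when element_name is not "sebsd", while sebsd_label_externalize later in this change returns ENOENT for the same condition, and the per-type internalize macro it replaces made no name check at all. If the framework distinguishes "element not owned by this policy" from "malformed element", the two hooks should agree on which code means the former; which one the framework expects is not visible on this page, so pick one and use it in both, e.g. `return (ENOENT);` to match the externalize side. Separately, the 128-byte context buffer and its ENAMETOOLONG check are gone, so element_data (user-supplied label text) now reaches security_context_to_sid at whatever length the caller permits; confirm that function copes with arbitrary lengths, and note that `u_int32_t context_len` silently truncates the size_t that strlen returns.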
@@ -3000,21 +2857,22 @@ return (error); } -#define SEBSD_EXTERNALIZE_LABEL(n1,n2) \ -static int sebsd_##n1##_label_externalize(struct label *label, \ - char *element_name, struct sbuf *sb) \ -{ \ - struct n2##_security_struct *lsec; \ - \ - if (strcmp("sebsd", element_name) != 0) \ - return (ENOENT); \ - \ - lsec = SLOT(label); \ - return (sebsd_externalize_sid(lsec->sid, element_name, sb)); \ +static int +sebsd_label_externalize(struct label *label, char *element_name, + struct sbuf *sb) +{ + struct sebsd_label *lsec; + + if (strcmp("sebsd", element_name) != 0) + return (ENOENT); + + lsec = SLOT(label); + return (sebsd_externalize_sid(lsec->sid, element_name, sb)); } -static int sebsd_cred_label_externalize(struct label *label, - char *element_name, struct sbuf *sb) +static int +sebsd_cred_label_externalize(struct label *label, char *element_name, + struct sbuf *sb) { struct task_security_struct *tsec; u_int32_t sid; @@ -3029,10 +2887,6 @@ return (sebsd_externalize_sid(sid, element_name, sb)); } -SEBSD_EXTERNALIZE_LABEL(network,network) -SEBSD_EXTERNALIZE_LABEL(vnode,vnode) -SEBSD_EXTERNALIZE_LABEL(mount,mount) - static void sebsd_vnode_label_copy(struct label *src, struct label *dest) { 
@@ -3513,21 +3367,21 @@
 static struct mac_policy_ops sebsd_ops = {
 .mpo_cred_check_label_update =sebsd_cred_check_label_update,
 .mpo_cred_check_label_update_execve = sebsd_cred_check_label_update_execve,
- .mpo_cred_label_associate = sebsd_cred_create,
- .mpo_cred_label_associate_kernel = sebsd_create_kernel_proc,
- .mpo_cred_label_associate_user = sebsd_create_kernel_proc,
- .mpo_cred_label_destroy = sebsd_cred_label_destroy,
+ .mpo_cred_label_associate = sebsd_cred_label_associate,
+ .mpo_cred_label_associate_kernel = sebsd_cred_label_associate_kproc,
+ .mpo_cred_label_associate_user = sebsd_cred_label_associate_kproc,
+ .mpo_cred_label_destroy = sebsd_label_destroy,
 .mpo_cred_label_externalize = sebsd_cred_label_externalize,
 .mpo_cred_label_externalize_audit = sebsd_cred_label_externalize,
- .mpo_cred_label_init = sebsd_cred_label_init,
- .mpo_cred_label_internalize = sebsd_cred_label_internalize,
+ .mpo_cred_label_init = sebsd_label_init,
+ .mpo_cred_label_internalize = sebsd_label_internalize,
 .mpo_cred_label_update = sebsd_cred_label_update,
 .mpo_cred_label_update_execve = sebsd_cred_label_update_execve,
 .mpo_devfs_label_associate_device = sebsd_devfs_label_associate_device,
 .mpo_devfs_label_associate_directory = sebsd_devfs_label_associate_directory,
 .mpo_devfs_label_copy = sebsd_vnode_label_copy,
- .mpo_devfs_label_destroy = sebsd_vnode_label_destroy,
- .mpo_devfs_label_init = sebsd_vnode_label_init,
+ .mpo_devfs_label_destroy = sebsd_label_destroy,
+ .mpo_devfs_label_init = sebsd_label_init,
 .mpo_devfs_label_update = sebsd_devfs_update,
 .mpo_file_check_change_offset = sebsd_file_check_change_offset,
 .mpo_file_check_dup = sebsd_file_check_dup,
@@ -3540,11 +3394,11 @@
 .mpo_file_check_receive = sebsd_file_check_receive,
 .mpo_file_label_associate = sebsd_file_label_associate,
 .mpo_file_label_destroy = sebsd_label_destroy,
- .mpo_file_label_init = sebsd_file_label_init,
+ .mpo_file_label_init = sebsd_label_init,
 .mpo_mbuf_label_associate_socket = sebsd_mbuf_label_associate_socket,
 .mpo_mbuf_label_copy = copy_network_label,
- .mpo_mbuf_label_destroy = sebsd_destroy_network_label,
- .mpo_mbuf_label_init = sebsd_init_network_label_waitcheck,
+ .mpo_mbuf_label_destroy = sebsd_label_destroy,
+ .mpo_mbuf_label_init = sebsd_label_init2,
 .mpo_mount_check_getattr = sebsd_mount_check_getattr,
 .mpo_mount_check_label_update = sebsd_mount_check_label_update,
 .mpo_mount_check_mount = sebsd_mount_check_mount,
@@ -3556,9 +3410,9 @@
 .mpo_mount_check_umount = sebsd_mount_check_umount,
 .mpo_mount_label_associate = sebsd_mount_label_associate,
 .mpo_mount_label_destroy = sebsd_label_destroy,
- .mpo_mount_label_externalize = sebsd_mount_label_externalize,
- .mpo_mount_label_init = sebsd_mount_label_init,
- .mpo_mount_label_internalize = sebsd_mount_label_internalize,
+ .mpo_mount_label_externalize = sebsd_label_externalize,
+ .mpo_mount_label_init = sebsd_label_init,
+ .mpo_mount_label_internalize = sebsd_label_internalize,
 .mpo_pipe_check_ioctl = sebsd_pipe_check_ioctl,
 .mpo_pipe_check_label_update = sebsd_pipe_check_label_update,
 .mpo_pipe_check_read = sebsd_pipe_check_read,
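Review bot: The unchanged context lines `.mpo_file_label_destroy = sebsd_label_destroy,` and `.mpo_mount_label_destroy = sebsd_label_destroy,` in these two hunks now bind to a different function: before this change sebsd_label_destroy released the slot with sebsd_free(M_SEBSD), and after it the name belongs to the zone-free routine (the old body is deleted in the @@ -631 hunk, the new one is the renamed sebsd_destroy_network_label). That is consistent with the file and mount init hooks moving to sebsd_label_init here, but any label type still allocated through sebsd_malloc and destroyed through this name would be handed to the wrong allocator, so it is worth checking that no such allocation remains outside the hunks shown. Reusing a name for a function with different deallocation semantics is what hides the rebinding; a fresh name such as sebsd_label_zfree would have made every affected entry appear in the diff.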
@@ -3566,10 +3420,10 @@
 .mpo_pipe_check_write = sebsd_pipe_check_write,
 .mpo_pipe_label_associate = sebsd_pipe_label_associate,
 .mpo_pipe_label_copy = sebsd_vnode_label_copy,
- .mpo_pipe_label_destroy = sebsd_vnode_label_destroy,
- .mpo_pipe_label_externalize = sebsd_vnode_label_externalize,
- .mpo_pipe_label_init = sebsd_vnode_label_init,
- .mpo_pipe_label_internalize = sebsd_vnode_label_internalize,
+ .mpo_pipe_label_destroy = sebsd_label_destroy,
+ .mpo_pipe_label_externalize = sebsd_label_externalize,
+ .mpo_pipe_label_init = sebsd_label_init,
+ .mpo_pipe_label_internalize = sebsd_label_internalize,
 .mpo_pipe_label_update = sebsd_pipe_label_update,
 .mpo_policy_destroy = sebsd_policy_destroy,
 .mpo_policy_init = sebsd_policy_init,
@@ -3593,8 +3447,8 @@
 .mpo_port_label_associate_kernel = sebsd_port_label_associate_kernel,
 .mpo_port_label_compute = sebsd_request_label,
 .mpo_port_label_copy = sebsd_task_label_copy,
- .mpo_port_label_destroy = sebsd_cred_label_destroy,
- .mpo_port_label_init = sebsd_cred_label_init,
+ .mpo_port_label_destroy = sebsd_label_destroy,
+ .mpo_port_label_init = sebsd_label_init,
 .mpo_port_label_update_cred = sebsd_port_label_update_cred,
 .mpo_posixsem_check_create = sebsd_posixsem_check_create,
 .mpo_posixsem_check_open = sebsd_posixsem_check_open,
@@ -3602,8 +3456,8 @@
 .mpo_posixsem_check_unlink = sebsd_posixsem_check_unlink,
 .mpo_posixsem_check_wait = sebsd_posixsem_check_wait,
 .mpo_posixsem_label_associate = sebsd_posixsem_label_associate,
- .mpo_posixsem_label_destroy = sebsd_ipc_label_destroy,
- .mpo_posixsem_label_init = sebsd_ipc_label_init,
+ .mpo_posixsem_label_destroy = sebsd_label_destroy,
+ .mpo_posixsem_label_init = sebsd_label_init,
 .mpo_posixshm_check_create = sebsd_posixshm_check_create,
 .mpo_posixshm_check_mmap = sebsd_posixshm_check_mmap,
 .mpo_posixshm_check_open = sebsd_posixshm_check_open,
@@ -3611,8 +3465,8 @@
 .mpo_posixshm_check_truncate = sebsd_posixshm_check_truncate,
 .mpo_posixshm_check_unlink = sebsd_posixshm_check_unlink,
 .mpo_posixshm_label_associate = sebsd_posixshm_label_associate,
- .mpo_posixshm_label_destroy = sebsd_ipc_label_destroy,
- .mpo_posixshm_label_init = sebsd_ipc_label_init,
+ .mpo_posixshm_label_destroy = sebsd_label_destroy,
+ .mpo_posixshm_label_init = sebsd_label_init,
 .mpo_proc_check_debug = sebsd_proc_check_debug,
 .mpo_proc_check_getaudit = sebsd_proc_check_getaudit,
 .mpo_proc_check_mprotect = sebsd_proc_check_mprotect,
@@ -3633,16 +3487,16 @@
 .mpo_socket_label_associate = sebsd_socket_label_associate,
 .mpo_socket_label_associate_accept = sebsd_socket_label_associate_accept,
 .mpo_socket_label_copy = copy_network_label,
- .mpo_socket_label_destroy = sebsd_destroy_network_label,
- .mpo_socket_label_externalize = sebsd_network_label_externalize,
- .mpo_socket_label_init = sebsd_init_network_label_waitcheck,
- .mpo_socket_label_internalize = sebsd_network_label_internalize,
+ .mpo_socket_label_destroy = sebsd_label_destroy,
+ .mpo_socket_label_externalize = sebsd_label_externalize,
+ .mpo_socket_label_init = sebsd_label_init2,
+ .mpo_socket_label_internalize = sebsd_label_internalize,
 .mpo_socket_label_update = sebsd_socket_label_update,
 .mpo_socketpeer_label_associate_mbuf = sebsd_socketpeer_label_associate_mbuf,
 .mpo_socketpeer_label_associate_socket = sebsd_socketpeer_label_associate_socket,
- .mpo_socketpeer_label_destroy = sebsd_destroy_network_label,
- .mpo_socketpeer_label_externalize = sebsd_network_label_externalize,
- .mpo_socketpeer_label_init = sebsd_init_network_label_waitcheck,
+ .mpo_socketpeer_label_destroy = sebsd_label_destroy,
+ .mpo_socketpeer_label_externalize = sebsd_label_externalize,
+ .mpo_socketpeer_label_init = sebsd_label_init2,
 .mpo_system_check_acct = sebsd_system_check_acct,
 .mpo_system_check_audit = sebsd_system_check_audit,
 .mpo_system_check_auditctl = sebsd_system_check_auditctl,
@@ -3653,8 +3507,8 @@
 .mpo_system_check_swapoff = sebsd_system_check_swapon,
 .mpo_system_check_swapon = sebsd_system_check_swapon,
 .mpo_sysvmsg_label_associate = sebsd_sysvmsg_label_associate,
- .mpo_sysvmsg_label_destroy = sebsd_ipc_label_destroy,
- .mpo_sysvmsg_label_init = sebsd_ipc_label_init,
+ .mpo_sysvmsg_label_destroy = sebsd_label_destroy,
+ .mpo_sysvmsg_label_init = sebsd_label_init,
 .mpo_sysvmsg_label_recycle = sebsd_sysv_label_recycle,
 .mpo_sysvmsq_check_enqueue = sebsd_sysvmsq_check_enqueue,
 .mpo_sysvmsq_check_msgrcv = sebsd_sysvmsq_check_msgrcv,
@@ -3663,31 +3517,31 @@
 .mpo_sysvmsq_check_msqrcv = sebsd_sysvmsq_check_msqrcv,
 .mpo_sysvmsq_check_msqsnd = sebsd_sysvmsq_check_msqsnd,
 .mpo_sysvmsq_label_associate = sebsd_sysvmsq_label_associate,
- .mpo_sysvmsq_label_destroy = sebsd_ipc_label_destroy,
- .mpo_sysvmsq_label_init = sebsd_ipc_label_init,
+ .mpo_sysvmsq_label_destroy = sebsd_label_destroy,
+ .mpo_sysvmsq_label_init = sebsd_label_init,
 .mpo_sysvmsq_label_recycle = sebsd_sysv_label_recycle,
 .mpo_sysvsem_check_semctl = sebsd_sysvsem_check_semctl,
 .mpo_sysvsem_check_semget = sebsd_sysvsem_check_semget,
 .mpo_sysvsem_check_semop = sebsd_sysvsem_check_semop,
 .mpo_sysvsem_label_associate = sebsd_sysvsem_label_associate,
- .mpo_sysvsem_label_destroy = sebsd_ipc_label_destroy,
- .mpo_sysvsem_label_init = sebsd_ipc_label_init,
+ .mpo_sysvsem_label_destroy = sebsd_label_destroy,
+ .mpo_sysvsem_label_init = sebsd_label_init,
 .mpo_sysvsem_label_recycle = sebsd_sysv_label_recycle,
 .mpo_sysvshm_check_shmat = sebsd_sysvshm_check_shmat,
 .mpo_sysvshm_check_shmctl = sebsd_sysvshm_check_shmctl,
 .mpo_sysvshm_check_shmget = sebsd_sysvshm_check_shmget,
 .mpo_sysvshm_label_associate = sebsd_sysvshm_label_associate,
- .mpo_sysvshm_label_destroy = sebsd_ipc_label_destroy,
- .mpo_sysvshm_label_init = sebsd_ipc_label_init,
+ .mpo_sysvshm_label_destroy = sebsd_label_destroy,
+ .mpo_sysvshm_label_init = sebsd_label_init,
 .mpo_sysvshm_label_recycle = sebsd_sysv_label_recycle,
 .mpo_task_check_get_port = sebsd_task_check_get_port,
 .mpo_task_label_associate = sebsd_task_create,
 .mpo_task_label_associate_kernel = sebsd_task_create_kernel,
 .mpo_task_label_copy = sebsd_task_label_copy,
- .mpo_task_label_destroy = sebsd_cred_label_destroy,
- .mpo_task_label_externalize = sebsd_cred_label_externalize,
- .mpo_task_label_init = sebsd_cred_label_init,
- .mpo_task_label_internalize = sebsd_cred_label_internalize,
+ .mpo_task_label_destroy = sebsd_label_destroy,
+ .mpo_task_label_externalize = sebsd_label_externalize,
+ .mpo_task_label_init = 
sebsd_label_init,
+ .mpo_task_label_internalize = sebsd_label_internalize,
 .mpo_task_label_update = sebsd_task_label_update,
 .mpo_thread_userret = sebsd_thread_userret,
 .mpo_vnode_check_access = sebsd_vnode_check_access,
@@ -3728,11 +3582,11 @@
 .mpo_vnode_label_associate_singlelabel = sebsd_vnode_label_associate_singlelabel,
 .mpo_vnode_label_associate_socket = sebsd_vnode_label_associate_socket,
 .mpo_vnode_label_copy = sebsd_vnode_label_copy,
- .mpo_vnode_label_destroy = sebsd_vnode_label_destroy,
- .mpo_vnode_label_externalize = sebsd_vnode_label_externalize,
- .mpo_vnode_label_externalize_audit = sebsd_vnode_label_externalize,
- .mpo_vnode_label_init = sebsd_vnode_label_init,
- .mpo_vnode_label_internalize = sebsd_vnode_label_internalize,
+ .mpo_vnode_label_destroy = sebsd_label_destroy,
+ .mpo_vnode_label_externalize = sebsd_label_externalize,
+ .mpo_vnode_label_externalize_audit = sebsd_label_externalize,
+ .mpo_vnode_label_init = sebsd_label_init,
+ .mpo_vnode_label_internalize = sebsd_label_internalize,
 .mpo_vnode_label_recycle = sebsd_vnode_label_recycle,
 .mpo_vnode_label_store = sebsd_vnode_label_store,
 .mpo_vnode_label_update = sebsd_vnode_label_update,
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd_labels.h#5 (text+ko) ====
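Review bot: In the @@ -3663 hunk `.mpo_task_label_externalize` moves from sebsd_cred_label_externalize to the generic sebsd_label_externalize, while `.mpo_cred_label_externalize` (context in the @@ -3513 hunk) stays on sebsd_cred_label_externalize. Before this change task and cred labels shared one externalizer; sebsd_cred_label_externalize, whose body is cut off in the @@ -3000 hunk, declares a separate `u_int32_t sid` local, which suggests it derives the exported SID rather than emitting lsec->sid directly, so task labels may now externalize differently from the creds that carry the same struct. If that divergence is intended, a one-line comment on the task entry, e.g. `/* task labels export the raw sid; creds go through sebsd_cred_label_externalize */`, would spare the next reader the same question; if not, the task entry should stay on sebsd_cred_label_externalize.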
@@ -41,47 +41,19 @@
 #ifndef _SYS_SECURITY_SEBSD_LABELS_H
 #define _SYS_SECURITY_SEBSD_LABELS_H
 
-struct task_security_struct {
- u_int32_t osid;
+struct sebsd_label {
+ u_int32_t osid; /* task_sid for all but task_security_struct */
 u_int32_t sid;
-#ifdef notyet
- u_int32_t exec_sid; /* exec SID */
- u_int32_t create_sid; /* fscreate SID */
-#endif
+ u_int16_t sclass; /* only used for vnode and ipc */
+ u_int16_t behavior; /* only used for mount */
 };
+#define task_sid osid
 
-struct file_security_struct {
- u_int32_t sid;
-};
-
-struct vnode_security_struct {
- u_int32_t task_sid;
- u_int32_t sid;
- u_int16_t sclass;
-};
+#define task_security_struct sebsd_label
+#define file_security_struct sebsd_label
+#define vnode_security_struct sebsd_label
+#define network_security_struct sebsd_label
+#define ipc_security_struct sebsd_label
+#define mount_security_struct sebsd_label
 
-struct network_security_struct {
- u_int32_t sid;
- u_int32_t task_sid;
-};
-
-struct ipc_security_struct {
- u_int32_t sid;
- u_int16_t sclass;
-};
-
-struct mount_security_struct {
- u_int32_t sid; /* SID of file system */
-#ifndef __FreeBSD__
- struct psidtab *psidtab; /* persistent SID mapping */
-#endif
- unsigned char uses_psids; /* uses persistent SID flag */
-#ifndef __FreeBSD__
- unsigned char initialized; /* initialization flag */
-#endif
- unsigned char uses_task; /* use creating task SID for inodes */
- unsigned char uses_genfs; /* use security_genfs_sid for inodes */
- unsigned char proc; /* call procfs_set_sid */
- unsigned char uses_trans; /* call security_transition_sid */
-};
 #endif /* _SYS_SECURITY_SEBSD_LABELS_H */
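Review bot: `#define task_sid osid` is an object-like macro, so every token spelled task_sid in any translation unit that includes sebsd_labels.h is rewritten to osid, not only the member accesses this is meant to alias; a local, a parameter, or a member of some unrelated struct named task_sid would be silently renamed as well, and the compiler will not say so. The six struct-tag macros below it carry a much smaller version of that risk and the description already calls them temporary, but the member alias does not need the preprocessor at all: replace the osid line with `union { u_int32_t osid; u_int32_t task_sid; };` and drop the macro (anonymous unions are a long-standing extension in kernel compilers before they became C11; confirm the sedarwin toolchain accepts them). If the macro has to stay for now, at least give it a comment stating that it rewrites every identifier, so nobody introduces a task_sid local elsewhere while it exists.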