From owner-p4-projects@FreeBSD.ORG Tue Nov 14 18:25:56 2006 Return-Path: X-Original-To: p4-projects@freebsd.org Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id E30E516A492; Tue, 14 Nov 2006 18:25:55 +0000 (UTC) X-Original-To: perforce@freebsd.org Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A28D816A412 for ; Tue, 14 Nov 2006 18:25:55 +0000 (UTC) (envelope-from millert@freebsd.org) Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0366043D76 for ; Tue, 14 Nov 2006 18:25:39 +0000 (GMT) (envelope-from millert@freebsd.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.13.6/8.13.6) with ESMTP id kAEIPc8B006124 for ; Tue, 14 Nov 2006 18:25:38 GMT (envelope-from millert@freebsd.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.13.6/8.13.4/Submit) id kAEIPc5n006115 for perforce@freebsd.org; Tue, 14 Nov 2006 18:25:38 GMT (envelope-from millert@freebsd.org) Date: Tue, 14 Nov 2006 18:25:38 GMT Message-Id: <200611141825.kAEIPc5n006115@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to millert@freebsd.org using -f 
From: Todd Miller To: Perforce Change Reviews Cc: Subject: PERFORCE change 109948 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 14 Nov 2006 18:25:56 -0000 http://perforce.freebsd.org/chv.cgi?CH=109948 Change 109948 by millert@millert_g5tower on 2006/11/14 18:25:35 Add vfs_truncate entrypoint. Remove mac_enforce_XXX toggles. Remove lock assertions from FreeBSD that were #defined away. Add MPC_LOADTIME_FLAG_NOTLATE to policy load flags where appropriate. Affected files ... .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/vfs/vfs_syscalls.c#12 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_base.c#20 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_framework.h#11 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_internal.h#9 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_pipe.c#7 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_policy.h#19 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_posix_sem.c#5 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_posix_shm.c#5 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_process.c#10 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_socket.c#7 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_system.c#3 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_sysv_msg.c#6 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_sysv_sem.c#5 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_sysv_shm.c#5 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_vfs.c#14 edit .. //depot/projects/trustedbsd/sedarwin8/policies/color/mac_color.c#9 edit .. 
//depot/projects/trustedbsd/sedarwin8/policies/console/mac_console.c#8 edit .. //depot/projects/trustedbsd/sedarwin8/policies/count/mac_count.c#5 edit .. //depot/projects/trustedbsd/sedarwin8/policies/device_access/mac_device_access.c#4 edit .. //depot/projects/trustedbsd/sedarwin8/policies/mls/mac_mls.c#17 edit .. //depot/projects/trustedbsd/sedarwin8/policies/multilabel/multilabel.c#6 edit .. //depot/projects/trustedbsd/sedarwin8/policies/none/mac_none.c#4 edit .. //depot/projects/trustedbsd/sedarwin8/policies/readonly/mac_readonly.c#6 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#32 edit .. //depot/projects/trustedbsd/sedarwin8/policies/stacktrace/module/mac_stacktrace.c#6 edit .. //depot/projects/trustedbsd/sedarwin8/policies/stub/mac_stub.c#3 edit .. //depot/projects/trustedbsd/sedarwin8/policies/test/mac_test.c#15 edit .. //depot/projects/trustedbsd/sedarwin8/policies/vanity/vanity.c#6 edit Differences ... ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/vfs/vfs_syscalls.c#12 (text+ko) ==== @@ -3596,7 +3596,7 @@ VATTR_SET(&va, va_data_size, uap->length); #ifdef MAC - error = mac_vnode_check_write(vfs_context_ucred(&context), NOCRED, vp); + error = mac_vnode_check_truncate(vfs_context_ucred(&context), NOCRED, vp); if (error) goto out; #endif @@ -3663,7 +3663,7 @@ AUDIT_ARG(vnpath, vp, ARG_VNODE1); #ifdef MAC - error = mac_vnode_check_write(vfs_context_ucred(&context), + error = mac_vnode_check_truncate(vfs_context_ucred(&context), fp->f_fglob->fg_cred, vp); if (error) { (void)vnode_put(vp); ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_base.c#20 (text+ko) ==== 
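Review bot: Replacing mac_vnode_check_write with mac_vnode_check_truncate in both truncate() and ftruncate() means a policy that mediates vnode_check_write but has not implemented the new hook silently stops mediating truncation, because MAC_CHECK only consults policies that define the entry point. Truncation discards file contents, so for an integrity policy it is a write in everything but name; every policy in the affected list that implements mpo_vnode_check_write should gain a matching mpo_vnode_check_truncate (typically pointing at the same handler), and the policy hunks are truncated here so that cannot be confirmed. A comment above each call would make the intent explicit, `/* Truncate is mediated separately from write; policies must implement both hooks. */`. Note that ftruncate() passes `fp->f_fglob->fg_cred` as file_cred while truncate() passes NOCRED, so the hook must tolerate a NULL file_cred. Both enclosing functions start and end outside these hunks.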
@@ -116,36 +116,10 @@ static int mac_labelmbufs = 0; #endif -int mac_enforce_fs = 1; -SYSCTL_INT(_security_mac, OID_AUTO, enforce_fs, CTLFLAG_RW, - &mac_enforce_fs, 0, "Enforce MAC policy on file system objects"); -TUNABLE_INT("security.mac.enforce_fs", &mac_enforce_fs); - -int mac_enforce_process = 1; -SYSCTL_INT(_security_mac, OID_AUTO, enforce_process, CTLFLAG_RW, - &mac_enforce_process, 0, "Enforce MAC policy on inter-process operations"); -TUNABLE_INT("security.mac.enforce_process", &mac_enforce_process); - -int mac_enforce_socket = 1; -SYSCTL_INT(_security_mac, OID_AUTO, enforce_socket, CTLFLAG_RW, - &mac_enforce_socket, 1, "Enforce MAC policy on sockets"); -TUNABLE_INT("security.mac.enforce_socket", &mac_enforce_socket); - extern int mac_label_mbufs; SYSCTL_INT(_security_mac, OID_AUTO, label_mbufs, CTLFLAG_RW, &mac_label_mbufs, 1, "Label all MBUFs"); -TUNABLE_INT("security.mac.label_mbufs", &mac_label_mbufs); -int mac_enforce_system = 1; -SYSCTL_INT(_security_mac, OID_AUTO, enforce_system, CTLFLAG_RW, - &mac_enforce_system, 0, "Enforce MAC policy on system operations"); -TUNABLE_INT("security.mac.enforce_system", &mac_enforce_system); - -int mac_enforce_vm = 1; -SYSCTL_INT(_security_mac, OID_AUTO, enforce_vm, CTLFLAG_RW, - &mac_enforce_vm, 0, "Enforce MAC policy on vm operations"); -TUNABLE_INT("security.mac.enforce_vm", &mac_enforce_vm); - int mac_mmap_revocation = 1; SYSCTL_INT(_security_mac, OID_AUTO, mmap_revocation, CTLFLAG_RW, &mac_mmap_revocation, 0, "Revoke mmap access to files on subject " @@ -328,8 +302,6 @@ static __inline void mac_policy_grab_exclusive(void) { - WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL, - "mac_policy_grab_exclusive() at %s:%d", __FILE__, __LINE__); mutex_lock(mac_policy_mtx); while (mac_policy_busy != 0) cv_wait(&mac_policy_cv, mac_policy_mtx); 
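Review bot: Dropping the WITNESS_WARN from mac_policy_grab_exclusive() removes the only in-code statement that this function may sleep; the `cv_wait(&mac_policy_cv, mac_policy_mtx)` loop that follows still blocks until mac_policy_busy drains. A comment above `mutex_lock(mac_policy_mtx);` would preserve the contract for callers: `/* May sleep in cv_wait() until all readers release the policy list; caller must be in a sleepable context. */`. The first hunk on this line removes the root-writable security.mac.enforce_* sysctls, and with them the ability to switch enforcement off at run time without unloading a policy; a short note at the top of mac_base.c saying that enforcement is now unconditional would explain why only label_mbufs and the mmap_revocation knobs remain. The body of mac_policy_grab_exclusive() continues past the hunk.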
@@ -471,12 +443,7 @@ sysctl_register_oid(&sysctl__security); sysctl_register_oid(&sysctl__security_mac); sysctl_register_oid(&sysctl__security_mac_max_slots); - sysctl_register_oid(&sysctl__security_mac_enforce_fs); - sysctl_register_oid(&sysctl__security_mac_enforce_process); - sysctl_register_oid(&sysctl__security_mac_enforce_system); - sysctl_register_oid(&sysctl__security_mac_enforce_socket); sysctl_register_oid(&sysctl__security_mac_label_mbufs); - sysctl_register_oid(&sysctl__security_mac_enforce_vm); sysctl_register_oid(&sysctl__security_mac_mmap_revocation); sysctl_register_oid(&sysctl__security_mac_mmap_revocation_via_cow); printf("MAC Framework successfully initialized\n"); ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_framework.h#11 (text+ko) ==== @@ -441,6 +441,8 @@ struct timespec atime, struct timespec mtime); int mac_vnode_check_stat(struct ucred *active_cred, struct ucred *file_cred, struct vnode *vp); +int mac_vnode_check_truncate(struct ucred *active_cred, + struct ucred *file_cred, struct vnode *vp); int mac_vnode_check_write(struct ucred *active_cred, struct ucred *file_cred, struct vnode *vp); ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_internal.h#9 (text+ko) ==== @@ -382,15 +382,8 @@ } while (0) /* Darwin */ - -#define TUNABLE_INT(x, y) -#define WITNESS_WARN(x, y, z, ...) #define mtx_assert(x, y) #define MA_OWNED -#define PROC_LOCK_ASSERT(x, y) -#define M_ASSERTPKTHDR(x) - -#define ASSERT_VOP_LOCKED(vp,msg) struct __mac_get_pid_args; struct __mac_get_proc_args; ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_pipe.c#7 (text+ko) ==== 
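Review bot: `#define mtx_assert(x, y)` and `#define MA_OWNED` survive the mac_internal.h hunk as empty stubs, which is the same compiled-away assertion pattern the commit message says it is removing. If no remaining Darwin caller uses mtx_assert (this change removes the PROC_LOCK_ASSERT uses of MA_OWNED in mac_process.c, but mac_vfs.c and the policies are truncated here, so it cannot be confirmed), both defines should go too; otherwise mark them so a reader does not take them for live checks, `/* Darwin: no mtx_assert equivalent; these compile away. */`. The bare `/* Darwin */` heading above the remaining stubs could also say what the section is, e.g. `/* Darwin compatibility stubs for FreeBSD kernel macros */`.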
@@ -44,14 +44,6 @@ #include -static int mac_enforce_pipe = 1; -SYSCTL_INT(_security_mac, OID_AUTO, enforce_pipe, CTLFLAG_RW, - &mac_enforce_pipe, 0, "Enforce MAC policy on pipe operations"); -TUNABLE_INT("security.mac.enforce_pipe", &mac_enforce_pipe); - -/* Define this to PIPE_LOCK_ASSERT(x, y) if mutex assertions are desired. */ -#define MAC_PIPE_LOCK_ASSERT(x, y) - struct label * mac_pipe_label_alloc(void) { @@ -126,11 +118,6 @@ { int error; - MAC_PIPE_LOCK_ASSERT(cpipe, LCK_MTX_ASSERT_OWNED); - - if (!mac_enforce_pipe) - return (0); - MAC_CHECK(pipe_check_kqfilter, cred, kn, cpipe, cpipe->pipe_label); return (error); } @@ -140,11 +127,6 @@ { int error; - MAC_PIPE_LOCK_ASSERT(cpipe, LCK_MTX_ASSERT_OWNED); - - if (!mac_enforce_pipe) - return (0); - MAC_CHECK(pipe_check_ioctl, cred, cpipe, cpipe->pipe_label, cmd, data); return (error); @@ -155,11 +137,6 @@ { int error; - MAC_PIPE_LOCK_ASSERT(cpipe, LCK_MTX_ASSERT_OWNED); - - if (!mac_enforce_pipe) - return (0); - MAC_CHECK(pipe_check_read, cred, cpipe, cpipe->pipe_label); return (error); @@ -171,11 +148,6 @@ { int error; - MAC_PIPE_LOCK_ASSERT(cpipe, LCK_MTX_ASSERT_OWNED); - - if (!mac_enforce_pipe) - return (0); - MAC_CHECK(pipe_check_label_update, cred, cpipe, cpipe->pipe_label, newlabel); return (error); @@ -186,11 +158,6 @@ { int error; - MAC_PIPE_LOCK_ASSERT(cpipe, LCK_MTX_ASSERT_OWNED); - - if (!mac_enforce_pipe) - return (0); - MAC_CHECK(pipe_check_select, cred, cpipe, cpipe->pipe_label, which); return (error); @@ -201,11 +168,6 @@ { int error; - MAC_PIPE_LOCK_ASSERT(cpipe, LCK_MTX_ASSERT_OWNED); - - if (!mac_enforce_pipe) - return (0); - MAC_CHECK(pipe_check_stat, cred, cpipe, cpipe->pipe_label); return (error); @@ -216,11 +178,6 @@ { int error; - MAC_PIPE_LOCK_ASSERT(cpipe, LCK_MTX_ASSERT_OWNED); - - if (!mac_enforce_pipe) - return (0); - MAC_CHECK(pipe_check_write, cred, cpipe, cpipe->pipe_label); return (error); 
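Review bot: With MAC_PIPE_LOCK_ASSERT and its `Define this to PIPE_LOCK_ASSERT(x, y)` comment gone, nothing in mac_pipe.c records that every check hook reads `cpipe->pipe_label` and presumably relies on the caller holding the pipe lock for that read to be stable. The assertions were empty on Darwin, so no checking is lost, but the documented locking contract is; a file-level comment, `/* All mac_pipe_check_* entry points expect the caller to hold the pipe lock while cpipe->pipe_label is read. */`, keeps it visible to callers and policy authors. Whether the Darwin pipe callers actually hold the lock at these call sites is not visible here and should be confirmed before relying on it.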
@@ -232,8 +189,6 @@ { int error; - MAC_PIPE_LOCK_ASSERT(cpipe, LCK_MTX_ASSERT_OWNED); - error = mac_pipe_check_label_update(cred, cpipe, label); if (error) return (error); ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_policy.h#19 (text+ko) ==== @@ -2968,6 +2968,31 @@ ); /** + @brief Access control check for truncate/ftruncate + @param active_cred Subject credential + @param file_cred Credential associated with the struct fileproc + @param vp Object vnode + @param label Policy label for vp + + Determine whether the subject identified by the credential can + perform a truncate operation on the passed vnode. The active_cred hold + the credentials of the subject performing the operation, and + file_cred holds the credentials of the subject that originally + opened the file. + + @return Return 0 if access is granted, otherwise an appropriate value for + errno should be returned. Suggested failure: EACCES for label mismatch or + EPERM for lack of privilege. +*/ +typedef int mpo_vnode_check_truncate_t( + struct ucred *active_cred, + struct ucred *file_cred, /* NULLOK */ + struct vnode *vp, + struct label *label +); + + +/** @brief Access control check for POSIX semaphore unlink @param cred Subject credential @param ps Pointer to semaphore information structure @@ -5607,6 +5632,7 @@ mpo_vnode_check_setowner_t *mpo_vnode_check_setowner; mpo_vnode_check_setutimes_t *mpo_vnode_check_setutimes; mpo_vnode_check_stat_t *mpo_vnode_check_stat; + mpo_vnode_check_truncate_t *mpo_vnode_check_truncate; mpo_vnode_check_write_t *mpo_vnode_check_write; mpo_pipe_check_kqfilter_t *mpo_pipe_check_kqfilter; mpo_pipe_check_ioctl_t *mpo_pipe_check_ioctl; ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_posix_sem.c#5 (text+ko) ==== 
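Review bot: Inserting `mpo_vnode_check_truncate` between `mpo_vnode_check_stat` and `mpo_vnode_check_write` in struct mac_policy_ops shifts every following function pointer, so a policy module built against the previous header would have each later hook dispatched to the wrong slot; the in-tree policies are rebuilt by this change, but any out-of-tree module needs a rebuild, and it is worth confirming that the framework rejects modules compiled against an older ops layout. The new doc comment has a grammar slip, `The active_cred hold` should read `The active_cred holds`, and it should tell policy authors what the framework change implies: `A policy that mediates vnode_check_write should also implement this hook, since truncate(2) and ftruncate(2) now call vnode_check_truncate rather than vnode_check_write.` The `/* NULLOK */` on file_cred matches the NOCRED passed from truncate(2) and should stay.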
@@ -41,11 +41,6 @@ #include #include -static int mac_enforce_posix_sem = 1; -SYSCTL_INT(_security_mac, OID_AUTO, enforce_posix_sem, CTLFLAG_RW, - &mac_enforce_posix_sem, 0, "Enforce MAC policy on Posix Semaphores"); -TUNABLE_INT("security.mac.enforce_posix_sem", &mac_enforce_posix_sem); - static struct label * mac_posixsem_label_alloc(void) { @@ -92,9 +87,6 @@ { int error; - if (!mac_enforce_posix_sem) - return (0); - MAC_CHECK(posixsem_check_create, cred, name); return (error); @@ -105,9 +97,6 @@ { int error; - if (!mac_enforce_posix_sem) - return (0); - MAC_CHECK(posixsem_check_open, cred, psem, psem->psem_label); @@ -119,9 +108,6 @@ { int error; - if (!mac_enforce_posix_sem) - return (0); - MAC_CHECK(posixsem_check_post, cred, psem, psem->psem_label); return (error); @@ -133,9 +119,6 @@ { int error; - if (!mac_enforce_posix_sem) - return (0); - MAC_CHECK(posixsem_check_unlink, cred, psem, psem->psem_label, name); return (error); @@ -146,9 +129,6 @@ { int error; - if (!mac_enforce_posix_sem) - return (0); - MAC_CHECK(posixsem_check_wait, cred, psem, psem->psem_label); return (error); ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_posix_shm.c#5 (text+ko) ==== @@ -41,11 +41,6 @@ #include #include -static int mac_enforce_pshm = 1; -SYSCTL_INT(_security_mac, OID_AUTO, enforce_posix_shm, CTLFLAG_RW, - &mac_enforce_pshm, 0, "Enforce MAC policy on Posix Shared memory"); -TUNABLE_INT("security.mac.enforce_posix_shm", &mac_enforce_posix_shm); - static struct label * mac_posixshm_label_alloc(void) { @@ -92,9 +87,6 @@ { int error = 0; - if (!mac_enforce_pshm) - return 0; - MAC_CHECK(posixshm_check_create, cred, name); return error; @@ -105,9 +97,6 @@ { int error; - if (!mac_enforce_pshm) - return (0); - MAC_CHECK(posixshm_check_open, cred, shm, shm->pshm_label); return (error); @@ -119,9 +108,6 @@ { int error; - if (!mac_enforce_pshm) - return (0); - MAC_CHECK(posixshm_check_mmap, cred, shm, shm->pshm_label, prot, flags); 
@@ -133,9 +119,6 @@ { int error; - if (!mac_enforce_pshm) - return (0); - MAC_CHECK(posixshm_check_stat, cred, shm, shm->pshm_label); return (error); @@ -147,9 +130,6 @@ { int error; - if (!mac_enforce_pshm) - return (0); - MAC_CHECK(posixshm_check_truncate, cred, shm, shm->pshm_label, size); return (error); @@ -161,9 +141,6 @@ { int error; - if (!mac_enforce_pshm) - return (0); - MAC_CHECK(posixshm_check_unlink, cred, shm, shm->pshm_label, name); return (error); ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_process.c#10 (text+ko) ==== @@ -249,9 +249,6 @@ { int error; - if (!mac_enforce_process) - return (0); - MAC_CHECK(cred_check_visible, u1, u2); return (error); @@ -262,11 +259,6 @@ { int error; - PROC_LOCK_ASSERT(proc, MA_OWNED); - - if (!mac_enforce_process) - return (0); - MAC_CHECK(proc_check_debug, cred, proc); return (error); @@ -277,11 +269,6 @@ { int error; - PROC_LOCK_ASSERT(proc, MA_OWNED); - - if (!mac_enforce_process) - return (0); - MAC_CHECK(proc_check_sched, cred, proc); return (error); @@ -292,11 +279,6 @@ { int error; - PROC_LOCK_ASSERT(proc, MA_OWNED); - - if (!mac_enforce_process) - return (0); - MAC_CHECK(proc_check_signal, cred, proc, signum); return (error); @@ -307,11 +289,6 @@ { int error; - PROC_LOCK_ASSERT(proc, MA_OWNED); - - if (!mac_enforce_process) - return (0); - MAC_CHECK(proc_check_wait, cred, proc); return (error); @@ -328,9 +305,6 @@ { int error; - if (!mac_enforce_process) - return (0); - MAC_CHECK(proc_check_setlcid, p0, p, pid, lcid); return (error); } @@ -340,9 +314,6 @@ { int error; - if (!mac_enforce_process) - return (0); - MAC_CHECK(proc_check_getlcid, p0, p, pid); return (error); } ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_socket.c#7 (text+ko) ==== @@ -62,9 +62,6 @@ #include -extern int mac_enforce_socket; - - struct label * mac_socket_label_alloc(int flag) { 
@@ -205,7 +202,6 @@ { struct xsocket oldxso, newxso; - SOCK_LOCK_ASSERT(oldsocket); sotoxsocket(oldsocket, &oldxso); sotoxsocket(newsocket, &newxso); MAC_PERFORM(socket_label_associate_accept, &oldxso, oldsocket->so_label, @@ -218,7 +214,6 @@ struct label *label; struct xsocket xso; - SOCK_LOCK_ASSERT(socket); sotoxsocket(socket, &xso); label = mac_mbuf_to_label(mbuf); @@ -252,11 +247,6 @@ struct xsocket xso; int error; - SOCK_LOCK_ASSERT(so); - - if (!mac_enforce_socket) - return (0); - sotoxsocket(socket, &xso); MAC_CHECK(socket_check_accept, cred, &xso, socket->so_label); @@ -270,11 +260,6 @@ struct xsocket xso; int error; - SOCK_LOCK_ASSERT(socket); - - if (!mac_enforce_socket) - return (0); - sotoxsocket(socket, &xso); MAC_CHECK(socket_check_bind, ucred, &xso, socket->so_label, sockaddr); @@ -288,11 +273,6 @@ struct xsocket xso; int error; - SOCK_LOCK_ASSERT(socket); - - if (!mac_enforce_socket) - return (0); - sotoxsocket(socket, &xso); MAC_CHECK(socket_check_connect, cred, &xso, socket->so_label, sockaddr); @@ -305,9 +285,6 @@ { int error; - if (!mac_enforce_socket) - return (0); - MAC_CHECK(socket_check_create, cred, domain, type, protocol); return (error); @@ -320,11 +297,6 @@ struct xsocket xso; int error; - SOCK_LOCK_ASSERT(socket); - - if (!mac_enforce_socket) - return (0); - label = mac_mbuf_to_label(mbuf); /* Policy must deal with NULL label (unlabeled mbufs) */ @@ -341,11 +313,6 @@ struct xsocket xso; int error; - SOCK_LOCK_ASSERT(socket); - - if (!mac_enforce_socket) - return (0); - sotoxsocket(socket, &xso); MAC_CHECK(socket_check_kqfilter, cred, kn, &xso, socket->so_label); return (error); @@ -357,11 +324,6 @@ struct xsocket xso; int error; - SOCK_LOCK_ASSERT(socket); - - if (!mac_enforce_socket) - return (0); - sotoxsocket(socket, &xso); MAC_CHECK(socket_check_listen, cred, &xso, socket->so_label); 
@@ -374,11 +336,6 @@ struct xsocket xso; int error; - SOCK_LOCK_ASSERT(socket); - - if (!mac_enforce_socket) - return (0); - sotoxsocket(socket, &xso); MAC_CHECK(socket_check_receive, cred, &xso, socket->so_label); @@ -392,8 +349,6 @@ struct xsocket xso; int error; - SOCK_LOCK_ASSERT(socket); - sotoxsocket(socket, &xso); MAC_CHECK(socket_check_label_update, cred, &xso, socket->so_label, newlabel); @@ -407,11 +362,6 @@ struct xsocket xso; int error; - SOCK_LOCK_ASSERT(socket); - - if (!mac_enforce_socket) - return (0); - sotoxsocket(socket, &xso); MAC_CHECK(socket_check_select, cred, &xso, socket->so_label, which); @@ -424,11 +374,6 @@ struct xsocket xso; int error; - SOCK_LOCK_ASSERT(socket); - - if (!mac_enforce_socket) - return (0); - sotoxsocket(socket, &xso); MAC_CHECK(socket_check_send, cred, &xso, socket->so_label); @@ -441,11 +386,6 @@ struct xsocket xso; int error; - SOCK_LOCK_ASSERT(socket); - - if (!mac_enforce_socket) - return (0); - sotoxsocket(socket, &xso); MAC_CHECK(socket_check_stat, cred, &xso, socket->so_label); @@ -463,11 +403,6 @@ struct xsocket xso; int error; - SOCK_LOCK_ASSERT(socket); - - if (!mac_enforce_socket) - return (0); - sotoxsocket(socket, &xso); MAC_CHECK(socket_check_visible, cred, &xso, socket->so_label); ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_system.c#3 (text+ko) ==== @@ -46,13 +46,6 @@ { int error; - if (vp != NULL) { - ASSERT_VOP_LOCKED(vp, "mac_system_check_acct"); - } - - if (!mac_enforce_system) - return (0); - MAC_CHECK(system_check_acct, cred, vp, vp != NULL ? vp->v_label : NULL); @@ -64,9 +57,6 @@ { int error; - if (!mac_enforce_system) - return (0); - MAC_CHECK(system_check_nfsd, cred); return (error); @@ -77,9 +67,6 @@ { int error; - if (!mac_enforce_system) - return (0); - MAC_CHECK(system_check_reboot, cred, howto); return (error); @@ -90,9 +77,6 @@ { int error; - if (!mac_enforce_system) - return (0); - MAC_CHECK(system_check_settime, cred); return (error); 
@@ -103,11 +87,6 @@ { int error; - ASSERT_VOP_LOCKED(vp, "mac_system_check_swapon"); - - if (!mac_enforce_system) - return (0); - MAC_CHECK(system_check_swapon, cred, vp, vp->v_label); return (error); } @@ -117,11 +96,6 @@ { int error; - ASSERT_VOP_LOCKED(vp, "mac_system_check_swapoff"); - - if (!mac_enforce_system) - return (0); - MAC_CHECK(system_check_swapoff, cred, vp, vp->v_label); return (error); } @@ -136,9 +110,6 @@ * XXXMAC: We're very much like to assert the SYSCTL_LOCK here, * but since it's not exported from kern_sysctl.c, we can't. */ - if (!mac_enforce_system) - return (0); - MAC_CHECK(system_check_sysctl, cred, name, namelen, old, oldlenp, inkernel, new, newlen); ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_sysv_msg.c#6 (text+ko) ==== @@ -16,12 +16,6 @@ #include -static int mac_enforce_sysv_msg = 1; -SYSCTL_INT(_security_mac, OID_AUTO, enforce_sysv_msg, CTLFLAG_RW, - &mac_enforce_sysv_msg, 0, - "Enforce MAC policy on System V IPC Message Queues"); -TUNABLE_INT("security.mac.enforce_sysv_msg", &mac_enforce_sysv_msg); - static struct label * mac_sysv_msgmsg_label_alloc(void) { @@ -92,9 +86,6 @@ { int error; - if (!mac_enforce_sysv_msg) - return (0); - MAC_CHECK(sysvmsq_check_enqueue, cred, msgptr, msgptr->label, msqptr, msqptr->label); @@ -106,9 +97,6 @@ { int error; - if (!mac_enforce_sysv_msg) - return (0); - MAC_CHECK(sysvmsq_check_msgrcv, cred, msgptr, msgptr->label); return(error); @@ -119,9 +107,6 @@ { int error; - if (!mac_enforce_sysv_msg) - return (0); - MAC_CHECK(sysvmsq_check_msgrmid, cred, msgptr, msgptr->label); return(error); @@ -132,9 +117,6 @@ { int error; - if (!mac_enforce_sysv_msg) - return (0); - MAC_CHECK(sysvmsq_check_msqget, cred, msqptr, msqptr->label); return(error); @@ -145,9 +127,6 @@ { int error; - if (!mac_enforce_sysv_msg) - return (0); - MAC_CHECK(sysvmsq_check_msqsnd, cred, msqptr, msqptr->label); return(error); 
@@ -158,9 +137,6 @@ { int error; - if (!mac_enforce_sysv_msg) - return (0); - MAC_CHECK(sysvmsq_check_msqrcv, cred, msqptr, msqptr->label); return(error); @@ -172,9 +148,6 @@ { int error; - if (!mac_enforce_sysv_msg) - return (0); - MAC_CHECK(sysvmsq_check_msqctl, cred, msqptr, msqptr->label, cmd); return(error); ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_sysv_sem.c#5 (text+ko) ==== @@ -47,11 +47,6 @@ #include -static int mac_enforce_sysv_sem = 1; -SYSCTL_INT(_security_mac, OID_AUTO, enforce_sysv_sem, CTLFLAG_RW, - &mac_enforce_sysv_sem, 0, "Enforce MAC policy on System V IPC Semaphores"); -TUNABLE_INT("security.mac.enforce_sysv_sem", &mac_enforce_sysv_sem); - static struct label * mac_sysv_sem_label_alloc(void) { @@ -105,9 +100,6 @@ { int error; - if (!mac_enforce_sysv_sem) - return (0); - MAC_CHECK(sysvsem_check_semctl, cred, semakptr, semakptr->label, cmd); return(error); @@ -118,9 +110,6 @@ { int error; - if (!mac_enforce_sysv_sem) - return (0); - MAC_CHECK(sysvsem_check_semget, cred, semakptr, semakptr->label); return(error); @@ -132,9 +121,6 @@ { int error; - if (!mac_enforce_sysv_sem) - return (0); - MAC_CHECK(sysvsem_check_semop, cred, semakptr, semakptr->label, accesstype); ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_sysv_shm.c#5 (text+ko) ==== @@ -49,12 +49,6 @@ #include -static int mac_enforce_sysv_shm = 1; -SYSCTL_INT(_security_mac, OID_AUTO, enforce_sysv, CTLFLAG_RW, - &mac_enforce_sysv_shm, 0, - "Enforce MAC policy on System V IPC shared memory"); -TUNABLE_INT("security.mac.enforce_sysv", &mac_enforce_sysv_shm); - static struct label * mac_sysv_shm_label_alloc(void) { @@ -108,9 +102,6 @@ { int error; - if (!mac_enforce_sysv_shm) - return (0); - MAC_CHECK(sysvshm_check_shmat, cred, shmsegptr, shmsegptr->label, shmflg); @@ -123,9 +114,6 @@ { int error; - if (!mac_enforce_sysv_shm) - return (0); - MAC_CHECK(sysvshm_check_shmctl, cred, shmsegptr, shmsegptr->label, cmd); 
@@ -137,9 +125,6 @@ { int error; - if (!mac_enforce_sysv_shm) - return (0); - MAC_CHECK(sysvshm_check_shmdt, cred, shmsegptr, shmsegptr->label); return(error); @@ -151,9 +136,6 @@ { int error; - if (!mac_enforce_sysv_shm) - return (0); - MAC_CHECK(sysvshm_check_shmget, cred, shmsegptr, shmsegptr->label, shmflg); ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_vfs.c#14 (text+ko) ==== @@ -260,8 +260,6 @@ { int error; - ASSERT_VOP_LOCKED(vp, "mac_vnode_label_associate_extattr"); - MAC_CHECK(vnode_label_associate_extattr, mp, mp->mnt_mntlabel, vp, vp->v_label); @@ -282,9 +280,6 @@ { int error; - ASSERT_VOP_LOCKED(dvp, __func__); - ASSERT_VOP_LOCKED(vp, __func__); - MAC_CHECK(vnode_notify_create, cred, mp, mp->mnt_mntlabel, dvp, dvp->v_label, vp, vp->v_label, cnp); @@ -321,7 +316,6 @@ { >>> TRUNCATED FOR MAIL (1000 lines) <<<