From owner-p4-projects@FreeBSD.ORG Fri Apr 1 19:17:21 2005 Return-Path: Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 86A3316A4D0; Fri, 1 Apr 2005 19:17:20 +0000 (GMT) Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 29E6516A4CF for ; Fri, 1 Apr 2005 19:17:20 +0000 (GMT) Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0AA0F43D45 for ; Fri, 1 Apr 2005 19:17:19 +0000 (GMT) (envelope-from areisse@nailabs.com) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.13.1/8.13.1) with ESMTP id j31JHJrT074085 for ; Fri, 1 Apr 2005 19:17:19 GMT (envelope-from areisse@nailabs.com) Received: (from perforce@localhost) by repoman.freebsd.org (8.13.1/8.13.1/Submit) id j31JHIUI074082 for perforce@freebsd.org; Fri, 1 Apr 2005 19:17:18 GMT (envelope-from areisse@nailabs.com) Date: Fri, 1 Apr 2005 19:17:18 GMT Message-Id: <200504011917.j31JHIUI074082@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to areisse@nailabs.com using -f From: Andrew Reisse To: Perforce Change Reviews Subject: PERFORCE change 74303 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 01 Apr 2005 19:17:21 -0000 http://perforce.freebsd.org/chv.cgi?CH=74303 Change 74303 by areisse@areisse_ibook on 2005/04/01 19:16:38 Bring over changes made in the dsep-20050331 drop. See the readme for the major changes. Affected files ... .. //depot/projects/trustedbsd/sedarwin7/README#2 integrate .. //depot/projects/trustedbsd/sedarwin7/VERSION#2 integrate .. //depot/projects/trustedbsd/sedarwin7/src/darwin/BootX/Makefile.preamble#2 integrate .. //depot/projects/trustedbsd/sedarwin7/src/darwin/BootX/fcode-to-c.tproj/Makefile.preamble#2 integrate .. //depot/projects/trustedbsd/sedarwin7/src/darwin/BootX/macho-to-xcoff.tproj/Makefile.preamble#2 integrate .. //depot/projects/trustedbsd/sedarwin7/src/darwin/Makefile#2 integrate .. //depot/projects/trustedbsd/sedarwin7/src/darwin/etc/Makefile#2 integrate .. //depot/projects/trustedbsd/sedarwin7/src/darwin/file_cmds/Makefile#2 integrate .. //depot/projects/trustedbsd/sedarwin7/src/darwin/file_cmds/ls/ls.c#2 integrate .. //depot/projects/trustedbsd/sedarwin7/src/darwin/libmac/mac_get.c#2 integrate .. //depot/projects/trustedbsd/sedarwin7/src/darwin/libmac/mac_set.c#2 integrate .. //depot/projects/trustedbsd/sedarwin7/src/darwin/mac_cmds/Makefile#2 integrate .. //depot/projects/trustedbsd/sedarwin7/src/darwin/mac_cmds/getfmac/Makefile#2 integrate .. //depot/projects/trustedbsd/sedarwin7/src/darwin/mac_cmds/getpmac/Makefile#2 integrate .. //depot/projects/trustedbsd/sedarwin7/src/darwin/mac_cmds/mexec/Makefile#2 integrate .. //depot/projects/trustedbsd/sedarwin7/src/darwin/mac_cmds/setfsmac/Makefile#2 integrate .. //depot/projects/trustedbsd/sedarwin7/src/darwin/mac_cmds/setfsmac/sysqueue.h#2 integrate .. //depot/projects/trustedbsd/sedarwin7/src/darwin/mac_cmds/setpmac/Makefile#2 integrate .. //depot/projects/trustedbsd/sedarwin7/src/darwin/mac_cmds/setpmac/setpmac.c#2 integrate .. //depot/projects/trustedbsd/sedarwin7/src/darwin/mach_cmds/BootstrapDump.c#2 integrate .. //depot/projects/trustedbsd/sedarwin7/src/darwin/mach_cmds/mgetpmac.c#2 integrate .. //depot/projects/trustedbsd/sedarwin7/src/darwin/system_cmds/mach_init.tproj/Makefile#2 integrate .. //depot/projects/trustedbsd/sedarwin7/src/darwin/system_cmds/mach_init.tproj/bootstrap.c#2 integrate .. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/kern/kern_descrip.c#2 integrate .. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/kern/posix_sem.c#2 integrate .. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/kern/posix_shm.c#2 integrate .. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/kern/sys_socket.c#2 integrate .. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/kern/uipc_mbuf.c#2 integrate .. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/kern/uipc_socket.c#2 integrate .. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/kern/uipc_socket2.c#2 integrate .. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/kern/uipc_syscalls.c#2 integrate .. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/kern/uipc_usrreq.c#2 integrate .. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/netinet/raw_ip.c#2 integrate .. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/netinet/tcp_input.c#2 integrate .. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/netinet/tcp_output.c#2 integrate .. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/netinet/tcp_subr.c#2 integrate .. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/netinet6/esp_input.c#2 integrate .. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/netinet6/icmp6.c#2 integrate .. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/netinet6/ip6_output.c#2 integrate .. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/netinet6/ipsec.c#2 integrate .. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/netinet6/raw_ip6.c#2 integrate .. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/sys/Makefile#2 integrate .. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/sys/mac.h#2 integrate .. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/sys/mac_policy.h#2 integrate .. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/sys/mbuf.h#2 integrate .. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/sys/posix_sem.h#1 branch .. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/sys/posix_shm.h#1 branch .. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/sys/socket.h#2 integrate .. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/sys/socketvar.h#2 integrate .. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/sys/vnode.h#2 integrate .. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/vfs/vfs_vnops.c#2 integrate .. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/osfmk/ipc/ipc_right.c#2 integrate .. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/osfmk/mach/mac.h#2 integrate .. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/security/conf/files#2 integrate .. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/security/mac_base.c#2 integrate .. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/security/mac_internal.h#2 integrate .. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/security/mac_port.c#2 integrate .. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/security/mac_posix_sem.c#1 branch .. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/security/mac_posix_shm.c#1 branch .. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/security/mac_socket.c#1 branch .. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/security/mac_vfs.c#2 integrate .. //depot/projects/trustedbsd/sedarwin7/src/mac_mls/mac_mls.c#2 integrate .. //depot/projects/trustedbsd/sedarwin7/src/mac_stub/mac_stub.c#2 integrate .. //depot/projects/trustedbsd/sedarwin7/src/mactest/mac_test.c#2 integrate .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/Makefile#2 integrate .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsedarwin/Makefile#2 integrate .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/policy/Makefile#2 integrate .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/programs/Makefile#2 integrate .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/programs/checkpolicy/Makefile#2 integrate .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/programs/loadpolicy/Makefile#2 integrate .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/programs/newrole/Makefile#2 integrate .. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/programs/wslogin/Makefile#2 integrate .. //depot/projects/trustedbsd/sedarwin7/src/stacktrace/commands/Makefile#2 integrate .. //depot/projects/trustedbsd/sedarwin7/src/stacktrace/commands/save_trace/Makefile#2 integrate .. //depot/projects/trustedbsd/sedarwin7/src/stacktrace/commands/sec_trace/Makefile#2 integrate Differences ... ==== //depot/projects/trustedbsd/sedarwin7/README#2 (text+ko) ==== @@ -46,7 +46,35 @@ - Enhancements to the BootX boot loader and XNU kernel extension linker to support the loading of policy KEXTs earlier in the boot sequence. + - Modifications to mach_init to help bootstrap the mac_mls policy; + this is only a temporary measure until the login modifications + are complete. + + +New Features in the 20050331 release +==================================== + + - Support labelling and access control for Posix IPC (semaphores + and shared memory). This includes support for Posix IPC in mls and + stub policies. + + - Modifications to the Darwin kernel to assign labels to + sockets and other supporting IPv4 data structures, and the + addition of access control checks to socket-related operations. + Extensions to the MAC Framework to permit policy modules to + implement these entry points. + + - Build improvements to convert all remaining BSD Makefiles to GNU + Makefiles. The build is further isolated; it no longer builds + and installs BootX tools in the user's home directory. The + mach_init program was added to the installation. + - Modified Darwin kernel with additional experimental labeling and + access control for Mach IPC. Prototype modifications to the MLS + policy to control information flow via Mach IPC. + + - Additional maturing in VFS security; in particular, vn_read, + vn_write, and vn_rdwr access controls were changed. New Features in Drop 5 ====================== ==== //depot/projects/trustedbsd/sedarwin7/VERSION#2 (text+ko) ==== @@ -1,6 +1,4 @@ -Code Drop 5 -December 17, 2004 +Code Drop dsep-20050331 +March 31, 2005 -src @1501 -docs @1501 -testbed @1501 +src @1896 ==== //depot/projects/trustedbsd/sedarwin7/src/darwin/BootX/Makefile.preamble#2 (text+ko) ==== @@ -1,3 +1,4 @@ +include ../../Makeconfig INCLUDED_ARCHS = ppc OTHER_RECURSIVE_VARIABLES += INCLUDED_ARCHS @@ -139,4 +140,4 @@ # Change this definition to install projects somewhere other than the # standard locations. NEXT_ROOT defaults to "C:/Apple" on Windows systems # and "" on other systems. -DSTROOT = $(HOME) +DSTROOT = $(DARWIN_ROOT) ==== //depot/projects/trustedbsd/sedarwin7/src/darwin/BootX/fcode-to-c.tproj/Makefile.preamble#2 (text+ko) ==== @@ -1,3 +1,4 @@ +include ../../../Makeconfig ############################################################################### # Makefile.preamble # Copyright 1997, Apple Computer, Inc. @@ -134,4 +135,4 @@ # Change this definition to install projects somewhere other than the # standard locations. NEXT_ROOT defaults to "C:/Apple" on Windows systems # and "" on other systems. -DSTROOT = $(HOME) +DSTROOT = $(DARWIN_ROOT) ==== //depot/projects/trustedbsd/sedarwin7/src/darwin/BootX/macho-to-xcoff.tproj/Makefile.preamble#2 (text+ko) ==== @@ -1,3 +1,4 @@ +include ../../../Makeconfig ############################################################################### # Makefile.preamble # Copyright 1997, Apple Computer, Inc. @@ -134,4 +135,4 @@ # Change this definition to install projects somewhere other than the # standard locations. NEXT_ROOT defaults to "C:/Apple" on Windows systems # and "" on other systems. -DSTROOT = $(HOME) +DSTROOT = $(DARWIN_ROOT) ==== //depot/projects/trustedbsd/sedarwin7/src/darwin/Makefile#2 (text+ko) ==== @@ -10,12 +10,13 @@ cd libextattr && gnumake cd libmac && gnumake cd adv_cmds/ps.tproj && gnumake - cd etc && bsdmake + cd etc && gnumake cd extattr_cmds && make - cd mac_cmds && bsdmake - cd file_cmds && bsdmake + cd mac_cmds && gnumake + cd file_cmds && gnumake cd mach_cmds && gnumake cd top && make + cd system_cmds/mach_init.tproj && gnumake # bootstrap_cmds @@ -28,12 +29,13 @@ cd libextattr && gnumake install cd libmac && gnumake install cd adv_cmds/ps.tproj && gnumake install - cd etc && bsdmake install + cd etc && gnumake install cd extattr_cmds && make install - cd mac_cmds && bsdmake install - cd file_cmds && bsdmake install + cd mac_cmds && gnumake install + cd file_cmds && gnumake install cd mach_cmds && gnumake install cd top && make install + cd system_cmds/mach_init.tproj && gnumake install clean: rm -rf xnu/BUILD @@ -45,12 +47,13 @@ cd libextattr && gnumake clean cd libmac && gnumake clean cd adv_cmds/ps.tproj && gnumake clean - cd etc && bsdmake clean + cd etc && gnumake clean cd extattr_cmds && make clean - cd mac_cmds && bsdmake clean - cd file_cmds && bsdmake clean + cd mac_cmds && gnumake clean + cd file_cmds && gnumake clean cd mach_cmds && gnumake clean cd top && make clean + cd system_cmds/mach_init.tproj && gnumake clean #ifndef DARWIN_ROOT # $(error DARWIN_ROOT is not defined in Makeconfig) ==== //depot/projects/trustedbsd/sedarwin7/src/darwin/etc/Makefile#2 (text+ko) ==== @@ -1,11 +1,13 @@ include ../../Makeconfig ETCFILES= mac.conf +INSTALL= install + +all: install: - cd ${.CURDIR}; \ + cd ${CURDIR}; \ ${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 644 \ $(ETCFILES) ${DESTDIR}/private/etc; - -.include +clean: ==== //depot/projects/trustedbsd/sedarwin7/src/darwin/file_cmds/Makefile#2 (text+ko) ==== @@ -1,7 +1,13 @@ include ../../Makeconfig -SUBDIR= ls +.PHONY: install + +all: + cd ls && gnumake + +install: + cd ls && gnumake install -MAKE=gnumake +clean: + cd ls && gnumake clean -.include ==== //depot/projects/trustedbsd/sedarwin7/src/darwin/file_cmds/ls/ls.c#2 (text+ko) ==== @@ -593,7 +593,6 @@ if (f_flags) { np->flags = &np->data[ulen + glen + 2]; (void)strcpy(np->flags, flags); - free(flags); } if (f_label) { np->label = &np->data[ulen + glen + 2 ==== //depot/projects/trustedbsd/sedarwin7/src/darwin/libmac/mac_get.c#2 (text+ko) ==== @@ -33,6 +33,7 @@ #include #include +#include #include #include @@ -40,7 +41,7 @@ mac_get_fd(int fd, struct mac *label) { - return (ENOSYS); + return (syscall(SYS___mac_get_fd, fd, label)); } int @@ -70,3 +71,12 @@ return (syscall(SYS___mac_get_proc, label)); } + +int +mac_get_peer(int fd, struct mac *label) +{ + socklen_t len; + + len = sizeof(*label); + return (getsockopt(fd, SOL_SOCKET, SO_PEERLABEL, label, &len)); +} ==== //depot/projects/trustedbsd/sedarwin7/src/darwin/libmac/mac_set.c#2 (text+ko) ==== @@ -40,7 +40,7 @@ mac_set_fd(int fd, struct mac *label) { - return (ENOSYS); + return (syscall(SYS___mac_set_fd, fd, label)); } int ==== //depot/projects/trustedbsd/sedarwin7/src/darwin/mac_cmds/Makefile#2 (text+ko) ==== @@ -1,9 +1,22 @@ include ../../Makeconfig -SUBDIR= getfmac \ - getpmac \ - mexec \ - setfsmac \ - setpmac +all: + cd getfmac && gnumake + cd getpmac && gnumake + cd mexec && gnumake + cd setfsmac && gnumake + cd setpmac && gnumake + +install: + cd getfmac && gnumake install + cd getpmac && gnumake install + cd mexec && gnumake install + cd setfsmac && gnumake install + cd setpmac && gnumake install -.include +clean: + cd getfmac && gnumake clean + cd getpmac && gnumake clean + cd mexec && gnumake clean + cd setfsmac && gnumake clean + cd setpmac && gnumake clean ==== //depot/projects/trustedbsd/sedarwin7/src/darwin/mac_cmds/getfmac/Makefile#2 (text+ko) ==== @@ -3,7 +3,19 @@ PROG= getfmac MAN8= getfmac.8 +OBJS= getfmac.o + CFLAGS+= $(DARWIN_HDRS) LDADD+= $(LIBMAC) -.include +all: $(PROG) + +$(PROG): $(OBJS) + $(CC) $(CFLAGS) -o $@ $^ $(LDADD) + +install: $(PROG) + install -m 555 $(PROG) $(DESTDIR)/usr/bin + install -m 444 $(MAN8) $(DESTDIR)/usr/share/man/man8 + +clean: + rm -f $(OBJS) $(PROG) ==== //depot/projects/trustedbsd/sedarwin7/src/darwin/mac_cmds/getpmac/Makefile#2 (text+ko) ==== @@ -3,7 +3,19 @@ PROG= getpmac MAN8= getpmac.8 +OBJS= getpmac.o + CFLAGS+= $(DARWIN_HDRS) LDADD+= $(LIBMAC) -.include +all: $(PROG) + +$(PROG): $(OBJS) + $(CC) $(CFLAGS) -o $@ $^ $(LDADD) + +install: $(PROG) + install -m 555 $(PROG) $(DESTDIR)/usr/bin + install -m 444 $(MAN8) $(DESTDIR)/usr/share/man/man8 + +clean: + rm -f $(PROG) $(OBJS) ==== //depot/projects/trustedbsd/sedarwin7/src/darwin/mac_cmds/mexec/Makefile#2 (text+ko) ==== @@ -3,7 +3,18 @@ PROG= mexec NOMAN= +OBJS= mexec.o + CFLAGS+= $(DARWIN_HDRS) LDADD+= $(LIBMAC) -.include +all: $(PROG) + +$(PROG): $(OBJS) + $(CC) $(CFLAGS) -o $@ $^ $(LDADD) + +install: $(PROG) + install -m 555 $(PROG) $(DESTDIR)/usr/bin + +clean: + rm -f $(PROG) $(OBJS) ==== //depot/projects/trustedbsd/sedarwin7/src/darwin/mac_cmds/setfsmac/Makefile#2 (text+ko) ==== @@ -3,8 +3,22 @@ PROG= setfsmac MAN8= setfsmac.8 setfmac.8 +OBJS= setfsmac.o + CFLAGS+= $(DARWIN_HDRS) LDADD+= $(LIBMAC) -LINKS+= $(BINDIR)/setfsmac $(BINDIR)/setfmac +LINKS+= $(DESTDIR)/usr/bin/setfsmac $(DESTDIR)/usr/bin/setfmac + +all: $(PROG) + +$(PROG): $(OBJS) + $(CC) $(CFLAGS) -o $@ $^ $(LDADD) + +install: $(PROG) + install -m 555 $(PROG) $(DESTDIR)/usr/bin + ln -f $(LINKS) + install -m 444 $(MAN8) $(DESTDIR)/usr/share/man/man8 + +clean: + rm -f $(PROG) $(OBJS) -.include ==== //depot/projects/trustedbsd/sedarwin7/src/darwin/mac_cmds/setfsmac/sysqueue.h#2 (text+ko) ==== @@ -34,8 +34,8 @@ * $FreeBSD: src/sys/sys/queue.h,v 1.54 2002/08/05 05:18:43 alfred Exp $ */ -#ifndef _SYS_QUEUE_H_ -#define _SYS_QUEUE_H_ +#ifndef _SYSQUEUE_H_ +#define _SYSQUEUE_H_ #include @@ -526,4 +526,4 @@ #endif /* _KERNEL */ -#endif /* !_SYS_QUEUE_H_ */ +#endif /* _SYSQUEUE_H_ */ ==== //depot/projects/trustedbsd/sedarwin7/src/darwin/mac_cmds/setpmac/Makefile#2 (text+ko) ==== @@ -3,7 +3,19 @@ PROG= setpmac MAN8= setpmac.8 +OBJS= setpmac.o + CFLAGS+= $(DARWIN_HDRS) LDADD+= $(LIBMAC) -.include +all: $(PROG) + +$(PROG): $(OBJS) + $(CC) $(CFLAGS) -o $@ $^ $(LDADD) + +install: $(PROG) + install -m 555 $(PROG) $(DESTDIR)/usr/bin + install -m 444 $(MAN8) $(DESTDIR)/usr/share/man/man8 + +clean: + rm -f $(PROG) $(OBJS) ==== //depot/projects/trustedbsd/sedarwin7/src/darwin/mac_cmds/setpmac/setpmac.c#2 (text+ko) ==== @@ -62,7 +62,7 @@ int error; - if (argc < 3) + if (argc < 2) usage(); error = mac_from_text(&label, argv[1]); ==== //depot/projects/trustedbsd/sedarwin7/src/darwin/mach_cmds/BootstrapDump.c#2 (text+ko) ==== @@ -70,7 +70,7 @@ fprintf(stderr, "%s: Usage: BootstrapPortDump [ pid ]\n", gProgramName); } -static const char *policies = "sebsd,ipctrace"; +static const char *policies = "?sebsd,?ipctrace,?mls"; int main (int argc, const char * argv[]) { ==== //depot/projects/trustedbsd/sedarwin7/src/darwin/mach_cmds/mgetpmac.c#2 (text+ko) ==== @@ -42,7 +42,7 @@ { mach_port_t tp; char label[512]; - char *policies = "sebsd"; + char *policies = "?sebsd,?ipctrace,?mls"; if (argc > 1) task_for_pid(mach_task_self(), strtol(argv[1], NULL, 10), &tp); ==== //depot/projects/trustedbsd/sedarwin7/src/darwin/system_cmds/mach_init.tproj/Makefile#2 (text+ko) ==== @@ -7,6 +7,8 @@ # and Makefile.postamble (both optional), and Makefile will include them. # +include ../../../Makeconfig + NAME = mach_init PROJECTVERSION = 2.8 @@ -26,7 +28,8 @@ NEXTSTEP_INSTALLDIR = /sbin WINDOWS_INSTALLDIR = /sbin PDO_UNIX_INSTALLDIR = /sbin -LIBS = +OTHER_CFLAGS= -I$(EXPORT_HDRS)/bsd -I$(EXPORT_HDRS)/osfmk -I$(EXPORT_HDRS) +LIBS = $(LIBMAC) DEBUG_LIBS = $(LIBS) PROF_LIBS = $(LIBS) @@ -36,7 +39,7 @@ PDO_UNIX_PB_CFLAGS = -DMACH_USER_API -NEXTSTEP_BUILD_OUTPUT_DIR = /tmp/$(USER)/BUILD +NEXTSTEP_BUILD_OUTPUT_DIR = NEXTSTEP_OBJCPLUS_COMPILER = /usr/bin/cc WINDOWS_OBJCPLUS_COMPILER = $(DEVDIR)/gcc ==== //depot/projects/trustedbsd/sedarwin7/src/darwin/system_cmds/mach_init.tproj/bootstrap.c#2 (text+ko) ==== @@ -43,6 +43,7 @@ #include #include #include +#include #import #import @@ -254,6 +255,10 @@ ioctl(fd, TIOCNOTTY, 0); close(fd); } + + mac_t mac; + if (!mac_from_text(&mac, "mls/low(low-high)")) + mac_set_proc(mac); /* pass our arguments on to init */ argv[0] = INIT_PATH; @@ -813,6 +818,10 @@ sigemptyset(&mask); (void) sigprocmask(SIG_SETMASK, &mask, (sigset_t *)NULL); + mac_t mac; + if (!mac_from_text(&mac, "mls/low(low-high)")) + mac_set_proc(mac); + execv(argv[0], argv); unix_fatal("Disabled server %x bootstrap %x: \"%s\": exec()", serverp->port, ==== //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/kern/kern_descrip.c#2 (text+ko) ==== @@ -257,6 +257,12 @@ return (EBADF); pop = &fdp->fd_ofileflags[fd]; +#ifdef MAC + error = mac_check_fcntl(p->p_ucred, fdp, uap->cmd, uap->arg); + if (error) + return (error); +#endif + switch (uap->cmd) { case F_DUPFD: @@ -733,7 +739,7 @@ break; case DTYPE_PSXSHM: - error = pshm_stat((void *)fp->f_data, &ub); + error = pshm_stat((void *)fp->f_data, &ub, p); break; case DTYPE_KQUEUE: ==== //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/kern/posix_sem.c#2 (text+ko) ==== @@ -61,30 +61,8 @@ #include #include #include - -#define PSEMNAMLEN 31 /* maximum name segment length we bother with */ - -struct pseminfo { - unsigned int psem_flags; - unsigned int psem_usecount; - mode_t psem_mode; - uid_t psem_uid; - gid_t psem_gid; - char psem_name[PSEMNAMLEN + 1]; /* segment name */ - void * psem_semobject; - struct proc * sem_proc; -}; -#define PSEMINFO_NULL (struct pseminfo *)0 +#include -#define PSEM_NONE 1 -#define PSEM_DEFINED 2 -#define PSEM_ALLOCATED 4 -#define PSEM_MAPPED 8 -#define PSEM_INUSE 0x10 -#define PSEM_REMOVED 0x20 -#define PSEM_INCREATE 0x40 -#define PSEM_INDELETE 0x80 - struct psemcache { LIST_ENTRY(psemcache) psem_hash; /* hash chain */ struct pseminfo *pseminfo; /* vnode the name refers to */ @@ -424,6 +402,15 @@ pinfo->psem_flags &= ~PSEM_DEFINED; pinfo->psem_flags |= PSEM_ALLOCATED; pinfo->sem_proc = p; +#ifdef MAC + mac_init_posix_sem(pinfo); + + error = mac_check_posix_sem_create(p->p_ucred, nameptr); + if (error) + goto bad2; + + mac_create_posix_sem(p->p_ucred, pinfo, nameptr); +#endif } else { /* semaphore should exist as it is without O_CREAT */ if (!incache) { @@ -433,7 +420,11 @@ if( pinfo->psem_flags & PSEM_INDELETE) { error = ENOENT; goto bad1; - } + } +#ifdef MAC + if (error = mac_check_posix_sem_open(p->p_ucred, pinfo)) + goto bad1; +#endif if (error = psem_access(pinfo, fmode, p->p_ucred, p)) goto bad1; } @@ -469,8 +460,12 @@ goto bad1; bad2: _FREE(pnode, M_SHM); - if (pinfo_alloc) + if (pinfo_alloc) { +#ifdef MAC + mac_destroy_posix_sem(pinfo); +#endif _FREE(pinfo, M_SHM); + } bad1: fdrelse(p, indx); ffree(nfp); @@ -602,6 +597,11 @@ goto bad; } else incache = 1; +#ifdef MAC + error = mac_check_posix_sem_unlink(p->p_ucred, pinfo, nameptr); + if (error) + goto bad; +#endif if (error = psem_access(pinfo, pinfo->psem_mode, p->p_ucred, p)) goto bad; @@ -686,6 +686,11 @@ != PSEM_ALLOCATED) { return(EINVAL); } +#ifdef MAC + error = mac_check_posix_sem_wait(p->p_ucred, pinfo); + if (error) + return (error); +#endif kret = semaphore_wait(pinfo->psem_semobject); switch (kret) { @@ -733,6 +738,11 @@ != PSEM_ALLOCATED) { return(EINVAL); } +#ifdef MAC + error = mac_check_posix_sem_wait(p->p_ucred, pinfo); + if (error) + return (error); +#endif wait_time.tv_sec = 0; wait_time.tv_nsec = 0; @@ -783,6 +793,11 @@ != PSEM_ALLOCATED) { return(EINVAL); } +#ifdef MAC + error = mac_check_posix_sem_post(p->p_ucred, pinfo); + if (error) + return (error); +#endif kret = semaphore_signal(pinfo->psem_semobject); switch (kret) { @@ -890,6 +905,10 @@ kret = semaphore_destroy(kernel_task, pinfo->psem_semobject); +#ifdef MAC + mac_destroy_posix_sem(pinfo); +#endif + switch (kret) { case KERN_INVALID_ADDRESS: case KERN_PROTECTION_FAILURE: ==== //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/kern/posix_shm.c#2 (text+ko) ==== @@ -60,36 +60,8 @@ #include #include #include - - -#define PSHMNAMLEN 31 /* maximum name segment length we bother with */ - -struct pshminfo { - unsigned int pshm_flags; - unsigned int pshm_usecount; - off_t pshm_length; - mode_t pshm_mode; - uid_t pshm_uid; - gid_t pshm_gid; - char pshm_name[PSHMNAMLEN + 1]; /* segment name */ - void * pshm_memobject; -#if DIAGNOSTIC - unsigned int pshm_readcount; - unsigned int pshm_writecount; - struct proc * pshm_proc; -#endif /* DIAGNOSTIC */ -}; -#define PSHMINFO_NULL (struct pshminfo *)0 +#include -#define PSHM_NONE 1 -#define PSHM_DEFINED 2 -#define PSHM_ALLOCATED 4 -#define PSHM_MAPPED 8 -#define PSHM_INUSE 0x10 -#define PSHM_REMOVED 0x20 -#define PSHM_INCREATE 0x40 -#define PSHM_INDELETE 0x80 - struct pshmcache { LIST_ENTRY(pshmcache) pshm_hash; /* hash chain */ struct pshminfo *pshminfo; /* vnode the name refers to */ @@ -417,12 +389,25 @@ pinfo->pshm_mode = cmode; pinfo->pshm_uid = p->p_ucred->cr_uid; pinfo->pshm_gid = p->p_ucred->cr_gid; +#ifdef MAC + mac_init_posix_shm(pinfo); + + error = mac_check_posix_shm_create(p->p_ucred, nameptr); + if (error) + goto bad2; + + mac_create_posix_shm(p->p_ucred, pinfo, nameptr); +#endif } else { /* already exists */ if( pinfo->pshm_flags & PSHM_INDELETE) { error = ENOENT; goto bad1; } +#ifdef MAC + if (error = mac_check_posix_shm_open(p->p_ucred, pinfo)) + goto bad1; +#endif if (error = pshm_access(pinfo, fmode, p->p_ucred, p)) goto bad1; } @@ -436,6 +421,10 @@ error = ENOENT; goto bad1; } +#ifdef MAC + if (error = mac_check_posix_shm_open(p->p_ucred, pinfo)) + goto bad1; +#endif if (error = pshm_access(pinfo, fmode, p->p_ucred, p)) goto bad1; } @@ -472,8 +461,12 @@ _FREE(pnode, M_SHM); bad2: - if (pinfo_alloc) + if (pinfo_alloc) { +#ifdef MAC + mac_destroy_posix_shm(pinfo); +#endif _FREE(pinfo, M_SHM); + } bad1: fdrelse(p, indx); ffree(nfp); @@ -515,6 +508,13 @@ } size = round_page_64(length); + +#ifdef MAC + int error = mac_check_posix_shm_truncate(p->p_ucred, pinfo, size); + if (error) + return(error); +#endif + kret = vm_allocate(current_map(), &user_addr, size, TRUE); if (kret != KERN_SUCCESS) goto out; @@ -547,15 +547,22 @@ } int -pshm_stat(pnode, sb) +pshm_stat(pnode, sb, p) struct pshmnode *pnode; struct stat *sb; +struct proc *p; { struct pshminfo *pinfo; if ((pinfo = pnode->pinfo) == PSHMINFO_NULL) return(EINVAL); +#ifdef MAC + int error = mac_check_posix_shm_stat(p->p_ucred, pinfo); + if (error) + return(error); +#endif + bzero(sb, sizeof(struct stat)); sb->st_mode = pinfo->pshm_mode; sb->st_uid = pinfo->pshm_uid; @@ -663,7 +670,12 @@ return(EINVAL); } - +#ifdef MAC + int error = mac_check_posix_shm_mmap(p->p_ucred, pinfo, prot, flags); + if (error) + return(error); +#endif + user_map = current_map(); if ((flags & MAP_FIXED) == 0) { @@ -794,6 +806,12 @@ return (EINVAL); } +#ifdef MAC + error = mac_check_posix_shm_unlink(p->p_ucred, pinfo, nameptr); + if (error) + goto bad; +#endif + if (pinfo->pshm_flags & PSHM_INDELETE) { error = 0; goto bad; @@ -849,6 +867,9 @@ pinfo->pshm_usecount--; if ((pinfo->pshm_flags & PSHM_REMOVED) && !pinfo->pshm_usecount) { +#ifdef MAC + mac_destroy_posix_shm(pinfo); +#endif _FREE(pinfo,M_SHM); } _FREE(pnode, M_SHM); ==== //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/kern/sys_socket.c#2 (text+ko) ==== @@ -104,6 +104,9 @@ struct mbuf **controlp, int *flagsp)); +#ifdef MAC + int error; +#endif thread_funnel_switch(KERNEL_FUNNEL, NETWORK_FUNNEL); if ((so = (struct socket *)fp->f_data) == NULL) { @@ -112,6 +115,13 @@ return (EBADF); } +#ifdef MAC + error = mac_check_socket_receive(p->p_ucred, so); + if (error) { + thread_funnel_switch(NETWORK_FUNNEL, KERNEL_FUNNEL); + return (error); + } +#endif fsoreceive = so->so_proto->pr_usrreqs->pru_soreceive; if (fsoreceive != soreceive) { kp = sotokextcb(so); @@ -144,6 +154,9 @@ struct mbuf *control, int flags)); struct kextcb *kp; int stat; +#ifdef MAC + int error; +#endif thread_funnel_switch(KERNEL_FUNNEL, NETWORK_FUNNEL); @@ -153,6 +166,13 @@ return (EBADF); } +#ifdef MAC + error = mac_check_socket_send(p->p_ucred, so); + if (error) { + thread_funnel_switch(NETWORK_FUNNEL, KERNEL_FUNNEL); + return (error); + } +#endif fsosend = so->so_proto->pr_usrreqs->pru_sosend; if (fsosend != sosend) { kp = sotokextcb(so); @@ -398,12 +418,25 @@ register struct stat *ub; { int stat; +#ifdef MAC + struct proc *p; +#endif /* * DANGER: by the time we get the network funnel the socket * may have been closed */ +#ifdef MAC + p = current_proc(); +#endif thread_funnel_switch(KERNEL_FUNNEL, NETWORK_FUNNEL); +#ifdef MAC + stat = mac_check_socket_stat(p->p_ucred, so); >>> TRUNCATED FOR MAIL (1000 lines) <<<