From: Robert Watson
Date: Wed, 1 May 2002 21:38:50 -0700 (PDT)
Message-Id: <200205020438.g424cor78103@freefall.freebsd.org>
Subject: PERFORCE change 10647 for review
To: Perforce Change Reviews

http://people.freebsd.org/~peter/p4db/chv.cgi?CH=10647

Change 10647 by rwatson@rwatson_tislabs on 2002/05/01 21:38:24

	Introduce a new startup ordering constant: SI_SUB_MAC_LATE. This allows the MAC subsystem to keep a 'mac_late' variable -- it is 0 initially, and set to 1 during SI_SUB_MAC_LATE after all policies have evaluated. This variable will allow modules to determine if they are being loaded "late" -- i.e., following the initialization of the MAC system and all modules linked into the kernel or loaded early. That way they can reject loading in the event that they need to be initialized before any objects are instantiated. This

Affected files ...

... //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#134 edit
... //depot/projects/trustedbsd/mac/sys/sys/kernel.h#10 edit

Differences ...

==== //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#134 (text+ko) ====
@@ -98,6 +98,8 @@ void *labels[MAC_MAX_POLICIES]; }; +int mac_late = 0; + static int mac_enforce_fs = 1; SYSCTL_INT(_security_mac, OID_AUTO, enforce_fs, CTLFLAG_RW, &mac_enforce_fs, 0, "Enforce MAC policy on file system objects"); @@ -223,6 +225,18 @@ } /* + * For the purposes of modules that want to know if they were loaded + * "early", set the mac_late flag once we've processed modules either + * linked into the kernel, or loaded before the kernel startup. + */ +static void +mac_late_init(void) +{ + + mac_late = 1; +} + +/* * Allow MAC policy modules to register during boot, etc. */ int @@ -1812,6 +1826,7 @@ } SYSINIT(mac, SI_SUB_MAC, SI_ORDER_FIRST, mac_init, NULL); +SYSINIT(mac_late, SI_SUB_MAC_LATE, SI_ORDER_FIRST, mac_late_init, NULL); #else /* !MAC */ ==== //depot/projects/trustedbsd/mac/sys/sys/kernel.h#10 (text+ko) ==== @@ -121,6 +121,7 @@ SI_SUB_CPU = 0x2100000, /* CPU resource(s)*/ SI_SUB_MAC = 0x2180000, /* TrustedBSD MAC subsystem */ SI_SUB_MAC_POLICY = 0x21C0000, /* TrustedBSD MAC policies */ + SI_SUB_MAC_LATE = 0x21D0000, /* TrustedBSD MAC subsystem */ SI_SUB_INTRINSIC = 0x2200000, /* proc 0*/ SI_SUB_VM_CONF = 0x2300000, /* config VM, set limits*/ SI_SUB_RUN_QUEUE = 0x2400000, /* set up run queue*/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message
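
Review bot: in the first kern_mac.c hunk (@@ -98,6 +98,8 @@), `int mac_late = 0;` is a writable global, and this change adds no extern declaration for it: only kern_mac.c and kernel.h are touched, so policy modules have no header to read it through. Suggest declaring it in a header that policy modules include, or exposing it through a small read-only accessor so that a module cannot clear the flag. The explicit `= 0` is also redundant for a file-scope int.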
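
Review bot: in the mac_late_init() hunk (@@ -223,6 +225,18 @@), the flag is set but nothing in the visible change reads it, so the "reject loading" behaviour described in the change text is left for every policy module to implement on its own. The registration function follows directly ("Allow MAC policy modules to register during boot, etc."), so consider having registration compare mac_late against a per-policy "must load early" indication and fail there, which keeps the check in one place. The comment should also say what a policy is expected to do when it sees mac_late set to 1.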
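
Review bot: in the SYSINIT hunk (@@ -1812,6 +1826,7 @@), the new `SYSINIT(mac_late, SI_SUB_MAC_LATE, ...)` line sits in the MAC branch just before `#else /* !MAC */`, and the visible lines do not show whether the mac_late definition is under the same conditional. If it is, a module that references mac_late will not link against a kernel built without MAC; worth confirming, and documenting if that is the intended behaviour.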
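
Review bot: in the kernel.h hunk, the comment on `SI_SUB_MAC_LATE = 0x21D0000` is "TrustedBSD MAC subsystem", identical to the one on SI_SUB_MAC two lines above, so the enum no longer says what distinguishes the two stages. Suggest a comment that states its purpose, for example that it marks the point after which policy registration counts as late, and that it is deliberately ordered after SI_SUB_MAC_POLICY and before SI_SUB_INTRINSIC.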