From owner-trustedbsd-cvs@FreeBSD.ORG Wed Jul 5 22:25:04 2006 Return-Path: X-Original-To: trustedbsd-cvs@freebsd.org Delivered-To: trustedbsd-cvs@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BC28416A4E7 for ; Wed, 5 Jul 2006 22:25:04 +0000 (UTC) (envelope-from owner-perforce@freebsd.org) Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7A1F043D46 for ; Wed, 5 Jul 2006 22:25:03 +0000 (GMT) (envelope-from owner-perforce@freebsd.org) Received: from mx2.freebsd.org (mx2.freebsd.org [216.136.204.119]) by cyrus.watson.org (Postfix) with ESMTP id 84D8B46C39 for ; Wed, 5 Jul 2006 18:25:01 -0400 (EDT) Received: from hub.freebsd.org (hub.freebsd.org [216.136.204.18]) by mx2.freebsd.org (Postfix) with ESMTP id 92667554DD; Wed, 5 Jul 2006 22:24:59 +0000 (GMT) (envelope-from owner-perforce@freebsd.org) Received: by hub.freebsd.org (Postfix, from userid 32767) id 9170E16A4E0; Wed, 5 Jul 2006 22:24:59 +0000 (UTC) X-Original-To: perforce@freebsd.org Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 52CA716A4DE for ; Wed, 5 Jul 2006 22:24:59 +0000 (UTC) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id 135DA43D46 for ; Wed, 5 Jul 2006 22:24:59 +0000 (GMT) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.13.6/8.13.6) with ESMTP id k65MOwUN074886 for ; Wed, 5 Jul 2006 22:24:58 GMT (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.13.6/8.13.4/Submit) id k65MOwBv074883 for perforce@freebsd.org; Wed, 5 Jul 2006 22:24:58 GMT (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Date: Wed, 5 Jul 2006 22:24:58 GMT Message-Id: <200607052224.k65MOwBv074883@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to bb+lists.freebsd.perforce@cyrus.watson.org using -f From: Robert Watson To: Perforce Change Reviews Cc: Subject: PERFORCE change 100662 for review X-BeenThere: trustedbsd-cvs@FreeBSD.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: TrustedBSD CVS and Perforce commit message list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 05 Jul 2006 22:25:04 -0000 http://perforce.freebsd.org/chv.cgi?CH=100662 Change 100662 by rwatson@rwatson_zoo on 2006/07/05 22:24:42 Checkpoint resort/respell on policy ops structure. Affected files ... .. //depot/projects/trustedbsd/mac2/sys/sys/mac_policy.h#6 edit Differences ... ==== //depot/projects/trustedbsd/mac2/sys/sys/mac_policy.h#6 (text+ko) ==== @@ -170,7 +170,7 @@ * Object: struct ucred (User credential) */ typedef void (*mpo_cred_init_label_t)(struct label *label); -typedef void (*mpo_cred_destroy_cred_label_t)(struct label *label); +typedef void (*mpo_cred_destroy_label_t)(struct label *label); typedef void (*mpo_cred_copy_label_t)(struct label *src, struct label *dest); typedef int (*mpo_cred_externalize_label_t)(struct label *label, @@ -659,18 +659,131 @@ typedef int (*mpo_associate_nfsd_label_t)(struct ucred *cred); struct mac_policy_ops { + mpo_policy_destroy_t mpo_policy_destroy; + mpo_policy_init_t mpo_policy_init; + + mpo_syscall_t mpo_syscall; + + mpo_bpfdesc_init_label_t mpo_bpfdesc_init_label; + mpo_bpfdesc_destroy_label_t mpo_bpfdesc_destroy_label; + mpo_bpfdesc_create_t mpo_bpfdesc_create; + mpo_bpfdesc_create_mbuf_t mpo_bpfdesc_create_mbuf; + mpo_bpfdesc_check_receive_t mpo_bpfdesc_check_receive; + /* - * Policy module operations. + * XXXRW: Naming consistency here -- perhaps should just be + * mpo_devfs_*. + */ + mpo_devfsdirent_init_label_t mpo_devfsdirent_init_label; + mpo_devfsdirent_destroy_label_t mpo_devfsdirent_destroy_label; + mpo_devfs_vnode_associate_t mpo_devfs_vnode_associate; + mpo_devfs_create_device_t mpo_devfs_create_device; + mpo_devfs_create_directory_t mpo_devfs_create_directory; + mpo_devfs_create_symlink_t mpo_devfs_create_symlink; + mpo_devfsdirent_update_t mpo_devfsdirent_update_t; + + /* + * XXXRW: Perhaps should be mpo_ucred_*. + */ + mpo_cred_init_label_t mpo_cred_init_label; + mpo_cred_destroy_label_t mpo_cred_destroy_label; + mpo_cred_copy_label_t mpo_cred_copy_label; + mpo_cred_externalize_label_t mpo_cred_externalize_label; + mpo_cred_internalize_label_t mpo_cred_internalize_label; + mpo_cred_relabel_t mpo_cred_relabel; + mpo_cred_check_relabel_t mpo_cred_check_relabel; + mpo_cred_check_visible_t mpo_cred_check_visible; + + /* + * XXXRW: Names here still inconsistent. + */ + mpo_ifnet_init_label_t mpo_ifnet_init_label; + mpo_ifnet_destroy_label_t mpo_ifnet_destroy_label; + mpo_ifnet_copy_label_t mpo_ifnet_copy_label; + mpo_ifnet_externalize_label_t mpo_ifnet_externalize_label; + mpo_ifnet_internalize_label_t mpo_ifnet_internalize_label; + mpo_ifnet_create_t mpo_ifnet_create; + mpo_create_mbuf_linklayer_t mpo_create_mbuf_linklayer; + mpo_ifnet_create_mbuf_t mpo_ifnet_create_mbuf; + mpo_create_mbuf_multicast_encap_t mpo_create_mbuf_mulicast_encap; + mpo_ifnet_relabel_t mpo_ifnet_relabel; + mpo_ifnet_check_relabel_t mpo_ifnet_check_relabel; + mpo_ifnet_check_transmit_t mpo_ifnet_check_transmit; + + /* + * XXXRW: Could s/create_from_socket/create/. + */ + mpo_inpcb_init_label_t mpo_inpcb_init_label; + mpo_inpcb_destroy_label_t mpo_inpcb_destroy_label; + mpo_inpcb_create_from_socket_t mpo_inpcb_create_from_socket; + mpo_inpcb_create_mbuf_t mpo_inpcb_create_mbuf; + mpo_inpcb_sosetlabel_t mpo_inpcb_sosetlabel; + mpo_inpcb_check_deliver_t mpo_inpcb_check_deliver; + + /* + * XXXRW: Maybe s/create_datagram/reassemble/, + * s/fragment_match/match/. + */ + mpo_ipq_init_label_t mpo_ipq_init_label; + mpo_ipq_destroy_label_t mpo_ipq_destroy_label; + mpo_ipq_create_t mpo_ipq_create; + mpo_ipq_create_datagram_t mpo_ipq_create_datagram; + mpo_ipq_fragment_match_t mpo_ipq_fragment_match; + mpo_ipq_update_t mpo_ipq_update; + + mpo_kenv_check_dump_t mpo_kenv_check_dump; + mpo_kenv_check_get_t mpo_kenv_check_get; + mpo_kenv_check_set_t mpo_kenv_check_set; + mpo_kenv_check_unset_t mpo_kenv_check_unset; + + mpo_kld_check_load_t mpo_kld_check_load; + mpo_kld_check_stat_t mpo_kld_check_stat; + mpo_kld_check_unload_t mpo_kld_check_unload; + + /* + * XXXRW: Since the structure is ksem, maybe these should be + * renamed; alternatively, maybe ksem should be renamed? Should + * be unlink instead of destroy? + */ + mpo_posix_sem_init_label_t mpo_posix_sem_init_label; + mpo_posix_sem_destroy_label_t mpo_posix_sem_destroy_label; + mpo_posix_sem_create_t mpo_posix_sem_create; + mpo_posix_sem_check_destroy_t mpo_posix_sem_check_destroy; + mpo_posix_sem_check_getvalue_t mpo_posix_sem_check_getvalue; + mpo_posix_sem_check_open_t mpo_posix_sem_check_open; + mpo_posix_sem_check_post_t mpo_posix_sem_check_post; + mpo_posix_sem_check_unlink_t mpo_posix_sem_check_unlink; + mpo_posix_sem_check_wait_t mpo_posix_sem_check_wait; + + /* + * XXXRW: Perhaps fragment, netlayer, icmp, tcp, etc, should be + * netinet calls rather than mbuf calls? */ - mpo_policy_destroy_t mpo_policy_destroy; - mpo_policy_init_t mpo_policy_init; + mpo_mbuf_init_label_t mpo_mbuf_init_label; + mpo_mbuf_destroy_label_t mpo_mbuf_destroy_label; + mpo_mbuf_copy_label_t mpo_mbuf_copy_label; + mpo_mbuf_create_fragment_t mpo_mbuf_create_fragment; + mpo_mbuf_create_netlayer_t mpo_mbuf_create_netlayer; + mpo_mbuf_reflect_icmp_t mpo_mbuf_reflect_icmp; + mpo_mbuf_reflect_tcp_t mpo_mbuf_reflect_tcp; /* - * General policy-directed security system call so that policies may - * implement new services without reserving explicit system call - * numbers. + * XXXRW: Time to toast mount_fs label since it basically is unused? */ - mpo_syscall_t mpo_syscall; + mpo_mount_init_label_t mpo_mount_init_label; + mpo_mount_fs_init_label_t mpo_mount_fs_init_label; + mpo_mount_destroy_label_t mpo_mount_destroy_label; + mpo_mount_fs_destroy_label_t mpo_mount_fs_destroy_label; + mpo_mount_check_stat_t mpo_mount_check_stat; + + + + + + + + + /* * Label operations. Initialize label storage, destroy label