Date: Wed, 25 Oct 2006 19:27:15 GMT From: Todd Miller <millert@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 108418 for review Message-ID: <200610251927.k9PJRFDG058359@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=108418 Change 108418 by millert@millert_macbook on 2006/10/25 19:26:51 The first first parameter of mac_devfs_label_associate_directory() is always NULL. Likewise, the first two parameters of mac_devfs_label_associate_device() are always NULL. This is an artifact of the port of the devfs support from FreeBSD which has a more featureful devfs implementation. There's no good reason to pass pointers into the framework (and then the entry points) that are always NULL so they have been removed. Affected files ... .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/miscfs/devfs/devfs_tree.c#5 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_framework.h#9 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_policy.h#17 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_vfs.c#13 edit .. //depot/projects/trustedbsd/sedarwin8/policies/mls/mac_mls.c#15 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#26 edit .. //depot/projects/trustedbsd/sedarwin8/policies/test/mac_test.c#13 edit Differences ... ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/miscfs/devfs/devfs_tree.c#5 (text+ko) ==== @@ -178,7 +178,7 @@ = (struct devfsmount *)devfs_hidden_mount->mnt_data; #endif /* HIDDEN_MOUNTPOINT */ #ifdef MAC - mac_devfs_label_associate_directory(NULL, "/", strlen("/"), + mac_devfs_label_associate_directory("/", strlen("/"), dev_root->de_dnp, "/"); #endif devfs_ready = 1; @@ -308,7 +308,7 @@ break; dnp = dirent_p->de_dnp; #ifdef MAC - mac_devfs_label_associate_directory(NULL, + mac_devfs_label_associate_directory( dirnode->dn_typeinfo.Dir.myname->de_name, strlen(dirnode->dn_typeinfo.Dir.myname->de_name), dnp, fullpath); 
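Review bot: In the devfs_tree.c hunk at -178, the new call still hands the string literal `"/"` to a `char *dirname` parameter and the `size_t` result of `strlen("/")` to `int dirnamelen`; the -308 hunk does the same with `de_name`. Since this change already rewrites the prototype in mac_framework.h, the `mpo_devfs_label_associate_directory_t` typedef and every policy implementation, it would cost little to tighten the parameter to `const char *dirname` so that a policy cannot write through a literal. If the length has to stay `int` for the policies, the narrowing from `strlen()` deserves a cast or a short comment at the call sites. The enclosing functions start and end outside both hunks.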
@@ -1225,8 +1225,7 @@ new_dev->de_dnp->dn_uid = uid; new_dev->de_dnp->dn_mode |= perms; #ifdef MAC - mac_devfs_label_associate_device(NULL, NULL, dev, new_dev->de_dnp, - buff); + mac_devfs_label_associate_device(dev, new_dev->de_dnp, buff); #endif devfs_propogate(dnp->dn_typeinfo.Dir.myname, new_dev); } ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_framework.h#9 (text+ko) ==== @@ -150,10 +150,10 @@ void mac_vnode_label_associate_singlelabel(struct mount *mp, struct vnode *vp); void mac_vnode_label_associate_file(struct ucred *cred, struct fileglob *fg, struct vnode *vp); -void mac_devfs_label_associate_device(struct ucred *cr, struct mount *mp, - dev_t dev, struct devnode *de, const char *fullpath); -void mac_devfs_label_associate_directory(struct mount *mp, char *dirname, - int dirnamelen, struct devnode *de, const char *fullpath); +void mac_devfs_label_associate_device(dev_t dev, struct devnode *de, + const char *fullpath); +void mac_devfs_label_associate_directory(char *dirname, int dirnamelen, + struct devnode *de, const char *fullpath); int mac_vnode_notify_create(struct ucred *cred, struct mount *mp, struct vnode *dvp, struct vnode *vp, struct componentname *cnp); void mac_mount_label_associate(struct ucred *cred, struct mount *mp); ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_policy.h#17 (text+ko) ==== 
@@ -1496,23 +1496,16 @@ /** @brief Create a new devfs device - @param cred Process credential, if created on behalf of a user process - @param mp Devfs mount point (currently unused in Darwin) @param dev Major and minor numbers of special file @param de "inode" of new device file @param label Destination label @param fullpath Path relative to mount (e.g. /dev) of new device file This entry point labels a new devfs device. The label will likely be based - on the path to the device, or the major and minor numbers. If the device was - created on behalf of a user process (for example, /dev/pts/1), then - 'cred' contains the credentials of that process. - Otherwise, 'cred' is null. The policy should store an appropriate - label into 'label'. + on the path to the device, or the major and minor numbers. + The policy should store an appropriate label into 'label'. */ typedef void mpo_devfs_label_associate_device_t( - struct ucred *cred, - struct mount *mp, dev_t dev, struct devnode *de, struct label *label, @@ -1521,7 +1514,6 @@ /** @brief Create a new devfs directory - @param mp Not used in Darwin @param dirname Name of new directory @param dirnamelen Length of 'dirname' @param de "inode" of new directory @@ -1533,7 +1525,6 @@ label into 'label'. The devfs root directory is labelled in this way. */ typedef void mpo_devfs_label_associate_directory_t( - struct mount *mp, char *dirname, int dirnamelen, struct devnode *de, ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_vfs.c#13 (text+ko) ==== 
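Review bot: The -1496 hunk removes two leading arguments from `mpo_devfs_label_associate_device_t`, and the last hunk of this file removes one from `mpo_devfs_label_associate_directory_t`, with no visible change to any policy version or ABI marker. A policy module built against the old header would presumably still load and then be called with shifted arguments, reading `dev` where it expects a `struct ucred *`. Whether the framework rejects such modules cannot be seen from these hunks, so that should be confirmed before merging. The doc comment would also be clearer if it said outright what policies no longer receive, for example `No subject credential is supplied; the label can depend only on 'dev', 'de' and 'fullpath'.`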
@@ -1090,20 +1090,19 @@ } void -mac_devfs_label_associate_device(struct ucred *cr, struct mount *mp, dev_t dev, - struct devnode *de, const char *fullpath) +mac_devfs_label_associate_device(dev_t dev, struct devnode *de, + const char *fullpath) { - MAC_PERFORM(devfs_label_associate_device, cr, mp, dev, de, de->dn_label, - fullpath); + MAC_PERFORM(devfs_label_associate_device, dev, de, de->dn_label, fullpath); } void -mac_devfs_label_associate_directory(struct mount *mp, char *dirname, int dirnamelen, +mac_devfs_label_associate_directory(char *dirname, int dirnamelen, struct devnode *de, const char *fullpath) { - MAC_PERFORM(devfs_label_associate_directory, mp, dirname, dirnamelen, de, + MAC_PERFORM(devfs_label_associate_directory, dirname, dirnamelen, de, de->dn_label, fullpath); } ==== //depot/projects/trustedbsd/sedarwin8/policies/mls/mac_mls.c#15 (text+ko) ==== @@ -1032,8 +1032,8 @@ * a lot like file system objects. */ static void -mac_mls_devfs_label_associate_device(struct ucred *cr, struct mount *mp, - dev_t dev, struct devnode *de, struct label *label, const char *fullpath) +mac_mls_devfs_label_associate_device(dev_t dev, struct devnode *de, + struct label *label, const char *fullpath) { struct mac_mls *mac_mls; int mls_type; @@ -1057,9 +1057,8 @@ } static void -mac_mls_devfs_label_associate_directory(struct mount *mp, char *dirname, - int dirnamelen, struct devnode *de, struct label *label, - const char *fullpath) +mac_mls_devfs_label_associate_directory(char *dirname, int dirnamelen, + struct devnode *de, struct label *label, const char *fullpath) { struct mac_mls *mac_mls; ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#26 (text+ko) ==== 
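Review bot: Both rewritten wrappers in mac_vfs.c read `de->dn_label` while building the `MAC_PERFORM` argument list, so `de` appears to be dereferenced in the framework before any policy entry point runs. The `CHECKNULL(de)` calls kept in mac_test.c therefore cannot catch a NULL `de` arriving through this path. Neither wrapper has a header comment; I would add one stating the precondition, such as `/* de must be non-NULL: de->dn_label is read here before any policy is called. */`. The expansion of `MAC_PERFORM` is not visible here, so the exact point of the dereference is inferred.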
@@ -1062,13 +1062,9 @@ ipcsec->sclass = SECCLASS_SHM; } -/* - * NOTE: on Darwin mp will always be NULLL for sebsd_devfs_label_associate_device - */ static void -sebsd_devfs_label_associate_device(struct ucred *cr, struct mount *mp, dev_t dev, - struct devnode *devfs_dirent, struct label *label, - const char *fullpath) +sebsd_devfs_label_associate_device(dev_t dev, struct devnode *devfs_dirent, + struct label *label, const char *fullpath) { char *path; int rc; @@ -1090,21 +1086,6 @@ if (rc == 0) dirent->sid = newsid; - /* If there was a creating process (currently only for /dev/pty*), - try a type_transition rule. */ - if (cr != NULL) { - struct task_security_struct *task = SLOT(cr->cr_label); - - /* - * XXX: uses the type specified by genfs instead of the - * parent directory like it should! - */ - int error = security_transition_sid(task->sid, dirent->sid, - dirent->sclass, &newsid); - if (error == 0) - dirent->sid = newsid; - } - /* TBD: debugging */ if (sebsd_verbose > 1) { printf("%s(%s): rc=%d, sclass=%d, computedsid=%d, dirent=%d\n", @@ -1113,13 +1094,9 @@ sebsd_free(path, M_SEBSD); } -/* - * NOTE: on Darwin mp will always be NULLL for sebsd_devfs_label_associate_directory - */ static void -sebsd_devfs_label_associate_directory(struct mount *mp, char *dirname, - int dirnamelen, struct devnode *de, struct label *label, - const char *fullpath) +sebsd_devfs_label_associate_directory(char *dirname, int dirnamelen, + struct devnode *de, struct label *label, const char *fullpath) { char *path; int rc; ==== //depot/projects/trustedbsd/sedarwin8/policies/test/mac_test.c#13 (text+ko) ==== 
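Review bot: In sebsd_devfs_label_associate_device, the -1090 hunk deletes the only path that derived a device node's SID from the creating task, so every node now keeps the SID computed earlier in the function (when `rc == 0`) and nothing else. The commit message says the credential was always NULL on Darwin, so behaviour should not change today, but with both NOTE comments removed the function no longer records that limitation. I would add a comment above it such as `/* Darwin devfs supplies no creating credential: the SID is computed from the path only, with no type_transition on the creator. */`. Separately, when `rc != 0` the visible code leaves `dirent->sid` untouched and reports the failure only under `sebsd_verbose > 1`. Its initial value is set outside the hunk, so it is worth confirming that a failed lookup leaves the node with a restrictive default.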
@@ -1182,29 +1182,19 @@ USE_LABEL(fglabel, FILETYPE); } -/* The ucred and mount parameters can be NULL for this fcn */ static void -mac_test_devfs_label_associate_device(struct ucred *cr, struct mount *mp, - dev_t dev, struct devnode *de, struct label *label, - const char *fullpath) +mac_test_devfs_label_associate_device(dev_t dev, struct devnode *de, + struct label *label, const char *fullpath) { CHECKNULL(de); INIT_LABEL(label, DEVNODETYPE); - if (cr != NULL) - SANITY_CHECK(cr->cr_label, CREDTYPE); } static void -mac_test_devfs_label_associate_directory(struct mount *mp, char *dirname, - int dirnamelen, struct devnode *de, - struct label *label, const char *fullpath) +mac_test_devfs_label_associate_directory(char *dirname, int dirnamelen, + struct devnode *de, struct label *label, const char *fullpath) { - /* - * MP should be NULL for devfs - * CHECKNULL(mp); - */ - CHECKNULL(de); INIT_LABEL(label, DEVNODETYPE);