From owner-p4-projects@FreeBSD.ORG Sat Aug 13 07:55:11 2005
Date: Sat, 13 Aug 2005 07:55:09 GMT
Message-Id: <200508130755.j7D7t9bB021020@repoman.freebsd.org>
From: Samy Al Bahra
To: Perforce Change Reviews
Subject: PERFORCE change 81927 for review

http://perforce.freebsd.org/chv.cgi?CH=81927

Change 81927 by samy@mini on 2005/08/13 07:54:27

Allow policies to define a prerequisite for the MAC version. Systems with a MAC version lower than defined by the policy will fail to load the policy. The MAC_DEPEND_VERSION macro should be changed so we don't require it after MAC_POLICY_SET. Policies that don't use MAC_POLICY_SET will load on any system as usual (thus, not breaking API). rwatson would want cleanly generated code, that's what we'll do until I convince him to go another way.

Approved by: rwatson

Affected files ...

.. //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#449 edit
.. //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#237 edit

Differences ...

==== //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#449 (text+ko) ==== @@ -392,6 +392,14 @@ error = EBUSY; break; } + if (mac_version < mpc->mpc_depend_version) { + printf("mac_policy_modevent: %s policy requires " + "MAC version %d\n", mpc->mpc_name, + mpc->mpc_depend_version); + error = ENOTSUP; + break; + } + + error = mac_policy_register(mpc); break; case MOD_UNLOAD: ==== //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#237 (text+ko) ==== @@ -600,6 +600,7 @@ int mpc_loadtime_flags; /* flags */ int *mpc_field_off; /* security field */ int mpc_runtime_flags; /* flags */ + int mpc_depend_version; /* required MAC */ LIST_ENTRY(mac_policy_conf) mpc_list; /* global list */ }; 
@@ -611,6 +612,10 @@ /* Flags for the mpc_runtime_flags field. */ #define MPC_RUNTIME_FLAG_REGISTERED 0x00000001 +/* This must be defined after MAC_POLICY_SET. */ +#define MAC_DEPEND_VERSION(mpname, version) \ + mpname##_mac_policy_conf.mpc_depend_version = version; + #define MAC_POLICY_SET(mpops, mpname, mpfullname, mpflags, privdata_wanted) \ static struct mac_policy_conf mpname##_mac_policy_conf = { \ #mpname, \ @@ -619,6 +624,7 @@ mpflags, \ privdata_wanted, \ 0, \ + 0, \ }; \ static moduledata_t mpname##_mod = { \ #mpname, \
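Review bot: The rejection message in the kern_mac.c hunk (@@ -392,6 +392,14 @@) reports only the version the policy requires, not the version the kernel provides, so the console line alone does not show how far behind the running MAC framework is. Print mac_version alongside mpc->mpc_depend_version in the same printf. The check is placed ahead of mac_policy_register(mpc), so a rejected policy is never registered, which is the right order.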
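Review bot: In the struct mac_policy_conf hunk of mac_policy.h (@@ -600,6 +600,7 @@), mpc_depend_version is inserted ahead of mpc_list, which moves the offset of mpc_list and grows the structure. A policy module compiled against the previous header would be read with the old layout, and the new check in kern_mac.c would compare mac_version against whatever bytes sit at that offset, so the "not breaking API" statement in the change description does not cover already-built modules. State in the header comment or the change description whether policy modules must be rebuilt.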
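Review bot: MAC_DEPEND_VERSION in mac_policy.h (@@ -611,6 +612,10 @@) expands to an assignment statement, mpname##_mac_policy_conf.mpc_depend_version = version; which is only valid inside a function body, while the comment says only that it must come after MAC_POLICY_SET, whose expansion is a set of static definitions. The comment should say where the macro may be invoked and that the assignment has to run before the MOD_LOAD check reads the field; otherwise the field keeps the 0 written by MAC_POLICY_SET and the policy loads on any version. Dropping the trailing semicolon from the macro body and parenthesizing version would also let callers use it as an ordinary statement.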
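Review bot: The added 0, in the MAC_POLICY_SET initializer (@@ -619,6 +624,7 @@) is a second unlabeled positional zero after privdata_wanted, and nothing on the line ties it to mpc_depend_version. Add a trailing comment naming the field on each of the two zeros so that a later reorder of struct mac_policy_conf is easier to catch in review.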