Date:      Fri, 10 May 2002 19:58:11 -0700 (PDT)
From:      Adam Migus <amigus@FreeBSD.org>
To:        Perforce Change Reviews <perforce@FreeBSD.org>
Subject:   PERFORCE change 11145 for review
Message-ID:  <200205110258.g4B2wBR79494@freefall.freebsd.org>

http://people.freebsd.org/~peter/p4db/chv.cgi?CH=11145

Change 11145 by amigus@amigus_vmganyopa on 2002/05/10 19:57:54

	- removed __mac_get_peer() and updated libc and man pages to
	reflect that.
	- made __mac_[gs]et_fd() not handle sockets and updated man
	pages to reflect that also mentioning that the correct way to
	set and get labels on sockets is [gs]etsockopt().
	- fixed declaration of mac_get_fd() (it was mac_from_fd()) in
	sys/mac.h
	NOTE: currently setsockopt() only checks suser_cred() for
	permission to set the label.  I will fix it so that it actually
	consults the installed MAC policies soon...

Affected files ...

... //depot/projects/trustedbsd/mac/lib/libc/posix1e/mac.3#5 edit
... //depot/projects/trustedbsd/mac/lib/libc/posix1e/mac_get.3#5 edit
... //depot/projects/trustedbsd/mac/lib/libc/posix1e/mac_get.c#4 edit
... //depot/projects/trustedbsd/mac/lib/libc/posix1e/mac_set.3#4 edit
... //depot/projects/trustedbsd/mac/sys/kern/init_sysent.c#17 edit
... //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#140 edit
... //depot/projects/trustedbsd/mac/sys/kern/syscalls.c#17 edit
... //depot/projects/trustedbsd/mac/sys/kern/syscalls.master#15 edit
... //depot/projects/trustedbsd/mac/sys/kern/uipc_socket.c#21 edit
... //depot/projects/trustedbsd/mac/sys/sys/mac.h#99 edit
... //depot/projects/trustedbsd/mac/sys/sys/syscall.h#18 edit
... //depot/projects/trustedbsd/mac/sys/sys/syscall.mk#18 edit
... //depot/projects/trustedbsd/mac/sys/sys/sysproto.h#19 edit

Differences ...

==== //depot/projects/trustedbsd/mac/lib/libc/posix1e/mac.3#5 (text+ko) ====

@@ -77,18 +77,6 @@
 and may be used to retrieve the
 MAC label associated with
 a named file.
-.It Fn mac_get_socket
-This function is described in
-.Xr mac_get 3 ,
-and may be used to retrieve the
-MAC label associated with
-a specific socket descriptor.
-.It Fn mac_get_peer
-This function is described in
-.Xr mac_get 3 ,
-and may be used to retrieve the
-MAC label associated with
-a the peer of a specific socket descriptor.
 .It Fn mac_get_proc
 This function is described in
 .Xr mac_get 3 ,

==== //depot/projects/trustedbsd/mac/lib/libc/posix1e/mac_get.3#5 (text+ko) ====

@@ -37,8 +37,6 @@
 .Sh NAME
 .Nm mac_get_file ,
 .Nm mac_get_fd ,
-.Nm mac_get_socket ,
-.Nm mac_get_peer ,
 .Nm mac_get_proc
 .Nd get the label of a file, socket, socket peer or process
 .Sh SYNOPSIS
@@ -48,10 +46,6 @@
 .Ft mac_t
 .Fn mac_get_fd "int fd"
 .Ft mac_t
-.Fn mac_get_socket "int s"
-.Ft mac_t
-.Fn mac_get_peer "int s"
-.Ft mac_t
 .Fn mac_get_proc
 .Sh DESCRIPTION
 The
@@ -64,18 +58,10 @@
 .Fa path_p
 or the file descriptor specified by
 .Fa fd ,
-respectively.
-The
-.Fn mac_get_socket
-and
-.Fn mac_get_peer
-functions return the MAC label associated
-with the socket descriptor and it's peer
-specified by
-.Fa s ,
-respectively.  Note: mac_get_peer is currently only
-valid for TCP STREAM and UNIX DOMAIN
-sockets.
+respectively.  Note this function will
+fail on socket descriptors.  For information on
+getting MAC labels on socket descriptors see
+.Xr getsockopt 2 .
 The
 .Fn mac_get_proc
 function returns a MAC label associated

==== //depot/projects/trustedbsd/mac/lib/libc/posix1e/mac_get.c#4 (text+ko) ====

@@ -99,45 +99,3 @@
 
 	return (label);
 }
-
-mac_t
-mac_get_peer(int s)
-{
-	struct mac *label;
-	int error;
-
-	label = (mac_t) malloc(sizeof(*label));
-	if (label == NULL) {
-		errno = ENOMEM;
-		return (NULL);
-	}
-
-	error = __mac_get_peer(s, label);
-	if (error) {
-		mac_free(label);
-		return (NULL);
-	}
-
-	return (label);
-}
-
-mac_t
-mac_get_socket(int s)
-{
-	struct mac *label;
-	int error;
-
-	label = (mac_t) malloc(sizeof(*label));
-	if (label == NULL) {
-		errno = ENOMEM;
-		return (NULL);
-	}
-
-	error = __mac_get_fd(s, label);
-	if (error) {
-		mac_free(label);
-		return (NULL);
-	}
-
-	return (label);
-}

==== //depot/projects/trustedbsd/mac/lib/libc/posix1e/mac_set.3#4 (text+ko) ====

@@ -61,7 +61,10 @@
 .Fa path_p ,
 or to the file descriptor
 .Fa fd ,
-respectively.
+respectively.  Note this function will
+fail on socket descriptors.  For information on
+setting MAC labels on socket descriptors see
+.Xr setsockopt 2 .
 The
 .Fn mac_set_proc
 function associates the MAC label

==== //depot/projects/trustedbsd/mac/sys/kern/init_sysent.c#17 (text+ko) ====

@@ -414,5 +414,4 @@
 	{ SYF_MPSAFE | AS(__mac_set_file_args), (sy_call_t *)__mac_set_file },	/* 389 = __mac_set_file */
 	{ AS(kenv_args), (sy_call_t *)kenv },		/* 390 = kenv */
 	{ 0, (sy_call_t *)nosys },			/* 391 = lchflags */
-	{ SYF_MPSAFE | AS(__mac_get_peer_args), (sy_call_t *)__mac_get_peer },	/* 392 = __mac_get_peer */
 };

==== //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#140 (text+ko) ====

@@ -44,7 +44,6 @@
  */
 
 #include "opt_mac.h"
-
 #include <sys/param.h>
 #include <sys/kernel.h>
 #include <sys/lock.h>
@@ -1668,7 +1667,6 @@
 {
 	struct file *fp;
 	struct mac label;
-	struct socket *so;
 	struct vnode *vp;
 	int error;
 
@@ -1679,11 +1677,6 @@
 		goto out;
 
 	switch (fp->f_type) {
-	case DTYPE_SOCKET:
-		so = (struct socket *)fp->f_data;
-		label = so->so_label;
-		break;
-
 	case DTYPE_FIFO:
 	case DTYPE_VNODE:
 		vp = (struct vnode *)fp->f_data;
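Review bot: With the DTYPE_SOCKET case removed, a socket descriptor now falls through to whatever `default:` this switch has, and that branch, like the rest of __mac_get_fd, lies outside the hunk, so I cannot confirm it sets `error` rather than letting the uninitialized stack `label` declared just above reach the copyout. The mac_get.3 change in this same commit promises that the call "will fail on socket descriptors", so the default branch must return an error (EINVAL would match what the deleted __mac_get_peer used). A one-line note at the remaining cases, `/* Sockets are rejected here; their label is read via getsockopt(2). */`, would record why the case is deliberately absent.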
@@ -1710,41 +1703,6 @@
  * MPSAFE
  */
 int
-__mac_get_peer(struct thread *td, struct __mac_get_peer_args *uap)
-{
-	struct file *fp;
-	struct socket *so;
-	struct mac label;
-	int error;
-
-	mtx_lock(&Giant);
-
-	error = fget(td, SCARG(uap, fd), &fp);
-	if (error)
-		goto out2;
-
-	if(fp->f_type != DTYPE_SOCKET) {
-		error = EINVAL;
-		goto out;
-	}
-	else {
-		so = (struct socket *)fp->f_data;
-		label = so->so_peerlabel;
-	}
-
-	if (error == 0)
-		error = copyout(&label, SCARG(uap, mac_p), sizeof(label));
-out:
- 	fdrop(fp, td);
-out2:
-	mtx_unlock(&Giant);
-	return (error);
-}
-
-/*
- * MPSAFE
- */
-int
 __mac_get_file(struct thread *td, struct __mac_get_file_args *uap)
 {
 	struct nameidata nd;
@@ -1779,7 +1737,6 @@
 	struct file *fp;
 	struct mac newlabel;
 	struct mount *mp;
-	struct socket *so;
 	struct vnode *vp;
 	int error;
 
@@ -1793,18 +1750,6 @@
 		goto out2;
 
 	switch (fp->f_type) {
-	case DTYPE_SOCKET:
-		so = (struct socket *)fp->f_data;
-
-		error = mac_cred_check_relabel_socket(td->td_ucred, so,
-		    &newlabel);
-		if (error)
-			goto out2;
-
-		mac_relabel_socket(td->td_ucred, so, &newlabel);
-
-		break;
-
 	case DTYPE_FIFO:
 	case DTYPE_VNODE:
 		vp = (struct vnode *)fp->f_data;
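Review bot: Deleting this case removes the only visible path that called mac_cred_check_relabel_socket() before mac_relabel_socket(), and by the commit's own NOTE the replacement setsockopt() path currently checks only suser_cred(), so a socket relabel that a loaded MAC policy would have denied is now allowed for any root process and the policies are never consulted. uipc_socket.c#21 is listed as affected but no hunk for it appears in this review, so I cannot verify the setsockopt() side; presumably the policy check is meant to move there. I would leave a marker at the switch, `/* XXX sockets are relabeled via setsockopt(2), which still lacks the mac_cred_check_relabel_socket() call. */`, and treat restoring that check as a blocker rather than a follow-up. The rest of __mac_set_fd, including its default case and the fdrop/unlock exits, is outside this hunk.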

==== //depot/projects/trustedbsd/mac/sys/kern/syscalls.c#17 (text+ko) ====

@@ -399,5 +399,4 @@
 	"__mac_set_file",			/* 389 = __mac_set_file */
 	"kenv",			/* 390 = kenv */
 	"#391",			/* 391 = lchflags */
-	"__mac_get_peer",			/* 392 = __mac_get_peer */
 };

==== //depot/projects/trustedbsd/mac/sys/kern/syscalls.master#15 (text+ko) ====

@@ -561,5 +561,4 @@
 389	MSTD	BSD	{ int __mac_set_file(const char *path_p, struct mac *mac_p); }
 390	STD	BSD	{ int kenv(int what, const char *name, char *value, \
 			    int len); }
-391	UNIMPL	BSD	lchflags
-392	MSTD	BSD	{ int __mac_get_peer(int fd, struct mac *mac_p); }
+391	UNIMPL	BSD	lchflags
==== //depot/projects/trustedbsd/mac/sys/kern/uipc_socket.c#21 (text+ko) ====


==== //depot/projects/trustedbsd/mac/sys/sys/mac.h#99 (text+ko) ====

@@ -171,10 +171,8 @@
 int	mac_equal(const mac_t labela, const mac_t _labelb);
 int	mac_free(void *_buf_p);
 mac_t	mac_from_text(const char *_text_p);
-mac_t	mac_from_fd(int _fildes);
+mac_t	mac_get_fd(int _fildes);
 mac_t	mac_get_file(const char *_path_p);
-mac_t	mac_get_socket(int s);
-mac_t	mac_get_peer(int s);
 mac_t	mac_get_proc(void);
 mac_t	mac_glb(const mac_t _labela, const mac_t _labelb);
 mac_t	mac_lub(const mac_t _labela, const mac_t _labelb);

==== //depot/projects/trustedbsd/mac/sys/sys/syscall.h#18 (text+ko) ====

@@ -310,5 +310,4 @@
 #define	SYS___mac_set_fd	388
 #define	SYS___mac_set_file	389
 #define	SYS_kenv	390
-#define	SYS___mac_get_peer	392
-#define	SYS_MAXSYSCALL	393
+#define	SYS_MAXSYSCALL	392

==== //depot/projects/trustedbsd/mac/sys/sys/syscall.mk#18 (text+ko) ====

@@ -259,5 +259,4 @@
 	__mac_get_file.o \
 	__mac_set_fd.o \
 	__mac_set_file.o \
-	kenv.o \
-	__mac_get_peer.o
+	kenv.o

==== //depot/projects/trustedbsd/mac/sys/sys/sysproto.h#19 (text+ko) ====

@@ -1134,10 +1134,6 @@
 	char value_l_[PADL_(char *)]; char * value; char value_r_[PADR_(char *)];
 	char len_l_[PADL_(int)]; int len; char len_r_[PADR_(int)];
 };
-struct __mac_get_peer_args {
-	char fd_l_[PADL_(int)]; int fd; char fd_r_[PADR_(int)];
-	char mac_p_l_[PADL_(struct mac *)]; struct mac * mac_p; char mac_p_r_[PADR_(struct mac *)];
-};
 int	nosys(struct thread *, struct nosys_args *);
 void	sys_exit(struct thread *, struct sys_exit_args *);
 int	fork(struct thread *, struct fork_args *);
@@ -1394,7 +1390,6 @@
 int	__mac_set_fd(struct thread *, struct __mac_set_fd_args *);
 int	__mac_set_file(struct thread *, struct __mac_set_file_args *);
 int	kenv(struct thread *, struct kenv_args *);
-int	__mac_get_peer(struct thread *, struct __mac_get_peer_args *);
 
 #ifdef COMPAT_43
 




