Date: Tue, 3 Oct 2006 14:31:01 GMT From: Todd Miller <millert@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 107172 for review Message-ID: <200610031431.k93EV199014869@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=107172
Change 107172 by millert@millert_macbook on 2006/10/03 14:30:00
Return ENOENT in externalize routines when passed an element_name that is not supported for the label type being exported. Fixes "getfmac -l '*' /bin/ls"
Affected files ...
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_base.c#11 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/count/mac_count.c#4 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/count/mk_count_decls.awk#2 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#16 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/stub/mk_stub_funcs.awk#2 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/test/mac_test.c#8 edit
Differences ...
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_base.c#11 (text+ko) ====
@@ -1066,8 +1066,21 @@
 if (error)
 goto done;
 error = mpo_externalize(label, mle->mle_name, sb);
- if (error)
- goto done;
+ if (error) {
+ if (error != ENOENT)
+ goto done;
+ /*
+ * If a policy doesn't have a label to
+ * externalize it returns ENOENT. This
+ * may occur for policies that support
+ * multiple label elements for some
+ * (but not all) object types.
+ */
+ sbuf_setpos(sb, sbuf_len(sb) -
+ (strlen(mle->mle_name) + 1));
+ error = 0;
+ continue;
+ }
 error = sbuf_putc(sb, ',');
 if (error)
 goto done;
==== //depot/projects/trustedbsd/sedarwin8/policies/count/mac_count.c#4 (text+ko) ====
@@ -79,8 +79,8 @@
 #define REG_COUNTER(n) \
 sysctl_register_oid(&sysctl__security_mac_count_ ## n ## _c);
 
-#define MAKE_RETSYSCTL(n) \
- static int n ## _ret; \
+#define MAKE_RETSYSCTL(n, v) \
+ static int n ## _ret = v; \
 SYSCTL_INT(_security_mac_retcontrol, OID_AUTO, n ## _ret, CTLFLAG_RW, \
 &n ## _ret, 0, #n "() return value");
 
==== //depot/projects/trustedbsd/sedarwin8/policies/count/mk_count_decls.awk#2 (text+ko) ====
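Review bot: The rewind `sbuf_setpos(sb, sbuf_len(sb) - (strlen(mle->mle_name) + 1));` hard-codes two assumptions the new block does not state: that exactly the element name plus one separator byte were appended before mpo_externalize was called (presumably by the sbuf_cat/sbuf_putc pair above the hunk), and that a policy returning ENOENT has written nothing to sb. A policy that emits partial output and then returns ENOENT leaves that output in the label string handed back to the caller, with only the name and separator removed. Suggest extending the new comment with `* A policy returning ENOENT must not have written to sb; we back out exactly the name and separator appended above.` so the contract is visible to policy authors. Whether the trailing ',' left by a preceding element is stripped after the loop is not visible here; the enclosing loop and its `done` cleanup start and end outside the hunk.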
@@ -1,5 +1,9 @@
 {
 printf "MAKE_COUNTER(" $2 ");\n"
- if ($1 == "int")
- printf "MAKE_RETSYSCTL(" $2 ");\n"
+ if ($1 == "int") {
+ if ($2 ~ /externalize/)
+ printf "MAKE_RETSYSCTL(" $2 ", ENOENT);\n"
+ else
+ printf "MAKE_RETSYSCTL(" $2 ", 0);\n"
+ }
 }
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#16 (text+ko) ====
@@ -2940,7 +2940,7 @@
 struct n2##_security_struct *lsec; \
 \
 if (strcmp("sebsd", element_name) != 0) \
- return (0); \
+ return (ENOENT); \
 \
 lsec = SLOT(label); \
 return (sebsd_externalize_sid(lsec->sid, element_name, sb)); \
@@ -2958,7 +2958,7 @@
 else if (strcmp("sebsd", element_name) == 0)
 sid = tsec->sid;
 else
- return (0);
+ return (ENOENT);
 
 return (sebsd_externalize_sid(sid, element_name, sb));
 }
==== //depot/projects/trustedbsd/sedarwin8/policies/stub/mk_stub_funcs.awk#2 (text+ko) ====
@@ -6,7 +6,10 @@
 }
 printf "\n{\n"
 if ($1 == "int") {
- printf "\treturn (0);\n"
+ if ($2 ~ /externalize/)
+ printf "\treturn (ENOENT);\n"
+ else
+ printf "\treturn (0);\n"
 }
 printf "}\n\n"
 }
==== //depot/projects/trustedbsd/sedarwin8/policies/test/mac_test.c#8 (text+ko) ====
@@ -590,7 +590,7 @@
 init_label(dest, desttype, fcnname, fctx);
 }
 
-static int
+static void
 externalize_label(struct label *label, int type, const char *fcnname,
 const char *fctx)
 {
@@ -600,10 +600,9 @@
 #else
 use_label(label, type, fcnname, fctx);
 #endif
- return (0);
 }
 
-static int
+static void
 internalize_label(struct label *label, int type, const char *fcnname,
 const char *fctx)
 {
@@ -613,7 +612,6 @@
 #else
 init_label(label, type, fcnname, fctx);
 #endif
- return (0);
 }
 
 /*
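Review bot: The new test `$2 ~ /externalize/` is an unanchored substring match, so any generated entry point whose name merely contains "externalize" gets ENOENT as its default return value, not only the `*_externalize_label` operations this change is about; whether other such names exist in the declaration list is not visible here. Anchoring the pattern, `if ($2 ~ /_externalize_label$/)`, states the intent and keeps a future entry point from silently defaulting to ENOENT. The same unanchored pattern is introduced in the mk_stub_funcs.awk hunk below and should be tightened there as well.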
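Review bot: The macro body in the first sebsd.c hunk now returns ENOENT before writing anything to sb when element_name is not "sebsd", which is exactly what the mac_base.c rewind in this change relies on (it backs out only the element name and its separator), but nothing at the check records that ordering requirement. A one-line comment above the strcmp, `/* Not our element: return ENOENT before touching sb so the caller can drop it. */`, would keep a later edit from emitting data ahead of the check. The second sebsd.c hunk has the same shape and could carry the same comment. The macro and the function these hunks belong to start outside the hunks.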
@@ -907,70 +905,80 @@
 mac_test_cred_externalize_label(struct label *label, char *element_name,
 struct sbuf *sb)
 {
- return EXTERNALIZE_LABEL(label, CREDTYPE);
+ EXTERNALIZE_LABEL(label, CREDTYPE);
+ return (ENOENT);
 }
 
 static int
 mac_test_lctx_externalize_label(struct label *label, char *element_name,
 struct sbuf *sb)
 {
- return EXTERNALIZE_LABEL(label, LCTXTYPE);
+ EXTERNALIZE_LABEL(label, LCTXTYPE);
+ return (ENOENT);
 }
 
 static int
 mac_test_pipe_externalize_label(struct label *label, char *element_name,
 struct sbuf *sb)
 {
- return EXTERNALIZE_LABEL(label, PIPETYPE);
+ EXTERNALIZE_LABEL(label, PIPETYPE);
+ return (ENOENT);
 }
 
 static int
 mac_test_vnode_externalize_label(struct label *label, char *element_name,
 struct sbuf *sb)
 {
- return EXTERNALIZE_LABEL(label, VNODETYPE);
+ EXTERNALIZE_LABEL(label, VNODETYPE);
+ return (ENOENT);
 }
 
 static int
 mac_test_mount_externalize_label(struct label *label, char *element_name,
 struct sbuf *sb)
 {
- return EXTERNALIZE_LABEL(label, MOUNTTYPE);
+ EXTERNALIZE_LABEL(label, MOUNTTYPE);
+ return (ENOENT);
 }
 
 static int
 mac_test_cred_internalize_label(struct label *label, char *element_name,
 char *element_data)
 {
- return INTERNALIZE_LABEL(label, CREDTYPE);
+ INTERNALIZE_LABEL(label, CREDTYPE);
+ return (0);
 }
 
 static int
 mac_test_lctx_internalize_label(struct label *label, char *element_name,
 char *element_data)
 {
- return INTERNALIZE_LABEL(label, LCTXTYPE);
+ INTERNALIZE_LABEL(label, LCTXTYPE);
+ return (0);
 }
 
 static int
 mac_test_pipe_internalize_label(struct label *label, char *element_name,
 char *element_data)
 {
- return INTERNALIZE_LABEL(label, PIPETYPE);
+ INTERNALIZE_LABEL(label, PIPETYPE);
+ return (0);
 }
 
 static int
 mac_test_vnode_internalize_label(struct label *label, char *element_name,
 char *element_data)
 {
- return INTERNALIZE_LABEL(label, VNODETYPE);
+ INTERNALIZE_LABEL(label, VNODETYPE);
+ return (0);
 }
 
 static int
 mac_test_mount_internalize_label(struct label *label, char *element_name,
 char *element_data)
 {
- return INTERNALIZE_LABEL(label, MOUNTTYPE);
+ INTERNALIZE_LABEL(label, MOUNTTYPE);
+ return (0);
 }
 
 static void
@@ -2349,7 +2357,8 @@
 // this probably doesn't work.
 if (sbuf_cat(sb, "socket") < 0)
 return (ENOMEM);
- return EXTERNALIZE_LABEL(label, SOCKETTYPE);
+ EXTERNALIZE_LABEL(label, SOCKETTYPE);
+ return 0;
 }
 
 static int
@@ -2359,7 +2368,8 @@
 //this probably doesn't work.
 if (sbuf_cat(sb, "socketpeer") < 0)
 return ENOMEM;
- return EXTERNALIZE_LABEL(label, SOCKETTYPE);
+ EXTERNALIZE_LABEL(label, SOCKETTYPE);
+ return 0;
 }
 
 static int
@@ -2369,7 +2379,8 @@
 // KASSERT(thread_funnel_get() == network_flock,
 // "mac_test_socket_internalize_label: not holding the network funnel!");
 
- return INTERNALIZE_LABEL(label, SOCKETTYPE);
+ INTERNALIZE_LABEL(label, SOCKETTYPE);
+ return (0);
 }
 
 static void
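Review bot: The five externalize stubs in the first mac_test.c hunk now return ENOENT unconditionally, so `element_name` is never consulted and the test policy externalizes nothing for any element it is asked about; that is presumably intended for a test policy, but the hunk does not say so and a reader will wonder why the internalize counterparts directly below still return 0. A comment on the first of them, `/* The test policy carries no externalizable data; ENOENT tells the caller to drop this element. */`, would record the intent. These function bodies are complete within the hunk.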
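Review bot: The two socket externalize hunks write "socket" / "socketpeer" into sb and then `return 0;` without looking at element_name, the opposite of the five stubs earlier in the file that return ENOENT without writing; under the new mac_base.c logic a 0 return after the write means that text is emitted for every element name this policy is queried for, so either check element_name before the sbuf_cat and return ENOENT like the other stubs, or add a comment explaining why sockets are treated differently. Separately, `return 0;` and `return ENOMEM;` sit next to `return (0);` and `return (ENOMEM);` in the same file; the parenthesized form is what the rest of the file uses. The enclosing functions start outside these hunks.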