From owner-p4-projects@FreeBSD.ORG Tue Oct 3 14:31:03 2006 Return-Path: X-Original-To: p4-projects@freebsd.org Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id DCCB016A40F; Tue, 3 Oct 2006 14:31:02 +0000 (UTC) X-Original-To: perforce@freebsd.org Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 934C216A403 for ; Tue, 3 Oct 2006 14:31:02 +0000 (UTC) (envelope-from millert@freebsd.org) Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4DB0B43D45 for ; Tue, 3 Oct 2006 14:31:02 +0000 (GMT) (envelope-from millert@freebsd.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.13.6/8.13.6) with ESMTP id k93EV2Nj014876 for ; Tue, 3 Oct 2006 14:31:02 GMT (envelope-from millert@freebsd.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.13.6/8.13.4/Submit) id k93EV199014869 for perforce@freebsd.org; Tue, 3 Oct 2006 14:31:01 GMT (envelope-from millert@freebsd.org) Date: Tue, 3 Oct 2006 14:31:01 GMT Message-Id: <200610031431.k93EV199014869@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to millert@freebsd.org using -f 
From: Todd Miller To: Perforce Change Reviews Cc: Subject: PERFORCE change 107172 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 03 Oct 2006 14:31:03 -0000 http://perforce.freebsd.org/chv.cgi?CH=107172 Change 107172 by millert@millert_macbook on 2006/10/03 14:30:00 Return ENOENT in externalize routines when passed an element_name that is not supported for the label type being exported. Fixes "getfmac -l '*' /bin/ls" Affected files ... .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_base.c#11 edit .. //depot/projects/trustedbsd/sedarwin8/policies/count/mac_count.c#4 edit .. //depot/projects/trustedbsd/sedarwin8/policies/count/mk_count_decls.awk#2 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#16 edit .. //depot/projects/trustedbsd/sedarwin8/policies/stub/mk_stub_funcs.awk#2 edit .. //depot/projects/trustedbsd/sedarwin8/policies/test/mac_test.c#8 edit Differences ...
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_base.c#11 (text+ko) ====
@@ -1066,8 +1066,21 @@
 if (error)
 goto done;
 error = mpo_externalize(label, mle->mle_name, sb);
- if (error)
- goto done;
+ if (error) {
+ if (error != ENOENT)
+ goto done;
+ /*
+ * If a policy doesn't have a label to
+ * externalize it returns ENOENT. This
+ * may occur for policies that support
+ * multiple label elements for some
+ * (but not all) object types.
+ */
+ sbuf_setpos(sb, sbuf_len(sb) -
+ (strlen(mle->mle_name) + 1));
+ error = 0;
+ continue;
+ }
 error = sbuf_putc(sb, ',');
 if (error)
 goto done;
==== //depot/projects/trustedbsd/sedarwin8/policies/count/mac_count.c#4 (text+ko) ====
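Review bot: The rewind on the `sbuf_setpos` line hard-codes two assumptions that nothing checks: that exactly `mle_name` plus a one-character separator was appended before `mpo_externalize` ran, and that the policy wrote nothing into the sbuf before returning ENOENT. A more robust form records the position before the name is appended (that write is above the hunk), `int pos = sbuf_len(sb);`, and restores it with `sbuf_setpos(sb, pos);`, which also survives a later change of separator and does not depend on `strlen` of the name. Whether the `continue` correctly bypasses any post-loop handling of the trailing ',' cannot be judged here, since the rest of the loop body and the code after it are outside the hunk. The ENOENT contract should also be stated at the mpo_*_externalize_label declarations, e.g. `/* Return ENOENT, having written nothing to sb, if element_name is not one this policy exports for this object type. */`.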
@@ -79,8 +79,8 @@
 #define REG_COUNTER(n) \
 sysctl_register_oid(&sysctl__security_mac_count_ ## n ## _c);
 
-#define MAKE_RETSYSCTL(n) \
- static int n ## _ret; \
+#define MAKE_RETSYSCTL(n, v) \
+ static int n ## _ret = v; \
 SYSCTL_INT(_security_mac_retcontrol, OID_AUTO, n ## _ret, CTLFLAG_RW, \
 &n ## _ret, 0, #n "() return value");
 
==== //depot/projects/trustedbsd/sedarwin8/policies/count/mk_count_decls.awk#2 (text+ko) ====
@@ -1,5 +1,9 @@
 {
 printf "MAKE_COUNTER(" $2 ");\n"
- if ($1 == "int")
- printf "MAKE_RETSYSCTL(" $2 ");\n"
+ if ($1 == "int") {
+ if ($2 ~ /externalize/)
+ printf "MAKE_RETSYSCTL(" $2 ", ENOENT);\n"
+ else
+ printf "MAKE_RETSYSCTL(" $2 ", 0);\n"
+ }
 }
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#16 (text+ko) ====
@@ -2940,7 +2940,7 @@
 struct n2##_security_struct *lsec; \
 \
 if (strcmp("sebsd", element_name) != 0) \
- return (0); \
+ return (ENOENT); \
 \
 lsec = SLOT(label); \
 return (sebsd_externalize_sid(lsec->sid, element_name, sb)); \
@@ -2958,7 +2958,7 @@
 else if (strcmp("sebsd", element_name) == 0)
 sid = tsec->sid;
 else
- return (0);
+ return (ENOENT);
 
 return (sebsd_externalize_sid(sid, element_name, sb));
 }
==== //depot/projects/trustedbsd/sedarwin8/policies/stub/mk_stub_funcs.awk#2 (text+ko) ====
@@ -6,7 +6,10 @@
 }
 printf "\n{\n"
 if ($1 == "int") {
- printf "\treturn (0);\n"
+ if ($2 ~ /externalize/)
+ printf "\treturn (ENOENT);\n"
+ else
+ printf "\treturn (0);\n"
 }
 printf "}\n\n"
 }
==== //depot/projects/trustedbsd/sedarwin8/policies/test/mac_test.c#8 (text+ko) ====
@@ -590,7 +590,7 @@
 init_label(dest, desttype, fcnname, fctx);
 }
 
-static int
+static void
 externalize_label(struct label *label, int type, const char *fcnname,
 const char *fctx)
 {
@@ -600,10 +600,9 @@
 #else
 use_label(label, type, fcnname, fctx);
 #endif
- return (0);
 }
 
-static int
+static void
 internalize_label(struct label *label, int type, const char *fcnname,
 const char *fctx)
 {
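Review bot: The `$2 ~ /externalize/` test on the new `if` line in mk_count_decls.awk selects hooks by an unanchored substring, and the identical test is repeated in the mk_stub_funcs.awk hunk, so both generators would hand ENOENT to any future hook whose name merely contains that word rather than only to the label-export hooks. Anchoring it, `if ($2 ~ /externalize_label$/)`, matches the naming visible in the mac_test.c hunks (`mac_test_cred_externalize_label` and friends) — assuming the entries in the declaration list the scripts read follow the same pattern, which nothing in this change shows. The generated `MAKE_RETSYSCTL(" $2 ", ENOENT)` output also makes the emitted C depend on ENOENT being in scope in the generated file; a one-line comment in each script would help the next maintainer, e.g. `# externalize hooks default to ENOENT: "no such label element", see mac_base.c`.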
@@ -613,7 +612,6 @@
 #else
 init_label(label, type, fcnname, fctx);
 #endif
- return (0);
 }
 
 /*
@@ -907,70 +905,80 @@
 mac_test_cred_externalize_label(struct label *label, char *element_name,
 struct sbuf *sb)
 {
- return EXTERNALIZE_LABEL(label, CREDTYPE);
+ EXTERNALIZE_LABEL(label, CREDTYPE);
+ return (ENOENT);
 }
 
 static int
 mac_test_lctx_externalize_label(struct label *label, char *element_name,
 struct sbuf *sb)
 {
- return EXTERNALIZE_LABEL(label, LCTXTYPE);
+ EXTERNALIZE_LABEL(label, LCTXTYPE);
+ return (ENOENT);
 }
 
 static int
 mac_test_pipe_externalize_label(struct label *label, char *element_name,
 struct sbuf *sb)
 {
- return EXTERNALIZE_LABEL(label, PIPETYPE);
+ EXTERNALIZE_LABEL(label, PIPETYPE);
+ return (ENOENT);
 }
 
 static int
 mac_test_vnode_externalize_label(struct label *label, char *element_name,
 struct sbuf *sb)
 {
- return EXTERNALIZE_LABEL(label, VNODETYPE);
+ EXTERNALIZE_LABEL(label, VNODETYPE);
+ return (ENOENT);
 }
 
 static int
 mac_test_mount_externalize_label(struct label *label, char *element_name,
 struct sbuf *sb)
 {
- return EXTERNALIZE_LABEL(label, MOUNTTYPE);
+ EXTERNALIZE_LABEL(label, MOUNTTYPE);
+ return (ENOENT);
 }
 
 static int
 mac_test_cred_internalize_label(struct label *label, char *element_name,
 char *element_data)
 {
- return INTERNALIZE_LABEL(label, CREDTYPE);
+ INTERNALIZE_LABEL(label, CREDTYPE);
+ return (0);
 }
 
 static int
 mac_test_lctx_internalize_label(struct label *label, char *element_name,
 char *element_data)
 {
- return INTERNALIZE_LABEL(label, LCTXTYPE);
+ INTERNALIZE_LABEL(label, LCTXTYPE);
+ return (0);
 }
 
 static int
 mac_test_pipe_internalize_label(struct label *label, char *element_name,
 char *element_data)
 {
- return INTERNALIZE_LABEL(label, PIPETYPE);
+ INTERNALIZE_LABEL(label, PIPETYPE);
+ return (0);
 }
 
 static int
 mac_test_vnode_internalize_label(struct label *label, char *element_name,
 char *element_data)
 {
- return INTERNALIZE_LABEL(label, VNODETYPE);
+ INTERNALIZE_LABEL(label, VNODETYPE);
+ return (0);
 }
 
 static int
 mac_test_mount_internalize_label(struct label *label, char *element_name,
 char *element_data)
 {
- return INTERNALIZE_LABEL(label, MOUNTTYPE);
+ INTERNALIZE_LABEL(label, MOUNTTYPE);
+ return (0);
 }
 
 static void
@@ -2349,7 +2357,8 @@
 // this probably doesn't work.
 if (sbuf_cat(sb, "socket") < 0)
 return (ENOMEM);
- return EXTERNALIZE_LABEL(label, SOCKETTYPE);
+ EXTERNALIZE_LABEL(label, SOCKETTYPE);
+ return 0;
 }
 
 static int
@@ -2359,7 +2368,8 @@
 //this probably doesn't work.
 if (sbuf_cat(sb, "socketpeer") < 0)
 return ENOMEM;
- return EXTERNALIZE_LABEL(label, SOCKETTYPE);
+ EXTERNALIZE_LABEL(label, SOCKETTYPE);
+ return 0;
 }
 
 static int
@@ -2369,7 +2379,8 @@
 // KASSERT(thread_funnel_get() == network_flock,
 // "mac_test_socket_internalize_label: not holding the network funnel!");
 
- return INTERNALIZE_LABEL(label, SOCKETTYPE);
+ INTERNALIZE_LABEL(label, SOCKETTYPE);
+ return (0);
 }
 
 static void
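Review bot: Every externalize hook in this hunk returns ENOENT unconditionally without looking at `element_name`, and nothing says why; combined with the mac_base.c change, which treats ENOENT as "drop the element name already written", a reader will take the pair for a bug unless the intent is stated. Suggest a comment above `mac_test_cred_externalize_label`, e.g. `/* The test policy keeps no externalizable label state; ENOENT tells the caller in mac_base.c to discard the "name/" prefix it has already appended. */`, and a matching one-liner on the internalize hooks that now always succeed with `return (0);`. The five externalize and five internalize bodies are now identical apart from the type constant, so the shared tail could live in the EXTERNALIZE_LABEL/INTERNALIZE_LABEL macros themselves, but that is a matter of taste.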
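Review bot: The socket externalize hook in this hunk and the socketpeer one in the @@ -2359 hunk behave differently from the hooks at @@ -907: they append "socket"/"socketpeer" to the sbuf and return 0, so their text is kept, whereas the cred/lctx/pipe/vnode/mount hooks return ENOENT and have their output erased; neither of the two checks `element_name` before writing, and the `// this probably doesn't work.` comments left in place suggest the question was never settled. The return style also drifts within the same file: `return 0;` here and in @@ -2359 against `return (0);` in @@ -2369 and the rest of the patch, and `return (ENOMEM);` here against `return ENOMEM;` in @@ -2359; the parenthesized form is what the other hunks use, so `return (0);` and `return (ENOMEM);` would keep it consistent. The enclosing functions begin outside these hunks.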