Date: Fri, 22 Mar 2002 06:53:24 -0800 (PST) From: Brian Feldman <green@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 8204 for review Message-ID: <200203221453.g2MErOB88903@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
http://people.freebsd.org/~peter/p4db/chv.cgi?CH=8204 Change 8204 by green@green_laptop_2 on 2002/03/22 06:53:02 Start allocating "slots" for being able to have dynamic per-policy MAC structure allocation. Affected files ... ... //depot/projects/trustedbsd/mac/lib/libc/posix1e/Makefile.inc#13 edit ... //depot/projects/trustedbsd/mac/lib/libc/posix1e/mac_sebsd.c#1 add ... //depot/projects/trustedbsd/mac/lib/libc/posix1e/mac_text.c#21 edit ... //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#116 edit ... //depot/projects/trustedbsd/mac/sys/kern/vfs_conf.c#7 edit ... //depot/projects/trustedbsd/mac/sys/security/babyaudit/babyaudit.c#4 edit ... //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#22 edit ... //depot/projects/trustedbsd/mac/sys/security/mac_bsdextended/mac_bsdextended.c#22 edit ... //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#18 edit ... //depot/projects/trustedbsd/mac/sys/security/mac_none/mac_none.c#16 edit ... //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.c#17 edit ... //depot/projects/trustedbsd/mac/sys/sys/mac.h#87 edit ... //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#50 edit Differences ... ==== //depot/projects/trustedbsd/mac/lib/libc/posix1e/Makefile.inc#13 (text+ko) ==== @@ -40,6 +40,7 @@ mac_is_present_np.c \ mac_get.c \ mac_mls.c \ + mac_sebsd.c \ mac_set.c \ mac_te.c \ mac_text.c ==== //depot/projects/trustedbsd/mac/lib/libc/posix1e/mac_text.c#21 (text+ko) ==== ==== //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#116 (text+ko) ==== @@ -84,6 +84,20 @@ TUNABLE_INT("security.mac.debug_label_fallback", &mac_debug_label_fallback); +#ifndef MAC_MAX_POLICIES +#define MAC_MAX_POLICIES 8 +#endif +#if MAC_MAX_POLICIES > 32 +#error "MAC_MAX_POLICIES too large" +#endif +static const unsigned int mac_max_policies = MAC_MAX_POLICIES; +static const unsigned int mac_policies_free = (1 << MAC_MAX_POLICIES) - 1; +SYSCTL_INT(_security_mac, OID_AUTO, max_policies, CTLFLAG_RD, + &mac_max_policies, 0, ""); +struct maclabels { + void *labels[MAC_MAX_POLICIES]; +}; + static int mac_enforce_fs = 1; SYSCTL_INT(_security_mac, OID_AUTO, enforce_fs, CTLFLAG_RW, &mac_enforce_fs, 0, "Enforce MAC policy on file system objects"); @@ -211,13 +225,14 @@ default: } - return (0); + return (error); } static int mac_policy_register(struct mac_policy_conf *mpc) { struct mac_policy_conf *tmpc; + int slot; sx_xlock(&mac_policy_list_lock); LIST_FOREACH(tmpc, &mac_policy_list, mpc_list) { @@ -226,6 +241,17 @@ return (EEXIST); } } + if (mpc->mpc_field_off) { + slot = ffs(mac_policies_free); + if (slot == 0) { + sx_xunlock(&mac_policy_list_lock); + return (EEXIST); + } + slot--; + mac_policies_free &= ~(1 << slot); + mpc->mpc_field_off = slot; + } else + mpc->mpc_field_off = -1; LIST_INSERT_HEAD(&mac_policy_list, mpc, mpc_list); printf("Security policy: %s (%s)\n", mpc->mpc_fullname, mpc->mpc_name); @@ -241,6 +267,11 @@ mac_policy_unregister(struct mac_policy_conf *mpc) { + /* + * Don't allow unloading modules with private data. + */ + if (mpc->mpc_field_off == -1) + return (EBUSY); sx_xlock(&mac_policy_list_lock); if (mpc->mpc_ops->mpo_destroy != NULL) (*(mpc->mpc_ops->mpo_destroy))(mpc); ==== //depot/projects/trustedbsd/mac/sys/kern/vfs_conf.c#7 (text+ko) ==== ==== //depot/projects/trustedbsd/mac/sys/security/babyaudit/babyaudit.c#4 (text+ko) ==== @@ -287,4 +287,5 @@ NULL /* babyaudit_socket_check_receive_mbuf */ }; -MAC_POLICY_SET(babyaudit_ops, trustedbsd_babyaudit, "TrustedBSD MAC/babyaudit"); +MAC_POLICY_SET(babyaudit_ops, trustedbsd_babyaudit, "TrustedBSD MAC/babyaudit", + 0); ==== //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#22 (text+ko) ==== @@ -1051,5 +1051,5 @@ mac_biba_socket_check_receive_mbuf }; -MAC_POLICY_SET(mac_biba_ops, trustedbsd_mac_biba, "TrustedBSD MAC/Biba"); +MAC_POLICY_SET(mac_biba_ops, trustedbsd_mac_biba, "TrustedBSD MAC/Biba", 1); #endif /* !MAC */ ==== //depot/projects/trustedbsd/mac/sys/security/mac_bsdextended/mac_bsdextended.c#22 (text+ko) ==== @@ -645,5 +645,5 @@ }; MAC_POLICY_SET(mac_bsdextended_ops, trustedbsd_mac_bsdextended, - "TrustedBSD MAC/BSD Extended"); + "TrustedBSD MAC/BSD Extended", 0); #endif /* !MAC */ ==== //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#18 (text+ko) ==== @@ -1020,5 +1020,5 @@ mac_mls_socket_check_receive_mbuf }; -MAC_POLICY_SET(mac_mls_ops, trustedbsd_mac_mls, "TrustedBSD MAC/MLS"); +MAC_POLICY_SET(mac_mls_ops, trustedbsd_mac_mls, "TrustedBSD MAC/MLS", 1); #endif /* !MAC */ ==== //depot/projects/trustedbsd/mac/sys/security/mac_none/mac_none.c#16 (text+ko) ==== @@ -644,6 +644,6 @@ mac_none_socket_check_receive_mbuf }; -MAC_POLICY_SET(mac_none_ops, trustedbsd_mac_none, "TrustedBSD MAC/None"); +MAC_POLICY_SET(mac_none_ops, trustedbsd_mac_none, "TrustedBSD MAC/None", 0); #endif /* !MAC */ ==== //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.c#17 (text+ko) ==== @@ -1097,6 +1097,6 @@ mac_te_socket_check_receive_mbuf }; -MAC_POLICY_SET(mac_te_ops, trustedbsd_mac_te, "TrustedBSD MAC/TE"); +MAC_POLICY_SET(mac_te_ops, trustedbsd_mac_te, "TrustedBSD MAC/TE", 1); #endif /* !MAC */ ==== //depot/projects/trustedbsd/mac/sys/sys/mac.h#87 (text+ko) ==== @@ -180,6 +180,10 @@ #define MAC_TE_CLASS_BPF 6 #define MAC_TE_OPERATION_BPF_RECEIVE 1 +struct mac_sebsd { + uint32_t ms_psid; /* persistent sid storage */ +}; + /* * Composite structures and constants which combine the various policy * elements into common structures to be associated with subjects and @@ -190,6 +194,7 @@ struct mac_biba m_biba; struct mac_mls m_mls; struct mac_te m_te; + struct mac_sebsd m_sebsd; }; typedef struct mac *mac_t; ==== //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#50 (text+ko) ==== @@ -206,13 +206,16 @@ char *mpc_fullname; /* policy full name */ struct mac_policy_ops *mpc_ops; /* policy operations */ LIST_ENTRY(mac_policy_conf) mpc_list; /* global list */ + int mpc_field_off; /* security field */ }; -#define MAC_POLICY_SET(mpops, mpname, mpfullname) \ +#define MAC_POLICY_SET(mpops, mpname, mpfullname, privdata_wanted) \ static struct mac_policy_conf mpname ## _mac_policy_conf = { \ #mpname, \ mpfullname, \ &mpops, \ + NULL, \ + privdata_wanted \ }; \ static moduledata_t mpname ## _mod = { \ #mpname, \ @@ -223,5 +226,6 @@ SI_ORDER_MIDDLE) int mac_policy_modevent(module_t mod, int type, void *data); + #endif /* !_SYS_MAC_POLICY_H */ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200203221453.g2MErOB88903>