From owner-p4-projects@FreeBSD.ORG Tue Oct 3 16:26:53 2006 Return-Path: X-Original-To: p4-projects@freebsd.org Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id B447516A47B; Tue, 3 Oct 2006 16:26:53 +0000 (UTC) X-Original-To: perforce@freebsd.org Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6D4A716A416 for ; Tue, 3 Oct 2006 16:26:53 +0000 (UTC) (envelope-from millert@freebsd.org) Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6F21143D45 for ; Tue, 3 Oct 2006 16:26:49 +0000 (GMT) (envelope-from millert@freebsd.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.13.6/8.13.6) with ESMTP id k93GQnTN045306 for ; Tue, 3 Oct 2006 16:26:49 GMT (envelope-from millert@freebsd.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.13.6/8.13.4/Submit) id k93GQlG4045285 for perforce@freebsd.org; Tue, 3 Oct 2006 16:26:47 GMT (envelope-from millert@freebsd.org) Date: Tue, 3 Oct 2006 16:26:47 GMT Message-Id: <200610031626.k93GQlG4045285@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to millert@freebsd.org using -f From: Todd Miller To: Perforce Change Reviews Cc: Subject: PERFORCE change 107194 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 03 Oct 2006 16:26:54 -0000 http://perforce.freebsd.org/chv.cgi?CH=107194 Change 107194 by millert@millert_macbook on 2006/10/03 16:26:07 Rename entrypoints again; hopefully for the last time Remove mac_devfs_create_symlink(); Darwin devfs doesn't have them. Use a perl script to generate access control checks in mac_test Affected files ... .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/bsm/audit_kernel.h#4 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/bsd_init.c#5 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_audit.c#6 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_credential.c#4 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_exec.c#4 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_exit.c#4 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_fork.c#4 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_proc.c#4 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_prot.c#6 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_sig.c#4 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/posix_sem.c#3 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/posix_shm.c#3 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/sys_pipe.c#3 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/sysv_msg.c#5 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/sysv_sem.c#5 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/sysv_shm.c#5 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/uipc_mbuf.c#4 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/uipc_mbuf2.c#4 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/uipc_socket.c#5 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/uipc_socket2.c#4 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/uipc_usrreq.c#5 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/miscfs/devfs/devfs_tree.c#4 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/miscfs/devfs/devfs_vfsops.c#3 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/miscfs/devfs/devfs_vnops.c#3 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/net/bpf.c#4 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/net/bsd_comp.c#4 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/net/dlil.c#4 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/net/ppp_deflate.c#4 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/igmp.c#4 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/ip_icmp.c#5 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/ip_output.c#4 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/raw_ip.c#4 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/tcp_input.c#4 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/tcp_output.c#4 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/tcp_subr.c#4 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet6/mld6.c#4 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet6/nd6_nbr.c#2 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/nfs/nfs_vfsops.c#4 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/sys/kauth.h#2 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/vfs/vfs_init.c#4 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/vfs/vfs_subr.c#4 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/vfs/vfs_syscalls.c#9 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/vfs/vfs_xattr.c#6 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/config/MACFramework.exports#6 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/osfmk/ipc/ipc_labelh.c#9 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/osfmk/ipc/ipc_object.c#3 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/osfmk/ipc/ipc_port.c#4 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/osfmk/ipc/mach_msg.c#4 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/osfmk/ipc/mach_port.c#4 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/osfmk/kern/ipc_kobject.c#3 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/osfmk/kern/ipc_tt.c#3 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/osfmk/kern/security.c#5 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/osfmk/kern/task.c#6 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/osfmk/mach/security.defs#3 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac.h#9 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_audit.c#4 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_base.c#15 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_framework.h#5 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_internal.h#8 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_mach_internal.h#6 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_net.c#5 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_pipe.c#6 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_policy.h#11 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_port.c#6 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_posix_sem.c#4 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_posix_shm.c#4 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_process.c#8 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_socket.c#6 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_sysv_msg.c#5 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_sysv_sem.c#4 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_sysv_shm.c#4 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_task.c#5 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_vfs.c#8 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_vfs_subr.c#4 edit .. //depot/projects/trustedbsd/sedarwin8/policies/basetest/mac_basetest.c#5 edit .. //depot/projects/trustedbsd/sedarwin8/policies/color/mac_color.c#6 edit .. //depot/projects/trustedbsd/sedarwin8/policies/console/mac_console.c#5 edit .. //depot/projects/trustedbsd/sedarwin8/policies/console/mac_console.h#2 edit .. //depot/projects/trustedbsd/sedarwin8/policies/device_access/mac_device_access.c#2 edit .. //depot/projects/trustedbsd/sedarwin8/policies/extattr_test/mac_extattr_test.c#5 edit .. //depot/projects/trustedbsd/sedarwin8/policies/fwinteg/mac_fwinteg.c#5 edit .. //depot/projects/trustedbsd/sedarwin8/policies/ipctrace/module/ipctrace.c#6 edit .. //depot/projects/trustedbsd/sedarwin8/policies/mls/mac_mls.c#10 edit .. //depot/projects/trustedbsd/sedarwin8/policies/multilabel/multilabel.c#4 edit .. //depot/projects/trustedbsd/sedarwin8/policies/readonly/mac_readonly.c#4 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#21 edit .. //depot/projects/trustedbsd/sedarwin8/policies/stacktrace/module/mac_stacktrace.c#4 edit .. //depot/projects/trustedbsd/sedarwin8/policies/test/Makefile#2 edit .. //depot/projects/trustedbsd/sedarwin8/policies/test/mac_parse.pl#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/test/mac_test.c#9 edit .. //depot/projects/trustedbsd/sedarwin8/policies/vanity/vanity.c#4 edit .. //depot/projects/trustedbsd/sedarwin8/policies/xattr/xattr.c#4 edit Differences ... ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/bsm/audit_kernel.h#4 (text+ko) ==== @@ -250,7 +250,7 @@ #ifdef MAC /* MAC security related fields added by MAC policies - * ar_forced_by_mac is 1 if mac_audit_preselect() forced this + * ar_forced_by_mac is 1 if mac_audit_check_preselect() forced this * call to be audited, 0 otherwise. */ LIST_HEAD(mac_audit_record_list_t, mac_audit_record) *ar_mac_records; @@ -291,7 +291,7 @@ #ifdef MAC /* * The parameter list of audit_syscall_exit() was modified to also take the - * Darwin syscall number, which is required by mac_audit_postselect(). + * Darwin syscall number, which is required by mac_audit_check_postselect(). */ void audit_syscall_exit(unsigned short code, int error, struct proc *proc, struct uthread *uthread); ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/bsd_init.c#5 (text+ko) ==== @@ -391,8 +391,8 @@ file_lock_init(); #ifdef MAC - mac_proc_create_swapper(p->p_ucred); - mac_task_update_from_cred (p->p_ucred, (struct task *) p->task); + mac_cred_label_associate_kernel(p->p_ucred); + mac_task_label_update_cred (p->p_ucred, (struct task *) p->task); #endif /* Create the file descriptor table. */ @@ -662,8 +662,8 @@ vm_set_shared_region(get_threadtask(th_act), system_region); } #ifdef MAC - mac_proc_create_init(p->p_ucred); - mac_task_update_from_cred (p->p_ucred, (struct task *) p->task); + mac_cred_label_associate_user(p->p_ucred); + mac_task_label_update_cred (p->p_ucred, (struct task *) p->task); #endif load_init_program(p); /* turn on app-profiling i.e. pre-heating */ ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_audit.c#6 (text+ko) ==== @@ -1506,7 +1506,7 @@ } mac.m_buflen = MAC_AUDIT_LABEL_LEN; mac.m_string = ar->k_ar.ar_cred_mac_labels; - mac_cred_get_audit_labels(p, &mac); + mac_cred_label_externalize_audit(p, &mac); ar->k_ar.ar_mac_records = (struct mac_audit_record_list_t *) kalloc(sizeof(*ar->k_ar.ar_mac_records)); @@ -1708,7 +1708,7 @@ do { int error; - error = mac_audit_preselect(kauth_cred_get(), code, + error = mac_audit_check_preselect(kauth_cred_get(), code, (void *) uthread->uu_arg); if (error == MAC_AUDIT_YES) { @@ -1736,7 +1736,7 @@ /* * Note: The audit_syscall_exit() parameter list was modified to support - * mac_audit_postselect(), which requires the Darwin syscall number. + * mac_audit_check_postselect(), which requires the Darwin syscall number. */ #ifdef MAC void @@ -1770,13 +1770,13 @@ /* * Note, no other postselect mechanism exists. If - * mac_audit_postselect returns MAC_AUDIT_NO, the + * mac_audit_check_postselect returns MAC_AUDIT_NO, the * record will be suppressed. Other values at this * point result in the audit record being committed. * This suppression behavior will probably go away in * the port to 10.3.4. */ - mac_error = mac_audit_postselect(kauth_cred_get(), code, + mac_error = mac_audit_check_postselect(kauth_cred_get(), code, (void *) uthread->uu_arg, error, retval, uthread->uu_ar->k_ar.ar_forced_by_mac); @@ -2505,7 +2505,7 @@ if (*vnode_mac_labelp != NULL) { mac.m_buflen = MAC_AUDIT_LABEL_LEN; mac.m_string = *vnode_mac_labelp; - mac_vnode_get_audit_labels(vp, &mac); + mac_vnode_label_externalize_audit(vp, &mac); } else { /* XXX What to do here? This may be an "audit6" req. */ printf("Could not store vnode audit labels"); ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_credential.c#4 (text+ko) ==== @@ -1601,7 +1601,7 @@ #endif #ifdef MAC - mac_cred_init(newcred); + mac_cred_label_init(newcred); #endif return(newcred); @@ -1654,7 +1654,7 @@ if (err == 0) break; #ifdef MAC - mac_cred_destroy(new_cred); + mac_cred_label_destroy(new_cred); #endif FREE(new_cred, M_KAUTH); new_cred = NULL; @@ -1932,19 +1932,19 @@ * Update the MAC label associated with a credential. */ kauth_cred_t -kauth_cred_setlabel(kauth_cred_t cred, struct label *label) +kauth_cred_label_update(kauth_cred_t cred, struct label *label) { kauth_cred_t newcred; struct ucred temp_cred; bcopy(cred, &temp_cred, sizeof(temp_cred)); - mac_cred_init(&temp_cred); - mac_cred_create(cred, &temp_cred); - mac_cred_setlabel(&temp_cred, label); + mac_cred_label_init(&temp_cred); + mac_cred_label_associate(cred, &temp_cred); + mac_cred_label_update(&temp_cred, label); newcred = kauth_cred_update(cred, &temp_cred, TRUE); - mac_cred_destroy(&temp_cred); + mac_cred_label_destroy(&temp_cred); return (newcred); } #endif @@ -2016,7 +2016,7 @@ bcopy(cred, newcred, sizeof(*newcred)); #ifdef MAC newcred->cr_label = temp_label; - mac_cred_create(cred, newcred); + mac_cred_label_associate(cred, newcred); #endif newcred->cr_ref = 1; } @@ -2041,7 +2041,7 @@ if (error == 0) break; #ifdef MAC - mac_cred_destroy(newcred); + mac_cred_label_destroy(newcred); #endif FREE(newcred, M_KAUTH); } @@ -2106,7 +2106,7 @@ if (err == 0) break; #ifdef MAC - mac_cred_destroy(newcred); + mac_cred_label_destroy(newcred); #endif FREE(newcred, M_KAUTH); newcred = NULL; @@ -2162,7 +2162,7 @@ if (err == 0) break; #ifdef MAC - mac_cred_destroy(new_cred); + mac_cred_label_destroy(new_cred); #endif FREE(new_cred, M_KAUTH); new_cred = NULL; @@ -2226,7 +2226,7 @@ /* found a match, remove it from the hash table */ TAILQ_REMOVE(&kauth_cred_table_anchor[hash_key], found_cred, cr_link); #ifdef MAC - mac_cred_destroy(cred); + mac_cred_label_destroy(cred); #endif FREE(cred, M_KAUTH); #if KAUTH_CRED_HASH_DEBUG ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_exec.c#4 (text+ko) ==== @@ -886,10 +886,10 @@ #ifdef MAC if (uap->mac_p != USER_ADDR_NULL) { - imgp->ip_execlabelp = mac_cred_alloc_label(); + imgp->ip_execlabelp = mac_cred_label_alloc(); error = mac_execve_enter(uap->mac_p, imgp->ip_execlabelp); if (error) { - mac_cred_free_label(imgp->ip_execlabelp); + mac_cred_label_free(imgp->ip_execlabelp); return (error); } } @@ -973,8 +973,8 @@ * actually read by the interpreter. */ #ifdef MAC - imgp->ip_scriptlabelp = mac_vnode_alloc_label(); - mac_vnode_copy_label(imgp->ip_vp->v_label, + imgp->ip_scriptlabelp = mac_vnode_label_alloc(); + mac_vnode_label_copy(imgp->ip_vp->v_label, imgp->ip_scriptlabelp); #endif vnode_put(imgp->ip_vp); @@ -1019,9 +1019,9 @@ } #ifdef MAC if (imgp->ip_execlabelp) - mac_cred_free_label(imgp->ip_execlabelp); + mac_cred_label_free(imgp->ip_execlabelp); if (imgp->ip_scriptlabelp) - mac_vnode_free_label(imgp->ip_scriptlabelp); + mac_vnode_label_free(imgp->ip_scriptlabelp); #endif return(error); @@ -1462,7 +1462,7 @@ #ifdef MAC int mac_transition; - mac_transition = mac_vnode_execve_will_transition(cred, imgp->ip_vp, + mac_transition = mac_cred_check_label_update_execve(cred, imgp->ip_vp, imgp->ip_scriptlabelp, imgp->ip_execlabelp, p); #endif @@ -1507,9 +1507,9 @@ * something similar here, or risk vulnerability. */ if (mac_transition && !imgp->ip_no_trans) { - mac_vnode_execve_transition(cred, p->p_ucred, imgp->ip_vp, + mac_cred_label_update_execve(cred, p->p_ucred, imgp->ip_vp, imgp->ip_scriptlabelp, imgp->ip_execlabelp); - mac_task_update_from_cred(p->p_ucred, p->task); + mac_task_label_update_cred(p->p_ucred, p->task); } #endif /* ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_exit.c#4 (text+ko) ==== @@ -209,7 +209,7 @@ /* * The parameter list of audit_syscall_exit() was augmented to * take the Darwin syscall number as the first parameter, - * which is currently required by mac_audit_postselect(). + * which is currently required by mac_audit_check_postselect(). */ AUDIT_SYSCALL_EXIT(SYS_exit, 0, p, ut); /* Exit is always successfull */ @@ -630,7 +630,7 @@ wakeup(&child->p_stat); #ifdef MAC - mac_proc_destroy(child); + mac_proc_label_destroy(child); #endif lck_mtx_destroy(&child->p_mlock, proc_lck_grp); ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_fork.c#4 (text+ko) ==== @@ -290,7 +290,7 @@ } #ifdef MAC - mac_task_update_from_cred(child->p_ucred, task); + mac_task_label_update_cred(child->p_ucred, task); #endif if (child->p_nice != 0) @@ -443,7 +443,7 @@ panic("forkproc: M_SUBPROC zone exhausted (p_sigacts)"); #ifdef MAC - mac_proc_init(newproc); + mac_proc_label_init(newproc); #endif /* ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_proc.c#4 (text+ko) ==== @@ -894,7 +894,7 @@ LIST_INIT(&l->lc_members); lck_mtx_init(&l->lc_mtx, lctx_lck_grp, lctx_lck_attr); #ifdef MAC - l->lc_label = mac_lctx_alloc_label(); + l->lc_label = mac_lctx_label_alloc(); #endif ALLLCTX_LOCK; LIST_INSERT_HEAD(&alllctx, l, lc_list); @@ -920,9 +920,9 @@ #ifdef MAC if (create) - mac_proc_create_lctx(p, l); + mac_lctx_label_associate(p, l); else - mac_proc_join_lctx(p, l); + mac_lctx_notify_join(p, l); #endif LCTX_UNLOCK(l); @@ -946,7 +946,7 @@ LIST_REMOVE(p, p_lclist); l->lc_mc--; #ifdef MAC - mac_proc_leave_lctx(p, l); + mac_lctx_notify_leave(p, l); #endif if (LIST_EMPTY(&l->lc_members)) { ALLLCTX_LOCK; @@ -956,7 +956,7 @@ LCTX_UNLOCK(l); lck_mtx_destroy(&l->lc_mtx, lctx_lck_grp); #ifdef MAC - mac_lctx_free_label(l->lc_label); + mac_lctx_label_free(l->lc_label); l->lc_label = NULL; #endif FREE(l, M_LCTX); ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_prot.c#6 (text+ko) ==== @@ -1013,7 +1013,7 @@ HOST_PRIV_NULL : host_priv_self()) != KERN_SUCCESS); #ifdef MAC - mac_task_update_from_cred(p->p_ucred, p->task); + mac_task_label_update_cred(p->p_ucred, p->task); #endif } ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_sig.c#4 (text+ko) ==== @@ -135,7 +135,7 @@ void exit1(struct proc *, int, int *); void psignal_uthread(thread_t, int); kern_return_t do_bsdexception(int, int, int); -void __posixsem_syscall_return(kern_return_t); +void __posix_sem_syscall_return(kern_return_t); /* implementations in osfmk/kern/sync_sema.c. We do not want port.h in this scope, so void * them */ kern_return_t semaphore_timedwait_signal_trap_internal(void *, void *,time_t, int32_t, void (*)(int)); @@ -841,7 +841,7 @@ } void -__posixsem_syscall_return(kern_return_t kern_result) +__posix_sem_syscall_return(kern_return_t kern_result) { int error = 0; @@ -885,17 +885,17 @@ } if (uap->mutex_sem == (void *)NULL) - kern_result = semaphore_timedwait_trap_internal(uap->cond_sem, then.tv_sec, then.tv_nsec, __posixsem_syscall_return); + kern_result = semaphore_timedwait_trap_internal(uap->cond_sem, then.tv_sec, then.tv_nsec, __posix_sem_syscall_return); else - kern_result = semaphore_timedwait_signal_trap_internal(uap->cond_sem, uap->mutex_sem, then.tv_sec, then.tv_nsec, __posixsem_syscall_return); + kern_result = semaphore_timedwait_signal_trap_internal(uap->cond_sem, uap->mutex_sem, then.tv_sec, then.tv_nsec, __posix_sem_syscall_return); } else { if (uap->mutex_sem == (void *)NULL) - kern_result = semaphore_wait_trap_internal(uap->cond_sem, __posixsem_syscall_return); + kern_result = semaphore_wait_trap_internal(uap->cond_sem, __posix_sem_syscall_return); else - kern_result = semaphore_wait_signal_trap_internal(uap->cond_sem, uap->mutex_sem, __posixsem_syscall_return); + kern_result = semaphore_wait_signal_trap_internal(uap->cond_sem, uap->mutex_sem, __posix_sem_syscall_return); } out: ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/posix_sem.c#3 (text+ko) ==== @@ -144,11 +144,11 @@ LIST_HEAD(psemhashhead, psemcache) *psemhashtbl; /* Hash Table */ u_long psemhash; /* size of hash table - 1 */ long psemnument; /* number of cache entries allocated */ -long posixsem_max = 10000; /* tunable for max POSIX semaphores */ +long posix_sem_max = 10000; /* tunable for max POSIX semaphores */ /* 10000 limits to ~1M of memory */ SYSCTL_NODE(_kern, KERN_POSIX, posix, CTLFLAG_RW, 0, "Posix"); SYSCTL_NODE(_kern_posix, OID_AUTO, sem, CTLFLAG_RW, 0, "Semaphores"); -SYSCTL_INT (_kern_posix_sem, OID_AUTO, max, CTLFLAG_RW, &posixsem_max, 0, "max"); +SYSCTL_INT (_kern_posix_sem, OID_AUTO, max, CTLFLAG_RW, &posix_sem_max, 0, "max"); struct psemstats psemstats; /* cache effectiveness statistics */ @@ -271,7 +271,7 @@ if (psem_cache_search(&dpinfo, pnp, &dpcp) == -1) { return(EEXIST); } - if (psemnument >= posixsem_max) + if (psemnument >= posix_sem_max) return(ENOSPC); psemnument++; /* @@ -487,14 +487,14 @@ pinfo->sem_proc = p; #ifdef MAC PSEM_SUBSYS_UNLOCK(); - mac_posixsem_init(pinfo); + mac_posixsem_label_init(pinfo); PSEM_SUBSYS_LOCK(); error = mac_posixsem_check_create(kauth_cred_get(), nameptr); if (error) { PSEM_SUBSYS_UNLOCK(); goto bad2; } - mac_posixsem_create(kauth_cred_get(), pinfo, nameptr); + mac_posixsem_label_associate(kauth_cred_get(), pinfo, nameptr); #endif } else { /* semaphore should exist as it is without O_CREAT */ @@ -582,7 +582,7 @@ bad1: if (pinfo_alloc) { #ifdef MAC - mac_posixsem_destroy(pinfo); + mac_posixsem_label_destroy(pinfo); #endif FREE(pinfo, M_SHM); } @@ -1030,7 +1030,7 @@ kret = semaphore_destroy(kernel_task, pinfo->psem_semobject); #ifdef MAC - mac_posixsem_destroy(pinfo); + mac_posixsem_label_destroy(pinfo); #endif switch (kret) { ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/posix_shm.c#3 (text+ko) ==== @@ -488,14 +488,14 @@ pinfo->pshm_gid = kauth_cred_get()->cr_gid; #ifdef MAC PSHM_SUBSYS_UNLOCK(); - mac_posixshm_init(pinfo); + mac_posixshm_label_init(pinfo); PSHM_SUBSYS_LOCK(); error = mac_posixshm_check_create(kauth_cred_get(), nameptr); if (error) { PSHM_SUBSYS_UNLOCK(); goto bad2; } - mac_posixshm_create(kauth_cred_get(), pinfo, nameptr); + mac_posixshm_label_associate(kauth_cred_get(), pinfo, nameptr); #endif } else { /* already exists */ @@ -597,7 +597,7 @@ bad2: if (pinfo_alloc) { #ifdef MAC - mac_posixshm_destroy(pinfo); + mac_posixshm_label_destroy(pinfo); #endif FREE(pinfo, M_SHM); } @@ -1028,7 +1028,7 @@ mach_memory_entry_port_release(pinfo->pshm_memobject); PSHM_SUBSYS_LOCK(); #ifdef MAC - mac_posixshm_destroy(pinfo); + mac_posixshm_label_destroy(pinfo); #endif FREE(pinfo,M_SHM); } ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/sys_pipe.c#3 (text+ko) ==== @@ -353,12 +353,12 @@ * XXXXXXXX SHOULD NOT HOLD FILE_LOCK() XXXXXXXXXXXX * * struct pipe represents a pipe endpoint. The MAC label is shared - * between the connected endpoints. As a result mac_pipe_init() and - * mac_pipe_create() should only be called on one of the endpoints + * between the connected endpoints. As a result mac_pipe_label_init() and + * mac_pipe_label_associate() should only be called on one of the endpoints * after they have been connected. */ - mac_pipe_init(rpipe); - mac_pipe_create(kauth_cred_get(), rpipe); + mac_pipe_label_init(rpipe); + mac_pipe_label_associate(kauth_cred_get(), rpipe); wpipe->pipe_label = rpipe->pipe_label; #endif proc_fdlock(p); @@ -1479,7 +1479,7 @@ * Free the shared pipe label only after the two ends are disconnected. */ if (cpipe->pipe_label != NULL && cpipe->pipe_peer == NULL) - mac_pipe_destroy(cpipe); + mac_pipe_label_destroy(cpipe); #endif /* ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/sysv_msg.c#5 (text+ko) ==== @@ -227,7 +227,7 @@ msghdrs[i-1].msg_next = &msghdrs[i]; msghdrs[i].msg_next = NULL; #ifdef MAC - mac_sysvmsg_init(&msghdrs[i]); + mac_sysvmsg_label_init(&msghdrs[i]); #endif } free_msghdrs = &msghdrs[0]; @@ -239,7 +239,7 @@ msqids[i].u.msg_qbytes = 0; /* implies entry is available */ msqids[i].u.msg_perm.seq = 0; /* reset to a known value */ #ifdef MAC - mac_sysvmsq_init(&msqids[i]); + mac_sysvmsq_label_init(&msqids[i]); #endif } } @@ -278,7 +278,7 @@ msghdr->msg_next = free_msghdrs; free_msghdrs = msghdr; #ifdef MAC - mac_sysvmsg_cleanup(msghdr); + mac_sysvmsg_label_recycle(msghdr); #endif } @@ -383,7 +383,7 @@ msqptr->u.msg_qbytes = 0; /* Mark it as free */ #ifdef MAC - mac_sysvmsq_cleanup(msqptr); + mac_sysvmsq_label_recycle(msqptr); #endif wakeup((caddr_t)msqptr); @@ -570,7 +570,7 @@ msqptr->u.msg_rtime = 0; msqptr->u.msg_ctime = sysv_msgtime(); #ifdef MAC - mac_sysvmsq_create(cred, msqptr); + mac_sysvmsq_label_associate(cred, msqptr); #endif } else { #ifdef MSG_DEBUG_OK @@ -803,7 +803,7 @@ msghdr->msg_ts = msgsz; #ifdef MAC - mac_sysvmsg_create(kauth_cred_get(), msqptr, msghdr); + mac_sysvmsg_label_associate(kauth_cred_get(), msqptr, msghdr); #endif /* * Allocate space for the message ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/sysv_sem.c#5 (text+ko) ==== @@ -326,7 +326,7 @@ #ifdef MAC for (i = seminfo.semmni; i < newSize; i++) { - mac_sysvsem_init(&newSema[i]); + mac_sysvsem_label_init(&newSema[i]); } #endif @@ -683,7 +683,7 @@ } semakptr->u.sem_perm.mode = 0; #ifdef MAC - mac_sysvsem_cleanup(semakptr); + mac_sysvsem_label_recycle(semakptr); #endif semundo_clear(semid, -1); wakeup((caddr_t)semakptr); @@ -952,7 +952,7 @@ bzero(sema[semid].u.sem_base, sizeof(sema[semid].u.sem_base[0])*nsems); #ifdef MAC - mac_sysvsem_create(cred, &sema[semid]); + mac_sysvsem_label_associate(cred, &sema[semid]); #endif #ifdef SEM_DEBUG printf("sembase = 0x%x, next = 0x%x\n", sema[semid].u.sem_base, ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/sysv_shm.c#5 (text+ko) ==== @@ -246,7 +246,7 @@ shmseg->u.shm_perm.mode = SHMSEG_FREE; #ifdef MAC /* Reset the MAC label */ - mac_sysvshm_cleanup(shmseg); + mac_sysvshm_label_recycle(shmseg); #endif } @@ -685,7 +685,7 @@ shmseg->u.shm_lpid = shmseg->u.shm_nattch = 0; shmseg->u.shm_atime = shmseg->u.shm_dtime = 0; #ifdef MAC - mac_sysvshm_create(cred, shmseg); + mac_sysvshm_label_associate(cred, shmseg); #endif shmseg->u.shm_ctime = sysv_shmtime(); shm_committed += btoc(size); @@ -870,7 +870,7 @@ shmsegs[i].u.shm_perm.mode = SHMSEG_FREE; shmsegs[i].u.shm_perm.seq = 0; #ifdef MAC - mac_sysvshm_init(&shmsegs[i]); + mac_sysvshm_label_init(&shmsegs[i]); #endif } shm_last_free = 0; ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/uipc_mbuf.c#4 (text+ko) ==== @@ -506,7 +506,7 @@ m->m_data = m->m_pktdat; _M_CLEAR_PKTHDR(m); #ifdef MAC - if (mac_mbuf_init(m, canwait)) { + if (mac_mbuf_label_init(m, canwait)) { m_free(m); return (NULL); } @@ -577,7 +577,7 @@ m->m_len = 0; _M_CLEAR_PKTHDR(m) #ifdef MAC - if (mac_mbuf_init(m, nowait)) { + if (mac_mbuf_label_init(m, nowait)) { m_free(m); return (NULL); } @@ -921,7 +921,7 @@ _M_CLEAR_PKTHDR(m); #ifdef MAC MBUF_UNLOCK(); - if (mac_mbuf_init(m, how)) { + if (mac_mbuf_label_init(m, how)) { m_free(m); goto fail; } @@ -1094,7 +1094,7 @@ _M_CLEAR_PKTHDR(m); #ifdef MAC MBUF_UNLOCK(); - if (mac_mbuf_init(m, how)) { + if (mac_mbuf_label_init(m, how)) { m_free(m); goto fail; } @@ -1237,7 +1237,7 @@ _M_CLEAR_PKTHDR(m); #ifdef MAC MBUF_UNLOCK(); - if (mac_mbuf_init(m, how)) { + if (mac_mbuf_label_init(m, how)) { m_free(m); return(top); } @@ -1644,7 +1644,7 @@ _M_CLEAR_PKTHDR(n); #ifdef MAC MBUF_UNLOCK(); - if (mac_mbuf_init(n, wait)) { + if (mac_mbuf_label_init(n, wait)) { m_free(n); goto nospace_unlock; } ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/uipc_mbuf2.c#4 (text+ko) ==== @@ -482,7 +482,7 @@ if (t != NULL && t->m_tag_id == KERNEL_MODULE_TAG_ID && t->m_tag_type == KERNEL_TAG_TYPE_MACLABEL) - mac_mbuf_destroy_tag(t); + mac_mbuf_tag_destroy(t); #endif #ifndef __APPLE__ free(t, M_PACKET_TAGS); @@ -580,11 +580,11 @@ if (t != NULL && t->m_tag_id == KERNEL_MODULE_TAG_ID && t->m_tag_type == KERNEL_TAG_TYPE_MACLABEL) { - if (mac_mbuf_init_tag(p, how) != 0) { + if (mac_mbuf_tag_init(p, how) != 0) { m_tag_free(p); return (NULL); } - mac_mbuf_copy_tag(t, p); + mac_mbuf_tag_copy(t, p); } else #endif bcopy(t + 1, p + 1, t->m_tag_len); /* Copy the data */ ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/uipc_socket.c#5 (text+ko) ==== @@ -424,7 +424,7 @@ so->so_gencnt = ++so_gencnt; so->so_zone = socket_zone; #ifdef MAC_SOCKET - if (mac_socket_init(so, waitok) != 0) { + if (mac_socket_label_init(so, waitok) != 0) { sodealloc(so); return (NULL); } @@ -490,7 +490,7 @@ so->so_rcv.sb_so = so->so_snd.sb_so = so; #endif #ifdef MAC_SOCKET - mac_socket_create(kauth_cred_get(), so); + mac_socket_label_associate(kauth_cred_get(), so); #endif //### Attachement will create the per pcb lock if necessary and increase refcount @@ -574,7 +574,7 @@ so->so_gencnt = ++so_gencnt; #ifdef MAC_SOCKET - mac_socket_destroy(so); + mac_socket_label_destroy(so); #endif #ifndef __APPLE__ if (so->so_rcv.sb_hiwat) @@ -2557,7 +2557,7 @@ sizeof(extmac)); if (error) return (error); - error = mac_socket_getlabel(proc_ucred(sopt->sopt_p), + error = mac_socket_label_get(proc_ucred(sopt->sopt_p), so, &extmac); if (error) return (error); @@ -2573,7 +2573,7 @@ sizeof(extmac)); if (error) return (error); - error = mac_getsockopt_peerlabel( + error = mac_socketpeer_label_get( proc_ucred(sopt->sopt_p), so, &extmac); if (error) return (error); ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/uipc_socket2.c#4 (text+ko) ==== @@ -294,7 +294,7 @@ so->so_uid = head->so_uid; so->so_usecount = 1; #ifdef MAC_SOCKET - mac_socket_accept(head, so); + mac_socket_label_associate_accept(head, so); #endif #ifdef __APPLE__ ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/uipc_usrreq.c#5 (text+ko) ==== @@ -809,8 +809,8 @@ #ifdef MAC_SOCKET /* XXXMAC: recursive lock: SOCK_LOCK(so); */ - mac_socket_peer_set_from_socket(so, so3); - mac_socket_peer_set_from_socket(so3, so); + mac_socketpeer_label_associate_socket(so, so3); + mac_socketpeer_label_associate_socket(so3, so); /* XXXMAC: SOCK_UNLOCK(so); */ #endif so2->so_usecount--; /* drop reference taken on so2 */ ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/miscfs/devfs/devfs_tree.c#4 (text+ko) ==== @@ -165,8 +165,8 @@ TAILQ_INIT(&devfs_hidden_mount->mnt_workerqueue); TAILQ_INIT(&devfs_hidden_mount->mnt_newvnodes); #ifdef MAC - mac_mount_init(devfs_hidden_mount); - mac_mount_create(kauth_cred_get(), devfs_hidden_mount); + mac_mount_label_init(devfs_hidden_mount); + mac_mount_label_associate(kauth_cred_get(), devfs_hidden_mount); #endif /* Initialize the default IO constraints */ @@ -178,7 +178,7 @@ = (struct devfsmount *)devfs_hidden_mount->mnt_data; #endif /* HIDDEN_MOUNTPOINT */ #ifdef MAC - mac_devfs_create_directory(NULL, "/", strlen("/"), + mac_devfs_label_associate_directory(NULL, "/", strlen("/"), dev_root->de_dnp, "/"); #endif devfs_ready = 1; @@ -308,7 +308,7 @@ break; dnp = dirent_p->de_dnp; #ifdef MAC - mac_devfs_create_directory(NULL, + mac_devfs_label_associate_directory(NULL, dirnode->dn_typeinfo.Dir.myname->de_name, strlen(dirnode->dn_typeinfo.Dir.myname->de_name), dnp, fullpath); @@ -513,8 +513,8 @@ dnp->dn_nextsibling = proto; proto->dn_prevsiblingp = &(dnp->dn_nextsibling); #ifdef MAC - mac_devfs_init(dnp); - mac_devfs_copy_label(proto->dn_label, dnp->dn_label); + mac_devfs_label_init(dnp); + mac_devfs_label_copy(proto->dn_label, dnp->dn_label); #endif } else { struct timeval tv; @@ -531,7 +531,7 @@ dnp->dn_mtime.tv_sec = tv.tv_sec; dnp->dn_ctime.tv_sec = tv.tv_sec; #ifdef MAC - mac_devfs_init(dnp); + mac_devfs_label_init(dnp); #endif } dnp->dn_dvm = dvm; @@ -613,7 +613,7 @@ return; } #ifdef MAC - mac_devfs_destroy(dnp); + mac_devfs_label_destroy(dnp); #endif if (dnp->dn_type == DEV_SLNK) { DEVFS_DECR_STRINGSPACE(dnp->dn_typeinfo.Slnk.namelen + 1); @@ -1080,7 +1080,7 @@ vnode_lock(vn_p); if ((vn_p->v_lflag & VL_LABELED) == 0) { vn_p->v_lflag |= VL_LABEL; - mac_devfs_vnode_associate(dnp->dn_dvm->mount, dnp, vn_p); + mac_vnode_label_associate_devfs(dnp->dn_dvm->mount, dnp, vn_p); vn_p->v_lflag |= VL_LABELED; vn_p->v_lflag &= ~VL_LABEL; @@ -1225,7 +1225,7 @@ new_dev->de_dnp->dn_uid = uid; new_dev->de_dnp->dn_mode |= perms; #ifdef MAC - mac_devfs_create_device(NULL, NULL, dev, new_dev->de_dnp, + mac_devfs_label_associate_device(NULL, NULL, dev, new_dev->de_dnp, buff); #endif devfs_propogate(dnp->dn_typeinfo.Dir.myname, new_dev); ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/miscfs/devfs/devfs_vfsops.c#3 (text+ko) ==== @@ -419,8 +419,8 @@ mp->mnt_vfsstat.f_owner = kauth_cred_getuid(kauth_cred_get()); (void) copystr(mntname, mp->mnt_vfsstat.f_mntonname, MAXPATHLEN - 1, 0); #ifdef MAC - mac_mount_init(mp); - mac_mount_create(kauth_cred_get(), mp); + mac_mount_label_init(mp); + mac_mount_label_associate(kauth_cred_get(), mp); #endif error = devfs_mount(mp, NULL, NULL, &context); @@ -433,7 +433,7 @@ mount_lock_destroy(mp); #ifdef MAC - mac_mount_destroy(mp); + mac_mount_label_destroy(mp); #endif FREE_ZONE(mp, sizeof (struct mount), M_MOUNT); vnode_put(vp); ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/miscfs/devfs/devfs_vnops.c#3 (text+ko) ==== >>> TRUNCATED FOR MAIL (1000 lines) <<<