From owner-p4-projects@FreeBSD.ORG Wed Aug 30 21:00:33 2006
Return-Path:
X-Original-To: p4-projects@freebsd.org
Delivered-To: p4-projects@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 32767) id 56C5016A4E0; Wed, 30 Aug 2006 21:00:33 +0000 (UTC)
X-Original-To: perforce@freebsd.org
Delivered-To: perforce@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 30B1516A4DD for ; Wed, 30 Aug 2006 21:00:33 +0000 (UTC) (envelope-from millert@freebsd.org)
Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id B8C2943D45 for ; Wed, 30 Aug 2006 21:00:32 +0000 (GMT) (envelope-from millert@freebsd.org)
Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.13.6/8.13.6) with ESMTP id k7UL0Wvn033613 for ; Wed, 30 Aug 2006 21:00:32 GMT (envelope-from millert@freebsd.org)
Received: (from perforce@localhost) by repoman.freebsd.org (8.13.6/8.13.4/Submit) id k7UL0VRe033610 for perforce@freebsd.org; Wed, 30 Aug 2006 21:00:31 GMT (envelope-from millert@freebsd.org)
Date: Wed, 30 Aug 2006 21:00:31 GMT
Message-Id: <200608302100.k7UL0VRe033610@repoman.freebsd.org>
X-Authentication-Warning: repoman.freebsd.org: perforce set sender to millert@freebsd.org using -f
From: Todd Miller
To: Perforce Change Reviews
Cc:
Subject: PERFORCE change 105361 for review
X-BeenThere: p4-projects@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: p4 projects tree changes
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 30 Aug 2006 21:00:33 -0000

http://perforce.freebsd.org/chv.cgi?CH=105361

Change 105361 by millert@millert_g4tower on 2006/08/30 21:00:07

	Split the MAC Framework kernel interface (the mac_foo routines) out
	into a separate header file, mac_framework.h. This mirrors a similar
	change in the TrustedBSD mac2 branch.

Affected files ...

.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/bsm/audit_kernel.h#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/bsd_init.c#3 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_acct.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_audit.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_bsm_audit.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_credential.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_exec.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_exit.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_fork.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_proc.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_prot.c#3 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_time.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_xxx.c#3 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/sys_socket.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/sysv_sem.c#3 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/sysv_shm.c#3 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/uipc_mbuf.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/uipc_mbuf2.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/uipc_socket.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/uipc_usrreq.c#3 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/miscfs/devfs/devfs_tree.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/miscfs/devfs/devfsdefs.h#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/net/bpf.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/net/bsd_comp.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/net/dlil.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/net/ppp_deflate.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/igmp.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/ip_icmp.c#3 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/ip_mroute.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/ip_output.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/raw_ip.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/tcp_input.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/tcp_output.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/tcp_subr.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet6/ip6_mroute.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet6/ip6_output.c#3 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet6/mld6.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/nfs/nfs_syscalls.c#3 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/nfs/nfs_vfsops.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/vfs/kpi_vfs.c#2 edit
//depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/vfs/vfs_attrlist.c#2 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/vfs/vfs_init.c#2 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/vfs/vfs_lookup.c#2 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/vfs/vfs_subr.c#2 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/vfs/vfs_syscalls.c#5 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/vfs/vfs_vnops.c#3 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/vfs/vfs_xattr.c#2 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/vm/dp_backing_file.c#3 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/Makefile#2 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac.h#6 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_framework.h#1 add Differences ... ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/bsm/audit_kernel.h#2 (text+ko) ==== @@ -32,7 +32,7 @@ #ifdef MAC #include -#include +#include #endif #ifdef KERNEL ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/bsd_init.c#3 (text+ko) ==== @@ -124,7 +124,7 @@ #include #ifdef MAC -#include +#include #endif extern int app_profile; /* on/off switch for pre-heat cache */ ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_acct.c#2 (text+ko) ==== @@ -89,7 +89,7 @@ #include #include #ifdef MAC -#include +#include #endif /* ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_audit.c#2 (text+ko) ==== @@ -69,6 +69,7 @@ #ifdef MAC #include +#include #include #endif ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_bsm_audit.c#2 (text+ko) ==== @@ -50,7 +50,7 @@ #include #ifdef MAC -#include +#include #endif /* The number of BSM records allocated. */ ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_credential.c#2 (text+ko) ==== 
@@ -61,7 +61,7 @@ #include #ifdef MAC -#include +#include #endif #define CRED_DIAGNOSTIC 1 ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_exec.c#2 (text+ko) ==== @@ -110,7 +110,7 @@ #include #ifdef MAC -#include +#include #endif #include ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_exit.c#2 (text+ko) ==== @@ -112,7 +112,7 @@ #endif #ifdef MAC -#include +#include #include #endif ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_fork.c#2 (text+ko) ==== @@ -101,7 +101,7 @@ #include #ifdef MAC -#include +#include #endif #include // for vm_map_commpage64 ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_proc.c#2 (text+ko) ==== @@ -90,7 +90,7 @@ #include #ifdef MAC -#include +#include #endif /* ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_prot.c#3 (text+ko) ==== @@ -94,7 +94,7 @@ #endif #ifdef MAC -#include +#include #endif #include ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_time.c#2 (text+ko) ==== @@ -76,7 +76,7 @@ #include #include #ifdef MAC -#include +#include #endif #define HZ 100 /* XXX */ ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/kern_xxx.c#3 (text+ko) ==== @@ -78,7 +78,7 @@ #include #include #ifdef MAC -#include +#include #endif int ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/sys_socket.c#2 (text+ko) ==== @@ -79,7 +79,7 @@ #include #ifdef MAC -#include +#include #endif /* ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/sysv_sem.c#3 (text+ko) ==== @@ -53,7 +53,7 @@ #include #include #ifdef MAC -#include +#include #endif #include ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/sysv_shm.c#3 (text+ko) ==== @@ -74,7 +74,7 @@ #include #include #ifdef MAC -#include +#include #endif #include ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/uipc_mbuf.c#2 (text+ko) ==== 
@@ -88,7 +88,7 @@ #include #ifdef MAC -#include +#include #endif extern vm_offset_t kmem_mb_alloc(vm_map_t , int ); ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/uipc_mbuf2.c#2 (text+ko) ==== @@ -106,7 +106,7 @@ #endif #ifdef MAC -#include +#include #endif /* ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/uipc_socket.c#2 (text+ko) ==== @@ -94,6 +94,7 @@ #ifdef MAC #include +#include #endif int so_cache_hw = 0; ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/uipc_usrreq.c#3 (text+ko) ==== @@ -87,7 +87,7 @@ #include #ifdef MAC -#include +#include #endif #define f_msgcount f_fglob->fg_msgcount ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/miscfs/devfs/devfs_tree.c#2 (text+ko) ==== @@ -97,7 +97,7 @@ #include "devfsdefs.h" #ifdef MAC -#include +#include #endif static void devfs_release_busy(devnode_t *); ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/miscfs/devfs/devfsdefs.h#2 (text+ko) ==== @@ -66,7 +66,7 @@ #include -#include +#include #ifdef __APPLE_API_PRIVATE #define DEVMAXNAMESIZE 32 /* XXX */ ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/net/bpf.c#2 (text+ko) ==== @@ -114,7 +114,7 @@ #include #ifdef MAC -#include +#include #endif extern int tvtohz(struct timeval *); ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/net/bsd_comp.c#2 (text+ko) ==== @@ -79,7 +79,7 @@ #include #ifdef MAC -#include +#include #endif #if DO_BSD_COMPRESS ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/net/dlil.c#2 (text+ko) ==== @@ -63,7 +63,7 @@ #include #ifdef MAC -#include +#include #endif #define DBG_LAYER_BEG DLILDBG_CODE(DBG_DLIL_STATIC, 0) ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/net/ppp_deflate.c#2 (text+ko) ==== @@ -65,7 +65,7 @@ #include #ifdef MAC -#include +#include #endif #if DO_DEFLATE ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/igmp.c#2 (text+ko) ==== 
@@ -96,7 +96,7 @@ #include #ifdef MAC -#include +#include #endif #ifndef __APPLE__ ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/ip_icmp.c#3 (text+ko) ==== @@ -98,7 +98,7 @@ #endif #ifdef MAC -#include +#include #endif /* XXX This one should go in sys/mbuf.h. It is used to avoid that ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/ip_mroute.c#2 (text+ko) ==== @@ -63,7 +63,7 @@ #include #ifdef MAC -#include +#include #endif #ifndef NTOHL ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/ip_output.c#2 (text+ko) ==== @@ -87,7 +87,7 @@ #include #ifdef MAC -#include +#include #endif #include "faith.h" ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/raw_ip.c#2 (text+ko) ==== @@ -99,7 +99,7 @@ #endif #ifdef MAC -#include +#include #endif #if IPSEC ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/tcp_input.c#2 (text+ko) ==== @@ -118,7 +118,7 @@ #endif /*IPSEC*/ #ifdef MAC -#include +#include #endif #include ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/tcp_output.c#2 (text+ko) ==== @@ -103,7 +103,7 @@ #endif /*IPSEC*/ #ifdef MAC -#include +#include #endif #define DBG_LAYER_BEG NETDBG_CODE(DBG_NETTCP, 1) ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet/tcp_subr.c#2 (text+ko) ==== @@ -123,7 +123,7 @@ #endif /*IPSEC*/ #ifdef MAC -#include +#include #endif #include ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet6/ip6_mroute.c#2 (text+ko) ==== @@ -80,7 +80,7 @@ #include #ifdef MAC -#include +#include #endif #ifndef __APPLE__ ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet6/ip6_output.c#3 (text+ko) ==== @@ -108,7 +108,7 @@ #endif /* IPSEC */ #ifdef MAC -#include +#include #endif #include ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/netinet6/mld6.c#2 (text+ko) ==== 
@@ -94,7 +94,7 @@ #include #ifdef MAC -#include +#include #endif /* ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/nfs/nfs_syscalls.c#3 (text+ko) ==== @@ -114,7 +114,7 @@ #include #include #ifdef MAC -#include +#include #endif extern void unix_syscall_return(int); ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/nfs/nfs_vfsops.c#2 (text+ko) ==== @@ -104,7 +104,7 @@ #include #include #ifdef MAC -#include +#include #endif extern int nfs_mountroot(void); ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/vfs/kpi_vfs.c#2 (text+ko) ==== @@ -108,7 +108,7 @@ #include #ifdef MAC -#include +#include #endif #define ESUCCESS 0 ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/vfs/vfs_attrlist.c#2 (text+ko) ==== @@ -46,7 +46,7 @@ #include #ifdef MAC -#include +#include #endif #define ATTR_TIME_SIZE -1 ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/vfs/vfs_init.c#2 (text+ko) ==== @@ -79,7 +79,7 @@ #include #ifdef MAC -#include +#include #include #endif ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/vfs/vfs_lookup.c#2 (text+ko) ==== @@ -86,7 +86,7 @@ #include #ifdef MAC -#include +#include #endif #if KTRACE ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/vfs/vfs_subr.c#2 (text+ko) ==== @@ -112,7 +112,7 @@ #include #ifdef MAC -#include +#include #endif extern lck_grp_t *vnode_lck_grp; ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/vfs/vfs_syscalls.c#5 (text+ko) ==== @@ -107,6 +107,7 @@ #ifdef MAC #include +#include #endif /* ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/vfs/vfs_vnops.c#3 (text+ko) ==== @@ -95,7 +95,7 @@ #include #ifdef MAC -#include +#include #endif ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/vfs/vfs_xattr.c#2 (text+ko) ==== @@ -47,7 +47,7 @@ #include #ifdef MAC -#include +#include #endif /* ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/vm/dp_backing_file.c#3 (text+ko) ==== 
@@ -64,7 +64,7 @@ #include #include #ifdef MAC -#include +#include #endif extern thread_t current_act(void); ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/Makefile#2 (text+ko) ==== @@ -23,6 +23,7 @@ mac.h \ mac_alloc.h \ mac_data.h \ + mac_framework.h \ mac_policy.h \ mac_mach_internal.h \ mac_internal.h ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac.h#6 (text+ko) ==== @@ -1,7 +1,7 @@ /*- * Copyright (c) 1999-2002 Robert N. M. Watson * Copyright (c) 2001-2005 Networks Associates Technology, Inc. - * Copyright (c) 2005 SPARTA, Inc. + * Copyright (c) 2005-2006 SPARTA, Inc. * All rights reserved. * * This software was developed by Robert Watson for the TrustedBSD Project. @@ -11,6 +11,9 @@ * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), * as part of the DARPA CHATS research program. * + * This software was enhanced by SPARTA ISSO under SPAWAR contract + * N66001-04-C-6019 ("SEFOS"). + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -35,7 +38,7 @@ * $FreeBSD: src/sys/sys/mac.h,v 1.40 2003/04/18 19:57:37 rwatson Exp $ */ /* - * Userland/kernel interface for Mandatory Access Control. + * Userland interface for Mandatory Access Control. * * The POSIX.1e implementation page may be reached at: * http://www.trustedbsd.org/ @@ -65,7 +68,6 @@ typedef struct mac *mac_t; #ifndef KERNEL - /* * Location of the userland MAC framework configuration file. mac.conf * binds policy names to shared libraries that understand those policies, 
@@ -104,433 +106,6 @@ int mac_syscall(const char *_policyname, int _call, void *_arg); int mac_to_text(mac_t mac, char **_text); __END_DECLS - -#else /* _KERNEL */ - -#ifdef MAC - -/* - * Kernel functions to manage and evaluate labels. - */ -struct auditinfo; -struct attrlist; -struct bpf_d; -struct componentname; -struct devnode; -struct fileproc; -struct ifnet; -struct lctx; -struct mount; -struct pseminfo; -struct pshminfo; -struct proc; -struct semid_kernel; -struct shmid_kernel; -struct uthread; -struct timespec; -struct ucred; -struct uio; -struct vnode_attr; -struct vnode; -struct socket; -struct sockaddr; -struct mbuf; -struct m_tag; -struct vop_setlabel_args; -struct pipe; - -/* - * Framework initialization. - */ -void mac_init_bsd(void); - -/* - * Label operations. - */ -void mac_init_cred(struct ucred *); -void mac_init_devfsdirent(struct devnode *); -int mac_init_mbuf(struct mbuf *, int); -int mac_init_mbuf_tag(struct m_tag *, int); -void mac_init_mount(struct mount *); -void mac_init_pipe(struct pipe *cpipe); -void mac_init_posix_sem(struct pseminfo *); -void mac_init_posix_shm(struct pshminfo *); -void mac_init_proc(struct proc *); -int mac_init_socket(struct socket *, int waitok); -void mac_init_sysv_msgmsg(struct msg *); -void mac_init_sysv_msgqueue(struct label *); -void mac_init_sysv_sem(struct semid_kernel*); -void mac_init_sysv_shm(struct shmid_kernel*); -void mac_init_vnode(struct vnode *vp); -void mac_copy_vnode_label(struct label *, struct label *label); -void mac_copy_devfs_label(struct label *, struct label *label); -void mac_copy_mbuf_tag(struct m_tag *, struct m_tag *); -void mac_copy_mbuf(struct mbuf *m_from, struct mbuf *m_to); -void mac_copy_socket_label(struct label *from, struct label *to); -void mac_destroy_cred(struct ucred *); -void mac_destroy_devfsdirent(struct devnode *); -void mac_destroy_mbuf(struct mbuf *); -void mac_destroy_mbuf_tag(struct m_tag *); -void mac_destroy_mount(struct mount *); -void mac_destroy_pipe(struct pipe 
*cpipe); -void mac_destroy_posix_sem(struct pseminfo *); -void mac_destroy_posix_shm(struct pshminfo *); -void mac_destroy_proc(struct proc *); -void mac_destroy_socket(struct socket *); -void mac_destroy_sysv_sem(struct semid_kernel *); -void mac_destroy_sysv_shm(struct shmid_kernel *); -void mac_destroy_vnode(struct vnode *); -int mac_internalize_mount_label(struct label *, char *string); -int mac_externalize_mount_label(struct label *label, char *elements, - char *outbuf, size_t outbuflen); - -struct label *mac_cred_label_alloc(void); -void mac_cred_label_free(struct label *label); -int mac_get_cred_audit_labels(struct proc *p, struct mac *mac); -struct label *mac_vnode_label_alloc(void); -void mac_vnode_label_free(struct label *label); -int mac_get_vnode_audit_labels(struct vnode *vp, - struct mac *mac); -struct label *mac_lctx_label_alloc(void); -void mac_lctx_label_free(struct label *label); - -#define mac_update_task_from_cred(cred, task) \ - mac_update_task_label(((cred)->cr_label), task) - -/* - * Labeling event operations: file system objects, and things that - * look a lot like file system objects. 
- */ -void mac_associate_vnode_devfs(struct mount *mp, struct devnode *de, - struct vnode *vp); -int mac_associate_vnode_extattr(struct mount *mp, struct vnode *vp); -void mac_associate_vnode_singlelabel(struct mount *mp, struct vnode *vp); -void mac_create_devfs_device(struct ucred *cr, struct mount *mp, dev_t dev, - struct devnode *de, const char *fullpath); -void mac_create_devfs_directory(struct mount *mp, char *dirname, - int dirnamelen, struct devnode *de, const char *fullpath); -void mac_create_devfs_symlink(struct ucred *cred, struct mount *mp, - struct devnode *dd, struct devnode *de, - const char *fullpath); -int mac_create_vnode_extattr(struct ucred *cred, struct mount *mp, - struct vnode *dvp, struct vnode *vp, struct componentname *cnp); -void mac_create_mount(struct ucred *cred, struct mount *mp); -void mac_relabel_vnode(struct ucred *cred, struct vnode *vp, - struct label *newlabel); -void mac_update_vnode_extattr(struct mount *mp, struct vnode *vp, - const char *name); -void mac_update_devfsdirent(struct mount *mp, struct devnode *de, - struct vnode *vp); - -#define VNODE_LABEL_CREATE 1 -#define VNODE_LABEL_NEEDREF 2 -int vnode_label(struct mount *mp, struct vnode *dvp, struct vnode *vp, - struct componentname *cnp, int flags, vfs_context_t ctx); - -/* - * Labeling event operations: Posix IPC primitives - */ -void mac_create_posix_sem(struct ucred *cred, struct pseminfo *psem, - const char *name); -void mac_create_posix_shm(struct ucred *cred, struct pshminfo *pshm, - const char *name); - -/* - * Labeling event operations: sockets and network IPC - * - * Note: all functions involving sockets (and other network objects yet to be - * implemented) hold (and rely on) the NETWORK_FUNNEL as opposed to the - * KERNEL_FUNNEL. When reading/writing kernel network objects, be sure to - * hold the NETWORK_FUNNEL. When reading/writing other types of kernel - * objects (vnode for example), be sure to hold the KERNEL_FUNNEL. 
- * - * XXX: Note that cred can be NULL in mac_create_socket() in Darwin. - */ -void mac_create_socket(struct ucred *cred, struct socket *so); -void mac_create_socket_from_socket(struct socket *oldsocket, - struct socket *newsocket); -void mac_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct mbuf *m); -void mac_create_mbuf_from_ifnet(struct ifnet *ifp, struct mbuf *m); -void mac_create_mbuf_from_socket(struct socket *so, struct mbuf *m); -void mac_set_socket_peer_from_socket(struct socket *peersocket, - struct socket *socket_to_modify); - -/* - * Labeling event operations: System V IPC primitives - */ -void mac_create_sysv_msgmsg(struct ucred *cred, - struct msqid_kernel *msqptr, struct msg *msgptr); -void mac_create_sysv_msgqueue(struct ucred *cred, - struct msqid_kernel *msqptr); -void mac_create_sysv_sem(struct ucred *cred, - struct semid_kernel *semakptr); -void mac_create_sysv_shm(struct ucred *cred, - struct shmid_kernel *shmsegptr); - -/* - * Labeling event operations: processes. - */ -void mac_relabel_cred(struct ucred *cred, struct label *newlabel); -void mac_create_cred(struct ucred *cred_parent, struct ucred *cred_child); -int mac_execve_enter(user_addr_t mac_p, struct label *execlabel); -#if 0 -void mac_execve_exit(struct image_params *imgp); #endif -void mac_execve_transition(struct ucred *old, struct ucred *newcred, - struct vnode *vp, struct label *scriptvnodelabel, - struct label *execlabel); -int mac_execve_will_transition(struct ucred *old, struct vnode *vp, - struct label *scriptvnodelabel, struct label *execlabel, - struct proc *p); -void mac_create_proc0(struct ucred *cred); -void mac_create_proc1(struct ucred *cred); -#if 0 -void mac_thread_userret(struct uthread *td); -#endif - -void mac_relabel_lctx(struct lctx *l, struct label *newlabel); - -/* - * Labeling operations for pipes. 
- */ -struct label *mac_pipe_label_alloc(void); -void mac_pipe_label_free(struct label *label); -void mac_copy_pipe_label(struct label *src, struct label *dest); -void mac_create_pipe(struct ucred *cred, struct pipe *cpipe); -int mac_pipe_label_set(struct ucred *cred, struct pipe *cpipe, - struct label *label); - -/* - * Label cleanup operation: This is the inverse complement for the mac_create - * and associate type of hooks. This hook lets the policy module(s) perform - * a cleanup/flushing operation on the label associated with the objects, - * without freeing up the space allocated. This hook is useful in cases - * where it is desirable to remove any labeling reference when recycling any - * object to a pool. This hook does not replace the mac_destroy hooks. - */ -void mac_cleanup_sysv_msgmsg(struct msg *msgptr); -void mac_cleanup_sysv_msgqueue(struct label *msqlabel); -void mac_cleanup_sysv_sem(struct semid_kernel *semakptr); -void mac_cleanup_sysv_shm(struct shmid_kernel *shmsegptr); -void mac_cleanup_vnode(struct vnode *vp); - -/* - * Access control checks. 
- */ -int mac_check_cred_relabel(struct ucred *cred, struct label *newlabel); -int mac_check_cred_visible(struct ucred *u1, struct ucred *u2); -int mac_check_lctx_relabel(struct lctx *l, struct label *newlabel); -int mac_check_posix_sem_create(struct ucred *cred, const char *name); -int mac_check_posix_sem_open(struct ucred *cred, struct pseminfo *ps); -int mac_check_posix_sem_post(struct ucred *cred, struct pseminfo *ps); -int mac_check_posix_sem_unlink(struct ucred *cred, struct pseminfo *ps, - const char *name); -int mac_check_posix_sem_wait(struct ucred *cred, struct pseminfo *ps); -int mac_check_posix_shm_create(struct ucred *cred, const char *name); -int mac_check_posix_shm_open(struct ucred *cred, struct pshminfo *ps); -int mac_check_posix_shm_mmap(struct ucred *cred, struct pshminfo *ps, - int prot, int flags); -int mac_check_posix_shm_stat(struct ucred *cred, struct pshminfo *ps); -int mac_check_posix_shm_truncate(struct ucred *cred, struct pshminfo *ps, - size_t s); -int mac_check_posix_shm_unlink(struct ucred *cred, struct pshminfo *ps, - const char *name); -int mac_check_sysv_msgmsq(struct ucred *cred, struct msg *msgptr, - struct msqid_kernel *msqptr); -int mac_check_sysv_msgrcv(struct ucred *cred, struct msg *msgptr); -int mac_check_sysv_msgrmid(struct ucred *cred, struct msg *msgptr); -int mac_check_sysv_msqctl(struct ucred *cred, struct msqid_kernel *msqptr, - int cmd); -int mac_check_sysv_msqget(struct ucred *cred, struct msqid_kernel *msqptr); -int mac_check_sysv_msqsnd(struct ucred *cred, struct msqid_kernel *msqptr); -int mac_check_sysv_msqrcv(struct ucred *cred, struct msqid_kernel *msqptr); -int mac_check_sysv_semctl(struct ucred *cred, - struct semid_kernel *semakptr, int cmd); -int mac_check_fcntl(struct ucred *cred, struct fileproc *fp, int cmd, - int arg); -int mac_check_get_fd(struct ucred *cred, struct fileproc *fp, - char *elements, int len); - -/* - * Note: mac_check_ioctl is currently not called and will probably be broken into - * 
more granular checks. - */ -int mac_check_ioctl(struct ucred *cred, struct fileproc *fp, int com, - void *data); -int mac_check_sysv_semget(struct ucred *cred, - struct semid_kernel *semakptr); -int mac_check_sysv_semop(struct ucred *cred,struct semid_kernel *semakptr, - size_t accesstype); -int mac_check_sysv_shmat(struct ucred *cred, - struct shmid_kernel *shmsegptr, int shmflg); -int mac_check_sysv_shmctl(struct ucred *cred, - struct shmid_kernel *shmsegptr, int cmd); -int mac_check_sysv_shmdt(struct ucred *cred, - struct shmid_kernel *shmsegptr); -int mac_check_sysv_shmget(struct ucred *cred, - struct shmid_kernel *shmsegptr, int shmflg); -int mac_check_mount(struct ucred *cred, struct vnode *vp, - const char *vfc_name); -int mac_check_remount(struct ucred *cred, struct mount *mp); -int mac_check_umount(struct ucred *cred, struct mount *mp); -int mac_check_mount_getattr(struct ucred *cred, struct mount *mp, - struct vfs_attr *vfa); -int mac_check_mount_setattr(struct ucred *cred, struct mount *mp, - struct vfs_attr *vfa); -int mac_check_mount_stat(struct ucred *cred, struct mount *mp); -int mac_check_mount_relabel(struct ucred *cred, struct mount *mp); -int mac_check_pipe_kqfilter(struct ucred *cred, struct knote *kn, - struct pipe *cpipe); -int mac_check_pipe_ioctl(struct ucred *cred, struct pipe *cpipe, - unsigned long cmd, void *data); -int mac_check_pipe_read(struct ucred *cred, struct pipe *cpipe); -int mac_check_pipe_select(struct ucred *cred, struct pipe *cpipe, - int which); -int mac_check_pipe_stat(struct ucred *cred, struct pipe *cpipe); -int mac_check_pipe_write(struct ucred *cred, struct pipe *cpipe); -int mac_check_proc_debug(struct ucred *cred, struct proc *proc); -int mac_check_proc_getaudit(struct ucred *cred); -int mac_check_proc_getauid(struct ucred *cred); -int mac_check_proc_sched(struct ucred *cred, struct proc *proc); -int mac_check_proc_setaudit(struct ucred *cred, struct auditinfo *ai); -int mac_check_proc_setauid(struct ucred *cred, 
uid_t auid); -int mac_check_proc_signal(struct ucred *cred, struct proc *proc, - int signum); -int mac_check_proc_wait(struct ucred *cred, struct proc *proc); -int mac_check_proc_setlcid(struct proc *, struct proc *, pid_t, pid_t); -int mac_check_proc_getlcid(struct proc *, struct proc *, pid_t); -int mac_check_set_fd(struct ucred *cred, struct fileproc *fp, char *buf, - int buflen); -int mac_check_socket_accept(struct ucred *cred, struct socket *so); -int mac_check_socket_bind(struct ucred *cred, struct socket *so, - struct sockaddr *addr); -int mac_check_socket_connect(struct ucred *cred, struct socket *so, - struct sockaddr *addr); -int mac_check_socket_create(struct ucred *cred, int domain, int type, - int protocol); -int mac_check_socket_deliver(struct socket *so, struct mbuf *m); -int mac_check_socket_kqfilter(struct ucred *cred, struct knote *kn, - struct socket *so); -int mac_check_socket_listen(struct ucred *cred, struct socket *so); -int mac_check_socket_receive(struct ucred *cred, struct socket *so); -int mac_check_socket_select(struct ucred *cred, struct socket *so, - int which); -int mac_check_socket_send(struct ucred *cred, struct socket *so); >>> TRUNCATED FOR MAIL (1000 lines) <<<
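Review bot: In every `#include` hunk from audit_kernel.h through dp_backing_file.c the header path between the angle brackets has been lost in this rendering, so each hunk reads `-#include` / `+#include` with no visible target. Going by the commit message the replacement should name mac_framework.h; please confirm that is the case for each file, and that no file whose only include is replaced still relies on the userland types left behind in mac.h (`mac_t`, `struct mac`), since those would now be undeclared there.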
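Review bot: The kern_audit.c, uipc_socket.c and vfs_syscalls.c hunks add the new include next to the existing one instead of replacing it, unlike every other file in the change. A one-line comment explaining why these three need both headers (presumably the `struct mac` userland definitions that stay in mac.h, as used by prototypes such as `mac_get_cred_audit_labels(struct proc *p, struct mac *mac)`) would keep the next person from "fixing" the apparent inconsistency.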
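Review bot: In the `@@ -104,433 +106,6 @@` hunk of security/mac.h the prototype block being removed uses several types that its own forward-declaration list never declares within the visible hunk: `struct msg` and `struct msqid_kernel` (`mac_init_sysv_msgmsg`, `mac_create_sysv_msgmsg`, `mac_check_sysv_msgmsq`), `struct knote` (`mac_check_pipe_kqfilter`, `mac_check_socket_kqfilter`), `struct vfs_attr` (`mac_check_mount_getattr`), `struct image_params` (`mac_execve_exit`) and `struct label` itself. The diff is truncated before mac_framework.h#1 is shown, so please check that the new header adds those forward declarations rather than carrying the omission over, otherwise it compiles only in files that happen to include the right headers first. Two smaller points in the same hunk: the `#endif` after `-void mac_execve_exit(struct image_params *imgp);` appears without a leading `-` while the matching `#if 0` is removed, which, if not a mail-rendering artefact, leaves an orphaned `#endif` in mac.h; and the removed block opened with `#else /* _KERNEL */` under an `#ifndef KERNEL` conditional, so when the guard is reproduced in mac_framework.h the comment should name the macro actually tested. While moving the prototypes, `mac_check_sysv_semop(struct ucred *cred,struct semid_kernel *semakptr,` also wants a space after the comma.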
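Review bot: The security/Makefile hunk adds `mac_framework.h \` between `mac_data.h` and `mac_policy.h`, which keeps the sorted prefix of that list intact. The hunk shows only this one list, though; if the Makefile keeps separate lists for installed versus kernel-private headers, mac_framework.h needs to be added wherever mac.h currently appears, or out-of-tree consumers of the kernel interface will no longer find the prototypes that this change moves out of mac.h.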