From owner-p4-projects Sat Jul 27 20:53:37 2002 Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id B9F8237B420; Sat, 27 Jul 2002 20:52:53 -0700 (PDT) Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 793A237B428 for ; Sat, 27 Jul 2002 20:52:48 -0700 (PDT) Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id F142543E3B for ; Sat, 27 Jul 2002 20:52:47 -0700 (PDT) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: from freefall.freebsd.org (perforce@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.4/8.12.4) with ESMTP id g6S3qlJU012953 for ; Sat, 27 Jul 2002 20:52:47 -0700 (PDT) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: (from perforce@localhost) by freefall.freebsd.org (8.12.4/8.12.4/Submit) id g6S3qljh012950 for perforce@freebsd.org; Sat, 27 Jul 2002 20:52:47 -0700 (PDT) Date: Sat, 27 Jul 2002 20:52:47 -0700 (PDT) Message-Id: <200207280352.g6S3qljh012950@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: perforce set sender to bb+lists.freebsd.perforce@cyrus.watson.org using -f From: Robert Watson Subject: PERFORCE change 15035 for review To: Perforce Change Reviews Sender: owner-p4-projects@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG http://people.freebsd.org/~peter/p4db/chv.cgi?CH=15035 Change 15035 by rwatson@rwatson_paprika on 2002/07/27 20:52:28 Rename mpo_check_see_socket() and mpo_check_see_cred() to mpo_check_socket_visible() and mpo_check_cred_visible() respectively. Move entry point naming towards a model using mac_check_(objectname)_(methodname)() from mac_cred_check_(methodname)_(objectname)(). This is the bit where we generate conflicts. Affected files ... .. //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#197 edit .. //depot/projects/trustedbsd/mac/sys/kern/kern_prot.c#23 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#74 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#63 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_none/mac_none.c#49 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_partition/mac_partition.c#7 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_seeotheruids/mac_seeotheruids.c#12 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.c#54 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#19 edit .. //depot/projects/trustedbsd/mac/sys/sys/mac.h#125 edit .. //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#90 edit Differences ... ==== //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#197 (text+ko) ==== @@ -658,18 +658,18 @@ mpc->mpc_ops->mpo_check_bpfdesc_receive = mpe->mpe_function; break; + case MAC_CHECK_CRED_VISIBLE: + mpc->mpc_ops->mpo_check_cred_visible = + mpe->mpe_function; + break; case MAC_CHECK_CONNECT_SOCKET: mpc->mpc_ops->mpo_check_connect_socket = mpe->mpe_function; break; - case MAC_CHECK_SEE_CRED: - mpc->mpc_ops->mpo_check_see_cred = + case MAC_CHECK_SOCKET_VISIBLE: + mpc->mpc_ops->mpo_check_socket_visible = mpe->mpe_function; break; - case MAC_CHECK_SEE_SOCKET: - mpc->mpc_ops->mpo_check_see_socket = - mpe->mpe_function; - break; case MAC_CHECK_RELABEL_IFNET: mpc->mpc_ops->mpo_check_relabel_ifnet = mpe->mpe_function; @@ -1041,32 +1041,6 @@ } int -mac_cred_cansee(struct ucred *u1, struct ucred *u2) -{ - int error; - - if (!mac_enforce_process) - return (0); - - MAC_CHECK(check_see_cred, u1, u2); - - return (error); -} - -int -mac_cred_canseesocket(struct ucred *cred, struct socket *socket) -{ - int error; - - if (!mac_enforce_socket) - return (0); - - MAC_CHECK(check_see_socket, cred, socket, &socket->so_label); - - return (error); -} - -int mac_cred_cansignal(struct ucred *cred, struct proc *proc, int signum) { int error; @@ -2533,6 +2507,19 @@ } int +mac_check_cred_visible(struct ucred *u1, struct ucred *u2) +{ + int error; + + if (!mac_enforce_process) + return (0); + + MAC_CHECK(check_cred_visible, u1, u2); + + return (error); +} + +int mac_check_connect_socket(struct ucred *cred, struct socket *socket, struct sockaddr *sockaddr) { @@ -2562,6 +2549,19 @@ } int +mac_check_socket_visible(struct ucred *cred, struct socket *socket) +{ + int error; + + if (!mac_enforce_socket) + return (0); + + MAC_CHECK(check_socket_visible, cred, socket, &socket->so_label); + + return (error); +} + +int mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr, struct ifnet *ifnet) { ==== //depot/projects/trustedbsd/mac/sys/kern/kern_prot.c#23 (text+ko) ==== @@ -1380,7 +1380,7 @@ if ((error = prison_check(u1, u2))) return (error); #ifdef MAC - if ((error = mac_cred_cansee(u1, u2))) + if ((error = mac_check_cred_visible(u1, u2))) return (error); #endif if ((error = cr_seeotheruids(u1, u2))) @@ -1674,7 +1674,7 @@ if (cr_seeotheruids(cred, so->so_cred)) return (ENOENT); #ifdef MAC - error = mac_cred_canseesocket(cred, so); + error = mac_check_socket_visible(cred, so); if (error) return (error); #endif ==== //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#74 (text+ko) ==== @@ -1181,7 +1181,7 @@ } static int -mac_biba_check_see_cred(struct ucred *u1, struct ucred *u2) +mac_biba_check_cred_visible(struct ucred *u1, struct ucred *u2) { struct mac_biba *subj, *obj; @@ -1199,7 +1199,7 @@ } static int -mac_biba_check_see_socket(struct ucred *cred, struct socket *socket, +mac_biba_check_socket_visible(struct ucred *cred, struct socket *socket, struct label *socketlabel) { struct mac_biba *subj, *obj; @@ -2142,10 +2142,10 @@ (macop_t)mac_biba_relabel_subject }, { MAC_CHECK_BPFDESC_RECEIVE, (macop_t)mac_biba_check_bpfdesc_receive }, - { MAC_CHECK_SEE_CRED, - (macop_t)mac_biba_check_see_cred }, - { MAC_CHECK_SEE_SOCKET, - (macop_t)mac_biba_check_see_socket }, + { MAC_CHECK_CRED_VISIBLE, + (macop_t)mac_biba_check_cred_visible }, + { MAC_CHECK_SOCKET_VISIBLE, + (macop_t)mac_biba_check_socket_visible }, { MAC_CHECK_RELABEL_IFNET, (macop_t)mac_biba_check_relabel_ifnet }, { MAC_CHECK_RELABEL_PIPE, ==== //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#63 (text+ko) ==== @@ -1127,7 +1127,7 @@ } static int -mac_mls_check_see_cred(struct ucred *u1, struct ucred *u2) +mac_mls_check_cred_visible(struct ucred *u1, struct ucred *u2) { struct mac_mls *subj, *obj; @@ -1145,7 +1145,7 @@ } static int -mac_mls_check_see_socket(struct ucred *cred, struct socket *socket, +mac_mls_check_socket_visible(struct ucred *cred, struct socket *socket, struct label *socketlabel) { struct mac_mls *subj, *obj; @@ -2088,10 +2088,10 @@ (macop_t)mac_mls_relabel_subject }, { MAC_CHECK_BPFDESC_RECEIVE, (macop_t)mac_mls_check_bpfdesc_receive }, - { MAC_CHECK_SEE_CRED, - (macop_t)mac_mls_check_see_cred }, - { MAC_CHECK_SEE_SOCKET, - (macop_t)mac_mls_check_see_socket }, + { MAC_CHECK_CRED_VISIBLE, + (macop_t)mac_mls_check_cred_visible }, + { MAC_CHECK_SOCKET_VISIBLE, + (macop_t)mac_mls_check_socket_visible }, { MAC_CHECK_RELABEL_IFNET, (macop_t)mac_mls_check_relabel_ifnet }, { MAC_CHECK_RELABEL_PIPE, ==== //depot/projects/trustedbsd/mac/sys/security/mac_none/mac_none.c#49 (text+ko) ==== @@ -565,22 +565,22 @@ } static int -mac_none_check_connect_socket(struct ucred *cred, struct socket *socket, - struct label *socketlabel, struct sockaddr *sockaddr) +mac_none_check_cred_visible(struct ucred *u1, struct ucred *u2) { return (0); } static int -mac_none_check_see_cred(struct ucred *u1, struct ucred *u2) +mac_none_check_connect_socket(struct ucred *cred, struct socket *socket, + struct label *socketlabel, struct sockaddr *sockaddr) { return (0); } static int -mac_none_check_see_socket(struct ucred *cred, struct socket *socket, +mac_none_check_socket_visible(struct ucred *cred, struct socket *socket, struct label *socketlabel) { @@ -1020,12 +1020,12 @@ (macop_t)mac_none_check_bind_socket }, { MAC_CHECK_BPFDESC_RECEIVE, (macop_t)mac_none_check_bpfdesc_receive }, + { MAC_CHECK_CRED_VISIBLE, + (macop_t)mac_none_check_cred_visible }, { MAC_CHECK_CONNECT_SOCKET, (macop_t)mac_none_check_connect_socket }, - { MAC_CHECK_SEE_CRED, - (macop_t)mac_none_check_see_cred }, - { MAC_CHECK_SEE_SOCKET, - (macop_t)mac_none_check_see_socket }, + { MAC_CHECK_SOCKET_VISIBLE, + (macop_t)mac_none_check_socket_visible }, { MAC_CHECK_RELABEL_IFNET, (macop_t)mac_none_check_relabel_ifnet }, { MAC_CHECK_RELABEL_PIPE, ==== //depot/projects/trustedbsd/mac/sys/security/mac_partition/mac_partition.c#7 (text+ko) ==== @@ -188,7 +188,7 @@ } static int -mac_partition_check_see_cred(struct ucred *u1, struct ucred *u2) +mac_partition_check_cred_visible(struct ucred *u1, struct ucred *u2) { int error; @@ -198,7 +198,7 @@ } static int -mac_partition_check_see_socket(struct ucred *cred, struct socket *socket, +mac_partition_check_socket_visible(struct ucred *cred, struct socket *socket, struct label *socketlabel) { int error; @@ -277,10 +277,10 @@ (macop_t)mac_partition_create_proc1 }, { MAC_RELABEL_SUBJECT, (macop_t)mac_partition_relabel_subject }, - { MAC_CHECK_SEE_CRED, - (macop_t)mac_partition_check_see_cred }, - { MAC_CHECK_SEE_SOCKET, - (macop_t)mac_partition_check_see_socket }, + { MAC_CHECK_CRED_VISIBLE, + (macop_t)mac_partition_check_cred_visible }, + { MAC_CHECK_SOCKET_VISIBLE, + (macop_t)mac_partition_check_socket_visible }, { MAC_CHECK_RELABEL_SUBJECT, (macop_t)mac_partition_check_relabel_subject }, { MAC_CHECK_DEBUG_PROC, ==== //depot/projects/trustedbsd/mac/sys/security/mac_seeotheruids/mac_seeotheruids.c#12 (text+ko) ==== @@ -124,14 +124,14 @@ } static int -mac_seeotheruids_check_see_cred(struct ucred *u1, struct ucred *u2) +mac_seeotheruids_check_cred_visible(struct ucred *u1, struct ucred *u2) { return (mac_seeotheruids_check(u1, u2)); } static int -mac_seeotheruids_check_see_socket(struct ucred *cred, struct socket *socket, +mac_seeotheruids_check_socket_visible(struct ucred *cred, struct socket *socket, struct label *socketlabel) { @@ -162,10 +162,10 @@ static struct mac_policy_op_entry mac_seeotheruids_ops[] = { - { MAC_CHECK_SEE_CRED, - (macop_t)mac_seeotheruids_check_see_cred }, - { MAC_CHECK_SEE_SOCKET, - (macop_t)mac_seeotheruids_check_see_socket }, + { MAC_CHECK_CRED_VISIBLE, + (macop_t)mac_seeotheruids_check_cred_visible }, + { MAC_CHECK_SOCKET_VISIBLE, + (macop_t)mac_seeotheruids_check_socket_visible }, { MAC_CHECK_DEBUG_PROC, (macop_t)mac_seeotheruids_check_debug_proc }, { MAC_CHECK_SCHED_PROC, ==== //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.c#54 (text+ko) ==== @@ -698,6 +698,14 @@ } static int +mac_te_check_cred_visible(struct ucred *u1, struct ucred *u2) +{ + + return (mac_te_check(SLOT(&u1->cr_label), SLOT(&u2->cr_label), + MAC_TE_CLASS_PROC, MAC_TE_OPERATION_PROC_SEE)); +} + +static int mac_te_check_connect_socket(struct ucred *cred, struct socket *socket, struct label *socketlabel, struct sockaddr *sockaddr) { @@ -735,6 +743,15 @@ MAC_TE_CLASS_MBUF, MAC_TE_OPERATION_MBUF_RECEIVE)); } +static int +mac_te_check_socket_visible(struct ucred *cred, struct socket *socket, + struct label *socketlabel) +{ + + return (mac_te_check(SLOT(&cred->cr_label), SLOT(socketlabel), + MAC_TE_CLASS_SOCKET, MAC_TE_OPERATION_SOCKET_SEE)); +} + static void mac_te_create_ifnet(struct ifnet *ifnet, struct label *ifnetlabel) { @@ -1132,23 +1149,6 @@ } static int -mac_te_check_see_cred(struct ucred *u1, struct ucred *u2) -{ - - return (mac_te_check(SLOT(&u1->cr_label), SLOT(&u2->cr_label), - MAC_TE_CLASS_PROC, MAC_TE_OPERATION_PROC_SEE)); -} - -static int -mac_te_check_see_socket(struct ucred *cred, struct socket *socket, - struct label *socketlabel) -{ - - return (mac_te_check(SLOT(&cred->cr_label), SLOT(socketlabel), - MAC_TE_CLASS_SOCKET, MAC_TE_OPERATION_SOCKET_SEE)); -} - -static int mac_te_check_signal_proc(struct ucred *cred, struct proc *proc, int signum) { @@ -1747,14 +1747,16 @@ { MAC_CREATE_PROC1, (macop_t)mac_te_create_proc1 }, { MAC_RELABEL_SUBJECT, (macop_t)mac_te_relabel_subject }, { MAC_RELABEL_VNODE, (macop_t)mac_te_relabel_vnode }, - { MAC_CHECK_SEE_CRED, (macop_t)mac_te_check_see_cred }, - { MAC_CHECK_SEE_SOCKET, (macop_t)mac_te_check_see_socket }, { MAC_CHECK_BIND_SOCKET, (macop_t)mac_te_check_bind_socket }, { MAC_CHECK_BPFDESC_RECEIVE, (macop_t)mac_te_check_bpfdesc_receive }, + { MAC_CHECK_CRED_VISIBLE, + (macop_t)mac_te_check_cred_visible }, { MAC_CHECK_CONNECT_SOCKET, (macop_t)mac_te_check_connect_socket }, { MAC_CHECK_LISTEN_SOCKET, (macop_t)mac_te_check_listen_socket }, + { MAC_CHECK_SOCKET_VISIBLE, + (macop_t)mac_te_check_socket_visible }, { MAC_CHECK_RELABEL_IFNET, (macop_t)mac_te_check_relabel_ifnet }, { MAC_CHECK_RELABEL_PIPE, ==== //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#19 (text+ko) ==== @@ -773,22 +773,22 @@ } static int -mac_test_check_connect_socket(struct ucred *cred, struct socket *socket, - struct label *socketlabel, struct sockaddr *sockaddr) +mac_test_check_cred_visible(struct ucred *u1, struct ucred *u2) { return (0); } static int -mac_test_check_see_cred(struct ucred *u1, struct ucred *u2) +mac_test_check_connect_socket(struct ucred *cred, struct socket *socket, + struct label *socketlabel, struct sockaddr *sockaddr) { return (0); } static int -mac_test_check_see_socket(struct ucred *cred, struct socket *socket, +mac_test_check_socket_visible(struct ucred *cred, struct socket *socket, struct label *socketlabel) { @@ -1226,12 +1226,12 @@ (macop_t)mac_test_check_bind_socket }, { MAC_CHECK_BPFDESC_RECEIVE, (macop_t)mac_test_check_bpfdesc_receive }, + { MAC_CHECK_CRED_VISIBLE, + (macop_t)mac_test_check_cred_visible }, { MAC_CHECK_CONNECT_SOCKET, (macop_t)mac_test_check_connect_socket }, - { MAC_CHECK_SEE_CRED, - (macop_t)mac_test_check_see_cred }, - { MAC_CHECK_SEE_SOCKET, - (macop_t)mac_test_check_see_socket }, + { MAC_CHECK_SOCKET_VISIBLE, + (macop_t)mac_test_check_socket_visible }, { MAC_CHECK_RELABEL_IFNET, (macop_t)mac_test_check_relabel_ifnet }, { MAC_CHECK_RELABEL_PIPE, ==== //depot/projects/trustedbsd/mac/sys/sys/mac.h#125 (text+ko) ==== @@ -373,11 +373,11 @@ int mac_socket_can_receive(struct socket *so, struct mbuf *m); /* Hooks for the proc-based "can"-checks. */ +int mac_check_cred_visible(struct ucred *u1, struct ucred *u2); +int mac_check_socket_visible(struct ucred *cred, struct socket *so); int mac_cred_candebug(struct ucred *cred, struct proc *proc); int mac_cred_canexec(struct ucred *cred, struct vnode *vp); int mac_cred_cansched(struct ucred *cred, struct proc *proc); -int mac_cred_cansee(struct ucred *u1, struct ucred *u2); -int mac_cred_canseesocket(struct ucred *cred, struct socket *socket); int mac_cred_cansignal(struct ucred *cred, struct proc *proc, int signum); /* Calls to help various file systems implement labeling using EAs. */ ==== //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#90 (text+ko) ==== @@ -234,11 +234,11 @@ int (*mpo_check_bpfdesc_receive)(struct bpf_d *bpf_d, struct label *bpflabel, struct ifnet *ifnet, struct label *ifnetlabel); + int (*mpo_check_cred_visible)(struct ucred *u1, struct ucred *u2); int (*mpo_check_connect_socket)(struct ucred *cred, struct socket *socket, struct label *socketlabel, struct sockaddr *sockaddr); - int (*mpo_check_see_cred)(struct ucred *u1, struct ucred *u2); - int (*mpo_check_see_socket)(struct ucred *cred, + int (*mpo_check_socket_visible)(struct ucred *cred, struct socket *socket, struct label *socketlabel); int (*mpo_check_relabel_ifnet)(struct ucred *cred, struct ifnet *ifnet, struct label *ifnetlabel, @@ -413,8 +413,8 @@ MAC_RELABEL_SUBJECT, MAC_CHECK_BIND_SOCKET, MAC_CHECK_BPFDESC_RECEIVE, - MAC_CHECK_SEE_CRED, - MAC_CHECK_SEE_SOCKET, + MAC_CHECK_CRED_VISIBLE, + MAC_CHECK_SOCKET_VISIBLE, MAC_CHECK_RELABEL_IFNET, MAC_CHECK_RELABEL_PIPE, MAC_CHECK_RELABEL_SOCKET, To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message