From owner-p4-projects Sun Jul 28 16:43:56 2002 Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 7B0A837B401; Sun, 28 Jul 2002 16:43:09 -0700 (PDT) Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id F24D437B400 for ; Sun, 28 Jul 2002 16:43:08 -0700 (PDT) Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6CA2B43E65 for ; Sun, 28 Jul 2002 16:43:08 -0700 (PDT) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: from freefall.freebsd.org (perforce@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.4/8.12.4) with ESMTP id g6SNh3JU014836 for ; Sun, 28 Jul 2002 16:43:03 -0700 (PDT) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: (from perforce@localhost) by freefall.freebsd.org (8.12.4/8.12.4/Submit) id g6SNh3NH014833 for perforce@freebsd.org; Sun, 28 Jul 2002 16:43:03 -0700 (PDT) Date: Sun, 28 Jul 2002 16:43:03 -0700 (PDT) Message-Id: <200207282343.g6SNh3NH014833@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: perforce set sender to bb+lists.freebsd.perforce@cyrus.watson.org using -f 
From: Robert Watson Subject: PERFORCE change 15079 for review To: Perforce Change Reviews Sender: owner-p4-projects@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG http://people.freebsd.org/~peter/p4db/chv.cgi?CH=15079 Change 15079 by rwatson@rwatson_paprika on 2002/07/28 16:42:56 Move the pipe_ioctl and pipe_op entry point implementations into the right place alphabetically for the new naming convention. No functional change. Affected files ... .. //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#204 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#81 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#69 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_none/mac_none.c#56 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.c#61 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#26 edit .. //depot/projects/trustedbsd/mac/sys/sys/mac.h#131 edit .. //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#97 edit Differences ... ==== //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#204 (text+ko) ==== @@ -674,6 +674,14 @@ mpc->mpc_ops->mpo_check_mount_stat = mpe->mpe_function; break; + case MAC_CHECK_PIPE_IOCTL: + mpc->mpc_ops->mpo_check_pipe_ioctl = + mpe->mpe_function; + break; + case MAC_CHECK_PIPE_OP: + mpc->mpc_ops->mpo_check_pipe_op = + mpe->mpe_function; + break; case MAC_CHECK_PIPE_RELABEL: mpc->mpc_ops->mpo_check_pipe_relabel = mpe->mpe_function; @@ -818,14 +826,6 @@ mpc->mpc_ops->mpo_check_vnode_op = mpe->mpe_function; break; - case MAC_CHECK_PIPE_IOCTL: - mpc->mpc_ops->mpo_check_pipe_ioctl = - mpe->mpe_function; - break; - case MAC_CHECK_PIPE_OP: - mpc->mpc_ops->mpo_check_pipe_op = - mpe->mpe_function; - break; case MAC_INIT_BPFDESC: mpc->mpc_ops->mpo_init_bpfdesc = mpe->mpe_function; 
@@ -2331,27 +2331,6 @@ &mbuf->m_pkthdr.label); } -int -mac_check_pipe_op(struct ucred *cred, struct pipe *pipe, int op) -{ - int error; - - MAC_CHECK(check_pipe_op, cred, pipe, pipe->pipe_label, op); - - return (error); -} - -int -mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, unsigned long cmd, - void *data) -{ - int error; - - MAC_CHECK(check_pipe_ioctl, cred, pipe, pipe->pipe_label, cmd, data); - - return (error); -} - void mac_create_mount(struct ucred *cred, struct mount *mp) { @@ -2437,6 +2416,27 @@ return (error); } +int +mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, unsigned long cmd, + void *data) +{ + int error; + + MAC_CHECK(check_pipe_ioctl, cred, pipe, pipe->pipe_label, cmd, data); + + return (error); +} + +int +mac_check_pipe_op(struct ucred *cred, struct pipe *pipe, int op) +{ + int error; + + MAC_CHECK(check_pipe_op, cred, pipe, pipe->pipe_label, op); + + return (error); +} + static int mac_check_pipe_relabel(struct ucred *cred, struct pipe *pipe, struct label *newlabel) ==== //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#81 (text+ko) ==== 
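Review bot: In the re-added `mac_check_pipe_ioctl` and `mac_check_pipe_op` (kern_mac.c, hunk @@ -2437) `error` is declared without an initializer and then returned, and no visible statement assigns it. Presumably the `MAC_CHECK` macro, which is defined outside this diff, writes it. A one-line comment above each wrapper would make that dependency explicit, for example `/* MAC_CHECK() assigns error from the registered policies' check results. */`, worded to match what the macro really does. The hunk's trailing context opens `mac_check_pipe_relabel`, whose body lies outside the hunk.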
@@ -1290,6 +1290,49 @@ } static int +mac_biba_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, + struct label *pipelabel, unsigned long cmd, void /* caddr_t */ *data) +{ + + if(!mac_biba_enabled) + return (0); + + /* XXX: This will be implemented soon... */ + + return (0); +} + +static int +mac_biba_check_pipe_op(struct ucred *cred, struct pipe *pipe, + struct label *pipelabel, int op) +{ + struct mac_biba *subj, *obj; + + if (!mac_biba_enabled) + return (0); + + subj = SLOT(&cred->cr_label); + obj = SLOT((pipelabel)); + + switch(op) { + case MAC_OP_PIPE_READ: + case MAC_OP_PIPE_STAT: + case MAC_OP_PIPE_POLL: + if (!mac_biba_dominate_single(obj, subj)) + return (EACCES); + break; + case MAC_OP_PIPE_WRITE: + if (!mac_biba_dominate_single(subj, obj)) + return (EACCES); + break; + default: + panic("mac_biba_check_pipe_op: invalid pipe operation"); + } + + return (0); +} + +static int mac_biba_check_pipe_relabel(struct ucred *cred, struct pipe *pipe, struct label *pipelabel, struct label *newlabel) { @@ -1965,49 +2008,6 @@ } } -static int -mac_biba_check_pipe_op(struct ucred *cred, struct pipe *pipe, - struct label *pipelabel, int op) -{ - struct mac_biba *subj, *obj; - - if (!mac_biba_enabled) - return (0); - - subj = SLOT(&cred->cr_label); - obj = SLOT((pipelabel)); - - switch(op) { - case MAC_OP_PIPE_READ: - case MAC_OP_PIPE_STAT: - case MAC_OP_PIPE_POLL: - if (!mac_biba_dominate_single(obj, subj)) - return (EACCES); - break; - case MAC_OP_PIPE_WRITE: - if (!mac_biba_dominate_single(subj, obj)) - return (EACCES); - break; - default: - panic("mac_biba_check_pipe_op: invalid pipe operation"); - } - - return (0); -} - -static int -mac_biba_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, - struct label *pipelabel, unsigned long cmd, void /* caddr_t */ *data) -{ - - if(!mac_biba_enabled) - return (0); - - /* XXX: This will be implemented soon... */ - - return (0); -} - static struct mac_policy_op_entry mac_biba_ops[] = { { MAC_DESTROY, 
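Review bot: `mac_biba_check_pipe_ioctl` (mac_biba.c, hunk @@ -1290) returns 0 for every `cmd` even when `mac_biba_enabled` is set, so with the policy enabled pipe ioctls are not mediated by label at all, and the `XXX` comment does not say so. Until the check exists the comment should state the fail-open behaviour, e.g. `/* XXX: not yet implemented; every pipe ioctl is permitted regardless of label. */`. The same stub appears in `mac_mls_check_pipe_ioctl` (mac_mls.c @@ -1237) and in `mac_te_check_pipe_ioctl` and `mac_te_check_pipe_op` (mac_te.c @@ -686); the last of these also leaves pipe read and write unchecked under TE. The hunk's trailing context opens `mac_biba_check_pipe_relabel`, which continues outside the hunk.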
@@ -2152,6 +2152,10 @@ (macop_t)mac_biba_check_ifnet_transmit }, { MAC_CHECK_MOUNT_STAT, (macop_t)mac_biba_check_mount_stat }, + { MAC_CHECK_PIPE_IOCTL, + (macop_t)mac_biba_check_pipe_ioctl }, + { MAC_CHECK_PIPE_OP, + (macop_t)mac_biba_check_pipe_op }, { MAC_CHECK_PIPE_RELABEL, (macop_t)mac_biba_check_pipe_relabel }, { MAC_CHECK_PROC_DEBUG, @@ -2188,10 +2192,6 @@ (macop_t)mac_biba_check_vnode_lookup }, { MAC_CHECK_VNODE_OPEN, (macop_t)mac_biba_check_vnode_open }, - { MAC_CHECK_PIPE_IOCTL, - (macop_t)mac_biba_check_pipe_ioctl }, - { MAC_CHECK_PIPE_OP, - (macop_t)mac_biba_check_pipe_op }, { MAC_CHECK_VNODE_READDIR, (macop_t)mac_biba_check_vnode_readdir }, { MAC_CHECK_VNODE_READLINK, ==== //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#69 (text+ko) ==== @@ -1237,6 +1237,49 @@ } static int +mac_mls_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, + struct label *pipelabel, unsigned long cmd, void /* caddr_t */ *data) +{ + + if(!mac_mls_enabled) + return (0); + + /* XXX: This will be implemented soon... */ + + return (0); +} + +static int +mac_mls_check_pipe_op(struct ucred *cred, struct pipe *pipe, + struct label *pipelabel, int op) +{ + struct mac_mls *subj, *obj; + + if (!mac_mls_enabled) + return (0); + + subj = SLOT(&cred->cr_label); + obj = SLOT((pipelabel)); + + switch(op) { + case MAC_OP_PIPE_READ: + case MAC_OP_PIPE_STAT: + case MAC_OP_PIPE_POLL: + if (!mac_mls_dominate_single(subj, obj)) + return (EACCES); + break; + case MAC_OP_PIPE_WRITE: + if (!mac_mls_dominate_single(obj, subj)) + return (EACCES); + break; + default: + panic("mac_mls_check_pipe_op: invalid pipe operation"); + } + + return (0); +} + +static int mac_mls_check_pipe_relabel(struct ucred *cred, struct pipe *pipe, struct label *pipelabel, struct label *newlabel) { 
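Review bot: The `default:` arm of `mac_mls_check_pipe_op` (mac_mls.c @@ -1237, the last hunk on this line) calls `panic()` for any `op` outside the four listed values, so a pipe operation code added to the framework later would bring the kernel down instead of being denied. If `op` can only come from in-kernel callers this is an assertion and deserves a comment saying so; otherwise failing closed is the safer choice, e.g. `default: return (EACCES);`. `mac_biba_check_pipe_op` (mac_biba.c @@ -1290) has the same arm. As a style point in the same hunk, `if(!mac_mls_enabled)` and `switch(op)` lack the space after the keyword that `if (!mac_mls_enabled)` a few lines later uses.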
@@ -1916,49 +1959,6 @@ } } -static int -mac_mls_check_pipe_op(struct ucred *cred, struct pipe *pipe, - struct label *pipelabel, int op) -{ - struct mac_mls *subj, *obj; - - if (!mac_mls_enabled) - return (0); - - subj = SLOT(&cred->cr_label); - obj = SLOT((pipelabel)); - - switch(op) { - case MAC_OP_PIPE_READ: - case MAC_OP_PIPE_STAT: - case MAC_OP_PIPE_POLL: - if (!mac_mls_dominate_single(subj, obj)) - return (EACCES); - break; - case MAC_OP_PIPE_WRITE: - if (!mac_mls_dominate_single(obj, subj)) - return (EACCES); - break; - default: - panic("mac_mls_check_pipe_op: invalid pipe operation"); - } - - return (0); -} - -static int -mac_mls_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, - struct label *pipelabel, unsigned long cmd, void /* caddr_t */ *data) -{ - - if(!mac_mls_enabled) - return (0); - - /* XXX: This will be implemented soon... */ - - return (0); -} - static struct mac_policy_op_entry mac_mls_ops[] = { { MAC_DESTROY, @@ -2103,6 +2103,10 @@ (macop_t)mac_mls_check_ifnet_transmit }, { MAC_CHECK_MOUNT_STAT, (macop_t)mac_mls_check_mount_stat }, + { MAC_CHECK_PIPE_IOCTL, + (macop_t)mac_mls_check_pipe_ioctl }, + { MAC_CHECK_PIPE_OP, + (macop_t)mac_mls_check_pipe_op }, { MAC_CHECK_PIPE_RELABEL, (macop_t)mac_mls_check_pipe_relabel }, { MAC_CHECK_PROC_DEBUG, @@ -2139,10 +2143,6 @@ (macop_t)mac_mls_check_vnode_lookup }, { MAC_CHECK_VNODE_OPEN, (macop_t)mac_mls_check_vnode_open }, - { MAC_CHECK_PIPE_IOCTL, - (macop_t)mac_mls_check_pipe_ioctl }, - { MAC_CHECK_PIPE_OP, - (macop_t)mac_mls_check_pipe_op }, { MAC_CHECK_VNODE_READDIR, (macop_t)mac_mls_check_vnode_readdir }, { MAC_CHECK_VNODE_READLINK, ==== //depot/projects/trustedbsd/mac/sys/security/mac_none/mac_none.c#56 (text+ko) ==== 
@@ -595,6 +595,22 @@ } static int +mac_none_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, + struct label *pipelabel, unsigned long cmd, void /* caddr_t */ *data) +{ + + return (0); +} + +static int +mac_none_check_pipe_op(struct ucred *cred, struct pipe *pipe, + struct label *pipelabel, int op) +{ + + return (0); +} + +static int mac_none_check_pipe_relabel(struct ucred *cred, struct pipe *pipe, struct label *pipelabel, struct label *newlabel) { @@ -866,22 +882,6 @@ return (0); } -static int -mac_none_check_pipe_op(struct ucred *cred, struct pipe *pipe, - struct label *pipelabel, int op) -{ - - return (0); -} - -static int -mac_none_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, - struct label *pipelabel, unsigned long cmd, void /* caddr_t */ *data) -{ - - return (0); -} - static struct mac_policy_op_entry mac_none_ops[] = { { MAC_DESTROY, @@ -1028,6 +1028,10 @@ (macop_t)mac_none_check_ifnet_transmit }, { MAC_CHECK_MOUNT_STAT, (macop_t)mac_none_check_mount_stat }, + { MAC_CHECK_PIPE_IOCTL, + (macop_t)mac_none_check_pipe_ioctl }, + { MAC_CHECK_PIPE_OP, + (macop_t)mac_none_check_pipe_op }, { MAC_CHECK_PIPE_RELABEL, (macop_t)mac_none_check_pipe_relabel }, { MAC_CHECK_PROC_DEBUG, @@ -1096,10 +1100,6 @@ (macop_t)mac_none_check_vnode_setutimes }, { MAC_CHECK_VNODE_STAT, (macop_t)mac_none_check_vnode_stat }, - { MAC_CHECK_PIPE_IOCTL, - (macop_t)mac_none_check_pipe_ioctl }, - { MAC_CHECK_PIPE_OP, - (macop_t)mac_none_check_pipe_op }, { MAC_OP_LAST, NULL } }; ==== //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.c#61 (text+ko) ==== 
@@ -686,6 +686,26 @@ } static int +mac_te_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, + struct label *pipelabel, unsigned long cmd, void /* caddr_t */ *data) +{ + + /* XXX: This will be implemented soon... */ + + return (0); +} + +static int +mac_te_check_pipe_op(struct ucred *cred, struct pipe *pipe, + struct label *pipelabel, int op) +{ + + /* XXX: This will be implemented soon... */ + + return (0); +} + +static int mac_te_check_pipe_relabel(struct ucred *cred, struct pipe *pipe, struct label *pipelabel, struct label *newlabel) { @@ -1650,26 +1670,6 @@ mac_te_copy_label(SLOT(fragmentlabel), SLOT(ipqlabel)); } -static int -mac_te_check_pipe_op(struct ucred *cred, struct pipe *pipe, - struct label *pipelabel, int op) -{ - - /* XXX: This will be implemented soon... */ - - return (0); -} - -static int -mac_te_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, - struct label *pipelabel, unsigned long cmd, void /* caddr_t */ *data) -{ - - /* XXX: This will be implemented soon... */ - - return (0); -} - static struct mac_policy_op_entry mac_te_ops[] = { { MAC_INIT_BPFDESC, (macop_t)mac_te_init_bpfdesc }, @@ -1754,6 +1754,10 @@ (macop_t)mac_te_check_ifnet_transmit }, { MAC_CHECK_MOUNT_STAT, (macop_t)mac_te_check_mount_stat }, + { MAC_CHECK_PIPE_IOCTL, + (macop_t)mac_te_check_pipe_ioctl }, + { MAC_CHECK_PIPE_OP, + (macop_t)mac_te_check_pipe_op }, { MAC_CHECK_PIPE_RELABEL, (macop_t)mac_te_check_pipe_relabel }, { MAC_CHECK_PROC_DEBUG, 
@@ -1819,11 +1823,8 @@ (macop_t)mac_te_check_setowner_vnode }, { MAC_CHECK_VNODE_SETUTIMES, (macop_t)mac_te_check_vnode_setutimes }, - { MAC_CHECK_PIPE_IOCTL, - (macop_t)mac_te_check_pipe_ioctl }, - { MAC_CHECK_PIPE_OP, - (macop_t)mac_te_check_pipe_op }, - { MAC_CHECK_VNODE_STAT, (macop_t)mac_te_check_stat_vnode }, + { MAC_CHECK_VNODE_STAT, + (macop_t)mac_te_check_stat_vnode }, { MAC_CHECK_VNODE_MMAP_PERMS, (macop_t)mac_te_check_vnode_mmap_perms }, { MAC_CHECK_VNODE_OP, ==== //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#26 (text+ko) ==== @@ -803,6 +803,22 @@ } static int +mac_test_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, + struct label *pipelabel, unsigned long cmd, void /* caddr_t */ *data) +{ + + return (0); +} + +static int +mac_test_check_pipe_op(struct ucred *cred, struct pipe *pipe, + struct label *pipelabel, int op) +{ + + return (0); +} + +static int mac_test_check_pipe_relabel(struct ucred *cred, struct pipe *pipe, struct label *pipelabel, struct label *newlabel) { @@ -880,22 +896,6 @@ } static int -mac_test_check_pipe_op(struct ucred *cred, struct pipe *pipe, - struct label *pipelabel, int op) -{ - - return (0); -} - -static int -mac_test_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, - struct label *pipelabel, unsigned long cmd, void /* caddr_t */ *data) -{ - - return (0); -} - -static int mac_test_check_vnode_access(struct ucred *cred, struct vnode *vp, struct label *label, mode_t flags) { @@ -1234,6 +1234,10 @@ (macop_t)mac_test_check_ifnet_transmit }, { MAC_CHECK_MOUNT_STAT, (macop_t)mac_test_check_mount_stat }, + { MAC_CHECK_PIPE_IOCTL, + (macop_t)mac_test_check_pipe_ioctl }, + { MAC_CHECK_PIPE_OP, + (macop_t)mac_test_check_pipe_op }, { MAC_CHECK_PIPE_RELABEL, (macop_t)mac_test_check_pipe_relabel }, { MAC_CHECK_PROC_DEBUG, 
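Review bot: The rewrapped entry `{ MAC_CHECK_VNODE_STAT, (macop_t)mac_te_check_stat_vnode },` (mac_te.c @@ -1819, the first hunk on this line) still binds to a function named in the old order, as does `mac_te_check_setowner_vnode` in the context just above it, while mac_none and mac_test already use `mac_none_check_vnode_stat` and `mac_test_check_vnode_stat`. Since the change is about the new naming convention, either rename the function to `mac_te_check_vnode_stat` (and likewise for the setowner entry) in a follow-up, or leave a comment marking the names as pending. The rewrap itself is a formatting change that the description does not mention. The table this hunk edits starts and ends outside the hunk.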
@@ -1302,10 +1306,6 @@ (macop_t)mac_test_check_vnode_setutimes }, { MAC_CHECK_VNODE_STAT, (macop_t)mac_test_check_vnode_stat }, - { MAC_CHECK_PIPE_IOCTL, - (macop_t)mac_test_check_pipe_ioctl }, - { MAC_CHECK_PIPE_OP, - (macop_t)mac_test_check_pipe_op }, { MAC_OP_LAST, NULL } }; ==== //depot/projects/trustedbsd/mac/sys/sys/mac.h#131 (text+ko) ==== @@ -259,6 +259,9 @@ /* Authorizational event hooks. */ int mac_check_bpfdesc_receive(struct bpf_d *bpf_d, struct ifnet *ifnet); int mac_check_mount_stat(struct ucred *cred, struct mount *mp); +int mac_check_pipe_op(struct ucred *cred, struct pipe *pipe, int op); +int mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, + unsigned long cmd, void *data); int mac_check_vnode_access(struct ucred *cred, struct vnode *vp, int flags); int mac_check_vnode_chdir(struct ucred *cred, struct vnode *dvp); @@ -302,9 +305,6 @@ int mac_check_vnode_readlink(struct ucred *cred, struct vnode *vp); int mac_check_vnode_revoke(struct ucred *cred, struct vnode *vp); int mac_check_vnode_op(struct ucred *cred, struct vnode *vp, int op); -int mac_check_pipe_op(struct ucred *cred, struct pipe *pipe, int op); -int mac_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, - unsigned long cmd, void *data); int mac_getsockopt_label_get(struct ucred *cred, struct socket *so, struct mac *extmac); int mac_getsockopt_peerlabel_get(struct ucred *cred, struct socket *so, ==== //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#97 (text+ko) ==== @@ -242,6 +242,11 @@ struct label *mbuflabel); int (*mpo_check_mount_stat)(struct ucred *cred, struct mount *mp, struct label *mntlabel); + int (*mpo_check_pipe_ioctl)(struct ucred *cred, + struct pipe *pipe, struct label *pipelabel, + unsigned long cmd, void *data); + int (*mpo_check_pipe_op)(struct ucred *cred, + struct pipe *pipe, struct label *pipelabel, int op); int (*mpo_check_pipe_relabel)(struct ucred *cred, struct pipe *pipe, struct label *pipelabel, struct label *newlabel); 
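Review bot: In the mac.h hunk at @@ -259 the two prototypes are added with `mac_check_pipe_op` ahead of `mac_check_pipe_ioctl`, the one place in this change where `ioctl` does not sort before `op`. To match the alphabetical ordering the description gives as the purpose, swap them so the `mac_check_pipe_ioctl` prototype comes first.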
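Review bot: The new `mpo_check_pipe_ioctl` member (mac_policy.h @@ -242) declares `void *data` without the `/* caddr_t */` annotation that the removed declaration and every policy implementation in this change still carry, and neither pipe hook has a comment describing its arguments. I would keep the annotation or drop it everywhere. A short comment above `mpo_check_pipe_op` listing the accepted `op` values (`MAC_OP_PIPE_READ`, `MAC_OP_PIPE_STAT`, `MAC_OP_PIPE_POLL`, `MAC_OP_PIPE_WRITE`) would also help policy authors, because mac_biba and mac_mls panic on anything else. The struct these members belong to extends beyond the hunk.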
@@ -331,11 +336,6 @@ struct vnode *vp, struct label *label, int newmapping); int (*mpo_check_vnode_op)(struct ucred *cred, struct vnode *vp, struct label *label, int op); - int (*mpo_check_pipe_op)(struct ucred *cred, - struct pipe *pipe, struct label *pipelabel, int op); - int (*mpo_check_pipe_ioctl)(struct ucred *cred, - struct pipe *pipe, struct label *pipelabel, - unsigned long cmd, void /* caddr_t */ *data); }; typedef void *macop_t; @@ -415,6 +415,8 @@ MAC_CHECK_IFNET_RELABEL, MAC_CHECK_IFNET_TRANSMIT, MAC_CHECK_MOUNT_STAT, + MAC_CHECK_PIPE_IOCTL, + MAC_CHECK_PIPE_OP, MAC_CHECK_PIPE_RELABEL, MAC_CHECK_PROC_DEBUG, MAC_CHECK_PROC_SCHED, @@ -451,8 +453,6 @@ MAC_CHECK_VNODE_STAT, MAC_CHECK_VNODE_MMAP_PERMS, MAC_CHECK_VNODE_OP, - MAC_CHECK_PIPE_IOCTL, - MAC_CHECK_PIPE_OP }; struct mac_policy_op_entry { To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message
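Review bot: Inserting `MAC_CHECK_PIPE_IOCTL` and `MAC_CHECK_PIPE_OP` ahead of `MAC_CHECK_PIPE_RELABEL` (mac_policy.h @@ -415) shifts the numeric value of every later enumerator, so "no functional change" holds only when the kernel and all policy modules are rebuilt together. A policy module compiled against the previous header would present stale operation numbers, and because entries travel as `macop_t` (`void *`) the registration switch in kern_mac.c would store its functions into the wrong `mpo_` slots with no type check to catch the mismatch. If the framework has a module or ABI version that policies are checked against, it should be bumped with this change; none is visible in the diff. A comment on the enum such as `/* Reordering changes operation numbers; rebuild all policy modules. */` would record the constraint. The enum starts before the hunk.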