Date: Tue, 19 Mar 2002 08:30:48 -0800 (PST) From: Brian Feldman <green@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 7966 for review Message-ID: <200203191630.g2JGUm445851@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
http://people.freebsd.org/~peter/p4db/chv.cgi?CH=7966 Change 7966 by green@green_laptop_2 on 2002/03/19 08:30:21 Next target: make "subjects" (ucred) carefully-managed like mbufs are. Affected files ... ... //depot/projects/trustedbsd/mac/sys/kern/init_main.c#14 edit ... //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#113 edit ... //depot/projects/trustedbsd/mac/sys/kern/kern_prot.c#12 edit ... //depot/projects/trustedbsd/mac/sys/sys/mac.h#85 edit Differences ... ==== //depot/projects/trustedbsd/mac/sys/kern/init_main.c#14 (text+ko) ==== @@ -348,7 +348,7 @@ p->p_ucred->cr_ngroups = 1; /* group 0 */ #ifdef MAC - mac_init_proc0(p->p_ucred); + mac_create_proc0(p->p_ucred); #endif p->p_ucred->cr_uidinfo = uifind(0); @@ -654,7 +654,7 @@ mtx_unlock_spin(&sched_lock); cpu_set_fork_handler(FIRST_THREAD_IN_PROC(initproc), start_init, NULL); #ifdef MAC - mac_init_proc1(initproc->p_ucred); + mac_create_proc1(initproc->p_ucred); #endif } SYSINIT(init, SI_SUB_CREATE_INIT, SI_ORDER_FIRST, create_init, NULL) ==== //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#113 (text+ko) ==== @@ -422,9 +422,11 @@ SYSCTL_NODE(_security_mac, OID_AUTO, debug, CTLFLAG_RW, 0, "TrustedBSD MAC debug info"); -static unsigned int nmacmbufs; +static unsigned int nmacmbufs, nmacsubjects; SYSCTL_UINT(_security_mac_debug, OID_AUTO, mbufs, CTLFLAG_RD, &nmacmbufs, 0, "number of mbufs in use"); +SYSCTL_UINT(_security_mac_debug, OID_AUTO, subjects, CTLFLAG_RD, + &nmacsubjects, 0, "number of ucreds in use"); int mac_init_mbuf(struct mbuf *m, int how) @@ -443,6 +445,21 @@ atomic_subtract_int(&nmacmbufs, 1); } +void +mac_init_subject(struct ucred *cr) +{ + + mac_init_label(&cr->cr_label); + atomic_add_int(&nmacsubjects, 1); +} + +void +mac_destroy_subject(struct ucred *cr) +{ + + atomic_subtract_int(&nmacsubjects, 1); +} + static int mac_label_valid(struct mac *label) { @@ -480,10 +497,9 @@ * kernel processes and threads are spawned. */ void -mac_init_proc0(struct ucred *cred) +mac_create_proc0(struct ucred *cred) { - mac_init_label(&cred->cr_label); MAC_PERFORM(create_proc0, cred); } @@ -492,10 +508,9 @@ * userland processes and threads are spawned. */ void -mac_init_proc1(struct ucred *cred) +mac_create_proc1(struct ucred *cred) { - mac_init_label(&cred->cr_label); MAC_PERFORM(create_proc1, cred); } @@ -508,7 +523,6 @@ mac_create_subject(struct ucred *parent_cred, struct ucred *child_cred) { - mac_init_label(&child_cred->cr_label); MAC_PERFORM(create_subject, parent_cred, child_cred); } ==== //depot/projects/trustedbsd/mac/sys/kern/kern_prot.c#12 (text+ko) ==== @@ -1687,6 +1687,9 @@ MALLOC(cr, struct ucred *, sizeof(*cr), M_CRED, M_WAITOK | M_ZERO); cr->cr_ref = 1; cr->cr_mtxp = mtx_pool_find(cr); +#ifdef MAC + mac_init_subject(cr); +#endif /* MAC */ return (cr); } @@ -1732,6 +1735,9 @@ */ if (jailed(cr)) prison_free(cr->cr_prison); +#ifdef MAC + mac_destroy_subject(cr); +#endif /* MAC */ FREE((caddr_t)cr, M_CRED); } else { mtx_unlock(mtxp); @@ -1765,6 +1771,9 @@ bcopy(&src->cr_startcopy, &dest->cr_startcopy, (unsigned)((caddr_t)&src->cr_endcopy - (caddr_t)&src->cr_startcopy)); +#ifdef MAC + mac_create_subject(src, dest); +#endif /* MAC */ uihold(dest->cr_uidinfo); uihold(dest->cr_ruidinfo); if (jailed(dest)) ==== //depot/projects/trustedbsd/mac/sys/sys/mac.h#85 (text+ko) ==== @@ -274,16 +274,21 @@ void mac_copy_label(struct mac *labelfrom, struct mac *labelto); void mac_print_label(struct mac *); int mac_validate_label(struct mac *); +void mac_init_bpfdesc(struct bpf_d *); +void mac_destroy_bpfdesc(struct bpf_d *); int mac_init_mbuf(struct mbuf *, int how); void mac_destroy_mbuf(struct mbuf *); +void mac_init_ifnet(struct ifnet *); +void mac_destroy_ifnet(struct ifnet *); +void mac_init_socket(struct socket *); +void mac_destroy_socket(struct socket *); +void mac_init_subject(struct ucred *); +void mac_destroy_subject(struct ucred *); /* Non-authorizational event hooks. */ void mac_execve_transition(struct ucred *old, struct ucred *new, struct mac *filelabel); int mac_execve_will_transition(struct ucred *old, struct mac *filelabel); -void mac_init_ifnet(struct ifnet *ifnet); -void mac_init_proc0(struct ucred *cred); -void mac_init_proc1(struct ucred *cred); void mac_mountfs(struct ucred *cred, struct mount *mp); void mac_mountrootfs(struct ucred *cred, struct mount *mp); void mac_relabel_subject(struct ucred *oldcred, struct mac *newlabel); @@ -344,6 +349,8 @@ struct ifnet *ifnet, struct mbuf *newmbuf); void mac_create_mbuf_netlayer_from_mbuf(struct mbuf *oldmbuf, struct mbuf *newmbuf); +void mac_create_proc0(struct ucred *cred); +void mac_create_proc1(struct ucred *cred); void mac_create_socket(struct ucred *cred, struct socket *socket); void mac_create_subject(struct ucred *cred_parent, struct ucred *cred_child); To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200203191630.g2JGUm445851>