Date:      Sat, 30 Mar 2002 00:25:32 -0500 (EST)
From:      Robert Watson <rwatson@FreeBSD.org>
To:        Brian Feldman <green@FreeBSD.org>
Cc:        Perforce Change Reviews <perforce@FreeBSD.org>
Subject:   Re: PERFORCE change 8575 for review
Message-ID:  <Pine.NEB.3.96L.1020330002505.73912N-100000@fledge.watson.org>
In-Reply-To: <200203281713.g2SHDm939906@freefall.freebsd.org>

Ah, ok.  BTW, I can't help but wonder if the VFS change shouldn't have
gone into another branch and/or the main tree rather than the MAC tree
directly.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services

On Thu, 28 Mar 2002, Brian Feldman wrote:

> http://people.freebsd.org/~peter/p4db/chv.cgi?CH=8575
> 
> Change 8575 by green@green_laptop_2 on 2002/03/28 09:13:36
> 
> 	Change the way that MAC policies' operation vectors are
> 	declared from a hard-to-maintain struct which enforced
> 	strong type-checking in the declarations in the module
> 	and strict ordering requirements, to an easily-modifiable
> 	array which will not necessarily have to be changed for
> 	each addition of a new MAC operation.
> 	
> 	The downside of this is that the MAC policy authors will
> 	have to manually make certain to match arguments of their
> 	function declarations with what they pass in via the
> 	operation vector, since C cannot help by providing strong
> 	type checking here.
> 	
> 	(I accidentally already submitted kern_mac.c last.)
> 
> Affected files ...
> 
> ... //depot/projects/trustedbsd/mac/sys/security/babyaudit/babyaudit.c#6 edit
> ... //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#25 edit
> ... //depot/projects/trustedbsd/mac/sys/security/mac_bsdextended/mac_bsdextended.c#26 edit
> ... //depot/projects/trustedbsd/mac/sys/security/mac_bsdextended/mac_bsdextended.h#5 edit
> ... //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#21 edit
> ... //depot/projects/trustedbsd/mac/sys/security/mac_none/mac_none.c#20 edit
> ... //depot/projects/trustedbsd/mac/sys/security/mac_seeotheruids/mac_seeotheruids.c#6 edit
> ... //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.c#20 edit
> ... //depot/projects/trustedbsd/mac/sys/sys/mac.h#91 edit
> ... //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#56 edit
> 
> Differences ...
> 
> ==== //depot/projects/trustedbsd/mac/sys/security/babyaudit/babyaudit.c#6 (text+ko) ====
> 
> @@ -222,70 +222,35 @@
>  	return (0);
>  }
>  
> -static struct mac_policy_ops babyaudit_ops =
> +static struct mac_policy_op_entry babyaudit_ops[] =
>  {
> -	NULL /* babyaudit_destroy */,
> -	NULL /* babyaudit_init */,
> -	NULL /* babyaudit_copy_label */,
> -	NULL /* babyaudit_dominate */,
> -	NULL /* babyaudit_equal */,
> -	NULL /* babyaudit_print_label */,
> -	NULL /* babyaudit_validate_label */,
> -	NULL /* babyaudit_create_devfs_device */,
> -	NULL /* babyaudit_create_devfs_directory */,
> -	NULL /* babyaudit_create_vnode_from_vnode */,
> -	NULL /* babyaudit_mountfs */,
> -	NULL /* babyaudit_mountrootfs */,
> -	NULL /* babyaudit_create_mbuf_from_socket */,
> -	NULL /* babyaudit_create_socket */,
> -	NULL /* babyaudit_relabel_socket */,
> -	NULL /* babyaudit_create_bpfdesc */,
> -	NULL /* babyaudit_create_ifnet */,
> -	NULL /* babyaudit_create_mbuf_datagram_from_mbuf_fragmentqueue */,
> -	NULL /* babyaudit_create_mbuf_fragment_from_mbuf */,
> -	NULL /* babyaudit_create_mbuf_fragmentqueue_from_mbuf_fragment */,
> -	NULL /* babyaudit_create_mbuf_from_mbuf */,
> -	NULL /* babyaudit_create_mbuf_linklayer_for_ifnet */,
> -	NULL /* babyaudit_create_mbuf_from_bpfdesc */,
> -	NULL /* babyaudit_create_mbuf_from_ifnet */,
> -	NULL /* babyaudit_create_mbuf_multicast_encap_from_mbuf */,
> -	NULL /* babyaudit_create_mbuf_netlayer_from_mbuf */,
> -	NULL /* babyaudit_mbuf_fragment_matches_mbuf_fragmentqueue */,
> -	NULL /* babyaudit_relabel_ifnet */,
> -	NULL /* babyaudit_update_mbuf_fragmentqueue_from_mbuf_fragment */,
> -	NULL /* babyaudit_create_subject */,
> -	NULL /* babyaudit_execve_transition */,
> -	NULL /* babyaudit_execve_will_transition */,
> -	NULL /* babyaudit_create_proc0 */,
> -	NULL /* babyaudit_create_proc1 */,
> -	NULL /* babyaudit_relabel_subject */,
> -	NULL /* babyaudit_bpfdesc_check_receive_from_ifnet */,
> -	NULL /* babyaudit_cred_check_see_cred */,
> -	NULL /* babyaudit_cred_check_see_socket */,
> -	NULL /* babyaudit_cred_check_relabel_ifnet */,
> -	NULL /* babyaudit_cred_check_relabel_socket */,
> -	NULL /* babyaudit_cred_check_relabel_subject */,
> -	NULL /* babyaudit_cred_check_relabel_vnode */,
> -	NULL /* babyaudit_cred_check_statfs */,
> -	NULL /* babyaudit_cred_check_debug_proc */,
> -	NULL /* babyaudit_cred_check_exec_file */,
> -	babyaudit_cred_check_chdir_vnode,
> -	babyaudit_cred_check_create_vnode,
> -	babyaudit_cred_check_delete_vnode,
> -	babyaudit_cred_check_exec_vnode,
> -	babyaudit_cred_check_open_vnode,
> -	babyaudit_cred_check_rename_from_vnode,
> -	babyaudit_cred_check_rename_to_vnode,
> -	babyaudit_cred_check_revoke_vnode,
> -	babyaudit_cred_check_search_vnode,
> -	babyaudit_cred_check_setflags_vnode,
> -	babyaudit_cred_check_setmode_vnode,
> -	babyaudit_cred_check_setowner_vnode,
> -	babyaudit_cred_check_setutimes_vnode,
> -	NULL /* babyaudit_cred_check_sched_proc */,
> -	NULL /* babyaudit_cred_check_signal_proc */,
> -	NULL /* babyaudit_ifnet_check_send_mbuf */,
> -	NULL /* babyaudit_socket_check_receive_mbuf */
> +	{ MAC_CRED_CHECK_CHDIR_VNODE,
> +	    (macop_t)babyaudit_cred_check_chdir_vnode },
> +	{ MAC_CRED_CHECK_CREATE_VNODE,
> +	    (macop_t)babyaudit_cred_check_create_vnode },
> +	{ MAC_CRED_CHECK_DELETE_VNODE,
> +	    (macop_t)babyaudit_cred_check_delete_vnode },
> +	{ MAC_CRED_CHECK_EXEC_VNODE,
> +	    (macop_t)babyaudit_cred_check_exec_vnode },
> +	{ MAC_CRED_CHECK_OPEN_VNODE,
> +	    (macop_t)babyaudit_cred_check_open_vnode },
> +	{ MAC_CRED_CHECK_RENAME_FROM_VNODE,
> +	    (macop_t)babyaudit_cred_check_rename_from_vnode },
> +	{ MAC_CRED_CHECK_RENAME_TO_VNODE,
> +	    (macop_t)babyaudit_cred_check_rename_to_vnode },
> +	{ MAC_CRED_CHECK_REVOKE_VNODE,
> +	    (macop_t)babyaudit_cred_check_revoke_vnode },
> +	{ MAC_CRED_CHECK_SEARCH_VNODE,
> +	    (macop_t)babyaudit_cred_check_search_vnode },
> +	{ MAC_CRED_CHECK_SETFLAGS_VNODE,
> +	    (macop_t)babyaudit_cred_check_setflags_vnode },
> +	{ MAC_CRED_CHECK_SETMODE_VNODE,
> +	    (macop_t)babyaudit_cred_check_setmode_vnode },
> +	{ MAC_CRED_CHECK_SETOWNER_VNODE,
> +	    (macop_t)babyaudit_cred_check_setowner_vnode },
> +	{ MAC_CRED_CHECK_SETUTIMES_VNODE,
> +	    (macop_t)babyaudit_cred_check_setutimes_vnode },
> +	{ MAC_OP_LAST, NULL }
>  };
>  
>  MAC_POLICY_SET(babyaudit_ops, trustedbsd_babyaudit, "TrustedBSD MAC/babyaudit",
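Review bot: Every entry in the new table goes through a `(macop_t)` cast, so a handler whose parameter list drifts from what the dispatcher passes for that `MAC_*` op is no longer a compile error but a call through a mismatched function-pointer type, which is undefined behaviour in C and, for an access-control hook, means a decision taken on misread arguments. The commit message acknowledges this; a comment above each table would at least keep the obligation visible, e.g. `/* No type checking here: each handler must match the prototype kern_mac.c uses for its MAC_* op. */`. A cheap compile-time guard is possible later — a per-op wrapper that assigns the handler to a correctly typed pointer before casting — but that belongs in mac_policy.h, which this diff does not show. The table's length is now carried only by the trailing `{ MAC_OP_LAST, NULL }` sentinel, so the consumer (kern_mac.c, not in this diff) should be checked to stop on it rather than on a count. The same applies to the mac_biba, mac_bsdextended, mac_mls and mac_none tables below.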
> 
> ==== //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#25 (text+ko) ====
> 
> @@ -996,71 +996,129 @@
>  	return (0);
>  }
>  
> -static struct mac_policy_ops mac_biba_ops =
> +static struct mac_policy_op_entry mac_biba_ops[] =
>  {
> -	NULL,
> -	NULL,
> -	mac_biba_copy_label,
> -	mac_biba_single_dominate,
> -	mac_biba_equal,		/* XXX */
> -	mac_biba_print_label,
> -	mac_biba_validate_label,
> -	mac_biba_create_devfs_device,
> -	mac_biba_create_devfs_directory,
> -	mac_biba_create_vnode_from_vnode,
> -	mac_biba_mountfs,
> -	mac_biba_mountrootfs,
> -	mac_biba_create_mbuf_from_socket,
> -	mac_biba_create_socket,
> -	mac_biba_relabel_socket,
> -	mac_biba_create_bpfdesc,
> -	mac_biba_create_ifnet,
> -	mac_biba_create_mbuf_datagram_from_mbuf_fragmentqueue,
> -	mac_biba_create_mbuf_fragment_from_mbuf,
> -	mac_biba_create_mbuf_fragmentqueue_from_mbuf_fragment,
> -	mac_biba_create_mbuf_from_mbuf,
> -	mac_biba_create_mbuf_linklayer_for_ifnet,
> -	mac_biba_create_mbuf_from_bpfdesc,
> -	mac_biba_create_mbuf_from_ifnet,
> -	mac_biba_create_mbuf_multicast_encap_from_mbuf,
> -	mac_biba_create_mbuf_netlayer_from_mbuf,
> -	mac_biba_mbuf_fragment_matches_mbuf_fragmentqueue,
> -	mac_biba_relabel_ifnet,
> -	NULL,						/* update fragq */
> -	mac_biba_create_subject,
> -	mac_biba_execve_transition,
> -	mac_biba_execve_will_transition,
> -	mac_biba_create_proc0,
> -	mac_biba_create_proc1,
> -	mac_biba_relabel_subject,
> -	mac_biba_bpfdesc_check_receive_from_ifnet,
> -	mac_biba_cred_check_see_cred,
> -	mac_biba_cred_check_see_socket,
> -	mac_biba_cred_check_relabel_ifnet,
> -	mac_biba_cred_check_relabel_socket,
> -	mac_biba_cred_check_relabel_subject,
> -	mac_biba_cred_check_relabel_vnode,
> -	mac_biba_cred_check_statfs,
> -	mac_biba_cred_check_debug_proc,
> -	mac_biba_cred_check_exec_file,
> -	mac_biba_cred_check_chdir_vnode,
> -	mac_biba_cred_check_create_vnode,
> -	mac_biba_cred_check_delete_vnode,
> -	mac_biba_cred_check_exec_vnode,
> -	mac_biba_cred_check_open_vnode,
> -	mac_biba_cred_check_rename_from_vnode,
> -	mac_biba_cred_check_rename_to_vnode,
> -	mac_biba_cred_check_revoke_vnode,
> -	mac_biba_cred_check_search_vnode,
> -	mac_biba_cred_check_setflags_vnode,
> -	mac_biba_cred_check_setmode_vnode,
> -	mac_biba_cred_check_setowner_vnode,
> -	mac_biba_cred_check_setutimes_vnode,
> -	mac_biba_cred_check_sched_proc,
> -	mac_biba_cred_check_signal_proc,
> -	mac_biba_cred_check_stat_vnode,
> -	mac_biba_ifnet_check_send_mbuf,
> -	mac_biba_socket_check_receive_mbuf
> +	{ MAC_COPY_LABEL,
> +	    (macop_t)mac_biba_copy_label },
> +	{ MAC_DOMINATE,
> +	    (macop_t)mac_biba_single_dominate },
> +	{ MAC_EQUAL,
> +	    (macop_t)mac_biba_equal },		/* XXX */
> +	{ MAC_PRINT_LABEL,
> +	    (macop_t)mac_biba_print_label },
> +	{ MAC_VALIDATE_LABEL,
> +	    (macop_t)mac_biba_validate_label },
> +	{ MAC_CREATE_DEVFS_DEVICE,
> +	    (macop_t)mac_biba_create_devfs_device },
> +	{ MAC_CREATE_DEVFS_DIRECTORY,
> +	    (macop_t)mac_biba_create_devfs_directory },
> +	{ MAC_CREATE_VNODE_FROM_VNODE,
> +	    (macop_t)mac_biba_create_vnode_from_vnode },
> +	{ MAC_CREATE_MOUNT,
> +	    (macop_t)mac_biba_mountfs },
> +	{ MAC_CREATE_ROOT_MOUNT,
> +	    (macop_t)mac_biba_mountrootfs },
> +	{ MAC_CREATE_MBUF_FROM_SOCKET,
> +	    (macop_t)mac_biba_create_mbuf_from_socket },
> +	{ MAC_CREATE_SOCKET,
> +	    (macop_t)mac_biba_create_socket },
> +	{ MAC_RELABEL_SOCKET,
> +	    (macop_t)mac_biba_relabel_socket },
> +	{ MAC_CREATE_BPFDESC,
> +	    (macop_t)mac_biba_create_bpfdesc },
> +	{ MAC_CREATE_IFNET,
> +	    (macop_t)mac_biba_create_ifnet },
> +	{ MAC_CREATE_MBUF_DATAGRAM_FROM_MBUF_FRAGMENTQUEUE,
> +	    (macop_t)mac_biba_create_mbuf_datagram_from_mbuf_fragmentqueue },
> +	{ MAC_CREATE_MBUF_FRAGMENT_FROM_MBUF,
> +	    (macop_t)mac_biba_create_mbuf_fragment_from_mbuf },
> +	{ MAC_CREATE_MBUF_FRAGMENTQUEUE_FROM_MBUF_FRAGMENT,
> +	    (macop_t)mac_biba_create_mbuf_fragmentqueue_from_mbuf_fragment },
> +	{ MAC_CREATE_MBUF_FROM_MBUF,
> +	    (macop_t)mac_biba_create_mbuf_from_mbuf },
> +	{ MAC_CREATE_MBUF_LINKLAYER_FOR_IFNET,
> +	    (macop_t)mac_biba_create_mbuf_linklayer_for_ifnet },
> +	{ MAC_CREATE_MBUF_FROM_BPFDESC,
> +	    (macop_t)mac_biba_create_mbuf_from_bpfdesc },
> +	{ MAC_CREATE_MBUF_FROM_IFNET,
> +	    (macop_t)mac_biba_create_mbuf_from_ifnet },
> +	{ MAC_CREATE_MBUF_MULTICAST_ENCAP_FROM_MBUF,
> +	    (macop_t)mac_biba_create_mbuf_multicast_encap_from_mbuf },
> +	{ MAC_CREATE_MBUF_NETLAYER_FROM_MBUF,
> +	    (macop_t)mac_biba_create_mbuf_netlayer_from_mbuf },
> +	{ MAC_MBUF_FRAGMENT_MATCHES_MBUF_FRAGMENTQUEUE,
> +	    (macop_t)mac_biba_mbuf_fragment_matches_mbuf_fragmentqueue },
> +	{ MAC_RELABEL_IFNET,
> +	    (macop_t)mac_biba_relabel_ifnet },
> +	{ MAC_CREATE_SUBJECT,
> +	    (macop_t)mac_biba_create_subject },
> +	{ MAC_EXECVE_TRANSITION,
> +	    (macop_t)mac_biba_execve_transition },
> +	{ MAC_EXECVE_WILL_TRANSITION,
> +	    (macop_t)mac_biba_execve_will_transition },
> +	{ MAC_CREATE_PROC0,
> +	    (macop_t)mac_biba_create_proc0 },
> +	{ MAC_CREATE_PROC1,
> +	    (macop_t)mac_biba_create_proc1 },
> +	{ MAC_RELABEL_SUBJECT,
> +	    (macop_t)mac_biba_relabel_subject },
> +	{ MAC_BPFDESC_CHECK_RECEIVE_FROM_IFNET,
> +	    (macop_t)mac_biba_bpfdesc_check_receive_from_ifnet },
> +	{ MAC_CRED_CHECK_SEE_CRED,
> +	    (macop_t)mac_biba_cred_check_see_cred },
> +	{ MAC_CRED_CHECK_SEE_SOCKET,
> +	    (macop_t)mac_biba_cred_check_see_socket },
> +	{ MAC_CRED_CHECK_RELABEL_IFNET,
> +	    (macop_t)mac_biba_cred_check_relabel_ifnet },
> +	{ MAC_CRED_CHECK_RELABEL_SOCKET,
> +	    (macop_t)mac_biba_cred_check_relabel_socket },
> +	{ MAC_CRED_CHECK_RELABEL_SUBJECT,
> +	    (macop_t)mac_biba_cred_check_relabel_subject },
> +	{ MAC_CRED_CHECK_RELABEL_VNODE,
> +	    (macop_t)mac_biba_cred_check_relabel_vnode },
> +	{ MAC_CRED_CHECK_STATFS,
> +	    (macop_t)mac_biba_cred_check_statfs },
> +	{ MAC_CRED_CHECK_DEBUG_PROC,
> +	    (macop_t)mac_biba_cred_check_debug_proc },
> +	{ MAC_CRED_CHECK_EXEC_FILE,
> +	    (macop_t)mac_biba_cred_check_exec_file },
> +	{ MAC_CRED_CHECK_CHDIR_VNODE,
> +	    (macop_t)mac_biba_cred_check_chdir_vnode },
> +	{ MAC_CRED_CHECK_CREATE_VNODE,
> +	    (macop_t)mac_biba_cred_check_create_vnode },
> +	{ MAC_CRED_CHECK_DELETE_VNODE,
> +	    (macop_t)mac_biba_cred_check_delete_vnode },
> +	{ MAC_CRED_CHECK_EXEC_VNODE,
> +	    (macop_t)mac_biba_cred_check_exec_vnode },
> +	{ MAC_CRED_CHECK_OPEN_VNODE,
> +	    (macop_t)mac_biba_cred_check_open_vnode },
> +	{ MAC_CRED_CHECK_RENAME_FROM_VNODE,
> +	    (macop_t)mac_biba_cred_check_rename_from_vnode },
> +	{ MAC_CRED_CHECK_RENAME_TO_VNODE,
> +	    (macop_t)mac_biba_cred_check_rename_to_vnode },
> +	{ MAC_CRED_CHECK_REVOKE_VNODE,
> +	    (macop_t)mac_biba_cred_check_revoke_vnode },
> +	{ MAC_CRED_CHECK_SEARCH_VNODE,
> +	    (macop_t)mac_biba_cred_check_search_vnode },
> +	{ MAC_CRED_CHECK_SETFLAGS_VNODE,
> +	    (macop_t)mac_biba_cred_check_setflags_vnode },
> +	{ MAC_CRED_CHECK_SETMODE_VNODE,
> +	    (macop_t)mac_biba_cred_check_setmode_vnode },
> +	{ MAC_CRED_CHECK_SETOWNER_VNODE,
> +	    (macop_t)mac_biba_cred_check_setowner_vnode },
> +	{ MAC_CRED_CHECK_SETUTIMES_VNODE,
> +	    (macop_t)mac_biba_cred_check_setutimes_vnode },
> +	{ MAC_CRED_CHECK_SCHED_PROC,
> +	    (macop_t)mac_biba_cred_check_sched_proc },
> +	{ MAC_CRED_CHECK_SIGNAL_PROC,
> +	    (macop_t)mac_biba_cred_check_signal_proc },
> +	{ MAC_CRED_CHECK_STAT_VNODE,
> +	    (macop_t)mac_biba_cred_check_stat_vnode },
> +	{ MAC_IFNET_CHECK_SEND_MBUF,
> +	    (macop_t)mac_biba_ifnet_check_send_mbuf },
> +	{ MAC_SOCKET_CHECK_RECEIVE_MBUF,
> +	    (macop_t)mac_biba_socket_check_receive_mbuf },
> +	{ MAC_OP_LAST, NULL }
>  };
>  
>  MAC_POLICY_SET(mac_biba_ops, trustedbsd_mac_biba, "TrustedBSD MAC/Biba", 1);
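Review bot: The `/* XXX */` next to `(macop_t)mac_biba_equal` is carried into the new table without saying what is unresolved, and in a keyed table that entry line is the only place a reader will look for it. Replace it with a comment that names the concern, for example `/* XXX: confirm this matches the comparison the MAC_EQUAL op expects */` — I cannot tell from the hunk what the original author meant, so the wording has to come from them. The mac_mls table carries the same bare marker on its MAC_EQUAL entry.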
> 
> ==== //depot/projects/trustedbsd/mac/sys/security/mac_bsdextended/mac_bsdextended.c#26 (text+ko) ====
> 
> @@ -585,71 +585,51 @@
>  	return (mac_bsdextended_cred_cantouch(cred, proc));
>  }
>  
> -static struct mac_policy_ops mac_bsdextended_ops =
> +static struct mac_policy_op_entry mac_bsdextended_ops[] =
>  {
> -	mac_bsdextended_init,
> -	mac_bsdextended_destroy,
> -	NULL,					/* copy label */
> -	NULL,					/* dominate */
> -	NULL,					/* equal label */
> -	NULL,					/* print label */
> -	NULL,					/* validate label */
> -	NULL,					/* create devfs dev */
> -	NULL,					/* create devfs dir */
> -	NULL,					/* create vnode */
> -	NULL,					/* mount fs */
> -	NULL,					/* mount rootfs */
> -	NULL,					/* mbuf from socket */
> -	NULL,					/* create socket */
> -	NULL,					/* relabel socket */
> -	NULL,					/* create bpf */
> -	NULL,					/* create ifnet */
> -	NULL,					/* mbuf datagram from fragq */
> -	NULL,					/* mbuf fragment */
> -	NULL,					/* mbuf fragment queue */
> -	NULL,					/* mbuf from mbuf */
> -	NULL,					/* mbuf linklayer */
> -	NULL,					/* mbuf from bpf */
> -	NULL,					/* mbuf from ifnet */
> -	NULL,					/* mbuf multicast encap */
> -	NULL,					/* mbuf netlayer */
> -	NULL,					/* fragment queue match */
> -	NULL,					/* relabel ifnet */
> -	NULL,					/* update fragment queue */
> -	NULL,					/* create subject */
> -	NULL,					/* transition */
> -	NULL,					/* will transition */
> -	NULL,					/* proc0 */
> -	NULL,					/* proc1 */
> -	NULL,					/* relabel subject */
> -	NULL,					/* bpfdesc check ifnet */
> -	mac_bsdextended_cred_check_see_cred,
> -	mac_bsdextended_cred_check_see_socket,
> -	NULL,					/* check relabel ifnet */
> -	NULL,					/* check relabel socket */
> -	NULL,					/* check relabel subject */
> -	NULL,					/* check relabel vnode */
> -	NULL,					/* check statfs */
> -	mac_bsdextended_cred_check_debug_proc,
> -	NULL,					/* exec file */
> -	mac_bsdextended_cred_check_chdir_vnode,
> -	mac_bsdextended_cred_check_create_vnode,
> -	mac_bsdextended_cred_check_delete_vnode,
> -	mac_bsdextended_cred_check_exec_vnode,
> -	mac_bsdextended_cred_check_open_vnode,
> -	mac_bsdextended_cred_check_rename_from_vnode,
> -	mac_bsdextended_cred_check_rename_to_vnode,
> -	mac_bsdextended_cred_check_revoke_vnode,
> -	mac_bsdextended_cred_check_search_vnode,
> -	mac_bsdextended_cred_check_setflags_vnode,
> -	mac_bsdextended_cred_check_setmode_vnode,
> -	mac_bsdextended_cred_check_setowner_vnode,
> -	mac_bsdextended_cred_check_setutimes_vnode,
> -	mac_bsdextended_cred_check_sched_proc,
> -	mac_bsdextended_cred_check_signal_proc,
> -	mac_bsdextended_cred_check_stat_vnode,
> -	NULL,					/* ifnet check send mbuf */
> -	NULL,					/* socket check receive mbuf */
> +	{ MAC_DESTROY,
> +	    (macop_t)mac_bsdextended_destroy },
> +	{ MAC_INIT,
> +	    (macop_t)mac_bsdextended_init },
> +	{ MAC_CRED_CHECK_SEE_CRED,
> +	    (macop_t)mac_bsdextended_cred_check_see_cred },
> +	{ MAC_CRED_CHECK_SEE_SOCKET,
> +	    (macop_t)mac_bsdextended_cred_check_see_socket },
> +	{ MAC_CRED_CHECK_DEBUG_PROC,
> +	    (macop_t)mac_bsdextended_cred_check_debug_proc },
> +	{ MAC_CRED_CHECK_CHDIR_VNODE,
> +	    (macop_t)mac_bsdextended_cred_check_chdir_vnode },
> +	{ MAC_CRED_CHECK_CREATE_VNODE,
> +	    (macop_t)mac_bsdextended_cred_check_create_vnode },
> +	{ MAC_CRED_CHECK_DELETE_VNODE,
> +	    (macop_t)mac_bsdextended_cred_check_delete_vnode },
> +	{ MAC_CRED_CHECK_EXEC_VNODE,
> +	    (macop_t)mac_bsdextended_cred_check_exec_vnode },
> +	{ MAC_CRED_CHECK_OPEN_VNODE,
> +	    (macop_t)mac_bsdextended_cred_check_open_vnode },
> +	{ MAC_CRED_CHECK_RENAME_FROM_VNODE,
> +	    (macop_t)mac_bsdextended_cred_check_rename_from_vnode },
> +	{ MAC_CRED_CHECK_RENAME_TO_VNODE,
> +	    (macop_t)mac_bsdextended_cred_check_rename_to_vnode },
> +	{ MAC_CRED_CHECK_REVOKE_VNODE,
> +	    (macop_t)mac_bsdextended_cred_check_revoke_vnode },
> +	{ MAC_CRED_CHECK_SEARCH_VNODE,
> +	    (macop_t)mac_bsdextended_cred_check_search_vnode },
> +	{ MAC_CRED_CHECK_SETFLAGS_VNODE,
> +	    (macop_t)mac_bsdextended_cred_check_setflags_vnode },
> +	{ MAC_CRED_CHECK_SETMODE_VNODE,
> +	    (macop_t)mac_bsdextended_cred_check_setmode_vnode },
> +	{ MAC_CRED_CHECK_SETOWNER_VNODE,
> +	    (macop_t)mac_bsdextended_cred_check_setowner_vnode },
> +	{ MAC_CRED_CHECK_SETUTIMES_VNODE,
> +	    (macop_t)mac_bsdextended_cred_check_setutimes_vnode },
> +	{ MAC_CRED_CHECK_SCHED_PROC,
> +	    (macop_t)mac_bsdextended_cred_check_sched_proc },
> +	{ MAC_CRED_CHECK_SIGNAL_PROC,
> +	    (macop_t)mac_bsdextended_cred_check_signal_proc },
> +	{ MAC_CRED_CHECK_STAT_VNODE,
> +	    (macop_t)mac_bsdextended_cred_check_stat_vnode },
> +	{ MAC_OP_LAST, NULL }
>  };
>  
>  MAC_POLICY_SET(mac_bsdextended_ops, trustedbsd_mac_bsdextended,
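Review bot: This hunk appears to silently change which function serves as init and which as destroy: the removed struct listed `mac_bsdextended_init` in the first slot and `mac_bsdextended_destroy` in the second, whereas the slot comments in the old babyaudit table (`babyaudit_destroy`, then `babyaudit_init`) and the old mac_none table (`mac_none_destroy`, then `mac_none_init`) put destroy first. If that positional reading is right, the old module ran its destroy routine at init time and vice versa, and the new keyed entries `{ MAC_DESTROY, (macop_t)mac_bsdextended_destroy }` / `{ MAC_INIT, (macop_t)mac_bsdextended_init }` correct it. That is exactly the class of bug this change exists to remove, so it is worth stating in the commit message and checking whether anything depended on the old behaviour. The old babyaudit table likewise had one slot fewer than the others (no stat_vnode entry), shifting its last two entries — harmless only because they were NULL.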
> 
> ==== //depot/projects/trustedbsd/mac/sys/security/mac_bsdextended/mac_bsdextended.h#5 (text+ko) ====
> 
> 
> ==== //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#21 (text+ko) ====
> 
> @@ -965,71 +965,129 @@
>  	return (0);
>  }
>  
> -static struct mac_policy_ops mac_mls_ops =
> +static struct mac_policy_op_entry mac_mls_ops[] =
>  {
> -	NULL,
> -	NULL,
> -	mac_mls_copy_label,
> -	mac_mls_single_dominate,
> -	mac_mls_equal,		/* XXX */
> -	mac_mls_print_label,
> -	mac_mls_validate_label,
> -	mac_mls_create_devfs_device,
> -	mac_mls_create_devfs_directory,
> -	mac_mls_create_vnode_from_vnode,
> -	mac_mls_mountfs,
> -	mac_mls_mountrootfs,
> -	mac_mls_create_mbuf_from_socket,
> -	mac_mls_create_socket,
> -	mac_mls_relabel_socket,
> -	mac_mls_create_bpfdesc,
> -	mac_mls_create_ifnet,
> -	mac_mls_create_mbuf_datagram_from_mbuf_fragmentqueue,
> -	mac_mls_create_mbuf_fragment_from_mbuf,
> -	mac_mls_create_mbuf_fragmentqueue_from_mbuf_fragment,
> -	mac_mls_create_mbuf_from_mbuf,
> -	mac_mls_create_mbuf_linklayer_for_ifnet,
> -	mac_mls_create_mbuf_from_bpfdesc,
> -	mac_mls_create_mbuf_from_ifnet,
> -	mac_mls_create_mbuf_multicast_encap_from_mbuf,
> -	mac_mls_create_mbuf_netlayer_from_mbuf,
> -	mac_mls_mbuf_fragment_matches_mbuf_fragmentqueue,
> -	mac_mls_relabel_ifnet,
> -	NULL,						/* update fragq */
> -	mac_mls_create_subject,
> -	mac_mls_execve_transition,
> -	mac_mls_execve_will_transition,
> -	mac_mls_create_proc0,
> -	mac_mls_create_proc1,
> -	mac_mls_relabel_subject,
> -	mac_mls_bpfdesc_check_receive_from_ifnet,
> -	mac_mls_cred_check_see_cred,
> -	mac_mls_cred_check_see_socket,
> -	mac_mls_cred_check_relabel_ifnet,
> -	mac_mls_cred_check_relabel_socket,
> -	mac_mls_cred_check_relabel_subject,
> -	mac_mls_cred_check_relabel_vnode,
> -	mac_mls_cred_check_statfs,
> -	mac_mls_cred_check_debug_proc,
> -	mac_mls_cred_check_exec_file,
> -	mac_mls_cred_check_chdir_vnode,
> -	mac_mls_cred_check_create_vnode,
> -	mac_mls_cred_check_delete_vnode,
> -	mac_mls_cred_check_exec_vnode,
> -	mac_mls_cred_check_open_vnode,
> -	mac_mls_cred_check_rename_from_vnode,
> -	mac_mls_cred_check_rename_to_vnode,
> -	mac_mls_cred_check_revoke_vnode,
> -	mac_mls_cred_check_search_vnode,
> -	mac_mls_cred_check_setflags_vnode,
> -	mac_mls_cred_check_setmode_vnode,
> -	mac_mls_cred_check_setowner_vnode,
> -	mac_mls_cred_check_setutimes_vnode,
> -	mac_mls_cred_check_sched_proc,
> -	mac_mls_cred_check_signal_proc,
> -	mac_mls_cred_check_stat_vnode,
> -	mac_mls_ifnet_check_send_mbuf,
> -	mac_mls_socket_check_receive_mbuf
> +	{ MAC_COPY_LABEL,
> +	    (macop_t)mac_mls_copy_label },
> +	{ MAC_DOMINATE,
> +	    (macop_t)mac_mls_single_dominate },
> +	{ MAC_EQUAL,
> +	    (macop_t)mac_mls_equal },		/* XXX */
> +	{ MAC_PRINT_LABEL,
> +	    (macop_t)mac_mls_print_label },
> +	{ MAC_VALIDATE_LABEL,
> +	    (macop_t)mac_mls_validate_label },
> +	{ MAC_CREATE_DEVFS_DEVICE,
> +	    (macop_t)mac_mls_create_devfs_device },
> +	{ MAC_CREATE_DEVFS_DIRECTORY,
> +	    (macop_t)mac_mls_create_devfs_directory },
> +	{ MAC_CREATE_VNODE_FROM_VNODE,
> +	    (macop_t)mac_mls_create_vnode_from_vnode },
> +	{ MAC_CREATE_MOUNT,
> +	    (macop_t)mac_mls_mountfs },
> +	{ MAC_CREATE_ROOT_MOUNT,
> +	    (macop_t)mac_mls_mountrootfs },
> +	{ MAC_CREATE_MBUF_FROM_SOCKET,
> +	    (macop_t)mac_mls_create_mbuf_from_socket },
> +	{ MAC_CREATE_SOCKET,
> +	    (macop_t)mac_mls_create_socket },
> +	{ MAC_RELABEL_SOCKET,
> +	    (macop_t)mac_mls_relabel_socket },
> +	{ MAC_CREATE_BPFDESC,
> +	    (macop_t)mac_mls_create_bpfdesc },
> +	{ MAC_CREATE_IFNET,
> +	    (macop_t)mac_mls_create_ifnet },
> +	{ MAC_CREATE_MBUF_DATAGRAM_FROM_MBUF_FRAGMENTQUEUE,
> +	    (macop_t)mac_mls_create_mbuf_datagram_from_mbuf_fragmentqueue },
> +	{ MAC_CREATE_MBUF_FRAGMENT_FROM_MBUF,
> +	    (macop_t)mac_mls_create_mbuf_fragment_from_mbuf },
> +	{ MAC_CREATE_MBUF_FRAGMENTQUEUE_FROM_MBUF_FRAGMENT,
> +	    (macop_t)mac_mls_create_mbuf_fragmentqueue_from_mbuf_fragment },
> +	{ MAC_CREATE_MBUF_FROM_MBUF,
> +	    (macop_t)mac_mls_create_mbuf_from_mbuf },
> +	{ MAC_CREATE_MBUF_LINKLAYER_FOR_IFNET,
> +	    (macop_t)mac_mls_create_mbuf_linklayer_for_ifnet },
> +	{ MAC_CREATE_MBUF_FROM_BPFDESC,
> +	    (macop_t)mac_mls_create_mbuf_from_bpfdesc },
> +	{ MAC_CREATE_MBUF_FROM_IFNET,
> +	    (macop_t)mac_mls_create_mbuf_from_ifnet },
> +	{ MAC_CREATE_MBUF_MULTICAST_ENCAP_FROM_MBUF,
> +	    (macop_t)mac_mls_create_mbuf_multicast_encap_from_mbuf },
> +	{ MAC_CREATE_MBUF_NETLAYER_FROM_MBUF,
> +	    (macop_t)mac_mls_create_mbuf_netlayer_from_mbuf },
> +	{ MAC_MBUF_FRAGMENT_MATCHES_MBUF_FRAGMENTQUEUE,
> +	    (macop_t)mac_mls_mbuf_fragment_matches_mbuf_fragmentqueue },
> +	{ MAC_RELABEL_IFNET,
> +	    (macop_t)mac_mls_relabel_ifnet },
> +	{ MAC_CREATE_SUBJECT,
> +	    (macop_t)mac_mls_create_subject },
> +	{ MAC_EXECVE_TRANSITION,
> +	    (macop_t)mac_mls_execve_transition },
> +	{ MAC_EXECVE_WILL_TRANSITION,
> +	    (macop_t)mac_mls_execve_will_transition },
> +	{ MAC_CREATE_PROC0,
> +	    (macop_t)mac_mls_create_proc0 },
> +	{ MAC_CREATE_PROC1,
> +	    (macop_t)mac_mls_create_proc1 },
> +	{ MAC_RELABEL_SUBJECT,
> +	    (macop_t)mac_mls_relabel_subject },
> +	{ MAC_BPFDESC_CHECK_RECEIVE_FROM_IFNET,
> +	    (macop_t)mac_mls_bpfdesc_check_receive_from_ifnet },
> +	{ MAC_CRED_CHECK_SEE_CRED,
> +	    (macop_t)mac_mls_cred_check_see_cred },
> +	{ MAC_CRED_CHECK_SEE_SOCKET,
> +	    (macop_t)mac_mls_cred_check_see_socket },
> +	{ MAC_CRED_CHECK_RELABEL_IFNET,
> +	    (macop_t)mac_mls_cred_check_relabel_ifnet },
> +	{ MAC_CRED_CHECK_RELABEL_SOCKET,
> +	    (macop_t)mac_mls_cred_check_relabel_socket },
> +	{ MAC_CRED_CHECK_RELABEL_SUBJECT,
> +	    (macop_t)mac_mls_cred_check_relabel_subject },
> +	{ MAC_CRED_CHECK_RELABEL_VNODE,
> +	    (macop_t)mac_mls_cred_check_relabel_vnode },
> +	{ MAC_CRED_CHECK_STATFS,
> +	    (macop_t)mac_mls_cred_check_statfs },
> +	{ MAC_CRED_CHECK_DEBUG_PROC,
> +	    (macop_t)mac_mls_cred_check_debug_proc },
> +	{ MAC_CRED_CHECK_EXEC_FILE,
> +	    (macop_t)mac_mls_cred_check_exec_file },
> +	{ MAC_CRED_CHECK_CHDIR_VNODE,
> +	    (macop_t)mac_mls_cred_check_chdir_vnode },
> +	{ MAC_CRED_CHECK_CREATE_VNODE,
> +	    (macop_t)mac_mls_cred_check_create_vnode },
> +	{ MAC_CRED_CHECK_DELETE_VNODE,
> +	    (macop_t)mac_mls_cred_check_delete_vnode },
> +	{ MAC_CRED_CHECK_EXEC_VNODE,
> +	    (macop_t)mac_mls_cred_check_exec_vnode },
> +	{ MAC_CRED_CHECK_OPEN_VNODE,
> +	    (macop_t)mac_mls_cred_check_open_vnode },
> +	{ MAC_CRED_CHECK_RENAME_FROM_VNODE,
> +	    (macop_t)mac_mls_cred_check_rename_from_vnode },
> +	{ MAC_CRED_CHECK_RENAME_TO_VNODE,
> +	    (macop_t)mac_mls_cred_check_rename_to_vnode },
> +	{ MAC_CRED_CHECK_REVOKE_VNODE,
> +	    (macop_t)mac_mls_cred_check_revoke_vnode },
> +	{ MAC_CRED_CHECK_SEARCH_VNODE,
> +	    (macop_t)mac_mls_cred_check_search_vnode },
> +	{ MAC_CRED_CHECK_SETFLAGS_VNODE,
> +	    (macop_t)mac_mls_cred_check_setflags_vnode },
> +	{ MAC_CRED_CHECK_SETMODE_VNODE,
> +	    (macop_t)mac_mls_cred_check_setmode_vnode },
> +	{ MAC_CRED_CHECK_SETOWNER_VNODE,
> +	    (macop_t)mac_mls_cred_check_setowner_vnode },
> +	{ MAC_CRED_CHECK_SETUTIMES_VNODE,
> +	    (macop_t)mac_mls_cred_check_setutimes_vnode },
> +	{ MAC_CRED_CHECK_SCHED_PROC,
> +	    (macop_t)mac_mls_cred_check_sched_proc },
> +	{ MAC_CRED_CHECK_SIGNAL_PROC,
> +	    (macop_t)mac_mls_cred_check_signal_proc },
> +	{ MAC_CRED_CHECK_STAT_VNODE,
> +	    (macop_t)mac_mls_cred_check_stat_vnode },
> +	{ MAC_IFNET_CHECK_SEND_MBUF,
> +	    (macop_t)mac_mls_ifnet_check_send_mbuf },
> +	{ MAC_SOCKET_CHECK_RECEIVE_MBUF,
> +	    (macop_t)mac_mls_socket_check_receive_mbuf },
> +	{ MAC_OP_LAST, NULL }
>  };
>  
>  MAC_POLICY_SET(mac_mls_ops, trustedbsd_mac_mls, "TrustedBSD MAC/MLS", 1);
> 
> ==== //depot/projects/trustedbsd/mac/sys/security/mac_none/mac_none.c#20 (text+ko) ====
> 
> @@ -586,71 +586,135 @@
>  	return (0);
>  }
>  
> -static struct mac_policy_ops mac_none_ops =
> +static struct mac_policy_op_entry mac_none_ops[] =
>  {
> -	mac_none_destroy,
> -	mac_none_init,
> -	mac_none_copy_label,
> -	mac_none_dominate,
> -	mac_none_equal,
> -	mac_none_print_label,
> -	mac_none_validate_label,
> -	mac_none_create_devfs_device,
> -	mac_none_create_devfs_directory,
> -	mac_none_create_vnode_from_vnode,
> -	mac_none_mountfs,
> -	mac_none_mountrootfs,
> -	mac_none_create_mbuf_from_socket,
> -	mac_none_create_socket,
> -	mac_none_relabel_socket,
> -	mac_none_create_bpfdesc,
> -	mac_none_create_ifnet,
> -	mac_none_create_mbuf_datagram_from_mbuf_fragmentqueue,
> -	mac_none_create_mbuf_fragment_from_mbuf,
> -	mac_none_create_mbuf_fragmentqueue_from_mbuf_fragment,
> -	mac_none_create_mbuf_from_mbuf,
> -	mac_none_create_mbuf_linklayer_for_ifnet,
> -	mac_none_create_mbuf_from_bpfdesc,
> -	mac_none_create_mbuf_from_ifnet,
> -	mac_none_create_mbuf_multicast_encap_from_mbuf,
> -	mac_none_create_mbuf_netlayer_from_mbuf,
> -	mac_none_mbuf_fragment_matches_mbuf_fragmentqueue,
> -	mac_none_relabel_ifnet,
> -	mac_none_update_mbuf_fragmentqueue_from_mbuf_fragment,
> -	mac_none_create_subject,
> -	mac_none_execve_transition,
> -	mac_none_execve_will_transition,
> -	mac_none_create_proc0,
> -	mac_none_create_proc1,
> -	mac_none_relabel_subject,
> -	mac_none_bpfdesc_check_receive_from_ifnet,
> -	mac_none_cred_check_see_cred,
> -	mac_none_cred_check_see_socket,
> -	mac_none_cred_check_relabel_ifnet,
> -	mac_none_cred_check_relabel_socket,
> -	mac_none_cred_check_relabel_subject,
> -	mac_none_cred_check_relabel_vnode,
> -	mac_none_cred_check_statfs,
> -	mac_none_cred_check_debug_proc,
> -	mac_none_cred_check_exec_file,
> -	mac_none_cred_check_chdir_vnode,
> -	mac_none_cred_check_create_vnode,
> -	mac_none_cred_check_delete_vnode,
> -	mac_none_cred_check_exec_vnode,
> -	mac_none_cred_check_open_vnode,
> -	mac_none_cred_check_rename_from_vnode,
> -	mac_none_cred_check_rename_to_vnode,
> -	mac_none_cred_check_revoke_vnode,
> -	mac_none_cred_check_search_vnode,
> -	mac_none_cred_check_setflags_vnode,
> -	mac_none_cred_check_setmode_vnode,
> -	mac_none_cred_check_setowner_vnode,
> -	mac_none_cred_check_setutimes_vnode,
> -	mac_none_cred_check_sched_proc,
> -	mac_none_cred_check_signal_proc,
> -	mac_none_cred_check_stat_vnode,
> -	mac_none_ifnet_check_send_mbuf,
> -	mac_none_socket_check_receive_mbuf
> +	{ MAC_DESTROY,
> +	    (macop_t)mac_none_destroy },
> +	{ MAC_INIT,
> +	    (macop_t)mac_none_init },
> +	{ MAC_COPY_LABEL,
> +	    (macop_t)mac_none_copy_label },
> +	{ MAC_DOMINATE,
> +	    (macop_t)mac_none_dominate },
> +	{ MAC_EQUAL,
> +	    (macop_t)mac_none_equal },
> +	{ MAC_PRINT_LABEL,
> +	    (macop_t)mac_none_print_label },
> +	{ MAC_VALIDATE_LABEL,
> +	    (macop_t)mac_none_validate_label },
> +	{ MAC_CREATE_DEVFS_DEVICE,
> +	    (macop_t)mac_none_create_devfs_device },
> +	{ MAC_CREATE_DEVFS_DIRECTORY,
> +	    (macop_t)mac_none_create_devfs_directory },
> +	{ MAC_CREATE_VNODE_FROM_VNODE,
> +	    (macop_t)mac_none_create_vnode_from_vnode },
> +	{ MAC_CREATE_MOUNT,
> +	    (macop_t)mac_none_mountfs },
> +	{ MAC_CREATE_ROOT_MOUNT,
> +	    (macop_t)mac_none_mountrootfs },
> +	{ MAC_CREATE_MBUF_FROM_SOCKET,
> +	    (macop_t)mac_none_create_mbuf_from_socket },
> +	{ MAC_CREATE_SOCKET,
> +	    (macop_t)mac_none_create_socket },
> +	{ MAC_RELABEL_SOCKET,
> +	    (macop_t)mac_none_relabel_socket },
> +	{ MAC_CREATE_BPFDESC,
> +	    (macop_t)mac_none_create_bpfdesc },
> +	{ MAC_CREATE_IFNET,
> +	    (macop_t)mac_none_create_ifnet },
> +	{ MAC_CREATE_MBUF_DATAGRAM_FROM_MBUF_FRAGMENTQUEUE,
> +	    (macop_t)mac_none_create_mbuf_datagram_from_mbuf_fragmentqueue },
> +	{ MAC_CREATE_MBUF_FRAGMENT_FROM_MBUF,
> +	    (macop_t)mac_none_create_mbuf_fragment_from_mbuf },
> +	{ MAC_CREATE_MBUF_FRAGMENTQUEUE_FROM_MBUF_FRAGMENT,
> +	    (macop_t)mac_none_create_mbuf_fragmentqueue_from_mbuf_fragment },
> +	{ MAC_CREATE_MBUF_FROM_MBUF,
> +	    (macop_t)mac_none_create_mbuf_from_mbuf },
> +	{ MAC_CREATE_MBUF_LINKLAYER_FOR_IFNET,
> +	    (macop_t)mac_none_create_mbuf_linklayer_for_ifnet },
> +	{ MAC_CREATE_MBUF_FROM_BPFDESC,
> +	    (macop_t)mac_none_create_mbuf_from_bpfdesc },
> +	{ MAC_CREATE_MBUF_FROM_IFNET,
> +	    (macop_t)mac_none_create_mbuf_from_ifnet },
> +	{ MAC_CREATE_MBUF_MULTICAST_ENCAP_FROM_MBUF,
> +	    (macop_t)mac_none_create_mbuf_multicast_encap_from_mbuf },
> +	{ MAC_CREATE_MBUF_NETLAYER_FROM_MBUF,
> +	    (macop_t)mac_none_create_mbuf_netlayer_from_mbuf },
> +	{ MAC_MBUF_FRAGMENT_MATCHES_MBUF_FRAGMENTQUEUE,
> +	    (macop_t)mac_none_mbuf_fragment_matches_mbuf_fragmentqueue },
> +	{ MAC_RELABEL_IFNET,
> +	    (macop_t)mac_none_relabel_ifnet },
> +	{ MAC_UPDATE_MBUF_FRAGMENTQUEUE_FROM_MBUF_FRAGMENT,
> +	    (macop_t)mac_none_update_mbuf_fragmentqueue_from_mbuf_fragment },
> +	{ MAC_CREATE_SUBJECT,
> +	    (macop_t)mac_none_create_subject },
> +	{ MAC_EXECVE_TRANSITION,
> +	    (macop_t)mac_none_execve_transition },
> +	{ MAC_EXECVE_WILL_TRANSITION,
> +	    (macop_t)mac_none_execve_will_transition },
> +	{ MAC_CREATE_PROC0,
> +	    (macop_t)mac_none_create_proc0 },
> +	{ MAC_CREATE_PROC1,
> +	    (macop_t)mac_none_create_proc1 },
> +	{ MAC_RELABEL_SUBJECT,
> +	    (macop_t)mac_none_relabel_subject },
> +	{ MAC_BPFDESC_CHECK_RECEIVE_FROM_IFNET,
> +	    (macop_t)mac_none_bpfdesc_check_receive_from_ifnet },
> +	{ MAC_CRED_CHECK_SEE_CRED,
> +	    (macop_t)mac_none_cred_check_see_cred },
> +	{ MAC_CRED_CHECK_SEE_SOCKET,
> +	    (macop_t)mac_none_cred_check_see_socket },
> +	{ MAC_CRED_CHECK_RELABEL_IFNET,
> +	    (macop_t)mac_none_cred_check_relabel_ifnet },
> +	{ MAC_CRED_CHECK_RELABEL_SOCKET,
> +	    (macop_t)mac_none_cred_check_relabel_socket },
> +	{ MAC_CRED_CHECK_RELABEL_SUBJECT,
> +	    (macop_t)mac_none_cred_check_relabel_subject },
> +	{ MAC_CRED_CHECK_RELABEL_VNODE,
> +	    (macop_t)mac_none_cred_check_relabel_vnode },
> +	{ MAC_CRED_CHECK_STATFS,
> +	    (macop_t)mac_none_cred_check_statfs },
> +	{ MAC_CRED_CHECK_DEBUG_PROC,
> +	    (macop_t)mac_none_cred_check_debug_proc },
> +	{ MAC_CRED_CHECK_EXEC_FILE,
> +	    (macop_t)mac_none_cred_check_exec_file },
> +	{ MAC_CRED_CHECK_CHDIR_VNODE,
> +	    (macop_t)mac_none_cred_check_chdir_vnode },
> +	{ MAC_CRED_CHECK_CREATE_VNODE,
> +	    (macop_t)mac_none_cred_check_create_vnode },
> +	{ MAC_CRED_CHECK_DELETE_VNODE,
> +	    (macop_t)mac_none_cred_check_delete_vnode },
> +	{ MAC_CRED_CHECK_EXEC_VNODE,
> +	    (macop_t)mac_none_cred_check_exec_vnode },
> +	{ MAC_CRED_CHECK_OPEN_VNODE,
> +	    (macop_t)mac_none_cred_check_open_vnode },
> +	{ MAC_CRED_CHECK_RENAME_FROM_VNODE,
> +	    (macop_t)mac_none_cred_check_rename_from_vnode },
> +	{ MAC_CRED_CHECK_RENAME_TO_VNODE,
> +	    (macop_t)mac_none_cred_check_rename_to_vnode },
> +	{ MAC_CRED_CHECK_REVOKE_VNODE,
> +	    (macop_t)mac_none_cred_check_revoke_vnode },
> +	{ MAC_CRED_CHECK_SEARCH_VNODE,
> +	    (macop_t)mac_none_cred_check_search_vnode },
> +	{ MAC_CRED_CHECK_SETFLAGS_VNODE,
> +	    (macop_t)mac_none_cred_check_setflags_vnode },
> +	{ MAC_CRED_CHECK_SETMODE_VNODE,
> +	    (macop_t)mac_none_cred_check_setmode_vnode },
> +	{ MAC_CRED_CHECK_SETOWNER_VNODE,
> +	    (macop_t)mac_none_cred_check_setowner_vnode },
> +	{ MAC_CRED_CHECK_SETUTIMES_VNODE,
> +	    (macop_t)mac_none_cred_check_setutimes_vnode },
> +	{ MAC_CRED_CHECK_SCHED_PROC,
> +	    (macop_t)mac_none_cred_check_sched_proc },
> +	{ MAC_CRED_CHECK_SIGNAL_PROC,
> +	    (macop_t)mac_none_cred_check_signal_proc },
> +	{ MAC_CRED_CHECK_STAT_VNODE,
> +	    (macop_t)mac_none_cred_check_stat_vnode },
> +	{ MAC_IFNET_CHECK_SEND_MBUF,
> +	    (macop_t)mac_none_ifnet_check_send_mbuf },
> +	{ MAC_SOCKET_CHECK_RECEIVE_MBUF,
> +	    (macop_t)mac_none_socket_check_receive_mbuf },
> +	{ MAC_OP_LAST, NULL }
>  };
>  
>  MAC_POLICY_SET(mac_none_ops, trustedbsd_mac_none, "TrustedBSD MAC/None", 0);
> 
> ==== //depot/projects/trustedbsd/mac/sys/security/mac_seeotheruids/mac_seeotheruids.c#6 (text+ko) ====
> 
> @@ -157,71 +157,19 @@
>  	return (mac_seeotheruids_check(cred, proc->p_ucred));
>  }
>  
> -static struct mac_policy_ops mac_seeotheruids_ops =
> +static struct mac_policy_op_entry mac_seeotheruids_ops[] =
>  {
> -	NULL,
> -	NULL,
> -	NULL,
> -	NULL,
> -	NULL,
> -	NULL,
> -	NULL,
> -	NULL,
> -	NULL,
> -	NULL,
> -	NULL,
> -	NULL,
> -	NULL,
> -	NULL,
> -	NULL,
> -	NULL,
> -	NULL,
> -	NULL,
> -	NULL,
> -	NULL,
> -	NULL,
> -	NULL,
> -	NULL,
> -	NULL,
> -	NULL,
> -	NULL,
> -	NULL,
> -	NULL,
> -	NULL,
> -	NULL,
> -	NULL,
> -	NULL,
> -	NULL,
> -	NULL,
> -	NULL,
> -	NULL,
> -	mac_seeotheruids_cred_check_see_cred,
> -	mac_seeotheruids_cred_check_see_socket,
> -	NULL,
> -	NULL,
> -	NULL,
> -	NULL,
> -	NULL,
> -	mac_seeotheruids_cred_check_debug_proc,
> -	NULL,
> -	NULL,
> -	NULL,
> -	NULL,
> -	NULL,
> -	NULL,
> -	NULL,
> -	NULL,
> -	NULL,
> -	NULL,
> -	NULL,
> -	NULL,
> -	NULL,
> -	NULL,
> -	mac_seeotheruids_cred_check_sched_proc,
> -	mac_seeotheruids_cred_check_signal_proc,
> -	NULL,
> -	NULL,
> -	NULL,
> +	{ MAC_CRED_CHECK_SEE_CRED,
> +	    (macop_t)mac_seeotheruids_cred_check_see_cred },
> +	{ MAC_CRED_CHECK_SEE_SOCKET,
> +	    (macop_t)mac_seeotheruids_cred_check_see_socket },
> +	{ MAC_CRED_CHECK_DEBUG_PROC,
> +	    (macop_t)mac_seeotheruids_cred_check_debug_proc },
> +	{ MAC_CRED_CHECK_SCHED_PROC,
> +	    (macop_t)mac_seeotheruids_cred_check_sched_proc },
> +	{ MAC_CRED_CHECK_SIGNAL_PROC,
> +	    (macop_t)mac_seeotheruids_cred_check_signal_proc },
> +	{ MAC_OP_LAST, NULL }
>  };
>  
>  MAC_POLICY_SET(mac_seeotheruids_ops, trustedbsd_mac_seeotheruids,
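Review bot: Every entry in mac_seeotheruids_ops casts its handler through `(macop_t)`, so a handler whose parameter list drifts from what the framework passes for that MAC_* operation still compiles and is then invoked with misinterpreted arguments — for an access-control check that is a silent wrong-answer failure rather than a crash. The table should carry a comment stating the contract the cast removes, e.g. `/* Each handler must match the argument list the framework passes for its MAC_* op; the macop_t cast disables the type checking the old struct provided. */`, here and at the equivalent tables in mac_none.c and mac_te.c. One way to recover a compile-time check without changing the table's shape would be a per-operation wrapper macro that first assigns the handler to a function pointer of the expected prototype before the generic cast; whether the framework headers provide such a thing is not visible in this hunk. The `MAC_POLICY_SET` invocation on the last line continues outside the hunk.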
> 
> ==== //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.c#20 (text+ko) ====
> 
> @@ -1039,71 +1039,127 @@
>  	return (error);
>  }
>  
> -static struct mac_policy_ops mac_te_ops =
> +static struct mac_policy_op_entry mac_te_ops[] =
>  {
> -	NULL,
> -	NULL,
> -	mac_te_copy_label,
> -	NULL,
> -	mac_te_equal,
> -	mac_te_print_label,
> -	mac_te_validate_label,
> -	mac_te_create_devfs_device,
> -	mac_te_create_devfs_directory,
> -	mac_te_create_vnode_from_vnode,
> -	mac_te_mountfs,
> -	mac_te_mountrootfs,
> -	mac_te_create_mbuf_from_socket,
> -	mac_te_create_socket,
> -	mac_te_relabel_socket,
> -	mac_te_create_bpfdesc,
> -	mac_te_create_ifnet,
> -	mac_te_create_mbuf_datagram_from_mbuf_fragmentqueue,
> -	mac_te_create_mbuf_fragment_from_mbuf,
> -	mac_te_create_mbuf_fragmentqueue_from_mbuf_fragment,
> -	mac_te_create_mbuf_from_mbuf,
> -	mac_te_create_mbuf_linklayer_for_ifnet,
> -	mac_te_create_mbuf_from_bpfdesc,
> -	mac_te_create_mbuf_from_ifnet,
> -	mac_te_create_mbuf_multicast_encap_from_mbuf,
> -	mac_te_create_mbuf_netlayer_from_mbuf,
> -	mac_te_mbuf_fragment_matches_mbuf_fragmentqueue,
> -	mac_te_relabel_ifnet,
> -	NULL,						/* update fragq */
> -	mac_te_create_subject,
> -	mac_te_execve_transition,
> -	mac_te_execve_will_transition,
> -	mac_te_create_proc0,
> -	mac_te_create_proc1,
> -	mac_te_relabel_subject,
> -	mac_te_bpfdesc_check_receive_from_ifnet,
> -	mac_te_cred_check_see_cred,
> -	mac_te_cred_check_see_socket,
> -	mac_te_cred_check_relabel_ifnet,
> -	mac_te_cred_check_relabel_socket,
> -	mac_te_cred_check_relabel_subject,
> -	mac_te_cred_check_relabel_vnode,
> -	mac_te_cred_check_statfs,
> -	mac_te_cred_check_debug_proc,
> -	mac_te_cred_check_exec_file,
> -	mac_te_cred_check_chdir_vnode,
> -	mac_te_cred_check_create_vnode,
> -	mac_te_cred_check_delete_vnode,
> -	mac_te_cred_check_exec_vnode,
> -	mac_te_cred_check_open_vnode,
> -	mac_te_cred_check_rename_from_vnode,
> 
> >>> TRUNCATED FOR MAIL (1000 lines) <<<
> 





