From owner-p4-projects Sat Oct 5 12: 7:22 2002
Date: Sat, 5 Oct 2002 12:06:53 -0700 (PDT)
Message-Id: <200210051906.g95J6rCl039935@freefall.freebsd.org>
From: Robert Watson
Subject: PERFORCE change 18750 for review
To: Perforce Change Reviews
Sender: owner-p4-projects@FreeBSD.ORG
Precedence: bulk

http://people.freebsd.org/~peter/p4db/chv.cgi?CH=18750

Change 18750 by rwatson@rwatson_tislabs on 2002/10/05 12:05:57

	Integ 5.0-CURRENT into TrustedBSD base.  Mostly this is loop-back
	MAC changes getting flushed through the main tree, including:
	- mac_check_vnode_link()
	- mac_create_devfs_vnode()
	Also some code reorg and cleanup.

Affected files ...

.. //depot/projects/trustedbsd/base/etc/MAKEDEV#17 integrate
.. //depot/projects/trustedbsd/base/release/doc/en_US.ISO8859-1/hardware/common/dev.sgml#26 integrate
.. //depot/projects/trustedbsd/base/release/doc/en_US.ISO8859-1/relnotes/common/new.sgml#42 integrate
.. //depot/projects/trustedbsd/base/sys/conf/bsd.kern.mk#2 delete
.. //depot/projects/trustedbsd/base/sys/fs/devfs/devfs_vnops.c#14 integrate
.. //depot/projects/trustedbsd/base/sys/geom/geom_bsd.c#10 integrate
.. //depot/projects/trustedbsd/base/sys/kern/kern_conf.c#10 integrate
.. //depot/projects/trustedbsd/base/sys/kern/kern_mac.c#15 integrate
.. //depot/projects/trustedbsd/base/sys/kern/vfs_syscalls.c#32 integrate
.. //depot/projects/trustedbsd/base/sys/security/mac_biba/mac_biba.c#7 integrate
.. //depot/projects/trustedbsd/base/sys/security/mac_bsdextended/mac_bsdextended.c#3 integrate
.. //depot/projects/trustedbsd/base/sys/security/mac_mls/mac_mls.c#7 integrate
.. //depot/projects/trustedbsd/base/sys/security/mac_none/mac_none.c#6 integrate
.. //depot/projects/trustedbsd/base/sys/security/mac_test/mac_test.c#6 integrate
.. //depot/projects/trustedbsd/base/sys/sys/mac.h#7 integrate
.. //depot/projects/trustedbsd/base/sys/sys/mac_policy.h#9 integrate

Differences ...

==== //depot/projects/trustedbsd/base/etc/MAKEDEV#17 (text+ko) ====
@@ -20,7 +20,7 @@ # MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. # # @(#)MAKEDEV 5.2 (Berkeley) 6/22/90 -# $FreeBSD: src/etc/MAKEDEV,v 1.329 2002/10/04 20:44:46 sam Exp $ +# $FreeBSD: src/etc/MAKEDEV,v 1.330 2002/10/05 18:28:48 scottl Exp $ # # Device "make" file. Valid arguments: # all makes all known devices, standard number of units (or close) @@ -44,7 +44,6 @@ # fd* floppy disk drives (3 1/2", 5 1/4") # fla* M-Systems DiskOnChip # idad* Compaq Smart-2 RAID arrays -# matcd* Matsushita (Panasonic) CD-ROM disks # mcd* Mitsumi CD-ROM disks # md* Memory (or malloc) disk # mlx* Mylex DAC960 RAID controllers @@ -314,7 +313,7 @@ sh $0 acd0 acd0t0 afd0 ast0 # ATAPI devices sh $0 wd0 wd1 wd2 wd3 # OLD disk sh $0 wcd0 wfd0 wst0 # OLD ATAPI devs - sh $0 cd0 matcd0 mcd0 scd0 # cdrom + sh $0 cd0 mcd0 scd0 # cdrom sh $0 sa0 wt0 # tape sh $0 vty12 # virtual tty sh $0 cuaa0 cuaa1 cuaa2 cuaa3 # serial tty @@ -853,36 +852,6 @@ umask 77 ;; -matcd*) - umask 2 - case $i in - matcd*) unit=`expr $i : '.....\(.*\)'`; name=matcd; chr=46;; - esac - case $unit in - 0|1|2|3|4|5|6|7|8|9|10|11|12|13|14|15) - mknod ${name}${unit}a c $chr $(($unit * 8 + 0)) \ - root:operator - mknod ${name}${unit}c c $chr $(($unit * 8 + 2)) \ - root:operator - ln -f ${name}${unit}a r${name}${unit}a - ln -f ${name}${unit}c r${name}${unit}c - chmod 640 ${name}${unit}[a-h] r${name}${unit}[a-h] - - mknod ${name}${unit}la c $chr $(($unit * 8 + 128)) \ - root:operator - mknod ${name}${unit}lc c $chr $(($unit * 8 + 130)) \ - root:operator - ln -f ${name}${unit}la r${name}${unit}la - ln -f ${name}${unit}lc r${name}${unit}lc - chmod 640 ${name}${unit}l[a-h] r${name}${unit}l[a-h] - ;; - *) - echo bad unit for disk in: $i - ;; - esac - umask 77 - ;; - wcd*) umask 2 ; unit=`expr $i : '...\(.*\)'` ==== //depot/projects/trustedbsd/base/release/doc/en_US.ISO8859-1/hardware/common/dev.sgml#26 (text+ko) ==== 
@@ -31,7 +31,7 @@ - $FreeBSD: src/release/doc/en_US.ISO8859-1/hardware/common/dev.sgml,v 1.105 2002/10/04 16:53:39 bmah Exp $ + $FreeBSD: src/release/doc/en_US.ISO8859-1/hardware/common/dev.sgml,v 1.106 2002/10/05 17:23:18 bmah Exp $ Supported Devices @@ -3041,6 +3041,41 @@ + Cryptographic Accelerators + + Accelerators based on + the Hifn 7751, 7811, or 7951 chipsets (&man.hifn.4; driver) + + + + Invertex AEON + + + Hifn 7751 reference board + + + Global Technologies Group PowerCrypt and XL-Crypt + + + NetSec 7751 + + + Soekris Engineering vpn1201 and vpn1211 + + + + + Accelerators based on + the Bluesteel 5501 or 5601 chipsets (&man.ubsec.4; + driver) + + Accelerators based on + the Broadcom BCM5801, BCM5802, BCM5805, BCM5820, BCM 5821, + BCM5822 chipsets (&man.ubsec.4; driver) + + + + Miscellaneous FAX-Modem/PCCARD ==== //depot/projects/trustedbsd/base/release/doc/en_US.ISO8859-1/relnotes/common/new.sgml#42 (text+ko) ==== @@ -3,7 +3,7 @@ The FreeBSD Project - $FreeBSD: src/release/doc/en_US.ISO8859-1/relnotes/common/new.sgml,v 1.430 2002/10/04 16:53:12 bmah Exp $ + $FreeBSD: src/release/doc/en_US.ISO8859-1/relnotes/common/new.sgml,v 1.431 2002/10/05 17:22:22 bmah Exp $ 2000 @@ -111,6 +111,14 @@ The &man.agp.4; driver for AGP devices has been added. &merged; + A new in-kernel cryptographic framework (see &man.crypto.4; + and &man.crypto.9;) has been imported from OpenBSD. It provides + a consistent interface to hardware and software implementations + of cryptographic algorithms for use by the kernel and access to + cryptographic hardware for user-mode applications. + Hardware device drivers are provided to support hifn-based cards + (&man.hifn.4;) and Broadcom-based cards (&man.ubsec.4;). + A new &man.ddb.4; command show pcpu lists some of the per-CPU data. 
@@ -469,12 +477,11 @@ The &os; kernel scheduler now supports Kernel-Scheduled Entities (KSEs), which provides support for multiple threads of - execution per process similar to Schedular Activations. At this + execution per process similar to Scheduler Activations. At this point, the kernel has most of the changes needed to support threading. The kernel scheduler can schedule multiple threads per - process, but only on a single CPU at a time. Support for - userland programs to create and utilize multiple threads is not - yet completed. + process, but only on a single CPU at a time. More information + can be found in &man.kse.2;. KSE is a work in progress. @@ -3670,7 +3677,7 @@ less has been imported. An XML processing library, named - libbsdxml has been added for the benefit + libbsdxml, has been added for the benefit of XML-using utilities in the base system. It is based almost entirely on an import of expat 1.95.5, but is installed under a different name to avoid ==== //depot/projects/trustedbsd/base/sys/fs/devfs/devfs_vnops.c#14 (text+ko) ==== @@ -31,7 +31,7 @@ * @(#)kernfs_vnops.c 8.15 (Berkeley) 5/21/95 * From: FreeBSD: src/sys/miscfs/kernfs/kernfs_vnops.c 1.43 * - * $FreeBSD: src/sys/fs/devfs/devfs_vnops.c,v 1.49 2002/10/01 10:08:08 phk Exp $ + * $FreeBSD: src/sys/fs/devfs/devfs_vnops.c,v 1.50 2002/10/05 18:40:10 rwatson Exp $ */ /* @@ -868,12 +868,11 @@ MALLOC(de->de_symlink, char *, i, M_DEVFS, M_WAITOK); bcopy(ap->a_target, de->de_symlink, i); lockmgr(&dmp->dm_lock, LK_EXCLUSIVE, 0, curthread); +#ifdef MAC + mac_create_devfs_symlink(ap->a_cnp->cn_cred, dd, de); +#endif TAILQ_INSERT_TAIL(&dd->de_dlist, de, de_list); devfs_allocv(de, ap->a_dvp->v_mount, ap->a_vpp, 0); -#ifdef MAC - mac_create_vnode(ap->a_cnp->cn_cred, ap->a_dvp, *ap->a_vpp); - mac_update_devfsdirent(de, *ap->a_vpp); -#endif /* MAC */ lockmgr(&dmp->dm_lock, LK_RELEASE, 0, curthread); return (0); } ==== //depot/projects/trustedbsd/base/sys/geom/geom_bsd.c#10 (text+ko) ==== 
@@ -32,7 +32,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $FreeBSD: src/sys/geom/geom_bsd.c,v 1.24 2002/09/30 08:59:59 phk Exp $ + * $FreeBSD: src/sys/geom/geom_bsd.c,v 1.25 2002/10/05 18:52:06 phk Exp $ * * This is the method for dealing with BSD disklabels. It has been * extensively (by my standards at least) commented, in the vain hope that @@ -103,7 +103,7 @@ d->d_type = g_dec_le2(ptr + 4); d->d_subtype = g_dec_le2(ptr + 6); bcopy(ptr + 8, d->d_typename, 16); - bcopy(d->d_packname, ptr + 24, 16); + bcopy(ptr + 24, d->d_packname, 16); d->d_secsize = g_dec_le4(ptr + 40); d->d_nsectors = g_dec_le4(ptr + 44); d->d_ntracks = g_dec_le4(ptr + 48); ==== //depot/projects/trustedbsd/base/sys/kern/kern_conf.c#10 (text+ko) ==== @@ -23,7 +23,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $FreeBSD: src/sys/kern/kern_conf.c,v 1.111 2002/09/27 18:27:09 phk Exp $ + * $FreeBSD: src/sys/kern/kern_conf.c,v 1.112 2002/10/05 17:10:28 green Exp $ */ #include @@ -436,6 +436,8 @@ u *= 10; u += name[i++] - '0'; } + if (u > 0xffffff) + return (0); *unit = u; if (namep) *namep = &name[i]; ==== //depot/projects/trustedbsd/base/sys/kern/kern_mac.c#15 (text+ko) ==== @@ -36,7 +36,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $FreeBSD: src/sys/kern/kern_mac.c,v 1.33 2002/10/05 16:57:16 rwatson Exp $ + * $FreeBSD: src/sys/kern/kern_mac.c,v 1.38 2002/10/05 18:40:10 rwatson Exp $ */ /* * Developed by the TrustedBSD Project. @@ -519,6 +519,10 @@ mpc->mpc_ops->mpo_create_devfs_directory = mpe->mpe_function; break; + case MAC_CREATE_DEVFS_SYMLINK: + mpc->mpc_ops->mpo_create_devfs_symlink = + mpe->mpe_function; + break; case MAC_CREATE_DEVFS_VNODE: mpc->mpc_ops->mpo_create_devfs_vnode = mpe->mpe_function; 
@@ -799,6 +803,10 @@ mpc->mpc_ops->mpo_check_vnode_getextattr = mpe->mpe_function; break; + case MAC_CHECK_VNODE_LINK: + mpc->mpc_ops->mpo_check_vnode_link = + mpe->mpe_function; + break; case MAC_CHECK_VNODE_LOOKUP: mpc->mpc_ops->mpo_check_vnode_lookup = mpe->mpe_function; @@ -1043,28 +1051,14 @@ mac->m_macflags = MAC_FLAG_INITIALIZED; } -int -mac_init_mbuf(struct mbuf *m, int how) -{ - KASSERT(m->m_flags & M_PKTHDR, ("mac_init_mbuf on non-header mbuf")); - - /* "how" is one of M_(TRY|DONT)WAIT */ - mac_init_label(&m->m_pkthdr.label); - MAC_PERFORM(init_mbuf_label, &m->m_pkthdr.label, how); -#ifdef MAC_DEBUG - atomic_add_int(&nmacmbufs, 1); -#endif - return (0); -} - void -mac_destroy_mbuf(struct mbuf *m) +mac_init_bpfdesc(struct bpf_d *bpf_d) { - MAC_PERFORM(destroy_mbuf_label, &m->m_pkthdr.label); - mac_destroy_label(&m->m_pkthdr.label); + mac_init_label(&bpf_d->bd_label); + MAC_PERFORM(init_bpfdesc_label, &bpf_d->bd_label); #ifdef MAC_DEBUG - atomic_subtract_int(&nmacmbufs, 1); + atomic_add_int(&nmacbpfdescs, 1); #endif } @@ -1080,13 +1074,13 @@ } void -mac_destroy_cred(struct ucred *cr) +mac_init_devfsdirent(struct devfs_dirent *de) { - MAC_PERFORM(destroy_cred_label, &cr->cr_label); - mac_destroy_label(&cr->cr_label); + mac_init_label(&de->de_label); + MAC_PERFORM(init_devfsdirent_label, &de->de_label); #ifdef MAC_DEBUG - atomic_subtract_int(&nmaccreds, 1); + atomic_add_int(&nmacdevfsdirents, 1); #endif } 
@@ -1102,35 +1096,63 @@ } void -mac_destroy_ifnet(struct ifnet *ifp) +mac_init_ipq(struct ipq *ipq) +{ + + mac_init_label(&ipq->ipq_label); + MAC_PERFORM(init_ipq_label, &ipq->ipq_label); +#ifdef MAC_DEBUG + atomic_add_int(&nmacipqs, 1); +#endif +} + +int +mac_init_mbuf(struct mbuf *m, int flag) { + int error; + + KASSERT(m->m_flags & M_PKTHDR, ("mac_init_mbuf on non-header mbuf")); + + mac_init_label(&m->m_pkthdr.label); + + MAC_CHECK(init_mbuf_label, &m->m_pkthdr.label, flag); + if (error) { + MAC_PERFORM(destroy_mbuf_label, &m->m_pkthdr.label); + mac_destroy_label(&m->m_pkthdr.label); + } - MAC_PERFORM(destroy_ifnet_label, &ifp->if_label); - mac_destroy_label(&ifp->if_label); #ifdef MAC_DEBUG - atomic_subtract_int(&nmacifnets, 1); + if (error == 0) + atomic_add_int(&nmacmbufs, 1); #endif + return (error); } void -mac_init_ipq(struct ipq *ipq) +mac_init_mount(struct mount *mp) { - mac_init_label(&ipq->ipq_label); - MAC_PERFORM(init_ipq_label, &ipq->ipq_label); + mac_init_label(&mp->mnt_mntlabel); + mac_init_label(&mp->mnt_fslabel); + MAC_PERFORM(init_mount_label, &mp->mnt_mntlabel); + MAC_PERFORM(init_mount_fs_label, &mp->mnt_fslabel); #ifdef MAC_DEBUG - atomic_add_int(&nmacipqs, 1); + atomic_add_int(&nmacmounts, 1); #endif } void -mac_destroy_ipq(struct ipq *ipq) +mac_init_pipe(struct pipe *pipe) { + struct label *label; - MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label); - mac_destroy_label(&ipq->ipq_label); + label = malloc(sizeof(struct label), M_MACPIPELABEL, M_ZERO|M_WAITOK); + mac_init_label(label); + pipe->pipe_label = label; + pipe->pipe_peer->pipe_label = label; + MAC_PERFORM(init_pipe_label, pipe->pipe_label); #ifdef MAC_DEBUG - atomic_subtract_int(&nmacipqs, 1); + atomic_add_int(&nmacpipes, 1); #endif } 
@@ -1147,157 +1169,151 @@ #endif } -void -mac_destroy_socket(struct socket *socket) +static void +mac_init_temp(struct label *label) { - MAC_PERFORM(destroy_socket_label, &socket->so_label); - MAC_PERFORM(destroy_socket_peer_label, &socket->so_peerlabel); - mac_destroy_label(&socket->so_label); - mac_destroy_label(&socket->so_peerlabel); + mac_init_label(label); + MAC_PERFORM(init_temp_label, label); #ifdef MAC_DEBUG - atomic_subtract_int(&nmacsockets, 1); + atomic_add_int(&nmactemp, 1); #endif } void -mac_init_pipe(struct pipe *pipe) +mac_init_vnode(struct vnode *vp) { - struct label *label; - label = malloc(sizeof(struct label), M_MACPIPELABEL, M_ZERO|M_WAITOK); - mac_init_label(label); - pipe->pipe_label = label; - pipe->pipe_peer->pipe_label = label; - MAC_PERFORM(init_pipe_label, pipe->pipe_label); + mac_init_label(&vp->v_label); + MAC_PERFORM(init_vnode_label, &vp->v_label); #ifdef MAC_DEBUG - atomic_add_int(&nmacpipes, 1); + atomic_add_int(&nmacvnodes, 1); #endif } void -mac_destroy_pipe(struct pipe *pipe) +mac_destroy_bpfdesc(struct bpf_d *bpf_d) { - MAC_PERFORM(destroy_pipe_label, pipe->pipe_label); - mac_destroy_label(pipe->pipe_label); - free(pipe->pipe_label, M_MACPIPELABEL); + MAC_PERFORM(destroy_bpfdesc_label, &bpf_d->bd_label); + mac_destroy_label(&bpf_d->bd_label); #ifdef MAC_DEBUG - atomic_subtract_int(&nmacpipes, 1); + atomic_subtract_int(&nmacbpfdescs, 1); #endif } void -mac_init_bpfdesc(struct bpf_d *bpf_d) +mac_destroy_cred(struct ucred *cr) { - mac_init_label(&bpf_d->bd_label); - MAC_PERFORM(init_bpfdesc_label, &bpf_d->bd_label); + MAC_PERFORM(destroy_cred_label, &cr->cr_label); + mac_destroy_label(&cr->cr_label); #ifdef MAC_DEBUG - atomic_add_int(&nmacbpfdescs, 1); + atomic_subtract_int(&nmaccreds, 1); #endif } void -mac_destroy_bpfdesc(struct bpf_d *bpf_d) +mac_destroy_devfsdirent(struct devfs_dirent *de) { - MAC_PERFORM(destroy_bpfdesc_label, &bpf_d->bd_label); - mac_destroy_label(&bpf_d->bd_label); + MAC_PERFORM(destroy_devfsdirent_label, 
&de->de_label); + mac_destroy_label(&de->de_label); #ifdef MAC_DEBUG - atomic_subtract_int(&nmacbpfdescs, 1); + atomic_subtract_int(&nmacdevfsdirents, 1); #endif } void -mac_init_mount(struct mount *mp) +mac_destroy_ifnet(struct ifnet *ifp) { - mac_init_label(&mp->mnt_mntlabel); - mac_init_label(&mp->mnt_fslabel); - MAC_PERFORM(init_mount_label, &mp->mnt_mntlabel); - MAC_PERFORM(init_mount_fs_label, &mp->mnt_fslabel); + MAC_PERFORM(destroy_ifnet_label, &ifp->if_label); + mac_destroy_label(&ifp->if_label); #ifdef MAC_DEBUG - atomic_add_int(&nmacmounts, 1); + atomic_subtract_int(&nmacifnets, 1); #endif } void -mac_destroy_mount(struct mount *mp) +mac_destroy_ipq(struct ipq *ipq) { - MAC_PERFORM(destroy_mount_label, &mp->mnt_mntlabel); - MAC_PERFORM(destroy_mount_fs_label, &mp->mnt_fslabel); - mac_destroy_label(&mp->mnt_fslabel); - mac_destroy_label(&mp->mnt_mntlabel); + MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label); + mac_destroy_label(&ipq->ipq_label); #ifdef MAC_DEBUG - atomic_subtract_int(&nmacmounts, 1); + atomic_subtract_int(&nmacipqs, 1); #endif } -static void -mac_init_temp(struct label *label) +void +mac_destroy_mbuf(struct mbuf *m) { - mac_init_label(label); - MAC_PERFORM(init_temp_label, label); + MAC_PERFORM(destroy_mbuf_label, &m->m_pkthdr.label); + mac_destroy_label(&m->m_pkthdr.label); #ifdef MAC_DEBUG - atomic_add_int(&nmactemp, 1); + atomic_subtract_int(&nmacmbufs, 1); #endif } -static void -mac_destroy_temp(struct label *label) +void +mac_destroy_mount(struct mount *mp) { - MAC_PERFORM(destroy_temp_label, label); - mac_destroy_label(label); + MAC_PERFORM(destroy_mount_label, &mp->mnt_mntlabel); + MAC_PERFORM(destroy_mount_fs_label, &mp->mnt_fslabel); + mac_destroy_label(&mp->mnt_fslabel); + mac_destroy_label(&mp->mnt_mntlabel); #ifdef MAC_DEBUG - atomic_subtract_int(&nmactemp, 1); + atomic_subtract_int(&nmacmounts, 1); #endif } void -mac_init_vnode(struct vnode *vp) +mac_destroy_pipe(struct pipe *pipe) { - mac_init_label(&vp->v_label); - 
MAC_PERFORM(init_vnode_label, &vp->v_label); + MAC_PERFORM(destroy_pipe_label, pipe->pipe_label); + mac_destroy_label(pipe->pipe_label); + free(pipe->pipe_label, M_MACPIPELABEL); #ifdef MAC_DEBUG - atomic_add_int(&nmacvnodes, 1); + atomic_subtract_int(&nmacpipes, 1); #endif } void -mac_destroy_vnode(struct vnode *vp) +mac_destroy_socket(struct socket *socket) { - MAC_PERFORM(destroy_vnode_label, &vp->v_label); - mac_destroy_label(&vp->v_label); + MAC_PERFORM(destroy_socket_label, &socket->so_label); + MAC_PERFORM(destroy_socket_peer_label, &socket->so_peerlabel); + mac_destroy_label(&socket->so_label); + mac_destroy_label(&socket->so_peerlabel); #ifdef MAC_DEBUG - atomic_subtract_int(&nmacvnodes, 1); + atomic_subtract_int(&nmacsockets, 1); #endif } -void -mac_init_devfsdirent(struct devfs_dirent *de) +static void +mac_destroy_temp(struct label *label) { - mac_init_label(&de->de_label); - MAC_PERFORM(init_devfsdirent_label, &de->de_label); + MAC_PERFORM(destroy_temp_label, label); + mac_destroy_label(label); #ifdef MAC_DEBUG - atomic_add_int(&nmacdevfsdirents, 1); + atomic_subtract_int(&nmactemp, 1); #endif } void -mac_destroy_devfsdirent(struct devfs_dirent *de) +mac_destroy_vnode(struct vnode *vp) { - MAC_PERFORM(destroy_devfsdirent_label, &de->de_label); - mac_destroy_label(&de->de_label); + MAC_PERFORM(destroy_vnode_label, &vp->v_label); + mac_destroy_label(&vp->v_label); #ifdef MAC_DEBUG - atomic_subtract_int(&nmacdevfsdirents, 1); + atomic_subtract_int(&nmacvnodes, 1); #endif } 
@@ -1824,6 +1840,32 @@ } int +mac_check_vnode_link(struct ucred *cred, struct vnode *dvp, + struct vnode *vp, struct componentname *cnp) +{ + + int error; + + ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_link"); + ASSERT_VOP_LOCKED(vp, "mac_check_vnode_link"); + + if (!mac_enforce_fs) + return (0); + + error = vn_refreshlabel(dvp, cred); + if (error) + return (error); + + error = vn_refreshlabel(vp, cred); + if (error) + return (error); + + MAC_CHECK(check_vnode_link, cred, dvp, &dvp->v_label, vp, + &vp->v_label, cnp); + return (error); +} + +int mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, struct componentname *cnp) { @@ -2908,6 +2950,15 @@ MAC_PERFORM(create_devfs_device, dev, de, &de->de_label); } +void +mac_create_devfs_symlink(struct ucred *cred, struct devfs_dirent *dd, + struct devfs_dirent *de) +{ + + MAC_PERFORM(create_devfs_symlink, cred, dd, &dd->de_label, de, + &de->de_label); +} + static int mac_stdcreatevnode_ea(struct vnode *vp) { ==== //depot/projects/trustedbsd/base/sys/kern/vfs_syscalls.c#32 (text+ko) ==== @@ -36,7 +36,7 @@ * SUCH DAMAGE. * * @(#)vfs_syscalls.c 8.13 (Berkeley) 4/15/94 - * $FreeBSD: src/sys/kern/vfs_syscalls.c,v 1.289 2002/10/02 09:05:30 phk Exp $ + * $FreeBSD: src/sys/kern/vfs_syscalls.c,v 1.290 2002/10/05 18:11:32 rwatson Exp $ */ /* For 4.3 integer FS ID compatibility */ @@ -1031,7 +1031,12 @@ == 0) { VOP_LEASE(nd.ni_dvp, td, td->td_ucred, LEASE_WRITE); VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE); - error = VOP_LINK(nd.ni_dvp, vp, &nd.ni_cnd); +#ifdef MAC + error = mac_check_vnode_link(td->td_ucred, nd.ni_dvp, + vp, &nd.ni_cnd); + if (error == 0) +#endif + error = VOP_LINK(nd.ni_dvp, vp, &nd.ni_cnd); VOP_UNLOCK(vp, 0, td); } NDFREE(&nd, NDF_ONLY_PNBUF); ==== //depot/projects/trustedbsd/base/sys/security/mac_biba/mac_biba.c#7 (text+ko) ==== 
@@ -34,7 +34,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $FreeBSD: src/sys/security/mac_biba/mac_biba.c,v 1.13 2002/10/05 15:09:58 rwatson Exp $ + * $FreeBSD: src/sys/security/mac_biba/mac_biba.c,v 1.15 2002/10/05 18:56:25 rwatson Exp $ */ /* @@ -477,6 +477,18 @@ } static void +mac_biba_create_devfs_symlink(struct ucred *cred, struct devfs_dirent *dd, + struct label *ddlabel, struct devfs_dirent *de, struct label *delabel) +{ + struct mac_biba *source, *dest; + + source = SLOT(&cred->cr_label); + dest = SLOT(delabel); + + mac_biba_copy_single(source, dest); +} + +static void mac_biba_create_devfs_vnode(struct devfs_dirent *devfs_dirent, struct label *direntlabel, struct vnode *vp, struct label *vnodelabel) { @@ -1510,6 +1522,30 @@ } static int +mac_biba_check_vnode_link(struct ucred *cred, struct vnode *dvp, + struct label *dlabel, struct vnode *vp, struct label *label, + struct componentname *cnp) +{ + struct mac_biba *subj, *obj; + + if (!mac_biba_enabled) + return (0); + + subj = SLOT(&cred->cr_label); + obj = SLOT(dlabel); + + if (!mac_biba_dominate_single(subj, obj)) + return (EACCES); + + obj = SLOT(label); + + if (!mac_biba_dominate_single(subj, obj)) + return (EACCES); + + return (0); +} + +static int mac_biba_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, struct label *dlabel, struct componentname *cnp) { @@ -1959,6 +1995,8 @@ (macop_t)mac_biba_create_devfs_device }, { MAC_CREATE_DEVFS_DIRECTORY, (macop_t)mac_biba_create_devfs_directory }, + { MAC_CREATE_DEVFS_SYMLINK, + (macop_t)mac_biba_create_devfs_symlink }, { MAC_CREATE_DEVFS_VNODE, (macop_t)mac_biba_create_devfs_vnode }, { MAC_CREATE_VNODE, 
@@ -2087,6 +2125,8 @@ (macop_t)mac_biba_check_vnode_getacl }, { MAC_CHECK_VNODE_GETEXTATTR, (macop_t)mac_biba_check_vnode_getextattr }, + { MAC_CHECK_VNODE_LINK, + (macop_t)mac_biba_check_vnode_link }, { MAC_CHECK_VNODE_LOOKUP, (macop_t)mac_biba_check_vnode_lookup }, { MAC_CHECK_VNODE_OPEN, ==== //depot/projects/trustedbsd/base/sys/security/mac_bsdextended/mac_bsdextended.c#3 (text+ko) ==== @@ -34,7 +34,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $FreeBSD: src/sys/security/mac_bsdextended/mac_bsdextended.c,v 1.2 2002/08/19 19:04:52 rwatson Exp $ + * $FreeBSD: src/sys/security/mac_bsdextended/mac_bsdextended.c,v 1.3 2002/10/05 18:25:48 rwatson Exp $ */ /* * Developed by the TrustedBSD Project. @@ -445,6 +445,33 @@ } static int +mac_bsdextended_check_vnode_link(struct ucred *cred, struct vnode *dvp, + struct label *dlabel, struct vnode *vp, struct label *label, + struct componentname *cnp) +{ + struct vattr vap; + int error; + + if (!mac_bsdextended_enabled) + return (0); + + error = VOP_GETATTR(dvp, &vap, cred, curthread); + if (error) + return (error); + error = mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VWRITE); + if (error) + return (error); + + error = VOP_GETATTR(vp, &vap, cred, curthread); + if (error) + return (error); + error = mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VWRITE); + if (error) + return (error); + return (0); +} + +static int mac_bsdextended_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, struct label *dlabel, struct componentname *cnp) { @@ -715,6 +742,8 @@ (macop_t)mac_bsdextended_check_vnode_getacl }, { MAC_CHECK_VNODE_GETEXTATTR, (macop_t)mac_bsdextended_check_vnode_getextattr }, + { MAC_CHECK_VNODE_LINK, + (macop_t)mac_bsdextended_check_vnode_link }, { MAC_CHECK_VNODE_LOOKUP, (macop_t)mac_bsdextended_check_vnode_lookup }, { MAC_CHECK_VNODE_OPEN, ==== //depot/projects/trustedbsd/base/sys/security/mac_mls/mac_mls.c#7 (text+ko) ==== 
@@ -34,7 +34,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $FreeBSD: src/sys/security/mac_mls/mac_mls.c,v 1.11 2002/10/05 15:09:58 rwatson Exp $ + * $FreeBSD: src/sys/security/mac_mls/mac_mls.c,v 1.13 2002/10/05 18:56:25 rwatson Exp $ */ /* @@ -469,6 +469,18 @@ } static void +mac_mls_create_devfs_symlink(struct ucred *cred, struct devfs_dirent *dd, + struct label *ddlabel, struct devfs_dirent *de, struct label *delabel) +{ + struct mac_mls *source, *dest; + + source = SLOT(&cred->cr_label); + dest = SLOT(delabel); + + mac_mls_copy_single(source, dest); +} + +static void mac_mls_create_devfs_vnode(struct devfs_dirent *devfs_dirent, struct label *direntlabel, struct vnode *vp, struct label *vnodelabel) { @@ -1471,6 +1483,29 @@ return (0); } +static int +mac_mls_check_vnode_link(struct ucred *cred, struct vnode *dvp, + struct label *dlabel, struct vnode *vp, struct label *label, + struct componentname *cnp) +{ + struct mac_mls *subj, *obj; + + if (!mac_mls_enabled) + return (0); + + subj = SLOT(&cred->cr_label); + obj = SLOT(dlabel); + + if (!mac_mls_dominate_single(obj, subj)) + return (EACCES); + + obj = SLOT(dlabel); + if (!mac_mls_dominate_single(obj, subj)) + return (EACCES); + + return (0); +} + static int mac_mls_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, struct label *dlabel, struct componentname *cnp) @@ -1922,6 +1957,8 @@ (macop_t)mac_mls_create_devfs_device }, { MAC_CREATE_DEVFS_DIRECTORY, (macop_t)mac_mls_create_devfs_directory }, + { MAC_CREATE_DEVFS_SYMLINK, + (macop_t)mac_mls_create_devfs_symlink }, { MAC_CREATE_DEVFS_VNODE, (macop_t)mac_mls_create_devfs_vnode }, { MAC_CREATE_VNODE, 
@@ -2050,6 +2087,8 @@ (macop_t)mac_mls_check_vnode_getacl }, { MAC_CHECK_VNODE_GETEXTATTR, (macop_t)mac_mls_check_vnode_getextattr }, + { MAC_CHECK_VNODE_LINK, + (macop_t)mac_mls_check_vnode_link }, { MAC_CHECK_VNODE_LOOKUP, (macop_t)mac_mls_check_vnode_lookup }, { MAC_CHECK_VNODE_OPEN, ==== //depot/projects/trustedbsd/base/sys/security/mac_none/mac_none.c#6 (text+ko) ==== @@ -34,7 +34,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $FreeBSD: src/sys/security/mac_none/mac_none.c,v 1.8 2002/10/05 15:09:59 rwatson Exp $ + * $FreeBSD: src/sys/security/mac_none/mac_none.c,v 1.10 2002/10/05 18:56:25 rwatson Exp $ */ /* @@ -153,6 +153,13 @@ } static void +mac_none_create_devfs_symlink(struct ucred *cred, struct devfs_dirent *dd, + struct label *ddlabel, struct devfs_dirent *de, struct label *delabel) +{ + +} + +static void mac_none_create_devfs_directory(char *dirname, int dirnamelen, struct devfs_dirent *devfs_dirent, struct label *label) { @@ -669,6 +676,15 @@ return (0); } +static int +mac_none_check_vnode_link(struct ucred *cred, struct vnode *dvp, + struct label *dlabel, struct vnode *vp, struct label *label, + struct componentname *cnp) +{ + + return (0); +} + static int mac_none_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, struct label *dlabel, struct componentname *cnp) @@ -883,6 +899,8 @@ (macop_t)mac_none_create_devfs_device }, { MAC_CREATE_DEVFS_DIRECTORY, (macop_t)mac_none_create_devfs_directory }, + { MAC_CREATE_DEVFS_SYMLINK, + (macop_t)mac_none_create_devfs_symlink }, { MAC_CREATE_DEVFS_VNODE, (macop_t)mac_none_create_devfs_vnode }, { MAC_CREATE_VNODE, 
@@ -1019,6 +1037,8 @@ (macop_t)mac_none_check_vnode_getacl }, { MAC_CHECK_VNODE_GETEXTATTR, (macop_t)mac_none_check_vnode_getextattr }, + { MAC_CHECK_VNODE_LINK, + (macop_t)mac_none_check_vnode_link }, { MAC_CHECK_VNODE_LOOKUP, (macop_t)mac_none_check_vnode_lookup }, >>> TRUNCATED FOR MAIL (1000 lines) <<< To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message
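Review bot: mac_mls_check_vnode_link() in sys/security/mac_mls/mac_mls.c never looks at the label of the file being linked: both assignments read obj = SLOT(dlabel), so the directory label is checked twice and the "label" argument is unused. The Biba version of the same hook in this change uses obj = SLOT(label) for the second check; the MLS hook should do the same, otherwise a hard link to a vnode is permitted based on the directory label alone.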
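Review bot: In the sys/kern/kern_conf.c hunk the new bound check "if (u > 0xffffff) return (0);" sits after the digit loop, so "u *= 10; u += name[i++] - '0';" has already run for every digit by the time it is tested. A long enough digit string can wrap u during accumulation and land back under the limit; testing the bound inside the loop, before the multiply, closes that. The constant 0xffffff also deserves a name or a comment saying which unit-number limit it encodes.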
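Review bot: mac_init_mbuf() in sys/kern/kern_mac.c now returns the MAC_CHECK() result instead of always 0, but the change drops the only comment describing the second argument ('"how" is one of M_(TRY|DONT)WAIT') while renaming it to "flag". Please keep that comment, and add one on the failure path: destroy_mbuf_label is run for every policy after a failed init_mbuf_label, so each policy's destroy entry point must tolerate a label its own init did not complete. Callers that ignored the old constant return value need auditing, and having this behavioural change inside a large block of pure function reordering makes it easy to miss; a separate change would review better.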
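Review bot: In the sys/kern/vfs_syscalls.c hunk the mac_check_vnode_link() call is placed after both VOP_LEASE(..., LEASE_WRITE) calls, so a link that the policy denies has still taken write leases on the directory and the target. Moving the check above the VOP_LEASE() lines avoids that side effect on a refused operation. The "if (error == 0)" that lives inside #ifdef MAC and governs the VOP_LINK() statement after #endif is also fragile under later edits; braces or an explicit else-free form with the condition outside the #ifdef would be safer.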
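Review bot: In the sys/fs/devfs/devfs_vnops.c hunk the labelling moves from the vnode (mac_create_vnode() plus mac_update_devfsdirent() after devfs_allocv()) to the dirent (mac_create_devfs_symlink() before TAILQ_INSERT_TAIL()), and nothing in the hunk labels *ap->a_vpp any more. That only works if devfs_allocv() derives the vnode label from the already-labelled dirent, which is an ordering dependency the code does not state. A short comment saying the dirent label must be set before the entry is inserted and before the vnode is allocated would keep a later cleanup from reordering these lines.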
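Review bot: mac_biba_create_devfs_symlink() and mac_mls_create_devfs_symlink() take dd and ddlabel but use neither; the new symlink's label is copied from cred->cr_label only. If inheriting the creator's label rather than the parent directory's is the intended policy, say so in a comment above each function, since the unused directory arguments otherwise read as an omission.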
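Review bot: mac_bsdextended_check_vnode_link() in sys/security/mac_bsdextended/mac_bsdextended.c requires VWRITE against the owner of the link target vp as well as the directory dvp, which is stricter than a plain directory-write check and is not explained anywhere in the hunk; a comment stating that this is deliberate would help. The two VOP_GETATTR()/mac_bsdextended_check() blocks are identical apart from the vnode and could share a helper, and the trailing "if (error) return (error); return (0);" can simply be "return (error);".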
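Review bot: In the release/doc/.../hardware/common/dev.sgml hunk the Broadcom entry lists "BCM 5821" with a space, while the other part numbers in the same sentence (BCM5801, BCM5802, BCM5805, BCM5820, BCM5822) have none. Write it as BCM5821 so the list is consistent and searchable.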