Date: Thu, 17 Oct 2002 20:14:12 -0700 (PDT) From: Robert Watson <rwatson@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 19525 for review Message-ID: <200210180314.g9I3ECwE011510@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=19525 Change 19525 by rwatson@rwatson_tislabs on 2002/10/17 20:13:35 Hopefully approaching the final revision on the MAC user API for FreeBSD 5.0. This continues to take much the same approach to prior label processing, but differs in the following ways: (1) Previously, mac.c in libc broke down labels into their component elements, and passed them to the kernel via a variable-length array of 'struct mac_element'. When retrieving labels, the same approach was taken. In the new approach, this split is performed by the kernel code, and only a single string is read in. This dramatically simplifies the copyin/out and validation operations, and removes the copyin's/copyout's from the individual modules (they now just deal with in-kernel strings). Modules receive 'element_name' and 'element_data', and may claim entries as before -- if claimed, a destructive parsing of the string may be performed in order to extract useful data. (2) Permit label names in /etc/mac.conf to be prefixed with a '?' indicating that failure to retrieve the label element should not be considered a fatal error, allowing entries to appear in mac.conf even if the kernel module supporting the element name is not present. Populate the default mac.conf with entries for each of our labeled policies, which means mac.conf doesn't have to be modified if any of them is loaded. Third party policies will still require configuration. (3) Temporarily remove all support for userland modules, since all of the existing functionality is now encapsulated in the kernel policy modules. We may wish to reintroduce this module support for the purposes of permitting userland mapping of label element data--however, almost all the current code would be inappropriate for that, so we'll just remove it, making mac.c almost empty. There is room for further improvement, including relating to the 'claimed' model, errno values, etc. 
I've tested all policies except sebsd, which I don't have a run-time configuration for, but it appears to build properly and 'looks right'. There are probably bugs. I'd also appreciate a detailed review of the string parsing code for labels, as if there are any serious problems, the results could be relatively catastrophic. I'll let this settle in the MAC tree for a few days, and if all goes well, migrate the changes to the main tree over the weekend, given re@ approval. Affected files ... .. //depot/projects/trustedbsd/mac/bin/ls/ls.c#14 edit .. //depot/projects/trustedbsd/mac/bin/ps/print.c#13 edit .. //depot/projects/trustedbsd/mac/etc/mac.conf#6 edit .. //depot/projects/trustedbsd/mac/lib/libc/posix1e/mac.c#3 edit .. //depot/projects/trustedbsd/mac/lib/libc/posix1e/mac_module.h#2 delete .. //depot/projects/trustedbsd/mac/lib/libmac/Makefile#2 edit .. //depot/projects/trustedbsd/mac/lib/libutil/login_class.c#9 edit .. //depot/projects/trustedbsd/mac/libexec/getty/main.c#9 edit .. //depot/projects/trustedbsd/mac/sbin/ifconfig/ifmac.c#9 edit .. //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#313 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#135 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#115 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_none/mac_none.c#86 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_partition/mac_partition.c#16 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.c#88 edit .. //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#59 edit .. //depot/projects/trustedbsd/mac/sys/security/sebsd/sebsd.c#43 edit .. //depot/projects/trustedbsd/mac/sys/sys/mac.h#181 edit .. //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#142 edit .. //depot/projects/trustedbsd/mac/usr.bin/login/login.c#22 edit .. //depot/projects/trustedbsd/mac/usr.sbin/getfmac/getfmac.c#7 edit .. //depot/projects/trustedbsd/mac/usr.sbin/getpmac/getpmac.c#4 edit .. 
//depot/projects/trustedbsd/mac/usr.sbin/setfmac/setfmac.c#7 edit .. //depot/projects/trustedbsd/mac/usr.sbin/setpmac/setpmac.c#6 edit Differences ... ==== //depot/projects/trustedbsd/mac/bin/ls/ls.c#14 (text+ko) ==== @@ -686,10 +686,10 @@ int error; error = mac_prepare_file_label(&label); - if (error != MAC_SUCCESS) { + if (error == -1) { fprintf(stderr, "%s: %s\n", cur->fts_name, - mac_error(error)); + strerror(errno)); goto label_out; } @@ -707,10 +707,10 @@ error = mac_to_text(label, &labelstr); - if (error != MAC_SUCCESS) { + if (error == -1) { fprintf(stderr, "%s: %s\n", cur->fts_name, - mac_error(error)); + strerror(errno)); mac_free(label); goto label_out; } ==== //depot/projects/trustedbsd/mac/bin/ps/print.c#13 (text+ko) ==== @@ -734,23 +734,24 @@ VAR *v; v = ve->var; - string = ""; + string = NULL; - error = mac_prepare_process_label(&label); - if (error != MAC_SUCCESS) { - fprintf(stderr, "%s\n", mac_error(error)); + if (mac_prepare_process_label(&label) == -1) { + perror("mac_prepare_process_label"); goto out; } error = mac_get_pid(k->ki_p->ki_pid, label); if (error == 0) { - error = mac_to_text(label, &string); - if (error != MAC_SUCCESS) - string = ""; + if (mac_to_text(label, &string) == -1) + string = NULL; } mac_free(label); out: - (void)printf("%*s", v->width, string); + if (string != NULL) + (void)printf("%*s", v->width, string); + else + (void)printf("%*s", v->width, ""); return; } ==== //depot/projects/trustedbsd/mac/etc/mac.conf#6 (text+ko) ==== 
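Review bot: The new `if (error == -1)` tests after mac_prepare_file_label() and mac_to_text() can never be true, because the libc side of this same change returns errno values directly (`return (ENOMEM)`, `return (EINVAL)`, `return (0)`) rather than -1 with errno set, so a failed prepare falls through to the label lookup with an unset `label`, and `strerror(errno)` would report a stale errno in any case. Either move the library to the -1/errno convention the mac_get_*() system calls use, or test the value that is actually returned: `if (error != 0) { fprintf(stderr, "%s: %s\n", cur->fts_name, strerror(error)); goto label_out; }`. The second ls.c hunk's mac_to_text() check has the same mismatch. The enclosing function starts and ends outside the hunk.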
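Review bot: `perror("mac_prepare_process_label")` reports whatever errno happened to be, because mac_prepare_process_label() in this change returns an errno value (0, EINVAL or ENOMEM) rather than -1 with errno set, so the `== -1` branch is also unreachable and a failed prepare reaches mac_get_pid() with an unset `label`. Capturing the return value is both correct and shorter: `if ((error = mac_prepare_process_label(&label)) != 0) { fprintf(stderr, "mac_prepare_process_label: %s\n", strerror(error)); goto out; }`, with the same `!= 0` test on mac_to_text(). The two-way printf at `out:` can collapse to `(void)printf("%*s", v->width, string != NULL ? string : "");`. The function starts outside the hunk.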
@@ -9,13 +9,7 @@ # Default label set to be used by simple MAC applications # -default_file_labels biba,mls -default_ifnet_labels biba,mls -default_process_labels biba,mls,partition - -# -# Bind policy names to loadable shared modules -# - -#module mac_generic libmac_generic.so.1 biba mls partition te +default_file_labels ?biba,?mls,?sebsd,?te +default_ifnet_labels ?biba,?mls,?sebsd,?te +default_process_labels ?biba,?mls,?partition,?sebsd,?te ==== //depot/projects/trustedbsd/mac/lib/libc/posix1e/mac.c#3 (text+ko) ==== @@ -50,32 +50,6 @@ #include <sys/mac.h> -#include "mac_module.h" - -#define MAC_PARSE_ELEMENT_SEP ',' -#define MAC_PARSE_ELEMENT_SEP_STR "," -#define MAC_PARSE_POLICY_SEP_STR "/" -#define MAC_PARSE_UNKNOWNVALUE "_unknown" - -struct internal_module_entry { - char *ime_path; - void *ime_handle; - - char ime_name[MAC_MAX_POLICY_NAME]; - - mm_init ime_init; - mm_destroy ime_destroy; - - mm_checklabelname ime_checklabelname; - mm_free ime_free; - mm_from_text ime_from_text; - mm_prepare ime_prepare; - mm_to_text ime_to_text; - - LIST_ENTRY(internal_module_entry) ime_entries; -}; - -static LIST_HEAD(, internal_module_entry) internal_module_list; static int internal_initialized; /* Default sets of labels for various query operations. */ 
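Review bot: The `?` prefix that now appears on every default element name is not explained in the file, so a reader of /etc/mac.conf cannot tell whether `?biba` is a policy name, a wildcard or something else; the only definition is in this change's commit text. Add a comment above the three defaults, e.g. `# Element names prefixed with '?' are optional: if no loaded policy claims that element, it is skipped rather than failing the whole label operation. Third-party policies are not listed here and must be added explicitly.` That keeps the documented behaviour next to the setting it controls.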
@@ -83,121 +57,7 @@ static char *default_ifnet_labels; static char *default_process_labels; -/* List of labels to process internally as text strings. */ -static char *text_labels; - -const char * -mac_error(int error) -{ - - switch (error) { - case MAC_SUCCESS: - return ("Success"); - case MAC_ERROR_NOSUCHPOLICY: - return ("MAC policy not found"); - case MAC_ERROR_NOFROMTEXT: - return ("MAC policy can't convert text"); - case MAC_ERROR_INVALIDLABELVALUE: - return ("Invalid label value"); - case MAC_ERROR_POLICYNAMEINVALID: - return ("Invalid policy name"); - case MAC_ERROR_INSUFFICIENTRESOURCES: - return ("Insufficient resources to complete request"); - case MAC_ERROR_NOTTHISMODULE: - return ("Module does not implement requested policy"); - case MAC_ERROR_NOTSUPPORTED: - return ("Module does not support requested operation"); - case MAC_ERROR_UNPARSEABLELABEL: - return ("Label contains unparseable element"); - case MAC_ERROR_INVALIDINITARGS: - return ("Invalid arguments passed to MAC policy initialization"); - case MAC_ERROR_UNKNOWNLABELNAME: - return ("Label name not recognized"); - case MAC_ERROR_UNPRINTABLE: - return ("Label contains unprintable component"); - case MAC_ERROR_INTERNALPOLICYERROR: - return ("MAC policy module caused internal error"); - case MAC_ERROR_CONFFILEERROR: - return ("MAC configuration file error"); - case MAC_ERROR_CANTLOADMODULE: - return ("MAC module load error"); - case MAC_ERROR_NOSUCHELEMENTSET: - return ("Element set not found"); - default: - return ("Unknown error"); - } -} - -void -mac_error_to_errno(int error) -{ - - switch (error) { - case MAC_ERROR_INSUFFICIENTRESOURCES: - errno = ENOMEM; - default: - errno = EINVAL; - } -} - -static int -mac_entry_attach(struct internal_module_entry *entry, const char *policyname, - const char *path, int argc, char **argv) -{ - int error; - - if (strlen(policyname)+1 > MAC_MAX_POLICY_NAME) - return (MAC_ERROR_POLICYNAMEINVALID); - - memset(entry, 0, sizeof(*entry)); - - strcpy(entry->ime_name, 
policyname); - entry->ime_path = strdup(path); - if (entry->ime_path == NULL) - return (MAC_ERROR_INSUFFICIENTRESOURCES); - - entry->ime_handle = dlopen(entry->ime_path, RTLD_LAZY); - if (entry->ime_handle == NULL) { - free(entry->ime_path); - return (MAC_ERROR_CANTLOADMODULE); - } - - entry->ime_init = dlsym(entry->ime_handle, MAC_MODULE_INIT); - entry->ime_destroy = dlsym(entry->ime_handle, MAC_MODULE_DESTROY); - - entry->ime_checklabelname = dlsym(entry->ime_handle, - MAC_MODULE_CHECKLABELNAME); - entry->ime_free = dlsym(entry->ime_handle, MAC_MODULE_FREE); - entry->ime_from_text = dlsym(entry->ime_handle, MAC_MODULE_FROM_TEXT); - entry->ime_prepare = dlsym(entry->ime_handle, MAC_MODULE_PREPARE); - entry->ime_to_text = dlsym(entry->ime_handle, MAC_MODULE_TO_TEXT); - - if (entry->ime_init != NULL) { - error = entry->ime_init(entry->ime_name, entry->ime_path, - argc, argv); - if (error != MAC_SUCCESS) { - dlclose(entry->ime_handle); - free(entry->ime_path); - return (error); - } - } - - return (MAC_SUCCESS); -} - static void -mac_entry_detach(struct internal_module_entry *entry) -{ - - if (entry->ime_destroy != NULL) - entry->ime_destroy(); - dlclose(entry->ime_handle); - free(entry->ime_path); - memset(entry, 0, sizeof(*entry)); - free(entry); -} - -static void mac_destroy_labels(void) { @@ -220,16 +80,7 @@ static void mac_destroy_internal(void) { - struct internal_module_entry *entry1, *entry2; - entry1 = LIST_FIRST(&internal_module_list); - while (entry1 != NULL) { - entry2 = LIST_NEXT(entry1, ime_entries); - LIST_REMOVE(entry1, ime_entries); - mac_entry_detach(entry1); - entry1 = entry2; - } - mac_destroy_labels(); internal_initialized = 0; 
@@ -238,18 +89,15 @@ static int mac_init_internal(void) { - struct internal_module_entry *entry; FILE *file; char line[LINE_MAX]; int error; - error = MAC_SUCCESS; + error = 0; - LIST_INIT(&internal_module_list); - file = fopen(MAC_CONFFILE, "r"); if (file == NULL) - return (MAC_ERROR_CONFFILEERROR); + return (0); while (fgets(line, LINE_MAX, file)) { char *argv[ARG_MAX]; @@ -260,7 +108,7 @@ line[strlen(line)-1] = '\0'; else { fclose(file); - error = MAC_ERROR_CONFFILEERROR; + error = EINVAL; goto just_return; } @@ -277,61 +125,7 @@ if (statement[0] == '#') continue; - if (strcmp(statement, "module") == 0) { - policyname = ""; - while (parse && policyname[0] == '\0') - policyname = strsep(&parse, " \t"); - - modulename = ""; - while (parse && modulename[0] == '\0') - modulename = strsep(&parse, " \t"); - - argc = 0; - while (parse && argc < ARG_MAX) { - arg = ""; - while (parse && arg[0] == '\0') - arg = strsep(&parse, " \t"); - if (arg[0] == '#') - break; - argv[argc] = arg; - argc++; - } - - entry = (struct internal_module_entry *) malloc( - sizeof(*entry)); - if (entry == NULL) { - fclose(file); - error = MAC_ERROR_INSUFFICIENTRESOURCES; - goto just_return; - } - - error = mac_entry_attach(entry, policyname, modulename, - argc, argv); - if (error != MAC_SUCCESS) { - free(entry); - fclose(file); - goto just_return; - } - - LIST_INSERT_HEAD(&internal_module_list, entry, - ime_entries); - } else if (strcmp(statement, "text_labels") == 0) { - if (text_labels != NULL) { - free(text_labels); - text_labels = NULL; - } - - arg = strsep(&parse, "# \t"); - if (arg != NULL && arg[0] != '\0') { - text_labels = strdup(arg); - if (text_labels == NULL) { - error = - MAC_ERROR_INSUFFICIENTRESOURCES; - fclose(file); - goto just_return; - } - } - } else if (strcmp(statement, "default_file_labels") == 0) { + if (strcmp(statement, "default_file_labels") == 0) { if (default_file_labels != NULL) { free(default_file_labels); default_file_labels = NULL; 
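Review bot: With the `module` statement parsing gone, `char *argv[ARG_MAX];` in the trailing context of the first hunk looks dead, yet it still reserves ARG_MAX pointers of automatic storage (hundreds of kilobytes with FreeBSD's ARG_MAX) on every call to mac_init_internal(), a function every MAC-aware utility runs at startup. Unless `argv`/`argc` are still referenced in the part of the loop body outside these hunks, delete both declarations (`arg` is still used by the `default_*_labels` parsing). The silent `return (0);` on a missing /etc/mac.conf is a reasonable choice but deserves a one-line comment, e.g. `/* No config file: default label sets stay NULL and callers get empty element lists. */`. mac_init_internal() begins before and ends after these hunks.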
@@ -341,8 +135,7 @@ if (arg != NULL && arg[0] != '\0') { default_file_labels = strdup(arg); if (default_file_labels == NULL) { - error = - MAC_ERROR_INSUFFICIENTRESOURCES; + error = ENOMEM; fclose(file); goto just_return; } @@ -357,8 +150,7 @@ if (arg != NULL && arg[0] != '\0') { default_ifnet_labels = strdup(arg); if (default_ifnet_labels == NULL) { - error = - MAC_ERROR_INSUFFICIENTRESOURCES; + error = ENOMEM; fclose(file); goto just_return; } @@ -373,15 +165,14 @@ if (arg != NULL && arg[0] != '\0') { default_process_labels = strdup(arg); if (default_process_labels == NULL) { - error = - MAC_ERROR_INSUFFICIENTRESOURCES; + error = ENOMEM; fclose(file); goto just_return; } } } else { fclose(file); - error = MAC_ERROR_CONFFILEERROR; + error = EINVAL; goto just_return; } } @@ -403,7 +194,7 @@ if (!internal_initialized) return (mac_init_internal()); else - return (MAC_SUCCESS); + return (0); } int 
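Review bot: The final `else` still turns any unrecognised statement into a fatal `EINVAL`, and this change removes the `module` and `text_labels` keywords, so an existing /etc/mac.conf that still carries either (the old default shipped a commented `module mac_generic ...` line, and uncommented copies may exist) now makes mac_init_internal() fail; mac_prepare_*_label() propagate that, so ls, ps, ifconfig and login_class lose label support until the file is edited. Failing closed on an unknown statement is defensible for a security configuration file, but the breakage is invisible from libc, which cannot sensibly print a diagnostic. Either accept the two retired keywords as documented no-ops for a transition period, or call out the removal in UPDATING and mac.conf(5) so the EINVAL is diagnosable. mac_init_internal() begins and ends outside these hunks.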
@@ -415,106 +206,37 @@ return (mac_init_internal()); } -static struct internal_module_entry * -mac_module_find_by_policyname(const char *policyname) -{ - struct internal_module_entry *entry; - - LIST_FOREACH(entry, &internal_module_list, ime_entries) - if (strcmp(entry->ime_name, policyname) == 0) - return (entry); - - return (NULL); -} - -static struct internal_module_entry * -mac_module_find_by_labelname(const char *labelname) -{ - struct internal_module_entry *entry; - - LIST_FOREACH(entry, &internal_module_list, ime_entries) { - if (entry->ime_checklabelname != NULL) { - if (entry->ime_checklabelname(labelname) == 1) - return (entry); - } else { - /* This is a pretty dumb policy module. */ - } - } - - return (NULL); -} - -static void -mac_free_element(struct mac_element *element) -{ - struct internal_module_entry *entry; - -#if 0 - entry = mac_module_find_by_labelname(element->me_name); - if (entry != NULL && entry->ime_free != NULL) { - entry->ime_free(element); - } else { -#endif - if (element->me_data != NULL) - free(element->me_data); -#if 0 - } -#endif -} - int mac_free(struct mac *mac) { - int count, error; + int error; - error = mac_maybe_init_internal(); - if (error != MAC_SUCCESS) - return (error); + if (mac->m_string != NULL) + free(mac->m_string); + free(mac); - if (mac->m_elements != NULL) { - for (count = 0; count < mac->m_numliveelements; count++) { - mac_free_element(&mac->m_elements[count]); - } - free(mac->m_elements); - } - - free(mac); - return (MAC_SUCCESS); + return (0); } static struct mac * mac_alloc(int numelements) { - struct mac_element *elements; struct mac *mac; - elements = (struct mac_element *) malloc(sizeof(struct mac_element) * - numelements); - if (elements == NULL) + mac = (struct mac *) malloc(sizeof(*mac)); + if (mac == NULL) return (NULL); - memset(elements, 0, sizeof(struct mac_element) * numelements); - - mac = (struct mac *) malloc(sizeof(*mac)); - if (mac == NULL) { - free(elements); + mac->m_string = 
malloc(MAC_MAX_LABEL_BUF_LEN); + if (mac->m_string == NULL) { + free(mac); return (NULL); } - memset(mac, 0, sizeof(*mac)); - mac->m_numelements = numelements; - mac->m_numliveelements = 0; - mac->m_elements = elements; + bzero(mac->m_string, MAC_MAX_LABEL_BUF_LEN); + mac->m_buflen = MAC_MAX_LABEL_BUF_LEN; return (mac); } -static int -mac_name_in_list(char *string, char *name) -{ - - - -} - int mac_from_text(struct mac **mac, const char *text) { 
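Review bot: mac_alloc() keeps a `numelements` parameter it no longer reads and, as far as the hunks in this change show, nothing calls it any more; mac_prepare() and mac_from_text() each open-code the same malloc/malloc/unwind sequence instead. Either route mac_prepare() through it (`*mac = mac_alloc(0); if (*mac == NULL) return (ENOMEM); strcpy((*mac)->m_string, elements);`) or remove the static function before it rots. In mac_free() the `m_string != NULL` guard is redundant (free(NULL) is a no-op), while a NULL `mac` dereferences; since callers in this change may reach mac_free() with a pointer that a failed mac_prepare() left unset or NULL, either document that mac_free() requires a non-NULL label or add `if (mac == NULL) return (0);`.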
@@ -522,270 +244,99 @@ char *dup, *element, *search; int count, error; - error = mac_maybe_init_internal(); - if (error != MAC_SUCCESS) - return (error); + *mac = (struct mac *) malloc(sizeof(**mac)); + if (*mac == NULL) + return (ENOMEM); - dup = strdup(text); - if (dup == NULL) - return (MAC_ERROR_INSUFFICIENTRESOURCES); - - /* - * First, count the elements to we can allocate a mac_element - * array. Use a simple counting algorithm. - */ - count = 1; - search = dup; - while (*search != '\0') { - if (*search == MAC_PARSE_ELEMENT_SEP) - count++; - search++; + (*mac)->m_string = strdup(text); + if ((*mac)->m_string == NULL) { + free(*mac); + *mac = NULL; + return (ENOMEM); } - temp = mac_alloc(count); - if (temp == NULL) { - error = MAC_ERROR_INSUFFICIENTRESOURCES; - goto free_dup; - } + (*mac)->m_buflen = strlen((*mac)->m_string)+1; - search = dup; - while ((element = strsep(&search, MAC_PARSE_ELEMENT_SEP_STR))) { -#if 0 - struct internal_module_entry *entry; -#endif - struct mac_element *mac_element; - char *labelname, *labelvalue; - - labelvalue = element; - labelname = strsep(&labelvalue, MAC_PARSE_POLICY_SEP_STR); - if (labelvalue == NULL) { - error = MAC_ERROR_UNPARSEABLELABEL; - goto free_temp; - } - mac_element = &temp->m_elements[temp->m_numliveelements]; - strcpy(mac_element->me_name, labelname); -#if 0 - /* - * Walk down the module list until we find a module that - * is willing to accept this label name. 
- */ - entry = mac_module_find_by_labelname(labelname); - if (entry == NULL) { - error = MAC_ERROR_UNKNOWNLABELNAME; - goto free_temp; - } - if (entry->ime_from_text != NULL) { - error = entry->ime_from_text( - &temp->m_elements[temp->m_numliveelements], - labelvalue); - if (error != MAC_SUCCESS) - goto free_temp; - } else { - error = MAC_ERROR_NOFROMTEXT; - goto free_temp; - } -#endif - mac_element->me_data = strdup(labelvalue); - mac_element->me_databuflen = mac_element->me_datalen = - strlen(labelvalue) + 1; - temp->m_numliveelements++; - } - - goto done; - -free_temp: - mac_free(temp); -free_dup: - free(dup); - temp = NULL; -done: - *mac = temp; - return (error); + return (0); } int mac_prepare(struct mac **mac, char *elements) { - char *arg, *element_array[MAC_MAX_LABEL_ELEMENTS], *local_policies; - char *parse; - struct internal_module_entry *entry; struct mac *temp; - int count, element_count, error; - error = mac_maybe_init_internal(); - if (error != MAC_SUCCESS) - return (error); + if (strlen(elements) >= MAC_MAX_LABEL_BUF_LEN) + return (EINVAL); - local_policies = strdup(elements); - if (local_policies == NULL) - return (MAC_ERROR_INSUFFICIENTRESOURCES); + *mac = (struct mac *) malloc(sizeof(**mac)); + if (*mac == NULL) + return (ENOMEM); - parse = local_policies; - element_count = 0; - while (parse != NULL && element_count < MAC_MAX_LABEL_ELEMENTS) { - arg = ""; - while (parse != NULL && arg[0] == '\0') - arg = strsep(&parse, ","); - element_array[element_count] = arg; - element_count++; + (*mac)->m_string = malloc(MAC_MAX_LABEL_BUF_LEN); + if ((*mac)->m_string == NULL) { + free(*mac); + *mac = NULL; + return (ENOMEM); } - temp = mac_alloc(element_count); - if (temp == NULL) { - free(local_policies); - return (MAC_ERROR_INSUFFICIENTRESOURCES); - } + strcpy((*mac)->m_string, elements); + (*mac)->m_buflen = MAC_MAX_LABEL_BUF_LEN; - for (count = 0; count < element_count; count++) { -#if 0 - entry = mac_module_find_by_labelname(element_array[count]); - if 
(entry == NULL) { - free(local_policies); - mac_free(temp); - *mac = NULL; - return (MAC_ERROR_UNKNOWNLABELNAME); - } -#endif - strcpy(temp->m_elements[count].me_name, element_array[count]); -#if 0 - if (entry->ime_prepare == NULL) { - free(local_policies); - mac_free(temp); - *mac = NULL; - return (MAC_ERROR_NOTSUPPORTED); - } - error = entry->ime_prepare(&temp->m_elements[count]); - if (error) { - free(local_policies); - mac_free(temp); - *mac = NULL; - return (error); - } -#endif - temp->m_elements[count].me_databuflen = - MAC_MAX_LABEL_ELEMENT_DATALEN; - temp->m_elements[count].me_data = - malloc(temp->m_elements[count].me_databuflen); - if (temp->m_elements[count].me_data == NULL) { - free(local_policies); - mac_free(temp); - *mac = NULL; - return (MAC_ERROR_INSUFFICIENTRESOURCES); - } - temp->m_elements[count].me_datalen = 0; - temp->m_numliveelements++; - } - - free(local_policies); - *mac = temp; - return (MAC_SUCCESS); + return (0); } int mac_to_text(struct mac *mac, char **text) { -#if 0 - struct internal_module_entry *entry; -#endif - struct mac_element *element; - char *string, *tempstring, *elementstring, *policyvalue; - int error, i; - error = mac_maybe_init_internal(); - if (error != MAC_SUCCESS) - return (error); - - elementstring = NULL; - string = NULL; - for (i = 0; i < mac->m_numliveelements; i++) { - element = &mac->m_elements[i]; -#if 0 - entry = mac_module_find_by_labelname(element->me_name); - if (entry == NULL) - elementstring = strdup(MAC_PARSE_UNKNOWNVALUE); - else if (entry->ime_to_text == NULL) - elementstring = strdup(MAC_PARSE_UNKNOWNVALUE); - else { - error = entry->ime_to_text(element, &policyvalue); - if (error != MAC_SUCCESS) - goto error_handler; -#endif - asprintf(&elementstring, "%s%s%s", element->me_name, - MAC_PARSE_POLICY_SEP_STR, element->me_data); -#if 0 - free(policyvalue); - } -#endif - if (elementstring == NULL) { - error = MAC_ERROR_INSUFFICIENTRESOURCES; - goto error_handler; - } - - if (string == NULL) { - string = 
elementstring; - } else { - tempstring = string; - asprintf(&string, "%s,%s", tempstring, elementstring); - free(tempstring); - free(elementstring); - elementstring = NULL; - } - } - - *text = string; - return (MAC_SUCCESS); - -error_handler: - if (string != NULL) - free(string); - if (elementstring != NULL) - free(elementstring); - - return (error); + *text = strdup(mac->m_string); + if (*text == NULL) + return (ENOMEM); + return (0); } int -mac_prepare_file_label(struct mac **label) +mac_prepare_file_label(struct mac **mac) { int error; error = mac_maybe_init_internal(); - if (error != MAC_SUCCESS) + if (error != 0) return (error); if (default_file_labels == NULL) - return (MAC_ERROR_NOSUCHELEMENTSET); + return (mac_prepare(mac, "")); - return (mac_prepare(label, default_file_labels)); + return (mac_prepare(mac, default_file_labels)); } int -mac_prepare_ifnet_label(struct mac **label) +mac_prepare_ifnet_label(struct mac **mac) { int error; error = mac_maybe_init_internal(); - if (error != MAC_SUCCESS) + if (error != 0) return (error); if (default_ifnet_labels == NULL) - return (MAC_ERROR_NOSUCHELEMENTSET); + return (mac_prepare(mac, "")); - return (mac_prepare(label, default_ifnet_labels)); + return (mac_prepare(mac, default_ifnet_labels)); } int -mac_prepare_process_label(struct mac **label) +mac_prepare_process_label(struct mac **mac) { int error; error = mac_maybe_init_internal(); - if (error != MAC_SUCCESS) + if (error != 0) return (error); if (default_process_labels == NULL) - return (MAC_ERROR_NOSUCHELEMENTSET); + return (mac_prepare(mac, "")); - return (mac_prepare(label, default_process_labels)); + return (mac_prepare(mac, default_process_labels)); } /* ==== //depot/projects/trustedbsd/mac/lib/libmac/Makefile#2 (text+ko) ==== @@ -1,3 +1,3 @@ -SUBDIR+= modules +#SUBDIR+= modules .include <bsd.subdir.mk> ==== //depot/projects/trustedbsd/mac/lib/libutil/login_class.c#9 (text+ko) ==== 
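Review bot: The context line `char *dup, *element, *search; int count, error;` at the top of mac_from_text() is dead after the rewrite, and the two constructors now disagree on length: mac_prepare() rejects `elements` of MAC_MAX_LABEL_BUF_LEN or more with EINVAL, while mac_from_text() accepts any length with `m_buflen = strlen + 1` and leaves it to the kernel copyin (not shown here) to reject an oversized label. Mirror the check, `if (strlen(text) >= MAC_MAX_LABEL_BUF_LEN) return (EINVAL);`, and drop the unused locals. mac_to_text() now simply strdup()s `m_string`, which is only safe if the kernel guarantees NUL termination within `m_buflen` on return from mac_get_*(); that contract is not stated on the libc side and deserves a comment such as `/* m_string must be NUL-terminated by whoever fills it; the kernel is assumed to do so. */`. The last hunk line closes mac_prepare_process_label(), but the comment block opened after it continues outside the hunk.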
@@ -396,19 +396,21 @@ if (label_string == NULL) { /* Leave label as is, warning, dangerous */ } else { - error = mac_from_text(&label, label_string); - if (error != MAC_SUCCESS) { - syslog(LOG_ERR, "mac_from_text('%s'): %s", label_string, - mac_error(error)); + if (mac_from_text(&label, label_string) == -1) { + syslog(LOG_ERR, "mac_from_text('%s'): %m", label_string); return -1; } - error = mac_set_proc(label); + if (mac_set_proc(label) == -1) + error = errno; + else + error = 0; mac_free(label); - if (error != 0 && errno == ENOSYS) { - syslog(LOG_WARNING, "mac_set_proc(%s): warning: %m", - label_string); + if (error == ENOSYS) { + syslog(LOG_WARNING, "mac_set_proc(%s): warning: %s", + label_string, strerror(error)); } else if (error != 0) { - syslog(LOG_ERR, "mac_set_proc(%s): error: %m", label_string); + syslog(LOG_ERR, "mac_set_proc(%s): error: %s", label_string, + strerror(error)); return -1; } } ==== //depot/projects/trustedbsd/mac/libexec/getty/main.c#9 (text+ko) ==== @@ -263,7 +263,8 @@ error = mac_from_text(&rootmac, rootmacstr); - if (error == MAC_SUCCESS) { + if (mac_from_text(&rootmac, rootmacstr) + == 0) { mac_set_file(ttyn, rootmac); mac_free(rootmac); } ==== //depot/projects/trustedbsd/mac/sbin/ifconfig/ifmac.c#9 (text+ko) ==== @@ -60,16 +60,14 @@ memset(&ifr, 0, sizeof(ifr)); strncpy(ifr.ifr_name, name, sizeof(ifr.ifr_name)); - error = mac_prepare_ifnet_label(&label); - if (error != MAC_SUCCESS) + if (mac_prepare_ifnet_label(&label) == -1) return; ifr.ifr_ifru.ifru_data = (void *)label; - error = ioctl(s, SIOCGIFMAC, &ifr); - if (error == -1) + if (ioctl(s, SIOCGIFMAC, &ifr) == -1) goto mac_free; - error = mac_to_text(label, &label_text); - if (error != MAC_SUCCESS) + + if (mac_to_text(label, &label_text) == -1) goto mac_free; printf("\tmac %s\n", label_text); 
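Review bot: `mac_from_text(&label, label_string) == -1` cannot match, because mac_from_text() in this change returns 0 or ENOMEM and never sets errno, so the `%m` in the syslog call would print a stale errno and an allocation failure proceeds to mac_set_proc() with an uninitialised `label`. Use the return value: `if ((error = mac_from_text(&label, label_string)) != 0) { syslog(LOG_ERR, "mac_from_text('%s'): %s", label_string, strerror(error)); return -1; }`. The mac_set_proc() path is a real system call, and copying errno into `error` before mac_free() is correct since free() may clobber it. The function begins and ends outside the hunk.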
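Review bot: The getty hunk keeps the context line `error = mac_from_text(&rootmac, rootmacstr);` and then calls mac_from_text() again in the new `if`, so on success the label is parsed twice and the `struct mac` from the first call is overwritten and leaked, while `error` becomes assigned-but-unused. The intended edit is just the condition: `if (error == 0) {`. Comparing with 0 is right here because the libc mac_from_text() in this change returns 0 or ENOMEM rather than -1/errno. The enclosing function starts and ends outside the hunk.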
@@ -86,9 +84,8 @@ mac_t label; int error; - error = mac_from_text(&label, val); - if (error != MAC_SUCCESS) { - fprintf(stderr, "%s: %s\n", val, mac_error(error)); + if (mac_from_text(&label, val) == -1) { + perror(val); return; } >>> TRUNCATED FOR MAIL (1000 lines) <<< To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message