Date:      Wed, 1 May 2002 22:15:35 -0700 (PDT)
From:      Robert Watson <rwatson@FreeBSD.org>
To:        Perforce Change Reviews <perforce@freebsd.org>
Subject:   PERFORCE change 10651 for review
Message-ID:  <200205020515.g425FZm85979@freefall.freebsd.org>

http://people.freebsd.org/~peter/p4db/chv.cgi?CH=10651

Change 10651 by rwatson@rwatson_tislabs on 2002/05/01 22:15:19

	Make mac_late static.
	
	Add a new flag field to policy definition structures,
	mpc_loadtime_flags, which will allow policies to declare some of
	their properties using a series of flags.
	
	Define a flag MPC_LOADTIME_FLAG_NOTLATE, which will indicate a
	module refuses to register if it is loaded "late".  Check this flag
	and the late variable during the registration process, reject
	modules with EBUSY if it's late and they refuse to be.
	
	Rename MPC_FLAG_REGISTERED to MPC_RUNTIME_FLAG_REGISTERED, to
	represent the fact that this flag is maintained by the MAC
	framework at runtime, and not by the policy itself.

Affected files ...

... //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#135 edit
... //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#62 edit

Differences ...

==== //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#135 (text+ko) ====

@@ -98,7 +98,7 @@
 	void *labels[MAC_MAX_POLICIES];
 };
 
-int	mac_late = 0;
+static int	mac_late = 0;
 
 static int	mac_enforce_fs = 1;
 SYSCTL_INT(_security_mac, OID_AUTO, enforce_fs, CTLFLAG_RW,
@@ -250,11 +250,17 @@
 
 	switch (type) {
 	case MOD_LOAD:
+		if (mpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_NOTLATE &&
+		    mac_late) {
+			error = EBUSY;
+			break;
+		}
 		error = mac_policy_register(mpc);
 		break;
 	case MOD_UNLOAD:
 		/* Don't unregister the module if it was never registered. */
-		if ((mpc->mpc_runtime_flags & MPC_FLAG_REGISTERED) != 0)
+		if ((mpc->mpc_runtime_flags & MPC_RUNTIME_FLAG_REGISTERED)
+		    != 0)
 			error = mac_policy_unregister(mpc);
 		else
 			error = 0;
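Review bot: The new NOTLATE test on the MOD_LOAD path relies on `&` binding tighter than `&&`, while the MOD_UNLOAD branch a few lines below spells the same kind of bit test with explicit parentheses and `!= 0`; the two should match, e.g. `if ((mpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_NOTLATE) != 0 &&` / `    mac_late) {`. The check is also placed in the module event handler rather than in mac_policy_register() itself, so the commit message's "during the registration process" holds only for registrations that arrive through MOD_LOAD; if any other path calls mac_policy_register() directly, it would appear to bypass the late check. Moving the test into mac_policy_register() (which this commit already edits in the third hunk) would enforce it for every caller. The enclosing function begins before this hunk and the switch continues after it.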
@@ -555,7 +561,7 @@
 		mpc->mpc_field_off = slot;
 	} else
 		mpc->mpc_field_off = -1;
-	mpc->mpc_runtime_flags |= MPC_FLAG_REGISTERED;
+	mpc->mpc_runtime_flags |= MPC_RUNTIME_FLAG_REGISTERED;
 	LIST_INSERT_HEAD(&mac_policy_list, mpc, mpc_list);
 	printf("Security policy: %s (%s)\n", mpc->mpc_fullname, mpc->mpc_name);
 

==== //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#62 (text+ko) ====

@@ -299,20 +299,25 @@
 	char				*mpc_fullname;	/* policy full name */
 	struct mac_policy_ops		 mpc_ops;	/* policy operations */
 	struct mac_policy_op_entry	*mpc_entries;	/* ops to fill in */
+	int				 mpc_loadtime_flags;	/* flags */
 	int				 mpc_field_off; /* security field */
 	int				 mpc_runtime_flags; /* flags */
 	LIST_ENTRY(mac_policy_conf)	 mpc_list;	/* global list */
 };
 
+/* Flags for the mpc_loadtime_flags field. */
+#define	MPC_LOADTIME_FLAG_NOTLATE	0x00000001
+
 /* Flags for the mpc_runtime_flags field. */
-#define	MPC_FLAG_REGISTERED	0x00000001
+#define	MPC_RUNTIME_FLAG_REGISTERED	0x00000001
 
-#define	MAC_POLICY_SET(mpents, mpname, mpfullname, privdata_wanted)	\
+#define	MAC_POLICY_SET(mpents, mpname, mpfullname, mpflags, privdata_wanted)\
 	static struct mac_policy_conf mpname##_mac_policy_conf = {	\
 		#mpname,						\
 		mpfullname,						\
 		{ NULL /*... */ },					\
 		mpents,							\
+		mpflags,						\
 		privdata_wanted,					\
 		0							\
 	};								\
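Review bot: The new `mpc_loadtime_flags` member carries the same one-word comment `/* flags */` as `mpc_runtime_flags`, although the commit's whole point is that one is declared by the policy and the other is maintained by the framework; suggest `/* policy-declared MPC_LOADTIME_FLAG_* */` on the new field and `/* framework-maintained MPC_RUNTIME_FLAG_* */` on the existing one. Because `MAC_POLICY_SET` initializes the struct positionally, inserting the new field between `mpc_entries` and `mpc_field_off` only stays correct as long as the `mpflags` line is added at exactly that position, as it is here; designated initializers (`.mpc_loadtime_flags = mpflags,` and so on for the other members) would make that independent of field order. Adding the `mpflags` parameter also changes the macro's arity, so every existing `MAC_POLICY_SET` user presumably has to be updated alongside this change, which the two affected files do not show. The macro body continues past the end of this hunk.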




