From owner-p4-projects Thu Mar 21 7:10:42 2002 Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 0842637B417; Thu, 21 Mar 2002 07:10:21 -0800 (PST) Delivered-To: perforce@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 1BC9E37B404 for ; Thu, 21 Mar 2002 07:10:20 -0800 (PST) Received: (from perforce@localhost) by freefall.freebsd.org (8.11.6/8.11.6) id g2LFAJ451886 for perforce@freebsd.org; Thu, 21 Mar 2002 07:10:19 -0800 (PST) (envelope-from green@freebsd.org) Date: Thu, 21 Mar 2002 07:10:19 -0800 (PST) Message-Id: <200203211510.g2LFAJ451886@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: perforce set sender to green@freebsd.org using -f From: Brian Feldman Subject: PERFORCE change 8156 for review To: Perforce Change Reviews Sender: owner-p4-projects@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG http://people.freebsd.org/~peter/p4db/chv.cgi?CH=8156 Change 8156 by green@green_laptop_2 on 2002/03/21 07:10:08 * Fixup mac.h a bit. * Treat mount objects like the other MAC-containing objects. * Rename mac_mountfs() and mac_mountrootfs() to the more-correct mac_create_mount() and mac_create_root_mount(). * Move the root-mounted hook until after rootvnode has been set so the system has at least some sort of filesystem state :) Affected files ... ... //depot/projects/trustedbsd/mac/sys/kern/init_main.c#15 edit ... //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#115 edit ... //depot/projects/trustedbsd/mac/sys/kern/vfs_conf.c#5 edit ... //depot/projects/trustedbsd/mac/sys/kern/vfs_subr.c#18 edit ... //depot/projects/trustedbsd/mac/sys/kern/vfs_syscalls.c#36 edit ... //depot/projects/trustedbsd/mac/sys/sys/mac.h#86 edit ... //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#49 edit Differences ... ==== //depot/projects/trustedbsd/mac/sys/kern/init_main.c#15 (text+ko) ==== @@ -506,6 +506,9 @@ VREF(p->p_fd->fd_rdir); FILEDESC_UNLOCK(p->p_fd); VOP_UNLOCK(rootvnode, 0, td); +#ifdef MAC + mac_create_root_mount(td->td_ucred, TAILQ_FIRST(&mountlist)); +#endif /* MAC */ if (devfs_present) { /* ==== //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#115 (text+ko) ==== @@ -432,7 +432,7 @@ SYSCTL_NODE(_security_mac, OID_AUTO, debug, CTLFLAG_RW, 0, "TrustedBSD MAC debug info"); static unsigned int nmacmbufs, nmacsubjects, nmacifnets, nmacbpfdescs, - nmacsockets; + nmacsockets, nmacmounts; SYSCTL_UINT(_security_mac_debug, OID_AUTO, mbufs, CTLFLAG_RD, &nmacmbufs, 0, "number of mbufs in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, subjects, CTLFLAG_RD, @@ -443,6 +443,8 @@ &nmacbpfdescs, 0, "number of bpfdescs in use"); SYSCTL_UINT(_security_mac_debug, OID_AUTO, sockets, CTLFLAG_RD, &nmacsockets, 0, "number of sockets in use"); +SYSCTL_UINT(_security_mac_debug, OID_AUTO, mounts, CTLFLAG_RD, + &nmacmounts, 0, "number of mounts in use"); int mac_init_mbuf(struct mbuf *m, int how) @@ -526,6 +528,22 @@ atomic_subtract_int(&nmacbpfdescs, 1); } +void +mac_init_mount(struct mount *mp) +{ + + mac_init_label(&mp->mnt_label); + atomic_add_int(&nmacmounts, 1); +} + +void +mac_destroy_mount(struct mount *mp) +{ + + mac_destroy_label(&mp->mnt_label); + atomic_subtract_int(&nmacmounts, 1); +} + static int mac_label_valid(struct mac *label) { @@ -969,19 +987,17 @@ } void -mac_mountfs(struct ucred *cred, struct mount *mount) +mac_create_mount(struct ucred *cred, struct mount *mount) { - mac_init_label(&mount->mnt_label); - MAC_PERFORM(mountfs, cred, mount); + MAC_PERFORM(create_mount, cred, mount); } void -mac_mountrootfs(struct ucred *cred, struct mount *mount) +mac_create_root_mount(struct ucred *cred, struct mount *mount) { - mac_init_label(&mount->mnt_label); - MAC_PERFORM(mountrootfs, cred, mount); + MAC_PERFORM(create_root_mount, cred, mount); } int ==== //depot/projects/trustedbsd/mac/sys/kern/vfs_conf.c#5 (text+ko) ==== @@ -227,6 +227,9 @@ * (which is `path'.) */ strncpy(mp->mnt_stat.f_mntonname, "/", MNAMELEN); +#ifdef MAC + mac_init_mount(mp); +#endif /* MAC */ error = VFS_MOUNT(mp, NULL, NULL, NULL, curthread); @@ -237,6 +240,9 @@ free(path, M_MOUNT); if (error != 0) { if (mp != NULL) { +#ifdef MAC + mac_destroy_mount(mp); +#endif /* MAC */ vfs_unbusy(mp, curthread); free(mp, M_MOUNT); } ==== //depot/projects/trustedbsd/mac/sys/kern/vfs_subr.c#18 (text+ko) ==== @@ -376,9 +376,6 @@ mp->mnt_stat.f_mntonname[0] = '/'; mp->mnt_stat.f_mntonname[1] = 0; (void) copystr(devname, mp->mnt_stat.f_mntfromname, MNAMELEN - 1, 0); -#ifdef MAC - mac_mountrootfs(td->td_ucred, mp); -#endif *mpp = mp; return (0); } ==== //depot/projects/trustedbsd/mac/sys/kern/vfs_syscalls.c#36 (text+ko) ==== @@ -359,7 +359,7 @@ mp->mnt_stat.f_mntonname[MNAMELEN - 1] = '\0'; mp->mnt_iosize_max = DFLTPHYS; #ifdef MAC - mac_mountfs(td->td_ucred, mp); + mac_init_mount(mp); #endif VOP_UNLOCK(vp, 0, td); update: @@ -403,6 +403,10 @@ vrele(vp); return (error); } +#ifdef MAC + if (error == 0) + mac_create_mount(td->td_ucred, mp); +#endif /* MAC */ vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); /* * Put the new filesystem on the mount list after root. @@ -433,6 +437,9 @@ vp->v_flag &= ~VMOUNT; mtx_unlock(&vp->v_interlock); mp->mnt_vfc->vfc_refcount--; +#ifdef MAC + mac_destroy_mount(mp); +#endif vfs_unbusy(mp, td); free((caddr_t)mp, M_MOUNT); vput(vp); @@ -633,6 +640,9 @@ vrele(coveredvp); if (mp->mnt_kern_flag & MNTK_MWAIT) wakeup((caddr_t)mp); +#ifdef MAC + mac_destroy_mount(mp); +#endif /* MAC */ free((caddr_t)mp, M_MOUNT); return (0); } ==== //depot/projects/trustedbsd/mac/sys/sys/mac.h#86 (text+ko) ==== @@ -284,13 +284,13 @@ void mac_destroy_socket(struct socket *); void mac_init_subject(struct ucred *); void mac_destroy_subject(struct ucred *); +void mac_init_mount(struct mount *); +void mac_destroy_mount(struct mount *); /* Non-authorizational event hooks. */ void mac_execve_transition(struct ucred *old, struct ucred *new, struct mac *filelabel); int mac_execve_will_transition(struct ucred *old, struct mac *filelabel); -void mac_mountfs(struct ucred *cred, struct mount *mp); -void mac_mountrootfs(struct ucred *cred, struct mount *mp); void mac_relabel_subject(struct ucred *oldcred, struct mac *newlabel); /* Authorizational event hooks. */ @@ -333,6 +333,7 @@ void mac_create_devfs_device(dev_t dev, struct mac *devicelabel); void mac_create_devfs_directory(char *dirname, int dirnamelen, struct mac *dirlabel); +void mac_create_ifnet(struct ifnet *ifp); void mac_create_mbuf_datagram_from_mbuf_fragmentqueue( struct mbuf *fragmentqueue, struct mbuf *datagram); void mac_create_mbuf_fragment_from_mbuf(struct mbuf *mbuf, @@ -349,8 +350,10 @@ struct ifnet *ifnet, struct mbuf *newmbuf); void mac_create_mbuf_netlayer_from_mbuf(struct mbuf *oldmbuf, struct mbuf *newmbuf); +void mac_create_mount(struct ucred *cred, struct mount *mp); void mac_create_proc0(struct ucred *cred); void mac_create_proc1(struct ucred *cred); +void mac_create_root_mount(struct ucred *cred, struct mount *mp); void mac_create_socket(struct ucred *cred, struct socket *socket); void mac_create_subject(struct ucred *cred_parent, struct ucred *cred_child); ==== //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#49 (text+ko) ==== @@ -81,8 +81,8 @@ void (*mpo_create_vnode_from_vnode)(struct ucred *cred, struct vnode *parent, struct mac *parentlabel, struct vnode *child, struct mac *childlabel); - void (*mpo_mountfs)(struct ucred *cred, struct mount *mp); - void (*mpo_mountrootfs)(struct ucred *cred, struct mount *mp); + void (*mpo_create_mount)(struct ucred *cred, struct mount *mp); + void (*mpo_create_root_mount)(struct ucred *cred, struct mount *mp); /* * Labeling event operations: IPC objects. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message