Date: Fri, 10 Oct 2003 19:08:03 -0700 (PDT) From: Chris Vance <cvance@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 39488 for review Message-ID: <200310110208.h9B283hC049318@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=39488
Change 39488 by cvance@cvance_osx_laptop on 2003/10/10 19:07:26
Convince SEBSD "module" to build on Darwin. Please note: (build != run)
Affected files ...
.. //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/avc/avc.c#2 edit
.. //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/avc/avc.h#2 edit
.. //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/flask_types.h#2 edit
.. //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/linux-compat.h#2 edit
.. //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/sebsd.c#3 edit
.. //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/sebsd_syscall.c#2 edit
.. //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/sebsd_sysctl.c#2 edit
.. //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/ss/context.h#2 edit
.. //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/ss/ebitmap.h#2 edit
.. //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/ss/global.h#2 edit
.. //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/ss/init.c#2 edit
.. //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/ss/queue.c#2 edit
.. //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/ss/sidtab.c#2 edit
.. //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/ss/sidtab.h#2 edit
.. //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/ss/symtab.h#2 edit
Differences ...
==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/avc/avc.c#2 (text+ko) ====
==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/avc/avc.h#2 (text+ko) ====
==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/flask_types.h#2 (text+ko) ====
@@ -15,7 +15,7 @@
  */
-#ifdef __FreeBSD__
+#if defined(__FreeBSD__) || defined(__APPLE__)
 #include <sys/types.h>
 #include <security/sebsd/linux-compat.h>
 #else /* __FreeBSD__ */
==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/linux-compat.h#2 (text+ko) ====
@@ -44,16 +44,19 @@
  */
 #include <sys/types.h>
+
+#ifdef __APPLE__
+#include <machine/endian.h>
+#else /* Probably FreeBSD */
 #include <sys/endian.h>
+#endif
 typedef u_int64_t u64;
 typedef u_int32_t u32;
 typedef u_int16_t u16;
 typedef u_int8_t u8;
-
-#ifndef _KERNEL
-
+#if !defined(_KERNEL) && !defined(KERNEL)
 #if BYTE_ORDER == LITTLE_ENDIAN
 #define cpu_to_le32(x) ((__uint32_t)(x))
 #define cpu_to_le64(x) ((__uint64_t)(x))
@@ -68,7 +71,7 @@
 /* sebsd uses same ss source files for userspace */
-#define kmalloc(size,flags) malloc(size)
+#define kmalloc(size,flags) malloc(size,as)
 #define kfree(v) free(v)
 #define __get_free_page(flags) malloc (4096) /* XXX need page size */
 #define GFP_ATOMIC 1
@@ -76,8 +79,19 @@
 #else /* _KERNEL */
+#ifdef __APPLE__
+#include <architecture/byte_order.h>
+#if BYTE_ORDER == LITTLE_ENDIAN
+#define le32_to_cpu(x) ((__uint32_t)(x))
+#define le64_to_cpu(x) ((__uint64_t)(x))
+#else /* BYTE_ORDER != LITTLE_ENDIAN */
+#define le32_to_cpu(x) NXSwapLittleLongToHost(x)
+#define le64_to_cpu(x) NXSwapLittleLongLongToHost(x)
+#endif
+#else
 #define le32_to_cpu(a) le32toh(a)
 #define le64_to_cpu(a) le64toh(a)
+#endif
 #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
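Review bot: In the `@@ -68,7 +71,7 @@` hunk of linux-compat.h the userspace `kmalloc` now expands to `malloc(size,as)`, a two-argument call to libc `malloc` with an identifier `as` that nothing on this page defines; this branch sits under `#if !defined(_KERNEL) && !defined(KERNEL)`, so any userspace build of the shared ss/ sources will fail at the first `kmalloc` use, unless a userspace `malloc` wrapper taking that argument exists outside the hunk. The kernel branch further down keeps the three-argument `malloc(size, M_SEBSD, flags)` form, so this looks like a stray edit rather than an intended change. Restore `#define kmalloc(size,flags) malloc(size)`.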
@@ -91,16 +105,36 @@
 /* kmalloc */
+#include <sys/malloc.h>
+
+#ifdef __APPLE__
+#define malloc(size,type,flags) _MALLOC(size,type,flags)
+#define free(addr,type) FREE(addr,type)
+#define M_SEBSD M_MACTEMP
+#else
+#ifndef _M_SEBSD_DEF
+MALLOC_DECLARE(M_SEBSD);
+#define _M_SEBSD_DEF
+#endif
+#endif /* __APPLE__ */
+
 #define kmalloc(size,flags) malloc(size, M_SEBSD, flags)
 #define kfree(v) free(v, M_SEBSD)
-#define __get_free_page(flags) malloc (4096, M_SEBSD, flags) /* XXX need page size */
+/* XXX need page size */
+#define __get_free_page(flags) malloc(4096, M_SEBSD, flags)
 #define GFP_ATOMIC M_NOWAIT
 #define GFP_KERNEL M_NOWAIT
-#include <sys/malloc.h>
-#ifndef _M_SEBSD_DEF
-MALLOC_DECLARE(M_SEBSD);
-#define _M_SEBSD_DEF
+#ifdef __APPLE__
+/* TBD: Skip this for now: */
+#define mtx_init(a,b,c,d)
+
+/* TBD: no boot-time tunable support yet */
+#define TUNABLE_INT_FETCH(str,var)
+
+/* TBD: scary, but skip locking for now */
+#define mtx_lock(m)
+#define mtx_unlock(m)
 #endif
 /* spinlock */
==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/sebsd.c#3 (text+ko) ====
@@ -37,7 +37,6 @@
 #include <sys/types.h>
 #include <sys/param.h>
 #include <sys/extattr.h>
-#include <sys/imgact.h>
 #include <sys/conf.h>
 #include <sys/kernel.h>
 #include <sys/mac.h>
@@ -47,16 +46,26 @@
 #include <sys/proc.h>
 #include <sys/sbuf.h>
 #include <sys/systm.h>
-#include <sys/sysproto.h>
 #include <sys/vnode.h>
-#include <sys/pipe.h>
 #include <sys/dirent.h>
-#include <sys/capability.h>
-#include <fs/devfs/devfs.h>
+#ifdef __APPLE__
+/*
+ * The code is conditional upon the following list of defines. For now,
+ * Darwin does not provide support for them:
+ *	CAPABILITIES
+ *	HAS_THREADS
+ *	HAS_PIPES
+ *	HAS_EXTATTRS
+ *	HAS_DEVFS_DIRENT
+ *	HAS_VAPPEND
+ *	HAS_IMAGE_PARAMS
+ *	HAS_STRINGS
+ *	HAS_ACLS
+ */
+#include <sys/ucred.h>
+#endif
-#include <vm/vm.h>
-
 #include <sys/mac_policy.h>
 #include <security/sebsd/sebsd.h>
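Review bot: The empty `mtx_init`, `mtx_lock(m)` and `mtx_unlock(m)` definitions under `__APPLE__` in the `@@ -91,16 +105,36 @@` hunk compile away every lock acquisition in any translation unit that includes linux-compat.h, so whatever shared SEBSD state those calls guard is unprotected on Darwin while the call sites still read as if they were locked; the "scary" TBD comment is the only trace of that. Since the change is declared build-only, make the condition visible in the build output rather than in a comment, e.g. `#warning "SEBSD: mtx_* and TUNABLE_INT_FETCH are no-ops on Darwin; not safe to run"` placed beside the existing `/* TBD: scary, but skip locking for now */`. The `TUNABLE_INT_FETCH(str,var)` no-op has the same effect for tunables: the variable silently keeps its compiled-in initial value, which is worth stating in that comment too.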
@@ -64,10 +73,14 @@
 int sebsd_verbose = 0;
-static int slot;
+static int slot = 1; /* TBD, dynamic */
 #define SLOT(l) ((void *)LABEL_TO_SLOT((l), slot).l_ptr)
+#ifdef __APPLE__
+#define M_SEBSD M_MACTEMP
+#else
 MALLOC_DEFINE(M_SEBSD, "sebsd", "Security Enhanced BSD");
+#endif
 extern int ss_initialized;
 static __inline int ss_precondition(void)
@@ -79,10 +92,12 @@
 sebsd_init(struct mac_policy_conf *mpc)
 {
 	printf("sebsd:: init\n");
+#if 0
 	avc_init();
 	if (security_init()) {
 		panic("SEBSD: couldn't read policy file");
 	}
+#endif
 }
 static void
@@ -92,6 +107,7 @@
 	printf("sebsd:: destroy\n");
 }
+#ifdef CAPABILITIES
 /*
  * Check whether a task is allowed to use a capability.
  */
@@ -109,6 +125,7 @@
 	return avc_has_perm_audit(task->sid, task->sid, SECCLASS_CAPABILITY, cap, &ad);
 }
+#endif
 static int
 cred_has_perm(struct ucred *cred, struct proc *proc, access_vector_t perm)
@@ -158,6 +175,7 @@
 	SECCLASS_SECURITY, perm, NULL, NULL));
 }
+#ifdef HAS_THREADS
 int
 thread_has_system(struct thread *td, access_vector_t perm)
 {
@@ -171,6 +189,7 @@
 	return (cred_has_security(td->td_proc->p_ucred, perm));
 }
+#endif
 static __inline security_class_t
 vnode_type_to_security_class(enum vtype vt)
@@ -192,12 +211,17 @@
 		return SECCLASS_FIFO_FILE;
 	case VNON:
 	case VBAD:
+#ifdef __APPLE__
+	case VSTR:
+	case VCPLX:
+#endif
 		return SECCLASS_FILE;
 	}
 	return SECCLASS_FILE;
 }
+#ifdef HAS_DEVFS_DIRENT
 static __inline security_class_t
 dirent_type_to_security_class(__uint8_t type)
 {
@@ -223,6 +247,7 @@
 	return SECCLASS_FILE;
 }
+#endif
 static __inline access_vector_t
 file_mask_to_av(enum vtype vt, int mask)
@@ -235,10 +260,13 @@
 		if (mask & VREAD)
 			av |= FILE__READ;
+#ifdef HAS_VAPPEND
 		if (mask & VAPPEND)
 			av |= FILE__APPEND;
-		else if (mask & VWRITE)
-			av |= FILE__WRITE;
+		else
+#endif
+		if (mask & VWRITE)
+			av |= FILE__WRITE;
 	} else {
 		if (mask & VEXEC)
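Review bot: With `avc_init()` and `security_init()` fenced by `#if 0` in the `@@ -79,10 +92,12 @@` hunk, `sebsd_init` returns after its printf without ever loading a policy, yet every `avc_has_perm*` call that survives elsewhere in the file (for example the `cred_has_perm`/`vnode_type_to_security_class` paths in this same line's hunks) is still wired up; presumably `ss_initialized`, declared `extern` just above, stays unset and `ss_precondition()` is what keeps those callers from consulting an empty AVC, but the hunk does not say so. The `#if 0` deserves a comment that states the consequence, e.g. `/* XXX Darwin bring-up: no policy is loaded, so access checks run without one */`. The `static int slot = 1; /* TBD, dynamic */` change also fixes the label slot at a literal that `SLOT(l)` on the next line and the policy registration at the end of this file both depend on agreeing; a named constant would keep the two in step.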
@@ -266,6 +294,7 @@
 	AVC_AUDIT_DATA_INIT(&ad, FS);
 	ad.u.fs.vp = vp;
+#if 0
 	if (file->sclass == 0) {
 		struct vattr va;
 		VOP_GETATTR(vp, &va, curthread->td_ucred, curthread);
@@ -278,10 +307,12 @@
 			return 1; /* TBD: debugging */
 		}
 	}
+#endif
 	return avc_has_perm_ref_audit(task->sid, file->sid, file->sclass, perm, aeref ? aeref : &file->avcr, &ad);
 }
+#ifdef HAS_PIPES
 static int
 pipe_has_perm(struct ucred *cred, struct pipe *pipe, access_vector_t perm)
 {
@@ -298,6 +329,7 @@
 	return(avc_has_perm_ref(task->sid, file->sid, file->sclass, perm, &file->avcr));
 }
+#endif
 static void
 sebsd_init_cred_label(struct label *label)
@@ -392,6 +424,7 @@
 	printf("sebsd_relabel_cred:: This does nothing\n");
 }
+#ifdef HAS_DEVFS_DIRENT
 static void
 sebsd_associate_vnode_devfs(struct mount *mp, struct label *fslabel, struct devfs_dirent *de, struct label *delabel, struct vnode *vp,
@@ -414,7 +447,9 @@
  * relabel calls.
  */
 }
+#endif
+#ifdef HAS_EXTATTRS
 static int
 sebsd_associate_vnode_extattr(struct mount *mp, struct label *fslabel, struct vnode *vp, struct label *vlabel)
@@ -474,6 +509,7 @@
 	return (0);
 }
+#endif
 static void
 sebsd_associate_vnode_singlelabel(struct mount *mp, struct label *fslabel,
@@ -520,6 +556,7 @@
 	fsec->sid = tsec->sid;
 }
+#ifdef HAS_DEVFS_DIRENT
 static void
 sebsd_create_devfs_device(struct ucred *cr, struct mount *mp, dev_t dev, struct devfs_dirent *devfs_dirent, struct label *label,
@@ -652,7 +689,9 @@
 	}
 	free(path, M_SEBSD);
 }
+#endif /* HAS_DEVFS_DIRENT */
+#ifdef HAS_PIPES
 /*
  * Use the allocating task SID to label pipes. On Linux, pipes reside
  * in a pseudo filesystem.
@@ -670,6 +709,7 @@
 	vsec->sid = vsec->task_sid = tsec->sid;
 	vsec->sclass = SECCLASS_FIFO_FILE;
 }
+#endif
 static void
 sebsd_create_proc0(struct ucred *cred)
@@ -778,6 +818,7 @@
 sebsd_create_root_mount(struct ucred *cred, struct mount *mp, struct label *mntlabel, struct label *fslabel)
 {
+#if 0
 	struct vnode *vp, *nvp;
 	/*
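Review bot: The `#if 0` opened in the `@@ -266,6 +294,7 @@` hunk and closed in the following one removes the `file->sclass == 0` branch that used `VOP_GETATTR` to classify an unclassified vnode label, so `avc_has_perm_ref_audit(task->sid, file->sid, file->sclass, ...)` immediately after the `#endif` can now be reached with `file->sclass == 0`; the old branch at least bailed out with `return 1; /* TBD: debugging */` in that case. The enclosing function begins before the hunk, so whether some caller guarantees a non-zero class is not visible here. Add a comment at the `#endif`, e.g. `/* XXX Darwin: lazy sclass lookup disabled; file->sclass may still be 0 here */`, and consider keeping a `if (file->sclass == 0) return 1;` guard so the AVC is never consulted with an unset class.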
@@ -797,8 +838,10 @@
 		vp = nvp;
 	} while (vp != NULL);
 	mtx_unlock(&mntvnode_mtx);
+#endif
 }
+#ifdef HAS_EXTATTRS
 static int
 sebsd_create_vnode_extattr(struct ucred *cred, struct mount *mp, struct label *fslabel, struct vnode *parent, struct label *parentlabel,
@@ -840,12 +883,16 @@
 	security_free_context(context);
 	return (error);
 }
+#endif
+#ifdef CAPABILITIES
 static int
 sebsd_check_cap (struct ucred *cred, cap_value_t capv)
 {
+
 	return cred_has_capability (cred, capv);
 }
+#endif
 /*
  * SEBSD does not support the relabeling of processes without
@@ -932,6 +979,7 @@
 	return (mount_has_perm(cred, mp, FILESYSTEM__UNMOUNT, NULL));
 }
+#ifdef HAS_PIPES
 static int
 sebsd_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, struct label *pipelabel, unsigned long cmd, void /* caddr_t */ *data)
@@ -1004,6 +1052,7 @@
 	return (pipe_has_perm(cred, pipe, FIFO_FILE__WRITE));
 }
+#endif /* HAS_PIPES */
 static int
 sebsd_check_proc_debug(struct ucred *cred, struct proc *proc)
@@ -1042,6 +1091,7 @@
 	return (cred_has_perm(cred, proc, perm));
 }
+#ifdef HAS_IMAGE_PARAMS
 static void
 sebsd_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp, struct label *vnodelabel, struct label *interpvnodelabel,
@@ -1111,7 +1161,9 @@
 	return (newsid != task->sid);
 }
+#endif
+#ifdef HAS_STRING
 static int
 sebsd_internalize_sid(security_id_t *sidp, char *element_name, char *element_data, int *claimed)
@@ -1174,7 +1226,9 @@
 	return (sebsd_internalize_sid(&vsec->sid, element_name, element_data, claimed));
 }
+#endif /* HAS_STRINGS */
+#ifdef HAS_PIPES
 static void
 sebsd_relabel_pipe(struct ucred *cred, struct pipe *pipe, struct label *pipelabel, struct label *newlabel)
@@ -1195,6 +1249,7 @@
 	dest->sid = source->sid;
 }
+#endif
 static void
 sebsd_relabel_vnode(struct ucred *cred, struct vnode *vp,
@@ -1217,6 +1272,7 @@
 	dest->sid = source->sid;
 }
+#ifdef HAS_EXTATTRS
 static int
 sebsd_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp, struct label *vlabel, struct label *intlabel)
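Review bot: The guard added in the `@@ -1111,7 +1161,9 @@` hunk reads `#ifdef HAS_STRING`, but the `#endif /* HAS_STRINGS */` that closes it in the next hunk, the `#ifdef HAS_STRINGS` around `sebsd_externalize_sid` later in the file, and the list in the sebsd.c header comment all spell it `HAS_STRINGS`. As written, defining HAS_STRINGS enables the externalize side while `sebsd_internalize_sid` and the internalize wrappers stay compiled out, and the In/Out entries in the ops table that name them will then fail to link once their own `#if 0` is lifted. Change the line to `#ifdef HAS_STRINGS`.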
@@ -1240,6 +1296,7 @@
 	security_free_context(context);
 	return (error);
 }
+#endif
 static int
 sebsd_check_vnode_access(struct ucred *cred, struct vnode *vp,
@@ -1353,6 +1410,7 @@
 	return (rc);
 }
+#ifdef HAS_ACLS
 static int
 sebsd_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp, struct label *label, acl_type_t type)
@@ -1360,7 +1418,9 @@
 	return (vnode_has_perm(cred, vp, FILE__SETATTR, NULL));
 }
+#endif
+#ifdef HAS_IMAGE_PARAMS
 static int
 sebsd_check_vnode_exec(struct ucred *cred, struct vnode *vp, struct label *label, struct image_params *imgp, struct label *execlabel)
@@ -1422,7 +1482,9 @@
 	return (0);
 }
+#endif
+#ifdef HAS_ACLS
 static int
 sebsd_check_vnode_getacl(struct ucred *cred, struct vnode *vp, struct label *label, acl_type_t type)
@@ -1430,7 +1492,9 @@
 	return (vnode_has_perm(cred, vp, FILE__GETATTR, NULL));
 }
+#endif
+#ifdef HAS_EXTATTRS
 static int
 sebsd_check_vnode_getextattr(struct ucred *cred, struct vnode *vp, struct label *label, int attrnamespace, const char *name, struct uio *uio)
@@ -1438,6 +1502,7 @@
 	return (vnode_has_perm(cred, vp, FILE__GETATTR, NULL));
 }
+#endif
 static int
 sebsd_check_vnode_link(struct ucred *cred, struct vnode *dvp,
@@ -1673,6 +1738,7 @@
 	return 0;
 }
+#ifdef HAS_ACLS
 static int
 sebsd_check_vnode_setacl(struct ucred *cred, struct vnode *vp, struct label *label, acl_type_t type, struct acl *acl)
@@ -1680,7 +1746,9 @@
 	return vnode_has_perm(cred, vp, FILE__SETATTR, NULL);
 }
+#endif
+#ifdef HAS_EXTATTRS
 static int
 sebsd_check_vnode_setextattr(struct ucred *cred, struct vnode *vp, struct label *label, int attrnamespace, const char *name, struct uio *uio)
@@ -1688,6 +1756,7 @@
 	return vnode_has_perm(cred, vp, FILE__SETATTR, NULL);
 }
+#endif
 static int
 sebsd_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
@@ -1804,6 +1873,7 @@
 	return (0);
 }
+#ifdef HAS_STRINGS
 static int
 sebsd_externalize_sid(security_id_t sid, char *element_name, struct sbuf *sb, int *claimed)
@@ -1866,6 +1936,7 @@
 	nsec = SLOT(label);
 	return (sebsd_externalize_sid(nsec->sid, element_name, sb, claimed));
 }
+#endif /* HAS_STRINGS */
 static void
 sebsd_copy_vnode_label(struct label *src, struct label *dest)
@@ -1977,18 +2048,25 @@
 }
 static struct mac_policy_ops sebsd_ops = {
+	.mpo_init = sebsd_init
+};
+
+static struct mac_policy_ops sebsd_ops_o = {
 	/* Init Labels */
-	.mpo_init = sebsd_init,
 	.mpo_init_bpfdesc_label = sebsd_init_network_label,
 	.mpo_init_cred_label = sebsd_init_cred_label,
+#if 0
 	.mpo_init_devfsdirent_label = sebsd_init_vnode_label,
 	.mpo_init_file_label = sebsd_init_file_label,
+#endif
 	.mpo_init_ifnet_label = sebsd_init_network_label,
 	.mpo_init_ipq_label = sebsd_init_network_label_waitcheck,
 	.mpo_init_mbuf_label = sebsd_init_network_label_waitcheck,
 	.mpo_init_mount_label = sebsd_init_mount_label,
 	.mpo_init_mount_fs_label = sebsd_init_mount_fs_label,
+#ifdef HAS_PIPES
 	.mpo_init_pipe_label = sebsd_init_vnode_label,
+#endif
 	.mpo_init_socket_label = sebsd_init_network_label_waitcheck,
 	.mpo_init_socket_peer_label = sebsd_init_network_label_waitcheck,
 	.mpo_init_vnode_label = sebsd_init_vnode_label,
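Review bot: `sebsd_ops` in the `@@ -1977,18 +2048,25 @@` hunk now carries only `.mpo_init`, while the full table moves to `sebsd_ops_o`, which nothing on this page references; as a file-scope `static` object that is never used it draws an unused-variable warning, and, more importantly, the `sebsd_mac_policy_conf` registration at the end of this file points at the one-entry stub, so the module will load and enforce no check at all. That is consistent with "build != run", but nothing at the definition says so. Add a comment above `sebsd_ops`, e.g. `/* XXX Darwin bring-up: only mpo_init is registered; sebsd_ops_o holds the full table and is not wired in yet */`, so nobody mistakes the stub for a working policy.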
@@ -1997,37 +2075,53 @@
 	.mpo_destroy = sebsd_destroy,
 	.mpo_destroy_bpfdesc_label = sebsd_destroy_label,
 	.mpo_destroy_cred_label = sebsd_destroy_label,
+#ifdef HAS_DEVFS_DIRENT
 	.mpo_destroy_devfsdirent_label = sebsd_destroy_label,
+#endif
 	.mpo_destroy_ifnet_label = sebsd_destroy_label,
 	.mpo_destroy_ipq_label = sebsd_destroy_label,
 	.mpo_destroy_mbuf_label = sebsd_destroy_label,
+#if 0
 	.mpo_destroy_file_label = sebsd_destroy_label,
+#endif
 	.mpo_destroy_mount_label = sebsd_destroy_label,
 	.mpo_destroy_mount_fs_label = sebsd_destroy_label,
+#ifdef HAS_PIPES
 	.mpo_destroy_pipe_label = sebsd_destroy_label,
+#endif
 	.mpo_destroy_socket_label = sebsd_destroy_label,
 	.mpo_destroy_socket_peer_label = sebsd_destroy_label,
 	.mpo_destroy_vnode_label = sebsd_destroy_label,
 	/* Copy labels */
+#ifdef HAS_PIPES
 	.mpo_copy_pipe_label = sebsd_copy_vnode_label,
+#endif
 	.mpo_copy_vnode_label = sebsd_copy_vnode_label,
+#if 0
 	.mpo_copy_mount_label = sebsd_copy_mount_label,
+#endif
+#if 0
 	/* In/Out */
 	.mpo_externalize_cred_label = sebsd_externalize_cred_label,
 	.mpo_externalize_ifnet_label = sebsd_externalize_network_label,
+#ifdef HAS_PIPES
 	.mpo_externalize_pipe_label = sebsd_externalize_vnode_label,
+#endif
 	.mpo_externalize_socket_label = sebsd_externalize_network_label,
 	.mpo_externalize_socket_peer_label = sebsd_externalize_network_label,
 	.mpo_externalize_vnode_label = sebsd_externalize_vnode_label,
 	.mpo_externalize_mount_label = sebsd_externalize_mount_label,
 	.mpo_internalize_cred_label = sebsd_internalize_cred_label,
 	.mpo_internalize_ifnet_label = sebsd_internalize_network_label,
+#ifdef HAS_PIPES
 	.mpo_internalize_pipe_label = sebsd_internalize_vnode_label,
+#endif
 	.mpo_internalize_socket_label = sebsd_internalize_network_label,
 	.mpo_internalize_vnode_label = sebsd_internalize_vnode_label,
 	.mpo_internalize_mount_label = sebsd_internalize_mount_label,
+#endif
 #ifdef notdef
 	void (*mpo_create_mbuf_from_socket)(struct socket *so,
@@ -2050,33 +2144,51 @@
 	/* Create Labels */
 	.mpo_create_cred = sebsd_create_cred,
+
+#ifdef HAS_DEVFS_DIRENT
 	.mpo_create_devfs_device = sebsd_create_devfs_device,
 	.mpo_create_devfs_directory = sebsd_create_devfs_directory,
 	.mpo_create_devfs_symlink = sebsd_create_devfs_symlink,
+#endif
+#if 0
 	.mpo_create_file = sebsd_create_file,
+#endif
 	/* .mpo_create_mbuf_from_socket = sebsd_create_mbuf_from_socket, */
 	.mpo_create_mount = sebsd_create_mount,
+#ifdef HAS_PIPES
 	.mpo_create_pipe = sebsd_create_pipe,
+#endif
 	.mpo_create_proc0 = sebsd_create_proc0,
 	.mpo_create_proc1 = sebsd_create_proc1,
 	.mpo_create_root_mount = sebsd_create_root_mount,
 	/* .mpo_create_socket = sebsd_create_socket, */
 	/* .mpo_create_socket_from_socket = sebsd_create_socket_from_socket, */
+#ifdef HAS_EXTATTRS
 	.mpo_create_vnode_extattr = sebsd_create_vnode_extattr,
+#endif
+#ifdef HAS_DEVFS_DIRENT
 	.mpo_associate_vnode_devfs = sebsd_associate_vnode_devfs,
+#endif
 	.mpo_associate_vnode_singlelabel = sebsd_associate_vnode_singlelabel,
+#ifdef HAS_EXTATTRS
 	.mpo_associate_vnode_extattr = sebsd_associate_vnode_extattr,
+#endif
 	/* Check Labels */
+#ifdef CAPABILITIES
 	.mpo_check_cap = sebsd_check_cap,
+#endif
 	.mpo_check_cred_relabel = sebsd_check_cred_relabel,
+#if 0
 	.mpo_check_file_create = sebsd_check_file_create,
+
 	/* .mpo_check_file_dup .mpo_check_file_inherit .mpo_check_file_ioctl .mpo_check_file_receive */
+
 	.mpo_check_file_get_flags = sebsd_check_file_get_flags,
 	.mpo_check_file_get_ofileflags = sebsd_check_file_get_ofileflags,
 	.mpo_check_file_get_offset = sebsd_check_file_get_offset,
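Review bot: The `#if 0` opened before `.mpo_check_file_create` in the `@@ -2050,33 +2144,51 @@` hunk is not closed until the `+#endif` after `.mpo_check_mount_stat` in the `@@ -2087,13 +2199,16 @@` hunk, so it also drops `.mpo_check_umount`, `.mpo_check_remount`, `.mpo_check_mount_stat` and every entry between the two hunks, while the `sebsd_check_umount` and mount helpers on this page carry no feature guard of their own. If only the file-descriptor checks are unavailable on Darwin, close the block after the last `.mpo_check_file_*` entry and, if the mount checks are deliberately out too, give them their own `#if 0` with a comment saying why; the lines between the hunks are not visible here, so the exact split point needs confirming against the file.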
@@ -2087,13 +2199,16 @@
 	.mpo_check_umount = sebsd_check_umount,
 	.mpo_check_remount = sebsd_check_remount,
 	.mpo_check_mount_stat = sebsd_check_mount_stat,
+#endif
+#ifdef HAS_PIPES
 	.mpo_check_pipe_ioctl = sebsd_check_pipe_ioctl,
 	.mpo_check_pipe_poll = sebsd_check_pipe_poll,
 	.mpo_check_pipe_read = sebsd_check_pipe_read,
 	.mpo_check_pipe_relabel = sebsd_check_pipe_relabel,
 	.mpo_check_pipe_stat = sebsd_check_pipe_stat,
 	.mpo_check_pipe_write = sebsd_check_pipe_write,
+#endif
 	.mpo_check_proc_debug = sebsd_check_proc_debug,
 	.mpo_check_proc_sched = sebsd_check_proc_sched,
@@ -2107,10 +2222,18 @@
 	.mpo_check_vnode_chroot = sebsd_check_vnode_chroot,
 	.mpo_check_vnode_create = sebsd_check_vnode_create,
 	.mpo_check_vnode_delete = sebsd_check_vnode_delete,
+#ifdef HAS_ACLS
 	.mpo_check_vnode_deleteacl = sebsd_check_vnode_deleteacl,
+#endif
+#ifdef HAS_IMAGE_PARAMS
 	.mpo_check_vnode_exec = sebsd_check_vnode_exec,
+#endif
+#ifdef HAS_ACLS
 	.mpo_check_vnode_getacl = sebsd_check_vnode_getacl,
+#endif
+#ifdef EXTATTR
 	.mpo_check_vnode_getextattr = sebsd_check_vnode_getextattr,
+#endif
 	.mpo_check_vnode_link = sebsd_check_vnode_link,
 	.mpo_check_vnode_lookup = sebsd_check_vnode_lookup,
 	.mpo_check_vnode_mmap = sebsd_check_vnode_mmap,
@@ -2124,8 +2247,12 @@
 	.mpo_check_vnode_rename_from = sebsd_check_vnode_rename_from,
 	.mpo_check_vnode_rename_to = sebsd_check_vnode_rename_to,
 	.mpo_check_vnode_revoke = sebsd_check_vnode_revoke,
+#ifdef HAS_ACLS
 	.mpo_check_vnode_setacl = sebsd_check_vnode_setacl,
+#endif
+#ifdef HAS_EXTATTRS
 	.mpo_check_vnode_setextattr = sebsd_check_vnode_setextattr,
+#endif
 	.mpo_check_vnode_setflags = sebsd_check_vnode_setflags,
 	.mpo_check_vnode_setmode = sebsd_check_vnode_setmode,
 	.mpo_check_vnode_setowner = sebsd_check_vnode_setowner,
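Review bot: The `+#ifdef EXTATTR` around `.mpo_check_vnode_getextattr` in the `@@ -2107,10 +2222,18 @@` hunk uses a different macro from the `HAS_EXTATTRS` that guards the `sebsd_check_vnode_getextattr` definition earlier in the file and the sibling `.mpo_check_vnode_setextattr` entry two hunks below. With HAS_EXTATTRS defined the getextattr hook is compiled but never registered, so extended-attribute reads would go unchecked while writes are checked; with EXTATTR defined instead, the entry references a function that does not exist. Change the line to `#ifdef HAS_EXTATTRS`.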
@@ -2134,18 +2261,37 @@
 	.mpo_check_vnode_write = sebsd_check_vnode_write,
 	/* Misc */
+#ifdef HAS_IMAGE_PARAMS
 	.mpo_execve_transition = sebsd_execve_transition,
 	.mpo_execve_will_transition = sebsd_execve_will_transition,
+#endif
 	.mpo_relabel_cred = sebsd_relabel_cred,
+#ifdef HAS_PIPES
 	.mpo_relabel_pipe = sebsd_relabel_pipe,
+#endif
 	/* .mpo_relabel_socket = sebsd_relabel_socket, */
 	.mpo_relabel_vnode = sebsd_relabel_vnode,
+#ifdef HAS_EXTATTRS
 	.mpo_setlabel_vnode_extattr = sebsd_setlabel_vnode_extattr,
+#endif
 	/*.mpo_set_socket_peer_from_mbuf = sebsd_set_socket_peer_from_mbuf,*/
 	/*.mpo_set_socket_peer_from_socket = sebsd_set_socket_peer_from_socket,*/
+#if 0
 	.mpo_syscall = sebsd_syscall,
+#endif
 };
+#if 0
 MAC_POLICY_SET(&sebsd_ops, sebsd, "NSA/NAI Labs Security Enhanced BSD", MPC_LOADTIME_FLAG_NOTLATE, &slot);
+#endif
+
+struct mac_policy_conf sebsd_mac_policy_conf = {
+	"sebsd",				/* policy name */
+	"NSA/NAI Labs Security Enhanced BSD",	/* full name */
+	&sebsd_ops,				/* policy operations */
+	0,					/* loadtime flags*/
+	1,					/* security field */
+	0					/* runtime flags */
+};
==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/sebsd_syscall.c#2 (text+ko) ====
@@ -34,6 +34,7 @@
  * $FreeBSD$
  */
+#if 0
 #include <sys/types.h>
 #include <sys/param.h>
 #include <sys/kernel.h>
@@ -91,3 +92,4 @@
 	return err;
 }
+#endif /* 0 */
==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/sebsd_sysctl.c#2 (text+ko) ====
@@ -34,6 +34,7 @@
  * $FreeBSD$
  */
+#if 0
 #include <sys/types.h>
 #include <sys/param.h>
 #include <sys/kernel.h>
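Review bot: `sebsd_mac_policy_conf` in the `@@ -2134,18 +2261,37 @@` hunk is initialised positionally, and its `1, /* security field */` literal has to agree with `static int slot = 1;` near the top of the file, because `SLOT(l)` reads labels through `slot` while the kernel presumably stores them at the field this struct declares; nothing ties the two numbers together, so changing either one silently makes every label lookup read the wrong slot. The replaced `MAC_POLICY_SET(..., &slot)` had the framework fill `slot` in for exactly this reason. Introduce one constant, e.g. `#define SEBSD_SLOT 1` (or an `enum`), use it in both places, and since the rest of this table already uses designated initializers, name the fields of this struct too if Darwin's `struct mac_policy_conf` exposes them.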
@@ -320,3 +321,4 @@
 	"SEBSD access vector decision query");
 SYSCTL_PROC(_security_mac_sebsd, OID_AUTO, enforcing, CTLTYPE_INT | CTLFLAG_RW, NULL, 0, sysctl_sebsd_enforcing, "I", "SEBSD avc enforcement");
+#endif /* 0 */
==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/ss/context.h#2 (text+ko) ====
==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/ss/ebitmap.h#2 (text+ko) ====
==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/ss/global.h#2 (text+ko) ====
==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/ss/init.c#2 (text+ko) ====
==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/ss/queue.c#2 (text+ko) ====
==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/ss/sidtab.c#2 (text+ko) ====
==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/ss/sidtab.h#2 (text+ko) ====
==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/security/sebsd/ss/symtab.h#2 (text+ko) ====