PERFORCE change 15264 for review
Robert Watson
rwatson at freebsd.org
Wed Jul 31 02:15:11 GMT 2002
http://people.freebsd.org/~peter/p4db/chv.cgi?CH=15264
Change 15264 by rwatson at rwatson_tislabs on 2002/07/30 19:14:19
Trickle IFC MAC changes back into the TrustedBSD source tree.
Affected files ...
.. //depot/projects/trustedbsd/base/sys/kern/init_main.c#14 integrate
.. //depot/projects/trustedbsd/base/sys/kern/kern_prot.c#17 integrate
.. //depot/projects/trustedbsd/base/sys/kern/subr_mbuf.c#11 integrate
.. //depot/projects/trustedbsd/base/sys/kern/uipc_mbuf.c#8 integrate
.. //depot/projects/trustedbsd/base/sys/kern/vfs_mount.c#3 integrate
.. //depot/projects/trustedbsd/base/sys/kern/vfs_subr.c#17 integrate
.. //depot/projects/trustedbsd/base/sys/kern/vfs_syscalls.c#20 integrate
Differences ...
==== //depot/projects/trustedbsd/base/sys/kern/init_main.c#14 (text+ko) ====
@@ -39,7 +39,7 @@
* SUCH DAMAGE.
*
* @(#)init_main.c 8.9 (Berkeley) 1/21/94
- * $FreeBSD: src/sys/kern/init_main.c,v 1.200 2002/07/31 00:39:19 rwatson Exp $
+ * $FreeBSD: src/sys/kern/init_main.c,v 1.201 2002/07/31 01:11:29 rwatson Exp $
*/
#include "opt_init_path.h"
@@ -519,6 +519,9 @@
VREF(p->p_fd->fd_rdir);
FILEDESC_UNLOCK(p->p_fd);
VOP_UNLOCK(rootvnode, 0, td);
+#ifdef MAC
+ mac_create_root_mount(td->td_ucred, TAILQ_FIRST(&mountlist));
+#endif
if (devfs_present) {
/*
==== //depot/projects/trustedbsd/base/sys/kern/kern_prot.c#17 (text+ko) ====
@@ -37,7 +37,7 @@
* SUCH DAMAGE.
*
* @(#)kern_prot.c 8.6 (Berkeley) 1/21/94
- * $FreeBSD: src/sys/kern/kern_prot.c,v 1.162 2002/07/31 00:39:19 rwatson Exp $
+ * $FreeBSD: src/sys/kern/kern_prot.c,v 1.163 2002/07/31 00:48:24 rwatson Exp $
*/
/*
@@ -1379,6 +1379,10 @@
if ((error = prison_check(u1, u2)))
return (error);
+#ifdef MAC
+ if ((error = mac_check_cred_visible(u1, u2)))
+ return (error);
+#endif
if ((error = cr_seeotheruids(u1, u2)))
return (error);
return (0);
@@ -1420,6 +1424,10 @@
error = prison_check(cred, proc->p_ucred);
if (error)
return (error);
+#ifdef MAC
+ if ((error = mac_check_proc_signal(cred, proc, signum)))
+ return (error);
+#endif
error = cr_seeotheruids(cred, proc->p_ucred);
if (error)
return (error);
@@ -1521,6 +1529,10 @@
return (0);
if ((error = prison_check(td->td_ucred, p->p_ucred)))
return (error);
+#ifdef MAC
+ if ((error = mac_check_proc_sched(td->td_ucred, p)))
+ return (error);
+#endif
if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred)))
return (error);
if (td->td_ucred->cr_ruid == p->p_ucred->cr_ruid)
@@ -1578,6 +1590,10 @@
return (0);
if ((error = prison_check(td->td_ucred, p->p_ucred)))
return (error);
+#ifdef MAC
+ if ((error = mac_check_proc_debug(td->td_ucred, p)))
+ return (error);
+#endif
if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred)))
return (error);
@@ -1652,11 +1668,13 @@
error = prison_check(cred, so->so_cred);
if (error)
return (ENOENT);
+#ifdef MAC
+ error = mac_check_socket_visible(cred, so);
+ if (error)
+ return (error);
+#endif
if (cr_seeotheruids(cred, so->so_cred))
return (ENOENT);
-#ifdef MAC
- /* XXX: error = mac_cred_check_seesocket() here. */
-#endif
return (0);
}
==== //depot/projects/trustedbsd/base/sys/kern/subr_mbuf.c#11 (text+ko) ====
@@ -25,13 +25,16 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $FreeBSD: src/sys/kern/subr_mbuf.c,v 1.24 2002/07/30 21:06:27 bmilekic Exp $
+ * $FreeBSD: src/sys/kern/subr_mbuf.c,v 1.25 2002/07/31 01:42:19 rwatson Exp $
*/
+#include "opt_mac.h"
#include "opt_param.h"
+
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/malloc.h>
+#include <sys/mac.h>
#include <sys/mbuf.h>
#include <sys/lock.h>
#include <sys/mutex.h>
@@ -802,6 +805,11 @@
struct mb_bucket *bucket;
u_int owner;
+#ifdef MAC
+ if (type != MT_NOTMBUF && ((struct mbuf *)m)->m_flags & M_PKTHDR)
+ mac_destroy_mbuf((struct mbuf *)m);
+#endif
+
bucket = mb_list->ml_btable[MB_BUCKET_INDX(m, mb_list)];
/*
@@ -1254,8 +1262,15 @@
struct mbuf *mb;
mb = (struct mbuf *)mb_alloc(&mb_list_mbuf, how, type, 0, NULL);
- if (mb != NULL)
+ if (mb != NULL) {
_mbhdr_setup(mb, type);
+#ifdef MAC
+ if (mac_init_mbuf(mb, how) != 0) {
+ mb_free(&mb_list_mbuf, mb, type, 0, NULL);
+ return (NULL);
+ }
+#endif
+ }
return (mb);
}
@@ -1298,6 +1313,12 @@
mb = (struct mbuf *)mb_alloc(&mb_list_mbuf, how, type, 0, NULL);
if (mb != NULL) {
_mbhdr_setup(mb, type);
+#ifdef MAC
+ if (mac_init_mbuf(mb, how) != 0) {
+ mb_free(&mb_list_mbuf, mb, type, 0, NULL);
+ return (NULL);
+ }
+#endif
bzero(mtod(mb, caddr_t), MHLEN);
}
return (mb);
==== //depot/projects/trustedbsd/base/sys/kern/uipc_mbuf.c#8 (text+ko) ====
@@ -31,15 +31,18 @@
* SUCH DAMAGE.
*
* @(#)uipc_mbuf.c 8.2 (Berkeley) 1/4/94
- * $FreeBSD: src/sys/kern/uipc_mbuf.c,v 1.95 2002/07/30 18:28:58 rwatson Exp $
+ * $FreeBSD: src/sys/kern/uipc_mbuf.c,v 1.96 2002/07/31 01:51:34 rwatson Exp $
*/
+#include "opt_mac.h"
#include "opt_param.h"
+
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/kernel.h>
#include <sys/lock.h>
#include <sys/malloc.h>
+#include <sys/mac.h>
#include <sys/mbuf.h>
#include <sys/sysctl.h>
#include <sys/domain.h>
@@ -75,9 +78,17 @@
KASSERT(to->m_flags & M_PKTHDR,
("m_copy_pkthdr() called on non-header"));
#endif
+#ifdef MAC
+ if (to->m_flags & M_PKTHDR)
+ mac_destroy_mbuf(to);
+#endif
to->m_data = to->m_pktdat;
to->m_flags = from->m_flags & M_COPYFLAGS;
to->m_pkthdr = from->m_pkthdr;
+#ifdef MAC
+ mac_init_mbuf(to, 1); /* XXXMAC no way to fail */
+ mac_create_mbuf_from_mbuf(from, to);
+#endif
from->m_pkthdr.aux = NULL;
}
@@ -98,6 +109,9 @@
}
if (m->m_flags & M_PKTHDR) {
M_COPY_PKTHDR(mn, m);
+#ifdef MAC
+ mac_destroy_mbuf(m);
+#endif
m->m_flags &= ~M_PKTHDR;
}
mn->m_next = m;
==== //depot/projects/trustedbsd/base/sys/kern/vfs_mount.c#3 (text+ko) ====
@@ -61,7 +61,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $FreeBSD: src/sys/kern/vfs_mount.c,v 1.78 2002/07/29 06:26:55 jeff Exp $
+ * $FreeBSD: src/sys/kern/vfs_mount.c,v 1.79 2002/07/31 01:11:29 rwatson Exp $
*/
#include <sys/param.h>
@@ -70,6 +70,7 @@
#include <sys/kernel.h>
#include <sys/linker.h>
#include <sys/malloc.h>
+#include <sys/mac.h>
#include <sys/mount.h>
#include <sys/mutex.h>
#include <sys/namei.h>
@@ -86,6 +87,7 @@
#include "opt_rootdevname.h"
#include "opt_ddb.h"
+#include "opt_mac.h"
#ifdef DDB
#include <ddb/ddb.h>
@@ -643,8 +645,12 @@
mp->mnt_stat.f_owner = td->td_ucred->cr_uid;
strncpy(mp->mnt_stat.f_mntonname, fspath, MNAMELEN);
mp->mnt_iosize_max = DFLTPHYS;
+#ifdef MAC
+ mac_init_mount(mp);
+ mac_create_mount(td->td_ucred, mp);
+#endif
VOP_UNLOCK(vp, 0, td);
- mp->mnt_optnew = optlist;
+ mp->mnt_optnew = optlist; /* XXXMAC: should this be above? */
update:
/*
@@ -662,6 +668,9 @@
else {
mp->mnt_vfc->vfc_refcount--;
vfs_unbusy(mp, td);
+#ifdef MAC
+ mac_destroy_mount(mp);
+#endif
free(mp, M_MOUNT);
}
vrele(vp);
@@ -752,6 +761,9 @@
mtx_unlock(&vp->v_interlock);
mp->mnt_vfc->vfc_refcount--;
vfs_unbusy(mp, td);
+#ifdef MAC
+ mac_destroy_mount(mp);
+#endif
free(mp, M_MOUNT);
vput(vp);
goto bad;
@@ -999,6 +1011,10 @@
mp->mnt_stat.f_owner = td->td_ucred->cr_uid;
strncpy(mp->mnt_stat.f_mntonname, fspath, MNAMELEN);
mp->mnt_iosize_max = DFLTPHYS;
+#ifdef MAC
+ mac_init_mount(mp);
+ mac_create_mount(td->td_ucred, mp);
+#endif
VOP_UNLOCK(vp, 0, td);
update:
/*
@@ -1016,6 +1032,9 @@
else {
mp->mnt_vfc->vfc_refcount--;
vfs_unbusy(mp, td);
+#ifdef MAC
+ mac_destroy_mount(mp);
+#endif
free(mp, M_MOUNT);
}
vrele(vp);
@@ -1093,6 +1112,9 @@
mtx_unlock(&vp->v_interlock);
mp->mnt_vfc->vfc_refcount--;
vfs_unbusy(mp, td);
+#ifdef MAC
+ mac_destroy_mount(mp);
+#endif
free(mp, M_MOUNT);
vput(vp);
}
@@ -1304,6 +1326,9 @@
vrele(coveredvp);
if (mp->mnt_kern_flag & MNTK_MWAIT)
wakeup(mp);
+#ifdef MAC
+ mac_destroy_mount(mp);
+#endif
if (mp->mnt_op->vfs_mount == NULL)
vfs_freeopts(mp->mnt_opt);
free(mp, M_MOUNT);
@@ -1350,6 +1375,10 @@
mp->mnt_stat.f_mntonname[0] = '/';
mp->mnt_stat.f_mntonname[1] = 0;
(void) copystr(devname, mp->mnt_stat.f_mntfromname, MNAMELEN - 1, 0);
+#ifdef MAC
+ mac_init_mount(mp);
+ mac_create_mount(td->td_ucred, mp);
+#endif
*mpp = mp;
return (0);
}
@@ -1502,6 +1531,9 @@
if (error != 0) {
if (mp != NULL) {
vfs_unbusy(mp, curthread);
+#ifdef MAC
+ mac_destroy_mount(mp);
+#endif
free(mp, M_MOUNT);
}
printf("Root mount failed: %d\n", error);
==== //depot/projects/trustedbsd/base/sys/kern/vfs_subr.c#17 (text+ko) ====
@@ -36,13 +36,14 @@
* SUCH DAMAGE.
*
* @(#)vfs_subr.c 8.31 (Berkeley) 5/26/95
- * $FreeBSD: src/sys/kern/vfs_subr.c,v 1.382 2002/07/29 06:26:55 jeff Exp $
+ * $FreeBSD: src/sys/kern/vfs_subr.c,v 1.384 2002/07/31 02:05:12 rwatson Exp $
*/
/*
* External virtual filesystem routines
*/
#include "opt_ddb.h"
+#include "opt_mac.h"
#include <sys/param.h>
#include <sys/systm.h>
@@ -54,6 +55,7 @@
#include <sys/kernel.h>
#include <sys/kthread.h>
#include <sys/malloc.h>
+#include <sys/mac.h>
#include <sys/mount.h>
#include <sys/namei.h>
#include <sys/stat.h>
@@ -801,6 +803,9 @@
uma_zfree(vnodepoll_zone, vp->v_pollinfo);
}
vp->v_pollinfo = NULL;
+#ifdef MAC
+ mac_destroy_vnode(vp);
+#endif
vp->v_flag = 0;
vp->v_lastw = 0;
vp->v_lasta = 0;
@@ -827,6 +832,9 @@
vp->v_tag = tag;
vp->v_op = vops;
lockinit(&vp->v_lock, PVFS, "vnlock", VLKTIMEOUT, LK_NOPAUSE);
+#ifdef MAC
+ mac_init_vnode(vp);
+#endif
insmntque(vp, mp);
*vpp = vp;
vp->v_usecount = 1;
@@ -3218,7 +3226,7 @@
* vnode's type, "mode", uid and gid, requested access mode, credentials,
* and optional call-by-reference privused argument allowing vaccess()
* to indicate to the caller whether privilege was used to satisfy the
- * request. Returns 0 on success, or an errno on failure.
+ * request (obsoleted). Returns 0 on success, or an errno on failure.
*/
int
vaccess(type, file_mode, file_uid, file_gid, acc_mode, cred, privused)
==== //depot/projects/trustedbsd/base/sys/kern/vfs_syscalls.c#20 (text+ko) ====
@@ -36,11 +36,12 @@
* SUCH DAMAGE.
*
* @(#)vfs_syscalls.c 8.13 (Berkeley) 4/15/94
- * $FreeBSD: src/sys/kern/vfs_syscalls.c,v 1.272 2002/07/30 18:48:25 rwatson Exp $
+ * $FreeBSD: src/sys/kern/vfs_syscalls.c,v 1.273 2002/07/31 01:27:33 rwatson Exp $
*/
/* For 4.3 integer FS ID compatibility */
#include "opt_compat.h"
+#include "opt_mac.h"
#include <sys/param.h>
#include <sys/systm.h>
@@ -48,6 +49,7 @@
#include <sys/buf.h>
#include <sys/sysent.h>
#include <sys/malloc.h>
+#include <sys/mac.h>
#include <sys/mount.h>
#include <sys/mutex.h>
#include <sys/sysproto.h>
@@ -225,6 +227,11 @@
sp = &mp->mnt_stat;
NDFREE(&nd, NDF_ONLY_PNBUF);
vrele(nd.ni_vp);
+#ifdef MAC
+ error = mac_check_mount_stat(td->td_ucred, mp);
+ if (error)
+ return (error);
+#endif
error = VFS_STATFS(mp, sp, td);
if (error)
return (error);
@@ -267,6 +274,11 @@
fdrop(fp, td);
if (mp == NULL)
return (EBADF);
+#ifdef MAC
+ error = mac_check_mount_stat(td->td_ucred, mp);
+ if (error)
+ return (error);
+#endif
sp = &mp->mnt_stat;
error = VFS_STATFS(mp, sp, td);
if (error)
@@ -309,6 +321,12 @@
count = 0;
mtx_lock(&mountlist_mtx);
for (mp = TAILQ_FIRST(&mountlist); mp != NULL; mp = nmp) {
+#ifdef MAC
+ if (mac_check_mount_stat(td->td_ucred, mp) != 0) {
+ nmp = TAILQ_NEXT(mp, mnt_list);
+ continue;
+ }
+#endif
if (vfs_busy(mp, LK_NOWAIT, &mountlist_mtx, td)) {
nmp = TAILQ_NEXT(mp, mnt_list);
continue;
@@ -3415,6 +3433,11 @@
mp = vp->v_mount;
sp = &mp->mnt_stat;
vput(vp);
+#ifdef MAC
+ error = mac_check_mount_stat(td->td_ucred, mp);
+ if (error)
+ return (error);
+#endif
if ((error = VFS_STATFS(mp, sp, td)) != 0)
return (error);
sp->f_flags = mp->mnt_flag & MNT_VISFLAGMASK;
To Unsubscribe: send mail to majordomo at trustedbsd.org
with "unsubscribe trustedbsd-cvs" in the body of the message
More information about the trustedbsd-cvs
mailing list