PERFORCE change 18733 for review

Robert Watson rwatson at freebsd.org
Sat Oct 5 17:09:19 GMT 2002 

http://people.freebsd.org/~peter/p4db/chv.cgi?CH=18733

Change 18733 by rwatson at rwatson_tislabs on 2002/10/05 10:09:12

	Integ 5.0-CURRENT into TrustedBSD base: look back a lot of MAC
	cosmetic changes to sync the trees--also, GEOM is now default
	unless NO_GEOM is specified.

Affected files ...

.. //depot/projects/trustedbsd/base/sys/alpha/conf/GENERIC#15 integrate
.. //depot/projects/trustedbsd/base/sys/alpha/conf/SIMOS#5 integrate
.. //depot/projects/trustedbsd/base/sys/conf/NOTES#17 integrate
.. //depot/projects/trustedbsd/base/sys/conf/files#37 integrate
.. //depot/projects/trustedbsd/base/sys/conf/files.alpha#11 integrate
.. //depot/projects/trustedbsd/base/sys/conf/files.i386#19 integrate
.. //depot/projects/trustedbsd/base/sys/conf/files.ia64#10 integrate
.. //depot/projects/trustedbsd/base/sys/conf/files.pc98#17 integrate
.. //depot/projects/trustedbsd/base/sys/conf/files.sparc64#16 integrate
.. //depot/projects/trustedbsd/base/sys/conf/options#20 integrate
.. //depot/projects/trustedbsd/base/sys/dev/mcd/mcd.c#2 integrate
.. //depot/projects/trustedbsd/base/sys/dev/mcd/mcd_isa.c#2 integrate
.. //depot/projects/trustedbsd/base/sys/geom/geom_disk.c#10 integrate
.. //depot/projects/trustedbsd/base/sys/i386/conf/GENERIC#22 integrate
.. //depot/projects/trustedbsd/base/sys/i386/conf/OLDCARD#6 integrate
.. //depot/projects/trustedbsd/base/sys/i386/isa/scd.c#7 integrate
.. //depot/projects/trustedbsd/base/sys/ia64/conf/GENERIC#13 integrate
.. //depot/projects/trustedbsd/base/sys/ia64/conf/SKI#6 integrate
.. //depot/projects/trustedbsd/base/sys/kern/kern_mac.c#14 integrate
.. //depot/projects/trustedbsd/base/sys/kern/subr_disk.c#8 integrate
.. //depot/projects/trustedbsd/base/sys/pc98/conf/GENERIC#16 integrate
.. //depot/projects/trustedbsd/base/sys/pc98/pc98/wd.c#3 integrate
.. //depot/projects/trustedbsd/base/sys/pc98/pc98/wd_cd.c#4 integrate
.. //depot/projects/trustedbsd/base/sys/powerpc/conf/GENERIC#10 integrate
.. //depot/projects/trustedbsd/base/sys/sparc64/conf/GENERIC#19 integrate

Differences ...

==== //depot/projects/trustedbsd/base/sys/alpha/conf/GENERIC#15 (text+ko) ====

@@ -18,7 +18,7 @@
 #
 # For hardware specific information check HARDWARE.TXT
 #
-# $FreeBSD: src/sys/alpha/conf/GENERIC,v 1.150 2002/08/20 00:10:19 peter Exp $
+# $FreeBSD: src/sys/alpha/conf/GENERIC,v 1.151 2002/10/05 16:35:20 phk Exp $
 
 machine		alpha
 cpu		EV4
@@ -31,6 +31,8 @@
 
 makeoptions	DEBUG=-g		#Build kernel with gdb(1) debug symbols
 
+options		NO_GEOM
+
 # Platforms supported
 options 	API_UP1000		# UP1000, UP1100 (Nautilus)
 options 	DEC_AXPPCI_33		# UDB, Multia, AXPpci33, NoName

==== //depot/projects/trustedbsd/base/sys/alpha/conf/SIMOS#5 (text+ko) ====

@@ -11,13 +11,15 @@
 # device lines is present in the ./NOTES file. If you are in doubt as
 # to the purpose or necessity of a line, check first in NOTES.
 #
-# $FreeBSD: src/sys/alpha/conf/SIMOS,v 1.22 2002/07/23 06:36:23 peter Exp $
+# $FreeBSD: src/sys/alpha/conf/SIMOS,v 1.23 2002/10/05 16:35:21 phk Exp $
 
 machine		alpha
 cpu		EV5
 ident		SIMOS
 maxusers	10
 
+options		NO_GEOM
+
 options 	DEC_KN8AE
 options 	SIMOS
 options 	INET			#InterNETworking

==== //depot/projects/trustedbsd/base/sys/conf/NOTES#17 (text+ko) ====

@@ -1,4 +1,4 @@
-# $FreeBSD: src/sys/conf/NOTES,v 1.1088 2002/10/04 20:42:31 sam Exp $
+# $FreeBSD: src/sys/conf/NOTES,v 1.1089 2002/10/05 16:35:25 phk Exp $
 #
 # NOTES -- Lines that can be cut/pasted into kernel and hints configs.
 #
@@ -114,8 +114,12 @@
 #
 options 	INCLUDE_CONFIG_FILE     # Include this file in kernel
 
-options 	GEOM			# Use the GEOMetry system for
-					# disk-I/O transformations.
+options 	GEOM_AES
+options 	GEOM_BSD
+options 	GEOM_GPT
+options 	GEOM_MBR
+options 	GEOM_PC98
+options 	GEOM_SUNLABEL
 
 #
 # The root device and filesystem type can be compiled in;

==== //depot/projects/trustedbsd/base/sys/conf/files#37 (text+ko) ====

@@ -1,4 +1,4 @@
-# $FreeBSD: src/sys/conf/files,v 1.712 2002/10/05 02:00:57 iwasaki Exp $
+# $FreeBSD: src/sys/conf/files,v 1.713 2002/10/05 16:35:26 phk Exp $
 #
 # The long compile-with and dependency lines are required because of
 # limitations in config: backslash-newline doesn't work in strings, and
@@ -458,8 +458,8 @@
 dev/nsp/nsp_pccard.c	optional nsp card
 #dev/nsp/nsp_pccard.c	optional nsp pccard
 dev/mca/mca_bus.c	optional mca
-dev/mcd/mcd.c		optional mcd isa
-dev/mcd/mcd_isa.c	optional mcd isa
+dev/mcd/mcd.c		optional mcd isa nowerror
+dev/mcd/mcd_isa.c	optional mcd isa nowerror
 dev/md/md.c		optional md
 dev/mii/amphy.c		optional miibus
 dev/mii/bmtphy.c	optional miibus
@@ -787,21 +787,21 @@
 fs/unionfs/union_subr.c	optional unionfs
 fs/unionfs/union_vfsops.c	optional unionfs
 fs/unionfs/union_vnops.c	optional unionfs
-geom/geom_aes.c	optional geom
-geom/geom_bsd.c	optional geom
-geom/geom_dev.c	optional geom
-geom/geom_disk.c	optional geom
-geom/geom_dump.c	optional geom
-geom/geom_enc.c	optional geom
-geom/geom_event.c	optional geom
-geom/geom_gpt.c	optional geom
-geom/geom_io.c	optional geom
-geom/geom_kern.c	optional geom
-geom/geom_mbr.c	optional geom
-geom/geom_pc98.c	optional geom
-geom/geom_slice.c	optional geom
-geom/geom_subr.c	optional geom
-geom/geom_sunlabel.c	optional geom
+geom/geom_aes.c		optional geom_aes
+geom/geom_bsd.c		optional geom_bsd
+geom/geom_dev.c		standard
+geom/geom_disk.c	standard
+geom/geom_dump.c	standard
+geom/geom_enc.c		standard
+geom/geom_event.c	standard
+geom/geom_gpt.c		optional geom_gpt
+geom/geom_io.c		standard
+geom/geom_kern.c	standard
+geom/geom_mbr.c		optional geom_mbr
+geom/geom_pc98.c	optional geom_pc98
+geom/geom_slice.c	standard
+geom/geom_subr.c	standard
+geom/geom_sunlabel.c	optional geom_sunlabel
 crypto/rijndael/rijndael-alg-fst.c	optional geom
 crypto/rijndael/rijndael-api-fst.c	optional geom
 gnu/ext2fs/ext2_alloc.c		optional ext2fs \

==== //depot/projects/trustedbsd/base/sys/conf/files.alpha#11 (text+ko) ====

@@ -1,7 +1,7 @@
 # This file tells config what files go into building a kernel,
 # files marked standard are always included.
 #
-# $FreeBSD: src/sys/conf/files.alpha,v 1.94 2002/10/04 20:42:33 sam Exp $
+# $FreeBSD: src/sys/conf/files.alpha,v 1.95 2002/10/05 16:35:26 phk Exp $
 #
 # The long compile-with and dependency lines are required because of
 # limitations in config: backslash-newline doesn't work in strings, and
@@ -193,6 +193,7 @@
 dev/syscons/scvtb.c		optional	sc
 dev/syscons/syscons.c		optional	sc
 dev/syscons/sysmouse.c		optional	sc
+geom/geom_bsd.c			standard
 isa/atkbd_isa.c			optional	atkbd
 isa/atkbdc_isa.c		optional	atkbdc
 isa/fd.c			optional	fdc

==== //depot/projects/trustedbsd/base/sys/conf/files.i386#19 (text+ko) ====

@@ -1,7 +1,7 @@
 # This file tells config what files go into building a kernel,
 # files marked standard are always included.
 #
-# $FreeBSD: src/sys/conf/files.i386,v 1.422 2002/10/04 20:42:33 sam Exp $
+# $FreeBSD: src/sys/conf/files.i386,v 1.423 2002/10/05 16:35:26 phk Exp $
 #
 # The long compile-with and dependency lines are required because of
 # limitations in config: backslash-newline doesn't work in strings, and
@@ -146,6 +146,8 @@
 dev/syscons/scvtb.c		optional	sc
 dev/syscons/syscons.c		optional	sc
 dev/syscons/sysmouse.c		optional	sc
+geom/geom_bsd.c			standard
+geom/geom_mbr.c			standard
 gnu/i386/fpemul/div_small.s	optional	gpl_math_emulate \
 	warning "kernel contains GPL contaminated math emulator"
 gnu/i386/fpemul/errors.c	optional	gpl_math_emulate
@@ -285,7 +287,7 @@
 i386/isa/pmtimer.c		optional	pmtimer
 i386/isa/prof_machdep.c		optional	profiling-routine
 i386/isa/rc.c			count		rc
-i386/isa/scd.c			count		scd
+i386/isa/scd.c			count		scd nowerror
 i386/isa/spic.c			optional	spic
 i386/isa/spigot.c		count		spigot
 i386/isa/spkr.c			optional	speaker

==== //depot/projects/trustedbsd/base/sys/conf/files.ia64#10 (text+ko) ====

@@ -1,7 +1,7 @@
 # This file tells config what files go into building a kernel,
 # files marked standard are always included.
 #
-# $FreeBSD: src/sys/conf/files.ia64,v 1.37 2002/10/04 20:42:33 sam Exp $
+# $FreeBSD: src/sys/conf/files.ia64,v 1.38 2002/10/05 16:35:26 phk Exp $
 #
 # The long compile-with and dependency lines are required because of
 # limitations in config: backslash-newline doesn't work in strings, and
@@ -99,6 +99,7 @@
 dev/syscons/scvtb.c		optional	sc
 dev/syscons/syscons.c		optional	sc
 dev/syscons/sysmouse.c		optional	sc
+geom/geom_gpt.c			standard
 isa/atkbd_isa.c			optional	atkbd
 isa/atkbdc_isa.c		optional	atkbdc
 isa/fd.c			optional	fdc

==== //depot/projects/trustedbsd/base/sys/conf/files.pc98#17 (text+ko) ====

@@ -3,7 +3,7 @@
 #
 # modified for PC-9801
 #
-# $FreeBSD: src/sys/conf/files.pc98,v 1.249 2002/10/04 20:42:33 sam Exp $
+# $FreeBSD: src/sys/conf/files.pc98,v 1.250 2002/10/05 16:35:26 phk Exp $
 #
 # The long compile-with and dependency lines are required because of
 # limitations in config: backslash-newline doesn't work in strings, and
@@ -135,6 +135,9 @@
 dev/syscons/scterm-dumb.c	optional	sc
 dev/syscons/scvidctl.c		optional	sc
 dev/syscons/sysmouse.c		optional	sc
+geom/geom_mbr.c			standard
+geom/geom_bsd.c			standard
+geom/geom_pc98.c		standard
 gnu/i386/fpemul/div_small.s	optional	gpl_math_emulate \
 	warning "kernel contains GPL contaminated math emulator"
 gnu/i386/fpemul/errors.c	optional	gpl_math_emulate

==== //depot/projects/trustedbsd/base/sys/conf/files.sparc64#16 (text+ko) ====

@@ -1,7 +1,7 @@
 # This file tells config what files go into building a kernel,
 # files marked standard are always included.
 #
-# $FreeBSD: src/sys/conf/files.sparc64,v 1.31 2002/10/04 20:42:33 sam Exp $
+# $FreeBSD: src/sys/conf/files.sparc64,v 1.32 2002/10/05 16:35:26 phk Exp $
 #
 # The long compile-with and dependency lines are required because of
 # limitations in config: backslash-newline doesn't work in strings, and
@@ -16,6 +16,8 @@
 dev/ofw/openfirm.c		standard
 dev/sio/sio.c			optional	sio
 dev/sio/sio_isa.c		optional	sio isa
+geom/geom_bsd.c			standard
+geom/geom_sunlabel.c		standard
 libkern/ffs.c			standard
 kern/subr_diskmbr.c		standard
 kern/syscalls.c			optional	ktr

==== //depot/projects/trustedbsd/base/sys/conf/options#20 (text+ko) ====

@@ -1,4 +1,4 @@
-# $FreeBSD: src/sys/conf/options,v 1.354 2002/10/02 07:44:15 scottl Exp $
+# $FreeBSD: src/sys/conf/options,v 1.355 2002/10/05 16:35:26 phk Exp $
 #
 #        On the handling of kernel options
 #
@@ -86,7 +86,13 @@
 DDB_UNATTENDED
 GDB_REMOTE_CHAT	opt_ddb.h
 GDBSPEED	opt_ddb.h
-GEOM
+NO_GEOM		opt_geom.h
+GEOM_AES	opt_geom.h
+GEOM_BSD	opt_geom.h
+GEOM_GPT	opt_geom.h
+GEOM_MBR	opt_geom.h
+GEOM_PC98	opt_geom.h
+GEOM_SUNLABEL	opt_geom.h
 HW_WDOG
 KSTACK_PAGES
 KSTACK_MAX_PAGES

==== //depot/projects/trustedbsd/base/sys/dev/mcd/mcd.c#2 (text+ko) ====

@@ -1,5 +1,7 @@
 #include "opt_geom.h"
-#ifndef GEOM
+#ifndef NO_GEOM
+#warning "The mcd driver is currently not compatible with GEOM"
+#else
 /*
  * Copyright 1993 by Holger Veit (data part)
  * Copyright 1993 by Brian Moore (audio part)
@@ -42,7 +44,7 @@
  * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  *
- * $FreeBSD: src/sys/dev/mcd/mcd.c,v 1.129 2002/10/04 07:14:13 mdodd Exp $
+ * $FreeBSD: src/sys/dev/mcd/mcd.c,v 1.130 2002/10/05 16:35:27 phk Exp $
  */
 static const char COPYRIGHT[] = "mcd-driver (C)1993 by H.Veit & B.Moore";
 

==== //depot/projects/trustedbsd/base/sys/dev/mcd/mcd_isa.c#2 (text+ko) ====

@@ -1,7 +1,10 @@
 /*
- * $FreeBSD: src/sys/dev/mcd/mcd_isa.c,v 1.1 2002/10/04 07:14:13 mdodd Exp $
+ * $FreeBSD: src/sys/dev/mcd/mcd_isa.c,v 1.2 2002/10/05 16:35:29 phk Exp $
  */
 
+#include "opt_geom.h"
+#ifdef NO_GEOM
+
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/kernel.h>
@@ -209,3 +212,5 @@
 static devclass_t	mcd_devclass;
 
 DRIVER_MODULE(mcd, isa, mcd_isa_driver, mcd_devclass, NULL, 0);
+
+#endif /* GEOM */

==== //depot/projects/trustedbsd/base/sys/geom/geom_disk.c#10 (text+ko) ====

@@ -32,9 +32,12 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $FreeBSD: src/sys/geom/geom_disk.c,v 1.20 2002/10/04 10:15:26 phk Exp $
+ * $FreeBSD: src/sys/geom/geom_disk.c,v 1.21 2002/10/05 16:35:29 phk Exp $
  */
 
+#include "opt_geom.h"
+#ifndef NO_GEOM
+
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/kernel.h>
@@ -263,15 +266,6 @@
 {
 }
 
-SYSCTL_INT(_debug_sizeof, OID_AUTO, disklabel, CTLFLAG_RD,
-    0, sizeof(struct disklabel), "sizeof(struct disklabel)");
-
-SYSCTL_INT(_debug_sizeof, OID_AUTO, diskslices, CTLFLAG_RD,
-    0, sizeof(struct diskslices), "sizeof(struct diskslices)");
-
-SYSCTL_INT(_debug_sizeof, OID_AUTO, disk, CTLFLAG_RD,
-    0, sizeof(struct disk), "sizeof(struct disk)");
-
 static void
 g_kern_disks(void *p)
 {
@@ -309,3 +303,5 @@
  
 SYSCTL_PROC(_kern, OID_AUTO, disks, CTLTYPE_STRING | CTLFLAG_RD | CTLFLAG_NOLOCK, 0, 0, 
     sysctl_disks, "A", "names of available disks");
+
+#endif

==== //depot/projects/trustedbsd/base/sys/i386/conf/GENERIC#22 (text+ko) ====

@@ -16,7 +16,7 @@
 # If you are in doubt as to the purpose or necessity of a line, check first 
 # in NOTES.
 #
-# $FreeBSD: src/sys/i386/conf/GENERIC,v 1.365 2002/09/27 19:09:21 sos Exp $
+# $FreeBSD: src/sys/i386/conf/GENERIC,v 1.366 2002/10/05 16:35:30 phk Exp $
 
 machine		i386
 cpu		I486_CPU
@@ -30,6 +30,8 @@
 
 makeoptions	DEBUG=-g		#Build kernel with gdb(1) debug symbols
 
+options		NO_GEOM
+
 options 	INET			#InterNETworking
 options 	INET6			#IPv6 communications protocols
 options 	FFS			#Berkeley Fast Filesystem

==== //depot/projects/trustedbsd/base/sys/i386/conf/OLDCARD#6 (text+ko) ====

@@ -17,7 +17,7 @@
 # If you are in doubt as to the purpose or necessity of a line, check first 
 # in NOTES.
 #
-# $FreeBSD: src/sys/i386/conf/OLDCARD,v 1.10 2002/08/20 04:36:31 kuriyama Exp $
+# $FreeBSD: src/sys/i386/conf/OLDCARD,v 1.11 2002/10/05 16:35:30 phk Exp $
 
 machine		i386
 cpu		I486_CPU
@@ -31,6 +31,8 @@
 
 makeoptions	DEBUG=-g		#Build kernel with gdb(1) debug symbols
 
+options		NO_GEOM
+
 options 	INET			#InterNETworking
 options 	INET6			#IPv6 communications protocols
 options 	FFS			#Berkeley Fast Filesystem

==== //depot/projects/trustedbsd/base/sys/i386/isa/scd.c#7 (text+ko) ====

@@ -1,5 +1,7 @@
 #include "opt_geom.h"
-#ifndef GEOM
+#ifndef NO_GEOM
+#warning "The scd driver is currently incompatible with GEOM"
+#else
 /*-
  * Copyright (c) 1995 Mikael Hybsch
  * All rights reserved.
@@ -43,7 +45,7 @@
  */
 
 
-/* $FreeBSD: src/sys/i386/isa/scd.c,v 1.68 2002/10/04 08:33:10 mdodd Exp $ */
+/* $FreeBSD: src/sys/i386/isa/scd.c,v 1.69 2002/10/05 16:35:31 phk Exp $ */
 
 /* Please send any comments to micke at dynas.se */
 

==== //depot/projects/trustedbsd/base/sys/ia64/conf/GENERIC#13 (text+ko) ====

@@ -18,7 +18,7 @@
 #
 # For hardware specific information check HARDWARE.TXT
 #
-# $FreeBSD: src/sys/ia64/conf/GENERIC,v 1.37 2002/09/09 02:40:59 kuriyama Exp $
+# $FreeBSD: src/sys/ia64/conf/GENERIC,v 1.38 2002/10/05 16:35:31 phk Exp $
 
 machine		ia64
 cpu		ITANIUM
@@ -31,6 +31,8 @@
 makeoptions	DEBUG=-g		#Build kernel with gdb(1) debug symbols
 makeoptions	NO_CPU_COPTFLAGS=true	#Ignore any x86 CPUTYPE
 
+options		NO_GEOM
+
 #options 	SKI			#Support for HP simulator
 options 	INET			#InterNETworking
 options 	INET6			#IPv6 communications protocols

==== //depot/projects/trustedbsd/base/sys/ia64/conf/SKI#6 (text+ko) ====

@@ -20,7 +20,7 @@
 #
 # For hardware specific information check HARDWARE.TXT
 #
-# $FreeBSD: src/sys/ia64/conf/SKI,v 1.6 2002/09/09 02:40:59 kuriyama Exp $
+# $FreeBSD: src/sys/ia64/conf/SKI,v 1.7 2002/10/05 16:35:31 phk Exp $
 
 machine		ia64
 cpu		ITANIUM
@@ -33,6 +33,8 @@
 makeoptions	DEBUG=-g		#Build kernel with gdb(1) debug symbols
 makeoptions	NO_CPU_COPTFLAGS=true	#Ignore any x86 CPUTYPE
 
+options		NO_GEOM
+
 options 	SKI			#Support for HP simulator
 options 	INET			#InterNETworking
 #options 	INET6			#IPv6 communications protocols

==== //depot/projects/trustedbsd/base/sys/kern/kern_mac.c#14 (text+ko) ====

@@ -36,7 +36,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $FreeBSD: src/sys/kern/kern_mac.c,v 1.28 2002/10/05 15:09:57 rwatson Exp $
+ * $FreeBSD: src/sys/kern/kern_mac.c,v 1.33 2002/10/05 16:57:16 rwatson Exp $
  */
 /*
  * Developed by the TrustedBSD Project.
@@ -98,6 +98,7 @@
 
 SYSCTL_NODE(_security, OID_AUTO, mac, CTLFLAG_RW, 0,
     "TrustedBSD MAC policy controls");
+
 #ifndef MAC_MAX_POLICIES
 #define	MAC_MAX_POLICIES	8
 #endif
@@ -178,30 +179,34 @@
 TUNABLE_INT("security.mac.debug_label_fallback",
     &mac_debug_label_fallback);
 
+SYSCTL_NODE(_security_mac_debug, OID_AUTO, counters, CTLFLAG_RW, 0,
+    "TrustedBSD MAC object counters");
+
 static unsigned int nmacmbufs, nmaccreds, nmacifnets, nmacbpfdescs,
     nmacsockets, nmacmounts, nmactemp, nmacvnodes, nmacdevfsdirents,
     nmacipqs, nmacpipes;
-SYSCTL_UINT(_security_mac_debug, OID_AUTO, mbufs, CTLFLAG_RD,
+
+SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, mbufs, CTLFLAG_RD,
     &nmacmbufs, 0, "number of mbufs in use");
-SYSCTL_UINT(_security_mac_debug, OID_AUTO, creds, CTLFLAG_RD,
+SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, creds, CTLFLAG_RD,
     &nmaccreds, 0, "number of ucreds in use");
-SYSCTL_UINT(_security_mac_debug, OID_AUTO, ifnets, CTLFLAG_RD,
+SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, ifnets, CTLFLAG_RD,
     &nmacifnets, 0, "number of ifnets in use");
-SYSCTL_UINT(_security_mac_debug, OID_AUTO, ipqs, CTLFLAG_RD,
+SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, ipqs, CTLFLAG_RD,
     &nmacipqs, 0, "number of ipqs in use");
-SYSCTL_UINT(_security_mac_debug, OID_AUTO, bpfdescs, CTLFLAG_RD,
+SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, bpfdescs, CTLFLAG_RD,
     &nmacbpfdescs, 0, "number of bpfdescs in use");
-SYSCTL_UINT(_security_mac_debug, OID_AUTO, sockets, CTLFLAG_RD,
+SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, sockets, CTLFLAG_RD,
     &nmacsockets, 0, "number of sockets in use");
-SYSCTL_UINT(_security_mac_debug, OID_AUTO, pipes, CTLFLAG_RD,
+SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, pipes, CTLFLAG_RD,
     &nmacpipes, 0, "number of pipes in use");
-SYSCTL_UINT(_security_mac_debug, OID_AUTO, mounts, CTLFLAG_RD,
+SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, mounts, CTLFLAG_RD,
     &nmacmounts, 0, "number of mounts in use");
-SYSCTL_UINT(_security_mac_debug, OID_AUTO, temp, CTLFLAG_RD,
+SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, temp, CTLFLAG_RD,
     &nmactemp, 0, "number of temporary labels in use");
-SYSCTL_UINT(_security_mac_debug, OID_AUTO, vnodes, CTLFLAG_RD,
+SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, vnodes, CTLFLAG_RD,
     &nmacvnodes, 0, "number of vnodes in use");
-SYSCTL_UINT(_security_mac_debug, OID_AUTO, devfsdirents, CTLFLAG_RD,
+SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, devfsdirents, CTLFLAG_RD,
     &nmacdevfsdirents, 0, "number of devfs dirents inuse");
 #endif
 
@@ -659,10 +664,12 @@
 			    mpe->mpe_function;
 			break;
 		case MAC_CREATE_PROC0:
-			mpc->mpc_ops->mpo_create_proc0 = mpe->mpe_function;
+			mpc->mpc_ops->mpo_create_proc0 =
+			    mpe->mpe_function;
 			break;
 		case MAC_CREATE_PROC1:
-			mpc->mpc_ops->mpo_create_proc1 = mpe->mpe_function;
+			mpc->mpc_ops->mpo_create_proc1 =
+			    mpe->mpe_function;
 			break;
 		case MAC_RELABEL_CRED:
 			mpc->mpc_ops->mpo_relabel_cred =
@@ -921,16 +928,38 @@
 mac_policy_unregister(struct mac_policy_conf *mpc)
 {
 
+	/*
+	 * If we fail the load, we may get a request to unload.  Check
+	 * to see if we did the run-time registration, and if not,
+	 * silently succeed.
+	 */
+	MAC_POLICY_LIST_LOCK();
+	if ((mpc->mpc_runtime_flags & MPC_RUNTIME_FLAG_REGISTERED) == 0) {
+		MAC_POLICY_LIST_UNLOCK();
+		return (0);
+	}
 #if 0
 	/*
 	 * Don't allow unloading modules with private data.
 	 */
-	if (mpc->mpc_field_off != NULL)
+	if (mpc->mpc_field_off != NULL) {
+		MAC_POLICY_LIST_UNLOCK();
 		return (EBUSY);
+	}
 #endif
-	if ((mpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_UNLOADOK) == 0)
+	/*
+	 * Only allow the unload to proceed if the module is unloadable
+	 * by its own definition.
+	 */
+	if ((mpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_UNLOADOK) == 0) {
+		MAC_POLICY_LIST_UNLOCK();
 		return (EBUSY);
-	MAC_POLICY_LIST_LOCK();
+	}
+	/*
+	 * Right now, we EBUSY if the list is in use.  In the future,
+	 * for reliability reasons, we might want to sleep and wakeup
+	 * later to try again.
+	 */
 	if (mac_policy_list_busy > 0) {
 		MAC_POLICY_LIST_UNLOCK();
 		return (EBUSY);
@@ -987,291 +1016,6 @@
 	return (error2);
 }
 
-void
-mac_update_devfsdirent(struct devfs_dirent *de, struct vnode *vp)
-{
-
-	MAC_PERFORM(update_devfsdirent, de, &de->de_label, vp, &vp->v_label);
-}
-
-void
-mac_update_procfsvnode(struct vnode *vp, struct ucred *cred)
-{
-
-	MAC_PERFORM(update_procfsvnode, vp, &vp->v_label, cred);
-}
-
-/*
- * Support callout for policies that manage their own externalization
- * using extended attributes.
- */
-static int
-mac_update_vnode_from_extattr(struct vnode *vp, struct mount *mp)
-{
-	int error;
-
-	MAC_CHECK(update_vnode_from_extattr, vp, &vp->v_label, mp,
-	    &mp->mnt_fslabel);
-
-	return (error);
-}
-
-/*
- * Given an externalized mac label, internalize it and stamp it on a
- * vnode.
- */
-static int
-mac_update_vnode_from_externalized(struct vnode *vp, struct mac *extmac)
-{
-	int error;
-
-	MAC_CHECK(update_vnode_from_externalized, vp, &vp->v_label, extmac);
-
-	return (error);
-}
-
-/*
- * Call out to individual policies to update the label in a vnode from
- * the mountpoint.
- */
-void
-mac_update_vnode_from_mount(struct vnode *vp, struct mount *mp)
-{
-
-	MAC_PERFORM(update_vnode_from_mount, vp, &vp->v_label, mp,
-	    &mp->mnt_fslabel);
-
-	ASSERT_VOP_LOCKED(vp, "mac_update_vnode_from_mount");
-	if (mac_cache_fslabel_in_vnode)
-		vp->v_vflag |= VV_CACHEDLABEL;
-}
-
-/*
- * Implementation of VOP_REFRESHLABEL() that relies on extended attributes
- * to store label data.  Can be referenced by filesystems supporting
- * extended attributes.
- */
-int
-vop_stdrefreshlabel_ea(struct vop_refreshlabel_args *ap)
-{
-	struct vnode *vp = ap->a_vp;
-	struct mac extmac;
-	int buflen, error;
-
-	ASSERT_VOP_LOCKED(vp, "vop_stdrefreshlabel_ea");
-
-	/*
-	 * Call out to external policies first.  Order doesn't really
-	 * matter, as long as failure of one assures failure of all.
-	 */
-	error = mac_update_vnode_from_extattr(vp, vp->v_mount);
-	if (error)
-		return (error);
-
-	buflen = sizeof(extmac);
-	error = vn_extattr_get(vp, IO_NODELOCKED,
-	    FREEBSD_MAC_EXTATTR_NAMESPACE, FREEBSD_MAC_EXTATTR_NAME, &buflen,
-	    (char *)&extmac, curthread);
-	switch (error) {
-	case 0:
-		/* Got it */
-		break;
-
-	case ENOATTR:
-		/*
-		 * Use the label from the mount point.
-		 */
-		mac_update_vnode_from_mount(vp, vp->v_mount);
-		return (0);
-
-	case EOPNOTSUPP:
-	default:
-		/* Fail horribly. */
-		return (error);
-	}
-
-	if (buflen != sizeof(extmac))
-		error = EPERM;		/* Fail very closed. */
-	if (error == 0)
-		error = mac_update_vnode_from_externalized(vp, &extmac);
-	if (error == 0)
-		vp->v_vflag |= VV_CACHEDLABEL;
-	else {
-		struct vattr va;
-
-		printf("Corrupted label on %s",
-		    vp->v_mount->mnt_stat.f_mntonname);
-		if (VOP_GETATTR(vp, &va, curthread->td_ucred, curthread) == 0)
-			printf(" inum %ld", va.va_fileid);
-#ifdef MAC_DEBUG
-		if (mac_debug_label_fallback) {
-			printf(", falling back.\n");
-			mac_update_vnode_from_mount(vp, vp->v_mount);
-			error = 0;
-		} else {
-#endif
-			printf(".\n");
-			error = EPERM;
-#ifdef MAC_DEBUG
-		}
-#endif
-	}
-
-	return (error);
-}
-
-/*
- * Make sure the vnode label is up-to-date.  If EOPNOTSUPP, then we handle
- * the labeling activity outselves.  Filesystems should be careful not
- * to change their minds regarding whether they support vop_refreshlabel()
- * for a vnode or not.  Don't cache the vnode here, allow the file
- * system code to determine if it's safe to cache.  If we update from
- * the mount, don't cache since a change to the mount label should affect
- * all vnodes.
- */
-static int
-vn_refreshlabel(struct vnode *vp, struct ucred *cred)
-{
-	int error;
-
-	ASSERT_VOP_LOCKED(vp, "vn_refreshlabel");
-
-	if (vp->v_mount == NULL) {
-/*
-		Eventually, we probably want to special-case refreshing
-		of deadfs vnodes, and if there's a lock-free race somewhere,
-		that case might be handled here.
-
-		mac_update_vnode_deadfs(vp);
-		return (0);
- */
-		/* printf("vn_refreshlabel: null v_mount\n"); */
-		if (vp->v_type != VNON)
-			printf(
-			    "vn_refreshlabel: null v_mount with non-VNON\n");
-		return (EBADF);
-	}
-
-	if (vp->v_vflag & VV_CACHEDLABEL) {
-		mac_vnode_label_cache_hits++;
-		return (0);
-	} else
-		mac_vnode_label_cache_misses++;
-
-	if ((vp->v_mount->mnt_flag & MNT_MULTILABEL) == 0) {
-		mac_update_vnode_from_mount(vp, vp->v_mount);
-		return (0);
-	}
-
-	error = VOP_REFRESHLABEL(vp, cred, curthread);
-	switch (error) {
-	case EOPNOTSUPP:
-		/*
-		 * If labels are not supported on this vnode, fall back to
-		 * the label in the mount and propagate it to the vnode.
-		 * There should probably be some sort of policy/flag/decision
-		 * about doing this.
-		 */
-		mac_update_vnode_from_mount(vp, vp->v_mount);
-		error = 0;
-	default:
-		return (error);
-	}
-}
-
-/*
- * Helper function for file systems using the vop_std*_ea() calls.  This
- * function must be called after EA service is available for the vnode,
- * but before it's hooked up to the namespace so that the node persists
- * if there's a crash, or before it can be accessed.  On successful
- * commit of the label to disk (etc), do cache the label.
- */
-int
-vop_stdcreatevnode_ea(struct vnode *dvp, struct vnode *tvp, struct ucred *cred)
-{
-	struct mac extmac;
-	int error;
-
-	ASSERT_VOP_LOCKED(tvp, "vop_stdcreatevnode_ea");
-	if ((dvp->v_mount->mnt_flag & MNT_MULTILABEL) == 0) {
-		mac_update_vnode_from_mount(tvp, tvp->v_mount);
-	} else {
-		error = vn_refreshlabel(dvp, cred);
-		if (error)
-			return (error);
-
-		/*
-		 * Stick the label in the vnode.  Then try to write to
-		 * disk.  If we fail, return a failure to abort the
-		 * create operation.  Really, this failure shouldn't
-		 * happen except in fairly unusual circumstances (out
-		 * of disk, etc).
-		 */
-		mac_create_vnode(cred, dvp, tvp);
-
-		error = mac_stdcreatevnode_ea(tvp);
-		if (error)
-			return (error);
-
-		/*
-		 * XXX: Eventually this will go away and all policies will
-		 * directly manage their extended attributes.
-		 */
-		error = mac_externalize(&tvp->v_label, &extmac);
-		if (error)
-			return (error);
-
-		error = vn_extattr_set(tvp, IO_NODELOCKED,
-		    FREEBSD_MAC_EXTATTR_NAMESPACE, FREEBSD_MAC_EXTATTR_NAME,
-		    sizeof(extmac), (char *)&extmac, curthread);
-		if (error == 0)
-			tvp->v_vflag |= VV_CACHEDLABEL;
-		else {
-#if 0
-			/*
-			 * In theory, we could have fall-back behavior here.
-			 * It would probably be incorrect.
-			 */
-#endif
-			return (error);
-		}
-	}
-
-	return (0);
-}
-
-void
-mac_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp)
-{
-	int error;
-
-	ASSERT_VOP_LOCKED(vp, "mac_execve_transition");
-
-	error = vn_refreshlabel(vp, old);
-	if (error) {
-		printf("mac_execve_transition: vn_refreshlabel returned %d\n",
-		    error);
-		printf("mac_execve_transition: using old vnode label\n");
-	}
-
-	MAC_PERFORM(execve_transition, old, new, vp, &vp->v_label);
-}
-
-int
-mac_execve_will_transition(struct ucred *old, struct vnode *vp)
-{
-	int error, result;
-
-	error = vn_refreshlabel(vp, old);
-	if (error)
-		return (error);
-
-	result = 0;
-	MAC_BOOLEAN(execve_will_transition, ||, old, vp, &vp->v_label);
-
-	return (result);
-}
-
 static void
 mac_init_label(struct label *label)
 {
@@ -1281,14 +1025,6 @@
 }
 
 static void
-mac_init_structmac(struct mac *mac)
-{
-
-	bzero(mac, sizeof(*mac));
-	mac->m_macflags = MAC_FLAG_INITIALIZED;
-}
-
-static void
 mac_destroy_label(struct label *label)
 {
 
@@ -1299,6 +1035,14 @@
 	/* implicit: label->l_flags &= ~MAC_FLAG_INITIALIZED; */
 }
 
+static void
+mac_init_structmac(struct mac *mac)
+{
+
+	bzero(mac, sizeof(*mac));
+	mac->m_macflags = MAC_FLAG_INITIALIZED;
+}
+
 int
 mac_init_mbuf(struct mbuf *m, int how)
 {
@@ -1622,6 +1366,291 @@
 	MAC_PERFORM(create_cred, parent_cred, child_cred);
 }
 
+void
+mac_update_devfsdirent(struct devfs_dirent *de, struct vnode *vp)
+{
+
+	MAC_PERFORM(update_devfsdirent, de, &de->de_label, vp, &vp->v_label);
+}
+
+void
+mac_update_procfsvnode(struct vnode *vp, struct ucred *cred)
+{
+
+	MAC_PERFORM(update_procfsvnode, vp, &vp->v_label, cred);
+}
+
+/*
+ * Support callout for policies that manage their own externalization
+ * using extended attributes.
+ */
+static int
+mac_update_vnode_from_extattr(struct vnode *vp, struct mount *mp)
+{
+	int error;
+
+	MAC_CHECK(update_vnode_from_extattr, vp, &vp->v_label, mp,
+	    &mp->mnt_fslabel);
+
+	return (error);
+}
+
+/*
+ * Given an externalized mac label, internalize it and stamp it on a
+ * vnode.
+ */
+static int
+mac_update_vnode_from_externalized(struct vnode *vp, struct mac *extmac)
+{
+	int error;
+
+	MAC_CHECK(update_vnode_from_externalized, vp, &vp->v_label, extmac);
+
+	return (error);
+}
+
+/*
+ * Call out to individual policies to update the label in a vnode from
+ * the mountpoint.
+ */
+void
+mac_update_vnode_from_mount(struct vnode *vp, struct mount *mp)
+{
+
+	MAC_PERFORM(update_vnode_from_mount, vp, &vp->v_label, mp,
+	    &mp->mnt_fslabel);
+
+	ASSERT_VOP_LOCKED(vp, "mac_update_vnode_from_mount");
+	if (mac_cache_fslabel_in_vnode)
+		vp->v_vflag |= VV_CACHEDLABEL;
+}
+
+/*
+ * Implementation of VOP_REFRESHLABEL() that relies on extended attributes
+ * to store label data.  Can be referenced by filesystems supporting
+ * extended attributes.
+ */
+int
+vop_stdrefreshlabel_ea(struct vop_refreshlabel_args *ap)
+{
+	struct vnode *vp = ap->a_vp;
+	struct mac extmac;
+	int buflen, error;
+

>>> TRUNCATED FOR MAIL (1000 lines) <<<
To Unsubscribe: send mail to majordomo at trustedbsd.org
with "unsubscribe trustedbsd-cvs" in the body of the message

More information about the trustedbsd-cvs mailing list