PERFORCE change 18750 for review

Robert Watson rwatson at freebsd.org
Sat Oct 5 19:06:53 GMT 2002


http://people.freebsd.org/~peter/p4db/chv.cgi?CH=18750

Change 18750 by rwatson at rwatson_tislabs on 2002/10/05 12:05:57

	Integ 5.0-CURRENT into TrustedBSD base.  Mostly this is loop-back
	MAC changes getting flushed through the main tree, including:
	
	- mac_check_vnode_link()
	- mac_create_devfs_vnode()
	
	Also some code reorg and cleanup.

Affected files ...

.. //depot/projects/trustedbsd/base/etc/MAKEDEV#17 integrate
.. //depot/projects/trustedbsd/base/release/doc/en_US.ISO8859-1/hardware/common/dev.sgml#26 integrate
.. //depot/projects/trustedbsd/base/release/doc/en_US.ISO8859-1/relnotes/common/new.sgml#42 integrate
.. //depot/projects/trustedbsd/base/sys/conf/bsd.kern.mk#2 delete
.. //depot/projects/trustedbsd/base/sys/fs/devfs/devfs_vnops.c#14 integrate
.. //depot/projects/trustedbsd/base/sys/geom/geom_bsd.c#10 integrate
.. //depot/projects/trustedbsd/base/sys/kern/kern_conf.c#10 integrate
.. //depot/projects/trustedbsd/base/sys/kern/kern_mac.c#15 integrate
.. //depot/projects/trustedbsd/base/sys/kern/vfs_syscalls.c#32 integrate
.. //depot/projects/trustedbsd/base/sys/security/mac_biba/mac_biba.c#7 integrate
.. //depot/projects/trustedbsd/base/sys/security/mac_bsdextended/mac_bsdextended.c#3 integrate
.. //depot/projects/trustedbsd/base/sys/security/mac_mls/mac_mls.c#7 integrate
.. //depot/projects/trustedbsd/base/sys/security/mac_none/mac_none.c#6 integrate
.. //depot/projects/trustedbsd/base/sys/security/mac_test/mac_test.c#6 integrate
.. //depot/projects/trustedbsd/base/sys/sys/mac.h#7 integrate
.. //depot/projects/trustedbsd/base/sys/sys/mac_policy.h#9 integrate

Differences ...

==== //depot/projects/trustedbsd/base/etc/MAKEDEV#17 (text+ko) ====

@@ -20,7 +20,7 @@
 # MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
 #
 #	@(#)MAKEDEV	5.2 (Berkeley) 6/22/90
-# $FreeBSD: src/etc/MAKEDEV,v 1.329 2002/10/04 20:44:46 sam Exp $
+# $FreeBSD: src/etc/MAKEDEV,v 1.330 2002/10/05 18:28:48 scottl Exp $
 #
 # Device "make" file.  Valid arguments:
 #	all	makes all known devices, standard number of units (or close)
@@ -44,7 +44,6 @@
 #	fd*	floppy disk drives (3 1/2", 5 1/4")
 #	fla*	M-Systems DiskOnChip
 #	idad*	Compaq Smart-2 RAID arrays
-#	matcd*	Matsushita (Panasonic) CD-ROM disks
 #	mcd*	Mitsumi CD-ROM disks
 #	md*	Memory (or malloc) disk
 #	mlx*	Mylex DAC960 RAID controllers
@@ -314,7 +313,7 @@
 	sh $0 acd0 acd0t0 afd0 ast0			# ATAPI devices
 	sh $0 wd0 wd1 wd2 wd3				# OLD disk
 	sh $0 wcd0 wfd0 wst0				# OLD ATAPI devs
-	sh $0 cd0 matcd0 mcd0 scd0			# cdrom
+	sh $0 cd0 mcd0 scd0				# cdrom
 	sh $0 sa0 wt0					# tape
 	sh $0 vty12					# virtual tty
 	sh $0 cuaa0 cuaa1 cuaa2 cuaa3			# serial tty
@@ -853,36 +852,6 @@
 	umask 77
 	;;
 
-matcd*)
-	umask 2
-	case $i in
-	matcd*) unit=`expr $i : '.....\(.*\)'`; name=matcd; chr=46;;
-	esac
-	case $unit in
-	0|1|2|3|4|5|6|7|8|9|10|11|12|13|14|15)
-		mknod ${name}${unit}a	c $chr $(($unit * 8 + 0)) \
-		    root:operator
-		mknod ${name}${unit}c   c $chr $(($unit * 8 + 2)) \
-		    root:operator
-		ln -f ${name}${unit}a r${name}${unit}a
-		ln -f ${name}${unit}c r${name}${unit}c
-		chmod 640 ${name}${unit}[a-h] r${name}${unit}[a-h]
-
-		mknod ${name}${unit}la  c $chr $(($unit * 8 + 128)) \
-		    root:operator
-		mknod ${name}${unit}lc  c $chr $(($unit * 8 + 130)) \
-		    root:operator
-		ln -f ${name}${unit}la r${name}${unit}la
-		ln -f ${name}${unit}lc r${name}${unit}lc
-		chmod 640 ${name}${unit}l[a-h] r${name}${unit}l[a-h]
-		;;
-	*)
-		echo bad unit for disk in: $i
-		;;
-	esac
-	umask 77
-	;;
-
 wcd*)
 	umask 2 ;
 	unit=`expr $i : '...\(.*\)'`

==== //depot/projects/trustedbsd/base/release/doc/en_US.ISO8859-1/hardware/common/dev.sgml#26 (text+ko) ====

@@ -31,7 +31,7 @@
 
 <sect1>
   <sect1info>
-    <pubdate>$FreeBSD: src/release/doc/en_US.ISO8859-1/hardware/common/dev.sgml,v 1.105 2002/10/04 16:53:39 bmah Exp $</pubdate>
+    <pubdate>$FreeBSD: src/release/doc/en_US.ISO8859-1/hardware/common/dev.sgml,v 1.106 2002/10/05 17:23:18 bmah Exp $</pubdate>
   </sect1info>
 
   <title>Supported Devices</title>
@@ -3041,6 +3041,41 @@
  </sect2>
 
   <sect2>
+    <title>Cryptographic Accelerators</title>
+
+    <para arch="i386,pc98">Accelerators based on
+      the Hifn 7751, 7811, or 7951 chipsets (&man.hifn.4; driver)
+
+      <itemizedlist>
+        <listitem>
+	  <para>Invertex AEON</para>
+	</listitem>
+        <listitem>
+	  <para>Hifn 7751 reference board</para>
+	</listitem>
+        <listitem>
+	  <para>Global Technologies Group PowerCrypt and XL-Crypt</para>
+	</listitem>
+        <listitem>
+	  <para>NetSec 7751</para>
+	</listitem>
+        <listitem>
+	  <para>Soekris Engineering vpn1201 and vpn1211</para>
+	</listitem>
+      </itemizedlist>
+     </para>
+
+    <para arch="i386,pc98">Accelerators based on
+      the Bluesteel 5501 or 5601 chipsets (&man.ubsec.4;
+      driver)</para>
+
+    <para arch="i386,pc98">Accelerators based on
+      the Broadcom BCM5801, BCM5802, BCM5805, BCM5820, BCM 5821,
+      BCM5822 chipsets (&man.ubsec.4; driver)</para>
+
+  </sect2>
+
+  <sect2>
     <title>Miscellaneous</title>
 
     <para arch="i386,pc98">FAX-Modem/PCCARD

==== //depot/projects/trustedbsd/base/release/doc/en_US.ISO8859-1/relnotes/common/new.sgml#42 (text+ko) ====

@@ -3,7 +3,7 @@
 
   <corpauthor>The FreeBSD Project</corpauthor>
 
-  <pubdate>$FreeBSD: src/release/doc/en_US.ISO8859-1/relnotes/common/new.sgml,v 1.430 2002/10/04 16:53:12 bmah Exp $</pubdate>
+  <pubdate>$FreeBSD: src/release/doc/en_US.ISO8859-1/relnotes/common/new.sgml,v 1.431 2002/10/05 17:22:22 bmah Exp $</pubdate>
 
   <copyright>
     <year>2000</year>
@@ -111,6 +111,14 @@
     <para role="historic">The &man.agp.4; driver for AGP devices has been
       added. &merged;</para>
 
+    <para>A new in-kernel cryptographic framework (see &man.crypto.4;
+      and &man.crypto.9;) has been imported from OpenBSD.  It provides
+      a consistent interface to hardware and software implementations
+      of cryptographic algorithms for use by the kernel and access to
+      cryptographic hardware for user-mode applications.
+      Hardware device drivers are provided to support hifn-based cards
+      (&man.hifn.4;) and Broadcom-based cards (&man.ubsec.4;).</para>
+
     <para>A new &man.ddb.4; command <command>show pcpu</command> lists
       some of the per-CPU data.</para>
 
@@ -469,12 +477,11 @@
 
     <para>The &os; kernel scheduler now supports Kernel-Scheduled
       Entities (KSEs), which provides support for multiple threads of
-      execution per process similar to Schedular Activations.  At this
+      execution per process similar to Scheduler Activations.  At this
       point, the kernel has most of the changes needed to support
       threading.  The kernel scheduler can schedule multiple threads per
-      process, but only on a single CPU at a time.  Support for
-      userland programs to create and utilize multiple threads is not
-      yet completed.
+      process, but only on a single CPU at a time.  More information
+      can be found in &man.kse.2;.
 
         <note>
 	  <para>KSE is a work in progress.</para>
@@ -3670,7 +3677,7 @@
       <application>less</application> has been imported.</para>
 
       <para>An XML processing library, named
-        <filename>libbsdxml</filename> has been added for the benefit
+        <filename>libbsdxml</filename>, has been added for the benefit
         of XML-using utilities in the base system.  It is based almost
         entirely on an import of <application>expat</application>
         1.95.5, but is installed under a different name to avoid

==== //depot/projects/trustedbsd/base/sys/fs/devfs/devfs_vnops.c#14 (text+ko) ====

@@ -31,7 +31,7 @@
  *	@(#)kernfs_vnops.c	8.15 (Berkeley) 5/21/95
  * From: FreeBSD: src/sys/miscfs/kernfs/kernfs_vnops.c 1.43
  *
- * $FreeBSD: src/sys/fs/devfs/devfs_vnops.c,v 1.49 2002/10/01 10:08:08 phk Exp $
+ * $FreeBSD: src/sys/fs/devfs/devfs_vnops.c,v 1.50 2002/10/05 18:40:10 rwatson Exp $
  */
 
 /*
@@ -868,12 +868,11 @@
 	MALLOC(de->de_symlink, char *, i, M_DEVFS, M_WAITOK);
 	bcopy(ap->a_target, de->de_symlink, i);
 	lockmgr(&dmp->dm_lock, LK_EXCLUSIVE, 0, curthread);
+#ifdef MAC
+	mac_create_devfs_symlink(ap->a_cnp->cn_cred, dd, de);
+#endif
 	TAILQ_INSERT_TAIL(&dd->de_dlist, de, de_list);
 	devfs_allocv(de, ap->a_dvp->v_mount, ap->a_vpp, 0);
-#ifdef MAC
-	mac_create_vnode(ap->a_cnp->cn_cred, ap->a_dvp, *ap->a_vpp);
-	mac_update_devfsdirent(de, *ap->a_vpp);
-#endif /* MAC */
 	lockmgr(&dmp->dm_lock, LK_RELEASE, 0, curthread);
 	return (0);
 }

==== //depot/projects/trustedbsd/base/sys/geom/geom_bsd.c#10 (text+ko) ====

@@ -32,7 +32,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $FreeBSD: src/sys/geom/geom_bsd.c,v 1.24 2002/09/30 08:59:59 phk Exp $
+ * $FreeBSD: src/sys/geom/geom_bsd.c,v 1.25 2002/10/05 18:52:06 phk Exp $
  *
  * This is the method for dealing with BSD disklabels.  It has been
  * extensively (by my standards at least) commented, in the vain hope that
@@ -103,7 +103,7 @@
 	d->d_type = g_dec_le2(ptr + 4);
 	d->d_subtype = g_dec_le2(ptr + 6);
 	bcopy(ptr + 8, d->d_typename, 16);
-	bcopy(d->d_packname, ptr + 24, 16);
+	bcopy(ptr + 24, d->d_packname, 16);
 	d->d_secsize = g_dec_le4(ptr + 40);
 	d->d_nsectors = g_dec_le4(ptr + 44);
 	d->d_ntracks = g_dec_le4(ptr + 48);

==== //depot/projects/trustedbsd/base/sys/kern/kern_conf.c#10 (text+ko) ====

@@ -23,7 +23,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $FreeBSD: src/sys/kern/kern_conf.c,v 1.111 2002/09/27 18:27:09 phk Exp $
+ * $FreeBSD: src/sys/kern/kern_conf.c,v 1.112 2002/10/05 17:10:28 green Exp $
  */
 
 #include <sys/param.h>
@@ -436,6 +436,8 @@
 		u *= 10;
 		u += name[i++] - '0';
 	}
+	if (u > 0xffffff)
+		return (0);
 	*unit = u;
 	if (namep)
 		*namep = &name[i];

==== //depot/projects/trustedbsd/base/sys/kern/kern_mac.c#15 (text+ko) ====

@@ -36,7 +36,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $FreeBSD: src/sys/kern/kern_mac.c,v 1.33 2002/10/05 16:57:16 rwatson Exp $
+ * $FreeBSD: src/sys/kern/kern_mac.c,v 1.38 2002/10/05 18:40:10 rwatson Exp $
  */
 /*
  * Developed by the TrustedBSD Project.
@@ -519,6 +519,10 @@
 			mpc->mpc_ops->mpo_create_devfs_directory =
 			    mpe->mpe_function;
 			break;
+		case MAC_CREATE_DEVFS_SYMLINK:
+			mpc->mpc_ops->mpo_create_devfs_symlink =
+			    mpe->mpe_function;
+			break;
 		case MAC_CREATE_DEVFS_VNODE:
 			mpc->mpc_ops->mpo_create_devfs_vnode =
 			    mpe->mpe_function;
@@ -799,6 +803,10 @@
 			mpc->mpc_ops->mpo_check_vnode_getextattr =
 			    mpe->mpe_function;
 			break;
+		case MAC_CHECK_VNODE_LINK:
+			mpc->mpc_ops->mpo_check_vnode_link =
+			    mpe->mpe_function;
+			break;
 		case MAC_CHECK_VNODE_LOOKUP:
 			mpc->mpc_ops->mpo_check_vnode_lookup =
 			    mpe->mpe_function;
@@ -1043,28 +1051,14 @@
 	mac->m_macflags = MAC_FLAG_INITIALIZED;
 }
 
-int
-mac_init_mbuf(struct mbuf *m, int how)
-{
-	KASSERT(m->m_flags & M_PKTHDR, ("mac_init_mbuf on non-header mbuf"));
-
-	/* "how" is one of M_(TRY|DONT)WAIT */
-	mac_init_label(&m->m_pkthdr.label);
-	MAC_PERFORM(init_mbuf_label, &m->m_pkthdr.label, how);
-#ifdef MAC_DEBUG
-	atomic_add_int(&nmacmbufs, 1);
-#endif
-	return (0);
-}
-
 void
-mac_destroy_mbuf(struct mbuf *m)
+mac_init_bpfdesc(struct bpf_d *bpf_d)
 {
 
-	MAC_PERFORM(destroy_mbuf_label, &m->m_pkthdr.label);
-	mac_destroy_label(&m->m_pkthdr.label);
+	mac_init_label(&bpf_d->bd_label);
+	MAC_PERFORM(init_bpfdesc_label, &bpf_d->bd_label);
 #ifdef MAC_DEBUG
-	atomic_subtract_int(&nmacmbufs, 1);
+	atomic_add_int(&nmacbpfdescs, 1);
 #endif
 }
 
@@ -1080,13 +1074,13 @@
 }
 
 void
-mac_destroy_cred(struct ucred *cr)
+mac_init_devfsdirent(struct devfs_dirent *de)
 {
 
-	MAC_PERFORM(destroy_cred_label, &cr->cr_label);
-	mac_destroy_label(&cr->cr_label);
+	mac_init_label(&de->de_label);
+	MAC_PERFORM(init_devfsdirent_label, &de->de_label);
 #ifdef MAC_DEBUG
-	atomic_subtract_int(&nmaccreds, 1);
+	atomic_add_int(&nmacdevfsdirents, 1);
 #endif
 }
 
@@ -1102,35 +1096,63 @@
 }
 
 void
-mac_destroy_ifnet(struct ifnet *ifp)
+mac_init_ipq(struct ipq *ipq)
+{
+
+	mac_init_label(&ipq->ipq_label);
+	MAC_PERFORM(init_ipq_label, &ipq->ipq_label);
+#ifdef MAC_DEBUG
+	atomic_add_int(&nmacipqs, 1);
+#endif
+}
+
+int
+mac_init_mbuf(struct mbuf *m, int flag)
 {
+	int error;
+
+	KASSERT(m->m_flags & M_PKTHDR, ("mac_init_mbuf on non-header mbuf"));
+
+	mac_init_label(&m->m_pkthdr.label);
+
+	MAC_CHECK(init_mbuf_label, &m->m_pkthdr.label, flag);
+	if (error) {
+		MAC_PERFORM(destroy_mbuf_label, &m->m_pkthdr.label);
+		mac_destroy_label(&m->m_pkthdr.label);
+	}
 
-	MAC_PERFORM(destroy_ifnet_label, &ifp->if_label);
-	mac_destroy_label(&ifp->if_label);
 #ifdef MAC_DEBUG
-	atomic_subtract_int(&nmacifnets, 1);
+	if (error == 0)
+		atomic_add_int(&nmacmbufs, 1);
 #endif
+	return (error);
 }
 
 void
-mac_init_ipq(struct ipq *ipq)
+mac_init_mount(struct mount *mp)
 {
 
-	mac_init_label(&ipq->ipq_label);
-	MAC_PERFORM(init_ipq_label, &ipq->ipq_label);
+	mac_init_label(&mp->mnt_mntlabel);
+	mac_init_label(&mp->mnt_fslabel);
+	MAC_PERFORM(init_mount_label, &mp->mnt_mntlabel);
+	MAC_PERFORM(init_mount_fs_label, &mp->mnt_fslabel);
 #ifdef MAC_DEBUG
-	atomic_add_int(&nmacipqs, 1);
+	atomic_add_int(&nmacmounts, 1);
 #endif
 }
 
 void
-mac_destroy_ipq(struct ipq *ipq)
+mac_init_pipe(struct pipe *pipe)
 {
+	struct label *label;
 
-	MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label);
-	mac_destroy_label(&ipq->ipq_label);
+	label = malloc(sizeof(struct label), M_MACPIPELABEL, M_ZERO|M_WAITOK);
+	mac_init_label(label);
+	pipe->pipe_label = label;
+	pipe->pipe_peer->pipe_label = label;
+	MAC_PERFORM(init_pipe_label, pipe->pipe_label);
 #ifdef MAC_DEBUG
-	atomic_subtract_int(&nmacipqs, 1);
+	atomic_add_int(&nmacpipes, 1);
 #endif
 }
 
@@ -1147,157 +1169,151 @@
 #endif
 }
 
-void
-mac_destroy_socket(struct socket *socket)
+static void
+mac_init_temp(struct label *label)
 {
 
-	MAC_PERFORM(destroy_socket_label, &socket->so_label);
-	MAC_PERFORM(destroy_socket_peer_label, &socket->so_peerlabel);
-	mac_destroy_label(&socket->so_label);
-	mac_destroy_label(&socket->so_peerlabel);
+	mac_init_label(label);
+	MAC_PERFORM(init_temp_label, label);
 #ifdef MAC_DEBUG
-	atomic_subtract_int(&nmacsockets, 1);
+	atomic_add_int(&nmactemp, 1);
 #endif
 }
 
 void
-mac_init_pipe(struct pipe *pipe)
+mac_init_vnode(struct vnode *vp)
 {
-	struct label *label;
 
-	label = malloc(sizeof(struct label), M_MACPIPELABEL, M_ZERO|M_WAITOK);
-	mac_init_label(label);
-	pipe->pipe_label = label;
-	pipe->pipe_peer->pipe_label = label;
-	MAC_PERFORM(init_pipe_label, pipe->pipe_label);
+	mac_init_label(&vp->v_label);
+	MAC_PERFORM(init_vnode_label, &vp->v_label);
 #ifdef MAC_DEBUG
-	atomic_add_int(&nmacpipes, 1);
+	atomic_add_int(&nmacvnodes, 1);
 #endif
 }
 
 void
-mac_destroy_pipe(struct pipe *pipe)
+mac_destroy_bpfdesc(struct bpf_d *bpf_d)
 {
 
-	MAC_PERFORM(destroy_pipe_label, pipe->pipe_label);
-	mac_destroy_label(pipe->pipe_label);
-	free(pipe->pipe_label, M_MACPIPELABEL);
+	MAC_PERFORM(destroy_bpfdesc_label, &bpf_d->bd_label);
+	mac_destroy_label(&bpf_d->bd_label);
 #ifdef MAC_DEBUG
-	atomic_subtract_int(&nmacpipes, 1);
+	atomic_subtract_int(&nmacbpfdescs, 1);
 #endif
 }
 
 void
-mac_init_bpfdesc(struct bpf_d *bpf_d)
+mac_destroy_cred(struct ucred *cr)
 {
 
-	mac_init_label(&bpf_d->bd_label);
-	MAC_PERFORM(init_bpfdesc_label, &bpf_d->bd_label);
+	MAC_PERFORM(destroy_cred_label, &cr->cr_label);
+	mac_destroy_label(&cr->cr_label);
 #ifdef MAC_DEBUG
-	atomic_add_int(&nmacbpfdescs, 1);
+	atomic_subtract_int(&nmaccreds, 1);
 #endif
 }
 
 void
-mac_destroy_bpfdesc(struct bpf_d *bpf_d)
+mac_destroy_devfsdirent(struct devfs_dirent *de)
 {
 
-	MAC_PERFORM(destroy_bpfdesc_label, &bpf_d->bd_label);
-	mac_destroy_label(&bpf_d->bd_label);
+	MAC_PERFORM(destroy_devfsdirent_label, &de->de_label);
+	mac_destroy_label(&de->de_label);
 #ifdef MAC_DEBUG
-	atomic_subtract_int(&nmacbpfdescs, 1);
+	atomic_subtract_int(&nmacdevfsdirents, 1);
 #endif
 }
 
 void
-mac_init_mount(struct mount *mp)
+mac_destroy_ifnet(struct ifnet *ifp)
 {
 
-	mac_init_label(&mp->mnt_mntlabel);
-	mac_init_label(&mp->mnt_fslabel);
-	MAC_PERFORM(init_mount_label, &mp->mnt_mntlabel);
-	MAC_PERFORM(init_mount_fs_label, &mp->mnt_fslabel);
+	MAC_PERFORM(destroy_ifnet_label, &ifp->if_label);
+	mac_destroy_label(&ifp->if_label);
 #ifdef MAC_DEBUG
-	atomic_add_int(&nmacmounts, 1);
+	atomic_subtract_int(&nmacifnets, 1);
 #endif
 }
 
 void
-mac_destroy_mount(struct mount *mp)
+mac_destroy_ipq(struct ipq *ipq)
 {
 
-	MAC_PERFORM(destroy_mount_label, &mp->mnt_mntlabel);
-	MAC_PERFORM(destroy_mount_fs_label, &mp->mnt_fslabel);
-	mac_destroy_label(&mp->mnt_fslabel);
-	mac_destroy_label(&mp->mnt_mntlabel);
+	MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label);
+	mac_destroy_label(&ipq->ipq_label);
 #ifdef MAC_DEBUG
-	atomic_subtract_int(&nmacmounts, 1);
+	atomic_subtract_int(&nmacipqs, 1);
 #endif
 }
 
-static void
-mac_init_temp(struct label *label)
+void
+mac_destroy_mbuf(struct mbuf *m)
 {
 
-	mac_init_label(label);
-	MAC_PERFORM(init_temp_label, label);
+	MAC_PERFORM(destroy_mbuf_label, &m->m_pkthdr.label);
+	mac_destroy_label(&m->m_pkthdr.label);
 #ifdef MAC_DEBUG
-	atomic_add_int(&nmactemp, 1);
+	atomic_subtract_int(&nmacmbufs, 1);
 #endif
 }
 
-static void
-mac_destroy_temp(struct label *label)
+void
+mac_destroy_mount(struct mount *mp)
 {
 
-	MAC_PERFORM(destroy_temp_label, label);
-	mac_destroy_label(label);
+	MAC_PERFORM(destroy_mount_label, &mp->mnt_mntlabel);
+	MAC_PERFORM(destroy_mount_fs_label, &mp->mnt_fslabel);
+	mac_destroy_label(&mp->mnt_fslabel);
+	mac_destroy_label(&mp->mnt_mntlabel);
 #ifdef MAC_DEBUG
-	atomic_subtract_int(&nmactemp, 1);
+	atomic_subtract_int(&nmacmounts, 1);
 #endif
 }
 
 void
-mac_init_vnode(struct vnode *vp)
+mac_destroy_pipe(struct pipe *pipe)
 {
 
-	mac_init_label(&vp->v_label);
-	MAC_PERFORM(init_vnode_label, &vp->v_label);
+	MAC_PERFORM(destroy_pipe_label, pipe->pipe_label);
+	mac_destroy_label(pipe->pipe_label);
+	free(pipe->pipe_label, M_MACPIPELABEL);
 #ifdef MAC_DEBUG
-	atomic_add_int(&nmacvnodes, 1);
+	atomic_subtract_int(&nmacpipes, 1);
 #endif
 }
 
 void
-mac_destroy_vnode(struct vnode *vp)
+mac_destroy_socket(struct socket *socket)
 {
 
-	MAC_PERFORM(destroy_vnode_label, &vp->v_label);
-	mac_destroy_label(&vp->v_label);
+	MAC_PERFORM(destroy_socket_label, &socket->so_label);
+	MAC_PERFORM(destroy_socket_peer_label, &socket->so_peerlabel);
+	mac_destroy_label(&socket->so_label);
+	mac_destroy_label(&socket->so_peerlabel);
 #ifdef MAC_DEBUG
-	atomic_subtract_int(&nmacvnodes, 1);
+	atomic_subtract_int(&nmacsockets, 1);
 #endif
 }
 
-void
-mac_init_devfsdirent(struct devfs_dirent *de)
+static void
+mac_destroy_temp(struct label *label)
 {
 
-	mac_init_label(&de->de_label);
-	MAC_PERFORM(init_devfsdirent_label, &de->de_label);
+	MAC_PERFORM(destroy_temp_label, label);
+	mac_destroy_label(label);
 #ifdef MAC_DEBUG
-	atomic_add_int(&nmacdevfsdirents, 1);
+	atomic_subtract_int(&nmactemp, 1);
 #endif
 }
 
 void
-mac_destroy_devfsdirent(struct devfs_dirent *de)
+mac_destroy_vnode(struct vnode *vp)
 {
 
-	MAC_PERFORM(destroy_devfsdirent_label, &de->de_label);
-	mac_destroy_label(&de->de_label);
+	MAC_PERFORM(destroy_vnode_label, &vp->v_label);
+	mac_destroy_label(&vp->v_label);
 #ifdef MAC_DEBUG
-	atomic_subtract_int(&nmacdevfsdirents, 1);
+	atomic_subtract_int(&nmacvnodes, 1);
 #endif
 }
 
@@ -1824,6 +1840,32 @@
 }
 
 int
+mac_check_vnode_link(struct ucred *cred, struct vnode *dvp,
+    struct vnode *vp, struct componentname *cnp)
+{
+
+	int error;
+
+	ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_link");
+	ASSERT_VOP_LOCKED(vp, "mac_check_vnode_link");
+
+	if (!mac_enforce_fs)
+		return (0);
+
+	error = vn_refreshlabel(dvp, cred);
+	if (error)
+		return (error);
+
+	error = vn_refreshlabel(vp, cred);
+	if (error)
+		return (error);
+
+	MAC_CHECK(check_vnode_link, cred, dvp, &dvp->v_label, vp,
+	    &vp->v_label, cnp);
+	return (error);
+}
+
+int
 mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
     struct componentname *cnp)
 {
@@ -2908,6 +2950,15 @@
 	MAC_PERFORM(create_devfs_device, dev, de, &de->de_label);
 }
 
+void
+mac_create_devfs_symlink(struct ucred *cred, struct devfs_dirent *dd,
+    struct devfs_dirent *de)
+{
+
+	MAC_PERFORM(create_devfs_symlink, cred, dd, &dd->de_label, de,
+	    &de->de_label);
+}
+
 static int
 mac_stdcreatevnode_ea(struct vnode *vp)
 {

==== //depot/projects/trustedbsd/base/sys/kern/vfs_syscalls.c#32 (text+ko) ====

@@ -36,7 +36,7 @@
  * SUCH DAMAGE.
  *
  *	@(#)vfs_syscalls.c	8.13 (Berkeley) 4/15/94
- * $FreeBSD: src/sys/kern/vfs_syscalls.c,v 1.289 2002/10/02 09:05:30 phk Exp $
+ * $FreeBSD: src/sys/kern/vfs_syscalls.c,v 1.290 2002/10/05 18:11:32 rwatson Exp $
  */
 
 /* For 4.3 integer FS ID compatibility */
@@ -1031,7 +1031,12 @@
 		    == 0) {
 			VOP_LEASE(nd.ni_dvp, td, td->td_ucred, LEASE_WRITE);
 			VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE);
-			error = VOP_LINK(nd.ni_dvp, vp, &nd.ni_cnd);
+#ifdef MAC
+			error = mac_check_vnode_link(td->td_ucred, nd.ni_dvp,
+			    vp, &nd.ni_cnd);
+			if (error == 0)
+#endif
+				error = VOP_LINK(nd.ni_dvp, vp, &nd.ni_cnd);
 			VOP_UNLOCK(vp, 0, td);
 		}
 		NDFREE(&nd, NDF_ONLY_PNBUF);

==== //depot/projects/trustedbsd/base/sys/security/mac_biba/mac_biba.c#7 (text+ko) ====

@@ -34,7 +34,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $FreeBSD: src/sys/security/mac_biba/mac_biba.c,v 1.13 2002/10/05 15:09:58 rwatson Exp $
+ * $FreeBSD: src/sys/security/mac_biba/mac_biba.c,v 1.15 2002/10/05 18:56:25 rwatson Exp $
  */
 
 /*
@@ -477,6 +477,18 @@
 }
 
 static void
+mac_biba_create_devfs_symlink(struct ucred *cred, struct devfs_dirent *dd,
+    struct label *ddlabel, struct devfs_dirent *de, struct label *delabel)
+{
+	struct mac_biba *source, *dest;
+
+	source = SLOT(&cred->cr_label);
+	dest = SLOT(delabel);
+
+	mac_biba_copy_single(source, dest);
+}
+
+static void
 mac_biba_create_devfs_vnode(struct devfs_dirent *devfs_dirent,
     struct label *direntlabel, struct vnode *vp, struct label *vnodelabel)
 {
@@ -1510,6 +1522,30 @@
 }
 
 static int
+mac_biba_check_vnode_link(struct ucred *cred, struct vnode *dvp,
+    struct label *dlabel, struct vnode *vp, struct label *label,
+    struct componentname *cnp)
+{
+	struct mac_biba *subj, *obj;
+
+	if (!mac_biba_enabled)
+		return (0);
+
+	subj = SLOT(&cred->cr_label);
+	obj = SLOT(dlabel);
+
+	if (!mac_biba_dominate_single(subj, obj))
+		return (EACCES);
+
+	obj = SLOT(label);
+
+	if (!mac_biba_dominate_single(subj, obj))
+		return (EACCES);
+
+	return (0);
+}
+
+static int
 mac_biba_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
     struct label *dlabel, struct componentname *cnp)
 {
@@ -1959,6 +1995,8 @@
 	    (macop_t)mac_biba_create_devfs_device },
 	{ MAC_CREATE_DEVFS_DIRECTORY,
 	    (macop_t)mac_biba_create_devfs_directory },
+	{ MAC_CREATE_DEVFS_SYMLINK,
+	    (macop_t)mac_biba_create_devfs_symlink },
 	{ MAC_CREATE_DEVFS_VNODE,
 	    (macop_t)mac_biba_create_devfs_vnode },
 	{ MAC_CREATE_VNODE,
@@ -2087,6 +2125,8 @@
 	    (macop_t)mac_biba_check_vnode_getacl },
 	{ MAC_CHECK_VNODE_GETEXTATTR,
 	    (macop_t)mac_biba_check_vnode_getextattr },
+	{ MAC_CHECK_VNODE_LINK,
+	    (macop_t)mac_biba_check_vnode_link },
 	{ MAC_CHECK_VNODE_LOOKUP,
 	    (macop_t)mac_biba_check_vnode_lookup },
 	{ MAC_CHECK_VNODE_OPEN,

==== //depot/projects/trustedbsd/base/sys/security/mac_bsdextended/mac_bsdextended.c#3 (text+ko) ====

@@ -34,7 +34,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $FreeBSD: src/sys/security/mac_bsdextended/mac_bsdextended.c,v 1.2 2002/08/19 19:04:52 rwatson Exp $
+ * $FreeBSD: src/sys/security/mac_bsdextended/mac_bsdextended.c,v 1.3 2002/10/05 18:25:48 rwatson Exp $
  */
 /*
  * Developed by the TrustedBSD Project.
@@ -445,6 +445,33 @@
 }
 
 static int
+mac_bsdextended_check_vnode_link(struct ucred *cred, struct vnode *dvp,
+    struct label *dlabel, struct vnode *vp, struct label *label,
+    struct componentname *cnp)
+{
+	struct vattr vap;
+	int error;
+
+	if (!mac_bsdextended_enabled)
+		return (0);
+
+	error = VOP_GETATTR(dvp, &vap, cred, curthread);
+	if (error)
+		return (error);
+	error = mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VWRITE);
+		if (error)  
+	return (error);
+
+	error = VOP_GETATTR(vp, &vap, cred, curthread);
+	if (error)
+		return (error);
+	error = mac_bsdextended_check(cred, vap.va_uid, vap.va_gid, VWRITE);
+	if (error)
+		return (error);
+	return (0);
+}
+
+static int
 mac_bsdextended_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
     struct label *dlabel, struct componentname *cnp)
 {
@@ -715,6 +742,8 @@
 	    (macop_t)mac_bsdextended_check_vnode_getacl },
 	{ MAC_CHECK_VNODE_GETEXTATTR,
 	    (macop_t)mac_bsdextended_check_vnode_getextattr },
+	{ MAC_CHECK_VNODE_LINK,
+	    (macop_t)mac_bsdextended_check_vnode_link },
 	{ MAC_CHECK_VNODE_LOOKUP,
 	    (macop_t)mac_bsdextended_check_vnode_lookup },
 	{ MAC_CHECK_VNODE_OPEN,

==== //depot/projects/trustedbsd/base/sys/security/mac_mls/mac_mls.c#7 (text+ko) ====

@@ -34,7 +34,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $FreeBSD: src/sys/security/mac_mls/mac_mls.c,v 1.11 2002/10/05 15:09:58 rwatson Exp $
+ * $FreeBSD: src/sys/security/mac_mls/mac_mls.c,v 1.13 2002/10/05 18:56:25 rwatson Exp $
  */
 
 /*
@@ -469,6 +469,18 @@
 }
 
 static void
+mac_mls_create_devfs_symlink(struct ucred *cred, struct devfs_dirent *dd,
+    struct label *ddlabel, struct devfs_dirent *de, struct label *delabel)
+{
+	struct mac_mls *source, *dest;
+
+	source = SLOT(&cred->cr_label);
+	dest = SLOT(delabel);
+
+	mac_mls_copy_single(source, dest);
+}
+
+static void
 mac_mls_create_devfs_vnode(struct devfs_dirent *devfs_dirent,
     struct label *direntlabel, struct vnode *vp, struct label *vnodelabel)
 {
@@ -1471,6 +1483,29 @@
 	return (0);
 }
 
+static int 
+mac_mls_check_vnode_link(struct ucred *cred, struct vnode *dvp,
+    struct label *dlabel, struct vnode *vp, struct label *label,
+    struct componentname *cnp)
+{
+	struct mac_mls *subj, *obj;
+
+	if (!mac_mls_enabled)
+		return (0);
+
+	subj = SLOT(&cred->cr_label);
+	obj = SLOT(dlabel);
+
+	if (!mac_mls_dominate_single(obj, subj))
+		return (EACCES);
+
+	obj = SLOT(dlabel);
+	if (!mac_mls_dominate_single(obj, subj))
+		return (EACCES);
+
+	return (0);
+}
+
 static int
 mac_mls_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
     struct label *dlabel, struct componentname *cnp)
@@ -1922,6 +1957,8 @@
 	    (macop_t)mac_mls_create_devfs_device },
 	{ MAC_CREATE_DEVFS_DIRECTORY,
 	    (macop_t)mac_mls_create_devfs_directory },
+	{ MAC_CREATE_DEVFS_SYMLINK,
+	    (macop_t)mac_mls_create_devfs_symlink },
 	{ MAC_CREATE_DEVFS_VNODE,
 	    (macop_t)mac_mls_create_devfs_vnode },
 	{ MAC_CREATE_VNODE,
@@ -2050,6 +2087,8 @@
 	    (macop_t)mac_mls_check_vnode_getacl },
 	{ MAC_CHECK_VNODE_GETEXTATTR,
 	    (macop_t)mac_mls_check_vnode_getextattr },
+	{ MAC_CHECK_VNODE_LINK,
+	    (macop_t)mac_mls_check_vnode_link },
 	{ MAC_CHECK_VNODE_LOOKUP,
 	    (macop_t)mac_mls_check_vnode_lookup },
 	{ MAC_CHECK_VNODE_OPEN,

==== //depot/projects/trustedbsd/base/sys/security/mac_none/mac_none.c#6 (text+ko) ====

@@ -34,7 +34,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $FreeBSD: src/sys/security/mac_none/mac_none.c,v 1.8 2002/10/05 15:09:59 rwatson Exp $
+ * $FreeBSD: src/sys/security/mac_none/mac_none.c,v 1.10 2002/10/05 18:56:25 rwatson Exp $
  */
 
 /*
@@ -153,6 +153,13 @@
 }
 
 static void
+mac_none_create_devfs_symlink(struct ucred *cred, struct devfs_dirent *dd,
+    struct label *ddlabel, struct devfs_dirent *de, struct label *delabel)
+{
+
+}
+
+static void
 mac_none_create_devfs_directory(char *dirname, int dirnamelen,
     struct devfs_dirent *devfs_dirent, struct label *label)
 {
@@ -669,6 +676,15 @@
 	return (0);
 }
 
+static int 
+mac_none_check_vnode_link(struct ucred *cred, struct vnode *dvp,
+    struct label *dlabel, struct vnode *vp, struct label *label,
+    struct componentname *cnp)
+{
+
+	return (0);
+}
+
 static int
 mac_none_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, 
     struct label *dlabel, struct componentname *cnp)
@@ -883,6 +899,8 @@
 	    (macop_t)mac_none_create_devfs_device },
 	{ MAC_CREATE_DEVFS_DIRECTORY,
 	    (macop_t)mac_none_create_devfs_directory },
+	{ MAC_CREATE_DEVFS_SYMLINK,
+	    (macop_t)mac_none_create_devfs_symlink },
 	{ MAC_CREATE_DEVFS_VNODE,
 	    (macop_t)mac_none_create_devfs_vnode },
 	{ MAC_CREATE_VNODE,
@@ -1019,6 +1037,8 @@
 	    (macop_t)mac_none_check_vnode_getacl },
 	{ MAC_CHECK_VNODE_GETEXTATTR,
 	    (macop_t)mac_none_check_vnode_getextattr },
+	{ MAC_CHECK_VNODE_LINK,
+	    (macop_t)mac_none_check_vnode_link },
 	{ MAC_CHECK_VNODE_LOOKUP,
 	    (macop_t)mac_none_check_vnode_lookup },

>>> TRUNCATED FOR MAIL (1000 lines) <<<
To Unsubscribe: send mail to majordomo at trustedbsd.org
with "unsubscribe trustedbsd-cvs" in the body of the message



More information about the trustedbsd-cvs mailing list