PERFORCE change 18311 for review

Robert Watson rwatson at freebsd.org
Sun Sep 29 03:17:35 GMT 2002


http://people.freebsd.org/~peter/p4db/chv.cgi?CH=18311

Change 18311 by rwatson at rwatson_tislabs on 2002/09/28 20:16:53

	Unhook module processing of _prepare(), _to_text(), _from_text()
	for the time being, as we continue to work on the correct
	structural relationship between pluggable user and kernel
	MAC code.  This permits MAC to be used with existing MAC support
	in statically linked binaries, which is fine again now that
	we can interpret labels from the kernel without user module
	help, but also has its downsides.  Expect more work in this
	space soon, including the ability to specify labels that
	require interpretation by a user module vs labels that are
	understood natively without the help of a module.

Affected files ...

.. //depot/projects/trustedbsd/mac/lib/libc/posix1e/mac.c#2 edit

Differences ...

==== //depot/projects/trustedbsd/mac/lib/libc/posix1e/mac.c#2 (text+ko) ====

@@ -78,10 +78,14 @@
 static LIST_HEAD(, internal_module_entry)	internal_module_list;
 static int					internal_initialized;
 
+/* Default sets of labels for various query operations. */
 static char	*default_file_labels;
 static char	*default_ifnet_labels;
 static char	*default_process_labels;
 
+/* List of labels to process internally as text strings. */
+static char	*text_labels;
+
 const char *
 mac_error(int error)
 {
@@ -311,6 +315,22 @@
 
 			LIST_INSERT_HEAD(&internal_module_list, entry,
 			    ime_entries);
+		} else if (strcmp(statement, "text_labels") == 0) {
+			if (text_labels != NULL) {
+				free(text_labels);
+				text_labels = NULL;
+			}
+
+			arg = strsep(&parse, "# \t");
+			if (arg != NULL && arg[0] != '\0') {
+				text_labels = strdup(arg);
+				if (text_labels == NULL) {
+					error =
+					    MAC_ERROR_INSUFFICIENTRESOURCES;
+					fclose(file);
+					goto just_return;
+				}
+			}
 		} else if (strcmp(statement, "default_file_labels") == 0) {
 			if (default_file_labels != NULL) {
 				free(default_file_labels);
@@ -429,13 +449,17 @@
 {
 	struct internal_module_entry *entry;
 
+#if 0
 	entry = mac_module_find_by_labelname(element->me_name);
 	if (entry != NULL && entry->ime_free != NULL) {
 		entry->ime_free(element);
 	} else {
+#endif
 		if (element->me_data != NULL)
 			free(element->me_data);
+#if 0
 	}
+#endif
 }
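Review bot: After `free(element->me_data)` the element keeps the dangling pointer together with whatever `me_datalen`/`me_databuflen` it had, so a caller that reuses the element or releases the label twice turns this into a use-after-free or double free. Set `element->me_data = NULL;` and zero the two length fields right after the `free`; the `if (element->me_data != NULL)` guard can then go as well, since `free(NULL)` is a no-op. The enclosing function's signature is above this hunk.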
 
 int
@@ -483,6 +507,14 @@
 	return (mac);
 }
 
+static int
+mac_name_in_list(char *string, char *name)
+{
+	
+
+
+}
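Review bot: `mac_name_in_list` is declared `static int` with an empty body and no return statement, so reaching its closing brace and using the result is undefined behaviour, and as an unreferenced static it will also draw an unused-function warning. The `text_labels` string parsed from the configuration in the earlier hunk has no consumer anywhere in this change, so presumably this stub is meant to test membership in that list. Either implement it now, taking `const char *string, const char *name` since neither argument should be written, or leave the stub out until it is used.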
+
 int
 mac_from_text(struct mac **mac, const char *text)
 {
@@ -518,7 +550,10 @@
 
 	search = dup;
 	while ((element = strsep(&search, MAC_PARSE_ELEMENT_SEP_STR))) {
+#if 0
 		struct internal_module_entry *entry;
+#endif
+		struct mac_element *mac_element;
 		char *labelname, *labelvalue;
 
 		labelvalue = element;
@@ -527,17 +562,13 @@
 			error = MAC_ERROR_UNPARSEABLELABEL;
 			goto free_temp;
 		}
-		if (strcmp(labelvalue, MAC_PARSE_UNKNOWNVALUE) == 0) {
-			error = MAC_ERROR_INVALIDLABELVALUE;
-			goto free_temp;
-		}
-
+		mac_element = &temp->m_elements[temp->m_numliveelements];
+		strcpy(mac_element->me_name, labelname);
+#if 0
 		/*
 		 * Walk down the module list until we find a module that
 		 * is willing to accept this label name.
 		 */
-		strcpy(temp->m_elements[temp->m_numliveelements].me_name,
-		    labelname);
 		entry = mac_module_find_by_labelname(labelname);
 		if (entry == NULL) {
 			error = MAC_ERROR_UNKNOWNLABELNAME;
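Review bot: `strcpy(mac_element->me_name, labelname);` copies a label name taken straight from the caller-supplied `text` into `me_name` with no length check; if `me_name` is a fixed-size array in `struct mac_element` (the struct is not in view), an over-long name overruns it. A bounded copy that also reports truncation is safer, e.g. `if (strlcpy(mac_element->me_name, labelname, sizeof(mac_element->me_name)) >= sizeof(mac_element->me_name)) { error = MAC_ERROR_UNPARSEABLELABEL; goto free_temp; }`. The same unbounded `strcpy` into `me_name` is kept on the `element_array[count]` line of the later hunk that builds elements from `element_array`. mac_from_text's body starts and ends outside this hunk.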
@@ -553,6 +584,10 @@
 			error = MAC_ERROR_NOFROMTEXT;
 			goto free_temp;
 		}
+#endif
+		mac_element->me_data = strdup(labelvalue);
+		mac_element->me_databuflen = mac_element->me_datalen =
+		    strlen(labelvalue) + 1;
 		temp->m_numliveelements++;
 	}
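Review bot: `mac_element->me_data = strdup(labelvalue);` is not checked for failure before `strlen(labelvalue) + 1` is recorded as the data length and `m_numliveelements` is incremented, so an allocation failure leaves a live element whose `me_data` is NULL but whose length is non-zero, and `mac_to_text` later hands that pointer to `%s`. Add `if (mac_element->me_data == NULL) { error = MAC_ERROR_INSUFFICIENTRESOURCES; goto free_temp; }` directly after the `strdup`, matching the error path already used earlier in the loop. The enclosing loop and function continue outside this hunk.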
 
@@ -602,6 +637,7 @@
 	}
 
 	for (count = 0; count < element_count; count++) {
+#if 0
 		entry = mac_module_find_by_labelname(element_array[count]);
 		if (entry == NULL) {
 			free(local_policies);
@@ -609,7 +645,9 @@
 			*mac = NULL;
 			return (MAC_ERROR_UNKNOWNLABELNAME);
 		}
+#endif
 		strcpy(temp->m_elements[count].me_name, element_array[count]);
+#if 0
 		if (entry->ime_prepare == NULL) {
 			free(local_policies);
 			mac_free(temp);
@@ -623,6 +661,18 @@
 			*mac = NULL;
 			return (error);
 		}
+#endif
+		temp->m_elements[count].me_databuflen =
+		    MAC_MAX_LABEL_ELEMENT_DATALEN;
+		temp->m_elements[count].me_data =
+		    malloc(temp->m_elements[count].me_databuflen);
+		if (temp->m_elements[count].me_data == NULL) {
+			free(local_policies);
+			mac_free(temp);
+			*mac = NULL;
+			return (MAC_ERROR_INSUFFICIENTRESOURCES);
+		}
+		temp->m_elements[count].me_datalen = 0;
 		temp->m_numliveelements++;
 	}
 
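Review bot: The `me_data` buffer is obtained with `malloc` and `me_datalen` is set to 0, but nothing writes a terminating NUL into it, so if a label prepared here reaches `mac_to_text` before anything fills the buffer, the `%s` there reads uninitialized bytes. Use `calloc(1, temp->m_elements[count].me_databuflen)` in place of the `malloc`, or add `temp->m_elements[count].me_data[0] = '\0';` after the NULL check. The enclosing function starts and ends outside this hunk.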
@@ -634,7 +684,9 @@
 int
 mac_to_text(struct mac *mac, char **text)
 {
+#if 0
 	struct internal_module_entry *entry;
+#endif
 	struct mac_element *element;
 	char *string, *tempstring, *elementstring, *policyvalue;
 	int error, i;
@@ -647,6 +699,7 @@
 	string = NULL;
 	for (i = 0; i < mac->m_numliveelements; i++) {
 		element = &mac->m_elements[i];
+#if 0
 		entry = mac_module_find_by_labelname(element->me_name);
 		if (entry == NULL)
 			elementstring = strdup(MAC_PARSE_UNKNOWNVALUE);
@@ -656,11 +709,13 @@
 			error = entry->ime_to_text(element, &policyvalue);
 			if (error != MAC_SUCCESS)
 				goto error_handler;
-
+#endif
 			asprintf(&elementstring, "%s%s%s", element->me_name,
-			    MAC_PARSE_POLICY_SEP_STR, policyvalue);
+			    MAC_PARSE_POLICY_SEP_STR, element->me_data);
+#if 0
 			free(policyvalue);
 		}
+#endif
 		if (elementstring == NULL) {
 			error = MAC_ERROR_INSUFFICIENTRESOURCES;
 			goto error_handler;
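Review bot: `element->me_data` is passed to `%s` in the `asprintf` with no NULL check, and with the module lookup under `#if 0` there is no longer a branch that substitutes `MAC_PARSE_UNKNOWNVALUE` for an element without data, so an element whose `strdup` failed or that was never populated is undefined behaviour here. Guard it, e.g. `policyvalue = element->me_data != NULL ? element->me_data : MAC_PARSE_UNKNOWNVALUE;` and pass `policyvalue` to `asprintf`, which also keeps the `policyvalue` local in use now that its other references are disabled. The two `asprintf` lines still carry the indentation of the disabled `else` branch; reindent them one level out to match the surrounding loop body. mac_to_text's loop continues outside this hunk.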