PERFORCE change 33482 for review
Robert Watson
rwatson at FreeBSD.org
Sun Jun 22 00:29:52 GMT 2003
http://perforce.freebsd.org/chv.cgi?CH=33482
Change 33482 by rwatson at rwatson_powerbook on 2003/06/21 17:29:03
o Forward declare a boatload of structures referenced in mac_policy_conf;
Darwin's build flags seem a lot more concerned about this than FreeBSD's.
could be an include file ordering issue, but this is a change we should
probably make on FreeBSD as well to avoid having all policy modules
include all the include files for every entry point rather than just
local entry points.
o Use a proc as an argument to mpo_syscall(): while Darwin has threads,
it doesn't associate enough information with struct uthread to be
useful. This may be something we have to fix in Darwin to do the
port of the MAC Framework to Darwin, but we can defer it for a bit.
o "#if 0" anything related to devfs, as Darwin's devfs is the FreeBSD
3.x devfs, and uses different internals than the FreeBSD 5.x devfs.
We'll reconstitute the devfs things later.
o "#if 0" anything related to pipes; Darwin uses FreeBSD 3.x pipes
without VM optimization, and as such uses a pair of sockets rather than
an independent pipe structure. Not yet clear how to handle this,
so simply whack it out for now.
o "#if 0" anything that relates to image activators for now, since no
equivalent notion exists in Darwin. We'll need to pass in the
relevant entries explicitly and not rely on that abstraction.
o "#if 0" anything that relates to ACLs; we have a local ACL implementation
for Darwin, but I don't want to mix it up with the MAC code yet.
o "#if 0" the module event macros and structures, since Darwin doesn't
do linker sets. We'll need to make the MAC Framework use kext's
instead.
With these changes, we can now get a lot further in the kern_mac.c build.
Affected files ...
.. //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/sys/mac_policy.h#2 edit
Differences ...
==== //depot/projects/trustedbsd/sedarwin/apsl/xnu/bsd/sys/mac_policy.h#2 (text+ko) ====
@@ -51,8 +51,17 @@
* Operations are sorted first by general class of operation, then
* alphabetically.
*/
+struct bpf_d;
+struct ifnet;
+struct ipq;
+struct label;
struct mac_policy_conf;
+struct mbuf;
+struct mount;
struct sbuf;
+struct socket;
+struct ucred;
+struct vnode;
struct mac_policy_ops {
/*
* Policy module operations.
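Review bot: The forward-declaration run added at L41-L51 still leaves several types used by live (not `#if 0`'d) entry points undeclared: `struct proc` (the new mpo_syscall signature at L60 and mpo_check_proc_debug at L223-L224), `struct componentname` (L229) and `struct uio` (L241). Since the stated aim is to let a policy module include only the headers for its own entry points, these belong in the same alphabetical run, e.g. `struct componentname;`, `struct proc;`, `struct uio;`. The struct mac_policy_ops definition that opens at L52 continues past the end of this hunk.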
@@ -65,14 +74,16 @@
* may implement new services without reserving explicit
* system call numbers.
*/
- int (*mpo_syscall)(struct thread *td, int call, void *arg);
+ int (*mpo_syscall)(struct proc *p, int call, void *arg);
/*
* Label operations.
*/
void (*mpo_init_bpfdesc_label)(struct label *label);
void (*mpo_init_cred_label)(struct label *label);
+#if 0
void (*mpo_init_devfsdirent_label)(struct label *label);
+#endif
void (*mpo_init_ifnet_label)(struct label *label);
int (*mpo_init_ipq_label)(struct label *label, int flag);
int (*mpo_init_mbuf_label)(struct label *label, int flag);
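Review bot: The new `mpo_syscall` signature at L60 is the one change in this commit that is neither a forward declaration nor an `#if 0`, yet nothing at the declaration records why Darwin gets a `struct proc *` where FreeBSD passes `struct thread *`; that reasoning lives only in the change description. A one-line comment above L60 would keep it with the code, e.g. `/* Darwin: struct uthread carries too little context, so the proc is passed instead of the thread. */`. The block comment at L56-L57 could also say whether `arg` is a user-space pointer the policy must copy in, since it presumably arrives through the multiplexed system call — confirm against the kern_mac.c caller. struct mac_policy_ops starts before this hunk and continues after it.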
@@ -80,12 +91,16 @@
void (*mpo_init_mount_fs_label)(struct label *label);
int (*mpo_init_socket_label)(struct label *label, int flag);
int (*mpo_init_socket_peer_label)(struct label *label, int flag);
+#if 0
void (*mpo_init_pipe_label)(struct label *label);
+#endif
void (*mpo_init_proc_label)(struct label *label);
void (*mpo_init_vnode_label)(struct label *label);
void (*mpo_destroy_bpfdesc_label)(struct label *label);
void (*mpo_destroy_cred_label)(struct label *label);
+#if 0
void (*mpo_destroy_devfsdirent_label)(struct label *label);
+#endif
void (*mpo_destroy_ifnet_label)(struct label *label);
void (*mpo_destroy_ipq_label)(struct label *label);
void (*mpo_destroy_mbuf_label)(struct label *label);
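Review bot: The `#if 0` blocks introduced at L76-L78 and L83-L85 (like the first one at L66-L68 and every later one in this change) carry no marker saying why the entry is disabled or what would re-enable it, so a reader of the header alone cannot tell a deliberate Darwin gap from dead code. Tagging each with the reason given in the change description, e.g. `#if 0 /* XXX Darwin: no FreeBSD 5.x pipe structure yet */` and `#if 0 /* XXX Darwin: devfs is the 3.x design */`, keeps the intent greppable once the description is no longer at hand. struct mac_policy_ops begins before and ends after this hunk.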
@@ -93,21 +108,27 @@
void (*mpo_destroy_mount_fs_label)(struct label *label);
void (*mpo_destroy_socket_label)(struct label *label);
void (*mpo_destroy_socket_peer_label)(struct label *label);
+#if 0
void (*mpo_destroy_pipe_label)(struct label *label);
+#endif
void (*mpo_destroy_proc_label)(struct label *label);
void (*mpo_destroy_vnode_label)(struct label *label);
void (*mpo_copy_mbuf_label)(struct label *src,
struct label *dest);
+#if 0
void (*mpo_copy_pipe_label)(struct label *src,
struct label *dest);
+#endif
void (*mpo_copy_vnode_label)(struct label *src,
struct label *dest);
int (*mpo_externalize_cred_label)(struct label *label,
char *element_name, struct sbuf *sb, int *claimed);
int (*mpo_externalize_ifnet_label)(struct label *label,
char *element_name, struct sbuf *sb, int *claimed);
+#if 0
int (*mpo_externalize_pipe_label)(struct label *label,
char *element_name, struct sbuf *sb, int *claimed);
+#endif
int (*mpo_externalize_socket_label)(struct label *label,
char *element_name, struct sbuf *sb, int *claimed);
int (*mpo_externalize_socket_peer_label)(struct label *label,
@@ -118,8 +139,10 @@
char *element_name, char *element_data, int *claimed);
int (*mpo_internalize_ifnet_label)(struct label *label,
char *element_name, char *element_data, int *claimed);
+#if 0
int (*mpo_internalize_pipe_label)(struct label *label,
char *element_name, char *element_data, int *claimed);
+#endif
int (*mpo_internalize_socket_label)(struct label *label,
char *element_name, char *element_data, int *claimed);
int (*mpo_internalize_vnode_label)(struct label *label,
@@ -129,16 +152,19 @@
* Labeling event operations: file system objects, and things that
* look a lot like file system objects.
*/
+#if 0
void (*mpo_associate_vnode_devfs)(struct mount *mp,
struct label *fslabel, struct devfs_dirent *de,
struct label *delabel, struct vnode *vp,
struct label *vlabel);
+#endif
int (*mpo_associate_vnode_extattr)(struct mount *mp,
struct label *fslabel, struct vnode *vp,
struct label *vlabel);
void (*mpo_associate_vnode_singlelabel)(struct mount *mp,
struct label *fslabel, struct vnode *vp,
struct label *vlabel);
+#if 0
void (*mpo_create_devfs_device)(struct mount *mp, dev_t dev,
struct devfs_dirent *de, struct label *label,
const char *fullpath);
@@ -149,6 +175,7 @@
struct mount *mp, struct devfs_dirent *dd,
struct label *ddlabel, struct devfs_dirent *de,
struct label *delabel, const char *fullpath);
+#endif
int (*mpo_create_vnode_extattr)(struct ucred *cred,
struct mount *mp, struct label *fslabel,
struct vnode *dvp, struct label *dlabel,
@@ -163,10 +190,12 @@
int (*mpo_setlabel_vnode_extattr)(struct ucred *cred,
struct vnode *vp, struct label *vlabel,
struct label *intlabel);
+#if 0
void (*mpo_update_devfsdirent)(struct mount *mp,
struct devfs_dirent *devfs_dirent,
struct label *direntlabel, struct vnode *vp,
struct label *vnodelabel);
+#endif
/*
* Labeling event operations: IPC objects.
@@ -181,16 +210,20 @@
struct label *newsocketlabel);
void (*mpo_relabel_socket)(struct ucred *cred, struct socket *so,
struct label *oldlabel, struct label *newlabel);
+#if 0
void (*mpo_relabel_pipe)(struct ucred *cred, struct pipe *pipe,
struct label *oldlabel, struct label *newlabel);
+#endif
void (*mpo_set_socket_peer_from_mbuf)(struct mbuf *mbuf,
struct label *mbuflabel, struct socket *so,
struct label *socketpeerlabel);
void (*mpo_set_socket_peer_from_socket)(struct socket *oldsocket,
struct label *oldsocketlabel, struct socket *newsocket,
struct label *newsocketpeerlabel);
+#if 0
void (*mpo_create_pipe)(struct ucred *cred, struct pipe *pipe,
struct label *pipelabel);
+#endif
/*
* Labeling event operations: network objects.
@@ -247,6 +280,7 @@
*/
void (*mpo_create_cred)(struct ucred *parent_cred,
struct ucred *child_cred);
+#if 0
void (*mpo_execve_transition)(struct ucred *old, struct ucred *new,
struct vnode *vp, struct label *vnodelabel,
struct label *interpvnodelabel,
@@ -255,11 +289,14 @@
struct vnode *vp, struct label *vnodelabel,
struct label *interpvnodelabel,
struct image_params *imgp, struct label *execlabel);
+#endif
void (*mpo_create_proc0)(struct ucred *cred);
void (*mpo_create_proc1)(struct ucred *cred);
void (*mpo_relabel_cred)(struct ucred *cred,
struct label *newlabel);
+#if 0
void (*mpo_thread_userret)(struct thread *thread);
+#endif
/*
* Access control checks.
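Review bot: `mpo_thread_userret` is disabled at L205-L207, but unlike the other disabled hooks none of the bullets in the change description (devfs, pipes, image activators, ACLs, module events) accounts for it; presumably it goes because it takes `struct thread`, the same type this commit removes from mpo_syscall. A marker on the `#if 0` such as `#if 0 /* XXX Darwin: no usable struct thread equivalent yet */` would record that, and the description's bullet list should mention it so the gap is not forgotten when the thread question is revisited. struct mac_policy_ops extends beyond this hunk on both sides.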
@@ -287,6 +324,7 @@
int (*mpo_check_kld_unload)(struct ucred *cred);
int (*mpo_check_mount_stat)(struct ucred *cred, struct mount *mp,
struct label *mntlabel);
+#if 0
int (*mpo_check_pipe_ioctl)(struct ucred *cred, struct pipe *pipe,
struct label *pipelabel, unsigned long cmd, void *data);
int (*mpo_check_pipe_poll)(struct ucred *cred, struct pipe *pipe,
@@ -300,6 +338,7 @@
struct label *pipelabel);
int (*mpo_check_pipe_write)(struct ucred *cred, struct pipe *pipe,
struct label *pipelabel);
+#endif
int (*mpo_check_proc_debug)(struct ucred *cred,
struct proc *proc);
int (*mpo_check_proc_sched)(struct ucred *cred,
@@ -354,6 +393,7 @@
struct vnode *dvp, struct label *dlabel,
struct vnode *vp, struct label *label,
struct componentname *cnp);
+#if 0
int (*mpo_check_vnode_deleteacl)(struct ucred *cred,
struct vnode *vp, struct label *label, acl_type_t type);
int (*mpo_check_vnode_exec)(struct ucred *cred, struct vnode *vp,
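Review bot: The `#if 0` opened at L230 swallows `mpo_check_vnode_exec` (L233; its parameter list runs past this hunk to `struct label *execlabel` at L235) together with the two ACL checks, while the change description attributes this region only to ACLs. If the exec check is meant to go on the image-activator grounds (compare L192-L200, where the execve hooks are disabled and `struct image_params` appears at L199), it should sit in its own `#if 0` with that reason so the ACL and exec gaps can be re-enabled independently: close the ACL block after L232, open a second block with an exec-specific comment around L233-L235, and open a third before `mpo_check_vnode_getacl` at L236, which the existing `#endif` at L238 (next hunk) then closes. As far as this table shows it is the only check on executing a file, so dropping it without a marker deserves a note.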
@@ -361,6 +401,7 @@
struct label *execlabel);
int (*mpo_check_vnode_getacl)(struct ucred *cred,
struct vnode *vp, struct label *label, acl_type_t type);
+#endif
int (*mpo_check_vnode_getextattr)(struct ucred *cred,
struct vnode *vp, struct label *label, int attrnamespace,
const char *name, struct uio *uio);
@@ -400,9 +441,11 @@
struct componentname *cnp);
int (*mpo_check_vnode_revoke)(struct ucred *cred,
struct vnode *vp, struct label *label);
+#if 0
int (*mpo_check_vnode_setacl)(struct ucred *cred,
struct vnode *vp, struct label *label, acl_type_t type,
struct acl *acl);
+#endif
int (*mpo_check_vnode_setextattr)(struct ucred *cred,
struct vnode *vp, struct label *label, int attrnamespace,
const char *name, struct uio *uio);
@@ -442,6 +485,7 @@
/* Flags for the mpc_runtime_flags field. */
#define MPC_RUNTIME_FLAG_REGISTERED 0x00000001
+#if 0
#define MAC_POLICY_SET(mpops, mpname, mpfullname, mpflags, privdata_wanted) \
static struct mac_policy_conf mpname##_mac_policy_conf = { \
#mpname, \
@@ -461,6 +505,7 @@
SI_ORDER_MIDDLE)
int mac_policy_modevent(module_t mod, int type, void *data);
+#endif
#define LABEL_TO_SLOT(l, s) (l)->l_perpolicy[s]