PERFORCE change 74303 for review
Andrew Reisse
areisse at FreeBSD.org
Fri Apr 1 19:17:18 GMT 2005
http://perforce.freebsd.org/chv.cgi?CH=74303
Change 74303 by areisse at areisse_ibook on 2005/04/01 19:16:38
Bring over changes made in the dsep-20050331 drop.
See the readme for the major changes.
Affected files ...
.. //depot/projects/trustedbsd/sedarwin7/README#2 integrate
.. //depot/projects/trustedbsd/sedarwin7/VERSION#2 integrate
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/BootX/Makefile.preamble#2 integrate
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/BootX/fcode-to-c.tproj/Makefile.preamble#2 integrate
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/BootX/macho-to-xcoff.tproj/Makefile.preamble#2 integrate
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/Makefile#2 integrate
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/etc/Makefile#2 integrate
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/file_cmds/Makefile#2 integrate
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/file_cmds/ls/ls.c#2 integrate
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/libmac/mac_get.c#2 integrate
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/libmac/mac_set.c#2 integrate
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/mac_cmds/Makefile#2 integrate
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/mac_cmds/getfmac/Makefile#2 integrate
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/mac_cmds/getpmac/Makefile#2 integrate
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/mac_cmds/mexec/Makefile#2 integrate
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/mac_cmds/setfsmac/Makefile#2 integrate
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/mac_cmds/setfsmac/sysqueue.h#2 integrate
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/mac_cmds/setpmac/Makefile#2 integrate
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/mac_cmds/setpmac/setpmac.c#2 integrate
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/mach_cmds/BootstrapDump.c#2 integrate
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/mach_cmds/mgetpmac.c#2 integrate
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/system_cmds/mach_init.tproj/Makefile#2 integrate
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/system_cmds/mach_init.tproj/bootstrap.c#2 integrate
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/kern/kern_descrip.c#2 integrate
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/kern/posix_sem.c#2 integrate
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/kern/posix_shm.c#2 integrate
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/kern/sys_socket.c#2 integrate
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/kern/uipc_mbuf.c#2 integrate
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/kern/uipc_socket.c#2 integrate
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/kern/uipc_socket2.c#2 integrate
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/kern/uipc_syscalls.c#2 integrate
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/kern/uipc_usrreq.c#2 integrate
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/netinet/raw_ip.c#2 integrate
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/netinet/tcp_input.c#2 integrate
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/netinet/tcp_output.c#2 integrate
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/netinet/tcp_subr.c#2 integrate
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/netinet6/esp_input.c#2 integrate
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/netinet6/icmp6.c#2 integrate
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/netinet6/ip6_output.c#2 integrate
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/netinet6/ipsec.c#2 integrate
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/netinet6/raw_ip6.c#2 integrate
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/sys/Makefile#2 integrate
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/sys/mac.h#2 integrate
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/sys/mac_policy.h#2 integrate
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/sys/mbuf.h#2 integrate
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/sys/posix_sem.h#1 branch
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/sys/posix_shm.h#1 branch
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/sys/socket.h#2 integrate
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/sys/socketvar.h#2 integrate
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/sys/vnode.h#2 integrate
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/vfs/vfs_vnops.c#2 integrate
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/osfmk/ipc/ipc_right.c#2 integrate
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/osfmk/mach/mac.h#2 integrate
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/security/conf/files#2 integrate
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/security/mac_base.c#2 integrate
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/security/mac_internal.h#2 integrate
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/security/mac_port.c#2 integrate
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/security/mac_posix_sem.c#1 branch
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/security/mac_posix_shm.c#1 branch
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/security/mac_socket.c#1 branch
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/security/mac_vfs.c#2 integrate
.. //depot/projects/trustedbsd/sedarwin7/src/mac_mls/mac_mls.c#2 integrate
.. //depot/projects/trustedbsd/sedarwin7/src/mac_stub/mac_stub.c#2 integrate
.. //depot/projects/trustedbsd/sedarwin7/src/mactest/mac_test.c#2 integrate
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/Makefile#2 integrate
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/libsedarwin/Makefile#2 integrate
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/policy/Makefile#2 integrate
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/programs/Makefile#2 integrate
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/programs/checkpolicy/Makefile#2 integrate
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/programs/loadpolicy/Makefile#2 integrate
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/programs/newrole/Makefile#2 integrate
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/programs/wslogin/Makefile#2 integrate
.. //depot/projects/trustedbsd/sedarwin7/src/stacktrace/commands/Makefile#2 integrate
.. //depot/projects/trustedbsd/sedarwin7/src/stacktrace/commands/save_trace/Makefile#2 integrate
.. //depot/projects/trustedbsd/sedarwin7/src/stacktrace/commands/sec_trace/Makefile#2 integrate
Differences ...
==== //depot/projects/trustedbsd/sedarwin7/README#2 (text+ko) ====
@@ -46,7 +46,35 @@
- Enhancements to the BootX boot loader and XNU kernel extension
linker to support the loading of policy KEXTs earlier in the
boot sequence.
+ - Modifications to mach_init to help bootstrap the mac_mls policy;
+ this is only a temporary measure until the login modifications
+ are complete.
+
+
+New Features in the 20050331 release
+====================================
+
+ - Support labelling and access control for Posix IPC (semaphores
+ and shared memory). This includes support for Posix IPC in mls and
+ stub policies.
+
+ - Modifications to the Darwin kernel to assign labels to
+ sockets and other supporting IPv4 data structures, and the
+ addition of access control checks to socket-related operations.
+ Extensions to the MAC Framework to permit policy modules to
+ implement these entry points.
+
+ - Build improvements to convert all remaining BSD Makefiles to GNU
+ Makefiles. The build is further isolated; it no longer builds
+ and installs BootX tools in the user's home directory. The
+ mach_init program was added to the installation.
+ - Modified Darwin kernel with additional experimental labeling and
+ access control for Mach IPC. Prototype modifications to the MLS
+ policy to control information flow via Mach IPC.
+
+ - Additional maturing in VFS security; in particular, vn_read,
+ vn_write, and vn_rdwr access controls were changed.
New Features in Drop 5
======================
==== //depot/projects/trustedbsd/sedarwin7/VERSION#2 (text+ko) ====
@@ -1,6 +1,4 @@
-Code Drop 5
-December 17, 2004
+Code Drop dsep-20050331
+March 31, 2005
-src @1501
-docs @1501
-testbed @1501
+src @1896
==== //depot/projects/trustedbsd/sedarwin7/src/darwin/BootX/Makefile.preamble#2 (text+ko) ====
@@ -1,3 +1,4 @@
+include ../../Makeconfig
INCLUDED_ARCHS = ppc
OTHER_RECURSIVE_VARIABLES += INCLUDED_ARCHS
@@ -139,4 +140,4 @@
# Change this definition to install projects somewhere other than the
# standard locations. NEXT_ROOT defaults to "C:/Apple" on Windows systems
# and "" on other systems.
-DSTROOT = $(HOME)
+DSTROOT = $(DARWIN_ROOT)
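Review bot: `DSTROOT = $(DARWIN_ROOT)` expands to an empty string if Makeconfig does not define DARWIN_ROOT, and the install step would then write under `/` rather than the isolated tree; the same applies to the fcode-to-c.tproj and macho-to-xcoff.tproj preambles. The guard in src/darwin/Makefile appears only as commented-out context (`#ifndef DARWIN_ROOT`), so nothing visible here stops that. Consider a live check right after the include: `ifndef DARWIN_ROOT`, `$(error DARWIN_ROOT is not defined in Makeconfig)`, `endif`.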
==== //depot/projects/trustedbsd/sedarwin7/src/darwin/BootX/fcode-to-c.tproj/Makefile.preamble#2 (text+ko) ====
@@ -1,3 +1,4 @@
+include ../../../Makeconfig
###############################################################################
# Makefile.preamble
# Copyright 1997, Apple Computer, Inc.
@@ -134,4 +135,4 @@
# Change this definition to install projects somewhere other than the
# standard locations. NEXT_ROOT defaults to "C:/Apple" on Windows systems
# and "" on other systems.
-DSTROOT = $(HOME)
+DSTROOT = $(DARWIN_ROOT)
==== //depot/projects/trustedbsd/sedarwin7/src/darwin/BootX/macho-to-xcoff.tproj/Makefile.preamble#2 (text+ko) ====
@@ -1,3 +1,4 @@
+include ../../../Makeconfig
###############################################################################
# Makefile.preamble
# Copyright 1997, Apple Computer, Inc.
@@ -134,4 +135,4 @@
# Change this definition to install projects somewhere other than the
# standard locations. NEXT_ROOT defaults to "C:/Apple" on Windows systems
# and "" on other systems.
-DSTROOT = $(HOME)
+DSTROOT = $(DARWIN_ROOT)
==== //depot/projects/trustedbsd/sedarwin7/src/darwin/Makefile#2 (text+ko) ====
@@ -10,12 +10,13 @@
cd libextattr && gnumake
cd libmac && gnumake
cd adv_cmds/ps.tproj && gnumake
- cd etc && bsdmake
+ cd etc && gnumake
cd extattr_cmds && make
- cd mac_cmds && bsdmake
- cd file_cmds && bsdmake
+ cd mac_cmds && gnumake
+ cd file_cmds && gnumake
cd mach_cmds && gnumake
cd top && make
+ cd system_cmds/mach_init.tproj && gnumake
# bootstrap_cmds
@@ -28,12 +29,13 @@
cd libextattr && gnumake install
cd libmac && gnumake install
cd adv_cmds/ps.tproj && gnumake install
- cd etc && bsdmake install
+ cd etc && gnumake install
cd extattr_cmds && make install
- cd mac_cmds && bsdmake install
- cd file_cmds && bsdmake install
+ cd mac_cmds && gnumake install
+ cd file_cmds && gnumake install
cd mach_cmds && gnumake install
cd top && make install
+ cd system_cmds/mach_init.tproj && gnumake install
clean:
rm -rf xnu/BUILD
@@ -45,12 +47,13 @@
cd libextattr && gnumake clean
cd libmac && gnumake clean
cd adv_cmds/ps.tproj && gnumake clean
- cd etc && bsdmake clean
+ cd etc && gnumake clean
cd extattr_cmds && make clean
- cd mac_cmds && bsdmake clean
- cd file_cmds && bsdmake clean
+ cd mac_cmds && gnumake clean
+ cd file_cmds && gnumake clean
cd mach_cmds && gnumake clean
cd top && make clean
+ cd system_cmds/mach_init.tproj && gnumake clean
#ifndef DARWIN_ROOT
# $(error DARWIN_ROOT is not defined in Makeconfig)
==== //depot/projects/trustedbsd/sedarwin7/src/darwin/etc/Makefile#2 (text+ko) ====
@@ -1,11 +1,13 @@
include ../../Makeconfig
ETCFILES= mac.conf
+INSTALL= install
+
+all:
install:
- cd ${.CURDIR}; \
+ cd ${CURDIR}; \
${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 644 \
$(ETCFILES) ${DESTDIR}/private/etc;
-
-.include <bsd.prog.mk>
+clean:
==== //depot/projects/trustedbsd/sedarwin7/src/darwin/file_cmds/Makefile#2 (text+ko) ====
@@ -1,7 +1,13 @@
include ../../Makeconfig
-SUBDIR= ls
+.PHONY: install
+
+all:
+ cd ls && gnumake
+
+install:
+ cd ls && gnumake install
-MAKE=gnumake
+clean:
+ cd ls && gnumake clean
-.include <bsd.subdir.mk>
==== //depot/projects/trustedbsd/sedarwin7/src/darwin/file_cmds/ls/ls.c#2 (text+ko) ====
@@ -593,7 +593,6 @@
if (f_flags) {
np->flags = &np->data[ulen + glen + 2];
(void)strcpy(np->flags, flags);
- free(flags);
}
if (f_label) {
np->label = &np->data[ulen + glen + 2
==== //depot/projects/trustedbsd/sedarwin7/src/darwin/libmac/mac_get.c#2 (text+ko) ====
@@ -33,6 +33,7 @@
#include <sys/syscall.h>
#include <sys/types.h>
+#include <sys/socket.h>
#include <sys/mac.h>
#include <errno.h>
@@ -40,7 +41,7 @@
mac_get_fd(int fd, struct mac *label)
{
- return (ENOSYS);
+ return (syscall(SYS___mac_get_fd, fd, label));
}
int
@@ -70,3 +71,12 @@
return (syscall(SYS___mac_get_proc, label));
}
+
+int
+mac_get_peer(int fd, struct mac *label)
+{
+ socklen_t len;
+
+ len = sizeof(*label);
+ return (getsockopt(fd, SOL_SOCKET, SO_PEERLABEL, label, &len));
+}
==== //depot/projects/trustedbsd/sedarwin7/src/darwin/libmac/mac_set.c#2 (text+ko) ====
@@ -40,7 +40,7 @@
mac_set_fd(int fd, struct mac *label)
{
- return (ENOSYS);
+ return (syscall(SYS___mac_set_fd, fd, label));
}
int
==== //depot/projects/trustedbsd/sedarwin7/src/darwin/mac_cmds/Makefile#2 (text+ko) ====
@@ -1,9 +1,22 @@
include ../../Makeconfig
-SUBDIR= getfmac \
- getpmac \
- mexec \
- setfsmac \
- setpmac
+all:
+ cd getfmac && gnumake
+ cd getpmac && gnumake
+ cd mexec && gnumake
+ cd setfsmac && gnumake
+ cd setpmac && gnumake
+
+install:
+ cd getfmac && gnumake install
+ cd getpmac && gnumake install
+ cd mexec && gnumake install
+ cd setfsmac && gnumake install
+ cd setpmac && gnumake install
-.include <bsd.subdir.mk>
+clean:
+ cd getfmac && gnumake clean
+ cd getpmac && gnumake clean
+ cd mexec && gnumake clean
+ cd setfsmac && gnumake clean
+ cd setpmac && gnumake clean
==== //depot/projects/trustedbsd/sedarwin7/src/darwin/mac_cmds/getfmac/Makefile#2 (text+ko) ====
@@ -3,7 +3,19 @@
PROG= getfmac
MAN8= getfmac.8
+OBJS= getfmac.o
+
CFLAGS+= $(DARWIN_HDRS)
LDADD+= $(LIBMAC)
-.include <bsd.prog.mk>
+all: $(PROG)
+
+$(PROG): $(OBJS)
+ $(CC) $(CFLAGS) -o $@ $^ $(LDADD)
+
+install: $(PROG)
+ install -m 555 $(PROG) $(DESTDIR)/usr/bin
+ install -m 444 $(MAN8) $(DESTDIR)/usr/share/man/man8
+
+clean:
+ rm -f $(OBJS) $(PROG)
==== //depot/projects/trustedbsd/sedarwin7/src/darwin/mac_cmds/getpmac/Makefile#2 (text+ko) ====
@@ -3,7 +3,19 @@
PROG= getpmac
MAN8= getpmac.8
+OBJS= getpmac.o
+
CFLAGS+= $(DARWIN_HDRS)
LDADD+= $(LIBMAC)
-.include <bsd.prog.mk>
+all: $(PROG)
+
+$(PROG): $(OBJS)
+ $(CC) $(CFLAGS) -o $@ $^ $(LDADD)
+
+install: $(PROG)
+ install -m 555 $(PROG) $(DESTDIR)/usr/bin
+ install -m 444 $(MAN8) $(DESTDIR)/usr/share/man/man8
+
+clean:
+ rm -f $(PROG) $(OBJS)
==== //depot/projects/trustedbsd/sedarwin7/src/darwin/mac_cmds/mexec/Makefile#2 (text+ko) ====
@@ -3,7 +3,18 @@
PROG= mexec
NOMAN=
+OBJS= mexec.o
+
CFLAGS+= $(DARWIN_HDRS)
LDADD+= $(LIBMAC)
-.include <bsd.prog.mk>
+all: $(PROG)
+
+$(PROG): $(OBJS)
+ $(CC) $(CFLAGS) -o $@ $^ $(LDADD)
+
+install: $(PROG)
+ install -m 555 $(PROG) $(DESTDIR)/usr/bin
+
+clean:
+ rm -f $(PROG) $(OBJS)
==== //depot/projects/trustedbsd/sedarwin7/src/darwin/mac_cmds/setfsmac/Makefile#2 (text+ko) ====
@@ -3,8 +3,22 @@
PROG= setfsmac
MAN8= setfsmac.8 setfmac.8
+OBJS= setfsmac.o
+
CFLAGS+= $(DARWIN_HDRS)
LDADD+= $(LIBMAC)
-LINKS+= $(BINDIR)/setfsmac $(BINDIR)/setfmac
+LINKS+= $(DESTDIR)/usr/bin/setfsmac $(DESTDIR)/usr/bin/setfmac
+
+all: $(PROG)
+
+$(PROG): $(OBJS)
+ $(CC) $(CFLAGS) -o $@ $^ $(LDADD)
+
+install: $(PROG)
+ install -m 555 $(PROG) $(DESTDIR)/usr/bin
+ ln -f $(LINKS)
+ install -m 444 $(MAN8) $(DESTDIR)/usr/share/man/man8
+
+clean:
+ rm -f $(PROG) $(OBJS)
-.include <bsd.prog.mk>
==== //depot/projects/trustedbsd/sedarwin7/src/darwin/mac_cmds/setfsmac/sysqueue.h#2 (text+ko) ====
@@ -34,8 +34,8 @@
* $FreeBSD: src/sys/sys/queue.h,v 1.54 2002/08/05 05:18:43 alfred Exp $
*/
-#ifndef _SYS_QUEUE_H_
-#define _SYS_QUEUE_H_
+#ifndef _SYSQUEUE_H_
+#define _SYSQUEUE_H_
#include <sys/cdefs.h>
@@ -526,4 +526,4 @@
#endif /* _KERNEL */
-#endif /* !_SYS_QUEUE_H_ */
+#endif /* _SYSQUEUE_H_ */
==== //depot/projects/trustedbsd/sedarwin7/src/darwin/mac_cmds/setpmac/Makefile#2 (text+ko) ====
@@ -3,7 +3,19 @@
PROG= setpmac
MAN8= setpmac.8
+OBJS= setpmac.o
+
CFLAGS+= $(DARWIN_HDRS)
LDADD+= $(LIBMAC)
-.include <bsd.prog.mk>
+all: $(PROG)
+
+$(PROG): $(OBJS)
+ $(CC) $(CFLAGS) -o $@ $^ $(LDADD)
+
+install: $(PROG)
+ install -m 555 $(PROG) $(DESTDIR)/usr/bin
+ install -m 444 $(MAN8) $(DESTDIR)/usr/share/man/man8
+
+clean:
+ rm -f $(PROG) $(OBJS)
==== //depot/projects/trustedbsd/sedarwin7/src/darwin/mac_cmds/setpmac/setpmac.c#2 (text+ko) ====
@@ -62,7 +62,7 @@
int error;
- if (argc < 3)
+ if (argc < 2)
usage();
error = mac_from_text(&label, argv[1]);
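Review bot: Relaxing the guard to `argc < 2` lets main continue with only a label argument, so `argv[2]` is NULL for whatever code follows `mac_from_text`. The rest of main is outside the hunk, so it is not visible whether a default command was added or the old exec of `argv[2]` remains. If the latter, it needs an explicit `argv[2] == NULL` branch before the exec. The usage() text should also say that the command is now optional.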
==== //depot/projects/trustedbsd/sedarwin7/src/darwin/mach_cmds/BootstrapDump.c#2 (text+ko) ====
@@ -70,7 +70,7 @@
fprintf(stderr, "%s: Usage: BootstrapPortDump [ pid ]\n", gProgramName);
}
-static const char *policies = "sebsd,ipctrace";
+static const char *policies = "?sebsd,?ipctrace,?mls";
int main (int argc, const char * argv[])
{
==== //depot/projects/trustedbsd/sedarwin7/src/darwin/mach_cmds/mgetpmac.c#2 (text+ko) ====
@@ -42,7 +42,7 @@
{
mach_port_t tp;
char label[512];
- char *policies = "sebsd";
+ char *policies = "?sebsd,?ipctrace,?mls";
if (argc > 1)
task_for_pid(mach_task_self(), strtol(argv[1], NULL, 10), &tp);
==== //depot/projects/trustedbsd/sedarwin7/src/darwin/system_cmds/mach_init.tproj/Makefile#2 (text+ko) ====
@@ -7,6 +7,8 @@
# and Makefile.postamble (both optional), and Makefile will include them.
#
+include ../../../Makeconfig
+
NAME = mach_init
PROJECTVERSION = 2.8
@@ -26,7 +28,8 @@
NEXTSTEP_INSTALLDIR = /sbin
WINDOWS_INSTALLDIR = /sbin
PDO_UNIX_INSTALLDIR = /sbin
-LIBS =
+OTHER_CFLAGS= -I$(EXPORT_HDRS)/bsd -I$(EXPORT_HDRS)/osfmk -I$(EXPORT_HDRS)
+LIBS = $(LIBMAC)
DEBUG_LIBS = $(LIBS)
PROF_LIBS = $(LIBS)
@@ -36,7 +39,7 @@
PDO_UNIX_PB_CFLAGS = -DMACH_USER_API
-NEXTSTEP_BUILD_OUTPUT_DIR = /tmp/$(USER)/BUILD
+NEXTSTEP_BUILD_OUTPUT_DIR =
NEXTSTEP_OBJCPLUS_COMPILER = /usr/bin/cc
WINDOWS_OBJCPLUS_COMPILER = $(DEVDIR)/gcc
==== //depot/projects/trustedbsd/sedarwin7/src/darwin/system_cmds/mach_init.tproj/bootstrap.c#2 (text+ko) ====
@@ -43,6 +43,7 @@
#include <mach/host_info.h>
#include <mach/mach_host.h>
#include <mach/exception.h>
+#include <sys/mac.h>
#import <sys/ioctl.h>
#import <sys/types.h>
@@ -254,6 +255,10 @@
ioctl(fd, TIOCNOTTY, 0);
close(fd);
}
+
+ mac_t mac;
+ if (!mac_from_text(&mac, "mls/low(low-high)"))
+ mac_set_proc(mac);
/* pass our arguments on to init */
argv[0] = INIT_PATH;
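Review bot: The return value of `mac_set_proc(mac)` is discarded here and in the second added block before `execv()` (hunk @@ -813), so if the label cannot be applied the exec still proceeds and init or the server runs unlabelled with no trace. A failing `mac_from_text` is skipped just as silently. Check it with `if (mac_set_proc(mac) != 0)` and report the failure through the file's existing error logging, so a boot without the intended `mls/low(low-high)` label is at least visible. `mac` is also never released with `mac_free()`, which matters on the path where the exec fails and execution continues. Both enclosing functions start and end outside the hunks.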
@@ -813,6 +818,10 @@
sigemptyset(&mask);
(void) sigprocmask(SIG_SETMASK, &mask, (sigset_t *)NULL);
+ mac_t mac;
+ if (!mac_from_text(&mac, "mls/low(low-high)"))
+ mac_set_proc(mac);
+
execv(argv[0], argv);
unix_fatal("Disabled server %x bootstrap %x: \"%s\": exec()",
serverp->port,
==== //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/kern/kern_descrip.c#2 (text+ko) ====
@@ -257,6 +257,12 @@
return (EBADF);
pop = &fdp->fd_ofileflags[fd];
+#ifdef MAC
+ error = mac_check_fcntl(p->p_ucred, fdp, uap->cmd, uap->arg);
+ if (error)
+ return (error);
+#endif
+
switch (uap->cmd) {
case F_DUPFD:
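Review bot: `mac_check_fcntl` is handed `fdp`, which the context line just above uses as the descriptor table (`fdp->fd_ofileflags[fd]`), together with `cmd` and `arg`, but neither `fd` nor the file it resolves to. If that reading is right, a policy cannot tell which object the fcntl targets and can only allow or deny by command. The prototype is not visible in this excerpt, so please confirm whether the looked-up file was meant to be passed instead. A short comment above the call, stating what the policy is expected to mediate, would help. The enclosing function starts and ends outside the hunk.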
@@ -733,7 +739,7 @@
break;
case DTYPE_PSXSHM:
- error = pshm_stat((void *)fp->f_data, &ub);
+ error = pshm_stat((void *)fp->f_data, &ub, p);
break;
case DTYPE_KQUEUE:
==== //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/kern/posix_sem.c#2 (text+ko) ====
@@ -61,30 +61,8 @@
#include <kern/task.h>
#include <kern/clock.h>
#include <mach/kern_return.h>
-
-#define PSEMNAMLEN 31 /* maximum name segment length we bother with */
-
-struct pseminfo {
- unsigned int psem_flags;
- unsigned int psem_usecount;
- mode_t psem_mode;
- uid_t psem_uid;
- gid_t psem_gid;
- char psem_name[PSEMNAMLEN + 1]; /* segment name */
- void * psem_semobject;
- struct proc * sem_proc;
-};
-#define PSEMINFO_NULL (struct pseminfo *)0
+#include <sys/posix_sem.h>
-#define PSEM_NONE 1
-#define PSEM_DEFINED 2
-#define PSEM_ALLOCATED 4
-#define PSEM_MAPPED 8
-#define PSEM_INUSE 0x10
-#define PSEM_REMOVED 0x20
-#define PSEM_INCREATE 0x40
-#define PSEM_INDELETE 0x80
-
struct psemcache {
LIST_ENTRY(psemcache) psem_hash; /* hash chain */
struct pseminfo *pseminfo; /* vnode the name refers to */
@@ -424,6 +402,15 @@
pinfo->psem_flags &= ~PSEM_DEFINED;
pinfo->psem_flags |= PSEM_ALLOCATED;
pinfo->sem_proc = p;
+#ifdef MAC
+ mac_init_posix_sem(pinfo);
+
+ error = mac_check_posix_sem_create(p->p_ucred, nameptr);
+ if (error)
+ goto bad2;
+
+ mac_create_posix_sem(p->p_ucred, pinfo, nameptr);
+#endif
} else {
/* semaphore should exist as it is without O_CREAT */
if (!incache) {
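Review bot: `mac_check_posix_sem_create` runs only after `pinfo` has been marked `PSEM_ALLOCATED`, and a denial jumps to `bad2`. As the later cleanup hunk shows, `bad2` starts with `_FREE(pnode, M_SHM)` and then frees `pinfo`, with no `semaphore_destroy` on `pinfo->psem_semobject`. Whether `pnode` has been allocated and whether the semaphore object already exists at this point is outside the hunk, but if they are as the flags suggest, the denial path frees an unset pointer and leaks the kernel semaphore. posix_shm.c places its `bad2` label after the `pnode` free, which avoids the first problem. Running the create check before the semaphore object is created, or adding a dedicated cleanup label for this path, would make a policy denial safe.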
@@ -433,7 +420,11 @@
if( pinfo->psem_flags & PSEM_INDELETE) {
error = ENOENT;
goto bad1;
- }
+ }
+#ifdef MAC
+ if (error = mac_check_posix_sem_open(p->p_ucred, pinfo))
+ goto bad1;
+#endif
if (error = psem_access(pinfo, fmode, p->p_ucred, p))
goto bad1;
}
@@ -469,8 +460,12 @@
goto bad1;
bad2:
_FREE(pnode, M_SHM);
- if (pinfo_alloc)
+ if (pinfo_alloc) {
+#ifdef MAC
+ mac_destroy_posix_sem(pinfo);
+#endif
_FREE(pinfo, M_SHM);
+ }
bad1:
fdrelse(p, indx);
ffree(nfp);
@@ -602,6 +597,11 @@
goto bad;
} else
incache = 1;
+#ifdef MAC
+ error = mac_check_posix_sem_unlink(p->p_ucred, pinfo, nameptr);
+ if (error)
+ goto bad;
+#endif
if (error = psem_access(pinfo, pinfo->psem_mode, p->p_ucred, p))
goto bad;
@@ -686,6 +686,11 @@
!= PSEM_ALLOCATED) {
return(EINVAL);
}
+#ifdef MAC
+ error = mac_check_posix_sem_wait(p->p_ucred, pinfo);
+ if (error)
+ return (error);
+#endif
kret = semaphore_wait(pinfo->psem_semobject);
switch (kret) {
@@ -733,6 +738,11 @@
!= PSEM_ALLOCATED) {
return(EINVAL);
}
+#ifdef MAC
+ error = mac_check_posix_sem_wait(p->p_ucred, pinfo);
+ if (error)
+ return (error);
+#endif
wait_time.tv_sec = 0;
wait_time.tv_nsec = 0;
@@ -783,6 +793,11 @@
!= PSEM_ALLOCATED) {
return(EINVAL);
}
+#ifdef MAC
+ error = mac_check_posix_sem_post(p->p_ucred, pinfo);
+ if (error)
+ return (error);
+#endif
kret = semaphore_signal(pinfo->psem_semobject);
switch (kret) {
@@ -890,6 +905,10 @@
kret = semaphore_destroy(kernel_task, pinfo->psem_semobject);
+#ifdef MAC
+ mac_destroy_posix_sem(pinfo);
+#endif
+
switch (kret) {
case KERN_INVALID_ADDRESS:
case KERN_PROTECTION_FAILURE:
==== //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/kern/posix_shm.c#2 (text+ko) ====
@@ -60,36 +60,8 @@
#include <mach/vm_inherit.h>
#include <mach/kern_return.h>
#include <mach/memory_object_control.h>
-
-
-#define PSHMNAMLEN 31 /* maximum name segment length we bother with */
-
-struct pshminfo {
- unsigned int pshm_flags;
- unsigned int pshm_usecount;
- off_t pshm_length;
- mode_t pshm_mode;
- uid_t pshm_uid;
- gid_t pshm_gid;
- char pshm_name[PSHMNAMLEN + 1]; /* segment name */
- void * pshm_memobject;
-#if DIAGNOSTIC
- unsigned int pshm_readcount;
- unsigned int pshm_writecount;
- struct proc * pshm_proc;
-#endif /* DIAGNOSTIC */
-};
-#define PSHMINFO_NULL (struct pshminfo *)0
+#include <sys/posix_shm.h>
-#define PSHM_NONE 1
-#define PSHM_DEFINED 2
-#define PSHM_ALLOCATED 4
-#define PSHM_MAPPED 8
-#define PSHM_INUSE 0x10
-#define PSHM_REMOVED 0x20
-#define PSHM_INCREATE 0x40
-#define PSHM_INDELETE 0x80
-
struct pshmcache {
LIST_ENTRY(pshmcache) pshm_hash; /* hash chain */
struct pshminfo *pshminfo; /* vnode the name refers to */
@@ -417,12 +389,25 @@
pinfo->pshm_mode = cmode;
pinfo->pshm_uid = p->p_ucred->cr_uid;
pinfo->pshm_gid = p->p_ucred->cr_gid;
+#ifdef MAC
+ mac_init_posix_shm(pinfo);
+
+ error = mac_check_posix_shm_create(p->p_ucred, nameptr);
+ if (error)
+ goto bad2;
+
+ mac_create_posix_shm(p->p_ucred, pinfo, nameptr);
+#endif
} else {
/* already exists */
if( pinfo->pshm_flags & PSHM_INDELETE) {
error = ENOENT;
goto bad1;
}
+#ifdef MAC
+ if (error = mac_check_posix_shm_open(p->p_ucred, pinfo))
+ goto bad1;
+#endif
if (error = pshm_access(pinfo, fmode, p->p_ucred, p))
goto bad1;
}
@@ -436,6 +421,10 @@
error = ENOENT;
goto bad1;
}
+#ifdef MAC
+ if (error = mac_check_posix_shm_open(p->p_ucred, pinfo))
+ goto bad1;
+#endif
if (error = pshm_access(pinfo, fmode, p->p_ucred, p))
goto bad1;
}
@@ -472,8 +461,12 @@
_FREE(pnode, M_SHM);
bad2:
- if (pinfo_alloc)
+ if (pinfo_alloc) {
+#ifdef MAC
+ mac_destroy_posix_shm(pinfo);
+#endif
_FREE(pinfo, M_SHM);
+ }
bad1:
fdrelse(p, indx);
ffree(nfp);
@@ -515,6 +508,13 @@
}
size = round_page_64(length);
+
+#ifdef MAC
+ int error = mac_check_posix_shm_truncate(p->p_ucred, pinfo, size);
+ if (error)
+ return(error);
+#endif
+
kret = vm_allocate(current_map(), &user_addr, size, TRUE);
if (kret != KERN_SUCCESS)
goto out;
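Review bot: `int error` is declared in the middle of the block inside `#ifdef MAC` here, and again in the pshm_stat and pshm_mmap hunks. The sys_socket.c hunks in this same change instead declare `error` at the top of the function under their own `#ifdef MAC`. A declaration after statements is rejected or warned about under C89 rules, so hoisting it keeps the file building whatever the kernel's compiler flags are; those flags are not visible here. The policy is also consulted with the page-rounded `size` rather than the caller's `length`, and a one-line comment such as `/* policy sees the rounded size actually allocated */` would record that this is intended. The function body continues outside the hunk.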
@@ -547,15 +547,22 @@
}
int
-pshm_stat(pnode, sb)
+pshm_stat(pnode, sb, p)
struct pshmnode *pnode;
struct stat *sb;
+struct proc *p;
{
struct pshminfo *pinfo;
if ((pinfo = pnode->pinfo) == PSHMINFO_NULL)
return(EINVAL);
+#ifdef MAC
+ int error = mac_check_posix_shm_stat(p->p_ucred, pinfo);
+ if (error)
+ return(error);
+#endif
+
bzero(sb, sizeof(struct stat));
sb->st_mode = pinfo->pshm_mode;
sb->st_uid = pinfo->pshm_uid;
@@ -663,7 +670,12 @@
return(EINVAL);
}
-
+#ifdef MAC
+ int error = mac_check_posix_shm_mmap(p->p_ucred, pinfo, prot, flags);
+ if (error)
+ return(error);
+#endif
+
user_map = current_map();
if ((flags & MAP_FIXED) == 0) {
@@ -794,6 +806,12 @@
return (EINVAL);
}
+#ifdef MAC
+ error = mac_check_posix_shm_unlink(p->p_ucred, pinfo, nameptr);
+ if (error)
+ goto bad;
+#endif
+
if (pinfo->pshm_flags & PSHM_INDELETE) {
error = 0;
goto bad;
@@ -849,6 +867,9 @@
pinfo->pshm_usecount--;
if ((pinfo->pshm_flags & PSHM_REMOVED) && !pinfo->pshm_usecount) {
+#ifdef MAC
+ mac_destroy_posix_shm(pinfo);
+#endif
_FREE(pinfo,M_SHM);
}
_FREE(pnode, M_SHM);
==== //depot/projects/trustedbsd/sedarwin7/src/darwin/xnu/bsd/kern/sys_socket.c#2 (text+ko) ====
@@ -104,6 +104,9 @@
struct mbuf **controlp, int *flagsp));
+#ifdef MAC
+ int error;
+#endif
thread_funnel_switch(KERNEL_FUNNEL, NETWORK_FUNNEL);
if ((so = (struct socket *)fp->f_data) == NULL) {
@@ -112,6 +115,13 @@
return (EBADF);
}
+#ifdef MAC
+ error = mac_check_socket_receive(p->p_ucred, so);
+ if (error) {
+ thread_funnel_switch(NETWORK_FUNNEL, KERNEL_FUNNEL);
+ return (error);
+ }
+#endif
fsoreceive = so->so_proto->pr_usrreqs->pru_soreceive;
if (fsoreceive != soreceive)
{ kp = sotokextcb(so);
@@ -144,6 +154,9 @@
struct mbuf *control, int flags));
struct kextcb *kp;
int stat;
+#ifdef MAC
+ int error;
+#endif
thread_funnel_switch(KERNEL_FUNNEL, NETWORK_FUNNEL);
@@ -153,6 +166,13 @@
return (EBADF);
}
+#ifdef MAC
+ error = mac_check_socket_send(p->p_ucred, so);
+ if (error) {
+ thread_funnel_switch(NETWORK_FUNNEL, KERNEL_FUNNEL);
+ return (error);
+ }
+#endif
fsosend = so->so_proto->pr_usrreqs->pru_sosend;
if (fsosend != sosend)
{ kp = sotokextcb(so);
@@ -398,12 +418,25 @@
register struct stat *ub;
{
int stat;
+#ifdef MAC
+ struct proc *p;
+#endif
/*
* DANGER: by the time we get the network funnel the socket
* may have been closed
*/
+#ifdef MAC
+ p = current_proc();
+#endif
thread_funnel_switch(KERNEL_FUNNEL, NETWORK_FUNNEL);
+#ifdef MAC
+ stat = mac_check_socket_stat(p->p_ucred, so);
>>> TRUNCATED FOR MAIL (1000 lines) <<<