PERFORCE change 113297 for review

Todd Miller millert at FreeBSD.org
Sun Jan 21 22:48:46 UTC 2007


http://perforce.freebsd.org/chv.cgi?CH=113297

Change 113297 by millert at millert_macbook on 2007/01/21 22:47:40

	Move to a single label struct for sedarwin.  The old struct
	names are still supported via macros for now, as they aid
	readability.  They may be removed in the future if
	variable names improve.

Affected files ...

.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#54 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd_labels.h#5 edit

Differences ...

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd.c#54 (text+ko) ====

@@ -97,10 +97,7 @@
 
 int	sebsd_verbose = 0;
 
-static zone_t task_security_zone;
-static zone_t network_security_zone;
-static zone_t vnode_security_zone;
-static zone_t ipc_security_zone;
+static zone_t sebsd_label_zone;
 
 static int sebsd_slot;		/* set by framework */
 #define	SLOT(l)	((void *)LABEL_TO_SLOT((l), sebsd_slot).l_ptr)
@@ -216,25 +213,9 @@
 sebsd_zone_init(void)
 {
 
-	/* We use task_security_struct for creds and ports too. */
-	task_security_zone = mac_zinit(sizeof(struct task_security_struct),
-	    2048 * sizeof(struct task_security_struct), 0,
-	    "task_security_struct");
-
-	/* Want to use maxsockets here. */
-	network_security_zone = mac_zinit(sizeof(struct network_security_struct),
-	    512 * sizeof(struct network_security_struct), 0,
-	    "network_security_struct");
-
-	/* Want to use desiredvnodes here. */
-	vnode_security_zone = mac_zinit(sizeof(struct vnode_security_struct),
-	    8192 * sizeof(struct vnode_security_struct), 0,
-	    "vnode_security_struct");
-
-	/* Want to use maxsockets here. */
-	ipc_security_zone = mac_zinit(sizeof(struct ipc_security_struct),
-	    512 * sizeof(struct ipc_security_struct), 0,
-	    "ipc_security_struct");
+	sebsd_label_zone = mac_zinit(sizeof(struct sebsd_label),
+	    8192 * sizeof(struct sebsd_label), 0,
+	    "sebsd_label");
 }
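Review bot: The single zone is created with a ceiling of `8192 * sizeof(struct sebsd_label)`, whereas the four zones it replaces together allowed 2048 + 512 + 8192 + 512 objects; if the second argument to mac_zinit is a hard cap rather than a sizing hint, creds, ports, sockets, mbufs and IPC objects now compete with vnodes for the same 8192 slots and allocation can fail or block where it previously did not. The "Want to use desiredvnodes / maxsockets here" comments disappeared with the old calls, so the intent that the zone size should track those tunables is lost. Keeping it as `/* XXX size should follow desiredvnodes + maxsockets rather than a fixed 8192 */` above the call would preserve it.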
 
 static void
@@ -478,6 +459,7 @@
 	}
 
 	/* Update security class if not set or vnode was recycled. */
+	/* XXX - why is this needed?  When things get recycled the class should be zeroed */
 	if (file->sclass == 0 || vp->v_type == VBAD)
 		file->sclass = vnode_type_to_security_class(vp->v_type);
 
@@ -545,81 +527,40 @@
 }
 
 static void
-sebsd_cred_label_init(struct label *label)
+sebsd_label_init(struct label *label)
 {
-	struct task_security_struct *new_tsec;
+	struct sebsd_label *new;
 
-	new_tsec = mac_zalloc(task_security_zone, M_WAITOK);
-	new_tsec->osid = new_tsec->sid = SECINITSID_UNLABELED;
-	SLOT(label) = new_tsec;
+	new = mac_zalloc(sebsd_label_zone, M_WAITOK);
+	new->sid = new->task_sid = SECINITSID_UNLABELED;
+	new->sclass = 0;
+	SLOT(label) = new;
 }
 
-static void
-sebsd_cred_label_destroy(struct label *label)
-{
-
-	mac_zfree(task_security_zone, SLOT(label));
-	SLOT(label) = NULL;
-}
-
-static void
-sebsd_file_label_init(struct label *label)
-{
-	struct file_security_struct *fsec;
-
-	fsec = sebsd_malloc(sizeof(*fsec), M_SEBSD, M_ZERO | M_WAITOK);
-	fsec->sid = SECINITSID_UNLABELED;
-	SLOT(label) = fsec;
-}
-
-static void
-sebsd_mount_label_init(struct label *label)
-{
-	struct mount_security_struct *sbsec;
-
-	sbsec = sebsd_malloc(sizeof(*sbsec), M_SEBSD, M_ZERO | M_WAITOK);
-	sbsec->sid = SECINITSID_UNLABELED;
-	SLOT(label) = sbsec;
-}
-
 static int
-sebsd_init_network_label_waitcheck(struct label *label, int flag)
+sebsd_label_init2(struct label *label, int flag)
 {
-	struct network_security_struct *new;
+	struct sebsd_label *new;
 
-	new = mac_zalloc(network_security_zone, flag);
-	if (new == NULL) {
-		SLOT(label) = NULL;
-		return (ENOMEM);
+	new = mac_zalloc(sebsd_label_zone, flag);
+	if (new != NULL) {
+		new->sid = new->task_sid = SECINITSID_UNLABELED;
+		new->sclass = 0;
 	}
-
-	new->sid = new->task_sid = SECINITSID_UNLABELED;
 	SLOT(label) = new;
 
-	return (0);
+	return (new ? 0 : ENOMEM);
 }
 
 static void
-sebsd_destroy_network_label(struct label *label)
+sebsd_label_destroy(struct label *label)
 {
 
-	mac_zfree(network_security_zone, SLOT(label));
+	mac_zfree(sebsd_label_zone, SLOT(label));
 	SLOT(label) = NULL;
 }
 
 static void
-sebsd_vnode_label_init(struct label *label)
-{
-	struct vnode_security_struct *vsec;
-
-	vsec = mac_zalloc(vnode_security_zone, M_WAITOK);
-	vsec->sid = SECINITSID_UNLABELED;
-	vsec->task_sid = SECINITSID_UNLABELED;
-	vsec->sclass = 0;
-	SLOT(label) = vsec;
-}
-
-static void
 sebsd_vnode_label_recycle(struct label *label)
 {
 	struct vnode_security_struct *vsec;
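Review bot: sebsd_label_init and sebsd_label_init2 set sid, task_sid and sclass but never initialize the new `behavior` member, and mac_zalloc — unlike the `M_ZERO` sebsd_malloc calls removed for file and mount labels — is not shown to zero the object, so a mount label carries stale zone memory in `behavior` until sebsd_mount_label_associate stores into it. Adding `new->behavior = 0;` after `new->sclass = 0;` in both functions (or zeroing the whole object once) restores the old guarantee. The name `sebsd_label_init2` also says nothing about how it differs from sebsd_label_init — it honours a caller-supplied wait flag and can fail with ENOMEM — so something like `sebsd_label_init_flags` would read better in the ops table. sebsd_vnode_label_recycle continues past the end of the hunk.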
@@ -631,41 +572,6 @@
 }
 
 static void
-sebsd_vnode_label_destroy(struct label *label)
-{
-
-	mac_zfree(vnode_security_zone, SLOT(label));
-	SLOT(label) = NULL;
-}
-
-static void
-sebsd_ipc_label_init(struct label *label)
-{
-	struct ipc_security_struct *new;
-
-	new = mac_zalloc(ipc_security_zone, M_WAITOK);
-	new->sid = SECINITSID_UNLABELED;
-	new->sclass = 0;
-	SLOT(label) = new;
-}
-
-static void
-sebsd_ipc_label_destroy(struct label *label)
-{
-
-	mac_zfree(ipc_security_zone, SLOT(label));
-	SLOT(label) = NULL;
-}
-
-static void
-sebsd_label_destroy(struct label *label)
-{
-
-	sebsd_free(SLOT(label), M_SEBSD);
-	SLOT(label) = NULL;
-}
-
-static void
 sebsd_cred_label_update(struct ucred *cred, struct label *newlabel)
 {
 	/*
@@ -948,7 +854,7 @@
 
 
 static void
-sebsd_cred_create(struct ucred *cred_parent, struct ucred *cred_child)
+sebsd_cred_label_associate(struct ucred *cred_parent, struct ucred *cred_child)
 {
 	int rc;
 	struct task_security_struct *parent, *task;
@@ -1210,7 +1116,7 @@
 }
 
 static void
-sebsd_create_kernel_proc(struct ucred *cred)
+sebsd_cred_label_associate_kproc(struct ucred *cred)
 {
 	struct task_security_struct *task;
 
@@ -1231,75 +1137,40 @@
     struct label *mntlabel)
 {
 	struct mount_security_struct *sbsec;
-	int behavior, rc;
+	unsigned int behavior;
+	int error;
 
 	/*
 	 * Update the mount label based on the policy.
 	 */
 	sbsec = SLOT(mntlabel);
-	rc = security_fs_use(mp->mnt_vfsstat.f_fstypename, &behavior, &sbsec->sid);
-	if (rc) {
+	error = security_fs_use(mp->mnt_vfsstat.f_fstypename, &behavior,
+	    &sbsec->sid);
+	if (error) {
 		sebsd_log("%s: security_fs_use(%s) returned %d",
-		    __func__, mp->mnt_vfsstat.f_fstypename, rc);
+		    __func__, mp->mnt_vfsstat.f_fstypename, error);
 		behavior = SECURITY_FS_USE_NONE;
 	} else if (sebsd_verbose > 1) {
-		sebsd_log("%s: security_fs_use(%s) behavior %d, sid %d",
+		sebsd_log("%s: security_fs_use(%s) behavior %u, sid %d",
 		    __func__, mp->mnt_vfsstat.f_fstypename, behavior,
 		    sbsec->sid);
 	}
 
 	switch (behavior) {
 	case SECURITY_FS_USE_XATTR:
-		/*
-		 * PSIDs only work for persistent file systems with unique
-		 * and persistent inode numbers.
-		 */
-		sbsec->uses_psids = 1;
-
-		/*
-		 * TBD: need to correctly label mountpoint with persistent
-		 * label at this point (currently vnode is unavailable)
-		 */
-
-		break;
 	case SECURITY_FS_USE_TRANS:
-		/*
-		 * Transition SIDs are used for pseudo filesystems like
-		 * devpts and tmpfs where you want the SID to be derived
-		 * from the SID of the creating process and the SID of the
-		 * filesystem.
-		 */
-		sbsec->uses_trans = 1;
-		break;
 	case SECURITY_FS_USE_TASK:
-		/*
-		 * Task SIDs are used for pseudo filesystems like pipefs and
-		 * sockfs where you want the objects to be labeled with the
-		 * SID of the creating process.
-		 */
-		sbsec->uses_task = 1;
-		break;
 	case SECURITY_FS_USE_GENFS:
-		/*
-		 * genfs_contexts handles everything else, like devfs,
-		 * usbdevfs, driverfs, and portions of proc.
-		 */
-		sbsec->uses_genfs = 1;
-		break;
 	case SECURITY_FS_USE_NONE:
-		/*
-		 * No labeling support configured for this filesystem type.
-		 * Don't appear to require labeling for binfmt_misc, bdev,
-		 * or rootfs.
-		 */
 		break;
 	default:
 		sebsd_log("%s:  security_fs_use(%s) returned unrecognized "
-		    "behavior %d", __func__, mp->mnt_vfsstat.f_fstypename,
+		    "behavior %u", __func__, mp->mnt_vfsstat.f_fstypename,
 		    behavior);
 		behavior = SECURITY_FS_USE_NONE;
 		break;
 	}
+	sbsec->behavior = behavior;	/* note: behavior 16 bits in sbsec */
 }
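Review bot: `sbsec->behavior = behavior;` narrows an unsigned int into the 16-bit `behavior` member; the switch has already forced any unrecognized value to SECURITY_FS_USE_NONE, so the store is only safe as long as every recognized SECURITY_FS_USE_* constant fits in 16 bits, and the trailing comment should say that rather than just "behavior 16 bits in sbsec". Changing `behavior` from int to unsigned int compiles cleanly only if security_fs_use's second parameter is `unsigned int *`; its prototype is not part of this change. The removed per-mode flags (uses_psids, uses_trans, uses_task, uses_genfs) mean every reader of those fields elsewhere must now compare `sbsec->behavior`, and this hunk shows only the writer side. The enclosing mount_label_associate function begins outside the hunk.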
 
 static void
@@ -1898,35 +1769,21 @@
 }
 
 static int
-sebsd_internalize_sid(u_int32_t *sidp, char *element_name,
+sebsd_label_internalize(struct label *label, char *element_name,
     char *element_data)
 {
-	char context[128];  /* TBD: contexts aren't fixed size */
-	size_t context_len;
+	struct sebsd_label *lsec;
+	u_int32_t context_len;
+
+	if (strcmp("sebsd", element_name) != 0)
+		return (EINVAL);
 
+	lsec = SLOT(label);
 	context_len = strlen(element_data) + 1;
-	if (context_len >= sizeof(context))
-		return (ENAMETOOLONG);
-	strcpy(context, element_data);
 
-	return (security_context_to_sid(context, context_len, sidp));
-}
-
-#define SEBSD_INTERNALIZE_LABEL(n1,n2)					\
-static int sebsd_##n1##_label_internalize(struct label *label,		\
-    char *element_name,	char *element_data)				\
-{									\
-	struct n2##_security_struct *lsec;				\
-	lsec = SLOT(label);						\
-	return (sebsd_internalize_sid(&lsec->sid, element_name,		\
-	    element_data));						\
+	return (security_context_to_sid(element_data, context_len, &lsec->sid));
 }
 
-SEBSD_INTERNALIZE_LABEL(cred,task)
-SEBSD_INTERNALIZE_LABEL(network,network)
-SEBSD_INTERNALIZE_LABEL(vnode,vnode)
-SEBSD_INTERNALIZE_LABEL(mount,mount)
-
 static void
 sebsd_pipe_label_update(struct ucred *cred, struct pipe *pipe,
     struct label *pipelabel, struct label *newlabel)
@@ -3000,21 +2857,22 @@
 	return (error);
 }
 
-#define	SEBSD_EXTERNALIZE_LABEL(n1,n2)					\
-static int sebsd_##n1##_label_externalize(struct label *label,		\
-    char *element_name,	struct sbuf *sb)				\
-{									\
-	struct n2##_security_struct *lsec;				\
-									\
-	if (strcmp("sebsd", element_name) != 0)				\
-		return (ENOENT);					\
-									\
-	lsec = SLOT(label);						\
-	return (sebsd_externalize_sid(lsec->sid, element_name, sb));	\
+static int
+sebsd_label_externalize(struct label *label, char *element_name,
+    struct sbuf *sb)
+{
+	struct sebsd_label *lsec;
+
+	if (strcmp("sebsd", element_name) != 0)
+		return (ENOENT);
+
+	lsec = SLOT(label);
+	return (sebsd_externalize_sid(lsec->sid, element_name, sb));
 }
 
-static int sebsd_cred_label_externalize(struct label *label,
-    char *element_name,	struct sbuf *sb)
+static int
+sebsd_cred_label_externalize(struct label *label, char *element_name,
+    struct sbuf *sb)
 {
 	struct task_security_struct *tsec;
 	u_int32_t sid;
@@ -3029,10 +2887,6 @@
 	return (sebsd_externalize_sid(sid, element_name, sb));
 }
 
-SEBSD_EXTERNALIZE_LABEL(network,network)
-SEBSD_EXTERNALIZE_LABEL(vnode,vnode)
-SEBSD_EXTERNALIZE_LABEL(mount,mount)
-
 static void
 sebsd_vnode_label_copy(struct label *src, struct label *dest)
 {
@@ -3513,21 +3367,21 @@
 static struct mac_policy_ops sebsd_ops = {
 	.mpo_cred_check_label_update =sebsd_cred_check_label_update,
 	.mpo_cred_check_label_update_execve = sebsd_cred_check_label_update_execve,
-	.mpo_cred_label_associate = sebsd_cred_create,
-	.mpo_cred_label_associate_kernel = sebsd_create_kernel_proc,
-	.mpo_cred_label_associate_user = sebsd_create_kernel_proc,
-	.mpo_cred_label_destroy = sebsd_cred_label_destroy,
+	.mpo_cred_label_associate = sebsd_cred_label_associate,
+	.mpo_cred_label_associate_kernel = sebsd_cred_label_associate_kproc,
+	.mpo_cred_label_associate_user = sebsd_cred_label_associate_kproc,
+	.mpo_cred_label_destroy = sebsd_label_destroy,
 	.mpo_cred_label_externalize = sebsd_cred_label_externalize,
 	.mpo_cred_label_externalize_audit = sebsd_cred_label_externalize,
-	.mpo_cred_label_init = sebsd_cred_label_init,
-	.mpo_cred_label_internalize = sebsd_cred_label_internalize,
+	.mpo_cred_label_init = sebsd_label_init,
+	.mpo_cred_label_internalize = sebsd_label_internalize,
 	.mpo_cred_label_update = sebsd_cred_label_update,
 	.mpo_cred_label_update_execve = sebsd_cred_label_update_execve,
 	.mpo_devfs_label_associate_device = sebsd_devfs_label_associate_device,
 	.mpo_devfs_label_associate_directory = sebsd_devfs_label_associate_directory,
 	.mpo_devfs_label_copy = sebsd_vnode_label_copy,
-	.mpo_devfs_label_destroy = sebsd_vnode_label_destroy,
-	.mpo_devfs_label_init = sebsd_vnode_label_init,
+	.mpo_devfs_label_destroy = sebsd_label_destroy,
+	.mpo_devfs_label_init = sebsd_label_init,
 	.mpo_devfs_label_update = sebsd_devfs_update,
 	.mpo_file_check_change_offset = sebsd_file_check_change_offset,
 	.mpo_file_check_dup = sebsd_file_check_dup,
@@ -3540,11 +3394,11 @@
 	.mpo_file_check_receive = sebsd_file_check_receive,
 	.mpo_file_label_associate = sebsd_file_label_associate,
 	.mpo_file_label_destroy = sebsd_label_destroy,
-	.mpo_file_label_init = sebsd_file_label_init,
+	.mpo_file_label_init = sebsd_label_init,
 	.mpo_mbuf_label_associate_socket = sebsd_mbuf_label_associate_socket,
 	.mpo_mbuf_label_copy = copy_network_label,
-	.mpo_mbuf_label_destroy = sebsd_destroy_network_label,
-	.mpo_mbuf_label_init = sebsd_init_network_label_waitcheck,
+	.mpo_mbuf_label_destroy = sebsd_label_destroy,
+	.mpo_mbuf_label_init = sebsd_label_init2,
 	.mpo_mount_check_getattr = sebsd_mount_check_getattr,
 	.mpo_mount_check_label_update = sebsd_mount_check_label_update,
 	.mpo_mount_check_mount = sebsd_mount_check_mount,
@@ -3556,9 +3410,9 @@
 	.mpo_mount_check_umount = sebsd_mount_check_umount,
 	.mpo_mount_label_associate = sebsd_mount_label_associate,
 	.mpo_mount_label_destroy = sebsd_label_destroy,
-	.mpo_mount_label_externalize = sebsd_mount_label_externalize,
-	.mpo_mount_label_init = sebsd_mount_label_init,
-	.mpo_mount_label_internalize = sebsd_mount_label_internalize,
+	.mpo_mount_label_externalize = sebsd_label_externalize,
+	.mpo_mount_label_init = sebsd_label_init,
+	.mpo_mount_label_internalize = sebsd_label_internalize,
 	.mpo_pipe_check_ioctl = sebsd_pipe_check_ioctl,
 	.mpo_pipe_check_label_update = sebsd_pipe_check_label_update,
 	.mpo_pipe_check_read = sebsd_pipe_check_read,
@@ -3566,10 +3420,10 @@
 	.mpo_pipe_check_write = sebsd_pipe_check_write,
 	.mpo_pipe_label_associate = sebsd_pipe_label_associate,
 	.mpo_pipe_label_copy = sebsd_vnode_label_copy,
-	.mpo_pipe_label_destroy = sebsd_vnode_label_destroy,
-	.mpo_pipe_label_externalize = sebsd_vnode_label_externalize,
-	.mpo_pipe_label_init = sebsd_vnode_label_init,
-	.mpo_pipe_label_internalize = sebsd_vnode_label_internalize,
+	.mpo_pipe_label_destroy = sebsd_label_destroy,
+	.mpo_pipe_label_externalize = sebsd_label_externalize,
+	.mpo_pipe_label_init = sebsd_label_init,
+	.mpo_pipe_label_internalize = sebsd_label_internalize,
 	.mpo_pipe_label_update = sebsd_pipe_label_update,
 	.mpo_policy_destroy = sebsd_policy_destroy,
 	.mpo_policy_init = sebsd_policy_init,
@@ -3593,8 +3447,8 @@
 	.mpo_port_label_associate_kernel = sebsd_port_label_associate_kernel,
 	.mpo_port_label_compute = sebsd_request_label,
 	.mpo_port_label_copy = sebsd_task_label_copy,
-	.mpo_port_label_destroy = sebsd_cred_label_destroy,
-	.mpo_port_label_init = sebsd_cred_label_init,
+	.mpo_port_label_destroy = sebsd_label_destroy,
+	.mpo_port_label_init = sebsd_label_init,
 	.mpo_port_label_update_cred = sebsd_port_label_update_cred,
 	.mpo_posixsem_check_create = sebsd_posixsem_check_create,
 	.mpo_posixsem_check_open = sebsd_posixsem_check_open,
@@ -3602,8 +3456,8 @@
 	.mpo_posixsem_check_unlink = sebsd_posixsem_check_unlink,
 	.mpo_posixsem_check_wait = sebsd_posixsem_check_wait,
 	.mpo_posixsem_label_associate = sebsd_posixsem_label_associate,
-	.mpo_posixsem_label_destroy = sebsd_ipc_label_destroy,
-	.mpo_posixsem_label_init = sebsd_ipc_label_init,
+	.mpo_posixsem_label_destroy = sebsd_label_destroy,
+	.mpo_posixsem_label_init = sebsd_label_init,
 	.mpo_posixshm_check_create = sebsd_posixshm_check_create,
 	.mpo_posixshm_check_mmap = sebsd_posixshm_check_mmap,
 	.mpo_posixshm_check_open = sebsd_posixshm_check_open,
@@ -3611,8 +3465,8 @@
 	.mpo_posixshm_check_truncate = sebsd_posixshm_check_truncate,
 	.mpo_posixshm_check_unlink = sebsd_posixshm_check_unlink,
 	.mpo_posixshm_label_associate = sebsd_posixshm_label_associate,
-	.mpo_posixshm_label_destroy = sebsd_ipc_label_destroy,
-	.mpo_posixshm_label_init = sebsd_ipc_label_init,
+	.mpo_posixshm_label_destroy = sebsd_label_destroy,
+	.mpo_posixshm_label_init = sebsd_label_init,
 	.mpo_proc_check_debug = sebsd_proc_check_debug,
 	.mpo_proc_check_getaudit = sebsd_proc_check_getaudit,
 	.mpo_proc_check_mprotect = sebsd_proc_check_mprotect,
@@ -3633,16 +3487,16 @@
 	.mpo_socket_label_associate = sebsd_socket_label_associate,
 	.mpo_socket_label_associate_accept = sebsd_socket_label_associate_accept,
 	.mpo_socket_label_copy = copy_network_label,
-	.mpo_socket_label_destroy = sebsd_destroy_network_label,
-	.mpo_socket_label_externalize = sebsd_network_label_externalize,
-	.mpo_socket_label_init = sebsd_init_network_label_waitcheck,
-	.mpo_socket_label_internalize = sebsd_network_label_internalize,
+	.mpo_socket_label_destroy = sebsd_label_destroy,
+	.mpo_socket_label_externalize = sebsd_label_externalize,
+	.mpo_socket_label_init = sebsd_label_init2,
+	.mpo_socket_label_internalize = sebsd_label_internalize,
 	.mpo_socket_label_update = sebsd_socket_label_update,
 	.mpo_socketpeer_label_associate_mbuf = sebsd_socketpeer_label_associate_mbuf,
 	.mpo_socketpeer_label_associate_socket = sebsd_socketpeer_label_associate_socket,
-	.mpo_socketpeer_label_destroy = sebsd_destroy_network_label,
-	.mpo_socketpeer_label_externalize = sebsd_network_label_externalize,
-	.mpo_socketpeer_label_init = sebsd_init_network_label_waitcheck,
+	.mpo_socketpeer_label_destroy = sebsd_label_destroy,
+	.mpo_socketpeer_label_externalize = sebsd_label_externalize,
+	.mpo_socketpeer_label_init = sebsd_label_init2,
 	.mpo_system_check_acct = sebsd_system_check_acct,
 	.mpo_system_check_audit = sebsd_system_check_audit,
 	.mpo_system_check_auditctl = sebsd_system_check_auditctl,
@@ -3653,8 +3507,8 @@
 	.mpo_system_check_swapoff = sebsd_system_check_swapon,
 	.mpo_system_check_swapon = sebsd_system_check_swapon,
 	.mpo_sysvmsg_label_associate = sebsd_sysvmsg_label_associate,
-	.mpo_sysvmsg_label_destroy = sebsd_ipc_label_destroy,
-	.mpo_sysvmsg_label_init = sebsd_ipc_label_init,
+	.mpo_sysvmsg_label_destroy = sebsd_label_destroy,
+	.mpo_sysvmsg_label_init = sebsd_label_init,
 	.mpo_sysvmsg_label_recycle = sebsd_sysv_label_recycle,
 	.mpo_sysvmsq_check_enqueue = sebsd_sysvmsq_check_enqueue,
 	.mpo_sysvmsq_check_msgrcv = sebsd_sysvmsq_check_msgrcv,
@@ -3663,31 +3517,31 @@
 	.mpo_sysvmsq_check_msqrcv = sebsd_sysvmsq_check_msqrcv,
 	.mpo_sysvmsq_check_msqsnd = sebsd_sysvmsq_check_msqsnd,
 	.mpo_sysvmsq_label_associate = sebsd_sysvmsq_label_associate,
-	.mpo_sysvmsq_label_destroy = sebsd_ipc_label_destroy,
-	.mpo_sysvmsq_label_init = sebsd_ipc_label_init,
+	.mpo_sysvmsq_label_destroy = sebsd_label_destroy,
+	.mpo_sysvmsq_label_init = sebsd_label_init,
 	.mpo_sysvmsq_label_recycle = sebsd_sysv_label_recycle,
 	.mpo_sysvsem_check_semctl = sebsd_sysvsem_check_semctl,
 	.mpo_sysvsem_check_semget = sebsd_sysvsem_check_semget,
 	.mpo_sysvsem_check_semop = sebsd_sysvsem_check_semop,
 	.mpo_sysvsem_label_associate = sebsd_sysvsem_label_associate,
-	.mpo_sysvsem_label_destroy = sebsd_ipc_label_destroy,
-	.mpo_sysvsem_label_init = sebsd_ipc_label_init,
+	.mpo_sysvsem_label_destroy = sebsd_label_destroy,
+	.mpo_sysvsem_label_init = sebsd_label_init,
 	.mpo_sysvsem_label_recycle = sebsd_sysv_label_recycle,
 	.mpo_sysvshm_check_shmat = sebsd_sysvshm_check_shmat,
 	.mpo_sysvshm_check_shmctl = sebsd_sysvshm_check_shmctl,
 	.mpo_sysvshm_check_shmget = sebsd_sysvshm_check_shmget,
 	.mpo_sysvshm_label_associate = sebsd_sysvshm_label_associate,
-	.mpo_sysvshm_label_destroy = sebsd_ipc_label_destroy,
-	.mpo_sysvshm_label_init = sebsd_ipc_label_init,
+	.mpo_sysvshm_label_destroy = sebsd_label_destroy,
+	.mpo_sysvshm_label_init = sebsd_label_init,
 	.mpo_sysvshm_label_recycle = sebsd_sysv_label_recycle,
 	.mpo_task_check_get_port = sebsd_task_check_get_port,
 	.mpo_task_label_associate = sebsd_task_create,
 	.mpo_task_label_associate_kernel = sebsd_task_create_kernel,
 	.mpo_task_label_copy = sebsd_task_label_copy,
-	.mpo_task_label_destroy = sebsd_cred_label_destroy,
-	.mpo_task_label_externalize = sebsd_cred_label_externalize,
-	.mpo_task_label_init = sebsd_cred_label_init,
-	.mpo_task_label_internalize = sebsd_cred_label_internalize,
+	.mpo_task_label_destroy = sebsd_label_destroy,
+	.mpo_task_label_externalize = sebsd_label_externalize,
+	.mpo_task_label_init = sebsd_label_init,
+	.mpo_task_label_internalize = sebsd_label_internalize,
 	.mpo_task_label_update = sebsd_task_label_update,
 	.mpo_thread_userret = sebsd_thread_userret,
 	.mpo_vnode_check_access = sebsd_vnode_check_access,
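Review bot: `.mpo_task_label_externalize` now points at the generic sebsd_label_externalize while `.mpo_cred_label_externalize` keeps the cred-specific sebsd_cred_label_externalize; the cred variant computes a local `sid` before calling sebsd_externalize_sid (its body lies outside the hunks shown), so if it selects something other than `lsec->sid`, the externalized form of task labels silently changes with this commit. Either keep task labels on sebsd_cred_label_externalize or add a comment at the task entry explaining why tasks and creds externalize differently, e.g. `/* task labels externalize lsec->sid directly; creds need sebsd_cred_label_externalize */`, once that is confirmed.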
@@ -3728,11 +3582,11 @@
 	.mpo_vnode_label_associate_singlelabel = sebsd_vnode_label_associate_singlelabel,
 	.mpo_vnode_label_associate_socket = sebsd_vnode_label_associate_socket,
 	.mpo_vnode_label_copy = sebsd_vnode_label_copy,
-	.mpo_vnode_label_destroy = sebsd_vnode_label_destroy,
-	.mpo_vnode_label_externalize = sebsd_vnode_label_externalize,
-	.mpo_vnode_label_externalize_audit = sebsd_vnode_label_externalize,
-	.mpo_vnode_label_init = sebsd_vnode_label_init,
-	.mpo_vnode_label_internalize = sebsd_vnode_label_internalize,
+	.mpo_vnode_label_destroy = sebsd_label_destroy,
+	.mpo_vnode_label_externalize = sebsd_label_externalize,
+	.mpo_vnode_label_externalize_audit = sebsd_label_externalize,
+	.mpo_vnode_label_init = sebsd_label_init,
+	.mpo_vnode_label_internalize = sebsd_label_internalize,
 	.mpo_vnode_label_recycle = sebsd_vnode_label_recycle,
 	.mpo_vnode_label_store = sebsd_vnode_label_store,
 	.mpo_vnode_label_update = sebsd_vnode_label_update,

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/sedarwin/sebsd_labels.h#5 (text+ko) ====

@@ -41,47 +41,19 @@
 #ifndef _SYS_SECURITY_SEBSD_LABELS_H
 #define _SYS_SECURITY_SEBSD_LABELS_H
 
-struct task_security_struct {
-	u_int32_t osid;
+struct sebsd_label {
+	u_int32_t osid;		/* task_sid for all but task_security_struct */
 	u_int32_t sid;
-#ifdef notyet
-	u_int32_t exec_sid;        /* exec SID */
-	u_int32_t create_sid;      /* fscreate SID */
-#endif
+	u_int16_t sclass;	/* only used for vnode and ipc */
+	u_int16_t behavior;	/* only used for mount */
 };
+#define	task_sid	osid
 
-struct file_security_struct {
-	u_int32_t sid;
-};
-
-struct vnode_security_struct {
-	u_int32_t task_sid;
-	u_int32_t sid;
-	u_int16_t sclass;
-};
+#define	task_security_struct	sebsd_label
+#define	file_security_struct	sebsd_label
+#define	vnode_security_struct	sebsd_label
+#define	network_security_struct	sebsd_label
+#define	ipc_security_struct	sebsd_label
+#define	mount_security_struct	sebsd_label
 
-struct network_security_struct {
-	u_int32_t sid;
-	u_int32_t task_sid;
-};
-
-struct ipc_security_struct {
-	u_int32_t sid;
-	u_int16_t sclass;
-};
-
-struct mount_security_struct {
-	u_int32_t sid;			/* SID of file system */
-#ifndef __FreeBSD__
-	struct psidtab *psidtab;        /* persistent SID mapping */
-#endif
-	unsigned char uses_psids;       /* uses persistent SID flag */
-#ifndef __FreeBSD__
-	unsigned char initialized;      /* initialization flag */
-#endif
-	unsigned char uses_task;        /* use creating task SID for inodes */
-	unsigned char uses_genfs;       /* use security_genfs_sid for inodes */
-	unsigned char proc;             /* call procfs_set_sid */
-	unsigned char uses_trans;       /* call security_transition_sid */
-};
 #endif /* _SYS_SECURITY_SEBSD_LABELS_H */
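Review bot: `#define task_sid osid` is an unscoped macro that rewrites every identifier spelled task_sid in every translation unit including this header — locals, parameters and members of unrelated structures as well as sebsd_label — which is a subtle source of shadowing and build breakage; an anonymous union `union { u_int32_t osid; u_int32_t task_sid; };` inside the struct (C11, long supported by GCC as an extension) gives both spellings without touching the preprocessor. The six `*_security_struct` aliases carry the same risk for any other declaration using those tags, so the header should state that they are transitional, as the commit message does. The comment on osid, `/* task_sid for all but task_security_struct */`, would be clearer as `/* SID of the owning task; spelled task_sid by every label type except task labels */`. The removed mount flags mean any code that tested uses_psids, uses_trans, uses_task or uses_genfs must now switch on the 16-bit `behavior`, which this change does not show being updated.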

