PERFORCE change 17594 for review
Robert Watson
rwatson at freebsd.org
Tue Sep 17 02:37:00 GMT 2002
http://people.freebsd.org/~peter/p4db/chv.cgi?CH=17594
Change 17594 by rwatson at rwatson_tislabs on 2002/09/16 19:36:56
Integ new MAC userland API from rwatson_macnewapi branch;
work done by rwatson and amigus.
These changes revise the system call API and userland library
API to support a flexible label format, rather than hard-coding
a particular label structure. This permits kernel policies
to introduce new label elements visible to userland without
changes in the kernel ABI or advance knowledge of the
label format. For example, the mac_partition policy now
seperately exports partition information without any
modifications to the base kernel. This is possible by
re-working 'struct mac' so that it points at a variable
length 'struct mac_element' array, which in turn points to
a set of "bibary blob" label elements generated by user and
kernel policy modules.
Policies may now be shipped with a userland shared object
that implements text/binary blob conversion routines, or
can rely on generic string conversion provided by mac_generic.
mac.conf configures the shared objects for use by applications,
as well as the default elements to render in various label
retrieving programs (getpmac, getfmac, etc).
Existing support in applications such as ls, ps, ifconfig
is updated, but due to static linking of these binaries,
will not work at this time. getpmac, getfmac, et al have
all been updated to work. macctl is now added to manage
the labels on interfaces. getpmac can now also be used to
retrieve the labels on non-current processes using -p.
-l may be used to retrieve a non-default label set.
Note: it is no longer possible to successfully set elements
for a policy not loaded in the kernel. This results in better
fail-closed characteristics, but means that you need to be
careful not to set elements in login.conf unless the policy
will be loaded, or users may not be able to log in.
Note: you will need to recompile the kernel and userland, and
insert a useful mac.conf, and update login.conf as needed
to update through these changes. We've tested them a fair
amount, but there are probably nits.
Affected files ...
.. //depot/projects/trustedbsd/mac/MACREADME#22 integrate
.. //depot/projects/trustedbsd/mac/bin/ls/Makefile#5 integrate
.. //depot/projects/trustedbsd/mac/bin/ls/lomac.c#7 delete
.. //depot/projects/trustedbsd/mac/bin/ls/lomac.h#3 delete
.. //depot/projects/trustedbsd/mac/bin/ls/ls.1#11 integrate
.. //depot/projects/trustedbsd/mac/bin/ls/ls.c#10 integrate
.. //depot/projects/trustedbsd/mac/bin/ls/ls.h#6 integrate
.. //depot/projects/trustedbsd/mac/bin/ls/print.c#9 integrate
.. //depot/projects/trustedbsd/mac/bin/ls/util.c#7 integrate
.. //depot/projects/trustedbsd/mac/bin/ps/Makefile#6 integrate
.. //depot/projects/trustedbsd/mac/bin/ps/extern.h#7 integrate
.. //depot/projects/trustedbsd/mac/bin/ps/keyword.c#9 integrate
.. //depot/projects/trustedbsd/mac/bin/ps/lomac.c#8 delete
.. //depot/projects/trustedbsd/mac/bin/ps/lomac.h#4 delete
.. //depot/projects/trustedbsd/mac/bin/ps/print.c#9 integrate
.. //depot/projects/trustedbsd/mac/bin/ps/ps.1#10 integrate
.. //depot/projects/trustedbsd/mac/bin/ps/ps.c#12 integrate
.. //depot/projects/trustedbsd/mac/etc/Makefile#18 integrate
.. //depot/projects/trustedbsd/mac/etc/login.conf#15 integrate
.. //depot/projects/trustedbsd/mac/etc/mac.conf#1 branch
.. //depot/projects/trustedbsd/mac/etc/rc.diskless1#7 integrate
.. //depot/projects/trustedbsd/mac/etc/rc.diskless2#27 integrate
.. //depot/projects/trustedbsd/mac/include/Makefile#18 integrate
.. //depot/projects/trustedbsd/mac/lib/Makefile#10 integrate
.. //depot/projects/trustedbsd/mac/lib/libc/posix1e/Makefile.inc#17 integrate
.. //depot/projects/trustedbsd/mac/lib/libc/posix1e/mac.c#1 branch
.. //depot/projects/trustedbsd/mac/lib/libc/posix1e/mac_biba.c#7 delete
.. //depot/projects/trustedbsd/mac/lib/libc/posix1e/mac_free.3#7 integrate
.. //depot/projects/trustedbsd/mac/lib/libc/posix1e/mac_free.c#5 delete
.. //depot/projects/trustedbsd/mac/lib/libc/posix1e/mac_get.c#7 integrate
.. //depot/projects/trustedbsd/mac/lib/libc/posix1e/mac_is_present_np.c#7 delete
.. //depot/projects/trustedbsd/mac/lib/libc/posix1e/mac_mls.c#6 delete
.. //depot/projects/trustedbsd/mac/lib/libc/posix1e/mac_module.h#1 branch
.. //depot/projects/trustedbsd/mac/lib/libc/posix1e/mac_set.c#5 integrate
.. //depot/projects/trustedbsd/mac/lib/libc/posix1e/mac_te.c#8 delete
.. //depot/projects/trustedbsd/mac/lib/libc/posix1e/mac_text.c#27 delete
.. //depot/projects/trustedbsd/mac/lib/libmac/Makefile#1 branch
.. //depot/projects/trustedbsd/mac/lib/libmac/modules/Makefile#1 branch
.. //depot/projects/trustedbsd/mac/lib/libmac/modules/Makefile.inc#1 branch
.. //depot/projects/trustedbsd/mac/lib/libmac/modules/mac_biba/Makefile#1 branch
.. //depot/projects/trustedbsd/mac/lib/libmac/modules/mac_biba/mac_biba.c#1 branch
.. //depot/projects/trustedbsd/mac/lib/libmac/modules/mac_generic/Makefile#1 branch
.. //depot/projects/trustedbsd/mac/lib/libmac/modules/mac_generic/mac_generic.c#1 branch
.. //depot/projects/trustedbsd/mac/lib/libmac/modules/mac_mls/Makefile#1 branch
.. //depot/projects/trustedbsd/mac/lib/libmac/modules/mac_mls/mac_mls.c#1 branch
.. //depot/projects/trustedbsd/mac/lib/libmac/modules/mac_partition/Makefile#1 branch
.. //depot/projects/trustedbsd/mac/lib/libmac/modules/mac_partition/mac_partition.c#1 branch
.. //depot/projects/trustedbsd/mac/lib/libutil/login_class.c#8 integrate
.. //depot/projects/trustedbsd/mac/libexec/ftpd/Makefile#7 integrate
.. //depot/projects/trustedbsd/mac/libexec/getty/main.c#8 integrate
.. //depot/projects/trustedbsd/mac/libexec/lukemftpd/Makefile#5 integrate
.. //depot/projects/trustedbsd/mac/sbin/ifconfig/ifmac.c#8 integrate
.. //depot/projects/trustedbsd/mac/sys/kern/init_sysent.c#29 integrate
.. //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#265 integrate
.. //depot/projects/trustedbsd/mac/sys/kern/syscalls.c#29 integrate
.. //depot/projects/trustedbsd/mac/sys/kern/syscalls.master#25 integrate
.. //depot/projects/trustedbsd/mac/sys/modules/Makefile#32 integrate
.. //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c#106 integrate
.. //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.h#5 integrate
.. //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.c#5 integrate
.. //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c#88 integrate
.. //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.h#5 integrate
.. //depot/projects/trustedbsd/mac/sys/security/mac_none/mac_none.c#72 integrate
.. //depot/projects/trustedbsd/mac/sys/security/mac_partition/mac_partition.c#12 integrate
.. //depot/projects/trustedbsd/mac/sys/security/mac_partition/mac_partition.h#1 branch
.. //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.c#75 integrate
.. //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.h#11 integrate
.. //depot/projects/trustedbsd/mac/sys/security/mac_test/mac_test.c#43 integrate
.. //depot/projects/trustedbsd/mac/sys/security/sebsd/sebsd.c#25 integrate
.. //depot/projects/trustedbsd/mac/sys/security/sebsd/sebsd.h#8 integrate
.. //depot/projects/trustedbsd/mac/sys/sys/_label.h#2 integrate
.. //depot/projects/trustedbsd/mac/sys/sys/mac.h#159 integrate
.. //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#123 integrate
.. //depot/projects/trustedbsd/mac/sys/sys/syscall.h#29 integrate
.. //depot/projects/trustedbsd/mac/sys/sys/syscall.mk#29 integrate
.. //depot/projects/trustedbsd/mac/sys/sys/sysproto.h#30 integrate
.. //depot/projects/trustedbsd/mac/usr.bin/login/login.c#21 integrate
.. //depot/projects/trustedbsd/mac/usr.sbin/Makefile#13 integrate
.. //depot/projects/trustedbsd/mac/usr.sbin/getfmac/getfmac.c#2 integrate
.. //depot/projects/trustedbsd/mac/usr.sbin/getpmac/getpmac.c#2 integrate
.. //depot/projects/trustedbsd/mac/usr.sbin/macctl/Makefile#1 branch
.. //depot/projects/trustedbsd/mac/usr.sbin/macctl/macctl.c#1 branch
.. //depot/projects/trustedbsd/mac/usr.sbin/macctl/macctl.h#1 branch
.. //depot/projects/trustedbsd/mac/usr.sbin/macctl/macctl_interface.c#1 branch
.. //depot/projects/trustedbsd/mac/usr.sbin/setfmac/setfmac.c#2 integrate
.. //depot/projects/trustedbsd/mac/usr.sbin/setpmac/setpmac.c#5 integrate
.. //depot/projects/trustedbsd/mac/usr.sbin/syslogd/syslogd.c#12 integrate
Differences ...
==== //depot/projects/trustedbsd/mac/MACREADME#22 (text+ko) ====
@@ -124,6 +124,14 @@
be able to map video memory, and by default video memory is labeled
as mls/high so as to be conservative.
+For now, use the MAC modules and not the kernel options to enable
+particular MAC policies. This is necessary because the modules
+are built without INVARIANTS; when compiled with INVARIANTS,
+panics may sometimes be experienced when an uninitialized label
+is passed through the system. Without INVARIANTS, the system will
+ignore these labels unless they are involved in an access control
+check, in the current configuration.
+
Things that look like they should work but don't
------------------------------------------------
==== //depot/projects/trustedbsd/mac/bin/ls/Makefile#5 (text+ko) ====
@@ -2,7 +2,7 @@
# $FreeBSD: src/bin/ls/Makefile,v 1.23 2002/02/04 03:06:50 kris Exp $
PROG= ls
-SRCS= cmp.c lomac.c ls.c print.c util.c
+SRCS= cmp.c ls.c print.c util.c
NO_WERROR=1
WFORMAT=0
DPADD= ${LIBM}
==== //depot/projects/trustedbsd/mac/bin/ls/ls.1#11 (text+ko) ====
@@ -146,7 +146,7 @@
.It Fl W
Display whiteouts when scanning directories.
.It Fl Z
-Display each file's LOMAC level.
+Display each file's MAC label.
.It Fl a
Include directory entries whose names begin with a
dot
@@ -303,7 +303,7 @@
is displayed for each file:
file mode,
number of links, owner name, group name,
-LOMAC level,
+MAC label,
number of bytes in the file, abbreviated
month, day-of-month file was last modified,
hour file last modified, minute file last
@@ -618,11 +618,6 @@
files in order to be compatible with the
.St -p1003.2
specification.
-.Sh FILES
-.Bl -tag -width ".Pa /dev/lomac" -compact
-.It Pa /dev/lomac
-interface used to query the
-.Xr lomac 4
KLD
.El
.Sh SEE ALSO
@@ -630,7 +625,6 @@
.Xr chmod 1 ,
.Xr sort 1 ,
.Xr xterm 1 ,
-.Xr lomac 4 ,
.Xr termcap 5 ,
.Xr symlink 7 ,
.Xr sticky 8
==== //depot/projects/trustedbsd/mac/bin/ls/ls.c#10 (text+ko) ====
@@ -51,6 +51,7 @@
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/ioctl.h>
+#include <sys/mac.h>
#include <dirent.h>
#include <err.h>
@@ -71,7 +72,6 @@
#include "ls.h"
#include "extern.h"
-#include "lomac.h"
/*
* Upward approximation of the maximum number of characters needed to
@@ -118,7 +118,7 @@
static int f_timesort; /* sort by time vice name */
int f_type; /* add type character for non-regular files */
static int f_whiteout; /* show whiteout entries */
- int f_lomac; /* show LOMAC attributes */
+ int f_label; /* show MAC label */
#ifdef COLORLS
int f_color; /* add type in color for non-regular files */
@@ -300,7 +300,7 @@
f_octal_escape = 0;
break;
case 'Z':
- f_lomac = 1;
+ f_label = 1;
break;
default:
case '?':
@@ -502,7 +502,8 @@
FTSENT *cur;
NAMES *np;
off_t maxsize;
- u_long btotal, lattrlen, maxblock, maxinode, maxlen, maxnlink, maxlattr;
+ u_long btotal, labelstrlen, maxblock, maxinode, maxlen, maxnlink;
+ u_long maxlabelstr;
int bcfile, maxflags;
gid_t maxgroup;
uid_t maxuser;
@@ -510,7 +511,7 @@
char *initmax;
int entries, needstats;
const char *user, *group;
- char *flags, *lattr = NULL;
+ char *flags, *labelstr = NULL;
char buf[STRBUF_SIZEOF(u_quad_t) + 1];
char ngroup[STRBUF_SIZEOF(uid_t) + 1];
char nuser[STRBUF_SIZEOF(gid_t) + 1];
@@ -530,7 +531,7 @@
btotal = 0;
initmax = getenv("LS_COLWIDTHS");
/* Fields match -lios order. New ones should be added at the end. */
- maxlattr = maxblock = maxinode = maxlen = maxnlink =
+ maxlabelstr = maxblock = maxinode = maxlen = maxnlink =
maxuser = maxgroup = maxflags = maxsize = 0;
if (initmax != NULL && *initmax != '\0') {
char *initmax2, *jinitmax;
@@ -560,7 +561,7 @@
ninitmax = sscanf(jinitmax,
" %lu : %lu : %lu : %i : %i : %i : %llu : %lu : %lu ",
&maxinode, &maxblock, &maxnlink, &maxuser,
- &maxgroup, &maxflags, &maxsize, &maxlen, &maxlattr);
+ &maxgroup, &maxflags, &maxsize, &maxlen, &maxlabelstr);
f_notabs = 1;
switch (ninitmax) {
case 0:
@@ -588,7 +589,7 @@
maxlen = 0;
/* FALLTHROUGH */
case 8:
- maxlattr = 0;
+ maxlabelstr = 0;
/* FALLTHROUGH */
#ifdef COLORLS
if (!f_color)
@@ -603,8 +604,6 @@
maxnlink = makenines(maxnlink);
maxsize = makenines(maxsize);
}
- if (f_lomac)
- lomac_start();
bcfile = 0;
flags = NULL;
for (cur = list, entries = 0; cur; cur = cur->fts_link) {
@@ -681,16 +680,48 @@
maxflags = flen;
} else
flen = 0;
- lattr = NULL;
- if (f_lomac) {
- lattr = get_lattr(cur);
- lattrlen = strlen(lattr);
- if (lattrlen > maxlattr)
- maxlattr = lattrlen;
+ labelstr = NULL;
+ if (f_label) {
+ mac_t label;
+ int error;
+
+ error = mac_prepare_file_label(&label);
+ if (error != MAC_SUCCESS) {
+ fprintf(stderr, "%s: %s\n",
+ cur->fts_name,
+ mac_error(error));
+ goto label_out;
+ }
+
+ error = mac_get_file(cur->fts_name,
+ label);
+ if (error != MAC_SUCCESS) {
+ fprintf(stderr, "%s: %s\n",
+ cur->fts_name,
+ mac_error(error));
+ goto label_out;
+ }
+
+ error = mac_to_text(label,
+ &labelstr);
+ if (error != MAC_SUCCESS) {
+ fprintf(stderr, "%s: %s\n",
+ cur->fts_name,
+ mac_error(error));
+ goto label_out;
+ }
+
+ if (labelstr == NULL)
+ labelstr = strdup("");
+
+label_out:
+ labelstrlen = strlen(labelstr);
+ if (labelstrlen > maxlabelstr)
+ maxlabelstr = labelstrlen;
} else
- lattrlen = 0;
+ labelstrlen = 0;
- if ((np = malloc(sizeof(NAMES) + lattrlen +
+ if ((np = malloc(sizeof(NAMES) + labelstrlen +
ulen + glen + flen + 4)) == NULL)
err(1, "malloc");
@@ -708,11 +739,11 @@
(void)strcpy(np->flags, flags);
free(flags);
}
- if (f_lomac) {
- np->lattr = &np->data[ulen + glen + 2
+ if (f_label) {
+ np->label = &np->data[ulen + glen + 2
+ (f_flags ? flen + 1 : 0)];
- (void)strcpy(np->lattr, lattr);
- free(lattr);
+ (void)strcpy(np->label, labelstr);
+ free(labelstr);
}
cur->fts_pointer = np;
}
@@ -732,7 +763,7 @@
(void)snprintf(buf, sizeof(buf), "%lu", maxblock);
d.s_block = strlen(buf);
d.s_flags = maxflags;
- d.s_lattr = maxlattr;
+ d.s_label = maxlabelstr;
d.s_group = maxgroup;
(void)snprintf(buf, sizeof(buf), "%lu", maxinode);
d.s_inode = strlen(buf);
@@ -748,8 +779,6 @@
if (f_longform)
for (cur = list; cur; cur = cur->fts_link)
free(cur->fts_pointer);
- if (f_lomac)
- lomac_stop();
}
/*
==== //depot/projects/trustedbsd/mac/bin/ls/ls.h#6 (text+ko) ====
@@ -45,7 +45,7 @@
extern int f_accesstime; /* use time of last access */
extern int f_flags; /* show flags associated with a file */
extern int f_humanval; /* show human-readable file sizes */
-extern int f_lomac; /* show LOMAC attributes */
+extern int f_label; /* show MAC label */
extern int f_inode; /* print inode */
extern int f_longform; /* long listing format */
extern int f_octal; /* print unprintables in octal */
@@ -70,7 +70,7 @@
int maxlen;
u_int s_block;
u_int s_flags;
- u_int s_lattr;
+ u_int s_label;
u_int s_group;
u_int s_inode;
u_int s_nlink;
@@ -82,6 +82,6 @@
char *user;
char *group;
char *flags;
- char *lattr;
+ char *label;
char data[1];
} NAMES;
==== //depot/projects/trustedbsd/mac/bin/ls/print.c#9 (text+ko) ====
@@ -182,8 +182,8 @@
np->group);
if (f_flags)
(void)printf("%-*s ", dp->s_flags, np->flags);
- if (f_lomac)
- (void)printf("%-*s ", dp->s_lattr, np->lattr);
+ if (f_label)
+ (void)printf("%-*s ", dp->s_label, np->label);
if (S_ISCHR(sp->st_mode) || S_ISBLK(sp->st_mode))
if (minor(sp->st_rdev) > 255 || minor(sp->st_rdev) < 0)
(void)printf("%3d, 0x%08x ",
==== //depot/projects/trustedbsd/mac/bin/ls/util.c#7 (text+ko) ====
==== //depot/projects/trustedbsd/mac/bin/ps/Makefile#6 (text+ko) ====
@@ -2,7 +2,7 @@
# @(#)Makefile 8.1 (Berkeley) 6/2/93
PROG= ps
-SRCS= fmt.c keyword.c nlist.c print.c ps.c lomac.c
+SRCS= fmt.c keyword.c nlist.c print.c ps.c
#
# To support "lazy" ps for non root/wheel users
# add -DLAZY_PS to the cflags. This helps
==== //depot/projects/trustedbsd/mac/bin/ps/extern.h#7 (text+ko) ====
@@ -54,7 +54,7 @@
const char *fmt_argv(char **, char *, size_t);
double getpcpu(const KINFO *);
void kvar(KINFO *, VARENT *);
-void lattr(KINFO *, VARENT *);
+void label(KINFO *, VARENT *);
void logname(KINFO *, VARENT *);
void longtname(KINFO *, VARENT *);
void lstarted(KINFO *, VARENT *);
@@ -74,7 +74,6 @@
int s_rgroupname(KINFO *);
int s_runame(KINFO *);
int s_uname(KINFO *);
-void sebsd(KINFO *, VARENT *);
void showkey(void);
void started(KINFO *, VARENT *);
void state(KINFO *, VARENT *);
==== //depot/projects/trustedbsd/mac/bin/ps/keyword.c#9 (text+ko) ====
@@ -104,13 +104,13 @@
0},
{"ktrace", "KTRACE", NULL, 0, kvar, NULL, 8, KOFF(ki_traceflag), INT,
"x", 0},
+ {"label", "LABEL", NULL, LJUST, label, NULL, 0, 0, CHAR, NULL, 0},
{"lim", "LIM", NULL, 0, maxrss, NULL, 5, 0, CHAR, NULL, 0},
{"login", "LOGIN", NULL, LJUST, logname, NULL, MAXLOGNAME-1, 0, CHAR,
NULL, 0},
{"logname", "", "login", 0, NULL, NULL, 0, 0, CHAR, NULL, 0},
{"lstart", "STARTED", NULL, LJUST|USER, lstarted, NULL, 28, 0, CHAR,
NULL, 0},
- {"lvl", "LVL", NULL, LJUST, lattr, NULL, 3, 0, CHAR, NULL, 0},
{"majflt", "MAJFLT", NULL, USER, rvar, NULL, 4, ROFF(ru_majflt),
LONG, "ld", 0},
{"minflt", "MINFLT", NULL, USER, rvar, NULL, 4, ROFF(ru_minflt),
@@ -164,7 +164,6 @@
UINT, UIDFMT, 0},
{"ruser", "RUSER", NULL, LJUST|DSIZ, runame, s_runame, USERLEN,
0, CHAR, NULL, 0},
- {"sebsd", "SEBSD", NULL, LJUST, sebsd, NULL, 0, 0, CHAR, NULL, 0},
{"sid", "SID", NULL, 0, kvar, NULL, PIDLEN, KOFF(ki_sid), UINT,
PIDFMT, 0},
{"sig", "PENDING", NULL, 0, kvar, NULL, 8, KOFF(ki_siglist), INT,
==== //depot/projects/trustedbsd/mac/bin/ps/print.c#9 (text+ko) ====
@@ -63,7 +63,6 @@
#include <unistd.h>
#include <vis.h>
-#include "lomac.h"
#include "ps.h"
static void printval(void *, VAR *);
@@ -736,28 +735,30 @@
}
void
-lattr(KINFO *k, VARENT *ve)
+label(KINFO *k, VARENT *ve)
{
+ char *string;
+ mac_t label;
+ int error;
VAR *v;
- v = ve->var;
- (void)printf("%-*d", v->width, get_lattr(k->ki_p->ki_pid));
-}
+ string = "";
+
+ error = mac_prepare_process_label(&label);
+ if (error != MAC_SUCCESS) {
+ fprintf(stderr, "%s\n", mac_error(error));
+ goto out;
+ }
-void
-sebsd(KINFO *k, VARENT *ve)
-{
- char buf[128];
- struct mac_pid_data mpd;
- size_t datalen;
- VAR *v;
+ error = mac_get_pid(k->ki_p->ki_pid, label);
+ if (error == 0) {
+ error = mac_to_text(label, &string);
+ if (error != MAC_SUCCESS)
+ string = "";
+ }
+ mac_free(label);
- strcpy(buf, "<<whoknows>>");
- strcpy(mpd.mpd_name, "trustedbsd_sebsd");
- mpd.mpd_data = buf;
- datalen = sizeof(buf);
- mpd.mpd_datalen = &datalen;
- (void)mac_get_pid(k->ki_p->ki_pid, &mpd, 1);
- v = ve->var;
- (void)printf("%*s", v->width, mpd.mpd_data);
+out:
+ (void)printf("%*s", v->width, string);
+ return;
}
==== //depot/projects/trustedbsd/mac/bin/ps/ps.1#10 (text+ko) ====
@@ -144,10 +144,6 @@
.It Fl r
Sort by current cpu usage, instead of by process
.Tn ID .
-.It Fl s
-Add sebsd to the list of keywords for which
-.Nm
-will display information.
.It Fl S
Change the way the process time is calculated by summing all exited
children to their parent process.
@@ -188,7 +184,7 @@
.It Fl x
Display information about processes without controlling terminals.
.It Fl Z
-Add lvl to the list of keywords for which
+Add label to the list of keywords for which
.Nm
will display information.
.El
@@ -228,14 +224,14 @@
.It Dv "P_OWEUPC" Ta No "0x20000 Owe process an addupc() call at next ast"
.It Dv "P_SWAPPING" Ta No "0x40000 Process is being swapped"
.El
+.It label
+The MAC label of the process.
.It lim
The soft limit on memory used, specified via a call to
.Xr setrlimit 2 .
.It lstart
The exact time the command started, using the ``%c'' format described in
.Xr strftime 3 .
-.It lvl
-The LOMAC level of the process.
.It mtxname
The name of the
.Xr mutex 9
@@ -339,8 +335,6 @@
.It X
The process is being traced or debugged.
.El
-.It sebsd
-The SEBSD security context of the process.
.It tt
An abbreviation for the pathname of the controlling terminal, if any.
The abbreviation consists of the three letters following
@@ -398,14 +392,14 @@
job control count
.It ktrace
tracing flags
+.It label
+MAC label
.It lim
memoryuse limit
.It logname
login name of user who started the process
.It lstart
time started
-.It lvl
-LOMAC level
.It majflt
total page faults
.It minflt
==== //depot/projects/trustedbsd/mac/bin/ps/ps.c#12 (text+ko) ====
@@ -64,7 +64,6 @@
#include <string.h>
#include <unistd.h>
-#include "lomac.h"
#include "ps.h"
#define SEP ", \t" /* username separators */
@@ -108,15 +107,14 @@
static char o2[] = "tt,state,time,command";
static char ufmt[] = "user,pid,%cpu,%mem,vsz,rss,tt,state,start,time,command";
static char vfmt[] = "pid,state,time,sl,re,pagein,vsz,rss,lim,tsiz,%cpu,%mem,command";
-static char Zfmt[] = "lvl";
-static char sfmt[] = "sebsd";
+static char Zfmt[] = "label";
static kvm_t *kd;
#if defined(LAZY_PS)
-#define PS_ARGS "aCcefghjLlM:mN:O:o:p:rsSTt:U:uvwxZ"
+#define PS_ARGS "aCcefghjLlM:mN:O:o:p:rSTt:U:uvwxZ"
#else
-#define PS_ARGS "aCceghjLlM:mN:O:o:p:rsSTt:U:uvwxZ"
+#define PS_ARGS "aCceghjLlM:mN:O:o:p:rSTt:U:uvwxZ"
#endif
int
@@ -242,10 +240,6 @@
case 'r':
sortby = SORTCPU;
break;
- case 's':
- parsefmt(sfmt);
- sfmt[0] = '\0';
- break;
case 'S':
sumrusage = 1;
break;
@@ -415,7 +409,6 @@
}
}
free(uids);
- lomac_stop();
exit(eval);
}
==== //depot/projects/trustedbsd/mac/etc/Makefile#18 (text+ko) ====
@@ -10,7 +10,7 @@
dhclient.conf dm.conf fbtab ftpusers gettytab group \
hosts hosts.allow hosts.equiv hosts.lpd \
inetd.conf login.access login.conf \
- motd modems netconfig networks newsyslog.conf \
+ mac.conf motd modems netconfig networks newsyslog.conf \
phones printcap profile protocols \
rc rc.atm rc.devfs rc.diskless1 rc.diskless2 rc.firewall rc.firewall6 \
rc.network rc.network6 rc.pccard rc.sendmail rc.serial rc.shutdown \
==== //depot/projects/trustedbsd/mac/etc/login.conf#15 (text+ko) ====
@@ -41,6 +41,15 @@
#:label=biba/high(low-high),mls/low(low-high),te/default_d:\
#:ttylabel=biba/high,mls/low,te/device_t:
+ # In many configurations, it will be desirable to set a default
+ # user MAC label. If so, the following might be a useful place
+ # to start:
+ #
+ #:label=biba/high(low-high),mls/low(low-high),te/default_d:
+ #:ttylabel=biba/high,mls/low,te/device_t:
+ #
+ # In addition, other labels might be desirable for other user
+ # classes.
#
# A collection of common class names - forward them all to 'default'
==== //depot/projects/trustedbsd/mac/etc/rc.diskless1#7 (text+ko) ====
@@ -61,8 +61,8 @@
mount_md() {
/sbin/mdconfig -a -t malloc -s $1 -u $3
/sbin/disklabel -r -w md$3 auto
- /sbin/newfs -i 4096 /dev/md$3c
- /sbin/mount /dev/md$3c $2
+ /sbin/newfs -O1 -i 4096 /dev/md$3c
+ /sbin/mount -o multilabel /dev/md$3c $2
}
# DEBUGGING
==== //depot/projects/trustedbsd/mac/etc/rc.diskless2#27 (text+ko) ====
@@ -42,24 +42,8 @@
fi
/sbin/mdconfig -a -t malloc -s $1 -u $3
/sbin/disklabel -r -w md$3 auto
- /sbin/newfs $bpi /dev/md$3c
- /sbin/mount /dev/md$3c $2
-}
-
-# Enable label support on a UFS1 md file system
-# $1 = mountpoint
-# $2 = md device
-# XXX: Assumes auto-start
-multilabel_md() {
- labelsize=`/sbin/sysctl -n security.mac.label_size`
- /bin/mkdir -p $1/.attribute/system
- /usr/sbin/extattrctl initattr -f -p $1 ${labelsize} \
- $1/.attribute/system/freebsd.mac
- #/usr/sbin/extattrctl start $1
- #/usr/sbin/extattrctl enable $1 system freebsd.mac \
- # $1/.attribute/system/freebsd.mac
- /sbin/umount $1
- /sbin/mount -o multilabel /dev/md$2c $1
+ /sbin/newfs -O2 $bpi /dev/md$3c
+ /sbin/mount -o multilabel /dev/md$3c $2
}
# If there is a global system configuration file, suck it in.
==== //depot/projects/trustedbsd/mac/include/Makefile#18 (text+ko) ====
==== //depot/projects/trustedbsd/mac/lib/Makefile#10 (text+ko) ====
@@ -26,7 +26,7 @@
${_compat} libalias libatm ${_libbind} libbz2 libc ${_libc_r} \
libcalendar libcam libcompat libdevinfo libdevstat libdisk \
libedit libfetch libform libftpio ${_libio} libipsec \
- libipx libisc libmenu ${_libmilter} ${_libmp} ${_libncp} \
+ libipx libisc libmac libmenu ${_libmilter} ${_libmp} ${_libncp} \
libnetgraph libopie libpam libpanel libpcap libsebsd \
${_libsm} ${_libsmb} ${_libsmdb} ${_libsmutil} \
libstand ${_libtelnet} libufs libugidfw libusbhid ${_libvgl} \
==== //depot/projects/trustedbsd/mac/lib/libc/posix1e/Makefile.inc#17 (text+ko) ====
@@ -19,16 +19,9 @@
acl_to_text.c \
acl_valid.c \
extattr.c \
- mac_biba.c \
- mac_constant.c \
- mac_free.c \
- mac_is_present_np.c \
+ mac.c \
mac_get.c \
- mac_mls.c \
- mac_sebsd.c \
- mac_set.c \
- mac_te.c \
- mac_text.c
+ mac_set.c
.if ${LIB} == "c"
==== //depot/projects/trustedbsd/mac/lib/libc/posix1e/mac_free.3#7 (text+ko) ====
@@ -1,4 +1,4 @@
-.\" Copyright (c) 2001 Networks Associates Technology, Inc.
+.\" Copyright (c) 2001, 2002 Networks Associates Technology, Inc.
.\" All rights reserved.
.\"
.\" This software was developed for the FreeBSD Project by Chris
@@ -43,21 +43,18 @@
.Sh SYNOPSIS
.In sys/mac.h
.Ft int
-.Fn mac_free "void *buf_p"
+.Fn mac_free "mac_t label"
.Sh DESCRIPTION
The
.Fn mac_free
-function frees the storage allocated to contain either a
-.Vt mac_t
-or a
-.Vt char * ,
-as allocated by the
-.Fn mac_to_text
-function.
+function frees the storage allocated to contain a
+.Vt mac_t .
.Sh RETURN VALUES
The
.Fn mac_free
function always returns 0.
+WARNING: see the notes in the BUGS section regarding the use of this
+function.
.Sh SEE ALSO
.Xr mac 3 ,
.Xr mac_get 3 ,
@@ -71,3 +68,16 @@
.Fx
POSIX.1e implementation page
for more information.
+.Sh BUGS
+POSIX.1e specifies that
+.Fn mac_free
+will be used to free text strings created using
+.Xr mac_to_text 3 .
+Because
+.Vt mac_t
+is a complex structure in the TrustedBSD implementation,
+.Fn mac_free
+is specific to that type, and must not be used to free the character
+strings returned from
+.Fn mac_to_text .
+Doing so may result in an application failure.
==== //depot/projects/trustedbsd/mac/lib/libc/posix1e/mac_get.c#7 (text+ko) ====
@@ -37,65 +37,34 @@
#include <errno.h>
#include <stdlib.h>
-mac_t
-mac_get_file(const char *path_p)
+int
+mac_get_file(const char *path, struct mac *label)
{
- struct mac *label;
- int error;
- label = (mac_t) malloc(sizeof(*label));
- if (label == NULL) {
- errno = ENOMEM;
- return (NULL);
- }
+ return (__mac_get_file(path, label));
+}
- error = __mac_get_file(path_p, label);
- if (error) {
- mac_free(label);
- return (NULL);
- }
+int
+mac_get_fd(int fd, struct mac *label)
+{
- return (label);
+ return (__mac_get_fd(fd, label));
}
-mac_t
-mac_get_fd(int fd)
+int
+mac_get_proc(struct mac *label)
{
- struct mac *label;
- int error;
- label = (mac_t) malloc(sizeof(*label));
- if (label == NULL) {
- errno = ENOMEM;
- return (NULL);
- }
+ return (__mac_get_proc(label));
+}
- error = __mac_get_fd(fd, label);
- if (error) {
- mac_free(label);
- return (NULL);
- }
+/*
+ * XXXMAC: Not yet.
- return (label);
-}
-
-mac_t
-mac_get_proc()
+int
+mac_get_pid(pid_t pid, struct mac *label)
{
- struct mac *label;
- int error;
- label = (mac_t) malloc(sizeof(*label));
- if (label == NULL) {
- errno = ENOMEM;
- return (NULL);
- }
-
- error = __mac_get_proc(label);
- if (error) {
- mac_free(label);
- return (NULL);
- }
-
- return (label);
+ return (__mac_get_pid(pid, label));
}
+*/
==== //depot/projects/trustedbsd/mac/lib/libc/posix1e/mac_set.c#5 (text+ko) ====
@@ -35,21 +35,21 @@
#include <sys/mac.h>
int
-mac_set_file(const char *path_p, mac_t label)
+mac_set_file(const char *path, struct mac *label)
{
- return (__mac_set_file(path_p, label));
+ return (__mac_set_file(path, label));
}
int
-mac_set_fd(int fd, mac_t label)
+mac_set_fd(int fd, struct mac *label)
{
return (__mac_set_fd(fd, label));
}
int
-mac_set_proc(mac_t label)
+mac_set_proc(struct mac *label)
{
return (__mac_set_proc(label));
==== //depot/projects/trustedbsd/mac/lib/libutil/login_class.c#8 (text+ko) ====
@@ -377,8 +377,8 @@
}
/* Setup the user's MAC label. */
- if (flags & LOGIN_SETMAC && mac_is_present_np(NULL) == 1) {
- char *label_string;
+ if (flags & LOGIN_SETMAC && mac_is_present(NULL) == 1) {
+ const char *label_string;
mac_t label;
/*
@@ -396,11 +396,11 @@
if (label_string == NULL) {
/* Leave label as is, warning, dangerous */
} else {
- label = mac_from_text(label_string);
- if (label == NULL) {
- syslog(LOG_ERR, "mac_from_text(%s): %m",
- label_string);
- return -1;
+ error = mac_from_text(&label, label_string);
+ if (error != MAC_SUCCESS) {
+ syslog(LOG_ERR, "mac_from_text('%s'): %s", label_string,
+ mac_error(error));
+ return -1;
}
error = mac_set_proc(label);
mac_free(label);
==== //depot/projects/trustedbsd/mac/libexec/ftpd/Makefile#7 (text+ko) ====
@@ -20,7 +20,7 @@
LSDIR= ../../bin/ls
.PATH: ${.CURDIR}/${LSDIR}
-SRCS+= ls.c cmp.c lomac.c print.c util.c
+SRCS+= ls.c cmp.c print.c util.c
CFLAGS+=-Dmain=ls_main -I${.CURDIR}/${LSDIR}
DPADD+= ${LIBM}
LDADD+= -lm
==== //depot/projects/trustedbsd/mac/libexec/getty/main.c#8 (text+ko) ====
@@ -232,6 +232,7 @@
rootpw = getpwuid(0);
/*
* After a user logs out, reset the tty MAC label to root's.
>>> TRUNCATED FOR MAIL (1000 lines) <<<
To Unsubscribe: send mail to majordomo at trustedbsd.org
with "unsubscribe trustedbsd-cvs" in the body of the message
More information about the trustedbsd-cvs
mailing list