| mac_system.c (116701) | mac_system.c (118308) |
|---|---|
| 1/*- 2 * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson 3 * Copyright (c) 2001 Ilmar S. Habibulin 4 * Copyright (c) 2001, 2002, 2003 Networks Associates Technology, Inc. 5 * All rights reserved. 6 * 7 * This software was developed by Robert Watson and Ilmar Habibulin for the 8 * TrustedBSD Project. --- 26 unchanged lines hidden (view full) --- 35 */ 36 37/* 38 * Framework for extensible kernel access control. Kernel and userland 39 * interface to the framework, policy registration and composition. 40 */ 41 42#include <sys/cdefs.h> | 1/*- 2 * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson 3 * Copyright (c) 2001 Ilmar S. Habibulin 4 * Copyright (c) 2001, 2002, 2003 Networks Associates Technology, Inc. 5 * All rights reserved. 6 * 7 * This software was developed by Robert Watson and Ilmar Habibulin for the 8 * TrustedBSD Project. --- 26 unchanged lines hidden (view full) --- 35 */ 36 37/* 38 * Framework for extensible kernel access control. Kernel and userland 39 * interface to the framework, policy registration and composition. 40 */ 41 42#include <sys/cdefs.h> |
| 43__FBSDID("$FreeBSD: head/sys/security/mac/mac_system.c 116701 2003-06-23 01:26:34Z rwatson $"); | 43__FBSDID("$FreeBSD: head/sys/security/mac/mac_system.c 118308 2003-08-01 15:45:14Z rwatson $"); |
| 44 45#include "opt_mac.h" 46#include "opt_devfs.h" 47 48#include <sys/param.h> 49#include <sys/condvar.h> 50#include <sys/extattr.h> 51#include <sys/imgact.h> --- 64 unchanged lines hidden (view full) --- 116static int mac_late = 0; 117 118/* 119 * Warn about EA transactions only the first time they happen. 120 * Weak coherency, no locking. 121 */ 122static int ea_warn_once = 0; 123 | 44 45#include "opt_mac.h" 46#include "opt_devfs.h" 47 48#include <sys/param.h> 49#include <sys/condvar.h> 50#include <sys/extattr.h> 51#include <sys/imgact.h> --- 64 unchanged lines hidden (view full) --- 116static int mac_late = 0; 117 118/* 119 * Warn about EA transactions only the first time they happen. 120 * Weak coherency, no locking. 121 */ 122static int ea_warn_once = 0; 123 |
| 124#ifndef MAC_ALWAYS_LABEL_MBUF | |
| 125/* 126 * Flag to indicate whether or not we should allocate label storage for 127 * new mbufs. Since most dynamic policies we currently work with don't 128 * rely on mbuf labeling, try to avoid paying the cost of mtag allocation 129 * unless specifically notified of interest. One result of this is 130 * that if a dynamically loaded policy requests mbuf labels, it must 131 * be able to deal with a NULL label being returned on any mbufs that 132 * were already in flight when the policy was loaded. Since the policy 133 * already has to deal with uninitialized labels, this probably won't 134 * be a problem. Note: currently no locking. Will this be a problem? 135 */ | 124/* 125 * Flag to indicate whether or not we should allocate label storage for 126 * new mbufs. Since most dynamic policies we currently work with don't 127 * rely on mbuf labeling, try to avoid paying the cost of mtag allocation 128 * unless specifically notified of interest. One result of this is 129 * that if a dynamically loaded policy requests mbuf labels, it must 130 * be able to deal with a NULL label being returned on any mbufs that 131 * were already in flight when the policy was loaded. Since the policy 132 * already has to deal with uninitialized labels, this probably won't 133 * be a problem. Note: currently no locking. Will this be a problem? 134 */ |
| 135#ifndef MAC_ALWAYS_LABEL_MBUF |
|
| 136static int mac_labelmbufs = 0; 137#endif 138 139static int mac_enforce_fs = 1; 140SYSCTL_INT(_security_mac, OID_AUTO, enforce_fs, CTLFLAG_RW, 141 &mac_enforce_fs, 0, "Enforce MAC policy on file system objects"); 142TUNABLE_INT("security.mac.enforce_fs", &mac_enforce_fs); 143 --- 365 unchanged lines hidden (view full) --- 509mac_late_init(void) 510{ 511 512 mac_late = 1; 513} 514 515/* 516 * After the policy list has changed, walk the list to update any global | 136static int mac_labelmbufs = 0; 137#endif 138 139static int mac_enforce_fs = 1; 140SYSCTL_INT(_security_mac, OID_AUTO, enforce_fs, CTLFLAG_RW, 141 &mac_enforce_fs, 0, "Enforce MAC policy on file system objects"); 142TUNABLE_INT("security.mac.enforce_fs", &mac_enforce_fs); 143 --- 365 unchanged lines hidden (view full) --- 509mac_late_init(void) 510{ 511 512 mac_late = 1; 513} 514 515/* 516 * After the policy list has changed, walk the list to update any global |
| 517 * flags. | 517 * flags. Currently, we support only one flag, and it's conditionally 518 * defined; as a result, the entire function is conditional. Eventually, 519 * the #else case might also iterate across the policies. |
| 518 */ 519static void 520mac_policy_updateflags(void) 521{ | 520 */ 521static void 522mac_policy_updateflags(void) 523{ |
| 522 struct mac_policy_conf *tmpc; | |
| 523#ifndef MAC_ALWAYS_LABEL_MBUF | 524#ifndef MAC_ALWAYS_LABEL_MBUF |
| 525 struct mac_policy_conf *tmpc; |
|
| 524 int labelmbufs; | 526 int labelmbufs; |
| 525#endif | |
| 526 527 mac_policy_assert_exclusive(); 528 | 527 528 mac_policy_assert_exclusive(); 529 |
| 529#ifndef MAC_ALWAYS_LABEL_MBUF | |
| 530 labelmbufs = 0; | 530 labelmbufs = 0; |
| 531#endif 532 | |
| 533 LIST_FOREACH(tmpc, &mac_static_policy_list, mpc_list) { | 531 LIST_FOREACH(tmpc, &mac_static_policy_list, mpc_list) { |
| 534#ifndef MAC_ALWAYS_LABEL_MBUF | |
| 535 if (tmpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_LABELMBUFS) 536 labelmbufs++; | 532 if (tmpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_LABELMBUFS) 533 labelmbufs++; |
| 537#endif | |
| 538 } 539 LIST_FOREACH(tmpc, &mac_policy_list, mpc_list) { | 534 } 535 LIST_FOREACH(tmpc, &mac_policy_list, mpc_list) { |
| 540#ifndef MAC_ALWAYS_LABEL_MBUF | |
| 541 if (tmpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_LABELMBUFS) 542 labelmbufs++; | 536 if (tmpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_LABELMBUFS) 537 labelmbufs++; |
| 543#endif | |
| 544 } | 538 } |
| 545 546#ifndef MAC_ALWAYS_LABEL_MBUF | |
| 547 mac_labelmbufs = (labelmbufs != 0); 548#endif 549} 550 551/* 552 * Allow MAC policy modules to register during boot, etc. 553 */ 554int --- 323 unchanged lines hidden (view full) --- 878{ 879 struct m_tag *tag; 880 int error; 881 882 M_ASSERTPKTHDR(m); 883 884#ifndef MAC_ALWAYS_LABEL_MBUF 885 /* | 539 mac_labelmbufs = (labelmbufs != 0); 540#endif 541} 542 543/* 544 * Allow MAC policy modules to register during boot, etc. 545 */ 546int --- 323 unchanged lines hidden (view full) --- 870{ 871 struct m_tag *tag; 872 int error; 873 874 M_ASSERTPKTHDR(m); 875 876#ifndef MAC_ALWAYS_LABEL_MBUF 877 /* |
| 886 * Don't reserve space for labels on mbufs unless we have a policy 887 * that uses the labels. | 878 * If conditionally allocating mbuf labels, don't allocate unless 879 * they are required. |
| 888 */ | 880 */ |
| 889 if (mac_labelmbufs) { | 881 if (!mac_labelmbufs) 882 return (0); |
| 890#endif | 883#endif |
| 891 tag = m_tag_get(PACKET_TAG_MACLABEL, sizeof(struct label), 892 flag); 893 if (tag == NULL) 894 return (ENOMEM); 895 error = mac_init_mbuf_tag(tag, flag); 896 if (error) { 897 m_tag_free(tag); 898 return (error); 899 } 900 m_tag_prepend(m, tag); 901#ifndef MAC_ALWAYS_LABEL_MBUF | 884 tag = m_tag_get(PACKET_TAG_MACLABEL, sizeof(struct label), 885 flag); 886 if (tag == NULL) 887 return (ENOMEM); 888 error = mac_init_mbuf_tag(tag, flag); 889 if (error) { 890 m_tag_free(tag); 891 return (error); |
| 902 } | 892 } |
| 903#endif | 893 m_tag_prepend(m, tag); |
| 904 return (0); 905} 906 907void 908mac_init_mount(struct mount *mp) 909{ 910 911 mac_init_label(&mp->mnt_mntlabel); --- 3044 unchanged lines hidden --- | 894 return (0); 895} 896 897void 898mac_init_mount(struct mount *mp) 899{ 900 901 mac_init_label(&mp->mnt_mntlabel); --- 3044 unchanged lines hidden --- |