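--- a/mac_framework.c
+++ b/mac_framework.c
@@ -1,8 +1,8 @@
 /*-
  * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson
  * Copyright (c) 2001 Ilmar S. Habibulin
  * Copyright (c) 2001, 2002, 2003 Networks Associates Technology, Inc.
  * All rights reserved.
  *
  * This software was developed by Robert Watson and Ilmar Habibulin for the
  * TrustedBSD Project.
@@ -35,17 +35,17 @@
  */
 
 /*
  * Framework for extensible kernel access control. Kernel and userland
  * interface to the framework, policy registration and composition.
  */
 
 #include <sys/cdefs.h>
-__FBSDID("$FreeBSD: head/sys/security/mac/mac_framework.c 120582 2003-09-29 18:35:17Z rwatson $");
+__FBSDID("$FreeBSD: head/sys/security/mac/mac_framework.c 121371 2003-10-22 20:42:22Z rwatson $");
 
 #include "opt_mac.h"
 #include "opt_devfs.h"
 
 #include <sys/param.h>
 #include <sys/condvar.h>
 #include <sys/extattr.h>
 #include <sys/imgact.h>
@@ -230,17 +230,16 @@
  &nmacvnodes, 0, "number of vnodes in use");
 SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, devfsdirents, CTLFLAG_RD,
  &nmacdevfsdirents, 0, "number of devfs dirents inuse");
 #else
 #define MAC_DEBUG_COUNTER_INC(x)
 #define MAC_DEBUG_COUNTER_DEC(x)
 #endif
 
-static int error_select(int error1, int error2);
 static int mac_policy_register(struct mac_policy_conf *mpc);
 static int mac_policy_unregister(struct mac_policy_conf *mpc);
 
 static void mac_check_vnode_mmap_downgrade(struct ucred *cred,
  struct vnode *vp, int *prot);
 static void mac_cred_mmapped_drop_perms_recurse(struct thread *td,
  struct ucred *cred, struct vm_map *map);
 
@@ -355,24 +354,24 @@
  */
 #define MAC_CHECK(check, args...) do { \
  struct mac_policy_conf *mpc; \
  int entrycount; \
  \
  error = 0; \
  LIST_FOREACH(mpc, &mac_static_policy_list, mpc_list) { \
  if (mpc->mpc_ops->mpo_ ## check != NULL) \
- error = error_select( \
+ error = mac_error_select( \
  mpc->mpc_ops->mpo_ ## check (args), \
  error); \
  } \
  if ((entrycount = mac_policy_list_conditional_busy()) != 0) { \
  LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { \
  if (mpc->mpc_ops->mpo_ ## check != NULL) \
- error = error_select( \
+ error = mac_error_select( \
  mpc->mpc_ops->mpo_ ## check (args), \
  error); \
  } \
  mac_policy_list_unbusy(); \
  } \
 } while (0)
 
 /*
@@ -704,18 +703,18 @@
 
  return (0);
 }
 
 /*
  * Define an error value precedence, and given two arguments, selects the
  * value with the higher precedence.
  */
-static int
-error_select(int error1, int error2)
+int
+mac_error_select(int error1, int error2)
 {
 
  /* Certain decision-making errors take top priority. */
  if (error1 == EDEADLK || error2 == EDEADLK)
  return (EDEADLK);
 
  /* Invalid arguments should be reported where possible. */
  if (error1 == EINVAL || error2 == EINVAL)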
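Review bot: The forward declaration `static int error_select(int error1, int error2);` is dropped near the top of the file and nothing in this file replaces it, so the now-external `mac_error_select()` (defined around new line 711) is declared ahead of the earlier `MAC_CHECK` expansions only if an included header carries `int mac_error_select(int error1, int error2);`. That header is not part of this page, so the prototype should be confirmed there. Because this function decides which errno wins when several policies return different results, its block comment should also record why it is no longer `static`, presumably so other MAC framework files can use it, for example `Exported so that every MAC framework file composes policy results with the same precedence.` The function body continues past the end of the visible section.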