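--- a/mac_framework.c
+++ b/mac_framework.c
@@ -1,8 +1,8 @@
 /*-
  * Copyright (c) 1999-2002, 2006 Robert N. M. Watson
  * Copyright (c) 2001 Ilmar S. Habibulin
  * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
  * Copyright (c) 2005-2006 SPARTA, Inc.
  * All rights reserved.
  *
  * This software was developed by Robert Watson and Ilmar Habibulin for the
@@ -58,17 +58,17 @@
  * and set label state on objects.
  *
  * The majority of the MAC Framework implementation may be found in
  * src/sys/security/mac. Sample policy modules may be found in
  * src/sys/security/mac_*.
  */
 
 #include <sys/cdefs.h>
-__FBSDID("$FreeBSD: head/sys/security/mac/mac_framework.c 165593 2006-12-28 21:15:37Z rwatson $");
+__FBSDID("$FreeBSD: head/sys/security/mac/mac_framework.c 165595 2006-12-28 21:48:38Z rwatson $");
 
 #include <sys/param.h>
 #include <sys/condvar.h>
 #include <sys/kernel.h>
 #include <sys/lock.h>
 #include <sys/mutex.h>
 #include <sys/mac.h>
 #include <sys/module.h>
@@ -85,20 +85,19 @@
 SYSCTL_NODE(_security, OID_AUTO, mac, CTLFLAG_RW, 0,
  "TrustedBSD MAC policy controls");
 
 /*
  * Declare that the kernel provides MAC support, version 3 (FreeBSD 7.x).
  * This permits modules to refuse to be loaded if the necessary support isn't
  * present, even if it's pre-boot.
  */
-#define MAC_VERSION 3
-static unsigned int mac_version = MAC_VERSION;
-
 MODULE_VERSION(kernel_mac_support, MAC_VERSION);
+
+static unsigned int mac_version = MAC_VERSION;
 SYSCTL_UINT(_security_mac, OID_AUTO, version, CTLFLAG_RD, &mac_version, 0,
  "");
 
 /*
  * Labels consist of a indexed set of "slots", which are allocated policies
  * as required. The MAC Framework maintains a bitmask of slots allocated so
  * far to prevent reuse. Slots cannot be reused, as the MAC Framework
  * guarantees that newly allocated slots in labels will be NULL unless
@@ -116,17 +115,17 @@
 SYSCTL_UINT(_security_mac, OID_AUTO, max_slots, CTLFLAG_RD, &mac_max_slots,
  0, "");
 
 /*
  * Has the kernel started generating labeled objects yet? All read/write
  * access to this variable is serialized during the boot process. Following
  * the end of serialization, we don't update this flag; no locking.
  */
-int mac_late = 0;
+static int mac_late = 0;
 
 /*
  * Flag to indicate whether or not we should allocate label storage for new
  * mbufs. Since most dynamic policies we currently work with don't rely on
  * mbuf labeling, try to avoid paying the cost of mtag allocation unless
  * specifically notified of interest. One result of this is that if a
  * dynamically loaded policy requests mbuf labels, it must be able to deal
  * with a NULL label being returned on any mbufs that were already in flight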
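Review bot: With `#define MAC_VERSION 3` gone from this file, the comment above `MODULE_VERSION(kernel_mac_support, MAC_VERSION)` still hard-codes "version 3 (FreeBSD 7.x)", so it can drift from the real value the next time the macro is bumped. The definition presumably now comes from a header among the includes hidden on this page. Since the same comment says modules use this version to refuse loading when the necessary support is absent, I would have it refer to the macro, e.g. `* Declare that the kernel provides MAC support at the version given by MAC_VERSION.`, and name the header that defines it. On `static int mac_late = 0;`, the narrowed linkage fits the comment's claim that the flag is not updated after boot, but whether any other file still reads the symbol cannot be checked from the lines shown here.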