mac_framework.c (182063) | mac_framework.c (187016) |
1/*- 2 * Copyright (c) 1999-2002, 2006 Robert N. M. Watson 3 * Copyright (c) 2001 Ilmar S. Habibulin 4 * Copyright (c) 2001-2005 Networks Associates Technology, Inc. 5 * Copyright (c) 2005-2006 SPARTA, Inc. | 1/*- 2 * Copyright (c) 1999-2002, 2006 Robert N. M. Watson 3 * Copyright (c) 2001 Ilmar S. Habibulin 4 * Copyright (c) 2001-2005 Networks Associates Technology, Inc. 5 * Copyright (c) 2005-2006 SPARTA, Inc. |
6 * Copyright (c) 2008 Apple Inc. | 6 * Copyright (c) 2008-2009 Apple Inc. |
7 * All rights reserved. 8 * 9 * This software was developed by Robert Watson and Ilmar Habibulin for the 10 * TrustedBSD Project. 11 * 12 * This software was developed for the FreeBSD Project in part by Network 13 * Associates Laboratories, the Security Research Division of Network 14 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), --- 46 unchanged lines hidden (view full) --- 61 * The majority of the MAC Framework implementation may be found in 62 * src/sys/security/mac. Sample policy modules may be found in 63 * src/sys/security/mac_*. 64 */ 65 66#include "opt_mac.h" 67 68#include <sys/cdefs.h> | 7 * All rights reserved. 8 * 9 * This software was developed by Robert Watson and Ilmar Habibulin for the 10 * TrustedBSD Project. 11 * 12 * This software was developed for the FreeBSD Project in part by Network 13 * Associates Laboratories, the Security Research Division of Network 14 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), --- 46 unchanged lines hidden (view full) --- 61 * The majority of the MAC Framework implementation may be found in 62 * src/sys/security/mac. Sample policy modules may be found in 63 * src/sys/security/mac_*. 64 */ 65 66#include "opt_mac.h" 67 68#include <sys/cdefs.h> |
69__FBSDID("$FreeBSD: head/sys/security/mac/mac_framework.c 182063 2008-08-23 15:26:36Z rwatson $"); | 69__FBSDID("$FreeBSD: head/sys/security/mac/mac_framework.c 187016 2009-01-10 10:58:41Z rwatson $"); |
70 71#include <sys/param.h> 72#include <sys/condvar.h> 73#include <sys/kernel.h> 74#include <sys/lock.h> 75#include <sys/mutex.h> 76#include <sys/mac.h> 77#include <sys/module.h> --- 246 unchanged lines hidden (view full) --- 324static void 325mac_late_init(void) 326{ 327 328 mac_late = 1; 329} 330 331/* | 70 71#include <sys/param.h> 72#include <sys/condvar.h> 73#include <sys/kernel.h> 74#include <sys/lock.h> 75#include <sys/mutex.h> 76#include <sys/mac.h> 77#include <sys/module.h> --- 246 unchanged lines hidden (view full) --- 324static void 325mac_late_init(void) 326{ 327 328 mac_late = 1; 329} 330 331/* |
332 * After the policy list has changed, walk the list to update any global 333 * flags. Currently, we support only one flag, and it's conditionally 334 * defined; as a result, the entire function is conditional. Eventually, the 335 * #else case might also iterate across the policies. | 332 * Given a policy, derive from its set of non-NULL label init methods what 333 * object types the policy is interested in. |
336 */ | 334 */ |
335static uint64_t 336mac_policy_getlabeled(struct mac_policy_conf *mpc) 337{ 338 uint64_t labeled; 339 340#define MPC_FLAG(method, flag) \ 341 if (mpc->mpc_ops->mpo_ ## method != NULL) \ 342 labeled |= (flag); \ 343 344 labeled = 0; 345 MPC_FLAG(cred_init_label, MPC_OBJECT_CRED); 346 MPC_FLAG(proc_init_label, MPC_OBJECT_PROC); 347 MPC_FLAG(vnode_init_label, MPC_OBJECT_VNODE); 348 MPC_FLAG(inpcb_init_label, MPC_OBJECT_INPCB); 349 MPC_FLAG(socket_init_label, MPC_OBJECT_SOCKET); 350 MPC_FLAG(devfs_init_label, MPC_OBJECT_DEVFS); 351 MPC_FLAG(mbuf_init_label, MPC_OBJECT_MBUF); 352 MPC_FLAG(ipq_init_label, MPC_OBJECT_IPQ); 353 MPC_FLAG(ifnet_init_label, MPC_OBJECT_IFNET); 354 MPC_FLAG(bpfdesc_init_label, MPC_OBJECT_BPFDESC); 355 MPC_FLAG(pipe_init_label, MPC_OBJECT_PIPE); 356 MPC_FLAG(mount_init_label, MPC_OBJECT_MOUNT); 357 MPC_FLAG(posixsem_init_label, MPC_OBJECT_POSIXSEM); 358 MPC_FLAG(posixshm_init_label, MPC_OBJECT_POSIXSHM); 359 MPC_FLAG(sysvmsg_init_label, MPC_OBJECT_SYSVMSG); 360 MPC_FLAG(sysvmsq_init_label, MPC_OBJECT_SYSVMSQ); 361 MPC_FLAG(sysvsem_init_label, MPC_OBJECT_SYSVSEM); 362 MPC_FLAG(sysvshm_init_label, MPC_OBJECT_SYSVSHM); 363 MPC_FLAG(syncache_init_label, MPC_OBJECT_SYNCACHE); 364 MPC_FLAG(ip6q_init_label, MPC_OBJECT_IP6Q); 365 366#undef MPC_FLAG 367 return (labeled); 368} 369 370/* 371 * When policies are loaded or unloaded, walk the list of registered policies 372 * and built mac_labeled, a bitmask representing the union of all objects 373 * requiring labels across all policies. 374 */ |
|
337static void 338mac_policy_updateflags(void) 339{ 340 struct mac_policy_conf *mpc; 341 342 mac_policy_assert_exclusive(); 343 344 mac_labeled = 0; 345 LIST_FOREACH(mpc, &mac_static_policy_list, mpc_list) | 375static void 376mac_policy_updateflags(void) 377{ 378 struct mac_policy_conf *mpc; 379 380 mac_policy_assert_exclusive(); 381 382 mac_labeled = 0; 383 LIST_FOREACH(mpc, &mac_static_policy_list, mpc_list) |
346 mac_labeled |= mpc->mpc_labeled; | 384 mac_labeled |= mac_policy_getlabeled(mpc); |
347 LIST_FOREACH(mpc, &mac_policy_list, mpc_list) | 385 LIST_FOREACH(mpc, &mac_policy_list, mpc_list) |
348 mac_labeled |= mpc->mpc_labeled; | 386 mac_labeled |= mac_policy_getlabeled(mpc); |
349} 350 351static int 352mac_policy_register(struct mac_policy_conf *mpc) 353{ 354 struct mac_policy_conf *tmpc; 355 int error, slot, static_entry; 356 --- 215 unchanged lines hidden --- | 387} 388 389static int 390mac_policy_register(struct mac_policy_conf *mpc) 391{ 392 struct mac_policy_conf *tmpc; 393 int error, slot, static_entry; 394 --- 215 unchanged lines hidden --- |
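Review bot: `MPC_FLAG` in the new `mac_policy_getlabeled` expands to a bare `if` whose continuation line ends with a trailing backslash on an empty line, so the macro swallows whatever follows it and cannot be safely used as a single statement after an unbraced `if`/`else`; wrap it as `do { if (mpc->mpc_ops->mpo_ ## method != NULL) labeled |= (flag); } while (0)` and drop the dangling continuation. The derivation now makes a policy's label coverage depend solely on which `*_init_label` entry points it provides, which presumably means a policy that consults an object's label from a check method without supplying the matching init method will see that object type left out of `mac_labeled`; the header comment should state this contract explicitly, e.g. `* A policy must provide the *_init_label method for every object type whose label it later reads or writes; only those types contribute to mac_labeled.` The comment above `mac_policy_updateflags` reads "and built mac_labeled" and should read "and builds mac_labeled". `mac_policy_register` continues outside this section.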