author | rwatson <rwatson@FreeBSD.org> | 2006-10-22 11:52:19 +0000 |
---|---|---|
committer | rwatson <rwatson@FreeBSD.org> | 2006-10-22 11:52:19 +0000 |
commit | 7beaaf5cd2391ef1f8159791b46dbeb83ab0c2fb (patch) | |
tree | 15bbe7ba3ad64d39db33baa0b88a2dae4206568e /sys/security | |
parent | cbcb760109a202fb847f48aa942a8b84b1e85015 (diff) | |
download | FreeBSD-src-7beaaf5cd2391ef1f8159791b46dbeb83ab0c2fb.zip FreeBSD-src-7beaaf5cd2391ef1f8159791b46dbeb83ab0c2fb.tar.gz |
Complete break-out of sys/sys/mac.h into sys/security/mac/mac_framework.h
begun with a repo-copy of mac.h to mac_framework.h. sys/mac.h now
contains the userspace and user<->kernel API and definitions, with all
in-kernel interfaces moved to mac_framework.h, which is now included
across most of the kernel instead.
This change is the first step in a larger cleanup and sweep of MAC
Framework interfaces in the kernel, and will not be MFC'd.
Obtained from: TrustedBSD Project
Sponsored by: SPARTA
Diffstat (limited to 'sys/security')
-rw-r--r-- | sys/security/mac/mac_framework.c | 3 | ||||
-rw-r--r-- | sys/security/mac/mac_framework.h | 86 | ||||
-rw-r--r-- | sys/security/mac/mac_inet.c | 1 | ||||
-rw-r--r-- | sys/security/mac/mac_label.c | 1 | ||||
-rw-r--r-- | sys/security/mac/mac_net.c | 1 | ||||
-rw-r--r-- | sys/security/mac/mac_pipe.c | 1 | ||||
-rw-r--r-- | sys/security/mac/mac_policy.h | 2 | ||||
-rw-r--r-- | sys/security/mac/mac_posix_sem.c | 1 | ||||
-rw-r--r-- | sys/security/mac/mac_process.c | 1 | ||||
-rw-r--r-- | sys/security/mac/mac_socket.c | 1 | ||||
-rw-r--r-- | sys/security/mac/mac_syscalls.c | 3 | ||||
-rw-r--r-- | sys/security/mac/mac_system.c | 1 | ||||
-rw-r--r-- | sys/security/mac/mac_sysv_msg.c | 1 | ||||
-rw-r--r-- | sys/security/mac/mac_sysv_sem.c | 1 | ||||
-rw-r--r-- | sys/security/mac/mac_sysv_shm.c | 1 | ||||
-rw-r--r-- | sys/security/mac/mac_vfs.c | 1 | ||||
-rw-r--r-- | sys/security/mac_lomac/mac_lomac.c | 2 |
17 files changed, 32 insertions, 76 deletions
diff --git a/sys/security/mac/mac_framework.c b/sys/security/mac/mac_framework.c
index b553c80..8d69dcc 100644
--- a/sys/security/mac/mac_framework.c
+++ b/sys/security/mac/mac_framework.c
@@ -2,7 +2,7 @@
 * Copyright (c) 1999-2002 Robert N. M. Watson
 * Copyright (c) 2001 Ilmar S. Habibulin
 * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
- * Copyright (c) 2005 SPARTA, Inc.
+ * Copyright (c) 2005-2006 SPARTA, Inc.
 * All rights reserved.
 *
 * This software was developed by Robert Watson and Ilmar Habibulin for the
@@ -91,6 +91,7 @@ __FBSDID("$FreeBSD$");
 #include <netinet/in.h>
 #include <netinet/ip_var.h>
+#include <security/mac/mac_framework.h>
 #include <security/mac/mac_internal.h>
 #ifdef MAC
diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h
index 520e767..02d3eb9 100644
--- a/sys/security/mac/mac_framework.h
+++ b/sys/security/mac/mac_framework.h
@@ -1,7 +1,7 @@
 /*-
 * Copyright (c) 1999-2002 Robert N. M. Watson
 * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
- * Copyright (c) 2005 SPARTA, Inc.
+ * Copyright (c) 2005-2006 SPARTA, Inc.
 * All rights reserved.
 *
 * This software was developed by Robert Watson for the TrustedBSD Project.
@@ -37,91 +37,33 @@
 *
 * $FreeBSD$
 */
-/*
- * Userland/kernel interface for Mandatory Access Control.
- *
- * The POSIX.1e implementation page may be reached at:
- * http://www.trustedbsd.org/
- */
-
-#ifndef _SYS_MAC_H_
-#define _SYS_MAC_H_
-
-#include <sys/_label.h>
-
-#ifndef _POSIX_MAC
-#define _POSIX_MAC
-#endif
 /*
- * MAC framework-related constants and limits.
+ * Kernel interface for Mandatory Access Control -- how kernel services
+ * interact with the TrustedBSD MAC Framework.
 */
-#define MAC_MAX_POLICY_NAME 32
-#define MAC_MAX_LABEL_ELEMENT_NAME 32
-#define MAC_MAX_LABEL_ELEMENT_DATA 4096
-#define MAC_MAX_LABEL_BUF_LEN 8192
-
-struct mac {
- size_t m_buflen;
- char *m_string;
-};
-typedef struct mac *mac_t;
+#ifndef _SYS_SECURITY_MAC_MAC_FRAMEWORK_H_
+#define _SYS_SECURITY_MAC_MAC_MAC_FRAMEWORK_H_
 #ifndef _KERNEL
+#error "no user-serviceable parts inside"
+#endif
-/*
- * Location of the userland MAC framework configuration file. mac.conf
- * binds policy names to shared libraries that understand those policies,
- * as well as setting defaults for MAC-aware applications.
- */
-#define MAC_CONFFILE "/etc/mac.conf"
-
-/*
- * Extended non-POSIX.1e interfaces that offer additional services
- * available from the userland and kernel MAC frameworks.
- */
-__BEGIN_DECLS
-int mac_execve(char *fname, char **argv, char **envv, mac_t _label);
-int mac_free(mac_t _label);
-int mac_from_text(mac_t *_label, const char *_text);
-int mac_get_fd(int _fd, mac_t _label);
-int mac_get_file(const char *_path, mac_t _label);
-int mac_get_link(const char *_path, mac_t _label);
-int mac_get_peer(int _fd, mac_t _label);
-int mac_get_pid(pid_t _pid, mac_t _label);
-int mac_get_proc(mac_t _label);
-int mac_is_present(const char *_policyname);
-int mac_prepare(mac_t *_label, const char *_elements);
-int mac_prepare_file_label(mac_t *_label);
-int mac_prepare_ifnet_label(mac_t *_label);
-int mac_prepare_process_label(mac_t *_label);
-int mac_prepare_type(mac_t *_label, const char *_type);
-int mac_set_fd(int _fildes, const mac_t _label);
-int mac_set_file(const char *_path, mac_t _label);
-int mac_set_link(const char *_path, mac_t _label);
-int mac_set_proc(const mac_t _label);
-int mac_syscall(const char *_policyname, int _call, void *_arg);
-int mac_to_text(mac_t mac, char **_text);
-__END_DECLS
-
-#else /* _KERNEL */
+#include <sys/_label.h>
-/*
- * Kernel functions to manage and evaluate labels.
- */
 struct bpf_d;
 struct cdev;
 struct componentname;
 struct devfs_dirent;
 struct ifnet;
 struct ifreq;
-struct inpcb;
 struct image_params;
 struct inpcb;
 struct ipq;
 struct ksem;
 struct m_tag;
+struct mac;
 struct mbuf;
 struct mount;
 struct msg;
@@ -140,14 +82,14 @@ struct ucred;
 struct uio;
 struct vattr;
 struct vnode;
+struct vop_setlabel_args;
 #include <sys/acl.h> /* XXX acl_type_t */
-struct vop_setlabel_args;
-
 /*
- * Label operations.
+ * Kernel functions to manage and evaluate labels.
 */
+
 void mac_init_bpfdesc(struct bpf_d *);
 void mac_init_cred(struct ucred *);
 void mac_init_devfsdirent(struct devfs_dirent *);
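Review bot: The include guard introduced in this hunk does not work: the test is `#ifndef _SYS_SECURITY_MAC_MAC_FRAMEWORK_H_` but the line that follows defines `_SYS_SECURITY_MAC_MAC_MAC_FRAMEWORK_H_` (an extra `MAC_`), so the guard macro is never defined and the header body is re-entered on every inclusion. Today the body holds only forward struct declarations, prototypes and a separately guarded `<sys/acl.h>` include, so repeated inclusion still compiles, but any enum, type or object definition later added to this header would then be seen twice and fail to build, and the closing `#endif /* !_SYS_SECURITY_MAC_MAC_FRAMEWORK_H_ */` in the later hunk of this file already names the intended symbol. The fix is the one line `#define _SYS_SECURITY_MAC_MAC_FRAMEWORK_H_`. The `#ifndef` block opened here is closed in the -472/+414 hunk of this file, outside this hunk.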
@@ -472,6 +414,4 @@ void mac_associate_nfsd_label(struct ucred *cred);
 */
 int vop_stdsetlabel_ea(struct vop_setlabel_args *ap);
-#endif /* !_KERNEL */
-
-#endif /* !_SYS_MAC_H_ */
+#endif /* !_SYS_SECURITY_MAC_MAC_FRAMEWORK_H_ */
diff --git a/sys/security/mac/mac_inet.c b/sys/security/mac/mac_inet.c
index 7dafc45..0d35e48 100644
--- a/sys/security/mac/mac_inet.c
+++ b/sys/security/mac/mac_inet.c
@@ -64,6 +64,7 @@ __FBSDID("$FreeBSD$");
 #include <netinet/in_pcb.h>
 #include <netinet/ip_var.h>
+#include <security/mac/mac_framework.h>
 #include <security/mac/mac_internal.h>
 static struct label *
diff --git a/sys/security/mac/mac_label.c b/sys/security/mac/mac_label.c
index f6d92ef..572d598 100644
--- a/sys/security/mac/mac_label.c
+++ b/sys/security/mac/mac_label.c
@@ -41,6 +41,7 @@ __FBSDID("$FreeBSD$");
 #include <vm/uma.h>
+#include <security/mac/mac_framework.h>
 #include <security/mac/mac_internal.h>
 uma_zone_t zone_label;
diff --git a/sys/security/mac/mac_net.c b/sys/security/mac/mac_net.c
index d542806..eb602da 100644
--- a/sys/security/mac/mac_net.c
+++ b/sys/security/mac/mac_net.c
@@ -61,6 +61,7 @@ __FBSDID("$FreeBSD$");
 #include <net/if.h>
 #include <net/if_var.h>
+#include <security/mac/mac_framework.h>
 #include <security/mac/mac_internal.h>
 /*
diff --git a/sys/security/mac/mac_pipe.c b/sys/security/mac/mac_pipe.c
index 6a59567..edc03132 100644
--- a/sys/security/mac/mac_pipe.c
+++ b/sys/security/mac/mac_pipe.c
@@ -49,6 +49,7 @@ __FBSDID("$FreeBSD$");
 #include <sys/mac_policy.h>
+#include <security/mac/mac_framework.h>
 #include <security/mac/mac_internal.h>
 static int mac_enforce_pipe = 1;
diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h
index afd437f..a7e9d834 100644
--- a/sys/security/mac/mac_policy.h
+++ b/sys/security/mac/mac_policy.h
@@ -55,6 +55,8 @@
 * Operations are sorted first by general class of operation, then
 * alphabetically.
 */
+#include <sys/acl.h> /* XXX acl_type_t */
+
 struct acl;
 struct bpf_d;
 struct componentname;
diff --git a/sys/security/mac/mac_posix_sem.c b/sys/security/mac/mac_posix_sem.c
index a71b021..e852779 100644
--- a/sys/security/mac/mac_posix_sem.c
+++ b/sys/security/mac/mac_posix_sem.c
@@ -47,6 +47,7 @@ __FBSDID("$FreeBSD$");
 #include <sys/mac_policy.h>
+#include <security/mac/mac_framework.h>
 #include <security/mac/mac_internal.h>
 static int mac_enforce_posix_sem = 1;
diff --git a/sys/security/mac/mac_process.c b/sys/security/mac/mac_process.c
index c3f8eab..c903204 100644
--- a/sys/security/mac/mac_process.c
+++ b/sys/security/mac/mac_process.c
@@ -64,6 +64,7 @@ __FBSDID("$FreeBSD$");
 #include <sys/mac_policy.h>
+#include <security/mac/mac_framework.h>
 #include <security/mac/mac_internal.h>
 int mac_enforce_process = 1;
diff --git a/sys/security/mac/mac_socket.c b/sys/security/mac/mac_socket.c
index 21439cd..2766716 100644
--- a/sys/security/mac/mac_socket.c
+++ b/sys/security/mac/mac_socket.c
@@ -69,6 +69,7 @@ __FBSDID("$FreeBSD$");
 #include <netinet/in_pcb.h>
 #include <netinet/ip_var.h>
+#include <security/mac/mac_framework.h>
 #include <security/mac/mac_internal.h>
 /*
diff --git a/sys/security/mac/mac_syscalls.c b/sys/security/mac/mac_syscalls.c
index b553c80..8d69dcc 100644
--- a/sys/security/mac/mac_syscalls.c
+++ b/sys/security/mac/mac_syscalls.c
@@ -2,7 +2,7 @@
 * Copyright (c) 1999-2002 Robert N. M. Watson
 * Copyright (c) 2001 Ilmar S. Habibulin
 * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
- * Copyright (c) 2005 SPARTA, Inc.
+ * Copyright (c) 2005-2006 SPARTA, Inc.
 * All rights reserved.
 *
 * This software was developed by Robert Watson and Ilmar Habibulin for the
@@ -91,6 +91,7 @@ __FBSDID("$FreeBSD$");
 #include <netinet/in.h>
 #include <netinet/ip_var.h>
+#include <security/mac/mac_framework.h>
 #include <security/mac/mac_internal.h>
 #ifdef MAC
diff --git a/sys/security/mac/mac_system.c b/sys/security/mac/mac_system.c
index 6cd6430..eef66e6 100644
--- a/sys/security/mac/mac_system.c
+++ b/sys/security/mac/mac_system.c
@@ -47,6 +47,7 @@ __FBSDID("$FreeBSD$");
 #include <sys/mac_policy.h>
+#include <security/mac/mac_framework.h>
 #include <security/mac/mac_internal.h>
 static int mac_enforce_kld = 1;
diff --git a/sys/security/mac/mac_sysv_msg.c b/sys/security/mac/mac_sysv_msg.c
index d7e2629..86ae8a8 100644
--- a/sys/security/mac/mac_sysv_msg.c
+++ b/sys/security/mac/mac_sysv_msg.c
@@ -51,6 +51,7 @@ __FBSDID("$FreeBSD$");
 #include <sys/mac_policy.h>
+#include <security/mac/mac_framework.h>
 #include <security/mac/mac_internal.h>
 static int mac_enforce_sysv_msg = 1;
diff --git a/sys/security/mac/mac_sysv_sem.c b/sys/security/mac/mac_sysv_sem.c
index ffe31e1..aae6788 100644
--- a/sys/security/mac/mac_sysv_sem.c
+++ b/sys/security/mac/mac_sysv_sem.c
@@ -51,6 +51,7 @@ __FBSDID("$FreeBSD$");
 #include <sys/mac_policy.h>
+#include <security/mac/mac_framework.h>
 #include <security/mac/mac_internal.h>
 static int mac_enforce_sysv_sem = 1;
diff --git a/sys/security/mac/mac_sysv_shm.c b/sys/security/mac/mac_sysv_shm.c
index adbea14..b7c8cfb 100644
--- a/sys/security/mac/mac_sysv_shm.c
+++ b/sys/security/mac/mac_sysv_shm.c
@@ -51,6 +51,7 @@ __FBSDID("$FreeBSD$");
 #include <sys/mac_policy.h>
+#include <security/mac/mac_framework.h>
 #include <security/mac/mac_internal.h>
 static int mac_enforce_sysv_shm = 1;
diff --git a/sys/security/mac/mac_vfs.c b/sys/security/mac/mac_vfs.c
index 058dc6c..ef667b1 100644
--- a/sys/security/mac/mac_vfs.c
+++ b/sys/security/mac/mac_vfs.c
@@ -70,6 +70,7 @@ __FBSDID("$FreeBSD$");
 #include <fs/devfs/devfs.h>
+#include <security/mac/mac_framework.h>
 #include <security/mac/mac_internal.h>
 /*
diff --git a/sys/security/mac_lomac/mac_lomac.c b/sys/security/mac_lomac/mac_lomac.c
index 8ae03e0..07484d1 100644
--- a/sys/security/mac_lomac/mac_lomac.c
+++ b/sys/security/mac_lomac/mac_lomac.c
@@ -45,7 +45,6 @@
 #include <sys/conf.h>
 #include <sys/extattr.h>
 #include <sys/kernel.h>
-#include <sys/mac.h>
 #include <sys/malloc.h>
 #include <sys/mman.h>
 #include <sys/mount.h>
@@ -79,6 +78,7 @@
 #include <sys/mac_policy.h>
+#include <security/mac/mac_framework.h>
 #include <security/mac_lomac/mac_lomac.h>
 struct mac_lomac_proc { |