From 71ce8bbc83c48ab4b6876cd489d4bc102d1bc859 Mon Sep 17 00:00:00 2001
From: rwatson
Date: Mon, 28 Oct 2002 19:44:05 +0000
Subject: Remove all reference to 'struct oldmac', since it's no longer required with the new VFS/EA semantics in the MAC framework. Move the per-policy structures out to per-policy include files, removing all policy-specific defines and structures out of the base framework includes and implementation, making mac_biba and mac_mls entirely self-contained.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
---
 sys/security/mac/mac_framework.h | 51 ++--------------------------------------
 sys/security/mac_biba/mac_biba.h | 27 +++++++++++++++++++++
 sys/security/mac_mls/mac_mls.h | 32 +++++++++++++++++++++++++
 sys/sys/mac.h | 51 ++--------------------------------------
 4 files changed, 63 insertions(+), 98 deletions(-)
diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h
index 0e07753..68ad4b4 100644
--- a/sys/security/mac/mac_framework.h
+++ b/sys/security/mac/mac_framework.h
@@ -106,54 +106,7 @@ int mac_set_proc(const mac_t _label);
 int mac_syscall(const char *_policyname, int _call, void *_arg);
 int mac_to_text(mac_t mac, char **_text);
-#endif /* !_KERNEL */
-
-/*
- * XXXMAC: For compatibility until the labels on disk are changed. We
- * will enable the definitions in various policy include files once
- * these can be disabled.
- */
-
-#define MAC_BIBA_MAX_COMPARTMENTS 256
-
-struct mac_biba_element {
- u_short mbe_type;
- u_short mbe_grade;
- u_char mbe_compartments[MAC_BIBA_MAX_COMPARTMENTS >> 3];
-};
-
-struct mac_biba {
- int mb_flags;
- struct mac_biba_element mb_single;
- struct mac_biba_element mb_rangelow, mb_rangehigh;
-};
-
-#define MAC_MLS_MAX_COMPARTMENTS 256
-
-struct mac_mls_element {
- u_short mme_type;
- u_short mme_level;
- u_char mme_compartments[MAC_MLS_MAX_COMPARTMENTS >> 3];
-};
-
-struct mac_mls {
- int mm_flags;
- struct mac_mls_element mm_single;
- struct mac_mls_element mm_rangelow, mm_rangehigh;
-};
-
-struct mac_sebsd {
- uint32_t ms_psid;
-};
-
-struct oldmac {
- int m_macflags;
- struct mac_biba m_biba;
- struct mac_mls m_mls;
- struct mac_sebsd m_sebsd;
-};
-
-#ifdef _KERNEL
+#else /* _KERNEL */
 /*
  * Kernel functions to manage and evaluate labels.
@@ -373,6 +326,6 @@ int mac_pipe_label_set(struct ucred *cred, struct pipe *pipe,
  */
 int vop_stdsetlabel_ea(struct vop_setlabel_args *ap);
-#endif /* _KERNEL */
+#endif /* !_KERNEL */
 #endif /* !_SYS_MAC_H */
diff --git a/sys/security/mac_biba/mac_biba.h b/sys/security/mac_biba/mac_biba.h
index 95af8dd..67d2bc8 100644
--- a/sys/security/mac_biba/mac_biba.h
+++ b/sys/security/mac_biba/mac_biba.h
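Review bot: `struct mac_sebsd` and `struct oldmac` are deleted from the unconditional part of the header but, unlike the Biba and MLS definitions, are not re-homed anywhere in this patch — the diffstat lists no SEBSD file. The commit message justifies dropping `struct oldmac` but says nothing about `struct mac_sebsd`/`ms_psid`; if any policy module or userland tool still includes this header for that type it will stop compiling, so either confirm nothing references it or say in the commit message that the SEBSD label structure now belongs to that policy's own header. The `#else /* _KERNEL */` and `#endif /* !_KERNEL */` pairing across the two hunks is consistent with the `#ifndef _KERNEL` block it now closes, though that opening directive lies outside the hunk. The sys/sys/mac.h section later in the patch carries identical hunks (same blob ids 0e07753..68ad4b4) and this note applies there as well.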
@@ -61,6 +61,33 @@
  * MAC_BIBA_TYPE_LABEL.
  */
 /*
+ * Structures and constants associated with a Biba Integrity policy.
+ * mac_biba represents a Biba label, with mb_type determining its properties,
+ * and mb_grade represents the hierarchal grade if valid for the current
+ * mb_type.
+ */
+
+#define MAC_BIBA_MAX_COMPARTMENTS 256
+
+struct mac_biba_element {
+ u_short mbe_type;
+ u_short mbe_grade;
+ u_char mbe_compartments[MAC_BIBA_MAX_COMPARTMENTS >> 3];
+};
+
+/*
+ * Biba labels consist of two components: a single label, and a label
+ * range. Depending on the context, one or both may be used; the mb_flags
+ * field permits the provider to indicate what fields are intended for
+ * use.
+ */
+struct mac_biba {
+ int mb_flags;
+ struct mac_biba_element mb_single;
+ struct mac_biba_element mb_rangelow, mb_rangehigh;
+};
+
+/*
  * Biba compartments bit test/set macros.
  * The range is 1 to MAC_BIBA_MAX_COMPARTMENTS.
  */
diff --git a/sys/security/mac_mls/mac_mls.h b/sys/security/mac_mls/mac_mls.h
index 23296dd..2e464dc 100644
--- a/sys/security/mac_mls/mac_mls.h
+++ b/sys/security/mac_mls/mac_mls.h
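Review bot: The new header comment names fields `mb_type` and `mb_grade`, but the members added a few lines below are `mbe_type` and `mbe_grade` of `struct mac_biba_element` (the `mb_` prefix belongs to `struct mac_biba`), and "hierarchal" is a typo; suggested wording: `mac_biba_element represents one Biba label component, with mbe_type determining its properties and mbe_grade the hierarchical grade if valid for the current mbe_type.` `MAC_BIBA_MAX_COMPARTMENTS` is added without a comment while its MLS twin gets one; because `mbe_compartments` holds `MAC_BIBA_MAX_COMPARTMENTS >> 3` bytes and the trailing context says the bit macros range over 1..MAC_BIBA_MAX_COMPARTMENTS, a value that is not a multiple of 8 would let the last compartments address past the array, so a note such as `/* Biba compartments bit set size (in bits); must be a multiple of 8. */` would pin that constraint. The comment removed from sys/mac.h described these structures as tied to the on-disk label format; if that is still the case, a sentence here stating that the layout is stable would help, but I cannot tell from this patch alone.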
@@ -61,6 +61,38 @@
  * MAC_MLS_TYPE_LABEL.
  */
 /*
+ * Structures and constants associated with a Multi-Level Security policy.
+ * mac_mls represents an MLS label, with mm_type determining its properties,
+ * and mm_level represents the hierarchal sensitivity level if valid for the
+ * current mm_type. If compartments are used, the same semantics apply as
+ * long as the suject is in every compartment the object is in. LOW, EQUAL
+ * and HIGH cannot be in compartments.
+ */
+
+/*
+ * MLS compartments bit set size (in bits).
+ */
+#define MAC_MLS_MAX_COMPARTMMENTS 256
+
+struct mac_mls_element {
+ u_short mme_type;
+ u_short mme_level;
+ u_char mme_compartments[MAC_MLS_MAX_COMPARTMENTS >> 3];
+};
+
+/*
+ * MLS labels consist of two components: a single label, and a label
+ * range. Depending on the context, one or both may be used; the mb_flags
+ * field permits the provider to indicate what fields are intended for
+ * use.
+ */
+struct mac_mls {
+ int mm_flags;
+ struct mac_mls_element mm_single;
+ struct mac_mls_element mm_rangelow, mm_rangehigh;
+};
+
+/*
  * MLS compartments bit test/set macros.
  * The range is 1 to MAC_MLS_MAX_COMPARTMENTS.
  */
diff --git a/sys/sys/mac.h b/sys/sys/mac.h
index 0e07753..68ad4b4 100644
--- a/sys/sys/mac.h
+++ b/sys/sys/mac.h
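Review bot: `#define MAC_MLS_MAX_COMPARTMMENTS 256` is misspelled (double M), while `mme_compartments[MAC_MLS_MAX_COMPARTMENTS >> 3]` a few lines later and the bit test/set macros in the trailing context use the correct name; since this same patch removes the `MAC_MLS_MAX_COMPARTMENTS` definition from sys/mac.h, nothing I can see defines that identifier any more and this header will fail to compile when the policy is built. The fix is `#define MAC_MLS_MAX_COMPARTMENTS 256`. The two comments are copied from the Biba header without adjustment: the label comment says "the mb_flags field" where the member is `mm_flags`, the policy comment names `mm_type`/`mm_level` where the members are `mme_type`/`mme_level` of `struct mac_mls_element`, and "suject" and "hierarchal" are typos. Extending the constant's comment with `must be a multiple of 8, as mme_compartments holds MAC_MLS_MAX_COMPARTMENTS >> 3 bytes` would document the constraint the array size and the 1..MAX bit macros silently rely on.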
@@ -106,54 +106,7 @@ int mac_set_proc(const mac_t _label);
 int mac_syscall(const char *_policyname, int _call, void *_arg);
 int mac_to_text(mac_t mac, char **_text);
-#endif /* !_KERNEL */
-
-/*
- * XXXMAC: For compatibility until the labels on disk are changed. We
- * will enable the definitions in various policy include files once
- * these can be disabled.
- */
-
-#define MAC_BIBA_MAX_COMPARTMENTS 256
-
-struct mac_biba_element {
- u_short mbe_type;
- u_short mbe_grade;
- u_char mbe_compartments[MAC_BIBA_MAX_COMPARTMENTS >> 3];
-};
-
-struct mac_biba {
- int mb_flags;
- struct mac_biba_element mb_single;
- struct mac_biba_element mb_rangelow, mb_rangehigh;
-};
-
-#define MAC_MLS_MAX_COMPARTMENTS 256
-
-struct mac_mls_element {
- u_short mme_type;
- u_short mme_level;
- u_char mme_compartments[MAC_MLS_MAX_COMPARTMENTS >> 3];
-};
-
-struct mac_mls {
- int mm_flags;
- struct mac_mls_element mm_single;
- struct mac_mls_element mm_rangelow, mm_rangehigh;
-};
-
-struct mac_sebsd {
- uint32_t ms_psid;
-};
-
-struct oldmac {
- int m_macflags;
- struct mac_biba m_biba;
- struct mac_mls m_mls;
- struct mac_sebsd m_sebsd;
-};
-
-#ifdef _KERNEL
+#else /* _KERNEL */
 /*
  * Kernel functions to manage and evaluate labels.
@@ -373,6 +326,6 @@ int mac_pipe_label_set(struct ucred *cred, struct pipe *pipe,
  */
 int vop_stdsetlabel_ea(struct vop_setlabel_args *ap);
-#endif /* _KERNEL */
+#endif /* !_KERNEL */
 #endif /* !_SYS_MAC_H */
--
cgit v1.1