From 5743072acfd292c98911ffb9ccbb0889d58912a6 Mon Sep 17 00:00:00 2001
From: rwatson
Date: Sat, 10 Jan 2009 10:58:41 +0000
Subject: Rather than having MAC policies explicitly declare what object types they label, derive that information implicitly from the set of label initializers in their policy operations set. This avoids a possible class of programmer errors, while retaining the structure that allows us to avoid allocating labels for objects that don't need them. As before, we regenerate a global mask of labeled objects each time a policy is loaded or unloaded, stored in mac_labeled.
Discussed with: csjp
Suggested by: Jacques Vidrine
Obtained from: TrustedBSD Project
Sponsored by: Apple, Inc.
---
 sys/security/mac_biba/mac_biba.c | 23 +---------------------
 1 file changed, 1 insertion(+), 22 deletions(-)
(limited to 'sys/security/mac_biba/mac_biba.c')
diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c
index 72a3f0e..26366e3 100644
--- a/sys/security/mac_biba/mac_biba.c
+++ b/sys/security/mac_biba/mac_biba.c
@@ -3545,26 +3545,5 @@ static struct mac_policy_ops mac_biba_ops =
 .mpo_vnode_setlabel_extattr = biba_vnode_setlabel_extattr,
 };
 
-#define BIBA_OBJECTS (MPC_OBJECT_CRED | \
- /* MPC_OBJECT_PROC | */ \
- MPC_OBJECT_VNODE | \
- MPC_OBJECT_INPCB | \
- MPC_OBJECT_SOCKET | \
- MPC_OBJECT_DEVFS | \
- MPC_OBJECT_MBUF | \
- MPC_OBJECT_IPQ | \
- MPC_OBJECT_IP6Q | \
- MPC_OBJECT_IFNET | \
- MPC_OBJECT_BPFDESC | \
- MPC_OBJECT_PIPE | \
- MPC_OBJECT_MOUNT | \
- MPC_OBJECT_POSIXSEM | \
- /* MPC_OBJECT_POSIXSHM | */ \
- MPC_OBJECT_SYSVMSG | \
- MPC_OBJECT_SYSVMSQ | \
- MPC_OBJECT_SYSVSEM | \
- MPC_OBJECT_SYSVSHM | \
- MPC_OBJECT_SYNCACHE)
-
 MAC_POLICY_SET(&mac_biba_ops, mac_biba, "TrustedBSD MAC/Biba",
- MPC_LOADTIME_FLAG_NOTLATE, &biba_slot, BIBA_OBJECTS);
+ MPC_LOADTIME_FLAG_NOTLATE, &biba_slot);
-- 
cgit v1.1
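Review bot: With `BIBA_OBJECTS` removed, nothing in this hunk records that Biba deliberately leaves process and POSIX shared-memory objects unlabeled (the two commented-out `MPC_OBJECT_PROC` / `MPC_OBJECT_POSIXSHM` entries). The labeled set now depends entirely on which label initializers `mac_biba_ops` carries. That table starts outside the hunk, so it is worth confirming it has no initializer for either of those two object types; if it does, the policy would begin allocating labels for objects the old mask excluded. I would add a short comment above `MAC_POLICY_SET`, e.g. `/* Labeled object types are derived from the label initializers in mac_biba_ops; proc and POSIX shm are intentionally not labeled. */`, so a later edit to the table is understood as changing what gets labeled.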