From 5743072acfd292c98911ffb9ccbb0889d58912a6 Mon Sep 17 00:00:00 2001
From: rwatson
Date: Sat, 10 Jan 2009 10:58:41 +0000
Subject: Rather than having MAC policies explicitly declare what object types they label, derive that information implicitly from the set of label initializers in their policy operations set. This avoids a possible class of programmer errors, while retaining the structure that allows us to avoid allocating labels for objects that don't need them. As before, we regenerate a global mask of labeled objects each time a policy is loaded or unloaded, stored in mac_labeled. Discussed with: csjp Suggested by: Jacques Vidrine Obtained from: TrustedBSD Project Sponsored by: Apple, Inc.
---
 sys/security/mac_lomac/mac_lomac.c | 23 +----------------------
 1 file changed, 1 insertion(+), 22 deletions(-)
(limited to 'sys/security/mac_lomac/mac_lomac.c')
diff --git a/sys/security/mac_lomac/mac_lomac.c b/sys/security/mac_lomac/mac_lomac.c
index e2620cd..da3aa30 100644
--- a/sys/security/mac_lomac/mac_lomac.c
+++ b/sys/security/mac_lomac/mac_lomac.c
@@ -3052,26 +3052,5 @@ static struct mac_policy_ops lomac_ops =
 .mpo_vnode_setlabel_extattr = lomac_vnode_setlabel_extattr,
 };
 
-#define LOMAC_OBJECTS (MPC_OBJECT_CRED | \
- /* MPC_OBJECT_PROC | */ \
- MPC_OBJECT_VNODE | \
- MPC_OBJECT_INPCB | \
- MPC_OBJECT_SOCKET | \
- MPC_OBJECT_DEVFS | \
- MPC_OBJECT_MBUF | \
- MPC_OBJECT_IPQ | \
- MPC_OBJECT_IP6Q | \
- MPC_OBJECT_IFNET | \
- MPC_OBJECT_BPFDESC | \
- MPC_OBJECT_PIPE | \
- MPC_OBJECT_MOUNT | \
- /* MPC_OBJECT_POSIXSEM | */ \
- /* MPC_OBJECT_POSIXSHM | */ \
- /* MPC_OBJECT_SYSVMSG | */ \
- /* MPC_OBJECT_SYSVMSQ | */ \
- /* MPC_OBJECT_SYSVSEM | */ \
- /* MPC_OBJECT_SYSVSHM | */ \
- MPC_OBJECT_SYNCACHE)
-
 MAC_POLICY_SET(&lomac_ops, mac_lomac, "TrustedBSD MAC/LOMAC",
- MPC_LOADTIME_FLAG_NOTLATE, &lomac_slot, LOMAC_OBJECTS);
+ MPC_LOADTIME_FLAG_NOTLATE, &lomac_slot);
-- 
cgit v1.1
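Review bot: With the explicit `LOMAC_OBJECTS` mask gone, the object types LOMAC gets labels for are decided entirely by which label initializers appear in `lomac_ops`, and that table starts outside this hunk, so the equivalence with the old mask cannot be checked from the lines shown. The removed macro deliberately left out PROC, POSIXSEM, POSIXSHM and the SYSV types; if `lomac_ops` carries an initializer for any of those, or lacks one for a type the macro listed, the effective labeled set changes with this commit without any visible marker. It would help to state in the commit message whether the derived set equals the old mask. A comment above the registration, such as `/* Labeled object types are derived from the label initializers in lomac_ops. */`, would also make a later edit to the ops table recognisable as a change to what gets labeled.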