From be23ba9aab3096c48ab0b0a8e52cbabbfaad1f55 Mon Sep 17 00:00:00 2001
From: Robert Watson
Date: Thu, 28 Dec 2006 21:48:38 +0000
Subject: [PATCH] Centralize definition of MAC_VERSION in mac_policy.h, as it defines the kernel<->policy ABI version. Add a comment to the definition describing it and listing known versions. Modify MAC_POLICY_SET() to reference the current kernel version by name rather than by number. Staticize mac_late, which is used only in mac_framework.c.
Obtained from: TrustedBSD Project
---
 sys/security/mac/mac_framework.c | 7 +++----
 sys/security/mac/mac_internal.h | 1 -
 sys/security/mac/mac_policy.h | 17 ++++++++++++++++-
 3 files changed, 19 insertions(+), 6 deletions(-)
diff --git a/sys/security/mac/mac_framework.c b/sys/security/mac/mac_framework.c
index f248e55742b..94a593e62f3 100644
--- a/sys/security/mac/mac_framework.c
+++ b/sys/security/mac/mac_framework.c
@@ -90,10 +90,9 @@ SYSCTL_NODE(_security, OID_AUTO, mac, CTLFLAG_RW, 0,
 * This permits modules to refuse to be loaded if the necessary support isn't
 * present, even if it's pre-boot.
 */
-#define MAC_VERSION 3
-static unsigned int mac_version = MAC_VERSION;
-
 MODULE_VERSION(kernel_mac_support, MAC_VERSION);
+
+static unsigned int mac_version = MAC_VERSION;
 SYSCTL_UINT(_security_mac, OID_AUTO, version, CTLFLAG_RD, &mac_version, 0,
 "");
 
@@ -121,7 +120,7 @@ SYSCTL_UINT(_security_mac, OID_AUTO, max_slots, CTLFLAG_RD, &mac_max_slots,
 * access to this variable is serialized during the boot process. Following
 * the end of serialization, we don't update this flag; no locking.
 */
-int mac_late = 0;
+static int mac_late = 0;
 
 /*
 * Flag to indicate whether or not we should allocate label storage for new
diff --git a/sys/security/mac/mac_internal.h b/sys/security/mac/mac_internal.h
index 24a6cfc5cf2..a235bd726ff 100644
--- a/sys/security/mac/mac_internal.h
+++ b/sys/security/mac/mac_internal.h
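Review bot: The `security.mac.version` sysctl backed by the relocated `mac_version` is still registered with an empty description, the `""` in the `SYSCTL_UINT` just below the added line in the `-90,10 +90,9` hunk of mac_framework.c. An administrator or audit script reads this value to confirm which policy ABI the running kernel enforces, so I would fill it in while these lines are being touched, e.g. `"TrustedBSD MAC Framework ABI version"`. `MAC_VERSION` is no longer defined in this file, so the hunk relies on mac_policy.h being included above line 90, which is outside the visible lines.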
@@ -60,7 +60,6 @@ MALLOC_DECLARE(M_MACTEMP);
 */
 extern struct mac_policy_list_head mac_policy_list;
 extern struct mac_policy_list_head mac_static_policy_list;
-extern int mac_late;
 #ifndef MAC_ALWAYS_LABEL_MBUF
 extern int mac_labelmbufs;
 #endif
diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h
index c7de3c80341..5de8ff64470 100644
--- a/sys/security/mac/mac_policy.h
+++ b/sys/security/mac/mac_policy.h
@@ -926,6 +926,20 @@ struct mac_policy_conf {
 /* Flags for the mpc_runtime_flags field. */
 #define MPC_RUNTIME_FLAG_REGISTERED 0x00000001
 
+/*-
+ * The TrustedBSD MAC Framework has a major version number, MAC_VERSION,
+ * which defines the ABI of the Framework present in the kernel (and depended
+ * on by policy modules compiled against that kernel). Currently,
+ * MAC_POLICY_SET() requires that the kernel and module ABI version numbers
+ * exactly match. The following major versions have been defined to date:
+ *
+ * MAC version FreeBSD versions
+ * 1 5.x
+ * 2 6.x
+ * 3 7.x
+ */
+#define MAC_VERSION 3
+
 #define MAC_POLICY_SET(mpops, mpname, mpfullname, mpflags, privdata_wanted) \
 static struct mac_policy_conf mpname##_mac_policy_conf = { \
 #mpname, \
@@ -940,7 +954,8 @@ struct mac_policy_conf {
 mac_policy_modevent, \
 &mpname##_mac_policy_conf \
 }; \
- MODULE_DEPEND(mpname, kernel_mac_support, 3, 3, 3); \
+ MODULE_DEPEND(mpname, kernel_mac_support, MAC_VERSION, \
+ MAC_VERSION, MAC_VERSION); \
 DECLARE_MODULE(mpname, mpname##_mod, SI_SUB_MAC_POLICY, \
 SI_ORDER_MIDDLE)
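Review bot: The new comment above `#define MAC_VERSION 3` in the `-926,6 +926,20` hunk of mac_policy.h lists the known versions but never says when the number must change. The exact-match dependency in `MAC_POLICY_SET()` is the only compatibility gate the comment describes between the kernel and a policy module, so the bump rule belongs here. I would add a sentence such as `* MAC_VERSION must be incremented whenever struct mac_policy_conf or the operations vector passed as mpops changes layout, so that a stale module is refused at load time.` This is inferred from the comment's own description of the version as the Framework ABI; the structure definitions are outside the hunk. The `MODULE_DEPEND` change in the following hunk expands in the module's translation unit, so the comment could also state that a module records the version it was compiled against.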