Index: contrib/amd/include/am_defs.h =================================================================== RCS file: /home/ncvs/src/contrib/amd/include/am_defs.h,v retrieving revision 1.12 diff -u -r1.12 am_defs.h --- contrib/amd/include/am_defs.h 2001/09/02 20:37:36 1.12 +++ contrib/amd/include/am_defs.h 2001/09/24 03:45:56 @@ -360,6 +360,7 @@ * Actions to take if exists. */ #ifdef HAVE_SYS_MBUF_H +# include # include /* * OSF4 (DU-4.0) defines m_next and m_data also in so I must @@ -446,6 +447,8 @@ * Actions to take if exists. */ #ifdef HAVE_SYS_UCRED_H +/* XXX: need something more here */ +#include # include #endif /* HAVE_SYS_UCRED_H */ Index: contrib/bind/bin/named/ns_main.c =================================================================== RCS file: /home/ncvs/src/contrib/bind/bin/named/ns_main.c,v retrieving revision 1.1.1.7 diff -u -r1.1.1.7 ns_main.c --- contrib/bind/bin/named/ns_main.c 2001/07/30 16:51:26 1.1.1.7 +++ contrib/bind/bin/named/ns_main.c 2001/09/24 15:08:33 @@ -98,8 +98,6 @@ #include #ifdef SVR4 /* XXX */ # include -#else -# include #endif #include Index: contrib/bind/bin/named/ns_signal.c =================================================================== RCS file: /home/ncvs/src/contrib/bind/bin/named/ns_signal.c,v retrieving revision 1.1.1.3 diff -u -r1.1.1.3 ns_signal.c --- contrib/bind/bin/named/ns_signal.c 2000/10/31 12:35:29 1.1.1.3 +++ contrib/bind/bin/named/ns_signal.c 2001/09/24 15:03:32 @@ -86,8 +86,6 @@ #include #ifdef SVR4 /* XXX */ # include -#else -# include #endif #include Index: contrib/ipfilter/ipsend/sbpf.c =================================================================== RCS file: /home/ncvs/src/contrib/ipfilter/ipsend/sbpf.c,v retrieving revision 1.4 diff -u -r1.4 sbpf.c --- contrib/ipfilter/ipsend/sbpf.c 2001/07/28 12:08:15 1.4 +++ contrib/ipfilter/ipsend/sbpf.c 2001/09/24 12:24:40 
@@ -14,6 +14,7 @@ #include #include #include +#include #include #include #include Index: contrib/sendmail/src/deliver.c =================================================================== RCS file: /home/ncvs/src/contrib/sendmail/src/deliver.c,v retrieving revision 1.1.1.9 diff -u -r1.1.1.9 deliver.c --- contrib/sendmail/src/deliver.c 2001/08/01 01:33:23 1.1.1.9 +++ contrib/sendmail/src/deliver.c 2001/08/05 16:51:40 @@ -1967,7 +1967,7 @@ if (pwd != NULL) (void) setusercontext(NULL, pwd, pwd->pw_uid, - LOGIN_SETRESOURCES|LOGIN_SETPRIORITY); + LOGIN_SETRESOURCES|LOGIN_SETPRIORITY|LOGIN_SETLABEL); } # endif /* HASSETUSERCONTEXT */ Index: etc/login.conf =================================================================== RCS file: /home/ncvs/src/etc/login.conf,v retrieving revision 1.43 diff -u -r1.43 login.conf --- etc/login.conf 2001/09/11 07:01:47 1.43 +++ etc/login.conf 2001/09/19 02:15:28 @@ -36,7 +36,8 @@ :sbsize=unlimited:\ :priority=0:\ :ignoretime@:\ - :umask=022: + :umask=022:\ + :label=biba/low,mls/low,partition/none: # @@ -64,6 +65,7 @@ # in preference to 'default'. root:\ :ignorenologin:\ + :label=biba/high,mls/low,partition/none:\ :tc=default: # Index: lib/libc/gen/getmntinfo.c =================================================================== RCS file: /home/ncvs/src/lib/libc/gen/getmntinfo.c,v retrieving revision 1.3 diff -u -r1.3 getmntinfo.c --- lib/libc/gen/getmntinfo.c 2001/10/10 17:48:42 1.3 +++ lib/libc/gen/getmntinfo.c 2001/10/16 01:11:03 @@ -38,6 +38,7 @@ #endif /* LIBC_SCCS and not lint */ #include +#include #include #include #include Index: lib/libc/gen/getpeereid.c =================================================================== RCS file: /home/ncvs/src/lib/libc/gen/getpeereid.c,v retrieving revision 1.1 diff -u -r1.1 getpeereid.c --- lib/libc/gen/getpeereid.c 2001/08/17 22:09:15 1.1 +++ lib/libc/gen/getpeereid.c 2001/09/23 15:11:20 
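Review bot: The `(void)` cast on `setusercontext` in the deliver.c hunk discards the -1 that LOGIN_SETLABEL processing can now produce, so a MAC label that fails to apply leaves delivery running under the caller's existing label with no diagnostic. Either route the failure to the function's existing error path or record the decision in place, `/* XXX: a LOGIN_SETLABEL failure is deliberately ignored here */`, so the fail-open is visible to the next reader. The enclosing function starts and ends outside the hunk.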
@@ -31,6 +31,7 @@
 #include
 #include
+#include
 #include
 #include
Index: lib/libc/posix1e/Makefile.inc
===================================================================
RCS file: /home/ncvs/src/lib/libc/posix1e/Makefile.inc,v
retrieving revision 1.6
diff -u -r1.6 Makefile.inc
--- lib/libc/posix1e/Makefile.inc 2001/09/01 00:00:50 1.6
+++ lib/libc/posix1e/Makefile.inc 2001/09/09 02:17:41
@@ -32,7 +32,12 @@
 cap_set_file.c \
 cap_set_flag.c \
 cap_set_proc.c \
- cap_text.c
+ cap_text.c \
+ mac_constant.c \
+ mac_free.c \
+ mac_get.c \
+ mac_set.c \
+ mac_text.c
 .if ${LIB} == "c"
Index: lib/libc/posix1e/mac_constant.c
===================================================================
RCS file: mac_constant.c
diff -N mac_constant.c
--- /dev/null Tue Oct 16 15:44:01 2001
+++ mac_constant.c Sun Jun 3 10:07:26 2001
@@ -0,0 +1,21 @@
+#include
+#include
+
+/*
+ * The following label defines "system high", used by the TrustedBSD
+ * userland Trusted Code Base (TCB). It is assigned during the install
+ * process to TCB files, and used by privileged processes when setting
+ * rights on files that are part of the TCB (/etc/passwd and so on).
+ * Changing this label has serious consequences both in terms of
+ * propagation (recompile everything, make sure the kernel default
+ * label matches, etc), as well as security (changing this may break
+ * assumptions throughout the system). Don't change it unless you
+ * know what you're doing. Seriously.
+ */
+
+const struct mac mac_userland_system_high_label = {
+ {MAC_BIBA_TYPE_HIGH, 0},
+ {MAC_MLS_TYPE_LOW, 0},
+ {MAC_PARTITION_TYPE_NONE, 0}
+};
+
Index: lib/libc/posix1e/mac_free.c
===================================================================
RCS file: mac_free.c
diff -N mac_free.c
--- /dev/null Tue Oct 16 15:44:01 2001
+++ mac_free.c Sun Jun 3 10:07:26 2001
@@ -0,0 +1,12 @@
+#include
+#include
+
+#include
+
+int
+mac_free(void *buf_p)
+{
+
+ free(buf_p);
+ return (0);
+}
Index: lib/libc/posix1e/mac_get.c
===================================================================
RCS file: mac_get.c
diff -N mac_get.c
--- /dev/null Tue Oct 16 15:44:01 2001
+++ mac_get.c Sun Jun 3 10:07:26 2001
@@ -0,0 +1,68 @@
+#include
+#include
+
+#include
+#include
+
+mac_t
+mac_get_file(const char *path_p)
+{
+ struct mac *label;
+ int error;
+
+ label = (mac_t) malloc(sizeof(*label));
+ if (label == NULL) {
+ errno = ENOMEM;
+ return (NULL);
+ }
+
+ error = __mac_get_file(path_p, label);
+ if (error) {
+ mac_free(label);
+ return (NULL);
+ }
+
+ return (label);
+}
+
+mac_t
+mac_get_fd(int fd)
+{
+ struct mac *label;
+ int error;
+
+ label = (mac_t) malloc(sizeof(*label));
+ if (label == NULL) {
+ errno = ENOMEM;
+ return (NULL);
+ }
+
+ error = __mac_get_fd(fd, label);
+ if (error) {
+ mac_free(label);
+ return (NULL);
+ }
+
+ return (label);
+}
+
+mac_t
+mac_get_proc()
+{
+ struct mac *label;
+ int error;
+
+ label = (mac_t) malloc(sizeof(*label));
+ if (label == NULL) {
+ errno = ENOMEM;
+ return (NULL);
+ }
+
+ error = __mac_get_proc(label);
+ if (error) {
+ mac_free(label);
+ return (NULL);
+ }
+
+ return (label);
+}
Index: lib/libc/posix1e/mac_set.c
===================================================================
RCS file: mac_set.c
diff -N mac_set.c
--- /dev/null Tue Oct 16 15:44:01 2001
+++ mac_set.c Sun Jun 3 10:07:26 2001
@@ -0,0 +1,23 @@
+#include
+#include
+
+int
+mac_set_file(const char *path_p, mac_t label)
+{
+
+ return (__mac_set_file(path_p, label));
+}
+
+int
+mac_set_fd(int fd, mac_t label)
+{
+
+ return (__mac_set_fd(fd, label));
+}
+
+int
+mac_set_proc(mac_t label)
+{
+
+ return (__mac_set_proc(label));
+}
Index: lib/libc/posix1e/mac_text.c
===================================================================
RCS file: mac_text.c
diff -N mac_text.c
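Review bot: In mac_get_file, mac_get_fd and mac_get_proc the errno left by a failed `__mac_get_*` call may be overwritten before the caller reads it, because `mac_free(label)` (which is `free()` in mac_free.c) runs between the failure and `return (NULL)`; save it around the release, `int saved_errno = errno; mac_free(label); errno = saved_errno;`. The three functions are the same allocate/fetch/release sequence differing only in the fetch call, and would read better as one static helper that takes the fetch result. `mac_get_proc()` should be declared `mac_get_proc(void)` so it has a prototype; the `(mac_t)` cast on malloc is unnecessary in C, and `errno = ENOMEM` after a failed malloc restates what malloc already set.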
--- /dev/null Tue Oct 16 15:44:01 2001
+++ mac_text.c Sun Jun 3 10:07:26 2001
@@ -0,0 +1,391 @@
+#include
+#include
+
+#include
+#include
+#include
+
+/*
+ * POSIX.1e does not define a text format for MAC label string conversions.
+ * We use the following format:
+ * "policy/qualifier,..."
+ * Where:
+ * policy can be one of "biba", "mls", "partition
+ * type for "biba" can be "high", "low", "equal", or a numeric grade
+ * type for "mls" can be "high", "low", "equal", of a numeric level
+ * type for "partition" can be "none", "all", or a numeric partition
+ * All policies must be present, but may be in any order.
+ *
+ * Sample labels:
+ * biba/high,mls/low,partition/none
+ * biba/low,mls/low,partition/none
+ * biba/low,mls/low,partition/3
+ * biba/low,mls/3,partition/none
+ */
+
+/*
+ * XXX: Parsing code below assumes these next two constants will be
+ * character strings containing a single character.
+ */
+#define STRING_SEP ","
+#define STRING_ASSIGN "/"
+
+#define STRING_BIBA "biba"
+#define STRING_MLS "mls"
+#define STRING_PARTITION "partition"
+static char *STRING_UNKNOWN = "unknown";
+
+static char *STRING_BIBA_HIGH = "high";
+static char *STRING_BIBA_LOW = "low";
+static char *STRING_BIBA_EQUAL = "equal";
+
+static char *STRING_MLS_HIGH = "high";
+static char *STRING_MLS_LOW = "low";
+static char *STRING_MLS_EQUAL = "equal";
+
+static char *STRING_PARTITION_NONE = "none";
+static char *STRING_PARTITION_ALL = "all";
+
+static int
+biba_string_to_label(char *string, struct mac_biba *label)
+{
+ char *local_string, *token, *next_token, *tmp;
+ int error = 0;
+
+ local_string = strdup(string);
+ if (local_string == NULL)
+ return (ENOMEM);
+
+ next_token = local_string;
+ token = strsep(&next_token, STRING_ASSIGN);
+
+ if (strcmp(token, STRING_BIBA) != 0) {
+ error = EINVAL;
+ goto exit1;
+ }
+
+ token = strsep(&next_token, STRING_ASSIGN);
+ if (token == NULL) {
+ error = EINVAL;
+ goto exit1;
+ }
+
+ label->mb_grade = 0;
+ if (strcmp(token, STRING_BIBA_HIGH) == 0)
+ label->mb_type = MAC_BIBA_TYPE_HIGH;
+ else if (strcmp(token, STRING_BIBA_LOW) == 0)
+ label->mb_type = MAC_BIBA_TYPE_LOW;
+ else if (strcmp(token, STRING_BIBA_EQUAL) == 0)
+ label->mb_type = MAC_BIBA_TYPE_EQUAL;
+ else {
+ /* Should be a numeric grade. */
+ /* XXX: Check range for strtoul. */
+ label->mb_type = MAC_BIBA_TYPE_GRADE;
+ label->mb_grade = strtoul(token, &tmp, 10);
+ if (*tmp != '\0')
+ error = EINVAL;
+ }
+
+ if (next_token != NULL)
+ error = EINVAL;
+
+exit1:
+ free(local_string);
+ return (error);
+}
+
+static char *
+biba_label_to_string(struct mac_biba label)
+{
+ char *buf;
+
+ switch (label.mb_type) {
+ case MAC_BIBA_TYPE_GRADE:
+ asprintf(&buf, "%s%s%hu", STRING_BIBA, STRING_ASSIGN,
+ label.mb_grade);
+ break;
+ case MAC_BIBA_TYPE_LOW:
+ asprintf(&buf, "%s%s%s", STRING_BIBA, STRING_ASSIGN,
+ STRING_BIBA_LOW);
+ break;
+ case MAC_BIBA_TYPE_HIGH:
+ asprintf(&buf, "%s%s%s", STRING_BIBA, STRING_ASSIGN,
+ STRING_BIBA_HIGH);
+ break;
+ case MAC_BIBA_TYPE_EQUAL:
+ asprintf(&buf, "%s%s%s", STRING_BIBA, STRING_ASSIGN,
+ STRING_BIBA_EQUAL);
+ break;
+ default:
+ asprintf(&buf, "%s%s%s", STRING_BIBA, STRING_ASSIGN,
+ STRING_UNKNOWN);
+ }
+
+ return (buf);
+}
+
+static int
+mls_string_to_label(char *string, struct mac_mls *label)
+{
+ char *local_string, *token, *next_token, *tmp;
+ int error = 0;
+
+ local_string = strdup(string);
+ if (local_string == NULL)
+ return (ENOMEM);
+
+ next_token = local_string;
+ token = strsep(&next_token, STRING_ASSIGN);
+
+ if (strcmp(token, STRING_MLS) != 0) {
+ error = EINVAL;
+ goto exit1;
+ }
+
+ token = strsep(&next_token, STRING_ASSIGN);
+ if (token == NULL) {
+ error = EINVAL;
+ goto exit1;
+ }
+
+ label->mm_level = 0;
+ if (strcmp(token, STRING_MLS_HIGH) == 0)
+ label->mm_type = MAC_MLS_TYPE_HIGH;
+ else if (strcmp(token, STRING_MLS_LOW) == 0)
+ label->mm_type = MAC_MLS_TYPE_LOW;
+ else if (strcmp(token, STRING_MLS_EQUAL) == 0)
+ label->mm_type = MAC_MLS_TYPE_EQUAL;
+ else {
+ /* Should be a numeric level. */
+ /* XXX: Check range for strtoul. */
+ label->mm_type = MAC_MLS_TYPE_LEVEL;
+ label->mm_level = strtoul(token, &tmp, 10);
+ if (*tmp != '\0')
+ error = EINVAL;
+ }
+
+ if (next_token != NULL)
+ error = EINVAL;
+
+exit1:
+ free(local_string);
+ return (error);
+}
+
+static char *
+mls_label_to_string(struct mac_mls label)
+{
+ char *buf;
+
+ switch (label.mm_type) {
+ case MAC_MLS_TYPE_LEVEL:
+ asprintf(&buf, "%s%s%hu", STRING_MLS, STRING_ASSIGN,
+ label.mm_level);
+ break;
+ case MAC_MLS_TYPE_LOW:
+ asprintf(&buf, "%s%s%s", STRING_MLS, STRING_ASSIGN,
+ STRING_MLS_LOW);
+ break;
+ case MAC_MLS_TYPE_HIGH:
+ asprintf(&buf, "%s%s%s", STRING_MLS, STRING_ASSIGN,
+ STRING_MLS_HIGH);
+ break;
+ case MAC_MLS_TYPE_EQUAL:
+ asprintf(&buf, "%s%s%s", STRING_MLS, STRING_ASSIGN,
+ STRING_MLS_EQUAL);
+ break;
+ default:
+ asprintf(&buf, "%s:%s", STRING_MLS, STRING_ASSIGN,
+ STRING_UNKNOWN);
+ }
+
+ return (buf);
+}
+
+static int
+partition_string_to_label(char *string, struct mac_partition *label)
+{
+ char *local_string, *token, *next_token, *tmp;
+ int error = 0;
+
+ local_string = strdup(string);
+ if (local_string == NULL)
+ return (ENOMEM);
+
+ next_token = local_string;
+ token = strsep(&next_token, STRING_ASSIGN);
+
+ if (strcmp(token, STRING_PARTITION) != 0) {
+ error = EINVAL;
+ goto exit1;
+ }
+
+ token = strsep(&next_token, STRING_ASSIGN);
+ if (token == NULL) {
+ error = EINVAL;
+ goto exit1;
+ }
+
+ label->mp_partition = 0;
+ if (strcmp(token, STRING_PARTITION_NONE) == 0)
+ label->mp_type = MAC_PARTITION_TYPE_NONE;
+ else if (strcmp(token, STRING_PARTITION_ALL) == 0)
+ label->mp_type = MAC_PARTITION_TYPE_ALL;
+ else {
+ /* Should be a numeric partition identifier. */
+ /* XXX: Should check range for strtoul. */
+ label->mp_type = MAC_PARTITION_TYPE_PARTITION;
+ label->mp_partition = strtoul(token, &tmp, 10);
+ if (*tmp != '\0')
+ error = EINVAL;
+ }
+
+ if (next_token != NULL)
+ error = EINVAL;
+
+exit1:
+ free(local_string);
+ return (error);
+}
+
+static char *
+partition_label_to_string(struct mac_partition label)
+{
+ char *buf;
+
+ switch (label.mp_type) {
+ case MAC_PARTITION_TYPE_PARTITION:
+ asprintf(&buf, "%s%s%hu", STRING_PARTITION, STRING_ASSIGN,
+ label.mp_partition);
+ break;
+ case MAC_PARTITION_TYPE_ALL:
+ asprintf(&buf, "%s%s%s", STRING_PARTITION, STRING_ASSIGN,
+ STRING_PARTITION_ALL);
+ break;
+ case MAC_PARTITION_TYPE_NONE:
+ asprintf(&buf, "%s%s%s", STRING_PARTITION, STRING_ASSIGN,
+ STRING_PARTITION_NONE);
+ break;
+ default:
+ asprintf(&buf, "%s%s%s", STRING_PARTITION, STRING_ASSIGN,
+ STRING_UNKNOWN);
+ }
+
+ return (buf);
+}
+
+char *
+mac_to_text(struct mac *mac_p, size_t *len_p)
+{
+ char *biba, *mls, *partition;
+ char *buf;
+ int len;
+
+ biba = biba_label_to_string(mac_p->m_biba);
+ if (biba == NULL) {
+ errno = ENOMEM;
+ return (NULL);
+ }
+ mls = mls_label_to_string(mac_p->m_mls);
+ if (mls == NULL) {
+ errno = ENOMEM;
+ free(biba);
+ return (NULL);
+ }
+ partition = partition_label_to_string(mac_p->m_partition);
+ if (partition == NULL) {
+ errno = ENOMEM;
+ free(biba);
+ free(mls);
+ return (NULL);
+ }
+
+ len = asprintf(&buf, "%s%s%s%s%s", biba, STRING_SEP, mls, STRING_SEP,
+ partition);
+
+ free(biba);
+ free(mls);
+ free(partition);
+
+ if (len != -1 && len_p != NULL)
+ *len_p = len;
+
+ return (buf);
+}
+
+struct mac *
+mac_from_text(const char *text_p)
+{
+ struct mac *label;
+ char *local_string, *next_token, *token, *tmp;
+ int biba_seen = 0, mls_seen = 0, partition_seen = 0;
+ int error;
+
+ /*
+ * Parse into three assignments, determine which assignments
+ * they are and recurse appropriately, and reject if there are
+ * not the right assignments (or duplicates).
+ */
+
+ label = (struct mac *) malloc(sizeof(*label));
+ if (label == NULL) {
+ errno = ENOMEM;
+ goto exit1;
+ }
+
+ local_string = strdup(text_p);
+ if (local_string == NULL) {
+ errno = ENOMEM;
+ goto exit2;
+ }
+
+ next_token = local_string;
+ while ((token = strsep(&next_token, STRING_SEP)) != NULL) {
+
+ if (strncmp(token, STRING_BIBA STRING_ASSIGN, strlen(
+ STRING_BIBA STRING_ASSIGN)) == 0) {
+ error = biba_string_to_label(token, &label->m_biba);
+ if (error) {
+ errno = error;
+ goto exit2;
+ }
+ biba_seen++;
+ } else if (strncmp(token, STRING_MLS STRING_ASSIGN, strlen(
+ STRING_MLS STRING_ASSIGN)) == 0) {
+ error = mls_string_to_label(token, &label->m_mls);
+ if (error) {
+ errno = error;
+ goto exit2;
+ }
+ mls_seen++;
+ } else if (strncmp(token, STRING_PARTITION STRING_ASSIGN,
+ strlen(STRING_PARTITION STRING_ASSIGN)) == 0) {
+ error = partition_string_to_label(token,
+ &label->m_partition);
+ if (error) {
+ errno = error;
+ goto exit2;
+ }
+ partition_seen++;
+ } else {
+ /* Unrecognized label type name. */
+ errno = EINVAL;
+ goto exit2;
+ }
+ }
+
+ if (biba_seen != 1 || mls_seen != 1 || partition_seen != 1) {
+ errno = EINVAL;
+ goto exit2;
+ }
+
+ /* Success. */
+ goto exit1;
+
+exit2:
+ free(label);
+ label = NULL;
+exit1:
+ free(local_string);
+ return (label);
+}
Index: lib/libcom_err/Makefile
===================================================================
RCS file: /home/ncvs/src/lib/libcom_err/Makefile,v
retrieving revision 1.12
diff -u -r1.12 Makefile
--- lib/libcom_err/Makefile 2001/03/27 17:26:58 1.12
+++ lib/libcom_err/Makefile 2001/06/11 23:23:00
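Review bot: mac_from_text frees an uninitialized pointer when malloc fails: `local_string` has no initializer and the `goto exit1` in the `label == NULL` branch lands on `free(local_string)`; initialize it at declaration, `char *local_string = NULL, *next_token, *token;` (`tmp` is unused in this function and can go). In mls_label_to_string the default case passes three arguments to a format with two conversions and uses ':' where the other policies use the assignment separator; `asprintf(&buf, "%s:%s", STRING_MLS, STRING_ASSIGN, STRING_UNKNOWN);` should read `asprintf(&buf, "%s%s%s", STRING_MLS, STRING_ASSIGN, STRING_UNKNOWN);` to match biba_label_to_string and partition_label_to_string. The numeric branches of the three *_string_to_label functions accept whatever strtoul accepts — an empty qualifier (`biba/` is accepted as grade 0 because `*tmp` is already `'\0'`), leading whitespace and a sign — and then store an unsigned long into a field that is printed with `%hu`, so a large or negative-looking value is silently truncated; beyond the range check the XXX comments already promise, the parser should reject `tmp == token` and a leading '-' before storing. The asprintf results in the *_label_to_string helpers are unchecked, and mac_to_text's NULL tests rely on `buf` being set to NULL on failure, which holds for FreeBSD's asprintf but is not guaranteed elsewhere, so a `buf = NULL;` before the switch would make that assumption explicit.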
@@ -3,7 +3,7 @@ LIB= com_err SRCS= com_err.c error.c INCS= ${COM_ERRDIR}/com_err.h ${COM_ERRDIR}/com_right.h -MAN= com_err.3 +#MAN= com_err.3 COM_ERRDIR= ${.CURDIR}/../../contrib/com_err CFLAGS+= -I${COM_ERRDIR} Index: lib/libutil/login_cap.h =================================================================== RCS file: /home/ncvs/src/lib/libutil/login_cap.h,v retrieving revision 1.4 diff -u -r1.4 login_cap.h --- lib/libutil/login_cap.h 2000/08/22 02:15:52 1.4 +++ lib/libutil/login_cap.h 2000/11/19 22:56:25 @@ -47,7 +47,8 @@ #define LOGIN_SETUMASK 0x0020 /* set umask, obviously */ #define LOGIN_SETUSER 0x0040 /* set user (via setuid) */ #define LOGIN_SETENV 0x0080 /* set user environment */ -#define LOGIN_SETALL 0x00ff /* set everything */ +#define LOGIN_SETLABEL 0x0100 /* set user MAC label */ +#define LOGIN_SETALL 0x01ff /* set everything */ #define BI_AUTH "authorize" /* accepted authentication */ #define BI_REJECT "reject" /* rejected authentication */ Index: lib/libutil/login_class.c =================================================================== RCS file: /home/ncvs/src/lib/libutil/login_class.c,v retrieving revision 1.16 diff -u -r1.16 login_class.c --- lib/libutil/login_class.c 2001/09/30 22:35:07 1.16 +++ lib/libutil/login_class.c 2001/10/01 17:13:02 @@ -40,6 +40,7 @@ #include #include #include +#include static struct login_res { @@ -317,6 +318,7 @@ #ifndef __NETBSD_SYSCALLS struct rtprio rtp; #endif + int error; if (lc == NULL) { if (pwd != NULL && (lc = login_getpwclass(pwd)) != NULL) 
@@ -371,6 +373,44 @@
 (u_long)pwd->pw_gid);
 login_close(llc);
 return -1;
+ }
+ }
+
+ /* Setup the user's MAC label. */
+ if (flags & LOGIN_SETLABEL) {
+ char *label_string;
+ mac_t label;
+
+ /*
+ * XXX: In the following code, there are a number of "fail open"
+ * cases in which the process label will not be set. The following
+ * cases need to be addressed better:
+ * - The login.conf file does not contain a label for the user.
+ * but the kernel supports labeling (how to test this case?)
+ * - The login.conf file contains a syntactically semantically
+ * invalid label.
+ * - The kernel does not have support for labels compiled in, but
+ * a label is defined.
+ */
+ label_string = login_getcapstr(lc, "label", NULL, NULL);
+ if (label_string == NULL) {
+ /* Leave label as is, warning, dangerous */
+ } else {
+ label = mac_from_text(label_string);
+ if (label == NULL) {
+ syslog(LOG_ERR, "mac_from_text(%s): %m",
+ label_string);
+ return -1;
+ }
+ error = mac_set_proc(label);
+ mac_free(label);
+ if (error != 0 && errno == ENOSYS) {
+ syslog(LOG_WARNING, "mac_set_proc(%s): warning: %m",
+ label_string);
+ } else if (error != 0) {
+ syslog(LOG_ERR, "mac_set_proc(%s): error: %m", label_string);
+ return -1;
+ }
 }
 }
Index: libexec/ftpd/ftpd.c
===================================================================
RCS file: /home/ncvs/src/libexec/ftpd/ftpd.c,v
retrieving revision 1.86
diff -u -r1.86 ftpd.c
--- libexec/ftpd/ftpd.c 2001/10/12 13:16:34 1.86
+++ libexec/ftpd/ftpd.c 2001/10/14 15:21:47
@@ -1058,7 +1058,8 @@
 pw = NULL;
 #ifdef LOGIN_CAP
 setusercontext(NULL, getpwuid(0), (uid_t)0,
- LOGIN_SETPRIORITY|LOGIN_SETRESOURCES|LOGIN_SETUMASK);
+ LOGIN_SETPRIORITY|LOGIN_SETRESOURCES|LOGIN_SETUMASK|
+ LOGIN_SETLABEL);
 #endif
 #ifdef USE_PAM
 if ((e = pam_setcred(pamh, PAM_DELETE_CRED)) != PAM_SUCCESS)
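Review bot: The two new `return -1` paths in the LOGIN_SETLABEL block return without `login_close(llc)`, while the context line at the top of the hunk shows the neighbouring error path calling `login_close(llc); return -1;`; if `llc` is the class handle this function opened itself (as that context suggests), these returns leak it, so they should call `login_close(llc)` first like the other paths. `mac_free(label)` runs between `mac_set_proc(label)` and the `errno == ENOSYS` test, and mac_free is `free()` in this same patch, which may change errno, so both the ENOSYS distinction and the `%m` in the syslog messages can report the wrong error; move `mac_free(label)` after the error handling or save errno before it. The missing-label case falls through with the process label unchanged and only a comment (`/* Leave label as is, warning, dangerous */`); at minimum a `syslog(LOG_WARNING, "no MAC label for class, leaving process label unchanged");` there would make the fail-open the XXX block describes visible at runtime. setusercontext starts outside the hunk.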
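Review bot: The return value of setusercontext is not checked at either ftpd.c call site that now includes LOGIN_SETLABEL (this hunk and the `@@ -1308,7 +1309,7 @@` hunk), so a label that fails to apply — which the login_class.c change in this patch reports with -1 — leaves the session running with its previous label and no error. Test the result and fail closed, e.g. `if (setusercontext(...) != 0) { syslog(LOG_ERR, "setusercontext: %m"); exit(1); }` adapted to the surrounding error-handling convention; I cannot see from the hunk which reply or cleanup path is appropriate at these points. The enclosing functions start and end outside the hunks.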
@@ -1308,7 +1309,7 @@ } setusercontext(lc, pw, (uid_t)0, LOGIN_SETLOGIN|LOGIN_SETGROUP|LOGIN_SETPRIORITY| - LOGIN_SETRESOURCES|LOGIN_SETUMASK); + LOGIN_SETRESOURCES|LOGIN_SETUMASK|LOGIN_SETLABEL); #else setlogin(pw->pw_name); (void) initgroups(pw->pw_name, pw->pw_gid); Index: sbin/ipfw/ipfw.c =================================================================== RCS file: /home/ncvs/src/sbin/ipfw/ipfw.c,v retrieving revision 1.111 diff -u -r1.111 ipfw.c --- sbin/ipfw/ipfw.c 2001/09/27 23:44:27 1.111 +++ sbin/ipfw/ipfw.c 2001/10/01 17:14:10 @@ -25,6 +25,7 @@ #include +#include #include #include #include Index: sys/coda/coda_fbsd.c =================================================================== RCS file: /home/ncvs/src/sys/coda/coda_fbsd.c,v retrieving revision 1.24 diff -u -r1.24 coda_fbsd.c --- sys/coda/coda_fbsd.c 2001/06/15 00:02:27 1.24 +++ sys/coda/coda_fbsd.c 2001/08/05 17:01:30 @@ -40,6 +40,7 @@ #include #include #include +#include #include #include Index: sys/coda/coda_namecache.c =================================================================== RCS file: /home/ncvs/src/sys/coda/coda_namecache.c,v retrieving revision 1.14 diff -u -r1.14 coda_namecache.c --- sys/coda/coda_namecache.c 2001/10/11 23:38:13 1.14 +++ sys/coda/coda_namecache.c 2001/10/14 15:24:28 @@ -82,6 +82,7 @@ #include #include #include +#include #include #include Index: sys/conf/files =================================================================== RCS file: /home/ncvs/src/sys/conf/files,v retrieving revision 1.574 diff -u -r1.574 files --- sys/conf/files 2001/10/07 20:08:36 1.574 +++ sys/conf/files 2001/10/08 02:02:58 
@@ -773,6 +773,10 @@ kern/kern_linker.c standard kern/kern_lock.c standard kern/kern_lockf.c standard +kern/kern_mac.c standard +kern/kern_mac_biba.c standard +kern/kern_mac_mls.c standard +kern/kern_mac_partition.c standard kern/kern_malloc.c standard kern/kern_mib.c standard kern/kern_module.c standard Index: sys/conf/newvers.sh =================================================================== RCS file: /home/ncvs/src/sys/conf/newvers.sh,v retrieving revision 1.47 diff -u -r1.47 newvers.sh --- sys/conf/newvers.sh 2001/03/02 16:52:13 1.47 +++ sys/conf/newvers.sh 2001/05/31 14:41:23 @@ -34,7 +34,7 @@ # @(#)newvers.sh 8.1 (Berkeley) 4/20/94 # $FreeBSD: src/sys/conf/newvers.sh,v 1.47 2001/03/02 16:52:13 ru Exp $ -TYPE="FreeBSD" +TYPE="TrustedBSD" REVISION="5.0" BRANCH="CURRENT" RELEASE="${REVISION}-${BRANCH}" Index: sys/conf/options =================================================================== RCS file: /home/ncvs/src/sys/conf/options,v retrieving revision 1.296 diff -u -r1.296 options --- sys/conf/options 2001/10/10 23:06:52 1.296 +++ sys/conf/options 2001/10/11 14:37:34 @@ -107,6 +107,7 @@ # TrustedBSD and POSIX.1e Kernel Options CAPABILITIES opt_cap.h +MAC opt_mac.h # Do we want the config file compiled into the kernel? INCLUDE_CONFIG_FILE opt_config.h Index: sys/contrib/dev/oltr/if_oltr.c =================================================================== RCS file: /home/ncvs/src/sys/contrib/dev/oltr/if_oltr.c,v retrieving revision 1.20 diff -u -r1.20 if_oltr.c --- sys/contrib/dev/oltr/if_oltr.c 2001/06/14 15:08:40 1.20 +++ sys/contrib/dev/oltr/if_oltr.c 2001/09/25 12:34:08 
@@ -36,6 +36,7 @@ #include #include #include +#include #include #include #include Index: sys/contrib/ipfilter/netinet/fil.c =================================================================== RCS file: /home/ncvs/src/sys/contrib/ipfilter/netinet/fil.c,v retrieving revision 1.25 diff -u -r1.25 fil.c --- sys/contrib/ipfilter/netinet/fil.c 2001/09/12 22:06:36 1.25 +++ sys/contrib/ipfilter/netinet/fil.c 2001/09/24 11:58:57 @@ -37,6 +37,7 @@ #include #if !defined(__SVR4) && !defined(__svr4__) # ifndef linux +# include # include # endif #else Index: sys/contrib/ipfilter/netinet/ip_auth.c =================================================================== RCS file: /home/ncvs/src/sys/contrib/ipfilter/netinet/ip_auth.c,v retrieving revision 1.22 diff -u -r1.22 ip_auth.c --- sys/contrib/ipfilter/netinet/ip_auth.c 2001/07/28 11:58:25 1.22 +++ sys/contrib/ipfilter/netinet/ip_auth.c 2001/09/24 11:58:01 @@ -29,6 +29,7 @@ #endif #if !defined(__SVR4) && !defined(__svr4__) # ifndef linux +# include # include # endif #else Index: sys/contrib/ipfilter/netinet/ip_fil.c =================================================================== RCS file: /home/ncvs/src/sys/contrib/ipfilter/netinet/ip_fil.c,v retrieving revision 1.27 diff -u -r1.27 ip_fil.c --- sys/contrib/ipfilter/netinet/ip_fil.c 2001/09/12 08:37:00 1.27 +++ sys/contrib/ipfilter/netinet/ip_fil.c 2001/09/24 11:58:07 @@ -52,6 +52,7 @@ # else # include # endif +# include # include #else # include Index: sys/contrib/ipfilter/netinet/ip_frag.c =================================================================== RCS file: /home/ncvs/src/sys/contrib/ipfilter/netinet/ip_frag.c,v retrieving revision 1.17 diff -u -r1.17 ip_frag.c --- sys/contrib/ipfilter/netinet/ip_frag.c 2001/07/30 10:53:23 1.17 +++ sys/contrib/ipfilter/netinet/ip_frag.c 2001/09/24 11:58:14 
@@ -36,6 +36,7 @@ # include # endif # ifndef linux +# include # include # endif #else Index: sys/contrib/ipfilter/netinet/ip_log.c =================================================================== RCS file: /home/ncvs/src/sys/contrib/ipfilter/netinet/ip_log.c,v retrieving revision 1.18 diff -u -r1.18 ip_log.c --- sys/contrib/ipfilter/netinet/ip_log.c 2001/07/28 11:58:26 1.18 +++ sys/contrib/ipfilter/netinet/ip_log.c 2001/09/24 11:58:23 @@ -65,6 +65,7 @@ # else # include # endif +# include # include # else # include Index: sys/contrib/ipfilter/netinet/ip_nat.c =================================================================== RCS file: /home/ncvs/src/sys/contrib/ipfilter/netinet/ip_nat.c,v retrieving revision 1.23 diff -u -r1.23 ip_nat.c --- sys/contrib/ipfilter/netinet/ip_nat.c 2001/07/28 11:58:26 1.23 +++ sys/contrib/ipfilter/netinet/ip_nat.c 2001/09/24 11:58:29 @@ -41,6 +41,7 @@ #endif #if !defined(__SVR4) && !defined(__svr4__) # ifndef linux +# include # include # endif #else Index: sys/contrib/ipfilter/netinet/ip_proxy.c =================================================================== RCS file: /home/ncvs/src/sys/contrib/ipfilter/netinet/ip_proxy.c,v retrieving revision 1.12 diff -u -r1.12 ip_proxy.c --- sys/contrib/ipfilter/netinet/ip_proxy.c 2001/07/28 11:58:26 1.12 +++ sys/contrib/ipfilter/netinet/ip_proxy.c 2001/09/24 11:58:35 @@ -36,6 +36,7 @@ #endif #if !defined(__SVR4) && !defined(__svr4__) # ifndef linux +# include # include # endif #else Index: sys/contrib/ipfilter/netinet/ip_state.c =================================================================== RCS file: /home/ncvs/src/sys/contrib/ipfilter/netinet/ip_state.c,v retrieving revision 1.22 diff -u -r1.22 ip_state.c --- sys/contrib/ipfilter/netinet/ip_state.c 2001/07/28 11:58:26 1.22 +++ sys/contrib/ipfilter/netinet/ip_state.c 2001/09/24 11:58:44 
@@ -46,6 +46,7 @@ #endif #if !defined(__SVR4) && !defined(__svr4__) # ifndef linux +# include # include # endif #else Index: sys/dev/an/if_an.c =================================================================== RCS file: /home/ncvs/src/sys/dev/an/if_an.c,v retrieving revision 1.24 diff -u -r1.24 if_an.c --- sys/dev/an/if_an.c 2001/10/11 17:52:19 1.24 +++ sys/dev/an/if_an.c 2001/10/14 15:24:48 @@ -93,6 +93,7 @@ #include #include #include +#include #include #include #include Index: sys/dev/an/if_an_isa.c =================================================================== RCS file: /home/ncvs/src/sys/dev/an/if_an_isa.c,v retrieving revision 1.6 diff -u -r1.6 if_an_isa.c --- sys/dev/an/if_an_isa.c 2001/09/10 02:36:18 1.6 +++ sys/dev/an/if_an_isa.c 2001/09/24 17:58:02 @@ -41,6 +41,7 @@ */ #include "opt_inet.h" + #ifdef INET #define ANCACHE #endif @@ -48,6 +49,7 @@ #include #include #include +#include #include #include #include Index: sys/dev/an/if_an_pci.c =================================================================== RCS file: /home/ncvs/src/sys/dev/an/if_an_pci.c,v retrieving revision 1.12 diff -u -r1.12 if_an_pci.c --- sys/dev/an/if_an_pci.c 2001/10/11 17:52:19 1.12 +++ sys/dev/an/if_an_pci.c 2001/10/14 15:24:48 @@ -61,6 +61,7 @@ #include #include #include +#include #include #include #include Index: sys/dev/ar/if_ar.c =================================================================== RCS file: /home/ncvs/src/sys/dev/ar/if_ar.c,v retrieving revision 1.50 diff -u -r1.50 if_ar.c --- sys/dev/ar/if_ar.c 2001/04/16 13:20:21 1.50 +++ sys/dev/ar/if_ar.c 2001/09/25 11:38:33 @@ -50,6 +50,7 @@ #include #include #include +#include #include #include #include Index: sys/dev/awi/awi.c =================================================================== RCS file: /home/ncvs/src/sys/dev/awi/awi.c,v retrieving revision 1.16 diff -u -r1.16 awi.c --- sys/dev/awi/awi.c 2001/09/12 08:37:02 1.16 +++ sys/dev/awi/awi.c 2001/09/24 17:58:11 
@@ -98,6 +98,7 @@ #include #include #include +#include #include #include #include Index: sys/dev/awi/awi_wep.c =================================================================== RCS file: /home/ncvs/src/sys/dev/awi/awi_wep.c,v retrieving revision 1.5 diff -u -r1.5 awi_wep.c --- sys/dev/awi/awi_wep.c 2001/09/12 08:37:02 1.5 +++ sys/dev/awi/awi_wep.c 2001/09/24 17:55:16 @@ -53,6 +53,7 @@ #include #include #include +#include #include #include #include Index: sys/dev/awi/awi_wicfg.c =================================================================== RCS file: /home/ncvs/src/sys/dev/awi/awi_wicfg.c,v retrieving revision 1.5 diff -u -r1.5 awi_wicfg.c --- sys/dev/awi/awi_wicfg.c 2001/09/12 08:37:02 1.5 +++ sys/dev/awi/awi_wicfg.c 2001/09/24 17:58:50 @@ -44,6 +44,7 @@ #include #include #include +#include #include #include #include Index: sys/dev/bge/if_bge.c =================================================================== RCS file: /home/ncvs/src/sys/dev/bge/if_bge.c,v retrieving revision 1.3 diff -u -r1.3 if_bge.c --- sys/dev/bge/if_bge.c 2001/09/29 19:31:29 1.3 +++ sys/dev/bge/if_bge.c 2001/10/03 03:16:34 @@ -73,6 +73,7 @@ #include #include #include +#include #include #include #include Index: sys/dev/cnw/if_cnw.c =================================================================== RCS file: /home/ncvs/src/sys/dev/cnw/if_cnw.c,v retrieving revision 1.3 diff -u -r1.3 if_cnw.c --- sys/dev/cnw/if_cnw.c 2001/05/08 23:57:32 1.3 +++ sys/dev/cnw/if_cnw.c 2001/09/25 11:43:10 @@ -231,6 +231,7 @@ #include #include #include +#include #include #include #include Index: sys/dev/cs/if_cs.c =================================================================== RCS file: /home/ncvs/src/sys/dev/cs/if_cs.c,v retrieving revision 1.20 diff -u -r1.20 if_cs.c --- sys/dev/cs/if_cs.c 2001/02/23 08:08:21 1.20 +++ sys/dev/cs/if_cs.c 2001/09/24 17:59:13 
@@ -40,6 +40,7 @@ #include #include #include +#include #include #include #include Index: sys/dev/ed/if_ed.c =================================================================== RCS file: /home/ncvs/src/sys/dev/ed/if_ed.c,v retrieving revision 1.203 diff -u -r1.203 if_ed.c --- sys/dev/ed/if_ed.c 2001/10/07 00:18:48 1.203 +++ sys/dev/ed/if_ed.c 2001/10/08 02:03:25 @@ -42,6 +42,7 @@ #include #include #include +#include #include #include #include Index: sys/dev/ep/if_ep.c =================================================================== RCS file: /home/ncvs/src/sys/dev/ep/if_ep.c,v retrieving revision 1.107 diff -u -r1.107 if_ep.c --- sys/dev/ep/if_ep.c 2001/06/05 22:29:16 1.107 +++ sys/dev/ep/if_ep.c 2001/09/24 18:01:35 @@ -63,6 +63,7 @@ #include #include +#include #include #include #include Index: sys/dev/ex/if_ex.c =================================================================== RCS file: /home/ncvs/src/sys/dev/ex/if_ex.c,v retrieving revision 1.37 diff -u -r1.37 if_ex.c --- sys/dev/ex/if_ex.c 2001/02/04 13:11:49 1.37 +++ sys/dev/ex/if_ex.c 2001/09/24 18:01:51 @@ -42,6 +42,7 @@ #include #include #include +#include #include #include Index: sys/dev/fe/if_fe.c =================================================================== RCS file: /home/ncvs/src/sys/dev/fe/if_fe.c,v retrieving revision 1.71 diff -u -r1.71 if_fe.c --- sys/dev/fe/if_fe.c 2001/09/02 13:05:00 1.71 +++ sys/dev/fe/if_fe.c 2001/09/24 18:02:47 @@ -72,6 +72,7 @@ #include #include #include +#include #include #include Index: sys/dev/fxp/if_fxp.c =================================================================== RCS file: /home/ncvs/src/sys/dev/fxp/if_fxp.c,v retrieving revision 1.118 diff -u -r1.118 if_fxp.c --- sys/dev/fxp/if_fxp.c 2001/09/05 23:33:58 1.118 +++ sys/dev/fxp/if_fxp.c 2001/09/24 18:03:32 
@@ -34,6 +34,7 @@ #include #include +#include #include #include /* #include */ Index: sys/dev/ie/if_ie.c =================================================================== RCS file: /home/ncvs/src/sys/dev/ie/if_ie.c,v retrieving revision 1.83 diff -u -r1.83 if_ie.c --- sys/dev/ie/if_ie.c 2001/07/02 05:29:58 1.83 +++ sys/dev/ie/if_ie.c 2001/09/25 11:43:46 @@ -116,6 +116,7 @@ #include #include #include +#include #include #include #include Index: sys/dev/iicbus/if_ic.c =================================================================== RCS file: /home/ncvs/src/sys/dev/iicbus/if_ic.c,v retrieving revision 1.10 diff -u -r1.10 if_ic.c --- sys/dev/iicbus/if_ic.c 2000/11/25 07:35:22 1.10 +++ sys/dev/iicbus/if_ic.c 2001/09/25 11:44:35 @@ -33,6 +33,7 @@ #ifdef _KERNEL #include #include +#include #include #include #include @@ -48,6 +49,7 @@ #include #endif +#include #include #include #include Index: sys/dev/lge/if_lge.c =================================================================== RCS file: /home/ncvs/src/sys/dev/lge/if_lge.c,v retrieving revision 1.9 diff -u -r1.9 if_lge.c --- sys/dev/lge/if_lge.c 2001/09/29 19:31:29 1.9 +++ sys/dev/lge/if_lge.c 2001/10/01 16:30:49 @@ -76,6 +76,7 @@ #include #include #include +#include #include #include #include Index: sys/dev/lmc/if_lmc.c =================================================================== RCS file: /home/ncvs/src/sys/dev/lmc/if_lmc.c,v retrieving revision 1.13 diff -u -r1.13 if_lmc.c --- sys/dev/lmc/if_lmc.c 2001/01/17 01:08:50 1.13 +++ sys/dev/lmc/if_lmc.c 2001/09/25 11:46:04 @@ -37,6 +37,7 @@ #include "opt_netgraph.h" #include #include +#include #include #include #include Index: sys/dev/lnc/if_lnc.c =================================================================== RCS file: /home/ncvs/src/sys/dev/lnc/if_lnc.c,v retrieving revision 1.89 diff -u -r1.89 if_lnc.c --- sys/dev/lnc/if_lnc.c 2001/07/04 13:00:19 1.89 +++ sys/dev/lnc/if_lnc.c 2001/09/24 18:04:05 
@@ -65,6 +65,7 @@ #include #include #include +#include #include #include #include Index: sys/dev/nge/if_nge.c =================================================================== RCS file: /home/ncvs/src/sys/dev/nge/if_nge.c,v retrieving revision 1.23 diff -u -r1.23 if_nge.c --- sys/dev/nge/if_nge.c 2001/09/29 19:31:29 1.23 +++ sys/dev/nge/if_nge.c 2001/10/01 16:30:54 @@ -90,6 +90,7 @@ #include #include #include +#include #include #include #include Index: sys/dev/ppbus/if_plip.c =================================================================== RCS file: /home/ncvs/src/sys/dev/ppbus/if_plip.c,v retrieving revision 1.22 diff -u -r1.22 if_plip.c --- sys/dev/ppbus/if_plip.c 2000/11/25 07:35:23 1.22 +++ sys/dev/ppbus/if_plip.c 2001/09/24 18:05:10 @@ -84,6 +84,7 @@ #include #include #include +#include #include #include #include Index: sys/dev/ray/if_ray.c =================================================================== RCS file: /home/ncvs/src/sys/dev/ray/if_ray.c,v retrieving revision 1.56 diff -u -r1.56 if_ray.c --- sys/dev/ray/if_ray.c 2001/05/17 22:23:49 1.56 +++ sys/dev/ray/if_ray.c 2001/09/25 11:46:30 @@ -251,6 +251,7 @@ #include #include +#include #include #include #include Index: sys/dev/sn/if_sn.c =================================================================== RCS file: /home/ncvs/src/sys/dev/sn/if_sn.c,v retrieving revision 1.19 diff -u -r1.19 if_sn.c --- sys/dev/sn/if_sn.c 2001/08/04 05:27:52 1.19 +++ sys/dev/sn/if_sn.c 2001/09/24 18:06:02 @@ -83,6 +83,7 @@ #include #include #include +#include #include #include #include Index: sys/dev/sr/if_sr.c =================================================================== RCS file: /home/ncvs/src/sys/dev/sr/if_sr.c,v retrieving revision 1.47 diff -u -r1.47 if_sr.c --- sys/dev/sr/if_sr.c 2001/02/26 16:30:02 1.47 +++ sys/dev/sr/if_sr.c 2001/09/25 11:46:44 
@@ -55,6 +55,7 @@ #include #include #include +#include #include #include #include Index: sys/dev/txp/if_txp.c =================================================================== RCS file: /home/ncvs/src/sys/dev/txp/if_txp.c,v retrieving revision 1.7 diff -u -r1.7 if_txp.c --- sys/dev/txp/if_txp.c 2001/09/18 18:41:39 1.7 +++ sys/dev/txp/if_txp.c 2001/09/24 18:07:11 @@ -42,6 +42,7 @@ #include #include #include +#include #include #include #include Index: sys/dev/usb/if_aue.c =================================================================== RCS file: /home/ncvs/src/sys/dev/usb/if_aue.c,v retrieving revision 1.43 diff -u -r1.43 if_aue.c --- sys/dev/usb/if_aue.c 2001/09/29 19:31:29 1.43 +++ sys/dev/usb/if_aue.c 2001/10/01 16:31:09 @@ -64,6 +64,7 @@ #include #include #include +#include #include #include #include Index: sys/dev/usb/if_cue.c =================================================================== RCS file: /home/ncvs/src/sys/dev/usb/if_cue.c,v retrieving revision 1.19 diff -u -r1.19 if_cue.c --- sys/dev/usb/if_cue.c 2001/08/22 05:33:57 1.19 +++ sys/dev/usb/if_cue.c 2001/09/24 18:07:53 @@ -53,6 +53,7 @@ #include #include #include +#include #include #include #include Index: sys/dev/usb/if_kue.c =================================================================== RCS file: /home/ncvs/src/sys/dev/usb/if_kue.c,v retrieving revision 1.32 diff -u -r1.32 if_kue.c --- sys/dev/usb/if_kue.c 2001/08/22 05:33:57 1.32 +++ sys/dev/usb/if_kue.c 2001/09/24 18:08:04 @@ -67,6 +67,7 @@ #include #include #include +#include #include #include #include Index: sys/dev/usb/udbp.c =================================================================== RCS file: /home/ncvs/src/sys/dev/usb/udbp.c,v retrieving revision 1.13 diff -u -r1.13 udbp.c --- sys/dev/usb/udbp.c 2001/01/09 04:33:17 1.13 +++ sys/dev/usb/udbp.c 2001/09/25 02:56:52 
@@ -83,6 +83,7 @@ #include #endif #include +#include #include #include #include Index: sys/dev/usb/usb_ethersubr.c =================================================================== RCS file: /home/ncvs/src/sys/dev/usb/usb_ethersubr.c,v retrieving revision 1.9 diff -u -r1.9 usb_ethersubr.c --- sys/dev/usb/usb_ethersubr.c 2000/11/25 07:35:24 1.9 +++ sys/dev/usb/usb_ethersubr.c 2001/09/24 18:08:51 @@ -53,6 +53,7 @@ #include #include #include +#include #include #include #include Index: sys/dev/vx/if_vx.c =================================================================== RCS file: /home/ncvs/src/sys/dev/vx/if_vx.c,v retrieving revision 1.34 diff -u -r1.34 if_vx.c --- sys/dev/vx/if_vx.c 2001/07/19 02:16:01 1.34 +++ sys/dev/vx/if_vx.c 2001/09/24 18:09:11 @@ -59,6 +59,7 @@ #include #include #include +#include #include #include Index: sys/dev/wi/if_wi.c =================================================================== RCS file: /home/ncvs/src/sys/dev/wi/if_wi.c,v retrieving revision 1.61 diff -u -r1.61 if_wi.c --- sys/dev/wi/if_wi.c 2001/09/12 08:37:16 1.61 +++ sys/dev/wi/if_wi.c 2001/09/24 18:09:30 @@ -71,6 +71,7 @@ #include #include #include +#include #include #include #include Index: sys/dev/wl/if_wl.c =================================================================== RCS file: /home/ncvs/src/sys/dev/wl/if_wl.c,v retrieving revision 1.39 diff -u -r1.39 if_wl.c --- sys/dev/wl/if_wl.c 2001/09/12 08:37:16 1.39 +++ sys/dev/wl/if_wl.c 2001/09/25 11:47:03 @@ -196,6 +196,7 @@ #include #include #include +#include #include #include #include Index: sys/dev/xe/if_xe.c =================================================================== RCS file: /home/ncvs/src/sys/dev/xe/if_xe.c,v retrieving revision 1.28 diff -u -r1.28 if_xe.c --- sys/dev/xe/if_xe.c 2001/08/29 05:11:44 1.28 +++ sys/dev/xe/if_xe.c 2001/09/24 18:09:48 
@@ -112,6 +112,7 @@ #include #include #include +#include #include #include #include Index: sys/fs/procfs/procfs_vnops.c =================================================================== RCS file: /home/ncvs/src/sys/fs/procfs/procfs_vnops.c,v retrieving revision 1.103 diff -u -r1.103 procfs_vnops.c --- sys/fs/procfs/procfs_vnops.c 2001/10/07 19:37:13 1.103 +++ sys/fs/procfs/procfs_vnops.c 2001/10/08 02:03:59 @@ -43,12 +43,15 @@ * procfs vnode interface */ +#include "opt_mac.h" + #include #include #include #include #include #include +#include #include #include #include @@ -72,6 +75,9 @@ static int procfs_badop __P((void)); static int procfs_close __P((struct vop_close_args *)); static int procfs_getattr __P((struct vop_getattr_args *)); +#ifdef MAC +static int procfs_getlabel __P((struct vop_getlabel_args *)); +#endif static int procfs_ioctl __P((struct vop_ioctl_args *)); static int procfs_lookup __P((struct vop_lookup_args *)); static int procfs_open __P((struct vop_open_args *)); 
@@ -563,7 +569,61 @@ return (error); } +#ifdef MAC static int +procfs_getlabel(ap) + struct vop_getlabel_args /* { + struct vnode *a_vp; + struct mac *a_label; + struct ucred *a_cred; + struct proc *a_p; + }; */ *ap; +{ + struct pfsnode *pfs = VTOPFS(ap->a_vp); + struct proc *procp; + + switch (pfs->pfs_type) { + case Proot: + case Pcurproc: + procp = NULL; + break; + + default: + procp = PFIND(pfs->pfs_pid); + if (procp == NULL) + return (ENOENT); + + if (procp->p_ucred == NULL) { + PROC_UNLOCK(procp); + return (ENOENT); + } + + if (p_cansee(ap->a_td->td_proc, procp)) { + PROC_UNLOCK(procp); + return (ENOENT); + } + } + + if (procp == NULL) { + /* + * Return the default object label for non-process + * entries. Might be better to replicate the label + * of proc 0, or do the default subject label. + */ + mac_init_object(ap->a_label); + } else { + /* + * Copy the process label. + */ + *ap->a_label = procp->p_ucred->cr_label; + PROC_UNLOCK(procp); + } + + return (0); +} +#endif /* !MAC */ + +static int procfs_setattr(ap) struct vop_setattr_args /* { struct vnode *a_vp; @@ -997,6 +1057,9 @@ { &vop_close_desc, (vop_t *) procfs_close }, { &vop_create_desc, (vop_t *) procfs_badop }, { &vop_getattr_desc, (vop_t *) procfs_getattr }, +#if MAC + { &vop_getlabel_desc, (vop_t *) procfs_getlabel }, +#endif { &vop_link_desc, (vop_t *) procfs_badop }, { &vop_lookup_desc, (vop_t *) procfs_lookup }, { &vop_mkdir_desc, (vop_t *) procfs_badop }, Index: sys/i386/i386/in_cksum.c =================================================================== RCS file: /home/ncvs/src/sys/i386/i386/in_cksum.c,v retrieving revision 1.22 diff -u -r1.22 in_cksum.c --- sys/i386/i386/in_cksum.c 2000/11/25 03:01:05 1.22 +++ sys/i386/i386/in_cksum.c 2001/09/24 19:00:40 
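Review bot: procfs_getlabel() dereferences `ap->a_td->td_proc` in the p_cansee() call, but the argument-structure comment directly above lists `struct proc *a_p;`, so one of the two is stale; if vop_getlabel_args really carries a thread the comment should read `struct thread *a_td;`. The vnodeop table entry is guarded with `#if MAC` while the definition and prototype use `#ifdef MAC`; use `#ifdef MAC` in all three so an empty `-DMAC` cannot compile the function in while leaving the table entry out. The closing `#endif /* !MAC */` after the function is the comment form normally used for an #else branch; `#endif /* MAC */` matches the #ifdef. For `Pcurproc` the default object label is returned rather than the label of the process the entry aliases, which the in-code comment acknowledges; a reader of the label will see a value unrelated to the caller's credential, so the XXX intent is worth stating in the comment.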
@@ -40,6 +40,7 @@ */ #include #include +#include #include #include Index: sys/i386/isa/if_cx.c =================================================================== RCS file: /home/ncvs/src/sys/i386/isa/if_cx.c,v retrieving revision 1.34 diff -u -r1.34 if_cx.c --- sys/i386/isa/if_cx.c 2000/06/13 22:28:47 1.34 +++ sys/i386/isa/if_cx.c 2001/09/25 11:53:37 @@ -26,6 +26,7 @@ #include #include #include +#include #include #include #include Index: sys/i386/isa/if_el.c =================================================================== RCS file: /home/ncvs/src/sys/i386/isa/if_el.c,v retrieving revision 1.54 diff -u -r1.54 if_el.c --- sys/i386/isa/if_el.c 2001/02/09 06:09:28 1.54 +++ sys/i386/isa/if_el.c 2001/09/25 11:53:39 @@ -26,6 +26,7 @@ #include #include #include +#include #include #include #include Index: sys/i386/isa/if_le.c =================================================================== RCS file: /home/ncvs/src/sys/i386/isa/if_le.c,v retrieving revision 1.64 diff -u -r1.64 if_le.c --- sys/i386/isa/if_le.c 2001/02/06 10:11:19 1.64 +++ sys/i386/isa/if_le.c 2001/09/25 11:53:42 @@ -42,6 +42,7 @@ #include #include #include +#include #include #include #include Index: sys/i386/isa/if_rdp.c =================================================================== RCS file: /home/ncvs/src/sys/i386/isa/if_rdp.c,v retrieving revision 1.11 diff -u -r1.11 if_rdp.c --- sys/i386/isa/if_rdp.c 2000/10/15 14:18:38 1.11 +++ sys/i386/isa/if_rdp.c 2001/09/25 11:53:44 @@ -67,6 +67,7 @@ #include #include #include +#include #include #include #include Index: sys/kern/init_main.c =================================================================== RCS file: /home/ncvs/src/sys/kern/init_main.c,v retrieving revision 1.177 diff -u -r1.177 init_main.c --- sys/kern/init_main.c 2001/09/18 22:09:47 1.177 +++ sys/kern/init_main.c 2001/09/19 02:36:48 @@ -43,6 +43,7 @@ */ #include "opt_init_path.h" +#include "opt_mac.h" #include #include 
@@ -54,6 +55,7 @@ #include #include #include +#include #include #include #include @@ -345,6 +347,9 @@ p->p_ucred = crget(); p->p_ucred->cr_ngroups = 1; /* group 0 */ p->p_ucred->cr_uidinfo = uifind(0); +#ifdef MAC + mac_init_subject(p->p_ucred); +#endif p->p_ucred->cr_ruidinfo = uifind(0); p->p_ucred->cr_prison = NULL; /* Don't jail it. */ Index: sys/kern/init_sysent.c =================================================================== RCS file: /home/ncvs/src/sys/kern/init_sysent.c,v retrieving revision 1.110 diff -u -r1.110 init_sysent.c --- sys/kern/init_sysent.c 2001/10/13 13:30:20 1.110 +++ sys/kern/init_sysent.c 2001/10/16 01:28:36 @@ -2,7 +2,7 @@ * System call switch table. * * DO NOT EDIT-- this file is automatically generated. - * $FreeBSD: src/sys/kern/init_sysent.c,v 1.110 2001/10/13 13:30:20 rwatson Exp $ + * $FreeBSD$ * created from FreeBSD: src/sys/kern/syscalls.master,v 1.99 2001/10/13 13:19:34 rwatson Exp */ @@ -400,4 +400,10 @@ { AS(nfsclnt_args), (sy_call_t *)nosys }, /* 375 = nfsclnt */ { AS(eaccess_args), (sy_call_t *)eaccess }, /* 376 = eaccess */ { 0, (sy_call_t *)nosys }, /* 377 = afs_syscall */ + { AS(__mac_get_proc_args), (sy_call_t *)__mac_get_proc }, /* 378 = __mac_get_proc */ + { AS(__mac_set_proc_args), (sy_call_t *)__mac_set_proc }, /* 379 = __mac_set_proc */ + { AS(__mac_get_fd_args), (sy_call_t *)__mac_get_fd }, /* 380 = __mac_get_fd */ + { AS(__mac_get_file_args), (sy_call_t *)__mac_get_file }, /* 381 = __mac_get_file */ + { AS(__mac_set_fd_args), (sy_call_t *)__mac_set_fd }, /* 382 = __mac_set_fd */ + { AS(__mac_set_file_args), (sy_call_t *)__mac_set_file }, /* 383 = __mac_set_file */ }; Index: sys/kern/kern_exec.c =================================================================== RCS file: /home/ncvs/src/sys/kern/kern_exec.c,v retrieving revision 1.141 diff -u -r1.141 kern_exec.c --- sys/kern/kern_exec.c 2001/10/10 23:06:53 1.141 +++ sys/kern/kern_exec.c 2001/10/11 14:38:57 
@@ -26,6 +26,8 @@ * $FreeBSD: src/sys/kern/kern_exec.c,v 1.141 2001/10/10 23:06:53 ps Exp $ */ +#include "opt_mac.h" + #include #include #include @@ -833,6 +835,22 @@ error = VOP_ACCESS(vp, VEXEC, p->p_ucred, curthread); /* XXXKSE */ if (error) return (error); + +#ifdef MAC +#if 0 + { + struct mac label; + + error = VOP_GETLABEL(vp, &label, curthread->td_proc->p_ucred, + curthread); + if (error) + return (error); + error = mac_p_canexec(curthread->td_proc, &label); + if (error) + return (error); + } +#endif /* !0 */ +#endif /* !MAC */ /* * Check number of open-for-writes on the file and deny execution Index: sys/kern/kern_mac.c =================================================================== RCS file: kern_mac.c diff -N kern_mac.c --- /dev/null Tue Oct 16 15:44:01 2001 +++ kern_mac.c Fri Oct 5 09:31:47 2001 
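Review bot: The MAC exec check is compiled out with `#if 0`, and mac_p_canexec() in the kern_mac.c hunk below unconditionally returns 0, so with MAC enabled execve() performs no mandatory check on the image; if this is intentional scaffolding, say so where the block sits — `/* XXX: MAC exec check disabled until mac_p_canexec() is implemented. */` — so nobody assumes enforcement exists. The `#endif /* !0 */` comment should be `#endif /* 0 */`; the `!X` form is the BSD marker for the #else branch of `#ifdef X`. The disabled block also names `curthread->td_proc->p_ucred` where the VOP_ACCESS line just above uses `p->p_ucred`; when the check is enabled, the same credential should be used for both decisions. The enclosing function continues outside the hunk.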
@@ -0,0 +1,510 @@
+/*-
+ * Copyright (c) 1999-2001 Robert N. M. Watson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD: $
+ */
+/*
+ * Developed by the TrustedBSD Project.
+ * Userland/kernel interface, policy merging for various access models.
+ */
+
+#include "opt_mac.h"
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#ifdef MAC
+
+static int error_select __P((int error1, int error2));
+
+/*
+ * error_select() defines an error value precedence, and given two
+ * arguments, selects the value with the higher precedence.
+ */
+static int
+error_select(int error1, int error2)
+{
+
+ /* Certain decision-making errors take top priority. */
+ if (error1 == EDEADLK || error2 == EDEADLK)
+ return (EDEADLK);
+
+ /* Precedence goes to "visibility", with both process and file. */
+ if (error1 == ESRCH || error2 == ESRCH)
+ return (ESRCH);
+
+ if (error1 == ENOENT || error2 == ENOENT)
+ return (ENOENT);
+
+ /* Precedence goes to DAC/MAC protections. */
+ if (error1 == EACCES || error2 == EACCES)
+ return (EACCES);
+
+ /* Precedence goes to privilege. */
+ if (error1 == EPERM || error2 == EPERM)
+ return (EPERM);
+
+ /* Oh well. */
+ return (error1);
+
+}
+
+int
+mac_cr_cansee(const struct ucred *u1, const struct ucred *u2)
+{
+ int error_biba, error_mls, error;
+
+ error_biba = mac_biba_cr_cansee(u1, u2);
+ error_mls = mac_mls_cr_cansee(u1, u2);
+
+ error = error_select(error_biba, error_mls);
+
+ return (error);
+}
+
+int
+mac_p_cansignal(const struct proc *p1, const struct proc *p2, int signum)
+{
+ int error_biba, error_mls, error;
+
+ error_biba = mac_biba_p_cansignal(p1, p2, signum);
+ error_mls = mac_mls_p_cansignal(p1, p2, signum);
+
+ error = error_select(error_biba, error_mls);
+
+ return (error);
+}
+
+int
+mac_p_cansched(const struct proc *p1, const struct proc *p2)
+{
+ int error_biba, error_mls, error;
+
+ error_biba = mac_biba_p_cansched(p1, p2);
+ error_mls = mac_mls_p_cansched(p1, p2);
+
+ error = error_select(error_biba, error_mls);
+
+ return (error);
+}
+
+int
+mac_p_candebug(const struct proc *p1, const struct proc *p2)
+{
+ int error_biba, error_mls, error;
+
+ error_biba = mac_biba_p_candebug(p1, p2);
+ error_mls = mac_mls_p_candebug(p1, p2);
+
+ error = error_select(error_biba, error_mls);
+
+ return (error);
+}
+
+int
+mac_p_canexec(const struct proc *p1, const struct mac *label)
+{
+
+ return (0);
+}
+
+#if 0
+/*
+ * POSIX.1e calls for a dominate function to be exported or available
+ * to userland processes. However, not all policies support a concept
+ * of "dominate" and so it may be inappropriate in more general policy
+ * environments (such as type enforcement). Disabled for the time
+ * being in the hopes that it doesn't prove necessary.
+ */
+/*
+ * Return (1) if MAC labela dominates MAC labelb, otherwise, (0).
+ */
+int
+mac_dominate(const struct mac *labela, const struct mac *labelb)
+{
+
+ /*
+ * A MAC label only dominates another if all of the component
+ * labels from it dominate the other.
+ */
+ return (mac_biba_dominate(&labela->m_biba, &labelb->m_biba) &&
+ mac_mls_dominate(&labela->m_mls, &labelb->m_mls) &&
+ mac_partition_dominate(&labela->m_partition,
+ &labelb->m_partition));
+}
+#endif
+
+/*
+ * Return (1) if the two MAC labels are equal, otherwise, (0).
+ */
+int
+mac_equal(const struct mac *labela, const struct mac *labelb)
+{
+
+ /*
+ * Two MAC labels are only equal of they are equal according to
+ * all of the individual policies.
+ */
+ return (mac_biba_equal(labela, labelb) &&
+ mac_mls_equal(labela, labelb) &&
+ mac_partition_equal(labela, labelb));
+}
+
+/*
+ * At system start-up time, the credential of the first-born process
+ * is passed in for label initialization. What actually occurs will
+ * be policy-specific, but the results should allow the system to
+ * boot.
+ */
+void
+mac_init_subject(struct ucred *cred)
+{
+
+ mac_biba_init_subject(cred);
+ mac_mls_init_subject(cred);
+ mac_partition_init_subject(cred);
+}
+
+/*
+ * When a new process is created, its label must be initialized. Generally,
+ * this involves inheritence from the parent process, modulo possible
+ * deltas. This function allows that processing to take place.
+ */
+void
+mac_create_subject(const struct ucred *parent_cred,
+ struct ucred *child_cred)
+{
+
+ mac_biba_create_subject(parent_cred, child_cred);
+ mac_mls_create_subject(parent_cred, child_cred);
+ mac_partition_create_subject(parent_cred, child_cred);
+}
+
+/*
+ * Processes may need to modify their current subject label if they
+ * perform multi-level activities, or proxy data between levels.
+ * This function is a check to determine if a particular label change
+ * is permitted; the old and new credentials are provided. 0 is
+ * returned for success, otherwise an errno.
+ */
+int
+mac_can_setlabel_subject(const struct ucred *cred_old,
+ const struct ucred *cred_new)
+{
+ int error;
+
+ /*
+ * Because a composition occurs here, we must select one
+ * error to return to the user. A precedence rule should
+ * probably be present, but instead we return the first
+ * failure to be discovered. Any failure by any policy
+ * vetoes the whole operation.
+ */
+
+ error = mac_biba_can_setlabel_subject(cred_old, cred_new);
+ if (error)
+ return (error);
+
+ error = mac_mls_can_setlabel_subject(cred_old, cred_new);
+ if (error)
+ return (error);
+
+ error = mac_partition_can_setlabel_subject(cred_old, cred_new);
+ if (error)
+ return (error);
+
+ return (0);
+}
+
+/*
+ * Generally speaking, object providers will maintain persistent or
+ * inherited labels for most system objects. However, until this
+ * is done, mac_init_object() will be used to label unlabeled objects.
+ * For safety purposes, this should protect the object from unnecessary
+ * writes, and possibly reads.
+ */
+void
+mac_init_object(struct mac *label)
+{
+
+ mac_biba_init_object(label);
+ mac_mls_init_object(label);
+ mac_partition_init_object(label);
+}
+
+/*
+ * When a new object is created, its label must be initialized. Generally,
+ * this involves inheritence from the subject creating the object,
+ * modulo possible deltas. This function allows that processing to take
+ * place.
+ */
+void
+mac_create_object(const struct ucred *cred, struct mac *label)
+{
+
+ if (cred != NULL) {
+ mac_biba_create_object(cred, label);
+ mac_mls_create_object(cred, label);
+ mac_partition_create_object(cred, label);
+ } else
+ mac_init_object(label);
+}
+
+/*
+ * Processes may need to modify the current object label on objects in
+ * the system, for reasons identified above. This function is a check to
+ * determine if a particular label change is permitted; the requesting
+ * credential is provided, as well as the old and new object labels. 0 is
+ * returned for success, otherwise an errno.
+ */
+int
+mac_can_setlabel_object(const struct ucred *cred, const struct mac *label_old,
+ const struct mac *label_new)
+{
+ int error;
+
+ /*
+ * Because a composition occurs here, we must select one
+ * error to return to the user. A precedence rule should
+ * probably be present, but instead we return the first
+ * failure to be discovered. Any failure by any policy
+ * vetoes the whole operation.
+ */
+
+ error = mac_biba_can_setlabel_object(cred, label_old, label_new);
+ if (error)
+ return (error);
+
+ error = mac_mls_can_setlabel_object(cred, label_old, label_new);
+ if (error)
+ return (error);
+
+ error = mac_partition_can_setlabel_object(cred, label_old, label_new);
+ if (error)
+ return (error);
+
+ return (0);
+}
+
+/*
+int
+mac_ether_output_check(struct ifnet *ifp, struct mbuf *mbp)
+{
+
+ return (0);
+}
+*/
+
+void
+mac_print_label(const struct mac *label)
+{
+
+ printf("MAC label:\n");
+ mac_biba_print_label(label);
+ mac_mls_print_label(label);
+ mac_partition_print_label(label);
+}
+
+/*
+ * Function to intersect with vaccess() providing mandatory access
+ * checks for file system objects. Accepts object type, object label,
+ * access request, requesting credential, and an optional privused
+ * field to return privilege information (currently unused).
+ */
+int
+vaccess_mac(enum vtype type, const struct mac *filelabel, mode_t acc_mode,
+ struct ucred *cred)
+{
+ int error_biba, error_mls, error;
+
+ /* Detect and reject unknown access modes. */
+ if ((acc_mode & (VWRITE | VADMIN | VREAD | VEXEC)) != acc_mode) {
+ printf("vaccess_mac: unknown access mode in %d\n", acc_mode);
+ return (EPERM);
+ }
+
+ error_biba = mac_biba_vaccess(type, filelabel, acc_mode, cred);
+ error_mls = mac_mls_vaccess(type, filelabel, acc_mode, cred);
+
+ error = error_select(error_biba, error_mls);
+
+ return (error);
+}
+
+int
+__mac_get_proc(struct thread *td, struct __mac_get_proc_args *uap)
+{
+ int error;
+
+ error = copyout(&td->td_proc->p_ucred->cr_label, SCARG(uap, mac_p),
+ sizeof(td->td_proc->p_ucred->cr_label));
+
+ return (0);
+}
+
+int
+__mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
+{
+ struct ucred *new_cred, *old_cred;
+ int error;
+
+ old_cred = td->td_proc->p_ucred;
+ new_cred = crdup(td->td_proc->p_ucred);
+ if (new_cred == NULL)
+ return (ENOMEM);
+
+ error = copyin(SCARG(uap, mac_p), &new_cred->cr_label,
+ sizeof(new_cred->cr_label));
+ if (error) {
+ crfree(new_cred);
+ return (error);
+ }
+
+ error = mac_can_setlabel_subject(td->td_proc->p_ucred, new_cred);
+ if (error) {
+ crfree(new_cred);
+ return (error);
+ }
+
+ td->td_proc->p_ucred = new_cred;
+ crfree(old_cred);
+ return (0);
+}
+
+int
+__mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap)
+{
+
+ return (ENOSYS);
+}
+
+int
+__mac_get_file(struct thread *td, struct __mac_get_file_args *uap)
+{
+ struct nameidata nd;
+ struct mac label;
+ int error;
+
+ NDINIT(&nd, LOOKUP, LOCKLEAF | FOLLOW, UIO_USERSPACE,
+ SCARG(uap, path_p), td);
+ error = namei(&nd);
+ if (error)
+ return (error);
+
+ error = VOP_GETLABEL(nd.ni_vp, &label, td->td_proc->p_ucred, td);
+ NDFREE(&nd, 0);
+ if (error)
+ return (error);
+
+ error = copyout(&label, SCARG(uap, mac_p), sizeof(label));
+
+ return (error);
+}
+
+int
+__mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap)
+{
+
+ return (ENOSYS);
+}
+
+int
+__mac_set_file(struct thread *td, struct __mac_set_file_args *uap)
+{
+ struct nameidata nd;
+ struct mac label;
+ int error;
+
+ error = copyin(SCARG(uap, mac_p), &label, sizeof(label));
+ if (error)
+ return (error);
+
+ NDINIT(&nd, LOOKUP, LOCKLEAF | FOLLOW, UIO_USERSPACE,
+ SCARG(uap, path_p), td);
+ error = namei(&nd);
+ if (error)
+ return (error);
+
+ error = VOP_SETLABEL(nd.ni_vp, &label, td->td_proc->p_ucred, td);
+ NDFREE(&nd, 0);
+
+ return (error);
+}
+
+#else /* !MAC */
+
+int
+__mac_get_proc(struct thread *td, struct __mac_get_proc_args *uap)
+{
+
+ return (ENOSYS);
+}
+
+int
+__mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
+{
+
+ return (ENOSYS);
+}
+
+int
+__mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap)
+{
+
+ return (ENOSYS);
+}
+
+int
+__mac_get_file(struct thread *td, struct __mac_get_file_args *uap)
+{
+
+ return (ENOSYS);
+}
+
+int
+__mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap)
+{
+
+ return (ENOSYS);
+}
+
+int
+__mac_set_file(struct thread *td, struct __mac_set_file_args *uap)
+{
+
+ return (ENOSYS);
+}
+
+#endif /* !MAC */
Index: sys/kern/kern_mac_biba.c
===================================================================
RCS file: kern_mac_biba.c
diff -N kern_mac_biba.c
--- /dev/null Tue Oct 16 15:44:01 2001
+++ kern_mac_biba.c Fri Oct 5 09:31:54 2001
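Review bot: __mac_get_proc() stores the copyout() result in `error` and then returns 0, so a faulting user pointer is reported to the caller as success; the final line should be `return (error);`. error_select()'s fallback `return (error1);` discards error2 whenever error1 is 0 and error2 is an errno outside the precedence list (EINVAL, for example), which turns a denial by the second policy into a grant in every composed check; `return (error1 != 0 ? error1 : error2);` preserves the veto. __mac_set_proc() swaps `td->td_proc->p_ucred` with no PROC_LOCK around the assignment, while procfs_getlabel() in this same change reads `p_ucred->cr_label` under the process lock, so a concurrent reader can observe the old credential as it is freed; presumably PROC_LOCK/PROC_UNLOCK belongs around the swap, as other p_ucred updates do (not visible here). The composed decision functions (mac_cr_cansee, mac_p_cansignal, mac_p_cansched, mac_p_candebug, vaccess_mac) consult only Biba and MLS, whereas mac_equal and the init/create/setlabel paths also call the partition policy; if partition deliberately has no say in access decisions, a one-line comment at the first of them would make that explicit.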
@@ -0,0 +1,247 @@
+/*-
+ * Copyright (c) 1999-2001 Robert N. M. Watson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD: $
+ */
+/*
+ * Developed by the TrustedBSD Project.
+ * Biba Integrity Policy.
+ */
+
+#include "opt_mac.h"
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#ifdef MAC
+
+/*
+ * Syntactic check of label: 0 for success, else an errno.
+ */
+static int
+mac_biba_label_valid(const struct mac *label)
+{
+
+ switch(label->m_biba.mb_type) {
+ case MAC_BIBA_TYPE_GRADE:
+ break;
+ case MAC_BIBA_TYPE_HIGH:
+ case MAC_BIBA_TYPE_LOW:
+ case MAC_BIBA_TYPE_EQUAL:
+ if (label->m_biba.mb_grade != 0)
+ return (EINVAL);
+ break;
+ default:
+ return (EINVAL);
+ }
+
+ return (0);
+}
+
+int
+mac_biba_dominate(const struct mac *labela, const struct mac *labelb)
+{
+
+ switch (labela->m_biba.mb_type) {
+ case MAC_BIBA_TYPE_GRADE:
+ switch (labelb->m_biba.mb_type) {
+ case MAC_BIBA_TYPE_GRADE:
+ return (labela->m_biba.mb_grade >=
+ labelb->m_biba.mb_grade);
+
+ case MAC_BIBA_TYPE_LOW:
+ return (1);
+
+ case MAC_BIBA_TYPE_HIGH:
+ return (0);
+
+ case MAC_BIBA_TYPE_EQUAL:
+ return (1);
+
+ default:
+ panic("mac_biba_dominate(): unknown mb_type\n");
+ }
+
+ case MAC_BIBA_TYPE_LOW:
+ switch (labelb->m_biba.mb_type) {
+ case MAC_BIBA_TYPE_GRADE:
+ return (0);
+
+ case MAC_BIBA_TYPE_LOW:
+ return (1);
+
+ case MAC_BIBA_TYPE_HIGH:
+ return (0);
+
+ case MAC_BIBA_TYPE_EQUAL:
+ return (1);
+
+ default:
+ panic("mac_biba_dominate(): unknown mb_type\n");
+ }
+
+ case MAC_BIBA_TYPE_HIGH:
+ return (1);
+
+ case MAC_BIBA_TYPE_EQUAL:
+ return (1);
+ default:
+ panic("mac_biba_dominate(): unknown mb_type\n");
+ }
+}
+
+int
+mac_biba_equal(const struct mac *labela, const struct mac *labelb)
+{
+
+ return (mac_biba_dominate(labela, labelb) &&
+ mac_biba_dominate(labelb, labela));
+}
+
+void
+mac_biba_init_subject(struct ucred *cred)
+{
+
+ /*
+ * Early system processes run with high integrity.
+ */
+ cred->cr_label.m_biba.mb_type = MAC_BIBA_TYPE_HIGH;
+ cred->cr_label.m_biba.mb_grade = 0;
+}
+
+void
+mac_biba_create_subject(const struct ucred *cred_parent,
+ struct ucred *cred_child)
+{
+
+ cred_child->cr_label = cred_parent->cr_label;
+}
+
+int
+mac_biba_can_setlabel_subject(const struct ucred *cred_old,
+ const struct ucred *cred_new)
+{
+ int error;
+
+ error = mac_biba_label_valid(&cred_new->cr_label);
+ if (error)
+ return (error);
+
+ error = suser_xxx(cred_old, NULL, 0);
+ if (error)
+ return (error);
+
+ return (0);
+}
+
+void
+mac_biba_init_object(struct mac *label)
+{
+
+ /*
+ * XXX:
+ * Eventually, objects without explicit labeling will be at
+ * low integrity. For development purposes, set them to high
+ * integrity to allow the system to boot.
+ */
+ label->m_biba.mb_type = MAC_BIBA_TYPE_HIGH;
+ label->m_biba.mb_grade = 0;
+}
+
+void
+mac_biba_create_object(const struct ucred *cred, struct mac *label)
+{
+
+ label->m_biba.mb_type = cred->cr_label.m_biba.mb_type;
+ label->m_biba.mb_grade = cred->cr_label.m_biba.mb_grade;
+}
+
+int
+mac_biba_can_setlabel_object(const struct ucred *cred,
+ const struct mac *label_old, const struct mac *label_new)
+{
+ int error;
+
+ error = mac_biba_label_valid(label_new);
+ if (error)
+ return (error);
+
+ error = suser_xxx(cred, NULL, 0);
+ if (error)
+ return (error);
+
+ return (0);
+}
+
+void
+mac_biba_print_label(const struct mac *label)
+{
+
+ printf("Biba: type==%u, grade==%u\n", label->m_biba.mb_type,
+ label->m_biba.mb_grade);
+}
+
+int
+mac_biba_vaccess(enum vtype type, const struct mac *filelabel, mode_t acc_mode,
+ struct ucred *cred)
+{
+
+ if (operation & ~(MAC_WRITE | MAC_ADMIN | MAC_CREATE | MAC_READ |
+ MAC_EXEC | MAC_STAT)) {
+ printf("mac_biba_vaccess: unknown acc_mode %d\n", acc_mode);
+ return (EINVAL);
+ }
+
+ if (operation & (MAC_WRITE | MAC_ADMIN)) {
+ if (!mac_biba_dominate(&cred->cr_label, filelabel) &&
+ suser_xxx(cred, NULL, 0))
+ return (EACCES);
+ }
+
+ if (operation & (MAC_READ | MAC_EXEC | MAC_STAT)) {
+ if (!mac_biba_dominate(filelabel, &cred->cr_label) &&
+ suser_xxx(cred, NULL, 0))
+ return (EACCES);
+ }
+
+ if (operation & (MAC_CREATE)) {
+ if (!mac_biba_equal(&cred->cr_label, filelabel) &&
+ suser_xxx(cred, NULL, 0))
+ return (EACCES);
+ }
+
+ return (0);
+}
+
+#endif /* !MAC */
Index: sys/kern/kern_mac_mls.c
===================================================================
RCS file: kern_mac_mls.c
diff -N kern_mac_mls.c
--- /dev/null Tue Oct 16 15:44:01 2001
+++ kern_mac_mls.c Fri Oct 5 09:32:02 2001
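Review bot: mac_biba_vaccess() tests an undeclared identifier `operation` in all four conditionals while its parameter is named `acc_mode`, and it masks against MAC_WRITE/MAC_ADMIN/MAC_CREATE/MAC_READ/MAC_EXEC/MAC_STAT although its only caller, vaccess_mac() in kern_mac.c, passes the VWRITE/VADMIN/VREAD/VEXEC bits it just validated; as written the file cannot compile with MAC defined, and after a plain rename the function would compare vnode access bits against a different flag set, so rename `operation` to `acc_mode` and use the same bit definitions the caller uses. mac_biba_dominate() has no return after the outer switch, and each inner `default: panic(...)` falls into the following outer case label unless panic() is declared noreturn; mac_mls_dominate() in the next file ends with `return (0);`, so add the same here for consistency and to silence the missing-return warning. mac_biba_create_subject() copies the entire label (`cred_child->cr_label = cred_parent->cr_label;`), clobbering the MLS and partition components that the sibling policies then reset, whereas mac_biba_create_object() copies only `m_biba`; `cred_child->cr_label.m_biba = cred_parent->cr_label.m_biba;` keeps each policy inside its own field. mac_biba_can_setlabel_subject() and mac_biba_can_setlabel_object() gate relabeling on suser_xxx() alone with no relation check between the old and new labels, so an unprivileged process can never relabel and a privileged one may set anything; if that is the intended interim policy, a comment saying so on the first of them would help.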
@@ -0,0 +1,250 @@ +/*- + * Copyright (c) 1999-2001 Robert N. M. Watson + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD: $ + */ +/* + * Developed by the TrustedBSD Project. + * Multi-Level Security Policy. + */ + +#include "opt_mac.h" + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#ifdef MAC + +/* + * Syntactic check of label: 0 for success, else an errno. 
+ */ +static int +mac_mls_label_valid(const struct mac *label) +{ + + switch(label->m_mls.mm_type) { + case MAC_MLS_TYPE_LEVEL: + break; + case MAC_MLS_TYPE_HIGH: + case MAC_MLS_TYPE_LOW: + case MAC_MLS_TYPE_EQUAL: + if (label->m_mls.mm_level != 0) + return (EINVAL); + break; + default: + return (EINVAL); + } + + return (0); +} + +int +mac_mls_dominate(const struct mac *labela, const struct mac *labelb) +{ + + switch (labela->m_mls.mm_type) { + case MAC_MLS_TYPE_LEVEL: + switch (labelb->m_mls.mm_type) { + case MAC_MLS_TYPE_LEVEL: + return (labela->m_mls.mm_level >= + labelb->m_mls.mm_level); + + case MAC_MLS_TYPE_LOW: + return (1); + + case MAC_MLS_TYPE_HIGH: + return (0); + + case MAC_MLS_TYPE_EQUAL: + return (1); + + default: + panic("mac_mls_dominate(): Unknown mm_type\n"); + } + + case MAC_MLS_TYPE_LOW: + switch (labelb->m_mls.mm_type) { + case MAC_MLS_TYPE_LEVEL: + return (0); + + case MAC_MLS_TYPE_LOW: + return (1); + + case MAC_MLS_TYPE_HIGH: + return (0); + + case MAC_MLS_TYPE_EQUAL: + return (1); + + default: + panic("mac_mls_dominate(): Unknown mm_type\n"); + } + + case MAC_MLS_TYPE_HIGH: + return (1); + + case MAC_MLS_TYPE_EQUAL: + return (1); + + default: + panic("mac_mls_dominate(): Unknown mm_type\n"); + } + return (0); +} + +int +mac_mls_equal(const struct mac *labela, const struct mac *labelb) +{ + + return (mac_mls_dominate(labela, labelb) && + mac_mls_dominate(labelb, labela)); +} + +void +mac_mls_init_subject(struct ucred *cred) +{ + + /* + * Early system processes run with low secrecy, and must + * use privilege to access high secrecy objects. 
+ */ + cred->cr_label.m_mls.mm_type = MAC_MLS_TYPE_LOW; + cred->cr_label.m_mls.mm_level = 0; +} + +void +mac_mls_create_subject(const struct ucred *cred_parent, + struct ucred *cred_child) +{ + + cred_child->cr_label = cred_parent->cr_label; +} + +int +mac_mls_can_setlabel_subject(const struct ucred *cred_old, + const struct ucred *cred_new) +{ + int error; + + error = mac_mls_label_valid(&cred_new->cr_label); + if (error) + return (error); + + error = suser_xxx(cred_old, NULL, 0); + if (error) + return (error); + + return (0); +} + +void +mac_mls_init_object(struct mac *label) +{ + + /* + * XXX: + * Eventually, might be desirable to label unlabeled objects + * as high secrecy, but for initial booting purposes, label + * them as low secrecy. + */ + label->m_mls.mm_type = MAC_MLS_TYPE_LOW; + label->m_mls.mm_level = 0; +} + +void +mac_mls_create_object(const struct ucred *cred, struct mac *label) +{ + + label->m_mls.mm_type = cred->cr_label.m_mls.mm_type; + label->m_mls.mm_level = cred->cr_label.m_mls.mm_level; +} + +int +mac_mls_can_setlabel_object(const struct ucred *cred, + const struct mac *label_old, const struct mac *label_new) +{ + int error; + + error = mac_mls_label_valid(label_new); + if (error) + return (error); + + error = suser_xxx(cred, NULL, 0); + if (error) + return (error); + + return (0); +} + +void +mac_mls_print_label(const struct mac *label) +{ + + printf("MLS: type==%u, level==%u\n", label->m_mls.mm_type, + label->m_mls.mm_level); +} + +int +mac_mls_vaccess(enum vtype type, constr struct mac *filelabel, mode_t acc_mode, + struct ucred *cred) +{ + + if (operation & ~(MAC_WRITE | MAC_ADMIN | MAC_CREATE | MAC_READ | + MAC_EXEC | MAC_STAT)) { + printf("mac_mls_vaccess: unknown acc_mode %d\n", acc_mode); + return (EINVAL); + } + + if (operation & (MAC_WRITE | MAC_ADMIN)) { + if (!mac_mls_dominate(filelabel, &cred->cr_label) && + suser_xxx(cred, NULL, 0)) + return (EACCES); + } + + if (operation & (MAC_READ | MAC_EXEC | MAC_STAT)) { + if 
(!mac_mls_dominate(&cred->cr_label, filelabel) && + suser_xxx(cred, NULL, 0)) + return (EACCES); + } + + if (operation & (MAC_CREATE)) { + if (!mac_mls_equal(&cred->cr_label, filelabel) && + suser_xxx(cred, NULL, 0)) + return (EACCES); + } + + return (0); +} + +#endif /* !MAC */ Index: sys/kern/kern_mac_partition.c =================================================================== RCS file: kern_mac_partition.c diff -N kern_mac_partition.c --- /dev/null Tue Oct 16 15:44:01 2001 +++ kern_mac_partition.c Fri Oct 5 09:32:37 2001 
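Review bot: `mac_mls_vaccess` cannot compile as written: the parameter is spelled `constr struct mac *filelabel`, and every check tests `operation`, which is not a parameter (the signature has `enum vtype type`, `filelabel`, `mode_t acc_mode` and `cred`), while the diagnostic prints `acc_mode`. Decide whether the MAC_* flag word arrives as `acc_mode` or as a new `int operation` parameter and use that one name throughout; the identical `operation` mismatch is present in `mac_biba_vaccess` in the kern_mac_biba.c hunk above, whose start is outside this excerpt. Minor: the closing `#endif /* !MAC */` closes `#ifdef MAC`, so the comment should read `/* MAC */` (also in the biba and partition files), and `%d` applied to a `mode_t` should be `%u` or carry a cast. The access logic itself reads correctly for MLS: writes require the object label to dominate the subject and reads require the subject to dominate the object, with `suser_xxx` as the privilege override.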
@@ -0,0 +1,227 @@ +/*- + * Copyright (c) 1999-2001 Robert N. M. Watson + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD: $ + */ +/* + * Developed by the TrustedBSD Project. + * Light-Weight Partition Policy. + */ + +#include "opt_mac.h" + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#ifdef MAC + +/* + * Syntactic check of label: 0 for success, else an errno. 
+ */ +static int +mac_partition_label_valid(const struct mac *label) +{ + + switch(label->m_partition.mp_type) { + case MAC_PARTITION_TYPE_PARTITION: + break; + case MAC_PARTITION_TYPE_NONE: + case MAC_PARTITION_TYPE_ALL: + if (label->m_partition.mp_partition != 0) + return (EINVAL); + break; + default: + return (EINVAL); + } + + return (0); +} + +int +mac_partition_can(const struct ucred *cred, const struct mac *label, + int operation, int sub_operation) +{ + /* + * Partitioning policy dictates that for a subject to modify + * an object, the label of the subject must dominate that of the + * object. + * For a subject to read an object, the label of the subject must + * dominate the label of the object. + * For a subject to create an object on a fixed-label target, the + * label of the subject must dominate the label of the target. + * Appropriate privilege may override the Partition policy. + * + * MAC_WRITE, MAC_ADMIN, MAC_SIGNAL: subject dominates object + * MAC_READ, MAC_EXEC, MAC_STAT: subject dominates object + * MAC_CREATE: subject dominates object + */ + if (operation & MAC_ALL && + !mac_partition_dominate(&cred->cr_label, label) && + suser_xxx(cred, NULL, 0)) + return (EACCES); + + return (0); +} + +int +mac_partition_dominate(const struct mac *labela, const struct mac *labelb) +{ + + switch(labela->m_partition.mp_type) { + case MAC_PARTITION_TYPE_PARTITION: + switch(labelb->m_partition.mp_type) { + case MAC_PARTITION_TYPE_PARTITION: + return (labela->m_partition.mp_partition == + labelb->m_partition.mp_partition); + + case MAC_PARTITION_TYPE_ALL: + /* + * Bypass of this restriction for MAC_READ + * is implemented in mac_partition_can(). 
+ */ + return (0); + + case MAC_PARTITION_TYPE_NONE: + return (0); + + default: + panic("mac_partition_dominate(): Unknown mp_type\n"); + } + + case MAC_PARTITION_TYPE_ALL: + printf("mac_partition_dominate: warning, " + "MAC_PARTITION_TYPE_ALL used as subject."); + return (labelb->m_partition.mp_type == MAC_PARTITION_TYPE_ALL); + + case MAC_PARTITION_TYPE_NONE: + return (1); + + default: + panic("mac_partition_dominate(): Unknown mp_type\n"); + } + + return (0); +} + +int +mac_partition_equal(const struct mac *labela, const struct mac *labelb) +{ + + return (mac_partition_dominate(labela, labelb) && + mac_partition_dominate(labelb, labela)); +} + +void +mac_partition_init_subject(struct ucred *cred) +{ + + /* + * Early system processes run outside of partitions. + */ + cred->cr_label.m_partition.mp_type = MAC_PARTITION_TYPE_NONE; + cred->cr_label.m_partition.mp_partition = 0; +} + +void +mac_partition_create_subject(const struct ucred *cred_parent, + struct ucred *cred_child) +{ + + cred_child->cr_label = cred_parent->cr_label; +} + +int +mac_partition_can_setlabel_subject(const struct ucred *cred_old, + const struct ucred *cred_new) +{ + int error; + + error = mac_partition_label_valid(&cred_new->cr_label); + if (error) + return (error); + + error = suser_xxx(cred_old, NULL, 0); + if (error) + return (error); + + return (0); +} + +void +mac_partition_init_object(struct mac *label) +{ + + /* + * Unless explicitely labeled, objects are not visible from + * any partition. 
+ */ + label->m_partition.mp_type = MAC_PARTITION_TYPE_NONE; + label->m_partition.mp_partition = 0; +} + +void +mac_partition_create_object(const struct ucred *cred, struct mac *label) +{ + + label->m_partition.mp_type = cred->cr_label.m_partition.mp_type; + label->m_partition.mp_partition = + cred->cr_label.m_partition.mp_partition; +} + +int +mac_partition_can_setlabel_object(const struct ucred *cred, + const struct mac *label_old, const struct mac *label_new) +{ + int error; + + error = mac_partition_label_valid(label_new); + if (error) + return (error); + + error = suser_xxx(cred, NULL, 0); + if (error) + return (error); + + return (0); +} + +void +mac_partition_print_label(const struct mac *label) +{ + + printf("Partition: type==%u, partition==%u\n", + label->m_partition.mp_type, label->m_partition.mp_partition); +} + +#endif /* !MAC */ Index: sys/kern/kern_malloc.c =================================================================== RCS file: /home/ncvs/src/sys/kern/kern_malloc.c,v retrieving revision 1.93 diff -u -r1.93 kern_malloc.c --- sys/kern/kern_malloc.c 2001/09/12 08:37:44 1.93 +++ sys/kern/kern_malloc.c 2001/09/24 18:20:20 @@ -40,6 +40,7 @@ #include #include #include +#include #include #include #include Index: sys/kern/kern_prot.c =================================================================== RCS file: /home/ncvs/src/sys/kern/kern_prot.c,v retrieving revision 1.115 diff -u -r1.115 kern_prot.c --- sys/kern/kern_prot.c 2001/10/11 23:38:15 1.115 +++ sys/kern/kern_prot.c 2001/10/14 15:25:58 @@ -1,7 +1,7 @@ /* * Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993 * The Regents of the University of California. All rights reserved. - * Copyright (c) 2000, 2001 Robert N. M. Watson. All rights reserved. + * Copyright (c) 2000-2001 Robert N. M. Watson. All rights reserved. * (c) UNIX System Laboratories, Inc. * All or some portions of this file are derived from material licensed * to the University of California by American Telephone and Telegraph 
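Review bot: `mac_partition_dominate`'s object-is-`MAC_PARTITION_TYPE_ALL` case says the MAC_READ bypass is implemented in `mac_partition_can()`, but `mac_partition_can` applies a single dominance test for every bit in `MAC_ALL` and contains no read bypass, so a partitioned subject is refused read access to an all-partitions object unless `suser_xxx` passes; either add the bypass or correct the comment so the two functions agree. `mac_partition_can` also never uses `sub_operation`, and it calls `mac_partition_dominate` before that function is defined, so a prototype must already be visible from a header the file includes (confirm). The warning `printf` in the `MAC_PARTITION_TYPE_ALL` subject branch lacks a trailing `\n` and fires on every call, which would flood the console if such a subject ever exists; a one-shot or rate-limited message is safer. Minor: `#endif /* !MAC */` closes `#ifdef MAC` and should read `/* MAC */`.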
@@ -46,12 +46,14 @@ #include "opt_compat.h" #include "opt_global.h" +#include "opt_mac.h" #include #include #include #include #include +#include #include #include #include @@ -1371,8 +1373,16 @@ if ((error = prison_check(u1, u2))) return (error); +<<<<<<< kern_prot.c +#ifdef MAC + if ((error = mac_cr_cansee(u1, u2))) + return (ESRCH); +#endif + if (!ps_showallprocs && u1->cr_ruid != u2->cr_ruid) { +======= if (!kern_security_seeotheruids_permitted && u1->cr_ruid != u2->cr_ruid) { +>>>>>>> 1.112 if (suser_xxx(u1, NULL, PRISON_ROOT) != 0) return (ESRCH); } @@ -1418,6 +1428,11 @@ if ((error = prison_check(p1->p_ucred, p2->p_ucred))) return (error); +#ifdef MAC + if ((error = mac_p_cansignal(p1->p_ucred, p2->p_ucred))) + return (error); +#endif + /* * UNIX signalling semantics require that processes in the same * session always be able to deliver SIGCONT to one another, @@ -1491,6 +1506,13 @@ return (0); if ((error = prison_check(p1->p_ucred, p2->p_ucred))) return (error); + +#ifdef MAC + error = mac_p_cansched(p1, p2); + if (error) + return (error); +#endif + if (p1->p_ucred->cr_ruid == p2->p_ucred->cr_ruid) return (0); if (p1->p_ucred->cr_uid == p2->p_ucred->cr_ruid) @@ -1545,6 +1567,12 @@ if ((error = prison_check(p1->p_ucred, p2->p_ucred))) return (error); + +#ifdef MAC + error = mac_p_candebug(p1, p2); + if (error) + return (error); +#endif /* * Not owned by you, has done setuid (unless you're root). Index: sys/kern/subr_mbuf.c =================================================================== RCS file: /home/ncvs/src/sys/kern/subr_mbuf.c,v retrieving revision 1.9 diff -u -r1.9 subr_mbuf.c --- sys/kern/subr_mbuf.c 2001/09/30 01:58:33 1.9 +++ sys/kern/subr_mbuf.c 2001/10/01 16:31:48 @@ -29,13 +29,17 @@ */ #include "opt_param.h" +#include "opt_mac.h" + #include #include +#include #include #include #include #include #include +#include #include #include #include 
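Review bot: The `@@ -1371` hunk adds unresolved CVS conflict markers (`<<<<<<< kern_prot.c`, `=======`, `>>>>>>> 1.112`) to cr_cansee, so kern_prot.c will not compile, and the two sides disagree on the sysctl variable (`ps_showallprocs` versus `kern_security_seeotheruids_permitted`). The resolution that keeps both changes is the MAC check followed by the 1.112 condition, as below. Mapping a `mac_cr_cansee` failure to `ESRCH` matches the existing `suser_xxx` path a few lines further down, which is the right choice because it does not reveal whether the target credential exists. The enclosing function begins outside the hunk.
```c
	if ((error = prison_check(u1, u2)))
		return (error);
#ifdef MAC
	if ((error = mac_cr_cansee(u1, u2)))
		return (ESRCH);
#endif
	if (!kern_security_seeotheruids_permitted && u1->cr_ruid != u2->cr_ruid) {
		/* … unchanged: suser_xxx(u1, NULL, PRISON_ROOT) check … */
```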
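Review bot: In the `@@ -1418` hunk `mac_p_cansignal` is passed credentials (`p1->p_ucred, p2->p_ucred`), while the `mac_p_cansched` and `mac_p_candebug` hooks added in the `@@ -1491` and `@@ -1545` hunks receive the `struct proc` pointers; with a shared `mac_p_` prefix that difference is easy to misread, so either name the credential-based hook `mac_cr_cansignal` (matching `mac_cr_cansee`) or pass the procs. The three hunks also alternate between the `if ((error = ...))` idiom used by the neighbouring `prison_check` calls and a two-statement `error = ...; if (error)` form; pick one within the file. Each enclosing function starts outside its hunk.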
@@ -933,6 +937,12 @@ } \ } while (0) +#ifdef MAC +#define MAC_GETHDR(m) mac_init_object(&((m)->m_pkthdr.label)) +#else +#define MAC_GETHDR(m) +#endif /* !MAC */ + #define _m_gethdr(m, how, type) do { \ (m) = (struct mbuf *)mb_alloc(&mb_list_mbuf, (how), (type)); \ if ((m) != NULL) { \ @@ -944,6 +954,7 @@ (m)->m_pkthdr.rcvif = NULL; \ (m)->m_pkthdr.csum_flags = 0; \ (m)->m_pkthdr.aux = NULL; \ + MAC_GETHDR(m); \ } \ } while (0) Index: sys/kern/subr_mchain.c =================================================================== RCS file: /home/ncvs/src/sys/kern/subr_mchain.c,v retrieving revision 1.2 diff -u -r1.2 subr_mchain.c --- sys/kern/subr_mchain.c 2001/02/25 06:33:50 1.2 +++ sys/kern/subr_mchain.c 2001/09/25 02:02:52 @@ -36,6 +36,7 @@ #include #include #include +#include #include #include #include Index: sys/kern/sys_socket.c =================================================================== RCS file: /home/ncvs/src/sys/kern/sys_socket.c,v retrieving revision 1.35 diff -u -r1.35 sys_socket.c --- sys/kern/sys_socket.c 2001/09/12 08:37:46 1.35 +++ sys/kern/sys_socket.c 2001/09/13 22:01:36 @@ -45,6 +45,7 @@ #include #include #include +#include #include #include Index: sys/kern/syscalls.c =================================================================== RCS file: /home/ncvs/src/sys/kern/syscalls.c,v retrieving revision 1.97 diff -u -r1.97 syscalls.c --- sys/kern/syscalls.c 2001/10/13 13:30:20 1.97 +++ sys/kern/syscalls.c 2001/10/16 01:28:36 @@ -2,7 +2,7 @@ * System call names. * * DO NOT EDIT-- this file is automatically generated. - * $FreeBSD: src/sys/kern/syscalls.c,v 1.97 2001/10/13 13:30:20 rwatson Exp $ + * $FreeBSD$ * created from FreeBSD: src/sys/kern/syscalls.master,v 1.99 2001/10/13 13:19:34 rwatson Exp */ 
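Review bot: `MAC_GETHDR(m)` initialises `m_pkthdr.label` only on the `_m_gethdr` allocation path; any code that builds a packet header by copying fields individually rather than assigning the whole `m_pkthdr` (an `M_COPY_PKTHDR`-style helper, if it is implemented field-wise — confirm) will leave the label stale or uninitialised, and for a security label that means a packet can carry a label no policy assigned. Worth auditing those paths in the same commit, or at least recording it next to the macro: `/* XXX: header-copy paths must also carry m_pkthdr.label */`. Minor: the `#else` arm expands to nothing, so `MAC_GETHDR(m);` becomes a bare `;` — harmless inside the `do { } while (0)`, but `do { } while (0)` as the empty expansion is the conventional form — and `#endif /* !MAC */` closes `#ifdef MAC`, so the comment should read `/* MAC */`.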
@@ -385,4 +385,10 @@
 "nfsclnt", /* 375 = nfsclnt */
 "eaccess", /* 376 = eaccess */
 "#377", /* 377 = afs_syscall */
+ "__mac_get_proc", /* 378 = __mac_get_proc */
+ "__mac_set_proc", /* 379 = __mac_set_proc */
+ "__mac_get_fd", /* 380 = __mac_get_fd */
+ "__mac_get_file", /* 381 = __mac_get_file */
+ "__mac_set_fd", /* 382 = __mac_set_fd */
+ "__mac_set_file", /* 383 = __mac_set_file */
 };
Index: sys/kern/syscalls.master
===================================================================
RCS file: /home/ncvs/src/sys/kern/syscalls.master,v
retrieving revision 1.99
diff -u -r1.99 syscalls.master
--- sys/kern/syscalls.master 2001/10/13 13:19:34 1.99
+++ sys/kern/syscalls.master 2001/10/16 01:17:48
@@ -546,3 +546,9 @@
 375 NOIMPL BSD { int nfsclnt(int flag, caddr_t argp); }
 376 STD BSD { int eaccess(char *path, int flags); }
 377 UNIMPL BSD afs_syscall
+378 STD BSD { int __mac_get_proc(struct mac *mac_p); }
+379 STD BSD { int __mac_set_proc(struct mac *mac_p); }
+380 STD BSD { int __mac_get_fd(int fd, struct mac *mac_p); }
+381 STD BSD { int __mac_get_file(const char *path_p, struct mac *mac_p); }
+382 STD BSD { int __mac_set_fd(int fd, struct mac *mac_p); }
+383 STD BSD { int __mac_set_file(const char *path_p, struct mac *mac_p); }
Index: sys/kern/uipc_accf.c
===================================================================
RCS file: /home/ncvs/src/sys/kern/uipc_accf.c,v
retrieving revision 1.6
diff -u -r1.6 uipc_accf.c
--- sys/kern/uipc_accf.c 2001/06/01 21:47:34 1.6
+++ sys/kern/uipc_accf.c 2001/09/24 18:21:46
@@ -34,6 +34,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
Index: sys/kern/uipc_domain.c
===================================================================
RCS file: /home/ncvs/src/sys/kern/uipc_domain.c,v
retrieving revision 1.24
diff -u -r1.24 uipc_domain.c
--- sys/kern/uipc_domain.c 2001/06/11 12:38:57 1.24
+++ sys/kern/uipc_domain.c 2001/09/24 18:22:16
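Review bot: The six new entries (378–383) are declared `STD` with no build-option conditional, so the syscall numbers and their kernel entry points exist in every kernel, including one built without `options MAC`; the implementations (not in this diff) must therefore be compiled unconditionally and return a defined error in that configuration, otherwise the generated dispatch table references missing symbols. For the setters, `__mac_set_proc`, `__mac_set_fd` and `__mac_set_file` only read the user-supplied label, so `const struct mac *mac_p` would document the data direction the same way `const char *path_p` already does for the path. The syscalls.c hunk above is generated from this file and needs no separate review.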
@@ -38,6 +38,7 @@ #include #include #include +#include #include #include #include Index: sys/kern/uipc_mbuf.c =================================================================== RCS file: /home/ncvs/src/sys/kern/uipc_mbuf.c,v retrieving revision 1.88 diff -u -r1.88 uipc_mbuf.c --- sys/kern/uipc_mbuf.c 2001/08/19 04:35:28 1.88 +++ sys/kern/uipc_mbuf.c 2001/09/24 18:22:30 @@ -39,6 +39,7 @@ #include #include #include +#include #include #include #include Index: sys/kern/uipc_mbuf2.c =================================================================== RCS file: /home/ncvs/src/sys/kern/uipc_mbuf2.c,v retrieving revision 1.9 diff -u -r1.9 uipc_mbuf2.c --- sys/kern/uipc_mbuf2.c 2001/06/11 21:17:59 1.9 +++ sys/kern/uipc_mbuf2.c 2001/09/24 18:23:01 @@ -71,6 +71,7 @@ #include #include #include +#include #include #include #include Index: sys/kern/uipc_socket.c =================================================================== RCS file: /home/ncvs/src/sys/kern/uipc_socket.c,v retrieving revision 1.103 diff -u -r1.103 uipc_socket.c --- sys/kern/uipc_socket.c 2001/10/11 23:38:15 1.103 +++ sys/kern/uipc_socket.c 2001/10/14 15:26:01 @@ -40,6 +40,7 @@ #include #include #include +#include #include #include #include Index: sys/kern/uipc_socket2.c =================================================================== RCS file: /home/ncvs/src/sys/kern/uipc_socket2.c,v retrieving revision 1.76 diff -u -r1.76 uipc_socket2.c --- sys/kern/uipc_socket2.c 2001/10/11 23:38:15 1.76 +++ sys/kern/uipc_socket2.c 2001/10/14 15:26:01 @@ -42,6 +42,7 @@ #include #include #include +#include #include #include #include Index: sys/kern/uipc_usrreq.c =================================================================== RCS file: /home/ncvs/src/sys/kern/uipc_usrreq.c,v retrieving revision 1.74 diff -u -r1.74 uipc_usrreq.c --- sys/kern/uipc_usrreq.c 2001/10/09 21:40:30 1.74 +++ sys/kern/uipc_usrreq.c 2001/10/11 14:39:00 
@@ -44,6 +44,7 @@ #include /* XXX must be before */ #include #include +#include #include #include #include Index: sys/kern/vfs_export.c =================================================================== RCS file: /home/ncvs/src/sys/kern/vfs_export.c,v retrieving revision 1.312 diff -u -r1.312 vfs_export.c --- sys/kern/vfs_export.c 2001/09/10 11:28:05 1.312 +++ sys/kern/vfs_export.c 2001/09/24 18:24:57 @@ -43,6 +43,7 @@ #include #include #include +#include #include #include #include Index: sys/kern/vnode_if.src =================================================================== RCS file: /home/ncvs/src/sys/kern/vnode_if.src,v retrieving revision 1.43 diff -u -r1.43 vnode_if.src --- sys/kern/vnode_if.src 2001/09/12 08:37:47 1.43 +++ sys/kern/vnode_if.src 2001/09/24 18:17:12 @@ -551,3 +551,23 @@ IN struct vnode *vp; OUT struct vm_object **objpp; }; + +# +#% getlabel vp L L L +# +vop_getlabel { + IN struct vnode *vp; + OUT struct mac *label; + IN struct ucred *cred; + IN struct thread *td; +}; + +# +#% setlabel vp L L L +# +vop_setlabel { + IN struct vnode *vp; + IN struct mac *label; + IN struct ucred *cred; + IN struct thread *td; +}; Index: sys/modules/if_stf/Makefile =================================================================== RCS file: /home/ncvs/src/sys/modules/if_stf/Makefile,v retrieving revision 1.1 diff -u -r1.1 Makefile --- sys/modules/if_stf/Makefile 2001/07/02 21:01:56 1.1 +++ sys/modules/if_stf/Makefile 2001/09/25 00:27:42 @@ -3,7 +3,7 @@ .PATH: ${.CURDIR}/../../net KMOD= if_stf -SRCS= if_stf.c opt_inet.h opt_inet6.h +SRCS= if_stf.c opt_inet.h opt_inet6.h opt_mac.h NOMAN= opt_inet.h: Index: sys/modules/oltr/Makefile =================================================================== RCS file: /home/ncvs/src/sys/modules/oltr/Makefile,v retrieving revision 1.1 diff -u -r1.1 Makefile --- sys/modules/oltr/Makefile 2001/06/14 15:16:04 1.1 +++ sys/modules/oltr/Makefile 2001/09/24 23:33:40 
@@ -3,7 +3,8 @@ .PATH: ${.CURDIR}/../../contrib/dev/oltr ${.CURDIR}/../../net KMOD = if_oltr SRCS = if_oltr.c trlldbm.c trlldhm.c trlldmac.c if_iso88025subr.c \ - opt_inet.h opt_inet6.h opt_ipx.h device_if.h bus_if.h pci_if.h + opt_inet.h opt_inet6.h opt_ipx.h device_if.h bus_if.h pci_if.h \ + opt_mac.h OBJS+= trlld.o NOMAN= Index: sys/modules/procfs/Makefile =================================================================== RCS file: /home/ncvs/src/sys/modules/procfs/Makefile,v retrieving revision 1.23 diff -u -r1.23 Makefile --- sys/modules/procfs/Makefile 2001/05/23 09:42:27 1.23 +++ sys/modules/procfs/Makefile 2001/09/24 22:59:50 @@ -16,7 +16,8 @@ procfs_subr.c \ procfs_type.c \ procfs_vfsops.c \ - procfs_vnops.c + procfs_vnops.c \ + opt_mac.h NOMAN= .include Index: sys/modules/sppp/Makefile =================================================================== RCS file: /home/ncvs/src/sys/modules/sppp/Makefile,v retrieving revision 1.2 diff -u -r1.2 Makefile --- sys/modules/sppp/Makefile 2001/01/06 14:00:22 1.2 +++ sys/modules/sppp/Makefile 2001/09/24 23:15:41 @@ -4,7 +4,7 @@ KMOD= sppp SRCS= if_spppsubr.c -SRCS+= opt_inet.h opt_inet6.h opt_ipx.h +SRCS+= opt_inet.h opt_inet6.h opt_ipx.h opt_mac.h NOMAN= opt_inet.h: Index: sys/net/bpf.c =================================================================== RCS file: /home/ncvs/src/sys/net/bpf.c,v retrieving revision 1.83 diff -u -r1.83 bpf.c --- sys/net/bpf.c 2001/10/10 20:43:50 1.83 +++ sys/net/bpf.c 2001/10/11 14:39:47 @@ -46,6 +46,7 @@ #include #include #include +#include #include #include #include Index: sys/net/bpf_filter.c =================================================================== RCS file: /home/ncvs/src/sys/net/bpf_filter.c,v retrieving revision 1.18 diff -u -r1.18 bpf_filter.c --- sys/net/bpf_filter.c 2001/10/05 19:04:23 1.18 +++ sys/net/bpf_filter.c 2001/10/08 02:05:19 
@@ -66,6 +66,7 @@ #endif #ifdef _KERNEL +#include #include #endif #include Index: sys/net/bridge.c =================================================================== RCS file: /home/ncvs/src/sys/net/bridge.c,v retrieving revision 1.40 diff -u -r1.40 bridge.c --- sys/net/bridge.c 2001/10/12 18:04:44 1.40 +++ sys/net/bridge.c 2001/10/14 15:26:49 @@ -70,6 +70,7 @@ */ #include +#include #include #include #include Index: sys/net/bsd_comp.c =================================================================== RCS file: /home/ncvs/src/sys/net/bsd_comp.c,v retrieving revision 1.13 diff -u -r1.13 bsd_comp.c --- sys/net/bsd_comp.c 2001/05/01 08:13:11 1.13 +++ sys/net/bsd_comp.c 2001/09/24 19:27:09 @@ -46,6 +46,7 @@ #include #include #include +#include #include #include #include Index: sys/net/if.c =================================================================== RCS file: /home/ncvs/src/sys/net/if.c,v retrieving revision 1.121 diff -u -r1.121 if.c --- sys/net/if.c 2001/10/14 20:17:52 1.121 +++ sys/net/if.c 2001/10/16 01:03:08 @@ -37,9 +37,11 @@ #include "opt_compat.h" #include "opt_inet6.h" #include "opt_inet.h" +#include "opt_mac.h" #include #include +#include #include #include #include @@ -381,9 +383,19 @@ TAILQ_INIT(&ifp->if_multiaddrs); SLIST_INIT(&ifp->if_klist); getmicrotime(&ifp->if_lastchange); +<<<<<<< if.c + +#ifdef MAC + mac_init_object(&ifp->if_label_default); + mac_init_object(&ifp->if_label_lower); + mac_init_object(&ifp->if_label_upper); +#endif + +======= ifp->if_index = if_findindex(ifp); if (ifp->if_index >= if_index) if_index = ifp->if_index + 1; +>>>>>>> 1.119 if (if_index >= if_indexlim) if_grow(); Index: sys/net/if_atmsubr.c =================================================================== RCS file: /home/ncvs/src/sys/net/if_atmsubr.c,v retrieving revision 1.16 diff -u -r1.16 if_atmsubr.c --- sys/net/if_atmsubr.c 2001/06/15 07:32:25 1.16 +++ sys/net/if_atmsubr.c 2001/09/24 19:27:25 
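Review bot: The `@@ -381` hunk of if.c adds unresolved CVS conflict markers (`<<<<<<< if.c`, `=======`, `>>>>>>> 1.119`) into if_attach, so the file will not compile; the two sides are independent — the MAC side initialises the three interface labels and the 1.119 side assigns `if_index` — and both must survive. The resolved sequence below keeps the label initialisation with the other per-interface setup and ahead of the index assignment, so `if_label_default`, which the input paths in this diff copy into every received packet, is never left uninitialised on an attached interface. The enclosing function starts outside the hunk.
```c
	getmicrotime(&ifp->if_lastchange);
#ifdef MAC
	mac_init_object(&ifp->if_label_default);
	mac_init_object(&ifp->if_label_lower);
	mac_init_object(&ifp->if_label_upper);
#endif
	ifp->if_index = if_findindex(ifp);
	if (ifp->if_index >= if_index)
		if_index = ifp->if_index + 1;
	/* … unchanged: if_grow() check … */
```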
@@ -40,10 +40,12 @@ #include "opt_inet.h" #include "opt_inet6.h" +#include "opt_mac.h" #include "opt_natm.h" #include #include +#include #include #include #include @@ -233,6 +235,14 @@ return; } ifp->if_ibytes += m->m_pkthdr.len; + +#ifdef MAC + /* + * XXX: Label all ATM packets with the interface default label here. + * Can be relabeled later in the protocol stack if desired. + */ + m->m_label = ifp->if_label_default; +#endif if (rxhand) { #ifdef NATM Index: sys/net/if_disc.c =================================================================== RCS file: /home/ncvs/src/sys/net/if_disc.c,v retrieving revision 1.28 diff -u -r1.28 if_disc.c --- sys/net/if_disc.c 2001/06/16 10:47:34 1.28 +++ sys/net/if_disc.c 2001/09/24 19:11:10 @@ -42,6 +42,7 @@ #include #include #include +#include #include #include #include Index: sys/net/if_ef.c =================================================================== RCS file: /home/ncvs/src/sys/net/if_ef.c,v retrieving revision 1.15 diff -u -r1.15 if_ef.c --- sys/net/if_ef.c 2001/09/06 02:40:28 1.15 +++ sys/net/if_ef.c 2001/09/24 19:24:34 @@ -33,6 +33,7 @@ #include #include #include +#include #include #include #include Index: sys/net/if_ethersubr.c =================================================================== RCS file: /home/ncvs/src/sys/net/if_ethersubr.c,v retrieving revision 1.100 diff -u -r1.100 if_ethersubr.c --- sys/net/if_ethersubr.c 2001/10/14 20:17:52 1.100 +++ sys/net/if_ethersubr.c 2001/10/16 01:03:08 @@ -39,11 +39,13 @@ #include "opt_inet6.h" #include "opt_ipx.h" #include "opt_bdg.h" +#include "opt_mac.h" #include "opt_netgraph.h" #include #include #include +#include #include #include #include 
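Review bot: The `@@ -233` hunk writes the interface label to `m->m_label`, but subr_mbuf.c in this same diff initialises the per-packet label as `m_pkthdr.label` (via `MAC_GETHDR`) and the if_ethersubr.c and if_gif.c hunks assign `m->m_pkthdr.label`; unless `struct mbuf` also gained an `m_label` member elsewhere in the diff (not visible here), these assignments will not compile, and if it did exist the label would live in two different places depending on the link layer. The same `m->m_label` form appears in the if_fddisubr.c, if_iso88025subr.c, if_spppsubr.c and if_stf.c hunks below; use `m->m_pkthdr.label = ifp->if_label_default;` in all of them. The comments in those hunks also say "ethernet packets" although they label ATM, FDDI, token-ring, PPP and 6to4 frames; "received packets" is accurate. The enclosing functions start outside their hunks.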
@@ -147,6 +149,17 @@ int hlen; /* link layer header lenght */ struct arpcom *ac = IFP2AC(ifp); +/* + * XXX MAC output check here. + */ +#ifdef MAC +/* + error = mac_ether_output_check(ifp, m); + if (error) + senderr(error); +*/ +#endif /* !MAC */ + if ((ifp->if_flags & (IFF_UP|IFF_RUNNING)) != (IFF_UP|IFF_RUNNING)) senderr(ENETDOWN); rt = rt0; @@ -409,6 +422,15 @@ struct mbuf *m; { struct ether_header save_eh; + +#ifdef MAC + /* + * XXX: Label all ethernet packets with the interface default + * label here. Can be relabeled later in the protocol stack if + * desired. + */ + m->m_pkthdr.label = ifp->if_label_default; +#endif /* Check for a BPF tap */ if (ifp->if_bpf != NULL) { Index: sys/net/if_faith.c =================================================================== RCS file: /home/ncvs/src/sys/net/if_faith.c,v retrieving revision 1.7 diff -u -r1.7 if_faith.c --- sys/net/if_faith.c 2001/09/25 18:40:51 1.7 +++ sys/net/if_faith.c 2001/09/26 15:36:39 @@ -49,6 +49,7 @@ #include #include #include +#include #include #include #include Index: sys/net/if_fddisubr.c =================================================================== RCS file: /home/ncvs/src/sys/net/if_fddisubr.c,v retrieving revision 1.53 diff -u -r1.53 if_fddisubr.c --- sys/net/if_fddisubr.c 2001/10/14 20:17:52 1.53 +++ sys/net/if_fddisubr.c 2001/10/16 01:03:09 @@ -40,9 +40,11 @@ #include "opt_inet.h" #include "opt_inet6.h" #include "opt_ipx.h" +#include "opt_mac.h" #include #include +#include #include #include #include 
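Review bot: The `@@ -147` hunk's `#ifdef MAC` block contains only a commented-out call to `mac_ether_output_check`, so it compiles to nothing: the `@@ -409` hunk labels every received frame, but nothing in this diff checks a label on send, and the `if_label_lower`/`if_label_upper` bounds added to `struct ifnet` are not consulted by this hook. Until the check exists, a one-line `/* XXX: MAC output check (mac_ether_output_check) not yet implemented. */` is clearer than dead code behind a live `#ifdef`, and it also removes the column-0 placement inside the function body and the reference to an `error` variable that may not be declared in ether_output (confirm). The enclosing functions start outside their hunks.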
@@ -377,6 +379,16 @@ m_freem(m); return; } + +#ifdef MAC + /* + * XXX: Label all ethernet packets with the interface default + * label here. Can be relabeled later in the protocol stack if + * desired. + */ + m->m_label = ifp->if_label_default; +#endif + getmicrotime(&ifp->if_lastchange); ifp->if_ibytes += m->m_pkthdr.len + sizeof (*fh); if (fh->fddi_dhost[0] & 1) { Index: sys/net/if_gif.c =================================================================== RCS file: /home/ncvs/src/sys/net/if_gif.c,v retrieving revision 1.16 diff -u -r1.16 if_gif.c --- sys/net/if_gif.c 2001/09/27 03:14:16 1.16 +++ sys/net/if_gif.c 2001/10/01 16:32:39 @@ -36,6 +36,7 @@ #include #include #include +#include #include #include #include @@ -452,6 +453,13 @@ } m->m_pkthdr.rcvif = gifp; + + /* + * XXX: Label all ethernet packets with the interface default + * label here. Can be relabeled later in the protocol stack if + * desired. + */ + m->m_pkthdr.label = gifp->if_label_default; if (gifp->if_bpf) { /* Index: sys/net/if_iso88025subr.c =================================================================== RCS file: /home/ncvs/src/sys/net/if_iso88025subr.c,v retrieving revision 1.19 diff -u -r1.19 if_iso88025subr.c --- sys/net/if_iso88025subr.c 2001/10/14 20:17:52 1.19 +++ sys/net/if_iso88025subr.c 2001/10/16 01:03:10 @@ -43,9 +43,11 @@ #include "opt_inet.h" #include "opt_inet6.h" #include "opt_ipx.h" +#include "opt_mac.h" #include #include +#include #include #include #include 
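Review bot: In the `@@ -452` hunk of if_gif.c the assignment `m->m_pkthdr.label = gifp->if_label_default;` is not wrapped in `#ifdef MAC`, unlike every other input-path label assignment in this diff, and the `@@ -36` hunk of the same file does not add `#include "opt_mac.h"`; unless the label member exists unconditionally, a kernel built without `options MAC` fails to compile here. Wrap it as `#ifdef MAC` / `m->m_pkthdr.label = gifp->if_label_default;` / `#endif` and add the option header. The comment copied from the Ethernet driver says "ethernet packets", but gif carries encapsulated IP, so "received packets" is accurate. The enclosing function starts outside the hunk.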
@@ -421,6 +423,15 @@ m_freem(m); return; } + +#ifdef MAC + /* + * XXX: Label all ethernet packets with the interface default + * label here. Can be relabeled later in the protocol stack if + * desired. + */ + m->m_label = ifp->if_label_default; +#endif getmicrotime(&ifp->if_lastchange); ifp->if_ibytes += m->m_pkthdr.len + sizeof(*th); Index: sys/net/if_loop.c =================================================================== RCS file: /home/ncvs/src/sys/net/if_loop.c,v retrieving revision 1.63 diff -u -r1.63 if_loop.c --- sys/net/if_loop.c 2001/10/05 19:04:23 1.63 +++ sys/net/if_loop.c 2001/10/08 02:05:21 @@ -46,6 +46,7 @@ #include #include #include +#include #include #include #include Index: sys/net/if_ppp.c =================================================================== RCS file: /home/ncvs/src/sys/net/if_ppp.c,v retrieving revision 1.72 diff -u -r1.72 if_ppp.c --- sys/net/if_ppp.c 2001/09/12 08:37:51 1.72 +++ sys/net/if_ppp.c 2001/09/24 19:26:44 @@ -87,6 +87,7 @@ #include #include #include +#include #include #include #include Index: sys/net/if_sl.c =================================================================== RCS file: /home/ncvs/src/sys/net/if_sl.c,v retrieving revision 1.96 diff -u -r1.96 if_sl.c --- sys/net/if_sl.c 2001/09/12 08:37:51 1.96 +++ sys/net/if_sl.c 2001/09/24 18:28:25 @@ -70,6 +70,7 @@ #include #include +#include #include #include #include Index: sys/net/if_spppsubr.c =================================================================== RCS file: /home/ncvs/src/sys/net/if_spppsubr.c,v retrieving revision 1.73 diff -u -r1.73 if_spppsubr.c --- sys/net/if_spppsubr.c 2001/10/01 18:14:49 1.73 +++ sys/net/if_spppsubr.c 2001/10/02 18:22:56 @@ -26,6 +26,7 @@ #include "opt_inet.h" #include "opt_inet6.h" #include "opt_ipx.h" +#include "opt_mac.h" #endif #ifdef NetBSD1_3 @@ -45,6 +46,7 @@ #if defined(__FreeBSD__) && __FreeBSD__ >= 3 #include #endif +#include #include #include 
@@ -518,6 +520,15 @@
 m_freem (m);
 return;
 }
+
+#ifdef MAC
+ /*
+ * XXX: Label all ethernet packets with the interface default
+ * label here. Can be relabeled later in the protocol stack if
+ * desired.
+ */
+ m->m_label = ifp->if_label_default;
+#endif
 /* Get PPP header. */
 h = mtod (m, struct ppp_header*);
Index: sys/net/if_stf.c
===================================================================
RCS file: /home/ncvs/src/sys/net/if_stf.c,v
retrieving revision 1.13
diff -u -r1.13 if_stf.c
--- sys/net/if_stf.c 2001/09/29 05:02:36 1.13
+++ sys/net/if_stf.c 2001/10/01 16:32:40
@@ -76,11 +76,13 @@
 #include "opt_inet.h"
 #include "opt_inet6.h"
+#include "opt_mac.h"
 #include
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -613,6 +615,15 @@
 m_freem(m);
 return;
 }
+
+#ifdef MAC
+ /*
+ * XXX: Label all ethernet packets with the interface default
+ * label here. Can be relabeled later in the protocol stack if
+ * desired.
+ */
+ m->m_label = ifp->if_label_default;
+#endif /* !MAC */
 ip = mtod(m, struct ip *);
Index: sys/net/if_tap.c
===================================================================
RCS file: /home/ncvs/src/sys/net/if_tap.c,v
retrieving revision 1.11
diff -u -r1.11 if_tap.c
--- sys/net/if_tap.c 2001/09/21 22:46:54 1.11
+++ sys/net/if_tap.c 2001/09/24 19:28:47
@@ -42,6 +42,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
Index: sys/net/if_tun.c
===================================================================
RCS file: /home/ncvs/src/sys/net/if_tun.c,v
retrieving revision 1.100
diff -u -r1.100 if_tun.c
--- sys/net/if_tun.c 2001/09/21 22:46:54 1.100
+++ sys/net/if_tun.c 2001/09/24 19:29:01
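Review bot: In the if_stf.c hunk the closing `#endif /* !MAC */` contradicts the `#ifdef MAC` it pairs with; it should read `#endif /* MAC */`, as the other labeling sites in this patch do, so that a reader scanning for the negated block is not misled. The enclosing function starts outside the hunk.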
@@ -21,6 +21,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
Index: sys/net/if_var.h
===================================================================
RCS file: /home/ncvs/src/sys/net/if_var.h,v
retrieving revision 1.39
diff -u -r1.39 if_var.h
--- sys/net/if_var.h 2001/10/14 20:17:52 1.39
+++ sys/net/if_var.h 2001/10/16 01:21:03
@@ -73,6 +73,7 @@
 struct ether_header;
 #endif
+#include /* struct mac */
 #include /* get TAILQ macros */
 #ifdef _KERNEL
@@ -159,6 +160,9 @@
 struct ifqueue *if_poll_slowq; /* input queue for slow devices */
 struct ifprefixhead if_prefixhead; /* list of prefixes per if */
 u_int8_t *if_broadcastaddr; /* linklevel broadcast bytestring */
+ struct mac if_label_default; /* default label for incoming packets */
+ struct mac if_label_lower; /* lower bound for send/recv */
+ struct mac if_label_upper; /* upper bound for send/recv */
 };
 typedef void if_init_f_t __P((void *));
Index: sys/net/if_vlan.c
===================================================================
RCS file: /home/ncvs/src/sys/net/if_vlan.c,v
retrieving revision 1.35
diff -u -r1.35 if_vlan.c
--- sys/net/if_vlan.c 2001/10/15 19:21:01 1.35
+++ sys/net/if_vlan.c 2001/10/16 01:03:11
@@ -58,6 +58,7 @@
 #include
 #include
+#include
 #include
 #include
 #include
Index: sys/net/intrq.c
===================================================================
RCS file: /home/ncvs/src/sys/net/intrq.c,v
retrieving revision 1.6
diff -u -r1.6 intrq.c
--- sys/net/intrq.c 2001/02/18 17:54:52 1.6
+++ sys/net/intrq.c 2001/09/24 18:29:36
@@ -27,6 +27,7 @@
 */
 #include
+#include
 #include
 #include
 #include
Index: sys/net/net_osdep.c
===================================================================
RCS file: /home/ncvs/src/sys/net/net_osdep.c,v
retrieving revision 1.5
diff -u -r1.5 net_osdep.c
--- sys/net/net_osdep.c 2001/07/26 19:14:52 1.5
+++ sys/net/net_osdep.c 2001/09/24 18:29:54
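Review bot: The three `struct mac` members added to `struct ifnet` in the if_var.h hunk are unconditional, while every consumer of `if_label_default` in this patch sits under `#ifdef MAC`, so kernels built without MAC still carry the layout change and must keep the fields initialized; either guard the fields the same way or add a comment saying why they are always present. Nothing visible in this patch initializes `if_label_default`, yet the input paths copy it into every received packet, so if interface attach does not set it the packets inherit whatever the allocator left in the softc; a note such as `/* must be set before the interface is marked up; copied into every received mbuf */` next to the field, or a pointer to the actual initialization site, would make that contract explicit. `if_label_lower` and `if_label_upper` are described as send/recv bounds, but no hunk here reads them, so presumably enforcement lands in a later change and the comments should say so.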
@@ -33,6 +33,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
Index: sys/net/ppp_deflate.c
===================================================================
RCS file: /home/ncvs/src/sys/net/ppp_deflate.c,v
retrieving revision 1.14
diff -u -r1.14 ppp_deflate.c
--- sys/net/ppp_deflate.c 2001/05/01 08:13:11 1.14
+++ sys/net/ppp_deflate.c 2001/09/24 19:29:26
@@ -32,6 +32,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
Index: sys/net/ppp_tty.c
===================================================================
RCS file: /home/ncvs/src/sys/net/ppp_tty.c,v
retrieving revision 1.47
diff -u -r1.47 ppp_tty.c
--- sys/net/ppp_tty.c 2001/09/12 08:37:51 1.47
+++ sys/net/ppp_tty.c 2001/09/24 19:29:33
@@ -79,6 +79,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
Index: sys/net/raw_usrreq.c
===================================================================
RCS file: /home/ncvs/src/sys/net/raw_usrreq.c,v
retrieving revision 1.20
diff -u -r1.20 raw_usrreq.c
--- sys/net/raw_usrreq.c 2001/09/12 08:37:51 1.20
+++ sys/net/raw_usrreq.c 2001/09/24 18:30:14
@@ -36,6 +36,7 @@
 #include
 #include
+#include
 #include
 #include
 #include
Index: sys/net/route.c
===================================================================
RCS file: /home/ncvs/src/sys/net/route.c,v
retrieving revision 1.65
diff -u -r1.65 route.c
--- sys/net/route.c 2001/10/15 09:46:48 1.65
+++ sys/net/route.c 2001/10/16 01:03:12
@@ -39,6 +39,7 @@
 #include
 #include
+#include
 #include
 #include
 #include
Index: sys/net/rtsock.c
===================================================================
RCS file: /home/ncvs/src/sys/net/rtsock.c,v
retrieving revision 1.59
diff -u -r1.59 rtsock.c
--- sys/net/rtsock.c 2001/09/29 05:08:04 1.59
+++ sys/net/rtsock.c 2001/10/01 16:32:41
@@ -40,6 +40,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
Index: sys/net/slcompress.c
===================================================================
RCS file: /home/ncvs/src/sys/net/slcompress.c,v
retrieving revision 1.16
diff -u -r1.16 slcompress.c
--- sys/net/slcompress.c 1999/12/29 04:38:37 1.16
+++ sys/net/slcompress.c 2001/09/24 18:33:16
@@ -44,6 +44,7 @@
 */
 #include
+#include
 #include
 #include
Index: sys/netgraph/ng_UI.c
===================================================================
RCS file: /home/ncvs/src/sys/netgraph/ng_UI.c,v
retrieving revision 1.14
diff -u -r1.14 ng_UI.c
--- sys/netgraph/ng_UI.c 2001/01/08 05:34:05 1.14
+++ sys/netgraph/ng_UI.c 2001/09/25 12:21:33
@@ -44,6 +44,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
Index: sys/netgraph/ng_async.c
===================================================================
RCS file: /home/ncvs/src/sys/netgraph/ng_async.c,v
retrieving revision 1.16
diff -u -r1.16 ng_async.c
--- sys/netgraph/ng_async.c 2001/01/10 07:13:58 1.16
+++ sys/netgraph/ng_async.c 2001/09/25 12:21:35
@@ -48,6 +48,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
Index: sys/netgraph/ng_base.c
===================================================================
RCS file: /home/ncvs/src/sys/netgraph/ng_base.c,v
retrieving revision 1.57
diff -u -r1.57 ng_base.c
--- sys/netgraph/ng_base.c 2001/08/21 13:20:02 1.57
+++ sys/netgraph/ng_base.c 2001/09/25 12:21:38
@@ -53,6 +53,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
Index: sys/netgraph/ng_bpf.c
===================================================================
RCS file: /home/ncvs/src/sys/netgraph/ng_bpf.c,v
retrieving revision 1.14
diff -u -r1.14 ng_bpf.c
--- sys/netgraph/ng_bpf.c 2001/01/30 07:58:30 1.14
+++ sys/netgraph/ng_bpf.c 2001/09/25 12:21:40
@@ -57,6 +57,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
Index: sys/netgraph/ng_bridge.c
===================================================================
RCS file: /home/ncvs/src/sys/netgraph/ng_bridge.c,v
retrieving revision 1.10
diff -u -r1.10 ng_bridge.c
--- sys/netgraph/ng_bridge.c 2001/01/10 07:13:58 1.10
+++ sys/netgraph/ng_bridge.c 2001/09/25 12:21:43
@@ -60,6 +60,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
Index: sys/netgraph/ng_cisco.c
===================================================================
RCS file: /home/ncvs/src/sys/netgraph/ng_cisco.c,v
retrieving revision 1.15
diff -u -r1.15 ng_cisco.c
--- sys/netgraph/ng_cisco.c 2001/06/15 07:35:25 1.15
+++ sys/netgraph/ng_cisco.c 2001/09/25 12:21:47
@@ -45,6 +45,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
Index: sys/netgraph/ng_echo.c
===================================================================
RCS file: /home/ncvs/src/sys/netgraph/ng_echo.c,v
retrieving revision 1.10
diff -u -r1.10 ng_echo.c
--- sys/netgraph/ng_echo.c 2001/01/08 05:34:06 1.10
+++ sys/netgraph/ng_echo.c 2001/09/25 12:21:49
@@ -49,6 +49,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
Index: sys/netgraph/ng_eiface.c
===================================================================
RCS file: /home/ncvs/src/sys/netgraph/ng_eiface.c,v
retrieving revision 1.3
diff -u -r1.3 ng_eiface.c
--- sys/netgraph/ng_eiface.c 2001/02/26 09:31:54 1.3
+++ sys/netgraph/ng_eiface.c 2001/09/25 12:21:52
@@ -33,6 +33,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
Index: sys/netgraph/ng_ether.c
===================================================================
RCS file: /home/ncvs/src/sys/netgraph/ng_ether.c,v
retrieving revision 1.20
diff -u -r1.20 ng_ether.c
--- sys/netgraph/ng_ether.c 2001/09/12 08:37:53 1.20
+++ sys/netgraph/ng_ether.c 2001/09/25 12:21:55
@@ -47,6 +47,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
Index: sys/netgraph/ng_frame_relay.c
===================================================================
RCS file: /home/ncvs/src/sys/netgraph/ng_frame_relay.c,v
retrieving revision 1.18
diff -u -r1.18 ng_frame_relay.c
--- sys/netgraph/ng_frame_relay.c 2001/01/08 05:34:06 1.18
+++ sys/netgraph/ng_frame_relay.c 2001/09/25 12:21:57
@@ -53,6 +53,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
Index: sys/netgraph/ng_gif.c
===================================================================
RCS file: /home/ncvs/src/sys/netgraph/ng_gif.c,v
retrieving revision 1.4
diff -u -r1.4 ng_gif.c
--- sys/netgraph/ng_gif.c 2001/09/28 00:02:50 1.4
+++ sys/netgraph/ng_gif.c 2001/10/03 03:29:16
@@ -70,6 +70,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
Index: sys/netgraph/ng_gif_demux.c
===================================================================
RCS file: /home/ncvs/src/sys/netgraph/ng_gif_demux.c,v
retrieving revision 1.3
diff -u -r1.3 ng_gif_demux.c
--- sys/netgraph/ng_gif_demux.c 2001/09/27 03:14:16 1.3
+++ sys/netgraph/ng_gif_demux.c 2001/10/03 03:46:30
@@ -77,6 +77,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
Index: sys/netgraph/ng_hole.c
===================================================================
RCS file: /home/ncvs/src/sys/netgraph/ng_hole.c,v
retrieving revision 1.10
diff -u -r1.10 ng_hole.c
--- sys/netgraph/ng_hole.c 2001/01/08 05:34:06 1.10
+++ sys/netgraph/ng_hole.c 2001/09/25 12:22:00
@@ -47,6 +47,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
Index: sys/netgraph/ng_iface.c
===================================================================
RCS file: /home/ncvs/src/sys/netgraph/ng_iface.c,v
retrieving revision 1.18
diff -u -r1.18 ng_iface.c
--- sys/netgraph/ng_iface.c 2001/01/10 07:13:58 1.18
+++ sys/netgraph/ng_iface.c 2001/09/25 12:22:02
@@ -55,6 +55,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
Index: sys/netgraph/ng_ip_input.c
===================================================================
RCS file: /home/ncvs/src/sys/netgraph/ng_ip_input.c,v
retrieving revision 1.1
diff -u -r1.1 ng_ip_input.c
--- sys/netgraph/ng_ip_input.c 2001/09/27 21:54:27 1.1
+++ sys/netgraph/ng_ip_input.c 2001/10/03 04:06:35
@@ -72,6 +72,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
Index: sys/netgraph/ng_ksocket.c
===================================================================
RCS file: /home/ncvs/src/sys/netgraph/ng_ksocket.c,v
retrieving revision 1.22
diff -u -r1.22 ng_ksocket.c
--- sys/netgraph/ng_ksocket.c 2001/10/10 19:51:13 1.22
+++ sys/netgraph/ng_ksocket.c 2001/10/11 14:39:55
@@ -48,6 +48,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
Index: sys/netgraph/ng_lmi.c
===================================================================
RCS file: /home/ncvs/src/sys/netgraph/ng_lmi.c,v
retrieving revision 1.14
diff -u -r1.14 ng_lmi.c
--- sys/netgraph/ng_lmi.c 2001/01/10 07:13:58 1.14
+++ sys/netgraph/ng_lmi.c 2001/09/25 12:22:08
@@ -56,6 +56,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
Index: sys/netgraph/ng_mppc.c
===================================================================
RCS file: /home/ncvs/src/sys/netgraph/ng_mppc.c,v
retrieving revision 1.14
diff -u -r1.14 ng_mppc.c
--- sys/netgraph/ng_mppc.c 2001/09/12 08:37:53 1.14
+++ sys/netgraph/ng_mppc.c 2001/09/25 12:22:10
@@ -50,6 +50,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
Index: sys/netgraph/ng_one2many.c
===================================================================
RCS file: /home/ncvs/src/sys/netgraph/ng_one2many.c,v
retrieving revision 1.7
diff -u -r1.7 ng_one2many.c
--- sys/netgraph/ng_one2many.c 2001/01/30 20:51:52 1.7
+++ sys/netgraph/ng_one2many.c 2001/09/25 12:22:13
@@ -52,6 +52,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
Index: sys/netgraph/ng_ppp.c
===================================================================
RCS file: /home/ncvs/src/sys/netgraph/ng_ppp.c,v
retrieving revision 1.34
diff -u -r1.34 ng_ppp.c
--- sys/netgraph/ng_ppp.c 2001/01/10 07:13:58 1.34
+++ sys/netgraph/ng_ppp.c 2001/09/25 12:22:20
@@ -48,6 +48,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
Index: sys/netgraph/ng_pppoe.c
===================================================================
RCS file: /home/ncvs/src/sys/netgraph/ng_pppoe.c,v
retrieving revision 1.47
diff -u -r1.47 ng_pppoe.c
--- sys/netgraph/ng_pppoe.c 2001/09/04 06:29:35 1.47
+++ sys/netgraph/ng_pppoe.c 2001/09/25 12:22:22
@@ -50,6 +50,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
Index: sys/netgraph/ng_pptpgre.c
===================================================================
RCS file: /home/ncvs/src/sys/netgraph/ng_pptpgre.c,v
retrieving revision 1.21
diff -u -r1.21 ng_pptpgre.c
--- sys/netgraph/ng_pptpgre.c 2001/04/11 22:04:47 1.21
+++ sys/netgraph/ng_pptpgre.c 2001/09/25 12:22:24
@@ -57,6 +57,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
Index: sys/netgraph/ng_rfc1490.c
===================================================================
RCS file: /home/ncvs/src/sys/netgraph/ng_rfc1490.c,v
retrieving revision 1.15
diff -u -r1.15 ng_rfc1490.c
--- sys/netgraph/ng_rfc1490.c 2001/01/09 00:49:31 1.15
+++ sys/netgraph/ng_rfc1490.c 2001/09/25 12:22:27
@@ -50,6 +50,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
Index: sys/netgraph/ng_sample.c
===================================================================
RCS file: /home/ncvs/src/sys/netgraph/ng_sample.c,v
retrieving revision 1.19
diff -u -r1.19 ng_sample.c
--- sys/netgraph/ng_sample.c 2001/02/25 05:36:25 1.19
+++ sys/netgraph/ng_sample.c 2001/09/25 12:22:30
@@ -43,6 +43,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
Index: sys/netgraph/ng_socket.c
===================================================================
RCS file: /home/ncvs/src/sys/netgraph/ng_socket.c,v
retrieving revision 1.29
diff -u -r1.29 ng_socket.c
--- sys/netgraph/ng_socket.c 2001/10/10 19:58:11 1.29
+++ sys/netgraph/ng_socket.c 2001/10/11 14:39:56
@@ -56,6 +56,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
Index: sys/netgraph/ng_split.c
===================================================================
RCS file: /home/ncvs/src/sys/netgraph/ng_split.c,v
retrieving revision 1.2
diff -u -r1.2 ng_split.c
--- sys/netgraph/ng_split.c 2001/07/24 23:33:06 1.2
+++ sys/netgraph/ng_split.c 2001/09/25 12:22:39
@@ -33,6 +33,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
Index: sys/netgraph/ng_tee.c
===================================================================
RCS file: /home/ncvs/src/sys/netgraph/ng_tee.c,v
retrieving revision 1.18
diff -u -r1.18 ng_tee.c
--- sys/netgraph/ng_tee.c 2001/09/12 08:37:53 1.18
+++ sys/netgraph/ng_tee.c 2001/09/25 12:22:42
@@ -53,6 +53,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
Index: sys/netgraph/ng_tty.c
===================================================================
RCS file: /home/ncvs/src/sys/netgraph/ng_tty.c,v
retrieving revision 1.20
diff -u -r1.20 ng_tty.c
--- sys/netgraph/ng_tty.c 2001/09/12 08:37:53 1.20
+++ sys/netgraph/ng_tty.c 2001/09/25 12:22:47
@@ -62,6 +62,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
Index: sys/netgraph/ng_vjc.c
===================================================================
RCS file: /home/ncvs/src/sys/netgraph/ng_vjc.c,v
retrieving revision 1.19
diff -u -r1.19 ng_vjc.c
--- sys/netgraph/ng_vjc.c 2001/01/08 05:34:06 1.19
+++ sys/netgraph/ng_vjc.c 2001/09/25 12:22:50
@@ -49,6 +49,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
Index: sys/netinet/accf_http.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/accf_http.c,v
retrieving revision 1.5
diff -u -r1.5 accf_http.c
--- sys/netinet/accf_http.c 2001/01/03 19:50:23 1.5
+++ sys/netinet/accf_http.c 2001/09/24 19:06:35
@@ -33,6 +33,7 @@
 #include
 #include
 #include
+#include
 #include
 /* check for GET/HEAD */
Index: sys/netinet/if_ether.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/if_ether.c,v
retrieving revision 1.84
diff -u -r1.84 if_ether.c
--- sys/netinet/if_ether.c 2001/10/14 20:17:53 1.84
+++ sys/netinet/if_ether.c 2001/10/16 01:03:16
@@ -48,6 +48,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
Index: sys/netinet/igmp.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/igmp.c,v
retrieving revision 1.33
diff -u -r1.33 igmp.c
--- sys/netinet/igmp.c 2001/09/03 20:40:35 1.33
+++ sys/netinet/igmp.c 2001/09/24 18:36:23
@@ -51,6 +51,7 @@
 #include
 #include
+#include
 #include
 #include
 #include
Index: sys/netinet/in_gif.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/in_gif.c,v
retrieving revision 1.13
diff -u -r1.13 in_gif.c
--- sys/netinet/in_gif.c 2001/09/12 08:37:53 1.13
+++ sys/netinet/in_gif.c 2001/09/24 18:36:39
@@ -38,6 +38,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
Index: sys/netinet/in_pcb.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/in_pcb.c,v
retrieving revision 1.90
diff -u -r1.90 in_pcb.c
--- sys/netinet/in_pcb.c 2001/09/29 03:23:43 1.90
+++ sys/netinet/in_pcb.c 2001/10/01 16:32:48
@@ -39,6 +39,7 @@
 #include
 #include
+#include
 #include
 #include
 #include
Index: sys/netinet/in_rmx.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/in_rmx.c,v
retrieving revision 1.41
diff -u -r1.41 in_rmx.c
--- sys/netinet/in_rmx.c 2001/09/29 03:23:44 1.41
+++ sys/netinet/in_rmx.c 2001/10/01 16:32:48
@@ -47,6 +47,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
Index: sys/netinet/ip_ecn.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/ip_ecn.c,v
retrieving revision 1.4
diff -u -r1.4 ip_ecn.c
--- sys/netinet/ip_ecn.c 2001/06/11 12:39:00 1.4
+++ sys/netinet/ip_ecn.c 2001/09/24 18:43:13
@@ -40,6 +40,7 @@
 #include
 #include
+#include
 #include
 #include
Index: sys/netinet/ip_encap.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/ip_encap.c,v
retrieving revision 1.10
diff -u -r1.10 ip_encap.c
--- sys/netinet/ip_encap.c 2001/09/07 07:24:28 1.10
+++ sys/netinet/ip_encap.c 2001/09/24 18:43:35
@@ -64,6 +64,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
Index: sys/netinet/ip_flow.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/ip_flow.c,v
retrieving revision 1.12
diff -u -r1.12 ip_flow.c
--- sys/netinet/ip_flow.c 2001/06/26 09:00:50 1.12
+++ sys/netinet/ip_flow.c 2001/09/24 18:44:03
@@ -39,6 +39,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
Index: sys/netinet/ip_fw.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/ip_fw.c,v
retrieving revision 1.173
diff -u -r1.173 ip_fw.c
--- sys/netinet/ip_fw.c 2001/10/05 07:06:31 1.173
+++ sys/netinet/ip_fw.c 2001/10/08 02:05:30
@@ -35,6 +35,7 @@
 #include
 #include
+#include
 #include
 #include
 #include
@@ -43,6 +44,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
Index: sys/netinet/ip_icmp.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/ip_icmp.c,v
retrieving revision 1.61
diff -u -r1.61 ip_icmp.c
--- sys/netinet/ip_icmp.c 2001/09/29 04:34:11 1.61
+++ sys/netinet/ip_icmp.c 2001/10/01 16:32:49
@@ -38,6 +38,7 @@
 #include
 #include
+#include
 #include
 #include
 #include
Index: sys/netinet/ip_input.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/ip_input.c,v
retrieving revision 1.182
diff -u -r1.182 ip_input.c
--- sys/netinet/ip_input.c 2001/10/05 05:45:27 1.182
+++ sys/netinet/ip_input.c 2001/10/08 02:05:31
@@ -48,6 +48,7 @@
 #include
 #include
+#include
 #include
 #include
 #include
Index: sys/netinet/ip_mroute.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/ip_mroute.c,v
retrieving revision 1.67
diff -u -r1.67 ip_mroute.c
--- sys/netinet/ip_mroute.c 2001/09/20 07:59:45 1.67
+++ sys/netinet/ip_mroute.c 2001/09/24 18:45:07
@@ -17,6 +17,7 @@
 #include
 #include
+#include
 #include
 #include
 #include
Index: sys/netinet/ip_output.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/ip_output.c,v
retrieving revision 1.139
diff -u -r1.139 ip_output.c
--- sys/netinet/ip_output.c 2001/10/05 05:45:27 1.139
+++ sys/netinet/ip_output.c 2001/10/08 02:05:31
@@ -47,6 +47,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
Index: sys/netinet/raw_ip.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/raw_ip.c,v
retrieving revision 1.85
diff -u -r1.85 raw_ip.c
--- sys/netinet/raw_ip.c 2001/10/09 21:40:30 1.85
+++ sys/netinet/raw_ip.c 2001/10/11 14:39:58
@@ -41,6 +41,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
Index: sys/netinet/tcp_input.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/tcp_input.c,v
retrieving revision 1.141
diff -u -r1.141 tcp_input.c
--- sys/netinet/tcp_input.c 2001/09/12 08:37:54 1.141
+++ sys/netinet/tcp_input.c 2001/09/24 18:45:51
@@ -44,6 +44,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include /* for proc0 declaration */
Index: sys/netinet/tcp_output.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/tcp_output.c,v
retrieving revision 1.53
diff -u -r1.53 tcp_output.c
--- sys/netinet/tcp_output.c 2001/10/05 21:33:38 1.53
+++ sys/netinet/tcp_output.c 2001/10/08 02:05:32
@@ -43,6 +43,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
Index: sys/netinet/tcp_subr.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/tcp_subr.c,v
retrieving revision 1.116
diff -u -r1.116 tcp_subr.c
--- sys/netinet/tcp_subr.c 2001/10/09 21:40:30 1.116
+++ sys/netinet/tcp_subr.c 2001/10/11 14:39:59
@@ -44,6 +44,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #ifdef INET6
Index: sys/netinet/tcp_timer.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/tcp_timer.c,v
retrieving revision 1.47
diff -u -r1.47 tcp_timer.c
--- sys/netinet/tcp_timer.c 2001/08/22 00:58:16 1.47
+++ sys/netinet/tcp_timer.c 2001/09/24 18:46:38
@@ -41,6 +41,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
Index: sys/netinet/tcp_usrreq.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/tcp_usrreq.c,v
retrieving revision 1.67
diff -u -r1.67 tcp_usrreq.c
--- sys/netinet/tcp_usrreq.c 2001/09/12 08:37:54 1.67
+++ sys/netinet/tcp_usrreq.c 2001/09/24 18:46:52
@@ -42,6 +42,7 @@
 #include
 #include
 #include
+#include
 #include
 #ifdef INET6
 #include
Index: sys/netinet/udp_usrreq.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/udp_usrreq.c,v
retrieving revision 1.98
diff -u -r1.98 udp_usrreq.c
--- sys/netinet/udp_usrreq.c 2001/10/09 21:40:30 1.98
+++ sys/netinet/udp_usrreq.c 2001/10/11 14:39:59
@@ -40,6 +40,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
Index: sys/netinet6/ah_core.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet6/ah_core.c,v
retrieving revision 1.8
diff -u -r1.8 ah_core.c
--- sys/netinet6/ah_core.c 2001/06/11 12:39:03 1.8
+++ sys/netinet6/ah_core.c 2001/09/24 18:47:39
@@ -42,6 +42,7 @@
 #include
 #include
+#include
 #include
 #include
 #include
Index: sys/netinet6/ah_input.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet6/ah_input.c,v
retrieving revision 1.9
diff -u -r1.9 ah_input.c
--- sys/netinet6/ah_input.c 2001/09/07 07:19:12 1.9
+++ sys/netinet6/ah_input.c 2001/09/24 18:47:48
@@ -39,6 +39,7 @@
 #include
 #include
+#include
 #include
 #include
 #include
Index: sys/netinet6/ah_output.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet6/ah_output.c,v
retrieving revision 1.7
diff -u -r1.7 ah_output.c
--- sys/netinet6/ah_output.c 2001/06/11 12:39:04 1.7
+++ sys/netinet6/ah_output.c 2001/09/24 18:47:52
@@ -39,6 +39,7 @@
 #include
 #include
+#include
 #include
 #include
 #include
Index: sys/netinet6/dest6.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet6/dest6.c,v
retrieving revision 1.6
diff -u -r1.6 dest6.c
--- sys/netinet6/dest6.c 2001/06/11 12:39:04 1.6
+++ sys/netinet6/dest6.c 2001/09/24 18:47:56
@@ -35,6 +35,7 @@
 #include
 #include
+#include
 #include
 #include
 #include
Index: sys/netinet6/esp_core.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet6/esp_core.c,v
retrieving revision 1.6
diff -u -r1.6 esp_core.c
--- sys/netinet6/esp_core.c 2001/08/20 17:58:46 1.6
+++ sys/netinet6/esp_core.c 2001/09/24 18:48:01
@@ -35,6 +35,7 @@
 #include
 #include
+#include
 #include
 #include
 #include
Index: sys/netinet6/esp_input.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet6/esp_input.c,v
retrieving revision 1.9
diff -u -r1.9 esp_input.c
--- sys/netinet6/esp_input.c 2001/09/07 07:19:12 1.9
+++ sys/netinet6/esp_input.c 2001/09/24 18:48:05
@@ -39,6 +39,7 @@
 #include
 #include
+#include
 #include
 #include
 #include
Index: sys/netinet6/esp_output.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet6/esp_output.c,v
retrieving revision 1.5
diff -u -r1.5 esp_output.c
--- sys/netinet6/esp_output.c 2001/06/11 12:39:05 1.5
+++ sys/netinet6/esp_output.c 2001/09/24 18:48:12
@@ -39,6 +39,7 @@
 #include
 #include
+#include
 #include
 #include
 #include
Index: sys/netinet6/frag6.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet6/frag6.c,v
retrieving revision 1.8
diff -u -r1.8 frag6.c
--- sys/netinet6/frag6.c 2001/06/11 12:39:05 1.8
+++ sys/netinet6/frag6.c 2001/09/24 18:48:16
@@ -32,6 +32,7 @@
 #include
 #include
+#include
 #include
 #include
 #include
Index: sys/netinet6/icmp6.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet6/icmp6.c,v
retrieving revision 1.14
diff -u -r1.14 icmp6.c
--- sys/netinet6/icmp6.c 2001/09/25 18:40:52 1.14
+++ sys/netinet6/icmp6.c 2001/09/26 15:36:51
@@ -71,6 +71,7 @@
 #include
 #include
+#include
 #include
 #include
 #include
Index: sys/netinet6/in6_cksum.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet6/in6_cksum.c,v
retrieving revision 1.4
diff -u -r1.4 in6_cksum.c
--- sys/netinet6/in6_cksum.c 2001/06/11 12:39:05 1.4
+++ sys/netinet6/in6_cksum.c 2001/09/24 18:48:28
@@ -66,6 +66,7 @@
 */
 #include
+#include
 #include
 #include
 #include
Index: sys/netinet6/in6_gif.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet6/in6_gif.c,v
retrieving revision 1.5
diff -u -r1.5 in6_gif.c
--- sys/netinet6/in6_gif.c 2001/06/11 12:39:05 1.5
+++ sys/netinet6/in6_gif.c 2001/09/24 18:48:34
@@ -37,6 +37,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
Index: sys/netinet6/in6_pcb.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet6/in6_pcb.c,v
retrieving revision 1.19
diff -u -r1.19 in6_pcb.c
--- sys/netinet6/in6_pcb.c 2001/09/25 18:40:52 1.19
+++ sys/netinet6/in6_pcb.c 2001/09/26 15:36:51
@@ -72,6 +72,7 @@
 #include
 #include
+#include
 #include
 #include
 #include
Index: sys/netinet6/in6_proto.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet6/in6_proto.c,v
retrieving revision 1.16
diff -u -r1.16 in6_proto.c
--- sys/netinet6/in6_proto.c 2001/07/02 21:02:09 1.16
+++ sys/netinet6/in6_proto.c 2001/09/24 18:48:42
@@ -75,6 +75,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
Index: sys/netinet6/in6_rmx.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet6/in6_rmx.c,v
retrieving revision 1.4
diff -u -r1.4 in6_rmx.c
--- sys/netinet6/in6_rmx.c 2001/06/11 12:39:05 1.4
+++ sys/netinet6/in6_rmx.c 2001/09/24 18:52:10
@@ -80,6 +80,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
Index: sys/netinet6/in6_src.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet6/in6_src.c,v
retrieving revision 1.6
diff -u -r1.6 in6_src.c
--- sys/netinet6/in6_src.c 2001/09/12 08:37:55 1.6
+++ sys/netinet6/in6_src.c 2001/09/24 18:52:14
@@ -70,6 +70,7 @@
 #include
 #include
+#include
 #include
 #include
 #include
Index: sys/netinet6/ip6_forward.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet6/ip6_forward.c,v
retrieving revision 1.12
diff -u -r1.12 ip6_forward.c
--- sys/netinet6/ip6_forward.c 2001/10/15 14:16:18 1.12
+++ sys/netinet6/ip6_forward.c 2001/10/16 01:03:20
@@ -37,6 +37,7 @@
 #include
 #include
+#include
 #include
 #include
 #include
Index: sys/netinet6/ip6_fw.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet6/ip6_fw.c,v
retrieving revision 1.13
diff -u -r1.13 ip6_fw.c
--- sys/netinet6/ip6_fw.c 2001/06/28 05:18:31 1.13
+++ sys/netinet6/ip6_fw.c 2001/09/24 18:52:21
@@ -35,6 +35,7 @@
 #include
 #include
+#include
 #include
 #include
 #include
Index: sys/netinet6/ip6_input.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet6/ip6_input.c,v
retrieving revision 1.30
diff -u -r1.30 ip6_input.c
--- sys/netinet6/ip6_input.c 2001/09/25 18:40:52 1.30
+++ sys/netinet6/ip6_input.c 2001/09/26 15:36:52
@@ -73,6 +73,7 @@
 #include
 #include
+#include
 #include
 #include
 #include
Index: sys/netinet6/ip6_mroute.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet6/ip6_mroute.c,v
retrieving revision 1.9
diff -u -r1.9 ip6_mroute.c
--- sys/netinet6/ip6_mroute.c 2001/09/20 08:04:21 1.9
+++ sys/netinet6/ip6_mroute.c 2001/09/24 18:52:30
@@ -51,6 +51,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
Index: sys/netinet6/ip6_output.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet6/ip6_output.c,v
retrieving revision 1.32
diff -u -r1.32 ip6_output.c
--- sys/netinet6/ip6_output.c 2001/09/12 08:37:55 1.32
+++ sys/netinet6/ip6_output.c 2001/09/24 18:52:34
@@ -72,6 +72,7 @@
 #include "opt_pfil_hooks.h"
 #include
+#include
 #include
 #include
 #include
Index: sys/netinet6/ipcomp_core.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet6/ipcomp_core.c,v
retrieving revision 1.2
diff -u -r1.2 ipcomp_core.c
--- sys/netinet6/ipcomp_core.c 2001/06/11 12:39:06 1.2
+++ sys/netinet6/ipcomp_core.c 2001/09/24 18:52:41
@@ -39,6 +39,7 @@
 #include
 #include
+#include
 #include
 #include
 #include
Index: sys/netinet6/ipcomp_input.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet6/ipcomp_input.c,v
retrieving revision 1.4
diff -u -r1.4 ipcomp_input.c
--- sys/netinet6/ipcomp_input.c 2001/09/07 07:19:12 1.4
+++ sys/netinet6/ipcomp_input.c 2001/09/24 18:52:46
@@ -39,6 +39,7 @@
 #include
 #include
+#include
 #include
 #include
 #include
Index: sys/netinet6/ipcomp_output.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet6/ipcomp_output.c,v
retrieving revision 1.2
diff -u -r1.2 ipcomp_output.c
--- sys/netinet6/ipcomp_output.c 2001/06/11 12:39:06 1.2
+++ sys/netinet6/ipcomp_output.c 2001/09/24 18:52:50
@@ -39,6 +39,7 @@
 #include
 #include
+#include
 #include
 #include
 #include
Index: sys/netinet6/ipsec.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet6/ipsec.c,v
retrieving revision 1.12
diff -u -r1.12 ipsec.c
--- sys/netinet6/ipsec.c 2001/06/11 12:39:06 1.12
+++ sys/netinet6/ipsec.c 2001/09/24 18:52:54
@@ -40,6 +40,7 @@ #include #include +#include #include #include #include Index: sys/netinet6/mld6.c =================================================================== RCS file: /home/ncvs/src/sys/netinet6/mld6.c,v retrieving revision 1.7 diff -u -r1.7 mld6.c --- sys/netinet6/mld6.c 2001/06/11 12:39:06 1.7 +++ sys/netinet6/mld6.c 2001/09/24 18:52:57 @@ -74,6 +74,7 @@ #include #include +#include #include #include #include Index: sys/netinet6/nd6.c =================================================================== RCS file: /home/ncvs/src/sys/netinet6/nd6.c,v retrieving revision 1.13 diff -u -r1.13 nd6.c --- sys/netinet6/nd6.c 2001/09/06 02:40:38 1.13 +++ sys/netinet6/nd6.c 2001/09/24 18:53:03 @@ -44,6 +44,7 @@ #include #include #include +#include #include #include #include Index: sys/netinet6/nd6_nbr.c =================================================================== RCS file: /home/ncvs/src/sys/netinet6/nd6_nbr.c,v retrieving revision 1.10 diff -u -r1.10 nd6_nbr.c --- sys/netinet6/nd6_nbr.c 2001/06/19 14:48:02 1.10 +++ sys/netinet6/nd6_nbr.c 2001/09/24 18:53:07 @@ -36,6 +36,7 @@ #include #include +#include #include #include #include Index: sys/netinet6/nd6_rtr.c =================================================================== RCS file: /home/ncvs/src/sys/netinet6/nd6_rtr.c,v retrieving revision 1.9 diff -u -r1.9 nd6_rtr.c --- sys/netinet6/nd6_rtr.c 2001/09/06 02:40:38 1.9 +++ sys/netinet6/nd6_rtr.c 2001/09/24 18:53:11 @@ -35,6 +35,7 @@ #include #include +#include #include #include #include Index: sys/netinet6/raw_ip6.c =================================================================== RCS file: /home/ncvs/src/sys/netinet6/raw_ip6.c,v retrieving revision 1.15 diff -u -r1.15 raw_ip6.c --- sys/netinet6/raw_ip6.c 2001/09/25 18:40:52 1.15 +++ sys/netinet6/raw_ip6.c 2001/09/26 15:36:53 
@@ -68,6 +68,7 @@ #include "opt_inet6.h" #include +#include #include #include #include Index: sys/netinet6/route6.c =================================================================== RCS file: /home/ncvs/src/sys/netinet6/route6.c,v retrieving revision 1.4 diff -u -r1.4 route6.c --- sys/netinet6/route6.c 2001/06/11 12:39:06 1.4 +++ sys/netinet6/route6.c 2001/09/24 18:53:18 @@ -34,6 +34,7 @@ #include "opt_inet6.h" #include +#include #include #include #include Index: sys/netinet6/scope6.c =================================================================== RCS file: /home/ncvs/src/sys/netinet6/scope6.c,v retrieving revision 1.2 diff -u -r1.2 scope6.c --- sys/netinet6/scope6.c 2001/06/11 12:39:06 1.2 +++ sys/netinet6/scope6.c 2001/09/24 18:53:23 @@ -31,6 +31,7 @@ */ #include +#include #include #include #include Index: sys/netinet6/udp6_output.c =================================================================== RCS file: /home/ncvs/src/sys/netinet6/udp6_output.c,v retrieving revision 1.6 diff -u -r1.6 udp6_output.c --- sys/netinet6/udp6_output.c 2001/09/25 18:40:52 1.6 +++ sys/netinet6/udp6_output.c 2001/09/26 15:36:53 @@ -70,6 +70,7 @@ #include "opt_inet6.h" #include +#include #include #include #include Index: sys/netinet6/udp6_usrreq.c =================================================================== RCS file: /home/ncvs/src/sys/netinet6/udp6_usrreq.c,v retrieving revision 1.18 diff -u -r1.18 udp6_usrreq.c --- sys/netinet6/udp6_usrreq.c 2001/09/25 18:40:52 1.18 +++ sys/netinet6/udp6_usrreq.c 2001/09/26 15:36:53 @@ -71,6 +71,7 @@ #include #include +#include #include #include #include Index: sys/nfsclient/bootp_subr.c =================================================================== RCS file: /home/ncvs/src/sys/nfsclient/bootp_subr.c,v retrieving revision 1.30 diff -u -r1.30 bootp_subr.c --- sys/nfsclient/bootp_subr.c 2001/09/18 23:31:49 1.30 +++ sys/nfsclient/bootp_subr.c 2001/09/24 18:54:46 
@@ -49,6 +49,7 @@ #include #include #include +#include #include #include #include Index: sys/nfsclient/krpc_subr.c =================================================================== RCS file: /home/ncvs/src/sys/nfsclient/krpc_subr.c,v retrieving revision 1.17 diff -u -r1.17 krpc_subr.c --- sys/nfsclient/krpc_subr.c 2001/09/18 23:31:51 1.17 +++ sys/nfsclient/krpc_subr.c 2001/09/24 18:54:50 @@ -47,6 +47,7 @@ #include #include +#include #include #include #include Index: sys/nfsclient/nfs_lock.c =================================================================== RCS file: /home/ncvs/src/sys/nfsclient/nfs_lock.c,v retrieving revision 1.14 diff -u -r1.14 nfs_lock.c --- sys/nfsclient/nfs_lock.c 2001/09/18 23:31:51 1.14 +++ sys/nfsclient/nfs_lock.c 2001/09/24 18:54:59 @@ -36,6 +36,7 @@ #include #include /* for hz */ #include +#include #include #include /* for hz */ /* Must come after sys/malloc.h */ #include Index: sys/nfsclient/nfs_nfsiod.c =================================================================== RCS file: /home/ncvs/src/sys/nfsclient/nfs_nfsiod.c,v retrieving revision 1.71 diff -u -r1.71 nfs_nfsiod.c --- sys/nfsclient/nfs_nfsiod.c 2001/09/18 23:31:51 1.71 +++ sys/nfsclient/nfs_nfsiod.c 2001/09/24 18:55:03 @@ -52,6 +52,7 @@ #include #include #include +#include #include #include #include Index: sys/nfsclient/nfs_socket.c =================================================================== RCS file: /home/ncvs/src/sys/nfsclient/nfs_socket.c,v retrieving revision 1.71 diff -u -r1.71 nfs_socket.c --- sys/nfsclient/nfs_socket.c 2001/10/09 02:40:45 1.71 +++ sys/nfsclient/nfs_socket.c 2001/10/11 14:40:06 
@@ -47,6 +47,7 @@ #include #include #include +#include #include #include #include Index: sys/nfsclient/nfs_subs.c =================================================================== RCS file: /home/ncvs/src/sys/nfsclient/nfs_subs.c,v retrieving revision 1.109 diff -u -r1.109 nfs_subs.c --- sys/nfsclient/nfs_subs.c 2001/09/27 22:40:37 1.109 +++ sys/nfsclient/nfs_subs.c 2001/10/01 16:32:58 @@ -54,6 +54,7 @@ #include #include #include +#include #include #include #include Index: sys/nfsclient/nfs_vfsops.c =================================================================== RCS file: /home/ncvs/src/sys/nfsclient/nfs_vfsops.c,v retrieving revision 1.105 diff -u -r1.105 nfs_vfsops.c --- sys/nfsclient/nfs_vfsops.c 2001/09/27 22:40:37 1.105 +++ sys/nfsclient/nfs_vfsops.c 2001/10/01 16:32:58 @@ -45,6 +45,7 @@ #include #include #include +#include #include #include #include Index: sys/nfsclient/nfs_vnops.c =================================================================== RCS file: /home/ncvs/src/sys/nfsclient/nfs_vnops.c,v retrieving revision 1.178 diff -u -r1.178 nfs_vnops.c --- sys/nfsclient/nfs_vnops.c 2001/10/11 23:38:16 1.178 +++ sys/nfsclient/nfs_vnops.c 2001/10/14 15:27:07 @@ -53,6 +53,7 @@ #include #include #include +#include #include #include #include Index: sys/nfsserver/nfs_serv.c =================================================================== RCS file: /home/ncvs/src/sys/nfsserver/nfs_serv.c,v retrieving revision 1.107 diff -u -r1.107 nfs_serv.c --- sys/nfsserver/nfs_serv.c 2001/09/28 04:37:08 1.107 +++ sys/nfsserver/nfs_serv.c 2001/10/01 16:33:01 @@ -81,6 +81,7 @@ #include #include #include +#include #include #include #include Index: sys/nfsserver/nfs_srvcache.c =================================================================== RCS file: /home/ncvs/src/sys/nfsserver/nfs_srvcache.c,v retrieving revision 1.31 diff -u -r1.31 nfs_srvcache.c --- sys/nfsserver/nfs_srvcache.c 2001/09/28 04:37:08 1.31 +++ sys/nfsserver/nfs_srvcache.c 2001/10/01 16:33:02 
@@ -48,6 +48,7 @@ #include #include #include +#include #include #include #include /* for dup_sockaddr */ Index: sys/nfsserver/nfs_srvsock.c =================================================================== RCS file: /home/ncvs/src/sys/nfsserver/nfs_srvsock.c,v retrieving revision 1.71 diff -u -r1.71 nfs_srvsock.c --- sys/nfsserver/nfs_srvsock.c 2001/09/28 04:37:08 1.71 +++ sys/nfsserver/nfs_srvsock.c 2001/10/01 16:33:03 @@ -48,6 +48,7 @@ #include #include #include +#include #include #include #include Index: sys/nfsserver/nfs_srvsubs.c =================================================================== RCS file: /home/ncvs/src/sys/nfsserver/nfs_srvsubs.c,v retrieving revision 1.109 diff -u -r1.109 nfs_srvsubs.c --- sys/nfsserver/nfs_srvsubs.c 2001/09/28 04:37:08 1.109 +++ sys/nfsserver/nfs_srvsubs.c 2001/10/01 16:33:03 @@ -55,6 +55,7 @@ #include #include #include +#include #include #include #include Index: sys/nfsserver/nfs_syscalls.c =================================================================== RCS file: /home/ncvs/src/sys/nfsserver/nfs_syscalls.c,v retrieving revision 1.72 diff -u -r1.72 nfs_syscalls.c --- sys/nfsserver/nfs_syscalls.c 2001/09/28 04:37:08 1.72 +++ sys/nfsserver/nfs_syscalls.c 2001/10/01 16:33:03 @@ -53,6 +53,7 @@ #include #include #include +#include #include #include #include Index: sys/pci/if_dc.c =================================================================== RCS file: /home/ncvs/src/sys/pci/if_dc.c,v retrieving revision 1.56 diff -u -r1.56 if_dc.c --- sys/pci/if_dc.c 2001/09/29 19:28:31 1.56 +++ sys/pci/if_dc.c 2001/10/01 16:33:08 @@ -92,6 +92,7 @@ #include #include #include +#include #include #include #include Index: sys/pci/if_de.c =================================================================== RCS file: /home/ncvs/src/sys/pci/if_de.c,v retrieving revision 1.136 diff -u -r1.136 if_de.c --- sys/pci/if_de.c 2001/02/06 10:11:45 1.136 +++ sys/pci/if_de.c 2001/09/24 18:56:35 
@@ -42,6 +42,7 @@ #include #include +#include #include #include #include Index: sys/pci/if_mn.c =================================================================== RCS file: /home/ncvs/src/sys/pci/if_mn.c,v retrieving revision 1.32 diff -u -r1.32 if_mn.c --- sys/pci/if_mn.c 2001/06/15 07:39:12 1.32 +++ sys/pci/if_mn.c 2001/09/24 18:56:40 @@ -37,6 +37,7 @@ #include #include #include +#include #include #include #include Index: sys/pci/if_pcn.c =================================================================== RCS file: /home/ncvs/src/sys/pci/if_pcn.c,v retrieving revision 1.23 diff -u -r1.23 if_pcn.c --- sys/pci/if_pcn.c 2001/09/29 19:28:31 1.23 +++ sys/pci/if_pcn.c 2001/10/01 16:33:09 @@ -58,6 +58,7 @@ #include #include #include +#include #include #include #include Index: sys/pci/if_rl.c =================================================================== RCS file: /home/ncvs/src/sys/pci/if_rl.c,v retrieving revision 1.61 diff -u -r1.61 if_rl.c --- sys/pci/if_rl.c 2001/08/15 17:38:43 1.61 +++ sys/pci/if_rl.c 2001/09/24 18:56:51 @@ -86,6 +86,7 @@ #include #include #include +#include #include #include #include Index: sys/pci/if_sf.c =================================================================== RCS file: /home/ncvs/src/sys/pci/if_sf.c,v retrieving revision 1.40 diff -u -r1.40 if_sf.c --- sys/pci/if_sf.c 2001/09/29 19:28:31 1.40 +++ sys/pci/if_sf.c 2001/10/01 16:33:09 @@ -82,6 +82,7 @@ #include #include #include +#include #include #include #include Index: sys/pci/if_sis.c =================================================================== RCS file: /home/ncvs/src/sys/pci/if_sis.c,v retrieving revision 1.36 diff -u -r1.36 if_sis.c --- sys/pci/if_sis.c 2001/09/29 19:28:31 1.36 +++ sys/pci/if_sis.c 2001/10/01 16:33:10 
@@ -60,6 +60,7 @@ #include #include #include +#include #include #include #include Index: sys/pci/if_sk.c =================================================================== RCS file: /home/ncvs/src/sys/pci/if_sk.c,v retrieving revision 1.45 diff -u -r1.45 if_sk.c --- sys/pci/if_sk.c 2001/09/29 19:28:31 1.45 +++ sys/pci/if_sk.c 2001/10/01 16:33:10 @@ -71,6 +71,7 @@ #include #include #include +#include #include #include #include Index: sys/pci/if_ste.c =================================================================== RCS file: /home/ncvs/src/sys/pci/if_ste.c,v retrieving revision 1.29 diff -u -r1.29 if_ste.c --- sys/pci/if_ste.c 2001/09/29 19:28:31 1.29 +++ sys/pci/if_ste.c 2001/10/01 16:33:10 @@ -35,6 +35,7 @@ #include #include #include +#include #include #include #include Index: sys/pci/if_ti.c =================================================================== RCS file: /home/ncvs/src/sys/pci/if_ti.c,v retrieving revision 1.53 diff -u -r1.53 if_ti.c --- sys/pci/if_ti.c 2001/09/18 18:40:22 1.53 +++ sys/pci/if_ti.c 2001/09/24 18:57:12 @@ -81,6 +81,7 @@ #include #include #include +#include #include #include #include Index: sys/pci/if_tl.c =================================================================== RCS file: /home/ncvs/src/sys/pci/if_tl.c,v retrieving revision 1.66 diff -u -r1.66 if_tl.c --- sys/pci/if_tl.c 2001/07/09 17:58:37 1.66 +++ sys/pci/if_tl.c 2001/09/24 18:57:18 @@ -181,6 +181,7 @@ #include #include #include +#include #include #include #include Index: sys/pci/if_tx.c =================================================================== RCS file: /home/ncvs/src/sys/pci/if_tx.c,v retrieving revision 1.49 diff -u -r1.49 if_tx.c --- sys/pci/if_tx.c 2001/09/05 23:04:53 1.49 +++ sys/pci/if_tx.c 2001/09/24 18:57:22 
@@ -45,6 +45,7 @@ #include #include #include +#include #include #include #include Index: sys/pci/if_vr.c =================================================================== RCS file: /home/ncvs/src/sys/pci/if_vr.c,v retrieving revision 1.45 diff -u -r1.45 if_vr.c --- sys/pci/if_vr.c 2001/07/09 17:58:37 1.45 +++ sys/pci/if_vr.c 2001/09/24 18:57:27 @@ -62,6 +62,7 @@ #include #include #include +#include #include #include #include Index: sys/pci/if_wb.c =================================================================== RCS file: /home/ncvs/src/sys/pci/if_wb.c,v retrieving revision 1.43 diff -u -r1.43 if_wb.c --- sys/pci/if_wb.c 2001/07/09 17:58:37 1.43 +++ sys/pci/if_wb.c 2001/09/24 18:57:32 @@ -88,6 +88,7 @@ #include #include #include +#include #include #include #include Index: sys/pci/if_wxvar.h =================================================================== RCS file: /home/ncvs/src/sys/pci/if_wxvar.h,v retrieving revision 1.12 diff -u -r1.12 if_wxvar.h --- sys/pci/if_wxvar.h 2001/10/15 06:59:41 1.12 +++ sys/pci/if_wxvar.h 2001/10/16 01:03:32 @@ -49,6 +49,7 @@ #include #include +#include #include #include #include Index: sys/pci/if_xl.c =================================================================== RCS file: /home/ncvs/src/sys/pci/if_xl.c,v retrieving revision 1.98 diff -u -r1.98 if_xl.c --- sys/pci/if_xl.c 2001/09/23 05:13:12 1.98 +++ sys/pci/if_xl.c 2001/09/26 15:37:05 @@ -103,6 +103,7 @@ #include #include #include +#include #include #include #include Index: sys/sys/mac.h =================================================================== RCS file: mac.h diff -N mac.h --- /dev/null Tue Oct 16 15:55:02 2001 +++ mac.h Wed Oct 3 07:10:37 2001 
@@ -0,0 +1,224 @@
+/*-
+ * Copyright (c) 1999-2001 Robert N. M. Watson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD: $
+ */
+/*
+ * Userland/kernel interface for Mandatory Access Control.
+ *
+ * The POSIX.1e implementation page may be reached at:
+ * http://www.trustedbsd.org/
+ */
+#ifndef _SYS_MAC_H
+#define _SYS_MAC_H
+
+#ifndef _POSIX_MAC
+#define _POSIX_MAC
+#endif
+
+#define FREEBSD_MAC_EXTATTR_NAME "$freebsd.mac"
+#define FREEBSD_MAC_EXTATTR_NAMESPACE EXTATTR_NAMESPACE_SYSTEM
+
+/*
+ * Structures and constants associated with a Biba Integrity policy.
+ * mac_biba represents a Biba label, with mb_type determining its properties,
+ * and mb_grade represents the hierarchal grade if valid for the current
+ * mb_type.
+ */
+struct mac_biba {
+ u_short mb_type;
+ u_short mb_grade;
+};
+#define MAC_BIBA_TYPE_GRADE 0 /* Hierarchal grade with mb_grade. */
+#define MAC_BIBA_TYPE_LOW 1 /* Dominated by any
+ * MAC_BIBA_TYPE_LABEL. */
+#define MAC_BIBA_TYPE_HIGH 2 /* Dominates any
+ * MAC_BIBA_TYPE_LABEL. */
+#define MAC_BIBA_TYPE_EQUAL 3 /* Equivilent to any
+ * MAC_BIBA_TYPE_LABEL. */
+
+/*
+ * The Biba label scope is expressed as an inclusive range of label values.
+ */
+struct mac_biba_scope {
+ struct mac_biba mbs_bottom;
+ struct mac_biba mbs_top;
+};
+
+/*
+ * Structures and constants associated with a Multi-Level Security policy.
+ * mac_mls represents an MLS label, with mm_type determining its properties,
+ * and mm_level represents the hierarchal sensitivity level if valid for the
+ * current mm_type.
+ */
+struct mac_mls {
+ u_short mm_type;
+ u_short mm_level;
+};
+#define MAC_MLS_TYPE_LEVEL 0 /* Hierarchal level with mm_level. */
+#define MAC_MLS_TYPE_LOW 1 /* Dominated by any
+ * MAC_MLS_TYPE_LABEL. */
+#define MAC_MLS_TYPE_HIGH 2 /* Dominates any
+ * MAC_MLS_TYPE_LABEL. */
+#define MAC_MLS_TYPE_EQUAL 3 /* Equivilent to any
+ * MAC_MLS_TYPE_LABEL. */
+
+/*
+ * The MLS label scope is expressed as an inclusive range of label values.
+ */
+struct mac_mls_scope {
+ struct mac_mls mbs_bottom;
+ struct mac_mls mbs_top;
+};
+
+/*
+ * Structures and constants for efficient, scalable non-overlapping system
+ * partitions.
+ * mac_partition represents a partitiong label, with mp_type determining
+ * its properties, and mp_partition representing the partition number for
+ * the current mp_type.
+ */
+struct mac_partition {
+ u_short mp_type;
+ u_int mp_partition;
+};
+#define MAC_PARTITION_TYPE_PARTITION 0 /* Visible/can effect the
+ * partition identified by
+ * mp_partition. */
+#define MAC_PARTITION_TYPE_ALL 1 /* Visible from any partition,
+ * not modifiable from any
+ * partition. */
+#define MAC_PARTITION_TYPE_NONE 2 /* Visible from no partition,
+ * not modifiable from any
+ * partition. */
+
+/*
+ * The Partition scope consists of a single label.
+ */
+struct mac_partition_scope {
+ struct mac_partition mps;
+};
+
+struct mac {
+ struct mac_biba m_biba;
+ struct mac_mls m_mls;
+ struct mac_partition m_partition;
+};
+typedef struct mac *mac_t;
+
+struct mac_scope {
+ struct mac_biba_scope ms_biba;
+ struct mac_mls_scope ms_mls;
+ struct mac_partition_scope ms_partition;
+};
+
+const struct mac mac_userland_system_high_label;
+
+#ifndef _KERNEL
+
+/*
+ * POSIX.1e functions visible in the application namespace.
+ */
+int mac_dominate __P((const mac_t labela, const mac_t labelb));
+int mac_equal __P((const mac_t labela, const mac_t labelb));
+int mac_free __P((void *buf_p));
+mac_t mac_from_text __P((const char *text_p));
+mac_t mac_from_fd __P((int fildes));
+mac_t mac_get_file __P((const char *path_p));
+mac_t mac_get_proc __P((void));
+mac_t mac_glb __P((const mac_t labela, const mac_t labelb));
+mac_t mac_lub __P((const mac_t labela, const mac_t labelb));
+int mac_set_fd __P((int fildes, const mac_t label));
+int mac_set_file __P((const char *path_p, mac_t label));
+int mac_set_proc __P((const mac_t label));
+ssize_t mac_size __P((mac_t label));
+char * mac_to_text __P((const mac_t label, size_t *len_p));
+int mac_valid __P((const mac_t label));
+
+/*
+ * System calls wrapped by some POSIX.1e functions.
+ */
+int __mac_get_fd(int fd, struct mac *mac_p);
+int __mac_get_file(const char *path_p, struct mac *mac_p);
+int __mac_get_proc(struct mac *mac_p);
+int __mac_set_fd(int fd, struct mac *mac_p);
+int __mac_set_file(const char *path_p, struct mac *mac_p);
+int __mac_set_proc(struct mac *mac_p);
+
+#else /* _KERNEL */
+
+/*
+ * Information flow/operation mask, used as an argument to mac_can().
+ */
+#define MAC_NONE 0x00000000
+#define MAC_READ 0x00000001 /* Information flow to subject. */
+#define MAC_WRITE 0x00000002 /* Information flow to object. */
+#define MAC_EXEC 0x00000004 /* Execute the object. */
+#define MAC_ADMIN 0x00000008 /* Administer object attributes. */
+#define MAC_SIGNAL 0x00000010 /* Signal the object (process). */
+#define MAC_CREATE 0x00000020 /* Create an object with this label. */
+#define MAC_STAT 0x00000040 /* Read object attributes. */
+#define MAC_ALL (MAC_READ | MAC_WRITE | MAC_EXEC | MAC_ADMIN | MAC_CREATE | \
+ MAC_STAT)
+
+/*
+ * Types of objects. MAC return values frequently depend on the object
+ * type being accesed.
+ */
+#define MAC_OBJ_PROC 0x00000001 /* Process. */
+#define MAC_OBJ_VFS_REGULAR 0x00000002 /* File. */
+#define MAC_OBJ_VFS_DIRECTORY 0x00000003 /* Directory. */
+#define MAC_OBJ_VFS_DEVICE 0x00000004 /* Device node. */
+#define MAC_OBJ_VFS_PIPE 0x00000005 /* Pipe. */
+
+/*
+ * Kernel functions to manage and evaluate labels.
+ */
+struct proc;
+struct ucred;
+int mac_can __P((const struct ucred *cred, const struct mac *label,
+ int operation, int sub_operation));
+int mac_cr_cansee __P((const struct ucred *u1, const struct ucred *u2));
+int mac_dominate __P((const struct mac *labela, const struct mac *labelb));
+int mac_equal __P((const struct mac *labela, const struct mac *labelb));
+void mac_init_subject __P((struct ucred *cred));
+void mac_create_subject __P((const struct ucred *cred_parent,
+ struct ucred *cred_child));
+int mac_can_setlabel_subject __P((const struct ucred *cred_old,
+ const struct ucred *cred_new));
+void mac_init_object __P((struct mac *label));
+void mac_create_object __P((const struct ucred *cred, struct mac *label));
+int mac_can_setlabel_object __P((const struct ucred *cred,
+ const struct mac *label_old, const struct mac *label_new));
+void mac_print_label __P((const struct mac *label));
+int mac_p_candebug __P((const struct proc *p1, const struct proc *p2));
+int mac_p_cansched __P((const struct proc *p1, const struct proc *p2));
+int mac_p_cansignal __P((const struct proc *p1, const struct proc *p2,
+ int signum));
+int mac_p_canexec __P((const struct proc *p1, const struct mac *label));
+
+#endif /* _KERNEL */
+
+#endif /* !_SYS_MAC_H */
Index: sys/sys/mac_private.h
===================================================================
RCS file: mac_private.h
diff -N mac_private.h
--- /dev/null Tue Oct 16 15:55:02 2001
+++ mac_private.h Fri Oct 5 10:11:56 2001
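Review bot: `const struct mac mac_userland_system_high_label;` in the middle of this hunk is a tentative definition rather than a declaration, so every translation unit that includes the header — userland and kernel alike — emits its own zero-filled copy and links only through common-symbol merging; if no .c file elsewhere in the patch supplies an initialised definition (this chunk shows none), the "system high" label silently reads as `{MAC_BIBA_TYPE_GRADE, 0}` / `{MAC_MLS_TYPE_LEVEL, 0}` / partition 0, which is the opposite of what the name promises. It should be `extern const struct mac mac_userland_system_high_label;` here, with the single definition in one .c file. Two smaller points in the same hunk: `MAC_ALL` omits `MAC_SIGNAL`, so any check that treats MAC_ALL as "every operation" will not cover signalling — if that is intentional a comment saying so would help; and `struct mac_mls_scope` reuses the Biba member names `mbs_bottom`/`mbs_top`, which should be `mms_bottom`/`mms_top` to match the `mm_` prefix of `struct mac_mls`. The LOW/HIGH/EQUAL comments also refer to `MAC_BIBA_TYPE_LABEL` and `MAC_MLS_TYPE_LABEL`, neither of which is defined; `MAC_BIBA_TYPE_GRADE` and `MAC_MLS_TYPE_LEVEL` appear to be what is meant.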
@@ -0,0 +1,103 @@
+/*-
+ * Copyright (c) 1999-2001 Robert N. M. Watson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD: $
+ */
+/*
+ * Developed by the TrustedBSD Project.
+ * Private label management functions for mandatory security policies.
+ */
+#ifndef _SYS_MAC_PRIVATE_H
+#define _SYS_MAC_PRIVATE_H
+
+/* Biba Integrity Policy. */
+int mac_biba_cr_cansee __P((const struct ucred *u1,
+ const struct ucred *u2));
+int mac_biba_dominate __P((const struct mac *labela,
+ const struct mac *labelb));
+int mac_biba_equal __P((const struct mac *labela,
+ const struct mac *labelb));
+void mac_biba_init_subject __P((struct ucred *cred));
+void mac_biba_create_subject __P((const struct ucred *parent_cred,
+ struct ucred *child_cred));
+int mac_biba_can_setlabel_subject __P((const struct ucred *cred_old,
+ const struct ucred *cred_new));
+void mac_biba_init_object __P((struct mac *label));
+void mac_biba_create_object __P((const struct ucred *cred,
+ struct mac *label));
+int mac_biba_can_setlabel_object __P((const struct ucred *cred,
+ const struct mac *label_old, const struct mac *label_new));
+void mac_biba_print_label __P((const struct mac *label));
+int mac_biba_p_candebug __P((const struct proc *p1,
+ const struct proc *p2));
+int mac_biba_p_cansched __P((const struct proc *p1,
+ const struct proc *p2));
+int mac_biba_p_cansignal __P((const struct proc *p1, const struct proc *p2,
+ int signum));
+int mac_biba_vaccess __P((enum vtype type, const struct mac *filelabel,
+ mode_t acc_mode, struct ucred *cred));
+
+/* Multi-Level Security Policy. */
+int mac_mls_cr_cansee __P((const struct ucred *u1,
+ const struct ucred *u2));
+int mac_mls_dominate __P((const struct mac *labela,
+ const struct mac *labelb));
+int mac_mls_equal __P((const struct mac *labela, const struct mac *labelb));
+void mac_mls_init_subject __P((struct ucred *cred));
+void mac_mls_create_subject __P((const struct ucred *parent_cred,
+ struct ucred *child_cred));
+int mac_mls_can_setlabel_subject __P((const struct ucred *cred_old,
+ const struct ucred *cred_new));
+void mac_mls_init_object __P((struct mac *label));
+void mac_mls_create_object __P((const struct ucred *cred,
+ struct mac *label));
+int mac_mls_can_setlabel_object __P((const struct ucred *cred,
+ const struct mac *label_old, const struct mac *label_new));
+void mac_mls_print_label __P((const struct mac *label));
+int mac_mls_p_candebug __P((const struct proc *p1, const struct proc *p2));
+int mac_mls_p_cansched __P((const struct proc *p1, const struct proc *p2));
+int mac_mls_p_cansignal __P((const struct proc *p1, const struct proc *p2,
+ int signum));
+int mac_mls_vaccess __P((enum vtype type, const struct mac *filelabel,
+ mode_t acc_mode, struct ucred *cred));
+
+/* Light-Weight Partition Security Policy. */
+int mac_partition_dominate __P((const struct mac *labela,
+ const struct mac *labelb));
+int mac_partition_equal __P((const struct mac *labela,
+ const struct mac *labelb));
+void mac_partition_init_subject __P((struct ucred *cred));
+void mac_partition_create_subject __P((const struct ucred *parent_cred,
+ struct ucred *child_cred));
+int mac_partition_can_setlabel_subject __P((const struct ucred *cred_old,
+ const struct ucred *cred_new));
+void mac_partition_init_object __P((struct mac *label));
+void mac_partition_create_object __P((const struct ucred *cred,
+ struct mac *label));
+int mac_partition_can_setlabel_object __P((const struct ucred *cred,
+ const struct mac *label_old, const struct mac *label_new));
+void mac_partition_print_label __P((const struct mac *label));
+
+#endif /* !_SYS_MAC_PRIVATE_H */
Index: sys/sys/mbuf.h
===================================================================
RCS file: /home/ncvs/src/sys/sys/mbuf.h,v
retrieving revision 1.85
diff -u -r1.85 mbuf.h
--- sys/sys/mbuf.h 2001/09/30 01:58:35 1.85
+++ sys/sys/mbuf.h 2001/10/01 16:33:20
@@ -85,6 +85,7 @@
 int csum_flags; /* flags regarding checksum */
 int csum_data; /* data field used by csum routines */
 struct mbuf *aux; /* extra data buffer; ipsec/others */
+ struct mac label; /* label of data in packet */
 };
 
 /*
Index: sys/sys/mount.h
===================================================================
RCS file: /home/ncvs/src/sys/sys/mount.h,v
retrieving revision 1.113
diff -u -r1.113 mount.h
--- sys/sys/mount.h 2001/09/12 08:38:05 1.113
+++ sys/sys/mount.h 2001/09/13 22:02:59
@@ -43,6 +43,7 @@
 */
 #include
+#include
 #include
 #include
 #ifdef _KERNEL
Index: sys/sys/proc.h
===================================================================
RCS file: /home/ncvs/src/sys/sys/proc.h,v
retrieving revision 1.186
diff -u -r1.186 proc.h
--- sys/sys/proc.h 2001/10/07 19:47:37 1.186
+++ sys/sys/proc.h 2001/10/08 02:05:54
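Review bot: The prototypes in mac_private.h name `struct ucred`, `struct proc`, `struct mac` and `enum vtype` without declaring or including any of them, whereas mac.h in the preceding hunk forward-declares `struct proc; struct ucred;` ahead of its kernel prototypes. A `struct ucred *` that first appears inside a parameter list gets prototype scope and is a different type from the real one, and `mac_biba_vaccess`/`mac_mls_vaccess` take `enum vtype` by value, which is a hard error unless <sys/vnode.h> has already been pulled in by whoever includes this file — an ordering rule the header does not state. I would add `struct proc; struct ucred; struct mac;` right after the include guard and either `#include <sys/vnode.h>` or a comment naming the required include order; since the file is described as private to the policies, wrapping the whole body in `#ifdef _KERNEL` would also keep it out of userland builds.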
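Review bot: `struct mac label; /* label of data in packet */` in the mbuf.h hunk embeds the label by value in the packet header, so mbuf.h now needs the complete `struct mac` definition, yet the hunk adds no include of its own; the many `+#include` lines added ahead of <sys/mbuf.h> across the netinet6, nfs and pci files in this patch look like they exist to satisfy that, which makes every future includer responsible for an undocumented ordering rule. Including the MAC header from mbuf.h itself, or at least a comment on the field stating the requirement, would be more robust. Nothing in this hunk initialises the new field either; the allocation macros are outside this chunk, so I can only note that a label left uninitialised or stale on a reused packet header is a policy decision made on garbage, and the MGETHDR/M_COPY_PKTHDR paths should be checked for an explicit label init and copy.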
@@ -53,6 +53,7 @@ #ifndef _KERNEL #include /* For structs itimerval, timeval. */ #endif +#include #include #include /* Machine-dependent proc substruct. */ Index: sys/sys/syscall-hide.h =================================================================== RCS file: syscall-hide.h diff -N syscall-hide.h --- /dev/null Tue Oct 16 15:55:02 2001 +++ syscall-hide.h Mon Oct 15 21:03:43 2001 
@@ -0,0 +1,302 @@
+/*
+ * System call hiders.
+ *
+ * DO NOT EDIT-- this file is automatically generated.
+<<<<<<< syscall-hide.h
+ * $FreeBSD$
+=======
+ * $FreeBSD: src/sys/sys/syscall-hide.h,v 1.90 2001/10/13 09:18:26 phk dead $
+>>>>>>> 1.90
+ * created from FreeBSD: src/sys/kern/syscalls.master,v 1.98 2001/09/21 21:33:22 rwatson Exp
+ */
+
+HIDE_POSIX(fork)
+HIDE_POSIX(read)
+HIDE_POSIX(write)
+HIDE_POSIX(open)
+HIDE_POSIX(close)
+HIDE_BSD(wait4)
+HIDE_BSD(creat)
+HIDE_POSIX(link)
+HIDE_POSIX(unlink)
+HIDE_POSIX(chdir)
+HIDE_BSD(fchdir)
+HIDE_POSIX(mknod)
+HIDE_POSIX(chmod)
+HIDE_POSIX(chown)
+HIDE_BSD(obreak)
+HIDE_BSD(getfsstat)
+HIDE_POSIX(lseek)
+HIDE_POSIX(getpid)
+HIDE_BSD(mount)
+HIDE_BSD(unmount)
+HIDE_POSIX(setuid)
+HIDE_POSIX(getuid)
+HIDE_POSIX(geteuid)
+HIDE_BSD(ptrace)
+HIDE_BSD(recvmsg)
+HIDE_BSD(sendmsg)
+HIDE_BSD(recvfrom)
+HIDE_BSD(accept)
+HIDE_BSD(getpeername)
+HIDE_BSD(getsockname)
+HIDE_POSIX(access)
+HIDE_BSD(chflags)
+HIDE_BSD(fchflags)
+HIDE_BSD(sync)
+HIDE_POSIX(kill)
+HIDE_POSIX(stat)
+HIDE_POSIX(getppid)
+HIDE_POSIX(lstat)
+HIDE_POSIX(dup)
+HIDE_POSIX(pipe)
+HIDE_POSIX(getegid)
+HIDE_BSD(profil)
+HIDE_BSD(ktrace)
+HIDE_POSIX(sigaction)
+HIDE_POSIX(getgid)
+HIDE_POSIX(sigprocmask)
+HIDE_BSD(getlogin)
+HIDE_BSD(setlogin)
+HIDE_BSD(acct)
+HIDE_POSIX(sigpending)
+HIDE_BSD(sigaltstack)
+HIDE_POSIX(ioctl)
+HIDE_BSD(reboot)
+HIDE_POSIX(revoke)
+HIDE_POSIX(symlink)
+HIDE_POSIX(readlink)
+HIDE_POSIX(execve)
+HIDE_POSIX(umask)
+HIDE_BSD(chroot)
+HIDE_POSIX(fstat)
+HIDE_BSD(getkerninfo)
+HIDE_BSD(getpagesize)
+HIDE_BSD(msync)
+HIDE_BSD(vfork)
+HIDE_BSD(sbrk)
+HIDE_BSD(sstk)
+HIDE_BSD(mmap)
+HIDE_BSD(ovadvise)
+HIDE_BSD(munmap)
+HIDE_BSD(mprotect)
+HIDE_BSD(madvise)
+HIDE_BSD(mincore)
+HIDE_POSIX(getgroups)
+HIDE_POSIX(setgroups)
+HIDE_POSIX(getpgrp)
+HIDE_POSIX(setpgid)
+HIDE_BSD(setitimer)
+HIDE_BSD(wait)
+HIDE_BSD(swapon)
+HIDE_BSD(getitimer)
+HIDE_BSD(gethostname)
+HIDE_BSD(sethostname)
+HIDE_BSD(getdtablesize)
+HIDE_POSIX(dup2)
+HIDE_BSD(getdopt)
+HIDE_POSIX(fcntl)
+HIDE_BSD(select)
+HIDE_BSD(setdopt)
+HIDE_POSIX(fsync)
+HIDE_BSD(setpriority)
+HIDE_BSD(socket)
+HIDE_BSD(connect)
+HIDE_BSD(accept)
+HIDE_BSD(getpriority)
+HIDE_BSD(send)
+HIDE_BSD(recv)
+HIDE_BSD(sigreturn)
+HIDE_BSD(bind)
+HIDE_BSD(setsockopt)
+HIDE_BSD(listen)
+HIDE_BSD(sigvec)
+HIDE_BSD(sigblock)
+HIDE_BSD(sigsetmask)
+HIDE_POSIX(sigsuspend)
+HIDE_BSD(sigstack)
+HIDE_BSD(recvmsg)
+HIDE_BSD(sendmsg)
+HIDE_BSD(gettimeofday)
+HIDE_BSD(getrusage)
+HIDE_BSD(getsockopt)
+HIDE_BSD(readv)
+HIDE_BSD(writev)
+HIDE_BSD(settimeofday)
+HIDE_BSD(fchown)
+HIDE_BSD(fchmod)
+HIDE_BSD(recvfrom)
+HIDE_BSD(setreuid)
+HIDE_BSD(setregid)
+HIDE_POSIX(rename)
+HIDE_BSD(truncate)
+HIDE_BSD(ftruncate)
+HIDE_BSD(flock)
+HIDE_POSIX(mkfifo)
+HIDE_BSD(sendto)
+HIDE_BSD(shutdown)
+HIDE_BSD(socketpair)
+HIDE_POSIX(mkdir)
+HIDE_POSIX(rmdir)
+HIDE_BSD(utimes)
+HIDE_BSD(adjtime)
+HIDE_BSD(getpeername)
+HIDE_BSD(gethostid)
+HIDE_BSD(sethostid)
+HIDE_BSD(getrlimit)
+HIDE_BSD(setrlimit)
+HIDE_BSD(killpg)
+HIDE_POSIX(setsid)
+HIDE_BSD(quotactl)
+HIDE_BSD(quota)
+HIDE_BSD(getsockname)
+HIDE_BSD(nfssvc)
+HIDE_BSD(getdirentries)
+HIDE_BSD(statfs)
+HIDE_BSD(fstatfs)
+HIDE_BSD(getfh)
+HIDE_BSD(getdomainname)
+HIDE_BSD(setdomainname)
+HIDE_BSD(uname)
+HIDE_BSD(sysarch)
+HIDE_BSD(rtprio)
+HIDE_BSD(semsys)
+HIDE_BSD(msgsys)
+HIDE_BSD(shmsys)
+HIDE_POSIX(pread)
+HIDE_POSIX(pwrite)
+HIDE_BSD(ntp_adjtime)
+HIDE_POSIX(setgid)
+HIDE_BSD(setegid)
+HIDE_BSD(seteuid)
+HIDE_BSD(lfs_bmapv)
+HIDE_BSD(lfs_markv)
+HIDE_BSD(lfs_segclean)
+HIDE_BSD(lfs_segwait)
+HIDE_POSIX(stat)
+HIDE_POSIX(fstat)
+HIDE_POSIX(lstat)
+HIDE_POSIX(pathconf)
+HIDE_POSIX(fpathconf)
+HIDE_BSD(getrlimit)
+HIDE_BSD(setrlimit)
+HIDE_BSD(getdirentries)
+HIDE_BSD(mmap)
+HIDE_POSIX(lseek)
+HIDE_BSD(truncate)
+HIDE_BSD(ftruncate)
+HIDE_BSD(__sysctl)
+HIDE_BSD(mlock)
+HIDE_BSD(munlock)
+HIDE_BSD(undelete)
+HIDE_BSD(futimes)
+HIDE_BSD(getpgid)
+HIDE_BSD(poll)
+HIDE_BSD(__semctl)
+HIDE_BSD(semget)
+HIDE_BSD(semop)
+HIDE_BSD(msgctl)
+HIDE_BSD(msgget)
+HIDE_BSD(msgsnd)
+HIDE_BSD(msgrcv)
+HIDE_BSD(shmat)
+HIDE_BSD(shmctl)
+HIDE_BSD(shmdt)
+HIDE_BSD(shmget)
+HIDE_POSIX(clock_gettime)
+HIDE_POSIX(clock_settime)
+HIDE_POSIX(clock_getres)
+HIDE_POSIX(nanosleep)
+HIDE_BSD(minherit)
+HIDE_BSD(rfork)
+HIDE_BSD(openbsd_poll)
+HIDE_BSD(issetugid)
+HIDE_BSD(lchown)
+HIDE_BSD(getdents)
+HIDE_BSD(lchmod)
+HIDE_BSD(lchown)
+HIDE_BSD(lutimes)
+HIDE_BSD(msync)
+HIDE_BSD(nstat)
+HIDE_BSD(nfstat)
+HIDE_BSD(nlstat)
+HIDE_BSD(fhstatfs)
+HIDE_BSD(fhopen)
+HIDE_BSD(fhstat)
+HIDE_BSD(modnext)
+HIDE_BSD(modstat)
+HIDE_BSD(modfnext)
+HIDE_BSD(modfind)
+HIDE_BSD(kldload)
+HIDE_BSD(kldunload)
+HIDE_BSD(kldfind)
+HIDE_BSD(kldnext)
+HIDE_BSD(kldstat)
+HIDE_BSD(kldfirstmod)
+HIDE_BSD(getsid)
+HIDE_BSD(setresuid)
+HIDE_BSD(setresgid)
+HIDE_BSD(aio_return)
+HIDE_BSD(aio_suspend)
+HIDE_BSD(aio_cancel)
+HIDE_BSD(aio_error)
+HIDE_BSD(aio_read)
+HIDE_BSD(aio_write)
+HIDE_BSD(lio_listio)
+HIDE_BSD(yield)
+HIDE_BSD(mlockall)
+HIDE_BSD(munlockall)
+HIDE_BSD(__getcwd)
+HIDE_POSIX(sched_setparam)
+HIDE_POSIX(sched_getparam)
+HIDE_POSIX(sched_setscheduler)
+HIDE_POSIX(sched_getscheduler)
+HIDE_POSIX(sched_yield)
+HIDE_POSIX(sched_get_priority_max)
+HIDE_POSIX(sched_get_priority_min)
+HIDE_POSIX(sched_rr_get_interval)
+HIDE_BSD(utrace)
+HIDE_BSD(sendfile)
+HIDE_BSD(kldsym)
+HIDE_BSD(jail)
+HIDE_BSD(pioctl)
+HIDE_POSIX(sigprocmask)
+HIDE_POSIX(sigsuspend)
+HIDE_POSIX(sigaction)
+HIDE_POSIX(sigpending)
+HIDE_BSD(sigreturn)
+HIDE_BSD(__acl_get_file)
+HIDE_BSD(__acl_set_file)
+HIDE_BSD(__acl_get_fd)
+HIDE_BSD(__acl_set_fd)
+HIDE_BSD(__acl_delete_file)
+HIDE_BSD(__acl_delete_fd)
+HIDE_BSD(__acl_aclcheck_file)
+HIDE_BSD(__acl_aclcheck_fd)
+HIDE_BSD(extattrctl)
+HIDE_BSD(extattr_set_file)
+HIDE_BSD(extattr_get_file)
+HIDE_BSD(extattr_delete_file)
+HIDE_BSD(aio_waitcomplete)
+HIDE_BSD(getresuid)
+HIDE_BSD(getresgid)
+HIDE_BSD(kqueue)
+HIDE_BSD(kevent)
+HIDE_BSD(__cap_get_proc)
+HIDE_BSD(__cap_set_proc)
+HIDE_BSD(__cap_get_fd)
+HIDE_BSD(__cap_get_file) +HIDE_BSD(__cap_set_fd) +HIDE_BSD(__cap_set_file) +HIDE_BSD(extattr_set_fd) +HIDE_BSD(extattr_get_fd) +HIDE_BSD(extattr_delete_fd) +HIDE_BSD(__setugid) +HIDE_BSD(nfsclnt) +HIDE_BSD(eaccess) +HIDE_BSD(__mac_get_proc) +HIDE_BSD(__mac_set_proc) +HIDE_BSD(__mac_get_fd) +HIDE_BSD(__mac_get_file) +HIDE_BSD(__mac_set_fd) +HIDE_BSD(__mac_set_file) Index: sys/sys/syscall.h =================================================================== RCS file: /home/ncvs/src/sys/sys/syscall.h,v retrieving revision 1.95 diff -u -r1.95 syscall.h --- sys/sys/syscall.h 2001/10/13 13:30:21 1.95 +++ sys/sys/syscall.h 2001/10/16 01:28:36 @@ -2,7 +2,7 @@ * System call numbers. * * DO NOT EDIT-- this file is automatically generated. - * $FreeBSD: src/sys/sys/syscall.h,v 1.95 2001/10/13 13:30:21 rwatson Exp $ + * $FreeBSD$ * created from FreeBSD: src/sys/kern/syscalls.master,v 1.99 2001/10/13 13:19:34 rwatson Exp */ @@ -297,4 +297,10 @@ #define SYS___setugid 374 #define SYS_nfsclnt 375 #define SYS_eaccess 376 -#define SYS_MAXSYSCALL 378 +#define SYS___mac_get_proc 378 +#define SYS___mac_set_proc 379 +#define SYS___mac_get_fd 380 +#define SYS___mac_get_file 381 +#define SYS___mac_set_fd 382 +#define SYS___mac_set_file 383 +#define SYS_MAXSYSCALL 384 Index: sys/sys/syscall.mk =================================================================== RCS file: /home/ncvs/src/sys/sys/syscall.mk,v retrieving revision 1.49 diff -u -r1.49 syscall.mk --- sys/sys/syscall.mk 2001/10/13 13:30:21 1.49 +++ sys/sys/syscall.mk 2001/10/16 01:28:36 @@ -1,6 +1,6 @@ # FreeBSD system call names. # DO NOT EDIT-- this file is automatically generated. -# $FreeBSD: src/sys/sys/syscall.mk,v 1.49 2001/10/13 13:30:21 rwatson Exp $ +# $FreeBSD$ # created from FreeBSD: src/sys/kern/syscalls.master,v 1.99 2001/10/13 13:19:34 rwatson Exp MIASM = \ syscall.o \ 
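Review bot: Unresolved CVS conflict markers (`<<<<<<< syscall-hide.h`, `=======`, `>>>>>>> 1.90`) are committed inside the header comment of the new syscall-hide.h, and that header says it was created from syscalls.master v1.98 while syscall.h, syscall.mk and sysproto.h in this same diff say v1.99. The file is marked DO NOT EDIT, so it should be regenerated from the same syscalls.master as the other three rather than patched by hand; that also removes the markers and settles which `$FreeBSD$` line survives. Until it is regenerated there is no guarantee that the six new `HIDE_BSD(__mac_*)` entries were produced from the same master that assigned numbers 378-383 in syscall.h.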
@@ -245,4 +245,10 @@ extattr_delete_fd.o \ __setugid.o \ nfsclnt.o \ - eaccess.o + eaccess.o \ + __mac_get_proc.o \ + __mac_set_proc.o \ + __mac_get_fd.o \ + __mac_get_file.o \ + __mac_set_fd.o \ + __mac_set_file.o Index: sys/sys/sysproto.h =================================================================== RCS file: /home/ncvs/src/sys/sys/sysproto.h,v retrieving revision 1.86 diff -u -r1.86 sysproto.h --- sys/sys/sysproto.h 2001/10/13 13:30:21 1.86 +++ sys/sys/sysproto.h 2001/10/16 01:28:36 @@ -2,7 +2,7 @@ * System call prototypes. * * DO NOT EDIT-- this file is automatically generated. - * $FreeBSD: src/sys/sys/sysproto.h,v 1.86 2001/10/13 13:30:21 rwatson Exp $ + * $FreeBSD$ * created from FreeBSD: src/sys/kern/syscalls.master,v 1.99 2001/10/13 13:19:34 rwatson Exp */ 
@@ -1081,6 +1081,28 @@ char path_l_[PADL_(char *)]; char * path; char path_r_[PADR_(char *)]; char flags_l_[PADL_(int)]; int flags; char flags_r_[PADR_(int)]; }; +struct __mac_get_proc_args { + char mac_p_l_[PADL_(struct mac *)]; struct mac * mac_p; char mac_p_r_[PADR_(struct mac *)]; +}; +struct __mac_set_proc_args { + char mac_p_l_[PADL_(struct mac *)]; struct mac * mac_p; char mac_p_r_[PADR_(struct mac *)]; +}; +struct __mac_get_fd_args { + char fd_l_[PADL_(int)]; int fd; char fd_r_[PADR_(int)]; + char mac_p_l_[PADL_(struct mac *)]; struct mac * mac_p; char mac_p_r_[PADR_(struct mac *)]; +}; +struct __mac_get_file_args { + char path_p_l_[PADL_(const char *)]; const char * path_p; char path_p_r_[PADR_(const char *)]; + char mac_p_l_[PADL_(struct mac *)]; struct mac * mac_p; char mac_p_r_[PADR_(struct mac *)]; +}; +struct __mac_set_fd_args { + char fd_l_[PADL_(int)]; int fd; char fd_r_[PADR_(int)]; + char mac_p_l_[PADL_(struct mac *)]; struct mac * mac_p; char mac_p_r_[PADR_(struct mac *)]; +}; +struct __mac_set_file_args { + char path_p_l_[PADL_(const char *)]; const char * path_p; char path_p_r_[PADR_(const char *)]; + char mac_p_l_[PADL_(struct mac *)]; struct mac * mac_p; char mac_p_r_[PADR_(struct mac *)]; +}; int nosys __P((struct thread *, struct nosys_args *)); void sys_exit __P((struct thread *, struct sys_exit_args *)); int fork __P((struct thread *, struct fork_args *)); 
@@ -1323,6 +1345,12 @@ int __setugid __P((struct thread *, struct __setugid_args *)); int nfsclnt __P((struct thread *, struct nfsclnt_args *)); int eaccess __P((struct thread *, struct eaccess_args *)); +int __mac_get_proc __P((struct thread *, struct __mac_get_proc_args *)); +int __mac_set_proc __P((struct thread *, struct __mac_set_proc_args *)); +int __mac_get_fd __P((struct thread *, struct __mac_get_fd_args *)); +int __mac_get_file __P((struct thread *, struct __mac_get_file_args *)); +int __mac_set_fd __P((struct thread *, struct __mac_set_fd_args *)); +int __mac_set_file __P((struct thread *, struct __mac_set_file_args *)); #ifdef COMPAT_43 Index: sys/sys/ucred.h =================================================================== RCS file: /home/ncvs/src/sys/sys/ucred.h,v retrieving revision 1.26 diff -u -r1.26 ucred.h --- sys/sys/ucred.h 2001/10/11 23:38:17 1.26 +++ sys/sys/ucred.h 2001/10/16 01:23:41 @@ -60,6 +60,7 @@ struct uidinfo *cr_uidinfo; /* per euid resource consumption */ struct uidinfo *cr_ruidinfo; /* per ruid resource consumption */ struct prison *cr_prison; /* jail(4) */ + struct mac cr_label; /* mandatory access control label */ #define cr_endcopy cr_mtx struct mtx cr_mtx; /* protect refcount */ }; @@ -78,6 +79,9 @@ short cr_ngroups; /* number of groups */ gid_t cr_groups[NGROUPS]; /* groups */ void *_cr_unused1; /* compatibility with old ucred */ +#if 0 + struct mac cr_label; /* mandatory access control label */ +#endif }; #ifdef _KERNEL Index: sys/sys/user.h =================================================================== RCS file: /home/ncvs/src/sys/sys/user.h,v retrieving revision 1.45 diff -u -r1.45 user.h --- sys/sys/user.h 2001/10/11 08:15:16 1.45 +++ sys/sys/user.h 2001/10/11 14:40:25 
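Review bot: The `#if 0` block around the second `cr_label` leaves dead code in what the adjacent `_cr_unused1` comment marks as the compatibility layout, with nothing saying why it is disabled or what has to happen before it can be enabled. Either drop it or explain it inline, e.g. `/* XXX: cr_label not exported here yet; it would change the size of a layout userland reads (see _cr_unused1). */` — hedged, since the struct tag is outside the hunk. In the first hunk the new field sits above `#define cr_endcopy cr_mtx`, so it is presumably inside the region that credential copies duplicate; a word to that effect in the field comment would save the next reader the check.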
@@ -43,6 +43,7 @@ #include #include #include +#include #include #include #include Index: sys/sys/vnode.h =================================================================== RCS file: /home/ncvs/src/sys/sys/vnode.h,v retrieving revision 1.158 diff -u -r1.158 vnode.h --- sys/sys/vnode.h 2001/10/01 04:33:35 1.158 +++ sys/sys/vnode.h 2001/10/03 11:30:09 @@ -543,6 +543,7 @@ struct proc; struct stat; struct nstat; +struct mac; struct ucred; struct uio; struct vattr; @@ -574,6 +575,8 @@ int vaccess_acl_posix1e __P((enum vtype type, uid_t file_uid, gid_t file_gid, struct acl *acl, mode_t acc_mode, struct ucred *cred, int *privused)); +int vaccess_mac __P((enum vtype type, const struct mac *filelabel, + mode_t acc_mode, struct ucred *cred)); void vattr_null __P((struct vattr *vap)); int vcount __P((struct vnode *vp)); void vdrop __P((struct vnode *)); Index: sys/ufs/ffs/ffs_vfsops.c =================================================================== RCS file: /home/ncvs/src/sys/ufs/ffs/ffs_vfsops.c,v retrieving revision 1.161 diff -u -r1.161 ffs_vfsops.c --- sys/ufs/ffs/ffs_vfsops.c 2001/10/02 14:34:22 1.161 +++ sys/ufs/ffs/ffs_vfsops.c 2001/10/02 18:23:28 @@ -34,6 +34,7 @@ * $FreeBSD: src/sys/ufs/ffs/ffs_vfsops.c,v 1.161 2001/10/02 14:34:22 rwatson Exp $ */ +#include "opt_mac.h" #include "opt_quota.h" #include "opt_ufs.h" 
@@ -712,6 +713,18 @@ ump->um_quotas[i] = NULLVP; #ifdef UFS_EXTATTR ufs_extattr_uepm_init(&ump->um_extattr); +#endif +#ifdef MAC + /* + * The following sets a file system to use default object labels + * for system objects. + * mac_init_object(&ump->um_label); + */ + /* The following inherits a file system label from the credential + * of the caller. mac_inherit_object knows what to do if cred is + * NOCRED. + */ + mac_create_object(cred, &ump->um_label); #endif devvp->v_rdev->si_mountpoint = mp; ffs_oldfscompat(fs); Index: sys/ufs/ufs/ufs_vnops.c =================================================================== RCS file: /home/ncvs/src/sys/ufs/ufs/ufs_vnops.c,v retrieving revision 1.180 diff -u -r1.180 ufs_vnops.c --- sys/ufs/ufs/ufs_vnops.c 2001/10/08 00:37:54 1.180 +++ sys/ufs/ufs/ufs_vnops.c 2001/10/08 02:05:58 @@ -39,6 +39,7 @@ * $FreeBSD: src/sys/ufs/ufs/ufs_vnops.c,v 1.180 2001/10/08 00:37:54 dillon Exp $ */ +#include "opt_mac.h" #include "opt_quota.h" #include "opt_suiddir.h" #include "opt_ufs.h" @@ -60,6 +61,8 @@ #include #include #include +#include +#include #include @@ -88,6 +91,9 @@ static int ufs_close __P((struct vop_close_args *)); static int ufs_create __P((struct vop_create_args *)); static int ufs_getattr __P((struct vop_getattr_args *)); +#ifdef MAC +static int ufs_getlabel __P((struct vop_getlabel_args *)); +#endif static int ufs_link __P((struct vop_link_args *)); static int ufs_makeinode __P((int mode, struct vnode *, struct vnode **, struct componentname *)); static int ufs_missingop __P((struct vop_generic_args *ap)); 
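Review bot: The comment above `mac_create_object(cred, &ump->um_label);` describes `mac_inherit_object` and says it copes with `cred` being `NOCRED`, but the function actually called is `mac_create_object`, so the NOCRED guarantee is asserted for a function that is not the one invoked; if `mac_create_object` does not accept NOCRED, the mount label would be derived from an invalid credential. The commented-out `mac_init_object(&ump->um_label);` alternative should be a sentence, not code inside a comment. Suggested replacement comment: `/* Derive the file system label from the mounter's credential; NOCRED must be accepted here (TODO: confirm for mac_create_object). */`. The enclosing function begins outside the hunk and `cred` is not visible in it.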
@@ -101,6 +107,9 @@ static int ufs_rename __P((struct vop_rename_args *)); static int ufs_rmdir __P((struct vop_rmdir_args *)); static int ufs_setattr __P((struct vop_setattr_args *)); +#ifdef MAC +static int ufs_setlabel __P((struct vop_setlabel_args *)); +#endif static int ufs_strategy __P((struct vop_strategy_args *)); static int ufs_symlink __P((struct vop_symlink_args *)); static int ufs_whiteout __P((struct vop_whiteout_args *)); @@ -337,6 +346,9 @@ { struct vnode *vp = ap->a_vp; struct inode *ip = VTOI(vp); +#ifdef MAC + struct mac label; +#endif mode_t mode = ap->a_mode; int error; #ifdef UFS_ACL @@ -367,9 +379,27 @@ } /* If immutable bit set, nobody gets to write it. */ + /* XXX: This breaks chflags(), please fix. + if ((mode & (VWRITE | VADMIN)) && + (ip->i_flags & (IMMUTABLE | SF_SNAPSHOT))) + return (EPERM); + */ if ((mode & VWRITE) && (ip->i_flags & (IMMUTABLE | SF_SNAPSHOT))) return (EPERM); +#ifdef MAC + error = VOP_GETLABEL(vp, &label, ap->a_cred, ap->a_td); + if (error) { + printf("ufs_access: couldn't get any label (%d)\n", error); + return (error); + } + error = vaccess_mac(vp->v_type, &label, ap->a_mode, ap->a_cred); + if (error) { + printf("mac_vaccess returned %d for %d (%s)\n", error, + ap->a_td->td_proc->p_pid, ap->a_td->td_proc->p_comm); + return (error); + } +#endif /* !MAC */ #ifdef UFS_ACL MALLOC(acl, struct acl *, sizeof(*acl), M_ACL, M_WAITOK); len = sizeof(*acl); 
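Review bot: The two `printf` calls in the new `#ifdef MAC` block of ufs_access fire on every MAC denial, which any unprivileged process can trigger simply by attempting access to a file its label does not permit, so they turn a correct policy decision into a way to flood the console log; the second message also names `mac_vaccess`, a function that does not exist — the call is `vaccess_mac`. Drop both printfs (or gate them behind a debug knob) and keep only `return (error);`. The closing `#endif /* !MAC */` is mislabelled — the block is `#ifdef MAC`, so the convention is `#endif /* MAC */`; the same inverted comment closes the ufs_setlabel, ufs_mkdir and ufs_makeinode blocks further down. The commented-out VADMIN variant of the immutable check should be a one-line XXX note rather than disabled code. The enclosing function starts outside the hunk.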
@@ -741,6 +771,102 @@ return (0); } +#ifdef MAC +/* + * Retrieve the MAC label on a file. + */ +static int +ufs_getlabel(ap) + struct vop_getlabel_args /* { + struct vnode *a_vp; + struct mac *a_label; + struct ucred *a_cred; + struct thread *a_td; + } */ *ap; +{ + struct ufsmount *ump; + int error, len; + + len = sizeof(*ap->a_label); + bzero(ap->a_label, sizeof(*ap->a_label)); + error = vn_extattr_get(ap->a_vp, IO_NODELOCKED, + FREEBSD_MAC_EXTATTR_NAMESPACE, FREEBSD_MAC_EXTATTR_NAME, &len, + (char *) ap->a_label, ap->a_td); + switch (error) { + case 0: + /* + * Successfully retrieved the label from disk. + * Check the length, fail closed. + */ + if (len != sizeof(*ap->a_label)) { + printf("Corrupted label\n"); + error = EPERM; + } + break; + case ENOENT: /* XXX: Should be ENOATTR not ENOENT. */ + case EOPNOTSUPP: + /* + * If no label is available, return the mount label + * instead. + */ + ump = VFSTOUFS(ap->a_vp->v_mount); + *ap->a_label = ump->um_label; + error = 0; + break; + default: + } + + return (error); +} + +/* + * Set the MAC label on a file. + */ +static int +ufs_setlabel(ap) + struct vop_setlabel_args /* { + struct vnode *a_vp; + struct mac *a_label; + struct ucred *a_cred; + struct thread *a_td; + } */ *ap; +{ + struct mac old_label; + int error; + + /* + * First access check: does the caller have the ability to + * administer the file system object to be labeled/re-labeled. + */ + error = VOP_ACCESS(ap->a_vp, VADMIN, ap->a_cred, ap->a_td); + if (error) + return (error); + + /* + * Second check: is the label being assigned to the object + * appropriate based on the label previously assigned, and + * the label on the subject. To do this, must retrieve the + * old label. 
+ */ + error = VOP_GETLABEL(ap->a_vp, &old_label, ap->a_cred, ap->a_td); + if (error) + return (error); + + error = mac_can_setlabel_object(ap->a_cred, &old_label, ap->a_label); + if (error) + return (error); + + error = vn_extattr_set(ap->a_vp, IO_NODELOCKED, + FREEBSD_MAC_EXTATTR_NAMESPACE, FREEBSD_MAC_EXTATTR_NAME, + sizeof(*ap->a_label), (char *) ap->a_label, ap->a_td); + if (error) + return (error); + + VN_KNOTE(ap->a_vp, NOTE_ATTRIB); + return (0); +} +#endif /* !MAC */ + int ufs_remove(ap) struct vop_remove_args /* { @@ -1358,6 +1484,10 @@ struct buf *bp; struct dirtemplate dirtemplate, *dtp; struct direct newdir; +#ifdef MAC + struct ufsmount *ump; + struct mac label; +#endif #ifdef UFS_ACL struct acl *acl, *dacl; #endif @@ -1511,6 +1641,31 @@ error = UFS_UPDATE(tvp, !(DOINGSOFTDEP(dvp) | DOINGASYNC(dvp))); if (error) goto bad; + +#ifdef MAC + mac_create_object(cnp->cn_cred, &label); + error = vn_extattr_set(tvp, IO_NODELOCKED, + FREEBSD_MAC_EXTATTR_NAMESPACE, FREEBSD_MAC_EXTATTR_NAME, + sizeof(label), (char *) &label, cnp->cn_thread); + switch (error) { + case 0: + break; + case ENOENT: /* XXX: Should be ENOATTR. */ + case EOPNOTSUPP: + /* Authorize creation of a file with the device label. */ + ump = VFSTOUFS(tvp->v_mount); + error = mac_can(cnp->cn_cred, &ump->um_label, MAC_CREATE, 0); + if (error == 0) + break; + printf("ufs_mkdir: cannot assign MAC or use default\n"); + /* Falls through. */ + default: + printf("ufs_mkdir failed (%d)\n", error); + UFS_VFREE(tvp, ip->i_number, dmode); + vput(tvp); + return (error); + } +#endif /* !MAC */ #ifdef UFS_ACL if (acl != NULL) { /* @@ -2247,6 +2402,10 @@ register struct inode *ip, *pdir; struct direct newdir; struct vnode *tvp; +#ifdef MAC + struct ufsmount *ump; + struct mac label; +#endif #ifdef UFS_ACL struct acl *acl; #endif 
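Review bot: In ufs_getlabel the `switch` ends with `default:` immediately followed by `}`, which is not valid C (a label must be followed by a statement) and will not compile with MAC enabled; it should read `default: break;`. On `ENOENT`/`EOPNOTSUPP` the function substitutes the mount label and returns success, so on a file system without extended-attribute support every file silently reports the mounter's label — presumably intended, but worth stating in the comment, since callers cannot tell a stored label from the fallback. The `printf("Corrupted label\n")` would be more useful with the inode number, and `EIO` may describe a bad on-disk attribute better than `EPERM`, though fail-closed is the right choice either way.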
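Review bot: The MAC failure path in ufs_mkdir hand-rolls its cleanup (`UFS_VFREE`, `vput`, `return`) instead of taking the `bad:` label that the `UFS_UPDATE` failure two lines above uses, so whatever `bad:` releases — the `acl`/`dacl` allocations under UFS_ACL are the obvious candidates, though the label itself is outside the hunk — is skipped on this path. Prefer `goto bad;` with `error` already set, unless `bad:` does not free the inode, in which case the difference deserves a comment. The same pattern is repeated in the ufs_makeinode hunk below. Note also that a successful `mac_can(..., MAC_CREATE, 0)` leaves the new directory with no stored label and relies on ufs_getlabel's mount-label fallback; the comment should say so.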
@@ -2383,6 +2542,35 @@ error = UFS_UPDATE(tvp, !(DOINGSOFTDEP(tvp) | DOINGASYNC(tvp))); if (error) goto bad; +/* + * Set the MAC label for the newly created file. Attempt to set it using + * the credential of the writer; if this is not allowed, check to see if + * the writer has the same label as the default file system label. If neither + * succeeds, then fail closed. + */ +#ifdef MAC + mac_create_object(cnp->cn_cred, &label); + error = vn_extattr_set(tvp, IO_NODELOCKED, + FREEBSD_MAC_EXTATTR_NAMESPACE, FREEBSD_MAC_EXTATTR_NAME, + sizeof(label), (char *) &label, cnp->cn_thread); + switch (error) { + case 0: + break; + case ENOENT: /* XXX: should be ENOATTR. */ + case EOPNOTSUPP: + /* Authorize creation of a file with the device label. */ + ump = VFSTOUFS(tvp->v_mount); + error = mac_can(cnp->cn_cred, &ump->um_label, MAC_CREATE, 0); + if (error == 0) + break; + /* Falls through. */ + default: + printf("ufs_makeinode failed (%d)\n", error); + UFS_VFREE(tvp, ip->i_number, mode); + vput(tvp); + return (error); + } +#endif /* !MAC */ #ifdef UFS_ACL if (acl != NULL) { /* @@ -2558,6 +2746,9 @@ { &vop_close_desc, (vop_t *) ufs_close }, { &vop_create_desc, (vop_t *) ufs_create }, { &vop_getattr_desc, (vop_t *) ufs_getattr }, +#ifdef MAC + { &vop_getlabel_desc, (vop_t *) ufs_getlabel }, +#endif MAC { &vop_inactive_desc, (vop_t *) ufs_inactive }, { &vop_islocked_desc, (vop_t *) vop_stdislocked }, { &vop_link_desc, (vop_t *) ufs_link }, @@ -2578,6 +2769,9 @@ { &vop_rename_desc, (vop_t *) ufs_rename }, { &vop_rmdir_desc, (vop_t *) ufs_rmdir }, { &vop_setattr_desc, (vop_t *) ufs_setattr }, +#ifdef MAC + { &vop_setlabel_desc, (vop_t *) ufs_setlabel }, +#endif { &vop_strategy_desc, (vop_t *) ufs_strategy }, { &vop_symlink_desc, (vop_t *) ufs_symlink }, { &vop_unlock_desc, (vop_t *) vop_stdunlock }, 
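Review bot: The block comment above `#ifdef MAC` in ufs_makeinode is outdented to column 0 and sits outside the conditional, and it describes a check that "the writer has the same label as the default file system label", whereas the code asks `mac_can(cnp->cn_cred, &ump->um_label, MAC_CREATE, 0)` — an authorisation query, not an equality test. Move the comment inside `#ifdef MAC`, indent it with the code, and describe what is actually done: `/* Store the creator-derived label; if the file system cannot hold one, allow creation only if the creator may create under the mount label; otherwise fail closed. */`. The enclosing function starts outside the hunk.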
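Review bot: `#endif MAC` in the first vop-table hunk has a bare token after `#endif`, which standard C does not allow and compilers report as extra tokens; it should be `#endif /* MAC */`. The other vop-table hunks in this file use a bare `#endif`, so either form is consistent with them, but the trailing identifier is not.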
@@ -2599,6 +2793,9 @@ { &vop_access_desc, (vop_t *) ufs_access }, { &vop_close_desc, (vop_t *) ufsspec_close }, { &vop_getattr_desc, (vop_t *) ufs_getattr }, +#ifdef MAC + { &vop_getlabel_desc, (vop_t *) ufs_getlabel }, +#endif { &vop_inactive_desc, (vop_t *) ufs_inactive }, { &vop_islocked_desc, (vop_t *) vop_stdislocked }, { &vop_lock_desc, (vop_t *) vop_stdlock }, @@ -2606,6 +2803,9 @@ { &vop_read_desc, (vop_t *) ufsspec_read }, { &vop_reclaim_desc, (vop_t *) ufs_reclaim }, { &vop_setattr_desc, (vop_t *) ufs_setattr }, +#ifdef MAC + { &vop_setlabel_desc, (vop_t *) ufs_setlabel }, +#endif { &vop_unlock_desc, (vop_t *) vop_stdunlock }, { &vop_write_desc, (vop_t *) ufsspec_write }, #ifdef UFS_ACL @@ -2625,6 +2825,9 @@ { &vop_access_desc, (vop_t *) ufs_access }, { &vop_close_desc, (vop_t *) ufsfifo_close }, { &vop_getattr_desc, (vop_t *) ufs_getattr }, +#ifdef MAC + { &vop_getlabel_desc, (vop_t *) ufs_getlabel }, +#endif { &vop_inactive_desc, (vop_t *) ufs_inactive }, { &vop_islocked_desc, (vop_t *) vop_stdislocked }, { &vop_kqfilter_desc, (vop_t *) ufsfifo_kqfilter }, @@ -2633,6 +2836,9 @@ { &vop_read_desc, (vop_t *) ufsfifo_read }, { &vop_reclaim_desc, (vop_t *) ufs_reclaim }, { &vop_setattr_desc, (vop_t *) ufs_setattr }, +#ifdef MAC + { &vop_setlabel_desc, (vop_t *) ufs_setlabel }, +#endif { &vop_unlock_desc, (vop_t *) vop_stdunlock }, { &vop_write_desc, (vop_t *) ufsfifo_write }, #ifdef UFS_ACL Index: sys/ufs/ufs/ufsmount.h =================================================================== RCS file: /home/ncvs/src/sys/ufs/ufs/ufsmount.h,v retrieving revision 1.22 diff -u -r1.22 ufsmount.h --- sys/ufs/ufs/ufsmount.h 2001/09/12 08:38:11 1.22 +++ sys/ufs/ufs/ufsmount.h 2001/09/13 22:03:06 
@@ -77,6 +77,7 @@ struct vnode *um_quotas[MAXQUOTAS]; /* pointer to quota files */ struct ucred *um_cred[MAXQUOTAS]; /* quota file access cred */ struct ufs_extattr_per_mount um_extattr; /* extended attrs */ + struct mac um_label; /* immutable mounter label */ u_long um_nindir; /* indirect ptrs per block */ u_long um_bptrtodb; /* indir ptr to disk block */ u_long um_seqinc; /* inc between seq blocks */ Index: usr.bin/login/login.c =================================================================== RCS file: /home/ncvs/src/usr.bin/login/login.c,v retrieving revision 1.69 diff -u -r1.69 login.c --- usr.bin/login/login.c 2001/09/15 17:09:39 1.69 +++ usr.bin/login/login.c 2001/09/19 03:14:23 @@ -394,7 +394,13 @@ lc = login_getpwclass(pwd); quietlog = login_getcapbool(lc, "hushlogin", 0); +#if 0 /* + * XXX: The sete[ug]id code here is broken in the base system + * because it doesn't do setgroups(). It's even more broken + * with MAC. This test needs to happen further down, below + * the setusercontext call. + * * Switching needed for NFS with root access disabled. * * XXX: This change fails to modify the additional groups for the @@ -414,6 +420,7 @@ } (void)seteuid(euid); (void)setegid(egid); +#endif if (!quietlog) quietlog = access(_PATH_HUSHLOGIN, F_OK) == 0; 
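Review bot: The `#if 0`/`#endif` pair disables the seteuid/setegid switch and everything between it and the restoring `seteuid(euid)` with only an XXX comment, and the @@ -630 hunk re-adds a home-directory check under `#if 1`; both guards read as scaffolding, so either delete the disabled code (it remains in revision control) and drop the `#if 1`, or say in the comment what has to happen before the block comes back. Whatever was in the disabled region between the switch and the restore no longer runs at all, and the hunk does not show whether the re-added check below covers all of it. The enclosing function starts outside the hunk.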
@@ -630,6 +637,22 @@ syslog(LOG_ERR, "setusercontext() failed - exiting"); exit(1); } + +#if 1 + /* + * XXX: The home directory check should really go here, after + * credentials are appropriately configured. + */ + if (!*pwd->pw_dir || chdir(pwd->pw_dir) < 0) { + if (login_getcapbool(lc, "requirehome", 0)) + refused("Home directory not available", "HOMEDIR", 1); + if (chdir("/") < 0) + refused("Cannot find root directory", "ROOTDIR", 1); + if (!quietlog || *pwd->pw_dir) + printf("No home directory.\nLogging in with home = \"/\".\n"); + pwd->pw_dir = "/"; + } +#endif (void)setenv("SHELL", pwd->pw_shell, 1); (void)setenv("HOME", pwd->pw_dir, 1); Index: usr.bin/netstat/inet6.c =================================================================== RCS file: /home/ncvs/src/usr.bin/netstat/inet6.c,v retrieving revision 1.18 diff -u -r1.18 inet6.c --- usr.bin/netstat/inet6.c 2001/09/07 12:00:49 1.18 +++ usr.bin/netstat/inet6.c 2001/09/23 22:27:15 @@ -45,6 +45,7 @@ #include #include #include +#include #include #include #include Index: usr.bin/netstat/iso.c =================================================================== RCS file: /home/ncvs/src/usr.bin/netstat/iso.c,v retrieving revision 1.9 diff -u -r1.9 iso.c --- usr.bin/netstat/iso.c 2001/06/15 23:55:45 1.9 +++ usr.bin/netstat/iso.c 2001/09/23 22:51:28 @@ -66,6 +66,7 @@ */ #include +#include #include #include #include Index: usr.bin/netstat/mbuf.c =================================================================== RCS file: /home/ncvs/src/usr.bin/netstat/mbuf.c,v retrieving revision 1.29 diff -u -r1.29 mbuf.c --- usr.bin/netstat/mbuf.c 2001/09/30 01:58:37 1.29 +++ usr.bin/netstat/mbuf.c 2001/10/01 17:19:30 
@@ -40,6 +40,7 @@ #endif /* not lint */ #include +#include #include #include #include Index: usr.bin/netstat/mroute.c =================================================================== RCS file: /home/ncvs/src/usr.bin/netstat/mroute.c,v retrieving revision 1.18 diff -u -r1.18 mroute.c --- usr.bin/netstat/mroute.c 2001/09/07 12:59:30 1.18 +++ usr.bin/netstat/mroute.c 2001/09/23 22:51:39 @@ -54,6 +54,7 @@ #include #include #include +#include #include #include Index: usr.bin/netstat/ns.c =================================================================== RCS file: /home/ncvs/src/usr.bin/netstat/ns.c,v retrieving revision 1.5 diff -u -r1.5 ns.c --- usr.bin/netstat/ns.c 2001/06/15 23:55:45 1.5 +++ usr.bin/netstat/ns.c 2001/09/23 22:51:47 @@ -42,6 +42,7 @@ #include #include #include +#include #include #include Index: usr.bin/netstat/unix.c =================================================================== RCS file: /home/ncvs/src/usr.bin/netstat/unix.c,v retrieving revision 1.16 diff -u -r1.16 unix.c --- usr.bin/netstat/unix.c 2001/06/15 23:35:13 1.16 +++ usr.bin/netstat/unix.c 2001/09/23 22:51:57 @@ -47,6 +47,7 @@ #include #include #include +#include #include #include #include Index: usr.bin/passwd/Makefile =================================================================== RCS file: /home/ncvs/src/usr.bin/passwd/Makefile,v retrieving revision 1.42 diff -u -r1.42 Makefile --- usr.bin/passwd/Makefile 2001/09/13 06:48:17 1.42 +++ usr.bin/passwd/Makefile 2001/09/24 02:11:54 @@ -44,6 +44,9 @@ -I${.CURDIR}/../../usr.sbin/rpc.yppasswdd \ -Dyp_error=warnx -DLOGGING +.if defined(MAC) +CFLAGS+=-DMAC +.endif .endif CLEANFILES= ${GENSRCS} Index: usr.bin/passwd/local_passwd.c =================================================================== RCS file: /home/ncvs/src/usr.bin/passwd/local_passwd.c,v retrieving revision 1.27 diff -u -r1.27 local_passwd.c --- usr.bin/passwd/local_passwd.c 2001/03/11 16:37:30 1.27 +++ usr.bin/passwd/local_passwd.c 2001/05/31 14:50:00 
@@ -39,6 +39,9 @@ #include #include +#ifdef MAC +#include +#endif #include #include @@ -70,6 +73,9 @@ #include "extern.h" static uid_t uid; +#ifdef MAC +static mac_t label; +#endif int randinit; char *tempname; @@ -208,6 +214,13 @@ uid = getuid(); if (uid && uid != pw->pw_uid) errx(1, "%s", strerror(EACCES)); +#ifdef MAC + label = mac_get_proc(); + if (label == NULL) + err(1, "mac_get_proc"); + if (mac_set_proc(&mac_userland_system_high_label) == -1) + err(1, "mac_set_proc"); +#endif pw_init(); Index: usr.bin/systat/mbufs.c =================================================================== RCS file: /home/ncvs/src/usr.bin/systat/mbufs.c,v retrieving revision 1.15 diff -u -r1.15 mbufs.c --- usr.bin/systat/mbufs.c 2001/09/30 01:58:39 1.15 +++ usr.bin/systat/mbufs.c 2001/10/01 17:19:42 @@ -39,6 +39,7 @@ #include #include +#include #include #include Index: usr.sbin/Makefile =================================================================== RCS file: /home/ncvs/src/usr.sbin/Makefile,v retrieving revision 1.209 diff -u -r1.209 Makefile --- usr.sbin/Makefile 2001/09/11 01:13:15 1.209 +++ usr.sbin/Makefile 2001/09/19 02:44:58 @@ -34,6 +34,8 @@ fdread \ fdwrite \ getextattr \ + getfmac \ + getpmac \ gifconfig \ ifmcstat \ inetd \ @@ -100,7 +102,9 @@ rwhod \ sa \ setextattr \ + setfmac \ setkey \ + setpmac \ sliplogin \ slstat \ spray \ Index: usr.sbin/getfmac/Makefile =================================================================== RCS file: Makefile diff -N Makefile --- /dev/null Tue Oct 16 15:55:02 2001 +++ Makefile Sun Sep 23 22:12:26 2001 @@ -0,0 +1,5 @@ +PROG= getfmac +SRCS= getfmac.c +CFLAGS+=-Wall +NOMAN=yes +.include Index: usr.sbin/getfmac/getfmac.c =================================================================== RCS file: getfmac.c diff -N getfmac.c --- /dev/null Tue Oct 16 15:55:02 2001 +++ getfmac.c Sun Nov 19 17:56:36 2000 
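Review bot: The hunk saves the caller's label into the file-static `label` before raising the process to `mac_userland_system_high_label`, but nothing visible restores or frees it, so the process keeps the elevated label for the rest of its run — and anything it spawns inherits it — while `label` is dead state. Either restore it with `mac_set_proc(label)` once the password database work is done and `mac_free(label)` it, or drop the save and say in a comment why the elevation is meant to be permanent. The enclosing function starts outside the hunk.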
@@ -0,0 +1,34 @@ +#include +#include + +#include + +int +main(int argc, char *argv[]) +{ + mac_t label; + char *string; + int i, had_error = 0; + + if (argc < 2) { + fprintf(stderr, "getfmac [file ...]\n"); + return (-1); + } + + for (i = 1; i < argc; i++) { + label = mac_get_file(argv[i]); + if (label == NULL) { + perror(argv[i]); + had_error = -1; + } else { + string = mac_to_text(label, NULL); + if (string == NULL) { + perror(argv[i]); + had_error = -1; + } else + printf("%s: %s\n", argv[i], string); + } + } + + return (had_error); +} Index: usr.sbin/getpmac/Makefile =================================================================== RCS file: Makefile diff -N Makefile --- /dev/null Tue Oct 16 15:55:02 2001 +++ Makefile Sun Sep 23 22:12:28 2001 @@ -0,0 +1,5 @@ +PROG= getpmac +SRCS= getpmac.c +CFLAGS+=-Wall +NOMAN=yes +.include Index: usr.sbin/getpmac/getpmac.c =================================================================== RCS file: getpmac.c diff -N getpmac.c --- /dev/null Tue Oct 16 15:55:02 2001 +++ getpmac.c Sun Nov 19 17:56:36 2000 @@ -0,0 +1,28 @@ +#include +#include + +#include + +int +main(int argc, char *argv[]) +{ + struct mac label; + char *buf; + int error; + + error = __mac_get_proc(&label); + if (error) { + perror("mac_get_proc"); + return (-1); + } + + buf = mac_to_text(&label, NULL); + if (buf == NULL) { + perror("mac_to_text"); + return (-1); + } + + printf("%s\n", buf); + + return (0); +} Index: usr.sbin/i4b/ispppcontrol/ispppcontrol.c =================================================================== RCS file: /home/ncvs/src/usr.sbin/i4b/ispppcontrol/ispppcontrol.c,v retrieving revision 1.1 diff -u -r1.1 ispppcontrol.c --- usr.sbin/i4b/ispppcontrol/ispppcontrol.c 2000/10/09 14:22:50 1.1 +++ usr.sbin/i4b/ispppcontrol/ispppcontrol.c 2001/09/24 15:27:58 
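Review bot: getfmac's `main` returns -1, which the shell sees as exit status 255; use `1` (or `EXIT_FAILURE`) on the usage and error paths, and `had_error` can then simply be set to `1`. Each iteration leaks the `label` returned by `mac_get_file` and the `string` from `mac_to_text` — `mac_free(label)` is used by setpmac in this same diff, and `mac_to_text(label, NULL)` presumably allocates — so add `mac_free(label); free(string);` at the end of the loop body (guarding `string` on the failure branch). The usage string `getfmac [file ...]` brackets an argument the code requires; `getfmac file ...` is accurate.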
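Review bot: getpmac calls the raw system call `__mac_get_proc(&label)` on a stack `struct mac`, while getfmac and local_passwd.c in this same diff use the library wrapper `mac_get_proc()` returning a `mac_t`; the tools should agree on one API, and `perror("mac_get_proc")` names the wrapper that is not called. As in getfmac, `return (-1)` yields exit status 255 and `buf` from `mac_to_text` is never freed. Suggest `label = mac_get_proc(); if (label == NULL) { perror("mac_get_proc"); return (1); }` with `mac_free(label)` and `free(buf)` before the final return.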
@@ -42,7 +42,6 @@ #include #include #include -#include #include #include #include Index: usr.sbin/setfmac/Makefile =================================================================== RCS file: Makefile diff -N Makefile --- /dev/null Tue Oct 16 15:55:02 2001 +++ Makefile Sun Sep 23 22:12:46 2001 @@ -0,0 +1,5 @@ +PROG= setfmac +SRCS= setfmac.c +CFLAGS+=-Wall +NOMAN=yes +.include Index: usr.sbin/setfmac/setfmac.c =================================================================== RCS file: setfmac.c diff -N setfmac.c --- /dev/null Tue Oct 16 15:55:02 2001 +++ setfmac.c Sun Nov 19 17:56:36 2000 @@ -0,0 +1,30 @@ +#include +#include + +#include + +int +main(int argc, char *argv[]) +{ + mac_t label; + int i, had_error = 0; + + if (argc < 3) { + fprintf(stderr, "setfmac [label] [file ...]\n"); + return (-1); + } + + label = mac_from_text(argv[1]); + if (label == NULL) { + perror("mac_from_text"); + return (-1); + } + + for (i = 2; i < argc; i++) + if (mac_set_file(argv[i], label) != 0) { + perror(argv[i]); + had_error = -1; + } + + return (had_error); +} Index: usr.sbin/setpmac/Makefile =================================================================== RCS file: Makefile diff -N Makefile --- /dev/null Tue Oct 16 15:55:02 2001 +++ Makefile Sun Sep 23 22:12:48 2001 @@ -0,0 +1,5 @@ +PROG= setpmac +SRCS= setpmac.c +CFLAGS+=-Wall +NOMAN=yes +.include Index: usr.sbin/setpmac/setpmac.c =================================================================== RCS file: setpmac.c diff -N setpmac.c --- /dev/null Tue Oct 16 15:55:02 2001 +++ setpmac.c Sun Nov 19 17:56:36 2000 
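Review bot: setfmac never releases the label from `mac_from_text` — `mac_free(label);` before the final return would match setpmac's handling in this diff — and `return (-1)` gives exit status 255 rather than 1. The usage string `setfmac [label] [file ...]` brackets both mandatory arguments; `setfmac label file ...` says what the `argc < 3` check enforces. Per-file failures are reported and do not abort the loop, which is the right behaviour for a bulk relabelling tool.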
@@ -0,0 +1,41 @@ +#include +#include + +#include +#include + +extern char *environ[]; + +int +main(int argc, char *argv[]) +{ + struct mac *label; + int error; + + if (argc < 3) { + fprintf(stderr, "setpmac [label] [binary] [args...]\n"); + return (-1); + } + + label = mac_from_text(argv[1]); + if (label == NULL) { + perror("mac_from_text"); + return (-1); + } + + error = __mac_set_proc(label); + if (error) { + perror("mac_set_proc"); + return (-1); + } + + mac_free(label); + + error = execve(argv[2], argv + 2, environ); + if (error) { + perror(argv[2]); + return (-1); + } + + return (0); +}
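Review bot: `extern char *environ[];` declares `environ` as an array, but the C library defines it as a pointer (`char **environ`), so the declaration does not match the object's real type; use `extern char **environ;`. `execve` only returns on failure, so the `error` variable and the trailing `return (0);` are dead — `execve(argv[2], argv + 2, environ); perror(argv[2]); return (1);` is the idiomatic shape — and, as in the other new tools, `-1` from main becomes exit status 255. Because the label change precedes `execve`, the target program runs entirely under the new label; a one-line comment saying so would help readers of the tool.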