Centralize definition of MAC_VERSION in mac_policy.h, as it defines the

kernel<->policy ABI version. Add a comment to the definition describing it and listing known versions. Modify MAC_POLICY_SET() to reference the current kernel version by name rather than by number. Staticize mac_late, which is used only in mac_framework.c. Obtained from: TrustedBSD Project
2006-12-28 21:48:38 +00:00 · 2006-12-28 21:48:38 +00:00 · d4e941ae59
commit d4e941ae59
parent 8a59ab518d
3 changed files with 19 additions and 6 deletions
--- a/sys/security/mac/mac_framework.c
+++ b/sys/security/mac/mac_framework.c
@ -90,10 +90,9 @@ SYSCTL_NODE(_security, OID_AUTO, mac, CTLFLAG_RW, 0,
 * This permits modules to refuse to be loaded if the necessary support isn't
 * present, even if it's pre-boot.
 */
-#define	MAC_VERSION	3
-static unsigned int	mac_version = MAC_VERSION;
-
 MODULE_VERSION(kernel_mac_support, MAC_VERSION);
+
+static unsigned int	mac_version = MAC_VERSION;
 SYSCTL_UINT(_security_mac, OID_AUTO, version, CTLFLAG_RD, &mac_version, 0,
    "");

@ -121,7 +120,7 @@ SYSCTL_UINT(_security_mac, OID_AUTO, max_slots, CTLFLAG_RD, &mac_max_slots,
 * access to this variable is serialized during the boot process.  Following
 * the end of serialization, we don't update this flag; no locking.
 */
-int	mac_late = 0;
+static int	mac_late = 0;

 /*
 * Flag to indicate whether or not we should allocate label storage for new
--- a/sys/security/mac/mac_internal.h
+++ b/sys/security/mac/mac_internal.h
@ -60,7 +60,6 @@ MALLOC_DECLARE(M_MACTEMP);
 */
 extern struct mac_policy_list_head	mac_policy_list;
 extern struct mac_policy_list_head	mac_static_policy_list;
-extern int				mac_late;
 #ifndef MAC_ALWAYS_LABEL_MBUF
 extern int				mac_labelmbufs;
 #endif
--- a/sys/security/mac/mac_policy.h
+++ b/sys/security/mac/mac_policy.h
@ -926,6 +926,20 @@ struct mac_policy_conf {
 /* Flags for the mpc_runtime_flags field. */
 #define	MPC_RUNTIME_FLAG_REGISTERED	0x00000001

+/*-
+ * The TrustedBSD MAC Framework has a major version number, MAC_VERSION,
+ * which defines the ABI of the Framework present in the kernel (and depended
+ * on by policy modules compiled against that kernel).  Currently,
+ * MAC_POLICY_SET() requires that the kernel and module ABI version numbers
+ * exactly match.  The following major versions have been defined to date:
+ *
+ *   MAC version             FreeBSD versions
+ *   1                       5.x
+ *   2                       6.x
+ *   3                       7.x
+ */
+#define	MAC_VERSION	3
+
 #define	MAC_POLICY_SET(mpops, mpname, mpfullname, mpflags, privdata_wanted) \
 	static struct mac_policy_conf mpname##_mac_policy_conf = {	\
 		#mpname,						\
@ -940,7 +954,8 @@ struct mac_policy_conf {
 		mac_policy_modevent,					\
 		&mpname##_mac_policy_conf				\
 	};								\
-	MODULE_DEPEND(mpname, kernel_mac_support, 3, 3, 3);		\
+	MODULE_DEPEND(mpname, kernel_mac_support, MAC_VERSION,		\
+	    MAC_VERSION, MAC_VERSION);					\
 	DECLARE_MODULE(mpname, mpname##_mod, SI_SUB_MAC_POLICY,		\
 	    SI_ORDER_MIDDLE)