Lines Matching full:rules
45 &print_parse_error, 0, "Print parse errors on setting rules "
48 static MALLOC_DEFINE(M_DO, "do_rule", "Rules for mac_do");
78 * required for parsing rules specification strings.
168 struct rules {
316 toast_rules(struct rules *const rules)
318 struct rulehead *const head = &rules->head;
326 free(rules, M_DO);
329 static struct rules *
332 struct rules *const rules = malloc(sizeof(*rules), M_DO, M_WAITOK);
335 rules->string[0] = 0;
336 STAILQ_INIT(&rules->head);
337 rules->use_count = 0;
338 return (rules);
861 parse_single_rule(char *rule, struct rules *const rules,
876 /* Freed when the 'struct rules' container is freed. */
890 "the \"from\" part of rules.");
968 STAILQ_INSERT_TAIL(&rules->head, new, r_entries);
984 * Parse rules specification and produce rule structures out of it.
987 * representing the rules. On error, the returned value is non-zero and
994 * Expected format: A semi-colon-separated list of rules of the form
999 * rules are allowed (and do nothing), and spaces and tabs are allowed (and
1009 parse_rules(const char *const string, struct rules **const rulesp,
1014 struct rules *rules;
1026 rules = alloc_rules();
1027 bcopy(string, rules->string, len + 1);
1028 MPASS(rules->string[len] == '\0'); /* Catch some races. */
1038 error = parse_single_rule(rule, rules, parse_error);
1041 toast_rules(rules);
1046 *rulesp = rules;
1053 * Find rules applicable to the passed prison.
1055 * Returns the applicable rules (and never NULL). 'pr' must be unlocked.
1057 * once the caller is done accessing the rules. '*aprp' is equal to 'pr' if and
1058 * only if the current jail has its own set of rules.
1060 static struct rules *
1064 struct rules *rules;
1069 rules = osd_jail_get(cpr, osd_jail_slot);
1070 if (rules != NULL)
1075 MPASS(ppr != NULL); /* prison0 always has rules. */
1080 return (rules);
1084 hold_rules(struct rules *const rules)
1086 refcount_acquire(&rules->use_count);
1090 drop_rules(struct rules *const rules)
1092 if (refcount_release(&rules->use_count))
1093 toast_rules(rules);
1098 check_rules_use_count(const struct rules *const rules, u_int expected)
1100 const u_int use_count = refcount_load(&rules->use_count);
1103 panic("MAC/do: Rules at %p: Use count is %u, expected %u",
1104 rules, use_count, expected);
1119 struct rules *const rules = value;
1123 * using the rules but us at this point because no threads of that jail
1129 * where the rules' reference count has been bumped to keep them alive
1130 * even if the rules on the "holding" jail has been concurrently
1135 check_rules_use_count(rules, 1);
1136 toast_rules(rules);
1140 * Remove the rules specifically associated to a prison.
1142 * In practice, this means that the rules become inherited (from the closest
1150 struct rules *old_rules;
1155 * We go to the burden of extracting rules first instead of just letting
1175 * Assign already built rules to a jail.
1178 set_rules(struct prison *const pr, struct rules *const rules)
1180 struct rules *old_rules;
1183 check_rules_use_count(rules, 0);
1184 hold_rules(rules);
1189 osd_jail_set_reserved(pr, osd_jail_slot, rsv, rules);
1196 * Assigns empty rules to a jail.
1201 struct rules *const rules = alloc_rules();
1203 set_rules(pr, rules);
1207 * Parse a rules specification and assign them to a jail.
1215 struct rules *rules;
1218 error = parse_rules(rules_string, &rules, parse_error);
1221 set_rules(pr, rules);
1231 struct rules *rules;
1235 rules = find_rules(td_pr, &pr);
1236 strlcpy(buf, rules->string, MAC_RULE_STRING_LEN);
1243 /* Set our prison's rules, not that of the jail we inherited from. */
1256 SYSCTL_PROC(_security_mac_do, OID_AUTO, rules,
1259 "Rules");
1263 SYSCTL_JAIL_PARAM_STRING(_mac_do, rules, CTLFLAG_RW, MAC_RULE_STRING_LEN,
1264 "Jail MAC/do rules");
1281 struct rules *rules;
1284 rules = find_rules(pr, &ppr);
1287 (STAILQ_EMPTY(&rules->head) ? JAIL_SYS_DISABLE : JAIL_SYS_NEW) :
1293 error = vfs_setopts(opts, "mac.do.rules", rules->string);
1311 * We perform only cheap checks here, i.e., we do not really parse the rules
1338 error = vfs_getopt(opts, "mac.do.rules", (void**)&rules_string, &size);
1341 * Default (in absence of "mac.do.rules") is to disable (and, in
1348 vfs_opterror(opts, "'mac.do.rules' must be specified "
1353 /* Absence of "mac.do.rules" at this point is OK. */
1361 vfs_opterror(opts, "'mac.do.rules' not a proper string");
1366 vfs_opterror(opts, "'mdo.rules' too long");
1371 /* Default (if "mac.do.rules" is present). */
1377 * with an explicit empty rules specification.
1383 vfs_opterror(opts, "'mac.do.rules' specified "
1413 rules_string = vfs_getopts(opts, "mac.do.rules", &error);
1418 /* Default (if "mac.do.rules" is present). */
1430 * Default (in absence of "mac.do.rules") is to disable
1493 /* Rules to apply. */
1494 struct rules *rules;
1506 * a call to setcred() is in progress by storing the rules per-thread
1537 drop_rules(hdr->rules);
1559 struct rules *const rules)
1568 hdr->rules = rules;
1934 const struct rules *rules;
1951 rules = data->hdr.rules;
1960 * we are actually going to check. Currently, this rules out the
1971 * Browse rules, and for those that match the requestor, call specific
1975 STAILQ_FOREACH(rule, &rules->head, r_entries)
2015 struct rules *rules;
2037 * Find the currently applicable rules.
2039 rules = find_rules(curproc->p_ucred->cr_prison, &pr);
2040 hold_rules(rules);
2049 set_data_header(data, sizeof(*data), PRIV_CRED_SETCRED, rules);