Browse Source

Finish the renaming of secfw to secadm

github-issue: #2
master
Shawn Webb 5 years ago
parent
commit
1d1f00b96d
No known key found for this signature in database
20 changed files with 335 additions and 335 deletions
  1. +1
    -1
      .gitignore
  2. +2
    -2
      Makefile
  3. +3
    -3
      kmod/Makefile
  4. +57
    -57
      kmod/secadm.c
  5. +14
    -14
      kmod/secadm_mac.c
  6. +33
    -33
      kmod/secadm_sysctl.c
  7. +7
    -7
      kmod/secadm_vnode.c
  8. +3
    -3
      libsecadm/Makefile
  9. +61
    -61
      libsecadm/libsecadm.c
  10. +13
    -13
      libsecadm/libsecadm.h
  11. +2
    -2
      libsecadm/rules.c
  12. +87
    -87
      libsecadm/secadm.h
  13. +13
    -0
      secadm/Makefile
  14. +13
    -13
      secadm/config.c
  15. +0
    -0
      secadm/config.conf.sample
  16. +3
    -3
      secadm/kld.c
  17. +13
    -13
      secadm/secadm.c
  18. +10
    -0
      secadm/secadm_internal.h
  19. +0
    -13
      secfw/Makefile
  20. +0
    -10
      secfw/secfw_internal.h

+ 1
- 1
.gitignore View File

@@ -6,5 +6,5 @@
*.So*
*.un~
*.conf
secfw/secfw
secadm/secadm
kmod/vnode_if*

+ 2
- 2
Makefile View File

@@ -1,5 +1,5 @@
SUBDIR+= kmod \
libsecfw \
secfw
libsecadm \
secadm

.include <bsd.subdir.mk>

+ 3
- 3
kmod/Makefile View File

@@ -1,6 +1,6 @@
KMOD= secfw
SRCS= secfw.c secfw_mac.c secfw_vnode.c secfw_sysctl.c vnode_if.h
KMOD= secadm
SRCS= secadm.c secadm_mac.c secadm_vnode.c secadm_sysctl.c vnode_if.h

CFLAGS+= -g -O0 -I../libsecfw
CFLAGS+= -g -O0 -I../libsecadm

.include <bsd.kmod.mk>

kmod/secfw.c → kmod/secadm.c View File

@@ -43,16 +43,16 @@

#include <security/mac/mac_policy.h>

#include "secfw.h"
#include "secadm.h"

MALLOC_DEFINE(M_SECFW, "secfw", "secfw rule data");
MALLOC_DEFINE(M_SECADM, "secadm", "secadm rule data");

secfw_kernel_t kernel_data;
secadm_kernel_t kernel_data;

secfw_prison_list_t *
secadm_prison_list_t *
get_prison_list_entry(const char *name, int create)
{
secfw_prison_list_t *list, *entry;
secadm_prison_list_t *list, *entry;
struct rm_priotracker tracker;

rm_rlock(&(kernel_data.skd_prisons_lock), &tracker);
@@ -67,10 +67,10 @@ get_prison_list_entry(const char *name, int create)
rm_runlock(&(kernel_data.skd_prisons_lock), &tracker);

if (create) {
list = malloc(sizeof(secfw_prison_list_t), M_SECFW, M_WAITOK | M_ZERO);
list = malloc(sizeof(secadm_prison_list_t), M_SECADM, M_WAITOK | M_ZERO);

rm_init(&(list->spl_lock), "secfw per-prison lock");
list->spl_prison = malloc(strlen(name)+1, M_SECFW, M_WAITOK | M_ZERO);
rm_init(&(list->spl_lock), "secadm per-prison lock");
list->spl_prison = malloc(strlen(name)+1, M_SECADM, M_WAITOK | M_ZERO);
strlcpy(list->spl_prison, name, strlen(name)+1);

rm_wlock(&(kernel_data.skd_prisons_lock));
@@ -92,7 +92,7 @@ get_prison_list_entry(const char *name, int create)
}

int
validate_rule(struct thread *td, secfw_rule_t *head, secfw_rule_t *rule)
validate_rule(struct thread *td, secadm_rule_t *head, secadm_rule_t *rule)
{
KASSERT(rule != NULL, ("validate_rule: rule cannot be null!"));

@@ -103,39 +103,39 @@ validate_rule(struct thread *td, secfw_rule_t *head, secfw_rule_t *rule)
}

void
free_rule(secfw_rule_t *rule, int freerule)
free_rule(secadm_rule_t *rule, int freerule)
{
size_t i;
if (rule->sr_path)
free(rule->sr_path, M_SECFW);
free(rule->sr_path, M_SECADM);

for (i=0; i < rule->sr_nfeatures; i++)
if (rule->sr_features[i].metadata)
free(rule->sr_features[i].metadata, M_SECFW);
free(rule->sr_features[i].metadata, M_SECADM);

if (rule->sr_features)
free(rule->sr_features, M_SECFW);
free(rule->sr_features, M_SECADM);

free(rule->sr_prison, M_SECFW);
free(rule->sr_kernel, M_SECFW);
free(rule->sr_prison, M_SECADM);
free(rule->sr_kernel, M_SECADM);

if (freerule)
free(rule, M_SECFW);
free(rule, M_SECADM);
}

secfw_rule_t *
secadm_rule_t *
get_first_rule(struct thread *td)
{

return (get_first_prison_rule(td->td_ucred->cr_prison));
}

secfw_rule_t *
secadm_rule_t *
get_first_prison_rule(struct prison *pr)
{
secfw_prison_list_t *list;
secfw_rule_t *rule=NULL;
secadm_prison_list_t *list;
secadm_rule_t *rule=NULL;
struct rm_priotracker prisons_tracker, rule_tracker;

rm_rlock(&(kernel_data.skd_prisons_lock), &prisons_tracker);
@@ -156,9 +156,9 @@ get_first_prison_rule(struct prison *pr)
}

void
cleanup_jail_rules(secfw_prison_list_t *list)
cleanup_jail_rules(secadm_prison_list_t *list)
{
secfw_rule_t *rule, *next;
secadm_rule_t *rule, *next;

rm_wlock(&(list->spl_lock));

@@ -181,15 +181,15 @@ cleanup_jail_rules(secfw_prison_list_t *list)

rm_destroy(&(list->spl_lock));

free(list->spl_prison, M_SECFW);
free(list, M_SECFW);
free(list->spl_prison, M_SECADM);
free(list, M_SECADM);
}

void
flush_rules(struct thread *td)
{
secfw_prison_list_t *list;
secfw_rule_t *rule, *next;
secadm_prison_list_t *list;
secadm_rule_t *rule, *next;

list = get_prison_list_entry(td->td_ucred->cr_prison->pr_name, 0);
if (list == NULL)
@@ -212,29 +212,29 @@ flush_rules(struct thread *td)
/* XXX This is more of a PoC. This needs to be cleaned up for
* production use */
int
read_rule_from_userland(struct thread *td, secfw_rule_t *rule)
read_rule_from_userland(struct thread *td, secadm_rule_t *rule)
{
secfw_feature_t *features;
secfw_kernel_metadata_t *kernel_metadata;
secadm_feature_t *features;
secadm_kernel_metadata_t *kernel_metadata;
size_t i;
int err = 0;
char *path;

if (rule->sr_features == NULL || rule->sr_nfeatures == 0
|| rule->sr_nfeatures > SECFW_MAX_FEATURES) {
|| rule->sr_nfeatures > SECADM_MAX_FEATURES) {
return (-1);
}

if (rule->sr_pathlen > MNAMELEN)
return (-1);

features = malloc(sizeof(secfw_feature_t) *
rule->sr_nfeatures, M_SECFW, M_WAITOK);
features = malloc(sizeof(secadm_feature_t) *
rule->sr_nfeatures, M_SECADM, M_WAITOK);

err = copyin(rule->sr_features, features,
sizeof(secfw_feature_t) * rule->sr_nfeatures);
sizeof(secadm_feature_t) * rule->sr_nfeatures);
if (err) {
free(features, M_SECFW);
free(features, M_SECADM);
return (-1);
}

@@ -247,7 +247,7 @@ read_rule_from_userland(struct thread *td, secfw_rule_t *rule)
rule->sr_features = features;

if (rule->sr_path && rule->sr_pathlen) {
path = malloc(rule->sr_pathlen+1, M_SECFW, M_WAITOK | M_ZERO);
path = malloc(rule->sr_pathlen+1, M_SECADM, M_WAITOK | M_ZERO);
err = copyin(rule->sr_path, path, rule->sr_pathlen);
if (err) {
rule->sr_path = NULL;
@@ -261,11 +261,11 @@ read_rule_from_userland(struct thread *td, secfw_rule_t *rule)
rule->sr_pathlen = 0;
}

kernel_metadata = malloc(sizeof(secfw_kernel_metadata_t), M_SECFW, M_WAITOK);
kernel_metadata = malloc(sizeof(secadm_kernel_metadata_t), M_SECADM, M_WAITOK);
kernel_metadata->skm_owner = td->td_ucred->cr_prison;
rule->sr_kernel = kernel_metadata;
rule->sr_prison = malloc(strlen(kernel_metadata->skm_owner->pr_name)+1,
M_SECFW, M_WAITOK | M_ZERO);
M_SECADM, M_WAITOK | M_ZERO);
strcpy(rule->sr_prison, kernel_metadata->skm_owner->pr_name);

#if 0
@@ -278,10 +278,10 @@ read_rule_from_userland(struct thread *td, secfw_rule_t *rule)
return 0;
}

secfw_rule_t
secadm_rule_t
*get_rule_by_id(struct thread *td, size_t id)
{
secfw_rule_t *rule;
secadm_rule_t *rule;

rule = get_first_rule(td);
if (rule == NULL)
@@ -297,7 +297,7 @@ secfw_rule_t
size_t
get_rule_size(struct thread *td, size_t id)
{
secfw_rule_t *rule;
secadm_rule_t *rule;
size_t size, i;

size = 0;
@@ -305,9 +305,9 @@ get_rule_size(struct thread *td, size_t id)
if (rule == NULL)
goto end;

size += sizeof(secfw_rule_t);
size += sizeof(secadm_rule_t);
size += rule->sr_pathlen+1;
size += sizeof(secfw_feature_t) * rule->sr_nfeatures;
size += sizeof(secadm_feature_t) * rule->sr_nfeatures;
size += strlen(rule->sr_prison)+1;

for (i=0; i < rule->sr_nfeatures; i++)
@@ -318,7 +318,7 @@ end:
}

int
handle_get_rule_size(struct thread *td, secfw_command_t *cmd, secfw_reply_t *reply)
handle_get_rule_size(struct thread *td, secadm_command_t *cmd, secadm_reply_t *reply)
{
size_t id, size;
int err;
@@ -338,9 +338,9 @@ handle_get_rule_size(struct thread *td, secfw_command_t *cmd, secfw_reply_t *rep
}

int
get_num_rules(struct thread *td, secfw_command_t *cmd, secfw_reply_t *reply)
get_num_rules(struct thread *td, secadm_command_t *cmd, secadm_reply_t *reply)
{
secfw_prison_list_t *list;
secadm_prison_list_t *list;
size_t nrules;
int err;

@@ -357,10 +357,10 @@ get_num_rules(struct thread *td, secfw_command_t *cmd, secfw_reply_t *reply)
}

int
handle_get_rule(struct thread *td, secfw_command_t *cmd, secfw_reply_t *reply)
handle_get_rule(struct thread *td, secadm_command_t *cmd, secadm_reply_t *reply)
{
secfw_rule_t *rule, *newrule;
secfw_feature_t *newrule_features;
secadm_rule_t *rule, *newrule;
secadm_feature_t *newrule_features;
size_t id, size, written, i;
char *buf, *path;
int err;
@@ -387,22 +387,22 @@ handle_get_rule(struct thread *td, secfw_command_t *cmd, secfw_reply_t *reply)
return (EOVERFLOW);

written=0;
buf = malloc(size, M_SECFW, M_WAITOK);
buf = malloc(size, M_SECADM, M_WAITOK);

memcpy(buf, rule, sizeof(secfw_rule_t));
newrule = (secfw_rule_t *)buf;
written += sizeof(secfw_rule_t);
memcpy(buf, rule, sizeof(secadm_rule_t));
newrule = (secadm_rule_t *)buf;
written += sizeof(secadm_rule_t);

/* Sanitize sensitive data */
newrule->sr_next = NULL;
newrule->sr_kernel = NULL;

newrule->sr_features = (secfw_feature_t *)(buf+written);
newrule_features = (secfw_feature_t *)((char *)(reply->sr_metadata) + written);
written += sizeof(secfw_feature_t) * rule->sr_nfeatures;
newrule->sr_features = (secadm_feature_t *)(buf+written);
newrule_features = (secadm_feature_t *)((char *)(reply->sr_metadata) + written);
written += sizeof(secadm_feature_t) * rule->sr_nfeatures;

for (i=0; i < rule->sr_nfeatures; i++)
memcpy(&(newrule->sr_features[i]), &rule->sr_features[i], sizeof(secfw_feature_t));
memcpy(&(newrule->sr_features[i]), &rule->sr_features[i], sizeof(secadm_feature_t));

newrule->sr_features = newrule_features;

@@ -419,7 +419,7 @@ handle_get_rule(struct thread *td, secfw_command_t *cmd, secfw_reply_t *reply)

copyout(newrule, reply->sr_metadata, size);

free(buf, M_SECFW);
free(buf, M_SECADM);

return 0;
}

kmod/secfw_mac.c → kmod/secadm_mac.c View File

@@ -43,19 +43,19 @@

#include <security/mac/mac_policy.h>

#include "secfw.h"
#include "secadm.h"

static void
secfw_init(struct mac_policy_conf *mpc)
secadm_init(struct mac_policy_conf *mpc)
{

memset(&kernel_data, 0x00, sizeof(secfw_kernel_t));
memset(&kernel_data, 0x00, sizeof(secadm_kernel_t));

rm_init(&(kernel_data.skd_prisons_lock), "Main secfw lock");
rm_init(&(kernel_data.skd_prisons_lock), "Main secadm lock");
}

static void
secfw_destroy(struct mac_policy_conf *mpc)
secadm_destroy(struct mac_policy_conf *mpc)
{

rm_wlock(&(kernel_data.skd_prisons_lock));
@@ -70,9 +70,9 @@ secfw_destroy(struct mac_policy_conf *mpc)
}

static void
secfw_jail_destroy(struct prison *pr)
secadm_jail_destroy(struct prison *pr)
{
secfw_prison_list_t *list;
secadm_prison_list_t *list;

list = get_prison_list_entry(pr->pr_name, 0);

@@ -83,14 +83,14 @@ secfw_jail_destroy(struct prison *pr)
}
}

static struct mac_policy_ops secfw_ops =
static struct mac_policy_ops secadm_ops =
{
.mpo_destroy = secfw_destroy,
.mpo_init = secfw_init,
.mpo_vnode_check_exec = secfw_vnode_check_exec,
.mpo_vnode_check_unlink = secfw_vnode_check_unlink,
.mpo_prison_destroy = secfw_jail_destroy
.mpo_destroy = secadm_destroy,
.mpo_init = secadm_init,
.mpo_vnode_check_exec = secadm_vnode_check_exec,
.mpo_vnode_check_unlink = secadm_vnode_check_unlink,
.mpo_prison_destroy = secadm_jail_destroy
};

MAC_POLICY_SET(&secfw_ops, secfw, "HardenedBSD Security Firewall",
MAC_POLICY_SET(&secadm_ops, secadm, "HardenedBSD Security Firewall",
MPC_LOADTIME_FLAG_UNLOADOK, NULL);

kmod/secfw_sysctl.c → kmod/secadm_sysctl.c View File

@@ -44,20 +44,20 @@

#include <security/mac/mac_policy.h>

#include "secfw.h"
#include "secadm.h"

static void handle_version_command(secfw_command_t *cmd, secfw_reply_t *reply);
static void handle_version_command(secadm_command_t *cmd, secadm_reply_t *reply);
static int sysctl_control(SYSCTL_HANDLER_ARGS);

SYSCTL_NODE(_hardening, OID_AUTO, secfw, CTLFLAG_RD, 0,
SYSCTL_NODE(_hardening, OID_AUTO, secadm, CTLFLAG_RD, 0,
"HardenedBSD Security Firewall");

SYSCTL_NODE(_hardening_secfw, OID_AUTO, control,
SYSCTL_NODE(_hardening_secadm, OID_AUTO, control,
CTLFLAG_MPSAFE | CTLFLAG_RW | CTLFLAG_PRISON, sysctl_control,
"secfw management interface");
"secadm management interface");

static void
handle_version_command(secfw_command_t *cmd, secfw_reply_t *reply)
handle_version_command(secadm_command_t *cmd, secadm_reply_t *reply)
{
reply->sr_metadata = cmd->sc_buf;
reply->sr_size = sizeof(unsigned long);
@@ -68,16 +68,16 @@ handle_version_command(secfw_command_t *cmd, secfw_reply_t *reply)
}

static unsigned int
handle_add_rule(struct thread *td, secfw_command_t *cmd, secfw_reply_t *reply)
handle_add_rule(struct thread *td, secadm_command_t *cmd, secadm_reply_t *reply)
{
secfw_rule_t *rule, *next, *tail;
secfw_prison_list_t *list;
secadm_rule_t *rule, *next, *tail;
secadm_prison_list_t *list;
size_t maxid=0;
unsigned int res=0;
int err;

rule = malloc(sizeof(secfw_rule_t), M_SECFW, M_WAITOK);
if ((err = copyin(cmd->sc_metadata, rule, sizeof(secfw_rule_t))) != 0) {
rule = malloc(sizeof(secadm_rule_t), M_SECADM, M_WAITOK);
if ((err = copyin(cmd->sc_metadata, rule, sizeof(secadm_rule_t))) != 0) {
res = EFAULT;
goto err;
}
@@ -91,8 +91,8 @@ handle_add_rule(struct thread *td, secfw_command_t *cmd, secfw_reply_t *reply)

tail = rule;
while (tail->sr_next != NULL) {
next = malloc(sizeof(secfw_rule_t), M_SECFW, M_WAITOK);
if ((err = copyin(tail->sr_next, next, sizeof(secfw_rule_t))) != 0) {
next = malloc(sizeof(secadm_rule_t), M_SECADM, M_WAITOK);
if ((err = copyin(tail->sr_next, next, sizeof(secadm_rule_t))) != 0) {
res = EFAULT;
goto err;
}
@@ -130,39 +130,39 @@ err:
static int
sysctl_control(SYSCTL_HANDLER_ARGS)
{
secfw_command_t cmd;
secfw_reply_t reply;
secadm_command_t cmd;
secadm_reply_t reply;
int err;

if (!(req->newptr) || (req->newlen != sizeof(secfw_command_t)))
if (!(req->newptr) || (req->newlen != sizeof(secadm_command_t)))
return (EINVAL);

if (!(req->oldptr) || (req->oldlen) != sizeof(secfw_reply_t))
if (!(req->oldptr) || (req->oldlen) != sizeof(secadm_reply_t))
return (EINVAL);

err = SYSCTL_IN(req, &cmd, sizeof(secfw_command_t));
err = SYSCTL_IN(req, &cmd, sizeof(secadm_command_t));
if (err)
return (err);

if (cmd.sc_version < SECFW_VERSION)
if (cmd.sc_version < SECADM_VERSION)
return (EINVAL);

memset(&reply, 0x00, sizeof(reply));
if (copyin(req->oldptr, &reply, sizeof(reply)))
return (EFAULT);

reply.sr_version = SECFW_VERSION;
reply.sr_version = SECADM_VERSION;
reply.sr_id = cmd.sc_id;

switch (cmd.sc_type) {
case secfw_get_version:
case secadm_get_version:
if (cmd.sc_bufsize < sizeof(unsigned long))
return (EINVAL);

handle_version_command(&cmd, &reply);
break;
case secfw_set_rules:
if (cmd.sc_size != sizeof(secfw_rule_t)) {
case secadm_set_rules:
if (cmd.sc_size != sizeof(secadm_rule_t)) {
printf("Size mismatch\n");
uprintf("Size mismatch\n");
return (EINVAL);
@@ -181,30 +181,30 @@ sysctl_control(SYSCTL_HANDLER_ARGS)

handle_add_rule(req->td, &cmd, &reply);
break;
case secfw_flush_rules:
case secadm_flush_rules:
flush_rules(req->td);
break;
case secfw_get_rule_size:
case secadm_get_rule_size:
reply.sr_code = handle_get_rule_size(req->td, &cmd, &reply);
break;
case secfw_get_num_rules:
case secadm_get_num_rules:
reply.sr_code = (unsigned int)get_num_rules(req->td, &cmd,
&reply);
break;
case secfw_get_rule:
case secadm_get_rule:
reply.sr_code = (unsigned int)handle_get_rule(req->td, &cmd,
&reply);
break;
case secfw_get_rules:
case secfw_get_admins:
case secfw_set_admins:
case secfw_get_views:
case secfw_set_views:
case secadm_get_rules:
case secadm_get_admins:
case secadm_set_admins:
case secadm_get_views:
case secadm_set_views:
return (ENOTSUP);
default:
return (EINVAL);
}

err = SYSCTL_OUT(req, &reply, sizeof(secfw_reply_t));
err = SYSCTL_OUT(req, &reply, sizeof(secadm_reply_t));
return (err);
}

kmod/secfw_vnode.c → kmod/secadm_vnode.c View File

@@ -48,10 +48,10 @@

#include <security/mac/mac_policy.h>

#include "secfw.h"
#include "secadm.h"

int
secfw_check_prison(secfw_rule_t *rule, struct prison *pr)
secadm_check_prison(secadm_rule_t *rule, struct prison *pr)
{
if (!strcmp(rule->sr_prison, pr->pr_name))
return 1;
@@ -60,13 +60,13 @@ secfw_check_prison(secfw_rule_t *rule, struct prison *pr)
}

int
secfw_vnode_check_exec(struct ucred *ucred, struct vnode *vp,
secadm_vnode_check_exec(struct ucred *ucred, struct vnode *vp,
struct label *vplabel, struct image_params *imgp,
struct label *execlabel)
{
struct rm_priotracker tracker;
secfw_prison_list_t *list;
secfw_rule_t *rule;
secadm_prison_list_t *list;
secadm_rule_t *rule;
struct vattr vap;
size_t i;
int err, flags=0;
@@ -86,7 +86,7 @@ secfw_vnode_check_exec(struct ucred *ucred, struct vnode *vp,
if (vap.va_fileid != rule->sr_inode)
continue;

if (secfw_check_prison(rule, ucred->cr_prison) == 0)
if (secadm_check_prison(rule, ucred->cr_prison) == 0)
continue;

if (strcmp(imgp->vp->v_mount->mnt_stat.f_mntonname,
@@ -139,7 +139,7 @@ secfw_vnode_check_exec(struct ucred *ucred, struct vnode *vp,
}

int
secfw_vnode_check_unlink(struct ucred *ucred, struct vnode *dvp,
secadm_vnode_check_unlink(struct ucred *ucred, struct vnode *dvp,
struct label *dvplabel, struct vnode *vp, struct label *vplabel,
struct componentname *cnp)
{

libsecfw/Makefile → libsecadm/Makefile View File

@@ -1,7 +1,7 @@
LIB= secfw
LIB= secadm
SHLIB_MAJOR= 0
SRCS= libsecfw.c rules.c
INCS= secfw.h libsecfw.h
SRCS= libsecadm.c rules.c
INCS= secadm.h libsecadm.h

CFLAGS+= -g -O0


libsecfw/libsecfw.c → libsecadm/libsecadm.c View File

@@ -45,18 +45,18 @@
#include <sys/queue.h>
#include <sys/sysctl.h>

#include "secfw.h"
#include "secadm.h"

int
secfw_sysctl(secfw_command_t *cmd, secfw_reply_t *reply)
secadm_sysctl(secadm_command_t *cmd, secadm_reply_t *reply)
{
int err;
size_t cmdsz, replysz;

cmdsz = sizeof(secfw_command_t);
replysz = sizeof(secfw_reply_t);
cmdsz = sizeof(secadm_command_t);
replysz = sizeof(secadm_reply_t);

err = sysctlbyname("hardening.secfw.control", reply, &replysz, cmd,
err = sysctlbyname("hardening.secadm.control", reply, &replysz, cmd,
cmdsz);

if (err) {
@@ -73,23 +73,23 @@ secfw_sysctl(secfw_command_t *cmd, secfw_reply_t *reply)
}

unsigned long
secfw_kernel_version(void)
secadm_kernel_version(void)
{
secfw_command_t cmd;
secfw_reply_t reply;
secadm_command_t cmd;
secadm_reply_t reply;
int err;
unsigned long version=0;

memset(&cmd, 0x00, sizeof(secfw_command_t));
cmd.sc_version = SECFW_VERSION;
cmd.sc_type = secfw_get_version;
memset(&cmd, 0x00, sizeof(secadm_command_t));
cmd.sc_version = SECADM_VERSION;
cmd.sc_type = secadm_get_version;
cmd.sc_buf = calloc(1, sizeof(unsigned long));
if (!(cmd.sc_buf))
return 0;

cmd.sc_bufsize = sizeof(unsigned long);

err = secfw_sysctl(&cmd, &reply);
err = secadm_sysctl(&cmd, &reply);
if (err == 0) {
version = *((unsigned long *)(reply.sr_metadata));
} else {
@@ -106,21 +106,21 @@ error:
}

unsigned int
secfw_add_rules(secfw_rule_t *rule)
secadm_add_rules(secadm_rule_t *rule)
{
secfw_command_t cmd;
secfw_reply_t reply;
secadm_command_t cmd;
secadm_reply_t reply;
int err=0;

memset(&cmd, 0x00, sizeof(secfw_command_t));
memset(&reply, 0x00, sizeof(secfw_reply_t));
memset(&cmd, 0x00, sizeof(secadm_command_t));
memset(&reply, 0x00, sizeof(secadm_reply_t));

cmd.sc_version = SECFW_VERSION;
cmd.sc_type = secfw_set_rules;
cmd.sc_version = SECADM_VERSION;
cmd.sc_type = secadm_set_rules;
cmd.sc_metadata = rule;
cmd.sc_size = sizeof(secfw_rule_t);
cmd.sc_size = sizeof(secadm_rule_t);

if ((err = secfw_sysctl(&cmd, &reply))) {
if ((err = secadm_sysctl(&cmd, &reply))) {
fprintf(stderr, "[-] Control channel received an error code: %d\n",
err);
}
@@ -129,19 +129,19 @@ secfw_add_rules(secfw_rule_t *rule)
}

unsigned int
secfw_flush_all_rules(void)
secadm_flush_all_rules(void)
{
secfw_command_t cmd;
secfw_reply_t reply;
secadm_command_t cmd;
secadm_reply_t reply;
int err=0;

memset(&cmd, 0x00, sizeof(secfw_command_t));
memset(&reply, 0x00, sizeof(secfw_reply_t));
memset(&cmd, 0x00, sizeof(secadm_command_t));
memset(&reply, 0x00, sizeof(secadm_reply_t));

cmd.sc_version = SECFW_VERSION;
cmd.sc_type = secfw_flush_rules;
cmd.sc_version = SECADM_VERSION;
cmd.sc_type = secadm_flush_rules;

if ((err = secfw_sysctl(&cmd, &reply))) {
if ((err = secadm_sysctl(&cmd, &reply))) {
fprintf(stderr, "[-] Could not flush rules. Error code: %d\n",
err);
}
@@ -150,9 +150,9 @@ secfw_flush_all_rules(void)
}

void
secfw_debug_print_rule(secfw_rule_t *rule)
secadm_debug_print_rule(secadm_rule_t *rule)
{
secfw_feature_t *feature;
secadm_feature_t *feature;
size_t i;

fprintf(stderr, "[*] Rule %zu\n", rule->sr_id);
@@ -194,34 +194,34 @@ secfw_debug_print_rule(secfw_rule_t *rule)
}

void
secfw_debug_print_rules(secfw_rule_t *rules)
secadm_debug_print_rules(secadm_rule_t *rules)
{
secfw_rule_t *rule;
secadm_rule_t *rule;

for (rule = rules; rule != NULL; rule = rule->sr_next)
secfw_debug_print_rule(rule);
secadm_debug_print_rule(rule);
}

size_t
secfw_get_kernel_rule_size(size_t id)
secadm_get_kernel_rule_size(size_t id)
{
secfw_command_t cmd;
secfw_reply_t reply;
secadm_command_t cmd;
secadm_reply_t reply;
size_t size;
int err;

memset(&cmd, 0x00, sizeof(secfw_command_t));
memset(&reply, 0x00, sizeof(secfw_reply_t));
memset(&cmd, 0x00, sizeof(secadm_command_t));
memset(&reply, 0x00, sizeof(secadm_reply_t));

cmd.sc_version = SECFW_VERSION;
cmd.sc_type = secfw_get_rule_size;
cmd.sc_version = SECADM_VERSION;
cmd.sc_type = secadm_get_rule_size;
cmd.sc_buf = &id;
cmd.sc_bufsize = sizeof(size_t);

reply.sr_metadata = &size;
reply.sr_size = sizeof(size_t);

if ((err = secfw_sysctl(&cmd, &reply))) {
if ((err = secadm_sysctl(&cmd, &reply))) {
fprintf(stderr, "[-] Could not get rule size for id %zu: %s\n",
id, strerror(err));
return (0);
@@ -231,23 +231,23 @@ secfw_get_kernel_rule_size(size_t id)
}

size_t
secfw_get_num_kernel_rules(void)
secadm_get_num_kernel_rules(void)
{
secfw_command_t cmd;
secfw_reply_t reply;
secadm_command_t cmd;
secadm_reply_t reply;
size_t size;
int err;

memset(&cmd, 0x00, sizeof(secfw_command_t));
memset(&reply, 0x00, sizeof(secfw_reply_t));
memset(&cmd, 0x00, sizeof(secadm_command_t));
memset(&reply, 0x00, sizeof(secadm_reply_t));

cmd.sc_version = SECFW_VERSION;
cmd.sc_type = secfw_get_num_rules;
cmd.sc_version = SECADM_VERSION;
cmd.sc_type = secadm_get_num_rules;

reply.sr_metadata = &size;
reply.sr_size = sizeof(size_t);

if ((err = secfw_sysctl(&cmd, &reply))) {
if ((err = secadm_sysctl(&cmd, &reply))) {
fprintf(stderr, "[-] Could not get number of kernel rules: %s\n",
strerror(err));
return (0);
@@ -257,16 +257,16 @@ secfw_get_num_kernel_rules(void)

}

secfw_rule_t *
secfw_get_kernel_rule(size_t id)
secadm_rule_t *
secadm_get_kernel_rule(size_t id)
{
secfw_command_t cmd;
secfw_reply_t reply;
secadm_command_t cmd;
secadm_reply_t reply;
void *buf;
size_t size;
int err;

size = secfw_get_kernel_rule_size(id);
size = secadm_get_kernel_rule_size(id);
if (size == 0)
return NULL;

@@ -274,23 +274,23 @@ secfw_get_kernel_rule(size_t id)
if (buf == NULL)
return NULL;

memset(&cmd, 0x00, sizeof(secfw_command_t));
memset(&reply, 0x00, sizeof(secfw_reply_t));
memset(&cmd, 0x00, sizeof(secadm_command_t));
memset(&reply, 0x00, sizeof(secadm_reply_t));

cmd.sc_version = SECFW_VERSION;
cmd.sc_type = secfw_get_rule;
cmd.sc_version = SECADM_VERSION;
cmd.sc_type = secadm_get_rule;
cmd.sc_buf = &id;
cmd.sc_bufsize = sizeof(size_t);

reply.sr_metadata = buf;
reply.sr_size = size;

if ((err = secfw_sysctl(&cmd, &reply))) {
if ((err = secadm_sysctl(&cmd, &reply))) {
fprintf(stderr, "[-] Could not get rule %zu: %s\n", id,
strerror(err));
free(buf);
return NULL;
}

return ((secfw_rule_t *)buf);
return ((secadm_rule_t *)buf);
}

libsecfw/libsecfw.h → libsecadm/libsecadm.h View File

@@ -26,20 +26,20 @@
* $FreeBSD$
*/

#ifndef _LIBSECFW_H
#define _LIBSECFW_H
#ifndef _LIBSECADM_H
#define _LIBSECADM_H

#include "secfw.h"
#include "secadm.h"

int secfw_sysctl(secfw_command_t *, secfw_reply_t *);
unsigned long secfw_kernel_version(void);
unsigned int secfw_add_rules(secfw_rule_t *);
int secfw_parse_path(secfw_rule_t *, const char *);
void secfw_debug_print_rule(secfw_rule_t *rule);
void secfw_debug_print_rules(secfw_rule_t *rules);
size_t secfw_get_kernel_rule_size(size_t id);
size_t secfw_get_num_kernel_rules(void);
secfw_rule_t *secfw_get_kernel_rule(size_t id);
unsigned int secfw_flush_all_rules(void);
int secadm_sysctl(secadm_command_t *, secadm_reply_t *);
unsigned long secadm_kernel_version(void);
unsigned int secadm_add_rules(secadm_rule_t *);
int secadm_parse_path(secadm_rule_t *, const char *);
void secadm_debug_print_rule(secadm_rule_t *rule);
void secadm_debug_print_rules(secadm_rule_t *rules);
size_t secadm_get_kernel_rule_size(size_t id);
size_t secadm_get_num_kernel_rules(void);
secadm_rule_t *secadm_get_kernel_rule(size_t id);
unsigned int secadm_flush_all_rules(void);

#endif

libsecfw/rules.c → libsecadm/rules.c View File

@@ -47,10 +47,10 @@

#include <fcntl.h>

#include "secfw.h"
#include "secadm.h"

int
secfw_parse_path(secfw_rule_t *rule, const char *path)
secadm_parse_path(secadm_rule_t *rule, const char *path)
{
struct stat sb;
struct statfs fsb;

libsecfw/secfw.h → libsecadm/secadm.h View File

@@ -26,21 +26,21 @@
* $FreeBSD$
*/

#ifndef _SYS_SECURITY_SECFW_H
#define _SYS_SECURITY_SECFW_H
#ifndef _SYS_SECURITY_SECADM_H
#define _SYS_SECURITY_SECADM_H

#define SECFW_VERSION 20141217001UL
#define SECADM_VERSION 20141217001UL

/* These flags are unused right now */
#define SECFW_RULE_FLAGS_NONE 0x00000000
#define SECFW_RULE_FLAGS_UID_DEFINED 0x00000001
#define SECFW_RULE_FLAGS_GID_DEFINED 0x00000002
#define SECFW_RULE_FLAGS_INODE_DEFINED 0x00000004
#define SECADM_RULE_FLAGS_NONE 0x00000000
#define SECADM_RULE_FLAGS_UID_DEFINED 0x00000001
#define SECADM_RULE_FLAGS_GID_DEFINED 0x00000002
#define SECADM_RULE_FLAGS_INODE_DEFINED 0x00000004

#define SECFW_MAX_FEATURES 4
#define SECADM_MAX_FEATURES 4

typedef enum secfw_feature_type {
secfw_invalid=0,
typedef enum secadm_feature_type {
secadm_invalid=0,
pageexec_enabled,
pageexec_disabled,
mprotect_enabled,
@@ -49,29 +49,29 @@ typedef enum secfw_feature_type {
segvguard_enabled,
aslr_disabled,
aslr_enabled
} secfw_feature_type_t;
typedef enum secfw_command_type {
secfw_get_version=0,
secfw_get_rules,
secfw_set_rules,
secfw_flush_rules,
secfw_get_admins,
secfw_get_views,
secfw_set_admins,
secfw_set_views,
secfw_get_rule_size,
secfw_get_num_rules,
secfw_get_rule
} secfw_command_type_t;
typedef struct secfw_feature {
secfw_feature_type_t type;
} secadm_feature_type_t;
typedef enum secadm_command_type {
secadm_get_version=0,
secadm_get_rules,
secadm_set_rules,
secadm_flush_rules,
secadm_get_admins,
secadm_get_views,
secadm_set_admins,
secadm_set_views,
secadm_get_rule_size,
secadm_get_num_rules,
secadm_get_rule
} secadm_command_type_t;
typedef struct secadm_feature {
secadm_feature_type_t type;
size_t metadatasz;
void *metadata;
} secfw_feature_t;
} secadm_feature_t;

typedef struct secfw_rule {
typedef struct secadm_rule {
size_t sr_id;
unsigned int sr_flags;
char sr_mount[MNAMELEN];
@@ -79,61 +79,61 @@ typedef struct secfw_rule {
size_t sr_pathlen;
char *sr_path;
size_t sr_nfeatures;
secfw_feature_t *sr_features;
struct secfw_rule *sr_next;
secadm_feature_t *sr_features;
struct secadm_rule *sr_next;
char *sr_prison;
void *sr_kernel;
} secfw_rule_t;
} secadm_rule_t;

#define SPS_FLAG_VIEW 0x1
#define SPS_FLAG_ADMIN 0x2

typedef struct secfw_prison_spec {
typedef struct secadm_prison_spec {
char *sps_name;
unsigned long sps_flags;
} secfw_prison_spec_t;
} secadm_prison_spec_t;

typedef struct secfw_command {
typedef struct secadm_command {
unsigned long sc_version;
size_t sc_id;
secfw_command_type_t sc_type;
secadm_command_type_t sc_type;
void *sc_metadata;
size_t sc_size;
void *sc_buf;
size_t sc_bufsize;
} secfw_command_t;
} secadm_command_t;

typedef struct secfw_reply {
typedef struct secadm_reply {
unsigned long sr_version;
size_t sr_id;
unsigned int sr_code;
void *sr_metadata;
size_t sr_size;
} secfw_reply_t;
} secadm_reply_t;

#ifdef _KERNEL

MALLOC_DECLARE(M_SECFW);
MALLOC_DECLARE(M_SECADM);

typedef struct secfw_prison_list {
typedef struct secadm_prison_list {
struct rmlock spl_lock;
secfw_rule_t *spl_rules;
secadm_rule_t *spl_rules;
char *spl_prison;
size_t spl_max_id;

struct secfw_prison_list *spl_prev;
struct secfw_prison_list *spl_next;
} secfw_prison_list_t;
struct secadm_prison_list *spl_prev;
struct secadm_prison_list *spl_next;
} secadm_prison_list_t;

typedef struct secfw_kernel_data {
secfw_prison_list_t *skd_prisons;
typedef struct secadm_kernel_data {
secadm_prison_list_t *skd_prisons;

struct rmlock skd_prisons_lock;

#if 0
/* These are planned, but not currently used */
secfw_prison_spec_t *skd_admins;
secfw_prison_spec_t *skd_views;
secadm_prison_spec_t *skd_admins;
secadm_prison_spec_t *skd_views;
struct rmlock skd_admins_lock;
struct rmlock skd_views_lock;
struct rm_priotracker skd_admins_tracker;
@@ -142,54 +142,54 @@ typedef struct secfw_kernel_data {
size_t skd_nadmins;
size_t skd_nviews;
#endif
} secfw_kernel_t;
} secadm_kernel_t;

typedef struct secfw_kernel_metadata {
typedef struct secadm_kernel_metadata {
struct prison *skm_owner;
} secfw_kernel_metadata_t;
extern secfw_kernel_t kernel_data;
void secfw_lock_init(void);
void secfw_lock_destroy(void);
void secfw_rules_lock_read(void);
void secfw_rules_unlock_read(void);
void secfw_rules_lock_write(void);
void secfw_rules_unlock_write(void);
void secfw_admins_lock_read(void);
void secfw_admins_unlock_read(void);
void secfw_admins_lock_write(void);
void secfw_admins_unlock_write(void);
void secfw_views_lock_read(void);
void secfw_views_unlock_read(void);
void secfw_views_lock_write(void);
void secfw_views_unlock_write(void);
int secfw_check_prison(secfw_rule_t *, struct prison *);
int secfw_vnode_check_exec(struct ucred *, struct vnode *,
} secadm_kernel_metadata_t;
extern secadm_kernel_t kernel_data;
void secadm_lock_init(void);
void secadm_lock_destroy(void);
void secadm_rules_lock_read(void);
void secadm_rules_unlock_read(void);
void secadm_rules_lock_write(void);
void secadm_rules_unlock_write(void);
void secadm_admins_lock_read(void);
void secadm_admins_unlock_read(void);
void secadm_admins_lock_write(void);
void secadm_admins_unlock_write(void);
void secadm_views_lock_read(void);
void secadm_views_unlock_read(void);
void secadm_views_lock_write(void);
void secadm_views_unlock_write(void);
int secadm_check_prison(secadm_rule_t *, struct prison *);
int secadm_vnode_check_exec(struct ucred *, struct vnode *,
struct label *, struct image_params *,
struct label *);

int secfw_vnode_check_unlink(struct ucred *, struct vnode *,
int secadm_vnode_check_unlink(struct ucred *, struct vnode *,
struct label *, struct vnode *, struct label *,
struct componentname *);

int validate_rule(struct thread *, secfw_rule_t *, secfw_rule_t *);
void free_rule(secfw_rule_t *, int);
secfw_prison_list_t *get_prison_list_entry(const char *, int);
secfw_rule_t *get_first_rule(struct thread *);
secfw_rule_t *get_first_prison_rule(struct prison *);
int validate_rule(struct thread *, secadm_rule_t *, secadm_rule_t *);
void free_rule(secadm_rule_t *, int);
secadm_prison_list_t *get_prison_list_entry(const char *, int);
secadm_rule_t *get_first_rule(struct thread *);
secadm_rule_t *get_first_prison_rule(struct prison *);
void flush_rules(struct thread *);
int read_rule_from_userland(struct thread *, secfw_rule_t *);
secfw_rule_t *get_rule_by_id(struct thread *, size_t);
int read_rule_from_userland(struct thread *, secadm_rule_t *);
secadm_rule_t *get_rule_by_id(struct thread *, size_t);
size_t get_rule_size(struct thread *, size_t);
int handle_get_rule_size(struct thread *, secfw_command_t *, secfw_reply_t *);
int get_num_rules(struct thread *, secfw_command_t *, secfw_reply_t *);
int handle_get_rule(struct thread *, secfw_command_t *, secfw_reply_t *);
void cleanup_jail_rules(secfw_prison_list_t *);
int handle_get_rule_size(struct thread *, secadm_command_t *, secadm_reply_t *);
int get_num_rules(struct thread *, secadm_command_t *, secadm_reply_t *);
int handle_get_rule(struct thread *, secadm_command_t *, secadm_reply_t *);
void cleanup_jail_rules(secadm_prison_list_t *);
void log_location(const char *, int);

#endif /* _KERNEL */

#endif /* _SECFW_H */
#endif /* _SECADM_H */

+ 13
- 0
secadm/Makefile View File

@@ -0,0 +1,13 @@
PROG= secadm
SRCS= config.c \
kld.c \
secadm.c

LDADD= -lucl -lm -lsecadm

CFLAGS+= -fPIE -g -O0 -I../libsecadm -I/usr/local/include
LDFLAGS+= -pie -L../libsecadm -L/usr/local/lib -L../libsecadm

NO_MAN= "yes"

.include <bsd.prog.mk>

secfw/config.c → secadm/config.c View File

@@ -47,14 +47,14 @@
#include <sys/queue.h>

#include "ucl.h"
#include "libsecfw.h"
#include "secfw_internal.h"
#include "libsecadm.h"
#include "secadm_internal.h"

secfw_rule_t *
secadm_rule_t *
load_config(const char *config)
{
struct ucl_parser *parser=NULL;
secfw_rule_t *rules, *rule;
secadm_rule_t *rules, *rule;
unsigned char *map;
size_t sz;
int fd;
@@ -109,10 +109,10 @@ load_config(const char *config)
return rules;
}

secfw_rule_t *
secadm_rule_t *
parse_object(struct ucl_parser *parser)
{
secfw_rule_t *rules=NULL, *newrules, *rule;
secadm_rule_t *rules=NULL, *newrules, *rule;
ucl_object_t *obj;
const ucl_object_t *curobj;
ucl_object_iter_t it=NULL;
@@ -146,18 +146,18 @@ parse_object(struct ucl_parser *parser)
}

void
add_feature(secfw_rule_t *rule, const ucl_object_t *obj, secfw_feature_type_t feature)
add_feature(secadm_rule_t *rule, const ucl_object_t *obj, secadm_feature_type_t feature)
{
void *f;

f = reallocarray(rule->sr_features, rule->sr_nfeatures + 1,
sizeof(secfw_feature_t));
sizeof(secadm_feature_t));
if (f == NULL)
return;
rule->sr_features = f;

memset(&(rule->sr_features[rule->sr_nfeatures]), 0x00,
sizeof(secfw_feature_t));
sizeof(secadm_feature_t));

switch (feature) {
case pageexec_enabled:
@@ -177,18 +177,18 @@ add_feature(secfw_rule_t *rule, const ucl_object_t *obj, secfw_feature_type_t fe
rule->sr_nfeatures++;
}

secfw_rule_t *
secadm_rule_t *
parse_applications_object(const ucl_object_t *obj)
{
const ucl_object_t *appindex, *ucl_feature, *appdata, *ucl_jails,
*ucl_jail;
ucl_object_iter_t it=NULL, jailit=NULL;
secfw_rule_t *head=NULL, *apprule;
secadm_rule_t *head=NULL, *apprule;
const char *path, *datakey, *key;
bool enabled;

while ((appindex = ucl_iterate_object(obj, &it, 1))) {
apprule = calloc(1, sizeof(secfw_rule_t));
apprule = calloc(1, sizeof(secadm_rule_t));
if (!(apprule))
return head;

@@ -205,7 +205,7 @@ parse_applications_object(const ucl_object_t *obj)
continue;
}

if (secfw_parse_path(apprule, path)) {
if (secadm_parse_path(apprule, path)) {
fprintf(stderr, "Could not set the rule's path!\n");
free(apprule);
continue;

secfw/config.conf.sample → secadm/config.conf.sample View File


secfw/kld.c → secadm/kld.c View File

@@ -44,8 +44,8 @@
#include <sys/queue.h>

#include "ucl.h"
#include "libsecfw.h"
#include "secfw_internal.h"
#include "libsecadm.h"
#include "secadm_internal.h"

int
kldcheck(void)
@@ -62,7 +62,7 @@ kldcheck(void)
return 1;
}

if (!strcmp("secfw.ko", kfs.name))
if (!strcmp("secadm.ko", kfs.name))
return 0;
}


secfw/secfw.c → secadm/secadm.c View File

@@ -46,8 +46,8 @@
#include <sys/sysctl.h>

#include "ucl.h"
#include "libsecfw.h"
#include "secfw_internal.h"
#include "libsecadm.h"
#include "secadm_internal.h"

typedef int (*action_t)(int, char **);

@@ -106,9 +106,9 @@ get_version(void)
{
unsigned long version;

version = secfw_kernel_version();
version = secadm_kernel_version();
if (version)
fprintf(stderr, "[+] secfw kernel module version: %lu\n",
fprintf(stderr, "[+] secadm kernel module version: %lu\n",
version);

exit(0);
@@ -117,19 +117,19 @@ get_version(void)
static int
listact(int argc, char *argv[])
{
secfw_rule_t *rule;
secadm_rule_t *rule;
size_t nrules, i;

nrules = secfw_get_num_kernel_rules();
nrules = secadm_get_num_kernel_rules();
for (i=0; i < nrules; i++) {
rule = secfw_get_kernel_rule(i);
rule = secadm_get_kernel_rule(i);
if (!(rule)) {
fprintf(stderr, "[-] Could not get rule %zu from the kernel.\n", i);
free(rule);
return 1;
}

secfw_debug_print_rule(rule);
secadm_debug_print_rule(rule);
free(rule);
}

@@ -139,7 +139,7 @@ listact(int argc, char *argv[])
static int
setact(int argc, char *argv[])
{
secfw_rule_t *rules;
secadm_rule_t *rules;

if (!(configpath))
usage(name);
@@ -150,7 +150,7 @@ setact(int argc, char *argv[])
return 1;
}

if (secfw_add_rules(rules)) {
if (secadm_add_rules(rules)) {
fprintf(stderr, "[-] Could not load the rules\n");
return 1;
}
@@ -163,13 +163,13 @@ static int
flushact(int argc, char *argv[])
{

return ((int)secfw_flush_all_rules());
return ((int)secadm_flush_all_rules());
}

int
main(int argc, char *argv[])
{
secfw_rule_t *rules, *rule;
secadm_rule_t *rules, *rule;
size_t nrules, rulesize, i;
int ch;

@@ -178,7 +178,7 @@ main(int argc, char *argv[])
check_bsd();

if (kldcheck()) {
fprintf(stderr, "[-] secfw module not loaded\n");
fprintf(stderr, "[-] secadm module not loaded\n");
return 1;
}


+ 10
- 0
secadm/secadm_internal.h View File

@@ -0,0 +1,10 @@
#ifndef _SECADM_INTERNAL_H
#define _SECADM_INTERNAL_H

int kldcheck(void);
secadm_rule_t *load_config(const char *);
secadm_rule_t *parse_object(struct ucl_parser *);
void add_feature(secadm_rule_t *, const ucl_object_t *, secadm_feature_type_t);
secadm_rule_t *parse_applications_object(const ucl_object_t *);

#endif

+ 0
- 13
secfw/Makefile View File

@@ -1,13 +0,0 @@
PROG= secfw
SRCS= config.c \
kld.c \
secfw.c

LDADD= -lucl -lm -lsecfw

CFLAGS+= -fPIE -g -O0 -I../libsecfw -I/usr/local/include
LDFLAGS+= -pie -L../libsecfw -L/usr/local/lib -L../libsecfw

NO_MAN= "yes"

.include <bsd.prog.mk>

+ 0
- 10
secfw/secfw_internal.h View File

@@ -1,10 +0,0 @@
#ifndef _SECFW_INTERNAL_H
#define _SECFW_INTERNAL_H

int kldcheck(void);
secfw_rule_t *load_config(const char *);
secfw_rule_t *parse_object(struct ucl_parser *);
void add_feature(secfw_rule_t *, const ucl_object_t *, secfw_feature_type_t);
secfw_rule_t *parse_applications_object(const ucl_object_t *);

#endif

Loading…
Cancel
Save