Eliminate MAC entry point mac_create_mbuf_from_mbuf(), which is

redundant with respect to existing mbuf copy label routines.  Expose
a new mac_copy_mbuf() routine at the top end of the Framework and
use that; use the existing mpo_copy_mbuf_label() routine on the
bottom end.

Obtained from:	TrustedBSD Project
Sponsored by:	SPARTA, SPAWAR
Approved by:	re (scottl)

sys/net/bsd_comp.c

@@ -880,7 +880,7 @@ bsd_decompress(state, cmp, dmpp)
     wptr = mtod(dmp, u_char *);
     space = M_TRAILINGSPACE(dmp) - PPP_HDRLEN + 1;
 #ifdef MAC
-    mac_create_mbuf_from_mbuf(cmp, dmp);
+    mac_copy_mbuf(cmp, dmp);
 #endif
 
     /*

sys/net/if_ppp.c

@@ -1490,7 +1490,7 @@ ppp_inproc(sc, m)
 	    }
 	}
 #ifdef MAC
-	mac_create_mbuf_from_mbuf(m, mp);
+	mac_copy_mbuf(m, mp);
 #endif
 	cp = mtod(mp, u_char *);
 	cp[0] = adrs;
@@ -1544,7 +1544,7 @@ ppp_inproc(sc, m)
 	MGETHDR(mp, M_DONTWAIT, MT_DATA);
 	if (mp != NULL) {
 #ifdef MAC
-	    mac_create_mbuf_from_mbuf(m, mp);
+	    mac_copy_mbuf(m, mp);
 #endif
 	    m_copydata(m, 0, ilen, mtod(mp, caddr_t));
 	    m_freem(m);

sys/netatalk/ddp_output.c

@@ -207,7 +207,7 @@ ddp_route(struct mbuf *m, struct route *ro)
 	    return (ENOBUFS);
 	}
 #ifdef MAC
-	mac_create_mbuf_from_mbuf(m, m0);
+	mac_copy_mbuf(m, m0);
 #endif
 	m0->m_next = m;
 	/* XXX perhaps we ought to align the header? */

sys/netinet/ip_output.c

@@ -1071,7 +1071,7 @@ ip_insertoptions(m, opt, phlen)
 		M_MOVE_PKTHDR(n, m);
 		n->m_pkthdr.rcvif = NULL;
 #ifdef MAC
-		mac_create_mbuf_from_mbuf(m, n);
+		mac_copy_mbuf(m, n);
 #endif
 		n->m_pkthdr.len += optlen;
 		m->m_len -= sizeof(struct ip);

sys/security/mac/mac_framework.h

@@ -166,6 +166,7 @@ int	mac_init_mbuf_tag(struct m_tag *, int flag);
 void	mac_init_mount(struct mount *);
 void	mac_init_proc(struct proc *);
 void	mac_init_vnode(struct vnode *);
+void	mac_copy_mbuf(struct mbuf *m_from, struct mbuf *m_to);
 void	mac_copy_mbuf_tag(struct m_tag *, struct m_tag *);
 void	mac_copy_vnode_label(struct label *, struct label *label);
 void	mac_destroy_bpfdesc(struct bpf_d *);
@@ -255,7 +256,6 @@ void	mac_create_ipq(struct mbuf *fragment, struct ipq *ipq);
 void	mac_create_datagram_from_ipq(struct ipq *ipq, struct mbuf *datagram);
 void	mac_create_fragment(struct mbuf *datagram, struct mbuf *fragment);
 void	mac_create_mbuf_from_inpcb(struct inpcb *inp, struct mbuf *m);
-void	mac_create_mbuf_from_mbuf(struct mbuf *oldmbuf, struct mbuf *newmbuf);
 void	mac_create_mbuf_linklayer(struct ifnet *ifnet, struct mbuf *m);
 void	mac_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct mbuf *m);
 void	mac_create_mbuf_from_ifnet(struct ifnet *ifnet, struct mbuf *m);

sys/security/mac/mac_net.c

@@ -253,6 +253,17 @@ mac_copy_mbuf_tag(struct m_tag *src, struct m_tag *dest)
 	MAC_PERFORM(copy_mbuf_label, src_label, dest_label);
 }
 
+void
+mac_copy_mbuf(struct mbuf *m_from, struct mbuf *m_to)
+{
+	struct label *src_label, *dest_label;
+
+	src_label = mac_mbuf_to_label(m_from);
+	dest_label = mac_mbuf_to_label(m_to);
+
+	MAC_PERFORM(copy_mbuf_label, src_label, dest_label);
+}
+
 static void
 mac_copy_ifnet_label(struct label *src, struct label *dest)
 {
@@ -297,18 +308,6 @@ mac_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d)
 	MAC_PERFORM(create_bpfdesc, cred, bpf_d, bpf_d->bd_label);
 }
 
-void
-mac_create_mbuf_from_mbuf(struct mbuf *oldmbuf, struct mbuf *newmbuf)
-{
-	struct label *oldmbuflabel, *newmbuflabel;
-
-	oldmbuflabel = mac_mbuf_to_label(oldmbuf);
-	newmbuflabel = mac_mbuf_to_label(newmbuf);
-
-	MAC_PERFORM(create_mbuf_from_mbuf, oldmbuf, oldmbuflabel, newmbuf,
-	    newmbuflabel);
-}
-
 void
 mac_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct mbuf *mbuf)
 {

sys/security/mac/mac_policy.h

@@ -284,9 +284,6 @@ struct mac_policy_ops {
 	void	(*mpo_create_mbuf_from_inpcb)(struct inpcb *inp,
 		    struct label *inplabel, struct mbuf *m,
 		    struct label *mlabel);
-	void	(*mpo_create_mbuf_from_mbuf)(struct mbuf *oldmbuf,
-		    struct label *oldlabel, struct mbuf *newmbuf,
-		    struct label *newlabel);
 	void	(*mpo_create_mbuf_linklayer)(struct ifnet *ifnet,
 		    struct label *ifnetlabel, struct mbuf *mbuf,
 		    struct label *mbuflabel);

sys/security/mac_biba/mac_biba.c

@@ -1284,27 +1284,6 @@ mac_biba_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel,
 	mac_biba_copy_effective(source, dest);
 }
 
-static void
-mac_biba_create_mbuf_from_mbuf(struct mbuf *oldmbuf,
-    struct label *oldmbuflabel, struct mbuf *newmbuf,
-    struct label *newmbuflabel)
-{
-	struct mac_biba *source, *dest;
-
-	source = SLOT(oldmbuflabel);
-	dest = SLOT(newmbuflabel);
-
-	/*
-	 * Because the source mbuf may not yet have been "created",
-	 * just initialized, we do a conditional copy.  Since we don't
-	 * allow mbufs to have ranges, do a KASSERT to make sure that
-	 * doesn't happen.
-	 */
-	KASSERT((source->mb_flags & MAC_BIBA_FLAG_RANGE) == 0,
-	    ("mac_biba_create_mbuf_from_mbuf: source mbuf has range"));
-	mac_biba_copy(source, dest);
-}
-
 static void
 mac_biba_create_mbuf_linklayer(struct ifnet *ifnet, struct label *ifnetlabel,
     struct mbuf *mbuf, struct label *mbuflabel)
@@ -3135,7 +3114,6 @@ static struct mac_policy_ops mac_biba_ops =
 	.mpo_create_sysv_shm = mac_biba_create_sysv_shm,
 	.mpo_create_ipq = mac_biba_create_ipq,
 	.mpo_create_mbuf_from_inpcb = mac_biba_create_mbuf_from_inpcb,
-	.mpo_create_mbuf_from_mbuf = mac_biba_create_mbuf_from_mbuf,
 	.mpo_create_mbuf_linklayer = mac_biba_create_mbuf_linklayer,
 	.mpo_create_mbuf_from_bpfdesc = mac_biba_create_mbuf_from_bpfdesc,
 	.mpo_create_mbuf_from_ifnet = mac_biba_create_mbuf_from_ifnet,

sys/security/mac_lomac/mac_lomac.c

@@ -1354,27 +1354,6 @@ mac_lomac_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel,
 	mac_lomac_copy_single(source, dest);
 }
 
-static void
-mac_lomac_create_mbuf_from_mbuf(struct mbuf *oldmbuf,
-    struct label *oldmbuflabel, struct mbuf *newmbuf,
-    struct label *newmbuflabel)
-{
-	struct mac_lomac *source, *dest;
-
-	source = SLOT(oldmbuflabel);
-	dest = SLOT(newmbuflabel);
-
-	/*
-	 * Because the source mbuf may not yet have been "created",
-	 * just initialized, we do a conditional copy.  Since we don't
-	 * allow mbufs to have ranges, do a KASSERT to make sure that
-	 * doesn't happen.
-	 */
-	KASSERT((source->ml_flags & MAC_LOMAC_FLAG_RANGE) == 0,
-	    ("mac_lomac_create_mbuf_from_mbuf: source mbuf has range"));
-	mac_lomac_copy(source, dest);
-}
-
 static void
 mac_lomac_create_mbuf_linklayer(struct ifnet *ifnet, struct label *ifnetlabel,
     struct mbuf *mbuf, struct label *mbuflabel)
@@ -2663,7 +2642,6 @@ static struct mac_policy_ops mac_lomac_ops =
 	.mpo_create_inpcb_from_socket = mac_lomac_create_inpcb_from_socket,
 	.mpo_create_ipq = mac_lomac_create_ipq,
 	.mpo_create_mbuf_from_inpcb = mac_lomac_create_mbuf_from_inpcb,
-	.mpo_create_mbuf_from_mbuf = mac_lomac_create_mbuf_from_mbuf,
 	.mpo_create_mbuf_linklayer = mac_lomac_create_mbuf_linklayer,
 	.mpo_create_mbuf_from_bpfdesc = mac_lomac_create_mbuf_from_bpfdesc,
 	.mpo_create_mbuf_from_ifnet = mac_lomac_create_mbuf_from_ifnet,

sys/security/mac_mls/mac_mls.c

@@ -1213,27 +1213,6 @@ mac_mls_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel,
 	mac_mls_copy_effective(source, dest);
 }
 
-static void
-mac_mls_create_mbuf_from_mbuf(struct mbuf *oldmbuf,
-    struct label *oldmbuflabel, struct mbuf *newmbuf,
-    struct label *newmbuflabel)
-{
-	struct mac_mls *source, *dest;
-
-	source = SLOT(oldmbuflabel);
-	dest = SLOT(newmbuflabel);
-
-	/*
-	 * Because the source mbuf may not yet have been "created",
-	 * just initialized, we do a conditional copy.  Since we don't
-	 * allow mbufs to have ranges, do a KASSERT to make sure that
-	 * doesn't happen.
-	 */
-	KASSERT((source->mm_flags & MAC_MLS_FLAG_RANGE) == 0,
-	    ("mac_mls_create_mbuf_from_mbuf: source mbuf has range"));
-	mac_mls_copy(source, dest);
-}
-
 static void
 mac_mls_create_mbuf_linklayer(struct ifnet *ifnet, struct label *ifnetlabel,
     struct mbuf *mbuf, struct label *mbuflabel)
@@ -2909,7 +2888,6 @@ static struct mac_policy_ops mac_mls_ops =
 	.mpo_create_sysv_sem = mac_mls_create_sysv_sem,
 	.mpo_create_sysv_shm = mac_mls_create_sysv_shm,
 	.mpo_create_mbuf_from_inpcb = mac_mls_create_mbuf_from_inpcb,
-	.mpo_create_mbuf_from_mbuf = mac_mls_create_mbuf_from_mbuf,
 	.mpo_create_mbuf_linklayer = mac_mls_create_mbuf_linklayer,
 	.mpo_create_mbuf_from_bpfdesc = mac_mls_create_mbuf_from_bpfdesc,
 	.mpo_create_mbuf_from_ifnet = mac_mls_create_mbuf_from_ifnet,

sys/security/mac_stub/mac_stub.c

@@ -401,14 +401,6 @@ stub_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel,
 
 }
 
-static void
-stub_create_mbuf_from_mbuf(struct mbuf *oldmbuf,
-    struct label *oldmbuflabel, struct mbuf *newmbuf,
-    struct label *newmbuflabel)
-{
-
-}
-
 static void
 stub_create_mbuf_linklayer(struct ifnet *ifnet, struct label *ifnetlabel,
     struct mbuf *mbuf, struct label *mbuflabel)
@@ -1467,7 +1459,6 @@ static struct mac_policy_ops mac_stub_ops =
 	.mpo_create_fragment = stub_create_fragment,
 	.mpo_create_ipq = stub_create_ipq,
 	.mpo_create_mbuf_from_inpcb = stub_create_mbuf_from_inpcb,
-	.mpo_create_mbuf_from_mbuf = stub_create_mbuf_from_mbuf,
 	.mpo_create_mbuf_linklayer = stub_create_mbuf_linklayer,
 	.mpo_create_mbuf_from_bpfdesc = stub_create_mbuf_from_bpfdesc,
 	.mpo_create_mbuf_from_ifnet = stub_create_mbuf_from_ifnet,

sys/security/mac_test/mac_test.c

@@ -1139,16 +1139,6 @@ mac_test_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel,
 	ASSERT_MBUF_LABEL(mlabel);
 }
 
-static void
-mac_test_create_mbuf_from_mbuf(struct mbuf *oldmbuf,
-    struct label *oldmbuflabel, struct mbuf *newmbuf,
-    struct label *newmbuflabel)
-{
-
-	ASSERT_MBUF_LABEL(oldmbuflabel);
-	ASSERT_MBUF_LABEL(newmbuflabel);
-}
-
 static void
 mac_test_create_mbuf_linklayer(struct ifnet *ifnet, struct label *ifnetlabel,
     struct mbuf *mbuf, struct label *mbuflabel)
@@ -2503,7 +2493,6 @@ static struct mac_policy_ops mac_test_ops =
 	.mpo_create_fragment = mac_test_create_fragment,
 	.mpo_create_ipq = mac_test_create_ipq,
 	.mpo_create_mbuf_from_inpcb = mac_test_create_mbuf_from_inpcb,
-	.mpo_create_mbuf_from_mbuf = mac_test_create_mbuf_from_mbuf,
 	.mpo_create_mbuf_linklayer = mac_test_create_mbuf_linklayer,
 	.mpo_create_mbuf_from_bpfdesc = mac_test_create_mbuf_from_bpfdesc,
 	.mpo_create_mbuf_from_ifnet = mac_test_create_mbuf_from_ifnet,

sys/sys/mac.h

@@ -166,6 +166,7 @@ int	mac_init_mbuf_tag(struct m_tag *, int flag);
 void	mac_init_mount(struct mount *);
 void	mac_init_proc(struct proc *);
 void	mac_init_vnode(struct vnode *);
+void	mac_copy_mbuf(struct mbuf *m_from, struct mbuf *m_to);
 void	mac_copy_mbuf_tag(struct m_tag *, struct m_tag *);
 void	mac_copy_vnode_label(struct label *, struct label *label);
 void	mac_destroy_bpfdesc(struct bpf_d *);
@@ -255,7 +256,6 @@ void	mac_create_ipq(struct mbuf *fragment, struct ipq *ipq);
 void	mac_create_datagram_from_ipq(struct ipq *ipq, struct mbuf *datagram);
 void	mac_create_fragment(struct mbuf *datagram, struct mbuf *fragment);
 void	mac_create_mbuf_from_inpcb(struct inpcb *inp, struct mbuf *m);
-void	mac_create_mbuf_from_mbuf(struct mbuf *oldmbuf, struct mbuf *newmbuf);
 void	mac_create_mbuf_linklayer(struct ifnet *ifnet, struct mbuf *m);
 void	mac_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct mbuf *m);
 void	mac_create_mbuf_from_ifnet(struct ifnet *ifnet, struct mbuf *m);

sys/sys/mac_policy.h

@@ -284,9 +284,6 @@ struct mac_policy_ops {
 	void	(*mpo_create_mbuf_from_inpcb)(struct inpcb *inp,
 		    struct label *inplabel, struct mbuf *m,
 		    struct label *mlabel);
-	void	(*mpo_create_mbuf_from_mbuf)(struct mbuf *oldmbuf,
-		    struct label *oldlabel, struct mbuf *newmbuf,
-		    struct label *newlabel);
 	void	(*mpo_create_mbuf_linklayer)(struct ifnet *ifnet,
 		    struct label *ifnetlabel, struct mbuf *mbuf,
 		    struct label *mbuflabel);