Teach the MAC policies which utilize mbuf labeling the new syncache

entry points.  Properly initialize the mbuf label based on the label
we copy from the PCB. This fixes an LOR between the PCB and syncache
code.

sys/security/mac_biba/mac_biba.c

@@ -3040,6 +3040,27 @@ mac_biba_associate_nfsd_label(struct ucred *cred)
 	    MAC_BIBA_TYPE_HIGH, 0, NULL);
 }
 
+static void
+mac_biba_init_syncache_from_inpcb(struct label *label, struct inpcb *inp)
+{
+	struct mac_biba *source, *dest;
+
+	source = SLOT(inp->inp_label);
+	dest = SLOT(label);
+	mac_biba_copy_effective(source, dest);
+}
+
+static void
+mac_biba_create_mbuf_from_syncache(struct label *sc_label, struct mbuf *m,
+    struct label *mbuf_label)
+{
+	struct mac_biba *source, *dest;
+
+	source = SLOT(sc_label);
+	dest = SLOT(mbuf_label);
+	mac_biba_copy_effective(source, dest);
+}
+
 static struct mac_policy_ops mac_biba_ops =
 {
 	.mpo_init = mac_biba_init,
@@ -3048,6 +3069,7 @@ static struct mac_policy_ops mac_biba_ops =
 	.mpo_init_devfsdirent_label = mac_biba_init_label,
 	.mpo_init_ifnet_label = mac_biba_init_label,
 	.mpo_init_inpcb_label = mac_biba_init_label_waitcheck,
+	.mpo_init_syncache_label = mac_biba_init_label_waitcheck,
 	.mpo_init_sysv_msgmsg_label = mac_biba_init_label,
 	.mpo_init_sysv_msgqueue_label = mac_biba_init_label,
 	.mpo_init_sysv_sem_label = mac_biba_init_label,
@@ -3060,12 +3082,14 @@ static struct mac_policy_ops mac_biba_ops =
 	.mpo_init_posix_sem_label = mac_biba_init_label,
 	.mpo_init_socket_label = mac_biba_init_label_waitcheck,
 	.mpo_init_socket_peer_label = mac_biba_init_label_waitcheck,
+	.mpo_init_syncache_from_inpcb = mac_biba_init_syncache_from_inpcb,
 	.mpo_init_vnode_label = mac_biba_init_label,
 	.mpo_destroy_bpfdesc_label = mac_biba_destroy_label,
 	.mpo_destroy_cred_label = mac_biba_destroy_label,
 	.mpo_destroy_devfsdirent_label = mac_biba_destroy_label,
 	.mpo_destroy_ifnet_label = mac_biba_destroy_label,
 	.mpo_destroy_inpcb_label = mac_biba_destroy_label,
+	.mpo_destroy_syncache_label = mac_biba_destroy_label,
 	.mpo_destroy_sysv_msgmsg_label = mac_biba_destroy_label,
 	.mpo_destroy_sysv_msgqueue_label = mac_biba_destroy_label,
 	.mpo_destroy_sysv_sem_label = mac_biba_destroy_label,
@@ -3108,6 +3132,7 @@ static struct mac_policy_ops mac_biba_ops =
 	.mpo_create_vnode_extattr = mac_biba_create_vnode_extattr,
 	.mpo_setlabel_vnode_extattr = mac_biba_setlabel_vnode_extattr,
 	.mpo_create_mbuf_from_socket = mac_biba_create_mbuf_from_socket,
+	.mpo_create_mbuf_from_syncache = mac_biba_create_mbuf_from_syncache,
 	.mpo_create_pipe = mac_biba_create_pipe,
 	.mpo_create_posix_sem = mac_biba_create_posix_sem,
 	.mpo_create_socket = mac_biba_create_socket,

sys/security/mac_lomac/mac_lomac.c

@@ -1447,6 +1447,27 @@ mac_lomac_inpcb_sosetlabel(struct socket *so, struct label *solabel,
 	mac_lomac_copy_single(source, dest);
 }
 
+static void
+mac_lomac_init_syncache_from_inpcb(struct label *label, struct inpcb *inp)
+{
+	struct mac_lomac *source, *dest;
+
+	source = SLOT(inp->inp_label);
+	dest = SLOT(label);
+	mac_lomac_copy(source, dest);
+}
+
+static void
+mac_lomac_create_mbuf_from_syncache(struct label *sc_label, struct mbuf *m,
+    struct label *mbuf_label)
+{
+	struct mac_lomac *source, *dest;
+
+	source = SLOT(sc_label);
+	dest = SLOT(mbuf_label);
+	mac_lomac_copy(source, dest);
+}
+
 static void
 mac_lomac_create_mbuf_from_firewall(struct mbuf *m, struct label *label)
 {
@@ -2574,6 +2595,7 @@ static struct mac_policy_ops mac_lomac_ops =
 	.mpo_init_cred_label = mac_lomac_init_label,
 	.mpo_init_devfsdirent_label = mac_lomac_init_label,
 	.mpo_init_ifnet_label = mac_lomac_init_label,
+	.mpo_init_syncache_label = mac_lomac_init_label_waitcheck,
 	.mpo_init_inpcb_label = mac_lomac_init_label_waitcheck,
 	.mpo_init_ipq_label = mac_lomac_init_label_waitcheck,
 	.mpo_init_mbuf_label = mac_lomac_init_label_waitcheck,
@@ -2584,6 +2606,7 @@ static struct mac_policy_ops mac_lomac_ops =
 	.mpo_init_socket_label = mac_lomac_init_label_waitcheck,
 	.mpo_init_socket_peer_label = mac_lomac_init_label_waitcheck,
 	.mpo_init_vnode_label = mac_lomac_init_label,
+	.mpo_init_syncache_from_inpcb = mac_lomac_init_syncache_from_inpcb,
 	.mpo_destroy_bpfdesc_label = mac_lomac_destroy_label,
 	.mpo_destroy_cred_label = mac_lomac_destroy_label,
 	.mpo_destroy_devfsdirent_label = mac_lomac_destroy_label,
@@ -2595,6 +2618,7 @@ static struct mac_policy_ops mac_lomac_ops =
 	.mpo_destroy_mount_fs_label = mac_lomac_destroy_label,
 	.mpo_destroy_pipe_label = mac_lomac_destroy_label,
 	.mpo_destroy_proc_label = mac_lomac_destroy_proc_label,
+	.mpo_destroy_syncache_label = mac_lomac_destroy_label,
 	.mpo_destroy_socket_label = mac_lomac_destroy_label,
 	.mpo_destroy_socket_peer_label = mac_lomac_destroy_label,
 	.mpo_destroy_vnode_label = mac_lomac_destroy_label,
@@ -2628,6 +2652,7 @@ static struct mac_policy_ops mac_lomac_ops =
 	.mpo_create_vnode_extattr = mac_lomac_create_vnode_extattr,
 	.mpo_setlabel_vnode_extattr = mac_lomac_setlabel_vnode_extattr,
 	.mpo_create_mbuf_from_socket = mac_lomac_create_mbuf_from_socket,
+	.mpo_create_mbuf_from_syncache = mac_lomac_create_mbuf_from_syncache,
 	.mpo_create_pipe = mac_lomac_create_pipe,
 	.mpo_create_socket = mac_lomac_create_socket,
 	.mpo_create_socket_from_socket = mac_lomac_create_socket_from_socket,

sys/security/mac_mls/mac_mls.c

@@ -1315,6 +1315,27 @@ mac_mls_create_mbuf_from_firewall(struct mbuf *m, struct label *mbuflabel)
 	mac_mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL);
 }
 
+static void
+mac_mls_init_syncache_from_inpcb(struct label *label, struct inpcb *inp)
+{
+	struct mac_mls *source, *dest;
+
+	source = SLOT(inp->inp_label);
+	dest = SLOT(label);
+	mac_mls_copy_effective(source, dest);
+}
+
+static void
+mac_mls_create_mbuf_from_syncache(struct label *sc_label, struct mbuf *m,
+    struct label *mbuf_label)
+{
+	struct mac_mls *source, *dest;
+
+	source = SLOT(sc_label);
+	dest = SLOT(mbuf_label);
+	mac_mls_copy_effective(source, dest);
+}
+
 /*
  * Labeling event operations: processes.
  */
@@ -2817,6 +2838,7 @@ static struct mac_policy_ops mac_mls_ops =
 	.mpo_init_devfsdirent_label = mac_mls_init_label,
 	.mpo_init_ifnet_label = mac_mls_init_label,
 	.mpo_init_inpcb_label = mac_mls_init_label_waitcheck,
+	.mpo_init_syncache_label = mac_mls_init_label_waitcheck,
 	.mpo_init_sysv_msgmsg_label = mac_mls_init_label,
 	.mpo_init_sysv_msgqueue_label = mac_mls_init_label,
 	.mpo_init_sysv_sem_label = mac_mls_init_label,
@@ -2835,6 +2857,7 @@ static struct mac_policy_ops mac_mls_ops =
 	.mpo_destroy_devfsdirent_label = mac_mls_destroy_label,
 	.mpo_destroy_ifnet_label = mac_mls_destroy_label,
 	.mpo_destroy_inpcb_label = mac_mls_destroy_label,
+	.mpo_destroy_syncache_label = mac_mls_destroy_label,
 	.mpo_destroy_sysv_msgmsg_label = mac_mls_destroy_label,
 	.mpo_destroy_sysv_msgqueue_label = mac_mls_destroy_label,
 	.mpo_destroy_sysv_sem_label = mac_mls_destroy_label,
@@ -2877,6 +2900,7 @@ static struct mac_policy_ops mac_mls_ops =
 	.mpo_create_vnode_extattr = mac_mls_create_vnode_extattr,
 	.mpo_setlabel_vnode_extattr = mac_mls_setlabel_vnode_extattr,
 	.mpo_create_mbuf_from_socket = mac_mls_create_mbuf_from_socket,
+	.mpo_create_mbuf_from_syncache = mac_mls_create_mbuf_from_syncache,
 	.mpo_create_pipe = mac_mls_create_pipe,
 	.mpo_create_posix_sem = mac_mls_create_posix_sem,
 	.mpo_create_socket = mac_mls_create_socket,
@@ -2890,6 +2914,7 @@ static struct mac_policy_ops mac_mls_ops =
 	.mpo_create_fragment = mac_mls_create_fragment,
 	.mpo_create_ifnet = mac_mls_create_ifnet,
 	.mpo_create_inpcb_from_socket = mac_mls_create_inpcb_from_socket,
+	.mpo_init_syncache_from_inpcb = mac_mls_init_syncache_from_inpcb,
 	.mpo_create_ipq = mac_mls_create_ipq,
 	.mpo_create_sysv_msgmsg = mac_mls_create_sysv_msgmsg,
 	.mpo_create_sysv_msgqueue = mac_mls_create_sysv_msgqueue,