diff --git a/sys/kern/kern_mac.c b/sys/kern/kern_mac.c
index 6b2e6534e10f..17b37d8d1345 100644
--- a/sys/kern/kern_mac.c
+++ b/sys/kern/kern_mac.c
@@ -697,15 +697,23 @@ mac_init_ifnet(struct ifnet *ifp)
 	mac_init_ifnet_label(&ifp->if_label);
 }
 
-void
-mac_init_ipq(struct ipq *ipq)
+int
+mac_init_ipq(struct ipq *ipq, int flag)
 {
+	int error;
 
 	mac_init_label(&ipq->ipq_label);
-	MAC_PERFORM(init_ipq_label, &ipq->ipq_label);
+
+	MAC_CHECK(init_ipq_label, &ipq->ipq_label, flag);
+	if (error) {
+		MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label);
+		mac_destroy_label(&ipq->ipq_label);
+	}
 #ifdef MAC_DEBUG
-	atomic_add_int(&nmacipqs, 1);
+	if (error == 0)
+		atomic_add_int(&nmacipqs, 1);
 #endif
+	return (error);
 }
 
 int
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index 44e4edaa142b..e26cc8dd55fe 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -983,7 +983,10 @@ ip_reass(struct mbuf *m, struct ipqhead *head, struct ipq *fp,
 			goto dropfrag;
 		fp = mtod(t, struct ipq *);
 #ifdef MAC
-		mac_init_ipq(fp);
+		if (mac_init_ipq(fp, M_NOWAIT) != 0) {
+			m_free(t);
+			goto dropfrag;
+		}
 		mac_create_ipq(m, fp);
 #endif
 		TAILQ_INSERT_HEAD(head, fp, ipq_list);
diff --git a/sys/security/mac/mac_framework.c b/sys/security/mac/mac_framework.c
index 6b2e6534e10f..17b37d8d1345 100644
--- a/sys/security/mac/mac_framework.c
+++ b/sys/security/mac/mac_framework.c
@@ -697,15 +697,23 @@ mac_init_ifnet(struct ifnet *ifp)
 	mac_init_ifnet_label(&ifp->if_label);
 }
 
-void
-mac_init_ipq(struct ipq *ipq)
+int
+mac_init_ipq(struct ipq *ipq, int flag)
 {
+	int error;
 
 	mac_init_label(&ipq->ipq_label);
-	MAC_PERFORM(init_ipq_label, &ipq->ipq_label);
+
+	MAC_CHECK(init_ipq_label, &ipq->ipq_label, flag);
+	if (error) {
+		MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label);
+		mac_destroy_label(&ipq->ipq_label);
+	}
 #ifdef MAC_DEBUG
-	atomic_add_int(&nmacipqs, 1);
+	if (error == 0)
+		atomic_add_int(&nmacipqs, 1);
 #endif
+	return (error);
 }
 
 int
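Review bot: The failure path at `if (error) {` runs `MAC_PERFORM(destroy_ipq_label, ...)` against every loaded policy, including the one whose `mpo_init_ipq_label` returned the error and any that were never reached, so the contract that a policy's destroy entry point must tolerate a label its own init did not complete should be stated above the `MAC_CHECK` line, e.g. `/* On failure every policy's destroy_ipq_label runs, so policies must accept a partially initialized label. */`. `int error;` is also left uninitialized and relies on `MAC_CHECK` assigning it on every expansion, which the hunk does not show; if the macro can expand to a loop body that runs zero times without a preceding `error = 0`, `if (error)` reads an indeterminate value, and `int error = 0;` would make the function independent of that detail. The same hunk is repeated verbatim for sys/security/mac/mac_framework.c, mac_internal.h, mac_net.c, mac_pipe.c, mac_process.c, mac_syscalls.c, mac_system.c and mac_vfs.c, and both points apply there too.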
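Review bot: After `m_free(t);` on the new failure branch, `fp` still aliases the freed mbuf because it was assigned from `mtod(t, struct ipq *)` two lines earlier, and the jump to `dropfrag` leaves it that way. The `t == NULL` path just above reaches `dropfrag` with `fp == NULL`, so if the label (outside this hunk) touches `fp` for any bookkeeping, this branch becomes a use-after-free on an attacker-triggerable allocation-failure path; resetting the pointer keeps both paths equivalent: `m_free(t); fp = NULL; goto dropfrag;`. ip_reass continues on both sides of the hunk.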
diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h
index b12ba2acd70f..3cc856d30fa3 100644
--- a/sys/security/mac/mac_framework.h
+++ b/sys/security/mac/mac_framework.h
@@ -133,7 +133,7 @@ void	mac_init_bpfdesc(struct bpf_d *);
 void	mac_init_cred(struct ucred *);
 void	mac_init_devfsdirent(struct devfs_dirent *);
 void	mac_init_ifnet(struct ifnet *);
-void	mac_init_ipq(struct ipq *);
+int	mac_init_ipq(struct ipq *, int flag);
 int	mac_init_socket(struct socket *, int flag);
 void	mac_init_pipe(struct pipe *);
 int	mac_init_mbuf(struct mbuf *m, int flag);
diff --git a/sys/security/mac/mac_internal.h b/sys/security/mac/mac_internal.h
index 6b2e6534e10f..17b37d8d1345 100644
--- a/sys/security/mac/mac_internal.h
+++ b/sys/security/mac/mac_internal.h
@@ -697,15 +697,23 @@ mac_init_ifnet(struct ifnet *ifp)
 	mac_init_ifnet_label(&ifp->if_label);
 }
 
-void
-mac_init_ipq(struct ipq *ipq)
+int
+mac_init_ipq(struct ipq *ipq, int flag)
 {
+	int error;
 
 	mac_init_label(&ipq->ipq_label);
-	MAC_PERFORM(init_ipq_label, &ipq->ipq_label);
+
+	MAC_CHECK(init_ipq_label, &ipq->ipq_label, flag);
+	if (error) {
+		MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label);
+		mac_destroy_label(&ipq->ipq_label);
+	}
 #ifdef MAC_DEBUG
-	atomic_add_int(&nmacipqs, 1);
+	if (error == 0)
+		atomic_add_int(&nmacipqs, 1);
 #endif
+	return (error);
 }
 
 int
diff --git a/sys/security/mac/mac_net.c b/sys/security/mac/mac_net.c
index 6b2e6534e10f..17b37d8d1345 100644
--- a/sys/security/mac/mac_net.c
+++ b/sys/security/mac/mac_net.c
@@ -697,15 +697,23 @@ mac_init_ifnet(struct ifnet *ifp)
 	mac_init_ifnet_label(&ifp->if_label);
 }
 
-void
-mac_init_ipq(struct ipq *ipq)
+int
+mac_init_ipq(struct ipq *ipq, int flag)
 {
+	int error;
 
 	mac_init_label(&ipq->ipq_label);
-	MAC_PERFORM(init_ipq_label, &ipq->ipq_label);
+
+	MAC_CHECK(init_ipq_label, &ipq->ipq_label, flag);
+	if (error) {
+		MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label);
+		mac_destroy_label(&ipq->ipq_label);
+	}
 #ifdef MAC_DEBUG
-	atomic_add_int(&nmacipqs, 1);
+	if (error == 0)
+		atomic_add_int(&nmacipqs, 1);
 #endif
+	return (error);
 }
 
 int
diff --git a/sys/security/mac/mac_pipe.c b/sys/security/mac/mac_pipe.c
index 6b2e6534e10f..17b37d8d1345 100644
--- a/sys/security/mac/mac_pipe.c
+++ b/sys/security/mac/mac_pipe.c
@@ -697,15 +697,23 @@ mac_init_ifnet(struct ifnet *ifp)
 	mac_init_ifnet_label(&ifp->if_label);
 }
 
-void
-mac_init_ipq(struct ipq *ipq)
+int
+mac_init_ipq(struct ipq *ipq, int flag)
 {
+	int error;
 
 	mac_init_label(&ipq->ipq_label);
-	MAC_PERFORM(init_ipq_label, &ipq->ipq_label);
+
+	MAC_CHECK(init_ipq_label, &ipq->ipq_label, flag);
+	if (error) {
+		MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label);
+		mac_destroy_label(&ipq->ipq_label);
+	}
 #ifdef MAC_DEBUG
-	atomic_add_int(&nmacipqs, 1);
+	if (error == 0)
+		atomic_add_int(&nmacipqs, 1);
 #endif
+	return (error);
 }
 
 int
diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h
index d536f05659f6..4e00577587c6 100644
--- a/sys/security/mac/mac_policy.h
+++ b/sys/security/mac/mac_policy.h
@@ -73,7 +73,7 @@ struct mac_policy_ops {
 	void	(*mpo_init_cred_label)(struct label *label);
 	void	(*mpo_init_devfsdirent_label)(struct label *label);
 	void	(*mpo_init_ifnet_label)(struct label *label);
-	void	(*mpo_init_ipq_label)(struct label *label);
+	int	(*mpo_init_ipq_label)(struct label *label, int flag);
 	int	(*mpo_init_mbuf_label)(struct label *label, int flag);
 	void	(*mpo_init_mount_label)(struct label *label);
 	void	(*mpo_init_mount_fs_label)(struct label *label);
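Review bot: The new `flag` parameter on `mpo_init_ipq_label` and the meaning of its `int` return are not documented in the hunk, and the adjacent `mpo_init_mbuf_label` member has the same undocumented shape, so a policy author has to read the framework to learn that a non-zero return causes the label to be torn down. A one-line comment on the member would cover it, e.g. `/* flag is M_WAITOK or M_NOWAIT; return 0 or an errno, non-zero makes the framework destroy the label. */`; the destroy-on-failure part is what mac_init_ipq in this commit does, so the comment must be kept in step with it. The identical hunk for sys/sys/mac_policy.h needs the same comment. The struct definition continues outside the hunk on both sides.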
diff --git a/sys/security/mac/mac_process.c b/sys/security/mac/mac_process.c
index 6b2e6534e10f..17b37d8d1345 100644
--- a/sys/security/mac/mac_process.c
+++ b/sys/security/mac/mac_process.c
@@ -697,15 +697,23 @@ mac_init_ifnet(struct ifnet *ifp)
 	mac_init_ifnet_label(&ifp->if_label);
 }
 
-void
-mac_init_ipq(struct ipq *ipq)
+int
+mac_init_ipq(struct ipq *ipq, int flag)
 {
+	int error;
 
 	mac_init_label(&ipq->ipq_label);
-	MAC_PERFORM(init_ipq_label, &ipq->ipq_label);
+
+	MAC_CHECK(init_ipq_label, &ipq->ipq_label, flag);
+	if (error) {
+		MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label);
+		mac_destroy_label(&ipq->ipq_label);
+	}
 #ifdef MAC_DEBUG
-	atomic_add_int(&nmacipqs, 1);
+	if (error == 0)
+		atomic_add_int(&nmacipqs, 1);
 #endif
+	return (error);
 }
 
 int
diff --git a/sys/security/mac/mac_syscalls.c b/sys/security/mac/mac_syscalls.c
index 6b2e6534e10f..17b37d8d1345 100644
--- a/sys/security/mac/mac_syscalls.c
+++ b/sys/security/mac/mac_syscalls.c
@@ -697,15 +697,23 @@ mac_init_ifnet(struct ifnet *ifp)
 	mac_init_ifnet_label(&ifp->if_label);
 }
 
-void
-mac_init_ipq(struct ipq *ipq)
+int
+mac_init_ipq(struct ipq *ipq, int flag)
 {
+	int error;
 
 	mac_init_label(&ipq->ipq_label);
-	MAC_PERFORM(init_ipq_label, &ipq->ipq_label);
+
+	MAC_CHECK(init_ipq_label, &ipq->ipq_label, flag);
+	if (error) {
+		MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label);
+		mac_destroy_label(&ipq->ipq_label);
+	}
 #ifdef MAC_DEBUG
-	atomic_add_int(&nmacipqs, 1);
+	if (error == 0)
+		atomic_add_int(&nmacipqs, 1);
 #endif
+	return (error);
 }
 
 int
diff --git a/sys/security/mac/mac_system.c b/sys/security/mac/mac_system.c
index 6b2e6534e10f..17b37d8d1345 100644
--- a/sys/security/mac/mac_system.c
+++ b/sys/security/mac/mac_system.c
@@ -697,15 +697,23 @@ mac_init_ifnet(struct ifnet *ifp)
 	mac_init_ifnet_label(&ifp->if_label);
 }
 
-void
-mac_init_ipq(struct ipq *ipq)
+int
+mac_init_ipq(struct ipq *ipq, int flag)
 {
+	int error;
 
 	mac_init_label(&ipq->ipq_label);
-	MAC_PERFORM(init_ipq_label, &ipq->ipq_label);
+
+	MAC_CHECK(init_ipq_label, &ipq->ipq_label, flag);
+	if (error) {
+		MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label);
+		mac_destroy_label(&ipq->ipq_label);
+	}
 #ifdef MAC_DEBUG
-	atomic_add_int(&nmacipqs, 1);
+	if (error == 0)
+		atomic_add_int(&nmacipqs, 1);
 #endif
+	return (error);
 }
 
 int
diff --git a/sys/security/mac/mac_vfs.c b/sys/security/mac/mac_vfs.c
index 6b2e6534e10f..17b37d8d1345 100644
--- a/sys/security/mac/mac_vfs.c
+++ b/sys/security/mac/mac_vfs.c
@@ -697,15 +697,23 @@ mac_init_ifnet(struct ifnet *ifp)
 	mac_init_ifnet_label(&ifp->if_label);
 }
 
-void
-mac_init_ipq(struct ipq *ipq)
+int
+mac_init_ipq(struct ipq *ipq, int flag)
 {
+	int error;
 
 	mac_init_label(&ipq->ipq_label);
-	MAC_PERFORM(init_ipq_label, &ipq->ipq_label);
+
+	MAC_CHECK(init_ipq_label, &ipq->ipq_label, flag);
+	if (error) {
+		MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label);
+		mac_destroy_label(&ipq->ipq_label);
+	}
 #ifdef MAC_DEBUG
-	atomic_add_int(&nmacipqs, 1);
+	if (error == 0)
+		atomic_add_int(&nmacipqs, 1);
 #endif
+	return (error);
 }
 
 int
diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c
index 2b045e48778f..8f2efe4b8317 100644
--- a/sys/security/mac_biba/mac_biba.c
+++ b/sys/security/mac_biba/mac_biba.c
@@ -2621,7 +2621,7 @@ static struct mac_policy_ops mac_biba_ops =
 	.mpo_init_cred_label = mac_biba_init_label,
 	.mpo_init_devfsdirent_label = mac_biba_init_label,
 	.mpo_init_ifnet_label = mac_biba_init_label,
-	.mpo_init_ipq_label = mac_biba_init_label,
+	.mpo_init_ipq_label = mac_biba_init_label_waitcheck,
 	.mpo_init_mbuf_label = mac_biba_init_label_waitcheck,
 	.mpo_init_mount_label = mac_biba_init_label,
 	.mpo_init_mount_fs_label = mac_biba_init_label,
diff --git a/sys/security/mac_lomac/mac_lomac.c b/sys/security/mac_lomac/mac_lomac.c
index ef11d6332a1d..0287ad2e9180 100644
--- a/sys/security/mac_lomac/mac_lomac.c
+++ b/sys/security/mac_lomac/mac_lomac.c
@@ -2612,7 +2612,7 @@ static struct mac_policy_ops mac_lomac_ops =
 	.mpo_init_cred_label = mac_lomac_init_label,
 	.mpo_init_devfsdirent_label = mac_lomac_init_label,
 	.mpo_init_ifnet_label = mac_lomac_init_label,
-	.mpo_init_ipq_label = mac_lomac_init_label,
+	.mpo_init_ipq_label = mac_lomac_init_label_waitcheck,
 	.mpo_init_mbuf_label = mac_lomac_init_label_waitcheck,
 	.mpo_init_mount_label = mac_lomac_init_label,
 	.mpo_init_mount_fs_label = mac_lomac_init_label,
diff --git a/sys/security/mac_mls/mac_mls.c b/sys/security/mac_mls/mac_mls.c
index ed7ac61169b6..0645cf9b5c6f 100644
--- a/sys/security/mac_mls/mac_mls.c
+++ b/sys/security/mac_mls/mac_mls.c
@@ -2384,7 +2384,7 @@ static struct mac_policy_ops mac_mls_ops =
 	.mpo_init_cred_label = mac_mls_init_label,
 	.mpo_init_devfsdirent_label = mac_mls_init_label,
 	.mpo_init_ifnet_label = mac_mls_init_label,
-	.mpo_init_ipq_label = mac_mls_init_label,
+	.mpo_init_ipq_label = mac_mls_init_label_waitcheck,
 	.mpo_init_mbuf_label = mac_mls_init_label_waitcheck,
 	.mpo_init_mount_label = mac_mls_init_label,
 	.mpo_init_mount_fs_label = mac_mls_init_label,
diff --git a/sys/security/mac_none/mac_none.c b/sys/security/mac_none/mac_none.c
index 482128aa0d96..5bb8a428fb47 100644
--- a/sys/security/mac_none/mac_none.c
+++ b/sys/security/mac_none/mac_none.c
@@ -974,7 +974,7 @@ static struct mac_policy_ops mac_none_ops =
 	.mpo_init_cred_label = mac_none_init_label,
 	.mpo_init_devfsdirent_label = mac_none_init_label,
 	.mpo_init_ifnet_label = mac_none_init_label,
-	.mpo_init_ipq_label = mac_none_init_label,
+	.mpo_init_ipq_label = mac_none_init_label_waitcheck,
 	.mpo_init_mbuf_label = mac_none_init_label_waitcheck,
 	.mpo_init_mount_label = mac_none_init_label,
 	.mpo_init_mount_fs_label = mac_none_init_label,
diff --git a/sys/security/mac_stub/mac_stub.c b/sys/security/mac_stub/mac_stub.c
index 482128aa0d96..5bb8a428fb47 100644
--- a/sys/security/mac_stub/mac_stub.c
+++ b/sys/security/mac_stub/mac_stub.c
@@ -974,7 +974,7 @@ static struct mac_policy_ops mac_none_ops =
 	.mpo_init_cred_label = mac_none_init_label,
 	.mpo_init_devfsdirent_label = mac_none_init_label,
 	.mpo_init_ifnet_label = mac_none_init_label,
-	.mpo_init_ipq_label = mac_none_init_label,
+	.mpo_init_ipq_label = mac_none_init_label_waitcheck,
 	.mpo_init_mbuf_label = mac_none_init_label_waitcheck,
 	.mpo_init_mount_label = mac_none_init_label,
 	.mpo_init_mount_fs_label = mac_none_init_label,
diff --git a/sys/security/mac_test/mac_test.c b/sys/security/mac_test/mac_test.c
index 25097316b2dd..751186d9421e 100644
--- a/sys/security/mac_test/mac_test.c
+++ b/sys/security/mac_test/mac_test.c
@@ -242,12 +242,13 @@ mac_test_init_ifnet_label(struct label *label)
 	atomic_add_int(&init_count_ifnet, 1);
 }
 
-static void
-mac_test_init_ipq_label(struct label *label)
+static int
+mac_test_init_ipq_label(struct label *label, int flag)
 {
 
 	SLOT(label) = IPQMAGIC;
 	atomic_add_int(&init_count_ipq, 1);
+	return (0);
 }
 
 static int
diff --git a/sys/sys/mac.h b/sys/sys/mac.h
index b12ba2acd70f..3cc856d30fa3 100644
--- a/sys/sys/mac.h
+++ b/sys/sys/mac.h
@@ -133,7 +133,7 @@ void	mac_init_bpfdesc(struct bpf_d *);
 void	mac_init_cred(struct ucred *);
 void	mac_init_devfsdirent(struct devfs_dirent *);
 void	mac_init_ifnet(struct ifnet *);
-void	mac_init_ipq(struct ipq *);
+int	mac_init_ipq(struct ipq *, int flag);
 int	mac_init_socket(struct socket *, int flag);
 void	mac_init_pipe(struct pipe *);
 int	mac_init_mbuf(struct mbuf *m, int flag);
diff --git a/sys/sys/mac_policy.h b/sys/sys/mac_policy.h
index d536f05659f6..4e00577587c6 100644
--- a/sys/sys/mac_policy.h
+++ b/sys/sys/mac_policy.h
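Review bot: `mac_test_init_ipq_label` now takes `flag` but never reads it and unconditionally returns 0 after `atomic_add_int(&init_count_ipq, 1);`, so the test policy cannot exercise the framework's new error path in mac_init_ipq or the caller's `m_free`/`dropfrag` branch in ip_reass. That is a reasonable choice for a policy that allocates nothing, but it should be explicit, e.g. `/* flag is unused: this policy allocates nothing, so initialization cannot fail. */` above the `SLOT(label) = IPQMAGIC;` line. If the module is meant to cover the M_NOWAIT failure handling in the fragment-reassembly path, a policy that can be told to fail would be the place for that, not this function.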
@@ -73,7 +73,7 @@ struct mac_policy_ops {
 	void	(*mpo_init_cred_label)(struct label *label);
 	void	(*mpo_init_devfsdirent_label)(struct label *label);
 	void	(*mpo_init_ifnet_label)(struct label *label);
-	void	(*mpo_init_ipq_label)(struct label *label);
+	int	(*mpo_init_ipq_label)(struct label *label, int flag);
 	int	(*mpo_init_mbuf_label)(struct label *label, int flag);
 	void	(*mpo_init_mount_label)(struct label *label);
 	void	(*mpo_init_mount_fs_label)(struct label *label);