d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

mac: Honor order when registering MAC modules.

Browse Source 
Ensure MAC modules are inserted in order that they are registered.

Reviewed by:	markj
Obtained from:	Juniper Networks, Inc.
Differential Revision: https://reviews.freebsd.org/D39589
This commit is contained in:
Steve Kiernan 2023-04-02 15:17:17 -07:00 committed by Stephen J. Kiernan
parent 21d56b7966
commit 8deb442cf7
1 changed files with 16 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
sys/security/mac/mac_framework.c
View File

@ -519,7 +519,8 @@ mac_policy_fastpath_unregister(struct mac_policy_conf *mpc)
static int
mac_policy_register(struct mac_policy_conf *mpc)
{
struct mac_policy_conf *tmpc;
struct mac_policy_list_head *mpc_list;
struct mac_policy_conf *last_mpc, *tmpc;
int error, slot, static_entry;
error = 0;
@ -539,19 +540,14 @@ mac_policy_register(struct mac_policy_conf *mpc)
static_entry = (!mac_late &&
!(mpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_UNLOADOK));
if (static_entry) {
LIST_FOREACH(tmpc, &mac_static_policy_list, mpc_list) {
if (strcmp(tmpc->mpc_name, mpc->mpc_name) == 0) {
error = EEXIST;
goto out;
}
}
} else {
LIST_FOREACH(tmpc, &mac_policy_list, mpc_list) {
if (strcmp(tmpc->mpc_name, mpc->mpc_name) == 0) {
error = EEXIST;
goto out;
}
mpc_list = (static_entry) ? &mac_static_policy_list :
&mac_policy_list;
last_mpc = NULL;
LIST_FOREACH(tmpc, mpc_list, mpc_list) {
last_mpc = tmpc;
if (strcmp(tmpc->mpc_name, mpc->mpc_name) == 0) {
error = EEXIST;
goto out;
}
}
if (mpc->mpc_field_off != NULL) {
@ -567,16 +563,14 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_runtime_flags |= MPC_RUNTIME_FLAG_REGISTERED;
/*
* If we're loading a MAC module after the framework has initialized,
* it has to go into the dynamic list. If we're loading it before
* we've finished initializing, it can go into the static list with
* weaker locker requirements.
* Some modules may depend on the operations of its dependencies.
* Inserting modules in order of registration ensures operations
* that work on the module list retain dependency order.
*/
if (static_entry)
LIST_INSERT_HEAD(&mac_static_policy_list, mpc, mpc_list);
if (last_mpc == NULL)
LIST_INSERT_HEAD(mpc_list, mpc, mpc_list);
else
LIST_INSERT_HEAD(&mac_policy_list, mpc, mpc_list);
LIST_INSERT_AFTER(last_mpc, mpc, mpc_list);
/*
* Per-policy initialization. Currently, this takes place under the
* exclusive lock, so policies must not sleep in their init method.