Begin another merge from the TrustedBSD MAC branch:

- Change mpo_init_foo(obj, label) and mpo_destroy_foo(obj, label) policy
  entry points to mpo_init_foo_label(label) and
  mpo_destroy_foo_label(label).  This will permit the use of the same
  entry points for holding a temporary type-specific label during
  internalization and externalization, as well as for caching purposes.
- Because of this, break out mpo_{init,destroy}_socket() and
  mpo_{init,destroy}_mount() into separate entry points for socket
  main/peer labels and mount main/fs labels.
- Since the prototype for label initialization is the same across almost
  all entry points, implement these entry points using common
  implementations for Biba, MLS, and Test, reducing the number of
  almost identical looking functions.

This simplifies policy implementation, as well as preparing us for the
merge of the new flexible userland API for managing labels on objects.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
Robert Watson 2002-10-05 15:10:00 +00:00
parent ef795b8f41
commit 96adb90996
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=104514
16 changed files with 1246 additions and 1540 deletions


@ -394,92 +394,108 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_syscall =
mpe->mpe_function;
break;
case MAC_INIT_BPFDESC:
mpc->mpc_ops->mpo_init_bpfdesc =
case MAC_INIT_BPFDESC_LABEL:
mpc->mpc_ops->mpo_init_bpfdesc_label =
mpe->mpe_function;
break;
case MAC_INIT_CRED:
mpc->mpc_ops->mpo_init_cred =
case MAC_INIT_CRED_LABEL:
mpc->mpc_ops->mpo_init_cred_label =
mpe->mpe_function;
break;
case MAC_INIT_DEVFSDIRENT:
mpc->mpc_ops->mpo_init_devfsdirent =
case MAC_INIT_DEVFSDIRENT_LABEL:
mpc->mpc_ops->mpo_init_devfsdirent_label =
mpe->mpe_function;
break;
case MAC_INIT_IFNET:
mpc->mpc_ops->mpo_init_ifnet =
case MAC_INIT_IFNET_LABEL:
mpc->mpc_ops->mpo_init_ifnet_label =
mpe->mpe_function;
break;
case MAC_INIT_IPQ:
mpc->mpc_ops->mpo_init_ipq =
case MAC_INIT_IPQ_LABEL:
mpc->mpc_ops->mpo_init_ipq_label =
mpe->mpe_function;
break;
case MAC_INIT_MBUF:
mpc->mpc_ops->mpo_init_mbuf =
case MAC_INIT_MBUF_LABEL:
mpc->mpc_ops->mpo_init_mbuf_label =
mpe->mpe_function;
break;
case MAC_INIT_MOUNT:
mpc->mpc_ops->mpo_init_mount =
case MAC_INIT_MOUNT_LABEL:
mpc->mpc_ops->mpo_init_mount_label =
mpe->mpe_function;
break;
case MAC_INIT_PIPE:
mpc->mpc_ops->mpo_init_pipe =
case MAC_INIT_MOUNT_FS_LABEL:
mpc->mpc_ops->mpo_init_mount_fs_label =
mpe->mpe_function;
break;
case MAC_INIT_SOCKET:
mpc->mpc_ops->mpo_init_socket =
case MAC_INIT_PIPE_LABEL:
mpc->mpc_ops->mpo_init_pipe_label =
mpe->mpe_function;
break;
case MAC_INIT_TEMP:
mpc->mpc_ops->mpo_init_temp =
case MAC_INIT_SOCKET_LABEL:
mpc->mpc_ops->mpo_init_socket_label =
mpe->mpe_function;
break;
case MAC_INIT_VNODE:
mpc->mpc_ops->mpo_init_vnode =
case MAC_INIT_SOCKET_PEER_LABEL:
mpc->mpc_ops->mpo_init_socket_peer_label =
mpe->mpe_function;
break;
case MAC_DESTROY_BPFDESC:
mpc->mpc_ops->mpo_destroy_bpfdesc =
case MAC_INIT_TEMP_LABEL:
mpc->mpc_ops->mpo_init_temp_label =
mpe->mpe_function;
break;
case MAC_DESTROY_CRED:
mpc->mpc_ops->mpo_destroy_cred =
case MAC_INIT_VNODE_LABEL:
mpc->mpc_ops->mpo_init_vnode_label =
mpe->mpe_function;
break;
case MAC_DESTROY_DEVFSDIRENT:
mpc->mpc_ops->mpo_destroy_devfsdirent =
case MAC_DESTROY_BPFDESC_LABEL:
mpc->mpc_ops->mpo_destroy_bpfdesc_label =
mpe->mpe_function;
break;
case MAC_DESTROY_IFNET:
mpc->mpc_ops->mpo_destroy_ifnet =
case MAC_DESTROY_CRED_LABEL:
mpc->mpc_ops->mpo_destroy_cred_label =
mpe->mpe_function;
break;
case MAC_DESTROY_IPQ:
mpc->mpc_ops->mpo_destroy_ipq =
case MAC_DESTROY_DEVFSDIRENT_LABEL:
mpc->mpc_ops->mpo_destroy_devfsdirent_label =
mpe->mpe_function;
break;
case MAC_DESTROY_MBUF:
mpc->mpc_ops->mpo_destroy_mbuf =
case MAC_DESTROY_IFNET_LABEL:
mpc->mpc_ops->mpo_destroy_ifnet_label =
mpe->mpe_function;
break;
case MAC_DESTROY_MOUNT:
mpc->mpc_ops->mpo_destroy_mount =
case MAC_DESTROY_IPQ_LABEL:
mpc->mpc_ops->mpo_destroy_ipq_label =
mpe->mpe_function;
break;
case MAC_DESTROY_PIPE:
mpc->mpc_ops->mpo_destroy_pipe =
case MAC_DESTROY_MBUF_LABEL:
mpc->mpc_ops->mpo_destroy_mbuf_label =
mpe->mpe_function;
break;
case MAC_DESTROY_SOCKET:
mpc->mpc_ops->mpo_destroy_socket =
case MAC_DESTROY_MOUNT_LABEL:
mpc->mpc_ops->mpo_destroy_mount_label =
mpe->mpe_function;
break;
case MAC_DESTROY_TEMP:
mpc->mpc_ops->mpo_destroy_temp =
case MAC_DESTROY_MOUNT_FS_LABEL:
mpc->mpc_ops->mpo_destroy_mount_fs_label =
mpe->mpe_function;
break;
case MAC_DESTROY_VNODE:
mpc->mpc_ops->mpo_destroy_vnode =
case MAC_DESTROY_PIPE_LABEL:
mpc->mpc_ops->mpo_destroy_pipe_label =
mpe->mpe_function;
break;
case MAC_DESTROY_SOCKET_LABEL:
mpc->mpc_ops->mpo_destroy_socket_label =
mpe->mpe_function;
break;
case MAC_DESTROY_SOCKET_PEER_LABEL:
mpc->mpc_ops->mpo_destroy_socket_peer_label =
mpe->mpe_function;
break;
case MAC_DESTROY_TEMP_LABEL:
mpc->mpc_ops->mpo_destroy_temp_label =
mpe->mpe_function;
break;
case MAC_DESTROY_VNODE_LABEL:
mpc->mpc_ops->mpo_destroy_vnode_label =
mpe->mpe_function;
break;
case MAC_EXTERNALIZE:
@ -1290,7 +1306,7 @@ mac_init_mbuf(struct mbuf *m, int how)
/* "how" is one of M_(TRY|DONT)WAIT */
mac_init_label(&m->m_pkthdr.label);
MAC_PERFORM(init_mbuf, m, how, &m->m_pkthdr.label);
MAC_PERFORM(init_mbuf_label, &m->m_pkthdr.label, how);
#ifdef MAC_DEBUG
atomic_add_int(&nmacmbufs, 1);
#endif
@ -1301,7 +1317,7 @@ void
mac_destroy_mbuf(struct mbuf *m)
{
MAC_PERFORM(destroy_mbuf, m, &m->m_pkthdr.label);
MAC_PERFORM(destroy_mbuf_label, &m->m_pkthdr.label);
mac_destroy_label(&m->m_pkthdr.label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacmbufs, 1);
@ -1313,7 +1329,7 @@ mac_init_cred(struct ucred *cr)
{
mac_init_label(&cr->cr_label);
MAC_PERFORM(init_cred, cr, &cr->cr_label);
MAC_PERFORM(init_cred_label, &cr->cr_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmaccreds, 1);
#endif
@ -1323,7 +1339,7 @@ void
mac_destroy_cred(struct ucred *cr)
{
MAC_PERFORM(destroy_cred, cr, &cr->cr_label);
MAC_PERFORM(destroy_cred_label, &cr->cr_label);
mac_destroy_label(&cr->cr_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmaccreds, 1);
@ -1335,7 +1351,7 @@ mac_init_ifnet(struct ifnet *ifp)
{
mac_init_label(&ifp->if_label);
MAC_PERFORM(init_ifnet, ifp, &ifp->if_label);
MAC_PERFORM(init_ifnet_label, &ifp->if_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacifnets, 1);
#endif
@ -1345,7 +1361,7 @@ void
mac_destroy_ifnet(struct ifnet *ifp)
{
MAC_PERFORM(destroy_ifnet, ifp, &ifp->if_label);
MAC_PERFORM(destroy_ifnet_label, &ifp->if_label);
mac_destroy_label(&ifp->if_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacifnets, 1);
@ -1357,7 +1373,7 @@ mac_init_ipq(struct ipq *ipq)
{
mac_init_label(&ipq->ipq_label);
MAC_PERFORM(init_ipq, ipq, &ipq->ipq_label);
MAC_PERFORM(init_ipq_label, &ipq->ipq_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacipqs, 1);
#endif
@ -1367,7 +1383,7 @@ void
mac_destroy_ipq(struct ipq *ipq)
{
MAC_PERFORM(destroy_ipq, ipq, &ipq->ipq_label);
MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label);
mac_destroy_label(&ipq->ipq_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacipqs, 1);
@ -1380,8 +1396,8 @@ mac_init_socket(struct socket *socket)
mac_init_label(&socket->so_label);
mac_init_label(&socket->so_peerlabel);
MAC_PERFORM(init_socket, socket, &socket->so_label,
&socket->so_peerlabel);
MAC_PERFORM(init_socket_label, &socket->so_label);
MAC_PERFORM(init_socket_peer_label, &socket->so_peerlabel);
#ifdef MAC_DEBUG
atomic_add_int(&nmacsockets, 1);
#endif
@ -1391,8 +1407,8 @@ void
mac_destroy_socket(struct socket *socket)
{
MAC_PERFORM(destroy_socket, socket, &socket->so_label,
&socket->so_peerlabel);
MAC_PERFORM(destroy_socket_label, &socket->so_label);
MAC_PERFORM(destroy_socket_peer_label, &socket->so_peerlabel);
mac_destroy_label(&socket->so_label);
mac_destroy_label(&socket->so_peerlabel);
#ifdef MAC_DEBUG
@ -1409,7 +1425,7 @@ mac_init_pipe(struct pipe *pipe)
mac_init_label(label);
pipe->pipe_label = label;
pipe->pipe_peer->pipe_label = label;
MAC_PERFORM(init_pipe, pipe, pipe->pipe_label);
MAC_PERFORM(init_pipe_label, pipe->pipe_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacpipes, 1);
#endif
@ -1419,7 +1435,7 @@ void
mac_destroy_pipe(struct pipe *pipe)
{
MAC_PERFORM(destroy_pipe, pipe, pipe->pipe_label);
MAC_PERFORM(destroy_pipe_label, pipe->pipe_label);
mac_destroy_label(pipe->pipe_label);
free(pipe->pipe_label, M_MACPIPELABEL);
#ifdef MAC_DEBUG
@ -1432,7 +1448,7 @@ mac_init_bpfdesc(struct bpf_d *bpf_d)
{
mac_init_label(&bpf_d->bd_label);
MAC_PERFORM(init_bpfdesc, bpf_d, &bpf_d->bd_label);
MAC_PERFORM(init_bpfdesc_label, &bpf_d->bd_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacbpfdescs, 1);
#endif
@ -1442,7 +1458,7 @@ void
mac_destroy_bpfdesc(struct bpf_d *bpf_d)
{
MAC_PERFORM(destroy_bpfdesc, bpf_d, &bpf_d->bd_label);
MAC_PERFORM(destroy_bpfdesc_label, &bpf_d->bd_label);
mac_destroy_label(&bpf_d->bd_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacbpfdescs, 1);
@ -1455,7 +1471,8 @@ mac_init_mount(struct mount *mp)
mac_init_label(&mp->mnt_mntlabel);
mac_init_label(&mp->mnt_fslabel);
MAC_PERFORM(init_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel);
MAC_PERFORM(init_mount_label, &mp->mnt_mntlabel);
MAC_PERFORM(init_mount_fs_label, &mp->mnt_fslabel);
#ifdef MAC_DEBUG
atomic_add_int(&nmacmounts, 1);
#endif
@ -1465,7 +1482,8 @@ void
mac_destroy_mount(struct mount *mp)
{
MAC_PERFORM(destroy_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel);
MAC_PERFORM(destroy_mount_label, &mp->mnt_mntlabel);
MAC_PERFORM(destroy_mount_fs_label, &mp->mnt_fslabel);
mac_destroy_label(&mp->mnt_fslabel);
mac_destroy_label(&mp->mnt_mntlabel);
#ifdef MAC_DEBUG
@ -1478,7 +1496,7 @@ mac_init_temp(struct label *label)
{
mac_init_label(label);
MAC_PERFORM(init_temp, label);
MAC_PERFORM(init_temp_label, label);
#ifdef MAC_DEBUG
atomic_add_int(&nmactemp, 1);
#endif
@ -1488,7 +1506,7 @@ static void
mac_destroy_temp(struct label *label)
{
MAC_PERFORM(destroy_temp, label);
MAC_PERFORM(destroy_temp_label, label);
mac_destroy_label(label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmactemp, 1);
@ -1500,7 +1518,7 @@ mac_init_vnode(struct vnode *vp)
{
mac_init_label(&vp->v_label);
MAC_PERFORM(init_vnode, vp, &vp->v_label);
MAC_PERFORM(init_vnode_label, &vp->v_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacvnodes, 1);
#endif
@ -1510,7 +1528,7 @@ void
mac_destroy_vnode(struct vnode *vp)
{
MAC_PERFORM(destroy_vnode, vp, &vp->v_label);
MAC_PERFORM(destroy_vnode_label, &vp->v_label);
mac_destroy_label(&vp->v_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacvnodes, 1);
@ -1522,7 +1540,7 @@ mac_init_devfsdirent(struct devfs_dirent *de)
{
mac_init_label(&de->de_label);
MAC_PERFORM(init_devfsdirent, de, &de->de_label);
MAC_PERFORM(init_devfsdirent_label, &de->de_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacdevfsdirents, 1);
#endif
@ -1532,7 +1550,7 @@ void
mac_destroy_devfsdirent(struct devfs_dirent *de)
{
MAC_PERFORM(destroy_devfsdirent, de, &de->de_label);
MAC_PERFORM(destroy_devfsdirent_label, &de->de_label);
mac_destroy_label(&de->de_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacdevfsdirents, 1);
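Review bot: In the mac_init_mbuf hunk, `MAC_PERFORM(init_mbuf_label, &m->m_pkthdr.label, how);` passes the policy an allocation mode that the comment says may be M_DONTWAIT, but MAC_PERFORM is used here as a plain statement with no result, so a policy that cannot set up its label storage without sleeping appears to have no way to report that. If so, the mbuf would carry a partly initialized label into later access-control decisions. Consider dispatching this one entry point through an error-returning composition such as `MAC_CHECK(init_mbuf_label, &m->m_pkthdr.label, how);`, and on failure undoing the work with `MAC_PERFORM(destroy_mbuf_label, &m->m_pkthdr.label);` and `mac_destroy_label(&m->m_pkthdr.label);` before returning the error. mac_init_mbuf's signature and return path are outside the hunk, so how the caller would see the error needs confirming; the same lines appear in the other file sections on this page.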


@ -394,92 +394,108 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_syscall =
mpe->mpe_function;
break;
case MAC_INIT_BPFDESC:
mpc->mpc_ops->mpo_init_bpfdesc =
case MAC_INIT_BPFDESC_LABEL:
mpc->mpc_ops->mpo_init_bpfdesc_label =
mpe->mpe_function;
break;
case MAC_INIT_CRED:
mpc->mpc_ops->mpo_init_cred =
case MAC_INIT_CRED_LABEL:
mpc->mpc_ops->mpo_init_cred_label =
mpe->mpe_function;
break;
case MAC_INIT_DEVFSDIRENT:
mpc->mpc_ops->mpo_init_devfsdirent =
case MAC_INIT_DEVFSDIRENT_LABEL:
mpc->mpc_ops->mpo_init_devfsdirent_label =
mpe->mpe_function;
break;
case MAC_INIT_IFNET:
mpc->mpc_ops->mpo_init_ifnet =
case MAC_INIT_IFNET_LABEL:
mpc->mpc_ops->mpo_init_ifnet_label =
mpe->mpe_function;
break;
case MAC_INIT_IPQ:
mpc->mpc_ops->mpo_init_ipq =
case MAC_INIT_IPQ_LABEL:
mpc->mpc_ops->mpo_init_ipq_label =
mpe->mpe_function;
break;
case MAC_INIT_MBUF:
mpc->mpc_ops->mpo_init_mbuf =
case MAC_INIT_MBUF_LABEL:
mpc->mpc_ops->mpo_init_mbuf_label =
mpe->mpe_function;
break;
case MAC_INIT_MOUNT:
mpc->mpc_ops->mpo_init_mount =
case MAC_INIT_MOUNT_LABEL:
mpc->mpc_ops->mpo_init_mount_label =
mpe->mpe_function;
break;
case MAC_INIT_PIPE:
mpc->mpc_ops->mpo_init_pipe =
case MAC_INIT_MOUNT_FS_LABEL:
mpc->mpc_ops->mpo_init_mount_fs_label =
mpe->mpe_function;
break;
case MAC_INIT_SOCKET:
mpc->mpc_ops->mpo_init_socket =
case MAC_INIT_PIPE_LABEL:
mpc->mpc_ops->mpo_init_pipe_label =
mpe->mpe_function;
break;
case MAC_INIT_TEMP:
mpc->mpc_ops->mpo_init_temp =
case MAC_INIT_SOCKET_LABEL:
mpc->mpc_ops->mpo_init_socket_label =
mpe->mpe_function;
break;
case MAC_INIT_VNODE:
mpc->mpc_ops->mpo_init_vnode =
case MAC_INIT_SOCKET_PEER_LABEL:
mpc->mpc_ops->mpo_init_socket_peer_label =
mpe->mpe_function;
break;
case MAC_DESTROY_BPFDESC:
mpc->mpc_ops->mpo_destroy_bpfdesc =
case MAC_INIT_TEMP_LABEL:
mpc->mpc_ops->mpo_init_temp_label =
mpe->mpe_function;
break;
case MAC_DESTROY_CRED:
mpc->mpc_ops->mpo_destroy_cred =
case MAC_INIT_VNODE_LABEL:
mpc->mpc_ops->mpo_init_vnode_label =
mpe->mpe_function;
break;
case MAC_DESTROY_DEVFSDIRENT:
mpc->mpc_ops->mpo_destroy_devfsdirent =
case MAC_DESTROY_BPFDESC_LABEL:
mpc->mpc_ops->mpo_destroy_bpfdesc_label =
mpe->mpe_function;
break;
case MAC_DESTROY_IFNET:
mpc->mpc_ops->mpo_destroy_ifnet =
case MAC_DESTROY_CRED_LABEL:
mpc->mpc_ops->mpo_destroy_cred_label =
mpe->mpe_function;
break;
case MAC_DESTROY_IPQ:
mpc->mpc_ops->mpo_destroy_ipq =
case MAC_DESTROY_DEVFSDIRENT_LABEL:
mpc->mpc_ops->mpo_destroy_devfsdirent_label =
mpe->mpe_function;
break;
case MAC_DESTROY_MBUF:
mpc->mpc_ops->mpo_destroy_mbuf =
case MAC_DESTROY_IFNET_LABEL:
mpc->mpc_ops->mpo_destroy_ifnet_label =
mpe->mpe_function;
break;
case MAC_DESTROY_MOUNT:
mpc->mpc_ops->mpo_destroy_mount =
case MAC_DESTROY_IPQ_LABEL:
mpc->mpc_ops->mpo_destroy_ipq_label =
mpe->mpe_function;
break;
case MAC_DESTROY_PIPE:
mpc->mpc_ops->mpo_destroy_pipe =
case MAC_DESTROY_MBUF_LABEL:
mpc->mpc_ops->mpo_destroy_mbuf_label =
mpe->mpe_function;
break;
case MAC_DESTROY_SOCKET:
mpc->mpc_ops->mpo_destroy_socket =
case MAC_DESTROY_MOUNT_LABEL:
mpc->mpc_ops->mpo_destroy_mount_label =
mpe->mpe_function;
break;
case MAC_DESTROY_TEMP:
mpc->mpc_ops->mpo_destroy_temp =
case MAC_DESTROY_MOUNT_FS_LABEL:
mpc->mpc_ops->mpo_destroy_mount_fs_label =
mpe->mpe_function;
break;
case MAC_DESTROY_VNODE:
mpc->mpc_ops->mpo_destroy_vnode =
case MAC_DESTROY_PIPE_LABEL:
mpc->mpc_ops->mpo_destroy_pipe_label =
mpe->mpe_function;
break;
case MAC_DESTROY_SOCKET_LABEL:
mpc->mpc_ops->mpo_destroy_socket_label =
mpe->mpe_function;
break;
case MAC_DESTROY_SOCKET_PEER_LABEL:
mpc->mpc_ops->mpo_destroy_socket_peer_label =
mpe->mpe_function;
break;
case MAC_DESTROY_TEMP_LABEL:
mpc->mpc_ops->mpo_destroy_temp_label =
mpe->mpe_function;
break;
case MAC_DESTROY_VNODE_LABEL:
mpc->mpc_ops->mpo_destroy_vnode_label =
mpe->mpe_function;
break;
case MAC_EXTERNALIZE:
@ -1290,7 +1306,7 @@ mac_init_mbuf(struct mbuf *m, int how)
/* "how" is one of M_(TRY|DONT)WAIT */
mac_init_label(&m->m_pkthdr.label);
MAC_PERFORM(init_mbuf, m, how, &m->m_pkthdr.label);
MAC_PERFORM(init_mbuf_label, &m->m_pkthdr.label, how);
#ifdef MAC_DEBUG
atomic_add_int(&nmacmbufs, 1);
#endif
@ -1301,7 +1317,7 @@ void
mac_destroy_mbuf(struct mbuf *m)
{
MAC_PERFORM(destroy_mbuf, m, &m->m_pkthdr.label);
MAC_PERFORM(destroy_mbuf_label, &m->m_pkthdr.label);
mac_destroy_label(&m->m_pkthdr.label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacmbufs, 1);
@ -1313,7 +1329,7 @@ mac_init_cred(struct ucred *cr)
{
mac_init_label(&cr->cr_label);
MAC_PERFORM(init_cred, cr, &cr->cr_label);
MAC_PERFORM(init_cred_label, &cr->cr_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmaccreds, 1);
#endif
@ -1323,7 +1339,7 @@ void
mac_destroy_cred(struct ucred *cr)
{
MAC_PERFORM(destroy_cred, cr, &cr->cr_label);
MAC_PERFORM(destroy_cred_label, &cr->cr_label);
mac_destroy_label(&cr->cr_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmaccreds, 1);
@ -1335,7 +1351,7 @@ mac_init_ifnet(struct ifnet *ifp)
{
mac_init_label(&ifp->if_label);
MAC_PERFORM(init_ifnet, ifp, &ifp->if_label);
MAC_PERFORM(init_ifnet_label, &ifp->if_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacifnets, 1);
#endif
@ -1345,7 +1361,7 @@ void
mac_destroy_ifnet(struct ifnet *ifp)
{
MAC_PERFORM(destroy_ifnet, ifp, &ifp->if_label);
MAC_PERFORM(destroy_ifnet_label, &ifp->if_label);
mac_destroy_label(&ifp->if_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacifnets, 1);
@ -1357,7 +1373,7 @@ mac_init_ipq(struct ipq *ipq)
{
mac_init_label(&ipq->ipq_label);
MAC_PERFORM(init_ipq, ipq, &ipq->ipq_label);
MAC_PERFORM(init_ipq_label, &ipq->ipq_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacipqs, 1);
#endif
@ -1367,7 +1383,7 @@ void
mac_destroy_ipq(struct ipq *ipq)
{
MAC_PERFORM(destroy_ipq, ipq, &ipq->ipq_label);
MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label);
mac_destroy_label(&ipq->ipq_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacipqs, 1);
@ -1380,8 +1396,8 @@ mac_init_socket(struct socket *socket)
mac_init_label(&socket->so_label);
mac_init_label(&socket->so_peerlabel);
MAC_PERFORM(init_socket, socket, &socket->so_label,
&socket->so_peerlabel);
MAC_PERFORM(init_socket_label, &socket->so_label);
MAC_PERFORM(init_socket_peer_label, &socket->so_peerlabel);
#ifdef MAC_DEBUG
atomic_add_int(&nmacsockets, 1);
#endif
@ -1391,8 +1407,8 @@ void
mac_destroy_socket(struct socket *socket)
{
MAC_PERFORM(destroy_socket, socket, &socket->so_label,
&socket->so_peerlabel);
MAC_PERFORM(destroy_socket_label, &socket->so_label);
MAC_PERFORM(destroy_socket_peer_label, &socket->so_peerlabel);
mac_destroy_label(&socket->so_label);
mac_destroy_label(&socket->so_peerlabel);
#ifdef MAC_DEBUG
@ -1409,7 +1425,7 @@ mac_init_pipe(struct pipe *pipe)
mac_init_label(label);
pipe->pipe_label = label;
pipe->pipe_peer->pipe_label = label;
MAC_PERFORM(init_pipe, pipe, pipe->pipe_label);
MAC_PERFORM(init_pipe_label, pipe->pipe_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacpipes, 1);
#endif
@ -1419,7 +1435,7 @@ void
mac_destroy_pipe(struct pipe *pipe)
{
MAC_PERFORM(destroy_pipe, pipe, pipe->pipe_label);
MAC_PERFORM(destroy_pipe_label, pipe->pipe_label);
mac_destroy_label(pipe->pipe_label);
free(pipe->pipe_label, M_MACPIPELABEL);
#ifdef MAC_DEBUG
@ -1432,7 +1448,7 @@ mac_init_bpfdesc(struct bpf_d *bpf_d)
{
mac_init_label(&bpf_d->bd_label);
MAC_PERFORM(init_bpfdesc, bpf_d, &bpf_d->bd_label);
MAC_PERFORM(init_bpfdesc_label, &bpf_d->bd_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacbpfdescs, 1);
#endif
@ -1442,7 +1458,7 @@ void
mac_destroy_bpfdesc(struct bpf_d *bpf_d)
{
MAC_PERFORM(destroy_bpfdesc, bpf_d, &bpf_d->bd_label);
MAC_PERFORM(destroy_bpfdesc_label, &bpf_d->bd_label);
mac_destroy_label(&bpf_d->bd_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacbpfdescs, 1);
@ -1455,7 +1471,8 @@ mac_init_mount(struct mount *mp)
mac_init_label(&mp->mnt_mntlabel);
mac_init_label(&mp->mnt_fslabel);
MAC_PERFORM(init_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel);
MAC_PERFORM(init_mount_label, &mp->mnt_mntlabel);
MAC_PERFORM(init_mount_fs_label, &mp->mnt_fslabel);
#ifdef MAC_DEBUG
atomic_add_int(&nmacmounts, 1);
#endif
@ -1465,7 +1482,8 @@ void
mac_destroy_mount(struct mount *mp)
{
MAC_PERFORM(destroy_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel);
MAC_PERFORM(destroy_mount_label, &mp->mnt_mntlabel);
MAC_PERFORM(destroy_mount_fs_label, &mp->mnt_fslabel);
mac_destroy_label(&mp->mnt_fslabel);
mac_destroy_label(&mp->mnt_mntlabel);
#ifdef MAC_DEBUG
@ -1478,7 +1496,7 @@ mac_init_temp(struct label *label)
{
mac_init_label(label);
MAC_PERFORM(init_temp, label);
MAC_PERFORM(init_temp_label, label);
#ifdef MAC_DEBUG
atomic_add_int(&nmactemp, 1);
#endif
@ -1488,7 +1506,7 @@ static void
mac_destroy_temp(struct label *label)
{
MAC_PERFORM(destroy_temp, label);
MAC_PERFORM(destroy_temp_label, label);
mac_destroy_label(label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmactemp, 1);
@ -1500,7 +1518,7 @@ mac_init_vnode(struct vnode *vp)
{
mac_init_label(&vp->v_label);
MAC_PERFORM(init_vnode, vp, &vp->v_label);
MAC_PERFORM(init_vnode_label, &vp->v_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacvnodes, 1);
#endif
@ -1510,7 +1528,7 @@ void
mac_destroy_vnode(struct vnode *vp)
{
MAC_PERFORM(destroy_vnode, vp, &vp->v_label);
MAC_PERFORM(destroy_vnode_label, &vp->v_label);
mac_destroy_label(&vp->v_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacvnodes, 1);
@ -1522,7 +1540,7 @@ mac_init_devfsdirent(struct devfs_dirent *de)
{
mac_init_label(&de->de_label);
MAC_PERFORM(init_devfsdirent, de, &de->de_label);
MAC_PERFORM(init_devfsdirent_label, &de->de_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacdevfsdirents, 1);
#endif
@ -1532,7 +1550,7 @@ void
mac_destroy_devfsdirent(struct devfs_dirent *de)
{
MAC_PERFORM(destroy_devfsdirent, de, &de->de_label);
MAC_PERFORM(destroy_devfsdirent_label, &de->de_label);
mac_destroy_label(&de->de_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacdevfsdirents, 1);
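Review bot: The rewritten cases in mac_policy_register store `mpe->mpe_function` into the renamed `mpo_*_label` slots with no visible check on the function's prototype, while the commit description says these entry points changed from (obj, label) to (label). A policy module built against the older header would, if it can still register, be called with a label where it expects an object pointer, which in kernel context means memory corruption rather than a clean failure. Nothing in this hunk shows a module ABI or version gate, so it is worth confirming that one changes with this commit. A comment above the switch would record the constraint, for example `/* Label entry points take only the label; modules built against the (obj, label) prototypes must be rebuilt. */`. The switch begins and ends outside the hunk, and the same lines appear in the other file sections on this page.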


@ -394,92 +394,108 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_syscall =
mpe->mpe_function;
break;
case MAC_INIT_BPFDESC:
mpc->mpc_ops->mpo_init_bpfdesc =
case MAC_INIT_BPFDESC_LABEL:
mpc->mpc_ops->mpo_init_bpfdesc_label =
mpe->mpe_function;
break;
case MAC_INIT_CRED:
mpc->mpc_ops->mpo_init_cred =
case MAC_INIT_CRED_LABEL:
mpc->mpc_ops->mpo_init_cred_label =
mpe->mpe_function;
break;
case MAC_INIT_DEVFSDIRENT:
mpc->mpc_ops->mpo_init_devfsdirent =
case MAC_INIT_DEVFSDIRENT_LABEL:
mpc->mpc_ops->mpo_init_devfsdirent_label =
mpe->mpe_function;
break;
case MAC_INIT_IFNET:
mpc->mpc_ops->mpo_init_ifnet =
case MAC_INIT_IFNET_LABEL:
mpc->mpc_ops->mpo_init_ifnet_label =
mpe->mpe_function;
break;
case MAC_INIT_IPQ:
mpc->mpc_ops->mpo_init_ipq =
case MAC_INIT_IPQ_LABEL:
mpc->mpc_ops->mpo_init_ipq_label =
mpe->mpe_function;
break;
case MAC_INIT_MBUF:
mpc->mpc_ops->mpo_init_mbuf =
case MAC_INIT_MBUF_LABEL:
mpc->mpc_ops->mpo_init_mbuf_label =
mpe->mpe_function;
break;
case MAC_INIT_MOUNT:
mpc->mpc_ops->mpo_init_mount =
case MAC_INIT_MOUNT_LABEL:
mpc->mpc_ops->mpo_init_mount_label =
mpe->mpe_function;
break;
case MAC_INIT_PIPE:
mpc->mpc_ops->mpo_init_pipe =
case MAC_INIT_MOUNT_FS_LABEL:
mpc->mpc_ops->mpo_init_mount_fs_label =
mpe->mpe_function;
break;
case MAC_INIT_SOCKET:
mpc->mpc_ops->mpo_init_socket =
case MAC_INIT_PIPE_LABEL:
mpc->mpc_ops->mpo_init_pipe_label =
mpe->mpe_function;
break;
case MAC_INIT_TEMP:
mpc->mpc_ops->mpo_init_temp =
case MAC_INIT_SOCKET_LABEL:
mpc->mpc_ops->mpo_init_socket_label =
mpe->mpe_function;
break;
case MAC_INIT_VNODE:
mpc->mpc_ops->mpo_init_vnode =
case MAC_INIT_SOCKET_PEER_LABEL:
mpc->mpc_ops->mpo_init_socket_peer_label =
mpe->mpe_function;
break;
case MAC_DESTROY_BPFDESC:
mpc->mpc_ops->mpo_destroy_bpfdesc =
case MAC_INIT_TEMP_LABEL:
mpc->mpc_ops->mpo_init_temp_label =
mpe->mpe_function;
break;
case MAC_DESTROY_CRED:
mpc->mpc_ops->mpo_destroy_cred =
case MAC_INIT_VNODE_LABEL:
mpc->mpc_ops->mpo_init_vnode_label =
mpe->mpe_function;
break;
case MAC_DESTROY_DEVFSDIRENT:
mpc->mpc_ops->mpo_destroy_devfsdirent =
case MAC_DESTROY_BPFDESC_LABEL:
mpc->mpc_ops->mpo_destroy_bpfdesc_label =
mpe->mpe_function;
break;
case MAC_DESTROY_IFNET:
mpc->mpc_ops->mpo_destroy_ifnet =
case MAC_DESTROY_CRED_LABEL:
mpc->mpc_ops->mpo_destroy_cred_label =
mpe->mpe_function;
break;
case MAC_DESTROY_IPQ:
mpc->mpc_ops->mpo_destroy_ipq =
case MAC_DESTROY_DEVFSDIRENT_LABEL:
mpc->mpc_ops->mpo_destroy_devfsdirent_label =
mpe->mpe_function;
break;
case MAC_DESTROY_MBUF:
mpc->mpc_ops->mpo_destroy_mbuf =
case MAC_DESTROY_IFNET_LABEL:
mpc->mpc_ops->mpo_destroy_ifnet_label =
mpe->mpe_function;
break;
case MAC_DESTROY_MOUNT:
mpc->mpc_ops->mpo_destroy_mount =
case MAC_DESTROY_IPQ_LABEL:
mpc->mpc_ops->mpo_destroy_ipq_label =
mpe->mpe_function;
break;
case MAC_DESTROY_PIPE:
mpc->mpc_ops->mpo_destroy_pipe =
case MAC_DESTROY_MBUF_LABEL:
mpc->mpc_ops->mpo_destroy_mbuf_label =
mpe->mpe_function;
break;
case MAC_DESTROY_SOCKET:
mpc->mpc_ops->mpo_destroy_socket =
case MAC_DESTROY_MOUNT_LABEL:
mpc->mpc_ops->mpo_destroy_mount_label =
mpe->mpe_function;
break;
case MAC_DESTROY_TEMP:
mpc->mpc_ops->mpo_destroy_temp =
case MAC_DESTROY_MOUNT_FS_LABEL:
mpc->mpc_ops->mpo_destroy_mount_fs_label =
mpe->mpe_function;
break;
case MAC_DESTROY_VNODE:
mpc->mpc_ops->mpo_destroy_vnode =
case MAC_DESTROY_PIPE_LABEL:
mpc->mpc_ops->mpo_destroy_pipe_label =
mpe->mpe_function;
break;
case MAC_DESTROY_SOCKET_LABEL:
mpc->mpc_ops->mpo_destroy_socket_label =
mpe->mpe_function;
break;
case MAC_DESTROY_SOCKET_PEER_LABEL:
mpc->mpc_ops->mpo_destroy_socket_peer_label =
mpe->mpe_function;
break;
case MAC_DESTROY_TEMP_LABEL:
mpc->mpc_ops->mpo_destroy_temp_label =
mpe->mpe_function;
break;
case MAC_DESTROY_VNODE_LABEL:
mpc->mpc_ops->mpo_destroy_vnode_label =
mpe->mpe_function;
break;
case MAC_EXTERNALIZE:
@ -1290,7 +1306,7 @@ mac_init_mbuf(struct mbuf *m, int how)
/* "how" is one of M_(TRY|DONT)WAIT */
mac_init_label(&m->m_pkthdr.label);
MAC_PERFORM(init_mbuf, m, how, &m->m_pkthdr.label);
MAC_PERFORM(init_mbuf_label, &m->m_pkthdr.label, how);
#ifdef MAC_DEBUG
atomic_add_int(&nmacmbufs, 1);
#endif
@ -1301,7 +1317,7 @@ void
mac_destroy_mbuf(struct mbuf *m)
{
MAC_PERFORM(destroy_mbuf, m, &m->m_pkthdr.label);
MAC_PERFORM(destroy_mbuf_label, &m->m_pkthdr.label);
mac_destroy_label(&m->m_pkthdr.label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacmbufs, 1);
@ -1313,7 +1329,7 @@ mac_init_cred(struct ucred *cr)
{
mac_init_label(&cr->cr_label);
MAC_PERFORM(init_cred, cr, &cr->cr_label);
MAC_PERFORM(init_cred_label, &cr->cr_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmaccreds, 1);
#endif
@ -1323,7 +1339,7 @@ void
mac_destroy_cred(struct ucred *cr)
{
MAC_PERFORM(destroy_cred, cr, &cr->cr_label);
MAC_PERFORM(destroy_cred_label, &cr->cr_label);
mac_destroy_label(&cr->cr_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmaccreds, 1);
@ -1335,7 +1351,7 @@ mac_init_ifnet(struct ifnet *ifp)
{
mac_init_label(&ifp->if_label);
MAC_PERFORM(init_ifnet, ifp, &ifp->if_label);
MAC_PERFORM(init_ifnet_label, &ifp->if_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacifnets, 1);
#endif
@ -1345,7 +1361,7 @@ void
mac_destroy_ifnet(struct ifnet *ifp)
{
MAC_PERFORM(destroy_ifnet, ifp, &ifp->if_label);
MAC_PERFORM(destroy_ifnet_label, &ifp->if_label);
mac_destroy_label(&ifp->if_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacifnets, 1);
@ -1357,7 +1373,7 @@ mac_init_ipq(struct ipq *ipq)
{
mac_init_label(&ipq->ipq_label);
MAC_PERFORM(init_ipq, ipq, &ipq->ipq_label);
MAC_PERFORM(init_ipq_label, &ipq->ipq_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacipqs, 1);
#endif
@ -1367,7 +1383,7 @@ void
mac_destroy_ipq(struct ipq *ipq)
{
MAC_PERFORM(destroy_ipq, ipq, &ipq->ipq_label);
MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label);
mac_destroy_label(&ipq->ipq_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacipqs, 1);
@ -1380,8 +1396,8 @@ mac_init_socket(struct socket *socket)
mac_init_label(&socket->so_label);
mac_init_label(&socket->so_peerlabel);
MAC_PERFORM(init_socket, socket, &socket->so_label,
&socket->so_peerlabel);
MAC_PERFORM(init_socket_label, &socket->so_label);
MAC_PERFORM(init_socket_peer_label, &socket->so_peerlabel);
#ifdef MAC_DEBUG
atomic_add_int(&nmacsockets, 1);
#endif
@ -1391,8 +1407,8 @@ void
mac_destroy_socket(struct socket *socket)
{
MAC_PERFORM(destroy_socket, socket, &socket->so_label,
&socket->so_peerlabel);
MAC_PERFORM(destroy_socket_label, &socket->so_label);
MAC_PERFORM(destroy_socket_peer_label, &socket->so_peerlabel);
mac_destroy_label(&socket->so_label);
mac_destroy_label(&socket->so_peerlabel);
#ifdef MAC_DEBUG
@ -1409,7 +1425,7 @@ mac_init_pipe(struct pipe *pipe)
mac_init_label(label);
pipe->pipe_label = label;
pipe->pipe_peer->pipe_label = label;
MAC_PERFORM(init_pipe, pipe, pipe->pipe_label);
MAC_PERFORM(init_pipe_label, pipe->pipe_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacpipes, 1);
#endif
@ -1419,7 +1435,7 @@ void
mac_destroy_pipe(struct pipe *pipe)
{
MAC_PERFORM(destroy_pipe, pipe, pipe->pipe_label);
MAC_PERFORM(destroy_pipe_label, pipe->pipe_label);
mac_destroy_label(pipe->pipe_label);
free(pipe->pipe_label, M_MACPIPELABEL);
#ifdef MAC_DEBUG
@ -1432,7 +1448,7 @@ mac_init_bpfdesc(struct bpf_d *bpf_d)
{
mac_init_label(&bpf_d->bd_label);
MAC_PERFORM(init_bpfdesc, bpf_d, &bpf_d->bd_label);
MAC_PERFORM(init_bpfdesc_label, &bpf_d->bd_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacbpfdescs, 1);
#endif
@ -1442,7 +1458,7 @@ void
mac_destroy_bpfdesc(struct bpf_d *bpf_d)
{
MAC_PERFORM(destroy_bpfdesc, bpf_d, &bpf_d->bd_label);
MAC_PERFORM(destroy_bpfdesc_label, &bpf_d->bd_label);
mac_destroy_label(&bpf_d->bd_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacbpfdescs, 1);
@ -1455,7 +1471,8 @@ mac_init_mount(struct mount *mp)
mac_init_label(&mp->mnt_mntlabel);
mac_init_label(&mp->mnt_fslabel);
MAC_PERFORM(init_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel);
MAC_PERFORM(init_mount_label, &mp->mnt_mntlabel);
MAC_PERFORM(init_mount_fs_label, &mp->mnt_fslabel);
#ifdef MAC_DEBUG
atomic_add_int(&nmacmounts, 1);
#endif
@ -1465,7 +1482,8 @@ void
mac_destroy_mount(struct mount *mp)
{
MAC_PERFORM(destroy_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel);
MAC_PERFORM(destroy_mount_label, &mp->mnt_mntlabel);
MAC_PERFORM(destroy_mount_fs_label, &mp->mnt_fslabel);
mac_destroy_label(&mp->mnt_fslabel);
mac_destroy_label(&mp->mnt_mntlabel);
#ifdef MAC_DEBUG
@ -1478,7 +1496,7 @@ mac_init_temp(struct label *label)
{
mac_init_label(label);
MAC_PERFORM(init_temp, label);
MAC_PERFORM(init_temp_label, label);
#ifdef MAC_DEBUG
atomic_add_int(&nmactemp, 1);
#endif
@ -1488,7 +1506,7 @@ static void
mac_destroy_temp(struct label *label)
{
MAC_PERFORM(destroy_temp, label);
MAC_PERFORM(destroy_temp_label, label);
mac_destroy_label(label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmactemp, 1);
@ -1500,7 +1518,7 @@ mac_init_vnode(struct vnode *vp)
{
mac_init_label(&vp->v_label);
MAC_PERFORM(init_vnode, vp, &vp->v_label);
MAC_PERFORM(init_vnode_label, &vp->v_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacvnodes, 1);
#endif
@ -1510,7 +1528,7 @@ void
mac_destroy_vnode(struct vnode *vp)
{
MAC_PERFORM(destroy_vnode, vp, &vp->v_label);
MAC_PERFORM(destroy_vnode_label, &vp->v_label);
mac_destroy_label(&vp->v_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacvnodes, 1);
@ -1522,7 +1540,7 @@ mac_init_devfsdirent(struct devfs_dirent *de)
{
mac_init_label(&de->de_label);
MAC_PERFORM(init_devfsdirent, de, &de->de_label);
MAC_PERFORM(init_devfsdirent_label, &de->de_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacdevfsdirents, 1);
#endif
@ -1532,7 +1550,7 @@ void
mac_destroy_devfsdirent(struct devfs_dirent *de)
{
MAC_PERFORM(destroy_devfsdirent, de, &de->de_label);
MAC_PERFORM(destroy_devfsdirent_label, &de->de_label);
mac_destroy_label(&de->de_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacdevfsdirents, 1);


@ -394,92 +394,108 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_syscall =
mpe->mpe_function;
break;
case MAC_INIT_BPFDESC:
mpc->mpc_ops->mpo_init_bpfdesc =
case MAC_INIT_BPFDESC_LABEL:
mpc->mpc_ops->mpo_init_bpfdesc_label =
mpe->mpe_function;
break;
case MAC_INIT_CRED:
mpc->mpc_ops->mpo_init_cred =
case MAC_INIT_CRED_LABEL:
mpc->mpc_ops->mpo_init_cred_label =
mpe->mpe_function;
break;
case MAC_INIT_DEVFSDIRENT:
mpc->mpc_ops->mpo_init_devfsdirent =
case MAC_INIT_DEVFSDIRENT_LABEL:
mpc->mpc_ops->mpo_init_devfsdirent_label =
mpe->mpe_function;
break;
case MAC_INIT_IFNET:
mpc->mpc_ops->mpo_init_ifnet =
case MAC_INIT_IFNET_LABEL:
mpc->mpc_ops->mpo_init_ifnet_label =
mpe->mpe_function;
break;
case MAC_INIT_IPQ:
mpc->mpc_ops->mpo_init_ipq =
case MAC_INIT_IPQ_LABEL:
mpc->mpc_ops->mpo_init_ipq_label =
mpe->mpe_function;
break;
case MAC_INIT_MBUF:
mpc->mpc_ops->mpo_init_mbuf =
case MAC_INIT_MBUF_LABEL:
mpc->mpc_ops->mpo_init_mbuf_label =
mpe->mpe_function;
break;
case MAC_INIT_MOUNT:
mpc->mpc_ops->mpo_init_mount =
case MAC_INIT_MOUNT_LABEL:
mpc->mpc_ops->mpo_init_mount_label =
mpe->mpe_function;
break;
case MAC_INIT_PIPE:
mpc->mpc_ops->mpo_init_pipe =
case MAC_INIT_MOUNT_FS_LABEL:
mpc->mpc_ops->mpo_init_mount_fs_label =
mpe->mpe_function;
break;
case MAC_INIT_SOCKET:
mpc->mpc_ops->mpo_init_socket =
case MAC_INIT_PIPE_LABEL:
mpc->mpc_ops->mpo_init_pipe_label =
mpe->mpe_function;
break;
case MAC_INIT_TEMP:
mpc->mpc_ops->mpo_init_temp =
case MAC_INIT_SOCKET_LABEL:
mpc->mpc_ops->mpo_init_socket_label =
mpe->mpe_function;
break;
case MAC_INIT_VNODE:
mpc->mpc_ops->mpo_init_vnode =
case MAC_INIT_SOCKET_PEER_LABEL:
mpc->mpc_ops->mpo_init_socket_peer_label =
mpe->mpe_function;
break;
case MAC_DESTROY_BPFDESC:
mpc->mpc_ops->mpo_destroy_bpfdesc =
case MAC_INIT_TEMP_LABEL:
mpc->mpc_ops->mpo_init_temp_label =
mpe->mpe_function;
break;
case MAC_DESTROY_CRED:
mpc->mpc_ops->mpo_destroy_cred =
case MAC_INIT_VNODE_LABEL:
mpc->mpc_ops->mpo_init_vnode_label =
mpe->mpe_function;
break;
case MAC_DESTROY_DEVFSDIRENT:
mpc->mpc_ops->mpo_destroy_devfsdirent =
case MAC_DESTROY_BPFDESC_LABEL:
mpc->mpc_ops->mpo_destroy_bpfdesc_label =
mpe->mpe_function;
break;
case MAC_DESTROY_IFNET:
mpc->mpc_ops->mpo_destroy_ifnet =
case MAC_DESTROY_CRED_LABEL:
mpc->mpc_ops->mpo_destroy_cred_label =
mpe->mpe_function;
break;
case MAC_DESTROY_IPQ:
mpc->mpc_ops->mpo_destroy_ipq =
case MAC_DESTROY_DEVFSDIRENT_LABEL:
mpc->mpc_ops->mpo_destroy_devfsdirent_label =
mpe->mpe_function;
break;
case MAC_DESTROY_MBUF:
mpc->mpc_ops->mpo_destroy_mbuf =
case MAC_DESTROY_IFNET_LABEL:
mpc->mpc_ops->mpo_destroy_ifnet_label =
mpe->mpe_function;
break;
case MAC_DESTROY_MOUNT:
mpc->mpc_ops->mpo_destroy_mount =
case MAC_DESTROY_IPQ_LABEL:
mpc->mpc_ops->mpo_destroy_ipq_label =
mpe->mpe_function;
break;
case MAC_DESTROY_PIPE:
mpc->mpc_ops->mpo_destroy_pipe =
case MAC_DESTROY_MBUF_LABEL:
mpc->mpc_ops->mpo_destroy_mbuf_label =
mpe->mpe_function;
break;
case MAC_DESTROY_SOCKET:
mpc->mpc_ops->mpo_destroy_socket =
case MAC_DESTROY_MOUNT_LABEL:
mpc->mpc_ops->mpo_destroy_mount_label =
mpe->mpe_function;
break;
case MAC_DESTROY_TEMP:
mpc->mpc_ops->mpo_destroy_temp =
case MAC_DESTROY_MOUNT_FS_LABEL:
mpc->mpc_ops->mpo_destroy_mount_fs_label =
mpe->mpe_function;
break;
case MAC_DESTROY_VNODE:
mpc->mpc_ops->mpo_destroy_vnode =
case MAC_DESTROY_PIPE_LABEL:
mpc->mpc_ops->mpo_destroy_pipe_label =
mpe->mpe_function;
break;
case MAC_DESTROY_SOCKET_LABEL:
mpc->mpc_ops->mpo_destroy_socket_label =
mpe->mpe_function;
break;
case MAC_DESTROY_SOCKET_PEER_LABEL:
mpc->mpc_ops->mpo_destroy_socket_peer_label =
mpe->mpe_function;
break;
case MAC_DESTROY_TEMP_LABEL:
mpc->mpc_ops->mpo_destroy_temp_label =
mpe->mpe_function;
break;
case MAC_DESTROY_VNODE_LABEL:
mpc->mpc_ops->mpo_destroy_vnode_label =
mpe->mpe_function;
break;
case MAC_EXTERNALIZE:
@ -1290,7 +1306,7 @@ mac_init_mbuf(struct mbuf *m, int how)
/* "how" is one of M_(TRY|DONT)WAIT */
mac_init_label(&m->m_pkthdr.label);
MAC_PERFORM(init_mbuf, m, how, &m->m_pkthdr.label);
MAC_PERFORM(init_mbuf_label, &m->m_pkthdr.label, how);
#ifdef MAC_DEBUG
atomic_add_int(&nmacmbufs, 1);
#endif
@ -1301,7 +1317,7 @@ void
mac_destroy_mbuf(struct mbuf *m)
{
MAC_PERFORM(destroy_mbuf, m, &m->m_pkthdr.label);
MAC_PERFORM(destroy_mbuf_label, &m->m_pkthdr.label);
mac_destroy_label(&m->m_pkthdr.label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacmbufs, 1);
@ -1313,7 +1329,7 @@ mac_init_cred(struct ucred *cr)
{
mac_init_label(&cr->cr_label);
MAC_PERFORM(init_cred, cr, &cr->cr_label);
MAC_PERFORM(init_cred_label, &cr->cr_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmaccreds, 1);
#endif
@ -1323,7 +1339,7 @@ void
mac_destroy_cred(struct ucred *cr)
{
MAC_PERFORM(destroy_cred, cr, &cr->cr_label);
MAC_PERFORM(destroy_cred_label, &cr->cr_label);
mac_destroy_label(&cr->cr_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmaccreds, 1);
@ -1335,7 +1351,7 @@ mac_init_ifnet(struct ifnet *ifp)
{
mac_init_label(&ifp->if_label);
MAC_PERFORM(init_ifnet, ifp, &ifp->if_label);
MAC_PERFORM(init_ifnet_label, &ifp->if_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacifnets, 1);
#endif
@ -1345,7 +1361,7 @@ void
mac_destroy_ifnet(struct ifnet *ifp)
{
MAC_PERFORM(destroy_ifnet, ifp, &ifp->if_label);
MAC_PERFORM(destroy_ifnet_label, &ifp->if_label);
mac_destroy_label(&ifp->if_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacifnets, 1);
@ -1357,7 +1373,7 @@ mac_init_ipq(struct ipq *ipq)
{
mac_init_label(&ipq->ipq_label);
MAC_PERFORM(init_ipq, ipq, &ipq->ipq_label);
MAC_PERFORM(init_ipq_label, &ipq->ipq_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacipqs, 1);
#endif
@ -1367,7 +1383,7 @@ void
mac_destroy_ipq(struct ipq *ipq)
{
MAC_PERFORM(destroy_ipq, ipq, &ipq->ipq_label);
MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label);
mac_destroy_label(&ipq->ipq_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacipqs, 1);
@ -1380,8 +1396,8 @@ mac_init_socket(struct socket *socket)
mac_init_label(&socket->so_label);
mac_init_label(&socket->so_peerlabel);
MAC_PERFORM(init_socket, socket, &socket->so_label,
&socket->so_peerlabel);
MAC_PERFORM(init_socket_label, &socket->so_label);
MAC_PERFORM(init_socket_peer_label, &socket->so_peerlabel);
#ifdef MAC_DEBUG
atomic_add_int(&nmacsockets, 1);
#endif
@ -1391,8 +1407,8 @@ void
mac_destroy_socket(struct socket *socket)
{
MAC_PERFORM(destroy_socket, socket, &socket->so_label,
&socket->so_peerlabel);
MAC_PERFORM(destroy_socket_label, &socket->so_label);
MAC_PERFORM(destroy_socket_peer_label, &socket->so_peerlabel);
mac_destroy_label(&socket->so_label);
mac_destroy_label(&socket->so_peerlabel);
#ifdef MAC_DEBUG
@ -1409,7 +1425,7 @@ mac_init_pipe(struct pipe *pipe)
mac_init_label(label);
pipe->pipe_label = label;
pipe->pipe_peer->pipe_label = label;
MAC_PERFORM(init_pipe, pipe, pipe->pipe_label);
MAC_PERFORM(init_pipe_label, pipe->pipe_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacpipes, 1);
#endif
@ -1419,7 +1435,7 @@ void
mac_destroy_pipe(struct pipe *pipe)
{
MAC_PERFORM(destroy_pipe, pipe, pipe->pipe_label);
MAC_PERFORM(destroy_pipe_label, pipe->pipe_label);
mac_destroy_label(pipe->pipe_label);
free(pipe->pipe_label, M_MACPIPELABEL);
#ifdef MAC_DEBUG
@ -1432,7 +1448,7 @@ mac_init_bpfdesc(struct bpf_d *bpf_d)
{
mac_init_label(&bpf_d->bd_label);
MAC_PERFORM(init_bpfdesc, bpf_d, &bpf_d->bd_label);
MAC_PERFORM(init_bpfdesc_label, &bpf_d->bd_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacbpfdescs, 1);
#endif
@ -1442,7 +1458,7 @@ void
mac_destroy_bpfdesc(struct bpf_d *bpf_d)
{
MAC_PERFORM(destroy_bpfdesc, bpf_d, &bpf_d->bd_label);
MAC_PERFORM(destroy_bpfdesc_label, &bpf_d->bd_label);
mac_destroy_label(&bpf_d->bd_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacbpfdescs, 1);
@ -1455,7 +1471,8 @@ mac_init_mount(struct mount *mp)
mac_init_label(&mp->mnt_mntlabel);
mac_init_label(&mp->mnt_fslabel);
MAC_PERFORM(init_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel);
MAC_PERFORM(init_mount_label, &mp->mnt_mntlabel);
MAC_PERFORM(init_mount_fs_label, &mp->mnt_fslabel);
#ifdef MAC_DEBUG
atomic_add_int(&nmacmounts, 1);
#endif
@ -1465,7 +1482,8 @@ void
mac_destroy_mount(struct mount *mp)
{
MAC_PERFORM(destroy_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel);
MAC_PERFORM(destroy_mount_label, &mp->mnt_mntlabel);
MAC_PERFORM(destroy_mount_fs_label, &mp->mnt_fslabel);
mac_destroy_label(&mp->mnt_fslabel);
mac_destroy_label(&mp->mnt_mntlabel);
#ifdef MAC_DEBUG
@ -1478,7 +1496,7 @@ mac_init_temp(struct label *label)
{
mac_init_label(label);
MAC_PERFORM(init_temp, label);
MAC_PERFORM(init_temp_label, label);
#ifdef MAC_DEBUG
atomic_add_int(&nmactemp, 1);
#endif
@ -1488,7 +1506,7 @@ static void
mac_destroy_temp(struct label *label)
{
MAC_PERFORM(destroy_temp, label);
MAC_PERFORM(destroy_temp_label, label);
mac_destroy_label(label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmactemp, 1);
@ -1500,7 +1518,7 @@ mac_init_vnode(struct vnode *vp)
{
mac_init_label(&vp->v_label);
MAC_PERFORM(init_vnode, vp, &vp->v_label);
MAC_PERFORM(init_vnode_label, &vp->v_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacvnodes, 1);
#endif
@ -1510,7 +1528,7 @@ void
mac_destroy_vnode(struct vnode *vp)
{
MAC_PERFORM(destroy_vnode, vp, &vp->v_label);
MAC_PERFORM(destroy_vnode_label, &vp->v_label);
mac_destroy_label(&vp->v_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacvnodes, 1);
@ -1522,7 +1540,7 @@ mac_init_devfsdirent(struct devfs_dirent *de)
{
mac_init_label(&de->de_label);
MAC_PERFORM(init_devfsdirent, de, &de->de_label);
MAC_PERFORM(init_devfsdirent_label, &de->de_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacdevfsdirents, 1);
#endif
@ -1532,7 +1550,7 @@ void
mac_destroy_devfsdirent(struct devfs_dirent *de)
{
MAC_PERFORM(destroy_devfsdirent, de, &de->de_label);
MAC_PERFORM(destroy_devfsdirent_label, &de->de_label);
mac_destroy_label(&de->de_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacdevfsdirents, 1);
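Review bot: In the mac_init_mbuf hunk, the new `MAC_PERFORM(init_mbuf_label, &m->m_pkthdr.label, how);` still discards the result of the one label-init entry point that can fail. The policy header on this page declares it as `int (*mpo_init_mbuf_label)(struct label *label, int flag)`, and the comment in the hunk says `how` may be M_DONTWAIT, so a policy that cannot allocate its label state has no way to stop the mbuf from going into use with a partly initialised label. MAC_PERFORM's definition and the rest of mac_init_mbuf are outside the hunk, so this assumes the macro ignores return values. If it does, collect the error with an error-composing form of the macro (MAC_CHECK, if this file provides it), call `mac_destroy_label(&m->m_pkthdr.label);` on failure, and return the error to the caller. The same lines appear in the other file sections on this page that patch these functions.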


@ -394,92 +394,108 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_syscall =
mpe->mpe_function;
break;
case MAC_INIT_BPFDESC:
mpc->mpc_ops->mpo_init_bpfdesc =
case MAC_INIT_BPFDESC_LABEL:
mpc->mpc_ops->mpo_init_bpfdesc_label =
mpe->mpe_function;
break;
case MAC_INIT_CRED:
mpc->mpc_ops->mpo_init_cred =
case MAC_INIT_CRED_LABEL:
mpc->mpc_ops->mpo_init_cred_label =
mpe->mpe_function;
break;
case MAC_INIT_DEVFSDIRENT:
mpc->mpc_ops->mpo_init_devfsdirent =
case MAC_INIT_DEVFSDIRENT_LABEL:
mpc->mpc_ops->mpo_init_devfsdirent_label =
mpe->mpe_function;
break;
case MAC_INIT_IFNET:
mpc->mpc_ops->mpo_init_ifnet =
case MAC_INIT_IFNET_LABEL:
mpc->mpc_ops->mpo_init_ifnet_label =
mpe->mpe_function;
break;
case MAC_INIT_IPQ:
mpc->mpc_ops->mpo_init_ipq =
case MAC_INIT_IPQ_LABEL:
mpc->mpc_ops->mpo_init_ipq_label =
mpe->mpe_function;
break;
case MAC_INIT_MBUF:
mpc->mpc_ops->mpo_init_mbuf =
case MAC_INIT_MBUF_LABEL:
mpc->mpc_ops->mpo_init_mbuf_label =
mpe->mpe_function;
break;
case MAC_INIT_MOUNT:
mpc->mpc_ops->mpo_init_mount =
case MAC_INIT_MOUNT_LABEL:
mpc->mpc_ops->mpo_init_mount_label =
mpe->mpe_function;
break;
case MAC_INIT_PIPE:
mpc->mpc_ops->mpo_init_pipe =
case MAC_INIT_MOUNT_FS_LABEL:
mpc->mpc_ops->mpo_init_mount_fs_label =
mpe->mpe_function;
break;
case MAC_INIT_SOCKET:
mpc->mpc_ops->mpo_init_socket =
case MAC_INIT_PIPE_LABEL:
mpc->mpc_ops->mpo_init_pipe_label =
mpe->mpe_function;
break;
case MAC_INIT_TEMP:
mpc->mpc_ops->mpo_init_temp =
case MAC_INIT_SOCKET_LABEL:
mpc->mpc_ops->mpo_init_socket_label =
mpe->mpe_function;
break;
case MAC_INIT_VNODE:
mpc->mpc_ops->mpo_init_vnode =
case MAC_INIT_SOCKET_PEER_LABEL:
mpc->mpc_ops->mpo_init_socket_peer_label =
mpe->mpe_function;
break;
case MAC_DESTROY_BPFDESC:
mpc->mpc_ops->mpo_destroy_bpfdesc =
case MAC_INIT_TEMP_LABEL:
mpc->mpc_ops->mpo_init_temp_label =
mpe->mpe_function;
break;
case MAC_DESTROY_CRED:
mpc->mpc_ops->mpo_destroy_cred =
case MAC_INIT_VNODE_LABEL:
mpc->mpc_ops->mpo_init_vnode_label =
mpe->mpe_function;
break;
case MAC_DESTROY_DEVFSDIRENT:
mpc->mpc_ops->mpo_destroy_devfsdirent =
case MAC_DESTROY_BPFDESC_LABEL:
mpc->mpc_ops->mpo_destroy_bpfdesc_label =
mpe->mpe_function;
break;
case MAC_DESTROY_IFNET:
mpc->mpc_ops->mpo_destroy_ifnet =
case MAC_DESTROY_CRED_LABEL:
mpc->mpc_ops->mpo_destroy_cred_label =
mpe->mpe_function;
break;
case MAC_DESTROY_IPQ:
mpc->mpc_ops->mpo_destroy_ipq =
case MAC_DESTROY_DEVFSDIRENT_LABEL:
mpc->mpc_ops->mpo_destroy_devfsdirent_label =
mpe->mpe_function;
break;
case MAC_DESTROY_MBUF:
mpc->mpc_ops->mpo_destroy_mbuf =
case MAC_DESTROY_IFNET_LABEL:
mpc->mpc_ops->mpo_destroy_ifnet_label =
mpe->mpe_function;
break;
case MAC_DESTROY_MOUNT:
mpc->mpc_ops->mpo_destroy_mount =
case MAC_DESTROY_IPQ_LABEL:
mpc->mpc_ops->mpo_destroy_ipq_label =
mpe->mpe_function;
break;
case MAC_DESTROY_PIPE:
mpc->mpc_ops->mpo_destroy_pipe =
case MAC_DESTROY_MBUF_LABEL:
mpc->mpc_ops->mpo_destroy_mbuf_label =
mpe->mpe_function;
break;
case MAC_DESTROY_SOCKET:
mpc->mpc_ops->mpo_destroy_socket =
case MAC_DESTROY_MOUNT_LABEL:
mpc->mpc_ops->mpo_destroy_mount_label =
mpe->mpe_function;
break;
case MAC_DESTROY_TEMP:
mpc->mpc_ops->mpo_destroy_temp =
case MAC_DESTROY_MOUNT_FS_LABEL:
mpc->mpc_ops->mpo_destroy_mount_fs_label =
mpe->mpe_function;
break;
case MAC_DESTROY_VNODE:
mpc->mpc_ops->mpo_destroy_vnode =
case MAC_DESTROY_PIPE_LABEL:
mpc->mpc_ops->mpo_destroy_pipe_label =
mpe->mpe_function;
break;
case MAC_DESTROY_SOCKET_LABEL:
mpc->mpc_ops->mpo_destroy_socket_label =
mpe->mpe_function;
break;
case MAC_DESTROY_SOCKET_PEER_LABEL:
mpc->mpc_ops->mpo_destroy_socket_peer_label =
mpe->mpe_function;
break;
case MAC_DESTROY_TEMP_LABEL:
mpc->mpc_ops->mpo_destroy_temp_label =
mpe->mpe_function;
break;
case MAC_DESTROY_VNODE_LABEL:
mpc->mpc_ops->mpo_destroy_vnode_label =
mpe->mpe_function;
break;
case MAC_EXTERNALIZE:
@ -1290,7 +1306,7 @@ mac_init_mbuf(struct mbuf *m, int how)
/* "how" is one of M_(TRY|DONT)WAIT */
mac_init_label(&m->m_pkthdr.label);
MAC_PERFORM(init_mbuf, m, how, &m->m_pkthdr.label);
MAC_PERFORM(init_mbuf_label, &m->m_pkthdr.label, how);
#ifdef MAC_DEBUG
atomic_add_int(&nmacmbufs, 1);
#endif
@ -1301,7 +1317,7 @@ void
mac_destroy_mbuf(struct mbuf *m)
{
MAC_PERFORM(destroy_mbuf, m, &m->m_pkthdr.label);
MAC_PERFORM(destroy_mbuf_label, &m->m_pkthdr.label);
mac_destroy_label(&m->m_pkthdr.label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacmbufs, 1);
@ -1313,7 +1329,7 @@ mac_init_cred(struct ucred *cr)
{
mac_init_label(&cr->cr_label);
MAC_PERFORM(init_cred, cr, &cr->cr_label);
MAC_PERFORM(init_cred_label, &cr->cr_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmaccreds, 1);
#endif
@ -1323,7 +1339,7 @@ void
mac_destroy_cred(struct ucred *cr)
{
MAC_PERFORM(destroy_cred, cr, &cr->cr_label);
MAC_PERFORM(destroy_cred_label, &cr->cr_label);
mac_destroy_label(&cr->cr_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmaccreds, 1);
@ -1335,7 +1351,7 @@ mac_init_ifnet(struct ifnet *ifp)
{
mac_init_label(&ifp->if_label);
MAC_PERFORM(init_ifnet, ifp, &ifp->if_label);
MAC_PERFORM(init_ifnet_label, &ifp->if_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacifnets, 1);
#endif
@ -1345,7 +1361,7 @@ void
mac_destroy_ifnet(struct ifnet *ifp)
{
MAC_PERFORM(destroy_ifnet, ifp, &ifp->if_label);
MAC_PERFORM(destroy_ifnet_label, &ifp->if_label);
mac_destroy_label(&ifp->if_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacifnets, 1);
@ -1357,7 +1373,7 @@ mac_init_ipq(struct ipq *ipq)
{
mac_init_label(&ipq->ipq_label);
MAC_PERFORM(init_ipq, ipq, &ipq->ipq_label);
MAC_PERFORM(init_ipq_label, &ipq->ipq_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacipqs, 1);
#endif
@ -1367,7 +1383,7 @@ void
mac_destroy_ipq(struct ipq *ipq)
{
MAC_PERFORM(destroy_ipq, ipq, &ipq->ipq_label);
MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label);
mac_destroy_label(&ipq->ipq_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacipqs, 1);
@ -1380,8 +1396,8 @@ mac_init_socket(struct socket *socket)
mac_init_label(&socket->so_label);
mac_init_label(&socket->so_peerlabel);
MAC_PERFORM(init_socket, socket, &socket->so_label,
&socket->so_peerlabel);
MAC_PERFORM(init_socket_label, &socket->so_label);
MAC_PERFORM(init_socket_peer_label, &socket->so_peerlabel);
#ifdef MAC_DEBUG
atomic_add_int(&nmacsockets, 1);
#endif
@ -1391,8 +1407,8 @@ void
mac_destroy_socket(struct socket *socket)
{
MAC_PERFORM(destroy_socket, socket, &socket->so_label,
&socket->so_peerlabel);
MAC_PERFORM(destroy_socket_label, &socket->so_label);
MAC_PERFORM(destroy_socket_peer_label, &socket->so_peerlabel);
mac_destroy_label(&socket->so_label);
mac_destroy_label(&socket->so_peerlabel);
#ifdef MAC_DEBUG
@ -1409,7 +1425,7 @@ mac_init_pipe(struct pipe *pipe)
mac_init_label(label);
pipe->pipe_label = label;
pipe->pipe_peer->pipe_label = label;
MAC_PERFORM(init_pipe, pipe, pipe->pipe_label);
MAC_PERFORM(init_pipe_label, pipe->pipe_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacpipes, 1);
#endif
@ -1419,7 +1435,7 @@ void
mac_destroy_pipe(struct pipe *pipe)
{
MAC_PERFORM(destroy_pipe, pipe, pipe->pipe_label);
MAC_PERFORM(destroy_pipe_label, pipe->pipe_label);
mac_destroy_label(pipe->pipe_label);
free(pipe->pipe_label, M_MACPIPELABEL);
#ifdef MAC_DEBUG
@ -1432,7 +1448,7 @@ mac_init_bpfdesc(struct bpf_d *bpf_d)
{
mac_init_label(&bpf_d->bd_label);
MAC_PERFORM(init_bpfdesc, bpf_d, &bpf_d->bd_label);
MAC_PERFORM(init_bpfdesc_label, &bpf_d->bd_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacbpfdescs, 1);
#endif
@ -1442,7 +1458,7 @@ void
mac_destroy_bpfdesc(struct bpf_d *bpf_d)
{
MAC_PERFORM(destroy_bpfdesc, bpf_d, &bpf_d->bd_label);
MAC_PERFORM(destroy_bpfdesc_label, &bpf_d->bd_label);
mac_destroy_label(&bpf_d->bd_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacbpfdescs, 1);
@ -1455,7 +1471,8 @@ mac_init_mount(struct mount *mp)
mac_init_label(&mp->mnt_mntlabel);
mac_init_label(&mp->mnt_fslabel);
MAC_PERFORM(init_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel);
MAC_PERFORM(init_mount_label, &mp->mnt_mntlabel);
MAC_PERFORM(init_mount_fs_label, &mp->mnt_fslabel);
#ifdef MAC_DEBUG
atomic_add_int(&nmacmounts, 1);
#endif
@ -1465,7 +1482,8 @@ void
mac_destroy_mount(struct mount *mp)
{
MAC_PERFORM(destroy_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel);
MAC_PERFORM(destroy_mount_label, &mp->mnt_mntlabel);
MAC_PERFORM(destroy_mount_fs_label, &mp->mnt_fslabel);
mac_destroy_label(&mp->mnt_fslabel);
mac_destroy_label(&mp->mnt_mntlabel);
#ifdef MAC_DEBUG
@ -1478,7 +1496,7 @@ mac_init_temp(struct label *label)
{
mac_init_label(label);
MAC_PERFORM(init_temp, label);
MAC_PERFORM(init_temp_label, label);
#ifdef MAC_DEBUG
atomic_add_int(&nmactemp, 1);
#endif
@ -1488,7 +1506,7 @@ static void
mac_destroy_temp(struct label *label)
{
MAC_PERFORM(destroy_temp, label);
MAC_PERFORM(destroy_temp_label, label);
mac_destroy_label(label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmactemp, 1);
@ -1500,7 +1518,7 @@ mac_init_vnode(struct vnode *vp)
{
mac_init_label(&vp->v_label);
MAC_PERFORM(init_vnode, vp, &vp->v_label);
MAC_PERFORM(init_vnode_label, &vp->v_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacvnodes, 1);
#endif
@ -1510,7 +1528,7 @@ void
mac_destroy_vnode(struct vnode *vp)
{
MAC_PERFORM(destroy_vnode, vp, &vp->v_label);
MAC_PERFORM(destroy_vnode_label, &vp->v_label);
mac_destroy_label(&vp->v_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacvnodes, 1);
@ -1522,7 +1540,7 @@ mac_init_devfsdirent(struct devfs_dirent *de)
{
mac_init_label(&de->de_label);
MAC_PERFORM(init_devfsdirent, de, &de->de_label);
MAC_PERFORM(init_devfsdirent_label, &de->de_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacdevfsdirents, 1);
#endif
@ -1532,7 +1550,7 @@ void
mac_destroy_devfsdirent(struct devfs_dirent *de)
{
MAC_PERFORM(destroy_devfsdirent, de, &de->de_label);
MAC_PERFORM(destroy_devfsdirent_label, &de->de_label);
mac_destroy_label(&de->de_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacdevfsdirents, 1);
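Review bot: Nothing in the mac_policy_register hunk ties the newly split entry points together. A policy can now register `MAC_INIT_SOCKET_PEER_LABEL` without `MAC_DESTROY_SOCKET_PEER_LABEL`, or `MAC_INIT_MOUNT_FS_LABEL` without its destroy counterpart, and whatever state the init hook attaches to the label would then presumably never be released. The rest of mac_policy_register is outside the hunk, so a later validation pass may already exist. If it does not, add a check after the switch that each `mpo_init_*_label` slot and its `mpo_destroy_*_label` slot are either both set or both unset, and refuse the registration otherwise; this catches policies only half converted from the old combined `mpo_init_socket` / `mpo_init_mount` hooks. A comment above the switch would record the new contract: `/* mount and socket labels each have two slots (main + fs/peer); register init and destroy for both */`.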


@ -72,34 +72,33 @@ struct mac_policy_ops {
/*
* Label operations.
*/
void (*mpo_init_bpfdesc)(struct bpf_d *, struct label *label);
void (*mpo_init_cred)(struct ucred *, struct label *label);
void (*mpo_init_devfsdirent)(struct devfs_dirent *,
struct label *label);
void (*mpo_init_ifnet)(struct ifnet *, struct label *label);
void (*mpo_init_ipq)(struct ipq *ipq, struct label *label);
int (*mpo_init_mbuf)(struct mbuf *, int how, struct label *label);
void (*mpo_init_mount)(struct mount *, struct label *mntlabel,
struct label *fslabel);
void (*mpo_init_socket)(struct socket *so, struct label *label,
struct label *peerlabel);
void (*mpo_init_pipe)(struct pipe *pipe, struct label *label);
void (*mpo_init_temp)(struct label *label);
void (*mpo_init_vnode)(struct vnode *, struct label *label);
void (*mpo_destroy_bpfdesc)(struct bpf_d *, struct label *label);
void (*mpo_destroy_cred)(struct ucred *, struct label *label);
void (*mpo_destroy_devfsdirent)(struct devfs_dirent *de,
struct label *label);
void (*mpo_destroy_ifnet)(struct ifnet *, struct label *label);
void (*mpo_destroy_ipq)(struct ipq *ipq, struct label *label);
void (*mpo_destroy_mbuf)(struct mbuf *, struct label *label);
void (*mpo_destroy_mount)(struct mount *, struct label *mntlabel,
struct label *fslabel);
void (*mpo_destroy_socket)(struct socket *so, struct label *label,
struct label *peerlabel);
void (*mpo_destroy_pipe)(struct pipe *pipe, struct label *label);
void (*mpo_destroy_temp)(struct label *label);
void (*mpo_destroy_vnode)(struct vnode *, struct label *label);
void (*mpo_init_bpfdesc_label)(struct label *label);
void (*mpo_init_cred_label)(struct label *label);
void (*mpo_init_devfsdirent_label)(struct label *label);
void (*mpo_init_ifnet_label)(struct label *label);
void (*mpo_init_ipq_label)(struct label *label);
int (*mpo_init_mbuf_label)(struct label *label, int flag);
void (*mpo_init_mount_label)(struct label *label);
void (*mpo_init_mount_fs_label)(struct label *label);
void (*mpo_init_socket_label)(struct label *label);
void (*mpo_init_socket_peer_label)(struct label *label);
void (*mpo_init_pipe_label)(struct label *label);
void (*mpo_init_temp_label)(struct label *label);
void (*mpo_init_vnode_label)(struct label *label);
void (*mpo_destroy_bpfdesc_label)(struct label *label);
void (*mpo_destroy_cred_label)(struct label *label);
void (*mpo_destroy_devfsdirent_label)(struct label *label);
void (*mpo_destroy_ifnet_label)(struct label *label);
void (*mpo_destroy_ipq_label)(struct label *label);
void (*mpo_destroy_mbuf_label)(struct label *label);
void (*mpo_destroy_mount_label)(struct label *label);
void (*mpo_destroy_mount_fs_label)(struct label *label);
void (*mpo_destroy_socket_label)(struct label *label);
void (*mpo_destroy_socket_peer_label)(struct label *label);
void (*mpo_destroy_pipe_label)(struct label *label);
void (*mpo_destroy_temp_label)(struct label *label);
void (*mpo_destroy_vnode_label)(struct label *label);
int (*mpo_externalize)(struct label *label, struct mac *extmac);
int (*mpo_internalize)(struct label *label, struct mac *extmac);
@ -355,28 +354,32 @@ enum mac_op_constant {
MAC_DESTROY,
MAC_INIT,
MAC_SYSCALL,
MAC_INIT_BPFDESC,
MAC_INIT_CRED,
MAC_INIT_DEVFSDIRENT,
MAC_INIT_IFNET,
MAC_INIT_IPQ,
MAC_INIT_MBUF,
MAC_INIT_MOUNT,
MAC_INIT_PIPE,
MAC_INIT_SOCKET,
MAC_INIT_TEMP,
MAC_INIT_VNODE,
MAC_DESTROY_BPFDESC,
MAC_DESTROY_CRED,
MAC_DESTROY_DEVFSDIRENT,
MAC_DESTROY_IFNET,
MAC_DESTROY_IPQ,
MAC_DESTROY_MBUF,
MAC_DESTROY_MOUNT,
MAC_DESTROY_PIPE,
MAC_DESTROY_SOCKET,
MAC_DESTROY_TEMP,
MAC_DESTROY_VNODE,
MAC_INIT_BPFDESC_LABEL,
MAC_INIT_CRED_LABEL,
MAC_INIT_DEVFSDIRENT_LABEL,
MAC_INIT_IFNET_LABEL,
MAC_INIT_IPQ_LABEL,
MAC_INIT_MBUF_LABEL,
MAC_INIT_MOUNT_LABEL,
MAC_INIT_MOUNT_FS_LABEL,
MAC_INIT_PIPE_LABEL,
MAC_INIT_SOCKET_LABEL,
MAC_INIT_SOCKET_PEER_LABEL,
MAC_INIT_TEMP_LABEL,
MAC_INIT_VNODE_LABEL,
MAC_DESTROY_BPFDESC_LABEL,
MAC_DESTROY_CRED_LABEL,
MAC_DESTROY_DEVFSDIRENT_LABEL,
MAC_DESTROY_IFNET_LABEL,
MAC_DESTROY_IPQ_LABEL,
MAC_DESTROY_MBUF_LABEL,
MAC_DESTROY_MOUNT_LABEL,
MAC_DESTROY_MOUNT_FS_LABEL,
MAC_DESTROY_PIPE_LABEL,
MAC_DESTROY_SOCKET_LABEL,
MAC_DESTROY_SOCKET_PEER_LABEL,
MAC_DESTROY_TEMP_LABEL,
MAC_DESTROY_VNODE_LABEL,
MAC_EXTERNALIZE,
MAC_INTERNALIZE,
MAC_CREATE_DEVFS_DEVICE,
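Review bot: The new constants in `enum mac_op_constant` are inserted in the middle of the list (`MAC_INIT_MOUNT_FS_LABEL`, `MAC_INIT_SOCKET_PEER_LABEL` and the matching destroy pair), so every later constant changes value, while `struct mac_policy_ops` changes both layout and prototypes. As far as this section shows, a policy module built against the old header would register its old `(object, label)` functions under numbers that now select label-only slots, and the framework would then call them with the wrong arguments. Whether registration checks a framework or module version is not visible here, and both the enum and the struct continue outside the hunk. If there is no such check, bump the module ABI version together with this change so that stale modules are refused at load time. A comment above the enum would make the constraint explicit: `/* Values are part of the policy module ABI; bump the version when inserting or reordering. */`.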


@ -394,92 +394,108 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_syscall =
mpe->mpe_function;
break;
case MAC_INIT_BPFDESC:
mpc->mpc_ops->mpo_init_bpfdesc =
case MAC_INIT_BPFDESC_LABEL:
mpc->mpc_ops->mpo_init_bpfdesc_label =
mpe->mpe_function;
break;
case MAC_INIT_CRED:
mpc->mpc_ops->mpo_init_cred =
case MAC_INIT_CRED_LABEL:
mpc->mpc_ops->mpo_init_cred_label =
mpe->mpe_function;
break;
case MAC_INIT_DEVFSDIRENT:
mpc->mpc_ops->mpo_init_devfsdirent =
case MAC_INIT_DEVFSDIRENT_LABEL:
mpc->mpc_ops->mpo_init_devfsdirent_label =
mpe->mpe_function;
break;
case MAC_INIT_IFNET:
mpc->mpc_ops->mpo_init_ifnet =
case MAC_INIT_IFNET_LABEL:
mpc->mpc_ops->mpo_init_ifnet_label =
mpe->mpe_function;
break;
case MAC_INIT_IPQ:
mpc->mpc_ops->mpo_init_ipq =
case MAC_INIT_IPQ_LABEL:
mpc->mpc_ops->mpo_init_ipq_label =
mpe->mpe_function;
break;
case MAC_INIT_MBUF:
mpc->mpc_ops->mpo_init_mbuf =
case MAC_INIT_MBUF_LABEL:
mpc->mpc_ops->mpo_init_mbuf_label =
mpe->mpe_function;
break;
case MAC_INIT_MOUNT:
mpc->mpc_ops->mpo_init_mount =
case MAC_INIT_MOUNT_LABEL:
mpc->mpc_ops->mpo_init_mount_label =
mpe->mpe_function;
break;
case MAC_INIT_PIPE:
mpc->mpc_ops->mpo_init_pipe =
case MAC_INIT_MOUNT_FS_LABEL:
mpc->mpc_ops->mpo_init_mount_fs_label =
mpe->mpe_function;
break;
case MAC_INIT_SOCKET:
mpc->mpc_ops->mpo_init_socket =
case MAC_INIT_PIPE_LABEL:
mpc->mpc_ops->mpo_init_pipe_label =
mpe->mpe_function;
break;
case MAC_INIT_TEMP:
mpc->mpc_ops->mpo_init_temp =
case MAC_INIT_SOCKET_LABEL:
mpc->mpc_ops->mpo_init_socket_label =
mpe->mpe_function;
break;
case MAC_INIT_VNODE:
mpc->mpc_ops->mpo_init_vnode =
case MAC_INIT_SOCKET_PEER_LABEL:
mpc->mpc_ops->mpo_init_socket_peer_label =
mpe->mpe_function;
break;
case MAC_DESTROY_BPFDESC:
mpc->mpc_ops->mpo_destroy_bpfdesc =
case MAC_INIT_TEMP_LABEL:
mpc->mpc_ops->mpo_init_temp_label =
mpe->mpe_function;
break;
case MAC_DESTROY_CRED:
mpc->mpc_ops->mpo_destroy_cred =
case MAC_INIT_VNODE_LABEL:
mpc->mpc_ops->mpo_init_vnode_label =
mpe->mpe_function;
break;
case MAC_DESTROY_DEVFSDIRENT:
mpc->mpc_ops->mpo_destroy_devfsdirent =
case MAC_DESTROY_BPFDESC_LABEL:
mpc->mpc_ops->mpo_destroy_bpfdesc_label =
mpe->mpe_function;
break;
case MAC_DESTROY_IFNET:
mpc->mpc_ops->mpo_destroy_ifnet =
case MAC_DESTROY_CRED_LABEL:
mpc->mpc_ops->mpo_destroy_cred_label =
mpe->mpe_function;
break;
case MAC_DESTROY_IPQ:
mpc->mpc_ops->mpo_destroy_ipq =
case MAC_DESTROY_DEVFSDIRENT_LABEL:
mpc->mpc_ops->mpo_destroy_devfsdirent_label =
mpe->mpe_function;
break;
case MAC_DESTROY_MBUF:
mpc->mpc_ops->mpo_destroy_mbuf =
case MAC_DESTROY_IFNET_LABEL:
mpc->mpc_ops->mpo_destroy_ifnet_label =
mpe->mpe_function;
break;
case MAC_DESTROY_MOUNT:
mpc->mpc_ops->mpo_destroy_mount =
case MAC_DESTROY_IPQ_LABEL:
mpc->mpc_ops->mpo_destroy_ipq_label =
mpe->mpe_function;
break;
case MAC_DESTROY_PIPE:
mpc->mpc_ops->mpo_destroy_pipe =
case MAC_DESTROY_MBUF_LABEL:
mpc->mpc_ops->mpo_destroy_mbuf_label =
mpe->mpe_function;
break;
case MAC_DESTROY_SOCKET:
mpc->mpc_ops->mpo_destroy_socket =
case MAC_DESTROY_MOUNT_LABEL:
mpc->mpc_ops->mpo_destroy_mount_label =
mpe->mpe_function;
break;
case MAC_DESTROY_TEMP:
mpc->mpc_ops->mpo_destroy_temp =
case MAC_DESTROY_MOUNT_FS_LABEL:
mpc->mpc_ops->mpo_destroy_mount_fs_label =
mpe->mpe_function;
break;
case MAC_DESTROY_VNODE:
mpc->mpc_ops->mpo_destroy_vnode =
case MAC_DESTROY_PIPE_LABEL:
mpc->mpc_ops->mpo_destroy_pipe_label =
mpe->mpe_function;
break;
case MAC_DESTROY_SOCKET_LABEL:
mpc->mpc_ops->mpo_destroy_socket_label =
mpe->mpe_function;
break;
case MAC_DESTROY_SOCKET_PEER_LABEL:
mpc->mpc_ops->mpo_destroy_socket_peer_label =
mpe->mpe_function;
break;
case MAC_DESTROY_TEMP_LABEL:
mpc->mpc_ops->mpo_destroy_temp_label =
mpe->mpe_function;
break;
case MAC_DESTROY_VNODE_LABEL:
mpc->mpc_ops->mpo_destroy_vnode_label =
mpe->mpe_function;
break;
case MAC_EXTERNALIZE:
@ -1290,7 +1306,7 @@ mac_init_mbuf(struct mbuf *m, int how)
/* "how" is one of M_(TRY|DONT)WAIT */
mac_init_label(&m->m_pkthdr.label);
MAC_PERFORM(init_mbuf, m, how, &m->m_pkthdr.label);
MAC_PERFORM(init_mbuf_label, &m->m_pkthdr.label, how);
#ifdef MAC_DEBUG
atomic_add_int(&nmacmbufs, 1);
#endif
@ -1301,7 +1317,7 @@ void
mac_destroy_mbuf(struct mbuf *m)
{
MAC_PERFORM(destroy_mbuf, m, &m->m_pkthdr.label);
MAC_PERFORM(destroy_mbuf_label, &m->m_pkthdr.label);
mac_destroy_label(&m->m_pkthdr.label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacmbufs, 1);
@ -1313,7 +1329,7 @@ mac_init_cred(struct ucred *cr)
{
mac_init_label(&cr->cr_label);
MAC_PERFORM(init_cred, cr, &cr->cr_label);
MAC_PERFORM(init_cred_label, &cr->cr_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmaccreds, 1);
#endif
@ -1323,7 +1339,7 @@ void
mac_destroy_cred(struct ucred *cr)
{
MAC_PERFORM(destroy_cred, cr, &cr->cr_label);
MAC_PERFORM(destroy_cred_label, &cr->cr_label);
mac_destroy_label(&cr->cr_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmaccreds, 1);
@ -1335,7 +1351,7 @@ mac_init_ifnet(struct ifnet *ifp)
{
mac_init_label(&ifp->if_label);
MAC_PERFORM(init_ifnet, ifp, &ifp->if_label);
MAC_PERFORM(init_ifnet_label, &ifp->if_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacifnets, 1);
#endif
@ -1345,7 +1361,7 @@ void
mac_destroy_ifnet(struct ifnet *ifp)
{
MAC_PERFORM(destroy_ifnet, ifp, &ifp->if_label);
MAC_PERFORM(destroy_ifnet_label, &ifp->if_label);
mac_destroy_label(&ifp->if_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacifnets, 1);
@ -1357,7 +1373,7 @@ mac_init_ipq(struct ipq *ipq)
{
mac_init_label(&ipq->ipq_label);
MAC_PERFORM(init_ipq, ipq, &ipq->ipq_label);
MAC_PERFORM(init_ipq_label, &ipq->ipq_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacipqs, 1);
#endif
@ -1367,7 +1383,7 @@ void
mac_destroy_ipq(struct ipq *ipq)
{
MAC_PERFORM(destroy_ipq, ipq, &ipq->ipq_label);
MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label);
mac_destroy_label(&ipq->ipq_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacipqs, 1);
@ -1380,8 +1396,8 @@ mac_init_socket(struct socket *socket)
mac_init_label(&socket->so_label);
mac_init_label(&socket->so_peerlabel);
MAC_PERFORM(init_socket, socket, &socket->so_label,
&socket->so_peerlabel);
MAC_PERFORM(init_socket_label, &socket->so_label);
MAC_PERFORM(init_socket_peer_label, &socket->so_peerlabel);
#ifdef MAC_DEBUG
atomic_add_int(&nmacsockets, 1);
#endif
@ -1391,8 +1407,8 @@ void
mac_destroy_socket(struct socket *socket)
{
MAC_PERFORM(destroy_socket, socket, &socket->so_label,
&socket->so_peerlabel);
MAC_PERFORM(destroy_socket_label, &socket->so_label);
MAC_PERFORM(destroy_socket_peer_label, &socket->so_peerlabel);
mac_destroy_label(&socket->so_label);
mac_destroy_label(&socket->so_peerlabel);
#ifdef MAC_DEBUG
@ -1409,7 +1425,7 @@ mac_init_pipe(struct pipe *pipe)
mac_init_label(label);
pipe->pipe_label = label;
pipe->pipe_peer->pipe_label = label;
MAC_PERFORM(init_pipe, pipe, pipe->pipe_label);
MAC_PERFORM(init_pipe_label, pipe->pipe_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacpipes, 1);
#endif
@ -1419,7 +1435,7 @@ void
mac_destroy_pipe(struct pipe *pipe)
{
MAC_PERFORM(destroy_pipe, pipe, pipe->pipe_label);
MAC_PERFORM(destroy_pipe_label, pipe->pipe_label);
mac_destroy_label(pipe->pipe_label);
free(pipe->pipe_label, M_MACPIPELABEL);
#ifdef MAC_DEBUG
@ -1432,7 +1448,7 @@ mac_init_bpfdesc(struct bpf_d *bpf_d)
{
mac_init_label(&bpf_d->bd_label);
MAC_PERFORM(init_bpfdesc, bpf_d, &bpf_d->bd_label);
MAC_PERFORM(init_bpfdesc_label, &bpf_d->bd_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacbpfdescs, 1);
#endif
@ -1442,7 +1458,7 @@ void
mac_destroy_bpfdesc(struct bpf_d *bpf_d)
{
MAC_PERFORM(destroy_bpfdesc, bpf_d, &bpf_d->bd_label);
MAC_PERFORM(destroy_bpfdesc_label, &bpf_d->bd_label);
mac_destroy_label(&bpf_d->bd_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacbpfdescs, 1);
@ -1455,7 +1471,8 @@ mac_init_mount(struct mount *mp)
mac_init_label(&mp->mnt_mntlabel);
mac_init_label(&mp->mnt_fslabel);
MAC_PERFORM(init_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel);
MAC_PERFORM(init_mount_label, &mp->mnt_mntlabel);
MAC_PERFORM(init_mount_fs_label, &mp->mnt_fslabel);
#ifdef MAC_DEBUG
atomic_add_int(&nmacmounts, 1);
#endif
@ -1465,7 +1482,8 @@ void
mac_destroy_mount(struct mount *mp)
{
MAC_PERFORM(destroy_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel);
MAC_PERFORM(destroy_mount_label, &mp->mnt_mntlabel);
MAC_PERFORM(destroy_mount_fs_label, &mp->mnt_fslabel);
mac_destroy_label(&mp->mnt_fslabel);
mac_destroy_label(&mp->mnt_mntlabel);
#ifdef MAC_DEBUG
@ -1478,7 +1496,7 @@ mac_init_temp(struct label *label)
{
mac_init_label(label);
MAC_PERFORM(init_temp, label);
MAC_PERFORM(init_temp_label, label);
#ifdef MAC_DEBUG
atomic_add_int(&nmactemp, 1);
#endif
@ -1488,7 +1506,7 @@ static void
mac_destroy_temp(struct label *label)
{
MAC_PERFORM(destroy_temp, label);
MAC_PERFORM(destroy_temp_label, label);
mac_destroy_label(label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmactemp, 1);
@ -1500,7 +1518,7 @@ mac_init_vnode(struct vnode *vp)
{
mac_init_label(&vp->v_label);
MAC_PERFORM(init_vnode, vp, &vp->v_label);
MAC_PERFORM(init_vnode_label, &vp->v_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacvnodes, 1);
#endif
@ -1510,7 +1528,7 @@ void
mac_destroy_vnode(struct vnode *vp)
{
MAC_PERFORM(destroy_vnode, vp, &vp->v_label);
MAC_PERFORM(destroy_vnode_label, &vp->v_label);
mac_destroy_label(&vp->v_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacvnodes, 1);
@ -1522,7 +1540,7 @@ mac_init_devfsdirent(struct devfs_dirent *de)
{
mac_init_label(&de->de_label);
MAC_PERFORM(init_devfsdirent, de, &de->de_label);
MAC_PERFORM(init_devfsdirent_label, &de->de_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacdevfsdirents, 1);
#endif
@ -1532,7 +1550,7 @@ void
mac_destroy_devfsdirent(struct devfs_dirent *de)
{
MAC_PERFORM(destroy_devfsdirent, de, &de->de_label);
MAC_PERFORM(destroy_devfsdirent_label, &de->de_label);
mac_destroy_label(&de->de_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacdevfsdirents, 1);


@ -394,92 +394,108 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_syscall =
mpe->mpe_function;
break;
case MAC_INIT_BPFDESC:
mpc->mpc_ops->mpo_init_bpfdesc =
case MAC_INIT_BPFDESC_LABEL:
mpc->mpc_ops->mpo_init_bpfdesc_label =
mpe->mpe_function;
break;
case MAC_INIT_CRED:
mpc->mpc_ops->mpo_init_cred =
case MAC_INIT_CRED_LABEL:
mpc->mpc_ops->mpo_init_cred_label =
mpe->mpe_function;
break;
case MAC_INIT_DEVFSDIRENT:
mpc->mpc_ops->mpo_init_devfsdirent =
case MAC_INIT_DEVFSDIRENT_LABEL:
mpc->mpc_ops->mpo_init_devfsdirent_label =
mpe->mpe_function;
break;
case MAC_INIT_IFNET:
mpc->mpc_ops->mpo_init_ifnet =
case MAC_INIT_IFNET_LABEL:
mpc->mpc_ops->mpo_init_ifnet_label =
mpe->mpe_function;
break;
case MAC_INIT_IPQ:
mpc->mpc_ops->mpo_init_ipq =
case MAC_INIT_IPQ_LABEL:
mpc->mpc_ops->mpo_init_ipq_label =
mpe->mpe_function;
break;
case MAC_INIT_MBUF:
mpc->mpc_ops->mpo_init_mbuf =
case MAC_INIT_MBUF_LABEL:
mpc->mpc_ops->mpo_init_mbuf_label =
mpe->mpe_function;
break;
case MAC_INIT_MOUNT:
mpc->mpc_ops->mpo_init_mount =
case MAC_INIT_MOUNT_LABEL:
mpc->mpc_ops->mpo_init_mount_label =
mpe->mpe_function;
break;
case MAC_INIT_PIPE:
mpc->mpc_ops->mpo_init_pipe =
case MAC_INIT_MOUNT_FS_LABEL:
mpc->mpc_ops->mpo_init_mount_fs_label =
mpe->mpe_function;
break;
case MAC_INIT_SOCKET:
mpc->mpc_ops->mpo_init_socket =
case MAC_INIT_PIPE_LABEL:
mpc->mpc_ops->mpo_init_pipe_label =
mpe->mpe_function;
break;
case MAC_INIT_TEMP:
mpc->mpc_ops->mpo_init_temp =
case MAC_INIT_SOCKET_LABEL:
mpc->mpc_ops->mpo_init_socket_label =
mpe->mpe_function;
break;
case MAC_INIT_VNODE:
mpc->mpc_ops->mpo_init_vnode =
case MAC_INIT_SOCKET_PEER_LABEL:
mpc->mpc_ops->mpo_init_socket_peer_label =
mpe->mpe_function;
break;
case MAC_DESTROY_BPFDESC:
mpc->mpc_ops->mpo_destroy_bpfdesc =
case MAC_INIT_TEMP_LABEL:
mpc->mpc_ops->mpo_init_temp_label =
mpe->mpe_function;
break;
case MAC_DESTROY_CRED:
mpc->mpc_ops->mpo_destroy_cred =
case MAC_INIT_VNODE_LABEL:
mpc->mpc_ops->mpo_init_vnode_label =
mpe->mpe_function;
break;
case MAC_DESTROY_DEVFSDIRENT:
mpc->mpc_ops->mpo_destroy_devfsdirent =
case MAC_DESTROY_BPFDESC_LABEL:
mpc->mpc_ops->mpo_destroy_bpfdesc_label =
mpe->mpe_function;
break;
case MAC_DESTROY_IFNET:
mpc->mpc_ops->mpo_destroy_ifnet =
case MAC_DESTROY_CRED_LABEL:
mpc->mpc_ops->mpo_destroy_cred_label =
mpe->mpe_function;
break;
case MAC_DESTROY_IPQ:
mpc->mpc_ops->mpo_destroy_ipq =
case MAC_DESTROY_DEVFSDIRENT_LABEL:
mpc->mpc_ops->mpo_destroy_devfsdirent_label =
mpe->mpe_function;
break;
case MAC_DESTROY_MBUF:
mpc->mpc_ops->mpo_destroy_mbuf =
case MAC_DESTROY_IFNET_LABEL:
mpc->mpc_ops->mpo_destroy_ifnet_label =
mpe->mpe_function;
break;
case MAC_DESTROY_MOUNT:
mpc->mpc_ops->mpo_destroy_mount =
case MAC_DESTROY_IPQ_LABEL:
mpc->mpc_ops->mpo_destroy_ipq_label =
mpe->mpe_function;
break;
case MAC_DESTROY_PIPE:
mpc->mpc_ops->mpo_destroy_pipe =
case MAC_DESTROY_MBUF_LABEL:
mpc->mpc_ops->mpo_destroy_mbuf_label =
mpe->mpe_function;
break;
case MAC_DESTROY_SOCKET:
mpc->mpc_ops->mpo_destroy_socket =
case MAC_DESTROY_MOUNT_LABEL:
mpc->mpc_ops->mpo_destroy_mount_label =
mpe->mpe_function;
break;
case MAC_DESTROY_TEMP:
mpc->mpc_ops->mpo_destroy_temp =
case MAC_DESTROY_MOUNT_FS_LABEL:
mpc->mpc_ops->mpo_destroy_mount_fs_label =
mpe->mpe_function;
break;
case MAC_DESTROY_VNODE:
mpc->mpc_ops->mpo_destroy_vnode =
case MAC_DESTROY_PIPE_LABEL:
mpc->mpc_ops->mpo_destroy_pipe_label =
mpe->mpe_function;
break;
case MAC_DESTROY_SOCKET_LABEL:
mpc->mpc_ops->mpo_destroy_socket_label =
mpe->mpe_function;
break;
case MAC_DESTROY_SOCKET_PEER_LABEL:
mpc->mpc_ops->mpo_destroy_socket_peer_label =
mpe->mpe_function;
break;
case MAC_DESTROY_TEMP_LABEL:
mpc->mpc_ops->mpo_destroy_temp_label =
mpe->mpe_function;
break;
case MAC_DESTROY_VNODE_LABEL:
mpc->mpc_ops->mpo_destroy_vnode_label =
mpe->mpe_function;
break;
case MAC_EXTERNALIZE:
@ -1290,7 +1306,7 @@ mac_init_mbuf(struct mbuf *m, int how)
/* "how" is one of M_(TRY|DONT)WAIT */
mac_init_label(&m->m_pkthdr.label);
MAC_PERFORM(init_mbuf, m, how, &m->m_pkthdr.label);
MAC_PERFORM(init_mbuf_label, &m->m_pkthdr.label, how);
#ifdef MAC_DEBUG
atomic_add_int(&nmacmbufs, 1);
#endif
@ -1301,7 +1317,7 @@ void
mac_destroy_mbuf(struct mbuf *m)
{
MAC_PERFORM(destroy_mbuf, m, &m->m_pkthdr.label);
MAC_PERFORM(destroy_mbuf_label, &m->m_pkthdr.label);
mac_destroy_label(&m->m_pkthdr.label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacmbufs, 1);
@ -1313,7 +1329,7 @@ mac_init_cred(struct ucred *cr)
{
mac_init_label(&cr->cr_label);
MAC_PERFORM(init_cred, cr, &cr->cr_label);
MAC_PERFORM(init_cred_label, &cr->cr_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmaccreds, 1);
#endif
@ -1323,7 +1339,7 @@ void
mac_destroy_cred(struct ucred *cr)
{
MAC_PERFORM(destroy_cred, cr, &cr->cr_label);
MAC_PERFORM(destroy_cred_label, &cr->cr_label);
mac_destroy_label(&cr->cr_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmaccreds, 1);
@ -1335,7 +1351,7 @@ mac_init_ifnet(struct ifnet *ifp)
{
mac_init_label(&ifp->if_label);
MAC_PERFORM(init_ifnet, ifp, &ifp->if_label);
MAC_PERFORM(init_ifnet_label, &ifp->if_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacifnets, 1);
#endif
@ -1345,7 +1361,7 @@ void
mac_destroy_ifnet(struct ifnet *ifp)
{
MAC_PERFORM(destroy_ifnet, ifp, &ifp->if_label);
MAC_PERFORM(destroy_ifnet_label, &ifp->if_label);
mac_destroy_label(&ifp->if_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacifnets, 1);
@ -1357,7 +1373,7 @@ mac_init_ipq(struct ipq *ipq)
{
mac_init_label(&ipq->ipq_label);
MAC_PERFORM(init_ipq, ipq, &ipq->ipq_label);
MAC_PERFORM(init_ipq_label, &ipq->ipq_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacipqs, 1);
#endif
@ -1367,7 +1383,7 @@ void
mac_destroy_ipq(struct ipq *ipq)
{
MAC_PERFORM(destroy_ipq, ipq, &ipq->ipq_label);
MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label);
mac_destroy_label(&ipq->ipq_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacipqs, 1);
@ -1380,8 +1396,8 @@ mac_init_socket(struct socket *socket)
mac_init_label(&socket->so_label);
mac_init_label(&socket->so_peerlabel);
MAC_PERFORM(init_socket, socket, &socket->so_label,
&socket->so_peerlabel);
MAC_PERFORM(init_socket_label, &socket->so_label);
MAC_PERFORM(init_socket_peer_label, &socket->so_peerlabel);
#ifdef MAC_DEBUG
atomic_add_int(&nmacsockets, 1);
#endif
@ -1391,8 +1407,8 @@ void
mac_destroy_socket(struct socket *socket)
{
MAC_PERFORM(destroy_socket, socket, &socket->so_label,
&socket->so_peerlabel);
MAC_PERFORM(destroy_socket_label, &socket->so_label);
MAC_PERFORM(destroy_socket_peer_label, &socket->so_peerlabel);
mac_destroy_label(&socket->so_label);
mac_destroy_label(&socket->so_peerlabel);
#ifdef MAC_DEBUG
@ -1409,7 +1425,7 @@ mac_init_pipe(struct pipe *pipe)
mac_init_label(label);
pipe->pipe_label = label;
pipe->pipe_peer->pipe_label = label;
MAC_PERFORM(init_pipe, pipe, pipe->pipe_label);
MAC_PERFORM(init_pipe_label, pipe->pipe_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacpipes, 1);
#endif
@ -1419,7 +1435,7 @@ void
mac_destroy_pipe(struct pipe *pipe)
{
MAC_PERFORM(destroy_pipe, pipe, pipe->pipe_label);
MAC_PERFORM(destroy_pipe_label, pipe->pipe_label);
mac_destroy_label(pipe->pipe_label);
free(pipe->pipe_label, M_MACPIPELABEL);
#ifdef MAC_DEBUG
@ -1432,7 +1448,7 @@ mac_init_bpfdesc(struct bpf_d *bpf_d)
{
mac_init_label(&bpf_d->bd_label);
MAC_PERFORM(init_bpfdesc, bpf_d, &bpf_d->bd_label);
MAC_PERFORM(init_bpfdesc_label, &bpf_d->bd_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacbpfdescs, 1);
#endif
@ -1442,7 +1458,7 @@ void
mac_destroy_bpfdesc(struct bpf_d *bpf_d)
{
MAC_PERFORM(destroy_bpfdesc, bpf_d, &bpf_d->bd_label);
MAC_PERFORM(destroy_bpfdesc_label, &bpf_d->bd_label);
mac_destroy_label(&bpf_d->bd_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacbpfdescs, 1);
@ -1455,7 +1471,8 @@ mac_init_mount(struct mount *mp)
mac_init_label(&mp->mnt_mntlabel);
mac_init_label(&mp->mnt_fslabel);
MAC_PERFORM(init_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel);
MAC_PERFORM(init_mount_label, &mp->mnt_mntlabel);
MAC_PERFORM(init_mount_fs_label, &mp->mnt_fslabel);
#ifdef MAC_DEBUG
atomic_add_int(&nmacmounts, 1);
#endif
@ -1465,7 +1482,8 @@ void
mac_destroy_mount(struct mount *mp)
{
MAC_PERFORM(destroy_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel);
MAC_PERFORM(destroy_mount_label, &mp->mnt_mntlabel);
MAC_PERFORM(destroy_mount_fs_label, &mp->mnt_fslabel);
mac_destroy_label(&mp->mnt_fslabel);
mac_destroy_label(&mp->mnt_mntlabel);
#ifdef MAC_DEBUG
@ -1478,7 +1496,7 @@ mac_init_temp(struct label *label)
{
mac_init_label(label);
MAC_PERFORM(init_temp, label);
MAC_PERFORM(init_temp_label, label);
#ifdef MAC_DEBUG
atomic_add_int(&nmactemp, 1);
#endif
@ -1488,7 +1506,7 @@ static void
mac_destroy_temp(struct label *label)
{
MAC_PERFORM(destroy_temp, label);
MAC_PERFORM(destroy_temp_label, label);
mac_destroy_label(label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmactemp, 1);
@ -1500,7 +1518,7 @@ mac_init_vnode(struct vnode *vp)
{
mac_init_label(&vp->v_label);
MAC_PERFORM(init_vnode, vp, &vp->v_label);
MAC_PERFORM(init_vnode_label, &vp->v_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacvnodes, 1);
#endif
@ -1510,7 +1528,7 @@ void
mac_destroy_vnode(struct vnode *vp)
{
MAC_PERFORM(destroy_vnode, vp, &vp->v_label);
MAC_PERFORM(destroy_vnode_label, &vp->v_label);
mac_destroy_label(&vp->v_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacvnodes, 1);
@ -1522,7 +1540,7 @@ mac_init_devfsdirent(struct devfs_dirent *de)
{
mac_init_label(&de->de_label);
MAC_PERFORM(init_devfsdirent, de, &de->de_label);
MAC_PERFORM(init_devfsdirent_label, &de->de_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacdevfsdirents, 1);
#endif
@ -1532,7 +1550,7 @@ void
mac_destroy_devfsdirent(struct devfs_dirent *de)
{
MAC_PERFORM(destroy_devfsdirent, de, &de->de_label);
MAC_PERFORM(destroy_devfsdirent_label, &de->de_label);
mac_destroy_label(&de->de_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacdevfsdirents, 1);
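Review bot: In the mac_init_mbuf hunk, the new `MAC_PERFORM(init_mbuf_label, &m->m_pkthdr.label, how);` appears to discard the policy's result, yet `init_mbuf_label` is the one label-init entry point that can fail: the Biba implementation in this commit (`mac_biba_init_label_waitcheck`) returns ENOMEM when a non-sleeping allocation fails. If MAC_PERFORM ignores return values, as its use for the void entry points here suggests, an mbuf can leave this function with an empty policy slot, and later label checks would operate on a NULL pointer. The call should collect the error, undo the partial initialisation and return it to the caller, as sketched below; this assumes the function returns int, has an `int error` local and can use the framework's MAC_CHECK macro, and the function's start and return statement are outside the hunk. The identical mac_init_mbuf hunk in the following two file sections needs the same change.

```c
	mac_init_label(&m->m_pkthdr.label);
	MAC_CHECK(init_mbuf_label, &m->m_pkthdr.label, how);
	if (error) {
		/*
		 * A policy failed to allocate: release whatever the other
		 * policies set up.  Destroy hooks must tolerate an empty slot.
		 */
		MAC_PERFORM(destroy_mbuf_label, &m->m_pkthdr.label);
		mac_destroy_label(&m->m_pkthdr.label);
	}
#ifdef MAC_DEBUG
	if (error == 0)
		atomic_add_int(&nmacmbufs, 1);
#endif
	return (error);
```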


@ -394,92 +394,108 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_syscall =
mpe->mpe_function;
break;
case MAC_INIT_BPFDESC:
mpc->mpc_ops->mpo_init_bpfdesc =
case MAC_INIT_BPFDESC_LABEL:
mpc->mpc_ops->mpo_init_bpfdesc_label =
mpe->mpe_function;
break;
case MAC_INIT_CRED:
mpc->mpc_ops->mpo_init_cred =
case MAC_INIT_CRED_LABEL:
mpc->mpc_ops->mpo_init_cred_label =
mpe->mpe_function;
break;
case MAC_INIT_DEVFSDIRENT:
mpc->mpc_ops->mpo_init_devfsdirent =
case MAC_INIT_DEVFSDIRENT_LABEL:
mpc->mpc_ops->mpo_init_devfsdirent_label =
mpe->mpe_function;
break;
case MAC_INIT_IFNET:
mpc->mpc_ops->mpo_init_ifnet =
case MAC_INIT_IFNET_LABEL:
mpc->mpc_ops->mpo_init_ifnet_label =
mpe->mpe_function;
break;
case MAC_INIT_IPQ:
mpc->mpc_ops->mpo_init_ipq =
case MAC_INIT_IPQ_LABEL:
mpc->mpc_ops->mpo_init_ipq_label =
mpe->mpe_function;
break;
case MAC_INIT_MBUF:
mpc->mpc_ops->mpo_init_mbuf =
case MAC_INIT_MBUF_LABEL:
mpc->mpc_ops->mpo_init_mbuf_label =
mpe->mpe_function;
break;
case MAC_INIT_MOUNT:
mpc->mpc_ops->mpo_init_mount =
case MAC_INIT_MOUNT_LABEL:
mpc->mpc_ops->mpo_init_mount_label =
mpe->mpe_function;
break;
case MAC_INIT_PIPE:
mpc->mpc_ops->mpo_init_pipe =
case MAC_INIT_MOUNT_FS_LABEL:
mpc->mpc_ops->mpo_init_mount_fs_label =
mpe->mpe_function;
break;
case MAC_INIT_SOCKET:
mpc->mpc_ops->mpo_init_socket =
case MAC_INIT_PIPE_LABEL:
mpc->mpc_ops->mpo_init_pipe_label =
mpe->mpe_function;
break;
case MAC_INIT_TEMP:
mpc->mpc_ops->mpo_init_temp =
case MAC_INIT_SOCKET_LABEL:
mpc->mpc_ops->mpo_init_socket_label =
mpe->mpe_function;
break;
case MAC_INIT_VNODE:
mpc->mpc_ops->mpo_init_vnode =
case MAC_INIT_SOCKET_PEER_LABEL:
mpc->mpc_ops->mpo_init_socket_peer_label =
mpe->mpe_function;
break;
case MAC_DESTROY_BPFDESC:
mpc->mpc_ops->mpo_destroy_bpfdesc =
case MAC_INIT_TEMP_LABEL:
mpc->mpc_ops->mpo_init_temp_label =
mpe->mpe_function;
break;
case MAC_DESTROY_CRED:
mpc->mpc_ops->mpo_destroy_cred =
case MAC_INIT_VNODE_LABEL:
mpc->mpc_ops->mpo_init_vnode_label =
mpe->mpe_function;
break;
case MAC_DESTROY_DEVFSDIRENT:
mpc->mpc_ops->mpo_destroy_devfsdirent =
case MAC_DESTROY_BPFDESC_LABEL:
mpc->mpc_ops->mpo_destroy_bpfdesc_label =
mpe->mpe_function;
break;
case MAC_DESTROY_IFNET:
mpc->mpc_ops->mpo_destroy_ifnet =
case MAC_DESTROY_CRED_LABEL:
mpc->mpc_ops->mpo_destroy_cred_label =
mpe->mpe_function;
break;
case MAC_DESTROY_IPQ:
mpc->mpc_ops->mpo_destroy_ipq =
case MAC_DESTROY_DEVFSDIRENT_LABEL:
mpc->mpc_ops->mpo_destroy_devfsdirent_label =
mpe->mpe_function;
break;
case MAC_DESTROY_MBUF:
mpc->mpc_ops->mpo_destroy_mbuf =
case MAC_DESTROY_IFNET_LABEL:
mpc->mpc_ops->mpo_destroy_ifnet_label =
mpe->mpe_function;
break;
case MAC_DESTROY_MOUNT:
mpc->mpc_ops->mpo_destroy_mount =
case MAC_DESTROY_IPQ_LABEL:
mpc->mpc_ops->mpo_destroy_ipq_label =
mpe->mpe_function;
break;
case MAC_DESTROY_PIPE:
mpc->mpc_ops->mpo_destroy_pipe =
case MAC_DESTROY_MBUF_LABEL:
mpc->mpc_ops->mpo_destroy_mbuf_label =
mpe->mpe_function;
break;
case MAC_DESTROY_SOCKET:
mpc->mpc_ops->mpo_destroy_socket =
case MAC_DESTROY_MOUNT_LABEL:
mpc->mpc_ops->mpo_destroy_mount_label =
mpe->mpe_function;
break;
case MAC_DESTROY_TEMP:
mpc->mpc_ops->mpo_destroy_temp =
case MAC_DESTROY_MOUNT_FS_LABEL:
mpc->mpc_ops->mpo_destroy_mount_fs_label =
mpe->mpe_function;
break;
case MAC_DESTROY_VNODE:
mpc->mpc_ops->mpo_destroy_vnode =
case MAC_DESTROY_PIPE_LABEL:
mpc->mpc_ops->mpo_destroy_pipe_label =
mpe->mpe_function;
break;
case MAC_DESTROY_SOCKET_LABEL:
mpc->mpc_ops->mpo_destroy_socket_label =
mpe->mpe_function;
break;
case MAC_DESTROY_SOCKET_PEER_LABEL:
mpc->mpc_ops->mpo_destroy_socket_peer_label =
mpe->mpe_function;
break;
case MAC_DESTROY_TEMP_LABEL:
mpc->mpc_ops->mpo_destroy_temp_label =
mpe->mpe_function;
break;
case MAC_DESTROY_VNODE_LABEL:
mpc->mpc_ops->mpo_destroy_vnode_label =
mpe->mpe_function;
break;
case MAC_EXTERNALIZE:
@ -1290,7 +1306,7 @@ mac_init_mbuf(struct mbuf *m, int how)
/* "how" is one of M_(TRY|DONT)WAIT */
mac_init_label(&m->m_pkthdr.label);
MAC_PERFORM(init_mbuf, m, how, &m->m_pkthdr.label);
MAC_PERFORM(init_mbuf_label, &m->m_pkthdr.label, how);
#ifdef MAC_DEBUG
atomic_add_int(&nmacmbufs, 1);
#endif
@ -1301,7 +1317,7 @@ void
mac_destroy_mbuf(struct mbuf *m)
{
MAC_PERFORM(destroy_mbuf, m, &m->m_pkthdr.label);
MAC_PERFORM(destroy_mbuf_label, &m->m_pkthdr.label);
mac_destroy_label(&m->m_pkthdr.label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacmbufs, 1);
@ -1313,7 +1329,7 @@ mac_init_cred(struct ucred *cr)
{
mac_init_label(&cr->cr_label);
MAC_PERFORM(init_cred, cr, &cr->cr_label);
MAC_PERFORM(init_cred_label, &cr->cr_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmaccreds, 1);
#endif
@ -1323,7 +1339,7 @@ void
mac_destroy_cred(struct ucred *cr)
{
MAC_PERFORM(destroy_cred, cr, &cr->cr_label);
MAC_PERFORM(destroy_cred_label, &cr->cr_label);
mac_destroy_label(&cr->cr_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmaccreds, 1);
@ -1335,7 +1351,7 @@ mac_init_ifnet(struct ifnet *ifp)
{
mac_init_label(&ifp->if_label);
MAC_PERFORM(init_ifnet, ifp, &ifp->if_label);
MAC_PERFORM(init_ifnet_label, &ifp->if_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacifnets, 1);
#endif
@ -1345,7 +1361,7 @@ void
mac_destroy_ifnet(struct ifnet *ifp)
{
MAC_PERFORM(destroy_ifnet, ifp, &ifp->if_label);
MAC_PERFORM(destroy_ifnet_label, &ifp->if_label);
mac_destroy_label(&ifp->if_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacifnets, 1);
@ -1357,7 +1373,7 @@ mac_init_ipq(struct ipq *ipq)
{
mac_init_label(&ipq->ipq_label);
MAC_PERFORM(init_ipq, ipq, &ipq->ipq_label);
MAC_PERFORM(init_ipq_label, &ipq->ipq_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacipqs, 1);
#endif
@ -1367,7 +1383,7 @@ void
mac_destroy_ipq(struct ipq *ipq)
{
MAC_PERFORM(destroy_ipq, ipq, &ipq->ipq_label);
MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label);
mac_destroy_label(&ipq->ipq_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacipqs, 1);
@ -1380,8 +1396,8 @@ mac_init_socket(struct socket *socket)
mac_init_label(&socket->so_label);
mac_init_label(&socket->so_peerlabel);
MAC_PERFORM(init_socket, socket, &socket->so_label,
&socket->so_peerlabel);
MAC_PERFORM(init_socket_label, &socket->so_label);
MAC_PERFORM(init_socket_peer_label, &socket->so_peerlabel);
#ifdef MAC_DEBUG
atomic_add_int(&nmacsockets, 1);
#endif
@ -1391,8 +1407,8 @@ void
mac_destroy_socket(struct socket *socket)
{
MAC_PERFORM(destroy_socket, socket, &socket->so_label,
&socket->so_peerlabel);
MAC_PERFORM(destroy_socket_label, &socket->so_label);
MAC_PERFORM(destroy_socket_peer_label, &socket->so_peerlabel);
mac_destroy_label(&socket->so_label);
mac_destroy_label(&socket->so_peerlabel);
#ifdef MAC_DEBUG
@ -1409,7 +1425,7 @@ mac_init_pipe(struct pipe *pipe)
mac_init_label(label);
pipe->pipe_label = label;
pipe->pipe_peer->pipe_label = label;
MAC_PERFORM(init_pipe, pipe, pipe->pipe_label);
MAC_PERFORM(init_pipe_label, pipe->pipe_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacpipes, 1);
#endif
@ -1419,7 +1435,7 @@ void
mac_destroy_pipe(struct pipe *pipe)
{
MAC_PERFORM(destroy_pipe, pipe, pipe->pipe_label);
MAC_PERFORM(destroy_pipe_label, pipe->pipe_label);
mac_destroy_label(pipe->pipe_label);
free(pipe->pipe_label, M_MACPIPELABEL);
#ifdef MAC_DEBUG
@ -1432,7 +1448,7 @@ mac_init_bpfdesc(struct bpf_d *bpf_d)
{
mac_init_label(&bpf_d->bd_label);
MAC_PERFORM(init_bpfdesc, bpf_d, &bpf_d->bd_label);
MAC_PERFORM(init_bpfdesc_label, &bpf_d->bd_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacbpfdescs, 1);
#endif
@ -1442,7 +1458,7 @@ void
mac_destroy_bpfdesc(struct bpf_d *bpf_d)
{
MAC_PERFORM(destroy_bpfdesc, bpf_d, &bpf_d->bd_label);
MAC_PERFORM(destroy_bpfdesc_label, &bpf_d->bd_label);
mac_destroy_label(&bpf_d->bd_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacbpfdescs, 1);
@ -1455,7 +1471,8 @@ mac_init_mount(struct mount *mp)
mac_init_label(&mp->mnt_mntlabel);
mac_init_label(&mp->mnt_fslabel);
MAC_PERFORM(init_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel);
MAC_PERFORM(init_mount_label, &mp->mnt_mntlabel);
MAC_PERFORM(init_mount_fs_label, &mp->mnt_fslabel);
#ifdef MAC_DEBUG
atomic_add_int(&nmacmounts, 1);
#endif
@ -1465,7 +1482,8 @@ void
mac_destroy_mount(struct mount *mp)
{
MAC_PERFORM(destroy_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel);
MAC_PERFORM(destroy_mount_label, &mp->mnt_mntlabel);
MAC_PERFORM(destroy_mount_fs_label, &mp->mnt_fslabel);
mac_destroy_label(&mp->mnt_fslabel);
mac_destroy_label(&mp->mnt_mntlabel);
#ifdef MAC_DEBUG
@ -1478,7 +1496,7 @@ mac_init_temp(struct label *label)
{
mac_init_label(label);
MAC_PERFORM(init_temp, label);
MAC_PERFORM(init_temp_label, label);
#ifdef MAC_DEBUG
atomic_add_int(&nmactemp, 1);
#endif
@ -1488,7 +1506,7 @@ static void
mac_destroy_temp(struct label *label)
{
MAC_PERFORM(destroy_temp, label);
MAC_PERFORM(destroy_temp_label, label);
mac_destroy_label(label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmactemp, 1);
@ -1500,7 +1518,7 @@ mac_init_vnode(struct vnode *vp)
{
mac_init_label(&vp->v_label);
MAC_PERFORM(init_vnode, vp, &vp->v_label);
MAC_PERFORM(init_vnode_label, &vp->v_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacvnodes, 1);
#endif
@ -1510,7 +1528,7 @@ void
mac_destroy_vnode(struct vnode *vp)
{
MAC_PERFORM(destroy_vnode, vp, &vp->v_label);
MAC_PERFORM(destroy_vnode_label, &vp->v_label);
mac_destroy_label(&vp->v_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacvnodes, 1);
@ -1522,7 +1540,7 @@ mac_init_devfsdirent(struct devfs_dirent *de)
{
mac_init_label(&de->de_label);
MAC_PERFORM(init_devfsdirent, de, &de->de_label);
MAC_PERFORM(init_devfsdirent_label, &de->de_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacdevfsdirents, 1);
#endif
@ -1532,7 +1550,7 @@ void
mac_destroy_devfsdirent(struct devfs_dirent *de)
{
MAC_PERFORM(destroy_devfsdirent, de, &de->de_label);
MAC_PERFORM(destroy_devfsdirent_label, &de->de_label);
mac_destroy_label(&de->de_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacdevfsdirents, 1);
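Review bot: The mac_policy_register hunk wires the split socket and mount entry points (`MAC_INIT_SOCKET_LABEL`/`MAC_INIT_SOCKET_PEER_LABEL`, `MAC_INIT_MOUNT_LABEL`/`MAC_INIT_MOUNT_FS_LABEL` and their destroy counterparts) independently, and nothing visible here documents that a policy now has to supply each half. A policy ported from the old combined `mpo_init_socket` that registers only the main-label op would, as far as this hunk shows, leave its slot in `so_peerlabel` unset without any diagnostic. I would add a comment above the new cases, for example `/* Main and peer/fs labels are initialised by separate ops; a policy that allocates in one must register the other and both destroy ops. */`. The switch starts and ends outside the hunk, so a pairing check after it may already exist.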


@ -394,92 +394,108 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_syscall =
mpe->mpe_function;
break;
case MAC_INIT_BPFDESC:
mpc->mpc_ops->mpo_init_bpfdesc =
case MAC_INIT_BPFDESC_LABEL:
mpc->mpc_ops->mpo_init_bpfdesc_label =
mpe->mpe_function;
break;
case MAC_INIT_CRED:
mpc->mpc_ops->mpo_init_cred =
case MAC_INIT_CRED_LABEL:
mpc->mpc_ops->mpo_init_cred_label =
mpe->mpe_function;
break;
case MAC_INIT_DEVFSDIRENT:
mpc->mpc_ops->mpo_init_devfsdirent =
case MAC_INIT_DEVFSDIRENT_LABEL:
mpc->mpc_ops->mpo_init_devfsdirent_label =
mpe->mpe_function;
break;
case MAC_INIT_IFNET:
mpc->mpc_ops->mpo_init_ifnet =
case MAC_INIT_IFNET_LABEL:
mpc->mpc_ops->mpo_init_ifnet_label =
mpe->mpe_function;
break;
case MAC_INIT_IPQ:
mpc->mpc_ops->mpo_init_ipq =
case MAC_INIT_IPQ_LABEL:
mpc->mpc_ops->mpo_init_ipq_label =
mpe->mpe_function;
break;
case MAC_INIT_MBUF:
mpc->mpc_ops->mpo_init_mbuf =
case MAC_INIT_MBUF_LABEL:
mpc->mpc_ops->mpo_init_mbuf_label =
mpe->mpe_function;
break;
case MAC_INIT_MOUNT:
mpc->mpc_ops->mpo_init_mount =
case MAC_INIT_MOUNT_LABEL:
mpc->mpc_ops->mpo_init_mount_label =
mpe->mpe_function;
break;
case MAC_INIT_PIPE:
mpc->mpc_ops->mpo_init_pipe =
case MAC_INIT_MOUNT_FS_LABEL:
mpc->mpc_ops->mpo_init_mount_fs_label =
mpe->mpe_function;
break;
case MAC_INIT_SOCKET:
mpc->mpc_ops->mpo_init_socket =
case MAC_INIT_PIPE_LABEL:
mpc->mpc_ops->mpo_init_pipe_label =
mpe->mpe_function;
break;
case MAC_INIT_TEMP:
mpc->mpc_ops->mpo_init_temp =
case MAC_INIT_SOCKET_LABEL:
mpc->mpc_ops->mpo_init_socket_label =
mpe->mpe_function;
break;
case MAC_INIT_VNODE:
mpc->mpc_ops->mpo_init_vnode =
case MAC_INIT_SOCKET_PEER_LABEL:
mpc->mpc_ops->mpo_init_socket_peer_label =
mpe->mpe_function;
break;
case MAC_DESTROY_BPFDESC:
mpc->mpc_ops->mpo_destroy_bpfdesc =
case MAC_INIT_TEMP_LABEL:
mpc->mpc_ops->mpo_init_temp_label =
mpe->mpe_function;
break;
case MAC_DESTROY_CRED:
mpc->mpc_ops->mpo_destroy_cred =
case MAC_INIT_VNODE_LABEL:
mpc->mpc_ops->mpo_init_vnode_label =
mpe->mpe_function;
break;
case MAC_DESTROY_DEVFSDIRENT:
mpc->mpc_ops->mpo_destroy_devfsdirent =
case MAC_DESTROY_BPFDESC_LABEL:
mpc->mpc_ops->mpo_destroy_bpfdesc_label =
mpe->mpe_function;
break;
case MAC_DESTROY_IFNET:
mpc->mpc_ops->mpo_destroy_ifnet =
case MAC_DESTROY_CRED_LABEL:
mpc->mpc_ops->mpo_destroy_cred_label =
mpe->mpe_function;
break;
case MAC_DESTROY_IPQ:
mpc->mpc_ops->mpo_destroy_ipq =
case MAC_DESTROY_DEVFSDIRENT_LABEL:
mpc->mpc_ops->mpo_destroy_devfsdirent_label =
mpe->mpe_function;
break;
case MAC_DESTROY_MBUF:
mpc->mpc_ops->mpo_destroy_mbuf =
case MAC_DESTROY_IFNET_LABEL:
mpc->mpc_ops->mpo_destroy_ifnet_label =
mpe->mpe_function;
break;
case MAC_DESTROY_MOUNT:
mpc->mpc_ops->mpo_destroy_mount =
case MAC_DESTROY_IPQ_LABEL:
mpc->mpc_ops->mpo_destroy_ipq_label =
mpe->mpe_function;
break;
case MAC_DESTROY_PIPE:
mpc->mpc_ops->mpo_destroy_pipe =
case MAC_DESTROY_MBUF_LABEL:
mpc->mpc_ops->mpo_destroy_mbuf_label =
mpe->mpe_function;
break;
case MAC_DESTROY_SOCKET:
mpc->mpc_ops->mpo_destroy_socket =
case MAC_DESTROY_MOUNT_LABEL:
mpc->mpc_ops->mpo_destroy_mount_label =
mpe->mpe_function;
break;
case MAC_DESTROY_TEMP:
mpc->mpc_ops->mpo_destroy_temp =
case MAC_DESTROY_MOUNT_FS_LABEL:
mpc->mpc_ops->mpo_destroy_mount_fs_label =
mpe->mpe_function;
break;
case MAC_DESTROY_VNODE:
mpc->mpc_ops->mpo_destroy_vnode =
case MAC_DESTROY_PIPE_LABEL:
mpc->mpc_ops->mpo_destroy_pipe_label =
mpe->mpe_function;
break;
case MAC_DESTROY_SOCKET_LABEL:
mpc->mpc_ops->mpo_destroy_socket_label =
mpe->mpe_function;
break;
case MAC_DESTROY_SOCKET_PEER_LABEL:
mpc->mpc_ops->mpo_destroy_socket_peer_label =
mpe->mpe_function;
break;
case MAC_DESTROY_TEMP_LABEL:
mpc->mpc_ops->mpo_destroy_temp_label =
mpe->mpe_function;
break;
case MAC_DESTROY_VNODE_LABEL:
mpc->mpc_ops->mpo_destroy_vnode_label =
mpe->mpe_function;
break;
case MAC_EXTERNALIZE:
@ -1290,7 +1306,7 @@ mac_init_mbuf(struct mbuf *m, int how)
/* "how" is one of M_(TRY|DONT)WAIT */
mac_init_label(&m->m_pkthdr.label);
MAC_PERFORM(init_mbuf, m, how, &m->m_pkthdr.label);
MAC_PERFORM(init_mbuf_label, &m->m_pkthdr.label, how);
#ifdef MAC_DEBUG
atomic_add_int(&nmacmbufs, 1);
#endif
@ -1301,7 +1317,7 @@ void
mac_destroy_mbuf(struct mbuf *m)
{
MAC_PERFORM(destroy_mbuf, m, &m->m_pkthdr.label);
MAC_PERFORM(destroy_mbuf_label, &m->m_pkthdr.label);
mac_destroy_label(&m->m_pkthdr.label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacmbufs, 1);
@ -1313,7 +1329,7 @@ mac_init_cred(struct ucred *cr)
{
mac_init_label(&cr->cr_label);
MAC_PERFORM(init_cred, cr, &cr->cr_label);
MAC_PERFORM(init_cred_label, &cr->cr_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmaccreds, 1);
#endif
@ -1323,7 +1339,7 @@ void
mac_destroy_cred(struct ucred *cr)
{
MAC_PERFORM(destroy_cred, cr, &cr->cr_label);
MAC_PERFORM(destroy_cred_label, &cr->cr_label);
mac_destroy_label(&cr->cr_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmaccreds, 1);
@ -1335,7 +1351,7 @@ mac_init_ifnet(struct ifnet *ifp)
{
mac_init_label(&ifp->if_label);
MAC_PERFORM(init_ifnet, ifp, &ifp->if_label);
MAC_PERFORM(init_ifnet_label, &ifp->if_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacifnets, 1);
#endif
@ -1345,7 +1361,7 @@ void
mac_destroy_ifnet(struct ifnet *ifp)
{
MAC_PERFORM(destroy_ifnet, ifp, &ifp->if_label);
MAC_PERFORM(destroy_ifnet_label, &ifp->if_label);
mac_destroy_label(&ifp->if_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacifnets, 1);
@ -1357,7 +1373,7 @@ mac_init_ipq(struct ipq *ipq)
{
mac_init_label(&ipq->ipq_label);
MAC_PERFORM(init_ipq, ipq, &ipq->ipq_label);
MAC_PERFORM(init_ipq_label, &ipq->ipq_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacipqs, 1);
#endif
@ -1367,7 +1383,7 @@ void
mac_destroy_ipq(struct ipq *ipq)
{
MAC_PERFORM(destroy_ipq, ipq, &ipq->ipq_label);
MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label);
mac_destroy_label(&ipq->ipq_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacipqs, 1);
@ -1380,8 +1396,8 @@ mac_init_socket(struct socket *socket)
mac_init_label(&socket->so_label);
mac_init_label(&socket->so_peerlabel);
MAC_PERFORM(init_socket, socket, &socket->so_label,
&socket->so_peerlabel);
MAC_PERFORM(init_socket_label, &socket->so_label);
MAC_PERFORM(init_socket_peer_label, &socket->so_peerlabel);
#ifdef MAC_DEBUG
atomic_add_int(&nmacsockets, 1);
#endif
@ -1391,8 +1407,8 @@ void
mac_destroy_socket(struct socket *socket)
{
MAC_PERFORM(destroy_socket, socket, &socket->so_label,
&socket->so_peerlabel);
MAC_PERFORM(destroy_socket_label, &socket->so_label);
MAC_PERFORM(destroy_socket_peer_label, &socket->so_peerlabel);
mac_destroy_label(&socket->so_label);
mac_destroy_label(&socket->so_peerlabel);
#ifdef MAC_DEBUG
@ -1409,7 +1425,7 @@ mac_init_pipe(struct pipe *pipe)
mac_init_label(label);
pipe->pipe_label = label;
pipe->pipe_peer->pipe_label = label;
MAC_PERFORM(init_pipe, pipe, pipe->pipe_label);
MAC_PERFORM(init_pipe_label, pipe->pipe_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacpipes, 1);
#endif
@ -1419,7 +1435,7 @@ void
mac_destroy_pipe(struct pipe *pipe)
{
MAC_PERFORM(destroy_pipe, pipe, pipe->pipe_label);
MAC_PERFORM(destroy_pipe_label, pipe->pipe_label);
mac_destroy_label(pipe->pipe_label);
free(pipe->pipe_label, M_MACPIPELABEL);
#ifdef MAC_DEBUG
@ -1432,7 +1448,7 @@ mac_init_bpfdesc(struct bpf_d *bpf_d)
{
mac_init_label(&bpf_d->bd_label);
MAC_PERFORM(init_bpfdesc, bpf_d, &bpf_d->bd_label);
MAC_PERFORM(init_bpfdesc_label, &bpf_d->bd_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacbpfdescs, 1);
#endif
@ -1442,7 +1458,7 @@ void
mac_destroy_bpfdesc(struct bpf_d *bpf_d)
{
MAC_PERFORM(destroy_bpfdesc, bpf_d, &bpf_d->bd_label);
MAC_PERFORM(destroy_bpfdesc_label, &bpf_d->bd_label);
mac_destroy_label(&bpf_d->bd_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacbpfdescs, 1);
@ -1455,7 +1471,8 @@ mac_init_mount(struct mount *mp)
mac_init_label(&mp->mnt_mntlabel);
mac_init_label(&mp->mnt_fslabel);
MAC_PERFORM(init_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel);
MAC_PERFORM(init_mount_label, &mp->mnt_mntlabel);
MAC_PERFORM(init_mount_fs_label, &mp->mnt_fslabel);
#ifdef MAC_DEBUG
atomic_add_int(&nmacmounts, 1);
#endif
@ -1465,7 +1482,8 @@ void
mac_destroy_mount(struct mount *mp)
{
MAC_PERFORM(destroy_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel);
MAC_PERFORM(destroy_mount_label, &mp->mnt_mntlabel);
MAC_PERFORM(destroy_mount_fs_label, &mp->mnt_fslabel);
mac_destroy_label(&mp->mnt_fslabel);
mac_destroy_label(&mp->mnt_mntlabel);
#ifdef MAC_DEBUG
@ -1478,7 +1496,7 @@ mac_init_temp(struct label *label)
{
mac_init_label(label);
MAC_PERFORM(init_temp, label);
MAC_PERFORM(init_temp_label, label);
#ifdef MAC_DEBUG
atomic_add_int(&nmactemp, 1);
#endif
@ -1488,7 +1506,7 @@ static void
mac_destroy_temp(struct label *label)
{
MAC_PERFORM(destroy_temp, label);
MAC_PERFORM(destroy_temp_label, label);
mac_destroy_label(label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmactemp, 1);
@ -1500,7 +1518,7 @@ mac_init_vnode(struct vnode *vp)
{
mac_init_label(&vp->v_label);
MAC_PERFORM(init_vnode, vp, &vp->v_label);
MAC_PERFORM(init_vnode_label, &vp->v_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacvnodes, 1);
#endif
@ -1510,7 +1528,7 @@ void
mac_destroy_vnode(struct vnode *vp)
{
MAC_PERFORM(destroy_vnode, vp, &vp->v_label);
MAC_PERFORM(destroy_vnode_label, &vp->v_label);
mac_destroy_label(&vp->v_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacvnodes, 1);
@ -1522,7 +1540,7 @@ mac_init_devfsdirent(struct devfs_dirent *de)
{
mac_init_label(&de->de_label);
MAC_PERFORM(init_devfsdirent, de, &de->de_label);
MAC_PERFORM(init_devfsdirent_label, &de->de_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacdevfsdirents, 1);
#endif
@ -1532,7 +1550,7 @@ void
mac_destroy_devfsdirent(struct devfs_dirent *de)
{
MAC_PERFORM(destroy_devfsdirent, de, &de->de_label);
MAC_PERFORM(destroy_devfsdirent_label, &de->de_label);
mac_destroy_label(&de->de_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacdevfsdirents, 1);
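Review bot: The mac_destroy_pipe hunk hands `pipe->pipe_label` to the new `destroy_pipe_label` entry point and then frees it, while the mac_init_pipe hunk stores that same label pointer in both `pipe` and `pipe->pipe_peer`. With the pipe argument gone from the entry point, the label-only signature makes it easier to miss that the two ends share one allocation, and the visible lines leave both pointers set after `free()`. A short comment before the call would record the ownership rule, e.g. `/* Label is shared with pipe_peer; must run once per pipe pair. */`, and if the caller does not already guarantee that, clearing `pipe->pipe_label` after the free is cheap hardening. Both functions continue outside their hunks, so the caller-side guarantee cannot be confirmed from here.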


@ -117,11 +117,11 @@ static int mac_biba_check_vnode_open(struct ucred *cred, struct vnode *vp,
struct label *vnodelabel, mode_t acc_mode);
static struct mac_biba *
biba_alloc(int how)
biba_alloc(int flag)
{
struct mac_biba *mac_biba;
mac_biba = malloc(sizeof(struct mac_biba), M_MACBIBA, M_ZERO | how);
mac_biba = malloc(sizeof(struct mac_biba), M_MACBIBA, M_ZERO | flag);
return (mac_biba);
}
@ -385,46 +385,17 @@ mac_biba_init(struct mac_policy_conf *conf)
* Label operations.
*/
static void
mac_biba_init_bpfdesc(struct bpf_d *bpf_d, struct label *label)
{
SLOT(label) = biba_alloc(M_WAITOK);
}
static void
mac_biba_init_cred(struct ucred *ucred, struct label *label)
{
SLOT(label) = biba_alloc(M_WAITOK);
}
static void
mac_biba_init_devfsdirent(struct devfs_dirent *devfs_dirent,
struct label *label)
{
SLOT(label) = biba_alloc(M_WAITOK);
}
static void
mac_biba_init_ifnet(struct ifnet *ifnet, struct label *label)
{
SLOT(label) = biba_alloc(M_WAITOK);
}
static void
mac_biba_init_ipq(struct ipq *ipq, struct label *label)
mac_biba_init_label(struct label *label)
{
SLOT(label) = biba_alloc(M_WAITOK);
}
static int
mac_biba_init_mbuf(struct mbuf *mbuf, int how, struct label *label)
mac_biba_init_label_waitcheck(struct label *label, int flag)
{
SLOT(label) = biba_alloc(how);
SLOT(label) = biba_alloc(flag);
if (SLOT(label) == NULL)
return (ENOMEM);
@ -432,133 +403,7 @@ mac_biba_init_mbuf(struct mbuf *mbuf, int how, struct label *label)
}
static void
mac_biba_init_mount(struct mount *mount, struct label *mntlabel,
struct label *fslabel)
{
SLOT(mntlabel) = biba_alloc(M_WAITOK);
SLOT(fslabel) = biba_alloc(M_WAITOK);
}
static void
mac_biba_init_socket(struct socket *socket, struct label *label,
struct label *peerlabel)
{
SLOT(label) = biba_alloc(M_WAITOK);
SLOT(peerlabel) = biba_alloc(M_WAITOK);
}
static void
mac_biba_init_pipe(struct pipe *pipe, struct label *label)
{
SLOT(label) = biba_alloc(M_WAITOK);
}
static void
mac_biba_init_temp(struct label *label)
{
SLOT(label) = biba_alloc(M_WAITOK);
}
static void
mac_biba_init_vnode(struct vnode *vp, struct label *label)
{
SLOT(label) = biba_alloc(M_WAITOK);
}
static void
mac_biba_destroy_bpfdesc(struct bpf_d *bpf_d, struct label *label)
{
biba_free(SLOT(label));
SLOT(label) = NULL;
}
static void
mac_biba_destroy_cred(struct ucred *ucred, struct label *label)
{
biba_free(SLOT(label));
SLOT(label) = NULL;
}
static void
mac_biba_destroy_devfsdirent(struct devfs_dirent *devfs_dirent,
struct label *label)
{
biba_free(SLOT(label));
SLOT(label) = NULL;
}
static void
mac_biba_destroy_ifnet(struct ifnet *ifnet, struct label *label)
{
biba_free(SLOT(label));
SLOT(label) = NULL;
}
static void
mac_biba_destroy_ipq(struct ipq *ipq, struct label *label)
{
biba_free(SLOT(label));
SLOT(label) = NULL;
}
static void
mac_biba_destroy_mbuf(struct mbuf *mbuf, struct label *label)
{
biba_free(SLOT(label));
SLOT(label) = NULL;
}
static void
mac_biba_destroy_mount(struct mount *mount, struct label *mntlabel,
struct label *fslabel)
{
biba_free(SLOT(mntlabel));
SLOT(mntlabel) = NULL;
biba_free(SLOT(fslabel));
SLOT(fslabel) = NULL;
}
static void
mac_biba_destroy_socket(struct socket *socket, struct label *label,
struct label *peerlabel)
{
biba_free(SLOT(label));
SLOT(label) = NULL;
biba_free(SLOT(peerlabel));
SLOT(peerlabel) = NULL;
}
static void
mac_biba_destroy_pipe(struct pipe *pipe, struct label *label)
{
biba_free(SLOT(label));
SLOT(label) = NULL;
}
static void
mac_biba_destroy_temp(struct label *label)
{
biba_free(SLOT(label));
SLOT(label) = NULL;
}
static void
mac_biba_destroy_vnode(struct vnode *vp, struct label *label)
mac_biba_destroy_label(struct label *label)
{
biba_free(SLOT(label));
@ -2054,50 +1899,58 @@ static struct mac_policy_op_entry mac_biba_ops[] =
(macop_t)mac_biba_destroy },
{ MAC_INIT,
(macop_t)mac_biba_init },
{ MAC_INIT_BPFDESC,
(macop_t)mac_biba_init_bpfdesc },
{ MAC_INIT_CRED,
(macop_t)mac_biba_init_cred },
{ MAC_INIT_DEVFSDIRENT,
(macop_t)mac_biba_init_devfsdirent },
{ MAC_INIT_IFNET,
(macop_t)mac_biba_init_ifnet },
{ MAC_INIT_IPQ,
(macop_t)mac_biba_init_ipq },
{ MAC_INIT_MBUF,
(macop_t)mac_biba_init_mbuf },
{ MAC_INIT_MOUNT,
(macop_t)mac_biba_init_mount },
{ MAC_INIT_PIPE,
(macop_t)mac_biba_init_pipe },
{ MAC_INIT_SOCKET,
(macop_t)mac_biba_init_socket },
{ MAC_INIT_TEMP,
(macop_t)mac_biba_init_temp },
{ MAC_INIT_VNODE,
(macop_t)mac_biba_init_vnode },
{ MAC_DESTROY_BPFDESC,
(macop_t)mac_biba_destroy_bpfdesc },
{ MAC_DESTROY_CRED,
(macop_t)mac_biba_destroy_cred },
{ MAC_DESTROY_DEVFSDIRENT,
(macop_t)mac_biba_destroy_devfsdirent },
{ MAC_DESTROY_IFNET,
(macop_t)mac_biba_destroy_ifnet },
{ MAC_DESTROY_IPQ,
(macop_t)mac_biba_destroy_ipq },
{ MAC_DESTROY_MBUF,
(macop_t)mac_biba_destroy_mbuf },
{ MAC_DESTROY_MOUNT,
(macop_t)mac_biba_destroy_mount },
{ MAC_DESTROY_PIPE,
(macop_t)mac_biba_destroy_pipe },
{ MAC_DESTROY_SOCKET,
(macop_t)mac_biba_destroy_socket },
{ MAC_DESTROY_TEMP,
(macop_t)mac_biba_destroy_temp },
{ MAC_DESTROY_VNODE,
(macop_t)mac_biba_destroy_vnode },
{ MAC_INIT_BPFDESC_LABEL,
(macop_t)mac_biba_init_label },
{ MAC_INIT_CRED_LABEL,
(macop_t)mac_biba_init_label },
{ MAC_INIT_DEVFSDIRENT_LABEL,
(macop_t)mac_biba_init_label },
{ MAC_INIT_IFNET_LABEL,
(macop_t)mac_biba_init_label },
{ MAC_INIT_IPQ_LABEL,
(macop_t)mac_biba_init_label },
{ MAC_INIT_MBUF_LABEL,
(macop_t)mac_biba_init_label_waitcheck },
{ MAC_INIT_MOUNT_LABEL,
(macop_t)mac_biba_init_label },
{ MAC_INIT_MOUNT_FS_LABEL,
(macop_t)mac_biba_init_label },
{ MAC_INIT_PIPE_LABEL,
(macop_t)mac_biba_init_label },
{ MAC_INIT_SOCKET_LABEL,
(macop_t)mac_biba_init_label },
{ MAC_INIT_SOCKET_PEER_LABEL,
(macop_t)mac_biba_init_label },
{ MAC_INIT_TEMP_LABEL,
(macop_t)mac_biba_init_label },
{ MAC_INIT_VNODE_LABEL,
(macop_t)mac_biba_init_label },
{ MAC_DESTROY_BPFDESC_LABEL,
(macop_t)mac_biba_destroy_label },
{ MAC_DESTROY_CRED_LABEL,
(macop_t)mac_biba_destroy_label },
{ MAC_DESTROY_DEVFSDIRENT_LABEL,
(macop_t)mac_biba_destroy_label },
{ MAC_DESTROY_IFNET_LABEL,
(macop_t)mac_biba_destroy_label },
{ MAC_DESTROY_IPQ_LABEL,
(macop_t)mac_biba_destroy_label },
{ MAC_DESTROY_MBUF_LABEL,
(macop_t)mac_biba_destroy_label },
{ MAC_DESTROY_MOUNT_LABEL,
(macop_t)mac_biba_destroy_label },
{ MAC_DESTROY_MOUNT_FS_LABEL,
(macop_t)mac_biba_destroy_label },
{ MAC_DESTROY_PIPE_LABEL,
(macop_t)mac_biba_destroy_label },
{ MAC_DESTROY_SOCKET_LABEL,
(macop_t)mac_biba_destroy_label },
{ MAC_DESTROY_SOCKET_PEER_LABEL,
(macop_t)mac_biba_destroy_label },
{ MAC_DESTROY_TEMP_LABEL,
(macop_t)mac_biba_destroy_label },
{ MAC_DESTROY_VNODE_LABEL,
(macop_t)mac_biba_destroy_label },
{ MAC_EXTERNALIZE,
(macop_t)mac_biba_externalize },
{ MAC_INTERNALIZE,
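Review bot: `mac_biba_init_label` allocates with `M_WAITOK` and has no failure path, yet the ops table now registers it for every label type except `MAC_INIT_MBUF_LABEL`, including `MAC_INIT_IPQ_LABEL`, `MAC_INIT_IFNET_LABEL` and `MAC_INIT_SOCKET_PEER_LABEL`. The callers are not visible on this page, so whether all of those init paths may sleep cannot be confirmed here; with one shared function the constraint is easy to miss when a new label type is added. I would document it on the function, for example `/* May sleep (M_WAITOK); register only for label types whose init path may block, otherwise use mac_biba_init_label_waitcheck(). */`. The same comment applies to `mac_mls_init_label` in the mac_mls section.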


@ -106,11 +106,11 @@ static int mac_mls_check_vnode_open(struct ucred *cred, struct vnode *vp,
struct label *vnodelabel, mode_t acc_mode);
static struct mac_mls *
mls_alloc(int how)
mls_alloc(int flag)
{
struct mac_mls *mac_mls;
mac_mls = malloc(sizeof(struct mac_mls), M_MACMLS, M_ZERO | how);
mac_mls = malloc(sizeof(struct mac_mls), M_MACMLS, M_ZERO | flag);
return (mac_mls);
}
@ -374,46 +374,17 @@ mac_mls_init(struct mac_policy_conf *conf)
* Label operations.
*/
static void
mac_mls_init_bpfdesc(struct bpf_d *bpf_d, struct label *label)
{
SLOT(label) = mls_alloc(M_WAITOK);
}
static void
mac_mls_init_cred(struct ucred *ucred, struct label *label)
{
SLOT(label) = mls_alloc(M_WAITOK);
}
static void
mac_mls_init_devfsdirent(struct devfs_dirent *devfs_dirent,
struct label *label)
{
SLOT(label) = mls_alloc(M_WAITOK);
}
static void
mac_mls_init_ifnet(struct ifnet *ifnet, struct label *label)
{
SLOT(label) = mls_alloc(M_WAITOK);
}
static void
mac_mls_init_ipq(struct ipq *ipq, struct label *label)
mac_mls_init_label(struct label *label)
{
SLOT(label) = mls_alloc(M_WAITOK);
}
static int
mac_mls_init_mbuf(struct mbuf *mbuf, int how, struct label *label)
mac_mls_init_label_waitcheck(struct label *label, int flag)
{
SLOT(label) = mls_alloc(how);
SLOT(label) = mls_alloc(flag);
if (SLOT(label) == NULL)
return (ENOMEM);
@ -421,133 +392,7 @@ mac_mls_init_mbuf(struct mbuf *mbuf, int how, struct label *label)
}
static void
mac_mls_init_mount(struct mount *mount, struct label *mntlabel,
struct label *fslabel)
{
SLOT(mntlabel) = mls_alloc(M_WAITOK);
SLOT(fslabel) = mls_alloc(M_WAITOK);
}
static void
mac_mls_init_socket(struct socket *socket, struct label *label,
struct label *peerlabel)
{
SLOT(label) = mls_alloc(M_WAITOK);
SLOT(peerlabel) = mls_alloc(M_WAITOK);
}
static void
mac_mls_init_pipe(struct pipe *pipe, struct label *label)
{
SLOT(label) = mls_alloc(M_WAITOK);
}
static void
mac_mls_init_temp(struct label *label)
{
SLOT(label) = mls_alloc(M_WAITOK);
}
static void
mac_mls_init_vnode(struct vnode *vp, struct label *label)
{
SLOT(label) = mls_alloc(M_WAITOK);
}
static void
mac_mls_destroy_bpfdesc(struct bpf_d *bpf_d, struct label *label)
{
mls_free(SLOT(label));
SLOT(label) = NULL;
}
static void
mac_mls_destroy_cred(struct ucred *ucred, struct label *label)
{
mls_free(SLOT(label));
SLOT(label) = NULL;
}
static void
mac_mls_destroy_devfsdirent(struct devfs_dirent *devfs_dirent,
struct label *label)
{
mls_free(SLOT(label));
SLOT(label) = NULL;
}
static void
mac_mls_destroy_ifnet(struct ifnet *ifnet, struct label *label)
{
mls_free(SLOT(label));
SLOT(label) = NULL;
}
static void
mac_mls_destroy_ipq(struct ipq *ipq, struct label *label)
{
mls_free(SLOT(label));
SLOT(label) = NULL;
}
static void
mac_mls_destroy_mbuf(struct mbuf *mbuf, struct label *label)
{
mls_free(SLOT(label));
SLOT(label) = NULL;
}
static void
mac_mls_destroy_mount(struct mount *mount, struct label *mntlabel,
struct label *fslabel)
{
mls_free(SLOT(mntlabel));
SLOT(mntlabel) = NULL;
mls_free(SLOT(fslabel));
SLOT(fslabel) = NULL;
}
static void
mac_mls_destroy_socket(struct socket *socket, struct label *label,
struct label *peerlabel)
{
mls_free(SLOT(label));
SLOT(label) = NULL;
mls_free(SLOT(peerlabel));
SLOT(peerlabel) = NULL;
}
static void
mac_mls_destroy_pipe(struct pipe *pipe, struct label *label)
{
mls_free(SLOT(label));
SLOT(label) = NULL;
}
static void
mac_mls_destroy_temp(struct label *label)
{
mls_free(SLOT(label));
SLOT(label) = NULL;
}
static void
mac_mls_destroy_vnode(struct vnode *vp, struct label *label)
mac_mls_destroy_label(struct label *label)
{
mls_free(SLOT(label));
@ -2017,50 +1862,58 @@ static struct mac_policy_op_entry mac_mls_ops[] =
(macop_t)mac_mls_destroy },
{ MAC_INIT,
(macop_t)mac_mls_init },
{ MAC_INIT_BPFDESC,
(macop_t)mac_mls_init_bpfdesc },
{ MAC_INIT_CRED,
(macop_t)mac_mls_init_cred },
{ MAC_INIT_DEVFSDIRENT,
(macop_t)mac_mls_init_devfsdirent },
{ MAC_INIT_IFNET,
(macop_t)mac_mls_init_ifnet },
{ MAC_INIT_IPQ,
(macop_t)mac_mls_init_ipq },
{ MAC_INIT_MBUF,
(macop_t)mac_mls_init_mbuf },
{ MAC_INIT_MOUNT,
(macop_t)mac_mls_init_mount },
{ MAC_INIT_PIPE,
(macop_t)mac_mls_init_pipe },
{ MAC_INIT_SOCKET,
(macop_t)mac_mls_init_socket },
{ MAC_INIT_TEMP,
(macop_t)mac_mls_init_temp },
{ MAC_INIT_VNODE,
(macop_t)mac_mls_init_vnode },
{ MAC_DESTROY_BPFDESC,
(macop_t)mac_mls_destroy_bpfdesc },
{ MAC_DESTROY_CRED,
(macop_t)mac_mls_destroy_cred },
{ MAC_DESTROY_DEVFSDIRENT,
(macop_t)mac_mls_destroy_devfsdirent },
{ MAC_DESTROY_IFNET,
(macop_t)mac_mls_destroy_ifnet },
{ MAC_DESTROY_IPQ,
(macop_t)mac_mls_destroy_ipq },
{ MAC_DESTROY_MBUF,
(macop_t)mac_mls_destroy_mbuf },
{ MAC_DESTROY_MOUNT,
(macop_t)mac_mls_destroy_mount },
{ MAC_DESTROY_PIPE,
(macop_t)mac_mls_destroy_pipe },
{ MAC_DESTROY_SOCKET,
(macop_t)mac_mls_destroy_socket },
{ MAC_DESTROY_TEMP,
(macop_t)mac_mls_destroy_temp },
{ MAC_DESTROY_VNODE,
(macop_t)mac_mls_destroy_vnode },
{ MAC_INIT_BPFDESC_LABEL,
(macop_t)mac_mls_init_label },
{ MAC_INIT_CRED_LABEL,
(macop_t)mac_mls_init_label },
{ MAC_INIT_DEVFSDIRENT_LABEL,
(macop_t)mac_mls_init_label },
{ MAC_INIT_IFNET_LABEL,
(macop_t)mac_mls_init_label },
{ MAC_INIT_IPQ_LABEL,
(macop_t)mac_mls_init_label },
{ MAC_INIT_MBUF_LABEL,
(macop_t)mac_mls_init_label_waitcheck },
{ MAC_INIT_MOUNT_LABEL,
(macop_t)mac_mls_init_label },
{ MAC_INIT_MOUNT_FS_LABEL,
(macop_t)mac_mls_init_label },
{ MAC_INIT_PIPE_LABEL,
(macop_t)mac_mls_init_label },
{ MAC_INIT_SOCKET_LABEL,
(macop_t)mac_mls_init_label },
{ MAC_INIT_SOCKET_PEER_LABEL,
(macop_t)mac_mls_init_label },
{ MAC_INIT_TEMP_LABEL,
(macop_t)mac_mls_init_label },
{ MAC_INIT_VNODE_LABEL,
(macop_t)mac_mls_init_label },
{ MAC_DESTROY_BPFDESC_LABEL,
(macop_t)mac_mls_destroy_label },
{ MAC_DESTROY_CRED_LABEL,
(macop_t)mac_mls_destroy_label },
{ MAC_DESTROY_DEVFSDIRENT_LABEL,
(macop_t)mac_mls_destroy_label },
{ MAC_DESTROY_IFNET_LABEL,
(macop_t)mac_mls_destroy_label },
{ MAC_DESTROY_IPQ_LABEL,
(macop_t)mac_mls_destroy_label },
{ MAC_DESTROY_MBUF_LABEL,
(macop_t)mac_mls_destroy_label },
{ MAC_DESTROY_MOUNT_LABEL,
(macop_t)mac_mls_destroy_label },
{ MAC_DESTROY_MOUNT_FS_LABEL,
(macop_t)mac_mls_destroy_label },
{ MAC_DESTROY_PIPE_LABEL,
(macop_t)mac_mls_destroy_label },
{ MAC_DESTROY_SOCKET_LABEL,
(macop_t)mac_mls_destroy_label },
{ MAC_DESTROY_SOCKET_PEER_LABEL,
(macop_t)mac_mls_destroy_label },
{ MAC_DESTROY_TEMP_LABEL,
(macop_t)mac_mls_destroy_label },
{ MAC_DESTROY_VNODE_LABEL,
(macop_t)mac_mls_destroy_label },
{ MAC_EXTERNALIZE,
(macop_t)mac_mls_externalize },
{ MAC_INTERNALIZE,
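Review bot: Every entry in `mac_mls_ops[]` is cast to `(macop_t)`, so the compiler cannot check that the shared functions match the prototype each entry point now expects. That matters for `MAC_INIT_MBUF_LABEL`, the only init entry whose implementation returns `int` and takes a flag: wiring it to `mac_mls_init_label` instead of `mac_mls_init_label_waitcheck` would still compile, and the framework would then presumably act on an undefined return value. A short comment above `mac_mls_init_label_waitcheck`, such as `/* Only init variant that can fail; must be the one registered for MAC_INIT_MBUF_LABEL. */`, would make the pairing explicit. The `mac_biba_ops[]` and `mac_none_ops[]` tables have the same shape, and all of these tables continue outside the hunks shown.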


@ -109,140 +109,20 @@ mac_none_syscall(struct thread *td, int call, void *arg)
* Label operations.
*/
static void
mac_none_init_bpfdesc(struct bpf_d *bpf_d, struct label *label)
{
}
static void
mac_none_init_cred(struct ucred *ucred, struct label *label)
{
}
static void
mac_none_init_devfsdirent(struct devfs_dirent *devfs_dirent,
struct label *label)
{
}
static void
mac_none_init_ifnet(struct ifnet *ifnet, struct label *label)
{
}
static void
mac_none_init_ipq(struct ipq *ipq, struct label *ipqlabel)
mac_none_init_label(struct label *label)
{
}
static int
mac_none_init_mbuf(struct mbuf *mbuf, int how, struct label *label)
mac_none_init_label_waitcheck(struct label *label, int flag)
{
return (0);
}
static void
mac_none_init_mount(struct mount *mount, struct label *mntlabel,
struct label *fslabel)
{
}
static void
mac_none_init_socket(struct socket *socket, struct label *label,
struct label *peerlabel)
{
}
static void
mac_none_init_pipe(struct pipe *pipe, struct label *label)
{
}
static void
mac_none_init_temp(struct label *label)
{
}
static void
mac_none_init_vnode(struct vnode *vp, struct label *label)
{
}
static void
mac_none_destroy_bpfdesc(struct bpf_d *bpf_d, struct label *label)
{
}
static void
mac_none_destroy_cred(struct ucred *ucred, struct label *label)
{
}
static void
mac_none_destroy_devfsdirent(struct devfs_dirent *devfs_dirent,
struct label *label)
{
}
static void
mac_none_destroy_ifnet(struct ifnet *ifnet, struct label *label)
{
}
static void
mac_none_destroy_ipq(struct ipq *ipq, struct label *label)
{
}
static void
mac_none_destroy_mbuf(struct mbuf *mbuf, struct label *label)
{
}
static void
mac_none_destroy_mount(struct mount *mount, struct label *mntlabel,
struct label *fslabel)
{
}
static void
mac_none_destroy_socket(struct socket *socket, struct label *label,
struct label *peerlabel)
{
}
static void
mac_none_destroy_pipe(struct pipe *pipe, struct label *label)
{
}
static void
mac_none_destroy_temp(struct label *label)
{
}
static void
mac_none_destroy_vnode(struct vnode *vp, struct label *label)
mac_none_destroy_label(struct label *label)
{
}
@ -943,50 +823,58 @@ static struct mac_policy_op_entry mac_none_ops[] =
(macop_t)mac_none_init },
{ MAC_SYSCALL,
(macop_t)mac_none_syscall },
{ MAC_INIT_BPFDESC,
(macop_t)mac_none_init_bpfdesc },
{ MAC_INIT_CRED,
(macop_t)mac_none_init_cred },
{ MAC_INIT_DEVFSDIRENT,
(macop_t)mac_none_init_devfsdirent },
{ MAC_INIT_IFNET,
(macop_t)mac_none_init_ifnet },
{ MAC_INIT_IPQ,
(macop_t)mac_none_init_ipq },
{ MAC_INIT_MBUF,
(macop_t)mac_none_init_mbuf },
{ MAC_INIT_MOUNT,
(macop_t)mac_none_init_mount },
{ MAC_INIT_PIPE,
(macop_t)mac_none_init_pipe },
{ MAC_INIT_SOCKET,
(macop_t)mac_none_init_socket },
{ MAC_INIT_TEMP,
(macop_t)mac_none_init_temp },
{ MAC_INIT_VNODE,
(macop_t)mac_none_init_vnode },
{ MAC_DESTROY_BPFDESC,
(macop_t)mac_none_destroy_bpfdesc },
{ MAC_DESTROY_CRED,
(macop_t)mac_none_destroy_cred },
{ MAC_DESTROY_DEVFSDIRENT,
(macop_t)mac_none_destroy_devfsdirent },
{ MAC_DESTROY_IFNET,
(macop_t)mac_none_destroy_ifnet },
{ MAC_DESTROY_IPQ,
(macop_t)mac_none_destroy_ipq },
{ MAC_DESTROY_MBUF,
(macop_t)mac_none_destroy_mbuf },
{ MAC_DESTROY_MOUNT,
(macop_t)mac_none_destroy_mount },
{ MAC_DESTROY_PIPE,
(macop_t)mac_none_destroy_pipe },
{ MAC_DESTROY_SOCKET,
(macop_t)mac_none_destroy_socket },
{ MAC_DESTROY_TEMP,
(macop_t)mac_none_destroy_temp },
{ MAC_DESTROY_VNODE,
(macop_t)mac_none_destroy_vnode },
{ MAC_INIT_BPFDESC_LABEL,
(macop_t)mac_none_init_label },
{ MAC_INIT_CRED_LABEL,
(macop_t)mac_none_init_label },
{ MAC_INIT_DEVFSDIRENT_LABEL,
(macop_t)mac_none_init_label },
{ MAC_INIT_IFNET_LABEL,
(macop_t)mac_none_init_label },
{ MAC_INIT_IPQ_LABEL,
(macop_t)mac_none_init_label },
{ MAC_INIT_MBUF_LABEL,
(macop_t)mac_none_init_label_waitcheck },
{ MAC_INIT_MOUNT_LABEL,
(macop_t)mac_none_init_label },
{ MAC_INIT_MOUNT_FS_LABEL,
(macop_t)mac_none_init_label },
{ MAC_INIT_PIPE_LABEL,
(macop_t)mac_none_init_label },
{ MAC_INIT_SOCKET_LABEL,
(macop_t)mac_none_init_label },
{ MAC_INIT_SOCKET_PEER_LABEL,
(macop_t)mac_none_init_label },
{ MAC_INIT_TEMP_LABEL,
(macop_t)mac_none_init_label },
{ MAC_INIT_VNODE_LABEL,
(macop_t)mac_none_init_label },
{ MAC_DESTROY_BPFDESC_LABEL,
(macop_t)mac_none_destroy_label },
{ MAC_DESTROY_CRED_LABEL,
(macop_t)mac_none_destroy_label },
{ MAC_DESTROY_DEVFSDIRENT_LABEL,
(macop_t)mac_none_destroy_label },
{ MAC_DESTROY_IFNET_LABEL,
(macop_t)mac_none_destroy_label },
{ MAC_DESTROY_IPQ_LABEL,
(macop_t)mac_none_destroy_label },
{ MAC_DESTROY_MBUF_LABEL,
(macop_t)mac_none_destroy_label },
{ MAC_DESTROY_MOUNT_LABEL,
(macop_t)mac_none_destroy_label },
{ MAC_DESTROY_MOUNT_FS_LABEL,
(macop_t)mac_none_destroy_label },
{ MAC_DESTROY_PIPE_LABEL,
(macop_t)mac_none_destroy_label },
{ MAC_DESTROY_SOCKET_LABEL,
(macop_t)mac_none_destroy_label },
{ MAC_DESTROY_SOCKET_PEER_LABEL,
(macop_t)mac_none_destroy_label },
{ MAC_DESTROY_TEMP_LABEL,
(macop_t)mac_none_destroy_label },
{ MAC_DESTROY_VNODE_LABEL,
(macop_t)mac_none_destroy_label },
{ MAC_EXTERNALIZE,
(macop_t)mac_none_externalize },
{ MAC_INTERNALIZE,


@ -109,140 +109,20 @@ mac_none_syscall(struct thread *td, int call, void *arg)
* Label operations.
*/
static void
mac_none_init_bpfdesc(struct bpf_d *bpf_d, struct label *label)
{
}
static void
mac_none_init_cred(struct ucred *ucred, struct label *label)
{
}
static void
mac_none_init_devfsdirent(struct devfs_dirent *devfs_dirent,
struct label *label)
{
}
static void
mac_none_init_ifnet(struct ifnet *ifnet, struct label *label)
{
}
static void
mac_none_init_ipq(struct ipq *ipq, struct label *ipqlabel)
mac_none_init_label(struct label *label)
{
}
static int
mac_none_init_mbuf(struct mbuf *mbuf, int how, struct label *label)
mac_none_init_label_waitcheck(struct label *label, int flag)
{
return (0);
}
static void
mac_none_init_mount(struct mount *mount, struct label *mntlabel,
struct label *fslabel)
{
}
static void
mac_none_init_socket(struct socket *socket, struct label *label,
struct label *peerlabel)
{
}
static void
mac_none_init_pipe(struct pipe *pipe, struct label *label)
{
}
static void
mac_none_init_temp(struct label *label)
{
}
static void
mac_none_init_vnode(struct vnode *vp, struct label *label)
{
}
static void
mac_none_destroy_bpfdesc(struct bpf_d *bpf_d, struct label *label)
{
}
static void
mac_none_destroy_cred(struct ucred *ucred, struct label *label)
{
}
static void
mac_none_destroy_devfsdirent(struct devfs_dirent *devfs_dirent,
struct label *label)
{
}
static void
mac_none_destroy_ifnet(struct ifnet *ifnet, struct label *label)
{
}
static void
mac_none_destroy_ipq(struct ipq *ipq, struct label *label)
{
}
static void
mac_none_destroy_mbuf(struct mbuf *mbuf, struct label *label)
{
}
static void
mac_none_destroy_mount(struct mount *mount, struct label *mntlabel,
struct label *fslabel)
{
}
static void
mac_none_destroy_socket(struct socket *socket, struct label *label,
struct label *peerlabel)
{
}
static void
mac_none_destroy_pipe(struct pipe *pipe, struct label *label)
{
}
static void
mac_none_destroy_temp(struct label *label)
{
}
static void
mac_none_destroy_vnode(struct vnode *vp, struct label *label)
mac_none_destroy_label(struct label *label)
{
}
@ -943,50 +823,58 @@ static struct mac_policy_op_entry mac_none_ops[] =
(macop_t)mac_none_init },
{ MAC_SYSCALL,
(macop_t)mac_none_syscall },
{ MAC_INIT_BPFDESC,
(macop_t)mac_none_init_bpfdesc },
{ MAC_INIT_CRED,
(macop_t)mac_none_init_cred },
{ MAC_INIT_DEVFSDIRENT,
(macop_t)mac_none_init_devfsdirent },
{ MAC_INIT_IFNET,
(macop_t)mac_none_init_ifnet },
{ MAC_INIT_IPQ,
(macop_t)mac_none_init_ipq },
{ MAC_INIT_MBUF,
(macop_t)mac_none_init_mbuf },
{ MAC_INIT_MOUNT,
(macop_t)mac_none_init_mount },
{ MAC_INIT_PIPE,
(macop_t)mac_none_init_pipe },
{ MAC_INIT_SOCKET,
(macop_t)mac_none_init_socket },
{ MAC_INIT_TEMP,
(macop_t)mac_none_init_temp },
{ MAC_INIT_VNODE,
(macop_t)mac_none_init_vnode },
{ MAC_DESTROY_BPFDESC,
(macop_t)mac_none_destroy_bpfdesc },
{ MAC_DESTROY_CRED,
(macop_t)mac_none_destroy_cred },
{ MAC_DESTROY_DEVFSDIRENT,
(macop_t)mac_none_destroy_devfsdirent },
{ MAC_DESTROY_IFNET,
(macop_t)mac_none_destroy_ifnet },
{ MAC_DESTROY_IPQ,
(macop_t)mac_none_destroy_ipq },
{ MAC_DESTROY_MBUF,
(macop_t)mac_none_destroy_mbuf },
{ MAC_DESTROY_MOUNT,
(macop_t)mac_none_destroy_mount },
{ MAC_DESTROY_PIPE,
(macop_t)mac_none_destroy_pipe },
{ MAC_DESTROY_SOCKET,
(macop_t)mac_none_destroy_socket },
{ MAC_DESTROY_TEMP,
(macop_t)mac_none_destroy_temp },
{ MAC_DESTROY_VNODE,
(macop_t)mac_none_destroy_vnode },
{ MAC_INIT_BPFDESC_LABEL,
(macop_t)mac_none_init_label },
{ MAC_INIT_CRED_LABEL,
(macop_t)mac_none_init_label },
{ MAC_INIT_DEVFSDIRENT_LABEL,
(macop_t)mac_none_init_label },
{ MAC_INIT_IFNET_LABEL,
(macop_t)mac_none_init_label },
{ MAC_INIT_IPQ_LABEL,
(macop_t)mac_none_init_label },
{ MAC_INIT_MBUF_LABEL,
(macop_t)mac_none_init_label_waitcheck },
{ MAC_INIT_MOUNT_LABEL,
(macop_t)mac_none_init_label },
{ MAC_INIT_MOUNT_FS_LABEL,
(macop_t)mac_none_init_label },
{ MAC_INIT_PIPE_LABEL,
(macop_t)mac_none_init_label },
{ MAC_INIT_SOCKET_LABEL,
(macop_t)mac_none_init_label },
{ MAC_INIT_SOCKET_PEER_LABEL,
(macop_t)mac_none_init_label },
{ MAC_INIT_TEMP_LABEL,
(macop_t)mac_none_init_label },
{ MAC_INIT_VNODE_LABEL,
(macop_t)mac_none_init_label },
{ MAC_DESTROY_BPFDESC_LABEL,
(macop_t)mac_none_destroy_label },
{ MAC_DESTROY_CRED_LABEL,
(macop_t)mac_none_destroy_label },
{ MAC_DESTROY_DEVFSDIRENT_LABEL,
(macop_t)mac_none_destroy_label },
{ MAC_DESTROY_IFNET_LABEL,
(macop_t)mac_none_destroy_label },
{ MAC_DESTROY_IPQ_LABEL,
(macop_t)mac_none_destroy_label },
{ MAC_DESTROY_MBUF_LABEL,
(macop_t)mac_none_destroy_label },
{ MAC_DESTROY_MOUNT_LABEL,
(macop_t)mac_none_destroy_label },
{ MAC_DESTROY_MOUNT_FS_LABEL,
(macop_t)mac_none_destroy_label },
{ MAC_DESTROY_PIPE_LABEL,
(macop_t)mac_none_destroy_label },
{ MAC_DESTROY_SOCKET_LABEL,
(macop_t)mac_none_destroy_label },
{ MAC_DESTROY_SOCKET_PEER_LABEL,
(macop_t)mac_none_destroy_label },
{ MAC_DESTROY_TEMP_LABEL,
(macop_t)mac_none_destroy_label },
{ MAC_DESTROY_VNODE_LABEL,
(macop_t)mac_none_destroy_label },
{ MAC_EXTERNALIZE,
(macop_t)mac_none_externalize },
{ MAC_INTERNALIZE,


@ -118,9 +118,16 @@ SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mbuf, CTLFLAG_RD,
static int init_count_mount;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mount, CTLFLAG_RD,
&init_count_mount, 0, "mount init calls");
static int init_count_mount_fslabel;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mount_fslabel, CTLFLAG_RD,
&init_count_mount_fslabel, 0, "mount_fslabel init calls");
static int init_count_socket;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_socket, CTLFLAG_RD,
&init_count_socket, 0, "socket init calls");
static int init_count_socket_peerlabel;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_socket_peerlabel,
CTLFLAG_RD, &init_count_socket_peerlabel, 0,
"socket_peerlabel init calls");
static int init_count_pipe;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_pipe, CTLFLAG_RD,
&init_count_pipe, 0, "pipe init calls");
@ -152,9 +159,17 @@ SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mbuf, CTLFLAG_RD,
static int destroy_count_mount;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mount, CTLFLAG_RD,
&destroy_count_mount, 0, "mount destroy calls");
static int destroy_count_mount_fslabel;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mount_fslabel,
CTLFLAG_RD, &destroy_count_mount_fslabel, 0,
"mount_fslabel destroy calls");
static int destroy_count_socket;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_socket, CTLFLAG_RD,
&destroy_count_socket, 0, "socket destroy calls");
static int destroy_count_socket_peerlabel;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_socket_peerlabel,
CTLFLAG_RD, &destroy_count_socket_peerlabel, 0,
"socket_peerlabel destroy calls");
static int destroy_count_pipe;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_pipe, CTLFLAG_RD,
&destroy_count_pipe, 0, "pipe destroy calls");
@ -198,7 +213,7 @@ mac_test_syscall(struct thread *td, int call, void *arg)
* Label operations.
*/
static void
mac_test_init_bpfdesc(struct bpf_d *bpf_d, struct label *label)
mac_test_init_bpfdesc_label(struct label *label)
{
SLOT(label) = BPFMAGIC;
@ -206,7 +221,7 @@ mac_test_init_bpfdesc(struct bpf_d *bpf_d, struct label *label)
}
static void
mac_test_init_cred(struct ucred *ucred, struct label *label)
mac_test_init_cred_label(struct label *label)
{
SLOT(label) = CREDMAGIC;
@ -214,8 +229,7 @@ mac_test_init_cred(struct ucred *ucred, struct label *label)
}
static void
mac_test_init_devfsdirent(struct devfs_dirent *devfs_dirent,
struct label *label)
mac_test_init_devfsdirent_label(struct label *label)
{
SLOT(label) = DEVFSMAGIC;
@ -223,7 +237,7 @@ mac_test_init_devfsdirent(struct devfs_dirent *devfs_dirent,
}
static void
mac_test_init_ifnet(struct ifnet *ifnet, struct label *label)
mac_test_init_ifnet_label(struct label *label)
{
SLOT(label) = IFNETMAGIC;
@ -231,7 +245,7 @@ mac_test_init_ifnet(struct ifnet *ifnet, struct label *label)
}
static void
mac_test_init_ipq(struct ipq *ipq, struct label *label)
mac_test_init_ipq_label(struct label *label)
{
SLOT(label) = IPQMAGIC;
@ -239,7 +253,7 @@ mac_test_init_ipq(struct ipq *ipq, struct label *label)
}
static int
mac_test_init_mbuf(struct mbuf *mbuf, int how, struct label *label)
mac_test_init_mbuf_label(struct label *label, int flag)
{
SLOT(label) = MBUFMAGIC;
@ -248,27 +262,39 @@ mac_test_init_mbuf(struct mbuf *mbuf, int how, struct label *label)
}
static void
mac_test_init_mount(struct mount *mount, struct label *mntlabel,
struct label *fslabel)
mac_test_init_mount_label(struct label *label)
{
SLOT(mntlabel) = MOUNTMAGIC;
SLOT(fslabel) = MOUNTMAGIC;
SLOT(label) = MOUNTMAGIC;
atomic_add_int(&init_count_mount, 1);
}
static void
mac_test_init_socket(struct socket *socket, struct label *label,
struct label *peerlabel)
mac_test_init_mount_fs_label(struct label *label)
{
SLOT(label) = MOUNTMAGIC;
atomic_add_int(&init_count_mount_fslabel, 1);
}
static void
mac_test_init_socket_label(struct label *label)
{
SLOT(label) = SOCKETMAGIC;
SLOT(peerlabel) = SOCKETMAGIC;
atomic_add_int(&init_count_socket, 1);
}
static void
mac_test_init_pipe(struct pipe *pipe, struct label *label)
mac_test_init_socket_peer_label(struct label *label)
{
SLOT(label) = SOCKETMAGIC;
atomic_add_int(&init_count_socket_peerlabel, 1);
}
static void
mac_test_init_pipe_label(struct label *label)
{
SLOT(label) = PIPEMAGIC;
@ -276,7 +302,7 @@ mac_test_init_pipe(struct pipe *pipe, struct label *label)
}
static void
mac_test_init_temp(struct label *label)
mac_test_init_temp_label(struct label *label)
{
SLOT(label) = TEMPMAGIC;
@ -284,7 +310,7 @@ mac_test_init_temp(struct label *label)
}
static void
mac_test_init_vnode(struct vnode *vp, struct label *label)
mac_test_init_vnode_label(struct label *label)
{
SLOT(label) = VNODEMAGIC;
@ -292,7 +318,7 @@ mac_test_init_vnode(struct vnode *vp, struct label *label)
}
static void
mac_test_destroy_bpfdesc(struct bpf_d *bpf_d, struct label *label)
mac_test_destroy_bpfdesc_label(struct label *label)
{
if (SLOT(label) == BPFMAGIC || SLOT(label) == 0) {
@ -306,7 +332,7 @@ mac_test_destroy_bpfdesc(struct bpf_d *bpf_d, struct label *label)
}
static void
mac_test_destroy_cred(struct ucred *ucred, struct label *label)
mac_test_destroy_cred_label(struct label *label)
{
if (SLOT(label) == CREDMAGIC || SLOT(label) == 0) {
@ -320,8 +346,7 @@ mac_test_destroy_cred(struct ucred *ucred, struct label *label)
}
static void
mac_test_destroy_devfsdirent(struct devfs_dirent *devfs_dirent,
struct label *label)
mac_test_destroy_devfsdirent_label(struct label *label)
{
if (SLOT(label) == DEVFSMAGIC || SLOT(label) == 0) {
@ -335,7 +360,7 @@ mac_test_destroy_devfsdirent(struct devfs_dirent *devfs_dirent,
}
static void
mac_test_destroy_ifnet(struct ifnet *ifnet, struct label *label)
mac_test_destroy_ifnet_label(struct label *label)
{
if (SLOT(label) == IFNETMAGIC || SLOT(label) == 0) {
@ -349,7 +374,7 @@ mac_test_destroy_ifnet(struct ifnet *ifnet, struct label *label)
}
static void
mac_test_destroy_ipq(struct ipq *ipq, struct label *label)
mac_test_destroy_ipq_label(struct label *label)
{
if (SLOT(label) == IPQMAGIC || SLOT(label) == 0) {
@ -363,7 +388,7 @@ mac_test_destroy_ipq(struct ipq *ipq, struct label *label)
}
static void
mac_test_destroy_mbuf(struct mbuf *mbuf, struct label *label)
mac_test_destroy_mbuf_label(struct label *label)
{
if (SLOT(label) == MBUFMAGIC || SLOT(label) == 0) {
@ -377,16 +402,13 @@ mac_test_destroy_mbuf(struct mbuf *mbuf, struct label *label)
}
static void
mac_test_destroy_mount(struct mount *mount, struct label *mntlabel,
struct label *fslabel)
mac_test_destroy_mount_label(struct label *label)
{
if ((SLOT(mntlabel) == MOUNTMAGIC || SLOT(mntlabel) == 0) &&
(SLOT(fslabel) == MOUNTMAGIC || SLOT(fslabel) == 0)) {
if ((SLOT(label) == MOUNTMAGIC || SLOT(label) == 0)) {
atomic_add_int(&destroy_count_mount, 1);
SLOT(mntlabel) = EXMAGIC;
SLOT(fslabel) = EXMAGIC;
} else if (SLOT(mntlabel) == EXMAGIC || SLOT(fslabel) == EXMAGIC) {
SLOT(label) = EXMAGIC;
} else if (SLOT(label) == EXMAGIC) {
Debugger("mac_test_destroy_mount: dup destroy");
} else {
Debugger("mac_test_destroy_mount: corrupted label");
@ -394,23 +416,49 @@ mac_test_destroy_mount(struct mount *mount, struct label *mntlabel,
}
static void
mac_test_destroy_socket(struct socket *socket, struct label *label,
struct label *peerlabel)
mac_test_destroy_mount_fs_label(struct label *label)
{
if ((SLOT(label) == SOCKETMAGIC || SLOT(label) == 0) &&
(SLOT(peerlabel) == SOCKETMAGIC || SLOT(peerlabel) == 0)) {
if ((SLOT(label) == MOUNTMAGIC || SLOT(label) == 0)) {
atomic_add_int(&destroy_count_mount_fslabel, 1);
SLOT(label) = EXMAGIC;
} else if (SLOT(label) == EXMAGIC) {
Debugger("mac_test_destroy_mount_fslabel: dup destroy");
} else {
Debugger("mac_test_destroy_mount_fslabel: corrupted label");
}
}
static void
mac_test_destroy_socket_label(struct label *label)
{
if ((SLOT(label) == SOCKETMAGIC || SLOT(label) == 0)) {
atomic_add_int(&destroy_count_socket, 1);
SLOT(label) = EXMAGIC;
SLOT(peerlabel) = EXMAGIC;
} else if (SLOT(label) == EXMAGIC || SLOT(peerlabel) == EXMAGIC) {
} else if (SLOT(label) == EXMAGIC) {
Debugger("mac_test_destroy_socket: dup destroy");
} else {
Debugger("mac_test_destroy_socket: corrupted label");
}
}
static void
mac_test_destroy_pipe(struct pipe *pipe, struct label *label)
mac_test_destroy_socket_peer_label(struct label *label)
{
if ((SLOT(label) == SOCKETMAGIC || SLOT(label) == 0)) {
atomic_add_int(&destroy_count_socket_peerlabel, 1);
SLOT(label) = EXMAGIC;
} else if (SLOT(label) == EXMAGIC) {
Debugger("mac_test_destroy_socket_peerlabel: dup destroy");
} else {
Debugger("mac_test_destroy_socket_peerlabel: corrupted label");
}
}
static void
mac_test_destroy_pipe_label(struct label *label)
{
if ((SLOT(label) == PIPEMAGIC || SLOT(label) == 0)) {
@ -424,7 +472,7 @@ mac_test_destroy_pipe(struct pipe *pipe, struct label *label)
}
static void
mac_test_destroy_temp(struct label *label)
mac_test_destroy_temp_label(struct label *label)
{
if (SLOT(label) == TEMPMAGIC || SLOT(label) == 0) {
@ -438,7 +486,7 @@ mac_test_destroy_temp(struct label *label)
}
static void
mac_test_destroy_vnode(struct vnode *vp, struct label *label)
mac_test_destroy_vnode_label(struct label *label)
{
if (SLOT(label) == VNODEMAGIC || SLOT(label) == 0) {
@ -1151,50 +1199,58 @@ static struct mac_policy_op_entry mac_test_ops[] =
(macop_t)mac_test_init },
{ MAC_SYSCALL,
(macop_t)mac_test_syscall },
{ MAC_INIT_BPFDESC,
(macop_t)mac_test_init_bpfdesc },
{ MAC_INIT_CRED,
(macop_t)mac_test_init_cred },
{ MAC_INIT_DEVFSDIRENT,
(macop_t)mac_test_init_devfsdirent },
{ MAC_INIT_IFNET,
(macop_t)mac_test_init_ifnet },
{ MAC_INIT_IPQ,
(macop_t)mac_test_init_ipq },
{ MAC_INIT_MBUF,
(macop_t)mac_test_init_mbuf },
{ MAC_INIT_MOUNT,
(macop_t)mac_test_init_mount },
{ MAC_INIT_PIPE,
(macop_t)mac_test_init_pipe },
{ MAC_INIT_SOCKET,
(macop_t)mac_test_init_socket },
{ MAC_INIT_TEMP,
(macop_t)mac_test_init_temp },
{ MAC_INIT_VNODE,
(macop_t)mac_test_init_vnode },
{ MAC_DESTROY_BPFDESC,
(macop_t)mac_test_destroy_bpfdesc },
{ MAC_DESTROY_CRED,
(macop_t)mac_test_destroy_cred },
{ MAC_DESTROY_DEVFSDIRENT,
(macop_t)mac_test_destroy_devfsdirent },
{ MAC_DESTROY_IFNET,
(macop_t)mac_test_destroy_ifnet },
{ MAC_DESTROY_IPQ,
(macop_t)mac_test_destroy_ipq },
{ MAC_DESTROY_MBUF,
(macop_t)mac_test_destroy_mbuf },
{ MAC_DESTROY_MOUNT,
(macop_t)mac_test_destroy_mount },
{ MAC_DESTROY_PIPE,
(macop_t)mac_test_destroy_pipe },
{ MAC_DESTROY_SOCKET,
(macop_t)mac_test_destroy_socket },
{ MAC_DESTROY_TEMP,
(macop_t)mac_test_destroy_temp },
{ MAC_DESTROY_VNODE,
(macop_t)mac_test_destroy_vnode },
{ MAC_INIT_BPFDESC_LABEL,
(macop_t)mac_test_init_bpfdesc_label },
{ MAC_INIT_CRED_LABEL,
(macop_t)mac_test_init_cred_label },
{ MAC_INIT_DEVFSDIRENT_LABEL,
(macop_t)mac_test_init_devfsdirent_label },
{ MAC_INIT_IFNET_LABEL,
(macop_t)mac_test_init_ifnet_label },
{ MAC_INIT_IPQ_LABEL,
(macop_t)mac_test_init_ipq_label },
{ MAC_INIT_MBUF_LABEL,
(macop_t)mac_test_init_mbuf_label },
{ MAC_INIT_MOUNT_LABEL,
(macop_t)mac_test_init_mount_label },
{ MAC_INIT_MOUNT_FS_LABEL,
(macop_t)mac_test_init_mount_fs_label },
{ MAC_INIT_PIPE_LABEL,
(macop_t)mac_test_init_pipe_label },
{ MAC_INIT_SOCKET_LABEL,
(macop_t)mac_test_init_socket_label },
{ MAC_INIT_SOCKET_PEER_LABEL,
(macop_t)mac_test_init_socket_peer_label },
{ MAC_INIT_TEMP_LABEL,
(macop_t)mac_test_init_temp_label },
{ MAC_INIT_VNODE_LABEL,
(macop_t)mac_test_init_vnode_label },
{ MAC_DESTROY_BPFDESC_LABEL,
(macop_t)mac_test_destroy_bpfdesc_label },
{ MAC_DESTROY_CRED_LABEL,
(macop_t)mac_test_destroy_cred_label },
{ MAC_DESTROY_DEVFSDIRENT_LABEL,
(macop_t)mac_test_destroy_devfsdirent_label },
{ MAC_DESTROY_IFNET_LABEL,
(macop_t)mac_test_destroy_ifnet_label },
{ MAC_DESTROY_IPQ_LABEL,
(macop_t)mac_test_destroy_ipq_label },
{ MAC_DESTROY_MBUF_LABEL,
(macop_t)mac_test_destroy_mbuf_label },
{ MAC_DESTROY_MOUNT_LABEL,
(macop_t)mac_test_destroy_mount_label },
{ MAC_DESTROY_MOUNT_FS_LABEL,
(macop_t)mac_test_destroy_mount_fs_label },
{ MAC_DESTROY_PIPE_LABEL,
(macop_t)mac_test_destroy_pipe_label },
{ MAC_DESTROY_SOCKET_LABEL,
(macop_t)mac_test_destroy_socket_label },
{ MAC_DESTROY_SOCKET_PEER_LABEL,
(macop_t)mac_test_destroy_socket_peer_label },
{ MAC_DESTROY_TEMP_LABEL,
(macop_t)mac_test_destroy_temp_label },
{ MAC_DESTROY_VNODE_LABEL,
(macop_t)mac_test_destroy_vnode_label },
{ MAC_EXTERNALIZE,
(macop_t)mac_test_externalize },
{ MAC_INTERNALIZE,


@ -72,34 +72,33 @@ struct mac_policy_ops {
/*
* Label operations.
*/
void (*mpo_init_bpfdesc)(struct bpf_d *, struct label *label);
void (*mpo_init_cred)(struct ucred *, struct label *label);
void (*mpo_init_devfsdirent)(struct devfs_dirent *,
struct label *label);
void (*mpo_init_ifnet)(struct ifnet *, struct label *label);
void (*mpo_init_ipq)(struct ipq *ipq, struct label *label);
int (*mpo_init_mbuf)(struct mbuf *, int how, struct label *label);
void (*mpo_init_mount)(struct mount *, struct label *mntlabel,
struct label *fslabel);
void (*mpo_init_socket)(struct socket *so, struct label *label,
struct label *peerlabel);
void (*mpo_init_pipe)(struct pipe *pipe, struct label *label);
void (*mpo_init_temp)(struct label *label);
void (*mpo_init_vnode)(struct vnode *, struct label *label);
void (*mpo_destroy_bpfdesc)(struct bpf_d *, struct label *label);
void (*mpo_destroy_cred)(struct ucred *, struct label *label);
void (*mpo_destroy_devfsdirent)(struct devfs_dirent *de,
struct label *label);
void (*mpo_destroy_ifnet)(struct ifnet *, struct label *label);
void (*mpo_destroy_ipq)(struct ipq *ipq, struct label *label);
void (*mpo_destroy_mbuf)(struct mbuf *, struct label *label);
void (*mpo_destroy_mount)(struct mount *, struct label *mntlabel,
struct label *fslabel);
void (*mpo_destroy_socket)(struct socket *so, struct label *label,
struct label *peerlabel);
void (*mpo_destroy_pipe)(struct pipe *pipe, struct label *label);
void (*mpo_destroy_temp)(struct label *label);
void (*mpo_destroy_vnode)(struct vnode *, struct label *label);
void (*mpo_init_bpfdesc_label)(struct label *label);
void (*mpo_init_cred_label)(struct label *label);
void (*mpo_init_devfsdirent_label)(struct label *label);
void (*mpo_init_ifnet_label)(struct label *label);
void (*mpo_init_ipq_label)(struct label *label);
int (*mpo_init_mbuf_label)(struct label *label, int flag);
void (*mpo_init_mount_label)(struct label *label);
void (*mpo_init_mount_fs_label)(struct label *label);
void (*mpo_init_socket_label)(struct label *label);
void (*mpo_init_socket_peer_label)(struct label *label);
void (*mpo_init_pipe_label)(struct label *label);
void (*mpo_init_temp_label)(struct label *label);
void (*mpo_init_vnode_label)(struct label *label);
void (*mpo_destroy_bpfdesc_label)(struct label *label);
void (*mpo_destroy_cred_label)(struct label *label);
void (*mpo_destroy_devfsdirent_label)(struct label *label);
void (*mpo_destroy_ifnet_label)(struct label *label);
void (*mpo_destroy_ipq_label)(struct label *label);
void (*mpo_destroy_mbuf_label)(struct label *label);
void (*mpo_destroy_mount_label)(struct label *label);
void (*mpo_destroy_mount_fs_label)(struct label *label);
void (*mpo_destroy_socket_label)(struct label *label);
void (*mpo_destroy_socket_peer_label)(struct label *label);
void (*mpo_destroy_pipe_label)(struct label *label);
void (*mpo_destroy_temp_label)(struct label *label);
void (*mpo_destroy_vnode_label)(struct label *label);
int (*mpo_externalize)(struct label *label, struct mac *extmac);
int (*mpo_internalize)(struct label *label, struct mac *extmac);
@ -355,28 +354,32 @@ enum mac_op_constant {
MAC_DESTROY,
MAC_INIT,
MAC_SYSCALL,
MAC_INIT_BPFDESC,
MAC_INIT_CRED,
MAC_INIT_DEVFSDIRENT,
MAC_INIT_IFNET,
MAC_INIT_IPQ,
MAC_INIT_MBUF,
MAC_INIT_MOUNT,
MAC_INIT_PIPE,
MAC_INIT_SOCKET,
MAC_INIT_TEMP,
MAC_INIT_VNODE,
MAC_DESTROY_BPFDESC,
MAC_DESTROY_CRED,
MAC_DESTROY_DEVFSDIRENT,
MAC_DESTROY_IFNET,
MAC_DESTROY_IPQ,
MAC_DESTROY_MBUF,
MAC_DESTROY_MOUNT,
MAC_DESTROY_PIPE,
MAC_DESTROY_SOCKET,
MAC_DESTROY_TEMP,
MAC_DESTROY_VNODE,
MAC_INIT_BPFDESC_LABEL,
MAC_INIT_CRED_LABEL,
MAC_INIT_DEVFSDIRENT_LABEL,
MAC_INIT_IFNET_LABEL,
MAC_INIT_IPQ_LABEL,
MAC_INIT_MBUF_LABEL,
MAC_INIT_MOUNT_LABEL,
MAC_INIT_MOUNT_FS_LABEL,
MAC_INIT_PIPE_LABEL,
MAC_INIT_SOCKET_LABEL,
MAC_INIT_SOCKET_PEER_LABEL,
MAC_INIT_TEMP_LABEL,
MAC_INIT_VNODE_LABEL,
MAC_DESTROY_BPFDESC_LABEL,
MAC_DESTROY_CRED_LABEL,
MAC_DESTROY_DEVFSDIRENT_LABEL,
MAC_DESTROY_IFNET_LABEL,
MAC_DESTROY_IPQ_LABEL,
MAC_DESTROY_MBUF_LABEL,
MAC_DESTROY_MOUNT_LABEL,
MAC_DESTROY_MOUNT_FS_LABEL,
MAC_DESTROY_PIPE_LABEL,
MAC_DESTROY_SOCKET_LABEL,
MAC_DESTROY_SOCKET_PEER_LABEL,
MAC_DESTROY_TEMP_LABEL,
MAC_DESTROY_VNODE_LABEL,
MAC_EXTERNALIZE,
MAC_INTERNALIZE,
MAC_CREATE_DEVFS_DEVICE,
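Review bot: As far as these hunks show, a policy module built against the old header would still register after this change, but into the wrong slots, because the enum hunk inserts `MAC_INIT_MOUNT_FS_LABEL`, `MAC_INIT_SOCKET_PEER_LABEL` and the two matching DESTROY constants mid-list and so renumbers every constant after them. The earlier hunk in this header also changes the init/destroy prototypes from `(obj, label)` to `(label)`, and policies bind their functions through `(macop_t)` casts (see the `mac_test_ops[]` table on this page), so the compiler checks neither the slot nor the signature. A stale or half-converted policy would therefore be called with a label pointer where it expects the object, which in an access-control framework should fail loudly rather than misbehave at run time. If `mac_policy_register()` has no interface-version check (not visible here), I would at least add above the first constant `/* Order is part of the policy module ABI: rebuild every policy when constants are added or moved. */`. The enum starts and ends outside this hunk.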