Resort TrustedBSD MAC Framework policy entry point implementations and

declarations to match the object, operation sort order in the framework
itself.

Obtained from:	TrustedBSD Project

sys/security/mac_bsdextended/mac_bsdextended.c

@@ -442,6 +442,10 @@ ugidfw_check_vp(struct ucred *cred, struct vnode *vp, int acc_mode)
 	return (ugidfw_check(cred, vp, &vap, acc_mode));
 }
 
+/*
+ * Object-specific entry point implementations are sorted alphabetically by
+ * object type and then by operation.
+ */
 static int
 ugidfw_system_check_acct(struct ucred *cred, struct vnode *vp,
     struct label *vplabel)

sys/security/mac_ifoff/mac_ifoff.c

@@ -117,6 +117,10 @@ ifnet_check_incoming(struct ifnet *ifp, int viabpf)
 	return (EPERM);
 }
 
+/*
+ * Object-specific entry point implementations are sorted alphabetically by
+ * object type and then by operation.
+ */
 static int
 ifoff_bpfdesc_check_receive(struct bpf_d *d, struct label *dlabel,
     struct ifnet *ifp, struct label *ifplabel)

sys/security/mac_partition/mac_partition.c

@@ -69,78 +69,6 @@ static int	partition_slot;
 #define	SLOT(l)	mac_label_get((l), partition_slot)
 #define	SLOT_SET(l, v)	mac_label_set((l), partition_slot, (v))
 
-static void
-partition_init_label(struct label *label)
-{
-
-	SLOT_SET(label, 0);
-}
-
-static void
-partition_destroy_label(struct label *label)
-{
-
-	SLOT_SET(label, 0);
-}
-
-static void
-partition_copy_label(struct label *src, struct label *dest)
-{
-
-	SLOT_SET(dest, SLOT(src));
-}
-
-static int
-partition_externalize_label(struct label *label, char *element_name,
-    struct sbuf *sb, int *claimed)
-{
-
-	if (strcmp(MAC_PARTITION_LABEL_NAME, element_name) != 0)
-		return (0);
-
-	(*claimed)++;
-
-	if (sbuf_printf(sb, "%jd", (intmax_t)SLOT(label)) == -1)
-		return (EINVAL);
-	else
-		return (0);
-}
-
-static int
-partition_internalize_label(struct label *label, char *element_name,
-    char *element_data, int *claimed)
-{
-
-	if (strcmp(MAC_PARTITION_LABEL_NAME, element_name) != 0)
-		return (0);
-
-	(*claimed)++;
-	SLOT_SET(label, strtol(element_data, NULL, 10));
-	return (0);
-}
-
-static void
-partition_proc_create_swapper(struct ucred *cred)
-{
-
-	SLOT_SET(cred->cr_label, 0);
-}
-
-static void
-partition_proc_create_init(struct ucred *cred)
-{
-
-	SLOT_SET(cred->cr_label, 0);
-}
-
-static void
-partition_cred_relabel(struct ucred *cred, struct label *newlabel)
-{
-
-	if (SLOT(newlabel) != 0)
-		SLOT_SET(cred->cr_label, SLOT(newlabel));
-}
-
 static int
 label_on_label(struct label *subject, struct label *object)
 {
@@ -157,6 +85,10 @@ label_on_label(struct label *subject, struct label *object)
 	return (EPERM);
 }
 
+/*
+ * Object-specific entry points are sorted alphabetically by object type name
+ * and then by operation.
+ */
 static int
 partition_cred_check_relabel(struct ucred *cred, struct label *newlabel)
 {
@@ -188,6 +120,64 @@ partition_cred_check_visible(struct ucred *cr1, struct ucred *cr2)
 	return (error == 0 ? 0 : ESRCH);
 }
 
+static void
+partition_cred_copy_label(struct label *src, struct label *dest)
+{
+
+	SLOT_SET(dest, SLOT(src));
+}
+
+static void
+partition_cred_destroy_label(struct label *label)
+{
+
+	SLOT_SET(label, 0);
+}
+
+static int
+partition_cred_externalize_label(struct label *label, char *element_name,
+    struct sbuf *sb, int *claimed)
+{
+
+	if (strcmp(MAC_PARTITION_LABEL_NAME, element_name) != 0)
+		return (0);
+
+	(*claimed)++;
+
+	if (sbuf_printf(sb, "%jd", (intmax_t)SLOT(label)) == -1)
+		return (EINVAL);
+	else
+		return (0);
+}
+
+static void
+partition_cred_init_label(struct label *label)
+{
+
+	SLOT_SET(label, 0);
+}
+
+static int
+partition_cred_internalize_label(struct label *label, char *element_name,
+    char *element_data, int *claimed)
+{
+
+	if (strcmp(MAC_PARTITION_LABEL_NAME, element_name) != 0)
+		return (0);
+
+	(*claimed)++;
+	SLOT_SET(label, strtol(element_data, NULL, 10));
+	return (0);
+}
+
+static void
+partition_cred_relabel(struct ucred *cred, struct label *newlabel)
+{
+
+	if (SLOT(newlabel) != 0)
+		SLOT_SET(cred->cr_label, SLOT(newlabel));
+}
+
 static int
 partition_proc_check_debug(struct ucred *cred, struct proc *p)
 {
@@ -219,6 +209,20 @@ partition_proc_check_signal(struct ucred *cred, struct proc *p,
 	return (error ? ESRCH : 0);
 }
 
+static void
+partition_proc_create_init(struct ucred *cred)
+{
+
+	SLOT_SET(cred->cr_label, 0);
+}
+
+static void
+partition_proc_create_swapper(struct ucred *cred)
+{
+
+	SLOT_SET(cred->cr_label, 0);
+}
+
 static int
 partition_socket_check_visible(struct ucred *cred, struct socket *so,
     struct label *solabel)
@@ -251,19 +255,19 @@ partition_vnode_check_exec(struct ucred *cred, struct vnode *vp,
 
 static struct mac_policy_ops partition_ops =
 {
-	.mpo_cred_init_label = partition_init_label,
-	.mpo_cred_destroy_label = partition_destroy_label,
-	.mpo_cred_copy_label = partition_copy_label,
-	.mpo_cred_externalize_label = partition_externalize_label,
-	.mpo_cred_internalize_label = partition_internalize_label,
-	.mpo_proc_create_swapper = partition_proc_create_swapper,
-	.mpo_proc_create_init = partition_proc_create_init,
-	.mpo_cred_relabel = partition_cred_relabel,
 	.mpo_cred_check_relabel = partition_cred_check_relabel,
 	.mpo_cred_check_visible = partition_cred_check_visible,
+	.mpo_cred_copy_label = partition_cred_copy_label,
+	.mpo_cred_destroy_label = partition_cred_destroy_label,
+	.mpo_cred_externalize_label = partition_cred_externalize_label,
+	.mpo_cred_init_label = partition_cred_init_label,
+	.mpo_cred_internalize_label = partition_cred_internalize_label,
+	.mpo_cred_relabel = partition_cred_relabel,
 	.mpo_proc_check_debug = partition_proc_check_debug,
 	.mpo_proc_check_sched = partition_proc_check_sched,
 	.mpo_proc_check_signal = partition_proc_check_signal,
+	.mpo_proc_create_init = partition_proc_create_init,
+	.mpo_proc_create_swapper = partition_proc_create_swapper,
 	.mpo_socket_check_visible = partition_socket_check_visible,
 	.mpo_vnode_check_exec = partition_vnode_check_exec,
 };

sys/security/mac_seeotheruids/mac_seeotheruids.c

@@ -126,15 +126,7 @@ seeotheruids_check(struct ucred *cr1, struct ucred *cr2)
 }
 
 static int
-seeotheruids_cred_check_visible(struct ucred *cr1, struct ucred *cr2)
-{
-
-	return (seeotheruids_check(cr1, cr2));
-}
-
-static int
-seeotheruids_proc_check_signal(struct ucred *cred, struct proc *p,
-    int signum)
+seeotheruids_proc_check_debug(struct ucred *cred, struct proc *p)
 {
 
 	return (seeotheruids_check(cred, p->p_ucred));
@@ -148,12 +140,20 @@ seeotheruids_proc_check_sched(struct ucred *cred, struct proc *p)
 }
 
 static int
-seeotheruids_proc_check_debug(struct ucred *cred, struct proc *p)
+seeotheruids_proc_check_signal(struct ucred *cred, struct proc *p,
+    int signum)
 {
 
 	return (seeotheruids_check(cred, p->p_ucred));
 }
 
+static int
+seeotheruids_cred_check_visible(struct ucred *cr1, struct ucred *cr2)
+{
+
+	return (seeotheruids_check(cr1, cr2));
+}
+
 static int
 seeotheruids_socket_check_visible(struct ucred *cred, struct socket *so,
     struct label *solabel)
@@ -164,10 +164,10 @@ seeotheruids_socket_check_visible(struct ucred *cred, struct socket *so,
 
 static struct mac_policy_ops seeotheruids_ops =
 {
-	.mpo_cred_check_visible = seeotheruids_cred_check_visible,
 	.mpo_proc_check_debug = seeotheruids_proc_check_debug,
 	.mpo_proc_check_sched = seeotheruids_proc_check_sched,
 	.mpo_proc_check_signal = seeotheruids_proc_check_signal,
+	.mpo_cred_check_visible = seeotheruids_cred_check_visible,
 	.mpo_socket_check_visible = seeotheruids_socket_check_visible,
 };