From 4ec34a908bb2caf1967fd6e26e152e0bf2e4534e Mon Sep 17 00:00:00 2001
From: Mateusz Guzik <mjg@FreeBSD.org>
Date: Thu, 6 Aug 2020 00:23:06 +0000
Subject: [PATCH] mac: even up all entry points to the same scheme

- use a macro for checking whether the site is enabled
- expand it to 0 if mac is not compiled in to begin with
---
 sys/security/mac/mac_framework.h | 45 +++++++++++++++++++++++++++-----
 1 file changed, 38 insertions(+), 7 deletions(-)

diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h
index 70a7aad44757..fed574d36135 100644
--- a/sys/security/mac/mac_framework.h
+++ b/sys/security/mac/mac_framework.h
@@ -264,11 +264,12 @@ extern bool mac_priv_check_fp_flag;
 #else
 #define mac_priv_check_fp_flag 0
 #endif
+#define mac_priv_check_enabled()	__predict_false(mac_priv_check_fp_flag)
 static inline int
 mac_priv_check(struct ucred *cred, int priv)
 {
 
-	if (__predict_false(mac_priv_check_fp_flag))
+	if (mac_priv_check_enabled())
 		return (mac_priv_check_impl(cred, priv));
 	return (0);
 }
@@ -279,11 +280,12 @@ extern bool mac_priv_grant_fp_flag;
 #else
 #define mac_priv_grant_fp_flag 0
 #endif
+#define mac_priv_grant_enabled()	__predict_false(mac_priv_grant_fp_flag)
 static inline int
 mac_priv_grant(struct ucred *cred, int priv)
 {
 
-	if (__predict_false(mac_priv_grant_fp_flag))
+	if (mac_priv_grant_enabled())
 		return (mac_priv_grant_impl(cred, priv));
 	return (EPERM);
 }
@@ -441,7 +443,11 @@ int	mac_vnode_check_listextattr(struct ucred *cred, struct vnode *vp,
 
 int	mac_vnode_check_lookup_impl(struct ucred *cred, struct vnode *dvp,
  	    struct componentname *cnp);
+#ifdef MAC
 extern bool mac_vnode_check_lookup_fp_flag;
+#else
+#define mac_vnode_check_lookup_fp_flag 0
+#endif
 #define mac_vnode_check_lookup_enabled() __predict_false(mac_vnode_check_lookup_fp_flag)
 static inline int
 mac_vnode_check_lookup(struct ucred *cred, struct vnode *dvp,
@@ -456,28 +462,38 @@ mac_vnode_check_lookup(struct ucred *cred, struct vnode *dvp,
 
 int	mac_vnode_check_mmap_impl(struct ucred *cred, struct vnode *vp, int prot,
 	    int flags);
+#ifdef MAC
 extern bool mac_vnode_check_mmap_fp_flag;
+#else
+#define mac_vnode_check_mmap_fp_flag 0
+#endif
+#define mac_vnode_check_mmap_enabled() __predict_false(mac_vnode_check_mmap_fp_flag)
 static inline int
 mac_vnode_check_mmap(struct ucred *cred, struct vnode *vp, int prot,
     int flags)
 {
 
 	mac_vnode_assert_locked(vp, "mac_vnode_check_mmap");
-	if (__predict_false(mac_vnode_check_mmap_fp_flag))
+	if (mac_vnode_check_mmap_enabled())
 		return (mac_vnode_check_mmap_impl(cred, vp, prot, flags));
 	return (0);
 }
 
 int	mac_vnode_check_open_impl(struct ucred *cred, struct vnode *vp,
 	    accmode_t accmode);
+#ifdef MAC
 extern bool mac_vnode_check_open_fp_flag;
+#else
+#define mac_vnode_check_open_fp_flag 0
+#endif
+#define mac_vnode_check_open_enabled() __predict_false(mac_vnode_check_open_fp_flag)
 static inline int
 mac_vnode_check_open(struct ucred *cred, struct vnode *vp,
     accmode_t accmode)
 {
 
 	mac_vnode_assert_locked(vp, "mac_vnode_check_open");
-	if (__predict_false(mac_vnode_check_open_fp_flag))
+	if (mac_vnode_check_open_enabled())
 		return (mac_vnode_check_open_impl(cred, vp, accmode));
 	return (0);
 }
@@ -526,42 +542,57 @@ int	mac_vnode_check_setutimes(struct ucred *cred, struct vnode *vp,
 
 int	mac_vnode_check_stat_impl(struct ucred *active_cred,
 	    struct ucred *file_cred, struct vnode *vp);
+#ifdef MAC
 extern bool mac_vnode_check_stat_fp_flag;
+#else
+#define mac_vnode_check_stat_fp_flag 0
+#endif
+#define mac_vnode_check_stat_enabled()	__predict_false(mac_vnode_check_stat_fp_flag)
 static inline int
 mac_vnode_check_stat(struct ucred *active_cred, struct ucred *file_cred,
     struct vnode *vp)
 {
 
 	mac_vnode_assert_locked(vp, "mac_vnode_check_stat");
-	if (__predict_false(mac_vnode_check_stat_fp_flag))
+	if (mac_vnode_check_stat_enabled())
 		return (mac_vnode_check_stat_impl(active_cred, file_cred, vp));
 	return (0);
 }
 
 int	mac_vnode_check_read_impl(struct ucred *active_cred,
 	    struct ucred *file_cred, struct vnode *vp);
+#ifdef MAC
 extern bool mac_vnode_check_read_fp_flag;
+#else
+#define mac_vnode_check_read_fp_flag 0
+#endif
+#define mac_vnode_check_read_enabled() __predict_false(mac_vnode_check_read_fp_flag)
 static inline int
 mac_vnode_check_read(struct ucred *active_cred, struct ucred *file_cred,
     struct vnode *vp)
 {
 
 	mac_vnode_assert_locked(vp, "mac_vnode_check_read");
-	if (__predict_false(mac_vnode_check_read_fp_flag))
+	if (mac_vnode_check_read_enabled())
 		return (mac_vnode_check_read_impl(active_cred, file_cred, vp));
 	return (0);
 }
 
 int	mac_vnode_check_write_impl(struct ucred *active_cred,
 	    struct ucred *file_cred, struct vnode *vp);
+#ifdef MAC
 extern bool mac_vnode_check_write_fp_flag;
+#else
+#define mac_vnode_check_write_fp_flag 0
+#endif
+#define mac_vnode_check_write_enabled() __predict_false(mac_vnode_check_write_fp_flag)
 static inline int
 mac_vnode_check_write(struct ucred *active_cred, struct ucred *file_cred,
     struct vnode *vp)
 {
 
 	mac_vnode_assert_locked(vp, "mac_vnode_check_write");
-	if (__predict_false(mac_vnode_check_write_fp_flag))
+	if (mac_vnode_check_write_enabled())
 		return (mac_vnode_check_write_impl(active_cred, file_cred, vp));
 	return (0);
 }