diff --git a/sys/kern/kern_mac.c b/sys/kern/kern_mac.c
index 5c3da06b452b..4882c0f46d2c 100644
--- a/sys/kern/kern_mac.c
+++ b/sys/kern/kern_mac.c
@@ -471,595 +471,16 @@ static int
mac_policy_register(struct mac_policy_conf *mpc)
{
struct mac_policy_conf *tmpc;
- struct mac_policy_op_entry *mpe;
int slot;
- MALLOC(mpc->mpc_ops, struct mac_policy_ops *, sizeof(*mpc->mpc_ops),
- M_MACOPVEC, M_WAITOK | M_ZERO);
- for (mpe = mpc->mpc_entries; mpe->mpe_constant != MAC_OP_LAST; mpe++) {
- switch (mpe->mpe_constant) {
- case MAC_OP_LAST:
- /*
- * Doesn't actually happen, but this allows checking
- * that all enumerated values are handled.
- */
- break;
- case MAC_DESTROY:
- mpc->mpc_ops->mpo_destroy =
- mpe->mpe_function;
- break;
- case MAC_INIT:
- mpc->mpc_ops->mpo_init =
- mpe->mpe_function;
- break;
- case MAC_SYSCALL:
- mpc->mpc_ops->mpo_syscall =
- mpe->mpe_function;
- break;
- case MAC_INIT_BPFDESC_LABEL:
- mpc->mpc_ops->mpo_init_bpfdesc_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_CRED_LABEL:
- mpc->mpc_ops->mpo_init_cred_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_DEVFSDIRENT_LABEL:
- mpc->mpc_ops->mpo_init_devfsdirent_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_IFNET_LABEL:
- mpc->mpc_ops->mpo_init_ifnet_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_IPQ_LABEL:
- mpc->mpc_ops->mpo_init_ipq_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_MBUF_LABEL:
- mpc->mpc_ops->mpo_init_mbuf_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_MOUNT_LABEL:
- mpc->mpc_ops->mpo_init_mount_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_MOUNT_FS_LABEL:
- mpc->mpc_ops->mpo_init_mount_fs_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_PIPE_LABEL:
- mpc->mpc_ops->mpo_init_pipe_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_SOCKET_LABEL:
- mpc->mpc_ops->mpo_init_socket_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_SOCKET_PEER_LABEL:
- mpc->mpc_ops->mpo_init_socket_peer_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_VNODE_LABEL:
- mpc->mpc_ops->mpo_init_vnode_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_BPFDESC_LABEL:
- mpc->mpc_ops->mpo_destroy_bpfdesc_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_CRED_LABEL:
- mpc->mpc_ops->mpo_destroy_cred_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_DEVFSDIRENT_LABEL:
- mpc->mpc_ops->mpo_destroy_devfsdirent_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_IFNET_LABEL:
- mpc->mpc_ops->mpo_destroy_ifnet_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_IPQ_LABEL:
- mpc->mpc_ops->mpo_destroy_ipq_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_MBUF_LABEL:
- mpc->mpc_ops->mpo_destroy_mbuf_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_MOUNT_LABEL:
- mpc->mpc_ops->mpo_destroy_mount_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_MOUNT_FS_LABEL:
- mpc->mpc_ops->mpo_destroy_mount_fs_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_PIPE_LABEL:
- mpc->mpc_ops->mpo_destroy_pipe_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_SOCKET_LABEL:
- mpc->mpc_ops->mpo_destroy_socket_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_SOCKET_PEER_LABEL:
- mpc->mpc_ops->mpo_destroy_socket_peer_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_VNODE_LABEL:
- mpc->mpc_ops->mpo_destroy_vnode_label =
- mpe->mpe_function;
- break;
- case MAC_COPY_PIPE_LABEL:
- mpc->mpc_ops->mpo_copy_pipe_label =
- mpe->mpe_function;
- break;
- case MAC_COPY_VNODE_LABEL:
- mpc->mpc_ops->mpo_copy_vnode_label =
- mpe->mpe_function;
- break;
- case MAC_EXTERNALIZE_CRED_LABEL:
- mpc->mpc_ops->mpo_externalize_cred_label =
- mpe->mpe_function;
- break;
- case MAC_EXTERNALIZE_IFNET_LABEL:
- mpc->mpc_ops->mpo_externalize_ifnet_label =
- mpe->mpe_function;
- break;
- case MAC_EXTERNALIZE_PIPE_LABEL:
- mpc->mpc_ops->mpo_externalize_pipe_label =
- mpe->mpe_function;
- break;
- case MAC_EXTERNALIZE_SOCKET_LABEL:
- mpc->mpc_ops->mpo_externalize_socket_label =
- mpe->mpe_function;
- break;
- case MAC_EXTERNALIZE_SOCKET_PEER_LABEL:
- mpc->mpc_ops->mpo_externalize_socket_peer_label =
- mpe->mpe_function;
- break;
- case MAC_EXTERNALIZE_VNODE_LABEL:
- mpc->mpc_ops->mpo_externalize_vnode_label =
- mpe->mpe_function;
- break;
- case MAC_INTERNALIZE_CRED_LABEL:
- mpc->mpc_ops->mpo_internalize_cred_label =
- mpe->mpe_function;
- break;
- case MAC_INTERNALIZE_IFNET_LABEL:
- mpc->mpc_ops->mpo_internalize_ifnet_label =
- mpe->mpe_function;
- break;
- case MAC_INTERNALIZE_PIPE_LABEL:
- mpc->mpc_ops->mpo_internalize_pipe_label =
- mpe->mpe_function;
- break;
- case MAC_INTERNALIZE_SOCKET_LABEL:
- mpc->mpc_ops->mpo_internalize_socket_label =
- mpe->mpe_function;
- break;
- case MAC_INTERNALIZE_VNODE_LABEL:
- mpc->mpc_ops->mpo_internalize_vnode_label =
- mpe->mpe_function;
- break;
- case MAC_CREATE_DEVFS_DEVICE:
- mpc->mpc_ops->mpo_create_devfs_device =
- mpe->mpe_function;
- break;
- case MAC_CREATE_DEVFS_DIRECTORY:
- mpc->mpc_ops->mpo_create_devfs_directory =
- mpe->mpe_function;
- break;
- case MAC_CREATE_DEVFS_SYMLINK:
- mpc->mpc_ops->mpo_create_devfs_symlink =
- mpe->mpe_function;
- break;
- case MAC_CREATE_DEVFS_VNODE:
- mpc->mpc_ops->mpo_create_devfs_vnode =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MOUNT:
- mpc->mpc_ops->mpo_create_mount =
- mpe->mpe_function;
- break;
- case MAC_CREATE_ROOT_MOUNT:
- mpc->mpc_ops->mpo_create_root_mount =
- mpe->mpe_function;
- break;
- case MAC_RELABEL_VNODE:
- mpc->mpc_ops->mpo_relabel_vnode =
- mpe->mpe_function;
- break;
- case MAC_UPDATE_DEVFSDIRENT:
- mpc->mpc_ops->mpo_update_devfsdirent =
- mpe->mpe_function;
- break;
- case MAC_ASSOCIATE_VNODE_DEVFS:
- mpc->mpc_ops->mpo_associate_vnode_devfs =
- mpe->mpe_function;
- break;
- case MAC_ASSOCIATE_VNODE_EXTATTR:
- mpc->mpc_ops->mpo_associate_vnode_extattr =
- mpe->mpe_function;
- break;
- case MAC_ASSOCIATE_VNODE_SINGLELABEL:
- mpc->mpc_ops->mpo_associate_vnode_singlelabel =
- mpe->mpe_function;
- break;
- case MAC_CREATE_VNODE_EXTATTR:
- mpc->mpc_ops->mpo_create_vnode_extattr =
- mpe->mpe_function;
- break;
- case MAC_SETLABEL_VNODE_EXTATTR:
- mpc->mpc_ops->mpo_setlabel_vnode_extattr =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MBUF_FROM_SOCKET:
- mpc->mpc_ops->mpo_create_mbuf_from_socket =
- mpe->mpe_function;
- break;
- case MAC_CREATE_PIPE:
- mpc->mpc_ops->mpo_create_pipe =
- mpe->mpe_function;
- break;
- case MAC_CREATE_SOCKET:
- mpc->mpc_ops->mpo_create_socket =
- mpe->mpe_function;
- break;
- case MAC_CREATE_SOCKET_FROM_SOCKET:
- mpc->mpc_ops->mpo_create_socket_from_socket =
- mpe->mpe_function;
- break;
- case MAC_RELABEL_PIPE:
- mpc->mpc_ops->mpo_relabel_pipe =
- mpe->mpe_function;
- break;
- case MAC_RELABEL_SOCKET:
- mpc->mpc_ops->mpo_relabel_socket =
- mpe->mpe_function;
- break;
- case MAC_SET_SOCKET_PEER_FROM_MBUF:
- mpc->mpc_ops->mpo_set_socket_peer_from_mbuf =
- mpe->mpe_function;
- break;
- case MAC_SET_SOCKET_PEER_FROM_SOCKET:
- mpc->mpc_ops->mpo_set_socket_peer_from_socket =
- mpe->mpe_function;
- break;
- case MAC_CREATE_BPFDESC:
- mpc->mpc_ops->mpo_create_bpfdesc =
- mpe->mpe_function;
- break;
- case MAC_CREATE_DATAGRAM_FROM_IPQ:
- mpc->mpc_ops->mpo_create_datagram_from_ipq =
- mpe->mpe_function;
- break;
- case MAC_CREATE_FRAGMENT:
- mpc->mpc_ops->mpo_create_fragment =
- mpe->mpe_function;
- break;
- case MAC_CREATE_IFNET:
- mpc->mpc_ops->mpo_create_ifnet =
- mpe->mpe_function;
- break;
- case MAC_CREATE_IPQ:
- mpc->mpc_ops->mpo_create_ipq =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MBUF_FROM_MBUF:
- mpc->mpc_ops->mpo_create_mbuf_from_mbuf =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MBUF_LINKLAYER:
- mpc->mpc_ops->mpo_create_mbuf_linklayer =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MBUF_FROM_BPFDESC:
- mpc->mpc_ops->mpo_create_mbuf_from_bpfdesc =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MBUF_FROM_IFNET:
- mpc->mpc_ops->mpo_create_mbuf_from_ifnet =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MBUF_MULTICAST_ENCAP:
- mpc->mpc_ops->mpo_create_mbuf_multicast_encap =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MBUF_NETLAYER:
- mpc->mpc_ops->mpo_create_mbuf_netlayer =
- mpe->mpe_function;
- break;
- case MAC_FRAGMENT_MATCH:
- mpc->mpc_ops->mpo_fragment_match =
- mpe->mpe_function;
- break;
- case MAC_RELABEL_IFNET:
- mpc->mpc_ops->mpo_relabel_ifnet =
- mpe->mpe_function;
- break;
- case MAC_UPDATE_IPQ:
- mpc->mpc_ops->mpo_update_ipq =
- mpe->mpe_function;
- break;
- case MAC_CREATE_CRED:
- mpc->mpc_ops->mpo_create_cred =
- mpe->mpe_function;
- break;
- case MAC_EXECVE_TRANSITION:
- mpc->mpc_ops->mpo_execve_transition =
- mpe->mpe_function;
- break;
- case MAC_EXECVE_WILL_TRANSITION:
- mpc->mpc_ops->mpo_execve_will_transition =
- mpe->mpe_function;
- break;
- case MAC_CREATE_PROC0:
- mpc->mpc_ops->mpo_create_proc0 =
- mpe->mpe_function;
- break;
- case MAC_CREATE_PROC1:
- mpc->mpc_ops->mpo_create_proc1 =
- mpe->mpe_function;
- break;
- case MAC_RELABEL_CRED:
- mpc->mpc_ops->mpo_relabel_cred =
- mpe->mpe_function;
- break;
- case MAC_THREAD_USERRET:
- mpc->mpc_ops->mpo_thread_userret =
- mpe->mpe_function;
- break;
- case MAC_CHECK_BPFDESC_RECEIVE:
- mpc->mpc_ops->mpo_check_bpfdesc_receive =
- mpe->mpe_function;
- break;
- case MAC_CHECK_CRED_RELABEL:
- mpc->mpc_ops->mpo_check_cred_relabel =
- mpe->mpe_function;
- break;
- case MAC_CHECK_CRED_VISIBLE:
- mpc->mpc_ops->mpo_check_cred_visible =
- mpe->mpe_function;
- break;
- case MAC_CHECK_IFNET_RELABEL:
- mpc->mpc_ops->mpo_check_ifnet_relabel =
- mpe->mpe_function;
- break;
- case MAC_CHECK_IFNET_TRANSMIT:
- mpc->mpc_ops->mpo_check_ifnet_transmit =
- mpe->mpe_function;
- break;
- case MAC_CHECK_MOUNT_STAT:
- mpc->mpc_ops->mpo_check_mount_stat =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PIPE_IOCTL:
- mpc->mpc_ops->mpo_check_pipe_ioctl =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PIPE_POLL:
- mpc->mpc_ops->mpo_check_pipe_poll =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PIPE_READ:
- mpc->mpc_ops->mpo_check_pipe_read =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PIPE_RELABEL:
- mpc->mpc_ops->mpo_check_pipe_relabel =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PIPE_STAT:
- mpc->mpc_ops->mpo_check_pipe_stat =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PIPE_WRITE:
- mpc->mpc_ops->mpo_check_pipe_write =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PROC_DEBUG:
- mpc->mpc_ops->mpo_check_proc_debug =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PROC_SCHED:
- mpc->mpc_ops->mpo_check_proc_sched =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PROC_SIGNAL:
- mpc->mpc_ops->mpo_check_proc_signal =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_BIND:
- mpc->mpc_ops->mpo_check_socket_bind =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_CONNECT:
- mpc->mpc_ops->mpo_check_socket_connect =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_DELIVER:
- mpc->mpc_ops->mpo_check_socket_deliver =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_LISTEN:
- mpc->mpc_ops->mpo_check_socket_listen =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_RECEIVE:
- mpc->mpc_ops->mpo_check_socket_receive =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_RELABEL:
- mpc->mpc_ops->mpo_check_socket_relabel =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_SEND:
- mpc->mpc_ops->mpo_check_socket_send =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_VISIBLE:
- mpc->mpc_ops->mpo_check_socket_visible =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SYSTEM_REBOOT:
- mpc->mpc_ops->mpo_check_system_reboot =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SYSTEM_SWAPON:
- mpc->mpc_ops->mpo_check_system_swapon =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SYSTEM_SYSCTL:
- mpc->mpc_ops->mpo_check_system_sysctl =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_ACCESS:
- mpc->mpc_ops->mpo_check_vnode_access =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_CHDIR:
- mpc->mpc_ops->mpo_check_vnode_chdir =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_CHROOT:
- mpc->mpc_ops->mpo_check_vnode_chroot =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_CREATE:
- mpc->mpc_ops->mpo_check_vnode_create =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_DELETE:
- mpc->mpc_ops->mpo_check_vnode_delete =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_DELETEACL:
- mpc->mpc_ops->mpo_check_vnode_deleteacl =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_EXEC:
- mpc->mpc_ops->mpo_check_vnode_exec =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_GETACL:
- mpc->mpc_ops->mpo_check_vnode_getacl =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_GETEXTATTR:
- mpc->mpc_ops->mpo_check_vnode_getextattr =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_LINK:
- mpc->mpc_ops->mpo_check_vnode_link =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_LOOKUP:
- mpc->mpc_ops->mpo_check_vnode_lookup =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_MMAP:
- mpc->mpc_ops->mpo_check_vnode_mmap =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_MMAP_DOWNGRADE:
- mpc->mpc_ops->mpo_check_vnode_mmap_downgrade =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_MPROTECT:
- mpc->mpc_ops->mpo_check_vnode_mprotect =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_OPEN:
- mpc->mpc_ops->mpo_check_vnode_open =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_POLL:
- mpc->mpc_ops->mpo_check_vnode_poll =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_READ:
- mpc->mpc_ops->mpo_check_vnode_read =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_READDIR:
- mpc->mpc_ops->mpo_check_vnode_readdir =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_READLINK:
- mpc->mpc_ops->mpo_check_vnode_readlink =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_RELABEL:
- mpc->mpc_ops->mpo_check_vnode_relabel =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_RENAME_FROM:
- mpc->mpc_ops->mpo_check_vnode_rename_from =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_RENAME_TO:
- mpc->mpc_ops->mpo_check_vnode_rename_to =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_REVOKE:
- mpc->mpc_ops->mpo_check_vnode_revoke =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_SETACL:
- mpc->mpc_ops->mpo_check_vnode_setacl =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_SETEXTATTR:
- mpc->mpc_ops->mpo_check_vnode_setextattr =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_SETFLAGS:
- mpc->mpc_ops->mpo_check_vnode_setflags =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_SETMODE:
- mpc->mpc_ops->mpo_check_vnode_setmode =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_SETOWNER:
- mpc->mpc_ops->mpo_check_vnode_setowner =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_SETUTIMES:
- mpc->mpc_ops->mpo_check_vnode_setutimes =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_STAT:
- mpc->mpc_ops->mpo_check_vnode_stat =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_WRITE:
- mpc->mpc_ops->mpo_check_vnode_write =
- mpe->mpe_function;
- break;
-/*
- default:
- printf("MAC policy `%s': unknown operation %d\n",
- mpc->mpc_name, mpe->mpe_constant);
- return (EINVAL);
-*/
- }
- }
MAC_POLICY_LIST_LOCK();
if (mac_policy_list_busy > 0) {
MAC_POLICY_LIST_UNLOCK();
- FREE(mpc->mpc_ops, M_MACOPVEC);
- mpc->mpc_ops = NULL;
return (EBUSY);
}
LIST_FOREACH(tmpc, &mac_policy_list, mpc_list) {
if (strcmp(tmpc->mpc_name, mpc->mpc_name) == 0) {
MAC_POLICY_LIST_UNLOCK();
- FREE(mpc->mpc_ops, M_MACOPVEC);
- mpc->mpc_ops = NULL;
return (EEXIST);
}
}
@@ -1067,8 +488,6 @@ mac_policy_register(struct mac_policy_conf *mpc)
slot = ffs(mac_policy_offsets_free);
if (slot == 0) {
MAC_POLICY_LIST_UNLOCK();
- FREE(mpc->mpc_ops, M_MACOPVEC);
- mpc->mpc_ops = NULL;
return (ENOMEM);
}
slot--;
@@ -1135,8 +554,6 @@ mac_policy_unregister(struct mac_policy_conf *mpc)
LIST_REMOVE(mpc, mpc_list);
MAC_POLICY_LIST_UNLOCK();
- FREE(mpc->mpc_ops, M_MACOPVEC);
- mpc->mpc_ops = NULL;
mpc->mpc_runtime_flags &= ~MPC_RUNTIME_FLAG_REGISTERED;
printf("Security policy unload: %s (%s)\n", mpc->mpc_fullname,
diff --git a/sys/security/mac/mac_framework.c b/sys/security/mac/mac_framework.c
index 5c3da06b452b..4882c0f46d2c 100644
--- a/sys/security/mac/mac_framework.c
+++ b/sys/security/mac/mac_framework.c
@@ -471,595 +471,16 @@ static int
mac_policy_register(struct mac_policy_conf *mpc)
{
struct mac_policy_conf *tmpc;
- struct mac_policy_op_entry *mpe;
int slot;
- MALLOC(mpc->mpc_ops, struct mac_policy_ops *, sizeof(*mpc->mpc_ops),
- M_MACOPVEC, M_WAITOK | M_ZERO);
- for (mpe = mpc->mpc_entries; mpe->mpe_constant != MAC_OP_LAST; mpe++) {
- switch (mpe->mpe_constant) {
- case MAC_OP_LAST:
- /*
- * Doesn't actually happen, but this allows checking
- * that all enumerated values are handled.
- */
- break;
- case MAC_DESTROY:
- mpc->mpc_ops->mpo_destroy =
- mpe->mpe_function;
- break;
- case MAC_INIT:
- mpc->mpc_ops->mpo_init =
- mpe->mpe_function;
- break;
- case MAC_SYSCALL:
- mpc->mpc_ops->mpo_syscall =
- mpe->mpe_function;
- break;
- case MAC_INIT_BPFDESC_LABEL:
- mpc->mpc_ops->mpo_init_bpfdesc_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_CRED_LABEL:
- mpc->mpc_ops->mpo_init_cred_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_DEVFSDIRENT_LABEL:
- mpc->mpc_ops->mpo_init_devfsdirent_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_IFNET_LABEL:
- mpc->mpc_ops->mpo_init_ifnet_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_IPQ_LABEL:
- mpc->mpc_ops->mpo_init_ipq_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_MBUF_LABEL:
- mpc->mpc_ops->mpo_init_mbuf_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_MOUNT_LABEL:
- mpc->mpc_ops->mpo_init_mount_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_MOUNT_FS_LABEL:
- mpc->mpc_ops->mpo_init_mount_fs_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_PIPE_LABEL:
- mpc->mpc_ops->mpo_init_pipe_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_SOCKET_LABEL:
- mpc->mpc_ops->mpo_init_socket_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_SOCKET_PEER_LABEL:
- mpc->mpc_ops->mpo_init_socket_peer_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_VNODE_LABEL:
- mpc->mpc_ops->mpo_init_vnode_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_BPFDESC_LABEL:
- mpc->mpc_ops->mpo_destroy_bpfdesc_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_CRED_LABEL:
- mpc->mpc_ops->mpo_destroy_cred_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_DEVFSDIRENT_LABEL:
- mpc->mpc_ops->mpo_destroy_devfsdirent_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_IFNET_LABEL:
- mpc->mpc_ops->mpo_destroy_ifnet_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_IPQ_LABEL:
- mpc->mpc_ops->mpo_destroy_ipq_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_MBUF_LABEL:
- mpc->mpc_ops->mpo_destroy_mbuf_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_MOUNT_LABEL:
- mpc->mpc_ops->mpo_destroy_mount_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_MOUNT_FS_LABEL:
- mpc->mpc_ops->mpo_destroy_mount_fs_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_PIPE_LABEL:
- mpc->mpc_ops->mpo_destroy_pipe_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_SOCKET_LABEL:
- mpc->mpc_ops->mpo_destroy_socket_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_SOCKET_PEER_LABEL:
- mpc->mpc_ops->mpo_destroy_socket_peer_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_VNODE_LABEL:
- mpc->mpc_ops->mpo_destroy_vnode_label =
- mpe->mpe_function;
- break;
- case MAC_COPY_PIPE_LABEL:
- mpc->mpc_ops->mpo_copy_pipe_label =
- mpe->mpe_function;
- break;
- case MAC_COPY_VNODE_LABEL:
- mpc->mpc_ops->mpo_copy_vnode_label =
- mpe->mpe_function;
- break;
- case MAC_EXTERNALIZE_CRED_LABEL:
- mpc->mpc_ops->mpo_externalize_cred_label =
- mpe->mpe_function;
- break;
- case MAC_EXTERNALIZE_IFNET_LABEL:
- mpc->mpc_ops->mpo_externalize_ifnet_label =
- mpe->mpe_function;
- break;
- case MAC_EXTERNALIZE_PIPE_LABEL:
- mpc->mpc_ops->mpo_externalize_pipe_label =
- mpe->mpe_function;
- break;
- case MAC_EXTERNALIZE_SOCKET_LABEL:
- mpc->mpc_ops->mpo_externalize_socket_label =
- mpe->mpe_function;
- break;
- case MAC_EXTERNALIZE_SOCKET_PEER_LABEL:
- mpc->mpc_ops->mpo_externalize_socket_peer_label =
- mpe->mpe_function;
- break;
- case MAC_EXTERNALIZE_VNODE_LABEL:
- mpc->mpc_ops->mpo_externalize_vnode_label =
- mpe->mpe_function;
- break;
- case MAC_INTERNALIZE_CRED_LABEL:
- mpc->mpc_ops->mpo_internalize_cred_label =
- mpe->mpe_function;
- break;
- case MAC_INTERNALIZE_IFNET_LABEL:
- mpc->mpc_ops->mpo_internalize_ifnet_label =
- mpe->mpe_function;
- break;
- case MAC_INTERNALIZE_PIPE_LABEL:
- mpc->mpc_ops->mpo_internalize_pipe_label =
- mpe->mpe_function;
- break;
- case MAC_INTERNALIZE_SOCKET_LABEL:
- mpc->mpc_ops->mpo_internalize_socket_label =
- mpe->mpe_function;
- break;
- case MAC_INTERNALIZE_VNODE_LABEL:
- mpc->mpc_ops->mpo_internalize_vnode_label =
- mpe->mpe_function;
- break;
- case MAC_CREATE_DEVFS_DEVICE:
- mpc->mpc_ops->mpo_create_devfs_device =
- mpe->mpe_function;
- break;
- case MAC_CREATE_DEVFS_DIRECTORY:
- mpc->mpc_ops->mpo_create_devfs_directory =
- mpe->mpe_function;
- break;
- case MAC_CREATE_DEVFS_SYMLINK:
- mpc->mpc_ops->mpo_create_devfs_symlink =
- mpe->mpe_function;
- break;
- case MAC_CREATE_DEVFS_VNODE:
- mpc->mpc_ops->mpo_create_devfs_vnode =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MOUNT:
- mpc->mpc_ops->mpo_create_mount =
- mpe->mpe_function;
- break;
- case MAC_CREATE_ROOT_MOUNT:
- mpc->mpc_ops->mpo_create_root_mount =
- mpe->mpe_function;
- break;
- case MAC_RELABEL_VNODE:
- mpc->mpc_ops->mpo_relabel_vnode =
- mpe->mpe_function;
- break;
- case MAC_UPDATE_DEVFSDIRENT:
- mpc->mpc_ops->mpo_update_devfsdirent =
- mpe->mpe_function;
- break;
- case MAC_ASSOCIATE_VNODE_DEVFS:
- mpc->mpc_ops->mpo_associate_vnode_devfs =
- mpe->mpe_function;
- break;
- case MAC_ASSOCIATE_VNODE_EXTATTR:
- mpc->mpc_ops->mpo_associate_vnode_extattr =
- mpe->mpe_function;
- break;
- case MAC_ASSOCIATE_VNODE_SINGLELABEL:
- mpc->mpc_ops->mpo_associate_vnode_singlelabel =
- mpe->mpe_function;
- break;
- case MAC_CREATE_VNODE_EXTATTR:
- mpc->mpc_ops->mpo_create_vnode_extattr =
- mpe->mpe_function;
- break;
- case MAC_SETLABEL_VNODE_EXTATTR:
- mpc->mpc_ops->mpo_setlabel_vnode_extattr =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MBUF_FROM_SOCKET:
- mpc->mpc_ops->mpo_create_mbuf_from_socket =
- mpe->mpe_function;
- break;
- case MAC_CREATE_PIPE:
- mpc->mpc_ops->mpo_create_pipe =
- mpe->mpe_function;
- break;
- case MAC_CREATE_SOCKET:
- mpc->mpc_ops->mpo_create_socket =
- mpe->mpe_function;
- break;
- case MAC_CREATE_SOCKET_FROM_SOCKET:
- mpc->mpc_ops->mpo_create_socket_from_socket =
- mpe->mpe_function;
- break;
- case MAC_RELABEL_PIPE:
- mpc->mpc_ops->mpo_relabel_pipe =
- mpe->mpe_function;
- break;
- case MAC_RELABEL_SOCKET:
- mpc->mpc_ops->mpo_relabel_socket =
- mpe->mpe_function;
- break;
- case MAC_SET_SOCKET_PEER_FROM_MBUF:
- mpc->mpc_ops->mpo_set_socket_peer_from_mbuf =
- mpe->mpe_function;
- break;
- case MAC_SET_SOCKET_PEER_FROM_SOCKET:
- mpc->mpc_ops->mpo_set_socket_peer_from_socket =
- mpe->mpe_function;
- break;
- case MAC_CREATE_BPFDESC:
- mpc->mpc_ops->mpo_create_bpfdesc =
- mpe->mpe_function;
- break;
- case MAC_CREATE_DATAGRAM_FROM_IPQ:
- mpc->mpc_ops->mpo_create_datagram_from_ipq =
- mpe->mpe_function;
- break;
- case MAC_CREATE_FRAGMENT:
- mpc->mpc_ops->mpo_create_fragment =
- mpe->mpe_function;
- break;
- case MAC_CREATE_IFNET:
- mpc->mpc_ops->mpo_create_ifnet =
- mpe->mpe_function;
- break;
- case MAC_CREATE_IPQ:
- mpc->mpc_ops->mpo_create_ipq =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MBUF_FROM_MBUF:
- mpc->mpc_ops->mpo_create_mbuf_from_mbuf =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MBUF_LINKLAYER:
- mpc->mpc_ops->mpo_create_mbuf_linklayer =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MBUF_FROM_BPFDESC:
- mpc->mpc_ops->mpo_create_mbuf_from_bpfdesc =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MBUF_FROM_IFNET:
- mpc->mpc_ops->mpo_create_mbuf_from_ifnet =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MBUF_MULTICAST_ENCAP:
- mpc->mpc_ops->mpo_create_mbuf_multicast_encap =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MBUF_NETLAYER:
- mpc->mpc_ops->mpo_create_mbuf_netlayer =
- mpe->mpe_function;
- break;
- case MAC_FRAGMENT_MATCH:
- mpc->mpc_ops->mpo_fragment_match =
- mpe->mpe_function;
- break;
- case MAC_RELABEL_IFNET:
- mpc->mpc_ops->mpo_relabel_ifnet =
- mpe->mpe_function;
- break;
- case MAC_UPDATE_IPQ:
- mpc->mpc_ops->mpo_update_ipq =
- mpe->mpe_function;
- break;
- case MAC_CREATE_CRED:
- mpc->mpc_ops->mpo_create_cred =
- mpe->mpe_function;
- break;
- case MAC_EXECVE_TRANSITION:
- mpc->mpc_ops->mpo_execve_transition =
- mpe->mpe_function;
- break;
- case MAC_EXECVE_WILL_TRANSITION:
- mpc->mpc_ops->mpo_execve_will_transition =
- mpe->mpe_function;
- break;
- case MAC_CREATE_PROC0:
- mpc->mpc_ops->mpo_create_proc0 =
- mpe->mpe_function;
- break;
- case MAC_CREATE_PROC1:
- mpc->mpc_ops->mpo_create_proc1 =
- mpe->mpe_function;
- break;
- case MAC_RELABEL_CRED:
- mpc->mpc_ops->mpo_relabel_cred =
- mpe->mpe_function;
- break;
- case MAC_THREAD_USERRET:
- mpc->mpc_ops->mpo_thread_userret =
- mpe->mpe_function;
- break;
- case MAC_CHECK_BPFDESC_RECEIVE:
- mpc->mpc_ops->mpo_check_bpfdesc_receive =
- mpe->mpe_function;
- break;
- case MAC_CHECK_CRED_RELABEL:
- mpc->mpc_ops->mpo_check_cred_relabel =
- mpe->mpe_function;
- break;
- case MAC_CHECK_CRED_VISIBLE:
- mpc->mpc_ops->mpo_check_cred_visible =
- mpe->mpe_function;
- break;
- case MAC_CHECK_IFNET_RELABEL:
- mpc->mpc_ops->mpo_check_ifnet_relabel =
- mpe->mpe_function;
- break;
- case MAC_CHECK_IFNET_TRANSMIT:
- mpc->mpc_ops->mpo_check_ifnet_transmit =
- mpe->mpe_function;
- break;
- case MAC_CHECK_MOUNT_STAT:
- mpc->mpc_ops->mpo_check_mount_stat =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PIPE_IOCTL:
- mpc->mpc_ops->mpo_check_pipe_ioctl =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PIPE_POLL:
- mpc->mpc_ops->mpo_check_pipe_poll =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PIPE_READ:
- mpc->mpc_ops->mpo_check_pipe_read =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PIPE_RELABEL:
- mpc->mpc_ops->mpo_check_pipe_relabel =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PIPE_STAT:
- mpc->mpc_ops->mpo_check_pipe_stat =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PIPE_WRITE:
- mpc->mpc_ops->mpo_check_pipe_write =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PROC_DEBUG:
- mpc->mpc_ops->mpo_check_proc_debug =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PROC_SCHED:
- mpc->mpc_ops->mpo_check_proc_sched =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PROC_SIGNAL:
- mpc->mpc_ops->mpo_check_proc_signal =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_BIND:
- mpc->mpc_ops->mpo_check_socket_bind =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_CONNECT:
- mpc->mpc_ops->mpo_check_socket_connect =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_DELIVER:
- mpc->mpc_ops->mpo_check_socket_deliver =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_LISTEN:
- mpc->mpc_ops->mpo_check_socket_listen =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_RECEIVE:
- mpc->mpc_ops->mpo_check_socket_receive =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_RELABEL:
- mpc->mpc_ops->mpo_check_socket_relabel =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_SEND:
- mpc->mpc_ops->mpo_check_socket_send =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_VISIBLE:
- mpc->mpc_ops->mpo_check_socket_visible =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SYSTEM_REBOOT:
- mpc->mpc_ops->mpo_check_system_reboot =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SYSTEM_SWAPON:
- mpc->mpc_ops->mpo_check_system_swapon =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SYSTEM_SYSCTL:
- mpc->mpc_ops->mpo_check_system_sysctl =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_ACCESS:
- mpc->mpc_ops->mpo_check_vnode_access =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_CHDIR:
- mpc->mpc_ops->mpo_check_vnode_chdir =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_CHROOT:
- mpc->mpc_ops->mpo_check_vnode_chroot =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_CREATE:
- mpc->mpc_ops->mpo_check_vnode_create =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_DELETE:
- mpc->mpc_ops->mpo_check_vnode_delete =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_DELETEACL:
- mpc->mpc_ops->mpo_check_vnode_deleteacl =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_EXEC:
- mpc->mpc_ops->mpo_check_vnode_exec =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_GETACL:
- mpc->mpc_ops->mpo_check_vnode_getacl =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_GETEXTATTR:
- mpc->mpc_ops->mpo_check_vnode_getextattr =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_LINK:
- mpc->mpc_ops->mpo_check_vnode_link =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_LOOKUP:
- mpc->mpc_ops->mpo_check_vnode_lookup =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_MMAP:
- mpc->mpc_ops->mpo_check_vnode_mmap =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_MMAP_DOWNGRADE:
- mpc->mpc_ops->mpo_check_vnode_mmap_downgrade =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_MPROTECT:
- mpc->mpc_ops->mpo_check_vnode_mprotect =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_OPEN:
- mpc->mpc_ops->mpo_check_vnode_open =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_POLL:
- mpc->mpc_ops->mpo_check_vnode_poll =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_READ:
- mpc->mpc_ops->mpo_check_vnode_read =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_READDIR:
- mpc->mpc_ops->mpo_check_vnode_readdir =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_READLINK:
- mpc->mpc_ops->mpo_check_vnode_readlink =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_RELABEL:
- mpc->mpc_ops->mpo_check_vnode_relabel =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_RENAME_FROM:
- mpc->mpc_ops->mpo_check_vnode_rename_from =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_RENAME_TO:
- mpc->mpc_ops->mpo_check_vnode_rename_to =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_REVOKE:
- mpc->mpc_ops->mpo_check_vnode_revoke =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_SETACL:
- mpc->mpc_ops->mpo_check_vnode_setacl =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_SETEXTATTR:
- mpc->mpc_ops->mpo_check_vnode_setextattr =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_SETFLAGS:
- mpc->mpc_ops->mpo_check_vnode_setflags =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_SETMODE:
- mpc->mpc_ops->mpo_check_vnode_setmode =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_SETOWNER:
- mpc->mpc_ops->mpo_check_vnode_setowner =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_SETUTIMES:
- mpc->mpc_ops->mpo_check_vnode_setutimes =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_STAT:
- mpc->mpc_ops->mpo_check_vnode_stat =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_WRITE:
- mpc->mpc_ops->mpo_check_vnode_write =
- mpe->mpe_function;
- break;
-/*
- default:
- printf("MAC policy `%s': unknown operation %d\n",
- mpc->mpc_name, mpe->mpe_constant);
- return (EINVAL);
-*/
- }
- }
MAC_POLICY_LIST_LOCK();
if (mac_policy_list_busy > 0) {
MAC_POLICY_LIST_UNLOCK();
- FREE(mpc->mpc_ops, M_MACOPVEC);
- mpc->mpc_ops = NULL;
return (EBUSY);
}
LIST_FOREACH(tmpc, &mac_policy_list, mpc_list) {
if (strcmp(tmpc->mpc_name, mpc->mpc_name) == 0) {
MAC_POLICY_LIST_UNLOCK();
- FREE(mpc->mpc_ops, M_MACOPVEC);
- mpc->mpc_ops = NULL;
return (EEXIST);
}
}
@@ -1067,8 +488,6 @@ mac_policy_register(struct mac_policy_conf *mpc)
slot = ffs(mac_policy_offsets_free);
if (slot == 0) {
MAC_POLICY_LIST_UNLOCK();
- FREE(mpc->mpc_ops, M_MACOPVEC);
- mpc->mpc_ops = NULL;
return (ENOMEM);
}
slot--;
@@ -1135,8 +554,6 @@ mac_policy_unregister(struct mac_policy_conf *mpc)
LIST_REMOVE(mpc, mpc_list);
MAC_POLICY_LIST_UNLOCK();
- FREE(mpc->mpc_ops, M_MACOPVEC);
- mpc->mpc_ops = NULL;
mpc->mpc_runtime_flags &= ~MPC_RUNTIME_FLAG_REGISTERED;
printf("Security policy unload: %s (%s)\n", mpc->mpc_fullname,
diff --git a/sys/security/mac/mac_internal.h b/sys/security/mac/mac_internal.h
index 5c3da06b452b..4882c0f46d2c 100644
--- a/sys/security/mac/mac_internal.h
+++ b/sys/security/mac/mac_internal.h
@@ -471,595 +471,16 @@ static int
mac_policy_register(struct mac_policy_conf *mpc)
{
struct mac_policy_conf *tmpc;
- struct mac_policy_op_entry *mpe;
int slot;
- MALLOC(mpc->mpc_ops, struct mac_policy_ops *, sizeof(*mpc->mpc_ops),
- M_MACOPVEC, M_WAITOK | M_ZERO);
- for (mpe = mpc->mpc_entries; mpe->mpe_constant != MAC_OP_LAST; mpe++) {
- switch (mpe->mpe_constant) {
- case MAC_OP_LAST:
- /*
- * Doesn't actually happen, but this allows checking
- * that all enumerated values are handled.
- */
- break;
- case MAC_DESTROY:
- mpc->mpc_ops->mpo_destroy =
- mpe->mpe_function;
- break;
- case MAC_INIT:
- mpc->mpc_ops->mpo_init =
- mpe->mpe_function;
- break;
- case MAC_SYSCALL:
- mpc->mpc_ops->mpo_syscall =
- mpe->mpe_function;
- break;
- case MAC_INIT_BPFDESC_LABEL:
- mpc->mpc_ops->mpo_init_bpfdesc_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_CRED_LABEL:
- mpc->mpc_ops->mpo_init_cred_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_DEVFSDIRENT_LABEL:
- mpc->mpc_ops->mpo_init_devfsdirent_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_IFNET_LABEL:
- mpc->mpc_ops->mpo_init_ifnet_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_IPQ_LABEL:
- mpc->mpc_ops->mpo_init_ipq_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_MBUF_LABEL:
- mpc->mpc_ops->mpo_init_mbuf_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_MOUNT_LABEL:
- mpc->mpc_ops->mpo_init_mount_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_MOUNT_FS_LABEL:
- mpc->mpc_ops->mpo_init_mount_fs_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_PIPE_LABEL:
- mpc->mpc_ops->mpo_init_pipe_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_SOCKET_LABEL:
- mpc->mpc_ops->mpo_init_socket_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_SOCKET_PEER_LABEL:
- mpc->mpc_ops->mpo_init_socket_peer_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_VNODE_LABEL:
- mpc->mpc_ops->mpo_init_vnode_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_BPFDESC_LABEL:
- mpc->mpc_ops->mpo_destroy_bpfdesc_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_CRED_LABEL:
- mpc->mpc_ops->mpo_destroy_cred_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_DEVFSDIRENT_LABEL:
- mpc->mpc_ops->mpo_destroy_devfsdirent_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_IFNET_LABEL:
- mpc->mpc_ops->mpo_destroy_ifnet_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_IPQ_LABEL:
- mpc->mpc_ops->mpo_destroy_ipq_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_MBUF_LABEL:
- mpc->mpc_ops->mpo_destroy_mbuf_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_MOUNT_LABEL:
- mpc->mpc_ops->mpo_destroy_mount_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_MOUNT_FS_LABEL:
- mpc->mpc_ops->mpo_destroy_mount_fs_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_PIPE_LABEL:
- mpc->mpc_ops->mpo_destroy_pipe_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_SOCKET_LABEL:
- mpc->mpc_ops->mpo_destroy_socket_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_SOCKET_PEER_LABEL:
- mpc->mpc_ops->mpo_destroy_socket_peer_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_VNODE_LABEL:
- mpc->mpc_ops->mpo_destroy_vnode_label =
- mpe->mpe_function;
- break;
- case MAC_COPY_PIPE_LABEL:
- mpc->mpc_ops->mpo_copy_pipe_label =
- mpe->mpe_function;
- break;
- case MAC_COPY_VNODE_LABEL:
- mpc->mpc_ops->mpo_copy_vnode_label =
- mpe->mpe_function;
- break;
- case MAC_EXTERNALIZE_CRED_LABEL:
- mpc->mpc_ops->mpo_externalize_cred_label =
- mpe->mpe_function;
- break;
- case MAC_EXTERNALIZE_IFNET_LABEL:
- mpc->mpc_ops->mpo_externalize_ifnet_label =
- mpe->mpe_function;
- break;
- case MAC_EXTERNALIZE_PIPE_LABEL:
- mpc->mpc_ops->mpo_externalize_pipe_label =
- mpe->mpe_function;
- break;
- case MAC_EXTERNALIZE_SOCKET_LABEL:
- mpc->mpc_ops->mpo_externalize_socket_label =
- mpe->mpe_function;
- break;
- case MAC_EXTERNALIZE_SOCKET_PEER_LABEL:
- mpc->mpc_ops->mpo_externalize_socket_peer_label =
- mpe->mpe_function;
- break;
- case MAC_EXTERNALIZE_VNODE_LABEL:
- mpc->mpc_ops->mpo_externalize_vnode_label =
- mpe->mpe_function;
- break;
- case MAC_INTERNALIZE_CRED_LABEL:
- mpc->mpc_ops->mpo_internalize_cred_label =
- mpe->mpe_function;
- break;
- case MAC_INTERNALIZE_IFNET_LABEL:
- mpc->mpc_ops->mpo_internalize_ifnet_label =
- mpe->mpe_function;
- break;
- case MAC_INTERNALIZE_PIPE_LABEL:
- mpc->mpc_ops->mpo_internalize_pipe_label =
- mpe->mpe_function;
- break;
- case MAC_INTERNALIZE_SOCKET_LABEL:
- mpc->mpc_ops->mpo_internalize_socket_label =
- mpe->mpe_function;
- break;
- case MAC_INTERNALIZE_VNODE_LABEL:
- mpc->mpc_ops->mpo_internalize_vnode_label =
- mpe->mpe_function;
- break;
- case MAC_CREATE_DEVFS_DEVICE:
- mpc->mpc_ops->mpo_create_devfs_device =
- mpe->mpe_function;
- break;
- case MAC_CREATE_DEVFS_DIRECTORY:
- mpc->mpc_ops->mpo_create_devfs_directory =
- mpe->mpe_function;
- break;
- case MAC_CREATE_DEVFS_SYMLINK:
- mpc->mpc_ops->mpo_create_devfs_symlink =
- mpe->mpe_function;
- break;
- case MAC_CREATE_DEVFS_VNODE:
- mpc->mpc_ops->mpo_create_devfs_vnode =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MOUNT:
- mpc->mpc_ops->mpo_create_mount =
- mpe->mpe_function;
- break;
- case MAC_CREATE_ROOT_MOUNT:
- mpc->mpc_ops->mpo_create_root_mount =
- mpe->mpe_function;
- break;
- case MAC_RELABEL_VNODE:
- mpc->mpc_ops->mpo_relabel_vnode =
- mpe->mpe_function;
- break;
- case MAC_UPDATE_DEVFSDIRENT:
- mpc->mpc_ops->mpo_update_devfsdirent =
- mpe->mpe_function;
- break;
- case MAC_ASSOCIATE_VNODE_DEVFS:
- mpc->mpc_ops->mpo_associate_vnode_devfs =
- mpe->mpe_function;
- break;
- case MAC_ASSOCIATE_VNODE_EXTATTR:
- mpc->mpc_ops->mpo_associate_vnode_extattr =
- mpe->mpe_function;
- break;
- case MAC_ASSOCIATE_VNODE_SINGLELABEL:
- mpc->mpc_ops->mpo_associate_vnode_singlelabel =
- mpe->mpe_function;
- break;
- case MAC_CREATE_VNODE_EXTATTR:
- mpc->mpc_ops->mpo_create_vnode_extattr =
- mpe->mpe_function;
- break;
- case MAC_SETLABEL_VNODE_EXTATTR:
- mpc->mpc_ops->mpo_setlabel_vnode_extattr =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MBUF_FROM_SOCKET:
- mpc->mpc_ops->mpo_create_mbuf_from_socket =
- mpe->mpe_function;
- break;
- case MAC_CREATE_PIPE:
- mpc->mpc_ops->mpo_create_pipe =
- mpe->mpe_function;
- break;
- case MAC_CREATE_SOCKET:
- mpc->mpc_ops->mpo_create_socket =
- mpe->mpe_function;
- break;
- case MAC_CREATE_SOCKET_FROM_SOCKET:
- mpc->mpc_ops->mpo_create_socket_from_socket =
- mpe->mpe_function;
- break;
- case MAC_RELABEL_PIPE:
- mpc->mpc_ops->mpo_relabel_pipe =
- mpe->mpe_function;
- break;
- case MAC_RELABEL_SOCKET:
- mpc->mpc_ops->mpo_relabel_socket =
- mpe->mpe_function;
- break;
- case MAC_SET_SOCKET_PEER_FROM_MBUF:
- mpc->mpc_ops->mpo_set_socket_peer_from_mbuf =
- mpe->mpe_function;
- break;
- case MAC_SET_SOCKET_PEER_FROM_SOCKET:
- mpc->mpc_ops->mpo_set_socket_peer_from_socket =
- mpe->mpe_function;
- break;
- case MAC_CREATE_BPFDESC:
- mpc->mpc_ops->mpo_create_bpfdesc =
- mpe->mpe_function;
- break;
- case MAC_CREATE_DATAGRAM_FROM_IPQ:
- mpc->mpc_ops->mpo_create_datagram_from_ipq =
- mpe->mpe_function;
- break;
- case MAC_CREATE_FRAGMENT:
- mpc->mpc_ops->mpo_create_fragment =
- mpe->mpe_function;
- break;
- case MAC_CREATE_IFNET:
- mpc->mpc_ops->mpo_create_ifnet =
- mpe->mpe_function;
- break;
- case MAC_CREATE_IPQ:
- mpc->mpc_ops->mpo_create_ipq =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MBUF_FROM_MBUF:
- mpc->mpc_ops->mpo_create_mbuf_from_mbuf =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MBUF_LINKLAYER:
- mpc->mpc_ops->mpo_create_mbuf_linklayer =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MBUF_FROM_BPFDESC:
- mpc->mpc_ops->mpo_create_mbuf_from_bpfdesc =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MBUF_FROM_IFNET:
- mpc->mpc_ops->mpo_create_mbuf_from_ifnet =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MBUF_MULTICAST_ENCAP:
- mpc->mpc_ops->mpo_create_mbuf_multicast_encap =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MBUF_NETLAYER:
- mpc->mpc_ops->mpo_create_mbuf_netlayer =
- mpe->mpe_function;
- break;
- case MAC_FRAGMENT_MATCH:
- mpc->mpc_ops->mpo_fragment_match =
- mpe->mpe_function;
- break;
- case MAC_RELABEL_IFNET:
- mpc->mpc_ops->mpo_relabel_ifnet =
- mpe->mpe_function;
- break;
- case MAC_UPDATE_IPQ:
- mpc->mpc_ops->mpo_update_ipq =
- mpe->mpe_function;
- break;
- case MAC_CREATE_CRED:
- mpc->mpc_ops->mpo_create_cred =
- mpe->mpe_function;
- break;
- case MAC_EXECVE_TRANSITION:
- mpc->mpc_ops->mpo_execve_transition =
- mpe->mpe_function;
- break;
- case MAC_EXECVE_WILL_TRANSITION:
- mpc->mpc_ops->mpo_execve_will_transition =
- mpe->mpe_function;
- break;
- case MAC_CREATE_PROC0:
- mpc->mpc_ops->mpo_create_proc0 =
- mpe->mpe_function;
- break;
- case MAC_CREATE_PROC1:
- mpc->mpc_ops->mpo_create_proc1 =
- mpe->mpe_function;
- break;
- case MAC_RELABEL_CRED:
- mpc->mpc_ops->mpo_relabel_cred =
- mpe->mpe_function;
- break;
- case MAC_THREAD_USERRET:
- mpc->mpc_ops->mpo_thread_userret =
- mpe->mpe_function;
- break;
- case MAC_CHECK_BPFDESC_RECEIVE:
- mpc->mpc_ops->mpo_check_bpfdesc_receive =
- mpe->mpe_function;
- break;
- case MAC_CHECK_CRED_RELABEL:
- mpc->mpc_ops->mpo_check_cred_relabel =
- mpe->mpe_function;
- break;
- case MAC_CHECK_CRED_VISIBLE:
- mpc->mpc_ops->mpo_check_cred_visible =
- mpe->mpe_function;
- break;
- case MAC_CHECK_IFNET_RELABEL:
- mpc->mpc_ops->mpo_check_ifnet_relabel =
- mpe->mpe_function;
- break;
- case MAC_CHECK_IFNET_TRANSMIT:
- mpc->mpc_ops->mpo_check_ifnet_transmit =
- mpe->mpe_function;
- break;
- case MAC_CHECK_MOUNT_STAT:
- mpc->mpc_ops->mpo_check_mount_stat =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PIPE_IOCTL:
- mpc->mpc_ops->mpo_check_pipe_ioctl =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PIPE_POLL:
- mpc->mpc_ops->mpo_check_pipe_poll =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PIPE_READ:
- mpc->mpc_ops->mpo_check_pipe_read =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PIPE_RELABEL:
- mpc->mpc_ops->mpo_check_pipe_relabel =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PIPE_STAT:
- mpc->mpc_ops->mpo_check_pipe_stat =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PIPE_WRITE:
- mpc->mpc_ops->mpo_check_pipe_write =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PROC_DEBUG:
- mpc->mpc_ops->mpo_check_proc_debug =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PROC_SCHED:
- mpc->mpc_ops->mpo_check_proc_sched =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PROC_SIGNAL:
- mpc->mpc_ops->mpo_check_proc_signal =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_BIND:
- mpc->mpc_ops->mpo_check_socket_bind =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_CONNECT:
- mpc->mpc_ops->mpo_check_socket_connect =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_DELIVER:
- mpc->mpc_ops->mpo_check_socket_deliver =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_LISTEN:
- mpc->mpc_ops->mpo_check_socket_listen =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_RECEIVE:
- mpc->mpc_ops->mpo_check_socket_receive =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_RELABEL:
- mpc->mpc_ops->mpo_check_socket_relabel =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_SEND:
- mpc->mpc_ops->mpo_check_socket_send =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_VISIBLE:
- mpc->mpc_ops->mpo_check_socket_visible =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SYSTEM_REBOOT:
- mpc->mpc_ops->mpo_check_system_reboot =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SYSTEM_SWAPON:
- mpc->mpc_ops->mpo_check_system_swapon =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SYSTEM_SYSCTL:
- mpc->mpc_ops->mpo_check_system_sysctl =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_ACCESS:
- mpc->mpc_ops->mpo_check_vnode_access =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_CHDIR:
- mpc->mpc_ops->mpo_check_vnode_chdir =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_CHROOT:
- mpc->mpc_ops->mpo_check_vnode_chroot =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_CREATE:
- mpc->mpc_ops->mpo_check_vnode_create =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_DELETE:
- mpc->mpc_ops->mpo_check_vnode_delete =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_DELETEACL:
- mpc->mpc_ops->mpo_check_vnode_deleteacl =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_EXEC:
- mpc->mpc_ops->mpo_check_vnode_exec =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_GETACL:
- mpc->mpc_ops->mpo_check_vnode_getacl =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_GETEXTATTR:
- mpc->mpc_ops->mpo_check_vnode_getextattr =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_LINK:
- mpc->mpc_ops->mpo_check_vnode_link =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_LOOKUP:
- mpc->mpc_ops->mpo_check_vnode_lookup =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_MMAP:
- mpc->mpc_ops->mpo_check_vnode_mmap =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_MMAP_DOWNGRADE:
- mpc->mpc_ops->mpo_check_vnode_mmap_downgrade =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_MPROTECT:
- mpc->mpc_ops->mpo_check_vnode_mprotect =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_OPEN:
- mpc->mpc_ops->mpo_check_vnode_open =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_POLL:
- mpc->mpc_ops->mpo_check_vnode_poll =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_READ:
- mpc->mpc_ops->mpo_check_vnode_read =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_READDIR:
- mpc->mpc_ops->mpo_check_vnode_readdir =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_READLINK:
- mpc->mpc_ops->mpo_check_vnode_readlink =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_RELABEL:
- mpc->mpc_ops->mpo_check_vnode_relabel =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_RENAME_FROM:
- mpc->mpc_ops->mpo_check_vnode_rename_from =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_RENAME_TO:
- mpc->mpc_ops->mpo_check_vnode_rename_to =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_REVOKE:
- mpc->mpc_ops->mpo_check_vnode_revoke =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_SETACL:
- mpc->mpc_ops->mpo_check_vnode_setacl =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_SETEXTATTR:
- mpc->mpc_ops->mpo_check_vnode_setextattr =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_SETFLAGS:
- mpc->mpc_ops->mpo_check_vnode_setflags =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_SETMODE:
- mpc->mpc_ops->mpo_check_vnode_setmode =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_SETOWNER:
- mpc->mpc_ops->mpo_check_vnode_setowner =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_SETUTIMES:
- mpc->mpc_ops->mpo_check_vnode_setutimes =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_STAT:
- mpc->mpc_ops->mpo_check_vnode_stat =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_WRITE:
- mpc->mpc_ops->mpo_check_vnode_write =
- mpe->mpe_function;
- break;
-/*
- default:
- printf("MAC policy `%s': unknown operation %d\n",
- mpc->mpc_name, mpe->mpe_constant);
- return (EINVAL);
-*/
- }
- }
MAC_POLICY_LIST_LOCK();
if (mac_policy_list_busy > 0) {
MAC_POLICY_LIST_UNLOCK();
- FREE(mpc->mpc_ops, M_MACOPVEC);
- mpc->mpc_ops = NULL;
return (EBUSY);
}
LIST_FOREACH(tmpc, &mac_policy_list, mpc_list) {
if (strcmp(tmpc->mpc_name, mpc->mpc_name) == 0) {
MAC_POLICY_LIST_UNLOCK();
- FREE(mpc->mpc_ops, M_MACOPVEC);
- mpc->mpc_ops = NULL;
return (EEXIST);
}
}
@@ -1067,8 +488,6 @@ mac_policy_register(struct mac_policy_conf *mpc)
slot = ffs(mac_policy_offsets_free);
if (slot == 0) {
MAC_POLICY_LIST_UNLOCK();
- FREE(mpc->mpc_ops, M_MACOPVEC);
- mpc->mpc_ops = NULL;
return (ENOMEM);
}
slot--;
@@ -1135,8 +554,6 @@ mac_policy_unregister(struct mac_policy_conf *mpc)
LIST_REMOVE(mpc, mpc_list);
MAC_POLICY_LIST_UNLOCK();
- FREE(mpc->mpc_ops, M_MACOPVEC);
- mpc->mpc_ops = NULL;
mpc->mpc_runtime_flags &= ~MPC_RUNTIME_FLAG_REGISTERED;
printf("Security policy unload: %s (%s)\n", mpc->mpc_fullname,
diff --git a/sys/security/mac/mac_net.c b/sys/security/mac/mac_net.c
index 5c3da06b452b..4882c0f46d2c 100644
--- a/sys/security/mac/mac_net.c
+++ b/sys/security/mac/mac_net.c
@@ -471,595 +471,16 @@ static int
mac_policy_register(struct mac_policy_conf *mpc)
{
struct mac_policy_conf *tmpc;
- struct mac_policy_op_entry *mpe;
int slot;
- MALLOC(mpc->mpc_ops, struct mac_policy_ops *, sizeof(*mpc->mpc_ops),
- M_MACOPVEC, M_WAITOK | M_ZERO);
- for (mpe = mpc->mpc_entries; mpe->mpe_constant != MAC_OP_LAST; mpe++) {
- switch (mpe->mpe_constant) {
- case MAC_OP_LAST:
- /*
- * Doesn't actually happen, but this allows checking
- * that all enumerated values are handled.
- */
- break;
- case MAC_DESTROY:
- mpc->mpc_ops->mpo_destroy =
- mpe->mpe_function;
- break;
- case MAC_INIT:
- mpc->mpc_ops->mpo_init =
- mpe->mpe_function;
- break;
- case MAC_SYSCALL:
- mpc->mpc_ops->mpo_syscall =
- mpe->mpe_function;
- break;
- case MAC_INIT_BPFDESC_LABEL:
- mpc->mpc_ops->mpo_init_bpfdesc_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_CRED_LABEL:
- mpc->mpc_ops->mpo_init_cred_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_DEVFSDIRENT_LABEL:
- mpc->mpc_ops->mpo_init_devfsdirent_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_IFNET_LABEL:
- mpc->mpc_ops->mpo_init_ifnet_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_IPQ_LABEL:
- mpc->mpc_ops->mpo_init_ipq_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_MBUF_LABEL:
- mpc->mpc_ops->mpo_init_mbuf_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_MOUNT_LABEL:
- mpc->mpc_ops->mpo_init_mount_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_MOUNT_FS_LABEL:
- mpc->mpc_ops->mpo_init_mount_fs_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_PIPE_LABEL:
- mpc->mpc_ops->mpo_init_pipe_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_SOCKET_LABEL:
- mpc->mpc_ops->mpo_init_socket_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_SOCKET_PEER_LABEL:
- mpc->mpc_ops->mpo_init_socket_peer_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_VNODE_LABEL:
- mpc->mpc_ops->mpo_init_vnode_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_BPFDESC_LABEL:
- mpc->mpc_ops->mpo_destroy_bpfdesc_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_CRED_LABEL:
- mpc->mpc_ops->mpo_destroy_cred_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_DEVFSDIRENT_LABEL:
- mpc->mpc_ops->mpo_destroy_devfsdirent_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_IFNET_LABEL:
- mpc->mpc_ops->mpo_destroy_ifnet_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_IPQ_LABEL:
- mpc->mpc_ops->mpo_destroy_ipq_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_MBUF_LABEL:
- mpc->mpc_ops->mpo_destroy_mbuf_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_MOUNT_LABEL:
- mpc->mpc_ops->mpo_destroy_mount_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_MOUNT_FS_LABEL:
- mpc->mpc_ops->mpo_destroy_mount_fs_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_PIPE_LABEL:
- mpc->mpc_ops->mpo_destroy_pipe_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_SOCKET_LABEL:
- mpc->mpc_ops->mpo_destroy_socket_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_SOCKET_PEER_LABEL:
- mpc->mpc_ops->mpo_destroy_socket_peer_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_VNODE_LABEL:
- mpc->mpc_ops->mpo_destroy_vnode_label =
- mpe->mpe_function;
- break;
- case MAC_COPY_PIPE_LABEL:
- mpc->mpc_ops->mpo_copy_pipe_label =
- mpe->mpe_function;
- break;
- case MAC_COPY_VNODE_LABEL:
- mpc->mpc_ops->mpo_copy_vnode_label =
- mpe->mpe_function;
- break;
- case MAC_EXTERNALIZE_CRED_LABEL:
- mpc->mpc_ops->mpo_externalize_cred_label =
- mpe->mpe_function;
- break;
- case MAC_EXTERNALIZE_IFNET_LABEL:
- mpc->mpc_ops->mpo_externalize_ifnet_label =
- mpe->mpe_function;
- break;
- case MAC_EXTERNALIZE_PIPE_LABEL:
- mpc->mpc_ops->mpo_externalize_pipe_label =
- mpe->mpe_function;
- break;
- case MAC_EXTERNALIZE_SOCKET_LABEL:
- mpc->mpc_ops->mpo_externalize_socket_label =
- mpe->mpe_function;
- break;
- case MAC_EXTERNALIZE_SOCKET_PEER_LABEL:
- mpc->mpc_ops->mpo_externalize_socket_peer_label =
- mpe->mpe_function;
- break;
- case MAC_EXTERNALIZE_VNODE_LABEL:
- mpc->mpc_ops->mpo_externalize_vnode_label =
- mpe->mpe_function;
- break;
- case MAC_INTERNALIZE_CRED_LABEL:
- mpc->mpc_ops->mpo_internalize_cred_label =
- mpe->mpe_function;
- break;
- case MAC_INTERNALIZE_IFNET_LABEL:
- mpc->mpc_ops->mpo_internalize_ifnet_label =
- mpe->mpe_function;
- break;
- case MAC_INTERNALIZE_PIPE_LABEL:
- mpc->mpc_ops->mpo_internalize_pipe_label =
- mpe->mpe_function;
- break;
- case MAC_INTERNALIZE_SOCKET_LABEL:
- mpc->mpc_ops->mpo_internalize_socket_label =
- mpe->mpe_function;
- break;
- case MAC_INTERNALIZE_VNODE_LABEL:
- mpc->mpc_ops->mpo_internalize_vnode_label =
- mpe->mpe_function;
- break;
- case MAC_CREATE_DEVFS_DEVICE:
- mpc->mpc_ops->mpo_create_devfs_device =
- mpe->mpe_function;
- break;
- case MAC_CREATE_DEVFS_DIRECTORY:
- mpc->mpc_ops->mpo_create_devfs_directory =
- mpe->mpe_function;
- break;
- case MAC_CREATE_DEVFS_SYMLINK:
- mpc->mpc_ops->mpo_create_devfs_symlink =
- mpe->mpe_function;
- break;
- case MAC_CREATE_DEVFS_VNODE:
- mpc->mpc_ops->mpo_create_devfs_vnode =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MOUNT:
- mpc->mpc_ops->mpo_create_mount =
- mpe->mpe_function;
- break;
- case MAC_CREATE_ROOT_MOUNT:
- mpc->mpc_ops->mpo_create_root_mount =
- mpe->mpe_function;
- break;
- case MAC_RELABEL_VNODE:
- mpc->mpc_ops->mpo_relabel_vnode =
- mpe->mpe_function;
- break;
- case MAC_UPDATE_DEVFSDIRENT:
- mpc->mpc_ops->mpo_update_devfsdirent =
- mpe->mpe_function;
- break;
- case MAC_ASSOCIATE_VNODE_DEVFS:
- mpc->mpc_ops->mpo_associate_vnode_devfs =
- mpe->mpe_function;
- break;
- case MAC_ASSOCIATE_VNODE_EXTATTR:
- mpc->mpc_ops->mpo_associate_vnode_extattr =
- mpe->mpe_function;
- break;
- case MAC_ASSOCIATE_VNODE_SINGLELABEL:
- mpc->mpc_ops->mpo_associate_vnode_singlelabel =
- mpe->mpe_function;
- break;
- case MAC_CREATE_VNODE_EXTATTR:
- mpc->mpc_ops->mpo_create_vnode_extattr =
- mpe->mpe_function;
- break;
- case MAC_SETLABEL_VNODE_EXTATTR:
- mpc->mpc_ops->mpo_setlabel_vnode_extattr =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MBUF_FROM_SOCKET:
- mpc->mpc_ops->mpo_create_mbuf_from_socket =
- mpe->mpe_function;
- break;
- case MAC_CREATE_PIPE:
- mpc->mpc_ops->mpo_create_pipe =
- mpe->mpe_function;
- break;
- case MAC_CREATE_SOCKET:
- mpc->mpc_ops->mpo_create_socket =
- mpe->mpe_function;
- break;
- case MAC_CREATE_SOCKET_FROM_SOCKET:
- mpc->mpc_ops->mpo_create_socket_from_socket =
- mpe->mpe_function;
- break;
- case MAC_RELABEL_PIPE:
- mpc->mpc_ops->mpo_relabel_pipe =
- mpe->mpe_function;
- break;
- case MAC_RELABEL_SOCKET:
- mpc->mpc_ops->mpo_relabel_socket =
- mpe->mpe_function;
- break;
- case MAC_SET_SOCKET_PEER_FROM_MBUF:
- mpc->mpc_ops->mpo_set_socket_peer_from_mbuf =
- mpe->mpe_function;
- break;
- case MAC_SET_SOCKET_PEER_FROM_SOCKET:
- mpc->mpc_ops->mpo_set_socket_peer_from_socket =
- mpe->mpe_function;
- break;
- case MAC_CREATE_BPFDESC:
- mpc->mpc_ops->mpo_create_bpfdesc =
- mpe->mpe_function;
- break;
- case MAC_CREATE_DATAGRAM_FROM_IPQ:
- mpc->mpc_ops->mpo_create_datagram_from_ipq =
- mpe->mpe_function;
- break;
- case MAC_CREATE_FRAGMENT:
- mpc->mpc_ops->mpo_create_fragment =
- mpe->mpe_function;
- break;
- case MAC_CREATE_IFNET:
- mpc->mpc_ops->mpo_create_ifnet =
- mpe->mpe_function;
- break;
- case MAC_CREATE_IPQ:
- mpc->mpc_ops->mpo_create_ipq =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MBUF_FROM_MBUF:
- mpc->mpc_ops->mpo_create_mbuf_from_mbuf =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MBUF_LINKLAYER:
- mpc->mpc_ops->mpo_create_mbuf_linklayer =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MBUF_FROM_BPFDESC:
- mpc->mpc_ops->mpo_create_mbuf_from_bpfdesc =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MBUF_FROM_IFNET:
- mpc->mpc_ops->mpo_create_mbuf_from_ifnet =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MBUF_MULTICAST_ENCAP:
- mpc->mpc_ops->mpo_create_mbuf_multicast_encap =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MBUF_NETLAYER:
- mpc->mpc_ops->mpo_create_mbuf_netlayer =
- mpe->mpe_function;
- break;
- case MAC_FRAGMENT_MATCH:
- mpc->mpc_ops->mpo_fragment_match =
- mpe->mpe_function;
- break;
- case MAC_RELABEL_IFNET:
- mpc->mpc_ops->mpo_relabel_ifnet =
- mpe->mpe_function;
- break;
- case MAC_UPDATE_IPQ:
- mpc->mpc_ops->mpo_update_ipq =
- mpe->mpe_function;
- break;
- case MAC_CREATE_CRED:
- mpc->mpc_ops->mpo_create_cred =
- mpe->mpe_function;
- break;
- case MAC_EXECVE_TRANSITION:
- mpc->mpc_ops->mpo_execve_transition =
- mpe->mpe_function;
- break;
- case MAC_EXECVE_WILL_TRANSITION:
- mpc->mpc_ops->mpo_execve_will_transition =
- mpe->mpe_function;
- break;
- case MAC_CREATE_PROC0:
- mpc->mpc_ops->mpo_create_proc0 =
- mpe->mpe_function;
- break;
- case MAC_CREATE_PROC1:
- mpc->mpc_ops->mpo_create_proc1 =
- mpe->mpe_function;
- break;
- case MAC_RELABEL_CRED:
- mpc->mpc_ops->mpo_relabel_cred =
- mpe->mpe_function;
- break;
- case MAC_THREAD_USERRET:
- mpc->mpc_ops->mpo_thread_userret =
- mpe->mpe_function;
- break;
- case MAC_CHECK_BPFDESC_RECEIVE:
- mpc->mpc_ops->mpo_check_bpfdesc_receive =
- mpe->mpe_function;
- break;
- case MAC_CHECK_CRED_RELABEL:
- mpc->mpc_ops->mpo_check_cred_relabel =
- mpe->mpe_function;
- break;
- case MAC_CHECK_CRED_VISIBLE:
- mpc->mpc_ops->mpo_check_cred_visible =
- mpe->mpe_function;
- break;
- case MAC_CHECK_IFNET_RELABEL:
- mpc->mpc_ops->mpo_check_ifnet_relabel =
- mpe->mpe_function;
- break;
- case MAC_CHECK_IFNET_TRANSMIT:
- mpc->mpc_ops->mpo_check_ifnet_transmit =
- mpe->mpe_function;
- break;
- case MAC_CHECK_MOUNT_STAT:
- mpc->mpc_ops->mpo_check_mount_stat =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PIPE_IOCTL:
- mpc->mpc_ops->mpo_check_pipe_ioctl =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PIPE_POLL:
- mpc->mpc_ops->mpo_check_pipe_poll =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PIPE_READ:
- mpc->mpc_ops->mpo_check_pipe_read =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PIPE_RELABEL:
- mpc->mpc_ops->mpo_check_pipe_relabel =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PIPE_STAT:
- mpc->mpc_ops->mpo_check_pipe_stat =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PIPE_WRITE:
- mpc->mpc_ops->mpo_check_pipe_write =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PROC_DEBUG:
- mpc->mpc_ops->mpo_check_proc_debug =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PROC_SCHED:
- mpc->mpc_ops->mpo_check_proc_sched =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PROC_SIGNAL:
- mpc->mpc_ops->mpo_check_proc_signal =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_BIND:
- mpc->mpc_ops->mpo_check_socket_bind =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_CONNECT:
- mpc->mpc_ops->mpo_check_socket_connect =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_DELIVER:
- mpc->mpc_ops->mpo_check_socket_deliver =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_LISTEN:
- mpc->mpc_ops->mpo_check_socket_listen =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_RECEIVE:
- mpc->mpc_ops->mpo_check_socket_receive =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_RELABEL:
- mpc->mpc_ops->mpo_check_socket_relabel =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_SEND:
- mpc->mpc_ops->mpo_check_socket_send =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_VISIBLE:
- mpc->mpc_ops->mpo_check_socket_visible =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SYSTEM_REBOOT:
- mpc->mpc_ops->mpo_check_system_reboot =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SYSTEM_SWAPON:
- mpc->mpc_ops->mpo_check_system_swapon =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SYSTEM_SYSCTL:
- mpc->mpc_ops->mpo_check_system_sysctl =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_ACCESS:
- mpc->mpc_ops->mpo_check_vnode_access =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_CHDIR:
- mpc->mpc_ops->mpo_check_vnode_chdir =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_CHROOT:
- mpc->mpc_ops->mpo_check_vnode_chroot =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_CREATE:
- mpc->mpc_ops->mpo_check_vnode_create =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_DELETE:
- mpc->mpc_ops->mpo_check_vnode_delete =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_DELETEACL:
- mpc->mpc_ops->mpo_check_vnode_deleteacl =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_EXEC:
- mpc->mpc_ops->mpo_check_vnode_exec =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_GETACL:
- mpc->mpc_ops->mpo_check_vnode_getacl =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_GETEXTATTR:
- mpc->mpc_ops->mpo_check_vnode_getextattr =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_LINK:
- mpc->mpc_ops->mpo_check_vnode_link =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_LOOKUP:
- mpc->mpc_ops->mpo_check_vnode_lookup =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_MMAP:
- mpc->mpc_ops->mpo_check_vnode_mmap =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_MMAP_DOWNGRADE:
- mpc->mpc_ops->mpo_check_vnode_mmap_downgrade =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_MPROTECT:
- mpc->mpc_ops->mpo_check_vnode_mprotect =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_OPEN:
- mpc->mpc_ops->mpo_check_vnode_open =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_POLL:
- mpc->mpc_ops->mpo_check_vnode_poll =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_READ:
- mpc->mpc_ops->mpo_check_vnode_read =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_READDIR:
- mpc->mpc_ops->mpo_check_vnode_readdir =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_READLINK:
- mpc->mpc_ops->mpo_check_vnode_readlink =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_RELABEL:
- mpc->mpc_ops->mpo_check_vnode_relabel =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_RENAME_FROM:
- mpc->mpc_ops->mpo_check_vnode_rename_from =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_RENAME_TO:
- mpc->mpc_ops->mpo_check_vnode_rename_to =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_REVOKE:
- mpc->mpc_ops->mpo_check_vnode_revoke =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_SETACL:
- mpc->mpc_ops->mpo_check_vnode_setacl =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_SETEXTATTR:
- mpc->mpc_ops->mpo_check_vnode_setextattr =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_SETFLAGS:
- mpc->mpc_ops->mpo_check_vnode_setflags =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_SETMODE:
- mpc->mpc_ops->mpo_check_vnode_setmode =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_SETOWNER:
- mpc->mpc_ops->mpo_check_vnode_setowner =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_SETUTIMES:
- mpc->mpc_ops->mpo_check_vnode_setutimes =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_STAT:
- mpc->mpc_ops->mpo_check_vnode_stat =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_WRITE:
- mpc->mpc_ops->mpo_check_vnode_write =
- mpe->mpe_function;
- break;
-/*
- default:
- printf("MAC policy `%s': unknown operation %d\n",
- mpc->mpc_name, mpe->mpe_constant);
- return (EINVAL);
-*/
- }
- }
MAC_POLICY_LIST_LOCK();
if (mac_policy_list_busy > 0) {
MAC_POLICY_LIST_UNLOCK();
- FREE(mpc->mpc_ops, M_MACOPVEC);
- mpc->mpc_ops = NULL;
return (EBUSY);
}
LIST_FOREACH(tmpc, &mac_policy_list, mpc_list) {
if (strcmp(tmpc->mpc_name, mpc->mpc_name) == 0) {
MAC_POLICY_LIST_UNLOCK();
- FREE(mpc->mpc_ops, M_MACOPVEC);
- mpc->mpc_ops = NULL;
return (EEXIST);
}
}
@@ -1067,8 +488,6 @@ mac_policy_register(struct mac_policy_conf *mpc)
slot = ffs(mac_policy_offsets_free);
if (slot == 0) {
MAC_POLICY_LIST_UNLOCK();
- FREE(mpc->mpc_ops, M_MACOPVEC);
- mpc->mpc_ops = NULL;
return (ENOMEM);
}
slot--;
@@ -1135,8 +554,6 @@ mac_policy_unregister(struct mac_policy_conf *mpc)
LIST_REMOVE(mpc, mpc_list);
MAC_POLICY_LIST_UNLOCK();
- FREE(mpc->mpc_ops, M_MACOPVEC);
- mpc->mpc_ops = NULL;
mpc->mpc_runtime_flags &= ~MPC_RUNTIME_FLAG_REGISTERED;
printf("Security policy unload: %s (%s)\n", mpc->mpc_fullname,
diff --git a/sys/security/mac/mac_pipe.c b/sys/security/mac/mac_pipe.c
index 5c3da06b452b..4882c0f46d2c 100644
--- a/sys/security/mac/mac_pipe.c
+++ b/sys/security/mac/mac_pipe.c
@@ -471,595 +471,16 @@ static int
mac_policy_register(struct mac_policy_conf *mpc)
{
struct mac_policy_conf *tmpc;
- struct mac_policy_op_entry *mpe;
int slot;
- MALLOC(mpc->mpc_ops, struct mac_policy_ops *, sizeof(*mpc->mpc_ops),
- M_MACOPVEC, M_WAITOK | M_ZERO);
- for (mpe = mpc->mpc_entries; mpe->mpe_constant != MAC_OP_LAST; mpe++) {
- switch (mpe->mpe_constant) {
- case MAC_OP_LAST:
- /*
- * Doesn't actually happen, but this allows checking
- * that all enumerated values are handled.
- */
- break;
- case MAC_DESTROY:
- mpc->mpc_ops->mpo_destroy =
- mpe->mpe_function;
- break;
- case MAC_INIT:
- mpc->mpc_ops->mpo_init =
- mpe->mpe_function;
- break;
- case MAC_SYSCALL:
- mpc->mpc_ops->mpo_syscall =
- mpe->mpe_function;
- break;
- case MAC_INIT_BPFDESC_LABEL:
- mpc->mpc_ops->mpo_init_bpfdesc_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_CRED_LABEL:
- mpc->mpc_ops->mpo_init_cred_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_DEVFSDIRENT_LABEL:
- mpc->mpc_ops->mpo_init_devfsdirent_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_IFNET_LABEL:
- mpc->mpc_ops->mpo_init_ifnet_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_IPQ_LABEL:
- mpc->mpc_ops->mpo_init_ipq_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_MBUF_LABEL:
- mpc->mpc_ops->mpo_init_mbuf_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_MOUNT_LABEL:
- mpc->mpc_ops->mpo_init_mount_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_MOUNT_FS_LABEL:
- mpc->mpc_ops->mpo_init_mount_fs_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_PIPE_LABEL:
- mpc->mpc_ops->mpo_init_pipe_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_SOCKET_LABEL:
- mpc->mpc_ops->mpo_init_socket_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_SOCKET_PEER_LABEL:
- mpc->mpc_ops->mpo_init_socket_peer_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_VNODE_LABEL:
- mpc->mpc_ops->mpo_init_vnode_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_BPFDESC_LABEL:
- mpc->mpc_ops->mpo_destroy_bpfdesc_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_CRED_LABEL:
- mpc->mpc_ops->mpo_destroy_cred_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_DEVFSDIRENT_LABEL:
- mpc->mpc_ops->mpo_destroy_devfsdirent_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_IFNET_LABEL:
- mpc->mpc_ops->mpo_destroy_ifnet_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_IPQ_LABEL:
- mpc->mpc_ops->mpo_destroy_ipq_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_MBUF_LABEL:
- mpc->mpc_ops->mpo_destroy_mbuf_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_MOUNT_LABEL:
- mpc->mpc_ops->mpo_destroy_mount_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_MOUNT_FS_LABEL:
- mpc->mpc_ops->mpo_destroy_mount_fs_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_PIPE_LABEL:
- mpc->mpc_ops->mpo_destroy_pipe_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_SOCKET_LABEL:
- mpc->mpc_ops->mpo_destroy_socket_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_SOCKET_PEER_LABEL:
- mpc->mpc_ops->mpo_destroy_socket_peer_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_VNODE_LABEL:
- mpc->mpc_ops->mpo_destroy_vnode_label =
- mpe->mpe_function;
- break;
- case MAC_COPY_PIPE_LABEL:
- mpc->mpc_ops->mpo_copy_pipe_label =
- mpe->mpe_function;
- break;
- case MAC_COPY_VNODE_LABEL:
- mpc->mpc_ops->mpo_copy_vnode_label =
- mpe->mpe_function;
- break;
- case MAC_EXTERNALIZE_CRED_LABEL:
- mpc->mpc_ops->mpo_externalize_cred_label =
- mpe->mpe_function;
- break;
- case MAC_EXTERNALIZE_IFNET_LABEL:
- mpc->mpc_ops->mpo_externalize_ifnet_label =
- mpe->mpe_function;
- break;
- case MAC_EXTERNALIZE_PIPE_LABEL:
- mpc->mpc_ops->mpo_externalize_pipe_label =
- mpe->mpe_function;
- break;
- case MAC_EXTERNALIZE_SOCKET_LABEL:
- mpc->mpc_ops->mpo_externalize_socket_label =
- mpe->mpe_function;
- break;
- case MAC_EXTERNALIZE_SOCKET_PEER_LABEL:
- mpc->mpc_ops->mpo_externalize_socket_peer_label =
- mpe->mpe_function;
- break;
- case MAC_EXTERNALIZE_VNODE_LABEL:
- mpc->mpc_ops->mpo_externalize_vnode_label =
- mpe->mpe_function;
- break;
- case MAC_INTERNALIZE_CRED_LABEL:
- mpc->mpc_ops->mpo_internalize_cred_label =
- mpe->mpe_function;
- break;
- case MAC_INTERNALIZE_IFNET_LABEL:
- mpc->mpc_ops->mpo_internalize_ifnet_label =
- mpe->mpe_function;
- break;
- case MAC_INTERNALIZE_PIPE_LABEL:
- mpc->mpc_ops->mpo_internalize_pipe_label =
- mpe->mpe_function;
- break;
- case MAC_INTERNALIZE_SOCKET_LABEL:
- mpc->mpc_ops->mpo_internalize_socket_label =
- mpe->mpe_function;
- break;
- case MAC_INTERNALIZE_VNODE_LABEL:
- mpc->mpc_ops->mpo_internalize_vnode_label =
- mpe->mpe_function;
- break;
- case MAC_CREATE_DEVFS_DEVICE:
- mpc->mpc_ops->mpo_create_devfs_device =
- mpe->mpe_function;
- break;
- case MAC_CREATE_DEVFS_DIRECTORY:
- mpc->mpc_ops->mpo_create_devfs_directory =
- mpe->mpe_function;
- break;
- case MAC_CREATE_DEVFS_SYMLINK:
- mpc->mpc_ops->mpo_create_devfs_symlink =
- mpe->mpe_function;
- break;
- case MAC_CREATE_DEVFS_VNODE:
- mpc->mpc_ops->mpo_create_devfs_vnode =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MOUNT:
- mpc->mpc_ops->mpo_create_mount =
- mpe->mpe_function;
- break;
- case MAC_CREATE_ROOT_MOUNT:
- mpc->mpc_ops->mpo_create_root_mount =
- mpe->mpe_function;
- break;
- case MAC_RELABEL_VNODE:
- mpc->mpc_ops->mpo_relabel_vnode =
- mpe->mpe_function;
- break;
- case MAC_UPDATE_DEVFSDIRENT:
- mpc->mpc_ops->mpo_update_devfsdirent =
- mpe->mpe_function;
- break;
- case MAC_ASSOCIATE_VNODE_DEVFS:
- mpc->mpc_ops->mpo_associate_vnode_devfs =
- mpe->mpe_function;
- break;
- case MAC_ASSOCIATE_VNODE_EXTATTR:
- mpc->mpc_ops->mpo_associate_vnode_extattr =
- mpe->mpe_function;
- break;
- case MAC_ASSOCIATE_VNODE_SINGLELABEL:
- mpc->mpc_ops->mpo_associate_vnode_singlelabel =
- mpe->mpe_function;
- break;
- case MAC_CREATE_VNODE_EXTATTR:
- mpc->mpc_ops->mpo_create_vnode_extattr =
- mpe->mpe_function;
- break;
- case MAC_SETLABEL_VNODE_EXTATTR:
- mpc->mpc_ops->mpo_setlabel_vnode_extattr =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MBUF_FROM_SOCKET:
- mpc->mpc_ops->mpo_create_mbuf_from_socket =
- mpe->mpe_function;
- break;
- case MAC_CREATE_PIPE:
- mpc->mpc_ops->mpo_create_pipe =
- mpe->mpe_function;
- break;
- case MAC_CREATE_SOCKET:
- mpc->mpc_ops->mpo_create_socket =
- mpe->mpe_function;
- break;
- case MAC_CREATE_SOCKET_FROM_SOCKET:
- mpc->mpc_ops->mpo_create_socket_from_socket =
- mpe->mpe_function;
- break;
- case MAC_RELABEL_PIPE:
- mpc->mpc_ops->mpo_relabel_pipe =
- mpe->mpe_function;
- break;
- case MAC_RELABEL_SOCKET:
- mpc->mpc_ops->mpo_relabel_socket =
- mpe->mpe_function;
- break;
- case MAC_SET_SOCKET_PEER_FROM_MBUF:
- mpc->mpc_ops->mpo_set_socket_peer_from_mbuf =
- mpe->mpe_function;
- break;
- case MAC_SET_SOCKET_PEER_FROM_SOCKET:
- mpc->mpc_ops->mpo_set_socket_peer_from_socket =
- mpe->mpe_function;
- break;
- case MAC_CREATE_BPFDESC:
- mpc->mpc_ops->mpo_create_bpfdesc =
- mpe->mpe_function;
- break;
- case MAC_CREATE_DATAGRAM_FROM_IPQ:
- mpc->mpc_ops->mpo_create_datagram_from_ipq =
- mpe->mpe_function;
- break;
- case MAC_CREATE_FRAGMENT:
- mpc->mpc_ops->mpo_create_fragment =
- mpe->mpe_function;
- break;
- case MAC_CREATE_IFNET:
- mpc->mpc_ops->mpo_create_ifnet =
- mpe->mpe_function;
- break;
- case MAC_CREATE_IPQ:
- mpc->mpc_ops->mpo_create_ipq =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MBUF_FROM_MBUF:
- mpc->mpc_ops->mpo_create_mbuf_from_mbuf =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MBUF_LINKLAYER:
- mpc->mpc_ops->mpo_create_mbuf_linklayer =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MBUF_FROM_BPFDESC:
- mpc->mpc_ops->mpo_create_mbuf_from_bpfdesc =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MBUF_FROM_IFNET:
- mpc->mpc_ops->mpo_create_mbuf_from_ifnet =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MBUF_MULTICAST_ENCAP:
- mpc->mpc_ops->mpo_create_mbuf_multicast_encap =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MBUF_NETLAYER:
- mpc->mpc_ops->mpo_create_mbuf_netlayer =
- mpe->mpe_function;
- break;
- case MAC_FRAGMENT_MATCH:
- mpc->mpc_ops->mpo_fragment_match =
- mpe->mpe_function;
- break;
- case MAC_RELABEL_IFNET:
- mpc->mpc_ops->mpo_relabel_ifnet =
- mpe->mpe_function;
- break;
- case MAC_UPDATE_IPQ:
- mpc->mpc_ops->mpo_update_ipq =
- mpe->mpe_function;
- break;
- case MAC_CREATE_CRED:
- mpc->mpc_ops->mpo_create_cred =
- mpe->mpe_function;
- break;
- case MAC_EXECVE_TRANSITION:
- mpc->mpc_ops->mpo_execve_transition =
- mpe->mpe_function;
- break;
- case MAC_EXECVE_WILL_TRANSITION:
- mpc->mpc_ops->mpo_execve_will_transition =
- mpe->mpe_function;
- break;
- case MAC_CREATE_PROC0:
- mpc->mpc_ops->mpo_create_proc0 =
- mpe->mpe_function;
- break;
- case MAC_CREATE_PROC1:
- mpc->mpc_ops->mpo_create_proc1 =
- mpe->mpe_function;
- break;
- case MAC_RELABEL_CRED:
- mpc->mpc_ops->mpo_relabel_cred =
- mpe->mpe_function;
- break;
- case MAC_THREAD_USERRET:
- mpc->mpc_ops->mpo_thread_userret =
- mpe->mpe_function;
- break;
- case MAC_CHECK_BPFDESC_RECEIVE:
- mpc->mpc_ops->mpo_check_bpfdesc_receive =
- mpe->mpe_function;
- break;
- case MAC_CHECK_CRED_RELABEL:
- mpc->mpc_ops->mpo_check_cred_relabel =
- mpe->mpe_function;
- break;
- case MAC_CHECK_CRED_VISIBLE:
- mpc->mpc_ops->mpo_check_cred_visible =
- mpe->mpe_function;
- break;
- case MAC_CHECK_IFNET_RELABEL:
- mpc->mpc_ops->mpo_check_ifnet_relabel =
- mpe->mpe_function;
- break;
- case MAC_CHECK_IFNET_TRANSMIT:
- mpc->mpc_ops->mpo_check_ifnet_transmit =
- mpe->mpe_function;
- break;
- case MAC_CHECK_MOUNT_STAT:
- mpc->mpc_ops->mpo_check_mount_stat =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PIPE_IOCTL:
- mpc->mpc_ops->mpo_check_pipe_ioctl =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PIPE_POLL:
- mpc->mpc_ops->mpo_check_pipe_poll =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PIPE_READ:
- mpc->mpc_ops->mpo_check_pipe_read =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PIPE_RELABEL:
- mpc->mpc_ops->mpo_check_pipe_relabel =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PIPE_STAT:
- mpc->mpc_ops->mpo_check_pipe_stat =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PIPE_WRITE:
- mpc->mpc_ops->mpo_check_pipe_write =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PROC_DEBUG:
- mpc->mpc_ops->mpo_check_proc_debug =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PROC_SCHED:
- mpc->mpc_ops->mpo_check_proc_sched =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PROC_SIGNAL:
- mpc->mpc_ops->mpo_check_proc_signal =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_BIND:
- mpc->mpc_ops->mpo_check_socket_bind =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_CONNECT:
- mpc->mpc_ops->mpo_check_socket_connect =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_DELIVER:
- mpc->mpc_ops->mpo_check_socket_deliver =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_LISTEN:
- mpc->mpc_ops->mpo_check_socket_listen =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_RECEIVE:
- mpc->mpc_ops->mpo_check_socket_receive =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_RELABEL:
- mpc->mpc_ops->mpo_check_socket_relabel =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_SEND:
- mpc->mpc_ops->mpo_check_socket_send =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_VISIBLE:
- mpc->mpc_ops->mpo_check_socket_visible =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SYSTEM_REBOOT:
- mpc->mpc_ops->mpo_check_system_reboot =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SYSTEM_SWAPON:
- mpc->mpc_ops->mpo_check_system_swapon =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SYSTEM_SYSCTL:
- mpc->mpc_ops->mpo_check_system_sysctl =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_ACCESS:
- mpc->mpc_ops->mpo_check_vnode_access =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_CHDIR:
- mpc->mpc_ops->mpo_check_vnode_chdir =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_CHROOT:
- mpc->mpc_ops->mpo_check_vnode_chroot =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_CREATE:
- mpc->mpc_ops->mpo_check_vnode_create =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_DELETE:
- mpc->mpc_ops->mpo_check_vnode_delete =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_DELETEACL:
- mpc->mpc_ops->mpo_check_vnode_deleteacl =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_EXEC:
- mpc->mpc_ops->mpo_check_vnode_exec =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_GETACL:
- mpc->mpc_ops->mpo_check_vnode_getacl =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_GETEXTATTR:
- mpc->mpc_ops->mpo_check_vnode_getextattr =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_LINK:
- mpc->mpc_ops->mpo_check_vnode_link =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_LOOKUP:
- mpc->mpc_ops->mpo_check_vnode_lookup =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_MMAP:
- mpc->mpc_ops->mpo_check_vnode_mmap =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_MMAP_DOWNGRADE:
- mpc->mpc_ops->mpo_check_vnode_mmap_downgrade =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_MPROTECT:
- mpc->mpc_ops->mpo_check_vnode_mprotect =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_OPEN:
- mpc->mpc_ops->mpo_check_vnode_open =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_POLL:
- mpc->mpc_ops->mpo_check_vnode_poll =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_READ:
- mpc->mpc_ops->mpo_check_vnode_read =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_READDIR:
- mpc->mpc_ops->mpo_check_vnode_readdir =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_READLINK:
- mpc->mpc_ops->mpo_check_vnode_readlink =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_RELABEL:
- mpc->mpc_ops->mpo_check_vnode_relabel =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_RENAME_FROM:
- mpc->mpc_ops->mpo_check_vnode_rename_from =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_RENAME_TO:
- mpc->mpc_ops->mpo_check_vnode_rename_to =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_REVOKE:
- mpc->mpc_ops->mpo_check_vnode_revoke =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_SETACL:
- mpc->mpc_ops->mpo_check_vnode_setacl =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_SETEXTATTR:
- mpc->mpc_ops->mpo_check_vnode_setextattr =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_SETFLAGS:
- mpc->mpc_ops->mpo_check_vnode_setflags =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_SETMODE:
- mpc->mpc_ops->mpo_check_vnode_setmode =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_SETOWNER:
- mpc->mpc_ops->mpo_check_vnode_setowner =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_SETUTIMES:
- mpc->mpc_ops->mpo_check_vnode_setutimes =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_STAT:
- mpc->mpc_ops->mpo_check_vnode_stat =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_WRITE:
- mpc->mpc_ops->mpo_check_vnode_write =
- mpe->mpe_function;
- break;
-/*
- default:
- printf("MAC policy `%s': unknown operation %d\n",
- mpc->mpc_name, mpe->mpe_constant);
- return (EINVAL);
-*/
- }
- }
MAC_POLICY_LIST_LOCK();
if (mac_policy_list_busy > 0) {
MAC_POLICY_LIST_UNLOCK();
- FREE(mpc->mpc_ops, M_MACOPVEC);
- mpc->mpc_ops = NULL;
return (EBUSY);
}
LIST_FOREACH(tmpc, &mac_policy_list, mpc_list) {
if (strcmp(tmpc->mpc_name, mpc->mpc_name) == 0) {
MAC_POLICY_LIST_UNLOCK();
- FREE(mpc->mpc_ops, M_MACOPVEC);
- mpc->mpc_ops = NULL;
return (EEXIST);
}
}
@@ -1067,8 +488,6 @@ mac_policy_register(struct mac_policy_conf *mpc)
slot = ffs(mac_policy_offsets_free);
if (slot == 0) {
MAC_POLICY_LIST_UNLOCK();
- FREE(mpc->mpc_ops, M_MACOPVEC);
- mpc->mpc_ops = NULL;
return (ENOMEM);
}
slot--;
@@ -1135,8 +554,6 @@ mac_policy_unregister(struct mac_policy_conf *mpc)
LIST_REMOVE(mpc, mpc_list);
MAC_POLICY_LIST_UNLOCK();
- FREE(mpc->mpc_ops, M_MACOPVEC);
- mpc->mpc_ops = NULL;
mpc->mpc_runtime_flags &= ~MPC_RUNTIME_FLAG_REGISTERED;
printf("Security policy unload: %s (%s)\n", mpc->mpc_fullname,
diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h
index cb7222c029a3..bf58634527e7 100644
--- a/sys/security/mac/mac_policy.h
+++ b/sys/security/mac/mac_policy.h
@@ -327,7 +327,8 @@ struct mac_policy_ops {
struct componentname *cnp, struct vattr *vap);
int (*mpo_check_vnode_delete)(struct ucred *cred,
struct vnode *dvp, struct label *dlabel,
- struct vnode *vp, void *label, struct componentname *cnp);
+ struct vnode *vp, struct label *label,
+ struct componentname *cnp);
int (*mpo_check_vnode_deleteacl)(struct ucred *cred,
struct vnode *vp, struct label *label, acl_type_t type);
int (*mpo_check_vnode_exec)(struct ucred *cred, struct vnode *vp,
@@ -397,161 +398,10 @@ struct mac_policy_ops {
struct label *label);
};
-typedef const void *macop_t;
-
-enum mac_op_constant {
- MAC_OP_LAST,
- MAC_DESTROY,
- MAC_INIT,
- MAC_SYSCALL,
- MAC_INIT_BPFDESC_LABEL,
- MAC_INIT_CRED_LABEL,
- MAC_INIT_DEVFSDIRENT_LABEL,
- MAC_INIT_IFNET_LABEL,
- MAC_INIT_IPQ_LABEL,
- MAC_INIT_MBUF_LABEL,
- MAC_INIT_MOUNT_LABEL,
- MAC_INIT_MOUNT_FS_LABEL,
- MAC_INIT_PIPE_LABEL,
- MAC_INIT_SOCKET_LABEL,
- MAC_INIT_SOCKET_PEER_LABEL,
- MAC_INIT_VNODE_LABEL,
- MAC_DESTROY_BPFDESC_LABEL,
- MAC_DESTROY_CRED_LABEL,
- MAC_DESTROY_DEVFSDIRENT_LABEL,
- MAC_DESTROY_IFNET_LABEL,
- MAC_DESTROY_IPQ_LABEL,
- MAC_DESTROY_MBUF_LABEL,
- MAC_DESTROY_MOUNT_LABEL,
- MAC_DESTROY_MOUNT_FS_LABEL,
- MAC_DESTROY_PIPE_LABEL,
- MAC_DESTROY_SOCKET_LABEL,
- MAC_DESTROY_SOCKET_PEER_LABEL,
- MAC_DESTROY_VNODE_LABEL,
- MAC_COPY_PIPE_LABEL,
- MAC_COPY_VNODE_LABEL,
- MAC_EXTERNALIZE_CRED_LABEL,
- MAC_EXTERNALIZE_IFNET_LABEL,
- MAC_EXTERNALIZE_PIPE_LABEL,
- MAC_EXTERNALIZE_SOCKET_LABEL,
- MAC_EXTERNALIZE_SOCKET_PEER_LABEL,
- MAC_EXTERNALIZE_VNODE_LABEL,
- MAC_INTERNALIZE_CRED_LABEL,
- MAC_INTERNALIZE_IFNET_LABEL,
- MAC_INTERNALIZE_PIPE_LABEL,
- MAC_INTERNALIZE_SOCKET_LABEL,
- MAC_INTERNALIZE_VNODE_LABEL,
- MAC_CREATE_DEVFS_DEVICE,
- MAC_CREATE_DEVFS_DIRECTORY,
- MAC_CREATE_DEVFS_SYMLINK,
- MAC_CREATE_DEVFS_VNODE,
- MAC_CREATE_MOUNT,
- MAC_CREATE_ROOT_MOUNT,
- MAC_RELABEL_VNODE,
- MAC_UPDATE_DEVFSDIRENT,
- MAC_ASSOCIATE_VNODE_DEVFS,
- MAC_ASSOCIATE_VNODE_EXTATTR,
- MAC_ASSOCIATE_VNODE_SINGLELABEL,
- MAC_CREATE_VNODE_EXTATTR,
- MAC_SETLABEL_VNODE_EXTATTR,
- MAC_CREATE_MBUF_FROM_SOCKET,
- MAC_CREATE_PIPE,
- MAC_CREATE_SOCKET,
- MAC_CREATE_SOCKET_FROM_SOCKET,
- MAC_RELABEL_PIPE,
- MAC_RELABEL_SOCKET,
- MAC_SET_SOCKET_PEER_FROM_MBUF,
- MAC_SET_SOCKET_PEER_FROM_SOCKET,
- MAC_CREATE_BPFDESC,
- MAC_CREATE_DATAGRAM_FROM_IPQ,
- MAC_CREATE_IFNET,
- MAC_CREATE_IPQ,
- MAC_CREATE_FRAGMENT,
- MAC_CREATE_MBUF_FROM_MBUF,
- MAC_CREATE_MBUF_LINKLAYER,
- MAC_CREATE_MBUF_FROM_BPFDESC,
- MAC_CREATE_MBUF_FROM_IFNET,
- MAC_CREATE_MBUF_MULTICAST_ENCAP,
- MAC_CREATE_MBUF_NETLAYER,
- MAC_FRAGMENT_MATCH,
- MAC_RELABEL_IFNET,
- MAC_UPDATE_IPQ,
- MAC_CREATE_CRED,
- MAC_EXECVE_TRANSITION,
- MAC_EXECVE_WILL_TRANSITION,
- MAC_CREATE_PROC0,
- MAC_CREATE_PROC1,
- MAC_RELABEL_CRED,
- MAC_THREAD_USERRET,
- MAC_CHECK_BPFDESC_RECEIVE,
- MAC_CHECK_CRED_RELABEL,
- MAC_CHECK_CRED_VISIBLE,
- MAC_CHECK_IFNET_RELABEL,
- MAC_CHECK_IFNET_TRANSMIT,
- MAC_CHECK_MOUNT_STAT,
- MAC_CHECK_PIPE_IOCTL,
- MAC_CHECK_PIPE_POLL,
- MAC_CHECK_PIPE_READ,
- MAC_CHECK_PIPE_RELABEL,
- MAC_CHECK_PIPE_STAT,
- MAC_CHECK_PIPE_WRITE,
- MAC_CHECK_PROC_DEBUG,
- MAC_CHECK_PROC_SCHED,
- MAC_CHECK_PROC_SIGNAL,
- MAC_CHECK_SOCKET_BIND,
- MAC_CHECK_SOCKET_CONNECT,
- MAC_CHECK_SOCKET_DELIVER,
- MAC_CHECK_SOCKET_LISTEN,
- MAC_CHECK_SOCKET_RECEIVE,
- MAC_CHECK_SOCKET_RELABEL,
- MAC_CHECK_SOCKET_SEND,
- MAC_CHECK_SOCKET_VISIBLE,
- MAC_CHECK_SYSTEM_REBOOT,
- MAC_CHECK_SYSTEM_SWAPON,
- MAC_CHECK_SYSTEM_SYSCTL,
- MAC_CHECK_VNODE_ACCESS,
- MAC_CHECK_VNODE_CHDIR,
- MAC_CHECK_VNODE_CHROOT,
- MAC_CHECK_VNODE_CREATE,
- MAC_CHECK_VNODE_DELETE,
- MAC_CHECK_VNODE_DELETEACL,
- MAC_CHECK_VNODE_EXEC,
- MAC_CHECK_VNODE_GETACL,
- MAC_CHECK_VNODE_GETEXTATTR,
- MAC_CHECK_VNODE_LINK,
- MAC_CHECK_VNODE_LOOKUP,
- MAC_CHECK_VNODE_MMAP,
- MAC_CHECK_VNODE_MMAP_DOWNGRADE,
- MAC_CHECK_VNODE_MPROTECT,
- MAC_CHECK_VNODE_OPEN,
- MAC_CHECK_VNODE_POLL,
- MAC_CHECK_VNODE_READ,
- MAC_CHECK_VNODE_READDIR,
- MAC_CHECK_VNODE_READLINK,
- MAC_CHECK_VNODE_RELABEL,
- MAC_CHECK_VNODE_RENAME_FROM,
- MAC_CHECK_VNODE_RENAME_TO,
- MAC_CHECK_VNODE_REVOKE,
- MAC_CHECK_VNODE_SETACL,
- MAC_CHECK_VNODE_SETEXTATTR,
- MAC_CHECK_VNODE_SETFLAGS,
- MAC_CHECK_VNODE_SETMODE,
- MAC_CHECK_VNODE_SETOWNER,
- MAC_CHECK_VNODE_SETUTIMES,
- MAC_CHECK_VNODE_STAT,
- MAC_CHECK_VNODE_WRITE,
-};
-
-struct mac_policy_op_entry {
- enum mac_op_constant mpe_constant; /* what this hook implements */
- macop_t mpe_function; /* hook's implementation */
-};
-
struct mac_policy_conf {
char *mpc_name; /* policy name */
char *mpc_fullname; /* policy full name */
struct mac_policy_ops *mpc_ops; /* policy operations */
- struct mac_policy_op_entry *mpc_entries; /* ops to fill in */
int mpc_loadtime_flags; /* flags */
int *mpc_field_off; /* security field */
int mpc_runtime_flags; /* flags */
@@ -565,12 +415,11 @@ struct mac_policy_conf {
/* Flags for the mpc_runtime_flags field. */
#define MPC_RUNTIME_FLAG_REGISTERED 0x00000001
-#define MAC_POLICY_SET(mpents, mpname, mpfullname, mpflags, privdata_wanted) \
+#define MAC_POLICY_SET(mpops, mpname, mpfullname, mpflags, privdata_wanted) \
static struct mac_policy_conf mpname##_mac_policy_conf = { \
#mpname, \
mpfullname, \
- NULL, \
- mpents, \
+ mpops, \
mpflags, \
privdata_wanted, \
0, \
diff --git a/sys/security/mac/mac_process.c b/sys/security/mac/mac_process.c
index 5c3da06b452b..4882c0f46d2c 100644
--- a/sys/security/mac/mac_process.c
+++ b/sys/security/mac/mac_process.c
@@ -471,595 +471,16 @@ static int
mac_policy_register(struct mac_policy_conf *mpc)
{
struct mac_policy_conf *tmpc;
- struct mac_policy_op_entry *mpe;
int slot;
- MALLOC(mpc->mpc_ops, struct mac_policy_ops *, sizeof(*mpc->mpc_ops),
- M_MACOPVEC, M_WAITOK | M_ZERO);
- for (mpe = mpc->mpc_entries; mpe->mpe_constant != MAC_OP_LAST; mpe++) {
- switch (mpe->mpe_constant) {
- case MAC_OP_LAST:
- /*
- * Doesn't actually happen, but this allows checking
- * that all enumerated values are handled.
- */
- break;
- case MAC_DESTROY:
- mpc->mpc_ops->mpo_destroy =
- mpe->mpe_function;
- break;
- case MAC_INIT:
- mpc->mpc_ops->mpo_init =
- mpe->mpe_function;
- break;
- case MAC_SYSCALL:
- mpc->mpc_ops->mpo_syscall =
- mpe->mpe_function;
- break;
- case MAC_INIT_BPFDESC_LABEL:
- mpc->mpc_ops->mpo_init_bpfdesc_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_CRED_LABEL:
- mpc->mpc_ops->mpo_init_cred_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_DEVFSDIRENT_LABEL:
- mpc->mpc_ops->mpo_init_devfsdirent_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_IFNET_LABEL:
- mpc->mpc_ops->mpo_init_ifnet_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_IPQ_LABEL:
- mpc->mpc_ops->mpo_init_ipq_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_MBUF_LABEL:
- mpc->mpc_ops->mpo_init_mbuf_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_MOUNT_LABEL:
- mpc->mpc_ops->mpo_init_mount_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_MOUNT_FS_LABEL:
- mpc->mpc_ops->mpo_init_mount_fs_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_PIPE_LABEL:
- mpc->mpc_ops->mpo_init_pipe_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_SOCKET_LABEL:
- mpc->mpc_ops->mpo_init_socket_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_SOCKET_PEER_LABEL:
- mpc->mpc_ops->mpo_init_socket_peer_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_VNODE_LABEL:
- mpc->mpc_ops->mpo_init_vnode_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_BPFDESC_LABEL:
- mpc->mpc_ops->mpo_destroy_bpfdesc_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_CRED_LABEL:
- mpc->mpc_ops->mpo_destroy_cred_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_DEVFSDIRENT_LABEL:
- mpc->mpc_ops->mpo_destroy_devfsdirent_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_IFNET_LABEL:
- mpc->mpc_ops->mpo_destroy_ifnet_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_IPQ_LABEL:
- mpc->mpc_ops->mpo_destroy_ipq_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_MBUF_LABEL:
- mpc->mpc_ops->mpo_destroy_mbuf_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_MOUNT_LABEL:
- mpc->mpc_ops->mpo_destroy_mount_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_MOUNT_FS_LABEL:
- mpc->mpc_ops->mpo_destroy_mount_fs_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_PIPE_LABEL:
- mpc->mpc_ops->mpo_destroy_pipe_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_SOCKET_LABEL:
- mpc->mpc_ops->mpo_destroy_socket_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_SOCKET_PEER_LABEL:
- mpc->mpc_ops->mpo_destroy_socket_peer_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_VNODE_LABEL:
- mpc->mpc_ops->mpo_destroy_vnode_label =
- mpe->mpe_function;
- break;
- case MAC_COPY_PIPE_LABEL:
- mpc->mpc_ops->mpo_copy_pipe_label =
- mpe->mpe_function;
- break;
- case MAC_COPY_VNODE_LABEL:
- mpc->mpc_ops->mpo_copy_vnode_label =
- mpe->mpe_function;
- break;
- case MAC_EXTERNALIZE_CRED_LABEL:
- mpc->mpc_ops->mpo_externalize_cred_label =
- mpe->mpe_function;
- break;
- case MAC_EXTERNALIZE_IFNET_LABEL:
- mpc->mpc_ops->mpo_externalize_ifnet_label =
- mpe->mpe_function;
- break;
- case MAC_EXTERNALIZE_PIPE_LABEL:
- mpc->mpc_ops->mpo_externalize_pipe_label =
- mpe->mpe_function;
- break;
- case MAC_EXTERNALIZE_SOCKET_LABEL:
- mpc->mpc_ops->mpo_externalize_socket_label =
- mpe->mpe_function;
- break;
- case MAC_EXTERNALIZE_SOCKET_PEER_LABEL:
- mpc->mpc_ops->mpo_externalize_socket_peer_label =
- mpe->mpe_function;
- break;
- case MAC_EXTERNALIZE_VNODE_LABEL:
- mpc->mpc_ops->mpo_externalize_vnode_label =
- mpe->mpe_function;
- break;
- case MAC_INTERNALIZE_CRED_LABEL:
- mpc->mpc_ops->mpo_internalize_cred_label =
- mpe->mpe_function;
- break;
- case MAC_INTERNALIZE_IFNET_LABEL:
- mpc->mpc_ops->mpo_internalize_ifnet_label =
- mpe->mpe_function;
- break;
- case MAC_INTERNALIZE_PIPE_LABEL:
- mpc->mpc_ops->mpo_internalize_pipe_label =
- mpe->mpe_function;
- break;
- case MAC_INTERNALIZE_SOCKET_LABEL:
- mpc->mpc_ops->mpo_internalize_socket_label =
- mpe->mpe_function;
- break;
- case MAC_INTERNALIZE_VNODE_LABEL:
- mpc->mpc_ops->mpo_internalize_vnode_label =
- mpe->mpe_function;
- break;
- case MAC_CREATE_DEVFS_DEVICE:
- mpc->mpc_ops->mpo_create_devfs_device =
- mpe->mpe_function;
- break;
- case MAC_CREATE_DEVFS_DIRECTORY:
- mpc->mpc_ops->mpo_create_devfs_directory =
- mpe->mpe_function;
- break;
- case MAC_CREATE_DEVFS_SYMLINK:
- mpc->mpc_ops->mpo_create_devfs_symlink =
- mpe->mpe_function;
- break;
- case MAC_CREATE_DEVFS_VNODE:
- mpc->mpc_ops->mpo_create_devfs_vnode =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MOUNT:
- mpc->mpc_ops->mpo_create_mount =
- mpe->mpe_function;
- break;
- case MAC_CREATE_ROOT_MOUNT:
- mpc->mpc_ops->mpo_create_root_mount =
- mpe->mpe_function;
- break;
- case MAC_RELABEL_VNODE:
- mpc->mpc_ops->mpo_relabel_vnode =
- mpe->mpe_function;
- break;
- case MAC_UPDATE_DEVFSDIRENT:
- mpc->mpc_ops->mpo_update_devfsdirent =
- mpe->mpe_function;
- break;
- case MAC_ASSOCIATE_VNODE_DEVFS:
- mpc->mpc_ops->mpo_associate_vnode_devfs =
- mpe->mpe_function;
- break;
- case MAC_ASSOCIATE_VNODE_EXTATTR:
- mpc->mpc_ops->mpo_associate_vnode_extattr =
- mpe->mpe_function;
- break;
- case MAC_ASSOCIATE_VNODE_SINGLELABEL:
- mpc->mpc_ops->mpo_associate_vnode_singlelabel =
- mpe->mpe_function;
- break;
- case MAC_CREATE_VNODE_EXTATTR:
- mpc->mpc_ops->mpo_create_vnode_extattr =
- mpe->mpe_function;
- break;
- case MAC_SETLABEL_VNODE_EXTATTR:
- mpc->mpc_ops->mpo_setlabel_vnode_extattr =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MBUF_FROM_SOCKET:
- mpc->mpc_ops->mpo_create_mbuf_from_socket =
- mpe->mpe_function;
- break;
- case MAC_CREATE_PIPE:
- mpc->mpc_ops->mpo_create_pipe =
- mpe->mpe_function;
- break;
- case MAC_CREATE_SOCKET:
- mpc->mpc_ops->mpo_create_socket =
- mpe->mpe_function;
- break;
- case MAC_CREATE_SOCKET_FROM_SOCKET:
- mpc->mpc_ops->mpo_create_socket_from_socket =
- mpe->mpe_function;
- break;
- case MAC_RELABEL_PIPE:
- mpc->mpc_ops->mpo_relabel_pipe =
- mpe->mpe_function;
- break;
- case MAC_RELABEL_SOCKET:
- mpc->mpc_ops->mpo_relabel_socket =
- mpe->mpe_function;
- break;
- case MAC_SET_SOCKET_PEER_FROM_MBUF:
- mpc->mpc_ops->mpo_set_socket_peer_from_mbuf =
- mpe->mpe_function;
- break;
- case MAC_SET_SOCKET_PEER_FROM_SOCKET:
- mpc->mpc_ops->mpo_set_socket_peer_from_socket =
- mpe->mpe_function;
- break;
- case MAC_CREATE_BPFDESC:
- mpc->mpc_ops->mpo_create_bpfdesc =
- mpe->mpe_function;
- break;
- case MAC_CREATE_DATAGRAM_FROM_IPQ:
- mpc->mpc_ops->mpo_create_datagram_from_ipq =
- mpe->mpe_function;
- break;
- case MAC_CREATE_FRAGMENT:
- mpc->mpc_ops->mpo_create_fragment =
- mpe->mpe_function;
- break;
- case MAC_CREATE_IFNET:
- mpc->mpc_ops->mpo_create_ifnet =
- mpe->mpe_function;
- break;
- case MAC_CREATE_IPQ:
- mpc->mpc_ops->mpo_create_ipq =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MBUF_FROM_MBUF:
- mpc->mpc_ops->mpo_create_mbuf_from_mbuf =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MBUF_LINKLAYER:
- mpc->mpc_ops->mpo_create_mbuf_linklayer =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MBUF_FROM_BPFDESC:
- mpc->mpc_ops->mpo_create_mbuf_from_bpfdesc =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MBUF_FROM_IFNET:
- mpc->mpc_ops->mpo_create_mbuf_from_ifnet =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MBUF_MULTICAST_ENCAP:
- mpc->mpc_ops->mpo_create_mbuf_multicast_encap =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MBUF_NETLAYER:
- mpc->mpc_ops->mpo_create_mbuf_netlayer =
- mpe->mpe_function;
- break;
- case MAC_FRAGMENT_MATCH:
- mpc->mpc_ops->mpo_fragment_match =
- mpe->mpe_function;
- break;
- case MAC_RELABEL_IFNET:
- mpc->mpc_ops->mpo_relabel_ifnet =
- mpe->mpe_function;
- break;
- case MAC_UPDATE_IPQ:
- mpc->mpc_ops->mpo_update_ipq =
- mpe->mpe_function;
- break;
- case MAC_CREATE_CRED:
- mpc->mpc_ops->mpo_create_cred =
- mpe->mpe_function;
- break;
- case MAC_EXECVE_TRANSITION:
- mpc->mpc_ops->mpo_execve_transition =
- mpe->mpe_function;
- break;
- case MAC_EXECVE_WILL_TRANSITION:
- mpc->mpc_ops->mpo_execve_will_transition =
- mpe->mpe_function;
- break;
- case MAC_CREATE_PROC0:
- mpc->mpc_ops->mpo_create_proc0 =
- mpe->mpe_function;
- break;
- case MAC_CREATE_PROC1:
- mpc->mpc_ops->mpo_create_proc1 =
- mpe->mpe_function;
- break;
- case MAC_RELABEL_CRED:
- mpc->mpc_ops->mpo_relabel_cred =
- mpe->mpe_function;
- break;
- case MAC_THREAD_USERRET:
- mpc->mpc_ops->mpo_thread_userret =
- mpe->mpe_function;
- break;
- case MAC_CHECK_BPFDESC_RECEIVE:
- mpc->mpc_ops->mpo_check_bpfdesc_receive =
- mpe->mpe_function;
- break;
- case MAC_CHECK_CRED_RELABEL:
- mpc->mpc_ops->mpo_check_cred_relabel =
- mpe->mpe_function;
- break;
- case MAC_CHECK_CRED_VISIBLE:
- mpc->mpc_ops->mpo_check_cred_visible =
- mpe->mpe_function;
- break;
- case MAC_CHECK_IFNET_RELABEL:
- mpc->mpc_ops->mpo_check_ifnet_relabel =
- mpe->mpe_function;
- break;
- case MAC_CHECK_IFNET_TRANSMIT:
- mpc->mpc_ops->mpo_check_ifnet_transmit =
- mpe->mpe_function;
- break;
- case MAC_CHECK_MOUNT_STAT:
- mpc->mpc_ops->mpo_check_mount_stat =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PIPE_IOCTL:
- mpc->mpc_ops->mpo_check_pipe_ioctl =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PIPE_POLL:
- mpc->mpc_ops->mpo_check_pipe_poll =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PIPE_READ:
- mpc->mpc_ops->mpo_check_pipe_read =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PIPE_RELABEL:
- mpc->mpc_ops->mpo_check_pipe_relabel =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PIPE_STAT:
- mpc->mpc_ops->mpo_check_pipe_stat =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PIPE_WRITE:
- mpc->mpc_ops->mpo_check_pipe_write =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PROC_DEBUG:
- mpc->mpc_ops->mpo_check_proc_debug =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PROC_SCHED:
- mpc->mpc_ops->mpo_check_proc_sched =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PROC_SIGNAL:
- mpc->mpc_ops->mpo_check_proc_signal =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_BIND:
- mpc->mpc_ops->mpo_check_socket_bind =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_CONNECT:
- mpc->mpc_ops->mpo_check_socket_connect =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_DELIVER:
- mpc->mpc_ops->mpo_check_socket_deliver =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_LISTEN:
- mpc->mpc_ops->mpo_check_socket_listen =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_RECEIVE:
- mpc->mpc_ops->mpo_check_socket_receive =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_RELABEL:
- mpc->mpc_ops->mpo_check_socket_relabel =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_SEND:
- mpc->mpc_ops->mpo_check_socket_send =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_VISIBLE:
- mpc->mpc_ops->mpo_check_socket_visible =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SYSTEM_REBOOT:
- mpc->mpc_ops->mpo_check_system_reboot =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SYSTEM_SWAPON:
- mpc->mpc_ops->mpo_check_system_swapon =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SYSTEM_SYSCTL:
- mpc->mpc_ops->mpo_check_system_sysctl =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_ACCESS:
- mpc->mpc_ops->mpo_check_vnode_access =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_CHDIR:
- mpc->mpc_ops->mpo_check_vnode_chdir =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_CHROOT:
- mpc->mpc_ops->mpo_check_vnode_chroot =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_CREATE:
- mpc->mpc_ops->mpo_check_vnode_create =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_DELETE:
- mpc->mpc_ops->mpo_check_vnode_delete =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_DELETEACL:
- mpc->mpc_ops->mpo_check_vnode_deleteacl =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_EXEC:
- mpc->mpc_ops->mpo_check_vnode_exec =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_GETACL:
- mpc->mpc_ops->mpo_check_vnode_getacl =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_GETEXTATTR:
- mpc->mpc_ops->mpo_check_vnode_getextattr =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_LINK:
- mpc->mpc_ops->mpo_check_vnode_link =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_LOOKUP:
- mpc->mpc_ops->mpo_check_vnode_lookup =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_MMAP:
- mpc->mpc_ops->mpo_check_vnode_mmap =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_MMAP_DOWNGRADE:
- mpc->mpc_ops->mpo_check_vnode_mmap_downgrade =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_MPROTECT:
- mpc->mpc_ops->mpo_check_vnode_mprotect =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_OPEN:
- mpc->mpc_ops->mpo_check_vnode_open =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_POLL:
- mpc->mpc_ops->mpo_check_vnode_poll =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_READ:
- mpc->mpc_ops->mpo_check_vnode_read =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_READDIR:
- mpc->mpc_ops->mpo_check_vnode_readdir =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_READLINK:
- mpc->mpc_ops->mpo_check_vnode_readlink =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_RELABEL:
- mpc->mpc_ops->mpo_check_vnode_relabel =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_RENAME_FROM:
- mpc->mpc_ops->mpo_check_vnode_rename_from =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_RENAME_TO:
- mpc->mpc_ops->mpo_check_vnode_rename_to =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_REVOKE:
- mpc->mpc_ops->mpo_check_vnode_revoke =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_SETACL:
- mpc->mpc_ops->mpo_check_vnode_setacl =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_SETEXTATTR:
- mpc->mpc_ops->mpo_check_vnode_setextattr =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_SETFLAGS:
- mpc->mpc_ops->mpo_check_vnode_setflags =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_SETMODE:
- mpc->mpc_ops->mpo_check_vnode_setmode =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_SETOWNER:
- mpc->mpc_ops->mpo_check_vnode_setowner =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_SETUTIMES:
- mpc->mpc_ops->mpo_check_vnode_setutimes =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_STAT:
- mpc->mpc_ops->mpo_check_vnode_stat =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_WRITE:
- mpc->mpc_ops->mpo_check_vnode_write =
- mpe->mpe_function;
- break;
-/*
- default:
- printf("MAC policy `%s': unknown operation %d\n",
- mpc->mpc_name, mpe->mpe_constant);
- return (EINVAL);
-*/
- }
- }
MAC_POLICY_LIST_LOCK();
if (mac_policy_list_busy > 0) {
MAC_POLICY_LIST_UNLOCK();
- FREE(mpc->mpc_ops, M_MACOPVEC);
- mpc->mpc_ops = NULL;
return (EBUSY);
}
LIST_FOREACH(tmpc, &mac_policy_list, mpc_list) {
if (strcmp(tmpc->mpc_name, mpc->mpc_name) == 0) {
MAC_POLICY_LIST_UNLOCK();
- FREE(mpc->mpc_ops, M_MACOPVEC);
- mpc->mpc_ops = NULL;
return (EEXIST);
}
}
@@ -1067,8 +488,6 @@ mac_policy_register(struct mac_policy_conf *mpc)
slot = ffs(mac_policy_offsets_free);
if (slot == 0) {
MAC_POLICY_LIST_UNLOCK();
- FREE(mpc->mpc_ops, M_MACOPVEC);
- mpc->mpc_ops = NULL;
return (ENOMEM);
}
slot--;
@@ -1135,8 +554,6 @@ mac_policy_unregister(struct mac_policy_conf *mpc)
LIST_REMOVE(mpc, mpc_list);
MAC_POLICY_LIST_UNLOCK();
- FREE(mpc->mpc_ops, M_MACOPVEC);
- mpc->mpc_ops = NULL;
mpc->mpc_runtime_flags &= ~MPC_RUNTIME_FLAG_REGISTERED;
printf("Security policy unload: %s (%s)\n", mpc->mpc_fullname,
diff --git a/sys/security/mac/mac_syscalls.c b/sys/security/mac/mac_syscalls.c
index 5c3da06b452b..4882c0f46d2c 100644
--- a/sys/security/mac/mac_syscalls.c
+++ b/sys/security/mac/mac_syscalls.c
@@ -471,595 +471,16 @@ static int
mac_policy_register(struct mac_policy_conf *mpc)
{
struct mac_policy_conf *tmpc;
- struct mac_policy_op_entry *mpe;
int slot;
- MALLOC(mpc->mpc_ops, struct mac_policy_ops *, sizeof(*mpc->mpc_ops),
- M_MACOPVEC, M_WAITOK | M_ZERO);
- for (mpe = mpc->mpc_entries; mpe->mpe_constant != MAC_OP_LAST; mpe++) {
- switch (mpe->mpe_constant) {
- case MAC_OP_LAST:
- /*
- * Doesn't actually happen, but this allows checking
- * that all enumerated values are handled.
- */
- break;
- case MAC_DESTROY:
- mpc->mpc_ops->mpo_destroy =
- mpe->mpe_function;
- break;
- case MAC_INIT:
- mpc->mpc_ops->mpo_init =
- mpe->mpe_function;
- break;
- case MAC_SYSCALL:
- mpc->mpc_ops->mpo_syscall =
- mpe->mpe_function;
- break;
- case MAC_INIT_BPFDESC_LABEL:
- mpc->mpc_ops->mpo_init_bpfdesc_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_CRED_LABEL:
- mpc->mpc_ops->mpo_init_cred_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_DEVFSDIRENT_LABEL:
- mpc->mpc_ops->mpo_init_devfsdirent_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_IFNET_LABEL:
- mpc->mpc_ops->mpo_init_ifnet_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_IPQ_LABEL:
- mpc->mpc_ops->mpo_init_ipq_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_MBUF_LABEL:
- mpc->mpc_ops->mpo_init_mbuf_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_MOUNT_LABEL:
- mpc->mpc_ops->mpo_init_mount_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_MOUNT_FS_LABEL:
- mpc->mpc_ops->mpo_init_mount_fs_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_PIPE_LABEL:
- mpc->mpc_ops->mpo_init_pipe_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_SOCKET_LABEL:
- mpc->mpc_ops->mpo_init_socket_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_SOCKET_PEER_LABEL:
- mpc->mpc_ops->mpo_init_socket_peer_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_VNODE_LABEL:
- mpc->mpc_ops->mpo_init_vnode_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_BPFDESC_LABEL:
- mpc->mpc_ops->mpo_destroy_bpfdesc_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_CRED_LABEL:
- mpc->mpc_ops->mpo_destroy_cred_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_DEVFSDIRENT_LABEL:
- mpc->mpc_ops->mpo_destroy_devfsdirent_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_IFNET_LABEL:
- mpc->mpc_ops->mpo_destroy_ifnet_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_IPQ_LABEL:
- mpc->mpc_ops->mpo_destroy_ipq_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_MBUF_LABEL:
- mpc->mpc_ops->mpo_destroy_mbuf_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_MOUNT_LABEL:
- mpc->mpc_ops->mpo_destroy_mount_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_MOUNT_FS_LABEL:
- mpc->mpc_ops->mpo_destroy_mount_fs_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_PIPE_LABEL:
- mpc->mpc_ops->mpo_destroy_pipe_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_SOCKET_LABEL:
- mpc->mpc_ops->mpo_destroy_socket_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_SOCKET_PEER_LABEL:
- mpc->mpc_ops->mpo_destroy_socket_peer_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_VNODE_LABEL:
- mpc->mpc_ops->mpo_destroy_vnode_label =
- mpe->mpe_function;
- break;
- case MAC_COPY_PIPE_LABEL:
- mpc->mpc_ops->mpo_copy_pipe_label =
- mpe->mpe_function;
- break;
- case MAC_COPY_VNODE_LABEL:
- mpc->mpc_ops->mpo_copy_vnode_label =
- mpe->mpe_function;
- break;
- case MAC_EXTERNALIZE_CRED_LABEL:
- mpc->mpc_ops->mpo_externalize_cred_label =
- mpe->mpe_function;
- break;
- case MAC_EXTERNALIZE_IFNET_LABEL:
- mpc->mpc_ops->mpo_externalize_ifnet_label =
- mpe->mpe_function;
- break;
- case MAC_EXTERNALIZE_PIPE_LABEL:
- mpc->mpc_ops->mpo_externalize_pipe_label =
- mpe->mpe_function;
- break;
- case MAC_EXTERNALIZE_SOCKET_LABEL:
- mpc->mpc_ops->mpo_externalize_socket_label =
- mpe->mpe_function;
- break;
- case MAC_EXTERNALIZE_SOCKET_PEER_LABEL:
- mpc->mpc_ops->mpo_externalize_socket_peer_label =
- mpe->mpe_function;
- break;
- case MAC_EXTERNALIZE_VNODE_LABEL:
- mpc->mpc_ops->mpo_externalize_vnode_label =
- mpe->mpe_function;
- break;
- case MAC_INTERNALIZE_CRED_LABEL:
- mpc->mpc_ops->mpo_internalize_cred_label =
- mpe->mpe_function;
- break;
- case MAC_INTERNALIZE_IFNET_LABEL:
- mpc->mpc_ops->mpo_internalize_ifnet_label =
- mpe->mpe_function;
- break;
- case MAC_INTERNALIZE_PIPE_LABEL:
- mpc->mpc_ops->mpo_internalize_pipe_label =
- mpe->mpe_function;
- break;
- case MAC_INTERNALIZE_SOCKET_LABEL:
- mpc->mpc_ops->mpo_internalize_socket_label =
- mpe->mpe_function;
- break;
- case MAC_INTERNALIZE_VNODE_LABEL:
- mpc->mpc_ops->mpo_internalize_vnode_label =
- mpe->mpe_function;
- break;
- case MAC_CREATE_DEVFS_DEVICE:
- mpc->mpc_ops->mpo_create_devfs_device =
- mpe->mpe_function;
- break;
- case MAC_CREATE_DEVFS_DIRECTORY:
- mpc->mpc_ops->mpo_create_devfs_directory =
- mpe->mpe_function;
- break;
- case MAC_CREATE_DEVFS_SYMLINK:
- mpc->mpc_ops->mpo_create_devfs_symlink =
- mpe->mpe_function;
- break;
- case MAC_CREATE_DEVFS_VNODE:
- mpc->mpc_ops->mpo_create_devfs_vnode =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MOUNT:
- mpc->mpc_ops->mpo_create_mount =
- mpe->mpe_function;
- break;
- case MAC_CREATE_ROOT_MOUNT:
- mpc->mpc_ops->mpo_create_root_mount =
- mpe->mpe_function;
- break;
- case MAC_RELABEL_VNODE:
- mpc->mpc_ops->mpo_relabel_vnode =
- mpe->mpe_function;
- break;
- case MAC_UPDATE_DEVFSDIRENT:
- mpc->mpc_ops->mpo_update_devfsdirent =
- mpe->mpe_function;
- break;
- case MAC_ASSOCIATE_VNODE_DEVFS:
- mpc->mpc_ops->mpo_associate_vnode_devfs =
- mpe->mpe_function;
- break;
- case MAC_ASSOCIATE_VNODE_EXTATTR:
- mpc->mpc_ops->mpo_associate_vnode_extattr =
- mpe->mpe_function;
- break;
- case MAC_ASSOCIATE_VNODE_SINGLELABEL:
- mpc->mpc_ops->mpo_associate_vnode_singlelabel =
- mpe->mpe_function;
- break;
- case MAC_CREATE_VNODE_EXTATTR:
- mpc->mpc_ops->mpo_create_vnode_extattr =
- mpe->mpe_function;
- break;
- case MAC_SETLABEL_VNODE_EXTATTR:
- mpc->mpc_ops->mpo_setlabel_vnode_extattr =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MBUF_FROM_SOCKET:
- mpc->mpc_ops->mpo_create_mbuf_from_socket =
- mpe->mpe_function;
- break;
- case MAC_CREATE_PIPE:
- mpc->mpc_ops->mpo_create_pipe =
- mpe->mpe_function;
- break;
- case MAC_CREATE_SOCKET:
- mpc->mpc_ops->mpo_create_socket =
- mpe->mpe_function;
- break;
- case MAC_CREATE_SOCKET_FROM_SOCKET:
- mpc->mpc_ops->mpo_create_socket_from_socket =
- mpe->mpe_function;
- break;
- case MAC_RELABEL_PIPE:
- mpc->mpc_ops->mpo_relabel_pipe =
- mpe->mpe_function;
- break;
- case MAC_RELABEL_SOCKET:
- mpc->mpc_ops->mpo_relabel_socket =
- mpe->mpe_function;
- break;
- case MAC_SET_SOCKET_PEER_FROM_MBUF:
- mpc->mpc_ops->mpo_set_socket_peer_from_mbuf =
- mpe->mpe_function;
- break;
- case MAC_SET_SOCKET_PEER_FROM_SOCKET:
- mpc->mpc_ops->mpo_set_socket_peer_from_socket =
- mpe->mpe_function;
- break;
- case MAC_CREATE_BPFDESC:
- mpc->mpc_ops->mpo_create_bpfdesc =
- mpe->mpe_function;
- break;
- case MAC_CREATE_DATAGRAM_FROM_IPQ:
- mpc->mpc_ops->mpo_create_datagram_from_ipq =
- mpe->mpe_function;
- break;
- case MAC_CREATE_FRAGMENT:
- mpc->mpc_ops->mpo_create_fragment =
- mpe->mpe_function;
- break;
- case MAC_CREATE_IFNET:
- mpc->mpc_ops->mpo_create_ifnet =
- mpe->mpe_function;
- break;
- case MAC_CREATE_IPQ:
- mpc->mpc_ops->mpo_create_ipq =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MBUF_FROM_MBUF:
- mpc->mpc_ops->mpo_create_mbuf_from_mbuf =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MBUF_LINKLAYER:
- mpc->mpc_ops->mpo_create_mbuf_linklayer =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MBUF_FROM_BPFDESC:
- mpc->mpc_ops->mpo_create_mbuf_from_bpfdesc =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MBUF_FROM_IFNET:
- mpc->mpc_ops->mpo_create_mbuf_from_ifnet =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MBUF_MULTICAST_ENCAP:
- mpc->mpc_ops->mpo_create_mbuf_multicast_encap =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MBUF_NETLAYER:
- mpc->mpc_ops->mpo_create_mbuf_netlayer =
- mpe->mpe_function;
- break;
- case MAC_FRAGMENT_MATCH:
- mpc->mpc_ops->mpo_fragment_match =
- mpe->mpe_function;
- break;
- case MAC_RELABEL_IFNET:
- mpc->mpc_ops->mpo_relabel_ifnet =
- mpe->mpe_function;
- break;
- case MAC_UPDATE_IPQ:
- mpc->mpc_ops->mpo_update_ipq =
- mpe->mpe_function;
- break;
- case MAC_CREATE_CRED:
- mpc->mpc_ops->mpo_create_cred =
- mpe->mpe_function;
- break;
- case MAC_EXECVE_TRANSITION:
- mpc->mpc_ops->mpo_execve_transition =
- mpe->mpe_function;
- break;
- case MAC_EXECVE_WILL_TRANSITION:
- mpc->mpc_ops->mpo_execve_will_transition =
- mpe->mpe_function;
- break;
- case MAC_CREATE_PROC0:
- mpc->mpc_ops->mpo_create_proc0 =
- mpe->mpe_function;
- break;
- case MAC_CREATE_PROC1:
- mpc->mpc_ops->mpo_create_proc1 =
- mpe->mpe_function;
- break;
- case MAC_RELABEL_CRED:
- mpc->mpc_ops->mpo_relabel_cred =
- mpe->mpe_function;
- break;
- case MAC_THREAD_USERRET:
- mpc->mpc_ops->mpo_thread_userret =
- mpe->mpe_function;
- break;
- case MAC_CHECK_BPFDESC_RECEIVE:
- mpc->mpc_ops->mpo_check_bpfdesc_receive =
- mpe->mpe_function;
- break;
- case MAC_CHECK_CRED_RELABEL:
- mpc->mpc_ops->mpo_check_cred_relabel =
- mpe->mpe_function;
- break;
- case MAC_CHECK_CRED_VISIBLE:
- mpc->mpc_ops->mpo_check_cred_visible =
- mpe->mpe_function;
- break;
- case MAC_CHECK_IFNET_RELABEL:
- mpc->mpc_ops->mpo_check_ifnet_relabel =
- mpe->mpe_function;
- break;
- case MAC_CHECK_IFNET_TRANSMIT:
- mpc->mpc_ops->mpo_check_ifnet_transmit =
- mpe->mpe_function;
- break;
- case MAC_CHECK_MOUNT_STAT:
- mpc->mpc_ops->mpo_check_mount_stat =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PIPE_IOCTL:
- mpc->mpc_ops->mpo_check_pipe_ioctl =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PIPE_POLL:
- mpc->mpc_ops->mpo_check_pipe_poll =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PIPE_READ:
- mpc->mpc_ops->mpo_check_pipe_read =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PIPE_RELABEL:
- mpc->mpc_ops->mpo_check_pipe_relabel =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PIPE_STAT:
- mpc->mpc_ops->mpo_check_pipe_stat =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PIPE_WRITE:
- mpc->mpc_ops->mpo_check_pipe_write =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PROC_DEBUG:
- mpc->mpc_ops->mpo_check_proc_debug =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PROC_SCHED:
- mpc->mpc_ops->mpo_check_proc_sched =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PROC_SIGNAL:
- mpc->mpc_ops->mpo_check_proc_signal =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_BIND:
- mpc->mpc_ops->mpo_check_socket_bind =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_CONNECT:
- mpc->mpc_ops->mpo_check_socket_connect =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_DELIVER:
- mpc->mpc_ops->mpo_check_socket_deliver =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_LISTEN:
- mpc->mpc_ops->mpo_check_socket_listen =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_RECEIVE:
- mpc->mpc_ops->mpo_check_socket_receive =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_RELABEL:
- mpc->mpc_ops->mpo_check_socket_relabel =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_SEND:
- mpc->mpc_ops->mpo_check_socket_send =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_VISIBLE:
- mpc->mpc_ops->mpo_check_socket_visible =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SYSTEM_REBOOT:
- mpc->mpc_ops->mpo_check_system_reboot =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SYSTEM_SWAPON:
- mpc->mpc_ops->mpo_check_system_swapon =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SYSTEM_SYSCTL:
- mpc->mpc_ops->mpo_check_system_sysctl =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_ACCESS:
- mpc->mpc_ops->mpo_check_vnode_access =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_CHDIR:
- mpc->mpc_ops->mpo_check_vnode_chdir =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_CHROOT:
- mpc->mpc_ops->mpo_check_vnode_chroot =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_CREATE:
- mpc->mpc_ops->mpo_check_vnode_create =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_DELETE:
- mpc->mpc_ops->mpo_check_vnode_delete =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_DELETEACL:
- mpc->mpc_ops->mpo_check_vnode_deleteacl =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_EXEC:
- mpc->mpc_ops->mpo_check_vnode_exec =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_GETACL:
- mpc->mpc_ops->mpo_check_vnode_getacl =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_GETEXTATTR:
- mpc->mpc_ops->mpo_check_vnode_getextattr =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_LINK:
- mpc->mpc_ops->mpo_check_vnode_link =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_LOOKUP:
- mpc->mpc_ops->mpo_check_vnode_lookup =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_MMAP:
- mpc->mpc_ops->mpo_check_vnode_mmap =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_MMAP_DOWNGRADE:
- mpc->mpc_ops->mpo_check_vnode_mmap_downgrade =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_MPROTECT:
- mpc->mpc_ops->mpo_check_vnode_mprotect =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_OPEN:
- mpc->mpc_ops->mpo_check_vnode_open =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_POLL:
- mpc->mpc_ops->mpo_check_vnode_poll =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_READ:
- mpc->mpc_ops->mpo_check_vnode_read =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_READDIR:
- mpc->mpc_ops->mpo_check_vnode_readdir =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_READLINK:
- mpc->mpc_ops->mpo_check_vnode_readlink =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_RELABEL:
- mpc->mpc_ops->mpo_check_vnode_relabel =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_RENAME_FROM:
- mpc->mpc_ops->mpo_check_vnode_rename_from =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_RENAME_TO:
- mpc->mpc_ops->mpo_check_vnode_rename_to =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_REVOKE:
- mpc->mpc_ops->mpo_check_vnode_revoke =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_SETACL:
- mpc->mpc_ops->mpo_check_vnode_setacl =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_SETEXTATTR:
- mpc->mpc_ops->mpo_check_vnode_setextattr =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_SETFLAGS:
- mpc->mpc_ops->mpo_check_vnode_setflags =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_SETMODE:
- mpc->mpc_ops->mpo_check_vnode_setmode =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_SETOWNER:
- mpc->mpc_ops->mpo_check_vnode_setowner =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_SETUTIMES:
- mpc->mpc_ops->mpo_check_vnode_setutimes =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_STAT:
- mpc->mpc_ops->mpo_check_vnode_stat =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_WRITE:
- mpc->mpc_ops->mpo_check_vnode_write =
- mpe->mpe_function;
- break;
-/*
- default:
- printf("MAC policy `%s': unknown operation %d\n",
- mpc->mpc_name, mpe->mpe_constant);
- return (EINVAL);
-*/
- }
- }
MAC_POLICY_LIST_LOCK();
if (mac_policy_list_busy > 0) {
MAC_POLICY_LIST_UNLOCK();
- FREE(mpc->mpc_ops, M_MACOPVEC);
- mpc->mpc_ops = NULL;
return (EBUSY);
}
LIST_FOREACH(tmpc, &mac_policy_list, mpc_list) {
if (strcmp(tmpc->mpc_name, mpc->mpc_name) == 0) {
MAC_POLICY_LIST_UNLOCK();
- FREE(mpc->mpc_ops, M_MACOPVEC);
- mpc->mpc_ops = NULL;
return (EEXIST);
}
}
@@ -1067,8 +488,6 @@ mac_policy_register(struct mac_policy_conf *mpc)
slot = ffs(mac_policy_offsets_free);
if (slot == 0) {
MAC_POLICY_LIST_UNLOCK();
- FREE(mpc->mpc_ops, M_MACOPVEC);
- mpc->mpc_ops = NULL;
return (ENOMEM);
}
slot--;
@@ -1135,8 +554,6 @@ mac_policy_unregister(struct mac_policy_conf *mpc)
LIST_REMOVE(mpc, mpc_list);
MAC_POLICY_LIST_UNLOCK();
- FREE(mpc->mpc_ops, M_MACOPVEC);
- mpc->mpc_ops = NULL;
mpc->mpc_runtime_flags &= ~MPC_RUNTIME_FLAG_REGISTERED;
printf("Security policy unload: %s (%s)\n", mpc->mpc_fullname,
diff --git a/sys/security/mac/mac_system.c b/sys/security/mac/mac_system.c
index 5c3da06b452b..4882c0f46d2c 100644
--- a/sys/security/mac/mac_system.c
+++ b/sys/security/mac/mac_system.c
@@ -471,595 +471,16 @@ static int
mac_policy_register(struct mac_policy_conf *mpc)
{
struct mac_policy_conf *tmpc;
- struct mac_policy_op_entry *mpe;
int slot;
- MALLOC(mpc->mpc_ops, struct mac_policy_ops *, sizeof(*mpc->mpc_ops),
- M_MACOPVEC, M_WAITOK | M_ZERO);
- for (mpe = mpc->mpc_entries; mpe->mpe_constant != MAC_OP_LAST; mpe++) {
- switch (mpe->mpe_constant) {
- case MAC_OP_LAST:
- /*
- * Doesn't actually happen, but this allows checking
- * that all enumerated values are handled.
- */
- break;
- case MAC_DESTROY:
- mpc->mpc_ops->mpo_destroy =
- mpe->mpe_function;
- break;
- case MAC_INIT:
- mpc->mpc_ops->mpo_init =
- mpe->mpe_function;
- break;
- case MAC_SYSCALL:
- mpc->mpc_ops->mpo_syscall =
- mpe->mpe_function;
- break;
- case MAC_INIT_BPFDESC_LABEL:
- mpc->mpc_ops->mpo_init_bpfdesc_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_CRED_LABEL:
- mpc->mpc_ops->mpo_init_cred_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_DEVFSDIRENT_LABEL:
- mpc->mpc_ops->mpo_init_devfsdirent_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_IFNET_LABEL:
- mpc->mpc_ops->mpo_init_ifnet_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_IPQ_LABEL:
- mpc->mpc_ops->mpo_init_ipq_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_MBUF_LABEL:
- mpc->mpc_ops->mpo_init_mbuf_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_MOUNT_LABEL:
- mpc->mpc_ops->mpo_init_mount_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_MOUNT_FS_LABEL:
- mpc->mpc_ops->mpo_init_mount_fs_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_PIPE_LABEL:
- mpc->mpc_ops->mpo_init_pipe_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_SOCKET_LABEL:
- mpc->mpc_ops->mpo_init_socket_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_SOCKET_PEER_LABEL:
- mpc->mpc_ops->mpo_init_socket_peer_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_VNODE_LABEL:
- mpc->mpc_ops->mpo_init_vnode_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_BPFDESC_LABEL:
- mpc->mpc_ops->mpo_destroy_bpfdesc_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_CRED_LABEL:
- mpc->mpc_ops->mpo_destroy_cred_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_DEVFSDIRENT_LABEL:
- mpc->mpc_ops->mpo_destroy_devfsdirent_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_IFNET_LABEL:
- mpc->mpc_ops->mpo_destroy_ifnet_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_IPQ_LABEL:
- mpc->mpc_ops->mpo_destroy_ipq_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_MBUF_LABEL:
- mpc->mpc_ops->mpo_destroy_mbuf_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_MOUNT_LABEL:
- mpc->mpc_ops->mpo_destroy_mount_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_MOUNT_FS_LABEL:
- mpc->mpc_ops->mpo_destroy_mount_fs_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_PIPE_LABEL:
- mpc->mpc_ops->mpo_destroy_pipe_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_SOCKET_LABEL:
- mpc->mpc_ops->mpo_destroy_socket_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_SOCKET_PEER_LABEL:
- mpc->mpc_ops->mpo_destroy_socket_peer_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_VNODE_LABEL:
- mpc->mpc_ops->mpo_destroy_vnode_label =
- mpe->mpe_function;
- break;
- case MAC_COPY_PIPE_LABEL:
- mpc->mpc_ops->mpo_copy_pipe_label =
- mpe->mpe_function;
- break;
- case MAC_COPY_VNODE_LABEL:
- mpc->mpc_ops->mpo_copy_vnode_label =
- mpe->mpe_function;
- break;
- case MAC_EXTERNALIZE_CRED_LABEL:
- mpc->mpc_ops->mpo_externalize_cred_label =
- mpe->mpe_function;
- break;
- case MAC_EXTERNALIZE_IFNET_LABEL:
- mpc->mpc_ops->mpo_externalize_ifnet_label =
- mpe->mpe_function;
- break;
- case MAC_EXTERNALIZE_PIPE_LABEL:
- mpc->mpc_ops->mpo_externalize_pipe_label =
- mpe->mpe_function;
- break;
- case MAC_EXTERNALIZE_SOCKET_LABEL:
- mpc->mpc_ops->mpo_externalize_socket_label =
- mpe->mpe_function;
- break;
- case MAC_EXTERNALIZE_SOCKET_PEER_LABEL:
- mpc->mpc_ops->mpo_externalize_socket_peer_label =
- mpe->mpe_function;
- break;
- case MAC_EXTERNALIZE_VNODE_LABEL:
- mpc->mpc_ops->mpo_externalize_vnode_label =
- mpe->mpe_function;
- break;
- case MAC_INTERNALIZE_CRED_LABEL:
- mpc->mpc_ops->mpo_internalize_cred_label =
- mpe->mpe_function;
- break;
- case MAC_INTERNALIZE_IFNET_LABEL:
- mpc->mpc_ops->mpo_internalize_ifnet_label =
- mpe->mpe_function;
- break;
- case MAC_INTERNALIZE_PIPE_LABEL:
- mpc->mpc_ops->mpo_internalize_pipe_label =
- mpe->mpe_function;
- break;
- case MAC_INTERNALIZE_SOCKET_LABEL:
- mpc->mpc_ops->mpo_internalize_socket_label =
- mpe->mpe_function;
- break;
- case MAC_INTERNALIZE_VNODE_LABEL:
- mpc->mpc_ops->mpo_internalize_vnode_label =
- mpe->mpe_function;
- break;
- case MAC_CREATE_DEVFS_DEVICE:
- mpc->mpc_ops->mpo_create_devfs_device =
- mpe->mpe_function;
- break;
- case MAC_CREATE_DEVFS_DIRECTORY:
- mpc->mpc_ops->mpo_create_devfs_directory =
- mpe->mpe_function;
- break;
- case MAC_CREATE_DEVFS_SYMLINK:
- mpc->mpc_ops->mpo_create_devfs_symlink =
- mpe->mpe_function;
- break;
- case MAC_CREATE_DEVFS_VNODE:
- mpc->mpc_ops->mpo_create_devfs_vnode =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MOUNT:
- mpc->mpc_ops->mpo_create_mount =
- mpe->mpe_function;
- break;
- case MAC_CREATE_ROOT_MOUNT:
- mpc->mpc_ops->mpo_create_root_mount =
- mpe->mpe_function;
- break;
- case MAC_RELABEL_VNODE:
- mpc->mpc_ops->mpo_relabel_vnode =
- mpe->mpe_function;
- break;
- case MAC_UPDATE_DEVFSDIRENT:
- mpc->mpc_ops->mpo_update_devfsdirent =
- mpe->mpe_function;
- break;
- case MAC_ASSOCIATE_VNODE_DEVFS:
- mpc->mpc_ops->mpo_associate_vnode_devfs =
- mpe->mpe_function;
- break;
- case MAC_ASSOCIATE_VNODE_EXTATTR:
- mpc->mpc_ops->mpo_associate_vnode_extattr =
- mpe->mpe_function;
- break;
- case MAC_ASSOCIATE_VNODE_SINGLELABEL:
- mpc->mpc_ops->mpo_associate_vnode_singlelabel =
- mpe->mpe_function;
- break;
- case MAC_CREATE_VNODE_EXTATTR:
- mpc->mpc_ops->mpo_create_vnode_extattr =
- mpe->mpe_function;
- break;
- case MAC_SETLABEL_VNODE_EXTATTR:
- mpc->mpc_ops->mpo_setlabel_vnode_extattr =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MBUF_FROM_SOCKET:
- mpc->mpc_ops->mpo_create_mbuf_from_socket =
- mpe->mpe_function;
- break;
- case MAC_CREATE_PIPE:
- mpc->mpc_ops->mpo_create_pipe =
- mpe->mpe_function;
- break;
- case MAC_CREATE_SOCKET:
- mpc->mpc_ops->mpo_create_socket =
- mpe->mpe_function;
- break;
- case MAC_CREATE_SOCKET_FROM_SOCKET:
- mpc->mpc_ops->mpo_create_socket_from_socket =
- mpe->mpe_function;
- break;
- case MAC_RELABEL_PIPE:
- mpc->mpc_ops->mpo_relabel_pipe =
- mpe->mpe_function;
- break;
- case MAC_RELABEL_SOCKET:
- mpc->mpc_ops->mpo_relabel_socket =
- mpe->mpe_function;
- break;
- case MAC_SET_SOCKET_PEER_FROM_MBUF:
- mpc->mpc_ops->mpo_set_socket_peer_from_mbuf =
- mpe->mpe_function;
- break;
- case MAC_SET_SOCKET_PEER_FROM_SOCKET:
- mpc->mpc_ops->mpo_set_socket_peer_from_socket =
- mpe->mpe_function;
- break;
- case MAC_CREATE_BPFDESC:
- mpc->mpc_ops->mpo_create_bpfdesc =
- mpe->mpe_function;
- break;
- case MAC_CREATE_DATAGRAM_FROM_IPQ:
- mpc->mpc_ops->mpo_create_datagram_from_ipq =
- mpe->mpe_function;
- break;
- case MAC_CREATE_FRAGMENT:
- mpc->mpc_ops->mpo_create_fragment =
- mpe->mpe_function;
- break;
- case MAC_CREATE_IFNET:
- mpc->mpc_ops->mpo_create_ifnet =
- mpe->mpe_function;
- break;
- case MAC_CREATE_IPQ:
- mpc->mpc_ops->mpo_create_ipq =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MBUF_FROM_MBUF:
- mpc->mpc_ops->mpo_create_mbuf_from_mbuf =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MBUF_LINKLAYER:
- mpc->mpc_ops->mpo_create_mbuf_linklayer =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MBUF_FROM_BPFDESC:
- mpc->mpc_ops->mpo_create_mbuf_from_bpfdesc =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MBUF_FROM_IFNET:
- mpc->mpc_ops->mpo_create_mbuf_from_ifnet =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MBUF_MULTICAST_ENCAP:
- mpc->mpc_ops->mpo_create_mbuf_multicast_encap =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MBUF_NETLAYER:
- mpc->mpc_ops->mpo_create_mbuf_netlayer =
- mpe->mpe_function;
- break;
- case MAC_FRAGMENT_MATCH:
- mpc->mpc_ops->mpo_fragment_match =
- mpe->mpe_function;
- break;
- case MAC_RELABEL_IFNET:
- mpc->mpc_ops->mpo_relabel_ifnet =
- mpe->mpe_function;
- break;
- case MAC_UPDATE_IPQ:
- mpc->mpc_ops->mpo_update_ipq =
- mpe->mpe_function;
- break;
- case MAC_CREATE_CRED:
- mpc->mpc_ops->mpo_create_cred =
- mpe->mpe_function;
- break;
- case MAC_EXECVE_TRANSITION:
- mpc->mpc_ops->mpo_execve_transition =
- mpe->mpe_function;
- break;
- case MAC_EXECVE_WILL_TRANSITION:
- mpc->mpc_ops->mpo_execve_will_transition =
- mpe->mpe_function;
- break;
- case MAC_CREATE_PROC0:
- mpc->mpc_ops->mpo_create_proc0 =
- mpe->mpe_function;
- break;
- case MAC_CREATE_PROC1:
- mpc->mpc_ops->mpo_create_proc1 =
- mpe->mpe_function;
- break;
- case MAC_RELABEL_CRED:
- mpc->mpc_ops->mpo_relabel_cred =
- mpe->mpe_function;
- break;
- case MAC_THREAD_USERRET:
- mpc->mpc_ops->mpo_thread_userret =
- mpe->mpe_function;
- break;
- case MAC_CHECK_BPFDESC_RECEIVE:
- mpc->mpc_ops->mpo_check_bpfdesc_receive =
- mpe->mpe_function;
- break;
- case MAC_CHECK_CRED_RELABEL:
- mpc->mpc_ops->mpo_check_cred_relabel =
- mpe->mpe_function;
- break;
- case MAC_CHECK_CRED_VISIBLE:
- mpc->mpc_ops->mpo_check_cred_visible =
- mpe->mpe_function;
- break;
- case MAC_CHECK_IFNET_RELABEL:
- mpc->mpc_ops->mpo_check_ifnet_relabel =
- mpe->mpe_function;
- break;
- case MAC_CHECK_IFNET_TRANSMIT:
- mpc->mpc_ops->mpo_check_ifnet_transmit =
- mpe->mpe_function;
- break;
- case MAC_CHECK_MOUNT_STAT:
- mpc->mpc_ops->mpo_check_mount_stat =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PIPE_IOCTL:
- mpc->mpc_ops->mpo_check_pipe_ioctl =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PIPE_POLL:
- mpc->mpc_ops->mpo_check_pipe_poll =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PIPE_READ:
- mpc->mpc_ops->mpo_check_pipe_read =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PIPE_RELABEL:
- mpc->mpc_ops->mpo_check_pipe_relabel =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PIPE_STAT:
- mpc->mpc_ops->mpo_check_pipe_stat =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PIPE_WRITE:
- mpc->mpc_ops->mpo_check_pipe_write =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PROC_DEBUG:
- mpc->mpc_ops->mpo_check_proc_debug =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PROC_SCHED:
- mpc->mpc_ops->mpo_check_proc_sched =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PROC_SIGNAL:
- mpc->mpc_ops->mpo_check_proc_signal =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_BIND:
- mpc->mpc_ops->mpo_check_socket_bind =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_CONNECT:
- mpc->mpc_ops->mpo_check_socket_connect =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_DELIVER:
- mpc->mpc_ops->mpo_check_socket_deliver =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_LISTEN:
- mpc->mpc_ops->mpo_check_socket_listen =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_RECEIVE:
- mpc->mpc_ops->mpo_check_socket_receive =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_RELABEL:
- mpc->mpc_ops->mpo_check_socket_relabel =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_SEND:
- mpc->mpc_ops->mpo_check_socket_send =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_VISIBLE:
- mpc->mpc_ops->mpo_check_socket_visible =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SYSTEM_REBOOT:
- mpc->mpc_ops->mpo_check_system_reboot =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SYSTEM_SWAPON:
- mpc->mpc_ops->mpo_check_system_swapon =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SYSTEM_SYSCTL:
- mpc->mpc_ops->mpo_check_system_sysctl =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_ACCESS:
- mpc->mpc_ops->mpo_check_vnode_access =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_CHDIR:
- mpc->mpc_ops->mpo_check_vnode_chdir =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_CHROOT:
- mpc->mpc_ops->mpo_check_vnode_chroot =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_CREATE:
- mpc->mpc_ops->mpo_check_vnode_create =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_DELETE:
- mpc->mpc_ops->mpo_check_vnode_delete =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_DELETEACL:
- mpc->mpc_ops->mpo_check_vnode_deleteacl =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_EXEC:
- mpc->mpc_ops->mpo_check_vnode_exec =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_GETACL:
- mpc->mpc_ops->mpo_check_vnode_getacl =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_GETEXTATTR:
- mpc->mpc_ops->mpo_check_vnode_getextattr =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_LINK:
- mpc->mpc_ops->mpo_check_vnode_link =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_LOOKUP:
- mpc->mpc_ops->mpo_check_vnode_lookup =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_MMAP:
- mpc->mpc_ops->mpo_check_vnode_mmap =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_MMAP_DOWNGRADE:
- mpc->mpc_ops->mpo_check_vnode_mmap_downgrade =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_MPROTECT:
- mpc->mpc_ops->mpo_check_vnode_mprotect =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_OPEN:
- mpc->mpc_ops->mpo_check_vnode_open =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_POLL:
- mpc->mpc_ops->mpo_check_vnode_poll =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_READ:
- mpc->mpc_ops->mpo_check_vnode_read =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_READDIR:
- mpc->mpc_ops->mpo_check_vnode_readdir =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_READLINK:
- mpc->mpc_ops->mpo_check_vnode_readlink =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_RELABEL:
- mpc->mpc_ops->mpo_check_vnode_relabel =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_RENAME_FROM:
- mpc->mpc_ops->mpo_check_vnode_rename_from =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_RENAME_TO:
- mpc->mpc_ops->mpo_check_vnode_rename_to =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_REVOKE:
- mpc->mpc_ops->mpo_check_vnode_revoke =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_SETACL:
- mpc->mpc_ops->mpo_check_vnode_setacl =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_SETEXTATTR:
- mpc->mpc_ops->mpo_check_vnode_setextattr =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_SETFLAGS:
- mpc->mpc_ops->mpo_check_vnode_setflags =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_SETMODE:
- mpc->mpc_ops->mpo_check_vnode_setmode =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_SETOWNER:
- mpc->mpc_ops->mpo_check_vnode_setowner =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_SETUTIMES:
- mpc->mpc_ops->mpo_check_vnode_setutimes =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_STAT:
- mpc->mpc_ops->mpo_check_vnode_stat =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_WRITE:
- mpc->mpc_ops->mpo_check_vnode_write =
- mpe->mpe_function;
- break;
-/*
- default:
- printf("MAC policy `%s': unknown operation %d\n",
- mpc->mpc_name, mpe->mpe_constant);
- return (EINVAL);
-*/
- }
- }
MAC_POLICY_LIST_LOCK();
if (mac_policy_list_busy > 0) {
MAC_POLICY_LIST_UNLOCK();
- FREE(mpc->mpc_ops, M_MACOPVEC);
- mpc->mpc_ops = NULL;
return (EBUSY);
}
LIST_FOREACH(tmpc, &mac_policy_list, mpc_list) {
if (strcmp(tmpc->mpc_name, mpc->mpc_name) == 0) {
MAC_POLICY_LIST_UNLOCK();
- FREE(mpc->mpc_ops, M_MACOPVEC);
- mpc->mpc_ops = NULL;
return (EEXIST);
}
}
@@ -1067,8 +488,6 @@ mac_policy_register(struct mac_policy_conf *mpc)
slot = ffs(mac_policy_offsets_free);
if (slot == 0) {
MAC_POLICY_LIST_UNLOCK();
- FREE(mpc->mpc_ops, M_MACOPVEC);
- mpc->mpc_ops = NULL;
return (ENOMEM);
}
slot--;
@@ -1135,8 +554,6 @@ mac_policy_unregister(struct mac_policy_conf *mpc)
LIST_REMOVE(mpc, mpc_list);
MAC_POLICY_LIST_UNLOCK();
- FREE(mpc->mpc_ops, M_MACOPVEC);
- mpc->mpc_ops = NULL;
mpc->mpc_runtime_flags &= ~MPC_RUNTIME_FLAG_REGISTERED;
printf("Security policy unload: %s (%s)\n", mpc->mpc_fullname,
diff --git a/sys/security/mac/mac_vfs.c b/sys/security/mac/mac_vfs.c
index 5c3da06b452b..4882c0f46d2c 100644
--- a/sys/security/mac/mac_vfs.c
+++ b/sys/security/mac/mac_vfs.c
@@ -471,595 +471,16 @@ static int
mac_policy_register(struct mac_policy_conf *mpc)
{
struct mac_policy_conf *tmpc;
- struct mac_policy_op_entry *mpe;
int slot;
- MALLOC(mpc->mpc_ops, struct mac_policy_ops *, sizeof(*mpc->mpc_ops),
- M_MACOPVEC, M_WAITOK | M_ZERO);
- for (mpe = mpc->mpc_entries; mpe->mpe_constant != MAC_OP_LAST; mpe++) {
- switch (mpe->mpe_constant) {
- case MAC_OP_LAST:
- /*
- * Doesn't actually happen, but this allows checking
- * that all enumerated values are handled.
- */
- break;
- case MAC_DESTROY:
- mpc->mpc_ops->mpo_destroy =
- mpe->mpe_function;
- break;
- case MAC_INIT:
- mpc->mpc_ops->mpo_init =
- mpe->mpe_function;
- break;
- case MAC_SYSCALL:
- mpc->mpc_ops->mpo_syscall =
- mpe->mpe_function;
- break;
- case MAC_INIT_BPFDESC_LABEL:
- mpc->mpc_ops->mpo_init_bpfdesc_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_CRED_LABEL:
- mpc->mpc_ops->mpo_init_cred_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_DEVFSDIRENT_LABEL:
- mpc->mpc_ops->mpo_init_devfsdirent_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_IFNET_LABEL:
- mpc->mpc_ops->mpo_init_ifnet_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_IPQ_LABEL:
- mpc->mpc_ops->mpo_init_ipq_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_MBUF_LABEL:
- mpc->mpc_ops->mpo_init_mbuf_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_MOUNT_LABEL:
- mpc->mpc_ops->mpo_init_mount_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_MOUNT_FS_LABEL:
- mpc->mpc_ops->mpo_init_mount_fs_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_PIPE_LABEL:
- mpc->mpc_ops->mpo_init_pipe_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_SOCKET_LABEL:
- mpc->mpc_ops->mpo_init_socket_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_SOCKET_PEER_LABEL:
- mpc->mpc_ops->mpo_init_socket_peer_label =
- mpe->mpe_function;
- break;
- case MAC_INIT_VNODE_LABEL:
- mpc->mpc_ops->mpo_init_vnode_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_BPFDESC_LABEL:
- mpc->mpc_ops->mpo_destroy_bpfdesc_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_CRED_LABEL:
- mpc->mpc_ops->mpo_destroy_cred_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_DEVFSDIRENT_LABEL:
- mpc->mpc_ops->mpo_destroy_devfsdirent_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_IFNET_LABEL:
- mpc->mpc_ops->mpo_destroy_ifnet_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_IPQ_LABEL:
- mpc->mpc_ops->mpo_destroy_ipq_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_MBUF_LABEL:
- mpc->mpc_ops->mpo_destroy_mbuf_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_MOUNT_LABEL:
- mpc->mpc_ops->mpo_destroy_mount_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_MOUNT_FS_LABEL:
- mpc->mpc_ops->mpo_destroy_mount_fs_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_PIPE_LABEL:
- mpc->mpc_ops->mpo_destroy_pipe_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_SOCKET_LABEL:
- mpc->mpc_ops->mpo_destroy_socket_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_SOCKET_PEER_LABEL:
- mpc->mpc_ops->mpo_destroy_socket_peer_label =
- mpe->mpe_function;
- break;
- case MAC_DESTROY_VNODE_LABEL:
- mpc->mpc_ops->mpo_destroy_vnode_label =
- mpe->mpe_function;
- break;
- case MAC_COPY_PIPE_LABEL:
- mpc->mpc_ops->mpo_copy_pipe_label =
- mpe->mpe_function;
- break;
- case MAC_COPY_VNODE_LABEL:
- mpc->mpc_ops->mpo_copy_vnode_label =
- mpe->mpe_function;
- break;
- case MAC_EXTERNALIZE_CRED_LABEL:
- mpc->mpc_ops->mpo_externalize_cred_label =
- mpe->mpe_function;
- break;
- case MAC_EXTERNALIZE_IFNET_LABEL:
- mpc->mpc_ops->mpo_externalize_ifnet_label =
- mpe->mpe_function;
- break;
- case MAC_EXTERNALIZE_PIPE_LABEL:
- mpc->mpc_ops->mpo_externalize_pipe_label =
- mpe->mpe_function;
- break;
- case MAC_EXTERNALIZE_SOCKET_LABEL:
- mpc->mpc_ops->mpo_externalize_socket_label =
- mpe->mpe_function;
- break;
- case MAC_EXTERNALIZE_SOCKET_PEER_LABEL:
- mpc->mpc_ops->mpo_externalize_socket_peer_label =
- mpe->mpe_function;
- break;
- case MAC_EXTERNALIZE_VNODE_LABEL:
- mpc->mpc_ops->mpo_externalize_vnode_label =
- mpe->mpe_function;
- break;
- case MAC_INTERNALIZE_CRED_LABEL:
- mpc->mpc_ops->mpo_internalize_cred_label =
- mpe->mpe_function;
- break;
- case MAC_INTERNALIZE_IFNET_LABEL:
- mpc->mpc_ops->mpo_internalize_ifnet_label =
- mpe->mpe_function;
- break;
- case MAC_INTERNALIZE_PIPE_LABEL:
- mpc->mpc_ops->mpo_internalize_pipe_label =
- mpe->mpe_function;
- break;
- case MAC_INTERNALIZE_SOCKET_LABEL:
- mpc->mpc_ops->mpo_internalize_socket_label =
- mpe->mpe_function;
- break;
- case MAC_INTERNALIZE_VNODE_LABEL:
- mpc->mpc_ops->mpo_internalize_vnode_label =
- mpe->mpe_function;
- break;
- case MAC_CREATE_DEVFS_DEVICE:
- mpc->mpc_ops->mpo_create_devfs_device =
- mpe->mpe_function;
- break;
- case MAC_CREATE_DEVFS_DIRECTORY:
- mpc->mpc_ops->mpo_create_devfs_directory =
- mpe->mpe_function;
- break;
- case MAC_CREATE_DEVFS_SYMLINK:
- mpc->mpc_ops->mpo_create_devfs_symlink =
- mpe->mpe_function;
- break;
- case MAC_CREATE_DEVFS_VNODE:
- mpc->mpc_ops->mpo_create_devfs_vnode =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MOUNT:
- mpc->mpc_ops->mpo_create_mount =
- mpe->mpe_function;
- break;
- case MAC_CREATE_ROOT_MOUNT:
- mpc->mpc_ops->mpo_create_root_mount =
- mpe->mpe_function;
- break;
- case MAC_RELABEL_VNODE:
- mpc->mpc_ops->mpo_relabel_vnode =
- mpe->mpe_function;
- break;
- case MAC_UPDATE_DEVFSDIRENT:
- mpc->mpc_ops->mpo_update_devfsdirent =
- mpe->mpe_function;
- break;
- case MAC_ASSOCIATE_VNODE_DEVFS:
- mpc->mpc_ops->mpo_associate_vnode_devfs =
- mpe->mpe_function;
- break;
- case MAC_ASSOCIATE_VNODE_EXTATTR:
- mpc->mpc_ops->mpo_associate_vnode_extattr =
- mpe->mpe_function;
- break;
- case MAC_ASSOCIATE_VNODE_SINGLELABEL:
- mpc->mpc_ops->mpo_associate_vnode_singlelabel =
- mpe->mpe_function;
- break;
- case MAC_CREATE_VNODE_EXTATTR:
- mpc->mpc_ops->mpo_create_vnode_extattr =
- mpe->mpe_function;
- break;
- case MAC_SETLABEL_VNODE_EXTATTR:
- mpc->mpc_ops->mpo_setlabel_vnode_extattr =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MBUF_FROM_SOCKET:
- mpc->mpc_ops->mpo_create_mbuf_from_socket =
- mpe->mpe_function;
- break;
- case MAC_CREATE_PIPE:
- mpc->mpc_ops->mpo_create_pipe =
- mpe->mpe_function;
- break;
- case MAC_CREATE_SOCKET:
- mpc->mpc_ops->mpo_create_socket =
- mpe->mpe_function;
- break;
- case MAC_CREATE_SOCKET_FROM_SOCKET:
- mpc->mpc_ops->mpo_create_socket_from_socket =
- mpe->mpe_function;
- break;
- case MAC_RELABEL_PIPE:
- mpc->mpc_ops->mpo_relabel_pipe =
- mpe->mpe_function;
- break;
- case MAC_RELABEL_SOCKET:
- mpc->mpc_ops->mpo_relabel_socket =
- mpe->mpe_function;
- break;
- case MAC_SET_SOCKET_PEER_FROM_MBUF:
- mpc->mpc_ops->mpo_set_socket_peer_from_mbuf =
- mpe->mpe_function;
- break;
- case MAC_SET_SOCKET_PEER_FROM_SOCKET:
- mpc->mpc_ops->mpo_set_socket_peer_from_socket =
- mpe->mpe_function;
- break;
- case MAC_CREATE_BPFDESC:
- mpc->mpc_ops->mpo_create_bpfdesc =
- mpe->mpe_function;
- break;
- case MAC_CREATE_DATAGRAM_FROM_IPQ:
- mpc->mpc_ops->mpo_create_datagram_from_ipq =
- mpe->mpe_function;
- break;
- case MAC_CREATE_FRAGMENT:
- mpc->mpc_ops->mpo_create_fragment =
- mpe->mpe_function;
- break;
- case MAC_CREATE_IFNET:
- mpc->mpc_ops->mpo_create_ifnet =
- mpe->mpe_function;
- break;
- case MAC_CREATE_IPQ:
- mpc->mpc_ops->mpo_create_ipq =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MBUF_FROM_MBUF:
- mpc->mpc_ops->mpo_create_mbuf_from_mbuf =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MBUF_LINKLAYER:
- mpc->mpc_ops->mpo_create_mbuf_linklayer =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MBUF_FROM_BPFDESC:
- mpc->mpc_ops->mpo_create_mbuf_from_bpfdesc =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MBUF_FROM_IFNET:
- mpc->mpc_ops->mpo_create_mbuf_from_ifnet =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MBUF_MULTICAST_ENCAP:
- mpc->mpc_ops->mpo_create_mbuf_multicast_encap =
- mpe->mpe_function;
- break;
- case MAC_CREATE_MBUF_NETLAYER:
- mpc->mpc_ops->mpo_create_mbuf_netlayer =
- mpe->mpe_function;
- break;
- case MAC_FRAGMENT_MATCH:
- mpc->mpc_ops->mpo_fragment_match =
- mpe->mpe_function;
- break;
- case MAC_RELABEL_IFNET:
- mpc->mpc_ops->mpo_relabel_ifnet =
- mpe->mpe_function;
- break;
- case MAC_UPDATE_IPQ:
- mpc->mpc_ops->mpo_update_ipq =
- mpe->mpe_function;
- break;
- case MAC_CREATE_CRED:
- mpc->mpc_ops->mpo_create_cred =
- mpe->mpe_function;
- break;
- case MAC_EXECVE_TRANSITION:
- mpc->mpc_ops->mpo_execve_transition =
- mpe->mpe_function;
- break;
- case MAC_EXECVE_WILL_TRANSITION:
- mpc->mpc_ops->mpo_execve_will_transition =
- mpe->mpe_function;
- break;
- case MAC_CREATE_PROC0:
- mpc->mpc_ops->mpo_create_proc0 =
- mpe->mpe_function;
- break;
- case MAC_CREATE_PROC1:
- mpc->mpc_ops->mpo_create_proc1 =
- mpe->mpe_function;
- break;
- case MAC_RELABEL_CRED:
- mpc->mpc_ops->mpo_relabel_cred =
- mpe->mpe_function;
- break;
- case MAC_THREAD_USERRET:
- mpc->mpc_ops->mpo_thread_userret =
- mpe->mpe_function;
- break;
- case MAC_CHECK_BPFDESC_RECEIVE:
- mpc->mpc_ops->mpo_check_bpfdesc_receive =
- mpe->mpe_function;
- break;
- case MAC_CHECK_CRED_RELABEL:
- mpc->mpc_ops->mpo_check_cred_relabel =
- mpe->mpe_function;
- break;
- case MAC_CHECK_CRED_VISIBLE:
- mpc->mpc_ops->mpo_check_cred_visible =
- mpe->mpe_function;
- break;
- case MAC_CHECK_IFNET_RELABEL:
- mpc->mpc_ops->mpo_check_ifnet_relabel =
- mpe->mpe_function;
- break;
- case MAC_CHECK_IFNET_TRANSMIT:
- mpc->mpc_ops->mpo_check_ifnet_transmit =
- mpe->mpe_function;
- break;
- case MAC_CHECK_MOUNT_STAT:
- mpc->mpc_ops->mpo_check_mount_stat =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PIPE_IOCTL:
- mpc->mpc_ops->mpo_check_pipe_ioctl =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PIPE_POLL:
- mpc->mpc_ops->mpo_check_pipe_poll =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PIPE_READ:
- mpc->mpc_ops->mpo_check_pipe_read =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PIPE_RELABEL:
- mpc->mpc_ops->mpo_check_pipe_relabel =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PIPE_STAT:
- mpc->mpc_ops->mpo_check_pipe_stat =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PIPE_WRITE:
- mpc->mpc_ops->mpo_check_pipe_write =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PROC_DEBUG:
- mpc->mpc_ops->mpo_check_proc_debug =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PROC_SCHED:
- mpc->mpc_ops->mpo_check_proc_sched =
- mpe->mpe_function;
- break;
- case MAC_CHECK_PROC_SIGNAL:
- mpc->mpc_ops->mpo_check_proc_signal =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_BIND:
- mpc->mpc_ops->mpo_check_socket_bind =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_CONNECT:
- mpc->mpc_ops->mpo_check_socket_connect =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_DELIVER:
- mpc->mpc_ops->mpo_check_socket_deliver =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_LISTEN:
- mpc->mpc_ops->mpo_check_socket_listen =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_RECEIVE:
- mpc->mpc_ops->mpo_check_socket_receive =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_RELABEL:
- mpc->mpc_ops->mpo_check_socket_relabel =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_SEND:
- mpc->mpc_ops->mpo_check_socket_send =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SOCKET_VISIBLE:
- mpc->mpc_ops->mpo_check_socket_visible =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SYSTEM_REBOOT:
- mpc->mpc_ops->mpo_check_system_reboot =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SYSTEM_SWAPON:
- mpc->mpc_ops->mpo_check_system_swapon =
- mpe->mpe_function;
- break;
- case MAC_CHECK_SYSTEM_SYSCTL:
- mpc->mpc_ops->mpo_check_system_sysctl =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_ACCESS:
- mpc->mpc_ops->mpo_check_vnode_access =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_CHDIR:
- mpc->mpc_ops->mpo_check_vnode_chdir =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_CHROOT:
- mpc->mpc_ops->mpo_check_vnode_chroot =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_CREATE:
- mpc->mpc_ops->mpo_check_vnode_create =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_DELETE:
- mpc->mpc_ops->mpo_check_vnode_delete =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_DELETEACL:
- mpc->mpc_ops->mpo_check_vnode_deleteacl =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_EXEC:
- mpc->mpc_ops->mpo_check_vnode_exec =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_GETACL:
- mpc->mpc_ops->mpo_check_vnode_getacl =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_GETEXTATTR:
- mpc->mpc_ops->mpo_check_vnode_getextattr =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_LINK:
- mpc->mpc_ops->mpo_check_vnode_link =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_LOOKUP:
- mpc->mpc_ops->mpo_check_vnode_lookup =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_MMAP:
- mpc->mpc_ops->mpo_check_vnode_mmap =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_MMAP_DOWNGRADE:
- mpc->mpc_ops->mpo_check_vnode_mmap_downgrade =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_MPROTECT:
- mpc->mpc_ops->mpo_check_vnode_mprotect =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_OPEN:
- mpc->mpc_ops->mpo_check_vnode_open =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_POLL:
- mpc->mpc_ops->mpo_check_vnode_poll =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_READ:
- mpc->mpc_ops->mpo_check_vnode_read =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_READDIR:
- mpc->mpc_ops->mpo_check_vnode_readdir =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_READLINK:
- mpc->mpc_ops->mpo_check_vnode_readlink =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_RELABEL:
- mpc->mpc_ops->mpo_check_vnode_relabel =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_RENAME_FROM:
- mpc->mpc_ops->mpo_check_vnode_rename_from =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_RENAME_TO:
- mpc->mpc_ops->mpo_check_vnode_rename_to =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_REVOKE:
- mpc->mpc_ops->mpo_check_vnode_revoke =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_SETACL:
- mpc->mpc_ops->mpo_check_vnode_setacl =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_SETEXTATTR:
- mpc->mpc_ops->mpo_check_vnode_setextattr =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_SETFLAGS:
- mpc->mpc_ops->mpo_check_vnode_setflags =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_SETMODE:
- mpc->mpc_ops->mpo_check_vnode_setmode =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_SETOWNER:
- mpc->mpc_ops->mpo_check_vnode_setowner =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_SETUTIMES:
- mpc->mpc_ops->mpo_check_vnode_setutimes =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_STAT:
- mpc->mpc_ops->mpo_check_vnode_stat =
- mpe->mpe_function;
- break;
- case MAC_CHECK_VNODE_WRITE:
- mpc->mpc_ops->mpo_check_vnode_write =
- mpe->mpe_function;
- break;
-/*
- default:
- printf("MAC policy `%s': unknown operation %d\n",
- mpc->mpc_name, mpe->mpe_constant);
- return (EINVAL);
-*/
- }
- }
MAC_POLICY_LIST_LOCK();
if (mac_policy_list_busy > 0) {
MAC_POLICY_LIST_UNLOCK();
- FREE(mpc->mpc_ops, M_MACOPVEC);
- mpc->mpc_ops = NULL;
return (EBUSY);
}
LIST_FOREACH(tmpc, &mac_policy_list, mpc_list) {
if (strcmp(tmpc->mpc_name, mpc->mpc_name) == 0) {
MAC_POLICY_LIST_UNLOCK();
- FREE(mpc->mpc_ops, M_MACOPVEC);
- mpc->mpc_ops = NULL;
return (EEXIST);
}
}
@@ -1067,8 +488,6 @@ mac_policy_register(struct mac_policy_conf *mpc)
slot = ffs(mac_policy_offsets_free);
if (slot == 0) {
MAC_POLICY_LIST_UNLOCK();
- FREE(mpc->mpc_ops, M_MACOPVEC);
- mpc->mpc_ops = NULL;
return (ENOMEM);
}
slot--;
@@ -1135,8 +554,6 @@ mac_policy_unregister(struct mac_policy_conf *mpc)
LIST_REMOVE(mpc, mpc_list);
MAC_POLICY_LIST_UNLOCK();
- FREE(mpc->mpc_ops, M_MACOPVEC);
- mpc->mpc_ops = NULL;
mpc->mpc_runtime_flags &= ~MPC_RUNTIME_FLAG_REGISTERED;
printf("Security policy unload: %s (%s)\n", mpc->mpc_fullname,
diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c
index 93bec8483f9c..f60028edfc81 100644
--- a/sys/security/mac_biba/mac_biba.c
+++ b/sys/security/mac_biba/mac_biba.c
@@ -2508,270 +2508,139 @@ mac_biba_check_vnode_write(struct ucred *active_cred,
return (0);
}
-static struct mac_policy_op_entry mac_biba_ops[] =
+static struct mac_policy_ops mac_biba_ops =
{
- { MAC_DESTROY,
- (macop_t)mac_biba_destroy },
- { MAC_INIT,
- (macop_t)mac_biba_init },
- { MAC_INIT_BPFDESC_LABEL,
- (macop_t)mac_biba_init_label },
- { MAC_INIT_CRED_LABEL,
- (macop_t)mac_biba_init_label },
- { MAC_INIT_DEVFSDIRENT_LABEL,
- (macop_t)mac_biba_init_label },
- { MAC_INIT_IFNET_LABEL,
- (macop_t)mac_biba_init_label },
- { MAC_INIT_IPQ_LABEL,
- (macop_t)mac_biba_init_label },
- { MAC_INIT_MBUF_LABEL,
- (macop_t)mac_biba_init_label_waitcheck },
- { MAC_INIT_MOUNT_LABEL,
- (macop_t)mac_biba_init_label },
- { MAC_INIT_MOUNT_FS_LABEL,
- (macop_t)mac_biba_init_label },
- { MAC_INIT_PIPE_LABEL,
- (macop_t)mac_biba_init_label },
- { MAC_INIT_SOCKET_LABEL,
- (macop_t)mac_biba_init_label_waitcheck },
- { MAC_INIT_SOCKET_PEER_LABEL,
- (macop_t)mac_biba_init_label_waitcheck },
- { MAC_INIT_VNODE_LABEL,
- (macop_t)mac_biba_init_label },
- { MAC_DESTROY_BPFDESC_LABEL,
- (macop_t)mac_biba_destroy_label },
- { MAC_DESTROY_CRED_LABEL,
- (macop_t)mac_biba_destroy_label },
- { MAC_DESTROY_DEVFSDIRENT_LABEL,
- (macop_t)mac_biba_destroy_label },
- { MAC_DESTROY_IFNET_LABEL,
- (macop_t)mac_biba_destroy_label },
- { MAC_DESTROY_IPQ_LABEL,
- (macop_t)mac_biba_destroy_label },
- { MAC_DESTROY_MBUF_LABEL,
- (macop_t)mac_biba_destroy_label },
- { MAC_DESTROY_MOUNT_LABEL,
- (macop_t)mac_biba_destroy_label },
- { MAC_DESTROY_MOUNT_FS_LABEL,
- (macop_t)mac_biba_destroy_label },
- { MAC_DESTROY_PIPE_LABEL,
- (macop_t)mac_biba_destroy_label },
- { MAC_DESTROY_SOCKET_LABEL,
- (macop_t)mac_biba_destroy_label },
- { MAC_DESTROY_SOCKET_PEER_LABEL,
- (macop_t)mac_biba_destroy_label },
- { MAC_DESTROY_VNODE_LABEL,
- (macop_t)mac_biba_destroy_label },
- { MAC_COPY_PIPE_LABEL,
- (macop_t)mac_biba_copy_label },
- { MAC_COPY_VNODE_LABEL,
- (macop_t)mac_biba_copy_label },
- { MAC_EXTERNALIZE_CRED_LABEL,
- (macop_t)mac_biba_externalize_label },
- { MAC_EXTERNALIZE_IFNET_LABEL,
- (macop_t)mac_biba_externalize_label },
- { MAC_EXTERNALIZE_PIPE_LABEL,
- (macop_t)mac_biba_externalize_label },
- { MAC_EXTERNALIZE_SOCKET_LABEL,
- (macop_t)mac_biba_externalize_label },
- { MAC_EXTERNALIZE_SOCKET_PEER_LABEL,
- (macop_t)mac_biba_externalize_label },
- { MAC_EXTERNALIZE_VNODE_LABEL,
- (macop_t)mac_biba_externalize_label },
- { MAC_INTERNALIZE_CRED_LABEL,
- (macop_t)mac_biba_internalize_label },
- { MAC_INTERNALIZE_IFNET_LABEL,
- (macop_t)mac_biba_internalize_label },
- { MAC_INTERNALIZE_PIPE_LABEL,
- (macop_t)mac_biba_internalize_label },
- { MAC_INTERNALIZE_SOCKET_LABEL,
- (macop_t)mac_biba_internalize_label },
- { MAC_INTERNALIZE_VNODE_LABEL,
- (macop_t)mac_biba_internalize_label },
- { MAC_CREATE_DEVFS_DEVICE,
- (macop_t)mac_biba_create_devfs_device },
- { MAC_CREATE_DEVFS_DIRECTORY,
- (macop_t)mac_biba_create_devfs_directory },
- { MAC_CREATE_DEVFS_SYMLINK,
- (macop_t)mac_biba_create_devfs_symlink },
- { MAC_CREATE_DEVFS_VNODE,
- (macop_t)mac_biba_create_devfs_vnode },
- { MAC_CREATE_MOUNT,
- (macop_t)mac_biba_create_mount },
- { MAC_CREATE_ROOT_MOUNT,
- (macop_t)mac_biba_create_root_mount },
- { MAC_RELABEL_VNODE,
- (macop_t)mac_biba_relabel_vnode },
- { MAC_UPDATE_DEVFSDIRENT,
- (macop_t)mac_biba_update_devfsdirent },
- { MAC_ASSOCIATE_VNODE_DEVFS,
- (macop_t)mac_biba_associate_vnode_devfs },
- { MAC_ASSOCIATE_VNODE_EXTATTR,
- (macop_t)mac_biba_associate_vnode_extattr },
- { MAC_ASSOCIATE_VNODE_SINGLELABEL,
- (macop_t)mac_biba_associate_vnode_singlelabel },
- { MAC_CREATE_VNODE_EXTATTR,
- (macop_t)mac_biba_create_vnode_extattr },
- { MAC_SETLABEL_VNODE_EXTATTR,
- (macop_t)mac_biba_setlabel_vnode_extattr },
- { MAC_CREATE_MBUF_FROM_SOCKET,
- (macop_t)mac_biba_create_mbuf_from_socket },
- { MAC_CREATE_PIPE,
- (macop_t)mac_biba_create_pipe },
- { MAC_CREATE_SOCKET,
- (macop_t)mac_biba_create_socket },
- { MAC_CREATE_SOCKET_FROM_SOCKET,
- (macop_t)mac_biba_create_socket_from_socket },
- { MAC_RELABEL_PIPE,
- (macop_t)mac_biba_relabel_pipe },
- { MAC_RELABEL_SOCKET,
- (macop_t)mac_biba_relabel_socket },
- { MAC_SET_SOCKET_PEER_FROM_MBUF,
- (macop_t)mac_biba_set_socket_peer_from_mbuf },
- { MAC_SET_SOCKET_PEER_FROM_SOCKET,
- (macop_t)mac_biba_set_socket_peer_from_socket },
- { MAC_CREATE_BPFDESC,
- (macop_t)mac_biba_create_bpfdesc },
- { MAC_CREATE_DATAGRAM_FROM_IPQ,
- (macop_t)mac_biba_create_datagram_from_ipq },
- { MAC_CREATE_FRAGMENT,
- (macop_t)mac_biba_create_fragment },
- { MAC_CREATE_IFNET,
- (macop_t)mac_biba_create_ifnet },
- { MAC_CREATE_IPQ,
- (macop_t)mac_biba_create_ipq },
- { MAC_CREATE_MBUF_FROM_MBUF,
- (macop_t)mac_biba_create_mbuf_from_mbuf },
- { MAC_CREATE_MBUF_LINKLAYER,
- (macop_t)mac_biba_create_mbuf_linklayer },
- { MAC_CREATE_MBUF_FROM_BPFDESC,
- (macop_t)mac_biba_create_mbuf_from_bpfdesc },
- { MAC_CREATE_MBUF_FROM_IFNET,
- (macop_t)mac_biba_create_mbuf_from_ifnet },
- { MAC_CREATE_MBUF_MULTICAST_ENCAP,
- (macop_t)mac_biba_create_mbuf_multicast_encap },
- { MAC_CREATE_MBUF_NETLAYER,
- (macop_t)mac_biba_create_mbuf_netlayer },
- { MAC_FRAGMENT_MATCH,
- (macop_t)mac_biba_fragment_match },
- { MAC_RELABEL_IFNET,
- (macop_t)mac_biba_relabel_ifnet },
- { MAC_UPDATE_IPQ,
- (macop_t)mac_biba_update_ipq },
- { MAC_CREATE_CRED,
- (macop_t)mac_biba_create_cred },
- { MAC_EXECVE_TRANSITION,
- (macop_t)mac_biba_execve_transition },
- { MAC_EXECVE_WILL_TRANSITION,
- (macop_t)mac_biba_execve_will_transition },
- { MAC_CREATE_PROC0,
- (macop_t)mac_biba_create_proc0 },
- { MAC_CREATE_PROC1,
- (macop_t)mac_biba_create_proc1 },
- { MAC_RELABEL_CRED,
- (macop_t)mac_biba_relabel_cred },
- { MAC_CHECK_BPFDESC_RECEIVE,
- (macop_t)mac_biba_check_bpfdesc_receive },
- { MAC_CHECK_CRED_RELABEL,
- (macop_t)mac_biba_check_cred_relabel },
- { MAC_CHECK_CRED_VISIBLE,
- (macop_t)mac_biba_check_cred_visible },
- { MAC_CHECK_IFNET_RELABEL,
- (macop_t)mac_biba_check_ifnet_relabel },
- { MAC_CHECK_IFNET_TRANSMIT,
- (macop_t)mac_biba_check_ifnet_transmit },
- { MAC_CHECK_MOUNT_STAT,
- (macop_t)mac_biba_check_mount_stat },
- { MAC_CHECK_PIPE_IOCTL,
- (macop_t)mac_biba_check_pipe_ioctl },
- { MAC_CHECK_PIPE_POLL,
- (macop_t)mac_biba_check_pipe_poll },
- { MAC_CHECK_PIPE_READ,
- (macop_t)mac_biba_check_pipe_read },
- { MAC_CHECK_PIPE_RELABEL,
- (macop_t)mac_biba_check_pipe_relabel },
- { MAC_CHECK_PIPE_STAT,
- (macop_t)mac_biba_check_pipe_stat },
- { MAC_CHECK_PIPE_WRITE,
- (macop_t)mac_biba_check_pipe_write },
- { MAC_CHECK_PROC_DEBUG,
- (macop_t)mac_biba_check_proc_debug },
- { MAC_CHECK_PROC_SCHED,
- (macop_t)mac_biba_check_proc_sched },
- { MAC_CHECK_PROC_SIGNAL,
- (macop_t)mac_biba_check_proc_signal },
- { MAC_CHECK_SOCKET_DELIVER,
- (macop_t)mac_biba_check_socket_deliver },
- { MAC_CHECK_SOCKET_RELABEL,
- (macop_t)mac_biba_check_socket_relabel },
- { MAC_CHECK_SOCKET_VISIBLE,
- (macop_t)mac_biba_check_socket_visible },
- { MAC_CHECK_SYSTEM_SWAPON,
- (macop_t)mac_biba_check_system_swapon },
- { MAC_CHECK_SYSTEM_SYSCTL,
- (macop_t)mac_biba_check_system_sysctl },
- { MAC_CHECK_VNODE_ACCESS,
- (macop_t)mac_biba_check_vnode_open },
- { MAC_CHECK_VNODE_CHDIR,
- (macop_t)mac_biba_check_vnode_chdir },
- { MAC_CHECK_VNODE_CHROOT,
- (macop_t)mac_biba_check_vnode_chroot },
- { MAC_CHECK_VNODE_CREATE,
- (macop_t)mac_biba_check_vnode_create },
- { MAC_CHECK_VNODE_DELETE,
- (macop_t)mac_biba_check_vnode_delete },
- { MAC_CHECK_VNODE_DELETEACL,
- (macop_t)mac_biba_check_vnode_deleteacl },
- { MAC_CHECK_VNODE_EXEC,
- (macop_t)mac_biba_check_vnode_exec },
- { MAC_CHECK_VNODE_GETACL,
- (macop_t)mac_biba_check_vnode_getacl },
- { MAC_CHECK_VNODE_GETEXTATTR,
- (macop_t)mac_biba_check_vnode_getextattr },
- { MAC_CHECK_VNODE_LINK,
- (macop_t)mac_biba_check_vnode_link },
- { MAC_CHECK_VNODE_LOOKUP,
- (macop_t)mac_biba_check_vnode_lookup },
- { MAC_CHECK_VNODE_MMAP,
- (macop_t)mac_biba_check_vnode_mmap },
- { MAC_CHECK_VNODE_MPROTECT,
- (macop_t)mac_biba_check_vnode_mmap },
- { MAC_CHECK_VNODE_OPEN,
- (macop_t)mac_biba_check_vnode_open },
- { MAC_CHECK_VNODE_POLL,
- (macop_t)mac_biba_check_vnode_poll },
- { MAC_CHECK_VNODE_READ,
- (macop_t)mac_biba_check_vnode_read },
- { MAC_CHECK_VNODE_READDIR,
- (macop_t)mac_biba_check_vnode_readdir },
- { MAC_CHECK_VNODE_READLINK,
- (macop_t)mac_biba_check_vnode_readlink },
- { MAC_CHECK_VNODE_RELABEL,
- (macop_t)mac_biba_check_vnode_relabel },
- { MAC_CHECK_VNODE_RENAME_FROM,
- (macop_t)mac_biba_check_vnode_rename_from },
- { MAC_CHECK_VNODE_RENAME_TO,
- (macop_t)mac_biba_check_vnode_rename_to },
- { MAC_CHECK_VNODE_REVOKE,
- (macop_t)mac_biba_check_vnode_revoke },
- { MAC_CHECK_VNODE_SETACL,
- (macop_t)mac_biba_check_vnode_setacl },
- { MAC_CHECK_VNODE_SETEXTATTR,
- (macop_t)mac_biba_check_vnode_setextattr },
- { MAC_CHECK_VNODE_SETFLAGS,
- (macop_t)mac_biba_check_vnode_setflags },
- { MAC_CHECK_VNODE_SETMODE,
- (macop_t)mac_biba_check_vnode_setmode },
- { MAC_CHECK_VNODE_SETOWNER,
- (macop_t)mac_biba_check_vnode_setowner },
- { MAC_CHECK_VNODE_SETUTIMES,
- (macop_t)mac_biba_check_vnode_setutimes },
- { MAC_CHECK_VNODE_STAT,
- (macop_t)mac_biba_check_vnode_stat },
- { MAC_CHECK_VNODE_WRITE,
- (macop_t)mac_biba_check_vnode_write },
- { MAC_OP_LAST, NULL }
+ .mpo_destroy = mac_biba_destroy,
+ .mpo_init = mac_biba_init,
+ .mpo_init_bpfdesc_label = mac_biba_init_label,
+ .mpo_init_cred_label = mac_biba_init_label,
+ .mpo_init_devfsdirent_label = mac_biba_init_label,
+ .mpo_init_ifnet_label = mac_biba_init_label,
+ .mpo_init_ipq_label = mac_biba_init_label,
+ .mpo_init_mbuf_label = mac_biba_init_label_waitcheck,
+ .mpo_init_mount_label = mac_biba_init_label,
+ .mpo_init_mount_fs_label = mac_biba_init_label,
+ .mpo_init_pipe_label = mac_biba_init_label,
+ .mpo_init_socket_label = mac_biba_init_label_waitcheck,
+ .mpo_init_socket_peer_label = mac_biba_init_label_waitcheck,
+ .mpo_init_vnode_label = mac_biba_init_label,
+ .mpo_destroy_bpfdesc_label = mac_biba_destroy_label,
+ .mpo_destroy_cred_label = mac_biba_destroy_label,
+ .mpo_destroy_devfsdirent_label = mac_biba_destroy_label,
+ .mpo_destroy_ifnet_label = mac_biba_destroy_label,
+ .mpo_destroy_ipq_label = mac_biba_destroy_label,
+ .mpo_destroy_mbuf_label = mac_biba_destroy_label,
+ .mpo_destroy_mount_label = mac_biba_destroy_label,
+ .mpo_destroy_mount_fs_label = mac_biba_destroy_label,
+ .mpo_destroy_pipe_label = mac_biba_destroy_label,
+ .mpo_destroy_socket_label = mac_biba_destroy_label,
+ .mpo_destroy_socket_peer_label = mac_biba_destroy_label,
+ .mpo_destroy_vnode_label = mac_biba_destroy_label,
+ .mpo_copy_pipe_label = mac_biba_copy_label,
+ .mpo_copy_vnode_label = mac_biba_copy_label,
+ .mpo_externalize_cred_label = mac_biba_externalize_label,
+ .mpo_externalize_ifnet_label = mac_biba_externalize_label,
+ .mpo_externalize_pipe_label = mac_biba_externalize_label,
+ .mpo_externalize_socket_label = mac_biba_externalize_label,
+ .mpo_externalize_socket_peer_label = mac_biba_externalize_label,
+ .mpo_externalize_vnode_label = mac_biba_externalize_label,
+ .mpo_internalize_cred_label = mac_biba_internalize_label,
+ .mpo_internalize_ifnet_label = mac_biba_internalize_label,
+ .mpo_internalize_pipe_label = mac_biba_internalize_label,
+ .mpo_internalize_socket_label = mac_biba_internalize_label,
+ .mpo_internalize_vnode_label = mac_biba_internalize_label,
+ .mpo_create_devfs_device = mac_biba_create_devfs_device,
+ .mpo_create_devfs_directory = mac_biba_create_devfs_directory,
+ .mpo_create_devfs_symlink = mac_biba_create_devfs_symlink,
+ .mpo_create_devfs_vnode = mac_biba_create_devfs_vnode,
+ .mpo_create_mount = mac_biba_create_mount,
+ .mpo_create_root_mount = mac_biba_create_root_mount,
+ .mpo_relabel_vnode = mac_biba_relabel_vnode,
+ .mpo_update_devfsdirent = mac_biba_update_devfsdirent,
+ .mpo_associate_vnode_devfs = mac_biba_associate_vnode_devfs,
+ .mpo_associate_vnode_extattr = mac_biba_associate_vnode_extattr,
+ .mpo_associate_vnode_singlelabel = mac_biba_associate_vnode_singlelabel,
+ .mpo_create_vnode_extattr = mac_biba_create_vnode_extattr,
+ .mpo_setlabel_vnode_extattr = mac_biba_setlabel_vnode_extattr,
+ .mpo_create_mbuf_from_socket = mac_biba_create_mbuf_from_socket,
+ .mpo_create_pipe = mac_biba_create_pipe,
+ .mpo_create_socket = mac_biba_create_socket,
+ .mpo_create_socket_from_socket = mac_biba_create_socket_from_socket,
+ .mpo_relabel_pipe = mac_biba_relabel_pipe,
+ .mpo_relabel_socket = mac_biba_relabel_socket,
+ .mpo_set_socket_peer_from_mbuf = mac_biba_set_socket_peer_from_mbuf,
+ .mpo_set_socket_peer_from_socket = mac_biba_set_socket_peer_from_socket,
+ .mpo_create_bpfdesc = mac_biba_create_bpfdesc,
+ .mpo_create_datagram_from_ipq = mac_biba_create_datagram_from_ipq,
+ .mpo_create_fragment = mac_biba_create_fragment,
+ .mpo_create_ifnet = mac_biba_create_ifnet,
+ .mpo_create_ipq = mac_biba_create_ipq,
+ .mpo_create_mbuf_from_mbuf = mac_biba_create_mbuf_from_mbuf,
+ .mpo_create_mbuf_linklayer = mac_biba_create_mbuf_linklayer,
+ .mpo_create_mbuf_from_bpfdesc = mac_biba_create_mbuf_from_bpfdesc,
+ .mpo_create_mbuf_from_ifnet = mac_biba_create_mbuf_from_ifnet,
+ .mpo_create_mbuf_multicast_encap = mac_biba_create_mbuf_multicast_encap,
+ .mpo_create_mbuf_netlayer = mac_biba_create_mbuf_netlayer,
+ .mpo_fragment_match = mac_biba_fragment_match,
+ .mpo_relabel_ifnet = mac_biba_relabel_ifnet,
+ .mpo_update_ipq = mac_biba_update_ipq,
+ .mpo_create_cred = mac_biba_create_cred,
+ .mpo_execve_transition = mac_biba_execve_transition,
+ .mpo_execve_will_transition = mac_biba_execve_will_transition,
+ .mpo_create_proc0 = mac_biba_create_proc0,
+ .mpo_create_proc1 = mac_biba_create_proc1,
+ .mpo_relabel_cred = mac_biba_relabel_cred,
+ .mpo_check_bpfdesc_receive = mac_biba_check_bpfdesc_receive,
+ .mpo_check_cred_relabel = mac_biba_check_cred_relabel,
+ .mpo_check_cred_visible = mac_biba_check_cred_visible,
+ .mpo_check_ifnet_relabel = mac_biba_check_ifnet_relabel,
+ .mpo_check_ifnet_transmit = mac_biba_check_ifnet_transmit,
+ .mpo_check_mount_stat = mac_biba_check_mount_stat,
+ .mpo_check_pipe_ioctl = mac_biba_check_pipe_ioctl,
+ .mpo_check_pipe_poll = mac_biba_check_pipe_poll,
+ .mpo_check_pipe_read = mac_biba_check_pipe_read,
+ .mpo_check_pipe_relabel = mac_biba_check_pipe_relabel,
+ .mpo_check_pipe_stat = mac_biba_check_pipe_stat,
+ .mpo_check_pipe_write = mac_biba_check_pipe_write,
+ .mpo_check_proc_debug = mac_biba_check_proc_debug,
+ .mpo_check_proc_sched = mac_biba_check_proc_sched,
+ .mpo_check_proc_signal = mac_biba_check_proc_signal,
+ .mpo_check_socket_deliver = mac_biba_check_socket_deliver,
+ .mpo_check_socket_relabel = mac_biba_check_socket_relabel,
+ .mpo_check_socket_visible = mac_biba_check_socket_visible,
+ .mpo_check_system_swapon = mac_biba_check_system_swapon,
+ .mpo_check_system_sysctl = mac_biba_check_system_sysctl,
+ .mpo_check_vnode_access = mac_biba_check_vnode_open,
+ .mpo_check_vnode_chdir = mac_biba_check_vnode_chdir,
+ .mpo_check_vnode_chroot = mac_biba_check_vnode_chroot,
+ .mpo_check_vnode_create = mac_biba_check_vnode_create,
+ .mpo_check_vnode_delete = mac_biba_check_vnode_delete,
+ .mpo_check_vnode_deleteacl = mac_biba_check_vnode_deleteacl,
+ .mpo_check_vnode_exec = mac_biba_check_vnode_exec,
+ .mpo_check_vnode_getacl = mac_biba_check_vnode_getacl,
+ .mpo_check_vnode_getextattr = mac_biba_check_vnode_getextattr,
+ .mpo_check_vnode_link = mac_biba_check_vnode_link,
+ .mpo_check_vnode_lookup = mac_biba_check_vnode_lookup,
+ .mpo_check_vnode_mmap = mac_biba_check_vnode_mmap,
+ .mpo_check_vnode_mprotect = mac_biba_check_vnode_mmap,
+ .mpo_check_vnode_open = mac_biba_check_vnode_open,
+ .mpo_check_vnode_poll = mac_biba_check_vnode_poll,
+ .mpo_check_vnode_read = mac_biba_check_vnode_read,
+ .mpo_check_vnode_readdir = mac_biba_check_vnode_readdir,
+ .mpo_check_vnode_readlink = mac_biba_check_vnode_readlink,
+ .mpo_check_vnode_relabel = mac_biba_check_vnode_relabel,
+ .mpo_check_vnode_rename_from = mac_biba_check_vnode_rename_from,
+ .mpo_check_vnode_rename_to = mac_biba_check_vnode_rename_to,
+ .mpo_check_vnode_revoke = mac_biba_check_vnode_revoke,
+ .mpo_check_vnode_setacl = mac_biba_check_vnode_setacl,
+ .mpo_check_vnode_setextattr = mac_biba_check_vnode_setextattr,
+ .mpo_check_vnode_setflags = mac_biba_check_vnode_setflags,
+ .mpo_check_vnode_setmode = mac_biba_check_vnode_setmode,
+ .mpo_check_vnode_setowner = mac_biba_check_vnode_setowner,
+ .mpo_check_vnode_setutimes = mac_biba_check_vnode_setutimes,
+ .mpo_check_vnode_stat = mac_biba_check_vnode_stat,
+ .mpo_check_vnode_write = mac_biba_check_vnode_write,
};
-MAC_POLICY_SET(mac_biba_ops, trustedbsd_mac_biba, "TrustedBSD MAC/Biba",
+MAC_POLICY_SET(&mac_biba_ops, trustedbsd_mac_biba, "TrustedBSD MAC/Biba",
MPC_LOADTIME_FLAG_NOTLATE, &mac_biba_slot);
diff --git a/sys/security/mac_bsdextended/mac_bsdextended.c b/sys/security/mac_bsdextended/mac_bsdextended.c
index 1435bbab4be5..b500d130115b 100644
--- a/sys/security/mac_bsdextended/mac_bsdextended.c
+++ b/sys/security/mac_bsdextended/mac_bsdextended.c
@@ -718,62 +718,35 @@ mac_bsdextended_check_vnode_stat(struct ucred *active_cred,
VSTAT));
}
-static struct mac_policy_op_entry mac_bsdextended_ops[] =
+static struct mac_policy_ops mac_bsdextended_ops =
{
- { MAC_DESTROY,
- (macop_t)mac_bsdextended_destroy },
- { MAC_INIT,
- (macop_t)mac_bsdextended_init },
- { MAC_CHECK_VNODE_ACCESS,
- (macop_t)mac_bsdextended_check_vnode_access },
- { MAC_CHECK_VNODE_CHDIR,
- (macop_t)mac_bsdextended_check_vnode_chdir },
- { MAC_CHECK_VNODE_CHROOT,
- (macop_t)mac_bsdextended_check_vnode_chroot },
- { MAC_CHECK_VNODE_CREATE,
- (macop_t)mac_bsdextended_check_create_vnode },
- { MAC_CHECK_VNODE_DELETE,
- (macop_t)mac_bsdextended_check_vnode_delete },
- { MAC_CHECK_VNODE_DELETEACL,
- (macop_t)mac_bsdextended_check_vnode_deleteacl },
- { MAC_CHECK_VNODE_EXEC,
- (macop_t)mac_bsdextended_check_vnode_exec },
- { MAC_CHECK_VNODE_GETACL,
- (macop_t)mac_bsdextended_check_vnode_getacl },
- { MAC_CHECK_VNODE_GETEXTATTR,
- (macop_t)mac_bsdextended_check_vnode_getextattr },
- { MAC_CHECK_VNODE_LINK,
- (macop_t)mac_bsdextended_check_vnode_link },
- { MAC_CHECK_VNODE_LOOKUP,
- (macop_t)mac_bsdextended_check_vnode_lookup },
- { MAC_CHECK_VNODE_OPEN,
- (macop_t)mac_bsdextended_check_vnode_open },
- { MAC_CHECK_VNODE_READDIR,
- (macop_t)mac_bsdextended_check_vnode_readdir },
- { MAC_CHECK_VNODE_READLINK,
- (macop_t)mac_bsdextended_check_vnode_readdlink },
- { MAC_CHECK_VNODE_RENAME_FROM,
- (macop_t)mac_bsdextended_check_vnode_rename_from },
- { MAC_CHECK_VNODE_RENAME_TO,
- (macop_t)mac_bsdextended_check_vnode_rename_to },
- { MAC_CHECK_VNODE_REVOKE,
- (macop_t)mac_bsdextended_check_vnode_revoke },
- { MAC_CHECK_VNODE_SETACL,
- (macop_t)mac_bsdextended_check_setacl_vnode },
- { MAC_CHECK_VNODE_SETEXTATTR,
- (macop_t)mac_bsdextended_check_vnode_setextattr },
- { MAC_CHECK_VNODE_SETFLAGS,
- (macop_t)mac_bsdextended_check_vnode_setflags },
- { MAC_CHECK_VNODE_SETMODE,
- (macop_t)mac_bsdextended_check_vnode_setmode },
- { MAC_CHECK_VNODE_SETOWNER,
- (macop_t)mac_bsdextended_check_vnode_setowner },
- { MAC_CHECK_VNODE_SETUTIMES,
- (macop_t)mac_bsdextended_check_vnode_setutimes },
- { MAC_CHECK_VNODE_STAT,
- (macop_t)mac_bsdextended_check_vnode_stat },
- { MAC_OP_LAST, NULL }
+ .mpo_destroy = mac_bsdextended_destroy,
+ .mpo_init = mac_bsdextended_init,
+ .mpo_check_vnode_access = mac_bsdextended_check_vnode_access,
+ .mpo_check_vnode_chdir = mac_bsdextended_check_vnode_chdir,
+ .mpo_check_vnode_chroot = mac_bsdextended_check_vnode_chroot,
+ .mpo_check_vnode_create = mac_bsdextended_check_create_vnode,
+ .mpo_check_vnode_delete = mac_bsdextended_check_vnode_delete,
+ .mpo_check_vnode_deleteacl = mac_bsdextended_check_vnode_deleteacl,
+ .mpo_check_vnode_exec = mac_bsdextended_check_vnode_exec,
+ .mpo_check_vnode_getacl = mac_bsdextended_check_vnode_getacl,
+ .mpo_check_vnode_getextattr = mac_bsdextended_check_vnode_getextattr,
+ .mpo_check_vnode_link = mac_bsdextended_check_vnode_link,
+ .mpo_check_vnode_lookup = mac_bsdextended_check_vnode_lookup,
+ .mpo_check_vnode_open = mac_bsdextended_check_vnode_open,
+ .mpo_check_vnode_readdir = mac_bsdextended_check_vnode_readdir,
+ .mpo_check_vnode_readlink = mac_bsdextended_check_vnode_readdlink,
+ .mpo_check_vnode_rename_from = mac_bsdextended_check_vnode_rename_from,
+ .mpo_check_vnode_rename_to = mac_bsdextended_check_vnode_rename_to,
+ .mpo_check_vnode_revoke = mac_bsdextended_check_vnode_revoke,
+ .mpo_check_vnode_setacl = mac_bsdextended_check_setacl_vnode,
+ .mpo_check_vnode_setextattr = mac_bsdextended_check_vnode_setextattr,
+ .mpo_check_vnode_setflags = mac_bsdextended_check_vnode_setflags,
+ .mpo_check_vnode_setmode = mac_bsdextended_check_vnode_setmode,
+ .mpo_check_vnode_setowner = mac_bsdextended_check_vnode_setowner,
+ .mpo_check_vnode_setutimes = mac_bsdextended_check_vnode_setutimes,
+ .mpo_check_vnode_stat = mac_bsdextended_check_vnode_stat,
};
-MAC_POLICY_SET(mac_bsdextended_ops, trustedbsd_mac_bsdextended,
+MAC_POLICY_SET(&mac_bsdextended_ops, trustedbsd_mac_bsdextended,
"TrustedBSD MAC/BSD Extended", MPC_LOADTIME_FLAG_UNLOADOK, NULL);
diff --git a/sys/security/mac_ifoff/mac_ifoff.c b/sys/security/mac_ifoff/mac_ifoff.c
index 8aea44a8f339..fb7e96612296 100644
--- a/sys/security/mac_ifoff/mac_ifoff.c
+++ b/sys/security/mac_ifoff/mac_ifoff.c
@@ -158,16 +158,12 @@ mac_ifoff_check_socket_deliver(struct socket *so, struct label *socketlabel,
return (0);
}
-static struct mac_policy_op_entry mac_ifoff_ops[] =
+static struct mac_policy_ops mac_ifoff_ops =
{
- { MAC_CHECK_BPFDESC_RECEIVE,
- (macop_t)mac_ifoff_check_bpfdesc_receive },
- { MAC_CHECK_IFNET_TRANSMIT,
- (macop_t)mac_ifoff_check_ifnet_transmit },
- { MAC_CHECK_SOCKET_DELIVER,
- (macop_t)mac_ifoff_check_socket_deliver },
- { MAC_OP_LAST, NULL }
+ .mpo_check_bpfdesc_receive = mac_ifoff_check_bpfdesc_receive,
+ .mpo_check_ifnet_transmit = mac_ifoff_check_ifnet_transmit,
+ .mpo_check_socket_deliver = mac_ifoff_check_socket_deliver,
};
-MAC_POLICY_SET(mac_ifoff_ops, trustedbsd_mac_ifoff, "TrustedBSD MAC/ifoff",
+MAC_POLICY_SET(&mac_ifoff_ops, trustedbsd_mac_ifoff, "TrustedBSD MAC/ifoff",
MPC_LOADTIME_FLAG_UNLOADOK, NULL);
diff --git a/sys/security/mac_mls/mac_mls.c b/sys/security/mac_mls/mac_mls.c
index 21b97a05dc63..329c85b8f33b 100644
--- a/sys/security/mac_mls/mac_mls.c
+++ b/sys/security/mac_mls/mac_mls.c
@@ -2372,266 +2372,137 @@ mac_mls_check_vnode_write(struct ucred *active_cred, struct ucred *file_cred,
return (0);
}
-static struct mac_policy_op_entry mac_mls_ops[] =
+static struct mac_policy_ops mac_mls_ops =
{
- { MAC_DESTROY,
- (macop_t)mac_mls_destroy },
- { MAC_INIT,
- (macop_t)mac_mls_init },
- { MAC_INIT_BPFDESC_LABEL,
- (macop_t)mac_mls_init_label },
- { MAC_INIT_CRED_LABEL,
- (macop_t)mac_mls_init_label },
- { MAC_INIT_DEVFSDIRENT_LABEL,
- (macop_t)mac_mls_init_label },
- { MAC_INIT_IFNET_LABEL,
- (macop_t)mac_mls_init_label },
- { MAC_INIT_IPQ_LABEL,
- (macop_t)mac_mls_init_label },
- { MAC_INIT_MBUF_LABEL,
- (macop_t)mac_mls_init_label_waitcheck },
- { MAC_INIT_MOUNT_LABEL,
- (macop_t)mac_mls_init_label },
- { MAC_INIT_MOUNT_FS_LABEL,
- (macop_t)mac_mls_init_label },
- { MAC_INIT_PIPE_LABEL,
- (macop_t)mac_mls_init_label },
- { MAC_INIT_SOCKET_LABEL,
- (macop_t)mac_mls_init_label_waitcheck },
- { MAC_INIT_SOCKET_PEER_LABEL,
- (macop_t)mac_mls_init_label_waitcheck },
- { MAC_INIT_VNODE_LABEL,
- (macop_t)mac_mls_init_label },
- { MAC_DESTROY_BPFDESC_LABEL,
- (macop_t)mac_mls_destroy_label },
- { MAC_DESTROY_CRED_LABEL,
- (macop_t)mac_mls_destroy_label },
- { MAC_DESTROY_DEVFSDIRENT_LABEL,
- (macop_t)mac_mls_destroy_label },
- { MAC_DESTROY_IFNET_LABEL,
- (macop_t)mac_mls_destroy_label },
- { MAC_DESTROY_IPQ_LABEL,
- (macop_t)mac_mls_destroy_label },
- { MAC_DESTROY_MBUF_LABEL,
- (macop_t)mac_mls_destroy_label },
- { MAC_DESTROY_MOUNT_LABEL,
- (macop_t)mac_mls_destroy_label },
- { MAC_DESTROY_MOUNT_FS_LABEL,
- (macop_t)mac_mls_destroy_label },
- { MAC_DESTROY_PIPE_LABEL,
- (macop_t)mac_mls_destroy_label },
- { MAC_DESTROY_SOCKET_LABEL,
- (macop_t)mac_mls_destroy_label },
- { MAC_DESTROY_SOCKET_PEER_LABEL,
- (macop_t)mac_mls_destroy_label },
- { MAC_DESTROY_VNODE_LABEL,
- (macop_t)mac_mls_destroy_label },
- { MAC_COPY_PIPE_LABEL,
- (macop_t)mac_mls_copy_label },
- { MAC_COPY_VNODE_LABEL,
- (macop_t)mac_mls_copy_label },
- { MAC_EXTERNALIZE_CRED_LABEL,
- (macop_t)mac_mls_externalize_label },
- { MAC_EXTERNALIZE_IFNET_LABEL,
- (macop_t)mac_mls_externalize_label },
- { MAC_EXTERNALIZE_PIPE_LABEL,
- (macop_t)mac_mls_externalize_label },
- { MAC_EXTERNALIZE_SOCKET_LABEL,
- (macop_t)mac_mls_externalize_label },
- { MAC_EXTERNALIZE_SOCKET_PEER_LABEL,
- (macop_t)mac_mls_externalize_label },
- { MAC_EXTERNALIZE_VNODE_LABEL,
- (macop_t)mac_mls_externalize_label },
- { MAC_INTERNALIZE_CRED_LABEL,
- (macop_t)mac_mls_internalize_label },
- { MAC_INTERNALIZE_IFNET_LABEL,
- (macop_t)mac_mls_internalize_label },
- { MAC_INTERNALIZE_PIPE_LABEL,
- (macop_t)mac_mls_internalize_label },
- { MAC_INTERNALIZE_SOCKET_LABEL,
- (macop_t)mac_mls_internalize_label },
- { MAC_INTERNALIZE_VNODE_LABEL,
- (macop_t)mac_mls_internalize_label },
- { MAC_CREATE_DEVFS_DEVICE,
- (macop_t)mac_mls_create_devfs_device },
- { MAC_CREATE_DEVFS_DIRECTORY,
- (macop_t)mac_mls_create_devfs_directory },
- { MAC_CREATE_DEVFS_SYMLINK,
- (macop_t)mac_mls_create_devfs_symlink },
- { MAC_CREATE_DEVFS_VNODE,
- (macop_t)mac_mls_create_devfs_vnode },
- { MAC_CREATE_MOUNT,
- (macop_t)mac_mls_create_mount },
- { MAC_CREATE_ROOT_MOUNT,
- (macop_t)mac_mls_create_root_mount },
- { MAC_RELABEL_VNODE,
- (macop_t)mac_mls_relabel_vnode },
- { MAC_UPDATE_DEVFSDIRENT,
- (macop_t)mac_mls_update_devfsdirent },
- { MAC_ASSOCIATE_VNODE_DEVFS,
- (macop_t)mac_mls_associate_vnode_devfs },
- { MAC_ASSOCIATE_VNODE_EXTATTR,
- (macop_t)mac_mls_associate_vnode_extattr },
- { MAC_ASSOCIATE_VNODE_SINGLELABEL,
- (macop_t)mac_mls_associate_vnode_singlelabel },
- { MAC_CREATE_VNODE_EXTATTR,
- (macop_t)mac_mls_create_vnode_extattr },
- { MAC_SETLABEL_VNODE_EXTATTR,
- (macop_t)mac_mls_setlabel_vnode_extattr },
- { MAC_CREATE_MBUF_FROM_SOCKET,
- (macop_t)mac_mls_create_mbuf_from_socket },
- { MAC_CREATE_PIPE,
- (macop_t)mac_mls_create_pipe },
- { MAC_CREATE_SOCKET,
- (macop_t)mac_mls_create_socket },
- { MAC_CREATE_SOCKET_FROM_SOCKET,
- (macop_t)mac_mls_create_socket_from_socket },
- { MAC_RELABEL_PIPE,
- (macop_t)mac_mls_relabel_pipe },
- { MAC_RELABEL_SOCKET,
- (macop_t)mac_mls_relabel_socket },
- { MAC_SET_SOCKET_PEER_FROM_MBUF,
- (macop_t)mac_mls_set_socket_peer_from_mbuf },
- { MAC_SET_SOCKET_PEER_FROM_SOCKET,
- (macop_t)mac_mls_set_socket_peer_from_socket },
- { MAC_CREATE_BPFDESC,
- (macop_t)mac_mls_create_bpfdesc },
- { MAC_CREATE_DATAGRAM_FROM_IPQ,
- (macop_t)mac_mls_create_datagram_from_ipq },
- { MAC_CREATE_FRAGMENT,
- (macop_t)mac_mls_create_fragment },
- { MAC_CREATE_IFNET,
- (macop_t)mac_mls_create_ifnet },
- { MAC_CREATE_IPQ,
- (macop_t)mac_mls_create_ipq },
- { MAC_CREATE_MBUF_FROM_MBUF,
- (macop_t)mac_mls_create_mbuf_from_mbuf },
- { MAC_CREATE_MBUF_LINKLAYER,
- (macop_t)mac_mls_create_mbuf_linklayer },
- { MAC_CREATE_MBUF_FROM_BPFDESC,
- (macop_t)mac_mls_create_mbuf_from_bpfdesc },
- { MAC_CREATE_MBUF_FROM_IFNET,
- (macop_t)mac_mls_create_mbuf_from_ifnet },
- { MAC_CREATE_MBUF_MULTICAST_ENCAP,
- (macop_t)mac_mls_create_mbuf_multicast_encap },
- { MAC_CREATE_MBUF_NETLAYER,
- (macop_t)mac_mls_create_mbuf_netlayer },
- { MAC_FRAGMENT_MATCH,
- (macop_t)mac_mls_fragment_match },
- { MAC_RELABEL_IFNET,
- (macop_t)mac_mls_relabel_ifnet },
- { MAC_UPDATE_IPQ,
- (macop_t)mac_mls_update_ipq },
- { MAC_CREATE_CRED,
- (macop_t)mac_mls_create_cred },
- { MAC_EXECVE_TRANSITION,
- (macop_t)mac_mls_execve_transition },
- { MAC_EXECVE_WILL_TRANSITION,
- (macop_t)mac_mls_execve_will_transition },
- { MAC_CREATE_PROC0,
- (macop_t)mac_mls_create_proc0 },
- { MAC_CREATE_PROC1,
- (macop_t)mac_mls_create_proc1 },
- { MAC_RELABEL_CRED,
- (macop_t)mac_mls_relabel_cred },
- { MAC_CHECK_BPFDESC_RECEIVE,
- (macop_t)mac_mls_check_bpfdesc_receive },
- { MAC_CHECK_CRED_RELABEL,
- (macop_t)mac_mls_check_cred_relabel },
- { MAC_CHECK_CRED_VISIBLE,
- (macop_t)mac_mls_check_cred_visible },
- { MAC_CHECK_IFNET_RELABEL,
- (macop_t)mac_mls_check_ifnet_relabel },
- { MAC_CHECK_IFNET_TRANSMIT,
- (macop_t)mac_mls_check_ifnet_transmit },
- { MAC_CHECK_MOUNT_STAT,
- (macop_t)mac_mls_check_mount_stat },
- { MAC_CHECK_PIPE_IOCTL,
- (macop_t)mac_mls_check_pipe_ioctl },
- { MAC_CHECK_PIPE_POLL,
- (macop_t)mac_mls_check_pipe_poll },
- { MAC_CHECK_PIPE_READ,
- (macop_t)mac_mls_check_pipe_read },
- { MAC_CHECK_PIPE_RELABEL,
- (macop_t)mac_mls_check_pipe_relabel },
- { MAC_CHECK_PIPE_STAT,
- (macop_t)mac_mls_check_pipe_stat },
- { MAC_CHECK_PIPE_WRITE,
- (macop_t)mac_mls_check_pipe_write },
- { MAC_CHECK_PROC_DEBUG,
- (macop_t)mac_mls_check_proc_debug },
- { MAC_CHECK_PROC_SCHED,
- (macop_t)mac_mls_check_proc_sched },
- { MAC_CHECK_PROC_SIGNAL,
- (macop_t)mac_mls_check_proc_signal },
- { MAC_CHECK_SOCKET_DELIVER,
- (macop_t)mac_mls_check_socket_deliver },
- { MAC_CHECK_SOCKET_RELABEL,
- (macop_t)mac_mls_check_socket_relabel },
- { MAC_CHECK_SOCKET_VISIBLE,
- (macop_t)mac_mls_check_socket_visible },
- { MAC_CHECK_VNODE_ACCESS,
- (macop_t)mac_mls_check_vnode_open },
- { MAC_CHECK_VNODE_CHDIR,
- (macop_t)mac_mls_check_vnode_chdir },
- { MAC_CHECK_VNODE_CHROOT,
- (macop_t)mac_mls_check_vnode_chroot },
- { MAC_CHECK_VNODE_CREATE,
- (macop_t)mac_mls_check_vnode_create },
- { MAC_CHECK_VNODE_DELETE,
- (macop_t)mac_mls_check_vnode_delete },
- { MAC_CHECK_VNODE_DELETEACL,
- (macop_t)mac_mls_check_vnode_deleteacl },
- { MAC_CHECK_VNODE_EXEC,
- (macop_t)mac_mls_check_vnode_exec },
- { MAC_CHECK_VNODE_GETACL,
- (macop_t)mac_mls_check_vnode_getacl },
- { MAC_CHECK_VNODE_GETEXTATTR,
- (macop_t)mac_mls_check_vnode_getextattr },
- { MAC_CHECK_VNODE_LINK,
- (macop_t)mac_mls_check_vnode_link },
- { MAC_CHECK_VNODE_LOOKUP,
- (macop_t)mac_mls_check_vnode_lookup },
- { MAC_CHECK_VNODE_MMAP,
- (macop_t)mac_mls_check_vnode_mmap },
- { MAC_CHECK_VNODE_MPROTECT,
- (macop_t)mac_mls_check_vnode_mmap },
- { MAC_CHECK_VNODE_OPEN,
- (macop_t)mac_mls_check_vnode_open },
- { MAC_CHECK_VNODE_POLL,
- (macop_t)mac_mls_check_vnode_poll },
- { MAC_CHECK_VNODE_READ,
- (macop_t)mac_mls_check_vnode_read },
- { MAC_CHECK_VNODE_READDIR,
- (macop_t)mac_mls_check_vnode_readdir },
- { MAC_CHECK_VNODE_READLINK,
- (macop_t)mac_mls_check_vnode_readlink },
- { MAC_CHECK_VNODE_RELABEL,
- (macop_t)mac_mls_check_vnode_relabel },
- { MAC_CHECK_VNODE_RENAME_FROM,
- (macop_t)mac_mls_check_vnode_rename_from },
- { MAC_CHECK_VNODE_RENAME_TO,
- (macop_t)mac_mls_check_vnode_rename_to },
- { MAC_CHECK_VNODE_REVOKE,
- (macop_t)mac_mls_check_vnode_revoke },
- { MAC_CHECK_VNODE_SETACL,
- (macop_t)mac_mls_check_vnode_setacl },
- { MAC_CHECK_VNODE_SETEXTATTR,
- (macop_t)mac_mls_check_vnode_setextattr },
- { MAC_CHECK_VNODE_SETFLAGS,
- (macop_t)mac_mls_check_vnode_setflags },
- { MAC_CHECK_VNODE_SETMODE,
- (macop_t)mac_mls_check_vnode_setmode },
- { MAC_CHECK_VNODE_SETOWNER,
- (macop_t)mac_mls_check_vnode_setowner },
- { MAC_CHECK_VNODE_SETUTIMES,
- (macop_t)mac_mls_check_vnode_setutimes },
- { MAC_CHECK_VNODE_STAT,
- (macop_t)mac_mls_check_vnode_stat },
- { MAC_CHECK_VNODE_WRITE,
- (macop_t)mac_mls_check_vnode_write },
- { MAC_OP_LAST, NULL }
+ .mpo_destroy = mac_mls_destroy,
+ .mpo_init = mac_mls_init,
+ .mpo_init_bpfdesc_label = mac_mls_init_label,
+ .mpo_init_cred_label = mac_mls_init_label,
+ .mpo_init_devfsdirent_label = mac_mls_init_label,
+ .mpo_init_ifnet_label = mac_mls_init_label,
+ .mpo_init_ipq_label = mac_mls_init_label,
+ .mpo_init_mbuf_label = mac_mls_init_label_waitcheck,
+ .mpo_init_mount_label = mac_mls_init_label,
+ .mpo_init_mount_fs_label = mac_mls_init_label,
+ .mpo_init_pipe_label = mac_mls_init_label,
+ .mpo_init_socket_label = mac_mls_init_label_waitcheck,
+ .mpo_init_socket_peer_label = mac_mls_init_label_waitcheck,
+ .mpo_init_vnode_label = mac_mls_init_label,
+ .mpo_destroy_bpfdesc_label = mac_mls_destroy_label,
+ .mpo_destroy_cred_label = mac_mls_destroy_label,
+ .mpo_destroy_devfsdirent_label = mac_mls_destroy_label,
+ .mpo_destroy_ifnet_label = mac_mls_destroy_label,
+ .mpo_destroy_ipq_label = mac_mls_destroy_label,
+ .mpo_destroy_mbuf_label = mac_mls_destroy_label,
+ .mpo_destroy_mount_label = mac_mls_destroy_label,
+ .mpo_destroy_mount_fs_label = mac_mls_destroy_label,
+ .mpo_destroy_pipe_label = mac_mls_destroy_label,
+ .mpo_destroy_socket_label = mac_mls_destroy_label,
+ .mpo_destroy_socket_peer_label = mac_mls_destroy_label,
+ .mpo_destroy_vnode_label = mac_mls_destroy_label,
+ .mpo_copy_pipe_label = mac_mls_copy_label,
+ .mpo_copy_vnode_label = mac_mls_copy_label,
+ .mpo_externalize_cred_label = mac_mls_externalize_label,
+ .mpo_externalize_ifnet_label = mac_mls_externalize_label,
+ .mpo_externalize_pipe_label = mac_mls_externalize_label,
+ .mpo_externalize_socket_label = mac_mls_externalize_label,
+ .mpo_externalize_socket_peer_label = mac_mls_externalize_label,
+ .mpo_externalize_vnode_label = mac_mls_externalize_label,
+ .mpo_internalize_cred_label = mac_mls_internalize_label,
+ .mpo_internalize_ifnet_label = mac_mls_internalize_label,
+ .mpo_internalize_pipe_label = mac_mls_internalize_label,
+ .mpo_internalize_socket_label = mac_mls_internalize_label,
+ .mpo_internalize_vnode_label = mac_mls_internalize_label,
+ .mpo_create_devfs_device = mac_mls_create_devfs_device,
+ .mpo_create_devfs_directory = mac_mls_create_devfs_directory,
+ .mpo_create_devfs_symlink = mac_mls_create_devfs_symlink,
+ .mpo_create_devfs_vnode = mac_mls_create_devfs_vnode,
+ .mpo_create_mount = mac_mls_create_mount,
+ .mpo_create_root_mount = mac_mls_create_root_mount,
+ .mpo_relabel_vnode = mac_mls_relabel_vnode,
+ .mpo_update_devfsdirent = mac_mls_update_devfsdirent,
+ .mpo_associate_vnode_devfs = mac_mls_associate_vnode_devfs,
+ .mpo_associate_vnode_extattr = mac_mls_associate_vnode_extattr,
+ .mpo_associate_vnode_singlelabel = mac_mls_associate_vnode_singlelabel,
+ .mpo_create_vnode_extattr = mac_mls_create_vnode_extattr,
+ .mpo_setlabel_vnode_extattr = mac_mls_setlabel_vnode_extattr,
+ .mpo_create_mbuf_from_socket = mac_mls_create_mbuf_from_socket,
+ .mpo_create_pipe = mac_mls_create_pipe,
+ .mpo_create_socket = mac_mls_create_socket,
+ .mpo_create_socket_from_socket = mac_mls_create_socket_from_socket,
+ .mpo_relabel_pipe = mac_mls_relabel_pipe,
+ .mpo_relabel_socket = mac_mls_relabel_socket,
+ .mpo_set_socket_peer_from_mbuf = mac_mls_set_socket_peer_from_mbuf,
+ .mpo_set_socket_peer_from_socket = mac_mls_set_socket_peer_from_socket,
+ .mpo_create_bpfdesc = mac_mls_create_bpfdesc,
+ .mpo_create_datagram_from_ipq = mac_mls_create_datagram_from_ipq,
+ .mpo_create_fragment = mac_mls_create_fragment,
+ .mpo_create_ifnet = mac_mls_create_ifnet,
+ .mpo_create_ipq = mac_mls_create_ipq,
+ .mpo_create_mbuf_from_mbuf = mac_mls_create_mbuf_from_mbuf,
+ .mpo_create_mbuf_linklayer = mac_mls_create_mbuf_linklayer,
+ .mpo_create_mbuf_from_bpfdesc = mac_mls_create_mbuf_from_bpfdesc,
+ .mpo_create_mbuf_from_ifnet = mac_mls_create_mbuf_from_ifnet,
+ .mpo_create_mbuf_multicast_encap = mac_mls_create_mbuf_multicast_encap,
+ .mpo_create_mbuf_netlayer = mac_mls_create_mbuf_netlayer,
+ .mpo_fragment_match = mac_mls_fragment_match,
+ .mpo_relabel_ifnet = mac_mls_relabel_ifnet,
+ .mpo_update_ipq = mac_mls_update_ipq,
+ .mpo_create_cred = mac_mls_create_cred,
+ .mpo_execve_transition = mac_mls_execve_transition,
+ .mpo_execve_will_transition = mac_mls_execve_will_transition,
+ .mpo_create_proc0 = mac_mls_create_proc0,
+ .mpo_create_proc1 = mac_mls_create_proc1,
+ .mpo_relabel_cred = mac_mls_relabel_cred,
+ .mpo_check_bpfdesc_receive = mac_mls_check_bpfdesc_receive,
+ .mpo_check_cred_relabel = mac_mls_check_cred_relabel,
+ .mpo_check_cred_visible = mac_mls_check_cred_visible,
+ .mpo_check_ifnet_relabel = mac_mls_check_ifnet_relabel,
+ .mpo_check_ifnet_transmit = mac_mls_check_ifnet_transmit,
+ .mpo_check_mount_stat = mac_mls_check_mount_stat,
+ .mpo_check_pipe_ioctl = mac_mls_check_pipe_ioctl,
+ .mpo_check_pipe_poll = mac_mls_check_pipe_poll,
+ .mpo_check_pipe_read = mac_mls_check_pipe_read,
+ .mpo_check_pipe_relabel = mac_mls_check_pipe_relabel,
+ .mpo_check_pipe_stat = mac_mls_check_pipe_stat,
+ .mpo_check_pipe_write = mac_mls_check_pipe_write,
+ .mpo_check_proc_debug = mac_mls_check_proc_debug,
+ .mpo_check_proc_sched = mac_mls_check_proc_sched,
+ .mpo_check_proc_signal = mac_mls_check_proc_signal,
+ .mpo_check_socket_deliver = mac_mls_check_socket_deliver,
+ .mpo_check_socket_relabel = mac_mls_check_socket_relabel,
+ .mpo_check_socket_visible = mac_mls_check_socket_visible,
+ .mpo_check_vnode_access = mac_mls_check_vnode_open,
+ .mpo_check_vnode_chdir = mac_mls_check_vnode_chdir,
+ .mpo_check_vnode_chroot = mac_mls_check_vnode_chroot,
+ .mpo_check_vnode_create = mac_mls_check_vnode_create,
+ .mpo_check_vnode_delete = mac_mls_check_vnode_delete,
+ .mpo_check_vnode_deleteacl = mac_mls_check_vnode_deleteacl,
+ .mpo_check_vnode_exec = mac_mls_check_vnode_exec,
+ .mpo_check_vnode_getacl = mac_mls_check_vnode_getacl,
+ .mpo_check_vnode_getextattr = mac_mls_check_vnode_getextattr,
+ .mpo_check_vnode_link = mac_mls_check_vnode_link,
+ .mpo_check_vnode_lookup = mac_mls_check_vnode_lookup,
+ .mpo_check_vnode_mmap = mac_mls_check_vnode_mmap,
+ .mpo_check_vnode_mprotect = mac_mls_check_vnode_mmap,
+ .mpo_check_vnode_open = mac_mls_check_vnode_open,
+ .mpo_check_vnode_poll = mac_mls_check_vnode_poll,
+ .mpo_check_vnode_read = mac_mls_check_vnode_read,
+ .mpo_check_vnode_readdir = mac_mls_check_vnode_readdir,
+ .mpo_check_vnode_readlink = mac_mls_check_vnode_readlink,
+ .mpo_check_vnode_relabel = mac_mls_check_vnode_relabel,
+ .mpo_check_vnode_rename_from = mac_mls_check_vnode_rename_from,
+ .mpo_check_vnode_rename_to = mac_mls_check_vnode_rename_to,
+ .mpo_check_vnode_revoke = mac_mls_check_vnode_revoke,
+ .mpo_check_vnode_setacl = mac_mls_check_vnode_setacl,
+ .mpo_check_vnode_setextattr = mac_mls_check_vnode_setextattr,
+ .mpo_check_vnode_setflags = mac_mls_check_vnode_setflags,
+ .mpo_check_vnode_setmode = mac_mls_check_vnode_setmode,
+ .mpo_check_vnode_setowner = mac_mls_check_vnode_setowner,
+ .mpo_check_vnode_setutimes = mac_mls_check_vnode_setutimes,
+ .mpo_check_vnode_stat = mac_mls_check_vnode_stat,
+ .mpo_check_vnode_write = mac_mls_check_vnode_write,
};
-MAC_POLICY_SET(mac_mls_ops, trustedbsd_mac_mls, "TrustedBSD MAC/MLS",
+MAC_POLICY_SET(&mac_mls_ops, trustedbsd_mac_mls, "TrustedBSD MAC/MLS",
MPC_LOADTIME_FLAG_NOTLATE, &mac_mls_slot);
diff --git a/sys/security/mac_none/mac_none.c b/sys/security/mac_none/mac_none.c
index e5c3027b13e8..292b5492dbde 100644
--- a/sys/security/mac_none/mac_none.c
+++ b/sys/security/mac_none/mac_none.c
@@ -883,278 +883,143 @@ mac_none_check_vnode_write(struct ucred *active_cred,
return (0);
}
-static struct mac_policy_op_entry mac_none_ops[] =
+static struct mac_policy_ops mac_none_ops =
{
- { MAC_DESTROY,
- (macop_t)mac_none_destroy },
- { MAC_INIT,
- (macop_t)mac_none_init },
- { MAC_SYSCALL,
- (macop_t)mac_none_syscall },
- { MAC_INIT_BPFDESC_LABEL,
- (macop_t)mac_none_init_label },
- { MAC_INIT_CRED_LABEL,
- (macop_t)mac_none_init_label },
- { MAC_INIT_DEVFSDIRENT_LABEL,
- (macop_t)mac_none_init_label },
- { MAC_INIT_IFNET_LABEL,
- (macop_t)mac_none_init_label },
- { MAC_INIT_IPQ_LABEL,
- (macop_t)mac_none_init_label },
- { MAC_INIT_MBUF_LABEL,
- (macop_t)mac_none_init_label_waitcheck },
- { MAC_INIT_MOUNT_LABEL,
- (macop_t)mac_none_init_label },
- { MAC_INIT_MOUNT_FS_LABEL,
- (macop_t)mac_none_init_label },
- { MAC_INIT_PIPE_LABEL,
- (macop_t)mac_none_init_label },
- { MAC_INIT_SOCKET_LABEL,
- (macop_t)mac_none_init_label_waitcheck },
- { MAC_INIT_SOCKET_PEER_LABEL,
- (macop_t)mac_none_init_label_waitcheck },
- { MAC_INIT_VNODE_LABEL,
- (macop_t)mac_none_init_label },
- { MAC_DESTROY_BPFDESC_LABEL,
- (macop_t)mac_none_destroy_label },
- { MAC_DESTROY_CRED_LABEL,
- (macop_t)mac_none_destroy_label },
- { MAC_DESTROY_DEVFSDIRENT_LABEL,
- (macop_t)mac_none_destroy_label },
- { MAC_DESTROY_IFNET_LABEL,
- (macop_t)mac_none_destroy_label },
- { MAC_DESTROY_IPQ_LABEL,
- (macop_t)mac_none_destroy_label },
- { MAC_DESTROY_MBUF_LABEL,
- (macop_t)mac_none_destroy_label },
- { MAC_DESTROY_MOUNT_LABEL,
- (macop_t)mac_none_destroy_label },
- { MAC_DESTROY_MOUNT_FS_LABEL,
- (macop_t)mac_none_destroy_label },
- { MAC_DESTROY_PIPE_LABEL,
- (macop_t)mac_none_destroy_label },
- { MAC_DESTROY_SOCKET_LABEL,
- (macop_t)mac_none_destroy_label },
- { MAC_DESTROY_SOCKET_PEER_LABEL,
- (macop_t)mac_none_destroy_label },
- { MAC_DESTROY_VNODE_LABEL,
- (macop_t)mac_none_destroy_label },
- { MAC_EXTERNALIZE_CRED_LABEL,
- (macop_t)mac_none_externalize_label },
- { MAC_EXTERNALIZE_IFNET_LABEL,
- (macop_t)mac_none_externalize_label },
- { MAC_EXTERNALIZE_PIPE_LABEL,
- (macop_t)mac_none_externalize_label },
- { MAC_EXTERNALIZE_SOCKET_LABEL,
- (macop_t)mac_none_externalize_label },
- { MAC_EXTERNALIZE_SOCKET_PEER_LABEL,
- (macop_t)mac_none_externalize_label },
- { MAC_EXTERNALIZE_VNODE_LABEL,
- (macop_t)mac_none_externalize_label },
- { MAC_INTERNALIZE_CRED_LABEL,
- (macop_t)mac_none_internalize_label },
- { MAC_INTERNALIZE_IFNET_LABEL,
- (macop_t)mac_none_internalize_label },
- { MAC_INTERNALIZE_PIPE_LABEL,
- (macop_t)mac_none_internalize_label },
- { MAC_INTERNALIZE_SOCKET_LABEL,
- (macop_t)mac_none_internalize_label },
- { MAC_INTERNALIZE_VNODE_LABEL,
- (macop_t)mac_none_internalize_label },
- { MAC_ASSOCIATE_VNODE_DEVFS,
- (macop_t)mac_none_associate_vnode_devfs },
- { MAC_ASSOCIATE_VNODE_EXTATTR,
- (macop_t)mac_none_associate_vnode_extattr },
- { MAC_ASSOCIATE_VNODE_SINGLELABEL,
- (macop_t)mac_none_associate_vnode_singlelabel },
- { MAC_CREATE_DEVFS_DEVICE,
- (macop_t)mac_none_create_devfs_device },
- { MAC_CREATE_DEVFS_DIRECTORY,
- (macop_t)mac_none_create_devfs_directory },
- { MAC_CREATE_DEVFS_SYMLINK,
- (macop_t)mac_none_create_devfs_symlink },
- { MAC_CREATE_DEVFS_VNODE,
- (macop_t)mac_none_create_devfs_vnode },
- { MAC_CREATE_VNODE_EXTATTR,
- (macop_t)mac_none_create_vnode_extattr },
- { MAC_CREATE_MOUNT,
- (macop_t)mac_none_create_mount },
- { MAC_CREATE_ROOT_MOUNT,
- (macop_t)mac_none_create_root_mount },
- { MAC_RELABEL_VNODE,
- (macop_t)mac_none_relabel_vnode },
- { MAC_SETLABEL_VNODE_EXTATTR,
- (macop_t)mac_none_setlabel_vnode_extattr },
- { MAC_UPDATE_DEVFSDIRENT,
- (macop_t)mac_none_update_devfsdirent },
- { MAC_CREATE_MBUF_FROM_SOCKET,
- (macop_t)mac_none_create_mbuf_from_socket },
- { MAC_CREATE_PIPE,
- (macop_t)mac_none_create_pipe },
- { MAC_CREATE_SOCKET,
- (macop_t)mac_none_create_socket },
- { MAC_CREATE_SOCKET_FROM_SOCKET,
- (macop_t)mac_none_create_socket_from_socket },
- { MAC_RELABEL_PIPE,
- (macop_t)mac_none_relabel_pipe },
- { MAC_RELABEL_SOCKET,
- (macop_t)mac_none_relabel_socket },
- { MAC_SET_SOCKET_PEER_FROM_MBUF,
- (macop_t)mac_none_set_socket_peer_from_mbuf },
- { MAC_SET_SOCKET_PEER_FROM_SOCKET,
- (macop_t)mac_none_set_socket_peer_from_socket },
- { MAC_CREATE_BPFDESC,
- (macop_t)mac_none_create_bpfdesc },
- { MAC_CREATE_IFNET,
- (macop_t)mac_none_create_ifnet },
- { MAC_CREATE_IPQ,
- (macop_t)mac_none_create_ipq },
- { MAC_CREATE_DATAGRAM_FROM_IPQ,
- (macop_t)mac_none_create_datagram_from_ipq },
- { MAC_CREATE_FRAGMENT,
- (macop_t)mac_none_create_fragment },
- { MAC_CREATE_IPQ,
- (macop_t)mac_none_create_ipq },
- { MAC_CREATE_MBUF_FROM_MBUF,
- (macop_t)mac_none_create_mbuf_from_mbuf },
- { MAC_CREATE_MBUF_LINKLAYER,
- (macop_t)mac_none_create_mbuf_linklayer },
- { MAC_CREATE_MBUF_FROM_BPFDESC,
- (macop_t)mac_none_create_mbuf_from_bpfdesc },
- { MAC_CREATE_MBUF_FROM_IFNET,
- (macop_t)mac_none_create_mbuf_from_ifnet },
- { MAC_CREATE_MBUF_MULTICAST_ENCAP,
- (macop_t)mac_none_create_mbuf_multicast_encap },
- { MAC_CREATE_MBUF_NETLAYER,
- (macop_t)mac_none_create_mbuf_netlayer },
- { MAC_FRAGMENT_MATCH,
- (macop_t)mac_none_fragment_match },
- { MAC_RELABEL_IFNET,
- (macop_t)mac_none_relabel_ifnet },
- { MAC_UPDATE_IPQ,
- (macop_t)mac_none_update_ipq },
- { MAC_CREATE_CRED,
- (macop_t)mac_none_create_cred },
- { MAC_EXECVE_TRANSITION,
- (macop_t)mac_none_execve_transition },
- { MAC_EXECVE_WILL_TRANSITION,
- (macop_t)mac_none_execve_will_transition },
- { MAC_CREATE_PROC0,
- (macop_t)mac_none_create_proc0 },
- { MAC_CREATE_PROC1,
- (macop_t)mac_none_create_proc1 },
- { MAC_RELABEL_CRED,
- (macop_t)mac_none_relabel_cred },
- { MAC_CHECK_BPFDESC_RECEIVE,
- (macop_t)mac_none_check_bpfdesc_receive },
- { MAC_CHECK_CRED_RELABEL,
- (macop_t)mac_none_check_cred_relabel },
- { MAC_CHECK_CRED_VISIBLE,
- (macop_t)mac_none_check_cred_visible },
- { MAC_CHECK_IFNET_RELABEL,
- (macop_t)mac_none_check_ifnet_relabel },
- { MAC_CHECK_IFNET_TRANSMIT,
- (macop_t)mac_none_check_ifnet_transmit },
- { MAC_CHECK_MOUNT_STAT,
- (macop_t)mac_none_check_mount_stat },
- { MAC_CHECK_PIPE_IOCTL,
- (macop_t)mac_none_check_pipe_ioctl },
- { MAC_CHECK_PIPE_POLL,
- (macop_t)mac_none_check_pipe_poll },
- { MAC_CHECK_PIPE_READ,
- (macop_t)mac_none_check_pipe_read },
- { MAC_CHECK_PIPE_RELABEL,
- (macop_t)mac_none_check_pipe_relabel },
- { MAC_CHECK_PIPE_STAT,
- (macop_t)mac_none_check_pipe_stat },
- { MAC_CHECK_PIPE_WRITE,
- (macop_t)mac_none_check_pipe_write },
- { MAC_CHECK_PROC_DEBUG,
- (macop_t)mac_none_check_proc_debug },
- { MAC_CHECK_PROC_SCHED,
- (macop_t)mac_none_check_proc_sched },
- { MAC_CHECK_PROC_SIGNAL,
- (macop_t)mac_none_check_proc_signal },
- { MAC_CHECK_SOCKET_BIND,
- (macop_t)mac_none_check_socket_bind },
- { MAC_CHECK_SOCKET_CONNECT,
- (macop_t)mac_none_check_socket_connect },
- { MAC_CHECK_SOCKET_DELIVER,
- (macop_t)mac_none_check_socket_deliver },
- { MAC_CHECK_SOCKET_LISTEN,
- (macop_t)mac_none_check_socket_listen },
- { MAC_CHECK_SOCKET_RELABEL,
- (macop_t)mac_none_check_socket_relabel },
- { MAC_CHECK_SOCKET_VISIBLE,
- (macop_t)mac_none_check_socket_visible },
- { MAC_CHECK_SYSTEM_REBOOT,
- (macop_t)mac_none_check_system_reboot },
- { MAC_CHECK_SYSTEM_SWAPON,
- (macop_t)mac_none_check_system_swapon },
- { MAC_CHECK_SYSTEM_SYSCTL,
- (macop_t)mac_none_check_system_sysctl },
- { MAC_CHECK_VNODE_ACCESS,
- (macop_t)mac_none_check_vnode_access },
- { MAC_CHECK_VNODE_CHDIR,
- (macop_t)mac_none_check_vnode_chdir },
- { MAC_CHECK_VNODE_CHROOT,
- (macop_t)mac_none_check_vnode_chroot },
- { MAC_CHECK_VNODE_CREATE,
- (macop_t)mac_none_check_vnode_create },
- { MAC_CHECK_VNODE_DELETE,
- (macop_t)mac_none_check_vnode_delete },
- { MAC_CHECK_VNODE_DELETEACL,
- (macop_t)mac_none_check_vnode_deleteacl },
- { MAC_CHECK_VNODE_EXEC,
- (macop_t)mac_none_check_vnode_exec },
- { MAC_CHECK_VNODE_GETACL,
- (macop_t)mac_none_check_vnode_getacl },
- { MAC_CHECK_VNODE_GETEXTATTR,
- (macop_t)mac_none_check_vnode_getextattr },
- { MAC_CHECK_VNODE_LINK,
- (macop_t)mac_none_check_vnode_link },
- { MAC_CHECK_VNODE_LOOKUP,
- (macop_t)mac_none_check_vnode_lookup },
- { MAC_CHECK_VNODE_MMAP,
- (macop_t)mac_none_check_vnode_mmap },
- { MAC_CHECK_VNODE_MPROTECT,
- (macop_t)mac_none_check_vnode_mprotect },
- { MAC_CHECK_VNODE_OPEN,
- (macop_t)mac_none_check_vnode_open },
- { MAC_CHECK_VNODE_POLL,
- (macop_t)mac_none_check_vnode_poll },
- { MAC_CHECK_VNODE_READ,
- (macop_t)mac_none_check_vnode_read },
- { MAC_CHECK_VNODE_READDIR,
- (macop_t)mac_none_check_vnode_readdir },
- { MAC_CHECK_VNODE_READLINK,
- (macop_t)mac_none_check_vnode_readlink },
- { MAC_CHECK_VNODE_RELABEL,
- (macop_t)mac_none_check_vnode_relabel },
- { MAC_CHECK_VNODE_RENAME_FROM,
- (macop_t)mac_none_check_vnode_rename_from },
- { MAC_CHECK_VNODE_RENAME_TO,
- (macop_t)mac_none_check_vnode_rename_to },
- { MAC_CHECK_VNODE_REVOKE,
- (macop_t)mac_none_check_vnode_revoke },
- { MAC_CHECK_VNODE_SETACL,
- (macop_t)mac_none_check_vnode_setacl },
- { MAC_CHECK_VNODE_SETEXTATTR,
- (macop_t)mac_none_check_vnode_setextattr },
- { MAC_CHECK_VNODE_SETFLAGS,
- (macop_t)mac_none_check_vnode_setflags },
- { MAC_CHECK_VNODE_SETMODE,
- (macop_t)mac_none_check_vnode_setmode },
- { MAC_CHECK_VNODE_SETOWNER,
- (macop_t)mac_none_check_vnode_setowner },
- { MAC_CHECK_VNODE_SETUTIMES,
- (macop_t)mac_none_check_vnode_setutimes },
- { MAC_CHECK_VNODE_STAT,
- (macop_t)mac_none_check_vnode_stat },
- { MAC_CHECK_VNODE_WRITE,
- (macop_t)mac_none_check_vnode_write },
- { MAC_OP_LAST, NULL }
+ .mpo_destroy = mac_none_destroy,
+ .mpo_init = mac_none_init,
+ .mpo_syscall = mac_none_syscall,
+ .mpo_init_bpfdesc_label = mac_none_init_label,
+ .mpo_init_cred_label = mac_none_init_label,
+ .mpo_init_devfsdirent_label = mac_none_init_label,
+ .mpo_init_ifnet_label = mac_none_init_label,
+ .mpo_init_ipq_label = mac_none_init_label,
+ .mpo_init_mbuf_label = mac_none_init_label_waitcheck,
+ .mpo_init_mount_label = mac_none_init_label,
+ .mpo_init_mount_fs_label = mac_none_init_label,
+ .mpo_init_pipe_label = mac_none_init_label,
+ .mpo_init_socket_label = mac_none_init_label_waitcheck,
+ .mpo_init_socket_peer_label = mac_none_init_label_waitcheck,
+ .mpo_init_vnode_label = mac_none_init_label,
+ .mpo_destroy_bpfdesc_label = mac_none_destroy_label,
+ .mpo_destroy_cred_label = mac_none_destroy_label,
+ .mpo_destroy_devfsdirent_label = mac_none_destroy_label,
+ .mpo_destroy_ifnet_label = mac_none_destroy_label,
+ .mpo_destroy_ipq_label = mac_none_destroy_label,
+ .mpo_destroy_mbuf_label = mac_none_destroy_label,
+ .mpo_destroy_mount_label = mac_none_destroy_label,
+ .mpo_destroy_mount_fs_label = mac_none_destroy_label,
+ .mpo_destroy_pipe_label = mac_none_destroy_label,
+ .mpo_destroy_socket_label = mac_none_destroy_label,
+ .mpo_destroy_socket_peer_label = mac_none_destroy_label,
+ .mpo_destroy_vnode_label = mac_none_destroy_label,
+ .mpo_externalize_cred_label = mac_none_externalize_label,
+ .mpo_externalize_ifnet_label = mac_none_externalize_label,
+ .mpo_externalize_pipe_label = mac_none_externalize_label,
+ .mpo_externalize_socket_label = mac_none_externalize_label,
+ .mpo_externalize_socket_peer_label = mac_none_externalize_label,
+ .mpo_externalize_vnode_label = mac_none_externalize_label,
+ .mpo_internalize_cred_label = mac_none_internalize_label,
+ .mpo_internalize_ifnet_label = mac_none_internalize_label,
+ .mpo_internalize_pipe_label = mac_none_internalize_label,
+ .mpo_internalize_socket_label = mac_none_internalize_label,
+ .mpo_internalize_vnode_label = mac_none_internalize_label,
+ .mpo_associate_vnode_devfs = mac_none_associate_vnode_devfs,
+ .mpo_associate_vnode_extattr = mac_none_associate_vnode_extattr,
+ .mpo_associate_vnode_singlelabel = mac_none_associate_vnode_singlelabel,
+ .mpo_create_devfs_device = mac_none_create_devfs_device,
+ .mpo_create_devfs_directory = mac_none_create_devfs_directory,
+ .mpo_create_devfs_symlink = mac_none_create_devfs_symlink,
+ .mpo_create_devfs_vnode = mac_none_create_devfs_vnode,
+ .mpo_create_vnode_extattr = mac_none_create_vnode_extattr,
+ .mpo_create_mount = mac_none_create_mount,
+ .mpo_create_root_mount = mac_none_create_root_mount,
+ .mpo_relabel_vnode = mac_none_relabel_vnode,
+ .mpo_setlabel_vnode_extattr = mac_none_setlabel_vnode_extattr,
+ .mpo_update_devfsdirent = mac_none_update_devfsdirent,
+ .mpo_create_mbuf_from_socket = mac_none_create_mbuf_from_socket,
+ .mpo_create_pipe = mac_none_create_pipe,
+ .mpo_create_socket = mac_none_create_socket,
+ .mpo_create_socket_from_socket = mac_none_create_socket_from_socket,
+ .mpo_relabel_pipe = mac_none_relabel_pipe,
+ .mpo_relabel_socket = mac_none_relabel_socket,
+ .mpo_set_socket_peer_from_mbuf = mac_none_set_socket_peer_from_mbuf,
+ .mpo_set_socket_peer_from_socket = mac_none_set_socket_peer_from_socket,
+ .mpo_create_bpfdesc = mac_none_create_bpfdesc,
+ .mpo_create_ifnet = mac_none_create_ifnet,
+ .mpo_create_ipq = mac_none_create_ipq,
+ .mpo_create_datagram_from_ipq = mac_none_create_datagram_from_ipq,
+ .mpo_create_fragment = mac_none_create_fragment,
+ .mpo_create_ipq = mac_none_create_ipq,
+ .mpo_create_mbuf_from_mbuf = mac_none_create_mbuf_from_mbuf,
+ .mpo_create_mbuf_linklayer = mac_none_create_mbuf_linklayer,
+ .mpo_create_mbuf_from_bpfdesc = mac_none_create_mbuf_from_bpfdesc,
+ .mpo_create_mbuf_from_ifnet = mac_none_create_mbuf_from_ifnet,
+ .mpo_create_mbuf_multicast_encap = mac_none_create_mbuf_multicast_encap,
+ .mpo_create_mbuf_netlayer = mac_none_create_mbuf_netlayer,
+ .mpo_fragment_match = mac_none_fragment_match,
+ .mpo_relabel_ifnet = mac_none_relabel_ifnet,
+ .mpo_update_ipq = mac_none_update_ipq,
+ .mpo_create_cred = mac_none_create_cred,
+ .mpo_execve_transition = mac_none_execve_transition,
+ .mpo_execve_will_transition = mac_none_execve_will_transition,
+ .mpo_create_proc0 = mac_none_create_proc0,
+ .mpo_create_proc1 = mac_none_create_proc1,
+ .mpo_relabel_cred = mac_none_relabel_cred,
+ .mpo_check_bpfdesc_receive = mac_none_check_bpfdesc_receive,
+ .mpo_check_cred_relabel = mac_none_check_cred_relabel,
+ .mpo_check_cred_visible = mac_none_check_cred_visible,
+ .mpo_check_ifnet_relabel = mac_none_check_ifnet_relabel,
+ .mpo_check_ifnet_transmit = mac_none_check_ifnet_transmit,
+ .mpo_check_mount_stat = mac_none_check_mount_stat,
+ .mpo_check_pipe_ioctl = mac_none_check_pipe_ioctl,
+ .mpo_check_pipe_poll = mac_none_check_pipe_poll,
+ .mpo_check_pipe_read = mac_none_check_pipe_read,
+ .mpo_check_pipe_relabel = mac_none_check_pipe_relabel,
+ .mpo_check_pipe_stat = mac_none_check_pipe_stat,
+ .mpo_check_pipe_write = mac_none_check_pipe_write,
+ .mpo_check_proc_debug = mac_none_check_proc_debug,
+ .mpo_check_proc_sched = mac_none_check_proc_sched,
+ .mpo_check_proc_signal = mac_none_check_proc_signal,
+ .mpo_check_socket_bind = mac_none_check_socket_bind,
+ .mpo_check_socket_connect = mac_none_check_socket_connect,
+ .mpo_check_socket_deliver = mac_none_check_socket_deliver,
+ .mpo_check_socket_listen = mac_none_check_socket_listen,
+ .mpo_check_socket_relabel = mac_none_check_socket_relabel,
+ .mpo_check_socket_visible = mac_none_check_socket_visible,
+ .mpo_check_system_reboot = mac_none_check_system_reboot,
+ .mpo_check_system_swapon = mac_none_check_system_swapon,
+ .mpo_check_system_sysctl = mac_none_check_system_sysctl,
+ .mpo_check_vnode_access = mac_none_check_vnode_access,
+ .mpo_check_vnode_chdir = mac_none_check_vnode_chdir,
+ .mpo_check_vnode_chroot = mac_none_check_vnode_chroot,
+ .mpo_check_vnode_create = mac_none_check_vnode_create,
+ .mpo_check_vnode_delete = mac_none_check_vnode_delete,
+ .mpo_check_vnode_deleteacl = mac_none_check_vnode_deleteacl,
+ .mpo_check_vnode_exec = mac_none_check_vnode_exec,
+ .mpo_check_vnode_getacl = mac_none_check_vnode_getacl,
+ .mpo_check_vnode_getextattr = mac_none_check_vnode_getextattr,
+ .mpo_check_vnode_link = mac_none_check_vnode_link,
+ .mpo_check_vnode_lookup = mac_none_check_vnode_lookup,
+ .mpo_check_vnode_mmap = mac_none_check_vnode_mmap,
+ .mpo_check_vnode_mprotect = mac_none_check_vnode_mprotect,
+ .mpo_check_vnode_open = mac_none_check_vnode_open,
+ .mpo_check_vnode_poll = mac_none_check_vnode_poll,
+ .mpo_check_vnode_read = mac_none_check_vnode_read,
+ .mpo_check_vnode_readdir = mac_none_check_vnode_readdir,
+ .mpo_check_vnode_readlink = mac_none_check_vnode_readlink,
+ .mpo_check_vnode_relabel = mac_none_check_vnode_relabel,
+ .mpo_check_vnode_rename_from = mac_none_check_vnode_rename_from,
+ .mpo_check_vnode_rename_to = mac_none_check_vnode_rename_to,
+ .mpo_check_vnode_revoke = mac_none_check_vnode_revoke,
+ .mpo_check_vnode_setacl = mac_none_check_vnode_setacl,
+ .mpo_check_vnode_setextattr = mac_none_check_vnode_setextattr,
+ .mpo_check_vnode_setflags = mac_none_check_vnode_setflags,
+ .mpo_check_vnode_setmode = mac_none_check_vnode_setmode,
+ .mpo_check_vnode_setowner = mac_none_check_vnode_setowner,
+ .mpo_check_vnode_setutimes = mac_none_check_vnode_setutimes,
+ .mpo_check_vnode_stat = mac_none_check_vnode_stat,
+ .mpo_check_vnode_write = mac_none_check_vnode_write,
};
-MAC_POLICY_SET(mac_none_ops, trustedbsd_mac_none, "TrustedBSD MAC/None",
+MAC_POLICY_SET(&mac_none_ops, trustedbsd_mac_none, "TrustedBSD MAC/None",
MPC_LOADTIME_FLAG_UNLOADOK, NULL);
diff --git a/sys/security/mac_partition/mac_partition.c b/sys/security/mac_partition/mac_partition.c
index 6636bef67b53..c1167ea59b02 100644
--- a/sys/security/mac_partition/mac_partition.c
+++ b/sys/security/mac_partition/mac_partition.c
@@ -249,40 +249,24 @@ mac_partition_check_socket_visible(struct ucred *cred, struct socket *socket,
return (error ? ENOENT : 0);
}
-static struct mac_policy_op_entry mac_partition_ops[] =
+static struct mac_policy_ops mac_partition_ops =
{
- { MAC_INIT,
- (macop_t)mac_partition_init },
- { MAC_INIT_CRED_LABEL,
- (macop_t)mac_partition_init_label },
- { MAC_DESTROY_CRED_LABEL,
- (macop_t)mac_partition_destroy_label },
- { MAC_EXTERNALIZE_CRED_LABEL,
- (macop_t)mac_partition_externalize_label },
- { MAC_INTERNALIZE_CRED_LABEL,
- (macop_t)mac_partition_internalize_label },
- { MAC_CREATE_CRED,
- (macop_t)mac_partition_create_cred },
- { MAC_CREATE_PROC0,
- (macop_t)mac_partition_create_proc0 },
- { MAC_CREATE_PROC1,
- (macop_t)mac_partition_create_proc1 },
- { MAC_RELABEL_CRED,
- (macop_t)mac_partition_relabel_cred },
- { MAC_CHECK_CRED_RELABEL,
- (macop_t)mac_partition_check_cred_relabel },
- { MAC_CHECK_CRED_VISIBLE,
- (macop_t)mac_partition_check_cred_visible },
- { MAC_CHECK_PROC_DEBUG,
- (macop_t)mac_partition_check_proc_debug },
- { MAC_CHECK_PROC_SCHED,
- (macop_t)mac_partition_check_proc_sched },
- { MAC_CHECK_PROC_SIGNAL,
- (macop_t)mac_partition_check_proc_signal },
- { MAC_CHECK_SOCKET_VISIBLE,
- (macop_t)mac_partition_check_socket_visible },
- { MAC_OP_LAST, NULL }
+ .mpo_init = mac_partition_init,
+ .mpo_init_cred_label = mac_partition_init_label,
+ .mpo_destroy_cred_label = mac_partition_destroy_label,
+ .mpo_externalize_cred_label = mac_partition_externalize_label,
+ .mpo_internalize_cred_label = mac_partition_internalize_label,
+ .mpo_create_cred = mac_partition_create_cred,
+ .mpo_create_proc0 = mac_partition_create_proc0,
+ .mpo_create_proc1 = mac_partition_create_proc1,
+ .mpo_relabel_cred = mac_partition_relabel_cred,
+ .mpo_check_cred_relabel = mac_partition_check_cred_relabel,
+ .mpo_check_cred_visible = mac_partition_check_cred_visible,
+ .mpo_check_proc_debug = mac_partition_check_proc_debug,
+ .mpo_check_proc_sched = mac_partition_check_proc_sched,
+ .mpo_check_proc_signal = mac_partition_check_proc_signal,
+ .mpo_check_socket_visible = mac_partition_check_socket_visible,
};
-MAC_POLICY_SET(mac_partition_ops, trustedbsd_mac_partition,
+MAC_POLICY_SET(&mac_partition_ops, trustedbsd_mac_partition,
"TrustedBSD MAC/Partition", MPC_LOADTIME_FLAG_UNLOADOK, &partition_slot);
diff --git a/sys/security/mac_seeotheruids/mac_seeotheruids.c b/sys/security/mac_seeotheruids/mac_seeotheruids.c
index 8233724d2da6..06c95e67f569 100644
--- a/sys/security/mac_seeotheruids/mac_seeotheruids.c
+++ b/sys/security/mac_seeotheruids/mac_seeotheruids.c
@@ -160,20 +160,14 @@ mac_seeotheruids_check_socket_visible(struct ucred *cred, struct socket *socket,
return (mac_seeotheruids_check(cred, socket->so_cred));
}
-static struct mac_policy_op_entry mac_seeotheruids_ops[] =
+static struct mac_policy_ops mac_seeotheruids_ops =
{
- { MAC_CHECK_CRED_VISIBLE,
- (macop_t)mac_seeotheruids_check_cred_visible },
- { MAC_CHECK_PROC_DEBUG,
- (macop_t)mac_seeotheruids_check_proc_debug },
- { MAC_CHECK_PROC_SCHED,
- (macop_t)mac_seeotheruids_check_proc_sched },
- { MAC_CHECK_PROC_SIGNAL,
- (macop_t)mac_seeotheruids_check_proc_signal },
- { MAC_CHECK_SOCKET_VISIBLE,
- (macop_t)mac_seeotheruids_check_socket_visible },
- { MAC_OP_LAST, NULL }
+ .mpo_check_cred_visible = mac_seeotheruids_check_cred_visible,
+ .mpo_check_proc_debug = mac_seeotheruids_check_proc_debug,
+ .mpo_check_proc_sched = mac_seeotheruids_check_proc_sched,
+ .mpo_check_proc_signal = mac_seeotheruids_check_proc_signal,
+ .mpo_check_socket_visible = mac_seeotheruids_check_socket_visible,
};
-MAC_POLICY_SET(mac_seeotheruids_ops, trustedbsd_mac_seeotheruids,
+MAC_POLICY_SET(&mac_seeotheruids_ops, trustedbsd_mac_seeotheruids,
"TrustedBSD MAC/seeotheruids", MPC_LOADTIME_FLAG_UNLOADOK, NULL);
diff --git a/sys/security/mac_stub/mac_stub.c b/sys/security/mac_stub/mac_stub.c
index e5c3027b13e8..292b5492dbde 100644
--- a/sys/security/mac_stub/mac_stub.c
+++ b/sys/security/mac_stub/mac_stub.c
@@ -883,278 +883,143 @@ mac_none_check_vnode_write(struct ucred *active_cred,
return (0);
}
-static struct mac_policy_op_entry mac_none_ops[] =
+static struct mac_policy_ops mac_none_ops =
{
- { MAC_DESTROY,
- (macop_t)mac_none_destroy },
- { MAC_INIT,
- (macop_t)mac_none_init },
- { MAC_SYSCALL,
- (macop_t)mac_none_syscall },
- { MAC_INIT_BPFDESC_LABEL,
- (macop_t)mac_none_init_label },
- { MAC_INIT_CRED_LABEL,
- (macop_t)mac_none_init_label },
- { MAC_INIT_DEVFSDIRENT_LABEL,
- (macop_t)mac_none_init_label },
- { MAC_INIT_IFNET_LABEL,
- (macop_t)mac_none_init_label },
- { MAC_INIT_IPQ_LABEL,
- (macop_t)mac_none_init_label },
- { MAC_INIT_MBUF_LABEL,
- (macop_t)mac_none_init_label_waitcheck },
- { MAC_INIT_MOUNT_LABEL,
- (macop_t)mac_none_init_label },
- { MAC_INIT_MOUNT_FS_LABEL,
- (macop_t)mac_none_init_label },
- { MAC_INIT_PIPE_LABEL,
- (macop_t)mac_none_init_label },
- { MAC_INIT_SOCKET_LABEL,
- (macop_t)mac_none_init_label_waitcheck },
- { MAC_INIT_SOCKET_PEER_LABEL,
- (macop_t)mac_none_init_label_waitcheck },
- { MAC_INIT_VNODE_LABEL,
- (macop_t)mac_none_init_label },
- { MAC_DESTROY_BPFDESC_LABEL,
- (macop_t)mac_none_destroy_label },
- { MAC_DESTROY_CRED_LABEL,
- (macop_t)mac_none_destroy_label },
- { MAC_DESTROY_DEVFSDIRENT_LABEL,
- (macop_t)mac_none_destroy_label },
- { MAC_DESTROY_IFNET_LABEL,
- (macop_t)mac_none_destroy_label },
- { MAC_DESTROY_IPQ_LABEL,
- (macop_t)mac_none_destroy_label },
- { MAC_DESTROY_MBUF_LABEL,
- (macop_t)mac_none_destroy_label },
- { MAC_DESTROY_MOUNT_LABEL,
- (macop_t)mac_none_destroy_label },
- { MAC_DESTROY_MOUNT_FS_LABEL,
- (macop_t)mac_none_destroy_label },
- { MAC_DESTROY_PIPE_LABEL,
- (macop_t)mac_none_destroy_label },
- { MAC_DESTROY_SOCKET_LABEL,
- (macop_t)mac_none_destroy_label },
- { MAC_DESTROY_SOCKET_PEER_LABEL,
- (macop_t)mac_none_destroy_label },
- { MAC_DESTROY_VNODE_LABEL,
- (macop_t)mac_none_destroy_label },
- { MAC_EXTERNALIZE_CRED_LABEL,
- (macop_t)mac_none_externalize_label },
- { MAC_EXTERNALIZE_IFNET_LABEL,
- (macop_t)mac_none_externalize_label },
- { MAC_EXTERNALIZE_PIPE_LABEL,
- (macop_t)mac_none_externalize_label },
- { MAC_EXTERNALIZE_SOCKET_LABEL,
- (macop_t)mac_none_externalize_label },
- { MAC_EXTERNALIZE_SOCKET_PEER_LABEL,
- (macop_t)mac_none_externalize_label },
- { MAC_EXTERNALIZE_VNODE_LABEL,
- (macop_t)mac_none_externalize_label },
- { MAC_INTERNALIZE_CRED_LABEL,
- (macop_t)mac_none_internalize_label },
- { MAC_INTERNALIZE_IFNET_LABEL,
- (macop_t)mac_none_internalize_label },
- { MAC_INTERNALIZE_PIPE_LABEL,
- (macop_t)mac_none_internalize_label },
- { MAC_INTERNALIZE_SOCKET_LABEL,
- (macop_t)mac_none_internalize_label },
- { MAC_INTERNALIZE_VNODE_LABEL,
- (macop_t)mac_none_internalize_label },
- { MAC_ASSOCIATE_VNODE_DEVFS,
- (macop_t)mac_none_associate_vnode_devfs },
- { MAC_ASSOCIATE_VNODE_EXTATTR,
- (macop_t)mac_none_associate_vnode_extattr },
- { MAC_ASSOCIATE_VNODE_SINGLELABEL,
- (macop_t)mac_none_associate_vnode_singlelabel },
- { MAC_CREATE_DEVFS_DEVICE,
- (macop_t)mac_none_create_devfs_device },
- { MAC_CREATE_DEVFS_DIRECTORY,
- (macop_t)mac_none_create_devfs_directory },
- { MAC_CREATE_DEVFS_SYMLINK,
- (macop_t)mac_none_create_devfs_symlink },
- { MAC_CREATE_DEVFS_VNODE,
- (macop_t)mac_none_create_devfs_vnode },
- { MAC_CREATE_VNODE_EXTATTR,
- (macop_t)mac_none_create_vnode_extattr },
- { MAC_CREATE_MOUNT,
- (macop_t)mac_none_create_mount },
- { MAC_CREATE_ROOT_MOUNT,
- (macop_t)mac_none_create_root_mount },
- { MAC_RELABEL_VNODE,
- (macop_t)mac_none_relabel_vnode },
- { MAC_SETLABEL_VNODE_EXTATTR,
- (macop_t)mac_none_setlabel_vnode_extattr },
- { MAC_UPDATE_DEVFSDIRENT,
- (macop_t)mac_none_update_devfsdirent },
- { MAC_CREATE_MBUF_FROM_SOCKET,
- (macop_t)mac_none_create_mbuf_from_socket },
- { MAC_CREATE_PIPE,
- (macop_t)mac_none_create_pipe },
- { MAC_CREATE_SOCKET,
- (macop_t)mac_none_create_socket },
- { MAC_CREATE_SOCKET_FROM_SOCKET,
- (macop_t)mac_none_create_socket_from_socket },
- { MAC_RELABEL_PIPE,
- (macop_t)mac_none_relabel_pipe },
- { MAC_RELABEL_SOCKET,
- (macop_t)mac_none_relabel_socket },
- { MAC_SET_SOCKET_PEER_FROM_MBUF,
- (macop_t)mac_none_set_socket_peer_from_mbuf },
- { MAC_SET_SOCKET_PEER_FROM_SOCKET,
- (macop_t)mac_none_set_socket_peer_from_socket },
- { MAC_CREATE_BPFDESC,
- (macop_t)mac_none_create_bpfdesc },
- { MAC_CREATE_IFNET,
- (macop_t)mac_none_create_ifnet },
- { MAC_CREATE_IPQ,
- (macop_t)mac_none_create_ipq },
- { MAC_CREATE_DATAGRAM_FROM_IPQ,
- (macop_t)mac_none_create_datagram_from_ipq },
- { MAC_CREATE_FRAGMENT,
- (macop_t)mac_none_create_fragment },
- { MAC_CREATE_IPQ,
- (macop_t)mac_none_create_ipq },
- { MAC_CREATE_MBUF_FROM_MBUF,
- (macop_t)mac_none_create_mbuf_from_mbuf },
- { MAC_CREATE_MBUF_LINKLAYER,
- (macop_t)mac_none_create_mbuf_linklayer },
- { MAC_CREATE_MBUF_FROM_BPFDESC,
- (macop_t)mac_none_create_mbuf_from_bpfdesc },
- { MAC_CREATE_MBUF_FROM_IFNET,
- (macop_t)mac_none_create_mbuf_from_ifnet },
- { MAC_CREATE_MBUF_MULTICAST_ENCAP,
- (macop_t)mac_none_create_mbuf_multicast_encap },
- { MAC_CREATE_MBUF_NETLAYER,
- (macop_t)mac_none_create_mbuf_netlayer },
- { MAC_FRAGMENT_MATCH,
- (macop_t)mac_none_fragment_match },
- { MAC_RELABEL_IFNET,
- (macop_t)mac_none_relabel_ifnet },
- { MAC_UPDATE_IPQ,
- (macop_t)mac_none_update_ipq },
- { MAC_CREATE_CRED,
- (macop_t)mac_none_create_cred },
- { MAC_EXECVE_TRANSITION,
- (macop_t)mac_none_execve_transition },
- { MAC_EXECVE_WILL_TRANSITION,
- (macop_t)mac_none_execve_will_transition },
- { MAC_CREATE_PROC0,
- (macop_t)mac_none_create_proc0 },
- { MAC_CREATE_PROC1,
- (macop_t)mac_none_create_proc1 },
- { MAC_RELABEL_CRED,
- (macop_t)mac_none_relabel_cred },
- { MAC_CHECK_BPFDESC_RECEIVE,
- (macop_t)mac_none_check_bpfdesc_receive },
- { MAC_CHECK_CRED_RELABEL,
- (macop_t)mac_none_check_cred_relabel },
- { MAC_CHECK_CRED_VISIBLE,
- (macop_t)mac_none_check_cred_visible },
- { MAC_CHECK_IFNET_RELABEL,
- (macop_t)mac_none_check_ifnet_relabel },
- { MAC_CHECK_IFNET_TRANSMIT,
- (macop_t)mac_none_check_ifnet_transmit },
- { MAC_CHECK_MOUNT_STAT,
- (macop_t)mac_none_check_mount_stat },
- { MAC_CHECK_PIPE_IOCTL,
- (macop_t)mac_none_check_pipe_ioctl },
- { MAC_CHECK_PIPE_POLL,
- (macop_t)mac_none_check_pipe_poll },
- { MAC_CHECK_PIPE_READ,
- (macop_t)mac_none_check_pipe_read },
- { MAC_CHECK_PIPE_RELABEL,
- (macop_t)mac_none_check_pipe_relabel },
- { MAC_CHECK_PIPE_STAT,
- (macop_t)mac_none_check_pipe_stat },
- { MAC_CHECK_PIPE_WRITE,
- (macop_t)mac_none_check_pipe_write },
- { MAC_CHECK_PROC_DEBUG,
- (macop_t)mac_none_check_proc_debug },
- { MAC_CHECK_PROC_SCHED,
- (macop_t)mac_none_check_proc_sched },
- { MAC_CHECK_PROC_SIGNAL,
- (macop_t)mac_none_check_proc_signal },
- { MAC_CHECK_SOCKET_BIND,
- (macop_t)mac_none_check_socket_bind },
- { MAC_CHECK_SOCKET_CONNECT,
- (macop_t)mac_none_check_socket_connect },
- { MAC_CHECK_SOCKET_DELIVER,
- (macop_t)mac_none_check_socket_deliver },
- { MAC_CHECK_SOCKET_LISTEN,
- (macop_t)mac_none_check_socket_listen },
- { MAC_CHECK_SOCKET_RELABEL,
- (macop_t)mac_none_check_socket_relabel },
- { MAC_CHECK_SOCKET_VISIBLE,
- (macop_t)mac_none_check_socket_visible },
- { MAC_CHECK_SYSTEM_REBOOT,
- (macop_t)mac_none_check_system_reboot },
- { MAC_CHECK_SYSTEM_SWAPON,
- (macop_t)mac_none_check_system_swapon },
- { MAC_CHECK_SYSTEM_SYSCTL,
- (macop_t)mac_none_check_system_sysctl },
- { MAC_CHECK_VNODE_ACCESS,
- (macop_t)mac_none_check_vnode_access },
- { MAC_CHECK_VNODE_CHDIR,
- (macop_t)mac_none_check_vnode_chdir },
- { MAC_CHECK_VNODE_CHROOT,
- (macop_t)mac_none_check_vnode_chroot },
- { MAC_CHECK_VNODE_CREATE,
- (macop_t)mac_none_check_vnode_create },
- { MAC_CHECK_VNODE_DELETE,
- (macop_t)mac_none_check_vnode_delete },
- { MAC_CHECK_VNODE_DELETEACL,
- (macop_t)mac_none_check_vnode_deleteacl },
- { MAC_CHECK_VNODE_EXEC,
- (macop_t)mac_none_check_vnode_exec },
- { MAC_CHECK_VNODE_GETACL,
- (macop_t)mac_none_check_vnode_getacl },
- { MAC_CHECK_VNODE_GETEXTATTR,
- (macop_t)mac_none_check_vnode_getextattr },
- { MAC_CHECK_VNODE_LINK,
- (macop_t)mac_none_check_vnode_link },
- { MAC_CHECK_VNODE_LOOKUP,
- (macop_t)mac_none_check_vnode_lookup },
- { MAC_CHECK_VNODE_MMAP,
- (macop_t)mac_none_check_vnode_mmap },
- { MAC_CHECK_VNODE_MPROTECT,
- (macop_t)mac_none_check_vnode_mprotect },
- { MAC_CHECK_VNODE_OPEN,
- (macop_t)mac_none_check_vnode_open },
- { MAC_CHECK_VNODE_POLL,
- (macop_t)mac_none_check_vnode_poll },
- { MAC_CHECK_VNODE_READ,
- (macop_t)mac_none_check_vnode_read },
- { MAC_CHECK_VNODE_READDIR,
- (macop_t)mac_none_check_vnode_readdir },
- { MAC_CHECK_VNODE_READLINK,
- (macop_t)mac_none_check_vnode_readlink },
- { MAC_CHECK_VNODE_RELABEL,
- (macop_t)mac_none_check_vnode_relabel },
- { MAC_CHECK_VNODE_RENAME_FROM,
- (macop_t)mac_none_check_vnode_rename_from },
- { MAC_CHECK_VNODE_RENAME_TO,
- (macop_t)mac_none_check_vnode_rename_to },
- { MAC_CHECK_VNODE_REVOKE,
- (macop_t)mac_none_check_vnode_revoke },
- { MAC_CHECK_VNODE_SETACL,
- (macop_t)mac_none_check_vnode_setacl },
- { MAC_CHECK_VNODE_SETEXTATTR,
- (macop_t)mac_none_check_vnode_setextattr },
- { MAC_CHECK_VNODE_SETFLAGS,
- (macop_t)mac_none_check_vnode_setflags },
- { MAC_CHECK_VNODE_SETMODE,
- (macop_t)mac_none_check_vnode_setmode },
- { MAC_CHECK_VNODE_SETOWNER,
- (macop_t)mac_none_check_vnode_setowner },
- { MAC_CHECK_VNODE_SETUTIMES,
- (macop_t)mac_none_check_vnode_setutimes },
- { MAC_CHECK_VNODE_STAT,
- (macop_t)mac_none_check_vnode_stat },
- { MAC_CHECK_VNODE_WRITE,
- (macop_t)mac_none_check_vnode_write },
- { MAC_OP_LAST, NULL }
+ .mpo_destroy = mac_none_destroy,
+ .mpo_init = mac_none_init,
+ .mpo_syscall = mac_none_syscall,
+ .mpo_init_bpfdesc_label = mac_none_init_label,
+ .mpo_init_cred_label = mac_none_init_label,
+ .mpo_init_devfsdirent_label = mac_none_init_label,
+ .mpo_init_ifnet_label = mac_none_init_label,
+ .mpo_init_ipq_label = mac_none_init_label,
+ .mpo_init_mbuf_label = mac_none_init_label_waitcheck,
+ .mpo_init_mount_label = mac_none_init_label,
+ .mpo_init_mount_fs_label = mac_none_init_label,
+ .mpo_init_pipe_label = mac_none_init_label,
+ .mpo_init_socket_label = mac_none_init_label_waitcheck,
+ .mpo_init_socket_peer_label = mac_none_init_label_waitcheck,
+ .mpo_init_vnode_label = mac_none_init_label,
+ .mpo_destroy_bpfdesc_label = mac_none_destroy_label,
+ .mpo_destroy_cred_label = mac_none_destroy_label,
+ .mpo_destroy_devfsdirent_label = mac_none_destroy_label,
+ .mpo_destroy_ifnet_label = mac_none_destroy_label,
+ .mpo_destroy_ipq_label = mac_none_destroy_label,
+ .mpo_destroy_mbuf_label = mac_none_destroy_label,
+ .mpo_destroy_mount_label = mac_none_destroy_label,
+ .mpo_destroy_mount_fs_label = mac_none_destroy_label,
+ .mpo_destroy_pipe_label = mac_none_destroy_label,
+ .mpo_destroy_socket_label = mac_none_destroy_label,
+ .mpo_destroy_socket_peer_label = mac_none_destroy_label,
+ .mpo_destroy_vnode_label = mac_none_destroy_label,
+ .mpo_externalize_cred_label = mac_none_externalize_label,
+ .mpo_externalize_ifnet_label = mac_none_externalize_label,
+ .mpo_externalize_pipe_label = mac_none_externalize_label,
+ .mpo_externalize_socket_label = mac_none_externalize_label,
+ .mpo_externalize_socket_peer_label = mac_none_externalize_label,
+ .mpo_externalize_vnode_label = mac_none_externalize_label,
+ .mpo_internalize_cred_label = mac_none_internalize_label,
+ .mpo_internalize_ifnet_label = mac_none_internalize_label,
+ .mpo_internalize_pipe_label = mac_none_internalize_label,
+ .mpo_internalize_socket_label = mac_none_internalize_label,
+ .mpo_internalize_vnode_label = mac_none_internalize_label,
+ .mpo_associate_vnode_devfs = mac_none_associate_vnode_devfs,
+ .mpo_associate_vnode_extattr = mac_none_associate_vnode_extattr,
+ .mpo_associate_vnode_singlelabel = mac_none_associate_vnode_singlelabel,
+ .mpo_create_devfs_device = mac_none_create_devfs_device,
+ .mpo_create_devfs_directory = mac_none_create_devfs_directory,
+ .mpo_create_devfs_symlink = mac_none_create_devfs_symlink,
+ .mpo_create_devfs_vnode = mac_none_create_devfs_vnode,
+ .mpo_create_vnode_extattr = mac_none_create_vnode_extattr,
+ .mpo_create_mount = mac_none_create_mount,
+ .mpo_create_root_mount = mac_none_create_root_mount,
+ .mpo_relabel_vnode = mac_none_relabel_vnode,
+ .mpo_setlabel_vnode_extattr = mac_none_setlabel_vnode_extattr,
+ .mpo_update_devfsdirent = mac_none_update_devfsdirent,
+ .mpo_create_mbuf_from_socket = mac_none_create_mbuf_from_socket,
+ .mpo_create_pipe = mac_none_create_pipe,
+ .mpo_create_socket = mac_none_create_socket,
+ .mpo_create_socket_from_socket = mac_none_create_socket_from_socket,
+ .mpo_relabel_pipe = mac_none_relabel_pipe,
+ .mpo_relabel_socket = mac_none_relabel_socket,
+ .mpo_set_socket_peer_from_mbuf = mac_none_set_socket_peer_from_mbuf,
+ .mpo_set_socket_peer_from_socket = mac_none_set_socket_peer_from_socket,
+ .mpo_create_bpfdesc = mac_none_create_bpfdesc,
+ .mpo_create_ifnet = mac_none_create_ifnet,
+ .mpo_create_ipq = mac_none_create_ipq,
+ .mpo_create_datagram_from_ipq = mac_none_create_datagram_from_ipq,
+ .mpo_create_fragment = mac_none_create_fragment,
+ .mpo_create_ipq = mac_none_create_ipq,
+ .mpo_create_mbuf_from_mbuf = mac_none_create_mbuf_from_mbuf,
+ .mpo_create_mbuf_linklayer = mac_none_create_mbuf_linklayer,
+ .mpo_create_mbuf_from_bpfdesc = mac_none_create_mbuf_from_bpfdesc,
+ .mpo_create_mbuf_from_ifnet = mac_none_create_mbuf_from_ifnet,
+ .mpo_create_mbuf_multicast_encap = mac_none_create_mbuf_multicast_encap,
+ .mpo_create_mbuf_netlayer = mac_none_create_mbuf_netlayer,
+ .mpo_fragment_match = mac_none_fragment_match,
+ .mpo_relabel_ifnet = mac_none_relabel_ifnet,
+ .mpo_update_ipq = mac_none_update_ipq,
+ .mpo_create_cred = mac_none_create_cred,
+ .mpo_execve_transition = mac_none_execve_transition,
+ .mpo_execve_will_transition = mac_none_execve_will_transition,
+ .mpo_create_proc0 = mac_none_create_proc0,
+ .mpo_create_proc1 = mac_none_create_proc1,
+ .mpo_relabel_cred = mac_none_relabel_cred,
+ .mpo_check_bpfdesc_receive = mac_none_check_bpfdesc_receive,
+ .mpo_check_cred_relabel = mac_none_check_cred_relabel,
+ .mpo_check_cred_visible = mac_none_check_cred_visible,
+ .mpo_check_ifnet_relabel = mac_none_check_ifnet_relabel,
+ .mpo_check_ifnet_transmit = mac_none_check_ifnet_transmit,
+ .mpo_check_mount_stat = mac_none_check_mount_stat,
+ .mpo_check_pipe_ioctl = mac_none_check_pipe_ioctl,
+ .mpo_check_pipe_poll = mac_none_check_pipe_poll,
+ .mpo_check_pipe_read = mac_none_check_pipe_read,
+ .mpo_check_pipe_relabel = mac_none_check_pipe_relabel,
+ .mpo_check_pipe_stat = mac_none_check_pipe_stat,
+ .mpo_check_pipe_write = mac_none_check_pipe_write,
+ .mpo_check_proc_debug = mac_none_check_proc_debug,
+ .mpo_check_proc_sched = mac_none_check_proc_sched,
+ .mpo_check_proc_signal = mac_none_check_proc_signal,
+ .mpo_check_socket_bind = mac_none_check_socket_bind,
+ .mpo_check_socket_connect = mac_none_check_socket_connect,
+ .mpo_check_socket_deliver = mac_none_check_socket_deliver,
+ .mpo_check_socket_listen = mac_none_check_socket_listen,
+ .mpo_check_socket_relabel = mac_none_check_socket_relabel,
+ .mpo_check_socket_visible = mac_none_check_socket_visible,
+ .mpo_check_system_reboot = mac_none_check_system_reboot,
+ .mpo_check_system_swapon = mac_none_check_system_swapon,
+ .mpo_check_system_sysctl = mac_none_check_system_sysctl,
+ .mpo_check_vnode_access = mac_none_check_vnode_access,
+ .mpo_check_vnode_chdir = mac_none_check_vnode_chdir,
+ .mpo_check_vnode_chroot = mac_none_check_vnode_chroot,
+ .mpo_check_vnode_create = mac_none_check_vnode_create,
+ .mpo_check_vnode_delete = mac_none_check_vnode_delete,
+ .mpo_check_vnode_deleteacl = mac_none_check_vnode_deleteacl,
+ .mpo_check_vnode_exec = mac_none_check_vnode_exec,
+ .mpo_check_vnode_getacl = mac_none_check_vnode_getacl,
+ .mpo_check_vnode_getextattr = mac_none_check_vnode_getextattr,
+ .mpo_check_vnode_link = mac_none_check_vnode_link,
+ .mpo_check_vnode_lookup = mac_none_check_vnode_lookup,
+ .mpo_check_vnode_mmap = mac_none_check_vnode_mmap,
+ .mpo_check_vnode_mprotect = mac_none_check_vnode_mprotect,
+ .mpo_check_vnode_open = mac_none_check_vnode_open,
+ .mpo_check_vnode_poll = mac_none_check_vnode_poll,
+ .mpo_check_vnode_read = mac_none_check_vnode_read,
+ .mpo_check_vnode_readdir = mac_none_check_vnode_readdir,
+ .mpo_check_vnode_readlink = mac_none_check_vnode_readlink,
+ .mpo_check_vnode_relabel = mac_none_check_vnode_relabel,
+ .mpo_check_vnode_rename_from = mac_none_check_vnode_rename_from,
+ .mpo_check_vnode_rename_to = mac_none_check_vnode_rename_to,
+ .mpo_check_vnode_revoke = mac_none_check_vnode_revoke,
+ .mpo_check_vnode_setacl = mac_none_check_vnode_setacl,
+ .mpo_check_vnode_setextattr = mac_none_check_vnode_setextattr,
+ .mpo_check_vnode_setflags = mac_none_check_vnode_setflags,
+ .mpo_check_vnode_setmode = mac_none_check_vnode_setmode,
+ .mpo_check_vnode_setowner = mac_none_check_vnode_setowner,
+ .mpo_check_vnode_setutimes = mac_none_check_vnode_setutimes,
+ .mpo_check_vnode_stat = mac_none_check_vnode_stat,
+ .mpo_check_vnode_write = mac_none_check_vnode_write,
};
-MAC_POLICY_SET(mac_none_ops, trustedbsd_mac_none, "TrustedBSD MAC/None",
+MAC_POLICY_SET(&mac_none_ops, trustedbsd_mac_none, "TrustedBSD MAC/None",
MPC_LOADTIME_FLAG_UNLOADOK, NULL);
diff --git a/sys/security/mac_test/mac_test.c b/sys/security/mac_test/mac_test.c
index 9c26415cee7b..225d426a7441 100644
--- a/sys/security/mac_test/mac_test.c
+++ b/sys/security/mac_test/mac_test.c
@@ -912,7 +912,7 @@ mac_test_check_proc_sched(struct ucred *cred, struct proc *proc)
}
static int
-mac_test_check_proc_signal(struct ucred *cred, struct proc *proc)
+mac_test_check_proc_signal(struct ucred *cred, struct proc *proc, int signum)
{
return (0);
@@ -944,7 +944,7 @@ mac_test_check_socket_deliver(struct socket *socket, struct label *socketlabel,
static int
mac_test_check_socket_listen(struct ucred *cred, struct socket *socket,
- struct label *socketlabel, struct sockaddr *sockaddr)
+ struct label *socketlabel)
{
return (0);
@@ -1210,270 +1210,139 @@ mac_test_check_vnode_write(struct ucred *active_cred,
return (0);
}
-static struct mac_policy_op_entry mac_test_ops[] =
+static struct mac_policy_ops mac_test_ops =
{
- { MAC_DESTROY,
- (macop_t)mac_test_destroy },
- { MAC_INIT,
- (macop_t)mac_test_init },
- { MAC_SYSCALL,
- (macop_t)mac_test_syscall },
- { MAC_INIT_BPFDESC_LABEL,
- (macop_t)mac_test_init_bpfdesc_label },
- { MAC_INIT_CRED_LABEL,
- (macop_t)mac_test_init_cred_label },
- { MAC_INIT_DEVFSDIRENT_LABEL,
- (macop_t)mac_test_init_devfsdirent_label },
- { MAC_INIT_IFNET_LABEL,
- (macop_t)mac_test_init_ifnet_label },
- { MAC_INIT_IPQ_LABEL,
- (macop_t)mac_test_init_ipq_label },
- { MAC_INIT_MBUF_LABEL,
- (macop_t)mac_test_init_mbuf_label },
- { MAC_INIT_MOUNT_LABEL,
- (macop_t)mac_test_init_mount_label },
- { MAC_INIT_MOUNT_FS_LABEL,
- (macop_t)mac_test_init_mount_fs_label },
- { MAC_INIT_PIPE_LABEL,
- (macop_t)mac_test_init_pipe_label },
- { MAC_INIT_SOCKET_LABEL,
- (macop_t)mac_test_init_socket_label },
- { MAC_INIT_SOCKET_PEER_LABEL,
- (macop_t)mac_test_init_socket_peer_label },
- { MAC_INIT_VNODE_LABEL,
- (macop_t)mac_test_init_vnode_label },
- { MAC_DESTROY_BPFDESC_LABEL,
- (macop_t)mac_test_destroy_bpfdesc_label },
- { MAC_DESTROY_CRED_LABEL,
- (macop_t)mac_test_destroy_cred_label },
- { MAC_DESTROY_DEVFSDIRENT_LABEL,
- (macop_t)mac_test_destroy_devfsdirent_label },
- { MAC_DESTROY_IFNET_LABEL,
- (macop_t)mac_test_destroy_ifnet_label },
- { MAC_DESTROY_IPQ_LABEL,
- (macop_t)mac_test_destroy_ipq_label },
- { MAC_DESTROY_MBUF_LABEL,
- (macop_t)mac_test_destroy_mbuf_label },
- { MAC_DESTROY_MOUNT_LABEL,
- (macop_t)mac_test_destroy_mount_label },
- { MAC_DESTROY_MOUNT_FS_LABEL,
- (macop_t)mac_test_destroy_mount_fs_label },
- { MAC_DESTROY_PIPE_LABEL,
- (macop_t)mac_test_destroy_pipe_label },
- { MAC_DESTROY_SOCKET_LABEL,
- (macop_t)mac_test_destroy_socket_label },
- { MAC_DESTROY_SOCKET_PEER_LABEL,
- (macop_t)mac_test_destroy_socket_peer_label },
- { MAC_DESTROY_VNODE_LABEL,
- (macop_t)mac_test_destroy_vnode_label },
- { MAC_EXTERNALIZE_CRED_LABEL,
- (macop_t)mac_test_externalize_label },
- { MAC_EXTERNALIZE_IFNET_LABEL,
- (macop_t)mac_test_externalize_label },
- { MAC_EXTERNALIZE_PIPE_LABEL,
- (macop_t)mac_test_externalize_label },
- { MAC_EXTERNALIZE_SOCKET_LABEL,
- (macop_t)mac_test_externalize_label },
- { MAC_EXTERNALIZE_SOCKET_PEER_LABEL,
- (macop_t)mac_test_externalize_label },
- { MAC_EXTERNALIZE_VNODE_LABEL,
- (macop_t)mac_test_externalize_label },
- { MAC_INTERNALIZE_CRED_LABEL,
- (macop_t)mac_test_internalize_label },
- { MAC_INTERNALIZE_IFNET_LABEL,
- (macop_t)mac_test_internalize_label },
- { MAC_INTERNALIZE_PIPE_LABEL,
- (macop_t)mac_test_internalize_label },
- { MAC_INTERNALIZE_SOCKET_LABEL,
- (macop_t)mac_test_internalize_label },
- { MAC_INTERNALIZE_VNODE_LABEL,
- (macop_t)mac_test_internalize_label },
- { MAC_ASSOCIATE_VNODE_DEVFS,
- (macop_t)mac_test_associate_vnode_devfs },
- { MAC_ASSOCIATE_VNODE_EXTATTR,
- (macop_t)mac_test_associate_vnode_extattr },
- { MAC_ASSOCIATE_VNODE_SINGLELABEL,
- (macop_t)mac_test_associate_vnode_singlelabel },
- { MAC_CREATE_DEVFS_DEVICE,
- (macop_t)mac_test_create_devfs_device },
- { MAC_CREATE_DEVFS_DIRECTORY,
- (macop_t)mac_test_create_devfs_directory },
- { MAC_CREATE_DEVFS_SYMLINK,
- (macop_t)mac_test_create_devfs_symlink },
- { MAC_CREATE_DEVFS_VNODE,
- (macop_t)mac_test_create_devfs_vnode },
- { MAC_CREATE_VNODE_EXTATTR,
- (macop_t)mac_test_create_vnode_extattr },
- { MAC_CREATE_MOUNT,
- (macop_t)mac_test_create_mount },
- { MAC_CREATE_ROOT_MOUNT,
- (macop_t)mac_test_create_root_mount },
- { MAC_RELABEL_VNODE,
- (macop_t)mac_test_relabel_vnode },
- { MAC_SETLABEL_VNODE_EXTATTR,
- (macop_t)mac_test_setlabel_vnode_extattr },
- { MAC_UPDATE_DEVFSDIRENT,
- (macop_t)mac_test_update_devfsdirent },
- { MAC_CREATE_MBUF_FROM_SOCKET,
- (macop_t)mac_test_create_mbuf_from_socket },
- { MAC_CREATE_PIPE,
- (macop_t)mac_test_create_pipe },
- { MAC_CREATE_SOCKET,
- (macop_t)mac_test_create_socket },
- { MAC_CREATE_SOCKET_FROM_SOCKET,
- (macop_t)mac_test_create_socket_from_socket },
- { MAC_RELABEL_PIPE,
- (macop_t)mac_test_relabel_pipe },
- { MAC_RELABEL_SOCKET,
- (macop_t)mac_test_relabel_socket },
- { MAC_SET_SOCKET_PEER_FROM_MBUF,
- (macop_t)mac_test_set_socket_peer_from_mbuf },
- { MAC_SET_SOCKET_PEER_FROM_SOCKET,
- (macop_t)mac_test_set_socket_peer_from_socket },
- { MAC_CREATE_BPFDESC,
- (macop_t)mac_test_create_bpfdesc },
- { MAC_CREATE_IFNET,
- (macop_t)mac_test_create_ifnet },
- { MAC_CREATE_DATAGRAM_FROM_IPQ,
- (macop_t)mac_test_create_datagram_from_ipq },
- { MAC_CREATE_FRAGMENT,
- (macop_t)mac_test_create_fragment },
- { MAC_CREATE_IPQ,
- (macop_t)mac_test_create_ipq },
- { MAC_CREATE_MBUF_FROM_MBUF,
- (macop_t)mac_test_create_mbuf_from_mbuf },
- { MAC_CREATE_MBUF_LINKLAYER,
- (macop_t)mac_test_create_mbuf_linklayer },
- { MAC_CREATE_MBUF_FROM_BPFDESC,
- (macop_t)mac_test_create_mbuf_from_bpfdesc },
- { MAC_CREATE_MBUF_FROM_IFNET,
- (macop_t)mac_test_create_mbuf_from_ifnet },
- { MAC_CREATE_MBUF_MULTICAST_ENCAP,
- (macop_t)mac_test_create_mbuf_multicast_encap },
- { MAC_CREATE_MBUF_NETLAYER,
- (macop_t)mac_test_create_mbuf_netlayer },
- { MAC_FRAGMENT_MATCH,
- (macop_t)mac_test_fragment_match },
- { MAC_RELABEL_IFNET,
- (macop_t)mac_test_relabel_ifnet },
- { MAC_UPDATE_IPQ,
- (macop_t)mac_test_update_ipq },
- { MAC_CREATE_CRED,
- (macop_t)mac_test_create_cred },
- { MAC_EXECVE_TRANSITION,
- (macop_t)mac_test_execve_transition },
- { MAC_EXECVE_WILL_TRANSITION,
- (macop_t)mac_test_execve_will_transition },
- { MAC_CREATE_PROC0,
- (macop_t)mac_test_create_proc0 },
- { MAC_CREATE_PROC1,
- (macop_t)mac_test_create_proc1 },
- { MAC_RELABEL_CRED,
- (macop_t)mac_test_relabel_cred },
- { MAC_CHECK_BPFDESC_RECEIVE,
- (macop_t)mac_test_check_bpfdesc_receive },
- { MAC_CHECK_CRED_RELABEL,
- (macop_t)mac_test_check_cred_relabel },
- { MAC_CHECK_CRED_VISIBLE,
- (macop_t)mac_test_check_cred_visible },
- { MAC_CHECK_IFNET_RELABEL,
- (macop_t)mac_test_check_ifnet_relabel },
- { MAC_CHECK_IFNET_TRANSMIT,
- (macop_t)mac_test_check_ifnet_transmit },
- { MAC_CHECK_MOUNT_STAT,
- (macop_t)mac_test_check_mount_stat },
- { MAC_CHECK_PIPE_IOCTL,
- (macop_t)mac_test_check_pipe_ioctl },
- { MAC_CHECK_PIPE_POLL,
- (macop_t)mac_test_check_pipe_poll },
- { MAC_CHECK_PIPE_READ,
- (macop_t)mac_test_check_pipe_read },
- { MAC_CHECK_PIPE_RELABEL,
- (macop_t)mac_test_check_pipe_relabel },
- { MAC_CHECK_PIPE_STAT,
- (macop_t)mac_test_check_pipe_stat },
- { MAC_CHECK_PIPE_WRITE,
- (macop_t)mac_test_check_pipe_write },
- { MAC_CHECK_PROC_DEBUG,
- (macop_t)mac_test_check_proc_debug },
- { MAC_CHECK_PROC_SCHED,
- (macop_t)mac_test_check_proc_sched },
- { MAC_CHECK_PROC_SIGNAL,
- (macop_t)mac_test_check_proc_signal },
- { MAC_CHECK_SOCKET_BIND,
- (macop_t)mac_test_check_socket_bind },
- { MAC_CHECK_SOCKET_CONNECT,
- (macop_t)mac_test_check_socket_connect },
- { MAC_CHECK_SOCKET_DELIVER,
- (macop_t)mac_test_check_socket_deliver },
- { MAC_CHECK_SOCKET_LISTEN,
- (macop_t)mac_test_check_socket_listen },
- { MAC_CHECK_SOCKET_RELABEL,
- (macop_t)mac_test_check_socket_relabel },
- { MAC_CHECK_SOCKET_VISIBLE,
- (macop_t)mac_test_check_socket_visible },
- { MAC_CHECK_VNODE_ACCESS,
- (macop_t)mac_test_check_vnode_access },
- { MAC_CHECK_VNODE_CHDIR,
- (macop_t)mac_test_check_vnode_chdir },
- { MAC_CHECK_VNODE_CHROOT,
- (macop_t)mac_test_check_vnode_chroot },
- { MAC_CHECK_VNODE_CREATE,
- (macop_t)mac_test_check_vnode_create },
- { MAC_CHECK_VNODE_DELETE,
- (macop_t)mac_test_check_vnode_delete },
- { MAC_CHECK_VNODE_DELETEACL,
- (macop_t)mac_test_check_vnode_deleteacl },
- { MAC_CHECK_VNODE_EXEC,
- (macop_t)mac_test_check_vnode_exec },
- { MAC_CHECK_VNODE_GETACL,
- (macop_t)mac_test_check_vnode_getacl },
- { MAC_CHECK_VNODE_GETEXTATTR,
- (macop_t)mac_test_check_vnode_getextattr },
- { MAC_CHECK_VNODE_LINK,
- (macop_t)mac_test_check_vnode_link },
- { MAC_CHECK_VNODE_LOOKUP,
- (macop_t)mac_test_check_vnode_lookup },
- { MAC_CHECK_VNODE_MMAP,
- (macop_t)mac_test_check_vnode_mmap },
- { MAC_CHECK_VNODE_MPROTECT,
- (macop_t)mac_test_check_vnode_mprotect },
- { MAC_CHECK_VNODE_OPEN,
- (macop_t)mac_test_check_vnode_open },
- { MAC_CHECK_VNODE_POLL,
- (macop_t)mac_test_check_vnode_poll },
- { MAC_CHECK_VNODE_READ,
- (macop_t)mac_test_check_vnode_read },
- { MAC_CHECK_VNODE_READDIR,
- (macop_t)mac_test_check_vnode_readdir },
- { MAC_CHECK_VNODE_READLINK,
- (macop_t)mac_test_check_vnode_readlink },
- { MAC_CHECK_VNODE_RELABEL,
- (macop_t)mac_test_check_vnode_relabel },
- { MAC_CHECK_VNODE_RENAME_FROM,
- (macop_t)mac_test_check_vnode_rename_from },
- { MAC_CHECK_VNODE_RENAME_TO,
- (macop_t)mac_test_check_vnode_rename_to },
- { MAC_CHECK_VNODE_REVOKE,
- (macop_t)mac_test_check_vnode_revoke },
- { MAC_CHECK_VNODE_SETACL,
- (macop_t)mac_test_check_vnode_setacl },
- { MAC_CHECK_VNODE_SETEXTATTR,
- (macop_t)mac_test_check_vnode_setextattr },
- { MAC_CHECK_VNODE_SETFLAGS,
- (macop_t)mac_test_check_vnode_setflags },
- { MAC_CHECK_VNODE_SETMODE,
- (macop_t)mac_test_check_vnode_setmode },
- { MAC_CHECK_VNODE_SETOWNER,
- (macop_t)mac_test_check_vnode_setowner },
- { MAC_CHECK_VNODE_SETUTIMES,
- (macop_t)mac_test_check_vnode_setutimes },
- { MAC_CHECK_VNODE_STAT,
- (macop_t)mac_test_check_vnode_stat },
- { MAC_CHECK_VNODE_WRITE,
- (macop_t)mac_test_check_vnode_write },
- { MAC_OP_LAST, NULL }
+ .mpo_destroy = mac_test_destroy,
+ .mpo_init = mac_test_init,
+ .mpo_syscall = mac_test_syscall,
+ .mpo_init_bpfdesc_label = mac_test_init_bpfdesc_label,
+ .mpo_init_cred_label = mac_test_init_cred_label,
+ .mpo_init_devfsdirent_label = mac_test_init_devfsdirent_label,
+ .mpo_init_ifnet_label = mac_test_init_ifnet_label,
+ .mpo_init_ipq_label = mac_test_init_ipq_label,
+ .mpo_init_mbuf_label = mac_test_init_mbuf_label,
+ .mpo_init_mount_label = mac_test_init_mount_label,
+ .mpo_init_mount_fs_label = mac_test_init_mount_fs_label,
+ .mpo_init_pipe_label = mac_test_init_pipe_label,
+ .mpo_init_socket_label = mac_test_init_socket_label,
+ .mpo_init_socket_peer_label = mac_test_init_socket_peer_label,
+ .mpo_init_vnode_label = mac_test_init_vnode_label,
+ .mpo_destroy_bpfdesc_label = mac_test_destroy_bpfdesc_label,
+ .mpo_destroy_cred_label = mac_test_destroy_cred_label,
+ .mpo_destroy_devfsdirent_label = mac_test_destroy_devfsdirent_label,
+ .mpo_destroy_ifnet_label = mac_test_destroy_ifnet_label,
+ .mpo_destroy_ipq_label = mac_test_destroy_ipq_label,
+ .mpo_destroy_mbuf_label = mac_test_destroy_mbuf_label,
+ .mpo_destroy_mount_label = mac_test_destroy_mount_label,
+ .mpo_destroy_mount_fs_label = mac_test_destroy_mount_fs_label,
+ .mpo_destroy_pipe_label = mac_test_destroy_pipe_label,
+ .mpo_destroy_socket_label = mac_test_destroy_socket_label,
+ .mpo_destroy_socket_peer_label = mac_test_destroy_socket_peer_label,
+ .mpo_destroy_vnode_label = mac_test_destroy_vnode_label,
+ .mpo_externalize_cred_label = mac_test_externalize_label,
+ .mpo_externalize_ifnet_label = mac_test_externalize_label,
+ .mpo_externalize_pipe_label = mac_test_externalize_label,
+ .mpo_externalize_socket_label = mac_test_externalize_label,
+ .mpo_externalize_socket_peer_label = mac_test_externalize_label,
+ .mpo_externalize_vnode_label = mac_test_externalize_label,
+ .mpo_internalize_cred_label = mac_test_internalize_label,
+ .mpo_internalize_ifnet_label = mac_test_internalize_label,
+ .mpo_internalize_pipe_label = mac_test_internalize_label,
+ .mpo_internalize_socket_label = mac_test_internalize_label,
+ .mpo_internalize_vnode_label = mac_test_internalize_label,
+ .mpo_associate_vnode_devfs = mac_test_associate_vnode_devfs,
+ .mpo_associate_vnode_extattr = mac_test_associate_vnode_extattr,
+ .mpo_associate_vnode_singlelabel = mac_test_associate_vnode_singlelabel,
+ .mpo_create_devfs_device = mac_test_create_devfs_device,
+ .mpo_create_devfs_directory = mac_test_create_devfs_directory,
+ .mpo_create_devfs_symlink = mac_test_create_devfs_symlink,
+ .mpo_create_devfs_vnode = mac_test_create_devfs_vnode,
+ .mpo_create_vnode_extattr = mac_test_create_vnode_extattr,
+ .mpo_create_mount = mac_test_create_mount,
+ .mpo_create_root_mount = mac_test_create_root_mount,
+ .mpo_relabel_vnode = mac_test_relabel_vnode,
+ .mpo_setlabel_vnode_extattr = mac_test_setlabel_vnode_extattr,
+ .mpo_update_devfsdirent = mac_test_update_devfsdirent,
+ .mpo_create_mbuf_from_socket = mac_test_create_mbuf_from_socket,
+ .mpo_create_pipe = mac_test_create_pipe,
+ .mpo_create_socket = mac_test_create_socket,
+ .mpo_create_socket_from_socket = mac_test_create_socket_from_socket,
+ .mpo_relabel_pipe = mac_test_relabel_pipe,
+ .mpo_relabel_socket = mac_test_relabel_socket,
+ .mpo_set_socket_peer_from_mbuf = mac_test_set_socket_peer_from_mbuf,
+ .mpo_set_socket_peer_from_socket = mac_test_set_socket_peer_from_socket,
+ .mpo_create_bpfdesc = mac_test_create_bpfdesc,
+ .mpo_create_ifnet = mac_test_create_ifnet,
+ .mpo_create_datagram_from_ipq = mac_test_create_datagram_from_ipq,
+ .mpo_create_fragment = mac_test_create_fragment,
+ .mpo_create_ipq = mac_test_create_ipq,
+ .mpo_create_mbuf_from_mbuf = mac_test_create_mbuf_from_mbuf,
+ .mpo_create_mbuf_linklayer = mac_test_create_mbuf_linklayer,
+ .mpo_create_mbuf_from_bpfdesc = mac_test_create_mbuf_from_bpfdesc,
+ .mpo_create_mbuf_from_ifnet = mac_test_create_mbuf_from_ifnet,
+ .mpo_create_mbuf_multicast_encap = mac_test_create_mbuf_multicast_encap,
+ .mpo_create_mbuf_netlayer = mac_test_create_mbuf_netlayer,
+ .mpo_fragment_match = mac_test_fragment_match,
+ .mpo_relabel_ifnet = mac_test_relabel_ifnet,
+ .mpo_update_ipq = mac_test_update_ipq,
+ .mpo_create_cred = mac_test_create_cred,
+ .mpo_execve_transition = mac_test_execve_transition,
+ .mpo_execve_will_transition = mac_test_execve_will_transition,
+ .mpo_create_proc0 = mac_test_create_proc0,
+ .mpo_create_proc1 = mac_test_create_proc1,
+ .mpo_relabel_cred = mac_test_relabel_cred,
+ .mpo_check_bpfdesc_receive = mac_test_check_bpfdesc_receive,
+ .mpo_check_cred_relabel = mac_test_check_cred_relabel,
+ .mpo_check_cred_visible = mac_test_check_cred_visible,
+ .mpo_check_ifnet_relabel = mac_test_check_ifnet_relabel,
+ .mpo_check_ifnet_transmit = mac_test_check_ifnet_transmit,
+ .mpo_check_mount_stat = mac_test_check_mount_stat,
+ .mpo_check_pipe_ioctl = mac_test_check_pipe_ioctl,
+ .mpo_check_pipe_poll = mac_test_check_pipe_poll,
+ .mpo_check_pipe_read = mac_test_check_pipe_read,
+ .mpo_check_pipe_relabel = mac_test_check_pipe_relabel,
+ .mpo_check_pipe_stat = mac_test_check_pipe_stat,
+ .mpo_check_pipe_write = mac_test_check_pipe_write,
+ .mpo_check_proc_debug = mac_test_check_proc_debug,
+ .mpo_check_proc_sched = mac_test_check_proc_sched,
+ .mpo_check_proc_signal = mac_test_check_proc_signal,
+ .mpo_check_socket_bind = mac_test_check_socket_bind,
+ .mpo_check_socket_connect = mac_test_check_socket_connect,
+ .mpo_check_socket_deliver = mac_test_check_socket_deliver,
+ .mpo_check_socket_listen = mac_test_check_socket_listen,
+ .mpo_check_socket_relabel = mac_test_check_socket_relabel,
+ .mpo_check_socket_visible = mac_test_check_socket_visible,
+ .mpo_check_vnode_access = mac_test_check_vnode_access,
+ .mpo_check_vnode_chdir = mac_test_check_vnode_chdir,
+ .mpo_check_vnode_chroot = mac_test_check_vnode_chroot,
+ .mpo_check_vnode_create = mac_test_check_vnode_create,
+ .mpo_check_vnode_delete = mac_test_check_vnode_delete,
+ .mpo_check_vnode_deleteacl = mac_test_check_vnode_deleteacl,
+ .mpo_check_vnode_exec = mac_test_check_vnode_exec,
+ .mpo_check_vnode_getacl = mac_test_check_vnode_getacl,
+ .mpo_check_vnode_getextattr = mac_test_check_vnode_getextattr,
+ .mpo_check_vnode_link = mac_test_check_vnode_link,
+ .mpo_check_vnode_lookup = mac_test_check_vnode_lookup,
+ .mpo_check_vnode_mmap = mac_test_check_vnode_mmap,
+ .mpo_check_vnode_mprotect = mac_test_check_vnode_mprotect,
+ .mpo_check_vnode_open = mac_test_check_vnode_open,
+ .mpo_check_vnode_poll = mac_test_check_vnode_poll,
+ .mpo_check_vnode_read = mac_test_check_vnode_read,
+ .mpo_check_vnode_readdir = mac_test_check_vnode_readdir,
+ .mpo_check_vnode_readlink = mac_test_check_vnode_readlink,
+ .mpo_check_vnode_relabel = mac_test_check_vnode_relabel,
+ .mpo_check_vnode_rename_from = mac_test_check_vnode_rename_from,
+ .mpo_check_vnode_rename_to = mac_test_check_vnode_rename_to,
+ .mpo_check_vnode_revoke = mac_test_check_vnode_revoke,
+ .mpo_check_vnode_setacl = mac_test_check_vnode_setacl,
+ .mpo_check_vnode_setextattr = mac_test_check_vnode_setextattr,
+ .mpo_check_vnode_setflags = mac_test_check_vnode_setflags,
+ .mpo_check_vnode_setmode = mac_test_check_vnode_setmode,
+ .mpo_check_vnode_setowner = mac_test_check_vnode_setowner,
+ .mpo_check_vnode_setutimes = mac_test_check_vnode_setutimes,
+ .mpo_check_vnode_stat = mac_test_check_vnode_stat,
+ .mpo_check_vnode_write = mac_test_check_vnode_write,
};
-MAC_POLICY_SET(mac_test_ops, trustedbsd_mac_test, "TrustedBSD MAC/Test",
+MAC_POLICY_SET(&mac_test_ops, trustedbsd_mac_test, "TrustedBSD MAC/Test",
MPC_LOADTIME_FLAG_UNLOADOK, &test_slot);
diff --git a/sys/sys/mac_policy.h b/sys/sys/mac_policy.h
index cb7222c029a3..bf58634527e7 100644
--- a/sys/sys/mac_policy.h
+++ b/sys/sys/mac_policy.h
@@ -327,7 +327,8 @@ struct mac_policy_ops {
struct componentname *cnp, struct vattr *vap);
int (*mpo_check_vnode_delete)(struct ucred *cred,
struct vnode *dvp, struct label *dlabel,
- struct vnode *vp, void *label, struct componentname *cnp);
+ struct vnode *vp, struct label *label,
+ struct componentname *cnp);
int (*mpo_check_vnode_deleteacl)(struct ucred *cred,
struct vnode *vp, struct label *label, acl_type_t type);
int (*mpo_check_vnode_exec)(struct ucred *cred, struct vnode *vp,
@@ -397,161 +398,10 @@ struct mac_policy_ops {
struct label *label);
};
-typedef const void *macop_t;
-
-enum mac_op_constant {
- MAC_OP_LAST,
- MAC_DESTROY,
- MAC_INIT,
- MAC_SYSCALL,
- MAC_INIT_BPFDESC_LABEL,
- MAC_INIT_CRED_LABEL,
- MAC_INIT_DEVFSDIRENT_LABEL,
- MAC_INIT_IFNET_LABEL,
- MAC_INIT_IPQ_LABEL,
- MAC_INIT_MBUF_LABEL,
- MAC_INIT_MOUNT_LABEL,
- MAC_INIT_MOUNT_FS_LABEL,
- MAC_INIT_PIPE_LABEL,
- MAC_INIT_SOCKET_LABEL,
- MAC_INIT_SOCKET_PEER_LABEL,
- MAC_INIT_VNODE_LABEL,
- MAC_DESTROY_BPFDESC_LABEL,
- MAC_DESTROY_CRED_LABEL,
- MAC_DESTROY_DEVFSDIRENT_LABEL,
- MAC_DESTROY_IFNET_LABEL,
- MAC_DESTROY_IPQ_LABEL,
- MAC_DESTROY_MBUF_LABEL,
- MAC_DESTROY_MOUNT_LABEL,
- MAC_DESTROY_MOUNT_FS_LABEL,
- MAC_DESTROY_PIPE_LABEL,
- MAC_DESTROY_SOCKET_LABEL,
- MAC_DESTROY_SOCKET_PEER_LABEL,
- MAC_DESTROY_VNODE_LABEL,
- MAC_COPY_PIPE_LABEL,
- MAC_COPY_VNODE_LABEL,
- MAC_EXTERNALIZE_CRED_LABEL,
- MAC_EXTERNALIZE_IFNET_LABEL,
- MAC_EXTERNALIZE_PIPE_LABEL,
- MAC_EXTERNALIZE_SOCKET_LABEL,
- MAC_EXTERNALIZE_SOCKET_PEER_LABEL,
- MAC_EXTERNALIZE_VNODE_LABEL,
- MAC_INTERNALIZE_CRED_LABEL,
- MAC_INTERNALIZE_IFNET_LABEL,
- MAC_INTERNALIZE_PIPE_LABEL,
- MAC_INTERNALIZE_SOCKET_LABEL,
- MAC_INTERNALIZE_VNODE_LABEL,
- MAC_CREATE_DEVFS_DEVICE,
- MAC_CREATE_DEVFS_DIRECTORY,
- MAC_CREATE_DEVFS_SYMLINK,
- MAC_CREATE_DEVFS_VNODE,
- MAC_CREATE_MOUNT,
- MAC_CREATE_ROOT_MOUNT,
- MAC_RELABEL_VNODE,
- MAC_UPDATE_DEVFSDIRENT,
- MAC_ASSOCIATE_VNODE_DEVFS,
- MAC_ASSOCIATE_VNODE_EXTATTR,
- MAC_ASSOCIATE_VNODE_SINGLELABEL,
- MAC_CREATE_VNODE_EXTATTR,
- MAC_SETLABEL_VNODE_EXTATTR,
- MAC_CREATE_MBUF_FROM_SOCKET,
- MAC_CREATE_PIPE,
- MAC_CREATE_SOCKET,
- MAC_CREATE_SOCKET_FROM_SOCKET,
- MAC_RELABEL_PIPE,
- MAC_RELABEL_SOCKET,
- MAC_SET_SOCKET_PEER_FROM_MBUF,
- MAC_SET_SOCKET_PEER_FROM_SOCKET,
- MAC_CREATE_BPFDESC,
- MAC_CREATE_DATAGRAM_FROM_IPQ,
- MAC_CREATE_IFNET,
- MAC_CREATE_IPQ,
- MAC_CREATE_FRAGMENT,
- MAC_CREATE_MBUF_FROM_MBUF,
- MAC_CREATE_MBUF_LINKLAYER,
- MAC_CREATE_MBUF_FROM_BPFDESC,
- MAC_CREATE_MBUF_FROM_IFNET,
- MAC_CREATE_MBUF_MULTICAST_ENCAP,
- MAC_CREATE_MBUF_NETLAYER,
- MAC_FRAGMENT_MATCH,
- MAC_RELABEL_IFNET,
- MAC_UPDATE_IPQ,
- MAC_CREATE_CRED,
- MAC_EXECVE_TRANSITION,
- MAC_EXECVE_WILL_TRANSITION,
- MAC_CREATE_PROC0,
- MAC_CREATE_PROC1,
- MAC_RELABEL_CRED,
- MAC_THREAD_USERRET,
- MAC_CHECK_BPFDESC_RECEIVE,
- MAC_CHECK_CRED_RELABEL,
- MAC_CHECK_CRED_VISIBLE,
- MAC_CHECK_IFNET_RELABEL,
- MAC_CHECK_IFNET_TRANSMIT,
- MAC_CHECK_MOUNT_STAT,
- MAC_CHECK_PIPE_IOCTL,
- MAC_CHECK_PIPE_POLL,
- MAC_CHECK_PIPE_READ,
- MAC_CHECK_PIPE_RELABEL,
- MAC_CHECK_PIPE_STAT,
- MAC_CHECK_PIPE_WRITE,
- MAC_CHECK_PROC_DEBUG,
- MAC_CHECK_PROC_SCHED,
- MAC_CHECK_PROC_SIGNAL,
- MAC_CHECK_SOCKET_BIND,
- MAC_CHECK_SOCKET_CONNECT,
- MAC_CHECK_SOCKET_DELIVER,
- MAC_CHECK_SOCKET_LISTEN,
- MAC_CHECK_SOCKET_RECEIVE,
- MAC_CHECK_SOCKET_RELABEL,
- MAC_CHECK_SOCKET_SEND,
- MAC_CHECK_SOCKET_VISIBLE,
- MAC_CHECK_SYSTEM_REBOOT,
- MAC_CHECK_SYSTEM_SWAPON,
- MAC_CHECK_SYSTEM_SYSCTL,
- MAC_CHECK_VNODE_ACCESS,
- MAC_CHECK_VNODE_CHDIR,
- MAC_CHECK_VNODE_CHROOT,
- MAC_CHECK_VNODE_CREATE,
- MAC_CHECK_VNODE_DELETE,
- MAC_CHECK_VNODE_DELETEACL,
- MAC_CHECK_VNODE_EXEC,
- MAC_CHECK_VNODE_GETACL,
- MAC_CHECK_VNODE_GETEXTATTR,
- MAC_CHECK_VNODE_LINK,
- MAC_CHECK_VNODE_LOOKUP,
- MAC_CHECK_VNODE_MMAP,
- MAC_CHECK_VNODE_MMAP_DOWNGRADE,
- MAC_CHECK_VNODE_MPROTECT,
- MAC_CHECK_VNODE_OPEN,
- MAC_CHECK_VNODE_POLL,
- MAC_CHECK_VNODE_READ,
- MAC_CHECK_VNODE_READDIR,
- MAC_CHECK_VNODE_READLINK,
- MAC_CHECK_VNODE_RELABEL,
- MAC_CHECK_VNODE_RENAME_FROM,
- MAC_CHECK_VNODE_RENAME_TO,
- MAC_CHECK_VNODE_REVOKE,
- MAC_CHECK_VNODE_SETACL,
- MAC_CHECK_VNODE_SETEXTATTR,
- MAC_CHECK_VNODE_SETFLAGS,
- MAC_CHECK_VNODE_SETMODE,
- MAC_CHECK_VNODE_SETOWNER,
- MAC_CHECK_VNODE_SETUTIMES,
- MAC_CHECK_VNODE_STAT,
- MAC_CHECK_VNODE_WRITE,
-};
-
-struct mac_policy_op_entry {
- enum mac_op_constant mpe_constant; /* what this hook implements */
- macop_t mpe_function; /* hook's implementation */
-};
-
struct mac_policy_conf {
char *mpc_name; /* policy name */
char *mpc_fullname; /* policy full name */
struct mac_policy_ops *mpc_ops; /* policy operations */
- struct mac_policy_op_entry *mpc_entries; /* ops to fill in */
int mpc_loadtime_flags; /* flags */
int *mpc_field_off; /* security field */
int mpc_runtime_flags; /* flags */
@@ -565,12 +415,11 @@ struct mac_policy_conf {
/* Flags for the mpc_runtime_flags field. */
#define MPC_RUNTIME_FLAG_REGISTERED 0x00000001
-#define MAC_POLICY_SET(mpents, mpname, mpfullname, mpflags, privdata_wanted) \
+#define MAC_POLICY_SET(mpops, mpname, mpfullname, mpflags, privdata_wanted) \
static struct mac_policy_conf mpname##_mac_policy_conf = { \
#mpname, \
mpfullname, \
- NULL, \
- mpents, \
+ mpops, \
mpflags, \
privdata_wanted, \
0, \