Modify label allocation semantics for sockets: pass in soalloc's malloc

flags so that we can call malloc with M_NOWAIT if necessary, avoiding
potential sleeps while holding mutexes in the TCP syncache code.
Similar to the existing support for mbuf label allocation: if we can't
allocate all the necessary label store in each policy, we back out
the label allocation and fail the socket creation.  Sync from MAC tree.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories

sys/kern/kern_mac.c

@@ -221,6 +221,8 @@ static void	mac_cred_mmapped_drop_perms(struct thread *td,
 static void	mac_cred_mmapped_drop_perms_recurse(struct thread *td,
 		    struct ucred *cred, struct vm_map *map);
 
+static void	mac_destroy_socket_label(struct label *label);
+
 MALLOC_DEFINE(M_MACOPVEC, "macopvec", "MAC policy operation vector");
 MALLOC_DEFINE(M_MACPIPELABEL, "macpipelabel", "MAC labels for pipes");
 
@@ -1156,17 +1158,57 @@ mac_init_pipe(struct pipe *pipe)
 #endif
 }
 
-void
-mac_init_socket(struct socket *socket)
+static int
+mac_init_socket_label(struct label *label, int flag)
 {
+	int error;
+
+	mac_init_label(label);
+
+	MAC_CHECK(init_socket_label, label, flag);
+	if (error) {
+		MAC_PERFORM(destroy_socket_label, label);
+		mac_destroy_label(label);
+	}
 
-	mac_init_label(&socket->so_label);
-	mac_init_label(&socket->so_peerlabel);
-	MAC_PERFORM(init_socket_label, &socket->so_label);
-	MAC_PERFORM(init_socket_peer_label, &socket->so_peerlabel);
 #ifdef MAC_DEBUG
-	atomic_add_int(&nmacsockets, 1);
+	if (error == 0)
+		atomic_add_int(&nmacsockets, 1);
 #endif
+
+	return (error);
+}
+
+static int
+mac_init_socket_peer_label(struct label *label, int flag)
+{
+	int error;
+
+	mac_init_label(label);
+
+	MAC_CHECK(init_socket_peer_label, label, flag);
+	if (error) {
+		MAC_PERFORM(destroy_socket_label, label);
+		mac_destroy_label(label);
+	}
+
+	return (error);
+}
+
+int
+mac_init_socket(struct socket *socket, int flag)
+{
+	int error;
+
+	error = mac_init_socket_label(&socket->so_label, flag);
+	if (error)
+		return (error);
+
+	error = mac_init_socket_peer_label(&socket->so_peerlabel, flag);
+	if (error)
+		mac_destroy_socket_label(&socket->so_label);
+
+	return (error);
 }
 
 static void
@@ -1282,17 +1324,31 @@ mac_destroy_pipe(struct pipe *pipe)
 #endif
 }
 
+static void
+mac_destroy_socket_label(struct label *label)
+{
+
+	MAC_PERFORM(destroy_socket_label, label);
+	mac_destroy_label(label);
+#ifdef MAC_DEBUG
+	atomic_subtract_int(&nmacsockets, 1);
+#endif
+}
+
+static void
+mac_destroy_socket_peer_label(struct label *label)
+{
+
+	MAC_PERFORM(destroy_socket_peer_label, label);
+	mac_destroy_label(label);
+}
+
 void
 mac_destroy_socket(struct socket *socket)
 {
 
-	MAC_PERFORM(destroy_socket_label, &socket->so_label);
-	MAC_PERFORM(destroy_socket_peer_label, &socket->so_peerlabel);
-	mac_destroy_label(&socket->so_label);
-	mac_destroy_label(&socket->so_peerlabel);
-#ifdef MAC_DEBUG
-	atomic_subtract_int(&nmacsockets, 1);
-#endif
+	mac_destroy_socket_label(&socket->so_label);
+	mac_destroy_socket_peer_label(&socket->so_peerlabel);
 }
 
 static void

sys/kern/uipc_socket.c

@@ -131,6 +131,9 @@ soalloc(waitok)
 	int waitok;
 {
 	struct socket *so;
+#ifdef MAC
+	int error;
+#endif
 	int flag;
 
 	if (waitok == 1)
@@ -140,14 +143,19 @@ soalloc(waitok)
 	flag |= M_ZERO;
 	so = uma_zalloc(socket_zone, flag);
 	if (so) {
+#ifdef MAC
+		error = mac_init_socket(so, flag);
+		if (error != 0) {
+			uma_zfree(socket_zone, so);
+			so = NULL;
+			return so;
+		}
+#endif
 		/* XXX race condition for reentrant kernel */
 		so->so_gencnt = ++so_gencnt;
 		/* sx_init(&so->so_sxlock, "socket sxlock"); */
 		TAILQ_INIT(&so->so_aiojobq);
 		++numopensockets;
-#ifdef MAC
-		mac_init_socket(so);
-#endif
 	}
 	return so;
 }

sys/security/mac/mac_framework.c

@@ -221,6 +221,8 @@ static void	mac_cred_mmapped_drop_perms(struct thread *td,
 static void	mac_cred_mmapped_drop_perms_recurse(struct thread *td,
 		    struct ucred *cred, struct vm_map *map);
 
+static void	mac_destroy_socket_label(struct label *label);
+
 MALLOC_DEFINE(M_MACOPVEC, "macopvec", "MAC policy operation vector");
 MALLOC_DEFINE(M_MACPIPELABEL, "macpipelabel", "MAC labels for pipes");
 
@@ -1156,17 +1158,57 @@ mac_init_pipe(struct pipe *pipe)
 #endif
 }
 
-void
-mac_init_socket(struct socket *socket)
+static int
+mac_init_socket_label(struct label *label, int flag)
 {
+	int error;
+
+	mac_init_label(label);
+
+	MAC_CHECK(init_socket_label, label, flag);
+	if (error) {
+		MAC_PERFORM(destroy_socket_label, label);
+		mac_destroy_label(label);
+	}
 
-	mac_init_label(&socket->so_label);
-	mac_init_label(&socket->so_peerlabel);
-	MAC_PERFORM(init_socket_label, &socket->so_label);
-	MAC_PERFORM(init_socket_peer_label, &socket->so_peerlabel);
 #ifdef MAC_DEBUG
-	atomic_add_int(&nmacsockets, 1);
+	if (error == 0)
+		atomic_add_int(&nmacsockets, 1);
 #endif
+
+	return (error);
+}
+
+static int
+mac_init_socket_peer_label(struct label *label, int flag)
+{
+	int error;
+
+	mac_init_label(label);
+
+	MAC_CHECK(init_socket_peer_label, label, flag);
+	if (error) {
+		MAC_PERFORM(destroy_socket_label, label);
+		mac_destroy_label(label);
+	}
+
+	return (error);
+}
+
+int
+mac_init_socket(struct socket *socket, int flag)
+{
+	int error;
+
+	error = mac_init_socket_label(&socket->so_label, flag);
+	if (error)
+		return (error);
+
+	error = mac_init_socket_peer_label(&socket->so_peerlabel, flag);
+	if (error)
+		mac_destroy_socket_label(&socket->so_label);
+
+	return (error);
 }
 
 static void
@@ -1282,17 +1324,31 @@ mac_destroy_pipe(struct pipe *pipe)
 #endif
 }
 
+static void
+mac_destroy_socket_label(struct label *label)
+{
+
+	MAC_PERFORM(destroy_socket_label, label);
+	mac_destroy_label(label);
+#ifdef MAC_DEBUG
+	atomic_subtract_int(&nmacsockets, 1);
+#endif
+}
+
+static void
+mac_destroy_socket_peer_label(struct label *label)
+{
+
+	MAC_PERFORM(destroy_socket_peer_label, label);
+	mac_destroy_label(label);
+}
+
 void
 mac_destroy_socket(struct socket *socket)
 {
 
-	MAC_PERFORM(destroy_socket_label, &socket->so_label);
-	MAC_PERFORM(destroy_socket_peer_label, &socket->so_peerlabel);
-	mac_destroy_label(&socket->so_label);
-	mac_destroy_label(&socket->so_peerlabel);
-#ifdef MAC_DEBUG
-	atomic_subtract_int(&nmacsockets, 1);
-#endif
+	mac_destroy_socket_label(&socket->so_label);
+	mac_destroy_socket_peer_label(&socket->so_peerlabel);
 }
 
 static void

sys/security/mac/mac_framework.h

@@ -220,9 +220,9 @@ void	mac_init_cred(struct ucred *);
 void	mac_init_devfsdirent(struct devfs_dirent *);
 void	mac_init_ifnet(struct ifnet *);
 void	mac_init_ipq(struct ipq *);
-void	mac_init_socket(struct socket *);
+int	mac_init_socket(struct socket *, int flag);
 void	mac_init_pipe(struct pipe *);
-int	mac_init_mbuf(struct mbuf *m, int how);
+int	mac_init_mbuf(struct mbuf *m, int flag);
 void	mac_init_mount(struct mount *);
 void	mac_init_vnode(struct vnode *);
 void	mac_destroy_bpfdesc(struct bpf_d *);

sys/security/mac/mac_internal.h

@@ -221,6 +221,8 @@ static void	mac_cred_mmapped_drop_perms(struct thread *td,
 static void	mac_cred_mmapped_drop_perms_recurse(struct thread *td,
 		    struct ucred *cred, struct vm_map *map);
 
+static void	mac_destroy_socket_label(struct label *label);
+
 MALLOC_DEFINE(M_MACOPVEC, "macopvec", "MAC policy operation vector");
 MALLOC_DEFINE(M_MACPIPELABEL, "macpipelabel", "MAC labels for pipes");
 
@@ -1156,17 +1158,57 @@ mac_init_pipe(struct pipe *pipe)
 #endif
 }
 
-void
-mac_init_socket(struct socket *socket)
+static int
+mac_init_socket_label(struct label *label, int flag)
 {
+	int error;
+
+	mac_init_label(label);
+
+	MAC_CHECK(init_socket_label, label, flag);
+	if (error) {
+		MAC_PERFORM(destroy_socket_label, label);
+		mac_destroy_label(label);
+	}
 
-	mac_init_label(&socket->so_label);
-	mac_init_label(&socket->so_peerlabel);
-	MAC_PERFORM(init_socket_label, &socket->so_label);
-	MAC_PERFORM(init_socket_peer_label, &socket->so_peerlabel);
 #ifdef MAC_DEBUG
-	atomic_add_int(&nmacsockets, 1);
+	if (error == 0)
+		atomic_add_int(&nmacsockets, 1);
 #endif
+
+	return (error);
+}
+
+static int
+mac_init_socket_peer_label(struct label *label, int flag)
+{
+	int error;
+
+	mac_init_label(label);
+
+	MAC_CHECK(init_socket_peer_label, label, flag);
+	if (error) {
+		MAC_PERFORM(destroy_socket_label, label);
+		mac_destroy_label(label);
+	}
+
+	return (error);
+}
+
+int
+mac_init_socket(struct socket *socket, int flag)
+{
+	int error;
+
+	error = mac_init_socket_label(&socket->so_label, flag);
+	if (error)
+		return (error);
+
+	error = mac_init_socket_peer_label(&socket->so_peerlabel, flag);
+	if (error)
+		mac_destroy_socket_label(&socket->so_label);
+
+	return (error);
 }
 
 static void
@@ -1282,17 +1324,31 @@ mac_destroy_pipe(struct pipe *pipe)
 #endif
 }
 
+static void
+mac_destroy_socket_label(struct label *label)
+{
+
+	MAC_PERFORM(destroy_socket_label, label);
+	mac_destroy_label(label);
+#ifdef MAC_DEBUG
+	atomic_subtract_int(&nmacsockets, 1);
+#endif
+}
+
+static void
+mac_destroy_socket_peer_label(struct label *label)
+{
+
+	MAC_PERFORM(destroy_socket_peer_label, label);
+	mac_destroy_label(label);
+}
+
 void
 mac_destroy_socket(struct socket *socket)
 {
 
-	MAC_PERFORM(destroy_socket_label, &socket->so_label);
-	MAC_PERFORM(destroy_socket_peer_label, &socket->so_peerlabel);
-	mac_destroy_label(&socket->so_label);
-	mac_destroy_label(&socket->so_peerlabel);
-#ifdef MAC_DEBUG
-	atomic_subtract_int(&nmacsockets, 1);
-#endif
+	mac_destroy_socket_label(&socket->so_label);
+	mac_destroy_socket_peer_label(&socket->so_peerlabel);
 }
 
 static void

sys/security/mac/mac_net.c

@@ -221,6 +221,8 @@ static void	mac_cred_mmapped_drop_perms(struct thread *td,
 static void	mac_cred_mmapped_drop_perms_recurse(struct thread *td,
 		    struct ucred *cred, struct vm_map *map);
 
+static void	mac_destroy_socket_label(struct label *label);
+
 MALLOC_DEFINE(M_MACOPVEC, "macopvec", "MAC policy operation vector");
 MALLOC_DEFINE(M_MACPIPELABEL, "macpipelabel", "MAC labels for pipes");
 
@@ -1156,17 +1158,57 @@ mac_init_pipe(struct pipe *pipe)
 #endif
 }
 
-void
-mac_init_socket(struct socket *socket)
+static int
+mac_init_socket_label(struct label *label, int flag)
 {
+	int error;
+
+	mac_init_label(label);
+
+	MAC_CHECK(init_socket_label, label, flag);
+	if (error) {
+		MAC_PERFORM(destroy_socket_label, label);
+		mac_destroy_label(label);
+	}
 
-	mac_init_label(&socket->so_label);
-	mac_init_label(&socket->so_peerlabel);
-	MAC_PERFORM(init_socket_label, &socket->so_label);
-	MAC_PERFORM(init_socket_peer_label, &socket->so_peerlabel);
 #ifdef MAC_DEBUG
-	atomic_add_int(&nmacsockets, 1);
+	if (error == 0)
+		atomic_add_int(&nmacsockets, 1);
 #endif
+
+	return (error);
+}
+
+static int
+mac_init_socket_peer_label(struct label *label, int flag)
+{
+	int error;
+
+	mac_init_label(label);
+
+	MAC_CHECK(init_socket_peer_label, label, flag);
+	if (error) {
+		MAC_PERFORM(destroy_socket_label, label);
+		mac_destroy_label(label);
+	}
+
+	return (error);
+}
+
+int
+mac_init_socket(struct socket *socket, int flag)
+{
+	int error;
+
+	error = mac_init_socket_label(&socket->so_label, flag);
+	if (error)
+		return (error);
+
+	error = mac_init_socket_peer_label(&socket->so_peerlabel, flag);
+	if (error)
+		mac_destroy_socket_label(&socket->so_label);
+
+	return (error);
 }
 
 static void
@@ -1282,17 +1324,31 @@ mac_destroy_pipe(struct pipe *pipe)
 #endif
 }
 
+static void
+mac_destroy_socket_label(struct label *label)
+{
+
+	MAC_PERFORM(destroy_socket_label, label);
+	mac_destroy_label(label);
+#ifdef MAC_DEBUG
+	atomic_subtract_int(&nmacsockets, 1);
+#endif
+}
+
+static void
+mac_destroy_socket_peer_label(struct label *label)
+{
+
+	MAC_PERFORM(destroy_socket_peer_label, label);
+	mac_destroy_label(label);
+}
+
 void
 mac_destroy_socket(struct socket *socket)
 {
 
-	MAC_PERFORM(destroy_socket_label, &socket->so_label);
-	MAC_PERFORM(destroy_socket_peer_label, &socket->so_peerlabel);
-	mac_destroy_label(&socket->so_label);
-	mac_destroy_label(&socket->so_peerlabel);
-#ifdef MAC_DEBUG
-	atomic_subtract_int(&nmacsockets, 1);
-#endif
+	mac_destroy_socket_label(&socket->so_label);
+	mac_destroy_socket_peer_label(&socket->so_peerlabel);
 }
 
 static void

sys/security/mac/mac_pipe.c

@@ -221,6 +221,8 @@ static void	mac_cred_mmapped_drop_perms(struct thread *td,
 static void	mac_cred_mmapped_drop_perms_recurse(struct thread *td,
 		    struct ucred *cred, struct vm_map *map);
 
+static void	mac_destroy_socket_label(struct label *label);
+
 MALLOC_DEFINE(M_MACOPVEC, "macopvec", "MAC policy operation vector");
 MALLOC_DEFINE(M_MACPIPELABEL, "macpipelabel", "MAC labels for pipes");
 
@@ -1156,17 +1158,57 @@ mac_init_pipe(struct pipe *pipe)
 #endif
 }
 
-void
-mac_init_socket(struct socket *socket)
+static int
+mac_init_socket_label(struct label *label, int flag)
 {
+	int error;
+
+	mac_init_label(label);
+
+	MAC_CHECK(init_socket_label, label, flag);
+	if (error) {
+		MAC_PERFORM(destroy_socket_label, label);
+		mac_destroy_label(label);
+	}
 
-	mac_init_label(&socket->so_label);
-	mac_init_label(&socket->so_peerlabel);
-	MAC_PERFORM(init_socket_label, &socket->so_label);
-	MAC_PERFORM(init_socket_peer_label, &socket->so_peerlabel);
 #ifdef MAC_DEBUG
-	atomic_add_int(&nmacsockets, 1);
+	if (error == 0)
+		atomic_add_int(&nmacsockets, 1);
 #endif
+
+	return (error);
+}
+
+static int
+mac_init_socket_peer_label(struct label *label, int flag)
+{
+	int error;
+
+	mac_init_label(label);
+
+	MAC_CHECK(init_socket_peer_label, label, flag);
+	if (error) {
+		MAC_PERFORM(destroy_socket_label, label);
+		mac_destroy_label(label);
+	}
+
+	return (error);
+}
+
+int
+mac_init_socket(struct socket *socket, int flag)
+{
+	int error;
+
+	error = mac_init_socket_label(&socket->so_label, flag);
+	if (error)
+		return (error);
+
+	error = mac_init_socket_peer_label(&socket->so_peerlabel, flag);
+	if (error)
+		mac_destroy_socket_label(&socket->so_label);
+
+	return (error);
 }
 
 static void
@@ -1282,17 +1324,31 @@ mac_destroy_pipe(struct pipe *pipe)
 #endif
 }
 
+static void
+mac_destroy_socket_label(struct label *label)
+{
+
+	MAC_PERFORM(destroy_socket_label, label);
+	mac_destroy_label(label);
+#ifdef MAC_DEBUG
+	atomic_subtract_int(&nmacsockets, 1);
+#endif
+}
+
+static void
+mac_destroy_socket_peer_label(struct label *label)
+{
+
+	MAC_PERFORM(destroy_socket_peer_label, label);
+	mac_destroy_label(label);
+}
+
 void
 mac_destroy_socket(struct socket *socket)
 {
 
-	MAC_PERFORM(destroy_socket_label, &socket->so_label);
-	MAC_PERFORM(destroy_socket_peer_label, &socket->so_peerlabel);
-	mac_destroy_label(&socket->so_label);
-	mac_destroy_label(&socket->so_peerlabel);
-#ifdef MAC_DEBUG
-	atomic_subtract_int(&nmacsockets, 1);
-#endif
+	mac_destroy_socket_label(&socket->so_label);
+	mac_destroy_socket_peer_label(&socket->so_peerlabel);
 }
 
 static void

sys/security/mac/mac_policy.h

@@ -80,8 +80,8 @@ struct mac_policy_ops {
 	int	(*mpo_init_mbuf_label)(struct label *label, int flag);
 	void	(*mpo_init_mount_label)(struct label *label);
 	void	(*mpo_init_mount_fs_label)(struct label *label);
-	void	(*mpo_init_socket_label)(struct label *label);
-	void	(*mpo_init_socket_peer_label)(struct label *label);
+	int	(*mpo_init_socket_label)(struct label *label, int flag);
+	int	(*mpo_init_socket_peer_label)(struct label *label, int flag);
 	void	(*mpo_init_pipe_label)(struct label *label);
 	void	(*mpo_init_temp_label)(struct label *label);
 	void	(*mpo_init_vnode_label)(struct label *label);

sys/security/mac/mac_process.c

@@ -221,6 +221,8 @@ static void	mac_cred_mmapped_drop_perms(struct thread *td,
 static void	mac_cred_mmapped_drop_perms_recurse(struct thread *td,
 		    struct ucred *cred, struct vm_map *map);
 
+static void	mac_destroy_socket_label(struct label *label);
+
 MALLOC_DEFINE(M_MACOPVEC, "macopvec", "MAC policy operation vector");
 MALLOC_DEFINE(M_MACPIPELABEL, "macpipelabel", "MAC labels for pipes");
 
@@ -1156,17 +1158,57 @@ mac_init_pipe(struct pipe *pipe)
 #endif
 }
 
-void
-mac_init_socket(struct socket *socket)
+static int
+mac_init_socket_label(struct label *label, int flag)
 {
+	int error;
+
+	mac_init_label(label);
+
+	MAC_CHECK(init_socket_label, label, flag);
+	if (error) {
+		MAC_PERFORM(destroy_socket_label, label);
+		mac_destroy_label(label);
+	}
 
-	mac_init_label(&socket->so_label);
-	mac_init_label(&socket->so_peerlabel);
-	MAC_PERFORM(init_socket_label, &socket->so_label);
-	MAC_PERFORM(init_socket_peer_label, &socket->so_peerlabel);
 #ifdef MAC_DEBUG
-	atomic_add_int(&nmacsockets, 1);
+	if (error == 0)
+		atomic_add_int(&nmacsockets, 1);
 #endif
+
+	return (error);
+}
+
+static int
+mac_init_socket_peer_label(struct label *label, int flag)
+{
+	int error;
+
+	mac_init_label(label);
+
+	MAC_CHECK(init_socket_peer_label, label, flag);
+	if (error) {
+		MAC_PERFORM(destroy_socket_label, label);
+		mac_destroy_label(label);
+	}
+
+	return (error);
+}
+
+int
+mac_init_socket(struct socket *socket, int flag)
+{
+	int error;
+
+	error = mac_init_socket_label(&socket->so_label, flag);
+	if (error)
+		return (error);
+
+	error = mac_init_socket_peer_label(&socket->so_peerlabel, flag);
+	if (error)
+		mac_destroy_socket_label(&socket->so_label);
+
+	return (error);
 }
 
 static void
@@ -1282,17 +1324,31 @@ mac_destroy_pipe(struct pipe *pipe)
 #endif
 }
 
+static void
+mac_destroy_socket_label(struct label *label)
+{
+
+	MAC_PERFORM(destroy_socket_label, label);
+	mac_destroy_label(label);
+#ifdef MAC_DEBUG
+	atomic_subtract_int(&nmacsockets, 1);
+#endif
+}
+
+static void
+mac_destroy_socket_peer_label(struct label *label)
+{
+
+	MAC_PERFORM(destroy_socket_peer_label, label);
+	mac_destroy_label(label);
+}
+
 void
 mac_destroy_socket(struct socket *socket)
 {
 
-	MAC_PERFORM(destroy_socket_label, &socket->so_label);
-	MAC_PERFORM(destroy_socket_peer_label, &socket->so_peerlabel);
-	mac_destroy_label(&socket->so_label);
-	mac_destroy_label(&socket->so_peerlabel);
-#ifdef MAC_DEBUG
-	atomic_subtract_int(&nmacsockets, 1);
-#endif
+	mac_destroy_socket_label(&socket->so_label);
+	mac_destroy_socket_peer_label(&socket->so_peerlabel);
 }
 
 static void

sys/security/mac/mac_syscalls.c

@@ -221,6 +221,8 @@ static void	mac_cred_mmapped_drop_perms(struct thread *td,
 static void	mac_cred_mmapped_drop_perms_recurse(struct thread *td,
 		    struct ucred *cred, struct vm_map *map);
 
+static void	mac_destroy_socket_label(struct label *label);
+
 MALLOC_DEFINE(M_MACOPVEC, "macopvec", "MAC policy operation vector");
 MALLOC_DEFINE(M_MACPIPELABEL, "macpipelabel", "MAC labels for pipes");
 
@@ -1156,17 +1158,57 @@ mac_init_pipe(struct pipe *pipe)
 #endif
 }
 
-void
-mac_init_socket(struct socket *socket)
+static int
+mac_init_socket_label(struct label *label, int flag)
 {
+	int error;
+
+	mac_init_label(label);
+
+	MAC_CHECK(init_socket_label, label, flag);
+	if (error) {
+		MAC_PERFORM(destroy_socket_label, label);
+		mac_destroy_label(label);
+	}
 
-	mac_init_label(&socket->so_label);
-	mac_init_label(&socket->so_peerlabel);
-	MAC_PERFORM(init_socket_label, &socket->so_label);
-	MAC_PERFORM(init_socket_peer_label, &socket->so_peerlabel);
 #ifdef MAC_DEBUG
-	atomic_add_int(&nmacsockets, 1);
+	if (error == 0)
+		atomic_add_int(&nmacsockets, 1);
 #endif
+
+	return (error);
+}
+
+static int
+mac_init_socket_peer_label(struct label *label, int flag)
+{
+	int error;
+
+	mac_init_label(label);
+
+	MAC_CHECK(init_socket_peer_label, label, flag);
+	if (error) {
+		MAC_PERFORM(destroy_socket_label, label);
+		mac_destroy_label(label);
+	}
+
+	return (error);
+}
+
+int
+mac_init_socket(struct socket *socket, int flag)
+{
+	int error;
+
+	error = mac_init_socket_label(&socket->so_label, flag);
+	if (error)
+		return (error);
+
+	error = mac_init_socket_peer_label(&socket->so_peerlabel, flag);
+	if (error)
+		mac_destroy_socket_label(&socket->so_label);
+
+	return (error);
 }
 
 static void
@@ -1282,17 +1324,31 @@ mac_destroy_pipe(struct pipe *pipe)
 #endif
 }
 
+static void
+mac_destroy_socket_label(struct label *label)
+{
+
+	MAC_PERFORM(destroy_socket_label, label);
+	mac_destroy_label(label);
+#ifdef MAC_DEBUG
+	atomic_subtract_int(&nmacsockets, 1);
+#endif
+}
+
+static void
+mac_destroy_socket_peer_label(struct label *label)
+{
+
+	MAC_PERFORM(destroy_socket_peer_label, label);
+	mac_destroy_label(label);
+}
+
 void
 mac_destroy_socket(struct socket *socket)
 {
 
-	MAC_PERFORM(destroy_socket_label, &socket->so_label);
-	MAC_PERFORM(destroy_socket_peer_label, &socket->so_peerlabel);
-	mac_destroy_label(&socket->so_label);
-	mac_destroy_label(&socket->so_peerlabel);
-#ifdef MAC_DEBUG
-	atomic_subtract_int(&nmacsockets, 1);
-#endif
+	mac_destroy_socket_label(&socket->so_label);
+	mac_destroy_socket_peer_label(&socket->so_peerlabel);
 }
 
 static void

sys/security/mac/mac_system.c

@@ -221,6 +221,8 @@ static void	mac_cred_mmapped_drop_perms(struct thread *td,
 static void	mac_cred_mmapped_drop_perms_recurse(struct thread *td,
 		    struct ucred *cred, struct vm_map *map);
 
+static void	mac_destroy_socket_label(struct label *label);
+
 MALLOC_DEFINE(M_MACOPVEC, "macopvec", "MAC policy operation vector");
 MALLOC_DEFINE(M_MACPIPELABEL, "macpipelabel", "MAC labels for pipes");
 
@@ -1156,17 +1158,57 @@ mac_init_pipe(struct pipe *pipe)
 #endif
 }
 
-void
-mac_init_socket(struct socket *socket)
+static int
+mac_init_socket_label(struct label *label, int flag)
 {
+	int error;
+
+	mac_init_label(label);
+
+	MAC_CHECK(init_socket_label, label, flag);
+	if (error) {
+		MAC_PERFORM(destroy_socket_label, label);
+		mac_destroy_label(label);
+	}
 
-	mac_init_label(&socket->so_label);
-	mac_init_label(&socket->so_peerlabel);
-	MAC_PERFORM(init_socket_label, &socket->so_label);
-	MAC_PERFORM(init_socket_peer_label, &socket->so_peerlabel);
 #ifdef MAC_DEBUG
-	atomic_add_int(&nmacsockets, 1);
+	if (error == 0)
+		atomic_add_int(&nmacsockets, 1);
 #endif
+
+	return (error);
+}
+
+static int
+mac_init_socket_peer_label(struct label *label, int flag)
+{
+	int error;
+
+	mac_init_label(label);
+
+	MAC_CHECK(init_socket_peer_label, label, flag);
+	if (error) {
+		MAC_PERFORM(destroy_socket_label, label);
+		mac_destroy_label(label);
+	}
+
+	return (error);
+}
+
+int
+mac_init_socket(struct socket *socket, int flag)
+{
+	int error;
+
+	error = mac_init_socket_label(&socket->so_label, flag);
+	if (error)
+		return (error);
+
+	error = mac_init_socket_peer_label(&socket->so_peerlabel, flag);
+	if (error)
+		mac_destroy_socket_label(&socket->so_label);
+
+	return (error);
 }
 
 static void
@@ -1282,17 +1324,31 @@ mac_destroy_pipe(struct pipe *pipe)
 #endif
 }
 
+static void
+mac_destroy_socket_label(struct label *label)
+{
+
+	MAC_PERFORM(destroy_socket_label, label);
+	mac_destroy_label(label);
+#ifdef MAC_DEBUG
+	atomic_subtract_int(&nmacsockets, 1);
+#endif
+}
+
+static void
+mac_destroy_socket_peer_label(struct label *label)
+{
+
+	MAC_PERFORM(destroy_socket_peer_label, label);
+	mac_destroy_label(label);
+}
+
 void
 mac_destroy_socket(struct socket *socket)
 {
 
-	MAC_PERFORM(destroy_socket_label, &socket->so_label);
-	MAC_PERFORM(destroy_socket_peer_label, &socket->so_peerlabel);
-	mac_destroy_label(&socket->so_label);
-	mac_destroy_label(&socket->so_peerlabel);
-#ifdef MAC_DEBUG
-	atomic_subtract_int(&nmacsockets, 1);
-#endif
+	mac_destroy_socket_label(&socket->so_label);
+	mac_destroy_socket_peer_label(&socket->so_peerlabel);
 }
 
 static void

sys/security/mac/mac_vfs.c

@@ -221,6 +221,8 @@ static void	mac_cred_mmapped_drop_perms(struct thread *td,
 static void	mac_cred_mmapped_drop_perms_recurse(struct thread *td,
 		    struct ucred *cred, struct vm_map *map);
 
+static void	mac_destroy_socket_label(struct label *label);
+
 MALLOC_DEFINE(M_MACOPVEC, "macopvec", "MAC policy operation vector");
 MALLOC_DEFINE(M_MACPIPELABEL, "macpipelabel", "MAC labels for pipes");
 
@@ -1156,17 +1158,57 @@ mac_init_pipe(struct pipe *pipe)
 #endif
 }
 
-void
-mac_init_socket(struct socket *socket)
+static int
+mac_init_socket_label(struct label *label, int flag)
 {
+	int error;
+
+	mac_init_label(label);
+
+	MAC_CHECK(init_socket_label, label, flag);
+	if (error) {
+		MAC_PERFORM(destroy_socket_label, label);
+		mac_destroy_label(label);
+	}
 
-	mac_init_label(&socket->so_label);
-	mac_init_label(&socket->so_peerlabel);
-	MAC_PERFORM(init_socket_label, &socket->so_label);
-	MAC_PERFORM(init_socket_peer_label, &socket->so_peerlabel);
 #ifdef MAC_DEBUG
-	atomic_add_int(&nmacsockets, 1);
+	if (error == 0)
+		atomic_add_int(&nmacsockets, 1);
 #endif
+
+	return (error);
+}
+
+static int
+mac_init_socket_peer_label(struct label *label, int flag)
+{
+	int error;
+
+	mac_init_label(label);
+
+	MAC_CHECK(init_socket_peer_label, label, flag);
+	if (error) {
+		MAC_PERFORM(destroy_socket_label, label);
+		mac_destroy_label(label);
+	}
+
+	return (error);
+}
+
+int
+mac_init_socket(struct socket *socket, int flag)
+{
+	int error;
+
+	error = mac_init_socket_label(&socket->so_label, flag);
+	if (error)
+		return (error);
+
+	error = mac_init_socket_peer_label(&socket->so_peerlabel, flag);
+	if (error)
+		mac_destroy_socket_label(&socket->so_label);
+
+	return (error);
 }
 
 static void
@@ -1282,17 +1324,31 @@ mac_destroy_pipe(struct pipe *pipe)
 #endif
 }
 
+static void
+mac_destroy_socket_label(struct label *label)
+{
+
+	MAC_PERFORM(destroy_socket_label, label);
+	mac_destroy_label(label);
+#ifdef MAC_DEBUG
+	atomic_subtract_int(&nmacsockets, 1);
+#endif
+}
+
+static void
+mac_destroy_socket_peer_label(struct label *label)
+{
+
+	MAC_PERFORM(destroy_socket_peer_label, label);
+	mac_destroy_label(label);
+}
+
 void
 mac_destroy_socket(struct socket *socket)
 {
 
-	MAC_PERFORM(destroy_socket_label, &socket->so_label);
-	MAC_PERFORM(destroy_socket_peer_label, &socket->so_peerlabel);
-	mac_destroy_label(&socket->so_label);
-	mac_destroy_label(&socket->so_peerlabel);
-#ifdef MAC_DEBUG
-	atomic_subtract_int(&nmacsockets, 1);
-#endif
+	mac_destroy_socket_label(&socket->so_label);
+	mac_destroy_socket_peer_label(&socket->so_peerlabel);
 }
 
 static void

sys/security/mac_biba/mac_biba.c

@@ -1954,9 +1954,9 @@ static struct mac_policy_op_entry mac_biba_ops[] =
 	{ MAC_INIT_PIPE_LABEL,
 	    (macop_t)mac_biba_init_label },
 	{ MAC_INIT_SOCKET_LABEL,
-	    (macop_t)mac_biba_init_label },
+	    (macop_t)mac_biba_init_label_waitcheck },
 	{ MAC_INIT_SOCKET_PEER_LABEL,
-	    (macop_t)mac_biba_init_label },
+	    (macop_t)mac_biba_init_label_waitcheck },
 	{ MAC_INIT_TEMP_LABEL,
 	    (macop_t)mac_biba_init_label },
 	{ MAC_INIT_VNODE_LABEL,

sys/security/mac_mls/mac_mls.c

@@ -1916,9 +1916,9 @@ static struct mac_policy_op_entry mac_mls_ops[] =
 	{ MAC_INIT_PIPE_LABEL,
 	    (macop_t)mac_mls_init_label },
 	{ MAC_INIT_SOCKET_LABEL,
-	    (macop_t)mac_mls_init_label },
+	    (macop_t)mac_mls_init_label_waitcheck },
 	{ MAC_INIT_SOCKET_PEER_LABEL,
-	    (macop_t)mac_mls_init_label },
+	    (macop_t)mac_mls_init_label_waitcheck },
 	{ MAC_INIT_TEMP_LABEL,
 	    (macop_t)mac_mls_init_label },
 	{ MAC_INIT_VNODE_LABEL,

sys/security/mac_none/mac_none.c

@@ -858,9 +858,9 @@ static struct mac_policy_op_entry mac_none_ops[] =
 	{ MAC_INIT_PIPE_LABEL,
 	    (macop_t)mac_none_init_label },
 	{ MAC_INIT_SOCKET_LABEL,
-	    (macop_t)mac_none_init_label },
+	    (macop_t)mac_none_init_label_waitcheck },
 	{ MAC_INIT_SOCKET_PEER_LABEL,
-	    (macop_t)mac_none_init_label },
+	    (macop_t)mac_none_init_label_waitcheck },
 	{ MAC_INIT_TEMP_LABEL,
 	    (macop_t)mac_none_init_label },
 	{ MAC_INIT_VNODE_LABEL,

sys/security/mac_stub/mac_stub.c

@@ -858,9 +858,9 @@ static struct mac_policy_op_entry mac_none_ops[] =
 	{ MAC_INIT_PIPE_LABEL,
 	    (macop_t)mac_none_init_label },
 	{ MAC_INIT_SOCKET_LABEL,
-	    (macop_t)mac_none_init_label },
+	    (macop_t)mac_none_init_label_waitcheck },
 	{ MAC_INIT_SOCKET_PEER_LABEL,
-	    (macop_t)mac_none_init_label },
+	    (macop_t)mac_none_init_label_waitcheck },
 	{ MAC_INIT_TEMP_LABEL,
 	    (macop_t)mac_none_init_label },
 	{ MAC_INIT_VNODE_LABEL,

sys/security/mac_test/mac_test.c

@@ -277,20 +277,22 @@ mac_test_init_mount_fs_label(struct label *label)
 	atomic_add_int(&init_count_mount_fslabel, 1);
 }
 
-static void
-mac_test_init_socket_label(struct label *label)
+static int
+mac_test_init_socket_label(struct label *label, int flag)
 {
 
 	SLOT(label) = SOCKETMAGIC;
 	atomic_add_int(&init_count_socket, 1);
+	return (0);
 }
 
-static void
-mac_test_init_socket_peer_label(struct label *label)
+static int
+mac_test_init_socket_peer_label(struct label *label, int flag)
 {
 
 	SLOT(label) = SOCKETMAGIC;
 	atomic_add_int(&init_count_socket_peerlabel, 1);
+	return (0);
 }
 
 static void

sys/sys/mac.h

@@ -220,9 +220,9 @@ void	mac_init_cred(struct ucred *);
 void	mac_init_devfsdirent(struct devfs_dirent *);
 void	mac_init_ifnet(struct ifnet *);
 void	mac_init_ipq(struct ipq *);
-void	mac_init_socket(struct socket *);
+int	mac_init_socket(struct socket *, int flag);
 void	mac_init_pipe(struct pipe *);
-int	mac_init_mbuf(struct mbuf *m, int how);
+int	mac_init_mbuf(struct mbuf *m, int flag);
 void	mac_init_mount(struct mount *);
 void	mac_init_vnode(struct vnode *);
 void	mac_destroy_bpfdesc(struct bpf_d *);

sys/sys/mac_policy.h

@@ -80,8 +80,8 @@ struct mac_policy_ops {
 	int	(*mpo_init_mbuf_label)(struct label *label, int flag);
 	void	(*mpo_init_mount_label)(struct label *label);
 	void	(*mpo_init_mount_fs_label)(struct label *label);
-	void	(*mpo_init_socket_label)(struct label *label);
-	void	(*mpo_init_socket_peer_label)(struct label *label);
+	int	(*mpo_init_socket_label)(struct label *label, int flag);
+	int	(*mpo_init_socket_peer_label)(struct label *label, int flag);
 	void	(*mpo_init_pipe_label)(struct label *label);
 	void	(*mpo_init_temp_label)(struct label *label);
 	void	(*mpo_init_vnode_label)(struct label *label);