Rather than having MAC policies explicitly declare what object types

they label, derive that information implicitly from the set of label
initializers in their policy operations set.  This avoids a possible
class of programmer errors, while retaining the structure that
allows us to avoid allocating labels for objects that don't need
them.  As before, we regenerate a global mask of labeled objects
each time a policy is loaded or unloaded, stored in mac_labeled.

Discussed with:   csjp
Suggested by:     Jacques Vidrine <nectar at apple.com>
Obtained from:    TrustedBSD Project
Sponsored by:     Apple, Inc.

sys/security/mac/mac_framework.c

@@ -3,7 +3,7 @@
  * Copyright (c) 2001 Ilmar S. Habibulin
  * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
  * Copyright (c) 2005-2006 SPARTA, Inc.
- * Copyright (c) 2008 Apple Inc.
+ * Copyright (c) 2008-2009 Apple Inc.
  * All rights reserved.
  *
  * This software was developed by Robert Watson and Ilmar Habibulin for the
@@ -329,10 +329,48 @@ mac_late_init(void)
 }
 
 /*
- * After the policy list has changed, walk the list to update any global
- * flags.  Currently, we support only one flag, and it's conditionally
- * defined; as a result, the entire function is conditional.  Eventually, the
- * #else case might also iterate across the policies.
+ * Given a policy, derive from its set of non-NULL label init methods what
+ * object types the policy is interested in.
+ */
+static uint64_t
+mac_policy_getlabeled(struct mac_policy_conf *mpc)
+{
+	uint64_t labeled;
+
+#define	MPC_FLAG(method, flag)					\
+	if (mpc->mpc_ops->mpo_ ## method != NULL)			\
+		labeled |= (flag);					\
+
+	labeled = 0;
+	MPC_FLAG(cred_init_label, MPC_OBJECT_CRED);
+	MPC_FLAG(proc_init_label, MPC_OBJECT_PROC);
+	MPC_FLAG(vnode_init_label, MPC_OBJECT_VNODE);
+	MPC_FLAG(inpcb_init_label, MPC_OBJECT_INPCB);
+	MPC_FLAG(socket_init_label, MPC_OBJECT_SOCKET);
+	MPC_FLAG(devfs_init_label, MPC_OBJECT_DEVFS);
+	MPC_FLAG(mbuf_init_label, MPC_OBJECT_MBUF);
+	MPC_FLAG(ipq_init_label, MPC_OBJECT_IPQ);
+	MPC_FLAG(ifnet_init_label, MPC_OBJECT_IFNET);
+	MPC_FLAG(bpfdesc_init_label, MPC_OBJECT_BPFDESC);
+	MPC_FLAG(pipe_init_label, MPC_OBJECT_PIPE);
+	MPC_FLAG(mount_init_label, MPC_OBJECT_MOUNT);
+	MPC_FLAG(posixsem_init_label, MPC_OBJECT_POSIXSEM);
+	MPC_FLAG(posixshm_init_label, MPC_OBJECT_POSIXSHM);
+	MPC_FLAG(sysvmsg_init_label, MPC_OBJECT_SYSVMSG);
+	MPC_FLAG(sysvmsq_init_label, MPC_OBJECT_SYSVMSQ);
+	MPC_FLAG(sysvsem_init_label, MPC_OBJECT_SYSVSEM);
+	MPC_FLAG(sysvshm_init_label, MPC_OBJECT_SYSVSHM);
+	MPC_FLAG(syncache_init_label, MPC_OBJECT_SYNCACHE);
+	MPC_FLAG(ip6q_init_label, MPC_OBJECT_IP6Q);
+
+#undef MPC_FLAG
+	return (labeled);
+}
+
+/*
+ * When policies are loaded or unloaded, walk the list of registered policies
+ * and built mac_labeled, a bitmask representing the union of all objects
+ * requiring labels across all policies.
  */
 static void
 mac_policy_updateflags(void)
@@ -343,9 +381,9 @@ mac_policy_updateflags(void)
 
 	mac_labeled = 0;
 	LIST_FOREACH(mpc, &mac_static_policy_list, mpc_list)
-		mac_labeled |= mpc->mpc_labeled;
+		mac_labeled |= mac_policy_getlabeled(mpc);
 	LIST_FOREACH(mpc, &mac_policy_list, mpc_list)
-		mac_labeled |= mpc->mpc_labeled;
+		mac_labeled |= mac_policy_getlabeled(mpc);
 }
 
 static int

sys/security/mac/mac_internal.h

@@ -4,6 +4,7 @@
  * Copyright (c) 2001-2004 Networks Associates Technology, Inc.
  * Copyright (c) 2006 nCircle Network Security, Inc.
  * Copyright (c) 2006 SPARTA, Inc.
+ * Copyright (c) 2009 Apple, Inc.
  * All rights reserved.
  *
  * This software was developed by Robert Watson and Ilmar Habibulin for the
@@ -83,6 +84,34 @@ struct label {
 	intptr_t	l_perpolicy[MAC_MAX_SLOTS];
 };
 
+
+/*
+ * Flags for mac_labeled, a bitmask of object types need across the union of
+ * all policies currently registered with the MAC Framework, used to key
+ * whether or not labels are allocated and constructors for the type are
+ * invoked.
+ */
+#define	MPC_OBJECT_CRED			0x0000000000000001
+#define	MPC_OBJECT_PROC			0x0000000000000002
+#define	MPC_OBJECT_VNODE		0x0000000000000004
+#define	MPC_OBJECT_INPCB		0x0000000000000008
+#define	MPC_OBJECT_SOCKET		0x0000000000000010
+#define	MPC_OBJECT_DEVFS		0x0000000000000020
+#define	MPC_OBJECT_MBUF			0x0000000000000040
+#define	MPC_OBJECT_IPQ			0x0000000000000080
+#define	MPC_OBJECT_IFNET		0x0000000000000100
+#define	MPC_OBJECT_BPFDESC		0x0000000000000200
+#define	MPC_OBJECT_PIPE			0x0000000000000400
+#define	MPC_OBJECT_MOUNT		0x0000000000000800
+#define	MPC_OBJECT_POSIXSEM		0x0000000000001000
+#define	MPC_OBJECT_POSIXSHM		0x0000000000002000
+#define	MPC_OBJECT_SYSVMSG		0x0000000000004000
+#define	MPC_OBJECT_SYSVMSQ		0x0000000000008000
+#define	MPC_OBJECT_SYSVSEM		0x0000000000010000
+#define	MPC_OBJECT_SYSVSHM		0x0000000000020000
+#define	MPC_OBJECT_SYNCACHE		0x0000000000040000
+#define	MPC_OBJECT_IP6Q			0x0000000000080000
+
 /*
  * MAC Framework global variables.
  */

sys/security/mac/mac_policy.h

@@ -956,9 +956,9 @@ struct mac_policy_conf {
 	int				*mpc_field_off; /* security field */
 	int				 mpc_runtime_flags; /* flags */
 	int				 _mpc_spare1;	/* Spare. */
-	uint64_t			 mpc_labeled;	/* Labeled objects. */
 	uint64_t			 _mpc_spare2;	/* Spare. */
-	void				*_mpc_spare3;	/* Spare. */
+	uint64_t			 _mpc_spare3;	/* Spare. */
+	void				*_mpc_spare4;	/* Spare. */
 	LIST_ENTRY(mac_policy_conf)	 mpc_list;	/* global list */
 };
 
@@ -969,31 +969,6 @@ struct mac_policy_conf {
 /* Flags for the mpc_runtime_flags field. */
 #define	MPC_RUNTIME_FLAG_REGISTERED	0x00000001
 
-/*
- * Flags for mpc_labeled declaring which objects should have labels allocated
- * for them by the MAC Framework.
- */
-#define	MPC_OBJECT_CRED			0x0000000000000001
-#define	MPC_OBJECT_PROC			0x0000000000000002
-#define	MPC_OBJECT_VNODE		0x0000000000000004
-#define	MPC_OBJECT_INPCB		0x0000000000000008
-#define	MPC_OBJECT_SOCKET		0x0000000000000010
-#define	MPC_OBJECT_DEVFS		0x0000000000000020
-#define	MPC_OBJECT_MBUF			0x0000000000000040
-#define	MPC_OBJECT_IPQ			0x0000000000000080
-#define	MPC_OBJECT_IFNET		0x0000000000000100
-#define	MPC_OBJECT_BPFDESC		0x0000000000000200
-#define	MPC_OBJECT_PIPE			0x0000000000000400
-#define	MPC_OBJECT_MOUNT		0x0000000000000800
-#define	MPC_OBJECT_POSIXSEM		0x0000000000001000
-#define	MPC_OBJECT_POSIXSHM		0x0000000000002000
-#define	MPC_OBJECT_SYSVMSG		0x0000000000004000
-#define	MPC_OBJECT_SYSVMSQ		0x0000000000008000
-#define	MPC_OBJECT_SYSVSEM		0x0000000000010000
-#define	MPC_OBJECT_SYSVSHM		0x0000000000020000
-#define	MPC_OBJECT_SYNCACHE		0x0000000000040000
-#define	MPC_OBJECT_IP6Q			0x0000000000080000
-
 /*-
  * The TrustedBSD MAC Framework has a major version number, MAC_VERSION,
  * which defines the ABI of the Framework present in the kernel (and depended
@@ -1009,15 +984,13 @@ struct mac_policy_conf {
  */
 #define	MAC_VERSION	4
 
-#define	MAC_POLICY_SET(mpops, mpname, mpfullname, mpflags, privdata_wanted, \
-    labeled)								\
+#define	MAC_POLICY_SET(mpops, mpname, mpfullname, mpflags, privdata_wanted) \
 	static struct mac_policy_conf mpname##_mac_policy_conf = {	\
 		.mpc_name = #mpname,					\
 		.mpc_fullname = mpfullname,				\
 		.mpc_ops = mpops,					\
 		.mpc_loadtime_flags = mpflags,				\
 		.mpc_field_off = privdata_wanted,			\
-		.mpc_labeled = labeled,					\
 	};								\
 	static moduledata_t mpname##_mod = {				\
 		#mpname,						\

sys/security/mac_biba/mac_biba.c

@@ -3545,26 +3545,5 @@ static struct mac_policy_ops mac_biba_ops =
 	.mpo_vnode_setlabel_extattr = biba_vnode_setlabel_extattr,
 };
 
-#define	BIBA_OBJECTS	(MPC_OBJECT_CRED |				\
-			 /* MPC_OBJECT_PROC | */			\
-			 MPC_OBJECT_VNODE |				\
-			 MPC_OBJECT_INPCB |				\
-			 MPC_OBJECT_SOCKET |				\
-			 MPC_OBJECT_DEVFS |				\
-			 MPC_OBJECT_MBUF |				\
-			 MPC_OBJECT_IPQ |				\
-			 MPC_OBJECT_IP6Q |				\
-			 MPC_OBJECT_IFNET |				\
-			 MPC_OBJECT_BPFDESC |				\
-			 MPC_OBJECT_PIPE |				\
-			 MPC_OBJECT_MOUNT |				\
-			 MPC_OBJECT_POSIXSEM |				\
-			 /* MPC_OBJECT_POSIXSHM | */			\
-			 MPC_OBJECT_SYSVMSG |				\
-			 MPC_OBJECT_SYSVMSQ |				\
-			 MPC_OBJECT_SYSVSEM |				\
-			 MPC_OBJECT_SYSVSHM |				\
-			 MPC_OBJECT_SYNCACHE)
-
 MAC_POLICY_SET(&mac_biba_ops, mac_biba, "TrustedBSD MAC/Biba",
-    MPC_LOADTIME_FLAG_NOTLATE, &biba_slot, BIBA_OBJECTS);
+    MPC_LOADTIME_FLAG_NOTLATE, &biba_slot);

sys/security/mac_bsdextended/mac_bsdextended.c

@@ -523,4 +523,4 @@ static struct mac_policy_ops ugidfw_ops =
 };
 
 MAC_POLICY_SET(&ugidfw_ops, mac_bsdextended, "TrustedBSD MAC/BSD Extended",
-    MPC_LOADTIME_FLAG_UNLOADOK, NULL, 0);
+    MPC_LOADTIME_FLAG_UNLOADOK, NULL);

sys/security/mac_ifoff/mac_ifoff.c

@@ -170,4 +170,4 @@ static struct mac_policy_ops ifoff_ops =
 };
 
 MAC_POLICY_SET(&ifoff_ops, mac_ifoff, "TrustedBSD MAC/ifoff",
-    MPC_LOADTIME_FLAG_UNLOADOK, NULL, 0);
+    MPC_LOADTIME_FLAG_UNLOADOK, NULL);

sys/security/mac_lomac/mac_lomac.c

@@ -3052,26 +3052,5 @@ static struct mac_policy_ops lomac_ops =
 	.mpo_vnode_setlabel_extattr = lomac_vnode_setlabel_extattr,
 };
 
-#define	LOMAC_OBJECTS	(MPC_OBJECT_CRED |				\
-			 /* MPC_OBJECT_PROC | */			\
-			 MPC_OBJECT_VNODE |				\
-			 MPC_OBJECT_INPCB |				\
-			 MPC_OBJECT_SOCKET |				\
-			 MPC_OBJECT_DEVFS |				\
-			 MPC_OBJECT_MBUF |				\
-			 MPC_OBJECT_IPQ |				\
-			 MPC_OBJECT_IP6Q |				\
-			 MPC_OBJECT_IFNET |				\
-			 MPC_OBJECT_BPFDESC |				\
-			 MPC_OBJECT_PIPE |				\
-			 MPC_OBJECT_MOUNT |				\
-			 /* MPC_OBJECT_POSIXSEM | */			\
-			 /* MPC_OBJECT_POSIXSHM | */			\
-			 /* MPC_OBJECT_SYSVMSG | */			\
-			 /* MPC_OBJECT_SYSVMSQ | */			\
-			 /* MPC_OBJECT_SYSVSEM | */			\
-			 /* MPC_OBJECT_SYSVSHM | */			\
-			 MPC_OBJECT_SYNCACHE)
-
 MAC_POLICY_SET(&lomac_ops, mac_lomac, "TrustedBSD MAC/LOMAC",
-    MPC_LOADTIME_FLAG_NOTLATE, &lomac_slot, LOMAC_OBJECTS);
+    MPC_LOADTIME_FLAG_NOTLATE, &lomac_slot);

sys/security/mac_mls/mac_mls.c

@@ -3162,26 +3162,5 @@ static struct mac_policy_ops mls_ops =
 	.mpo_vnode_setlabel_extattr = mls_vnode_setlabel_extattr,
 };
 
-#define	MLS_OBJECTS	(MPC_OBJECT_CRED |				\
-			 /* MPC_OBJECT_PROC | */			\
-			 MPC_OBJECT_VNODE |				\
-			 MPC_OBJECT_INPCB |				\
-			 MPC_OBJECT_SOCKET |				\
-			 MPC_OBJECT_DEVFS |				\
-			 MPC_OBJECT_MBUF |				\
-			 MPC_OBJECT_IPQ |				\
-			 MPC_OBJECT_IP6Q |				\
-			 MPC_OBJECT_IFNET |				\
-			 MPC_OBJECT_BPFDESC |				\
-			 MPC_OBJECT_PIPE |				\
-			 MPC_OBJECT_MOUNT |				\
-			 MPC_OBJECT_POSIXSEM |				\
-			 /* MPC_OBJECT_POSIXSHM | */			\
-			 MPC_OBJECT_SYSVMSG |				\
-			 MPC_OBJECT_SYSVMSQ |				\
-			 MPC_OBJECT_SYSVSEM |				\
-			 MPC_OBJECT_SYSVSHM |				\
-			 MPC_OBJECT_SYNCACHE)
-
 MAC_POLICY_SET(&mls_ops, mac_mls, "TrustedBSD MAC/MLS",
-    MPC_LOADTIME_FLAG_NOTLATE, &mls_slot, MLS_OBJECTS);
+    MPC_LOADTIME_FLAG_NOTLATE, &mls_slot);

sys/security/mac_none/mac_none.c

@@ -53,4 +53,4 @@ static struct mac_policy_ops none_ops =
 };
 
 MAC_POLICY_SET(&none_ops, mac_none, "TrustedBSD MAC/None",
-    MPC_LOADTIME_FLAG_UNLOADOK, NULL, 0);
+    MPC_LOADTIME_FLAG_UNLOADOK, NULL);

sys/security/mac_partition/mac_partition.c

@@ -316,4 +316,4 @@ static struct mac_policy_ops partition_ops =
 };
 
 MAC_POLICY_SET(&partition_ops, mac_partition, "TrustedBSD MAC/Partition",
-    MPC_LOADTIME_FLAG_UNLOADOK, &partition_slot, MPC_OBJECT_CRED);
+    MPC_LOADTIME_FLAG_UNLOADOK, &partition_slot);

sys/security/mac_portacl/mac_portacl.c

@@ -490,4 +490,4 @@ static struct mac_policy_ops portacl_ops =
 };
 
 MAC_POLICY_SET(&portacl_ops, mac_portacl, "TrustedBSD MAC/portacl",
-    MPC_LOADTIME_FLAG_UNLOADOK, NULL, 0);
+    MPC_LOADTIME_FLAG_UNLOADOK, NULL);

sys/security/mac_seeotheruids/mac_seeotheruids.c

@@ -186,4 +186,4 @@ static struct mac_policy_ops seeotheruids_ops =
 };
 
 MAC_POLICY_SET(&seeotheruids_ops, mac_seeotheruids,
-    "TrustedBSD MAC/seeotheruids", MPC_LOADTIME_FLAG_UNLOADOK, NULL, 0);
+    "TrustedBSD MAC/seeotheruids", MPC_LOADTIME_FLAG_UNLOADOK, NULL);

sys/security/mac_stub/mac_stub.c

@@ -1800,26 +1800,5 @@ static struct mac_policy_ops stub_ops =
 	.mpo_vnode_setlabel_extattr = stub_vnode_setlabel_extattr,
 };
 
-#define	STUB_OBJECTS	(MPC_OBJECT_CRED |				\
-			 /* XXX: MPC_OBJECT_PROC | */			\
-			 MPC_OBJECT_VNODE |				\
-			 MPC_OBJECT_INPCB |				\
-			 MPC_OBJECT_SOCKET |				\
-			 MPC_OBJECT_DEVFS |				\
-			 MPC_OBJECT_MBUF |				\
-			 MPC_OBJECT_IPQ |				\
-			 MPC_OBJECT_IP6Q |				\
-			 MPC_OBJECT_IFNET |				\
-			 MPC_OBJECT_BPFDESC |				\
-			 MPC_OBJECT_PIPE |				\
-			 MPC_OBJECT_MOUNT |				\
-			 MPC_OBJECT_POSIXSEM |				\
-			 MPC_OBJECT_POSIXSHM |				\
-			 MPC_OBJECT_SYSVMSG |				\
-			 MPC_OBJECT_SYSVMSQ |				\
-			 MPC_OBJECT_SYSVSEM |				\
-			 MPC_OBJECT_SYSVSHM |				\
-			 MPC_OBJECT_SYNCACHE)
-
 MAC_POLICY_SET(&stub_ops, mac_stub, "TrustedBSD MAC/Stub",
-    MPC_LOADTIME_FLAG_UNLOADOK, NULL, STUB_OBJECTS);
+    MPC_LOADTIME_FLAG_UNLOADOK, NULL);

sys/security/mac_test/mac_test.c

@@ -3139,26 +3139,5 @@ static struct mac_policy_ops test_ops =
 	.mpo_vnode_setlabel_extattr = test_vnode_setlabel_extattr,
 };
 
-#define	TEST_OBJECTS	(MPC_OBJECT_CRED |				\
-			 MPC_OBJECT_PROC |				\
-			 MPC_OBJECT_VNODE |				\
-			 MPC_OBJECT_INPCB |				\
-			 MPC_OBJECT_SOCKET |				\
-			 MPC_OBJECT_DEVFS |				\
-			 MPC_OBJECT_MBUF |				\
-			 MPC_OBJECT_IPQ |				\
-			 MPC_OBJECT_IP6Q |				\
-			 MPC_OBJECT_IFNET |				\
-			 MPC_OBJECT_BPFDESC |				\
-			 MPC_OBJECT_PIPE |				\
-			 MPC_OBJECT_MOUNT |				\
-			 MPC_OBJECT_POSIXSEM |				\
-			 MPC_OBJECT_POSIXSHM |				\
-			 MPC_OBJECT_SYSVMSG |				\
-			 MPC_OBJECT_SYSVMSQ |				\
-			 MPC_OBJECT_SYSVSEM |				\
-			 MPC_OBJECT_SYSVSHM |				\
-			 MPC_OBJECT_SYNCACHE)
-
 MAC_POLICY_SET(&test_ops, mac_test, "TrustedBSD MAC/Test",
-    MPC_LOADTIME_FLAG_UNLOADOK, &test_slot, TEST_OBJECTS);
+    MPC_LOADTIME_FLAG_UNLOADOK, &test_slot);