d/freebsd-nq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

In the MAC Framework implementation, file systems have two per-mountpoint

Browse Source 
labels: the mount label (label of the mountpoint) and the fs label (label
of the file system).  In practice, policies appear to only ever use one,
and the distinction is not helpful.

Combine mnt_mntlabel and mnt_fslabel into a single mnt_label, and
eliminate extra machinery required to maintain the additional label.
Update policies to reflect removal of extra entry points and label.

Obtained from:	TrustedBSD Project
Sponsored by:	SPARTA, Inc.
This commit is contained in:
Robert Watson 2007-04-22 16:18:10 +00:00
parent 2efc0f7f47
commit eb542415c0
8 changed files with 55 additions and 117 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
sys/security/mac/mac_policy.h
View File

@ -127,7 +127,6 @@ typedef void (*mpo_init_sysv_shm_label_t)(struct label *label);
typedef int (*mpo_init_ipq_label_t)(struct label *label, int flag);
typedef int (*mpo_init_mbuf_label_t)(struct label *label, int flag);
typedef void (*mpo_init_mount_label_t)(struct label *label);
typedef void (*mpo_init_mount_fs_label_t)(struct label *label);
typedef int (*mpo_init_socket_label_t)(struct label *label, int flag);
typedef int (*mpo_init_socket_peer_label_t)(struct label *label,
int flag);
@ -147,7 +146,6 @@ typedef void (*mpo_destroy_sysv_shm_label_t)(struct label *label);
typedef void (*mpo_destroy_ipq_label_t)(struct label *label);
typedef void (*mpo_destroy_mbuf_label_t)(struct label *label);
typedef void (*mpo_destroy_mount_label_t)(struct label *label);
typedef void (*mpo_destroy_mount_fs_label_t)(struct label *label);
typedef void (*mpo_destroy_socket_label_t)(struct label *label);
typedef void (*mpo_destroy_socket_peer_label_t)(struct label *label);
typedef void (*mpo_destroy_pipe_label_t)(struct label *label);
@ -198,14 +196,14 @@ typedef int (*mpo_internalize_vnode_label_t)(struct label *label,
* like file system objects.
*/
typedef void (*mpo_associate_vnode_devfs_t)(struct mount *mp,
struct label *fslabel, struct devfs_dirent *de,
struct label *mntlabel, struct devfs_dirent *de,
struct label *delabel, struct vnode *vp,
struct label *vlabel);
typedef int (*mpo_associate_vnode_extattr_t)(struct mount *mp,
struct label *fslabel, struct vnode *vp,
struct label *mntlabel, struct vnode *vp,
struct label *vlabel);
typedef void (*mpo_associate_vnode_singlelabel_t)(struct mount *mp,
struct label *fslabel, struct vnode *vp,
struct label *mntlabel, struct vnode *vp,
struct label *vlabel);
typedef void (*mpo_create_devfs_device_t)(struct ucred *cred,
struct mount *mp, struct cdev *dev,
@ -218,12 +216,12 @@ typedef void (*mpo_create_devfs_symlink_t)(struct ucred *cred,
struct label *ddlabel, struct devfs_dirent *de,
struct label *delabel);
typedef int (*mpo_create_vnode_extattr_t)(struct ucred *cred,
struct mount *mp, struct label *fslabel,
struct mount *mp, struct label *mntlabel,
struct vnode *dvp, struct label *dlabel,
struct vnode *vp, struct label *vlabel,
struct componentname *cnp);
typedef void (*mpo_create_mount_t)(struct ucred *cred, struct mount *mp,
struct label *mntlabel, struct label *fslabel);
struct label *mntlabel);
typedef void (*mpo_relabel_vnode_t)(struct ucred *cred, struct vnode *vp,
struct label *vnodelabel, struct label *label);
typedef int (*mpo_setlabel_vnode_extattr_t)(struct ucred *cred,
@ -645,7 +643,6 @@ struct mac_policy_ops {
mpo_init_ipq_label_t mpo_init_ipq_label;
mpo_init_mbuf_label_t mpo_init_mbuf_label;
mpo_init_mount_label_t mpo_init_mount_label;
mpo_init_mount_fs_label_t mpo_init_mount_fs_label;
mpo_init_socket_label_t mpo_init_socket_label;
mpo_init_socket_peer_label_t mpo_init_socket_peer_label;
mpo_init_pipe_label_t mpo_init_pipe_label;
@ -665,7 +662,6 @@ struct mac_policy_ops {
mpo_destroy_ipq_label_t mpo_destroy_ipq_label;
mpo_destroy_mbuf_label_t mpo_destroy_mbuf_label;
mpo_destroy_mount_label_t mpo_destroy_mount_label;
mpo_destroy_mount_fs_label_t mpo_destroy_mount_fs_label;
mpo_destroy_socket_label_t mpo_destroy_socket_label;
mpo_destroy_socket_peer_label_t mpo_destroy_socket_peer_label;
mpo_destroy_pipe_label_t mpo_destroy_pipe_label;

44
sys/security/mac/mac_vfs.c
View File

@ -2,7 +2,7 @@
* Copyright (c) 1999-2002 Robert N. M. Watson
* Copyright (c) 2001 Ilmar S. Habibulin
* Copyright (c) 2001-2005 McAfee, Inc.
* Copyright (c) 2005 SPARTA, Inc.
* Copyright (c) 2005-2006 SPARTA, Inc.
* All rights reserved.
*
* This software was developed by Robert Watson and Ilmar Habibulin for the
@ -107,22 +107,11 @@ mac_mount_label_alloc(void)
return (label);
}
static struct label *
mac_mount_fs_label_alloc(void)
{
struct label *label;
label = mac_labelzone_alloc(M_WAITOK);
MAC_PERFORM(init_mount_fs_label, label);
return (label);
}
void
mac_init_mount(struct mount *mp)
{
mp->mnt_mntlabel = mac_mount_label_alloc();
mp->mnt_fslabel = mac_mount_fs_label_alloc();
mp->mnt_label = mac_mount_label_alloc();
}
struct label *
@ -166,22 +155,12 @@ mac_mount_label_free(struct label *label)
mac_labelzone_free(label);
}
static void
mac_mount_fs_label_free(struct label *label)
{
MAC_PERFORM(destroy_mount_fs_label, label);
mac_labelzone_free(label);
}
void
mac_destroy_mount(struct mount *mp)
{
mac_mount_fs_label_free(mp->mnt_fslabel);
mp->mnt_fslabel = NULL;
mac_mount_label_free(mp->mnt_mntlabel);
mp->mnt_mntlabel = NULL;
mac_mount_label_free(mp->mnt_label);
mp->mnt_label = NULL;
}
void
@ -242,7 +221,7 @@ mac_associate_vnode_devfs(struct mount *mp, struct devfs_dirent *de,
struct vnode *vp)
{
MAC_PERFORM(associate_vnode_devfs, mp, mp->mnt_fslabel, de,
MAC_PERFORM(associate_vnode_devfs, mp, mp->mnt_label, de,
de->de_label, vp, vp->v_label);
}
@ -253,7 +232,7 @@ mac_associate_vnode_extattr(struct mount *mp, struct vnode *vp)
ASSERT_VOP_LOCKED(vp, "mac_associate_vnode_extattr");
MAC_CHECK(associate_vnode_extattr, mp, mp->mnt_fslabel, vp,
MAC_CHECK(associate_vnode_extattr, mp, mp->mnt_label, vp,
vp->v_label);
return (error);
@ -263,7 +242,7 @@ void
mac_associate_vnode_singlelabel(struct mount *mp, struct vnode *vp)
{
MAC_PERFORM(associate_vnode_singlelabel, mp, mp->mnt_fslabel, vp,
MAC_PERFORM(associate_vnode_singlelabel, mp, mp->mnt_label, vp,
vp->v_label);
}
@ -295,8 +274,8 @@ mac_create_vnode_extattr(struct ucred *cred, struct mount *mp,
} else if (error)
return (error);
MAC_CHECK(create_vnode_extattr, cred, mp, mp->mnt_fslabel,
dvp, dvp->v_label, vp, vp->v_label, cnp);
MAC_CHECK(create_vnode_extattr, cred, mp, mp->mnt_label, dvp,
dvp->v_label, vp, vp->v_label, cnp);
if (error) {
VOP_CLOSEEXTATTR(vp, 0, NOCRED, curthread);
@ -788,8 +767,7 @@ void
mac_create_mount(struct ucred *cred, struct mount *mp)
{
MAC_PERFORM(create_mount, cred, mp, mp->mnt_mntlabel,
mp->mnt_fslabel);
MAC_PERFORM(create_mount, cred, mp, mp->mnt_label);
}
int
@ -797,7 +775,7 @@ mac_check_mount_stat(struct ucred *cred, struct mount *mount)
{
int error;
MAC_CHECK(check_mount_stat, cred, mount, mount->mnt_mntlabel);
MAC_CHECK(check_mount_stat, cred, mount, mount->mnt_label);
return (error);
}

20
sys/security/mac_biba/mac_biba.c
View File

@ -829,15 +829,13 @@ mac_biba_create_devfs_symlink(struct ucred *cred, struct mount *mp,
static void
mac_biba_create_mount(struct ucred *cred, struct mount *mp,
struct label *mntlabel, struct label *fslabel)
struct label *mntlabel)
{
struct mac_biba *source, *dest;
source = SLOT(cred->cr_label);
dest = SLOT(mntlabel);
mac_biba_copy_effective(source, dest);
dest = SLOT(fslabel);
mac_biba_copy_effective(source, dest);
}
static void
@ -866,7 +864,7 @@ mac_biba_update_devfsdirent(struct mount *mp,
}
static void
mac_biba_associate_vnode_devfs(struct mount *mp, struct label *fslabel,
mac_biba_associate_vnode_devfs(struct mount *mp, struct label *mntlabel,
struct devfs_dirent *de, struct label *delabel, struct vnode *vp,
struct label *vlabel)
{
@ -879,13 +877,13 @@ mac_biba_associate_vnode_devfs(struct mount *mp, struct label *fslabel,
}
static int
mac_biba_associate_vnode_extattr(struct mount *mp, struct label *fslabel,
mac_biba_associate_vnode_extattr(struct mount *mp, struct label *mntlabel,
struct vnode *vp, struct label *vlabel)
{
struct mac_biba temp, *source, *dest;
int buflen, error;
source = SLOT(fslabel);
source = SLOT(mntlabel);
dest = SLOT(vlabel);
buflen = sizeof(temp);
@ -894,7 +892,7 @@ mac_biba_associate_vnode_extattr(struct mount *mp, struct label *fslabel,
error = vn_extattr_get(vp, IO_NODELOCKED, MAC_BIBA_EXTATTR_NAMESPACE,
MAC_BIBA_EXTATTR_NAME, &buflen, (char *) &temp, curthread);
if (error == ENOATTR || error == EOPNOTSUPP) {
/* Fall back to the fslabel. */
/* Fall back to the mntlabel. */
mac_biba_copy_effective(source, dest);
return (0);
} else if (error)
@ -920,11 +918,11 @@ mac_biba_associate_vnode_extattr(struct mount *mp, struct label *fslabel,
static void
mac_biba_associate_vnode_singlelabel(struct mount *mp,
struct label *fslabel, struct vnode *vp, struct label *vlabel)
struct label *mntlabel, struct vnode *vp, struct label *vlabel)
{
struct mac_biba *source, *dest;
source = SLOT(fslabel);
source = SLOT(mntlabel);
dest = SLOT(vlabel);
mac_biba_copy_effective(source, dest);
@ -932,7 +930,7 @@ mac_biba_associate_vnode_singlelabel(struct mount *mp,
static int
mac_biba_create_vnode_extattr(struct ucred *cred, struct mount *mp,
struct label *fslabel, struct vnode *dvp, struct label *dlabel,
struct label *mntlabel, struct vnode *dvp, struct label *dlabel,
struct vnode *vp, struct label *vlabel, struct componentname *cnp)
{
struct mac_biba *source, *dest, temp;
@ -3258,7 +3256,6 @@ static struct mac_policy_ops mac_biba_ops =
.mpo_init_ipq_label = mac_biba_init_label_waitcheck,
.mpo_init_mbuf_label = mac_biba_init_label_waitcheck,
.mpo_init_mount_label = mac_biba_init_label,
.mpo_init_mount_fs_label = mac_biba_init_label,
.mpo_init_pipe_label = mac_biba_init_label,
.mpo_init_posix_sem_label = mac_biba_init_label,
.mpo_init_socket_label = mac_biba_init_label_waitcheck,
@ -3278,7 +3275,6 @@ static struct mac_policy_ops mac_biba_ops =
.mpo_destroy_ipq_label = mac_biba_destroy_label,
.mpo_destroy_mbuf_label = mac_biba_destroy_label,
.mpo_destroy_mount_label = mac_biba_destroy_label,
.mpo_destroy_mount_fs_label = mac_biba_destroy_label,
.mpo_destroy_pipe_label = mac_biba_destroy_label,
.mpo_destroy_posix_sem_label = mac_biba_destroy_label,
.mpo_destroy_socket_label = mac_biba_destroy_label,

20
sys/security/mac_lomac/mac_lomac.c
View File

@ -949,15 +949,13 @@ mac_lomac_create_devfs_symlink(struct ucred *cred, struct mount *mp,
static void
mac_lomac_create_mount(struct ucred *cred, struct mount *mp,
struct label *mntlabel, struct label *fslabel)
struct label *mntlabel)
{
struct mac_lomac *source, *dest;
source = SLOT(cred->cr_label);
dest = SLOT(mntlabel);
mac_lomac_copy_single(source, dest);
dest = SLOT(fslabel);
mac_lomac_copy_single(source, dest);
}
static void
@ -986,7 +984,7 @@ mac_lomac_update_devfsdirent(struct mount *mp,
}
static void
mac_lomac_associate_vnode_devfs(struct mount *mp, struct label *fslabel,
mac_lomac_associate_vnode_devfs(struct mount *mp, struct label *mntlabel,
struct devfs_dirent *de, struct label *delabel, struct vnode *vp,
struct label *vlabel)
{
@ -999,13 +997,13 @@ mac_lomac_associate_vnode_devfs(struct mount *mp, struct label *fslabel,
}
static int
mac_lomac_associate_vnode_extattr(struct mount *mp, struct label *fslabel,
mac_lomac_associate_vnode_extattr(struct mount *mp, struct label *mntlabel,
struct vnode *vp, struct label *vlabel)
{
struct mac_lomac temp, *source, *dest;
int buflen, error;
source = SLOT(fslabel);
source = SLOT(mntlabel);
dest = SLOT(vlabel);
buflen = sizeof(temp);
@ -1014,7 +1012,7 @@ mac_lomac_associate_vnode_extattr(struct mount *mp, struct label *fslabel,
error = vn_extattr_get(vp, IO_NODELOCKED, MAC_LOMAC_EXTATTR_NAMESPACE,
MAC_LOMAC_EXTATTR_NAME, &buflen, (char *)&temp, curthread);
if (error == ENOATTR || error == EOPNOTSUPP) {
/* Fall back to the fslabel. */
/* Fall back to the mntlabel. */
mac_lomac_copy_single(source, dest);
return (0);
} else if (error)
@ -1047,11 +1045,11 @@ mac_lomac_associate_vnode_extattr(struct mount *mp, struct label *fslabel,
static void
mac_lomac_associate_vnode_singlelabel(struct mount *mp,
struct label *fslabel, struct vnode *vp, struct label *vlabel)
struct label *mntlabel, struct vnode *vp, struct label *vlabel)
{
struct mac_lomac *source, *dest;
source = SLOT(fslabel);
source = SLOT(mntlabel);
dest = SLOT(vlabel);
mac_lomac_copy_single(source, dest);
@ -1059,7 +1057,7 @@ mac_lomac_associate_vnode_singlelabel(struct mount *mp,
static int
mac_lomac_create_vnode_extattr(struct ucred *cred, struct mount *mp,
struct label *fslabel, struct vnode *dvp, struct label *dlabel,
struct label *mntlabel, struct vnode *dvp, struct label *dlabel,
struct vnode *vp, struct label *vlabel, struct componentname *cnp)
{
struct mac_lomac *source, *dest, *dir, temp;
@ -2833,7 +2831,6 @@ static struct mac_policy_ops mac_lomac_ops =
.mpo_init_ipq_label = mac_lomac_init_label_waitcheck,
.mpo_init_mbuf_label = mac_lomac_init_label_waitcheck,
.mpo_init_mount_label = mac_lomac_init_label,
.mpo_init_mount_fs_label = mac_lomac_init_label,
.mpo_init_pipe_label = mac_lomac_init_label,
.mpo_init_proc_label = mac_lomac_init_proc_label,
.mpo_init_socket_label = mac_lomac_init_label_waitcheck,
@ -2848,7 +2845,6 @@ static struct mac_policy_ops mac_lomac_ops =
.mpo_destroy_ipq_label = mac_lomac_destroy_label,
.mpo_destroy_mbuf_label = mac_lomac_destroy_label,
.mpo_destroy_mount_label = mac_lomac_destroy_label,
.mpo_destroy_mount_fs_label = mac_lomac_destroy_label,
.mpo_destroy_pipe_label = mac_lomac_destroy_label,
.mpo_destroy_proc_label = mac_lomac_destroy_proc_label,
.mpo_destroy_syncache_label = mac_lomac_destroy_label,

20
sys/security/mac_mls/mac_mls.c
View File

@ -793,15 +793,13 @@ mac_mls_create_devfs_symlink(struct ucred *cred, struct mount *mp,
static void
mac_mls_create_mount(struct ucred *cred, struct mount *mp,
struct label *mntlabel, struct label *fslabel)
struct label *mntlabel)
{
struct mac_mls *source, *dest;
source = SLOT(cred->cr_label);
dest = SLOT(mntlabel);
mac_mls_copy_effective(source, dest);
dest = SLOT(fslabel);
mac_mls_copy_effective(source, dest);
}
static void
@ -830,7 +828,7 @@ mac_mls_update_devfsdirent(struct mount *mp,
}
static void
mac_mls_associate_vnode_devfs(struct mount *mp, struct label *fslabel,
mac_mls_associate_vnode_devfs(struct mount *mp, struct label *mntlabel,
struct devfs_dirent *de, struct label *delabel, struct vnode *vp,
struct label *vlabel)
{
@ -843,13 +841,13 @@ mac_mls_associate_vnode_devfs(struct mount *mp, struct label *fslabel,
}
static int
mac_mls_associate_vnode_extattr(struct mount *mp, struct label *fslabel,
mac_mls_associate_vnode_extattr(struct mount *mp, struct label *mntlabel,
struct vnode *vp, struct label *vlabel)
{
struct mac_mls temp, *source, *dest;
int buflen, error;
source = SLOT(fslabel);
source = SLOT(mntlabel);
dest = SLOT(vlabel);
buflen = sizeof(temp);
@ -858,7 +856,7 @@ mac_mls_associate_vnode_extattr(struct mount *mp, struct label *fslabel,
error = vn_extattr_get(vp, IO_NODELOCKED, MAC_MLS_EXTATTR_NAMESPACE,
MAC_MLS_EXTATTR_NAME, &buflen, (char *) &temp, curthread);
if (error == ENOATTR || error == EOPNOTSUPP) {
/* Fall back to the fslabel. */
/* Fall back to the mntlabel. */
mac_mls_copy_effective(source, dest);
return (0);
} else if (error)
@ -884,11 +882,11 @@ mac_mls_associate_vnode_extattr(struct mount *mp, struct label *fslabel,
static void
mac_mls_associate_vnode_singlelabel(struct mount *mp,
struct label *fslabel, struct vnode *vp, struct label *vlabel)
struct label *mntlabel, struct vnode *vp, struct label *vlabel)
{
struct mac_mls *source, *dest;
source = SLOT(fslabel);
source = SLOT(mntlabel);
dest = SLOT(vlabel);
mac_mls_copy_effective(source, dest);
@ -896,7 +894,7 @@ mac_mls_associate_vnode_singlelabel(struct mount *mp,
static int
mac_mls_create_vnode_extattr(struct ucred *cred, struct mount *mp,
struct label *fslabel, struct vnode *dvp, struct label *dlabel,
struct label *mntlabel, struct vnode *dvp, struct label *dlabel,
struct vnode *vp, struct label *vlabel, struct componentname *cnp)
{
struct mac_mls *source, *dest, temp;
@ -2882,7 +2880,6 @@ static struct mac_policy_ops mac_mls_ops =
.mpo_init_ipq_label = mac_mls_init_label_waitcheck,
.mpo_init_mbuf_label = mac_mls_init_label_waitcheck,
.mpo_init_mount_label = mac_mls_init_label,
.mpo_init_mount_fs_label = mac_mls_init_label,
.mpo_init_pipe_label = mac_mls_init_label,
.mpo_init_posix_sem_label = mac_mls_init_label,
.mpo_init_socket_label = mac_mls_init_label_waitcheck,
@ -2901,7 +2898,6 @@ static struct mac_policy_ops mac_mls_ops =
.mpo_destroy_ipq_label = mac_mls_destroy_label,
.mpo_destroy_mbuf_label = mac_mls_destroy_label,
.mpo_destroy_mount_label = mac_mls_destroy_label,
.mpo_destroy_mount_fs_label = mac_mls_destroy_label,
.mpo_destroy_pipe_label = mac_mls_destroy_label,
.mpo_destroy_posix_sem_label = mac_mls_destroy_label,
.mpo_destroy_socket_label = mac_mls_destroy_label,

12
sys/security/mac_stub/mac_stub.c
View File

@ -163,7 +163,7 @@ stub_internalize_label(struct label *label, char *element_name,
* a lot like file system objects.
*/
static void
stub_associate_vnode_devfs(struct mount *mp, struct label *fslabel,
stub_associate_vnode_devfs(struct mount *mp, struct label *mntlabel,
struct devfs_dirent *de, struct label *delabel, struct vnode *vp,
struct label *vlabel)
{
@ -171,7 +171,7 @@ stub_associate_vnode_devfs(struct mount *mp, struct label *fslabel,
}
static int
stub_associate_vnode_extattr(struct mount *mp, struct label *fslabel,
stub_associate_vnode_extattr(struct mount *mp, struct label *mntlabel,
struct vnode *vp, struct label *vlabel)
{
@ -180,7 +180,7 @@ stub_associate_vnode_extattr(struct mount *mp, struct label *fslabel,
static void
stub_associate_vnode_singlelabel(struct mount *mp,
struct label *fslabel, struct vnode *vp, struct label *vlabel)
struct label *mntlabel, struct vnode *vp, struct label *vlabel)
{
}
@ -215,7 +215,7 @@ stub_create_devfs_symlink(struct ucred *cred, struct mount *mp,
static int
stub_create_vnode_extattr(struct ucred *cred, struct mount *mp,
struct label *fslabel, struct vnode *dvp, struct label *dlabel,
struct label *mntlabel, struct vnode *dvp, struct label *dlabel,
struct vnode *vp, struct label *vlabel, struct componentname *cnp)
{
@ -224,7 +224,7 @@ stub_create_vnode_extattr(struct ucred *cred, struct mount *mp,
static void
stub_create_mount(struct ucred *cred, struct mount *mp,
struct label *mntlabel, struct label *fslabel)
struct label *mntlabel)
{
}
@ -1447,7 +1447,6 @@ static struct mac_policy_ops mac_stub_ops =
.mpo_init_ipq_label = stub_init_label_waitcheck,
.mpo_init_mbuf_label = stub_init_label_waitcheck,
.mpo_init_mount_label = stub_init_label,
.mpo_init_mount_fs_label = stub_init_label,
.mpo_init_pipe_label = stub_init_label,
.mpo_init_posix_sem_label = stub_init_label,
.mpo_init_socket_label = stub_init_label_waitcheck,
@ -1465,7 +1464,6 @@ static struct mac_policy_ops mac_stub_ops =
.mpo_destroy_ipq_label = stub_destroy_label,
.mpo_destroy_mbuf_label = stub_destroy_label,
.mpo_destroy_mount_label = stub_destroy_label,
.mpo_destroy_mount_fs_label = stub_destroy_label,
.mpo_destroy_pipe_label = stub_destroy_label,
.mpo_destroy_posix_sem_label = stub_destroy_label,
.mpo_destroy_socket_label = stub_destroy_label,

39
sys/security/mac_test/mac_test.c
View File

@ -268,15 +268,6 @@ mac_test_init_mount_label(struct label *label)
COUNTER_INC(init_mount_label);
}
COUNTER_DECL(init_mount_fs_label);
static void
mac_test_init_mount_fs_label(struct label *label)
{
LABEL_INIT(label, MAGIC_MOUNT);
COUNTER_INC(init_mount_fs_label);
}
COUNTER_DECL(init_socket_label);
static int
mac_test_init_socket_label(struct label *label, int flag)
@ -459,15 +450,6 @@ mac_test_destroy_mount_label(struct label *label)
COUNTER_INC(destroy_mount_label);
}
COUNTER_DECL(destroy_mount_fs_label);
static void
mac_test_destroy_mount_fs_label(struct label *label)
{
LABEL_DESTROY(label, MAGIC_MOUNT);
COUNTER_INC(destroy_mount_fs_label);
}
COUNTER_DECL(destroy_socket_label);
static void
mac_test_destroy_socket_label(struct label *label)
@ -612,12 +594,12 @@ mac_test_internalize_label(struct label *label, char *element_name,
*/
COUNTER_DECL(associate_vnode_devfs);
static void
mac_test_associate_vnode_devfs(struct mount *mp, struct label *fslabel,
mac_test_associate_vnode_devfs(struct mount *mp, struct label *mntlabel,
struct devfs_dirent *de, struct label *delabel, struct vnode *vp,
struct label *vlabel)
{
LABEL_CHECK(fslabel, MAGIC_MOUNT);
LABEL_CHECK(mntlabel, MAGIC_MOUNT);
LABEL_CHECK(delabel, MAGIC_DEVFS);
LABEL_CHECK(vlabel, MAGIC_VNODE);
COUNTER_INC(associate_vnode_devfs);
@ -625,11 +607,11 @@ mac_test_associate_vnode_devfs(struct mount *mp, struct label *fslabel,
COUNTER_DECL(associate_vnode_extattr);
static int
mac_test_associate_vnode_extattr(struct mount *mp, struct label *fslabel,
mac_test_associate_vnode_extattr(struct mount *mp, struct label *mntlabel,
struct vnode *vp, struct label *vlabel)
{
LABEL_CHECK(fslabel, MAGIC_MOUNT);
LABEL_CHECK(mntlabel, MAGIC_MOUNT);
LABEL_CHECK(vlabel, MAGIC_VNODE);
COUNTER_INC(associate_vnode_extattr);
@ -639,10 +621,10 @@ mac_test_associate_vnode_extattr(struct mount *mp, struct label *fslabel,
COUNTER_DECL(associate_vnode_singlelabel);
static void
mac_test_associate_vnode_singlelabel(struct mount *mp,
struct label *fslabel, struct vnode *vp, struct label *vlabel)
struct label *mntlabel, struct vnode *vp, struct label *vlabel)
{
LABEL_CHECK(fslabel, MAGIC_MOUNT);
LABEL_CHECK(mntlabel, MAGIC_MOUNT);
LABEL_CHECK(vlabel, MAGIC_VNODE);
COUNTER_INC(associate_vnode_singlelabel);
}
@ -685,12 +667,12 @@ mac_test_create_devfs_symlink(struct ucred *cred, struct mount *mp,
COUNTER_DECL(create_vnode_extattr);
static int
mac_test_create_vnode_extattr(struct ucred *cred, struct mount *mp,
struct label *fslabel, struct vnode *dvp, struct label *dlabel,
struct label *mntlabel, struct vnode *dvp, struct label *dlabel,
struct vnode *vp, struct label *vlabel, struct componentname *cnp)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(fslabel, MAGIC_MOUNT);
LABEL_CHECK(mntlabel, MAGIC_MOUNT);
LABEL_CHECK(dlabel, MAGIC_VNODE);
COUNTER_INC(create_vnode_extattr);
@ -700,12 +682,11 @@ mac_test_create_vnode_extattr(struct ucred *cred, struct mount *mp,
COUNTER_DECL(create_mount);
static void
mac_test_create_mount(struct ucred *cred, struct mount *mp,
struct label *mntlabel, struct label *fslabel)
struct label *mntlabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(mntlabel, MAGIC_MOUNT);
LABEL_CHECK(fslabel, MAGIC_MOUNT);
COUNTER_INC(create_mount);
}
@ -2490,7 +2471,6 @@ static struct mac_policy_ops mac_test_ops =
.mpo_init_ipq_label = mac_test_init_ipq_label,
.mpo_init_mbuf_label = mac_test_init_mbuf_label,
.mpo_init_mount_label = mac_test_init_mount_label,
.mpo_init_mount_fs_label = mac_test_init_mount_fs_label,
.mpo_init_pipe_label = mac_test_init_pipe_label,
.mpo_init_posix_sem_label = mac_test_init_posix_sem_label,
.mpo_init_proc_label = mac_test_init_proc_label,
@ -2510,7 +2490,6 @@ static struct mac_policy_ops mac_test_ops =
.mpo_destroy_ipq_label = mac_test_destroy_ipq_label,
.mpo_destroy_mbuf_label = mac_test_destroy_mbuf_label,
.mpo_destroy_mount_label = mac_test_destroy_mount_label,
.mpo_destroy_mount_fs_label = mac_test_destroy_mount_fs_label,
.mpo_destroy_pipe_label = mac_test_destroy_pipe_label,
.mpo_destroy_posix_sem_label = mac_test_destroy_posix_sem_label,
.mpo_destroy_proc_label = mac_test_destroy_proc_label,

3
sys/sys/mount.h
View File

@ -168,8 +168,7 @@ struct mount {
time_t mnt_time; /* last time written*/
int mnt_iosize_max; /* max size for clusters, etc */
struct netexport *mnt_export; /* export list */
struct label *mnt_mntlabel; /* MAC label for the mount */
struct label *mnt_fslabel; /* MAC label for the fs */
struct label *mnt_label; /* MAC label for the fs */
u_int mnt_hashseed; /* Random seed for vfs_hash */
int mnt_markercnt; /* marker vnodes in use */
int mnt_holdcnt; /* hold count */