Modify the MAC Framework so that instead of embedding a (struct label)

in various kernel objects to represent security data, we embed a
(struct label *) pointer, which now references labels allocated using
a UMA zone (mac_label.c).  This allows the size and shape of struct
label to be varied without changing the size and shape of these kernel
objects, which become part of the frozen ABI with 5-STABLE.  This opens
the door for boot-time selection of the number of label slots, and hence
changes to the bound on the number of simultaneous labeled policies
at boot-time instead of compile-time.  This also makes it easier to
embed label references in new objects as required for locking/caching
with fine-grained network stack locking, such as inpcb structures.

This change also moves us further in the direction of hiding the
structure of kernel objects from MAC policy modules, not to mention
dramatically reducing the number of '&' symbols appearing in both the
MAC Framework and MAC policy modules, and improving readability.

While this results in minimal performance change with MAC enabled, it
will observably shrink the size of a number of critical kernel data
structures (e.g., struct vnode, struct socket) for the !MAC case, and
should have a small (but measurable) performance benefit due to memory
conservation and the reduced cost of zeroing memory.

NOTE: Users of MAC must recompile their kernel and all MAC modules as a
result of this change.  Because this is an API change, third party
MAC modules will also need to be updated to make less use of the '&'
symbol.

Suggestions from:	bmilekic
Obtained from:		TrustedBSD Project
Sponsored by:		DARPA, Network Associates Laboratories
Robert Watson 2003-11-12 03:14:31 +00:00
parent 5c957adbf1
commit eca8a663d4
29 changed files with 953 additions and 748 deletions


@ -1618,6 +1618,7 @@ posix4/ksched.c optional _kposix_priority_scheduling
posix4/p1003_1b.c standard
posix4/posix4_mib.c standard
kern/uipc_sem.c optional p1003_1b_semaphores
security/mac/mac_label.c optional mac
security/mac/mac_net.c optional mac
security/mac/mac_pipe.c optional mac
security/mac/mac_process.c optional mac


@ -159,7 +159,7 @@ struct devfs_dirent {
mode_t de_mode;
uid_t de_uid;
gid_t de_gid;
struct label de_label;
struct label *de_label;
struct timespec de_atime;
struct timespec de_mtime;
struct timespec de_ctime;


@ -167,9 +167,8 @@ kern_execve(td, fname, argv, envv, mac_p)
int credential_changing;
int textset;
#ifdef MAC
struct label interplabel; /* label of the interpreted vnode */
struct label execlabel; /* optional label argument */
int will_transition, interplabelvalid = 0;
struct label *interplabel = NULL;
int will_transition;
#endif
imgp = &image_params;
@ -222,7 +221,7 @@ kern_execve(td, fname, argv, envv, mac_p)
imgp->auxarg_size = 0;
#ifdef MAC
error = mac_execve_enter(imgp, mac_p, &execlabel);
error = mac_execve_enter(imgp, mac_p);
if (error) {
mtx_lock(&Giant);
goto exec_fail;
@ -336,9 +335,8 @@ interpret:
/* free name buffer and old vnode */
NDFREE(ndp, NDF_ONLY_PNBUF);
#ifdef MAC
mac_init_vnode_label(&interplabel);
mac_copy_vnode_label(&ndp->ni_vp->v_label, &interplabel);
interplabelvalid = 1;
interplabel = mac_vnode_label_alloc();
mac_copy_vnode_label(ndp->ni_vp->v_label, interplabel);
#endif
vput(ndp->ni_vp);
vm_object_deallocate(imgp->object);
@ -452,7 +450,7 @@ interpret:
attr.va_gid;
#ifdef MAC
will_transition = mac_execve_will_transition(oldcred, imgp->vp,
interplabelvalid ? &interplabel : NULL, imgp);
interplabel, imgp);
credential_changing |= will_transition;
#endif
@ -502,7 +500,7 @@ interpret:
#ifdef MAC
if (will_transition) {
mac_execve_transition(oldcred, newcred, imgp->vp,
interplabelvalid ? &interplabel : NULL, imgp);
interplabel, imgp);
}
#endif
/*
@ -654,8 +652,8 @@ exec_fail:
/* sorry, no more process anymore. exit gracefully */
#ifdef MAC
mac_execve_exit(imgp);
if (interplabelvalid)
mac_destroy_vnode_label(&interplabel);
if (interplabel != NULL)
mac_vnode_label_free(interplabel);
#endif
exit1(td, W_EXITCODE(0, SIGABRT));
/* NOT REACHED */
@ -664,8 +662,8 @@ exec_fail:
done2:
#ifdef MAC
mac_execve_exit(imgp);
if (interplabelvalid)
mac_destroy_vnode_label(&interplabel);
if (interplabel != NULL)
mac_vnode_label_free(interplabel);
#endif
mtx_unlock(&Giant);
return (error);
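Review bot: The `interplabel = mac_vnode_label_alloc();` at the head of the `interpret:` path has no guard against the label already having been allocated, so if that path were ever taken twice for one exec the first allocation would leak silently; a `KASSERT(interplabel == NULL, ("kern_execve: interplabel already allocated"));` immediately before the call makes the single-pass assumption explicit and cheap to enforce. Whether an image activator can actually request a second interpretation (the shell activator's `imgp->interpreted` check, if it is still in place) is not visible from these hunks. Both cleanup paths, `exec_fail` and `done2`, free the label on the `!= NULL` test, so ownership is otherwise consistent. kern_execve begins and ends outside the hunks shown.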


@ -256,6 +256,7 @@ mac_init(void)
LIST_INIT(&mac_static_policy_list);
LIST_INIT(&mac_policy_list);
mac_labelzone_init();
mtx_init(&mac_policy_mtx, "mac_policy_mtx", NULL, MTX_DEF);
cv_init(&mac_policy_cv, "mac_policy_cv");
@ -565,7 +566,7 @@ __mac_get_pid(struct thread *td, struct __mac_get_pid_args *uap)
}
buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
error = mac_externalize_cred_label(&tcred->cr_label, elements,
error = mac_externalize_cred_label(tcred->cr_label, elements,
buffer, mac.m_buflen);
if (error == 0)
error = copyout(buffer, mac.m_string, strlen(buffer)+1);
@ -602,7 +603,7 @@ __mac_get_proc(struct thread *td, struct __mac_get_proc_args *uap)
}
buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
error = mac_externalize_cred_label(&td->td_ucred->cr_label,
error = mac_externalize_cred_label(td->td_ucred->cr_label,
elements, buffer, mac.m_buflen);
if (error == 0)
error = copyout(buffer, mac.m_string, strlen(buffer)+1);
@ -619,7 +620,7 @@ int
__mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
{
struct ucred *newcred, *oldcred;
struct label intlabel;
struct label *intlabel;
struct proc *p;
struct mac mac;
char *buffer;
@ -640,13 +641,11 @@ __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
return (error);
}
mac_init_cred_label(&intlabel);
error = mac_internalize_cred_label(&intlabel, buffer);
intlabel = mac_cred_label_alloc();
error = mac_internalize_cred_label(intlabel, buffer);
free(buffer, M_MACTEMP);
if (error) {
mac_destroy_cred_label(&intlabel);
return (error);
}
if (error)
goto out;
newcred = crget();
@ -654,7 +653,7 @@ __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
PROC_LOCK(p);
oldcred = p->p_ucred;
error = mac_check_cred_relabel(oldcred, &intlabel);
error = mac_check_cred_relabel(oldcred, intlabel);
if (error) {
PROC_UNLOCK(p);
crfree(newcred);
@ -663,7 +662,7 @@ __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
setsugid(p);
crcopy(newcred, oldcred);
mac_relabel_cred(newcred, &intlabel);
mac_relabel_cred(newcred, intlabel);
p->p_ucred = newcred;
/*
@ -683,7 +682,7 @@ __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
crfree(oldcred);
out:
mac_destroy_cred_label(&intlabel);
mac_cred_label_free(intlabel);
return (error);
}
@ -694,7 +693,7 @@ int
__mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap)
{
char *elements, *buffer;
struct label intlabel;
struct label *intlabel;
struct file *fp;
struct mac mac;
struct vnode *vp;
@ -729,20 +728,20 @@ __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap)
case DTYPE_VNODE:
vp = fp->f_vnode;
mac_init_vnode_label(&intlabel);
intlabel = mac_vnode_label_alloc();
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
mac_copy_vnode_label(&vp->v_label, &intlabel);
mac_copy_vnode_label(vp->v_label, intlabel);
VOP_UNLOCK(vp, 0, td);
break;
case DTYPE_PIPE:
pipe = fp->f_data;
mac_init_pipe_label(&intlabel);
intlabel = mac_pipe_label_alloc();
PIPE_LOCK(pipe);
mac_copy_pipe_label(pipe->pipe_label, &intlabel);
mac_copy_pipe_label(pipe->pipe_label, intlabel);
PIPE_UNLOCK(pipe);
break;
default:
@ -756,14 +755,14 @@ __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap)
case DTYPE_FIFO:
case DTYPE_VNODE:
if (error == 0)
error = mac_externalize_vnode_label(&intlabel,
error = mac_externalize_vnode_label(intlabel,
elements, buffer, mac.m_buflen);
mac_destroy_vnode_label(&intlabel);
mac_vnode_label_free(intlabel);
break;
case DTYPE_PIPE:
error = mac_externalize_pipe_label(&intlabel, elements,
error = mac_externalize_pipe_label(intlabel, elements,
buffer, mac.m_buflen);
mac_destroy_pipe_label(&intlabel);
mac_pipe_label_free(intlabel);
break;
default:
panic("__mac_get_fd: corrupted label_type");
@ -788,7 +787,7 @@ __mac_get_file(struct thread *td, struct __mac_get_file_args *uap)
{
char *elements, *buffer;
struct nameidata nd;
struct label intlabel;
struct label *intlabel;
struct mac mac;
int error;
@ -815,13 +814,13 @@ __mac_get_file(struct thread *td, struct __mac_get_file_args *uap)
if (error)
goto out;
mac_init_vnode_label(&intlabel);
mac_copy_vnode_label(&nd.ni_vp->v_label, &intlabel);
error = mac_externalize_vnode_label(&intlabel, elements, buffer,
intlabel = mac_vnode_label_alloc();
mac_copy_vnode_label(nd.ni_vp->v_label, intlabel);
error = mac_externalize_vnode_label(intlabel, elements, buffer,
mac.m_buflen);
NDFREE(&nd, 0);
mac_destroy_vnode_label(&intlabel);
mac_vnode_label_free(intlabel);
if (error == 0)
error = copyout(buffer, mac.m_string, strlen(buffer)+1);
@ -843,7 +842,7 @@ __mac_get_link(struct thread *td, struct __mac_get_link_args *uap)
{
char *elements, *buffer;
struct nameidata nd;
struct label intlabel;
struct label *intlabel;
struct mac mac;
int error;
@ -870,12 +869,12 @@ __mac_get_link(struct thread *td, struct __mac_get_link_args *uap)
if (error)
goto out;
mac_init_vnode_label(&intlabel);
mac_copy_vnode_label(&nd.ni_vp->v_label, &intlabel);
error = mac_externalize_vnode_label(&intlabel, elements, buffer,
intlabel = mac_vnode_label_alloc();
mac_copy_vnode_label(nd.ni_vp->v_label, intlabel);
error = mac_externalize_vnode_label(intlabel, elements, buffer,
mac.m_buflen);
NDFREE(&nd, 0);
mac_destroy_vnode_label(&intlabel);
mac_vnode_label_free(intlabel);
if (error == 0)
error = copyout(buffer, mac.m_string, strlen(buffer)+1);
@ -895,7 +894,7 @@ out:
int
__mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap)
{
struct label intlabel;
struct label *intlabel;
struct pipe *pipe;
struct file *fp;
struct mount *mp;
@ -928,40 +927,40 @@ __mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap)
switch (fp->f_type) {
case DTYPE_FIFO:
case DTYPE_VNODE:
mac_init_vnode_label(&intlabel);
error = mac_internalize_vnode_label(&intlabel, buffer);
intlabel = mac_vnode_label_alloc();
error = mac_internalize_vnode_label(intlabel, buffer);
if (error) {
mac_destroy_vnode_label(&intlabel);
mac_vnode_label_free(intlabel);
break;
}
vp = fp->f_vnode;
error = vn_start_write(vp, &mp, V_WAIT | PCATCH);
if (error != 0) {
mac_destroy_vnode_label(&intlabel);
mac_vnode_label_free(intlabel);
break;
}
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
error = vn_setlabel(vp, &intlabel, td->td_ucred);
error = vn_setlabel(vp, intlabel, td->td_ucred);
VOP_UNLOCK(vp, 0, td);
vn_finished_write(mp);
mac_destroy_vnode_label(&intlabel);
mac_vnode_label_free(intlabel);
break;
case DTYPE_PIPE:
mac_init_pipe_label(&intlabel);
error = mac_internalize_pipe_label(&intlabel, buffer);
intlabel = mac_pipe_label_alloc();
error = mac_internalize_pipe_label(intlabel, buffer);
if (error == 0) {
pipe = fp->f_data;
PIPE_LOCK(pipe);
error = mac_pipe_label_set(td->td_ucred, pipe,
&intlabel);
intlabel);
PIPE_UNLOCK(pipe);
}
mac_destroy_pipe_label(&intlabel);
mac_pipe_label_free(intlabel);
break;
default:
@ -983,7 +982,7 @@ out:
int
__mac_set_file(struct thread *td, struct __mac_set_file_args *uap)
{
struct label intlabel;
struct label *intlabel;
struct nameidata nd;
struct mount *mp;
struct mac mac;
@ -1005,13 +1004,11 @@ __mac_set_file(struct thread *td, struct __mac_set_file_args *uap)
return (error);
}
mac_init_vnode_label(&intlabel);
error = mac_internalize_vnode_label(&intlabel, buffer);
intlabel = mac_vnode_label_alloc();
error = mac_internalize_vnode_label(intlabel, buffer);
free(buffer, M_MACTEMP);
if (error) {
mac_destroy_vnode_label(&intlabel);
return (error);
}
if (error)
goto out;
mtx_lock(&Giant); /* VFS */
@ -1021,15 +1018,15 @@ __mac_set_file(struct thread *td, struct __mac_set_file_args *uap)
if (error == 0) {
error = vn_start_write(nd.ni_vp, &mp, V_WAIT | PCATCH);
if (error == 0)
error = vn_setlabel(nd.ni_vp, &intlabel,
error = vn_setlabel(nd.ni_vp, intlabel,
td->td_ucred);
vn_finished_write(mp);
}
NDFREE(&nd, 0);
mtx_unlock(&Giant); /* VFS */
mac_destroy_vnode_label(&intlabel);
out:
mac_vnode_label_free(intlabel);
return (error);
}
@ -1039,7 +1036,7 @@ __mac_set_file(struct thread *td, struct __mac_set_file_args *uap)
int
__mac_set_link(struct thread *td, struct __mac_set_link_args *uap)
{
struct label intlabel;
struct label *intlabel;
struct nameidata nd;
struct mount *mp;
struct mac mac;
@ -1061,13 +1058,11 @@ __mac_set_link(struct thread *td, struct __mac_set_link_args *uap)
return (error);
}
mac_init_vnode_label(&intlabel);
error = mac_internalize_vnode_label(&intlabel, buffer);
intlabel = mac_vnode_label_alloc();
error = mac_internalize_vnode_label(intlabel, buffer);
free(buffer, M_MACTEMP);
if (error) {
mac_destroy_vnode_label(&intlabel);
return (error);
}
if (error)
goto out;
mtx_lock(&Giant); /* VFS */
@ -1077,15 +1072,15 @@ __mac_set_link(struct thread *td, struct __mac_set_link_args *uap)
if (error == 0) {
error = vn_start_write(nd.ni_vp, &mp, V_WAIT | PCATCH);
if (error == 0)
error = vn_setlabel(nd.ni_vp, &intlabel,
error = vn_setlabel(nd.ni_vp, intlabel,
td->td_ucred);
vn_finished_write(mp);
}
NDFREE(&nd, 0);
mtx_unlock(&Giant); /* VFS */
mac_destroy_vnode_label(&intlabel);
out:
mac_vnode_label_free(intlabel);
return (error);
}
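Review bot: In `__mac_set_file` and `__mac_set_link` the new `out:` label sits after `NDFREE(&nd, 0)` and `mtx_unlock(&Giant)`, so the early `goto out` after a failed `mac_internalize_vnode_label()` is correct only because it happens before `mtx_lock(&Giant)` and before `nd` is initialized; a later error exit added inside the Giant-held region that reuses the label would leak the lock and skip `NDFREE`. A one-line comment at the label, `out:	/* only reachable with Giant not held and nd not initialized */`, pins that invariant down for the next person who adds a check between the lock and unlock. The namei setup for both functions lies between the hunks and is not shown.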


@ -43,7 +43,6 @@
#ifndef _NET_BPFDESC_H_
#define _NET_BPFDESC_H_
#include <sys/_label.h>
#include <sys/callout.h>
#include <sys/selinfo.h>
@ -93,7 +92,7 @@ struct bpf_d {
#endif
struct mtx bd_mtx; /* mutex for this descriptor */
struct callout bd_callout; /* for BPF timeouts with select */
struct label bd_label; /* MAC label for descriptor */
struct label *bd_label; /* MAC label for descriptor */
};
/* Values for bd_state */
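Review bot: With `#include <sys/_label.h>` gone, `struct label *bd_label;` relies on C declaring the `label` tag implicitly at its first use inside `struct bpf_d`; that compiles when the header is included at file scope, but the dependency is invisible and the tag would be block-scoped if the header were ever included inside one. A forward declaration near the top of the header, `struct label;`, makes the opaque-pointer contract explicit, which is the usual treatment for such members in these headers. The definition of struct bpf_d starts above the hunk.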


@ -74,7 +74,6 @@ struct socket;
struct ether_header;
#endif
#include <sys/_label.h> /* struct label */
#include <sys/queue.h> /* get TAILQ macros */
#ifdef _KERNEL
@ -180,7 +179,7 @@ struct ifnet {
struct ifqueue *if_poll_slowq; /* input queue for slow devices */
struct ifprefixhead if_prefixhead; /* list of prefixes per if */
u_int8_t *if_broadcastaddr; /* linklevel broadcast bytestring */
struct label if_label; /* interface MAC label */
struct label *if_label; /* interface MAC label */
void *if_afdata[AF_MAX];
int if_afdata_initialized;
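Review bot: The forward-declaration block (`struct socket;`, `struct ether_header;`) closed by the `#endif` just above the removed `#include <sys/_label.h>` is where `struct label;` belongs now that `if_label` is an opaque pointer; without it the tag is declared implicitly at its first use inside `struct ifnet`, which works at file scope but hides the dependency from readers and from anyone who later reorders includes. One added line, `struct label;`, in that block is enough. The body of struct ifnet continues outside the hunk.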


@ -39,10 +39,6 @@
#include <sys/queue.h>
#ifdef _KERNEL
#include <sys/_label.h>
#endif
/*
* Overlay for ip header used by other protocols (tcp, udp).
*/
@ -71,7 +67,7 @@ struct ipq {
u_char ipq_nfrags; /* # frags in this packet */
u_int32_t ipq_div_info; /* ipfw divert port & flags */
u_int16_t ipq_div_cookie; /* ipfw divert cookie */
struct label ipq_label; /* MAC label */
struct label *ipq_label; /* MAC label */
};
#endif /* _KERNEL */
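Review bot: Dropping the `#ifdef _KERNEL` include of `<sys/_label.h>` leaves `struct label *ipq_label;` depending on the tag being declared implicitly inside `struct ipq`; a `struct label;` forward declaration under the remaining `#ifdef _KERNEL` that guards struct ipq would make the dependency explicit. This compiles as written at file scope, so it is a readability point rather than a defect. The start of struct ipq is above the hunk.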


@ -256,6 +256,7 @@ mac_init(void)
LIST_INIT(&mac_static_policy_list);
LIST_INIT(&mac_policy_list);
mac_labelzone_init();
mtx_init(&mac_policy_mtx, "mac_policy_mtx", NULL, MTX_DEF);
cv_init(&mac_policy_cv, "mac_policy_cv");
@ -565,7 +566,7 @@ __mac_get_pid(struct thread *td, struct __mac_get_pid_args *uap)
}
buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
error = mac_externalize_cred_label(&tcred->cr_label, elements,
error = mac_externalize_cred_label(tcred->cr_label, elements,
buffer, mac.m_buflen);
if (error == 0)
error = copyout(buffer, mac.m_string, strlen(buffer)+1);
@ -602,7 +603,7 @@ __mac_get_proc(struct thread *td, struct __mac_get_proc_args *uap)
}
buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
error = mac_externalize_cred_label(&td->td_ucred->cr_label,
error = mac_externalize_cred_label(td->td_ucred->cr_label,
elements, buffer, mac.m_buflen);
if (error == 0)
error = copyout(buffer, mac.m_string, strlen(buffer)+1);
@ -619,7 +620,7 @@ int
__mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
{
struct ucred *newcred, *oldcred;
struct label intlabel;
struct label *intlabel;
struct proc *p;
struct mac mac;
char *buffer;
@ -640,13 +641,11 @@ __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
return (error);
}
mac_init_cred_label(&intlabel);
error = mac_internalize_cred_label(&intlabel, buffer);
intlabel = mac_cred_label_alloc();
error = mac_internalize_cred_label(intlabel, buffer);
free(buffer, M_MACTEMP);
if (error) {
mac_destroy_cred_label(&intlabel);
return (error);
}
if (error)
goto out;
newcred = crget();
@ -654,7 +653,7 @@ __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
PROC_LOCK(p);
oldcred = p->p_ucred;
error = mac_check_cred_relabel(oldcred, &intlabel);
error = mac_check_cred_relabel(oldcred, intlabel);
if (error) {
PROC_UNLOCK(p);
crfree(newcred);
@ -663,7 +662,7 @@ __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
setsugid(p);
crcopy(newcred, oldcred);
mac_relabel_cred(newcred, &intlabel);
mac_relabel_cred(newcred, intlabel);
p->p_ucred = newcred;
/*
@ -683,7 +682,7 @@ __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
crfree(oldcred);
out:
mac_destroy_cred_label(&intlabel);
mac_cred_label_free(intlabel);
return (error);
}
@ -694,7 +693,7 @@ int
__mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap)
{
char *elements, *buffer;
struct label intlabel;
struct label *intlabel;
struct file *fp;
struct mac mac;
struct vnode *vp;
@ -729,20 +728,20 @@ __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap)
case DTYPE_VNODE:
vp = fp->f_vnode;
mac_init_vnode_label(&intlabel);
intlabel = mac_vnode_label_alloc();
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
mac_copy_vnode_label(&vp->v_label, &intlabel);
mac_copy_vnode_label(vp->v_label, intlabel);
VOP_UNLOCK(vp, 0, td);
break;
case DTYPE_PIPE:
pipe = fp->f_data;
mac_init_pipe_label(&intlabel);
intlabel = mac_pipe_label_alloc();
PIPE_LOCK(pipe);
mac_copy_pipe_label(pipe->pipe_label, &intlabel);
mac_copy_pipe_label(pipe->pipe_label, intlabel);
PIPE_UNLOCK(pipe);
break;
default:
@ -756,14 +755,14 @@ __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap)
case DTYPE_FIFO:
case DTYPE_VNODE:
if (error == 0)
error = mac_externalize_vnode_label(&intlabel,
error = mac_externalize_vnode_label(intlabel,
elements, buffer, mac.m_buflen);
mac_destroy_vnode_label(&intlabel);
mac_vnode_label_free(intlabel);
break;
case DTYPE_PIPE:
error = mac_externalize_pipe_label(&intlabel, elements,
error = mac_externalize_pipe_label(intlabel, elements,
buffer, mac.m_buflen);
mac_destroy_pipe_label(&intlabel);
mac_pipe_label_free(intlabel);
break;
default:
panic("__mac_get_fd: corrupted label_type");
@ -788,7 +787,7 @@ __mac_get_file(struct thread *td, struct __mac_get_file_args *uap)
{
char *elements, *buffer;
struct nameidata nd;
struct label intlabel;
struct label *intlabel;
struct mac mac;
int error;
@ -815,13 +814,13 @@ __mac_get_file(struct thread *td, struct __mac_get_file_args *uap)
if (error)
goto out;
mac_init_vnode_label(&intlabel);
mac_copy_vnode_label(&nd.ni_vp->v_label, &intlabel);
error = mac_externalize_vnode_label(&intlabel, elements, buffer,
intlabel = mac_vnode_label_alloc();
mac_copy_vnode_label(nd.ni_vp->v_label, intlabel);
error = mac_externalize_vnode_label(intlabel, elements, buffer,
mac.m_buflen);
NDFREE(&nd, 0);
mac_destroy_vnode_label(&intlabel);
mac_vnode_label_free(intlabel);
if (error == 0)
error = copyout(buffer, mac.m_string, strlen(buffer)+1);
@ -843,7 +842,7 @@ __mac_get_link(struct thread *td, struct __mac_get_link_args *uap)
{
char *elements, *buffer;
struct nameidata nd;
struct label intlabel;
struct label *intlabel;
struct mac mac;
int error;
@ -870,12 +869,12 @@ __mac_get_link(struct thread *td, struct __mac_get_link_args *uap)
if (error)
goto out;
mac_init_vnode_label(&intlabel);
mac_copy_vnode_label(&nd.ni_vp->v_label, &intlabel);
error = mac_externalize_vnode_label(&intlabel, elements, buffer,
intlabel = mac_vnode_label_alloc();
mac_copy_vnode_label(nd.ni_vp->v_label, intlabel);
error = mac_externalize_vnode_label(intlabel, elements, buffer,
mac.m_buflen);
NDFREE(&nd, 0);
mac_destroy_vnode_label(&intlabel);
mac_vnode_label_free(intlabel);
if (error == 0)
error = copyout(buffer, mac.m_string, strlen(buffer)+1);
@ -895,7 +894,7 @@ out:
int
__mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap)
{
struct label intlabel;
struct label *intlabel;
struct pipe *pipe;
struct file *fp;
struct mount *mp;
@ -928,40 +927,40 @@ __mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap)
switch (fp->f_type) {
case DTYPE_FIFO:
case DTYPE_VNODE:
mac_init_vnode_label(&intlabel);
error = mac_internalize_vnode_label(&intlabel, buffer);
intlabel = mac_vnode_label_alloc();
error = mac_internalize_vnode_label(intlabel, buffer);
if (error) {
mac_destroy_vnode_label(&intlabel);
mac_vnode_label_free(intlabel);
break;
}
vp = fp->f_vnode;
error = vn_start_write(vp, &mp, V_WAIT | PCATCH);
if (error != 0) {
mac_destroy_vnode_label(&intlabel);
mac_vnode_label_free(intlabel);
break;
}
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
error = vn_setlabel(vp, &intlabel, td->td_ucred);
error = vn_setlabel(vp, intlabel, td->td_ucred);
VOP_UNLOCK(vp, 0, td);
vn_finished_write(mp);
mac_destroy_vnode_label(&intlabel);
mac_vnode_label_free(intlabel);
break;
case DTYPE_PIPE:
mac_init_pipe_label(&intlabel);
error = mac_internalize_pipe_label(&intlabel, buffer);
intlabel = mac_pipe_label_alloc();
error = mac_internalize_pipe_label(intlabel, buffer);
if (error == 0) {
pipe = fp->f_data;
PIPE_LOCK(pipe);
error = mac_pipe_label_set(td->td_ucred, pipe,
&intlabel);
intlabel);
PIPE_UNLOCK(pipe);
}
mac_destroy_pipe_label(&intlabel);
mac_pipe_label_free(intlabel);
break;
default:
@ -983,7 +982,7 @@ out:
int
__mac_set_file(struct thread *td, struct __mac_set_file_args *uap)
{
struct label intlabel;
struct label *intlabel;
struct nameidata nd;
struct mount *mp;
struct mac mac;
@ -1005,13 +1004,11 @@ __mac_set_file(struct thread *td, struct __mac_set_file_args *uap)
return (error);
}
mac_init_vnode_label(&intlabel);
error = mac_internalize_vnode_label(&intlabel, buffer);
intlabel = mac_vnode_label_alloc();
error = mac_internalize_vnode_label(intlabel, buffer);
free(buffer, M_MACTEMP);
if (error) {
mac_destroy_vnode_label(&intlabel);
return (error);
}
if (error)
goto out;
mtx_lock(&Giant); /* VFS */
@ -1021,15 +1018,15 @@ __mac_set_file(struct thread *td, struct __mac_set_file_args *uap)
if (error == 0) {
error = vn_start_write(nd.ni_vp, &mp, V_WAIT | PCATCH);
if (error == 0)
error = vn_setlabel(nd.ni_vp, &intlabel,
error = vn_setlabel(nd.ni_vp, intlabel,
td->td_ucred);
vn_finished_write(mp);
}
NDFREE(&nd, 0);
mtx_unlock(&Giant); /* VFS */
mac_destroy_vnode_label(&intlabel);
out:
mac_vnode_label_free(intlabel);
return (error);
}
@ -1039,7 +1036,7 @@ __mac_set_file(struct thread *td, struct __mac_set_file_args *uap)
int
__mac_set_link(struct thread *td, struct __mac_set_link_args *uap)
{
struct label intlabel;
struct label *intlabel;
struct nameidata nd;
struct mount *mp;
struct mac mac;
@ -1061,13 +1058,11 @@ __mac_set_link(struct thread *td, struct __mac_set_link_args *uap)
return (error);
}
mac_init_vnode_label(&intlabel);
error = mac_internalize_vnode_label(&intlabel, buffer);
intlabel = mac_vnode_label_alloc();
error = mac_internalize_vnode_label(intlabel, buffer);
free(buffer, M_MACTEMP);
if (error) {
mac_destroy_vnode_label(&intlabel);
return (error);
}
if (error)
goto out;
mtx_lock(&Giant); /* VFS */
@ -1077,15 +1072,15 @@ __mac_set_link(struct thread *td, struct __mac_set_link_args *uap)
if (error == 0) {
error = vn_start_write(nd.ni_vp, &mp, V_WAIT | PCATCH);
if (error == 0)
error = vn_setlabel(nd.ni_vp, &intlabel,
error = vn_setlabel(nd.ni_vp, intlabel,
td->td_ucred);
vn_finished_write(mp);
}
NDFREE(&nd, 0);
mtx_unlock(&Giant); /* VFS */
mac_destroy_vnode_label(&intlabel);
out:
mac_vnode_label_free(intlabel);
return (error);
}
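Review bot: `mac_labelzone_init()` in `mac_init()` is now a hard prerequisite for every `*_label_alloc()` path, including the labels attached to credentials and interfaces created early in boot, yet nothing in the hunk records that ordering requirement; `mac_init()` presumably runs as a SYSINIT ahead of those consumers, but the constraint should be stated where the zone is created. A comment such as `/* The label zone must exist before the first label allocation (e.g. proc0's credential); mac_init() is SYSINIT-ordered ahead of those consumers -- keep it that way. */` above the call would do, with the SYSINIT claim confirmed against init_main.c. The body of mac_init starts above the hunk.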


@ -144,7 +144,6 @@ int mac_init_mbuf_tag(struct m_tag *, int flag);
void mac_init_mount(struct mount *);
void mac_init_proc(struct proc *);
void mac_init_vnode(struct vnode *);
void mac_init_vnode_label(struct label *);
void mac_copy_mbuf_tag(struct m_tag *, struct m_tag *);
void mac_copy_vnode_label(struct label *, struct label *label);
void mac_destroy_bpfdesc(struct bpf_d *);
@ -158,7 +157,12 @@ void mac_destroy_proc(struct proc *);
void mac_destroy_mbuf_tag(struct m_tag *);
void mac_destroy_mount(struct mount *);
void mac_destroy_vnode(struct vnode *);
void mac_destroy_vnode_label(struct label *);
struct label *mac_cred_label_alloc(void);
void mac_cred_label_free(struct label *label);
struct label *mac_vnode_label_alloc(void);
void mac_vnode_label_free(struct label *label);
void mac_destroy_vnode_label(struct label *);
/*
* Labeling event operations: file system objects, and things that
@ -220,8 +224,7 @@ void mac_update_ipq(struct mbuf *fragment, struct ipq *ipq);
* Labeling event operations: processes.
*/
void mac_create_cred(struct ucred *cred_parent, struct ucred *cred_child);
int mac_execve_enter(struct image_params *imgp, struct mac *mac_p,
struct label *execlabel);
int mac_execve_enter(struct image_params *imgp, struct mac *mac_p);
void mac_execve_exit(struct image_params *imgp);
void mac_execve_transition(struct ucred *old, struct ucred *new,
struct vnode *vp, struct label *interpvnodelabel,
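Review bot: The new allocator pairs are `mac_cred_label_alloc`/`mac_cred_label_free` and `mac_vnode_label_alloc`/`mac_vnode_label_free`, but `mac_destroy_vnode_label()` survives next to them while its counterpart `mac_init_vnode_label()` is removed, so a reader cannot tell whether `_free` (label returned to the zone) and `_destroy` (policy teardown on caller-owned storage, as the old stack-allocated callers used it) are both meant to stay public or one is a leftover. If both stay, a comment on the declarations, e.g. `/* *_label_free() returns the label to the zone; mac_destroy_vnode_label() only runs policy teardown on storage the caller owns. */`, would prevent mismatched init/free pairs. The new `mac_execve_enter(imgp, mac_p)` prototype also moves ownership of the exec label into the framework; it should say which call (presumably `mac_execve_exit()`) releases it. Whether any remaining caller still needs `mac_destroy_vnode_label()` cannot be seen from here.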


@ -59,6 +59,7 @@ extern struct mac_policy_list_head mac_policy_list;
extern struct mac_policy_list_head mac_static_policy_list;
extern int mac_late;
extern int mac_enforce_process;
extern int mac_enforce_sysv;
extern int mac_enforce_vm;
#ifndef MAC_ALWAYS_LABEL_MBUF
extern int mac_labelmbufs;
@ -88,6 +89,10 @@ void mac_policy_list_busy(void);
int mac_policy_list_conditional_busy(void);
void mac_policy_list_unbusy(void);
struct label *mac_labelzone_alloc(int flags);
void mac_labelzone_free(struct label *label);
void mac_labelzone_init(void);
void mac_init_label(struct label *label);
void mac_destroy_label(struct label *label);
int mac_check_structmac_consistent(struct mac *mac);
@ -98,19 +103,18 @@ int mac_allocate_slot(void);
* the namespaces, etc, should work for these, so for now, sort by
* object type.
*/
struct label *mac_pipe_label_alloc(void);
void mac_pipe_label_free(struct label *label);
int mac_check_cred_relabel(struct ucred *cred, struct label *newlabel);
void mac_destroy_cred_label(struct label *label);
int mac_externalize_cred_label(struct label *label, char *elements,
int mac_externalize_cred_label(struct label *label, char *elements,
char *outbuf, size_t outbuflen);
void mac_init_cred_label(struct label *label);
int mac_internalize_cred_label(struct label *label, char *string);
void mac_relabel_cred(struct ucred *cred, struct label *newlabel);
void mac_copy_pipe_label(struct label *src, struct label *dest);
void mac_destroy_pipe_label(struct label *label);
int mac_externalize_pipe_label(struct label *label, char *elements,
char *outbuf, size_t outbuflen);
void mac_init_pipe_label(struct label *label);
int mac_internalize_pipe_label(struct label *label, char *string);
int mac_externalize_vnode_label(struct label *label, char *elements,
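Review bot: `mac_labelzone_alloc(int flags)` is the primitive every per-object allocator in the framework now builds on, and its contract is undocumented here: `flags` is a malloc-style `M_WAITOK`/`M_NOWAIT` selector (callers pass `M_WAITOK` or forward their own `flag`), an `M_NOWAIT` call can return NULL, and the label that comes back carries only the zone constructor's framework-level initialization, so the policy `init_*_label` entry point must still be run before use and the matching `destroy_*_label` before `mac_labelzone_free()`. A short comment on the three `mac_labelzone_*` prototypes stating exactly that would stop new callers from skipping the policy init or assuming the allocation cannot fail. The `extern int mac_enforce_sysv;` added in the first hunk looks unrelated to the label work; if it belongs to a separate change it deserves a mention in the commit message.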


@ -0,0 +1,97 @@
/*-
* Copyright (c) 2003 Networks Associates Technology, Inc.
* All rights reserved.
*
* This software was developed for the FreeBSD Project in part by Network
* Associates Laboratories, the Security Research Division of Network
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
* as part of the DARPA CHATS research program.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
#include "opt_mac.h"
#include <sys/param.h>
#include <sys/mac.h>
#include <sys/sysctl.h>
#include <sys/systm.h>
#include <vm/uma.h>
#include <security/mac/mac_internal.h>
uma_zone_t zone_label;
static void mac_labelzone_ctor(void *mem, int size, void *arg);
static void mac_labelzone_dtor(void *mem, int size, void *arg);
void
mac_labelzone_init(void)
{
zone_label = uma_zcreate("MAC labels", sizeof(struct label),
mac_labelzone_ctor, mac_labelzone_dtor, NULL, NULL,
UMA_ALIGN_PTR, 0);
}
static void
mac_labelzone_ctor(void *mem, int size, void *arg)
{
struct label *label;
KASSERT(size == sizeof(*label), ("mac_labelzone_ctor: wrong size\n"));
label = mem;
bzero(label, sizeof(*label));
label->l_flags = MAC_FLAG_INITIALIZED;
}
static void
mac_labelzone_dtor(void *mem, int size, void *arg)
{
struct label *label;
KASSERT(size == sizeof(*label), ("mac_labelzone_dtor: wrong size\n"));
label = mem;
#ifdef DIAGNOSTIC
bzero(label, sizeof(*label));
#else
label->l_flags &= ~MAC_FLAG_INITIALIZED;
#endif
}
struct label *
mac_labelzone_alloc(int flags)
{
return (uma_zalloc(zone_label, flags));
}
void
mac_labelzone_free(struct label *label)
{
uma_zfree(zone_label, label);
}
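Review bot: `mac_labelzone_dtor()` never checks that the label it tears down was actually constructed, so freeing a label that was never initialized, or one already torn down, goes unnoticed; a `KASSERT((label->l_flags & MAC_FLAG_INITIALIZED) != 0, ("mac_labelzone_dtor: label not initialized"));` ahead of the `#ifdef DIAGNOSTIC` block would catch both cheaply. The non-DIAGNOSTIC path only clears the flag and leaves the per-policy slots sitting in the freed memory, which is safe solely because the ctor runs `bzero()` on every allocation; that coupling should be written down, e.g. `/* Slots are not scrubbed here; the ctor zeroes the whole label on every allocation. */`, so nobody later moves the zeroing into a zone init. `zone_label` is reached only through the two accessors and mac_internal.h exports only the functions, so unless another file declares it extern it can be `static`.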


@ -91,7 +91,8 @@ SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, sockets, CTLFLAG_RD,
&nmacsockets, 0, "number of sockets in use");
#endif
static void mac_destroy_socket_label(struct label *label);
static void mac_socket_label_free(struct label *label);
static struct label *
mbuf_to_label(struct mbuf *mbuf)
@ -105,46 +106,70 @@ mbuf_to_label(struct mbuf *mbuf)
return (label);
}
static struct label *
mac_bpfdesc_label_alloc(void)
{
struct label *label;
label = mac_labelzone_alloc(M_WAITOK);
MAC_PERFORM(init_bpfdesc_label, label);
MAC_DEBUG_COUNTER_INC(&nmacbpfdescs);
return (label);
}
void
mac_init_bpfdesc(struct bpf_d *bpf_d)
{
mac_init_label(&bpf_d->bd_label);
MAC_PERFORM(init_bpfdesc_label, &bpf_d->bd_label);
MAC_DEBUG_COUNTER_INC(&nmacbpfdescs);
bpf_d->bd_label = mac_bpfdesc_label_alloc();
}
static void
mac_init_ifnet_label(struct label *label)
static struct label *
mac_ifnet_label_alloc(void)
{
struct label *label;
mac_init_label(label);
label = mac_labelzone_alloc(M_WAITOK);
MAC_PERFORM(init_ifnet_label, label);
MAC_DEBUG_COUNTER_INC(&nmacifnets);
return (label);
}
void
mac_init_ifnet(struct ifnet *ifp)
{
mac_init_ifnet_label(&ifp->if_label);
ifp->if_label = mac_ifnet_label_alloc();
}
static struct label *
mac_ipq_label_alloc(int flag)
{
struct label *label;
int error;
label = mac_labelzone_alloc(flag);
if (label == NULL)
return (NULL);
MAC_CHECK(init_ipq_label, label, flag);
if (error) {
MAC_PERFORM(destroy_ipq_label, label);
mac_labelzone_free(label);
return (NULL);
}
MAC_DEBUG_COUNTER_INC(&nmacipqs);
return (label);
}
int
mac_init_ipq(struct ipq *ipq, int flag)
{
int error;
mac_init_label(&ipq->ipq_label);
MAC_CHECK(init_ipq_label, &ipq->ipq_label, flag);
if (error) {
MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label);
mac_destroy_label(&ipq->ipq_label);
} else {
MAC_DEBUG_COUNTER_INC(&nmacipqs);
}
return (error);
ipq->ipq_label = mac_ipq_label_alloc(flag);
if (ipq->ipq_label == NULL)
return (ENOMEM);
return (0);
}
int
@ -195,71 +220,85 @@ mac_init_mbuf(struct mbuf *m, int flag)
return (0);
}
static int
mac_init_socket_label(struct label *label, int flag)
static struct label *
mac_socket_label_alloc(int flag)
{
struct label *label;
int error;
mac_init_label(label);
label = mac_labelzone_alloc(flag);
if (label == NULL)
return (NULL);
MAC_CHECK(init_socket_label, label, flag);
if (error) {
MAC_PERFORM(destroy_socket_label, label);
mac_destroy_label(label);
} else {
MAC_DEBUG_COUNTER_INC(&nmacsockets);
mac_labelzone_free(label);
return (NULL);
}
return (error);
MAC_DEBUG_COUNTER_INC(&nmacsockets);
return (label);
}
static int
mac_init_socket_peer_label(struct label *label, int flag)
static struct label *
mac_socket_peer_label_alloc(int flag)
{
struct label *label;
int error;
mac_init_label(label);
label = mac_labelzone_alloc(flag);
if (label == NULL)
return (NULL);
MAC_CHECK(init_socket_peer_label, label, flag);
if (error) {
MAC_PERFORM(destroy_socket_peer_label, label);
mac_destroy_label(label);
mac_labelzone_free(label);
return (NULL);
}
return (error);
MAC_DEBUG_COUNTER_INC(&nmacsockets);
return (label);
}
int
mac_init_socket(struct socket *socket, int flag)
mac_init_socket(struct socket *so, int flag)
{
int error;
error = mac_init_socket_label(&socket->so_label, flag);
if (error)
return (error);
so->so_label = mac_socket_label_alloc(flag);
if (so->so_label == NULL)
return (ENOMEM);
so->so_peerlabel = mac_socket_peer_label_alloc(flag);
if (so->so_peerlabel == NULL) {
mac_socket_label_free(so->so_label);
so->so_label = NULL;
return (ENOMEM);
}
return (0);
}
error = mac_init_socket_peer_label(&socket->so_peerlabel, flag);
if (error)
mac_destroy_socket_label(&socket->so_label);
static void
mac_bpfdesc_label_free(struct label *label)
{
return (error);
MAC_PERFORM(destroy_bpfdesc_label, label);
mac_labelzone_free(label);
MAC_DEBUG_COUNTER_DEC(&nmacbpfdescs);
}
void
mac_destroy_bpfdesc(struct bpf_d *bpf_d)
{
MAC_PERFORM(destroy_bpfdesc_label, &bpf_d->bd_label);
mac_destroy_label(&bpf_d->bd_label);
MAC_DEBUG_COUNTER_DEC(&nmacbpfdescs);
mac_bpfdesc_label_free(bpf_d->bd_label);
bpf_d->bd_label = NULL;
}
static void
mac_destroy_ifnet_label(struct label *label)
mac_ifnet_label_free(struct label *label)
{
MAC_PERFORM(destroy_ifnet_label, label);
mac_destroy_label(label);
mac_labelzone_free(label);
MAC_DEBUG_COUNTER_DEC(&nmacifnets);
}
@ -267,16 +306,25 @@ void
mac_destroy_ifnet(struct ifnet *ifp)
{
mac_destroy_ifnet_label(&ifp->if_label);
mac_ifnet_label_free(ifp->if_label);
ifp->if_label = NULL;
}
static void
mac_ipq_label_free(struct label *label)
{
MAC_PERFORM(destroy_ipq_label, label);
mac_labelzone_free(label);
MAC_DEBUG_COUNTER_DEC(&nmacipqs);
}
void
mac_destroy_ipq(struct ipq *ipq)
{
MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label);
mac_destroy_label(&ipq->ipq_label);
MAC_DEBUG_COUNTER_DEC(&nmacipqs);
mac_ipq_label_free(ipq->ipq_label);
ipq->ipq_label = NULL;
}
void
@ -292,28 +340,31 @@ mac_destroy_mbuf_tag(struct m_tag *tag)
}
static void
mac_destroy_socket_label(struct label *label)
mac_socket_label_free(struct label *label)
{
MAC_PERFORM(destroy_socket_label, label);
mac_destroy_label(label);
mac_labelzone_free(label);
MAC_DEBUG_COUNTER_DEC(&nmacsockets);
}
static void
mac_destroy_socket_peer_label(struct label *label)
mac_socket_peer_label_free(struct label *label)
{
MAC_PERFORM(destroy_socket_peer_label, label);
mac_destroy_label(label);
mac_labelzone_free(label);
MAC_DEBUG_COUNTER_DEC(&nmacsockets);
}
void
mac_destroy_socket(struct socket *socket)
{
mac_destroy_socket_label(&socket->so_label);
mac_destroy_socket_peer_label(&socket->so_peerlabel);
mac_socket_label_free(socket->so_label);
socket->so_label = NULL;
mac_socket_peer_label_free(socket->so_peerlabel);
socket->so_peerlabel = NULL;
}
void
@ -388,21 +439,21 @@ void
mac_create_ifnet(struct ifnet *ifnet)
{
MAC_PERFORM(create_ifnet, ifnet, &ifnet->if_label);
MAC_PERFORM(create_ifnet, ifnet, ifnet->if_label);
}
void
mac_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d)
{
MAC_PERFORM(create_bpfdesc, cred, bpf_d, &bpf_d->bd_label);
MAC_PERFORM(create_bpfdesc, cred, bpf_d, bpf_d->bd_label);
}
void
mac_create_socket(struct ucred *cred, struct socket *socket)
{
MAC_PERFORM(create_socket, cred, socket, &socket->so_label);
MAC_PERFORM(create_socket, cred, socket, socket->so_label);
}
void
@ -410,8 +461,8 @@ mac_create_socket_from_socket(struct socket *oldsocket,
struct socket *newsocket)
{
MAC_PERFORM(create_socket_from_socket, oldsocket, &oldsocket->so_label,
newsocket, &newsocket->so_label);
MAC_PERFORM(create_socket_from_socket, oldsocket, oldsocket->so_label,
newsocket, newsocket->so_label);
}
static void
@ -419,7 +470,7 @@ mac_relabel_socket(struct ucred *cred, struct socket *socket,
struct label *newlabel)
{
MAC_PERFORM(relabel_socket, cred, socket, &socket->so_label, newlabel);
MAC_PERFORM(relabel_socket, cred, socket, socket->so_label, newlabel);
}
void
@ -430,7 +481,7 @@ mac_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct socket *socket)
label = mbuf_to_label(mbuf);
MAC_PERFORM(set_socket_peer_from_mbuf, mbuf, label, socket,
&socket->so_peerlabel);
socket->so_peerlabel);
}
void
@ -439,7 +490,7 @@ mac_set_socket_peer_from_socket(struct socket *oldsocket,
{
MAC_PERFORM(set_socket_peer_from_socket, oldsocket,
&oldsocket->so_label, newsocket, &newsocket->so_peerlabel);
oldsocket->so_label, newsocket, newsocket->so_peerlabel);
}
void
@ -449,7 +500,7 @@ mac_create_datagram_from_ipq(struct ipq *ipq, struct mbuf *datagram)
label = mbuf_to_label(datagram);
MAC_PERFORM(create_datagram_from_ipq, ipq, &ipq->ipq_label,
MAC_PERFORM(create_datagram_from_ipq, ipq, ipq->ipq_label,
datagram, label);
}
@ -472,7 +523,7 @@ mac_create_ipq(struct mbuf *fragment, struct ipq *ipq)
label = mbuf_to_label(fragment);
MAC_PERFORM(create_ipq, fragment, label, ipq, &ipq->ipq_label);
MAC_PERFORM(create_ipq, fragment, label, ipq, ipq->ipq_label);
}
void
@ -494,7 +545,7 @@ mac_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct mbuf *mbuf)
label = mbuf_to_label(mbuf);
MAC_PERFORM(create_mbuf_from_bpfdesc, bpf_d, &bpf_d->bd_label, mbuf,
MAC_PERFORM(create_mbuf_from_bpfdesc, bpf_d, bpf_d->bd_label, mbuf,
label);
}
@ -505,7 +556,7 @@ mac_create_mbuf_linklayer(struct ifnet *ifnet, struct mbuf *mbuf)
label = mbuf_to_label(mbuf);
MAC_PERFORM(create_mbuf_linklayer, ifnet, &ifnet->if_label, mbuf,
MAC_PERFORM(create_mbuf_linklayer, ifnet, ifnet->if_label, mbuf,
label);
}
@ -516,7 +567,7 @@ mac_create_mbuf_from_ifnet(struct ifnet *ifnet, struct mbuf *mbuf)
label = mbuf_to_label(mbuf);
MAC_PERFORM(create_mbuf_from_ifnet, ifnet, &ifnet->if_label, mbuf,
MAC_PERFORM(create_mbuf_from_ifnet, ifnet, ifnet->if_label, mbuf,
label);
}
@ -530,7 +581,7 @@ mac_create_mbuf_multicast_encap(struct mbuf *oldmbuf, struct ifnet *ifnet,
newmbuflabel = mbuf_to_label(newmbuf);
MAC_PERFORM(create_mbuf_multicast_encap, oldmbuf, oldmbuflabel,
ifnet, &ifnet->if_label, newmbuf, newmbuflabel);
ifnet, ifnet->if_label, newmbuf, newmbuflabel);
}
void
@ -555,7 +606,7 @@ mac_fragment_match(struct mbuf *fragment, struct ipq *ipq)
result = 1;
MAC_BOOLEAN(fragment_match, &&, fragment, label, ipq,
&ipq->ipq_label);
ipq->ipq_label);
return (result);
}
@ -586,7 +637,7 @@ mac_update_ipq(struct mbuf *fragment, struct ipq *ipq)
label = mbuf_to_label(fragment);
MAC_PERFORM(update_ipq, fragment, label, ipq, &ipq->ipq_label);
MAC_PERFORM(update_ipq, fragment, label, ipq, ipq->ipq_label);
}
void
@ -596,7 +647,7 @@ mac_create_mbuf_from_socket(struct socket *socket, struct mbuf *mbuf)
label = mbuf_to_label(mbuf);
MAC_PERFORM(create_mbuf_from_socket, socket, &socket->so_label, mbuf,
MAC_PERFORM(create_mbuf_from_socket, socket, socket->so_label, mbuf,
label);
}
@ -608,8 +659,8 @@ mac_check_bpfdesc_receive(struct bpf_d *bpf_d, struct ifnet *ifnet)
if (!mac_enforce_network)
return (0);
MAC_CHECK(check_bpfdesc_receive, bpf_d, &bpf_d->bd_label, ifnet,
&ifnet->if_label);
MAC_CHECK(check_bpfdesc_receive, bpf_d, bpf_d->bd_label, ifnet,
ifnet->if_label);
return (error);
}
@ -627,7 +678,7 @@ mac_check_ifnet_transmit(struct ifnet *ifnet, struct mbuf *mbuf)
label = mbuf_to_label(mbuf);
MAC_CHECK(check_ifnet_transmit, ifnet, &ifnet->if_label, mbuf,
MAC_CHECK(check_ifnet_transmit, ifnet, ifnet->if_label, mbuf,
label);
return (error);
@ -642,7 +693,7 @@ mac_check_socket_bind(struct ucred *ucred, struct socket *socket,
if (!mac_enforce_socket)
return (0);
MAC_CHECK(check_socket_bind, ucred, socket, &socket->so_label,
MAC_CHECK(check_socket_bind, ucred, socket, socket->so_label,
sockaddr);
return (error);
@ -657,7 +708,7 @@ mac_check_socket_connect(struct ucred *cred, struct socket *socket,
if (!mac_enforce_socket)
return (0);
MAC_CHECK(check_socket_connect, cred, socket, &socket->so_label,
MAC_CHECK(check_socket_connect, cred, socket, socket->so_label,
sockaddr);
return (error);
@ -674,7 +725,7 @@ mac_check_socket_deliver(struct socket *socket, struct mbuf *mbuf)
label = mbuf_to_label(mbuf);
MAC_CHECK(check_socket_deliver, socket, &socket->so_label, mbuf,
MAC_CHECK(check_socket_deliver, socket, socket->so_label, mbuf,
label);
return (error);
@ -688,7 +739,7 @@ mac_check_socket_listen(struct ucred *cred, struct socket *socket)
if (!mac_enforce_socket)
return (0);
MAC_CHECK(check_socket_listen, cred, socket, &socket->so_label);
MAC_CHECK(check_socket_listen, cred, socket, socket->so_label);
return (error);
}
@ -700,7 +751,7 @@ mac_check_socket_receive(struct ucred *cred, struct socket *so)
if (!mac_enforce_socket)
return (0);
MAC_CHECK(check_socket_receive, cred, so, &so->so_label);
MAC_CHECK(check_socket_receive, cred, so, so->so_label);
return (error);
}
@ -711,7 +762,7 @@ mac_check_socket_relabel(struct ucred *cred, struct socket *socket,
{
int error;
MAC_CHECK(check_socket_relabel, cred, socket, &socket->so_label,
MAC_CHECK(check_socket_relabel, cred, socket, socket->so_label,
newlabel);
return (error);
@ -725,7 +776,7 @@ mac_check_socket_send(struct ucred *cred, struct socket *so)
if (!mac_enforce_socket)
return (0);
MAC_CHECK(check_socket_send, cred, so, &so->so_label);
MAC_CHECK(check_socket_send, cred, so, so->so_label);
return (error);
}
@ -738,7 +789,7 @@ mac_check_socket_visible(struct ucred *cred, struct socket *socket)
if (!mac_enforce_socket)
return (0);
MAC_CHECK(check_socket_visible, cred, socket, &socket->so_label);
MAC_CHECK(check_socket_visible, cred, socket, socket->so_label);
return (error);
}
@ -767,7 +818,7 @@ mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr,
}
buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
error = mac_externalize_ifnet_label(&ifnet->if_label, elements,
error = mac_externalize_ifnet_label(ifnet->if_label, elements,
buffer, mac.m_buflen);
if (error == 0)
error = copyout(buffer, mac.m_string, strlen(buffer)+1);
@ -782,7 +833,7 @@ int
mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr,
struct ifnet *ifnet)
{
struct label intlabel;
struct label *intlabel;
struct mac mac;
char *buffer;
int error;
@ -802,11 +853,11 @@ mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr,
return (error);
}
mac_init_ifnet_label(&intlabel);
error = mac_internalize_ifnet_label(&intlabel, buffer);
intlabel = mac_ifnet_label_alloc();
error = mac_internalize_ifnet_label(intlabel, buffer);
free(buffer, M_MACTEMP);
if (error) {
mac_destroy_ifnet_label(&intlabel);
mac_ifnet_label_free(intlabel);
return (error);
}
@ -817,20 +868,20 @@ mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr,
*/
error = suser_cred(cred, 0);
if (error) {
mac_destroy_ifnet_label(&intlabel);
mac_ifnet_label_free(intlabel);
return (error);
}
MAC_CHECK(check_ifnet_relabel, cred, ifnet, &ifnet->if_label,
&intlabel);
MAC_CHECK(check_ifnet_relabel, cred, ifnet, ifnet->if_label,
intlabel);
if (error) {
mac_destroy_ifnet_label(&intlabel);
mac_ifnet_label_free(intlabel);
return (error);
}
MAC_PERFORM(relabel_ifnet, cred, ifnet, &ifnet->if_label, &intlabel);
MAC_PERFORM(relabel_ifnet, cred, ifnet, ifnet->if_label, intlabel);
mac_destroy_ifnet_label(&intlabel);
mac_ifnet_label_free(intlabel);
return (0);
}
@ -838,7 +889,7 @@ int
mac_setsockopt_label_set(struct ucred *cred, struct socket *so,
struct mac *mac)
{
struct label intlabel;
struct label *intlabel;
char *buffer;
int error;
@ -853,23 +904,23 @@ mac_setsockopt_label_set(struct ucred *cred, struct socket *so,
return (error);
}
mac_init_socket_label(&intlabel, M_WAITOK);
error = mac_internalize_socket_label(&intlabel, buffer);
intlabel = mac_socket_label_alloc(M_WAITOK);
error = mac_internalize_socket_label(intlabel, buffer);
free(buffer, M_MACTEMP);
if (error) {
mac_destroy_socket_label(&intlabel);
mac_socket_label_free(intlabel);
return (error);
}
mac_check_socket_relabel(cred, so, &intlabel);
mac_check_socket_relabel(cred, so, intlabel);
if (error) {
mac_destroy_socket_label(&intlabel);
mac_socket_label_free(intlabel);
return (error);
}
mac_relabel_socket(cred, so, &intlabel);
mac_relabel_socket(cred, so, intlabel);
mac_destroy_socket_label(&intlabel);
mac_socket_label_free(intlabel);
return (0);
}
@ -892,7 +943,7 @@ mac_getsockopt_label_get(struct ucred *cred, struct socket *so,
}
buffer = malloc(mac->m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
error = mac_externalize_socket_label(&so->so_label, elements,
error = mac_externalize_socket_label(so->so_label, elements,
buffer, mac->m_buflen);
if (error == 0)
error = copyout(buffer, mac->m_string, strlen(buffer)+1);
@ -922,7 +973,7 @@ mac_getsockopt_peerlabel_get(struct ucred *cred, struct socket *so,
}
buffer = malloc(mac->m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
error = mac_externalize_socket_peer_label(&so->so_peerlabel,
error = mac_externalize_socket_peer_label(so->so_peerlabel,
elements, buffer, mac->m_buflen);
if (error == 0)
error = copyout(buffer, mac->m_string, strlen(buffer)+1);


@ -61,34 +61,31 @@ SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, pipes, CTLFLAG_RD,
&nmacpipes, 0, "number of pipes in use");
#endif
MALLOC_DEFINE(M_MACPIPELABEL, "macpipelabel", "MAC labels for pipes");
void
mac_init_pipe_label(struct label *label)
struct label *
mac_pipe_label_alloc(void)
{
struct label *label;
mac_init_label(label);
label = mac_labelzone_alloc(M_WAITOK);
MAC_PERFORM(init_pipe_label, label);
MAC_DEBUG_COUNTER_INC(&nmacpipes);
return (label);
}
void
mac_init_pipe(struct pipe *pipe)
{
struct label *label;
label = malloc(sizeof(struct label), M_MACPIPELABEL, M_ZERO|M_WAITOK);
pipe->pipe_label = label;
pipe->pipe_peer->pipe_label = label;
mac_init_pipe_label(label);
pipe->pipe_label = pipe->pipe_peer->pipe_label =
mac_pipe_label_alloc();
}
void
mac_destroy_pipe_label(struct label *label)
mac_pipe_label_free(struct label *label)
{
MAC_PERFORM(destroy_pipe_label, label);
mac_destroy_label(label);
mac_labelzone_free(label);
MAC_DEBUG_COUNTER_DEC(&nmacpipes);
}
@ -96,8 +93,8 @@ void
mac_destroy_pipe(struct pipe *pipe)
{
mac_destroy_pipe_label(pipe->pipe_label);
free(pipe->pipe_label, M_MACPIPELABEL);
mac_pipe_label_free(pipe->pipe_label);
pipe->pipe_label = NULL;
}
void
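Review bot: mac_destroy_pipe clears only pipe->pipe_label after freeing, but mac_init_pipe installs the same label pointer in both pipe->pipe_label and pipe->pipe_peer->pipe_label, so once mac_pipe_label_free returns the peer end still holds a pointer to a zone-freed label unless the caller has already detached or freed the peer. The old malloc/free code had the same sharing, but the new `pipe->pipe_label = NULL` makes the asymmetry visible, and if a caller ever ran mac_destroy_pipe on both ends the label would be freed twice. I would either clear the peer's copy as well when the peer is still attached, or document the contract on mac_destroy_pipe: `/* The label is shared with pipe_peer; call exactly once per pipe pair, after the peer has been detached. */`. Whether sys_pipe.c already guarantees this is not visible here.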

View File

@ -96,37 +96,48 @@ SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, procs, CTLFLAG_RD,
static void mac_cred_mmapped_drop_perms_recurse(struct thread *td,
struct ucred *cred, struct vm_map *map);
void
mac_init_cred_label(struct label *label)
struct label *
mac_cred_label_alloc(void)
{
struct label *label;
mac_init_label(label);
label = mac_labelzone_alloc(M_WAITOK);
MAC_PERFORM(init_cred_label, label);
MAC_DEBUG_COUNTER_INC(&nmaccreds);
return (label);
}
void
mac_init_cred(struct ucred *cred)
{
mac_init_cred_label(&cred->cr_label);
cred->cr_label = mac_cred_label_alloc();
}
static struct label *
mac_proc_label_alloc(void)
{
struct label *label;
label = mac_labelzone_alloc(M_WAITOK);
MAC_PERFORM(init_proc_label, label);
MAC_DEBUG_COUNTER_INC(&nmacprocs);
return (label);
}
void
mac_init_proc(struct proc *p)
{
mac_init_label(&p->p_label);
MAC_PERFORM(init_proc_label, &p->p_label);
MAC_DEBUG_COUNTER_INC(&nmacprocs);
p->p_label = mac_proc_label_alloc();
}
void
mac_destroy_cred_label(struct label *label)
mac_cred_label_free(struct label *label)
{
MAC_PERFORM(destroy_cred_label, label);
mac_destroy_label(label);
mac_labelzone_free(label);
MAC_DEBUG_COUNTER_DEC(&nmaccreds);
}
@ -134,16 +145,25 @@ void
mac_destroy_cred(struct ucred *cred)
{
mac_destroy_cred_label(&cred->cr_label);
mac_cred_label_free(cred->cr_label);
cred->cr_label = NULL;
}
static void
mac_proc_label_free(struct label *label)
{
MAC_PERFORM(destroy_proc_label, label);
mac_labelzone_free(label);
MAC_DEBUG_COUNTER_DEC(&nmacprocs);
}
void
mac_destroy_proc(struct proc *p)
{
MAC_PERFORM(destroy_proc_label, &p->p_label);
mac_destroy_label(&p->p_label);
MAC_DEBUG_COUNTER_DEC(&nmacprocs);
mac_proc_label_free(p->p_label);
p->p_label = NULL;
}
int
@ -209,9 +229,9 @@ mac_create_cred(struct ucred *parent_cred, struct ucred *child_cred)
}
int
mac_execve_enter(struct image_params *imgp, struct mac *mac_p,
struct label *execlabelstorage)
mac_execve_enter(struct image_params *imgp, struct mac *mac_p)
{
struct label *label;
struct mac mac;
char *buffer;
int error;
@ -234,22 +254,24 @@ mac_execve_enter(struct image_params *imgp, struct mac *mac_p,
return (error);
}
mac_init_cred_label(execlabelstorage);
error = mac_internalize_cred_label(execlabelstorage, buffer);
label = mac_cred_label_alloc();
error = mac_internalize_cred_label(label, buffer);
free(buffer, M_MACTEMP);
if (error) {
mac_destroy_cred_label(execlabelstorage);
mac_cred_label_free(label);
return (error);
}
imgp->execlabel = execlabelstorage;
imgp->execlabel = label;
return (0);
}
void
mac_execve_exit(struct image_params *imgp)
{
if (imgp->execlabel != NULL)
mac_destroy_cred_label(imgp->execlabel);
if (imgp->execlabel != NULL) {
mac_cred_label_free(imgp->execlabel);
imgp->execlabel = NULL;
}
}
/*
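Review bot: mac_execve_enter now hands ownership of a heap-allocated cred label to imgp->execlabel and mac_execve_exit releases it, but neither function says so, and mac_execve_exit's NULL test silently depends on the caller having set imgp->execlabel to NULL before any path that skips or fails mac_execve_enter. The early-return paths of mac_execve_enter are above the hunk, so I cannot confirm they leave imgp->execlabel untouched. I would add above mac_execve_enter: `/* On success imgp->execlabel owns the new cred label and mac_execve_exit() frees it; imgp->execlabel must be NULL on entry. */`, and if that precondition holds, `KASSERT(imgp->execlabel == NULL, ("mac_execve_enter: execlabel already set"));` at the top of the function.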


@ -256,6 +256,7 @@ mac_init(void)
LIST_INIT(&mac_static_policy_list);
LIST_INIT(&mac_policy_list);
mac_labelzone_init();
mtx_init(&mac_policy_mtx, "mac_policy_mtx", NULL, MTX_DEF);
cv_init(&mac_policy_cv, "mac_policy_cv");
@ -565,7 +566,7 @@ __mac_get_pid(struct thread *td, struct __mac_get_pid_args *uap)
}
buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
error = mac_externalize_cred_label(&tcred->cr_label, elements,
error = mac_externalize_cred_label(tcred->cr_label, elements,
buffer, mac.m_buflen);
if (error == 0)
error = copyout(buffer, mac.m_string, strlen(buffer)+1);
@ -602,7 +603,7 @@ __mac_get_proc(struct thread *td, struct __mac_get_proc_args *uap)
}
buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
error = mac_externalize_cred_label(&td->td_ucred->cr_label,
error = mac_externalize_cred_label(td->td_ucred->cr_label,
elements, buffer, mac.m_buflen);
if (error == 0)
error = copyout(buffer, mac.m_string, strlen(buffer)+1);
@ -619,7 +620,7 @@ int
__mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
{
struct ucred *newcred, *oldcred;
struct label intlabel;
struct label *intlabel;
struct proc *p;
struct mac mac;
char *buffer;
@ -640,13 +641,11 @@ __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
return (error);
}
mac_init_cred_label(&intlabel);
error = mac_internalize_cred_label(&intlabel, buffer);
intlabel = mac_cred_label_alloc();
error = mac_internalize_cred_label(intlabel, buffer);
free(buffer, M_MACTEMP);
if (error) {
mac_destroy_cred_label(&intlabel);
return (error);
}
if (error)
goto out;
newcred = crget();
@ -654,7 +653,7 @@ __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
PROC_LOCK(p);
oldcred = p->p_ucred;
error = mac_check_cred_relabel(oldcred, &intlabel);
error = mac_check_cred_relabel(oldcred, intlabel);
if (error) {
PROC_UNLOCK(p);
crfree(newcred);
@ -663,7 +662,7 @@ __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
setsugid(p);
crcopy(newcred, oldcred);
mac_relabel_cred(newcred, &intlabel);
mac_relabel_cred(newcred, intlabel);
p->p_ucred = newcred;
/*
@ -683,7 +682,7 @@ __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
crfree(oldcred);
out:
mac_destroy_cred_label(&intlabel);
mac_cred_label_free(intlabel);
return (error);
}
@ -694,7 +693,7 @@ int
__mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap)
{
char *elements, *buffer;
struct label intlabel;
struct label *intlabel;
struct file *fp;
struct mac mac;
struct vnode *vp;
@ -729,20 +728,20 @@ __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap)
case DTYPE_VNODE:
vp = fp->f_vnode;
mac_init_vnode_label(&intlabel);
intlabel = mac_vnode_label_alloc();
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
mac_copy_vnode_label(&vp->v_label, &intlabel);
mac_copy_vnode_label(vp->v_label, intlabel);
VOP_UNLOCK(vp, 0, td);
break;
case DTYPE_PIPE:
pipe = fp->f_data;
mac_init_pipe_label(&intlabel);
intlabel = mac_pipe_label_alloc();
PIPE_LOCK(pipe);
mac_copy_pipe_label(pipe->pipe_label, &intlabel);
mac_copy_pipe_label(pipe->pipe_label, intlabel);
PIPE_UNLOCK(pipe);
break;
default:
@ -756,14 +755,14 @@ __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap)
case DTYPE_FIFO:
case DTYPE_VNODE:
if (error == 0)
error = mac_externalize_vnode_label(&intlabel,
error = mac_externalize_vnode_label(intlabel,
elements, buffer, mac.m_buflen);
mac_destroy_vnode_label(&intlabel);
mac_vnode_label_free(intlabel);
break;
case DTYPE_PIPE:
error = mac_externalize_pipe_label(&intlabel, elements,
error = mac_externalize_pipe_label(intlabel, elements,
buffer, mac.m_buflen);
mac_destroy_pipe_label(&intlabel);
mac_pipe_label_free(intlabel);
break;
default:
panic("__mac_get_fd: corrupted label_type");
@ -788,7 +787,7 @@ __mac_get_file(struct thread *td, struct __mac_get_file_args *uap)
{
char *elements, *buffer;
struct nameidata nd;
struct label intlabel;
struct label *intlabel;
struct mac mac;
int error;
@ -815,13 +814,13 @@ __mac_get_file(struct thread *td, struct __mac_get_file_args *uap)
if (error)
goto out;
mac_init_vnode_label(&intlabel);
mac_copy_vnode_label(&nd.ni_vp->v_label, &intlabel);
error = mac_externalize_vnode_label(&intlabel, elements, buffer,
intlabel = mac_vnode_label_alloc();
mac_copy_vnode_label(nd.ni_vp->v_label, intlabel);
error = mac_externalize_vnode_label(intlabel, elements, buffer,
mac.m_buflen);
NDFREE(&nd, 0);
mac_destroy_vnode_label(&intlabel);
mac_vnode_label_free(intlabel);
if (error == 0)
error = copyout(buffer, mac.m_string, strlen(buffer)+1);
@ -843,7 +842,7 @@ __mac_get_link(struct thread *td, struct __mac_get_link_args *uap)
{
char *elements, *buffer;
struct nameidata nd;
struct label intlabel;
struct label *intlabel;
struct mac mac;
int error;
@ -870,12 +869,12 @@ __mac_get_link(struct thread *td, struct __mac_get_link_args *uap)
if (error)
goto out;
mac_init_vnode_label(&intlabel);
mac_copy_vnode_label(&nd.ni_vp->v_label, &intlabel);
error = mac_externalize_vnode_label(&intlabel, elements, buffer,
intlabel = mac_vnode_label_alloc();
mac_copy_vnode_label(nd.ni_vp->v_label, intlabel);
error = mac_externalize_vnode_label(intlabel, elements, buffer,
mac.m_buflen);
NDFREE(&nd, 0);
mac_destroy_vnode_label(&intlabel);
mac_vnode_label_free(intlabel);
if (error == 0)
error = copyout(buffer, mac.m_string, strlen(buffer)+1);
@ -895,7 +894,7 @@ out:
int
__mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap)
{
struct label intlabel;
struct label *intlabel;
struct pipe *pipe;
struct file *fp;
struct mount *mp;
@ -928,40 +927,40 @@ __mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap)
switch (fp->f_type) {
case DTYPE_FIFO:
case DTYPE_VNODE:
mac_init_vnode_label(&intlabel);
error = mac_internalize_vnode_label(&intlabel, buffer);
intlabel = mac_vnode_label_alloc();
error = mac_internalize_vnode_label(intlabel, buffer);
if (error) {
mac_destroy_vnode_label(&intlabel);
mac_vnode_label_free(intlabel);
break;
}
vp = fp->f_vnode;
error = vn_start_write(vp, &mp, V_WAIT | PCATCH);
if (error != 0) {
mac_destroy_vnode_label(&intlabel);
mac_vnode_label_free(intlabel);
break;
}
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
error = vn_setlabel(vp, &intlabel, td->td_ucred);
error = vn_setlabel(vp, intlabel, td->td_ucred);
VOP_UNLOCK(vp, 0, td);
vn_finished_write(mp);
mac_destroy_vnode_label(&intlabel);
mac_vnode_label_free(intlabel);
break;
case DTYPE_PIPE:
mac_init_pipe_label(&intlabel);
error = mac_internalize_pipe_label(&intlabel, buffer);
intlabel = mac_pipe_label_alloc();
error = mac_internalize_pipe_label(intlabel, buffer);
if (error == 0) {
pipe = fp->f_data;
PIPE_LOCK(pipe);
error = mac_pipe_label_set(td->td_ucred, pipe,
&intlabel);
intlabel);
PIPE_UNLOCK(pipe);
}
mac_destroy_pipe_label(&intlabel);
mac_pipe_label_free(intlabel);
break;
default:
@ -983,7 +982,7 @@ out:
int
__mac_set_file(struct thread *td, struct __mac_set_file_args *uap)
{
struct label intlabel;
struct label *intlabel;
struct nameidata nd;
struct mount *mp;
struct mac mac;
@ -1005,13 +1004,11 @@ __mac_set_file(struct thread *td, struct __mac_set_file_args *uap)
return (error);
}
mac_init_vnode_label(&intlabel);
error = mac_internalize_vnode_label(&intlabel, buffer);
intlabel = mac_vnode_label_alloc();
error = mac_internalize_vnode_label(intlabel, buffer);
free(buffer, M_MACTEMP);
if (error) {
mac_destroy_vnode_label(&intlabel);
return (error);
}
if (error)
goto out;
mtx_lock(&Giant); /* VFS */
@ -1021,15 +1018,15 @@ __mac_set_file(struct thread *td, struct __mac_set_file_args *uap)
if (error == 0) {
error = vn_start_write(nd.ni_vp, &mp, V_WAIT | PCATCH);
if (error == 0)
error = vn_setlabel(nd.ni_vp, &intlabel,
error = vn_setlabel(nd.ni_vp, intlabel,
td->td_ucred);
vn_finished_write(mp);
}
NDFREE(&nd, 0);
mtx_unlock(&Giant); /* VFS */
mac_destroy_vnode_label(&intlabel);
out:
mac_vnode_label_free(intlabel);
return (error);
}
@ -1039,7 +1036,7 @@ __mac_set_file(struct thread *td, struct __mac_set_file_args *uap)
int
__mac_set_link(struct thread *td, struct __mac_set_link_args *uap)
{
struct label intlabel;
struct label *intlabel;
struct nameidata nd;
struct mount *mp;
struct mac mac;
@ -1061,13 +1058,11 @@ __mac_set_link(struct thread *td, struct __mac_set_link_args *uap)
return (error);
}
mac_init_vnode_label(&intlabel);
error = mac_internalize_vnode_label(&intlabel, buffer);
intlabel = mac_vnode_label_alloc();
error = mac_internalize_vnode_label(intlabel, buffer);
free(buffer, M_MACTEMP);
if (error) {
mac_destroy_vnode_label(&intlabel);
return (error);
}
if (error)
goto out;
mtx_lock(&Giant); /* VFS */
@ -1077,15 +1072,15 @@ __mac_set_link(struct thread *td, struct __mac_set_link_args *uap)
if (error == 0) {
error = vn_start_write(nd.ni_vp, &mp, V_WAIT | PCATCH);
if (error == 0)
error = vn_setlabel(nd.ni_vp, &intlabel,
error = vn_setlabel(nd.ni_vp, intlabel,
td->td_ucred);
vn_finished_write(mp);
}
NDFREE(&nd, 0);
mtx_unlock(&Giant); /* VFS */
mac_destroy_vnode_label(&intlabel);
out:
mac_vnode_label_free(intlabel);
return (error);
}
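Review bot: In __mac_get_fd the new `struct label *intlabel` is assigned only in the DTYPE_VNODE (and presumably the DTYPE_FIFO fall-through just above the hunk) and DTYPE_PIPE arms of the first switch, while the `default:` arm is cut off at the hunk boundary; the second switch panics on any other type, so this is not a live use of an uninitialized pointer today, but the variable now holds a zone pointer rather than a stack object and any future cleanup path that reaches a free before an alloc would be undefined. I would initialize it at the declaration, `struct label *intlabel = NULL;`, so that an error path can distinguish "never allocated" from "allocated" and the compiler does not warn. The same applies to __mac_set_fd, whose `default:` arm is also outside the hunk.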


@ -120,7 +120,7 @@ mac_check_kld_load(struct ucred *cred, struct vnode *vp)
if (!mac_enforce_kld)
return (0);
MAC_CHECK(check_kld_load, cred, vp, &vp->v_label);
MAC_CHECK(check_kld_load, cred, vp, vp->v_label);
return (error);
}
@ -176,7 +176,7 @@ mac_check_system_acct(struct ucred *cred, struct vnode *vp)
return (0);
MAC_CHECK(check_system_acct, cred, vp,
vp != NULL ? &vp->v_label : NULL);
vp != NULL ? vp->v_label : NULL);
return (error);
}
@ -230,7 +230,7 @@ mac_check_system_swapon(struct ucred *cred, struct vnode *vp)
if (!mac_enforce_system)
return (0);
MAC_CHECK(check_system_swapon, cred, vp, &vp->v_label);
MAC_CHECK(check_system_swapon, cred, vp, vp->v_label);
return (error);
}
@ -244,7 +244,7 @@ mac_check_system_swapoff(struct ucred *cred, struct vnode *vp)
if (!mac_enforce_system)
return (0);
MAC_CHECK(check_system_swapoff, cred, vp, &vp->v_label);
MAC_CHECK(check_system_swapoff, cred, vp, vp->v_label);
return (error);
}


@ -100,68 +100,123 @@ SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, devfsdirents, CTLFLAG_RD,
static int mac_setlabel_vnode_extattr(struct ucred *cred,
struct vnode *vp, struct label *intlabel);
static struct label *
mac_devfsdirent_label_alloc(void)
{
struct label *label;
label = mac_labelzone_alloc(M_WAITOK);
MAC_PERFORM(init_devfsdirent_label, label);
MAC_DEBUG_COUNTER_INC(&nmacdevfsdirents);
return (label);
}
void
mac_init_devfsdirent(struct devfs_dirent *de)
{
mac_init_label(&de->de_label);
MAC_PERFORM(init_devfsdirent_label, &de->de_label);
MAC_DEBUG_COUNTER_INC(&nmacdevfsdirents);
de->de_label = mac_devfsdirent_label_alloc();
}
static struct label *
mac_mount_label_alloc(void)
{
struct label *label;
label = mac_labelzone_alloc(M_WAITOK);
MAC_PERFORM(init_mount_label, label);
MAC_DEBUG_COUNTER_INC(&nmacmounts);
return (label);
}
static struct label *
mac_mount_fs_label_alloc(void)
{
struct label *label;
label = mac_labelzone_alloc(M_WAITOK);
MAC_PERFORM(init_mount_fs_label, label);
MAC_DEBUG_COUNTER_INC(&nmacmounts);
return (label);
}
void
mac_init_mount(struct mount *mp)
{
mac_init_label(&mp->mnt_mntlabel);
mac_init_label(&mp->mnt_fslabel);
MAC_PERFORM(init_mount_label, &mp->mnt_mntlabel);
MAC_PERFORM(init_mount_fs_label, &mp->mnt_fslabel);
MAC_DEBUG_COUNTER_INC(&nmacmounts);
mp->mnt_mntlabel = mac_mount_label_alloc();
mp->mnt_fslabel = mac_mount_fs_label_alloc();
}
void
mac_init_vnode_label(struct label *label)
struct label *
mac_vnode_label_alloc(void)
{
struct label *label;
mac_init_label(label);
label = mac_labelzone_alloc(M_WAITOK);
MAC_PERFORM(init_vnode_label, label);
MAC_DEBUG_COUNTER_INC(&nmacvnodes);
return (label);
}
void
mac_init_vnode(struct vnode *vp)
{
mac_init_vnode_label(&vp->v_label);
vp->v_label = mac_vnode_label_alloc();
}
static void
mac_devfsdirent_label_free(struct label *label)
{
MAC_PERFORM(destroy_devfsdirent_label, label);
mac_labelzone_free(label);
MAC_DEBUG_COUNTER_DEC(&nmacdevfsdirents);
}
void
mac_destroy_devfsdirent(struct devfs_dirent *de)
{
MAC_PERFORM(destroy_devfsdirent_label, &de->de_label);
mac_destroy_label(&de->de_label);
MAC_DEBUG_COUNTER_DEC(&nmacdevfsdirents);
mac_devfsdirent_label_free(de->de_label);
de->de_label = NULL;
}
static void
mac_mount_label_free(struct label *label)
{
MAC_PERFORM(destroy_mount_label, label);
mac_labelzone_free(label);
MAC_DEBUG_COUNTER_DEC(&nmacmounts);
}
static void
mac_mount_fs_label_free(struct label *label)
{
MAC_PERFORM(destroy_mount_fs_label, label);
mac_labelzone_free(label);
MAC_DEBUG_COUNTER_DEC(&nmacmounts);
}
void
mac_destroy_mount(struct mount *mp)
{
MAC_PERFORM(destroy_mount_label, &mp->mnt_mntlabel);
MAC_PERFORM(destroy_mount_fs_label, &mp->mnt_fslabel);
mac_destroy_label(&mp->mnt_fslabel);
mac_destroy_label(&mp->mnt_mntlabel);
MAC_DEBUG_COUNTER_DEC(&nmacmounts);
mac_mount_fs_label_free(mp->mnt_fslabel);
mp->mnt_fslabel = NULL;
mac_mount_label_free(mp->mnt_mntlabel);
mp->mnt_mntlabel = NULL;
}
void
mac_destroy_vnode_label(struct label *label)
mac_vnode_label_free(struct label *label)
{
MAC_PERFORM(destroy_vnode_label, label);
mac_destroy_label(label);
mac_labelzone_free(label);
MAC_DEBUG_COUNTER_DEC(&nmacvnodes);
}
@ -169,7 +224,8 @@ void
mac_destroy_vnode(struct vnode *vp)
{
mac_destroy_vnode_label(&vp->v_label);
mac_vnode_label_free(vp->v_label);
vp->v_label = NULL;
}
void
@ -205,8 +261,8 @@ mac_update_devfsdirent(struct mount *mp, struct devfs_dirent *de,
struct vnode *vp)
{
MAC_PERFORM(update_devfsdirent, mp, de, &de->de_label, vp,
&vp->v_label);
MAC_PERFORM(update_devfsdirent, mp, de, de->de_label, vp,
vp->v_label);
}
void
@ -214,8 +270,8 @@ mac_associate_vnode_devfs(struct mount *mp, struct devfs_dirent *de,
struct vnode *vp)
{
MAC_PERFORM(associate_vnode_devfs, mp, &mp->mnt_fslabel, de,
&de->de_label, vp, &vp->v_label);
MAC_PERFORM(associate_vnode_devfs, mp, mp->mnt_fslabel, de,
de->de_label, vp, vp->v_label);
}
int
@ -225,8 +281,8 @@ mac_associate_vnode_extattr(struct mount *mp, struct vnode *vp)
ASSERT_VOP_LOCKED(vp, "mac_associate_vnode_extattr");
MAC_CHECK(associate_vnode_extattr, mp, &mp->mnt_fslabel, vp,
&vp->v_label);
MAC_CHECK(associate_vnode_extattr, mp, mp->mnt_fslabel, vp,
vp->v_label);
return (error);
}
@ -235,8 +291,8 @@ void
mac_associate_vnode_singlelabel(struct mount *mp, struct vnode *vp)
{
MAC_PERFORM(associate_vnode_singlelabel, mp, &mp->mnt_fslabel, vp,
&vp->v_label);
MAC_PERFORM(associate_vnode_singlelabel, mp, mp->mnt_fslabel, vp,
vp->v_label);
}
int
@ -259,8 +315,8 @@ mac_create_vnode_extattr(struct ucred *cred, struct mount *mp,
} else if (error)
return (error);
MAC_CHECK(create_vnode_extattr, cred, mp, &mp->mnt_fslabel,
dvp, &dvp->v_label, vp, &vp->v_label, cnp);
MAC_CHECK(create_vnode_extattr, cred, mp, mp->mnt_fslabel,
dvp, dvp->v_label, vp, vp->v_label, cnp);
if (error) {
VOP_CLOSEEXTATTR(vp, 0, NOCRED, curthread);
@ -294,7 +350,7 @@ mac_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
} else if (error)
return (error);
MAC_CHECK(setlabel_vnode_extattr, cred, vp, &vp->v_label, intlabel);
MAC_CHECK(setlabel_vnode_extattr, cred, vp, vp->v_label, intlabel);
if (error) {
VOP_CLOSEEXTATTR(vp, 0, NOCRED, curthread);
@ -319,7 +375,7 @@ mac_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp,
if (!mac_enforce_process && !mac_enforce_fs)
return;
MAC_PERFORM(execve_transition, old, new, vp, &vp->v_label,
MAC_PERFORM(execve_transition, old, new, vp, vp->v_label,
interpvnodelabel, imgp, imgp->execlabel);
}
@ -335,7 +391,7 @@ mac_execve_will_transition(struct ucred *old, struct vnode *vp,
return (0);
result = 0;
MAC_BOOLEAN(execve_will_transition, ||, old, vp, &vp->v_label,
MAC_BOOLEAN(execve_will_transition, ||, old, vp, vp->v_label,
interpvnodelabel, imgp, imgp->execlabel);
return (result);
@ -351,7 +407,7 @@ mac_check_vnode_access(struct ucred *cred, struct vnode *vp, int acc_mode)
if (!mac_enforce_fs)
return (0);
MAC_CHECK(check_vnode_access, cred, vp, &vp->v_label, acc_mode);
MAC_CHECK(check_vnode_access, cred, vp, vp->v_label, acc_mode);
return (error);
}
@ -365,7 +421,7 @@ mac_check_vnode_chdir(struct ucred *cred, struct vnode *dvp)
if (!mac_enforce_fs)
return (0);
MAC_CHECK(check_vnode_chdir, cred, dvp, &dvp->v_label);
MAC_CHECK(check_vnode_chdir, cred, dvp, dvp->v_label);
return (error);
}
@ -379,7 +435,7 @@ mac_check_vnode_chroot(struct ucred *cred, struct vnode *dvp)
if (!mac_enforce_fs)
return (0);
MAC_CHECK(check_vnode_chroot, cred, dvp, &dvp->v_label);
MAC_CHECK(check_vnode_chroot, cred, dvp, dvp->v_label);
return (error);
}
@ -394,7 +450,7 @@ mac_check_vnode_create(struct ucred *cred, struct vnode *dvp,
if (!mac_enforce_fs)
return (0);
MAC_CHECK(check_vnode_create, cred, dvp, &dvp->v_label, cnp, vap);
MAC_CHECK(check_vnode_create, cred, dvp, dvp->v_label, cnp, vap);
return (error);
}
@ -410,8 +466,8 @@ mac_check_vnode_delete(struct ucred *cred, struct vnode *dvp, struct vnode *vp,
if (!mac_enforce_fs)
return (0);
MAC_CHECK(check_vnode_delete, cred, dvp, &dvp->v_label, vp,
&vp->v_label, cnp);
MAC_CHECK(check_vnode_delete, cred, dvp, dvp->v_label, vp,
vp->v_label, cnp);
return (error);
}
@ -426,7 +482,7 @@ mac_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
if (!mac_enforce_fs)
return (0);
MAC_CHECK(check_vnode_deleteacl, cred, vp, &vp->v_label, type);
MAC_CHECK(check_vnode_deleteacl, cred, vp, vp->v_label, type);
return (error);
}
@ -441,7 +497,7 @@ mac_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
if (!mac_enforce_fs)
return (0);
MAC_CHECK(check_vnode_deleteextattr, cred, vp, &vp->v_label,
MAC_CHECK(check_vnode_deleteextattr, cred, vp, vp->v_label,
attrnamespace, name);
return (error);
}
@ -457,7 +513,7 @@ mac_check_vnode_exec(struct ucred *cred, struct vnode *vp,
if (!mac_enforce_process && !mac_enforce_fs)
return (0);
MAC_CHECK(check_vnode_exec, cred, vp, &vp->v_label, imgp,
MAC_CHECK(check_vnode_exec, cred, vp, vp->v_label, imgp,
imgp->execlabel);
return (error);
@ -473,7 +529,7 @@ mac_check_vnode_getacl(struct ucred *cred, struct vnode *vp, acl_type_t type)
if (!mac_enforce_fs)
return (0);
MAC_CHECK(check_vnode_getacl, cred, vp, &vp->v_label, type);
MAC_CHECK(check_vnode_getacl, cred, vp, vp->v_label, type);
return (error);
}
@ -488,7 +544,7 @@ mac_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
if (!mac_enforce_fs)
return (0);
MAC_CHECK(check_vnode_getextattr, cred, vp, &vp->v_label,
MAC_CHECK(check_vnode_getextattr, cred, vp, vp->v_label,
attrnamespace, name, uio);
return (error);
}
@ -505,8 +561,8 @@ mac_check_vnode_link(struct ucred *cred, struct vnode *dvp,
if (!mac_enforce_fs)
return (0);
MAC_CHECK(check_vnode_link, cred, dvp, &dvp->v_label, vp,
&vp->v_label, cnp);
MAC_CHECK(check_vnode_link, cred, dvp, dvp->v_label, vp,
vp->v_label, cnp);
return (error);
}
@ -521,7 +577,7 @@ mac_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
if (!mac_enforce_fs)
return (0);
MAC_CHECK(check_vnode_listextattr, cred, vp, &vp->v_label,
MAC_CHECK(check_vnode_listextattr, cred, vp, vp->v_label,
attrnamespace);
return (error);
}
@ -537,7 +593,7 @@ mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
if (!mac_enforce_fs)
return (0);
MAC_CHECK(check_vnode_lookup, cred, dvp, &dvp->v_label, cnp);
MAC_CHECK(check_vnode_lookup, cred, dvp, dvp->v_label, cnp);
return (error);
}
@ -551,7 +607,7 @@ mac_check_vnode_mmap(struct ucred *cred, struct vnode *vp, int prot)
if (!mac_enforce_fs || !mac_enforce_vm)
return (0);
MAC_CHECK(check_vnode_mmap, cred, vp, &vp->v_label, prot);
MAC_CHECK(check_vnode_mmap, cred, vp, vp->v_label, prot);
return (error);
}
@ -565,7 +621,7 @@ mac_check_vnode_mmap_downgrade(struct ucred *cred, struct vnode *vp, int *prot)
if (!mac_enforce_fs || !mac_enforce_vm)
return;
MAC_PERFORM(check_vnode_mmap_downgrade, cred, vp, &vp->v_label,
MAC_PERFORM(check_vnode_mmap_downgrade, cred, vp, vp->v_label,
&result);
*prot = result;
@ -581,7 +637,7 @@ mac_check_vnode_mprotect(struct ucred *cred, struct vnode *vp, int prot)
if (!mac_enforce_fs || !mac_enforce_vm)
return (0);
MAC_CHECK(check_vnode_mprotect, cred, vp, &vp->v_label, prot);
MAC_CHECK(check_vnode_mprotect, cred, vp, vp->v_label, prot);
return (error);
}
@ -595,7 +651,7 @@ mac_check_vnode_open(struct ucred *cred, struct vnode *vp, int acc_mode)
if (!mac_enforce_fs)
return (0);
MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode);
MAC_CHECK(check_vnode_open, cred, vp, vp->v_label, acc_mode);
return (error);
}
@ -611,7 +667,7 @@ mac_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
return (0);
MAC_CHECK(check_vnode_poll, active_cred, file_cred, vp,
&vp->v_label);
vp->v_label);
return (error);
}
@ -628,7 +684,7 @@ mac_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
return (0);
MAC_CHECK(check_vnode_read, active_cred, file_cred, vp,
&vp->v_label);
vp->v_label);
return (error);
}
@ -643,7 +699,7 @@ mac_check_vnode_readdir(struct ucred *cred, struct vnode *dvp)
if (!mac_enforce_fs)
return (0);
MAC_CHECK(check_vnode_readdir, cred, dvp, &dvp->v_label);
MAC_CHECK(check_vnode_readdir, cred, dvp, dvp->v_label);
return (error);
}
@ -657,7 +713,7 @@ mac_check_vnode_readlink(struct ucred *cred, struct vnode *vp)
if (!mac_enforce_fs)
return (0);
MAC_CHECK(check_vnode_readlink, cred, vp, &vp->v_label);
MAC_CHECK(check_vnode_readlink, cred, vp, vp->v_label);
return (error);
}
@ -669,7 +725,7 @@ mac_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
ASSERT_VOP_LOCKED(vp, "mac_check_vnode_relabel");
MAC_CHECK(check_vnode_relabel, cred, vp, &vp->v_label, newlabel);
MAC_CHECK(check_vnode_relabel, cred, vp, vp->v_label, newlabel);
return (error);
}
@ -686,8 +742,8 @@ mac_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
if (!mac_enforce_fs)
return (0);
MAC_CHECK(check_vnode_rename_from, cred, dvp, &dvp->v_label, vp,
&vp->v_label, cnp);
MAC_CHECK(check_vnode_rename_from, cred, dvp, dvp->v_label, vp,
vp->v_label, cnp);
return (error);
}
@ -703,8 +759,8 @@ mac_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
if (!mac_enforce_fs)
return (0);
MAC_CHECK(check_vnode_rename_to, cred, dvp, &dvp->v_label, vp,
vp != NULL ? &vp->v_label : NULL, samedir, cnp);
MAC_CHECK(check_vnode_rename_to, cred, dvp, dvp->v_label, vp,
vp != NULL ? vp->v_label : NULL, samedir, cnp);
return (error);
}
@ -718,7 +774,7 @@ mac_check_vnode_revoke(struct ucred *cred, struct vnode *vp)
if (!mac_enforce_fs)
return (0);
MAC_CHECK(check_vnode_revoke, cred, vp, &vp->v_label);
MAC_CHECK(check_vnode_revoke, cred, vp, vp->v_label);
return (error);
}
@ -733,7 +789,7 @@ mac_check_vnode_setacl(struct ucred *cred, struct vnode *vp, acl_type_t type,
if (!mac_enforce_fs)
return (0);
MAC_CHECK(check_vnode_setacl, cred, vp, &vp->v_label, type, acl);
MAC_CHECK(check_vnode_setacl, cred, vp, vp->v_label, type, acl);
return (error);
}
@ -748,7 +804,7 @@ mac_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
if (!mac_enforce_fs)
return (0);
MAC_CHECK(check_vnode_setextattr, cred, vp, &vp->v_label,
MAC_CHECK(check_vnode_setextattr, cred, vp, vp->v_label,
attrnamespace, name, uio);
return (error);
}
@ -763,7 +819,7 @@ mac_check_vnode_setflags(struct ucred *cred, struct vnode *vp, u_long flags)
if (!mac_enforce_fs)
return (0);
MAC_CHECK(check_vnode_setflags, cred, vp, &vp->v_label, flags);
MAC_CHECK(check_vnode_setflags, cred, vp, vp->v_label, flags);
return (error);
}
@ -777,7 +833,7 @@ mac_check_vnode_setmode(struct ucred *cred, struct vnode *vp, mode_t mode)
if (!mac_enforce_fs)
return (0);
MAC_CHECK(check_vnode_setmode, cred, vp, &vp->v_label, mode);
MAC_CHECK(check_vnode_setmode, cred, vp, vp->v_label, mode);
return (error);
}
@ -792,7 +848,7 @@ mac_check_vnode_setowner(struct ucred *cred, struct vnode *vp, uid_t uid,
if (!mac_enforce_fs)
return (0);
MAC_CHECK(check_vnode_setowner, cred, vp, &vp->v_label, uid, gid);
MAC_CHECK(check_vnode_setowner, cred, vp, vp->v_label, uid, gid);
return (error);
}
@ -807,7 +863,7 @@ mac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
if (!mac_enforce_fs)
return (0);
MAC_CHECK(check_vnode_setutimes, cred, vp, &vp->v_label, atime,
MAC_CHECK(check_vnode_setutimes, cred, vp, vp->v_label, atime,
mtime);
return (error);
}
@ -824,7 +880,7 @@ mac_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
return (0);
MAC_CHECK(check_vnode_stat, active_cred, file_cred, vp,
&vp->v_label);
vp->v_label);
return (error);
}
@ -840,7 +896,7 @@ mac_check_vnode_write(struct ucred *active_cred, struct ucred *file_cred,
return (0);
MAC_CHECK(check_vnode_write, active_cred, file_cred, vp,
&vp->v_label);
vp->v_label);
return (error);
}
@ -849,23 +905,23 @@ void
mac_relabel_vnode(struct ucred *cred, struct vnode *vp, struct label *newlabel)
{
MAC_PERFORM(relabel_vnode, cred, vp, &vp->v_label, newlabel);
MAC_PERFORM(relabel_vnode, cred, vp, vp->v_label, newlabel);
}
void
mac_create_mount(struct ucred *cred, struct mount *mp)
{
MAC_PERFORM(create_mount, cred, mp, &mp->mnt_mntlabel,
&mp->mnt_fslabel);
MAC_PERFORM(create_mount, cred, mp, mp->mnt_mntlabel,
mp->mnt_fslabel);
}
void
mac_create_root_mount(struct ucred *cred, struct mount *mp)
{
MAC_PERFORM(create_root_mount, cred, mp, &mp->mnt_mntlabel,
&mp->mnt_fslabel);
MAC_PERFORM(create_root_mount, cred, mp, mp->mnt_mntlabel,
mp->mnt_fslabel);
}
int
@ -876,7 +932,7 @@ mac_check_mount_stat(struct ucred *cred, struct mount *mount)
if (!mac_enforce_fs)
return (0);
MAC_CHECK(check_mount_stat, cred, mount, &mount->mnt_mntlabel);
MAC_CHECK(check_mount_stat, cred, mount, mount->mnt_mntlabel);
return (error);
}
@ -885,7 +941,7 @@ void
mac_create_devfs_device(struct mount *mp, dev_t dev, struct devfs_dirent *de)
{
MAC_PERFORM(create_devfs_device, mp, dev, de, &de->de_label);
MAC_PERFORM(create_devfs_device, mp, dev, de, de->de_label);
}
void
@ -893,8 +949,8 @@ mac_create_devfs_symlink(struct ucred *cred, struct mount *mp,
struct devfs_dirent *dd, struct devfs_dirent *de)
{
MAC_PERFORM(create_devfs_symlink, cred, mp, dd, &dd->de_label, de,
&de->de_label);
MAC_PERFORM(create_devfs_symlink, cred, mp, dd, dd->de_label, de,
de->de_label);
}
void
@ -903,7 +959,7 @@ mac_create_devfs_directory(struct mount *mp, char *dirname, int dirnamelen,
{
MAC_PERFORM(create_devfs_directory, mp, dirname, dirnamelen, de,
&de->de_label);
de->de_label);
}
/*


@ -811,11 +811,11 @@ mac_biba_create_devfs_directory(struct mount *mp, char *dirname,
static void
mac_biba_create_devfs_symlink(struct ucred *cred, struct mount *mp,
struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de,
struct label *delabel)
struct label *delabel, const char *fullpath)
{
struct mac_biba *source, *dest;
source = SLOT(&cred->cr_label);
source = SLOT(cred->cr_label);
dest = SLOT(delabel);
mac_biba_copy_single(source, dest);
@ -827,7 +827,7 @@ mac_biba_create_mount(struct ucred *cred, struct mount *mp,
{
struct mac_biba *source, *dest;
source = SLOT(&cred->cr_label);
source = SLOT(cred->cr_label);
dest = SLOT(mntlabel);
mac_biba_copy_single(source, dest);
dest = SLOT(fslabel);
@ -949,7 +949,7 @@ mac_biba_create_vnode_extattr(struct ucred *cred, struct mount *mp,
buflen = sizeof(temp);
bzero(&temp, buflen);
source = SLOT(&cred->cr_label);
source = SLOT(cred->cr_label);
dest = SLOT(vlabel);
mac_biba_copy_single(source, &temp);
@ -1003,7 +1003,7 @@ mac_biba_create_socket(struct ucred *cred, struct socket *socket,
{
struct mac_biba *source, *dest;
source = SLOT(&cred->cr_label);
source = SLOT(cred->cr_label);
dest = SLOT(socketlabel);
mac_biba_copy_single(source, dest);
@ -1015,7 +1015,7 @@ mac_biba_create_pipe(struct ucred *cred, struct pipe *pipe,
{
struct mac_biba *source, *dest;
source = SLOT(&cred->cr_label);
source = SLOT(cred->cr_label);
dest = SLOT(pipelabel);
mac_biba_copy_single(source, dest);
@ -1092,7 +1092,7 @@ mac_biba_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d,
{
struct mac_biba *source, *dest;
source = SLOT(&cred->cr_label);
source = SLOT(cred->cr_label);
dest = SLOT(bpflabel);
mac_biba_copy_single(source, dest);
@ -1313,8 +1313,8 @@ mac_biba_create_cred(struct ucred *cred_parent, struct ucred *cred_child)
{
struct mac_biba *source, *dest;
source = SLOT(&cred_parent->cr_label);
dest = SLOT(&cred_child->cr_label);
source = SLOT(cred_parent->cr_label);
dest = SLOT(cred_child->cr_label);
mac_biba_copy_single(source, dest);
mac_biba_copy_range(source, dest);
@ -1325,7 +1325,7 @@ mac_biba_create_proc0(struct ucred *cred)
{
struct mac_biba *dest;
dest = SLOT(&cred->cr_label);
dest = SLOT(cred->cr_label);
mac_biba_set_single(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL);
mac_biba_set_range(dest, MAC_BIBA_TYPE_LOW, 0, NULL,
@ -1337,7 +1337,7 @@ mac_biba_create_proc1(struct ucred *cred)
{
struct mac_biba *dest;
dest = SLOT(&cred->cr_label);
dest = SLOT(cred->cr_label);
mac_biba_set_single(dest, MAC_BIBA_TYPE_HIGH, 0, NULL);
mac_biba_set_range(dest, MAC_BIBA_TYPE_LOW, 0, NULL,
@ -1350,7 +1350,7 @@ mac_biba_relabel_cred(struct ucred *cred, struct label *newlabel)
struct mac_biba *source, *dest;
source = SLOT(newlabel);
dest = SLOT(&cred->cr_label);
dest = SLOT(cred->cr_label);
mac_biba_copy(source, dest);
}
@ -1381,7 +1381,7 @@ mac_biba_check_cred_relabel(struct ucred *cred, struct label *newlabel)
struct mac_biba *subj, *new;
int error;
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
new = SLOT(newlabel);
/*
@ -1445,8 +1445,8 @@ mac_biba_check_cred_visible(struct ucred *u1, struct ucred *u2)
if (!mac_biba_enabled)
return (0);
subj = SLOT(&u1->cr_label);
obj = SLOT(&u2->cr_label);
subj = SLOT(u1->cr_label);
obj = SLOT(u2->cr_label);
/* XXX: range */
if (!mac_biba_dominate_single(obj, subj))
@ -1462,7 +1462,7 @@ mac_biba_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet,
struct mac_biba *subj, *new;
int error;
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
new = SLOT(newlabel);
/*
@ -1508,7 +1508,7 @@ mac_biba_check_kld_load(struct ucred *cred, struct vnode *vp,
if (!mac_biba_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
error = mac_biba_subject_privileged(subj);
if (error)
@ -1530,7 +1530,7 @@ mac_biba_check_kld_unload(struct ucred *cred)
if (!mac_biba_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
return (mac_biba_subject_privileged(subj));
}
@ -1544,7 +1544,7 @@ mac_biba_check_mount_stat(struct ucred *cred, struct mount *mp,
if (!mac_biba_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(mntlabel);
if (!mac_biba_dominate_single(obj, subj))
@ -1575,7 +1575,7 @@ mac_biba_check_pipe_poll(struct ucred *cred, struct pipe *pipe,
if (!mac_biba_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT((pipelabel));
if (!mac_biba_dominate_single(obj, subj))
@ -1593,7 +1593,7 @@ mac_biba_check_pipe_read(struct ucred *cred, struct pipe *pipe,
if (!mac_biba_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT((pipelabel));
if (!mac_biba_dominate_single(obj, subj))
@ -1610,7 +1610,7 @@ mac_biba_check_pipe_relabel(struct ucred *cred, struct pipe *pipe,
int error;
new = SLOT(newlabel);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(pipelabel);
/*
@ -1662,7 +1662,7 @@ mac_biba_check_pipe_stat(struct ucred *cred, struct pipe *pipe,
if (!mac_biba_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT((pipelabel));
if (!mac_biba_dominate_single(obj, subj))
@ -1680,7 +1680,7 @@ mac_biba_check_pipe_write(struct ucred *cred, struct pipe *pipe,
if (!mac_biba_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT((pipelabel));
if (!mac_biba_dominate_single(subj, obj))
@ -1697,8 +1697,8 @@ mac_biba_check_proc_debug(struct ucred *cred, struct proc *proc)
if (!mac_biba_enabled)
return (0);
subj = SLOT(&cred->cr_label);
obj = SLOT(&proc->p_ucred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(proc->p_ucred->cr_label);
/* XXX: range checks */
if (!mac_biba_dominate_single(obj, subj))
@ -1717,8 +1717,8 @@ mac_biba_check_proc_sched(struct ucred *cred, struct proc *proc)
if (!mac_biba_enabled)
return (0);
subj = SLOT(&cred->cr_label);
obj = SLOT(&proc->p_ucred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(proc->p_ucred->cr_label);
/* XXX: range checks */
if (!mac_biba_dominate_single(obj, subj))
@ -1737,8 +1737,8 @@ mac_biba_check_proc_signal(struct ucred *cred, struct proc *proc, int signum)
if (!mac_biba_enabled)
return (0);
subj = SLOT(&cred->cr_label);
obj = SLOT(&proc->p_ucred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(proc->p_ucred->cr_label);
/* XXX: range checks */
if (!mac_biba_dominate_single(obj, subj))
@ -1772,7 +1772,7 @@ mac_biba_check_socket_relabel(struct ucred *cred, struct socket *so,
int error;
new = SLOT(newlabel);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(socketlabel);
/*
@ -1824,7 +1824,7 @@ mac_biba_check_socket_visible(struct ucred *cred, struct socket *socket,
if (!mac_biba_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(socketlabel);
if (!mac_biba_dominate_single(obj, subj))
@ -1842,7 +1842,7 @@ mac_biba_check_sysarch_ioperm(struct ucred *cred)
if (!mac_biba_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
error = mac_biba_subject_privileged(subj);
if (error)
@ -1861,7 +1861,7 @@ mac_biba_check_system_acct(struct ucred *cred, struct vnode *vp,
if (!mac_biba_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
error = mac_biba_subject_privileged(subj);
if (error)
@ -1886,7 +1886,7 @@ mac_biba_check_system_settime(struct ucred *cred)
if (!mac_biba_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
error = mac_biba_subject_privileged(subj);
if (error)
@ -1905,7 +1905,7 @@ mac_biba_check_system_swapon(struct ucred *cred, struct vnode *vp,
if (!mac_biba_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(label);
error = mac_biba_subject_privileged(subj);
@ -1928,7 +1928,7 @@ mac_biba_check_system_swapoff(struct ucred *cred, struct vnode *vp,
if (!mac_biba_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(label);
error = mac_biba_subject_privileged(subj);
@ -1948,7 +1948,7 @@ mac_biba_check_system_sysctl(struct ucred *cred, int *name, u_int namelen,
if (!mac_biba_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
/*
* In general, treat sysctl variables as biba/high, but also
@ -1981,7 +1981,7 @@ mac_biba_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
if (!mac_biba_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(dlabel);
if (!mac_biba_dominate_single(obj, subj))
@ -1999,7 +1999,7 @@ mac_biba_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
if (!mac_biba_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(dlabel);
if (!mac_biba_dominate_single(obj, subj))
@ -2017,7 +2017,7 @@ mac_biba_check_vnode_create(struct ucred *cred, struct vnode *dvp,
if (!mac_biba_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(dlabel);
if (!mac_biba_dominate_single(subj, obj))
@ -2036,7 +2036,7 @@ mac_biba_check_vnode_delete(struct ucred *cred, struct vnode *dvp,
if (!mac_biba_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(dlabel);
if (!mac_biba_dominate_single(subj, obj))
@ -2059,7 +2059,7 @@ mac_biba_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
if (!mac_biba_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(label);
if (!mac_biba_dominate_single(subj, obj))
@ -2077,7 +2077,7 @@ mac_biba_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
if (!mac_biba_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(label);
if (!mac_biba_dominate_single(subj, obj))
@ -2109,7 +2109,7 @@ mac_biba_check_vnode_exec(struct ucred *cred, struct vnode *vp,
if (!mac_biba_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(label);
if (!mac_biba_dominate_single(obj, subj))
@ -2127,7 +2127,7 @@ mac_biba_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
if (!mac_biba_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(label);
if (!mac_biba_dominate_single(obj, subj))
@ -2145,7 +2145,7 @@ mac_biba_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
if (!mac_biba_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(label);
if (!mac_biba_dominate_single(obj, subj))
@ -2164,7 +2164,7 @@ mac_biba_check_vnode_link(struct ucred *cred, struct vnode *dvp,
if (!mac_biba_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(dlabel);
if (!mac_biba_dominate_single(subj, obj))
@ -2187,7 +2187,7 @@ mac_biba_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
if (!mac_biba_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(label);
if (!mac_biba_dominate_single(obj, subj))
@ -2205,7 +2205,7 @@ mac_biba_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
if (!mac_biba_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(dlabel);
if (!mac_biba_dominate_single(obj, subj))
@ -2227,7 +2227,7 @@ mac_biba_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
if (!mac_biba_enabled || !revocation_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(label);
if (prot & (VM_PROT_READ | VM_PROT_EXECUTE)) {
@ -2251,7 +2251,7 @@ mac_biba_check_vnode_open(struct ucred *cred, struct vnode *vp,
if (!mac_biba_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(vnodelabel);
/* XXX privilege override for admin? */
@ -2276,7 +2276,7 @@ mac_biba_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
if (!mac_biba_enabled || !revocation_enabled)
return (0);
subj = SLOT(&active_cred->cr_label);
subj = SLOT(active_cred->cr_label);
obj = SLOT(label);
if (!mac_biba_dominate_single(obj, subj))
@ -2294,7 +2294,7 @@ mac_biba_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
if (!mac_biba_enabled || !revocation_enabled)
return (0);
subj = SLOT(&active_cred->cr_label);
subj = SLOT(active_cred->cr_label);
obj = SLOT(label);
if (!mac_biba_dominate_single(obj, subj))
@ -2312,7 +2312,7 @@ mac_biba_check_vnode_readdir(struct ucred *cred, struct vnode *dvp,
if (!mac_biba_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(dlabel);
if (!mac_biba_dominate_single(obj, subj))
@ -2330,7 +2330,7 @@ mac_biba_check_vnode_readlink(struct ucred *cred, struct vnode *vp,
if (!mac_biba_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(label);
if (!mac_biba_dominate_single(obj, subj))
@ -2348,7 +2348,7 @@ mac_biba_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
old = SLOT(vnodelabel);
new = SLOT(newlabel);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
/*
* If there is a Biba label update for the vnode, it must be a
@ -2400,7 +2400,7 @@ mac_biba_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
if (!mac_biba_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(dlabel);
if (!mac_biba_dominate_single(subj, obj))
@ -2424,7 +2424,7 @@ mac_biba_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
if (!mac_biba_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(dlabel);
if (!mac_biba_dominate_single(subj, obj))
@ -2449,7 +2449,7 @@ mac_biba_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
if (!mac_biba_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(label);
if (!mac_biba_dominate_single(subj, obj))
@ -2467,7 +2467,7 @@ mac_biba_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
if (!mac_biba_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(label);
if (!mac_biba_dominate_single(subj, obj))
@ -2486,7 +2486,7 @@ mac_biba_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
if (!mac_biba_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(vnodelabel);
if (!mac_biba_dominate_single(subj, obj))
@ -2506,7 +2506,7 @@ mac_biba_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
if (!mac_biba_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(vnodelabel);
if (!mac_biba_dominate_single(subj, obj))
@ -2524,7 +2524,7 @@ mac_biba_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
if (!mac_biba_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(vnodelabel);
if (!mac_biba_dominate_single(subj, obj))
@ -2542,7 +2542,7 @@ mac_biba_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
if (!mac_biba_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(vnodelabel);
if (!mac_biba_dominate_single(subj, obj))
@ -2560,7 +2560,7 @@ mac_biba_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
if (!mac_biba_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(vnodelabel);
if (!mac_biba_dominate_single(subj, obj))
@ -2578,7 +2578,7 @@ mac_biba_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
if (!mac_biba_enabled)
return (0);
subj = SLOT(&active_cred->cr_label);
subj = SLOT(active_cred->cr_label);
obj = SLOT(vnodelabel);
if (!mac_biba_dominate_single(obj, subj))
@ -2596,7 +2596,7 @@ mac_biba_check_vnode_write(struct ucred *active_cred,
if (!mac_biba_enabled || !revocation_enabled)
return (0);
subj = SLOT(&active_cred->cr_label);
subj = SLOT(active_cred->cr_label);
obj = SLOT(label);
if (!mac_biba_dominate_single(subj, obj))
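Review bot: The signature of `mac_biba_create_devfs_symlink` changes in the first hunk of this file (the `struct label *delabel)` line appears once without and once with a trailing `const char *fullpath`), which is unrelated to the label-pointer conversion and is not mentioned in the commit message, while the framework-side caller `mac_create_devfs_symlink` in kern_mac.c passes `dd, dd->de_label, de, de->de_label` with no path argument. If policy entry points are reached through the generic MAC_PERFORM dispatch rather than a direct prototyped call, a parameter-list mismatch between the policy function and the framework would not be caught by the compiler, so whichever side of this line is new should be verified against the policy-operation prototype in the same change. Every other hunk in this file replaces `SLOT(&cred->cr_label)` with `SLOT(cred->cr_label)`, which now dereferences a pointer rather than taking the address of an embedded member, and the framework is shown clearing such pointers after free (`mp->mnt_fslabel = NULL`, `vp->v_label = NULL` in kern_mac.c); these access checks therefore rely on the invariant that a live credential always carries an allocated label. That invariant is worth recording once near the `SLOT` definition, e.g. `/* NOTE(review): assumes cr_label is non-NULL for every live ucred -- confirm against the framework's cred label allocation path. */`, since a NULL label here would fault inside an access-control decision rather than fail closed.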


@ -499,7 +499,7 @@ maybe_demote(struct mac_lomac *subjlabel, struct mac_lomac *objlabel,
struct proc *p;
pid_t pgid;
subj = PSLOT(&curthread->td_proc->p_label);
subj = PSLOT(curthread->td_proc->p_label);
p = curthread->td_proc;
mtx_lock(&subj->mtx);
@ -941,7 +941,7 @@ mac_lomac_create_devfs_symlink(struct ucred *cred, struct mount *mp,
{
struct mac_lomac *source, *dest;
source = SLOT(&cred->cr_label);
source = SLOT(cred->cr_label);
dest = SLOT(delabel);
mac_lomac_copy_single(source, dest);
@ -953,7 +953,7 @@ mac_lomac_create_mount(struct ucred *cred, struct mount *mp,
{
struct mac_lomac *source, *dest;
source = SLOT(&cred->cr_label);
source = SLOT(cred->cr_label);
dest = SLOT(mntlabel);
mac_lomac_copy_single(source, dest);
dest = SLOT(fslabel);
@ -1082,7 +1082,7 @@ mac_lomac_create_vnode_extattr(struct ucred *cred, struct mount *mp,
buflen = sizeof(temp);
bzero(&temp, buflen);
source = SLOT(&cred->cr_label);
source = SLOT(cred->cr_label);
dest = SLOT(vlabel);
dir = SLOT(dlabel);
if (dir->ml_flags & MAC_LOMAC_FLAG_AUX) {
@ -1142,7 +1142,7 @@ mac_lomac_create_socket(struct ucred *cred, struct socket *socket,
{
struct mac_lomac *source, *dest;
source = SLOT(&cred->cr_label);
source = SLOT(cred->cr_label);
dest = SLOT(socketlabel);
mac_lomac_copy_single(source, dest);
@ -1154,7 +1154,7 @@ mac_lomac_create_pipe(struct ucred *cred, struct pipe *pipe,
{
struct mac_lomac *source, *dest;
source = SLOT(&cred->cr_label);
source = SLOT(cred->cr_label);
dest = SLOT(pipelabel);
mac_lomac_copy_single(source, dest);
@ -1231,7 +1231,7 @@ mac_lomac_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d,
{
struct mac_lomac *source, *dest;
source = SLOT(&cred->cr_label);
source = SLOT(cred->cr_label);
dest = SLOT(bpflabel);
mac_lomac_copy_single(source, dest);
@ -1453,8 +1453,8 @@ mac_lomac_create_cred(struct ucred *cred_parent, struct ucred *cred_child)
{
struct mac_lomac *source, *dest;
source = SLOT(&cred_parent->cr_label);
dest = SLOT(&cred_child->cr_label);
source = SLOT(cred_parent->cr_label);
dest = SLOT(cred_child->cr_label);
mac_lomac_copy_single(source, dest);
mac_lomac_copy_range(source, dest);
@ -1468,8 +1468,8 @@ mac_lomac_execve_transition(struct ucred *old, struct ucred *new,
{
struct mac_lomac *source, *dest, *obj, *robj;
source = SLOT(&old->cr_label);
dest = SLOT(&new->cr_label);
source = SLOT(old->cr_label);
dest = SLOT(new->cr_label);
obj = SLOT(vnodelabel);
robj = interpvnodelabel != NULL ? SLOT(interpvnodelabel) : obj;
@ -1507,7 +1507,7 @@ mac_lomac_execve_will_transition(struct ucred *old, struct vnode *vp,
if (!mac_lomac_enabled || !revocation_enabled)
return (0);
subj = SLOT(&old->cr_label);
subj = SLOT(old->cr_label);
obj = SLOT(vnodelabel);
robj = interpvnodelabel != NULL ? SLOT(interpvnodelabel) : obj;
@ -1522,7 +1522,7 @@ mac_lomac_create_proc0(struct ucred *cred)
{
struct mac_lomac *dest;
dest = SLOT(&cred->cr_label);
dest = SLOT(cred->cr_label);
mac_lomac_set_single(dest, MAC_LOMAC_TYPE_EQUAL, 0);
mac_lomac_set_range(dest, MAC_LOMAC_TYPE_LOW, 0, MAC_LOMAC_TYPE_HIGH,
@ -1534,7 +1534,7 @@ mac_lomac_create_proc1(struct ucred *cred)
{
struct mac_lomac *dest;
dest = SLOT(&cred->cr_label);
dest = SLOT(cred->cr_label);
mac_lomac_set_single(dest, MAC_LOMAC_TYPE_HIGH, 0);
mac_lomac_set_range(dest, MAC_LOMAC_TYPE_LOW, 0, MAC_LOMAC_TYPE_HIGH,
@ -1547,7 +1547,7 @@ mac_lomac_relabel_cred(struct ucred *cred, struct label *newlabel)
struct mac_lomac *source, *dest;
source = SLOT(newlabel);
dest = SLOT(&cred->cr_label);
dest = SLOT(cred->cr_label);
try_relabel(source, dest);
}
@ -1578,7 +1578,7 @@ mac_lomac_check_cred_relabel(struct ucred *cred, struct label *newlabel)
struct mac_lomac *subj, *new;
int error;
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
new = SLOT(newlabel);
/*
@ -1646,8 +1646,8 @@ mac_lomac_check_cred_visible(struct ucred *u1, struct ucred *u2)
if (!mac_lomac_enabled)
return (0);
subj = SLOT(&u1->cr_label);
obj = SLOT(&u2->cr_label);
subj = SLOT(u1->cr_label);
obj = SLOT(u2->cr_label);
/* XXX: range */
if (!mac_lomac_dominate_single(obj, subj))
@ -1663,7 +1663,7 @@ mac_lomac_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet,
struct mac_lomac *subj, *new;
int error;
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
new = SLOT(newlabel);
/*
@ -1735,7 +1735,7 @@ mac_lomac_check_kld_load(struct ucred *cred, struct vnode *vp,
if (!mac_lomac_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(label);
if (mac_lomac_subject_privileged(subj))
@ -1755,7 +1755,7 @@ mac_lomac_check_kld_unload(struct ucred *cred)
if (!mac_lomac_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
if (mac_lomac_subject_privileged(subj))
return (EPERM);
@ -1785,7 +1785,7 @@ mac_lomac_check_pipe_read(struct ucred *cred, struct pipe *pipe,
if (!mac_lomac_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT((pipelabel));
if (!mac_lomac_dominate_single(obj, subj))
@ -1802,7 +1802,7 @@ mac_lomac_check_pipe_relabel(struct ucred *cred, struct pipe *pipe,
int error;
new = SLOT(newlabel);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(pipelabel);
/*
@ -1854,7 +1854,7 @@ mac_lomac_check_pipe_write(struct ucred *cred, struct pipe *pipe,
if (!mac_lomac_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT((pipelabel));
if (!mac_lomac_subject_dominate(subj, obj))
@ -1871,8 +1871,8 @@ mac_lomac_check_proc_debug(struct ucred *cred, struct proc *proc)
if (!mac_lomac_enabled)
return (0);
subj = SLOT(&cred->cr_label);
obj = SLOT(&proc->p_ucred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(proc->p_ucred->cr_label);
/* XXX: range checks */
if (!mac_lomac_dominate_single(obj, subj))
@ -1891,8 +1891,8 @@ mac_lomac_check_proc_sched(struct ucred *cred, struct proc *proc)
if (!mac_lomac_enabled)
return (0);
subj = SLOT(&cred->cr_label);
obj = SLOT(&proc->p_ucred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(proc->p_ucred->cr_label);
/* XXX: range checks */
if (!mac_lomac_dominate_single(obj, subj))
@ -1911,8 +1911,8 @@ mac_lomac_check_proc_signal(struct ucred *cred, struct proc *proc, int signum)
if (!mac_lomac_enabled)
return (0);
subj = SLOT(&cred->cr_label);
obj = SLOT(&proc->p_ucred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(proc->p_ucred->cr_label);
/* XXX: range checks */
if (!mac_lomac_dominate_single(obj, subj))
@ -1946,7 +1946,7 @@ mac_lomac_check_socket_relabel(struct ucred *cred, struct socket *socket,
int error;
new = SLOT(newlabel);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(socketlabel);
/*
@ -1998,7 +1998,7 @@ mac_lomac_check_socket_visible(struct ucred *cred, struct socket *socket,
if (!mac_lomac_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(socketlabel);
if (!mac_lomac_dominate_single(obj, subj))
@ -2016,7 +2016,7 @@ mac_lomac_check_system_swapon(struct ucred *cred, struct vnode *vp,
if (!mac_lomac_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(label);
if (mac_lomac_subject_privileged(subj))
@ -2037,7 +2037,7 @@ mac_lomac_check_system_sysctl(struct ucred *cred, int *name, u_int namelen,
if (!mac_lomac_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
/*
* In general, treat sysctl variables as lomac/high, but also
@ -2071,7 +2071,7 @@ mac_lomac_check_vnode_create(struct ucred *cred, struct vnode *dvp,
if (!mac_lomac_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(dlabel);
if (!mac_lomac_subject_dominate(subj, obj))
@ -2093,7 +2093,7 @@ mac_lomac_check_vnode_delete(struct ucred *cred, struct vnode *dvp,
if (!mac_lomac_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(dlabel);
if (!mac_lomac_subject_dominate(subj, obj))
@ -2116,7 +2116,7 @@ mac_lomac_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
if (!mac_lomac_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(label);
if (!mac_lomac_subject_dominate(subj, obj))
@ -2135,7 +2135,7 @@ mac_lomac_check_vnode_link(struct ucred *cred, struct vnode *dvp,
if (!mac_lomac_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(dlabel);
if (!mac_lomac_subject_dominate(subj, obj))
@ -2162,7 +2162,7 @@ mac_lomac_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
if (!mac_lomac_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(label);
if (prot & VM_PROT_WRITE) {
@ -2190,7 +2190,7 @@ mac_lomac_check_vnode_mprotect(struct ucred *cred, struct vnode *vp,
if (!mac_lomac_enabled || !revocation_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(label);
if (prot & VM_PROT_WRITE) {
@ -2218,7 +2218,7 @@ mac_lomac_check_vnode_mmap_downgrade(struct ucred *cred, struct vnode *vp,
if (!mac_lomac_enabled || !revocation_enabled)
return;
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(label);
if (!mac_lomac_subject_dominate(subj, obj))
@ -2234,7 +2234,7 @@ mac_lomac_check_vnode_open(struct ucred *cred, struct vnode *vp,
if (!mac_lomac_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(vnodelabel);
/* XXX privilege override for admin? */
@ -2255,7 +2255,7 @@ mac_lomac_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
if (!mac_lomac_enabled || !revocation_enabled)
return (0);
subj = SLOT(&active_cred->cr_label);
subj = SLOT(active_cred->cr_label);
obj = SLOT(label);
if (!mac_lomac_dominate_single(obj, subj))
@ -2273,7 +2273,7 @@ mac_lomac_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
old = SLOT(vnodelabel);
new = SLOT(newlabel);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
/*
* If there is a LOMAC label update for the vnode, it must be a
@ -2350,7 +2350,7 @@ mac_lomac_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
if (!mac_lomac_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(dlabel);
if (!mac_lomac_subject_dominate(subj, obj))
@ -2374,7 +2374,7 @@ mac_lomac_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
if (!mac_lomac_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(dlabel);
if (!mac_lomac_subject_dominate(subj, obj))
@ -2399,7 +2399,7 @@ mac_lomac_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
if (!mac_lomac_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(label);
if (!mac_lomac_subject_dominate(subj, obj))
@ -2417,7 +2417,7 @@ mac_lomac_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
if (!mac_lomac_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(label);
if (!mac_lomac_subject_dominate(subj, obj))
@ -2436,7 +2436,7 @@ mac_lomac_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
if (!mac_lomac_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(vnodelabel);
if (!mac_lomac_subject_dominate(subj, obj))
@ -2456,7 +2456,7 @@ mac_lomac_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
if (!mac_lomac_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(vnodelabel);
if (!mac_lomac_subject_dominate(subj, obj))
@ -2474,7 +2474,7 @@ mac_lomac_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
if (!mac_lomac_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(vnodelabel);
if (!mac_lomac_subject_dominate(subj, obj))
@ -2492,7 +2492,7 @@ mac_lomac_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
if (!mac_lomac_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(vnodelabel);
if (!mac_lomac_subject_dominate(subj, obj))
@ -2510,7 +2510,7 @@ mac_lomac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
if (!mac_lomac_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(vnodelabel);
if (!mac_lomac_subject_dominate(subj, obj))
@ -2528,7 +2528,7 @@ mac_lomac_check_vnode_write(struct ucred *active_cred,
if (!mac_lomac_enabled || !revocation_enabled)
return (0);
subj = SLOT(&active_cred->cr_label);
subj = SLOT(active_cred->cr_label);
obj = SLOT(label);
if (!mac_lomac_subject_dominate(subj, obj))
@ -2541,7 +2541,7 @@ static void
mac_lomac_thread_userret(struct thread *td)
{
struct proc *p = td->td_proc;
struct mac_lomac_proc *subj = PSLOT(&p->p_label);
struct mac_lomac_proc *subj = PSLOT(p->p_label);
struct ucred *newcred, *oldcred;
int dodrop;
@ -2568,7 +2568,7 @@ mac_lomac_thread_userret(struct thread *td)
oldcred = p->p_ucred;
crcopy(newcred, oldcred);
crhold(newcred);
mac_lomac_copy(&subj->mac_lomac, SLOT(&newcred->cr_label));
mac_lomac_copy(&subj->mac_lomac, SLOT(newcred->cr_label));
p->p_ucred = newcred;
crfree(oldcred);
dodrop = 1;


@ -781,11 +781,11 @@ mac_mls_create_devfs_directory(struct mount *mp, char *dirname,
static void
mac_mls_create_devfs_symlink(struct ucred *cred, struct mount *mp,
struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de,
struct label *delabel)
struct label *delabel, const char *fullpath)
{
struct mac_mls *source, *dest;
source = SLOT(&cred->cr_label);
source = SLOT(cred->cr_label);
dest = SLOT(delabel);
mac_mls_copy_single(source, dest);
@ -797,7 +797,7 @@ mac_mls_create_mount(struct ucred *cred, struct mount *mp,
{
struct mac_mls *source, *dest;
source = SLOT(&cred->cr_label);
source = SLOT(cred->cr_label);
dest = SLOT(mntlabel);
mac_mls_copy_single(source, dest);
dest = SLOT(fslabel);
@ -919,7 +919,7 @@ mac_mls_create_vnode_extattr(struct ucred *cred, struct mount *mp,
buflen = sizeof(temp);
bzero(&temp, buflen);
source = SLOT(&cred->cr_label);
source = SLOT(cred->cr_label);
dest = SLOT(vlabel);
mac_mls_copy_single(source, &temp);
@ -973,7 +973,7 @@ mac_mls_create_socket(struct ucred *cred, struct socket *socket,
{
struct mac_mls *source, *dest;
source = SLOT(&cred->cr_label);
source = SLOT(cred->cr_label);
dest = SLOT(socketlabel);
mac_mls_copy_single(source, dest);
@ -985,7 +985,7 @@ mac_mls_create_pipe(struct ucred *cred, struct pipe *pipe,
{
struct mac_mls *source, *dest;
source = SLOT(&cred->cr_label);
source = SLOT(cred->cr_label);
dest = SLOT(pipelabel);
mac_mls_copy_single(source, dest);
@ -1062,7 +1062,7 @@ mac_mls_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d,
{
struct mac_mls *source, *dest;
source = SLOT(&cred->cr_label);
source = SLOT(cred->cr_label);
dest = SLOT(bpflabel);
mac_mls_copy_single(source, dest);
@ -1243,8 +1243,8 @@ mac_mls_create_cred(struct ucred *cred_parent, struct ucred *cred_child)
{
struct mac_mls *source, *dest;
source = SLOT(&cred_parent->cr_label);
dest = SLOT(&cred_child->cr_label);
source = SLOT(cred_parent->cr_label);
dest = SLOT(cred_child->cr_label);
mac_mls_copy_single(source, dest);
mac_mls_copy_range(source, dest);
@ -1255,7 +1255,7 @@ mac_mls_create_proc0(struct ucred *cred)
{
struct mac_mls *dest;
dest = SLOT(&cred->cr_label);
dest = SLOT(cred->cr_label);
mac_mls_set_single(dest, MAC_MLS_TYPE_EQUAL, 0, NULL);
mac_mls_set_range(dest, MAC_MLS_TYPE_LOW, 0, NULL, MAC_MLS_TYPE_HIGH,
@ -1267,7 +1267,7 @@ mac_mls_create_proc1(struct ucred *cred)
{
struct mac_mls *dest;
dest = SLOT(&cred->cr_label);
dest = SLOT(cred->cr_label);
mac_mls_set_single(dest, MAC_MLS_TYPE_LOW, 0, NULL);
mac_mls_set_range(dest, MAC_MLS_TYPE_LOW, 0, NULL, MAC_MLS_TYPE_HIGH,
@ -1280,7 +1280,7 @@ mac_mls_relabel_cred(struct ucred *cred, struct label *newlabel)
struct mac_mls *source, *dest;
source = SLOT(newlabel);
dest = SLOT(&cred->cr_label);
dest = SLOT(cred->cr_label);
mac_mls_copy(source, dest);
}
@ -1311,7 +1311,7 @@ mac_mls_check_cred_relabel(struct ucred *cred, struct label *newlabel)
struct mac_mls *subj, *new;
int error;
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
new = SLOT(newlabel);
/*
@ -1375,8 +1375,8 @@ mac_mls_check_cred_visible(struct ucred *u1, struct ucred *u2)
if (!mac_mls_enabled)
return (0);
subj = SLOT(&u1->cr_label);
obj = SLOT(&u2->cr_label);
subj = SLOT(u1->cr_label);
obj = SLOT(u2->cr_label);
/* XXX: range */
if (!mac_mls_dominate_single(subj, obj))
@ -1392,7 +1392,7 @@ mac_mls_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet,
struct mac_mls *subj, *new;
int error;
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
new = SLOT(newlabel);
/*
@ -1435,7 +1435,7 @@ mac_mls_check_mount_stat(struct ucred *cred, struct mount *mp,
if (!mac_mls_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(mntlabel);
if (!mac_mls_dominate_single(subj, obj))
@ -1466,7 +1466,7 @@ mac_mls_check_pipe_poll(struct ucred *cred, struct pipe *pipe,
if (!mac_mls_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT((pipelabel));
if (!mac_mls_dominate_single(subj, obj))
@ -1484,7 +1484,7 @@ mac_mls_check_pipe_read(struct ucred *cred, struct pipe *pipe,
if (!mac_mls_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT((pipelabel));
if (!mac_mls_dominate_single(subj, obj))
@ -1501,7 +1501,7 @@ mac_mls_check_pipe_relabel(struct ucred *cred, struct pipe *pipe,
int error;
new = SLOT(newlabel);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(pipelabel);
/*
@ -1553,7 +1553,7 @@ mac_mls_check_pipe_stat(struct ucred *cred, struct pipe *pipe,
if (!mac_mls_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT((pipelabel));
if (!mac_mls_dominate_single(subj, obj))
@ -1571,7 +1571,7 @@ mac_mls_check_pipe_write(struct ucred *cred, struct pipe *pipe,
if (!mac_mls_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT((pipelabel));
if (!mac_mls_dominate_single(obj, subj))
@ -1588,8 +1588,8 @@ mac_mls_check_proc_debug(struct ucred *cred, struct proc *proc)
if (!mac_mls_enabled)
return (0);
subj = SLOT(&cred->cr_label);
obj = SLOT(&proc->p_ucred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(proc->p_ucred->cr_label);
/* XXX: range checks */
if (!mac_mls_dominate_single(subj, obj))
@ -1608,8 +1608,8 @@ mac_mls_check_proc_sched(struct ucred *cred, struct proc *proc)
if (!mac_mls_enabled)
return (0);
subj = SLOT(&cred->cr_label);
obj = SLOT(&proc->p_ucred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(proc->p_ucred->cr_label);
/* XXX: range checks */
if (!mac_mls_dominate_single(subj, obj))
@ -1628,8 +1628,8 @@ mac_mls_check_proc_signal(struct ucred *cred, struct proc *proc, int signum)
if (!mac_mls_enabled)
return (0);
subj = SLOT(&cred->cr_label);
obj = SLOT(&proc->p_ucred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(proc->p_ucred->cr_label);
/* XXX: range checks */
if (!mac_mls_dominate_single(subj, obj))
@ -1663,7 +1663,7 @@ mac_mls_check_socket_relabel(struct ucred *cred, struct socket *socket,
int error;
new = SLOT(newlabel);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(socketlabel);
/*
@ -1715,7 +1715,7 @@ mac_mls_check_socket_visible(struct ucred *cred, struct socket *socket,
if (!mac_mls_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(socketlabel);
if (!mac_mls_dominate_single(subj, obj))
@ -1733,7 +1733,7 @@ mac_mls_check_system_swapon(struct ucred *cred, struct vnode *vp,
if (!mac_mls_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(label);
if (!mac_mls_dominate_single(obj, subj) ||
@ -1752,7 +1752,7 @@ mac_mls_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
if (!mac_mls_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(dlabel);
if (!mac_mls_dominate_single(subj, obj))
@ -1770,7 +1770,7 @@ mac_mls_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
if (!mac_mls_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(dlabel);
if (!mac_mls_dominate_single(subj, obj))
@ -1788,7 +1788,7 @@ mac_mls_check_vnode_create(struct ucred *cred, struct vnode *dvp,
if (!mac_mls_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(dlabel);
if (!mac_mls_dominate_single(obj, subj))
@ -1807,7 +1807,7 @@ mac_mls_check_vnode_delete(struct ucred *cred, struct vnode *dvp,
if (!mac_mls_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(dlabel);
if (!mac_mls_dominate_single(obj, subj))
@ -1830,7 +1830,7 @@ mac_mls_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
if (!mac_mls_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(label);
if (!mac_mls_dominate_single(obj, subj))
@ -1848,7 +1848,7 @@ mac_mls_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
if (!mac_mls_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(label);
if (!mac_mls_dominate_single(obj, subj))
@ -1880,7 +1880,7 @@ mac_mls_check_vnode_exec(struct ucred *cred, struct vnode *vp,
if (!mac_mls_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(label);
if (!mac_mls_dominate_single(subj, obj))
@ -1898,7 +1898,7 @@ mac_mls_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
if (!mac_mls_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(label);
if (!mac_mls_dominate_single(subj, obj))
@ -1916,7 +1916,7 @@ mac_mls_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
if (!mac_mls_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(label);
if (!mac_mls_dominate_single(subj, obj))
@ -1935,7 +1935,7 @@ mac_mls_check_vnode_link(struct ucred *cred, struct vnode *dvp,
if (!mac_mls_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(dlabel);
if (!mac_mls_dominate_single(obj, subj))
@ -1958,7 +1958,7 @@ mac_mls_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
if (!mac_mls_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(label);
if (!mac_mls_dominate_single(subj, obj))
@ -1976,7 +1976,7 @@ mac_mls_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
if (!mac_mls_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(dlabel);
if (!mac_mls_dominate_single(subj, obj))
@ -1998,7 +1998,7 @@ mac_mls_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
if (!mac_mls_enabled || !revocation_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(label);
if (prot & (VM_PROT_READ | VM_PROT_EXECUTE)) {
@ -2022,7 +2022,7 @@ mac_mls_check_vnode_open(struct ucred *cred, struct vnode *vp,
if (!mac_mls_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(vnodelabel);
/* XXX privilege override for admin? */
@ -2047,7 +2047,7 @@ mac_mls_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
if (!mac_mls_enabled || !revocation_enabled)
return (0);
subj = SLOT(&active_cred->cr_label);
subj = SLOT(active_cred->cr_label);
obj = SLOT(label);
if (!mac_mls_dominate_single(subj, obj))
@ -2065,7 +2065,7 @@ mac_mls_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
if (!mac_mls_enabled || !revocation_enabled)
return (0);
subj = SLOT(&active_cred->cr_label);
subj = SLOT(active_cred->cr_label);
obj = SLOT(label);
if (!mac_mls_dominate_single(subj, obj))
@ -2083,7 +2083,7 @@ mac_mls_check_vnode_readdir(struct ucred *cred, struct vnode *dvp,
if (!mac_mls_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(dlabel);
if (!mac_mls_dominate_single(subj, obj))
@ -2101,7 +2101,7 @@ mac_mls_check_vnode_readlink(struct ucred *cred, struct vnode *vp,
if (!mac_mls_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(vnodelabel);
if (!mac_mls_dominate_single(subj, obj))
@ -2119,7 +2119,7 @@ mac_mls_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
old = SLOT(vnodelabel);
new = SLOT(newlabel);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
/*
* If there is an MLS label update for the vnode, it must be a
@ -2172,7 +2172,7 @@ mac_mls_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
if (!mac_mls_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(dlabel);
if (!mac_mls_dominate_single(obj, subj))
@ -2196,7 +2196,7 @@ mac_mls_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
if (!mac_mls_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(dlabel);
if (!mac_mls_dominate_single(obj, subj))
@ -2221,7 +2221,7 @@ mac_mls_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
if (!mac_mls_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(label);
if (!mac_mls_dominate_single(obj, subj))
@ -2239,7 +2239,7 @@ mac_mls_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
if (!mac_mls_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(label);
if (!mac_mls_dominate_single(obj, subj))
@ -2258,7 +2258,7 @@ mac_mls_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
if (!mac_mls_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(vnodelabel);
if (!mac_mls_dominate_single(obj, subj))
@ -2278,7 +2278,7 @@ mac_mls_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
if (!mac_mls_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(vnodelabel);
if (!mac_mls_dominate_single(obj, subj))
@ -2296,7 +2296,7 @@ mac_mls_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
if (!mac_mls_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(vnodelabel);
if (!mac_mls_dominate_single(obj, subj))
@ -2314,7 +2314,7 @@ mac_mls_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
if (!mac_mls_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(vnodelabel);
if (!mac_mls_dominate_single(obj, subj))
@ -2332,7 +2332,7 @@ mac_mls_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
if (!mac_mls_enabled)
return (0);
subj = SLOT(&cred->cr_label);
subj = SLOT(cred->cr_label);
obj = SLOT(vnodelabel);
if (!mac_mls_dominate_single(obj, subj))
@ -2350,7 +2350,7 @@ mac_mls_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
if (!mac_mls_enabled)
return (0);
subj = SLOT(&active_cred->cr_label);
subj = SLOT(active_cred->cr_label);
obj = SLOT(vnodelabel);
if (!mac_mls_dominate_single(subj, obj))
@ -2368,7 +2368,7 @@ mac_mls_check_vnode_write(struct ucred *active_cred, struct ucred *file_cred,
if (!mac_mls_enabled || !revocation_enabled)
return (0);
subj = SLOT(&active_cred->cr_label);
subj = SLOT(active_cred->cr_label);
obj = SLOT(label);
if (!mac_mls_dominate_single(obj, subj))
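Review bot: The `const char *fullpath` parameter added to mac_mls_create_devfs_symlink's signature in this section's first hunk is not referenced anywhere in the visible body, and the same entry point in mac_test further down this page still declares the old signature ending in `struct label *delabel)`; if the policy ops vector was widened to carry the path, the two policies now disagree and one of them will be assigned into the ops table through an incompatible function pointer type. Either bring mac_test into line or, if the mac_mls change is unintended, drop it here. The body of mac_mls_create_devfs_symlink continues outside the hunk. Since MLS derives the symlink label purely from the creating credential, a one-line comment such as `/* fullpath is unused: the symlink inherits the creating cred's single label. */` above `source = SLOT(cred->cr_label);` would make the ignored parameter intentional rather than accidental.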


@ -134,21 +134,21 @@ static void
mac_partition_create_cred(struct ucred *cred_parent, struct ucred *cred_child)
{
SLOT(&cred_child->cr_label) = SLOT(&cred_parent->cr_label);
SLOT(cred_child->cr_label) = SLOT(cred_parent->cr_label);
}
static void
mac_partition_create_proc0(struct ucred *cred)
{
SLOT(&cred->cr_label) = 0;
SLOT(cred->cr_label) = 0;
}
static void
mac_partition_create_proc1(struct ucred *cred)
{
SLOT(&cred->cr_label) = 0;
SLOT(cred->cr_label) = 0;
}
static void
@ -156,7 +156,7 @@ mac_partition_relabel_cred(struct ucred *cred, struct label *newlabel)
{
if (SLOT(newlabel) != 0)
SLOT(&cred->cr_label) = SLOT(newlabel);
SLOT(cred->cr_label) = SLOT(newlabel);
}
static int
@ -201,7 +201,7 @@ mac_partition_check_cred_visible(struct ucred *u1, struct ucred *u2)
{
int error;
error = label_on_label(&u1->cr_label, &u2->cr_label);
error = label_on_label(u1->cr_label, u2->cr_label);
return (error == 0 ? 0 : ESRCH);
}
@ -211,7 +211,7 @@ mac_partition_check_proc_debug(struct ucred *cred, struct proc *proc)
{
int error;
error = label_on_label(&cred->cr_label, &proc->p_ucred->cr_label);
error = label_on_label(cred->cr_label, proc->p_ucred->cr_label);
return (error ? ESRCH : 0);
}
@ -221,7 +221,7 @@ mac_partition_check_proc_sched(struct ucred *cred, struct proc *proc)
{
int error;
error = label_on_label(&cred->cr_label, &proc->p_ucred->cr_label);
error = label_on_label(cred->cr_label, proc->p_ucred->cr_label);
return (error ? ESRCH : 0);
}
@ -232,7 +232,7 @@ mac_partition_check_proc_signal(struct ucred *cred, struct proc *proc,
{
int error;
error = label_on_label(&cred->cr_label, &proc->p_ucred->cr_label);
error = label_on_label(cred->cr_label, proc->p_ucred->cr_label);
return (error ? ESRCH : 0);
}
@ -243,7 +243,7 @@ mac_partition_check_socket_visible(struct ucred *cred, struct socket *socket,
{
int error;
error = label_on_label(&cred->cr_label, socketlabel);
error = label_on_label(cred->cr_label, socketlabel);
return (error ? ENOENT : 0);
}
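Review bot: Every entry point in this section now dereferences `cred->cr_label` through `SLOT()` or `label_on_label()` without a check, whereas the old `&cred->cr_label` was always a valid address inside the ucred; after this change the pointer is only valid if the framework allocated the label before the credential reached a policy hook. Unlike mac_test, which wraps each access in `ASSERT_CRED_LABEL`, the partition policy has nothing that would catch an unlabeled or already-freed credential, so a missed allocation surfaces as a NULL-pointer fault inside the policy rather than as a diagnostic naming the cause. If the framework guarantees that ordering, a comment above `mac_partition_create_cred` stating that `cr_label` is allocated by the framework before any policy hook runs would document the invariant this code now relies on; if it does not, a `KASSERT(cred->cr_label != NULL, ("mac_partition: unlabeled cred"))` at the top of these hooks is cheap. The `proc->p_ucred->cr_label` reads in the proc_debug, proc_sched and proc_signal hunks depend on the same invariant.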


@ -635,7 +635,7 @@ mac_test_create_devfs_symlink(struct ucred *cred, struct mount *mp,
struct label *delabel)
{
ASSERT_CRED_LABEL(&cred->cr_label);
ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_DEVFS_LABEL(ddlabel);
ASSERT_DEVFS_LABEL(delabel);
}
@ -646,7 +646,7 @@ mac_test_create_vnode_extattr(struct ucred *cred, struct mount *mp,
struct vnode *vp, struct label *vlabel, struct componentname *cnp)
{
ASSERT_CRED_LABEL(&cred->cr_label);
ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_MOUNT_LABEL(fslabel);
ASSERT_VNODE_LABEL(dlabel);
@ -658,7 +658,7 @@ mac_test_create_mount(struct ucred *cred, struct mount *mp,
struct label *mntlabel, struct label *fslabel)
{
ASSERT_CRED_LABEL(&cred->cr_label);
ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_MOUNT_LABEL(mntlabel);
ASSERT_MOUNT_LABEL(fslabel);
}
@ -668,7 +668,7 @@ mac_test_create_root_mount(struct ucred *cred, struct mount *mp,
struct label *mntlabel, struct label *fslabel)
{
ASSERT_CRED_LABEL(&cred->cr_label);
ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_MOUNT_LABEL(mntlabel);
ASSERT_MOUNT_LABEL(fslabel);
}
@ -678,7 +678,7 @@ mac_test_relabel_vnode(struct ucred *cred, struct vnode *vp,
struct label *vnodelabel, struct label *label)
{
ASSERT_CRED_LABEL(&cred->cr_label);
ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_VNODE_LABEL(vnodelabel);
ASSERT_VNODE_LABEL(label);
}
@ -688,7 +688,7 @@ mac_test_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
struct label *vlabel, struct label *intlabel)
{
ASSERT_CRED_LABEL(&cred->cr_label);
ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_VNODE_LABEL(vlabel);
ASSERT_VNODE_LABEL(intlabel);
return (0);
@ -721,7 +721,7 @@ mac_test_create_socket(struct ucred *cred, struct socket *socket,
struct label *socketlabel)
{
ASSERT_CRED_LABEL(&cred->cr_label);
ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_SOCKET_LABEL(socketlabel);
}
@ -730,7 +730,7 @@ mac_test_create_pipe(struct ucred *cred, struct pipe *pipe,
struct label *pipelabel)
{
ASSERT_CRED_LABEL(&cred->cr_label);
ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_PIPE_LABEL(pipelabel);
}
@ -749,7 +749,7 @@ mac_test_relabel_socket(struct ucred *cred, struct socket *socket,
struct label *socketlabel, struct label *newlabel)
{
ASSERT_CRED_LABEL(&cred->cr_label);
ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_SOCKET_LABEL(newlabel);
}
@ -758,7 +758,7 @@ mac_test_relabel_pipe(struct ucred *cred, struct pipe *pipe,
struct label *pipelabel, struct label *newlabel)
{
ASSERT_CRED_LABEL(&cred->cr_label);
ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_PIPE_LABEL(pipelabel);
ASSERT_PIPE_LABEL(newlabel);
}
@ -790,7 +790,7 @@ mac_test_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d,
struct label *bpflabel)
{
ASSERT_CRED_LABEL(&cred->cr_label);
ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_BPF_LABEL(bpflabel);
}
@ -916,7 +916,7 @@ mac_test_relabel_ifnet(struct ucred *cred, struct ifnet *ifnet,
struct label *ifnetlabel, struct label *newlabel)
{
ASSERT_CRED_LABEL(&cred->cr_label);
ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_IFNET_LABEL(ifnetlabel);
ASSERT_IFNET_LABEL(newlabel);
}
@ -937,8 +937,8 @@ static void
mac_test_create_cred(struct ucred *cred_parent, struct ucred *cred_child)
{
ASSERT_CRED_LABEL(&cred_parent->cr_label);
ASSERT_CRED_LABEL(&cred_child->cr_label);
ASSERT_CRED_LABEL(cred_parent->cr_label);
ASSERT_CRED_LABEL(cred_child->cr_label);
}
static void
@ -948,8 +948,8 @@ mac_test_execve_transition(struct ucred *old, struct ucred *new,
struct label *execlabel)
{
ASSERT_CRED_LABEL(&old->cr_label);
ASSERT_CRED_LABEL(&new->cr_label);
ASSERT_CRED_LABEL(old->cr_label);
ASSERT_CRED_LABEL(new->cr_label);
ASSERT_VNODE_LABEL(filelabel);
ASSERT_VNODE_LABEL(interpvnodelabel);
if (execlabel != NULL) {
@ -963,7 +963,7 @@ mac_test_execve_will_transition(struct ucred *old, struct vnode *vp,
struct image_params *imgp, struct label *execlabel)
{
ASSERT_CRED_LABEL(&old->cr_label);
ASSERT_CRED_LABEL(old->cr_label);
ASSERT_VNODE_LABEL(filelabel);
if (interpvnodelabel != NULL) {
ASSERT_VNODE_LABEL(interpvnodelabel);
@ -979,21 +979,21 @@ static void
mac_test_create_proc0(struct ucred *cred)
{
ASSERT_CRED_LABEL(&cred->cr_label);
ASSERT_CRED_LABEL(cred->cr_label);
}
static void
mac_test_create_proc1(struct ucred *cred)
{
ASSERT_CRED_LABEL(&cred->cr_label);
ASSERT_CRED_LABEL(cred->cr_label);
}
static void
mac_test_relabel_cred(struct ucred *cred, struct label *newlabel)
{
ASSERT_CRED_LABEL(&cred->cr_label);
ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_VNODE_LABEL(newlabel);
}
@ -1023,7 +1023,7 @@ static int
mac_test_check_cred_relabel(struct ucred *cred, struct label *newlabel)
{
ASSERT_CRED_LABEL(&cred->cr_label);
ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_CRED_LABEL(newlabel);
return (0);
@ -1033,8 +1033,8 @@ static int
mac_test_check_cred_visible(struct ucred *u1, struct ucred *u2)
{
ASSERT_CRED_LABEL(&u1->cr_label);
ASSERT_CRED_LABEL(&u2->cr_label);
ASSERT_CRED_LABEL(u1->cr_label);
ASSERT_CRED_LABEL(u2->cr_label);
return (0);
}
@ -1044,7 +1044,7 @@ mac_test_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet,
struct label *ifnetlabel, struct label *newlabel)
{
ASSERT_CRED_LABEL(&cred->cr_label);
ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_IFNET_LABEL(ifnetlabel);
ASSERT_IFNET_LABEL(newlabel);
return (0);
@ -1074,7 +1074,7 @@ static int
mac_test_check_kenv_get(struct ucred *cred, char *name)
{
ASSERT_CRED_LABEL(&cred->cr_label);
ASSERT_CRED_LABEL(cred->cr_label);
return (0);
}
@ -1083,7 +1083,7 @@ static int
mac_test_check_kenv_set(struct ucred *cred, char *name, char *value)
{
ASSERT_CRED_LABEL(&cred->cr_label);
ASSERT_CRED_LABEL(cred->cr_label);
return (0);
}
@ -1092,7 +1092,7 @@ static int
mac_test_check_kenv_unset(struct ucred *cred, char *name)
{
ASSERT_CRED_LABEL(&cred->cr_label);
ASSERT_CRED_LABEL(cred->cr_label);
return (0);
}
@ -1102,7 +1102,7 @@ mac_test_check_kld_load(struct ucred *cred, struct vnode *vp,
struct label *label)
{
ASSERT_CRED_LABEL(&cred->cr_label);
ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_VNODE_LABEL(label);
return (0);
@ -1112,7 +1112,7 @@ static int
mac_test_check_kld_stat(struct ucred *cred)
{
ASSERT_CRED_LABEL(&cred->cr_label);
ASSERT_CRED_LABEL(cred->cr_label);
return (0);
}
@ -1121,7 +1121,7 @@ static int
mac_test_check_kld_unload(struct ucred *cred)
{
ASSERT_CRED_LABEL(&cred->cr_label);
ASSERT_CRED_LABEL(cred->cr_label);
return (0);
}
@ -1131,7 +1131,7 @@ mac_test_check_mount_stat(struct ucred *cred, struct mount *mp,
struct label *mntlabel)
{
ASSERT_CRED_LABEL(&cred->cr_label);
ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_MOUNT_LABEL(mntlabel);
return (0);
@ -1142,7 +1142,7 @@ mac_test_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe,
struct label *pipelabel, unsigned long cmd, void /* caddr_t */ *data)
{
ASSERT_CRED_LABEL(&cred->cr_label);
ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_PIPE_LABEL(pipelabel);
return (0);
@ -1153,7 +1153,7 @@ mac_test_check_pipe_poll(struct ucred *cred, struct pipe *pipe,
struct label *pipelabel)
{
ASSERT_CRED_LABEL(&cred->cr_label);
ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_PIPE_LABEL(pipelabel);
return (0);
@ -1164,7 +1164,7 @@ mac_test_check_pipe_read(struct ucred *cred, struct pipe *pipe,
struct label *pipelabel)
{
ASSERT_CRED_LABEL(&cred->cr_label);
ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_PIPE_LABEL(pipelabel);
return (0);
@ -1175,7 +1175,7 @@ mac_test_check_pipe_relabel(struct ucred *cred, struct pipe *pipe,
struct label *pipelabel, struct label *newlabel)
{
ASSERT_CRED_LABEL(&cred->cr_label);
ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_PIPE_LABEL(pipelabel);
ASSERT_PIPE_LABEL(newlabel);
@ -1187,7 +1187,7 @@ mac_test_check_pipe_stat(struct ucred *cred, struct pipe *pipe,
struct label *pipelabel)
{
ASSERT_CRED_LABEL(&cred->cr_label);
ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_PIPE_LABEL(pipelabel);
return (0);
@ -1198,7 +1198,7 @@ mac_test_check_pipe_write(struct ucred *cred, struct pipe *pipe,
struct label *pipelabel)
{
ASSERT_CRED_LABEL(&cred->cr_label);
ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_PIPE_LABEL(pipelabel);
return (0);
@ -1208,8 +1208,8 @@ static int
mac_test_check_proc_debug(struct ucred *cred, struct proc *proc)
{
ASSERT_CRED_LABEL(&cred->cr_label);
ASSERT_CRED_LABEL(&proc->p_ucred->cr_label);
ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_CRED_LABEL(proc->p_ucred->cr_label);
return (0);
}
@ -1218,8 +1218,8 @@ static int
mac_test_check_proc_sched(struct ucred *cred, struct proc *proc)
{
ASSERT_CRED_LABEL(&cred->cr_label);
ASSERT_CRED_LABEL(&proc->p_ucred->cr_label);
ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_CRED_LABEL(proc->p_ucred->cr_label);
return (0);
}
@ -1228,8 +1228,8 @@ static int
mac_test_check_proc_signal(struct ucred *cred, struct proc *proc, int signum)
{
ASSERT_CRED_LABEL(&cred->cr_label);
ASSERT_CRED_LABEL(&proc->p_ucred->cr_label);
ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_CRED_LABEL(proc->p_ucred->cr_label);
return (0);
}
@ -1239,7 +1239,7 @@ mac_test_check_socket_bind(struct ucred *cred, struct socket *socket,
struct label *socketlabel, struct sockaddr *sockaddr)
{
ASSERT_CRED_LABEL(&cred->cr_label);
ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_SOCKET_LABEL(socketlabel);
return (0);
@ -1250,7 +1250,7 @@ mac_test_check_socket_connect(struct ucred *cred, struct socket *socket,
struct label *socketlabel, struct sockaddr *sockaddr)
{
ASSERT_CRED_LABEL(&cred->cr_label);
ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_SOCKET_LABEL(socketlabel);
return (0);
@ -1272,7 +1272,7 @@ mac_test_check_socket_listen(struct ucred *cred, struct socket *socket,
struct label *socketlabel)
{
ASSERT_CRED_LABEL(&cred->cr_label);
ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_SOCKET_LABEL(socketlabel);
return (0);
@ -1283,7 +1283,7 @@ mac_test_check_socket_visible(struct ucred *cred, struct socket *socket,
struct label *socketlabel)
{
ASSERT_CRED_LABEL(&cred->cr_label);
ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_SOCKET_LABEL(socketlabel);
return (0);
@ -1294,7 +1294,7 @@ mac_test_check_socket_relabel(struct ucred *cred, struct socket *socket,
struct label *socketlabel, struct label *newlabel)
{
ASSERT_CRED_LABEL(&cred->cr_label);
ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_SOCKET_LABEL(socketlabel);
ASSERT_SOCKET_LABEL(newlabel);
@ -1305,7 +1305,7 @@ static int
mac_test_check_sysarch_ioperm(struct ucred *cred)
{
ASSERT_CRED_LABEL(&cred->cr_label);
ASSERT_CRED_LABEL(cred->cr_label);
return (0);
}
@ -1315,7 +1315,7 @@ mac_test_check_system_acct(struct ucred *cred, struct vnode *vp,
struct label *label)
{
ASSERT_CRED_LABEL(&cred->cr_label);
ASSERT_CRED_LABEL(cred->cr_label);
return (0);
}
@ -1324,7 +1324,7 @@ static int
mac_test_check_system_reboot(struct ucred *cred, int how)
{
ASSERT_CRED_LABEL(&cred->cr_label);
ASSERT_CRED_LABEL(cred->cr_label);
return (0);
}
@ -1333,7 +1333,7 @@ static int
mac_test_check_system_settime(struct ucred *cred)
{
ASSERT_CRED_LABEL(&cred->cr_label);
ASSERT_CRED_LABEL(cred->cr_label);
return (0);
}
@ -1343,7 +1343,7 @@ mac_test_check_system_swapon(struct ucred *cred, struct vnode *vp,
struct label *label)
{
ASSERT_CRED_LABEL(&cred->cr_label);
ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_VNODE_LABEL(label);
return (0);
@ -1354,7 +1354,7 @@ mac_test_check_system_swapoff(struct ucred *cred, struct vnode *vp,
struct label *label)
{
ASSERT_CRED_LABEL(&cred->cr_label);
ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_VNODE_LABEL(label);
return (0);
@ -1365,7 +1365,7 @@ mac_test_check_system_sysctl(struct ucred *cred, int *name, u_int namelen,
void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen)
{
ASSERT_CRED_LABEL(&cred->cr_label);
ASSERT_CRED_LABEL(cred->cr_label);
return (0);
}
@ -1375,7 +1375,7 @@ mac_test_check_vnode_access(struct ucred *cred, struct vnode *vp,
struct label *label, int acc_mode)
{
ASSERT_CRED_LABEL(&cred->cr_label);
ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_VNODE_LABEL(label);
return (0);
@ -1386,7 +1386,7 @@ mac_test_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
struct label *dlabel)
{
ASSERT_CRED_LABEL(&cred->cr_label);
ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_VNODE_LABEL(dlabel);
return (0);
@ -1397,7 +1397,7 @@ mac_test_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
struct label *dlabel)
{
ASSERT_CRED_LABEL(&cred->cr_label);
ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_VNODE_LABEL(dlabel);
return (0);
@ -1408,7 +1408,7 @@ mac_test_check_vnode_create(struct ucred *cred, struct vnode *dvp,
struct label *dlabel, struct componentname *cnp, struct vattr *vap)
{
ASSERT_CRED_LABEL(&cred->cr_label);
ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_VNODE_LABEL(dlabel);
return (0);
@ -1420,7 +1420,7 @@ mac_test_check_vnode_delete(struct ucred *cred, struct vnode *dvp,
struct componentname *cnp)
{
ASSERT_CRED_LABEL(&cred->cr_label);
ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_VNODE_LABEL(dlabel);
ASSERT_VNODE_LABEL(label);
@ -1432,7 +1432,7 @@ mac_test_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
struct label *label, acl_type_t type)
{
ASSERT_CRED_LABEL(&cred->cr_label);
ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_VNODE_LABEL(label);
return (0);
@ -1443,7 +1443,7 @@ mac_test_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
struct label *label, int attrnamespace, const char *name)
{
ASSERT_CRED_LABEL(&cred->cr_label);
ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_VNODE_LABEL(label);
return (0);
@ -1455,7 +1455,7 @@ mac_test_check_vnode_exec(struct ucred *cred, struct vnode *vp,
struct label *execlabel)
{
ASSERT_CRED_LABEL(&cred->cr_label);
ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_VNODE_LABEL(label);
if (execlabel != NULL) {
ASSERT_CRED_LABEL(execlabel);
@ -1469,7 +1469,7 @@ mac_test_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
struct label *label, acl_type_t type)
{
ASSERT_CRED_LABEL(&cred->cr_label);
ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_VNODE_LABEL(label);
return (0);
@ -1480,7 +1480,7 @@ mac_test_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
struct label *label, int attrnamespace, const char *name, struct uio *uio)
{
ASSERT_CRED_LABEL(&cred->cr_label);
ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_VNODE_LABEL(label);
return (0);
@ -1492,7 +1492,7 @@ mac_test_check_vnode_link(struct ucred *cred, struct vnode *dvp,
struct componentname *cnp)
{
ASSERT_CRED_LABEL(&cred->cr_label);
ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_VNODE_LABEL(dlabel);
ASSERT_VNODE_LABEL(label);
@ -1504,7 +1504,7 @@ mac_test_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
struct label *label, int attrnamespace)
{
ASSERT_CRED_LABEL(&cred->cr_label);
ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_VNODE_LABEL(label);
return (0);
@ -1515,7 +1515,7 @@ mac_test_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
struct label *dlabel, struct componentname *cnp)
{
ASSERT_CRED_LABEL(&cred->cr_label);
ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_VNODE_LABEL(dlabel);
return (0);
@ -1526,7 +1526,7 @@ mac_test_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
struct label *label, int prot)
{
ASSERT_CRED_LABEL(&cred->cr_label);
ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_VNODE_LABEL(label);
return (0);
@ -1537,7 +1537,7 @@ mac_test_check_vnode_mprotect(struct ucred *cred, struct vnode *vp,
struct label *label, int prot)
{
ASSERT_CRED_LABEL(&cred->cr_label);
ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_VNODE_LABEL(label);
return (0);
@ -1548,7 +1548,7 @@ mac_test_check_vnode_open(struct ucred *cred, struct vnode *vp,
struct label *filelabel, int acc_mode)
{
ASSERT_CRED_LABEL(&cred->cr_label);
ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_VNODE_LABEL(filelabel);
return (0);
@ -1559,8 +1559,8 @@ mac_test_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp, struct label *label)
{
ASSERT_CRED_LABEL(&active_cred->cr_label);
ASSERT_CRED_LABEL(&file_cred->cr_label);
ASSERT_CRED_LABEL(active_cred->cr_label);
ASSERT_CRED_LABEL(file_cred->cr_label);
ASSERT_VNODE_LABEL(label);
return (0);
@ -1571,9 +1571,9 @@ mac_test_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp, struct label *label)
{
ASSERT_CRED_LABEL(&active_cred->cr_label);
ASSERT_CRED_LABEL(active_cred->cr_label);
if (file_cred != NULL) {
ASSERT_CRED_LABEL(&file_cred->cr_label);
ASSERT_CRED_LABEL(file_cred->cr_label);
}
ASSERT_VNODE_LABEL(label);
@ -1585,7 +1585,7 @@ mac_test_check_vnode_readdir(struct ucred *cred, struct vnode *dvp,
struct label *dlabel)
{
ASSERT_CRED_LABEL(&cred->cr_label);
ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_VNODE_LABEL(dlabel);
return (0);
@ -1596,7 +1596,7 @@ mac_test_check_vnode_readlink(struct ucred *cred, struct vnode *vp,
struct label *vnodelabel)
{
ASSERT_CRED_LABEL(&cred->cr_label);
ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_VNODE_LABEL(vnodelabel);
return (0);
@ -1607,7 +1607,7 @@ mac_test_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
struct label *vnodelabel, struct label *newlabel)
{
ASSERT_CRED_LABEL(&cred->cr_label);
ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_VNODE_LABEL(vnodelabel);
ASSERT_VNODE_LABEL(newlabel);
@ -1620,7 +1620,7 @@ mac_test_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
struct componentname *cnp)
{
ASSERT_CRED_LABEL(&cred->cr_label);
ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_VNODE_LABEL(dlabel);
ASSERT_VNODE_LABEL(label);
@ -1633,7 +1633,7 @@ mac_test_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
struct componentname *cnp)
{
ASSERT_CRED_LABEL(&cred->cr_label);
ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_VNODE_LABEL(dlabel);
if (vp != NULL) {
@ -1648,7 +1648,7 @@ mac_test_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
struct label *label)
{
ASSERT_CRED_LABEL(&cred->cr_label);
ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_VNODE_LABEL(label);
return (0);
@ -1659,7 +1659,7 @@ mac_test_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
struct label *label, acl_type_t type, struct acl *acl)
{
ASSERT_CRED_LABEL(&cred->cr_label);
ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_VNODE_LABEL(label);
return (0);
@ -1670,7 +1670,7 @@ mac_test_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
struct label *label, int attrnamespace, const char *name, struct uio *uio)
{
ASSERT_CRED_LABEL(&cred->cr_label);
ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_VNODE_LABEL(label);
return (0);
@ -1681,7 +1681,7 @@ mac_test_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
struct label *label, u_long flags)
{
ASSERT_CRED_LABEL(&cred->cr_label);
ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_VNODE_LABEL(label);
return (0);
@ -1692,7 +1692,7 @@ mac_test_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
struct label *label, mode_t mode)
{
ASSERT_CRED_LABEL(&cred->cr_label);
ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_VNODE_LABEL(label);
return (0);
@ -1703,7 +1703,7 @@ mac_test_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
struct label *label, uid_t uid, gid_t gid)
{
ASSERT_CRED_LABEL(&cred->cr_label);
ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_VNODE_LABEL(label);
return (0);
@ -1714,7 +1714,7 @@ mac_test_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
struct label *label, struct timespec atime, struct timespec mtime)
{
ASSERT_CRED_LABEL(&cred->cr_label);
ASSERT_CRED_LABEL(cred->cr_label);
ASSERT_VNODE_LABEL(label);
return (0);
@ -1725,9 +1725,9 @@ mac_test_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp, struct label *label)
{
ASSERT_CRED_LABEL(&active_cred->cr_label);
ASSERT_CRED_LABEL(active_cred->cr_label);
if (file_cred != NULL) {
ASSERT_CRED_LABEL(&file_cred->cr_label);
ASSERT_CRED_LABEL(file_cred->cr_label);
}
ASSERT_VNODE_LABEL(label);
@ -1739,9 +1739,9 @@ mac_test_check_vnode_write(struct ucred *active_cred,
struct ucred *file_cred, struct vnode *vp, struct label *label)
{
ASSERT_CRED_LABEL(&active_cred->cr_label);
ASSERT_CRED_LABEL(active_cred->cr_label);
if (file_cred != NULL) {
ASSERT_CRED_LABEL(&file_cred->cr_label);
ASSERT_CRED_LABEL(file_cred->cr_label);
}
ASSERT_VNODE_LABEL(label);


@ -144,7 +144,6 @@ int mac_init_mbuf_tag(struct m_tag *, int flag);
void mac_init_mount(struct mount *);
void mac_init_proc(struct proc *);
void mac_init_vnode(struct vnode *);
void mac_init_vnode_label(struct label *);
void mac_copy_mbuf_tag(struct m_tag *, struct m_tag *);
void mac_copy_vnode_label(struct label *, struct label *label);
void mac_destroy_bpfdesc(struct bpf_d *);
@ -158,7 +157,12 @@ void mac_destroy_proc(struct proc *);
void mac_destroy_mbuf_tag(struct m_tag *);
void mac_destroy_mount(struct mount *);
void mac_destroy_vnode(struct vnode *);
void mac_destroy_vnode_label(struct label *);
struct label *mac_cred_label_alloc(void);
void mac_cred_label_free(struct label *label);
struct label *mac_vnode_label_alloc(void);
void mac_vnode_label_free(struct label *label);
void mac_destroy_vnode_label(struct label *);
/*
* Labeling event operations: file system objects, and things that
@ -220,8 +224,7 @@ void mac_update_ipq(struct mbuf *fragment, struct ipq *ipq);
* Labeling event operations: processes.
*/
void mac_create_cred(struct ucred *cred_parent, struct ucred *cred_child);
int mac_execve_enter(struct image_params *imgp, struct mac *mac_p,
struct label *execlabel);
int mac_execve_enter(struct image_params *imgp, struct mac *mac_p);
void mac_execve_exit(struct image_params *imgp);
void mac_execve_transition(struct ucred *old, struct ucred *new,
struct vnode *vp, struct label *interpvnodelabel,
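Review bot: The new prototypes `mac_cred_label_alloc`/`mac_cred_label_free` and `mac_vnode_label_alloc`/`mac_vnode_label_free` in the `@ -158,7 +157,12 @@` hunk carry no allocation contract: the header does not say whether the allocators can return NULL or always block, nor that the returned label is owned by the caller until the matching free. Because the label used to be embedded and could never be NULL, every policy hook that dereferences `cred->cr_label` or `vp->v_label` now depends on that contract, so it belongs at the declaration, e.g. `/* Label allocators: return an initialised label owned by the caller; state here whether NULL is possible (see mac_label.c) */`. Also, `mac_init_vnode_label` is dropped in the first hunk while `mac_destroy_vnode_label` survives next to `mac_vnode_label_free`, which reads as asymmetric; if intentional, a one-line comment distinguishing "destroy" (tear down policy state) from "free" (release storage) would prevent callers from pairing them wrongly. The parameter-name style is also mixed (`struct label *label` on the new lines vs bare `struct label *` on the existing ones); pick one for the header.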


@ -41,7 +41,6 @@
#include <sys/queue.h>
#ifdef _KERNEL
#include <sys/lockmgr.h>
#include <sys/_label.h>
#include <sys/_lock.h>
#include <sys/_mutex.h>
#endif
@ -145,8 +144,8 @@ struct mount {
time_t mnt_time; /* last time written*/
int mnt_iosize_max; /* max size for clusters, etc */
struct netexport *mnt_export; /* export list */
struct label mnt_mntlabel; /* MAC label for the mount */
struct label mnt_fslabel; /* MAC label for the fs */
struct label *mnt_mntlabel; /* MAC label for the mount */
struct label *mnt_fslabel; /* MAC label for the fs */
int mnt_nvnodelistsize; /* # of vnodes on this mount */
};
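Review bot: `mnt_mntlabel` and `mnt_fslabel` become `struct label *` while the first hunk removes the `#include <sys/_label.h>` that declared the tag, and no `struct label;` forward declaration replaces it. The member declaration itself introduces the tag at file scope, so this compiles, but the header is no longer self-describing, and if a future edit uses `struct label *` in a prototype before the struct, the tag gets prototype scope and silently mismatches; add `struct label;` beside the other forward declarations. The same applies to the proc.h, socketvar.h, ucred.h and vnode.h sections below, which drop the include in the same way. The member comments could also state ownership now that the labels are separate allocations, e.g. `/* MAC label for the mount; presumably allocated by mac_init_mount(), released by mac_destroy_mount() — confirm */`.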


@ -28,7 +28,6 @@
#include <sys/time.h> /* for struct timespec */
#include <sys/selinfo.h> /* for struct selinfo */
#include <vm/vm.h> /* for vm_page_t */
#include <sys/_label.h> /* for struct label */
#include <machine/param.h> /* for PAGE_SIZE */
#endif


@ -55,7 +55,6 @@
#include <sys/runq.h>
#include <sys/sigio.h>
#include <sys/signal.h>
#include <sys/_label.h>
#ifndef _KERNEL
#include <sys/time.h> /* For structs itimerval, timeval. */
#else
@ -616,7 +615,7 @@ struct proc {
struct proc *p_peers; /* (r) */
struct proc *p_leader; /* (b) */
void *p_emuldata; /* (c) Emulator state data. */
struct label p_label; /* (*) Process (not subject) MAC label */
struct label *p_label; /* (*) Proc (not subject) MAC label. */
struct p_sched *p_sched; /* (*) Scheduler-specific data. */
};


@ -37,7 +37,6 @@
#ifndef _SYS_SOCKETVAR_H_
#define _SYS_SOCKETVAR_H_
#include <sys/_label.h> /* for struct label */
#include <sys/queue.h> /* for TAILQ macros */
#include <sys/selinfo.h> /* for struct selinfo */
@ -128,8 +127,8 @@ struct socket {
void (*so_upcall)(struct socket *, void *, int);
void *so_upcallarg;
struct ucred *so_cred; /* user credentials */
struct label so_label; /* MAC label for socket */
struct label so_peerlabel; /* cached MAC label for socket peer */
struct label *so_label; /* MAC label for socket */
struct label *so_peerlabel; /* cached MAC label for socket peer */
/* NB: generation count must not be first; easiest to make it last. */
so_gen_t so_gencnt; /* generation count */
void *so_emuldata; /* private data for emulators */
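Review bot: `so_peerlabel` on L4431 keeps the comment "cached MAC label for socket peer", but as a separately allocated `struct label *` the comment no longer says who allocates it, when the cache is refreshed, or that it is released together with `so_label`; if the pointer is left NULL until the first peer update, every policy hook that reads it becomes a NULL dereference rather than a read of an empty embedded label as before. Propose `struct label *so_peerlabel; /* cached MAC label for socket peer; allocated and freed with so_label, refreshed by the framework — confirm */` and the equivalent ownership note on `so_label`. A `struct label;` forward declaration should replace the removed `<sys/_label.h>` include as noted on the mount.h section.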


@ -44,7 +44,6 @@
* Only the suser() or suser_cred() function should be used for this.
*/
#if defined(_KERNEL) || defined(_WANT_UCRED)
#include <sys/_label.h>
struct ucred {
u_int cr_ref; /* reference count */
@ -60,7 +59,7 @@ struct ucred {
struct uidinfo *cr_ruidinfo; /* per ruid resource consumption */
struct prison *cr_prison; /* jail(2) */
#define cr_endcopy cr_label
struct label cr_label; /* MAC label */
struct label *cr_label; /* MAC label */
struct mtx *cr_mtxp; /* protect refcount */
};
#define NOCRED ((struct ucred *)0) /* no credential available */
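Review bot: `#define cr_endcopy cr_label` on L4448 now marks a pointer-sized field as the end of the region copied between credentials; the credential copy routine (crcopy(), not in this diff) must keep excluding `cr_label`, because copying the pointer would make two credentials share one zone-allocated label and the second release would be a double free, with the policy state of one credential silently aliased into the other. Nothing in the hunk records that invariant, so make it explicit on the member: `struct label *cr_label; /* MAC label; deliberately past cr_endcopy so it is never copied, set up by mac_create_cred() */`. mac_create_cred() is declared in the mac.h section above; confirm it is the function that populates the child pointer before committing the comment.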


@ -44,7 +44,6 @@
#include <sys/lockmgr.h>
#include <sys/queue.h>
#include <sys/_label.h>
#include <sys/_lock.h>
#include <sys/lock.h>
#include <sys/_mutex.h>
@ -153,7 +152,7 @@ struct vnode {
struct vnode *v_dd; /* c .. vnode */
u_long v_ddid; /* c .. capability identifier */
struct vpollinfo *v_pollinfo; /* p Poll events */
struct label v_label; /* MAC label for vnode */
struct label *v_label; /* MAC label for vnode */
#ifdef DEBUG_LOCKS
const char *filename; /* Source file doing locking */
int line; /* Line number doing locking */
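Review bot: The `v_label` comment on L4469 keeps the text "MAC label for vnode" but, unlike the neighbouring `v_pollinfo` (`p`) and `v_dd` (`c`) members, carries no lock-annotation letter, and now that the field is a pointer the question of which lock guards its assignment and lifetime matters more than when it was embedded storage. State it in the same column convention, e.g. `struct label *v_label; /* <lock> MAC label for vnode; mac_init_vnode()/mac_destroy_vnode() */` with the placeholder replaced by the correct annotation. The `<sys/_label.h>` include is dropped in the first hunk, so a `struct label;` forward declaration should accompany the change as noted on the mount.h section.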