authorrwatson <rwatson@FreeBSD.org>2007-04-22 16:18:10 +0000
committerrwatson <rwatson@FreeBSD.org>2007-04-22 16:18:10 +0000
commit1c94b6d3ee7cc5a273997e5dd61d432475bed233 (patch)
tree1a5de6c7822c50a3ed2d30c9621d0e6c1932b16f
parentc729a4c68dbc009109dc4dacf19bd61514820196 (diff)
In the MAC Framework implementation, file systems have two per-mountpoint
labels: the mount label (label of the mountpoint) and the fs label (label of the file system). In practice, policies appear to only ever use one, and the distinction is not helpful. Combine mnt_mntlabel and mnt_fslabel into a single mnt_label, and eliminate extra machinery required to maintain the additional label. Update policies to reflect removal of extra entry points and label. Obtained from: TrustedBSD Project Sponsored by: SPARTA, Inc.
-rw-r--r--sys/security/mac/mac_policy.h14
-rw-r--r--sys/security/mac/mac_vfs.c44
-rw-r--r--sys/security/mac_biba/mac_biba.c20
-rw-r--r--sys/security/mac_lomac/mac_lomac.c20
-rw-r--r--sys/security/mac_mls/mac_mls.c20
-rw-r--r--sys/security/mac_stub/mac_stub.c12
-rw-r--r--sys/security/mac_test/mac_test.c39
-rw-r--r--sys/sys/mount.h3
8 files changed, 55 insertions, 117 deletions
diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h
index 451633f..77d3f98 100644
--- a/sys/security/mac/mac_policy.h
+++ b/sys/security/mac/mac_policy.h
@@ -127,7 +127,6 @@ typedef void (*mpo_init_sysv_shm_label_t)(struct label *label);
typedef int (*mpo_init_ipq_label_t)(struct label *label, int flag);
typedef int (*mpo_init_mbuf_label_t)(struct label *label, int flag);
typedef void (*mpo_init_mount_label_t)(struct label *label);
-typedef void (*mpo_init_mount_fs_label_t)(struct label *label);
typedef int (*mpo_init_socket_label_t)(struct label *label, int flag);
typedef int (*mpo_init_socket_peer_label_t)(struct label *label,
int flag);
@@ -147,7 +146,6 @@ typedef void (*mpo_destroy_sysv_shm_label_t)(struct label *label);
typedef void (*mpo_destroy_ipq_label_t)(struct label *label);
typedef void (*mpo_destroy_mbuf_label_t)(struct label *label);
typedef void (*mpo_destroy_mount_label_t)(struct label *label);
-typedef void (*mpo_destroy_mount_fs_label_t)(struct label *label);
typedef void (*mpo_destroy_socket_label_t)(struct label *label);
typedef void (*mpo_destroy_socket_peer_label_t)(struct label *label);
typedef void (*mpo_destroy_pipe_label_t)(struct label *label);
@@ -198,14 +196,14 @@ typedef int (*mpo_internalize_vnode_label_t)(struct label *label,
* like file system objects.
*/
typedef void (*mpo_associate_vnode_devfs_t)(struct mount *mp,
- struct label *fslabel, struct devfs_dirent *de,
+ struct label *mntlabel, struct devfs_dirent *de,
struct label *delabel, struct vnode *vp,
struct label *vlabel);
typedef int (*mpo_associate_vnode_extattr_t)(struct mount *mp,
- struct label *fslabel, struct vnode *vp,
+ struct label *mntlabel, struct vnode *vp,
struct label *vlabel);
typedef void (*mpo_associate_vnode_singlelabel_t)(struct mount *mp,
- struct label *fslabel, struct vnode *vp,
+ struct label *mntlabel, struct vnode *vp,
struct label *vlabel);
typedef void (*mpo_create_devfs_device_t)(struct ucred *cred,
struct mount *mp, struct cdev *dev,
@@ -218,12 +216,12 @@ typedef void (*mpo_create_devfs_symlink_t)(struct ucred *cred,
struct label *ddlabel, struct devfs_dirent *de,
struct label *delabel);
typedef int (*mpo_create_vnode_extattr_t)(struct ucred *cred,
- struct mount *mp, struct label *fslabel,
+ struct mount *mp, struct label *mntlabel,
struct vnode *dvp, struct label *dlabel,
struct vnode *vp, struct label *vlabel,
struct componentname *cnp);
typedef void (*mpo_create_mount_t)(struct ucred *cred, struct mount *mp,
- struct label *mntlabel, struct label *fslabel);
+ struct label *mntlabel);
typedef void (*mpo_relabel_vnode_t)(struct ucred *cred, struct vnode *vp,
struct label *vnodelabel, struct label *label);
typedef int (*mpo_setlabel_vnode_extattr_t)(struct ucred *cred,
@@ -645,7 +643,6 @@ struct mac_policy_ops {
mpo_init_ipq_label_t mpo_init_ipq_label;
mpo_init_mbuf_label_t mpo_init_mbuf_label;
mpo_init_mount_label_t mpo_init_mount_label;
- mpo_init_mount_fs_label_t mpo_init_mount_fs_label;
mpo_init_socket_label_t mpo_init_socket_label;
mpo_init_socket_peer_label_t mpo_init_socket_peer_label;
mpo_init_pipe_label_t mpo_init_pipe_label;
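Review bot: Dropping `mpo_init_mount_fs_label` from the middle of `struct mac_policy_ops` (and `mpo_destroy_mount_fs_label` in the next hunk) shifts every later function-pointer slot, so a policy module built against the old header would have the framework invoke the wrong entry points. The in-tree policies use designated initializers and only need a rebuild, but nothing in this diff signals the break to out-of-tree modules; I would expect a version bump alongside it (for example `__FreeBSD_version`, or whatever module version the framework exports for policies to depend on). The `mpo_create_mount_t` change earlier in this file, which drops the `fslabel` argument, raises the same compatibility concern. The struct definition starts and ends outside the hunk.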
@@ -665,7 +662,6 @@ struct mac_policy_ops {
mpo_destroy_ipq_label_t mpo_destroy_ipq_label;
mpo_destroy_mbuf_label_t mpo_destroy_mbuf_label;
mpo_destroy_mount_label_t mpo_destroy_mount_label;
- mpo_destroy_mount_fs_label_t mpo_destroy_mount_fs_label;
mpo_destroy_socket_label_t mpo_destroy_socket_label;
mpo_destroy_socket_peer_label_t mpo_destroy_socket_peer_label;
mpo_destroy_pipe_label_t mpo_destroy_pipe_label;
diff --git a/sys/security/mac/mac_vfs.c b/sys/security/mac/mac_vfs.c
index 9196779..c6726d2 100644
--- a/sys/security/mac/mac_vfs.c
+++ b/sys/security/mac/mac_vfs.c
@@ -2,7 +2,7 @@
* Copyright (c) 1999-2002 Robert N. M. Watson
* Copyright (c) 2001 Ilmar S. Habibulin
* Copyright (c) 2001-2005 McAfee, Inc.
- * Copyright (c) 2005 SPARTA, Inc.
+ * Copyright (c) 2005-2006 SPARTA, Inc.
* All rights reserved.
*
* This software was developed by Robert Watson and Ilmar Habibulin for the
@@ -107,22 +107,11 @@ mac_mount_label_alloc(void)
return (label);
}
-static struct label *
-mac_mount_fs_label_alloc(void)
-{
- struct label *label;
-
- label = mac_labelzone_alloc(M_WAITOK);
- MAC_PERFORM(init_mount_fs_label, label);
- return (label);
-}
-
void
mac_init_mount(struct mount *mp)
{
- mp->mnt_mntlabel = mac_mount_label_alloc();
- mp->mnt_fslabel = mac_mount_fs_label_alloc();
+ mp->mnt_label = mac_mount_label_alloc();
}
struct label *
@@ -166,22 +155,12 @@ mac_mount_label_free(struct label *label)
mac_labelzone_free(label);
}
-static void
-mac_mount_fs_label_free(struct label *label)
-{
-
- MAC_PERFORM(destroy_mount_fs_label, label);
- mac_labelzone_free(label);
-}
-
void
mac_destroy_mount(struct mount *mp)
{
- mac_mount_fs_label_free(mp->mnt_fslabel);
- mp->mnt_fslabel = NULL;
- mac_mount_label_free(mp->mnt_mntlabel);
- mp->mnt_mntlabel = NULL;
+ mac_mount_label_free(mp->mnt_label);
+ mp->mnt_label = NULL;
}
void
@@ -242,7 +221,7 @@ mac_associate_vnode_devfs(struct mount *mp, struct devfs_dirent *de,
struct vnode *vp)
{
- MAC_PERFORM(associate_vnode_devfs, mp, mp->mnt_fslabel, de,
+ MAC_PERFORM(associate_vnode_devfs, mp, mp->mnt_label, de,
de->de_label, vp, vp->v_label);
}
@@ -253,7 +232,7 @@ mac_associate_vnode_extattr(struct mount *mp, struct vnode *vp)
ASSERT_VOP_LOCKED(vp, "mac_associate_vnode_extattr");
- MAC_CHECK(associate_vnode_extattr, mp, mp->mnt_fslabel, vp,
+ MAC_CHECK(associate_vnode_extattr, mp, mp->mnt_label, vp,
vp->v_label);
return (error);
@@ -263,7 +242,7 @@ void
mac_associate_vnode_singlelabel(struct mount *mp, struct vnode *vp)
{
- MAC_PERFORM(associate_vnode_singlelabel, mp, mp->mnt_fslabel, vp,
+ MAC_PERFORM(associate_vnode_singlelabel, mp, mp->mnt_label, vp,
vp->v_label);
}
@@ -295,8 +274,8 @@ mac_create_vnode_extattr(struct ucred *cred, struct mount *mp,
} else if (error)
return (error);
- MAC_CHECK(create_vnode_extattr, cred, mp, mp->mnt_fslabel,
- dvp, dvp->v_label, vp, vp->v_label, cnp);
+ MAC_CHECK(create_vnode_extattr, cred, mp, mp->mnt_label, dvp,
+ dvp->v_label, vp, vp->v_label, cnp);
if (error) {
VOP_CLOSEEXTATTR(vp, 0, NOCRED, curthread);
@@ -788,8 +767,7 @@ void
mac_create_mount(struct ucred *cred, struct mount *mp)
{
- MAC_PERFORM(create_mount, cred, mp, mp->mnt_mntlabel,
- mp->mnt_fslabel);
+ MAC_PERFORM(create_mount, cred, mp, mp->mnt_label);
}
int
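Review bot: `mac_create_mount()` deserves a comment, because after this change the one label it hands to policies is both the label `mac_check_mount_stat()` authorizes against and the label the `associate_vnode_*` and `create_vnode_extattr` paths pass to policies as the per-mount label. Something like `/* mnt_label is the only per-mount label: used for mount checks and passed to policies when labeling vnodes. */` above the `MAC_PERFORM` call would record that. A policy that kept different values in `mnt_mntlabel` and `mnt_fslabel` can no longer do so; the commit message says none appears to, which presumably covers only the in-tree policies.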
@@ -797,7 +775,7 @@ mac_check_mount_stat(struct ucred *cred, struct mount *mount)
{
int error;
- MAC_CHECK(check_mount_stat, cred, mount, mount->mnt_mntlabel);
+ MAC_CHECK(check_mount_stat, cred, mount, mount->mnt_label);
return (error);
}
diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c
index 30dbf79..663ea5b 100644
--- a/sys/security/mac_biba/mac_biba.c
+++ b/sys/security/mac_biba/mac_biba.c
@@ -829,15 +829,13 @@ mac_biba_create_devfs_symlink(struct ucred *cred, struct mount *mp,
static void
mac_biba_create_mount(struct ucred *cred, struct mount *mp,
- struct label *mntlabel, struct label *fslabel)
+ struct label *mntlabel)
{
struct mac_biba *source, *dest;
source = SLOT(cred->cr_label);
dest = SLOT(mntlabel);
mac_biba_copy_effective(source, dest);
- dest = SLOT(fslabel);
- mac_biba_copy_effective(source, dest);
}
static void
@@ -866,7 +864,7 @@ mac_biba_update_devfsdirent(struct mount *mp,
}
static void
-mac_biba_associate_vnode_devfs(struct mount *mp, struct label *fslabel,
+mac_biba_associate_vnode_devfs(struct mount *mp, struct label *mntlabel,
struct devfs_dirent *de, struct label *delabel, struct vnode *vp,
struct label *vlabel)
{
@@ -879,13 +877,13 @@ mac_biba_associate_vnode_devfs(struct mount *mp, struct label *fslabel,
}
static int
-mac_biba_associate_vnode_extattr(struct mount *mp, struct label *fslabel,
+mac_biba_associate_vnode_extattr(struct mount *mp, struct label *mntlabel,
struct vnode *vp, struct label *vlabel)
{
struct mac_biba temp, *source, *dest;
int buflen, error;
- source = SLOT(fslabel);
+ source = SLOT(mntlabel);
dest = SLOT(vlabel);
buflen = sizeof(temp);
@@ -894,7 +892,7 @@ mac_biba_associate_vnode_extattr(struct mount *mp, struct label *fslabel,
error = vn_extattr_get(vp, IO_NODELOCKED, MAC_BIBA_EXTATTR_NAMESPACE,
MAC_BIBA_EXTATTR_NAME, &buflen, (char *) &temp, curthread);
if (error == ENOATTR || error == EOPNOTSUPP) {
- /* Fall back to the fslabel. */
+ /* Fall back to the mntlabel. */
mac_biba_copy_effective(source, dest);
return (0);
} else if (error)
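Review bot: The fallback comment in `mac_biba_associate_vnode_extattr()` could say where the label comes from now that there is only one: on `ENOATTR` or `EOPNOTSUPP` the vnode takes the mount label, which `mac_biba_create_mount()` copies from the mounting credential's effective label. I would write `/* No stored label: inherit the mount label set at mount time. */`. That makes it clear that unlabeled files take the label the file system was mounted with rather than a fixed default. The same comment appears in `mac_lomac_associate_vnode_extattr()` and `mac_mls_associate_vnode_extattr()`. The function starts and ends outside this hunk.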
@@ -920,11 +918,11 @@ mac_biba_associate_vnode_extattr(struct mount *mp, struct label *fslabel,
static void
mac_biba_associate_vnode_singlelabel(struct mount *mp,
- struct label *fslabel, struct vnode *vp, struct label *vlabel)
+ struct label *mntlabel, struct vnode *vp, struct label *vlabel)
{
struct mac_biba *source, *dest;
- source = SLOT(fslabel);
+ source = SLOT(mntlabel);
dest = SLOT(vlabel);
mac_biba_copy_effective(source, dest);
@@ -932,7 +930,7 @@ mac_biba_associate_vnode_singlelabel(struct mount *mp,
static int
mac_biba_create_vnode_extattr(struct ucred *cred, struct mount *mp,
- struct label *fslabel, struct vnode *dvp, struct label *dlabel,
+ struct label *mntlabel, struct vnode *dvp, struct label *dlabel,
struct vnode *vp, struct label *vlabel, struct componentname *cnp)
{
struct mac_biba *source, *dest, temp;
@@ -3258,7 +3256,6 @@ static struct mac_policy_ops mac_biba_ops =
.mpo_init_ipq_label = mac_biba_init_label_waitcheck,
.mpo_init_mbuf_label = mac_biba_init_label_waitcheck,
.mpo_init_mount_label = mac_biba_init_label,
- .mpo_init_mount_fs_label = mac_biba_init_label,
.mpo_init_pipe_label = mac_biba_init_label,
.mpo_init_posix_sem_label = mac_biba_init_label,
.mpo_init_socket_label = mac_biba_init_label_waitcheck,
@@ -3278,7 +3275,6 @@ static struct mac_policy_ops mac_biba_ops =
.mpo_destroy_ipq_label = mac_biba_destroy_label,
.mpo_destroy_mbuf_label = mac_biba_destroy_label,
.mpo_destroy_mount_label = mac_biba_destroy_label,
- .mpo_destroy_mount_fs_label = mac_biba_destroy_label,
.mpo_destroy_pipe_label = mac_biba_destroy_label,
.mpo_destroy_posix_sem_label = mac_biba_destroy_label,
.mpo_destroy_socket_label = mac_biba_destroy_label,
diff --git a/sys/security/mac_lomac/mac_lomac.c b/sys/security/mac_lomac/mac_lomac.c
index c52cf70..c85ec2f 100644
--- a/sys/security/mac_lomac/mac_lomac.c
+++ b/sys/security/mac_lomac/mac_lomac.c
@@ -949,15 +949,13 @@ mac_lomac_create_devfs_symlink(struct ucred *cred, struct mount *mp,
static void
mac_lomac_create_mount(struct ucred *cred, struct mount *mp,
- struct label *mntlabel, struct label *fslabel)
+ struct label *mntlabel)
{
struct mac_lomac *source, *dest;
source = SLOT(cred->cr_label);
dest = SLOT(mntlabel);
mac_lomac_copy_single(source, dest);
- dest = SLOT(fslabel);
- mac_lomac_copy_single(source, dest);
}
static void
@@ -986,7 +984,7 @@ mac_lomac_update_devfsdirent(struct mount *mp,
}
static void
-mac_lomac_associate_vnode_devfs(struct mount *mp, struct label *fslabel,
+mac_lomac_associate_vnode_devfs(struct mount *mp, struct label *mntlabel,
struct devfs_dirent *de, struct label *delabel, struct vnode *vp,
struct label *vlabel)
{
@@ -999,13 +997,13 @@ mac_lomac_associate_vnode_devfs(struct mount *mp, struct label *fslabel,
}
static int
-mac_lomac_associate_vnode_extattr(struct mount *mp, struct label *fslabel,
+mac_lomac_associate_vnode_extattr(struct mount *mp, struct label *mntlabel,
struct vnode *vp, struct label *vlabel)
{
struct mac_lomac temp, *source, *dest;
int buflen, error;
- source = SLOT(fslabel);
+ source = SLOT(mntlabel);
dest = SLOT(vlabel);
buflen = sizeof(temp);
@@ -1014,7 +1012,7 @@ mac_lomac_associate_vnode_extattr(struct mount *mp, struct label *fslabel,
error = vn_extattr_get(vp, IO_NODELOCKED, MAC_LOMAC_EXTATTR_NAMESPACE,
MAC_LOMAC_EXTATTR_NAME, &buflen, (char *)&temp, curthread);
if (error == ENOATTR || error == EOPNOTSUPP) {
- /* Fall back to the fslabel. */
+ /* Fall back to the mntlabel. */
mac_lomac_copy_single(source, dest);
return (0);
} else if (error)
@@ -1047,11 +1045,11 @@ mac_lomac_associate_vnode_extattr(struct mount *mp, struct label *fslabel,
static void
mac_lomac_associate_vnode_singlelabel(struct mount *mp,
- struct label *fslabel, struct vnode *vp, struct label *vlabel)
+ struct label *mntlabel, struct vnode *vp, struct label *vlabel)
{
struct mac_lomac *source, *dest;
- source = SLOT(fslabel);
+ source = SLOT(mntlabel);
dest = SLOT(vlabel);
mac_lomac_copy_single(source, dest);
@@ -1059,7 +1057,7 @@ mac_lomac_associate_vnode_singlelabel(struct mount *mp,
static int
mac_lomac_create_vnode_extattr(struct ucred *cred, struct mount *mp,
- struct label *fslabel, struct vnode *dvp, struct label *dlabel,
+ struct label *mntlabel, struct vnode *dvp, struct label *dlabel,
struct vnode *vp, struct label *vlabel, struct componentname *cnp)
{
struct mac_lomac *source, *dest, *dir, temp;
@@ -2833,7 +2831,6 @@ static struct mac_policy_ops mac_lomac_ops =
.mpo_init_ipq_label = mac_lomac_init_label_waitcheck,
.mpo_init_mbuf_label = mac_lomac_init_label_waitcheck,
.mpo_init_mount_label = mac_lomac_init_label,
- .mpo_init_mount_fs_label = mac_lomac_init_label,
.mpo_init_pipe_label = mac_lomac_init_label,
.mpo_init_proc_label = mac_lomac_init_proc_label,
.mpo_init_socket_label = mac_lomac_init_label_waitcheck,
@@ -2848,7 +2845,6 @@ static struct mac_policy_ops mac_lomac_ops =
.mpo_destroy_ipq_label = mac_lomac_destroy_label,
.mpo_destroy_mbuf_label = mac_lomac_destroy_label,
.mpo_destroy_mount_label = mac_lomac_destroy_label,
- .mpo_destroy_mount_fs_label = mac_lomac_destroy_label,
.mpo_destroy_pipe_label = mac_lomac_destroy_label,
.mpo_destroy_proc_label = mac_lomac_destroy_proc_label,
.mpo_destroy_syncache_label = mac_lomac_destroy_label,
diff --git a/sys/security/mac_mls/mac_mls.c b/sys/security/mac_mls/mac_mls.c
index e1cbc91..5169360 100644
--- a/sys/security/mac_mls/mac_mls.c
+++ b/sys/security/mac_mls/mac_mls.c
@@ -793,15 +793,13 @@ mac_mls_create_devfs_symlink(struct ucred *cred, struct mount *mp,
static void
mac_mls_create_mount(struct ucred *cred, struct mount *mp,
- struct label *mntlabel, struct label *fslabel)
+ struct label *mntlabel)
{
struct mac_mls *source, *dest;
source = SLOT(cred->cr_label);
dest = SLOT(mntlabel);
mac_mls_copy_effective(source, dest);
- dest = SLOT(fslabel);
- mac_mls_copy_effective(source, dest);
}
static void
@@ -830,7 +828,7 @@ mac_mls_update_devfsdirent(struct mount *mp,
}
static void
-mac_mls_associate_vnode_devfs(struct mount *mp, struct label *fslabel,
+mac_mls_associate_vnode_devfs(struct mount *mp, struct label *mntlabel,
struct devfs_dirent *de, struct label *delabel, struct vnode *vp,
struct label *vlabel)
{
@@ -843,13 +841,13 @@ mac_mls_associate_vnode_devfs(struct mount *mp, struct label *fslabel,
}
static int
-mac_mls_associate_vnode_extattr(struct mount *mp, struct label *fslabel,
+mac_mls_associate_vnode_extattr(struct mount *mp, struct label *mntlabel,
struct vnode *vp, struct label *vlabel)
{
struct mac_mls temp, *source, *dest;
int buflen, error;
- source = SLOT(fslabel);
+ source = SLOT(mntlabel);
dest = SLOT(vlabel);
buflen = sizeof(temp);
@@ -858,7 +856,7 @@ mac_mls_associate_vnode_extattr(struct mount *mp, struct label *fslabel,
error = vn_extattr_get(vp, IO_NODELOCKED, MAC_MLS_EXTATTR_NAMESPACE,
MAC_MLS_EXTATTR_NAME, &buflen, (char *) &temp, curthread);
if (error == ENOATTR || error == EOPNOTSUPP) {
- /* Fall back to the fslabel. */
+ /* Fall back to the mntlabel. */
mac_mls_copy_effective(source, dest);
return (0);
} else if (error)
@@ -884,11 +882,11 @@ mac_mls_associate_vnode_extattr(struct mount *mp, struct label *fslabel,
static void
mac_mls_associate_vnode_singlelabel(struct mount *mp,
- struct label *fslabel, struct vnode *vp, struct label *vlabel)
+ struct label *mntlabel, struct vnode *vp, struct label *vlabel)
{
struct mac_mls *source, *dest;
- source = SLOT(fslabel);
+ source = SLOT(mntlabel);
dest = SLOT(vlabel);
mac_mls_copy_effective(source, dest);
@@ -896,7 +894,7 @@ mac_mls_associate_vnode_singlelabel(struct mount *mp,
static int
mac_mls_create_vnode_extattr(struct ucred *cred, struct mount *mp,
- struct label *fslabel, struct vnode *dvp, struct label *dlabel,
+ struct label *mntlabel, struct vnode *dvp, struct label *dlabel,
struct vnode *vp, struct label *vlabel, struct componentname *cnp)
{
struct mac_mls *source, *dest, temp;
@@ -2882,7 +2880,6 @@ static struct mac_policy_ops mac_mls_ops =
.mpo_init_ipq_label = mac_mls_init_label_waitcheck,
.mpo_init_mbuf_label = mac_mls_init_label_waitcheck,
.mpo_init_mount_label = mac_mls_init_label,
- .mpo_init_mount_fs_label = mac_mls_init_label,
.mpo_init_pipe_label = mac_mls_init_label,
.mpo_init_posix_sem_label = mac_mls_init_label,
.mpo_init_socket_label = mac_mls_init_label_waitcheck,
@@ -2901,7 +2898,6 @@ static struct mac_policy_ops mac_mls_ops =
.mpo_destroy_ipq_label = mac_mls_destroy_label,
.mpo_destroy_mbuf_label = mac_mls_destroy_label,
.mpo_destroy_mount_label = mac_mls_destroy_label,
- .mpo_destroy_mount_fs_label = mac_mls_destroy_label,
.mpo_destroy_pipe_label = mac_mls_destroy_label,
.mpo_destroy_posix_sem_label = mac_mls_destroy_label,
.mpo_destroy_socket_label = mac_mls_destroy_label,
diff --git a/sys/security/mac_stub/mac_stub.c b/sys/security/mac_stub/mac_stub.c
index b06c02b..822dd36 100644
--- a/sys/security/mac_stub/mac_stub.c
+++ b/sys/security/mac_stub/mac_stub.c
@@ -163,7 +163,7 @@ stub_internalize_label(struct label *label, char *element_name,
* a lot like file system objects.
*/
static void
-stub_associate_vnode_devfs(struct mount *mp, struct label *fslabel,
+stub_associate_vnode_devfs(struct mount *mp, struct label *mntlabel,
struct devfs_dirent *de, struct label *delabel, struct vnode *vp,
struct label *vlabel)
{
@@ -171,7 +171,7 @@ stub_associate_vnode_devfs(struct mount *mp, struct label *fslabel,
}
static int
-stub_associate_vnode_extattr(struct mount *mp, struct label *fslabel,
+stub_associate_vnode_extattr(struct mount *mp, struct label *mntlabel,
struct vnode *vp, struct label *vlabel)
{
@@ -180,7 +180,7 @@ stub_associate_vnode_extattr(struct mount *mp, struct label *fslabel,
static void
stub_associate_vnode_singlelabel(struct mount *mp,
- struct label *fslabel, struct vnode *vp, struct label *vlabel)
+ struct label *mntlabel, struct vnode *vp, struct label *vlabel)
{
}
@@ -215,7 +215,7 @@ stub_create_devfs_symlink(struct ucred *cred, struct mount *mp,
static int
stub_create_vnode_extattr(struct ucred *cred, struct mount *mp,
- struct label *fslabel, struct vnode *dvp, struct label *dlabel,
+ struct label *mntlabel, struct vnode *dvp, struct label *dlabel,
struct vnode *vp, struct label *vlabel, struct componentname *cnp)
{
@@ -224,7 +224,7 @@ stub_create_vnode_extattr(struct ucred *cred, struct mount *mp,
static void
stub_create_mount(struct ucred *cred, struct mount *mp,
- struct label *mntlabel, struct label *fslabel)
+ struct label *mntlabel)
{
}
@@ -1447,7 +1447,6 @@ static struct mac_policy_ops mac_stub_ops =
.mpo_init_ipq_label = stub_init_label_waitcheck,
.mpo_init_mbuf_label = stub_init_label_waitcheck,
.mpo_init_mount_label = stub_init_label,
- .mpo_init_mount_fs_label = stub_init_label,
.mpo_init_pipe_label = stub_init_label,
.mpo_init_posix_sem_label = stub_init_label,
.mpo_init_socket_label = stub_init_label_waitcheck,
@@ -1465,7 +1464,6 @@ static struct mac_policy_ops mac_stub_ops =
.mpo_destroy_ipq_label = stub_destroy_label,
.mpo_destroy_mbuf_label = stub_destroy_label,
.mpo_destroy_mount_label = stub_destroy_label,
- .mpo_destroy_mount_fs_label = stub_destroy_label,
.mpo_destroy_pipe_label = stub_destroy_label,
.mpo_destroy_posix_sem_label = stub_destroy_label,
.mpo_destroy_socket_label = stub_destroy_label,
diff --git a/sys/security/mac_test/mac_test.c b/sys/security/mac_test/mac_test.c
index 5c53b15..c5493ff 100644
--- a/sys/security/mac_test/mac_test.c
+++ b/sys/security/mac_test/mac_test.c
@@ -268,15 +268,6 @@ mac_test_init_mount_label(struct label *label)
COUNTER_INC(init_mount_label);
}
-COUNTER_DECL(init_mount_fs_label);
-static void
-mac_test_init_mount_fs_label(struct label *label)
-{
-
- LABEL_INIT(label, MAGIC_MOUNT);
- COUNTER_INC(init_mount_fs_label);
-}
-
COUNTER_DECL(init_socket_label);
static int
mac_test_init_socket_label(struct label *label, int flag)
@@ -459,15 +450,6 @@ mac_test_destroy_mount_label(struct label *label)
COUNTER_INC(destroy_mount_label);
}
-COUNTER_DECL(destroy_mount_fs_label);
-static void
-mac_test_destroy_mount_fs_label(struct label *label)
-{
-
- LABEL_DESTROY(label, MAGIC_MOUNT);
- COUNTER_INC(destroy_mount_fs_label);
-}
-
COUNTER_DECL(destroy_socket_label);
static void
mac_test_destroy_socket_label(struct label *label)
@@ -612,12 +594,12 @@ mac_test_internalize_label(struct label *label, char *element_name,
*/
COUNTER_DECL(associate_vnode_devfs);
static void
-mac_test_associate_vnode_devfs(struct mount *mp, struct label *fslabel,
+mac_test_associate_vnode_devfs(struct mount *mp, struct label *mntlabel,
struct devfs_dirent *de, struct label *delabel, struct vnode *vp,
struct label *vlabel)
{
- LABEL_CHECK(fslabel, MAGIC_MOUNT);
+ LABEL_CHECK(mntlabel, MAGIC_MOUNT);
LABEL_CHECK(delabel, MAGIC_DEVFS);
LABEL_CHECK(vlabel, MAGIC_VNODE);
COUNTER_INC(associate_vnode_devfs);
@@ -625,11 +607,11 @@ mac_test_associate_vnode_devfs(struct mount *mp, struct label *fslabel,
COUNTER_DECL(associate_vnode_extattr);
static int
-mac_test_associate_vnode_extattr(struct mount *mp, struct label *fslabel,
+mac_test_associate_vnode_extattr(struct mount *mp, struct label *mntlabel,
struct vnode *vp, struct label *vlabel)
{
- LABEL_CHECK(fslabel, MAGIC_MOUNT);
+ LABEL_CHECK(mntlabel, MAGIC_MOUNT);
LABEL_CHECK(vlabel, MAGIC_VNODE);
COUNTER_INC(associate_vnode_extattr);
@@ -639,10 +621,10 @@ mac_test_associate_vnode_extattr(struct mount *mp, struct label *fslabel,
COUNTER_DECL(associate_vnode_singlelabel);
static void
mac_test_associate_vnode_singlelabel(struct mount *mp,
- struct label *fslabel, struct vnode *vp, struct label *vlabel)
+ struct label *mntlabel, struct vnode *vp, struct label *vlabel)
{
- LABEL_CHECK(fslabel, MAGIC_MOUNT);
+ LABEL_CHECK(mntlabel, MAGIC_MOUNT);
LABEL_CHECK(vlabel, MAGIC_VNODE);
COUNTER_INC(associate_vnode_singlelabel);
}
@@ -685,12 +667,12 @@ mac_test_create_devfs_symlink(struct ucred *cred, struct mount *mp,
COUNTER_DECL(create_vnode_extattr);
static int
mac_test_create_vnode_extattr(struct ucred *cred, struct mount *mp,
- struct label *fslabel, struct vnode *dvp, struct label *dlabel,
+ struct label *mntlabel, struct vnode *dvp, struct label *dlabel,
struct vnode *vp, struct label *vlabel, struct componentname *cnp)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
- LABEL_CHECK(fslabel, MAGIC_MOUNT);
+ LABEL_CHECK(mntlabel, MAGIC_MOUNT);
LABEL_CHECK(dlabel, MAGIC_VNODE);
COUNTER_INC(create_vnode_extattr);
@@ -700,12 +682,11 @@ mac_test_create_vnode_extattr(struct ucred *cred, struct mount *mp,
COUNTER_DECL(create_mount);
static void
mac_test_create_mount(struct ucred *cred, struct mount *mp,
- struct label *mntlabel, struct label *fslabel)
+ struct label *mntlabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(mntlabel, MAGIC_MOUNT);
- LABEL_CHECK(fslabel, MAGIC_MOUNT);
COUNTER_INC(create_mount);
}
@@ -2490,7 +2471,6 @@ static struct mac_policy_ops mac_test_ops =
.mpo_init_ipq_label = mac_test_init_ipq_label,
.mpo_init_mbuf_label = mac_test_init_mbuf_label,
.mpo_init_mount_label = mac_test_init_mount_label,
- .mpo_init_mount_fs_label = mac_test_init_mount_fs_label,
.mpo_init_pipe_label = mac_test_init_pipe_label,
.mpo_init_posix_sem_label = mac_test_init_posix_sem_label,
.mpo_init_proc_label = mac_test_init_proc_label,
@@ -2510,7 +2490,6 @@ static struct mac_policy_ops mac_test_ops =
.mpo_destroy_ipq_label = mac_test_destroy_ipq_label,
.mpo_destroy_mbuf_label = mac_test_destroy_mbuf_label,
.mpo_destroy_mount_label = mac_test_destroy_mount_label,
- .mpo_destroy_mount_fs_label = mac_test_destroy_mount_fs_label,
.mpo_destroy_pipe_label = mac_test_destroy_pipe_label,
.mpo_destroy_posix_sem_label = mac_test_destroy_posix_sem_label,
.mpo_destroy_proc_label = mac_test_destroy_proc_label,
diff --git a/sys/sys/mount.h b/sys/sys/mount.h
index 9b76c1b..6eeb5dd 100644
--- a/sys/sys/mount.h
+++ b/sys/sys/mount.h
@@ -168,8 +168,7 @@ struct mount {
time_t mnt_time; /* last time written*/
int mnt_iosize_max; /* max size for clusters, etc */
struct netexport *mnt_export; /* export list */
- struct label *mnt_mntlabel; /* MAC label for the mount */
- struct label *mnt_fslabel; /* MAC label for the fs */
+ struct label *mnt_label; /* MAC label for the fs */
u_int mnt_hashseed; /* Random seed for vfs_hash */
int mnt_markercnt; /* marker vnodes in use */
int mnt_holdcnt; /* hold count */
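Review bot: The comment on the new field still reads `/* MAC label for the fs */`, although `mnt_label` now replaces both the mount label and the fs label; `struct label *mnt_label; /* MAC label for the mount/fs */` would match the commit's intent. Removing one pointer also moves `mnt_hashseed` and the fields after it, so modules that touch `struct mount` need rebuilding against this header, and no version bump is visible in the diff. The struct definition starts and ends outside the hunk.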