authorrwatson <rwatson@FreeBSD.org>2007-10-24 19:04:04 +0000
committerrwatson <rwatson@FreeBSD.org>2007-10-24 19:04:04 +0000
commit60570a92bf794d255e5f8ed235b49c553776ad92 (patch)
treefea282db79628eed98808fd38cc46445b2f97ca5
parent7781c2181af1113baab38322a55a90b5469cba03 (diff)
Merge first in a series of TrustedBSD MAC Framework KPI changes
from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updated as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
-rw-r--r--sys/compat/linux/linux_file.c2
-rw-r--r--sys/compat/linux/linux_getcwd.c4
-rw-r--r--sys/compat/linux/linux_misc.c2
-rw-r--r--sys/compat/svr4/svr4_fcntl.c2
-rw-r--r--sys/compat/svr4/svr4_misc.c6
-rw-r--r--sys/contrib/pf/net/pf.c4
-rw-r--r--sys/fs/devfs/devfs_devs.c8
-rw-r--r--sys/fs/devfs/devfs_vnops.c8
-rw-r--r--sys/fs/unionfs/union_subr.c4
-rw-r--r--sys/i386/ibcs2/ibcs2_misc.c4
-rw-r--r--sys/kern/init_main.c4
-rw-r--r--sys/kern/kern_acct.c4
-rw-r--r--sys/kern/kern_alq.c2
-rw-r--r--sys/kern/kern_environment.c8
-rw-r--r--sys/kern/kern_exec.c8
-rw-r--r--sys/kern/kern_exit.c2
-rw-r--r--sys/kern/kern_fork.c4
-rw-r--r--sys/kern/kern_jail.c2
-rw-r--r--sys/kern/kern_ktrace.c2
-rw-r--r--sys/kern/kern_linker.c12
-rw-r--r--sys/kern/kern_mbuf.c4
-rw-r--r--sys/kern/kern_prot.c36
-rw-r--r--sys/kern/kern_shutdown.c2
-rw-r--r--sys/kern/kern_sysctl.c2
-rw-r--r--sys/kern/link_elf.c2
-rw-r--r--sys/kern/link_elf_obj.c2
-rw-r--r--sys/kern/sys_pipe.c18
-rw-r--r--sys/kern/sys_socket.c8
-rw-r--r--sys/kern/sysv_msg.c36
-rw-r--r--sys/kern/sysv_sem.c16
-rw-r--r--sys/kern/sysv_shm.c20
-rw-r--r--sys/kern/uipc_mbuf2.c6
-rw-r--r--sys/kern/uipc_sem.c16
-rw-r--r--sys/kern/uipc_socket.c8
-rw-r--r--sys/kern/uipc_syscalls.c24
-rw-r--r--sys/kern/uipc_usrreq.c8
-rw-r--r--sys/kern/vfs_acl.c6
-rw-r--r--sys/kern/vfs_extattr.c8
-rw-r--r--sys/kern/vfs_lookup.c4
-rw-r--r--sys/kern/vfs_mount.c6
-rw-r--r--sys/kern/vfs_subr.c6
-rw-r--r--sys/kern/vfs_syscalls.c62
-rw-r--r--sys/kern/vfs_vnops.c16
-rw-r--r--sys/net/bpf.c16
-rw-r--r--sys/net/bsd_comp.c2
-rw-r--r--sys/net/if.c10
-rw-r--r--sys/net/if_atmsubr.c4
-rw-r--r--sys/net/if_ethersubr.c4
-rw-r--r--sys/net/if_fddisubr.c4
-rw-r--r--sys/net/if_fwsubr.c4
-rw-r--r--sys/net/if_gif.c4
-rw-r--r--sys/net/if_iso88025subr.c4
-rw-r--r--sys/net/if_ppp.c8
-rw-r--r--sys/net/if_stf.c4
-rw-r--r--sys/net/if_tun.c4
-rw-r--r--sys/netatalk/ddp_input.c2
-rw-r--r--sys/netatalk/ddp_output.c4
-rw-r--r--sys/netinet/in_pcb.c6
-rw-r--r--sys/netinet/ip_divert.c4
-rw-r--r--sys/netinet/ip_fw2.c4
-rw-r--r--sys/netinet/ip_icmp.c4
-rw-r--r--sys/netinet/ip_input.c12
-rw-r--r--sys/netinet/ip_options.c2
-rw-r--r--sys/netinet/ip_output.c2
-rw-r--r--sys/netinet/raw_ip.c4
-rw-r--r--sys/netinet/tcp_input.c4
-rw-r--r--sys/netinet/tcp_output.c2
-rw-r--r--sys/netinet/tcp_subr.c4
-rw-r--r--sys/netinet/tcp_syncache.c2
-rw-r--r--sys/netinet/tcp_timewait.c2
-rw-r--r--sys/netinet/udp_usrreq.c4
-rw-r--r--sys/netinet6/udp6_usrreq.c4
-rw-r--r--sys/security/audit/audit_syscalls.c12
-rw-r--r--sys/security/mac/mac_audit.c30
-rw-r--r--sys/security/mac/mac_framework.h385
-rw-r--r--sys/security/mac/mac_inet.c69
-rw-r--r--sys/security/mac/mac_internal.h34
-rw-r--r--sys/security/mac/mac_net.c100
-rw-r--r--sys/security/mac/mac_pipe.c56
-rw-r--r--sys/security/mac/mac_policy.h844
-rw-r--r--sys/security/mac/mac_posix_sem.c49
-rw-r--r--sys/security/mac/mac_process.c104
-rw-r--r--sys/security/mac/mac_socket.c124
-rw-r--r--sys/security/mac/mac_syscalls.c40
-rw-r--r--sys/security/mac/mac_system.c56
-rw-r--r--sys/security/mac/mac_sysv_msg.c66
-rw-r--r--sys/security/mac/mac_sysv_sem.c33
-rw-r--r--sys/security/mac/mac_sysv_shm.c36
-rw-r--r--sys/security/mac/mac_vfs.c317
-rw-r--r--sys/security/mac_biba/mac_biba.c611
-rw-r--r--sys/security/mac_bsdextended/mac_bsdextended.c120
-rw-r--r--sys/security/mac_ifoff/mac_ifoff.c32
-rw-r--r--sys/security/mac_lomac/mac_lomac.c433
-rw-r--r--sys/security/mac_mls/mac_mls.c591
-rw-r--r--sys/security/mac_partition/mac_partition.c54
-rw-r--r--sys/security/mac_portacl/mac_portacl.c8
-rw-r--r--sys/security/mac_seeotheruids/mac_seeotheruids.c24
-rw-r--r--sys/security/mac_stub/mac_stub.c738
-rw-r--r--sys/security/mac_test/mac_test.c1599
-rw-r--r--sys/ufs/ffs/ffs_vfsops.c2
-rw-r--r--sys/ufs/ufs/ufs_vnops.c4
-rw-r--r--sys/vm/swap_pager.c4
-rw-r--r--sys/vm/vm_mmap.c2
103 files changed, 3601 insertions, 3518 deletions
diff --git a/sys/compat/linux/linux_file.c b/sys/compat/linux/linux_file.c
index 5833b39..bee733c 100644
--- a/sys/compat/linux/linux_file.c
+++ b/sys/compat/linux/linux_file.c
@@ -467,7 +467,7 @@ again:
/*
* Do directory search MAC check using non-cached credentials.
*/
- if ((error = mac_check_vnode_readdir(td->td_ucred, vp)))
+ if ((error = mac_vnode_check_readdir(td->td_ucred, vp)))
goto out;
#endif /* MAC */
if ((error = VOP_READDIR(vp, &auio, fp->f_cred, &eofflag, &ncookies,
diff --git a/sys/compat/linux/linux_getcwd.c b/sys/compat/linux/linux_getcwd.c
index c244e50..1110fc1 100644
--- a/sys/compat/linux/linux_getcwd.c
+++ b/sys/compat/linux/linux_getcwd.c
@@ -170,7 +170,7 @@ linux_getcwd_scandir(lvpp, uvpp, bpp, bufp, td)
* On successful return, *uvpp will be locked
*/
#ifdef MAC
- error = mac_check_vnode_lookup(td->td_ucred, lvp, &cn);
+ error = mac_vnode_check_lookup(td->td_ucred, lvp, &cn);
if (error == 0)
#endif
error = VOP_LOOKUP(lvp, uvpp, &cn);
@@ -216,7 +216,7 @@ unionread:
eofflag = 0;
#ifdef MAC
- error = mac_check_vnode_readdir(td->td_ucred, uvp);
+ error = mac_vnode_check_readdir(td->td_ucred, uvp);
if (error == 0)
#endif /* MAC */
error = VOP_READDIR(uvp, &uio, td->td_ucred, &eofflag,
diff --git a/sys/compat/linux/linux_misc.c b/sys/compat/linux/linux_misc.c
index 01f1cee..96adc6d 100644
--- a/sys/compat/linux/linux_misc.c
+++ b/sys/compat/linux/linux_misc.c
@@ -301,7 +301,7 @@ linux_uselib(struct thread *td, struct linux_uselib_args *args)
* than vn_open().
*/
#ifdef MAC
- error = mac_check_vnode_open(td->td_ucred, vp, FREAD);
+ error = mac_vnode_check_open(td->td_ucred, vp, FREAD);
if (error)
goto cleanup;
#endif
diff --git a/sys/compat/svr4/svr4_fcntl.c b/sys/compat/svr4/svr4_fcntl.c
index 8735abb..792a8a7 100644
--- a/sys/compat/svr4/svr4_fcntl.c
+++ b/sys/compat/svr4/svr4_fcntl.c
@@ -271,7 +271,7 @@ fd_revoke(td, fd)
#ifdef MAC
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
- error = mac_check_vnode_revoke(td->td_ucred, vp);
+ error = mac_vnode_check_revoke(td->td_ucred, vp);
VOP_UNLOCK(vp, 0, td);
if (error)
goto out;
diff --git a/sys/compat/svr4/svr4_misc.c b/sys/compat/svr4/svr4_misc.c
index e4c48c0..85385b5 100644
--- a/sys/compat/svr4/svr4_misc.c
+++ b/sys/compat/svr4/svr4_misc.c
@@ -296,7 +296,7 @@ again:
}
#ifdef MAC
- error = mac_check_vnode_readdir(td->td_ucred, vp);
+ error = mac_vnode_check_readdir(td->td_ucred, vp);
if (error)
goto out;
#endif
@@ -461,7 +461,7 @@ again:
auio.uio_offset = off;
#ifdef MAC
- error = mac_check_vnode_readdir(td->td_ucred, vp);
+ error = mac_vnode_check_readdir(td->td_ucred, vp);
if (error)
goto out;
#endif
@@ -625,7 +625,7 @@ svr4_sys_fchroot(td, uap)
if (error)
goto fail;
#ifdef MAC
- error = mac_check_vnode_chroot(td->td_ucred, vp);
+ error = mac_vnode_check_chroot(td->td_ucred, vp);
if (error)
goto fail;
#endif
diff --git a/sys/contrib/pf/net/pf.c b/sys/contrib/pf/net/pf.c
index 0c996ab..5b209af 100644
--- a/sys/contrib/pf/net/pf.c
+++ b/sys/contrib/pf/net/pf.c
@@ -1818,9 +1818,9 @@ pf_send_tcp(const struct pf_rule *r, sa_family_t af,
#ifdef __FreeBSD__
#ifdef MAC
if (replyto)
- mac_create_mbuf_netlayer(replyto, m);
+ mac_mbuf_create_netlayer(replyto, m);
else
- mac_create_mbuf_from_firewall(m);
+ mac_mbuf_create_from_firewall(m);
#else
(void)replyto;
#endif
diff --git a/sys/fs/devfs/devfs_devs.c b/sys/fs/devfs/devfs_devs.c
index ca5c2de..526f20d 100644
--- a/sys/fs/devfs/devfs_devs.c
+++ b/sys/fs/devfs/devfs_devs.c
@@ -182,7 +182,7 @@ devfs_newdirent(char *name, int namelen)
de->de_links = 1;
de->de_holdcnt = 1;
#ifdef MAC
- mac_init_devfs(de);
+ mac_devfs_init(de);
#endif
return (de);
}
@@ -226,7 +226,7 @@ devfs_vmkdir(struct devfs_mount *dmp, char *name, int namelen, struct devfs_dire
}
#ifdef MAC
- mac_create_devfs_directory(dmp->dm_mount, name, namelen, dd);
+ mac_devfs_create_directory(dmp->dm_mount, name, namelen, dd);
#endif
return (dd);
}
@@ -274,7 +274,7 @@ devfs_delete(struct devfs_mount *dm, struct devfs_dirent *de, int vp_locked)
de->de_symlink = NULL;
}
#ifdef MAC
- mac_destroy_devfs(de);
+ mac_devfs_destroy(de);
#endif
if (de->de_inode > DEVFS_ROOTINO) {
free_unr(devfs_inos, de->de_inode);
@@ -452,7 +452,7 @@ devfs_populate_loop(struct devfs_mount *dm, int cleanup)
de->de_inode = cdp->cdp_inode;
de->de_cdp = cdp;
#ifdef MAC
- mac_create_devfs_device(cdp->cdp_c.si_cred, dm->dm_mount,
+ mac_devfs_create_device(cdp->cdp_c.si_cred, dm->dm_mount,
&cdp->cdp_c, de);
#endif
de->de_dir = dd;
diff --git a/sys/fs/devfs/devfs_vnops.c b/sys/fs/devfs/devfs_vnops.c
index 5ed41de..ba01318 100644
--- a/sys/fs/devfs/devfs_vnops.c
+++ b/sys/fs/devfs/devfs_vnops.c
@@ -262,7 +262,7 @@ devfs_allocv(struct devfs_dirent *de, struct mount *mp, struct vnode **vpp, stru
return (ENOENT);
}
#ifdef MAC
- mac_associate_vnode_devfs(mp, de, vp);
+ mac_devfs_vnode_associate(mp, de, vp);
#endif
sx_xunlock(&dmp->dm_lock);
*vpp = vp;
@@ -1233,8 +1233,8 @@ devfs_setlabel(struct vop_setlabel_args *ap)
vp = ap->a_vp;
de = vp->v_data;
- mac_relabel_vnode(ap->a_cred, vp, ap->a_label);
- mac_update_devfs(vp->v_mount, de, vp);
+ mac_vnode_relabel(ap->a_cred, vp, ap->a_label);
+ mac_devfs_update(vp->v_mount, de, vp);
return (0);
}
@@ -1275,7 +1275,7 @@ devfs_symlink(struct vop_symlink_args *ap)
bcopy(ap->a_target, de->de_symlink, i);
sx_xlock(&dmp->dm_lock);
#ifdef MAC
- mac_create_devfs_symlink(ap->a_cnp->cn_cred, dmp->dm_mount, dd, de);
+ mac_devfs_create_symlink(ap->a_cnp->cn_cred, dmp->dm_mount, dd, de);
#endif
TAILQ_INSERT_TAIL(&dd->de_dlist, de, de_list);
return (devfs_allocv(de, ap->a_dvp->v_mount, ap->a_vpp, td));
diff --git a/sys/fs/unionfs/union_subr.c b/sys/fs/unionfs/union_subr.c
index fc5e27c..05dd077 100644
--- a/sys/fs/unionfs/union_subr.c
+++ b/sys/fs/unionfs/union_subr.c
@@ -966,7 +966,7 @@ unionfs_check_rmdir(struct vnode *vp, struct ucred *cred, struct thread *td)
/* open vnode */
#ifdef MAC
- if ((error = mac_check_vnode_open(cred, vp, VEXEC|VREAD)) != 0)
+ if ((error = mac_vnode_check_open(cred, vp, VEXEC|VREAD)) != 0)
return (error);
#endif
if ((error = VOP_ACCESS(vp, VEXEC|VREAD, cred, td)) != 0)
@@ -980,7 +980,7 @@ unionfs_check_rmdir(struct vnode *vp, struct ucred *cred, struct thread *td)
uio.uio_offset = 0;
#ifdef MAC
- error = mac_check_vnode_readdir(td->td_ucred, lvp);
+ error = mac_vnode_check_readdir(td->td_ucred, lvp);
#endif
while (!error && !eofflag) {
iov.iov_base = buf;
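Review bot: The two MAC checks in unionfs_check_rmdir are evaluated against different subjects: the open check in the previous hunk uses the `cred` argument (as does the `VOP_ACCESS` call after it), while the readdir check here uses `td->td_ucred`. If a caller can pass a `cred` that is not the thread's own credential, a policy sees one subject for open and another for readdir within what is a single operation. Either pass the same credential, `error = mac_vnode_check_readdir(cred, lvp);`, or add a comment saying why the thread credential is wanted, e.g. `/* readdir is authorized against the calling thread, not the passed-in cred */`. The function body continues outside both hunks, so the credential handed to the read loop that follows is not visible here.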
diff --git a/sys/i386/ibcs2/ibcs2_misc.c b/sys/i386/ibcs2/ibcs2_misc.c
index f6375c3..8dae2b2 100644
--- a/sys/i386/ibcs2/ibcs2_misc.c
+++ b/sys/i386/ibcs2/ibcs2_misc.c
@@ -374,7 +374,7 @@ again:
}
#ifdef MAC
- error = mac_check_vnode_readdir(td->td_ucred, vp);
+ error = mac_vnode_check_readdir(td->td_ucred, vp);
if (error)
goto out;
#endif
@@ -536,7 +536,7 @@ again:
}
#ifdef MAC
- error = mac_check_vnode_readdir(td->td_ucred, vp);
+ error = mac_vnode_check_readdir(td->td_ucred, vp);
if (error)
goto out;
#endif
diff --git a/sys/kern/init_main.c b/sys/kern/init_main.c
index ef404b3..ae18f12 100644
--- a/sys/kern/init_main.c
+++ b/sys/kern/init_main.c
@@ -448,7 +448,7 @@ proc0_init(void *dummy __unused)
audit_cred_kproc0(p->p_ucred);
#endif
#ifdef MAC
- mac_create_proc0(p->p_ucred);
+ mac_proc_create_swapper(p->p_ucred);
#endif
td->td_ucred = crhold(p->p_ucred);
@@ -714,7 +714,7 @@ create_init(const void *udata __unused)
oldcred = initproc->p_ucred;
crcopy(newcred, oldcred);
#ifdef MAC
- mac_create_proc1(newcred);
+ mac_proc_create_init(newcred);
#endif
#ifdef AUDIT
audit_cred_proc1(newcred);
diff --git a/sys/kern/kern_acct.c b/sys/kern/kern_acct.c
index 17a74c4..13c9b70 100644
--- a/sys/kern/kern_acct.c
+++ b/sys/kern/kern_acct.c
@@ -218,7 +218,7 @@ acct(struct thread *td, struct acct_args *uap)
vfslocked = NDHASGIANT(&nd);
NDFREE(&nd, NDF_ONLY_PNBUF);
#ifdef MAC
- error = mac_check_system_acct(td->td_ucred, nd.ni_vp);
+ error = mac_system_check_acct(td->td_ucred, nd.ni_vp);
if (error) {
VOP_UNLOCK(nd.ni_vp, 0, td);
vn_close(nd.ni_vp, flags, td->td_ucred, td);
@@ -235,7 +235,7 @@ acct(struct thread *td, struct acct_args *uap)
VFS_UNLOCK_GIANT(vfslocked);
#ifdef MAC
} else {
- error = mac_check_system_acct(td->td_ucred, NULL);
+ error = mac_system_check_acct(td->td_ucred, NULL);
if (error)
return (error);
#endif
diff --git a/sys/kern/kern_alq.c b/sys/kern/kern_alq.c
index a141034..6d132a9 100644
--- a/sys/kern/kern_alq.c
+++ b/sys/kern/kern_alq.c
@@ -300,7 +300,7 @@ alq_doio(struct alq *alq)
* XXX: VOP_WRITE error checks are ignored.
*/
#ifdef MAC
- if (mac_check_vnode_write(alq->aq_cred, NOCRED, vp) == 0)
+ if (mac_vnode_check_write(alq->aq_cred, NOCRED, vp) == 0)
#endif
VOP_WRITE(vp, &auio, IO_UNIT | IO_APPEND, alq->aq_cred);
VOP_UNLOCK(vp, 0, td);
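Review bot: In alq_doio the result of `mac_vnode_check_write()` is only compared with 0, so a policy denial silently skips `VOP_WRITE` and nothing records that the queued log data was not written; the existing XXX comment covers only ignored VOP_WRITE errors. On a logging path this makes a MAC denial indistinguishable from a successful flush for anyone reading the file later. Extend the comment to say so, e.g. `XXX: a MAC denial skips the write; neither it nor VOP_WRITE errors are reported.`, or keep the return value in a local so it can be reported. What happens to the buffered entries afterwards is outside the hunk.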
diff --git a/sys/kern/kern_environment.c b/sys/kern/kern_environment.c
index ca20f38..34b1eec 100644
--- a/sys/kern/kern_environment.c
+++ b/sys/kern/kern_environment.c
@@ -95,7 +95,7 @@ kenv(td, uap)
error = 0;
if (uap->what == KENV_DUMP) {
#ifdef MAC
- error = mac_check_kenv_dump(td->td_ucred);
+ error = mac_kenv_check_dump(td->td_ucred);
if (error)
return (error);
#endif
@@ -148,7 +148,7 @@ kenv(td, uap)
switch (uap->what) {
case KENV_GET:
#ifdef MAC
- error = mac_check_kenv_get(td->td_ucred, name);
+ error = mac_kenv_check_get(td->td_ucred, name);
if (error)
goto done;
#endif
@@ -181,7 +181,7 @@ kenv(td, uap)
goto done;
}
#ifdef MAC
- error = mac_check_kenv_set(td->td_ucred, name, value);
+ error = mac_kenv_check_set(td->td_ucred, name, value);
if (error == 0)
#endif
setenv(name, value);
@@ -189,7 +189,7 @@ kenv(td, uap)
break;
case KENV_UNSET:
#ifdef MAC
- error = mac_check_kenv_unset(td->td_ucred, name);
+ error = mac_kenv_check_unset(td->td_ucred, name);
if (error)
goto done;
#endif
diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c
index b3884d0..d2798db 100644
--- a/sys/kern/kern_exec.c
+++ b/sys/kern/kern_exec.c
@@ -439,7 +439,7 @@ interpret:
NDFREE(ndp, NDF_ONLY_PNBUF);
#ifdef MAC
interplabel = mac_vnode_label_alloc();
- mac_copy_vnode_label(ndp->ni_vp->v_label, interplabel);
+ mac_vnode_copy_label(ndp->ni_vp->v_label, interplabel);
#endif
vput(ndp->ni_vp);
vm_object_deallocate(imgp->object);
@@ -550,7 +550,7 @@ interpret:
credential_changing |= (attr.va_mode & VSGID) && oldcred->cr_gid !=
attr.va_gid;
#ifdef MAC
- will_transition = mac_execve_will_transition(oldcred, imgp->vp,
+ will_transition = mac_vnode_execve_will_transition(oldcred, imgp->vp,
interplabel, imgp);
credential_changing |= will_transition;
#endif
@@ -604,7 +604,7 @@ interpret:
change_egid(newcred, attr.va_gid);
#ifdef MAC
if (will_transition) {
- mac_execve_transition(oldcred, newcred, imgp->vp,
+ mac_vnode_execve_transition(oldcred, newcred, imgp->vp,
interplabel, imgp);
}
#endif
@@ -1191,7 +1191,7 @@ exec_check_permissions(imgp)
return (error);
#ifdef MAC
- error = mac_check_vnode_exec(td->td_ucred, imgp->vp, imgp);
+ error = mac_vnode_check_exec(td->td_ucred, imgp->vp, imgp);
if (error)
return (error);
#endif
diff --git a/sys/kern/kern_exit.c b/sys/kern/kern_exit.c
index 696a101..94b949b 100644
--- a/sys/kern/kern_exit.c
+++ b/sys/kern/kern_exit.c
@@ -791,7 +791,7 @@ loop:
*/
vm_waitproc(p);
#ifdef MAC
- mac_destroy_proc(p);
+ mac_proc_destroy(p);
#endif
KASSERT(FIRST_THREAD_IN_PROC(p),
("kern_wait: no residual thread!"));
diff --git a/sys/kern/kern_fork.c b/sys/kern/kern_fork.c
index 1043d1c..52f68f0 100644
--- a/sys/kern/kern_fork.c
+++ b/sys/kern/kern_fork.c
@@ -285,7 +285,7 @@ fork1(td, flags, pages, procp)
/* Allocate new proc. */
newproc = uma_zalloc(proc_zone, M_WAITOK);
#ifdef MAC
- mac_init_proc(newproc);
+ mac_proc_init(newproc);
#endif
knlist_init(&newproc->p_klist, &newproc->p_mtx, NULL, NULL, NULL);
STAILQ_INIT(&newproc->p_ktr);
@@ -752,7 +752,7 @@ fail:
td->td_ucred->cr_ruid);
sx_xunlock(&allproc_lock);
#ifdef MAC
- mac_destroy_proc(newproc);
+ mac_proc_destroy(newproc);
#endif
uma_zfree(proc_zone, newproc);
if (p1->p_flag & P_HADTHREADS) {
diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c
index 49bc0806..1bcc264 100644
--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@@ -258,7 +258,7 @@ jail_attach(struct thread *td, struct jail_attach_args *uap)
if ((error = change_dir(pr->pr_root, td)) != 0)
goto e_unlock;
#ifdef MAC
- if ((error = mac_check_vnode_chroot(td->td_ucred, pr->pr_root)))
+ if ((error = mac_vnode_check_chroot(td->td_ucred, pr->pr_root)))
goto e_unlock;
#endif
VOP_UNLOCK(pr->pr_root, 0, td);
diff --git a/sys/kern/kern_ktrace.c b/sys/kern/kern_ktrace.c
index 2b7ee33..4e5a63c 100644
--- a/sys/kern/kern_ktrace.c
+++ b/sys/kern/kern_ktrace.c
@@ -927,7 +927,7 @@ ktr_writerequest(struct thread *td, struct ktr_request *req)
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
(void)VOP_LEASE(vp, td, cred, LEASE_WRITE);
#ifdef MAC
- error = mac_check_vnode_write(cred, NOCRED, vp);
+ error = mac_vnode_check_write(cred, NOCRED, vp);
if (error == 0)
#endif
error = VOP_WRITE(vp, &auio, IO_UNIT | IO_APPEND, cred);
diff --git a/sys/kern/kern_linker.c b/sys/kern/kern_linker.c
index 324d349..e6080aa 100644
--- a/sys/kern/kern_linker.c
+++ b/sys/kern/kern_linker.c
@@ -995,7 +995,7 @@ kldfind(struct thread *td, struct kldfind_args *uap)
int error;
#ifdef MAC
- error = mac_check_kld_stat(td->td_ucred);
+ error = mac_kld_check_stat(td->td_ucred);
if (error)
return (error);
#endif
@@ -1026,7 +1026,7 @@ kldnext(struct thread *td, struct kldnext_args *uap)
int error = 0;
#ifdef MAC
- error = mac_check_kld_stat(td->td_ucred);
+ error = mac_kld_check_stat(td->td_ucred);
if (error)
return (error);
#endif
@@ -1076,7 +1076,7 @@ kldstat(struct thread *td, struct kldstat_args *uap)
return (EINVAL);
#ifdef MAC
- error = mac_check_kld_stat(td->td_ucred);
+ error = mac_kld_check_stat(td->td_ucred);
if (error)
return (error);
#endif
@@ -1119,7 +1119,7 @@ kldfirstmod(struct thread *td, struct kldfirstmod_args *uap)
int error = 0;
#ifdef MAC
- error = mac_check_kld_stat(td->td_ucred);
+ error = mac_kld_check_stat(td->td_ucred);
if (error)
return (error);
#endif
@@ -1151,7 +1151,7 @@ kldsym(struct thread *td, struct kldsym_args *uap)
int error = 0;
#ifdef MAC
- error = mac_check_kld_stat(td->td_ucred);
+ error = mac_kld_check_stat(td->td_ucred);
if (error)
return (error);
#endif
@@ -1997,7 +1997,7 @@ sysctl_kern_function_list(SYSCTL_HANDLER_ARGS)
int error;
#ifdef MAC
- error = mac_check_kld_stat(req->td->td_ucred);
+ error = mac_kld_check_stat(req->td->td_ucred);
if (error)
return (error);
#endif
diff --git a/sys/kern/kern_mbuf.c b/sys/kern/kern_mbuf.c
index 9015e24..97f4075 100644
--- a/sys/kern/kern_mbuf.c
+++ b/sys/kern/kern_mbuf.c
@@ -323,7 +323,7 @@ mb_ctor_mbuf(void *mem, int size, void *arg, int how)
SLIST_INIT(&m->m_pkthdr.tags);
#ifdef MAC
/* If the label init fails, fail the alloc */
- error = mac_init_mbuf(m, how);
+ error = mac_mbuf_init(m, how);
if (error)
return (error);
#endif
@@ -543,7 +543,7 @@ mb_ctor_pack(void *mem, int size, void *arg, int how)
SLIST_INIT(&m->m_pkthdr.tags);
#ifdef MAC
/* If the label init fails, fail the alloc */
- error = mac_init_mbuf(m, how);
+ error = mac_mbuf_init(m, how);
if (error)
return (error);
#endif
diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c
index 18d3b2a..cd0fb17 100644
--- a/sys/kern/kern_prot.c
+++ b/sys/kern/kern_prot.c
@@ -482,7 +482,7 @@ setuid(struct thread *td, struct setuid_args *uap)
oldcred = p->p_ucred;
#ifdef MAC
- error = mac_check_proc_setuid(p, oldcred, uid);
+ error = mac_proc_check_setuid(p, oldcred, uid);
if (error)
goto fail;
#endif
@@ -594,7 +594,7 @@ seteuid(struct thread *td, struct seteuid_args *uap)
oldcred = p->p_ucred;
#ifdef MAC
- error = mac_check_proc_seteuid(p, oldcred, euid);
+ error = mac_proc_check_seteuid(p, oldcred, euid);
if (error)
goto fail;
#endif
@@ -647,7 +647,7 @@ setgid(struct thread *td, struct setgid_args *uap)
oldcred = p->p_ucred;
#ifdef MAC
- error = mac_check_proc_setgid(p, oldcred, gid);
+ error = mac_proc_check_setgid(p, oldcred, gid);
if (error)
goto fail;
#endif
@@ -746,7 +746,7 @@ setegid(struct thread *td, struct setegid_args *uap)
oldcred = p->p_ucred;
#ifdef MAC
- error = mac_check_proc_setegid(p, oldcred, egid);
+ error = mac_proc_check_setegid(p, oldcred, egid);
if (error)
goto fail;
#endif
@@ -808,7 +808,7 @@ kern_setgroups(struct thread *td, u_int ngrp, gid_t *groups)
oldcred = p->p_ucred;
#ifdef MAC
- error = mac_check_proc_setgroups(p, oldcred, ngrp, groups);
+ error = mac_proc_check_setgroups(p, oldcred, ngrp, groups);
if (error)
goto fail;
#endif
@@ -873,7 +873,7 @@ setreuid(register struct thread *td, struct setreuid_args *uap)
oldcred = p->p_ucred;
#ifdef MAC
- error = mac_check_proc_setreuid(p, oldcred, ruid, euid);
+ error = mac_proc_check_setreuid(p, oldcred, ruid, euid);
if (error)
goto fail;
#endif
@@ -938,7 +938,7 @@ setregid(register struct thread *td, struct setregid_args *uap)
oldcred = p->p_ucred;
#ifdef MAC
- error = mac_check_proc_setregid(p, oldcred, rgid, egid);
+ error = mac_proc_check_setregid(p, oldcred, rgid, egid);
if (error)
goto fail;
#endif
@@ -1009,7 +1009,7 @@ setresuid(register struct thread *td, struct setresuid_args *uap)
oldcred = p->p_ucred;
#ifdef MAC
- error = mac_check_proc_setresuid(p, oldcred, ruid, euid, suid);
+ error = mac_proc_check_setresuid(p, oldcred, ruid, euid, suid);
if (error)
goto fail;
#endif
@@ -1086,7 +1086,7 @@ setresgid(register struct thread *td, struct setresgid_args *uap)
oldcred = p->p_ucred;
#ifdef MAC
- error = mac_check_proc_setresgid(p, oldcred, rgid, egid, sgid);
+ error = mac_proc_check_setresgid(p, oldcred, rgid, egid, sgid);
if (error)
goto fail;
#endif
@@ -1369,7 +1369,7 @@ cr_cansee(struct ucred *u1, struct ucred *u2)
if ((error = prison_check(u1, u2)))
return (error);
#ifdef MAC
- if ((error = mac_check_cred_visible(u1, u2)))
+ if ((error = mac_cred_check_visible(u1, u2)))
return (error);
#endif
if ((error = cr_seeotheruids(u1, u2)))
@@ -1430,7 +1430,7 @@ cr_cansignal(struct ucred *cred, struct proc *proc, int signum)
if (error)
return (error);
#ifdef MAC
- if ((error = mac_check_proc_signal(cred, proc, signum)))
+ if ((error = mac_proc_check_signal(cred, proc, signum)))
return (error);
#endif
if ((error = cr_seeotheruids(cred, proc->p_ucred)))
@@ -1547,7 +1547,7 @@ p_cansched(struct thread *td, struct proc *p)
if ((error = prison_check(td->td_ucred, p->p_ucred)))
return (error);
#ifdef MAC
- if ((error = mac_check_proc_sched(td->td_ucred, p)))
+ if ((error = mac_proc_check_sched(td->td_ucred, p)))
return (error);
#endif
if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred)))
@@ -1604,7 +1604,7 @@ p_candebug(struct thread *td, struct proc *p)
if ((error = prison_check(td->td_ucred, p->p_ucred)))
return (error);
#ifdef MAC
- if ((error = mac_check_proc_debug(td->td_ucred, p)))
+ if ((error = mac_proc_check_debug(td->td_ucred, p)))
return (error);
#endif
if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred)))
@@ -1691,7 +1691,7 @@ cr_canseesocket(struct ucred *cred, struct socket *so)
return (ENOENT);
#ifdef MAC
SOCK_LOCK(so);
- error = mac_check_socket_visible(cred, so);
+ error = mac_socket_check_visible(cred, so);
SOCK_UNLOCK(so);
if (error)
return (error);
@@ -1723,7 +1723,7 @@ p_canwait(struct thread *td, struct proc *p)
if ((error = prison_check(td->td_ucred, p->p_ucred)))
return (error);
#ifdef MAC
- if ((error = mac_check_proc_wait(td->td_ucred, p)))
+ if ((error = mac_proc_check_wait(td->td_ucred, p)))
return (error);
#endif
#if 0
@@ -1749,7 +1749,7 @@ crget(void)
audit_cred_init(cr);
#endif
#ifdef MAC
- mac_init_cred(cr);
+ mac_cred_init(cr);
#endif
return (cr);
}
@@ -1793,7 +1793,7 @@ crfree(struct ucred *cr)
audit_cred_destroy(cr);
#endif
#ifdef MAC
- mac_destroy_cred(cr);
+ mac_cred_destroy(cr);
#endif
FREE(cr, M_CRED);
}
@@ -1828,7 +1828,7 @@ crcopy(struct ucred *dest, struct ucred *src)
audit_cred_copy(src, dest);
#endif
#ifdef MAC
- mac_copy_cred(src, dest);
+ mac_cred_copy(src, dest);
#endif
}
diff --git a/sys/kern/kern_shutdown.c b/sys/kern/kern_shutdown.c
index bd1aeaf..14a74b7 100644
--- a/sys/kern/kern_shutdown.c
+++ b/sys/kern/kern_shutdown.c
@@ -160,7 +160,7 @@ reboot(struct thread *td, struct reboot_args *uap)
error = 0;
#ifdef MAC
- error = mac_check_system_reboot(td->td_ucred, uap->opt);
+ error = mac_system_check_reboot(td->td_ucred, uap->opt);
#endif
if (error == 0)
error = priv_check(td, PRIV_REBOOT);
diff --git a/sys/kern/kern_sysctl.c b/sys/kern/kern_sysctl.c
index dc64f31..2ce6f7e 100644
--- a/sys/kern/kern_sysctl.c
+++ b/sys/kern/kern_sysctl.c
@@ -1298,7 +1298,7 @@ sysctl_root(SYSCTL_HANDLER_ARGS)
arg2 = oid->oid_arg2;
}
#ifdef MAC
- error = mac_check_system_sysctl(req->td->td_ucred, oid, arg1, arg2,
+ error = mac_system_check_sysctl(req->td->td_ucred, oid, arg1, arg2,
req);
if (error != 0)
return (error);
diff --git a/sys/kern/link_elf.c b/sys/kern/link_elf.c
index 5e9480c..86e69a2 100644
--- a/sys/kern/link_elf.c
+++ b/sys/kern/link_elf.c
@@ -572,7 +572,7 @@ link_elf_load_file(linker_class_t cls, const char* filename,
vfslocked = NDHASGIANT(&nd);
NDFREE(&nd, NDF_ONLY_PNBUF);
#ifdef MAC
- error = mac_check_kld_load(curthread->td_ucred, nd.ni_vp);
+ error = mac_kld_check_load(curthread->td_ucred, nd.ni_vp);
if (error) {
firstpage = NULL;
goto out;
diff --git a/sys/kern/link_elf_obj.c b/sys/kern/link_elf_obj.c
index 6426fc0..1798253 100644
--- a/sys/kern/link_elf_obj.c
+++ b/sys/kern/link_elf_obj.c
@@ -410,7 +410,7 @@ link_elf_load_file(linker_class_t cls, const char *filename,
vfslocked = NDHASGIANT(&nd);
NDFREE(&nd, NDF_ONLY_PNBUF);
#ifdef MAC
- error = mac_check_kld_load(td->td_ucred, nd.ni_vp);
+ error = mac_kld_check_load(td->td_ucred, nd.ni_vp);
if (error) {
goto out;
}
diff --git a/sys/kern/sys_pipe.c b/sys/kern/sys_pipe.c
index 6871306..4e3f523 100644
--- a/sys/kern/sys_pipe.c
+++ b/sys/kern/sys_pipe.c
@@ -323,11 +323,11 @@ pipe(td, uap)
#ifdef MAC
/*
* The MAC label is shared between the connected endpoints. As a
- * result mac_init_pipe() and mac_create_pipe() are called once
+ * result mac_pipe_init() and mac_pipe_create() are called once
* for the pair, and not on the endpoints.
*/
- mac_init_pipe(pp);
- mac_create_pipe(td->td_ucred, pp);
+ mac_pipe_init(pp);
+ mac_pipe_create(td->td_ucred, pp);
#endif
rpipe = &pp->pp_rpipe;
wpipe = &pp->pp_wpipe;
@@ -576,7 +576,7 @@ pipe_read(fp, uio, active_cred, flags, td)
goto unlocked_error;
#ifdef MAC
- error = mac_check_pipe_read(active_cred, rpipe->pipe_pair);
+ error = mac_pipe_check_read(active_cred, rpipe->pipe_pair);
if (error)
goto locked_error;
#endif
@@ -986,7 +986,7 @@ pipe_write(fp, uio, active_cred, flags, td)
return (EPIPE);
}
#ifdef MAC
- error = mac_check_pipe_write(active_cred, wpipe->pipe_pair);
+ error = mac_pipe_check_write(active_cred, wpipe->pipe_pair);
if (error) {
pipeunlock(wpipe);
PIPE_UNLOCK(rpipe);
@@ -1252,7 +1252,7 @@ pipe_ioctl(fp, cmd, data, active_cred, td)
PIPE_LOCK(mpipe);
#ifdef MAC
- error = mac_check_pipe_ioctl(active_cred, mpipe->pipe_pair, cmd, data);
+ error = mac_pipe_check_ioctl(active_cred, mpipe->pipe_pair, cmd, data);
if (error) {
PIPE_UNLOCK(mpipe);
return (error);
@@ -1326,7 +1326,7 @@ pipe_poll(fp, events, active_cred, td)
wpipe = rpipe->pipe_peer;
PIPE_LOCK(rpipe);
#ifdef MAC
- error = mac_check_pipe_poll(active_cred, rpipe->pipe_pair);
+ error = mac_pipe_check_poll(active_cred, rpipe->pipe_pair);
if (error)
goto locked_error;
#endif
@@ -1382,7 +1382,7 @@ pipe_stat(fp, ub, active_cred, td)
int error;
PIPE_LOCK(pipe);
- error = mac_check_pipe_stat(active_cred, pipe->pipe_pair);
+ error = mac_pipe_check_stat(active_cred, pipe->pipe_pair);
PIPE_UNLOCK(pipe);
if (error)
return (error);
@@ -1511,7 +1511,7 @@ pipeclose(cpipe)
if (ppipe->pipe_present == 0) {
PIPE_UNLOCK(cpipe);
#ifdef MAC
- mac_destroy_pipe(pp);
+ mac_pipe_destroy(pp);
#endif
uma_zfree(pipe_zone, cpipe->pipe_pair);
} else
diff --git a/sys/kern/sys_socket.c b/sys/kern/sys_socket.c
index 9229658..7e4547c 100644
--- a/sys/kern/sys_socket.c
+++ b/sys/kern/sys_socket.c
@@ -77,7 +77,7 @@ soo_read(struct file *fp, struct uio *uio, struct ucred *active_cred,
int error;
SOCK_LOCK(so);
- error = mac_check_socket_receive(active_cred, so);
+ error = mac_socket_check_receive(active_cred, so);
SOCK_UNLOCK(so);
if (error)
return (error);
@@ -95,7 +95,7 @@ soo_write(struct file *fp, struct uio *uio, struct ucred *active_cred,
#ifdef MAC
SOCK_LOCK(so);
- error = mac_check_socket_send(active_cred, so);
+ error = mac_socket_check_send(active_cred, so);
SOCK_UNLOCK(so);
if (error)
return (error);
@@ -208,7 +208,7 @@ soo_poll(struct file *fp, int events, struct ucred *active_cred,
int error;
SOCK_LOCK(so);
- error = mac_check_socket_poll(active_cred, so);
+ error = mac_socket_check_poll(active_cred, so);
SOCK_UNLOCK(so);
if (error)
return (error);
@@ -229,7 +229,7 @@ soo_stat(struct file *fp, struct stat *ub, struct ucred *active_cred,
ub->st_mode = S_IFSOCK;
#ifdef MAC
SOCK_LOCK(so);
- error = mac_check_socket_stat(active_cred, so);
+ error = mac_socket_check_stat(active_cred, so);
SOCK_UNLOCK(so);
if (error)
return (error);
diff --git a/sys/kern/sysv_msg.c b/sys/kern/sysv_msg.c
index bd5ca90..fe92186 100644
--- a/sys/kern/sysv_msg.c
+++ b/sys/kern/sysv_msg.c
@@ -224,7 +224,7 @@ msginit()
msghdrs[i-1].msg_next = &msghdrs[i];
msghdrs[i].msg_next = NULL;
#ifdef MAC
- mac_init_sysv_msgmsg(&msghdrs[i]);
+ mac_sysvmsg_init(&msghdrs[i]);
#endif
}
free_msghdrs = &msghdrs[0];
@@ -237,7 +237,7 @@ msginit()
msqids[i].u.msg_perm.seq = 0; /* reset to a known value */
msqids[i].u.msg_perm.mode = 0;
#ifdef MAC
- mac_init_sysv_msgqueue(&msqids[i]);
+ mac_sysvmsq_init(&msqids[i]);
#endif
}
mtx_init(&msq_mtx, "msq", NULL, MTX_DEF);
@@ -269,9 +269,9 @@ msgunload()
#ifdef MAC
for (i = 0; i < msginfo.msgtql; i++)
- mac_destroy_sysv_msgmsg(&msghdrs[i]);
+ mac_sysvmsg_destroy(&msghdrs[i]);
for (msqid = 0; msqid < msginfo.msgmni; msqid++)
- mac_destroy_sysv_msgqueue(&msqids[msqid]);
+ mac_sysvmsq_destroy(&msqids[msqid]);
#endif
free(msgpool, M_MSG);
free(msgmaps, M_MSG);
@@ -369,7 +369,7 @@ msg_freehdr(msghdr)
msghdr->msg_next = free_msghdrs;
free_msghdrs = msghdr;
#ifdef MAC
- mac_cleanup_sysv_msgmsg(msghdr);
+ mac_sysvmsg_cleanup(msghdr);
#endif
}
@@ -435,7 +435,7 @@ kern_msgctl(td, msqid, cmd, msqbuf)
goto done2;
}
#ifdef MAC
- error = mac_check_sysv_msqctl(td->td_ucred, msqkptr, cmd);
+ error = mac_sysvmsq_check_msqctl(td->td_ucred, msqkptr, cmd);
if (error != 0)
goto done2;
#endif
@@ -463,7 +463,7 @@ kern_msgctl(td, msqid, cmd, msqbuf)
*/
for (msghdr = msqkptr->u.msg_first; msghdr != NULL;
msghdr = msghdr->msg_next) {
- error = mac_check_sysv_msgrmid(td->td_ucred, msghdr);
+ error = mac_sysvmsq_check_msgrmid(td->td_ucred, msghdr);
if (error != 0)
goto done2;
}
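Review bot: `mac_sysvmsq_check_msgrmid(td->td_ucred, msghdr)` carries the queue object prefix but is called once per queued message with a `msghdr`, while the other per-message entry points in this file use `mac_sysvmsg_` (`mac_sysvmsg_init`, `mac_sysvmsg_cleanup`). That sits oddly with the `mac_<object>_check_<method>` form the commit message sets out. If the name is fixed by the KPI header (not visible here), a one-line comment above the loop would help policy authors: `/* Per-message check: the labeled object is each queued msghdr, not the queue. */`. The rest of kern_msgctl, including any enclosing `#ifdef MAC`, is outside the hunk.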
@@ -490,7 +490,7 @@ kern_msgctl(td, msqid, cmd, msqbuf)
msqkptr->u.msg_qbytes = 0; /* Mark it as free */
#ifdef MAC
- mac_cleanup_sysv_msgqueue(msqkptr);
+ mac_sysvmsq_cleanup(msqkptr);
#endif
wakeup(msqkptr);
@@ -589,7 +589,7 @@ msgget(td, uap)
goto done2;
}
#ifdef MAC
- error = mac_check_sysv_msqget(cred, msqkptr);
+ error = mac_sysvmsq_check_msqget(cred, msqkptr);
if (error != 0)
goto done2;
#endif
@@ -636,7 +636,7 @@ msgget(td, uap)
msqkptr->u.msg_rtime = 0;
msqkptr->u.msg_ctime = time_second;
#ifdef MAC
- mac_create_sysv_msgqueue(cred, msqkptr);
+ mac_sysvmsq_create(cred, msqkptr);
#endif
} else {
DPRINTF(("didn't find it and wasn't asked to create it\n"));
@@ -705,7 +705,7 @@ kern_msgsnd(td, msqid, msgp, msgsz, msgflg, mtype)
}
#ifdef MAC
- error = mac_check_sysv_msqsnd(td->td_ucred, msqkptr);
+ error = mac_sysvmsq_check_msqsnd(td->td_ucred, msqkptr);
if (error != 0)
goto done2;
#endif
@@ -830,11 +830,11 @@ kern_msgsnd(td, msqid, msgp, msgsz, msgflg, mtype)
msghdr->msg_type = mtype;
#ifdef MAC
/*
- * XXXMAC: Should the mac_check_sysv_msgmsq check follow here
+ * XXXMAC: Should the mac_sysvmsq_check_msgmsq check follow here
* immediately? Or, should it be checked just before the msg is
* enqueued in the msgq (as it is done now)?
*/
- mac_create_sysv_msgmsg(td->td_ucred, msqkptr, msghdr);
+ mac_sysvmsg_create(td->td_ucred, msqkptr, msghdr);
#endif
/*
@@ -928,14 +928,14 @@ kern_msgsnd(td, msqid, msgp, msgsz, msgflg, mtype)
* Note: Since the task/thread allocates the msghdr and usually
* primes it with its own MAC label, for a majority of policies, it
* won't be necessary to check whether the msghdr has access
- * permissions to the msgq. The mac_check_sysv_msqsnd check would
+ * permissions to the msgq. The mac_sysvmsq_check_msqsnd check would
* suffice in that case. However, this hook may be required where
* individual policies derive a non-identical label for the msghdr
* from the current thread label and may want to check the msghdr
* enqueue permissions, along with read/write permissions to the
* msgq.
*/
- error = mac_check_sysv_msgmsq(td->td_ucred, msghdr, msqkptr);
+ error = mac_sysvmsq_check_msgmsq(td->td_ucred, msghdr, msqkptr);
if (error != 0) {
msg_freehdr(msghdr);
wakeup(msqkptr);
@@ -1042,7 +1042,7 @@ kern_msgrcv(td, msqid, msgp, msgsz, msgtyp, msgflg, mtype)
}
#ifdef MAC
- error = mac_check_sysv_msqrcv(td->td_ucred, msqkptr);
+ error = mac_sysvmsq_check_msqrcv(td->td_ucred, msqkptr);
if (error != 0)
goto done2;
#endif
@@ -1061,7 +1061,7 @@ kern_msgrcv(td, msqid, msgp, msgsz, msgtyp, msgflg, mtype)
goto done2;
}
#ifdef MAC
- error = mac_check_sysv_msgrcv(td->td_ucred,
+ error = mac_sysvmsq_check_msgrcv(td->td_ucred,
msghdr);
if (error != 0)
goto done2;
@@ -1106,7 +1106,7 @@ kern_msgrcv(td, msqid, msgp, msgsz, msgtyp, msgflg, mtype)
goto done2;
}
#ifdef MAC
- error = mac_check_sysv_msgrcv(
+ error = mac_sysvmsq_check_msgrcv(
td->td_ucred, msghdr);
if (error != 0)
goto done2;
diff --git a/sys/kern/sysv_sem.c b/sys/kern/sysv_sem.c
index 48548a2..bea7832 100644
--- a/sys/kern/sysv_sem.c
+++ b/sys/kern/sysv_sem.c
@@ -245,7 +245,7 @@ seminit(void)
sema[i].u.sem_perm.mode = 0;
sema[i].u.sem_perm.seq = 0;
#ifdef MAC
- mac_init_sysv_sem(&sema[i]);
+ mac_sysvsem_init(&sema[i]);
#endif
}
for (i = 0; i < seminfo.semmni; i++)
@@ -271,7 +271,7 @@ semunload(void)
EVENTHANDLER_DEREGISTER(process_exit, semexit_tag);
#ifdef MAC
for (i = 0; i < seminfo.semmni; i++)
- mac_destroy_sysv_sem(&sema[i]);
+ mac_sysvsem_destroy(&sema[i]);
#endif
free(sem, M_SEM);
free(sema, M_SEM);
@@ -639,7 +639,7 @@ kern_semctl(struct thread *td, int semid, int semnum, int cmd,
if ((error = ipcperm(td, &semakptr->u.sem_perm, IPC_R)))
goto done2;
#ifdef MAC
- error = mac_check_sysv_semctl(cred, semakptr, cmd);
+ error = mac_sysvsem_check_semctl(cred, semakptr, cmd);
if (error != 0)
goto done2;
#endif
@@ -657,7 +657,7 @@ kern_semctl(struct thread *td, int semid, int semnum, int cmd,
sema_mtxp = &sema_mtx[semidx];
mtx_lock(sema_mtxp);
#ifdef MAC
- error = mac_check_sysv_semctl(cred, semakptr, cmd);
+ error = mac_sysvsem_check_semctl(cred, semakptr, cmd);
if (error != 0)
goto done2;
#endif
@@ -683,7 +683,7 @@ kern_semctl(struct thread *td, int semid, int semnum, int cmd,
}
semakptr->u.sem_perm.mode = 0;
#ifdef MAC
- mac_cleanup_sysv_sem(semakptr);
+ mac_sysvsem_cleanup(semakptr);
#endif
SEMUNDO_LOCK();
semundo_clear(semidx, -1);
@@ -906,7 +906,7 @@ semget(td, uap)
goto done2;
}
#ifdef MAC
- error = mac_check_sysv_semget(cred, &sema[semid]);
+ error = mac_sysvsem_check_semget(cred, &sema[semid]);
if (error != 0)
goto done2;
#endif
@@ -955,7 +955,7 @@ semget(td, uap)
bzero(sema[semid].u.sem_base,
sizeof(sema[semid].u.sem_base[0])*nsems);
#ifdef MAC
- mac_create_sysv_sem(cred, &sema[semid]);
+ mac_sysvsem_create(cred, &sema[semid]);
#endif
DPRINTF(("sembase = %p, next = %p\n",
sema[semid].u.sem_base, &sem[semtot]));
@@ -1063,7 +1063,7 @@ semop(td, uap)
goto done2;
}
#ifdef MAC
- error = mac_check_sysv_semop(td->td_ucred, semakptr, j);
+ error = mac_sysvsem_check_semop(td->td_ucred, semakptr, j);
if (error != 0)
goto done2;
#endif
diff --git a/sys/kern/sysv_shm.c b/sys/kern/sysv_shm.c
index 574c3de..57b6c5e 100644
--- a/sys/kern/sysv_shm.c
+++ b/sys/kern/sysv_shm.c
@@ -255,7 +255,7 @@ shm_deallocate_segment(shmseg)
shm_nused--;
shmseg->u.shm_perm.mode = SHMSEG_FREE;
#ifdef MAC
- mac_cleanup_sysv_shm(shmseg);
+ mac_sysvshm_cleanup(shmseg);
#endif
}
@@ -322,7 +322,7 @@ shmdt(td, uap)
}
#ifdef MAC
shmsegptr = &shmsegs[IPCID_TO_IX(shmmap_s->shmid)];
- error = mac_check_sysv_shmdt(td->td_ucred, shmsegptr);
+ error = mac_sysvshm_check_shmdt(td->td_ucred, shmsegptr);
if (error != 0)
goto done2;
#endif
@@ -377,7 +377,7 @@ kern_shmat(td, shmid, shmaddr, shmflg)
if (error)
goto done2;
#ifdef MAC
- error = mac_check_sysv_shmat(td->td_ucred, shmseg, shmflg);
+ error = mac_sysvshm_check_shmat(td->td_ucred, shmseg, shmflg);
if (error != 0)
goto done2;
#endif
@@ -492,7 +492,7 @@ oshmctl(td, uap)
if (error)
goto done2;
#ifdef MAC
- error = mac_check_sysv_shmctl(td->td_ucred, shmseg, uap->cmd);
+ error = mac_sysvshm_check_shmctl(td->td_ucred, shmseg, uap->cmd);
if (error != 0)
goto done2;
#endif
@@ -575,7 +575,7 @@ kern_shmctl(td, shmid, cmd, buf, bufsz)
goto done2;
}
#ifdef MAC
- error = mac_check_sysv_shmctl(td->td_ucred, shmseg, cmd);
+ error = mac_sysvshm_check_shmctl(td->td_ucred, shmseg, cmd);
if (error != 0)
goto done2;
#endif
@@ -701,7 +701,7 @@ shmget_existing(td, uap, mode, segnum)
if ((uap->shmflg & (IPC_CREAT | IPC_EXCL)) == (IPC_CREAT | IPC_EXCL))
return (EEXIST);
#ifdef MAC
- error = mac_check_sysv_shmget(td->td_ucred, shmseg, uap->shmflg);
+ error = mac_sysvshm_check_shmget(td->td_ucred, shmseg, uap->shmflg);
if (error != 0)
return (error);
#endif
@@ -779,7 +779,7 @@ shmget_allocate_segment(td, uap, mode)
shmseg->u.shm_lpid = shmseg->u.shm_nattch = 0;
shmseg->u.shm_atime = shmseg->u.shm_dtime = 0;
#ifdef MAC
- mac_create_sysv_shm(cred, shmseg);
+ mac_sysvshm_create(cred, shmseg);
#endif
shmseg->u.shm_ctime = time_second;
shm_committed += btoc(size);
@@ -911,7 +911,7 @@ shmrealloc(void)
shmsegs[i].u.shm_perm.mode = SHMSEG_FREE;
shmsegs[i].u.shm_perm.seq = 0;
#ifdef MAC
- mac_init_sysv_shm(&shmsegs[i]);
+ mac_sysvshm_init(&shmsegs[i]);
#endif
}
free(shmsegs, M_SHM);
@@ -943,7 +943,7 @@ shminit()
shmsegs[i].u.shm_perm.mode = SHMSEG_FREE;
shmsegs[i].u.shm_perm.seq = 0;
#ifdef MAC
- mac_init_sysv_shm(&shmsegs[i]);
+ mac_sysvshm_init(&shmsegs[i]);
#endif
}
shm_last_free = 0;
@@ -965,7 +965,7 @@ shmunload()
#ifdef MAC
for (i = 0; i < shmalloced; i++)
- mac_destroy_sysv_shm(&shmsegs[i]);
+ mac_sysvshm_destroy(&shmsegs[i]);
#endif
free(shmsegs, M_SHM);
shmexit_hook = NULL;
diff --git a/sys/kern/uipc_mbuf2.c b/sys/kern/uipc_mbuf2.c
index c8363f8..6fe83b0 100644
--- a/sys/kern/uipc_mbuf2.c
+++ b/sys/kern/uipc_mbuf2.c
@@ -309,7 +309,7 @@ m_tag_free_default(struct m_tag *t)
{
#ifdef MAC
if (t->m_tag_id == PACKET_TAG_MACLABEL)
- mac_destroy_mbuf_tag(t);
+ mac_mbuf_tag_destroy(t);
#endif
free(t, M_PACKET_TAGS);
}
@@ -413,11 +413,11 @@ m_tag_copy(struct m_tag *t, int how)
* special from the mbuf code?
*/
if (t->m_tag_id == PACKET_TAG_MACLABEL) {
- if (mac_init_mbuf_tag(p, how) != 0) {
+ if (mac_mbuf_tag_init(p, how) != 0) {
m_tag_free(p);
return (NULL);
}
- mac_copy_mbuf_tag(t, p);
+ mac_mbuf_tag_copy(t, p);
} else
#endif
bcopy(t + 1, p + 1, t->m_tag_len); /* Copy the data */
diff --git a/sys/kern/uipc_sem.c b/sys/kern/uipc_sem.c
index c9903aa..588d6bf 100644
--- a/sys/kern/uipc_sem.c
+++ b/sys/kern/uipc_sem.c
@@ -215,8 +215,8 @@ sem_create(struct thread *td, const char *name, struct ksem **ksret,
cv_init(&ret->ks_cv, "sem");
LIST_INIT(&ret->ks_users);
#ifdef MAC
- mac_init_posix_sem(ret);
- mac_create_posix_sem(uc, ret);
+ mac_posixsem_init(ret);
+ mac_posixsem_create(uc, ret);
#endif
if (name != NULL)
sem_enter(td->td_proc, ret);
@@ -381,7 +381,7 @@ kern_sem_open(struct thread *td, int dir, const char *name, int oflag,
}
} else {
#ifdef MAC
- error = mac_check_posix_sem_open(td->td_ucred, ks);
+ error = mac_posixsem_check_open(td->td_ucred, ks);
if (error)
goto err_open;
#endif
@@ -540,7 +540,7 @@ kern_sem_unlink(struct thread *td, const char *name)
ks = sem_lookup_byname(name);
if (ks != NULL) {
#ifdef MAC
- error = mac_check_posix_sem_unlink(td->td_ucred, ks);
+ error = mac_posixsem_check_unlink(td->td_ucred, ks);
if (error) {
mtx_unlock(&sem_lock);
return (error);
@@ -614,7 +614,7 @@ kern_sem_post(struct thread *td, semid_t id)
goto err;
}
#ifdef MAC
- error = mac_check_posix_sem_post(td->td_ucred, ks);
+ error = mac_posixsem_check_post(td->td_ucred, ks);
if (error)
goto err;
#endif
@@ -709,7 +709,7 @@ kern_sem_wait(struct thread *td, semid_t id, int tryflag,
goto err;
}
#ifdef MAC
- error = mac_check_posix_sem_wait(td->td_ucred, ks);
+ error = mac_posixsem_check_wait(td->td_ucred, ks);
if (error) {
DP(("kern_sem_wait mac failed\n"));
goto err;
@@ -772,7 +772,7 @@ ksem_getvalue(struct thread *td, struct ksem_getvalue_args *uap)
return (EINVAL);
}
#ifdef MAC
- error = mac_check_posix_sem_getvalue(td->td_ucred, ks);
+ error = mac_posixsem_check_getvalue(td->td_ucred, ks);
if (error) {
mtx_unlock(&sem_lock);
return (error);
@@ -804,7 +804,7 @@ ksem_destroy(struct thread *td, struct ksem_destroy_args *uap)
goto err;
}
#ifdef MAC
- error = mac_check_posix_sem_destroy(td->td_ucred, ks);
+ error = mac_posixsem_check_destroy(td->td_ucred, ks);
if (error)
goto err;
#endif
diff --git a/sys/kern/uipc_socket.c b/sys/kern/uipc_socket.c
index e2cf09b..d89b435 100644
--- a/sys/kern/uipc_socket.c
+++ b/sys/kern/uipc_socket.c
@@ -267,7 +267,7 @@ soalloc(void)
if (so == NULL)
return (NULL);
#ifdef MAC
- if (mac_init_socket(so, M_NOWAIT) != 0) {
+ if (mac_socket_init(so, M_NOWAIT) != 0) {
uma_zfree(socket_zone, so);
return (NULL);
}
@@ -312,7 +312,7 @@ sodealloc(struct socket *so)
do_setopt_accept_filter(so, NULL);
#endif
#ifdef MAC
- mac_destroy_socket(so);
+ mac_socket_destroy(so);
#endif
crfree(so->so_cred);
sx_destroy(&so->so_snd.sb_sx);
@@ -362,7 +362,7 @@ socreate(int dom, struct socket **aso, int type, int proto,
so->so_cred = crhold(cred);
so->so_proto = prp;
#ifdef MAC
- mac_create_socket(cred, so);
+ mac_socket_create(cred, so);
#endif
knlist_init(&so->so_rcv.sb_sel.si_note, SOCKBUF_MTX(&so->so_rcv),
NULL, NULL, NULL);
@@ -429,7 +429,7 @@ sonewconn(struct socket *head, int connstatus)
so->so_cred = crhold(head->so_cred);
#ifdef MAC
SOCK_LOCK(head);
- mac_create_socket_from_socket(head, so);
+ mac_socket_newconn(head, so);
SOCK_UNLOCK(head);
#endif
knlist_init(&so->so_rcv.sb_sel.si_note, SOCKBUF_MTX(&so->so_rcv),
diff --git a/sys/kern/uipc_syscalls.c b/sys/kern/uipc_syscalls.c
index 2821a5e..faf7f24 100644
--- a/sys/kern/uipc_syscalls.c
+++ b/sys/kern/uipc_syscalls.c
@@ -165,7 +165,7 @@ socket(td, uap)
int fd, error;
#ifdef MAC
- error = mac_check_socket_create(td->td_ucred, uap->domain, uap->type,
+ error = mac_socket_check_create(td->td_ucred, uap->domain, uap->type,
uap->protocol);
if (error)
return (error);
@@ -229,7 +229,7 @@ kern_bind(td, fd, sa)
so = fp->f_data;
#ifdef MAC
SOCK_LOCK(so);
- error = mac_check_socket_bind(td->td_ucred, so, sa);
+ error = mac_socket_check_bind(td->td_ucred, so, sa);
SOCK_UNLOCK(so);
if (error)
goto done;
@@ -260,7 +260,7 @@ listen(td, uap)
so = fp->f_data;
#ifdef MAC
SOCK_LOCK(so);
- error = mac_check_socket_listen(td->td_ucred, so);
+ error = mac_socket_check_listen(td->td_ucred, so);
SOCK_UNLOCK(so);
if (error)
goto done;
@@ -360,7 +360,7 @@ kern_accept(struct thread *td, int s, struct sockaddr **name,
}
#ifdef MAC
SOCK_LOCK(head);
- error = mac_check_socket_accept(td->td_ucred, head);
+ error = mac_socket_check_accept(td->td_ucred, head);
SOCK_UNLOCK(head);
if (error != 0)
goto done;
@@ -550,7 +550,7 @@ kern_connect(td, fd, sa)
}
#ifdef MAC
SOCK_LOCK(so);
- error = mac_check_socket_connect(td->td_ucred, so, sa);
+ error = mac_socket_check_connect(td->td_ucred, so, sa);
SOCK_UNLOCK(so);
if (error)
goto bad;
@@ -604,7 +604,7 @@ socketpair(td, uap)
#ifdef MAC
/* We might want to have a separate check for socket pairs. */
- error = mac_check_socket_create(td->td_ucred, uap->domain, uap->type,
+ error = mac_socket_check_create(td->td_ucred, uap->domain, uap->type,
uap->protocol);
if (error)
return (error);
@@ -761,7 +761,7 @@ kern_sendit(td, s, mp, flags, control, segflg)
#ifdef MAC
SOCK_LOCK(so);
- error = mac_check_socket_send(td->td_ucred, so);
+ error = mac_socket_check_send(td->td_ucred, so);
SOCK_UNLOCK(so);
if (error)
goto bad;
@@ -956,7 +956,7 @@ kern_recvit(td, s, mp, fromseg, controlp)
#ifdef MAC
SOCK_LOCK(so);
- error = mac_check_socket_receive(td->td_ucred, so);
+ error = mac_socket_check_receive(td->td_ucred, so);
SOCK_UNLOCK(so);
if (error) {
fdrop(fp, td);
@@ -1849,7 +1849,7 @@ kern_sendfile(struct thread *td, struct sendfile_args *uap,
#ifdef MAC
SOCK_LOCK(so);
- error = mac_check_socket_send(td->td_ucred, so);
+ error = mac_socket_check_send(td->td_ucred, so);
SOCK_UNLOCK(so);
if (error)
goto out;
@@ -2354,7 +2354,7 @@ sctp_generic_sendmsg (td, uap)
so = (struct socket *)fp->f_data;
#ifdef MAC
SOCK_LOCK(so);
- error = mac_check_socket_send(td->td_ucred, so);
+ error = mac_socket_check_send(td->td_ucred, so);
SOCK_UNLOCK(so);
if (error)
goto sctp_bad;
@@ -2454,7 +2454,7 @@ sctp_generic_sendmsg_iov(td, uap)
so = (struct socket *)fp->f_data;
#ifdef MAC
SOCK_LOCK(so);
- error = mac_check_socket_send(td->td_ucred, so);
+ error = mac_socket_check_send(td->td_ucred, so);
SOCK_UNLOCK(so);
if (error)
goto sctp_bad;
@@ -2551,7 +2551,7 @@ sctp_generic_recvmsg(td, uap)
so = fp->f_data;
#ifdef MAC
SOCK_LOCK(so);
- error = mac_check_socket_receive(td->td_ucred, so);
+ error = mac_socket_check_receive(td->td_ucred, so);
SOCK_UNLOCK(so);
if (error) {
goto out;
diff --git a/sys/kern/uipc_usrreq.c b/sys/kern/uipc_usrreq.c
index 682496e..9fea71b4 100644
--- a/sys/kern/uipc_usrreq.c
+++ b/sys/kern/uipc_usrreq.c
@@ -449,7 +449,7 @@ restart:
vattr.va_type = VSOCK;
vattr.va_mode = (ACCESSPERMS & ~td->td_proc->p_fd->fd_cmask);
#ifdef MAC
- error = mac_check_vnode_create(td->td_ucred, nd.ni_dvp, &nd.ni_cnd,
+ error = mac_vnode_check_create(td->td_ucred, nd.ni_dvp, &nd.ni_cnd,
&vattr);
#endif
if (error == 0) {
@@ -1159,7 +1159,7 @@ unp_connect(struct socket *so, struct sockaddr *nam, struct thread *td)
goto bad;
}
#ifdef MAC
- error = mac_check_vnode_open(td->td_ucred, vp, VWRITE | VREAD);
+ error = mac_vnode_check_open(td->td_ucred, vp, VWRITE | VREAD);
if (error)
goto bad;
#endif
@@ -1236,8 +1236,8 @@ unp_connect(struct socket *so, struct sockaddr *nam, struct thread *td)
UNP_PCB_UNLOCK(unp);
#ifdef MAC
SOCK_LOCK(so);
- mac_set_socket_peer_from_socket(so, so3);
- mac_set_socket_peer_from_socket(so3, so);
+ mac_socketpeer_set_from_socket(so, so3);
+ mac_socketpeer_set_from_socket(so3, so);
SOCK_UNLOCK(so);
#endif
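Review bot: Only `so` is locked around the two `mac_socketpeer_set_from_socket()` calls, yet the arguments are swapped between them, so whichever argument is the destination, one call updates state belonging to `so3` with no `SOCK_LOCK(so3)` in sight. Whether another lock still covers `so3` here cannot be seen from the hunk; the line before the block is `UNP_PCB_UNLOCK(unp)`. A comment naming what protects the second socket, e.g. `/* so3 peer label protected by <lock held here> */`, would let a reader verify the label update is not racing. unp_connect starts and ends outside the hunk.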
diff --git a/sys/kern/vfs_acl.c b/sys/kern/vfs_acl.c
index c2456be..ea33f66 100644
--- a/sys/kern/vfs_acl.c
+++ b/sys/kern/vfs_acl.c
@@ -93,7 +93,7 @@ vacl_set_acl(struct thread *td, struct vnode *vp, acl_type_t type,
VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE);
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
#ifdef MAC
- error = mac_check_vnode_setacl(td->td_ucred, vp, type, &inkernacl);
+ error = mac_vnode_check_setacl(td->td_ucred, vp, type, &inkernacl);
if (error != 0)
goto out;
#endif
@@ -119,7 +119,7 @@ vacl_get_acl(struct thread *td, struct vnode *vp, acl_type_t type,
VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE);
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
#ifdef MAC
- error = mac_check_vnode_getacl(td->td_ucred, vp, type);
+ error = mac_vnode_check_getacl(td->td_ucred, vp, type);
if (error != 0)
goto out;
#endif
@@ -148,7 +148,7 @@ vacl_delete(struct thread *td, struct vnode *vp, acl_type_t type)
VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE);
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
#ifdef MAC
- error = mac_check_vnode_deleteacl(td->td_ucred, vp, type);
+ error = mac_vnode_check_deleteacl(td->td_ucred, vp, type);
if (error)
goto out;
#endif
diff --git a/sys/kern/vfs_extattr.c b/sys/kern/vfs_extattr.c
index 48bfd66..0d414f8 100644
--- a/sys/kern/vfs_extattr.c
+++ b/sys/kern/vfs_extattr.c
@@ -180,7 +180,7 @@ extattr_set_vp(struct vnode *vp, int attrnamespace, const char *attrname,
cnt = nbytes;
#ifdef MAC
- error = mac_check_vnode_setextattr(td->td_ucred, vp, attrnamespace,
+ error = mac_vnode_check_setextattr(td->td_ucred, vp, attrnamespace,
attrname, &auio);
if (error)
goto done;
@@ -358,7 +358,7 @@ extattr_get_vp(struct vnode *vp, int attrnamespace, const char *attrname,
sizep = &size;
#ifdef MAC
- error = mac_check_vnode_getextattr(td->td_ucred, vp, attrnamespace,
+ error = mac_vnode_check_getextattr(td->td_ucred, vp, attrnamespace,
attrname, &auio);
if (error)
goto done;
@@ -512,7 +512,7 @@ extattr_delete_vp(struct vnode *vp, int attrnamespace, const char *attrname,
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
#ifdef MAC
- error = mac_check_vnode_deleteextattr(td->td_ucred, vp, attrnamespace,
+ error = mac_vnode_check_deleteextattr(td->td_ucred, vp, attrnamespace,
attrname);
if (error)
goto done;
@@ -676,7 +676,7 @@ extattr_list_vp(struct vnode *vp, int attrnamespace, void *data,
sizep = &size;
#ifdef MAC
- error = mac_check_vnode_listextattr(td->td_ucred, vp, attrnamespace);
+ error = mac_vnode_check_listextattr(td->td_ucred, vp, attrnamespace);
if (error)
goto done;
#endif
diff --git a/sys/kern/vfs_lookup.c b/sys/kern/vfs_lookup.c
index 6349c36..0841fd3 100644
--- a/sys/kern/vfs_lookup.c
+++ b/sys/kern/vfs_lookup.c
@@ -252,7 +252,7 @@ namei(struct nameidata *ndp)
}
#ifdef MAC
if ((cnp->cn_flags & NOMACCHECK) == 0) {
- error = mac_check_vnode_readlink(td->td_ucred,
+ error = mac_vnode_check_readlink(td->td_ucred,
ndp->ni_vp);
if (error)
break;
@@ -556,7 +556,7 @@ dirloop:
unionlookup:
#ifdef MAC
if ((cnp->cn_flags & NOMACCHECK) == 0) {
- error = mac_check_vnode_lookup(td->td_ucred, dp, cnp);
+ error = mac_vnode_check_lookup(td->td_ucred, dp, cnp);
if (error)
goto bad;
}
diff --git a/sys/kern/vfs_mount.c b/sys/kern/vfs_mount.c
index a109a3b..e8fbd50 100644
--- a/sys/kern/vfs_mount.c
+++ b/sys/kern/vfs_mount.c
@@ -488,8 +488,8 @@ vfs_mount_alloc(struct vnode *vp, struct vfsconf *vfsp,
strlcpy(mp->mnt_stat.f_mntonname, fspath, MNAMELEN);
mp->mnt_iosize_max = DFLTPHYS;
#ifdef MAC
- mac_init_mount(mp);
- mac_create_mount(td->td_ucred, mp);
+ mac_mount_init(mp);
+ mac_mount_create(td->td_ucred, mp);
#endif
arc4rand(&mp->mnt_hashseed, sizeof mp->mnt_hashseed, 0);
return (mp);
@@ -567,7 +567,7 @@ vfs_mount_destroy(struct mount *mp)
mp->mnt_secondary_writes = -1000;
MNT_IUNLOCK(mp);
#ifdef MAC
- mac_destroy_mount(mp);
+ mac_mount_destroy(mp);
#endif
if (mp->mnt_opt != NULL)
vfs_freeopts(mp->mnt_opt);
diff --git a/sys/kern/vfs_subr.c b/sys/kern/vfs_subr.c
index fce5beb..8dca49b 100644
--- a/sys/kern/vfs_subr.c
+++ b/sys/kern/vfs_subr.c
@@ -811,7 +811,7 @@ vdestroy(struct vnode *vp)
VNASSERT(LIST_EMPTY(&vp->v_cache_src), vp, ("vp has namecache src"));
VI_UNLOCK(vp);
#ifdef MAC
- mac_destroy_vnode(vp);
+ mac_vnode_destroy(vp);
#endif
if (vp->v_pollinfo != NULL) {
knlist_destroy(&vp->v_pollinfo->vpi_selinfo.si_note);
@@ -955,9 +955,9 @@ alloc:
v_incr_usecount(vp);
vp->v_data = 0;
#ifdef MAC
- mac_init_vnode(vp);
+ mac_vnode_init(vp);
if (mp != NULL && (mp->mnt_flag & MNT_MULTILABEL) == 0)
- mac_associate_vnode_singlelabel(mp, vp);
+ mac_vnode_associate_singlelabel(mp, vp);
else if (mp == NULL)
printf("NULL mp in getnewvnode()\n");
#endif
diff --git a/sys/kern/vfs_syscalls.c b/sys/kern/vfs_syscalls.c
index 07a8de1..20d722e 100644
--- a/sys/kern/vfs_syscalls.c
+++ b/sys/kern/vfs_syscalls.c
@@ -293,7 +293,7 @@ kern_statfs(struct thread *td, char *path, enum uio_seg pathseg,
NDFREE(&nd, NDF_ONLY_PNBUF);
vput(nd.ni_vp);
#ifdef MAC
- error = mac_check_mount_stat(td->td_ucred, mp);
+ error = mac_mount_check_stat(td->td_ucred, mp);
if (error)
goto out;
#endif
@@ -378,7 +378,7 @@ kern_fstatfs(struct thread *td, int fd, struct statfs *buf)
goto out;
}
#ifdef MAC
- error = mac_check_mount_stat(td->td_ucred, mp);
+ error = mac_mount_check_stat(td->td_ucred, mp);
if (error)
goto out;
#endif
@@ -470,7 +470,7 @@ kern_getfsstat(struct thread *td, struct statfs **buf, size_t bufsize,
continue;
}
#ifdef MAC
- if (mac_check_mount_stat(td->td_ucred, mp) != 0) {
+ if (mac_mount_check_stat(td->td_ucred, mp) != 0) {
nmp = TAILQ_NEXT(mp, mnt_list);
continue;
}
@@ -891,7 +891,7 @@ chroot(td, uap)
if ((error = change_dir(nd.ni_vp, td)) != 0)
goto e_vunlock;
#ifdef MAC
- if ((error = mac_check_vnode_chroot(td->td_ucred, nd.ni_vp)))
+ if ((error = mac_vnode_check_chroot(td->td_ucred, nd.ni_vp)))
goto e_vunlock;
#endif
VOP_UNLOCK(nd.ni_vp, 0, td);
@@ -923,7 +923,7 @@ change_dir(vp, td)
if (vp->v_type != VDIR)
return (ENOTDIR);
#ifdef MAC
- error = mac_check_vnode_chdir(td->td_ucred, vp);
+ error = mac_vnode_check_chdir(td->td_ucred, vp);
if (error)
return (error);
#endif
@@ -933,8 +933,8 @@ change_dir(vp, td)
/*
* Common routine for kern_chroot() and jail_attach(). The caller is
- * responsible for invoking priv_check() and mac_check_chroot() to authorize
- * this operation.
+ * responsible for invoking priv_check() and mac_vnode_check_chroot() to
+ * authorize this operation.
*/
int
change_root(vp, td)
@@ -1103,7 +1103,7 @@ kern_open(struct thread *td, char *path, enum uio_seg pathseg, int flags,
vat.va_size = 0;
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
#ifdef MAC
- error = mac_check_vnode_write(td->td_ucred, fp->f_cred, vp);
+ error = mac_vnode_check_write(td->td_ucred, fp->f_cred, vp);
if (error == 0)
#endif
error = VOP_SETATTR(vp, &vat, td->td_ucred, td);
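Review bot: The MAC verdict reaches `VOP_SETATTR()` only through an unbraced `if (error == 0)` left open at `#endif`, so the guarded statement is whatever comes first after the preprocessor block; a line later inserted between `#endif` and the call would take the guard and let the attribute change run regardless of `mac_vnode_check_write()`. The same construct appears in the kern_link, setfflags, setfmode, setfown, vn_read, vn_write and vn_poll hunks, and in the three bpf tap hunks where it guards `catchpacket()`. Where `error` is already zero in both builds at this point (not visible here), moving `if (error == 0)` below `#endif`, as the first uipc_usrreq.c hunk does, removes the hazard. Otherwise a comment such as `/* guards the statement after #endif; keep adjacent */` at least records it. kern_open starts and ends outside the hunk.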
@@ -1258,7 +1258,7 @@ restart:
}
#ifdef MAC
if (error == 0 && !whiteout)
- error = mac_check_vnode_create(td->td_ucred, nd.ni_dvp,
+ error = mac_vnode_check_create(td->td_ucred, nd.ni_dvp,
&nd.ni_cnd, &vattr);
#endif
if (!error) {
@@ -1341,7 +1341,7 @@ restart:
vattr.va_mode = (mode & ALLPERMS) & ~td->td_proc->p_fd->fd_cmask;
FILEDESC_SUNLOCK(td->td_proc->p_fd);
#ifdef MAC
- error = mac_check_vnode_create(td->td_ucred, nd.ni_dvp, &nd.ni_cnd,
+ error = mac_vnode_check_create(td->td_ucred, nd.ni_dvp, &nd.ni_cnd,
&vattr);
if (error)
goto out;
@@ -1467,7 +1467,7 @@ kern_link(struct thread *td, char *path, char *link, enum uio_seg segflg)
error = can_hardlink(vp, td, td->td_ucred);
if (error == 0)
#ifdef MAC
- error = mac_check_vnode_link(td->td_ucred,
+ error = mac_vnode_check_link(td->td_ucred,
nd.ni_dvp, vp, &nd.ni_cnd);
if (error == 0)
#endif
@@ -1555,7 +1555,7 @@ restart:
FILEDESC_SUNLOCK(td->td_proc->p_fd);
#ifdef MAC
vattr.va_type = VLNK;
- error = mac_check_vnode_create(td->td_ucred, nd.ni_dvp, &nd.ni_cnd,
+ error = mac_vnode_check_create(td->td_ucred, nd.ni_dvp, &nd.ni_cnd,
&vattr);
if (error)
goto out2;
@@ -1693,7 +1693,7 @@ restart:
goto restart;
}
#ifdef MAC
- error = mac_check_vnode_unlink(td->td_ucred, nd.ni_dvp, vp,
+ error = mac_vnode_check_unlink(td->td_ucred, nd.ni_dvp, vp,
&nd.ni_cnd);
if (error)
goto out;
@@ -1872,7 +1872,7 @@ vn_access(vp, user_flags, cred, td)
if (user_flags & X_OK)
flags |= VEXEC;
#ifdef MAC
- error = mac_check_vnode_access(cred, vp, flags);
+ error = mac_vnode_check_access(cred, vp, flags);
if (error)
return (error);
#endif
@@ -2341,7 +2341,7 @@ kern_readlink(struct thread *td, char *path, enum uio_seg pathseg, char *buf,
vfslocked = NDHASGIANT(&nd);
vp = nd.ni_vp;
#ifdef MAC
- error = mac_check_vnode_readlink(td->td_ucred, vp);
+ error = mac_vnode_check_readlink(td->td_ucred, vp);
if (error) {
vput(vp);
VFS_UNLOCK_GIANT(vfslocked);
@@ -2400,7 +2400,7 @@ setfflags(td, vp, flags)
VATTR_NULL(&vattr);
vattr.va_flags = flags;
#ifdef MAC
- error = mac_check_vnode_setflags(td->td_ucred, vp, vattr.va_flags);
+ error = mac_vnode_check_setflags(td->td_ucred, vp, vattr.va_flags);
if (error == 0)
#endif
error = VOP_SETATTR(vp, &vattr, td->td_ucred, td);
@@ -2528,7 +2528,7 @@ setfmode(td, vp, mode)
VATTR_NULL(&vattr);
vattr.va_mode = mode & ALLPERMS;
#ifdef MAC
- error = mac_check_vnode_setmode(td->td_ucred, vp, vattr.va_mode);
+ error = mac_vnode_check_setmode(td->td_ucred, vp, vattr.va_mode);
if (error == 0)
#endif
error = VOP_SETATTR(vp, &vattr, td->td_ucred, td);
@@ -2670,7 +2670,7 @@ setfown(td, vp, uid, gid)
vattr.va_uid = uid;
vattr.va_gid = gid;
#ifdef MAC
- error = mac_check_vnode_setowner(td->td_ucred, vp, vattr.va_uid,
+ error = mac_vnode_check_setowner(td->td_ucred, vp, vattr.va_uid,
vattr.va_gid);
if (error == 0)
#endif
@@ -2873,7 +2873,7 @@ setutimes(td, vp, ts, numtimes, nullflag)
if (nullflag)
vattr.va_vaflags |= VA_UTIMES_NULL;
#ifdef MAC
- error = mac_check_vnode_setutimes(td->td_ucred, vp, vattr.va_atime,
+ error = mac_vnode_check_setutimes(td->td_ucred, vp, vattr.va_atime,
vattr.va_mtime);
#endif
if (error == 0)
@@ -3069,7 +3069,7 @@ kern_truncate(struct thread *td, char *path, enum uio_seg pathseg, off_t length)
if (vp->v_type == VDIR)
error = EISDIR;
#ifdef MAC
- else if ((error = mac_check_vnode_write(td->td_ucred, NOCRED, vp))) {
+ else if ((error = mac_vnode_check_write(td->td_ucred, NOCRED, vp))) {
}
#endif
else if ((error = vn_writechk(vp)) == 0 &&
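Review bot: The `else if ((error = mac_vnode_check_write(...))) { }` arm has an empty body whose only effect is to end the chain once the MAC check has set `error`, which reads like a forgotten handler. A comment inside the braces, e.g. `/* denied by MAC: error is set, skip the remaining arms */`, would make the intent explicit to anyone editing the chain later. The ftruncate hunk has the same arm, and the if/else chain here continues outside the hunk.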
@@ -3129,7 +3129,7 @@ ftruncate(td, uap)
if (vp->v_type == VDIR)
error = EISDIR;
#ifdef MAC
- else if ((error = mac_check_vnode_write(td->td_ucred, fp->f_cred,
+ else if ((error = mac_vnode_check_write(td->td_ucred, fp->f_cred,
vp))) {
}
#endif
@@ -3315,7 +3315,7 @@ kern_rename(struct thread *td, char *from, char *to, enum uio_seg pathseg)
fvfslocked = NDHASGIANT(&fromnd);
tvfslocked = 0;
#ifdef MAC
- error = mac_check_vnode_rename_from(td->td_ucred, fromnd.ni_dvp,
+ error = mac_vnode_check_rename_from(td->td_ucred, fromnd.ni_dvp,
fromnd.ni_vp, &fromnd.ni_cnd);
VOP_UNLOCK(fromnd.ni_dvp, 0, td);
if (fromnd.ni_dvp != fromnd.ni_vp)
@@ -3366,7 +3366,7 @@ kern_rename(struct thread *td, char *from, char *to, enum uio_seg pathseg)
error = -1;
#ifdef MAC
else
- error = mac_check_vnode_rename_to(td->td_ucred, tdvp,
+ error = mac_vnode_check_rename_to(td->td_ucred, tdvp,
tond.ni_vp, fromnd.ni_dvp == tdvp, &tond.ni_cnd);
#endif
out:
@@ -3476,7 +3476,7 @@ restart:
vattr.va_mode = (mode & ACCESSPERMS) &~ td->td_proc->p_fd->fd_cmask;
FILEDESC_SUNLOCK(td->td_proc->p_fd);
#ifdef MAC
- error = mac_check_vnode_create(td->td_ucred, nd.ni_dvp, &nd.ni_cnd,
+ error = mac_vnode_check_create(td->td_ucred, nd.ni_dvp, &nd.ni_cnd,
&vattr);
if (error)
goto out;
@@ -3550,7 +3550,7 @@ restart:
goto out;
}
#ifdef MAC
- error = mac_check_vnode_unlink(td->td_ucred, nd.ni_dvp, vp,
+ error = mac_vnode_check_unlink(td->td_ucred, nd.ni_dvp, vp,
&nd.ni_cnd);
if (error)
goto out;
@@ -3641,7 +3641,7 @@ unionread:
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
loff = auio.uio_offset = fp->f_offset;
#ifdef MAC
- error = mac_check_vnode_readdir(td->td_ucred, vp);
+ error = mac_vnode_check_readdir(td->td_ucred, vp);
if (error) {
VOP_UNLOCK(vp, 0, td);
VFS_UNLOCK_GIANT(vfslocked);
@@ -3785,7 +3785,7 @@ unionread:
AUDIT_ARG(vnode, vp, ARG_VNODE1);
loff = auio.uio_offset = fp->f_offset;
#ifdef MAC
- error = mac_check_vnode_readdir(td->td_ucred, vp);
+ error = mac_vnode_check_readdir(td->td_ucred, vp);
if (error == 0)
#endif
error = VOP_READDIR(vp, &auio, fp->f_cred, &eofflag, NULL,
@@ -3903,7 +3903,7 @@ revoke(td, uap)
goto out;
}
#ifdef MAC
- error = mac_check_vnode_revoke(td->td_ucred, vp);
+ error = mac_vnode_check_revoke(td->td_ucred, vp);
if (error)
goto out;
#endif
@@ -4126,7 +4126,7 @@ fhopen(td, uap)
if (fmode & O_APPEND)
mode |= VAPPEND;
#ifdef MAC
- error = mac_check_vnode_open(td->td_ucred, vp, mode);
+ error = mac_vnode_check_open(td->td_ucred, vp, mode);
if (error)
goto bad;
#endif
@@ -4148,7 +4148,7 @@ fhopen(td, uap)
* We don't yet have fp->f_cred, so use td->td_ucred, which
* should be right.
*/
- error = mac_check_vnode_write(td->td_ucred, td->td_ucred, vp);
+ error = mac_vnode_check_write(td->td_ucred, td->td_ucred, vp);
if (error == 0) {
#endif
VATTR_NULL(vap);
@@ -4337,7 +4337,7 @@ kern_fhstatfs(struct thread *td, fhandle_t fh, struct statfs *buf)
if (error)
goto out;
#ifdef MAC
- error = mac_check_mount_stat(td->td_ucred, mp);
+ error = mac_mount_check_stat(td->td_ucred, mp);
if (error)
goto out;
#endif
diff --git a/sys/kern/vfs_vnops.c b/sys/kern/vfs_vnops.c
index 4f5305e..5083574 100644
--- a/sys/kern/vfs_vnops.c
+++ b/sys/kern/vfs_vnops.c
@@ -148,7 +148,7 @@ restart:
goto restart;
}
#ifdef MAC
- error = mac_check_vnode_create(cred, ndp->ni_dvp,
+ error = mac_vnode_check_create(cred, ndp->ni_dvp,
&ndp->ni_cnd, vap);
if (error == 0) {
#endif
@@ -213,7 +213,7 @@ restart:
if (fmode & O_APPEND)
mode |= VAPPEND;
#ifdef MAC
- error = mac_check_vnode_open(cred, vp, mode);
+ error = mac_vnode_check_open(cred, vp, mode);
if (error)
goto bad;
#endif
@@ -387,10 +387,10 @@ vn_rdwr(rw, vp, base, len, offset, segflg, ioflg, active_cred, file_cred,
#ifdef MAC
if ((ioflg & IO_NOMACCHECK) == 0) {
if (rw == UIO_READ)
- error = mac_check_vnode_read(active_cred, file_cred,
+ error = mac_vnode_check_read(active_cred, file_cred,
vp);
else
- error = mac_check_vnode_write(active_cred, file_cred,
+ error = mac_vnode_check_write(active_cred, file_cred,
vp);
}
#endif
@@ -520,7 +520,7 @@ vn_read(fp, uio, active_cred, flags, td)
ioflag |= sequential_heuristic(uio, fp);
#ifdef MAC
- error = mac_check_vnode_read(active_cred, fp->f_cred, vp);
+ error = mac_vnode_check_read(active_cred, fp->f_cred, vp);
if (error == 0)
#endif
error = VOP_READ(vp, uio, ioflag, fp->f_cred);
@@ -580,7 +580,7 @@ vn_write(fp, uio, active_cred, flags, td)
uio->uio_offset = fp->f_offset;
ioflag |= sequential_heuristic(uio, fp);
#ifdef MAC
- error = mac_check_vnode_write(active_cred, fp->f_cred, vp);
+ error = mac_vnode_check_write(active_cred, fp->f_cred, vp);
if (error == 0)
#endif
error = VOP_WRITE(vp, uio, ioflag, fp->f_cred);
@@ -635,7 +635,7 @@ vn_stat(vp, sb, active_cred, file_cred, td)
u_short mode;
#ifdef MAC
- error = mac_check_vnode_stat(active_cred, file_cred, vp);
+ error = mac_vnode_check_stat(active_cred, file_cred, vp);
if (error)
return (error);
#endif
@@ -783,7 +783,7 @@ vn_poll(fp, events, active_cred, td)
vfslocked = VFS_LOCK_GIANT(vp->v_mount);
#ifdef MAC
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
- error = mac_check_vnode_poll(active_cred, fp->f_cred, vp);
+ error = mac_vnode_check_poll(active_cred, fp->f_cred, vp);
VOP_UNLOCK(vp, 0, td);
if (!error)
#endif
diff --git a/sys/net/bpf.c b/sys/net/bpf.c
index 7af9f3c..2d6630a 100644
--- a/sys/net/bpf.c
+++ b/sys/net/bpf.c
@@ -416,8 +416,8 @@ bpfopen(struct cdev *dev, int flags, int fmt, struct thread *td)
d->bd_direction = BPF_D_INOUT;
d->bd_pid = td->td_proc->p_pid;
#ifdef MAC
- mac_init_bpfdesc(d);
- mac_create_bpfdesc(td->td_ucred, d);
+ mac_bpfdesc_init(d);
+ mac_bpfdesc_create(td->td_ucred, d);
#endif
mtx_init(&d->bd_mtx, devtoname(dev), "bpf cdev lock", MTX_DEF);
callout_init(&d->bd_callout, CALLOUT_MPSAFE);
@@ -448,7 +448,7 @@ bpfclose(struct cdev *dev, int flags, int fmt, struct thread *td)
mtx_unlock(&bpf_mtx);
selwakeuppri(&d->bd_sel, PRINET);
#ifdef MAC
- mac_destroy_bpfdesc(d);
+ mac_bpfdesc_destroy(d);
#endif /* MAC */
knlist_destroy(&d->bd_sel.si_note);
bpf_freed(d);
@@ -656,9 +656,9 @@ bpfwrite(struct cdev *dev, struct uio *uio, int ioflag)
#ifdef MAC
BPFD_LOCK(d);
- mac_create_mbuf_from_bpfdesc(d, m);
+ mac_bpfdesc_create_mbuf(d, m);
if (mc != NULL)
- mac_create_mbuf_from_bpfdesc(d, mc);
+ mac_bpfdesc_create_mbuf(d, mc);
BPFD_UNLOCK(d);
#endif
@@ -1299,7 +1299,7 @@ bpf_tap(struct bpf_if *bp, u_char *pkt, u_int pktlen)
gottime = 1;
}
#ifdef MAC
- if (mac_check_bpfdesc_receive(d, bp->bif_ifp) == 0)
+ if (mac_bpfdesc_check_receive(d, bp->bif_ifp) == 0)
#endif
catchpacket(d, pkt, pktlen, slen, bcopy, &tv);
}
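Review bot: The MAC receive check in bpf_tap is an unbraced `if` inside `#ifdef MAC` whose body is the `catchpacket()` call after `#endif`, so the access-control decision depends on those two lines staying adjacent. A statement inserted between them later would become the guarded one, and in MAC kernels `catchpacket()` would then run whatever the policy returned. The same shape appears in the bpf_mtap and bpf_mtap2 hunks that follow. I would add a comment directly above the check, `/* MAC: this if governs the catchpacket() call after #endif; keep them adjacent. */`. The enclosing function bodies start and end outside these hunks, so a restructuring is not proposed here.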
@@ -1378,7 +1378,7 @@ bpf_mtap(struct bpf_if *bp, struct mbuf *m)
gottime = 1;
}
#ifdef MAC
- if (mac_check_bpfdesc_receive(d, bp->bif_ifp) == 0)
+ if (mac_bpfdesc_check_receive(d, bp->bif_ifp) == 0)
#endif
catchpacket(d, (u_char *)m, pktlen, slen,
bpf_mcopy, &tv);
@@ -1433,7 +1433,7 @@ bpf_mtap2(struct bpf_if *bp, void *data, u_int dlen, struct mbuf *m)
gottime = 1;
}
#ifdef MAC
- if (mac_check_bpfdesc_receive(d, bp->bif_ifp) == 0)
+ if (mac_bpfdesc_check_receive(d, bp->bif_ifp) == 0)
#endif
catchpacket(d, (u_char *)&mb, pktlen, slen,
bpf_mcopy, &tv);
diff --git a/sys/net/bsd_comp.c b/sys/net/bsd_comp.c
index 139f772..3506196 100644
--- a/sys/net/bsd_comp.c
+++ b/sys/net/bsd_comp.c
@@ -881,7 +881,7 @@ bsd_decompress(state, cmp, dmpp)
wptr = mtod(dmp, u_char *);
space = M_TRAILINGSPACE(dmp) - PPP_HDRLEN + 1;
#ifdef MAC
- mac_copy_mbuf(cmp, dmp);
+ mac_mbuf_copy(cmp, dmp);
#endif
/*
diff --git a/sys/net/if.c b/sys/net/if.c
index 0b602bc..a6db03d 100644
--- a/sys/net/if.c
+++ b/sys/net/if.c
@@ -478,8 +478,8 @@ if_attach(struct ifnet *ifp)
ifp->if_data.ifi_datalen = sizeof(struct if_data);
#ifdef MAC
- mac_init_ifnet(ifp);
- mac_create_ifnet(ifp);
+ mac_ifnet_init(ifp);
+ mac_ifnet_create(ifp);
#endif
ifdev_byindex(ifp->if_index) = make_dev(&net_cdevsw,
@@ -758,7 +758,7 @@ if_detach(struct ifnet *ifp)
IF_AFDATA_UNLOCK(ifp);
#ifdef MAC
- mac_destroy_ifnet(ifp);
+ mac_ifnet_destroy(ifp);
#endif /* MAC */
KNOTE_UNLOCKED(&ifp->if_klist, NOTE_EXIT);
knlist_clear(&ifp->if_klist, 0);
@@ -1534,7 +1534,7 @@ ifhwioctl(u_long cmd, struct ifnet *ifp, caddr_t data, struct thread *td)
#ifdef MAC
case SIOCGIFMAC:
- error = mac_ioctl_ifnet_get(td->td_ucred, ifr, ifp);
+ error = mac_ifnet_ioctl_get(td->td_ucred, ifr, ifp);
break;
#endif
@@ -1610,7 +1610,7 @@ ifhwioctl(u_long cmd, struct ifnet *ifp, caddr_t data, struct thread *td)
#ifdef MAC
case SIOCSIFMAC:
- error = mac_ioctl_ifnet_set(td->td_ucred, ifr, ifp);
+ error = mac_ifnet_ioctl_set(td->td_ucred, ifr, ifp);
break;
#endif
diff --git a/sys/net/if_atmsubr.c b/sys/net/if_atmsubr.c
index b84b08a..9d1a7fa 100644
--- a/sys/net/if_atmsubr.c
+++ b/sys/net/if_atmsubr.c
@@ -134,7 +134,7 @@ atm_output(struct ifnet *ifp, struct mbuf *m0, struct sockaddr *dst,
u_int32_t atm_flags;
#ifdef MAC
- error = mac_check_ifnet_transmit(ifp, m);
+ error = mac_ifnet_check_transmit(ifp, m);
if (error)
senderr(error);
#endif
@@ -261,7 +261,7 @@ atm_input(struct ifnet *ifp, struct atm_pseudohdr *ah, struct mbuf *m,
return;
}
#ifdef MAC
- mac_create_mbuf_from_ifnet(ifp, m);
+ mac_ifnet_create_mbuf(ifp, m);
#endif
ifp->if_ibytes += m->m_pkthdr.len;
diff --git a/sys/net/if_ethersubr.c b/sys/net/if_ethersubr.c
index a06a6cd..e3d3620 100644
--- a/sys/net/if_ethersubr.c
+++ b/sys/net/if_ethersubr.c
@@ -157,7 +157,7 @@ ether_output(struct ifnet *ifp, struct mbuf *m,
int hlen; /* link layer header length */
#ifdef MAC
- error = mac_check_ifnet_transmit(ifp, m);
+ error = mac_ifnet_check_transmit(ifp, m);
if (error)
senderr(error);
#endif
@@ -570,7 +570,7 @@ ether_input(struct ifnet *ifp, struct mbuf *m)
* Tag the mbuf with an appropriate MAC label before any other
* consumers can get to it.
*/
- mac_create_mbuf_from_ifnet(ifp, m);
+ mac_ifnet_create_mbuf(ifp, m);
#endif
/*
diff --git a/sys/net/if_fddisubr.c b/sys/net/if_fddisubr.c
index a2fd00b..7152eac 100644
--- a/sys/net/if_fddisubr.c
+++ b/sys/net/if_fddisubr.c
@@ -121,7 +121,7 @@ fddi_output(ifp, m, dst, rt0)
struct fddi_header *fh;
#ifdef MAC
- error = mac_check_ifnet_transmit(ifp, m);
+ error = mac_ifnet_check_transmit(ifp, m);
if (error)
senderr(error);
#endif
@@ -407,7 +407,7 @@ fddi_input(ifp, m)
}
#ifdef MAC
- mac_create_mbuf_from_ifnet(ifp, m);
+ mac_ifnet_create_mbuf(ifp, m);
#endif
/*
diff --git a/sys/net/if_fwsubr.c b/sys/net/if_fwsubr.c
index b1c68d2..e001c29 100644
--- a/sys/net/if_fwsubr.c
+++ b/sys/net/if_fwsubr.c
@@ -91,7 +91,7 @@ firewire_output(struct ifnet *ifp, struct mbuf *m, struct sockaddr *dst,
static int next_dgl;
#ifdef MAC
- error = mac_check_ifnet_transmit(ifp, m);
+ error = mac_ifnet_check_transmit(ifp, m);
if (error)
goto bad;
#endif
@@ -557,7 +557,7 @@ firewire_input(struct ifnet *ifp, struct mbuf *m, uint16_t src)
* Tag the mbuf with an appropriate MAC label before any other
* consumers can get to it.
*/
- mac_create_mbuf_from_ifnet(ifp, m);
+ mac_ifnet_create_mbuf(ifp, m);
#endif
/*
diff --git a/sys/net/if_gif.c b/sys/net/if_gif.c
index dfe69bd..4743a05 100644
--- a/sys/net/if_gif.c
+++ b/sys/net/if_gif.c
@@ -360,7 +360,7 @@ gif_output(ifp, m, dst, rt)
u_int32_t af;
#ifdef MAC
- error = mac_check_ifnet_transmit(ifp, m);
+ error = mac_ifnet_check_transmit(ifp, m);
if (error) {
m_freem(m);
goto end;
@@ -479,7 +479,7 @@ gif_input(m, af, ifp)
m->m_pkthdr.rcvif = ifp;
#ifdef MAC
- mac_create_mbuf_from_ifnet(ifp, m);
+ mac_ifnet_create_mbuf(ifp, m);
#endif
if (bpf_peers_present(ifp->if_bpf)) {
diff --git a/sys/net/if_iso88025subr.c b/sys/net/if_iso88025subr.c
index 8dca499..7abf585 100644
--- a/sys/net/if_iso88025subr.c
+++ b/sys/net/if_iso88025subr.c
@@ -244,7 +244,7 @@ iso88025_output(ifp, m, dst, rt0)
struct rtentry *rt = NULL;
#ifdef MAC
- error = mac_check_ifnet_transmit(ifp, m);
+ error = mac_ifnet_check_transmit(ifp, m);
if (error)
senderr(error);
#endif
@@ -503,7 +503,7 @@ iso88025_input(ifp, m)
}
#ifdef MAC
- mac_create_mbuf_from_ifnet(ifp, m);
+ mac_ifnet_create_mbuf(ifp, m);
#endif
/*
diff --git a/sys/net/if_ppp.c b/sys/net/if_ppp.c
index 462b7c5..5030ac58 100644
--- a/sys/net/if_ppp.c
+++ b/sys/net/if_ppp.c
@@ -815,7 +815,7 @@ pppoutput(ifp, m0, dst, rtp)
int len;
#ifdef MAC
- error = mac_check_ifnet_transmit(ifp, m0);
+ error = mac_ifnet_check_transmit(ifp, m0);
if (error)
goto bad;
#endif
@@ -1231,7 +1231,7 @@ pppintr()
if (m == NULL)
break;
#ifdef MAC
- mac_create_mbuf_from_ifnet(PPP2IFP(sc), m);
+ mac_ifnet_create_mbuf(PPP2IFP(sc), m);
#endif
ppp_inproc(sc, m);
}
@@ -1509,7 +1509,7 @@ ppp_inproc(sc, m)
}
}
#ifdef MAC
- mac_copy_mbuf(m, mp);
+ mac_mbuf_copy(m, mp);
#endif
cp = mtod(mp, u_char *);
cp[0] = adrs;
@@ -1563,7 +1563,7 @@ ppp_inproc(sc, m)
MGETHDR(mp, M_DONTWAIT, MT_DATA);
if (mp != NULL) {
#ifdef MAC
- mac_copy_mbuf(m, mp);
+ mac_mbuf_copy(m, mp);
#endif
m_copydata(m, 0, ilen, mtod(mp, caddr_t));
m_freem(m);
diff --git a/sys/net/if_stf.c b/sys/net/if_stf.c
index dfb9aea..8f70df6 100644
--- a/sys/net/if_stf.c
+++ b/sys/net/if_stf.c
@@ -406,7 +406,7 @@ stf_output(ifp, m, dst, rt)
#ifdef MAC
int error;
- error = mac_check_ifnet_transmit(ifp, m);
+ error = mac_ifnet_check_transmit(ifp, m);
if (error) {
m_freem(m);
return (error);
@@ -674,7 +674,7 @@ in_stf_input(m, off)
ifp = STF2IFP(sc);
#ifdef MAC
- mac_create_mbuf_from_ifnet(ifp, m);
+ mac_ifnet_create_mbuf(ifp, m);
#endif
/*
diff --git a/sys/net/if_tun.c b/sys/net/if_tun.c
index 61f08d7..cf4a3b9 100644
--- a/sys/net/if_tun.c
+++ b/sys/net/if_tun.c
@@ -579,7 +579,7 @@ tunoutput(
TUNDEBUG (ifp, "tunoutput\n");
#ifdef MAC
- error = mac_check_ifnet_transmit(ifp, m0);
+ error = mac_ifnet_check_transmit(ifp, m0);
if (error) {
m_freem(m0);
return (error);
@@ -875,7 +875,7 @@ tunwrite(struct cdev *dev, struct uio *uio, int flag)
m->m_pkthdr.rcvif = ifp;
#ifdef MAC
- mac_create_mbuf_from_ifnet(ifp, m);
+ mac_ifnet_create_mbuf(ifp, m);
#endif
/* Could be unlocked read? */
diff --git a/sys/netatalk/ddp_input.c b/sys/netatalk/ddp_input.c
index 7e15cb1..2e7dac8 100644
--- a/sys/netatalk/ddp_input.c
+++ b/sys/netatalk/ddp_input.c
@@ -411,7 +411,7 @@ ddp_input(struct mbuf *m, struct ifnet *ifp, struct elaphdr *elh, int phase)
#ifdef MAC
SOCK_LOCK(ddp->ddp_socket);
- if (mac_check_socket_deliver(ddp->ddp_socket, m) != 0) {
+ if (mac_socket_check_deliver(ddp->ddp_socket, m) != 0) {
SOCK_UNLOCK(ddp->ddp_socket);
goto out;
}
diff --git a/sys/netatalk/ddp_output.c b/sys/netatalk/ddp_output.c
index c67264e..bc85fcb 100644
--- a/sys/netatalk/ddp_output.c
+++ b/sys/netatalk/ddp_output.c
@@ -54,7 +54,7 @@ ddp_output(struct mbuf *m, struct socket *so)
#ifdef MAC
SOCK_LOCK(so);
- mac_create_mbuf_from_socket(so, m);
+ mac_socket_create_mbuf(so, m);
SOCK_UNLOCK(so);
#endif
@@ -200,7 +200,7 @@ ddp_route(struct mbuf *m, struct route *ro)
return (ENOBUFS);
}
#ifdef MAC
- mac_copy_mbuf(m, m0);
+ mac_mbuf_copy(m, m0);
#endif
m0->m_next = m;
/* XXX perhaps we ought to align the header? */
diff --git a/sys/netinet/in_pcb.c b/sys/netinet/in_pcb.c
index d85251e..c1727ca 100644
--- a/sys/netinet/in_pcb.c
+++ b/sys/netinet/in_pcb.c
@@ -187,11 +187,11 @@ in_pcballoc(struct socket *so, struct inpcbinfo *pcbinfo)
inp->inp_pcbinfo = pcbinfo;
inp->inp_socket = so;
#ifdef MAC
- error = mac_init_inpcb(inp, M_NOWAIT);
+ error = mac_inpcb_init(inp, M_NOWAIT);
if (error != 0)
goto out;
SOCK_LOCK(so);
- mac_create_inpcb_from_socket(so, inp);
+ mac_inpcb_create(so, inp);
SOCK_UNLOCK(so);
#endif
@@ -725,7 +725,7 @@ in_pcbfree(struct inpcb *inp)
inp->inp_vflag = 0;
#ifdef MAC
- mac_destroy_inpcb(inp);
+ mac_inpcb_destroy(inp);
#endif
INP_UNLOCK(inp);
uma_zfree(ipi->ipi_zone, inp);
diff --git a/sys/netinet/ip_divert.c b/sys/netinet/ip_divert.c
index 35208ff..ee81288 100644
--- a/sys/netinet/ip_divert.c
+++ b/sys/netinet/ip_divert.c
@@ -376,7 +376,7 @@ div_output(struct socket *so, struct mbuf *m, struct sockaddr_in *sin,
ipstat.ips_rawout++; /* XXX */
#ifdef MAC
- mac_create_mbuf_from_inpcb(inp, m);
+ mac_inpcb_create_mbuf(inp, m);
#endif
/*
* Get ready to inject the packet into ip_output().
@@ -439,7 +439,7 @@ div_output(struct socket *so, struct mbuf *m, struct sockaddr_in *sin,
}
#ifdef MAC
SOCK_LOCK(so);
- mac_create_mbuf_from_socket(so, m);
+ mac_socket_create_mbuf(so, m);
SOCK_UNLOCK(so);
#endif
/* Send packet to input processing via netisr */
diff --git a/sys/netinet/ip_fw2.c b/sys/netinet/ip_fw2.c
index 2519519..db407e5 100644
--- a/sys/netinet/ip_fw2.c
+++ b/sys/netinet/ip_fw2.c
@@ -1619,9 +1619,9 @@ send_pkt(struct mbuf *replyto, struct ipfw_flow_id *id, u_int32_t seq,
#ifdef MAC
if (replyto != NULL)
- mac_create_mbuf_netlayer(replyto, m);
+ mac_mbuf_create_netlayer(replyto, m);
else
- mac_create_mbuf_from_firewall(m);
+ mac_mbuf_create_from_firewall(m);
#else
(void)replyto; /* don't warn about unused arg */
#endif
diff --git a/sys/netinet/ip_icmp.c b/sys/netinet/ip_icmp.c
index f5843a0..35718c9 100644
--- a/sys/netinet/ip_icmp.c
+++ b/sys/netinet/ip_icmp.c
@@ -221,7 +221,7 @@ stdreply: icmpelen = max(8, min(icmp_quotelen, oip->ip_len - oiphlen));
if (m == NULL)
goto freeit;
#ifdef MAC
- mac_create_mbuf_netlayer(n, m);
+ mac_mbuf_create_netlayer(n, m);
#endif
icmplen = min(icmplen, M_TRAILINGSPACE(m) - sizeof(struct ip) - ICMP_MINLEN);
m_align(m, ICMP_MINLEN + icmplen);
@@ -699,7 +699,7 @@ icmp_reflect(struct mbuf *m)
}
match:
#ifdef MAC
- mac_reflect_mbuf_icmp(m);
+ mac_netinet_icmp_reply(m);
#endif
t = IA_SIN(ia)->sin_addr;
ip->ip_src = t;
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index 20bdd6f..7f8703f 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -776,7 +776,7 @@ ip_reass(struct mbuf *m)
ip->ip_src.s_addr == fp->ipq_src.s_addr &&
ip->ip_dst.s_addr == fp->ipq_dst.s_addr &&
#ifdef MAC
- mac_fragment_match(m, fp) &&
+ mac_ipq_match(m, fp) &&
#endif
ip->ip_p == fp->ipq_p)
goto found;
@@ -852,12 +852,12 @@ found:
if (fp == NULL)
goto dropfrag;
#ifdef MAC
- if (mac_init_ipq(fp, M_NOWAIT) != 0) {
+ if (mac_ipq_init(fp, M_NOWAIT) != 0) {
uma_zfree(ipq_zone, fp);
fp = NULL;
goto dropfrag;
}
- mac_create_ipq(m, fp);
+ mac_ipq_create(m, fp);
#endif
TAILQ_INSERT_HEAD(head, fp, ipq_list);
nipq++;
@@ -873,7 +873,7 @@ found:
} else {
fp->ipq_nfrags++;
#ifdef MAC
- mac_update_ipq(m, fp);
+ mac_ipq_update(m, fp);
#endif
}
@@ -1015,8 +1015,8 @@ found:
m->m_pkthdr.csum_data =
(m->m_pkthdr.csum_data & 0xffff) + (m->m_pkthdr.csum_data >> 16);
#ifdef MAC
- mac_create_datagram_from_ipq(fp, m);
- mac_destroy_ipq(fp);
+ mac_ipq_reassemble(fp, m);
+ mac_ipq_destroy(fp);
#endif
/*
diff --git a/sys/netinet/ip_options.c b/sys/netinet/ip_options.c
index d1c0594..f190df1 100644
--- a/sys/netinet/ip_options.c
+++ b/sys/netinet/ip_options.c
@@ -508,7 +508,7 @@ ip_insertoptions(struct mbuf *m, struct mbuf *opt, int *phlen)
M_MOVE_PKTHDR(n, m);
n->m_pkthdr.rcvif = NULL;
#ifdef MAC
- mac_copy_mbuf(m, n);
+ mac_mbuf_copy(m, n);
#endif
n->m_pkthdr.len += optlen;
m->m_len -= sizeof(struct ip);
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index 261a15f..4105fe4 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -733,7 +733,7 @@ smart_frag_failure:
m->m_pkthdr.len = mhlen + len;
m->m_pkthdr.rcvif = NULL;
#ifdef MAC
- mac_create_fragment(m0, m);
+ mac_netinet_fragment(m0, m);
#endif
m->m_pkthdr.csum_flags = m0->m_pkthdr.csum_flags;
mhip->ip_off = htons(mhip->ip_off);
diff --git a/sys/netinet/raw_ip.c b/sys/netinet/raw_ip.c
index 1d0ced5..f23aaf1 100644
--- a/sys/netinet/raw_ip.c
+++ b/sys/netinet/raw_ip.c
@@ -164,7 +164,7 @@ raw_append(struct inpcb *last, struct ip *ip, struct mbuf *n)
}
#endif /* IPSEC */
#ifdef MAC
- if (!policyfail && mac_check_inpcb_deliver(last, n) != 0)
+ if (!policyfail && mac_inpcb_check_deliver(last, n) != 0)
policyfail = 1;
#endif
/* Check the minimum TTL for socket. */
@@ -330,7 +330,7 @@ rip_output(struct mbuf *m, struct socket *so, u_long dst)
flags |= IP_SENDONES;
#ifdef MAC
- mac_create_mbuf_from_inpcb(inp, m);
+ mac_inpcb_create_mbuf(inp, m);
#endif
error = ip_output(m, inp->inp_options, NULL, flags,
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index 4e69016..deb31fb 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -534,7 +534,7 @@ findpcb:
#ifdef MAC
INP_LOCK_ASSERT(inp);
- if (mac_check_inpcb_deliver(inp, m))
+ if (mac_inpcb_check_deliver(inp, m))
goto dropunlock;
#endif
so = inp->inp_socket;
@@ -1278,7 +1278,7 @@ tcp_do_segment(struct mbuf *m, struct tcphdr *th, struct socket *so,
soisconnected(so);
#ifdef MAC
SOCK_LOCK(so);
- mac_set_socket_peer_from_mbuf(m, so);
+ mac_socketpeer_set_from_mbuf(m, so);
SOCK_UNLOCK(so);
#endif
/* Do window scaling on this connection? */
diff --git a/sys/netinet/tcp_output.c b/sys/netinet/tcp_output.c
index c554ffb..58a4ad9 100644
--- a/sys/netinet/tcp_output.c
+++ b/sys/netinet/tcp_output.c
@@ -846,7 +846,7 @@ send:
SOCKBUF_UNLOCK_ASSERT(&so->so_snd);
m->m_pkthdr.rcvif = (struct ifnet *)0;
#ifdef MAC
- mac_create_mbuf_from_inpcb(tp->t_inpcb, m);
+ mac_inpcb_create_mbuf(tp->t_inpcb, m);
#endif
#ifdef INET6
if (isipv6) {
diff --git a/sys/netinet/tcp_subr.c b/sys/netinet/tcp_subr.c
index 64d1835..688a5d2 100644
--- a/sys/netinet/tcp_subr.c
+++ b/sys/netinet/tcp_subr.c
@@ -525,13 +525,13 @@ tcp_respond(struct tcpcb *tp, void *ipgen, struct tcphdr *th, struct mbuf *m,
* label of the response to reflect the socket label.
*/
INP_LOCK_ASSERT(inp);
- mac_create_mbuf_from_inpcb(inp, m);
+ mac_inpcb_create_mbuf(inp, m);
} else {
/*
* Packet is not associated with a socket, so possibly
* update the label in place.
*/
- mac_reflect_mbuf_tcp(m);
+ mac_netinet_tcp_reply(m);
}
#endif
nth->th_seq = htonl(seq);
diff --git a/sys/netinet/tcp_syncache.c b/sys/netinet/tcp_syncache.c
index aaee985..430640a 100644
--- a/sys/netinet/tcp_syncache.c
+++ b/sys/netinet/tcp_syncache.c
@@ -640,7 +640,7 @@ syncache_socket(struct syncache *sc, struct socket *lso, struct mbuf *m)
}
#ifdef MAC
SOCK_LOCK(so);
- mac_set_socket_peer_from_mbuf(m, so);
+ mac_socketpeer_set_from_mbuf(m, so);
SOCK_UNLOCK(so);
#endif
diff --git a/sys/netinet/tcp_timewait.c b/sys/netinet/tcp_timewait.c
index d31e99c..6882642 100644
--- a/sys/netinet/tcp_timewait.c
+++ b/sys/netinet/tcp_timewait.c
@@ -540,7 +540,7 @@ tcp_twrespond(struct tcptw *tw, int flags)
m->m_data += max_linkhdr;
#ifdef MAC
- mac_create_mbuf_from_inpcb(inp, m);
+ mac_inpcb_create_mbuf(inp, m);
#endif
#ifdef INET6
diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c
index 3e122bf..d55377f 100644
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@@ -206,7 +206,7 @@ udp_append(struct inpcb *inp, struct ip *ip, struct mbuf *n, int off,
}
#endif /* IPSEC */
#ifdef MAC
- if (mac_check_inpcb_deliver(inp, n) != 0) {
+ if (mac_inpcb_check_deliver(inp, n) != 0) {
m_freem(n);
return;
}
@@ -843,7 +843,7 @@ udp_output(struct inpcb *inp, struct mbuf *m, struct sockaddr *addr,
INP_LOCK(inp);
#ifdef MAC
- mac_create_mbuf_from_inpcb(inp, m);
+ mac_inpcb_create_mbuf(inp, m);
#endif
/*
diff --git a/sys/netinet6/udp6_usrreq.c b/sys/netinet6/udp6_usrreq.c
index b443ead..e9c7328 100644
--- a/sys/netinet6/udp6_usrreq.c
+++ b/sys/netinet6/udp6_usrreq.c
@@ -138,7 +138,7 @@ udp6_append(struct inpcb *inp, struct mbuf *n, int off,
}
#endif /* IPSEC */
#ifdef MAC
- if (mac_check_inpcb_deliver(inp, n) != 0) {
+ if (mac_inpcb_check_deliver(inp, n) != 0) {
m_freem(n);
return;
}
@@ -990,7 +990,7 @@ udp6_send(struct socket *so, int flags, struct mbuf *m,
}
#endif
#ifdef MAC
- mac_create_mbuf_from_inpcb(inp, m);
+ mac_inpcb_create_mbuf(inp, m);
#endif
error = udp6_output(inp, m, addr, control, td);
out:
diff --git a/sys/security/audit/audit_syscalls.c b/sys/security/audit/audit_syscalls.c
index fa037ab..f9865f5 100644
--- a/sys/security/audit/audit_syscalls.c
+++ b/sys/security/audit/audit_syscalls.c
@@ -114,7 +114,7 @@ audit(struct thread *td, struct audit_args *uap)
}
#ifdef MAC
- error = mac_check_system_audit(td->td_ucred, rec, uap->length);
+ error = mac_system_check_audit(td->td_ucred, rec, uap->length);
if (error)
goto free_out;
#endif
@@ -166,7 +166,7 @@ auditon(struct thread *td, struct auditon_args *uap)
AUDIT_ARG(cmd, uap->cmd);
#ifdef MAC
- error = mac_check_system_auditon(td->td_ucred, uap->cmd);
+ error = mac_system_check_auditon(td->td_ucred, uap->cmd);
if (error)
return (error);
#endif
@@ -470,7 +470,7 @@ setauid(struct thread *td, struct setauid_args *uap)
oldcred = td->td_proc->p_ucred;
crcopy(newcred, oldcred);
#ifdef MAC
- error = mac_check_proc_setauid(oldcred, id);
+ error = mac_proc_check_setauid(oldcred, id);
if (error)
goto fail;
#endif
@@ -533,7 +533,7 @@ setaudit(struct thread *td, struct setaudit_args *uap)
oldcred = td->td_proc->p_ucred;
crcopy(newcred, oldcred);
#ifdef MAC
- error = mac_check_proc_setaudit(oldcred, &ai);
+ error = mac_proc_check_setaudit(oldcred, &ai);
if (error)
goto fail;
#endif
@@ -596,7 +596,7 @@ setaudit_addr(struct thread *td, struct setaudit_addr_args *uap)
oldcred = td->td_proc->p_ucred;
crcopy(newcred, oldcred);
#ifdef MAC
- error = mac_check_proc_setaudit_addr(oldcred, &aia);
+ error = mac_proc_check_setaudit_addr(oldcred, &aia);
if (error)
goto fail;
#endif
@@ -655,7 +655,7 @@ auditctl(struct thread *td, struct auditctl_args *uap)
vfslocked = NDHASGIANT(&nd);
vp = nd.ni_vp;
#ifdef MAC
- error = mac_check_system_auditctl(td->td_ucred, vp);
+ error = mac_system_check_auditctl(td->td_ucred, vp);
VOP_UNLOCK(vp, 0, td);
if (error) {
vn_close(vp, AUDIT_CLOSE_FLAGS, td->td_ucred, td);
diff --git a/sys/security/mac/mac_audit.c b/sys/security/mac/mac_audit.c
index 69731c7..d8cd8e6 100644
--- a/sys/security/mac/mac_audit.c
+++ b/sys/security/mac/mac_audit.c
@@ -2,6 +2,7 @@
* Copyright (c) 1999-2002 Robert N. M. Watson
* Copyright (c) 2001 Ilmar S. Habibulin
* Copyright (c) 2001-2004 Networks Associates Technology, Inc.
+ * Copyright (c) 2006 SPARTA, Inc.
*
* This software was developed by Robert Watson and Ilmar Habibulin for the
* TrustedBSD Project.
@@ -11,6 +12,9 @@
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
* as part of the DARPA CHATS research program.
*
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract
+ * N66001-04-C-6019 ("SEFOS").
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -46,66 +50,66 @@
#include <security/mac/mac_policy.h>
int
-mac_check_proc_setaudit(struct ucred *cred, struct auditinfo *ai)
+mac_proc_check_setaudit(struct ucred *cred, struct auditinfo *ai)
{
int error;
- MAC_CHECK(check_proc_setaudit, cred, ai);
+ MAC_CHECK(proc_check_setaudit, cred, ai);
return (error);
}
int
-mac_check_proc_setaudit_addr(struct ucred *cred, struct auditinfo_addr *aia)
+mac_proc_check_setaudit_addr(struct ucred *cred, struct auditinfo_addr *aia)
{
int error;
- MAC_CHECK(check_proc_setaudit_addr, cred, aia);
+ MAC_CHECK(proc_check_setaudit_addr, cred, aia);
return (error);
}
int
-mac_check_proc_setauid(struct ucred *cred, uid_t auid)
+mac_proc_check_setauid(struct ucred *cred, uid_t auid)
{
int error;
- MAC_CHECK(check_proc_setauid, cred, auid);
+ MAC_CHECK(proc_check_setauid, cred, auid);
return (error);
}
int
-mac_check_system_audit(struct ucred *cred, void *record, int length)
+mac_system_check_audit(struct ucred *cred, void *record, int length)
{
int error;
- MAC_CHECK(check_system_audit, cred, record, length);
+ MAC_CHECK(system_check_audit, cred, record, length);
return (error);
}
int
-mac_check_system_auditctl(struct ucred *cred, struct vnode *vp)
+mac_system_check_auditctl(struct ucred *cred, struct vnode *vp)
{
int error;
struct label *vl;
- ASSERT_VOP_LOCKED(vp, "mac_check_system_auditctl");
+ ASSERT_VOP_LOCKED(vp, "mac_system_check_auditctl");
vl = (vp != NULL) ? vp->v_label : NULL;
- MAC_CHECK(check_system_auditctl, cred, vp, vl);
+ MAC_CHECK(system_check_auditctl, cred, vp, vl);
return (error);
}
int
-mac_check_system_auditon(struct ucred *cred, int cmd)
+mac_system_check_auditon(struct ucred *cred, int cmd)
{
int error;
- MAC_CHECK(check_system_auditon, cred, cmd);
+ MAC_CHECK(system_check_auditon, cred, cmd);
return (error);
}
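Review bot: In mac_system_check_auditctl the lock assertion is applied to `vp` one line before `vl = (vp != NULL) ? vp->v_label : NULL;` treats a NULL vnode as a valid input, so the contract for NULL is unclear from the code. Whether ASSERT_VOP_LOCKED tolerates a NULL vnode is not visible in this hunk. If NULL is legal, a comment above the assertion should say so, for example `/* vp may be NULL; policies then receive a NULL vnode label. */`. If it is not legal, the NULL test should go, so that policies are not written against a case that cannot occur. None of the six renamed entry points has a header comment stating what a non-zero return means to the caller.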
diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h
index d9ede98..a00b90f 100644
--- a/sys/security/mac/mac_framework.h
+++ b/sys/security/mac/mac_framework.h
@@ -90,44 +90,44 @@ struct vop_setlabel_args;
/*
* Kernel functions to manage and evaluate labels.
*/
-void mac_init_bpfdesc(struct bpf_d *);
-void mac_init_cred(struct ucred *);
-void mac_init_devfs(struct devfs_dirent *);
-void mac_init_ifnet(struct ifnet *);
-int mac_init_inpcb(struct inpcb *, int);
-void mac_init_sysv_msgmsg(struct msg *);
-void mac_init_sysv_msgqueue(struct msqid_kernel *);
-void mac_init_sysv_sem(struct semid_kernel *);
-void mac_init_sysv_shm(struct shmid_kernel *);
-int mac_init_ipq(struct ipq *, int);
-int mac_init_socket(struct socket *, int);
-void mac_init_pipe(struct pipepair *);
-void mac_init_posix_sem(struct ksem *);
-int mac_init_mbuf(struct mbuf *, int);
-int mac_init_mbuf_tag(struct m_tag *, int);
-void mac_init_mount(struct mount *);
-void mac_init_proc(struct proc *);
-void mac_init_vnode(struct vnode *);
-void mac_copy_mbuf(struct mbuf *, struct mbuf *);
-void mac_copy_mbuf_tag(struct m_tag *, struct m_tag *);
-void mac_copy_vnode_label(struct label *, struct label *);
-void mac_destroy_bpfdesc(struct bpf_d *);
-void mac_destroy_cred(struct ucred *);
-void mac_destroy_devfs(struct devfs_dirent *);
-void mac_destroy_ifnet(struct ifnet *);
-void mac_destroy_inpcb(struct inpcb *);
-void mac_destroy_sysv_msgmsg(struct msg *);
-void mac_destroy_sysv_msgqueue(struct msqid_kernel *);
-void mac_destroy_sysv_sem(struct semid_kernel *);
-void mac_destroy_sysv_shm(struct shmid_kernel *);
-void mac_destroy_ipq(struct ipq *);
-void mac_destroy_socket(struct socket *);
-void mac_destroy_pipe(struct pipepair *);
-void mac_destroy_posix_sem(struct ksem *);
-void mac_destroy_proc(struct proc *);
-void mac_destroy_mbuf_tag(struct m_tag *);
-void mac_destroy_mount(struct mount *);
-void mac_destroy_vnode(struct vnode *);
+void mac_bpfdesc_init(struct bpf_d *);
+void mac_cred_init(struct ucred *);
+void mac_devfs_init(struct devfs_dirent *);
+void mac_ifnet_init(struct ifnet *);
+int mac_inpcb_init(struct inpcb *, int);
+void mac_sysvmsg_init(struct msg *);
+void mac_sysvmsq_init(struct msqid_kernel *);
+void mac_sysvsem_init(struct semid_kernel *);
+void mac_sysvshm_init(struct shmid_kernel *);
+int mac_ipq_init(struct ipq *, int);
+int mac_socket_init(struct socket *, int);
+void mac_pipe_init(struct pipepair *);
+void mac_posixsem_init(struct ksem *);
+int mac_mbuf_init(struct mbuf *, int);
+int mac_mbuf_tag_init(struct m_tag *, int);
+void mac_mount_init(struct mount *);
+void mac_proc_init(struct proc *);
+void mac_vnode_init(struct vnode *);
+void mac_mbuf_copy(struct mbuf *, struct mbuf *);
+void mac_mbuf_tag_copy(struct m_tag *, struct m_tag *);
+void mac_vnode_copy_label(struct label *, struct label *);
+void mac_bpfdesc_destroy(struct bpf_d *);
+void mac_cred_destroy(struct ucred *);
+void mac_devfs_destroy(struct devfs_dirent *);
+void mac_ifnet_destroy(struct ifnet *);
+void mac_inpcb_destroy(struct inpcb *);
+void mac_sysvmsg_destroy(struct msg *);
+void mac_sysvmsq_destroy(struct msqid_kernel *);
+void mac_sysvsem_destroy(struct semid_kernel *);
+void mac_sysvshm_destroy(struct shmid_kernel *);
+void mac_ipq_destroy(struct ipq *);
+void mac_socket_destroy(struct socket *);
+void mac_pipe_destroy(struct pipepair *);
+void mac_posixsem_destroy(struct ksem *);
+void mac_proc_destroy(struct proc *);
+void mac_mbuf_tag_destroy(struct m_tag *);
+void mac_mount_destroy(struct mount *);
+void mac_vnode_destroy(struct vnode *);
struct label *mac_cred_label_alloc(void);
void mac_cred_label_free(struct label *);
@@ -138,75 +138,73 @@ void mac_vnode_label_free(struct label *);
* Labeling event operations: file system objects, and things that look a lot
* like file system objects.
*/
-void mac_associate_vnode_devfs(struct mount *mp, struct devfs_dirent *de,
+void mac_devfs_vnode_associate(struct mount *mp, struct devfs_dirent *de,
struct vnode *vp);
-int mac_associate_vnode_extattr(struct mount *mp, struct vnode *vp);
-void mac_associate_vnode_singlelabel(struct mount *mp, struct vnode *vp);
-void mac_create_devfs_device(struct ucred *cred, struct mount *mp,
+int mac_vnode_associate_extattr(struct mount *mp, struct vnode *vp);
+void mac_vnode_associate_singlelabel(struct mount *mp, struct vnode *vp);
+void mac_devfs_create_device(struct ucred *cred, struct mount *mp,
struct cdev *dev, struct devfs_dirent *de);
-void mac_create_devfs_directory(struct mount *mp, char *dirname,
+void mac_devfs_create_directory(struct mount *mp, char *dirname,
int dirnamelen, struct devfs_dirent *de);
-void mac_create_devfs_symlink(struct ucred *cred, struct mount *mp,
+void mac_devfs_create_symlink(struct ucred *cred, struct mount *mp,
struct devfs_dirent *dd, struct devfs_dirent *de);
-int mac_create_vnode_extattr(struct ucred *cred, struct mount *mp,
+int mac_vnode_create_extattr(struct ucred *cred, struct mount *mp,
struct vnode *dvp, struct vnode *vp, struct componentname *cnp);
-void mac_create_mount(struct ucred *cred, struct mount *mp);
-void mac_relabel_vnode(struct ucred *cred, struct vnode *vp,
+void mac_mount_create(struct ucred *cred, struct mount *mp);
+void mac_vnode_relabel(struct ucred *cred, struct vnode *vp,
struct label *newlabel);
-void mac_update_devfs(struct mount *mp, struct devfs_dirent *de,
+void mac_devfs_update(struct mount *mp, struct devfs_dirent *de,
struct vnode *vp);
/*
* Labeling event operations: IPC objects.
*/
-void mac_create_mbuf_from_socket(struct socket *so, struct mbuf *m);
-void mac_create_socket(struct ucred *cred, struct socket *so);
-void mac_create_socket_from_socket(struct socket *oldso,
+void mac_socket_create_mbuf(struct socket *so, struct mbuf *m);
+void mac_socket_create(struct ucred *cred, struct socket *so);
+void mac_socket_newconn(struct socket *oldso, struct socket *newso);
+void mac_socketpeer_set_from_mbuf(struct mbuf *m, struct socket *so);
+void mac_socketpeer_set_from_socket(struct socket *oldso,
struct socket *newso);
-void mac_set_socket_peer_from_mbuf(struct mbuf *m, struct socket *so);
-void mac_set_socket_peer_from_socket(struct socket *oldso,
- struct socket *newso);
-void mac_create_pipe(struct ucred *cred, struct pipepair *pp);
+void mac_pipe_create(struct ucred *cred, struct pipepair *pp);
/*
* Labeling event operations: System V IPC primitives
*/
-void mac_create_sysv_msgmsg(struct ucred *cred,
- struct msqid_kernel *msqkptr, struct msg *msgptr);
-void mac_create_sysv_msgqueue(struct ucred *cred,
- struct msqid_kernel *msqkptr);
-void mac_create_sysv_sem(struct ucred *cred,
+void mac_sysvmsg_create(struct ucred *cred, struct msqid_kernel *msqkptr,
+ struct msg *msgptr);
+void mac_sysvmsq_create(struct ucred *cred, struct msqid_kernel *msqkptr);
+void mac_sysvsem_create(struct ucred *cred,
struct semid_kernel *semakptr);
-void mac_create_sysv_shm(struct ucred *cred,
+void mac_sysvshm_create(struct ucred *cred,
struct shmid_kernel *shmsegptr);
/*
* Labeling event operations: POSIX (global/inter-process) semaphores.
*/
-void mac_create_posix_sem(struct ucred *cred, struct ksem *ks);
+void mac_posixsem_create(struct ucred *cred, struct ksem *ks);
/*
* Labeling event operations: network objects.
*/
-void mac_create_bpfdesc(struct ucred *cred, struct bpf_d *d);
-void mac_create_ifnet(struct ifnet *ifp);
-void mac_create_inpcb_from_socket(struct socket *so, struct inpcb *inp);
-void mac_create_ipq(struct mbuf *m, struct ipq *ipq);
-void mac_create_datagram_from_ipq(struct ipq *ipq, struct mbuf *m);
-void mac_create_fragment(struct mbuf *m, struct mbuf *frag);
-void mac_create_mbuf_from_inpcb(struct inpcb *inp, struct mbuf *m);
+void mac_bpfdesc_create(struct ucred *cred, struct bpf_d *d);
+void mac_ifnet_create(struct ifnet *ifp);
+void mac_inpcb_create(struct socket *so, struct inpcb *inp);
+void mac_ipq_create(struct mbuf *m, struct ipq *ipq);
+void mac_ipq_reassemble(struct ipq *ipq, struct mbuf *m);
+void mac_netinet_fragment(struct mbuf *m, struct mbuf *frag);
+void mac_inpcb_create_mbuf(struct inpcb *inp, struct mbuf *m);
void mac_create_mbuf_linklayer(struct ifnet *ifp, struct mbuf *m);
-void mac_create_mbuf_from_bpfdesc(struct bpf_d *d, struct mbuf *m);
-void mac_create_mbuf_from_ifnet(struct ifnet *ifp, struct mbuf *m);
-void mac_create_mbuf_multicast_encap(struct mbuf *m, struct ifnet *ifp,
+void mac_bpfdesc_create_mbuf(struct bpf_d *d, struct mbuf *m);
+void mac_ifnet_create_mbuf(struct ifnet *ifp, struct mbuf *m);
+void mac_mbuf_create_multicast_encap(struct mbuf *m, struct ifnet *ifp,
struct mbuf *mnew);
-void mac_create_mbuf_netlayer(struct mbuf *m, struct mbuf *mnew);
-int mac_fragment_match(struct mbuf *m, struct ipq *ipq);
-void mac_reflect_mbuf_icmp(struct mbuf *m);
-void mac_reflect_mbuf_tcp(struct mbuf *m);
-void mac_update_ipq(struct mbuf *m, struct ipq *ipq);
+void mac_mbuf_create_netlayer(struct mbuf *m, struct mbuf *mnew);
+int mac_ipq_match(struct mbuf *m, struct ipq *ipq);
+void mac_netinet_icmp_reply(struct mbuf *m);
+void mac_netinet_tcp_reply(struct mbuf *m);
+void mac_ipq_update(struct mbuf *m, struct ipq *ipq);
void mac_inpcb_sosetlabel(struct socket *so, struct inpcb *inp);
-void mac_create_mbuf_from_firewall(struct mbuf *m);
+void mac_mbuf_create_from_firewall(struct mbuf *m);
void mac_destroy_syncache(struct label **l);
int mac_init_syncache(struct label **l);
void mac_init_syncache_from_inpcb(struct label *l, struct inpcb *inp);
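Review bot: Four prototypes left as context in this hunk still use the old verb-first form beside the renamed ones: `mac_create_mbuf_linklayer`, `mac_destroy_syncache`, `mac_init_syncache` and `mac_init_syncache_from_inpcb`. The commit description calls this the first in a series, so they are presumably converted later. Until then a policy author porting a module cannot tell from the header which names are final. A marker above them would make that explicit, for example `/* XXX: not yet converted to the mac_<object>_<method> naming. */`.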
@@ -215,16 +213,17 @@ void mac_create_mbuf_from_syncache(struct label *l, struct mbuf *m);
/*
* Labeling event operations: processes.
*/
-void mac_copy_cred(struct ucred *cr1, struct ucred *cr2);
+void mac_cred_copy(struct ucred *cr1, struct ucred *cr2);
int mac_execve_enter(struct image_params *imgp, struct mac *mac_p);
void mac_execve_exit(struct image_params *imgp);
-void mac_execve_transition(struct ucred *oldcred, struct ucred *newcred,
+void mac_vnode_execve_transition(struct ucred *oldcred,
+ struct ucred *newcred, struct vnode *vp,
+ struct label *interpvnodelabel, struct image_params *imgp);
+int mac_vnode_execve_will_transition(struct ucred *cred,
struct vnode *vp, struct label *interpvnodelabel,
struct image_params *imgp);
-int mac_execve_will_transition(struct ucred *cred, struct vnode *vp,
- struct label *interpvnodelabel, struct image_params *imgp);
-void mac_create_proc0(struct ucred *cred);
-void mac_create_proc1(struct ucred *cred);
+void mac_proc_create_swapper(struct ucred *cred);
+void mac_proc_create_init(struct ucred *cred);
void mac_thread_userret(struct thread *td);
/*
@@ -238,177 +237,177 @@ void mac_thread_userret(struct thread *td);
* XXXRW: These object methods are inconsistent with the life cycles of other
* objects, and likely should be revised to be more consistent.
*/
-void mac_cleanup_sysv_msgmsg(struct msg *msgptr);
-void mac_cleanup_sysv_msgqueue(struct msqid_kernel *msqkptr);
-void mac_cleanup_sysv_sem(struct semid_kernel *semakptr);
-void mac_cleanup_sysv_shm(struct shmid_kernel *shmsegptr);
+void mac_sysvmsg_cleanup(struct msg *msgptr);
+void mac_sysvmsq_cleanup(struct msqid_kernel *msqkptr);
+void mac_sysvsem_cleanup(struct semid_kernel *semakptr);
+void mac_sysvshm_cleanup(struct shmid_kernel *shmsegptr);
/*
* Access control checks.
*/
-int mac_check_bpfdesc_receive(struct bpf_d *d, struct ifnet *ifp);
-int mac_check_cred_visible(struct ucred *cr1, struct ucred *cr2);
-int mac_check_ifnet_transmit(struct ifnet *ifp, struct mbuf *m);
-int mac_check_inpcb_deliver(struct inpcb *inp, struct mbuf *m);
-int mac_check_sysv_msgmsq(struct ucred *cred, struct msg *msgptr,
+int mac_bpfdesc_check_receive(struct bpf_d *d, struct ifnet *ifp);
+int mac_cred_check_visible(struct ucred *cr1, struct ucred *cr2);
+int mac_ifnet_check_transmit(struct ifnet *ifp, struct mbuf *m);
+int mac_inpcb_check_deliver(struct inpcb *inp, struct mbuf *m);
+int mac_sysvmsq_check_msgmsq(struct ucred *cred, struct msg *msgptr,
struct msqid_kernel *msqkptr);
-int mac_check_sysv_msgrcv(struct ucred *cred, struct msg *msgptr);
-int mac_check_sysv_msgrmid(struct ucred *cred, struct msg *msgptr);
-int mac_check_sysv_msqget(struct ucred *cred,
+int mac_sysvmsq_check_msgrcv(struct ucred *cred, struct msg *msgptr);
+int mac_sysvmsq_check_msgrmid(struct ucred *cred, struct msg *msgptr);
+int mac_sysvmsq_check_msqget(struct ucred *cred,
struct msqid_kernel *msqkptr);
-int mac_check_sysv_msqsnd(struct ucred *cred,
+int mac_sysvmsq_check_msqsnd(struct ucred *cred,
struct msqid_kernel *msqkptr);
-int mac_check_sysv_msqrcv(struct ucred *cred,
+int mac_sysvmsq_check_msqrcv(struct ucred *cred,
struct msqid_kernel *msqkptr);
-int mac_check_sysv_msqctl(struct ucred *cred,
+int mac_sysvmsq_check_msqctl(struct ucred *cred,
struct msqid_kernel *msqkptr, int cmd);
-int mac_check_sysv_semctl(struct ucred *cred,
+int mac_sysvsem_check_semctl(struct ucred *cred,
struct semid_kernel *semakptr, int cmd);
-int mac_check_sysv_semget(struct ucred *cred,
+int mac_sysvsem_check_semget(struct ucred *cred,
struct semid_kernel *semakptr);
-int mac_check_sysv_semop(struct ucred *cred,struct semid_kernel *semakptr,
- size_t accesstype);
-int mac_check_sysv_shmat(struct ucred *cred,
+int mac_sysvsem_check_semop(struct ucred *cred,
+ struct semid_kernel *semakptr, size_t accesstype);
+int mac_sysvshm_check_shmat(struct ucred *cred,
struct shmid_kernel *shmsegptr, int shmflg);
-int mac_check_sysv_shmctl(struct ucred *cred,
+int mac_sysvshm_check_shmctl(struct ucred *cred,
struct shmid_kernel *shmsegptr, int cmd);
-int mac_check_sysv_shmdt(struct ucred *cred,
+int mac_sysvshm_check_shmdt(struct ucred *cred,
struct shmid_kernel *shmsegptr);
-int mac_check_sysv_shmget(struct ucred *cred,
+int mac_sysvshm_check_shmget(struct ucred *cred,
struct shmid_kernel *shmsegptr, int shmflg);
-int mac_check_kenv_dump(struct ucred *cred);
-int mac_check_kenv_get(struct ucred *cred, char *name);
-int mac_check_kenv_set(struct ucred *cred, char *name, char *value);
-int mac_check_kenv_unset(struct ucred *cred, char *name);
-int mac_check_kld_load(struct ucred *cred, struct vnode *vp);
-int mac_check_kld_stat(struct ucred *cred);
-int mac_check_mount_stat(struct ucred *cred, struct mount *mp);
-int mac_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp,
+int mac_kenv_check_dump(struct ucred *cred);
+int mac_kenv_check_get(struct ucred *cred, char *name);
+int mac_kenv_check_set(struct ucred *cred, char *name, char *value);
+int mac_kenv_check_unset(struct ucred *cred, char *name);
+int mac_kld_check_load(struct ucred *cred, struct vnode *vp);
+int mac_kld_check_stat(struct ucred *cred);
+int mac_mount_check_stat(struct ucred *cred, struct mount *mp);
+int mac_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp,
unsigned long cmd, void *data);
-int mac_check_pipe_poll(struct ucred *cred, struct pipepair *pp);
-int mac_check_pipe_read(struct ucred *cred, struct pipepair *pp);
-int mac_check_pipe_stat(struct ucred *cred, struct pipepair *pp);
-int mac_check_pipe_write(struct ucred *cred, struct pipepair *pp);
-int mac_check_posix_sem_destroy(struct ucred *cred, struct ksem *ks);
-int mac_check_posix_sem_getvalue(struct ucred *cred,struct ksem *ks);
-int mac_check_posix_sem_open(struct ucred *cred, struct ksem *ks);
-int mac_check_posix_sem_post(struct ucred *cred, struct ksem *ks);
-int mac_check_posix_sem_unlink(struct ucred *cred, struct ksem *ks);
-int mac_check_posix_sem_wait(struct ucred *cred, struct ksem *ks);
-int mac_check_proc_debug(struct ucred *cred, struct proc *p);
-int mac_check_proc_sched(struct ucred *cred, struct proc *p);
-int mac_check_proc_setaudit(struct ucred *cred, struct auditinfo *ai);
-int mac_check_proc_setaudit_addr(struct ucred *cred,
+int mac_pipe_check_poll(struct ucred *cred, struct pipepair *pp);
+int mac_pipe_check_read(struct ucred *cred, struct pipepair *pp);
+int mac_pipe_check_stat(struct ucred *cred, struct pipepair *pp);
+int mac_pipe_check_write(struct ucred *cred, struct pipepair *pp);
+int mac_posixsem_check_destroy(struct ucred *cred, struct ksem *ks);
+int mac_posixsem_check_getvalue(struct ucred *cred,struct ksem *ks);
+int mac_posixsem_check_open(struct ucred *cred, struct ksem *ks);
+int mac_posixsem_check_post(struct ucred *cred, struct ksem *ks);
+int mac_posixsem_check_unlink(struct ucred *cred, struct ksem *ks);
+int mac_posixsem_check_wait(struct ucred *cred, struct ksem *ks);
+int mac_proc_check_debug(struct ucred *cred, struct proc *p);
+int mac_proc_check_sched(struct ucred *cred, struct proc *p);
+int mac_proc_check_setaudit(struct ucred *cred, struct auditinfo *ai);
+int mac_proc_check_setaudit_addr(struct ucred *cred,
struct auditinfo_addr *aia);
-int mac_check_proc_setauid(struct ucred *cred, uid_t auid);
-int mac_check_proc_setuid(struct proc *p, struct ucred *cred,
+int mac_proc_check_setauid(struct ucred *cred, uid_t auid);
+int mac_proc_check_setuid(struct proc *p, struct ucred *cred,
uid_t uid);
-int mac_check_proc_seteuid(struct proc *p, struct ucred *cred,
+int mac_proc_check_seteuid(struct proc *p, struct ucred *cred,
uid_t euid);
-int mac_check_proc_setgid(struct proc *p, struct ucred *cred,
+int mac_proc_check_setgid(struct proc *p, struct ucred *cred,
gid_t gid);
-int mac_check_proc_setegid(struct proc *p, struct ucred *cred,
+int mac_proc_check_setegid(struct proc *p, struct ucred *cred,
gid_t egid);
-int mac_check_proc_setgroups(struct proc *p, struct ucred *cred,
+int mac_proc_check_setgroups(struct proc *p, struct ucred *cred,
int ngroups, gid_t *gidset);
-int mac_check_proc_setreuid(struct proc *p, struct ucred *cred,
+int mac_proc_check_setreuid(struct proc *p, struct ucred *cred,
uid_t ruid, uid_t euid);
-int mac_check_proc_setregid(struct proc *p, struct ucred *cred,
+int mac_proc_check_setregid(struct proc *p, struct ucred *cred,
gid_t rgid, gid_t egid);
-int mac_check_proc_setresuid(struct proc *p, struct ucred *cred,
+int mac_proc_check_setresuid(struct proc *p, struct ucred *cred,
uid_t ruid, uid_t euid, uid_t suid);
-int mac_check_proc_setresgid(struct proc *p, struct ucred *cred,
+int mac_proc_check_setresgid(struct proc *p, struct ucred *cred,
gid_t rgid, gid_t egid, gid_t sgid);
-int mac_check_proc_signal(struct ucred *cred, struct proc *p,
+int mac_proc_check_signal(struct ucred *cred, struct proc *p,
int signum);
-int mac_check_proc_wait(struct ucred *cred, struct proc *p);
-int mac_check_socket_accept(struct ucred *cred, struct socket *so);
-int mac_check_socket_bind(struct ucred *cred, struct socket *so,
+int mac_proc_check_wait(struct ucred *cred, struct proc *p);
+int mac_socket_check_accept(struct ucred *cred, struct socket *so);
+int mac_socket_check_bind(struct ucred *cred, struct socket *so,
struct sockaddr *sa);
-int mac_check_socket_connect(struct ucred *cred, struct socket *so,
+int mac_socket_check_connect(struct ucred *cred, struct socket *so,
struct sockaddr *sa);
-int mac_check_socket_create(struct ucred *cred, int domain, int type,
+int mac_socket_check_create(struct ucred *cred, int domain, int type,
int proto);
-int mac_check_socket_deliver(struct socket *so, struct mbuf *m);
-int mac_check_socket_listen(struct ucred *cred, struct socket *so);
-int mac_check_socket_poll(struct ucred *cred, struct socket *so);
-int mac_check_socket_receive(struct ucred *cred, struct socket *so);
-int mac_check_socket_send(struct ucred *cred, struct socket *so);
-int mac_check_socket_stat(struct ucred *cred, struct socket *so);
-int mac_check_socket_visible(struct ucred *cred, struct socket *so);
-int mac_check_system_acct(struct ucred *cred, struct vnode *vp);
-int mac_check_system_audit(struct ucred *cred, void *record, int length);
-int mac_check_system_auditctl(struct ucred *cred, struct vnode *vp);
-int mac_check_system_auditon(struct ucred *cred, int cmd);
-int mac_check_system_reboot(struct ucred *cred, int howto);
-int mac_check_system_swapon(struct ucred *cred, struct vnode *vp);
-int mac_check_system_swapoff(struct ucred *cred, struct vnode *vp);
-int mac_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
+int mac_socket_check_deliver(struct socket *so, struct mbuf *m);
+int mac_socket_check_listen(struct ucred *cred, struct socket *so);
+int mac_socket_check_poll(struct ucred *cred, struct socket *so);
+int mac_socket_check_receive(struct ucred *cred, struct socket *so);
+int mac_socket_check_send(struct ucred *cred, struct socket *so);
+int mac_socket_check_stat(struct ucred *cred, struct socket *so);
+int mac_socket_check_visible(struct ucred *cred, struct socket *so);
+int mac_system_check_acct(struct ucred *cred, struct vnode *vp);
+int mac_system_check_audit(struct ucred *cred, void *record, int length);
+int mac_system_check_auditctl(struct ucred *cred, struct vnode *vp);
+int mac_system_check_auditon(struct ucred *cred, int cmd);
+int mac_system_check_reboot(struct ucred *cred, int howto);
+int mac_system_check_swapon(struct ucred *cred, struct vnode *vp);
+int mac_system_check_swapoff(struct ucred *cred, struct vnode *vp);
+int mac_system_check_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
void *arg1, int arg2, struct sysctl_req *req);
-int mac_check_vnode_access(struct ucred *cred, struct vnode *vp,
+int mac_vnode_check_access(struct ucred *cred, struct vnode *vp,
int acc_mode);
-int mac_check_vnode_chdir(struct ucred *cred, struct vnode *dvp);
-int mac_check_vnode_chroot(struct ucred *cred, struct vnode *dvp);
-int mac_check_vnode_create(struct ucred *cred, struct vnode *dvp,
+int mac_vnode_check_chdir(struct ucred *cred, struct vnode *dvp);
+int mac_vnode_check_chroot(struct ucred *cred, struct vnode *dvp);
+int mac_vnode_check_create(struct ucred *cred, struct vnode *dvp,
struct componentname *cnp, struct vattr *vap);
-int mac_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
+int mac_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp,
acl_type_t type);
-int mac_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
+int mac_vnode_check_deleteextattr(struct ucred *cred, struct vnode *vp,
int attrnamespace, const char *name);
-int mac_check_vnode_exec(struct ucred *cred, struct vnode *vp,
+int mac_vnode_check_exec(struct ucred *cred, struct vnode *vp,
struct image_params *imgp);
-int mac_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
+int mac_vnode_check_getacl(struct ucred *cred, struct vnode *vp,
acl_type_t type);
-int mac_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
+int mac_vnode_check_getextattr(struct ucred *cred, struct vnode *vp,
int attrnamespace, const char *name, struct uio *uio);
-int mac_check_vnode_link(struct ucred *cred, struct vnode *dvp,
+int mac_vnode_check_link(struct ucred *cred, struct vnode *dvp,
struct vnode *vp, struct componentname *cnp);
-int mac_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
+int mac_vnode_check_listextattr(struct ucred *cred, struct vnode *vp,
int attrnamespace);
-int mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
+int mac_vnode_check_lookup(struct ucred *cred, struct vnode *dvp,
struct componentname *cnp);
-int mac_check_vnode_mmap(struct ucred *cred, struct vnode *vp, int prot,
+int mac_vnode_check_mmap(struct ucred *cred, struct vnode *vp, int prot,
int flags);
-int mac_check_vnode_mprotect(struct ucred *cred, struct vnode *vp,
+int mac_vnode_check_mprotect(struct ucred *cred, struct vnode *vp,
int prot);
-int mac_check_vnode_open(struct ucred *cred, struct vnode *vp,
+int mac_vnode_check_open(struct ucred *cred, struct vnode *vp,
int acc_mode);
-int mac_check_vnode_poll(struct ucred *active_cred,
+int mac_vnode_check_poll(struct ucred *active_cred,
struct ucred *file_cred, struct vnode *vp);
-int mac_check_vnode_read(struct ucred *active_cred,
+int mac_vnode_check_read(struct ucred *active_cred,
struct ucred *file_cred, struct vnode *vp);
-int mac_check_vnode_readdir(struct ucred *cred, struct vnode *vp);
-int mac_check_vnode_readlink(struct ucred *cred, struct vnode *vp);
-int mac_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
+int mac_vnode_check_readdir(struct ucred *cred, struct vnode *vp);
+int mac_vnode_check_readlink(struct ucred *cred, struct vnode *vp);
+int mac_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp,
struct vnode *vp, struct componentname *cnp);
-int mac_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
+int mac_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp,
struct vnode *vp, int samedir, struct componentname *cnp);
-int mac_check_vnode_revoke(struct ucred *cred, struct vnode *vp);
-int mac_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
+int mac_vnode_check_revoke(struct ucred *cred, struct vnode *vp);
+int mac_vnode_check_setacl(struct ucred *cred, struct vnode *vp,
acl_type_t type, struct acl *acl);
-int mac_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
+int mac_vnode_check_setextattr(struct ucred *cred, struct vnode *vp,
int attrnamespace, const char *name, struct uio *uio);
-int mac_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
+int mac_vnode_check_setflags(struct ucred *cred, struct vnode *vp,
u_long flags);
-int mac_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
+int mac_vnode_check_setmode(struct ucred *cred, struct vnode *vp,
mode_t mode);
-int mac_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
+int mac_vnode_check_setowner(struct ucred *cred, struct vnode *vp,
uid_t uid, gid_t gid);
-int mac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
+int mac_vnode_check_setutimes(struct ucred *cred, struct vnode *vp,
struct timespec atime, struct timespec mtime);
-int mac_check_vnode_stat(struct ucred *active_cred,
+int mac_vnode_check_stat(struct ucred *active_cred,
struct ucred *file_cred, struct vnode *vp);
-int mac_check_vnode_unlink(struct ucred *cred, struct vnode *dvp,
+int mac_vnode_check_unlink(struct ucred *cred, struct vnode *dvp,
struct vnode *vp, struct componentname *cnp);
-int mac_check_vnode_write(struct ucred *active_cred,
+int mac_vnode_check_write(struct ucred *active_cred,
struct ucred *file_cred, struct vnode *vp);
int mac_getsockopt_label(struct ucred *cred, struct socket *so,
struct mac *extmac);
int mac_getsockopt_peerlabel(struct ucred *cred, struct socket *so,
struct mac *extmac);
-int mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr,
+int mac_ifnet_ioctl_get(struct ucred *cred, struct ifreq *ifr,
struct ifnet *ifp);
-int mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr,
+int mac_ifnet_ioctl_set(struct ucred *cred, struct ifreq *ifr,
struct ifnet *ifp);
int mac_setsockopt_label(struct ucred *cred, struct socket *so,
struct mac *extmac);
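Review bot: `mac_sysvmsq_check_msgrcv` and `mac_sysvmsq_check_msgrmid` take a `struct msg *msgptr` and no `struct msqid_kernel *`, so the `sysvmsq` prefix names a different object than the one passed in. That breaks the mac_<object>_check_<method> scheme, and `mac_sysvmsg_cleanup(struct msg *)` earlier in this hunk already uses `sysvmsg` for the same type. Someone reading the prefix as the labelled object may expect these checks to be made against the queue's label rather than the message's. Either rename them `mac_sysvmsg_check_msgrcv` / `mac_sysvmsg_check_msgrmid`, or add a comment above the pair such as `/* Operate on a single message; the object passed is the struct msg, not the queue. */`. Which label the framework hands to policies is not visible in this header, so confirm against the implementation first.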
diff --git a/sys/security/mac/mac_inet.c b/sys/security/mac/mac_inet.c
index 7704d73..001be116 100644
--- a/sys/security/mac/mac_inet.c
+++ b/sys/security/mac/mac_inet.c
@@ -2,6 +2,7 @@
* Copyright (c) 1999-2002 Robert N. M. Watson
* Copyright (c) 2001 Ilmar S. Habibulin
* Copyright (c) 2001-2004 Networks Associates Technology, Inc.
+ * Copyright (c) 2006 SPARTA, Inc.
* All rights reserved.
*
* This software was developed by Robert Watson and Ilmar Habibulin for the
@@ -12,6 +13,9 @@
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
* as part of the DARPA CHATS research program.
*
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract
+ * N66001-04-C-6019 ("SEFOS").
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -74,9 +78,9 @@ mac_inpcb_label_alloc(int flag)
label = mac_labelzone_alloc(flag);
if (label == NULL)
return (NULL);
- MAC_CHECK(init_inpcb_label, label, flag);
+ MAC_CHECK(inpcb_init_label, label, flag);
if (error) {
- MAC_PERFORM(destroy_inpcb_label, label);
+ MAC_PERFORM(inpcb_destroy_label, label);
mac_labelzone_free(label);
return (NULL);
}
@@ -84,7 +88,7 @@ mac_inpcb_label_alloc(int flag)
}
int
-mac_init_inpcb(struct inpcb *inp, int flag)
+mac_inpcb_init(struct inpcb *inp, int flag)
{
inp->inp_label = mac_inpcb_label_alloc(flag);
@@ -103,9 +107,9 @@ mac_ipq_label_alloc(int flag)
if (label == NULL)
return (NULL);
- MAC_CHECK(init_ipq_label, label, flag);
+ MAC_CHECK(ipq_init_label, label, flag);
if (error) {
- MAC_PERFORM(destroy_ipq_label, label);
+ MAC_PERFORM(ipq_destroy_label, label);
mac_labelzone_free(label);
return (NULL);
}
@@ -113,7 +117,7 @@ mac_ipq_label_alloc(int flag)
}
int
-mac_init_ipq(struct ipq *ipq, int flag)
+mac_ipq_init(struct ipq *ipq, int flag)
{
ipq->ipq_label = mac_ipq_label_alloc(flag);
@@ -126,12 +130,12 @@ static void
mac_inpcb_label_free(struct label *label)
{
- MAC_PERFORM(destroy_inpcb_label, label);
+ MAC_PERFORM(inpcb_destroy_label, label);
mac_labelzone_free(label);
}
void
-mac_destroy_inpcb(struct inpcb *inp)
+mac_inpcb_destroy(struct inpcb *inp)
{
mac_inpcb_label_free(inp->inp_label);
@@ -142,12 +146,12 @@ static void
mac_ipq_label_free(struct label *label)
{
- MAC_PERFORM(destroy_ipq_label, label);
+ MAC_PERFORM(ipq_destroy_label, label);
mac_labelzone_free(label);
}
void
-mac_destroy_ipq(struct ipq *ipq)
+mac_ipq_destroy(struct ipq *ipq)
{
mac_ipq_label_free(ipq->ipq_label);
@@ -155,57 +159,56 @@ mac_destroy_ipq(struct ipq *ipq)
}
void
-mac_create_inpcb_from_socket(struct socket *so, struct inpcb *inp)
+mac_inpcb_create(struct socket *so, struct inpcb *inp)
{
- MAC_PERFORM(create_inpcb_from_socket, so, so->so_label, inp,
- inp->inp_label);
+ MAC_PERFORM(inpcb_create, so, so->so_label, inp, inp->inp_label);
}
void
-mac_create_datagram_from_ipq(struct ipq *ipq, struct mbuf *m)
+mac_ipq_reassemble(struct ipq *ipq, struct mbuf *m)
{
struct label *label;
label = mac_mbuf_to_label(m);
- MAC_PERFORM(create_datagram_from_ipq, ipq, ipq->ipq_label, m, label);
+ MAC_PERFORM(ipq_reassemble, ipq, ipq->ipq_label, m, label);
}
void
-mac_create_fragment(struct mbuf *m, struct mbuf *frag)
+mac_netinet_fragment(struct mbuf *m, struct mbuf *frag)
{
struct label *mlabel, *fraglabel;
mlabel = mac_mbuf_to_label(m);
fraglabel = mac_mbuf_to_label(frag);
- MAC_PERFORM(create_fragment, m, mlabel, frag, fraglabel);
+ MAC_PERFORM(netinet_fragment, m, mlabel, frag, fraglabel);
}
void
-mac_create_ipq(struct mbuf *m, struct ipq *ipq)
+mac_ipq_create(struct mbuf *m, struct ipq *ipq)
{
struct label *label;
label = mac_mbuf_to_label(m);
- MAC_PERFORM(create_ipq, m, label, ipq, ipq->ipq_label);
+ MAC_PERFORM(ipq_create, m, label, ipq, ipq->ipq_label);
}
void
-mac_create_mbuf_from_inpcb(struct inpcb *inp, struct mbuf *m)
+mac_inpcb_create_mbuf(struct inpcb *inp, struct mbuf *m)
{
struct label *mlabel;
INP_LOCK_ASSERT(inp);
mlabel = mac_mbuf_to_label(m);
- MAC_PERFORM(create_mbuf_from_inpcb, inp, inp->inp_label, m, mlabel);
+ MAC_PERFORM(inpcb_create_mbuf, inp, inp->inp_label, m, mlabel);
}
int
-mac_fragment_match(struct mbuf *m, struct ipq *ipq)
+mac_ipq_match(struct mbuf *m, struct ipq *ipq)
{
struct label *label;
int result;
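Review bot: The renamed wrappers in this hunk no longer say which object receives the label, and the prefix does not settle it consistently. `mac_inpcb_create(so, inp)` replaces `mac_create_inpcb_from_socket`, so the prefix is the object being labelled, whereas `mac_inpcb_create_mbuf(inp, m)` replaces `mac_create_mbuf_from_inpcb`, so the prefix is the source and the mbuf is what gets labelled. The same split appears in the mac_net.c hunks (`mac_bpfdesc_create_mbuf`, `mac_ifnet_create_mbuf` versus `mac_mbuf_create_netlayer`). A one-line comment above each wrapper would keep the direction of label flow explicit, e.g. `/* Label a new inpcb from its socket. */` above `mac_inpcb_create` and `/* Label mbuf m from inp; caller holds the inpcb lock. */` above `mac_inpcb_create_mbuf`. The body of `mac_ipq_match` continues outside this hunk.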
@@ -213,43 +216,43 @@ mac_fragment_match(struct mbuf *m, struct ipq *ipq)
label = mac_mbuf_to_label(m);
result = 1;
- MAC_BOOLEAN(fragment_match, &&, m, label, ipq, ipq->ipq_label);
+ MAC_BOOLEAN(ipq_match, &&, m, label, ipq, ipq->ipq_label);
return (result);
}
void
-mac_reflect_mbuf_icmp(struct mbuf *m)
+mac_netinet_icmp_reply(struct mbuf *m)
{
struct label *label;
label = mac_mbuf_to_label(m);
- MAC_PERFORM(reflect_mbuf_icmp, m, label);
+ MAC_PERFORM(netinet_icmp_reply, m, label);
}
void
-mac_reflect_mbuf_tcp(struct mbuf *m)
+mac_netinet_tcp_reply(struct mbuf *m)
{
struct label *label;
label = mac_mbuf_to_label(m);
- MAC_PERFORM(reflect_mbuf_tcp, m, label);
+ MAC_PERFORM(netinet_tcp_reply, m, label);
}
void
-mac_update_ipq(struct mbuf *m, struct ipq *ipq)
+mac_ipq_update(struct mbuf *m, struct ipq *ipq)
{
struct label *label;
label = mac_mbuf_to_label(m);
- MAC_PERFORM(update_ipq, m, label, ipq, ipq->ipq_label);
+ MAC_PERFORM(ipq_update, m, label, ipq, ipq->ipq_label);
}
int
-mac_check_inpcb_deliver(struct inpcb *inp, struct mbuf *m)
+mac_inpcb_check_deliver(struct inpcb *inp, struct mbuf *m)
{
struct label *label;
int error;
@@ -258,7 +261,7 @@ mac_check_inpcb_deliver(struct inpcb *inp, struct mbuf *m)
label = mac_mbuf_to_label(m);
- MAC_CHECK(check_inpcb_deliver, inp, inp->inp_label, m, label);
+ MAC_CHECK(inpcb_check_deliver, inp, inp->inp_label, m, label);
return (error);
}
@@ -273,13 +276,13 @@ mac_inpcb_sosetlabel(struct socket *so, struct inpcb *inp)
}
void
-mac_create_mbuf_from_firewall(struct mbuf *m)
+mac_mbuf_create_from_firewall(struct mbuf *m)
{
struct label *label;
M_ASSERTPKTHDR(m);
label = mac_mbuf_to_label(m);
- MAC_PERFORM(create_mbuf_from_firewall, m, label);
+ MAC_PERFORM(mbuf_create_from_firewall, m, label);
}
/*
diff --git a/sys/security/mac/mac_internal.h b/sys/security/mac/mac_internal.h
index fcf59aa..2cdc006 100644
--- a/sys/security/mac/mac_internal.h
+++ b/sys/security/mac/mac_internal.h
@@ -3,6 +3,7 @@
* Copyright (c) 2001 Ilmar S. Habibulin
* Copyright (c) 2001-2004 Networks Associates Technology, Inc.
* Copyright (c) 2006 nCircle Network Security, Inc.
+ * Copyright (c) 2006 SPARTA, Inc.
* All rights reserved.
*
* This software was developed by Robert Watson and Ilmar Habibulin for the
@@ -16,6 +17,9 @@
* This software was developed by Robert N. M. Watson for the TrustedBSD
* Project under contract to nCircle Network Security, Inc.
*
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract
+ * N66001-04-C-6019 ("SEFOS").
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -118,30 +122,30 @@ void mac_pipe_label_free(struct label *label);
struct label *mac_socket_label_alloc(int flag);
void mac_socket_label_free(struct label *label);
-int mac_check_cred_relabel(struct ucred *cred, struct label *newlabel);
-int mac_externalize_cred_label(struct label *label, char *elements,
+int mac_cred_check_relabel(struct ucred *cred, struct label *newlabel);
+int mac_cred_externalize_label(struct label *label, char *elements,
char *outbuf, size_t outbuflen);
-int mac_internalize_cred_label(struct label *label, char *string);
-void mac_relabel_cred(struct ucred *cred, struct label *newlabel);
+int mac_cred_internalize_label(struct label *label, char *string);
+void mac_cred_relabel(struct ucred *cred, struct label *newlabel);
struct label *mac_mbuf_to_label(struct mbuf *m);
-void mac_copy_pipe_label(struct label *src, struct label *dest);
-int mac_externalize_pipe_label(struct label *label, char *elements,
+void mac_pipe_copy_label(struct label *src, struct label *dest);
+int mac_pipe_externalize_label(struct label *label, char *elements,
char *outbuf, size_t outbuflen);
-int mac_internalize_pipe_label(struct label *label, char *string);
+int mac_pipe_internalize_label(struct label *label, char *string);
int mac_socket_label_set(struct ucred *cred, struct socket *so,
struct label *label);
-void mac_copy_socket_label(struct label *src, struct label *dest);
-int mac_externalize_socket_label(struct label *label, char *elements,
+void mac_socket_copy_label(struct label *src, struct label *dest);
+int mac_socket_externalize_label(struct label *label, char *elements,
char *outbuf, size_t outbuflen);
-int mac_internalize_socket_label(struct label *label, char *string);
+int mac_socket_internalize_label(struct label *label, char *string);
-int mac_externalize_vnode_label(struct label *label, char *elements,
+int mac_vnode_externalize_label(struct label *label, char *elements,
char *outbuf, size_t outbuflen);
-int mac_internalize_vnode_label(struct label *label, char *string);
-void mac_check_vnode_mmap_downgrade(struct ucred *cred, struct vnode *vp,
+int mac_vnode_internalize_label(struct label *label, char *string);
+void mac_vnode_check_mmap_downgrade(struct ucred *cred, struct vnode *vp,
int *prot);
int vn_setlabel(struct vnode *vp, struct label *intlabel,
struct ucred *cred);
@@ -263,7 +267,7 @@ int vn_setlabel(struct vnode *vp, struct label *intlabel,
break; \
} \
claimed = 0; \
- MAC_CHECK(externalize_ ## type ## _label, label, \
+ MAC_CHECK(type ## _externalize_label, label, \
element_name, &sb, &claimed); \
if (error) \
break; \
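Review bot: Nothing near the paste documents which spellings of `type` are valid, now that it forms the leading part of the entry-point name (`type ## _externalize_label` here, `type ## _internalize_label` in the next hunk). The commit description also drops separators from multi-part object types ("posix_sem" -> "posixsem"), so the accepted spellings have changed as well. I would add a line to the comment that introduces each macro, e.g. `'type' is the object-type prefix of the policy entry point (cred, ifnet, pipe, socket, vnode); it is token-pasted, so it must match exactly.` Both macro definitions begin and end outside these hunks, so an existing header comment may already cover this.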
@@ -299,7 +303,7 @@ int vn_setlabel(struct vnode *vp, struct label *intlabel,
break; \
} \
claimed = 0; \
- MAC_CHECK(internalize_ ## type ## _label, label, \
+ MAC_CHECK(type ## _internalize_label, label, \
element_name, element_data, &claimed); \
if (error) \
break; \
diff --git a/sys/security/mac/mac_net.c b/sys/security/mac/mac_net.c
index 05a0073..406e1f8 100644
--- a/sys/security/mac/mac_net.c
+++ b/sys/security/mac/mac_net.c
@@ -2,11 +2,15 @@
* Copyright (c) 1999-2002 Robert N. M. Watson
* Copyright (c) 2001 Ilmar S. Habibulin
* Copyright (c) 2001-2004 Networks Associates Technology, Inc.
+ * Copyright (c) 2006 SPARTA, Inc.
* All rights reserved.
*
* This software was developed by Robert Watson and Ilmar Habibulin for the
* TrustedBSD Project.
*
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract
+ * N66001-04-C-6019 ("SEFOS").
+ *
* This software was developed for the FreeBSD Project in part by Network
* Associates Laboratories, the Security Research Division of Network
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
@@ -102,12 +106,12 @@ mac_bpfdesc_label_alloc(void)
struct label *label;
label = mac_labelzone_alloc(M_WAITOK);
- MAC_PERFORM(init_bpfdesc_label, label);
+ MAC_PERFORM(bpfdesc_init_label, label);
return (label);
}
void
-mac_init_bpfdesc(struct bpf_d *d)
+mac_bpfdesc_init(struct bpf_d *d)
{
d->bd_label = mac_bpfdesc_label_alloc();
@@ -119,19 +123,19 @@ mac_ifnet_label_alloc(void)
struct label *label;
label = mac_labelzone_alloc(M_WAITOK);
- MAC_PERFORM(init_ifnet_label, label);
+ MAC_PERFORM(ifnet_init_label, label);
return (label);
}
void
-mac_init_ifnet(struct ifnet *ifp)
+mac_ifnet_init(struct ifnet *ifp)
{
ifp->if_label = mac_ifnet_label_alloc();
}
int
-mac_init_mbuf_tag(struct m_tag *tag, int flag)
+mac_mbuf_tag_init(struct m_tag *tag, int flag)
{
struct label *label;
int error;
@@ -139,16 +143,16 @@ mac_init_mbuf_tag(struct m_tag *tag, int flag)
label = (struct label *) (tag + 1);
mac_init_label(label);
- MAC_CHECK(init_mbuf_label, label, flag);
+ MAC_CHECK(mbuf_init_label, label, flag);
if (error) {
- MAC_PERFORM(destroy_mbuf_label, label);
+ MAC_PERFORM(mbuf_destroy_label, label);
mac_destroy_label(label);
}
return (error);
}
int
-mac_init_mbuf(struct mbuf *m, int flag)
+mac_mbuf_init(struct mbuf *m, int flag)
{
struct m_tag *tag;
int error;
@@ -167,7 +171,7 @@ mac_init_mbuf(struct mbuf *m, int flag)
flag);
if (tag == NULL)
return (ENOMEM);
- error = mac_init_mbuf_tag(tag, flag);
+ error = mac_mbuf_tag_init(tag, flag);
if (error) {
m_tag_free(tag);
return (error);
@@ -180,12 +184,12 @@ static void
mac_bpfdesc_label_free(struct label *label)
{
- MAC_PERFORM(destroy_bpfdesc_label, label);
+ MAC_PERFORM(bpfdesc_destroy_label, label);
mac_labelzone_free(label);
}
void
-mac_destroy_bpfdesc(struct bpf_d *d)
+mac_bpfdesc_destroy(struct bpf_d *d)
{
mac_bpfdesc_label_free(d->bd_label);
@@ -196,12 +200,12 @@ static void
mac_ifnet_label_free(struct label *label)
{
- MAC_PERFORM(destroy_ifnet_label, label);
+ MAC_PERFORM(ifnet_destroy_label, label);
mac_labelzone_free(label);
}
void
-mac_destroy_ifnet(struct ifnet *ifp)
+mac_ifnet_destroy(struct ifnet *ifp)
{
mac_ifnet_label_free(ifp->if_label);
@@ -209,22 +213,22 @@ mac_destroy_ifnet(struct ifnet *ifp)
}
void
-mac_destroy_mbuf_tag(struct m_tag *tag)
+mac_mbuf_tag_destroy(struct m_tag *tag)
{
struct label *label;
label = (struct label *)(tag+1);
- MAC_PERFORM(destroy_mbuf_label, label);
+ MAC_PERFORM(mbuf_destroy_label, label);
mac_destroy_label(label);
}
/*
- * mac_copy_mbuf_tag is called when an mbuf header is duplicated, in which
+ * mac_mbuf_tag_copy is called when an mbuf header is duplicated, in which
* case the labels must also be duplicated.
*/
void
-mac_copy_mbuf_tag(struct m_tag *src, struct m_tag *dest)
+mac_mbuf_tag_copy(struct m_tag *src, struct m_tag *dest)
{
struct label *src_label, *dest_label;
@@ -232,32 +236,32 @@ mac_copy_mbuf_tag(struct m_tag *src, struct m_tag *dest)
dest_label = (struct label *)(dest+1);
/*
- * mac_init_mbuf_tag() is called on the target tag in m_tag_copy(),
+ * mac_mbuf_tag_init() is called on the target tag in m_tag_copy(),
* so we don't need to call it here.
*/
- MAC_PERFORM(copy_mbuf_label, src_label, dest_label);
+ MAC_PERFORM(mbuf_copy_label, src_label, dest_label);
}
void
-mac_copy_mbuf(struct mbuf *m_from, struct mbuf *m_to)
+mac_mbuf_copy(struct mbuf *m_from, struct mbuf *m_to)
{
struct label *src_label, *dest_label;
src_label = mac_mbuf_to_label(m_from);
dest_label = mac_mbuf_to_label(m_to);
- MAC_PERFORM(copy_mbuf_label, src_label, dest_label);
+ MAC_PERFORM(mbuf_copy_label, src_label, dest_label);
}
static void
-mac_copy_ifnet_label(struct label *src, struct label *dest)
+mac_ifnet_copy_label(struct label *src, struct label *dest)
{
- MAC_PERFORM(copy_ifnet_label, src, dest);
+ MAC_PERFORM(ifnet_copy_label, src, dest);
}
static int
-mac_externalize_ifnet_label(struct label *label, char *elements,
+mac_ifnet_externalize_label(struct label *label, char *elements,
char *outbuf, size_t outbuflen)
{
int error;
@@ -268,7 +272,7 @@ mac_externalize_ifnet_label(struct label *label, char *elements,
}
static int
-mac_internalize_ifnet_label(struct label *label, char *string)
+mac_ifnet_internalize_label(struct label *label, char *string)
{
int error;
@@ -278,23 +282,23 @@ mac_internalize_ifnet_label(struct label *label, char *string)
}
void
-mac_create_ifnet(struct ifnet *ifp)
+mac_ifnet_create(struct ifnet *ifp)
{
MAC_IFNET_LOCK(ifp);
- MAC_PERFORM(create_ifnet, ifp, ifp->if_label);
+ MAC_PERFORM(ifnet_create, ifp, ifp->if_label);
MAC_IFNET_UNLOCK(ifp);
}
void
-mac_create_bpfdesc(struct ucred *cred, struct bpf_d *d)
+mac_bpfdesc_create(struct ucred *cred, struct bpf_d *d)
{
- MAC_PERFORM(create_bpfdesc, cred, d, d->bd_label);
+ MAC_PERFORM(bpfdesc_create, cred, d, d->bd_label);
}
void
-mac_create_mbuf_from_bpfdesc(struct bpf_d *d, struct mbuf *m)
+mac_bpfdesc_create_mbuf(struct bpf_d *d, struct mbuf *m)
{
struct label *label;
@@ -302,7 +306,7 @@ mac_create_mbuf_from_bpfdesc(struct bpf_d *d, struct mbuf *m)
label = mac_mbuf_to_label(m);
- MAC_PERFORM(create_mbuf_from_bpfdesc, d, d->bd_label, m, label);
+ MAC_PERFORM(bpfdesc_create_mbuf, d, d->bd_label, m, label);
}
void
@@ -318,19 +322,19 @@ mac_create_mbuf_linklayer(struct ifnet *ifp, struct mbuf *m)
}
void
-mac_create_mbuf_from_ifnet(struct ifnet *ifp, struct mbuf *m)
+mac_ifnet_create_mbuf(struct ifnet *ifp, struct mbuf *m)
{
struct label *label;
label = mac_mbuf_to_label(m);
MAC_IFNET_LOCK(ifp);
- MAC_PERFORM(create_mbuf_from_ifnet, ifp, ifp->if_label, m, label);
+ MAC_PERFORM(ifnet_create_mbuf, ifp, ifp->if_label, m, label);
MAC_IFNET_UNLOCK(ifp);
}
void
-mac_create_mbuf_multicast_encap(struct mbuf *m, struct ifnet *ifp,
+mac_mbuf_create_multicast_encap(struct mbuf *m, struct ifnet *ifp,
struct mbuf *mnew)
{
struct label *mlabel, *mnewlabel;
@@ -339,38 +343,38 @@ mac_create_mbuf_multicast_encap(struct mbuf *m, struct ifnet *ifp,
mnewlabel = mac_mbuf_to_label(mnew);
MAC_IFNET_LOCK(ifp);
- MAC_PERFORM(create_mbuf_multicast_encap, m, mlabel, ifp,
+ MAC_PERFORM(mbuf_create_multicast_encap, m, mlabel, ifp,
ifp->if_label, mnew, mnewlabel);
MAC_IFNET_UNLOCK(ifp);
}
void
-mac_create_mbuf_netlayer(struct mbuf *m, struct mbuf *mnew)
+mac_mbuf_create_netlayer(struct mbuf *m, struct mbuf *mnew)
{
struct label *mlabel, *mnewlabel;
mlabel = mac_mbuf_to_label(m);
mnewlabel = mac_mbuf_to_label(mnew);
- MAC_PERFORM(create_mbuf_netlayer, m, mlabel, mnew, mnewlabel);
+ MAC_PERFORM(mbuf_create_netlayer, m, mlabel, mnew, mnewlabel);
}
int
-mac_check_bpfdesc_receive(struct bpf_d *d, struct ifnet *ifp)
+mac_bpfdesc_check_receive(struct bpf_d *d, struct ifnet *ifp)
{
int error;
BPFD_LOCK_ASSERT(d);
MAC_IFNET_LOCK(ifp);
- MAC_CHECK(check_bpfdesc_receive, d, d->bd_label, ifp, ifp->if_label);
+ MAC_CHECK(bpfdesc_check_receive, d, d->bd_label, ifp, ifp->if_label);
MAC_IFNET_UNLOCK(ifp);
return (error);
}
int
-mac_check_ifnet_transmit(struct ifnet *ifp, struct mbuf *m)
+mac_ifnet_check_transmit(struct ifnet *ifp, struct mbuf *m)
{
struct label *label;
int error;
@@ -380,14 +384,14 @@ mac_check_ifnet_transmit(struct ifnet *ifp, struct mbuf *m)
label = mac_mbuf_to_label(m);
MAC_IFNET_LOCK(ifp);
- MAC_CHECK(check_ifnet_transmit, ifp, ifp->if_label, m, label);
+ MAC_CHECK(ifnet_check_transmit, ifp, ifp->if_label, m, label);
MAC_IFNET_UNLOCK(ifp);
return (error);
}
int
-mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr,
+mac_ifnet_ioctl_get(struct ucred *cred, struct ifreq *ifr,
struct ifnet *ifp)
{
char *elements, *buffer;
@@ -413,9 +417,9 @@ mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr,
buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
intlabel = mac_ifnet_label_alloc();
MAC_IFNET_LOCK(ifp);
- mac_copy_ifnet_label(ifp->if_label, intlabel);
+ mac_ifnet_copy_label(ifp->if_label, intlabel);
MAC_IFNET_UNLOCK(ifp);
- error = mac_externalize_ifnet_label(intlabel, elements, buffer,
+ error = mac_ifnet_externalize_label(intlabel, elements, buffer,
mac.m_buflen);
mac_ifnet_label_free(intlabel);
if (error == 0)
@@ -428,7 +432,7 @@ mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr,
}
int
-mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr, struct ifnet *ifp)
+mac_ifnet_ioctl_set(struct ucred *cred, struct ifreq *ifr, struct ifnet *ifp)
{
struct label *intlabel;
struct mac mac;
@@ -451,7 +455,7 @@ mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr, struct ifnet *ifp)
}
intlabel = mac_ifnet_label_alloc();
- error = mac_internalize_ifnet_label(intlabel, buffer);
+ error = mac_ifnet_internalize_label(intlabel, buffer);
free(buffer, M_MACTEMP);
if (error) {
mac_ifnet_label_free(intlabel);
@@ -470,14 +474,14 @@ mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr, struct ifnet *ifp)
}
MAC_IFNET_LOCK(ifp);
- MAC_CHECK(check_ifnet_relabel, cred, ifp, ifp->if_label, intlabel);
+ MAC_CHECK(ifnet_check_relabel, cred, ifp, ifp->if_label, intlabel);
if (error) {
MAC_IFNET_UNLOCK(ifp);
mac_ifnet_label_free(intlabel);
return (error);
}
- MAC_PERFORM(relabel_ifnet, cred, ifp, ifp->if_label, intlabel);
+ MAC_PERFORM(ifnet_relabel, cred, ifp, ifp->if_label, intlabel);
MAC_IFNET_UNLOCK(ifp);
mac_ifnet_label_free(intlabel);
diff --git a/sys/security/mac/mac_pipe.c b/sys/security/mac/mac_pipe.c
index 6578517..0a352bb 100644
--- a/sys/security/mac/mac_pipe.c
+++ b/sys/security/mac/mac_pipe.c
@@ -1,5 +1,6 @@
/*-
* Copyright (c) 2002-2003 Networks Associates Technology, Inc.
+ * Copyright (c) 2006 SPARTA, Inc.
* All rights reserved.
*
* This software was developed for the FreeBSD Project in part by Network
@@ -7,6 +8,9 @@
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
* as part of the DARPA CHATS research program.
*
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract
+ * N66001-04-C-6019 ("SEFOS").
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -56,12 +60,12 @@ mac_pipe_label_alloc(void)
struct label *label;
label = mac_labelzone_alloc(M_WAITOK);
- MAC_PERFORM(init_pipe_label, label);
+ MAC_PERFORM(pipe_init_label, label);
return (label);
}
void
-mac_init_pipe(struct pipepair *pp)
+mac_pipe_init(struct pipepair *pp)
{
pp->pp_label = mac_pipe_label_alloc();
@@ -71,12 +75,12 @@ void
mac_pipe_label_free(struct label *label)
{
- MAC_PERFORM(destroy_pipe_label, label);
+ MAC_PERFORM(pipe_destroy_label, label);
mac_labelzone_free(label);
}
void
-mac_destroy_pipe(struct pipepair *pp)
+mac_pipe_destroy(struct pipepair *pp)
{
mac_pipe_label_free(pp->pp_label);
@@ -84,14 +88,14 @@ mac_destroy_pipe(struct pipepair *pp)
}
void
-mac_copy_pipe_label(struct label *src, struct label *dest)
+mac_pipe_copy_label(struct label *src, struct label *dest)
{
- MAC_PERFORM(copy_pipe_label, src, dest);
+ MAC_PERFORM(pipe_copy_label, src, dest);
}
int
-mac_externalize_pipe_label(struct label *label, char *elements,
+mac_pipe_externalize_label(struct label *label, char *elements,
char *outbuf, size_t outbuflen)
{
int error;
@@ -102,7 +106,7 @@ mac_externalize_pipe_label(struct label *label, char *elements,
}
int
-mac_internalize_pipe_label(struct label *label, char *string)
+mac_pipe_internalize_label(struct label *label, char *string)
{
int error;
@@ -112,90 +116,90 @@ mac_internalize_pipe_label(struct label *label, char *string)
}
void
-mac_create_pipe(struct ucred *cred, struct pipepair *pp)
+mac_pipe_create(struct ucred *cred, struct pipepair *pp)
{
- MAC_PERFORM(create_pipe, cred, pp, pp->pp_label);
+ MAC_PERFORM(pipe_create, cred, pp, pp->pp_label);
}
static void
-mac_relabel_pipe(struct ucred *cred, struct pipepair *pp,
+mac_pipe_relabel(struct ucred *cred, struct pipepair *pp,
struct label *newlabel)
{
- MAC_PERFORM(relabel_pipe, cred, pp, pp->pp_label, newlabel);
+ MAC_PERFORM(pipe_relabel, cred, pp, pp->pp_label, newlabel);
}
int
-mac_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp,
+mac_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp,
unsigned long cmd, void *data)
{
int error;
mtx_assert(&pp->pp_mtx, MA_OWNED);
- MAC_CHECK(check_pipe_ioctl, cred, pp, pp->pp_label, cmd, data);
+ MAC_CHECK(pipe_check_ioctl, cred, pp, pp->pp_label, cmd, data);
return (error);
}
int
-mac_check_pipe_poll(struct ucred *cred, struct pipepair *pp)
+mac_pipe_check_poll(struct ucred *cred, struct pipepair *pp)
{
int error;
mtx_assert(&pp->pp_mtx, MA_OWNED);
- MAC_CHECK(check_pipe_poll, cred, pp, pp->pp_label);
+ MAC_CHECK(pipe_check_poll, cred, pp, pp->pp_label);
return (error);
}
int
-mac_check_pipe_read(struct ucred *cred, struct pipepair *pp)
+mac_pipe_check_read(struct ucred *cred, struct pipepair *pp)
{
int error;
mtx_assert(&pp->pp_mtx, MA_OWNED);
- MAC_CHECK(check_pipe_read, cred, pp, pp->pp_label);
+ MAC_CHECK(pipe_check_read, cred, pp, pp->pp_label);
return (error);
}
static int
-mac_check_pipe_relabel(struct ucred *cred, struct pipepair *pp,
+mac_pipe_check_relabel(struct ucred *cred, struct pipepair *pp,
struct label *newlabel)
{
int error;
mtx_assert(&pp->pp_mtx, MA_OWNED);
- MAC_CHECK(check_pipe_relabel, cred, pp, pp->pp_label, newlabel);
+ MAC_CHECK(pipe_check_relabel, cred, pp, pp->pp_label, newlabel);
return (error);
}
int
-mac_check_pipe_stat(struct ucred *cred, struct pipepair *pp)
+mac_pipe_check_stat(struct ucred *cred, struct pipepair *pp)
{
int error;
mtx_assert(&pp->pp_mtx, MA_OWNED);
- MAC_CHECK(check_pipe_stat, cred, pp, pp->pp_label);
+ MAC_CHECK(pipe_check_stat, cred, pp, pp->pp_label);
return (error);
}
int
-mac_check_pipe_write(struct ucred *cred, struct pipepair *pp)
+mac_pipe_check_write(struct ucred *cred, struct pipepair *pp)
{
int error;
mtx_assert(&pp->pp_mtx, MA_OWNED);
- MAC_CHECK(check_pipe_write, cred, pp, pp->pp_label);
+ MAC_CHECK(pipe_check_write, cred, pp, pp->pp_label);
return (error);
}
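Review bot: `mac_pipe_relabel()` near the top of this hunk carries no `mtx_assert(&pp->pp_mtx, MA_OWNED);`, although it hands `pp->pp_label` to the policies for relabeling and every `mac_pipe_check_*()` function beside it asserts the pipe mutex. Its caller `mac_pipe_label_set()`, in the next hunk, asserts the mutex before running the check and then the relabel, so the pair presumably executes under one lock hold; whether the static function has other callers is not visible here. Adding `mtx_assert(&pp->pp_mtx, MA_OWNED);` as the first statement of `mac_pipe_relabel()` would make the check-then-relabel locking contract explicit. A later caller could then not relabel outside the lock that covered the access check.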
@@ -208,11 +212,11 @@ mac_pipe_label_set(struct ucred *cred, struct pipepair *pp,
mtx_assert(&pp->pp_mtx, MA_OWNED);
- error = mac_check_pipe_relabel(cred, pp, label);
+ error = mac_pipe_check_relabel(cred, pp, label);
if (error)
return (error);
- mac_relabel_pipe(cred, pp, label);
+ mac_pipe_relabel(cred, pp, label);
return (0);
}
diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h
index c061e2e..5106d94 100644
--- a/sys/security/mac/mac_policy.h
+++ b/sys/security/mac/mac_policy.h
@@ -116,217 +116,217 @@ typedef void (*mpo_placeholder_t)(void);
* recycle for re-use without init/destroy, copy a label to initialized
* storage, and externalize/internalize from/to initialized storage.
*/
-typedef void (*mpo_init_bpfdesc_label_t)(struct label *label);
-typedef void (*mpo_init_cred_label_t)(struct label *label);
-typedef void (*mpo_init_devfs_label_t)(struct label *label);
-typedef void (*mpo_init_ifnet_label_t)(struct label *label);
-typedef int (*mpo_init_inpcb_label_t)(struct label *label, int flag);
-typedef void (*mpo_init_sysv_msgmsg_label_t)(struct label *label);
-typedef void (*mpo_init_sysv_msgqueue_label_t)(struct label *label);
-typedef void (*mpo_init_sysv_sem_label_t)(struct label *label);
-typedef void (*mpo_init_sysv_shm_label_t)(struct label *label);
-typedef int (*mpo_init_ipq_label_t)(struct label *label, int flag);
-typedef int (*mpo_init_mbuf_label_t)(struct label *label, int flag);
-typedef void (*mpo_init_mount_label_t)(struct label *label);
-typedef int (*mpo_init_socket_label_t)(struct label *label, int flag);
-typedef int (*mpo_init_socket_peer_label_t)(struct label *label,
+typedef void (*mpo_bpfdesc_init_label_t)(struct label *label);
+typedef void (*mpo_cred_init_label_t)(struct label *label);
+typedef void (*mpo_devfs_init_label_t)(struct label *label);
+typedef void (*mpo_ifnet_init_label_t)(struct label *label);
+typedef int (*mpo_inpcb_init_label_t)(struct label *label, int flag);
+typedef void (*mpo_sysvmsg_init_label_t)(struct label *label);
+typedef void (*mpo_sysvmsq_init_label_t)(struct label *label);
+typedef void (*mpo_sysvsem_init_label_t)(struct label *label);
+typedef void (*mpo_sysvshm_init_label_t)(struct label *label);
+typedef int (*mpo_ipq_init_label_t)(struct label *label, int flag);
+typedef int (*mpo_mbuf_init_label_t)(struct label *label, int flag);
+typedef void (*mpo_mount_init_label_t)(struct label *label);
+typedef int (*mpo_socket_init_label_t)(struct label *label, int flag);
+typedef int (*mpo_socketpeer_init_label_t)(struct label *label,
int flag);
-typedef void (*mpo_init_pipe_label_t)(struct label *label);
-typedef void (*mpo_init_posix_sem_label_t)(struct label *label);
-typedef void (*mpo_init_proc_label_t)(struct label *label);
-typedef void (*mpo_init_vnode_label_t)(struct label *label);
-typedef void (*mpo_destroy_bpfdesc_label_t)(struct label *label);
-typedef void (*mpo_destroy_cred_label_t)(struct label *label);
-typedef void (*mpo_destroy_devfs_label_t)(struct label *label);
-typedef void (*mpo_destroy_ifnet_label_t)(struct label *label);
-typedef void (*mpo_destroy_inpcb_label_t)(struct label *label);
-typedef void (*mpo_destroy_sysv_msgmsg_label_t)(struct label *label);
-typedef void (*mpo_destroy_sysv_msgqueue_label_t)(struct label *label);
-typedef void (*mpo_destroy_sysv_sem_label_t)(struct label *label);
-typedef void (*mpo_destroy_sysv_shm_label_t)(struct label *label);
-typedef void (*mpo_destroy_ipq_label_t)(struct label *label);
-typedef void (*mpo_destroy_mbuf_label_t)(struct label *label);
-typedef void (*mpo_destroy_mount_label_t)(struct label *label);
-typedef void (*mpo_destroy_socket_label_t)(struct label *label);
-typedef void (*mpo_destroy_socket_peer_label_t)(struct label *label);
-typedef void (*mpo_destroy_pipe_label_t)(struct label *label);
-typedef void (*mpo_destroy_posix_sem_label_t)(struct label *label);
-typedef void (*mpo_destroy_proc_label_t)(struct label *label);
-typedef void (*mpo_destroy_vnode_label_t)(struct label *label);
-typedef void (*mpo_cleanup_sysv_msgmsg_t)(struct label *msglabel);
-typedef void (*mpo_cleanup_sysv_msgqueue_t)(struct label *msqlabel);
-typedef void (*mpo_cleanup_sysv_sem_t)(struct label *semalabel);
-typedef void (*mpo_cleanup_sysv_shm_t)(struct label *shmlabel);
-typedef void (*mpo_copy_cred_label_t)(struct label *src,
+typedef void (*mpo_pipe_init_label_t)(struct label *label);
+typedef void (*mpo_posixsem_init_label_t)(struct label *label);
+typedef void (*mpo_proc_init_label_t)(struct label *label);
+typedef void (*mpo_vnode_init_label_t)(struct label *label);
+typedef void (*mpo_bpfdesc_destroy_label_t)(struct label *label);
+typedef void (*mpo_cred_destroy_label_t)(struct label *label);
+typedef void (*mpo_devfs_destroy_label_t)(struct label *label);
+typedef void (*mpo_ifnet_destroy_label_t)(struct label *label);
+typedef void (*mpo_inpcb_destroy_label_t)(struct label *label);
+typedef void (*mpo_sysvmsg_destroy_label_t)(struct label *label);
+typedef void (*mpo_sysvmsq_destroy_label_t)(struct label *label);
+typedef void (*mpo_sysvsem_destroy_label_t)(struct label *label);
+typedef void (*mpo_sysvshm_destroy_label_t)(struct label *label);
+typedef void (*mpo_ipq_destroy_label_t)(struct label *label);
+typedef void (*mpo_mbuf_destroy_label_t)(struct label *label);
+typedef void (*mpo_mount_destroy_label_t)(struct label *label);
+typedef void (*mpo_socket_destroy_label_t)(struct label *label);
+typedef void (*mpo_socketpeer_destroy_label_t)(struct label *label);
+typedef void (*mpo_pipe_destroy_label_t)(struct label *label);
+typedef void (*mpo_posixsem_destroy_label_t)(struct label *label);
+typedef void (*mpo_proc_destroy_label_t)(struct label *label);
+typedef void (*mpo_vnode_destroy_label_t)(struct label *label);
+typedef void (*mpo_sysvmsg_cleanup_t)(struct label *msglabel);
+typedef void (*mpo_sysvmsq_cleanup_t)(struct label *msqlabel);
+typedef void (*mpo_sysvsem_cleanup_t)(struct label *semalabel);
+typedef void (*mpo_sysvshm_cleanup_t)(struct label *shmlabel);
+typedef void (*mpo_cred_copy_label_t)(struct label *src,
struct label *dest);
-typedef void (*mpo_copy_ifnet_label_t)(struct label *src,
+typedef void (*mpo_ifnet_copy_label_t)(struct label *src,
struct label *dest);
-typedef void (*mpo_copy_mbuf_label_t)(struct label *src,
+typedef void (*mpo_mbuf_copy_label_t)(struct label *src,
struct label *dest);
-typedef void (*mpo_copy_pipe_label_t)(struct label *src,
+typedef void (*mpo_pipe_copy_label_t)(struct label *src,
struct label *dest);
-typedef void (*mpo_copy_socket_label_t)(struct label *src,
+typedef void (*mpo_socket_copy_label_t)(struct label *src,
struct label *dest);
-typedef void (*mpo_copy_vnode_label_t)(struct label *src,
+typedef void (*mpo_vnode_copy_label_t)(struct label *src,
struct label *dest);
-typedef int (*mpo_externalize_cred_label_t)(struct label *label,
+typedef int (*mpo_cred_externalize_label_t)(struct label *label,
char *element_name, struct sbuf *sb, int *claimed);
-typedef int (*mpo_externalize_ifnet_label_t)(struct label *label,
+typedef int (*mpo_ifnet_externalize_label_t)(struct label *label,
char *element_name, struct sbuf *sb, int *claimed);
-typedef int (*mpo_externalize_pipe_label_t)(struct label *label,
+typedef int (*mpo_pipe_externalize_label_t)(struct label *label,
char *element_name, struct sbuf *sb, int *claimed);
-typedef int (*mpo_externalize_socket_label_t)(struct label *label,
+typedef int (*mpo_socket_externalize_label_t)(struct label *label,
char *element_name, struct sbuf *sb, int *claimed);
-typedef int (*mpo_externalize_socket_peer_label_t)(struct label *label,
+typedef int (*mpo_socketpeer_externalize_label_t)(struct label *label,
char *element_name, struct sbuf *sb, int *claimed);
-typedef int (*mpo_externalize_vnode_label_t)(struct label *label,
+typedef int (*mpo_vnode_externalize_label_t)(struct label *label,
char *element_name, struct sbuf *sb, int *claimed);
-typedef int (*mpo_internalize_cred_label_t)(struct label *label,
+typedef int (*mpo_cred_internalize_label_t)(struct label *label,
char *element_name, char *element_data, int *claimed);
-typedef int (*mpo_internalize_ifnet_label_t)(struct label *label,
+typedef int (*mpo_ifnet_internalize_label_t)(struct label *label,
char *element_name, char *element_data, int *claimed);
-typedef int (*mpo_internalize_pipe_label_t)(struct label *label,
+typedef int (*mpo_pipe_internalize_label_t)(struct label *label,
char *element_name, char *element_data, int *claimed);
-typedef int (*mpo_internalize_socket_label_t)(struct label *label,
+typedef int (*mpo_socket_internalize_label_t)(struct label *label,
char *element_name, char *element_data, int *claimed);
-typedef int (*mpo_internalize_vnode_label_t)(struct label *label,
+typedef int (*mpo_vnode_internalize_label_t)(struct label *label,
char *element_name, char *element_data, int *claimed);
/*
* Labeling event operations: file system objects, and things that look a lot
* like file system objects.
*/
-typedef void (*mpo_associate_vnode_devfs_t)(struct mount *mp,
+typedef void (*mpo_devfs_vnode_associate_t)(struct mount *mp,
struct label *mplabel, struct devfs_dirent *de,
struct label *delabel, struct vnode *vp,
struct label *vplabel);
-typedef int (*mpo_associate_vnode_extattr_t)(struct mount *mp,
+typedef int (*mpo_vnode_associate_extattr_t)(struct mount *mp,
struct label *mplabel, struct vnode *vp,
struct label *vplabel);
-typedef void (*mpo_associate_vnode_singlelabel_t)(struct mount *mp,
+typedef void (*mpo_vnode_associate_singlelabel_t)(struct mount *mp,
struct label *mplabel, struct vnode *vp,
struct label *vplabel);
-typedef void (*mpo_create_devfs_device_t)(struct ucred *cred,
+typedef void (*mpo_devfs_create_device_t)(struct ucred *cred,
struct mount *mp, struct cdev *dev,
struct devfs_dirent *de, struct label *delabel);
-typedef void (*mpo_create_devfs_directory_t)(struct mount *mp,
+typedef void (*mpo_devfs_create_directory_t)(struct mount *mp,
char *dirname, int dirnamelen, struct devfs_dirent *de,
struct label *delabel);
-typedef void (*mpo_create_devfs_symlink_t)(struct ucred *cred,
+typedef void (*mpo_devfs_create_symlink_t)(struct ucred *cred,
struct mount *mp, struct devfs_dirent *dd,
struct label *ddlabel, struct devfs_dirent *de,
struct label *delabel);
-typedef int (*mpo_create_vnode_extattr_t)(struct ucred *cred,
+typedef int (*mpo_vnode_create_extattr_t)(struct ucred *cred,
struct mount *mp, struct label *mplabel,
struct vnode *dvp, struct label *dvplabel,
struct vnode *vp, struct label *vplabel,
struct componentname *cnp);
-typedef void (*mpo_create_mount_t)(struct ucred *cred, struct mount *mp,
+typedef void (*mpo_mount_create_t)(struct ucred *cred, struct mount *mp,
struct label *mplabel);
-typedef void (*mpo_relabel_vnode_t)(struct ucred *cred, struct vnode *vp,
+typedef void (*mpo_vnode_relabel_t)(struct ucred *cred, struct vnode *vp,
struct label *vplabel, struct label *label);
-typedef int (*mpo_setlabel_vnode_extattr_t)(struct ucred *cred,
+typedef int (*mpo_vnode_setlabel_extattr_t)(struct ucred *cred,
struct vnode *vp, struct label *vplabel,
struct label *intlabel);
-typedef void (*mpo_update_devfs_t)(struct mount *mp,
+typedef void (*mpo_devfs_update_t)(struct mount *mp,
struct devfs_dirent *de, struct label *delabel,
struct vnode *vp, struct label *vplabel);
/*
* Labeling event operations: IPC objects.
*/
-typedef void (*mpo_create_mbuf_from_socket_t)(struct socket *so,
+typedef void (*mpo_socket_create_mbuf_t)(struct socket *so,
struct label *solabel, struct mbuf *m,
struct label *mlabel);
-typedef void (*mpo_create_socket_t)(struct ucred *cred, struct socket *so,
+typedef void (*mpo_socket_create_t)(struct ucred *cred, struct socket *so,
struct label *solabel);
-typedef void (*mpo_create_socket_from_socket_t)(struct socket *oldso,
+typedef void (*mpo_socket_newconn_t)(struct socket *oldso,
struct label *oldsolabel, struct socket *newso,
struct label *newsolabel);
-typedef void (*mpo_relabel_socket_t)(struct ucred *cred, struct socket *so,
+typedef void (*mpo_socket_relabel_t)(struct ucred *cred, struct socket *so,
struct label *oldlabel, struct label *newlabel);
-typedef void (*mpo_relabel_pipe_t)(struct ucred *cred, struct pipepair *pp,
+typedef void (*mpo_pipe_relabel_t)(struct ucred *cred, struct pipepair *pp,
struct label *oldlabel, struct label *newlabel);
-typedef void (*mpo_set_socket_peer_from_mbuf_t)(struct mbuf *m,
+typedef void (*mpo_socketpeer_set_from_mbuf_t)(struct mbuf *m,
struct label *mlabel, struct socket *so,
struct label *sopeerlabel);
-typedef void (*mpo_set_socket_peer_from_socket_t)(struct socket *oldso,
+typedef void (*mpo_socketpeer_set_from_socket_t)(struct socket *oldso,
struct label *oldsolabel, struct socket *newso,
struct label *newsopeerlabel);
-typedef void (*mpo_create_pipe_t)(struct ucred *cred, struct pipepair *pp,
+typedef void (*mpo_pipe_create_t)(struct ucred *cred, struct pipepair *pp,
struct label *pplabel);
/*
* Labeling event operations: System V IPC primitives.
*/
-typedef void (*mpo_create_sysv_msgmsg_t)(struct ucred *cred,
+typedef void (*mpo_sysvmsg_create_t)(struct ucred *cred,
struct msqid_kernel *msqkptr, struct label *msqlabel,
struct msg *msgptr, struct label *msglabel);
-typedef void (*mpo_create_sysv_msgqueue_t)(struct ucred *cred,
+typedef void (*mpo_sysvmsq_create_t)(struct ucred *cred,
struct msqid_kernel *msqkptr, struct label *msqlabel);
-typedef void (*mpo_create_sysv_sem_t)(struct ucred *cred,
+typedef void (*mpo_sysvsem_create_t)(struct ucred *cred,
struct semid_kernel *semakptr, struct label *semalabel);
-typedef void (*mpo_create_sysv_shm_t)(struct ucred *cred,
+typedef void (*mpo_sysvshm_create_t)(struct ucred *cred,
struct shmid_kernel *shmsegptr, struct label *shmlabel);
/*
* Labeling event operations: POSIX (global/inter-process) semaphores.
*/
-typedef void (*mpo_create_posix_sem_t)(struct ucred *cred,
+typedef void (*mpo_posixsem_create_t)(struct ucred *cred,
struct ksem *ks, struct label *kslabel);
/*
* Labeling event operations: network objects.
*/
-typedef void (*mpo_create_bpfdesc_t)(struct ucred *cred,
+typedef void (*mpo_bpfdesc_create_t)(struct ucred *cred,
struct bpf_d *d, struct label *dlabel);
-typedef void (*mpo_create_ifnet_t)(struct ifnet *ifp,
+typedef void (*mpo_ifnet_create_t)(struct ifnet *ifp,
struct label *ifplabel);
-typedef void (*mpo_create_inpcb_from_socket_t)(struct socket *so,
+typedef void (*mpo_inpcb_create_t)(struct socket *so,
struct label *solabel, struct inpcb *inp,
struct label *inplabel);
-typedef void (*mpo_create_ipq_t)(struct mbuf *m, struct label *mlabel,
+typedef void (*mpo_ipq_create_t)(struct mbuf *m, struct label *mlabel,
struct ipq *ipq, struct label *ipqlabel);
-typedef void (*mpo_create_datagram_from_ipq)
+typedef void (*mpo_ipq_reassemble)
(struct ipq *ipq, struct label *ipqlabel, struct mbuf *m,
struct label *mlabel);
-typedef void (*mpo_create_fragment_t)(struct mbuf *m,
+typedef void (*mpo_netinet_fragment_t)(struct mbuf *m,
struct label *mlabel, struct mbuf *frag,
struct label *fraglabel);
-typedef void (*mpo_create_mbuf_from_inpcb_t)(struct inpcb *inp,
+typedef void (*mpo_inpcb_create_mbuf_t)(struct inpcb *inp,
struct label *inplabel, struct mbuf *m,
struct label *mlabel);
typedef void (*mpo_create_mbuf_linklayer_t)(struct ifnet *ifp,
struct label *ifplabel, struct mbuf *m,
struct label *mlabel);
-typedef void (*mpo_create_mbuf_from_bpfdesc_t)(struct bpf_d *d,
+typedef void (*mpo_bpfdesc_create_mbuf_t)(struct bpf_d *d,
struct label *dlabel, struct mbuf *m,
struct label *mlabel);
-typedef void (*mpo_create_mbuf_from_ifnet_t)(struct ifnet *ifp,
+typedef void (*mpo_ifnet_create_mbuf_t)(struct ifnet *ifp,
struct label *ifplabel, struct mbuf *m,
struct label *mlabel);
-typedef void (*mpo_create_mbuf_multicast_encap_t)(struct mbuf *m,
+typedef void (*mpo_mbuf_create_multicast_encap_t)(struct mbuf *m,
struct label *mlabel, struct ifnet *ifp,
struct label *ifplabel, struct mbuf *mnew,
struct label *mnewlabel);
-typedef void (*mpo_create_mbuf_netlayer_t)(struct mbuf *m,
+typedef void (*mpo_mbuf_create_netlayer_t)(struct mbuf *m,
struct label *mlabel, struct mbuf *mnew,
struct label *mnewlabel);
-typedef int (*mpo_fragment_match_t)(struct mbuf *m, struct label *mlabel,
+typedef int (*mpo_ipq_match_t)(struct mbuf *m, struct label *mlabel,
struct ipq *ipq, struct label *ipqlabel);
-typedef void (*mpo_reflect_mbuf_icmp_t)(struct mbuf *m,
+typedef void (*mpo_netinet_icmp_reply_t)(struct mbuf *m,
struct label *mlabel);
-typedef void (*mpo_reflect_mbuf_tcp_t)(struct mbuf *m,
+typedef void (*mpo_netinet_tcp_reply_t)(struct mbuf *m,
struct label *mlabel);
-typedef void (*mpo_relabel_ifnet_t)(struct ucred *cred, struct ifnet *ifp,
+typedef void (*mpo_ifnet_relabel_t)(struct ucred *cred, struct ifnet *ifp,
struct label *ifplabel, struct label *newlabel);
-typedef void (*mpo_update_ipq_t)(struct mbuf *m, struct label *mlabel,
+typedef void (*mpo_ipq_update_t)(struct mbuf *m, struct label *mlabel,
struct ipq *ipq, struct label *ipqlabel);
typedef void (*mpo_inpcb_sosetlabel_t)(struct socket *so,
struct label *label, struct inpcb *inp,
struct label *inplabel);
-typedef void (*mpo_create_mbuf_from_firewall_t)(struct mbuf *m,
+typedef void (*mpo_mbuf_create_from_firewall_t)(struct mbuf *m,
struct label *label);
typedef void (*mpo_destroy_syncache_label_t)(struct label *label);
typedef int (*mpo_init_syncache_label_t)(struct label *label, int flag);
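Review bot: The renamed `mpo_ipq_reassemble` typedef is the only one in this hunk without the `_t` suffix (the old `mpo_create_datagram_from_ipq` lacked it too), which works against the mechanical parsing the commit message aims for. `typedef void (*mpo_ipq_reassemble_t)` would match its neighbours, together with the matching change wherever the type is used, which is outside this hunk. The context lines also keep `mpo_create_mbuf_linklayer_t`, `mpo_destroy_syncache_label_t` and `mpo_init_syncache_label_t` in the old verb-first form, and `mac_create_mbuf_linklayer` still appears in a mac_net.c hunk header. If these are deferred to a later commit in the series, a one-line comment above them saying so would keep policy authors from treating the mixed naming as final. Separately, `mpo_sysvmsq_check_msgrcv_t` and `mpo_sysvmsq_check_msgrmid_t` take only a `struct msg` and its label, so `sysvmsg` looks like the more accurate object prefix for them; this is worth confirming against the upstream names.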
@@ -337,274 +337,274 @@ typedef void (*mpo_create_mbuf_from_syncache_t)(struct label *sc_label,
/*
* Labeling event operations: processes.
*/
-typedef void (*mpo_execve_transition_t)(struct ucred *old,
+typedef void (*mpo_vnode_execve_transition_t)(struct ucred *old,
struct ucred *new, struct vnode *vp,
struct label *vplabel, struct label *interpvnodelabel,
struct image_params *imgp, struct label *execlabel);
-typedef int (*mpo_execve_will_transition_t)(struct ucred *old,
+typedef int (*mpo_vnode_execve_will_transition_t)(struct ucred *old,
struct vnode *vp, struct label *vplabel,
struct label *interpvnodelabel,
struct image_params *imgp, struct label *execlabel);
-typedef void (*mpo_create_proc0_t)(struct ucred *cred);
-typedef void (*mpo_create_proc1_t)(struct ucred *cred);
-typedef void (*mpo_relabel_cred_t)(struct ucred *cred,
+typedef void (*mpo_proc_create_swapper_t)(struct ucred *cred);
+typedef void (*mpo_proc_create_init_t)(struct ucred *cred);
+typedef void (*mpo_cred_relabel_t)(struct ucred *cred,
struct label *newlabel);
typedef void (*mpo_thread_userret_t)(struct thread *thread);
/*
* Access control checks.
*/
-typedef int (*mpo_check_bpfdesc_receive_t)(struct bpf_d *d,
+typedef int (*mpo_bpfdesc_check_receive_t)(struct bpf_d *d,
struct label *dlabel, struct ifnet *ifp,
struct label *ifplabel);
-typedef int (*mpo_check_cred_relabel_t)(struct ucred *cred,
+typedef int (*mpo_cred_check_relabel_t)(struct ucred *cred,
struct label *newlabel);
-typedef int (*mpo_check_cred_visible_t)(struct ucred *cr1,
+typedef int (*mpo_cred_check_visible_t)(struct ucred *cr1,
struct ucred *cr2);
-typedef int (*mpo_check_ifnet_relabel_t)(struct ucred *cred,
+typedef int (*mpo_ifnet_check_relabel_t)(struct ucred *cred,
struct ifnet *ifp, struct label *ifplabel,
struct label *newlabel);
-typedef int (*mpo_check_ifnet_transmit_t)(struct ifnet *ifp,
+typedef int (*mpo_ifnet_check_transmit_t)(struct ifnet *ifp,
struct label *ifplabel, struct mbuf *m,
struct label *mlabel);
-typedef int (*mpo_check_inpcb_deliver_t)(struct inpcb *inp,
+typedef int (*mpo_inpcb_check_deliver_t)(struct inpcb *inp,
struct label *inplabel, struct mbuf *m,
struct label *mlabel);
-typedef int (*mpo_check_sysv_msgmsq_t)(struct ucred *cred,
+typedef int (*mpo_sysvmsq_check_msgmsq_t)(struct ucred *cred,
struct msg *msgptr, struct label *msglabel,
struct msqid_kernel *msqkptr, struct label *msqklabel);
-typedef int (*mpo_check_sysv_msgrcv_t)(struct ucred *cred,
+typedef int (*mpo_sysvmsq_check_msgrcv_t)(struct ucred *cred,
struct msg *msgptr, struct label *msglabel);
-typedef int (*mpo_check_sysv_msgrmid_t)(struct ucred *cred,
+typedef int (*mpo_sysvmsq_check_msgrmid_t)(struct ucred *cred,
struct msg *msgptr, struct label *msglabel);
-typedef int (*mpo_check_sysv_msqget_t)(struct ucred *cred,
+typedef int (*mpo_sysvmsq_check_msqget_t)(struct ucred *cred,
struct msqid_kernel *msqkptr, struct label *msqklabel);
-typedef int (*mpo_check_sysv_msqsnd_t)(struct ucred *cred,
+typedef int (*mpo_sysvmsq_check_msqsnd_t)(struct ucred *cred,
struct msqid_kernel *msqkptr, struct label *msqklabel);
-typedef int (*mpo_check_sysv_msqrcv_t)(struct ucred *cred,
+typedef int (*mpo_sysvmsq_check_msqrcv_t)(struct ucred *cred,
struct msqid_kernel *msqkptr, struct label *msqklabel);
-typedef int (*mpo_check_sysv_msqctl_t)(struct ucred *cred,
+typedef int (*mpo_sysvmsq_check_msqctl_t)(struct ucred *cred,
struct msqid_kernel *msqkptr, struct label *msqklabel,
int cmd);
-typedef int (*mpo_check_sysv_semctl_t)(struct ucred *cred,
+typedef int (*mpo_sysvsem_check_semctl_t)(struct ucred *cred,
struct semid_kernel *semakptr, struct label *semaklabel,
int cmd);
-typedef int (*mpo_check_sysv_semget_t)(struct ucred *cred,
+typedef int (*mpo_sysvsem_check_semget_t)(struct ucred *cred,
struct semid_kernel *semakptr, struct label *semaklabel);
-typedef int (*mpo_check_sysv_semop_t)(struct ucred *cred,
+typedef int (*mpo_sysvsem_check_semop_t)(struct ucred *cred,
struct semid_kernel *semakptr, struct label *semaklabel,
size_t accesstype);
-typedef int (*mpo_check_sysv_shmat_t)(struct ucred *cred,
+typedef int (*mpo_sysvshm_check_shmat_t)(struct ucred *cred,
struct shmid_kernel *shmsegptr,
struct label *shmseglabel, int shmflg);
-typedef int (*mpo_check_sysv_shmctl_t)(struct ucred *cred,
+typedef int (*mpo_sysvshm_check_shmctl_t)(struct ucred *cred,
struct shmid_kernel *shmsegptr,
struct label *shmseglabel, int cmd);
-typedef int (*mpo_check_sysv_shmdt_t)(struct ucred *cred,
+typedef int (*mpo_sysvshm_check_shmdt_t)(struct ucred *cred,
struct shmid_kernel *shmsegptr,
struct label *shmseglabel);
-typedef int (*mpo_check_sysv_shmget_t)(struct ucred *cred,
+typedef int (*mpo_sysvshm_check_shmget_t)(struct ucred *cred,
struct shmid_kernel *shmsegptr,
struct label *shmseglabel, int shmflg);
-typedef int (*mpo_check_kenv_dump_t)(struct ucred *cred);
-typedef int (*mpo_check_kenv_get_t)(struct ucred *cred, char *name);
-typedef int (*mpo_check_kenv_set_t)(struct ucred *cred, char *name,
+typedef int (*mpo_kenv_check_dump_t)(struct ucred *cred);
+typedef int (*mpo_kenv_check_get_t)(struct ucred *cred, char *name);
+typedef int (*mpo_kenv_check_set_t)(struct ucred *cred, char *name,
char *value);
-typedef int (*mpo_check_kenv_unset_t)(struct ucred *cred, char *name);
-typedef int (*mpo_check_kld_load_t)(struct ucred *cred, struct vnode *vp,
+typedef int (*mpo_kenv_check_unset_t)(struct ucred *cred, char *name);
+typedef int (*mpo_kld_check_load_t)(struct ucred *cred, struct vnode *vp,
struct label *vplabel);
-typedef int (*mpo_check_kld_stat_t)(struct ucred *cred);
+typedef int (*mpo_kld_check_stat_t)(struct ucred *cred);
typedef int (*mpo_mpo_placeholder19_t)(void);
typedef int (*mpo_mpo_placeholder20_t)(void);
-typedef int (*mpo_check_mount_stat_t)(struct ucred *cred,
+typedef int (*mpo_mount_check_stat_t)(struct ucred *cred,
struct mount *mp, struct label *mplabel);
typedef int (*mpo_mpo_placeholder21_t)(void);
-typedef int (*mpo_check_pipe_ioctl_t)(struct ucred *cred,
+typedef int (*mpo_pipe_check_ioctl_t)(struct ucred *cred,
struct pipepair *pp, struct label *pplabel,
unsigned long cmd, void *data);
-typedef int (*mpo_check_pipe_poll_t)(struct ucred *cred,
+typedef int (*mpo_pipe_check_poll_t)(struct ucred *cred,
struct pipepair *pp, struct label *pplabel);
-typedef int (*mpo_check_pipe_read_t)(struct ucred *cred,
+typedef int (*mpo_pipe_check_read_t)(struct ucred *cred,
struct pipepair *pp, struct label *pplabel);
-typedef int (*mpo_check_pipe_relabel_t)(struct ucred *cred,
+typedef int (*mpo_pipe_check_relabel_t)(struct ucred *cred,
struct pipepair *pp, struct label *pplabel,
struct label *newlabel);
-typedef int (*mpo_check_pipe_stat_t)(struct ucred *cred,
+typedef int (*mpo_pipe_check_stat_t)(struct ucred *cred,
struct pipepair *pp, struct label *pplabel);
-typedef int (*mpo_check_pipe_write_t)(struct ucred *cred,
+typedef int (*mpo_pipe_check_write_t)(struct ucred *cred,
struct pipepair *pp, struct label *pplabel);
-typedef int (*mpo_check_posix_sem_destroy_t)(struct ucred *cred,
+typedef int (*mpo_posixsem_check_destroy_t)(struct ucred *cred,
struct ksem *ks, struct label *kslabel);
-typedef int (*mpo_check_posix_sem_getvalue_t)(struct ucred *cred,
+typedef int (*mpo_posixsem_check_getvalue_t)(struct ucred *cred,
struct ksem *ks, struct label *kslabel);
-typedef int (*mpo_check_posix_sem_open_t)(struct ucred *cred,
+typedef int (*mpo_posixsem_check_open_t)(struct ucred *cred,
struct ksem *ks, struct label *kslabel);
-typedef int (*mpo_check_posix_sem_post_t)(struct ucred *cred,
+typedef int (*mpo_posixsem_check_post_t)(struct ucred *cred,
struct ksem *ks, struct label *kslabel);
-typedef int (*mpo_check_posix_sem_unlink_t)(struct ucred *cred,
+typedef int (*mpo_posixsem_check_unlink_t)(struct ucred *cred,
struct ksem *ks, struct label *kslabel);
-typedef int (*mpo_check_posix_sem_wait_t)(struct ucred *cred,
+typedef int (*mpo_posixsem_check_wait_t)(struct ucred *cred,
struct ksem *ks, struct label *kslabel);
-typedef int (*mpo_check_proc_debug_t)(struct ucred *cred,
+typedef int (*mpo_proc_check_debug_t)(struct ucred *cred,
struct proc *p);
-typedef int (*mpo_check_proc_sched_t)(struct ucred *cred,
+typedef int (*mpo_proc_check_sched_t)(struct ucred *cred,
struct proc *p);
-typedef int (*mpo_check_proc_setaudit_t)(struct ucred *cred,
+typedef int (*mpo_proc_check_setaudit_t)(struct ucred *cred,
struct auditinfo *ai);
-typedef int (*mpo_check_proc_setaudit_addr_t)(struct ucred *cred,
+typedef int (*mpo_proc_check_setaudit_addr_t)(struct ucred *cred,
struct auditinfo_addr *aia);
-typedef int (*mpo_check_proc_setauid_t)(struct ucred *cred, uid_t auid);
-typedef int (*mpo_check_proc_setuid_t)(struct ucred *cred, uid_t uid);
-typedef int (*mpo_check_proc_seteuid_t)(struct ucred *cred, uid_t euid);
-typedef int (*mpo_check_proc_setgid_t)(struct ucred *cred, gid_t gid);
-typedef int (*mpo_check_proc_setegid_t)(struct ucred *cred, gid_t egid);
-typedef int (*mpo_check_proc_setgroups_t)(struct ucred *cred, int ngroups,
+typedef int (*mpo_proc_check_setauid_t)(struct ucred *cred, uid_t auid);
+typedef int (*mpo_proc_check_setuid_t)(struct ucred *cred, uid_t uid);
+typedef int (*mpo_proc_check_seteuid_t)(struct ucred *cred, uid_t euid);
+typedef int (*mpo_proc_check_setgid_t)(struct ucred *cred, gid_t gid);
+typedef int (*mpo_proc_check_setegid_t)(struct ucred *cred, gid_t egid);
+typedef int (*mpo_proc_check_setgroups_t)(struct ucred *cred, int ngroups,
gid_t *gidset);
-typedef int (*mpo_check_proc_setreuid_t)(struct ucred *cred, uid_t ruid,
+typedef int (*mpo_proc_check_setreuid_t)(struct ucred *cred, uid_t ruid,
uid_t euid);
-typedef int (*mpo_check_proc_setregid_t)(struct ucred *cred, gid_t rgid,
+typedef int (*mpo_proc_check_setregid_t)(struct ucred *cred, gid_t rgid,
gid_t egid);
-typedef int (*mpo_check_proc_setresuid_t)(struct ucred *cred, uid_t ruid,
+typedef int (*mpo_proc_check_setresuid_t)(struct ucred *cred, uid_t ruid,
uid_t euid, uid_t suid);
-typedef int (*mpo_check_proc_setresgid_t)(struct ucred *cred, gid_t rgid,
+typedef int (*mpo_proc_check_setresgid_t)(struct ucred *cred, gid_t rgid,
gid_t egid, gid_t sgid);
-typedef int (*mpo_check_proc_signal_t)(struct ucred *cred,
+typedef int (*mpo_proc_check_signal_t)(struct ucred *cred,
struct proc *proc, int signum);
-typedef int (*mpo_check_proc_wait_t)(struct ucred *cred,
+typedef int (*mpo_proc_check_wait_t)(struct ucred *cred,
struct proc *proc);
-typedef int (*mpo_check_socket_accept_t)(struct ucred *cred,
+typedef int (*mpo_socket_check_accept_t)(struct ucred *cred,
struct socket *so, struct label *solabel);
-typedef int (*mpo_check_socket_bind_t)(struct ucred *cred,
+typedef int (*mpo_socket_check_bind_t)(struct ucred *cred,
struct socket *so, struct label *solabel,
struct sockaddr *sa);
-typedef int (*mpo_check_socket_connect_t)(struct ucred *cred,
+typedef int (*mpo_socket_check_connect_t)(struct ucred *cred,
struct socket *so, struct label *solabel,
struct sockaddr *sa);
-typedef int (*mpo_check_socket_create_t)(struct ucred *cred, int domain,
+typedef int (*mpo_socket_check_create_t)(struct ucred *cred, int domain,
int type, int protocol);
-typedef int (*mpo_check_socket_deliver_t)(struct socket *so,
+typedef int (*mpo_socket_check_deliver_t)(struct socket *so,
struct label *solabel, struct mbuf *m,
struct label *mlabel);
-typedef int (*mpo_check_socket_listen_t)(struct ucred *cred,
+typedef int (*mpo_socket_check_listen_t)(struct ucred *cred,
struct socket *so, struct label *solabel);
-typedef int (*mpo_check_socket_poll_t)(struct ucred *cred,
+typedef int (*mpo_socket_check_poll_t)(struct ucred *cred,
struct socket *so, struct label *solabel);
-typedef int (*mpo_check_socket_receive_t)(struct ucred *cred,
+typedef int (*mpo_socket_check_receive_t)(struct ucred *cred,
struct socket *so, struct label *solabel);
-typedef int (*mpo_check_socket_relabel_t)(struct ucred *cred,
+typedef int (*mpo_socket_check_relabel_t)(struct ucred *cred,
struct socket *so, struct label *solabel,
struct label *newlabel);
-typedef int (*mpo_check_socket_send_t)(struct ucred *cred,
+typedef int (*mpo_socket_check_send_t)(struct ucred *cred,
struct socket *so, struct label *solabel);
-typedef int (*mpo_check_socket_stat_t)(struct ucred *cred,
+typedef int (*mpo_socket_check_stat_t)(struct ucred *cred,
struct socket *so, struct label *solabel);
-typedef int (*mpo_check_socket_visible_t)(struct ucred *cred,
+typedef int (*mpo_socket_check_visible_t)(struct ucred *cred,
struct socket *so, struct label *solabel);
-typedef int (*mpo_check_system_acct_t)(struct ucred *cred,
+typedef int (*mpo_system_check_acct_t)(struct ucred *cred,
struct vnode *vp, struct label *vplabel);
-typedef int (*mpo_check_system_audit_t)(struct ucred *cred, void *record,
+typedef int (*mpo_system_check_audit_t)(struct ucred *cred, void *record,
int length);
-typedef int (*mpo_check_system_auditctl_t)(struct ucred *cred,
+typedef int (*mpo_system_check_auditctl_t)(struct ucred *cred,
struct vnode *vp, struct label *vplabel);
-typedef int (*mpo_check_system_auditon_t)(struct ucred *cred, int cmd);
-typedef int (*mpo_check_system_reboot_t)(struct ucred *cred, int howto);
-typedef int (*mpo_check_system_swapon_t)(struct ucred *cred,
+typedef int (*mpo_system_check_auditon_t)(struct ucred *cred, int cmd);
+typedef int (*mpo_system_check_reboot_t)(struct ucred *cred, int howto);
+typedef int (*mpo_system_check_swapon_t)(struct ucred *cred,
struct vnode *vp, struct label *vplabel);
-typedef int (*mpo_check_system_swapoff_t)(struct ucred *cred,
+typedef int (*mpo_system_check_swapoff_t)(struct ucred *cred,
struct vnode *vp, struct label *vplabel);
-typedef int (*mpo_check_system_sysctl_t)(struct ucred *cred,
+typedef int (*mpo_system_check_sysctl_t)(struct ucred *cred,
struct sysctl_oid *oidp, void *arg1, int arg2,
struct sysctl_req *req);
-typedef int (*mpo_check_vnode_access_t)(struct ucred *cred,
+typedef int (*mpo_vnode_check_access_t)(struct ucred *cred,
struct vnode *vp, struct label *vplabel, int acc_mode);
-typedef int (*mpo_check_vnode_chdir_t)(struct ucred *cred,
+typedef int (*mpo_vnode_check_chdir_t)(struct ucred *cred,
struct vnode *dvp, struct label *dvplabel);
-typedef int (*mpo_check_vnode_chroot_t)(struct ucred *cred,
+typedef int (*mpo_vnode_check_chroot_t)(struct ucred *cred,
struct vnode *dvp, struct label *dvplabel);
-typedef int (*mpo_check_vnode_create_t)(struct ucred *cred,
+typedef int (*mpo_vnode_check_create_t)(struct ucred *cred,
struct vnode *dvp, struct label *dvplabel,
struct componentname *cnp, struct vattr *vap);
-typedef int (*mpo_check_vnode_deleteacl_t)(struct ucred *cred,
+typedef int (*mpo_vnode_check_deleteacl_t)(struct ucred *cred,
struct vnode *vp, struct label *vplabel,
acl_type_t type);
-typedef int (*mpo_check_vnode_deleteextattr_t)(struct ucred *cred,
+typedef int (*mpo_vnode_check_deleteextattr_t)(struct ucred *cred,
struct vnode *vp, struct label *vplabel,
int attrnamespace, const char *name);
-typedef int (*mpo_check_vnode_exec_t)(struct ucred *cred,
+typedef int (*mpo_vnode_check_exec_t)(struct ucred *cred,
struct vnode *vp, struct label *vplabel,
struct image_params *imgp, struct label *execlabel);
-typedef int (*mpo_check_vnode_getacl_t)(struct ucred *cred,
+typedef int (*mpo_vnode_check_getacl_t)(struct ucred *cred,
struct vnode *vp, struct label *vplabel,
acl_type_t type);
-typedef int (*mpo_check_vnode_getextattr_t)(struct ucred *cred,
+typedef int (*mpo_vnode_check_getextattr_t)(struct ucred *cred,
struct vnode *vp, struct label *vplabel,
int attrnamespace, const char *name, struct uio *uio);
-typedef int (*mpo_check_vnode_link_t)(struct ucred *cred,
+typedef int (*mpo_vnode_check_link_t)(struct ucred *cred,
struct vnode *dvp, struct label *dvplabel,
struct vnode *vp, struct label *vplabel,
struct componentname *cnp);
-typedef int (*mpo_check_vnode_listextattr_t)(struct ucred *cred,
+typedef int (*mpo_vnode_check_listextattr_t)(struct ucred *cred,
struct vnode *vp, struct label *vplabel,
int attrnamespace);
-typedef int (*mpo_check_vnode_lookup_t)(struct ucred *cred,
+typedef int (*mpo_vnode_check_lookup_t)(struct ucred *cred,
struct vnode *dvp, struct label *dvplabel,
struct componentname *cnp);
-typedef int (*mpo_check_vnode_mmap_t)(struct ucred *cred,
+typedef int (*mpo_vnode_check_mmap_t)(struct ucred *cred,
struct vnode *vp, struct label *label, int prot,
int flags);
-typedef void (*mpo_check_vnode_mmap_downgrade_t)(struct ucred *cred,
+typedef void (*mpo_vnode_check_mmap_downgrade_t)(struct ucred *cred,
struct vnode *vp, struct label *vplabel, int *prot);
-typedef int (*mpo_check_vnode_mprotect_t)(struct ucred *cred,
+typedef int (*mpo_vnode_check_mprotect_t)(struct ucred *cred,
struct vnode *vp, struct label *vplabel, int prot);
-typedef int (*mpo_check_vnode_open_t)(struct ucred *cred,
+typedef int (*mpo_vnode_check_open_t)(struct ucred *cred,
struct vnode *vp, struct label *vplabel, int acc_mode);
-typedef int (*mpo_check_vnode_poll_t)(struct ucred *active_cred,
+typedef int (*mpo_vnode_check_poll_t)(struct ucred *active_cred,
struct ucred *file_cred, struct vnode *vp,
struct label *vplabel);
-typedef int (*mpo_check_vnode_read_t)(struct ucred *active_cred,
+typedef int (*mpo_vnode_check_read_t)(struct ucred *active_cred,
struct ucred *file_cred, struct vnode *vp,
struct label *vplabel);
-typedef int (*mpo_check_vnode_readdir_t)(struct ucred *cred,
+typedef int (*mpo_vnode_check_readdir_t)(struct ucred *cred,
struct vnode *dvp, struct label *dvplabel);
-typedef int (*mpo_check_vnode_readlink_t)(struct ucred *cred,
+typedef int (*mpo_vnode_check_readlink_t)(struct ucred *cred,
struct vnode *vp, struct label *vplabel);
-typedef int (*mpo_check_vnode_relabel_t)(struct ucred *cred,
+typedef int (*mpo_vnode_check_relabel_t)(struct ucred *cred,
struct vnode *vp, struct label *vplabel,
struct label *newlabel);
-typedef int (*mpo_check_vnode_rename_from_t)(struct ucred *cred,
+typedef int (*mpo_vnode_check_rename_from_t)(struct ucred *cred,
struct vnode *dvp, struct label *dvplabel,
struct vnode *vp, struct label *vplabel,
struct componentname *cnp);
-typedef int (*mpo_check_vnode_rename_to_t)(struct ucred *cred,
+typedef int (*mpo_vnode_check_rename_to_t)(struct ucred *cred,
struct vnode *dvp, struct label *dvplabel,
struct vnode *vp, struct label *vplabel, int samedir,
struct componentname *cnp);
-typedef int (*mpo_check_vnode_revoke_t)(struct ucred *cred,
+typedef int (*mpo_vnode_check_revoke_t)(struct ucred *cred,
struct vnode *vp, struct label *vplabel);
-typedef int (*mpo_check_vnode_setacl_t)(struct ucred *cred,
+typedef int (*mpo_vnode_check_setacl_t)(struct ucred *cred,
struct vnode *vp, struct label *vplabel, acl_type_t type,
struct acl *acl);
-typedef int (*mpo_check_vnode_setextattr_t)(struct ucred *cred,
+typedef int (*mpo_vnode_check_setextattr_t)(struct ucred *cred,
struct vnode *vp, struct label *vplabel,
int attrnamespace, const char *name, struct uio *uio);
-typedef int (*mpo_check_vnode_setflags_t)(struct ucred *cred,
+typedef int (*mpo_vnode_check_setflags_t)(struct ucred *cred,
struct vnode *vp, struct label *vplabel, u_long flags);
-typedef int (*mpo_check_vnode_setmode_t)(struct ucred *cred,
+typedef int (*mpo_vnode_check_setmode_t)(struct ucred *cred,
struct vnode *vp, struct label *vplabel, mode_t mode);
-typedef int (*mpo_check_vnode_setowner_t)(struct ucred *cred,
+typedef int (*mpo_vnode_check_setowner_t)(struct ucred *cred,
struct vnode *vp, struct label *vplabel, uid_t uid,
gid_t gid);
-typedef int (*mpo_check_vnode_setutimes_t)(struct ucred *cred,
+typedef int (*mpo_vnode_check_setutimes_t)(struct ucred *cred,
struct vnode *vp, struct label *vplabel,
struct timespec atime, struct timespec mtime);
-typedef int (*mpo_check_vnode_stat_t)(struct ucred *active_cred,
+typedef int (*mpo_vnode_check_stat_t)(struct ucred *active_cred,
struct ucred *file_cred, struct vnode *vp,
struct label *vplabel);
-typedef int (*mpo_check_vnode_unlink_t)(struct ucred *cred,
+typedef int (*mpo_vnode_check_unlink_t)(struct ucred *cred,
struct vnode *dvp, struct label *dvplabel,
struct vnode *vp, struct label *vplabel,
struct componentname *cnp);
-typedef int (*mpo_check_vnode_write_t)(struct ucred *active_cred,
+typedef int (*mpo_vnode_check_write_t)(struct ucred *active_cred,
struct ucred *file_cred, struct vnode *vp,
struct label *vplabel);
typedef void (*mpo_associate_nfsd_label_t)(struct ucred *cred);
@@ -631,151 +631,151 @@ struct mac_policy_ops {
* initialized storage, and externalize/internalize from/to
* initialized storage.
*/
- mpo_init_bpfdesc_label_t mpo_init_bpfdesc_label;
- mpo_init_cred_label_t mpo_init_cred_label;
- mpo_init_devfs_label_t mpo_init_devfs_label;
+ mpo_bpfdesc_init_label_t mpo_bpfdesc_init_label;
+ mpo_cred_init_label_t mpo_cred_init_label;
+ mpo_devfs_init_label_t mpo_devfs_init_label;
mpo_placeholder_t _mpo_placeholder0;
- mpo_init_ifnet_label_t mpo_init_ifnet_label;
- mpo_init_inpcb_label_t mpo_init_inpcb_label;
- mpo_init_sysv_msgmsg_label_t mpo_init_sysv_msgmsg_label;
- mpo_init_sysv_msgqueue_label_t mpo_init_sysv_msgqueue_label;
- mpo_init_sysv_sem_label_t mpo_init_sysv_sem_label;
- mpo_init_sysv_shm_label_t mpo_init_sysv_shm_label;
- mpo_init_ipq_label_t mpo_init_ipq_label;
- mpo_init_mbuf_label_t mpo_init_mbuf_label;
- mpo_init_mount_label_t mpo_init_mount_label;
- mpo_init_socket_label_t mpo_init_socket_label;
- mpo_init_socket_peer_label_t mpo_init_socket_peer_label;
- mpo_init_pipe_label_t mpo_init_pipe_label;
- mpo_init_posix_sem_label_t mpo_init_posix_sem_label;
- mpo_init_proc_label_t mpo_init_proc_label;
- mpo_init_vnode_label_t mpo_init_vnode_label;
- mpo_destroy_bpfdesc_label_t mpo_destroy_bpfdesc_label;
- mpo_destroy_cred_label_t mpo_destroy_cred_label;
- mpo_destroy_devfs_label_t mpo_destroy_devfs_label;
+ mpo_ifnet_init_label_t mpo_ifnet_init_label;
+ mpo_inpcb_init_label_t mpo_inpcb_init_label;
+ mpo_sysvmsg_init_label_t mpo_sysvmsg_init_label;
+ mpo_sysvmsq_init_label_t mpo_sysvmsq_init_label;
+ mpo_sysvsem_init_label_t mpo_sysvsem_init_label;
+ mpo_sysvshm_init_label_t mpo_sysvshm_init_label;
+ mpo_ipq_init_label_t mpo_ipq_init_label;
+ mpo_mbuf_init_label_t mpo_mbuf_init_label;
+ mpo_mount_init_label_t mpo_mount_init_label;
+ mpo_socket_init_label_t mpo_socket_init_label;
+ mpo_socketpeer_init_label_t mpo_socketpeer_init_label;
+ mpo_pipe_init_label_t mpo_pipe_init_label;
+ mpo_posixsem_init_label_t mpo_posixsem_init_label;
+ mpo_proc_init_label_t mpo_proc_init_label;
+ mpo_vnode_init_label_t mpo_vnode_init_label;
+ mpo_bpfdesc_destroy_label_t mpo_bpfdesc_destroy_label;
+ mpo_cred_destroy_label_t mpo_cred_destroy_label;
+ mpo_devfs_destroy_label_t mpo_devfs_destroy_label;
mpo_placeholder_t _mpo_placeholder1;
- mpo_destroy_ifnet_label_t mpo_destroy_ifnet_label;
- mpo_destroy_inpcb_label_t mpo_destroy_inpcb_label;
- mpo_destroy_sysv_msgmsg_label_t mpo_destroy_sysv_msgmsg_label;
- mpo_destroy_sysv_msgqueue_label_t mpo_destroy_sysv_msgqueue_label;
- mpo_destroy_sysv_sem_label_t mpo_destroy_sysv_sem_label;
- mpo_destroy_sysv_shm_label_t mpo_destroy_sysv_shm_label;
- mpo_destroy_ipq_label_t mpo_destroy_ipq_label;
- mpo_destroy_mbuf_label_t mpo_destroy_mbuf_label;
- mpo_destroy_mount_label_t mpo_destroy_mount_label;
- mpo_destroy_socket_label_t mpo_destroy_socket_label;
- mpo_destroy_socket_peer_label_t mpo_destroy_socket_peer_label;
- mpo_destroy_pipe_label_t mpo_destroy_pipe_label;
- mpo_destroy_posix_sem_label_t mpo_destroy_posix_sem_label;
- mpo_destroy_proc_label_t mpo_destroy_proc_label;
- mpo_destroy_vnode_label_t mpo_destroy_vnode_label;
- mpo_cleanup_sysv_msgmsg_t mpo_cleanup_sysv_msgmsg;
- mpo_cleanup_sysv_msgqueue_t mpo_cleanup_sysv_msgqueue;
- mpo_cleanup_sysv_sem_t mpo_cleanup_sysv_sem;
- mpo_cleanup_sysv_shm_t mpo_cleanup_sysv_shm;
- mpo_copy_cred_label_t mpo_copy_cred_label;
- mpo_copy_ifnet_label_t mpo_copy_ifnet_label;
- mpo_copy_mbuf_label_t mpo_copy_mbuf_label;
+ mpo_ifnet_destroy_label_t mpo_ifnet_destroy_label;
+ mpo_inpcb_destroy_label_t mpo_inpcb_destroy_label;
+ mpo_sysvmsg_destroy_label_t mpo_sysvmsg_destroy_label;
+ mpo_sysvmsq_destroy_label_t mpo_sysvmsq_destroy_label;
+ mpo_sysvsem_destroy_label_t mpo_sysvsem_destroy_label;
+ mpo_sysvshm_destroy_label_t mpo_sysvshm_destroy_label;
+ mpo_ipq_destroy_label_t mpo_ipq_destroy_label;
+ mpo_mbuf_destroy_label_t mpo_mbuf_destroy_label;
+ mpo_mount_destroy_label_t mpo_mount_destroy_label;
+ mpo_socket_destroy_label_t mpo_socket_destroy_label;
+ mpo_socketpeer_destroy_label_t mpo_socketpeer_destroy_label;
+ mpo_pipe_destroy_label_t mpo_pipe_destroy_label;
+ mpo_posixsem_destroy_label_t mpo_posixsem_destroy_label;
+ mpo_proc_destroy_label_t mpo_proc_destroy_label;
+ mpo_vnode_destroy_label_t mpo_vnode_destroy_label;
+ mpo_sysvmsg_cleanup_t mpo_sysvmsg_cleanup;
+ mpo_sysvmsq_cleanup_t mpo_sysvmsq_cleanup;
+ mpo_sysvsem_cleanup_t mpo_sysvsem_cleanup;
+ mpo_sysvshm_cleanup_t mpo_sysvshm_cleanup;
+ mpo_cred_copy_label_t mpo_cred_copy_label;
+ mpo_ifnet_copy_label_t mpo_ifnet_copy_label;
+ mpo_mbuf_copy_label_t mpo_mbuf_copy_label;
mpo_placeholder_t _mpo_placeholder2;
- mpo_copy_pipe_label_t mpo_copy_pipe_label;
- mpo_copy_socket_label_t mpo_copy_socket_label;
- mpo_copy_vnode_label_t mpo_copy_vnode_label;
- mpo_externalize_cred_label_t mpo_externalize_cred_label;
- mpo_externalize_ifnet_label_t mpo_externalize_ifnet_label;
+ mpo_pipe_copy_label_t mpo_pipe_copy_label;
+ mpo_socket_copy_label_t mpo_socket_copy_label;
+ mpo_vnode_copy_label_t mpo_vnode_copy_label;
+ mpo_cred_externalize_label_t mpo_cred_externalize_label;
+ mpo_ifnet_externalize_label_t mpo_ifnet_externalize_label;
mpo_placeholder_t _mpo_placeholder3;
- mpo_externalize_pipe_label_t mpo_externalize_pipe_label;
- mpo_externalize_socket_label_t mpo_externalize_socket_label;
- mpo_externalize_socket_peer_label_t mpo_externalize_socket_peer_label;
- mpo_externalize_vnode_label_t mpo_externalize_vnode_label;
- mpo_internalize_cred_label_t mpo_internalize_cred_label;
- mpo_internalize_ifnet_label_t mpo_internalize_ifnet_label;
+ mpo_pipe_externalize_label_t mpo_pipe_externalize_label;
+ mpo_socket_externalize_label_t mpo_socket_externalize_label;
+ mpo_socketpeer_externalize_label_t mpo_socketpeer_externalize_label;
+ mpo_vnode_externalize_label_t mpo_vnode_externalize_label;
+ mpo_cred_internalize_label_t mpo_cred_internalize_label;
+ mpo_ifnet_internalize_label_t mpo_ifnet_internalize_label;
mpo_placeholder_t _mpo_placeholder4;
- mpo_internalize_pipe_label_t mpo_internalize_pipe_label;
- mpo_internalize_socket_label_t mpo_internalize_socket_label;
- mpo_internalize_vnode_label_t mpo_internalize_vnode_label;
+ mpo_pipe_internalize_label_t mpo_pipe_internalize_label;
+ mpo_socket_internalize_label_t mpo_socket_internalize_label;
+ mpo_vnode_internalize_label_t mpo_vnode_internalize_label;
/*
* Labeling event operations: file system objects, and things that
* look a lot like file system objects.
*/
- mpo_associate_vnode_devfs_t mpo_associate_vnode_devfs;
- mpo_associate_vnode_extattr_t mpo_associate_vnode_extattr;
- mpo_associate_vnode_singlelabel_t mpo_associate_vnode_singlelabel;
- mpo_create_devfs_device_t mpo_create_devfs_device;
- mpo_create_devfs_directory_t mpo_create_devfs_directory;
- mpo_create_devfs_symlink_t mpo_create_devfs_symlink;
+ mpo_devfs_vnode_associate_t mpo_devfs_vnode_associate;
+ mpo_vnode_associate_extattr_t mpo_vnode_associate_extattr;
+ mpo_vnode_associate_singlelabel_t mpo_vnode_associate_singlelabel;
+ mpo_devfs_create_device_t mpo_devfs_create_device;
+ mpo_devfs_create_directory_t mpo_devfs_create_directory;
+ mpo_devfs_create_symlink_t mpo_devfs_create_symlink;
mpo_placeholder_t _mpo_placeholder5;
- mpo_create_vnode_extattr_t mpo_create_vnode_extattr;
- mpo_create_mount_t mpo_create_mount;
- mpo_relabel_vnode_t mpo_relabel_vnode;
- mpo_setlabel_vnode_extattr_t mpo_setlabel_vnode_extattr;
- mpo_update_devfs_t mpo_update_devfs;
+ mpo_vnode_create_extattr_t mpo_vnode_create_extattr;
+ mpo_mount_create_t mpo_mount_create;
+ mpo_vnode_relabel_t mpo_vnode_relabel;
+ mpo_vnode_setlabel_extattr_t mpo_vnode_setlabel_extattr;
+ mpo_devfs_update_t mpo_devfs_update;
/*
* Labeling event operations: IPC objects.
*/
- mpo_create_mbuf_from_socket_t mpo_create_mbuf_from_socket;
- mpo_create_socket_t mpo_create_socket;
- mpo_create_socket_from_socket_t mpo_create_socket_from_socket;
- mpo_relabel_socket_t mpo_relabel_socket;
- mpo_relabel_pipe_t mpo_relabel_pipe;
- mpo_set_socket_peer_from_mbuf_t mpo_set_socket_peer_from_mbuf;
- mpo_set_socket_peer_from_socket_t mpo_set_socket_peer_from_socket;
- mpo_create_pipe_t mpo_create_pipe;
+ mpo_socket_create_mbuf_t mpo_socket_create_mbuf;
+ mpo_socket_create_t mpo_socket_create;
+ mpo_socket_newconn_t mpo_socket_newconn;
+ mpo_socket_relabel_t mpo_socket_relabel;
+ mpo_pipe_relabel_t mpo_pipe_relabel;
+ mpo_socketpeer_set_from_mbuf_t mpo_socketpeer_set_from_mbuf;
+ mpo_socketpeer_set_from_socket_t mpo_socketpeer_set_from_socket;
+ mpo_pipe_create_t mpo_pipe_create;
/*
* Labeling event operations: System V IPC primitives.
*/
- mpo_create_sysv_msgmsg_t mpo_create_sysv_msgmsg;
- mpo_create_sysv_msgqueue_t mpo_create_sysv_msgqueue;
- mpo_create_sysv_sem_t mpo_create_sysv_sem;
- mpo_create_sysv_shm_t mpo_create_sysv_shm;
+ mpo_sysvmsg_create_t mpo_sysvmsg_create;
+ mpo_sysvmsq_create_t mpo_sysvmsq_create;
+ mpo_sysvsem_create_t mpo_sysvsem_create;
+ mpo_sysvshm_create_t mpo_sysvshm_create;
/*
* Labeling event operations: POSIX (global/inter-process) semaphores.
*/
- mpo_create_posix_sem_t mpo_create_posix_sem;
+ mpo_posixsem_create_t mpo_posixsem_create;
/*
* Labeling event operations: network objects.
*/
- mpo_create_bpfdesc_t mpo_create_bpfdesc;
- mpo_create_ifnet_t mpo_create_ifnet;
- mpo_create_inpcb_from_socket_t mpo_create_inpcb_from_socket;
- mpo_create_ipq_t mpo_create_ipq;
- mpo_create_datagram_from_ipq mpo_create_datagram_from_ipq;
- mpo_create_fragment_t mpo_create_fragment;
- mpo_create_mbuf_from_inpcb_t mpo_create_mbuf_from_inpcb;
+ mpo_bpfdesc_create_t mpo_bpfdesc_create;
+ mpo_ifnet_create_t mpo_ifnet_create;
+ mpo_inpcb_create_t mpo_inpcb_create;
+ mpo_ipq_create_t mpo_ipq_create;
+ mpo_ipq_reassemble mpo_ipq_reassemble;
+ mpo_netinet_fragment_t mpo_netinet_fragment;
+ mpo_inpcb_create_mbuf_t mpo_inpcb_create_mbuf;
mpo_create_mbuf_linklayer_t mpo_create_mbuf_linklayer;
- mpo_create_mbuf_from_bpfdesc_t mpo_create_mbuf_from_bpfdesc;
- mpo_create_mbuf_from_ifnet_t mpo_create_mbuf_from_ifnet;
- mpo_create_mbuf_multicast_encap_t mpo_create_mbuf_multicast_encap;
- mpo_create_mbuf_netlayer_t mpo_create_mbuf_netlayer;
- mpo_fragment_match_t mpo_fragment_match;
- mpo_reflect_mbuf_icmp_t mpo_reflect_mbuf_icmp;
- mpo_reflect_mbuf_tcp_t mpo_reflect_mbuf_tcp;
- mpo_relabel_ifnet_t mpo_relabel_ifnet;
- mpo_update_ipq_t mpo_update_ipq;
+ mpo_bpfdesc_create_mbuf_t mpo_bpfdesc_create_mbuf;
+ mpo_ifnet_create_mbuf_t mpo_ifnet_create_mbuf;
+ mpo_mbuf_create_multicast_encap_t mpo_mbuf_create_multicast_encap;
+ mpo_mbuf_create_netlayer_t mpo_mbuf_create_netlayer;
+ mpo_ipq_match_t mpo_ipq_match;
+ mpo_netinet_icmp_reply_t mpo_netinet_icmp_reply;
+ mpo_netinet_tcp_reply_t mpo_netinet_tcp_reply;
+ mpo_ifnet_relabel_t mpo_ifnet_relabel;
+ mpo_ipq_update_t mpo_ipq_update;
mpo_inpcb_sosetlabel_t mpo_inpcb_sosetlabel;
/*
* Labeling event operations: processes.
*/
- mpo_execve_transition_t mpo_execve_transition;
- mpo_execve_will_transition_t mpo_execve_will_transition;
- mpo_create_proc0_t mpo_create_proc0;
- mpo_create_proc1_t mpo_create_proc1;
- mpo_relabel_cred_t mpo_relabel_cred;
+ mpo_vnode_execve_transition_t mpo_vnode_execve_transition;
+ mpo_vnode_execve_will_transition_t mpo_vnode_execve_will_transition;
+ mpo_proc_create_swapper_t mpo_proc_create_swapper;
+ mpo_proc_create_init_t mpo_proc_create_init;
+ mpo_cred_relabel_t mpo_cred_relabel;
mpo_placeholder_t _mpo_placeholder6;
mpo_thread_userret_t mpo_thread_userret;
/*
* Access control checks.
*/
- mpo_check_bpfdesc_receive_t mpo_check_bpfdesc_receive;
+ mpo_bpfdesc_check_receive_t mpo_bpfdesc_check_receive;
mpo_placeholder_t _mpo_placeholder7;
- mpo_check_cred_relabel_t mpo_check_cred_relabel;
- mpo_check_cred_visible_t mpo_check_cred_visible;
+ mpo_cred_check_relabel_t mpo_cred_check_relabel;
+ mpo_cred_check_visible_t mpo_cred_check_visible;
mpo_placeholder_t _mpo_placeholder8;
mpo_placeholder_t _mpo_placeholder9;
mpo_placeholder_t _mpo_placeholder10;
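Review bot: Two entries in the network-objects group of this hunk do not follow the naming scheme the commit introduces. The new line `mpo_ipq_reassemble mpo_ipq_reassemble;` uses a type name without the `_t` suffix that every other member carries, and the unchanged line `mpo_create_mbuf_linklayer_t mpo_create_mbuf_linklayer;` keeps the old verb-first form beside the converted `mpo_mbuf_create_multicast_encap` and `mpo_mbuf_create_netlayer`. I would write them as `mpo_ipq_reassemble_t mpo_ipq_reassemble;` and `mpo_mbuf_create_linklayer_t mpo_mbuf_create_linklayer;`, renaming the matching typedefs, which are outside this hunk. The linklayer entry may have been left deliberately for a later commit in the series, but a hook that breaks the `mpo_<object>_<method>` pattern is easy to miss when mechanically auditing which entry points a policy module implements. The body of `struct mac_policy_ops` starts before and continues after this hunk.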
@@ -787,119 +787,119 @@ struct mac_policy_ops {
mpo_placeholder_t _mpo_placeholder16;
mpo_placeholder_t _mpo_placeholder17;
mpo_placeholder_t _mpo_placeholder18;
- mpo_check_ifnet_relabel_t mpo_check_ifnet_relabel;
- mpo_check_ifnet_transmit_t mpo_check_ifnet_transmit;
- mpo_check_inpcb_deliver_t mpo_check_inpcb_deliver;
- mpo_check_sysv_msgmsq_t mpo_check_sysv_msgmsq;
- mpo_check_sysv_msgrcv_t mpo_check_sysv_msgrcv;
- mpo_check_sysv_msgrmid_t mpo_check_sysv_msgrmid;
- mpo_check_sysv_msqget_t mpo_check_sysv_msqget;
- mpo_check_sysv_msqsnd_t mpo_check_sysv_msqsnd;
- mpo_check_sysv_msqrcv_t mpo_check_sysv_msqrcv;
- mpo_check_sysv_msqctl_t mpo_check_sysv_msqctl;
- mpo_check_sysv_semctl_t mpo_check_sysv_semctl;
- mpo_check_sysv_semget_t mpo_check_sysv_semget;
- mpo_check_sysv_semop_t mpo_check_sysv_semop;
- mpo_check_sysv_shmat_t mpo_check_sysv_shmat;
- mpo_check_sysv_shmctl_t mpo_check_sysv_shmctl;
- mpo_check_sysv_shmdt_t mpo_check_sysv_shmdt;
- mpo_check_sysv_shmget_t mpo_check_sysv_shmget;
- mpo_check_kenv_dump_t mpo_check_kenv_dump;
- mpo_check_kenv_get_t mpo_check_kenv_get;
- mpo_check_kenv_set_t mpo_check_kenv_set;
- mpo_check_kenv_unset_t mpo_check_kenv_unset;
- mpo_check_kld_load_t mpo_check_kld_load;
- mpo_check_kld_stat_t mpo_check_kld_stat;
+ mpo_ifnet_check_relabel_t mpo_ifnet_check_relabel;
+ mpo_ifnet_check_transmit_t mpo_ifnet_check_transmit;
+ mpo_inpcb_check_deliver_t mpo_inpcb_check_deliver;
+ mpo_sysvmsq_check_msgmsq_t mpo_sysvmsq_check_msgmsq;
+ mpo_sysvmsq_check_msgrcv_t mpo_sysvmsq_check_msgrcv;
+ mpo_sysvmsq_check_msgrmid_t mpo_sysvmsq_check_msgrmid;
+ mpo_sysvmsq_check_msqget_t mpo_sysvmsq_check_msqget;
+ mpo_sysvmsq_check_msqsnd_t mpo_sysvmsq_check_msqsnd;
+ mpo_sysvmsq_check_msqrcv_t mpo_sysvmsq_check_msqrcv;
+ mpo_sysvmsq_check_msqctl_t mpo_sysvmsq_check_msqctl;
+ mpo_sysvsem_check_semctl_t mpo_sysvsem_check_semctl;
+ mpo_sysvsem_check_semget_t mpo_sysvsem_check_semget;
+ mpo_sysvsem_check_semop_t mpo_sysvsem_check_semop;
+ mpo_sysvshm_check_shmat_t mpo_sysvshm_check_shmat;
+ mpo_sysvshm_check_shmctl_t mpo_sysvshm_check_shmctl;
+ mpo_sysvshm_check_shmdt_t mpo_sysvshm_check_shmdt;
+ mpo_sysvshm_check_shmget_t mpo_sysvshm_check_shmget;
+ mpo_kenv_check_dump_t mpo_kenv_check_dump;
+ mpo_kenv_check_get_t mpo_kenv_check_get;
+ mpo_kenv_check_set_t mpo_kenv_check_set;
+ mpo_kenv_check_unset_t mpo_kenv_check_unset;
+ mpo_kld_check_load_t mpo_kld_check_load;
+ mpo_kld_check_stat_t mpo_kld_check_stat;
mpo_placeholder_t _mpo_placeholder19;
mpo_placeholder_t _mpo_placeholder20;
- mpo_check_mount_stat_t mpo_check_mount_stat;
+ mpo_mount_check_stat_t mpo_mount_check_stat;
mpo_placeholder_t _mpo_placeholder_21;
- mpo_check_pipe_ioctl_t mpo_check_pipe_ioctl;
- mpo_check_pipe_poll_t mpo_check_pipe_poll;
- mpo_check_pipe_read_t mpo_check_pipe_read;
- mpo_check_pipe_relabel_t mpo_check_pipe_relabel;
- mpo_check_pipe_stat_t mpo_check_pipe_stat;
- mpo_check_pipe_write_t mpo_check_pipe_write;
- mpo_check_posix_sem_destroy_t mpo_check_posix_sem_destroy;
- mpo_check_posix_sem_getvalue_t mpo_check_posix_sem_getvalue;
- mpo_check_posix_sem_open_t mpo_check_posix_sem_open;
- mpo_check_posix_sem_post_t mpo_check_posix_sem_post;
- mpo_check_posix_sem_unlink_t mpo_check_posix_sem_unlink;
- mpo_check_posix_sem_wait_t mpo_check_posix_sem_wait;
- mpo_check_proc_debug_t mpo_check_proc_debug;
- mpo_check_proc_sched_t mpo_check_proc_sched;
- mpo_check_proc_setaudit_t mpo_check_proc_setaudit;
- mpo_check_proc_setaudit_addr_t mpo_check_proc_setaudit_addr;
- mpo_check_proc_setauid_t mpo_check_proc_setauid;
- mpo_check_proc_setuid_t mpo_check_proc_setuid;
- mpo_check_proc_seteuid_t mpo_check_proc_seteuid;
- mpo_check_proc_setgid_t mpo_check_proc_setgid;
- mpo_check_proc_setegid_t mpo_check_proc_setegid;
- mpo_check_proc_setgroups_t mpo_check_proc_setgroups;
- mpo_check_proc_setreuid_t mpo_check_proc_setreuid;
- mpo_check_proc_setregid_t mpo_check_proc_setregid;
- mpo_check_proc_setresuid_t mpo_check_proc_setresuid;
- mpo_check_proc_setresgid_t mpo_check_proc_setresgid;
- mpo_check_proc_signal_t mpo_check_proc_signal;
- mpo_check_proc_wait_t mpo_check_proc_wait;
- mpo_check_socket_accept_t mpo_check_socket_accept;
- mpo_check_socket_bind_t mpo_check_socket_bind;
- mpo_check_socket_connect_t mpo_check_socket_connect;
- mpo_check_socket_create_t mpo_check_socket_create;
- mpo_check_socket_deliver_t mpo_check_socket_deliver;
+ mpo_pipe_check_ioctl_t mpo_pipe_check_ioctl;
+ mpo_pipe_check_poll_t mpo_pipe_check_poll;
+ mpo_pipe_check_read_t mpo_pipe_check_read;
+ mpo_pipe_check_relabel_t mpo_pipe_check_relabel;
+ mpo_pipe_check_stat_t mpo_pipe_check_stat;
+ mpo_pipe_check_write_t mpo_pipe_check_write;
+ mpo_posixsem_check_destroy_t mpo_posixsem_check_destroy;
+ mpo_posixsem_check_getvalue_t mpo_posixsem_check_getvalue;
+ mpo_posixsem_check_open_t mpo_posixsem_check_open;
+ mpo_posixsem_check_post_t mpo_posixsem_check_post;
+ mpo_posixsem_check_unlink_t mpo_posixsem_check_unlink;
+ mpo_posixsem_check_wait_t mpo_posixsem_check_wait;
+ mpo_proc_check_debug_t mpo_proc_check_debug;
+ mpo_proc_check_sched_t mpo_proc_check_sched;
+ mpo_proc_check_setaudit_t mpo_proc_check_setaudit;
+ mpo_proc_check_setaudit_addr_t mpo_proc_check_setaudit_addr;
+ mpo_proc_check_setauid_t mpo_proc_check_setauid;
+ mpo_proc_check_setuid_t mpo_proc_check_setuid;
+ mpo_proc_check_seteuid_t mpo_proc_check_seteuid;
+ mpo_proc_check_setgid_t mpo_proc_check_setgid;
+ mpo_proc_check_setegid_t mpo_proc_check_setegid;
+ mpo_proc_check_setgroups_t mpo_proc_check_setgroups;
+ mpo_proc_check_setreuid_t mpo_proc_check_setreuid;
+ mpo_proc_check_setregid_t mpo_proc_check_setregid;
+ mpo_proc_check_setresuid_t mpo_proc_check_setresuid;
+ mpo_proc_check_setresgid_t mpo_proc_check_setresgid;
+ mpo_proc_check_signal_t mpo_proc_check_signal;
+ mpo_proc_check_wait_t mpo_proc_check_wait;
+ mpo_socket_check_accept_t mpo_socket_check_accept;
+ mpo_socket_check_bind_t mpo_socket_check_bind;
+ mpo_socket_check_connect_t mpo_socket_check_connect;
+ mpo_socket_check_create_t mpo_socket_check_create;
+ mpo_socket_check_deliver_t mpo_socket_check_deliver;
mpo_placeholder_t _mpo_placeholder22;
- mpo_check_socket_listen_t mpo_check_socket_listen;
- mpo_check_socket_poll_t mpo_check_socket_poll;
- mpo_check_socket_receive_t mpo_check_socket_receive;
- mpo_check_socket_relabel_t mpo_check_socket_relabel;
- mpo_check_socket_send_t mpo_check_socket_send;
- mpo_check_socket_stat_t mpo_check_socket_stat;
- mpo_check_socket_visible_t mpo_check_socket_visible;
- mpo_check_system_acct_t mpo_check_system_acct;
- mpo_check_system_audit_t mpo_check_system_audit;
- mpo_check_system_auditctl_t mpo_check_system_auditctl;
- mpo_check_system_auditon_t mpo_check_system_auditon;
- mpo_check_system_reboot_t mpo_check_system_reboot;
- mpo_check_system_swapon_t mpo_check_system_swapon;
- mpo_check_system_swapoff_t mpo_check_system_swapoff;
- mpo_check_system_sysctl_t mpo_check_system_sysctl;
+ mpo_socket_check_listen_t mpo_socket_check_listen;
+ mpo_socket_check_poll_t mpo_socket_check_poll;
+ mpo_socket_check_receive_t mpo_socket_check_receive;
+ mpo_socket_check_relabel_t mpo_socket_check_relabel;
+ mpo_socket_check_send_t mpo_socket_check_send;
+ mpo_socket_check_stat_t mpo_socket_check_stat;
+ mpo_socket_check_visible_t mpo_socket_check_visible;
+ mpo_system_check_acct_t mpo_system_check_acct;
+ mpo_system_check_audit_t mpo_system_check_audit;
+ mpo_system_check_auditctl_t mpo_system_check_auditctl;
+ mpo_system_check_auditon_t mpo_system_check_auditon;
+ mpo_system_check_reboot_t mpo_system_check_reboot;
+ mpo_system_check_swapon_t mpo_system_check_swapon;
+ mpo_system_check_swapoff_t mpo_system_check_swapoff;
+ mpo_system_check_sysctl_t mpo_system_check_sysctl;
mpo_placeholder_t _mpo_placeholder23;
- mpo_check_vnode_access_t mpo_check_vnode_access;
- mpo_check_vnode_chdir_t mpo_check_vnode_chdir;
- mpo_check_vnode_chroot_t mpo_check_vnode_chroot;
- mpo_check_vnode_create_t mpo_check_vnode_create;
- mpo_check_vnode_deleteacl_t mpo_check_vnode_deleteacl;
- mpo_check_vnode_deleteextattr_t mpo_check_vnode_deleteextattr;
- mpo_check_vnode_exec_t mpo_check_vnode_exec;
- mpo_check_vnode_getacl_t mpo_check_vnode_getacl;
- mpo_check_vnode_getextattr_t mpo_check_vnode_getextattr;
+ mpo_vnode_check_access_t mpo_vnode_check_access;
+ mpo_vnode_check_chdir_t mpo_vnode_check_chdir;
+ mpo_vnode_check_chroot_t mpo_vnode_check_chroot;
+ mpo_vnode_check_create_t mpo_vnode_check_create;
+ mpo_vnode_check_deleteacl_t mpo_vnode_check_deleteacl;
+ mpo_vnode_check_deleteextattr_t mpo_vnode_check_deleteextattr;
+ mpo_vnode_check_exec_t mpo_vnode_check_exec;
+ mpo_vnode_check_getacl_t mpo_vnode_check_getacl;
+ mpo_vnode_check_getextattr_t mpo_vnode_check_getextattr;
mpo_placeholder_t _mpo_placeholder24;
- mpo_check_vnode_link_t mpo_check_vnode_link;
- mpo_check_vnode_listextattr_t mpo_check_vnode_listextattr;
- mpo_check_vnode_lookup_t mpo_check_vnode_lookup;
- mpo_check_vnode_mmap_t mpo_check_vnode_mmap;
- mpo_check_vnode_mmap_downgrade_t mpo_check_vnode_mmap_downgrade;
- mpo_check_vnode_mprotect_t mpo_check_vnode_mprotect;
- mpo_check_vnode_open_t mpo_check_vnode_open;
- mpo_check_vnode_poll_t mpo_check_vnode_poll;
- mpo_check_vnode_read_t mpo_check_vnode_read;
- mpo_check_vnode_readdir_t mpo_check_vnode_readdir;
- mpo_check_vnode_readlink_t mpo_check_vnode_readlink;
- mpo_check_vnode_relabel_t mpo_check_vnode_relabel;
- mpo_check_vnode_rename_from_t mpo_check_vnode_rename_from;
- mpo_check_vnode_rename_to_t mpo_check_vnode_rename_to;
- mpo_check_vnode_revoke_t mpo_check_vnode_revoke;
- mpo_check_vnode_setacl_t mpo_check_vnode_setacl;
- mpo_check_vnode_setextattr_t mpo_check_vnode_setextattr;
- mpo_check_vnode_setflags_t mpo_check_vnode_setflags;
- mpo_check_vnode_setmode_t mpo_check_vnode_setmode;
- mpo_check_vnode_setowner_t mpo_check_vnode_setowner;
- mpo_check_vnode_setutimes_t mpo_check_vnode_setutimes;
- mpo_check_vnode_stat_t mpo_check_vnode_stat;
- mpo_check_vnode_unlink_t mpo_check_vnode_unlink;
- mpo_check_vnode_write_t mpo_check_vnode_write;
+ mpo_vnode_check_link_t mpo_vnode_check_link;
+ mpo_vnode_check_listextattr_t mpo_vnode_check_listextattr;
+ mpo_vnode_check_lookup_t mpo_vnode_check_lookup;
+ mpo_vnode_check_mmap_t mpo_vnode_check_mmap;
+ mpo_vnode_check_mmap_downgrade_t mpo_vnode_check_mmap_downgrade;
+ mpo_vnode_check_mprotect_t mpo_vnode_check_mprotect;
+ mpo_vnode_check_open_t mpo_vnode_check_open;
+ mpo_vnode_check_poll_t mpo_vnode_check_poll;
+ mpo_vnode_check_read_t mpo_vnode_check_read;
+ mpo_vnode_check_readdir_t mpo_vnode_check_readdir;
+ mpo_vnode_check_readlink_t mpo_vnode_check_readlink;
+ mpo_vnode_check_relabel_t mpo_vnode_check_relabel;
+ mpo_vnode_check_rename_from_t mpo_vnode_check_rename_from;
+ mpo_vnode_check_rename_to_t mpo_vnode_check_rename_to;
+ mpo_vnode_check_revoke_t mpo_vnode_check_revoke;
+ mpo_vnode_check_setacl_t mpo_vnode_check_setacl;
+ mpo_vnode_check_setextattr_t mpo_vnode_check_setextattr;
+ mpo_vnode_check_setflags_t mpo_vnode_check_setflags;
+ mpo_vnode_check_setmode_t mpo_vnode_check_setmode;
+ mpo_vnode_check_setowner_t mpo_vnode_check_setowner;
+ mpo_vnode_check_setutimes_t mpo_vnode_check_setutimes;
+ mpo_vnode_check_stat_t mpo_vnode_check_stat;
+ mpo_vnode_check_unlink_t mpo_vnode_check_unlink;
+ mpo_vnode_check_write_t mpo_vnode_check_write;
mpo_associate_nfsd_label_t mpo_associate_nfsd_label;
- mpo_create_mbuf_from_firewall_t mpo_create_mbuf_from_firewall;
+ mpo_mbuf_create_from_firewall_t mpo_mbuf_create_from_firewall;
mpo_init_syncache_label_t mpo_init_syncache_label;
mpo_destroy_syncache_label_t mpo_destroy_syncache_label;
mpo_init_syncache_from_inpcb_t mpo_init_syncache_from_inpcb;
diff --git a/sys/security/mac/mac_posix_sem.c b/sys/security/mac/mac_posix_sem.c
index 103eab2..2ea3c72 100644
--- a/sys/security/mac/mac_posix_sem.c
+++ b/sys/security/mac/mac_posix_sem.c
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 2003-2005 SPARTA, Inc.
+ * Copyright (c) 2003-2006 SPARTA, Inc.
* All rights reserved.
*
* This software was developed for the FreeBSD Project in part by Network
@@ -7,6 +7,9 @@
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
* as part of the DARPA CHATS research program.
*
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract
+ * N66001-04-C-6019 ("SEFOS").
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -48,100 +51,100 @@ __FBSDID("$FreeBSD$");
#include <security/mac/mac_policy.h>
static struct label *
-mac_posix_sem_label_alloc(void)
+mac_posixsem_label_alloc(void)
{
struct label *label;
label = mac_labelzone_alloc(M_WAITOK);
- MAC_PERFORM(init_posix_sem_label, label);
+ MAC_PERFORM(posixsem_init_label, label);
return (label);
}
void
-mac_init_posix_sem(struct ksem *ks)
+mac_posixsem_init(struct ksem *ks)
{
- ks->ks_label = mac_posix_sem_label_alloc();
+ ks->ks_label = mac_posixsem_label_alloc();
}
static void
-mac_posix_sem_label_free(struct label *label)
+mac_posixsem_label_free(struct label *label)
{
- MAC_PERFORM(destroy_posix_sem_label, label);
+ MAC_PERFORM(posixsem_destroy_label, label);
}
void
-mac_destroy_posix_sem(struct ksem *ks)
+mac_posixsem_destroy(struct ksem *ks)
{
- mac_posix_sem_label_free(ks->ks_label);
+ mac_posixsem_label_free(ks->ks_label);
ks->ks_label = NULL;
}
void
-mac_create_posix_sem(struct ucred *cred, struct ksem *ks)
+mac_posixsem_create(struct ucred *cred, struct ksem *ks)
{
- MAC_PERFORM(create_posix_sem, cred, ks, ks->ks_label);
+ MAC_PERFORM(posixsem_create, cred, ks, ks->ks_label);
}
int
-mac_check_posix_sem_destroy(struct ucred *cred, struct ksem *ks)
+mac_posixsem_check_destroy(struct ucred *cred, struct ksem *ks)
{
int error;
- MAC_CHECK(check_posix_sem_destroy, cred, ks, ks->ks_label);
+ MAC_CHECK(posixsem_check_destroy, cred, ks, ks->ks_label);
return (error);
}
int
-mac_check_posix_sem_open(struct ucred *cred, struct ksem *ks)
+mac_posixsem_check_open(struct ucred *cred, struct ksem *ks)
{
int error;
- MAC_CHECK(check_posix_sem_open, cred, ks, ks->ks_label);
+ MAC_CHECK(posixsem_check_open, cred, ks, ks->ks_label);
return (error);
}
int
-mac_check_posix_sem_getvalue(struct ucred *cred, struct ksem *ks)
+mac_posixsem_check_getvalue(struct ucred *cred, struct ksem *ks)
{
int error;
- MAC_CHECK(check_posix_sem_getvalue, cred, ks, ks->ks_label);
+ MAC_CHECK(posixsem_check_getvalue, cred, ks, ks->ks_label);
return (error);
}
int
-mac_check_posix_sem_post(struct ucred *cred, struct ksem *ks)
+mac_posixsem_check_post(struct ucred *cred, struct ksem *ks)
{
int error;
- MAC_CHECK(check_posix_sem_post, cred, ks, ks->ks_label);
+ MAC_CHECK(posixsem_check_post, cred, ks, ks->ks_label);
return (error);
}
int
-mac_check_posix_sem_unlink(struct ucred *cred, struct ksem *ks)
+mac_posixsem_check_unlink(struct ucred *cred, struct ksem *ks)
{
int error;
- MAC_CHECK(check_posix_sem_unlink, cred, ks, ks->ks_label);
+ MAC_CHECK(posixsem_check_unlink, cred, ks, ks->ks_label);
return (error);
}
int
-mac_check_posix_sem_wait(struct ucred *cred, struct ksem *ks)
+mac_posixsem_check_wait(struct ucred *cred, struct ksem *ks)
{
int error;
- MAC_CHECK(check_posix_sem_wait, cred, ks, ks->ks_label);
+ MAC_CHECK(posixsem_check_wait, cred, ks, ks->ks_label);
return (error);
}
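Review bot: `mac_posixsem_label_free()` runs the `posixsem_destroy_label` hook but never hands the label back to the zone, so the label taken from `mac_labelzone_alloc(M_WAITOK)` in `mac_posixsem_label_alloc()` looks leaked every time `mac_posixsem_destroy()` runs and then clears `ks->ks_label`. The equivalent helpers in mac_process.c and mac_socket.c in this same commit (`mac_cred_label_free`, `mac_proc_label_free`, `mac_socket_label_free`) all call `mac_labelzone_free(label);` right after the destroy hook. Since this rename already touches the function, add `mac_labelzone_free(label);` after the `MAC_PERFORM(posixsem_destroy_label, label);` line. Otherwise each semaphore teardown steadily consumes kernel label memory.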
diff --git a/sys/security/mac/mac_process.c b/sys/security/mac/mac_process.c
index abba4a9..c6c5cd8 100644
--- a/sys/security/mac/mac_process.c
+++ b/sys/security/mac/mac_process.c
@@ -3,6 +3,7 @@
* Copyright (c) 2001 Ilmar S. Habibulin
* Copyright (c) 2001-2003 Networks Associates Technology, Inc.
* Copyright (c) 2005 Samy Al Bahra
+ * Copyright (c) 2006 SPARTA, Inc.
* All rights reserved.
*
* This software was developed by Robert Watson and Ilmar Habibulin for the
@@ -13,6 +14,9 @@
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
* as part of the DARPA CHATS research program.
*
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract
+ * N66001-04-C-6019 ("SEFOS").
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -85,12 +89,12 @@ mac_cred_label_alloc(void)
struct label *label;
label = mac_labelzone_alloc(M_WAITOK);
- MAC_PERFORM(init_cred_label, label);
+ MAC_PERFORM(cred_init_label, label);
return (label);
}
void
-mac_init_cred(struct ucred *cred)
+mac_cred_init(struct ucred *cred)
{
cred->cr_label = mac_cred_label_alloc();
@@ -102,12 +106,12 @@ mac_proc_label_alloc(void)
struct label *label;
label = mac_labelzone_alloc(M_WAITOK);
- MAC_PERFORM(init_proc_label, label);
+ MAC_PERFORM(proc_init_label, label);
return (label);
}
void
-mac_init_proc(struct proc *p)
+mac_proc_init(struct proc *p)
{
p->p_label = mac_proc_label_alloc();
@@ -117,12 +121,12 @@ void
mac_cred_label_free(struct label *label)
{
- MAC_PERFORM(destroy_cred_label, label);
+ MAC_PERFORM(cred_destroy_label, label);
mac_labelzone_free(label);
}
void
-mac_destroy_cred(struct ucred *cred)
+mac_cred_destroy(struct ucred *cred)
{
mac_cred_label_free(cred->cr_label);
@@ -133,12 +137,12 @@ static void
mac_proc_label_free(struct label *label)
{
- MAC_PERFORM(destroy_proc_label, label);
+ MAC_PERFORM(proc_destroy_label, label);
mac_labelzone_free(label);
}
void
-mac_destroy_proc(struct proc *p)
+mac_proc_destroy(struct proc *p)
{
mac_proc_label_free(p->p_label);
@@ -146,7 +150,7 @@ mac_destroy_proc(struct proc *p)
}
int
-mac_externalize_cred_label(struct label *label, char *elements,
+mac_cred_externalize_label(struct label *label, char *elements,
char *outbuf, size_t outbuflen)
{
int error;
@@ -157,7 +161,7 @@ mac_externalize_cred_label(struct label *label, char *elements,
}
int
-mac_internalize_cred_label(struct label *label, char *string)
+mac_cred_internalize_label(struct label *label, char *string)
{
int error;
@@ -171,10 +175,10 @@ mac_internalize_cred_label(struct label *label, char *string)
* processes and threads are spawned.
*/
void
-mac_create_proc0(struct ucred *cred)
+mac_proc_create_swapper(struct ucred *cred)
{
- MAC_PERFORM(create_proc0, cred);
+ MAC_PERFORM(proc_create_swapper, cred);
}
/*
@@ -182,10 +186,10 @@ mac_create_proc0(struct ucred *cred)
* userland processes and threads are spawned.
*/
void
-mac_create_proc1(struct ucred *cred)
+mac_proc_create_init(struct ucred *cred)
{
- MAC_PERFORM(create_proc1, cred);
+ MAC_PERFORM(proc_create_init, cred);
}
void
@@ -201,10 +205,10 @@ mac_thread_userret(struct thread *td)
* This function allows that processing to take place.
*/
void
-mac_copy_cred(struct ucred *src, struct ucred *dest)
+mac_cred_copy(struct ucred *src, struct ucred *dest)
{
- MAC_PERFORM(copy_cred_label, src->cr_label, dest->cr_label);
+ MAC_PERFORM(cred_copy_label, src->cr_label, dest->cr_label);
}
int
@@ -234,7 +238,7 @@ mac_execve_enter(struct image_params *imgp, struct mac *mac_p)
}
label = mac_cred_label_alloc();
- error = mac_internalize_cred_label(label, buffer);
+ error = mac_cred_internalize_label(label, buffer);
free(buffer, M_MACTEMP);
if (error) {
mac_cred_label_free(label);
@@ -347,7 +351,7 @@ mac_cred_mmapped_drop_perms_recurse(struct thread *td, struct ucred *cred,
vfslocked = VFS_LOCK_GIANT(vp->v_mount);
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
result = vme->max_protection;
- mac_check_vnode_mmap_downgrade(cred, vp, &result);
+ mac_vnode_check_mmap_downgrade(cred, vp, &result);
VOP_UNLOCK(vp, 0, td);
/*
* Find out what maximum protection we may be allowing now
@@ -429,185 +433,185 @@ mac_cred_mmapped_drop_perms_recurse(struct thread *td, struct ucred *cred,
* buffer cache.
*/
void
-mac_relabel_cred(struct ucred *cred, struct label *newlabel)
+mac_cred_relabel(struct ucred *cred, struct label *newlabel)
{
- MAC_PERFORM(relabel_cred, cred, newlabel);
+ MAC_PERFORM(cred_relabel, cred, newlabel);
}
int
-mac_check_cred_relabel(struct ucred *cred, struct label *newlabel)
+mac_cred_check_relabel(struct ucred *cred, struct label *newlabel)
{
int error;
- MAC_CHECK(check_cred_relabel, cred, newlabel);
+ MAC_CHECK(cred_check_relabel, cred, newlabel);
return (error);
}
int
-mac_check_cred_visible(struct ucred *cr1, struct ucred *cr2)
+mac_cred_check_visible(struct ucred *cr1, struct ucred *cr2)
{
int error;
- MAC_CHECK(check_cred_visible, cr1, cr2);
+ MAC_CHECK(cred_check_visible, cr1, cr2);
return (error);
}
int
-mac_check_proc_debug(struct ucred *cred, struct proc *p)
+mac_proc_check_debug(struct ucred *cred, struct proc *p)
{
int error;
PROC_LOCK_ASSERT(p, MA_OWNED);
- MAC_CHECK(check_proc_debug, cred, p);
+ MAC_CHECK(proc_check_debug, cred, p);
return (error);
}
int
-mac_check_proc_sched(struct ucred *cred, struct proc *p)
+mac_proc_check_sched(struct ucred *cred, struct proc *p)
{
int error;
PROC_LOCK_ASSERT(p, MA_OWNED);
- MAC_CHECK(check_proc_sched, cred, p);
+ MAC_CHECK(proc_check_sched, cred, p);
return (error);
}
int
-mac_check_proc_signal(struct ucred *cred, struct proc *p, int signum)
+mac_proc_check_signal(struct ucred *cred, struct proc *p, int signum)
{
int error;
PROC_LOCK_ASSERT(p, MA_OWNED);
- MAC_CHECK(check_proc_signal, cred, p, signum);
+ MAC_CHECK(proc_check_signal, cred, p, signum);
return (error);
}
int
-mac_check_proc_setuid(struct proc *p, struct ucred *cred, uid_t uid)
+mac_proc_check_setuid(struct proc *p, struct ucred *cred, uid_t uid)
{
int error;
PROC_LOCK_ASSERT(p, MA_OWNED);
- MAC_CHECK(check_proc_setuid, cred, uid);
+ MAC_CHECK(proc_check_setuid, cred, uid);
return (error);
}
int
-mac_check_proc_seteuid(struct proc *p, struct ucred *cred, uid_t euid)
+mac_proc_check_seteuid(struct proc *p, struct ucred *cred, uid_t euid)
{
int error;
PROC_LOCK_ASSERT(p, MA_OWNED);
- MAC_CHECK(check_proc_seteuid, cred, euid);
+ MAC_CHECK(proc_check_seteuid, cred, euid);
return (error);
}
int
-mac_check_proc_setgid(struct proc *p, struct ucred *cred, gid_t gid)
+mac_proc_check_setgid(struct proc *p, struct ucred *cred, gid_t gid)
{
int error;
PROC_LOCK_ASSERT(p, MA_OWNED);
- MAC_CHECK(check_proc_setgid, cred, gid);
+ MAC_CHECK(proc_check_setgid, cred, gid);
return (error);
}
int
-mac_check_proc_setegid(struct proc *p, struct ucred *cred, gid_t egid)
+mac_proc_check_setegid(struct proc *p, struct ucred *cred, gid_t egid)
{
int error;
PROC_LOCK_ASSERT(p, MA_OWNED);
- MAC_CHECK(check_proc_setegid, cred, egid);
+ MAC_CHECK(proc_check_setegid, cred, egid);
return (error);
}
int
-mac_check_proc_setgroups(struct proc *p, struct ucred *cred, int ngroups,
+mac_proc_check_setgroups(struct proc *p, struct ucred *cred, int ngroups,
gid_t *gidset)
{
int error;
PROC_LOCK_ASSERT(p, MA_OWNED);
- MAC_CHECK(check_proc_setgroups, cred, ngroups, gidset);
+ MAC_CHECK(proc_check_setgroups, cred, ngroups, gidset);
return (error);
}
int
-mac_check_proc_setreuid(struct proc *p, struct ucred *cred, uid_t ruid,
+mac_proc_check_setreuid(struct proc *p, struct ucred *cred, uid_t ruid,
uid_t euid)
{
int error;
PROC_LOCK_ASSERT(p, MA_OWNED);
- MAC_CHECK(check_proc_setreuid, cred, ruid, euid);
+ MAC_CHECK(proc_check_setreuid, cred, ruid, euid);
return (error);
}
int
-mac_check_proc_setregid(struct proc *proc, struct ucred *cred, gid_t rgid,
+mac_proc_check_setregid(struct proc *proc, struct ucred *cred, gid_t rgid,
gid_t egid)
{
int error;
PROC_LOCK_ASSERT(proc, MA_OWNED);
- MAC_CHECK(check_proc_setregid, cred, rgid, egid);
+ MAC_CHECK(proc_check_setregid, cred, rgid, egid);
return (error);
}
int
-mac_check_proc_setresuid(struct proc *p, struct ucred *cred, uid_t ruid,
+mac_proc_check_setresuid(struct proc *p, struct ucred *cred, uid_t ruid,
uid_t euid, uid_t suid)
{
int error;
PROC_LOCK_ASSERT(p, MA_OWNED);
- MAC_CHECK(check_proc_setresuid, cred, ruid, euid, suid);
+ MAC_CHECK(proc_check_setresuid, cred, ruid, euid, suid);
return (error);
}
int
-mac_check_proc_setresgid(struct proc *p, struct ucred *cred, gid_t rgid,
+mac_proc_check_setresgid(struct proc *p, struct ucred *cred, gid_t rgid,
gid_t egid, gid_t sgid)
{
int error;
PROC_LOCK_ASSERT(p, MA_OWNED);
- MAC_CHECK(check_proc_setresgid, cred, rgid, egid, sgid);
+ MAC_CHECK(proc_check_setresgid, cred, rgid, egid, sgid);
return (error);
}
int
-mac_check_proc_wait(struct ucred *cred, struct proc *p)
+mac_proc_check_wait(struct ucred *cred, struct proc *p)
{
int error;
PROC_LOCK_ASSERT(p, MA_OWNED);
- MAC_CHECK(check_proc_wait, cred, p);
+ MAC_CHECK(proc_check_wait, cred, p);
return (error);
}
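Review bot: The set*id wrappers in this hunk (`mac_proc_check_setuid` through `mac_proc_check_setresgid`) are now named as checks on a proc object, but none of them forwards `p` to the policy; for example `MAC_CHECK(proc_check_setuid, cred, uid);` passes only the credential and the requested id. The process argument is used solely for `PROC_LOCK_ASSERT`, so a policy author reading the new `mpo_proc_check_*` names could reasonably expect a `struct proc *` that never arrives. If that is intentional, a short comment above the group would help, such as `/* The process is passed only to assert the proc lock; policies see just the subject credential and the requested IDs. */`. A smaller point in the same hunk is that `mac_proc_check_setregid` names its parameter `proc` while every sibling uses `p`.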
diff --git a/sys/security/mac/mac_socket.c b/sys/security/mac/mac_socket.c
index 07722ad..37dfa3f 100644
--- a/sys/security/mac/mac_socket.c
+++ b/sys/security/mac/mac_socket.c
@@ -2,7 +2,7 @@
* Copyright (c) 1999-2002 Robert N. M. Watson
* Copyright (c) 2001 Ilmar S. Habibulin
* Copyright (c) 2001-2005 Networks Associates Technology, Inc.
- * Copyright (c) 2005 SPARTA, Inc.
+ * Copyright (c) 2005-2006 SPARTA, Inc.
* All rights reserved.
*
* This software was developed by Robert Watson and Ilmar Habibulin for the
@@ -94,9 +94,9 @@ mac_socket_label_alloc(int flag)
if (label == NULL)
return (NULL);
- MAC_CHECK(init_socket_label, label, flag);
+ MAC_CHECK(socket_init_label, label, flag);
if (error) {
- MAC_PERFORM(destroy_socket_label, label);
+ MAC_PERFORM(socket_destroy_label, label);
mac_labelzone_free(label);
return (NULL);
}
@@ -104,7 +104,7 @@ mac_socket_label_alloc(int flag)
}
static struct label *
-mac_socket_peer_label_alloc(int flag)
+mac_socketpeer_label_alloc(int flag)
{
struct label *label;
int error;
@@ -113,9 +113,9 @@ mac_socket_peer_label_alloc(int flag)
if (label == NULL)
return (NULL);
- MAC_CHECK(init_socket_peer_label, label, flag);
+ MAC_CHECK(socketpeer_init_label, label, flag);
if (error) {
- MAC_PERFORM(destroy_socket_peer_label, label);
+ MAC_PERFORM(socketpeer_destroy_label, label);
mac_labelzone_free(label);
return (NULL);
}
@@ -123,13 +123,13 @@ mac_socket_peer_label_alloc(int flag)
}
int
-mac_init_socket(struct socket *so, int flag)
+mac_socket_init(struct socket *so, int flag)
{
so->so_label = mac_socket_label_alloc(flag);
if (so->so_label == NULL)
return (ENOMEM);
- so->so_peerlabel = mac_socket_peer_label_alloc(flag);
+ so->so_peerlabel = mac_socketpeer_label_alloc(flag);
if (so->so_peerlabel == NULL) {
mac_socket_label_free(so->so_label);
so->so_label = NULL;
@@ -142,37 +142,37 @@ void
mac_socket_label_free(struct label *label)
{
- MAC_PERFORM(destroy_socket_label, label);
+ MAC_PERFORM(socket_destroy_label, label);
mac_labelzone_free(label);
}
static void
-mac_socket_peer_label_free(struct label *label)
+mac_socketpeer_label_free(struct label *label)
{
- MAC_PERFORM(destroy_socket_peer_label, label);
+ MAC_PERFORM(socketpeer_destroy_label, label);
mac_labelzone_free(label);
}
void
-mac_destroy_socket(struct socket *so)
+mac_socket_destroy(struct socket *so)
{
mac_socket_label_free(so->so_label);
so->so_label = NULL;
- mac_socket_peer_label_free(so->so_peerlabel);
+ mac_socketpeer_label_free(so->so_peerlabel);
so->so_peerlabel = NULL;
}
void
-mac_copy_socket_label(struct label *src, struct label *dest)
+mac_socket_copy_label(struct label *src, struct label *dest)
{
- MAC_PERFORM(copy_socket_label, src, dest);
+ MAC_PERFORM(socket_copy_label, src, dest);
}
int
-mac_externalize_socket_label(struct label *label, char *elements,
+mac_socket_externalize_label(struct label *label, char *elements,
char *outbuf, size_t outbuflen)
{
int error;
@@ -183,18 +183,18 @@ mac_externalize_socket_label(struct label *label, char *elements,
}
static int
-mac_externalize_socket_peer_label(struct label *label, char *elements,
+mac_socketpeer_externalize_label(struct label *label, char *elements,
char *outbuf, size_t outbuflen)
{
int error;
- MAC_EXTERNALIZE(socket_peer, label, elements, outbuf, outbuflen);
+ MAC_EXTERNALIZE(socketpeer, label, elements, outbuf, outbuflen);
return (error);
}
int
-mac_internalize_socket_label(struct label *label, char *string)
+mac_socket_internalize_label(struct label *label, char *string)
{
int error;
@@ -204,34 +204,34 @@ mac_internalize_socket_label(struct label *label, char *string)
}
void
-mac_create_socket(struct ucred *cred, struct socket *so)
+mac_socket_create(struct ucred *cred, struct socket *so)
{
- MAC_PERFORM(create_socket, cred, so, so->so_label);
+ MAC_PERFORM(socket_create, cred, so, so->so_label);
}
void
-mac_create_socket_from_socket(struct socket *oldso, struct socket *newso)
+mac_socket_newconn(struct socket *oldso, struct socket *newso)
{
SOCK_LOCK_ASSERT(oldso);
- MAC_PERFORM(create_socket_from_socket, oldso, oldso->so_label, newso,
+ MAC_PERFORM(socket_newconn, oldso, oldso->so_label, newso,
newso->so_label);
}
static void
-mac_relabel_socket(struct ucred *cred, struct socket *so,
+mac_socket_relabel(struct ucred *cred, struct socket *so,
struct label *newlabel)
{
SOCK_LOCK_ASSERT(so);
- MAC_PERFORM(relabel_socket, cred, so, so->so_label, newlabel);
+ MAC_PERFORM(socket_relabel, cred, so, so->so_label, newlabel);
}
void
-mac_set_socket_peer_from_mbuf(struct mbuf *m, struct socket *so)
+mac_socketpeer_set_from_mbuf(struct mbuf *m, struct socket *so)
{
struct label *label;
@@ -239,12 +239,12 @@ mac_set_socket_peer_from_mbuf(struct mbuf *m, struct socket *so)
label = mac_mbuf_to_label(m);
- MAC_PERFORM(set_socket_peer_from_mbuf, m, label, so,
+ MAC_PERFORM(socketpeer_set_from_mbuf, m, label, so,
so->so_peerlabel);
}
void
-mac_set_socket_peer_from_socket(struct socket *oldso, struct socket *newso)
+mac_socketpeer_set_from_socket(struct socket *oldso, struct socket *newso)
{
/*
@@ -252,12 +252,12 @@ mac_set_socket_peer_from_socket(struct socket *oldso, struct socket *newso)
* is the original, and one is the new. However, it's called in both
* directions, so we can't assert the lock here currently.
*/
- MAC_PERFORM(set_socket_peer_from_socket, oldso, oldso->so_label,
+ MAC_PERFORM(socketpeer_set_from_socket, oldso, oldso->so_label,
newso, newso->so_peerlabel);
}
void
-mac_create_mbuf_from_socket(struct socket *so, struct mbuf *m)
+mac_socket_create_mbuf(struct socket *so, struct mbuf *m)
{
struct label *label;
@@ -265,59 +265,59 @@ mac_create_mbuf_from_socket(struct socket *so, struct mbuf *m)
label = mac_mbuf_to_label(m);
- MAC_PERFORM(create_mbuf_from_socket, so, so->so_label, m, label);
+ MAC_PERFORM(socket_create_mbuf, so, so->so_label, m, label);
}
int
-mac_check_socket_accept(struct ucred *cred, struct socket *so)
+mac_socket_check_accept(struct ucred *cred, struct socket *so)
{
int error;
SOCK_LOCK_ASSERT(so);
- MAC_CHECK(check_socket_accept, cred, so, so->so_label);
+ MAC_CHECK(socket_check_accept, cred, so, so->so_label);
return (error);
}
int
-mac_check_socket_bind(struct ucred *ucred, struct socket *so,
+mac_socket_check_bind(struct ucred *ucred, struct socket *so,
struct sockaddr *sa)
{
int error;
SOCK_LOCK_ASSERT(so);
- MAC_CHECK(check_socket_bind, ucred, so, so->so_label, sa);
+ MAC_CHECK(socket_check_bind, ucred, so, so->so_label, sa);
return (error);
}
int
-mac_check_socket_connect(struct ucred *cred, struct socket *so,
+mac_socket_check_connect(struct ucred *cred, struct socket *so,
struct sockaddr *sa)
{
int error;
SOCK_LOCK_ASSERT(so);
- MAC_CHECK(check_socket_connect, cred, so, so->so_label, sa);
+ MAC_CHECK(socket_check_connect, cred, so, so->so_label, sa);
return (error);
}
int
-mac_check_socket_create(struct ucred *cred, int domain, int type, int proto)
+mac_socket_check_create(struct ucred *cred, int domain, int type, int proto)
{
int error;
- MAC_CHECK(check_socket_create, cred, domain, type, proto);
+ MAC_CHECK(socket_check_create, cred, domain, type, proto);
return (error);
}
int
-mac_check_socket_deliver(struct socket *so, struct mbuf *m)
+mac_socket_check_deliver(struct socket *so, struct mbuf *m)
{
struct label *label;
int error;
@@ -326,92 +326,92 @@ mac_check_socket_deliver(struct socket *so, struct mbuf *m)
label = mac_mbuf_to_label(m);
- MAC_CHECK(check_socket_deliver, so, so->so_label, m, label);
+ MAC_CHECK(socket_check_deliver, so, so->so_label, m, label);
return (error);
}
int
-mac_check_socket_listen(struct ucred *cred, struct socket *so)
+mac_socket_check_listen(struct ucred *cred, struct socket *so)
{
int error;
SOCK_LOCK_ASSERT(so);
- MAC_CHECK(check_socket_listen, cred, so, so->so_label);
+ MAC_CHECK(socket_check_listen, cred, so, so->so_label);
return (error);
}
int
-mac_check_socket_poll(struct ucred *cred, struct socket *so)
+mac_socket_check_poll(struct ucred *cred, struct socket *so)
{
int error;
SOCK_LOCK_ASSERT(so);
- MAC_CHECK(check_socket_poll, cred, so, so->so_label);
+ MAC_CHECK(socket_check_poll, cred, so, so->so_label);
return (error);
}
int
-mac_check_socket_receive(struct ucred *cred, struct socket *so)
+mac_socket_check_receive(struct ucred *cred, struct socket *so)
{
int error;
SOCK_LOCK_ASSERT(so);
- MAC_CHECK(check_socket_receive, cred, so, so->so_label);
+ MAC_CHECK(socket_check_receive, cred, so, so->so_label);
return (error);
}
static int
-mac_check_socket_relabel(struct ucred *cred, struct socket *so,
+mac_socket_check_relabel(struct ucred *cred, struct socket *so,
struct label *newlabel)
{
int error;
SOCK_LOCK_ASSERT(so);
- MAC_CHECK(check_socket_relabel, cred, so, so->so_label, newlabel);
+ MAC_CHECK(socket_check_relabel, cred, so, so->so_label, newlabel);
return (error);
}
int
-mac_check_socket_send(struct ucred *cred, struct socket *so)
+mac_socket_check_send(struct ucred *cred, struct socket *so)
{
int error;
SOCK_LOCK_ASSERT(so);
- MAC_CHECK(check_socket_send, cred, so, so->so_label);
+ MAC_CHECK(socket_check_send, cred, so, so->so_label);
return (error);
}
int
-mac_check_socket_stat(struct ucred *cred, struct socket *so)
+mac_socket_check_stat(struct ucred *cred, struct socket *so)
{
int error;
SOCK_LOCK_ASSERT(so);
- MAC_CHECK(check_socket_stat, cred, so, so->so_label);
+ MAC_CHECK(socket_check_stat, cred, so, so->so_label);
return (error);
}
int
-mac_check_socket_visible(struct ucred *cred, struct socket *so)
+mac_socket_check_visible(struct ucred *cred, struct socket *so)
{
int error;
SOCK_LOCK_ASSERT(so);
- MAC_CHECK(check_socket_visible, cred, so, so->so_label);
+ MAC_CHECK(socket_check_visible, cred, so, so->so_label);
return (error);
}
@@ -431,13 +431,13 @@ mac_socket_label_set(struct ucred *cred, struct socket *so,
* acquire the socket lock before refreshing, holding both locks.
*/
SOCK_LOCK(so);
- error = mac_check_socket_relabel(cred, so, label);
+ error = mac_socket_check_relabel(cred, so, label);
if (error) {
SOCK_UNLOCK(so);
return (error);
}
- mac_relabel_socket(cred, so, label);
+ mac_socket_relabel(cred, so, label);
SOCK_UNLOCK(so);
/*
@@ -471,7 +471,7 @@ mac_setsockopt_label(struct ucred *cred, struct socket *so, struct mac *mac)
}
intlabel = mac_socket_label_alloc(M_WAITOK);
- error = mac_internalize_socket_label(intlabel, buffer);
+ error = mac_socket_internalize_label(intlabel, buffer);
free(buffer, M_MACTEMP);
if (error)
goto out;
@@ -503,9 +503,9 @@ mac_getsockopt_label(struct ucred *cred, struct socket *so, struct mac *mac)
buffer = malloc(mac->m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
intlabel = mac_socket_label_alloc(M_WAITOK);
SOCK_LOCK(so);
- mac_copy_socket_label(so->so_label, intlabel);
+ mac_socket_copy_label(so->so_label, intlabel);
SOCK_UNLOCK(so);
- error = mac_externalize_socket_label(intlabel, elements, buffer,
+ error = mac_socket_externalize_label(intlabel, elements, buffer,
mac->m_buflen);
mac_socket_label_free(intlabel);
if (error == 0)
@@ -539,9 +539,9 @@ mac_getsockopt_peerlabel(struct ucred *cred, struct socket *so,
buffer = malloc(mac->m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
intlabel = mac_socket_label_alloc(M_WAITOK);
SOCK_LOCK(so);
- mac_copy_socket_label(so->so_peerlabel, intlabel);
+ mac_socket_copy_label(so->so_peerlabel, intlabel);
SOCK_UNLOCK(so);
- error = mac_externalize_socket_peer_label(intlabel, elements, buffer,
+ error = mac_socketpeer_externalize_label(intlabel, elements, buffer,
mac->m_buflen);
mac_socket_label_free(intlabel);
if (error == 0)
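Review bot: In `mac_getsockopt_peerlabel()` the temporary label is allocated with `mac_socket_label_alloc(M_WAITOK)` and filled with `mac_socket_copy_label(so->so_peerlabel, intlabel)`, yet it is then passed to `mac_socketpeer_externalize_label()`. This commit makes `socketpeer` a distinct object type with its own `socketpeer_init_label` and `socketpeer_destroy_label` hooks, so a policy that keeps different per-label state for the two types would have its socketpeer externalize method called on a socket-initialised label. No socketpeer copy entry point is visible in this diff, so the mixing may be deliberate. In that case, document the requirement at this call site, for example `/* Peer labels are staged in a socket label; policies must keep socket and socketpeer label storage compatible. */`. The function begins and ends outside this hunk, so the rest of its locking and cleanup is not reviewed here.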
diff --git a/sys/security/mac/mac_syscalls.c b/sys/security/mac/mac_syscalls.c
index cda98c2..0c41c78 100644
--- a/sys/security/mac/mac_syscalls.c
+++ b/sys/security/mac/mac_syscalls.c
@@ -105,7 +105,7 @@ __mac_get_pid(struct thread *td, struct __mac_get_pid_args *uap)
}
buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
- error = mac_externalize_cred_label(tcred->cr_label, elements,
+ error = mac_cred_externalize_label(tcred->cr_label, elements,
buffer, mac.m_buflen);
if (error == 0)
error = copyout(buffer, mac.m_string, strlen(buffer)+1);
@@ -139,7 +139,7 @@ __mac_get_proc(struct thread *td, struct __mac_get_proc_args *uap)
}
buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
- error = mac_externalize_cred_label(td->td_ucred->cr_label,
+ error = mac_cred_externalize_label(td->td_ucred->cr_label,
elements, buffer, mac.m_buflen);
if (error == 0)
error = copyout(buffer, mac.m_string, strlen(buffer)+1);
@@ -175,7 +175,7 @@ __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
}
intlabel = mac_cred_label_alloc();
- error = mac_internalize_cred_label(intlabel, buffer);
+ error = mac_cred_internalize_label(intlabel, buffer);
free(buffer, M_MACTEMP);
if (error)
goto out;
@@ -186,7 +186,7 @@ __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
PROC_LOCK(p);
oldcred = p->p_ucred;
- error = mac_check_cred_relabel(oldcred, intlabel);
+ error = mac_cred_check_relabel(oldcred, intlabel);
if (error) {
PROC_UNLOCK(p);
crfree(newcred);
@@ -195,7 +195,7 @@ __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
setsugid(p);
crcopy(newcred, oldcred);
- mac_relabel_cred(newcred, intlabel);
+ mac_cred_relabel(newcred, intlabel);
p->p_ucred = newcred;
/*
@@ -256,10 +256,10 @@ __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap)
intlabel = mac_vnode_label_alloc();
vfslocked = VFS_LOCK_GIANT(vp->v_mount);
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
- mac_copy_vnode_label(vp->v_label, intlabel);
+ mac_vnode_copy_label(vp->v_label, intlabel);
VOP_UNLOCK(vp, 0, td);
VFS_UNLOCK_GIANT(vfslocked);
- error = mac_externalize_vnode_label(intlabel, elements,
+ error = mac_vnode_externalize_label(intlabel, elements,
buffer, mac.m_buflen);
mac_vnode_label_free(intlabel);
break;
@@ -268,9 +268,9 @@ __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap)
pipe = fp->f_data;
intlabel = mac_pipe_label_alloc();
PIPE_LOCK(pipe);
- mac_copy_pipe_label(pipe->pipe_pair->pp_label, intlabel);
+ mac_pipe_copy_label(pipe->pipe_pair->pp_label, intlabel);
PIPE_UNLOCK(pipe);
- error = mac_externalize_pipe_label(intlabel, elements,
+ error = mac_pipe_externalize_label(intlabel, elements,
buffer, mac.m_buflen);
mac_pipe_label_free(intlabel);
break;
@@ -279,9 +279,9 @@ __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap)
so = fp->f_data;
intlabel = mac_socket_label_alloc(M_WAITOK);
SOCK_LOCK(so);
- mac_copy_socket_label(so->so_label, intlabel);
+ mac_socket_copy_label(so->so_label, intlabel);
SOCK_UNLOCK(so);
- error = mac_externalize_socket_label(intlabel, elements,
+ error = mac_socket_externalize_label(intlabel, elements,
buffer, mac.m_buflen);
mac_socket_label_free(intlabel);
break;
@@ -332,8 +332,8 @@ __mac_get_file(struct thread *td, struct __mac_get_file_args *uap)
intlabel = mac_vnode_label_alloc();
vfslocked = NDHASGIANT(&nd);
- mac_copy_vnode_label(nd.ni_vp->v_label, intlabel);
- error = mac_externalize_vnode_label(intlabel, elements, buffer,
+ mac_vnode_copy_label(nd.ni_vp->v_label, intlabel);
+ error = mac_vnode_externalize_label(intlabel, elements, buffer,
mac.m_buflen);
NDFREE(&nd, 0);
@@ -382,8 +382,8 @@ __mac_get_link(struct thread *td, struct __mac_get_link_args *uap)
intlabel = mac_vnode_label_alloc();
vfslocked = NDHASGIANT(&nd);
- mac_copy_vnode_label(nd.ni_vp->v_label, intlabel);
- error = mac_externalize_vnode_label(intlabel, elements, buffer,
+ mac_vnode_copy_label(nd.ni_vp->v_label, intlabel);
+ error = mac_vnode_externalize_label(intlabel, elements, buffer,
mac.m_buflen);
NDFREE(&nd, 0);
VFS_UNLOCK_GIANT(vfslocked);
@@ -435,7 +435,7 @@ __mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap)
case DTYPE_FIFO:
case DTYPE_VNODE:
intlabel = mac_vnode_label_alloc();
- error = mac_internalize_vnode_label(intlabel, buffer);
+ error = mac_vnode_internalize_label(intlabel, buffer);
if (error) {
mac_vnode_label_free(intlabel);
break;
@@ -458,7 +458,7 @@ __mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap)
case DTYPE_PIPE:
intlabel = mac_pipe_label_alloc();
- error = mac_internalize_pipe_label(intlabel, buffer);
+ error = mac_pipe_internalize_label(intlabel, buffer);
if (error == 0) {
pipe = fp->f_data;
PIPE_LOCK(pipe);
@@ -471,7 +471,7 @@ __mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap)
case DTYPE_SOCKET:
intlabel = mac_socket_label_alloc(M_WAITOK);
- error = mac_internalize_socket_label(intlabel, buffer);
+ error = mac_socket_internalize_label(intlabel, buffer);
if (error == 0) {
so = fp->f_data;
error = mac_socket_label_set(td->td_ucred, so,
@@ -515,7 +515,7 @@ __mac_set_file(struct thread *td, struct __mac_set_file_args *uap)
}
intlabel = mac_vnode_label_alloc();
- error = mac_internalize_vnode_label(intlabel, buffer);
+ error = mac_vnode_internalize_label(intlabel, buffer);
free(buffer, M_MACTEMP);
if (error)
goto out;
@@ -566,7 +566,7 @@ __mac_set_link(struct thread *td, struct __mac_set_link_args *uap)
}
intlabel = mac_vnode_label_alloc();
- error = mac_internalize_vnode_label(intlabel, buffer);
+ error = mac_vnode_internalize_label(intlabel, buffer);
free(buffer, M_MACTEMP);
if (error)
goto out;
diff --git a/sys/security/mac/mac_system.c b/sys/security/mac/mac_system.c
index 380466e..588e019 100644
--- a/sys/security/mac/mac_system.c
+++ b/sys/security/mac/mac_system.c
@@ -1,5 +1,6 @@
/*-
* Copyright (c) 2002-2003 Networks Associates Technology, Inc.
+ * Copyright (c) 2006 SPARTA, Inc.
* Copyright (c) 2007 Robert N. M. Watson
* All rights reserved.
*
@@ -11,6 +12,9 @@
* Portions of this software were developed by Robert Watson for the
* TrustedBSD Project.
*
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract
+ * N66001-04-C-6019 ("SEFOS").
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -63,116 +67,116 @@ __FBSDID("$FreeBSD$");
#include <security/mac/mac_policy.h>
int
-mac_check_kenv_dump(struct ucred *cred)
+mac_kenv_check_dump(struct ucred *cred)
{
int error;
- MAC_CHECK(check_kenv_dump, cred);
+ MAC_CHECK(kenv_check_dump, cred);
return (error);
}
int
-mac_check_kenv_get(struct ucred *cred, char *name)
+mac_kenv_check_get(struct ucred *cred, char *name)
{
int error;
- MAC_CHECK(check_kenv_get, cred, name);
+ MAC_CHECK(kenv_check_get, cred, name);
return (error);
}
int
-mac_check_kenv_set(struct ucred *cred, char *name, char *value)
+mac_kenv_check_set(struct ucred *cred, char *name, char *value)
{
int error;
- MAC_CHECK(check_kenv_set, cred, name, value);
+ MAC_CHECK(kenv_check_set, cred, name, value);
return (error);
}
int
-mac_check_kenv_unset(struct ucred *cred, char *name)
+mac_kenv_check_unset(struct ucred *cred, char *name)
{
int error;
- MAC_CHECK(check_kenv_unset, cred, name);
+ MAC_CHECK(kenv_check_unset, cred, name);
return (error);
}
int
-mac_check_kld_load(struct ucred *cred, struct vnode *vp)
+mac_kld_check_load(struct ucred *cred, struct vnode *vp)
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_check_kld_load");
+ ASSERT_VOP_LOCKED(vp, "mac_kld_check_load");
- MAC_CHECK(check_kld_load, cred, vp, vp->v_label);
+ MAC_CHECK(kld_check_load, cred, vp, vp->v_label);
return (error);
}
int
-mac_check_kld_stat(struct ucred *cred)
+mac_kld_check_stat(struct ucred *cred)
{
int error;
- MAC_CHECK(check_kld_stat, cred);
+ MAC_CHECK(kld_check_stat, cred);
return (error);
}
int
-mac_check_system_acct(struct ucred *cred, struct vnode *vp)
+mac_system_check_acct(struct ucred *cred, struct vnode *vp)
{
int error;
if (vp != NULL) {
- ASSERT_VOP_LOCKED(vp, "mac_check_system_acct");
+ ASSERT_VOP_LOCKED(vp, "mac_system_check_acct");
}
- MAC_CHECK(check_system_acct, cred, vp,
+ MAC_CHECK(system_check_acct, cred, vp,
vp != NULL ? vp->v_label : NULL);
return (error);
}
int
-mac_check_system_reboot(struct ucred *cred, int howto)
+mac_system_check_reboot(struct ucred *cred, int howto)
{
int error;
- MAC_CHECK(check_system_reboot, cred, howto);
+ MAC_CHECK(system_check_reboot, cred, howto);
return (error);
}
int
-mac_check_system_swapon(struct ucred *cred, struct vnode *vp)
+mac_system_check_swapon(struct ucred *cred, struct vnode *vp)
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_check_system_swapon");
+ ASSERT_VOP_LOCKED(vp, "mac_system_check_swapon");
- MAC_CHECK(check_system_swapon, cred, vp, vp->v_label);
+ MAC_CHECK(system_check_swapon, cred, vp, vp->v_label);
return (error);
}
int
-mac_check_system_swapoff(struct ucred *cred, struct vnode *vp)
+mac_system_check_swapoff(struct ucred *cred, struct vnode *vp)
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_check_system_swapoff");
+ ASSERT_VOP_LOCKED(vp, "mac_system_check_swapoff");
- MAC_CHECK(check_system_swapoff, cred, vp, vp->v_label);
+ MAC_CHECK(system_check_swapoff, cred, vp, vp->v_label);
return (error);
}
int
-mac_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
+mac_system_check_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
void *arg1, int arg2, struct sysctl_req *req)
{
int error;
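Review bot: The `ASSERT_VOP_LOCKED` calls in `mac_kld_check_load`, `mac_system_check_acct`, `mac_system_check_swapon` and `mac_system_check_swapoff` spell the function name as a string literal, so every rename has to edit them by hand and a missed one would report a stale name when the lock assertion fires. Assuming the macro accepts any string expression, `ASSERT_VOP_LOCKED(vp, __func__);` keeps the message tied to the function. The mac_vfs.c hunks further down repeat the same literal-name pattern.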
@@ -181,7 +185,7 @@ mac_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
* XXXMAC: We would very much like to assert the SYSCTL_LOCK here,
* but since it's not exported from kern_sysctl.c, we can't.
*/
- MAC_CHECK(check_system_sysctl, cred, oidp, arg1, arg2, req);
+ MAC_CHECK(system_check_sysctl, cred, oidp, arg1, arg2, req);
return (error);
}
diff --git a/sys/security/mac/mac_sysv_msg.c b/sys/security/mac/mac_sysv_msg.c
index 054614b..5db6270 100644
--- a/sys/security/mac/mac_sysv_msg.c
+++ b/sys/security/mac/mac_sysv_msg.c
@@ -1,5 +1,6 @@
/*-
* Copyright (c) 2003-2004 Networks Associates Technology, Inc.
+ * Copyright (c) 2006 SPARTA, Inc.
* All rights reserved.
*
* This software was developed for the FreeBSD Project in part by Network
@@ -7,6 +8,9 @@
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
* as part of the DARPA CHATS research program.
*
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract
+ * N66001-04-C-6019 ("SEFOS").
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -58,12 +62,12 @@ mac_sysv_msgmsg_label_alloc(void)
struct label *label;
label = mac_labelzone_alloc(M_WAITOK);
- MAC_PERFORM(init_sysv_msgmsg_label, label);
+ MAC_PERFORM(sysvmsg_init_label, label);
return (label);
}
void
-mac_init_sysv_msgmsg(struct msg *msgptr)
+mac_sysvmsg_init(struct msg *msgptr)
{
msgptr->label = mac_sysv_msgmsg_label_alloc();
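Review bot: The context line `msgptr->label = mac_sysv_msgmsg_label_alloc();` shows the static helper keeping the old `sysv_msgmsg` spelling while its caller is now `mac_sysvmsg_init` and the entry point it dispatches is `sysvmsg_init_label`, so the file carries two spellings for one object. The same holds for `mac_sysv_msgqueue_label_alloc` and the `*_label_free` helpers in the following hunks, and for the `mac_sysv_sem_*` and `mac_sysv_shm_*` helpers in the next two files. Either rename the helpers to match (`mac_sysvmsg_label_alloc`, `mac_sysvmsq_label_alloc`, and so on) or leave a one-line comment that the static names are deliberately deferred to a later change in the series. The helper definitions start outside this hunk.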
@@ -75,12 +79,12 @@ mac_sysv_msgqueue_label_alloc(void)
struct label *label;
label = mac_labelzone_alloc(M_WAITOK);
- MAC_PERFORM(init_sysv_msgqueue_label, label);
+ MAC_PERFORM(sysvmsq_init_label, label);
return (label);
}
void
-mac_init_sysv_msgqueue(struct msqid_kernel *msqkptr)
+mac_sysvmsq_init(struct msqid_kernel *msqkptr)
{
msqkptr->label = mac_sysv_msgqueue_label_alloc();
@@ -90,12 +94,12 @@ static void
mac_sysv_msgmsg_label_free(struct label *label)
{
- MAC_PERFORM(destroy_sysv_msgmsg_label, label);
+ MAC_PERFORM(sysvmsg_destroy_label, label);
mac_labelzone_free(label);
}
void
-mac_destroy_sysv_msgmsg(struct msg *msgptr)
+mac_sysvmsg_destroy(struct msg *msgptr)
{
mac_sysv_msgmsg_label_free(msgptr->label);
@@ -106,12 +110,12 @@ static void
mac_sysv_msgqueue_label_free(struct label *label)
{
- MAC_PERFORM(destroy_sysv_msgqueue_label, label);
+ MAC_PERFORM(sysvmsq_destroy_label, label);
mac_labelzone_free(label);
}
void
-mac_destroy_sysv_msgqueue(struct msqid_kernel *msqkptr)
+mac_sysvmsq_destroy(struct msqid_kernel *msqkptr)
{
mac_sysv_msgqueue_label_free(msqkptr->label);
@@ -119,104 +123,104 @@ mac_destroy_sysv_msgqueue(struct msqid_kernel *msqkptr)
}
void
-mac_create_sysv_msgmsg(struct ucred *cred, struct msqid_kernel *msqkptr,
+mac_sysvmsg_create(struct ucred *cred, struct msqid_kernel *msqkptr,
struct msg *msgptr)
{
- MAC_PERFORM(create_sysv_msgmsg, cred, msqkptr, msqkptr->label,
+ MAC_PERFORM(sysvmsg_create, cred, msqkptr, msqkptr->label,
msgptr, msgptr->label);
}
void
-mac_create_sysv_msgqueue(struct ucred *cred, struct msqid_kernel *msqkptr)
+mac_sysvmsq_create(struct ucred *cred, struct msqid_kernel *msqkptr)
{
- MAC_PERFORM(create_sysv_msgqueue, cred, msqkptr, msqkptr->label);
+ MAC_PERFORM(sysvmsq_create, cred, msqkptr, msqkptr->label);
}
void
-mac_cleanup_sysv_msgmsg(struct msg *msgptr)
+mac_sysvmsg_cleanup(struct msg *msgptr)
{
- MAC_PERFORM(cleanup_sysv_msgmsg, msgptr->label);
+ MAC_PERFORM(sysvmsg_cleanup, msgptr->label);
}
void
-mac_cleanup_sysv_msgqueue(struct msqid_kernel *msqkptr)
+mac_sysvmsq_cleanup(struct msqid_kernel *msqkptr)
{
- MAC_PERFORM(cleanup_sysv_msgqueue, msqkptr->label);
+ MAC_PERFORM(sysvmsq_cleanup, msqkptr->label);
}
int
-mac_check_sysv_msgmsq(struct ucred *cred, struct msg *msgptr,
+mac_sysvmsq_check_msgmsq(struct ucred *cred, struct msg *msgptr,
struct msqid_kernel *msqkptr)
{
int error;
- MAC_CHECK(check_sysv_msgmsq, cred, msgptr, msgptr->label, msqkptr,
- msqkptr->label);
+ MAC_CHECK(sysvmsq_check_msgmsq, cred, msgptr, msgptr->label,
+ msqkptr, msqkptr->label);
return (error);
}
int
-mac_check_sysv_msgrcv(struct ucred *cred, struct msg *msgptr)
+mac_sysvmsq_check_msgrcv(struct ucred *cred, struct msg *msgptr)
{
int error;
- MAC_CHECK(check_sysv_msgrcv, cred, msgptr, msgptr->label);
+ MAC_CHECK(sysvmsq_check_msgrcv, cred, msgptr, msgptr->label);
return (error);
}
int
-mac_check_sysv_msgrmid(struct ucred *cred, struct msg *msgptr)
+mac_sysvmsq_check_msgrmid(struct ucred *cred, struct msg *msgptr)
{
int error;
- MAC_CHECK(check_sysv_msgrmid, cred, msgptr, msgptr->label);
+ MAC_CHECK(sysvmsq_check_msgrmid, cred, msgptr, msgptr->label);
return (error);
}
int
-mac_check_sysv_msqget(struct ucred *cred, struct msqid_kernel *msqkptr)
+mac_sysvmsq_check_msqget(struct ucred *cred, struct msqid_kernel *msqkptr)
{
int error;
- MAC_CHECK(check_sysv_msqget, cred, msqkptr, msqkptr->label);
+ MAC_CHECK(sysvmsq_check_msqget, cred, msqkptr, msqkptr->label);
return (error);
}
int
-mac_check_sysv_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr)
+mac_sysvmsq_check_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr)
{
int error;
- MAC_CHECK(check_sysv_msqsnd, cred, msqkptr, msqkptr->label);
+ MAC_CHECK(sysvmsq_check_msqsnd, cred, msqkptr, msqkptr->label);
return (error);
}
int
-mac_check_sysv_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr)
+mac_sysvmsq_check_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr)
{
int error;
- MAC_CHECK(check_sysv_msqrcv, cred, msqkptr, msqkptr->label);
+ MAC_CHECK(sysvmsq_check_msqrcv, cred, msqkptr, msqkptr->label);
return (error);
}
int
-mac_check_sysv_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr,
+mac_sysvmsq_check_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr,
int cmd)
{
int error;
- MAC_CHECK(check_sysv_msqctl, cred, msqkptr, msqkptr->label, cmd);
+ MAC_CHECK(sysvmsq_check_msqctl, cred, msqkptr, msqkptr->label, cmd);
return (error);
}
diff --git a/sys/security/mac/mac_sysv_sem.c b/sys/security/mac/mac_sysv_sem.c
index e77331e..5f7c4f9 100644
--- a/sys/security/mac/mac_sysv_sem.c
+++ b/sys/security/mac/mac_sysv_sem.c
@@ -1,5 +1,6 @@
/*-
* Copyright (c) 2003-2004 Networks Associates Technology, Inc.
+ * Copyright (c) 2006 SPARTA, Inc.
* All rights reserved.
*
* This software was developed for the FreeBSD Project in part by Network
@@ -7,6 +8,9 @@
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
* as part of the DARPA CHATS research program.
*
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract
+ * N66001-04-C-6019 ("SEFOS").
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -58,12 +62,12 @@ mac_sysv_sem_label_alloc(void)
struct label *label;
label = mac_labelzone_alloc(M_WAITOK);
- MAC_PERFORM(init_sysv_sem_label, label);
+ MAC_PERFORM(sysvsem_init_label, label);
return (label);
}
void
-mac_init_sysv_sem(struct semid_kernel *semakptr)
+mac_sysvsem_init(struct semid_kernel *semakptr)
{
semakptr->label = mac_sysv_sem_label_alloc();
@@ -73,12 +77,12 @@ static void
mac_sysv_sem_label_free(struct label *label)
{
- MAC_PERFORM(destroy_sysv_sem_label, label);
+ MAC_PERFORM(sysvsem_destroy_label, label);
mac_labelzone_free(label);
}
void
-mac_destroy_sysv_sem(struct semid_kernel *semakptr)
+mac_sysvsem_destroy(struct semid_kernel *semakptr)
{
mac_sysv_sem_label_free(semakptr->label);
@@ -86,47 +90,48 @@ mac_destroy_sysv_sem(struct semid_kernel *semakptr)
}
void
-mac_create_sysv_sem(struct ucred *cred, struct semid_kernel *semakptr)
+mac_sysvsem_create(struct ucred *cred, struct semid_kernel *semakptr)
{
- MAC_PERFORM(create_sysv_sem, cred, semakptr, semakptr->label);
+ MAC_PERFORM(sysvsem_create, cred, semakptr, semakptr->label);
}
void
-mac_cleanup_sysv_sem(struct semid_kernel *semakptr)
+mac_sysvsem_cleanup(struct semid_kernel *semakptr)
{
- MAC_PERFORM(cleanup_sysv_sem, semakptr->label);
+ MAC_PERFORM(sysvsem_cleanup, semakptr->label);
}
int
-mac_check_sysv_semctl(struct ucred *cred, struct semid_kernel *semakptr,
+mac_sysvsem_check_semctl(struct ucred *cred, struct semid_kernel *semakptr,
int cmd)
{
int error;
- MAC_CHECK(check_sysv_semctl, cred, semakptr, semakptr->label, cmd);
+ MAC_CHECK(sysvsem_check_semctl, cred, semakptr, semakptr->label,
+ cmd);
return (error);
}
int
-mac_check_sysv_semget(struct ucred *cred, struct semid_kernel *semakptr)
+mac_sysvsem_check_semget(struct ucred *cred, struct semid_kernel *semakptr)
{
int error;
- MAC_CHECK(check_sysv_semget, cred, semakptr, semakptr->label);
+ MAC_CHECK(sysvsem_check_semget, cred, semakptr, semakptr->label);
return (error);
}
int
-mac_check_sysv_semop(struct ucred *cred, struct semid_kernel *semakptr,
+mac_sysvsem_check_semop(struct ucred *cred, struct semid_kernel *semakptr,
size_t accesstype)
{
int error;
- MAC_CHECK(check_sysv_semop, cred, semakptr, semakptr->label,
+ MAC_CHECK(sysvsem_check_semop, cred, semakptr, semakptr->label,
accesstype);
return (error);
diff --git a/sys/security/mac/mac_sysv_shm.c b/sys/security/mac/mac_sysv_shm.c
index 6cabeb4..05ec1e1 100644
--- a/sys/security/mac/mac_sysv_shm.c
+++ b/sys/security/mac/mac_sysv_shm.c
@@ -1,5 +1,6 @@
/*-
* Copyright (c) 2003-2004 Networks Associates Technology, Inc.
+ * Copyright (c) 2006 SPARTA, Inc.
* All rights reserved.
*
* This software was developed for the FreeBSD Project in part by Network
@@ -7,6 +8,9 @@
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
* as part of the DARPA CHATS research program.
*
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract
+ * N66001-04-C-6019 ("SEFOS").
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -58,12 +62,12 @@ mac_sysv_shm_label_alloc(void)
struct label *label;
label = mac_labelzone_alloc(M_WAITOK);
- MAC_PERFORM(init_sysv_shm_label, label);
+ MAC_PERFORM(sysvshm_init_label, label);
return (label);
}
void
-mac_init_sysv_shm(struct shmid_kernel *shmsegptr)
+mac_sysvshm_init(struct shmid_kernel *shmsegptr)
{
shmsegptr->label = mac_sysv_shm_label_alloc();
@@ -73,12 +77,12 @@ static void
mac_sysv_shm_label_free(struct label *label)
{
- MAC_PERFORM(destroy_sysv_shm_label, label);
+ MAC_PERFORM(sysvshm_destroy_label, label);
mac_labelzone_free(label);
}
void
-mac_destroy_sysv_shm(struct shmid_kernel *shmsegptr)
+mac_sysvshm_destroy(struct shmid_kernel *shmsegptr)
{
mac_sysv_shm_label_free(shmsegptr->label);
@@ -86,60 +90,60 @@ mac_destroy_sysv_shm(struct shmid_kernel *shmsegptr)
}
void
-mac_create_sysv_shm(struct ucred *cred, struct shmid_kernel *shmsegptr)
+mac_sysvshm_create(struct ucred *cred, struct shmid_kernel *shmsegptr)
{
- MAC_PERFORM(create_sysv_shm, cred, shmsegptr, shmsegptr->label);
+ MAC_PERFORM(sysvshm_create, cred, shmsegptr, shmsegptr->label);
}
void
-mac_cleanup_sysv_shm(struct shmid_kernel *shmsegptr)
+mac_sysvshm_cleanup(struct shmid_kernel *shmsegptr)
{
- MAC_PERFORM(cleanup_sysv_shm, shmsegptr->label);
+ MAC_PERFORM(sysvshm_cleanup, shmsegptr->label);
}
int
-mac_check_sysv_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr,
+mac_sysvshm_check_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr,
int shmflg)
{
int error;
- MAC_CHECK(check_sysv_shmat, cred, shmsegptr, shmsegptr->label,
+ MAC_CHECK(sysvshm_check_shmat, cred, shmsegptr, shmsegptr->label,
shmflg);
return (error);
}
int
-mac_check_sysv_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr,
+mac_sysvshm_check_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr,
int cmd)
{
int error;
- MAC_CHECK(check_sysv_shmctl, cred, shmsegptr, shmsegptr->label,
+ MAC_CHECK(sysvshm_check_shmctl, cred, shmsegptr, shmsegptr->label,
cmd);
return (error);
}
int
-mac_check_sysv_shmdt(struct ucred *cred, struct shmid_kernel *shmsegptr)
+mac_sysvshm_check_shmdt(struct ucred *cred, struct shmid_kernel *shmsegptr)
{
int error;
- MAC_CHECK(check_sysv_shmdt, cred, shmsegptr, shmsegptr->label);
+ MAC_CHECK(sysvshm_check_shmdt, cred, shmsegptr, shmsegptr->label);
return (error);
}
int
-mac_check_sysv_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr,
+mac_sysvshm_check_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr,
int shmflg)
{
int error;
- MAC_CHECK(check_sysv_shmget, cred, shmsegptr, shmsegptr->label,
+ MAC_CHECK(sysvshm_check_shmget, cred, shmsegptr, shmsegptr->label,
shmflg);
return (error);
diff --git a/sys/security/mac/mac_vfs.c b/sys/security/mac/mac_vfs.c
index ad6a0e6..d6546f6 100644
--- a/sys/security/mac/mac_vfs.c
+++ b/sys/security/mac/mac_vfs.c
@@ -77,7 +77,7 @@ __FBSDID("$FreeBSD$");
*/
static int ea_warn_once = 0;
-static int mac_setlabel_vnode_extattr(struct ucred *cred,
+static int mac_vnode_setlabel_extattr(struct ucred *cred,
struct vnode *vp, struct label *intlabel);
static struct label *
@@ -86,12 +86,12 @@ mac_devfs_label_alloc(void)
struct label *label;
label = mac_labelzone_alloc(M_WAITOK);
- MAC_PERFORM(init_devfs_label, label);
+ MAC_PERFORM(devfs_init_label, label);
return (label);
}
void
-mac_init_devfs(struct devfs_dirent *de)
+mac_devfs_init(struct devfs_dirent *de)
{
de->de_label = mac_devfs_label_alloc();
@@ -103,12 +103,12 @@ mac_mount_label_alloc(void)
struct label *label;
label = mac_labelzone_alloc(M_WAITOK);
- MAC_PERFORM(init_mount_label, label);
+ MAC_PERFORM(mount_init_label, label);
return (label);
}
void
-mac_init_mount(struct mount *mp)
+mac_mount_init(struct mount *mp)
{
mp->mnt_label = mac_mount_label_alloc();
@@ -120,12 +120,12 @@ mac_vnode_label_alloc(void)
struct label *label;
label = mac_labelzone_alloc(M_WAITOK);
- MAC_PERFORM(init_vnode_label, label);
+ MAC_PERFORM(vnode_init_label, label);
return (label);
}
void
-mac_init_vnode(struct vnode *vp)
+mac_vnode_init(struct vnode *vp)
{
vp->v_label = mac_vnode_label_alloc();
@@ -135,12 +135,12 @@ static void
mac_devfs_label_free(struct label *label)
{
- MAC_PERFORM(destroy_devfs_label, label);
+ MAC_PERFORM(devfs_destroy_label, label);
mac_labelzone_free(label);
}
void
-mac_destroy_devfs(struct devfs_dirent *de)
+mac_devfs_destroy(struct devfs_dirent *de)
{
mac_devfs_label_free(de->de_label);
@@ -151,12 +151,12 @@ static void
mac_mount_label_free(struct label *label)
{
- MAC_PERFORM(destroy_mount_label, label);
+ MAC_PERFORM(mount_destroy_label, label);
mac_labelzone_free(label);
}
void
-mac_destroy_mount(struct mount *mp)
+mac_mount_destroy(struct mount *mp)
{
mac_mount_label_free(mp->mnt_label);
@@ -167,12 +167,12 @@ void
mac_vnode_label_free(struct label *label)
{
- MAC_PERFORM(destroy_vnode_label, label);
+ MAC_PERFORM(vnode_destroy_label, label);
mac_labelzone_free(label);
}
void
-mac_destroy_vnode(struct vnode *vp)
+mac_vnode_destroy(struct vnode *vp)
{
mac_vnode_label_free(vp->v_label);
@@ -180,14 +180,14 @@ mac_destroy_vnode(struct vnode *vp)
}
void
-mac_copy_vnode_label(struct label *src, struct label *dest)
+mac_vnode_copy_label(struct label *src, struct label *dest)
{
- MAC_PERFORM(copy_vnode_label, src, dest);
+ MAC_PERFORM(vnode_copy_label, src, dest);
}
int
-mac_externalize_vnode_label(struct label *label, char *elements,
+mac_vnode_externalize_label(struct label *label, char *elements,
char *outbuf, size_t outbuflen)
{
int error;
@@ -198,7 +198,7 @@ mac_externalize_vnode_label(struct label *label, char *elements,
}
int
-mac_internalize_vnode_label(struct label *label, char *string)
+mac_vnode_internalize_label(struct label *label, char *string)
{
int error;
@@ -208,39 +208,39 @@ mac_internalize_vnode_label(struct label *label, char *string)
}
void
-mac_update_devfs(struct mount *mp, struct devfs_dirent *de, struct vnode *vp)
+mac_devfs_update(struct mount *mp, struct devfs_dirent *de, struct vnode *vp)
{
- MAC_PERFORM(update_devfs, mp, de, de->de_label, vp, vp->v_label);
+ MAC_PERFORM(devfs_update, mp, de, de->de_label, vp, vp->v_label);
}
void
-mac_associate_vnode_devfs(struct mount *mp, struct devfs_dirent *de,
+mac_devfs_vnode_associate(struct mount *mp, struct devfs_dirent *de,
struct vnode *vp)
{
- MAC_PERFORM(associate_vnode_devfs, mp, mp->mnt_label, de,
+ MAC_PERFORM(devfs_vnode_associate, mp, mp->mnt_label, de,
de->de_label, vp, vp->v_label);
}
int
-mac_associate_vnode_extattr(struct mount *mp, struct vnode *vp)
+mac_vnode_associate_extattr(struct mount *mp, struct vnode *vp)
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_associate_vnode_extattr");
+ ASSERT_VOP_LOCKED(vp, "mac_vnode_associate_extattr");
- MAC_CHECK(associate_vnode_extattr, mp, mp->mnt_label, vp,
+ MAC_CHECK(vnode_associate_extattr, mp, mp->mnt_label, vp,
vp->v_label);
return (error);
}
void
-mac_associate_vnode_singlelabel(struct mount *mp, struct vnode *vp)
+mac_vnode_associate_singlelabel(struct mount *mp, struct vnode *vp)
{
- MAC_PERFORM(associate_vnode_singlelabel, mp, mp->mnt_label, vp,
+ MAC_PERFORM(vnode_associate_singlelabel, mp, mp->mnt_label, vp,
vp->v_label);
}
@@ -254,13 +254,13 @@ mac_associate_vnode_singlelabel(struct mount *mp, struct vnode *vp)
* printf warning.
*/
int
-mac_create_vnode_extattr(struct ucred *cred, struct mount *mp,
+mac_vnode_create_extattr(struct ucred *cred, struct mount *mp,
struct vnode *dvp, struct vnode *vp, struct componentname *cnp)
{
int error;
- ASSERT_VOP_LOCKED(dvp, "mac_create_vnode_extattr");
- ASSERT_VOP_LOCKED(vp, "mac_create_vnode_extattr");
+ ASSERT_VOP_LOCKED(dvp, "mac_vnode_create_extattr");
+ ASSERT_VOP_LOCKED(vp, "mac_vnode_create_extattr");
error = VOP_OPENEXTATTR(vp, cred, curthread);
if (error == EOPNOTSUPP) {
@@ -272,7 +272,7 @@ mac_create_vnode_extattr(struct ucred *cred, struct mount *mp,
} else if (error)
return (error);
- MAC_CHECK(create_vnode_extattr, cred, mp, mp->mnt_label, dvp,
+ MAC_CHECK(vnode_create_extattr, cred, mp, mp->mnt_label, dvp,
dvp->v_label, vp, vp->v_label, cnp);
if (error) {
@@ -288,12 +288,12 @@ mac_create_vnode_extattr(struct ucred *cred, struct mount *mp,
}
static int
-mac_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
+mac_vnode_setlabel_extattr(struct ucred *cred, struct vnode *vp,
struct label *intlabel)
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_setlabel_vnode_extattr");
+ ASSERT_VOP_LOCKED(vp, "mac_vnode_setlabel_extattr");
error = VOP_OPENEXTATTR(vp, cred, curthread);
if (error == EOPNOTSUPP) {
@@ -305,7 +305,7 @@ mac_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
} else if (error)
return (error);
- MAC_CHECK(setlabel_vnode_extattr, cred, vp, vp->v_label, intlabel);
+ MAC_CHECK(vnode_setlabel_extattr, cred, vp, vp->v_label, intlabel);
if (error) {
VOP_CLOSEEXTATTR(vp, 0, NOCRED, curthread);
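Review bot: On the failure path after `MAC_CHECK(vnode_setlabel_extattr, ...)`, the result of `VOP_CLOSEEXTATTR(vp, 0, NOCRED, curthread)` is dropped, and the call passes `NOCRED` although the matching `VOP_OPENEXTATTR` in the previous hunk was given `cred`. If the `0` is the no-commit flag, ignoring the result is reasonable, but the code should say so, e.g. `/* Policy refused: abort the extattr transaction; close errors are ignored. */`. It would also help to note why the close does not need the caller's credential. The function body continues outside this hunk.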
@@ -320,487 +320,488 @@ mac_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
}
void
-mac_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp,
- struct label *interpvnodelabel, struct image_params *imgp)
+mac_vnode_execve_transition(struct ucred *old, struct ucred *new,
+ struct vnode *vp, struct label *interpvnodelabel,
+ struct image_params *imgp)
{
- ASSERT_VOP_LOCKED(vp, "mac_execve_transition");
+ ASSERT_VOP_LOCKED(vp, "mac_vnode_execve_transition");
- MAC_PERFORM(execve_transition, old, new, vp, vp->v_label,
+ MAC_PERFORM(vnode_execve_transition, old, new, vp, vp->v_label,
interpvnodelabel, imgp, imgp->execlabel);
}
int
-mac_execve_will_transition(struct ucred *old, struct vnode *vp,
+mac_vnode_execve_will_transition(struct ucred *old, struct vnode *vp,
struct label *interpvnodelabel, struct image_params *imgp)
{
int result;
- ASSERT_VOP_LOCKED(vp, "mac_execve_will_transition");
+ ASSERT_VOP_LOCKED(vp, "mac_vnode_execve_will_transition");
result = 0;
- MAC_BOOLEAN(execve_will_transition, ||, old, vp, vp->v_label,
+ MAC_BOOLEAN(vnode_execve_will_transition, ||, old, vp, vp->v_label,
interpvnodelabel, imgp, imgp->execlabel);
return (result);
}
int
-mac_check_vnode_access(struct ucred *cred, struct vnode *vp, int acc_mode)
+mac_vnode_check_access(struct ucred *cred, struct vnode *vp, int acc_mode)
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_access");
+ ASSERT_VOP_LOCKED(vp, "mac_vnode_check_access");
- MAC_CHECK(check_vnode_access, cred, vp, vp->v_label, acc_mode);
+ MAC_CHECK(vnode_check_access, cred, vp, vp->v_label, acc_mode);
return (error);
}
int
-mac_check_vnode_chdir(struct ucred *cred, struct vnode *dvp)
+mac_vnode_check_chdir(struct ucred *cred, struct vnode *dvp)
{
int error;
- ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_chdir");
+ ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_chdir");
- MAC_CHECK(check_vnode_chdir, cred, dvp, dvp->v_label);
+ MAC_CHECK(vnode_check_chdir, cred, dvp, dvp->v_label);
return (error);
}
int
-mac_check_vnode_chroot(struct ucred *cred, struct vnode *dvp)
+mac_vnode_check_chroot(struct ucred *cred, struct vnode *dvp)
{
int error;
- ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_chroot");
+ ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_chroot");
- MAC_CHECK(check_vnode_chroot, cred, dvp, dvp->v_label);
+ MAC_CHECK(vnode_check_chroot, cred, dvp, dvp->v_label);
return (error);
}
int
-mac_check_vnode_create(struct ucred *cred, struct vnode *dvp,
+mac_vnode_check_create(struct ucred *cred, struct vnode *dvp,
struct componentname *cnp, struct vattr *vap)
{
int error;
- ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_create");
+ ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_create");
- MAC_CHECK(check_vnode_create, cred, dvp, dvp->v_label, cnp, vap);
+ MAC_CHECK(vnode_check_create, cred, dvp, dvp->v_label, cnp, vap);
return (error);
}
int
-mac_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
+mac_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp,
acl_type_t type)
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_deleteacl");
+ ASSERT_VOP_LOCKED(vp, "mac_vnode_check_deleteacl");
- MAC_CHECK(check_vnode_deleteacl, cred, vp, vp->v_label, type);
+ MAC_CHECK(vnode_check_deleteacl, cred, vp, vp->v_label, type);
return (error);
}
int
-mac_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
+mac_vnode_check_deleteextattr(struct ucred *cred, struct vnode *vp,
int attrnamespace, const char *name)
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_deleteextattr");
+ ASSERT_VOP_LOCKED(vp, "mac_vnode_check_deleteextattr");
- MAC_CHECK(check_vnode_deleteextattr, cred, vp, vp->v_label,
+ MAC_CHECK(vnode_check_deleteextattr, cred, vp, vp->v_label,
attrnamespace, name);
return (error);
}
int
-mac_check_vnode_exec(struct ucred *cred, struct vnode *vp,
+mac_vnode_check_exec(struct ucred *cred, struct vnode *vp,
struct image_params *imgp)
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_exec");
+ ASSERT_VOP_LOCKED(vp, "mac_vnode_check_exec");
- MAC_CHECK(check_vnode_exec, cred, vp, vp->v_label, imgp,
+ MAC_CHECK(vnode_check_exec, cred, vp, vp->v_label, imgp,
imgp->execlabel);
return (error);
}
int
-mac_check_vnode_getacl(struct ucred *cred, struct vnode *vp, acl_type_t type)
+mac_vnode_check_getacl(struct ucred *cred, struct vnode *vp, acl_type_t type)
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_getacl");
+ ASSERT_VOP_LOCKED(vp, "mac_vnode_check_getacl");
- MAC_CHECK(check_vnode_getacl, cred, vp, vp->v_label, type);
+ MAC_CHECK(vnode_check_getacl, cred, vp, vp->v_label, type);
return (error);
}
int
-mac_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
+mac_vnode_check_getextattr(struct ucred *cred, struct vnode *vp,
int attrnamespace, const char *name, struct uio *uio)
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_getextattr");
+ ASSERT_VOP_LOCKED(vp, "mac_vnode_check_getextattr");
- MAC_CHECK(check_vnode_getextattr, cred, vp, vp->v_label,
+ MAC_CHECK(vnode_check_getextattr, cred, vp, vp->v_label,
attrnamespace, name, uio);
return (error);
}
int
-mac_check_vnode_link(struct ucred *cred, struct vnode *dvp,
+mac_vnode_check_link(struct ucred *cred, struct vnode *dvp,
struct vnode *vp, struct componentname *cnp)
{
int error;
- ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_link");
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_link");
+ ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_link");
+ ASSERT_VOP_LOCKED(vp, "mac_vnode_check_link");
- MAC_CHECK(check_vnode_link, cred, dvp, dvp->v_label, vp,
+ MAC_CHECK(vnode_check_link, cred, dvp, dvp->v_label, vp,
vp->v_label, cnp);
return (error);
}
int
-mac_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
+mac_vnode_check_listextattr(struct ucred *cred, struct vnode *vp,
int attrnamespace)
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_listextattr");
+ ASSERT_VOP_LOCKED(vp, "mac_vnode_check_listextattr");
- MAC_CHECK(check_vnode_listextattr, cred, vp, vp->v_label,
+ MAC_CHECK(vnode_check_listextattr, cred, vp, vp->v_label,
attrnamespace);
return (error);
}
int
-mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
+mac_vnode_check_lookup(struct ucred *cred, struct vnode *dvp,
struct componentname *cnp)
{
int error;
- ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_lookup");
+ ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_lookup");
- MAC_CHECK(check_vnode_lookup, cred, dvp, dvp->v_label, cnp);
+ MAC_CHECK(vnode_check_lookup, cred, dvp, dvp->v_label, cnp);
return (error);
}
int
-mac_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
+mac_vnode_check_mmap(struct ucred *cred, struct vnode *vp,
int prot, int flags)
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_mmap");
+ ASSERT_VOP_LOCKED(vp, "mac_vnode_check_mmap");
- MAC_CHECK(check_vnode_mmap, cred, vp, vp->v_label, prot, flags);
+ MAC_CHECK(vnode_check_mmap, cred, vp, vp->v_label, prot, flags);
return (error);
}
void
-mac_check_vnode_mmap_downgrade(struct ucred *cred, struct vnode *vp, int *prot)
+mac_vnode_check_mmap_downgrade(struct ucred *cred, struct vnode *vp, int *prot)
{
int result = *prot;
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_mmap_downgrade");
+ ASSERT_VOP_LOCKED(vp, "mac_vnode_check_mmap_downgrade");
- MAC_PERFORM(check_vnode_mmap_downgrade, cred, vp, vp->v_label,
+ MAC_PERFORM(vnode_check_mmap_downgrade, cred, vp, vp->v_label,
&result);
*prot = result;
}
int
-mac_check_vnode_mprotect(struct ucred *cred, struct vnode *vp, int prot)
+mac_vnode_check_mprotect(struct ucred *cred, struct vnode *vp, int prot)
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_mprotect");
+ ASSERT_VOP_LOCKED(vp, "mac_vnode_check_mprotect");
- MAC_CHECK(check_vnode_mprotect, cred, vp, vp->v_label, prot);
+ MAC_CHECK(vnode_check_mprotect, cred, vp, vp->v_label, prot);
return (error);
}
int
-mac_check_vnode_open(struct ucred *cred, struct vnode *vp, int acc_mode)
+mac_vnode_check_open(struct ucred *cred, struct vnode *vp, int acc_mode)
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open");
+ ASSERT_VOP_LOCKED(vp, "mac_vnode_check_open");
- MAC_CHECK(check_vnode_open, cred, vp, vp->v_label, acc_mode);
+ MAC_CHECK(vnode_check_open, cred, vp, vp->v_label, acc_mode);
return (error);
}
int
-mac_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
+mac_vnode_check_poll(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp)
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_poll");
+ ASSERT_VOP_LOCKED(vp, "mac_vnode_check_poll");
- MAC_CHECK(check_vnode_poll, active_cred, file_cred, vp,
+ MAC_CHECK(vnode_check_poll, active_cred, file_cred, vp,
vp->v_label);
return (error);
}
int
-mac_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
+mac_vnode_check_read(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp)
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_read");
+ ASSERT_VOP_LOCKED(vp, "mac_vnode_check_read");
- MAC_CHECK(check_vnode_read, active_cred, file_cred, vp,
+ MAC_CHECK(vnode_check_read, active_cred, file_cred, vp,
vp->v_label);
return (error);
}
int
-mac_check_vnode_readdir(struct ucred *cred, struct vnode *dvp)
+mac_vnode_check_readdir(struct ucred *cred, struct vnode *dvp)
{
int error;
- ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_readdir");
+ ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_readdir");
- MAC_CHECK(check_vnode_readdir, cred, dvp, dvp->v_label);
+ MAC_CHECK(vnode_check_readdir, cred, dvp, dvp->v_label);
return (error);
}
int
-mac_check_vnode_readlink(struct ucred *cred, struct vnode *vp)
+mac_vnode_check_readlink(struct ucred *cred, struct vnode *vp)
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_readlink");
+ ASSERT_VOP_LOCKED(vp, "mac_vnode_check_readlink");
- MAC_CHECK(check_vnode_readlink, cred, vp, vp->v_label);
+ MAC_CHECK(vnode_check_readlink, cred, vp, vp->v_label);
return (error);
}
static int
-mac_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
+mac_vnode_check_relabel(struct ucred *cred, struct vnode *vp,
struct label *newlabel)
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_relabel");
+ ASSERT_VOP_LOCKED(vp, "mac_vnode_check_relabel");
- MAC_CHECK(check_vnode_relabel, cred, vp, vp->v_label, newlabel);
+ MAC_CHECK(vnode_check_relabel, cred, vp, vp->v_label, newlabel);
return (error);
}
int
-mac_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
+mac_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp,
struct vnode *vp, struct componentname *cnp)
{
int error;
- ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_rename_from");
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_rename_from");
+ ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_rename_from");
+ ASSERT_VOP_LOCKED(vp, "mac_vnode_check_rename_from");
- MAC_CHECK(check_vnode_rename_from, cred, dvp, dvp->v_label, vp,
+ MAC_CHECK(vnode_check_rename_from, cred, dvp, dvp->v_label, vp,
vp->v_label, cnp);
return (error);
}
int
-mac_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
+mac_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp,
struct vnode *vp, int samedir, struct componentname *cnp)
{
int error;
- ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_rename_to");
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_rename_to");
+ ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_rename_to");
+ ASSERT_VOP_LOCKED(vp, "mac_vnode_check_rename_to");
- MAC_CHECK(check_vnode_rename_to, cred, dvp, dvp->v_label, vp,
+ MAC_CHECK(vnode_check_rename_to, cred, dvp, dvp->v_label, vp,
vp != NULL ? vp->v_label : NULL, samedir, cnp);
return (error);
}
int
-mac_check_vnode_revoke(struct ucred *cred, struct vnode *vp)
+mac_vnode_check_revoke(struct ucred *cred, struct vnode *vp)
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_revoke");
+ ASSERT_VOP_LOCKED(vp, "mac_vnode_check_revoke");
- MAC_CHECK(check_vnode_revoke, cred, vp, vp->v_label);
+ MAC_CHECK(vnode_check_revoke, cred, vp, vp->v_label);
return (error);
}
int
-mac_check_vnode_setacl(struct ucred *cred, struct vnode *vp, acl_type_t type,
+mac_vnode_check_setacl(struct ucred *cred, struct vnode *vp, acl_type_t type,
struct acl *acl)
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setacl");
+ ASSERT_VOP_LOCKED(vp, "mac_vnode_check_setacl");
- MAC_CHECK(check_vnode_setacl, cred, vp, vp->v_label, type, acl);
+ MAC_CHECK(vnode_check_setacl, cred, vp, vp->v_label, type, acl);
return (error);
}
int
-mac_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
+mac_vnode_check_setextattr(struct ucred *cred, struct vnode *vp,
int attrnamespace, const char *name, struct uio *uio)
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setextattr");
+ ASSERT_VOP_LOCKED(vp, "mac_vnode_check_setextattr");
- MAC_CHECK(check_vnode_setextattr, cred, vp, vp->v_label,
+ MAC_CHECK(vnode_check_setextattr, cred, vp, vp->v_label,
attrnamespace, name, uio);
return (error);
}
int
-mac_check_vnode_setflags(struct ucred *cred, struct vnode *vp, u_long flags)
+mac_vnode_check_setflags(struct ucred *cred, struct vnode *vp, u_long flags)
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setflags");
+ ASSERT_VOP_LOCKED(vp, "mac_vnode_check_setflags");
- MAC_CHECK(check_vnode_setflags, cred, vp, vp->v_label, flags);
+ MAC_CHECK(vnode_check_setflags, cred, vp, vp->v_label, flags);
return (error);
}
int
-mac_check_vnode_setmode(struct ucred *cred, struct vnode *vp, mode_t mode)
+mac_vnode_check_setmode(struct ucred *cred, struct vnode *vp, mode_t mode)
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setmode");
+ ASSERT_VOP_LOCKED(vp, "mac_vnode_check_setmode");
- MAC_CHECK(check_vnode_setmode, cred, vp, vp->v_label, mode);
+ MAC_CHECK(vnode_check_setmode, cred, vp, vp->v_label, mode);
return (error);
}
int
-mac_check_vnode_setowner(struct ucred *cred, struct vnode *vp, uid_t uid,
+mac_vnode_check_setowner(struct ucred *cred, struct vnode *vp, uid_t uid,
gid_t gid)
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setowner");
+ ASSERT_VOP_LOCKED(vp, "mac_vnode_check_setowner");
- MAC_CHECK(check_vnode_setowner, cred, vp, vp->v_label, uid, gid);
+ MAC_CHECK(vnode_check_setowner, cred, vp, vp->v_label, uid, gid);
return (error);
}
int
-mac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
+mac_vnode_check_setutimes(struct ucred *cred, struct vnode *vp,
struct timespec atime, struct timespec mtime)
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setutimes");
+ ASSERT_VOP_LOCKED(vp, "mac_vnode_check_setutimes");
- MAC_CHECK(check_vnode_setutimes, cred, vp, vp->v_label, atime,
+ MAC_CHECK(vnode_check_setutimes, cred, vp, vp->v_label, atime,
mtime);
return (error);
}
int
-mac_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
+mac_vnode_check_stat(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp)
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_stat");
+ ASSERT_VOP_LOCKED(vp, "mac_vnode_check_stat");
- MAC_CHECK(check_vnode_stat, active_cred, file_cred, vp,
+ MAC_CHECK(vnode_check_stat, active_cred, file_cred, vp,
vp->v_label);
return (error);
}
int
-mac_check_vnode_unlink(struct ucred *cred, struct vnode *dvp, struct vnode *vp,
+mac_vnode_check_unlink(struct ucred *cred, struct vnode *dvp, struct vnode *vp,
struct componentname *cnp)
{
int error;
- ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_unlink");
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_unlink");
+ ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_unlink");
+ ASSERT_VOP_LOCKED(vp, "mac_vnode_check_unlink");
- MAC_CHECK(check_vnode_unlink, cred, dvp, dvp->v_label, vp,
+ MAC_CHECK(vnode_check_unlink, cred, dvp, dvp->v_label, vp,
vp->v_label, cnp);
return (error);
}
int
-mac_check_vnode_write(struct ucred *active_cred, struct ucred *file_cred,
+mac_vnode_check_write(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp)
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_write");
+ ASSERT_VOP_LOCKED(vp, "mac_vnode_check_write");
- MAC_CHECK(check_vnode_write, active_cred, file_cred, vp,
+ MAC_CHECK(vnode_check_write, active_cred, file_cred, vp,
vp->v_label);
return (error);
}
void
-mac_relabel_vnode(struct ucred *cred, struct vnode *vp, struct label *newlabel)
+mac_vnode_relabel(struct ucred *cred, struct vnode *vp, struct label *newlabel)
{
- MAC_PERFORM(relabel_vnode, cred, vp, vp->v_label, newlabel);
+ MAC_PERFORM(vnode_relabel, cred, vp, vp->v_label, newlabel);
}
void
-mac_create_mount(struct ucred *cred, struct mount *mp)
+mac_mount_create(struct ucred *cred, struct mount *mp)
{
- MAC_PERFORM(create_mount, cred, mp, mp->mnt_label);
+ MAC_PERFORM(mount_create, cred, mp, mp->mnt_label);
}
int
-mac_check_mount_stat(struct ucred *cred, struct mount *mount)
+mac_mount_check_stat(struct ucred *cred, struct mount *mount)
{
int error;
- MAC_CHECK(check_mount_stat, cred, mount, mount->mnt_label);
+ MAC_CHECK(mount_check_stat, cred, mount, mount->mnt_label);
return (error);
}
void
-mac_create_devfs_device(struct ucred *cred, struct mount *mp,
+mac_devfs_create_device(struct ucred *cred, struct mount *mp,
struct cdev *dev, struct devfs_dirent *de)
{
- MAC_PERFORM(create_devfs_device, cred, mp, dev, de, de->de_label);
+ MAC_PERFORM(devfs_create_device, cred, mp, dev, de, de->de_label);
}
void
-mac_create_devfs_symlink(struct ucred *cred, struct mount *mp,
+mac_devfs_create_symlink(struct ucred *cred, struct mount *mp,
struct devfs_dirent *dd, struct devfs_dirent *de)
{
- MAC_PERFORM(create_devfs_symlink, cred, mp, dd, dd->de_label, de,
+ MAC_PERFORM(devfs_create_symlink, cred, mp, dd, dd->de_label, de,
de->de_label);
}
void
-mac_create_devfs_directory(struct mount *mp, char *dirname, int dirnamelen,
+mac_devfs_create_directory(struct mount *mp, char *dirname, int dirnamelen,
struct devfs_dirent *de)
{
- MAC_PERFORM(create_devfs_directory, mp, dirname, dirnamelen, de,
+ MAC_PERFORM(devfs_create_directory, mp, dirname, dirnamelen, de,
de->de_label);
}
@@ -821,11 +822,11 @@ vop_stdsetlabel_ea(struct vop_setlabel_args *ap)
if ((vp->v_mount->mnt_flag & MNT_MULTILABEL) == 0)
return (EOPNOTSUPP);
- error = mac_setlabel_vnode_extattr(ap->a_cred, vp, intlabel);
+ error = mac_vnode_setlabel_extattr(ap->a_cred, vp, intlabel);
if (error)
return (error);
- mac_relabel_vnode(ap->a_cred, vp, intlabel);
+ mac_vnode_relabel(ap->a_cred, vp, intlabel);
return (0);
}
@@ -853,7 +854,7 @@ vn_setlabel(struct vnode *vp, struct label *intlabel, struct ucred *cred)
* Question: maybe the filesystem should update the vnode at the end
* as part of VOP_SETLABEL()?
*/
- error = mac_check_vnode_relabel(cred, vp, intlabel);
+ error = mac_vnode_check_relabel(cred, vp, intlabel);
if (error)
return (error);
diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c
index 5a87aee..2b66972 100644
--- a/sys/security/mac_biba/mac_biba.c
+++ b/sys/security/mac_biba/mac_biba.c
@@ -1,6 +1,7 @@
/*-
* Copyright (c) 1999-2002, 2007 Robert N. M. Watson
* Copyright (c) 2001-2005 McAfee, Inc.
+ * Copyright (c) 2006 SPARTA, Inc.
* All rights reserved.
*
* This software was developed by Robert Watson for the TrustedBSD Project.
@@ -10,6 +11,9 @@
* DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA
* CHATS research program.
*
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract
+ * N66001-04-C-6019 ("SEFOS").
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -783,7 +787,7 @@ mac_biba_copy_label(struct label *src, struct label *dest)
* a lot like file system objects.
*/
static void
-mac_biba_create_devfs_device(struct ucred *cred, struct mount *mp,
+mac_biba_devfs_create_device(struct ucred *cred, struct mount *mp,
struct cdev *dev, struct devfs_dirent *de, struct label *delabel)
{
struct mac_biba *mac_biba;
@@ -805,7 +809,7 @@ mac_biba_create_devfs_device(struct ucred *cred, struct mount *mp,
}
static void
-mac_biba_create_devfs_directory(struct mount *mp, char *dirname,
+mac_biba_devfs_create_directory(struct mount *mp, char *dirname,
int dirnamelen, struct devfs_dirent *de, struct label *delabel)
{
struct mac_biba *mac_biba;
@@ -815,7 +819,7 @@ mac_biba_create_devfs_directory(struct mount *mp, char *dirname,
}
static void
-mac_biba_create_devfs_symlink(struct ucred *cred, struct mount *mp,
+mac_biba_devfs_create_symlink(struct ucred *cred, struct mount *mp,
struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de,
struct label *delabel)
{
@@ -828,7 +832,7 @@ mac_biba_create_devfs_symlink(struct ucred *cred, struct mount *mp,
}
static void
-mac_biba_create_mount(struct ucred *cred, struct mount *mp,
+mac_biba_mount_create(struct ucred *cred, struct mount *mp,
struct label *mplabel)
{
struct mac_biba *source, *dest;
@@ -839,7 +843,7 @@ mac_biba_create_mount(struct ucred *cred, struct mount *mp,
}
static void
-mac_biba_relabel_vnode(struct ucred *cred, struct vnode *vp,
+mac_biba_vnode_relabel(struct ucred *cred, struct vnode *vp,
struct label *vplabel, struct label *newlabel)
{
struct mac_biba *source, *dest;
@@ -851,7 +855,7 @@ mac_biba_relabel_vnode(struct ucred *cred, struct vnode *vp,
}
static void
-mac_biba_update_devfs(struct mount *mp, struct devfs_dirent *de,
+mac_biba_devfs_update(struct mount *mp, struct devfs_dirent *de,
struct label *delabel, struct vnode *vp, struct label *vplabel)
{
struct mac_biba *source, *dest;
@@ -863,7 +867,7 @@ mac_biba_update_devfs(struct mount *mp, struct devfs_dirent *de,
}
static void
-mac_biba_associate_vnode_devfs(struct mount *mp, struct label *mntlabel,
+mac_biba_devfs_vnode_associate(struct mount *mp, struct label *mntlabel,
struct devfs_dirent *de, struct label *delabel, struct vnode *vp,
struct label *vplabel)
{
@@ -876,7 +880,7 @@ mac_biba_associate_vnode_devfs(struct mount *mp, struct label *mntlabel,
}
static int
-mac_biba_associate_vnode_extattr(struct mount *mp, struct label *mplabel,
+mac_biba_vnode_associate_extattr(struct mount *mp, struct label *mplabel,
struct vnode *vp, struct label *vplabel)
{
struct mac_biba temp, *source, *dest;
@@ -898,16 +902,16 @@ mac_biba_associate_vnode_extattr(struct mount *mp, struct label *mplabel,
return (error);
if (buflen != sizeof(temp)) {
- printf("mac_biba_associate_vnode_extattr: bad size %d\n",
+ printf("mac_biba_vnode_associate_extattr: bad size %d\n",
buflen);
return (EPERM);
}
if (mac_biba_valid(&temp) != 0) {
- printf("mac_biba_associate_vnode_extattr: invalid\n");
+ printf("mac_biba_vnode_associate_extattr: invalid\n");
return (EPERM);
}
if ((temp.mb_flags & MAC_BIBA_FLAGS_BOTH) != MAC_BIBA_FLAG_EFFECTIVE) {
- printf("mac_biba_associate_vnode_extattr: not effective\n");
+ printf("mac_biba_vnode_associate_extattr: not effective\n");
return (EPERM);
}
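Review bot: The three diagnostic `printf()` calls in this hunk spell the function name out as a string literal, which is why a pure rename had to edit message text here. Writing them as `printf("%s: bad size %d\n", __func__, buflen);` (and likewise for the "invalid" and "not effective" messages) keeps the prefix correct through any later rename. These messages appear to be the only trace left when a stored label fails validation and the call returns `EPERM`. Any console-log matching keyed on the old `mac_biba_associate_vnode_extattr:` prefix will stop matching after this commit and should be updated alongside it. The function starts and ends outside this hunk.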
@@ -916,7 +920,7 @@ mac_biba_associate_vnode_extattr(struct mount *mp, struct label *mplabel,
}
static void
-mac_biba_associate_vnode_singlelabel(struct mount *mp,
+mac_biba_vnode_associate_singlelabel(struct mount *mp,
struct label *mplabel, struct vnode *vp, struct label *vplabel)
{
struct mac_biba *source, *dest;
@@ -928,7 +932,7 @@ mac_biba_associate_vnode_singlelabel(struct mount *mp,
}
static int
-mac_biba_create_vnode_extattr(struct ucred *cred, struct mount *mp,
+mac_biba_vnode_create_extattr(struct ucred *cred, struct mount *mp,
struct label *mplabel, struct vnode *dvp, struct label *dvplabel,
struct vnode *vp, struct label *vplabel, struct componentname *cnp)
{
@@ -951,7 +955,7 @@ mac_biba_create_vnode_extattr(struct ucred *cred, struct mount *mp,
}
static int
-mac_biba_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
+mac_biba_vnode_setlabel_extattr(struct ucred *cred, struct vnode *vp,
struct label *vplabel, struct label *intlabel)
{
struct mac_biba *source, temp;
@@ -976,7 +980,7 @@ mac_biba_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
* Labeling event operations: IPC object.
*/
static void
-mac_biba_create_inpcb_from_socket(struct socket *so, struct label *solabel,
+mac_biba_inpcb_create(struct socket *so, struct label *solabel,
struct inpcb *inp, struct label *inplabel)
{
struct mac_biba *source, *dest;
@@ -988,7 +992,7 @@ mac_biba_create_inpcb_from_socket(struct socket *so, struct label *solabel,
}
static void
-mac_biba_create_mbuf_from_socket(struct socket *so, struct label *solabel,
+mac_biba_socket_create_mbuf(struct socket *so, struct label *solabel,
struct mbuf *m, struct label *mlabel)
{
struct mac_biba *source, *dest;
@@ -1000,7 +1004,7 @@ mac_biba_create_mbuf_from_socket(struct socket *so, struct label *solabel,
}
static void
-mac_biba_create_socket(struct ucred *cred, struct socket *so,
+mac_biba_socket_create(struct ucred *cred, struct socket *so,
struct label *solabel)
{
struct mac_biba *source, *dest;
@@ -1012,7 +1016,7 @@ mac_biba_create_socket(struct ucred *cred, struct socket *so,
}
static void
-mac_biba_create_pipe(struct ucred *cred, struct pipepair *pp,
+mac_biba_pipe_create(struct ucred *cred, struct pipepair *pp,
struct label *pplabel)
{
struct mac_biba *source, *dest;
@@ -1024,7 +1028,7 @@ mac_biba_create_pipe(struct ucred *cred, struct pipepair *pp,
}
static void
-mac_biba_create_posix_sem(struct ucred *cred, struct ksem *ks,
+mac_biba_posixsem_create(struct ucred *cred, struct ksem *ks,
struct label *kslabel)
{
struct mac_biba *source, *dest;
@@ -1036,8 +1040,8 @@ mac_biba_create_posix_sem(struct ucred *cred, struct ksem *ks,
}
static void
-mac_biba_create_socket_from_socket(struct socket *oldso,
- struct label *oldsolabel, struct socket *newso, struct label *newsolabel)
+mac_biba_socket_newconn(struct socket *oldso, struct label *oldsolabel,
+ struct socket *newso, struct label *newsolabel)
{
struct mac_biba *source, *dest;
@@ -1048,7 +1052,7 @@ mac_biba_create_socket_from_socket(struct socket *oldso,
}
static void
-mac_biba_relabel_socket(struct ucred *cred, struct socket *so,
+mac_biba_socket_relabel(struct ucred *cred, struct socket *so,
struct label *solabel, struct label *newlabel)
{
struct mac_biba *source, *dest;
@@ -1060,7 +1064,7 @@ mac_biba_relabel_socket(struct ucred *cred, struct socket *so,
}
static void
-mac_biba_relabel_pipe(struct ucred *cred, struct pipepair *pp,
+mac_biba_pipe_relabel(struct ucred *cred, struct pipepair *pp,
struct label *pplabel, struct label *newlabel)
{
struct mac_biba *source, *dest;
@@ -1072,7 +1076,7 @@ mac_biba_relabel_pipe(struct ucred *cred, struct pipepair *pp,
}
static void
-mac_biba_set_socket_peer_from_mbuf(struct mbuf *m, struct label *mlabel,
+mac_biba_socketpeer_set_from_mbuf(struct mbuf *m, struct label *mlabel,
struct socket *so, struct label *sopeerlabel)
{
struct mac_biba *source, *dest;
@@ -1087,7 +1091,7 @@ mac_biba_set_socket_peer_from_mbuf(struct mbuf *m, struct label *mlabel,
* Labeling event operations: System V IPC objects.
*/
static void
-mac_biba_create_sysv_msgmsg(struct ucred *cred, struct msqid_kernel *msqkptr,
+mac_biba_sysvmsg_create(struct ucred *cred, struct msqid_kernel *msqkptr,
struct label *msqlabel, struct msg *msgptr, struct label *msglabel)
{
struct mac_biba *source, *dest;
@@ -1100,7 +1104,7 @@ mac_biba_create_sysv_msgmsg(struct ucred *cred, struct msqid_kernel *msqkptr,
}
static void
-mac_biba_create_sysv_msgqueue(struct ucred *cred,
+mac_biba_sysvmsq_create(struct ucred *cred,
struct msqid_kernel *msqkptr, struct label *msqlabel)
{
struct mac_biba *source, *dest;
@@ -1112,7 +1116,7 @@ mac_biba_create_sysv_msgqueue(struct ucred *cred,
}
static void
-mac_biba_create_sysv_sem(struct ucred *cred, struct semid_kernel *semakptr,
+mac_biba_sysvsem_create(struct ucred *cred, struct semid_kernel *semakptr,
struct label *semalabel)
{
struct mac_biba *source, *dest;
@@ -1124,7 +1128,7 @@ mac_biba_create_sysv_sem(struct ucred *cred, struct semid_kernel *semakptr,
}
static void
-mac_biba_create_sysv_shm(struct ucred *cred, struct shmid_kernel *shmsegptr,
+mac_biba_sysvshm_create(struct ucred *cred, struct shmid_kernel *shmsegptr,
struct label *shmlabel)
{
struct mac_biba *source, *dest;
@@ -1139,7 +1143,7 @@ mac_biba_create_sysv_shm(struct ucred *cred, struct shmid_kernel *shmsegptr,
* Labeling event operations: network objects.
*/
static void
-mac_biba_set_socket_peer_from_socket(struct socket *oldso,
+mac_biba_socketpeer_set_from_socket(struct socket *oldso,
struct label *oldsolabel, struct socket *newso,
struct label *newsopeerlabel)
{
@@ -1152,7 +1156,7 @@ mac_biba_set_socket_peer_from_socket(struct socket *oldso,
}
static void
-mac_biba_create_bpfdesc(struct ucred *cred, struct bpf_d *d,
+mac_biba_bpfdesc_create(struct ucred *cred, struct bpf_d *d,
struct label *dlabel)
{
struct mac_biba *source, *dest;
@@ -1164,7 +1168,7 @@ mac_biba_create_bpfdesc(struct ucred *cred, struct bpf_d *d,
}
static void
-mac_biba_create_ifnet(struct ifnet *ifp, struct label *ifplabel)
+mac_biba_ifnet_create(struct ifnet *ifp, struct label *ifplabel)
{
char tifname[IFNAMSIZ], *p, *q;
char tiflist[sizeof(trusted_interfaces)];
@@ -1221,7 +1225,7 @@ set:
}
static void
-mac_biba_create_ipq(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
+mac_biba_ipq_create(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
struct label *ipqlabel)
{
struct mac_biba *source, *dest;
@@ -1233,7 +1237,7 @@ mac_biba_create_ipq(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
}
static void
-mac_biba_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel,
+mac_biba_ipq_reassemble(struct ipq *ipq, struct label *ipqlabel,
struct mbuf *m, struct label *mlabel)
{
struct mac_biba *source, *dest;
@@ -1246,7 +1250,7 @@ mac_biba_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel,
}
static void
-mac_biba_create_fragment(struct mbuf *m, struct label *mlabel,
+mac_biba_netinet_fragment(struct mbuf *m, struct label *mlabel,
struct mbuf *frag, struct label *fraglabel)
{
struct mac_biba *source, *dest;
@@ -1258,7 +1262,7 @@ mac_biba_create_fragment(struct mbuf *m, struct label *mlabel,
}
static void
-mac_biba_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel,
+mac_biba_inpcb_create_mbuf(struct inpcb *inp, struct label *inplabel,
struct mbuf *m, struct label *mlabel)
{
struct mac_biba *source, *dest;
@@ -1281,7 +1285,7 @@ mac_biba_create_mbuf_linklayer(struct ifnet *ifp, struct label *ifplabel,
}
static void
-mac_biba_create_mbuf_from_bpfdesc(struct bpf_d *d, struct label *dlabel,
+mac_biba_bpfdesc_create_mbuf(struct bpf_d *d, struct label *dlabel,
struct mbuf *m, struct label *mlabel)
{
struct mac_biba *source, *dest;
@@ -1293,7 +1297,7 @@ mac_biba_create_mbuf_from_bpfdesc(struct bpf_d *d, struct label *dlabel,
}
static void
-mac_biba_create_mbuf_from_ifnet(struct ifnet *ifp, struct label *ifplabel,
+mac_biba_ifnet_create_mbuf(struct ifnet *ifp, struct label *ifplabel,
struct mbuf *m, struct label *mlabel)
{
struct mac_biba *source, *dest;
@@ -1305,7 +1309,7 @@ mac_biba_create_mbuf_from_ifnet(struct ifnet *ifp, struct label *ifplabel,
}
static void
-mac_biba_create_mbuf_multicast_encap(struct mbuf *m, struct label *mlabel,
+mac_biba_mbuf_create_multicast_encap(struct mbuf *m, struct label *mlabel,
struct ifnet *ifp, struct label *ifplabel, struct mbuf *mnew,
struct label *mnewlabel)
{
@@ -1318,7 +1322,7 @@ mac_biba_create_mbuf_multicast_encap(struct mbuf *m, struct label *mlabel,
}
static void
-mac_biba_create_mbuf_netlayer(struct mbuf *m, struct label *mlabel,
+mac_biba_mbuf_create_netlayer(struct mbuf *m, struct label *mlabel,
struct mbuf *newm, struct label *mnewlabel)
{
struct mac_biba *source, *dest;
@@ -1330,8 +1334,8 @@ mac_biba_create_mbuf_netlayer(struct mbuf *m, struct label *mlabel,
}
static int
-mac_biba_fragment_match(struct mbuf *m, struct label *mlabel,
- struct ipq *ipq, struct label *ipqlabel)
+mac_biba_ipq_match(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
+ struct label *ipqlabel)
{
struct mac_biba *a, *b;
@@ -1342,7 +1346,7 @@ mac_biba_fragment_match(struct mbuf *m, struct label *mlabel,
}
static void
-mac_biba_relabel_ifnet(struct ucred *cred, struct ifnet *ifp,
+mac_biba_ifnet_relabel(struct ucred *cred, struct ifnet *ifp,
struct label *ifplabel, struct label *newlabel)
{
struct mac_biba *source, *dest;
@@ -1354,7 +1358,7 @@ mac_biba_relabel_ifnet(struct ucred *cred, struct ifnet *ifp,
}
static void
-mac_biba_update_ipq(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
+mac_biba_ipq_update(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
struct label *ipqlabel)
{
@@ -1374,7 +1378,7 @@ mac_biba_inpcb_sosetlabel(struct socket *so, struct label *solabel,
}
static void
-mac_biba_create_mbuf_from_firewall(struct mbuf *m, struct label *label)
+mac_biba_mbuf_create_from_firewall(struct mbuf *m, struct label *label)
{
struct mac_biba *dest;
@@ -1388,7 +1392,7 @@ mac_biba_create_mbuf_from_firewall(struct mbuf *m, struct label *label)
* Labeling event operations: processes.
*/
static void
-mac_biba_create_proc0(struct ucred *cred)
+mac_biba_proc_create_swapper(struct ucred *cred)
{
struct mac_biba *dest;
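Review bot: `mac_biba_proc_create_swapper` here and `mac_biba_proc_create_init` in the next hunk drop the proc0/proc1 wording of the old names, and neither function has a comment of its own saying which process's credential it labels. A one-line comment on each, `/* Label the credential of proc0 (the swapper). */` and `/* Label the credential of proc1 (init). */`, would keep them findable for anyone searching by the old terms. Presumably these set the label that boot-time processes start from, so it helps if they are easy to locate during a policy review. Both bodies continue outside their hunks.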
@@ -1400,7 +1404,7 @@ mac_biba_create_proc0(struct ucred *cred)
}
static void
-mac_biba_create_proc1(struct ucred *cred)
+mac_biba_proc_create_init(struct ucred *cred)
{
struct mac_biba *dest;
@@ -1412,7 +1416,7 @@ mac_biba_create_proc1(struct ucred *cred)
}
static void
-mac_biba_relabel_cred(struct ucred *cred, struct label *newlabel)
+mac_biba_cred_relabel(struct ucred *cred, struct label *newlabel)
{
struct mac_biba *source, *dest;
@@ -1426,28 +1430,28 @@ mac_biba_relabel_cred(struct ucred *cred, struct label *newlabel)
* Label cleanup/flush operations
*/
static void
-mac_biba_cleanup_sysv_msgmsg(struct label *msglabel)
+mac_biba_sysvmsg_cleanup(struct label *msglabel)
{
bzero(SLOT(msglabel), sizeof(struct mac_biba));
}
static void
-mac_biba_cleanup_sysv_msgqueue(struct label *msqlabel)
+mac_biba_sysvmsq_cleanup(struct label *msqlabel)
{
bzero(SLOT(msqlabel), sizeof(struct mac_biba));
}
static void
-mac_biba_cleanup_sysv_sem(struct label *semalabel)
+mac_biba_sysvsem_cleanup(struct label *semalabel)
{
bzero(SLOT(semalabel), sizeof(struct mac_biba));
}
static void
-mac_biba_cleanup_sysv_shm(struct label *shmlabel)
+mac_biba_sysvshm_cleanup(struct label *shmlabel)
{
bzero(SLOT(shmlabel), sizeof(struct mac_biba));
}
@@ -1456,7 +1460,7 @@ mac_biba_cleanup_sysv_shm(struct label *shmlabel)
* Access control checks.
*/
static int
-mac_biba_check_bpfdesc_receive(struct bpf_d *d, struct label *dlabel,
+mac_biba_bpfdesc_check_receive(struct bpf_d *d, struct label *dlabel,
struct ifnet *ifp, struct label *ifplabel)
{
struct mac_biba *a, *b;
@@ -1473,7 +1477,7 @@ mac_biba_check_bpfdesc_receive(struct bpf_d *d, struct label *dlabel,
}
static int
-mac_biba_check_cred_relabel(struct ucred *cred, struct label *newlabel)
+mac_biba_cred_check_relabel(struct ucred *cred, struct label *newlabel)
{
struct mac_biba *subj, *new;
int error;
@@ -1535,7 +1539,7 @@ mac_biba_check_cred_relabel(struct ucred *cred, struct label *newlabel)
}
static int
-mac_biba_check_cred_visible(struct ucred *u1, struct ucred *u2)
+mac_biba_cred_check_visible(struct ucred *u1, struct ucred *u2)
{
struct mac_biba *subj, *obj;
@@ -1553,7 +1557,7 @@ mac_biba_check_cred_visible(struct ucred *u1, struct ucred *u2)
}
static int
-mac_biba_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifp,
+mac_biba_ifnet_check_relabel(struct ucred *cred, struct ifnet *ifp,
struct label *ifplabel, struct label *newlabel)
{
struct mac_biba *subj, *new;
@@ -1581,7 +1585,7 @@ mac_biba_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifp,
}
static int
-mac_biba_check_ifnet_transmit(struct ifnet *ifp, struct label *ifplabel,
+mac_biba_ifnet_check_transmit(struct ifnet *ifp, struct label *ifplabel,
struct mbuf *m, struct label *mlabel)
{
struct mac_biba *p, *i;
@@ -1596,7 +1600,7 @@ mac_biba_check_ifnet_transmit(struct ifnet *ifp, struct label *ifplabel,
}
static int
-mac_biba_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel,
+mac_biba_inpcb_check_deliver(struct inpcb *inp, struct label *inplabel,
struct mbuf *m, struct label *mlabel)
{
struct mac_biba *p, *i;
@@ -1611,7 +1615,7 @@ mac_biba_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel,
}
static int
-mac_biba_check_sysv_msgrcv(struct ucred *cred, struct msg *msgptr,
+mac_biba_sysvmsq_check_msgrcv(struct ucred *cred, struct msg *msgptr,
struct label *msglabel)
{
struct mac_biba *subj, *obj;
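Review bot: `mac_biba_sysvmsq_check_msgrcv` is filed under the `sysvmsq` object, but its parameters are `struct msg *msgptr` and `msglabel`, so the object label it checks appears to be the message's rather than the queue's. Under the `<object>_check_<method>` scheme in the commit message, a reader will assume the queue label is the one compared against the subject. A comment above the function would remove the ambiguity, for example `/* Despite the sysvmsq prefix, the object label here is the message's (msglabel). */`. The same applies to `mac_biba_sysvmsq_check_msgrmid` in the next hunk. Both bodies continue outside their hunks, so what is actually compared cannot be confirmed from here.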
@@ -1629,7 +1633,7 @@ mac_biba_check_sysv_msgrcv(struct ucred *cred, struct msg *msgptr,
}
static int
-mac_biba_check_sysv_msgrmid(struct ucred *cred, struct msg *msgptr,
+mac_biba_sysvmsq_check_msgrmid(struct ucred *cred, struct msg *msgptr,
struct label *msglabel)
{
struct mac_biba *subj, *obj;
@@ -1647,8 +1651,8 @@ mac_biba_check_sysv_msgrmid(struct ucred *cred, struct msg *msgptr,
}
static int
-mac_biba_check_sysv_msqget(struct ucred *cred, struct msqid_kernel *msqkptr,
- struct label *msqklabel)
+mac_biba_sysvmsq_check_msqget(struct ucred *cred,
+ struct msqid_kernel *msqkptr, struct label *msqklabel)
{
struct mac_biba *subj, *obj;
@@ -1665,8 +1669,8 @@ mac_biba_check_sysv_msqget(struct ucred *cred, struct msqid_kernel *msqkptr,
}
static int
-mac_biba_check_sysv_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr,
- struct label *msqklabel)
+mac_biba_sysvmsq_check_msqsnd(struct ucred *cred,
+ struct msqid_kernel *msqkptr, struct label *msqklabel)
{
struct mac_biba *subj, *obj;
@@ -1683,8 +1687,8 @@ mac_biba_check_sysv_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr,
}
static int
-mac_biba_check_sysv_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr,
- struct label *msqklabel)
+mac_biba_sysvmsq_check_msqrcv(struct ucred *cred,
+ struct msqid_kernel *msqkptr, struct label *msqklabel)
{
struct mac_biba *subj, *obj;
@@ -1702,8 +1706,8 @@ mac_biba_check_sysv_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr,
static int
-mac_biba_check_sysv_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr,
- struct label *msqklabel, int cmd)
+mac_biba_sysvmsq_check_msqctl(struct ucred *cred,
+ struct msqid_kernel *msqkptr, struct label *msqklabel, int cmd)
{
struct mac_biba *subj, *obj;
@@ -1733,8 +1737,8 @@ mac_biba_check_sysv_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr,
}
static int
-mac_biba_check_sysv_semctl(struct ucred *cred, struct semid_kernel *semakptr,
- struct label *semaklabel, int cmd)
+mac_biba_sysvsem_check_semctl(struct ucred *cred,
+ struct semid_kernel *semakptr, struct label *semaklabel, int cmd)
{
struct mac_biba *subj, *obj;
@@ -1771,8 +1775,8 @@ mac_biba_check_sysv_semctl(struct ucred *cred, struct semid_kernel *semakptr,
}
static int
-mac_biba_check_sysv_semget(struct ucred *cred, struct semid_kernel *semakptr,
- struct label *semaklabel)
+mac_biba_sysvsem_check_semget(struct ucred *cred,
+ struct semid_kernel *semakptr, struct label *semaklabel)
{
struct mac_biba *subj, *obj;
@@ -1790,8 +1794,9 @@ mac_biba_check_sysv_semget(struct ucred *cred, struct semid_kernel *semakptr,
static int
-mac_biba_check_sysv_semop(struct ucred *cred, struct semid_kernel *semakptr,
- struct label *semaklabel, size_t accesstype)
+mac_biba_sysvsem_check_semop(struct ucred *cred,
+ struct semid_kernel *semakptr, struct label *semaklabel,
+ size_t accesstype)
{
struct mac_biba *subj, *obj;
@@ -1813,8 +1818,8 @@ mac_biba_check_sysv_semop(struct ucred *cred, struct semid_kernel *semakptr,
}
static int
-mac_biba_check_sysv_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr,
- struct label *shmseglabel, int shmflg)
+mac_biba_sysvshm_check_shmat(struct ucred *cred,
+ struct shmid_kernel *shmsegptr, struct label *shmseglabel, int shmflg)
{
struct mac_biba *subj, *obj;
@@ -1835,8 +1840,8 @@ mac_biba_check_sysv_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr,
}
static int
-mac_biba_check_sysv_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr,
- struct label *shmseglabel, int cmd)
+mac_biba_sysvshm_check_shmctl(struct ucred *cred,
+ struct shmid_kernel *shmsegptr, struct label *shmseglabel, int cmd)
{
struct mac_biba *subj, *obj;
@@ -1867,8 +1872,8 @@ mac_biba_check_sysv_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr,
}
static int
-mac_biba_check_sysv_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr,
- struct label *shmseglabel, int shmflg)
+mac_biba_sysvshm_check_shmget(struct ucred *cred,
+ struct shmid_kernel *shmsegptr, struct label *shmseglabel, int shmflg)
{
struct mac_biba *subj, *obj;
@@ -1885,7 +1890,7 @@ mac_biba_check_sysv_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr,
}
static int
-mac_biba_check_kld_load(struct ucred *cred, struct vnode *vp,
+mac_biba_kld_check_load(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
struct mac_biba *subj, *obj;
@@ -1908,7 +1913,7 @@ mac_biba_check_kld_load(struct ucred *cred, struct vnode *vp,
}
static int
-mac_biba_check_mount_stat(struct ucred *cred, struct mount *mp,
+mac_biba_mount_check_stat(struct ucred *cred, struct mount *mp,
struct label *mplabel)
{
struct mac_biba *subj, *obj;
@@ -1926,7 +1931,7 @@ mac_biba_check_mount_stat(struct ucred *cred, struct mount *mp,
}
static int
-mac_biba_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp,
+mac_biba_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp,
struct label *pplabel, unsigned long cmd, void /* caddr_t */ *data)
{
@@ -1939,7 +1944,7 @@ mac_biba_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp,
}
static int
-mac_biba_check_pipe_poll(struct ucred *cred, struct pipepair *pp,
+mac_biba_pipe_check_poll(struct ucred *cred, struct pipepair *pp,
struct label *pplabel)
{
struct mac_biba *subj, *obj;
@@ -1957,7 +1962,7 @@ mac_biba_check_pipe_poll(struct ucred *cred, struct pipepair *pp,
}
static int
-mac_biba_check_pipe_read(struct ucred *cred, struct pipepair *pp,
+mac_biba_pipe_check_read(struct ucred *cred, struct pipepair *pp,
struct label *pplabel)
{
struct mac_biba *subj, *obj;
@@ -1975,7 +1980,7 @@ mac_biba_check_pipe_read(struct ucred *cred, struct pipepair *pp,
}
static int
-mac_biba_check_pipe_relabel(struct ucred *cred, struct pipepair *pp,
+mac_biba_pipe_check_relabel(struct ucred *cred, struct pipepair *pp,
struct label *pplabel, struct label *newlabel)
{
struct mac_biba *subj, *obj, *new;
@@ -2026,7 +2031,7 @@ mac_biba_check_pipe_relabel(struct ucred *cred, struct pipepair *pp,
}
static int
-mac_biba_check_pipe_stat(struct ucred *cred, struct pipepair *pp,
+mac_biba_pipe_check_stat(struct ucred *cred, struct pipepair *pp,
struct label *pplabel)
{
struct mac_biba *subj, *obj;
@@ -2044,7 +2049,7 @@ mac_biba_check_pipe_stat(struct ucred *cred, struct pipepair *pp,
}
static int
-mac_biba_check_pipe_write(struct ucred *cred, struct pipepair *pp,
+mac_biba_pipe_check_write(struct ucred *cred, struct pipepair *pp,
struct label *pplabel)
{
struct mac_biba *subj, *obj;
@@ -2062,7 +2067,7 @@ mac_biba_check_pipe_write(struct ucred *cred, struct pipepair *pp,
}
static int
-mac_biba_check_posix_sem_write(struct ucred *cred, struct ksem *ks,
+mac_biba_posixsem_check_write(struct ucred *cred, struct ksem *ks,
struct label *kslabel)
{
struct mac_biba *subj, *obj;
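Review bot: `mac_biba_posixsem_check_write` now reads like the entry point for a `write` method under the new `mac_<object>_check_<method>` scheme, but it is a shared helper. The removed lines of the ops table further down this diff assign it to the destroy, open, post, unlink and wait checks. The context lines show no comment above the function, so I would add one, for example `/* Shared by every POSIX semaphore check that this policy treats as a write. */`. The same applies to `mac_biba_posixsem_check_rdonly` in the next hunk, which the old table used for getvalue. The function body continues outside this hunk and the renamed table entries are not visible here, so the mapping should be confirmed against the new table.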
@@ -2080,7 +2085,7 @@ mac_biba_check_posix_sem_write(struct ucred *cred, struct ksem *ks,
}
static int
-mac_biba_check_posix_sem_rdonly(struct ucred *cred, struct ksem *ks,
+mac_biba_posixsem_check_rdonly(struct ucred *cred, struct ksem *ks,
struct label *kslabel)
{
struct mac_biba *subj, *obj;
@@ -2098,7 +2103,7 @@ mac_biba_check_posix_sem_rdonly(struct ucred *cred, struct ksem *ks,
}
static int
-mac_biba_check_proc_debug(struct ucred *cred, struct proc *p)
+mac_biba_proc_check_debug(struct ucred *cred, struct proc *p)
{
struct mac_biba *subj, *obj;
@@ -2118,7 +2123,7 @@ mac_biba_check_proc_debug(struct ucred *cred, struct proc *p)
}
static int
-mac_biba_check_proc_sched(struct ucred *cred, struct proc *p)
+mac_biba_proc_check_sched(struct ucred *cred, struct proc *p)
{
struct mac_biba *subj, *obj;
@@ -2138,7 +2143,7 @@ mac_biba_check_proc_sched(struct ucred *cred, struct proc *p)
}
static int
-mac_biba_check_proc_signal(struct ucred *cred, struct proc *p, int signum)
+mac_biba_proc_check_signal(struct ucred *cred, struct proc *p, int signum)
{
struct mac_biba *subj, *obj;
@@ -2158,7 +2163,7 @@ mac_biba_check_proc_signal(struct ucred *cred, struct proc *p, int signum)
}
static int
-mac_biba_check_socket_deliver(struct socket *so, struct label *solabel,
+mac_biba_socket_check_deliver(struct socket *so, struct label *solabel,
struct mbuf *m, struct label *mlabel)
{
struct mac_biba *p, *s;
@@ -2173,7 +2178,7 @@ mac_biba_check_socket_deliver(struct socket *so, struct label *solabel,
}
static int
-mac_biba_check_socket_relabel(struct ucred *cred, struct socket *so,
+mac_biba_socket_check_relabel(struct ucred *cred, struct socket *so,
struct label *solabel, struct label *newlabel)
{
struct mac_biba *subj, *obj, *new;
@@ -2224,7 +2229,7 @@ mac_biba_check_socket_relabel(struct ucred *cred, struct socket *so,
}
static int
-mac_biba_check_socket_visible(struct ucred *cred, struct socket *so,
+mac_biba_socket_check_visible(struct ucred *cred, struct socket *so,
struct label *solabel)
{
struct mac_biba *subj, *obj;
@@ -2431,7 +2436,7 @@ mac_biba_priv_check(struct ucred *cred, int priv)
}
static int
-mac_biba_check_system_acct(struct ucred *cred, struct vnode *vp,
+mac_biba_system_check_acct(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
struct mac_biba *subj, *obj;
@@ -2457,7 +2462,7 @@ mac_biba_check_system_acct(struct ucred *cred, struct vnode *vp,
}
static int
-mac_biba_check_system_auditctl(struct ucred *cred, struct vnode *vp,
+mac_biba_system_check_auditctl(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
struct mac_biba *subj, *obj;
@@ -2483,7 +2488,7 @@ mac_biba_check_system_auditctl(struct ucred *cred, struct vnode *vp,
}
static int
-mac_biba_check_system_auditon(struct ucred *cred, int cmd)
+mac_biba_system_check_auditon(struct ucred *cred, int cmd)
{
struct mac_biba *subj;
int error;
@@ -2501,7 +2506,7 @@ mac_biba_check_system_auditon(struct ucred *cred, int cmd)
}
static int
-mac_biba_check_system_swapon(struct ucred *cred, struct vnode *vp,
+mac_biba_system_check_swapon(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
struct mac_biba *subj, *obj;
@@ -2524,7 +2529,7 @@ mac_biba_check_system_swapon(struct ucred *cred, struct vnode *vp,
}
static int
-mac_biba_check_system_swapoff(struct ucred *cred, struct vnode *vp,
+mac_biba_system_check_swapoff(struct ucred *cred, struct vnode *vp,
struct label *label)
{
struct mac_biba *subj;
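Review bot: The third parameter of `mac_biba_system_check_swapoff` is still named `label`, while the sibling system checks in this diff (`mac_biba_system_check_swapon`, `mac_biba_system_check_acct`, `mac_biba_system_check_auditctl`) name the vnode label `vplabel`. Since the commit is about making the KPI naming uniform, I would rename it here too, so `struct label *label)` becomes `struct label *vplabel)`. Only `subj` is declared at the top of the body, so the parameter may be unused. The rest of the function lies outside this hunk, and any use of `label` there would need the same rename.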
@@ -2543,7 +2548,7 @@ mac_biba_check_system_swapoff(struct ucred *cred, struct vnode *vp,
}
static int
-mac_biba_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
+mac_biba_system_check_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
void *arg1, int arg2, struct sysctl_req *req)
{
struct mac_biba *subj;
@@ -2571,7 +2576,7 @@ mac_biba_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
}
static int
-mac_biba_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
+mac_biba_vnode_check_chdir(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel)
{
struct mac_biba *subj, *obj;
@@ -2589,7 +2594,7 @@ mac_biba_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
}
static int
-mac_biba_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
+mac_biba_vnode_check_chroot(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel)
{
struct mac_biba *subj, *obj;
@@ -2607,7 +2612,7 @@ mac_biba_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
}
static int
-mac_biba_check_vnode_create(struct ucred *cred, struct vnode *dvp,
+mac_biba_vnode_check_create(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct componentname *cnp, struct vattr *vap)
{
struct mac_biba *subj, *obj;
@@ -2625,7 +2630,7 @@ mac_biba_check_vnode_create(struct ucred *cred, struct vnode *dvp,
}
static int
-mac_biba_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
+mac_biba_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp,
struct label *vplabel, acl_type_t type)
{
struct mac_biba *subj, *obj;
@@ -2643,7 +2648,7 @@ mac_biba_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
}
static int
-mac_biba_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
+mac_biba_vnode_check_deleteextattr(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int attrnamespace, const char *name)
{
struct mac_biba *subj, *obj;
@@ -2661,7 +2666,7 @@ mac_biba_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
}
static int
-mac_biba_check_vnode_exec(struct ucred *cred, struct vnode *vp,
+mac_biba_vnode_check_exec(struct ucred *cred, struct vnode *vp,
struct label *vplabel, struct image_params *imgp,
struct label *execlabel)
{
@@ -2693,7 +2698,7 @@ mac_biba_check_vnode_exec(struct ucred *cred, struct vnode *vp,
}
static int
-mac_biba_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
+mac_biba_vnode_check_getacl(struct ucred *cred, struct vnode *vp,
struct label *vplabel, acl_type_t type)
{
struct mac_biba *subj, *obj;
@@ -2711,7 +2716,7 @@ mac_biba_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
}
static int
-mac_biba_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
+mac_biba_vnode_check_getextattr(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int attrnamespace, const char *name,
struct uio *uio)
{
@@ -2730,7 +2735,7 @@ mac_biba_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
}
static int
-mac_biba_check_vnode_link(struct ucred *cred, struct vnode *dvp,
+mac_biba_vnode_check_link(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct vnode *vp, struct label *vplabel,
struct componentname *cnp)
{
@@ -2754,7 +2759,7 @@ mac_biba_check_vnode_link(struct ucred *cred, struct vnode *dvp,
}
static int
-mac_biba_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
+mac_biba_vnode_check_listextattr(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int attrnamespace)
{
struct mac_biba *subj, *obj;
@@ -2772,7 +2777,7 @@ mac_biba_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
}
static int
-mac_biba_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
+mac_biba_vnode_check_lookup(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct componentname *cnp)
{
struct mac_biba *subj, *obj;
@@ -2790,7 +2795,7 @@ mac_biba_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
}
static int
-mac_biba_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
+mac_biba_vnode_check_mmap(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int prot, int flags)
{
struct mac_biba *subj, *obj;
@@ -2818,7 +2823,7 @@ mac_biba_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
}
static int
-mac_biba_check_vnode_open(struct ucred *cred, struct vnode *vp,
+mac_biba_vnode_check_open(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int acc_mode)
{
struct mac_biba *subj, *obj;
@@ -2843,7 +2848,7 @@ mac_biba_check_vnode_open(struct ucred *cred, struct vnode *vp,
}
static int
-mac_biba_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
+mac_biba_vnode_check_poll(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp, struct label *vplabel)
{
struct mac_biba *subj, *obj;
@@ -2861,7 +2866,7 @@ mac_biba_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
}
static int
-mac_biba_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
+mac_biba_vnode_check_read(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp, struct label *vplabel)
{
struct mac_biba *subj, *obj;
@@ -2879,7 +2884,7 @@ mac_biba_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
}
static int
-mac_biba_check_vnode_readdir(struct ucred *cred, struct vnode *dvp,
+mac_biba_vnode_check_readdir(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel)
{
struct mac_biba *subj, *obj;
@@ -2897,7 +2902,7 @@ mac_biba_check_vnode_readdir(struct ucred *cred, struct vnode *dvp,
}
static int
-mac_biba_check_vnode_readlink(struct ucred *cred, struct vnode *vp,
+mac_biba_vnode_check_readlink(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
struct mac_biba *subj, *obj;
@@ -2915,7 +2920,7 @@ mac_biba_check_vnode_readlink(struct ucred *cred, struct vnode *vp,
}
static int
-mac_biba_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
+mac_biba_vnode_check_relabel(struct ucred *cred, struct vnode *vp,
struct label *vplabel, struct label *newlabel)
{
struct mac_biba *old, *new, *subj;
@@ -2966,7 +2971,7 @@ mac_biba_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
}
static int
-mac_biba_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
+mac_biba_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct vnode *vp, struct label *vplabel,
struct componentname *cnp)
{
@@ -2990,7 +2995,7 @@ mac_biba_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
}
static int
-mac_biba_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
+mac_biba_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct vnode *vp, struct label *vplabel,
int samedir, struct componentname *cnp)
{
@@ -3016,7 +3021,7 @@ mac_biba_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
}
static int
-mac_biba_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
+mac_biba_vnode_check_revoke(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
struct mac_biba *subj, *obj;
@@ -3034,7 +3039,7 @@ mac_biba_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
}
static int
-mac_biba_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
+mac_biba_vnode_check_setacl(struct ucred *cred, struct vnode *vp,
struct label *vplabel, acl_type_t type, struct acl *acl)
{
struct mac_biba *subj, *obj;
@@ -3052,7 +3057,7 @@ mac_biba_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
}
static int
-mac_biba_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
+mac_biba_vnode_check_setextattr(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int attrnamespace, const char *name,
struct uio *uio)
{
@@ -3073,7 +3078,7 @@ mac_biba_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
}
static int
-mac_biba_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
+mac_biba_vnode_check_setflags(struct ucred *cred, struct vnode *vp,
struct label *vplabel, u_long flags)
{
struct mac_biba *subj, *obj;
@@ -3091,7 +3096,7 @@ mac_biba_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
}
static int
-mac_biba_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
+mac_biba_vnode_check_setmode(struct ucred *cred, struct vnode *vp,
struct label *vplabel, mode_t mode)
{
struct mac_biba *subj, *obj;
@@ -3109,7 +3114,7 @@ mac_biba_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
}
static int
-mac_biba_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
+mac_biba_vnode_check_setowner(struct ucred *cred, struct vnode *vp,
struct label *vplabel, uid_t uid, gid_t gid)
{
struct mac_biba *subj, *obj;
@@ -3127,7 +3132,7 @@ mac_biba_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
}
static int
-mac_biba_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
+mac_biba_vnode_check_setutimes(struct ucred *cred, struct vnode *vp,
struct label *vplabel, struct timespec atime, struct timespec mtime)
{
struct mac_biba *subj, *obj;
@@ -3145,7 +3150,7 @@ mac_biba_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
}
static int
-mac_biba_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
+mac_biba_vnode_check_stat(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp, struct label *vplabel)
{
struct mac_biba *subj, *obj;
@@ -3163,7 +3168,7 @@ mac_biba_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
}
static int
-mac_biba_check_vnode_unlink(struct ucred *cred, struct vnode *dvp,
+mac_biba_vnode_check_unlink(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct vnode *vp, struct label *vplabel,
struct componentname *cnp)
{
@@ -3187,7 +3192,7 @@ mac_biba_check_vnode_unlink(struct ucred *cred, struct vnode *dvp,
}
static int
-mac_biba_check_vnode_write(struct ucred *active_cred,
+mac_biba_vnode_check_write(struct ucred *active_cred,
struct ucred *file_cred, struct vnode *vp, struct label *vplabel)
{
struct mac_biba *subj, *obj;
@@ -3239,185 +3244,185 @@ mac_biba_create_mbuf_from_syncache(struct label *sc_label, struct mbuf *m,
static struct mac_policy_ops mac_biba_ops =
{
.mpo_init = mac_biba_init,
- .mpo_init_bpfdesc_label = mac_biba_init_label,
- .mpo_init_cred_label = mac_biba_init_label,
- .mpo_init_devfs_label = mac_biba_init_label,
- .mpo_init_ifnet_label = mac_biba_init_label,
- .mpo_init_inpcb_label = mac_biba_init_label_waitcheck,
+ .mpo_bpfdesc_init_label = mac_biba_init_label,
+ .mpo_cred_init_label = mac_biba_init_label,
+ .mpo_devfs_init_label = mac_biba_init_label,
+ .mpo_ifnet_init_label = mac_biba_init_label,
+ .mpo_inpcb_init_label = mac_biba_init_label_waitcheck,
.mpo_init_syncache_label = mac_biba_init_label_waitcheck,
- .mpo_init_sysv_msgmsg_label = mac_biba_init_label,
- .mpo_init_sysv_msgqueue_label = mac_biba_init_label,
- .mpo_init_sysv_sem_label = mac_biba_init_label,
- .mpo_init_sysv_shm_label = mac_biba_init_label,
- .mpo_init_ipq_label = mac_biba_init_label_waitcheck,
- .mpo_init_mbuf_label = mac_biba_init_label_waitcheck,
- .mpo_init_mount_label = mac_biba_init_label,
- .mpo_init_pipe_label = mac_biba_init_label,
- .mpo_init_posix_sem_label = mac_biba_init_label,
- .mpo_init_socket_label = mac_biba_init_label_waitcheck,
- .mpo_init_socket_peer_label = mac_biba_init_label_waitcheck,
+ .mpo_sysvmsg_init_label = mac_biba_init_label,
+ .mpo_sysvmsq_init_label = mac_biba_init_label,
+ .mpo_sysvsem_init_label = mac_biba_init_label,
+ .mpo_sysvshm_init_label = mac_biba_init_label,
+ .mpo_ipq_init_label = mac_biba_init_label_waitcheck,
+ .mpo_mbuf_init_label = mac_biba_init_label_waitcheck,
+ .mpo_mount_init_label = mac_biba_init_label,
+ .mpo_pipe_init_label = mac_biba_init_label,
+ .mpo_posixsem_init_label = mac_biba_init_label,
+ .mpo_socket_init_label = mac_biba_init_label_waitcheck,
+ .mpo_socketpeer_init_label = mac_biba_init_label_waitcheck,
.mpo_init_syncache_from_inpcb = mac_biba_init_syncache_from_inpcb,
- .mpo_init_vnode_label = mac_biba_init_label,
- .mpo_destroy_bpfdesc_label = mac_biba_destroy_label,
- .mpo_destroy_cred_label = mac_biba_destroy_label,
- .mpo_destroy_devfs_label = mac_biba_destroy_label,
- .mpo_destroy_ifnet_label = mac_biba_destroy_label,
- .mpo_destroy_inpcb_label = mac_biba_destroy_label,
+ .mpo_vnode_init_label = mac_biba_init_label,
+ .mpo_bpfdesc_destroy_label = mac_biba_destroy_label,
+ .mpo_cred_destroy_label = mac_biba_destroy_label,
+ .mpo_devfs_destroy_label = mac_biba_destroy_label,
+ .mpo_ifnet_destroy_label = mac_biba_destroy_label,
+ .mpo_inpcb_destroy_label = mac_biba_destroy_label,
.mpo_destroy_syncache_label = mac_biba_destroy_label,
- .mpo_destroy_sysv_msgmsg_label = mac_biba_destroy_label,
- .mpo_destroy_sysv_msgqueue_label = mac_biba_destroy_label,
- .mpo_destroy_sysv_sem_label = mac_biba_destroy_label,
- .mpo_destroy_sysv_shm_label = mac_biba_destroy_label,
- .mpo_destroy_ipq_label = mac_biba_destroy_label,
- .mpo_destroy_mbuf_label = mac_biba_destroy_label,
- .mpo_destroy_mount_label = mac_biba_destroy_label,
- .mpo_destroy_pipe_label = mac_biba_destroy_label,
- .mpo_destroy_posix_sem_label = mac_biba_destroy_label,
- .mpo_destroy_socket_label = mac_biba_destroy_label,
- .mpo_destroy_socket_peer_label = mac_biba_destroy_label,
- .mpo_destroy_vnode_label = mac_biba_destroy_label,
- .mpo_copy_cred_label = mac_biba_copy_label,
- .mpo_copy_ifnet_label = mac_biba_copy_label,
- .mpo_copy_mbuf_label = mac_biba_copy_label,
- .mpo_copy_pipe_label = mac_biba_copy_label,
- .mpo_copy_socket_label = mac_biba_copy_label,
- .mpo_copy_vnode_label = mac_biba_copy_label,
- .mpo_externalize_cred_label = mac_biba_externalize_label,
- .mpo_externalize_ifnet_label = mac_biba_externalize_label,
- .mpo_externalize_pipe_label = mac_biba_externalize_label,
- .mpo_externalize_socket_label = mac_biba_externalize_label,
- .mpo_externalize_socket_peer_label = mac_biba_externalize_label,
- .mpo_externalize_vnode_label = mac_biba_externalize_label,
- .mpo_internalize_cred_label = mac_biba_internalize_label,
- .mpo_internalize_ifnet_label = mac_biba_internalize_label,
- .mpo_internalize_pipe_label = mac_biba_internalize_label,
- .mpo_internalize_socket_label = mac_biba_internalize_label,
- .mpo_internalize_vnode_label = mac_biba_internalize_label,
- .mpo_create_devfs_device = mac_biba_create_devfs_device,
- .mpo_create_devfs_directory = mac_biba_create_devfs_directory,
- .mpo_create_devfs_symlink = mac_biba_create_devfs_symlink,
- .mpo_create_mount = mac_biba_create_mount,
- .mpo_relabel_vnode = mac_biba_relabel_vnode,
- .mpo_update_devfs = mac_biba_update_devfs,
- .mpo_associate_vnode_devfs = mac_biba_associate_vnode_devfs,
- .mpo_associate_vnode_extattr = mac_biba_associate_vnode_extattr,
- .mpo_associate_vnode_singlelabel = mac_biba_associate_vnode_singlelabel,
- .mpo_create_vnode_extattr = mac_biba_create_vnode_extattr,
- .mpo_setlabel_vnode_extattr = mac_biba_setlabel_vnode_extattr,
- .mpo_create_mbuf_from_socket = mac_biba_create_mbuf_from_socket,
+ .mpo_sysvmsg_destroy_label = mac_biba_destroy_label,
+ .mpo_sysvmsq_destroy_label = mac_biba_destroy_label,
+ .mpo_sysvsem_destroy_label = mac_biba_destroy_label,
+ .mpo_sysvshm_destroy_label = mac_biba_destroy_label,
+ .mpo_ipq_destroy_label = mac_biba_destroy_label,
+ .mpo_mbuf_destroy_label = mac_biba_destroy_label,
+ .mpo_mount_destroy_label = mac_biba_destroy_label,
+ .mpo_pipe_destroy_label = mac_biba_destroy_label,
+ .mpo_posixsem_destroy_label = mac_biba_destroy_label,
+ .mpo_socket_destroy_label = mac_biba_destroy_label,
+ .mpo_socketpeer_destroy_label = mac_biba_destroy_label,
+ .mpo_vnode_destroy_label = mac_biba_destroy_label,
+ .mpo_cred_copy_label = mac_biba_copy_label,
+ .mpo_ifnet_copy_label = mac_biba_copy_label,
+ .mpo_mbuf_copy_label = mac_biba_copy_label,
+ .mpo_pipe_copy_label = mac_biba_copy_label,
+ .mpo_socket_copy_label = mac_biba_copy_label,
+ .mpo_vnode_copy_label = mac_biba_copy_label,
+ .mpo_cred_externalize_label = mac_biba_externalize_label,
+ .mpo_ifnet_externalize_label = mac_biba_externalize_label,
+ .mpo_pipe_externalize_label = mac_biba_externalize_label,
+ .mpo_socket_externalize_label = mac_biba_externalize_label,
+ .mpo_socketpeer_externalize_label = mac_biba_externalize_label,
+ .mpo_vnode_externalize_label = mac_biba_externalize_label,
+ .mpo_cred_internalize_label = mac_biba_internalize_label,
+ .mpo_ifnet_internalize_label = mac_biba_internalize_label,
+ .mpo_pipe_internalize_label = mac_biba_internalize_label,
+ .mpo_socket_internalize_label = mac_biba_internalize_label,
+ .mpo_vnode_internalize_label = mac_biba_internalize_label,
+ .mpo_devfs_create_device = mac_biba_devfs_create_device,
+ .mpo_devfs_create_directory = mac_biba_devfs_create_directory,
+ .mpo_devfs_create_symlink = mac_biba_devfs_create_symlink,
+ .mpo_mount_create = mac_biba_mount_create,
+ .mpo_vnode_relabel = mac_biba_vnode_relabel,
+ .mpo_devfs_update = mac_biba_devfs_update,
+ .mpo_devfs_vnode_associate = mac_biba_devfs_vnode_associate,
+ .mpo_vnode_associate_extattr = mac_biba_vnode_associate_extattr,
+ .mpo_vnode_associate_singlelabel = mac_biba_vnode_associate_singlelabel,
+ .mpo_vnode_create_extattr = mac_biba_vnode_create_extattr,
+ .mpo_vnode_setlabel_extattr = mac_biba_vnode_setlabel_extattr,
+ .mpo_socket_create_mbuf = mac_biba_socket_create_mbuf,
.mpo_create_mbuf_from_syncache = mac_biba_create_mbuf_from_syncache,
- .mpo_create_pipe = mac_biba_create_pipe,
- .mpo_create_posix_sem = mac_biba_create_posix_sem,
- .mpo_create_socket = mac_biba_create_socket,
- .mpo_create_socket_from_socket = mac_biba_create_socket_from_socket,
- .mpo_relabel_pipe = mac_biba_relabel_pipe,
- .mpo_relabel_socket = mac_biba_relabel_socket,
- .mpo_set_socket_peer_from_mbuf = mac_biba_set_socket_peer_from_mbuf,
- .mpo_set_socket_peer_from_socket = mac_biba_set_socket_peer_from_socket,
- .mpo_create_bpfdesc = mac_biba_create_bpfdesc,
- .mpo_create_datagram_from_ipq = mac_biba_create_datagram_from_ipq,
- .mpo_create_fragment = mac_biba_create_fragment,
- .mpo_create_ifnet = mac_biba_create_ifnet,
- .mpo_create_inpcb_from_socket = mac_biba_create_inpcb_from_socket,
- .mpo_create_sysv_msgmsg = mac_biba_create_sysv_msgmsg,
- .mpo_create_sysv_msgqueue = mac_biba_create_sysv_msgqueue,
- .mpo_create_sysv_sem = mac_biba_create_sysv_sem,
- .mpo_create_sysv_shm = mac_biba_create_sysv_shm,
- .mpo_create_ipq = mac_biba_create_ipq,
- .mpo_create_mbuf_from_inpcb = mac_biba_create_mbuf_from_inpcb,
+ .mpo_pipe_create = mac_biba_pipe_create,
+ .mpo_posixsem_create = mac_biba_posixsem_create,
+ .mpo_socket_create = mac_biba_socket_create,
+ .mpo_socket_newconn = mac_biba_socket_newconn,
+ .mpo_pipe_relabel = mac_biba_pipe_relabel,
+ .mpo_socket_relabel = mac_biba_socket_relabel,
+ .mpo_socketpeer_set_from_mbuf = mac_biba_socketpeer_set_from_mbuf,
+ .mpo_socketpeer_set_from_socket = mac_biba_socketpeer_set_from_socket,
+ .mpo_bpfdesc_create = mac_biba_bpfdesc_create,
+ .mpo_ipq_reassemble = mac_biba_ipq_reassemble,
+ .mpo_netinet_fragment = mac_biba_netinet_fragment,
+ .mpo_ifnet_create = mac_biba_ifnet_create,
+ .mpo_inpcb_create = mac_biba_inpcb_create,
+ .mpo_sysvmsg_create = mac_biba_sysvmsg_create,
+ .mpo_sysvmsq_create = mac_biba_sysvmsq_create,
+ .mpo_sysvsem_create = mac_biba_sysvsem_create,
+ .mpo_sysvshm_create = mac_biba_sysvshm_create,
+ .mpo_ipq_create = mac_biba_ipq_create,
+ .mpo_inpcb_create_mbuf = mac_biba_inpcb_create_mbuf,
.mpo_create_mbuf_linklayer = mac_biba_create_mbuf_linklayer,
- .mpo_create_mbuf_from_bpfdesc = mac_biba_create_mbuf_from_bpfdesc,
- .mpo_create_mbuf_from_ifnet = mac_biba_create_mbuf_from_ifnet,
- .mpo_create_mbuf_multicast_encap = mac_biba_create_mbuf_multicast_encap,
- .mpo_create_mbuf_netlayer = mac_biba_create_mbuf_netlayer,
- .mpo_fragment_match = mac_biba_fragment_match,
- .mpo_relabel_ifnet = mac_biba_relabel_ifnet,
- .mpo_update_ipq = mac_biba_update_ipq,
+ .mpo_bpfdesc_create_mbuf = mac_biba_bpfdesc_create_mbuf,
+ .mpo_ifnet_create_mbuf = mac_biba_ifnet_create_mbuf,
+ .mpo_mbuf_create_multicast_encap = mac_biba_mbuf_create_multicast_encap,
+ .mpo_mbuf_create_netlayer = mac_biba_mbuf_create_netlayer,
+ .mpo_ipq_match = mac_biba_ipq_match,
+ .mpo_ifnet_relabel = mac_biba_ifnet_relabel,
+ .mpo_ipq_update = mac_biba_ipq_update,
.mpo_inpcb_sosetlabel = mac_biba_inpcb_sosetlabel,
- .mpo_create_proc0 = mac_biba_create_proc0,
- .mpo_create_proc1 = mac_biba_create_proc1,
- .mpo_relabel_cred = mac_biba_relabel_cred,
- .mpo_cleanup_sysv_msgmsg = mac_biba_cleanup_sysv_msgmsg,
- .mpo_cleanup_sysv_msgqueue = mac_biba_cleanup_sysv_msgqueue,
- .mpo_cleanup_sysv_sem = mac_biba_cleanup_sysv_sem,
- .mpo_cleanup_sysv_shm = mac_biba_cleanup_sysv_shm,
- .mpo_check_bpfdesc_receive = mac_biba_check_bpfdesc_receive,
- .mpo_check_cred_relabel = mac_biba_check_cred_relabel,
- .mpo_check_cred_visible = mac_biba_check_cred_visible,
- .mpo_check_ifnet_relabel = mac_biba_check_ifnet_relabel,
- .mpo_check_ifnet_transmit = mac_biba_check_ifnet_transmit,
- .mpo_check_inpcb_deliver = mac_biba_check_inpcb_deliver,
- .mpo_check_sysv_msgrcv = mac_biba_check_sysv_msgrcv,
- .mpo_check_sysv_msgrmid = mac_biba_check_sysv_msgrmid,
- .mpo_check_sysv_msqget = mac_biba_check_sysv_msqget,
- .mpo_check_sysv_msqsnd = mac_biba_check_sysv_msqsnd,
- .mpo_check_sysv_msqrcv = mac_biba_check_sysv_msqrcv,
- .mpo_check_sysv_msqctl = mac_biba_check_sysv_msqctl,
- .mpo_check_sysv_semctl = mac_biba_check_sysv_semctl,
- .mpo_check_sysv_semget = mac_biba_check_sysv_semget,
- .mpo_check_sysv_semop = mac_biba_check_sysv_semop,
- .mpo_check_sysv_shmat = mac_biba_check_sysv_shmat,
- .mpo_check_sysv_shmctl = mac_biba_check_sysv_shmctl,
- .mpo_check_sysv_shmget = mac_biba_check_sysv_shmget,
- .mpo_check_kld_load = mac_biba_check_kld_load,
- .mpo_check_mount_stat = mac_biba_check_mount_stat,
- .mpo_check_pipe_ioctl = mac_biba_check_pipe_ioctl,
- .mpo_check_pipe_poll = mac_biba_check_pipe_poll,
- .mpo_check_pipe_read = mac_biba_check_pipe_read,
- .mpo_check_pipe_relabel = mac_biba_check_pipe_relabel,
- .mpo_check_pipe_stat = mac_biba_check_pipe_stat,
- .mpo_check_pipe_write = mac_biba_check_pipe_write,
- .mpo_check_posix_sem_destroy = mac_biba_check_posix_sem_write,
- .mpo_check_posix_sem_getvalue = mac_biba_check_posix_sem_rdonly,
- .mpo_check_posix_sem_open = mac_biba_check_posix_sem_write,
- .mpo_check_posix_sem_post = mac_biba_check_posix_sem_write,
- .mpo_check_posix_sem_unlink = mac_biba_check_posix_sem_write,
- .mpo_check_posix_sem_wait = mac_biba_check_posix_sem_write,
- .mpo_check_proc_debug = mac_biba_check_proc_debug,
- .mpo_check_proc_sched = mac_biba_check_proc_sched,
- .mpo_check_proc_signal = mac_biba_check_proc_signal,
- .mpo_check_socket_deliver = mac_biba_check_socket_deliver,
- .mpo_check_socket_relabel = mac_biba_check_socket_relabel,
- .mpo_check_socket_visible = mac_biba_check_socket_visible,
- .mpo_check_system_acct = mac_biba_check_system_acct,
- .mpo_check_system_auditctl = mac_biba_check_system_auditctl,
- .mpo_check_system_auditon = mac_biba_check_system_auditon,
- .mpo_check_system_swapon = mac_biba_check_system_swapon,
- .mpo_check_system_swapoff = mac_biba_check_system_swapoff,
- .mpo_check_system_sysctl = mac_biba_check_system_sysctl,
- .mpo_check_vnode_access = mac_biba_check_vnode_open,
- .mpo_check_vnode_chdir = mac_biba_check_vnode_chdir,
- .mpo_check_vnode_chroot = mac_biba_check_vnode_chroot,
- .mpo_check_vnode_create = mac_biba_check_vnode_create,
- .mpo_check_vnode_deleteacl = mac_biba_check_vnode_deleteacl,
- .mpo_check_vnode_deleteextattr = mac_biba_check_vnode_deleteextattr,
- .mpo_check_vnode_exec = mac_biba_check_vnode_exec,
- .mpo_check_vnode_getacl = mac_biba_check_vnode_getacl,
- .mpo_check_vnode_getextattr = mac_biba_check_vnode_getextattr,
- .mpo_check_vnode_link = mac_biba_check_vnode_link,
- .mpo_check_vnode_listextattr = mac_biba_check_vnode_listextattr,
- .mpo_check_vnode_lookup = mac_biba_check_vnode_lookup,
- .mpo_check_vnode_mmap = mac_biba_check_vnode_mmap,
- .mpo_check_vnode_open = mac_biba_check_vnode_open,
- .mpo_check_vnode_poll = mac_biba_check_vnode_poll,
- .mpo_check_vnode_read = mac_biba_check_vnode_read,
- .mpo_check_vnode_readdir = mac_biba_check_vnode_readdir,
- .mpo_check_vnode_readlink = mac_biba_check_vnode_readlink,
- .mpo_check_vnode_relabel = mac_biba_check_vnode_relabel,
- .mpo_check_vnode_rename_from = mac_biba_check_vnode_rename_from,
- .mpo_check_vnode_rename_to = mac_biba_check_vnode_rename_to,
- .mpo_check_vnode_revoke = mac_biba_check_vnode_revoke,
- .mpo_check_vnode_setacl = mac_biba_check_vnode_setacl,
- .mpo_check_vnode_setextattr = mac_biba_check_vnode_setextattr,
- .mpo_check_vnode_setflags = mac_biba_check_vnode_setflags,
- .mpo_check_vnode_setmode = mac_biba_check_vnode_setmode,
- .mpo_check_vnode_setowner = mac_biba_check_vnode_setowner,
- .mpo_check_vnode_setutimes = mac_biba_check_vnode_setutimes,
- .mpo_check_vnode_stat = mac_biba_check_vnode_stat,
- .mpo_check_vnode_unlink = mac_biba_check_vnode_unlink,
- .mpo_check_vnode_write = mac_biba_check_vnode_write,
+ .mpo_proc_create_swapper = mac_biba_proc_create_swapper,
+ .mpo_proc_create_init = mac_biba_proc_create_init,
+ .mpo_cred_relabel = mac_biba_cred_relabel,
+ .mpo_sysvmsg_cleanup = mac_biba_sysvmsg_cleanup,
+ .mpo_sysvmsq_cleanup = mac_biba_sysvmsq_cleanup,
+ .mpo_sysvsem_cleanup = mac_biba_sysvsem_cleanup,
+ .mpo_sysvshm_cleanup = mac_biba_sysvshm_cleanup,
+ .mpo_bpfdesc_check_receive = mac_biba_bpfdesc_check_receive,
+ .mpo_cred_check_relabel = mac_biba_cred_check_relabel,
+ .mpo_cred_check_visible = mac_biba_cred_check_visible,
+ .mpo_ifnet_check_relabel = mac_biba_ifnet_check_relabel,
+ .mpo_ifnet_check_transmit = mac_biba_ifnet_check_transmit,
+ .mpo_inpcb_check_deliver = mac_biba_inpcb_check_deliver,
+ .mpo_sysvmsq_check_msgrcv = mac_biba_sysvmsq_check_msgrcv,
+ .mpo_sysvmsq_check_msgrmid = mac_biba_sysvmsq_check_msgrmid,
+ .mpo_sysvmsq_check_msqget = mac_biba_sysvmsq_check_msqget,
+ .mpo_sysvmsq_check_msqsnd = mac_biba_sysvmsq_check_msqsnd,
+ .mpo_sysvmsq_check_msqrcv = mac_biba_sysvmsq_check_msqrcv,
+ .mpo_sysvmsq_check_msqctl = mac_biba_sysvmsq_check_msqctl,
+ .mpo_sysvsem_check_semctl = mac_biba_sysvsem_check_semctl,
+ .mpo_sysvsem_check_semget = mac_biba_sysvsem_check_semget,
+ .mpo_sysvsem_check_semop = mac_biba_sysvsem_check_semop,
+ .mpo_sysvshm_check_shmat = mac_biba_sysvshm_check_shmat,
+ .mpo_sysvshm_check_shmctl = mac_biba_sysvshm_check_shmctl,
+ .mpo_sysvshm_check_shmget = mac_biba_sysvshm_check_shmget,
+ .mpo_kld_check_load = mac_biba_kld_check_load,
+ .mpo_mount_check_stat = mac_biba_mount_check_stat,
+ .mpo_pipe_check_ioctl = mac_biba_pipe_check_ioctl,
+ .mpo_pipe_check_poll = mac_biba_pipe_check_poll,
+ .mpo_pipe_check_read = mac_biba_pipe_check_read,
+ .mpo_pipe_check_relabel = mac_biba_pipe_check_relabel,
+ .mpo_pipe_check_stat = mac_biba_pipe_check_stat,
+ .mpo_pipe_check_write = mac_biba_pipe_check_write,
+ .mpo_posixsem_check_destroy = mac_biba_posixsem_check_write,
+ .mpo_posixsem_check_getvalue = mac_biba_posixsem_check_rdonly,
+ .mpo_posixsem_check_open = mac_biba_posixsem_check_write,
+ .mpo_posixsem_check_post = mac_biba_posixsem_check_write,
+ .mpo_posixsem_check_unlink = mac_biba_posixsem_check_write,
+ .mpo_posixsem_check_wait = mac_biba_posixsem_check_write,
+ .mpo_proc_check_debug = mac_biba_proc_check_debug,
+ .mpo_proc_check_sched = mac_biba_proc_check_sched,
+ .mpo_proc_check_signal = mac_biba_proc_check_signal,
+ .mpo_socket_check_deliver = mac_biba_socket_check_deliver,
+ .mpo_socket_check_relabel = mac_biba_socket_check_relabel,
+ .mpo_socket_check_visible = mac_biba_socket_check_visible,
+ .mpo_system_check_acct = mac_biba_system_check_acct,
+ .mpo_system_check_auditctl = mac_biba_system_check_auditctl,
+ .mpo_system_check_auditon = mac_biba_system_check_auditon,
+ .mpo_system_check_swapon = mac_biba_system_check_swapon,
+ .mpo_system_check_swapoff = mac_biba_system_check_swapoff,
+ .mpo_system_check_sysctl = mac_biba_system_check_sysctl,
+ .mpo_vnode_check_access = mac_biba_vnode_check_open,
+ .mpo_vnode_check_chdir = mac_biba_vnode_check_chdir,
+ .mpo_vnode_check_chroot = mac_biba_vnode_check_chroot,
+ .mpo_vnode_check_create = mac_biba_vnode_check_create,
+ .mpo_vnode_check_deleteacl = mac_biba_vnode_check_deleteacl,
+ .mpo_vnode_check_deleteextattr = mac_biba_vnode_check_deleteextattr,
+ .mpo_vnode_check_exec = mac_biba_vnode_check_exec,
+ .mpo_vnode_check_getacl = mac_biba_vnode_check_getacl,
+ .mpo_vnode_check_getextattr = mac_biba_vnode_check_getextattr,
+ .mpo_vnode_check_link = mac_biba_vnode_check_link,
+ .mpo_vnode_check_listextattr = mac_biba_vnode_check_listextattr,
+ .mpo_vnode_check_lookup = mac_biba_vnode_check_lookup,
+ .mpo_vnode_check_mmap = mac_biba_vnode_check_mmap,
+ .mpo_vnode_check_open = mac_biba_vnode_check_open,
+ .mpo_vnode_check_poll = mac_biba_vnode_check_poll,
+ .mpo_vnode_check_read = mac_biba_vnode_check_read,
+ .mpo_vnode_check_readdir = mac_biba_vnode_check_readdir,
+ .mpo_vnode_check_readlink = mac_biba_vnode_check_readlink,
+ .mpo_vnode_check_relabel = mac_biba_vnode_check_relabel,
+ .mpo_vnode_check_rename_from = mac_biba_vnode_check_rename_from,
+ .mpo_vnode_check_rename_to = mac_biba_vnode_check_rename_to,
+ .mpo_vnode_check_revoke = mac_biba_vnode_check_revoke,
+ .mpo_vnode_check_setacl = mac_biba_vnode_check_setacl,
+ .mpo_vnode_check_setextattr = mac_biba_vnode_check_setextattr,
+ .mpo_vnode_check_setflags = mac_biba_vnode_check_setflags,
+ .mpo_vnode_check_setmode = mac_biba_vnode_check_setmode,
+ .mpo_vnode_check_setowner = mac_biba_vnode_check_setowner,
+ .mpo_vnode_check_setutimes = mac_biba_vnode_check_setutimes,
+ .mpo_vnode_check_stat = mac_biba_vnode_check_stat,
+ .mpo_vnode_check_unlink = mac_biba_vnode_check_unlink,
+ .mpo_vnode_check_write = mac_biba_vnode_check_write,
.mpo_associate_nfsd_label = mac_biba_associate_nfsd_label,
- .mpo_create_mbuf_from_firewall = mac_biba_create_mbuf_from_firewall,
+ .mpo_mbuf_create_from_firewall = mac_biba_mbuf_create_from_firewall,
.mpo_priv_check = mac_biba_priv_check,
};
diff --git a/sys/security/mac_bsdextended/mac_bsdextended.c b/sys/security/mac_bsdextended/mac_bsdextended.c
index bdeadce..05521fe 100644
--- a/sys/security/mac_bsdextended/mac_bsdextended.c
+++ b/sys/security/mac_bsdextended/mac_bsdextended.c
@@ -2,6 +2,7 @@
* Copyright (c) 1999-2002, 2007 Robert N. M. Watson
* Copyright (c) 2001-2005 Networks Associates Technology, Inc.
* Copyright (c) 2005 Tom Rhodes
+ * Copyright (c) 2006 SPARTA, Inc.
* All rights reserved.
*
* This software was developed by Robert Watson for the TrustedBSD Project.
@@ -12,6 +13,9 @@
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
* as part of the DARPA CHATS research program.
*
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract
+ * N66001-04-C-6019 ("SEFOS").
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -440,7 +444,7 @@ mac_bsdextended_check_vp(struct ucred *cred, struct vnode *vp, int acc_mode)
}
static int
-mac_bsdextended_check_system_acct(struct ucred *cred, struct vnode *vp,
+mac_bsdextended_system_check_acct(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
@@ -448,7 +452,7 @@ mac_bsdextended_check_system_acct(struct ucred *cred, struct vnode *vp,
}
static int
-mac_bsdextended_check_system_auditctl(struct ucred *cred, struct vnode *vp,
+mac_bsdextended_system_check_auditctl(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
@@ -456,7 +460,7 @@ mac_bsdextended_check_system_auditctl(struct ucred *cred, struct vnode *vp,
}
static int
-mac_bsdextended_check_system_swapoff(struct ucred *cred, struct vnode *vp,
+mac_bsdextended_system_check_swapoff(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
@@ -464,7 +468,7 @@ mac_bsdextended_check_system_swapoff(struct ucred *cred, struct vnode *vp,
}
static int
-mac_bsdextended_check_system_swapon(struct ucred *cred, struct vnode *vp,
+mac_bsdextended_system_check_swapon(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
@@ -472,7 +476,7 @@ mac_bsdextended_check_system_swapon(struct ucred *cred, struct vnode *vp,
}
static int
-mac_bsdextended_check_vnode_access(struct ucred *cred, struct vnode *vp,
+mac_bsdextended_vnode_check_access(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int acc_mode)
{
@@ -480,7 +484,7 @@ mac_bsdextended_check_vnode_access(struct ucred *cred, struct vnode *vp,
}
static int
-mac_bsdextended_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
+mac_bsdextended_vnode_check_chdir(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel)
{
@@ -488,7 +492,7 @@ mac_bsdextended_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
}
static int
-mac_bsdextended_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
+mac_bsdextended_vnode_check_chroot(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel)
{
@@ -504,7 +508,7 @@ mac_bsdextended_check_create_vnode(struct ucred *cred, struct vnode *dvp,
}
static int
-mac_bsdextended_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
+mac_bsdextended_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp,
struct label *vplabel, acl_type_t type)
{
@@ -512,7 +516,7 @@ mac_bsdextended_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
}
static int
-mac_bsdextended_check_vnode_deleteextattr(struct ucred *cred,
+mac_bsdextended_vnode_check_deleteextattr(struct ucred *cred,
struct vnode *vp, struct label *vplabel, int attrnamespace,
const char *name)
{
@@ -521,7 +525,7 @@ mac_bsdextended_check_vnode_deleteextattr(struct ucred *cred,
}
static int
-mac_bsdextended_check_vnode_exec(struct ucred *cred, struct vnode *vp,
+mac_bsdextended_vnode_check_exec(struct ucred *cred, struct vnode *vp,
struct label *vplabel, struct image_params *imgp,
struct label *execlabel)
{
@@ -530,7 +534,7 @@ mac_bsdextended_check_vnode_exec(struct ucred *cred, struct vnode *vp,
}
static int
-mac_bsdextended_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
+mac_bsdextended_vnode_check_getacl(struct ucred *cred, struct vnode *vp,
struct label *vplabel, acl_type_t type)
{
@@ -538,7 +542,7 @@ mac_bsdextended_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
}
static int
-mac_bsdextended_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
+mac_bsdextended_vnode_check_getextattr(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int attrnamespace, const char *name,
struct uio *uio)
{
@@ -547,7 +551,7 @@ mac_bsdextended_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
}
static int
-mac_bsdextended_check_vnode_link(struct ucred *cred, struct vnode *dvp,
+mac_bsdextended_vnode_check_link(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct vnode *vp, struct label *label,
struct componentname *cnp)
{
@@ -563,7 +567,7 @@ mac_bsdextended_check_vnode_link(struct ucred *cred, struct vnode *dvp,
}
static int
-mac_bsdextended_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
+mac_bsdextended_vnode_check_listextattr(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int attrnamespace)
{
@@ -571,7 +575,7 @@ mac_bsdextended_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
}
static int
-mac_bsdextended_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
+mac_bsdextended_vnode_check_lookup(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct componentname *cnp)
{
@@ -579,7 +583,7 @@ mac_bsdextended_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
}
static int
-mac_bsdextended_check_vnode_open(struct ucred *cred, struct vnode *vp,
+mac_bsdextended_vnode_check_open(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int acc_mode)
{
@@ -587,7 +591,7 @@ mac_bsdextended_check_vnode_open(struct ucred *cred, struct vnode *vp,
}
static int
-mac_bsdextended_check_vnode_readdir(struct ucred *cred, struct vnode *dvp,
+mac_bsdextended_vnode_check_readdir(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel)
{
@@ -595,7 +599,7 @@ mac_bsdextended_check_vnode_readdir(struct ucred *cred, struct vnode *dvp,
}
static int
-mac_bsdextended_check_vnode_readdlink(struct ucred *cred, struct vnode *vp,
+mac_bsdextended_vnode_check_readdlink(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
@@ -603,7 +607,7 @@ mac_bsdextended_check_vnode_readdlink(struct ucred *cred, struct vnode *vp,
}
static int
-mac_bsdextended_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
+mac_bsdextended_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct vnode *vp, struct label *vplabel,
struct componentname *cnp)
{
@@ -616,7 +620,7 @@ mac_bsdextended_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
}
static int
-mac_bsdextended_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
+mac_bsdextended_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct vnode *vp, struct label *vplabel,
int samedir, struct componentname *cnp)
{
@@ -631,7 +635,7 @@ mac_bsdextended_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
}
static int
-mac_bsdextended_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
+mac_bsdextended_vnode_check_revoke(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
@@ -647,7 +651,7 @@ mac_bsdextended_check_setacl_vnode(struct ucred *cred, struct vnode *vp,
}
static int
-mac_bsdextended_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
+mac_bsdextended_vnode_check_setextattr(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int attrnamespace, const char *name,
struct uio *uio)
{
@@ -656,7 +660,7 @@ mac_bsdextended_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
}
static int
-mac_bsdextended_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
+mac_bsdextended_vnode_check_setflags(struct ucred *cred, struct vnode *vp,
struct label *vplabel, u_long flags)
{
@@ -664,7 +668,7 @@ mac_bsdextended_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
}
static int
-mac_bsdextended_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
+mac_bsdextended_vnode_check_setmode(struct ucred *cred, struct vnode *vp,
struct label *vplabel, mode_t mode)
{
@@ -672,7 +676,7 @@ mac_bsdextended_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
}
static int
-mac_bsdextended_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
+mac_bsdextended_vnode_check_setowner(struct ucred *cred, struct vnode *vp,
struct label *vplabel, uid_t uid, gid_t gid)
{
@@ -680,7 +684,7 @@ mac_bsdextended_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
}
static int
-mac_bsdextended_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
+mac_bsdextended_vnode_check_setutimes(struct ucred *cred, struct vnode *vp,
struct label *vplabel, struct timespec atime, struct timespec utime)
{
@@ -688,7 +692,7 @@ mac_bsdextended_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
}
static int
-mac_bsdextended_check_vnode_stat(struct ucred *active_cred,
+mac_bsdextended_vnode_check_stat(struct ucred *active_cred,
struct ucred *file_cred, struct vnode *vp, struct label *vplabel)
{
@@ -696,7 +700,7 @@ mac_bsdextended_check_vnode_stat(struct ucred *active_cred,
}
static int
-mac_bsdextended_check_vnode_unlink(struct ucred *cred, struct vnode *dvp,
+mac_bsdextended_vnode_check_unlink(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct vnode *vp, struct label *vplabel,
struct componentname *cnp)
{
@@ -712,36 +716,36 @@ static struct mac_policy_ops mac_bsdextended_ops =
{
.mpo_destroy = mac_bsdextended_destroy,
.mpo_init = mac_bsdextended_init,
- .mpo_check_system_acct = mac_bsdextended_check_system_acct,
- .mpo_check_system_auditctl = mac_bsdextended_check_system_auditctl,
- .mpo_check_system_swapoff = mac_bsdextended_check_system_swapoff,
- .mpo_check_system_swapon = mac_bsdextended_check_system_swapon,
- .mpo_check_vnode_access = mac_bsdextended_check_vnode_access,
- .mpo_check_vnode_chdir = mac_bsdextended_check_vnode_chdir,
- .mpo_check_vnode_chroot = mac_bsdextended_check_vnode_chroot,
- .mpo_check_vnode_create = mac_bsdextended_check_create_vnode,
- .mpo_check_vnode_deleteacl = mac_bsdextended_check_vnode_deleteacl,
- .mpo_check_vnode_deleteextattr = mac_bsdextended_check_vnode_deleteextattr,
- .mpo_check_vnode_exec = mac_bsdextended_check_vnode_exec,
- .mpo_check_vnode_getacl = mac_bsdextended_check_vnode_getacl,
- .mpo_check_vnode_getextattr = mac_bsdextended_check_vnode_getextattr,
- .mpo_check_vnode_link = mac_bsdextended_check_vnode_link,
- .mpo_check_vnode_listextattr = mac_bsdextended_check_vnode_listextattr,
- .mpo_check_vnode_lookup = mac_bsdextended_check_vnode_lookup,
- .mpo_check_vnode_open = mac_bsdextended_check_vnode_open,
- .mpo_check_vnode_readdir = mac_bsdextended_check_vnode_readdir,
- .mpo_check_vnode_readlink = mac_bsdextended_check_vnode_readdlink,
- .mpo_check_vnode_rename_from = mac_bsdextended_check_vnode_rename_from,
- .mpo_check_vnode_rename_to = mac_bsdextended_check_vnode_rename_to,
- .mpo_check_vnode_revoke = mac_bsdextended_check_vnode_revoke,
- .mpo_check_vnode_setacl = mac_bsdextended_check_setacl_vnode,
- .mpo_check_vnode_setextattr = mac_bsdextended_check_vnode_setextattr,
- .mpo_check_vnode_setflags = mac_bsdextended_check_vnode_setflags,
- .mpo_check_vnode_setmode = mac_bsdextended_check_vnode_setmode,
- .mpo_check_vnode_setowner = mac_bsdextended_check_vnode_setowner,
- .mpo_check_vnode_setutimes = mac_bsdextended_check_vnode_setutimes,
- .mpo_check_vnode_stat = mac_bsdextended_check_vnode_stat,
- .mpo_check_vnode_unlink = mac_bsdextended_check_vnode_unlink,
+ .mpo_system_check_acct = mac_bsdextended_system_check_acct,
+ .mpo_system_check_auditctl = mac_bsdextended_system_check_auditctl,
+ .mpo_system_check_swapoff = mac_bsdextended_system_check_swapoff,
+ .mpo_system_check_swapon = mac_bsdextended_system_check_swapon,
+ .mpo_vnode_check_access = mac_bsdextended_vnode_check_access,
+ .mpo_vnode_check_chdir = mac_bsdextended_vnode_check_chdir,
+ .mpo_vnode_check_chroot = mac_bsdextended_vnode_check_chroot,
+ .mpo_vnode_check_create = mac_bsdextended_check_create_vnode,
+ .mpo_vnode_check_deleteacl = mac_bsdextended_vnode_check_deleteacl,
+ .mpo_vnode_check_deleteextattr = mac_bsdextended_vnode_check_deleteextattr,
+ .mpo_vnode_check_exec = mac_bsdextended_vnode_check_exec,
+ .mpo_vnode_check_getacl = mac_bsdextended_vnode_check_getacl,
+ .mpo_vnode_check_getextattr = mac_bsdextended_vnode_check_getextattr,
+ .mpo_vnode_check_link = mac_bsdextended_vnode_check_link,
+ .mpo_vnode_check_listextattr = mac_bsdextended_vnode_check_listextattr,
+ .mpo_vnode_check_lookup = mac_bsdextended_vnode_check_lookup,
+ .mpo_vnode_check_open = mac_bsdextended_vnode_check_open,
+ .mpo_vnode_check_readdir = mac_bsdextended_vnode_check_readdir,
+ .mpo_vnode_check_readlink = mac_bsdextended_vnode_check_readdlink,
+ .mpo_vnode_check_rename_from = mac_bsdextended_vnode_check_rename_from,
+ .mpo_vnode_check_rename_to = mac_bsdextended_vnode_check_rename_to,
+ .mpo_vnode_check_revoke = mac_bsdextended_vnode_check_revoke,
+ .mpo_vnode_check_setacl = mac_bsdextended_check_setacl_vnode,
+ .mpo_vnode_check_setextattr = mac_bsdextended_vnode_check_setextattr,
+ .mpo_vnode_check_setflags = mac_bsdextended_vnode_check_setflags,
+ .mpo_vnode_check_setmode = mac_bsdextended_vnode_check_setmode,
+ .mpo_vnode_check_setowner = mac_bsdextended_vnode_check_setowner,
+ .mpo_vnode_check_setutimes = mac_bsdextended_vnode_check_setutimes,
+ .mpo_vnode_check_stat = mac_bsdextended_vnode_check_stat,
+ .mpo_vnode_check_unlink = mac_bsdextended_vnode_check_unlink,
};
MAC_POLICY_SET(&mac_bsdextended_ops, mac_bsdextended,
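Review bot: The rename is incomplete in this table: `.mpo_vnode_check_create` and `.mpo_vnode_check_setacl` still point at `mac_bsdextended_check_create_vnode` and `mac_bsdextended_check_setacl_vnode`, which keep the old verb-first form, and `.mpo_vnode_check_readlink` points at `mac_bsdextended_vnode_check_readdlink` with a doubled `d`. The bindings presumably still resolve, since the two old-style names also appear in the earlier hunk headers for this file, so this is a consistency point only. The commit's stated goal is the `mac_<object>_check_<method/action>` form, and a mechanical search for that pattern will miss these three. I would rename them to `mac_bsdextended_vnode_check_create`, `mac_bsdextended_vnode_check_setacl` and `mac_bsdextended_vnode_check_readlink`, both at the definitions and in this table.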
diff --git a/sys/security/mac_ifoff/mac_ifoff.c b/sys/security/mac_ifoff/mac_ifoff.c
index 412a547..31bf09a 100644
--- a/sys/security/mac_ifoff/mac_ifoff.c
+++ b/sys/security/mac_ifoff/mac_ifoff.c
@@ -1,6 +1,7 @@
/*-
* Copyright (c) 1999-2002, 2007 Robert N. M. Watson
* Copyright (c) 2001-2002 Networks Associates Technology, Inc.
+ * Copyright (c) 2006 SPARTA, Inc.
* All rights reserved.
*
* This software was developed by Robert Watson for the TrustedBSD Project.
@@ -10,6 +11,9 @@
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
* as part of the DARPA CHATS research program.
*
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract
+ * N66001-04-C-6019 ("SEFOS").
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -79,7 +83,7 @@ SYSCTL_INT(_security_mac_ifoff, OID_AUTO, bpfrecv_enabled, CTLFLAG_RW,
TUNABLE_INT("security.mac.ifoff.bpfrecv.enabled", &mac_ifoff_bpfrecv_enabled);
static int
-check_ifnet_outgoing(struct ifnet *ifp)
+ifnet_check_outgoing(struct ifnet *ifp)
{
if (!mac_ifoff_enabled)
@@ -95,7 +99,7 @@ check_ifnet_outgoing(struct ifnet *ifp)
}
static int
-check_ifnet_incoming(struct ifnet *ifp, int viabpf)
+ifnet_check_incoming(struct ifnet *ifp, int viabpf)
{
if (!mac_ifoff_enabled)
return (0);
@@ -113,51 +117,51 @@ check_ifnet_incoming(struct ifnet *ifp, int viabpf)
}
static int
-mac_ifoff_check_bpfdesc_receive(struct bpf_d *d, struct label *dlabel,
+mac_ifoff_bpfdesc_check_receive(struct bpf_d *d, struct label *dlabel,
struct ifnet *ifp, struct label *ifplabel)
{
- return (check_ifnet_incoming(ifp, 1));
+ return (ifnet_check_incoming(ifp, 1));
}
static int
-mac_ifoff_check_ifnet_transmit(struct ifnet *ifp, struct label *ifplabel,
+mac_ifoff_ifnet_check_transmit(struct ifnet *ifp, struct label *ifplabel,
struct mbuf *m, struct label *mlabel)
{
- return (check_ifnet_outgoing(ifp));
+ return (ifnet_check_outgoing(ifp));
}
static int
-mac_ifoff_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel,
+mac_ifoff_inpcb_check_deliver(struct inpcb *inp, struct label *inplabel,
struct mbuf *m, struct label *mlabel)
{
M_ASSERTPKTHDR(m);
if (m->m_pkthdr.rcvif != NULL)
- return (check_ifnet_incoming(m->m_pkthdr.rcvif, 0));
+ return (ifnet_check_incoming(m->m_pkthdr.rcvif, 0));
return (0);
}
static int
-mac_ifoff_check_socket_deliver(struct socket *so, struct label *solabel,
+mac_ifoff_socket_check_deliver(struct socket *so, struct label *solabel,
struct mbuf *m, struct label *mlabel)
{
M_ASSERTPKTHDR(m);
if (m->m_pkthdr.rcvif != NULL)
- return (check_ifnet_incoming(m->m_pkthdr.rcvif, 0));
+ return (ifnet_check_incoming(m->m_pkthdr.rcvif, 0));
return (0);
}
static struct mac_policy_ops mac_ifoff_ops =
{
- .mpo_check_bpfdesc_receive = mac_ifoff_check_bpfdesc_receive,
- .mpo_check_ifnet_transmit = mac_ifoff_check_ifnet_transmit,
- .mpo_check_inpcb_deliver = mac_ifoff_check_inpcb_deliver,
- .mpo_check_socket_deliver = mac_ifoff_check_socket_deliver,
+ .mpo_bpfdesc_check_receive = mac_ifoff_bpfdesc_check_receive,
+ .mpo_ifnet_check_transmit = mac_ifoff_ifnet_check_transmit,
+ .mpo_inpcb_check_deliver = mac_ifoff_inpcb_check_deliver,
+ .mpo_socket_check_deliver = mac_ifoff_socket_check_deliver,
};
MAC_POLICY_SET(&mac_ifoff_ops, mac_ifoff, "TrustedBSD MAC/ifoff",
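Review bot: In `mac_ifoff_inpcb_check_deliver` and `mac_ifoff_socket_check_deliver` the `return (0)` path for `m->m_pkthdr.rcvif == NULL` is undocumented, so a reader cannot tell whether delivering such mbufs regardless of the ifoff settings is intended. A short comment above the `if` in both functions would make the policy decision explicit, for example `/* No receive interface recorded (presumably locally generated): not subject to the interface policy. */`, with the wording confirmed against the callers. The two bodies are also identical and could share one static helper that takes the mbuf.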
diff --git a/sys/security/mac_lomac/mac_lomac.c b/sys/security/mac_lomac/mac_lomac.c
index 2186b97..8b44a09 100644
--- a/sys/security/mac_lomac/mac_lomac.c
+++ b/sys/security/mac_lomac/mac_lomac.c
@@ -1,6 +1,7 @@
/*-
* Copyright (c) 1999-2002, 2007 Robert N. M. Watson
* Copyright (c) 2001-2005 Networks Associates Technology, Inc.
+ * Copyright (c) 2006 SPARTA, Inc.
* All rights reserved.
*
* This software was developed by Robert Watson for the TrustedBSD Project.
@@ -10,6 +11,9 @@
* DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA
* CHATS research program.
*
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract
+ * N66001-04-C-6019 ("SEFOS").
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -631,7 +635,7 @@ mac_lomac_init_label_waitcheck(struct label *label, int flag)
}
static void
-mac_lomac_init_proc_label(struct label *label)
+mac_lomac_proc_init_label(struct label *label)
{
PSLOT_SET(label, malloc(sizeof(struct mac_lomac_proc), M_MACLOMAC,
@@ -648,7 +652,7 @@ mac_lomac_destroy_label(struct label *label)
}
static void
-mac_lomac_destroy_proc_label(struct label *label)
+mac_lomac_proc_destroy_label(struct label *label)
{
mtx_destroy(&PSLOT(label)->mtx);
@@ -901,7 +905,7 @@ mac_lomac_copy_label(struct label *src, struct label *dest)
* a lot like file system objects.
*/
static void
-mac_lomac_create_devfs_device(struct ucred *cred, struct mount *mp,
+mac_lomac_devfs_create_device(struct ucred *cred, struct mount *mp,
struct cdev *dev, struct devfs_dirent *de, struct label *delabel)
{
struct mac_lomac *mac_lomac;
@@ -924,7 +928,7 @@ mac_lomac_create_devfs_device(struct ucred *cred, struct mount *mp,
}
static void
-mac_lomac_create_devfs_directory(struct mount *mp, char *dirname,
+mac_lomac_devfs_create_directory(struct mount *mp, char *dirname,
int dirnamelen, struct devfs_dirent *de, struct label *delabel)
{
struct mac_lomac *mac_lomac;
@@ -934,7 +938,7 @@ mac_lomac_create_devfs_directory(struct mount *mp, char *dirname,
}
static void
-mac_lomac_create_devfs_symlink(struct ucred *cred, struct mount *mp,
+mac_lomac_devfs_create_symlink(struct ucred *cred, struct mount *mp,
struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de,
struct label *delabel)
{
@@ -947,7 +951,7 @@ mac_lomac_create_devfs_symlink(struct ucred *cred, struct mount *mp,
}
static void
-mac_lomac_create_mount(struct ucred *cred, struct mount *mp,
+mac_lomac_mount_create(struct ucred *cred, struct mount *mp,
struct label *mplabel)
{
struct mac_lomac *source, *dest;
@@ -958,7 +962,7 @@ mac_lomac_create_mount(struct ucred *cred, struct mount *mp,
}
static void
-mac_lomac_relabel_vnode(struct ucred *cred, struct vnode *vp,
+mac_lomac_vnode_relabel(struct ucred *cred, struct vnode *vp,
struct label *vplabel, struct label *newlabel)
{
struct mac_lomac *source, *dest;
@@ -970,7 +974,7 @@ mac_lomac_relabel_vnode(struct ucred *cred, struct vnode *vp,
}
static void
-mac_lomac_update_devfs(struct mount *mp, struct devfs_dirent *de,
+mac_lomac_devfs_update(struct mount *mp, struct devfs_dirent *de,
struct label *delabel, struct vnode *vp, struct label *vplabel)
{
struct mac_lomac *source, *dest;
@@ -982,7 +986,7 @@ mac_lomac_update_devfs(struct mount *mp, struct devfs_dirent *de,
}
static void
-mac_lomac_associate_vnode_devfs(struct mount *mp, struct label *mplabel,
+mac_lomac_devfs_vnode_associate(struct mount *mp, struct label *mplabel,
struct devfs_dirent *de, struct label *delabel, struct vnode *vp,
struct label *vplabel)
{
@@ -995,7 +999,7 @@ mac_lomac_associate_vnode_devfs(struct mount *mp, struct label *mplabel,
}
static int
-mac_lomac_associate_vnode_extattr(struct mount *mp, struct label *mplabel,
+mac_lomac_vnode_associate_extattr(struct mount *mp, struct label *mplabel,
struct vnode *vp, struct label *vplabel)
{
struct mac_lomac temp, *source, *dest;
@@ -1018,7 +1022,7 @@ mac_lomac_associate_vnode_extattr(struct mount *mp, struct label *mplabel,
if (buflen != sizeof(temp)) {
if (buflen != sizeof(temp) - sizeof(temp.ml_auxsingle)) {
- printf("mac_lomac_associate_vnode_extattr: bad size %d\n",
+ printf("mac_lomac_vnode_associate_extattr: bad size %d\n",
buflen);
return (EPERM);
}
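Review bot: The diagnostic `printf` calls in `mac_lomac_vnode_associate_extattr` hard-code the function name, which is why this rename had to edit the string here and twice more in the next hunk (the `invalid` and `not single` messages). Writing `printf("%s: bad size %d\n", __func__, buflen);`, and the same pattern for the other two, keeps the messages correct across later renames. That matters because these lines are the only trace left when a stored label is rejected with `EPERM`. The function starts and ends outside these hunks.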
@@ -1029,11 +1033,11 @@ mac_lomac_associate_vnode_extattr(struct mount *mp, struct label *mplabel,
buflen, (char *)&temp, curthread);
}
if (mac_lomac_valid(&temp) != 0) {
- printf("mac_lomac_associate_vnode_extattr: invalid\n");
+ printf("mac_lomac_vnode_associate_extattr: invalid\n");
return (EPERM);
}
if ((temp.ml_flags & MAC_LOMAC_FLAGS_BOTH) != MAC_LOMAC_FLAG_SINGLE) {
- printf("mac_lomac_associate_vnode_extattr: not single\n");
+ printf("mac_lomac_vnode_associate_extattr: not single\n");
return (EPERM);
}
@@ -1042,7 +1046,7 @@ mac_lomac_associate_vnode_extattr(struct mount *mp, struct label *mplabel,
}
static void
-mac_lomac_associate_vnode_singlelabel(struct mount *mp,
+mac_lomac_vnode_associate_singlelabel(struct mount *mp,
struct label *mplabel, struct vnode *vp, struct label *vplabel)
{
struct mac_lomac *source, *dest;
@@ -1054,7 +1058,7 @@ mac_lomac_associate_vnode_singlelabel(struct mount *mp,
}
static int
-mac_lomac_create_vnode_extattr(struct ucred *cred, struct mount *mp,
+mac_lomac_vnode_create_extattr(struct ucred *cred, struct mount *mp,
struct label *mplabel, struct vnode *dvp, struct label *dvplabel,
struct vnode *vp, struct label *vplabel, struct componentname *cnp)
{
@@ -1084,7 +1088,7 @@ mac_lomac_create_vnode_extattr(struct ucred *cred, struct mount *mp,
}
static int
-mac_lomac_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
+mac_lomac_vnode_setlabel_extattr(struct ucred *cred, struct vnode *vp,
struct label *vplabel, struct label *intlabel)
{
struct mac_lomac *source, temp;
@@ -1108,7 +1112,7 @@ mac_lomac_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
* Labeling event operations: IPC object.
*/
static void
-mac_lomac_create_inpcb_from_socket(struct socket *so, struct label *solabel,
+mac_lomac_inpcb_create(struct socket *so, struct label *solabel,
struct inpcb *inp, struct label *inplabel)
{
struct mac_lomac *source, *dest;
@@ -1120,7 +1124,7 @@ mac_lomac_create_inpcb_from_socket(struct socket *so, struct label *solabel,
}
static void
-mac_lomac_create_mbuf_from_socket(struct socket *so, struct label *solabel,
+mac_lomac_socket_create_mbuf(struct socket *so, struct label *solabel,
struct mbuf *m, struct label *mlabel)
{
struct mac_lomac *source, *dest;
@@ -1132,7 +1136,7 @@ mac_lomac_create_mbuf_from_socket(struct socket *so, struct label *solabel,
}
static void
-mac_lomac_create_socket(struct ucred *cred, struct socket *so,
+mac_lomac_socket_create(struct ucred *cred, struct socket *so,
struct label *solabel)
{
struct mac_lomac *source, *dest;
@@ -1144,7 +1148,7 @@ mac_lomac_create_socket(struct ucred *cred, struct socket *so,
}
static void
-mac_lomac_create_pipe(struct ucred *cred, struct pipepair *pp,
+mac_lomac_pipe_create(struct ucred *cred, struct pipepair *pp,
struct label *pplabel)
{
struct mac_lomac *source, *dest;
@@ -1156,8 +1160,8 @@ mac_lomac_create_pipe(struct ucred *cred, struct pipepair *pp,
}
static void
-mac_lomac_create_socket_from_socket(struct socket *oldso,
- struct label *oldsolabel, struct socket *newso, struct label *newsolabel)
+mac_lomac_socket_newconn(struct socket *oldso, struct label *oldsolabel,
+ struct socket *newso, struct label *newsolabel)
{
struct mac_lomac *source, *dest;
@@ -1168,7 +1172,7 @@ mac_lomac_create_socket_from_socket(struct socket *oldso,
}
static void
-mac_lomac_relabel_socket(struct ucred *cred, struct socket *so,
+mac_lomac_socket_relabel(struct ucred *cred, struct socket *so,
struct label *solabel, struct label *newlabel)
{
struct mac_lomac *source, *dest;
@@ -1180,7 +1184,7 @@ mac_lomac_relabel_socket(struct ucred *cred, struct socket *so,
}
static void
-mac_lomac_relabel_pipe(struct ucred *cred, struct pipepair *pp,
+mac_lomac_pipe_relabel(struct ucred *cred, struct pipepair *pp,
struct label *pplabel, struct label *newlabel)
{
struct mac_lomac *source, *dest;
@@ -1192,7 +1196,7 @@ mac_lomac_relabel_pipe(struct ucred *cred, struct pipepair *pp,
}
static void
-mac_lomac_set_socket_peer_from_mbuf(struct mbuf *m, struct label *mlabel,
+mac_lomac_socketpeer_set_from_mbuf(struct mbuf *m, struct label *mlabel,
struct socket *so, struct label *sopeerlabel)
{
struct mac_lomac *source, *dest;
@@ -1207,7 +1211,7 @@ mac_lomac_set_socket_peer_from_mbuf(struct mbuf *m, struct label *mlabel,
* Labeling event operations: network objects.
*/
static void
-mac_lomac_set_socket_peer_from_socket(struct socket *oldso,
+mac_lomac_socketpeer_set_from_socket(struct socket *oldso,
struct label *oldsolabel, struct socket *newso,
struct label *newsopeerlabel)
{
@@ -1220,7 +1224,7 @@ mac_lomac_set_socket_peer_from_socket(struct socket *oldso,
}
static void
-mac_lomac_create_bpfdesc(struct ucred *cred, struct bpf_d *d,
+mac_lomac_bpfdesc_create(struct ucred *cred, struct bpf_d *d,
struct label *dlabel)
{
struct mac_lomac *source, *dest;
@@ -1232,7 +1236,7 @@ mac_lomac_create_bpfdesc(struct ucred *cred, struct bpf_d *d,
}
static void
-mac_lomac_create_ifnet(struct ifnet *ifp, struct label *ifplabel)
+mac_lomac_ifnet_create(struct ifnet *ifp, struct label *ifplabel)
{
char tifname[IFNAMSIZ], *p, *q;
char tiflist[sizeof(trusted_interfaces)];
@@ -1290,7 +1294,7 @@ set:
}
static void
-mac_lomac_create_ipq(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
+mac_lomac_ipq_create(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
struct label *ipqlabel)
{
struct mac_lomac *source, *dest;
@@ -1302,7 +1306,7 @@ mac_lomac_create_ipq(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
}
static void
-mac_lomac_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel,
+mac_lomac_ipq_reassemble(struct ipq *ipq, struct label *ipqlabel,
struct mbuf *m, struct label *mlabel)
{
struct mac_lomac *source, *dest;
@@ -1315,7 +1319,7 @@ mac_lomac_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel,
}
static void
-mac_lomac_create_fragment(struct mbuf *m, struct label *mlabel,
+mac_lomac_netinet_fragment(struct mbuf *m, struct label *mlabel,
struct mbuf *frag, struct label *fraglabel)
{
struct mac_lomac *source, *dest;
@@ -1327,7 +1331,7 @@ mac_lomac_create_fragment(struct mbuf *m, struct label *mlabel,
}
static void
-mac_lomac_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel,
+mac_lomac_inpcb_create_mbuf(struct inpcb *inp, struct label *inplabel,
struct mbuf *m, struct label *mlabel)
{
struct mac_lomac *source, *dest;
@@ -1350,7 +1354,7 @@ mac_lomac_create_mbuf_linklayer(struct ifnet *ifp, struct label *ifplabel,
}
static void
-mac_lomac_create_mbuf_from_bpfdesc(struct bpf_d *d, struct label *dlabel,
+mac_lomac_bpfdesc_create_mbuf(struct bpf_d *d, struct label *dlabel,
struct mbuf *m, struct label *mlabel)
{
struct mac_lomac *source, *dest;
@@ -1362,7 +1366,7 @@ mac_lomac_create_mbuf_from_bpfdesc(struct bpf_d *d, struct label *dlabel,
}
static void
-mac_lomac_create_mbuf_from_ifnet(struct ifnet *ifp, struct label *ifplabel,
+mac_lomac_ifnet_create_mbuf(struct ifnet *ifp, struct label *ifplabel,
struct mbuf *m, struct label *mlabel)
{
struct mac_lomac *source, *dest;
@@ -1374,7 +1378,7 @@ mac_lomac_create_mbuf_from_ifnet(struct ifnet *ifp, struct label *ifplabel,
}
static void
-mac_lomac_create_mbuf_multicast_encap(struct mbuf *m, struct label *mlabel,
+mac_lomac_mbuf_create_multicast_encap(struct mbuf *m, struct label *mlabel,
struct ifnet *ifp, struct label *ifplabel, struct mbuf *mnew,
struct label *mnewlabel)
{
@@ -1387,7 +1391,7 @@ mac_lomac_create_mbuf_multicast_encap(struct mbuf *m, struct label *mlabel,
}
static void
-mac_lomac_create_mbuf_netlayer(struct mbuf *m, struct label *mlabel,
+mac_lomac_mbuf_create_netlayer(struct mbuf *m, struct label *mlabel,
struct mbuf *mnew, struct label *mnewlabel)
{
struct mac_lomac *source, *dest;
@@ -1399,8 +1403,8 @@ mac_lomac_create_mbuf_netlayer(struct mbuf *m, struct label *mlabel,
}
static int
-mac_lomac_fragment_match(struct mbuf *m, struct label *mlabel,
- struct ipq *ipq, struct label *ipqlabel)
+mac_lomac_ipq_match(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
+ struct label *ipqlabel)
{
struct mac_lomac *a, *b;
@@ -1411,7 +1415,7 @@ mac_lomac_fragment_match(struct mbuf *m, struct label *mlabel,
}
static void
-mac_lomac_relabel_ifnet(struct ucred *cred, struct ifnet *ifp,
+mac_lomac_ifnet_relabel(struct ucred *cred, struct ifnet *ifp,
struct label *ifplabel, struct label *newlabel)
{
struct mac_lomac *source, *dest;
@@ -1423,7 +1427,7 @@ mac_lomac_relabel_ifnet(struct ucred *cred, struct ifnet *ifp,
}
static void
-mac_lomac_update_ipq(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
+mac_lomac_ipq_update(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
struct label *ipqlabel)
{
@@ -1464,7 +1468,7 @@ mac_lomac_create_mbuf_from_syncache(struct label *sc_label, struct mbuf *m,
}
static void
-mac_lomac_create_mbuf_from_firewall(struct mbuf *m, struct label *mlabel)
+mac_lomac_mbuf_create_from_firewall(struct mbuf *m, struct label *mlabel)
{
struct mac_lomac *dest;
@@ -1478,7 +1482,7 @@ mac_lomac_create_mbuf_from_firewall(struct mbuf *m, struct label *mlabel)
* Labeling event operations: processes.
*/
static void
-mac_lomac_execve_transition(struct ucred *old, struct ucred *new,
+mac_lomac_vnode_execve_transition(struct ucred *old, struct ucred *new,
struct vnode *vp, struct label *vplabel, struct label *interpvnodelabel,
struct image_params *imgp, struct label *execlabel)
{
@@ -1514,7 +1518,7 @@ mac_lomac_execve_transition(struct ucred *old, struct ucred *new,
}
static int
-mac_lomac_execve_will_transition(struct ucred *old, struct vnode *vp,
+mac_lomac_vnode_execve_will_transition(struct ucred *old, struct vnode *vp,
struct label *vplabel, struct label *interpvnodelabel,
struct image_params *imgp, struct label *execlabel)
{
@@ -1534,7 +1538,7 @@ mac_lomac_execve_will_transition(struct ucred *old, struct vnode *vp,
}
static void
-mac_lomac_create_proc0(struct ucred *cred)
+mac_lomac_proc_create_swapper(struct ucred *cred)
{
struct mac_lomac *dest;
@@ -1546,7 +1550,7 @@ mac_lomac_create_proc0(struct ucred *cred)
}
static void
-mac_lomac_create_proc1(struct ucred *cred)
+mac_lomac_proc_create_init(struct ucred *cred)
{
struct mac_lomac *dest;
@@ -1558,7 +1562,7 @@ mac_lomac_create_proc1(struct ucred *cred)
}
static void
-mac_lomac_relabel_cred(struct ucred *cred, struct label *newlabel)
+mac_lomac_cred_relabel(struct ucred *cred, struct label *newlabel)
{
struct mac_lomac *source, *dest;
@@ -1572,7 +1576,7 @@ mac_lomac_relabel_cred(struct ucred *cred, struct label *newlabel)
* Access control checks.
*/
static int
-mac_lomac_check_bpfdesc_receive(struct bpf_d *d, struct label *dlabel,
+mac_lomac_bpfdesc_check_receive(struct bpf_d *d, struct label *dlabel,
struct ifnet *ifp, struct label *ifplabel)
{
struct mac_lomac *a, *b;
@@ -1589,7 +1593,7 @@ mac_lomac_check_bpfdesc_receive(struct bpf_d *d, struct label *dlabel,
}
static int
-mac_lomac_check_cred_relabel(struct ucred *cred, struct label *newlabel)
+mac_lomac_cred_check_relabel(struct ucred *cred, struct label *newlabel)
{
struct mac_lomac *subj, *new;
int error;
@@ -1655,7 +1659,7 @@ mac_lomac_check_cred_relabel(struct ucred *cred, struct label *newlabel)
}
static int
-mac_lomac_check_cred_visible(struct ucred *cr1, struct ucred *cr2)
+mac_lomac_cred_check_visible(struct ucred *cr1, struct ucred *cr2)
{
struct mac_lomac *subj, *obj;
@@ -1673,7 +1677,7 @@ mac_lomac_check_cred_visible(struct ucred *cr1, struct ucred *cr2)
}
static int
-mac_lomac_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifp,
+mac_lomac_ifnet_check_relabel(struct ucred *cred, struct ifnet *ifp,
struct label *ifplabel, struct label *newlabel)
{
struct mac_lomac *subj, *new;
@@ -1730,7 +1734,7 @@ mac_lomac_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifp,
}
static int
-mac_lomac_check_ifnet_transmit(struct ifnet *ifp, struct label *ifplabel,
+mac_lomac_ifnet_check_transmit(struct ifnet *ifp, struct label *ifplabel,
struct mbuf *m, struct label *mlabel)
{
struct mac_lomac *p, *i;
@@ -1745,7 +1749,7 @@ mac_lomac_check_ifnet_transmit(struct ifnet *ifp, struct label *ifplabel,
}
static int
-mac_lomac_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel,
+mac_lomac_inpcb_check_deliver(struct inpcb *inp, struct label *inplabel,
struct mbuf *m, struct label *mlabel)
{
struct mac_lomac *p, *i;
@@ -1760,7 +1764,7 @@ mac_lomac_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel,
}
static int
-mac_lomac_check_kld_load(struct ucred *cred, struct vnode *vp,
+mac_lomac_kld_check_load(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
struct mac_lomac *subj, *obj;
@@ -1781,7 +1785,7 @@ mac_lomac_check_kld_load(struct ucred *cred, struct vnode *vp,
}
static int
-mac_lomac_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp,
+mac_lomac_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp,
struct label *pplabel, unsigned long cmd, void /* caddr_t */ *data)
{
@@ -1794,7 +1798,7 @@ mac_lomac_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp,
}
static int
-mac_lomac_check_pipe_read(struct ucred *cred, struct pipepair *pp,
+mac_lomac_pipe_check_read(struct ucred *cred, struct pipepair *pp,
struct label *pplabel)
{
struct mac_lomac *subj, *obj;
@@ -1812,7 +1816,7 @@ mac_lomac_check_pipe_read(struct ucred *cred, struct pipepair *pp,
}
static int
-mac_lomac_check_pipe_relabel(struct ucred *cred, struct pipepair *pp,
+mac_lomac_pipe_check_relabel(struct ucred *cred, struct pipepair *pp,
struct label *pplabel, struct label *newlabel)
{
struct mac_lomac *subj, *obj, *new;
@@ -1863,7 +1867,7 @@ mac_lomac_check_pipe_relabel(struct ucred *cred, struct pipepair *pp,
}
static int
-mac_lomac_check_pipe_write(struct ucred *cred, struct pipepair *pp,
+mac_lomac_pipe_check_write(struct ucred *cred, struct pipepair *pp,
struct label *pplabel)
{
struct mac_lomac *subj, *obj;
@@ -1881,7 +1885,7 @@ mac_lomac_check_pipe_write(struct ucred *cred, struct pipepair *pp,
}
static int
-mac_lomac_check_proc_debug(struct ucred *cred, struct proc *p)
+mac_lomac_proc_check_debug(struct ucred *cred, struct proc *p)
{
struct mac_lomac *subj, *obj;
@@ -1901,7 +1905,7 @@ mac_lomac_check_proc_debug(struct ucred *cred, struct proc *p)
}
static int
-mac_lomac_check_proc_sched(struct ucred *cred, struct proc *p)
+mac_lomac_proc_check_sched(struct ucred *cred, struct proc *p)
{
struct mac_lomac *subj, *obj;
@@ -1921,7 +1925,7 @@ mac_lomac_check_proc_sched(struct ucred *cred, struct proc *p)
}
static int
-mac_lomac_check_proc_signal(struct ucred *cred, struct proc *p, int signum)
+mac_lomac_proc_check_signal(struct ucred *cred, struct proc *p, int signum)
{
struct mac_lomac *subj, *obj;
@@ -1941,7 +1945,7 @@ mac_lomac_check_proc_signal(struct ucred *cred, struct proc *p, int signum)
}
static int
-mac_lomac_check_socket_deliver(struct socket *so, struct label *solabel,
+mac_lomac_socket_check_deliver(struct socket *so, struct label *solabel,
struct mbuf *m, struct label *mlabel)
{
struct mac_lomac *p, *s;
@@ -1956,7 +1960,7 @@ mac_lomac_check_socket_deliver(struct socket *so, struct label *solabel,
}
static int
-mac_lomac_check_socket_relabel(struct ucred *cred, struct socket *so,
+mac_lomac_socket_check_relabel(struct ucred *cred, struct socket *so,
struct label *solabel, struct label *newlabel)
{
struct mac_lomac *subj, *obj, *new;
@@ -2007,7 +2011,7 @@ mac_lomac_check_socket_relabel(struct ucred *cred, struct socket *so,
}
static int
-mac_lomac_check_socket_visible(struct ucred *cred, struct socket *so,
+mac_lomac_socket_check_visible(struct ucred *cred, struct socket *so,
struct label *solabel)
{
struct mac_lomac *subj, *obj;
@@ -2215,7 +2219,7 @@ mac_lomac_priv_check(struct ucred *cred, int priv)
static int
-mac_lomac_check_system_acct(struct ucred *cred, struct vnode *vp,
+mac_lomac_system_check_acct(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
struct mac_lomac *subj, *obj;
@@ -2236,7 +2240,7 @@ mac_lomac_check_system_acct(struct ucred *cred, struct vnode *vp,
}
static int
-mac_lomac_check_system_auditctl(struct ucred *cred, struct vnode *vp,
+mac_lomac_system_check_auditctl(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
struct mac_lomac *subj, *obj;
@@ -2257,7 +2261,7 @@ mac_lomac_check_system_auditctl(struct ucred *cred, struct vnode *vp,
}
static int
-mac_lomac_check_system_swapoff(struct ucred *cred, struct vnode *vp,
+mac_lomac_system_check_swapoff(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
struct mac_lomac *subj;
@@ -2274,7 +2278,7 @@ mac_lomac_check_system_swapoff(struct ucred *cred, struct vnode *vp,
}
static int
-mac_lomac_check_system_swapon(struct ucred *cred, struct vnode *vp,
+mac_lomac_system_check_swapon(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
struct mac_lomac *subj, *obj;
@@ -2295,7 +2299,7 @@ mac_lomac_check_system_swapon(struct ucred *cred, struct vnode *vp,
}
static int
-mac_lomac_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
+mac_lomac_system_check_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
void *arg1, int arg2, struct sysctl_req *req)
{
struct mac_lomac *subj;
@@ -2323,7 +2327,7 @@ mac_lomac_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
}
static int
-mac_lomac_check_vnode_create(struct ucred *cred, struct vnode *dvp,
+mac_lomac_vnode_check_create(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct componentname *cnp, struct vattr *vap)
{
struct mac_lomac *subj, *obj;
@@ -2344,7 +2348,7 @@ mac_lomac_check_vnode_create(struct ucred *cred, struct vnode *dvp,
}
static int
-mac_lomac_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
+mac_lomac_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp,
struct label *vplabel, acl_type_t type)
{
struct mac_lomac *subj, *obj;
@@ -2362,7 +2366,7 @@ mac_lomac_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
}
static int
-mac_lomac_check_vnode_link(struct ucred *cred, struct vnode *dvp,
+mac_lomac_vnode_check_link(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct vnode *vp, struct label *vplabel,
struct componentname *cnp)
{
@@ -2386,7 +2390,7 @@ mac_lomac_check_vnode_link(struct ucred *cred, struct vnode *dvp,
}
static int
-mac_lomac_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
+mac_lomac_vnode_check_mmap(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int prot, int flags)
{
struct mac_lomac *subj, *obj;
@@ -2414,7 +2418,7 @@ mac_lomac_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
}
static void
-mac_lomac_check_vnode_mmap_downgrade(struct ucred *cred, struct vnode *vp,
+mac_lomac_vnode_check_mmap_downgrade(struct ucred *cred, struct vnode *vp,
struct label *vplabel, /* XXX vm_prot_t */ int *prot)
{
struct mac_lomac *subj, *obj;
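Review bot: The new name `mac_lomac_vnode_check_mmap_downgrade` carries the `_check_` infix that the commit message reserves for `mac_<object>_check_<method/action>` entry points, yet the function is declared `static void` and takes `int *prot`, so it cannot return a verdict and presumably adjusts the protection bits in place. Someone auditing the access-control hooks by name would expect an errno-returning function here. A short header comment would settle it, for example `/* Not an access check: returns nothing and may modify *prot. */`. The body lies outside this hunk, so the exact effect on `*prot` should be confirmed there before the comment is worded.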
@@ -2434,7 +2438,7 @@ mac_lomac_check_vnode_mmap_downgrade(struct ucred *cred, struct vnode *vp,
}
static int
-mac_lomac_check_vnode_open(struct ucred *cred, struct vnode *vp,
+mac_lomac_vnode_check_open(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int acc_mode)
{
struct mac_lomac *subj, *obj;
@@ -2455,7 +2459,7 @@ mac_lomac_check_vnode_open(struct ucred *cred, struct vnode *vp,
}
static int
-mac_lomac_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
+mac_lomac_vnode_check_read(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp, struct label *vplabel)
{
struct mac_lomac *subj, *obj;
@@ -2473,7 +2477,7 @@ mac_lomac_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
}
static int
-mac_lomac_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
+mac_lomac_vnode_check_relabel(struct ucred *cred, struct vnode *vp,
struct label *vplabel, struct label *newlabel)
{
struct mac_lomac *old, *new, *subj;
@@ -2549,7 +2553,7 @@ mac_lomac_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
}
static int
-mac_lomac_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
+mac_lomac_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct vnode *vp, struct label *vplabel,
struct componentname *cnp)
{
@@ -2573,7 +2577,7 @@ mac_lomac_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
}
static int
-mac_lomac_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
+mac_lomac_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct vnode *vp, struct label *vplabel,
int samedir, struct componentname *cnp)
{
@@ -2599,7 +2603,7 @@ mac_lomac_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
}
static int
-mac_lomac_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
+mac_lomac_vnode_check_revoke(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
struct mac_lomac *subj, *obj;
@@ -2617,7 +2621,7 @@ mac_lomac_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
}
static int
-mac_lomac_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
+mac_lomac_vnode_check_setacl(struct ucred *cred, struct vnode *vp,
struct label *vplabel, acl_type_t type, struct acl *acl)
{
struct mac_lomac *subj, *obj;
@@ -2635,7 +2639,7 @@ mac_lomac_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
}
static int
-mac_lomac_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
+mac_lomac_vnode_check_setextattr(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int attrnamespace, const char *name,
struct uio *uio)
{
@@ -2656,7 +2660,7 @@ mac_lomac_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
}
static int
-mac_lomac_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
+mac_lomac_vnode_check_setflags(struct ucred *cred, struct vnode *vp,
struct label *vplabel, u_long flags)
{
struct mac_lomac *subj, *obj;
@@ -2674,7 +2678,7 @@ mac_lomac_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
}
static int
-mac_lomac_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
+mac_lomac_vnode_check_setmode(struct ucred *cred, struct vnode *vp,
struct label *vplabel, mode_t mode)
{
struct mac_lomac *subj, *obj;
@@ -2692,7 +2696,7 @@ mac_lomac_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
}
static int
-mac_lomac_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
+mac_lomac_vnode_check_setowner(struct ucred *cred, struct vnode *vp,
struct label *vplabel, uid_t uid, gid_t gid)
{
struct mac_lomac *subj, *obj;
@@ -2710,7 +2714,7 @@ mac_lomac_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
}
static int
-mac_lomac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
+mac_lomac_vnode_check_setutimes(struct ucred *cred, struct vnode *vp,
struct label *vplabel, struct timespec atime, struct timespec mtime)
{
struct mac_lomac *subj, *obj;
@@ -2728,7 +2732,7 @@ mac_lomac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
}
static int
-mac_lomac_check_vnode_unlink(struct ucred *cred, struct vnode *dvp,
+mac_lomac_vnode_check_unlink(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct vnode *vp, struct label *vplabel,
struct componentname *cnp)
{
@@ -2752,7 +2756,7 @@ mac_lomac_check_vnode_unlink(struct ucred *cred, struct vnode *dvp,
}
static int
-mac_lomac_check_vnode_write(struct ucred *active_cred,
+mac_lomac_vnode_check_write(struct ucred *active_cred,
struct ucred *file_cred, struct vnode *vp, struct label *vplabel)
{
struct mac_lomac *subj, *obj;
@@ -2818,140 +2822,141 @@ mac_lomac_thread_userret(struct thread *td)
static struct mac_policy_ops mac_lomac_ops =
{
.mpo_init = mac_lomac_init,
- .mpo_init_bpfdesc_label = mac_lomac_init_label,
- .mpo_init_cred_label = mac_lomac_init_label,
- .mpo_init_devfs_label = mac_lomac_init_label,
- .mpo_init_ifnet_label = mac_lomac_init_label,
+ .mpo_bpfdesc_init_label = mac_lomac_init_label,
+ .mpo_cred_init_label = mac_lomac_init_label,
+ .mpo_devfs_init_label = mac_lomac_init_label,
+ .mpo_ifnet_init_label = mac_lomac_init_label,
.mpo_init_syncache_label = mac_lomac_init_label_waitcheck,
- .mpo_init_inpcb_label = mac_lomac_init_label_waitcheck,
- .mpo_init_ipq_label = mac_lomac_init_label_waitcheck,
- .mpo_init_mbuf_label = mac_lomac_init_label_waitcheck,
- .mpo_init_mount_label = mac_lomac_init_label,
- .mpo_init_pipe_label = mac_lomac_init_label,
- .mpo_init_proc_label = mac_lomac_init_proc_label,
- .mpo_init_socket_label = mac_lomac_init_label_waitcheck,
- .mpo_init_socket_peer_label = mac_lomac_init_label_waitcheck,
- .mpo_init_vnode_label = mac_lomac_init_label,
+ .mpo_inpcb_init_label = mac_lomac_init_label_waitcheck,
+ .mpo_ipq_init_label = mac_lomac_init_label_waitcheck,
+ .mpo_mbuf_init_label = mac_lomac_init_label_waitcheck,
+ .mpo_mount_init_label = mac_lomac_init_label,
+ .mpo_pipe_init_label = mac_lomac_init_label,
+ .mpo_proc_init_label = mac_lomac_proc_init_label,
+ .mpo_socket_init_label = mac_lomac_init_label_waitcheck,
+ .mpo_socketpeer_init_label = mac_lomac_init_label_waitcheck,
+ .mpo_vnode_init_label = mac_lomac_init_label,
.mpo_init_syncache_from_inpcb = mac_lomac_init_syncache_from_inpcb,
- .mpo_destroy_bpfdesc_label = mac_lomac_destroy_label,
- .mpo_destroy_cred_label = mac_lomac_destroy_label,
- .mpo_destroy_devfs_label = mac_lomac_destroy_label,
- .mpo_destroy_ifnet_label = mac_lomac_destroy_label,
- .mpo_destroy_inpcb_label = mac_lomac_destroy_label,
- .mpo_destroy_ipq_label = mac_lomac_destroy_label,
- .mpo_destroy_mbuf_label = mac_lomac_destroy_label,
- .mpo_destroy_mount_label = mac_lomac_destroy_label,
- .mpo_destroy_pipe_label = mac_lomac_destroy_label,
- .mpo_destroy_proc_label = mac_lomac_destroy_proc_label,
+ .mpo_bpfdesc_destroy_label = mac_lomac_destroy_label,
+ .mpo_cred_destroy_label = mac_lomac_destroy_label,
+ .mpo_devfs_destroy_label = mac_lomac_destroy_label,
+ .mpo_ifnet_destroy_label = mac_lomac_destroy_label,
+ .mpo_inpcb_destroy_label = mac_lomac_destroy_label,
+ .mpo_ipq_destroy_label = mac_lomac_destroy_label,
+ .mpo_mbuf_destroy_label = mac_lomac_destroy_label,
+ .mpo_mount_destroy_label = mac_lomac_destroy_label,
+ .mpo_pipe_destroy_label = mac_lomac_destroy_label,
+ .mpo_proc_destroy_label = mac_lomac_proc_destroy_label,
.mpo_destroy_syncache_label = mac_lomac_destroy_label,
- .mpo_destroy_socket_label = mac_lomac_destroy_label,
- .mpo_destroy_socket_peer_label = mac_lomac_destroy_label,
- .mpo_destroy_vnode_label = mac_lomac_destroy_label,
- .mpo_copy_cred_label = mac_lomac_copy_label,
- .mpo_copy_ifnet_label = mac_lomac_copy_label,
- .mpo_copy_mbuf_label = mac_lomac_copy_label,
- .mpo_copy_pipe_label = mac_lomac_copy_label,
- .mpo_copy_socket_label = mac_lomac_copy_label,
- .mpo_copy_vnode_label = mac_lomac_copy_label,
- .mpo_externalize_cred_label = mac_lomac_externalize_label,
- .mpo_externalize_ifnet_label = mac_lomac_externalize_label,
- .mpo_externalize_pipe_label = mac_lomac_externalize_label,
- .mpo_externalize_socket_label = mac_lomac_externalize_label,
- .mpo_externalize_socket_peer_label = mac_lomac_externalize_label,
- .mpo_externalize_vnode_label = mac_lomac_externalize_label,
- .mpo_internalize_cred_label = mac_lomac_internalize_label,
- .mpo_internalize_ifnet_label = mac_lomac_internalize_label,
- .mpo_internalize_pipe_label = mac_lomac_internalize_label,
- .mpo_internalize_socket_label = mac_lomac_internalize_label,
- .mpo_internalize_vnode_label = mac_lomac_internalize_label,
- .mpo_create_devfs_device = mac_lomac_create_devfs_device,
- .mpo_create_devfs_directory = mac_lomac_create_devfs_directory,
- .mpo_create_devfs_symlink = mac_lomac_create_devfs_symlink,
- .mpo_create_mount = mac_lomac_create_mount,
- .mpo_relabel_vnode = mac_lomac_relabel_vnode,
- .mpo_update_devfs = mac_lomac_update_devfs,
- .mpo_associate_vnode_devfs = mac_lomac_associate_vnode_devfs,
- .mpo_associate_vnode_extattr = mac_lomac_associate_vnode_extattr,
- .mpo_associate_vnode_singlelabel =
- mac_lomac_associate_vnode_singlelabel,
- .mpo_create_vnode_extattr = mac_lomac_create_vnode_extattr,
- .mpo_setlabel_vnode_extattr = mac_lomac_setlabel_vnode_extattr,
- .mpo_create_mbuf_from_socket = mac_lomac_create_mbuf_from_socket,
+ .mpo_socket_destroy_label = mac_lomac_destroy_label,
+ .mpo_socketpeer_destroy_label = mac_lomac_destroy_label,
+ .mpo_vnode_destroy_label = mac_lomac_destroy_label,
+ .mpo_cred_copy_label = mac_lomac_copy_label,
+ .mpo_ifnet_copy_label = mac_lomac_copy_label,
+ .mpo_mbuf_copy_label = mac_lomac_copy_label,
+ .mpo_pipe_copy_label = mac_lomac_copy_label,
+ .mpo_socket_copy_label = mac_lomac_copy_label,
+ .mpo_vnode_copy_label = mac_lomac_copy_label,
+ .mpo_cred_externalize_label = mac_lomac_externalize_label,
+ .mpo_ifnet_externalize_label = mac_lomac_externalize_label,
+ .mpo_pipe_externalize_label = mac_lomac_externalize_label,
+ .mpo_socket_externalize_label = mac_lomac_externalize_label,
+ .mpo_socketpeer_externalize_label = mac_lomac_externalize_label,
+ .mpo_vnode_externalize_label = mac_lomac_externalize_label,
+ .mpo_cred_internalize_label = mac_lomac_internalize_label,
+ .mpo_ifnet_internalize_label = mac_lomac_internalize_label,
+ .mpo_pipe_internalize_label = mac_lomac_internalize_label,
+ .mpo_socket_internalize_label = mac_lomac_internalize_label,
+ .mpo_vnode_internalize_label = mac_lomac_internalize_label,
+ .mpo_devfs_create_device = mac_lomac_devfs_create_device,
+ .mpo_devfs_create_directory = mac_lomac_devfs_create_directory,
+ .mpo_devfs_create_symlink = mac_lomac_devfs_create_symlink,
+ .mpo_mount_create = mac_lomac_mount_create,
+ .mpo_vnode_relabel = mac_lomac_vnode_relabel,
+ .mpo_devfs_update = mac_lomac_devfs_update,
+ .mpo_devfs_vnode_associate = mac_lomac_devfs_vnode_associate,
+ .mpo_vnode_associate_extattr = mac_lomac_vnode_associate_extattr,
+ .mpo_vnode_associate_singlelabel =
+ mac_lomac_vnode_associate_singlelabel,
+ .mpo_vnode_create_extattr = mac_lomac_vnode_create_extattr,
+ .mpo_vnode_setlabel_extattr = mac_lomac_vnode_setlabel_extattr,
+ .mpo_socket_create_mbuf = mac_lomac_socket_create_mbuf,
.mpo_create_mbuf_from_syncache = mac_lomac_create_mbuf_from_syncache,
- .mpo_create_pipe = mac_lomac_create_pipe,
- .mpo_create_socket = mac_lomac_create_socket,
- .mpo_create_socket_from_socket = mac_lomac_create_socket_from_socket,
- .mpo_relabel_pipe = mac_lomac_relabel_pipe,
- .mpo_relabel_socket = mac_lomac_relabel_socket,
- .mpo_set_socket_peer_from_mbuf = mac_lomac_set_socket_peer_from_mbuf,
- .mpo_set_socket_peer_from_socket =
- mac_lomac_set_socket_peer_from_socket,
- .mpo_create_bpfdesc = mac_lomac_create_bpfdesc,
- .mpo_create_datagram_from_ipq = mac_lomac_create_datagram_from_ipq,
- .mpo_create_fragment = mac_lomac_create_fragment,
- .mpo_create_ifnet = mac_lomac_create_ifnet,
- .mpo_create_inpcb_from_socket = mac_lomac_create_inpcb_from_socket,
- .mpo_create_ipq = mac_lomac_create_ipq,
- .mpo_create_mbuf_from_inpcb = mac_lomac_create_mbuf_from_inpcb,
+ .mpo_pipe_create = mac_lomac_pipe_create,
+ .mpo_socket_create = mac_lomac_socket_create,
+ .mpo_socket_newconn = mac_lomac_socket_newconn,
+ .mpo_pipe_relabel = mac_lomac_pipe_relabel,
+ .mpo_socket_relabel = mac_lomac_socket_relabel,
+ .mpo_socketpeer_set_from_mbuf = mac_lomac_socketpeer_set_from_mbuf,
+ .mpo_socketpeer_set_from_socket =
+ mac_lomac_socketpeer_set_from_socket,
+ .mpo_bpfdesc_create = mac_lomac_bpfdesc_create,
+ .mpo_ipq_reassemble = mac_lomac_ipq_reassemble,
+ .mpo_netinet_fragment = mac_lomac_netinet_fragment,
+ .mpo_ifnet_create = mac_lomac_ifnet_create,
+ .mpo_inpcb_create = mac_lomac_inpcb_create,
+ .mpo_ipq_create = mac_lomac_ipq_create,
+ .mpo_inpcb_create_mbuf = mac_lomac_inpcb_create_mbuf,
.mpo_create_mbuf_linklayer = mac_lomac_create_mbuf_linklayer,
- .mpo_create_mbuf_from_bpfdesc = mac_lomac_create_mbuf_from_bpfdesc,
- .mpo_create_mbuf_from_ifnet = mac_lomac_create_mbuf_from_ifnet,
- .mpo_create_mbuf_multicast_encap =
- mac_lomac_create_mbuf_multicast_encap,
- .mpo_create_mbuf_netlayer = mac_lomac_create_mbuf_netlayer,
- .mpo_fragment_match = mac_lomac_fragment_match,
- .mpo_relabel_ifnet = mac_lomac_relabel_ifnet,
- .mpo_update_ipq = mac_lomac_update_ipq,
+ .mpo_bpfdesc_create_mbuf = mac_lomac_bpfdesc_create_mbuf,
+ .mpo_ifnet_create_mbuf = mac_lomac_ifnet_create_mbuf,
+ .mpo_mbuf_create_multicast_encap =
+ mac_lomac_mbuf_create_multicast_encap,
+ .mpo_mbuf_create_netlayer = mac_lomac_mbuf_create_netlayer,
+ .mpo_ipq_match = mac_lomac_ipq_match,
+ .mpo_ifnet_relabel = mac_lomac_ifnet_relabel,
+ .mpo_ipq_update = mac_lomac_ipq_update,
.mpo_inpcb_sosetlabel = mac_lomac_inpcb_sosetlabel,
- .mpo_execve_transition = mac_lomac_execve_transition,
- .mpo_execve_will_transition = mac_lomac_execve_will_transition,
- .mpo_create_proc0 = mac_lomac_create_proc0,
- .mpo_create_proc1 = mac_lomac_create_proc1,
- .mpo_relabel_cred = mac_lomac_relabel_cred,
- .mpo_check_bpfdesc_receive = mac_lomac_check_bpfdesc_receive,
- .mpo_check_cred_relabel = mac_lomac_check_cred_relabel,
- .mpo_check_cred_visible = mac_lomac_check_cred_visible,
- .mpo_check_ifnet_relabel = mac_lomac_check_ifnet_relabel,
- .mpo_check_ifnet_transmit = mac_lomac_check_ifnet_transmit,
- .mpo_check_inpcb_deliver = mac_lomac_check_inpcb_deliver,
- .mpo_check_kld_load = mac_lomac_check_kld_load,
- .mpo_check_pipe_ioctl = mac_lomac_check_pipe_ioctl,
- .mpo_check_pipe_read = mac_lomac_check_pipe_read,
- .mpo_check_pipe_relabel = mac_lomac_check_pipe_relabel,
- .mpo_check_pipe_write = mac_lomac_check_pipe_write,
- .mpo_check_proc_debug = mac_lomac_check_proc_debug,
- .mpo_check_proc_sched = mac_lomac_check_proc_sched,
- .mpo_check_proc_signal = mac_lomac_check_proc_signal,
- .mpo_check_socket_deliver = mac_lomac_check_socket_deliver,
- .mpo_check_socket_relabel = mac_lomac_check_socket_relabel,
- .mpo_check_socket_visible = mac_lomac_check_socket_visible,
- .mpo_check_system_acct = mac_lomac_check_system_acct,
- .mpo_check_system_auditctl = mac_lomac_check_system_auditctl,
- .mpo_check_system_swapoff = mac_lomac_check_system_swapoff,
- .mpo_check_system_swapon = mac_lomac_check_system_swapon,
- .mpo_check_system_sysctl = mac_lomac_check_system_sysctl,
- .mpo_check_vnode_access = mac_lomac_check_vnode_open,
- .mpo_check_vnode_create = mac_lomac_check_vnode_create,
- .mpo_check_vnode_deleteacl = mac_lomac_check_vnode_deleteacl,
- .mpo_check_vnode_link = mac_lomac_check_vnode_link,
- .mpo_check_vnode_mmap = mac_lomac_check_vnode_mmap,
- .mpo_check_vnode_mmap_downgrade = mac_lomac_check_vnode_mmap_downgrade,
- .mpo_check_vnode_open = mac_lomac_check_vnode_open,
- .mpo_check_vnode_read = mac_lomac_check_vnode_read,
- .mpo_check_vnode_relabel = mac_lomac_check_vnode_relabel,
- .mpo_check_vnode_rename_from = mac_lomac_check_vnode_rename_from,
- .mpo_check_vnode_rename_to = mac_lomac_check_vnode_rename_to,
- .mpo_check_vnode_revoke = mac_lomac_check_vnode_revoke,
- .mpo_check_vnode_setacl = mac_lomac_check_vnode_setacl,
- .mpo_check_vnode_setextattr = mac_lomac_check_vnode_setextattr,
- .mpo_check_vnode_setflags = mac_lomac_check_vnode_setflags,
- .mpo_check_vnode_setmode = mac_lomac_check_vnode_setmode,
- .mpo_check_vnode_setowner = mac_lomac_check_vnode_setowner,
- .mpo_check_vnode_setutimes = mac_lomac_check_vnode_setutimes,
- .mpo_check_vnode_unlink = mac_lomac_check_vnode_unlink,
- .mpo_check_vnode_write = mac_lomac_check_vnode_write,
+ .mpo_vnode_execve_transition = mac_lomac_vnode_execve_transition,
+ .mpo_vnode_execve_will_transition =
+ mac_lomac_vnode_execve_will_transition,
+ .mpo_proc_create_swapper = mac_lomac_proc_create_swapper,
+ .mpo_proc_create_init = mac_lomac_proc_create_init,
+ .mpo_cred_relabel = mac_lomac_cred_relabel,
+ .mpo_bpfdesc_check_receive = mac_lomac_bpfdesc_check_receive,
+ .mpo_cred_check_relabel = mac_lomac_cred_check_relabel,
+ .mpo_cred_check_visible = mac_lomac_cred_check_visible,
+ .mpo_ifnet_check_relabel = mac_lomac_ifnet_check_relabel,
+ .mpo_ifnet_check_transmit = mac_lomac_ifnet_check_transmit,
+ .mpo_inpcb_check_deliver = mac_lomac_inpcb_check_deliver,
+ .mpo_kld_check_load = mac_lomac_kld_check_load,
+ .mpo_pipe_check_ioctl = mac_lomac_pipe_check_ioctl,
+ .mpo_pipe_check_read = mac_lomac_pipe_check_read,
+ .mpo_pipe_check_relabel = mac_lomac_pipe_check_relabel,
+ .mpo_pipe_check_write = mac_lomac_pipe_check_write,
+ .mpo_proc_check_debug = mac_lomac_proc_check_debug,
+ .mpo_proc_check_sched = mac_lomac_proc_check_sched,
+ .mpo_proc_check_signal = mac_lomac_proc_check_signal,
+ .mpo_socket_check_deliver = mac_lomac_socket_check_deliver,
+ .mpo_socket_check_relabel = mac_lomac_socket_check_relabel,
+ .mpo_socket_check_visible = mac_lomac_socket_check_visible,
+ .mpo_system_check_acct = mac_lomac_system_check_acct,
+ .mpo_system_check_auditctl = mac_lomac_system_check_auditctl,
+ .mpo_system_check_swapoff = mac_lomac_system_check_swapoff,
+ .mpo_system_check_swapon = mac_lomac_system_check_swapon,
+ .mpo_system_check_sysctl = mac_lomac_system_check_sysctl,
+ .mpo_vnode_check_access = mac_lomac_vnode_check_open,
+ .mpo_vnode_check_create = mac_lomac_vnode_check_create,
+ .mpo_vnode_check_deleteacl = mac_lomac_vnode_check_deleteacl,
+ .mpo_vnode_check_link = mac_lomac_vnode_check_link,
+ .mpo_vnode_check_mmap = mac_lomac_vnode_check_mmap,
+ .mpo_vnode_check_mmap_downgrade = mac_lomac_vnode_check_mmap_downgrade,
+ .mpo_vnode_check_open = mac_lomac_vnode_check_open,
+ .mpo_vnode_check_read = mac_lomac_vnode_check_read,
+ .mpo_vnode_check_relabel = mac_lomac_vnode_check_relabel,
+ .mpo_vnode_check_rename_from = mac_lomac_vnode_check_rename_from,
+ .mpo_vnode_check_rename_to = mac_lomac_vnode_check_rename_to,
+ .mpo_vnode_check_revoke = mac_lomac_vnode_check_revoke,
+ .mpo_vnode_check_setacl = mac_lomac_vnode_check_setacl,
+ .mpo_vnode_check_setextattr = mac_lomac_vnode_check_setextattr,
+ .mpo_vnode_check_setflags = mac_lomac_vnode_check_setflags,
+ .mpo_vnode_check_setmode = mac_lomac_vnode_check_setmode,
+ .mpo_vnode_check_setowner = mac_lomac_vnode_check_setowner,
+ .mpo_vnode_check_setutimes = mac_lomac_vnode_check_setutimes,
+ .mpo_vnode_check_unlink = mac_lomac_vnode_check_unlink,
+ .mpo_vnode_check_write = mac_lomac_vnode_check_write,
.mpo_thread_userret = mac_lomac_thread_userret,
- .mpo_create_mbuf_from_firewall = mac_lomac_create_mbuf_from_firewall,
+ .mpo_mbuf_create_from_firewall = mac_lomac_mbuf_create_from_firewall,
.mpo_priv_check = mac_lomac_priv_check,
};
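Review bot: Five members of `mac_lomac_ops` keep the old verb-first form after this hunk, so a mechanical audit that matches on `mpo_<object>_` will skip them: `.mpo_init_syncache_label`, `.mpo_destroy_syncache_label`, `.mpo_init_syncache_from_inpcb`, `.mpo_create_mbuf_from_syncache` and `.mpo_create_mbuf_linklayer`. The commit message calls this the first in a series, so they are presumably deferred. A one-line marker above them, e.g. `/* XXX: syncache/linklayer entry points not yet renamed to mpo_<object>_<method> */`, would keep that visible to anyone checking hook coverage for the policy. Separately, `.mpo_vnode_check_access = mac_lomac_vnode_check_open` is the only check entry whose handler names a different method, and after a mass rename it reads like a slip. The pairing predates this commit and so looks intentional; a trailing `/* access checks reuse the open policy */` on that line would say so.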
diff --git a/sys/security/mac_mls/mac_mls.c b/sys/security/mac_mls/mac_mls.c
index 0a84ae1..ea62f3f 100644
--- a/sys/security/mac_mls/mac_mls.c
+++ b/sys/security/mac_mls/mac_mls.c
@@ -1,6 +1,7 @@
/*-
* Copyright (c) 1999-2002 Robert N. M. Watson
* Copyright (c) 2001-2005 McAfee, Inc.
+ * Copyright (c) 2006 SPARTA, Inc.
* All rights reserved.
*
* This software was developed by Robert Watson for the TrustedBSD Project.
@@ -10,6 +11,9 @@
* DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA
* CHATS research program.
*
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract
+ * N66001-04-C-6019 ("SEFOS").
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -745,7 +749,7 @@ mac_mls_copy_label(struct label *src, struct label *dest)
* a lot like file system objects.
*/
static void
-mac_mls_create_devfs_device(struct ucred *cred, struct mount *mp,
+mac_mls_devfs_create_device(struct ucred *cred, struct mount *mp,
struct cdev *dev, struct devfs_dirent *de, struct label *delabel)
{
struct mac_mls *mac_mls;
@@ -770,7 +774,7 @@ mac_mls_create_devfs_device(struct ucred *cred, struct mount *mp,
}
static void
-mac_mls_create_devfs_directory(struct mount *mp, char *dirname,
+mac_mls_devfs_create_directory(struct mount *mp, char *dirname,
int dirnamelen, struct devfs_dirent *de, struct label *delabel)
{
struct mac_mls *mac_mls;
@@ -780,7 +784,7 @@ mac_mls_create_devfs_directory(struct mount *mp, char *dirname,
}
static void
-mac_mls_create_devfs_symlink(struct ucred *cred, struct mount *mp,
+mac_mls_devfs_create_symlink(struct ucred *cred, struct mount *mp,
struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de,
struct label *delabel)
{
@@ -793,7 +797,7 @@ mac_mls_create_devfs_symlink(struct ucred *cred, struct mount *mp,
}
static void
-mac_mls_create_mount(struct ucred *cred, struct mount *mp,
+mac_mls_mount_create(struct ucred *cred, struct mount *mp,
struct label *mplabel)
{
struct mac_mls *source, *dest;
@@ -804,7 +808,7 @@ mac_mls_create_mount(struct ucred *cred, struct mount *mp,
}
static void
-mac_mls_relabel_vnode(struct ucred *cred, struct vnode *vp,
+mac_mls_vnode_relabel(struct ucred *cred, struct vnode *vp,
struct label *vplabel, struct label *label)
{
struct mac_mls *source, *dest;
@@ -816,7 +820,7 @@ mac_mls_relabel_vnode(struct ucred *cred, struct vnode *vp,
}
static void
-mac_mls_update_devfs(struct mount *mp, struct devfs_dirent *de,
+mac_mls_devfs_update(struct mount *mp, struct devfs_dirent *de,
struct label *delabel, struct vnode *vp, struct label *vplabel)
{
struct mac_mls *source, *dest;
@@ -828,7 +832,7 @@ mac_mls_update_devfs(struct mount *mp, struct devfs_dirent *de,
}
static void
-mac_mls_associate_vnode_devfs(struct mount *mp, struct label *mplabel,
+mac_mls_devfs_vnode_associate(struct mount *mp, struct label *mplabel,
struct devfs_dirent *de, struct label *delabel, struct vnode *vp,
struct label *vplabel)
{
@@ -841,7 +845,7 @@ mac_mls_associate_vnode_devfs(struct mount *mp, struct label *mplabel,
}
static int
-mac_mls_associate_vnode_extattr(struct mount *mp, struct label *mplabel,
+mac_mls_vnode_associate_extattr(struct mount *mp, struct label *mplabel,
struct vnode *vp, struct label *vplabel)
{
struct mac_mls temp, *source, *dest;
@@ -863,12 +867,12 @@ mac_mls_associate_vnode_extattr(struct mount *mp, struct label *mplabel,
return (error);
if (buflen != sizeof(temp)) {
- printf("mac_mls_associate_vnode_extattr: bad size %d\n",
+ printf("mac_mls_vnode_associate_extattr: bad size %d\n",
buflen);
return (EPERM);
}
if (mac_mls_valid(&temp) != 0) {
- printf("mac_mls_associate_vnode_extattr: invalid\n");
+ printf("mac_mls_vnode_associate_extattr: invalid\n");
return (EPERM);
}
if ((temp.mm_flags & MAC_MLS_FLAGS_BOTH) != MAC_MLS_FLAG_EFFECTIVE) {
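Review bot: The two `printf` messages in this hunk still hard-code the function name, which is why a pure rename had to edit runtime strings. Using `__func__` would keep the log text in step with the symbol: `printf("%s: bad size %d\n", __func__, buflen);` and `printf("%s: invalid\n", __func__);`. These messages are emitted on the paths that return EPERM for a label that fails the size or validity check, so any log matching on the old `mac_mls_associate_vnode_extattr:` prefix will need updating. The declaration of `buflen` is outside the hunk, so whether `%d` matches its type cannot be confirmed from here. The function body starts and ends outside this hunk.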
@@ -881,7 +885,7 @@ mac_mls_associate_vnode_extattr(struct mount *mp, struct label *mplabel,
}
static void
-mac_mls_associate_vnode_singlelabel(struct mount *mp,
+mac_mls_vnode_associate_singlelabel(struct mount *mp,
struct label *mplabel, struct vnode *vp, struct label *vplabel)
{
struct mac_mls *source, *dest;
@@ -893,7 +897,7 @@ mac_mls_associate_vnode_singlelabel(struct mount *mp,
}
static int
-mac_mls_create_vnode_extattr(struct ucred *cred, struct mount *mp,
+mac_mls_vnode_create_extattr(struct ucred *cred, struct mount *mp,
struct label *mplabel, struct vnode *dvp, struct label *dvplabel,
struct vnode *vp, struct label *vplabel, struct componentname *cnp)
{
@@ -916,7 +920,7 @@ mac_mls_create_vnode_extattr(struct ucred *cred, struct mount *mp,
}
static int
-mac_mls_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
+mac_mls_vnode_setlabel_extattr(struct ucred *cred, struct vnode *vp,
struct label *vplabel, struct label *intlabel)
{
struct mac_mls *source, temp;
@@ -941,7 +945,7 @@ mac_mls_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
* Labeling event operations: IPC object.
*/
static void
-mac_mls_create_inpcb_from_socket(struct socket *so, struct label *solabel,
+mac_mls_inpcb_create(struct socket *so, struct label *solabel,
struct inpcb *inp, struct label *inplabel)
{
struct mac_mls *source, *dest;
@@ -953,7 +957,7 @@ mac_mls_create_inpcb_from_socket(struct socket *so, struct label *solabel,
}
static void
-mac_mls_create_mbuf_from_socket(struct socket *so, struct label *solabel,
+mac_mls_socket_create_mbuf(struct socket *so, struct label *solabel,
struct mbuf *m, struct label *mlabel)
{
struct mac_mls *source, *dest;
@@ -965,7 +969,7 @@ mac_mls_create_mbuf_from_socket(struct socket *so, struct label *solabel,
}
static void
-mac_mls_create_socket(struct ucred *cred, struct socket *so,
+mac_mls_socket_create(struct ucred *cred, struct socket *so,
struct label *solabel)
{
struct mac_mls *source, *dest;
@@ -977,7 +981,7 @@ mac_mls_create_socket(struct ucred *cred, struct socket *so,
}
static void
-mac_mls_create_pipe(struct ucred *cred, struct pipepair *pp,
+mac_mls_pipe_create(struct ucred *cred, struct pipepair *pp,
struct label *pplabel)
{
struct mac_mls *source, *dest;
@@ -989,7 +993,7 @@ mac_mls_create_pipe(struct ucred *cred, struct pipepair *pp,
}
static void
-mac_mls_create_posix_sem(struct ucred *cred, struct ksem *ks,
+mac_mls_posixsem_create(struct ucred *cred, struct ksem *ks,
struct label *kslabel)
{
struct mac_mls *source, *dest;
@@ -1001,8 +1005,8 @@ mac_mls_create_posix_sem(struct ucred *cred, struct ksem *ks,
}
static void
-mac_mls_create_socket_from_socket(struct socket *oldso,
- struct label *oldsolabel, struct socket *newso, struct label *newsolabel)
+mac_mls_socket_newconn(struct socket *oldso, struct label *oldsolabel,
+ struct socket *newso, struct label *newsolabel)
{
struct mac_mls *source, *dest;
@@ -1013,7 +1017,7 @@ mac_mls_create_socket_from_socket(struct socket *oldso,
}
static void
-mac_mls_relabel_socket(struct ucred *cred, struct socket *so,
+mac_mls_socket_relabel(struct ucred *cred, struct socket *so,
struct label *solabel, struct label *newlabel)
{
struct mac_mls *source, *dest;
@@ -1025,7 +1029,7 @@ mac_mls_relabel_socket(struct ucred *cred, struct socket *so,
}
static void
-mac_mls_relabel_pipe(struct ucred *cred, struct pipepair *pp,
+mac_mls_pipe_relabel(struct ucred *cred, struct pipepair *pp,
struct label *pplabel, struct label *newlabel)
{
struct mac_mls *source, *dest;
@@ -1037,7 +1041,7 @@ mac_mls_relabel_pipe(struct ucred *cred, struct pipepair *pp,
}
static void
-mac_mls_set_socket_peer_from_mbuf(struct mbuf *m, struct label *mlabel,
+mac_mls_socketpeer_set_from_mbuf(struct mbuf *m, struct label *mlabel,
struct socket *so, struct label *sopeerlabel)
{
struct mac_mls *source, *dest;
@@ -1052,7 +1056,7 @@ mac_mls_set_socket_peer_from_mbuf(struct mbuf *m, struct label *mlabel,
* Labeling event operations: System V IPC objects.
*/
static void
-mac_mls_create_sysv_msgmsg(struct ucred *cred, struct msqid_kernel *msqkptr,
+mac_mls_sysvmsg_create(struct ucred *cred, struct msqid_kernel *msqkptr,
struct label *msqlabel, struct msg *msgptr, struct label *msglabel)
{
struct mac_mls *source, *dest;
@@ -1065,7 +1069,7 @@ mac_mls_create_sysv_msgmsg(struct ucred *cred, struct msqid_kernel *msqkptr,
}
static void
-mac_mls_create_sysv_msgqueue(struct ucred *cred, struct msqid_kernel *msqkptr,
+mac_mls_sysvmsq_create(struct ucred *cred, struct msqid_kernel *msqkptr,
struct label *msqlabel)
{
struct mac_mls *source, *dest;
@@ -1077,7 +1081,7 @@ mac_mls_create_sysv_msgqueue(struct ucred *cred, struct msqid_kernel *msqkptr,
}
static void
-mac_mls_create_sysv_sem(struct ucred *cred, struct semid_kernel *semakptr,
+mac_mls_sysvsem_create(struct ucred *cred, struct semid_kernel *semakptr,
struct label *semalabel)
{
struct mac_mls *source, *dest;
@@ -1089,7 +1093,7 @@ mac_mls_create_sysv_sem(struct ucred *cred, struct semid_kernel *semakptr,
}
static void
-mac_mls_create_sysv_shm(struct ucred *cred, struct shmid_kernel *shmsegptr,
+mac_mls_sysvshm_create(struct ucred *cred, struct shmid_kernel *shmsegptr,
struct label *shmlabel)
{
struct mac_mls *source, *dest;
@@ -1104,7 +1108,7 @@ mac_mls_create_sysv_shm(struct ucred *cred, struct shmid_kernel *shmsegptr,
* Labeling event operations: network objects.
*/
static void
-mac_mls_set_socket_peer_from_socket(struct socket *oldso,
+mac_mls_socketpeer_set_from_socket(struct socket *oldso,
struct label *oldsolabel, struct socket *newso,
struct label *newsopeerlabel)
{
@@ -1117,7 +1121,7 @@ mac_mls_set_socket_peer_from_socket(struct socket *oldso,
}
static void
-mac_mls_create_bpfdesc(struct ucred *cred, struct bpf_d *d,
+mac_mls_bpfdesc_create(struct ucred *cred, struct bpf_d *d,
struct label *dlabel)
{
struct mac_mls *source, *dest;
@@ -1129,7 +1133,7 @@ mac_mls_create_bpfdesc(struct ucred *cred, struct bpf_d *d,
}
static void
-mac_mls_create_ifnet(struct ifnet *ifp, struct label *ifplabel)
+mac_mls_ifnet_create(struct ifnet *ifp, struct label *ifplabel)
{
struct mac_mls *dest;
int type;
@@ -1146,7 +1150,7 @@ mac_mls_create_ifnet(struct ifnet *ifp, struct label *ifplabel)
}
static void
-mac_mls_create_ipq(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
+mac_mls_ipq_create(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
struct label *ipqlabel)
{
struct mac_mls *source, *dest;
@@ -1158,7 +1162,7 @@ mac_mls_create_ipq(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
}
static void
-mac_mls_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel,
+mac_mls_ipq_reassemble(struct ipq *ipq, struct label *ipqlabel,
struct mbuf *m, struct label *mlabel)
{
struct mac_mls *source, *dest;
@@ -1171,7 +1175,7 @@ mac_mls_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel,
}
static void
-mac_mls_create_fragment(struct mbuf *m, struct label *mlabel,
+mac_mls_netinet_fragment(struct mbuf *m, struct label *mlabel,
struct mbuf *frag, struct label *fraglabel)
{
struct mac_mls *source, *dest;
@@ -1183,7 +1187,7 @@ mac_mls_create_fragment(struct mbuf *m, struct label *mlabel,
}
static void
-mac_mls_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel,
+mac_mls_inpcb_create_mbuf(struct inpcb *inp, struct label *inplabel,
struct mbuf *m, struct label *mlabel)
{
struct mac_mls *source, *dest;
@@ -1206,7 +1210,7 @@ mac_mls_create_mbuf_linklayer(struct ifnet *ifp, struct label *ifplabel,
}
static void
-mac_mls_create_mbuf_from_bpfdesc(struct bpf_d *d, struct label *dlabel,
+mac_mls_bpfdesc_create_mbuf(struct bpf_d *d, struct label *dlabel,
struct mbuf *m, struct label *mlabel)
{
struct mac_mls *source, *dest;
@@ -1218,7 +1222,7 @@ mac_mls_create_mbuf_from_bpfdesc(struct bpf_d *d, struct label *dlabel,
}
static void
-mac_mls_create_mbuf_from_ifnet(struct ifnet *ifp, struct label *ifplabel,
+mac_mls_ifnet_create_mbuf(struct ifnet *ifp, struct label *ifplabel,
struct mbuf *m, struct label *mlabel)
{
struct mac_mls *source, *dest;
@@ -1230,7 +1234,7 @@ mac_mls_create_mbuf_from_ifnet(struct ifnet *ifp, struct label *ifplabel,
}
static void
-mac_mls_create_mbuf_multicast_encap(struct mbuf *m, struct label *mlabel,
+mac_mls_mbuf_create_multicast_encap(struct mbuf *m, struct label *mlabel,
struct ifnet *ifp, struct label *ifplabel, struct mbuf *mnew,
struct label *mnewlabel)
{
@@ -1243,7 +1247,7 @@ mac_mls_create_mbuf_multicast_encap(struct mbuf *m, struct label *mlabel,
}
static void
-mac_mls_create_mbuf_netlayer(struct mbuf *m, struct label *mlabel,
+mac_mls_mbuf_create_netlayer(struct mbuf *m, struct label *mlabel,
struct mbuf *mnew, struct label *mnewlabel)
{
struct mac_mls *source, *dest;
@@ -1255,7 +1259,7 @@ mac_mls_create_mbuf_netlayer(struct mbuf *m, struct label *mlabel,
}
static int
-mac_mls_fragment_match(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
+mac_mls_ipq_match(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
struct label *ipqlabel)
{
struct mac_mls *a, *b;
@@ -1267,7 +1271,7 @@ mac_mls_fragment_match(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
}
static void
-mac_mls_relabel_ifnet(struct ucred *cred, struct ifnet *ifp,
+mac_mls_ifnet_relabel(struct ucred *cred, struct ifnet *ifp,
struct label *ifplabel, struct label *newlabel)
{
struct mac_mls *source, *dest;
@@ -1279,7 +1283,7 @@ mac_mls_relabel_ifnet(struct ucred *cred, struct ifnet *ifp,
}
static void
-mac_mls_update_ipq(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
+mac_mls_ipq_update(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
struct label *ipqlabel)
{
@@ -1299,7 +1303,7 @@ mac_mls_inpcb_sosetlabel(struct socket *so, struct label *solabel,
}
static void
-mac_mls_create_mbuf_from_firewall(struct mbuf *m, struct label *mlabel)
+mac_mls_mbuf_create_from_firewall(struct mbuf *m, struct label *mlabel)
{
struct mac_mls *dest;
@@ -1334,7 +1338,7 @@ mac_mls_create_mbuf_from_syncache(struct label *sc_label, struct mbuf *m,
* Labeling event operations: processes.
*/
static void
-mac_mls_create_proc0(struct ucred *cred)
+mac_mls_proc_create_swapper(struct ucred *cred)
{
struct mac_mls *dest;
@@ -1346,7 +1350,7 @@ mac_mls_create_proc0(struct ucred *cred)
}
static void
-mac_mls_create_proc1(struct ucred *cred)
+mac_mls_proc_create_init(struct ucred *cred)
{
struct mac_mls *dest;
@@ -1358,7 +1362,7 @@ mac_mls_create_proc1(struct ucred *cred)
}
static void
-mac_mls_relabel_cred(struct ucred *cred, struct label *newlabel)
+mac_mls_cred_relabel(struct ucred *cred, struct label *newlabel)
{
struct mac_mls *source, *dest;
@@ -1372,28 +1376,28 @@ mac_mls_relabel_cred(struct ucred *cred, struct label *newlabel)
* Label cleanup/flush operations.
*/
static void
-mac_mls_cleanup_sysv_msgmsg(struct label *msglabel)
+mac_mls_sysvmsg_cleanup(struct label *msglabel)
{
bzero(SLOT(msglabel), sizeof(struct mac_mls));
}
static void
-mac_mls_cleanup_sysv_msgqueue(struct label *msqlabel)
+mac_mls_sysvmsq_cleanup(struct label *msqlabel)
{
bzero(SLOT(msqlabel), sizeof(struct mac_mls));
}
static void
-mac_mls_cleanup_sysv_sem(struct label *semalabel)
+mac_mls_sysvsem_cleanup(struct label *semalabel)
{
bzero(SLOT(semalabel), sizeof(struct mac_mls));
}
static void
-mac_mls_cleanup_sysv_shm(struct label *shmlabel)
+mac_mls_sysvshm_cleanup(struct label *shmlabel)
{
bzero(SLOT(shmlabel), sizeof(struct mac_mls));
@@ -1403,7 +1407,7 @@ mac_mls_cleanup_sysv_shm(struct label *shmlabel)
* Access control checks.
*/
static int
-mac_mls_check_bpfdesc_receive(struct bpf_d *d, struct label *dlabel,
+mac_mls_bpfdesc_check_receive(struct bpf_d *d, struct label *dlabel,
struct ifnet *ifp, struct label *ifplabel)
{
struct mac_mls *a, *b;
@@ -1420,7 +1424,7 @@ mac_mls_check_bpfdesc_receive(struct bpf_d *d, struct label *dlabel,
}
static int
-mac_mls_check_cred_relabel(struct ucred *cred, struct label *newlabel)
+mac_mls_cred_check_relabel(struct ucred *cred, struct label *newlabel)
{
struct mac_mls *subj, *new;
int error;
@@ -1482,7 +1486,7 @@ mac_mls_check_cred_relabel(struct ucred *cred, struct label *newlabel)
}
static int
-mac_mls_check_cred_visible(struct ucred *cr1, struct ucred *cr2)
+mac_mls_cred_check_visible(struct ucred *cr1, struct ucred *cr2)
{
struct mac_mls *subj, *obj;
@@ -1500,7 +1504,7 @@ mac_mls_check_cred_visible(struct ucred *cr1, struct ucred *cr2)
}
static int
-mac_mls_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifp,
+mac_mls_ifnet_check_relabel(struct ucred *cred, struct ifnet *ifp,
struct label *ifplabel, struct label *newlabel)
{
struct mac_mls *subj, *new;
@@ -1526,7 +1530,7 @@ mac_mls_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifp,
}
static int
-mac_mls_check_ifnet_transmit(struct ifnet *ifp, struct label *ifplabel,
+mac_mls_ifnet_check_transmit(struct ifnet *ifp, struct label *ifplabel,
struct mbuf *m, struct label *mlabel)
{
struct mac_mls *p, *i;
@@ -1541,7 +1545,7 @@ mac_mls_check_ifnet_transmit(struct ifnet *ifp, struct label *ifplabel,
}
static int
-mac_mls_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel,
+mac_mls_inpcb_check_deliver(struct inpcb *inp, struct label *inplabel,
struct mbuf *m, struct label *mlabel)
{
struct mac_mls *p, *i;
@@ -1556,7 +1560,7 @@ mac_mls_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel,
}
static int
-mac_mls_check_sysv_msgrcv(struct ucred *cred, struct msg *msgptr,
+mac_mls_sysvmsq_check_msgrcv(struct ucred *cred, struct msg *msgptr,
struct label *msglabel)
{
struct mac_mls *subj, *obj;
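Review bot: The renamed `mac_mls_sysvmsq_check_msgrcv` is filed under the `sysvmsq` object type, but its parameters are `struct msg *msgptr` and `msglabel`, so the label it is handed is the message's rather than the queue's. A one-line comment above the function would keep policy authors from assuming the queue label, e.g. `/* Receives the message's label (msglabel), not the queue's. */`. The same applies to `mac_mls_sysvmsq_check_msgrmid` in the next hunk, and the one-letter difference between `sysvmsg` and `sysvmsq` makes the two easy to misread. The function body continues outside this hunk.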
@@ -1574,7 +1578,7 @@ mac_mls_check_sysv_msgrcv(struct ucred *cred, struct msg *msgptr,
}
static int
-mac_mls_check_sysv_msgrmid(struct ucred *cred, struct msg *msgptr,
+mac_mls_sysvmsq_check_msgrmid(struct ucred *cred, struct msg *msgptr,
struct label *msglabel)
{
struct mac_mls *subj, *obj;
@@ -1592,8 +1596,8 @@ mac_mls_check_sysv_msgrmid(struct ucred *cred, struct msg *msgptr,
}
static int
-mac_mls_check_sysv_msqget(struct ucred *cred, struct msqid_kernel *msqkptr,
- struct label *msqklabel)
+mac_mls_sysvmsq_check_msqget(struct ucred *cred,
+ struct msqid_kernel *msqkptr, struct label *msqklabel)
{
struct mac_mls *subj, *obj;
@@ -1610,8 +1614,8 @@ mac_mls_check_sysv_msqget(struct ucred *cred, struct msqid_kernel *msqkptr,
}
static int
-mac_mls_check_sysv_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr,
- struct label *msqklabel)
+mac_mls_sysvmsq_check_msqsnd(struct ucred *cred,
+ struct msqid_kernel *msqkptr, struct label *msqklabel)
{
struct mac_mls *subj, *obj;
@@ -1628,8 +1632,8 @@ mac_mls_check_sysv_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr,
}
static int
-mac_mls_check_sysv_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr,
- struct label *msqklabel)
+mac_mls_sysvmsq_check_msqrcv(struct ucred *cred,
+ struct msqid_kernel *msqkptr, struct label *msqklabel)
{
struct mac_mls *subj, *obj;
@@ -1646,8 +1650,8 @@ mac_mls_check_sysv_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr,
}
static int
-mac_mls_check_sysv_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr,
- struct label *msqklabel, int cmd)
+mac_mls_sysvmsq_check_msqctl(struct ucred *cred,
+ struct msqid_kernel *msqkptr, struct label *msqklabel, int cmd)
{
struct mac_mls *subj, *obj;
@@ -1677,8 +1681,8 @@ mac_mls_check_sysv_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr,
}
static int
-mac_mls_check_sysv_semctl(struct ucred *cred, struct semid_kernel *semakptr,
- struct label *semaklabel, int cmd)
+mac_mls_sysvsem_check_semctl(struct ucred *cred,
+ struct semid_kernel *semakptr, struct label *semaklabel, int cmd)
{
struct mac_mls *subj, *obj;
@@ -1715,8 +1719,8 @@ mac_mls_check_sysv_semctl(struct ucred *cred, struct semid_kernel *semakptr,
}
static int
-mac_mls_check_sysv_semget(struct ucred *cred, struct semid_kernel *semakptr,
- struct label *semaklabel)
+mac_mls_sysvsem_check_semget(struct ucred *cred,
+ struct semid_kernel *semakptr, struct label *semaklabel)
{
struct mac_mls *subj, *obj;
@@ -1733,8 +1737,9 @@ mac_mls_check_sysv_semget(struct ucred *cred, struct semid_kernel *semakptr,
}
static int
-mac_mls_check_sysv_semop(struct ucred *cred, struct semid_kernel *semakptr,
- struct label *semaklabel, size_t accesstype)
+mac_mls_sysvsem_check_semop(struct ucred *cred,
+ struct semid_kernel *semakptr, struct label *semaklabel,
+ size_t accesstype)
{
struct mac_mls *subj, *obj;
@@ -1756,8 +1761,8 @@ mac_mls_check_sysv_semop(struct ucred *cred, struct semid_kernel *semakptr,
}
static int
-mac_mls_check_sysv_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr,
- struct label *shmseglabel, int shmflg)
+mac_mls_sysvshm_check_shmat(struct ucred *cred,
+ struct shmid_kernel *shmsegptr, struct label *shmseglabel, int shmflg)
{
struct mac_mls *subj, *obj;
@@ -1777,8 +1782,8 @@ mac_mls_check_sysv_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr,
}
static int
-mac_mls_check_sysv_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr,
- struct label *shmseglabel, int cmd)
+mac_mls_sysvshm_check_shmctl(struct ucred *cred,
+ struct shmid_kernel *shmsegptr, struct label *shmseglabel, int cmd)
{
struct mac_mls *subj, *obj;
@@ -1809,8 +1814,8 @@ mac_mls_check_sysv_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr,
}
static int
-mac_mls_check_sysv_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr,
- struct label *shmseglabel, int shmflg)
+mac_mls_sysvshm_check_shmget(struct ucred *cred,
+ struct shmid_kernel *shmsegptr, struct label *shmseglabel, int shmflg)
{
struct mac_mls *subj, *obj;
@@ -1827,7 +1832,7 @@ mac_mls_check_sysv_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr,
}
static int
-mac_mls_check_mount_stat(struct ucred *cred, struct mount *mp,
+mac_mls_mount_check_stat(struct ucred *cred, struct mount *mp,
struct label *mntlabel)
{
struct mac_mls *subj, *obj;
@@ -1845,7 +1850,7 @@ mac_mls_check_mount_stat(struct ucred *cred, struct mount *mp,
}
static int
-mac_mls_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp,
+mac_mls_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp,
struct label *pplabel, unsigned long cmd, void /* caddr_t */ *data)
{
@@ -1858,7 +1863,7 @@ mac_mls_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp,
}
static int
-mac_mls_check_pipe_poll(struct ucred *cred, struct pipepair *pp,
+mac_mls_pipe_check_poll(struct ucred *cred, struct pipepair *pp,
struct label *pplabel)
{
struct mac_mls *subj, *obj;
@@ -1876,7 +1881,7 @@ mac_mls_check_pipe_poll(struct ucred *cred, struct pipepair *pp,
}
static int
-mac_mls_check_pipe_read(struct ucred *cred, struct pipepair *pp,
+mac_mls_pipe_check_read(struct ucred *cred, struct pipepair *pp,
struct label *pplabel)
{
struct mac_mls *subj, *obj;
@@ -1894,7 +1899,7 @@ mac_mls_check_pipe_read(struct ucred *cred, struct pipepair *pp,
}
static int
-mac_mls_check_pipe_relabel(struct ucred *cred, struct pipepair *pp,
+mac_mls_pipe_check_relabel(struct ucred *cred, struct pipepair *pp,
struct label *pplabel, struct label *newlabel)
{
struct mac_mls *subj, *obj, *new;
@@ -1945,7 +1950,7 @@ mac_mls_check_pipe_relabel(struct ucred *cred, struct pipepair *pp,
}
static int
-mac_mls_check_pipe_stat(struct ucred *cred, struct pipepair *pp,
+mac_mls_pipe_check_stat(struct ucred *cred, struct pipepair *pp,
struct label *pplabel)
{
struct mac_mls *subj, *obj;
@@ -1963,7 +1968,7 @@ mac_mls_check_pipe_stat(struct ucred *cred, struct pipepair *pp,
}
static int
-mac_mls_check_pipe_write(struct ucred *cred, struct pipepair *pp,
+mac_mls_pipe_check_write(struct ucred *cred, struct pipepair *pp,
struct label *pplabel)
{
struct mac_mls *subj, *obj;
@@ -1981,7 +1986,7 @@ mac_mls_check_pipe_write(struct ucred *cred, struct pipepair *pp,
}
static int
-mac_mls_check_posix_sem_write(struct ucred *cred, struct ksem *ks,
+mac_mls_posixsem_check_write(struct ucred *cred, struct ksem *ks,
struct label *kslabel)
{
struct mac_mls *subj, *obj;
@@ -1999,7 +2004,7 @@ mac_mls_check_posix_sem_write(struct ucred *cred, struct ksem *ks,
}
static int
-mac_mls_check_posix_sem_rdonly(struct ucred *cred, struct ksem *ks,
+mac_mls_posixsem_check_rdonly(struct ucred *cred, struct ksem *ks,
struct label *kslabel)
{
struct mac_mls *subj, *obj;
@@ -2017,7 +2022,7 @@ mac_mls_check_posix_sem_rdonly(struct ucred *cred, struct ksem *ks,
}
static int
-mac_mls_check_proc_debug(struct ucred *cred, struct proc *p)
+mac_mls_proc_check_debug(struct ucred *cred, struct proc *p)
{
struct mac_mls *subj, *obj;
@@ -2037,7 +2042,7 @@ mac_mls_check_proc_debug(struct ucred *cred, struct proc *p)
}
static int
-mac_mls_check_proc_sched(struct ucred *cred, struct proc *p)
+mac_mls_proc_check_sched(struct ucred *cred, struct proc *p)
{
struct mac_mls *subj, *obj;
@@ -2057,7 +2062,7 @@ mac_mls_check_proc_sched(struct ucred *cred, struct proc *p)
}
static int
-mac_mls_check_proc_signal(struct ucred *cred, struct proc *p, int signum)
+mac_mls_proc_check_signal(struct ucred *cred, struct proc *p, int signum)
{
struct mac_mls *subj, *obj;
@@ -2077,7 +2082,7 @@ mac_mls_check_proc_signal(struct ucred *cred, struct proc *p, int signum)
}
static int
-mac_mls_check_socket_deliver(struct socket *so, struct label *solabel,
+mac_mls_socket_check_deliver(struct socket *so, struct label *solabel,
struct mbuf *m, struct label *mlabel)
{
struct mac_mls *p, *s;
@@ -2092,7 +2097,7 @@ mac_mls_check_socket_deliver(struct socket *so, struct label *solabel,
}
static int
-mac_mls_check_socket_relabel(struct ucred *cred, struct socket *so,
+mac_mls_socket_check_relabel(struct ucred *cred, struct socket *so,
struct label *solabel, struct label *newlabel)
{
struct mac_mls *subj, *obj, *new;
@@ -2143,7 +2148,7 @@ mac_mls_check_socket_relabel(struct ucred *cred, struct socket *so,
}
static int
-mac_mls_check_socket_visible(struct ucred *cred, struct socket *so,
+mac_mls_socket_check_visible(struct ucred *cred, struct socket *so,
struct label *solabel)
{
struct mac_mls *subj, *obj;
@@ -2161,7 +2166,7 @@ mac_mls_check_socket_visible(struct ucred *cred, struct socket *so,
}
static int
-mac_mls_check_system_acct(struct ucred *cred, struct vnode *vp,
+mac_mls_system_check_acct(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
struct mac_mls *subj, *obj;
@@ -2180,7 +2185,7 @@ mac_mls_check_system_acct(struct ucred *cred, struct vnode *vp,
}
static int
-mac_mls_check_system_auditctl(struct ucred *cred, struct vnode *vp,
+mac_mls_system_check_auditctl(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
struct mac_mls *subj, *obj;
@@ -2199,7 +2204,7 @@ mac_mls_check_system_auditctl(struct ucred *cred, struct vnode *vp,
}
static int
-mac_mls_check_system_swapon(struct ucred *cred, struct vnode *vp,
+mac_mls_system_check_swapon(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
struct mac_mls *subj, *obj;
@@ -2218,7 +2223,7 @@ mac_mls_check_system_swapon(struct ucred *cred, struct vnode *vp,
}
static int
-mac_mls_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
+mac_mls_vnode_check_chdir(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel)
{
struct mac_mls *subj, *obj;
@@ -2236,7 +2241,7 @@ mac_mls_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
}
static int
-mac_mls_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
+mac_mls_vnode_check_chroot(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel)
{
struct mac_mls *subj, *obj;
@@ -2254,7 +2259,7 @@ mac_mls_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
}
static int
-mac_mls_check_vnode_create(struct ucred *cred, struct vnode *dvp,
+mac_mls_vnode_check_create(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct componentname *cnp, struct vattr *vap)
{
struct mac_mls *subj, *obj;
@@ -2272,7 +2277,7 @@ mac_mls_check_vnode_create(struct ucred *cred, struct vnode *dvp,
}
static int
-mac_mls_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
+mac_mls_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp,
struct label *vplabel, acl_type_t type)
{
struct mac_mls *subj, *obj;
@@ -2290,7 +2295,7 @@ mac_mls_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
}
static int
-mac_mls_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
+mac_mls_vnode_check_deleteextattr(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int attrnamespace, const char *name)
{
struct mac_mls *subj, *obj;
@@ -2308,7 +2313,7 @@ mac_mls_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
}
static int
-mac_mls_check_vnode_exec(struct ucred *cred, struct vnode *vp,
+mac_mls_vnode_check_exec(struct ucred *cred, struct vnode *vp,
struct label *vplabel, struct image_params *imgp,
struct label *execlabel)
{
@@ -2340,7 +2345,7 @@ mac_mls_check_vnode_exec(struct ucred *cred, struct vnode *vp,
}
static int
-mac_mls_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
+mac_mls_vnode_check_getacl(struct ucred *cred, struct vnode *vp,
struct label *vplabel, acl_type_t type)
{
struct mac_mls *subj, *obj;
@@ -2358,7 +2363,7 @@ mac_mls_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
}
static int
-mac_mls_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
+mac_mls_vnode_check_getextattr(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int attrnamespace, const char *name,
struct uio *uio)
{
@@ -2377,7 +2382,7 @@ mac_mls_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
}
static int
-mac_mls_check_vnode_link(struct ucred *cred, struct vnode *dvp,
+mac_mls_vnode_check_link(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct vnode *vp, struct label *vplabel,
struct componentname *cnp)
{
@@ -2400,7 +2405,7 @@ mac_mls_check_vnode_link(struct ucred *cred, struct vnode *dvp,
}
static int
-mac_mls_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
+mac_mls_vnode_check_listextattr(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int attrnamespace)
{
@@ -2419,7 +2424,7 @@ mac_mls_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
}
static int
-mac_mls_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
+mac_mls_vnode_check_lookup(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct componentname *cnp)
{
struct mac_mls *subj, *obj;
@@ -2437,7 +2442,7 @@ mac_mls_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
}
static int
-mac_mls_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
+mac_mls_vnode_check_mmap(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int prot, int flags)
{
struct mac_mls *subj, *obj;
@@ -2465,7 +2470,7 @@ mac_mls_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
}
static int
-mac_mls_check_vnode_open(struct ucred *cred, struct vnode *vp,
+mac_mls_vnode_check_open(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int acc_mode)
{
struct mac_mls *subj, *obj;
@@ -2490,7 +2495,7 @@ mac_mls_check_vnode_open(struct ucred *cred, struct vnode *vp,
}
static int
-mac_mls_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
+mac_mls_vnode_check_poll(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp, struct label *vplabel)
{
struct mac_mls *subj, *obj;
@@ -2508,7 +2513,7 @@ mac_mls_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
}
static int
-mac_mls_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
+mac_mls_vnode_check_read(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp, struct label *vplabel)
{
struct mac_mls *subj, *obj;
@@ -2526,7 +2531,7 @@ mac_mls_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
}
static int
-mac_mls_check_vnode_readdir(struct ucred *cred, struct vnode *dvp,
+mac_mls_vnode_check_readdir(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel)
{
struct mac_mls *subj, *obj;
@@ -2544,7 +2549,7 @@ mac_mls_check_vnode_readdir(struct ucred *cred, struct vnode *dvp,
}
static int
-mac_mls_check_vnode_readlink(struct ucred *cred, struct vnode *vp,
+mac_mls_vnode_check_readlink(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
struct mac_mls *subj, *obj;
@@ -2562,7 +2567,7 @@ mac_mls_check_vnode_readlink(struct ucred *cred, struct vnode *vp,
}
static int
-mac_mls_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
+mac_mls_vnode_check_relabel(struct ucred *cred, struct vnode *vp,
struct label *vplabel, struct label *newlabel)
{
struct mac_mls *old, *new, *subj;
@@ -2613,7 +2618,7 @@ mac_mls_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
}
static int
-mac_mls_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
+mac_mls_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct vnode *vp, struct label *vplabel,
struct componentname *cnp)
{
@@ -2637,7 +2642,7 @@ mac_mls_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
}
static int
-mac_mls_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
+mac_mls_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct vnode *vp, struct label *vplabel,
int samedir, struct componentname *cnp)
{
@@ -2663,7 +2668,7 @@ mac_mls_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
}
static int
-mac_mls_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
+mac_mls_vnode_check_revoke(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
struct mac_mls *subj, *obj;
@@ -2681,7 +2686,7 @@ mac_mls_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
}
static int
-mac_mls_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
+mac_mls_vnode_check_setacl(struct ucred *cred, struct vnode *vp,
struct label *vplabel, acl_type_t type, struct acl *acl)
{
struct mac_mls *subj, *obj;
@@ -2699,7 +2704,7 @@ mac_mls_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
}
static int
-mac_mls_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
+mac_mls_vnode_check_setextattr(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int attrnamespace, const char *name,
struct uio *uio)
{
@@ -2720,7 +2725,7 @@ mac_mls_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
}
static int
-mac_mls_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
+mac_mls_vnode_check_setflags(struct ucred *cred, struct vnode *vp,
struct label *vplabel, u_long flags)
{
struct mac_mls *subj, *obj;
@@ -2738,7 +2743,7 @@ mac_mls_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
}
static int
-mac_mls_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
+mac_mls_vnode_check_setmode(struct ucred *cred, struct vnode *vp,
struct label *vplabel, mode_t mode)
{
struct mac_mls *subj, *obj;
@@ -2756,7 +2761,7 @@ mac_mls_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
}
static int
-mac_mls_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
+mac_mls_vnode_check_setowner(struct ucred *cred, struct vnode *vp,
struct label *vplabel, uid_t uid, gid_t gid)
{
struct mac_mls *subj, *obj;
@@ -2774,7 +2779,7 @@ mac_mls_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
}
static int
-mac_mls_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
+mac_mls_vnode_check_setutimes(struct ucred *cred, struct vnode *vp,
struct label *vplabel, struct timespec atime, struct timespec mtime)
{
struct mac_mls *subj, *obj;
@@ -2792,7 +2797,7 @@ mac_mls_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
}
static int
-mac_mls_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
+mac_mls_vnode_check_stat(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp, struct label *vplabel)
{
struct mac_mls *subj, *obj;
@@ -2810,7 +2815,7 @@ mac_mls_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
}
static int
-mac_mls_check_vnode_unlink(struct ucred *cred, struct vnode *dvp,
+mac_mls_vnode_check_unlink(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct vnode *vp, struct label *vplabel,
struct componentname *cnp)
{
@@ -2834,7 +2839,7 @@ mac_mls_check_vnode_unlink(struct ucred *cred, struct vnode *dvp,
}
static int
-mac_mls_check_vnode_write(struct ucred *active_cred, struct ucred *file_cred,
+mac_mls_vnode_check_write(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp, struct label *vplabel)
{
struct mac_mls *subj, *obj;
@@ -2865,181 +2870,181 @@ mac_mls_associate_nfsd_label(struct ucred *cred)
static struct mac_policy_ops mac_mls_ops =
{
.mpo_init = mac_mls_init,
- .mpo_init_bpfdesc_label = mac_mls_init_label,
- .mpo_init_cred_label = mac_mls_init_label,
- .mpo_init_devfs_label = mac_mls_init_label,
- .mpo_init_ifnet_label = mac_mls_init_label,
- .mpo_init_inpcb_label = mac_mls_init_label_waitcheck,
+ .mpo_bpfdesc_init_label = mac_mls_init_label,
+ .mpo_cred_init_label = mac_mls_init_label,
+ .mpo_devfs_init_label = mac_mls_init_label,
+ .mpo_ifnet_init_label = mac_mls_init_label,
+ .mpo_inpcb_init_label = mac_mls_init_label_waitcheck,
.mpo_init_syncache_label = mac_mls_init_label_waitcheck,
- .mpo_init_sysv_msgmsg_label = mac_mls_init_label,
- .mpo_init_sysv_msgqueue_label = mac_mls_init_label,
- .mpo_init_sysv_sem_label = mac_mls_init_label,
- .mpo_init_sysv_shm_label = mac_mls_init_label,
- .mpo_init_ipq_label = mac_mls_init_label_waitcheck,
- .mpo_init_mbuf_label = mac_mls_init_label_waitcheck,
- .mpo_init_mount_label = mac_mls_init_label,
- .mpo_init_pipe_label = mac_mls_init_label,
- .mpo_init_posix_sem_label = mac_mls_init_label,
- .mpo_init_socket_label = mac_mls_init_label_waitcheck,
- .mpo_init_socket_peer_label = mac_mls_init_label_waitcheck,
- .mpo_init_vnode_label = mac_mls_init_label,
- .mpo_destroy_bpfdesc_label = mac_mls_destroy_label,
- .mpo_destroy_cred_label = mac_mls_destroy_label,
- .mpo_destroy_devfs_label = mac_mls_destroy_label,
- .mpo_destroy_ifnet_label = mac_mls_destroy_label,
- .mpo_destroy_inpcb_label = mac_mls_destroy_label,
+ .mpo_sysvmsg_init_label = mac_mls_init_label,
+ .mpo_sysvmsq_init_label = mac_mls_init_label,
+ .mpo_sysvsem_init_label = mac_mls_init_label,
+ .mpo_sysvshm_init_label = mac_mls_init_label,
+ .mpo_ipq_init_label = mac_mls_init_label_waitcheck,
+ .mpo_mbuf_init_label = mac_mls_init_label_waitcheck,
+ .mpo_mount_init_label = mac_mls_init_label,
+ .mpo_pipe_init_label = mac_mls_init_label,
+ .mpo_posixsem_init_label = mac_mls_init_label,
+ .mpo_socket_init_label = mac_mls_init_label_waitcheck,
+ .mpo_socketpeer_init_label = mac_mls_init_label_waitcheck,
+ .mpo_vnode_init_label = mac_mls_init_label,
+ .mpo_bpfdesc_destroy_label = mac_mls_destroy_label,
+ .mpo_cred_destroy_label = mac_mls_destroy_label,
+ .mpo_devfs_destroy_label = mac_mls_destroy_label,
+ .mpo_ifnet_destroy_label = mac_mls_destroy_label,
+ .mpo_inpcb_destroy_label = mac_mls_destroy_label,
.mpo_destroy_syncache_label = mac_mls_destroy_label,
- .mpo_destroy_sysv_msgmsg_label = mac_mls_destroy_label,
- .mpo_destroy_sysv_msgqueue_label = mac_mls_destroy_label,
- .mpo_destroy_sysv_sem_label = mac_mls_destroy_label,
- .mpo_destroy_sysv_shm_label = mac_mls_destroy_label,
- .mpo_destroy_ipq_label = mac_mls_destroy_label,
- .mpo_destroy_mbuf_label = mac_mls_destroy_label,
- .mpo_destroy_mount_label = mac_mls_destroy_label,
- .mpo_destroy_pipe_label = mac_mls_destroy_label,
- .mpo_destroy_posix_sem_label = mac_mls_destroy_label,
- .mpo_destroy_socket_label = mac_mls_destroy_label,
- .mpo_destroy_socket_peer_label = mac_mls_destroy_label,
- .mpo_destroy_vnode_label = mac_mls_destroy_label,
- .mpo_copy_cred_label = mac_mls_copy_label,
- .mpo_copy_ifnet_label = mac_mls_copy_label,
- .mpo_copy_mbuf_label = mac_mls_copy_label,
- .mpo_copy_pipe_label = mac_mls_copy_label,
- .mpo_copy_socket_label = mac_mls_copy_label,
- .mpo_copy_vnode_label = mac_mls_copy_label,
- .mpo_externalize_cred_label = mac_mls_externalize_label,
- .mpo_externalize_ifnet_label = mac_mls_externalize_label,
- .mpo_externalize_pipe_label = mac_mls_externalize_label,
- .mpo_externalize_socket_label = mac_mls_externalize_label,
- .mpo_externalize_socket_peer_label = mac_mls_externalize_label,
- .mpo_externalize_vnode_label = mac_mls_externalize_label,
- .mpo_internalize_cred_label = mac_mls_internalize_label,
- .mpo_internalize_ifnet_label = mac_mls_internalize_label,
- .mpo_internalize_pipe_label = mac_mls_internalize_label,
- .mpo_internalize_socket_label = mac_mls_internalize_label,
- .mpo_internalize_vnode_label = mac_mls_internalize_label,
- .mpo_create_devfs_device = mac_mls_create_devfs_device,
- .mpo_create_devfs_directory = mac_mls_create_devfs_directory,
- .mpo_create_devfs_symlink = mac_mls_create_devfs_symlink,
- .mpo_create_mount = mac_mls_create_mount,
- .mpo_relabel_vnode = mac_mls_relabel_vnode,
- .mpo_update_devfs = mac_mls_update_devfs,
- .mpo_associate_vnode_devfs = mac_mls_associate_vnode_devfs,
- .mpo_associate_vnode_extattr = mac_mls_associate_vnode_extattr,
- .mpo_associate_vnode_singlelabel = mac_mls_associate_vnode_singlelabel,
- .mpo_create_vnode_extattr = mac_mls_create_vnode_extattr,
- .mpo_setlabel_vnode_extattr = mac_mls_setlabel_vnode_extattr,
- .mpo_create_mbuf_from_socket = mac_mls_create_mbuf_from_socket,
+ .mpo_sysvmsg_destroy_label = mac_mls_destroy_label,
+ .mpo_sysvmsq_destroy_label = mac_mls_destroy_label,
+ .mpo_sysvsem_destroy_label = mac_mls_destroy_label,
+ .mpo_sysvshm_destroy_label = mac_mls_destroy_label,
+ .mpo_ipq_destroy_label = mac_mls_destroy_label,
+ .mpo_mbuf_destroy_label = mac_mls_destroy_label,
+ .mpo_mount_destroy_label = mac_mls_destroy_label,
+ .mpo_pipe_destroy_label = mac_mls_destroy_label,
+ .mpo_posixsem_destroy_label = mac_mls_destroy_label,
+ .mpo_socket_destroy_label = mac_mls_destroy_label,
+ .mpo_socketpeer_destroy_label = mac_mls_destroy_label,
+ .mpo_vnode_destroy_label = mac_mls_destroy_label,
+ .mpo_cred_copy_label = mac_mls_copy_label,
+ .mpo_ifnet_copy_label = mac_mls_copy_label,
+ .mpo_mbuf_copy_label = mac_mls_copy_label,
+ .mpo_pipe_copy_label = mac_mls_copy_label,
+ .mpo_socket_copy_label = mac_mls_copy_label,
+ .mpo_vnode_copy_label = mac_mls_copy_label,
+ .mpo_cred_externalize_label = mac_mls_externalize_label,
+ .mpo_ifnet_externalize_label = mac_mls_externalize_label,
+ .mpo_pipe_externalize_label = mac_mls_externalize_label,
+ .mpo_socket_externalize_label = mac_mls_externalize_label,
+ .mpo_socketpeer_externalize_label = mac_mls_externalize_label,
+ .mpo_vnode_externalize_label = mac_mls_externalize_label,
+ .mpo_cred_internalize_label = mac_mls_internalize_label,
+ .mpo_ifnet_internalize_label = mac_mls_internalize_label,
+ .mpo_pipe_internalize_label = mac_mls_internalize_label,
+ .mpo_socket_internalize_label = mac_mls_internalize_label,
+ .mpo_vnode_internalize_label = mac_mls_internalize_label,
+ .mpo_devfs_create_device = mac_mls_devfs_create_device,
+ .mpo_devfs_create_directory = mac_mls_devfs_create_directory,
+ .mpo_devfs_create_symlink = mac_mls_devfs_create_symlink,
+ .mpo_mount_create = mac_mls_mount_create,
+ .mpo_vnode_relabel = mac_mls_vnode_relabel,
+ .mpo_devfs_update = mac_mls_devfs_update,
+ .mpo_devfs_vnode_associate = mac_mls_devfs_vnode_associate,
+ .mpo_vnode_associate_extattr = mac_mls_vnode_associate_extattr,
+ .mpo_vnode_associate_singlelabel = mac_mls_vnode_associate_singlelabel,
+ .mpo_vnode_create_extattr = mac_mls_vnode_create_extattr,
+ .mpo_vnode_setlabel_extattr = mac_mls_vnode_setlabel_extattr,
+ .mpo_socket_create_mbuf = mac_mls_socket_create_mbuf,
.mpo_create_mbuf_from_syncache = mac_mls_create_mbuf_from_syncache,
- .mpo_create_pipe = mac_mls_create_pipe,
- .mpo_create_posix_sem = mac_mls_create_posix_sem,
- .mpo_create_socket = mac_mls_create_socket,
- .mpo_create_socket_from_socket = mac_mls_create_socket_from_socket,
- .mpo_relabel_pipe = mac_mls_relabel_pipe,
- .mpo_relabel_socket = mac_mls_relabel_socket,
- .mpo_set_socket_peer_from_mbuf = mac_mls_set_socket_peer_from_mbuf,
- .mpo_set_socket_peer_from_socket = mac_mls_set_socket_peer_from_socket,
- .mpo_create_bpfdesc = mac_mls_create_bpfdesc,
- .mpo_create_datagram_from_ipq = mac_mls_create_datagram_from_ipq,
- .mpo_create_fragment = mac_mls_create_fragment,
- .mpo_create_ifnet = mac_mls_create_ifnet,
- .mpo_create_inpcb_from_socket = mac_mls_create_inpcb_from_socket,
+ .mpo_pipe_create = mac_mls_pipe_create,
+ .mpo_posixsem_create = mac_mls_posixsem_create,
+ .mpo_socket_create = mac_mls_socket_create,
+ .mpo_socket_newconn = mac_mls_socket_newconn,
+ .mpo_pipe_relabel = mac_mls_pipe_relabel,
+ .mpo_socket_relabel = mac_mls_socket_relabel,
+ .mpo_socketpeer_set_from_mbuf = mac_mls_socketpeer_set_from_mbuf,
+ .mpo_socketpeer_set_from_socket = mac_mls_socketpeer_set_from_socket,
+ .mpo_bpfdesc_create = mac_mls_bpfdesc_create,
+ .mpo_ipq_reassemble = mac_mls_ipq_reassemble,
+ .mpo_netinet_fragment = mac_mls_netinet_fragment,
+ .mpo_ifnet_create = mac_mls_ifnet_create,
+ .mpo_inpcb_create = mac_mls_inpcb_create,
.mpo_init_syncache_from_inpcb = mac_mls_init_syncache_from_inpcb,
- .mpo_create_ipq = mac_mls_create_ipq,
- .mpo_create_sysv_msgmsg = mac_mls_create_sysv_msgmsg,
- .mpo_create_sysv_msgqueue = mac_mls_create_sysv_msgqueue,
- .mpo_create_sysv_sem = mac_mls_create_sysv_sem,
- .mpo_create_sysv_shm = mac_mls_create_sysv_shm,
- .mpo_create_mbuf_from_inpcb = mac_mls_create_mbuf_from_inpcb,
+ .mpo_ipq_create = mac_mls_ipq_create,
+ .mpo_sysvmsg_create = mac_mls_sysvmsg_create,
+ .mpo_sysvmsq_create = mac_mls_sysvmsq_create,
+ .mpo_sysvsem_create = mac_mls_sysvsem_create,
+ .mpo_sysvshm_create = mac_mls_sysvshm_create,
+ .mpo_inpcb_create_mbuf = mac_mls_inpcb_create_mbuf,
.mpo_create_mbuf_linklayer = mac_mls_create_mbuf_linklayer,
- .mpo_create_mbuf_from_bpfdesc = mac_mls_create_mbuf_from_bpfdesc,
- .mpo_create_mbuf_from_ifnet = mac_mls_create_mbuf_from_ifnet,
- .mpo_create_mbuf_multicast_encap = mac_mls_create_mbuf_multicast_encap,
- .mpo_create_mbuf_netlayer = mac_mls_create_mbuf_netlayer,
- .mpo_fragment_match = mac_mls_fragment_match,
- .mpo_relabel_ifnet = mac_mls_relabel_ifnet,
- .mpo_update_ipq = mac_mls_update_ipq,
+ .mpo_bpfdesc_create_mbuf = mac_mls_bpfdesc_create_mbuf,
+ .mpo_ifnet_create_mbuf = mac_mls_ifnet_create_mbuf,
+ .mpo_mbuf_create_multicast_encap = mac_mls_mbuf_create_multicast_encap,
+ .mpo_mbuf_create_netlayer = mac_mls_mbuf_create_netlayer,
+ .mpo_ipq_match = mac_mls_ipq_match,
+ .mpo_ifnet_relabel = mac_mls_ifnet_relabel,
+ .mpo_ipq_update = mac_mls_ipq_update,
.mpo_inpcb_sosetlabel = mac_mls_inpcb_sosetlabel,
- .mpo_create_proc0 = mac_mls_create_proc0,
- .mpo_create_proc1 = mac_mls_create_proc1,
- .mpo_relabel_cred = mac_mls_relabel_cred,
- .mpo_cleanup_sysv_msgmsg = mac_mls_cleanup_sysv_msgmsg,
- .mpo_cleanup_sysv_msgqueue = mac_mls_cleanup_sysv_msgqueue,
- .mpo_cleanup_sysv_sem = mac_mls_cleanup_sysv_sem,
- .mpo_cleanup_sysv_shm = mac_mls_cleanup_sysv_shm,
- .mpo_check_bpfdesc_receive = mac_mls_check_bpfdesc_receive,
- .mpo_check_cred_relabel = mac_mls_check_cred_relabel,
- .mpo_check_cred_visible = mac_mls_check_cred_visible,
- .mpo_check_ifnet_relabel = mac_mls_check_ifnet_relabel,
- .mpo_check_ifnet_transmit = mac_mls_check_ifnet_transmit,
- .mpo_check_inpcb_deliver = mac_mls_check_inpcb_deliver,
- .mpo_check_sysv_msgrcv = mac_mls_check_sysv_msgrcv,
- .mpo_check_sysv_msgrmid = mac_mls_check_sysv_msgrmid,
- .mpo_check_sysv_msqget = mac_mls_check_sysv_msqget,
- .mpo_check_sysv_msqsnd = mac_mls_check_sysv_msqsnd,
- .mpo_check_sysv_msqrcv = mac_mls_check_sysv_msqrcv,
- .mpo_check_sysv_msqctl = mac_mls_check_sysv_msqctl,
- .mpo_check_sysv_semctl = mac_mls_check_sysv_semctl,
- .mpo_check_sysv_semget = mac_mls_check_sysv_semget,
- .mpo_check_sysv_semop = mac_mls_check_sysv_semop,
- .mpo_check_sysv_shmat = mac_mls_check_sysv_shmat,
- .mpo_check_sysv_shmctl = mac_mls_check_sysv_shmctl,
- .mpo_check_sysv_shmget = mac_mls_check_sysv_shmget,
- .mpo_check_mount_stat = mac_mls_check_mount_stat,
- .mpo_check_pipe_ioctl = mac_mls_check_pipe_ioctl,
- .mpo_check_pipe_poll = mac_mls_check_pipe_poll,
- .mpo_check_pipe_read = mac_mls_check_pipe_read,
- .mpo_check_pipe_relabel = mac_mls_check_pipe_relabel,
- .mpo_check_pipe_stat = mac_mls_check_pipe_stat,
- .mpo_check_pipe_write = mac_mls_check_pipe_write,
- .mpo_check_posix_sem_destroy = mac_mls_check_posix_sem_write,
- .mpo_check_posix_sem_getvalue = mac_mls_check_posix_sem_rdonly,
- .mpo_check_posix_sem_open = mac_mls_check_posix_sem_write,
- .mpo_check_posix_sem_post = mac_mls_check_posix_sem_write,
- .mpo_check_posix_sem_unlink = mac_mls_check_posix_sem_write,
- .mpo_check_posix_sem_wait = mac_mls_check_posix_sem_write,
- .mpo_check_proc_debug = mac_mls_check_proc_debug,
- .mpo_check_proc_sched = mac_mls_check_proc_sched,
- .mpo_check_proc_signal = mac_mls_check_proc_signal,
- .mpo_check_socket_deliver = mac_mls_check_socket_deliver,
- .mpo_check_socket_relabel = mac_mls_check_socket_relabel,
- .mpo_check_socket_visible = mac_mls_check_socket_visible,
- .mpo_check_system_acct = mac_mls_check_system_acct,
- .mpo_check_system_auditctl = mac_mls_check_system_auditctl,
- .mpo_check_system_swapon = mac_mls_check_system_swapon,
- .mpo_check_vnode_access = mac_mls_check_vnode_open,
- .mpo_check_vnode_chdir = mac_mls_check_vnode_chdir,
- .mpo_check_vnode_chroot = mac_mls_check_vnode_chroot,
- .mpo_check_vnode_create = mac_mls_check_vnode_create,
- .mpo_check_vnode_deleteacl = mac_mls_check_vnode_deleteacl,
- .mpo_check_vnode_deleteextattr = mac_mls_check_vnode_deleteextattr,
- .mpo_check_vnode_exec = mac_mls_check_vnode_exec,
- .mpo_check_vnode_getacl = mac_mls_check_vnode_getacl,
- .mpo_check_vnode_getextattr = mac_mls_check_vnode_getextattr,
- .mpo_check_vnode_link = mac_mls_check_vnode_link,
- .mpo_check_vnode_listextattr = mac_mls_check_vnode_listextattr,
- .mpo_check_vnode_lookup = mac_mls_check_vnode_lookup,
- .mpo_check_vnode_mmap = mac_mls_check_vnode_mmap,
- .mpo_check_vnode_open = mac_mls_check_vnode_open,
- .mpo_check_vnode_poll = mac_mls_check_vnode_poll,
- .mpo_check_vnode_read = mac_mls_check_vnode_read,
- .mpo_check_vnode_readdir = mac_mls_check_vnode_readdir,
- .mpo_check_vnode_readlink = mac_mls_check_vnode_readlink,
- .mpo_check_vnode_relabel = mac_mls_check_vnode_relabel,
- .mpo_check_vnode_rename_from = mac_mls_check_vnode_rename_from,
- .mpo_check_vnode_rename_to = mac_mls_check_vnode_rename_to,
- .mpo_check_vnode_revoke = mac_mls_check_vnode_revoke,
- .mpo_check_vnode_setacl = mac_mls_check_vnode_setacl,
- .mpo_check_vnode_setextattr = mac_mls_check_vnode_setextattr,
- .mpo_check_vnode_setflags = mac_mls_check_vnode_setflags,
- .mpo_check_vnode_setmode = mac_mls_check_vnode_setmode,
- .mpo_check_vnode_setowner = mac_mls_check_vnode_setowner,
- .mpo_check_vnode_setutimes = mac_mls_check_vnode_setutimes,
- .mpo_check_vnode_stat = mac_mls_check_vnode_stat,
- .mpo_check_vnode_unlink = mac_mls_check_vnode_unlink,
- .mpo_check_vnode_write = mac_mls_check_vnode_write,
+ .mpo_proc_create_swapper = mac_mls_proc_create_swapper,
+ .mpo_proc_create_init = mac_mls_proc_create_init,
+ .mpo_cred_relabel = mac_mls_cred_relabel,
+ .mpo_sysvmsg_cleanup = mac_mls_sysvmsg_cleanup,
+ .mpo_sysvmsq_cleanup = mac_mls_sysvmsq_cleanup,
+ .mpo_sysvsem_cleanup = mac_mls_sysvsem_cleanup,
+ .mpo_sysvshm_cleanup = mac_mls_sysvshm_cleanup,
+ .mpo_bpfdesc_check_receive = mac_mls_bpfdesc_check_receive,
+ .mpo_cred_check_relabel = mac_mls_cred_check_relabel,
+ .mpo_cred_check_visible = mac_mls_cred_check_visible,
+ .mpo_ifnet_check_relabel = mac_mls_ifnet_check_relabel,
+ .mpo_ifnet_check_transmit = mac_mls_ifnet_check_transmit,
+ .mpo_inpcb_check_deliver = mac_mls_inpcb_check_deliver,
+ .mpo_sysvmsq_check_msgrcv = mac_mls_sysvmsq_check_msgrcv,
+ .mpo_sysvmsq_check_msgrmid = mac_mls_sysvmsq_check_msgrmid,
+ .mpo_sysvmsq_check_msqget = mac_mls_sysvmsq_check_msqget,
+ .mpo_sysvmsq_check_msqsnd = mac_mls_sysvmsq_check_msqsnd,
+ .mpo_sysvmsq_check_msqrcv = mac_mls_sysvmsq_check_msqrcv,
+ .mpo_sysvmsq_check_msqctl = mac_mls_sysvmsq_check_msqctl,
+ .mpo_sysvsem_check_semctl = mac_mls_sysvsem_check_semctl,
+ .mpo_sysvsem_check_semget = mac_mls_sysvsem_check_semget,
+ .mpo_sysvsem_check_semop = mac_mls_sysvsem_check_semop,
+ .mpo_sysvshm_check_shmat = mac_mls_sysvshm_check_shmat,
+ .mpo_sysvshm_check_shmctl = mac_mls_sysvshm_check_shmctl,
+ .mpo_sysvshm_check_shmget = mac_mls_sysvshm_check_shmget,
+ .mpo_mount_check_stat = mac_mls_mount_check_stat,
+ .mpo_pipe_check_ioctl = mac_mls_pipe_check_ioctl,
+ .mpo_pipe_check_poll = mac_mls_pipe_check_poll,
+ .mpo_pipe_check_read = mac_mls_pipe_check_read,
+ .mpo_pipe_check_relabel = mac_mls_pipe_check_relabel,
+ .mpo_pipe_check_stat = mac_mls_pipe_check_stat,
+ .mpo_pipe_check_write = mac_mls_pipe_check_write,
+ .mpo_posixsem_check_destroy = mac_mls_posixsem_check_write,
+ .mpo_posixsem_check_getvalue = mac_mls_posixsem_check_rdonly,
+ .mpo_posixsem_check_open = mac_mls_posixsem_check_write,
+ .mpo_posixsem_check_post = mac_mls_posixsem_check_write,
+ .mpo_posixsem_check_unlink = mac_mls_posixsem_check_write,
+ .mpo_posixsem_check_wait = mac_mls_posixsem_check_write,
+ .mpo_proc_check_debug = mac_mls_proc_check_debug,
+ .mpo_proc_check_sched = mac_mls_proc_check_sched,
+ .mpo_proc_check_signal = mac_mls_proc_check_signal,
+ .mpo_socket_check_deliver = mac_mls_socket_check_deliver,
+ .mpo_socket_check_relabel = mac_mls_socket_check_relabel,
+ .mpo_socket_check_visible = mac_mls_socket_check_visible,
+ .mpo_system_check_acct = mac_mls_system_check_acct,
+ .mpo_system_check_auditctl = mac_mls_system_check_auditctl,
+ .mpo_system_check_swapon = mac_mls_system_check_swapon,
+ .mpo_vnode_check_access = mac_mls_vnode_check_open,
+ .mpo_vnode_check_chdir = mac_mls_vnode_check_chdir,
+ .mpo_vnode_check_chroot = mac_mls_vnode_check_chroot,
+ .mpo_vnode_check_create = mac_mls_vnode_check_create,
+ .mpo_vnode_check_deleteacl = mac_mls_vnode_check_deleteacl,
+ .mpo_vnode_check_deleteextattr = mac_mls_vnode_check_deleteextattr,
+ .mpo_vnode_check_exec = mac_mls_vnode_check_exec,
+ .mpo_vnode_check_getacl = mac_mls_vnode_check_getacl,
+ .mpo_vnode_check_getextattr = mac_mls_vnode_check_getextattr,
+ .mpo_vnode_check_link = mac_mls_vnode_check_link,
+ .mpo_vnode_check_listextattr = mac_mls_vnode_check_listextattr,
+ .mpo_vnode_check_lookup = mac_mls_vnode_check_lookup,
+ .mpo_vnode_check_mmap = mac_mls_vnode_check_mmap,
+ .mpo_vnode_check_open = mac_mls_vnode_check_open,
+ .mpo_vnode_check_poll = mac_mls_vnode_check_poll,
+ .mpo_vnode_check_read = mac_mls_vnode_check_read,
+ .mpo_vnode_check_readdir = mac_mls_vnode_check_readdir,
+ .mpo_vnode_check_readlink = mac_mls_vnode_check_readlink,
+ .mpo_vnode_check_relabel = mac_mls_vnode_check_relabel,
+ .mpo_vnode_check_rename_from = mac_mls_vnode_check_rename_from,
+ .mpo_vnode_check_rename_to = mac_mls_vnode_check_rename_to,
+ .mpo_vnode_check_revoke = mac_mls_vnode_check_revoke,
+ .mpo_vnode_check_setacl = mac_mls_vnode_check_setacl,
+ .mpo_vnode_check_setextattr = mac_mls_vnode_check_setextattr,
+ .mpo_vnode_check_setflags = mac_mls_vnode_check_setflags,
+ .mpo_vnode_check_setmode = mac_mls_vnode_check_setmode,
+ .mpo_vnode_check_setowner = mac_mls_vnode_check_setowner,
+ .mpo_vnode_check_setutimes = mac_mls_vnode_check_setutimes,
+ .mpo_vnode_check_stat = mac_mls_vnode_check_stat,
+ .mpo_vnode_check_unlink = mac_mls_vnode_check_unlink,
+ .mpo_vnode_check_write = mac_mls_vnode_check_write,
.mpo_associate_nfsd_label = mac_mls_associate_nfsd_label,
- .mpo_create_mbuf_from_firewall = mac_mls_create_mbuf_from_firewall,
+ .mpo_mbuf_create_from_firewall = mac_mls_mbuf_create_from_firewall,
};
MAC_POLICY_SET(&mac_mls_ops, mac_mls, "TrustedBSD MAC/MLS",
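Review bot: Several members of the new `mac_mls_ops` initializer still use the old verb-first form: `.mpo_init_syncache_label`, `.mpo_destroy_syncache_label`, `.mpo_create_mbuf_from_syncache`, `.mpo_init_syncache_from_inpcb`, `.mpo_create_mbuf_linklayer` and `.mpo_associate_nfsd_label`, while their neighbours moved to `mpo_<object>_<method>`. The commit message calls this the first in a series, so the leftovers are probably deliberate, but a marker such as `/* not yet converted to the mpo_<object>_<method> form */` on those lines would keep a later reader from taking the mix for an oversight. Separately, the table points `.mpo_vnode_check_access` at `mac_mls_vnode_check_open` and five of the six `mpo_posixsem_check_*` members at `mac_mls_posixsem_check_write`. A one-line comment stating that this sharing is intended would make the MLS check coverage easier to audit.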
diff --git a/sys/security/mac_partition/mac_partition.c b/sys/security/mac_partition/mac_partition.c
index c418d3f..986406a 100644
--- a/sys/security/mac_partition/mac_partition.c
+++ b/sys/security/mac_partition/mac_partition.c
@@ -1,6 +1,7 @@
/*-
* Copyright (c) 1999-2002, 2007 Robert N. M. Watson
* Copyright (c) 2001-2002 Networks Associates Technology, Inc.
+ * Copyright (c) 2006 SPARTA, Inc.
* All rights reserved.
*
* This software was developed by Robert Watson for the TrustedBSD Project.
@@ -10,6 +11,9 @@
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
* as part of the DARPA CHATS research program.
*
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract
+ * N66001-04-C-6019 ("SEFOS").
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -115,21 +119,21 @@ mac_partition_internalize_label(struct label *label, char *element_name,
}
static void
-mac_partition_create_proc0(struct ucred *cred)
+mac_partition_proc_create_swapper(struct ucred *cred)
{
SLOT_SET(cred->cr_label, 0);
}
static void
-mac_partition_create_proc1(struct ucred *cred)
+mac_partition_proc_create_init(struct ucred *cred)
{
SLOT_SET(cred->cr_label, 0);
}
static void
-mac_partition_relabel_cred(struct ucred *cred, struct label *newlabel)
+mac_partition_cred_relabel(struct ucred *cred, struct label *newlabel)
{
if (SLOT(newlabel) != 0)
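Review bot: `mac_partition_proc_create_swapper` and `mac_partition_proc_create_init` both store a literal 0 in the credential's label slot, and nothing in the hunk says what that value denotes. The `SLOT(newlabel) != 0` test in `mac_partition_cred_relabel` suggests 0 is treated as a special "unset" value, but that is an inference; the body of that function continues outside the hunk. Since these two hooks fix the label that the first kernel processes start with, a comment above each, for example `/* 0 is the initial label value for kernel-created credentials. */`, would document the starting state the rest of the policy depends on.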
@@ -153,7 +157,7 @@ label_on_label(struct label *subject, struct label *object)
}
static int
-mac_partition_check_cred_relabel(struct ucred *cred, struct label *newlabel)
+mac_partition_cred_check_relabel(struct ucred *cred, struct label *newlabel)
{
int error;
@@ -174,7 +178,7 @@ mac_partition_check_cred_relabel(struct ucred *cred, struct label *newlabel)
}
static int
-mac_partition_check_cred_visible(struct ucred *cr1, struct ucred *cr2)
+mac_partition_cred_check_visible(struct ucred *cr1, struct ucred *cr2)
{
int error;
@@ -184,7 +188,7 @@ mac_partition_check_cred_visible(struct ucred *cr1, struct ucred *cr2)
}
static int
-mac_partition_check_proc_debug(struct ucred *cred, struct proc *p)
+mac_partition_proc_check_debug(struct ucred *cred, struct proc *p)
{
int error;
@@ -194,7 +198,7 @@ mac_partition_check_proc_debug(struct ucred *cred, struct proc *p)
}
static int
-mac_partition_check_proc_sched(struct ucred *cred, struct proc *p)
+mac_partition_proc_check_sched(struct ucred *cred, struct proc *p)
{
int error;
@@ -204,7 +208,7 @@ mac_partition_check_proc_sched(struct ucred *cred, struct proc *p)
}
static int
-mac_partition_check_proc_signal(struct ucred *cred, struct proc *p,
+mac_partition_proc_check_signal(struct ucred *cred, struct proc *p,
int signum)
{
int error;
@@ -215,7 +219,7 @@ mac_partition_check_proc_signal(struct ucred *cred, struct proc *p,
}
static int
-mac_partition_check_socket_visible(struct ucred *cred, struct socket *so,
+mac_partition_socket_check_visible(struct ucred *cred, struct socket *so,
struct label *solabel)
{
int error;
@@ -226,7 +230,7 @@ mac_partition_check_socket_visible(struct ucred *cred, struct socket *so,
}
static int
-mac_partition_check_vnode_exec(struct ucred *cred, struct vnode *vp,
+mac_partition_vnode_check_exec(struct ucred *cred, struct vnode *vp,
struct label *vplabel, struct image_params *imgp,
struct label *execlabel)
{
@@ -246,21 +250,21 @@ mac_partition_check_vnode_exec(struct ucred *cred, struct vnode *vp,
static struct mac_policy_ops mac_partition_ops =
{
- .mpo_init_cred_label = mac_partition_init_label,
- .mpo_destroy_cred_label = mac_partition_destroy_label,
- .mpo_copy_cred_label = mac_partition_copy_label,
- .mpo_externalize_cred_label = mac_partition_externalize_label,
- .mpo_internalize_cred_label = mac_partition_internalize_label,
- .mpo_create_proc0 = mac_partition_create_proc0,
- .mpo_create_proc1 = mac_partition_create_proc1,
- .mpo_relabel_cred = mac_partition_relabel_cred,
- .mpo_check_cred_relabel = mac_partition_check_cred_relabel,
- .mpo_check_cred_visible = mac_partition_check_cred_visible,
- .mpo_check_proc_debug = mac_partition_check_proc_debug,
- .mpo_check_proc_sched = mac_partition_check_proc_sched,
- .mpo_check_proc_signal = mac_partition_check_proc_signal,
- .mpo_check_socket_visible = mac_partition_check_socket_visible,
- .mpo_check_vnode_exec = mac_partition_check_vnode_exec,
+ .mpo_cred_init_label = mac_partition_init_label,
+ .mpo_cred_destroy_label = mac_partition_destroy_label,
+ .mpo_cred_copy_label = mac_partition_copy_label,
+ .mpo_cred_externalize_label = mac_partition_externalize_label,
+ .mpo_cred_internalize_label = mac_partition_internalize_label,
+ .mpo_proc_create_swapper = mac_partition_proc_create_swapper,
+ .mpo_proc_create_init = mac_partition_proc_create_init,
+ .mpo_cred_relabel = mac_partition_cred_relabel,
+ .mpo_cred_check_relabel = mac_partition_cred_check_relabel,
+ .mpo_cred_check_visible = mac_partition_cred_check_visible,
+ .mpo_proc_check_debug = mac_partition_proc_check_debug,
+ .mpo_proc_check_sched = mac_partition_proc_check_sched,
+ .mpo_proc_check_signal = mac_partition_proc_check_signal,
+ .mpo_socket_check_visible = mac_partition_socket_check_visible,
+ .mpo_vnode_check_exec = mac_partition_vnode_check_exec,
};
MAC_POLICY_SET(&mac_partition_ops, mac_partition, "TrustedBSD MAC/Partition",
diff --git a/sys/security/mac_portacl/mac_portacl.c b/sys/security/mac_portacl/mac_portacl.c
index 633f606..0d4428d 100644
--- a/sys/security/mac_portacl/mac_portacl.c
+++ b/sys/security/mac_portacl/mac_portacl.c
@@ -1,5 +1,6 @@
/*-
* Copyright (c) 2003-2004 Networks Associates Technology, Inc.
+ * Copyright (c) 2006 SPARTA, Inc.
* All rights reserved.
*
* This software was developed for the FreeBSD Project by Network
@@ -7,6 +8,9 @@
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
* as part of the DARPA CHATS research program.
*
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract
+ * N66001-04-C-6019 ("SEFOS").
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -430,7 +434,7 @@ rules_check(struct ucred *cred, int family, int type, u_int16_t port)
* the source port is left up to the IP stack to determine automatically.
*/
static int
-check_socket_bind(struct ucred *cred, struct socket *so,
+socket_check_bind(struct ucred *cred, struct socket *so,
struct label *solabel, struct sockaddr *sa)
{
struct sockaddr_in *sin;
@@ -482,7 +486,7 @@ static struct mac_policy_ops mac_portacl_ops =
{
.mpo_destroy = destroy,
.mpo_init = init,
- .mpo_check_socket_bind = check_socket_bind,
+ .mpo_socket_check_bind = socket_check_bind,
};
MAC_POLICY_SET(&mac_portacl_ops, trustedbsd_mac_portacl,
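Review bot: After the rename the handler is the bare `socket_check_bind`, next to the equally generic `destroy` and `init` in `mac_portacl_ops`, whereas the other policies in this diff prefix their handlers (`mac_mls_`, `mac_partition_`, `mac_seeotheruids_`, `stub_`). The function is declared `static`, so this is not a linkage problem. The unprefixed name is harder to tell apart in backtraces and grep output, though, now that the framework entry points use the same `<object>_check_<method>` shape described in the commit message. Consider a module prefix, e.g. `.mpo_socket_check_bind = portacl_socket_check_bind,`, with the definition renamed to match.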
diff --git a/sys/security/mac_seeotheruids/mac_seeotheruids.c b/sys/security/mac_seeotheruids/mac_seeotheruids.c
index 1e5e4df..8681b86 100644
--- a/sys/security/mac_seeotheruids/mac_seeotheruids.c
+++ b/sys/security/mac_seeotheruids/mac_seeotheruids.c
@@ -1,6 +1,7 @@
/*-
* Copyright (c) 1999-2002, 2007 Robert N. M. Watson
* Copyright (c) 2001-2002 Networks Associates Technology, Inc.
+ * Copyright (c) 2006 SPARTA, Inc.
* All rights reserved.
*
* This software was developed by Robert Watson for the TrustedBSD Project.
@@ -10,6 +11,9 @@
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
* as part of the DARPA CHATS research program.
*
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract
+ * N66001-04-C-6019 ("SEFOS").
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -122,14 +126,14 @@ mac_seeotheruids_check(struct ucred *cr1, struct ucred *cr2)
}
static int
-mac_seeotheruids_check_cred_visible(struct ucred *cr1, struct ucred *cr2)
+mac_seeotheruids_cred_check_visible(struct ucred *cr1, struct ucred *cr2)
{
return (mac_seeotheruids_check(cr1, cr2));
}
static int
-mac_seeotheruids_check_proc_signal(struct ucred *cred, struct proc *p,
+mac_seeotheruids_proc_check_signal(struct ucred *cred, struct proc *p,
int signum)
{
@@ -137,21 +141,21 @@ mac_seeotheruids_check_proc_signal(struct ucred *cred, struct proc *p,
}
static int
-mac_seeotheruids_check_proc_sched(struct ucred *cred, struct proc *p)
+mac_seeotheruids_proc_check_sched(struct ucred *cred, struct proc *p)
{
return (mac_seeotheruids_check(cred, p->p_ucred));
}
static int
-mac_seeotheruids_check_proc_debug(struct ucred *cred, struct proc *p)
+mac_seeotheruids_proc_check_debug(struct ucred *cred, struct proc *p)
{
return (mac_seeotheruids_check(cred, p->p_ucred));
}
static int
-mac_seeotheruids_check_socket_visible(struct ucred *cred, struct socket *so,
+mac_seeotheruids_socket_check_visible(struct ucred *cred, struct socket *so,
struct label *solabel)
{
@@ -160,11 +164,11 @@ mac_seeotheruids_check_socket_visible(struct ucred *cred, struct socket *so,
static struct mac_policy_ops mac_seeotheruids_ops =
{
- .mpo_check_cred_visible = mac_seeotheruids_check_cred_visible,
- .mpo_check_proc_debug = mac_seeotheruids_check_proc_debug,
- .mpo_check_proc_sched = mac_seeotheruids_check_proc_sched,
- .mpo_check_proc_signal = mac_seeotheruids_check_proc_signal,
- .mpo_check_socket_visible = mac_seeotheruids_check_socket_visible,
+ .mpo_cred_check_visible = mac_seeotheruids_cred_check_visible,
+ .mpo_proc_check_debug = mac_seeotheruids_proc_check_debug,
+ .mpo_proc_check_sched = mac_seeotheruids_proc_check_sched,
+ .mpo_proc_check_signal = mac_seeotheruids_proc_check_signal,
+ .mpo_socket_check_visible = mac_seeotheruids_socket_check_visible,
};
MAC_POLICY_SET(&mac_seeotheruids_ops, mac_seeotheruids,
diff --git a/sys/security/mac_stub/mac_stub.c b/sys/security/mac_stub/mac_stub.c
index 8fa9a0d..56a0953 100644
--- a/sys/security/mac_stub/mac_stub.c
+++ b/sys/security/mac_stub/mac_stub.c
@@ -1,7 +1,7 @@
/*-
* Copyright (c) 1999-2002, 2007 Robert N. M. Watson
* Copyright (c) 2001-2005 McAfee, Inc.
- * Copyright (c) 2005 SPARTA, Inc.
+ * Copyright (c) 2005-2006 SPARTA, Inc.
* All rights reserved.
*
* This software was developed by Robert Watson for the TrustedBSD Project.
@@ -163,7 +163,7 @@ stub_internalize_label(struct label *label, char *element_name,
* a lot like file system objects.
*/
static void
-stub_associate_vnode_devfs(struct mount *mp, struct label *mplabel,
+stub_devfs_vnode_associate(struct mount *mp, struct label *mplabel,
struct devfs_dirent *de, struct label *delabel, struct vnode *vp,
struct label *vplabel)
{
@@ -171,7 +171,7 @@ stub_associate_vnode_devfs(struct mount *mp, struct label *mplabel,
}
static int
-stub_associate_vnode_extattr(struct mount *mp, struct label *mplabel,
+stub_vnode_associate_extattr(struct mount *mp, struct label *mplabel,
struct vnode *vp, struct label *vplabel)
{
@@ -179,7 +179,7 @@ stub_associate_vnode_extattr(struct mount *mp, struct label *mplabel,
}
static void
-stub_associate_vnode_singlelabel(struct mount *mp,
+stub_vnode_associate_singlelabel(struct mount *mp,
struct label *mplabel, struct vnode *vp, struct label *vplabel)
{
@@ -192,21 +192,21 @@ stub_associate_nfsd_label(struct ucred *cred)
}
static void
-stub_create_devfs_device(struct ucred *cred, struct mount *mp,
+stub_devfs_create_device(struct ucred *cred, struct mount *mp,
struct cdev *dev, struct devfs_dirent *de, struct label *delabel)
{
}
static void
-stub_create_devfs_directory(struct mount *mp, char *dirname,
+stub_devfs_create_directory(struct mount *mp, char *dirname,
int dirnamelen, struct devfs_dirent *de, struct label *delabel)
{
}
static void
-stub_create_devfs_symlink(struct ucred *cred, struct mount *mp,
+stub_devfs_create_symlink(struct ucred *cred, struct mount *mp,
struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de,
struct label *delabel)
{
@@ -214,7 +214,7 @@ stub_create_devfs_symlink(struct ucred *cred, struct mount *mp,
}
static int
-stub_create_vnode_extattr(struct ucred *cred, struct mount *mp,
+stub_vnode_create_extattr(struct ucred *cred, struct mount *mp,
struct label *mntlabel, struct vnode *dvp, struct label *dvplabel,
struct vnode *vp, struct label *vplabel, struct componentname *cnp)
{
@@ -223,21 +223,21 @@ stub_create_vnode_extattr(struct ucred *cred, struct mount *mp,
}
static void
-stub_create_mount(struct ucred *cred, struct mount *mp,
+stub_mount_create(struct ucred *cred, struct mount *mp,
struct label *mplabel)
{
}
static void
-stub_relabel_vnode(struct ucred *cred, struct vnode *vp,
+stub_vnode_relabel(struct ucred *cred, struct vnode *vp,
struct label *vplabel, struct label *label)
{
}
static int
-stub_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
+stub_vnode_setlabel_extattr(struct ucred *cred, struct vnode *vp,
struct label *vplabel, struct label *intlabel)
{
@@ -245,7 +245,7 @@ stub_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
}
static void
-stub_update_devfs(struct mount *mp, struct devfs_dirent *de,
+stub_devfs_update(struct mount *mp, struct devfs_dirent *de,
struct label *delabel, struct vnode *vp, struct label *vplabel)
{
@@ -255,63 +255,63 @@ stub_update_devfs(struct mount *mp, struct devfs_dirent *de,
* Labeling event operations: IPC object.
*/
static void
-stub_create_mbuf_from_socket(struct socket *so, struct label *solabel,
+stub_socket_create_mbuf(struct socket *so, struct label *solabel,
struct mbuf *m, struct label *mlabel)
{
}
static void
-stub_create_socket(struct ucred *cred, struct socket *so,
+stub_socket_create(struct ucred *cred, struct socket *so,
struct label *solabel)
{
}
static void
-stub_create_pipe(struct ucred *cred, struct pipepair *pp,
+stub_pipe_create(struct ucred *cred, struct pipepair *pp,
struct label *pplabel)
{
}
static void
-stub_create_posix_sem(struct ucred *cred, struct ksem *ks,
+stub_posixsem_create(struct ucred *cred, struct ksem *ks,
struct label *kslabel)
{
}
static void
-stub_create_socket_from_socket(struct socket *oldso,
- struct label *oldsolabel, struct socket *newso, struct label *newsolabel)
+stub_socket_newconn(struct socket *oldso, struct label *oldsolabel,
+ struct socket *newso, struct label *newsolabel)
{
}
static void
-stub_relabel_socket(struct ucred *cred, struct socket *so,
+stub_socket_relabel(struct ucred *cred, struct socket *so,
struct label *solabel, struct label *newlabel)
{
}
static void
-stub_relabel_pipe(struct ucred *cred, struct pipepair *pp,
+stub_pipe_relabel(struct ucred *cred, struct pipepair *pp,
struct label *pplabel, struct label *newlabel)
{
}
static void
-stub_set_socket_peer_from_mbuf(struct mbuf *m, struct label *mlabel,
+stub_socketpeer_set_from_mbuf(struct mbuf *m, struct label *mlabel,
struct socket *so, struct label *sopeerlabel)
{
}
static void
-stub_set_socket_peer_from_socket(struct socket *oldso,
+stub_socketpeer_set_from_socket(struct socket *oldso,
struct label *oldsolabel, struct socket *newso,
struct label *newsopeerlabel)
{
@@ -322,34 +322,34 @@ stub_set_socket_peer_from_socket(struct socket *oldso,
* Labeling event operations: network objects.
*/
static void
-stub_create_bpfdesc(struct ucred *cred, struct bpf_d *d,
+stub_bpfdesc_create(struct ucred *cred, struct bpf_d *d,
struct label *dlabel)
{
}
static void
-stub_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel,
+stub_ipq_reassemble(struct ipq *ipq, struct label *ipqlabel,
struct mbuf *m, struct label *mlabel)
{
}
static void
-stub_create_fragment(struct mbuf *m, struct label *mlabel, struct mbuf *frag,
+stub_netinet_fragment(struct mbuf *m, struct label *mlabel, struct mbuf *frag,
struct label *fraglabel)
{
}
static void
-stub_create_ifnet(struct ifnet *ifp, struct label *ifplabel)
+stub_ifnet_create(struct ifnet *ifp, struct label *ifplabel)
{
}
static void
-stub_create_inpcb_from_socket(struct socket *so, struct label *solabel,
+stub_inpcb_create(struct socket *so, struct label *solabel,
struct inpcb *inp, struct label *inplabel)
{
@@ -362,42 +362,42 @@ stub_init_syncache_from_inpcb(struct label *label, struct inpcb *inp)
}
static void
-stub_create_sysv_msgmsg(struct ucred *cred, struct msqid_kernel *msqkptr,
+stub_sysvmsg_create(struct ucred *cred, struct msqid_kernel *msqkptr,
struct label *msqlabel, struct msg *msgptr, struct label *msglabel)
{
}
static void
-stub_create_sysv_msgqueue(struct ucred *cred, struct msqid_kernel *msqkptr,
+stub_sysvmsq_create(struct ucred *cred, struct msqid_kernel *msqkptr,
struct label *msqlabel)
{
}
static void
-stub_create_sysv_sem(struct ucred *cred, struct semid_kernel *semakptr,
+stub_sysvsem_create(struct ucred *cred, struct semid_kernel *semakptr,
struct label *semalabel)
{
}
static void
-stub_create_sysv_shm(struct ucred *cred, struct shmid_kernel *shmsegptr,
+stub_sysvshm_create(struct ucred *cred, struct shmid_kernel *shmsegptr,
struct label *shmalabel)
{
}
static void
-stub_create_ipq(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
+stub_ipq_create(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
struct label *ipqlabel)
{
}
static void
-stub_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel,
+stub_inpcb_create_mbuf(struct inpcb *inp, struct label *inplabel,
struct mbuf *m, struct label *mlabel)
{
@@ -418,21 +418,21 @@ stub_create_mbuf_linklayer(struct ifnet *ifnet, struct label *ifnetlabel,
}
static void
-stub_create_mbuf_from_bpfdesc(struct bpf_d *d, struct label *dlabel,
+stub_bpfdesc_create_mbuf(struct bpf_d *d, struct label *dlabel,
struct mbuf *m, struct label *mlabel)
{
}
static void
-stub_create_mbuf_from_ifnet(struct ifnet *ifp, struct label *ifplabel,
+stub_ifnet_create_mbuf(struct ifnet *ifp, struct label *ifplabel,
struct mbuf *m, struct label *mlabel)
{
}
static void
-stub_create_mbuf_multicast_encap(struct mbuf *m, struct label *mlabel,
+stub_mbuf_create_multicast_encap(struct mbuf *m, struct label *mlabel,
struct ifnet *ifp, struct label *ifplabel, struct mbuf *mnew,
struct label *mnewlabel)
{
@@ -440,20 +440,20 @@ stub_create_mbuf_multicast_encap(struct mbuf *m, struct label *mlabel,
}
static void
-stub_create_mbuf_netlayer(struct mbuf *m, struct label *mlabel,
+stub_mbuf_create_netlayer(struct mbuf *m, struct label *mlabel,
struct mbuf *mnew, struct label *mnewlabel)
{
}
static void
-stub_create_mbuf_from_firewall(struct mbuf *m, struct label *mlabel)
+stub_mbuf_create_from_firewall(struct mbuf *m, struct label *mlabel)
{
}
static int
-stub_fragment_match(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
+stub_ipq_match(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
struct label *ipqlabel)
{
@@ -461,26 +461,26 @@ stub_fragment_match(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
}
static void
-stub_reflect_mbuf_icmp(struct mbuf *m, struct label *mlabel)
+stub_netinet_icmp_reply(struct mbuf *m, struct label *mlabel)
{
}
static void
-stub_reflect_mbuf_tcp(struct mbuf *m, struct label *mlabel)
+stub_netinet_tcp_reply(struct mbuf *m, struct label *mlabel)
{
}
static void
-stub_relabel_ifnet(struct ucred *cred, struct ifnet *ifp,
+stub_ifnet_relabel(struct ucred *cred, struct ifnet *ifp,
struct label *ifplabel, struct label *newlabel)
{
}
static void
-stub_update_ipq(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
+stub_ipq_update(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
struct label *ipqlabel)
{
@@ -497,7 +497,7 @@ stub_inpcb_sosetlabel(struct socket *so, struct label *solabel,
* Labeling event operations: processes.
*/
static void
-stub_execve_transition(struct ucred *old, struct ucred *new,
+stub_vnode_execve_transition(struct ucred *old, struct ucred *new,
struct vnode *vp, struct label *vplabel, struct label *interpvnodelabel,
struct image_params *imgp, struct label *execlabel)
{
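Review bot: The rename to `stub_vnode_execve_transition` files a credential-changing hook under the `vnode` prefix, although its first two parameters are `struct ucred *old, struct ucred *new` and it still sits under the "Labeling event operations: processes." banner at the top of this hunk. Anyone auditing exec-time label transitions by searching for `cred_` or `proc_` entry points would now miss it, and the same holds for `stub_vnode_execve_will_transition` in the next hunk. A short comment above both would help, e.g. `/* Credential label transition at execve(); grouped under vnode in the new KPI naming. */`. Both function bodies continue outside their hunks.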
@@ -505,7 +505,7 @@ stub_execve_transition(struct ucred *old, struct ucred *new,
}
static int
-stub_execve_will_transition(struct ucred *old, struct vnode *vp,
+stub_vnode_execve_will_transition(struct ucred *old, struct vnode *vp,
struct label *vplabel, struct label *interpvnodelabel,
struct image_params *imgp, struct label *execlabel)
{
@@ -514,19 +514,19 @@ stub_execve_will_transition(struct ucred *old, struct vnode *vp,
}
static void
-stub_create_proc0(struct ucred *cred)
+stub_proc_create_swapper(struct ucred *cred)
{
}
static void
-stub_create_proc1(struct ucred *cred)
+stub_proc_create_init(struct ucred *cred)
{
}
static void
-stub_relabel_cred(struct ucred *cred, struct label *newlabel)
+stub_cred_relabel(struct ucred *cred, struct label *newlabel)
{
}
@@ -541,25 +541,25 @@ stub_thread_userret(struct thread *td)
* Label cleanup/flush operations
*/
static void
-stub_cleanup_sysv_msgmsg(struct label *msglabel)
+stub_sysvmsg_cleanup(struct label *msglabel)
{
}
static void
-stub_cleanup_sysv_msgqueue(struct label *msqlabel)
+stub_sysvmsq_cleanup(struct label *msqlabel)
{
}
static void
-stub_cleanup_sysv_sem(struct label *semalabel)
+stub_sysvsem_cleanup(struct label *semalabel)
{
}
static void
-stub_cleanup_sysv_shm(struct label *shmlabel)
+stub_sysvshm_cleanup(struct label *shmlabel)
{
}
@@ -568,7 +568,7 @@ stub_cleanup_sysv_shm(struct label *shmlabel)
* Access control checks.
*/
static int
-stub_check_bpfdesc_receive(struct bpf_d *d, struct label *dlabel,
+stub_bpfdesc_check_receive(struct bpf_d *d, struct label *dlabel,
struct ifnet *ifp, struct label *ifplabel)
{
@@ -576,21 +576,21 @@ stub_check_bpfdesc_receive(struct bpf_d *d, struct label *dlabel,
}
static int
-stub_check_cred_relabel(struct ucred *cred, struct label *newlabel)
+stub_cred_check_relabel(struct ucred *cred, struct label *newlabel)
{
return (0);
}
static int
-stub_check_cred_visible(struct ucred *cr1, struct ucred *cr2)
+stub_cred_check_visible(struct ucred *cr1, struct ucred *cr2)
{
return (0);
}
static int
-stub_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifp,
+stub_ifnet_check_relabel(struct ucred *cred, struct ifnet *ifp,
struct label *ifplabel, struct label *newlabel)
{
@@ -598,7 +598,7 @@ stub_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifp,
}
static int
-stub_check_ifnet_transmit(struct ifnet *ifp, struct label *ifplabel,
+stub_ifnet_check_transmit(struct ifnet *ifp, struct label *ifplabel,
struct mbuf *m, struct label *mlabel)
{
@@ -606,7 +606,7 @@ stub_check_ifnet_transmit(struct ifnet *ifp, struct label *ifplabel,
}
static int
-stub_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel,
+stub_inpcb_check_deliver(struct inpcb *inp, struct label *inplabel,
struct mbuf *m, struct label *mlabel)
{
@@ -614,7 +614,7 @@ stub_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel,
}
static int
-stub_check_sysv_msgmsq(struct ucred *cred, struct msg *msgptr,
+stub_sysvmsq_check_msgmsq(struct ucred *cred, struct msg *msgptr,
struct label *msglabel, struct msqid_kernel *msqkptr,
struct label *msqklabel)
{
@@ -623,7 +623,7 @@ stub_check_sysv_msgmsq(struct ucred *cred, struct msg *msgptr,
}
static int
-stub_check_sysv_msgrcv(struct ucred *cred, struct msg *msgptr,
+stub_sysvmsq_check_msgrcv(struct ucred *cred, struct msg *msgptr,
struct label *msglabel)
{
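Review bot: `stub_sysvmsq_check_msgrcv` takes `struct msg *msgptr` and `msglabel`, so the object being checked is a message, yet the new name files it under `sysvmsq`. Elsewhere in this diff the message object gets its own prefix (`stub_sysvmsg_create`, `stub_sysvmsg_cleanup`), so this departs from the `<object>_check_<method>` rule the commit introduces. The same applies to `stub_sysvmsq_check_msgrmid` in the next hunk. If the grouping by queue is deliberate, a comment above the two would record it, e.g. `/* Per-message checks; kept under sysvmsq with the queue-level checks. */`. Both function bodies continue outside their hunks.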
@@ -632,7 +632,7 @@ stub_check_sysv_msgrcv(struct ucred *cred, struct msg *msgptr,
static int
-stub_check_sysv_msgrmid(struct ucred *cred, struct msg *msgptr,
+stub_sysvmsq_check_msgrmid(struct ucred *cred, struct msg *msgptr,
struct label *msglabel)
{
@@ -641,7 +641,7 @@ stub_check_sysv_msgrmid(struct ucred *cred, struct msg *msgptr,
static int
-stub_check_sysv_msqget(struct ucred *cred, struct msqid_kernel *msqkptr,
+stub_sysvmsq_check_msqget(struct ucred *cred, struct msqid_kernel *msqkptr,
struct label *msqklabel)
{
@@ -650,7 +650,7 @@ stub_check_sysv_msqget(struct ucred *cred, struct msqid_kernel *msqkptr,
static int
-stub_check_sysv_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr,
+stub_sysvmsq_check_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr,
struct label *msqklabel)
{
@@ -658,7 +658,7 @@ stub_check_sysv_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr,
}
static int
-stub_check_sysv_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr,
+stub_sysvmsq_check_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr,
struct label *msqklabel)
{
@@ -667,7 +667,7 @@ stub_check_sysv_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr,
static int
-stub_check_sysv_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr,
+stub_sysvmsq_check_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr,
struct label *msqklabel, int cmd)
{
@@ -676,7 +676,7 @@ stub_check_sysv_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr,
static int
-stub_check_sysv_semctl(struct ucred *cred, struct semid_kernel *semakptr,
+stub_sysvsem_check_semctl(struct ucred *cred, struct semid_kernel *semakptr,
struct label *semaklabel, int cmd)
{
@@ -684,7 +684,7 @@ stub_check_sysv_semctl(struct ucred *cred, struct semid_kernel *semakptr,
}
static int
-stub_check_sysv_semget(struct ucred *cred, struct semid_kernel *semakptr,
+stub_sysvsem_check_semget(struct ucred *cred, struct semid_kernel *semakptr,
struct label *semaklabel)
{
@@ -693,7 +693,7 @@ stub_check_sysv_semget(struct ucred *cred, struct semid_kernel *semakptr,
static int
-stub_check_sysv_semop(struct ucred *cred, struct semid_kernel *semakptr,
+stub_sysvsem_check_semop(struct ucred *cred, struct semid_kernel *semakptr,
struct label *semaklabel, size_t accesstype)
{
@@ -701,7 +701,7 @@ stub_check_sysv_semop(struct ucred *cred, struct semid_kernel *semakptr,
}
static int
-stub_check_sysv_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr,
+stub_sysvshm_check_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr,
struct label *shmseglabel, int shmflg)
{
@@ -709,7 +709,7 @@ stub_check_sysv_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr,
}
static int
-stub_check_sysv_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr,
+stub_sysvshm_check_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr,
struct label *shmseglabel, int cmd)
{
@@ -717,7 +717,7 @@ stub_check_sysv_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr,
}
static int
-stub_check_sysv_shmdt(struct ucred *cred, struct shmid_kernel *shmsegptr,
+stub_sysvshm_check_shmdt(struct ucred *cred, struct shmid_kernel *shmsegptr,
struct label *shmseglabel)
{
@@ -726,7 +726,7 @@ stub_check_sysv_shmdt(struct ucred *cred, struct shmid_kernel *shmsegptr,
static int
-stub_check_sysv_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr,
+stub_sysvshm_check_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr,
struct label *shmseglabel, int shmflg)
{
@@ -734,35 +734,35 @@ stub_check_sysv_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr,
}
static int
-stub_check_kenv_dump(struct ucred *cred)
+stub_kenv_check_dump(struct ucred *cred)
{
return (0);
}
static int
-stub_check_kenv_get(struct ucred *cred, char *name)
+stub_kenv_check_get(struct ucred *cred, char *name)
{
return (0);
}
static int
-stub_check_kenv_set(struct ucred *cred, char *name, char *value)
+stub_kenv_check_set(struct ucred *cred, char *name, char *value)
{
return (0);
}
static int
-stub_check_kenv_unset(struct ucred *cred, char *name)
+stub_kenv_check_unset(struct ucred *cred, char *name)
{
return (0);
}
static int
-stub_check_kld_load(struct ucred *cred, struct vnode *vp,
+stub_kld_check_load(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
@@ -770,14 +770,14 @@ stub_check_kld_load(struct ucred *cred, struct vnode *vp,
}
static int
-stub_check_kld_stat(struct ucred *cred)
+stub_kld_check_stat(struct ucred *cred)
{
return (0);
}
static int
-stub_check_mount_stat(struct ucred *cred, struct mount *mp,
+stub_mount_check_stat(struct ucred *cred, struct mount *mp,
struct label *mplabel)
{
@@ -785,7 +785,7 @@ stub_check_mount_stat(struct ucred *cred, struct mount *mp,
}
static int
-stub_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp,
+stub_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp,
struct label *pplabel, unsigned long cmd, void /* caddr_t */ *data)
{
@@ -793,7 +793,7 @@ stub_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp,
}
static int
-stub_check_pipe_poll(struct ucred *cred, struct pipepair *pp,
+stub_pipe_check_poll(struct ucred *cred, struct pipepair *pp,
struct label *pplabel)
{
@@ -801,7 +801,7 @@ stub_check_pipe_poll(struct ucred *cred, struct pipepair *pp,
}
static int
-stub_check_pipe_read(struct ucred *cred, struct pipepair *pp,
+stub_pipe_check_read(struct ucred *cred, struct pipepair *pp,
struct label *pplabel)
{
@@ -809,7 +809,7 @@ stub_check_pipe_read(struct ucred *cred, struct pipepair *pp,
}
static int
-stub_check_pipe_relabel(struct ucred *cred, struct pipepair *pp,
+stub_pipe_check_relabel(struct ucred *cred, struct pipepair *pp,
struct label *pplabel, struct label *newlabel)
{
@@ -817,7 +817,7 @@ stub_check_pipe_relabel(struct ucred *cred, struct pipepair *pp,
}
static int
-stub_check_pipe_stat(struct ucred *cred, struct pipepair *pp,
+stub_pipe_check_stat(struct ucred *cred, struct pipepair *pp,
struct label *pplabel)
{
@@ -825,7 +825,7 @@ stub_check_pipe_stat(struct ucred *cred, struct pipepair *pp,
}
static int
-stub_check_pipe_write(struct ucred *cred, struct pipepair *pp,
+stub_pipe_check_write(struct ucred *cred, struct pipepair *pp,
struct label *pplabel)
{
@@ -833,7 +833,7 @@ stub_check_pipe_write(struct ucred *cred, struct pipepair *pp,
}
static int
-stub_check_posix_sem_destroy(struct ucred *cred, struct ksem *ks,
+stub_posixsem_check_destroy(struct ucred *cred, struct ksem *ks,
struct label *kslabel)
{
@@ -841,7 +841,7 @@ stub_check_posix_sem_destroy(struct ucred *cred, struct ksem *ks,
}
static int
-stub_check_posix_sem_getvalue(struct ucred *cred, struct ksem *ks,
+stub_posixsem_check_getvalue(struct ucred *cred, struct ksem *ks,
struct label *kslabel)
{
@@ -849,7 +849,7 @@ stub_check_posix_sem_getvalue(struct ucred *cred, struct ksem *ks,
}
static int
-stub_check_posix_sem_open(struct ucred *cred, struct ksem *ks,
+stub_posixsem_check_open(struct ucred *cred, struct ksem *ks,
struct label *kslabel)
{
@@ -857,7 +857,7 @@ stub_check_posix_sem_open(struct ucred *cred, struct ksem *ks,
}
static int
-stub_check_posix_sem_post(struct ucred *cred, struct ksem *ks,
+stub_posixsem_check_post(struct ucred *cred, struct ksem *ks,
struct label *kslabel)
{
@@ -865,7 +865,7 @@ stub_check_posix_sem_post(struct ucred *cred, struct ksem *ks,
}
static int
-stub_check_posix_sem_unlink(struct ucred *cred, struct ksem *ks,
+stub_posixsem_check_unlink(struct ucred *cred, struct ksem *ks,
struct label *kslabel)
{
@@ -873,7 +873,7 @@ stub_check_posix_sem_unlink(struct ucred *cred, struct ksem *ks,
}
static int
-stub_check_posix_sem_wait(struct ucred *cred, struct ksem *ks,
+stub_posixsem_check_wait(struct ucred *cred, struct ksem *ks,
struct label *kslabel)
{
@@ -881,84 +881,84 @@ stub_check_posix_sem_wait(struct ucred *cred, struct ksem *ks,
}
static int
-stub_check_proc_debug(struct ucred *cred, struct proc *p)
+stub_proc_check_debug(struct ucred *cred, struct proc *p)
{
return (0);
}
static int
-stub_check_proc_sched(struct ucred *cred, struct proc *p)
+stub_proc_check_sched(struct ucred *cred, struct proc *p)
{
return (0);
}
static int
-stub_check_proc_signal(struct ucred *cred, struct proc *p, int signum)
+stub_proc_check_signal(struct ucred *cred, struct proc *p, int signum)
{
return (0);
}
static int
-stub_check_proc_wait(struct ucred *cred, struct proc *p)
+stub_proc_check_wait(struct ucred *cred, struct proc *p)
{
return (0);
}
static int
-stub_check_proc_setaudit(struct ucred *cred, struct auditinfo *ai)
+stub_proc_check_setaudit(struct ucred *cred, struct auditinfo *ai)
{
return (0);
}
static int
-stub_check_proc_setaudit_addr(struct ucred *cred, struct auditinfo_addr *aia)
+stub_proc_check_setaudit_addr(struct ucred *cred, struct auditinfo_addr *aia)
{
return (0);
}
static int
-stub_check_proc_setauid(struct ucred *cred, uid_t auid)
+stub_proc_check_setauid(struct ucred *cred, uid_t auid)
{
return (0);
}
static int
-stub_check_proc_setuid(struct ucred *cred, uid_t uid)
+stub_proc_check_setuid(struct ucred *cred, uid_t uid)
{
return (0);
}
static int
-stub_check_proc_seteuid(struct ucred *cred, uid_t euid)
+stub_proc_check_seteuid(struct ucred *cred, uid_t euid)
{
return (0);
}
static int
-stub_check_proc_setgid(struct ucred *cred, gid_t gid)
+stub_proc_check_setgid(struct ucred *cred, gid_t gid)
{
return (0);
}
static int
-stub_check_proc_setegid(struct ucred *cred, gid_t egid)
+stub_proc_check_setegid(struct ucred *cred, gid_t egid)
{
return (0);
}
static int
-stub_check_proc_setgroups(struct ucred *cred, int ngroups,
+stub_proc_check_setgroups(struct ucred *cred, int ngroups,
gid_t *gidset)
{
@@ -966,21 +966,21 @@ stub_check_proc_setgroups(struct ucred *cred, int ngroups,
}
static int
-stub_check_proc_setreuid(struct ucred *cred, uid_t ruid, uid_t euid)
+stub_proc_check_setreuid(struct ucred *cred, uid_t ruid, uid_t euid)
{
return (0);
}
static int
-stub_check_proc_setregid(struct ucred *cred, gid_t rgid, gid_t egid)
+stub_proc_check_setregid(struct ucred *cred, gid_t rgid, gid_t egid)
{
return (0);
}
static int
-stub_check_proc_setresuid(struct ucred *cred, uid_t ruid, uid_t euid,
+stub_proc_check_setresuid(struct ucred *cred, uid_t ruid, uid_t euid,
uid_t suid)
{
@@ -988,7 +988,7 @@ stub_check_proc_setresuid(struct ucred *cred, uid_t ruid, uid_t euid,
}
static int
-stub_check_proc_setresgid(struct ucred *cred, gid_t rgid, gid_t egid,
+stub_proc_check_setresgid(struct ucred *cred, gid_t rgid, gid_t egid,
gid_t sgid)
{
@@ -996,7 +996,7 @@ stub_check_proc_setresgid(struct ucred *cred, gid_t rgid, gid_t egid,
}
static int
-stub_check_socket_accept(struct ucred *cred, struct socket *so,
+stub_socket_check_accept(struct ucred *cred, struct socket *so,
struct label *solabel)
{
@@ -1004,7 +1004,7 @@ stub_check_socket_accept(struct ucred *cred, struct socket *so,
}
static int
-stub_check_socket_bind(struct ucred *cred, struct socket *so,
+stub_socket_check_bind(struct ucred *cred, struct socket *so,
struct label *solabel, struct sockaddr *sa)
{
@@ -1012,7 +1012,7 @@ stub_check_socket_bind(struct ucred *cred, struct socket *so,
}
static int
-stub_check_socket_connect(struct ucred *cred, struct socket *so,
+stub_socket_check_connect(struct ucred *cred, struct socket *so,
struct label *solabel, struct sockaddr *sa)
{
@@ -1020,14 +1020,14 @@ stub_check_socket_connect(struct ucred *cred, struct socket *so,
}
static int
-stub_check_socket_create(struct ucred *cred, int domain, int type, int proto)
+stub_socket_check_create(struct ucred *cred, int domain, int type, int proto)
{
return (0);
}
static int
-stub_check_socket_deliver(struct socket *so, struct label *solabel,
+stub_socket_check_deliver(struct socket *so, struct label *solabel,
struct mbuf *m, struct label *mlabel)
{
@@ -1035,7 +1035,7 @@ stub_check_socket_deliver(struct socket *so, struct label *solabel,
}
static int
-stub_check_socket_listen(struct ucred *cred, struct socket *so,
+stub_socket_check_listen(struct ucred *cred, struct socket *so,
struct label *solabel)
{
@@ -1043,7 +1043,7 @@ stub_check_socket_listen(struct ucred *cred, struct socket *so,
}
static int
-stub_check_socket_poll(struct ucred *cred, struct socket *so,
+stub_socket_check_poll(struct ucred *cred, struct socket *so,
struct label *solabel)
{
@@ -1051,7 +1051,7 @@ stub_check_socket_poll(struct ucred *cred, struct socket *so,
}
static int
-stub_check_socket_receive(struct ucred *cred, struct socket *so,
+stub_socket_check_receive(struct ucred *cred, struct socket *so,
struct label *solabel)
{
@@ -1059,14 +1059,14 @@ stub_check_socket_receive(struct ucred *cred, struct socket *so,
}
static int
-stub_check_socket_relabel(struct ucred *cred, struct socket *so,
+stub_socket_check_relabel(struct ucred *cred, struct socket *so,
struct label *solabel, struct label *newlabel)
{
return (0);
}
static int
-stub_check_socket_send(struct ucred *cred, struct socket *so,
+stub_socket_check_send(struct ucred *cred, struct socket *so,
struct label *solabel)
{
@@ -1074,7 +1074,7 @@ stub_check_socket_send(struct ucred *cred, struct socket *so,
}
static int
-stub_check_socket_stat(struct ucred *cred, struct socket *so,
+stub_socket_check_stat(struct ucred *cred, struct socket *so,
struct label *solabel)
{
@@ -1082,7 +1082,7 @@ stub_check_socket_stat(struct ucred *cred, struct socket *so,
}
static int
-stub_check_socket_visible(struct ucred *cred, struct socket *so,
+stub_socket_check_visible(struct ucred *cred, struct socket *so,
struct label *solabel)
{
@@ -1090,7 +1090,7 @@ stub_check_socket_visible(struct ucred *cred, struct socket *so,
}
static int
-stub_check_system_acct(struct ucred *cred, struct vnode *vp,
+stub_system_check_acct(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
@@ -1098,14 +1098,14 @@ stub_check_system_acct(struct ucred *cred, struct vnode *vp,
}
static int
-stub_check_system_audit(struct ucred *cred, void *record, int length)
+stub_system_check_audit(struct ucred *cred, void *record, int length)
{
return (0);
}
static int
-stub_check_system_auditctl(struct ucred *cred, struct vnode *vp,
+stub_system_check_auditctl(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
@@ -1113,21 +1113,21 @@ stub_check_system_auditctl(struct ucred *cred, struct vnode *vp,
}
static int
-stub_check_system_auditon(struct ucred *cred, int cmd)
+stub_system_check_auditon(struct ucred *cred, int cmd)
{
return (0);
}
static int
-stub_check_system_reboot(struct ucred *cred, int how)
+stub_system_check_reboot(struct ucred *cred, int how)
{
return (0);
}
static int
-stub_check_system_swapoff(struct ucred *cred, struct vnode *vp,
+stub_system_check_swapoff(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
@@ -1135,7 +1135,7 @@ stub_check_system_swapoff(struct ucred *cred, struct vnode *vp,
}
static int
-stub_check_system_swapon(struct ucred *cred, struct vnode *vp,
+stub_system_check_swapon(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
@@ -1143,7 +1143,7 @@ stub_check_system_swapon(struct ucred *cred, struct vnode *vp,
}
static int
-stub_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
+stub_system_check_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
void *arg1, int arg2, struct sysctl_req *req)
{
@@ -1151,7 +1151,7 @@ stub_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
}
static int
-stub_check_vnode_access(struct ucred *cred, struct vnode *vp,
+stub_vnode_check_access(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int acc_mode)
{
@@ -1159,7 +1159,7 @@ stub_check_vnode_access(struct ucred *cred, struct vnode *vp,
}
static int
-stub_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
+stub_vnode_check_chdir(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel)
{
@@ -1167,7 +1167,7 @@ stub_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
}
static int
-stub_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
+stub_vnode_check_chroot(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel)
{
@@ -1175,7 +1175,7 @@ stub_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
}
static int
-stub_check_vnode_create(struct ucred *cred, struct vnode *dvp,
+stub_vnode_check_create(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct componentname *cnp, struct vattr *vap)
{
@@ -1183,7 +1183,7 @@ stub_check_vnode_create(struct ucred *cred, struct vnode *dvp,
}
static int
-stub_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
+stub_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp,
struct label *vplabel, acl_type_t type)
{
@@ -1191,7 +1191,7 @@ stub_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
}
static int
-stub_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
+stub_vnode_check_deleteextattr(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int attrnamespace, const char *name)
{
@@ -1199,7 +1199,7 @@ stub_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
}
static int
-stub_check_vnode_exec(struct ucred *cred, struct vnode *vp,
+stub_vnode_check_exec(struct ucred *cred, struct vnode *vp,
struct label *vplabel, struct image_params *imgp,
struct label *execlabel)
{
@@ -1208,7 +1208,7 @@ stub_check_vnode_exec(struct ucred *cred, struct vnode *vp,
}
static int
-stub_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
+stub_vnode_check_getacl(struct ucred *cred, struct vnode *vp,
struct label *vplabel, acl_type_t type)
{
@@ -1216,7 +1216,7 @@ stub_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
}
static int
-stub_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
+stub_vnode_check_getextattr(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int attrnamespace, const char *name,
struct uio *uio)
{
@@ -1225,7 +1225,7 @@ stub_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
}
static int
-stub_check_vnode_link(struct ucred *cred, struct vnode *dvp,
+stub_vnode_check_link(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct vnode *vp, struct label *vplabel,
struct componentname *cnp)
{
@@ -1234,7 +1234,7 @@ stub_check_vnode_link(struct ucred *cred, struct vnode *dvp,
}
static int
-stub_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
+stub_vnode_check_listextattr(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int attrnamespace)
{
@@ -1242,7 +1242,7 @@ stub_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
}
static int
-stub_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
+stub_vnode_check_lookup(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct componentname *cnp)
{
@@ -1250,7 +1250,7 @@ stub_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
}
static int
-stub_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
+stub_vnode_check_mmap(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int prot, int flags)
{
@@ -1258,14 +1258,14 @@ stub_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
}
static void
-stub_check_vnode_mmap_downgrade(struct ucred *cred, struct vnode *vp,
+stub_vnode_check_mmap_downgrade(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int *prot)
{
}
static int
-stub_check_vnode_mprotect(struct ucred *cred, struct vnode *vp,
+stub_vnode_check_mprotect(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int prot)
{
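Review bot: `stub_vnode_check_mmap_downgrade` is declared `static void` and takes `int *prot`, so under the new `<object>_check_<method>` form it reads like an access check although it has no error to return. A policy author copying this stub as a template could reasonably expect to deny the mapping from here. A short comment above the definition would help, for example `/* Not a deny/allow check: returns void; the result is expressed through *prot. */`. The wording about `*prot` is inferred from the signature and the name, so confirm it against the framework's caller.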
@@ -1273,7 +1273,7 @@ stub_check_vnode_mprotect(struct ucred *cred, struct vnode *vp,
}
static int
-stub_check_vnode_open(struct ucred *cred, struct vnode *vp,
+stub_vnode_check_open(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int acc_mode)
{
@@ -1281,7 +1281,7 @@ stub_check_vnode_open(struct ucred *cred, struct vnode *vp,
}
static int
-stub_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
+stub_vnode_check_poll(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp, struct label *vplabel)
{
@@ -1289,7 +1289,7 @@ stub_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
}
static int
-stub_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
+stub_vnode_check_read(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp, struct label *vplabel)
{
@@ -1297,7 +1297,7 @@ stub_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
}
static int
-stub_check_vnode_readdir(struct ucred *cred, struct vnode *vp,
+stub_vnode_check_readdir(struct ucred *cred, struct vnode *vp,
struct label *dvplabel)
{
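Review bot: `stub_vnode_check_readdir` names its vnode `vp` but the matching label `dvplabel`, while the other directory-side entry points in this file (`stub_vnode_check_create`, `stub_vnode_check_lookup`) pair `dvp` with `dvplabel`. Since the signature line is rewritten anyway, it could become `stub_vnode_check_readdir(struct ucred *cred, struct vnode *dvp,`. The mismatch matters more than usual here because policy modules tend to be copied from this stub, and a label paired with the wrong object name is easy to misuse in a real check. The function body lies outside the hunk, so confirm nothing in it refers to `vp` before renaming.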
@@ -1305,7 +1305,7 @@ stub_check_vnode_readdir(struct ucred *cred, struct vnode *vp,
}
static int
-stub_check_vnode_readlink(struct ucred *cred, struct vnode *vp,
+stub_vnode_check_readlink(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
@@ -1313,7 +1313,7 @@ stub_check_vnode_readlink(struct ucred *cred, struct vnode *vp,
}
static int
-stub_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
+stub_vnode_check_relabel(struct ucred *cred, struct vnode *vp,
struct label *vplabel, struct label *newlabel)
{
@@ -1321,7 +1321,7 @@ stub_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
}
static int
-stub_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
+stub_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct vnode *vp, struct label *vplabel,
struct componentname *cnp)
{
@@ -1330,7 +1330,7 @@ stub_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
}
static int
-stub_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
+stub_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct vnode *vp, struct label *vplabel,
int samedir, struct componentname *cnp)
{
@@ -1339,7 +1339,7 @@ stub_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
}
static int
-stub_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
+stub_vnode_check_revoke(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
@@ -1347,7 +1347,7 @@ stub_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
}
static int
-stub_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
+stub_vnode_check_setacl(struct ucred *cred, struct vnode *vp,
struct label *vplabel, acl_type_t type, struct acl *acl)
{
@@ -1355,7 +1355,7 @@ stub_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
}
static int
-stub_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
+stub_vnode_check_setextattr(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int attrnamespace, const char *name,
struct uio *uio)
{
@@ -1364,7 +1364,7 @@ stub_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
}
static int
-stub_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
+stub_vnode_check_setflags(struct ucred *cred, struct vnode *vp,
struct label *vplabel, u_long flags)
{
@@ -1372,7 +1372,7 @@ stub_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
}
static int
-stub_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
+stub_vnode_check_setmode(struct ucred *cred, struct vnode *vp,
struct label *vplabel, mode_t mode)
{
@@ -1380,7 +1380,7 @@ stub_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
}
static int
-stub_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
+stub_vnode_check_setowner(struct ucred *cred, struct vnode *vp,
struct label *vplabel, uid_t uid, gid_t gid)
{
@@ -1388,7 +1388,7 @@ stub_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
}
static int
-stub_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
+stub_vnode_check_setutimes(struct ucred *cred, struct vnode *vp,
struct label *vplabel, struct timespec atime, struct timespec mtime)
{
@@ -1396,7 +1396,7 @@ stub_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
}
static int
-stub_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
+stub_vnode_check_stat(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp, struct label *vplabel)
{
@@ -1404,7 +1404,7 @@ stub_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
}
static int
-stub_check_vnode_unlink(struct ucred *cred, struct vnode *dvp,
+stub_vnode_check_unlink(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct vnode *vp, struct label *vplabel,
struct componentname *cnp)
{
@@ -1413,7 +1413,7 @@ stub_check_vnode_unlink(struct ucred *cred, struct vnode *dvp,
}
static int
-stub_check_vnode_write(struct ucred *active_cred, struct ucred *file_cred,
+stub_vnode_check_write(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp, struct label *vplabel)
{
@@ -1439,219 +1439,219 @@ static struct mac_policy_ops mac_stub_ops =
.mpo_destroy = stub_destroy,
.mpo_init = stub_init,
.mpo_syscall = stub_syscall,
- .mpo_init_bpfdesc_label = stub_init_label,
- .mpo_init_cred_label = stub_init_label,
- .mpo_init_devfs_label = stub_init_label,
- .mpo_init_ifnet_label = stub_init_label,
- .mpo_init_inpcb_label = stub_init_label_waitcheck,
- .mpo_init_sysv_msgmsg_label = stub_init_label,
- .mpo_init_sysv_msgqueue_label = stub_init_label,
- .mpo_init_sysv_sem_label = stub_init_label,
- .mpo_init_sysv_shm_label = stub_init_label,
- .mpo_init_ipq_label = stub_init_label_waitcheck,
- .mpo_init_mbuf_label = stub_init_label_waitcheck,
- .mpo_init_mount_label = stub_init_label,
- .mpo_init_pipe_label = stub_init_label,
- .mpo_init_posix_sem_label = stub_init_label,
- .mpo_init_socket_label = stub_init_label_waitcheck,
- .mpo_init_socket_peer_label = stub_init_label_waitcheck,
- .mpo_init_vnode_label = stub_init_label,
- .mpo_destroy_bpfdesc_label = stub_destroy_label,
- .mpo_destroy_cred_label = stub_destroy_label,
- .mpo_destroy_devfs_label = stub_destroy_label,
- .mpo_destroy_ifnet_label = stub_destroy_label,
- .mpo_destroy_inpcb_label = stub_destroy_label,
- .mpo_destroy_sysv_msgmsg_label = stub_destroy_label,
- .mpo_destroy_sysv_msgqueue_label = stub_destroy_label,
- .mpo_destroy_sysv_sem_label = stub_destroy_label,
- .mpo_destroy_sysv_shm_label = stub_destroy_label,
- .mpo_destroy_ipq_label = stub_destroy_label,
- .mpo_destroy_mbuf_label = stub_destroy_label,
- .mpo_destroy_mount_label = stub_destroy_label,
- .mpo_destroy_pipe_label = stub_destroy_label,
- .mpo_destroy_posix_sem_label = stub_destroy_label,
- .mpo_destroy_socket_label = stub_destroy_label,
- .mpo_destroy_socket_peer_label = stub_destroy_label,
- .mpo_destroy_vnode_label = stub_destroy_label,
- .mpo_copy_cred_label = stub_copy_label,
- .mpo_copy_ifnet_label = stub_copy_label,
- .mpo_copy_mbuf_label = stub_copy_label,
- .mpo_copy_pipe_label = stub_copy_label,
- .mpo_copy_socket_label = stub_copy_label,
- .mpo_copy_vnode_label = stub_copy_label,
- .mpo_externalize_cred_label = stub_externalize_label,
- .mpo_externalize_ifnet_label = stub_externalize_label,
- .mpo_externalize_pipe_label = stub_externalize_label,
- .mpo_externalize_socket_label = stub_externalize_label,
- .mpo_externalize_socket_peer_label = stub_externalize_label,
- .mpo_externalize_vnode_label = stub_externalize_label,
- .mpo_internalize_cred_label = stub_internalize_label,
- .mpo_internalize_ifnet_label = stub_internalize_label,
- .mpo_internalize_pipe_label = stub_internalize_label,
- .mpo_internalize_socket_label = stub_internalize_label,
- .mpo_internalize_vnode_label = stub_internalize_label,
- .mpo_associate_vnode_devfs = stub_associate_vnode_devfs,
- .mpo_associate_vnode_extattr = stub_associate_vnode_extattr,
+ .mpo_bpfdesc_init_label = stub_init_label,
+ .mpo_cred_init_label = stub_init_label,
+ .mpo_devfs_init_label = stub_init_label,
+ .mpo_ifnet_init_label = stub_init_label,
+ .mpo_inpcb_init_label = stub_init_label_waitcheck,
+ .mpo_sysvmsg_init_label = stub_init_label,
+ .mpo_sysvmsq_init_label = stub_init_label,
+ .mpo_sysvsem_init_label = stub_init_label,
+ .mpo_sysvshm_init_label = stub_init_label,
+ .mpo_ipq_init_label = stub_init_label_waitcheck,
+ .mpo_mbuf_init_label = stub_init_label_waitcheck,
+ .mpo_mount_init_label = stub_init_label,
+ .mpo_pipe_init_label = stub_init_label,
+ .mpo_posixsem_init_label = stub_init_label,
+ .mpo_socket_init_label = stub_init_label_waitcheck,
+ .mpo_socketpeer_init_label = stub_init_label_waitcheck,
+ .mpo_vnode_init_label = stub_init_label,
+ .mpo_bpfdesc_destroy_label = stub_destroy_label,
+ .mpo_cred_destroy_label = stub_destroy_label,
+ .mpo_devfs_destroy_label = stub_destroy_label,
+ .mpo_ifnet_destroy_label = stub_destroy_label,
+ .mpo_inpcb_destroy_label = stub_destroy_label,
+ .mpo_sysvmsg_destroy_label = stub_destroy_label,
+ .mpo_sysvmsq_destroy_label = stub_destroy_label,
+ .mpo_sysvsem_destroy_label = stub_destroy_label,
+ .mpo_sysvshm_destroy_label = stub_destroy_label,
+ .mpo_ipq_destroy_label = stub_destroy_label,
+ .mpo_mbuf_destroy_label = stub_destroy_label,
+ .mpo_mount_destroy_label = stub_destroy_label,
+ .mpo_pipe_destroy_label = stub_destroy_label,
+ .mpo_posixsem_destroy_label = stub_destroy_label,
+ .mpo_socket_destroy_label = stub_destroy_label,
+ .mpo_socketpeer_destroy_label = stub_destroy_label,
+ .mpo_vnode_destroy_label = stub_destroy_label,
+ .mpo_cred_copy_label = stub_copy_label,
+ .mpo_ifnet_copy_label = stub_copy_label,
+ .mpo_mbuf_copy_label = stub_copy_label,
+ .mpo_pipe_copy_label = stub_copy_label,
+ .mpo_socket_copy_label = stub_copy_label,
+ .mpo_vnode_copy_label = stub_copy_label,
+ .mpo_cred_externalize_label = stub_externalize_label,
+ .mpo_ifnet_externalize_label = stub_externalize_label,
+ .mpo_pipe_externalize_label = stub_externalize_label,
+ .mpo_socket_externalize_label = stub_externalize_label,
+ .mpo_socketpeer_externalize_label = stub_externalize_label,
+ .mpo_vnode_externalize_label = stub_externalize_label,
+ .mpo_cred_internalize_label = stub_internalize_label,
+ .mpo_ifnet_internalize_label = stub_internalize_label,
+ .mpo_pipe_internalize_label = stub_internalize_label,
+ .mpo_socket_internalize_label = stub_internalize_label,
+ .mpo_vnode_internalize_label = stub_internalize_label,
+ .mpo_devfs_vnode_associate = stub_devfs_vnode_associate,
+ .mpo_vnode_associate_extattr = stub_vnode_associate_extattr,
.mpo_associate_nfsd_label = stub_associate_nfsd_label,
- .mpo_associate_vnode_singlelabel = stub_associate_vnode_singlelabel,
- .mpo_create_devfs_device = stub_create_devfs_device,
- .mpo_create_devfs_directory = stub_create_devfs_directory,
- .mpo_create_devfs_symlink = stub_create_devfs_symlink,
- .mpo_create_sysv_msgmsg = stub_create_sysv_msgmsg,
- .mpo_create_sysv_msgqueue = stub_create_sysv_msgqueue,
- .mpo_create_sysv_sem = stub_create_sysv_sem,
- .mpo_create_sysv_shm = stub_create_sysv_shm,
- .mpo_create_vnode_extattr = stub_create_vnode_extattr,
- .mpo_create_mount = stub_create_mount,
- .mpo_relabel_vnode = stub_relabel_vnode,
- .mpo_setlabel_vnode_extattr = stub_setlabel_vnode_extattr,
- .mpo_update_devfs = stub_update_devfs,
- .mpo_create_mbuf_from_socket = stub_create_mbuf_from_socket,
- .mpo_create_pipe = stub_create_pipe,
- .mpo_create_posix_sem = stub_create_posix_sem,
- .mpo_create_socket = stub_create_socket,
- .mpo_create_socket_from_socket = stub_create_socket_from_socket,
- .mpo_relabel_pipe = stub_relabel_pipe,
- .mpo_relabel_socket = stub_relabel_socket,
- .mpo_set_socket_peer_from_mbuf = stub_set_socket_peer_from_mbuf,
- .mpo_set_socket_peer_from_socket = stub_set_socket_peer_from_socket,
- .mpo_create_bpfdesc = stub_create_bpfdesc,
- .mpo_create_ifnet = stub_create_ifnet,
- .mpo_create_inpcb_from_socket = stub_create_inpcb_from_socket,
- .mpo_create_ipq = stub_create_ipq,
- .mpo_create_datagram_from_ipq = stub_create_datagram_from_ipq,
- .mpo_create_fragment = stub_create_fragment,
- .mpo_create_mbuf_from_inpcb = stub_create_mbuf_from_inpcb,
+ .mpo_vnode_associate_singlelabel = stub_vnode_associate_singlelabel,
+ .mpo_devfs_create_device = stub_devfs_create_device,
+ .mpo_devfs_create_directory = stub_devfs_create_directory,
+ .mpo_devfs_create_symlink = stub_devfs_create_symlink,
+ .mpo_sysvmsg_create = stub_sysvmsg_create,
+ .mpo_sysvmsq_create = stub_sysvmsq_create,
+ .mpo_sysvsem_create = stub_sysvsem_create,
+ .mpo_sysvshm_create = stub_sysvshm_create,
+ .mpo_vnode_create_extattr = stub_vnode_create_extattr,
+ .mpo_mount_create = stub_mount_create,
+ .mpo_vnode_relabel = stub_vnode_relabel,
+ .mpo_vnode_setlabel_extattr = stub_vnode_setlabel_extattr,
+ .mpo_devfs_update = stub_devfs_update,
+ .mpo_socket_create_mbuf = stub_socket_create_mbuf,
+ .mpo_pipe_create = stub_pipe_create,
+ .mpo_posixsem_create = stub_posixsem_create,
+ .mpo_socket_create = stub_socket_create,
+ .mpo_socket_newconn = stub_socket_newconn,
+ .mpo_pipe_relabel = stub_pipe_relabel,
+ .mpo_socket_relabel = stub_socket_relabel,
+ .mpo_socketpeer_set_from_mbuf = stub_socketpeer_set_from_mbuf,
+ .mpo_socketpeer_set_from_socket = stub_socketpeer_set_from_socket,
+ .mpo_bpfdesc_create = stub_bpfdesc_create,
+ .mpo_ifnet_create = stub_ifnet_create,
+ .mpo_inpcb_create = stub_inpcb_create,
+ .mpo_ipq_create = stub_ipq_create,
+ .mpo_ipq_reassemble = stub_ipq_reassemble,
+ .mpo_netinet_fragment = stub_netinet_fragment,
+ .mpo_inpcb_create_mbuf = stub_inpcb_create_mbuf,
.mpo_create_mbuf_linklayer = stub_create_mbuf_linklayer,
- .mpo_create_mbuf_from_bpfdesc = stub_create_mbuf_from_bpfdesc,
- .mpo_create_mbuf_from_ifnet = stub_create_mbuf_from_ifnet,
- .mpo_create_mbuf_multicast_encap = stub_create_mbuf_multicast_encap,
- .mpo_create_mbuf_netlayer = stub_create_mbuf_netlayer,
- .mpo_create_mbuf_from_firewall = stub_create_mbuf_from_firewall,
- .mpo_fragment_match = stub_fragment_match,
- .mpo_reflect_mbuf_icmp = stub_reflect_mbuf_icmp,
- .mpo_reflect_mbuf_tcp = stub_reflect_mbuf_tcp,
- .mpo_relabel_ifnet = stub_relabel_ifnet,
- .mpo_update_ipq = stub_update_ipq,
+ .mpo_bpfdesc_create_mbuf = stub_bpfdesc_create_mbuf,
+ .mpo_ifnet_create_mbuf = stub_ifnet_create_mbuf,
+ .mpo_mbuf_create_multicast_encap = stub_mbuf_create_multicast_encap,
+ .mpo_mbuf_create_netlayer = stub_mbuf_create_netlayer,
+ .mpo_mbuf_create_from_firewall = stub_mbuf_create_from_firewall,
+ .mpo_ipq_match = stub_ipq_match,
+ .mpo_netinet_icmp_reply = stub_netinet_icmp_reply,
+ .mpo_netinet_tcp_reply = stub_netinet_tcp_reply,
+ .mpo_ifnet_relabel = stub_ifnet_relabel,
+ .mpo_ipq_update = stub_ipq_update,
.mpo_inpcb_sosetlabel = stub_inpcb_sosetlabel,
- .mpo_execve_transition = stub_execve_transition,
- .mpo_execve_will_transition = stub_execve_will_transition,
- .mpo_create_proc0 = stub_create_proc0,
- .mpo_create_proc1 = stub_create_proc1,
- .mpo_relabel_cred = stub_relabel_cred,
+ .mpo_vnode_execve_transition = stub_vnode_execve_transition,
+ .mpo_vnode_execve_will_transition = stub_vnode_execve_will_transition,
+ .mpo_proc_create_swapper = stub_proc_create_swapper,
+ .mpo_proc_create_init = stub_proc_create_init,
+ .mpo_cred_relabel= stub_cred_relabel,
.mpo_thread_userret = stub_thread_userret,
- .mpo_cleanup_sysv_msgmsg = stub_cleanup_sysv_msgmsg,
- .mpo_cleanup_sysv_msgqueue = stub_cleanup_sysv_msgqueue,
- .mpo_cleanup_sysv_sem = stub_cleanup_sysv_sem,
- .mpo_cleanup_sysv_shm = stub_cleanup_sysv_shm,
- .mpo_check_bpfdesc_receive = stub_check_bpfdesc_receive,
- .mpo_check_cred_relabel = stub_check_cred_relabel,
- .mpo_check_cred_visible = stub_check_cred_visible,
- .mpo_check_ifnet_relabel = stub_check_ifnet_relabel,
- .mpo_check_ifnet_transmit = stub_check_ifnet_transmit,
- .mpo_check_inpcb_deliver = stub_check_inpcb_deliver,
- .mpo_check_sysv_msgmsq = stub_check_sysv_msgmsq,
- .mpo_check_sysv_msgrcv = stub_check_sysv_msgrcv,
- .mpo_check_sysv_msgrmid = stub_check_sysv_msgrmid,
- .mpo_check_sysv_msqget = stub_check_sysv_msqget,
- .mpo_check_sysv_msqsnd = stub_check_sysv_msqsnd,
- .mpo_check_sysv_msqrcv = stub_check_sysv_msqrcv,
- .mpo_check_sysv_msqctl = stub_check_sysv_msqctl,
- .mpo_check_sysv_semctl = stub_check_sysv_semctl,
- .mpo_check_sysv_semget = stub_check_sysv_semget,
- .mpo_check_sysv_semop = stub_check_sysv_semop,
- .mpo_check_sysv_shmat = stub_check_sysv_shmat,
- .mpo_check_sysv_shmctl = stub_check_sysv_shmctl,
- .mpo_check_sysv_shmdt = stub_check_sysv_shmdt,
- .mpo_check_sysv_shmget = stub_check_sysv_shmget,
- .mpo_check_kenv_dump = stub_check_kenv_dump,
- .mpo_check_kenv_get = stub_check_kenv_get,
- .mpo_check_kenv_set = stub_check_kenv_set,
- .mpo_check_kenv_unset = stub_check_kenv_unset,
- .mpo_check_kld_load = stub_check_kld_load,
- .mpo_check_kld_stat = stub_check_kld_stat,
- .mpo_check_mount_stat = stub_check_mount_stat,
- .mpo_check_pipe_ioctl = stub_check_pipe_ioctl,
- .mpo_check_pipe_poll = stub_check_pipe_poll,
- .mpo_check_pipe_read = stub_check_pipe_read,
- .mpo_check_pipe_relabel = stub_check_pipe_relabel,
- .mpo_check_pipe_stat = stub_check_pipe_stat,
- .mpo_check_pipe_write = stub_check_pipe_write,
- .mpo_check_posix_sem_destroy = stub_check_posix_sem_destroy,
- .mpo_check_posix_sem_getvalue = stub_check_posix_sem_getvalue,
- .mpo_check_posix_sem_open = stub_check_posix_sem_open,
- .mpo_check_posix_sem_post = stub_check_posix_sem_post,
- .mpo_check_posix_sem_unlink = stub_check_posix_sem_unlink,
- .mpo_check_posix_sem_wait = stub_check_posix_sem_wait,
- .mpo_check_proc_debug = stub_check_proc_debug,
- .mpo_check_proc_sched = stub_check_proc_sched,
- .mpo_check_proc_setaudit = stub_check_proc_setaudit,
- .mpo_check_proc_setaudit_addr = stub_check_proc_setaudit_addr,
- .mpo_check_proc_setauid = stub_check_proc_setauid,
- .mpo_check_proc_setuid = stub_check_proc_setuid,
- .mpo_check_proc_seteuid = stub_check_proc_seteuid,
- .mpo_check_proc_setgid = stub_check_proc_setgid,
- .mpo_check_proc_setegid = stub_check_proc_setegid,
- .mpo_check_proc_setgroups = stub_check_proc_setgroups,
- .mpo_check_proc_setreuid = stub_check_proc_setreuid,
- .mpo_check_proc_setregid = stub_check_proc_setregid,
- .mpo_check_proc_setresuid = stub_check_proc_setresuid,
- .mpo_check_proc_setresgid = stub_check_proc_setresgid,
- .mpo_check_proc_signal = stub_check_proc_signal,
- .mpo_check_proc_wait = stub_check_proc_wait,
- .mpo_check_socket_accept = stub_check_socket_accept,
- .mpo_check_socket_bind = stub_check_socket_bind,
- .mpo_check_socket_connect = stub_check_socket_connect,
- .mpo_check_socket_create = stub_check_socket_create,
- .mpo_check_socket_deliver = stub_check_socket_deliver,
- .mpo_check_socket_listen = stub_check_socket_listen,
- .mpo_check_socket_poll = stub_check_socket_poll,
- .mpo_check_socket_receive = stub_check_socket_receive,
- .mpo_check_socket_relabel = stub_check_socket_relabel,
- .mpo_check_socket_send = stub_check_socket_send,
- .mpo_check_socket_stat = stub_check_socket_stat,
- .mpo_check_socket_visible = stub_check_socket_visible,
- .mpo_check_system_acct = stub_check_system_acct,
- .mpo_check_system_audit = stub_check_system_audit,
- .mpo_check_system_auditctl = stub_check_system_auditctl,
- .mpo_check_system_auditon = stub_check_system_auditon,
- .mpo_check_system_reboot = stub_check_system_reboot,
- .mpo_check_system_swapoff = stub_check_system_swapoff,
- .mpo_check_system_swapon = stub_check_system_swapon,
- .mpo_check_system_sysctl = stub_check_system_sysctl,
- .mpo_check_vnode_access = stub_check_vnode_access,
- .mpo_check_vnode_chdir = stub_check_vnode_chdir,
- .mpo_check_vnode_chroot = stub_check_vnode_chroot,
- .mpo_check_vnode_create = stub_check_vnode_create,
- .mpo_check_vnode_deleteacl = stub_check_vnode_deleteacl,
- .mpo_check_vnode_deleteextattr = stub_check_vnode_deleteextattr,
- .mpo_check_vnode_exec = stub_check_vnode_exec,
- .mpo_check_vnode_getacl = stub_check_vnode_getacl,
- .mpo_check_vnode_getextattr = stub_check_vnode_getextattr,
- .mpo_check_vnode_link = stub_check_vnode_link,
- .mpo_check_vnode_listextattr = stub_check_vnode_listextattr,
- .mpo_check_vnode_lookup = stub_check_vnode_lookup,
- .mpo_check_vnode_mmap = stub_check_vnode_mmap,
- .mpo_check_vnode_mmap_downgrade = stub_check_vnode_mmap_downgrade,
- .mpo_check_vnode_mprotect = stub_check_vnode_mprotect,
- .mpo_check_vnode_open = stub_check_vnode_open,
- .mpo_check_vnode_poll = stub_check_vnode_poll,
- .mpo_check_vnode_read = stub_check_vnode_read,
- .mpo_check_vnode_readdir = stub_check_vnode_readdir,
- .mpo_check_vnode_readlink = stub_check_vnode_readlink,
- .mpo_check_vnode_relabel = stub_check_vnode_relabel,
- .mpo_check_vnode_rename_from = stub_check_vnode_rename_from,
- .mpo_check_vnode_rename_to = stub_check_vnode_rename_to,
- .mpo_check_vnode_revoke = stub_check_vnode_revoke,
- .mpo_check_vnode_setacl = stub_check_vnode_setacl,
- .mpo_check_vnode_setextattr = stub_check_vnode_setextattr,
- .mpo_check_vnode_setflags = stub_check_vnode_setflags,
- .mpo_check_vnode_setmode = stub_check_vnode_setmode,
- .mpo_check_vnode_setowner = stub_check_vnode_setowner,
- .mpo_check_vnode_setutimes = stub_check_vnode_setutimes,
- .mpo_check_vnode_stat = stub_check_vnode_stat,
- .mpo_check_vnode_unlink = stub_check_vnode_unlink,
- .mpo_check_vnode_write = stub_check_vnode_write,
+ .mpo_sysvmsg_cleanup = stub_sysvmsg_cleanup,
+ .mpo_sysvmsq_cleanup = stub_sysvmsq_cleanup,
+ .mpo_sysvsem_cleanup = stub_sysvsem_cleanup,
+ .mpo_sysvshm_cleanup = stub_sysvshm_cleanup,
+ .mpo_bpfdesc_check_receive = stub_bpfdesc_check_receive,
+ .mpo_cred_check_relabel = stub_cred_check_relabel,
+ .mpo_cred_check_visible = stub_cred_check_visible,
+ .mpo_ifnet_check_relabel = stub_ifnet_check_relabel,
+ .mpo_ifnet_check_transmit = stub_ifnet_check_transmit,
+ .mpo_inpcb_check_deliver = stub_inpcb_check_deliver,
+ .mpo_sysvmsq_check_msgmsq = stub_sysvmsq_check_msgmsq,
+ .mpo_sysvmsq_check_msgrcv = stub_sysvmsq_check_msgrcv,
+ .mpo_sysvmsq_check_msgrmid = stub_sysvmsq_check_msgrmid,
+ .mpo_sysvmsq_check_msqget = stub_sysvmsq_check_msqget,
+ .mpo_sysvmsq_check_msqsnd = stub_sysvmsq_check_msqsnd,
+ .mpo_sysvmsq_check_msqrcv = stub_sysvmsq_check_msqrcv,
+ .mpo_sysvmsq_check_msqctl = stub_sysvmsq_check_msqctl,
+ .mpo_sysvsem_check_semctl = stub_sysvsem_check_semctl,
+ .mpo_sysvsem_check_semget = stub_sysvsem_check_semget,
+ .mpo_sysvsem_check_semop = stub_sysvsem_check_semop,
+ .mpo_sysvshm_check_shmat = stub_sysvshm_check_shmat,
+ .mpo_sysvshm_check_shmctl = stub_sysvshm_check_shmctl,
+ .mpo_sysvshm_check_shmdt = stub_sysvshm_check_shmdt,
+ .mpo_sysvshm_check_shmget = stub_sysvshm_check_shmget,
+ .mpo_kenv_check_dump = stub_kenv_check_dump,
+ .mpo_kenv_check_get = stub_kenv_check_get,
+ .mpo_kenv_check_set = stub_kenv_check_set,
+ .mpo_kenv_check_unset = stub_kenv_check_unset,
+ .mpo_kld_check_load = stub_kld_check_load,
+ .mpo_kld_check_stat = stub_kld_check_stat,
+ .mpo_mount_check_stat = stub_mount_check_stat,
+ .mpo_pipe_check_ioctl = stub_pipe_check_ioctl,
+ .mpo_pipe_check_poll = stub_pipe_check_poll,
+ .mpo_pipe_check_read = stub_pipe_check_read,
+ .mpo_pipe_check_relabel = stub_pipe_check_relabel,
+ .mpo_pipe_check_stat = stub_pipe_check_stat,
+ .mpo_pipe_check_write = stub_pipe_check_write,
+ .mpo_posixsem_check_destroy = stub_posixsem_check_destroy,
+ .mpo_posixsem_check_getvalue = stub_posixsem_check_getvalue,
+ .mpo_posixsem_check_open = stub_posixsem_check_open,
+ .mpo_posixsem_check_post = stub_posixsem_check_post,
+ .mpo_posixsem_check_unlink = stub_posixsem_check_unlink,
+ .mpo_posixsem_check_wait = stub_posixsem_check_wait,
+ .mpo_proc_check_debug = stub_proc_check_debug,
+ .mpo_proc_check_sched = stub_proc_check_sched,
+ .mpo_proc_check_setaudit = stub_proc_check_setaudit,
+ .mpo_proc_check_setaudit_addr = stub_proc_check_setaudit_addr,
+ .mpo_proc_check_setauid = stub_proc_check_setauid,
+ .mpo_proc_check_setuid = stub_proc_check_setuid,
+ .mpo_proc_check_seteuid = stub_proc_check_seteuid,
+ .mpo_proc_check_setgid = stub_proc_check_setgid,
+ .mpo_proc_check_setegid = stub_proc_check_setegid,
+ .mpo_proc_check_setgroups = stub_proc_check_setgroups,
+ .mpo_proc_check_setreuid = stub_proc_check_setreuid,
+ .mpo_proc_check_setregid = stub_proc_check_setregid,
+ .mpo_proc_check_setresuid = stub_proc_check_setresuid,
+ .mpo_proc_check_setresgid = stub_proc_check_setresgid,
+ .mpo_proc_check_signal = stub_proc_check_signal,
+ .mpo_proc_check_wait = stub_proc_check_wait,
+ .mpo_socket_check_accept = stub_socket_check_accept,
+ .mpo_socket_check_bind = stub_socket_check_bind,
+ .mpo_socket_check_connect = stub_socket_check_connect,
+ .mpo_socket_check_create = stub_socket_check_create,
+ .mpo_socket_check_deliver = stub_socket_check_deliver,
+ .mpo_socket_check_listen = stub_socket_check_listen,
+ .mpo_socket_check_poll = stub_socket_check_poll,
+ .mpo_socket_check_receive = stub_socket_check_receive,
+ .mpo_socket_check_relabel = stub_socket_check_relabel,
+ .mpo_socket_check_send = stub_socket_check_send,
+ .mpo_socket_check_stat = stub_socket_check_stat,
+ .mpo_socket_check_visible = stub_socket_check_visible,
+ .mpo_system_check_acct = stub_system_check_acct,
+ .mpo_system_check_audit = stub_system_check_audit,
+ .mpo_system_check_auditctl = stub_system_check_auditctl,
+ .mpo_system_check_auditon = stub_system_check_auditon,
+ .mpo_system_check_reboot = stub_system_check_reboot,
+ .mpo_system_check_swapoff = stub_system_check_swapoff,
+ .mpo_system_check_swapon = stub_system_check_swapon,
+ .mpo_system_check_sysctl = stub_system_check_sysctl,
+ .mpo_vnode_check_access = stub_vnode_check_access,
+ .mpo_vnode_check_chdir = stub_vnode_check_chdir,
+ .mpo_vnode_check_chroot = stub_vnode_check_chroot,
+ .mpo_vnode_check_create = stub_vnode_check_create,
+ .mpo_vnode_check_deleteacl = stub_vnode_check_deleteacl,
+ .mpo_vnode_check_deleteextattr = stub_vnode_check_deleteextattr,
+ .mpo_vnode_check_exec = stub_vnode_check_exec,
+ .mpo_vnode_check_getacl = stub_vnode_check_getacl,
+ .mpo_vnode_check_getextattr = stub_vnode_check_getextattr,
+ .mpo_vnode_check_link = stub_vnode_check_link,
+ .mpo_vnode_check_listextattr = stub_vnode_check_listextattr,
+ .mpo_vnode_check_lookup = stub_vnode_check_lookup,
+ .mpo_vnode_check_mmap = stub_vnode_check_mmap,
+ .mpo_vnode_check_mmap_downgrade = stub_vnode_check_mmap_downgrade,
+ .mpo_vnode_check_mprotect = stub_vnode_check_mprotect,
+ .mpo_vnode_check_open = stub_vnode_check_open,
+ .mpo_vnode_check_poll = stub_vnode_check_poll,
+ .mpo_vnode_check_read = stub_vnode_check_read,
+ .mpo_vnode_check_readdir = stub_vnode_check_readdir,
+ .mpo_vnode_check_readlink = stub_vnode_check_readlink,
+ .mpo_vnode_check_relabel = stub_vnode_check_relabel,
+ .mpo_vnode_check_rename_from = stub_vnode_check_rename_from,
+ .mpo_vnode_check_rename_to = stub_vnode_check_rename_to,
+ .mpo_vnode_check_revoke = stub_vnode_check_revoke,
+ .mpo_vnode_check_setacl = stub_vnode_check_setacl,
+ .mpo_vnode_check_setextattr = stub_vnode_check_setextattr,
+ .mpo_vnode_check_setflags = stub_vnode_check_setflags,
+ .mpo_vnode_check_setmode = stub_vnode_check_setmode,
+ .mpo_vnode_check_setowner = stub_vnode_check_setowner,
+ .mpo_vnode_check_setutimes = stub_vnode_check_setutimes,
+ .mpo_vnode_check_stat = stub_vnode_check_stat,
+ .mpo_vnode_check_unlink = stub_vnode_check_unlink,
+ .mpo_vnode_check_write = stub_vnode_check_write,
.mpo_priv_check = stub_priv_check,
.mpo_priv_grant = stub_priv_grant,
.mpo_init_syncache_label = stub_init_label_waitcheck,
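Review bot: `.mpo_cred_relabel= stub_cred_relabel,` is missing the space before `=` that every other initializer in this table has; it should read `.mpo_cred_relabel = stub_cred_relabel,`. The table also keeps `.mpo_associate_nfsd_label`, `.mpo_create_mbuf_linklayer` and `.mpo_init_syncache_label` in the old verb-first form. If these are deferred to a later commit in the series, a one-line comment such as `/* not yet converted to <object>_<method> naming */` would stop policy authors who copy this table from mixing the two schemes. The `mac_stub_ops` initializer begins before this hunk and continues past it, so entries outside the visible lines were not checked.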
diff --git a/sys/security/mac_test/mac_test.c b/sys/security/mac_test/mac_test.c
index 4947cdc..c7eaaad 100644
--- a/sys/security/mac_test/mac_test.c
+++ b/sys/security/mac_test/mac_test.c
@@ -1,6 +1,7 @@
/*-
* Copyright (c) 1999-2002, 2007 Robert N. M. Watson
* Copyright (c) 2001-2005 McAfee, Inc.
+ * Copyright (c) 2006 SPARTA, Inc.
* All rights reserved.
*
* This software was developed by Robert Watson for the TrustedBSD Project.
@@ -10,6 +11,9 @@
* DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA
* CHATS research program.
*
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract
+ * N66001-04-C-6019 ("SEFOS").
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -146,287 +150,287 @@ SYSCTL_NODE(_security_mac_test, OID_AUTO, counter, CTLFLAG_RW, 0,
/*
* Label operations.
*/
-COUNTER_DECL(init_bpfdesc_label);
+COUNTER_DECL(bpfdesc_init_label);
static void
-mac_test_init_bpfdesc_label(struct label *label)
+mac_test_bpfdesc_init_label(struct label *label)
{
LABEL_INIT(label, MAGIC_BPF);
- COUNTER_INC(init_bpfdesc_label);
+ COUNTER_INC(bpfdesc_init_label);
}
-COUNTER_DECL(init_cred_label);
+COUNTER_DECL(cred_init_label);
static void
-mac_test_init_cred_label(struct label *label)
+mac_test_cred_init_label(struct label *label)
{
LABEL_INIT(label, MAGIC_CRED);
- COUNTER_INC(init_cred_label);
+ COUNTER_INC(cred_init_label);
}
-COUNTER_DECL(init_devfs_label);
+COUNTER_DECL(devfs_init_label);
static void
-mac_test_init_devfs_label(struct label *label)
+mac_test_devfs_init_label(struct label *label)
{
LABEL_INIT(label, MAGIC_DEVFS);
- COUNTER_INC(init_devfs_label);
+ COUNTER_INC(devfs_init_label);
}
-COUNTER_DECL(init_ifnet_label);
+COUNTER_DECL(ifnet_init_label);
static void
-mac_test_init_ifnet_label(struct label *label)
+mac_test_ifnet_init_label(struct label *label)
{
LABEL_INIT(label, MAGIC_IFNET);
- COUNTER_INC(init_ifnet_label);
+ COUNTER_INC(ifnet_init_label);
}
-COUNTER_DECL(init_inpcb_label);
+COUNTER_DECL(inpcb_init_label);
static int
-mac_test_init_inpcb_label(struct label *label, int flag)
+mac_test_inpcb_init_label(struct label *label, int flag)
{
if (flag & M_WAITOK)
WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
- "mac_test_init_inpcb_label() at %s:%d", __FILE__,
+ "mac_test_inpcb_init_label() at %s:%d", __FILE__,
__LINE__);
LABEL_INIT(label, MAGIC_INPCB);
- COUNTER_INC(init_inpcb_label);
+ COUNTER_INC(inpcb_init_label);
return (0);
}
-COUNTER_DECL(init_sysv_msg_label);
+COUNTER_DECL(sysvmsg_init_label);
static void
-mac_test_init_sysv_msgmsg_label(struct label *label)
+mac_test_sysvmsg_init_label(struct label *label)
{
LABEL_INIT(label, MAGIC_SYSV_MSG);
- COUNTER_INC(init_sysv_msg_label);
+ COUNTER_INC(sysvmsg_init_label);
}
-COUNTER_DECL(init_sysv_msq_label);
+COUNTER_DECL(sysvmsq_init_label);
static void
-mac_test_init_sysv_msgqueue_label(struct label *label)
+mac_test_sysvmsq_init_label(struct label *label)
{
LABEL_INIT(label, MAGIC_SYSV_MSQ);
- COUNTER_INC(init_sysv_msq_label);
+ COUNTER_INC(sysvmsq_init_label);
}
-COUNTER_DECL(init_sysv_sem_label);
+COUNTER_DECL(sysvsem_init_label);
static void
-mac_test_init_sysv_sem_label(struct label *label)
+mac_test_sysvsem_init_label(struct label *label)
{
LABEL_INIT(label, MAGIC_SYSV_SEM);
- COUNTER_INC(init_sysv_sem_label);
+ COUNTER_INC(sysvsem_init_label);
}
-COUNTER_DECL(init_sysv_shm_label);
+COUNTER_DECL(sysvshm_init_label);
static void
-mac_test_init_sysv_shm_label(struct label *label)
+mac_test_sysvshm_init_label(struct label *label)
{
LABEL_INIT(label, MAGIC_SYSV_SHM);
- COUNTER_INC(init_sysv_shm_label);
+ COUNTER_INC(sysvshm_init_label);
}
-COUNTER_DECL(init_ipq_label);
+COUNTER_DECL(ipq_init_label);
static int
-mac_test_init_ipq_label(struct label *label, int flag)
+mac_test_ipq_init_label(struct label *label, int flag)
{
if (flag & M_WAITOK)
WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
- "mac_test_init_ipq_label() at %s:%d", __FILE__,
+ "mac_test_ipq_init_label() at %s:%d", __FILE__,
__LINE__);
LABEL_INIT(label, MAGIC_IPQ);
- COUNTER_INC(init_ipq_label);
+ COUNTER_INC(ipq_init_label);
return (0);
}
-COUNTER_DECL(init_mbuf_label);
+COUNTER_DECL(mbuf_init_label);
static int
-mac_test_init_mbuf_label(struct label *label, int flag)
+mac_test_mbuf_init_label(struct label *label, int flag)
{
if (flag & M_WAITOK)
WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
- "mac_test_init_mbuf_label() at %s:%d", __FILE__,
+ "mac_test_mbuf_init_label() at %s:%d", __FILE__,
__LINE__);
LABEL_INIT(label, MAGIC_MBUF);
- COUNTER_INC(init_mbuf_label);
+ COUNTER_INC(mbuf_init_label);
return (0);
}
-COUNTER_DECL(init_mount_label);
+COUNTER_DECL(mount_init_label);
static void
-mac_test_init_mount_label(struct label *label)
+mac_test_mount_init_label(struct label *label)
{
LABEL_INIT(label, MAGIC_MOUNT);
- COUNTER_INC(init_mount_label);
+ COUNTER_INC(mount_init_label);
}
-COUNTER_DECL(init_socket_label);
+COUNTER_DECL(socket_init_label);
static int
-mac_test_init_socket_label(struct label *label, int flag)
+mac_test_socket_init_label(struct label *label, int flag)
{
if (flag & M_WAITOK)
WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
- "mac_test_init_socket_label() at %s:%d", __FILE__,
+ "mac_test_socket_init_label() at %s:%d", __FILE__,
__LINE__);
LABEL_INIT(label, MAGIC_SOCKET);
- COUNTER_INC(init_socket_label);
+ COUNTER_INC(socket_init_label);
return (0);
}
-COUNTER_DECL(init_socket_peer_label);
+COUNTER_DECL(socketpeer_init_label);
static int
-mac_test_init_socket_peer_label(struct label *label, int flag)
+mac_test_socketpeer_init_label(struct label *label, int flag)
{
if (flag & M_WAITOK)
WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
- "mac_test_init_socket_peer_label() at %s:%d", __FILE__,
+ "mac_test_socketpeer_init_label() at %s:%d", __FILE__,
__LINE__);
LABEL_INIT(label, MAGIC_SOCKET);
- COUNTER_INC(init_socket_peer_label);
+ COUNTER_INC(socketpeer_init_label);
return (0);
}
-COUNTER_DECL(init_pipe_label);
+COUNTER_DECL(pipe_init_label);
static void
-mac_test_init_pipe_label(struct label *label)
+mac_test_pipe_init_label(struct label *label)
{
LABEL_INIT(label, MAGIC_PIPE);
- COUNTER_INC(init_pipe_label);
+ COUNTER_INC(pipe_init_label);
}
-COUNTER_DECL(init_posix_sem_label);
+COUNTER_DECL(posixsem_init_label);
static void
-mac_test_init_posix_sem_label(struct label *label)
+mac_test_posixsem_init_label(struct label *label)
{
LABEL_INIT(label, MAGIC_POSIX_SEM);
- COUNTER_INC(init_posix_sem_label);
+ COUNTER_INC(posixsem_init_label);
}
-COUNTER_DECL(init_proc_label);
+COUNTER_DECL(proc_init_label);
static void
-mac_test_init_proc_label(struct label *label)
+mac_test_proc_init_label(struct label *label)
{
LABEL_INIT(label, MAGIC_PROC);
- COUNTER_INC(init_proc_label);
+ COUNTER_INC(proc_init_label);
}
-COUNTER_DECL(init_vnode_label);
+COUNTER_DECL(vnode_init_label);
static void
-mac_test_init_vnode_label(struct label *label)
+mac_test_vnode_init_label(struct label *label)
{
LABEL_INIT(label, MAGIC_VNODE);
- COUNTER_INC(init_vnode_label);
+ COUNTER_INC(vnode_init_label);
}
-COUNTER_DECL(destroy_bpfdesc_label);
+COUNTER_DECL(bpfdesc_destroy_label);
static void
-mac_test_destroy_bpfdesc_label(struct label *label)
+mac_test_bpfdesc_destroy_label(struct label *label)
{
LABEL_DESTROY(label, MAGIC_BPF);
- COUNTER_INC(destroy_bpfdesc_label);
+ COUNTER_INC(bpfdesc_destroy_label);
}
-COUNTER_DECL(destroy_cred_label);
+COUNTER_DECL(cred_destroy_label);
static void
-mac_test_destroy_cred_label(struct label *label)
+mac_test_cred_destroy_label(struct label *label)
{
LABEL_DESTROY(label, MAGIC_CRED);
- COUNTER_INC(destroy_cred_label);
+ COUNTER_INC(cred_destroy_label);
}
-COUNTER_DECL(destroy_devfs_label);
+COUNTER_DECL(devfs_destroy_label);
static void
-mac_test_destroy_devfs_label(struct label *label)
+mac_test_devfs_destroy_label(struct label *label)
{
LABEL_DESTROY(label, MAGIC_DEVFS);
- COUNTER_INC(destroy_devfs_label);
+ COUNTER_INC(devfs_destroy_label);
}
-COUNTER_DECL(destroy_ifnet_label);
+COUNTER_DECL(ifnet_destroy_label);
static void
-mac_test_destroy_ifnet_label(struct label *label)
+mac_test_ifnet_destroy_label(struct label *label)
{
LABEL_DESTROY(label, MAGIC_IFNET);
- COUNTER_INC(destroy_ifnet_label);
+ COUNTER_INC(ifnet_destroy_label);
}
-COUNTER_DECL(destroy_inpcb_label);
+COUNTER_DECL(inpcb_destroy_label);
static void
-mac_test_destroy_inpcb_label(struct label *label)
+mac_test_inpcb_destroy_label(struct label *label)
{
LABEL_DESTROY(label, MAGIC_INPCB);
- COUNTER_INC(destroy_inpcb_label);
+ COUNTER_INC(inpcb_destroy_label);
}
-COUNTER_DECL(destroy_sysv_msg_label);
+COUNTER_DECL(sysvmsg_destroy_label);
static void
-mac_test_destroy_sysv_msgmsg_label(struct label *label)
+mac_test_sysvmsg_destroy_label(struct label *label)
{
LABEL_DESTROY(label, MAGIC_SYSV_MSG);
- COUNTER_INC(destroy_sysv_msg_label);
+ COUNTER_INC(sysvmsg_destroy_label);
}
-COUNTER_DECL(destroy_sysv_msq_label);
+COUNTER_DECL(sysvmsq_destroy_label);
static void
-mac_test_destroy_sysv_msgqueue_label(struct label *label)
+mac_test_sysvmsq_destroy_label(struct label *label)
{
LABEL_DESTROY(label, MAGIC_SYSV_MSQ);
- COUNTER_INC(destroy_sysv_msq_label);
+ COUNTER_INC(sysvmsq_destroy_label);
}
-COUNTER_DECL(destroy_sysv_sem_label);
+COUNTER_DECL(sysvsem_destroy_label);
static void
-mac_test_destroy_sysv_sem_label(struct label *label)
+mac_test_sysvsem_destroy_label(struct label *label)
{
LABEL_DESTROY(label, MAGIC_SYSV_SEM);
- COUNTER_INC(destroy_sysv_sem_label);
+ COUNTER_INC(sysvsem_destroy_label);
}
-COUNTER_DECL(destroy_sysv_shm_label);
+COUNTER_DECL(sysvshm_destroy_label);
static void
-mac_test_destroy_sysv_shm_label(struct label *label)
+mac_test_sysvshm_destroy_label(struct label *label)
{
LABEL_DESTROY(label, MAGIC_SYSV_SHM);
- COUNTER_INC(destroy_sysv_shm_label);
+ COUNTER_INC(sysvshm_destroy_label);
}
-COUNTER_DECL(destroy_ipq_label);
+COUNTER_DECL(ipq_destroy_label);
static void
-mac_test_destroy_ipq_label(struct label *label)
+mac_test_ipq_destroy_label(struct label *label)
{
LABEL_DESTROY(label, MAGIC_IPQ);
- COUNTER_INC(destroy_ipq_label);
+ COUNTER_INC(ipq_destroy_label);
}
-COUNTER_DECL(destroy_mbuf_label);
+COUNTER_DECL(mbuf_destroy_label);
static void
-mac_test_destroy_mbuf_label(struct label *label)
+mac_test_mbuf_destroy_label(struct label *label)
{
/*
@@ -438,130 +442,130 @@ mac_test_destroy_mbuf_label(struct label *label)
return;
LABEL_DESTROY(label, MAGIC_MBUF);
- COUNTER_INC(destroy_mbuf_label);
+ COUNTER_INC(mbuf_destroy_label);
}
-COUNTER_DECL(destroy_mount_label);
+COUNTER_DECL(mount_destroy_label);
static void
-mac_test_destroy_mount_label(struct label *label)
+mac_test_mount_destroy_label(struct label *label)
{
LABEL_DESTROY(label, MAGIC_MOUNT);
- COUNTER_INC(destroy_mount_label);
+ COUNTER_INC(mount_destroy_label);
}
-COUNTER_DECL(destroy_socket_label);
+COUNTER_DECL(socket_destroy_label);
static void
-mac_test_destroy_socket_label(struct label *label)
+mac_test_socket_destroy_label(struct label *label)
{
LABEL_DESTROY(label, MAGIC_SOCKET);
- COUNTER_INC(destroy_socket_label);
+ COUNTER_INC(socket_destroy_label);
}
-COUNTER_DECL(destroy_socket_peer_label);
+COUNTER_DECL(socketpeer_destroy_label);
static void
-mac_test_destroy_socket_peer_label(struct label *label)
+mac_test_socketpeer_destroy_label(struct label *label)
{
LABEL_DESTROY(label, MAGIC_SOCKET);
- COUNTER_INC(destroy_socket_peer_label);
+ COUNTER_INC(socketpeer_destroy_label);
}
-COUNTER_DECL(destroy_pipe_label);
+COUNTER_DECL(pipe_destroy_label);
static void
-mac_test_destroy_pipe_label(struct label *label)
+mac_test_pipe_destroy_label(struct label *label)
{
LABEL_DESTROY(label, MAGIC_PIPE);
- COUNTER_INC(destroy_pipe_label);
+ COUNTER_INC(pipe_destroy_label);
}
-COUNTER_DECL(destroy_posix_sem_label);
+COUNTER_DECL(posixsem_destroy_label);
static void
-mac_test_destroy_posix_sem_label(struct label *label)
+mac_test_posixsem_destroy_label(struct label *label)
{
LABEL_DESTROY(label, MAGIC_POSIX_SEM);
- COUNTER_INC(destroy_posix_sem_label);
+ COUNTER_INC(posixsem_destroy_label);
}
-COUNTER_DECL(destroy_proc_label);
+COUNTER_DECL(proc_destroy_label);
static void
-mac_test_destroy_proc_label(struct label *label)
+mac_test_proc_destroy_label(struct label *label)
{
LABEL_DESTROY(label, MAGIC_PROC);
- COUNTER_INC(destroy_proc_label);
+ COUNTER_INC(proc_destroy_label);
}
-COUNTER_DECL(destroy_vnode_label);
+COUNTER_DECL(vnode_destroy_label);
static void
-mac_test_destroy_vnode_label(struct label *label)
+mac_test_vnode_destroy_label(struct label *label)
{
LABEL_DESTROY(label, MAGIC_VNODE);
- COUNTER_INC(destroy_vnode_label);
+ COUNTER_INC(vnode_destroy_label);
}
-COUNTER_DECL(copy_cred_label);
+COUNTER_DECL(cred_copy_label);
static void
-mac_test_copy_cred_label(struct label *src, struct label *dest)
+mac_test_cred_copy_label(struct label *src, struct label *dest)
{
LABEL_CHECK(src, MAGIC_CRED);
LABEL_CHECK(dest, MAGIC_CRED);
- COUNTER_INC(copy_cred_label);
+ COUNTER_INC(cred_copy_label);
}
-COUNTER_DECL(copy_ifnet_label);
+COUNTER_DECL(ifnet_copy_label);
static void
-mac_test_copy_ifnet_label(struct label *src, struct label *dest)
+mac_test_ifnet_copy_label(struct label *src, struct label *dest)
{
LABEL_CHECK(src, MAGIC_IFNET);
LABEL_CHECK(dest, MAGIC_IFNET);
- COUNTER_INC(copy_ifnet_label);
+ COUNTER_INC(ifnet_copy_label);
}
-COUNTER_DECL(copy_mbuf_label);
+COUNTER_DECL(mbuf_copy_label);
static void
-mac_test_copy_mbuf_label(struct label *src, struct label *dest)
+mac_test_mbuf_copy_label(struct label *src, struct label *dest)
{
LABEL_CHECK(src, MAGIC_MBUF);
LABEL_CHECK(dest, MAGIC_MBUF);
- COUNTER_INC(copy_mbuf_label);
+ COUNTER_INC(mbuf_copy_label);
}
-COUNTER_DECL(copy_pipe_label);
+COUNTER_DECL(pipe_copy_label);
static void
-mac_test_copy_pipe_label(struct label *src, struct label *dest)
+mac_test_pipe_copy_label(struct label *src, struct label *dest)
{
LABEL_CHECK(src, MAGIC_PIPE);
LABEL_CHECK(dest, MAGIC_PIPE);
- COUNTER_INC(copy_pipe_label);
+ COUNTER_INC(pipe_copy_label);
}
-COUNTER_DECL(copy_socket_label);
+COUNTER_DECL(socket_copy_label);
static void
-mac_test_copy_socket_label(struct label *src, struct label *dest)
+mac_test_socket_copy_label(struct label *src, struct label *dest)
{
LABEL_CHECK(src, MAGIC_SOCKET);
LABEL_CHECK(dest, MAGIC_SOCKET);
- COUNTER_INC(copy_socket_label);
+ COUNTER_INC(socket_copy_label);
}
-COUNTER_DECL(copy_vnode_label);
+COUNTER_DECL(vnode_copy_label);
static void
-mac_test_copy_vnode_label(struct label *src, struct label *dest)
+mac_test_vnode_copy_label(struct label *src, struct label *dest)
{
LABEL_CHECK(src, MAGIC_VNODE);
LABEL_CHECK(dest, MAGIC_VNODE);
- COUNTER_INC(copy_vnode_label);
+ COUNTER_INC(vnode_copy_label);
}
COUNTER_DECL(externalize_label);
@@ -592,9 +596,9 @@ mac_test_internalize_label(struct label *label, char *element_name,
* Labeling event operations: file system objects, and things that look
* a lot like file system objects.
*/
-COUNTER_DECL(associate_vnode_devfs);
+COUNTER_DECL(devfs_vnode_associate);
static void
-mac_test_associate_vnode_devfs(struct mount *mp, struct label *mplabel,
+mac_test_devfs_vnode_associate(struct mount *mp, struct label *mplabel,
struct devfs_dirent *de, struct label *delabel, struct vnode *vp,
struct label *vplabel)
{
@@ -602,58 +606,58 @@ mac_test_associate_vnode_devfs(struct mount *mp, struct label *mplabel,
LABEL_CHECK(mplabel, MAGIC_MOUNT);
LABEL_CHECK(delabel, MAGIC_DEVFS);
LABEL_CHECK(vplabel, MAGIC_VNODE);
- COUNTER_INC(associate_vnode_devfs);
+ COUNTER_INC(devfs_vnode_associate);
}
-COUNTER_DECL(associate_vnode_extattr);
+COUNTER_DECL(vnode_associate_extattr);
static int
-mac_test_associate_vnode_extattr(struct mount *mp, struct label *mplabel,
+mac_test_vnode_associate_extattr(struct mount *mp, struct label *mplabel,
struct vnode *vp, struct label *vplabel)
{
LABEL_CHECK(mplabel, MAGIC_MOUNT);
LABEL_CHECK(vplabel, MAGIC_VNODE);
- COUNTER_INC(associate_vnode_extattr);
+ COUNTER_INC(vnode_associate_extattr);
return (0);
}
-COUNTER_DECL(associate_vnode_singlelabel);
+COUNTER_DECL(vnode_associate_singlelabel);
static void
-mac_test_associate_vnode_singlelabel(struct mount *mp, struct label *mplabel,
+mac_test_vnode_associate_singlelabel(struct mount *mp, struct label *mplabel,
struct vnode *vp, struct label *vplabel)
{
LABEL_CHECK(mplabel, MAGIC_MOUNT);
LABEL_CHECK(vplabel, MAGIC_VNODE);
- COUNTER_INC(associate_vnode_singlelabel);
+ COUNTER_INC(vnode_associate_singlelabel);
}
-COUNTER_DECL(create_devfs_device);
+COUNTER_DECL(devfs_create_device);
static void
-mac_test_create_devfs_device(struct ucred *cred, struct mount *mp,
+mac_test_devfs_create_device(struct ucred *cred, struct mount *mp,
struct cdev *dev, struct devfs_dirent *de, struct label *delabel)
{
if (cred != NULL)
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(delabel, MAGIC_DEVFS);
- COUNTER_INC(create_devfs_device);
+ COUNTER_INC(devfs_create_device);
}
-COUNTER_DECL(create_devfs_directory);
+COUNTER_DECL(devfs_create_directory);
static void
-mac_test_create_devfs_directory(struct mount *mp, char *dirname,
+mac_test_devfs_create_directory(struct mount *mp, char *dirname,
int dirnamelen, struct devfs_dirent *de, struct label *delabel)
{
LABEL_CHECK(delabel, MAGIC_DEVFS);
- COUNTER_INC(create_devfs_directory);
+ COUNTER_INC(devfs_create_directory);
}
-COUNTER_DECL(create_devfs_symlink);
+COUNTER_DECL(devfs_create_symlink);
static void
-mac_test_create_devfs_symlink(struct ucred *cred, struct mount *mp,
+mac_test_devfs_create_symlink(struct ucred *cred, struct mount *mp,
struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de,
struct label *delabel)
{
@@ -661,12 +665,12 @@ mac_test_create_devfs_symlink(struct ucred *cred, struct mount *mp,
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(ddlabel, MAGIC_DEVFS);
LABEL_CHECK(delabel, MAGIC_DEVFS);
- COUNTER_INC(create_devfs_symlink);
+ COUNTER_INC(devfs_create_symlink);
}
-COUNTER_DECL(create_vnode_extattr);
+COUNTER_DECL(vnode_create_extattr);
static int
-mac_test_create_vnode_extattr(struct ucred *cred, struct mount *mp,
+mac_test_vnode_create_extattr(struct ucred *cred, struct mount *mp,
struct label *mplabel, struct vnode *dvp, struct label *dvplabel,
struct vnode *vp, struct label *vplabel, struct componentname *cnp)
{
@@ -674,281 +678,281 @@ mac_test_create_vnode_extattr(struct ucred *cred, struct mount *mp,
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(mplabel, MAGIC_MOUNT);
LABEL_CHECK(dvplabel, MAGIC_VNODE);
- COUNTER_INC(create_vnode_extattr);
+ COUNTER_INC(vnode_create_extattr);
return (0);
}
-COUNTER_DECL(create_mount);
+COUNTER_DECL(mount_create);
static void
-mac_test_create_mount(struct ucred *cred, struct mount *mp,
+mac_test_mount_create(struct ucred *cred, struct mount *mp,
struct label *mplabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(mplabel, MAGIC_MOUNT);
- COUNTER_INC(create_mount);
+ COUNTER_INC(mount_create);
}
-COUNTER_DECL(relabel_vnode);
+COUNTER_DECL(vnode_relabel);
static void
-mac_test_relabel_vnode(struct ucred *cred, struct vnode *vp,
+mac_test_vnode_relabel(struct ucred *cred, struct vnode *vp,
struct label *vplabel, struct label *label)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(vplabel, MAGIC_VNODE);
LABEL_CHECK(label, MAGIC_VNODE);
- COUNTER_INC(relabel_vnode);
+ COUNTER_INC(vnode_relabel);
}
-COUNTER_DECL(setlabel_vnode_extattr);
+COUNTER_DECL(vnode_setlabel_extattr);
static int
-mac_test_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
+mac_test_vnode_setlabel_extattr(struct ucred *cred, struct vnode *vp,
struct label *vplabel, struct label *intlabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(vplabel, MAGIC_VNODE);
LABEL_CHECK(intlabel, MAGIC_VNODE);
- COUNTER_INC(setlabel_vnode_extattr);
+ COUNTER_INC(vnode_setlabel_extattr);
return (0);
}
-COUNTER_DECL(update_devfs);
+COUNTER_DECL(devfs_update);
static void
-mac_test_update_devfs(struct mount *mp, struct devfs_dirent *devfs_dirent,
+mac_test_devfs_update(struct mount *mp, struct devfs_dirent *devfs_dirent,
struct label *direntlabel, struct vnode *vp, struct label *vplabel)
{
LABEL_CHECK(direntlabel, MAGIC_DEVFS);
LABEL_CHECK(vplabel, MAGIC_VNODE);
- COUNTER_INC(update_devfs);
+ COUNTER_INC(devfs_update);
}
/*
* Labeling event operations: IPC object.
*/
-COUNTER_DECL(create_mbuf_from_socket);
+COUNTER_DECL(socket_create_mbuf);
static void
-mac_test_create_mbuf_from_socket(struct socket *so, struct label *socketlabel,
+mac_test_socket_create_mbuf(struct socket *so, struct label *socketlabel,
struct mbuf *m, struct label *mbuflabel)
{
LABEL_CHECK(socketlabel, MAGIC_SOCKET);
LABEL_CHECK(mbuflabel, MAGIC_MBUF);
- COUNTER_INC(create_mbuf_from_socket);
+ COUNTER_INC(socket_create_mbuf);
}
-COUNTER_DECL(create_socket);
+COUNTER_DECL(socket_create);
static void
-mac_test_create_socket(struct ucred *cred, struct socket *socket,
+mac_test_socket_create(struct ucred *cred, struct socket *socket,
struct label *socketlabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(socketlabel, MAGIC_SOCKET);
- COUNTER_INC(create_socket);
+ COUNTER_INC(socket_create);
}
-COUNTER_DECL(create_pipe);
+COUNTER_DECL(pipe_create);
static void
-mac_test_create_pipe(struct ucred *cred, struct pipepair *pp,
+mac_test_pipe_create(struct ucred *cred, struct pipepair *pp,
struct label *pipelabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(pipelabel, MAGIC_PIPE);
- COUNTER_INC(create_pipe);
+ COUNTER_INC(pipe_create);
}
-COUNTER_DECL(create_posix_sem);
+COUNTER_DECL(posixsem_create);
static void
-mac_test_create_posix_sem(struct ucred *cred, struct ksem *ks,
+mac_test_posixsem_create(struct ucred *cred, struct ksem *ks,
struct label *kslabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(kslabel, MAGIC_POSIX_SEM);
- COUNTER_INC(create_posix_sem);
+ COUNTER_INC(posixsem_create);
}
-COUNTER_DECL(create_socket_from_socket);
+COUNTER_DECL(socket_newconn);
static void
-mac_test_create_socket_from_socket(struct socket *oldsocket,
+mac_test_socket_newconn(struct socket *oldsocket,
struct label *oldsocketlabel, struct socket *newsocket,
struct label *newsocketlabel)
{
LABEL_CHECK(oldsocketlabel, MAGIC_SOCKET);
LABEL_CHECK(newsocketlabel, MAGIC_SOCKET);
- COUNTER_INC(create_socket_from_socket);
+ COUNTER_INC(socket_newconn);
}
-COUNTER_DECL(relabel_socket);
+COUNTER_DECL(socket_relabel);
static void
-mac_test_relabel_socket(struct ucred *cred, struct socket *socket,
+mac_test_socket_relabel(struct ucred *cred, struct socket *socket,
struct label *socketlabel, struct label *newlabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(newlabel, MAGIC_SOCKET);
- COUNTER_INC(relabel_socket);
+ COUNTER_INC(socket_relabel);
}
-COUNTER_DECL(relabel_pipe);
+COUNTER_DECL(pipe_relabel);
static void
-mac_test_relabel_pipe(struct ucred *cred, struct pipepair *pp,
+mac_test_pipe_relabel(struct ucred *cred, struct pipepair *pp,
struct label *pipelabel, struct label *newlabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(pipelabel, MAGIC_PIPE);
LABEL_CHECK(newlabel, MAGIC_PIPE);
- COUNTER_INC(relabel_pipe);
+ COUNTER_INC(pipe_relabel);
}
-COUNTER_DECL(set_socket_peer_from_mbuf);
+COUNTER_DECL(socketpeer_set_from_mbuf);
static void
-mac_test_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct label *mbuflabel,
+mac_test_socketpeer_set_from_mbuf(struct mbuf *mbuf, struct label *mbuflabel,
struct socket *socket, struct label *socketpeerlabel)
{
LABEL_CHECK(mbuflabel, MAGIC_MBUF);
LABEL_CHECK(socketpeerlabel, MAGIC_SOCKET);
- COUNTER_INC(set_socket_peer_from_mbuf);
+ COUNTER_INC(socketpeer_set_from_mbuf);
}
/*
* Labeling event operations: network objects.
*/
-COUNTER_DECL(set_socket_peer_from_socket);
+COUNTER_DECL(socketpeer_set_from_socket);
static void
-mac_test_set_socket_peer_from_socket(struct socket *oldsocket,
+mac_test_socketpeer_set_from_socket(struct socket *oldsocket,
struct label *oldsocketlabel, struct socket *newsocket,
struct label *newsocketpeerlabel)
{
LABEL_CHECK(oldsocketlabel, MAGIC_SOCKET);
LABEL_CHECK(newsocketpeerlabel, MAGIC_SOCKET);
- COUNTER_INC(set_socket_peer_from_socket);
+ COUNTER_INC(socketpeer_set_from_socket);
}
-COUNTER_DECL(create_bpfdesc);
+COUNTER_DECL(bpfdesc_create);
static void
-mac_test_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d,
+mac_test_bpfdesc_create(struct ucred *cred, struct bpf_d *bpf_d,
struct label *bpflabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(bpflabel, MAGIC_BPF);
- COUNTER_INC(create_bpfdesc);
+ COUNTER_INC(bpfdesc_create);
}
-COUNTER_DECL(create_datagram_from_ipq);
+COUNTER_DECL(ipq_reassemble);
static void
-mac_test_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel,
+mac_test_ipq_reassemble(struct ipq *ipq, struct label *ipqlabel,
struct mbuf *datagram, struct label *datagramlabel)
{
LABEL_CHECK(ipqlabel, MAGIC_IPQ);
LABEL_CHECK(datagramlabel, MAGIC_MBUF);
- COUNTER_INC(create_datagram_from_ipq);
+ COUNTER_INC(ipq_reassemble);
}
-COUNTER_DECL(create_fragment);
+COUNTER_DECL(netinet_fragment);
static void
-mac_test_create_fragment(struct mbuf *datagram, struct label *datagramlabel,
+mac_test_netinet_fragment(struct mbuf *datagram, struct label *datagramlabel,
struct mbuf *fragment, struct label *fragmentlabel)
{
LABEL_CHECK(datagramlabel, MAGIC_MBUF);
LABEL_CHECK(fragmentlabel, MAGIC_MBUF);
- COUNTER_INC(create_fragment);
+ COUNTER_INC(netinet_fragment);
}
-COUNTER_DECL(create_ifnet);
+COUNTER_DECL(ifnet_create);
static void
-mac_test_create_ifnet(struct ifnet *ifnet, struct label *ifnetlabel)
+mac_test_ifnet_create(struct ifnet *ifnet, struct label *ifnetlabel)
{
LABEL_CHECK(ifnetlabel, MAGIC_IFNET);
- COUNTER_INC(create_ifnet);
+ COUNTER_INC(ifnet_create);
}
-COUNTER_DECL(create_inpcb_from_socket);
+COUNTER_DECL(inpcb_create);
static void
-mac_test_create_inpcb_from_socket(struct socket *so, struct label *solabel,
+mac_test_inpcb_create(struct socket *so, struct label *solabel,
struct inpcb *inp, struct label *inplabel)
{
LABEL_CHECK(solabel, MAGIC_SOCKET);
LABEL_CHECK(inplabel, MAGIC_INPCB);
- COUNTER_INC(create_inpcb_from_socket);
+ COUNTER_INC(inpcb_create);
}
-COUNTER_DECL(create_sysv_msgmsg);
+COUNTER_DECL(sysvmsg_create);
static void
-mac_test_create_sysv_msgmsg(struct ucred *cred, struct msqid_kernel *msqkptr,
+mac_test_sysvmsg_create(struct ucred *cred, struct msqid_kernel *msqkptr,
struct label *msqlabel, struct msg *msgptr, struct label *msglabel)
{
LABEL_CHECK(msglabel, MAGIC_SYSV_MSG);
LABEL_CHECK(msqlabel, MAGIC_SYSV_MSQ);
- COUNTER_INC(create_sysv_msgmsg);
+ COUNTER_INC(sysvmsg_create);
}
-COUNTER_DECL(create_sysv_msgqueue);
+COUNTER_DECL(sysvmsq_create);
static void
-mac_test_create_sysv_msgqueue(struct ucred *cred,
+mac_test_sysvmsq_create(struct ucred *cred,
struct msqid_kernel *msqkptr, struct label *msqlabel)
{
LABEL_CHECK(msqlabel, MAGIC_SYSV_MSQ);
- COUNTER_INC(create_sysv_msgqueue);
+ COUNTER_INC(sysvmsq_create);
}
-COUNTER_DECL(create_sysv_sem);
+COUNTER_DECL(sysvsem_create);
static void
-mac_test_create_sysv_sem(struct ucred *cred, struct semid_kernel *semakptr,
+mac_test_sysvsem_create(struct ucred *cred, struct semid_kernel *semakptr,
struct label *semalabel)
{
LABEL_CHECK(semalabel, MAGIC_SYSV_SEM);
- COUNTER_INC(create_sysv_sem);
+ COUNTER_INC(sysvsem_create);
}
-COUNTER_DECL(create_sysv_shm);
+COUNTER_DECL(sysvshm_create);
static void
-mac_test_create_sysv_shm(struct ucred *cred, struct shmid_kernel *shmsegptr,
+mac_test_sysvshm_create(struct ucred *cred, struct shmid_kernel *shmsegptr,
struct label *shmlabel)
{
LABEL_CHECK(shmlabel, MAGIC_SYSV_SHM);
- COUNTER_INC(create_sysv_shm);
+ COUNTER_INC(sysvshm_create);
}
-COUNTER_DECL(create_ipq);
+COUNTER_DECL(ipq_create);
static void
-mac_test_create_ipq(struct mbuf *fragment, struct label *fragmentlabel,
+mac_test_ipq_create(struct mbuf *fragment, struct label *fragmentlabel,
struct ipq *ipq, struct label *ipqlabel)
{
LABEL_CHECK(fragmentlabel, MAGIC_MBUF);
LABEL_CHECK(ipqlabel, MAGIC_IPQ);
- COUNTER_INC(create_ipq);
+ COUNTER_INC(ipq_create);
}
-COUNTER_DECL(create_mbuf_from_inpcb);
+COUNTER_DECL(inpcb_create_mbuf);
static void
-mac_test_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel,
+mac_test_inpcb_create_mbuf(struct inpcb *inp, struct label *inplabel,
struct mbuf *m, struct label *mlabel)
{
LABEL_CHECK(inplabel, MAGIC_INPCB);
LABEL_CHECK(mlabel, MAGIC_MBUF);
- COUNTER_INC(create_mbuf_from_inpcb);
+ COUNTER_INC(inpcb_create_mbuf);
}
COUNTER_DECL(create_mbuf_linklayer);
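Review bot: `mac_test_socket_relabel` validates `cred->cr_label` and `newlabel` but never `socketlabel`, so a label with the wrong magic on the socket being relabelled goes unnoticed by the test policy at this entry point. The sibling handlers in this hunk, `mac_test_pipe_relabel` and `mac_test_vnode_relabel`, check both the existing and the new label. Adding `LABEL_CHECK(socketlabel, MAGIC_SOCKET);` ahead of the `newlabel` check would bring it in line. The `mac_test_sysvmsg_create`, `mac_test_sysvmsq_create`, `mac_test_sysvsem_create` and `mac_test_sysvshm_create` handlers also take `cred` without a `LABEL_CHECK(cred->cr_label, MAGIC_CRED);`, unlike `mac_test_socket_create` and `mac_test_pipe_create`; if `cred` cannot be NULL on those paths, the same check belongs there.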
@@ -962,31 +966,31 @@ mac_test_create_mbuf_linklayer(struct ifnet *ifnet, struct label *ifnetlabel,
COUNTER_INC(create_mbuf_linklayer);
}
-COUNTER_DECL(create_mbuf_from_bpfdesc);
+COUNTER_DECL(bpfdesc_create_mbuf);
static void
-mac_test_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct label *bpflabel,
+mac_test_bpfdesc_create_mbuf(struct bpf_d *bpf_d, struct label *bpflabel,
struct mbuf *mbuf, struct label *mbuflabel)
{
LABEL_CHECK(bpflabel, MAGIC_BPF);
LABEL_CHECK(mbuflabel, MAGIC_MBUF);
- COUNTER_INC(create_mbuf_from_bpfdesc);
+ COUNTER_INC(bpfdesc_create_mbuf);
}
-COUNTER_DECL(create_mbuf_from_ifnet);
+COUNTER_DECL(ifnet_create_mbuf);
static void
-mac_test_create_mbuf_from_ifnet(struct ifnet *ifnet, struct label *ifnetlabel,
+mac_test_ifnet_create_mbuf(struct ifnet *ifnet, struct label *ifnetlabel,
struct mbuf *m, struct label *mbuflabel)
{
LABEL_CHECK(ifnetlabel, MAGIC_IFNET);
LABEL_CHECK(mbuflabel, MAGIC_MBUF);
- COUNTER_INC(create_mbuf_from_ifnet);
+ COUNTER_INC(ifnet_create_mbuf);
}
-COUNTER_DECL(create_mbuf_multicast_encap);
+COUNTER_DECL(mbuf_create_multicast_encap);
static void
-mac_test_create_mbuf_multicast_encap(struct mbuf *oldmbuf,
+mac_test_mbuf_create_multicast_encap(struct mbuf *oldmbuf,
struct label *oldmbuflabel, struct ifnet *ifnet, struct label *ifnetlabel,
struct mbuf *newmbuf, struct label *newmbuflabel)
{
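Review bot: `mac_test_create_mbuf_linklayer` and its `create_mbuf_linklayer` counter keep the old verb-first name, while the mbuf-producing handlers around it in this hunk are now object-first (`bpfdesc_create_mbuf`, `ifnet_create_mbuf`, `mbuf_create_multicast_encap`). Only the tail of that function is inside the hunk, so the reason may sit elsewhere, and it may be scheduled for a later commit in the series. If it is deliberate, a short comment above its `COUNTER_DECL`, such as `/* XXX: entry point not yet renamed to the object-first scheme. */`, would stop it reading as an oversight; otherwise rename it with the rest so the counter names stay uniform for anything that parses them.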
@@ -994,73 +998,73 @@ mac_test_create_mbuf_multicast_encap(struct mbuf *oldmbuf,
LABEL_CHECK(oldmbuflabel, MAGIC_MBUF);
LABEL_CHECK(ifnetlabel, MAGIC_IFNET);
LABEL_CHECK(newmbuflabel, MAGIC_MBUF);
- COUNTER_INC(create_mbuf_multicast_encap);
+ COUNTER_INC(mbuf_create_multicast_encap);
}
-COUNTER_DECL(create_mbuf_netlayer);
+COUNTER_DECL(mbuf_create_netlayer);
static void
-mac_test_create_mbuf_netlayer(struct mbuf *oldmbuf,
+mac_test_mbuf_create_netlayer(struct mbuf *oldmbuf,
struct label *oldmbuflabel, struct mbuf *newmbuf,
struct label *newmbuflabel)
{
LABEL_CHECK(oldmbuflabel, MAGIC_MBUF);
LABEL_CHECK(newmbuflabel, MAGIC_MBUF);
- COUNTER_INC(create_mbuf_netlayer);
+ COUNTER_INC(mbuf_create_netlayer);
}
-COUNTER_DECL(fragment_match);
+COUNTER_DECL(ipq_match);
static int
-mac_test_fragment_match(struct mbuf *fragment, struct label *fragmentlabel,
+mac_test_ipq_match(struct mbuf *fragment, struct label *fragmentlabel,
struct ipq *ipq, struct label *ipqlabel)
{
LABEL_CHECK(fragmentlabel, MAGIC_MBUF);
LABEL_CHECK(ipqlabel, MAGIC_IPQ);
- COUNTER_INC(fragment_match);
+ COUNTER_INC(ipq_match);
return (1);
}
-COUNTER_DECL(reflect_mbuf_icmp);
+COUNTER_DECL(netinet_icmp_reply);
static void
-mac_test_reflect_mbuf_icmp(struct mbuf *m, struct label *mlabel)
+mac_test_netinet_icmp_reply(struct mbuf *m, struct label *mlabel)
{
LABEL_CHECK(mlabel, MAGIC_MBUF);
- COUNTER_INC(reflect_mbuf_icmp);
+ COUNTER_INC(netinet_icmp_reply);
}
-COUNTER_DECL(reflect_mbuf_tcp);
+COUNTER_DECL(netinet_tcp_reply);
static void
-mac_test_reflect_mbuf_tcp(struct mbuf *m, struct label *mlabel)
+mac_test_netinet_tcp_reply(struct mbuf *m, struct label *mlabel)
{
LABEL_CHECK(mlabel, MAGIC_MBUF);
- COUNTER_INC(reflect_mbuf_tcp);
+ COUNTER_INC(netinet_tcp_reply);
}
-COUNTER_DECL(relabel_ifnet);
+COUNTER_DECL(ifnet_relabel);
static void
-mac_test_relabel_ifnet(struct ucred *cred, struct ifnet *ifnet,
+mac_test_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet,
struct label *ifnetlabel, struct label *newlabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(ifnetlabel, MAGIC_IFNET);
LABEL_CHECK(newlabel, MAGIC_IFNET);
- COUNTER_INC(relabel_ifnet);
+ COUNTER_INC(ifnet_relabel);
}
-COUNTER_DECL(update_ipq);
+COUNTER_DECL(ipq_update);
static void
-mac_test_update_ipq(struct mbuf *fragment, struct label *fragmentlabel,
+mac_test_ipq_update(struct mbuf *fragment, struct label *fragmentlabel,
struct ipq *ipq, struct label *ipqlabel)
{
LABEL_CHECK(fragmentlabel, MAGIC_MBUF);
LABEL_CHECK(ipqlabel, MAGIC_IPQ);
- COUNTER_INC(update_ipq);
+ COUNTER_INC(ipq_update);
}
COUNTER_DECL(inpcb_sosetlabel);
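Review bot: `mac_test_ipq_match` returns `(1)` where the other `int` handlers visible in this diff return `(0)`, and nothing next to it says why. As far as I can tell the framework treats this entry point as a boolean (does the fragment belong to this reassembly queue) rather than an errno, so 1 is the permissive answer; that should be confirmed against the framework's caller. A one-line comment before the return, e.g. `/* Boolean result, not an errno: non-zero lets the fragment join the queue. */`, would keep a later cleanup from "normalising" it to 0 and making the test policy refuse reassembly.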
@@ -1077,9 +1081,9 @@ mac_test_inpcb_sosetlabel(struct socket *so, struct label *solabel,
/*
* Labeling event operations: processes.
*/
-COUNTER_DECL(execve_transition);
+COUNTER_DECL(vnode_execve_transition);
static void
-mac_test_execve_transition(struct ucred *old, struct ucred *new,
+mac_test_vnode_execve_transition(struct ucred *old, struct ucred *new,
struct vnode *vp, struct label *filelabel,
struct label *interpvplabel, struct image_params *imgp,
struct label *execlabel)
@@ -1090,12 +1094,12 @@ mac_test_execve_transition(struct ucred *old, struct ucred *new,
LABEL_CHECK(filelabel, MAGIC_VNODE);
LABEL_CHECK(interpvplabel, MAGIC_VNODE);
LABEL_CHECK(execlabel, MAGIC_CRED);
- COUNTER_INC(execve_transition);
+ COUNTER_INC(vnode_execve_transition);
}
-COUNTER_DECL(execve_will_transition);
+COUNTER_DECL(vnode_execve_will_transition);
static int
-mac_test_execve_will_transition(struct ucred *old, struct vnode *vp,
+mac_test_vnode_execve_will_transition(struct ucred *old, struct vnode *vp,
struct label *filelabel, struct label *interpvplabel,
struct image_params *imgp, struct label *execlabel)
{
@@ -1104,37 +1108,37 @@ mac_test_execve_will_transition(struct ucred *old, struct vnode *vp,
LABEL_CHECK(filelabel, MAGIC_VNODE);
LABEL_CHECK(interpvplabel, MAGIC_VNODE);
LABEL_CHECK(execlabel, MAGIC_CRED);
- COUNTER_INC(execve_will_transition);
+ COUNTER_INC(vnode_execve_will_transition);
return (0);
}
-COUNTER_DECL(create_proc0);
+COUNTER_DECL(proc_create_swapper);
static void
-mac_test_create_proc0(struct ucred *cred)
+mac_test_proc_create_swapper(struct ucred *cred)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
- COUNTER_INC(create_proc0);
+ COUNTER_INC(proc_create_swapper);
}
-COUNTER_DECL(create_proc1);
+COUNTER_DECL(proc_create_init);
static void
-mac_test_create_proc1(struct ucred *cred)
+mac_test_proc_create_init(struct ucred *cred)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
- COUNTER_INC(create_proc1);
+ COUNTER_INC(proc_create_init);
}
-COUNTER_DECL(relabel_cred);
+COUNTER_DECL(cred_relabel);
static void
-mac_test_relabel_cred(struct ucred *cred, struct label *newlabel)
+mac_test_cred_relabel(struct ucred *cred, struct label *newlabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(newlabel, MAGIC_CRED);
- COUNTER_INC(relabel_cred);
+ COUNTER_INC(cred_relabel);
}
COUNTER_DECL(thread_userret);
@@ -1148,125 +1152,125 @@ mac_test_thread_userret(struct thread *td)
/*
* Label cleanup/flush operations
*/
-COUNTER_DECL(cleanup_sysv_msgmsg);
+COUNTER_DECL(sysvmsg_cleanup);
static void
-mac_test_cleanup_sysv_msgmsg(struct label *msglabel)
+mac_test_sysvmsg_cleanup(struct label *msglabel)
{
LABEL_CHECK(msglabel, MAGIC_SYSV_MSG);
- COUNTER_INC(cleanup_sysv_msgmsg);
+ COUNTER_INC(sysvmsg_cleanup);
}
-COUNTER_DECL(cleanup_sysv_msgqueue);
+COUNTER_DECL(sysvmsq_cleanup);
static void
-mac_test_cleanup_sysv_msgqueue(struct label *msqlabel)
+mac_test_sysvmsq_cleanup(struct label *msqlabel)
{
LABEL_CHECK(msqlabel, MAGIC_SYSV_MSQ);
- COUNTER_INC(cleanup_sysv_msgqueue);
+ COUNTER_INC(sysvmsq_cleanup);
}
-COUNTER_DECL(cleanup_sysv_sem);
+COUNTER_DECL(sysvsem_cleanup);
static void
-mac_test_cleanup_sysv_sem(struct label *semalabel)
+mac_test_sysvsem_cleanup(struct label *semalabel)
{
LABEL_CHECK(semalabel, MAGIC_SYSV_SEM);
- COUNTER_INC(cleanup_sysv_sem);
+ COUNTER_INC(sysvsem_cleanup);
}
-COUNTER_DECL(cleanup_sysv_shm);
+COUNTER_DECL(sysvshm_cleanup);
static void
-mac_test_cleanup_sysv_shm(struct label *shmlabel)
+mac_test_sysvshm_cleanup(struct label *shmlabel)
{
LABEL_CHECK(shmlabel, MAGIC_SYSV_SHM);
- COUNTER_INC(cleanup_sysv_shm);
+ COUNTER_INC(sysvshm_cleanup);
}
/*
* Access control checks.
*/
-COUNTER_DECL(check_bpfdesc_receive);
+COUNTER_DECL(bpfdesc_check_receive);
static int
-mac_test_check_bpfdesc_receive(struct bpf_d *bpf_d, struct label *bpflabel,
+mac_test_bpfdesc_check_receive(struct bpf_d *bpf_d, struct label *bpflabel,
struct ifnet *ifnet, struct label *ifnetlabel)
{
LABEL_CHECK(bpflabel, MAGIC_BPF);
LABEL_CHECK(ifnetlabel, MAGIC_IFNET);
- COUNTER_INC(check_bpfdesc_receive);
+ COUNTER_INC(bpfdesc_check_receive);
return (0);
}
-COUNTER_DECL(check_cred_relabel);
+COUNTER_DECL(cred_check_relabel);
static int
-mac_test_check_cred_relabel(struct ucred *cred, struct label *newlabel)
+mac_test_cred_check_relabel(struct ucred *cred, struct label *newlabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(newlabel, MAGIC_CRED);
- COUNTER_INC(check_cred_relabel);
+ COUNTER_INC(cred_check_relabel);
return (0);
}
-COUNTER_DECL(check_cred_visible);
+COUNTER_DECL(cred_check_visible);
static int
-mac_test_check_cred_visible(struct ucred *u1, struct ucred *u2)
+mac_test_cred_check_visible(struct ucred *u1, struct ucred *u2)
{
LABEL_CHECK(u1->cr_label, MAGIC_CRED);
LABEL_CHECK(u2->cr_label, MAGIC_CRED);
- COUNTER_INC(check_cred_visible);
+ COUNTER_INC(cred_check_visible);
return (0);
}
-COUNTER_DECL(check_ifnet_relabel);
+COUNTER_DECL(ifnet_check_relabel);
static int
-mac_test_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet,
+mac_test_ifnet_check_relabel(struct ucred *cred, struct ifnet *ifnet,
struct label *ifnetlabel, struct label *newlabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(ifnetlabel, MAGIC_IFNET);
LABEL_CHECK(newlabel, MAGIC_IFNET);
- COUNTER_INC(check_ifnet_relabel);
+ COUNTER_INC(ifnet_check_relabel);
return (0);
}
-COUNTER_DECL(check_ifnet_transmit);
+COUNTER_DECL(ifnet_check_transmit);
static int
-mac_test_check_ifnet_transmit(struct ifnet *ifnet, struct label *ifnetlabel,
+mac_test_ifnet_check_transmit(struct ifnet *ifnet, struct label *ifnetlabel,
struct mbuf *m, struct label *mbuflabel)
{
LABEL_CHECK(ifnetlabel, MAGIC_IFNET);
LABEL_CHECK(mbuflabel, MAGIC_MBUF);
- COUNTER_INC(check_ifnet_transmit);
+ COUNTER_INC(ifnet_check_transmit);
return (0);
}
-COUNTER_DECL(check_inpcb_deliver);
+COUNTER_DECL(inpcb_check_deliver);
static int
-mac_test_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel,
+mac_test_inpcb_check_deliver(struct inpcb *inp, struct label *inplabel,
struct mbuf *m, struct label *mlabel)
{
LABEL_CHECK(inplabel, MAGIC_INPCB);
LABEL_CHECK(mlabel, MAGIC_MBUF);
- COUNTER_INC(check_inpcb_deliver);
+ COUNTER_INC(inpcb_check_deliver);
return (0);
}
-COUNTER_DECL(check_sysv_msgmsq);
+COUNTER_DECL(sysvmsq_check_msgmsq);
static int
-mac_test_check_sysv_msgmsq(struct ucred *cred, struct msg *msgptr,
+mac_test_sysvmsq_check_msgmsq(struct ucred *cred, struct msg *msgptr,
struct label *msglabel, struct msqid_kernel *msqkptr,
struct label *msqklabel)
{
@@ -1274,859 +1278,859 @@ mac_test_check_sysv_msgmsq(struct ucred *cred, struct msg *msgptr,
LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ);
LABEL_CHECK(msglabel, MAGIC_SYSV_MSG);
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
- COUNTER_INC(check_sysv_msgmsq);
+ COUNTER_INC(sysvmsq_check_msgmsq);
return (0);
}
-COUNTER_DECL(check_sysv_msgrcv);
+COUNTER_DECL(sysvmsq_check_msgrcv);
static int
-mac_test_check_sysv_msgrcv(struct ucred *cred, struct msg *msgptr,
+mac_test_sysvmsq_check_msgrcv(struct ucred *cred, struct msg *msgptr,
struct label *msglabel)
{
LABEL_CHECK(msglabel, MAGIC_SYSV_MSG);
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
- COUNTER_INC(check_sysv_msgrcv);
+ COUNTER_INC(sysvmsq_check_msgrcv);
return (0);
}
-COUNTER_DECL(check_sysv_msgrmid);
+COUNTER_DECL(sysvmsq_check_msgrmid);
static int
-mac_test_check_sysv_msgrmid(struct ucred *cred, struct msg *msgptr,
+mac_test_sysvmsq_check_msgrmid(struct ucred *cred, struct msg *msgptr,
struct label *msglabel)
{
LABEL_CHECK(msglabel, MAGIC_SYSV_MSG);
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
- COUNTER_INC(check_sysv_msgrmid);
+ COUNTER_INC(sysvmsq_check_msgrmid);
return (0);
}
-COUNTER_DECL(check_sysv_msqget);
+COUNTER_DECL(sysvmsq_check_msqget);
static int
-mac_test_check_sysv_msqget(struct ucred *cred, struct msqid_kernel *msqkptr,
- struct label *msqklabel)
+mac_test_sysvmsq_check_msqget(struct ucred *cred,
+ struct msqid_kernel *msqkptr, struct label *msqklabel)
{
LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ);
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
- COUNTER_INC(check_sysv_msqget);
+ COUNTER_INC(sysvmsq_check_msqget);
return (0);
}
-COUNTER_DECL(check_sysv_msqsnd);
+COUNTER_DECL(sysvmsq_check_msqsnd);
static int
-mac_test_check_sysv_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr,
- struct label *msqklabel)
+mac_test_sysvmsq_check_msqsnd(struct ucred *cred,
+ struct msqid_kernel *msqkptr, struct label *msqklabel)
{
LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ);
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
- COUNTER_INC(check_sysv_msqsnd);
+ COUNTER_INC(sysvmsq_check_msqsnd);
return (0);
}
-COUNTER_DECL(check_sysv_msqrcv);
+COUNTER_DECL(sysvmsq_check_msqrcv);
static int
-mac_test_check_sysv_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr,
- struct label *msqklabel)
+mac_test_sysvmsq_check_msqrcv(struct ucred *cred,
+ struct msqid_kernel *msqkptr, struct label *msqklabel)
{
LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ);
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
- COUNTER_INC(check_sysv_msqrcv);
+ COUNTER_INC(sysvmsq_check_msqrcv);
return (0);
}
-COUNTER_DECL(check_sysv_msqctl);
+COUNTER_DECL(sysvmsq_check_msqctl);
static int
-mac_test_check_sysv_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr,
- struct label *msqklabel, int cmd)
+mac_test_sysvmsq_check_msqctl(struct ucred *cred,
+ struct msqid_kernel *msqkptr, struct label *msqklabel, int cmd)
{
LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ);
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
- COUNTER_INC(check_sysv_msqctl);
+ COUNTER_INC(sysvmsq_check_msqctl);
return (0);
}
-COUNTER_DECL(check_sysv_semctl);
+COUNTER_DECL(sysvsem_check_semctl);
static int
-mac_test_check_sysv_semctl(struct ucred *cred, struct semid_kernel *semakptr,
- struct label *semaklabel, int cmd)
+mac_test_sysvsem_check_semctl(struct ucred *cred,
+ struct semid_kernel *semakptr, struct label *semaklabel, int cmd)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(semaklabel, MAGIC_SYSV_SEM);
- COUNTER_INC(check_sysv_semctl);
+ COUNTER_INC(sysvsem_check_semctl);
return (0);
}
-COUNTER_DECL(check_sysv_semget);
+COUNTER_DECL(sysvsem_check_semget);
static int
-mac_test_check_sysv_semget(struct ucred *cred, struct semid_kernel *semakptr,
- struct label *semaklabel)
+mac_test_sysvsem_check_semget(struct ucred *cred,
+ struct semid_kernel *semakptr, struct label *semaklabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(semaklabel, MAGIC_SYSV_SEM);
- COUNTER_INC(check_sysv_semget);
+ COUNTER_INC(sysvsem_check_semget);
return (0);
}
-COUNTER_DECL(check_sysv_semop);
+COUNTER_DECL(sysvsem_check_semop);
static int
-mac_test_check_sysv_semop(struct ucred *cred, struct semid_kernel *semakptr,
- struct label *semaklabel, size_t accesstype)
+mac_test_sysvsem_check_semop(struct ucred *cred,
+ struct semid_kernel *semakptr, struct label *semaklabel, size_t accesstype)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(semaklabel, MAGIC_SYSV_SEM);
- COUNTER_INC(check_sysv_semop);
+ COUNTER_INC(sysvsem_check_semop);
return (0);
}
-COUNTER_DECL(check_sysv_shmat);
+COUNTER_DECL(sysvshm_check_shmat);
static int
-mac_test_check_sysv_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr,
- struct label *shmseglabel, int shmflg)
+mac_test_sysvshm_check_shmat(struct ucred *cred,
+ struct shmid_kernel *shmsegptr, struct label *shmseglabel, int shmflg)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(shmseglabel, MAGIC_SYSV_SHM);
- COUNTER_INC(check_sysv_shmat);
+ COUNTER_INC(sysvshm_check_shmat);
return (0);
}
-COUNTER_DECL(check_sysv_shmctl);
+COUNTER_DECL(sysvshm_check_shmctl);
static int
-mac_test_check_sysv_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr,
- struct label *shmseglabel, int cmd)
+mac_test_sysvshm_check_shmctl(struct ucred *cred,
+ struct shmid_kernel *shmsegptr, struct label *shmseglabel, int cmd)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(shmseglabel, MAGIC_SYSV_SHM);
- COUNTER_INC(check_sysv_shmctl);
+ COUNTER_INC(sysvshm_check_shmctl);
return (0);
}
-COUNTER_DECL(check_sysv_shmdt);
+COUNTER_DECL(sysvshm_check_shmdt);
static int
-mac_test_check_sysv_shmdt(struct ucred *cred, struct shmid_kernel *shmsegptr,
- struct label *shmseglabel)
+mac_test_sysvshm_check_shmdt(struct ucred *cred,
+ struct shmid_kernel *shmsegptr, struct label *shmseglabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(shmseglabel, MAGIC_SYSV_SHM);
- COUNTER_INC(check_sysv_shmdt);
+ COUNTER_INC(sysvshm_check_shmdt);
return (0);
}
-COUNTER_DECL(check_sysv_shmget);
+COUNTER_DECL(sysvshm_check_shmget);
static int
-mac_test_check_sysv_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr,
- struct label *shmseglabel, int shmflg)
+mac_test_sysvshm_check_shmget(struct ucred *cred,
+ struct shmid_kernel *shmsegptr, struct label *shmseglabel, int shmflg)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(shmseglabel, MAGIC_SYSV_SHM);
- COUNTER_INC(check_sysv_shmget);
+ COUNTER_INC(sysvshm_check_shmget);
return (0);
}
-COUNTER_DECL(check_kenv_dump);
+COUNTER_DECL(kenv_check_dump);
static int
-mac_test_check_kenv_dump(struct ucred *cred)
+mac_test_kenv_check_dump(struct ucred *cred)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
- COUNTER_INC(check_kenv_dump);
+ COUNTER_INC(kenv_check_dump);
return (0);
}
-COUNTER_DECL(check_kenv_get);
+COUNTER_DECL(kenv_check_get);
static int
-mac_test_check_kenv_get(struct ucred *cred, char *name)
+mac_test_kenv_check_get(struct ucred *cred, char *name)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
- COUNTER_INC(check_kenv_get);
+ COUNTER_INC(kenv_check_get);
return (0);
}
-COUNTER_DECL(check_kenv_set);
+COUNTER_DECL(kenv_check_set);
static int
-mac_test_check_kenv_set(struct ucred *cred, char *name, char *value)
+mac_test_kenv_check_set(struct ucred *cred, char *name, char *value)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
- COUNTER_INC(check_kenv_set);
+ COUNTER_INC(kenv_check_set);
return (0);
}
-COUNTER_DECL(check_kenv_unset);
+COUNTER_DECL(kenv_check_unset);
static int
-mac_test_check_kenv_unset(struct ucred *cred, char *name)
+mac_test_kenv_check_unset(struct ucred *cred, char *name)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
- COUNTER_INC(check_kenv_unset);
+ COUNTER_INC(kenv_check_unset);
return (0);
}
-COUNTER_DECL(check_kld_load);
+COUNTER_DECL(kld_check_load);
static int
-mac_test_check_kld_load(struct ucred *cred, struct vnode *vp,
+mac_test_kld_check_load(struct ucred *cred, struct vnode *vp,
struct label *label)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(label, MAGIC_VNODE);
- COUNTER_INC(check_kld_load);
+ COUNTER_INC(kld_check_load);
return (0);
}
-COUNTER_DECL(check_kld_stat);
+COUNTER_DECL(kld_check_stat);
static int
-mac_test_check_kld_stat(struct ucred *cred)
+mac_test_kld_check_stat(struct ucred *cred)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
- COUNTER_INC(check_kld_stat);
+ COUNTER_INC(kld_check_stat);
return (0);
}
-COUNTER_DECL(check_mount_stat);
+COUNTER_DECL(mount_check_stat);
static int
-mac_test_check_mount_stat(struct ucred *cred, struct mount *mp,
+mac_test_mount_check_stat(struct ucred *cred, struct mount *mp,
struct label *mplabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(mplabel, MAGIC_MOUNT);
- COUNTER_INC(check_mount_stat);
+ COUNTER_INC(mount_check_stat);
return (0);
}
-COUNTER_DECL(check_pipe_ioctl);
+COUNTER_DECL(pipe_check_ioctl);
static int
-mac_test_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp,
+mac_test_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp,
struct label *pipelabel, unsigned long cmd, void /* caddr_t */ *data)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(pipelabel, MAGIC_PIPE);
- COUNTER_INC(check_pipe_ioctl);
+ COUNTER_INC(pipe_check_ioctl);
return (0);
}
-COUNTER_DECL(check_pipe_poll);
+COUNTER_DECL(pipe_check_poll);
static int
-mac_test_check_pipe_poll(struct ucred *cred, struct pipepair *pp,
+mac_test_pipe_check_poll(struct ucred *cred, struct pipepair *pp,
struct label *pipelabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(pipelabel, MAGIC_PIPE);
- COUNTER_INC(check_pipe_poll);
+ COUNTER_INC(pipe_check_poll);
return (0);
}
-COUNTER_DECL(check_pipe_read);
+COUNTER_DECL(pipe_check_read);
static int
-mac_test_check_pipe_read(struct ucred *cred, struct pipepair *pp,
+mac_test_pipe_check_read(struct ucred *cred, struct pipepair *pp,
struct label *pipelabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(pipelabel, MAGIC_PIPE);
- COUNTER_INC(check_pipe_read);
+ COUNTER_INC(pipe_check_read);
return (0);
}
-COUNTER_DECL(check_pipe_relabel);
+COUNTER_DECL(pipe_check_relabel);
static int
-mac_test_check_pipe_relabel(struct ucred *cred, struct pipepair *pp,
+mac_test_pipe_check_relabel(struct ucred *cred, struct pipepair *pp,
struct label *pipelabel, struct label *newlabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(pipelabel, MAGIC_PIPE);
LABEL_CHECK(newlabel, MAGIC_PIPE);
- COUNTER_INC(check_pipe_relabel);
+ COUNTER_INC(pipe_check_relabel);
return (0);
}
-COUNTER_DECL(check_pipe_stat);
+COUNTER_DECL(pipe_check_stat);
static int
-mac_test_check_pipe_stat(struct ucred *cred, struct pipepair *pp,
+mac_test_pipe_check_stat(struct ucred *cred, struct pipepair *pp,
struct label *pipelabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(pipelabel, MAGIC_PIPE);
- COUNTER_INC(check_pipe_stat);
+ COUNTER_INC(pipe_check_stat);
return (0);
}
-COUNTER_DECL(check_pipe_write);
+COUNTER_DECL(pipe_check_write);
static int
-mac_test_check_pipe_write(struct ucred *cred, struct pipepair *pp,
+mac_test_pipe_check_write(struct ucred *cred, struct pipepair *pp,
struct label *pipelabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(pipelabel, MAGIC_PIPE);
- COUNTER_INC(check_pipe_write);
+ COUNTER_INC(pipe_check_write);
return (0);
}
-COUNTER_DECL(check_posix_sem);
+COUNTER_DECL(posixsem_check);
static int
-mac_test_check_posix_sem(struct ucred *cred, struct ksem *ks,
+mac_test_posixsem_check(struct ucred *cred, struct ksem *ks,
struct label *kslabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(kslabel, MAGIC_POSIX_SEM);
- COUNTER_INC(check_posix_sem);
+ COUNTER_INC(posixsem_check);
return (0);
}
-COUNTER_DECL(check_proc_debug);
+COUNTER_DECL(proc_check_debug);
static int
-mac_test_check_proc_debug(struct ucred *cred, struct proc *p)
+mac_test_proc_check_debug(struct ucred *cred, struct proc *p)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(p->p_ucred->cr_label, MAGIC_CRED);
- COUNTER_INC(check_proc_debug);
+ COUNTER_INC(proc_check_debug);
return (0);
}
-COUNTER_DECL(check_proc_sched);
+COUNTER_DECL(proc_check_sched);
static int
-mac_test_check_proc_sched(struct ucred *cred, struct proc *p)
+mac_test_proc_check_sched(struct ucred *cred, struct proc *p)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(p->p_ucred->cr_label, MAGIC_CRED);
- COUNTER_INC(check_proc_sched);
+ COUNTER_INC(proc_check_sched);
return (0);
}
-COUNTER_DECL(check_proc_signal);
+COUNTER_DECL(proc_check_signal);
static int
-mac_test_check_proc_signal(struct ucred *cred, struct proc *p, int signum)
+mac_test_proc_check_signal(struct ucred *cred, struct proc *p, int signum)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(p->p_ucred->cr_label, MAGIC_CRED);
- COUNTER_INC(check_proc_signal);
+ COUNTER_INC(proc_check_signal);
return (0);
}
-COUNTER_DECL(check_proc_setaudit);
+COUNTER_DECL(proc_check_setaudit);
static int
-mac_test_check_proc_setaudit(struct ucred *cred, struct auditinfo *ai)
+mac_test_proc_check_setaudit(struct ucred *cred, struct auditinfo *ai)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
- COUNTER_INC(check_proc_setaudit);
+ COUNTER_INC(proc_check_setaudit);
return (0);
}
-COUNTER_DECL(check_proc_setaudit_addr);
+COUNTER_DECL(proc_check_setaudit_addr);
static int
-mac_test_check_proc_setaudit_addr(struct ucred *cred,
+mac_test_proc_check_setaudit_addr(struct ucred *cred,
struct auditinfo_addr *aia)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
- COUNTER_INC(check_proc_setaudit_addr);
+ COUNTER_INC(proc_check_setaudit_addr);
return (0);
}
-COUNTER_DECL(check_proc_setauid);
+COUNTER_DECL(proc_check_setauid);
static int
-mac_test_check_proc_setauid(struct ucred *cred, uid_t auid)
+mac_test_proc_check_setauid(struct ucred *cred, uid_t auid)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
- COUNTER_INC(check_proc_setauid);
+ COUNTER_INC(proc_check_setauid);
return (0);
}
-COUNTER_DECL(check_proc_setuid);
+COUNTER_DECL(proc_check_setuid);
static int
-mac_test_check_proc_setuid(struct ucred *cred, uid_t uid)
+mac_test_proc_check_setuid(struct ucred *cred, uid_t uid)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
- COUNTER_INC(check_proc_setuid);
+ COUNTER_INC(proc_check_setuid);
return (0);
}
-COUNTER_DECL(check_proc_euid);
+COUNTER_DECL(proc_check_euid);
static int
-mac_test_check_proc_seteuid(struct ucred *cred, uid_t euid)
+mac_test_proc_check_seteuid(struct ucred *cred, uid_t euid)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
- COUNTER_INC(check_proc_euid);
+ COUNTER_INC(proc_check_euid);
return (0);
}
-COUNTER_DECL(check_proc_setgid);
+COUNTER_DECL(proc_check_setgid);
static int
-mac_test_check_proc_setgid(struct ucred *cred, gid_t gid)
+mac_test_proc_check_setgid(struct ucred *cred, gid_t gid)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
- COUNTER_INC(check_proc_setgid);
+ COUNTER_INC(proc_check_setgid);
return (0);
}
-COUNTER_DECL(check_proc_setegid);
+COUNTER_DECL(proc_check_setegid);
static int
-mac_test_check_proc_setegid(struct ucred *cred, gid_t egid)
+mac_test_proc_check_setegid(struct ucred *cred, gid_t egid)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
- COUNTER_INC(check_proc_setegid);
+ COUNTER_INC(proc_check_setegid);
return (0);
}
-COUNTER_DECL(check_proc_setgroups);
+COUNTER_DECL(proc_check_setgroups);
static int
-mac_test_check_proc_setgroups(struct ucred *cred, int ngroups,
+mac_test_proc_check_setgroups(struct ucred *cred, int ngroups,
gid_t *gidset)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
- COUNTER_INC(check_proc_setgroups);
+ COUNTER_INC(proc_check_setgroups);
return (0);
}
-COUNTER_DECL(check_proc_setreuid);
+COUNTER_DECL(proc_check_setreuid);
static int
-mac_test_check_proc_setreuid(struct ucred *cred, uid_t ruid, uid_t euid)
+mac_test_proc_check_setreuid(struct ucred *cred, uid_t ruid, uid_t euid)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
- COUNTER_INC(check_proc_setreuid);
+ COUNTER_INC(proc_check_setreuid);
return (0);
}
-COUNTER_DECL(check_proc_setregid);
+COUNTER_DECL(proc_check_setregid);
static int
-mac_test_check_proc_setregid(struct ucred *cred, gid_t rgid, gid_t egid)
+mac_test_proc_check_setregid(struct ucred *cred, gid_t rgid, gid_t egid)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
- COUNTER_INC(check_proc_setregid);
+ COUNTER_INC(proc_check_setregid);
return (0);
}
-COUNTER_DECL(check_proc_setresuid);
+COUNTER_DECL(proc_check_setresuid);
static int
-mac_test_check_proc_setresuid(struct ucred *cred, uid_t ruid, uid_t euid,
+mac_test_proc_check_setresuid(struct ucred *cred, uid_t ruid, uid_t euid,
uid_t suid)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
- COUNTER_INC(check_proc_setresuid);
+ COUNTER_INC(proc_check_setresuid);
return (0);
}
-COUNTER_DECL(check_proc_setresgid);
+COUNTER_DECL(proc_check_setresgid);
static int
-mac_test_check_proc_setresgid(struct ucred *cred, gid_t rgid, gid_t egid,
+mac_test_proc_check_setresgid(struct ucred *cred, gid_t rgid, gid_t egid,
gid_t sgid)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
- COUNTER_INC(check_proc_setresgid);
+ COUNTER_INC(proc_check_setresgid);
return (0);
}
-COUNTER_DECL(check_proc_wait);
+COUNTER_DECL(proc_check_wait);
static int
-mac_test_check_proc_wait(struct ucred *cred, struct proc *p)
+mac_test_proc_check_wait(struct ucred *cred, struct proc *p)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(p->p_ucred->cr_label, MAGIC_CRED);
- COUNTER_INC(check_proc_wait);
+ COUNTER_INC(proc_check_wait);
return (0);
}
-COUNTER_DECL(check_socket_accept);
+COUNTER_DECL(socket_check_accept);
static int
-mac_test_check_socket_accept(struct ucred *cred, struct socket *so,
+mac_test_socket_check_accept(struct ucred *cred, struct socket *so,
struct label *solabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(solabel, MAGIC_SOCKET);
- COUNTER_INC(check_socket_accept);
+ COUNTER_INC(socket_check_accept);
return (0);
}
-COUNTER_DECL(check_socket_bind);
+COUNTER_DECL(socket_check_bind);
static int
-mac_test_check_socket_bind(struct ucred *cred, struct socket *so,
+mac_test_socket_check_bind(struct ucred *cred, struct socket *so,
struct label *solabel, struct sockaddr *sa)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(solabel, MAGIC_SOCKET);
- COUNTER_INC(check_socket_bind);
+ COUNTER_INC(socket_check_bind);
return (0);
}
-COUNTER_DECL(check_socket_connect);
+COUNTER_DECL(socket_check_connect);
static int
-mac_test_check_socket_connect(struct ucred *cred, struct socket *so,
+mac_test_socket_check_connect(struct ucred *cred, struct socket *so,
struct label *solabel, struct sockaddr *sa)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(solabel, MAGIC_SOCKET);
- COUNTER_INC(check_socket_connect);
+ COUNTER_INC(socket_check_connect);
return (0);
}
-COUNTER_DECL(check_socket_deliver);
+COUNTER_DECL(socket_check_deliver);
static int
-mac_test_check_socket_deliver(struct socket *so, struct label *solabel,
+mac_test_socket_check_deliver(struct socket *so, struct label *solabel,
struct mbuf *m, struct label *mlabel)
{
LABEL_CHECK(solabel, MAGIC_SOCKET);
LABEL_CHECK(mlabel, MAGIC_MBUF);
- COUNTER_INC(check_socket_deliver);
+ COUNTER_INC(socket_check_deliver);
return (0);
}
-COUNTER_DECL(check_socket_listen);
+COUNTER_DECL(socket_check_listen);
static int
-mac_test_check_socket_listen(struct ucred *cred, struct socket *so,
+mac_test_socket_check_listen(struct ucred *cred, struct socket *so,
struct label *solabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(solabel, MAGIC_SOCKET);
- COUNTER_INC(check_socket_listen);
+ COUNTER_INC(socket_check_listen);
return (0);
}
-COUNTER_DECL(check_socket_poll);
+COUNTER_DECL(socket_check_poll);
static int
-mac_test_check_socket_poll(struct ucred *cred, struct socket *so,
+mac_test_socket_check_poll(struct ucred *cred, struct socket *so,
struct label *solabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(solabel, MAGIC_SOCKET);
- COUNTER_INC(check_socket_poll);
+ COUNTER_INC(socket_check_poll);
return (0);
}
-COUNTER_DECL(check_socket_receive);
+COUNTER_DECL(socket_check_receive);
static int
-mac_test_check_socket_receive(struct ucred *cred, struct socket *so,
+mac_test_socket_check_receive(struct ucred *cred, struct socket *so,
struct label *solabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(solabel, MAGIC_SOCKET);
- COUNTER_INC(check_socket_receive);
+ COUNTER_INC(socket_check_receive);
return (0);
}
-COUNTER_DECL(check_socket_relabel);
+COUNTER_DECL(socket_check_relabel);
static int
-mac_test_check_socket_relabel(struct ucred *cred, struct socket *so,
+mac_test_socket_check_relabel(struct ucred *cred, struct socket *so,
struct label *solabel, struct label *newlabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(solabel, MAGIC_SOCKET);
LABEL_CHECK(newlabel, MAGIC_SOCKET);
- COUNTER_INC(check_socket_relabel);
+ COUNTER_INC(socket_check_relabel);
return (0);
}
-COUNTER_DECL(check_socket_send);
+COUNTER_DECL(socket_check_send);
static int
-mac_test_check_socket_send(struct ucred *cred, struct socket *so,
+mac_test_socket_check_send(struct ucred *cred, struct socket *so,
struct label *solabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(solabel, MAGIC_SOCKET);
- COUNTER_INC(check_socket_send);
+ COUNTER_INC(socket_check_send);
return (0);
}
-COUNTER_DECL(check_socket_stat);
+COUNTER_DECL(socket_check_stat);
static int
-mac_test_check_socket_stat(struct ucred *cred, struct socket *so,
+mac_test_socket_check_stat(struct ucred *cred, struct socket *so,
struct label *solabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(solabel, MAGIC_SOCKET);
- COUNTER_INC(check_socket_stat);
+ COUNTER_INC(socket_check_stat);
return (0);
}
-COUNTER_DECL(check_socket_visible);
+COUNTER_DECL(socket_check_visible);
static int
-mac_test_check_socket_visible(struct ucred *cred, struct socket *so,
+mac_test_socket_check_visible(struct ucred *cred, struct socket *so,
struct label *solabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(solabel, MAGIC_SOCKET);
- COUNTER_INC(check_socket_visible);
+ COUNTER_INC(socket_check_visible);
return (0);
}
-COUNTER_DECL(check_system_acct);
+COUNTER_DECL(system_check_acct);
static int
-mac_test_check_system_acct(struct ucred *cred, struct vnode *vp,
+mac_test_system_check_acct(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(vplabel, MAGIC_VNODE);
- COUNTER_INC(check_system_acct);
+ COUNTER_INC(system_check_acct);
return (0);
}
-COUNTER_DECL(check_system_audit);
+COUNTER_DECL(system_check_audit);
static int
-mac_test_check_system_audit(struct ucred *cred, void *record, int length)
+mac_test_system_check_audit(struct ucred *cred, void *record, int length)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
- COUNTER_INC(check_system_audit);
+ COUNTER_INC(system_check_audit);
return (0);
}
-COUNTER_DECL(check_system_auditctl);
+COUNTER_DECL(system_check_auditctl);
static int
-mac_test_check_system_auditctl(struct ucred *cred, struct vnode *vp,
+mac_test_system_check_auditctl(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(vplabel, MAGIC_VNODE);
- COUNTER_INC(check_system_auditctl);
+ COUNTER_INC(system_check_auditctl);
return (0);
}
-COUNTER_DECL(check_system_auditon);
+COUNTER_DECL(system_check_auditon);
static int
-mac_test_check_system_auditon(struct ucred *cred, int cmd)
+mac_test_system_check_auditon(struct ucred *cred, int cmd)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
- COUNTER_INC(check_system_auditon);
+ COUNTER_INC(system_check_auditon);
return (0);
}
-COUNTER_DECL(check_system_reboot);
+COUNTER_DECL(system_check_reboot);
static int
-mac_test_check_system_reboot(struct ucred *cred, int how)
+mac_test_system_check_reboot(struct ucred *cred, int how)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
- COUNTER_INC(check_system_reboot);
+ COUNTER_INC(system_check_reboot);
return (0);
}
-COUNTER_DECL(check_system_swapoff);
+COUNTER_DECL(system_check_swapoff);
static int
-mac_test_check_system_swapoff(struct ucred *cred, struct vnode *vp,
+mac_test_system_check_swapoff(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(vplabel, MAGIC_VNODE);
- COUNTER_INC(check_system_swapoff);
+ COUNTER_INC(system_check_swapoff);
return (0);
}
-COUNTER_DECL(check_system_swapon);
+COUNTER_DECL(system_check_swapon);
static int
-mac_test_check_system_swapon(struct ucred *cred, struct vnode *vp,
+mac_test_system_check_swapon(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(vplabel, MAGIC_VNODE);
- COUNTER_INC(check_system_swapon);
+ COUNTER_INC(system_check_swapon);
return (0);
}
-COUNTER_DECL(check_system_sysctl);
+COUNTER_DECL(system_check_sysctl);
static int
-mac_test_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
+mac_test_system_check_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
void *arg1, int arg2, struct sysctl_req *req)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
- COUNTER_INC(check_system_sysctl);
+ COUNTER_INC(system_check_sysctl);
return (0);
}
-COUNTER_DECL(check_vnode_access);
+COUNTER_DECL(vnode_check_access);
static int
-mac_test_check_vnode_access(struct ucred *cred, struct vnode *vp,
+mac_test_vnode_check_access(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int acc_mode)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(vplabel, MAGIC_VNODE);
- COUNTER_INC(check_vnode_access);
+ COUNTER_INC(vnode_check_access);
return (0);
}
-COUNTER_DECL(check_vnode_chdir);
+COUNTER_DECL(vnode_check_chdir);
static int
-mac_test_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
+mac_test_vnode_check_chdir(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(dvplabel, MAGIC_VNODE);
- COUNTER_INC(check_vnode_chdir);
+ COUNTER_INC(vnode_check_chdir);
return (0);
}
-COUNTER_DECL(check_vnode_chroot);
+COUNTER_DECL(vnode_check_chroot);
static int
-mac_test_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
+mac_test_vnode_check_chroot(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(dvplabel, MAGIC_VNODE);
- COUNTER_INC(check_vnode_chroot);
+ COUNTER_INC(vnode_check_chroot);
return (0);
}
-COUNTER_DECL(check_vnode_create);
+COUNTER_DECL(vnode_check_create);
static int
-mac_test_check_vnode_create(struct ucred *cred, struct vnode *dvp,
+mac_test_vnode_check_create(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct componentname *cnp, struct vattr *vap)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(dvplabel, MAGIC_VNODE);
- COUNTER_INC(check_vnode_create);
+ COUNTER_INC(vnode_check_create);
return (0);
}
-COUNTER_DECL(check_vnode_deleteacl);
+COUNTER_DECL(vnode_check_deleteacl);
static int
-mac_test_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
+mac_test_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp,
struct label *vplabel, acl_type_t type)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(vplabel, MAGIC_VNODE);
- COUNTER_INC(check_vnode_deleteacl);
+ COUNTER_INC(vnode_check_deleteacl);
return (0);
}
-COUNTER_DECL(check_vnode_deleteextattr);
+COUNTER_DECL(vnode_check_deleteextattr);
static int
-mac_test_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
+mac_test_vnode_check_deleteextattr(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int attrnamespace, const char *name)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(vplabel, MAGIC_VNODE);
- COUNTER_INC(check_vnode_deleteextattr);
+ COUNTER_INC(vnode_check_deleteextattr);
return (0);
}
-COUNTER_DECL(check_vnode_exec);
+COUNTER_DECL(vnode_check_exec);
static int
-mac_test_check_vnode_exec(struct ucred *cred, struct vnode *vp,
+mac_test_vnode_check_exec(struct ucred *cred, struct vnode *vp,
struct label *vplabel, struct image_params *imgp,
struct label *execlabel)
{
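Review bot: The counter for the seteuid entry point is declared and incremented as `proc_check_euid`, while the function it belongs to is `mac_test_proc_check_seteuid`; every other pair in this hunk uses the same suffix for the counter and the function. The mismatch is carried over from the old `check_proc_euid`, but since the commit's stated aim is names that can be parsed mechanically, I would change both lines to `COUNTER_DECL(proc_check_seteuid);` and `COUNTER_INC(proc_check_seteuid);`. COUNTER_DECL is defined outside this hunk, so how the name is exported is an assumption. If it becomes a visible counter name, anything that matches counters to entry points to confirm the seteuid check was exercised would look for the wrong name.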
@@ -2134,41 +2138,41 @@ mac_test_check_vnode_exec(struct ucred *cred, struct vnode *vp,
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(vplabel, MAGIC_VNODE);
LABEL_CHECK(execlabel, MAGIC_CRED);
- COUNTER_INC(check_vnode_exec);
+ COUNTER_INC(vnode_check_exec);
return (0);
}
-COUNTER_DECL(check_vnode_getacl);
+COUNTER_DECL(vnode_check_getacl);
static int
-mac_test_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
+mac_test_vnode_check_getacl(struct ucred *cred, struct vnode *vp,
struct label *vplabel, acl_type_t type)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(vplabel, MAGIC_VNODE);
- COUNTER_INC(check_vnode_getacl);
+ COUNTER_INC(vnode_check_getacl);
return (0);
}
-COUNTER_DECL(check_vnode_getextattr);
+COUNTER_DECL(vnode_check_getextattr);
static int
-mac_test_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
+mac_test_vnode_check_getextattr(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int attrnamespace, const char *name,
struct uio *uio)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(vplabel, MAGIC_VNODE);
- COUNTER_INC(check_vnode_getextattr);
+ COUNTER_INC(vnode_check_getextattr);
return (0);
}
-COUNTER_DECL(check_vnode_link);
+COUNTER_DECL(vnode_check_link);
static int
-mac_test_check_vnode_link(struct ucred *cred, struct vnode *dvp,
+mac_test_vnode_check_link(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct vnode *vp, struct label *vplabel,
struct componentname *cnp)
{
@@ -2176,66 +2180,66 @@ mac_test_check_vnode_link(struct ucred *cred, struct vnode *dvp,
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(dvplabel, MAGIC_VNODE);
LABEL_CHECK(vplabel, MAGIC_VNODE);
- COUNTER_INC(check_vnode_link);
+ COUNTER_INC(vnode_check_link);
return (0);
}
-COUNTER_DECL(check_vnode_listextattr);
+COUNTER_DECL(vnode_check_listextattr);
static int
-mac_test_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
+mac_test_vnode_check_listextattr(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int attrnamespace)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(vplabel, MAGIC_VNODE);
- COUNTER_INC(check_vnode_listextattr);
+ COUNTER_INC(vnode_check_listextattr);
return (0);
}
-COUNTER_DECL(check_vnode_lookup);
+COUNTER_DECL(vnode_check_lookup);
static int
-mac_test_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
+mac_test_vnode_check_lookup(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct componentname *cnp)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(dvplabel, MAGIC_VNODE);
- COUNTER_INC(check_vnode_lookup);
+ COUNTER_INC(vnode_check_lookup);
return (0);
}
-COUNTER_DECL(check_vnode_mmap);
+COUNTER_DECL(vnode_check_mmap);
static int
-mac_test_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
+mac_test_vnode_check_mmap(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int prot, int flags)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(vplabel, MAGIC_VNODE);
- COUNTER_INC(check_vnode_mmap);
+ COUNTER_INC(vnode_check_mmap);
return (0);
}
-COUNTER_DECL(check_vnode_open);
+COUNTER_DECL(vnode_check_open);
static int
-mac_test_check_vnode_open(struct ucred *cred, struct vnode *vp,
+mac_test_vnode_check_open(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int acc_mode)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(vplabel, MAGIC_VNODE);
- COUNTER_INC(check_vnode_open);
+ COUNTER_INC(vnode_check_open);
return (0);
}
-COUNTER_DECL(check_vnode_poll);
+COUNTER_DECL(vnode_check_poll);
static int
-mac_test_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
+mac_test_vnode_check_poll(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp, struct label *vplabel)
{
@@ -2243,14 +2247,14 @@ mac_test_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
if (file_cred != NULL)
LABEL_CHECK(file_cred->cr_label, MAGIC_CRED);
LABEL_CHECK(vplabel, MAGIC_VNODE);
- COUNTER_INC(check_vnode_poll);
+ COUNTER_INC(vnode_check_poll);
return (0);
}
-COUNTER_DECL(check_vnode_read);
+COUNTER_DECL(vnode_check_read);
static int
-mac_test_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
+mac_test_vnode_check_read(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp, struct label *vplabel)
{
@@ -2258,54 +2262,54 @@ mac_test_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
if (file_cred != NULL)
LABEL_CHECK(file_cred->cr_label, MAGIC_CRED);
LABEL_CHECK(vplabel, MAGIC_VNODE);
- COUNTER_INC(check_vnode_read);
+ COUNTER_INC(vnode_check_read);
return (0);
}
-COUNTER_DECL(check_vnode_readdir);
+COUNTER_DECL(vnode_check_readdir);
static int
-mac_test_check_vnode_readdir(struct ucred *cred, struct vnode *dvp,
+mac_test_vnode_check_readdir(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(dvplabel, MAGIC_VNODE);
- COUNTER_INC(check_vnode_readdir);
+ COUNTER_INC(vnode_check_readdir);
return (0);
}
-COUNTER_DECL(check_vnode_readlink);
+COUNTER_DECL(vnode_check_readlink);
static int
-mac_test_check_vnode_readlink(struct ucred *cred, struct vnode *vp,
+mac_test_vnode_check_readlink(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(vplabel, MAGIC_VNODE);
- COUNTER_INC(check_vnode_readlink);
+ COUNTER_INC(vnode_check_readlink);
return (0);
}
-COUNTER_DECL(check_vnode_relabel);
+COUNTER_DECL(vnode_check_relabel);
static int
-mac_test_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
+mac_test_vnode_check_relabel(struct ucred *cred, struct vnode *vp,
struct label *vplabel, struct label *newlabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(vplabel, MAGIC_VNODE);
LABEL_CHECK(newlabel, MAGIC_VNODE);
- COUNTER_INC(check_vnode_relabel);
+ COUNTER_INC(vnode_check_relabel);
return (0);
}
-COUNTER_DECL(check_vnode_rename_from);
+COUNTER_DECL(vnode_check_rename_from);
static int
-mac_test_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
+mac_test_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct vnode *vp, struct label *vplabel,
struct componentname *cnp)
{
@@ -2313,14 +2317,14 @@ mac_test_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(dvplabel, MAGIC_VNODE);
LABEL_CHECK(vplabel, MAGIC_VNODE);
- COUNTER_INC(check_vnode_rename_from);
+ COUNTER_INC(vnode_check_rename_from);
return (0);
}
-COUNTER_DECL(check_vnode_rename_to);
+COUNTER_DECL(vnode_check_rename_to);
static int
-mac_test_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
+mac_test_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct vnode *vp, struct label *vplabel,
int samedir, struct componentname *cnp)
{
@@ -2328,106 +2332,106 @@ mac_test_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(dvplabel, MAGIC_VNODE);
LABEL_CHECK(vplabel, MAGIC_VNODE);
- COUNTER_INC(check_vnode_rename_to);
+ COUNTER_INC(vnode_check_rename_to);
return (0);
}
-COUNTER_DECL(check_vnode_revoke);
+COUNTER_DECL(vnode_check_revoke);
static int
-mac_test_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
+mac_test_vnode_check_revoke(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(vplabel, MAGIC_VNODE);
- COUNTER_INC(check_vnode_revoke);
+ COUNTER_INC(vnode_check_revoke);
return (0);
}
-COUNTER_DECL(check_vnode_setacl);
+COUNTER_DECL(vnode_check_setacl);
static int
-mac_test_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
+mac_test_vnode_check_setacl(struct ucred *cred, struct vnode *vp,
struct label *vplabel, acl_type_t type, struct acl *acl)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(vplabel, MAGIC_VNODE);
- COUNTER_INC(check_vnode_setacl);
+ COUNTER_INC(vnode_check_setacl);
return (0);
}
-COUNTER_DECL(check_vnode_setextattr);
+COUNTER_DECL(vnode_check_setextattr);
static int
-mac_test_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
+mac_test_vnode_check_setextattr(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int attrnamespace, const char *name,
struct uio *uio)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(vplabel, MAGIC_VNODE);
- COUNTER_INC(check_vnode_setextattr);
+ COUNTER_INC(vnode_check_setextattr);
return (0);
}
-COUNTER_DECL(check_vnode_setflags);
+COUNTER_DECL(vnode_check_setflags);
static int
-mac_test_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
+mac_test_vnode_check_setflags(struct ucred *cred, struct vnode *vp,
struct label *vplabel, u_long flags)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(vplabel, MAGIC_VNODE);
- COUNTER_INC(check_vnode_setflags);
+ COUNTER_INC(vnode_check_setflags);
return (0);
}
-COUNTER_DECL(check_vnode_setmode);
+COUNTER_DECL(vnode_check_setmode);
static int
-mac_test_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
+mac_test_vnode_check_setmode(struct ucred *cred, struct vnode *vp,
struct label *vplabel, mode_t mode)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(vplabel, MAGIC_VNODE);
- COUNTER_INC(check_vnode_setmode);
+ COUNTER_INC(vnode_check_setmode);
return (0);
}
-COUNTER_DECL(check_vnode_setowner);
+COUNTER_DECL(vnode_check_setowner);
static int
-mac_test_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
+mac_test_vnode_check_setowner(struct ucred *cred, struct vnode *vp,
struct label *vplabel, uid_t uid, gid_t gid)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(vplabel, MAGIC_VNODE);
- COUNTER_INC(check_vnode_setowner);
+ COUNTER_INC(vnode_check_setowner);
return (0);
}
-COUNTER_DECL(check_vnode_setutimes);
+COUNTER_DECL(vnode_check_setutimes);
static int
-mac_test_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
+mac_test_vnode_check_setutimes(struct ucred *cred, struct vnode *vp,
struct label *vplabel, struct timespec atime, struct timespec mtime)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(vplabel, MAGIC_VNODE);
- COUNTER_INC(check_vnode_setutimes);
+ COUNTER_INC(vnode_check_setutimes);
return (0);
}
-COUNTER_DECL(check_vnode_stat);
+COUNTER_DECL(vnode_check_stat);
static int
-mac_test_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
+mac_test_vnode_check_stat(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp, struct label *vplabel)
{
@@ -2435,14 +2439,14 @@ mac_test_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
if (file_cred != NULL)
LABEL_CHECK(file_cred->cr_label, MAGIC_CRED);
LABEL_CHECK(vplabel, MAGIC_VNODE);
- COUNTER_INC(check_vnode_stat);
+ COUNTER_INC(vnode_check_stat);
return (0);
}
-COUNTER_DECL(check_vnode_unlink);
+COUNTER_DECL(vnode_check_unlink);
static int
-mac_test_check_vnode_unlink(struct ucred *cred, struct vnode *dvp,
+mac_test_vnode_check_unlink(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct vnode *vp, struct label *vplabel,
struct componentname *cnp)
{
@@ -2450,14 +2454,14 @@ mac_test_check_vnode_unlink(struct ucred *cred, struct vnode *dvp,
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(dvplabel, MAGIC_VNODE);
LABEL_CHECK(vplabel, MAGIC_VNODE);
- COUNTER_INC(check_vnode_unlink);
+ COUNTER_INC(vnode_check_unlink);
return (0);
}
-COUNTER_DECL(check_vnode_write);
+COUNTER_DECL(vnode_check_write);
static int
-mac_test_check_vnode_write(struct ucred *active_cred,
+mac_test_vnode_check_write(struct ucred *active_cred,
struct ucred *file_cred, struct vnode *vp, struct label *vplabel)
{
@@ -2465,224 +2469,225 @@ mac_test_check_vnode_write(struct ucred *active_cred,
if (file_cred != NULL)
LABEL_CHECK(file_cred->cr_label, MAGIC_CRED);
LABEL_CHECK(vplabel, MAGIC_VNODE);
- COUNTER_INC(check_vnode_write);
+ COUNTER_INC(vnode_check_write);
return (0);
}
static struct mac_policy_ops mac_test_ops =
{
- .mpo_init_bpfdesc_label = mac_test_init_bpfdesc_label,
- .mpo_init_cred_label = mac_test_init_cred_label,
- .mpo_init_devfs_label = mac_test_init_devfs_label,
- .mpo_init_ifnet_label = mac_test_init_ifnet_label,
- .mpo_init_sysv_msgmsg_label = mac_test_init_sysv_msgmsg_label,
- .mpo_init_sysv_msgqueue_label = mac_test_init_sysv_msgqueue_label,
- .mpo_init_sysv_sem_label = mac_test_init_sysv_sem_label,
- .mpo_init_sysv_shm_label = mac_test_init_sysv_shm_label,
- .mpo_init_inpcb_label = mac_test_init_inpcb_label,
- .mpo_init_ipq_label = mac_test_init_ipq_label,
- .mpo_init_mbuf_label = mac_test_init_mbuf_label,
- .mpo_init_mount_label = mac_test_init_mount_label,
- .mpo_init_pipe_label = mac_test_init_pipe_label,
- .mpo_init_posix_sem_label = mac_test_init_posix_sem_label,
- .mpo_init_proc_label = mac_test_init_proc_label,
- .mpo_init_socket_label = mac_test_init_socket_label,
- .mpo_init_socket_peer_label = mac_test_init_socket_peer_label,
- .mpo_init_vnode_label = mac_test_init_vnode_label,
- .mpo_destroy_bpfdesc_label = mac_test_destroy_bpfdesc_label,
- .mpo_destroy_cred_label = mac_test_destroy_cred_label,
- .mpo_destroy_devfs_label = mac_test_destroy_devfs_label,
- .mpo_destroy_ifnet_label = mac_test_destroy_ifnet_label,
- .mpo_destroy_sysv_msgmsg_label = mac_test_destroy_sysv_msgmsg_label,
- .mpo_destroy_sysv_msgqueue_label =
- mac_test_destroy_sysv_msgqueue_label,
- .mpo_destroy_sysv_sem_label = mac_test_destroy_sysv_sem_label,
- .mpo_destroy_sysv_shm_label = mac_test_destroy_sysv_shm_label,
- .mpo_destroy_inpcb_label = mac_test_destroy_inpcb_label,
- .mpo_destroy_ipq_label = mac_test_destroy_ipq_label,
- .mpo_destroy_mbuf_label = mac_test_destroy_mbuf_label,
- .mpo_destroy_mount_label = mac_test_destroy_mount_label,
- .mpo_destroy_pipe_label = mac_test_destroy_pipe_label,
- .mpo_destroy_posix_sem_label = mac_test_destroy_posix_sem_label,
- .mpo_destroy_proc_label = mac_test_destroy_proc_label,
- .mpo_destroy_socket_label = mac_test_destroy_socket_label,
- .mpo_destroy_socket_peer_label = mac_test_destroy_socket_peer_label,
- .mpo_destroy_vnode_label = mac_test_destroy_vnode_label,
- .mpo_copy_cred_label = mac_test_copy_cred_label,
- .mpo_copy_ifnet_label = mac_test_copy_ifnet_label,
- .mpo_copy_mbuf_label = mac_test_copy_mbuf_label,
- .mpo_copy_pipe_label = mac_test_copy_pipe_label,
- .mpo_copy_socket_label = mac_test_copy_socket_label,
- .mpo_copy_vnode_label = mac_test_copy_vnode_label,
- .mpo_externalize_cred_label = mac_test_externalize_label,
- .mpo_externalize_ifnet_label = mac_test_externalize_label,
- .mpo_externalize_pipe_label = mac_test_externalize_label,
- .mpo_externalize_socket_label = mac_test_externalize_label,
- .mpo_externalize_socket_peer_label = mac_test_externalize_label,
- .mpo_externalize_vnode_label = mac_test_externalize_label,
- .mpo_internalize_cred_label = mac_test_internalize_label,
- .mpo_internalize_ifnet_label = mac_test_internalize_label,
- .mpo_internalize_pipe_label = mac_test_internalize_label,
- .mpo_internalize_socket_label = mac_test_internalize_label,
- .mpo_internalize_vnode_label = mac_test_internalize_label,
- .mpo_associate_vnode_devfs = mac_test_associate_vnode_devfs,
- .mpo_associate_vnode_extattr = mac_test_associate_vnode_extattr,
- .mpo_associate_vnode_singlelabel = mac_test_associate_vnode_singlelabel,
- .mpo_create_devfs_device = mac_test_create_devfs_device,
- .mpo_create_devfs_directory = mac_test_create_devfs_directory,
- .mpo_create_devfs_symlink = mac_test_create_devfs_symlink,
- .mpo_create_vnode_extattr = mac_test_create_vnode_extattr,
- .mpo_create_mount = mac_test_create_mount,
- .mpo_relabel_vnode = mac_test_relabel_vnode,
- .mpo_setlabel_vnode_extattr = mac_test_setlabel_vnode_extattr,
- .mpo_update_devfs = mac_test_update_devfs,
- .mpo_create_mbuf_from_socket = mac_test_create_mbuf_from_socket,
- .mpo_create_pipe = mac_test_create_pipe,
- .mpo_create_posix_sem = mac_test_create_posix_sem,
- .mpo_create_socket = mac_test_create_socket,
- .mpo_create_socket_from_socket = mac_test_create_socket_from_socket,
- .mpo_relabel_pipe = mac_test_relabel_pipe,
- .mpo_relabel_socket = mac_test_relabel_socket,
- .mpo_set_socket_peer_from_mbuf = mac_test_set_socket_peer_from_mbuf,
- .mpo_set_socket_peer_from_socket = mac_test_set_socket_peer_from_socket,
- .mpo_create_bpfdesc = mac_test_create_bpfdesc,
- .mpo_create_ifnet = mac_test_create_ifnet,
- .mpo_create_inpcb_from_socket = mac_test_create_inpcb_from_socket,
- .mpo_create_sysv_msgmsg = mac_test_create_sysv_msgmsg,
- .mpo_create_sysv_msgqueue = mac_test_create_sysv_msgqueue,
- .mpo_create_sysv_sem = mac_test_create_sysv_sem,
- .mpo_create_sysv_shm = mac_test_create_sysv_shm,
- .mpo_create_datagram_from_ipq = mac_test_create_datagram_from_ipq,
- .mpo_create_fragment = mac_test_create_fragment,
- .mpo_create_ipq = mac_test_create_ipq,
- .mpo_create_mbuf_from_inpcb = mac_test_create_mbuf_from_inpcb,
+ .mpo_bpfdesc_init_label = mac_test_bpfdesc_init_label,
+ .mpo_cred_init_label = mac_test_cred_init_label,
+ .mpo_devfs_init_label = mac_test_devfs_init_label,
+ .mpo_ifnet_init_label = mac_test_ifnet_init_label,
+ .mpo_sysvmsg_init_label = mac_test_sysvmsg_init_label,
+ .mpo_sysvmsq_init_label = mac_test_sysvmsq_init_label,
+ .mpo_sysvsem_init_label = mac_test_sysvsem_init_label,
+ .mpo_sysvshm_init_label = mac_test_sysvshm_init_label,
+ .mpo_inpcb_init_label = mac_test_inpcb_init_label,
+ .mpo_ipq_init_label = mac_test_ipq_init_label,
+ .mpo_mbuf_init_label = mac_test_mbuf_init_label,
+ .mpo_mount_init_label = mac_test_mount_init_label,
+ .mpo_pipe_init_label = mac_test_pipe_init_label,
+ .mpo_posixsem_init_label = mac_test_posixsem_init_label,
+ .mpo_proc_init_label = mac_test_proc_init_label,
+ .mpo_socket_init_label = mac_test_socket_init_label,
+ .mpo_socketpeer_init_label = mac_test_socketpeer_init_label,
+ .mpo_vnode_init_label = mac_test_vnode_init_label,
+ .mpo_bpfdesc_destroy_label = mac_test_bpfdesc_destroy_label,
+ .mpo_cred_destroy_label = mac_test_cred_destroy_label,
+ .mpo_devfs_destroy_label = mac_test_devfs_destroy_label,
+ .mpo_ifnet_destroy_label = mac_test_ifnet_destroy_label,
+ .mpo_sysvmsg_destroy_label = mac_test_sysvmsg_destroy_label,
+ .mpo_sysvmsq_destroy_label =
+ mac_test_sysvmsq_destroy_label,
+ .mpo_sysvsem_destroy_label = mac_test_sysvsem_destroy_label,
+ .mpo_sysvshm_destroy_label = mac_test_sysvshm_destroy_label,
+ .mpo_inpcb_destroy_label = mac_test_inpcb_destroy_label,
+ .mpo_ipq_destroy_label = mac_test_ipq_destroy_label,
+ .mpo_mbuf_destroy_label = mac_test_mbuf_destroy_label,
+ .mpo_mount_destroy_label = mac_test_mount_destroy_label,
+ .mpo_pipe_destroy_label = mac_test_pipe_destroy_label,
+ .mpo_posixsem_destroy_label = mac_test_posixsem_destroy_label,
+ .mpo_proc_destroy_label = mac_test_proc_destroy_label,
+ .mpo_socket_destroy_label = mac_test_socket_destroy_label,
+ .mpo_socketpeer_destroy_label = mac_test_socketpeer_destroy_label,
+ .mpo_vnode_destroy_label = mac_test_vnode_destroy_label,
+ .mpo_cred_copy_label = mac_test_cred_copy_label,
+ .mpo_ifnet_copy_label = mac_test_ifnet_copy_label,
+ .mpo_mbuf_copy_label = mac_test_mbuf_copy_label,
+ .mpo_pipe_copy_label = mac_test_pipe_copy_label,
+ .mpo_socket_copy_label = mac_test_socket_copy_label,
+ .mpo_vnode_copy_label = mac_test_vnode_copy_label,
+ .mpo_cred_externalize_label = mac_test_externalize_label,
+ .mpo_ifnet_externalize_label = mac_test_externalize_label,
+ .mpo_pipe_externalize_label = mac_test_externalize_label,
+ .mpo_socket_externalize_label = mac_test_externalize_label,
+ .mpo_socketpeer_externalize_label = mac_test_externalize_label,
+ .mpo_vnode_externalize_label = mac_test_externalize_label,
+ .mpo_cred_internalize_label = mac_test_internalize_label,
+ .mpo_ifnet_internalize_label = mac_test_internalize_label,
+ .mpo_pipe_internalize_label = mac_test_internalize_label,
+ .mpo_socket_internalize_label = mac_test_internalize_label,
+ .mpo_vnode_internalize_label = mac_test_internalize_label,
+ .mpo_devfs_vnode_associate = mac_test_devfs_vnode_associate,
+ .mpo_vnode_associate_extattr = mac_test_vnode_associate_extattr,
+ .mpo_vnode_associate_singlelabel = mac_test_vnode_associate_singlelabel,
+ .mpo_devfs_create_device = mac_test_devfs_create_device,
+ .mpo_devfs_create_directory = mac_test_devfs_create_directory,
+ .mpo_devfs_create_symlink = mac_test_devfs_create_symlink,
+ .mpo_vnode_create_extattr = mac_test_vnode_create_extattr,
+ .mpo_mount_create = mac_test_mount_create,
+ .mpo_vnode_relabel = mac_test_vnode_relabel,
+ .mpo_vnode_setlabel_extattr = mac_test_vnode_setlabel_extattr,
+ .mpo_devfs_update = mac_test_devfs_update,
+ .mpo_socket_create_mbuf = mac_test_socket_create_mbuf,
+ .mpo_pipe_create = mac_test_pipe_create,
+ .mpo_posixsem_create = mac_test_posixsem_create,
+ .mpo_socket_create = mac_test_socket_create,
+ .mpo_socket_newconn = mac_test_socket_newconn,
+ .mpo_pipe_relabel = mac_test_pipe_relabel,
+ .mpo_socket_relabel = mac_test_socket_relabel,
+ .mpo_socketpeer_set_from_mbuf = mac_test_socketpeer_set_from_mbuf,
+ .mpo_socketpeer_set_from_socket = mac_test_socketpeer_set_from_socket,
+ .mpo_bpfdesc_create = mac_test_bpfdesc_create,
+ .mpo_ifnet_create = mac_test_ifnet_create,
+ .mpo_inpcb_create = mac_test_inpcb_create,
+ .mpo_sysvmsg_create = mac_test_sysvmsg_create,
+ .mpo_sysvmsq_create = mac_test_sysvmsq_create,
+ .mpo_sysvsem_create = mac_test_sysvsem_create,
+ .mpo_sysvshm_create = mac_test_sysvshm_create,
+ .mpo_ipq_reassemble = mac_test_ipq_reassemble,
+ .mpo_netinet_fragment = mac_test_netinet_fragment,
+ .mpo_ipq_create = mac_test_ipq_create,
+ .mpo_inpcb_create_mbuf = mac_test_inpcb_create_mbuf,
.mpo_create_mbuf_linklayer = mac_test_create_mbuf_linklayer,
- .mpo_create_mbuf_from_bpfdesc = mac_test_create_mbuf_from_bpfdesc,
- .mpo_create_mbuf_from_ifnet = mac_test_create_mbuf_from_ifnet,
- .mpo_create_mbuf_multicast_encap = mac_test_create_mbuf_multicast_encap,
- .mpo_create_mbuf_netlayer = mac_test_create_mbuf_netlayer,
- .mpo_fragment_match = mac_test_fragment_match,
- .mpo_reflect_mbuf_icmp = mac_test_reflect_mbuf_icmp,
- .mpo_reflect_mbuf_tcp = mac_test_reflect_mbuf_tcp,
- .mpo_relabel_ifnet = mac_test_relabel_ifnet,
- .mpo_update_ipq = mac_test_update_ipq,
+ .mpo_bpfdesc_create_mbuf = mac_test_bpfdesc_create_mbuf,
+ .mpo_ifnet_create_mbuf = mac_test_ifnet_create_mbuf,
+ .mpo_mbuf_create_multicast_encap = mac_test_mbuf_create_multicast_encap,
+ .mpo_mbuf_create_netlayer = mac_test_mbuf_create_netlayer,
+ .mpo_ipq_match = mac_test_ipq_match,
+ .mpo_netinet_icmp_reply = mac_test_netinet_icmp_reply,
+ .mpo_netinet_tcp_reply = mac_test_netinet_tcp_reply,
+ .mpo_ifnet_relabel = mac_test_ifnet_relabel,
+ .mpo_ipq_update = mac_test_ipq_update,
.mpo_inpcb_sosetlabel = mac_test_inpcb_sosetlabel,
- .mpo_execve_transition = mac_test_execve_transition,
- .mpo_execve_will_transition = mac_test_execve_will_transition,
- .mpo_create_proc0 = mac_test_create_proc0,
- .mpo_create_proc1 = mac_test_create_proc1,
- .mpo_relabel_cred = mac_test_relabel_cred,
+ .mpo_vnode_execve_transition = mac_test_vnode_execve_transition,
+ .mpo_vnode_execve_will_transition =
+ mac_test_vnode_execve_will_transition,
+ .mpo_proc_create_swapper = mac_test_proc_create_swapper,
+ .mpo_proc_create_init = mac_test_proc_create_init,
+ .mpo_cred_relabel = mac_test_cred_relabel,
.mpo_thread_userret = mac_test_thread_userret,
- .mpo_cleanup_sysv_msgmsg = mac_test_cleanup_sysv_msgmsg,
- .mpo_cleanup_sysv_msgqueue = mac_test_cleanup_sysv_msgqueue,
- .mpo_cleanup_sysv_sem = mac_test_cleanup_sysv_sem,
- .mpo_cleanup_sysv_shm = mac_test_cleanup_sysv_shm,
- .mpo_check_bpfdesc_receive = mac_test_check_bpfdesc_receive,
- .mpo_check_cred_relabel = mac_test_check_cred_relabel,
- .mpo_check_cred_visible = mac_test_check_cred_visible,
- .mpo_check_ifnet_relabel = mac_test_check_ifnet_relabel,
- .mpo_check_ifnet_transmit = mac_test_check_ifnet_transmit,
- .mpo_check_inpcb_deliver = mac_test_check_inpcb_deliver,
- .mpo_check_sysv_msgmsq = mac_test_check_sysv_msgmsq,
- .mpo_check_sysv_msgrcv = mac_test_check_sysv_msgrcv,
- .mpo_check_sysv_msgrmid = mac_test_check_sysv_msgrmid,
- .mpo_check_sysv_msqget = mac_test_check_sysv_msqget,
- .mpo_check_sysv_msqsnd = mac_test_check_sysv_msqsnd,
- .mpo_check_sysv_msqrcv = mac_test_check_sysv_msqrcv,
- .mpo_check_sysv_msqctl = mac_test_check_sysv_msqctl,
- .mpo_check_sysv_semctl = mac_test_check_sysv_semctl,
- .mpo_check_sysv_semget = mac_test_check_sysv_semget,
- .mpo_check_sysv_semop = mac_test_check_sysv_semop,
- .mpo_check_sysv_shmat = mac_test_check_sysv_shmat,
- .mpo_check_sysv_shmctl = mac_test_check_sysv_shmctl,
- .mpo_check_sysv_shmdt = mac_test_check_sysv_shmdt,
- .mpo_check_sysv_shmget = mac_test_check_sysv_shmget,
- .mpo_check_kenv_dump = mac_test_check_kenv_dump,
- .mpo_check_kenv_get = mac_test_check_kenv_get,
- .mpo_check_kenv_set = mac_test_check_kenv_set,
- .mpo_check_kenv_unset = mac_test_check_kenv_unset,
- .mpo_check_kld_load = mac_test_check_kld_load,
- .mpo_check_kld_stat = mac_test_check_kld_stat,
- .mpo_check_mount_stat = mac_test_check_mount_stat,
- .mpo_check_pipe_ioctl = mac_test_check_pipe_ioctl,
- .mpo_check_pipe_poll = mac_test_check_pipe_poll,
- .mpo_check_pipe_read = mac_test_check_pipe_read,
- .mpo_check_pipe_relabel = mac_test_check_pipe_relabel,
- .mpo_check_pipe_stat = mac_test_check_pipe_stat,
- .mpo_check_pipe_write = mac_test_check_pipe_write,
- .mpo_check_posix_sem_destroy = mac_test_check_posix_sem,
- .mpo_check_posix_sem_getvalue = mac_test_check_posix_sem,
- .mpo_check_posix_sem_open = mac_test_check_posix_sem,
- .mpo_check_posix_sem_post = mac_test_check_posix_sem,
- .mpo_check_posix_sem_unlink = mac_test_check_posix_sem,
- .mpo_check_posix_sem_wait = mac_test_check_posix_sem,
- .mpo_check_proc_debug = mac_test_check_proc_debug,
- .mpo_check_proc_sched = mac_test_check_proc_sched,
- .mpo_check_proc_setaudit = mac_test_check_proc_setaudit,
- .mpo_check_proc_setaudit_addr = mac_test_check_proc_setaudit_addr,
- .mpo_check_proc_setauid = mac_test_check_proc_setauid,
- .mpo_check_proc_setuid = mac_test_check_proc_setuid,
- .mpo_check_proc_seteuid = mac_test_check_proc_seteuid,
- .mpo_check_proc_setgid = mac_test_check_proc_setgid,
- .mpo_check_proc_setegid = mac_test_check_proc_setegid,
- .mpo_check_proc_setgroups = mac_test_check_proc_setgroups,
- .mpo_check_proc_setreuid = mac_test_check_proc_setreuid,
- .mpo_check_proc_setregid = mac_test_check_proc_setregid,
- .mpo_check_proc_setresuid = mac_test_check_proc_setresuid,
- .mpo_check_proc_setresgid = mac_test_check_proc_setresgid,
- .mpo_check_proc_signal = mac_test_check_proc_signal,
- .mpo_check_proc_wait = mac_test_check_proc_wait,
- .mpo_check_socket_accept = mac_test_check_socket_accept,
- .mpo_check_socket_bind = mac_test_check_socket_bind,
- .mpo_check_socket_connect = mac_test_check_socket_connect,
- .mpo_check_socket_deliver = mac_test_check_socket_deliver,
- .mpo_check_socket_listen = mac_test_check_socket_listen,
- .mpo_check_socket_poll = mac_test_check_socket_poll,
- .mpo_check_socket_receive = mac_test_check_socket_receive,
- .mpo_check_socket_relabel = mac_test_check_socket_relabel,
- .mpo_check_socket_send = mac_test_check_socket_send,
- .mpo_check_socket_stat = mac_test_check_socket_stat,
- .mpo_check_socket_visible = mac_test_check_socket_visible,
- .mpo_check_system_acct = mac_test_check_system_acct,
- .mpo_check_system_audit = mac_test_check_system_audit,
- .mpo_check_system_auditctl = mac_test_check_system_auditctl,
- .mpo_check_system_auditon = mac_test_check_system_auditon,
- .mpo_check_system_reboot = mac_test_check_system_reboot,
- .mpo_check_system_swapoff = mac_test_check_system_swapoff,
- .mpo_check_system_swapon = mac_test_check_system_swapon,
- .mpo_check_system_sysctl = mac_test_check_system_sysctl,
- .mpo_check_vnode_access = mac_test_check_vnode_access,
- .mpo_check_vnode_chdir = mac_test_check_vnode_chdir,
- .mpo_check_vnode_chroot = mac_test_check_vnode_chroot,
- .mpo_check_vnode_create = mac_test_check_vnode_create,
- .mpo_check_vnode_deleteacl = mac_test_check_vnode_deleteacl,
- .mpo_check_vnode_deleteextattr = mac_test_check_vnode_deleteextattr,
- .mpo_check_vnode_exec = mac_test_check_vnode_exec,
- .mpo_check_vnode_getacl = mac_test_check_vnode_getacl,
- .mpo_check_vnode_getextattr = mac_test_check_vnode_getextattr,
- .mpo_check_vnode_link = mac_test_check_vnode_link,
- .mpo_check_vnode_listextattr = mac_test_check_vnode_listextattr,
- .mpo_check_vnode_lookup = mac_test_check_vnode_lookup,
- .mpo_check_vnode_mmap = mac_test_check_vnode_mmap,
- .mpo_check_vnode_open = mac_test_check_vnode_open,
- .mpo_check_vnode_poll = mac_test_check_vnode_poll,
- .mpo_check_vnode_read = mac_test_check_vnode_read,
- .mpo_check_vnode_readdir = mac_test_check_vnode_readdir,
- .mpo_check_vnode_readlink = mac_test_check_vnode_readlink,
- .mpo_check_vnode_relabel = mac_test_check_vnode_relabel,
- .mpo_check_vnode_rename_from = mac_test_check_vnode_rename_from,
- .mpo_check_vnode_rename_to = mac_test_check_vnode_rename_to,
- .mpo_check_vnode_revoke = mac_test_check_vnode_revoke,
- .mpo_check_vnode_setacl = mac_test_check_vnode_setacl,
- .mpo_check_vnode_setextattr = mac_test_check_vnode_setextattr,
- .mpo_check_vnode_setflags = mac_test_check_vnode_setflags,
- .mpo_check_vnode_setmode = mac_test_check_vnode_setmode,
- .mpo_check_vnode_setowner = mac_test_check_vnode_setowner,
- .mpo_check_vnode_setutimes = mac_test_check_vnode_setutimes,
- .mpo_check_vnode_stat = mac_test_check_vnode_stat,
- .mpo_check_vnode_unlink = mac_test_check_vnode_unlink,
- .mpo_check_vnode_write = mac_test_check_vnode_write,
+ .mpo_sysvmsg_cleanup = mac_test_sysvmsg_cleanup,
+ .mpo_sysvmsq_cleanup = mac_test_sysvmsq_cleanup,
+ .mpo_sysvsem_cleanup = mac_test_sysvsem_cleanup,
+ .mpo_sysvshm_cleanup = mac_test_sysvshm_cleanup,
+ .mpo_bpfdesc_check_receive = mac_test_bpfdesc_check_receive,
+ .mpo_cred_check_relabel = mac_test_cred_check_relabel,
+ .mpo_cred_check_visible = mac_test_cred_check_visible,
+ .mpo_ifnet_check_relabel = mac_test_ifnet_check_relabel,
+ .mpo_ifnet_check_transmit = mac_test_ifnet_check_transmit,
+ .mpo_inpcb_check_deliver = mac_test_inpcb_check_deliver,
+ .mpo_sysvmsq_check_msgmsq = mac_test_sysvmsq_check_msgmsq,
+ .mpo_sysvmsq_check_msgrcv = mac_test_sysvmsq_check_msgrcv,
+ .mpo_sysvmsq_check_msgrmid = mac_test_sysvmsq_check_msgrmid,
+ .mpo_sysvmsq_check_msqget = mac_test_sysvmsq_check_msqget,
+ .mpo_sysvmsq_check_msqsnd = mac_test_sysvmsq_check_msqsnd,
+ .mpo_sysvmsq_check_msqrcv = mac_test_sysvmsq_check_msqrcv,
+ .mpo_sysvmsq_check_msqctl = mac_test_sysvmsq_check_msqctl,
+ .mpo_sysvsem_check_semctl = mac_test_sysvsem_check_semctl,
+ .mpo_sysvsem_check_semget = mac_test_sysvsem_check_semget,
+ .mpo_sysvsem_check_semop = mac_test_sysvsem_check_semop,
+ .mpo_sysvshm_check_shmat = mac_test_sysvshm_check_shmat,
+ .mpo_sysvshm_check_shmctl = mac_test_sysvshm_check_shmctl,
+ .mpo_sysvshm_check_shmdt = mac_test_sysvshm_check_shmdt,
+ .mpo_sysvshm_check_shmget = mac_test_sysvshm_check_shmget,
+ .mpo_kenv_check_dump = mac_test_kenv_check_dump,
+ .mpo_kenv_check_get = mac_test_kenv_check_get,
+ .mpo_kenv_check_set = mac_test_kenv_check_set,
+ .mpo_kenv_check_unset = mac_test_kenv_check_unset,
+ .mpo_kld_check_load = mac_test_kld_check_load,
+ .mpo_kld_check_stat = mac_test_kld_check_stat,
+ .mpo_mount_check_stat = mac_test_mount_check_stat,
+ .mpo_pipe_check_ioctl = mac_test_pipe_check_ioctl,
+ .mpo_pipe_check_poll = mac_test_pipe_check_poll,
+ .mpo_pipe_check_read = mac_test_pipe_check_read,
+ .mpo_pipe_check_relabel = mac_test_pipe_check_relabel,
+ .mpo_pipe_check_stat = mac_test_pipe_check_stat,
+ .mpo_pipe_check_write = mac_test_pipe_check_write,
+ .mpo_posixsem_check_destroy = mac_test_posixsem_check,
+ .mpo_posixsem_check_getvalue = mac_test_posixsem_check,
+ .mpo_posixsem_check_open = mac_test_posixsem_check,
+ .mpo_posixsem_check_post = mac_test_posixsem_check,
+ .mpo_posixsem_check_unlink = mac_test_posixsem_check,
+ .mpo_posixsem_check_wait = mac_test_posixsem_check,
+ .mpo_proc_check_debug = mac_test_proc_check_debug,
+ .mpo_proc_check_sched = mac_test_proc_check_sched,
+ .mpo_proc_check_setaudit = mac_test_proc_check_setaudit,
+ .mpo_proc_check_setaudit_addr = mac_test_proc_check_setaudit_addr,
+ .mpo_proc_check_setauid = mac_test_proc_check_setauid,
+ .mpo_proc_check_setuid = mac_test_proc_check_setuid,
+ .mpo_proc_check_seteuid = mac_test_proc_check_seteuid,
+ .mpo_proc_check_setgid = mac_test_proc_check_setgid,
+ .mpo_proc_check_setegid = mac_test_proc_check_setegid,
+ .mpo_proc_check_setgroups = mac_test_proc_check_setgroups,
+ .mpo_proc_check_setreuid = mac_test_proc_check_setreuid,
+ .mpo_proc_check_setregid = mac_test_proc_check_setregid,
+ .mpo_proc_check_setresuid = mac_test_proc_check_setresuid,
+ .mpo_proc_check_setresgid = mac_test_proc_check_setresgid,
+ .mpo_proc_check_signal = mac_test_proc_check_signal,
+ .mpo_proc_check_wait = mac_test_proc_check_wait,
+ .mpo_socket_check_accept = mac_test_socket_check_accept,
+ .mpo_socket_check_bind = mac_test_socket_check_bind,
+ .mpo_socket_check_connect = mac_test_socket_check_connect,
+ .mpo_socket_check_deliver = mac_test_socket_check_deliver,
+ .mpo_socket_check_listen = mac_test_socket_check_listen,
+ .mpo_socket_check_poll = mac_test_socket_check_poll,
+ .mpo_socket_check_receive = mac_test_socket_check_receive,
+ .mpo_socket_check_relabel = mac_test_socket_check_relabel,
+ .mpo_socket_check_send = mac_test_socket_check_send,
+ .mpo_socket_check_stat = mac_test_socket_check_stat,
+ .mpo_socket_check_visible = mac_test_socket_check_visible,
+ .mpo_system_check_acct = mac_test_system_check_acct,
+ .mpo_system_check_audit = mac_test_system_check_audit,
+ .mpo_system_check_auditctl = mac_test_system_check_auditctl,
+ .mpo_system_check_auditon = mac_test_system_check_auditon,
+ .mpo_system_check_reboot = mac_test_system_check_reboot,
+ .mpo_system_check_swapoff = mac_test_system_check_swapoff,
+ .mpo_system_check_swapon = mac_test_system_check_swapon,
+ .mpo_system_check_sysctl = mac_test_system_check_sysctl,
+ .mpo_vnode_check_access = mac_test_vnode_check_access,
+ .mpo_vnode_check_chdir = mac_test_vnode_check_chdir,
+ .mpo_vnode_check_chroot = mac_test_vnode_check_chroot,
+ .mpo_vnode_check_create = mac_test_vnode_check_create,
+ .mpo_vnode_check_deleteacl = mac_test_vnode_check_deleteacl,
+ .mpo_vnode_check_deleteextattr = mac_test_vnode_check_deleteextattr,
+ .mpo_vnode_check_exec = mac_test_vnode_check_exec,
+ .mpo_vnode_check_getacl = mac_test_vnode_check_getacl,
+ .mpo_vnode_check_getextattr = mac_test_vnode_check_getextattr,
+ .mpo_vnode_check_link = mac_test_vnode_check_link,
+ .mpo_vnode_check_listextattr = mac_test_vnode_check_listextattr,
+ .mpo_vnode_check_lookup = mac_test_vnode_check_lookup,
+ .mpo_vnode_check_mmap = mac_test_vnode_check_mmap,
+ .mpo_vnode_check_open = mac_test_vnode_check_open,
+ .mpo_vnode_check_poll = mac_test_vnode_check_poll,
+ .mpo_vnode_check_read = mac_test_vnode_check_read,
+ .mpo_vnode_check_readdir = mac_test_vnode_check_readdir,
+ .mpo_vnode_check_readlink = mac_test_vnode_check_readlink,
+ .mpo_vnode_check_relabel = mac_test_vnode_check_relabel,
+ .mpo_vnode_check_rename_from = mac_test_vnode_check_rename_from,
+ .mpo_vnode_check_rename_to = mac_test_vnode_check_rename_to,
+ .mpo_vnode_check_revoke = mac_test_vnode_check_revoke,
+ .mpo_vnode_check_setacl = mac_test_vnode_check_setacl,
+ .mpo_vnode_check_setextattr = mac_test_vnode_check_setextattr,
+ .mpo_vnode_check_setflags = mac_test_vnode_check_setflags,
+ .mpo_vnode_check_setmode = mac_test_vnode_check_setmode,
+ .mpo_vnode_check_setowner = mac_test_vnode_check_setowner,
+ .mpo_vnode_check_setutimes = mac_test_vnode_check_setutimes,
+ .mpo_vnode_check_stat = mac_test_vnode_check_stat,
+ .mpo_vnode_check_unlink = mac_test_vnode_check_unlink,
+ .mpo_vnode_check_write = mac_test_vnode_check_write,
};
MAC_POLICY_SET(&mac_test_ops, mac_test, "TrustedBSD MAC/Test",
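Review bot: `.mpo_create_mbuf_linklayer = mac_test_create_mbuf_linklayer,` is left on the old verb-first form in the middle of the converted table, directly above `.mpo_bpfdesc_create_mbuf` and `.mpo_ifnet_create_mbuf`, so the table no longer follows a single naming rule. If that entry point is deliberately deferred to a later commit in the series, a marker above it such as `/* XXX: not yet converted to the <object>_<method> form */` would keep it from reading as an oversight. The removed and added initializers appear to pair one-to-one, with the one extra new line being the wrapped `.mpo_vnode_execve_will_transition` entry. That pairing is worth confirming mechanically, because a slot dropped from a designated-initializer table is left null without any compiler diagnostic. The `MAC_POLICY_SET` statement continues outside the hunk.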
diff --git a/sys/ufs/ffs/ffs_vfsops.c b/sys/ufs/ffs/ffs_vfsops.c
index 8f5a046..cdead73 100644
--- a/sys/ufs/ffs/ffs_vfsops.c
+++ b/sys/ufs/ffs/ffs_vfsops.c
@@ -1464,7 +1464,7 @@ ffs_vget(mp, ino, flags, vpp)
* multi-label, attempt to perform a label association
* from the extended attributes on the inode.
*/
- error = mac_associate_vnode_extattr(mp, vp);
+ error = mac_vnode_associate_extattr(mp, vp);
if (error) {
/* ufs_inactive will release ip->i_devvp ref. */
vput(vp);
diff --git a/sys/ufs/ufs/ufs_vnops.c b/sys/ufs/ufs/ufs_vnops.c
index ec28c2d..9256a69 100644
--- a/sys/ufs/ufs/ufs_vnops.c
+++ b/sys/ufs/ufs/ufs_vnops.c
@@ -1545,7 +1545,7 @@ ufs_mkdir(ap)
goto bad;
#ifdef MAC
if (dvp->v_mount->mnt_flag & MNT_MULTILABEL) {
- error = mac_create_vnode_extattr(cnp->cn_cred, dvp->v_mount,
+ error = mac_vnode_create_extattr(cnp->cn_cred, dvp->v_mount,
dvp, tvp, cnp);
if (error)
goto bad;
@@ -2382,7 +2382,7 @@ ufs_makeinode(mode, dvp, vpp, cnp)
goto bad;
#ifdef MAC
if (dvp->v_mount->mnt_flag & MNT_MULTILABEL) {
- error = mac_create_vnode_extattr(cnp->cn_cred, dvp->v_mount,
+ error = mac_vnode_create_extattr(cnp->cn_cred, dvp->v_mount,
dvp, tvp, cnp);
if (error)
goto bad;
diff --git a/sys/vm/swap_pager.c b/sys/vm/swap_pager.c
index eb82579..e6b294e 100644
--- a/sys/vm/swap_pager.c
+++ b/sys/vm/swap_pager.c
@@ -2119,7 +2119,7 @@ swapoff_one(struct swdevt *sp, struct thread *td)
mtx_assert(&Giant, MA_OWNED);
#ifdef MAC
(void) vn_lock(sp->sw_vp, LK_EXCLUSIVE | LK_RETRY, td);
- error = mac_check_system_swapoff(td->td_ucred, sp->sw_vp);
+ error = mac_system_check_swapoff(td->td_ucred, sp->sw_vp);
(void) VOP_UNLOCK(sp->sw_vp, 0, td);
if (error != 0)
return (error);
@@ -2529,7 +2529,7 @@ swaponvp(struct thread *td, struct vnode *vp, u_long nblks)
(void) vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
#ifdef MAC
- error = mac_check_system_swapon(td->td_ucred, vp);
+ error = mac_system_check_swapon(td->td_ucred, vp);
if (error == 0)
#endif
error = VOP_OPEN(vp, FREAD | FWRITE, td->td_ucred, td, NULL);
diff --git a/sys/vm/vm_mmap.c b/sys/vm/vm_mmap.c
index 8b8e356..4820a14 100644
--- a/sys/vm/vm_mmap.c
+++ b/sys/vm/vm_mmap.c
@@ -1203,7 +1203,7 @@ vm_mmap_vnode(struct thread *td, vm_size_t objsize,
goto done;
}
#ifdef MAC
- error = mac_check_vnode_mmap(td->td_ucred, vp, prot, flags);
+ error = mac_vnode_check_mmap(td->td_ucred, vp, prot, flags);
if (error != 0)
goto done;
#endif