diff options
| author | rwatson <rwatson@FreeBSD.org> | 2007-10-24 19:04:04 +0000 |
|---|---|---|
| committer | rwatson <rwatson@FreeBSD.org> | 2007-10-24 19:04:04 +0000 |
| commit | 60570a92bf794d255e5f8ed235b49c553776ad92 (patch) | |
| tree | fea282db79628eed98808fd38cc46445b2f97ca5 /sys/kern | |
| parent | 7781c2181af1113baab38322a55a90b5469cba03 (diff) | |
| download | FreeBSD-src-60570a92bf794d255e5f8ed235b49c553776ad92.zip FreeBSD-src-60570a92bf794d255e5f8ed235b49c553776ad92.tar.gz | |
Merge first in a series of TrustedBSD MAC Framework KPI changes
from Mac OS X Leopard--rationalize naming for entry points to
the following general forms:
mac_<object>_<method/action>
mac_<object>_check_<method/action>
The previous naming scheme was inconsistent and mostly
reversed from the new scheme. Also, make object types more
consistent and remove spaces from object types that contain
multiple parts ("posix_sem" -> "posixsem") to make mechanical
parsing easier. Introduce a new "netinet" object type for
certain IPv4/IPv6-related methods. Also simplify, slightly,
some entry point names.
All MAC policy modules will need to be recompiled, and modules
not updates as part of this commit will need to be modified to
conform to the new KPI.
Sponsored by: SPARTA (original patches against Mac OS X)
Obtained from: TrustedBSD Project, Apple Computer
Diffstat (limited to 'sys/kern')
33 files changed, 182 insertions, 182 deletions
diff --git a/sys/kern/init_main.c b/sys/kern/init_main.c index ef404b3..ae18f12 100644 --- a/sys/kern/init_main.c +++ b/sys/kern/init_main.c @@ -448,7 +448,7 @@ proc0_init(void *dummy __unused) audit_cred_kproc0(p->p_ucred); #endif #ifdef MAC - mac_create_proc0(p->p_ucred); + mac_proc_create_swapper(p->p_ucred); #endif td->td_ucred = crhold(p->p_ucred); @@ -714,7 +714,7 @@ create_init(const void *udata __unused) oldcred = initproc->p_ucred; crcopy(newcred, oldcred); #ifdef MAC - mac_create_proc1(newcred); + mac_proc_create_init(newcred); #endif #ifdef AUDIT audit_cred_proc1(newcred); diff --git a/sys/kern/kern_acct.c b/sys/kern/kern_acct.c index 17a74c4..13c9b70 100644 --- a/sys/kern/kern_acct.c +++ b/sys/kern/kern_acct.c @@ -218,7 +218,7 @@ acct(struct thread *td, struct acct_args *uap) vfslocked = NDHASGIANT(&nd); NDFREE(&nd, NDF_ONLY_PNBUF); #ifdef MAC - error = mac_check_system_acct(td->td_ucred, nd.ni_vp); + error = mac_system_check_acct(td->td_ucred, nd.ni_vp); if (error) { VOP_UNLOCK(nd.ni_vp, 0, td); vn_close(nd.ni_vp, flags, td->td_ucred, td); @@ -235,7 +235,7 @@ acct(struct thread *td, struct acct_args *uap) VFS_UNLOCK_GIANT(vfslocked); #ifdef MAC } else { - error = mac_check_system_acct(td->td_ucred, NULL); + error = mac_system_check_acct(td->td_ucred, NULL); if (error) return (error); #endif diff --git a/sys/kern/kern_alq.c b/sys/kern/kern_alq.c index a141034..6d132a9 100644 --- a/sys/kern/kern_alq.c +++ b/sys/kern/kern_alq.c @@ -300,7 +300,7 @@ alq_doio(struct alq *alq) * XXX: VOP_WRITE error checks are ignored. */ #ifdef MAC - if (mac_check_vnode_write(alq->aq_cred, NOCRED, vp) == 0) + if (mac_vnode_check_write(alq->aq_cred, NOCRED, vp) == 0) #endif VOP_WRITE(vp, &auio, IO_UNIT | IO_APPEND, alq->aq_cred); VOP_UNLOCK(vp, 0, td); diff --git a/sys/kern/kern_environment.c b/sys/kern/kern_environment.c index ca20f38..34b1eec 100644 --- a/sys/kern/kern_environment.c +++ b/sys/kern/kern_environment.c @@ -95,7 +95,7 @@ kenv(td, uap) error = 0; if (uap->what == KENV_DUMP) { #ifdef MAC - error = mac_check_kenv_dump(td->td_ucred); + error = mac_kenv_check_dump(td->td_ucred); if (error) return (error); #endif @@ -148,7 +148,7 @@ kenv(td, uap) switch (uap->what) { case KENV_GET: #ifdef MAC - error = mac_check_kenv_get(td->td_ucred, name); + error = mac_kenv_check_get(td->td_ucred, name); if (error) goto done; #endif @@ -181,7 +181,7 @@ kenv(td, uap) goto done; } #ifdef MAC - error = mac_check_kenv_set(td->td_ucred, name, value); + error = mac_kenv_check_set(td->td_ucred, name, value); if (error == 0) #endif setenv(name, value); @@ -189,7 +189,7 @@ kenv(td, uap) break; case KENV_UNSET: #ifdef MAC - error = mac_check_kenv_unset(td->td_ucred, name); + error = mac_kenv_check_unset(td->td_ucred, name); if (error) goto done; #endif diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c index b3884d0..d2798db 100644 --- a/sys/kern/kern_exec.c +++ b/sys/kern/kern_exec.c @@ -439,7 +439,7 @@ interpret: NDFREE(ndp, NDF_ONLY_PNBUF); #ifdef MAC interplabel = mac_vnode_label_alloc(); - mac_copy_vnode_label(ndp->ni_vp->v_label, interplabel); + mac_vnode_copy_label(ndp->ni_vp->v_label, interplabel); #endif vput(ndp->ni_vp); vm_object_deallocate(imgp->object); @@ -550,7 +550,7 @@ interpret: credential_changing |= (attr.va_mode & VSGID) && oldcred->cr_gid != attr.va_gid; #ifdef MAC - will_transition = mac_execve_will_transition(oldcred, imgp->vp, + will_transition = mac_vnode_execve_will_transition(oldcred, imgp->vp, interplabel, imgp); credential_changing |= will_transition; #endif @@ -604,7 +604,7 @@ interpret: change_egid(newcred, attr.va_gid); #ifdef MAC if (will_transition) { - mac_execve_transition(oldcred, newcred, imgp->vp, + mac_vnode_execve_transition(oldcred, newcred, imgp->vp, interplabel, imgp); } #endif @@ -1191,7 +1191,7 @@ exec_check_permissions(imgp) return (error); #ifdef MAC - error = mac_check_vnode_exec(td->td_ucred, imgp->vp, imgp); + error = mac_vnode_check_exec(td->td_ucred, imgp->vp, imgp); if (error) return (error); #endif diff --git a/sys/kern/kern_exit.c b/sys/kern/kern_exit.c index 696a101..94b949b 100644 --- a/sys/kern/kern_exit.c +++ b/sys/kern/kern_exit.c @@ -791,7 +791,7 @@ loop: */ vm_waitproc(p); #ifdef MAC - mac_destroy_proc(p); + mac_proc_destroy(p); #endif KASSERT(FIRST_THREAD_IN_PROC(p), ("kern_wait: no residual thread!")); diff --git a/sys/kern/kern_fork.c b/sys/kern/kern_fork.c index 1043d1c..52f68f0 100644 --- a/sys/kern/kern_fork.c +++ b/sys/kern/kern_fork.c @@ -285,7 +285,7 @@ fork1(td, flags, pages, procp) /* Allocate new proc. */ newproc = uma_zalloc(proc_zone, M_WAITOK); #ifdef MAC - mac_init_proc(newproc); + mac_proc_init(newproc); #endif knlist_init(&newproc->p_klist, &newproc->p_mtx, NULL, NULL, NULL); STAILQ_INIT(&newproc->p_ktr); @@ -752,7 +752,7 @@ fail: td->td_ucred->cr_ruid); sx_xunlock(&allproc_lock); #ifdef MAC - mac_destroy_proc(newproc); + mac_proc_destroy(newproc); #endif uma_zfree(proc_zone, newproc); if (p1->p_flag & P_HADTHREADS) { diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c index 49bc0806..1bcc264 100644 --- a/sys/kern/kern_jail.c +++ b/sys/kern/kern_jail.c @@ -258,7 +258,7 @@ jail_attach(struct thread *td, struct jail_attach_args *uap) if ((error = change_dir(pr->pr_root, td)) != 0) goto e_unlock; #ifdef MAC - if ((error = mac_check_vnode_chroot(td->td_ucred, pr->pr_root))) + if ((error = mac_vnode_check_chroot(td->td_ucred, pr->pr_root))) goto e_unlock; #endif VOP_UNLOCK(pr->pr_root, 0, td); diff --git a/sys/kern/kern_ktrace.c b/sys/kern/kern_ktrace.c index 2b7ee33..4e5a63c 100644 --- a/sys/kern/kern_ktrace.c +++ b/sys/kern/kern_ktrace.c @@ -927,7 +927,7 @@ ktr_writerequest(struct thread *td, struct ktr_request *req) vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); (void)VOP_LEASE(vp, td, cred, LEASE_WRITE); #ifdef MAC - error = mac_check_vnode_write(cred, NOCRED, vp); + error = mac_vnode_check_write(cred, NOCRED, vp); if (error == 0) #endif error = VOP_WRITE(vp, &auio, IO_UNIT | IO_APPEND, cred); diff --git a/sys/kern/kern_linker.c b/sys/kern/kern_linker.c index 324d349..e6080aa 100644 --- a/sys/kern/kern_linker.c +++ b/sys/kern/kern_linker.c @@ -995,7 +995,7 @@ kldfind(struct thread *td, struct kldfind_args *uap) int error; #ifdef MAC - error = mac_check_kld_stat(td->td_ucred); + error = mac_kld_check_stat(td->td_ucred); if (error) return (error); #endif @@ -1026,7 +1026,7 @@ kldnext(struct thread *td, struct kldnext_args *uap) int error = 0; #ifdef MAC - error = mac_check_kld_stat(td->td_ucred); + error = mac_kld_check_stat(td->td_ucred); if (error) return (error); #endif @@ -1076,7 +1076,7 @@ kldstat(struct thread *td, struct kldstat_args *uap) return (EINVAL); #ifdef MAC - error = mac_check_kld_stat(td->td_ucred); + error = mac_kld_check_stat(td->td_ucred); if (error) return (error); #endif @@ -1119,7 +1119,7 @@ kldfirstmod(struct thread *td, struct kldfirstmod_args *uap) int error = 0; #ifdef MAC - error = mac_check_kld_stat(td->td_ucred); + error = mac_kld_check_stat(td->td_ucred); if (error) return (error); #endif @@ -1151,7 +1151,7 @@ kldsym(struct thread *td, struct kldsym_args *uap) int error = 0; #ifdef MAC - error = mac_check_kld_stat(td->td_ucred); + error = mac_kld_check_stat(td->td_ucred); if (error) return (error); #endif @@ -1997,7 +1997,7 @@ sysctl_kern_function_list(SYSCTL_HANDLER_ARGS) int error; #ifdef MAC - error = mac_check_kld_stat(req->td->td_ucred); + error = mac_kld_check_stat(req->td->td_ucred); if (error) return (error); #endif diff --git a/sys/kern/kern_mbuf.c b/sys/kern/kern_mbuf.c index 9015e24..97f4075 100644 --- a/sys/kern/kern_mbuf.c +++ b/sys/kern/kern_mbuf.c @@ -323,7 +323,7 @@ mb_ctor_mbuf(void *mem, int size, void *arg, int how) SLIST_INIT(&m->m_pkthdr.tags); #ifdef MAC /* If the label init fails, fail the alloc */ - error = mac_init_mbuf(m, how); + error = mac_mbuf_init(m, how); if (error) return (error); #endif @@ -543,7 +543,7 @@ mb_ctor_pack(void *mem, int size, void *arg, int how) SLIST_INIT(&m->m_pkthdr.tags); #ifdef MAC /* If the label init fails, fail the alloc */ - error = mac_init_mbuf(m, how); + error = mac_mbuf_init(m, how); if (error) return (error); #endif diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c index 18d3b2a..cd0fb17 100644 --- a/sys/kern/kern_prot.c +++ b/sys/kern/kern_prot.c @@ -482,7 +482,7 @@ setuid(struct thread *td, struct setuid_args *uap) oldcred = p->p_ucred; #ifdef MAC - error = mac_check_proc_setuid(p, oldcred, uid); + error = mac_proc_check_setuid(p, oldcred, uid); if (error) goto fail; #endif @@ -594,7 +594,7 @@ seteuid(struct thread *td, struct seteuid_args *uap) oldcred = p->p_ucred; #ifdef MAC - error = mac_check_proc_seteuid(p, oldcred, euid); + error = mac_proc_check_seteuid(p, oldcred, euid); if (error) goto fail; #endif @@ -647,7 +647,7 @@ setgid(struct thread *td, struct setgid_args *uap) oldcred = p->p_ucred; #ifdef MAC - error = mac_check_proc_setgid(p, oldcred, gid); + error = mac_proc_check_setgid(p, oldcred, gid); if (error) goto fail; #endif @@ -746,7 +746,7 @@ setegid(struct thread *td, struct setegid_args *uap) oldcred = p->p_ucred; #ifdef MAC - error = mac_check_proc_setegid(p, oldcred, egid); + error = mac_proc_check_setegid(p, oldcred, egid); if (error) goto fail; #endif @@ -808,7 +808,7 @@ kern_setgroups(struct thread *td, u_int ngrp, gid_t *groups) oldcred = p->p_ucred; #ifdef MAC - error = mac_check_proc_setgroups(p, oldcred, ngrp, groups); + error = mac_proc_check_setgroups(p, oldcred, ngrp, groups); if (error) goto fail; #endif @@ -873,7 +873,7 @@ setreuid(register struct thread *td, struct setreuid_args *uap) oldcred = p->p_ucred; #ifdef MAC - error = mac_check_proc_setreuid(p, oldcred, ruid, euid); + error = mac_proc_check_setreuid(p, oldcred, ruid, euid); if (error) goto fail; #endif @@ -938,7 +938,7 @@ setregid(register struct thread *td, struct setregid_args *uap) oldcred = p->p_ucred; #ifdef MAC - error = mac_check_proc_setregid(p, oldcred, rgid, egid); + error = mac_proc_check_setregid(p, oldcred, rgid, egid); if (error) goto fail; #endif @@ -1009,7 +1009,7 @@ setresuid(register struct thread *td, struct setresuid_args *uap) oldcred = p->p_ucred; #ifdef MAC - error = mac_check_proc_setresuid(p, oldcred, ruid, euid, suid); + error = mac_proc_check_setresuid(p, oldcred, ruid, euid, suid); if (error) goto fail; #endif @@ -1086,7 +1086,7 @@ setresgid(register struct thread *td, struct setresgid_args *uap) oldcred = p->p_ucred; #ifdef MAC - error = mac_check_proc_setresgid(p, oldcred, rgid, egid, sgid); + error = mac_proc_check_setresgid(p, oldcred, rgid, egid, sgid); if (error) goto fail; #endif @@ -1369,7 +1369,7 @@ cr_cansee(struct ucred *u1, struct ucred *u2) if ((error = prison_check(u1, u2))) return (error); #ifdef MAC - if ((error = mac_check_cred_visible(u1, u2))) + if ((error = mac_cred_check_visible(u1, u2))) return (error); #endif if ((error = cr_seeotheruids(u1, u2))) @@ -1430,7 +1430,7 @@ cr_cansignal(struct ucred *cred, struct proc *proc, int signum) if (error) return (error); #ifdef MAC - if ((error = mac_check_proc_signal(cred, proc, signum))) + if ((error = mac_proc_check_signal(cred, proc, signum))) return (error); #endif if ((error = cr_seeotheruids(cred, proc->p_ucred))) @@ -1547,7 +1547,7 @@ p_cansched(struct thread *td, struct proc *p) if ((error = prison_check(td->td_ucred, p->p_ucred))) return (error); #ifdef MAC - if ((error = mac_check_proc_sched(td->td_ucred, p))) + if ((error = mac_proc_check_sched(td->td_ucred, p))) return (error); #endif if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred))) @@ -1604,7 +1604,7 @@ p_candebug(struct thread *td, struct proc *p) if ((error = prison_check(td->td_ucred, p->p_ucred))) return (error); #ifdef MAC - if ((error = mac_check_proc_debug(td->td_ucred, p))) + if ((error = mac_proc_check_debug(td->td_ucred, p))) return (error); #endif if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred))) @@ -1691,7 +1691,7 @@ cr_canseesocket(struct ucred *cred, struct socket *so) return (ENOENT); #ifdef MAC SOCK_LOCK(so); - error = mac_check_socket_visible(cred, so); + error = mac_socket_check_visible(cred, so); SOCK_UNLOCK(so); if (error) return (error); @@ -1723,7 +1723,7 @@ p_canwait(struct thread *td, struct proc *p) if ((error = prison_check(td->td_ucred, p->p_ucred))) return (error); #ifdef MAC - if ((error = mac_check_proc_wait(td->td_ucred, p))) + if ((error = mac_proc_check_wait(td->td_ucred, p))) return (error); #endif #if 0 @@ -1749,7 +1749,7 @@ crget(void) audit_cred_init(cr); #endif #ifdef MAC - mac_init_cred(cr); + mac_cred_init(cr); #endif return (cr); } @@ -1793,7 +1793,7 @@ crfree(struct ucred *cr) audit_cred_destroy(cr); #endif #ifdef MAC - mac_destroy_cred(cr); + mac_cred_destroy(cr); #endif FREE(cr, M_CRED); } @@ -1828,7 +1828,7 @@ crcopy(struct ucred *dest, struct ucred *src) audit_cred_copy(src, dest); #endif #ifdef MAC - mac_copy_cred(src, dest); + mac_cred_copy(src, dest); #endif } diff --git a/sys/kern/kern_shutdown.c b/sys/kern/kern_shutdown.c index bd1aeaf..14a74b7 100644 --- a/sys/kern/kern_shutdown.c +++ b/sys/kern/kern_shutdown.c @@ -160,7 +160,7 @@ reboot(struct thread *td, struct reboot_args *uap) error = 0; #ifdef MAC - error = mac_check_system_reboot(td->td_ucred, uap->opt); + error = mac_system_check_reboot(td->td_ucred, uap->opt); #endif if (error == 0) error = priv_check(td, PRIV_REBOOT); diff --git a/sys/kern/kern_sysctl.c b/sys/kern/kern_sysctl.c index dc64f31..2ce6f7e 100644 --- a/sys/kern/kern_sysctl.c +++ b/sys/kern/kern_sysctl.c @@ -1298,7 +1298,7 @@ sysctl_root(SYSCTL_HANDLER_ARGS) arg2 = oid->oid_arg2; } #ifdef MAC - error = mac_check_system_sysctl(req->td->td_ucred, oid, arg1, arg2, + error = mac_system_check_sysctl(req->td->td_ucred, oid, arg1, arg2, req); if (error != 0) return (error); diff --git a/sys/kern/link_elf.c b/sys/kern/link_elf.c index 5e9480c..86e69a2 100644 --- a/sys/kern/link_elf.c +++ b/sys/kern/link_elf.c @@ -572,7 +572,7 @@ link_elf_load_file(linker_class_t cls, const char* filename, vfslocked = NDHASGIANT(&nd); NDFREE(&nd, NDF_ONLY_PNBUF); #ifdef MAC - error = mac_check_kld_load(curthread->td_ucred, nd.ni_vp); + error = mac_kld_check_load(curthread->td_ucred, nd.ni_vp); if (error) { firstpage = NULL; goto out; diff --git a/sys/kern/link_elf_obj.c b/sys/kern/link_elf_obj.c index 6426fc0..1798253 100644 --- a/sys/kern/link_elf_obj.c +++ b/sys/kern/link_elf_obj.c @@ -410,7 +410,7 @@ link_elf_load_file(linker_class_t cls, const char *filename, vfslocked = NDHASGIANT(&nd); NDFREE(&nd, NDF_ONLY_PNBUF); #ifdef MAC - error = mac_check_kld_load(td->td_ucred, nd.ni_vp); + error = mac_kld_check_load(td->td_ucred, nd.ni_vp); if (error) { goto out; } diff --git a/sys/kern/sys_pipe.c b/sys/kern/sys_pipe.c index 6871306..4e3f523 100644 --- a/sys/kern/sys_pipe.c +++ b/sys/kern/sys_pipe.c @@ -323,11 +323,11 @@ pipe(td, uap) #ifdef MAC /* * The MAC label is shared between the connected endpoints. As a - * result mac_init_pipe() and mac_create_pipe() are called once + * result mac_pipe_init() and mac_pipe_create() are called once * for the pair, and not on the endpoints. */ - mac_init_pipe(pp); - mac_create_pipe(td->td_ucred, pp); + mac_pipe_init(pp); + mac_pipe_create(td->td_ucred, pp); #endif rpipe = &pp->pp_rpipe; wpipe = &pp->pp_wpipe; @@ -576,7 +576,7 @@ pipe_read(fp, uio, active_cred, flags, td) goto unlocked_error; #ifdef MAC - error = mac_check_pipe_read(active_cred, rpipe->pipe_pair); + error = mac_pipe_check_read(active_cred, rpipe->pipe_pair); if (error) goto locked_error; #endif @@ -986,7 +986,7 @@ pipe_write(fp, uio, active_cred, flags, td) return (EPIPE); } #ifdef MAC - error = mac_check_pipe_write(active_cred, wpipe->pipe_pair); + error = mac_pipe_check_write(active_cred, wpipe->pipe_pair); if (error) { pipeunlock(wpipe); PIPE_UNLOCK(rpipe); @@ -1252,7 +1252,7 @@ pipe_ioctl(fp, cmd, data, active_cred, td) PIPE_LOCK(mpipe); #ifdef MAC - error = mac_check_pipe_ioctl(active_cred, mpipe->pipe_pair, cmd, data); + error = mac_pipe_check_ioctl(active_cred, mpipe->pipe_pair, cmd, data); if (error) { PIPE_UNLOCK(mpipe); return (error); @@ -1326,7 +1326,7 @@ pipe_poll(fp, events, active_cred, td) wpipe = rpipe->pipe_peer; PIPE_LOCK(rpipe); #ifdef MAC - error = mac_check_pipe_poll(active_cred, rpipe->pipe_pair); + error = mac_pipe_check_poll(active_cred, rpipe->pipe_pair); if (error) goto locked_error; #endif @@ -1382,7 +1382,7 @@ pipe_stat(fp, ub, active_cred, td) int error; PIPE_LOCK(pipe); - error = mac_check_pipe_stat(active_cred, pipe->pipe_pair); + error = mac_pipe_check_stat(active_cred, pipe->pipe_pair); PIPE_UNLOCK(pipe); if (error) return (error); @@ -1511,7 +1511,7 @@ pipeclose(cpipe) if (ppipe->pipe_present == 0) { PIPE_UNLOCK(cpipe); #ifdef MAC - mac_destroy_pipe(pp); + mac_pipe_destroy(pp); #endif uma_zfree(pipe_zone, cpipe->pipe_pair); } else diff --git a/sys/kern/sys_socket.c b/sys/kern/sys_socket.c index 9229658..7e4547c 100644 --- a/sys/kern/sys_socket.c +++ b/sys/kern/sys_socket.c @@ -77,7 +77,7 @@ soo_read(struct file *fp, struct uio *uio, struct ucred *active_cred, int error; SOCK_LOCK(so); - error = mac_check_socket_receive(active_cred, so); + error = mac_socket_check_receive(active_cred, so); SOCK_UNLOCK(so); if (error) return (error); @@ -95,7 +95,7 @@ soo_write(struct file *fp, struct uio *uio, struct ucred *active_cred, #ifdef MAC SOCK_LOCK(so); - error = mac_check_socket_send(active_cred, so); + error = mac_socket_check_send(active_cred, so); SOCK_UNLOCK(so); if (error) return (error); @@ -208,7 +208,7 @@ soo_poll(struct file *fp, int events, struct ucred *active_cred, int error; SOCK_LOCK(so); - error = mac_check_socket_poll(active_cred, so); + error = mac_socket_check_poll(active_cred, so); SOCK_UNLOCK(so); if (error) return (error); @@ -229,7 +229,7 @@ soo_stat(struct file *fp, struct stat *ub, struct ucred *active_cred, ub->st_mode = S_IFSOCK; #ifdef MAC SOCK_LOCK(so); - error = mac_check_socket_stat(active_cred, so); + error = mac_socket_check_stat(active_cred, so); SOCK_UNLOCK(so); if (error) return (error); diff --git a/sys/kern/sysv_msg.c b/sys/kern/sysv_msg.c index bd5ca90..fe92186 100644 --- a/sys/kern/sysv_msg.c +++ b/sys/kern/sysv_msg.c @@ -224,7 +224,7 @@ msginit() msghdrs[i-1].msg_next = &msghdrs[i]; msghdrs[i].msg_next = NULL; #ifdef MAC - mac_init_sysv_msgmsg(&msghdrs[i]); + mac_sysvmsg_init(&msghdrs[i]); #endif } free_msghdrs = &msghdrs[0]; @@ -237,7 +237,7 @@ msginit() msqids[i].u.msg_perm.seq = 0; /* reset to a known value */ msqids[i].u.msg_perm.mode = 0; #ifdef MAC - mac_init_sysv_msgqueue(&msqids[i]); + mac_sysvmsq_init(&msqids[i]); #endif } mtx_init(&msq_mtx, "msq", NULL, MTX_DEF); @@ -269,9 +269,9 @@ msgunload() #ifdef MAC for (i = 0; i < msginfo.msgtql; i++) - mac_destroy_sysv_msgmsg(&msghdrs[i]); + mac_sysvmsg_destroy(&msghdrs[i]); for (msqid = 0; msqid < msginfo.msgmni; msqid++) - mac_destroy_sysv_msgqueue(&msqids[msqid]); + mac_sysvmsq_destroy(&msqids[msqid]); #endif free(msgpool, M_MSG); free(msgmaps, M_MSG); @@ -369,7 +369,7 @@ msg_freehdr(msghdr) msghdr->msg_next = free_msghdrs; free_msghdrs = msghdr; #ifdef MAC - mac_cleanup_sysv_msgmsg(msghdr); + mac_sysvmsg_cleanup(msghdr); #endif } @@ -435,7 +435,7 @@ kern_msgctl(td, msqid, cmd, msqbuf) goto done2; } #ifdef MAC - error = mac_check_sysv_msqctl(td->td_ucred, msqkptr, cmd); + error = mac_sysvmsq_check_msqctl(td->td_ucred, msqkptr, cmd); if (error != 0) goto done2; #endif @@ -463,7 +463,7 @@ kern_msgctl(td, msqid, cmd, msqbuf) */ for (msghdr = msqkptr->u.msg_first; msghdr != NULL; msghdr = msghdr->msg_next) { - error = mac_check_sysv_msgrmid(td->td_ucred, msghdr); + error = mac_sysvmsq_check_msgrmid(td->td_ucred, msghdr); if (error != 0) goto done2; } @@ -490,7 +490,7 @@ kern_msgctl(td, msqid, cmd, msqbuf) msqkptr->u.msg_qbytes = 0; /* Mark it as free */ #ifdef MAC - mac_cleanup_sysv_msgqueue(msqkptr); + mac_sysvmsq_cleanup(msqkptr); #endif wakeup(msqkptr); @@ -589,7 +589,7 @@ msgget(td, uap) goto done2; } #ifdef MAC - error = mac_check_sysv_msqget(cred, msqkptr); + error = mac_sysvmsq_check_msqget(cred, msqkptr); if (error != 0) goto done2; #endif @@ -636,7 +636,7 @@ msgget(td, uap) msqkptr->u.msg_rtime = 0; msqkptr->u.msg_ctime = time_second; #ifdef MAC - mac_create_sysv_msgqueue(cred, msqkptr); + mac_sysvmsq_create(cred, msqkptr); #endif } else { DPRINTF(("didn't find it and wasn't asked to create it\n")); @@ -705,7 +705,7 @@ kern_msgsnd(td, msqid, msgp, msgsz, msgflg, mtype) } #ifdef MAC - error = mac_check_sysv_msqsnd(td->td_ucred, msqkptr); + error = mac_sysvmsq_check_msqsnd(td->td_ucred, msqkptr); if (error != 0) goto done2; #endif @@ -830,11 +830,11 @@ kern_msgsnd(td, msqid, msgp, msgsz, msgflg, mtype) msghdr->msg_type = mtype; #ifdef MAC /* - * XXXMAC: Should the mac_check_sysv_msgmsq check follow here + * XXXMAC: Should the mac_sysvmsq_check_msgmsq check follow here * immediately? Or, should it be checked just before the msg is * enqueued in the msgq (as it is done now)? */ - mac_create_sysv_msgmsg(td->td_ucred, msqkptr, msghdr); + mac_sysvmsg_create(td->td_ucred, msqkptr, msghdr); #endif /* @@ -928,14 +928,14 @@ kern_msgsnd(td, msqid, msgp, msgsz, msgflg, mtype) * Note: Since the task/thread allocates the msghdr and usually * primes it with its own MAC label, for a majority of policies, it * won't be necessary to check whether the msghdr has access - * permissions to the msgq. The mac_check_sysv_msqsnd check would + * permissions to the msgq. The mac_sysvmsq_check_msqsnd check would * suffice in that case. However, this hook may be required where * individual policies derive a non-identical label for the msghdr * from the current thread label and may want to check the msghdr * enqueue permissions, along with read/write permissions to the * msgq. */ - error = mac_check_sysv_msgmsq(td->td_ucred, msghdr, msqkptr); + error = mac_sysvmsq_check_msgmsq(td->td_ucred, msghdr, msqkptr); if (error != 0) { msg_freehdr(msghdr); wakeup(msqkptr); @@ -1042,7 +1042,7 @@ kern_msgrcv(td, msqid, msgp, msgsz, msgtyp, msgflg, mtype) } #ifdef MAC - error = mac_check_sysv_msqrcv(td->td_ucred, msqkptr); + error = mac_sysvmsq_check_msqrcv(td->td_ucred, msqkptr); if (error != 0) goto done2; #endif @@ -1061,7 +1061,7 @@ kern_msgrcv(td, msqid, msgp, msgsz, msgtyp, msgflg, mtype) goto done2; } #ifdef MAC - error = mac_check_sysv_msgrcv(td->td_ucred, + error = mac_sysvmsq_check_msgrcv(td->td_ucred, msghdr); if (error != 0) goto done2; @@ -1106,7 +1106,7 @@ kern_msgrcv(td, msqid, msgp, msgsz, msgtyp, msgflg, mtype) goto done2; } #ifdef MAC - error = mac_check_sysv_msgrcv( + error = mac_sysvmsq_check_msgrcv( td->td_ucred, msghdr); if (error != 0) goto done2; diff --git a/sys/kern/sysv_sem.c b/sys/kern/sysv_sem.c index 48548a2..bea7832 100644 --- a/sys/kern/sysv_sem.c +++ b/sys/kern/sysv_sem.c @@ -245,7 +245,7 @@ seminit(void) sema[i].u.sem_perm.mode = 0; sema[i].u.sem_perm.seq = 0; #ifdef MAC - mac_init_sysv_sem(&sema[i]); + mac_sysvsem_init(&sema[i]); #endif } for (i = 0; i < seminfo.semmni; i++) @@ -271,7 +271,7 @@ semunload(void) EVENTHANDLER_DEREGISTER(process_exit, semexit_tag); #ifdef MAC for (i = 0; i < seminfo.semmni; i++) - mac_destroy_sysv_sem(&sema[i]); + mac_sysvsem_destroy(&sema[i]); #endif free(sem, M_SEM); free(sema, M_SEM); @@ -639,7 +639,7 @@ kern_semctl(struct thread *td, int semid, int semnum, int cmd, if ((error = ipcperm(td, &semakptr->u.sem_perm, IPC_R))) goto done2; #ifdef MAC - error = mac_check_sysv_semctl(cred, semakptr, cmd); + error = mac_sysvsem_check_semctl(cred, semakptr, cmd); if (error != 0) goto done2; #endif @@ -657,7 +657,7 @@ kern_semctl(struct thread *td, int semid, int semnum, int cmd, sema_mtxp = &sema_mtx[semidx]; mtx_lock(sema_mtxp); #ifdef MAC - error = mac_check_sysv_semctl(cred, semakptr, cmd); + error = mac_sysvsem_check_semctl(cred, semakptr, cmd); if (error != 0) goto done2; #endif @@ -683,7 +683,7 @@ kern_semctl(struct thread *td, int semid, int semnum, int cmd, } semakptr->u.sem_perm.mode = 0; #ifdef MAC - mac_cleanup_sysv_sem(semakptr); + mac_sysvsem_cleanup(semakptr); #endif SEMUNDO_LOCK(); semundo_clear(semidx, -1); @@ -906,7 +906,7 @@ semget(td, uap) goto done2; } #ifdef MAC - error = mac_check_sysv_semget(cred, &sema[semid]); + error = mac_sysvsem_check_semget(cred, &sema[semid]); if (error != 0) goto done2; #endif @@ -955,7 +955,7 @@ semget(td, uap) bzero(sema[semid].u.sem_base, sizeof(sema[semid].u.sem_base[0])*nsems); #ifdef MAC - mac_create_sysv_sem(cred, &sema[semid]); + mac_sysvsem_create(cred, &sema[semid]); #endif DPRINTF(("sembase = %p, next = %p\n", sema[semid].u.sem_base, &sem[semtot])); @@ -1063,7 +1063,7 @@ semop(td, uap) goto done2; } #ifdef MAC - error = mac_check_sysv_semop(td->td_ucred, semakptr, j); + error = mac_sysvsem_check_semop(td->td_ucred, semakptr, j); if (error != 0) goto done2; #endif diff --git a/sys/kern/sysv_shm.c b/sys/kern/sysv_shm.c index 574c3de..57b6c5e 100644 --- a/sys/kern/sysv_shm.c +++ b/sys/kern/sysv_shm.c @@ -255,7 +255,7 @@ shm_deallocate_segment(shmseg) shm_nused--; shmseg->u.shm_perm.mode = SHMSEG_FREE; #ifdef MAC - mac_cleanup_sysv_shm(shmseg); + mac_sysvshm_cleanup(shmseg); #endif } @@ -322,7 +322,7 @@ shmdt(td, uap) } #ifdef MAC shmsegptr = &shmsegs[IPCID_TO_IX(shmmap_s->shmid)]; - error = mac_check_sysv_shmdt(td->td_ucred, shmsegptr); + error = mac_sysvshm_check_shmdt(td->td_ucred, shmsegptr); if (error != 0) goto done2; #endif @@ -377,7 +377,7 @@ kern_shmat(td, shmid, shmaddr, shmflg) if (error) goto done2; #ifdef MAC - error = mac_check_sysv_shmat(td->td_ucred, shmseg, shmflg); + error = mac_sysvshm_check_shmat(td->td_ucred, shmseg, shmflg); if (error != 0) goto done2; #endif @@ -492,7 +492,7 @@ oshmctl(td, uap) if (error) goto done2; #ifdef MAC - error = mac_check_sysv_shmctl(td->td_ucred, shmseg, uap->cmd); + error = mac_sysvshm_check_shmctl(td->td_ucred, shmseg, uap->cmd); if (error != 0) goto done2; #endif @@ -575,7 +575,7 @@ kern_shmctl(td, shmid, cmd, buf, bufsz) goto done2; } #ifdef MAC - error = mac_check_sysv_shmctl(td->td_ucred, shmseg, cmd); + error = mac_sysvshm_check_shmctl(td->td_ucred, shmseg, cmd); if (error != 0) goto done2; #endif @@ -701,7 +701,7 @@ shmget_existing(td, uap, mode, segnum) if ((uap->shmflg & (IPC_CREAT | IPC_EXCL)) == (IPC_CREAT | IPC_EXCL)) return (EEXIST); #ifdef MAC - error = mac_check_sysv_shmget(td->td_ucred, shmseg, uap->shmflg); + error = mac_sysvshm_check_shmget(td->td_ucred, shmseg, uap->shmflg); if (error != 0) return (error); #endif @@ -779,7 +779,7 @@ shmget_allocate_segment(td, uap, mode) shmseg->u.shm_lpid = shmseg->u.shm_nattch = 0; shmseg->u.shm_atime = shmseg->u.shm_dtime = 0; #ifdef MAC - mac_create_sysv_shm(cred, shmseg); + mac_sysvshm_create(cred, shmseg); #endif shmseg->u.shm_ctime = time_second; shm_committed += btoc(size); @@ -911,7 +911,7 @@ shmrealloc(void) shmsegs[i].u.shm_perm.mode = SHMSEG_FREE; shmsegs[i].u.shm_perm.seq = 0; #ifdef MAC - mac_init_sysv_shm(&shmsegs[i]); + mac_sysvshm_init(&shmsegs[i]); #endif } free(shmsegs, M_SHM); @@ -943,7 +943,7 @@ shminit() shmsegs[i].u.shm_perm.mode = SHMSEG_FREE; shmsegs[i].u.shm_perm.seq = 0; #ifdef MAC - mac_init_sysv_shm(&shmsegs[i]); + mac_sysvshm_init(&shmsegs[i]); #endif } shm_last_free = 0; @@ -965,7 +965,7 @@ shmunload() #ifdef MAC for (i = 0; i < shmalloced; i++) - mac_destroy_sysv_shm(&shmsegs[i]); + mac_sysvshm_destroy(&shmsegs[i]); #endif free(shmsegs, M_SHM); shmexit_hook = NULL; diff --git a/sys/kern/uipc_mbuf2.c b/sys/kern/uipc_mbuf2.c index c8363f8..6fe83b0 100644 --- a/sys/kern/uipc_mbuf2.c +++ b/sys/kern/uipc_mbuf2.c @@ -309,7 +309,7 @@ m_tag_free_default(struct m_tag *t) { #ifdef MAC if (t->m_tag_id == PACKET_TAG_MACLABEL) - mac_destroy_mbuf_tag(t); + mac_mbuf_tag_destroy(t); #endif free(t, M_PACKET_TAGS); } @@ -413,11 +413,11 @@ m_tag_copy(struct m_tag *t, int how) * special from the mbuf code? */ if (t->m_tag_id == PACKET_TAG_MACLABEL) { - if (mac_init_mbuf_tag(p, how) != 0) { + if (mac_mbuf_tag_init(p, how) != 0) { m_tag_free(p); return (NULL); } - mac_copy_mbuf_tag(t, p); + mac_mbuf_tag_copy(t, p); } else #endif bcopy(t + 1, p + 1, t->m_tag_len); /* Copy the data */ diff --git a/sys/kern/uipc_sem.c b/sys/kern/uipc_sem.c index c9903aa..588d6bf 100644 --- a/sys/kern/uipc_sem.c +++ b/sys/kern/uipc_sem.c @@ -215,8 +215,8 @@ sem_create(struct thread *td, const char *name, struct ksem **ksret, cv_init(&ret->ks_cv, "sem"); LIST_INIT(&ret->ks_users); #ifdef MAC - mac_init_posix_sem(ret); - mac_create_posix_sem(uc, ret); + mac_posixsem_init(ret); + mac_posixsem_create(uc, ret); #endif if (name != NULL) sem_enter(td->td_proc, ret); @@ -381,7 +381,7 @@ kern_sem_open(struct thread *td, int dir, const char *name, int oflag, } } else { #ifdef MAC - error = mac_check_posix_sem_open(td->td_ucred, ks); + error = mac_posixsem_check_open(td->td_ucred, ks); if (error) goto err_open; #endif @@ -540,7 +540,7 @@ kern_sem_unlink(struct thread *td, const char *name) ks = sem_lookup_byname(name); if (ks != NULL) { #ifdef MAC - error = mac_check_posix_sem_unlink(td->td_ucred, ks); + error = mac_posixsem_check_unlink(td->td_ucred, ks); if (error) { mtx_unlock(&sem_lock); return (error); @@ -614,7 +614,7 @@ kern_sem_post(struct thread *td, semid_t id) goto err; } #ifdef MAC - error = mac_check_posix_sem_post(td->td_ucred, ks); + error = mac_posixsem_check_post(td->td_ucred, ks); if (error) goto err; #endif @@ -709,7 +709,7 @@ kern_sem_wait(struct thread *td, semid_t id, int tryflag, goto err; } #ifdef MAC - error = mac_check_posix_sem_wait(td->td_ucred, ks); + error = mac_posixsem_check_wait(td->td_ucred, ks); if (error) { DP(("kern_sem_wait mac failed\n")); goto err; @@ -772,7 +772,7 @@ ksem_getvalue(struct thread *td, struct ksem_getvalue_args *uap) return (EINVAL); } #ifdef MAC - error = mac_check_posix_sem_getvalue(td->td_ucred, ks); + error = mac_posixsem_check_getvalue(td->td_ucred, ks); if (error) { mtx_unlock(&sem_lock); return (error); @@ -804,7 +804,7 @@ ksem_destroy(struct thread *td, struct ksem_destroy_args *uap) goto err; } #ifdef MAC - error = mac_check_posix_sem_destroy(td->td_ucred, ks); + error = mac_posixsem_check_destroy(td->td_ucred, ks); if (error) goto err; #endif diff --git a/sys/kern/uipc_socket.c b/sys/kern/uipc_socket.c index e2cf09b..d89b435 100644 --- a/sys/kern/uipc_socket.c +++ b/sys/kern/uipc_socket.c @@ -267,7 +267,7 @@ soalloc(void) if (so == NULL) return (NULL); #ifdef MAC - if (mac_init_socket(so, M_NOWAIT) != 0) { + if (mac_socket_init(so, M_NOWAIT) != 0) { uma_zfree(socket_zone, so); return (NULL); } @@ -312,7 +312,7 @@ sodealloc(struct socket *so) do_setopt_accept_filter(so, NULL); #endif #ifdef MAC - mac_destroy_socket(so); + mac_socket_destroy(so); #endif crfree(so->so_cred); sx_destroy(&so->so_snd.sb_sx); @@ -362,7 +362,7 @@ socreate(int dom, struct socket **aso, int type, int proto, so->so_cred = crhold(cred); so->so_proto = prp; #ifdef MAC - mac_create_socket(cred, so); + mac_socket_create(cred, so); #endif knlist_init(&so->so_rcv.sb_sel.si_note, SOCKBUF_MTX(&so->so_rcv), NULL, NULL, NULL); @@ -429,7 +429,7 @@ sonewconn(struct socket *head, int connstatus) so->so_cred = crhold(head->so_cred); #ifdef MAC SOCK_LOCK(head); - mac_create_socket_from_socket(head, so); + mac_socket_newconn(head, so); SOCK_UNLOCK(head); #endif knlist_init(&so->so_rcv.sb_sel.si_note, SOCKBUF_MTX(&so->so_rcv), diff --git a/sys/kern/uipc_syscalls.c b/sys/kern/uipc_syscalls.c index 2821a5e..faf7f24 100644 --- a/sys/kern/uipc_syscalls.c +++ b/sys/kern/uipc_syscalls.c @@ -165,7 +165,7 @@ socket(td, uap) int fd, error; #ifdef MAC - error = mac_check_socket_create(td->td_ucred, uap->domain, uap->type, + error = mac_socket_check_create(td->td_ucred, uap->domain, uap->type, uap->protocol); if (error) return (error); @@ -229,7 +229,7 @@ kern_bind(td, fd, sa) so = fp->f_data; #ifdef MAC SOCK_LOCK(so); - error = mac_check_socket_bind(td->td_ucred, so, sa); + error = mac_socket_check_bind(td->td_ucred, so, sa); SOCK_UNLOCK(so); if (error) goto done; @@ -260,7 +260,7 @@ listen(td, uap) so = fp->f_data; #ifdef MAC SOCK_LOCK(so); - error = mac_check_socket_listen(td->td_ucred, so); + error = mac_socket_check_listen(td->td_ucred, so); SOCK_UNLOCK(so); if (error) goto done; @@ -360,7 +360,7 @@ kern_accept(struct thread *td, int s, struct sockaddr **name, } #ifdef MAC SOCK_LOCK(head); - error = mac_check_socket_accept(td->td_ucred, head); + error = mac_socket_check_accept(td->td_ucred, head); SOCK_UNLOCK(head); if (error != 0) goto done; @@ -550,7 +550,7 @@ kern_connect(td, fd, sa) } #ifdef MAC SOCK_LOCK(so); - error = mac_check_socket_connect(td->td_ucred, so, sa); + error = mac_socket_check_connect(td->td_ucred, so, sa); SOCK_UNLOCK(so); if (error) goto bad; @@ -604,7 +604,7 @@ socketpair(td, uap) #ifdef MAC /* We might want to have a separate check for socket pairs. */ - error = mac_check_socket_create(td->td_ucred, uap->domain, uap->type, + error = mac_socket_check_create(td->td_ucred, uap->domain, uap->type, uap->protocol); if (error) return (error); @@ -761,7 +761,7 @@ kern_sendit(td, s, mp, flags, control, segflg) #ifdef MAC SOCK_LOCK(so); - error = mac_check_socket_send(td->td_ucred, so); + error = mac_socket_check_send(td->td_ucred, so); SOCK_UNLOCK(so); if (error) goto bad; @@ -956,7 +956,7 @@ kern_recvit(td, s, mp, fromseg, controlp) #ifdef MAC SOCK_LOCK(so); - error = mac_check_socket_receive(td->td_ucred, so); + error = mac_socket_check_receive(td->td_ucred, so); SOCK_UNLOCK(so); if (error) { fdrop(fp, td); @@ -1849,7 +1849,7 @@ kern_sendfile(struct thread *td, struct sendfile_args *uap, #ifdef MAC SOCK_LOCK(so); - error = mac_check_socket_send(td->td_ucred, so); + error = mac_socket_check_send(td->td_ucred, so); SOCK_UNLOCK(so); if (error) goto out; @@ -2354,7 +2354,7 @@ sctp_generic_sendmsg (td, uap) so = (struct socket *)fp->f_data; #ifdef MAC SOCK_LOCK(so); - error = mac_check_socket_send(td->td_ucred, so); + error = mac_socket_check_send(td->td_ucred, so); SOCK_UNLOCK(so); if (error) goto sctp_bad; @@ -2454,7 +2454,7 @@ sctp_generic_sendmsg_iov(td, uap) so = (struct socket *)fp->f_data; #ifdef MAC SOCK_LOCK(so); - error = mac_check_socket_send(td->td_ucred, so); + error = mac_socket_check_send(td->td_ucred, so); SOCK_UNLOCK(so); if (error) goto sctp_bad; @@ -2551,7 +2551,7 @@ sctp_generic_recvmsg(td, uap) so = fp->f_data; #ifdef MAC SOCK_LOCK(so); - error = mac_check_socket_receive(td->td_ucred, so); + error = mac_socket_check_receive(td->td_ucred, so); SOCK_UNLOCK(so); if (error) { goto out; diff --git a/sys/kern/uipc_usrreq.c b/sys/kern/uipc_usrreq.c index 682496e..9fea71b4 100644 --- a/sys/kern/uipc_usrreq.c +++ b/sys/kern/uipc_usrreq.c @@ -449,7 +449,7 @@ restart: vattr.va_type = VSOCK; vattr.va_mode = (ACCESSPERMS & ~td->td_proc->p_fd->fd_cmask); #ifdef MAC - error = mac_check_vnode_create(td->td_ucred, nd.ni_dvp, &nd.ni_cnd, + error = mac_vnode_check_create(td->td_ucred, nd.ni_dvp, &nd.ni_cnd, &vattr); #endif if (error == 0) { @@ -1159,7 +1159,7 @@ unp_connect(struct socket *so, struct sockaddr *nam, struct thread *td) goto bad; } #ifdef MAC - error = mac_check_vnode_open(td->td_ucred, vp, VWRITE | VREAD); + error = mac_vnode_check_open(td->td_ucred, vp, VWRITE | VREAD); if (error) goto bad; #endif @@ -1236,8 +1236,8 @@ unp_connect(struct socket *so, struct sockaddr *nam, struct thread *td) UNP_PCB_UNLOCK(unp); #ifdef MAC SOCK_LOCK(so); - mac_set_socket_peer_from_socket(so, so3); - mac_set_socket_peer_from_socket(so3, so); + mac_socketpeer_set_from_socket(so, so3); + mac_socketpeer_set_from_socket(so3, so); SOCK_UNLOCK(so); #endif diff --git a/sys/kern/vfs_acl.c b/sys/kern/vfs_acl.c index c2456be..ea33f66 100644 --- a/sys/kern/vfs_acl.c +++ b/sys/kern/vfs_acl.c @@ -93,7 +93,7 @@ vacl_set_acl(struct thread *td, struct vnode *vp, acl_type_t type, VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE); vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); #ifdef MAC - error = mac_check_vnode_setacl(td->td_ucred, vp, type, &inkernacl); + error = mac_vnode_check_setacl(td->td_ucred, vp, type, &inkernacl); if (error != 0) goto out; #endif @@ -119,7 +119,7 @@ vacl_get_acl(struct thread *td, struct vnode *vp, acl_type_t type, VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE); vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); #ifdef MAC - error = mac_check_vnode_getacl(td->td_ucred, vp, type); + error = mac_vnode_check_getacl(td->td_ucred, vp, type); if (error != 0) goto out; #endif @@ -148,7 +148,7 @@ vacl_delete(struct thread *td, struct vnode *vp, acl_type_t type) VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE); vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); #ifdef MAC - error = mac_check_vnode_deleteacl(td->td_ucred, vp, type); + error = mac_vnode_check_deleteacl(td->td_ucred, vp, type); if (error) goto out; #endif diff --git a/sys/kern/vfs_extattr.c b/sys/kern/vfs_extattr.c index 48bfd66..0d414f8 100644 --- a/sys/kern/vfs_extattr.c +++ b/sys/kern/vfs_extattr.c @@ -180,7 +180,7 @@ extattr_set_vp(struct vnode *vp, int attrnamespace, const char *attrname, cnt = nbytes; #ifdef MAC - error = mac_check_vnode_setextattr(td->td_ucred, vp, attrnamespace, + error = mac_vnode_check_setextattr(td->td_ucred, vp, attrnamespace, attrname, &auio); if (error) goto done; @@ -358,7 +358,7 @@ extattr_get_vp(struct vnode *vp, int attrnamespace, const char *attrname, sizep = &size; #ifdef MAC - error = mac_check_vnode_getextattr(td->td_ucred, vp, attrnamespace, + error = mac_vnode_check_getextattr(td->td_ucred, vp, attrnamespace, attrname, &auio); if (error) goto done; @@ -512,7 +512,7 @@ extattr_delete_vp(struct vnode *vp, int attrnamespace, const char *attrname, vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); #ifdef MAC - error = mac_check_vnode_deleteextattr(td->td_ucred, vp, attrnamespace, + error = mac_vnode_check_deleteextattr(td->td_ucred, vp, attrnamespace, attrname); if (error) goto done; @@ -676,7 +676,7 @@ extattr_list_vp(struct vnode *vp, int attrnamespace, void *data, sizep = &size; #ifdef MAC - error = mac_check_vnode_listextattr(td->td_ucred, vp, attrnamespace); + error = mac_vnode_check_listextattr(td->td_ucred, vp, attrnamespace); if (error) goto done; #endif diff --git a/sys/kern/vfs_lookup.c b/sys/kern/vfs_lookup.c index 6349c36..0841fd3 100644 --- a/sys/kern/vfs_lookup.c +++ b/sys/kern/vfs_lookup.c @@ -252,7 +252,7 @@ namei(struct nameidata *ndp) } #ifdef MAC if ((cnp->cn_flags & NOMACCHECK) == 0) { - error = mac_check_vnode_readlink(td->td_ucred, + error = mac_vnode_check_readlink(td->td_ucred, ndp->ni_vp); if (error) break; @@ -556,7 +556,7 @@ dirloop: unionlookup: #ifdef MAC if ((cnp->cn_flags & NOMACCHECK) == 0) { - error = mac_check_vnode_lookup(td->td_ucred, dp, cnp); + error = mac_vnode_check_lookup(td->td_ucred, dp, cnp); if (error) goto bad; } diff --git a/sys/kern/vfs_mount.c b/sys/kern/vfs_mount.c index a109a3b..e8fbd50 100644 --- a/sys/kern/vfs_mount.c +++ b/sys/kern/vfs_mount.c @@ -488,8 +488,8 @@ vfs_mount_alloc(struct vnode *vp, struct vfsconf *vfsp, strlcpy(mp->mnt_stat.f_mntonname, fspath, MNAMELEN); mp->mnt_iosize_max = DFLTPHYS; #ifdef MAC - mac_init_mount(mp); - mac_create_mount(td->td_ucred, mp); + mac_mount_init(mp); + mac_mount_create(td->td_ucred, mp); #endif arc4rand(&mp->mnt_hashseed, sizeof mp->mnt_hashseed, 0); return (mp); @@ -567,7 +567,7 @@ vfs_mount_destroy(struct mount *mp) mp->mnt_secondary_writes = -1000; MNT_IUNLOCK(mp); #ifdef MAC - mac_destroy_mount(mp); + mac_mount_destroy(mp); #endif if (mp->mnt_opt != NULL) vfs_freeopts(mp->mnt_opt); diff --git a/sys/kern/vfs_subr.c b/sys/kern/vfs_subr.c index fce5beb..8dca49b 100644 --- a/sys/kern/vfs_subr.c +++ b/sys/kern/vfs_subr.c @@ -811,7 +811,7 @@ vdestroy(struct vnode *vp) VNASSERT(LIST_EMPTY(&vp->v_cache_src), vp, ("vp has namecache src")); VI_UNLOCK(vp); #ifdef MAC - mac_destroy_vnode(vp); + mac_vnode_destroy(vp); #endif if (vp->v_pollinfo != NULL) { knlist_destroy(&vp->v_pollinfo->vpi_selinfo.si_note); @@ -955,9 +955,9 @@ alloc: v_incr_usecount(vp); vp->v_data = 0; #ifdef MAC - mac_init_vnode(vp); + mac_vnode_init(vp); if (mp != NULL && (mp->mnt_flag & MNT_MULTILABEL) == 0) - mac_associate_vnode_singlelabel(mp, vp); + mac_vnode_associate_singlelabel(mp, vp); else if (mp == NULL) printf("NULL mp in getnewvnode()\n"); #endif diff --git a/sys/kern/vfs_syscalls.c b/sys/kern/vfs_syscalls.c index 07a8de1..20d722e 100644 --- a/sys/kern/vfs_syscalls.c +++ b/sys/kern/vfs_syscalls.c @@ -293,7 +293,7 @@ kern_statfs(struct thread *td, char *path, enum uio_seg pathseg, NDFREE(&nd, NDF_ONLY_PNBUF); vput(nd.ni_vp); #ifdef MAC - error = mac_check_mount_stat(td->td_ucred, mp); + error = mac_mount_check_stat(td->td_ucred, mp); if (error) goto out; #endif @@ -378,7 +378,7 @@ kern_fstatfs(struct thread *td, int fd, struct statfs *buf) goto out; } #ifdef MAC - error = mac_check_mount_stat(td->td_ucred, mp); + error = mac_mount_check_stat(td->td_ucred, mp); if (error) goto out; #endif @@ -470,7 +470,7 @@ kern_getfsstat(struct thread *td, struct statfs **buf, size_t bufsize, continue; } #ifdef MAC - if (mac_check_mount_stat(td->td_ucred, mp) != 0) { + if (mac_mount_check_stat(td->td_ucred, mp) != 0) { nmp = TAILQ_NEXT(mp, mnt_list); continue; } @@ -891,7 +891,7 @@ chroot(td, uap) if ((error = change_dir(nd.ni_vp, td)) != 0) goto e_vunlock; #ifdef MAC - if ((error = mac_check_vnode_chroot(td->td_ucred, nd.ni_vp))) + if ((error = mac_vnode_check_chroot(td->td_ucred, nd.ni_vp))) goto e_vunlock; #endif VOP_UNLOCK(nd.ni_vp, 0, td); @@ -923,7 +923,7 @@ change_dir(vp, td) if (vp->v_type != VDIR) return (ENOTDIR); #ifdef MAC - error = mac_check_vnode_chdir(td->td_ucred, vp); + error = mac_vnode_check_chdir(td->td_ucred, vp); if (error) return (error); #endif @@ -933,8 +933,8 @@ change_dir(vp, td) /* * Common routine for kern_chroot() and jail_attach(). The caller is - * responsible for invoking priv_check() and mac_check_chroot() to authorize - * this operation. + * responsible for invoking priv_check() and mac_vnode_check_chroot() to + * authorize this operation. */ int change_root(vp, td) @@ -1103,7 +1103,7 @@ kern_open(struct thread *td, char *path, enum uio_seg pathseg, int flags, vat.va_size = 0; vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); #ifdef MAC - error = mac_check_vnode_write(td->td_ucred, fp->f_cred, vp); + error = mac_vnode_check_write(td->td_ucred, fp->f_cred, vp); if (error == 0) #endif error = VOP_SETATTR(vp, &vat, td->td_ucred, td); @@ -1258,7 +1258,7 @@ restart: } #ifdef MAC if (error == 0 && !whiteout) - error = mac_check_vnode_create(td->td_ucred, nd.ni_dvp, + error = mac_vnode_check_create(td->td_ucred, nd.ni_dvp, &nd.ni_cnd, &vattr); #endif if (!error) { @@ -1341,7 +1341,7 @@ restart: vattr.va_mode = (mode & ALLPERMS) & ~td->td_proc->p_fd->fd_cmask; FILEDESC_SUNLOCK(td->td_proc->p_fd); #ifdef MAC - error = mac_check_vnode_create(td->td_ucred, nd.ni_dvp, &nd.ni_cnd, + error = mac_vnode_check_create(td->td_ucred, nd.ni_dvp, &nd.ni_cnd, &vattr); if (error) goto out; @@ -1467,7 +1467,7 @@ kern_link(struct thread *td, char *path, char *link, enum uio_seg segflg) error = can_hardlink(vp, td, td->td_ucred); if (error == 0) #ifdef MAC - error = mac_check_vnode_link(td->td_ucred, + error = mac_vnode_check_link(td->td_ucred, nd.ni_dvp, vp, &nd.ni_cnd); if (error == 0) #endif @@ -1555,7 +1555,7 @@ restart: FILEDESC_SUNLOCK(td->td_proc->p_fd); #ifdef MAC vattr.va_type = VLNK; - error = mac_check_vnode_create(td->td_ucred, nd.ni_dvp, &nd.ni_cnd, + error = mac_vnode_check_create(td->td_ucred, nd.ni_dvp, &nd.ni_cnd, &vattr); if (error) goto out2; @@ -1693,7 +1693,7 @@ restart: goto restart; } #ifdef MAC - error = mac_check_vnode_unlink(td->td_ucred, nd.ni_dvp, vp, + error = mac_vnode_check_unlink(td->td_ucred, nd.ni_dvp, vp, &nd.ni_cnd); if (error) goto out; @@ -1872,7 +1872,7 @@ vn_access(vp, user_flags, cred, td) if (user_flags & X_OK) flags |= VEXEC; #ifdef MAC - error = mac_check_vnode_access(cred, vp, flags); + error = mac_vnode_check_access(cred, vp, flags); if (error) return (error); #endif @@ -2341,7 +2341,7 @@ kern_readlink(struct thread *td, char *path, enum uio_seg pathseg, char *buf, vfslocked = NDHASGIANT(&nd); vp = nd.ni_vp; #ifdef MAC - error = mac_check_vnode_readlink(td->td_ucred, vp); + error = mac_vnode_check_readlink(td->td_ucred, vp); if (error) { vput(vp); VFS_UNLOCK_GIANT(vfslocked); @@ -2400,7 +2400,7 @@ setfflags(td, vp, flags) VATTR_NULL(&vattr); vattr.va_flags = flags; #ifdef MAC - error = mac_check_vnode_setflags(td->td_ucred, vp, vattr.va_flags); + error = mac_vnode_check_setflags(td->td_ucred, vp, vattr.va_flags); if (error == 0) #endif error = VOP_SETATTR(vp, &vattr, td->td_ucred, td); @@ -2528,7 +2528,7 @@ setfmode(td, vp, mode) VATTR_NULL(&vattr); vattr.va_mode = mode & ALLPERMS; #ifdef MAC - error = mac_check_vnode_setmode(td->td_ucred, vp, vattr.va_mode); + error = mac_vnode_check_setmode(td->td_ucred, vp, vattr.va_mode); if (error == 0) #endif error = VOP_SETATTR(vp, &vattr, td->td_ucred, td); @@ -2670,7 +2670,7 @@ setfown(td, vp, uid, gid) vattr.va_uid = uid; vattr.va_gid = gid; #ifdef MAC - error = mac_check_vnode_setowner(td->td_ucred, vp, vattr.va_uid, + error = mac_vnode_check_setowner(td->td_ucred, vp, vattr.va_uid, vattr.va_gid); if (error == 0) #endif @@ -2873,7 +2873,7 @@ setutimes(td, vp, ts, numtimes, nullflag) if (nullflag) vattr.va_vaflags |= VA_UTIMES_NULL; #ifdef MAC - error = mac_check_vnode_setutimes(td->td_ucred, vp, vattr.va_atime, + error = mac_vnode_check_setutimes(td->td_ucred, vp, vattr.va_atime, vattr.va_mtime); #endif if (error == 0) @@ -3069,7 +3069,7 @@ kern_truncate(struct thread *td, char *path, enum uio_seg pathseg, off_t length) if (vp->v_type == VDIR) error = EISDIR; #ifdef MAC - else if ((error = mac_check_vnode_write(td->td_ucred, NOCRED, vp))) { + else if ((error = mac_vnode_check_write(td->td_ucred, NOCRED, vp))) { } #endif else if ((error = vn_writechk(vp)) == 0 && @@ -3129,7 +3129,7 @@ ftruncate(td, uap) if (vp->v_type == VDIR) error = EISDIR; #ifdef MAC - else if ((error = mac_check_vnode_write(td->td_ucred, fp->f_cred, + else if ((error = mac_vnode_check_write(td->td_ucred, fp->f_cred, vp))) { } #endif @@ -3315,7 +3315,7 @@ kern_rename(struct thread *td, char *from, char *to, enum uio_seg pathseg) fvfslocked = NDHASGIANT(&fromnd); tvfslocked = 0; #ifdef MAC - error = mac_check_vnode_rename_from(td->td_ucred, fromnd.ni_dvp, + error = mac_vnode_check_rename_from(td->td_ucred, fromnd.ni_dvp, fromnd.ni_vp, &fromnd.ni_cnd); VOP_UNLOCK(fromnd.ni_dvp, 0, td); if (fromnd.ni_dvp != fromnd.ni_vp) @@ -3366,7 +3366,7 @@ kern_rename(struct thread *td, char *from, char *to, enum uio_seg pathseg) error = -1; #ifdef MAC else - error = mac_check_vnode_rename_to(td->td_ucred, tdvp, + error = mac_vnode_check_rename_to(td->td_ucred, tdvp, tond.ni_vp, fromnd.ni_dvp == tdvp, &tond.ni_cnd); #endif out: @@ -3476,7 +3476,7 @@ restart: vattr.va_mode = (mode & ACCESSPERMS) &~ td->td_proc->p_fd->fd_cmask; FILEDESC_SUNLOCK(td->td_proc->p_fd); #ifdef MAC - error = mac_check_vnode_create(td->td_ucred, nd.ni_dvp, &nd.ni_cnd, + error = mac_vnode_check_create(td->td_ucred, nd.ni_dvp, &nd.ni_cnd, &vattr); if (error) goto out; @@ -3550,7 +3550,7 @@ restart: goto out; } #ifdef MAC - error = mac_check_vnode_unlink(td->td_ucred, nd.ni_dvp, vp, + error = mac_vnode_check_unlink(td->td_ucred, nd.ni_dvp, vp, &nd.ni_cnd); if (error) goto out; @@ -3641,7 +3641,7 @@ unionread: vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); loff = auio.uio_offset = fp->f_offset; #ifdef MAC - error = mac_check_vnode_readdir(td->td_ucred, vp); + error = mac_vnode_check_readdir(td->td_ucred, vp); if (error) { VOP_UNLOCK(vp, 0, td); VFS_UNLOCK_GIANT(vfslocked); @@ -3785,7 +3785,7 @@ unionread: AUDIT_ARG(vnode, vp, ARG_VNODE1); loff = auio.uio_offset = fp->f_offset; #ifdef MAC - error = mac_check_vnode_readdir(td->td_ucred, vp); + error = mac_vnode_check_readdir(td->td_ucred, vp); if (error == 0) #endif error = VOP_READDIR(vp, &auio, fp->f_cred, &eofflag, NULL, @@ -3903,7 +3903,7 @@ revoke(td, uap) goto out; } #ifdef MAC - error = mac_check_vnode_revoke(td->td_ucred, vp); + error = mac_vnode_check_revoke(td->td_ucred, vp); if (error) goto out; #endif @@ -4126,7 +4126,7 @@ fhopen(td, uap) if (fmode & O_APPEND) mode |= VAPPEND; #ifdef MAC - error = mac_check_vnode_open(td->td_ucred, vp, mode); + error = mac_vnode_check_open(td->td_ucred, vp, mode); if (error) goto bad; #endif @@ -4148,7 +4148,7 @@ fhopen(td, uap) * We don't yet have fp->f_cred, so use td->td_ucred, which * should be right. */ - error = mac_check_vnode_write(td->td_ucred, td->td_ucred, vp); + error = mac_vnode_check_write(td->td_ucred, td->td_ucred, vp); if (error == 0) { #endif VATTR_NULL(vap); @@ -4337,7 +4337,7 @@ kern_fhstatfs(struct thread *td, fhandle_t fh, struct statfs *buf) if (error) goto out; #ifdef MAC - error = mac_check_mount_stat(td->td_ucred, mp); + error = mac_mount_check_stat(td->td_ucred, mp); if (error) goto out; #endif diff --git a/sys/kern/vfs_vnops.c b/sys/kern/vfs_vnops.c index 4f5305e..5083574 100644 --- a/sys/kern/vfs_vnops.c +++ b/sys/kern/vfs_vnops.c @@ -148,7 +148,7 @@ restart: goto restart; } #ifdef MAC - error = mac_check_vnode_create(cred, ndp->ni_dvp, + error = mac_vnode_check_create(cred, ndp->ni_dvp, &ndp->ni_cnd, vap); if (error == 0) { #endif @@ -213,7 +213,7 @@ restart: if (fmode & O_APPEND) mode |= VAPPEND; #ifdef MAC - error = mac_check_vnode_open(cred, vp, mode); + error = mac_vnode_check_open(cred, vp, mode); if (error) goto bad; #endif @@ -387,10 +387,10 @@ vn_rdwr(rw, vp, base, len, offset, segflg, ioflg, active_cred, file_cred, #ifdef MAC if ((ioflg & IO_NOMACCHECK) == 0) { if (rw == UIO_READ) - error = mac_check_vnode_read(active_cred, file_cred, + error = mac_vnode_check_read(active_cred, file_cred, vp); else - error = mac_check_vnode_write(active_cred, file_cred, + error = mac_vnode_check_write(active_cred, file_cred, vp); } #endif @@ -520,7 +520,7 @@ vn_read(fp, uio, active_cred, flags, td) ioflag |= sequential_heuristic(uio, fp); #ifdef MAC - error = mac_check_vnode_read(active_cred, fp->f_cred, vp); + error = mac_vnode_check_read(active_cred, fp->f_cred, vp); if (error == 0) #endif error = VOP_READ(vp, uio, ioflag, fp->f_cred); @@ -580,7 +580,7 @@ vn_write(fp, uio, active_cred, flags, td) uio->uio_offset = fp->f_offset; ioflag |= sequential_heuristic(uio, fp); #ifdef MAC - error = mac_check_vnode_write(active_cred, fp->f_cred, vp); + error = mac_vnode_check_write(active_cred, fp->f_cred, vp); if (error == 0) #endif error = VOP_WRITE(vp, uio, ioflag, fp->f_cred); @@ -635,7 +635,7 @@ vn_stat(vp, sb, active_cred, file_cred, td) u_short mode; #ifdef MAC - error = mac_check_vnode_stat(active_cred, file_cred, vp); + error = mac_vnode_check_stat(active_cred, file_cred, vp); if (error) return (error); #endif @@ -783,7 +783,7 @@ vn_poll(fp, events, active_cred, td) vfslocked = VFS_LOCK_GIANT(vp->v_mount); #ifdef MAC vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); - error = mac_check_vnode_poll(active_cred, fp->f_cred, vp); + error = mac_vnode_check_poll(active_cred, fp->f_cred, vp); VOP_UNLOCK(vp, 0, td); if (!error) #endif |
