Introduce two related changes to the TrustedBSD MAC Framework:

(1) Abstract interpreter vnode labeling in execve(2) and mac_execve(2)
    so that the general exec code isn't aware of the details of
    allocating, copying, and freeing labels, rather, simply passes in
    a void pointer to start and stop functions that will be used by
    the framework.  This change will be MFC'd.

(2) Introduce a new flags field to the MAC_POLICY_SET(9) interface
    allowing policies to declare which types of objects require label
    allocation, initialization, and destruction, and define a set of
    flags covering various supported object types (MPC_OBJECT_PROC,
    MPC_OBJECT_VNODE, MPC_OBJECT_INPCB, ...).  This change reduces the
    overhead of compiling the MAC Framework into the kernel if policies
    aren't loaded, or if policies require labels on only a small number
    or even no object types.  Each time a policy is loaded or unloaded,
    we recalculate a mask of labeled object types across all policies
    present in the system.  Eliminate MAC_ALWAYS_LABEL_MBUF option as it
    is no longer required.

MFC after:	1 week ((1) only)
Reviewed by:	csjp
Obtained from:	TrustedBSD Project
Sponsored by:	Apple, Inc.

1 files changed, 14 insertions, 29 deletions

diff --git a/sys/security/mac/mac_framework.c b/sys/security/mac/mac_framework.c
index d54316e..0a7b085 100644
--- a/sys/security/mac/mac_framework.c
+++ b/sys/security/mac/mac_framework.c
@@ -3,6 +3,7 @@
  * Copyright (c) 2001 Ilmar S. Habibulin
  * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
  * Copyright (c) 2005-2006 SPARTA, Inc.
+ * Copyright (c) 2008 Apple Inc.
  * All rights reserved.
  *
  * This software was developed by Robert Watson and Ilmar Habibulin for the
@@ -125,22 +126,14 @@ SYSCTL_UINT(_security_mac, OID_AUTO, max_slots, CTLFLAG_RD, &mac_max_slots,
 static int	mac_late = 0;
 
 /*
- * Flag to indicate whether or not we should allocate label storage for new
- * mbufs.  Since most dynamic policies we currently work with don't rely on
- * mbuf labeling, try to avoid paying the cost of mtag allocation unless
- * specifically notified of interest.  One result of this is that if a
- * dynamically loaded policy requests mbuf labels, it must be able to deal
- * with a NULL label being returned on any mbufs that were already in flight
- * when the policy was loaded.  Since the policy already has to deal with
- * uninitialized labels, this probably won't be a problem.  Note: currently
- * no locking.  Will this be a problem?
- *
- * In the future, we may want to allow objects to request labeling on a per-
- * object type basis, rather than globally for all objects.
+ * Each policy declares a mask of object types requiring labels to be
+ * allocated for them.  For convenience, we combine and cache the bitwise or
+ * of the per-policy object flags to track whether we will allocate a label
+ * for an object type at run-time.
  */
-#ifndef MAC_ALWAYS_LABEL_MBUF
-int	mac_labelmbufs = 0;
-#endif
+uint64_t	mac_labeled;
+SYSCTL_QUAD(_security_mac, OID_AUTO, labeled, CTLFLAG_RD, &mac_labeled, 0,
+    "Mask of object types being labeled");
 
 MALLOC_DEFINE(M_MACTEMP, "mactemp", "MAC temporary label storage");
 
@@ -344,23 +337,15 @@ mac_late_init(void)
 static void
 mac_policy_updateflags(void)
 {
-#ifndef MAC_ALWAYS_LABEL_MBUF
-	struct mac_policy_conf *tmpc;
-	int labelmbufs;
+	struct mac_policy_conf *mpc;
 
 	mac_policy_assert_exclusive();
 
-	labelmbufs = 0;
-	LIST_FOREACH(tmpc, &mac_static_policy_list, mpc_list) {
-		if (tmpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_LABELMBUFS)
-			labelmbufs++;
-	}
-	LIST_FOREACH(tmpc, &mac_policy_list, mpc_list) {
-		if (tmpc->mpc_loadtime_flags & MPC_LOADTIME_FLAG_LABELMBUFS)
-			labelmbufs++;
-	}
-	mac_labelmbufs = (labelmbufs != 0);
-#endif
+	mac_labeled = 0;
+	LIST_FOREACH(mpc, &mac_static_policy_list, mpc_list)
+		mac_labeled |= mpc->mpc_labeled;
+	LIST_FOREACH(mpc, &mac_policy_list, mpc_list)
+		mac_labeled |= mpc->mpc_labeled;
 }
 
 static int