authorrwatson <rwatson@FreeBSD.org>2008-08-23 15:26:36 +0000
committerrwatson <rwatson@FreeBSD.org>2008-08-23 15:26:36 +0000
commit78a117e6fa3ea5484baa385417846432dcafd758 (patch)
tree5219c0b4d17dd1dcbcb5fda367c1905a0929ee2b /sys/security/mac/mac_net.c
parent36dc0db8e1fa12d3f6a38164a5fb1ae82fc45eba (diff)
Introduce two related changes to the TrustedBSD MAC Framework:
(1) Abstract interpreter vnode labeling in execve(2) and mac_execve(2) so that the general exec code isn't aware of the details of allocating, copying, and freeing labels, rather, simply passes in a void pointer to start and stop functions that will be used by the framework. This change will be MFC'd. (2) Introduce a new flags field to the MAC_POLICY_SET(9) interface allowing policies to declare which types of objects require label allocation, initialization, and destruction, and define a set of flags covering various supported object types (MPC_OBJECT_PROC, MPC_OBJECT_VNODE, MPC_OBJECT_INPCB, ...). This change reduces the overhead of compiling the MAC Framework into the kernel if policies aren't loaded, or if policies require labels on only a small number or even no object types. Each time a policy is loaded or unloaded, we recalculate a mask of labeled object types across all policies present in the system. Eliminate MAC_ALWAYS_LABEL_MBUF option as it is no longer required. MFC after: 1 week ((1) only) Reviewed by: csjp Obtained from: TrustedBSD Project Sponsored by: Apple, Inc.
Diffstat (limited to 'sys/security/mac/mac_net.c')
-rw-r--r--sys/security/mac/mac_net.c57
1 files changed, 34 insertions, 23 deletions
diff --git a/sys/security/mac/mac_net.c b/sys/security/mac/mac_net.c
index 0b4ec4e..8e8afea 100644
--- a/sys/security/mac/mac_net.c
+++ b/sys/security/mac/mac_net.c
@@ -3,6 +3,7 @@
* Copyright (c) 2001 Ilmar S. Habibulin
* Copyright (c) 2001-2004 Networks Associates Technology, Inc.
* Copyright (c) 2006 SPARTA, Inc.
+ * Copyright (c) 2008 Apple Inc.
* All rights reserved.
*
* This software was developed by Robert Watson and Ilmar Habibulin for the
@@ -112,7 +113,10 @@ void
mac_bpfdesc_init(struct bpf_d *d)
{
- d->bd_label = mac_bpfdesc_label_alloc();
+ if (mac_labeled & MPC_OBJECT_BPFDESC)
+ d->bd_label = mac_bpfdesc_label_alloc();
+ else
+ d->bd_label = NULL;
}
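Review bot: The new else branch leaves d->bd_label NULL whenever no loaded policy declares MPC_OBJECT_BPFDESC, but nothing in the hunk records that invariant where later readers of bd_label will see it; the same applies to if_label in the mac_ifnet_init hunk below. Since the commit message says mac_labeled is recomputed on every policy load, a descriptor created before a labeling policy is loaded would presumably keep a NULL label afterwards, so consumers of bd_label have to test the pointer rather than trust the mask (those consumers are outside this hunk). I would put above the test: `/* Allocate only if a loaded policy asked for bpfdesc labels; bd_label stays NULL otherwise, so readers must check the pointer, not mac_labeled. */`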
static struct label *
@@ -129,7 +133,10 @@ void
mac_ifnet_init(struct ifnet *ifp)
{
- ifp->if_label = mac_ifnet_label_alloc();
+ if (mac_labeled & MPC_OBJECT_IFNET)
+ ifp->if_label = mac_ifnet_label_alloc();
+ else
+ ifp->if_label = NULL;
}
int
@@ -157,24 +164,18 @@ mac_mbuf_init(struct mbuf *m, int flag)
M_ASSERTPKTHDR(m);
-#ifndef MAC_ALWAYS_LABEL_MBUF
- /*
- * If conditionally allocating mbuf labels, don't allocate unless
- * they are required.
- */
- if (!mac_labelmbufs)
- return (0);
-#endif
- tag = m_tag_get(PACKET_TAG_MACLABEL, sizeof(struct label),
- flag);
- if (tag == NULL)
- return (ENOMEM);
- error = mac_mbuf_tag_init(tag, flag);
- if (error) {
- m_tag_free(tag);
- return (error);
+ if (mac_labeled & MPC_OBJECT_MBUF) {
+ tag = m_tag_get(PACKET_TAG_MACLABEL, sizeof(struct label),
+ flag);
+ if (tag == NULL)
+ return (ENOMEM);
+ error = mac_mbuf_tag_init(tag, flag);
+ if (error) {
+ m_tag_free(tag);
+ return (error);
+ }
+ m_tag_prepend(m, tag);
}
- m_tag_prepend(m, tag);
return (0);
}
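Review bot: Wrapping the whole allocation in `if (mac_labeled & MPC_OBJECT_MBUF) { ... }` adds an indentation level to a block that was flat before and moves m_tag_prepend into the nest; an early return, `if (!(mac_labeled & MPC_OBJECT_MBUF)) return (0);`, would keep the previous shape and read like the mac_labelmbufs guard it replaces. The function's opening and the declarations of tag and error are above the hunk.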
@@ -190,8 +191,10 @@ void
mac_bpfdesc_destroy(struct bpf_d *d)
{
- mac_bpfdesc_label_free(d->bd_label);
- d->bd_label = NULL;
+ if (d->bd_label != NULL) {
+ mac_bpfdesc_label_free(d->bd_label);
+ d->bd_label = NULL;
+ }
}
static void
@@ -206,8 +209,10 @@ void
mac_ifnet_destroy(struct ifnet *ifp)
{
- mac_ifnet_label_free(ifp->if_label);
- ifp->if_label = NULL;
+ if (ifp->if_label != NULL) {
+ mac_ifnet_label_free(ifp->if_label);
+ ifp->if_label = NULL;
+ }
}
void
@@ -359,6 +364,9 @@ mac_ifnet_ioctl_get(struct ucred *cred, struct ifreq *ifr,
struct mac mac;
int error;
+ if (!(mac_labeled & MPC_OBJECT_IFNET))
+ return (EINVAL);
+
error = copyin(ifr->ifr_ifru.ifru_data, &mac, sizeof(mac));
if (error)
return (error);
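Review bot: The added early return gates the ioctl on mac_labeled, but the object state the rest of the function presumably works with (ifp->if_label, below the hunk) is set only at attach time by mac_ifnet_init in this same commit, so an interface attached before a policy declaring MPC_OBJECT_IFNET was loaded could still carry a NULL label while the mask bit is set; the mac_ifnet_ioctl_set hunk below has the same gate. Testing the pointer as well, `if (!(mac_labeled & MPC_OBJECT_IFNET) || ifp->if_label == NULL)`, would make the guard match what is later dereferenced (the get variant's parameter list is cut off in the hunk header, so confirm ifp is available there). EINVAL from this check is also indistinguishable to userland from a malformed request rejected further down, so a one-line comment such as `/* EINVAL: no loaded policy labels interfaces. */` would help. mac_ifnet_ioctl_get's body continues past the hunk.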
@@ -399,6 +407,9 @@ mac_ifnet_ioctl_set(struct ucred *cred, struct ifreq *ifr, struct ifnet *ifp)
char *buffer;
int error;
+ if (!(mac_labeled & MPC_OBJECT_IFNET))
+ return (EINVAL);
+
error = copyin(ifr->ifr_ifru.ifru_data, &mac, sizeof(mac));
if (error)
return (error);