authorrwatson <rwatson@FreeBSD.org>2009-01-10 10:58:41 +0000
committerrwatson <rwatson@FreeBSD.org>2009-01-10 10:58:41 +0000
commit5743072acfd292c98911ffb9ccbb0889d58912a6 (patch)
treea09d92856c004db2e7784d8452b80357e3fc5d22 /sys/security/mac
parentaeaccdebe1a1d60a30f576f94448e6d0bb078a93 (diff)
Rather than having MAC policies explicitly declare what object types
they label, derive that information implicitly from the set of label initializers in their policy operations set. This avoids a possible class of programmer errors, while retaining the structure that allows us to avoid allocating labels for objects that don't need them. As before, we regenerate a global mask of labeled objects each time a policy is loaded or unloaded, stored in mac_labeled.
Discussed with:	csjp
Suggested by:	Jacques Vidrine <nectar at apple.com>
Obtained from:	TrustedBSD Project
Sponsored by:	Apple, Inc.
Diffstat (limited to 'sys/security/mac')
-rw-r--r--sys/security/mac/mac_framework.c52
-rw-r--r--sys/security/mac/mac_internal.h29
-rw-r--r--sys/security/mac/mac_policy.h33
3 files changed, 77 insertions, 37 deletions
diff --git a/sys/security/mac/mac_framework.c b/sys/security/mac/mac_framework.c
index 0a7b085..d18f3e5 100644
--- a/sys/security/mac/mac_framework.c
+++ b/sys/security/mac/mac_framework.c
@@ -3,7 +3,7 @@
* Copyright (c) 2001 Ilmar S. Habibulin
* Copyright (c) 2001-2005 Networks Associates Technology, Inc.
* Copyright (c) 2005-2006 SPARTA, Inc.
- * Copyright (c) 2008 Apple Inc.
+ * Copyright (c) 2008-2009 Apple Inc.
* All rights reserved.
*
* This software was developed by Robert Watson and Ilmar Habibulin for the
@@ -329,10 +329,48 @@ mac_late_init(void)
}
/*
- * After the policy list has changed, walk the list to update any global
- * flags. Currently, we support only one flag, and it's conditionally
- * defined; as a result, the entire function is conditional. Eventually, the
- * #else case might also iterate across the policies.
+ * Given a policy, derive from its set of non-NULL label init methods what
+ * object types the policy is interested in.
+ */
+static uint64_t
+mac_policy_getlabeled(struct mac_policy_conf *mpc)
+{
+ uint64_t labeled;
+
+#define MPC_FLAG(method, flag) \
+ if (mpc->mpc_ops->mpo_ ## method != NULL) \
+ labeled |= (flag); \
+
+ labeled = 0;
+ MPC_FLAG(cred_init_label, MPC_OBJECT_CRED);
+ MPC_FLAG(proc_init_label, MPC_OBJECT_PROC);
+ MPC_FLAG(vnode_init_label, MPC_OBJECT_VNODE);
+ MPC_FLAG(inpcb_init_label, MPC_OBJECT_INPCB);
+ MPC_FLAG(socket_init_label, MPC_OBJECT_SOCKET);
+ MPC_FLAG(devfs_init_label, MPC_OBJECT_DEVFS);
+ MPC_FLAG(mbuf_init_label, MPC_OBJECT_MBUF);
+ MPC_FLAG(ipq_init_label, MPC_OBJECT_IPQ);
+ MPC_FLAG(ifnet_init_label, MPC_OBJECT_IFNET);
+ MPC_FLAG(bpfdesc_init_label, MPC_OBJECT_BPFDESC);
+ MPC_FLAG(pipe_init_label, MPC_OBJECT_PIPE);
+ MPC_FLAG(mount_init_label, MPC_OBJECT_MOUNT);
+ MPC_FLAG(posixsem_init_label, MPC_OBJECT_POSIXSEM);
+ MPC_FLAG(posixshm_init_label, MPC_OBJECT_POSIXSHM);
+ MPC_FLAG(sysvmsg_init_label, MPC_OBJECT_SYSVMSG);
+ MPC_FLAG(sysvmsq_init_label, MPC_OBJECT_SYSVMSQ);
+ MPC_FLAG(sysvsem_init_label, MPC_OBJECT_SYSVSEM);
+ MPC_FLAG(sysvshm_init_label, MPC_OBJECT_SYSVSHM);
+ MPC_FLAG(syncache_init_label, MPC_OBJECT_SYNCACHE);
+ MPC_FLAG(ip6q_init_label, MPC_OBJECT_IP6Q);
+
+#undef MPC_FLAG
+ return (labeled);
+}
+
+/*
+ * When policies are loaded or unloaded, walk the list of registered policies
+ * and built mac_labeled, a bitmask representing the union of all objects
+ * requiring labels across all policies.
*/
static void
mac_policy_updateflags(void)
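Review bot: MPC_FLAG at the top of mac_policy_getlabeled is an unbraced `if` whose last line still ends in a backslash, so the definition silently continues onto the blank line that follows and each use expands to a bare conditional statement; define it as `do { if (mpc->mpc_ops->mpo_ ## method != NULL) labeled |= (flag); } while (0)` and end the definition there. The new comment above mac_policy_updateflags reads "and built mac_labeled" where "build" is meant. Because the set of object types that get labels now follows only from which `*_init_label` methods a policy exports, the function comment should state the consequence a policy author would not otherwise see: a policy that exports hooks reading an object's label without exporting the matching init method will find no label allocated for that object type, so the list here must stay in step with the object types the framework knows about. The body of mac_policy_updateflags continues past this hunk.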
@@ -343,9 +381,9 @@ mac_policy_updateflags(void)
mac_labeled = 0;
LIST_FOREACH(mpc, &mac_static_policy_list, mpc_list)
- mac_labeled |= mpc->mpc_labeled;
+ mac_labeled |= mac_policy_getlabeled(mpc);
LIST_FOREACH(mpc, &mac_policy_list, mpc_list)
- mac_labeled |= mpc->mpc_labeled;
+ mac_labeled |= mac_policy_getlabeled(mpc);
}
static int
diff --git a/sys/security/mac/mac_internal.h b/sys/security/mac/mac_internal.h
index 23da90a..79544c3 100644
--- a/sys/security/mac/mac_internal.h
+++ b/sys/security/mac/mac_internal.h
@@ -4,6 +4,7 @@
* Copyright (c) 2001-2004 Networks Associates Technology, Inc.
* Copyright (c) 2006 nCircle Network Security, Inc.
* Copyright (c) 2006 SPARTA, Inc.
+ * Copyright (c) 2009 Apple, Inc.
* All rights reserved.
*
* This software was developed by Robert Watson and Ilmar Habibulin for the
@@ -83,6 +84,34 @@ struct label {
intptr_t l_perpolicy[MAC_MAX_SLOTS];
};
+
+/*
+ * Flags for mac_labeled, a bitmask of object types need across the union of
+ * all policies currently registered with the MAC Framework, used to key
+ * whether or not labels are allocated and constructors for the type are
+ * invoked.
+ */
+#define MPC_OBJECT_CRED 0x0000000000000001
+#define MPC_OBJECT_PROC 0x0000000000000002
+#define MPC_OBJECT_VNODE 0x0000000000000004
+#define MPC_OBJECT_INPCB 0x0000000000000008
+#define MPC_OBJECT_SOCKET 0x0000000000000010
+#define MPC_OBJECT_DEVFS 0x0000000000000020
+#define MPC_OBJECT_MBUF 0x0000000000000040
+#define MPC_OBJECT_IPQ 0x0000000000000080
+#define MPC_OBJECT_IFNET 0x0000000000000100
+#define MPC_OBJECT_BPFDESC 0x0000000000000200
+#define MPC_OBJECT_PIPE 0x0000000000000400
+#define MPC_OBJECT_MOUNT 0x0000000000000800
+#define MPC_OBJECT_POSIXSEM 0x0000000000001000
+#define MPC_OBJECT_POSIXSHM 0x0000000000002000
+#define MPC_OBJECT_SYSVMSG 0x0000000000004000
+#define MPC_OBJECT_SYSVMSQ 0x0000000000008000
+#define MPC_OBJECT_SYSVSEM 0x0000000000010000
+#define MPC_OBJECT_SYSVSHM 0x0000000000020000
+#define MPC_OBJECT_SYNCACHE 0x0000000000040000
+#define MPC_OBJECT_IP6Q 0x0000000000080000
+
/*
* MAC Framework global variables.
*/
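Review bot: The comment introducing the MPC_OBJECT_* flags reads "a bitmask of object types need across the union of all policies"; "needed" is meant. Now that these flags are private to the framework and policies no longer set them, each constant has exactly one consumer, the MPC_FLAG list in mac_policy_getlabeled(), and a new object type added to one list but not the other would simply never have labels allocated; a line such as `/* Keep in sync with mac_policy_getlabeled() in mac_framework.c. */` above the first define would make that dependency visible at the point where someone adds a flag.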
diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h
index ecf68a6..e333409 100644
--- a/sys/security/mac/mac_policy.h
+++ b/sys/security/mac/mac_policy.h
@@ -956,9 +956,9 @@ struct mac_policy_conf {
int *mpc_field_off; /* security field */
int mpc_runtime_flags; /* flags */
int _mpc_spare1; /* Spare. */
- uint64_t mpc_labeled; /* Labeled objects. */
uint64_t _mpc_spare2; /* Spare. */
- void *_mpc_spare3; /* Spare. */
+ uint64_t _mpc_spare3; /* Spare. */
+ void *_mpc_spare4; /* Spare. */
LIST_ENTRY(mac_policy_conf) mpc_list; /* global list */
};
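Review bot: Removing mpc_labeled while retyping _mpc_spare3 to uint64_t and appending a void * _mpc_spare4 appears to keep the size and field offsets of struct mac_policy_conf unchanged, but nothing in the struct says so, and the next person to reclaim a spare will not know the slot that used to be mpc_labeled is now ignored rather than read. A comment on the renamed field, `uint64_t _mpc_spare2; /* Spare; formerly mpc_labeled, now derived from mpc_ops. */`, records both the layout intent and why a policy module built against the old header still works. MAC_VERSION is left at 4 elsewhere in this file, which is consistent with the layout being preserved, but that reasoning should be stated rather than inferred.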
@@ -969,31 +969,6 @@ struct mac_policy_conf {
/* Flags for the mpc_runtime_flags field. */
#define MPC_RUNTIME_FLAG_REGISTERED 0x00000001
-/*
- * Flags for mpc_labeled declaring which objects should have labels allocated
- * for them by the MAC Framework.
- */
-#define MPC_OBJECT_CRED 0x0000000000000001
-#define MPC_OBJECT_PROC 0x0000000000000002
-#define MPC_OBJECT_VNODE 0x0000000000000004
-#define MPC_OBJECT_INPCB 0x0000000000000008
-#define MPC_OBJECT_SOCKET 0x0000000000000010
-#define MPC_OBJECT_DEVFS 0x0000000000000020
-#define MPC_OBJECT_MBUF 0x0000000000000040
-#define MPC_OBJECT_IPQ 0x0000000000000080
-#define MPC_OBJECT_IFNET 0x0000000000000100
-#define MPC_OBJECT_BPFDESC 0x0000000000000200
-#define MPC_OBJECT_PIPE 0x0000000000000400
-#define MPC_OBJECT_MOUNT 0x0000000000000800
-#define MPC_OBJECT_POSIXSEM 0x0000000000001000
-#define MPC_OBJECT_POSIXSHM 0x0000000000002000
-#define MPC_OBJECT_SYSVMSG 0x0000000000004000
-#define MPC_OBJECT_SYSVMSQ 0x0000000000008000
-#define MPC_OBJECT_SYSVSEM 0x0000000000010000
-#define MPC_OBJECT_SYSVSHM 0x0000000000020000
-#define MPC_OBJECT_SYNCACHE 0x0000000000040000
-#define MPC_OBJECT_IP6Q 0x0000000000080000
-
/*-
* The TrustedBSD MAC Framework has a major version number, MAC_VERSION,
* which defines the ABI of the Framework present in the kernel (and depended
@@ -1009,15 +984,13 @@ struct mac_policy_conf {
*/
#define MAC_VERSION 4
-#define MAC_POLICY_SET(mpops, mpname, mpfullname, mpflags, privdata_wanted, \
- labeled) \
+#define MAC_POLICY_SET(mpops, mpname, mpfullname, mpflags, privdata_wanted) \
static struct mac_policy_conf mpname##_mac_policy_conf = { \
.mpc_name = #mpname, \
.mpc_fullname = mpfullname, \
.mpc_ops = mpops, \
.mpc_loadtime_flags = mpflags, \
.mpc_field_off = privdata_wanted, \
- .mpc_labeled = labeled, \
}; \
static moduledata_t mpname##_mod = { \
#mpname, \