authorrwatson <rwatson@FreeBSD.org>2002-10-05 15:10:00 +0000
committerrwatson <rwatson@FreeBSD.org>2002-10-05 15:10:00 +0000
commit2670ddfd3d617662ee379ec7c426c9cd053767ae (patch)
tree33e53f3fb9bde26be881ac4487a7db7aea0d39f8 /sys/security/mac_biba
parent781fb4bca3a26571aaae08aa44fda8853a68a7ef (diff)
Begin another merge from the TrustedBSD MAC branch:
- Change mpo_init_foo(obj, label) and mpo_destroy_foo(obj, label) policy entry points to mpo_init_foo_label(label) and mpo_destroy_foo_label(label). This will permit the use of the same entry points for holding a temporary type-specific label during internalization and externalization, as well as for caching purposes.
- Because of this, break out mpo_{init,destroy}_socket() and mpo_{init,destroy}_mount() into separate entry points for socket main/peer labels and mount main/fs labels.
- Since the prototype for label initialization is the same across almost all entry points, implement these entry points using common implementations for Biba, MLS, and Test, reducing the number of almost identical looking functions. This simplifies policy implementation, as well as preparing us for the merge of the new flexible userland API for managing labels on objects.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
Diffstat (limited to 'sys/security/mac_biba')
-rw-r--r--sys/security/mac_biba/mac_biba.c263
1 files changed, 58 insertions, 205 deletions
diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c
index d9056c6..8d53cdb 100644
--- a/sys/security/mac_biba/mac_biba.c
+++ b/sys/security/mac_biba/mac_biba.c
@@ -117,11 +117,11 @@ static int mac_biba_check_vnode_open(struct ucred *cred, struct vnode *vp,
struct label *vnodelabel, mode_t acc_mode);
static struct mac_biba *
-biba_alloc(int how)
+biba_alloc(int flag)
{
struct mac_biba *mac_biba;
- mac_biba = malloc(sizeof(struct mac_biba), M_MACBIBA, M_ZERO | how);
+ mac_biba = malloc(sizeof(struct mac_biba), M_MACBIBA, M_ZERO | flag);
return (mac_biba);
}
@@ -385,46 +385,17 @@ mac_biba_init(struct mac_policy_conf *conf)
* Label operations.
*/
static void
-mac_biba_init_bpfdesc(struct bpf_d *bpf_d, struct label *label)
-{
-
- SLOT(label) = biba_alloc(M_WAITOK);
-}
-
-static void
-mac_biba_init_cred(struct ucred *ucred, struct label *label)
-{
-
- SLOT(label) = biba_alloc(M_WAITOK);
-}
-
-static void
-mac_biba_init_devfsdirent(struct devfs_dirent *devfs_dirent,
- struct label *label)
-{
-
- SLOT(label) = biba_alloc(M_WAITOK);
-}
-
-static void
-mac_biba_init_ifnet(struct ifnet *ifnet, struct label *label)
-{
-
- SLOT(label) = biba_alloc(M_WAITOK);
-}
-
-static void
-mac_biba_init_ipq(struct ipq *ipq, struct label *label)
+mac_biba_init_label(struct label *label)
{
SLOT(label) = biba_alloc(M_WAITOK);
}
static int
-mac_biba_init_mbuf(struct mbuf *mbuf, int how, struct label *label)
+mac_biba_init_label_waitcheck(struct label *label, int flag)
{
- SLOT(label) = biba_alloc(how);
+ SLOT(label) = biba_alloc(flag);
if (SLOT(label) == NULL)
return (ENOMEM);
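Review bot: Nothing under the "Label operations." header records why mac_biba_init_label may ignore the result of biba_alloc while mac_biba_init_label_waitcheck has to test it; the difference rests on the hard-coded M_WAITOK at line 70 versus the caller-supplied flag at line 77, and since both functions are now registered for every label type in the ops table a later reader cannot recover that from the call sites. I would put above mac_biba_init_label `/* Allocate the per-object Biba label; uses M_WAITOK, so register only for contexts that may sleep. */` and above the waitcheck variant `/* Variant for callers that supply their own malloc flag (mbufs); with a non-sleeping flag the allocation may fail, reported as ENOMEM with SLOT(label) left NULL. */`. mac_biba_init_label_waitcheck's body continues past the end of the hunk.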
@@ -432,133 +403,7 @@ mac_biba_init_mbuf(struct mbuf *mbuf, int how, struct label *label)
}
static void
-mac_biba_init_mount(struct mount *mount, struct label *mntlabel,
- struct label *fslabel)
-{
-
- SLOT(mntlabel) = biba_alloc(M_WAITOK);
- SLOT(fslabel) = biba_alloc(M_WAITOK);
-}
-
-static void
-mac_biba_init_socket(struct socket *socket, struct label *label,
- struct label *peerlabel)
-{
-
- SLOT(label) = biba_alloc(M_WAITOK);
- SLOT(peerlabel) = biba_alloc(M_WAITOK);
-}
-
-static void
-mac_biba_init_pipe(struct pipe *pipe, struct label *label)
-{
-
- SLOT(label) = biba_alloc(M_WAITOK);
-}
-
-static void
-mac_biba_init_temp(struct label *label)
-{
-
- SLOT(label) = biba_alloc(M_WAITOK);
-}
-
-static void
-mac_biba_init_vnode(struct vnode *vp, struct label *label)
-{
-
- SLOT(label) = biba_alloc(M_WAITOK);
-}
-
-static void
-mac_biba_destroy_bpfdesc(struct bpf_d *bpf_d, struct label *label)
-{
-
- biba_free(SLOT(label));
- SLOT(label) = NULL;
-}
-
-static void
-mac_biba_destroy_cred(struct ucred *ucred, struct label *label)
-{
-
- biba_free(SLOT(label));
- SLOT(label) = NULL;
-}
-
-static void
-mac_biba_destroy_devfsdirent(struct devfs_dirent *devfs_dirent,
- struct label *label)
-{
-
- biba_free(SLOT(label));
- SLOT(label) = NULL;
-}
-
-static void
-mac_biba_destroy_ifnet(struct ifnet *ifnet, struct label *label)
-{
-
- biba_free(SLOT(label));
- SLOT(label) = NULL;
-}
-
-static void
-mac_biba_destroy_ipq(struct ipq *ipq, struct label *label)
-{
-
- biba_free(SLOT(label));
- SLOT(label) = NULL;
-}
-
-static void
-mac_biba_destroy_mbuf(struct mbuf *mbuf, struct label *label)
-{
-
- biba_free(SLOT(label));
- SLOT(label) = NULL;
-}
-
-static void
-mac_biba_destroy_mount(struct mount *mount, struct label *mntlabel,
- struct label *fslabel)
-{
-
- biba_free(SLOT(mntlabel));
- SLOT(mntlabel) = NULL;
- biba_free(SLOT(fslabel));
- SLOT(fslabel) = NULL;
-}
-
-static void
-mac_biba_destroy_socket(struct socket *socket, struct label *label,
- struct label *peerlabel)
-{
-
- biba_free(SLOT(label));
- SLOT(label) = NULL;
- biba_free(SLOT(peerlabel));
- SLOT(peerlabel) = NULL;
-}
-
-static void
-mac_biba_destroy_pipe(struct pipe *pipe, struct label *label)
-{
-
- biba_free(SLOT(label));
- SLOT(label) = NULL;
-}
-
-static void
-mac_biba_destroy_temp(struct label *label)
-{
-
- biba_free(SLOT(label));
- SLOT(label) = NULL;
-}
-
-static void
-mac_biba_destroy_vnode(struct vnode *vp, struct label *label)
+mac_biba_destroy_label(struct label *label)
{
biba_free(SLOT(label));
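Review bot: mac_biba_destroy_label now also backs MAC_DESTROY_MBUF_LABEL, whose initializer mac_biba_init_label_waitcheck can leave SLOT(label) NULL on allocation failure, yet line 212 passes SLOT(label) to biba_free with no visible guard. Whether that is safe depends on biba_free accepting a NULL argument, which is not shown in this hunk; if it does, a comment `/* SLOT(label) may be NULL when a waitcheck init failed; biba_free must tolerate that. */` would pin the contract, and if it does not, the call needs `if (SLOT(label) != NULL)` in front of it. The rest of the function body lies outside the hunk.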
@@ -2054,50 +1899,58 @@ static struct mac_policy_op_entry mac_biba_ops[] =
(macop_t)mac_biba_destroy },
{ MAC_INIT,
(macop_t)mac_biba_init },
- { MAC_INIT_BPFDESC,
- (macop_t)mac_biba_init_bpfdesc },
- { MAC_INIT_CRED,
- (macop_t)mac_biba_init_cred },
- { MAC_INIT_DEVFSDIRENT,
- (macop_t)mac_biba_init_devfsdirent },
- { MAC_INIT_IFNET,
- (macop_t)mac_biba_init_ifnet },
- { MAC_INIT_IPQ,
- (macop_t)mac_biba_init_ipq },
- { MAC_INIT_MBUF,
- (macop_t)mac_biba_init_mbuf },
- { MAC_INIT_MOUNT,
- (macop_t)mac_biba_init_mount },
- { MAC_INIT_PIPE,
- (macop_t)mac_biba_init_pipe },
- { MAC_INIT_SOCKET,
- (macop_t)mac_biba_init_socket },
- { MAC_INIT_TEMP,
- (macop_t)mac_biba_init_temp },
- { MAC_INIT_VNODE,
- (macop_t)mac_biba_init_vnode },
- { MAC_DESTROY_BPFDESC,
- (macop_t)mac_biba_destroy_bpfdesc },
- { MAC_DESTROY_CRED,
- (macop_t)mac_biba_destroy_cred },
- { MAC_DESTROY_DEVFSDIRENT,
- (macop_t)mac_biba_destroy_devfsdirent },
- { MAC_DESTROY_IFNET,
- (macop_t)mac_biba_destroy_ifnet },
- { MAC_DESTROY_IPQ,
- (macop_t)mac_biba_destroy_ipq },
- { MAC_DESTROY_MBUF,
- (macop_t)mac_biba_destroy_mbuf },
- { MAC_DESTROY_MOUNT,
- (macop_t)mac_biba_destroy_mount },
- { MAC_DESTROY_PIPE,
- (macop_t)mac_biba_destroy_pipe },
- { MAC_DESTROY_SOCKET,
- (macop_t)mac_biba_destroy_socket },
- { MAC_DESTROY_TEMP,
- (macop_t)mac_biba_destroy_temp },
- { MAC_DESTROY_VNODE,
- (macop_t)mac_biba_destroy_vnode },
+ { MAC_INIT_BPFDESC_LABEL,
+ (macop_t)mac_biba_init_label },
+ { MAC_INIT_CRED_LABEL,
+ (macop_t)mac_biba_init_label },
+ { MAC_INIT_DEVFSDIRENT_LABEL,
+ (macop_t)mac_biba_init_label },
+ { MAC_INIT_IFNET_LABEL,
+ (macop_t)mac_biba_init_label },
+ { MAC_INIT_IPQ_LABEL,
+ (macop_t)mac_biba_init_label },
+ { MAC_INIT_MBUF_LABEL,
+ (macop_t)mac_biba_init_label_waitcheck },
+ { MAC_INIT_MOUNT_LABEL,
+ (macop_t)mac_biba_init_label },
+ { MAC_INIT_MOUNT_FS_LABEL,
+ (macop_t)mac_biba_init_label },
+ { MAC_INIT_PIPE_LABEL,
+ (macop_t)mac_biba_init_label },
+ { MAC_INIT_SOCKET_LABEL,
+ (macop_t)mac_biba_init_label },
+ { MAC_INIT_SOCKET_PEER_LABEL,
+ (macop_t)mac_biba_init_label },
+ { MAC_INIT_TEMP_LABEL,
+ (macop_t)mac_biba_init_label },
+ { MAC_INIT_VNODE_LABEL,
+ (macop_t)mac_biba_init_label },
+ { MAC_DESTROY_BPFDESC_LABEL,
+ (macop_t)mac_biba_destroy_label },
+ { MAC_DESTROY_CRED_LABEL,
+ (macop_t)mac_biba_destroy_label },
+ { MAC_DESTROY_DEVFSDIRENT_LABEL,
+ (macop_t)mac_biba_destroy_label },
+ { MAC_DESTROY_IFNET_LABEL,
+ (macop_t)mac_biba_destroy_label },
+ { MAC_DESTROY_IPQ_LABEL,
+ (macop_t)mac_biba_destroy_label },
+ { MAC_DESTROY_MBUF_LABEL,
+ (macop_t)mac_biba_destroy_label },
+ { MAC_DESTROY_MOUNT_LABEL,
+ (macop_t)mac_biba_destroy_label },
+ { MAC_DESTROY_MOUNT_FS_LABEL,
+ (macop_t)mac_biba_destroy_label },
+ { MAC_DESTROY_PIPE_LABEL,
+ (macop_t)mac_biba_destroy_label },
+ { MAC_DESTROY_SOCKET_LABEL,
+ (macop_t)mac_biba_destroy_label },
+ { MAC_DESTROY_SOCKET_PEER_LABEL,
+ (macop_t)mac_biba_destroy_label },
+ { MAC_DESTROY_TEMP_LABEL,
+ (macop_t)mac_biba_destroy_label },
+ { MAC_DESTROY_VNODE_LABEL,
+ (macop_t)mac_biba_destroy_label },
{ MAC_EXTERNALIZE,
(macop_t)mac_biba_externalize },
{ MAC_INTERNALIZE,
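Review bot: Every rebuilt init entry in mac_biba_ops points at the void mac_biba_init_label except MAC_INIT_MBUF_LABEL at lines 271-272, which takes the int-returning mac_biba_init_label_waitcheck, and because each handler is cast through macop_t the compiler will not catch a wrong pairing between an entry point and the prototype the framework expects for it. A comment on that entry, `/* mbuf labels may be allocated without sleeping; this is the only init that can fail. */`, would make the one deliberate exception visible to whoever adds the next *_LABEL entry. The same concern applies to the MAC_DESTROY_MBUF_LABEL entry at lines 297-298, which shares mac_biba_destroy_label with the others and so must cope with a label whose init failed.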