authorrwatson <rwatson@FreeBSD.org>2007-04-22 16:18:10 +0000
committerrwatson <rwatson@FreeBSD.org>2007-04-22 16:18:10 +0000
commit1c94b6d3ee7cc5a273997e5dd61d432475bed233 (patch)
tree1a5de6c7822c50a3ed2d30c9621d0e6c1932b16f /sys/security/mac_mls
parentc729a4c68dbc009109dc4dacf19bd61514820196 (diff)
In the MAC Framework implementation, file systems have two per-mountpoint
labels: the mount label (label of the mountpoint) and the fs label (label of the file system). In practice, policies appear to only ever use one, and the distinction is not helpful. Combine mnt_mntlabel and mnt_fslabel into a single mnt_label, and eliminate extra machinery required to maintain the additional label. Update policies to reflect removal of extra entry points and label.
Obtained from: TrustedBSD Project
Sponsored by: SPARTA, Inc.
Diffstat (limited to 'sys/security/mac_mls')
-rw-r--r--sys/security/mac_mls/mac_mls.c20
1 files changed, 8 insertions, 12 deletions
diff --git a/sys/security/mac_mls/mac_mls.c b/sys/security/mac_mls/mac_mls.c
index e1cbc91..5169360 100644
--- a/sys/security/mac_mls/mac_mls.c
+++ b/sys/security/mac_mls/mac_mls.c
@@ -793,15 +793,13 @@ mac_mls_create_devfs_symlink(struct ucred *cred, struct mount *mp,
static void
mac_mls_create_mount(struct ucred *cred, struct mount *mp,
- struct label *mntlabel, struct label *fslabel)
+ struct label *mntlabel)
{
struct mac_mls *source, *dest;
source = SLOT(cred->cr_label);
dest = SLOT(mntlabel);
mac_mls_copy_effective(source, dest);
- dest = SLOT(fslabel);
- mac_mls_copy_effective(source, dest);
}
static void
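Review bot: mac_mls_create_mount now takes only `mntlabel`, and its body (fully inside the hunk) never reads `mp`, so a short header comment would spare the next reader a search for a use; I would add above the function `/* A new mount inherits the effective MLS label of the mounting credential; mp is unused here. */`. Whether the parameter list is fixed by the policy entry-point signature is inferred from the mac_mls_ops table further down, not visible in this hunk.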
@@ -830,7 +828,7 @@ mac_mls_update_devfsdirent(struct mount *mp,
}
static void
-mac_mls_associate_vnode_devfs(struct mount *mp, struct label *fslabel,
+mac_mls_associate_vnode_devfs(struct mount *mp, struct label *mntlabel,
struct devfs_dirent *de, struct label *delabel, struct vnode *vp,
struct label *vlabel)
{
@@ -843,13 +841,13 @@ mac_mls_associate_vnode_devfs(struct mount *mp, struct label *fslabel,
}
static int
-mac_mls_associate_vnode_extattr(struct mount *mp, struct label *fslabel,
+mac_mls_associate_vnode_extattr(struct mount *mp, struct label *mntlabel,
struct vnode *vp, struct label *vlabel)
{
struct mac_mls temp, *source, *dest;
int buflen, error;
- source = SLOT(fslabel);
+ source = SLOT(mntlabel);
dest = SLOT(vlabel);
buflen = sizeof(temp);
@@ -858,7 +856,7 @@ mac_mls_associate_vnode_extattr(struct mount *mp, struct label *fslabel,
error = vn_extattr_get(vp, IO_NODELOCKED, MAC_MLS_EXTATTR_NAMESPACE,
MAC_MLS_EXTATTR_NAME, &buflen, (char *) &temp, curthread);
if (error == ENOATTR || error == EOPNOTSUPP) {
- /* Fall back to the fslabel. */
+ /* Fall back to the mntlabel. */
mac_mls_copy_effective(source, dest);
return (0);
} else if (error)
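Review bot: The reworded comment on the fallback branch says where the label comes from but not why EOPNOTSUPP is folded in with ENOATTR; both are treated as "no per-vnode label stored" and the vnode is labeled from the mount. I would expand it to `/* No label extattr (ENOATTR) or no extattr support (EOPNOTSUPP): the vnode inherits the mount's effective label. */`. Separately, `buflen` is set to sizeof(temp) in the previous hunk and is updated by vn_extattr_get here; the body continues past this hunk, and if it does not confirm `buflen == sizeof(temp)` before copying temp into the vnode label, a short attribute would leave part of temp uninitialized, so that guard is worth verifying. mac_mls_associate_vnode_extattr starts and ends outside this hunk.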
@@ -884,11 +882,11 @@ mac_mls_associate_vnode_extattr(struct mount *mp, struct label *fslabel,
static void
mac_mls_associate_vnode_singlelabel(struct mount *mp,
- struct label *fslabel, struct vnode *vp, struct label *vlabel)
+ struct label *mntlabel, struct vnode *vp, struct label *vlabel)
{
struct mac_mls *source, *dest;
- source = SLOT(fslabel);
+ source = SLOT(mntlabel);
dest = SLOT(vlabel);
mac_mls_copy_effective(source, dest);
@@ -896,7 +894,7 @@ mac_mls_associate_vnode_singlelabel(struct mount *mp,
static int
mac_mls_create_vnode_extattr(struct ucred *cred, struct mount *mp,
- struct label *fslabel, struct vnode *dvp, struct label *dlabel,
+ struct label *mntlabel, struct vnode *dvp, struct label *dlabel,
struct vnode *vp, struct label *vlabel, struct componentname *cnp)
{
struct mac_mls *source, *dest, temp;
@@ -2882,7 +2880,6 @@ static struct mac_policy_ops mac_mls_ops =
.mpo_init_ipq_label = mac_mls_init_label_waitcheck,
.mpo_init_mbuf_label = mac_mls_init_label_waitcheck,
.mpo_init_mount_label = mac_mls_init_label,
- .mpo_init_mount_fs_label = mac_mls_init_label,
.mpo_init_pipe_label = mac_mls_init_label,
.mpo_init_posix_sem_label = mac_mls_init_label,
.mpo_init_socket_label = mac_mls_init_label_waitcheck,
@@ -2901,7 +2898,6 @@ static struct mac_policy_ops mac_mls_ops =
.mpo_destroy_ipq_label = mac_mls_destroy_label,
.mpo_destroy_mbuf_label = mac_mls_destroy_label,
.mpo_destroy_mount_label = mac_mls_destroy_label,
- .mpo_destroy_mount_fs_label = mac_mls_destroy_label,
.mpo_destroy_pipe_label = mac_mls_destroy_label,
.mpo_destroy_posix_sem_label = mac_mls_destroy_label,
.mpo_destroy_socket_label = mac_mls_destroy_label,