author | rwatson <rwatson@FreeBSD.org> | 2007-10-25 11:31:11 +0000 |
---|---|---|
committer | rwatson <rwatson@FreeBSD.org> | 2007-10-25 11:31:11 +0000 |
commit | 2fd98af619b989e0cb105bb5b81e41d895fd8e20 (patch) | |
tree | 61b4f64bfe3a4b94291e8d7bf90db127671545c7 /sys/security/mac_mls | |
parent | 9d167f82e426b3c6481ebd3bcdba5afbae063a7d (diff) | |
Consistently name functions for mac_<policy> as <policy>_whatever rather
than mac_<policy>_whatever, as this shortens the names and makes the code
a bit easier to read.
When dealing with label structures, name variables 'mb', 'ml', 'mm' rather
than the longer 'mac_biba', 'mac_lomac', and 'mac_mls', likewise making
the code a little easier to read.
Obtained from: TrustedBSD Project
Diffstat (limited to 'sys/security/mac_mls')
-rw-r--r-- | sys/security/mac_mls/mac_mls.c | 1449 |
1 files changed, 720 insertions, 729 deletions
diff --git a/sys/security/mac_mls/mac_mls.c b/sys/security/mac_mls/mac_mls.c index ea62f3f..cfca2af 100644 --- a/sys/security/mac_mls/mac_mls.c +++ b/sys/security/mac_mls/mac_mls.c @@ -93,14 +93,14 @@ SYSCTL_DECL(_security_mac); SYSCTL_NODE(_security_mac, OID_AUTO, mls, CTLFLAG_RW, 0, "TrustedBSD mac_mls policy controls"); -static int mac_mls_label_size = sizeof(struct mac_mls); +static int mls_label_size = sizeof(struct mac_mls); SYSCTL_INT(_security_mac_mls, OID_AUTO, label_size, CTLFLAG_RD, - &mac_mls_label_size, 0, "Size of struct mac_mls"); + &mls_label_size, 0, "Size of struct mac_mls"); -static int mac_mls_enabled = 1; -SYSCTL_INT(_security_mac_mls, OID_AUTO, enabled, CTLFLAG_RW, - &mac_mls_enabled, 0, "Enforce MAC/MLS policy"); -TUNABLE_INT("security.mac.mls.enabled", &mac_mls_enabled); +static int mls_enabled = 1; +SYSCTL_INT(_security_mac_mls, OID_AUTO, enabled, CTLFLAG_RW, &mls_enabled, 0, + "Enforce MAC/MLS policy"); +TUNABLE_INT("security.mac.mls.enabled", &mls_enabled); static int destroyed_not_inited; SYSCTL_INT(_security_mac_mls, OID_AUTO, destroyed_not_inited, CTLFLAG_RD, @@ -120,9 +120,9 @@ static int max_compartments = MAC_MLS_MAX_COMPARTMENTS; SYSCTL_INT(_security_mac_mls, OID_AUTO, max_compartments, CTLFLAG_RD, &max_compartments, 0, "Maximum compartments the policy supports"); -static int mac_mls_slot; -#define SLOT(l) ((struct mac_mls *)mac_label_get((l), mac_mls_slot)) -#define SLOT_SET(l, val) mac_label_set((l), mac_mls_slot, (uintptr_t)(val)) +static int mls_slot; +#define SLOT(l) ((struct mac_mls *)mac_label_get((l), mls_slot)) +#define SLOT_SET(l, val) mac_label_set((l), mls_slot, (uintptr_t)(val)) static uma_zone_t zone_mls; 
@@ -144,27 +144,26 @@ mls_alloc(int flag) } static void -mls_free(struct mac_mls *mac_mls) +mls_free(struct mac_mls *mm) { - if (mac_mls != NULL) - uma_zfree(zone_mls, mac_mls); + if (mm != NULL) + uma_zfree(zone_mls, mm); else atomic_add_int(&destroyed_not_inited, 1); } static int -mls_atmostflags(struct mac_mls *mac_mls, int flags) +mls_atmostflags(struct mac_mls *mm, int flags) { - if ((mac_mls->mm_flags & flags) != mac_mls->mm_flags) + if ((mm->mm_flags & flags) != mm->mm_flags) return (EINVAL); return (0); } static int -mac_mls_dominate_element(struct mac_mls_element *a, - struct mac_mls_element *b) +mls_dominate_element(struct mac_mls_element *a, struct mac_mls_element *b) { int bit; @@ -184,7 +183,7 @@ mac_mls_dominate_element(struct mac_mls_element *a, return (1); default: - panic("mac_mls_dominate_element: b->mme_type invalid"); + panic("mls_dominate_element: b->mme_type invalid"); } case MAC_MLS_TYPE_LEVEL: 
@@ -205,56 +204,56 @@ mac_mls_dominate_element(struct mac_mls_element *a, return (a->mme_level >= b->mme_level); default: - panic("mac_mls_dominate_element: b->mme_type invalid"); + panic("mls_dominate_element: b->mme_type invalid"); } default: - panic("mac_mls_dominate_element: a->mme_type invalid"); + panic("mls_dominate_element: a->mme_type invalid"); } return (0); } static int -mac_mls_range_in_range(struct mac_mls *rangea, struct mac_mls *rangeb) +mls_range_in_range(struct mac_mls *rangea, struct mac_mls *rangeb) { - return (mac_mls_dominate_element(&rangeb->mm_rangehigh, + return (mls_dominate_element(&rangeb->mm_rangehigh, &rangea->mm_rangehigh) && - mac_mls_dominate_element(&rangea->mm_rangelow, + mls_dominate_element(&rangea->mm_rangelow, &rangeb->mm_rangelow)); } static int -mac_mls_effective_in_range(struct mac_mls *effective, struct mac_mls *range) +mls_effective_in_range(struct mac_mls *effective, struct mac_mls *range) { KASSERT((effective->mm_flags & MAC_MLS_FLAG_EFFECTIVE) != 0, - ("mac_mls_effective_in_range: a not effective")); + ("mls_effective_in_range: a not effective")); KASSERT((range->mm_flags & MAC_MLS_FLAG_RANGE) != 0, - ("mac_mls_effective_in_range: b not range")); + ("mls_effective_in_range: b not range")); - return (mac_mls_dominate_element(&range->mm_rangehigh, + return (mls_dominate_element(&range->mm_rangehigh, &effective->mm_effective) && - mac_mls_dominate_element(&effective->mm_effective, + mls_dominate_element(&effective->mm_effective, &range->mm_rangelow)); return (1); } static int -mac_mls_dominate_effective(struct mac_mls *a, struct mac_mls *b) +mls_dominate_effective(struct mac_mls *a, struct mac_mls *b) { KASSERT((a->mm_flags & MAC_MLS_FLAG_EFFECTIVE) != 0, - ("mac_mls_dominate_effective: a not effective")); + ("mls_dominate_effective: a not effective")); KASSERT((b->mm_flags & MAC_MLS_FLAG_EFFECTIVE) != 0, - ("mac_mls_dominate_effective: b not effective")); + ("mls_dominate_effective: b not effective")); - return 
(mac_mls_dominate_element(&a->mm_effective, &b->mm_effective)); + return (mls_dominate_element(&a->mm_effective, &b->mm_effective)); } static int -mac_mls_equal_element(struct mac_mls_element *a, struct mac_mls_element *b) +mls_equal_element(struct mac_mls_element *a, struct mac_mls_element *b) { if (a->mme_type == MAC_MLS_TYPE_EQUAL || @@ -265,29 +264,29 @@ mac_mls_equal_element(struct mac_mls_element *a, struct mac_mls_element *b) } static int -mac_mls_equal_effective(struct mac_mls *a, struct mac_mls *b) +mls_equal_effective(struct mac_mls *a, struct mac_mls *b) { KASSERT((a->mm_flags & MAC_MLS_FLAG_EFFECTIVE) != 0, - ("mac_mls_equal_effective: a not effective")); + ("mls_equal_effective: a not effective")); KASSERT((b->mm_flags & MAC_MLS_FLAG_EFFECTIVE) != 0, - ("mac_mls_equal_effective: b not effective")); + ("mls_equal_effective: b not effective")); - return (mac_mls_equal_element(&a->mm_effective, &b->mm_effective)); + return (mls_equal_element(&a->mm_effective, &b->mm_effective)); } static int -mac_mls_contains_equal(struct mac_mls *mac_mls) +mls_contains_equal(struct mac_mls *mm) { - if (mac_mls->mm_flags & MAC_MLS_FLAG_EFFECTIVE) - if (mac_mls->mm_effective.mme_type == MAC_MLS_TYPE_EQUAL) + if (mm->mm_flags & MAC_MLS_FLAG_EFFECTIVE) + if (mm->mm_effective.mme_type == MAC_MLS_TYPE_EQUAL) return (1); - if (mac_mls->mm_flags & MAC_MLS_FLAG_RANGE) { - if (mac_mls->mm_rangelow.mme_type == MAC_MLS_TYPE_EQUAL) + if (mm->mm_flags & MAC_MLS_FLAG_RANGE) { + if (mm->mm_rangelow.mme_type == MAC_MLS_TYPE_EQUAL) return (1); - if (mac_mls->mm_rangehigh.mme_type == MAC_MLS_TYPE_EQUAL) + if (mm->mm_rangehigh.mme_type == MAC_MLS_TYPE_EQUAL) return (1); } 
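Review bot: `mls_effective_in_range` still ends with an unreachable `return (1);` directly after the `return (mls_dominate_element(&range->mm_rangehigh, &effective->mm_effective) && mls_dominate_element(&effective->mm_effective, &range->mm_rangelow));` statement, and the rename leaves that dead line in place. It should simply be deleted: a reader auditing the dominance check otherwise has to convince themselves there is no fall-through path that would grant access unconditionally. The neighbouring `mls_range_in_range` and `mls_dominate_effective` in the same hunk return the comparison directly, which is the shape this function should match.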
@@ -295,25 +294,24 @@ mac_mls_contains_equal(struct mac_mls *mac_mls) } static int -mac_mls_subject_privileged(struct mac_mls *mac_mls) +mls_subject_privileged(struct mac_mls *mm) { - KASSERT((mac_mls->mm_flags & MAC_MLS_FLAGS_BOTH) == - MAC_MLS_FLAGS_BOTH, - ("mac_mls_subject_privileged: subject doesn't have both labels")); + KASSERT((mm->mm_flags & MAC_MLS_FLAGS_BOTH) == MAC_MLS_FLAGS_BOTH, + ("mls_subject_privileged: subject doesn't have both labels")); /* If the effective is EQUAL, it's ok. */ - if (mac_mls->mm_effective.mme_type == MAC_MLS_TYPE_EQUAL) + if (mm->mm_effective.mme_type == MAC_MLS_TYPE_EQUAL) return (0); /* If either range endpoint is EQUAL, it's ok. */ - if (mac_mls->mm_rangelow.mme_type == MAC_MLS_TYPE_EQUAL || - mac_mls->mm_rangehigh.mme_type == MAC_MLS_TYPE_EQUAL) + if (mm->mm_rangelow.mme_type == MAC_MLS_TYPE_EQUAL || + mm->mm_rangehigh.mme_type == MAC_MLS_TYPE_EQUAL) return (0); /* If the range is low-high, it's ok. */ - if (mac_mls->mm_rangelow.mme_type == MAC_MLS_TYPE_LOW && - mac_mls->mm_rangehigh.mme_type == MAC_MLS_TYPE_HIGH) + if (mm->mm_rangelow.mme_type == MAC_MLS_TYPE_LOW && + mm->mm_rangehigh.mme_type == MAC_MLS_TYPE_HIGH) return (0); /* It's not ok. */ @@ -321,20 +319,20 @@ mac_mls_subject_privileged(struct mac_mls *mac_mls) } static int -mac_mls_valid(struct mac_mls *mac_mls) +mls_valid(struct mac_mls *mm) { - if (mac_mls->mm_flags & MAC_MLS_FLAG_EFFECTIVE) { - switch (mac_mls->mm_effective.mme_type) { + if (mm->mm_flags & MAC_MLS_FLAG_EFFECTIVE) { + switch (mm->mm_effective.mme_type) { case MAC_MLS_TYPE_LEVEL: break; case MAC_MLS_TYPE_EQUAL: case MAC_MLS_TYPE_HIGH: case MAC_MLS_TYPE_LOW: - if (mac_mls->mm_effective.mme_level != 0 || + if (mm->mm_effective.mme_level != 0 || !MAC_MLS_BIT_SET_EMPTY( - mac_mls->mm_effective.mme_compartments)) + mm->mm_effective.mme_compartments)) return (EINVAL); break; 
@@ -342,21 +340,21 @@ mac_mls_valid(struct mac_mls *mac_mls) return (EINVAL); } } else { - if (mac_mls->mm_effective.mme_type != MAC_MLS_TYPE_UNDEF) + if (mm->mm_effective.mme_type != MAC_MLS_TYPE_UNDEF) return (EINVAL); } - if (mac_mls->mm_flags & MAC_MLS_FLAG_RANGE) { - switch (mac_mls->mm_rangelow.mme_type) { + if (mm->mm_flags & MAC_MLS_FLAG_RANGE) { + switch (mm->mm_rangelow.mme_type) { case MAC_MLS_TYPE_LEVEL: break; case MAC_MLS_TYPE_EQUAL: case MAC_MLS_TYPE_HIGH: case MAC_MLS_TYPE_LOW: - if (mac_mls->mm_rangelow.mme_level != 0 || + if (mm->mm_rangelow.mme_level != 0 || !MAC_MLS_BIT_SET_EMPTY( - mac_mls->mm_rangelow.mme_compartments)) + mm->mm_rangelow.mme_compartments)) return (EINVAL); break; @@ -364,28 +362,28 @@ mac_mls_valid(struct mac_mls *mac_mls) return (EINVAL); } - switch (mac_mls->mm_rangehigh.mme_type) { + switch (mm->mm_rangehigh.mme_type) { case MAC_MLS_TYPE_LEVEL: break; case MAC_MLS_TYPE_EQUAL: case MAC_MLS_TYPE_HIGH: case MAC_MLS_TYPE_LOW: - if (mac_mls->mm_rangehigh.mme_level != 0 || + if (mm->mm_rangehigh.mme_level != 0 || !MAC_MLS_BIT_SET_EMPTY( - mac_mls->mm_rangehigh.mme_compartments)) + mm->mm_rangehigh.mme_compartments)) return (EINVAL); break; default: return (EINVAL); } - if (!mac_mls_dominate_element(&mac_mls->mm_rangehigh, - &mac_mls->mm_rangelow)) + if (!mls_dominate_element(&mm->mm_rangehigh, + &mm->mm_rangelow)) return (EINVAL); } else { - if (mac_mls->mm_rangelow.mme_type != MAC_MLS_TYPE_UNDEF || - mac_mls->mm_rangehigh.mme_type != MAC_MLS_TYPE_UNDEF) + if (mm->mm_rangelow.mme_type != MAC_MLS_TYPE_UNDEF || + mm->mm_rangehigh.mme_type != MAC_MLS_TYPE_UNDEF) return (EINVAL); } 
@@ -393,45 +391,45 @@ mac_mls_valid(struct mac_mls *mac_mls) } static void -mac_mls_set_range(struct mac_mls *mac_mls, u_short typelow, - u_short levellow, u_char *compartmentslow, u_short typehigh, - u_short levelhigh, u_char *compartmentshigh) +mls_set_range(struct mac_mls *mm, u_short typelow, u_short levellow, + u_char *compartmentslow, u_short typehigh, u_short levelhigh, + u_char *compartmentshigh) { - mac_mls->mm_rangelow.mme_type = typelow; - mac_mls->mm_rangelow.mme_level = levellow; + mm->mm_rangelow.mme_type = typelow; + mm->mm_rangelow.mme_level = levellow; if (compartmentslow != NULL) - memcpy(mac_mls->mm_rangelow.mme_compartments, + memcpy(mm->mm_rangelow.mme_compartments, compartmentslow, - sizeof(mac_mls->mm_rangelow.mme_compartments)); - mac_mls->mm_rangehigh.mme_type = typehigh; - mac_mls->mm_rangehigh.mme_level = levelhigh; + sizeof(mm->mm_rangelow.mme_compartments)); + mm->mm_rangehigh.mme_type = typehigh; + mm->mm_rangehigh.mme_level = levelhigh; if (compartmentshigh != NULL) - memcpy(mac_mls->mm_rangehigh.mme_compartments, + memcpy(mm->mm_rangehigh.mme_compartments, compartmentshigh, - sizeof(mac_mls->mm_rangehigh.mme_compartments)); - mac_mls->mm_flags |= MAC_MLS_FLAG_RANGE; + sizeof(mm->mm_rangehigh.mme_compartments)); + mm->mm_flags |= MAC_MLS_FLAG_RANGE; } static void -mac_mls_set_effective(struct mac_mls *mac_mls, u_short type, u_short level, +mls_set_effective(struct mac_mls *mm, u_short type, u_short level, u_char *compartments) { - mac_mls->mm_effective.mme_type = type; - mac_mls->mm_effective.mme_level = level; + mm->mm_effective.mme_type = type; + mm->mm_effective.mme_level = level; if (compartments != NULL) - memcpy(mac_mls->mm_effective.mme_compartments, compartments, - sizeof(mac_mls->mm_effective.mme_compartments)); - mac_mls->mm_flags |= MAC_MLS_FLAG_EFFECTIVE; + memcpy(mm->mm_effective.mme_compartments, compartments, + sizeof(mm->mm_effective.mme_compartments)); + mm->mm_flags |= MAC_MLS_FLAG_EFFECTIVE; } static void 
-mac_mls_copy_range(struct mac_mls *labelfrom, struct mac_mls *labelto) +mls_copy_range(struct mac_mls *labelfrom, struct mac_mls *labelto) { KASSERT((labelfrom->mm_flags & MAC_MLS_FLAG_RANGE) != 0, - ("mac_mls_copy_range: labelfrom not range")); + ("mls_copy_range: labelfrom not range")); labelto->mm_rangelow = labelfrom->mm_rangelow; labelto->mm_rangehigh = labelfrom->mm_rangehigh; @@ -439,31 +437,31 @@ mac_mls_copy_range(struct mac_mls *labelfrom, struct mac_mls *labelto) } static void -mac_mls_copy_effective(struct mac_mls *labelfrom, struct mac_mls *labelto) +mls_copy_effective(struct mac_mls *labelfrom, struct mac_mls *labelto) { KASSERT((labelfrom->mm_flags & MAC_MLS_FLAG_EFFECTIVE) != 0, - ("mac_mls_copy_effective: labelfrom not effective")); + ("mls_copy_effective: labelfrom not effective")); labelto->mm_effective = labelfrom->mm_effective; labelto->mm_flags |= MAC_MLS_FLAG_EFFECTIVE; } static void -mac_mls_copy(struct mac_mls *source, struct mac_mls *dest) +mls_copy(struct mac_mls *source, struct mac_mls *dest) { if (source->mm_flags & MAC_MLS_FLAG_EFFECTIVE) - mac_mls_copy_effective(source, dest); + mls_copy_effective(source, dest); if (source->mm_flags & MAC_MLS_FLAG_RANGE) - mac_mls_copy_range(source, dest); + mls_copy_range(source, dest); } /* * Policy module operations. */ static void -mac_mls_init(struct mac_policy_conf *conf) +mls_init(struct mac_policy_conf *conf) { zone_mls = uma_zcreate("mac_mls", sizeof(struct mac_mls), NULL, @@ -474,14 +472,14 @@ mac_mls_init(struct mac_policy_conf *conf) * Label operations. */ static void -mac_mls_init_label(struct label *label) +mls_init_label(struct label *label) { SLOT_SET(label, mls_alloc(M_WAITOK)); } static int -mac_mls_init_label_waitcheck(struct label *label, int flag) +mls_init_label_waitcheck(struct label *label, int flag) { SLOT_SET(label, mls_alloc(flag)); 
@@ -492,7 +490,7 @@ mac_mls_init_label_waitcheck(struct label *label, int flag) } static void -mac_mls_destroy_label(struct label *label) +mls_destroy_label(struct label *label) { mls_free(SLOT(label)); @@ -500,12 +498,12 @@ mac_mls_destroy_label(struct label *label) } /* - * mac_mls_element_to_string() accepts an sbuf and MLS element. It - * converts the MLS element to a string and stores the result in the - * sbuf; if there isn't space in the sbuf, -1 is returned. + * mls_element_to_string() accepts an sbuf and MLS element. It converts the + * MLS element to a string and stores the result in the sbuf; if there isn't + * space in the sbuf, -1 is returned. */ static int -mac_mls_element_to_string(struct sbuf *sb, struct mac_mls_element *element) +mls_element_to_string(struct sbuf *sb, struct mac_mls_element *element) { int i, first; 
@@ -541,41 +539,38 @@ mac_mls_element_to_string(struct sbuf *sb, struct mac_mls_element *element) return (0); default: - panic("mac_mls_element_to_string: invalid type (%d)", + panic("mls_element_to_string: invalid type (%d)", element->mme_type); } } /* - * mac_mls_to_string() converts an MLS label to a string, and places - * the results in the passed sbuf. It returns 0 on success, or EINVAL - * if there isn't room in the sbuf. Note: the sbuf will be modified - * even in a failure case, so the caller may need to revert the sbuf - * by restoring the offset if that's undesired. + * mls_to_string() converts an MLS label to a string, and places the results + * in the passed sbuf. It returns 0 on success, or EINVAL if there isn't + * room in the sbuf. Note: the sbuf will be modified even in a failure case, + * so the caller may need to revert the sbuf by restoring the offset if + * that's undesired. */ static int -mac_mls_to_string(struct sbuf *sb, struct mac_mls *mac_mls) +mls_to_string(struct sbuf *sb, struct mac_mls *mm) { - if (mac_mls->mm_flags & MAC_MLS_FLAG_EFFECTIVE) { - if (mac_mls_element_to_string(sb, &mac_mls->mm_effective) - == -1) + if (mm->mm_flags & MAC_MLS_FLAG_EFFECTIVE) { + if (mls_element_to_string(sb, &mm->mm_effective) == -1) return (EINVAL); } - if (mac_mls->mm_flags & MAC_MLS_FLAG_RANGE) { + if (mm->mm_flags & MAC_MLS_FLAG_RANGE) { if (sbuf_putc(sb, '(') == -1) return (EINVAL); - if (mac_mls_element_to_string(sb, &mac_mls->mm_rangelow) - == -1) + if (mls_element_to_string(sb, &mm->mm_rangelow) == -1) return (EINVAL); if (sbuf_putc(sb, '-') == -1) return (EINVAL); - if (mac_mls_element_to_string(sb, &mac_mls->mm_rangehigh) - == -1) + if (mls_element_to_string(sb, &mm->mm_rangehigh) == -1) return (EINVAL); if (sbuf_putc(sb, ')') == -1) 
@@ -586,33 +581,31 @@ mac_mls_to_string(struct sbuf *sb, struct mac_mls *mac_mls) } static int -mac_mls_externalize_label(struct label *label, char *element_name, +mls_externalize_label(struct label *label, char *element_name, struct sbuf *sb, int *claimed) { - struct mac_mls *mac_mls; + struct mac_mls *mm; if (strcmp(MAC_MLS_LABEL_NAME, element_name) != 0) return (0); (*claimed)++; - mac_mls = SLOT(label); + mm = SLOT(label); - return (mac_mls_to_string(sb, mac_mls)); + return (mls_to_string(sb, mm)); } static int -mac_mls_parse_element(struct mac_mls_element *element, char *string) +mls_parse_element(struct mac_mls_element *element, char *string) { char *compartment, *end, *level; int value; - if (strcmp(string, "high") == 0 || - strcmp(string, "hi") == 0) { + if (strcmp(string, "high") == 0 || strcmp(string, "hi") == 0) { element->mme_type = MAC_MLS_TYPE_HIGH; element->mme_level = MAC_MLS_TYPE_UNDEF; - } else if (strcmp(string, "low") == 0 || - strcmp(string, "lo") == 0) { + } else if (strcmp(string, "low") == 0 || strcmp(string, "lo") == 0) { element->mme_type = MAC_MLS_TYPE_LOW; element->mme_level = MAC_MLS_TYPE_UNDEF; } else if (strcmp(string, "equal") == 0 || @@ -634,9 +627,8 @@ mac_mls_parse_element(struct mac_mls_element *element, char *string) element->mme_level = value; /* - * Optional compartment piece of the element. If none - * are included, we assume that the label has no - * compartments. + * Optional compartment piece of the element. If none are + * included, we assume that the label has no compartments. */ if (string == NULL) return (0); 
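Review bot: In `mls_parse_element` the `high`/`hi` and `low`/`lo` branches store a type constant into a level field, `element->mme_level = MAC_MLS_TYPE_UNDEF;`, which the commit reformats but does not question. `mls_valid` (earlier in this diff) rejects HIGH/LOW elements whose `mme_level` is not 0, so this only works if `MAC_MLS_TYPE_UNDEF` happens to be 0 — presumably true, but not visible here. Writing `element->mme_level = 0;` states the actual invariant and removes the dependency on the enum's numeric value. `mls_parse_element` continues past the end of this hunk.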
@@ -657,11 +649,11 @@ mac_mls_parse_element(struct mac_mls_element *element, char *string) } /* - * Note: destructively consumes the string, make a local copy before - * calling if that's a problem. + * Note: destructively consumes the string, make a local copy before calling + * if that's a problem. */ static int -mac_mls_parse(struct mac_mls *mac_mls, char *string) +mls_parse(struct mac_mls *mm, char *string) { char *rangehigh, *rangelow, *effective; int error; @@ -686,29 +678,29 @@ mac_mls_parse(struct mac_mls *mac_mls, char *string) KASSERT((rangelow != NULL && rangehigh != NULL) || (rangelow == NULL && rangehigh == NULL), - ("mac_mls_parse: range mismatch")); + ("mls_parse: range mismatch")); - bzero(mac_mls, sizeof(*mac_mls)); + bzero(mm, sizeof(*mm)); if (effective != NULL) { - error = mac_mls_parse_element(&mac_mls->mm_effective, effective); + error = mls_parse_element(&mm->mm_effective, effective); if (error) return (error); - mac_mls->mm_flags |= MAC_MLS_FLAG_EFFECTIVE; + mm->mm_flags |= MAC_MLS_FLAG_EFFECTIVE; } if (rangelow != NULL) { - error = mac_mls_parse_element(&mac_mls->mm_rangelow, + error = mls_parse_element(&mm->mm_rangelow, rangelow); if (error) return (error); - error = mac_mls_parse_element(&mac_mls->mm_rangehigh, + error = mls_parse_element(&mm->mm_rangehigh, rangehigh); if (error) return (error); - mac_mls->mm_flags |= MAC_MLS_FLAG_RANGE; + mm->mm_flags |= MAC_MLS_FLAG_RANGE; } - error = mac_mls_valid(mac_mls); + error = mls_valid(mm); if (error) return (error); @@ -716,10 +708,10 @@ mac_mls_parse(struct mac_mls *mac_mls, char *string) } static int -mac_mls_internalize_label(struct label *label, char *element_name, +mls_internalize_label(struct label *label, char *element_name, char *element_data, int *claimed) { - struct mac_mls *mac_mls, mac_mls_temp; + struct mac_mls *mm, mm_temp; int error; if (strcmp(MAC_MLS_LABEL_NAME, element_name) != 0) 
@@ -727,35 +719,35 @@ mac_mls_internalize_label(struct label *label, char *element_name, (*claimed)++; - error = mac_mls_parse(&mac_mls_temp, element_data); + error = mls_parse(&mm_temp, element_data); if (error) return (error); - mac_mls = SLOT(label); - *mac_mls = mac_mls_temp; + mm = SLOT(label); + *mm = mm_temp; return (0); } static void -mac_mls_copy_label(struct label *src, struct label *dest) +mls_copy_label(struct label *src, struct label *dest) { *SLOT(dest) = *SLOT(src); } /* - * Labeling event operations: file system objects, and things that look - * a lot like file system objects. + * Labeling event operations: file system objects, and things that look a lot + * like file system objects. */ static void -mac_mls_devfs_create_device(struct ucred *cred, struct mount *mp, +mls_devfs_create_device(struct ucred *cred, struct mount *mp, struct cdev *dev, struct devfs_dirent *de, struct label *delabel) { - struct mac_mls *mac_mls; + struct mac_mls *mm; int mls_type; - mac_mls = SLOT(delabel); + mm = SLOT(delabel); if (strcmp(dev->si_name, "null") == 0 || strcmp(dev->si_name, "zero") == 0 || strcmp(dev->si_name, "random") == 0 || 
@@ -770,21 +762,21 @@ mac_mls_devfs_create_device(struct ucred *cred, struct mount *mp, mls_type = MAC_MLS_TYPE_EQUAL; else mls_type = MAC_MLS_TYPE_LOW; - mac_mls_set_effective(mac_mls, mls_type, 0, NULL); + mls_set_effective(mm, mls_type, 0, NULL); } static void -mac_mls_devfs_create_directory(struct mount *mp, char *dirname, - int dirnamelen, struct devfs_dirent *de, struct label *delabel) +mls_devfs_create_directory(struct mount *mp, char *dirname, int dirnamelen, + struct devfs_dirent *de, struct label *delabel) { - struct mac_mls *mac_mls; + struct mac_mls *mm; - mac_mls = SLOT(delabel); - mac_mls_set_effective(mac_mls, MAC_MLS_TYPE_LOW, 0, NULL); + mm = SLOT(delabel); + mls_set_effective(mm, MAC_MLS_TYPE_LOW, 0, NULL); } static void -mac_mls_devfs_create_symlink(struct ucred *cred, struct mount *mp, +mls_devfs_create_symlink(struct ucred *cred, struct mount *mp, struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de, struct label *delabel) { @@ -793,22 +785,22 @@ mac_mls_devfs_create_symlink(struct ucred *cred, struct mount *mp, source = SLOT(cred->cr_label); dest = SLOT(delabel); - mac_mls_copy_effective(source, dest); + mls_copy_effective(source, dest); } static void -mac_mls_mount_create(struct ucred *cred, struct mount *mp, - struct label *mplabel) +mls_mount_create(struct ucred *cred, struct mount *mp, struct label *mplabel) { struct mac_mls *source, *dest; source = SLOT(cred->cr_label); dest = SLOT(mplabel); - mac_mls_copy_effective(source, dest); + + mls_copy_effective(source, dest); } static void -mac_mls_vnode_relabel(struct ucred *cred, struct vnode *vp, +mls_vnode_relabel(struct ucred *cred, struct vnode *vp, struct label *vplabel, struct label *label) { struct mac_mls *source, *dest; 
@@ -816,11 +808,11 @@ mac_mls_vnode_relabel(struct ucred *cred, struct vnode *vp, source = SLOT(label); dest = SLOT(vplabel); - mac_mls_copy(source, dest); + mls_copy(source, dest); } static void -mac_mls_devfs_update(struct mount *mp, struct devfs_dirent *de, +mls_devfs_update(struct mount *mp, struct devfs_dirent *de, struct label *delabel, struct vnode *vp, struct label *vplabel) { struct mac_mls *source, *dest; @@ -828,11 +820,11 @@ mac_mls_devfs_update(struct mount *mp, struct devfs_dirent *de, source = SLOT(vplabel); dest = SLOT(delabel); - mac_mls_copy_effective(source, dest); + mls_copy_effective(source, dest); } static void -mac_mls_devfs_vnode_associate(struct mount *mp, struct label *mplabel, +mls_devfs_vnode_associate(struct mount *mp, struct label *mplabel, struct devfs_dirent *de, struct label *delabel, struct vnode *vp, struct label *vplabel) { 
@@ -841,103 +833,103 @@ mac_mls_devfs_vnode_associate(struct mount *mp, struct label *mplabel, source = SLOT(delabel); dest = SLOT(vplabel); - mac_mls_copy_effective(source, dest); + mls_copy_effective(source, dest); } static int -mac_mls_vnode_associate_extattr(struct mount *mp, struct label *mplabel, +mls_vnode_associate_extattr(struct mount *mp, struct label *mplabel, struct vnode *vp, struct label *vplabel) { - struct mac_mls temp, *source, *dest; + struct mac_mls mm_temp, *source, *dest; int buflen, error; source = SLOT(mplabel); dest = SLOT(vplabel); - buflen = sizeof(temp); - bzero(&temp, buflen); + buflen = sizeof(mm_temp); + bzero(&mm_temp, buflen); error = vn_extattr_get(vp, IO_NODELOCKED, MAC_MLS_EXTATTR_NAMESPACE, - MAC_MLS_EXTATTR_NAME, &buflen, (char *) &temp, curthread); + MAC_MLS_EXTATTR_NAME, &buflen, (char *) &mm_temp, curthread); if (error == ENOATTR || error == EOPNOTSUPP) { /* Fall back to the mntlabel. */ - mac_mls_copy_effective(source, dest); + mls_copy_effective(source, dest); return (0); } else if (error) return (error); - if (buflen != sizeof(temp)) { - printf("mac_mls_vnode_associate_extattr: bad size %d\n", - buflen); + if (buflen != sizeof(mm_temp)) { + printf("mls_vnode_associate_extattr: bad size %d\n", buflen); return (EPERM); } - if (mac_mls_valid(&temp) != 0) { - printf("mac_mls_vnode_associate_extattr: invalid\n"); + if (mls_valid(&mm_temp) != 0) { + printf("mls_vnode_associate_extattr: invalid\n"); return (EPERM); } - if ((temp.mm_flags & MAC_MLS_FLAGS_BOTH) != MAC_MLS_FLAG_EFFECTIVE) { - printf("mac_mls_associated_vnode_extattr: not effective\n"); + if ((mm_temp.mm_flags & MAC_MLS_FLAGS_BOTH) != + MAC_MLS_FLAG_EFFECTIVE) { + printf("mls_associated_vnode_extattr: not effective\n"); return (EPERM); } - mac_mls_copy_effective(&temp, dest); + mls_copy_effective(&mm_temp, dest); return (0); } static void -mac_mls_vnode_associate_singlelabel(struct mount *mp, - struct label *mplabel, struct vnode *vp, struct label *vplabel) 
+mls_vnode_associate_singlelabel(struct mount *mp, struct label *mplabel, + struct vnode *vp, struct label *vplabel) { struct mac_mls *source, *dest; source = SLOT(mplabel); dest = SLOT(vplabel); - mac_mls_copy_effective(source, dest); + mls_copy_effective(source, dest); } static int -mac_mls_vnode_create_extattr(struct ucred *cred, struct mount *mp, +mls_vnode_create_extattr(struct ucred *cred, struct mount *mp, struct label *mplabel, struct vnode *dvp, struct label *dvplabel, struct vnode *vp, struct label *vplabel, struct componentname *cnp) { - struct mac_mls *source, *dest, temp; + struct mac_mls *source, *dest, mm_temp; size_t buflen; int error; - buflen = sizeof(temp); - bzero(&temp, buflen); + buflen = sizeof(mm_temp); + bzero(&mm_temp, buflen); source = SLOT(cred->cr_label); dest = SLOT(vplabel); - mac_mls_copy_effective(source, &temp); + mls_copy_effective(source, &mm_temp); error = vn_extattr_set(vp, IO_NODELOCKED, MAC_MLS_EXTATTR_NAMESPACE, - MAC_MLS_EXTATTR_NAME, buflen, (char *) &temp, curthread); + MAC_MLS_EXTATTR_NAME, buflen, (char *) &mm_temp, curthread); if (error == 0) - mac_mls_copy_effective(source, dest); + mls_copy_effective(source, dest); return (error); } static int -mac_mls_vnode_setlabel_extattr(struct ucred *cred, struct vnode *vp, +mls_vnode_setlabel_extattr(struct ucred *cred, struct vnode *vp, struct label *vplabel, struct label *intlabel) { - struct mac_mls *source, temp; + struct mac_mls *source, mm_temp; size_t buflen; int error; - buflen = sizeof(temp); - bzero(&temp, buflen); + buflen = sizeof(mm_temp); + bzero(&mm_temp, buflen); source = SLOT(intlabel); if ((source->mm_flags & MAC_MLS_FLAG_EFFECTIVE) == 0) return (0); - mac_mls_copy_effective(source, &temp); + mls_copy_effective(source, &mm_temp); error = vn_extattr_set(vp, IO_NODELOCKED, MAC_MLS_EXTATTR_NAMESPACE, - MAC_MLS_EXTATTR_NAME, buflen, (char *) &temp, curthread); + MAC_MLS_EXTATTR_NAME, buflen, (char *) &mm_temp, curthread); return (error); } 
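Review bot: The rewritten diagnostic in `mls_vnode_associate_extattr` still carries a function name that does not exist: the new line reads `printf("mls_associated_vnode_extattr: not effective\n");` while the function itself and the two messages just above it use `mls_vnode_associate_extattr`. It should be `printf("mls_vnode_associate_extattr: not effective\n");` so that an operator tracing a rejected on-disk label from the kernel log lands on the right check. As a secondary point, `buflen` is declared `int` but compared with `sizeof(mm_temp)`; the type is dictated by `vn_extattr_get`'s `int *` parameter, so a `(size_t)` cast in the comparison would silence the signed/unsigned warning without changing behaviour.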
@@ -945,19 +937,19 @@ mac_mls_vnode_setlabel_extattr(struct ucred *cred, struct vnode *vp, * Labeling event operations: IPC object. */ static void -mac_mls_inpcb_create(struct socket *so, struct label *solabel, - struct inpcb *inp, struct label *inplabel) +mls_inpcb_create(struct socket *so, struct label *solabel, struct inpcb *inp, + struct label *inplabel) { struct mac_mls *source, *dest; source = SLOT(solabel); dest = SLOT(inplabel); - mac_mls_copy_effective(source, dest); + mls_copy_effective(source, dest); } static void -mac_mls_socket_create_mbuf(struct socket *so, struct label *solabel, +mls_socket_create_mbuf(struct socket *so, struct label *solabel, struct mbuf *m, struct label *mlabel) { struct mac_mls *source, *dest; @@ -965,11 +957,11 @@ mac_mls_socket_create_mbuf(struct socket *so, struct label *solabel, source = SLOT(solabel); dest = SLOT(mlabel); - mac_mls_copy_effective(source, dest); + mls_copy_effective(source, dest); } static void -mac_mls_socket_create(struct ucred *cred, struct socket *so, +mls_socket_create(struct ucred *cred, struct socket *so, struct label *solabel) { struct mac_mls *source, *dest; @@ -977,11 +969,11 @@ mac_mls_socket_create(struct ucred *cred, struct socket *so, source = SLOT(cred->cr_label); dest = SLOT(solabel); - mac_mls_copy_effective(source, dest); + mls_copy_effective(source, dest); } static void -mac_mls_pipe_create(struct ucred *cred, struct pipepair *pp, +mls_pipe_create(struct ucred *cred, struct pipepair *pp, struct label *pplabel) { struct mac_mls *source, *dest; @@ -989,11 +981,11 @@ mac_mls_pipe_create(struct ucred *cred, struct pipepair *pp, source = SLOT(cred->cr_label); dest = SLOT(pplabel); - mac_mls_copy_effective(source, dest); + mls_copy_effective(source, dest); } static void -mac_mls_posixsem_create(struct ucred *cred, struct ksem *ks, +mls_posixsem_create(struct ucred *cred, struct ksem *ks, struct label *kslabel) { struct mac_mls *source, *dest; 
@@ -1001,11 +993,11 @@ mac_mls_posixsem_create(struct ucred *cred, struct ksem *ks, source = SLOT(cred->cr_label); dest = SLOT(kslabel); - mac_mls_copy_effective(source, dest); + mls_copy_effective(source, dest); } static void -mac_mls_socket_newconn(struct socket *oldso, struct label *oldsolabel, +mls_socket_newconn(struct socket *oldso, struct label *oldsolabel, struct socket *newso, struct label *newsolabel) { struct mac_mls *source, *dest; @@ -1013,11 +1005,11 @@ mac_mls_socket_newconn(struct socket *oldso, struct label *oldsolabel, source = SLOT(oldsolabel); dest = SLOT(newsolabel); - mac_mls_copy_effective(source, dest); + mls_copy_effective(source, dest); } static void -mac_mls_socket_relabel(struct ucred *cred, struct socket *so, +mls_socket_relabel(struct ucred *cred, struct socket *so, struct label *solabel, struct label *newlabel) { struct mac_mls *source, *dest; @@ -1025,11 +1017,11 @@ mac_mls_socket_relabel(struct ucred *cred, struct socket *so, source = SLOT(newlabel); dest = SLOT(solabel); - mac_mls_copy(source, dest); + mls_copy(source, dest); } static void -mac_mls_pipe_relabel(struct ucred *cred, struct pipepair *pp, +mls_pipe_relabel(struct ucred *cred, struct pipepair *pp, struct label *pplabel, struct label *newlabel) { struct mac_mls *source, *dest; @@ -1037,11 +1029,11 @@ mac_mls_pipe_relabel(struct ucred *cred, struct pipepair *pp, source = SLOT(newlabel); dest = SLOT(pplabel); - mac_mls_copy(source, dest); + mls_copy(source, dest); } static void -mac_mls_socketpeer_set_from_mbuf(struct mbuf *m, struct label *mlabel, +mls_socketpeer_set_from_mbuf(struct mbuf *m, struct label *mlabel, struct socket *so, struct label *sopeerlabel) { struct mac_mls *source, *dest; 
@@ -1049,14 +1041,14 @@ mac_mls_socketpeer_set_from_mbuf(struct mbuf *m, struct label *mlabel, source = SLOT(mlabel); dest = SLOT(sopeerlabel); - mac_mls_copy_effective(source, dest); + mls_copy_effective(source, dest); } /* * Labeling event operations: System V IPC objects. */ static void -mac_mls_sysvmsg_create(struct ucred *cred, struct msqid_kernel *msqkptr, +mls_sysvmsg_create(struct ucred *cred, struct msqid_kernel *msqkptr, struct label *msqlabel, struct msg *msgptr, struct label *msglabel) { struct mac_mls *source, *dest; @@ -1065,11 +1057,11 @@ mac_mls_sysvmsg_create(struct ucred *cred, struct msqid_kernel *msqkptr, source = SLOT(cred->cr_label); dest = SLOT(msglabel); - mac_mls_copy_effective(source, dest); + mls_copy_effective(source, dest); } static void -mac_mls_sysvmsq_create(struct ucred *cred, struct msqid_kernel *msqkptr, +mls_sysvmsq_create(struct ucred *cred, struct msqid_kernel *msqkptr, struct label *msqlabel) { struct mac_mls *source, *dest; @@ -1077,11 +1069,11 @@ mac_mls_sysvmsq_create(struct ucred *cred, struct msqid_kernel *msqkptr, source = SLOT(cred->cr_label); dest = SLOT(msqlabel); - mac_mls_copy_effective(source, dest); + mls_copy_effective(source, dest); } static void -mac_mls_sysvsem_create(struct ucred *cred, struct semid_kernel *semakptr, +mls_sysvsem_create(struct ucred *cred, struct semid_kernel *semakptr, struct label *semalabel) { struct mac_mls *source, *dest; @@ -1089,11 +1081,11 @@ mac_mls_sysvsem_create(struct ucred *cred, struct semid_kernel *semakptr, source = SLOT(cred->cr_label); dest = SLOT(semalabel); - mac_mls_copy_effective(source, dest); + mls_copy_effective(source, dest); } static void -mac_mls_sysvshm_create(struct ucred *cred, struct shmid_kernel *shmsegptr, +mls_sysvshm_create(struct ucred *cred, struct shmid_kernel *shmsegptr, struct label *shmlabel) { struct mac_mls *source, *dest; 
@@ -1101,14 +1093,14 @@ mac_mls_sysvshm_create(struct ucred *cred, struct shmid_kernel *shmsegptr, source = SLOT(cred->cr_label); dest = SLOT(shmlabel); - mac_mls_copy_effective(source, dest); + mls_copy_effective(source, dest); } /* * Labeling event operations: network objects. */ static void -mac_mls_socketpeer_set_from_socket(struct socket *oldso, +mls_socketpeer_set_from_socket(struct socket *oldso, struct label *oldsolabel, struct socket *newso, struct label *newsopeerlabel) { @@ -1117,23 +1109,22 @@ mac_mls_socketpeer_set_from_socket(struct socket *oldso, source = SLOT(oldsolabel); dest = SLOT(newsopeerlabel); - mac_mls_copy_effective(source, dest); + mls_copy_effective(source, dest); } static void -mac_mls_bpfdesc_create(struct ucred *cred, struct bpf_d *d, - struct label *dlabel) +mls_bpfdesc_create(struct ucred *cred, struct bpf_d *d, struct label *dlabel) { struct mac_mls *source, *dest; source = SLOT(cred->cr_label); dest = SLOT(dlabel); - mac_mls_copy_effective(source, dest); + mls_copy_effective(source, dest); } static void -mac_mls_ifnet_create(struct ifnet *ifp, struct label *ifplabel) +mls_ifnet_create(struct ifnet *ifp, struct label *ifplabel) { struct mac_mls *dest; int type; @@ -1145,12 +1136,12 @@ mac_mls_ifnet_create(struct ifnet *ifp, struct label *ifplabel) else type = MAC_MLS_TYPE_LOW; - mac_mls_set_effective(dest, type, 0, NULL); - mac_mls_set_range(dest, type, 0, NULL, type, 0, NULL); + mls_set_effective(dest, type, 0, NULL); + mls_set_range(dest, type, 0, NULL, type, 0, NULL); } static void -mac_mls_ipq_create(struct mbuf *m, struct label *mlabel, struct ipq *ipq, +mls_ipq_create(struct mbuf *m, struct label *mlabel, struct ipq *ipq, struct label *ipqlabel) { struct mac_mls *source, *dest; 
@@ -1158,12 +1149,12 @@ mac_mls_ipq_create(struct mbuf *m, struct label *mlabel, struct ipq *ipq, source = SLOT(mlabel); dest = SLOT(ipqlabel); - mac_mls_copy_effective(source, dest); + mls_copy_effective(source, dest); } static void -mac_mls_ipq_reassemble(struct ipq *ipq, struct label *ipqlabel, - struct mbuf *m, struct label *mlabel) +mls_ipq_reassemble(struct ipq *ipq, struct label *ipqlabel, struct mbuf *m, + struct label *mlabel) { struct mac_mls *source, *dest; @@ -1171,23 +1162,23 @@ mac_mls_ipq_reassemble(struct ipq *ipq, struct label *ipqlabel, dest = SLOT(mlabel); /* Just use the head, since we require them all to match. */ - mac_mls_copy_effective(source, dest); + mls_copy_effective(source, dest); } static void -mac_mls_netinet_fragment(struct mbuf *m, struct label *mlabel, - struct mbuf *frag, struct label *fraglabel) +mls_netinet_fragment(struct mbuf *m, struct label *mlabel, struct mbuf *frag, + struct label *fraglabel) { struct mac_mls *source, *dest; source = SLOT(mlabel); dest = SLOT(fraglabel); - mac_mls_copy_effective(source, dest); + mls_copy_effective(source, dest); } static void -mac_mls_inpcb_create_mbuf(struct inpcb *inp, struct label *inplabel, +mls_inpcb_create_mbuf(struct inpcb *inp, struct label *inplabel, struct mbuf *m, struct label *mlabel) { struct mac_mls *source, *dest; 
@@ -1195,22 +1186,22 @@ mac_mls_inpcb_create_mbuf(struct inpcb *inp, struct label *inplabel, source = SLOT(inplabel); dest = SLOT(mlabel); - mac_mls_copy_effective(source, dest); + mls_copy_effective(source, dest); } static void -mac_mls_create_mbuf_linklayer(struct ifnet *ifp, struct label *ifplabel, +mls_create_mbuf_linklayer(struct ifnet *ifp, struct label *ifplabel, struct mbuf *m, struct label *mlabel) { struct mac_mls *dest; dest = SLOT(mlabel); - mac_mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL); + mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL); } static void -mac_mls_bpfdesc_create_mbuf(struct bpf_d *d, struct label *dlabel, +mls_bpfdesc_create_mbuf(struct bpf_d *d, struct label *dlabel, struct mbuf *m, struct label *mlabel) { struct mac_mls *source, *dest; @@ -1218,11 +1209,11 @@ mac_mls_bpfdesc_create_mbuf(struct bpf_d *d, struct label *dlabel, source = SLOT(dlabel); dest = SLOT(mlabel); - mac_mls_copy_effective(source, dest); + mls_copy_effective(source, dest); } static void -mac_mls_ifnet_create_mbuf(struct ifnet *ifp, struct label *ifplabel, +mls_ifnet_create_mbuf(struct ifnet *ifp, struct label *ifplabel, struct mbuf *m, struct label *mlabel) { struct mac_mls *source, *dest; @@ -1230,11 +1221,11 @@ mac_mls_ifnet_create_mbuf(struct ifnet *ifp, struct label *ifplabel, source = SLOT(ifplabel); dest = SLOT(mlabel); - mac_mls_copy_effective(source, dest); + mls_copy_effective(source, dest); } static void -mac_mls_mbuf_create_multicast_encap(struct mbuf *m, struct label *mlabel, +mls_mbuf_create_multicast_encap(struct mbuf *m, struct label *mlabel, struct ifnet *ifp, struct label *ifplabel, struct mbuf *mnew, struct label *mnewlabel) { 
@@ -1243,11 +1234,11 @@ mac_mls_mbuf_create_multicast_encap(struct mbuf *m, struct label *mlabel, source = SLOT(mlabel); dest = SLOT(mnewlabel); - mac_mls_copy_effective(source, dest); + mls_copy_effective(source, dest); } static void -mac_mls_mbuf_create_netlayer(struct mbuf *m, struct label *mlabel, +mls_mbuf_create_netlayer(struct mbuf *m, struct label *mlabel, struct mbuf *mnew, struct label *mnewlabel) { struct mac_mls *source, *dest; @@ -1255,11 +1246,11 @@ mac_mls_mbuf_create_netlayer(struct mbuf *m, struct label *mlabel, source = SLOT(mlabel); dest = SLOT(mnewlabel); - mac_mls_copy_effective(source, dest); + mls_copy_effective(source, dest); } static int -mac_mls_ipq_match(struct mbuf *m, struct label *mlabel, struct ipq *ipq, +mls_ipq_match(struct mbuf *m, struct label *mlabel, struct ipq *ipq, struct label *ipqlabel) { struct mac_mls *a, *b; @@ -1267,11 +1258,11 @@ mac_mls_ipq_match(struct mbuf *m, struct label *mlabel, struct ipq *ipq, a = SLOT(ipqlabel); b = SLOT(mlabel); - return (mac_mls_equal_effective(a, b)); + return (mls_equal_effective(a, b)); } static void -mac_mls_ifnet_relabel(struct ucred *cred, struct ifnet *ifp, +mls_ifnet_relabel(struct ucred *cred, struct ifnet *ifp, struct label *ifplabel, struct label *newlabel) { struct mac_mls *source, *dest; @@ -1279,11 +1270,11 @@ mac_mls_ifnet_relabel(struct ucred *cred, struct ifnet *ifp, source = SLOT(newlabel); dest = SLOT(ifplabel); - mac_mls_copy(source, dest); + mls_copy(source, dest); } static void -mac_mls_ipq_update(struct mbuf *m, struct label *mlabel, struct ipq *ipq, +mls_ipq_update(struct mbuf *m, struct label *mlabel, struct ipq *ipq, struct label *ipqlabel) { @@ -1291,7 +1282,7 @@ mac_mls_ipq_update(struct mbuf *m, struct label *mlabel, struct ipq *ipq, } static void -mac_mls_inpcb_sosetlabel(struct socket *so, struct label *solabel, +mls_inpcb_sosetlabel(struct socket *so, struct label *solabel, struct inpcb *inp, struct label *inplabel) { struct mac_mls *source, *dest; 
@@ -1299,105 +1290,107 @@ mac_mls_inpcb_sosetlabel(struct socket *so, struct label *solabel, source = SLOT(solabel); dest = SLOT(inplabel); - mac_mls_copy(source, dest); + mls_copy(source, dest); } static void -mac_mls_mbuf_create_from_firewall(struct mbuf *m, struct label *mlabel) +mls_mbuf_create_from_firewall(struct mbuf *m, struct label *mlabel) { struct mac_mls *dest; dest = SLOT(mlabel); /* XXX: where is the label for the firewall really comming from? */ - mac_mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL); + mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL); } static void -mac_mls_init_syncache_from_inpcb(struct label *label, struct inpcb *inp) +mls_init_syncache_from_inpcb(struct label *label, struct inpcb *inp) { struct mac_mls *source, *dest; source = SLOT(inp->inp_label); dest = SLOT(label); - mac_mls_copy_effective(source, dest); + + mls_copy_effective(source, dest); } static void -mac_mls_create_mbuf_from_syncache(struct label *sc_label, struct mbuf *m, +mls_create_mbuf_from_syncache(struct label *sc_label, struct mbuf *m, struct label *mlabel) { struct mac_mls *source, *dest; source = SLOT(sc_label); dest = SLOT(mlabel); - mac_mls_copy_effective(source, dest); + + mls_copy_effective(source, dest); } /* * Labeling event operations: processes. 
*/ static void -mac_mls_proc_create_swapper(struct ucred *cred) +mls_proc_create_swapper(struct ucred *cred) { struct mac_mls *dest; dest = SLOT(cred->cr_label); - mac_mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL); - mac_mls_set_range(dest, MAC_MLS_TYPE_LOW, 0, NULL, MAC_MLS_TYPE_HIGH, - 0, NULL); + mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL); + mls_set_range(dest, MAC_MLS_TYPE_LOW, 0, NULL, MAC_MLS_TYPE_HIGH, 0, + NULL); } static void -mac_mls_proc_create_init(struct ucred *cred) +mls_proc_create_init(struct ucred *cred) { struct mac_mls *dest; dest = SLOT(cred->cr_label); - mac_mls_set_effective(dest, MAC_MLS_TYPE_LOW, 0, NULL); - mac_mls_set_range(dest, MAC_MLS_TYPE_LOW, 0, NULL, MAC_MLS_TYPE_HIGH, - 0, NULL); + mls_set_effective(dest, MAC_MLS_TYPE_LOW, 0, NULL); + mls_set_range(dest, MAC_MLS_TYPE_LOW, 0, NULL, MAC_MLS_TYPE_HIGH, 0, + NULL); } static void -mac_mls_cred_relabel(struct ucred *cred, struct label *newlabel) +mls_cred_relabel(struct ucred *cred, struct label *newlabel) { struct mac_mls *source, *dest; source = SLOT(newlabel); dest = SLOT(cred->cr_label); - mac_mls_copy(source, dest); + mls_copy(source, dest); } /* * Label cleanup/flush operations. */ static void -mac_mls_sysvmsg_cleanup(struct label *msglabel) +mls_sysvmsg_cleanup(struct label *msglabel) { bzero(SLOT(msglabel), sizeof(struct mac_mls)); } static void -mac_mls_sysvmsq_cleanup(struct label *msqlabel) +mls_sysvmsq_cleanup(struct label *msqlabel) { bzero(SLOT(msqlabel), sizeof(struct mac_mls)); } static void -mac_mls_sysvsem_cleanup(struct label *semalabel) +mls_sysvsem_cleanup(struct label *semalabel) { bzero(SLOT(semalabel), sizeof(struct mac_mls)); } static void -mac_mls_sysvshm_cleanup(struct label *shmlabel) +mls_sysvshm_cleanup(struct label *shmlabel) { bzero(SLOT(shmlabel), sizeof(struct mac_mls)); 
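Review bot: The XXX comment above `mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL)` in mls_mbuf_create_from_firewall still misspells "comming" and leaves the trust assumption unstated: every mbuf originating from the firewall is labelled EQUAL, which presumably lets it satisfy the later mls_equal_effective and mls_effective_in_range delivery/transmit checks whatever the socket or interface label is — confirm against those helpers, which are outside this hunk. A rename commit need not resolve the question, but the comment could at least say what is being assumed, e.g. `/* XXX: no originating label is available for firewall-generated mbufs, so they are labelled EQUAL; this exempts them from MLS delivery/transmit checks. */`. The reflowed comment in mls_pipe_check_relabel (hunk @@ -1910) likewise keeps "a effective update" where "an effective update" is meant.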
@@ -1407,24 +1400,24 @@ mac_mls_sysvshm_cleanup(struct label *shmlabel) * Access control checks. */ static int -mac_mls_bpfdesc_check_receive(struct bpf_d *d, struct label *dlabel, +mls_bpfdesc_check_receive(struct bpf_d *d, struct label *dlabel, struct ifnet *ifp, struct label *ifplabel) { struct mac_mls *a, *b; - if (!mac_mls_enabled) + if (!mls_enabled) return (0); a = SLOT(dlabel); b = SLOT(ifplabel); - if (mac_mls_equal_effective(a, b)) + if (mls_equal_effective(a, b)) return (0); return (EACCES); } static int -mac_mls_cred_check_relabel(struct ucred *cred, struct label *newlabel) +mls_cred_check_relabel(struct ucred *cred, struct label *newlabel) { struct mac_mls *subj, *new; int error; @@ -1433,8 +1426,8 @@ mac_mls_cred_check_relabel(struct ucred *cred, struct label *newlabel) new = SLOT(newlabel); /* - * If there is an MLS label update for the credential, it may be - * an update of effective, range, or both. + * If there is an MLS label update for the credential, it may be an + * update of effective, range, or both. */ error = mls_atmostflags(new, MAC_MLS_FLAGS_BOTH); if (error) 
@@ -1445,38 +1438,36 @@ mac_mls_cred_check_relabel(struct ucred *cred, struct label *newlabel) */ if (new->mm_flags & MAC_MLS_FLAGS_BOTH) { /* - * If the change request modifies both the MLS label effective - * and range, check that the new effective will be in the - * new range. + * If the change request modifies both the MLS label + * effective and range, check that the new effective will be + * in the new range. */ if ((new->mm_flags & MAC_MLS_FLAGS_BOTH) == - MAC_MLS_FLAGS_BOTH && - !mac_mls_effective_in_range(new, new)) + MAC_MLS_FLAGS_BOTH && !mls_effective_in_range(new, new)) return (EINVAL); /* - * To change the MLS effective label on a credential, the - * new effective label must be in the current range. + * To change the MLS effective label on a credential, the new + * effective label must be in the current range. */ if (new->mm_flags & MAC_MLS_FLAG_EFFECTIVE && - !mac_mls_effective_in_range(new, subj)) + !mls_effective_in_range(new, subj)) return (EPERM); /* - * To change the MLS range label on a credential, the - * new range must be in the current range. + * To change the MLS range label on a credential, the new + * range must be in the current range. */ if (new->mm_flags & MAC_MLS_FLAG_RANGE && - !mac_mls_range_in_range(new, subj)) + !mls_range_in_range(new, subj)) return (EPERM); /* - * To have EQUAL in any component of the new credential - * MLS label, the subject must already have EQUAL in - * their label. + * To have EQUAL in any component of the new credential MLS + * label, the subject must already have EQUAL in their label. */ - if (mac_mls_contains_equal(new)) { - error = mac_mls_subject_privileged(subj); + if (mls_contains_equal(new)) { + error = mls_subject_privileged(subj); if (error) return (error); } 
@@ -1486,25 +1477,25 @@ mac_mls_cred_check_relabel(struct ucred *cred, struct label *newlabel) } static int -mac_mls_cred_check_visible(struct ucred *cr1, struct ucred *cr2) +mls_cred_check_visible(struct ucred *cr1, struct ucred *cr2) { struct mac_mls *subj, *obj; - if (!mac_mls_enabled) + if (!mls_enabled) return (0); subj = SLOT(cr1->cr_label); obj = SLOT(cr2->cr_label); /* XXX: range */ - if (!mac_mls_dominate_effective(subj, obj)) + if (!mls_dominate_effective(subj, obj)) return (ESRCH); return (0); } static int -mac_mls_ifnet_check_relabel(struct ucred *cred, struct ifnet *ifp, +mls_ifnet_check_relabel(struct ucred *cred, struct ifnet *ifp, struct label *ifplabel, struct label *newlabel) { struct mac_mls *subj, *new; @@ -1514,8 +1505,8 @@ mac_mls_ifnet_check_relabel(struct ucred *cred, struct ifnet *ifp, new = SLOT(newlabel); /* - * If there is an MLS label update for the interface, it may - * be an update of effective, range, or both. + * If there is an MLS label update for the interface, it may be an + * update of effective, range, or both. */ error = mls_atmostflags(new, MAC_MLS_FLAGS_BOTH); if (error) 
@@ -1524,138 +1515,138 @@ mac_mls_ifnet_check_relabel(struct ucred *cred, struct ifnet *ifp, /* * Relabeling network interfaces requires MLS privilege. */ - error = mac_mls_subject_privileged(subj); + error = mls_subject_privileged(subj); return (0); } static int -mac_mls_ifnet_check_transmit(struct ifnet *ifp, struct label *ifplabel, +mls_ifnet_check_transmit(struct ifnet *ifp, struct label *ifplabel, struct mbuf *m, struct label *mlabel) { struct mac_mls *p, *i; - if (!mac_mls_enabled) + if (!mls_enabled) return (0); p = SLOT(mlabel); i = SLOT(ifplabel); - return (mac_mls_effective_in_range(p, i) ? 0 : EACCES); + return (mls_effective_in_range(p, i) ? 0 : EACCES); } static int -mac_mls_inpcb_check_deliver(struct inpcb *inp, struct label *inplabel, +mls_inpcb_check_deliver(struct inpcb *inp, struct label *inplabel, struct mbuf *m, struct label *mlabel) { struct mac_mls *p, *i; - if (!mac_mls_enabled) + if (!mls_enabled) return (0); p = SLOT(mlabel); i = SLOT(inplabel); - return (mac_mls_equal_effective(p, i) ? 0 : EACCES); + return (mls_equal_effective(p, i) ? 
0 : EACCES); } static int -mac_mls_sysvmsq_check_msgrcv(struct ucred *cred, struct msg *msgptr, +mls_sysvmsq_check_msgrcv(struct ucred *cred, struct msg *msgptr, struct label *msglabel) { struct mac_mls *subj, *obj; - if (!mac_mls_enabled) + if (!mls_enabled) return (0); subj = SLOT(cred->cr_label); obj = SLOT(msglabel); - if (!mac_mls_dominate_effective(subj, obj)) + if (!mls_dominate_effective(subj, obj)) return (EACCES); return (0); } static int -mac_mls_sysvmsq_check_msgrmid(struct ucred *cred, struct msg *msgptr, +mls_sysvmsq_check_msgrmid(struct ucred *cred, struct msg *msgptr, struct label *msglabel) { struct mac_mls *subj, *obj; - if (!mac_mls_enabled) + if (!mls_enabled) return (0); subj = SLOT(cred->cr_label); obj = SLOT(msglabel); - if (!mac_mls_dominate_effective(obj, subj)) + if (!mls_dominate_effective(obj, subj)) return (EACCES); return (0); } static int -mac_mls_sysvmsq_check_msqget(struct ucred *cred, - struct msqid_kernel *msqkptr, struct label *msqklabel) +mls_sysvmsq_check_msqget(struct ucred *cred, struct msqid_kernel *msqkptr, + struct label *msqklabel) { struct mac_mls *subj, *obj; - if (!mac_mls_enabled) + if (!mls_enabled) return (0); subj = SLOT(cred->cr_label); obj = SLOT(msqklabel); - if (!mac_mls_dominate_effective(subj, obj)) + if (!mls_dominate_effective(subj, obj)) return (EACCES); return (0); } static int -mac_mls_sysvmsq_check_msqsnd(struct ucred *cred, - struct msqid_kernel *msqkptr, struct label *msqklabel) +mls_sysvmsq_check_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr, + struct label *msqklabel) { struct mac_mls *subj, *obj; - if (!mac_mls_enabled) + if (!mls_enabled) return (0); subj = SLOT(cred->cr_label); obj = SLOT(msqklabel); - if (!mac_mls_dominate_effective(obj, subj)) + if (!mls_dominate_effective(obj, subj)) return (EACCES); return (0); } static int -mac_mls_sysvmsq_check_msqrcv(struct ucred *cred, - struct msqid_kernel *msqkptr, struct label *msqklabel) +mls_sysvmsq_check_msqrcv(struct ucred *cred, struct 
msqid_kernel *msqkptr, + struct label *msqklabel) { struct mac_mls *subj, *obj; - if (!mac_mls_enabled) + if (!mls_enabled) return (0); subj = SLOT(cred->cr_label); obj = SLOT(msqklabel); - if (!mac_mls_dominate_effective(subj, obj)) + if (!mls_dominate_effective(subj, obj)) return (EACCES); return (0); } static int -mac_mls_sysvmsq_check_msqctl(struct ucred *cred, - struct msqid_kernel *msqkptr, struct label *msqklabel, int cmd) +mls_sysvmsq_check_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr, + struct label *msqklabel, int cmd) { struct mac_mls *subj, *obj; - if (!mac_mls_enabled) + if (!mls_enabled) return (0); subj = SLOT(cred->cr_label); @@ -1664,12 +1655,12 @@ mac_mls_sysvmsq_check_msqctl(struct ucred *cred, switch(cmd) { case IPC_RMID: case IPC_SET: - if (!mac_mls_dominate_effective(obj, subj)) + if (!mls_dominate_effective(obj, subj)) return (EACCES); break; case IPC_STAT: - if (!mac_mls_dominate_effective(subj, obj)) + if (!mls_dominate_effective(subj, obj)) return (EACCES); break; @@ -1681,12 +1672,12 @@ mac_mls_sysvmsq_check_msqctl(struct ucred *cred, } static int -mac_mls_sysvsem_check_semctl(struct ucred *cred, - struct semid_kernel *semakptr, struct label *semaklabel, int cmd) +mls_sysvsem_check_semctl(struct ucred *cred, struct semid_kernel *semakptr, + struct label *semaklabel, int cmd) { struct mac_mls *subj, *obj; - if (!mac_mls_enabled) + if (!mls_enabled) return (0); subj = SLOT(cred->cr_label); @@ -1697,7 +1688,7 @@ mac_mls_sysvsem_check_semctl(struct ucred *cred, case IPC_SET: case SETVAL: case SETALL: - if (!mac_mls_dominate_effective(obj, subj)) + if (!mls_dominate_effective(obj, subj)) return (EACCES); break; @@ -1707,7 +1698,7 @@ mac_mls_sysvsem_check_semctl(struct ucred *cred, case GETNCNT: case GETZCNT: case GETALL: - if (!mac_mls_dominate_effective(subj, obj)) + if (!mls_dominate_effective(subj, obj)) return (EACCES); break; 
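Review bot: `error = mls_subject_privileged(subj);` at the top of this hunk is immediately followed by the unchanged `return (0);`, so the privilege result is computed and discarded and mls_ifnet_check_relabel never denies an interface relabel on privilege grounds, contradicting the comment directly above it; the rename preserves this. The enclosing function starts in the previous hunk, where `error` is already returned from the mls_atmostflags check, so the same pattern is expected here. The fix is the one line `return (error);` in place of `return (0);`.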
@@ -1719,75 +1710,75 @@ mac_mls_sysvsem_check_semctl(struct ucred *cred, } static int -mac_mls_sysvsem_check_semget(struct ucred *cred, - struct semid_kernel *semakptr, struct label *semaklabel) +mls_sysvsem_check_semget(struct ucred *cred, struct semid_kernel *semakptr, + struct label *semaklabel) { struct mac_mls *subj, *obj; - if (!mac_mls_enabled) + if (!mls_enabled) return (0); subj = SLOT(cred->cr_label); obj = SLOT(semaklabel); - if (!mac_mls_dominate_effective(subj, obj)) + if (!mls_dominate_effective(subj, obj)) return (EACCES); return (0); } static int -mac_mls_sysvsem_check_semop(struct ucred *cred, - struct semid_kernel *semakptr, struct label *semaklabel, - size_t accesstype) +mls_sysvsem_check_semop(struct ucred *cred, struct semid_kernel *semakptr, + struct label *semaklabel, size_t accesstype) { struct mac_mls *subj, *obj; - if (!mac_mls_enabled) + if (!mls_enabled) return (0); subj = SLOT(cred->cr_label); obj = SLOT(semaklabel); if( accesstype & SEM_R ) - if (!mac_mls_dominate_effective(subj, obj)) + if (!mls_dominate_effective(subj, obj)) return (EACCES); if( accesstype & SEM_A ) - if (!mac_mls_dominate_effective(obj, subj)) + if (!mls_dominate_effective(obj, subj)) return (EACCES); return (0); } static int -mac_mls_sysvshm_check_shmat(struct ucred *cred, - struct shmid_kernel *shmsegptr, struct label *shmseglabel, int shmflg) +mls_sysvshm_check_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr, + struct label *shmseglabel, int shmflg) { struct mac_mls *subj, *obj; - if (!mac_mls_enabled) + if (!mls_enabled) return (0); subj = SLOT(cred->cr_label); obj = SLOT(shmseglabel); - if (!mac_mls_dominate_effective(subj, obj)) - return (EACCES); - if ((shmflg & SHM_RDONLY) == 0) - if (!mac_mls_dominate_effective(obj, subj)) + if (!mls_dominate_effective(subj, obj)) + return (EACCES); + if ((shmflg & SHM_RDONLY) == 0) { + if (!mls_dominate_effective(obj, subj)) return (EACCES); + } return (0); } static int -mac_mls_sysvshm_check_shmctl(struct ucred 
*cred, - struct shmid_kernel *shmsegptr, struct label *shmseglabel, int cmd) +mls_sysvshm_check_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr, + struct label *shmseglabel, int cmd) { struct mac_mls *subj, *obj; - if (!mac_mls_enabled) + if (!mls_enabled) return (0); subj = SLOT(cred->cr_label); @@ -1796,13 +1787,13 @@ mac_mls_sysvshm_check_shmctl(struct ucred *cred, switch(cmd) { case IPC_RMID: case IPC_SET: - if (!mac_mls_dominate_effective(obj, subj)) + if (!mls_dominate_effective(obj, subj)) return (EACCES); break; case IPC_STAT: case SHM_STAT: - if (!mac_mls_dominate_effective(subj, obj)) + if (!mls_dominate_effective(subj, obj)) return (EACCES); break; @@ -1814,47 +1805,47 @@ mac_mls_sysvshm_check_shmctl(struct ucred *cred, } static int -mac_mls_sysvshm_check_shmget(struct ucred *cred, - struct shmid_kernel *shmsegptr, struct label *shmseglabel, int shmflg) +mls_sysvshm_check_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr, + struct label *shmseglabel, int shmflg) { struct mac_mls *subj, *obj; - if (!mac_mls_enabled) + if (!mls_enabled) return (0); subj = SLOT(cred->cr_label); obj = SLOT(shmseglabel); - if (!mac_mls_dominate_effective(obj, subj)) + if (!mls_dominate_effective(obj, subj)) return (EACCES); return (0); } static int -mac_mls_mount_check_stat(struct ucred *cred, struct mount *mp, +mls_mount_check_stat(struct ucred *cred, struct mount *mp, struct label *mntlabel) { struct mac_mls *subj, *obj; - if (!mac_mls_enabled) + if (!mls_enabled) return (0); subj = SLOT(cred->cr_label); obj = SLOT(mntlabel); - if (!mac_mls_dominate_effective(subj, obj)) + if (!mls_dominate_effective(subj, obj)) return (EACCES); return (0); } static int -mac_mls_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp, +mls_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp, struct label *pplabel, unsigned long cmd, void /* caddr_t */ *data) { - if(!mac_mls_enabled) + if (!mls_enabled) return (0); /* XXX: This will be implemented soon... */ 
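Review bot: `if( accesstype & SEM_R )` and `if( accesstype & SEM_A )` in mls_sysvsem_check_semop keep the `if(` spacing that this same commit normalizes to `if (` in mls_pipe_check_ioctl (hunk @@ -1814), and their nested single-statement ifs are left unbraced while mls_sysvshm_check_shmat in this same hunk gains braces around the equivalent nested check. For consistency with what the commit otherwise does, the two tests would read `if (accesstype & SEM_R) {` and `if (accesstype & SEM_A) {` with a closing `}` after each inner `return (EACCES);`.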
@@ -1863,43 +1854,43 @@ mac_mls_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp, } static int -mac_mls_pipe_check_poll(struct ucred *cred, struct pipepair *pp, +mls_pipe_check_poll(struct ucred *cred, struct pipepair *pp, struct label *pplabel) { struct mac_mls *subj, *obj; - if (!mac_mls_enabled) + if (!mls_enabled) return (0); subj = SLOT(cred->cr_label); obj = SLOT(pplabel); - if (!mac_mls_dominate_effective(subj, obj)) + if (!mls_dominate_effective(subj, obj)) return (EACCES); return (0); } static int -mac_mls_pipe_check_read(struct ucred *cred, struct pipepair *pp, +mls_pipe_check_read(struct ucred *cred, struct pipepair *pp, struct label *pplabel) { struct mac_mls *subj, *obj; - if (!mac_mls_enabled) + if (!mls_enabled) return (0); subj = SLOT(cred->cr_label); obj = SLOT(pplabel); - if (!mac_mls_dominate_effective(subj, obj)) + if (!mls_dominate_effective(subj, obj)) return (EACCES); return (0); } static int -mac_mls_pipe_check_relabel(struct ucred *cred, struct pipepair *pp, +mls_pipe_check_relabel(struct ucred *cred, struct pipepair *pp, struct label *pplabel, struct label *newlabel) { struct mac_mls *subj, *obj, *new; @@ -1910,8 +1901,8 @@ mac_mls_pipe_check_relabel(struct ucred *cred, struct pipepair *pp, obj = SLOT(pplabel); /* - * If there is an MLS label update for a pipe, it must be a - * effective update. + * If there is an MLS label update for a pipe, it must be a effective + * update. */ error = mls_atmostflags(new, MAC_MLS_FLAG_EFFECTIVE); if (error) @@ -1921,7 +1912,7 @@ mac_mls_pipe_check_relabel(struct ucred *cred, struct pipepair *pp, * To perform a relabel of a pipe (MLS label or not), MLS must * authorize the relabel. */ - if (!mac_mls_effective_in_range(obj, subj)) + if (!mls_effective_in_range(obj, subj)) return (EPERM); /* 
@@ -1929,18 +1920,18 @@ mac_mls_pipe_check_relabel(struct ucred *cred, struct pipepair *pp, */ if (new->mm_flags & MAC_MLS_FLAG_EFFECTIVE) { /* - * To change the MLS label on a pipe, the new pipe label - * must be in the subject range. + * To change the MLS label on a pipe, the new pipe label must + * be in the subject range. */ - if (!mac_mls_effective_in_range(new, subj)) + if (!mls_effective_in_range(new, subj)) return (EPERM); /* - * To change the MLS label on a pipe to be EQUAL, the - * subject must have appropriate privilege. + * To change the MLS label on a pipe to be EQUAL, the subject + * must have appropriate privilege. */ - if (mac_mls_contains_equal(new)) { - error = mac_mls_subject_privileged(subj); + if (mls_contains_equal(new)) { + error = mls_subject_privileged(subj); if (error) return (error); } 
@@ -1950,154 +1941,154 @@ mac_mls_pipe_check_relabel(struct ucred *cred, struct pipepair *pp, } static int -mac_mls_pipe_check_stat(struct ucred *cred, struct pipepair *pp, +mls_pipe_check_stat(struct ucred *cred, struct pipepair *pp, struct label *pplabel) { struct mac_mls *subj, *obj; - if (!mac_mls_enabled) + if (!mls_enabled) return (0); subj = SLOT(cred->cr_label); obj = SLOT(pplabel); - if (!mac_mls_dominate_effective(subj, obj)) + if (!mls_dominate_effective(subj, obj)) return (EACCES); return (0); } static int -mac_mls_pipe_check_write(struct ucred *cred, struct pipepair *pp, +mls_pipe_check_write(struct ucred *cred, struct pipepair *pp, struct label *pplabel) { struct mac_mls *subj, *obj; - if (!mac_mls_enabled) + if (!mls_enabled) return (0); subj = SLOT(cred->cr_label); obj = SLOT(pplabel); - if (!mac_mls_dominate_effective(obj, subj)) + if (!mls_dominate_effective(obj, subj)) return (EACCES); return (0); } static int -mac_mls_posixsem_check_write(struct ucred *cred, struct ksem *ks, +mls_posixsem_check_write(struct ucred *cred, struct ksem *ks, struct label *kslabel) { struct mac_mls *subj, *obj; - if (!mac_mls_enabled) + if (!mls_enabled) return (0); subj = SLOT(cred->cr_label); obj = SLOT(kslabel); - if (!mac_mls_dominate_effective(obj, subj)) + if (!mls_dominate_effective(obj, subj)) return (EACCES); return (0); } static int -mac_mls_posixsem_check_rdonly(struct ucred *cred, struct ksem *ks, +mls_posixsem_check_rdonly(struct ucred *cred, struct ksem *ks, struct label *kslabel) { struct mac_mls *subj, *obj; - if (!mac_mls_enabled) + if (!mls_enabled) return (0); subj = SLOT(cred->cr_label); obj = SLOT(kslabel); - if (!mac_mls_dominate_effective(subj, obj)) + if (!mls_dominate_effective(subj, obj)) return (EACCES); return (0); } static int -mac_mls_proc_check_debug(struct ucred *cred, struct proc *p) +mls_proc_check_debug(struct ucred *cred, struct proc *p) { struct mac_mls *subj, *obj; - if (!mac_mls_enabled) + if (!mls_enabled) return (0); subj = 
SLOT(cred->cr_label); obj = SLOT(p->p_ucred->cr_label); /* XXX: range checks */ - if (!mac_mls_dominate_effective(subj, obj)) + if (!mls_dominate_effective(subj, obj)) return (ESRCH); - if (!mac_mls_dominate_effective(obj, subj)) + if (!mls_dominate_effective(obj, subj)) return (EACCES); return (0); } static int -mac_mls_proc_check_sched(struct ucred *cred, struct proc *p) +mls_proc_check_sched(struct ucred *cred, struct proc *p) { struct mac_mls *subj, *obj; - if (!mac_mls_enabled) + if (!mls_enabled) return (0); subj = SLOT(cred->cr_label); obj = SLOT(p->p_ucred->cr_label); /* XXX: range checks */ - if (!mac_mls_dominate_effective(subj, obj)) + if (!mls_dominate_effective(subj, obj)) return (ESRCH); - if (!mac_mls_dominate_effective(obj, subj)) + if (!mls_dominate_effective(obj, subj)) return (EACCES); return (0); } static int -mac_mls_proc_check_signal(struct ucred *cred, struct proc *p, int signum) +mls_proc_check_signal(struct ucred *cred, struct proc *p, int signum) { struct mac_mls *subj, *obj; - if (!mac_mls_enabled) + if (!mls_enabled) return (0); subj = SLOT(cred->cr_label); obj = SLOT(p->p_ucred->cr_label); /* XXX: range checks */ - if (!mac_mls_dominate_effective(subj, obj)) + if (!mls_dominate_effective(subj, obj)) return (ESRCH); - if (!mac_mls_dominate_effective(obj, subj)) + if (!mls_dominate_effective(obj, subj)) return (EACCES); return (0); } static int -mac_mls_socket_check_deliver(struct socket *so, struct label *solabel, +mls_socket_check_deliver(struct socket *so, struct label *solabel, struct mbuf *m, struct label *mlabel) { struct mac_mls *p, *s; - if (!mac_mls_enabled) + if (!mls_enabled) return (0); p = SLOT(mlabel); s = SLOT(solabel); - return (mac_mls_equal_effective(p, s) ? 0 : EACCES); + return (mls_equal_effective(p, s) ? 
0 : EACCES); } static int -mac_mls_socket_check_relabel(struct ucred *cred, struct socket *so, +mls_socket_check_relabel(struct ucred *cred, struct socket *so, struct label *solabel, struct label *newlabel) { struct mac_mls *subj, *obj, *new; @@ -2108,18 +2099,18 @@ mac_mls_socket_check_relabel(struct ucred *cred, struct socket *so, obj = SLOT(solabel); /* - * If there is an MLS label update for the socket, it may be - * an update of effective. + * If there is an MLS label update for the socket, it may be an + * update of effective. */ error = mls_atmostflags(new, MAC_MLS_FLAG_EFFECTIVE); if (error) return (error); /* - * To relabel a socket, the old socket effective must be in the subject - * range. + * To relabel a socket, the old socket effective must be in the + * subject range. */ - if (!mac_mls_effective_in_range(obj, subj)) + if (!mls_effective_in_range(obj, subj)) return (EPERM); /* @@ -2130,15 +2121,15 @@ mac_mls_socket_check_relabel(struct ucred *cred, struct socket *so, * To relabel a socket, the new socket effective must be in * the subject range. */ - if (!mac_mls_effective_in_range(new, subj)) + if (!mls_effective_in_range(new, subj)) return (EPERM); /* * To change the MLS label on the socket to contain EQUAL, * the subject must have appropriate privilege. */ - if (mac_mls_contains_equal(new)) { - error = mac_mls_subject_privileged(subj); + if (mls_contains_equal(new)) { + error = mls_subject_privileged(subj); if (error) return (error); } 
@@ -2148,172 +2139,172 @@ mac_mls_socket_check_relabel(struct ucred *cred, struct socket *so, } static int -mac_mls_socket_check_visible(struct ucred *cred, struct socket *so, +mls_socket_check_visible(struct ucred *cred, struct socket *so, struct label *solabel) { struct mac_mls *subj, *obj; - if (!mac_mls_enabled) + if (!mls_enabled) return (0); subj = SLOT(cred->cr_label); obj = SLOT(solabel); - if (!mac_mls_dominate_effective(subj, obj)) + if (!mls_dominate_effective(subj, obj)) return (ENOENT); return (0); } static int -mac_mls_system_check_acct(struct ucred *cred, struct vnode *vp, +mls_system_check_acct(struct ucred *cred, struct vnode *vp, struct label *vplabel) { struct mac_mls *subj, *obj; - if (!mac_mls_enabled) + if (!mls_enabled) return (0); subj = SLOT(cred->cr_label); obj = SLOT(vplabel); - if (!mac_mls_dominate_effective(obj, subj) || - !mac_mls_dominate_effective(subj, obj)) + if (!mls_dominate_effective(obj, subj) || + !mls_dominate_effective(subj, obj)) return (EACCES); return (0); } static int -mac_mls_system_check_auditctl(struct ucred *cred, struct vnode *vp, +mls_system_check_auditctl(struct ucred *cred, struct vnode *vp, struct label *vplabel) { struct mac_mls *subj, *obj; - if (!mac_mls_enabled) + if (!mls_enabled) return (0); subj = SLOT(cred->cr_label); obj = SLOT(vplabel); - if (!mac_mls_dominate_effective(obj, subj) || - !mac_mls_dominate_effective(subj, obj)) + if (!mls_dominate_effective(obj, subj) || + !mls_dominate_effective(subj, obj)) return (EACCES); return (0); } static int -mac_mls_system_check_swapon(struct ucred *cred, struct vnode *vp, +mls_system_check_swapon(struct ucred *cred, struct vnode *vp, struct label *vplabel) { struct mac_mls *subj, *obj; - if (!mac_mls_enabled) + if (!mls_enabled) return (0); subj = SLOT(cred->cr_label); obj = SLOT(vplabel); - if (!mac_mls_dominate_effective(obj, subj) || - !mac_mls_dominate_effective(subj, obj)) + if (!mls_dominate_effective(obj, subj) || + !mls_dominate_effective(subj, obj)) 
return (EACCES); return (0); } static int -mac_mls_vnode_check_chdir(struct ucred *cred, struct vnode *dvp, +mls_vnode_check_chdir(struct ucred *cred, struct vnode *dvp, struct label *dvplabel) { struct mac_mls *subj, *obj; - if (!mac_mls_enabled) + if (!mls_enabled) return (0); subj = SLOT(cred->cr_label); obj = SLOT(dvplabel); - if (!mac_mls_dominate_effective(subj, obj)) + if (!mls_dominate_effective(subj, obj)) return (EACCES); return (0); } static int -mac_mls_vnode_check_chroot(struct ucred *cred, struct vnode *dvp, +mls_vnode_check_chroot(struct ucred *cred, struct vnode *dvp, struct label *dvplabel) { struct mac_mls *subj, *obj; - if (!mac_mls_enabled) + if (!mls_enabled) return (0); subj = SLOT(cred->cr_label); obj = SLOT(dvplabel); - if (!mac_mls_dominate_effective(subj, obj)) + if (!mls_dominate_effective(subj, obj)) return (EACCES); return (0); } static int -mac_mls_vnode_check_create(struct ucred *cred, struct vnode *dvp, +mls_vnode_check_create(struct ucred *cred, struct vnode *dvp, struct label *dvplabel, struct componentname *cnp, struct vattr *vap) { struct mac_mls *subj, *obj; - if (!mac_mls_enabled) + if (!mls_enabled) return (0); subj = SLOT(cred->cr_label); obj = SLOT(dvplabel); - if (!mac_mls_dominate_effective(obj, subj)) + if (!mls_dominate_effective(obj, subj)) return (EACCES); return (0); } static int -mac_mls_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp, +mls_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp, struct label *vplabel, acl_type_t type) { struct mac_mls *subj, *obj; - if (!mac_mls_enabled) + if (!mls_enabled) return (0); subj = SLOT(cred->cr_label); obj = SLOT(vplabel); - if (!mac_mls_dominate_effective(obj, subj)) + if (!mls_dominate_effective(obj, subj)) return (EACCES); return (0); } static int -mac_mls_vnode_check_deleteextattr(struct ucred *cred, struct vnode *vp, +mls_vnode_check_deleteextattr(struct ucred *cred, struct vnode *vp, struct label *vplabel, int attrnamespace, const char *name) { struct 
mac_mls *subj, *obj; - if (!mac_mls_enabled) + if (!mls_enabled) return (0); subj = SLOT(cred->cr_label); obj = SLOT(vplabel); - if (!mac_mls_dominate_effective(obj, subj)) + if (!mls_dominate_effective(obj, subj)) return (EACCES); return (0); } static int -mac_mls_vnode_check_exec(struct ucred *cred, struct vnode *vp, +mls_vnode_check_exec(struct ucred *cred, struct vnode *vp, struct label *vplabel, struct image_params *imgp, struct label *execlabel) { @@ -2323,8 +2314,8 @@ mac_mls_vnode_check_exec(struct ucred *cred, struct vnode *vp, if (execlabel != NULL) { /* * We currently don't permit labels to be changed at - * exec-time as part of MLS, so disallow non-NULL - * MLS label elements in the execlabel. + * exec-time as part of MLS, so disallow non-NULL MLS label + * elements in the execlabel. */ exec = SLOT(execlabel); error = mls_atmostflags(exec, 0); 
@@ -2332,117 +2323,117 @@ mac_mls_vnode_check_exec(struct ucred *cred, struct vnode *vp, return (error); } - if (!mac_mls_enabled) + if (!mls_enabled) return (0); subj = SLOT(cred->cr_label); obj = SLOT(vplabel); - if (!mac_mls_dominate_effective(subj, obj)) + if (!mls_dominate_effective(subj, obj)) return (EACCES); return (0); } static int -mac_mls_vnode_check_getacl(struct ucred *cred, struct vnode *vp, +mls_vnode_check_getacl(struct ucred *cred, struct vnode *vp, struct label *vplabel, acl_type_t type) { struct mac_mls *subj, *obj; - if (!mac_mls_enabled) + if (!mls_enabled) return (0); subj = SLOT(cred->cr_label); obj = SLOT(vplabel); - if (!mac_mls_dominate_effective(subj, obj)) + if (!mls_dominate_effective(subj, obj)) return (EACCES); return (0); } static int -mac_mls_vnode_check_getextattr(struct ucred *cred, struct vnode *vp, +mls_vnode_check_getextattr(struct ucred *cred, struct vnode *vp, struct label *vplabel, int attrnamespace, const char *name, struct uio *uio) { struct mac_mls *subj, *obj; - if (!mac_mls_enabled) + if (!mls_enabled) return (0); subj = SLOT(cred->cr_label); obj = SLOT(vplabel); - if (!mac_mls_dominate_effective(subj, obj)) + if (!mls_dominate_effective(subj, obj)) return (EACCES); return (0); } static int -mac_mls_vnode_check_link(struct ucred *cred, struct vnode *dvp, +mls_vnode_check_link(struct ucred *cred, struct vnode *dvp, struct label *dvplabel, struct vnode *vp, struct label *vplabel, struct componentname *cnp) { struct mac_mls *subj, *obj; - if (!mac_mls_enabled) + if (!mls_enabled) return (0); subj = SLOT(cred->cr_label); obj = SLOT(dvplabel); - if (!mac_mls_dominate_effective(obj, subj)) + if (!mls_dominate_effective(obj, subj)) return (EACCES); obj = SLOT(vplabel); - if (!mac_mls_dominate_effective(obj, subj)) + if (!mls_dominate_effective(obj, subj)) return (EACCES); return (0); } static int -mac_mls_vnode_check_listextattr(struct ucred *cred, struct vnode *vp, +mls_vnode_check_listextattr(struct ucred *cred, struct vnode 
*vp, struct label *vplabel, int attrnamespace) { struct mac_mls *subj, *obj; - if (!mac_mls_enabled) + if (!mls_enabled) return (0); subj = SLOT(cred->cr_label); obj = SLOT(vplabel); - if (!mac_mls_dominate_effective(subj, obj)) + if (!mls_dominate_effective(subj, obj)) return (EACCES); return (0); } static int -mac_mls_vnode_check_lookup(struct ucred *cred, struct vnode *dvp, +mls_vnode_check_lookup(struct ucred *cred, struct vnode *dvp, struct label *dvplabel, struct componentname *cnp) { struct mac_mls *subj, *obj; - if (!mac_mls_enabled) + if (!mls_enabled) return (0); subj = SLOT(cred->cr_label); obj = SLOT(dvplabel); - if (!mac_mls_dominate_effective(subj, obj)) + if (!mls_dominate_effective(subj, obj)) return (EACCES); return (0); } static int -mac_mls_vnode_check_mmap(struct ucred *cred, struct vnode *vp, +mls_vnode_check_mmap(struct ucred *cred, struct vnode *vp, struct label *vplabel, int prot, int flags) { struct mac_mls *subj, *obj; @@ -2451,18 +2442,18 @@ mac_mls_vnode_check_mmap(struct ucred *cred, struct vnode *vp, * Rely on the use of open()-time protections to handle * non-revocation cases. */ - if (!mac_mls_enabled || !revocation_enabled) + if (!mls_enabled || !revocation_enabled) return (0); subj = SLOT(cred->cr_label); obj = SLOT(vplabel); if (prot & (VM_PROT_READ | VM_PROT_EXECUTE)) { - if (!mac_mls_dominate_effective(subj, obj)) + if (!mls_dominate_effective(subj, obj)) return (EACCES); } if (((prot & VM_PROT_WRITE) != 0) && ((flags & MAP_SHARED) != 0)) { - if (!mac_mls_dominate_effective(obj, subj)) + if (!mls_dominate_effective(obj, subj)) return (EACCES); } @@ -2470,12 +2461,12 @@ mac_mls_vnode_check_mmap(struct ucred *cred, struct vnode *vp, } static int -mac_mls_vnode_check_open(struct ucred *cred, struct vnode *vp, +mls_vnode_check_open(struct ucred *cred, struct vnode *vp, struct label *vplabel, int acc_mode) { struct mac_mls *subj, *obj; - if (!mac_mls_enabled) + if (!mls_enabled) return (0); subj = SLOT(cred->cr_label); 
@@ -2483,11 +2474,11 @@ mac_mls_vnode_check_open(struct ucred *cred, struct vnode *vp, /* XXX privilege override for admin? */ if (acc_mode & (VREAD | VEXEC | VSTAT)) { - if (!mac_mls_dominate_effective(subj, obj)) + if (!mls_dominate_effective(subj, obj)) return (EACCES); } if (acc_mode & (VWRITE | VAPPEND | VADMIN)) { - if (!mac_mls_dominate_effective(obj, subj)) + if (!mls_dominate_effective(obj, subj)) return (EACCES); } 
@@ -2495,79 +2486,79 @@ mac_mls_vnode_check_open(struct ucred *cred, struct vnode *vp, } static int -mac_mls_vnode_check_poll(struct ucred *active_cred, struct ucred *file_cred, +mls_vnode_check_poll(struct ucred *active_cred, struct ucred *file_cred, struct vnode *vp, struct label *vplabel) { struct mac_mls *subj, *obj; - if (!mac_mls_enabled || !revocation_enabled) + if (!mls_enabled || !revocation_enabled) return (0); subj = SLOT(active_cred->cr_label); obj = SLOT(vplabel); - if (!mac_mls_dominate_effective(subj, obj)) + if (!mls_dominate_effective(subj, obj)) return (EACCES); return (0); } static int -mac_mls_vnode_check_read(struct ucred *active_cred, struct ucred *file_cred, +mls_vnode_check_read(struct ucred *active_cred, struct ucred *file_cred, struct vnode *vp, struct label *vplabel) { struct mac_mls *subj, *obj; - if (!mac_mls_enabled || !revocation_enabled) + if (!mls_enabled || !revocation_enabled) return (0); subj = SLOT(active_cred->cr_label); obj = SLOT(vplabel); - if (!mac_mls_dominate_effective(subj, obj)) + if (!mls_dominate_effective(subj, obj)) return (EACCES); return (0); } static int -mac_mls_vnode_check_readdir(struct ucred *cred, struct vnode *dvp, +mls_vnode_check_readdir(struct ucred *cred, struct vnode *dvp, struct label *dvplabel) { struct mac_mls *subj, *obj; - if (!mac_mls_enabled) + if (!mls_enabled) return (0); subj = SLOT(cred->cr_label); obj = SLOT(dvplabel); - if (!mac_mls_dominate_effective(subj, obj)) + if (!mls_dominate_effective(subj, obj)) return (EACCES); return (0); } static int -mac_mls_vnode_check_readlink(struct ucred *cred, struct vnode *vp, +mls_vnode_check_readlink(struct ucred *cred, struct vnode *vp, struct label *vplabel) { struct mac_mls *subj, *obj; - if (!mac_mls_enabled) + if (!mls_enabled) return (0); subj = SLOT(cred->cr_label); obj = SLOT(vplabel); - if (!mac_mls_dominate_effective(subj, obj)) + if (!mls_dominate_effective(subj, obj)) return (EACCES); return (0); } static int 
-mac_mls_vnode_check_relabel(struct ucred *cred, struct vnode *vp, +mls_vnode_check_relabel(struct ucred *cred, struct vnode *vp, struct label *vplabel, struct label *newlabel) { struct mac_mls *old, *new, *subj; @@ -2589,7 +2580,7 @@ mac_mls_vnode_check_relabel(struct ucred *cred, struct vnode *vp, * To perform a relabel of the vnode (MLS label or not), MLS must * authorize the relabel. */ - if (!mac_mls_effective_in_range(old, subj)) + if (!mls_effective_in_range(old, subj)) return (EPERM); /* @@ -2600,15 +2591,15 @@ mac_mls_vnode_check_relabel(struct ucred *cred, struct vnode *vp, * To change the MLS label on a vnode, the new vnode label * must be in the subject range. */ - if (!mac_mls_effective_in_range(new, subj)) + if (!mls_effective_in_range(new, subj)) return (EPERM); /* - * To change the MLS label on the vnode to be EQUAL, - * the subject must have appropriate privilege. + * To change the MLS label on the vnode to be EQUAL, the + * subject must have appropriate privilege. */ - if (mac_mls_contains_equal(new)) { - error = mac_mls_subject_privileged(subj); + if (mls_contains_equal(new)) { + error = mls_subject_privileged(subj); if (error) return (error); } 
@@ -2618,49 +2609,49 @@ mac_mls_vnode_check_relabel(struct ucred *cred, struct vnode *vp, } static int -mac_mls_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp, +mls_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp, struct label *dvplabel, struct vnode *vp, struct label *vplabel, struct componentname *cnp) { struct mac_mls *subj, *obj; - if (!mac_mls_enabled) + if (!mls_enabled) return (0); subj = SLOT(cred->cr_label); obj = SLOT(dvplabel); - if (!mac_mls_dominate_effective(obj, subj)) + if (!mls_dominate_effective(obj, subj)) return (EACCES); obj = SLOT(vplabel); - if (!mac_mls_dominate_effective(obj, subj)) + if (!mls_dominate_effective(obj, subj)) return (EACCES); return (0); } static int -mac_mls_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp, +mls_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp, struct label *dvplabel, struct vnode *vp, struct label *vplabel, int samedir, struct componentname *cnp) { struct mac_mls *subj, *obj; - if (!mac_mls_enabled) + if (!mls_enabled) return (0); subj = SLOT(cred->cr_label); obj = SLOT(dvplabel); - if (!mac_mls_dominate_effective(obj, subj)) + if (!mls_dominate_effective(obj, subj)) return (EACCES); if (vp != NULL) { obj = SLOT(vplabel); - if (!mac_mls_dominate_effective(obj, subj)) + if (!mls_dominate_effective(obj, subj)) return (EACCES); } 
@@ -2668,55 +2659,55 @@ mac_mls_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp, } static int -mac_mls_vnode_check_revoke(struct ucred *cred, struct vnode *vp, +mls_vnode_check_revoke(struct ucred *cred, struct vnode *vp, struct label *vplabel) { struct mac_mls *subj, *obj; - if (!mac_mls_enabled) + if (!mls_enabled) return (0); subj = SLOT(cred->cr_label); obj = SLOT(vplabel); - if (!mac_mls_dominate_effective(obj, subj)) + if (!mls_dominate_effective(obj, subj)) return (EACCES); return (0); } static int -mac_mls_vnode_check_setacl(struct ucred *cred, struct vnode *vp, +mls_vnode_check_setacl(struct ucred *cred, struct vnode *vp, struct label *vplabel, acl_type_t type, struct acl *acl) { struct mac_mls *subj, *obj; - if (!mac_mls_enabled) + if (!mls_enabled) return (0); subj = SLOT(cred->cr_label); obj = SLOT(vplabel); - if (!mac_mls_dominate_effective(obj, subj)) + if (!mls_dominate_effective(obj, subj)) return (EACCES); return (0); } static int -mac_mls_vnode_check_setextattr(struct ucred *cred, struct vnode *vp, +mls_vnode_check_setextattr(struct ucred *cred, struct vnode *vp, struct label *vplabel, int attrnamespace, const char *name, struct uio *uio) { struct mac_mls *subj, *obj; - if (!mac_mls_enabled) + if (!mls_enabled) return (0); subj = SLOT(cred->cr_label); obj = SLOT(vplabel); - if (!mac_mls_dominate_effective(obj, subj)) + if (!mls_dominate_effective(obj, subj)) return (EACCES); /* XXX: protect the MAC EA in a special way? */ 
@@ -2725,327 +2716,327 @@ mac_mls_vnode_check_setextattr(struct ucred *cred, struct vnode *vp, } static int -mac_mls_vnode_check_setflags(struct ucred *cred, struct vnode *vp, +mls_vnode_check_setflags(struct ucred *cred, struct vnode *vp, struct label *vplabel, u_long flags) { struct mac_mls *subj, *obj; - if (!mac_mls_enabled) + if (!mls_enabled) return (0); subj = SLOT(cred->cr_label); obj = SLOT(vplabel); - if (!mac_mls_dominate_effective(obj, subj)) + if (!mls_dominate_effective(obj, subj)) return (EACCES); return (0); } static int -mac_mls_vnode_check_setmode(struct ucred *cred, struct vnode *vp, +mls_vnode_check_setmode(struct ucred *cred, struct vnode *vp, struct label *vplabel, mode_t mode) { struct mac_mls *subj, *obj; - if (!mac_mls_enabled) + if (!mls_enabled) return (0); subj = SLOT(cred->cr_label); obj = SLOT(vplabel); - if (!mac_mls_dominate_effective(obj, subj)) + if (!mls_dominate_effective(obj, subj)) return (EACCES); return (0); } static int -mac_mls_vnode_check_setowner(struct ucred *cred, struct vnode *vp, +mls_vnode_check_setowner(struct ucred *cred, struct vnode *vp, struct label *vplabel, uid_t uid, gid_t gid) { struct mac_mls *subj, *obj; - if (!mac_mls_enabled) + if (!mls_enabled) return (0); subj = SLOT(cred->cr_label); obj = SLOT(vplabel); - if (!mac_mls_dominate_effective(obj, subj)) + if (!mls_dominate_effective(obj, subj)) return (EACCES); return (0); } static int -mac_mls_vnode_check_setutimes(struct ucred *cred, struct vnode *vp, +mls_vnode_check_setutimes(struct ucred *cred, struct vnode *vp, struct label *vplabel, struct timespec atime, struct timespec mtime) { struct mac_mls *subj, *obj; - if (!mac_mls_enabled) + if (!mls_enabled) return (0); subj = SLOT(cred->cr_label); obj = SLOT(vplabel); - if (!mac_mls_dominate_effective(obj, subj)) + if (!mls_dominate_effective(obj, subj)) return (EACCES); return (0); } static int -mac_mls_vnode_check_stat(struct ucred *active_cred, struct ucred *file_cred, +mls_vnode_check_stat(struct ucred 
*active_cred, struct ucred *file_cred, struct vnode *vp, struct label *vplabel) { struct mac_mls *subj, *obj; - if (!mac_mls_enabled) + if (!mls_enabled) return (0); subj = SLOT(active_cred->cr_label); obj = SLOT(vplabel); - if (!mac_mls_dominate_effective(subj, obj)) + if (!mls_dominate_effective(subj, obj)) return (EACCES); return (0); } static int -mac_mls_vnode_check_unlink(struct ucred *cred, struct vnode *dvp, +mls_vnode_check_unlink(struct ucred *cred, struct vnode *dvp, struct label *dvplabel, struct vnode *vp, struct label *vplabel, struct componentname *cnp) { struct mac_mls *subj, *obj; - if (!mac_mls_enabled) + if (!mls_enabled) return (0); subj = SLOT(cred->cr_label); obj = SLOT(dvplabel); - if (!mac_mls_dominate_effective(obj, subj)) + if (!mls_dominate_effective(obj, subj)) return (EACCES); obj = SLOT(vplabel); - if (!mac_mls_dominate_effective(obj, subj)) + if (!mls_dominate_effective(obj, subj)) return (EACCES); return (0); } static int -mac_mls_vnode_check_write(struct ucred *active_cred, struct ucred *file_cred, +mls_vnode_check_write(struct ucred *active_cred, struct ucred *file_cred, struct vnode *vp, struct label *vplabel) { struct mac_mls *subj, *obj; - if (!mac_mls_enabled || !revocation_enabled) + if (!mls_enabled || !revocation_enabled) return (0); subj = SLOT(active_cred->cr_label); obj = SLOT(vplabel); - if (!mac_mls_dominate_effective(obj, subj)) + if (!mls_dominate_effective(obj, subj)) return (EACCES); return (0); } static void -mac_mls_associate_nfsd_label(struct ucred *cred) +mls_associate_nfsd_label(struct ucred *cred) { struct mac_mls *label; label = SLOT(cred->cr_label); - mac_mls_set_effective(label, MAC_MLS_TYPE_LOW, 0, NULL); - mac_mls_set_range(label, MAC_MLS_TYPE_LOW, 0, NULL, - MAC_MLS_TYPE_HIGH, 0, NULL); -} - -static struct mac_policy_ops mac_mls_ops = -{ - .mpo_init = mac_mls_init, - .mpo_bpfdesc_init_label = mac_mls_init_label, - .mpo_cred_init_label = mac_mls_init_label, - .mpo_devfs_init_label = mac_mls_init_label, - 
.mpo_ifnet_init_label = mac_mls_init_label,
- .mpo_inpcb_init_label = mac_mls_init_label_waitcheck,
- .mpo_init_syncache_label = mac_mls_init_label_waitcheck,
- .mpo_sysvmsg_init_label = mac_mls_init_label,
- .mpo_sysvmsq_init_label = mac_mls_init_label,
- .mpo_sysvsem_init_label = mac_mls_init_label,
- .mpo_sysvshm_init_label = mac_mls_init_label,
- .mpo_ipq_init_label = mac_mls_init_label_waitcheck,
- .mpo_mbuf_init_label = mac_mls_init_label_waitcheck,
- .mpo_mount_init_label = mac_mls_init_label,
- .mpo_pipe_init_label = mac_mls_init_label,
- .mpo_posixsem_init_label = mac_mls_init_label,
- .mpo_socket_init_label = mac_mls_init_label_waitcheck,
- .mpo_socketpeer_init_label = mac_mls_init_label_waitcheck,
- .mpo_vnode_init_label = mac_mls_init_label,
- .mpo_bpfdesc_destroy_label = mac_mls_destroy_label,
- .mpo_cred_destroy_label = mac_mls_destroy_label,
- .mpo_devfs_destroy_label = mac_mls_destroy_label,
- .mpo_ifnet_destroy_label = mac_mls_destroy_label,
- .mpo_inpcb_destroy_label = mac_mls_destroy_label,
- .mpo_destroy_syncache_label = mac_mls_destroy_label,
- .mpo_sysvmsg_destroy_label = mac_mls_destroy_label,
- .mpo_sysvmsq_destroy_label = mac_mls_destroy_label,
- .mpo_sysvsem_destroy_label = mac_mls_destroy_label,
- .mpo_sysvshm_destroy_label = mac_mls_destroy_label,
- .mpo_ipq_destroy_label = mac_mls_destroy_label,
- .mpo_mbuf_destroy_label = mac_mls_destroy_label,
- .mpo_mount_destroy_label = mac_mls_destroy_label,
- .mpo_pipe_destroy_label = mac_mls_destroy_label,
- .mpo_posixsem_destroy_label = mac_mls_destroy_label,
- .mpo_socket_destroy_label = mac_mls_destroy_label,
- .mpo_socketpeer_destroy_label = mac_mls_destroy_label,
- .mpo_vnode_destroy_label = mac_mls_destroy_label,
- .mpo_cred_copy_label = mac_mls_copy_label,
- .mpo_ifnet_copy_label = mac_mls_copy_label,
- .mpo_mbuf_copy_label = mac_mls_copy_label,
- .mpo_pipe_copy_label = mac_mls_copy_label,
- .mpo_socket_copy_label = mac_mls_copy_label,
- .mpo_vnode_copy_label = mac_mls_copy_label,
- .mpo_cred_externalize_label = mac_mls_externalize_label,
- .mpo_ifnet_externalize_label = mac_mls_externalize_label,
- .mpo_pipe_externalize_label = mac_mls_externalize_label,
- .mpo_socket_externalize_label = mac_mls_externalize_label,
- .mpo_socketpeer_externalize_label = mac_mls_externalize_label,
- .mpo_vnode_externalize_label = mac_mls_externalize_label,
- .mpo_cred_internalize_label = mac_mls_internalize_label,
- .mpo_ifnet_internalize_label = mac_mls_internalize_label,
- .mpo_pipe_internalize_label = mac_mls_internalize_label,
- .mpo_socket_internalize_label = mac_mls_internalize_label,
- .mpo_vnode_internalize_label = mac_mls_internalize_label,
- .mpo_devfs_create_device = mac_mls_devfs_create_device,
- .mpo_devfs_create_directory = mac_mls_devfs_create_directory,
- .mpo_devfs_create_symlink = mac_mls_devfs_create_symlink,
- .mpo_mount_create = mac_mls_mount_create,
- .mpo_vnode_relabel = mac_mls_vnode_relabel,
- .mpo_devfs_update = mac_mls_devfs_update,
- .mpo_devfs_vnode_associate = mac_mls_devfs_vnode_associate,
- .mpo_vnode_associate_extattr = mac_mls_vnode_associate_extattr,
- .mpo_vnode_associate_singlelabel = mac_mls_vnode_associate_singlelabel,
- .mpo_vnode_create_extattr = mac_mls_vnode_create_extattr,
- .mpo_vnode_setlabel_extattr = mac_mls_vnode_setlabel_extattr,
- .mpo_socket_create_mbuf = mac_mls_socket_create_mbuf,
- .mpo_create_mbuf_from_syncache = mac_mls_create_mbuf_from_syncache,
- .mpo_pipe_create = mac_mls_pipe_create,
- .mpo_posixsem_create = mac_mls_posixsem_create,
- .mpo_socket_create = mac_mls_socket_create,
- .mpo_socket_newconn = mac_mls_socket_newconn,
- .mpo_pipe_relabel = mac_mls_pipe_relabel,
- .mpo_socket_relabel = mac_mls_socket_relabel,
- .mpo_socketpeer_set_from_mbuf = mac_mls_socketpeer_set_from_mbuf,
- .mpo_socketpeer_set_from_socket = mac_mls_socketpeer_set_from_socket,
- .mpo_bpfdesc_create = mac_mls_bpfdesc_create,
- .mpo_ipq_reassemble = mac_mls_ipq_reassemble,
- .mpo_netinet_fragment = mac_mls_netinet_fragment,
- .mpo_ifnet_create = mac_mls_ifnet_create,
- .mpo_inpcb_create = mac_mls_inpcb_create,
- .mpo_init_syncache_from_inpcb = mac_mls_init_syncache_from_inpcb,
- .mpo_ipq_create = mac_mls_ipq_create,
- .mpo_sysvmsg_create = mac_mls_sysvmsg_create,
- .mpo_sysvmsq_create = mac_mls_sysvmsq_create,
- .mpo_sysvsem_create = mac_mls_sysvsem_create,
- .mpo_sysvshm_create = mac_mls_sysvshm_create,
- .mpo_inpcb_create_mbuf = mac_mls_inpcb_create_mbuf,
- .mpo_create_mbuf_linklayer = mac_mls_create_mbuf_linklayer,
- .mpo_bpfdesc_create_mbuf = mac_mls_bpfdesc_create_mbuf,
- .mpo_ifnet_create_mbuf = mac_mls_ifnet_create_mbuf,
- .mpo_mbuf_create_multicast_encap = mac_mls_mbuf_create_multicast_encap,
- .mpo_mbuf_create_netlayer = mac_mls_mbuf_create_netlayer,
- .mpo_ipq_match = mac_mls_ipq_match,
- .mpo_ifnet_relabel = mac_mls_ifnet_relabel,
- .mpo_ipq_update = mac_mls_ipq_update,
- .mpo_inpcb_sosetlabel = mac_mls_inpcb_sosetlabel,
- .mpo_proc_create_swapper = mac_mls_proc_create_swapper,
- .mpo_proc_create_init = mac_mls_proc_create_init,
- .mpo_cred_relabel = mac_mls_cred_relabel,
- .mpo_sysvmsg_cleanup = mac_mls_sysvmsg_cleanup,
- .mpo_sysvmsq_cleanup = mac_mls_sysvmsq_cleanup,
- .mpo_sysvsem_cleanup = mac_mls_sysvsem_cleanup,
- .mpo_sysvshm_cleanup = mac_mls_sysvshm_cleanup,
- .mpo_bpfdesc_check_receive = mac_mls_bpfdesc_check_receive,
- .mpo_cred_check_relabel = mac_mls_cred_check_relabel,
- .mpo_cred_check_visible = mac_mls_cred_check_visible,
- .mpo_ifnet_check_relabel = mac_mls_ifnet_check_relabel,
- .mpo_ifnet_check_transmit = mac_mls_ifnet_check_transmit,
- .mpo_inpcb_check_deliver = mac_mls_inpcb_check_deliver,
- .mpo_sysvmsq_check_msgrcv = mac_mls_sysvmsq_check_msgrcv,
- .mpo_sysvmsq_check_msgrmid = mac_mls_sysvmsq_check_msgrmid,
- .mpo_sysvmsq_check_msqget = mac_mls_sysvmsq_check_msqget,
- .mpo_sysvmsq_check_msqsnd = mac_mls_sysvmsq_check_msqsnd,
- .mpo_sysvmsq_check_msqrcv = mac_mls_sysvmsq_check_msqrcv,
- .mpo_sysvmsq_check_msqctl = mac_mls_sysvmsq_check_msqctl,
- .mpo_sysvsem_check_semctl = mac_mls_sysvsem_check_semctl,
- .mpo_sysvsem_check_semget = mac_mls_sysvsem_check_semget,
- .mpo_sysvsem_check_semop = mac_mls_sysvsem_check_semop,
- .mpo_sysvshm_check_shmat = mac_mls_sysvshm_check_shmat,
- .mpo_sysvshm_check_shmctl = mac_mls_sysvshm_check_shmctl,
- .mpo_sysvshm_check_shmget = mac_mls_sysvshm_check_shmget,
- .mpo_mount_check_stat = mac_mls_mount_check_stat,
- .mpo_pipe_check_ioctl = mac_mls_pipe_check_ioctl,
- .mpo_pipe_check_poll = mac_mls_pipe_check_poll,
- .mpo_pipe_check_read = mac_mls_pipe_check_read,
- .mpo_pipe_check_relabel = mac_mls_pipe_check_relabel,
- .mpo_pipe_check_stat = mac_mls_pipe_check_stat,
- .mpo_pipe_check_write = mac_mls_pipe_check_write,
- .mpo_posixsem_check_destroy = mac_mls_posixsem_check_write,
- .mpo_posixsem_check_getvalue = mac_mls_posixsem_check_rdonly,
- .mpo_posixsem_check_open = mac_mls_posixsem_check_write,
- .mpo_posixsem_check_post = mac_mls_posixsem_check_write,
- .mpo_posixsem_check_unlink = mac_mls_posixsem_check_write,
- .mpo_posixsem_check_wait = mac_mls_posixsem_check_write,
- .mpo_proc_check_debug = mac_mls_proc_check_debug,
- .mpo_proc_check_sched = mac_mls_proc_check_sched,
- .mpo_proc_check_signal = mac_mls_proc_check_signal,
- .mpo_socket_check_deliver = mac_mls_socket_check_deliver,
- .mpo_socket_check_relabel = mac_mls_socket_check_relabel,
- .mpo_socket_check_visible = mac_mls_socket_check_visible,
- .mpo_system_check_acct = mac_mls_system_check_acct,
- .mpo_system_check_auditctl = mac_mls_system_check_auditctl,
- .mpo_system_check_swapon = mac_mls_system_check_swapon,
- .mpo_vnode_check_access = mac_mls_vnode_check_open,
- .mpo_vnode_check_chdir = mac_mls_vnode_check_chdir,
- .mpo_vnode_check_chroot = mac_mls_vnode_check_chroot,
- .mpo_vnode_check_create = mac_mls_vnode_check_create,
- .mpo_vnode_check_deleteacl = mac_mls_vnode_check_deleteacl,
- .mpo_vnode_check_deleteextattr = mac_mls_vnode_check_deleteextattr,
- .mpo_vnode_check_exec = mac_mls_vnode_check_exec,
- .mpo_vnode_check_getacl = mac_mls_vnode_check_getacl,
- .mpo_vnode_check_getextattr = mac_mls_vnode_check_getextattr,
- .mpo_vnode_check_link = mac_mls_vnode_check_link,
- .mpo_vnode_check_listextattr = mac_mls_vnode_check_listextattr,
- .mpo_vnode_check_lookup = mac_mls_vnode_check_lookup,
- .mpo_vnode_check_mmap = mac_mls_vnode_check_mmap,
- .mpo_vnode_check_open = mac_mls_vnode_check_open,
- .mpo_vnode_check_poll = mac_mls_vnode_check_poll,
- .mpo_vnode_check_read = mac_mls_vnode_check_read,
- .mpo_vnode_check_readdir = mac_mls_vnode_check_readdir,
- .mpo_vnode_check_readlink = mac_mls_vnode_check_readlink,
- .mpo_vnode_check_relabel = mac_mls_vnode_check_relabel,
- .mpo_vnode_check_rename_from = mac_mls_vnode_check_rename_from,
- .mpo_vnode_check_rename_to = mac_mls_vnode_check_rename_to,
- .mpo_vnode_check_revoke = mac_mls_vnode_check_revoke,
- .mpo_vnode_check_setacl = mac_mls_vnode_check_setacl,
- .mpo_vnode_check_setextattr = mac_mls_vnode_check_setextattr,
- .mpo_vnode_check_setflags = mac_mls_vnode_check_setflags,
- .mpo_vnode_check_setmode = mac_mls_vnode_check_setmode,
- .mpo_vnode_check_setowner = mac_mls_vnode_check_setowner,
- .mpo_vnode_check_setutimes = mac_mls_vnode_check_setutimes,
- .mpo_vnode_check_stat = mac_mls_vnode_check_stat,
- .mpo_vnode_check_unlink = mac_mls_vnode_check_unlink,
- .mpo_vnode_check_write = mac_mls_vnode_check_write,
- .mpo_associate_nfsd_label = mac_mls_associate_nfsd_label,
- .mpo_mbuf_create_from_firewall = mac_mls_mbuf_create_from_firewall,
+ mls_set_effective(label, MAC_MLS_TYPE_LOW, 0, NULL);
+ mls_set_range(label, MAC_MLS_TYPE_LOW, 0, NULL, MAC_MLS_TYPE_HIGH, 0,
+ NULL);
+}
+
+static struct mac_policy_ops mls_ops =
+{
+ .mpo_init = mls_init,
+ .mpo_bpfdesc_init_label = mls_init_label,
+ .mpo_cred_init_label = mls_init_label,
+ .mpo_devfs_init_label = mls_init_label,
+ .mpo_ifnet_init_label = mls_init_label,
+ .mpo_inpcb_init_label = mls_init_label_waitcheck,
+ .mpo_init_syncache_label = mls_init_label_waitcheck,
+ .mpo_sysvmsg_init_label = mls_init_label,
+ .mpo_sysvmsq_init_label = mls_init_label,
+ .mpo_sysvsem_init_label = mls_init_label,
+ .mpo_sysvshm_init_label = mls_init_label,
+ .mpo_ipq_init_label = mls_init_label_waitcheck,
+ .mpo_mbuf_init_label = mls_init_label_waitcheck,
+ .mpo_mount_init_label = mls_init_label,
+ .mpo_pipe_init_label = mls_init_label,
+ .mpo_posixsem_init_label = mls_init_label,
+ .mpo_socket_init_label = mls_init_label_waitcheck,
+ .mpo_socketpeer_init_label = mls_init_label_waitcheck,
+ .mpo_vnode_init_label = mls_init_label,
+ .mpo_bpfdesc_destroy_label = mls_destroy_label,
+ .mpo_cred_destroy_label = mls_destroy_label,
+ .mpo_devfs_destroy_label = mls_destroy_label,
+ .mpo_ifnet_destroy_label = mls_destroy_label,
+ .mpo_inpcb_destroy_label = mls_destroy_label,
+ .mpo_destroy_syncache_label = mls_destroy_label,
+ .mpo_sysvmsg_destroy_label = mls_destroy_label,
+ .mpo_sysvmsq_destroy_label = mls_destroy_label,
+ .mpo_sysvsem_destroy_label = mls_destroy_label,
+ .mpo_sysvshm_destroy_label = mls_destroy_label,
+ .mpo_ipq_destroy_label = mls_destroy_label,
+ .mpo_mbuf_destroy_label = mls_destroy_label,
+ .mpo_mount_destroy_label = mls_destroy_label,
+ .mpo_pipe_destroy_label = mls_destroy_label,
+ .mpo_posixsem_destroy_label = mls_destroy_label,
+ .mpo_socket_destroy_label = mls_destroy_label,
+ .mpo_socketpeer_destroy_label = mls_destroy_label,
+ .mpo_vnode_destroy_label = mls_destroy_label,
+ .mpo_cred_copy_label = mls_copy_label,
+ .mpo_ifnet_copy_label = mls_copy_label,
+ .mpo_mbuf_copy_label = mls_copy_label,
+ .mpo_pipe_copy_label = mls_copy_label,
+ .mpo_socket_copy_label = mls_copy_label,
+ .mpo_vnode_copy_label = mls_copy_label,
+ .mpo_cred_externalize_label = mls_externalize_label,
+ .mpo_ifnet_externalize_label = mls_externalize_label,
+ .mpo_pipe_externalize_label = mls_externalize_label,
+ .mpo_socket_externalize_label = mls_externalize_label,
+ .mpo_socketpeer_externalize_label = mls_externalize_label,
+ .mpo_vnode_externalize_label = mls_externalize_label,
+ .mpo_cred_internalize_label = mls_internalize_label,
+ .mpo_ifnet_internalize_label = mls_internalize_label,
+ .mpo_pipe_internalize_label = mls_internalize_label,
+ .mpo_socket_internalize_label = mls_internalize_label,
+ .mpo_vnode_internalize_label = mls_internalize_label,
+ .mpo_devfs_create_device = mls_devfs_create_device,
+ .mpo_devfs_create_directory = mls_devfs_create_directory,
+ .mpo_devfs_create_symlink = mls_devfs_create_symlink,
+ .mpo_mount_create = mls_mount_create,
+ .mpo_vnode_relabel = mls_vnode_relabel,
+ .mpo_devfs_update = mls_devfs_update,
+ .mpo_devfs_vnode_associate = mls_devfs_vnode_associate,
+ .mpo_vnode_associate_extattr = mls_vnode_associate_extattr,
+ .mpo_vnode_associate_singlelabel = mls_vnode_associate_singlelabel,
+ .mpo_vnode_create_extattr = mls_vnode_create_extattr,
+ .mpo_vnode_setlabel_extattr = mls_vnode_setlabel_extattr,
+ .mpo_socket_create_mbuf = mls_socket_create_mbuf,
+ .mpo_create_mbuf_from_syncache = mls_create_mbuf_from_syncache,
+ .mpo_pipe_create = mls_pipe_create,
+ .mpo_posixsem_create = mls_posixsem_create,
+ .mpo_socket_create = mls_socket_create,
+ .mpo_socket_newconn = mls_socket_newconn,
+ .mpo_pipe_relabel = mls_pipe_relabel,
+ .mpo_socket_relabel = mls_socket_relabel,
+ .mpo_socketpeer_set_from_mbuf = mls_socketpeer_set_from_mbuf,
+ .mpo_socketpeer_set_from_socket = mls_socketpeer_set_from_socket,
+ .mpo_bpfdesc_create = mls_bpfdesc_create,
+ .mpo_ipq_reassemble = mls_ipq_reassemble,
+ .mpo_netinet_fragment = mls_netinet_fragment,
+ .mpo_ifnet_create = mls_ifnet_create,
+ .mpo_inpcb_create = mls_inpcb_create,
+ .mpo_init_syncache_from_inpcb = mls_init_syncache_from_inpcb,
+ .mpo_ipq_create = mls_ipq_create,
+ .mpo_sysvmsg_create = mls_sysvmsg_create,
+ .mpo_sysvmsq_create = mls_sysvmsq_create,
+ .mpo_sysvsem_create = mls_sysvsem_create,
+ .mpo_sysvshm_create = mls_sysvshm_create,
+ .mpo_inpcb_create_mbuf = mls_inpcb_create_mbuf,
+ .mpo_create_mbuf_linklayer = mls_create_mbuf_linklayer,
+ .mpo_bpfdesc_create_mbuf = mls_bpfdesc_create_mbuf,
+ .mpo_ifnet_create_mbuf = mls_ifnet_create_mbuf,
+ .mpo_mbuf_create_multicast_encap = mls_mbuf_create_multicast_encap,
+ .mpo_mbuf_create_netlayer = mls_mbuf_create_netlayer,
+ .mpo_ipq_match = mls_ipq_match,
+ .mpo_ifnet_relabel = mls_ifnet_relabel,
+ .mpo_ipq_update = mls_ipq_update,
+ .mpo_inpcb_sosetlabel = mls_inpcb_sosetlabel,
+ .mpo_proc_create_swapper = mls_proc_create_swapper,
+ .mpo_proc_create_init = mls_proc_create_init,
+ .mpo_cred_relabel = mls_cred_relabel,
+ .mpo_sysvmsg_cleanup = mls_sysvmsg_cleanup,
+ .mpo_sysvmsq_cleanup = mls_sysvmsq_cleanup,
+ .mpo_sysvsem_cleanup = mls_sysvsem_cleanup,
+ .mpo_sysvshm_cleanup = mls_sysvshm_cleanup,
+ .mpo_bpfdesc_check_receive = mls_bpfdesc_check_receive,
+ .mpo_cred_check_relabel = mls_cred_check_relabel,
+ .mpo_cred_check_visible = mls_cred_check_visible,
+ .mpo_ifnet_check_relabel = mls_ifnet_check_relabel,
+ .mpo_ifnet_check_transmit = mls_ifnet_check_transmit,
+ .mpo_inpcb_check_deliver = mls_inpcb_check_deliver,
+ .mpo_sysvmsq_check_msgrcv = mls_sysvmsq_check_msgrcv,
+ .mpo_sysvmsq_check_msgrmid = mls_sysvmsq_check_msgrmid,
+ .mpo_sysvmsq_check_msqget = mls_sysvmsq_check_msqget,
+ .mpo_sysvmsq_check_msqsnd = mls_sysvmsq_check_msqsnd,
+ .mpo_sysvmsq_check_msqrcv = mls_sysvmsq_check_msqrcv,
+ .mpo_sysvmsq_check_msqctl = mls_sysvmsq_check_msqctl,
+ .mpo_sysvsem_check_semctl = mls_sysvsem_check_semctl,
+ .mpo_sysvsem_check_semget = mls_sysvsem_check_semget,
+ .mpo_sysvsem_check_semop = mls_sysvsem_check_semop,
+ .mpo_sysvshm_check_shmat = mls_sysvshm_check_shmat,
+ .mpo_sysvshm_check_shmctl = mls_sysvshm_check_shmctl,
+ .mpo_sysvshm_check_shmget = mls_sysvshm_check_shmget,
+ .mpo_mount_check_stat = mls_mount_check_stat,
+ .mpo_pipe_check_ioctl = mls_pipe_check_ioctl,
+ .mpo_pipe_check_poll = mls_pipe_check_poll,
+ .mpo_pipe_check_read = mls_pipe_check_read,
+ .mpo_pipe_check_relabel = mls_pipe_check_relabel,
+ .mpo_pipe_check_stat = mls_pipe_check_stat,
+ .mpo_pipe_check_write = mls_pipe_check_write,
+ .mpo_posixsem_check_destroy = mls_posixsem_check_write,
+ .mpo_posixsem_check_getvalue = mls_posixsem_check_rdonly,
+ .mpo_posixsem_check_open = mls_posixsem_check_write,
+ .mpo_posixsem_check_post = mls_posixsem_check_write,
+ .mpo_posixsem_check_unlink = mls_posixsem_check_write,
+ .mpo_posixsem_check_wait = mls_posixsem_check_write,
+ .mpo_proc_check_debug = mls_proc_check_debug,
+ .mpo_proc_check_sched = mls_proc_check_sched,
+ .mpo_proc_check_signal = mls_proc_check_signal,
+ .mpo_socket_check_deliver = mls_socket_check_deliver,
+ .mpo_socket_check_relabel = mls_socket_check_relabel,
+ .mpo_socket_check_visible = mls_socket_check_visible,
+ .mpo_system_check_acct = mls_system_check_acct,
+ .mpo_system_check_auditctl = mls_system_check_auditctl,
+ .mpo_system_check_swapon = mls_system_check_swapon,
+ .mpo_vnode_check_access = mls_vnode_check_open,
+ .mpo_vnode_check_chdir = mls_vnode_check_chdir,
+ .mpo_vnode_check_chroot = mls_vnode_check_chroot,
+ .mpo_vnode_check_create = mls_vnode_check_create,
+ .mpo_vnode_check_deleteacl = mls_vnode_check_deleteacl,
+ .mpo_vnode_check_deleteextattr = mls_vnode_check_deleteextattr,
+ .mpo_vnode_check_exec = mls_vnode_check_exec,
+ .mpo_vnode_check_getacl = mls_vnode_check_getacl,
+ .mpo_vnode_check_getextattr = mls_vnode_check_getextattr,
+ .mpo_vnode_check_link = mls_vnode_check_link,
+ .mpo_vnode_check_listextattr = mls_vnode_check_listextattr,
+ .mpo_vnode_check_lookup = mls_vnode_check_lookup,
+ .mpo_vnode_check_mmap = mls_vnode_check_mmap,
+ .mpo_vnode_check_open = mls_vnode_check_open,
+ .mpo_vnode_check_poll = mls_vnode_check_poll,
+ .mpo_vnode_check_read = mls_vnode_check_read,
+ .mpo_vnode_check_readdir = mls_vnode_check_readdir,
+ .mpo_vnode_check_readlink = mls_vnode_check_readlink,
+ .mpo_vnode_check_relabel = mls_vnode_check_relabel,
+ .mpo_vnode_check_rename_from = 
mls_vnode_check_rename_from, + .mpo_vnode_check_rename_to = mls_vnode_check_rename_to, + .mpo_vnode_check_revoke = mls_vnode_check_revoke, + .mpo_vnode_check_setacl = mls_vnode_check_setacl, + .mpo_vnode_check_setextattr = mls_vnode_check_setextattr, + .mpo_vnode_check_setflags = mls_vnode_check_setflags, + .mpo_vnode_check_setmode = mls_vnode_check_setmode, + .mpo_vnode_check_setowner = mls_vnode_check_setowner, + .mpo_vnode_check_setutimes = mls_vnode_check_setutimes, + .mpo_vnode_check_stat = mls_vnode_check_stat, + .mpo_vnode_check_unlink = mls_vnode_check_unlink, + .mpo_vnode_check_write = mls_vnode_check_write, + .mpo_associate_nfsd_label = mls_associate_nfsd_label, + .mpo_mbuf_create_from_firewall = mls_mbuf_create_from_firewall, }; -MAC_POLICY_SET(&mac_mls_ops, mac_mls, "TrustedBSD MAC/MLS", - MPC_LOADTIME_FLAG_NOTLATE | MPC_LOADTIME_FLAG_LABELMBUFS, &mac_mls_slot); +MAC_POLICY_SET(&mls_ops, mac_mls, "TrustedBSD MAC/MLS", + MPC_LOADTIME_FLAG_NOTLATE | MPC_LOADTIME_FLAG_LABELMBUFS, &mls_slot); |