author | rwatson <rwatson@FreeBSD.org> | 2003-03-26 15:12:03 +0000 |
---|---|---|
committer | rwatson <rwatson@FreeBSD.org> | 2003-03-26 15:12:03 +0000 |
commit | e5680de54abac941f9b0f099aec14f24e493feb4 (patch) | |
tree | edbc245cbca8647afd1e19854b10c0489fdc26fe /sys/security | |
parent | 8b9c7fb58f9ec620d4ec3143b3463523a89f2d9d (diff) | |
Modify the mac_init_ipq() MAC Framework entry point to accept an
additional flags argument to indicate blocking disposition, and
pass in M_NOWAIT from the IP reassembly code to indicate that
blocking is not OK when labeling a new IP fragment reassembly
queue. This should eliminate some of the WITNESS warnings that
have started popping up since fine-grained IP stack locking
started going in; if memory allocation fails, the creation of
the fragment queue will be aborted.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
Diffstat (limited to 'sys/security')
-rw-r--r-- | sys/security/mac/mac_framework.c | 16 | ||||
-rw-r--r-- | sys/security/mac/mac_framework.h | 2 | ||||
-rw-r--r-- | sys/security/mac/mac_internal.h | 16 | ||||
-rw-r--r-- | sys/security/mac/mac_net.c | 16 | ||||
-rw-r--r-- | sys/security/mac/mac_pipe.c | 16 | ||||
-rw-r--r-- | sys/security/mac/mac_policy.h | 2 | ||||
-rw-r--r-- | sys/security/mac/mac_process.c | 16 | ||||
-rw-r--r-- | sys/security/mac/mac_syscalls.c | 16 | ||||
-rw-r--r-- | sys/security/mac/mac_system.c | 16 | ||||
-rw-r--r-- | sys/security/mac/mac_vfs.c | 16 | ||||
-rw-r--r-- | sys/security/mac_biba/mac_biba.c | 2 | ||||
-rw-r--r-- | sys/security/mac_lomac/mac_lomac.c | 2 | ||||
-rw-r--r-- | sys/security/mac_mls/mac_mls.c | 2 | ||||
-rw-r--r-- | sys/security/mac_none/mac_none.c | 2 | ||||
-rw-r--r-- | sys/security/mac_stub/mac_stub.c | 2 | ||||
-rw-r--r-- | sys/security/mac_test/mac_test.c | 5 |
16 files changed, 106 insertions, 41 deletions
diff --git a/sys/security/mac/mac_framework.c b/sys/security/mac/mac_framework.c index 6b2e653..17b37d8 100644 --- a/sys/security/mac/mac_framework.c +++ b/sys/security/mac/mac_framework.c @@ -697,15 +697,23 @@ mac_init_ifnet(struct ifnet *ifp) mac_init_ifnet_label(&ifp->if_label); } -void -mac_init_ipq(struct ipq *ipq) +int +mac_init_ipq(struct ipq *ipq, int flag) { + int error; mac_init_label(&ipq->ipq_label); - MAC_PERFORM(init_ipq_label, &ipq->ipq_label); + + MAC_CHECK(init_ipq_label, &ipq->ipq_label, flag); + if (error) { + MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label); + mac_destroy_label(&ipq->ipq_label); + } #ifdef MAC_DEBUG - atomic_add_int(&nmacipqs, 1); + if (error == 0) + atomic_add_int(&nmacipqs, 1); #endif + return (error); } int diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h index b12ba2a..3cc856d 100644 --- a/sys/security/mac/mac_framework.h +++ b/sys/security/mac/mac_framework.h @@ -133,7 +133,7 @@ void mac_init_bpfdesc(struct bpf_d *); void mac_init_cred(struct ucred *); void mac_init_devfsdirent(struct devfs_dirent *); void mac_init_ifnet(struct ifnet *); -void mac_init_ipq(struct ipq *); +int mac_init_ipq(struct ipq *, int flag); int mac_init_socket(struct socket *, int flag); void mac_init_pipe(struct pipe *); int mac_init_mbuf(struct mbuf *m, int flag); diff --git a/sys/security/mac/mac_internal.h b/sys/security/mac/mac_internal.h index 6b2e653..17b37d8 100644 --- a/sys/security/mac/mac_internal.h +++ b/sys/security/mac/mac_internal.h 
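Review bot: On the failure path of mac_init_ipq(), `MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label)` invokes every policy's destroy hook, including any policy whose `init_ipq_label` failed or possibly never ran. Every destroy hook therefore has to tolerate a slot that init did not fill in, and how MAC_CHECK composes errors across policies is defined outside this hunk. `error` is never assigned in the visible body, so it is presumably set inside MAC_CHECK. A comment such as `/* MAC_CHECK() assigns 'error'; on failure the label has already been destroyed here, so the caller must abort queue creation and not destroy it again. */` would state both contracts. The return value is new, so the IP reassembly caller (not in this diffstat) has to check it; otherwise a fragment queue would carry a destroyed label into later policy checks. The same hunk is repeated for mac_internal.h, mac_net.c, mac_pipe.c, mac_process.c, mac_syscalls.c, mac_system.c and mac_vfs.c, and the point applies to each.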
@@ -697,15 +697,23 @@ mac_init_ifnet(struct ifnet *ifp) mac_init_ifnet_label(&ifp->if_label); } -void -mac_init_ipq(struct ipq *ipq) +int +mac_init_ipq(struct ipq *ipq, int flag) { + int error; mac_init_label(&ipq->ipq_label); - MAC_PERFORM(init_ipq_label, &ipq->ipq_label); + + MAC_CHECK(init_ipq_label, &ipq->ipq_label, flag); + if (error) { + MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label); + mac_destroy_label(&ipq->ipq_label); + } #ifdef MAC_DEBUG - atomic_add_int(&nmacipqs, 1); + if (error == 0) + atomic_add_int(&nmacipqs, 1); #endif + return (error); } int diff --git a/sys/security/mac/mac_net.c b/sys/security/mac/mac_net.c index 6b2e653..17b37d8 100644 --- a/sys/security/mac/mac_net.c +++ b/sys/security/mac/mac_net.c @@ -697,15 +697,23 @@ mac_init_ifnet(struct ifnet *ifp) mac_init_ifnet_label(&ifp->if_label); } -void -mac_init_ipq(struct ipq *ipq) +int +mac_init_ipq(struct ipq *ipq, int flag) { + int error; mac_init_label(&ipq->ipq_label); - MAC_PERFORM(init_ipq_label, &ipq->ipq_label); + + MAC_CHECK(init_ipq_label, &ipq->ipq_label, flag); + if (error) { + MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label); + mac_destroy_label(&ipq->ipq_label); + } #ifdef MAC_DEBUG - atomic_add_int(&nmacipqs, 1); + if (error == 0) + atomic_add_int(&nmacipqs, 1); #endif + return (error); } int diff --git a/sys/security/mac/mac_pipe.c b/sys/security/mac/mac_pipe.c index 6b2e653..17b37d8 100644 --- a/sys/security/mac/mac_pipe.c +++ b/sys/security/mac/mac_pipe.c 
@@ -697,15 +697,23 @@ mac_init_ifnet(struct ifnet *ifp) mac_init_ifnet_label(&ifp->if_label); } -void -mac_init_ipq(struct ipq *ipq) +int +mac_init_ipq(struct ipq *ipq, int flag) { + int error; mac_init_label(&ipq->ipq_label); - MAC_PERFORM(init_ipq_label, &ipq->ipq_label); + + MAC_CHECK(init_ipq_label, &ipq->ipq_label, flag); + if (error) { + MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label); + mac_destroy_label(&ipq->ipq_label); + } #ifdef MAC_DEBUG - atomic_add_int(&nmacipqs, 1); + if (error == 0) + atomic_add_int(&nmacipqs, 1); #endif + return (error); } int diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h index d536f05..4e00577 100644 --- a/sys/security/mac/mac_policy.h +++ b/sys/security/mac/mac_policy.h @@ -73,7 +73,7 @@ struct mac_policy_ops { void (*mpo_init_cred_label)(struct label *label); void (*mpo_init_devfsdirent_label)(struct label *label); void (*mpo_init_ifnet_label)(struct label *label); - void (*mpo_init_ipq_label)(struct label *label); + int (*mpo_init_ipq_label)(struct label *label, int flag); int (*mpo_init_mbuf_label)(struct label *label, int flag); void (*mpo_init_mount_label)(struct label *label); void (*mpo_init_mount_fs_label)(struct label *label); diff --git a/sys/security/mac/mac_process.c b/sys/security/mac/mac_process.c index 6b2e653..17b37d8 100644 --- a/sys/security/mac/mac_process.c +++ b/sys/security/mac/mac_process.c @@ -697,15 +697,23 @@ mac_init_ifnet(struct ifnet *ifp) mac_init_ifnet_label(&ifp->if_label); } -void -mac_init_ipq(struct ipq *ipq) +int +mac_init_ipq(struct ipq *ipq, int flag) { + int error; mac_init_label(&ipq->ipq_label); - MAC_PERFORM(init_ipq_label, &ipq->ipq_label); + + MAC_CHECK(init_ipq_label, &ipq->ipq_label, flag); + if (error) { + MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label); + mac_destroy_label(&ipq->ipq_label); + } #ifdef MAC_DEBUG - atomic_add_int(&nmacipqs, 1); + if (error == 0) + atomic_add_int(&nmacipqs, 1); #endif + return (error); } int 
diff --git a/sys/security/mac/mac_syscalls.c b/sys/security/mac/mac_syscalls.c index 6b2e653..17b37d8 100644 --- a/sys/security/mac/mac_syscalls.c +++ b/sys/security/mac/mac_syscalls.c @@ -697,15 +697,23 @@ mac_init_ifnet(struct ifnet *ifp) mac_init_ifnet_label(&ifp->if_label); } -void -mac_init_ipq(struct ipq *ipq) +int +mac_init_ipq(struct ipq *ipq, int flag) { + int error; mac_init_label(&ipq->ipq_label); - MAC_PERFORM(init_ipq_label, &ipq->ipq_label); + + MAC_CHECK(init_ipq_label, &ipq->ipq_label, flag); + if (error) { + MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label); + mac_destroy_label(&ipq->ipq_label); + } #ifdef MAC_DEBUG - atomic_add_int(&nmacipqs, 1); + if (error == 0) + atomic_add_int(&nmacipqs, 1); #endif + return (error); } int diff --git a/sys/security/mac/mac_system.c b/sys/security/mac/mac_system.c index 6b2e653..17b37d8 100644 --- a/sys/security/mac/mac_system.c +++ b/sys/security/mac/mac_system.c @@ -697,15 +697,23 @@ mac_init_ifnet(struct ifnet *ifp) mac_init_ifnet_label(&ifp->if_label); } -void -mac_init_ipq(struct ipq *ipq) +int +mac_init_ipq(struct ipq *ipq, int flag) { + int error; mac_init_label(&ipq->ipq_label); - MAC_PERFORM(init_ipq_label, &ipq->ipq_label); + + MAC_CHECK(init_ipq_label, &ipq->ipq_label, flag); + if (error) { + MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label); + mac_destroy_label(&ipq->ipq_label); + } #ifdef MAC_DEBUG - atomic_add_int(&nmacipqs, 1); + if (error == 0) + atomic_add_int(&nmacipqs, 1); #endif + return (error); } int diff --git a/sys/security/mac/mac_vfs.c b/sys/security/mac/mac_vfs.c index 6b2e653..17b37d8 100644 --- a/sys/security/mac/mac_vfs.c +++ b/sys/security/mac/mac_vfs.c 
@@ -697,15 +697,23 @@ mac_init_ifnet(struct ifnet *ifp) mac_init_ifnet_label(&ifp->if_label); } -void -mac_init_ipq(struct ipq *ipq) +int +mac_init_ipq(struct ipq *ipq, int flag) { + int error; mac_init_label(&ipq->ipq_label); - MAC_PERFORM(init_ipq_label, &ipq->ipq_label); + + MAC_CHECK(init_ipq_label, &ipq->ipq_label, flag); + if (error) { + MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label); + mac_destroy_label(&ipq->ipq_label); + } #ifdef MAC_DEBUG - atomic_add_int(&nmacipqs, 1); + if (error == 0) + atomic_add_int(&nmacipqs, 1); #endif + return (error); } int diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c index 2b045e4..8f2efe4 100644 --- a/sys/security/mac_biba/mac_biba.c +++ b/sys/security/mac_biba/mac_biba.c @@ -2621,7 +2621,7 @@ static struct mac_policy_ops mac_biba_ops = .mpo_init_cred_label = mac_biba_init_label, .mpo_init_devfsdirent_label = mac_biba_init_label, .mpo_init_ifnet_label = mac_biba_init_label, - .mpo_init_ipq_label = mac_biba_init_label, + .mpo_init_ipq_label = mac_biba_init_label_waitcheck, .mpo_init_mbuf_label = mac_biba_init_label_waitcheck, .mpo_init_mount_label = mac_biba_init_label, .mpo_init_mount_fs_label = mac_biba_init_label, diff --git a/sys/security/mac_lomac/mac_lomac.c b/sys/security/mac_lomac/mac_lomac.c index ef11d63..0287ad2 100644 --- a/sys/security/mac_lomac/mac_lomac.c +++ b/sys/security/mac_lomac/mac_lomac.c @@ -2612,7 +2612,7 @@ static struct mac_policy_ops mac_lomac_ops = .mpo_init_cred_label = mac_lomac_init_label, .mpo_init_devfsdirent_label = mac_lomac_init_label, .mpo_init_ifnet_label = mac_lomac_init_label, - .mpo_init_ipq_label = mac_lomac_init_label, + .mpo_init_ipq_label = mac_lomac_init_label_waitcheck, .mpo_init_mbuf_label = mac_lomac_init_label_waitcheck, .mpo_init_mount_label = mac_lomac_init_label, .mpo_init_mount_fs_label = mac_lomac_init_label, diff --git a/sys/security/mac_mls/mac_mls.c b/sys/security/mac_mls/mac_mls.c index ed7ac61..0645cf9 100644 
--- a/sys/security/mac_mls/mac_mls.c +++ b/sys/security/mac_mls/mac_mls.c @@ -2384,7 +2384,7 @@ static struct mac_policy_ops mac_mls_ops = .mpo_init_cred_label = mac_mls_init_label, .mpo_init_devfsdirent_label = mac_mls_init_label, .mpo_init_ifnet_label = mac_mls_init_label, - .mpo_init_ipq_label = mac_mls_init_label, + .mpo_init_ipq_label = mac_mls_init_label_waitcheck, .mpo_init_mbuf_label = mac_mls_init_label_waitcheck, .mpo_init_mount_label = mac_mls_init_label, .mpo_init_mount_fs_label = mac_mls_init_label, diff --git a/sys/security/mac_none/mac_none.c b/sys/security/mac_none/mac_none.c index 482128a..5bb8a42 100644 --- a/sys/security/mac_none/mac_none.c +++ b/sys/security/mac_none/mac_none.c @@ -974,7 +974,7 @@ static struct mac_policy_ops mac_none_ops = .mpo_init_cred_label = mac_none_init_label, .mpo_init_devfsdirent_label = mac_none_init_label, .mpo_init_ifnet_label = mac_none_init_label, - .mpo_init_ipq_label = mac_none_init_label, + .mpo_init_ipq_label = mac_none_init_label_waitcheck, .mpo_init_mbuf_label = mac_none_init_label_waitcheck, .mpo_init_mount_label = mac_none_init_label, .mpo_init_mount_fs_label = mac_none_init_label, diff --git a/sys/security/mac_stub/mac_stub.c b/sys/security/mac_stub/mac_stub.c index 482128a..5bb8a42 100644 --- a/sys/security/mac_stub/mac_stub.c +++ b/sys/security/mac_stub/mac_stub.c @@ -974,7 +974,7 @@ static struct mac_policy_ops mac_none_ops = .mpo_init_cred_label = mac_none_init_label, .mpo_init_devfsdirent_label = mac_none_init_label, .mpo_init_ifnet_label = mac_none_init_label, - .mpo_init_ipq_label = mac_none_init_label, + .mpo_init_ipq_label = mac_none_init_label_waitcheck, .mpo_init_mbuf_label = mac_none_init_label_waitcheck, .mpo_init_mount_label = mac_none_init_label, .mpo_init_mount_fs_label = mac_none_init_label, diff --git a/sys/security/mac_test/mac_test.c b/sys/security/mac_test/mac_test.c index 2509731..751186d 100644 --- a/sys/security/mac_test/mac_test.c +++ b/sys/security/mac_test/mac_test.c 
@@ -242,12 +242,13 @@ mac_test_init_ifnet_label(struct label *label) atomic_add_int(&init_count_ifnet, 1); } -static void -mac_test_init_ipq_label(struct label *label) +static int +mac_test_init_ipq_label(struct label *label, int flag) { SLOT(label) = IPQMAGIC; atomic_add_int(&init_count_ipq, 1); + return (0); } static int |
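Review bot: `flag` is accepted but never read in mac_test_init_ipq_label(), and the hook always returns 0. The test policy therefore neither looks at the blocking disposition it is handed nor exercises the new error path added to mac_init_ipq(). The hook only stamps `IPQMAGIC` into the slot and bumps `init_count_ipq`, so a comment such as `/* flag is ignored: nothing is allocated here, so this hook cannot fail. */` above the `return (0);` would show that the constant return is deliberate.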