diff options
| author | rwatson <rwatson@FreeBSD.org> | 2003-11-12 03:14:31 +0000 |
|---|---|---|
| committer | rwatson <rwatson@FreeBSD.org> | 2003-11-12 03:14:31 +0000 |
| commit | 77ed6e2d1cbbf9a46dd5ae6d089eeb45ab81fbcb (patch) | |
| tree | a3d104511a2cb91c797ff9c5bcc6f9c70abc63ce /sys/security | |
| parent | 9352a05d4022d31faee0a088a5df3456001e11ae (diff) | |
| download | FreeBSD-src-77ed6e2d1cbbf9a46dd5ae6d089eeb45ab81fbcb.zip FreeBSD-src-77ed6e2d1cbbf9a46dd5ae6d089eeb45ab81fbcb.tar.gz | |
Modify the MAC Framework so that instead of embedding a (struct label)
in various kernel objects to represent security data, we embed a
(struct label *) pointer, which now references labels allocated using
a UMA zone (mac_label.c). This allows the size and shape of struct
label to be varied without changing the size and shape of these kernel
objects, which become part of the frozen ABI with 5-STABLE. This opens
the door for boot-time selection of the number of label slots, and hence
changes to the bound on the number of simultaneous labeled policies
at boot-time instead of compile-time. This also makes it easier to
embed label references in new objects as required for locking/caching
with fine-grained network stack locking, such as inpcb structures.
This change also moves us further in the direction of hiding the
structure of kernel objects from MAC policy modules, not to mention
dramatically reducing the number of '&' symbols appearing in both the
MAC Framework and MAC policy modules, and improving readability.
While this results in minimal performance change with MAC enabled, it
will observably shrink the size of a number of critical kernel data
structures for the !MAC case, and should have a small (but measurable)
performance benefit (i.e., struct vnode, struct socket) do to memory
conservation and reduced cost of zeroing memory.
NOTE: Users of MAC must recompile their kernel and all MAC modules as a
result of this change. Because this is an API change, third party
MAC modules will also need to be updated to make less use of the '&'
symbol.
Suggestions from: bmilekic
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
Diffstat (limited to 'sys/security')
| -rw-r--r-- | sys/security/mac/mac_framework.c | 119 | ||||
| -rw-r--r-- | sys/security/mac/mac_framework.h | 11 | ||||
| -rw-r--r-- | sys/security/mac/mac_internal.h | 14 | ||||
| -rw-r--r-- | sys/security/mac/mac_label.c | 97 | ||||
| -rw-r--r-- | sys/security/mac/mac_net.c | 259 | ||||
| -rw-r--r-- | sys/security/mac/mac_pipe.c | 25 | ||||
| -rw-r--r-- | sys/security/mac/mac_process.c | 64 | ||||
| -rw-r--r-- | sys/security/mac/mac_syscalls.c | 119 | ||||
| -rw-r--r-- | sys/security/mac/mac_system.c | 8 | ||||
| -rw-r--r-- | sys/security/mac/mac_vfs.c | 222 | ||||
| -rw-r--r-- | sys/security/mac_biba/mac_biba.c | 136 | ||||
| -rw-r--r-- | sys/security/mac_lomac/mac_lomac.c | 112 | ||||
| -rw-r--r-- | sys/security/mac_mls/mac_mls.c | 122 | ||||
| -rw-r--r-- | sys/security/mac_partition/mac_partition.c | 18 | ||||
| -rw-r--r-- | sys/security/mac_test/mac_test.c | 182 |
15 files changed, 864 insertions, 644 deletions
diff --git a/sys/security/mac/mac_framework.c b/sys/security/mac/mac_framework.c index c459003..f9adf9b 100644 --- a/sys/security/mac/mac_framework.c +++ b/sys/security/mac/mac_framework.c @@ -256,6 +256,7 @@ mac_init(void) LIST_INIT(&mac_static_policy_list); LIST_INIT(&mac_policy_list); + mac_labelzone_init(); mtx_init(&mac_policy_mtx, "mac_policy_mtx", NULL, MTX_DEF); cv_init(&mac_policy_cv, "mac_policy_cv"); @@ -565,7 +566,7 @@ __mac_get_pid(struct thread *td, struct __mac_get_pid_args *uap) } buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO); - error = mac_externalize_cred_label(&tcred->cr_label, elements, + error = mac_externalize_cred_label(tcred->cr_label, elements, buffer, mac.m_buflen); if (error == 0) error = copyout(buffer, mac.m_string, strlen(buffer)+1); @@ -602,7 +603,7 @@ __mac_get_proc(struct thread *td, struct __mac_get_proc_args *uap) } buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO); - error = mac_externalize_cred_label(&td->td_ucred->cr_label, + error = mac_externalize_cred_label(td->td_ucred->cr_label, elements, buffer, mac.m_buflen); if (error == 0) error = copyout(buffer, mac.m_string, strlen(buffer)+1); @@ -619,7 +620,7 @@ int __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap) { struct ucred *newcred, *oldcred; - struct label intlabel; + struct label *intlabel; struct proc *p; struct mac mac; char *buffer; @@ -640,13 +641,11 @@ __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap) return (error); } - mac_init_cred_label(&intlabel); - error = mac_internalize_cred_label(&intlabel, buffer); + intlabel = mac_cred_label_alloc(); + error = mac_internalize_cred_label(intlabel, buffer); free(buffer, M_MACTEMP); - if (error) { - mac_destroy_cred_label(&intlabel); - return (error); - } + if (error) + goto out; newcred = crget(); @@ -654,7 +653,7 @@ __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap) PROC_LOCK(p); oldcred = p->p_ucred; - error = mac_check_cred_relabel(oldcred, &intlabel); + error = mac_check_cred_relabel(oldcred, intlabel); if (error) { PROC_UNLOCK(p); crfree(newcred); @@ -663,7 +662,7 @@ __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap) setsugid(p); crcopy(newcred, oldcred); - mac_relabel_cred(newcred, &intlabel); + mac_relabel_cred(newcred, intlabel); p->p_ucred = newcred; /* @@ -683,7 +682,7 @@ __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap) crfree(oldcred); out: - mac_destroy_cred_label(&intlabel); + mac_cred_label_free(intlabel); return (error); } @@ -694,7 +693,7 @@ int __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap) { char *elements, *buffer; - struct label intlabel; + struct label *intlabel; struct file *fp; struct mac mac; struct vnode *vp; @@ -729,20 +728,20 @@ __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap) case DTYPE_VNODE: vp = fp->f_vnode; - mac_init_vnode_label(&intlabel); + intlabel = mac_vnode_label_alloc(); vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); - mac_copy_vnode_label(&vp->v_label, &intlabel); + mac_copy_vnode_label(vp->v_label, intlabel); VOP_UNLOCK(vp, 0, td); break; case DTYPE_PIPE: pipe = fp->f_data; - mac_init_pipe_label(&intlabel); + intlabel = mac_pipe_label_alloc(); PIPE_LOCK(pipe); - mac_copy_pipe_label(pipe->pipe_label, &intlabel); + mac_copy_pipe_label(pipe->pipe_label, intlabel); PIPE_UNLOCK(pipe); break; default: @@ -756,14 +755,14 @@ __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap) case DTYPE_FIFO: case DTYPE_VNODE: if (error == 0) - error = mac_externalize_vnode_label(&intlabel, + error = mac_externalize_vnode_label(intlabel, elements, buffer, mac.m_buflen); - mac_destroy_vnode_label(&intlabel); + mac_vnode_label_free(intlabel); break; case DTYPE_PIPE: - error = mac_externalize_pipe_label(&intlabel, elements, + error = mac_externalize_pipe_label(intlabel, elements, buffer, mac.m_buflen); - mac_destroy_pipe_label(&intlabel); + mac_pipe_label_free(intlabel); break; default: panic("__mac_get_fd: corrupted label_type"); @@ -788,7 +787,7 @@ __mac_get_file(struct thread *td, struct __mac_get_file_args *uap) { char *elements, *buffer; struct nameidata nd; - struct label intlabel; + struct label *intlabel; struct mac mac; int error; @@ -815,13 +814,13 @@ __mac_get_file(struct thread *td, struct __mac_get_file_args *uap) if (error) goto out; - mac_init_vnode_label(&intlabel); - mac_copy_vnode_label(&nd.ni_vp->v_label, &intlabel); - error = mac_externalize_vnode_label(&intlabel, elements, buffer, + intlabel = mac_vnode_label_alloc(); + mac_copy_vnode_label(nd.ni_vp->v_label, intlabel); + error = mac_externalize_vnode_label(intlabel, elements, buffer, mac.m_buflen); NDFREE(&nd, 0); - mac_destroy_vnode_label(&intlabel); + mac_vnode_label_free(intlabel); if (error == 0) error = copyout(buffer, mac.m_string, strlen(buffer)+1); @@ -843,7 +842,7 @@ __mac_get_link(struct thread *td, struct __mac_get_link_args *uap) { char *elements, *buffer; struct nameidata nd; - struct label intlabel; + struct label *intlabel; struct mac mac; int error; @@ -870,12 +869,12 @@ __mac_get_link(struct thread *td, struct __mac_get_link_args *uap) if (error) goto out; - mac_init_vnode_label(&intlabel); - mac_copy_vnode_label(&nd.ni_vp->v_label, &intlabel); - error = mac_externalize_vnode_label(&intlabel, elements, buffer, + intlabel = mac_vnode_label_alloc(); + mac_copy_vnode_label(nd.ni_vp->v_label, intlabel); + error = mac_externalize_vnode_label(intlabel, elements, buffer, mac.m_buflen); NDFREE(&nd, 0); - mac_destroy_vnode_label(&intlabel); + mac_vnode_label_free(intlabel); if (error == 0) error = copyout(buffer, mac.m_string, strlen(buffer)+1); @@ -895,7 +894,7 @@ out: int __mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap) { - struct label intlabel; + struct label *intlabel; struct pipe *pipe; struct file *fp; struct mount *mp; @@ -928,40 +927,40 @@ __mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap) switch (fp->f_type) { case DTYPE_FIFO: case DTYPE_VNODE: - mac_init_vnode_label(&intlabel); - error = mac_internalize_vnode_label(&intlabel, buffer); + intlabel = mac_vnode_label_alloc(); + error = mac_internalize_vnode_label(intlabel, buffer); if (error) { - mac_destroy_vnode_label(&intlabel); + mac_vnode_label_free(intlabel); break; } vp = fp->f_vnode; error = vn_start_write(vp, &mp, V_WAIT | PCATCH); if (error != 0) { - mac_destroy_vnode_label(&intlabel); + mac_vnode_label_free(intlabel); break; } vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); - error = vn_setlabel(vp, &intlabel, td->td_ucred); + error = vn_setlabel(vp, intlabel, td->td_ucred); VOP_UNLOCK(vp, 0, td); vn_finished_write(mp); - mac_destroy_vnode_label(&intlabel); + mac_vnode_label_free(intlabel); break; case DTYPE_PIPE: - mac_init_pipe_label(&intlabel); - error = mac_internalize_pipe_label(&intlabel, buffer); + intlabel = mac_pipe_label_alloc(); + error = mac_internalize_pipe_label(intlabel, buffer); if (error == 0) { pipe = fp->f_data; PIPE_LOCK(pipe); error = mac_pipe_label_set(td->td_ucred, pipe, - &intlabel); + intlabel); PIPE_UNLOCK(pipe); } - mac_destroy_pipe_label(&intlabel); + mac_pipe_label_free(intlabel); break; default: @@ -983,7 +982,7 @@ out: int __mac_set_file(struct thread *td, struct __mac_set_file_args *uap) { - struct label intlabel; + struct label *intlabel; struct nameidata nd; struct mount *mp; struct mac mac; @@ -1005,13 +1004,11 @@ __mac_set_file(struct thread *td, struct __mac_set_file_args *uap) return (error); } - mac_init_vnode_label(&intlabel); - error = mac_internalize_vnode_label(&intlabel, buffer); + intlabel = mac_vnode_label_alloc(); + error = mac_internalize_vnode_label(intlabel, buffer); free(buffer, M_MACTEMP); - if (error) { - mac_destroy_vnode_label(&intlabel); - return (error); - } + if (error) + goto out; mtx_lock(&Giant); /* VFS */ @@ -1021,15 +1018,15 @@ __mac_set_file(struct thread *td, struct __mac_set_file_args *uap) if (error == 0) { error = vn_start_write(nd.ni_vp, &mp, V_WAIT | PCATCH); if (error == 0) - error = vn_setlabel(nd.ni_vp, &intlabel, + error = vn_setlabel(nd.ni_vp, intlabel, td->td_ucred); vn_finished_write(mp); } NDFREE(&nd, 0); mtx_unlock(&Giant); /* VFS */ - mac_destroy_vnode_label(&intlabel); - +out: + mac_vnode_label_free(intlabel); return (error); } @@ -1039,7 +1036,7 @@ __mac_set_file(struct thread *td, struct __mac_set_file_args *uap) int __mac_set_link(struct thread *td, struct __mac_set_link_args *uap) { - struct label intlabel; + struct label *intlabel; struct nameidata nd; struct mount *mp; struct mac mac; @@ -1061,13 +1058,11 @@ __mac_set_link(struct thread *td, struct __mac_set_link_args *uap) return (error); } - mac_init_vnode_label(&intlabel); - error = mac_internalize_vnode_label(&intlabel, buffer); + intlabel = mac_vnode_label_alloc(); + error = mac_internalize_vnode_label(intlabel, buffer); free(buffer, M_MACTEMP); - if (error) { - mac_destroy_vnode_label(&intlabel); - return (error); - } + if (error) + goto out; mtx_lock(&Giant); /* VFS */ @@ -1077,15 +1072,15 @@ __mac_set_link(struct thread *td, struct __mac_set_link_args *uap) if (error == 0) { error = vn_start_write(nd.ni_vp, &mp, V_WAIT | PCATCH); if (error == 0) - error = vn_setlabel(nd.ni_vp, &intlabel, + error = vn_setlabel(nd.ni_vp, intlabel, td->td_ucred); vn_finished_write(mp); } NDFREE(&nd, 0); mtx_unlock(&Giant); /* VFS */ - mac_destroy_vnode_label(&intlabel); - +out: + mac_vnode_label_free(intlabel); return (error); } diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h index 7955c25a..1dc6bf1 100644 --- a/sys/security/mac/mac_framework.h +++ b/sys/security/mac/mac_framework.h @@ -144,7 +144,6 @@ int mac_init_mbuf_tag(struct m_tag *, int flag); void mac_init_mount(struct mount *); void mac_init_proc(struct proc *); void mac_init_vnode(struct vnode *); -void mac_init_vnode_label(struct label *); void mac_copy_mbuf_tag(struct m_tag *, struct m_tag *); void mac_copy_vnode_label(struct label *, struct label *label); void mac_destroy_bpfdesc(struct bpf_d *); @@ -158,7 +157,12 @@ void mac_destroy_proc(struct proc *); void mac_destroy_mbuf_tag(struct m_tag *); void mac_destroy_mount(struct mount *); void mac_destroy_vnode(struct vnode *); -void mac_destroy_vnode_label(struct label *); + +struct label *mac_cred_label_alloc(void); +void mac_cred_label_free(struct label *label); +struct label *mac_vnode_label_alloc(void); +void mac_vnode_label_free(struct label *label); +void mac_destroy_vnode_label(struct label *); /* * Labeling event operations: file system objects, and things that @@ -220,8 +224,7 @@ void mac_update_ipq(struct mbuf *fragment, struct ipq *ipq); * Labeling event operations: processes. */ void mac_create_cred(struct ucred *cred_parent, struct ucred *cred_child); -int mac_execve_enter(struct image_params *imgp, struct mac *mac_p, - struct label *execlabel); +int mac_execve_enter(struct image_params *imgp, struct mac *mac_p); void mac_execve_exit(struct image_params *imgp); void mac_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp, struct label *interpvnodelabel, diff --git a/sys/security/mac/mac_internal.h b/sys/security/mac/mac_internal.h index b07cf6f..957057b 100644 --- a/sys/security/mac/mac_internal.h +++ b/sys/security/mac/mac_internal.h @@ -59,6 +59,7 @@ extern struct mac_policy_list_head mac_policy_list; extern struct mac_policy_list_head mac_static_policy_list; extern int mac_late; extern int mac_enforce_process; +extern int mac_enforce_sysv; extern int mac_enforce_vm; #ifndef MAC_ALWAYS_LABEL_MBUF extern int mac_labelmbufs; @@ -88,6 +89,10 @@ void mac_policy_list_busy(void); int mac_policy_list_conditional_busy(void); void mac_policy_list_unbusy(void); +struct label *mac_labelzone_alloc(int flags); +void mac_labelzone_free(struct label *label); +void mac_labelzone_init(void); + void mac_init_label(struct label *label); void mac_destroy_label(struct label *label); int mac_check_structmac_consistent(struct mac *mac); @@ -98,19 +103,18 @@ int mac_allocate_slot(void); * the namespaces, etc, should work for these, so for now, sort by * object type. */ +struct label *mac_pipe_label_alloc(void); +void mac_pipe_label_free(struct label *label); + int mac_check_cred_relabel(struct ucred *cred, struct label *newlabel); -void mac_destroy_cred_label(struct label *label); -int mac_externalize_cred_label(struct label *label, char *elements, +int mac_externalize_cred_label(struct label *label, char *elements, char *outbuf, size_t outbuflen); -void mac_init_cred_label(struct label *label); int mac_internalize_cred_label(struct label *label, char *string); void mac_relabel_cred(struct ucred *cred, struct label *newlabel); void mac_copy_pipe_label(struct label *src, struct label *dest); -void mac_destroy_pipe_label(struct label *label); int mac_externalize_pipe_label(struct label *label, char *elements, char *outbuf, size_t outbuflen); -void mac_init_pipe_label(struct label *label); int mac_internalize_pipe_label(struct label *label, char *string); int mac_externalize_vnode_label(struct label *label, char *elements, diff --git a/sys/security/mac/mac_label.c b/sys/security/mac/mac_label.c new file mode 100644 index 0000000..eedc1df --- /dev/null +++ b/sys/security/mac/mac_label.c @@ -0,0 +1,97 @@ +/*- + * Copyright (c) 2003 Networks Associates Technology, Inc. + * All rights reserved. + * + * This software was developed for the FreeBSD Project in part by Network + * Associates Laboratories, the Security Research Division of Network + * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), + * as part of the DARPA CHATS research program. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include <sys/cdefs.h> +__FBSDID("$FreeBSD$"); + +#include "opt_mac.h" + +#include <sys/param.h> +#include <sys/mac.h> +#include <sys/sysctl.h> +#include <sys/systm.h> + +#include <vm/uma.h> + +#include <security/mac/mac_internal.h> + +uma_zone_t zone_label; + +static void mac_labelzone_ctor(void *mem, int size, void *arg); +static void mac_labelzone_dtor(void *mem, int size, void *arg); + +void +mac_labelzone_init(void) +{ + + zone_label = uma_zcreate("MAC labels", sizeof(struct label), + mac_labelzone_ctor, mac_labelzone_dtor, NULL, NULL, + UMA_ALIGN_PTR, 0); +} + +static void +mac_labelzone_ctor(void *mem, int size, void *arg) +{ + struct label *label; + + KASSERT(size == sizeof(*label), ("mac_labelzone_ctor: wrong size\n")); + label = mem; + bzero(label, sizeof(*label)); + label->l_flags = MAC_FLAG_INITIALIZED; +} + +static void +mac_labelzone_dtor(void *mem, int size, void *arg) +{ + struct label *label; + + KASSERT(size == sizeof(*label), ("mac_labelzone_dtor: wrong size\n")); + label = mem; +#ifdef DIAGNOSTIC + bzero(label, sizeof(*label)); +#else + label->l_flags &= ~MAC_FLAG_INITIALIZED; +#endif +} + +struct label * +mac_labelzone_alloc(int flags) +{ + + return (uma_zalloc(zone_label, flags)); +} + +void +mac_labelzone_free(struct label *label) +{ + + uma_zfree(zone_label, label); +} diff --git a/sys/security/mac/mac_net.c b/sys/security/mac/mac_net.c index 308231e..7950393 100644 --- a/sys/security/mac/mac_net.c +++ b/sys/security/mac/mac_net.c @@ -91,7 +91,8 @@ SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, sockets, CTLFLAG_RD, &nmacsockets, 0, "number of sockets in use"); #endif -static void mac_destroy_socket_label(struct label *label); +static void mac_socket_label_free(struct label *label); + static struct label * mbuf_to_label(struct mbuf *mbuf) @@ -105,46 +106,70 @@ mbuf_to_label(struct mbuf *mbuf) return (label); } +static struct label * +mac_bpfdesc_label_alloc(void) +{ + struct label *label; + + label = mac_labelzone_alloc(M_WAITOK); + MAC_PERFORM(init_bpfdesc_label, label); + MAC_DEBUG_COUNTER_INC(&nmacbpfdescs); + return (label); +} + void mac_init_bpfdesc(struct bpf_d *bpf_d) { - mac_init_label(&bpf_d->bd_label); - MAC_PERFORM(init_bpfdesc_label, &bpf_d->bd_label); - MAC_DEBUG_COUNTER_INC(&nmacbpfdescs); + bpf_d->bd_label = mac_bpfdesc_label_alloc(); } -static void -mac_init_ifnet_label(struct label *label) +static struct label * +mac_ifnet_label_alloc(void) { + struct label *label; - mac_init_label(label); + label = mac_labelzone_alloc(M_WAITOK); MAC_PERFORM(init_ifnet_label, label); MAC_DEBUG_COUNTER_INC(&nmacifnets); + return (label); } void mac_init_ifnet(struct ifnet *ifp) { - mac_init_ifnet_label(&ifp->if_label); + ifp->if_label = mac_ifnet_label_alloc(); } -int -mac_init_ipq(struct ipq *ipq, int flag) +static struct label * +mac_ipq_label_alloc(int flag) { + struct label *label; int error; - mac_init_label(&ipq->ipq_label); + label = mac_labelzone_alloc(flag); + if (label == NULL) + return (NULL); - MAC_CHECK(init_ipq_label, &ipq->ipq_label, flag); + MAC_CHECK(init_ipq_label, label, flag); if (error) { - MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label); - mac_destroy_label(&ipq->ipq_label); - } else { - MAC_DEBUG_COUNTER_INC(&nmacipqs); + MAC_PERFORM(destroy_ipq_label, label); + mac_labelzone_free(label); + return (NULL); } - return (error); + MAC_DEBUG_COUNTER_INC(&nmacipqs); + return (label); +} + +int +mac_init_ipq(struct ipq *ipq, int flag) +{ + + ipq->ipq_label = mac_ipq_label_alloc(flag); + if (ipq->ipq_label == NULL) + return (ENOMEM); + return (0); } int @@ -195,71 +220,85 @@ mac_init_mbuf(struct mbuf *m, int flag) return (0); } -static int -mac_init_socket_label(struct label *label, int flag) +static struct label * +mac_socket_label_alloc(int flag) { + struct label *label; int error; - mac_init_label(label); + label = mac_labelzone_alloc(flag); + if (label == NULL) + return (NULL); MAC_CHECK(init_socket_label, label, flag); if (error) { MAC_PERFORM(destroy_socket_label, label); - mac_destroy_label(label); - } else { - MAC_DEBUG_COUNTER_INC(&nmacsockets); + mac_labelzone_free(label); + return (NULL); } - - return (error); + MAC_DEBUG_COUNTER_INC(&nmacsockets); + return (label); } -static int -mac_init_socket_peer_label(struct label *label, int flag) +static struct label * +mac_socket_peer_label_alloc(int flag) { + struct label *label; int error; - mac_init_label(label); + label = mac_labelzone_alloc(flag); + if (label == NULL) + return (NULL); MAC_CHECK(init_socket_peer_label, label, flag); if (error) { MAC_PERFORM(destroy_socket_peer_label, label); - mac_destroy_label(label); + mac_labelzone_free(label); + return (NULL); } - - return (error); + MAC_DEBUG_COUNTER_INC(&nmacsockets); + return (label); } int -mac_init_socket(struct socket *socket, int flag) +mac_init_socket(struct socket *so, int flag) { - int error; - error = mac_init_socket_label(&socket->so_label, flag); - if (error) - return (error); + so->so_label = mac_socket_label_alloc(flag); + if (so->so_label == NULL) + return (ENOMEM); + so->so_peerlabel = mac_socket_peer_label_alloc(flag); + if (so->so_peerlabel == NULL) { + mac_socket_label_free(so->so_label); + so->so_label = NULL; + return (ENOMEM); + } + return (0); +} - error = mac_init_socket_peer_label(&socket->so_peerlabel, flag); - if (error) - mac_destroy_socket_label(&socket->so_label); +static void +mac_bpfdesc_label_free(struct label *label) +{ - return (error); + MAC_PERFORM(destroy_bpfdesc_label, label); + mac_labelzone_free(label); + MAC_DEBUG_COUNTER_DEC(&nmacbpfdescs); } void mac_destroy_bpfdesc(struct bpf_d *bpf_d) { - MAC_PERFORM(destroy_bpfdesc_label, &bpf_d->bd_label); - mac_destroy_label(&bpf_d->bd_label); - MAC_DEBUG_COUNTER_DEC(&nmacbpfdescs); + mac_bpfdesc_label_free(bpf_d->bd_label); + bpf_d->bd_label = NULL; } static void -mac_destroy_ifnet_label(struct label *label) +mac_ifnet_label_free(struct label *label) { MAC_PERFORM(destroy_ifnet_label, label); - mac_destroy_label(label); + mac_labelzone_free(label); MAC_DEBUG_COUNTER_DEC(&nmacifnets); } @@ -267,16 +306,25 @@ void mac_destroy_ifnet(struct ifnet *ifp) { - mac_destroy_ifnet_label(&ifp->if_label); + mac_ifnet_label_free(ifp->if_label); + ifp->if_label = NULL; +} + +static void +mac_ipq_label_free(struct label *label) +{ + + MAC_PERFORM(destroy_ipq_label, label); + mac_labelzone_free(label); + MAC_DEBUG_COUNTER_DEC(&nmacipqs); } void mac_destroy_ipq(struct ipq *ipq) { - MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label); - mac_destroy_label(&ipq->ipq_label); - MAC_DEBUG_COUNTER_DEC(&nmacipqs); + mac_ipq_label_free(ipq->ipq_label); + ipq->ipq_label = NULL; } void @@ -292,28 +340,31 @@ mac_destroy_mbuf_tag(struct m_tag *tag) } static void -mac_destroy_socket_label(struct label *label) +mac_socket_label_free(struct label *label) { MAC_PERFORM(destroy_socket_label, label); - mac_destroy_label(label); + mac_labelzone_free(label); MAC_DEBUG_COUNTER_DEC(&nmacsockets); } static void -mac_destroy_socket_peer_label(struct label *label) +mac_socket_peer_label_free(struct label *label) { MAC_PERFORM(destroy_socket_peer_label, label); - mac_destroy_label(label); + mac_labelzone_free(label); + MAC_DEBUG_COUNTER_DEC(&nmacsockets); } void mac_destroy_socket(struct socket *socket) { - mac_destroy_socket_label(&socket->so_label); - mac_destroy_socket_peer_label(&socket->so_peerlabel); + mac_socket_label_free(socket->so_label); + socket->so_label = NULL; + mac_socket_peer_label_free(socket->so_peerlabel); + socket->so_peerlabel = NULL; } void @@ -388,21 +439,21 @@ void mac_create_ifnet(struct ifnet *ifnet) { - MAC_PERFORM(create_ifnet, ifnet, &ifnet->if_label); + MAC_PERFORM(create_ifnet, ifnet, ifnet->if_label); } void mac_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d) { - MAC_PERFORM(create_bpfdesc, cred, bpf_d, &bpf_d->bd_label); + MAC_PERFORM(create_bpfdesc, cred, bpf_d, bpf_d->bd_label); } void mac_create_socket(struct ucred *cred, struct socket *socket) { - MAC_PERFORM(create_socket, cred, socket, &socket->so_label); + MAC_PERFORM(create_socket, cred, socket, socket->so_label); } void @@ -410,8 +461,8 @@ mac_create_socket_from_socket(struct socket *oldsocket, struct socket *newsocket) { - MAC_PERFORM(create_socket_from_socket, oldsocket, &oldsocket->so_label, - newsocket, &newsocket->so_label); + MAC_PERFORM(create_socket_from_socket, oldsocket, oldsocket->so_label, + newsocket, newsocket->so_label); } static void @@ -419,7 +470,7 @@ mac_relabel_socket(struct ucred *cred, struct socket *socket, struct label *newlabel) { - MAC_PERFORM(relabel_socket, cred, socket, &socket->so_label, newlabel); + MAC_PERFORM(relabel_socket, cred, socket, socket->so_label, newlabel); } void @@ -430,7 +481,7 @@ mac_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct socket *socket) label = mbuf_to_label(mbuf); MAC_PERFORM(set_socket_peer_from_mbuf, mbuf, label, socket, - &socket->so_peerlabel); + socket->so_peerlabel); } void @@ -439,7 +490,7 @@ mac_set_socket_peer_from_socket(struct socket *oldsocket, { MAC_PERFORM(set_socket_peer_from_socket, oldsocket, - &oldsocket->so_label, newsocket, &newsocket->so_peerlabel); + oldsocket->so_label, newsocket, newsocket->so_peerlabel); } void @@ -449,7 +500,7 @@ mac_create_datagram_from_ipq(struct ipq *ipq, struct mbuf *datagram) label = mbuf_to_label(datagram); - MAC_PERFORM(create_datagram_from_ipq, ipq, &ipq->ipq_label, + MAC_PERFORM(create_datagram_from_ipq, ipq, ipq->ipq_label, datagram, label); } @@ -472,7 +523,7 @@ mac_create_ipq(struct mbuf *fragment, struct ipq *ipq) label = mbuf_to_label(fragment); - MAC_PERFORM(create_ipq, fragment, label, ipq, &ipq->ipq_label); + MAC_PERFORM(create_ipq, fragment, label, ipq, ipq->ipq_label); } void @@ -494,7 +545,7 @@ mac_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct mbuf *mbuf) label = mbuf_to_label(mbuf); - MAC_PERFORM(create_mbuf_from_bpfdesc, bpf_d, &bpf_d->bd_label, mbuf, + MAC_PERFORM(create_mbuf_from_bpfdesc, bpf_d, bpf_d->bd_label, mbuf, label); } @@ -505,7 +556,7 @@ mac_create_mbuf_linklayer(struct ifnet *ifnet, struct mbuf *mbuf) label = mbuf_to_label(mbuf); - MAC_PERFORM(create_mbuf_linklayer, ifnet, &ifnet->if_label, mbuf, + MAC_PERFORM(create_mbuf_linklayer, ifnet, ifnet->if_label, mbuf, label); } @@ -516,7 +567,7 @@ mac_create_mbuf_from_ifnet(struct ifnet *ifnet, struct mbuf *mbuf) label = mbuf_to_label(mbuf); - MAC_PERFORM(create_mbuf_from_ifnet, ifnet, &ifnet->if_label, mbuf, + MAC_PERFORM(create_mbuf_from_ifnet, ifnet, ifnet->if_label, mbuf, label); } @@ -530,7 +581,7 @@ mac_create_mbuf_multicast_encap(struct mbuf *oldmbuf, struct ifnet *ifnet, newmbuflabel = mbuf_to_label(newmbuf); MAC_PERFORM(create_mbuf_multicast_encap, oldmbuf, oldmbuflabel, - ifnet, &ifnet->if_label, newmbuf, newmbuflabel); + ifnet, ifnet->if_label, newmbuf, newmbuflabel); } void @@ -555,7 +606,7 @@ mac_fragment_match(struct mbuf *fragment, struct ipq *ipq) result = 1; MAC_BOOLEAN(fragment_match, &&, fragment, label, ipq, - &ipq->ipq_label); + ipq->ipq_label); return (result); } @@ -586,7 +637,7 @@ mac_update_ipq(struct mbuf *fragment, struct ipq *ipq) label = mbuf_to_label(fragment); - MAC_PERFORM(update_ipq, fragment, label, ipq, &ipq->ipq_label); + MAC_PERFORM(update_ipq, fragment, label, ipq, ipq->ipq_label); } void @@ -596,7 +647,7 @@ mac_create_mbuf_from_socket(struct socket *socket, struct mbuf *mbuf) label = mbuf_to_label(mbuf); - MAC_PERFORM(create_mbuf_from_socket, socket, &socket->so_label, mbuf, + MAC_PERFORM(create_mbuf_from_socket, socket, socket->so_label, mbuf, label); } @@ -608,8 +659,8 @@ mac_check_bpfdesc_receive(struct bpf_d *bpf_d, struct ifnet *ifnet) if (!mac_enforce_network) return (0); - MAC_CHECK(check_bpfdesc_receive, bpf_d, &bpf_d->bd_label, ifnet, - &ifnet->if_label); + MAC_CHECK(check_bpfdesc_receive, bpf_d, bpf_d->bd_label, ifnet, + ifnet->if_label); return (error); } @@ -627,7 +678,7 @@ mac_check_ifnet_transmit(struct ifnet *ifnet, struct mbuf *mbuf) label = mbuf_to_label(mbuf); - MAC_CHECK(check_ifnet_transmit, ifnet, &ifnet->if_label, mbuf, + MAC_CHECK(check_ifnet_transmit, ifnet, ifnet->if_label, mbuf, label); return (error); @@ -642,7 +693,7 @@ mac_check_socket_bind(struct ucred *ucred, struct socket *socket, if (!mac_enforce_socket) return (0); - MAC_CHECK(check_socket_bind, ucred, socket, &socket->so_label, + MAC_CHECK(check_socket_bind, ucred, socket, socket->so_label, sockaddr); return (error); @@ -657,7 +708,7 @@ mac_check_socket_connect(struct ucred *cred, struct socket *socket, if (!mac_enforce_socket) return (0); - MAC_CHECK(check_socket_connect, cred, socket, &socket->so_label, + MAC_CHECK(check_socket_connect, cred, socket, socket->so_label, sockaddr); return (error); @@ -674,7 +725,7 @@ mac_check_socket_deliver(struct socket *socket, struct mbuf *mbuf) label = mbuf_to_label(mbuf); - MAC_CHECK(check_socket_deliver, socket, &socket->so_label, mbuf, + MAC_CHECK(check_socket_deliver, socket, socket->so_label, mbuf, label); return (error); @@ -688,7 +739,7 @@ mac_check_socket_listen(struct ucred *cred, struct socket *socket) if (!mac_enforce_socket) return (0); - MAC_CHECK(check_socket_listen, cred, socket, &socket->so_label); + MAC_CHECK(check_socket_listen, cred, socket, socket->so_label); return (error); } @@ -700,7 +751,7 @@ mac_check_socket_receive(struct ucred *cred, struct socket *so) if (!mac_enforce_socket) return (0); - MAC_CHECK(check_socket_receive, cred, so, &so->so_label); + MAC_CHECK(check_socket_receive, cred, so, so->so_label); return (error); } @@ -711,7 +762,7 @@ mac_check_socket_relabel(struct ucred *cred, struct socket *socket, { int error; - MAC_CHECK(check_socket_relabel, cred, socket, &socket->so_label, + MAC_CHECK(check_socket_relabel, cred, socket, socket->so_label, newlabel); return (error); @@ -725,7 +776,7 @@ mac_check_socket_send(struct ucred *cred, struct socket *so) if (!mac_enforce_socket) return (0); - MAC_CHECK(check_socket_send, cred, so, &so->so_label); + MAC_CHECK(check_socket_send, cred, so, so->so_label); return (error); } @@ -738,7 +789,7 @@ mac_check_socket_visible(struct ucred *cred, struct socket *socket) if (!mac_enforce_socket) return (0); - MAC_CHECK(check_socket_visible, cred, socket, &socket->so_label); + MAC_CHECK(check_socket_visible, cred, socket, socket->so_label); return (error); } @@ -767,7 +818,7 @@ mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr, } buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO); - error = mac_externalize_ifnet_label(&ifnet->if_label, elements, + error = mac_externalize_ifnet_label(ifnet->if_label, elements, buffer, mac.m_buflen); if (error == 0) error = copyout(buffer, mac.m_string, strlen(buffer)+1); @@ -782,7 +833,7 @@ int mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr, struct ifnet *ifnet) { - struct label intlabel; + struct label *intlabel; struct mac mac; char *buffer; int error; @@ -802,11 +853,11 @@ mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr, return (error); } - mac_init_ifnet_label(&intlabel); - error = mac_internalize_ifnet_label(&intlabel, buffer); + intlabel = mac_ifnet_label_alloc(); + error = mac_internalize_ifnet_label(intlabel, buffer); free(buffer, M_MACTEMP); if (error) { - mac_destroy_ifnet_label(&intlabel); + mac_ifnet_label_free(intlabel); return (error); } @@ -817,20 +868,20 @@ mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr, */ error = suser_cred(cred, 0); if (error) { - mac_destroy_ifnet_label(&intlabel); + mac_ifnet_label_free(intlabel); return (error); } - MAC_CHECK(check_ifnet_relabel, cred, ifnet, &ifnet->if_label, - &intlabel); + MAC_CHECK(check_ifnet_relabel, cred, ifnet, ifnet->if_label, + intlabel); if (error) { - mac_destroy_ifnet_label(&intlabel); + mac_ifnet_label_free(intlabel); return (error); } - MAC_PERFORM(relabel_ifnet, cred, ifnet, &ifnet->if_label, &intlabel); + MAC_PERFORM(relabel_ifnet, cred, ifnet, ifnet->if_label, intlabel); - mac_destroy_ifnet_label(&intlabel); + mac_ifnet_label_free(intlabel); return (0); } @@ -838,7 +889,7 @@ int mac_setsockopt_label_set(struct ucred *cred, struct socket *so, struct mac *mac) { - struct label intlabel; + struct label *intlabel; char *buffer; int error; @@ -853,23 +904,23 @@ mac_setsockopt_label_set(struct ucred *cred, struct socket *so, return (error); } - mac_init_socket_label(&intlabel, M_WAITOK); - error = mac_internalize_socket_label(&intlabel, buffer); + intlabel = mac_socket_label_alloc(M_WAITOK); + error = mac_internalize_socket_label(intlabel, buffer); free(buffer, M_MACTEMP); if (error) { - mac_destroy_socket_label(&intlabel); + mac_socket_label_free(intlabel); return (error); } - mac_check_socket_relabel(cred, so, &intlabel); + mac_check_socket_relabel(cred, so, intlabel); if (error) { - mac_destroy_socket_label(&intlabel); + mac_socket_label_free(intlabel); return (error); } - mac_relabel_socket(cred, so, &intlabel); + mac_relabel_socket(cred, so, intlabel); - mac_destroy_socket_label(&intlabel); + mac_socket_label_free(intlabel); return (0); } @@ -892,7 +943,7 @@ mac_getsockopt_label_get(struct ucred *cred, struct socket *so, } buffer = malloc(mac->m_buflen, M_MACTEMP, M_WAITOK | M_ZERO); - error = mac_externalize_socket_label(&so->so_label, elements, + error = mac_externalize_socket_label(so->so_label, elements, buffer, mac->m_buflen); if (error == 0) error = copyout(buffer, mac->m_string, strlen(buffer)+1); @@ -922,7 +973,7 @@ mac_getsockopt_peerlabel_get(struct ucred *cred, struct socket *so, } buffer = malloc(mac->m_buflen, M_MACTEMP, M_WAITOK | M_ZERO); - error = mac_externalize_socket_peer_label(&so->so_peerlabel, + error = mac_externalize_socket_peer_label(so->so_peerlabel, elements, buffer, mac->m_buflen); if (error == 0) error = copyout(buffer, mac->m_string, strlen(buffer)+1); diff --git a/sys/security/mac/mac_pipe.c b/sys/security/mac/mac_pipe.c index b30ebaf..61633c3 100644 --- a/sys/security/mac/mac_pipe.c +++ b/sys/security/mac/mac_pipe.c @@ -61,34 +61,31 @@ SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, pipes, CTLFLAG_RD, &nmacpipes, 0, "number of pipes in use"); #endif -MALLOC_DEFINE(M_MACPIPELABEL, "macpipelabel", "MAC labels for pipes"); - -void -mac_init_pipe_label(struct label *label) +struct label * +mac_pipe_label_alloc(void) { + struct label *label; - mac_init_label(label); + label = mac_labelzone_alloc(M_WAITOK); MAC_PERFORM(init_pipe_label, label); MAC_DEBUG_COUNTER_INC(&nmacpipes); + return (label); } void mac_init_pipe(struct pipe *pipe) { - struct label *label; - label = malloc(sizeof(struct label), M_MACPIPELABEL, M_ZERO|M_WAITOK); - pipe->pipe_label = label; - pipe->pipe_peer->pipe_label = label; - mac_init_pipe_label(label); + pipe->pipe_label = pipe->pipe_peer->pipe_label = + mac_pipe_label_alloc(); } void -mac_destroy_pipe_label(struct label *label) +mac_pipe_label_free(struct label *label) { MAC_PERFORM(destroy_pipe_label, label); - mac_destroy_label(label); + mac_labelzone_free(label); MAC_DEBUG_COUNTER_DEC(&nmacpipes); } @@ -96,8 +93,8 @@ void mac_destroy_pipe(struct pipe *pipe) { - mac_destroy_pipe_label(pipe->pipe_label); - free(pipe->pipe_label, M_MACPIPELABEL); + mac_pipe_label_free(pipe->pipe_label); + pipe->pipe_label = NULL; } void diff --git a/sys/security/mac/mac_process.c b/sys/security/mac/mac_process.c index 7697671..68d847d 100644 --- a/sys/security/mac/mac_process.c +++ b/sys/security/mac/mac_process.c @@ -96,37 +96,48 @@ SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, procs, CTLFLAG_RD, static void mac_cred_mmapped_drop_perms_recurse(struct thread *td, struct ucred *cred, struct vm_map *map); -void -mac_init_cred_label(struct label *label) +struct label * +mac_cred_label_alloc(void) { + struct label *label; - mac_init_label(label); + label = mac_labelzone_alloc(M_WAITOK); MAC_PERFORM(init_cred_label, label); MAC_DEBUG_COUNTER_INC(&nmaccreds); + return (label); } void mac_init_cred(struct ucred *cred) { - mac_init_cred_label(&cred->cr_label); + cred->cr_label = mac_cred_label_alloc(); +} + +static struct label * +mac_proc_label_alloc(void) +{ + struct label *label; + + label = mac_labelzone_alloc(M_WAITOK); + MAC_PERFORM(init_proc_label, label); + MAC_DEBUG_COUNTER_INC(&nmacprocs); + return (label); } void mac_init_proc(struct proc *p) { - mac_init_label(&p->p_label); - MAC_PERFORM(init_proc_label, &p->p_label); - MAC_DEBUG_COUNTER_INC(&nmacprocs); + p->p_label = mac_proc_label_alloc(); } void -mac_destroy_cred_label(struct label *label) +mac_cred_label_free(struct label *label) { MAC_PERFORM(destroy_cred_label, label); - mac_destroy_label(label); + mac_labelzone_free(label); MAC_DEBUG_COUNTER_DEC(&nmaccreds); } @@ -134,16 +145,25 @@ void mac_destroy_cred(struct ucred *cred) { - mac_destroy_cred_label(&cred->cr_label); + mac_cred_label_free(cred->cr_label); + cred->cr_label = NULL; +} + +static void +mac_proc_label_free(struct label *label) +{ + + MAC_PERFORM(destroy_proc_label, label); + mac_labelzone_free(label); + MAC_DEBUG_COUNTER_DEC(&nmacprocs); } void mac_destroy_proc(struct proc *p) { - MAC_PERFORM(destroy_proc_label, &p->p_label); - mac_destroy_label(&p->p_label); - MAC_DEBUG_COUNTER_DEC(&nmacprocs); + mac_proc_label_free(p->p_label); + p->p_label = NULL; } int @@ -209,9 +229,9 @@ mac_create_cred(struct ucred *parent_cred, struct ucred *child_cred) } int -mac_execve_enter(struct image_params *imgp, struct mac *mac_p, - struct label *execlabelstorage) +mac_execve_enter(struct image_params *imgp, struct mac *mac_p) { + struct label *label; struct mac mac; char *buffer; int error; @@ -234,22 +254,24 @@ mac_execve_enter(struct image_params *imgp, struct mac *mac_p, return (error); } - mac_init_cred_label(execlabelstorage); - error = mac_internalize_cred_label(execlabelstorage, buffer); + label = mac_cred_label_alloc(); + error = mac_internalize_cred_label(label, buffer); free(buffer, M_MACTEMP); if (error) { - mac_destroy_cred_label(execlabelstorage); + mac_cred_label_free(label); return (error); } - imgp->execlabel = execlabelstorage; + imgp->execlabel = label; return (0); } void mac_execve_exit(struct image_params *imgp) { - if (imgp->execlabel != NULL) - mac_destroy_cred_label(imgp->execlabel); + if (imgp->execlabel != NULL) { + mac_cred_label_free(imgp->execlabel); + imgp->execlabel = NULL; + } } /* diff --git a/sys/security/mac/mac_syscalls.c b/sys/security/mac/mac_syscalls.c index c459003..f9adf9b 100644 --- a/sys/security/mac/mac_syscalls.c +++ b/sys/security/mac/mac_syscalls.c @@ -256,6 +256,7 @@ mac_init(void) LIST_INIT(&mac_static_policy_list); LIST_INIT(&mac_policy_list); + mac_labelzone_init(); mtx_init(&mac_policy_mtx, "mac_policy_mtx", NULL, MTX_DEF); cv_init(&mac_policy_cv, "mac_policy_cv"); @@ -565,7 +566,7 @@ __mac_get_pid(struct thread *td, struct __mac_get_pid_args *uap) } buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO); - error = mac_externalize_cred_label(&tcred->cr_label, elements, + error = mac_externalize_cred_label(tcred->cr_label, elements, buffer, mac.m_buflen); if (error == 0) error = copyout(buffer, mac.m_string, strlen(buffer)+1); @@ -602,7 +603,7 @@ __mac_get_proc(struct thread *td, struct __mac_get_proc_args *uap) } buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO); - error = mac_externalize_cred_label(&td->td_ucred->cr_label, + error = mac_externalize_cred_label(td->td_ucred->cr_label, elements, buffer, mac.m_buflen); if (error == 0) error = copyout(buffer, mac.m_string, strlen(buffer)+1); @@ -619,7 +620,7 @@ int __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap) { struct ucred *newcred, *oldcred; - struct label intlabel; + struct label *intlabel; struct proc *p; struct mac mac; char *buffer; @@ -640,13 +641,11 @@ __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap) return (error); } - mac_init_cred_label(&intlabel); - error = mac_internalize_cred_label(&intlabel, buffer); + intlabel = mac_cred_label_alloc(); + error = mac_internalize_cred_label(intlabel, buffer); free(buffer, M_MACTEMP); - if (error) { - mac_destroy_cred_label(&intlabel); - return (error); - } + if (error) + goto out; newcred = crget(); @@ -654,7 +653,7 @@ __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap) PROC_LOCK(p); oldcred = p->p_ucred; - error = mac_check_cred_relabel(oldcred, &intlabel); + error = mac_check_cred_relabel(oldcred, intlabel); if (error) { PROC_UNLOCK(p); crfree(newcred); @@ -663,7 +662,7 @@ __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap) setsugid(p); crcopy(newcred, oldcred); - mac_relabel_cred(newcred, &intlabel); + mac_relabel_cred(newcred, intlabel); p->p_ucred = newcred; /* @@ -683,7 +682,7 @@ __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap) crfree(oldcred); out: - mac_destroy_cred_label(&intlabel); + mac_cred_label_free(intlabel); return (error); } @@ -694,7 +693,7 @@ int __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap) { char *elements, *buffer; - struct label intlabel; + struct label *intlabel; struct file *fp; struct mac mac; struct vnode *vp; @@ -729,20 +728,20 @@ __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap) case DTYPE_VNODE: vp = fp->f_vnode; - mac_init_vnode_label(&intlabel); + intlabel = mac_vnode_label_alloc(); vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); - mac_copy_vnode_label(&vp->v_label, &intlabel); + mac_copy_vnode_label(vp->v_label, intlabel); VOP_UNLOCK(vp, 0, td); break; case DTYPE_PIPE: pipe = fp->f_data; - mac_init_pipe_label(&intlabel); + intlabel = mac_pipe_label_alloc(); PIPE_LOCK(pipe); - mac_copy_pipe_label(pipe->pipe_label, &intlabel); + mac_copy_pipe_label(pipe->pipe_label, intlabel); PIPE_UNLOCK(pipe); break; default: @@ -756,14 +755,14 @@ __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap) case DTYPE_FIFO: case DTYPE_VNODE: if (error == 0) - error = mac_externalize_vnode_label(&intlabel, + error = mac_externalize_vnode_label(intlabel, elements, buffer, mac.m_buflen); - mac_destroy_vnode_label(&intlabel); + mac_vnode_label_free(intlabel); break; case DTYPE_PIPE: - error = mac_externalize_pipe_label(&intlabel, elements, + error = mac_externalize_pipe_label(intlabel, elements, buffer, mac.m_buflen); - mac_destroy_pipe_label(&intlabel); + mac_pipe_label_free(intlabel); break; default: panic("__mac_get_fd: corrupted label_type"); @@ -788,7 +787,7 @@ __mac_get_file(struct thread *td, struct __mac_get_file_args *uap) { char *elements, *buffer; struct nameidata nd; - struct label intlabel; + struct label *intlabel; struct mac mac; int error; @@ -815,13 +814,13 @@ __mac_get_file(struct thread *td, struct __mac_get_file_args *uap) if (error) goto out; - mac_init_vnode_label(&intlabel); - mac_copy_vnode_label(&nd.ni_vp->v_label, &intlabel); - error = mac_externalize_vnode_label(&intlabel, elements, buffer, + intlabel = mac_vnode_label_alloc(); + mac_copy_vnode_label(nd.ni_vp->v_label, intlabel); + error = mac_externalize_vnode_label(intlabel, elements, buffer, mac.m_buflen); NDFREE(&nd, 0); - mac_destroy_vnode_label(&intlabel); + mac_vnode_label_free(intlabel); if (error == 0) error = copyout(buffer, mac.m_string, strlen(buffer)+1); @@ -843,7 +842,7 @@ __mac_get_link(struct thread *td, struct __mac_get_link_args *uap) { char *elements, *buffer; struct nameidata nd; - struct label intlabel; + struct label *intlabel; struct mac mac; int error; @@ -870,12 +869,12 @@ __mac_get_link(struct thread *td, struct __mac_get_link_args *uap) if (error) goto out; - mac_init_vnode_label(&intlabel); - mac_copy_vnode_label(&nd.ni_vp->v_label, &intlabel); - error = mac_externalize_vnode_label(&intlabel, elements, buffer, + intlabel = mac_vnode_label_alloc(); + mac_copy_vnode_label(nd.ni_vp->v_label, intlabel); + error = mac_externalize_vnode_label(intlabel, elements, buffer, mac.m_buflen); NDFREE(&nd, 0); - mac_destroy_vnode_label(&intlabel); + mac_vnode_label_free(intlabel); if (error == 0) error = copyout(buffer, mac.m_string, strlen(buffer)+1); @@ -895,7 +894,7 @@ out: int __mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap) { - struct label intlabel; + struct label *intlabel; struct pipe *pipe; struct file *fp; struct mount *mp; @@ -928,40 +927,40 @@ __mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap) switch (fp->f_type) { case DTYPE_FIFO: case DTYPE_VNODE: - mac_init_vnode_label(&intlabel); - error = mac_internalize_vnode_label(&intlabel, buffer); + intlabel = mac_vnode_label_alloc(); + error = mac_internalize_vnode_label(intlabel, buffer); if (error) { - mac_destroy_vnode_label(&intlabel); + mac_vnode_label_free(intlabel); break; } vp = fp->f_vnode; error = vn_start_write(vp, &mp, V_WAIT | PCATCH); if (error != 0) { - mac_destroy_vnode_label(&intlabel); + mac_vnode_label_free(intlabel); break; } vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); - error = vn_setlabel(vp, &intlabel, td->td_ucred); + error = vn_setlabel(vp, intlabel, td->td_ucred); VOP_UNLOCK(vp, 0, td); vn_finished_write(mp); - mac_destroy_vnode_label(&intlabel); + mac_vnode_label_free(intlabel); break; case DTYPE_PIPE: - mac_init_pipe_label(&intlabel); - error = mac_internalize_pipe_label(&intlabel, buffer); + intlabel = mac_pipe_label_alloc(); + error = mac_internalize_pipe_label(intlabel, buffer); if (error == 0) { pipe = fp->f_data; PIPE_LOCK(pipe); error = mac_pipe_label_set(td->td_ucred, pipe, - &intlabel); + intlabel); PIPE_UNLOCK(pipe); } - mac_destroy_pipe_label(&intlabel); + mac_pipe_label_free(intlabel); break; default: @@ -983,7 +982,7 @@ out: int __mac_set_file(struct thread *td, struct __mac_set_file_args *uap) { - struct label intlabel; + struct label *intlabel; struct nameidata nd; struct mount *mp; struct mac mac; @@ -1005,13 +1004,11 @@ __mac_set_file(struct thread *td, struct __mac_set_file_args *uap) return (error); } - mac_init_vnode_label(&intlabel); - error = mac_internalize_vnode_label(&intlabel, buffer); + intlabel = mac_vnode_label_alloc(); + error = mac_internalize_vnode_label(intlabel, buffer); free(buffer, M_MACTEMP); - if (error) { - mac_destroy_vnode_label(&intlabel); - return (error); - } + if (error) + goto out; mtx_lock(&Giant); /* VFS */ @@ -1021,15 +1018,15 @@ __mac_set_file(struct thread *td, struct __mac_set_file_args *uap) if (error == 0) { error = vn_start_write(nd.ni_vp, &mp, V_WAIT | PCATCH); if (error == 0) - error = vn_setlabel(nd.ni_vp, &intlabel, + error = vn_setlabel(nd.ni_vp, intlabel, td->td_ucred); vn_finished_write(mp); } NDFREE(&nd, 0); mtx_unlock(&Giant); /* VFS */ - mac_destroy_vnode_label(&intlabel); - +out: + mac_vnode_label_free(intlabel); return (error); } @@ -1039,7 +1036,7 @@ __mac_set_file(struct thread *td, struct __mac_set_file_args *uap) int __mac_set_link(struct thread *td, struct __mac_set_link_args *uap) { - struct label intlabel; + struct label *intlabel; struct nameidata nd; struct mount *mp; struct mac mac; @@ -1061,13 +1058,11 @@ __mac_set_link(struct thread *td, struct __mac_set_link_args *uap) return (error); } - mac_init_vnode_label(&intlabel); - error = mac_internalize_vnode_label(&intlabel, buffer); + intlabel = mac_vnode_label_alloc(); + error = mac_internalize_vnode_label(intlabel, buffer); free(buffer, M_MACTEMP); - if (error) { - mac_destroy_vnode_label(&intlabel); - return (error); - } + if (error) + goto out; mtx_lock(&Giant); /* VFS */ @@ -1077,15 +1072,15 @@ __mac_set_link(struct thread *td, struct __mac_set_link_args *uap) if (error == 0) { error = vn_start_write(nd.ni_vp, &mp, V_WAIT | PCATCH); if (error == 0) - error = vn_setlabel(nd.ni_vp, &intlabel, + error = vn_setlabel(nd.ni_vp, intlabel, td->td_ucred); vn_finished_write(mp); } NDFREE(&nd, 0); mtx_unlock(&Giant); /* VFS */ - mac_destroy_vnode_label(&intlabel); - +out: + mac_vnode_label_free(intlabel); return (error); } diff --git a/sys/security/mac/mac_system.c b/sys/security/mac/mac_system.c index e5041a2..14755cf 100644 --- a/sys/security/mac/mac_system.c +++ b/sys/security/mac/mac_system.c @@ -120,7 +120,7 @@ mac_check_kld_load(struct ucred *cred, struct vnode *vp) if (!mac_enforce_kld) return (0); - MAC_CHECK(check_kld_load, cred, vp, &vp->v_label); + MAC_CHECK(check_kld_load, cred, vp, vp->v_label); return (error); } @@ -176,7 +176,7 @@ mac_check_system_acct(struct ucred *cred, struct vnode *vp) return (0); MAC_CHECK(check_system_acct, cred, vp, - vp != NULL ? &vp->v_label : NULL); + vp != NULL ? vp->v_label : NULL); return (error); } @@ -230,7 +230,7 @@ mac_check_system_swapon(struct ucred *cred, struct vnode *vp) if (!mac_enforce_system) return (0); - MAC_CHECK(check_system_swapon, cred, vp, &vp->v_label); + MAC_CHECK(check_system_swapon, cred, vp, vp->v_label); return (error); } @@ -244,7 +244,7 @@ mac_check_system_swapoff(struct ucred *cred, struct vnode *vp) if (!mac_enforce_system) return (0); - MAC_CHECK(check_system_swapoff, cred, vp, &vp->v_label); + MAC_CHECK(check_system_swapoff, cred, vp, vp->v_label); return (error); } diff --git a/sys/security/mac/mac_vfs.c b/sys/security/mac/mac_vfs.c index 08e78bb..8d475a5 100644 --- a/sys/security/mac/mac_vfs.c +++ b/sys/security/mac/mac_vfs.c @@ -100,68 +100,123 @@ SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, devfsdirents, CTLFLAG_RD, static int mac_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp, struct label *intlabel); -void -mac_init_devfsdirent(struct devfs_dirent *de) +static struct label * +mac_devfsdirent_label_alloc(void) { + struct label *label; - mac_init_label(&de->de_label); - MAC_PERFORM(init_devfsdirent_label, &de->de_label); + label = mac_labelzone_alloc(M_WAITOK); + MAC_PERFORM(init_devfsdirent_label, label); MAC_DEBUG_COUNTER_INC(&nmacdevfsdirents); + return (label); } void -mac_init_mount(struct mount *mp) +mac_init_devfsdirent(struct devfs_dirent *de) +{ + + de->de_label = mac_devfsdirent_label_alloc(); +} + +static struct label * +mac_mount_label_alloc(void) +{ + struct label *label; + + label = mac_labelzone_alloc(M_WAITOK); + MAC_PERFORM(init_mount_label, label); + MAC_DEBUG_COUNTER_INC(&nmacmounts); + return (label); +} + +static struct label * +mac_mount_fs_label_alloc(void) { + struct label *label; - mac_init_label(&mp->mnt_mntlabel); - mac_init_label(&mp->mnt_fslabel); - MAC_PERFORM(init_mount_label, &mp->mnt_mntlabel); - MAC_PERFORM(init_mount_fs_label, &mp->mnt_fslabel); + label = mac_labelzone_alloc(M_WAITOK); + MAC_PERFORM(init_mount_fs_label, label); MAC_DEBUG_COUNTER_INC(&nmacmounts); + return (label); } void -mac_init_vnode_label(struct label *label) +mac_init_mount(struct mount *mp) +{ + + mp->mnt_mntlabel = mac_mount_label_alloc(); + mp->mnt_fslabel = mac_mount_fs_label_alloc(); +} + +struct label * +mac_vnode_label_alloc(void) { + struct label *label; - mac_init_label(label); + label = mac_labelzone_alloc(M_WAITOK); MAC_PERFORM(init_vnode_label, label); MAC_DEBUG_COUNTER_INC(&nmacvnodes); + return (label); } void mac_init_vnode(struct vnode *vp) { - mac_init_vnode_label(&vp->v_label); + vp->v_label = mac_vnode_label_alloc(); +} + +static void +mac_devfsdirent_label_free(struct label *label) +{ + + MAC_PERFORM(destroy_devfsdirent_label, label); + mac_labelzone_free(label); + MAC_DEBUG_COUNTER_DEC(&nmacdevfsdirents); } void mac_destroy_devfsdirent(struct devfs_dirent *de) { - MAC_PERFORM(destroy_devfsdirent_label, &de->de_label); - mac_destroy_label(&de->de_label); - MAC_DEBUG_COUNTER_DEC(&nmacdevfsdirents); + mac_devfsdirent_label_free(de->de_label); + de->de_label = NULL; +} + +static void +mac_mount_label_free(struct label *label) +{ + + MAC_PERFORM(destroy_mount_label, label); + mac_labelzone_free(label); + MAC_DEBUG_COUNTER_DEC(&nmacmounts); +} + +static void +mac_mount_fs_label_free(struct label *label) +{ + + MAC_PERFORM(destroy_mount_fs_label, label); + mac_labelzone_free(label); + MAC_DEBUG_COUNTER_DEC(&nmacmounts); } void mac_destroy_mount(struct mount *mp) { - MAC_PERFORM(destroy_mount_label, &mp->mnt_mntlabel); - MAC_PERFORM(destroy_mount_fs_label, &mp->mnt_fslabel); - mac_destroy_label(&mp->mnt_fslabel); - mac_destroy_label(&mp->mnt_mntlabel); - MAC_DEBUG_COUNTER_DEC(&nmacmounts); + mac_mount_fs_label_free(mp->mnt_fslabel); + mp->mnt_fslabel = NULL; + mac_mount_label_free(mp->mnt_mntlabel); + mp->mnt_mntlabel = NULL; } void -mac_destroy_vnode_label(struct label *label) +mac_vnode_label_free(struct label *label) { MAC_PERFORM(destroy_vnode_label, label); - mac_destroy_label(label); + mac_labelzone_free(label); MAC_DEBUG_COUNTER_DEC(&nmacvnodes); } @@ -169,7 +224,8 @@ void mac_destroy_vnode(struct vnode *vp) { - mac_destroy_vnode_label(&vp->v_label); + mac_vnode_label_free(vp->v_label); + vp->v_label = NULL; } void @@ -205,8 +261,8 @@ mac_update_devfsdirent(struct mount *mp, struct devfs_dirent *de, struct vnode *vp) { - MAC_PERFORM(update_devfsdirent, mp, de, &de->de_label, vp, - &vp->v_label); + MAC_PERFORM(update_devfsdirent, mp, de, de->de_label, vp, + vp->v_label); } void @@ -214,8 +270,8 @@ mac_associate_vnode_devfs(struct mount *mp, struct devfs_dirent *de, struct vnode *vp) { - MAC_PERFORM(associate_vnode_devfs, mp, &mp->mnt_fslabel, de, - &de->de_label, vp, &vp->v_label); + MAC_PERFORM(associate_vnode_devfs, mp, mp->mnt_fslabel, de, + de->de_label, vp, vp->v_label); } int @@ -225,8 +281,8 @@ mac_associate_vnode_extattr(struct mount *mp, struct vnode *vp) ASSERT_VOP_LOCKED(vp, "mac_associate_vnode_extattr"); - MAC_CHECK(associate_vnode_extattr, mp, &mp->mnt_fslabel, vp, - &vp->v_label); + MAC_CHECK(associate_vnode_extattr, mp, mp->mnt_fslabel, vp, + vp->v_label); return (error); } @@ -235,8 +291,8 @@ void mac_associate_vnode_singlelabel(struct mount *mp, struct vnode *vp) { - MAC_PERFORM(associate_vnode_singlelabel, mp, &mp->mnt_fslabel, vp, - &vp->v_label); + MAC_PERFORM(associate_vnode_singlelabel, mp, mp->mnt_fslabel, vp, + vp->v_label); } int @@ -259,8 +315,8 @@ mac_create_vnode_extattr(struct ucred *cred, struct mount *mp, } else if (error) return (error); - MAC_CHECK(create_vnode_extattr, cred, mp, &mp->mnt_fslabel, - dvp, &dvp->v_label, vp, &vp->v_label, cnp); + MAC_CHECK(create_vnode_extattr, cred, mp, mp->mnt_fslabel, + dvp, dvp->v_label, vp, vp->v_label, cnp); if (error) { VOP_CLOSEEXTATTR(vp, 0, NOCRED, curthread); @@ -294,7 +350,7 @@ mac_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp, } else if (error) return (error); - MAC_CHECK(setlabel_vnode_extattr, cred, vp, &vp->v_label, intlabel); + MAC_CHECK(setlabel_vnode_extattr, cred, vp, vp->v_label, intlabel); if (error) { VOP_CLOSEEXTATTR(vp, 0, NOCRED, curthread); @@ -319,7 +375,7 @@ mac_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp, if (!mac_enforce_process && !mac_enforce_fs) return; - MAC_PERFORM(execve_transition, old, new, vp, &vp->v_label, + MAC_PERFORM(execve_transition, old, new, vp, vp->v_label, interpvnodelabel, imgp, imgp->execlabel); } @@ -335,7 +391,7 @@ mac_execve_will_transition(struct ucred *old, struct vnode *vp, return (0); result = 0; - MAC_BOOLEAN(execve_will_transition, ||, old, vp, &vp->v_label, + MAC_BOOLEAN(execve_will_transition, ||, old, vp, vp->v_label, interpvnodelabel, imgp, imgp->execlabel); return (result); @@ -351,7 +407,7 @@ mac_check_vnode_access(struct ucred *cred, struct vnode *vp, int acc_mode) if (!mac_enforce_fs) return (0); - MAC_CHECK(check_vnode_access, cred, vp, &vp->v_label, acc_mode); + MAC_CHECK(check_vnode_access, cred, vp, vp->v_label, acc_mode); return (error); } @@ -365,7 +421,7 @@ mac_check_vnode_chdir(struct ucred *cred, struct vnode *dvp) if (!mac_enforce_fs) return (0); - MAC_CHECK(check_vnode_chdir, cred, dvp, &dvp->v_label); + MAC_CHECK(check_vnode_chdir, cred, dvp, dvp->v_label); return (error); } @@ -379,7 +435,7 @@ mac_check_vnode_chroot(struct ucred *cred, struct vnode *dvp) if (!mac_enforce_fs) return (0); - MAC_CHECK(check_vnode_chroot, cred, dvp, &dvp->v_label); + MAC_CHECK(check_vnode_chroot, cred, dvp, dvp->v_label); return (error); } @@ -394,7 +450,7 @@ mac_check_vnode_create(struct ucred *cred, struct vnode *dvp, if (!mac_enforce_fs) return (0); - MAC_CHECK(check_vnode_create, cred, dvp, &dvp->v_label, cnp, vap); + MAC_CHECK(check_vnode_create, cred, dvp, dvp->v_label, cnp, vap); return (error); } @@ -410,8 +466,8 @@ mac_check_vnode_delete(struct ucred *cred, struct vnode *dvp, struct vnode *vp, if (!mac_enforce_fs) return (0); - MAC_CHECK(check_vnode_delete, cred, dvp, &dvp->v_label, vp, - &vp->v_label, cnp); + MAC_CHECK(check_vnode_delete, cred, dvp, dvp->v_label, vp, + vp->v_label, cnp); return (error); } @@ -426,7 +482,7 @@ mac_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp, if (!mac_enforce_fs) return (0); - MAC_CHECK(check_vnode_deleteacl, cred, vp, &vp->v_label, type); + MAC_CHECK(check_vnode_deleteacl, cred, vp, vp->v_label, type); return (error); } @@ -441,7 +497,7 @@ mac_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp, if (!mac_enforce_fs) return (0); - MAC_CHECK(check_vnode_deleteextattr, cred, vp, &vp->v_label, + MAC_CHECK(check_vnode_deleteextattr, cred, vp, vp->v_label, attrnamespace, name); return (error); } @@ -457,7 +513,7 @@ mac_check_vnode_exec(struct ucred *cred, struct vnode *vp, if (!mac_enforce_process && !mac_enforce_fs) return (0); - MAC_CHECK(check_vnode_exec, cred, vp, &vp->v_label, imgp, + MAC_CHECK(check_vnode_exec, cred, vp, vp->v_label, imgp, imgp->execlabel); return (error); @@ -473,7 +529,7 @@ mac_check_vnode_getacl(struct ucred *cred, struct vnode *vp, acl_type_t type) if (!mac_enforce_fs) return (0); - MAC_CHECK(check_vnode_getacl, cred, vp, &vp->v_label, type); + MAC_CHECK(check_vnode_getacl, cred, vp, vp->v_label, type); return (error); } @@ -488,7 +544,7 @@ mac_check_vnode_getextattr(struct ucred *cred, struct vnode *vp, if (!mac_enforce_fs) return (0); - MAC_CHECK(check_vnode_getextattr, cred, vp, &vp->v_label, + MAC_CHECK(check_vnode_getextattr, cred, vp, vp->v_label, attrnamespace, name, uio); return (error); } @@ -505,8 +561,8 @@ mac_check_vnode_link(struct ucred *cred, struct vnode *dvp, if (!mac_enforce_fs) return (0); - MAC_CHECK(check_vnode_link, cred, dvp, &dvp->v_label, vp, - &vp->v_label, cnp); + MAC_CHECK(check_vnode_link, cred, dvp, dvp->v_label, vp, + vp->v_label, cnp); return (error); } @@ -521,7 +577,7 @@ mac_check_vnode_listextattr(struct ucred *cred, struct vnode *vp, if (!mac_enforce_fs) return (0); - MAC_CHECK(check_vnode_listextattr, cred, vp, &vp->v_label, + MAC_CHECK(check_vnode_listextattr, cred, vp, vp->v_label, attrnamespace); return (error); } @@ -537,7 +593,7 @@ mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, if (!mac_enforce_fs) return (0); - MAC_CHECK(check_vnode_lookup, cred, dvp, &dvp->v_label, cnp); + MAC_CHECK(check_vnode_lookup, cred, dvp, dvp->v_label, cnp); return (error); } @@ -551,7 +607,7 @@ mac_check_vnode_mmap(struct ucred *cred, struct vnode *vp, int prot) if (!mac_enforce_fs || !mac_enforce_vm) return (0); - MAC_CHECK(check_vnode_mmap, cred, vp, &vp->v_label, prot); + MAC_CHECK(check_vnode_mmap, cred, vp, vp->v_label, prot); return (error); } @@ -565,7 +621,7 @@ mac_check_vnode_mmap_downgrade(struct ucred *cred, struct vnode *vp, int *prot) if (!mac_enforce_fs || !mac_enforce_vm) return; - MAC_PERFORM(check_vnode_mmap_downgrade, cred, vp, &vp->v_label, + MAC_PERFORM(check_vnode_mmap_downgrade, cred, vp, vp->v_label, &result); *prot = result; @@ -581,7 +637,7 @@ mac_check_vnode_mprotect(struct ucred *cred, struct vnode *vp, int prot) if (!mac_enforce_fs || !mac_enforce_vm) return (0); - MAC_CHECK(check_vnode_mprotect, cred, vp, &vp->v_label, prot); + MAC_CHECK(check_vnode_mprotect, cred, vp, vp->v_label, prot); return (error); } @@ -595,7 +651,7 @@ mac_check_vnode_open(struct ucred *cred, struct vnode *vp, int acc_mode) if (!mac_enforce_fs) return (0); - MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode); + MAC_CHECK(check_vnode_open, cred, vp, vp->v_label, acc_mode); return (error); } @@ -611,7 +667,7 @@ mac_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred, return (0); MAC_CHECK(check_vnode_poll, active_cred, file_cred, vp, - &vp->v_label); + vp->v_label); return (error); } @@ -628,7 +684,7 @@ mac_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred, return (0); MAC_CHECK(check_vnode_read, active_cred, file_cred, vp, - &vp->v_label); + vp->v_label); return (error); } @@ -643,7 +699,7 @@ mac_check_vnode_readdir(struct ucred *cred, struct vnode *dvp) if (!mac_enforce_fs) return (0); - MAC_CHECK(check_vnode_readdir, cred, dvp, &dvp->v_label); + MAC_CHECK(check_vnode_readdir, cred, dvp, dvp->v_label); return (error); } @@ -657,7 +713,7 @@ mac_check_vnode_readlink(struct ucred *cred, struct vnode *vp) if (!mac_enforce_fs) return (0); - MAC_CHECK(check_vnode_readlink, cred, vp, &vp->v_label); + MAC_CHECK(check_vnode_readlink, cred, vp, vp->v_label); return (error); } @@ -669,7 +725,7 @@ mac_check_vnode_relabel(struct ucred *cred, struct vnode *vp, ASSERT_VOP_LOCKED(vp, "mac_check_vnode_relabel"); - MAC_CHECK(check_vnode_relabel, cred, vp, &vp->v_label, newlabel); + MAC_CHECK(check_vnode_relabel, cred, vp, vp->v_label, newlabel); return (error); } @@ -686,8 +742,8 @@ mac_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp, if (!mac_enforce_fs) return (0); - MAC_CHECK(check_vnode_rename_from, cred, dvp, &dvp->v_label, vp, - &vp->v_label, cnp); + MAC_CHECK(check_vnode_rename_from, cred, dvp, dvp->v_label, vp, + vp->v_label, cnp); return (error); } @@ -703,8 +759,8 @@ mac_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp, if (!mac_enforce_fs) return (0); - MAC_CHECK(check_vnode_rename_to, cred, dvp, &dvp->v_label, vp, - vp != NULL ? &vp->v_label : NULL, samedir, cnp); + MAC_CHECK(check_vnode_rename_to, cred, dvp, dvp->v_label, vp, + vp != NULL ? vp->v_label : NULL, samedir, cnp); return (error); } @@ -718,7 +774,7 @@ mac_check_vnode_revoke(struct ucred *cred, struct vnode *vp) if (!mac_enforce_fs) return (0); - MAC_CHECK(check_vnode_revoke, cred, vp, &vp->v_label); + MAC_CHECK(check_vnode_revoke, cred, vp, vp->v_label); return (error); } @@ -733,7 +789,7 @@ mac_check_vnode_setacl(struct ucred *cred, struct vnode *vp, acl_type_t type, if (!mac_enforce_fs) return (0); - MAC_CHECK(check_vnode_setacl, cred, vp, &vp->v_label, type, acl); + MAC_CHECK(check_vnode_setacl, cred, vp, vp->v_label, type, acl); return (error); } @@ -748,7 +804,7 @@ mac_check_vnode_setextattr(struct ucred *cred, struct vnode *vp, if (!mac_enforce_fs) return (0); - MAC_CHECK(check_vnode_setextattr, cred, vp, &vp->v_label, + MAC_CHECK(check_vnode_setextattr, cred, vp, vp->v_label, attrnamespace, name, uio); return (error); } @@ -763,7 +819,7 @@ mac_check_vnode_setflags(struct ucred *cred, struct vnode *vp, u_long flags) if (!mac_enforce_fs) return (0); - MAC_CHECK(check_vnode_setflags, cred, vp, &vp->v_label, flags); + MAC_CHECK(check_vnode_setflags, cred, vp, vp->v_label, flags); return (error); } @@ -777,7 +833,7 @@ mac_check_vnode_setmode(struct ucred *cred, struct vnode *vp, mode_t mode) if (!mac_enforce_fs) return (0); - MAC_CHECK(check_vnode_setmode, cred, vp, &vp->v_label, mode); + MAC_CHECK(check_vnode_setmode, cred, vp, vp->v_label, mode); return (error); } @@ -792,7 +848,7 @@ mac_check_vnode_setowner(struct ucred *cred, struct vnode *vp, uid_t uid, if (!mac_enforce_fs) return (0); - MAC_CHECK(check_vnode_setowner, cred, vp, &vp->v_label, uid, gid); + MAC_CHECK(check_vnode_setowner, cred, vp, vp->v_label, uid, gid); return (error); } @@ -807,7 +863,7 @@ mac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp, if (!mac_enforce_fs) return (0); - MAC_CHECK(check_vnode_setutimes, cred, vp, &vp->v_label, atime, + MAC_CHECK(check_vnode_setutimes, cred, vp, vp->v_label, atime, mtime); return (error); } @@ -824,7 +880,7 @@ mac_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred, return (0); MAC_CHECK(check_vnode_stat, active_cred, file_cred, vp, - &vp->v_label); + vp->v_label); return (error); } @@ -840,7 +896,7 @@ mac_check_vnode_write(struct ucred *active_cred, struct ucred *file_cred, return (0); MAC_CHECK(check_vnode_write, active_cred, file_cred, vp, - &vp->v_label); + vp->v_label); return (error); } @@ -849,23 +905,23 @@ void mac_relabel_vnode(struct ucred *cred, struct vnode *vp, struct label *newlabel) { - MAC_PERFORM(relabel_vnode, cred, vp, &vp->v_label, newlabel); + MAC_PERFORM(relabel_vnode, cred, vp, vp->v_label, newlabel); } void mac_create_mount(struct ucred *cred, struct mount *mp) { - MAC_PERFORM(create_mount, cred, mp, &mp->mnt_mntlabel, - &mp->mnt_fslabel); + MAC_PERFORM(create_mount, cred, mp, mp->mnt_mntlabel, + mp->mnt_fslabel); } void mac_create_root_mount(struct ucred *cred, struct mount *mp) { - MAC_PERFORM(create_root_mount, cred, mp, &mp->mnt_mntlabel, - &mp->mnt_fslabel); + MAC_PERFORM(create_root_mount, cred, mp, mp->mnt_mntlabel, + mp->mnt_fslabel); } int @@ -876,7 +932,7 @@ mac_check_mount_stat(struct ucred *cred, struct mount *mount) if (!mac_enforce_fs) return (0); - MAC_CHECK(check_mount_stat, cred, mount, &mount->mnt_mntlabel); + MAC_CHECK(check_mount_stat, cred, mount, mount->mnt_mntlabel); return (error); } @@ -885,7 +941,7 @@ void mac_create_devfs_device(struct mount *mp, dev_t dev, struct devfs_dirent *de) { - MAC_PERFORM(create_devfs_device, mp, dev, de, &de->de_label); + MAC_PERFORM(create_devfs_device, mp, dev, de, de->de_label); } void @@ -893,8 +949,8 @@ mac_create_devfs_symlink(struct ucred *cred, struct mount *mp, struct devfs_dirent *dd, struct devfs_dirent *de) { - MAC_PERFORM(create_devfs_symlink, cred, mp, dd, &dd->de_label, de, - &de->de_label); + MAC_PERFORM(create_devfs_symlink, cred, mp, dd, dd->de_label, de, + de->de_label); } void @@ -903,7 +959,7 @@ mac_create_devfs_directory(struct mount *mp, char *dirname, int dirnamelen, { MAC_PERFORM(create_devfs_directory, mp, dirname, dirnamelen, de, - &de->de_label); + de->de_label); } /* diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c index d825842..7689583 100644 --- a/sys/security/mac_biba/mac_biba.c +++ b/sys/security/mac_biba/mac_biba.c @@ -811,11 +811,11 @@ mac_biba_create_devfs_directory(struct mount *mp, char *dirname, static void mac_biba_create_devfs_symlink(struct ucred *cred, struct mount *mp, struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de, - struct label *delabel) + struct label *delabel, const char *fullpath) { struct mac_biba *source, *dest; - source = SLOT(&cred->cr_label); + source = SLOT(cred->cr_label); dest = SLOT(delabel); mac_biba_copy_single(source, dest); @@ -827,7 +827,7 @@ mac_biba_create_mount(struct ucred *cred, struct mount *mp, { struct mac_biba *source, *dest; - source = SLOT(&cred->cr_label); + source = SLOT(cred->cr_label); dest = SLOT(mntlabel); mac_biba_copy_single(source, dest); dest = SLOT(fslabel); @@ -949,7 +949,7 @@ mac_biba_create_vnode_extattr(struct ucred *cred, struct mount *mp, buflen = sizeof(temp); bzero(&temp, buflen); - source = SLOT(&cred->cr_label); + source = SLOT(cred->cr_label); dest = SLOT(vlabel); mac_biba_copy_single(source, &temp); @@ -1003,7 +1003,7 @@ mac_biba_create_socket(struct ucred *cred, struct socket *socket, { struct mac_biba *source, *dest; - source = SLOT(&cred->cr_label); + source = SLOT(cred->cr_label); dest = SLOT(socketlabel); mac_biba_copy_single(source, dest); @@ -1015,7 +1015,7 @@ mac_biba_create_pipe(struct ucred *cred, struct pipe *pipe, { struct mac_biba *source, *dest; - source = SLOT(&cred->cr_label); + source = SLOT(cred->cr_label); dest = SLOT(pipelabel); mac_biba_copy_single(source, dest); @@ -1092,7 +1092,7 @@ mac_biba_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d, { struct mac_biba *source, *dest; - source = SLOT(&cred->cr_label); + source = SLOT(cred->cr_label); dest = SLOT(bpflabel); mac_biba_copy_single(source, dest); @@ -1313,8 +1313,8 @@ mac_biba_create_cred(struct ucred *cred_parent, struct ucred *cred_child) { struct mac_biba *source, *dest; - source = SLOT(&cred_parent->cr_label); - dest = SLOT(&cred_child->cr_label); + source = SLOT(cred_parent->cr_label); + dest = SLOT(cred_child->cr_label); mac_biba_copy_single(source, dest); mac_biba_copy_range(source, dest); @@ -1325,7 +1325,7 @@ mac_biba_create_proc0(struct ucred *cred) { struct mac_biba *dest; - dest = SLOT(&cred->cr_label); + dest = SLOT(cred->cr_label); mac_biba_set_single(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL); mac_biba_set_range(dest, MAC_BIBA_TYPE_LOW, 0, NULL, @@ -1337,7 +1337,7 @@ mac_biba_create_proc1(struct ucred *cred) { struct mac_biba *dest; - dest = SLOT(&cred->cr_label); + dest = SLOT(cred->cr_label); mac_biba_set_single(dest, MAC_BIBA_TYPE_HIGH, 0, NULL); mac_biba_set_range(dest, MAC_BIBA_TYPE_LOW, 0, NULL, @@ -1350,7 +1350,7 @@ mac_biba_relabel_cred(struct ucred *cred, struct label *newlabel) struct mac_biba *source, *dest; source = SLOT(newlabel); - dest = SLOT(&cred->cr_label); + dest = SLOT(cred->cr_label); mac_biba_copy(source, dest); } @@ -1381,7 +1381,7 @@ mac_biba_check_cred_relabel(struct ucred *cred, struct label *newlabel) struct mac_biba *subj, *new; int error; - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); new = SLOT(newlabel); /* @@ -1445,8 +1445,8 @@ mac_biba_check_cred_visible(struct ucred *u1, struct ucred *u2) if (!mac_biba_enabled) return (0); - subj = SLOT(&u1->cr_label); - obj = SLOT(&u2->cr_label); + subj = SLOT(u1->cr_label); + obj = SLOT(u2->cr_label); /* XXX: range */ if (!mac_biba_dominate_single(obj, subj)) @@ -1462,7 +1462,7 @@ mac_biba_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet, struct mac_biba *subj, *new; int error; - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); new = SLOT(newlabel); /* @@ -1508,7 +1508,7 @@ mac_biba_check_kld_load(struct ucred *cred, struct vnode *vp, if (!mac_biba_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); error = mac_biba_subject_privileged(subj); if (error) @@ -1530,7 +1530,7 @@ mac_biba_check_kld_unload(struct ucred *cred) if (!mac_biba_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); return (mac_biba_subject_privileged(subj)); } @@ -1544,7 +1544,7 @@ mac_biba_check_mount_stat(struct ucred *cred, struct mount *mp, if (!mac_biba_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(mntlabel); if (!mac_biba_dominate_single(obj, subj)) @@ -1575,7 +1575,7 @@ mac_biba_check_pipe_poll(struct ucred *cred, struct pipe *pipe, if (!mac_biba_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT((pipelabel)); if (!mac_biba_dominate_single(obj, subj)) @@ -1593,7 +1593,7 @@ mac_biba_check_pipe_read(struct ucred *cred, struct pipe *pipe, if (!mac_biba_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT((pipelabel)); if (!mac_biba_dominate_single(obj, subj)) @@ -1610,7 +1610,7 @@ mac_biba_check_pipe_relabel(struct ucred *cred, struct pipe *pipe, int error; new = SLOT(newlabel); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(pipelabel); /* @@ -1662,7 +1662,7 @@ mac_biba_check_pipe_stat(struct ucred *cred, struct pipe *pipe, if (!mac_biba_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT((pipelabel)); if (!mac_biba_dominate_single(obj, subj)) @@ -1680,7 +1680,7 @@ mac_biba_check_pipe_write(struct ucred *cred, struct pipe *pipe, if (!mac_biba_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT((pipelabel)); if (!mac_biba_dominate_single(subj, obj)) @@ -1697,8 +1697,8 @@ mac_biba_check_proc_debug(struct ucred *cred, struct proc *proc) if (!mac_biba_enabled) return (0); - subj = SLOT(&cred->cr_label); - obj = SLOT(&proc->p_ucred->cr_label); + subj = SLOT(cred->cr_label); + obj = SLOT(proc->p_ucred->cr_label); /* XXX: range checks */ if (!mac_biba_dominate_single(obj, subj)) @@ -1717,8 +1717,8 @@ mac_biba_check_proc_sched(struct ucred *cred, struct proc *proc) if (!mac_biba_enabled) return (0); - subj = SLOT(&cred->cr_label); - obj = SLOT(&proc->p_ucred->cr_label); + subj = SLOT(cred->cr_label); + obj = SLOT(proc->p_ucred->cr_label); /* XXX: range checks */ if (!mac_biba_dominate_single(obj, subj)) @@ -1737,8 +1737,8 @@ mac_biba_check_proc_signal(struct ucred *cred, struct proc *proc, int signum) if (!mac_biba_enabled) return (0); - subj = SLOT(&cred->cr_label); - obj = SLOT(&proc->p_ucred->cr_label); + subj = SLOT(cred->cr_label); + obj = SLOT(proc->p_ucred->cr_label); /* XXX: range checks */ if (!mac_biba_dominate_single(obj, subj)) @@ -1772,7 +1772,7 @@ mac_biba_check_socket_relabel(struct ucred *cred, struct socket *so, int error; new = SLOT(newlabel); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(socketlabel); /* @@ -1824,7 +1824,7 @@ mac_biba_check_socket_visible(struct ucred *cred, struct socket *socket, if (!mac_biba_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(socketlabel); if (!mac_biba_dominate_single(obj, subj)) @@ -1842,7 +1842,7 @@ mac_biba_check_sysarch_ioperm(struct ucred *cred) if (!mac_biba_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); error = mac_biba_subject_privileged(subj); if (error) @@ -1861,7 +1861,7 @@ mac_biba_check_system_acct(struct ucred *cred, struct vnode *vp, if (!mac_biba_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); error = mac_biba_subject_privileged(subj); if (error) @@ -1886,7 +1886,7 @@ mac_biba_check_system_settime(struct ucred *cred) if (!mac_biba_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); error = mac_biba_subject_privileged(subj); if (error) @@ -1905,7 +1905,7 @@ mac_biba_check_system_swapon(struct ucred *cred, struct vnode *vp, if (!mac_biba_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(label); error = mac_biba_subject_privileged(subj); @@ -1928,7 +1928,7 @@ mac_biba_check_system_swapoff(struct ucred *cred, struct vnode *vp, if (!mac_biba_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(label); error = mac_biba_subject_privileged(subj); @@ -1948,7 +1948,7 @@ mac_biba_check_system_sysctl(struct ucred *cred, int *name, u_int namelen, if (!mac_biba_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); /* * In general, treat sysctl variables as biba/high, but also @@ -1981,7 +1981,7 @@ mac_biba_check_vnode_chdir(struct ucred *cred, struct vnode *dvp, if (!mac_biba_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(dlabel); if (!mac_biba_dominate_single(obj, subj)) @@ -1999,7 +1999,7 @@ mac_biba_check_vnode_chroot(struct ucred *cred, struct vnode *dvp, if (!mac_biba_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(dlabel); if (!mac_biba_dominate_single(obj, subj)) @@ -2017,7 +2017,7 @@ mac_biba_check_vnode_create(struct ucred *cred, struct vnode *dvp, if (!mac_biba_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(dlabel); if (!mac_biba_dominate_single(subj, obj)) @@ -2036,7 +2036,7 @@ mac_biba_check_vnode_delete(struct ucred *cred, struct vnode *dvp, if (!mac_biba_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(dlabel); if (!mac_biba_dominate_single(subj, obj)) @@ -2059,7 +2059,7 @@ mac_biba_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp, if (!mac_biba_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(label); if (!mac_biba_dominate_single(subj, obj)) @@ -2077,7 +2077,7 @@ mac_biba_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp, if (!mac_biba_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(label); if (!mac_biba_dominate_single(subj, obj)) @@ -2109,7 +2109,7 @@ mac_biba_check_vnode_exec(struct ucred *cred, struct vnode *vp, if (!mac_biba_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(label); if (!mac_biba_dominate_single(obj, subj)) @@ -2127,7 +2127,7 @@ mac_biba_check_vnode_getacl(struct ucred *cred, struct vnode *vp, if (!mac_biba_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(label); if (!mac_biba_dominate_single(obj, subj)) @@ -2145,7 +2145,7 @@ mac_biba_check_vnode_getextattr(struct ucred *cred, struct vnode *vp, if (!mac_biba_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(label); if (!mac_biba_dominate_single(obj, subj)) @@ -2164,7 +2164,7 @@ mac_biba_check_vnode_link(struct ucred *cred, struct vnode *dvp, if (!mac_biba_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(dlabel); if (!mac_biba_dominate_single(subj, obj)) @@ -2187,7 +2187,7 @@ mac_biba_check_vnode_listextattr(struct ucred *cred, struct vnode *vp, if (!mac_biba_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(label); if (!mac_biba_dominate_single(obj, subj)) @@ -2205,7 +2205,7 @@ mac_biba_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, if (!mac_biba_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(dlabel); if (!mac_biba_dominate_single(obj, subj)) @@ -2227,7 +2227,7 @@ mac_biba_check_vnode_mmap(struct ucred *cred, struct vnode *vp, if (!mac_biba_enabled || !revocation_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(label); if (prot & (VM_PROT_READ | VM_PROT_EXECUTE)) { @@ -2251,7 +2251,7 @@ mac_biba_check_vnode_open(struct ucred *cred, struct vnode *vp, if (!mac_biba_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(vnodelabel); /* XXX privilege override for admin? */ @@ -2276,7 +2276,7 @@ mac_biba_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred, if (!mac_biba_enabled || !revocation_enabled) return (0); - subj = SLOT(&active_cred->cr_label); + subj = SLOT(active_cred->cr_label); obj = SLOT(label); if (!mac_biba_dominate_single(obj, subj)) @@ -2294,7 +2294,7 @@ mac_biba_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred, if (!mac_biba_enabled || !revocation_enabled) return (0); - subj = SLOT(&active_cred->cr_label); + subj = SLOT(active_cred->cr_label); obj = SLOT(label); if (!mac_biba_dominate_single(obj, subj)) @@ -2312,7 +2312,7 @@ mac_biba_check_vnode_readdir(struct ucred *cred, struct vnode *dvp, if (!mac_biba_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(dlabel); if (!mac_biba_dominate_single(obj, subj)) @@ -2330,7 +2330,7 @@ mac_biba_check_vnode_readlink(struct ucred *cred, struct vnode *vp, if (!mac_biba_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(label); if (!mac_biba_dominate_single(obj, subj)) @@ -2348,7 +2348,7 @@ mac_biba_check_vnode_relabel(struct ucred *cred, struct vnode *vp, old = SLOT(vnodelabel); new = SLOT(newlabel); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); /* * If there is a Biba label update for the vnode, it must be a @@ -2400,7 +2400,7 @@ mac_biba_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp, if (!mac_biba_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(dlabel); if (!mac_biba_dominate_single(subj, obj)) @@ -2424,7 +2424,7 @@ mac_biba_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp, if (!mac_biba_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(dlabel); if (!mac_biba_dominate_single(subj, obj)) @@ -2449,7 +2449,7 @@ mac_biba_check_vnode_revoke(struct ucred *cred, struct vnode *vp, if (!mac_biba_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(label); if (!mac_biba_dominate_single(subj, obj)) @@ -2467,7 +2467,7 @@ mac_biba_check_vnode_setacl(struct ucred *cred, struct vnode *vp, if (!mac_biba_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(label); if (!mac_biba_dominate_single(subj, obj)) @@ -2486,7 +2486,7 @@ mac_biba_check_vnode_setextattr(struct ucred *cred, struct vnode *vp, if (!mac_biba_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(vnodelabel); if (!mac_biba_dominate_single(subj, obj)) @@ -2506,7 +2506,7 @@ mac_biba_check_vnode_setflags(struct ucred *cred, struct vnode *vp, if (!mac_biba_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(vnodelabel); if (!mac_biba_dominate_single(subj, obj)) @@ -2524,7 +2524,7 @@ mac_biba_check_vnode_setmode(struct ucred *cred, struct vnode *vp, if (!mac_biba_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(vnodelabel); if (!mac_biba_dominate_single(subj, obj)) @@ -2542,7 +2542,7 @@ mac_biba_check_vnode_setowner(struct ucred *cred, struct vnode *vp, if (!mac_biba_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(vnodelabel); if (!mac_biba_dominate_single(subj, obj)) @@ -2560,7 +2560,7 @@ mac_biba_check_vnode_setutimes(struct ucred *cred, struct vnode *vp, if (!mac_biba_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(vnodelabel); if (!mac_biba_dominate_single(subj, obj)) @@ -2578,7 +2578,7 @@ mac_biba_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred, if (!mac_biba_enabled) return (0); - subj = SLOT(&active_cred->cr_label); + subj = SLOT(active_cred->cr_label); obj = SLOT(vnodelabel); if (!mac_biba_dominate_single(obj, subj)) @@ -2596,7 +2596,7 @@ mac_biba_check_vnode_write(struct ucred *active_cred, if (!mac_biba_enabled || !revocation_enabled) return (0); - subj = SLOT(&active_cred->cr_label); + subj = SLOT(active_cred->cr_label); obj = SLOT(label); if (!mac_biba_dominate_single(subj, obj)) diff --git a/sys/security/mac_lomac/mac_lomac.c b/sys/security/mac_lomac/mac_lomac.c index c6261bf..be13a47 100644 --- a/sys/security/mac_lomac/mac_lomac.c +++ b/sys/security/mac_lomac/mac_lomac.c @@ -499,7 +499,7 @@ maybe_demote(struct mac_lomac *subjlabel, struct mac_lomac *objlabel, struct proc *p; pid_t pgid; - subj = PSLOT(&curthread->td_proc->p_label); + subj = PSLOT(curthread->td_proc->p_label); p = curthread->td_proc; mtx_lock(&subj->mtx); @@ -941,7 +941,7 @@ mac_lomac_create_devfs_symlink(struct ucred *cred, struct mount *mp, { struct mac_lomac *source, *dest; - source = SLOT(&cred->cr_label); + source = SLOT(cred->cr_label); dest = SLOT(delabel); mac_lomac_copy_single(source, dest); @@ -953,7 +953,7 @@ mac_lomac_create_mount(struct ucred *cred, struct mount *mp, { struct mac_lomac *source, *dest; - source = SLOT(&cred->cr_label); + source = SLOT(cred->cr_label); dest = SLOT(mntlabel); mac_lomac_copy_single(source, dest); dest = SLOT(fslabel); @@ -1082,7 +1082,7 @@ mac_lomac_create_vnode_extattr(struct ucred *cred, struct mount *mp, buflen = sizeof(temp); bzero(&temp, buflen); - source = SLOT(&cred->cr_label); + source = SLOT(cred->cr_label); dest = SLOT(vlabel); dir = SLOT(dlabel); if (dir->ml_flags & MAC_LOMAC_FLAG_AUX) { @@ -1142,7 +1142,7 @@ mac_lomac_create_socket(struct ucred *cred, struct socket *socket, { struct mac_lomac *source, *dest; - source = SLOT(&cred->cr_label); + source = SLOT(cred->cr_label); dest = SLOT(socketlabel); mac_lomac_copy_single(source, dest); @@ -1154,7 +1154,7 @@ mac_lomac_create_pipe(struct ucred *cred, struct pipe *pipe, { struct mac_lomac *source, *dest; - source = SLOT(&cred->cr_label); + source = SLOT(cred->cr_label); dest = SLOT(pipelabel); mac_lomac_copy_single(source, dest); @@ -1231,7 +1231,7 @@ mac_lomac_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d, { struct mac_lomac *source, *dest; - source = SLOT(&cred->cr_label); + source = SLOT(cred->cr_label); dest = SLOT(bpflabel); mac_lomac_copy_single(source, dest); @@ -1453,8 +1453,8 @@ mac_lomac_create_cred(struct ucred *cred_parent, struct ucred *cred_child) { struct mac_lomac *source, *dest; - source = SLOT(&cred_parent->cr_label); - dest = SLOT(&cred_child->cr_label); + source = SLOT(cred_parent->cr_label); + dest = SLOT(cred_child->cr_label); mac_lomac_copy_single(source, dest); mac_lomac_copy_range(source, dest); @@ -1468,8 +1468,8 @@ mac_lomac_execve_transition(struct ucred *old, struct ucred *new, { struct mac_lomac *source, *dest, *obj, *robj; - source = SLOT(&old->cr_label); - dest = SLOT(&new->cr_label); + source = SLOT(old->cr_label); + dest = SLOT(new->cr_label); obj = SLOT(vnodelabel); robj = interpvnodelabel != NULL ? SLOT(interpvnodelabel) : obj; @@ -1507,7 +1507,7 @@ mac_lomac_execve_will_transition(struct ucred *old, struct vnode *vp, if (!mac_lomac_enabled || !revocation_enabled) return (0); - subj = SLOT(&old->cr_label); + subj = SLOT(old->cr_label); obj = SLOT(vnodelabel); robj = interpvnodelabel != NULL ? SLOT(interpvnodelabel) : obj; @@ -1522,7 +1522,7 @@ mac_lomac_create_proc0(struct ucred *cred) { struct mac_lomac *dest; - dest = SLOT(&cred->cr_label); + dest = SLOT(cred->cr_label); mac_lomac_set_single(dest, MAC_LOMAC_TYPE_EQUAL, 0); mac_lomac_set_range(dest, MAC_LOMAC_TYPE_LOW, 0, MAC_LOMAC_TYPE_HIGH, @@ -1534,7 +1534,7 @@ mac_lomac_create_proc1(struct ucred *cred) { struct mac_lomac *dest; - dest = SLOT(&cred->cr_label); + dest = SLOT(cred->cr_label); mac_lomac_set_single(dest, MAC_LOMAC_TYPE_HIGH, 0); mac_lomac_set_range(dest, MAC_LOMAC_TYPE_LOW, 0, MAC_LOMAC_TYPE_HIGH, @@ -1547,7 +1547,7 @@ mac_lomac_relabel_cred(struct ucred *cred, struct label *newlabel) struct mac_lomac *source, *dest; source = SLOT(newlabel); - dest = SLOT(&cred->cr_label); + dest = SLOT(cred->cr_label); try_relabel(source, dest); } @@ -1578,7 +1578,7 @@ mac_lomac_check_cred_relabel(struct ucred *cred, struct label *newlabel) struct mac_lomac *subj, *new; int error; - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); new = SLOT(newlabel); /* @@ -1646,8 +1646,8 @@ mac_lomac_check_cred_visible(struct ucred *u1, struct ucred *u2) if (!mac_lomac_enabled) return (0); - subj = SLOT(&u1->cr_label); - obj = SLOT(&u2->cr_label); + subj = SLOT(u1->cr_label); + obj = SLOT(u2->cr_label); /* XXX: range */ if (!mac_lomac_dominate_single(obj, subj)) @@ -1663,7 +1663,7 @@ mac_lomac_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet, struct mac_lomac *subj, *new; int error; - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); new = SLOT(newlabel); /* @@ -1735,7 +1735,7 @@ mac_lomac_check_kld_load(struct ucred *cred, struct vnode *vp, if (!mac_lomac_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(label); if (mac_lomac_subject_privileged(subj)) @@ -1755,7 +1755,7 @@ mac_lomac_check_kld_unload(struct ucred *cred) if (!mac_lomac_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); if (mac_lomac_subject_privileged(subj)) return (EPERM); @@ -1785,7 +1785,7 @@ mac_lomac_check_pipe_read(struct ucred *cred, struct pipe *pipe, if (!mac_lomac_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT((pipelabel)); if (!mac_lomac_dominate_single(obj, subj)) @@ -1802,7 +1802,7 @@ mac_lomac_check_pipe_relabel(struct ucred *cred, struct pipe *pipe, int error; new = SLOT(newlabel); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(pipelabel); /* @@ -1854,7 +1854,7 @@ mac_lomac_check_pipe_write(struct ucred *cred, struct pipe *pipe, if (!mac_lomac_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT((pipelabel)); if (!mac_lomac_subject_dominate(subj, obj)) @@ -1871,8 +1871,8 @@ mac_lomac_check_proc_debug(struct ucred *cred, struct proc *proc) if (!mac_lomac_enabled) return (0); - subj = SLOT(&cred->cr_label); - obj = SLOT(&proc->p_ucred->cr_label); + subj = SLOT(cred->cr_label); + obj = SLOT(proc->p_ucred->cr_label); /* XXX: range checks */ if (!mac_lomac_dominate_single(obj, subj)) @@ -1891,8 +1891,8 @@ mac_lomac_check_proc_sched(struct ucred *cred, struct proc *proc) if (!mac_lomac_enabled) return (0); - subj = SLOT(&cred->cr_label); - obj = SLOT(&proc->p_ucred->cr_label); + subj = SLOT(cred->cr_label); + obj = SLOT(proc->p_ucred->cr_label); /* XXX: range checks */ if (!mac_lomac_dominate_single(obj, subj)) @@ -1911,8 +1911,8 @@ mac_lomac_check_proc_signal(struct ucred *cred, struct proc *proc, int signum) if (!mac_lomac_enabled) return (0); - subj = SLOT(&cred->cr_label); - obj = SLOT(&proc->p_ucred->cr_label); + subj = SLOT(cred->cr_label); + obj = SLOT(proc->p_ucred->cr_label); /* XXX: range checks */ if (!mac_lomac_dominate_single(obj, subj)) @@ -1946,7 +1946,7 @@ mac_lomac_check_socket_relabel(struct ucred *cred, struct socket *socket, int error; new = SLOT(newlabel); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(socketlabel); /* @@ -1998,7 +1998,7 @@ mac_lomac_check_socket_visible(struct ucred *cred, struct socket *socket, if (!mac_lomac_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(socketlabel); if (!mac_lomac_dominate_single(obj, subj)) @@ -2016,7 +2016,7 @@ mac_lomac_check_system_swapon(struct ucred *cred, struct vnode *vp, if (!mac_lomac_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(label); if (mac_lomac_subject_privileged(subj)) @@ -2037,7 +2037,7 @@ mac_lomac_check_system_sysctl(struct ucred *cred, int *name, u_int namelen, if (!mac_lomac_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); /* * In general, treat sysctl variables as lomac/high, but also @@ -2071,7 +2071,7 @@ mac_lomac_check_vnode_create(struct ucred *cred, struct vnode *dvp, if (!mac_lomac_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(dlabel); if (!mac_lomac_subject_dominate(subj, obj)) @@ -2093,7 +2093,7 @@ mac_lomac_check_vnode_delete(struct ucred *cred, struct vnode *dvp, if (!mac_lomac_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(dlabel); if (!mac_lomac_subject_dominate(subj, obj)) @@ -2116,7 +2116,7 @@ mac_lomac_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp, if (!mac_lomac_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(label); if (!mac_lomac_subject_dominate(subj, obj)) @@ -2135,7 +2135,7 @@ mac_lomac_check_vnode_link(struct ucred *cred, struct vnode *dvp, if (!mac_lomac_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(dlabel); if (!mac_lomac_subject_dominate(subj, obj)) @@ -2162,7 +2162,7 @@ mac_lomac_check_vnode_mmap(struct ucred *cred, struct vnode *vp, if (!mac_lomac_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(label); if (prot & VM_PROT_WRITE) { @@ -2190,7 +2190,7 @@ mac_lomac_check_vnode_mprotect(struct ucred *cred, struct vnode *vp, if (!mac_lomac_enabled || !revocation_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(label); if (prot & VM_PROT_WRITE) { @@ -2218,7 +2218,7 @@ mac_lomac_check_vnode_mmap_downgrade(struct ucred *cred, struct vnode *vp, if (!mac_lomac_enabled || !revocation_enabled) return; - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(label); if (!mac_lomac_subject_dominate(subj, obj)) @@ -2234,7 +2234,7 @@ mac_lomac_check_vnode_open(struct ucred *cred, struct vnode *vp, if (!mac_lomac_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(vnodelabel); /* XXX privilege override for admin? */ @@ -2255,7 +2255,7 @@ mac_lomac_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred, if (!mac_lomac_enabled || !revocation_enabled) return (0); - subj = SLOT(&active_cred->cr_label); + subj = SLOT(active_cred->cr_label); obj = SLOT(label); if (!mac_lomac_dominate_single(obj, subj)) @@ -2273,7 +2273,7 @@ mac_lomac_check_vnode_relabel(struct ucred *cred, struct vnode *vp, old = SLOT(vnodelabel); new = SLOT(newlabel); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); /* * If there is a LOMAC label update for the vnode, it must be a @@ -2350,7 +2350,7 @@ mac_lomac_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp, if (!mac_lomac_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(dlabel); if (!mac_lomac_subject_dominate(subj, obj)) @@ -2374,7 +2374,7 @@ mac_lomac_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp, if (!mac_lomac_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(dlabel); if (!mac_lomac_subject_dominate(subj, obj)) @@ -2399,7 +2399,7 @@ mac_lomac_check_vnode_revoke(struct ucred *cred, struct vnode *vp, if (!mac_lomac_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(label); if (!mac_lomac_subject_dominate(subj, obj)) @@ -2417,7 +2417,7 @@ mac_lomac_check_vnode_setacl(struct ucred *cred, struct vnode *vp, if (!mac_lomac_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(label); if (!mac_lomac_subject_dominate(subj, obj)) @@ -2436,7 +2436,7 @@ mac_lomac_check_vnode_setextattr(struct ucred *cred, struct vnode *vp, if (!mac_lomac_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(vnodelabel); if (!mac_lomac_subject_dominate(subj, obj)) @@ -2456,7 +2456,7 @@ mac_lomac_check_vnode_setflags(struct ucred *cred, struct vnode *vp, if (!mac_lomac_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(vnodelabel); if (!mac_lomac_subject_dominate(subj, obj)) @@ -2474,7 +2474,7 @@ mac_lomac_check_vnode_setmode(struct ucred *cred, struct vnode *vp, if (!mac_lomac_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(vnodelabel); if (!mac_lomac_subject_dominate(subj, obj)) @@ -2492,7 +2492,7 @@ mac_lomac_check_vnode_setowner(struct ucred *cred, struct vnode *vp, if (!mac_lomac_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(vnodelabel); if (!mac_lomac_subject_dominate(subj, obj)) @@ -2510,7 +2510,7 @@ mac_lomac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp, if (!mac_lomac_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(vnodelabel); if (!mac_lomac_subject_dominate(subj, obj)) @@ -2528,7 +2528,7 @@ mac_lomac_check_vnode_write(struct ucred *active_cred, if (!mac_lomac_enabled || !revocation_enabled) return (0); - subj = SLOT(&active_cred->cr_label); + subj = SLOT(active_cred->cr_label); obj = SLOT(label); if (!mac_lomac_subject_dominate(subj, obj)) @@ -2541,7 +2541,7 @@ static void mac_lomac_thread_userret(struct thread *td) { struct proc *p = td->td_proc; - struct mac_lomac_proc *subj = PSLOT(&p->p_label); + struct mac_lomac_proc *subj = PSLOT(p->p_label); struct ucred *newcred, *oldcred; int dodrop; @@ -2568,7 +2568,7 @@ mac_lomac_thread_userret(struct thread *td) oldcred = p->p_ucred; crcopy(newcred, oldcred); crhold(newcred); - mac_lomac_copy(&subj->mac_lomac, SLOT(&newcred->cr_label)); + mac_lomac_copy(&subj->mac_lomac, SLOT(newcred->cr_label)); p->p_ucred = newcred; crfree(oldcred); dodrop = 1; diff --git a/sys/security/mac_mls/mac_mls.c b/sys/security/mac_mls/mac_mls.c index eb3c320..69bd374 100644 --- a/sys/security/mac_mls/mac_mls.c +++ b/sys/security/mac_mls/mac_mls.c @@ -781,11 +781,11 @@ mac_mls_create_devfs_directory(struct mount *mp, char *dirname, static void mac_mls_create_devfs_symlink(struct ucred *cred, struct mount *mp, struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de, - struct label *delabel) + struct label *delabel, const char *fullpath) { struct mac_mls *source, *dest; - source = SLOT(&cred->cr_label); + source = SLOT(cred->cr_label); dest = SLOT(delabel); mac_mls_copy_single(source, dest); @@ -797,7 +797,7 @@ mac_mls_create_mount(struct ucred *cred, struct mount *mp, { struct mac_mls *source, *dest; - source = SLOT(&cred->cr_label); + source = SLOT(cred->cr_label); dest = SLOT(mntlabel); mac_mls_copy_single(source, dest); dest = SLOT(fslabel); @@ -919,7 +919,7 @@ mac_mls_create_vnode_extattr(struct ucred *cred, struct mount *mp, buflen = sizeof(temp); bzero(&temp, buflen); - source = SLOT(&cred->cr_label); + source = SLOT(cred->cr_label); dest = SLOT(vlabel); mac_mls_copy_single(source, &temp); @@ -973,7 +973,7 @@ mac_mls_create_socket(struct ucred *cred, struct socket *socket, { struct mac_mls *source, *dest; - source = SLOT(&cred->cr_label); + source = SLOT(cred->cr_label); dest = SLOT(socketlabel); mac_mls_copy_single(source, dest); @@ -985,7 +985,7 @@ mac_mls_create_pipe(struct ucred *cred, struct pipe *pipe, { struct mac_mls *source, *dest; - source = SLOT(&cred->cr_label); + source = SLOT(cred->cr_label); dest = SLOT(pipelabel); mac_mls_copy_single(source, dest); @@ -1062,7 +1062,7 @@ mac_mls_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d, { struct mac_mls *source, *dest; - source = SLOT(&cred->cr_label); + source = SLOT(cred->cr_label); dest = SLOT(bpflabel); mac_mls_copy_single(source, dest); @@ -1243,8 +1243,8 @@ mac_mls_create_cred(struct ucred *cred_parent, struct ucred *cred_child) { struct mac_mls *source, *dest; - source = SLOT(&cred_parent->cr_label); - dest = SLOT(&cred_child->cr_label); + source = SLOT(cred_parent->cr_label); + dest = SLOT(cred_child->cr_label); mac_mls_copy_single(source, dest); mac_mls_copy_range(source, dest); @@ -1255,7 +1255,7 @@ mac_mls_create_proc0(struct ucred *cred) { struct mac_mls *dest; - dest = SLOT(&cred->cr_label); + dest = SLOT(cred->cr_label); mac_mls_set_single(dest, MAC_MLS_TYPE_EQUAL, 0, NULL); mac_mls_set_range(dest, MAC_MLS_TYPE_LOW, 0, NULL, MAC_MLS_TYPE_HIGH, @@ -1267,7 +1267,7 @@ mac_mls_create_proc1(struct ucred *cred) { struct mac_mls *dest; - dest = SLOT(&cred->cr_label); + dest = SLOT(cred->cr_label); mac_mls_set_single(dest, MAC_MLS_TYPE_LOW, 0, NULL); mac_mls_set_range(dest, MAC_MLS_TYPE_LOW, 0, NULL, MAC_MLS_TYPE_HIGH, @@ -1280,7 +1280,7 @@ mac_mls_relabel_cred(struct ucred *cred, struct label *newlabel) struct mac_mls *source, *dest; source = SLOT(newlabel); - dest = SLOT(&cred->cr_label); + dest = SLOT(cred->cr_label); mac_mls_copy(source, dest); } @@ -1311,7 +1311,7 @@ mac_mls_check_cred_relabel(struct ucred *cred, struct label *newlabel) struct mac_mls *subj, *new; int error; - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); new = SLOT(newlabel); /* @@ -1375,8 +1375,8 @@ mac_mls_check_cred_visible(struct ucred *u1, struct ucred *u2) if (!mac_mls_enabled) return (0); - subj = SLOT(&u1->cr_label); - obj = SLOT(&u2->cr_label); + subj = SLOT(u1->cr_label); + obj = SLOT(u2->cr_label); /* XXX: range */ if (!mac_mls_dominate_single(subj, obj)) @@ -1392,7 +1392,7 @@ mac_mls_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet, struct mac_mls *subj, *new; int error; - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); new = SLOT(newlabel); /* @@ -1435,7 +1435,7 @@ mac_mls_check_mount_stat(struct ucred *cred, struct mount *mp, if (!mac_mls_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(mntlabel); if (!mac_mls_dominate_single(subj, obj)) @@ -1466,7 +1466,7 @@ mac_mls_check_pipe_poll(struct ucred *cred, struct pipe *pipe, if (!mac_mls_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT((pipelabel)); if (!mac_mls_dominate_single(subj, obj)) @@ -1484,7 +1484,7 @@ mac_mls_check_pipe_read(struct ucred *cred, struct pipe *pipe, if (!mac_mls_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT((pipelabel)); if (!mac_mls_dominate_single(subj, obj)) @@ -1501,7 +1501,7 @@ mac_mls_check_pipe_relabel(struct ucred *cred, struct pipe *pipe, int error; new = SLOT(newlabel); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(pipelabel); /* @@ -1553,7 +1553,7 @@ mac_mls_check_pipe_stat(struct ucred *cred, struct pipe *pipe, if (!mac_mls_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT((pipelabel)); if (!mac_mls_dominate_single(subj, obj)) @@ -1571,7 +1571,7 @@ mac_mls_check_pipe_write(struct ucred *cred, struct pipe *pipe, if (!mac_mls_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT((pipelabel)); if (!mac_mls_dominate_single(obj, subj)) @@ -1588,8 +1588,8 @@ mac_mls_check_proc_debug(struct ucred *cred, struct proc *proc) if (!mac_mls_enabled) return (0); - subj = SLOT(&cred->cr_label); - obj = SLOT(&proc->p_ucred->cr_label); + subj = SLOT(cred->cr_label); + obj = SLOT(proc->p_ucred->cr_label); /* XXX: range checks */ if (!mac_mls_dominate_single(subj, obj)) @@ -1608,8 +1608,8 @@ mac_mls_check_proc_sched(struct ucred *cred, struct proc *proc) if (!mac_mls_enabled) return (0); - subj = SLOT(&cred->cr_label); - obj = SLOT(&proc->p_ucred->cr_label); + subj = SLOT(cred->cr_label); + obj = SLOT(proc->p_ucred->cr_label); /* XXX: range checks */ if (!mac_mls_dominate_single(subj, obj)) @@ -1628,8 +1628,8 @@ mac_mls_check_proc_signal(struct ucred *cred, struct proc *proc, int signum) if (!mac_mls_enabled) return (0); - subj = SLOT(&cred->cr_label); - obj = SLOT(&proc->p_ucred->cr_label); + subj = SLOT(cred->cr_label); + obj = SLOT(proc->p_ucred->cr_label); /* XXX: range checks */ if (!mac_mls_dominate_single(subj, obj)) @@ -1663,7 +1663,7 @@ mac_mls_check_socket_relabel(struct ucred *cred, struct socket *socket, int error; new = SLOT(newlabel); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(socketlabel); /* @@ -1715,7 +1715,7 @@ mac_mls_check_socket_visible(struct ucred *cred, struct socket *socket, if (!mac_mls_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(socketlabel); if (!mac_mls_dominate_single(subj, obj)) @@ -1733,7 +1733,7 @@ mac_mls_check_system_swapon(struct ucred *cred, struct vnode *vp, if (!mac_mls_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(label); if (!mac_mls_dominate_single(obj, subj) || @@ -1752,7 +1752,7 @@ mac_mls_check_vnode_chdir(struct ucred *cred, struct vnode *dvp, if (!mac_mls_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(dlabel); if (!mac_mls_dominate_single(subj, obj)) @@ -1770,7 +1770,7 @@ mac_mls_check_vnode_chroot(struct ucred *cred, struct vnode *dvp, if (!mac_mls_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(dlabel); if (!mac_mls_dominate_single(subj, obj)) @@ -1788,7 +1788,7 @@ mac_mls_check_vnode_create(struct ucred *cred, struct vnode *dvp, if (!mac_mls_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(dlabel); if (!mac_mls_dominate_single(obj, subj)) @@ -1807,7 +1807,7 @@ mac_mls_check_vnode_delete(struct ucred *cred, struct vnode *dvp, if (!mac_mls_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(dlabel); if (!mac_mls_dominate_single(obj, subj)) @@ -1830,7 +1830,7 @@ mac_mls_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp, if (!mac_mls_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(label); if (!mac_mls_dominate_single(obj, subj)) @@ -1848,7 +1848,7 @@ mac_mls_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp, if (!mac_mls_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(label); if (!mac_mls_dominate_single(obj, subj)) @@ -1880,7 +1880,7 @@ mac_mls_check_vnode_exec(struct ucred *cred, struct vnode *vp, if (!mac_mls_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(label); if (!mac_mls_dominate_single(subj, obj)) @@ -1898,7 +1898,7 @@ mac_mls_check_vnode_getacl(struct ucred *cred, struct vnode *vp, if (!mac_mls_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(label); if (!mac_mls_dominate_single(subj, obj)) @@ -1916,7 +1916,7 @@ mac_mls_check_vnode_getextattr(struct ucred *cred, struct vnode *vp, if (!mac_mls_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(label); if (!mac_mls_dominate_single(subj, obj)) @@ -1935,7 +1935,7 @@ mac_mls_check_vnode_link(struct ucred *cred, struct vnode *dvp, if (!mac_mls_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(dlabel); if (!mac_mls_dominate_single(obj, subj)) @@ -1958,7 +1958,7 @@ mac_mls_check_vnode_listextattr(struct ucred *cred, struct vnode *vp, if (!mac_mls_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(label); if (!mac_mls_dominate_single(subj, obj)) @@ -1976,7 +1976,7 @@ mac_mls_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, if (!mac_mls_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(dlabel); if (!mac_mls_dominate_single(subj, obj)) @@ -1998,7 +1998,7 @@ mac_mls_check_vnode_mmap(struct ucred *cred, struct vnode *vp, if (!mac_mls_enabled || !revocation_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(label); if (prot & (VM_PROT_READ | VM_PROT_EXECUTE)) { @@ -2022,7 +2022,7 @@ mac_mls_check_vnode_open(struct ucred *cred, struct vnode *vp, if (!mac_mls_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(vnodelabel); /* XXX privilege override for admin? */ @@ -2047,7 +2047,7 @@ mac_mls_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred, if (!mac_mls_enabled || !revocation_enabled) return (0); - subj = SLOT(&active_cred->cr_label); + subj = SLOT(active_cred->cr_label); obj = SLOT(label); if (!mac_mls_dominate_single(subj, obj)) @@ -2065,7 +2065,7 @@ mac_mls_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred, if (!mac_mls_enabled || !revocation_enabled) return (0); - subj = SLOT(&active_cred->cr_label); + subj = SLOT(active_cred->cr_label); obj = SLOT(label); if (!mac_mls_dominate_single(subj, obj)) @@ -2083,7 +2083,7 @@ mac_mls_check_vnode_readdir(struct ucred *cred, struct vnode *dvp, if (!mac_mls_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(dlabel); if (!mac_mls_dominate_single(subj, obj)) @@ -2101,7 +2101,7 @@ mac_mls_check_vnode_readlink(struct ucred *cred, struct vnode *vp, if (!mac_mls_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(vnodelabel); if (!mac_mls_dominate_single(subj, obj)) @@ -2119,7 +2119,7 @@ mac_mls_check_vnode_relabel(struct ucred *cred, struct vnode *vp, old = SLOT(vnodelabel); new = SLOT(newlabel); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); /* * If there is an MLS label update for the vnode, it must be a @@ -2172,7 +2172,7 @@ mac_mls_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp, if (!mac_mls_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(dlabel); if (!mac_mls_dominate_single(obj, subj)) @@ -2196,7 +2196,7 @@ mac_mls_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp, if (!mac_mls_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(dlabel); if (!mac_mls_dominate_single(obj, subj)) @@ -2221,7 +2221,7 @@ mac_mls_check_vnode_revoke(struct ucred *cred, struct vnode *vp, if (!mac_mls_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(label); if (!mac_mls_dominate_single(obj, subj)) @@ -2239,7 +2239,7 @@ mac_mls_check_vnode_setacl(struct ucred *cred, struct vnode *vp, if (!mac_mls_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(label); if (!mac_mls_dominate_single(obj, subj)) @@ -2258,7 +2258,7 @@ mac_mls_check_vnode_setextattr(struct ucred *cred, struct vnode *vp, if (!mac_mls_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(vnodelabel); if (!mac_mls_dominate_single(obj, subj)) @@ -2278,7 +2278,7 @@ mac_mls_check_vnode_setflags(struct ucred *cred, struct vnode *vp, if (!mac_mls_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(vnodelabel); if (!mac_mls_dominate_single(obj, subj)) @@ -2296,7 +2296,7 @@ mac_mls_check_vnode_setmode(struct ucred *cred, struct vnode *vp, if (!mac_mls_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(vnodelabel); if (!mac_mls_dominate_single(obj, subj)) @@ -2314,7 +2314,7 @@ mac_mls_check_vnode_setowner(struct ucred *cred, struct vnode *vp, if (!mac_mls_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(vnodelabel); if (!mac_mls_dominate_single(obj, subj)) @@ -2332,7 +2332,7 @@ mac_mls_check_vnode_setutimes(struct ucred *cred, struct vnode *vp, if (!mac_mls_enabled) return (0); - subj = SLOT(&cred->cr_label); + subj = SLOT(cred->cr_label); obj = SLOT(vnodelabel); if (!mac_mls_dominate_single(obj, subj)) @@ -2350,7 +2350,7 @@ mac_mls_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred, if (!mac_mls_enabled) return (0); - subj = SLOT(&active_cred->cr_label); + subj = SLOT(active_cred->cr_label); obj = SLOT(vnodelabel); if (!mac_mls_dominate_single(subj, obj)) @@ -2368,7 +2368,7 @@ mac_mls_check_vnode_write(struct ucred *active_cred, struct ucred *file_cred, if (!mac_mls_enabled || !revocation_enabled) return (0); - subj = SLOT(&active_cred->cr_label); + subj = SLOT(active_cred->cr_label); obj = SLOT(label); if (!mac_mls_dominate_single(obj, subj)) diff --git a/sys/security/mac_partition/mac_partition.c b/sys/security/mac_partition/mac_partition.c index ed5bc2e..74df98c 100644 --- a/sys/security/mac_partition/mac_partition.c +++ b/sys/security/mac_partition/mac_partition.c @@ -134,21 +134,21 @@ static void mac_partition_create_cred(struct ucred *cred_parent, struct ucred *cred_child) { - SLOT(&cred_child->cr_label) = SLOT(&cred_parent->cr_label); + SLOT(cred_child->cr_label) = SLOT(cred_parent->cr_label); } static void mac_partition_create_proc0(struct ucred *cred) { - SLOT(&cred->cr_label) = 0; + SLOT(cred->cr_label) = 0; } static void mac_partition_create_proc1(struct ucred *cred) { - SLOT(&cred->cr_label) = 0; + SLOT(cred->cr_label) = 0; } static void @@ -156,7 +156,7 @@ mac_partition_relabel_cred(struct ucred *cred, struct label *newlabel) { if (SLOT(newlabel) != 0) - SLOT(&cred->cr_label) = SLOT(newlabel); + SLOT(cred->cr_label) = SLOT(newlabel); } static int @@ -201,7 +201,7 @@ mac_partition_check_cred_visible(struct ucred *u1, struct ucred *u2) { int error; - error = label_on_label(&u1->cr_label, &u2->cr_label); + error = label_on_label(u1->cr_label, u2->cr_label); return (error == 0 ? 0 : ESRCH); } @@ -211,7 +211,7 @@ mac_partition_check_proc_debug(struct ucred *cred, struct proc *proc) { int error; - error = label_on_label(&cred->cr_label, &proc->p_ucred->cr_label); + error = label_on_label(cred->cr_label, proc->p_ucred->cr_label); return (error ? ESRCH : 0); } @@ -221,7 +221,7 @@ mac_partition_check_proc_sched(struct ucred *cred, struct proc *proc) { int error; - error = label_on_label(&cred->cr_label, &proc->p_ucred->cr_label); + error = label_on_label(cred->cr_label, proc->p_ucred->cr_label); return (error ? ESRCH : 0); } @@ -232,7 +232,7 @@ mac_partition_check_proc_signal(struct ucred *cred, struct proc *proc, { int error; - error = label_on_label(&cred->cr_label, &proc->p_ucred->cr_label); + error = label_on_label(cred->cr_label, proc->p_ucred->cr_label); return (error ? ESRCH : 0); } @@ -243,7 +243,7 @@ mac_partition_check_socket_visible(struct ucred *cred, struct socket *socket, { int error; - error = label_on_label(&cred->cr_label, socketlabel); + error = label_on_label(cred->cr_label, socketlabel); return (error ? ENOENT : 0); } diff --git a/sys/security/mac_test/mac_test.c b/sys/security/mac_test/mac_test.c index 1aafa92..3226679 100644 --- a/sys/security/mac_test/mac_test.c +++ b/sys/security/mac_test/mac_test.c @@ -635,7 +635,7 @@ mac_test_create_devfs_symlink(struct ucred *cred, struct mount *mp, struct label *delabel) { - ASSERT_CRED_LABEL(&cred->cr_label); + ASSERT_CRED_LABEL(cred->cr_label); ASSERT_DEVFS_LABEL(ddlabel); ASSERT_DEVFS_LABEL(delabel); } @@ -646,7 +646,7 @@ mac_test_create_vnode_extattr(struct ucred *cred, struct mount *mp, struct vnode *vp, struct label *vlabel, struct componentname *cnp) { - ASSERT_CRED_LABEL(&cred->cr_label); + ASSERT_CRED_LABEL(cred->cr_label); ASSERT_MOUNT_LABEL(fslabel); ASSERT_VNODE_LABEL(dlabel); @@ -658,7 +658,7 @@ mac_test_create_mount(struct ucred *cred, struct mount *mp, struct label *mntlabel, struct label *fslabel) { - ASSERT_CRED_LABEL(&cred->cr_label); + ASSERT_CRED_LABEL(cred->cr_label); ASSERT_MOUNT_LABEL(mntlabel); ASSERT_MOUNT_LABEL(fslabel); } @@ -668,7 +668,7 @@ mac_test_create_root_mount(struct ucred *cred, struct mount *mp, struct label *mntlabel, struct label *fslabel) { - ASSERT_CRED_LABEL(&cred->cr_label); + ASSERT_CRED_LABEL(cred->cr_label); ASSERT_MOUNT_LABEL(mntlabel); ASSERT_MOUNT_LABEL(fslabel); } @@ -678,7 +678,7 @@ mac_test_relabel_vnode(struct ucred *cred, struct vnode *vp, struct label *vnodelabel, struct label *label) { - ASSERT_CRED_LABEL(&cred->cr_label); + ASSERT_CRED_LABEL(cred->cr_label); ASSERT_VNODE_LABEL(vnodelabel); ASSERT_VNODE_LABEL(label); } @@ -688,7 +688,7 @@ mac_test_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp, struct label *vlabel, struct label *intlabel) { - ASSERT_CRED_LABEL(&cred->cr_label); + ASSERT_CRED_LABEL(cred->cr_label); ASSERT_VNODE_LABEL(vlabel); ASSERT_VNODE_LABEL(intlabel); return (0); @@ -721,7 +721,7 @@ mac_test_create_socket(struct ucred *cred, struct socket *socket, struct label *socketlabel) { - ASSERT_CRED_LABEL(&cred->cr_label); + ASSERT_CRED_LABEL(cred->cr_label); ASSERT_SOCKET_LABEL(socketlabel); } @@ -730,7 +730,7 @@ mac_test_create_pipe(struct ucred *cred, struct pipe *pipe, struct label *pipelabel) { - ASSERT_CRED_LABEL(&cred->cr_label); + ASSERT_CRED_LABEL(cred->cr_label); ASSERT_PIPE_LABEL(pipelabel); } @@ -749,7 +749,7 @@ mac_test_relabel_socket(struct ucred *cred, struct socket *socket, struct label *socketlabel, struct label *newlabel) { - ASSERT_CRED_LABEL(&cred->cr_label); + ASSERT_CRED_LABEL(cred->cr_label); ASSERT_SOCKET_LABEL(newlabel); } @@ -758,7 +758,7 @@ mac_test_relabel_pipe(struct ucred *cred, struct pipe *pipe, struct label *pipelabel, struct label *newlabel) { - ASSERT_CRED_LABEL(&cred->cr_label); + ASSERT_CRED_LABEL(cred->cr_label); ASSERT_PIPE_LABEL(pipelabel); ASSERT_PIPE_LABEL(newlabel); } @@ -790,7 +790,7 @@ mac_test_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d, struct label *bpflabel) { - ASSERT_CRED_LABEL(&cred->cr_label); + ASSERT_CRED_LABEL(cred->cr_label); ASSERT_BPF_LABEL(bpflabel); } @@ -916,7 +916,7 @@ mac_test_relabel_ifnet(struct ucred *cred, struct ifnet *ifnet, struct label *ifnetlabel, struct label *newlabel) { - ASSERT_CRED_LABEL(&cred->cr_label); + ASSERT_CRED_LABEL(cred->cr_label); ASSERT_IFNET_LABEL(ifnetlabel); ASSERT_IFNET_LABEL(newlabel); } @@ -937,8 +937,8 @@ static void mac_test_create_cred(struct ucred *cred_parent, struct ucred *cred_child) { - ASSERT_CRED_LABEL(&cred_parent->cr_label); - ASSERT_CRED_LABEL(&cred_child->cr_label); + ASSERT_CRED_LABEL(cred_parent->cr_label); + ASSERT_CRED_LABEL(cred_child->cr_label); } static void @@ -948,8 +948,8 @@ mac_test_execve_transition(struct ucred *old, struct ucred *new, struct label *execlabel) { - ASSERT_CRED_LABEL(&old->cr_label); - ASSERT_CRED_LABEL(&new->cr_label); + ASSERT_CRED_LABEL(old->cr_label); + ASSERT_CRED_LABEL(new->cr_label); ASSERT_VNODE_LABEL(filelabel); ASSERT_VNODE_LABEL(interpvnodelabel); if (execlabel != NULL) { @@ -963,7 +963,7 @@ mac_test_execve_will_transition(struct ucred *old, struct vnode *vp, struct image_params *imgp, struct label *execlabel) { - ASSERT_CRED_LABEL(&old->cr_label); + ASSERT_CRED_LABEL(old->cr_label); ASSERT_VNODE_LABEL(filelabel); if (interpvnodelabel != NULL) { ASSERT_VNODE_LABEL(interpvnodelabel); @@ -979,21 +979,21 @@ static void mac_test_create_proc0(struct ucred *cred) { - ASSERT_CRED_LABEL(&cred->cr_label); + ASSERT_CRED_LABEL(cred->cr_label); } static void mac_test_create_proc1(struct ucred *cred) { - ASSERT_CRED_LABEL(&cred->cr_label); + ASSERT_CRED_LABEL(cred->cr_label); } static void mac_test_relabel_cred(struct ucred *cred, struct label *newlabel) { - ASSERT_CRED_LABEL(&cred->cr_label); + ASSERT_CRED_LABEL(cred->cr_label); ASSERT_VNODE_LABEL(newlabel); } @@ -1023,7 +1023,7 @@ static int mac_test_check_cred_relabel(struct ucred *cred, struct label *newlabel) { - ASSERT_CRED_LABEL(&cred->cr_label); + ASSERT_CRED_LABEL(cred->cr_label); ASSERT_CRED_LABEL(newlabel); return (0); @@ -1033,8 +1033,8 @@ static int mac_test_check_cred_visible(struct ucred *u1, struct ucred *u2) { - ASSERT_CRED_LABEL(&u1->cr_label); - ASSERT_CRED_LABEL(&u2->cr_label); + ASSERT_CRED_LABEL(u1->cr_label); + ASSERT_CRED_LABEL(u2->cr_label); return (0); } @@ -1044,7 +1044,7 @@ mac_test_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet, struct label *ifnetlabel, struct label *newlabel) { - ASSERT_CRED_LABEL(&cred->cr_label); + ASSERT_CRED_LABEL(cred->cr_label); ASSERT_IFNET_LABEL(ifnetlabel); ASSERT_IFNET_LABEL(newlabel); return (0); @@ -1074,7 +1074,7 @@ static int mac_test_check_kenv_get(struct ucred *cred, char *name) { - ASSERT_CRED_LABEL(&cred->cr_label); + ASSERT_CRED_LABEL(cred->cr_label); return (0); } @@ -1083,7 +1083,7 @@ static int mac_test_check_kenv_set(struct ucred *cred, char *name, char *value) { - ASSERT_CRED_LABEL(&cred->cr_label); + ASSERT_CRED_LABEL(cred->cr_label); return (0); } @@ -1092,7 +1092,7 @@ static int mac_test_check_kenv_unset(struct ucred *cred, char *name) { - ASSERT_CRED_LABEL(&cred->cr_label); + ASSERT_CRED_LABEL(cred->cr_label); return (0); } @@ -1102,7 +1102,7 @@ mac_test_check_kld_load(struct ucred *cred, struct vnode *vp, struct label *label) { - ASSERT_CRED_LABEL(&cred->cr_label); + ASSERT_CRED_LABEL(cred->cr_label); ASSERT_VNODE_LABEL(label); return (0); @@ -1112,7 +1112,7 @@ static int mac_test_check_kld_stat(struct ucred *cred) { - ASSERT_CRED_LABEL(&cred->cr_label); + ASSERT_CRED_LABEL(cred->cr_label); return (0); } @@ -1121,7 +1121,7 @@ static int mac_test_check_kld_unload(struct ucred *cred) { - ASSERT_CRED_LABEL(&cred->cr_label); + ASSERT_CRED_LABEL(cred->cr_label); return (0); } @@ -1131,7 +1131,7 @@ mac_test_check_mount_stat(struct ucred *cred, struct mount *mp, struct label *mntlabel) { - ASSERT_CRED_LABEL(&cred->cr_label); + ASSERT_CRED_LABEL(cred->cr_label); ASSERT_MOUNT_LABEL(mntlabel); return (0); @@ -1142,7 +1142,7 @@ mac_test_check_pipe_ioctl(struct ucred *cred, struct pipe *pipe, struct label *pipelabel, unsigned long cmd, void /* caddr_t */ *data) { - ASSERT_CRED_LABEL(&cred->cr_label); + ASSERT_CRED_LABEL(cred->cr_label); ASSERT_PIPE_LABEL(pipelabel); return (0); @@ -1153,7 +1153,7 @@ mac_test_check_pipe_poll(struct ucred *cred, struct pipe *pipe, struct label *pipelabel) { - ASSERT_CRED_LABEL(&cred->cr_label); + ASSERT_CRED_LABEL(cred->cr_label); ASSERT_PIPE_LABEL(pipelabel); return (0); @@ -1164,7 +1164,7 @@ mac_test_check_pipe_read(struct ucred *cred, struct pipe *pipe, struct label *pipelabel) { - ASSERT_CRED_LABEL(&cred->cr_label); + ASSERT_CRED_LABEL(cred->cr_label); ASSERT_PIPE_LABEL(pipelabel); return (0); @@ -1175,7 +1175,7 @@ mac_test_check_pipe_relabel(struct ucred *cred, struct pipe *pipe, struct label *pipelabel, struct label *newlabel) { - ASSERT_CRED_LABEL(&cred->cr_label); + ASSERT_CRED_LABEL(cred->cr_label); ASSERT_PIPE_LABEL(pipelabel); ASSERT_PIPE_LABEL(newlabel); @@ -1187,7 +1187,7 @@ mac_test_check_pipe_stat(struct ucred *cred, struct pipe *pipe, struct label *pipelabel) { - ASSERT_CRED_LABEL(&cred->cr_label); + ASSERT_CRED_LABEL(cred->cr_label); ASSERT_PIPE_LABEL(pipelabel); return (0); @@ -1198,7 +1198,7 @@ mac_test_check_pipe_write(struct ucred *cred, struct pipe *pipe, struct label *pipelabel) { - ASSERT_CRED_LABEL(&cred->cr_label); + ASSERT_CRED_LABEL(cred->cr_label); ASSERT_PIPE_LABEL(pipelabel); return (0); @@ -1208,8 +1208,8 @@ static int mac_test_check_proc_debug(struct ucred *cred, struct proc *proc) { - ASSERT_CRED_LABEL(&cred->cr_label); - ASSERT_CRED_LABEL(&proc->p_ucred->cr_label); + ASSERT_CRED_LABEL(cred->cr_label); + ASSERT_CRED_LABEL(proc->p_ucred->cr_label); return (0); } @@ -1218,8 +1218,8 @@ static int mac_test_check_proc_sched(struct ucred *cred, struct proc *proc) { - ASSERT_CRED_LABEL(&cred->cr_label); - ASSERT_CRED_LABEL(&proc->p_ucred->cr_label); + ASSERT_CRED_LABEL(cred->cr_label); + ASSERT_CRED_LABEL(proc->p_ucred->cr_label); return (0); } @@ -1228,8 +1228,8 @@ static int mac_test_check_proc_signal(struct ucred *cred, struct proc *proc, int signum) { - ASSERT_CRED_LABEL(&cred->cr_label); - ASSERT_CRED_LABEL(&proc->p_ucred->cr_label); + ASSERT_CRED_LABEL(cred->cr_label); + ASSERT_CRED_LABEL(proc->p_ucred->cr_label); return (0); } @@ -1239,7 +1239,7 @@ mac_test_check_socket_bind(struct ucred *cred, struct socket *socket, struct label *socketlabel, struct sockaddr *sockaddr) { - ASSERT_CRED_LABEL(&cred->cr_label); + ASSERT_CRED_LABEL(cred->cr_label); ASSERT_SOCKET_LABEL(socketlabel); return (0); @@ -1250,7 +1250,7 @@ mac_test_check_socket_connect(struct ucred *cred, struct socket *socket, struct label *socketlabel, struct sockaddr *sockaddr) { - ASSERT_CRED_LABEL(&cred->cr_label); + ASSERT_CRED_LABEL(cred->cr_label); ASSERT_SOCKET_LABEL(socketlabel); return (0); @@ -1272,7 +1272,7 @@ mac_test_check_socket_listen(struct ucred *cred, struct socket *socket, struct label *socketlabel) { - ASSERT_CRED_LABEL(&cred->cr_label); + ASSERT_CRED_LABEL(cred->cr_label); ASSERT_SOCKET_LABEL(socketlabel); return (0); @@ -1283,7 +1283,7 @@ mac_test_check_socket_visible(struct ucred *cred, struct socket *socket, struct label *socketlabel) { - ASSERT_CRED_LABEL(&cred->cr_label); + ASSERT_CRED_LABEL(cred->cr_label); ASSERT_SOCKET_LABEL(socketlabel); return (0); @@ -1294,7 +1294,7 @@ mac_test_check_socket_relabel(struct ucred *cred, struct socket *socket, struct label *socketlabel, struct label *newlabel) { - ASSERT_CRED_LABEL(&cred->cr_label); + ASSERT_CRED_LABEL(cred->cr_label); ASSERT_SOCKET_LABEL(socketlabel); ASSERT_SOCKET_LABEL(newlabel); @@ -1305,7 +1305,7 @@ static int mac_test_check_sysarch_ioperm(struct ucred *cred) { - ASSERT_CRED_LABEL(&cred->cr_label); + ASSERT_CRED_LABEL(cred->cr_label); return (0); } @@ -1315,7 +1315,7 @@ mac_test_check_system_acct(struct ucred *cred, struct vnode *vp, struct label *label) { - ASSERT_CRED_LABEL(&cred->cr_label); + ASSERT_CRED_LABEL(cred->cr_label); return (0); } @@ -1324,7 +1324,7 @@ static int mac_test_check_system_reboot(struct ucred *cred, int how) { - ASSERT_CRED_LABEL(&cred->cr_label); + ASSERT_CRED_LABEL(cred->cr_label); return (0); } @@ -1333,7 +1333,7 @@ static int mac_test_check_system_settime(struct ucred *cred) { - ASSERT_CRED_LABEL(&cred->cr_label); + ASSERT_CRED_LABEL(cred->cr_label); return (0); } @@ -1343,7 +1343,7 @@ mac_test_check_system_swapon(struct ucred *cred, struct vnode *vp, struct label *label) { - ASSERT_CRED_LABEL(&cred->cr_label); + ASSERT_CRED_LABEL(cred->cr_label); ASSERT_VNODE_LABEL(label); return (0); @@ -1354,7 +1354,7 @@ mac_test_check_system_swapoff(struct ucred *cred, struct vnode *vp, struct label *label) { - ASSERT_CRED_LABEL(&cred->cr_label); + ASSERT_CRED_LABEL(cred->cr_label); ASSERT_VNODE_LABEL(label); return (0); @@ -1365,7 +1365,7 @@ mac_test_check_system_sysctl(struct ucred *cred, int *name, u_int namelen, void *old, size_t *oldlenp, int inkernel, void *new, size_t newlen) { - ASSERT_CRED_LABEL(&cred->cr_label); + ASSERT_CRED_LABEL(cred->cr_label); return (0); } @@ -1375,7 +1375,7 @@ mac_test_check_vnode_access(struct ucred *cred, struct vnode *vp, struct label *label, int acc_mode) { - ASSERT_CRED_LABEL(&cred->cr_label); + ASSERT_CRED_LABEL(cred->cr_label); ASSERT_VNODE_LABEL(label); return (0); @@ -1386,7 +1386,7 @@ mac_test_check_vnode_chdir(struct ucred *cred, struct vnode *dvp, struct label *dlabel) { - ASSERT_CRED_LABEL(&cred->cr_label); + ASSERT_CRED_LABEL(cred->cr_label); ASSERT_VNODE_LABEL(dlabel); return (0); @@ -1397,7 +1397,7 @@ mac_test_check_vnode_chroot(struct ucred *cred, struct vnode *dvp, struct label *dlabel) { - ASSERT_CRED_LABEL(&cred->cr_label); + ASSERT_CRED_LABEL(cred->cr_label); ASSERT_VNODE_LABEL(dlabel); return (0); @@ -1408,7 +1408,7 @@ mac_test_check_vnode_create(struct ucred *cred, struct vnode *dvp, struct label *dlabel, struct componentname *cnp, struct vattr *vap) { - ASSERT_CRED_LABEL(&cred->cr_label); + ASSERT_CRED_LABEL(cred->cr_label); ASSERT_VNODE_LABEL(dlabel); return (0); @@ -1420,7 +1420,7 @@ mac_test_check_vnode_delete(struct ucred *cred, struct vnode *dvp, struct componentname *cnp) { - ASSERT_CRED_LABEL(&cred->cr_label); + ASSERT_CRED_LABEL(cred->cr_label); ASSERT_VNODE_LABEL(dlabel); ASSERT_VNODE_LABEL(label); @@ -1432,7 +1432,7 @@ mac_test_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp, struct label *label, acl_type_t type) { - ASSERT_CRED_LABEL(&cred->cr_label); + ASSERT_CRED_LABEL(cred->cr_label); ASSERT_VNODE_LABEL(label); return (0); @@ -1443,7 +1443,7 @@ mac_test_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp, struct label *label, int attrnamespace, const char *name) { - ASSERT_CRED_LABEL(&cred->cr_label); + ASSERT_CRED_LABEL(cred->cr_label); ASSERT_VNODE_LABEL(label); return (0); @@ -1455,7 +1455,7 @@ mac_test_check_vnode_exec(struct ucred *cred, struct vnode *vp, struct label *execlabel) { - ASSERT_CRED_LABEL(&cred->cr_label); + ASSERT_CRED_LABEL(cred->cr_label); ASSERT_VNODE_LABEL(label); if (execlabel != NULL) { ASSERT_CRED_LABEL(execlabel); @@ -1469,7 +1469,7 @@ mac_test_check_vnode_getacl(struct ucred *cred, struct vnode *vp, struct label *label, acl_type_t type) { - ASSERT_CRED_LABEL(&cred->cr_label); + ASSERT_CRED_LABEL(cred->cr_label); ASSERT_VNODE_LABEL(label); return (0); @@ -1480,7 +1480,7 @@ mac_test_check_vnode_getextattr(struct ucred *cred, struct vnode *vp, struct label *label, int attrnamespace, const char *name, struct uio *uio) { - ASSERT_CRED_LABEL(&cred->cr_label); + ASSERT_CRED_LABEL(cred->cr_label); ASSERT_VNODE_LABEL(label); return (0); @@ -1492,7 +1492,7 @@ mac_test_check_vnode_link(struct ucred *cred, struct vnode *dvp, struct componentname *cnp) { - ASSERT_CRED_LABEL(&cred->cr_label); + ASSERT_CRED_LABEL(cred->cr_label); ASSERT_VNODE_LABEL(dlabel); ASSERT_VNODE_LABEL(label); @@ -1504,7 +1504,7 @@ mac_test_check_vnode_listextattr(struct ucred *cred, struct vnode *vp, struct label *label, int attrnamespace) { - ASSERT_CRED_LABEL(&cred->cr_label); + ASSERT_CRED_LABEL(cred->cr_label); ASSERT_VNODE_LABEL(label); return (0); @@ -1515,7 +1515,7 @@ mac_test_check_vnode_lookup(struct ucred *cred, struct vnode *dvp, struct label *dlabel, struct componentname *cnp) { - ASSERT_CRED_LABEL(&cred->cr_label); + ASSERT_CRED_LABEL(cred->cr_label); ASSERT_VNODE_LABEL(dlabel); return (0); @@ -1526,7 +1526,7 @@ mac_test_check_vnode_mmap(struct ucred *cred, struct vnode *vp, struct label *label, int prot) { - ASSERT_CRED_LABEL(&cred->cr_label); + ASSERT_CRED_LABEL(cred->cr_label); ASSERT_VNODE_LABEL(label); return (0); @@ -1537,7 +1537,7 @@ mac_test_check_vnode_mprotect(struct ucred *cred, struct vnode *vp, struct label *label, int prot) { - ASSERT_CRED_LABEL(&cred->cr_label); + ASSERT_CRED_LABEL(cred->cr_label); ASSERT_VNODE_LABEL(label); return (0); @@ -1548,7 +1548,7 @@ mac_test_check_vnode_open(struct ucred *cred, struct vnode *vp, struct label *filelabel, int acc_mode) { - ASSERT_CRED_LABEL(&cred->cr_label); + ASSERT_CRED_LABEL(cred->cr_label); ASSERT_VNODE_LABEL(filelabel); return (0); @@ -1559,8 +1559,8 @@ mac_test_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred, struct vnode *vp, struct label *label) { - ASSERT_CRED_LABEL(&active_cred->cr_label); - ASSERT_CRED_LABEL(&file_cred->cr_label); + ASSERT_CRED_LABEL(active_cred->cr_label); + ASSERT_CRED_LABEL(file_cred->cr_label); ASSERT_VNODE_LABEL(label); return (0); @@ -1571,9 +1571,9 @@ mac_test_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred, struct vnode *vp, struct label *label) { - ASSERT_CRED_LABEL(&active_cred->cr_label); + ASSERT_CRED_LABEL(active_cred->cr_label); if (file_cred != NULL) { - ASSERT_CRED_LABEL(&file_cred->cr_label); + ASSERT_CRED_LABEL(file_cred->cr_label); } ASSERT_VNODE_LABEL(label); @@ -1585,7 +1585,7 @@ mac_test_check_vnode_readdir(struct ucred *cred, struct vnode *dvp, struct label *dlabel) { - ASSERT_CRED_LABEL(&cred->cr_label); + ASSERT_CRED_LABEL(cred->cr_label); ASSERT_VNODE_LABEL(dlabel); return (0); @@ -1596,7 +1596,7 @@ mac_test_check_vnode_readlink(struct ucred *cred, struct vnode *vp, struct label *vnodelabel) { - ASSERT_CRED_LABEL(&cred->cr_label); + ASSERT_CRED_LABEL(cred->cr_label); ASSERT_VNODE_LABEL(vnodelabel); return (0); @@ -1607,7 +1607,7 @@ mac_test_check_vnode_relabel(struct ucred *cred, struct vnode *vp, struct label *vnodelabel, struct label *newlabel) { - ASSERT_CRED_LABEL(&cred->cr_label); + ASSERT_CRED_LABEL(cred->cr_label); ASSERT_VNODE_LABEL(vnodelabel); ASSERT_VNODE_LABEL(newlabel); @@ -1620,7 +1620,7 @@ mac_test_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp, struct componentname *cnp) { - ASSERT_CRED_LABEL(&cred->cr_label); + ASSERT_CRED_LABEL(cred->cr_label); ASSERT_VNODE_LABEL(dlabel); ASSERT_VNODE_LABEL(label); @@ -1633,7 +1633,7 @@ mac_test_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp, struct componentname *cnp) { - ASSERT_CRED_LABEL(&cred->cr_label); + ASSERT_CRED_LABEL(cred->cr_label); ASSERT_VNODE_LABEL(dlabel); if (vp != NULL) { @@ -1648,7 +1648,7 @@ mac_test_check_vnode_revoke(struct ucred *cred, struct vnode *vp, struct label *label) { - ASSERT_CRED_LABEL(&cred->cr_label); + ASSERT_CRED_LABEL(cred->cr_label); ASSERT_VNODE_LABEL(label); return (0); @@ -1659,7 +1659,7 @@ mac_test_check_vnode_setacl(struct ucred *cred, struct vnode *vp, struct label *label, acl_type_t type, struct acl *acl) { - ASSERT_CRED_LABEL(&cred->cr_label); + ASSERT_CRED_LABEL(cred->cr_label); ASSERT_VNODE_LABEL(label); return (0); @@ -1670,7 +1670,7 @@ mac_test_check_vnode_setextattr(struct ucred *cred, struct vnode *vp, struct label *label, int attrnamespace, const char *name, struct uio *uio) { - ASSERT_CRED_LABEL(&cred->cr_label); + ASSERT_CRED_LABEL(cred->cr_label); ASSERT_VNODE_LABEL(label); return (0); @@ -1681,7 +1681,7 @@ mac_test_check_vnode_setflags(struct ucred *cred, struct vnode *vp, struct label *label, u_long flags) { - ASSERT_CRED_LABEL(&cred->cr_label); + ASSERT_CRED_LABEL(cred->cr_label); ASSERT_VNODE_LABEL(label); return (0); @@ -1692,7 +1692,7 @@ mac_test_check_vnode_setmode(struct ucred *cred, struct vnode *vp, struct label *label, mode_t mode) { - ASSERT_CRED_LABEL(&cred->cr_label); + ASSERT_CRED_LABEL(cred->cr_label); ASSERT_VNODE_LABEL(label); return (0); @@ -1703,7 +1703,7 @@ mac_test_check_vnode_setowner(struct ucred *cred, struct vnode *vp, struct label *label, uid_t uid, gid_t gid) { - ASSERT_CRED_LABEL(&cred->cr_label); + ASSERT_CRED_LABEL(cred->cr_label); ASSERT_VNODE_LABEL(label); return (0); @@ -1714,7 +1714,7 @@ mac_test_check_vnode_setutimes(struct ucred *cred, struct vnode *vp, struct label *label, struct timespec atime, struct timespec mtime) { - ASSERT_CRED_LABEL(&cred->cr_label); + ASSERT_CRED_LABEL(cred->cr_label); ASSERT_VNODE_LABEL(label); return (0); @@ -1725,9 +1725,9 @@ mac_test_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred, struct vnode *vp, struct label *label) { - ASSERT_CRED_LABEL(&active_cred->cr_label); + ASSERT_CRED_LABEL(active_cred->cr_label); if (file_cred != NULL) { - ASSERT_CRED_LABEL(&file_cred->cr_label); + ASSERT_CRED_LABEL(file_cred->cr_label); } ASSERT_VNODE_LABEL(label); @@ -1739,9 +1739,9 @@ mac_test_check_vnode_write(struct ucred *active_cred, struct ucred *file_cred, struct vnode *vp, struct label *label) { - ASSERT_CRED_LABEL(&active_cred->cr_label); + ASSERT_CRED_LABEL(active_cred->cr_label); if (file_cred != NULL) { - ASSERT_CRED_LABEL(&file_cred->cr_label); + ASSERT_CRED_LABEL(file_cred->cr_label); } ASSERT_VNODE_LABEL(label); |
