author | rwatson <rwatson@FreeBSD.org> | 2002-10-05 15:10:00 +0000 |
---|---|---|
committer | rwatson <rwatson@FreeBSD.org> | 2002-10-05 15:10:00 +0000 |
commit | 2670ddfd3d617662ee379ec7c426c9cd053767ae (patch) | |
tree | 33e53f3fb9bde26be881ac4487a7db7aea0d39f8 /sys | |
parent | 781fb4bca3a26571aaae08aa44fda8853a68a7ef (diff) | |
Begin another merge from the TrustedBSD MAC branch:
- Change mpo_init_foo(obj, label) and mpo_destroy_foo(obj, label) policy
entry points to mpo_init_foo_label(label) and
mpo_destroy_foo_label(label). This will permit the use of the same
entry points for holding temporary type-specific label during
internalization and externalization, as well as for caching purposes.
- Because of this, break out mpo_{init,destroy}_socket() and
mpo_{init,destroy}_mount() into separate entry points for socket
main/peer labels and mount main/fs labels.
- Since the prototype for label initialization is the same across almost
all entry points, implement these entry points using common
implementations for Biba, MLS, and Test, reducing the number of
almost identical looking functions.
This simplifies policy implementation, as well as preparing us for the
merge of the new flexible userland API for managing labels on objects.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
Diffstat (limited to 'sys')
-rw-r--r-- | sys/kern/kern_mac.c | 154 | ||||
-rw-r--r-- | sys/security/mac/mac_framework.c | 154 | ||||
-rw-r--r-- | sys/security/mac/mac_internal.h | 154 | ||||
-rw-r--r-- | sys/security/mac/mac_net.c | 154 | ||||
-rw-r--r-- | sys/security/mac/mac_pipe.c | 154 | ||||
-rw-r--r-- | sys/security/mac/mac_policy.h | 103 | ||||
-rw-r--r-- | sys/security/mac/mac_process.c | 154 | ||||
-rw-r--r-- | sys/security/mac/mac_syscalls.c | 154 | ||||
-rw-r--r-- | sys/security/mac/mac_system.c | 154 | ||||
-rw-r--r-- | sys/security/mac/mac_vfs.c | 154 | ||||
-rw-r--r-- | sys/security/mac_biba/mac_biba.c | 263 | ||||
-rw-r--r-- | sys/security/mac_mls/mac_mls.c | 263 | ||||
-rw-r--r-- | sys/security/mac_none/mac_none.c | 222 | ||||
-rw-r--r-- | sys/security/mac_stub/mac_stub.c | 222 | ||||
-rw-r--r-- | sys/security/mac_test/mac_test.c | 224 | ||||
-rw-r--r-- | sys/sys/mac_policy.h | 103 |
16 files changed, 1246 insertions, 1540 deletions
diff --git a/sys/kern/kern_mac.c b/sys/kern/kern_mac.c
index 2c07abe..cfe6670 100644
--- a/sys/kern/kern_mac.c
+++ b/sys/kern/kern_mac.c
@@ -394,92 +394,108 @@ mac_policy_register(struct mac_policy_conf *mpc)
 mpc->mpc_ops->mpo_syscall =
 mpe->mpe_function;
 break;
- case MAC_INIT_BPFDESC:
- mpc->mpc_ops->mpo_init_bpfdesc =
+ case MAC_INIT_BPFDESC_LABEL:
+ mpc->mpc_ops->mpo_init_bpfdesc_label =
 mpe->mpe_function;
 break;
- case MAC_INIT_CRED:
- mpc->mpc_ops->mpo_init_cred =
+ case MAC_INIT_CRED_LABEL:
+ mpc->mpc_ops->mpo_init_cred_label =
 mpe->mpe_function;
 break;
- case MAC_INIT_DEVFSDIRENT:
- mpc->mpc_ops->mpo_init_devfsdirent =
+ case MAC_INIT_DEVFSDIRENT_LABEL:
+ mpc->mpc_ops->mpo_init_devfsdirent_label =
 mpe->mpe_function;
 break;
- case MAC_INIT_IFNET:
- mpc->mpc_ops->mpo_init_ifnet =
+ case MAC_INIT_IFNET_LABEL:
+ mpc->mpc_ops->mpo_init_ifnet_label =
 mpe->mpe_function;
 break;
- case MAC_INIT_IPQ:
- mpc->mpc_ops->mpo_init_ipq =
+ case MAC_INIT_IPQ_LABEL:
+ mpc->mpc_ops->mpo_init_ipq_label =
 mpe->mpe_function;
 break;
- case MAC_INIT_MBUF:
- mpc->mpc_ops->mpo_init_mbuf =
+ case MAC_INIT_MBUF_LABEL:
+ mpc->mpc_ops->mpo_init_mbuf_label =
 mpe->mpe_function;
 break;
- case MAC_INIT_MOUNT:
- mpc->mpc_ops->mpo_init_mount =
+ case MAC_INIT_MOUNT_LABEL:
+ mpc->mpc_ops->mpo_init_mount_label =
 mpe->mpe_function;
 break;
- case MAC_INIT_PIPE:
- mpc->mpc_ops->mpo_init_pipe =
+ case MAC_INIT_MOUNT_FS_LABEL:
+ mpc->mpc_ops->mpo_init_mount_fs_label =
 mpe->mpe_function;
 break;
- case MAC_INIT_SOCKET:
- mpc->mpc_ops->mpo_init_socket =
+ case MAC_INIT_PIPE_LABEL:
+ mpc->mpc_ops->mpo_init_pipe_label =
 mpe->mpe_function;
 break;
- case MAC_INIT_TEMP:
- mpc->mpc_ops->mpo_init_temp =
+ case MAC_INIT_SOCKET_LABEL:
+ mpc->mpc_ops->mpo_init_socket_label =
 mpe->mpe_function;
 break;
- case MAC_INIT_VNODE:
- mpc->mpc_ops->mpo_init_vnode =
+ case MAC_INIT_SOCKET_PEER_LABEL:
+ mpc->mpc_ops->mpo_init_socket_peer_label =
 mpe->mpe_function;
 break;
- case MAC_DESTROY_BPFDESC:
- mpc->mpc_ops->mpo_destroy_bpfdesc =
+ case MAC_INIT_TEMP_LABEL:
+ mpc->mpc_ops->mpo_init_temp_label =
 mpe->mpe_function;
 break;
- case MAC_DESTROY_CRED:
- mpc->mpc_ops->mpo_destroy_cred =
+ case MAC_INIT_VNODE_LABEL:
+ mpc->mpc_ops->mpo_init_vnode_label =
 mpe->mpe_function;
 break;
- case MAC_DESTROY_DEVFSDIRENT:
- mpc->mpc_ops->mpo_destroy_devfsdirent =
+ case MAC_DESTROY_BPFDESC_LABEL:
+ mpc->mpc_ops->mpo_destroy_bpfdesc_label =
 mpe->mpe_function;
 break;
- case MAC_DESTROY_IFNET:
- mpc->mpc_ops->mpo_destroy_ifnet =
+ case MAC_DESTROY_CRED_LABEL:
+ mpc->mpc_ops->mpo_destroy_cred_label =
 mpe->mpe_function;
 break;
- case MAC_DESTROY_IPQ:
- mpc->mpc_ops->mpo_destroy_ipq =
+ case MAC_DESTROY_DEVFSDIRENT_LABEL:
+ mpc->mpc_ops->mpo_destroy_devfsdirent_label =
 mpe->mpe_function;
 break;
- case MAC_DESTROY_MBUF:
- mpc->mpc_ops->mpo_destroy_mbuf =
+ case MAC_DESTROY_IFNET_LABEL:
+ mpc->mpc_ops->mpo_destroy_ifnet_label =
 mpe->mpe_function;
 break;
- case MAC_DESTROY_MOUNT:
- mpc->mpc_ops->mpo_destroy_mount =
+ case MAC_DESTROY_IPQ_LABEL:
+ mpc->mpc_ops->mpo_destroy_ipq_label =
 mpe->mpe_function;
 break;
- case MAC_DESTROY_PIPE:
- mpc->mpc_ops->mpo_destroy_pipe =
+ case MAC_DESTROY_MBUF_LABEL:
+ mpc->mpc_ops->mpo_destroy_mbuf_label =
 mpe->mpe_function;
 break;
- case MAC_DESTROY_SOCKET:
- mpc->mpc_ops->mpo_destroy_socket =
+ case MAC_DESTROY_MOUNT_LABEL:
+ mpc->mpc_ops->mpo_destroy_mount_label =
 mpe->mpe_function;
 break;
- case MAC_DESTROY_TEMP:
- mpc->mpc_ops->mpo_destroy_temp =
+ case MAC_DESTROY_MOUNT_FS_LABEL:
+ mpc->mpc_ops->mpo_destroy_mount_fs_label =
 mpe->mpe_function;
 break;
- case MAC_DESTROY_VNODE:
- mpc->mpc_ops->mpo_destroy_vnode =
+ case MAC_DESTROY_PIPE_LABEL:
+ mpc->mpc_ops->mpo_destroy_pipe_label =
+ mpe->mpe_function;
+ break;
+ case MAC_DESTROY_SOCKET_LABEL:
+ mpc->mpc_ops->mpo_destroy_socket_label =
+ mpe->mpe_function;
+ break;
+ case MAC_DESTROY_SOCKET_PEER_LABEL:
+ mpc->mpc_ops->mpo_destroy_socket_peer_label =
+ mpe->mpe_function;
+ break;
+ case MAC_DESTROY_TEMP_LABEL:
+ mpc->mpc_ops->mpo_destroy_temp_label =
+ mpe->mpe_function;
+ break;
+ case MAC_DESTROY_VNODE_LABEL:
+ mpc->mpc_ops->mpo_destroy_vnode_label =
 mpe->mpe_function;
 break;
 case MAC_EXTERNALIZE:
@@ -1290,7 +1306,7 @@ mac_init_mbuf(struct mbuf *m, int how) /* "how" is one of M_(TRY|DONT)WAIT */ mac_init_label(&m->m_pkthdr.label); - MAC_PERFORM(init_mbuf, m, how, &m->m_pkthdr.label); + MAC_PERFORM(init_mbuf_label, &m->m_pkthdr.label, how); #ifdef MAC_DEBUG atomic_add_int(&nmacmbufs, 1); #endif @@ -1301,7 +1317,7 @@ void mac_destroy_mbuf(struct mbuf *m) { - MAC_PERFORM(destroy_mbuf, m, &m->m_pkthdr.label); + MAC_PERFORM(destroy_mbuf_label, &m->m_pkthdr.label); mac_destroy_label(&m->m_pkthdr.label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacmbufs, 1); @@ -1313,7 +1329,7 @@ mac_init_cred(struct ucred *cr) { mac_init_label(&cr->cr_label); - MAC_PERFORM(init_cred, cr, &cr->cr_label); + MAC_PERFORM(init_cred_label, &cr->cr_label); #ifdef MAC_DEBUG atomic_add_int(&nmaccreds, 1); #endif @@ -1323,7 +1339,7 @@ void mac_destroy_cred(struct ucred *cr) { - MAC_PERFORM(destroy_cred, cr, &cr->cr_label); + MAC_PERFORM(destroy_cred_label, &cr->cr_label); mac_destroy_label(&cr->cr_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmaccreds, 1); @@ -1335,7 +1351,7 @@ mac_init_ifnet(struct ifnet *ifp) { mac_init_label(&ifp->if_label); - MAC_PERFORM(init_ifnet, ifp, &ifp->if_label); + MAC_PERFORM(init_ifnet_label, &ifp->if_label); #ifdef MAC_DEBUG atomic_add_int(&nmacifnets, 1); #endif @@ -1345,7 +1361,7 @@ void mac_destroy_ifnet(struct ifnet *ifp) { - MAC_PERFORM(destroy_ifnet, ifp, &ifp->if_label); + MAC_PERFORM(destroy_ifnet_label, &ifp->if_label); mac_destroy_label(&ifp->if_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacifnets, 1); @@ -1357,7 +1373,7 @@ mac_init_ipq(struct ipq *ipq) { mac_init_label(&ipq->ipq_label); - MAC_PERFORM(init_ipq, ipq, &ipq->ipq_label); + MAC_PERFORM(init_ipq_label, &ipq->ipq_label); #ifdef MAC_DEBUG atomic_add_int(&nmacipqs, 1); #endif 
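Review bot: Inserting MAC_INIT_MOUNT_FS_LABEL and MAC_INIT_SOCKET_PEER_LABEL ahead of existing constants shifts the value of every later MAC_INIT_*/MAC_DESTROY_* constant, so a policy module compiled against the previous header and loaded into this kernel would have its mpe_function pointers bound to the wrong mpo_* slots by this switch — an init handler landing in a destroy slot, or a vnode handler in a temp-label slot — with nothing in the hunk that would notice. If the switch's default arm (outside the hunk) does not already reject an unrecognised mpe_constant and fail the registration, it should, and a module-ABI version check at the top of mac_policy_register, presumably on a field of struct mac_policy_conf, is the durable fix; I cannot see either from here. mac_policy_register begins and ends outside the hunk. The identical hunk is repeated under the mac_framework.c, mac_internal.h and mac_net.c sections below, so the same point applies there.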
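Review bot: The new call `MAC_PERFORM(init_mbuf_label, &m->m_pkthdr.label, how);` forwards the M_(TRY|DONT)WAIT hint to every policy but is used as a bare statement, so if MAC_PERFORM discards the entry point's result (its definition is outside the hunk) a policy that needs to allocate per-label storage under M_DONTWAIT has no way to report failure and mac_init_mbuf still proceeds as if the label were initialised. Since this commit is already reshaping the signature for every policy, document the contract on this line: `/* No return path from init_mbuf_label: policies must not fail here, even when "how" is M_DONTWAIT. */` — or, if that contract is not intended, make the entry point return int and propagate it through mac_init_mbuf's callers. The same shape predates this commit, so this is a request to pin it down rather than a regression.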
@@ -1367,7 +1383,7 @@ void mac_destroy_ipq(struct ipq *ipq) { - MAC_PERFORM(destroy_ipq, ipq, &ipq->ipq_label); + MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label); mac_destroy_label(&ipq->ipq_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacipqs, 1); @@ -1380,8 +1396,8 @@ mac_init_socket(struct socket *socket) mac_init_label(&socket->so_label); mac_init_label(&socket->so_peerlabel); - MAC_PERFORM(init_socket, socket, &socket->so_label, - &socket->so_peerlabel); + MAC_PERFORM(init_socket_label, &socket->so_label); + MAC_PERFORM(init_socket_peer_label, &socket->so_peerlabel); #ifdef MAC_DEBUG atomic_add_int(&nmacsockets, 1); #endif @@ -1391,8 +1407,8 @@ void mac_destroy_socket(struct socket *socket) { - MAC_PERFORM(destroy_socket, socket, &socket->so_label, - &socket->so_peerlabel); + MAC_PERFORM(destroy_socket_label, &socket->so_label); + MAC_PERFORM(destroy_socket_peer_label, &socket->so_peerlabel); mac_destroy_label(&socket->so_label); mac_destroy_label(&socket->so_peerlabel); #ifdef MAC_DEBUG @@ -1409,7 +1425,7 @@ mac_init_pipe(struct pipe *pipe) mac_init_label(label); pipe->pipe_label = label; pipe->pipe_peer->pipe_label = label; - MAC_PERFORM(init_pipe, pipe, pipe->pipe_label); + MAC_PERFORM(init_pipe_label, pipe->pipe_label); #ifdef MAC_DEBUG atomic_add_int(&nmacpipes, 1); #endif @@ -1419,7 +1435,7 @@ void mac_destroy_pipe(struct pipe *pipe) { - MAC_PERFORM(destroy_pipe, pipe, pipe->pipe_label); + MAC_PERFORM(destroy_pipe_label, pipe->pipe_label); mac_destroy_label(pipe->pipe_label); free(pipe->pipe_label, M_MACPIPELABEL); #ifdef MAC_DEBUG @@ -1432,7 +1448,7 @@ mac_init_bpfdesc(struct bpf_d *bpf_d) { mac_init_label(&bpf_d->bd_label); - MAC_PERFORM(init_bpfdesc, bpf_d, &bpf_d->bd_label); + MAC_PERFORM(init_bpfdesc_label, &bpf_d->bd_label); #ifdef MAC_DEBUG atomic_add_int(&nmacbpfdescs, 1); #endif 
@@ -1442,7 +1458,7 @@ void mac_destroy_bpfdesc(struct bpf_d *bpf_d) { - MAC_PERFORM(destroy_bpfdesc, bpf_d, &bpf_d->bd_label); + MAC_PERFORM(destroy_bpfdesc_label, &bpf_d->bd_label); mac_destroy_label(&bpf_d->bd_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacbpfdescs, 1); @@ -1455,7 +1471,8 @@ mac_init_mount(struct mount *mp) mac_init_label(&mp->mnt_mntlabel); mac_init_label(&mp->mnt_fslabel); - MAC_PERFORM(init_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel); + MAC_PERFORM(init_mount_label, &mp->mnt_mntlabel); + MAC_PERFORM(init_mount_fs_label, &mp->mnt_fslabel); #ifdef MAC_DEBUG atomic_add_int(&nmacmounts, 1); #endif @@ -1465,7 +1482,8 @@ void mac_destroy_mount(struct mount *mp) { - MAC_PERFORM(destroy_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel); + MAC_PERFORM(destroy_mount_label, &mp->mnt_mntlabel); + MAC_PERFORM(destroy_mount_fs_label, &mp->mnt_fslabel); mac_destroy_label(&mp->mnt_fslabel); mac_destroy_label(&mp->mnt_mntlabel); #ifdef MAC_DEBUG @@ -1478,7 +1496,7 @@ mac_init_temp(struct label *label) { mac_init_label(label); - MAC_PERFORM(init_temp, label); + MAC_PERFORM(init_temp_label, label); #ifdef MAC_DEBUG atomic_add_int(&nmactemp, 1); #endif @@ -1488,7 +1506,7 @@ static void mac_destroy_temp(struct label *label) { - MAC_PERFORM(destroy_temp, label); + MAC_PERFORM(destroy_temp_label, label); mac_destroy_label(label); #ifdef MAC_DEBUG atomic_subtract_int(&nmactemp, 1); @@ -1500,7 +1518,7 @@ mac_init_vnode(struct vnode *vp) { mac_init_label(&vp->v_label); - MAC_PERFORM(init_vnode, vp, &vp->v_label); + MAC_PERFORM(init_vnode_label, &vp->v_label); #ifdef MAC_DEBUG atomic_add_int(&nmacvnodes, 1); #endif @@ -1510,7 +1528,7 @@ void mac_destroy_vnode(struct vnode *vp) { - MAC_PERFORM(destroy_vnode, vp, &vp->v_label); + MAC_PERFORM(destroy_vnode_label, &vp->v_label); mac_destroy_label(&vp->v_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacvnodes, 1); 
@@ -1522,7 +1540,7 @@ mac_init_devfsdirent(struct devfs_dirent *de) { mac_init_label(&de->de_label); - MAC_PERFORM(init_devfsdirent, de, &de->de_label); + MAC_PERFORM(init_devfsdirent_label, &de->de_label); #ifdef MAC_DEBUG atomic_add_int(&nmacdevfsdirents, 1); #endif @@ -1532,7 +1550,7 @@ void mac_destroy_devfsdirent(struct devfs_dirent *de) { - MAC_PERFORM(destroy_devfsdirent, de, &de->de_label); + MAC_PERFORM(destroy_devfsdirent_label, &de->de_label); mac_destroy_label(&de->de_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacdevfsdirents, 1); diff --git a/sys/security/mac/mac_framework.c b/sys/security/mac/mac_framework.c index 2c07abe..cfe6670 100644 --- a/sys/security/mac/mac_framework.c +++ b/sys/security/mac/mac_framework.c 
@@ -394,92 +394,108 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_syscall = mpe->mpe_function; break; - case MAC_INIT_BPFDESC: - mpc->mpc_ops->mpo_init_bpfdesc = + case MAC_INIT_BPFDESC_LABEL: + mpc->mpc_ops->mpo_init_bpfdesc_label = mpe->mpe_function; break; - case MAC_INIT_CRED: - mpc->mpc_ops->mpo_init_cred = + case MAC_INIT_CRED_LABEL: + mpc->mpc_ops->mpo_init_cred_label = mpe->mpe_function; break; - case MAC_INIT_DEVFSDIRENT: - mpc->mpc_ops->mpo_init_devfsdirent = + case MAC_INIT_DEVFSDIRENT_LABEL: + mpc->mpc_ops->mpo_init_devfsdirent_label = mpe->mpe_function; break; - case MAC_INIT_IFNET: - mpc->mpc_ops->mpo_init_ifnet = + case MAC_INIT_IFNET_LABEL: + mpc->mpc_ops->mpo_init_ifnet_label = mpe->mpe_function; break; - case MAC_INIT_IPQ: - mpc->mpc_ops->mpo_init_ipq = + case MAC_INIT_IPQ_LABEL: + mpc->mpc_ops->mpo_init_ipq_label = mpe->mpe_function; break; - case MAC_INIT_MBUF: - mpc->mpc_ops->mpo_init_mbuf = + case MAC_INIT_MBUF_LABEL: + mpc->mpc_ops->mpo_init_mbuf_label = mpe->mpe_function; break; - case MAC_INIT_MOUNT: - mpc->mpc_ops->mpo_init_mount = + case MAC_INIT_MOUNT_LABEL: + mpc->mpc_ops->mpo_init_mount_label = mpe->mpe_function; break; - case MAC_INIT_PIPE: - mpc->mpc_ops->mpo_init_pipe = + case MAC_INIT_MOUNT_FS_LABEL: + mpc->mpc_ops->mpo_init_mount_fs_label = mpe->mpe_function; break; - case MAC_INIT_SOCKET: - mpc->mpc_ops->mpo_init_socket = + case MAC_INIT_PIPE_LABEL: + mpc->mpc_ops->mpo_init_pipe_label = mpe->mpe_function; break; - case MAC_INIT_TEMP: - mpc->mpc_ops->mpo_init_temp = + case MAC_INIT_SOCKET_LABEL: + mpc->mpc_ops->mpo_init_socket_label = mpe->mpe_function; break; - case MAC_INIT_VNODE: - mpc->mpc_ops->mpo_init_vnode = + case MAC_INIT_SOCKET_PEER_LABEL: + mpc->mpc_ops->mpo_init_socket_peer_label = mpe->mpe_function; break; - case MAC_DESTROY_BPFDESC: - mpc->mpc_ops->mpo_destroy_bpfdesc = + case MAC_INIT_TEMP_LABEL: + mpc->mpc_ops->mpo_init_temp_label = mpe->mpe_function; break; - case MAC_DESTROY_CRED: - 
mpc->mpc_ops->mpo_destroy_cred = + case MAC_INIT_VNODE_LABEL: + mpc->mpc_ops->mpo_init_vnode_label = mpe->mpe_function; break; - case MAC_DESTROY_DEVFSDIRENT: - mpc->mpc_ops->mpo_destroy_devfsdirent = + case MAC_DESTROY_BPFDESC_LABEL: + mpc->mpc_ops->mpo_destroy_bpfdesc_label = mpe->mpe_function; break; - case MAC_DESTROY_IFNET: - mpc->mpc_ops->mpo_destroy_ifnet = + case MAC_DESTROY_CRED_LABEL: + mpc->mpc_ops->mpo_destroy_cred_label = mpe->mpe_function; break; - case MAC_DESTROY_IPQ: - mpc->mpc_ops->mpo_destroy_ipq = + case MAC_DESTROY_DEVFSDIRENT_LABEL: + mpc->mpc_ops->mpo_destroy_devfsdirent_label = mpe->mpe_function; break; - case MAC_DESTROY_MBUF: - mpc->mpc_ops->mpo_destroy_mbuf = + case MAC_DESTROY_IFNET_LABEL: + mpc->mpc_ops->mpo_destroy_ifnet_label = mpe->mpe_function; break; - case MAC_DESTROY_MOUNT: - mpc->mpc_ops->mpo_destroy_mount = + case MAC_DESTROY_IPQ_LABEL: + mpc->mpc_ops->mpo_destroy_ipq_label = mpe->mpe_function; break; - case MAC_DESTROY_PIPE: - mpc->mpc_ops->mpo_destroy_pipe = + case MAC_DESTROY_MBUF_LABEL: + mpc->mpc_ops->mpo_destroy_mbuf_label = mpe->mpe_function; break; - case MAC_DESTROY_SOCKET: - mpc->mpc_ops->mpo_destroy_socket = + case MAC_DESTROY_MOUNT_LABEL: + mpc->mpc_ops->mpo_destroy_mount_label = mpe->mpe_function; break; - case MAC_DESTROY_TEMP: - mpc->mpc_ops->mpo_destroy_temp = + case MAC_DESTROY_MOUNT_FS_LABEL: + mpc->mpc_ops->mpo_destroy_mount_fs_label = mpe->mpe_function; break; - case MAC_DESTROY_VNODE: - mpc->mpc_ops->mpo_destroy_vnode = + case MAC_DESTROY_PIPE_LABEL: + mpc->mpc_ops->mpo_destroy_pipe_label = + mpe->mpe_function; + break; + case MAC_DESTROY_SOCKET_LABEL: + mpc->mpc_ops->mpo_destroy_socket_label = + mpe->mpe_function; + break; + case MAC_DESTROY_SOCKET_PEER_LABEL: + mpc->mpc_ops->mpo_destroy_socket_peer_label = + mpe->mpe_function; + break; + case MAC_DESTROY_TEMP_LABEL: + mpc->mpc_ops->mpo_destroy_temp_label = + mpe->mpe_function; + break; + case MAC_DESTROY_VNODE_LABEL: + 
mpc->mpc_ops->mpo_destroy_vnode_label = mpe->mpe_function; break; case MAC_EXTERNALIZE: @@ -1290,7 +1306,7 @@ mac_init_mbuf(struct mbuf *m, int how) /* "how" is one of M_(TRY|DONT)WAIT */ mac_init_label(&m->m_pkthdr.label); - MAC_PERFORM(init_mbuf, m, how, &m->m_pkthdr.label); + MAC_PERFORM(init_mbuf_label, &m->m_pkthdr.label, how); #ifdef MAC_DEBUG atomic_add_int(&nmacmbufs, 1); #endif @@ -1301,7 +1317,7 @@ void mac_destroy_mbuf(struct mbuf *m) { - MAC_PERFORM(destroy_mbuf, m, &m->m_pkthdr.label); + MAC_PERFORM(destroy_mbuf_label, &m->m_pkthdr.label); mac_destroy_label(&m->m_pkthdr.label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacmbufs, 1); @@ -1313,7 +1329,7 @@ mac_init_cred(struct ucred *cr) { mac_init_label(&cr->cr_label); - MAC_PERFORM(init_cred, cr, &cr->cr_label); + MAC_PERFORM(init_cred_label, &cr->cr_label); #ifdef MAC_DEBUG atomic_add_int(&nmaccreds, 1); #endif @@ -1323,7 +1339,7 @@ void mac_destroy_cred(struct ucred *cr) { - MAC_PERFORM(destroy_cred, cr, &cr->cr_label); + MAC_PERFORM(destroy_cred_label, &cr->cr_label); mac_destroy_label(&cr->cr_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmaccreds, 1); @@ -1335,7 +1351,7 @@ mac_init_ifnet(struct ifnet *ifp) { mac_init_label(&ifp->if_label); - MAC_PERFORM(init_ifnet, ifp, &ifp->if_label); + MAC_PERFORM(init_ifnet_label, &ifp->if_label); #ifdef MAC_DEBUG atomic_add_int(&nmacifnets, 1); #endif @@ -1345,7 +1361,7 @@ void mac_destroy_ifnet(struct ifnet *ifp) { - MAC_PERFORM(destroy_ifnet, ifp, &ifp->if_label); + MAC_PERFORM(destroy_ifnet_label, &ifp->if_label); mac_destroy_label(&ifp->if_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacifnets, 1); @@ -1357,7 +1373,7 @@ mac_init_ipq(struct ipq *ipq) { mac_init_label(&ipq->ipq_label); - MAC_PERFORM(init_ipq, ipq, &ipq->ipq_label); + MAC_PERFORM(init_ipq_label, &ipq->ipq_label); #ifdef MAC_DEBUG atomic_add_int(&nmacipqs, 1); #endif 
@@ -1367,7 +1383,7 @@ void mac_destroy_ipq(struct ipq *ipq) { - MAC_PERFORM(destroy_ipq, ipq, &ipq->ipq_label); + MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label); mac_destroy_label(&ipq->ipq_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacipqs, 1); @@ -1380,8 +1396,8 @@ mac_init_socket(struct socket *socket) mac_init_label(&socket->so_label); mac_init_label(&socket->so_peerlabel); - MAC_PERFORM(init_socket, socket, &socket->so_label, - &socket->so_peerlabel); + MAC_PERFORM(init_socket_label, &socket->so_label); + MAC_PERFORM(init_socket_peer_label, &socket->so_peerlabel); #ifdef MAC_DEBUG atomic_add_int(&nmacsockets, 1); #endif @@ -1391,8 +1407,8 @@ void mac_destroy_socket(struct socket *socket) { - MAC_PERFORM(destroy_socket, socket, &socket->so_label, - &socket->so_peerlabel); + MAC_PERFORM(destroy_socket_label, &socket->so_label); + MAC_PERFORM(destroy_socket_peer_label, &socket->so_peerlabel); mac_destroy_label(&socket->so_label); mac_destroy_label(&socket->so_peerlabel); #ifdef MAC_DEBUG @@ -1409,7 +1425,7 @@ mac_init_pipe(struct pipe *pipe) mac_init_label(label); pipe->pipe_label = label; pipe->pipe_peer->pipe_label = label; - MAC_PERFORM(init_pipe, pipe, pipe->pipe_label); + MAC_PERFORM(init_pipe_label, pipe->pipe_label); #ifdef MAC_DEBUG atomic_add_int(&nmacpipes, 1); #endif @@ -1419,7 +1435,7 @@ void mac_destroy_pipe(struct pipe *pipe) { - MAC_PERFORM(destroy_pipe, pipe, pipe->pipe_label); + MAC_PERFORM(destroy_pipe_label, pipe->pipe_label); mac_destroy_label(pipe->pipe_label); free(pipe->pipe_label, M_MACPIPELABEL); #ifdef MAC_DEBUG @@ -1432,7 +1448,7 @@ mac_init_bpfdesc(struct bpf_d *bpf_d) { mac_init_label(&bpf_d->bd_label); - MAC_PERFORM(init_bpfdesc, bpf_d, &bpf_d->bd_label); + MAC_PERFORM(init_bpfdesc_label, &bpf_d->bd_label); #ifdef MAC_DEBUG atomic_add_int(&nmacbpfdescs, 1); #endif 
@@ -1442,7 +1458,7 @@ void mac_destroy_bpfdesc(struct bpf_d *bpf_d) { - MAC_PERFORM(destroy_bpfdesc, bpf_d, &bpf_d->bd_label); + MAC_PERFORM(destroy_bpfdesc_label, &bpf_d->bd_label); mac_destroy_label(&bpf_d->bd_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacbpfdescs, 1); @@ -1455,7 +1471,8 @@ mac_init_mount(struct mount *mp) mac_init_label(&mp->mnt_mntlabel); mac_init_label(&mp->mnt_fslabel); - MAC_PERFORM(init_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel); + MAC_PERFORM(init_mount_label, &mp->mnt_mntlabel); + MAC_PERFORM(init_mount_fs_label, &mp->mnt_fslabel); #ifdef MAC_DEBUG atomic_add_int(&nmacmounts, 1); #endif @@ -1465,7 +1482,8 @@ void mac_destroy_mount(struct mount *mp) { - MAC_PERFORM(destroy_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel); + MAC_PERFORM(destroy_mount_label, &mp->mnt_mntlabel); + MAC_PERFORM(destroy_mount_fs_label, &mp->mnt_fslabel); mac_destroy_label(&mp->mnt_fslabel); mac_destroy_label(&mp->mnt_mntlabel); #ifdef MAC_DEBUG @@ -1478,7 +1496,7 @@ mac_init_temp(struct label *label) { mac_init_label(label); - MAC_PERFORM(init_temp, label); + MAC_PERFORM(init_temp_label, label); #ifdef MAC_DEBUG atomic_add_int(&nmactemp, 1); #endif @@ -1488,7 +1506,7 @@ static void mac_destroy_temp(struct label *label) { - MAC_PERFORM(destroy_temp, label); + MAC_PERFORM(destroy_temp_label, label); mac_destroy_label(label); #ifdef MAC_DEBUG atomic_subtract_int(&nmactemp, 1); @@ -1500,7 +1518,7 @@ mac_init_vnode(struct vnode *vp) { mac_init_label(&vp->v_label); - MAC_PERFORM(init_vnode, vp, &vp->v_label); + MAC_PERFORM(init_vnode_label, &vp->v_label); #ifdef MAC_DEBUG atomic_add_int(&nmacvnodes, 1); #endif @@ -1510,7 +1528,7 @@ void mac_destroy_vnode(struct vnode *vp) { - MAC_PERFORM(destroy_vnode, vp, &vp->v_label); + MAC_PERFORM(destroy_vnode_label, &vp->v_label); mac_destroy_label(&vp->v_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacvnodes, 1); 
@@ -1522,7 +1540,7 @@ mac_init_devfsdirent(struct devfs_dirent *de) { mac_init_label(&de->de_label); - MAC_PERFORM(init_devfsdirent, de, &de->de_label); + MAC_PERFORM(init_devfsdirent_label, &de->de_label); #ifdef MAC_DEBUG atomic_add_int(&nmacdevfsdirents, 1); #endif @@ -1532,7 +1550,7 @@ void mac_destroy_devfsdirent(struct devfs_dirent *de) { - MAC_PERFORM(destroy_devfsdirent, de, &de->de_label); + MAC_PERFORM(destroy_devfsdirent_label, &de->de_label); mac_destroy_label(&de->de_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacdevfsdirents, 1); diff --git a/sys/security/mac/mac_internal.h b/sys/security/mac/mac_internal.h index 2c07abe..cfe6670 100644 --- a/sys/security/mac/mac_internal.h +++ b/sys/security/mac/mac_internal.h 
@@ -394,92 +394,108 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_syscall = mpe->mpe_function; break; - case MAC_INIT_BPFDESC: - mpc->mpc_ops->mpo_init_bpfdesc = + case MAC_INIT_BPFDESC_LABEL: + mpc->mpc_ops->mpo_init_bpfdesc_label = mpe->mpe_function; break; - case MAC_INIT_CRED: - mpc->mpc_ops->mpo_init_cred = + case MAC_INIT_CRED_LABEL: + mpc->mpc_ops->mpo_init_cred_label = mpe->mpe_function; break; - case MAC_INIT_DEVFSDIRENT: - mpc->mpc_ops->mpo_init_devfsdirent = + case MAC_INIT_DEVFSDIRENT_LABEL: + mpc->mpc_ops->mpo_init_devfsdirent_label = mpe->mpe_function; break; - case MAC_INIT_IFNET: - mpc->mpc_ops->mpo_init_ifnet = + case MAC_INIT_IFNET_LABEL: + mpc->mpc_ops->mpo_init_ifnet_label = mpe->mpe_function; break; - case MAC_INIT_IPQ: - mpc->mpc_ops->mpo_init_ipq = + case MAC_INIT_IPQ_LABEL: + mpc->mpc_ops->mpo_init_ipq_label = mpe->mpe_function; break; - case MAC_INIT_MBUF: - mpc->mpc_ops->mpo_init_mbuf = + case MAC_INIT_MBUF_LABEL: + mpc->mpc_ops->mpo_init_mbuf_label = mpe->mpe_function; break; - case MAC_INIT_MOUNT: - mpc->mpc_ops->mpo_init_mount = + case MAC_INIT_MOUNT_LABEL: + mpc->mpc_ops->mpo_init_mount_label = mpe->mpe_function; break; - case MAC_INIT_PIPE: - mpc->mpc_ops->mpo_init_pipe = + case MAC_INIT_MOUNT_FS_LABEL: + mpc->mpc_ops->mpo_init_mount_fs_label = mpe->mpe_function; break; - case MAC_INIT_SOCKET: - mpc->mpc_ops->mpo_init_socket = + case MAC_INIT_PIPE_LABEL: + mpc->mpc_ops->mpo_init_pipe_label = mpe->mpe_function; break; - case MAC_INIT_TEMP: - mpc->mpc_ops->mpo_init_temp = + case MAC_INIT_SOCKET_LABEL: + mpc->mpc_ops->mpo_init_socket_label = mpe->mpe_function; break; - case MAC_INIT_VNODE: - mpc->mpc_ops->mpo_init_vnode = + case MAC_INIT_SOCKET_PEER_LABEL: + mpc->mpc_ops->mpo_init_socket_peer_label = mpe->mpe_function; break; - case MAC_DESTROY_BPFDESC: - mpc->mpc_ops->mpo_destroy_bpfdesc = + case MAC_INIT_TEMP_LABEL: + mpc->mpc_ops->mpo_init_temp_label = mpe->mpe_function; break; - case MAC_DESTROY_CRED: - 
mpc->mpc_ops->mpo_destroy_cred = + case MAC_INIT_VNODE_LABEL: + mpc->mpc_ops->mpo_init_vnode_label = mpe->mpe_function; break; - case MAC_DESTROY_DEVFSDIRENT: - mpc->mpc_ops->mpo_destroy_devfsdirent = + case MAC_DESTROY_BPFDESC_LABEL: + mpc->mpc_ops->mpo_destroy_bpfdesc_label = mpe->mpe_function; break; - case MAC_DESTROY_IFNET: - mpc->mpc_ops->mpo_destroy_ifnet = + case MAC_DESTROY_CRED_LABEL: + mpc->mpc_ops->mpo_destroy_cred_label = mpe->mpe_function; break; - case MAC_DESTROY_IPQ: - mpc->mpc_ops->mpo_destroy_ipq = + case MAC_DESTROY_DEVFSDIRENT_LABEL: + mpc->mpc_ops->mpo_destroy_devfsdirent_label = mpe->mpe_function; break; - case MAC_DESTROY_MBUF: - mpc->mpc_ops->mpo_destroy_mbuf = + case MAC_DESTROY_IFNET_LABEL: + mpc->mpc_ops->mpo_destroy_ifnet_label = mpe->mpe_function; break; - case MAC_DESTROY_MOUNT: - mpc->mpc_ops->mpo_destroy_mount = + case MAC_DESTROY_IPQ_LABEL: + mpc->mpc_ops->mpo_destroy_ipq_label = mpe->mpe_function; break; - case MAC_DESTROY_PIPE: - mpc->mpc_ops->mpo_destroy_pipe = + case MAC_DESTROY_MBUF_LABEL: + mpc->mpc_ops->mpo_destroy_mbuf_label = mpe->mpe_function; break; - case MAC_DESTROY_SOCKET: - mpc->mpc_ops->mpo_destroy_socket = + case MAC_DESTROY_MOUNT_LABEL: + mpc->mpc_ops->mpo_destroy_mount_label = mpe->mpe_function; break; - case MAC_DESTROY_TEMP: - mpc->mpc_ops->mpo_destroy_temp = + case MAC_DESTROY_MOUNT_FS_LABEL: + mpc->mpc_ops->mpo_destroy_mount_fs_label = mpe->mpe_function; break; - case MAC_DESTROY_VNODE: - mpc->mpc_ops->mpo_destroy_vnode = + case MAC_DESTROY_PIPE_LABEL: + mpc->mpc_ops->mpo_destroy_pipe_label = + mpe->mpe_function; + break; + case MAC_DESTROY_SOCKET_LABEL: + mpc->mpc_ops->mpo_destroy_socket_label = + mpe->mpe_function; + break; + case MAC_DESTROY_SOCKET_PEER_LABEL: + mpc->mpc_ops->mpo_destroy_socket_peer_label = + mpe->mpe_function; + break; + case MAC_DESTROY_TEMP_LABEL: + mpc->mpc_ops->mpo_destroy_temp_label = + mpe->mpe_function; + break; + case MAC_DESTROY_VNODE_LABEL: + 
mpc->mpc_ops->mpo_destroy_vnode_label = mpe->mpe_function; break; case MAC_EXTERNALIZE: @@ -1290,7 +1306,7 @@ mac_init_mbuf(struct mbuf *m, int how) /* "how" is one of M_(TRY|DONT)WAIT */ mac_init_label(&m->m_pkthdr.label); - MAC_PERFORM(init_mbuf, m, how, &m->m_pkthdr.label); + MAC_PERFORM(init_mbuf_label, &m->m_pkthdr.label, how); #ifdef MAC_DEBUG atomic_add_int(&nmacmbufs, 1); #endif @@ -1301,7 +1317,7 @@ void mac_destroy_mbuf(struct mbuf *m) { - MAC_PERFORM(destroy_mbuf, m, &m->m_pkthdr.label); + MAC_PERFORM(destroy_mbuf_label, &m->m_pkthdr.label); mac_destroy_label(&m->m_pkthdr.label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacmbufs, 1); @@ -1313,7 +1329,7 @@ mac_init_cred(struct ucred *cr) { mac_init_label(&cr->cr_label); - MAC_PERFORM(init_cred, cr, &cr->cr_label); + MAC_PERFORM(init_cred_label, &cr->cr_label); #ifdef MAC_DEBUG atomic_add_int(&nmaccreds, 1); #endif @@ -1323,7 +1339,7 @@ void mac_destroy_cred(struct ucred *cr) { - MAC_PERFORM(destroy_cred, cr, &cr->cr_label); + MAC_PERFORM(destroy_cred_label, &cr->cr_label); mac_destroy_label(&cr->cr_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmaccreds, 1); @@ -1335,7 +1351,7 @@ mac_init_ifnet(struct ifnet *ifp) { mac_init_label(&ifp->if_label); - MAC_PERFORM(init_ifnet, ifp, &ifp->if_label); + MAC_PERFORM(init_ifnet_label, &ifp->if_label); #ifdef MAC_DEBUG atomic_add_int(&nmacifnets, 1); #endif @@ -1345,7 +1361,7 @@ void mac_destroy_ifnet(struct ifnet *ifp) { - MAC_PERFORM(destroy_ifnet, ifp, &ifp->if_label); + MAC_PERFORM(destroy_ifnet_label, &ifp->if_label); mac_destroy_label(&ifp->if_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacifnets, 1); @@ -1357,7 +1373,7 @@ mac_init_ipq(struct ipq *ipq) { mac_init_label(&ipq->ipq_label); - MAC_PERFORM(init_ipq, ipq, &ipq->ipq_label); + MAC_PERFORM(init_ipq_label, &ipq->ipq_label); #ifdef MAC_DEBUG atomic_add_int(&nmacipqs, 1); #endif 
@@ -1367,7 +1383,7 @@ void mac_destroy_ipq(struct ipq *ipq) { - MAC_PERFORM(destroy_ipq, ipq, &ipq->ipq_label); + MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label); mac_destroy_label(&ipq->ipq_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacipqs, 1); @@ -1380,8 +1396,8 @@ mac_init_socket(struct socket *socket) mac_init_label(&socket->so_label); mac_init_label(&socket->so_peerlabel); - MAC_PERFORM(init_socket, socket, &socket->so_label, - &socket->so_peerlabel); + MAC_PERFORM(init_socket_label, &socket->so_label); + MAC_PERFORM(init_socket_peer_label, &socket->so_peerlabel); #ifdef MAC_DEBUG atomic_add_int(&nmacsockets, 1); #endif @@ -1391,8 +1407,8 @@ void mac_destroy_socket(struct socket *socket) { - MAC_PERFORM(destroy_socket, socket, &socket->so_label, - &socket->so_peerlabel); + MAC_PERFORM(destroy_socket_label, &socket->so_label); + MAC_PERFORM(destroy_socket_peer_label, &socket->so_peerlabel); mac_destroy_label(&socket->so_label); mac_destroy_label(&socket->so_peerlabel); #ifdef MAC_DEBUG @@ -1409,7 +1425,7 @@ mac_init_pipe(struct pipe *pipe) mac_init_label(label); pipe->pipe_label = label; pipe->pipe_peer->pipe_label = label; - MAC_PERFORM(init_pipe, pipe, pipe->pipe_label); + MAC_PERFORM(init_pipe_label, pipe->pipe_label); #ifdef MAC_DEBUG atomic_add_int(&nmacpipes, 1); #endif @@ -1419,7 +1435,7 @@ void mac_destroy_pipe(struct pipe *pipe) { - MAC_PERFORM(destroy_pipe, pipe, pipe->pipe_label); + MAC_PERFORM(destroy_pipe_label, pipe->pipe_label); mac_destroy_label(pipe->pipe_label); free(pipe->pipe_label, M_MACPIPELABEL); #ifdef MAC_DEBUG @@ -1432,7 +1448,7 @@ mac_init_bpfdesc(struct bpf_d *bpf_d) { mac_init_label(&bpf_d->bd_label); - MAC_PERFORM(init_bpfdesc, bpf_d, &bpf_d->bd_label); + MAC_PERFORM(init_bpfdesc_label, &bpf_d->bd_label); #ifdef MAC_DEBUG atomic_add_int(&nmacbpfdescs, 1); #endif 
@@ -1442,7 +1458,7 @@ void mac_destroy_bpfdesc(struct bpf_d *bpf_d) { - MAC_PERFORM(destroy_bpfdesc, bpf_d, &bpf_d->bd_label); + MAC_PERFORM(destroy_bpfdesc_label, &bpf_d->bd_label); mac_destroy_label(&bpf_d->bd_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacbpfdescs, 1); @@ -1455,7 +1471,8 @@ mac_init_mount(struct mount *mp) mac_init_label(&mp->mnt_mntlabel); mac_init_label(&mp->mnt_fslabel); - MAC_PERFORM(init_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel); + MAC_PERFORM(init_mount_label, &mp->mnt_mntlabel); + MAC_PERFORM(init_mount_fs_label, &mp->mnt_fslabel); #ifdef MAC_DEBUG atomic_add_int(&nmacmounts, 1); #endif @@ -1465,7 +1482,8 @@ void mac_destroy_mount(struct mount *mp) { - MAC_PERFORM(destroy_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel); + MAC_PERFORM(destroy_mount_label, &mp->mnt_mntlabel); + MAC_PERFORM(destroy_mount_fs_label, &mp->mnt_fslabel); mac_destroy_label(&mp->mnt_fslabel); mac_destroy_label(&mp->mnt_mntlabel); #ifdef MAC_DEBUG @@ -1478,7 +1496,7 @@ mac_init_temp(struct label *label) { mac_init_label(label); - MAC_PERFORM(init_temp, label); + MAC_PERFORM(init_temp_label, label); #ifdef MAC_DEBUG atomic_add_int(&nmactemp, 1); #endif @@ -1488,7 +1506,7 @@ static void mac_destroy_temp(struct label *label) { - MAC_PERFORM(destroy_temp, label); + MAC_PERFORM(destroy_temp_label, label); mac_destroy_label(label); #ifdef MAC_DEBUG atomic_subtract_int(&nmactemp, 1); @@ -1500,7 +1518,7 @@ mac_init_vnode(struct vnode *vp) { mac_init_label(&vp->v_label); - MAC_PERFORM(init_vnode, vp, &vp->v_label); + MAC_PERFORM(init_vnode_label, &vp->v_label); #ifdef MAC_DEBUG atomic_add_int(&nmacvnodes, 1); #endif @@ -1510,7 +1528,7 @@ void mac_destroy_vnode(struct vnode *vp) { - MAC_PERFORM(destroy_vnode, vp, &vp->v_label); + MAC_PERFORM(destroy_vnode_label, &vp->v_label); mac_destroy_label(&vp->v_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacvnodes, 1); 
@@ -1522,7 +1540,7 @@ mac_init_devfsdirent(struct devfs_dirent *de) { mac_init_label(&de->de_label); - MAC_PERFORM(init_devfsdirent, de, &de->de_label); + MAC_PERFORM(init_devfsdirent_label, &de->de_label); #ifdef MAC_DEBUG atomic_add_int(&nmacdevfsdirents, 1); #endif @@ -1532,7 +1550,7 @@ void mac_destroy_devfsdirent(struct devfs_dirent *de) { - MAC_PERFORM(destroy_devfsdirent, de, &de->de_label); + MAC_PERFORM(destroy_devfsdirent_label, &de->de_label); mac_destroy_label(&de->de_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacdevfsdirents, 1); diff --git a/sys/security/mac/mac_net.c b/sys/security/mac/mac_net.c index 2c07abe..cfe6670 100644 --- a/sys/security/mac/mac_net.c +++ b/sys/security/mac/mac_net.c 
@@ -394,92 +394,108 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_syscall = mpe->mpe_function; break; - case MAC_INIT_BPFDESC: - mpc->mpc_ops->mpo_init_bpfdesc = + case MAC_INIT_BPFDESC_LABEL: + mpc->mpc_ops->mpo_init_bpfdesc_label = mpe->mpe_function; break; - case MAC_INIT_CRED: - mpc->mpc_ops->mpo_init_cred = + case MAC_INIT_CRED_LABEL: + mpc->mpc_ops->mpo_init_cred_label = mpe->mpe_function; break; - case MAC_INIT_DEVFSDIRENT: - mpc->mpc_ops->mpo_init_devfsdirent = + case MAC_INIT_DEVFSDIRENT_LABEL: + mpc->mpc_ops->mpo_init_devfsdirent_label = mpe->mpe_function; break; - case MAC_INIT_IFNET: - mpc->mpc_ops->mpo_init_ifnet = + case MAC_INIT_IFNET_LABEL: + mpc->mpc_ops->mpo_init_ifnet_label = mpe->mpe_function; break; - case MAC_INIT_IPQ: - mpc->mpc_ops->mpo_init_ipq = + case MAC_INIT_IPQ_LABEL: + mpc->mpc_ops->mpo_init_ipq_label = mpe->mpe_function; break; - case MAC_INIT_MBUF: - mpc->mpc_ops->mpo_init_mbuf = + case MAC_INIT_MBUF_LABEL: + mpc->mpc_ops->mpo_init_mbuf_label = mpe->mpe_function; break; - case MAC_INIT_MOUNT: - mpc->mpc_ops->mpo_init_mount = + case MAC_INIT_MOUNT_LABEL: + mpc->mpc_ops->mpo_init_mount_label = mpe->mpe_function; break; - case MAC_INIT_PIPE: - mpc->mpc_ops->mpo_init_pipe = + case MAC_INIT_MOUNT_FS_LABEL: + mpc->mpc_ops->mpo_init_mount_fs_label = mpe->mpe_function; break; - case MAC_INIT_SOCKET: - mpc->mpc_ops->mpo_init_socket = + case MAC_INIT_PIPE_LABEL: + mpc->mpc_ops->mpo_init_pipe_label = mpe->mpe_function; break; - case MAC_INIT_TEMP: - mpc->mpc_ops->mpo_init_temp = + case MAC_INIT_SOCKET_LABEL: + mpc->mpc_ops->mpo_init_socket_label = mpe->mpe_function; break; - case MAC_INIT_VNODE: - mpc->mpc_ops->mpo_init_vnode = + case MAC_INIT_SOCKET_PEER_LABEL: + mpc->mpc_ops->mpo_init_socket_peer_label = mpe->mpe_function; break; - case MAC_DESTROY_BPFDESC: - mpc->mpc_ops->mpo_destroy_bpfdesc = + case MAC_INIT_TEMP_LABEL: + mpc->mpc_ops->mpo_init_temp_label = mpe->mpe_function; break; - case MAC_DESTROY_CRED: - 
mpc->mpc_ops->mpo_destroy_cred = + case MAC_INIT_VNODE_LABEL: + mpc->mpc_ops->mpo_init_vnode_label = mpe->mpe_function; break; - case MAC_DESTROY_DEVFSDIRENT: - mpc->mpc_ops->mpo_destroy_devfsdirent = + case MAC_DESTROY_BPFDESC_LABEL: + mpc->mpc_ops->mpo_destroy_bpfdesc_label = mpe->mpe_function; break; - case MAC_DESTROY_IFNET: - mpc->mpc_ops->mpo_destroy_ifnet = + case MAC_DESTROY_CRED_LABEL: + mpc->mpc_ops->mpo_destroy_cred_label = mpe->mpe_function; break; - case MAC_DESTROY_IPQ: - mpc->mpc_ops->mpo_destroy_ipq = + case MAC_DESTROY_DEVFSDIRENT_LABEL: + mpc->mpc_ops->mpo_destroy_devfsdirent_label = mpe->mpe_function; break; - case MAC_DESTROY_MBUF: - mpc->mpc_ops->mpo_destroy_mbuf = + case MAC_DESTROY_IFNET_LABEL: + mpc->mpc_ops->mpo_destroy_ifnet_label = mpe->mpe_function; break; - case MAC_DESTROY_MOUNT: - mpc->mpc_ops->mpo_destroy_mount = + case MAC_DESTROY_IPQ_LABEL: + mpc->mpc_ops->mpo_destroy_ipq_label = mpe->mpe_function; break; - case MAC_DESTROY_PIPE: - mpc->mpc_ops->mpo_destroy_pipe = + case MAC_DESTROY_MBUF_LABEL: + mpc->mpc_ops->mpo_destroy_mbuf_label = mpe->mpe_function; break; - case MAC_DESTROY_SOCKET: - mpc->mpc_ops->mpo_destroy_socket = + case MAC_DESTROY_MOUNT_LABEL: + mpc->mpc_ops->mpo_destroy_mount_label = mpe->mpe_function; break; - case MAC_DESTROY_TEMP: - mpc->mpc_ops->mpo_destroy_temp = + case MAC_DESTROY_MOUNT_FS_LABEL: + mpc->mpc_ops->mpo_destroy_mount_fs_label = mpe->mpe_function; break; - case MAC_DESTROY_VNODE: - mpc->mpc_ops->mpo_destroy_vnode = + case MAC_DESTROY_PIPE_LABEL: + mpc->mpc_ops->mpo_destroy_pipe_label = + mpe->mpe_function; + break; + case MAC_DESTROY_SOCKET_LABEL: + mpc->mpc_ops->mpo_destroy_socket_label = + mpe->mpe_function; + break; + case MAC_DESTROY_SOCKET_PEER_LABEL: + mpc->mpc_ops->mpo_destroy_socket_peer_label = + mpe->mpe_function; + break; + case MAC_DESTROY_TEMP_LABEL: + mpc->mpc_ops->mpo_destroy_temp_label = + mpe->mpe_function; + break; + case MAC_DESTROY_VNODE_LABEL: + 
mpc->mpc_ops->mpo_destroy_vnode_label = mpe->mpe_function; break; case MAC_EXTERNALIZE: @@ -1290,7 +1306,7 @@ mac_init_mbuf(struct mbuf *m, int how) /* "how" is one of M_(TRY|DONT)WAIT */ mac_init_label(&m->m_pkthdr.label); - MAC_PERFORM(init_mbuf, m, how, &m->m_pkthdr.label); + MAC_PERFORM(init_mbuf_label, &m->m_pkthdr.label, how); #ifdef MAC_DEBUG atomic_add_int(&nmacmbufs, 1); #endif @@ -1301,7 +1317,7 @@ void mac_destroy_mbuf(struct mbuf *m) { - MAC_PERFORM(destroy_mbuf, m, &m->m_pkthdr.label); + MAC_PERFORM(destroy_mbuf_label, &m->m_pkthdr.label); mac_destroy_label(&m->m_pkthdr.label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacmbufs, 1); @@ -1313,7 +1329,7 @@ mac_init_cred(struct ucred *cr) { mac_init_label(&cr->cr_label); - MAC_PERFORM(init_cred, cr, &cr->cr_label); + MAC_PERFORM(init_cred_label, &cr->cr_label); #ifdef MAC_DEBUG atomic_add_int(&nmaccreds, 1); #endif @@ -1323,7 +1339,7 @@ void mac_destroy_cred(struct ucred *cr) { - MAC_PERFORM(destroy_cred, cr, &cr->cr_label); + MAC_PERFORM(destroy_cred_label, &cr->cr_label); mac_destroy_label(&cr->cr_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmaccreds, 1); @@ -1335,7 +1351,7 @@ mac_init_ifnet(struct ifnet *ifp) { mac_init_label(&ifp->if_label); - MAC_PERFORM(init_ifnet, ifp, &ifp->if_label); + MAC_PERFORM(init_ifnet_label, &ifp->if_label); #ifdef MAC_DEBUG atomic_add_int(&nmacifnets, 1); #endif @@ -1345,7 +1361,7 @@ void mac_destroy_ifnet(struct ifnet *ifp) { - MAC_PERFORM(destroy_ifnet, ifp, &ifp->if_label); + MAC_PERFORM(destroy_ifnet_label, &ifp->if_label); mac_destroy_label(&ifp->if_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacifnets, 1); @@ -1357,7 +1373,7 @@ mac_init_ipq(struct ipq *ipq) { mac_init_label(&ipq->ipq_label); - MAC_PERFORM(init_ipq, ipq, &ipq->ipq_label); + MAC_PERFORM(init_ipq_label, &ipq->ipq_label); #ifdef MAC_DEBUG atomic_add_int(&nmacipqs, 1); #endif 
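Review bot: `MAC_PERFORM(init_mbuf_label, &m->m_pkthdr.label, how)` discards the status of the only label-initialization entry point that returns one: mac_policy.h in this same commit declares `mpo_init_mbuf_label` as `int (*)(struct label *label, int flag)`, and MAC_PERFORM, judging by its name and by the void entry points it dispatches everywhere else in these hunks, does not collect return values, so a policy that cannot allocate label storage under M_DONTWAIT fails without the mbuf's caller ever learning it. If the framework's error-accumulating MAC_CHECK macro can be used for an init entry point, dispatch through it instead and return the accumulated error from mac_init_mbuf; otherwise document on the declaration that a failure under M_DONTWAIT is ignored. mac_init_mbuf's return type and the rest of its body are outside the hunk, so whether it already has an error path cannot be confirmed here. The identical hunk recurs in the mac_pipe.c and mac_process.c sections below.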
@@ -1367,7 +1383,7 @@ void mac_destroy_ipq(struct ipq *ipq) { - MAC_PERFORM(destroy_ipq, ipq, &ipq->ipq_label); + MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label); mac_destroy_label(&ipq->ipq_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacipqs, 1); @@ -1380,8 +1396,8 @@ mac_init_socket(struct socket *socket) mac_init_label(&socket->so_label); mac_init_label(&socket->so_peerlabel); - MAC_PERFORM(init_socket, socket, &socket->so_label, - &socket->so_peerlabel); + MAC_PERFORM(init_socket_label, &socket->so_label); + MAC_PERFORM(init_socket_peer_label, &socket->so_peerlabel); #ifdef MAC_DEBUG atomic_add_int(&nmacsockets, 1); #endif @@ -1391,8 +1407,8 @@ void mac_destroy_socket(struct socket *socket) { - MAC_PERFORM(destroy_socket, socket, &socket->so_label, - &socket->so_peerlabel); + MAC_PERFORM(destroy_socket_label, &socket->so_label); + MAC_PERFORM(destroy_socket_peer_label, &socket->so_peerlabel); mac_destroy_label(&socket->so_label); mac_destroy_label(&socket->so_peerlabel); #ifdef MAC_DEBUG @@ -1409,7 +1425,7 @@ mac_init_pipe(struct pipe *pipe) mac_init_label(label); pipe->pipe_label = label; pipe->pipe_peer->pipe_label = label; - MAC_PERFORM(init_pipe, pipe, pipe->pipe_label); + MAC_PERFORM(init_pipe_label, pipe->pipe_label); #ifdef MAC_DEBUG atomic_add_int(&nmacpipes, 1); #endif @@ -1419,7 +1435,7 @@ void mac_destroy_pipe(struct pipe *pipe) { - MAC_PERFORM(destroy_pipe, pipe, pipe->pipe_label); + MAC_PERFORM(destroy_pipe_label, pipe->pipe_label); mac_destroy_label(pipe->pipe_label); free(pipe->pipe_label, M_MACPIPELABEL); #ifdef MAC_DEBUG @@ -1432,7 +1448,7 @@ mac_init_bpfdesc(struct bpf_d *bpf_d) { mac_init_label(&bpf_d->bd_label); - MAC_PERFORM(init_bpfdesc, bpf_d, &bpf_d->bd_label); + MAC_PERFORM(init_bpfdesc_label, &bpf_d->bd_label); #ifdef MAC_DEBUG atomic_add_int(&nmacbpfdescs, 1); #endif 
@@ -1442,7 +1458,7 @@ void mac_destroy_bpfdesc(struct bpf_d *bpf_d) { - MAC_PERFORM(destroy_bpfdesc, bpf_d, &bpf_d->bd_label); + MAC_PERFORM(destroy_bpfdesc_label, &bpf_d->bd_label); mac_destroy_label(&bpf_d->bd_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacbpfdescs, 1); @@ -1455,7 +1471,8 @@ mac_init_mount(struct mount *mp) mac_init_label(&mp->mnt_mntlabel); mac_init_label(&mp->mnt_fslabel); - MAC_PERFORM(init_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel); + MAC_PERFORM(init_mount_label, &mp->mnt_mntlabel); + MAC_PERFORM(init_mount_fs_label, &mp->mnt_fslabel); #ifdef MAC_DEBUG atomic_add_int(&nmacmounts, 1); #endif @@ -1465,7 +1482,8 @@ void mac_destroy_mount(struct mount *mp) { - MAC_PERFORM(destroy_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel); + MAC_PERFORM(destroy_mount_label, &mp->mnt_mntlabel); + MAC_PERFORM(destroy_mount_fs_label, &mp->mnt_fslabel); mac_destroy_label(&mp->mnt_fslabel); mac_destroy_label(&mp->mnt_mntlabel); #ifdef MAC_DEBUG @@ -1478,7 +1496,7 @@ mac_init_temp(struct label *label) { mac_init_label(label); - MAC_PERFORM(init_temp, label); + MAC_PERFORM(init_temp_label, label); #ifdef MAC_DEBUG atomic_add_int(&nmactemp, 1); #endif @@ -1488,7 +1506,7 @@ static void mac_destroy_temp(struct label *label) { - MAC_PERFORM(destroy_temp, label); + MAC_PERFORM(destroy_temp_label, label); mac_destroy_label(label); #ifdef MAC_DEBUG atomic_subtract_int(&nmactemp, 1); @@ -1500,7 +1518,7 @@ mac_init_vnode(struct vnode *vp) { mac_init_label(&vp->v_label); - MAC_PERFORM(init_vnode, vp, &vp->v_label); + MAC_PERFORM(init_vnode_label, &vp->v_label); #ifdef MAC_DEBUG atomic_add_int(&nmacvnodes, 1); #endif @@ -1510,7 +1528,7 @@ void mac_destroy_vnode(struct vnode *vp) { - MAC_PERFORM(destroy_vnode, vp, &vp->v_label); + MAC_PERFORM(destroy_vnode_label, &vp->v_label); mac_destroy_label(&vp->v_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacvnodes, 1); 
@@ -1522,7 +1540,7 @@ mac_init_devfsdirent(struct devfs_dirent *de) { mac_init_label(&de->de_label); - MAC_PERFORM(init_devfsdirent, de, &de->de_label); + MAC_PERFORM(init_devfsdirent_label, &de->de_label); #ifdef MAC_DEBUG atomic_add_int(&nmacdevfsdirents, 1); #endif @@ -1532,7 +1550,7 @@ void mac_destroy_devfsdirent(struct devfs_dirent *de) { - MAC_PERFORM(destroy_devfsdirent, de, &de->de_label); + MAC_PERFORM(destroy_devfsdirent_label, &de->de_label); mac_destroy_label(&de->de_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacdevfsdirents, 1); diff --git a/sys/security/mac/mac_pipe.c b/sys/security/mac/mac_pipe.c index 2c07abe..cfe6670 100644 --- a/sys/security/mac/mac_pipe.c +++ b/sys/security/mac/mac_pipe.c 
@@ -394,92 +394,108 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_syscall = mpe->mpe_function; break; - case MAC_INIT_BPFDESC: - mpc->mpc_ops->mpo_init_bpfdesc = + case MAC_INIT_BPFDESC_LABEL: + mpc->mpc_ops->mpo_init_bpfdesc_label = mpe->mpe_function; break; - case MAC_INIT_CRED: - mpc->mpc_ops->mpo_init_cred = + case MAC_INIT_CRED_LABEL: + mpc->mpc_ops->mpo_init_cred_label = mpe->mpe_function; break; - case MAC_INIT_DEVFSDIRENT: - mpc->mpc_ops->mpo_init_devfsdirent = + case MAC_INIT_DEVFSDIRENT_LABEL: + mpc->mpc_ops->mpo_init_devfsdirent_label = mpe->mpe_function; break; - case MAC_INIT_IFNET: - mpc->mpc_ops->mpo_init_ifnet = + case MAC_INIT_IFNET_LABEL: + mpc->mpc_ops->mpo_init_ifnet_label = mpe->mpe_function; break; - case MAC_INIT_IPQ: - mpc->mpc_ops->mpo_init_ipq = + case MAC_INIT_IPQ_LABEL: + mpc->mpc_ops->mpo_init_ipq_label = mpe->mpe_function; break; - case MAC_INIT_MBUF: - mpc->mpc_ops->mpo_init_mbuf = + case MAC_INIT_MBUF_LABEL: + mpc->mpc_ops->mpo_init_mbuf_label = mpe->mpe_function; break; - case MAC_INIT_MOUNT: - mpc->mpc_ops->mpo_init_mount = + case MAC_INIT_MOUNT_LABEL: + mpc->mpc_ops->mpo_init_mount_label = mpe->mpe_function; break; - case MAC_INIT_PIPE: - mpc->mpc_ops->mpo_init_pipe = + case MAC_INIT_MOUNT_FS_LABEL: + mpc->mpc_ops->mpo_init_mount_fs_label = mpe->mpe_function; break; - case MAC_INIT_SOCKET: - mpc->mpc_ops->mpo_init_socket = + case MAC_INIT_PIPE_LABEL: + mpc->mpc_ops->mpo_init_pipe_label = mpe->mpe_function; break; - case MAC_INIT_TEMP: - mpc->mpc_ops->mpo_init_temp = + case MAC_INIT_SOCKET_LABEL: + mpc->mpc_ops->mpo_init_socket_label = mpe->mpe_function; break; - case MAC_INIT_VNODE: - mpc->mpc_ops->mpo_init_vnode = + case MAC_INIT_SOCKET_PEER_LABEL: + mpc->mpc_ops->mpo_init_socket_peer_label = mpe->mpe_function; break; - case MAC_DESTROY_BPFDESC: - mpc->mpc_ops->mpo_destroy_bpfdesc = + case MAC_INIT_TEMP_LABEL: + mpc->mpc_ops->mpo_init_temp_label = mpe->mpe_function; break; - case MAC_DESTROY_CRED: - 
mpc->mpc_ops->mpo_destroy_cred = + case MAC_INIT_VNODE_LABEL: + mpc->mpc_ops->mpo_init_vnode_label = mpe->mpe_function; break; - case MAC_DESTROY_DEVFSDIRENT: - mpc->mpc_ops->mpo_destroy_devfsdirent = + case MAC_DESTROY_BPFDESC_LABEL: + mpc->mpc_ops->mpo_destroy_bpfdesc_label = mpe->mpe_function; break; - case MAC_DESTROY_IFNET: - mpc->mpc_ops->mpo_destroy_ifnet = + case MAC_DESTROY_CRED_LABEL: + mpc->mpc_ops->mpo_destroy_cred_label = mpe->mpe_function; break; - case MAC_DESTROY_IPQ: - mpc->mpc_ops->mpo_destroy_ipq = + case MAC_DESTROY_DEVFSDIRENT_LABEL: + mpc->mpc_ops->mpo_destroy_devfsdirent_label = mpe->mpe_function; break; - case MAC_DESTROY_MBUF: - mpc->mpc_ops->mpo_destroy_mbuf = + case MAC_DESTROY_IFNET_LABEL: + mpc->mpc_ops->mpo_destroy_ifnet_label = mpe->mpe_function; break; - case MAC_DESTROY_MOUNT: - mpc->mpc_ops->mpo_destroy_mount = + case MAC_DESTROY_IPQ_LABEL: + mpc->mpc_ops->mpo_destroy_ipq_label = mpe->mpe_function; break; - case MAC_DESTROY_PIPE: - mpc->mpc_ops->mpo_destroy_pipe = + case MAC_DESTROY_MBUF_LABEL: + mpc->mpc_ops->mpo_destroy_mbuf_label = mpe->mpe_function; break; - case MAC_DESTROY_SOCKET: - mpc->mpc_ops->mpo_destroy_socket = + case MAC_DESTROY_MOUNT_LABEL: + mpc->mpc_ops->mpo_destroy_mount_label = mpe->mpe_function; break; - case MAC_DESTROY_TEMP: - mpc->mpc_ops->mpo_destroy_temp = + case MAC_DESTROY_MOUNT_FS_LABEL: + mpc->mpc_ops->mpo_destroy_mount_fs_label = mpe->mpe_function; break; - case MAC_DESTROY_VNODE: - mpc->mpc_ops->mpo_destroy_vnode = + case MAC_DESTROY_PIPE_LABEL: + mpc->mpc_ops->mpo_destroy_pipe_label = + mpe->mpe_function; + break; + case MAC_DESTROY_SOCKET_LABEL: + mpc->mpc_ops->mpo_destroy_socket_label = + mpe->mpe_function; + break; + case MAC_DESTROY_SOCKET_PEER_LABEL: + mpc->mpc_ops->mpo_destroy_socket_peer_label = + mpe->mpe_function; + break; + case MAC_DESTROY_TEMP_LABEL: + mpc->mpc_ops->mpo_destroy_temp_label = + mpe->mpe_function; + break; + case MAC_DESTROY_VNODE_LABEL: + 
mpc->mpc_ops->mpo_destroy_vnode_label = mpe->mpe_function; break; case MAC_EXTERNALIZE: @@ -1290,7 +1306,7 @@ mac_init_mbuf(struct mbuf *m, int how) /* "how" is one of M_(TRY|DONT)WAIT */ mac_init_label(&m->m_pkthdr.label); - MAC_PERFORM(init_mbuf, m, how, &m->m_pkthdr.label); + MAC_PERFORM(init_mbuf_label, &m->m_pkthdr.label, how); #ifdef MAC_DEBUG atomic_add_int(&nmacmbufs, 1); #endif @@ -1301,7 +1317,7 @@ void mac_destroy_mbuf(struct mbuf *m) { - MAC_PERFORM(destroy_mbuf, m, &m->m_pkthdr.label); + MAC_PERFORM(destroy_mbuf_label, &m->m_pkthdr.label); mac_destroy_label(&m->m_pkthdr.label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacmbufs, 1); @@ -1313,7 +1329,7 @@ mac_init_cred(struct ucred *cr) { mac_init_label(&cr->cr_label); - MAC_PERFORM(init_cred, cr, &cr->cr_label); + MAC_PERFORM(init_cred_label, &cr->cr_label); #ifdef MAC_DEBUG atomic_add_int(&nmaccreds, 1); #endif @@ -1323,7 +1339,7 @@ void mac_destroy_cred(struct ucred *cr) { - MAC_PERFORM(destroy_cred, cr, &cr->cr_label); + MAC_PERFORM(destroy_cred_label, &cr->cr_label); mac_destroy_label(&cr->cr_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmaccreds, 1); @@ -1335,7 +1351,7 @@ mac_init_ifnet(struct ifnet *ifp) { mac_init_label(&ifp->if_label); - MAC_PERFORM(init_ifnet, ifp, &ifp->if_label); + MAC_PERFORM(init_ifnet_label, &ifp->if_label); #ifdef MAC_DEBUG atomic_add_int(&nmacifnets, 1); #endif @@ -1345,7 +1361,7 @@ void mac_destroy_ifnet(struct ifnet *ifp) { - MAC_PERFORM(destroy_ifnet, ifp, &ifp->if_label); + MAC_PERFORM(destroy_ifnet_label, &ifp->if_label); mac_destroy_label(&ifp->if_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacifnets, 1); @@ -1357,7 +1373,7 @@ mac_init_ipq(struct ipq *ipq) { mac_init_label(&ipq->ipq_label); - MAC_PERFORM(init_ipq, ipq, &ipq->ipq_label); + MAC_PERFORM(init_ipq_label, &ipq->ipq_label); #ifdef MAC_DEBUG atomic_add_int(&nmacipqs, 1); #endif 
@@ -1367,7 +1383,7 @@ void mac_destroy_ipq(struct ipq *ipq) { - MAC_PERFORM(destroy_ipq, ipq, &ipq->ipq_label); + MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label); mac_destroy_label(&ipq->ipq_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacipqs, 1); @@ -1380,8 +1396,8 @@ mac_init_socket(struct socket *socket) mac_init_label(&socket->so_label); mac_init_label(&socket->so_peerlabel); - MAC_PERFORM(init_socket, socket, &socket->so_label, - &socket->so_peerlabel); + MAC_PERFORM(init_socket_label, &socket->so_label); + MAC_PERFORM(init_socket_peer_label, &socket->so_peerlabel); #ifdef MAC_DEBUG atomic_add_int(&nmacsockets, 1); #endif @@ -1391,8 +1407,8 @@ void mac_destroy_socket(struct socket *socket) { - MAC_PERFORM(destroy_socket, socket, &socket->so_label, - &socket->so_peerlabel); + MAC_PERFORM(destroy_socket_label, &socket->so_label); + MAC_PERFORM(destroy_socket_peer_label, &socket->so_peerlabel); mac_destroy_label(&socket->so_label); mac_destroy_label(&socket->so_peerlabel); #ifdef MAC_DEBUG @@ -1409,7 +1425,7 @@ mac_init_pipe(struct pipe *pipe) mac_init_label(label); pipe->pipe_label = label; pipe->pipe_peer->pipe_label = label; - MAC_PERFORM(init_pipe, pipe, pipe->pipe_label); + MAC_PERFORM(init_pipe_label, pipe->pipe_label); #ifdef MAC_DEBUG atomic_add_int(&nmacpipes, 1); #endif @@ -1419,7 +1435,7 @@ void mac_destroy_pipe(struct pipe *pipe) { - MAC_PERFORM(destroy_pipe, pipe, pipe->pipe_label); + MAC_PERFORM(destroy_pipe_label, pipe->pipe_label); mac_destroy_label(pipe->pipe_label); free(pipe->pipe_label, M_MACPIPELABEL); #ifdef MAC_DEBUG @@ -1432,7 +1448,7 @@ mac_init_bpfdesc(struct bpf_d *bpf_d) { mac_init_label(&bpf_d->bd_label); - MAC_PERFORM(init_bpfdesc, bpf_d, &bpf_d->bd_label); + MAC_PERFORM(init_bpfdesc_label, &bpf_d->bd_label); #ifdef MAC_DEBUG atomic_add_int(&nmacbpfdescs, 1); #endif 
@@ -1442,7 +1458,7 @@ void mac_destroy_bpfdesc(struct bpf_d *bpf_d) { - MAC_PERFORM(destroy_bpfdesc, bpf_d, &bpf_d->bd_label); + MAC_PERFORM(destroy_bpfdesc_label, &bpf_d->bd_label); mac_destroy_label(&bpf_d->bd_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacbpfdescs, 1); @@ -1455,7 +1471,8 @@ mac_init_mount(struct mount *mp) mac_init_label(&mp->mnt_mntlabel); mac_init_label(&mp->mnt_fslabel); - MAC_PERFORM(init_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel); + MAC_PERFORM(init_mount_label, &mp->mnt_mntlabel); + MAC_PERFORM(init_mount_fs_label, &mp->mnt_fslabel); #ifdef MAC_DEBUG atomic_add_int(&nmacmounts, 1); #endif @@ -1465,7 +1482,8 @@ void mac_destroy_mount(struct mount *mp) { - MAC_PERFORM(destroy_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel); + MAC_PERFORM(destroy_mount_label, &mp->mnt_mntlabel); + MAC_PERFORM(destroy_mount_fs_label, &mp->mnt_fslabel); mac_destroy_label(&mp->mnt_fslabel); mac_destroy_label(&mp->mnt_mntlabel); #ifdef MAC_DEBUG @@ -1478,7 +1496,7 @@ mac_init_temp(struct label *label) { mac_init_label(label); - MAC_PERFORM(init_temp, label); + MAC_PERFORM(init_temp_label, label); #ifdef MAC_DEBUG atomic_add_int(&nmactemp, 1); #endif @@ -1488,7 +1506,7 @@ static void mac_destroy_temp(struct label *label) { - MAC_PERFORM(destroy_temp, label); + MAC_PERFORM(destroy_temp_label, label); mac_destroy_label(label); #ifdef MAC_DEBUG atomic_subtract_int(&nmactemp, 1); @@ -1500,7 +1518,7 @@ mac_init_vnode(struct vnode *vp) { mac_init_label(&vp->v_label); - MAC_PERFORM(init_vnode, vp, &vp->v_label); + MAC_PERFORM(init_vnode_label, &vp->v_label); #ifdef MAC_DEBUG atomic_add_int(&nmacvnodes, 1); #endif @@ -1510,7 +1528,7 @@ void mac_destroy_vnode(struct vnode *vp) { - MAC_PERFORM(destroy_vnode, vp, &vp->v_label); + MAC_PERFORM(destroy_vnode_label, &vp->v_label); mac_destroy_label(&vp->v_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacvnodes, 1); 
@@ -1522,7 +1540,7 @@ mac_init_devfsdirent(struct devfs_dirent *de) { mac_init_label(&de->de_label); - MAC_PERFORM(init_devfsdirent, de, &de->de_label); + MAC_PERFORM(init_devfsdirent_label, &de->de_label); #ifdef MAC_DEBUG atomic_add_int(&nmacdevfsdirents, 1); #endif @@ -1532,7 +1550,7 @@ void mac_destroy_devfsdirent(struct devfs_dirent *de) { - MAC_PERFORM(destroy_devfsdirent, de, &de->de_label); + MAC_PERFORM(destroy_devfsdirent_label, &de->de_label); mac_destroy_label(&de->de_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacdevfsdirents, 1); diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h index 52fee33..a54e925 100644 --- a/sys/security/mac/mac_policy.h +++ b/sys/security/mac/mac_policy.h 
@@ -72,34 +72,33 @@ struct mac_policy_ops {
/*
* Label operations.
*/
- void (*mpo_init_bpfdesc)(struct bpf_d *, struct label *label);
- void (*mpo_init_cred)(struct ucred *, struct label *label);
- void (*mpo_init_devfsdirent)(struct devfs_dirent *,
- struct label *label);
- void (*mpo_init_ifnet)(struct ifnet *, struct label *label);
- void (*mpo_init_ipq)(struct ipq *ipq, struct label *label);
- int (*mpo_init_mbuf)(struct mbuf *, int how, struct label *label);
- void (*mpo_init_mount)(struct mount *, struct label *mntlabel,
- struct label *fslabel);
- void (*mpo_init_socket)(struct socket *so, struct label *label,
- struct label *peerlabel);
- void (*mpo_init_pipe)(struct pipe *pipe, struct label *label);
- void (*mpo_init_temp)(struct label *label);
- void (*mpo_init_vnode)(struct vnode *, struct label *label);
- void (*mpo_destroy_bpfdesc)(struct bpf_d *, struct label *label);
- void (*mpo_destroy_cred)(struct ucred *, struct label *label);
- void (*mpo_destroy_devfsdirent)(struct devfs_dirent *de,
- struct label *label);
- void (*mpo_destroy_ifnet)(struct ifnet *, struct label *label);
- void (*mpo_destroy_ipq)(struct ipq *ipq, struct label *label);
- void (*mpo_destroy_mbuf)(struct mbuf *, struct label *label);
- void (*mpo_destroy_mount)(struct mount *, struct label *mntlabel,
- struct label *fslabel);
- void (*mpo_destroy_socket)(struct socket *so, struct label *label,
- struct label *peerlabel);
- void (*mpo_destroy_pipe)(struct pipe *pipe, struct label *label);
- void (*mpo_destroy_temp)(struct label *label);
- void (*mpo_destroy_vnode)(struct vnode *, struct label *label);
+ void (*mpo_init_bpfdesc_label)(struct label *label);
+ void (*mpo_init_cred_label)(struct label *label);
+ void (*mpo_init_devfsdirent_label)(struct label *label);
+ void (*mpo_init_ifnet_label)(struct label *label);
+ void (*mpo_init_ipq_label)(struct label *label);
+ int (*mpo_init_mbuf_label)(struct label *label, int flag);
+ void (*mpo_init_mount_label)(struct label *label);
+ void (*mpo_init_mount_fs_label)(struct label *label);
+ void (*mpo_init_socket_label)(struct label *label);
+ void (*mpo_init_socket_peer_label)(struct label *label);
+ void (*mpo_init_pipe_label)(struct label *label);
+ void (*mpo_init_temp_label)(struct label *label);
+ void (*mpo_init_vnode_label)(struct label *label);
+ void (*mpo_destroy_bpfdesc_label)(struct label *label);
+ void (*mpo_destroy_cred_label)(struct label *label);
+ void (*mpo_destroy_devfsdirent_label)(struct label *label);
+ void (*mpo_destroy_ifnet_label)(struct label *label);
+ void (*mpo_destroy_ipq_label)(struct label *label);
+ void (*mpo_destroy_mbuf_label)(struct label *label);
+ void (*mpo_destroy_mount_label)(struct label *label);
+ void (*mpo_destroy_mount_fs_label)(struct label *label);
+ void (*mpo_destroy_socket_label)(struct label *label);
+ void (*mpo_destroy_socket_peer_label)(struct label *label);
+ void (*mpo_destroy_pipe_label)(struct label *label);
+ void (*mpo_destroy_temp_label)(struct label *label);
+ void (*mpo_destroy_vnode_label)(struct label *label);
+
int (*mpo_externalize)(struct label *label, struct mac *extmac);
int (*mpo_internalize)(struct label *label, struct mac *extmac);
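Review bot: `int (*mpo_init_mbuf_label)(struct label *label, int flag);` is the only label-initialization entry point in this block that returns a value or takes a second argument, yet nothing here says what `flag` holds or what a non-zero return means, and the parameter is called `flag` while the caller in mac_init_mbuf passes `how` under the comment `/* "how" is one of M_(TRY|DONT)WAIT */`. A comment above the declaration along the lines of `/* flag is the M_TRYWAIT/M_DONTWAIT value passed by mac_init_mbuf(); return non-zero if the label cannot be set up without sleeping */` (the return semantics are my reading of the call site — confirm) and renaming the parameter to `how` would give policy authors the contract without reading kern_mac.c. The rest of struct mac_policy_ops lies outside the hunk.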
@@ -355,28 +354,32 @@ enum mac_op_constant {
MAC_DESTROY,
MAC_INIT,
MAC_SYSCALL,
- MAC_INIT_BPFDESC,
- MAC_INIT_CRED,
- MAC_INIT_DEVFSDIRENT,
- MAC_INIT_IFNET,
- MAC_INIT_IPQ,
- MAC_INIT_MBUF,
- MAC_INIT_MOUNT,
- MAC_INIT_PIPE,
- MAC_INIT_SOCKET,
- MAC_INIT_TEMP,
- MAC_INIT_VNODE,
- MAC_DESTROY_BPFDESC,
- MAC_DESTROY_CRED,
- MAC_DESTROY_DEVFSDIRENT,
- MAC_DESTROY_IFNET,
- MAC_DESTROY_IPQ,
- MAC_DESTROY_MBUF,
- MAC_DESTROY_MOUNT,
- MAC_DESTROY_PIPE,
- MAC_DESTROY_SOCKET,
- MAC_DESTROY_TEMP,
- MAC_DESTROY_VNODE,
+ MAC_INIT_BPFDESC_LABEL,
+ MAC_INIT_CRED_LABEL,
+ MAC_INIT_DEVFSDIRENT_LABEL,
+ MAC_INIT_IFNET_LABEL,
+ MAC_INIT_IPQ_LABEL,
+ MAC_INIT_MBUF_LABEL,
+ MAC_INIT_MOUNT_LABEL,
+ MAC_INIT_MOUNT_FS_LABEL,
+ MAC_INIT_PIPE_LABEL,
+ MAC_INIT_SOCKET_LABEL,
+ MAC_INIT_SOCKET_PEER_LABEL,
+ MAC_INIT_TEMP_LABEL,
+ MAC_INIT_VNODE_LABEL,
+ MAC_DESTROY_BPFDESC_LABEL,
+ MAC_DESTROY_CRED_LABEL,
+ MAC_DESTROY_DEVFSDIRENT_LABEL,
+ MAC_DESTROY_IFNET_LABEL,
+ MAC_DESTROY_IPQ_LABEL,
+ MAC_DESTROY_MBUF_LABEL,
+ MAC_DESTROY_MOUNT_LABEL,
+ MAC_DESTROY_MOUNT_FS_LABEL,
+ MAC_DESTROY_PIPE_LABEL,
+ MAC_DESTROY_SOCKET_LABEL,
+ MAC_DESTROY_SOCKET_PEER_LABEL,
+ MAC_DESTROY_TEMP_LABEL,
+ MAC_DESTROY_VNODE_LABEL,
MAC_EXTERNALIZE,
MAC_INTERNALIZE,
MAC_CREATE_DEVFS_DEVICE,
diff --git a/sys/security/mac/mac_process.c b/sys/security/mac/mac_process.c
index 2c07abe..cfe6670 100644
--- a/sys/security/mac/mac_process.c
+++ b/sys/security/mac/mac_process.c
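Review bot: Inserting `MAC_INIT_MOUNT_FS_LABEL`, `MAC_INIT_SOCKET_PEER_LABEL`, `MAC_DESTROY_MOUNT_FS_LABEL` and `MAC_DESTROY_SOCKET_PEER_LABEL` into the middle of `enum mac_op_constant` changes the numeric value of every constant after the first insertion, through `MAC_EXTERNALIZE`, `MAC_INTERNALIZE`, `MAC_CREATE_DEVFS_DEVICE` and whatever follows beyond the hunk. A policy module built against the previous header then hands stale `mpe_constant` values to mac_policy_register, whose switch (the hunks in the mac_net.c, mac_pipe.c and mac_process.c sections) stores `mpe_function` into whichever typed slot the number now selects, so a function with one signature is called through a pointer of another. Unless registration already checks a policy-interface version (nothing in this diff shows one), this change should bump such a version, or at least the switch's default case — outside the hunk — should reject constants it does not know, and the commit message should state that existing policy modules must be rebuilt. Appending the new constants at the end of the enum would have kept the values of the untouched slots stable, though the renamed entry points are signature-incompatible with old modules either way.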
@@ -394,92 +394,108 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_syscall = mpe->mpe_function; break; - case MAC_INIT_BPFDESC: - mpc->mpc_ops->mpo_init_bpfdesc = + case MAC_INIT_BPFDESC_LABEL: + mpc->mpc_ops->mpo_init_bpfdesc_label = mpe->mpe_function; break; - case MAC_INIT_CRED: - mpc->mpc_ops->mpo_init_cred = + case MAC_INIT_CRED_LABEL: + mpc->mpc_ops->mpo_init_cred_label = mpe->mpe_function; break; - case MAC_INIT_DEVFSDIRENT: - mpc->mpc_ops->mpo_init_devfsdirent = + case MAC_INIT_DEVFSDIRENT_LABEL: + mpc->mpc_ops->mpo_init_devfsdirent_label = mpe->mpe_function; break; - case MAC_INIT_IFNET: - mpc->mpc_ops->mpo_init_ifnet = + case MAC_INIT_IFNET_LABEL: + mpc->mpc_ops->mpo_init_ifnet_label = mpe->mpe_function; break; - case MAC_INIT_IPQ: - mpc->mpc_ops->mpo_init_ipq = + case MAC_INIT_IPQ_LABEL: + mpc->mpc_ops->mpo_init_ipq_label = mpe->mpe_function; break; - case MAC_INIT_MBUF: - mpc->mpc_ops->mpo_init_mbuf = + case MAC_INIT_MBUF_LABEL: + mpc->mpc_ops->mpo_init_mbuf_label = mpe->mpe_function; break; - case MAC_INIT_MOUNT: - mpc->mpc_ops->mpo_init_mount = + case MAC_INIT_MOUNT_LABEL: + mpc->mpc_ops->mpo_init_mount_label = mpe->mpe_function; break; - case MAC_INIT_PIPE: - mpc->mpc_ops->mpo_init_pipe = + case MAC_INIT_MOUNT_FS_LABEL: + mpc->mpc_ops->mpo_init_mount_fs_label = mpe->mpe_function; break; - case MAC_INIT_SOCKET: - mpc->mpc_ops->mpo_init_socket = + case MAC_INIT_PIPE_LABEL: + mpc->mpc_ops->mpo_init_pipe_label = mpe->mpe_function; break; - case MAC_INIT_TEMP: - mpc->mpc_ops->mpo_init_temp = + case MAC_INIT_SOCKET_LABEL: + mpc->mpc_ops->mpo_init_socket_label = mpe->mpe_function; break; - case MAC_INIT_VNODE: - mpc->mpc_ops->mpo_init_vnode = + case MAC_INIT_SOCKET_PEER_LABEL: + mpc->mpc_ops->mpo_init_socket_peer_label = mpe->mpe_function; break; - case MAC_DESTROY_BPFDESC: - mpc->mpc_ops->mpo_destroy_bpfdesc = + case MAC_INIT_TEMP_LABEL: + mpc->mpc_ops->mpo_init_temp_label = mpe->mpe_function; break; - case MAC_DESTROY_CRED: - 
mpc->mpc_ops->mpo_destroy_cred = + case MAC_INIT_VNODE_LABEL: + mpc->mpc_ops->mpo_init_vnode_label = mpe->mpe_function; break; - case MAC_DESTROY_DEVFSDIRENT: - mpc->mpc_ops->mpo_destroy_devfsdirent = + case MAC_DESTROY_BPFDESC_LABEL: + mpc->mpc_ops->mpo_destroy_bpfdesc_label = mpe->mpe_function; break; - case MAC_DESTROY_IFNET: - mpc->mpc_ops->mpo_destroy_ifnet = + case MAC_DESTROY_CRED_LABEL: + mpc->mpc_ops->mpo_destroy_cred_label = mpe->mpe_function; break; - case MAC_DESTROY_IPQ: - mpc->mpc_ops->mpo_destroy_ipq = + case MAC_DESTROY_DEVFSDIRENT_LABEL: + mpc->mpc_ops->mpo_destroy_devfsdirent_label = mpe->mpe_function; break; - case MAC_DESTROY_MBUF: - mpc->mpc_ops->mpo_destroy_mbuf = + case MAC_DESTROY_IFNET_LABEL: + mpc->mpc_ops->mpo_destroy_ifnet_label = mpe->mpe_function; break; - case MAC_DESTROY_MOUNT: - mpc->mpc_ops->mpo_destroy_mount = + case MAC_DESTROY_IPQ_LABEL: + mpc->mpc_ops->mpo_destroy_ipq_label = mpe->mpe_function; break; - case MAC_DESTROY_PIPE: - mpc->mpc_ops->mpo_destroy_pipe = + case MAC_DESTROY_MBUF_LABEL: + mpc->mpc_ops->mpo_destroy_mbuf_label = mpe->mpe_function; break; - case MAC_DESTROY_SOCKET: - mpc->mpc_ops->mpo_destroy_socket = + case MAC_DESTROY_MOUNT_LABEL: + mpc->mpc_ops->mpo_destroy_mount_label = mpe->mpe_function; break; - case MAC_DESTROY_TEMP: - mpc->mpc_ops->mpo_destroy_temp = + case MAC_DESTROY_MOUNT_FS_LABEL: + mpc->mpc_ops->mpo_destroy_mount_fs_label = mpe->mpe_function; break; - case MAC_DESTROY_VNODE: - mpc->mpc_ops->mpo_destroy_vnode = + case MAC_DESTROY_PIPE_LABEL: + mpc->mpc_ops->mpo_destroy_pipe_label = + mpe->mpe_function; + break; + case MAC_DESTROY_SOCKET_LABEL: + mpc->mpc_ops->mpo_destroy_socket_label = + mpe->mpe_function; + break; + case MAC_DESTROY_SOCKET_PEER_LABEL: + mpc->mpc_ops->mpo_destroy_socket_peer_label = + mpe->mpe_function; + break; + case MAC_DESTROY_TEMP_LABEL: + mpc->mpc_ops->mpo_destroy_temp_label = + mpe->mpe_function; + break; + case MAC_DESTROY_VNODE_LABEL: + 
mpc->mpc_ops->mpo_destroy_vnode_label = mpe->mpe_function; break; case MAC_EXTERNALIZE: @@ -1290,7 +1306,7 @@ mac_init_mbuf(struct mbuf *m, int how) /* "how" is one of M_(TRY|DONT)WAIT */ mac_init_label(&m->m_pkthdr.label); - MAC_PERFORM(init_mbuf, m, how, &m->m_pkthdr.label); + MAC_PERFORM(init_mbuf_label, &m->m_pkthdr.label, how); #ifdef MAC_DEBUG atomic_add_int(&nmacmbufs, 1); #endif @@ -1301,7 +1317,7 @@ void mac_destroy_mbuf(struct mbuf *m) { - MAC_PERFORM(destroy_mbuf, m, &m->m_pkthdr.label); + MAC_PERFORM(destroy_mbuf_label, &m->m_pkthdr.label); mac_destroy_label(&m->m_pkthdr.label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacmbufs, 1); @@ -1313,7 +1329,7 @@ mac_init_cred(struct ucred *cr) { mac_init_label(&cr->cr_label); - MAC_PERFORM(init_cred, cr, &cr->cr_label); + MAC_PERFORM(init_cred_label, &cr->cr_label); #ifdef MAC_DEBUG atomic_add_int(&nmaccreds, 1); #endif @@ -1323,7 +1339,7 @@ void mac_destroy_cred(struct ucred *cr) { - MAC_PERFORM(destroy_cred, cr, &cr->cr_label); + MAC_PERFORM(destroy_cred_label, &cr->cr_label); mac_destroy_label(&cr->cr_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmaccreds, 1); @@ -1335,7 +1351,7 @@ mac_init_ifnet(struct ifnet *ifp) { mac_init_label(&ifp->if_label); - MAC_PERFORM(init_ifnet, ifp, &ifp->if_label); + MAC_PERFORM(init_ifnet_label, &ifp->if_label); #ifdef MAC_DEBUG atomic_add_int(&nmacifnets, 1); #endif @@ -1345,7 +1361,7 @@ void mac_destroy_ifnet(struct ifnet *ifp) { - MAC_PERFORM(destroy_ifnet, ifp, &ifp->if_label); + MAC_PERFORM(destroy_ifnet_label, &ifp->if_label); mac_destroy_label(&ifp->if_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacifnets, 1); @@ -1357,7 +1373,7 @@ mac_init_ipq(struct ipq *ipq) { mac_init_label(&ipq->ipq_label); - MAC_PERFORM(init_ipq, ipq, &ipq->ipq_label); + MAC_PERFORM(init_ipq_label, &ipq->ipq_label); #ifdef MAC_DEBUG atomic_add_int(&nmacipqs, 1); #endif 
@@ -1367,7 +1383,7 @@ void mac_destroy_ipq(struct ipq *ipq) { - MAC_PERFORM(destroy_ipq, ipq, &ipq->ipq_label); + MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label); mac_destroy_label(&ipq->ipq_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacipqs, 1); @@ -1380,8 +1396,8 @@ mac_init_socket(struct socket *socket) mac_init_label(&socket->so_label); mac_init_label(&socket->so_peerlabel); - MAC_PERFORM(init_socket, socket, &socket->so_label, - &socket->so_peerlabel); + MAC_PERFORM(init_socket_label, &socket->so_label); + MAC_PERFORM(init_socket_peer_label, &socket->so_peerlabel); #ifdef MAC_DEBUG atomic_add_int(&nmacsockets, 1); #endif @@ -1391,8 +1407,8 @@ void mac_destroy_socket(struct socket *socket) { - MAC_PERFORM(destroy_socket, socket, &socket->so_label, - &socket->so_peerlabel); + MAC_PERFORM(destroy_socket_label, &socket->so_label); + MAC_PERFORM(destroy_socket_peer_label, &socket->so_peerlabel); mac_destroy_label(&socket->so_label); mac_destroy_label(&socket->so_peerlabel); #ifdef MAC_DEBUG @@ -1409,7 +1425,7 @@ mac_init_pipe(struct pipe *pipe) mac_init_label(label); pipe->pipe_label = label; pipe->pipe_peer->pipe_label = label; - MAC_PERFORM(init_pipe, pipe, pipe->pipe_label); + MAC_PERFORM(init_pipe_label, pipe->pipe_label); #ifdef MAC_DEBUG atomic_add_int(&nmacpipes, 1); #endif @@ -1419,7 +1435,7 @@ void mac_destroy_pipe(struct pipe *pipe) { - MAC_PERFORM(destroy_pipe, pipe, pipe->pipe_label); + MAC_PERFORM(destroy_pipe_label, pipe->pipe_label); mac_destroy_label(pipe->pipe_label); free(pipe->pipe_label, M_MACPIPELABEL); #ifdef MAC_DEBUG @@ -1432,7 +1448,7 @@ mac_init_bpfdesc(struct bpf_d *bpf_d) { mac_init_label(&bpf_d->bd_label); - MAC_PERFORM(init_bpfdesc, bpf_d, &bpf_d->bd_label); + MAC_PERFORM(init_bpfdesc_label, &bpf_d->bd_label); #ifdef MAC_DEBUG atomic_add_int(&nmacbpfdescs, 1); #endif 
@@ -1442,7 +1458,7 @@ void mac_destroy_bpfdesc(struct bpf_d *bpf_d) { - MAC_PERFORM(destroy_bpfdesc, bpf_d, &bpf_d->bd_label); + MAC_PERFORM(destroy_bpfdesc_label, &bpf_d->bd_label); mac_destroy_label(&bpf_d->bd_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacbpfdescs, 1); @@ -1455,7 +1471,8 @@ mac_init_mount(struct mount *mp) mac_init_label(&mp->mnt_mntlabel); mac_init_label(&mp->mnt_fslabel); - MAC_PERFORM(init_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel); + MAC_PERFORM(init_mount_label, &mp->mnt_mntlabel); + MAC_PERFORM(init_mount_fs_label, &mp->mnt_fslabel); #ifdef MAC_DEBUG atomic_add_int(&nmacmounts, 1); #endif @@ -1465,7 +1482,8 @@ void mac_destroy_mount(struct mount *mp) { - MAC_PERFORM(destroy_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel); + MAC_PERFORM(destroy_mount_label, &mp->mnt_mntlabel); + MAC_PERFORM(destroy_mount_fs_label, &mp->mnt_fslabel); mac_destroy_label(&mp->mnt_fslabel); mac_destroy_label(&mp->mnt_mntlabel); #ifdef MAC_DEBUG @@ -1478,7 +1496,7 @@ mac_init_temp(struct label *label) { mac_init_label(label); - MAC_PERFORM(init_temp, label); + MAC_PERFORM(init_temp_label, label); #ifdef MAC_DEBUG atomic_add_int(&nmactemp, 1); #endif @@ -1488,7 +1506,7 @@ static void mac_destroy_temp(struct label *label) { - MAC_PERFORM(destroy_temp, label); + MAC_PERFORM(destroy_temp_label, label); mac_destroy_label(label); #ifdef MAC_DEBUG atomic_subtract_int(&nmactemp, 1); @@ -1500,7 +1518,7 @@ mac_init_vnode(struct vnode *vp) { mac_init_label(&vp->v_label); - MAC_PERFORM(init_vnode, vp, &vp->v_label); + MAC_PERFORM(init_vnode_label, &vp->v_label); #ifdef MAC_DEBUG atomic_add_int(&nmacvnodes, 1); #endif @@ -1510,7 +1528,7 @@ void mac_destroy_vnode(struct vnode *vp) { - MAC_PERFORM(destroy_vnode, vp, &vp->v_label); + MAC_PERFORM(destroy_vnode_label, &vp->v_label); mac_destroy_label(&vp->v_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacvnodes, 1); 
@@ -1522,7 +1540,7 @@ mac_init_devfsdirent(struct devfs_dirent *de) { mac_init_label(&de->de_label); - MAC_PERFORM(init_devfsdirent, de, &de->de_label); + MAC_PERFORM(init_devfsdirent_label, &de->de_label); #ifdef MAC_DEBUG atomic_add_int(&nmacdevfsdirents, 1); #endif @@ -1532,7 +1550,7 @@ void mac_destroy_devfsdirent(struct devfs_dirent *de) { - MAC_PERFORM(destroy_devfsdirent, de, &de->de_label); + MAC_PERFORM(destroy_devfsdirent_label, &de->de_label); mac_destroy_label(&de->de_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacdevfsdirents, 1); diff --git a/sys/security/mac/mac_syscalls.c b/sys/security/mac/mac_syscalls.c index 2c07abe..cfe6670 100644 --- a/sys/security/mac/mac_syscalls.c +++ b/sys/security/mac/mac_syscalls.c 
@@ -394,92 +394,108 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_syscall = mpe->mpe_function; break; - case MAC_INIT_BPFDESC: - mpc->mpc_ops->mpo_init_bpfdesc = + case MAC_INIT_BPFDESC_LABEL: + mpc->mpc_ops->mpo_init_bpfdesc_label = mpe->mpe_function; break; - case MAC_INIT_CRED: - mpc->mpc_ops->mpo_init_cred = + case MAC_INIT_CRED_LABEL: + mpc->mpc_ops->mpo_init_cred_label = mpe->mpe_function; break; - case MAC_INIT_DEVFSDIRENT: - mpc->mpc_ops->mpo_init_devfsdirent = + case MAC_INIT_DEVFSDIRENT_LABEL: + mpc->mpc_ops->mpo_init_devfsdirent_label = mpe->mpe_function; break; - case MAC_INIT_IFNET: - mpc->mpc_ops->mpo_init_ifnet = + case MAC_INIT_IFNET_LABEL: + mpc->mpc_ops->mpo_init_ifnet_label = mpe->mpe_function; break; - case MAC_INIT_IPQ: - mpc->mpc_ops->mpo_init_ipq = + case MAC_INIT_IPQ_LABEL: + mpc->mpc_ops->mpo_init_ipq_label = mpe->mpe_function; break; - case MAC_INIT_MBUF: - mpc->mpc_ops->mpo_init_mbuf = + case MAC_INIT_MBUF_LABEL: + mpc->mpc_ops->mpo_init_mbuf_label = mpe->mpe_function; break; - case MAC_INIT_MOUNT: - mpc->mpc_ops->mpo_init_mount = + case MAC_INIT_MOUNT_LABEL: + mpc->mpc_ops->mpo_init_mount_label = mpe->mpe_function; break; - case MAC_INIT_PIPE: - mpc->mpc_ops->mpo_init_pipe = + case MAC_INIT_MOUNT_FS_LABEL: + mpc->mpc_ops->mpo_init_mount_fs_label = mpe->mpe_function; break; - case MAC_INIT_SOCKET: - mpc->mpc_ops->mpo_init_socket = + case MAC_INIT_PIPE_LABEL: + mpc->mpc_ops->mpo_init_pipe_label = mpe->mpe_function; break; - case MAC_INIT_TEMP: - mpc->mpc_ops->mpo_init_temp = + case MAC_INIT_SOCKET_LABEL: + mpc->mpc_ops->mpo_init_socket_label = mpe->mpe_function; break; - case MAC_INIT_VNODE: - mpc->mpc_ops->mpo_init_vnode = + case MAC_INIT_SOCKET_PEER_LABEL: + mpc->mpc_ops->mpo_init_socket_peer_label = mpe->mpe_function; break; - case MAC_DESTROY_BPFDESC: - mpc->mpc_ops->mpo_destroy_bpfdesc = + case MAC_INIT_TEMP_LABEL: + mpc->mpc_ops->mpo_init_temp_label = mpe->mpe_function; break; - case MAC_DESTROY_CRED: - 
mpc->mpc_ops->mpo_destroy_cred = + case MAC_INIT_VNODE_LABEL: + mpc->mpc_ops->mpo_init_vnode_label = mpe->mpe_function; break; - case MAC_DESTROY_DEVFSDIRENT: - mpc->mpc_ops->mpo_destroy_devfsdirent = + case MAC_DESTROY_BPFDESC_LABEL: + mpc->mpc_ops->mpo_destroy_bpfdesc_label = mpe->mpe_function; break; - case MAC_DESTROY_IFNET: - mpc->mpc_ops->mpo_destroy_ifnet = + case MAC_DESTROY_CRED_LABEL: + mpc->mpc_ops->mpo_destroy_cred_label = mpe->mpe_function; break; - case MAC_DESTROY_IPQ: - mpc->mpc_ops->mpo_destroy_ipq = + case MAC_DESTROY_DEVFSDIRENT_LABEL: + mpc->mpc_ops->mpo_destroy_devfsdirent_label = mpe->mpe_function; break; - case MAC_DESTROY_MBUF: - mpc->mpc_ops->mpo_destroy_mbuf = + case MAC_DESTROY_IFNET_LABEL: + mpc->mpc_ops->mpo_destroy_ifnet_label = mpe->mpe_function; break; - case MAC_DESTROY_MOUNT: - mpc->mpc_ops->mpo_destroy_mount = + case MAC_DESTROY_IPQ_LABEL: + mpc->mpc_ops->mpo_destroy_ipq_label = mpe->mpe_function; break; - case MAC_DESTROY_PIPE: - mpc->mpc_ops->mpo_destroy_pipe = + case MAC_DESTROY_MBUF_LABEL: + mpc->mpc_ops->mpo_destroy_mbuf_label = mpe->mpe_function; break; - case MAC_DESTROY_SOCKET: - mpc->mpc_ops->mpo_destroy_socket = + case MAC_DESTROY_MOUNT_LABEL: + mpc->mpc_ops->mpo_destroy_mount_label = mpe->mpe_function; break; - case MAC_DESTROY_TEMP: - mpc->mpc_ops->mpo_destroy_temp = + case MAC_DESTROY_MOUNT_FS_LABEL: + mpc->mpc_ops->mpo_destroy_mount_fs_label = mpe->mpe_function; break; - case MAC_DESTROY_VNODE: - mpc->mpc_ops->mpo_destroy_vnode = + case MAC_DESTROY_PIPE_LABEL: + mpc->mpc_ops->mpo_destroy_pipe_label = + mpe->mpe_function; + break; + case MAC_DESTROY_SOCKET_LABEL: + mpc->mpc_ops->mpo_destroy_socket_label = + mpe->mpe_function; + break; + case MAC_DESTROY_SOCKET_PEER_LABEL: + mpc->mpc_ops->mpo_destroy_socket_peer_label = + mpe->mpe_function; + break; + case MAC_DESTROY_TEMP_LABEL: + mpc->mpc_ops->mpo_destroy_temp_label = + mpe->mpe_function; + break; + case MAC_DESTROY_VNODE_LABEL: + 
mpc->mpc_ops->mpo_destroy_vnode_label = mpe->mpe_function; break; case MAC_EXTERNALIZE: @@ -1290,7 +1306,7 @@ mac_init_mbuf(struct mbuf *m, int how) /* "how" is one of M_(TRY|DONT)WAIT */ mac_init_label(&m->m_pkthdr.label); - MAC_PERFORM(init_mbuf, m, how, &m->m_pkthdr.label); + MAC_PERFORM(init_mbuf_label, &m->m_pkthdr.label, how); #ifdef MAC_DEBUG atomic_add_int(&nmacmbufs, 1); #endif @@ -1301,7 +1317,7 @@ void mac_destroy_mbuf(struct mbuf *m) { - MAC_PERFORM(destroy_mbuf, m, &m->m_pkthdr.label); + MAC_PERFORM(destroy_mbuf_label, &m->m_pkthdr.label); mac_destroy_label(&m->m_pkthdr.label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacmbufs, 1); @@ -1313,7 +1329,7 @@ mac_init_cred(struct ucred *cr) { mac_init_label(&cr->cr_label); - MAC_PERFORM(init_cred, cr, &cr->cr_label); + MAC_PERFORM(init_cred_label, &cr->cr_label); #ifdef MAC_DEBUG atomic_add_int(&nmaccreds, 1); #endif @@ -1323,7 +1339,7 @@ void mac_destroy_cred(struct ucred *cr) { - MAC_PERFORM(destroy_cred, cr, &cr->cr_label); + MAC_PERFORM(destroy_cred_label, &cr->cr_label); mac_destroy_label(&cr->cr_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmaccreds, 1); @@ -1335,7 +1351,7 @@ mac_init_ifnet(struct ifnet *ifp) { mac_init_label(&ifp->if_label); - MAC_PERFORM(init_ifnet, ifp, &ifp->if_label); + MAC_PERFORM(init_ifnet_label, &ifp->if_label); #ifdef MAC_DEBUG atomic_add_int(&nmacifnets, 1); #endif @@ -1345,7 +1361,7 @@ void mac_destroy_ifnet(struct ifnet *ifp) { - MAC_PERFORM(destroy_ifnet, ifp, &ifp->if_label); + MAC_PERFORM(destroy_ifnet_label, &ifp->if_label); mac_destroy_label(&ifp->if_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacifnets, 1); @@ -1357,7 +1373,7 @@ mac_init_ipq(struct ipq *ipq) { mac_init_label(&ipq->ipq_label); - MAC_PERFORM(init_ipq, ipq, &ipq->ipq_label); + MAC_PERFORM(init_ipq_label, &ipq->ipq_label); #ifdef MAC_DEBUG atomic_add_int(&nmacipqs, 1); #endif 
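Review bot: mac_policy_register binds a policy's function pointers purely by the MAC_* constant the module supplies, and this hunk renames every init/destroy constant and adds MAC_INIT_MOUNT_FS_LABEL, MAC_INIT_SOCKET_PEER_LABEL and their DESTROY counterparts, which, assuming the enum in mac_policy.h is ordered like this switch, shifts the numeric value of every later constant. A policy module built against the previous mac_policy.h would therefore register without complaint but have its entry points wired to the wrong ops slots, with label pointers handed to functions that still expect object pointers, and nothing in this hunk rejects such a module. Unless the mac_policy.h part of this commit bumps a policy ABI version that registration checks, consider adding such a check ahead of the switch, or at least a comment on the enum noting that the values are not stable across this change. The same switch appears in the mac_system.c and mac_vfs.c sections of this diff.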
@@ -1367,7 +1383,7 @@ void mac_destroy_ipq(struct ipq *ipq) { - MAC_PERFORM(destroy_ipq, ipq, &ipq->ipq_label); + MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label); mac_destroy_label(&ipq->ipq_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacipqs, 1); @@ -1380,8 +1396,8 @@ mac_init_socket(struct socket *socket) mac_init_label(&socket->so_label); mac_init_label(&socket->so_peerlabel); - MAC_PERFORM(init_socket, socket, &socket->so_label, - &socket->so_peerlabel); + MAC_PERFORM(init_socket_label, &socket->so_label); + MAC_PERFORM(init_socket_peer_label, &socket->so_peerlabel); #ifdef MAC_DEBUG atomic_add_int(&nmacsockets, 1); #endif @@ -1391,8 +1407,8 @@ void mac_destroy_socket(struct socket *socket) { - MAC_PERFORM(destroy_socket, socket, &socket->so_label, - &socket->so_peerlabel); + MAC_PERFORM(destroy_socket_label, &socket->so_label); + MAC_PERFORM(destroy_socket_peer_label, &socket->so_peerlabel); mac_destroy_label(&socket->so_label); mac_destroy_label(&socket->so_peerlabel); #ifdef MAC_DEBUG @@ -1409,7 +1425,7 @@ mac_init_pipe(struct pipe *pipe) mac_init_label(label); pipe->pipe_label = label; pipe->pipe_peer->pipe_label = label; - MAC_PERFORM(init_pipe, pipe, pipe->pipe_label); + MAC_PERFORM(init_pipe_label, pipe->pipe_label); #ifdef MAC_DEBUG atomic_add_int(&nmacpipes, 1); #endif @@ -1419,7 +1435,7 @@ void mac_destroy_pipe(struct pipe *pipe) { - MAC_PERFORM(destroy_pipe, pipe, pipe->pipe_label); + MAC_PERFORM(destroy_pipe_label, pipe->pipe_label); mac_destroy_label(pipe->pipe_label); free(pipe->pipe_label, M_MACPIPELABEL); #ifdef MAC_DEBUG @@ -1432,7 +1448,7 @@ mac_init_bpfdesc(struct bpf_d *bpf_d) { mac_init_label(&bpf_d->bd_label); - MAC_PERFORM(init_bpfdesc, bpf_d, &bpf_d->bd_label); + MAC_PERFORM(init_bpfdesc_label, &bpf_d->bd_label); #ifdef MAC_DEBUG atomic_add_int(&nmacbpfdescs, 1); #endif 
@@ -1442,7 +1458,7 @@ void mac_destroy_bpfdesc(struct bpf_d *bpf_d) { - MAC_PERFORM(destroy_bpfdesc, bpf_d, &bpf_d->bd_label); + MAC_PERFORM(destroy_bpfdesc_label, &bpf_d->bd_label); mac_destroy_label(&bpf_d->bd_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacbpfdescs, 1); @@ -1455,7 +1471,8 @@ mac_init_mount(struct mount *mp) mac_init_label(&mp->mnt_mntlabel); mac_init_label(&mp->mnt_fslabel); - MAC_PERFORM(init_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel); + MAC_PERFORM(init_mount_label, &mp->mnt_mntlabel); + MAC_PERFORM(init_mount_fs_label, &mp->mnt_fslabel); #ifdef MAC_DEBUG atomic_add_int(&nmacmounts, 1); #endif @@ -1465,7 +1482,8 @@ void mac_destroy_mount(struct mount *mp) { - MAC_PERFORM(destroy_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel); + MAC_PERFORM(destroy_mount_label, &mp->mnt_mntlabel); + MAC_PERFORM(destroy_mount_fs_label, &mp->mnt_fslabel); mac_destroy_label(&mp->mnt_fslabel); mac_destroy_label(&mp->mnt_mntlabel); #ifdef MAC_DEBUG @@ -1478,7 +1496,7 @@ mac_init_temp(struct label *label) { mac_init_label(label); - MAC_PERFORM(init_temp, label); + MAC_PERFORM(init_temp_label, label); #ifdef MAC_DEBUG atomic_add_int(&nmactemp, 1); #endif @@ -1488,7 +1506,7 @@ static void mac_destroy_temp(struct label *label) { - MAC_PERFORM(destroy_temp, label); + MAC_PERFORM(destroy_temp_label, label); mac_destroy_label(label); #ifdef MAC_DEBUG atomic_subtract_int(&nmactemp, 1); @@ -1500,7 +1518,7 @@ mac_init_vnode(struct vnode *vp) { mac_init_label(&vp->v_label); - MAC_PERFORM(init_vnode, vp, &vp->v_label); + MAC_PERFORM(init_vnode_label, &vp->v_label); #ifdef MAC_DEBUG atomic_add_int(&nmacvnodes, 1); #endif @@ -1510,7 +1528,7 @@ void mac_destroy_vnode(struct vnode *vp) { - MAC_PERFORM(destroy_vnode, vp, &vp->v_label); + MAC_PERFORM(destroy_vnode_label, &vp->v_label); mac_destroy_label(&vp->v_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacvnodes, 1); 
@@ -1522,7 +1540,7 @@ mac_init_devfsdirent(struct devfs_dirent *de) { mac_init_label(&de->de_label); - MAC_PERFORM(init_devfsdirent, de, &de->de_label); + MAC_PERFORM(init_devfsdirent_label, &de->de_label); #ifdef MAC_DEBUG atomic_add_int(&nmacdevfsdirents, 1); #endif @@ -1532,7 +1550,7 @@ void mac_destroy_devfsdirent(struct devfs_dirent *de) { - MAC_PERFORM(destroy_devfsdirent, de, &de->de_label); + MAC_PERFORM(destroy_devfsdirent_label, &de->de_label); mac_destroy_label(&de->de_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacdevfsdirents, 1); diff --git a/sys/security/mac/mac_system.c b/sys/security/mac/mac_system.c index 2c07abe..cfe6670 100644 --- a/sys/security/mac/mac_system.c +++ b/sys/security/mac/mac_system.c 
@@ -394,92 +394,108 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_syscall = mpe->mpe_function; break; - case MAC_INIT_BPFDESC: - mpc->mpc_ops->mpo_init_bpfdesc = + case MAC_INIT_BPFDESC_LABEL: + mpc->mpc_ops->mpo_init_bpfdesc_label = mpe->mpe_function; break; - case MAC_INIT_CRED: - mpc->mpc_ops->mpo_init_cred = + case MAC_INIT_CRED_LABEL: + mpc->mpc_ops->mpo_init_cred_label = mpe->mpe_function; break; - case MAC_INIT_DEVFSDIRENT: - mpc->mpc_ops->mpo_init_devfsdirent = + case MAC_INIT_DEVFSDIRENT_LABEL: + mpc->mpc_ops->mpo_init_devfsdirent_label = mpe->mpe_function; break; - case MAC_INIT_IFNET: - mpc->mpc_ops->mpo_init_ifnet = + case MAC_INIT_IFNET_LABEL: + mpc->mpc_ops->mpo_init_ifnet_label = mpe->mpe_function; break; - case MAC_INIT_IPQ: - mpc->mpc_ops->mpo_init_ipq = + case MAC_INIT_IPQ_LABEL: + mpc->mpc_ops->mpo_init_ipq_label = mpe->mpe_function; break; - case MAC_INIT_MBUF: - mpc->mpc_ops->mpo_init_mbuf = + case MAC_INIT_MBUF_LABEL: + mpc->mpc_ops->mpo_init_mbuf_label = mpe->mpe_function; break; - case MAC_INIT_MOUNT: - mpc->mpc_ops->mpo_init_mount = + case MAC_INIT_MOUNT_LABEL: + mpc->mpc_ops->mpo_init_mount_label = mpe->mpe_function; break; - case MAC_INIT_PIPE: - mpc->mpc_ops->mpo_init_pipe = + case MAC_INIT_MOUNT_FS_LABEL: + mpc->mpc_ops->mpo_init_mount_fs_label = mpe->mpe_function; break; - case MAC_INIT_SOCKET: - mpc->mpc_ops->mpo_init_socket = + case MAC_INIT_PIPE_LABEL: + mpc->mpc_ops->mpo_init_pipe_label = mpe->mpe_function; break; - case MAC_INIT_TEMP: - mpc->mpc_ops->mpo_init_temp = + case MAC_INIT_SOCKET_LABEL: + mpc->mpc_ops->mpo_init_socket_label = mpe->mpe_function; break; - case MAC_INIT_VNODE: - mpc->mpc_ops->mpo_init_vnode = + case MAC_INIT_SOCKET_PEER_LABEL: + mpc->mpc_ops->mpo_init_socket_peer_label = mpe->mpe_function; break; - case MAC_DESTROY_BPFDESC: - mpc->mpc_ops->mpo_destroy_bpfdesc = + case MAC_INIT_TEMP_LABEL: + mpc->mpc_ops->mpo_init_temp_label = mpe->mpe_function; break; - case MAC_DESTROY_CRED: - 
mpc->mpc_ops->mpo_destroy_cred = + case MAC_INIT_VNODE_LABEL: + mpc->mpc_ops->mpo_init_vnode_label = mpe->mpe_function; break; - case MAC_DESTROY_DEVFSDIRENT: - mpc->mpc_ops->mpo_destroy_devfsdirent = + case MAC_DESTROY_BPFDESC_LABEL: + mpc->mpc_ops->mpo_destroy_bpfdesc_label = mpe->mpe_function; break; - case MAC_DESTROY_IFNET: - mpc->mpc_ops->mpo_destroy_ifnet = + case MAC_DESTROY_CRED_LABEL: + mpc->mpc_ops->mpo_destroy_cred_label = mpe->mpe_function; break; - case MAC_DESTROY_IPQ: - mpc->mpc_ops->mpo_destroy_ipq = + case MAC_DESTROY_DEVFSDIRENT_LABEL: + mpc->mpc_ops->mpo_destroy_devfsdirent_label = mpe->mpe_function; break; - case MAC_DESTROY_MBUF: - mpc->mpc_ops->mpo_destroy_mbuf = + case MAC_DESTROY_IFNET_LABEL: + mpc->mpc_ops->mpo_destroy_ifnet_label = mpe->mpe_function; break; - case MAC_DESTROY_MOUNT: - mpc->mpc_ops->mpo_destroy_mount = + case MAC_DESTROY_IPQ_LABEL: + mpc->mpc_ops->mpo_destroy_ipq_label = mpe->mpe_function; break; - case MAC_DESTROY_PIPE: - mpc->mpc_ops->mpo_destroy_pipe = + case MAC_DESTROY_MBUF_LABEL: + mpc->mpc_ops->mpo_destroy_mbuf_label = mpe->mpe_function; break; - case MAC_DESTROY_SOCKET: - mpc->mpc_ops->mpo_destroy_socket = + case MAC_DESTROY_MOUNT_LABEL: + mpc->mpc_ops->mpo_destroy_mount_label = mpe->mpe_function; break; - case MAC_DESTROY_TEMP: - mpc->mpc_ops->mpo_destroy_temp = + case MAC_DESTROY_MOUNT_FS_LABEL: + mpc->mpc_ops->mpo_destroy_mount_fs_label = mpe->mpe_function; break; - case MAC_DESTROY_VNODE: - mpc->mpc_ops->mpo_destroy_vnode = + case MAC_DESTROY_PIPE_LABEL: + mpc->mpc_ops->mpo_destroy_pipe_label = + mpe->mpe_function; + break; + case MAC_DESTROY_SOCKET_LABEL: + mpc->mpc_ops->mpo_destroy_socket_label = + mpe->mpe_function; + break; + case MAC_DESTROY_SOCKET_PEER_LABEL: + mpc->mpc_ops->mpo_destroy_socket_peer_label = + mpe->mpe_function; + break; + case MAC_DESTROY_TEMP_LABEL: + mpc->mpc_ops->mpo_destroy_temp_label = + mpe->mpe_function; + break; + case MAC_DESTROY_VNODE_LABEL: + 
mpc->mpc_ops->mpo_destroy_vnode_label = mpe->mpe_function; break; case MAC_EXTERNALIZE: @@ -1290,7 +1306,7 @@ mac_init_mbuf(struct mbuf *m, int how) /* "how" is one of M_(TRY|DONT)WAIT */ mac_init_label(&m->m_pkthdr.label); - MAC_PERFORM(init_mbuf, m, how, &m->m_pkthdr.label); + MAC_PERFORM(init_mbuf_label, &m->m_pkthdr.label, how); #ifdef MAC_DEBUG atomic_add_int(&nmacmbufs, 1); #endif @@ -1301,7 +1317,7 @@ void mac_destroy_mbuf(struct mbuf *m) { - MAC_PERFORM(destroy_mbuf, m, &m->m_pkthdr.label); + MAC_PERFORM(destroy_mbuf_label, &m->m_pkthdr.label); mac_destroy_label(&m->m_pkthdr.label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacmbufs, 1); @@ -1313,7 +1329,7 @@ mac_init_cred(struct ucred *cr) { mac_init_label(&cr->cr_label); - MAC_PERFORM(init_cred, cr, &cr->cr_label); + MAC_PERFORM(init_cred_label, &cr->cr_label); #ifdef MAC_DEBUG atomic_add_int(&nmaccreds, 1); #endif @@ -1323,7 +1339,7 @@ void mac_destroy_cred(struct ucred *cr) { - MAC_PERFORM(destroy_cred, cr, &cr->cr_label); + MAC_PERFORM(destroy_cred_label, &cr->cr_label); mac_destroy_label(&cr->cr_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmaccreds, 1); @@ -1335,7 +1351,7 @@ mac_init_ifnet(struct ifnet *ifp) { mac_init_label(&ifp->if_label); - MAC_PERFORM(init_ifnet, ifp, &ifp->if_label); + MAC_PERFORM(init_ifnet_label, &ifp->if_label); #ifdef MAC_DEBUG atomic_add_int(&nmacifnets, 1); #endif @@ -1345,7 +1361,7 @@ void mac_destroy_ifnet(struct ifnet *ifp) { - MAC_PERFORM(destroy_ifnet, ifp, &ifp->if_label); + MAC_PERFORM(destroy_ifnet_label, &ifp->if_label); mac_destroy_label(&ifp->if_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacifnets, 1); @@ -1357,7 +1373,7 @@ mac_init_ipq(struct ipq *ipq) { mac_init_label(&ipq->ipq_label); - MAC_PERFORM(init_ipq, ipq, &ipq->ipq_label); + MAC_PERFORM(init_ipq_label, &ipq->ipq_label); #ifdef MAC_DEBUG atomic_add_int(&nmacipqs, 1); #endif 
@@ -1367,7 +1383,7 @@ void mac_destroy_ipq(struct ipq *ipq) { - MAC_PERFORM(destroy_ipq, ipq, &ipq->ipq_label); + MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label); mac_destroy_label(&ipq->ipq_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacipqs, 1); @@ -1380,8 +1396,8 @@ mac_init_socket(struct socket *socket) mac_init_label(&socket->so_label); mac_init_label(&socket->so_peerlabel); - MAC_PERFORM(init_socket, socket, &socket->so_label, - &socket->so_peerlabel); + MAC_PERFORM(init_socket_label, &socket->so_label); + MAC_PERFORM(init_socket_peer_label, &socket->so_peerlabel); #ifdef MAC_DEBUG atomic_add_int(&nmacsockets, 1); #endif @@ -1391,8 +1407,8 @@ void mac_destroy_socket(struct socket *socket) { - MAC_PERFORM(destroy_socket, socket, &socket->so_label, - &socket->so_peerlabel); + MAC_PERFORM(destroy_socket_label, &socket->so_label); + MAC_PERFORM(destroy_socket_peer_label, &socket->so_peerlabel); mac_destroy_label(&socket->so_label); mac_destroy_label(&socket->so_peerlabel); #ifdef MAC_DEBUG @@ -1409,7 +1425,7 @@ mac_init_pipe(struct pipe *pipe) mac_init_label(label); pipe->pipe_label = label; pipe->pipe_peer->pipe_label = label; - MAC_PERFORM(init_pipe, pipe, pipe->pipe_label); + MAC_PERFORM(init_pipe_label, pipe->pipe_label); #ifdef MAC_DEBUG atomic_add_int(&nmacpipes, 1); #endif @@ -1419,7 +1435,7 @@ void mac_destroy_pipe(struct pipe *pipe) { - MAC_PERFORM(destroy_pipe, pipe, pipe->pipe_label); + MAC_PERFORM(destroy_pipe_label, pipe->pipe_label); mac_destroy_label(pipe->pipe_label); free(pipe->pipe_label, M_MACPIPELABEL); #ifdef MAC_DEBUG @@ -1432,7 +1448,7 @@ mac_init_bpfdesc(struct bpf_d *bpf_d) { mac_init_label(&bpf_d->bd_label); - MAC_PERFORM(init_bpfdesc, bpf_d, &bpf_d->bd_label); + MAC_PERFORM(init_bpfdesc_label, &bpf_d->bd_label); #ifdef MAC_DEBUG atomic_add_int(&nmacbpfdescs, 1); #endif 
@@ -1442,7 +1458,7 @@ void mac_destroy_bpfdesc(struct bpf_d *bpf_d) { - MAC_PERFORM(destroy_bpfdesc, bpf_d, &bpf_d->bd_label); + MAC_PERFORM(destroy_bpfdesc_label, &bpf_d->bd_label); mac_destroy_label(&bpf_d->bd_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacbpfdescs, 1); @@ -1455,7 +1471,8 @@ mac_init_mount(struct mount *mp) mac_init_label(&mp->mnt_mntlabel); mac_init_label(&mp->mnt_fslabel); - MAC_PERFORM(init_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel); + MAC_PERFORM(init_mount_label, &mp->mnt_mntlabel); + MAC_PERFORM(init_mount_fs_label, &mp->mnt_fslabel); #ifdef MAC_DEBUG atomic_add_int(&nmacmounts, 1); #endif @@ -1465,7 +1482,8 @@ void mac_destroy_mount(struct mount *mp) { - MAC_PERFORM(destroy_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel); + MAC_PERFORM(destroy_mount_label, &mp->mnt_mntlabel); + MAC_PERFORM(destroy_mount_fs_label, &mp->mnt_fslabel); mac_destroy_label(&mp->mnt_fslabel); mac_destroy_label(&mp->mnt_mntlabel); #ifdef MAC_DEBUG @@ -1478,7 +1496,7 @@ mac_init_temp(struct label *label) { mac_init_label(label); - MAC_PERFORM(init_temp, label); + MAC_PERFORM(init_temp_label, label); #ifdef MAC_DEBUG atomic_add_int(&nmactemp, 1); #endif @@ -1488,7 +1506,7 @@ static void mac_destroy_temp(struct label *label) { - MAC_PERFORM(destroy_temp, label); + MAC_PERFORM(destroy_temp_label, label); mac_destroy_label(label); #ifdef MAC_DEBUG atomic_subtract_int(&nmactemp, 1); @@ -1500,7 +1518,7 @@ mac_init_vnode(struct vnode *vp) { mac_init_label(&vp->v_label); - MAC_PERFORM(init_vnode, vp, &vp->v_label); + MAC_PERFORM(init_vnode_label, &vp->v_label); #ifdef MAC_DEBUG atomic_add_int(&nmacvnodes, 1); #endif @@ -1510,7 +1528,7 @@ void mac_destroy_vnode(struct vnode *vp) { - MAC_PERFORM(destroy_vnode, vp, &vp->v_label); + MAC_PERFORM(destroy_vnode_label, &vp->v_label); mac_destroy_label(&vp->v_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacvnodes, 1); 
@@ -1522,7 +1540,7 @@ mac_init_devfsdirent(struct devfs_dirent *de) { mac_init_label(&de->de_label); - MAC_PERFORM(init_devfsdirent, de, &de->de_label); + MAC_PERFORM(init_devfsdirent_label, &de->de_label); #ifdef MAC_DEBUG atomic_add_int(&nmacdevfsdirents, 1); #endif @@ -1532,7 +1550,7 @@ void mac_destroy_devfsdirent(struct devfs_dirent *de) { - MAC_PERFORM(destroy_devfsdirent, de, &de->de_label); + MAC_PERFORM(destroy_devfsdirent_label, &de->de_label); mac_destroy_label(&de->de_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacdevfsdirents, 1); diff --git a/sys/security/mac/mac_vfs.c b/sys/security/mac/mac_vfs.c index 2c07abe..cfe6670 100644 --- a/sys/security/mac/mac_vfs.c +++ b/sys/security/mac/mac_vfs.c 
@@ -394,92 +394,108 @@ mac_policy_register(struct mac_policy_conf *mpc) mpc->mpc_ops->mpo_syscall = mpe->mpe_function; break; - case MAC_INIT_BPFDESC: - mpc->mpc_ops->mpo_init_bpfdesc = + case MAC_INIT_BPFDESC_LABEL: + mpc->mpc_ops->mpo_init_bpfdesc_label = mpe->mpe_function; break; - case MAC_INIT_CRED: - mpc->mpc_ops->mpo_init_cred = + case MAC_INIT_CRED_LABEL: + mpc->mpc_ops->mpo_init_cred_label = mpe->mpe_function; break; - case MAC_INIT_DEVFSDIRENT: - mpc->mpc_ops->mpo_init_devfsdirent = + case MAC_INIT_DEVFSDIRENT_LABEL: + mpc->mpc_ops->mpo_init_devfsdirent_label = mpe->mpe_function; break; - case MAC_INIT_IFNET: - mpc->mpc_ops->mpo_init_ifnet = + case MAC_INIT_IFNET_LABEL: + mpc->mpc_ops->mpo_init_ifnet_label = mpe->mpe_function; break; - case MAC_INIT_IPQ: - mpc->mpc_ops->mpo_init_ipq = + case MAC_INIT_IPQ_LABEL: + mpc->mpc_ops->mpo_init_ipq_label = mpe->mpe_function; break; - case MAC_INIT_MBUF: - mpc->mpc_ops->mpo_init_mbuf = + case MAC_INIT_MBUF_LABEL: + mpc->mpc_ops->mpo_init_mbuf_label = mpe->mpe_function; break; - case MAC_INIT_MOUNT: - mpc->mpc_ops->mpo_init_mount = + case MAC_INIT_MOUNT_LABEL: + mpc->mpc_ops->mpo_init_mount_label = mpe->mpe_function; break; - case MAC_INIT_PIPE: - mpc->mpc_ops->mpo_init_pipe = + case MAC_INIT_MOUNT_FS_LABEL: + mpc->mpc_ops->mpo_init_mount_fs_label = mpe->mpe_function; break; - case MAC_INIT_SOCKET: - mpc->mpc_ops->mpo_init_socket = + case MAC_INIT_PIPE_LABEL: + mpc->mpc_ops->mpo_init_pipe_label = mpe->mpe_function; break; - case MAC_INIT_TEMP: - mpc->mpc_ops->mpo_init_temp = + case MAC_INIT_SOCKET_LABEL: + mpc->mpc_ops->mpo_init_socket_label = mpe->mpe_function; break; - case MAC_INIT_VNODE: - mpc->mpc_ops->mpo_init_vnode = + case MAC_INIT_SOCKET_PEER_LABEL: + mpc->mpc_ops->mpo_init_socket_peer_label = mpe->mpe_function; break; - case MAC_DESTROY_BPFDESC: - mpc->mpc_ops->mpo_destroy_bpfdesc = + case MAC_INIT_TEMP_LABEL: + mpc->mpc_ops->mpo_init_temp_label = mpe->mpe_function; break; - case MAC_DESTROY_CRED: - 
mpc->mpc_ops->mpo_destroy_cred = + case MAC_INIT_VNODE_LABEL: + mpc->mpc_ops->mpo_init_vnode_label = mpe->mpe_function; break; - case MAC_DESTROY_DEVFSDIRENT: - mpc->mpc_ops->mpo_destroy_devfsdirent = + case MAC_DESTROY_BPFDESC_LABEL: + mpc->mpc_ops->mpo_destroy_bpfdesc_label = mpe->mpe_function; break; - case MAC_DESTROY_IFNET: - mpc->mpc_ops->mpo_destroy_ifnet = + case MAC_DESTROY_CRED_LABEL: + mpc->mpc_ops->mpo_destroy_cred_label = mpe->mpe_function; break; - case MAC_DESTROY_IPQ: - mpc->mpc_ops->mpo_destroy_ipq = + case MAC_DESTROY_DEVFSDIRENT_LABEL: + mpc->mpc_ops->mpo_destroy_devfsdirent_label = mpe->mpe_function; break; - case MAC_DESTROY_MBUF: - mpc->mpc_ops->mpo_destroy_mbuf = + case MAC_DESTROY_IFNET_LABEL: + mpc->mpc_ops->mpo_destroy_ifnet_label = mpe->mpe_function; break; - case MAC_DESTROY_MOUNT: - mpc->mpc_ops->mpo_destroy_mount = + case MAC_DESTROY_IPQ_LABEL: + mpc->mpc_ops->mpo_destroy_ipq_label = mpe->mpe_function; break; - case MAC_DESTROY_PIPE: - mpc->mpc_ops->mpo_destroy_pipe = + case MAC_DESTROY_MBUF_LABEL: + mpc->mpc_ops->mpo_destroy_mbuf_label = mpe->mpe_function; break; - case MAC_DESTROY_SOCKET: - mpc->mpc_ops->mpo_destroy_socket = + case MAC_DESTROY_MOUNT_LABEL: + mpc->mpc_ops->mpo_destroy_mount_label = mpe->mpe_function; break; - case MAC_DESTROY_TEMP: - mpc->mpc_ops->mpo_destroy_temp = + case MAC_DESTROY_MOUNT_FS_LABEL: + mpc->mpc_ops->mpo_destroy_mount_fs_label = mpe->mpe_function; break; - case MAC_DESTROY_VNODE: - mpc->mpc_ops->mpo_destroy_vnode = + case MAC_DESTROY_PIPE_LABEL: + mpc->mpc_ops->mpo_destroy_pipe_label = + mpe->mpe_function; + break; + case MAC_DESTROY_SOCKET_LABEL: + mpc->mpc_ops->mpo_destroy_socket_label = + mpe->mpe_function; + break; + case MAC_DESTROY_SOCKET_PEER_LABEL: + mpc->mpc_ops->mpo_destroy_socket_peer_label = + mpe->mpe_function; + break; + case MAC_DESTROY_TEMP_LABEL: + mpc->mpc_ops->mpo_destroy_temp_label = + mpe->mpe_function; + break; + case MAC_DESTROY_VNODE_LABEL: + 
mpc->mpc_ops->mpo_destroy_vnode_label = mpe->mpe_function; break; case MAC_EXTERNALIZE: @@ -1290,7 +1306,7 @@ mac_init_mbuf(struct mbuf *m, int how) /* "how" is one of M_(TRY|DONT)WAIT */ mac_init_label(&m->m_pkthdr.label); - MAC_PERFORM(init_mbuf, m, how, &m->m_pkthdr.label); + MAC_PERFORM(init_mbuf_label, &m->m_pkthdr.label, how); #ifdef MAC_DEBUG atomic_add_int(&nmacmbufs, 1); #endif @@ -1301,7 +1317,7 @@ void mac_destroy_mbuf(struct mbuf *m) { - MAC_PERFORM(destroy_mbuf, m, &m->m_pkthdr.label); + MAC_PERFORM(destroy_mbuf_label, &m->m_pkthdr.label); mac_destroy_label(&m->m_pkthdr.label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacmbufs, 1); @@ -1313,7 +1329,7 @@ mac_init_cred(struct ucred *cr) { mac_init_label(&cr->cr_label); - MAC_PERFORM(init_cred, cr, &cr->cr_label); + MAC_PERFORM(init_cred_label, &cr->cr_label); #ifdef MAC_DEBUG atomic_add_int(&nmaccreds, 1); #endif @@ -1323,7 +1339,7 @@ void mac_destroy_cred(struct ucred *cr) { - MAC_PERFORM(destroy_cred, cr, &cr->cr_label); + MAC_PERFORM(destroy_cred_label, &cr->cr_label); mac_destroy_label(&cr->cr_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmaccreds, 1); @@ -1335,7 +1351,7 @@ mac_init_ifnet(struct ifnet *ifp) { mac_init_label(&ifp->if_label); - MAC_PERFORM(init_ifnet, ifp, &ifp->if_label); + MAC_PERFORM(init_ifnet_label, &ifp->if_label); #ifdef MAC_DEBUG atomic_add_int(&nmacifnets, 1); #endif @@ -1345,7 +1361,7 @@ void mac_destroy_ifnet(struct ifnet *ifp) { - MAC_PERFORM(destroy_ifnet, ifp, &ifp->if_label); + MAC_PERFORM(destroy_ifnet_label, &ifp->if_label); mac_destroy_label(&ifp->if_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacifnets, 1); @@ -1357,7 +1373,7 @@ mac_init_ipq(struct ipq *ipq) { mac_init_label(&ipq->ipq_label); - MAC_PERFORM(init_ipq, ipq, &ipq->ipq_label); + MAC_PERFORM(init_ipq_label, &ipq->ipq_label); #ifdef MAC_DEBUG atomic_add_int(&nmacipqs, 1); #endif 
@@ -1367,7 +1383,7 @@ void mac_destroy_ipq(struct ipq *ipq) { - MAC_PERFORM(destroy_ipq, ipq, &ipq->ipq_label); + MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label); mac_destroy_label(&ipq->ipq_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacipqs, 1); @@ -1380,8 +1396,8 @@ mac_init_socket(struct socket *socket) mac_init_label(&socket->so_label); mac_init_label(&socket->so_peerlabel); - MAC_PERFORM(init_socket, socket, &socket->so_label, - &socket->so_peerlabel); + MAC_PERFORM(init_socket_label, &socket->so_label); + MAC_PERFORM(init_socket_peer_label, &socket->so_peerlabel); #ifdef MAC_DEBUG atomic_add_int(&nmacsockets, 1); #endif @@ -1391,8 +1407,8 @@ void mac_destroy_socket(struct socket *socket) { - MAC_PERFORM(destroy_socket, socket, &socket->so_label, - &socket->so_peerlabel); + MAC_PERFORM(destroy_socket_label, &socket->so_label); + MAC_PERFORM(destroy_socket_peer_label, &socket->so_peerlabel); mac_destroy_label(&socket->so_label); mac_destroy_label(&socket->so_peerlabel); #ifdef MAC_DEBUG @@ -1409,7 +1425,7 @@ mac_init_pipe(struct pipe *pipe) mac_init_label(label); pipe->pipe_label = label; pipe->pipe_peer->pipe_label = label; - MAC_PERFORM(init_pipe, pipe, pipe->pipe_label); + MAC_PERFORM(init_pipe_label, pipe->pipe_label); #ifdef MAC_DEBUG atomic_add_int(&nmacpipes, 1); #endif @@ -1419,7 +1435,7 @@ void mac_destroy_pipe(struct pipe *pipe) { - MAC_PERFORM(destroy_pipe, pipe, pipe->pipe_label); + MAC_PERFORM(destroy_pipe_label, pipe->pipe_label); mac_destroy_label(pipe->pipe_label); free(pipe->pipe_label, M_MACPIPELABEL); #ifdef MAC_DEBUG @@ -1432,7 +1448,7 @@ mac_init_bpfdesc(struct bpf_d *bpf_d) { mac_init_label(&bpf_d->bd_label); - MAC_PERFORM(init_bpfdesc, bpf_d, &bpf_d->bd_label); + MAC_PERFORM(init_bpfdesc_label, &bpf_d->bd_label); #ifdef MAC_DEBUG atomic_add_int(&nmacbpfdescs, 1); #endif 
@@ -1442,7 +1458,7 @@ void mac_destroy_bpfdesc(struct bpf_d *bpf_d) { - MAC_PERFORM(destroy_bpfdesc, bpf_d, &bpf_d->bd_label); + MAC_PERFORM(destroy_bpfdesc_label, &bpf_d->bd_label); mac_destroy_label(&bpf_d->bd_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacbpfdescs, 1); @@ -1455,7 +1471,8 @@ mac_init_mount(struct mount *mp) mac_init_label(&mp->mnt_mntlabel); mac_init_label(&mp->mnt_fslabel); - MAC_PERFORM(init_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel); + MAC_PERFORM(init_mount_label, &mp->mnt_mntlabel); + MAC_PERFORM(init_mount_fs_label, &mp->mnt_fslabel); #ifdef MAC_DEBUG atomic_add_int(&nmacmounts, 1); #endif @@ -1465,7 +1482,8 @@ void mac_destroy_mount(struct mount *mp) { - MAC_PERFORM(destroy_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel); + MAC_PERFORM(destroy_mount_label, &mp->mnt_mntlabel); + MAC_PERFORM(destroy_mount_fs_label, &mp->mnt_fslabel); mac_destroy_label(&mp->mnt_fslabel); mac_destroy_label(&mp->mnt_mntlabel); #ifdef MAC_DEBUG @@ -1478,7 +1496,7 @@ mac_init_temp(struct label *label) { mac_init_label(label); - MAC_PERFORM(init_temp, label); + MAC_PERFORM(init_temp_label, label); #ifdef MAC_DEBUG atomic_add_int(&nmactemp, 1); #endif @@ -1488,7 +1506,7 @@ static void mac_destroy_temp(struct label *label) { - MAC_PERFORM(destroy_temp, label); + MAC_PERFORM(destroy_temp_label, label); mac_destroy_label(label); #ifdef MAC_DEBUG atomic_subtract_int(&nmactemp, 1); @@ -1500,7 +1518,7 @@ mac_init_vnode(struct vnode *vp) { mac_init_label(&vp->v_label); - MAC_PERFORM(init_vnode, vp, &vp->v_label); + MAC_PERFORM(init_vnode_label, &vp->v_label); #ifdef MAC_DEBUG atomic_add_int(&nmacvnodes, 1); #endif @@ -1510,7 +1528,7 @@ void mac_destroy_vnode(struct vnode *vp) { - MAC_PERFORM(destroy_vnode, vp, &vp->v_label); + MAC_PERFORM(destroy_vnode_label, &vp->v_label); mac_destroy_label(&vp->v_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacvnodes, 1); 
@@ -1522,7 +1540,7 @@ mac_init_devfsdirent(struct devfs_dirent *de) { mac_init_label(&de->de_label); - MAC_PERFORM(init_devfsdirent, de, &de->de_label); + MAC_PERFORM(init_devfsdirent_label, &de->de_label); #ifdef MAC_DEBUG atomic_add_int(&nmacdevfsdirents, 1); #endif @@ -1532,7 +1550,7 @@ void mac_destroy_devfsdirent(struct devfs_dirent *de) { - MAC_PERFORM(destroy_devfsdirent, de, &de->de_label); + MAC_PERFORM(destroy_devfsdirent_label, &de->de_label); mac_destroy_label(&de->de_label); #ifdef MAC_DEBUG atomic_subtract_int(&nmacdevfsdirents, 1); diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c index d9056c6..8d53cdb 100644 --- a/sys/security/mac_biba/mac_biba.c +++ b/sys/security/mac_biba/mac_biba.c @@ -117,11 +117,11 @@ static int mac_biba_check_vnode_open(struct ucred *cred, struct vnode *vp, struct label *vnodelabel, mode_t acc_mode); static struct mac_biba * -biba_alloc(int how) +biba_alloc(int flag) { struct mac_biba *mac_biba; - mac_biba = malloc(sizeof(struct mac_biba), M_MACBIBA, M_ZERO | how); + mac_biba = malloc(sizeof(struct mac_biba), M_MACBIBA, M_ZERO | flag); return (mac_biba); } 
@@ -385,46 +385,17 @@ mac_biba_init(struct mac_policy_conf *conf)
 * Label operations.
 */
 static void
-mac_biba_init_bpfdesc(struct bpf_d *bpf_d, struct label *label)
-{
-
- SLOT(label) = biba_alloc(M_WAITOK);
-}
-
-static void
-mac_biba_init_cred(struct ucred *ucred, struct label *label)
-{
-
- SLOT(label) = biba_alloc(M_WAITOK);
-}
-
-static void
-mac_biba_init_devfsdirent(struct devfs_dirent *devfs_dirent,
- struct label *label)
-{
-
- SLOT(label) = biba_alloc(M_WAITOK);
-}
-
-static void
-mac_biba_init_ifnet(struct ifnet *ifnet, struct label *label)
-{
-
- SLOT(label) = biba_alloc(M_WAITOK);
-}
-
-static void
-mac_biba_init_ipq(struct ipq *ipq, struct label *label)
+mac_biba_init_label(struct label *label)
 {
 
 SLOT(label) = biba_alloc(M_WAITOK);
 }
 
 static int
-mac_biba_init_mbuf(struct mbuf *mbuf, int how, struct label *label)
+mac_biba_init_label_waitcheck(struct label *label, int flag)
 {
 
- SLOT(label) = biba_alloc(how);
+ SLOT(label) = biba_alloc(flag);
 if (SLOT(label) == NULL)
 return (ENOMEM);
 
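Review bot: `mac_biba_init_label_waitcheck` is the one label initializer in this policy that can fail, yet nothing in the hunk states what it leaves behind: when `biba_alloc(flag)` returns NULL the function returns ENOMEM with `SLOT(label)` still NULL, and whoever calls it next (use or destroy) has to cope with that. A short comment above the function would pin the contract, e.g. `/* Allocate the label slot with the caller's malloc(9) flag; on failure * SLOT(label) is left NULL and ENOMEM is returned, so the label is unusable. */`. Since `flag` is passed straight through to `malloc` in `biba_alloc`, it should be described as a malloc wait flag rather than an opaque int. The function's `return (0)` and closing brace lie outside the hunk, and the MLS hunk further down mirrors this one exactly.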
@@ -432,133 +403,7 @@ mac_biba_init_mbuf(struct mbuf *mbuf, int how, struct label *label) } static void -mac_biba_init_mount(struct mount *mount, struct label *mntlabel, - struct label *fslabel) -{ - - SLOT(mntlabel) = biba_alloc(M_WAITOK); - SLOT(fslabel) = biba_alloc(M_WAITOK); -} - -static void -mac_biba_init_socket(struct socket *socket, struct label *label, - struct label *peerlabel) -{ - - SLOT(label) = biba_alloc(M_WAITOK); - SLOT(peerlabel) = biba_alloc(M_WAITOK); -} - -static void -mac_biba_init_pipe(struct pipe *pipe, struct label *label) -{ - - SLOT(label) = biba_alloc(M_WAITOK); -} - -static void -mac_biba_init_temp(struct label *label) -{ - - SLOT(label) = biba_alloc(M_WAITOK); -} - -static void -mac_biba_init_vnode(struct vnode *vp, struct label *label) -{ - - SLOT(label) = biba_alloc(M_WAITOK); -} - -static void -mac_biba_destroy_bpfdesc(struct bpf_d *bpf_d, struct label *label) -{ - - biba_free(SLOT(label)); - SLOT(label) = NULL; -} - -static void -mac_biba_destroy_cred(struct ucred *ucred, struct label *label) -{ - - biba_free(SLOT(label)); - SLOT(label) = NULL; -} - -static void -mac_biba_destroy_devfsdirent(struct devfs_dirent *devfs_dirent, - struct label *label) -{ - - biba_free(SLOT(label)); - SLOT(label) = NULL; -} - -static void -mac_biba_destroy_ifnet(struct ifnet *ifnet, struct label *label) -{ - - biba_free(SLOT(label)); - SLOT(label) = NULL; -} - -static void -mac_biba_destroy_ipq(struct ipq *ipq, struct label *label) -{ - - biba_free(SLOT(label)); - SLOT(label) = NULL; -} - -static void -mac_biba_destroy_mbuf(struct mbuf *mbuf, struct label *label) -{ - - biba_free(SLOT(label)); - SLOT(label) = NULL; -} - -static void -mac_biba_destroy_mount(struct mount *mount, struct label *mntlabel, - struct label *fslabel) -{ - - biba_free(SLOT(mntlabel)); - SLOT(mntlabel) = NULL; - biba_free(SLOT(fslabel)); - SLOT(fslabel) = NULL; -} - -static void -mac_biba_destroy_socket(struct socket *socket, struct label *label, - struct label *peerlabel) -{ - 
- biba_free(SLOT(label)); - SLOT(label) = NULL; - biba_free(SLOT(peerlabel)); - SLOT(peerlabel) = NULL; -} - -static void -mac_biba_destroy_pipe(struct pipe *pipe, struct label *label) -{ - - biba_free(SLOT(label)); - SLOT(label) = NULL; -} - -static void -mac_biba_destroy_temp(struct label *label) -{ - - biba_free(SLOT(label)); - SLOT(label) = NULL; -} - -static void -mac_biba_destroy_vnode(struct vnode *vp, struct label *label) +mac_biba_destroy_label(struct label *label) { biba_free(SLOT(label)); 
@@ -2054,50 +1899,58 @@ static struct mac_policy_op_entry mac_biba_ops[] = (macop_t)mac_biba_destroy }, { MAC_INIT, (macop_t)mac_biba_init }, - { MAC_INIT_BPFDESC, - (macop_t)mac_biba_init_bpfdesc }, - { MAC_INIT_CRED, - (macop_t)mac_biba_init_cred }, - { MAC_INIT_DEVFSDIRENT, - (macop_t)mac_biba_init_devfsdirent }, - { MAC_INIT_IFNET, - (macop_t)mac_biba_init_ifnet }, - { MAC_INIT_IPQ, - (macop_t)mac_biba_init_ipq }, - { MAC_INIT_MBUF, - (macop_t)mac_biba_init_mbuf }, - { MAC_INIT_MOUNT, - (macop_t)mac_biba_init_mount }, - { MAC_INIT_PIPE, - (macop_t)mac_biba_init_pipe }, - { MAC_INIT_SOCKET, - (macop_t)mac_biba_init_socket }, - { MAC_INIT_TEMP, - (macop_t)mac_biba_init_temp }, - { MAC_INIT_VNODE, - (macop_t)mac_biba_init_vnode }, - { MAC_DESTROY_BPFDESC, - (macop_t)mac_biba_destroy_bpfdesc }, - { MAC_DESTROY_CRED, - (macop_t)mac_biba_destroy_cred }, - { MAC_DESTROY_DEVFSDIRENT, - (macop_t)mac_biba_destroy_devfsdirent }, - { MAC_DESTROY_IFNET, - (macop_t)mac_biba_destroy_ifnet }, - { MAC_DESTROY_IPQ, - (macop_t)mac_biba_destroy_ipq }, - { MAC_DESTROY_MBUF, - (macop_t)mac_biba_destroy_mbuf }, - { MAC_DESTROY_MOUNT, - (macop_t)mac_biba_destroy_mount }, - { MAC_DESTROY_PIPE, - (macop_t)mac_biba_destroy_pipe }, - { MAC_DESTROY_SOCKET, - (macop_t)mac_biba_destroy_socket }, - { MAC_DESTROY_TEMP, - (macop_t)mac_biba_destroy_temp }, - { MAC_DESTROY_VNODE, - (macop_t)mac_biba_destroy_vnode }, + { MAC_INIT_BPFDESC_LABEL, + (macop_t)mac_biba_init_label }, + { MAC_INIT_CRED_LABEL, + (macop_t)mac_biba_init_label }, + { MAC_INIT_DEVFSDIRENT_LABEL, + (macop_t)mac_biba_init_label }, + { MAC_INIT_IFNET_LABEL, + (macop_t)mac_biba_init_label }, + { MAC_INIT_IPQ_LABEL, + (macop_t)mac_biba_init_label }, + { MAC_INIT_MBUF_LABEL, + (macop_t)mac_biba_init_label_waitcheck }, + { MAC_INIT_MOUNT_LABEL, + (macop_t)mac_biba_init_label }, + { MAC_INIT_MOUNT_FS_LABEL, + (macop_t)mac_biba_init_label }, + { MAC_INIT_PIPE_LABEL, + (macop_t)mac_biba_init_label }, + { MAC_INIT_SOCKET_LABEL, + 
(macop_t)mac_biba_init_label }, + { MAC_INIT_SOCKET_PEER_LABEL, + (macop_t)mac_biba_init_label }, + { MAC_INIT_TEMP_LABEL, + (macop_t)mac_biba_init_label }, + { MAC_INIT_VNODE_LABEL, + (macop_t)mac_biba_init_label }, + { MAC_DESTROY_BPFDESC_LABEL, + (macop_t)mac_biba_destroy_label }, + { MAC_DESTROY_CRED_LABEL, + (macop_t)mac_biba_destroy_label }, + { MAC_DESTROY_DEVFSDIRENT_LABEL, + (macop_t)mac_biba_destroy_label }, + { MAC_DESTROY_IFNET_LABEL, + (macop_t)mac_biba_destroy_label }, + { MAC_DESTROY_IPQ_LABEL, + (macop_t)mac_biba_destroy_label }, + { MAC_DESTROY_MBUF_LABEL, + (macop_t)mac_biba_destroy_label }, + { MAC_DESTROY_MOUNT_LABEL, + (macop_t)mac_biba_destroy_label }, + { MAC_DESTROY_MOUNT_FS_LABEL, + (macop_t)mac_biba_destroy_label }, + { MAC_DESTROY_PIPE_LABEL, + (macop_t)mac_biba_destroy_label }, + { MAC_DESTROY_SOCKET_LABEL, + (macop_t)mac_biba_destroy_label }, + { MAC_DESTROY_SOCKET_PEER_LABEL, + (macop_t)mac_biba_destroy_label }, + { MAC_DESTROY_TEMP_LABEL, + (macop_t)mac_biba_destroy_label }, + { MAC_DESTROY_VNODE_LABEL, + (macop_t)mac_biba_destroy_label }, { MAC_EXTERNALIZE, (macop_t)mac_biba_externalize }, { MAC_INTERNALIZE, diff --git a/sys/security/mac_mls/mac_mls.c b/sys/security/mac_mls/mac_mls.c index 60675dd..27b74b1 100644 --- a/sys/security/mac_mls/mac_mls.c +++ b/sys/security/mac_mls/mac_mls.c @@ -106,11 +106,11 @@ static int mac_mls_check_vnode_open(struct ucred *cred, struct vnode *vp, struct label *vnodelabel, mode_t acc_mode); static struct mac_mls * -mls_alloc(int how) +mls_alloc(int flag) { struct mac_mls *mac_mls; - mac_mls = malloc(sizeof(struct mac_mls), M_MACMLS, M_ZERO | how); + mac_mls = malloc(sizeof(struct mac_mls), M_MACMLS, M_ZERO | flag); return (mac_mls); } 
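Review bot: Every entry in this table is registered through a `(macop_t)` cast, so the compiler cannot see that `mac_biba_init_label_waitcheck` (`(struct label *, int)`, returns int) has a different prototype from `mac_biba_init_label` (`(struct label *)`, void); pairing the wrong one with `MAC_INIT_MBUF_LABEL` — or any other `_LABEL` slot — would compile cleanly and only misbehave at runtime. A comment on the odd entry would at least make the asymmetry visible to the next editor, e.g. `/* mbuf labels are allocated with a caller-supplied malloc flag, so this is * the only init entry point that takes a flag and may return ENOMEM. */` placed above `{ MAC_INIT_MBUF_LABEL,`. As far as the diff shows, the mac_test policy's magic-number checks are the only runtime guard against such a mismatch, so two lines of documentation here are cheap insurance.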
@@ -374,46 +374,17 @@ mac_mls_init(struct mac_policy_conf *conf) * Label operations. */ static void -mac_mls_init_bpfdesc(struct bpf_d *bpf_d, struct label *label) -{ - - SLOT(label) = mls_alloc(M_WAITOK); -} - -static void -mac_mls_init_cred(struct ucred *ucred, struct label *label) -{ - - SLOT(label) = mls_alloc(M_WAITOK); -} - -static void -mac_mls_init_devfsdirent(struct devfs_dirent *devfs_dirent, - struct label *label) -{ - - SLOT(label) = mls_alloc(M_WAITOK); -} - -static void -mac_mls_init_ifnet(struct ifnet *ifnet, struct label *label) -{ - - SLOT(label) = mls_alloc(M_WAITOK); -} - -static void -mac_mls_init_ipq(struct ipq *ipq, struct label *label) +mac_mls_init_label(struct label *label) { SLOT(label) = mls_alloc(M_WAITOK); } static int -mac_mls_init_mbuf(struct mbuf *mbuf, int how, struct label *label) +mac_mls_init_label_waitcheck(struct label *label, int flag) { - SLOT(label) = mls_alloc(how); + SLOT(label) = mls_alloc(flag); if (SLOT(label) == NULL) return (ENOMEM); 
@@ -421,133 +392,7 @@ mac_mls_init_mbuf(struct mbuf *mbuf, int how, struct label *label) } static void -mac_mls_init_mount(struct mount *mount, struct label *mntlabel, - struct label *fslabel) -{ - - SLOT(mntlabel) = mls_alloc(M_WAITOK); - SLOT(fslabel) = mls_alloc(M_WAITOK); -} - -static void -mac_mls_init_socket(struct socket *socket, struct label *label, - struct label *peerlabel) -{ - - SLOT(label) = mls_alloc(M_WAITOK); - SLOT(peerlabel) = mls_alloc(M_WAITOK); -} - -static void -mac_mls_init_pipe(struct pipe *pipe, struct label *label) -{ - - SLOT(label) = mls_alloc(M_WAITOK); -} - -static void -mac_mls_init_temp(struct label *label) -{ - - SLOT(label) = mls_alloc(M_WAITOK); -} - -static void -mac_mls_init_vnode(struct vnode *vp, struct label *label) -{ - - SLOT(label) = mls_alloc(M_WAITOK); -} - -static void -mac_mls_destroy_bpfdesc(struct bpf_d *bpf_d, struct label *label) -{ - - mls_free(SLOT(label)); - SLOT(label) = NULL; -} - -static void -mac_mls_destroy_cred(struct ucred *ucred, struct label *label) -{ - - mls_free(SLOT(label)); - SLOT(label) = NULL; -} - -static void -mac_mls_destroy_devfsdirent(struct devfs_dirent *devfs_dirent, - struct label *label) -{ - - mls_free(SLOT(label)); - SLOT(label) = NULL; -} - -static void -mac_mls_destroy_ifnet(struct ifnet *ifnet, struct label *label) -{ - - mls_free(SLOT(label)); - SLOT(label) = NULL; -} - -static void -mac_mls_destroy_ipq(struct ipq *ipq, struct label *label) -{ - - mls_free(SLOT(label)); - SLOT(label) = NULL; -} - -static void -mac_mls_destroy_mbuf(struct mbuf *mbuf, struct label *label) -{ - - mls_free(SLOT(label)); - SLOT(label) = NULL; -} - -static void -mac_mls_destroy_mount(struct mount *mount, struct label *mntlabel, - struct label *fslabel) -{ - - mls_free(SLOT(mntlabel)); - SLOT(mntlabel) = NULL; - mls_free(SLOT(fslabel)); - SLOT(fslabel) = NULL; -} - -static void -mac_mls_destroy_socket(struct socket *socket, struct label *label, - struct label *peerlabel) -{ - - mls_free(SLOT(label)); - 
SLOT(label) = NULL; - mls_free(SLOT(peerlabel)); - SLOT(peerlabel) = NULL; -} - -static void -mac_mls_destroy_pipe(struct pipe *pipe, struct label *label) -{ - - mls_free(SLOT(label)); - SLOT(label) = NULL; -} - -static void -mac_mls_destroy_temp(struct label *label) -{ - - mls_free(SLOT(label)); - SLOT(label) = NULL; -} - -static void -mac_mls_destroy_vnode(struct vnode *vp, struct label *label) +mac_mls_destroy_label(struct label *label) { mls_free(SLOT(label)); 
@@ -2017,50 +1862,58 @@ static struct mac_policy_op_entry mac_mls_ops[] = (macop_t)mac_mls_destroy }, { MAC_INIT, (macop_t)mac_mls_init }, - { MAC_INIT_BPFDESC, - (macop_t)mac_mls_init_bpfdesc }, - { MAC_INIT_CRED, - (macop_t)mac_mls_init_cred }, - { MAC_INIT_DEVFSDIRENT, - (macop_t)mac_mls_init_devfsdirent }, - { MAC_INIT_IFNET, - (macop_t)mac_mls_init_ifnet }, - { MAC_INIT_IPQ, - (macop_t)mac_mls_init_ipq }, - { MAC_INIT_MBUF, - (macop_t)mac_mls_init_mbuf }, - { MAC_INIT_MOUNT, - (macop_t)mac_mls_init_mount }, - { MAC_INIT_PIPE, - (macop_t)mac_mls_init_pipe }, - { MAC_INIT_SOCKET, - (macop_t)mac_mls_init_socket }, - { MAC_INIT_TEMP, - (macop_t)mac_mls_init_temp }, - { MAC_INIT_VNODE, - (macop_t)mac_mls_init_vnode }, - { MAC_DESTROY_BPFDESC, - (macop_t)mac_mls_destroy_bpfdesc }, - { MAC_DESTROY_CRED, - (macop_t)mac_mls_destroy_cred }, - { MAC_DESTROY_DEVFSDIRENT, - (macop_t)mac_mls_destroy_devfsdirent }, - { MAC_DESTROY_IFNET, - (macop_t)mac_mls_destroy_ifnet }, - { MAC_DESTROY_IPQ, - (macop_t)mac_mls_destroy_ipq }, - { MAC_DESTROY_MBUF, - (macop_t)mac_mls_destroy_mbuf }, - { MAC_DESTROY_MOUNT, - (macop_t)mac_mls_destroy_mount }, - { MAC_DESTROY_PIPE, - (macop_t)mac_mls_destroy_pipe }, - { MAC_DESTROY_SOCKET, - (macop_t)mac_mls_destroy_socket }, - { MAC_DESTROY_TEMP, - (macop_t)mac_mls_destroy_temp }, - { MAC_DESTROY_VNODE, - (macop_t)mac_mls_destroy_vnode }, + { MAC_INIT_BPFDESC_LABEL, + (macop_t)mac_mls_init_label }, + { MAC_INIT_CRED_LABEL, + (macop_t)mac_mls_init_label }, + { MAC_INIT_DEVFSDIRENT_LABEL, + (macop_t)mac_mls_init_label }, + { MAC_INIT_IFNET_LABEL, + (macop_t)mac_mls_init_label }, + { MAC_INIT_IPQ_LABEL, + (macop_t)mac_mls_init_label }, + { MAC_INIT_MBUF_LABEL, + (macop_t)mac_mls_init_label_waitcheck }, + { MAC_INIT_MOUNT_LABEL, + (macop_t)mac_mls_init_label }, + { MAC_INIT_MOUNT_FS_LABEL, + (macop_t)mac_mls_init_label }, + { MAC_INIT_PIPE_LABEL, + (macop_t)mac_mls_init_label }, + { MAC_INIT_SOCKET_LABEL, + (macop_t)mac_mls_init_label }, + { 
MAC_INIT_SOCKET_PEER_LABEL, + (macop_t)mac_mls_init_label }, + { MAC_INIT_TEMP_LABEL, + (macop_t)mac_mls_init_label }, + { MAC_INIT_VNODE_LABEL, + (macop_t)mac_mls_init_label }, + { MAC_DESTROY_BPFDESC_LABEL, + (macop_t)mac_mls_destroy_label }, + { MAC_DESTROY_CRED_LABEL, + (macop_t)mac_mls_destroy_label }, + { MAC_DESTROY_DEVFSDIRENT_LABEL, + (macop_t)mac_mls_destroy_label }, + { MAC_DESTROY_IFNET_LABEL, + (macop_t)mac_mls_destroy_label }, + { MAC_DESTROY_IPQ_LABEL, + (macop_t)mac_mls_destroy_label }, + { MAC_DESTROY_MBUF_LABEL, + (macop_t)mac_mls_destroy_label }, + { MAC_DESTROY_MOUNT_LABEL, + (macop_t)mac_mls_destroy_label }, + { MAC_DESTROY_MOUNT_FS_LABEL, + (macop_t)mac_mls_destroy_label }, + { MAC_DESTROY_PIPE_LABEL, + (macop_t)mac_mls_destroy_label }, + { MAC_DESTROY_SOCKET_LABEL, + (macop_t)mac_mls_destroy_label }, + { MAC_DESTROY_SOCKET_PEER_LABEL, + (macop_t)mac_mls_destroy_label }, + { MAC_DESTROY_TEMP_LABEL, + (macop_t)mac_mls_destroy_label }, + { MAC_DESTROY_VNODE_LABEL, + (macop_t)mac_mls_destroy_label }, { MAC_EXTERNALIZE, (macop_t)mac_mls_externalize }, { MAC_INTERNALIZE, diff --git a/sys/security/mac_none/mac_none.c b/sys/security/mac_none/mac_none.c index dcc829c..052628b 100644 --- a/sys/security/mac_none/mac_none.c +++ b/sys/security/mac_none/mac_none.c 
@@ -109,140 +109,20 @@ mac_none_syscall(struct thread *td, int call, void *arg) * Label operations. */ static void -mac_none_init_bpfdesc(struct bpf_d *bpf_d, struct label *label) -{ - -} - -static void -mac_none_init_cred(struct ucred *ucred, struct label *label) -{ - -} - -static void -mac_none_init_devfsdirent(struct devfs_dirent *devfs_dirent, - struct label *label) -{ - -} - -static void -mac_none_init_ifnet(struct ifnet *ifnet, struct label *label) -{ - -} - -static void -mac_none_init_ipq(struct ipq *ipq, struct label *ipqlabel) +mac_none_init_label(struct label *label) { } static int -mac_none_init_mbuf(struct mbuf *mbuf, int how, struct label *label) +mac_none_init_label_waitcheck(struct label *label, int flag) { return (0); } static void -mac_none_init_mount(struct mount *mount, struct label *mntlabel, - struct label *fslabel) -{ - -} - -static void -mac_none_init_socket(struct socket *socket, struct label *label, - struct label *peerlabel) -{ - -} - -static void -mac_none_init_pipe(struct pipe *pipe, struct label *label) -{ - -} - -static void -mac_none_init_temp(struct label *label) -{ - -} - -static void -mac_none_init_vnode(struct vnode *vp, struct label *label) -{ - -} - -static void -mac_none_destroy_bpfdesc(struct bpf_d *bpf_d, struct label *label) -{ - -} - -static void -mac_none_destroy_cred(struct ucred *ucred, struct label *label) -{ - -} - -static void -mac_none_destroy_devfsdirent(struct devfs_dirent *devfs_dirent, - struct label *label) -{ - -} - -static void -mac_none_destroy_ifnet(struct ifnet *ifnet, struct label *label) -{ - -} - -static void -mac_none_destroy_ipq(struct ipq *ipq, struct label *label) -{ - -} - -static void -mac_none_destroy_mbuf(struct mbuf *mbuf, struct label *label) -{ - -} - -static void -mac_none_destroy_mount(struct mount *mount, struct label *mntlabel, - struct label *fslabel) -{ - -} - -static void -mac_none_destroy_socket(struct socket *socket, struct label *label, - struct label *peerlabel) -{ - -} - -static 
void -mac_none_destroy_pipe(struct pipe *pipe, struct label *label) -{ - -} - -static void -mac_none_destroy_temp(struct label *label) -{ - -} - -static void -mac_none_destroy_vnode(struct vnode *vp, struct label *label) +mac_none_destroy_label(struct label *label) { } 
@@ -943,50 +823,58 @@ static struct mac_policy_op_entry mac_none_ops[] = (macop_t)mac_none_init }, { MAC_SYSCALL, (macop_t)mac_none_syscall }, - { MAC_INIT_BPFDESC, - (macop_t)mac_none_init_bpfdesc }, - { MAC_INIT_CRED, - (macop_t)mac_none_init_cred }, - { MAC_INIT_DEVFSDIRENT, - (macop_t)mac_none_init_devfsdirent }, - { MAC_INIT_IFNET, - (macop_t)mac_none_init_ifnet }, - { MAC_INIT_IPQ, - (macop_t)mac_none_init_ipq }, - { MAC_INIT_MBUF, - (macop_t)mac_none_init_mbuf }, - { MAC_INIT_MOUNT, - (macop_t)mac_none_init_mount }, - { MAC_INIT_PIPE, - (macop_t)mac_none_init_pipe }, - { MAC_INIT_SOCKET, - (macop_t)mac_none_init_socket }, - { MAC_INIT_TEMP, - (macop_t)mac_none_init_temp }, - { MAC_INIT_VNODE, - (macop_t)mac_none_init_vnode }, - { MAC_DESTROY_BPFDESC, - (macop_t)mac_none_destroy_bpfdesc }, - { MAC_DESTROY_CRED, - (macop_t)mac_none_destroy_cred }, - { MAC_DESTROY_DEVFSDIRENT, - (macop_t)mac_none_destroy_devfsdirent }, - { MAC_DESTROY_IFNET, - (macop_t)mac_none_destroy_ifnet }, - { MAC_DESTROY_IPQ, - (macop_t)mac_none_destroy_ipq }, - { MAC_DESTROY_MBUF, - (macop_t)mac_none_destroy_mbuf }, - { MAC_DESTROY_MOUNT, - (macop_t)mac_none_destroy_mount }, - { MAC_DESTROY_PIPE, - (macop_t)mac_none_destroy_pipe }, - { MAC_DESTROY_SOCKET, - (macop_t)mac_none_destroy_socket }, - { MAC_DESTROY_TEMP, - (macop_t)mac_none_destroy_temp }, - { MAC_DESTROY_VNODE, - (macop_t)mac_none_destroy_vnode }, + { MAC_INIT_BPFDESC_LABEL, + (macop_t)mac_none_init_label }, + { MAC_INIT_CRED_LABEL, + (macop_t)mac_none_init_label }, + { MAC_INIT_DEVFSDIRENT_LABEL, + (macop_t)mac_none_init_label }, + { MAC_INIT_IFNET_LABEL, + (macop_t)mac_none_init_label }, + { MAC_INIT_IPQ_LABEL, + (macop_t)mac_none_init_label }, + { MAC_INIT_MBUF_LABEL, + (macop_t)mac_none_init_label_waitcheck }, + { MAC_INIT_MOUNT_LABEL, + (macop_t)mac_none_init_label }, + { MAC_INIT_MOUNT_FS_LABEL, + (macop_t)mac_none_init_label }, + { MAC_INIT_PIPE_LABEL, + (macop_t)mac_none_init_label }, + { MAC_INIT_SOCKET_LABEL, + 
(macop_t)mac_none_init_label }, + { MAC_INIT_SOCKET_PEER_LABEL, + (macop_t)mac_none_init_label }, + { MAC_INIT_TEMP_LABEL, + (macop_t)mac_none_init_label }, + { MAC_INIT_VNODE_LABEL, + (macop_t)mac_none_init_label }, + { MAC_DESTROY_BPFDESC_LABEL, + (macop_t)mac_none_destroy_label }, + { MAC_DESTROY_CRED_LABEL, + (macop_t)mac_none_destroy_label }, + { MAC_DESTROY_DEVFSDIRENT_LABEL, + (macop_t)mac_none_destroy_label }, + { MAC_DESTROY_IFNET_LABEL, + (macop_t)mac_none_destroy_label }, + { MAC_DESTROY_IPQ_LABEL, + (macop_t)mac_none_destroy_label }, + { MAC_DESTROY_MBUF_LABEL, + (macop_t)mac_none_destroy_label }, + { MAC_DESTROY_MOUNT_LABEL, + (macop_t)mac_none_destroy_label }, + { MAC_DESTROY_MOUNT_FS_LABEL, + (macop_t)mac_none_destroy_label }, + { MAC_DESTROY_PIPE_LABEL, + (macop_t)mac_none_destroy_label }, + { MAC_DESTROY_SOCKET_LABEL, + (macop_t)mac_none_destroy_label }, + { MAC_DESTROY_SOCKET_PEER_LABEL, + (macop_t)mac_none_destroy_label }, + { MAC_DESTROY_TEMP_LABEL, + (macop_t)mac_none_destroy_label }, + { MAC_DESTROY_VNODE_LABEL, + (macop_t)mac_none_destroy_label }, { MAC_EXTERNALIZE, (macop_t)mac_none_externalize }, { MAC_INTERNALIZE, diff --git a/sys/security/mac_stub/mac_stub.c b/sys/security/mac_stub/mac_stub.c index dcc829c..052628b 100644 --- a/sys/security/mac_stub/mac_stub.c +++ b/sys/security/mac_stub/mac_stub.c 
@@ -109,140 +109,20 @@ mac_none_syscall(struct thread *td, int call, void *arg) * Label operations. */ static void -mac_none_init_bpfdesc(struct bpf_d *bpf_d, struct label *label) -{ - -} - -static void -mac_none_init_cred(struct ucred *ucred, struct label *label) -{ - -} - -static void -mac_none_init_devfsdirent(struct devfs_dirent *devfs_dirent, - struct label *label) -{ - -} - -static void -mac_none_init_ifnet(struct ifnet *ifnet, struct label *label) -{ - -} - -static void -mac_none_init_ipq(struct ipq *ipq, struct label *ipqlabel) +mac_none_init_label(struct label *label) { } static int -mac_none_init_mbuf(struct mbuf *mbuf, int how, struct label *label) +mac_none_init_label_waitcheck(struct label *label, int flag) { return (0); } static void -mac_none_init_mount(struct mount *mount, struct label *mntlabel, - struct label *fslabel) -{ - -} - -static void -mac_none_init_socket(struct socket *socket, struct label *label, - struct label *peerlabel) -{ - -} - -static void -mac_none_init_pipe(struct pipe *pipe, struct label *label) -{ - -} - -static void -mac_none_init_temp(struct label *label) -{ - -} - -static void -mac_none_init_vnode(struct vnode *vp, struct label *label) -{ - -} - -static void -mac_none_destroy_bpfdesc(struct bpf_d *bpf_d, struct label *label) -{ - -} - -static void -mac_none_destroy_cred(struct ucred *ucred, struct label *label) -{ - -} - -static void -mac_none_destroy_devfsdirent(struct devfs_dirent *devfs_dirent, - struct label *label) -{ - -} - -static void -mac_none_destroy_ifnet(struct ifnet *ifnet, struct label *label) -{ - -} - -static void -mac_none_destroy_ipq(struct ipq *ipq, struct label *label) -{ - -} - -static void -mac_none_destroy_mbuf(struct mbuf *mbuf, struct label *label) -{ - -} - -static void -mac_none_destroy_mount(struct mount *mount, struct label *mntlabel, - struct label *fslabel) -{ - -} - -static void -mac_none_destroy_socket(struct socket *socket, struct label *label, - struct label *peerlabel) -{ - -} - -static 
void -mac_none_destroy_pipe(struct pipe *pipe, struct label *label) -{ - -} - -static void -mac_none_destroy_temp(struct label *label) -{ - -} - -static void -mac_none_destroy_vnode(struct vnode *vp, struct label *label) +mac_none_destroy_label(struct label *label) { } 
@@ -943,50 +823,58 @@ static struct mac_policy_op_entry mac_none_ops[] = (macop_t)mac_none_init }, { MAC_SYSCALL, (macop_t)mac_none_syscall }, - { MAC_INIT_BPFDESC, - (macop_t)mac_none_init_bpfdesc }, - { MAC_INIT_CRED, - (macop_t)mac_none_init_cred }, - { MAC_INIT_DEVFSDIRENT, - (macop_t)mac_none_init_devfsdirent }, - { MAC_INIT_IFNET, - (macop_t)mac_none_init_ifnet }, - { MAC_INIT_IPQ, - (macop_t)mac_none_init_ipq }, - { MAC_INIT_MBUF, - (macop_t)mac_none_init_mbuf }, - { MAC_INIT_MOUNT, - (macop_t)mac_none_init_mount }, - { MAC_INIT_PIPE, - (macop_t)mac_none_init_pipe }, - { MAC_INIT_SOCKET, - (macop_t)mac_none_init_socket }, - { MAC_INIT_TEMP, - (macop_t)mac_none_init_temp }, - { MAC_INIT_VNODE, - (macop_t)mac_none_init_vnode }, - { MAC_DESTROY_BPFDESC, - (macop_t)mac_none_destroy_bpfdesc }, - { MAC_DESTROY_CRED, - (macop_t)mac_none_destroy_cred }, - { MAC_DESTROY_DEVFSDIRENT, - (macop_t)mac_none_destroy_devfsdirent }, - { MAC_DESTROY_IFNET, - (macop_t)mac_none_destroy_ifnet }, - { MAC_DESTROY_IPQ, - (macop_t)mac_none_destroy_ipq }, - { MAC_DESTROY_MBUF, - (macop_t)mac_none_destroy_mbuf }, - { MAC_DESTROY_MOUNT, - (macop_t)mac_none_destroy_mount }, - { MAC_DESTROY_PIPE, - (macop_t)mac_none_destroy_pipe }, - { MAC_DESTROY_SOCKET, - (macop_t)mac_none_destroy_socket }, - { MAC_DESTROY_TEMP, - (macop_t)mac_none_destroy_temp }, - { MAC_DESTROY_VNODE, - (macop_t)mac_none_destroy_vnode }, + { MAC_INIT_BPFDESC_LABEL, + (macop_t)mac_none_init_label }, + { MAC_INIT_CRED_LABEL, + (macop_t)mac_none_init_label }, + { MAC_INIT_DEVFSDIRENT_LABEL, + (macop_t)mac_none_init_label }, + { MAC_INIT_IFNET_LABEL, + (macop_t)mac_none_init_label }, + { MAC_INIT_IPQ_LABEL, + (macop_t)mac_none_init_label }, + { MAC_INIT_MBUF_LABEL, + (macop_t)mac_none_init_label_waitcheck }, + { MAC_INIT_MOUNT_LABEL, + (macop_t)mac_none_init_label }, + { MAC_INIT_MOUNT_FS_LABEL, + (macop_t)mac_none_init_label }, + { MAC_INIT_PIPE_LABEL, + (macop_t)mac_none_init_label }, + { MAC_INIT_SOCKET_LABEL, + 
(macop_t)mac_none_init_label }, + { MAC_INIT_SOCKET_PEER_LABEL, + (macop_t)mac_none_init_label }, + { MAC_INIT_TEMP_LABEL, + (macop_t)mac_none_init_label }, + { MAC_INIT_VNODE_LABEL, + (macop_t)mac_none_init_label }, + { MAC_DESTROY_BPFDESC_LABEL, + (macop_t)mac_none_destroy_label }, + { MAC_DESTROY_CRED_LABEL, + (macop_t)mac_none_destroy_label }, + { MAC_DESTROY_DEVFSDIRENT_LABEL, + (macop_t)mac_none_destroy_label }, + { MAC_DESTROY_IFNET_LABEL, + (macop_t)mac_none_destroy_label }, + { MAC_DESTROY_IPQ_LABEL, + (macop_t)mac_none_destroy_label }, + { MAC_DESTROY_MBUF_LABEL, + (macop_t)mac_none_destroy_label }, + { MAC_DESTROY_MOUNT_LABEL, + (macop_t)mac_none_destroy_label }, + { MAC_DESTROY_MOUNT_FS_LABEL, + (macop_t)mac_none_destroy_label }, + { MAC_DESTROY_PIPE_LABEL, + (macop_t)mac_none_destroy_label }, + { MAC_DESTROY_SOCKET_LABEL, + (macop_t)mac_none_destroy_label }, + { MAC_DESTROY_SOCKET_PEER_LABEL, + (macop_t)mac_none_destroy_label }, + { MAC_DESTROY_TEMP_LABEL, + (macop_t)mac_none_destroy_label }, + { MAC_DESTROY_VNODE_LABEL, + (macop_t)mac_none_destroy_label }, { MAC_EXTERNALIZE, (macop_t)mac_none_externalize }, { MAC_INTERNALIZE, diff --git a/sys/security/mac_test/mac_test.c b/sys/security/mac_test/mac_test.c index 4ccae53..c6335da 100644 --- a/sys/security/mac_test/mac_test.c +++ b/sys/security/mac_test/mac_test.c 
@@ -118,9 +118,16 @@ SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mbuf, CTLFLAG_RD, static int init_count_mount; SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mount, CTLFLAG_RD, &init_count_mount, 0, "mount init calls"); +static int init_count_mount_fslabel; +SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mount_fslabel, CTLFLAG_RD, + &init_count_mount_fslabel, 0, "mount_fslabel init calls"); static int init_count_socket; SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_socket, CTLFLAG_RD, &init_count_socket, 0, "socket init calls"); +static int init_count_socket_peerlabel; +SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_socket_peerlabel, + CTLFLAG_RD, &init_count_socket_peerlabel, 0, + "socket_peerlabel init calls"); static int init_count_pipe; SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_pipe, CTLFLAG_RD, &init_count_pipe, 0, "pipe init calls"); @@ -152,9 +159,17 @@ SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mbuf, CTLFLAG_RD, static int destroy_count_mount; SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mount, CTLFLAG_RD, &destroy_count_mount, 0, "mount destroy calls"); +static int destroy_count_mount_fslabel; +SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mount_fslabel, + CTLFLAG_RD, &destroy_count_mount_fslabel, 0, + "mount_fslabel destroy calls"); static int destroy_count_socket; SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_socket, CTLFLAG_RD, &destroy_count_socket, 0, "socket destroy calls"); +static int destroy_count_socket_peerlabel; +SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_socket_peerlabel, + CTLFLAG_RD, &destroy_count_socket_peerlabel, 0, + "socket_peerlabel destroy calls"); static int destroy_count_pipe; SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_pipe, CTLFLAG_RD, &destroy_count_pipe, 0, "pipe destroy calls"); 
@@ -198,7 +213,7 @@ mac_test_syscall(struct thread *td, int call, void *arg) * Label operations. */ static void -mac_test_init_bpfdesc(struct bpf_d *bpf_d, struct label *label) +mac_test_init_bpfdesc_label(struct label *label) { SLOT(label) = BPFMAGIC; @@ -206,7 +221,7 @@ mac_test_init_bpfdesc(struct bpf_d *bpf_d, struct label *label) } static void -mac_test_init_cred(struct ucred *ucred, struct label *label) +mac_test_init_cred_label(struct label *label) { SLOT(label) = CREDMAGIC; @@ -214,8 +229,7 @@ mac_test_init_cred(struct ucred *ucred, struct label *label) } static void -mac_test_init_devfsdirent(struct devfs_dirent *devfs_dirent, - struct label *label) +mac_test_init_devfsdirent_label(struct label *label) { SLOT(label) = DEVFSMAGIC; @@ -223,7 +237,7 @@ mac_test_init_devfsdirent(struct devfs_dirent *devfs_dirent, } static void -mac_test_init_ifnet(struct ifnet *ifnet, struct label *label) +mac_test_init_ifnet_label(struct label *label) { SLOT(label) = IFNETMAGIC; @@ -231,7 +245,7 @@ mac_test_init_ifnet(struct ifnet *ifnet, struct label *label) } static void -mac_test_init_ipq(struct ipq *ipq, struct label *label) +mac_test_init_ipq_label(struct label *label) { SLOT(label) = IPQMAGIC; @@ -239,7 +253,7 @@ mac_test_init_ipq(struct ipq *ipq, struct label *label) } static int -mac_test_init_mbuf(struct mbuf *mbuf, int how, struct label *label) +mac_test_init_mbuf_label(struct label *label, int flag) { SLOT(label) = MBUFMAGIC; 
@@ -248,27 +262,39 @@ mac_test_init_mbuf(struct mbuf *mbuf, int how, struct label *label) } static void -mac_test_init_mount(struct mount *mount, struct label *mntlabel, - struct label *fslabel) +mac_test_init_mount_label(struct label *label) { - SLOT(mntlabel) = MOUNTMAGIC; - SLOT(fslabel) = MOUNTMAGIC; + SLOT(label) = MOUNTMAGIC; atomic_add_int(&init_count_mount, 1); } static void -mac_test_init_socket(struct socket *socket, struct label *label, - struct label *peerlabel) +mac_test_init_mount_fs_label(struct label *label) +{ + + SLOT(label) = MOUNTMAGIC; + atomic_add_int(&init_count_mount_fslabel, 1); +} + +static void +mac_test_init_socket_label(struct label *label) { SLOT(label) = SOCKETMAGIC; - SLOT(peerlabel) = SOCKETMAGIC; atomic_add_int(&init_count_socket, 1); } static void -mac_test_init_pipe(struct pipe *pipe, struct label *label) +mac_test_init_socket_peer_label(struct label *label) +{ + + SLOT(label) = SOCKETMAGIC; + atomic_add_int(&init_count_socket_peerlabel, 1); +} + +static void +mac_test_init_pipe_label(struct label *label) { SLOT(label) = PIPEMAGIC; @@ -276,7 +302,7 @@ mac_test_init_pipe(struct pipe *pipe, struct label *label) } static void -mac_test_init_temp(struct label *label) +mac_test_init_temp_label(struct label *label) { SLOT(label) = TEMPMAGIC; @@ -284,7 +310,7 @@ mac_test_init_temp(struct label *label) } static void -mac_test_init_vnode(struct vnode *vp, struct label *label) +mac_test_init_vnode_label(struct label *label) { SLOT(label) = VNODEMAGIC; @@ -292,7 +318,7 @@ mac_test_init_vnode(struct vnode *vp, struct label *label) } static void -mac_test_destroy_bpfdesc(struct bpf_d *bpf_d, struct label *label) +mac_test_destroy_bpfdesc_label(struct label *label) { if (SLOT(label) == BPFMAGIC || SLOT(label) == 0) { 
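Review bot: `mac_test_init_mount_fs_label` and `mac_test_init_socket_peer_label` tag their slots with the same `MOUNTMAGIC` / `SOCKETMAGIC` as the main mount and socket labels, so the test policy cannot detect an fs label being torn down through the mount entry point or a peer label through the socket one — precisely the mix-up that splitting these entry points makes possible. The counters were split into `init_count_mount_fslabel` and `init_count_socket_peerlabel`, so the magics should be split the same way: `SLOT(label) = MOUNTFSMAGIC;` and `SLOT(label) = SOCKETPEERMAGIC;` here, with the new constants defined next to the existing ones (their definitions are outside this hunk) and the destroy-side checks updated to match. Without that, the new destroy functions can only tell "dup destroy" from "corrupted", not which label kind they were handed.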
@@ -306,7 +332,7 @@ mac_test_destroy_bpfdesc(struct bpf_d *bpf_d, struct label *label) } static void -mac_test_destroy_cred(struct ucred *ucred, struct label *label) +mac_test_destroy_cred_label(struct label *label) { if (SLOT(label) == CREDMAGIC || SLOT(label) == 0) { @@ -320,8 +346,7 @@ mac_test_destroy_cred(struct ucred *ucred, struct label *label) } static void -mac_test_destroy_devfsdirent(struct devfs_dirent *devfs_dirent, - struct label *label) +mac_test_destroy_devfsdirent_label(struct label *label) { if (SLOT(label) == DEVFSMAGIC || SLOT(label) == 0) { @@ -335,7 +360,7 @@ mac_test_destroy_devfsdirent(struct devfs_dirent *devfs_dirent, } static void -mac_test_destroy_ifnet(struct ifnet *ifnet, struct label *label) +mac_test_destroy_ifnet_label(struct label *label) { if (SLOT(label) == IFNETMAGIC || SLOT(label) == 0) { @@ -349,7 +374,7 @@ mac_test_destroy_ifnet(struct ifnet *ifnet, struct label *label) } static void -mac_test_destroy_ipq(struct ipq *ipq, struct label *label) +mac_test_destroy_ipq_label(struct label *label) { if (SLOT(label) == IPQMAGIC || SLOT(label) == 0) { @@ -363,7 +388,7 @@ mac_test_destroy_ipq(struct ipq *ipq, struct label *label) } static void -mac_test_destroy_mbuf(struct mbuf *mbuf, struct label *label) +mac_test_destroy_mbuf_label(struct label *label) { if (SLOT(label) == MBUFMAGIC || SLOT(label) == 0) { 
@@ -377,16 +402,13 @@ mac_test_destroy_mbuf(struct mbuf *mbuf, struct label *label)
 }
 
 static void
-mac_test_destroy_mount(struct mount *mount, struct label *mntlabel,
-    struct label *fslabel)
+mac_test_destroy_mount_label(struct label *label)
 {
 
-	if ((SLOT(mntlabel) == MOUNTMAGIC || SLOT(mntlabel) == 0) &&
-	    (SLOT(fslabel) == MOUNTMAGIC || SLOT(fslabel) == 0)) {
+	if ((SLOT(label) == MOUNTMAGIC || SLOT(label) == 0)) {
 		atomic_add_int(&destroy_count_mount, 1);
-		SLOT(mntlabel) = EXMAGIC;
-		SLOT(fslabel) = EXMAGIC;
-	} else if (SLOT(mntlabel) == EXMAGIC || SLOT(fslabel) == EXMAGIC) {
+		SLOT(label) = EXMAGIC;
+	} else if (SLOT(label) == EXMAGIC) {
 		Debugger("mac_test_destroy_mount: dup destroy");
 	} else {
 		Debugger("mac_test_destroy_mount: corrupted label");
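Review bot: The Debugger() messages in mac_test_destroy_mount_label still say `mac_test_destroy_mount:` although the function is renamed in this hunk, and the same drift appears in the next hunk, where mac_test_destroy_mount_fs_label and mac_test_destroy_socket_peer_label report themselves as `mac_test_destroy_mount_fslabel:` and `mac_test_destroy_socket_peerlabel:` and mac_test_destroy_socket_label still says `mac_test_destroy_socket:`; a panic message that cannot be grepped back to its function costs time in exactly the debugging this policy is meant to support. Suggest `Debugger("mac_test_destroy_mount_label: dup destroy");` and `Debugger("mac_test_destroy_mount_label: corrupted label");` here, and each function's own name in the three functions of the next hunk. The doubled parentheses in `if ((SLOT(label) == MOUNTMAGIC || SLOT(label) == 0)) {` are a leftover of the removed two-label condition and can go. The closing braces of this function lie outside the hunk.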
@@ -394,23 +416,49 @@ mac_test_destroy_mount(struct mount *mount, struct label *mntlabel,
 }
 
 static void
-mac_test_destroy_socket(struct socket *socket, struct label *label,
-    struct label *peerlabel)
+mac_test_destroy_mount_fs_label(struct label *label)
 {
 
-	if ((SLOT(label) == SOCKETMAGIC || SLOT(label) == 0) &&
-	    (SLOT(peerlabel) == SOCKETMAGIC || SLOT(peerlabel) == 0)) {
+	if ((SLOT(label) == MOUNTMAGIC || SLOT(label) == 0)) {
+		atomic_add_int(&destroy_count_mount_fslabel, 1);
+		SLOT(label) = EXMAGIC;
+	} else if (SLOT(label) == EXMAGIC) {
+		Debugger("mac_test_destroy_mount_fslabel: dup destroy");
+	} else {
+		Debugger("mac_test_destroy_mount_fslabel: corrupted label");
+	}
+}
+
+static void
+mac_test_destroy_socket_label(struct label *label)
+{
+
+	if ((SLOT(label) == SOCKETMAGIC || SLOT(label) == 0)) {
 		atomic_add_int(&destroy_count_socket, 1);
 		SLOT(label) = EXMAGIC;
-		SLOT(peerlabel) = EXMAGIC;
-	} else if (SLOT(label) == EXMAGIC || SLOT(peerlabel) == EXMAGIC) {
+	} else if (SLOT(label) == EXMAGIC) {
 		Debugger("mac_test_destroy_socket: dup destroy");
 	} else {
 		Debugger("mac_test_destroy_socket: corrupted label");
 	}
 }
+
+static void
+mac_test_destroy_socket_peer_label(struct label *label)
+{
+
+	if ((SLOT(label) == SOCKETMAGIC || SLOT(label) == 0)) {
+		atomic_add_int(&destroy_count_socket_peerlabel, 1);
+		SLOT(label) = EXMAGIC;
+	} else if (SLOT(label) == EXMAGIC) {
+		Debugger("mac_test_destroy_socket_peerlabel: dup destroy");
+	} else {
+		Debugger("mac_test_destroy_socket_peerlabel: corrupted label");
+	}
+}
+
 static void
-mac_test_destroy_pipe(struct pipe *pipe, struct label *label)
+mac_test_destroy_pipe_label(struct label *label)
 {
 
 	if ((SLOT(label) == PIPEMAGIC || SLOT(label) == 0)) {
@@ -424,7 +472,7 @@ mac_test_destroy_pipe(struct pipe *pipe, struct label *label)
 }
 
 static void
-mac_test_destroy_temp(struct label *label)
+mac_test_destroy_temp_label(struct label *label)
 {
 
 	if (SLOT(label) == TEMPMAGIC || SLOT(label) == 0) {
@@ -438,7 +486,7 @@ mac_test_destroy_temp(struct label *label)
 }
 
 static void
-mac_test_destroy_vnode(struct vnode *vp, struct label *label)
+mac_test_destroy_vnode_label(struct label *label)
 {
 
 	if (SLOT(label) == VNODEMAGIC || SLOT(label) == 0) {
@@ -1151,50 +1199,58 @@ static struct mac_policy_op_entry mac_test_ops[] =
 	    (macop_t)mac_test_init },
 	{ MAC_SYSCALL,
 	    (macop_t)mac_test_syscall },
-	{ MAC_INIT_BPFDESC,
-	    (macop_t)mac_test_init_bpfdesc },
-	{ MAC_INIT_CRED,
-	    (macop_t)mac_test_init_cred },
-	{ MAC_INIT_DEVFSDIRENT,
-	    (macop_t)mac_test_init_devfsdirent },
-	{ MAC_INIT_IFNET,
-	    (macop_t)mac_test_init_ifnet },
-	{ MAC_INIT_IPQ,
-	    (macop_t)mac_test_init_ipq },
-	{ MAC_INIT_MBUF,
-	    (macop_t)mac_test_init_mbuf },
-	{ MAC_INIT_MOUNT,
-	    (macop_t)mac_test_init_mount },
-	{ MAC_INIT_PIPE,
-	    (macop_t)mac_test_init_pipe },
-	{ MAC_INIT_SOCKET,
-	    (macop_t)mac_test_init_socket },
-	{ MAC_INIT_TEMP,
-	    (macop_t)mac_test_init_temp },
-	{ MAC_INIT_VNODE,
-	    (macop_t)mac_test_init_vnode },
-	{ MAC_DESTROY_BPFDESC,
-	    (macop_t)mac_test_destroy_bpfdesc },
-	{ MAC_DESTROY_CRED,
-	    (macop_t)mac_test_destroy_cred },
-	{ MAC_DESTROY_DEVFSDIRENT,
-	    (macop_t)mac_test_destroy_devfsdirent },
-	{ MAC_DESTROY_IFNET,
-	    (macop_t)mac_test_destroy_ifnet },
-	{ MAC_DESTROY_IPQ,
-	    (macop_t)mac_test_destroy_ipq },
-	{ MAC_DESTROY_MBUF,
-	    (macop_t)mac_test_destroy_mbuf },
-	{ MAC_DESTROY_MOUNT,
-	    (macop_t)mac_test_destroy_mount },
-	{ MAC_DESTROY_PIPE,
-	    (macop_t)mac_test_destroy_pipe },
-	{ MAC_DESTROY_SOCKET,
-	    (macop_t)mac_test_destroy_socket },
-	{ MAC_DESTROY_TEMP,
-	    (macop_t)mac_test_destroy_temp },
-	{ MAC_DESTROY_VNODE,
-	    (macop_t)mac_test_destroy_vnode },
+	{ MAC_INIT_BPFDESC_LABEL,
+	    (macop_t)mac_test_init_bpfdesc_label },
+	{ MAC_INIT_CRED_LABEL,
+	    (macop_t)mac_test_init_cred_label },
+	{ MAC_INIT_DEVFSDIRENT_LABEL,
+	    (macop_t)mac_test_init_devfsdirent_label },
+	{ MAC_INIT_IFNET_LABEL,
+	    (macop_t)mac_test_init_ifnet_label },
+	{ MAC_INIT_IPQ_LABEL,
+	    (macop_t)mac_test_init_ipq_label },
+	{ MAC_INIT_MBUF_LABEL,
+	    (macop_t)mac_test_init_mbuf_label },
+	{ MAC_INIT_MOUNT_LABEL,
+	    (macop_t)mac_test_init_mount_label },
+	{ MAC_INIT_MOUNT_FS_LABEL,
+	    (macop_t)mac_test_init_mount_fs_label },
+	{ MAC_INIT_PIPE_LABEL,
+	    (macop_t)mac_test_init_pipe_label },
+	{ MAC_INIT_SOCKET_LABEL,
+	    (macop_t)mac_test_init_socket_label },
+	{ MAC_INIT_SOCKET_PEER_LABEL,
+	    (macop_t)mac_test_init_socket_peer_label },
+	{ MAC_INIT_TEMP_LABEL,
+	    (macop_t)mac_test_init_temp_label },
+	{ MAC_INIT_VNODE_LABEL,
+	    (macop_t)mac_test_init_vnode_label },
+	{ MAC_DESTROY_BPFDESC_LABEL,
+	    (macop_t)mac_test_destroy_bpfdesc_label },
+	{ MAC_DESTROY_CRED_LABEL,
+	    (macop_t)mac_test_destroy_cred_label },
+	{ MAC_DESTROY_DEVFSDIRENT_LABEL,
+	    (macop_t)mac_test_destroy_devfsdirent_label },
+	{ MAC_DESTROY_IFNET_LABEL,
+	    (macop_t)mac_test_destroy_ifnet_label },
+	{ MAC_DESTROY_IPQ_LABEL,
+	    (macop_t)mac_test_destroy_ipq_label },
+	{ MAC_DESTROY_MBUF_LABEL,
+	    (macop_t)mac_test_destroy_mbuf_label },
+	{ MAC_DESTROY_MOUNT_LABEL,
+	    (macop_t)mac_test_destroy_mount_label },
+	{ MAC_DESTROY_MOUNT_FS_LABEL,
+	    (macop_t)mac_test_destroy_mount_fs_label },
+	{ MAC_DESTROY_PIPE_LABEL,
+	    (macop_t)mac_test_destroy_pipe_label },
+	{ MAC_DESTROY_SOCKET_LABEL,
+	    (macop_t)mac_test_destroy_socket_label },
+	{ MAC_DESTROY_SOCKET_PEER_LABEL,
+	    (macop_t)mac_test_destroy_socket_peer_label },
+	{ MAC_DESTROY_TEMP_LABEL,
+	    (macop_t)mac_test_destroy_temp_label },
+	{ MAC_DESTROY_VNODE_LABEL,
+	    (macop_t)mac_test_destroy_vnode_label },
 	{ MAC_EXTERNALIZE,
 	    (macop_t)mac_test_externalize },
 	{ MAC_INTERNALIZE,
diff --git a/sys/sys/mac_policy.h b/sys/sys/mac_policy.h
index 52fee33..a54e925 100644
--- a/sys/sys/mac_policy.h
+++ b/sys/sys/mac_policy.h
@@ -72,34 +72,33 @@ struct mac_policy_ops {
 	/*
 	 * Label operations.
 	 */
-	void	(*mpo_init_bpfdesc)(struct bpf_d *, struct label *label);
-	void	(*mpo_init_cred)(struct ucred *, struct label *label);
-	void	(*mpo_init_devfsdirent)(struct devfs_dirent *,
-		    struct label *label);
-	void	(*mpo_init_ifnet)(struct ifnet *, struct label *label);
-	void	(*mpo_init_ipq)(struct ipq *ipq, struct label *label);
-	int	(*mpo_init_mbuf)(struct mbuf *, int how, struct label *label);
-	void	(*mpo_init_mount)(struct mount *, struct label *mntlabel,
-		    struct label *fslabel);
-	void	(*mpo_init_socket)(struct socket *so, struct label *label,
-		    struct label *peerlabel);
-	void	(*mpo_init_pipe)(struct pipe *pipe, struct label *label);
-	void	(*mpo_init_temp)(struct label *label);
-	void	(*mpo_init_vnode)(struct vnode *, struct label *label);
-	void	(*mpo_destroy_bpfdesc)(struct bpf_d *, struct label *label);
-	void	(*mpo_destroy_cred)(struct ucred *, struct label *label);
-	void	(*mpo_destroy_devfsdirent)(struct devfs_dirent *de,
-		    struct label *label);
-	void	(*mpo_destroy_ifnet)(struct ifnet *, struct label *label);
-	void	(*mpo_destroy_ipq)(struct ipq *ipq, struct label *label);
-	void	(*mpo_destroy_mbuf)(struct mbuf *, struct label *label);
-	void	(*mpo_destroy_mount)(struct mount *, struct label *mntlabel,
-		    struct label *fslabel);
-	void	(*mpo_destroy_socket)(struct socket *so, struct label *label,
-		    struct label *peerlabel);
-	void	(*mpo_destroy_pipe)(struct pipe *pipe, struct label *label);
-	void	(*mpo_destroy_temp)(struct label *label);
-	void	(*mpo_destroy_vnode)(struct vnode *, struct label *label);
+	void	(*mpo_init_bpfdesc_label)(struct label *label);
+	void	(*mpo_init_cred_label)(struct label *label);
+	void	(*mpo_init_devfsdirent_label)(struct label *label);
+	void	(*mpo_init_ifnet_label)(struct label *label);
+	void	(*mpo_init_ipq_label)(struct label *label);
+	int	(*mpo_init_mbuf_label)(struct label *label, int flag);
+	void	(*mpo_init_mount_label)(struct label *label);
+	void	(*mpo_init_mount_fs_label)(struct label *label);
+	void	(*mpo_init_socket_label)(struct label *label);
+	void	(*mpo_init_socket_peer_label)(struct label *label);
+	void	(*mpo_init_pipe_label)(struct label *label);
+	void	(*mpo_init_temp_label)(struct label *label);
+	void	(*mpo_init_vnode_label)(struct label *label);
+	void	(*mpo_destroy_bpfdesc_label)(struct label *label);
+	void	(*mpo_destroy_cred_label)(struct label *label);
+	void	(*mpo_destroy_devfsdirent_label)(struct label *label);
+	void	(*mpo_destroy_ifnet_label)(struct label *label);
+	void	(*mpo_destroy_ipq_label)(struct label *label);
+	void	(*mpo_destroy_mbuf_label)(struct label *label);
+	void	(*mpo_destroy_mount_label)(struct label *label);
+	void	(*mpo_destroy_mount_fs_label)(struct label *label);
+	void	(*mpo_destroy_socket_label)(struct label *label);
+	void	(*mpo_destroy_socket_peer_label)(struct label *label);
+	void	(*mpo_destroy_pipe_label)(struct label *label);
+	void	(*mpo_destroy_temp_label)(struct label *label);
+	void	(*mpo_destroy_vnode_label)(struct label *label);
+
 	int	(*mpo_externalize)(struct label *label, struct mac *extmac);
 	int	(*mpo_internalize)(struct label *label, struct mac *extmac);
 
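Review bot: The new label entry points carry no comment saying which object each label belongs to, and with the object pointer gone from the signature that is no longer recoverable from the types: mpo_init_mount_label versus mpo_init_mount_fs_label and mpo_init_socket_label versus mpo_init_socket_peer_label differ only by name. mpo_init_mbuf_label's second parameter has also been renamed from `how` to `flag` and moved after the label, with nothing saying what values it accepts or what the int return means (presumably the allocation wait flag and an errno value, as for the old mpo_init_mbuf, but this hunk does not show it). A short block comment above the group, one line per pair stating that the `_fs_label` and `_peer_label` variants initialize and destroy the mount's filesystem label and the socket's peer label, plus a line on `flag` and on the return value of mpo_init_mbuf_label, would make the interface self-describing for policy authors. The framework-side callers that must adopt the new signatures (kern_mac.c in the diffstat) are not in this chunk.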
@@ -355,28 +354,32 @@ enum mac_op_constant {
 	MAC_DESTROY,
 	MAC_INIT,
 	MAC_SYSCALL,
-	MAC_INIT_BPFDESC,
-	MAC_INIT_CRED,
-	MAC_INIT_DEVFSDIRENT,
-	MAC_INIT_IFNET,
-	MAC_INIT_IPQ,
-	MAC_INIT_MBUF,
-	MAC_INIT_MOUNT,
-	MAC_INIT_PIPE,
-	MAC_INIT_SOCKET,
-	MAC_INIT_TEMP,
-	MAC_INIT_VNODE,
-	MAC_DESTROY_BPFDESC,
-	MAC_DESTROY_CRED,
-	MAC_DESTROY_DEVFSDIRENT,
-	MAC_DESTROY_IFNET,
-	MAC_DESTROY_IPQ,
-	MAC_DESTROY_MBUF,
-	MAC_DESTROY_MOUNT,
-	MAC_DESTROY_PIPE,
-	MAC_DESTROY_SOCKET,
-	MAC_DESTROY_TEMP,
-	MAC_DESTROY_VNODE,
+	MAC_INIT_BPFDESC_LABEL,
+	MAC_INIT_CRED_LABEL,
+	MAC_INIT_DEVFSDIRENT_LABEL,
+	MAC_INIT_IFNET_LABEL,
+	MAC_INIT_IPQ_LABEL,
+	MAC_INIT_MBUF_LABEL,
+	MAC_INIT_MOUNT_LABEL,
+	MAC_INIT_MOUNT_FS_LABEL,
+	MAC_INIT_PIPE_LABEL,
+	MAC_INIT_SOCKET_LABEL,
+	MAC_INIT_SOCKET_PEER_LABEL,
+	MAC_INIT_TEMP_LABEL,
+	MAC_INIT_VNODE_LABEL,
+	MAC_DESTROY_BPFDESC_LABEL,
+	MAC_DESTROY_CRED_LABEL,
+	MAC_DESTROY_DEVFSDIRENT_LABEL,
+	MAC_DESTROY_IFNET_LABEL,
+	MAC_DESTROY_IPQ_LABEL,
+	MAC_DESTROY_MBUF_LABEL,
+	MAC_DESTROY_MOUNT_LABEL,
+	MAC_DESTROY_MOUNT_FS_LABEL,
+	MAC_DESTROY_PIPE_LABEL,
+	MAC_DESTROY_SOCKET_LABEL,
+	MAC_DESTROY_SOCKET_PEER_LABEL,
+	MAC_DESTROY_TEMP_LABEL,
+	MAC_DESTROY_VNODE_LABEL,
 	MAC_EXTERNALIZE,
 	MAC_INTERNALIZE,
 	MAC_CREATE_DEVFS_DEVICE, |
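Review bot: Inserting MAC_INIT_MOUNT_FS_LABEL and MAC_INIT_SOCKET_PEER_LABEL (and their DESTROY counterparts) in the middle of enum mac_op_constant shifts the numeric value of every constant after them, from MAC_INIT_PIPE_LABEL to the end of the enum, so the slot that used to be MAC_INIT_PIPE now names MAC_INIT_MOUNT_FS_LABEL. A policy module rebuilt from source trips over the removed names, but a module binary built against the previous header would still load and register its entry points under the wrong constants, and nothing in this hunk shows a policy interface version being checked at registration. If such a version exists it should be bumped with this change; if it does not, a comment on the enum, `/* Values are not ABI: renumbered whenever entry points are added. */`, at least records the expectation for out-of-tree policies.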