-rw-r--r--sys/kern/kern_mac.c154
-rw-r--r--sys/security/mac/mac_framework.c154
-rw-r--r--sys/security/mac/mac_internal.h154
-rw-r--r--sys/security/mac/mac_net.c154
-rw-r--r--sys/security/mac/mac_pipe.c154
-rw-r--r--sys/security/mac/mac_policy.h103
-rw-r--r--sys/security/mac/mac_process.c154
-rw-r--r--sys/security/mac/mac_syscalls.c154
-rw-r--r--sys/security/mac/mac_system.c154
-rw-r--r--sys/security/mac/mac_vfs.c154
-rw-r--r--sys/security/mac_biba/mac_biba.c263
-rw-r--r--sys/security/mac_mls/mac_mls.c263
-rw-r--r--sys/security/mac_none/mac_none.c222
-rw-r--r--sys/security/mac_stub/mac_stub.c222
-rw-r--r--sys/security/mac_test/mac_test.c224
-rw-r--r--sys/sys/mac_policy.h103
16 files changed, 1246 insertions, 1540 deletions
diff --git a/sys/kern/kern_mac.c b/sys/kern/kern_mac.c
index 2c07abe..cfe6670 100644
--- a/sys/kern/kern_mac.c
+++ b/sys/kern/kern_mac.c
@@ -394,92 +394,108 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_syscall =
mpe->mpe_function;
break;
- case MAC_INIT_BPFDESC:
- mpc->mpc_ops->mpo_init_bpfdesc =
+ case MAC_INIT_BPFDESC_LABEL:
+ mpc->mpc_ops->mpo_init_bpfdesc_label =
mpe->mpe_function;
break;
- case MAC_INIT_CRED:
- mpc->mpc_ops->mpo_init_cred =
+ case MAC_INIT_CRED_LABEL:
+ mpc->mpc_ops->mpo_init_cred_label =
mpe->mpe_function;
break;
- case MAC_INIT_DEVFSDIRENT:
- mpc->mpc_ops->mpo_init_devfsdirent =
+ case MAC_INIT_DEVFSDIRENT_LABEL:
+ mpc->mpc_ops->mpo_init_devfsdirent_label =
mpe->mpe_function;
break;
- case MAC_INIT_IFNET:
- mpc->mpc_ops->mpo_init_ifnet =
+ case MAC_INIT_IFNET_LABEL:
+ mpc->mpc_ops->mpo_init_ifnet_label =
mpe->mpe_function;
break;
- case MAC_INIT_IPQ:
- mpc->mpc_ops->mpo_init_ipq =
+ case MAC_INIT_IPQ_LABEL:
+ mpc->mpc_ops->mpo_init_ipq_label =
mpe->mpe_function;
break;
- case MAC_INIT_MBUF:
- mpc->mpc_ops->mpo_init_mbuf =
+ case MAC_INIT_MBUF_LABEL:
+ mpc->mpc_ops->mpo_init_mbuf_label =
mpe->mpe_function;
break;
- case MAC_INIT_MOUNT:
- mpc->mpc_ops->mpo_init_mount =
+ case MAC_INIT_MOUNT_LABEL:
+ mpc->mpc_ops->mpo_init_mount_label =
mpe->mpe_function;
break;
- case MAC_INIT_PIPE:
- mpc->mpc_ops->mpo_init_pipe =
+ case MAC_INIT_MOUNT_FS_LABEL:
+ mpc->mpc_ops->mpo_init_mount_fs_label =
mpe->mpe_function;
break;
- case MAC_INIT_SOCKET:
- mpc->mpc_ops->mpo_init_socket =
+ case MAC_INIT_PIPE_LABEL:
+ mpc->mpc_ops->mpo_init_pipe_label =
mpe->mpe_function;
break;
- case MAC_INIT_TEMP:
- mpc->mpc_ops->mpo_init_temp =
+ case MAC_INIT_SOCKET_LABEL:
+ mpc->mpc_ops->mpo_init_socket_label =
mpe->mpe_function;
break;
- case MAC_INIT_VNODE:
- mpc->mpc_ops->mpo_init_vnode =
+ case MAC_INIT_SOCKET_PEER_LABEL:
+ mpc->mpc_ops->mpo_init_socket_peer_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_BPFDESC:
- mpc->mpc_ops->mpo_destroy_bpfdesc =
+ case MAC_INIT_TEMP_LABEL:
+ mpc->mpc_ops->mpo_init_temp_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_CRED:
- mpc->mpc_ops->mpo_destroy_cred =
+ case MAC_INIT_VNODE_LABEL:
+ mpc->mpc_ops->mpo_init_vnode_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_DEVFSDIRENT:
- mpc->mpc_ops->mpo_destroy_devfsdirent =
+ case MAC_DESTROY_BPFDESC_LABEL:
+ mpc->mpc_ops->mpo_destroy_bpfdesc_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_IFNET:
- mpc->mpc_ops->mpo_destroy_ifnet =
+ case MAC_DESTROY_CRED_LABEL:
+ mpc->mpc_ops->mpo_destroy_cred_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_IPQ:
- mpc->mpc_ops->mpo_destroy_ipq =
+ case MAC_DESTROY_DEVFSDIRENT_LABEL:
+ mpc->mpc_ops->mpo_destroy_devfsdirent_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_MBUF:
- mpc->mpc_ops->mpo_destroy_mbuf =
+ case MAC_DESTROY_IFNET_LABEL:
+ mpc->mpc_ops->mpo_destroy_ifnet_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_MOUNT:
- mpc->mpc_ops->mpo_destroy_mount =
+ case MAC_DESTROY_IPQ_LABEL:
+ mpc->mpc_ops->mpo_destroy_ipq_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_PIPE:
- mpc->mpc_ops->mpo_destroy_pipe =
+ case MAC_DESTROY_MBUF_LABEL:
+ mpc->mpc_ops->mpo_destroy_mbuf_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_SOCKET:
- mpc->mpc_ops->mpo_destroy_socket =
+ case MAC_DESTROY_MOUNT_LABEL:
+ mpc->mpc_ops->mpo_destroy_mount_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_TEMP:
- mpc->mpc_ops->mpo_destroy_temp =
+ case MAC_DESTROY_MOUNT_FS_LABEL:
+ mpc->mpc_ops->mpo_destroy_mount_fs_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_VNODE:
- mpc->mpc_ops->mpo_destroy_vnode =
+ case MAC_DESTROY_PIPE_LABEL:
+ mpc->mpc_ops->mpo_destroy_pipe_label =
+ mpe->mpe_function;
+ break;
+ case MAC_DESTROY_SOCKET_LABEL:
+ mpc->mpc_ops->mpo_destroy_socket_label =
+ mpe->mpe_function;
+ break;
+ case MAC_DESTROY_SOCKET_PEER_LABEL:
+ mpc->mpc_ops->mpo_destroy_socket_peer_label =
+ mpe->mpe_function;
+ break;
+ case MAC_DESTROY_TEMP_LABEL:
+ mpc->mpc_ops->mpo_destroy_temp_label =
+ mpe->mpe_function;
+ break;
+ case MAC_DESTROY_VNODE_LABEL:
+ mpc->mpc_ops->mpo_destroy_vnode_label =
mpe->mpe_function;
break;
case MAC_EXTERNALIZE:
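Review bot: The new cases `MAC_INIT_MOUNT_FS_LABEL` and `MAC_INIT_SOCKET_PEER_LABEL` (and their destroy counterparts) land in the middle of this list alongside changed hook argument lists, which changes the binary contract with policy modules. The op constants are defined in a header outside this hunk, so whether their values were renumbered is an inference. If they were, a module built against the old header would have its `mpe_function` pointers stored in mismatched `mpo_*` slots and called in kernel context with the wrong arguments. Worth confirming that a version check refuses stale policy modules at load time and that this commit bumps it. mac_policy_register starts and ends outside the hunk, and the same hunk repeats under the mac_framework.c, mac_internal.h and mac_net.c headers.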
@@ -1290,7 +1306,7 @@ mac_init_mbuf(struct mbuf *m, int how)
/* "how" is one of M_(TRY|DONT)WAIT */
mac_init_label(&m->m_pkthdr.label);
- MAC_PERFORM(init_mbuf, m, how, &m->m_pkthdr.label);
+ MAC_PERFORM(init_mbuf_label, &m->m_pkthdr.label, how);
#ifdef MAC_DEBUG
atomic_add_int(&nmacmbufs, 1);
#endif
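Review bot: `MAC_PERFORM(init_mbuf_label, &m->m_pkthdr.label, how);` hands `how` to every policy but, as a statement-style dispatch, gives a policy no way to report that its allocation failed under the non-sleeping value named in the comment above. Assuming MAC_PERFORM discards hook results (its definition is not in this hunk), an mbuf could leave here with a label the policy never populated, and later access checks would run against it. Either collect an error from the hooks and return it to the caller, or state the constraint at the call: `/* policies cannot fail here; with M_DONTWAIT they must not sleep either */`. The function body continues outside the hunk; the identical hunk appears under the later file headers on this page.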
@@ -1301,7 +1317,7 @@ void
mac_destroy_mbuf(struct mbuf *m)
{
- MAC_PERFORM(destroy_mbuf, m, &m->m_pkthdr.label);
+ MAC_PERFORM(destroy_mbuf_label, &m->m_pkthdr.label);
mac_destroy_label(&m->m_pkthdr.label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacmbufs, 1);
@@ -1313,7 +1329,7 @@ mac_init_cred(struct ucred *cr)
{
mac_init_label(&cr->cr_label);
- MAC_PERFORM(init_cred, cr, &cr->cr_label);
+ MAC_PERFORM(init_cred_label, &cr->cr_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmaccreds, 1);
#endif
@@ -1323,7 +1339,7 @@ void
mac_destroy_cred(struct ucred *cr)
{
- MAC_PERFORM(destroy_cred, cr, &cr->cr_label);
+ MAC_PERFORM(destroy_cred_label, &cr->cr_label);
mac_destroy_label(&cr->cr_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmaccreds, 1);
@@ -1335,7 +1351,7 @@ mac_init_ifnet(struct ifnet *ifp)
{
mac_init_label(&ifp->if_label);
- MAC_PERFORM(init_ifnet, ifp, &ifp->if_label);
+ MAC_PERFORM(init_ifnet_label, &ifp->if_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacifnets, 1);
#endif
@@ -1345,7 +1361,7 @@ void
mac_destroy_ifnet(struct ifnet *ifp)
{
- MAC_PERFORM(destroy_ifnet, ifp, &ifp->if_label);
+ MAC_PERFORM(destroy_ifnet_label, &ifp->if_label);
mac_destroy_label(&ifp->if_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacifnets, 1);
@@ -1357,7 +1373,7 @@ mac_init_ipq(struct ipq *ipq)
{
mac_init_label(&ipq->ipq_label);
- MAC_PERFORM(init_ipq, ipq, &ipq->ipq_label);
+ MAC_PERFORM(init_ipq_label, &ipq->ipq_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacipqs, 1);
#endif
@@ -1367,7 +1383,7 @@ void
mac_destroy_ipq(struct ipq *ipq)
{
- MAC_PERFORM(destroy_ipq, ipq, &ipq->ipq_label);
+ MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label);
mac_destroy_label(&ipq->ipq_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacipqs, 1);
@@ -1380,8 +1396,8 @@ mac_init_socket(struct socket *socket)
mac_init_label(&socket->so_label);
mac_init_label(&socket->so_peerlabel);
- MAC_PERFORM(init_socket, socket, &socket->so_label,
- &socket->so_peerlabel);
+ MAC_PERFORM(init_socket_label, &socket->so_label);
+ MAC_PERFORM(init_socket_peer_label, &socket->so_peerlabel);
#ifdef MAC_DEBUG
atomic_add_int(&nmacsockets, 1);
#endif
@@ -1391,8 +1407,8 @@ void
mac_destroy_socket(struct socket *socket)
{
- MAC_PERFORM(destroy_socket, socket, &socket->so_label,
- &socket->so_peerlabel);
+ MAC_PERFORM(destroy_socket_label, &socket->so_label);
+ MAC_PERFORM(destroy_socket_peer_label, &socket->so_peerlabel);
mac_destroy_label(&socket->so_label);
mac_destroy_label(&socket->so_peerlabel);
#ifdef MAC_DEBUG
@@ -1409,7 +1425,7 @@ mac_init_pipe(struct pipe *pipe)
mac_init_label(label);
pipe->pipe_label = label;
pipe->pipe_peer->pipe_label = label;
- MAC_PERFORM(init_pipe, pipe, pipe->pipe_label);
+ MAC_PERFORM(init_pipe_label, pipe->pipe_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacpipes, 1);
#endif
@@ -1419,7 +1435,7 @@ void
mac_destroy_pipe(struct pipe *pipe)
{
- MAC_PERFORM(destroy_pipe, pipe, pipe->pipe_label);
+ MAC_PERFORM(destroy_pipe_label, pipe->pipe_label);
mac_destroy_label(pipe->pipe_label);
free(pipe->pipe_label, M_MACPIPELABEL);
#ifdef MAC_DEBUG
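Review bot: The destroy hook now receives only `pipe->pipe_label`, which mac_init_pipe (previous hunk) also stores in `pipe->pipe_peer->pipe_label`, and nothing visible here clears either pointer after `free()`. If this function can run once per endpoint rather than once per pair, the second call would pass freed memory to every policy. If the caller guarantees a single call, a comment would settle it: `/* Called once per pipe pair; the label is shared with pipe_peer. */`; otherwise set both `pipe_label` pointers to NULL after the free. The function continues past the hunk, and the same hunk repeats under the other file headers.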
@@ -1432,7 +1448,7 @@ mac_init_bpfdesc(struct bpf_d *bpf_d)
{
mac_init_label(&bpf_d->bd_label);
- MAC_PERFORM(init_bpfdesc, bpf_d, &bpf_d->bd_label);
+ MAC_PERFORM(init_bpfdesc_label, &bpf_d->bd_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacbpfdescs, 1);
#endif
@@ -1442,7 +1458,7 @@ void
mac_destroy_bpfdesc(struct bpf_d *bpf_d)
{
- MAC_PERFORM(destroy_bpfdesc, bpf_d, &bpf_d->bd_label);
+ MAC_PERFORM(destroy_bpfdesc_label, &bpf_d->bd_label);
mac_destroy_label(&bpf_d->bd_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacbpfdescs, 1);
@@ -1455,7 +1471,8 @@ mac_init_mount(struct mount *mp)
mac_init_label(&mp->mnt_mntlabel);
mac_init_label(&mp->mnt_fslabel);
- MAC_PERFORM(init_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel);
+ MAC_PERFORM(init_mount_label, &mp->mnt_mntlabel);
+ MAC_PERFORM(init_mount_fs_label, &mp->mnt_fslabel);
#ifdef MAC_DEBUG
atomic_add_int(&nmacmounts, 1);
#endif
@@ -1465,7 +1482,8 @@ void
mac_destroy_mount(struct mount *mp)
{
- MAC_PERFORM(destroy_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel);
+ MAC_PERFORM(destroy_mount_label, &mp->mnt_mntlabel);
+ MAC_PERFORM(destroy_mount_fs_label, &mp->mnt_fslabel);
mac_destroy_label(&mp->mnt_fslabel);
mac_destroy_label(&mp->mnt_mntlabel);
#ifdef MAC_DEBUG
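Review bot: The two new destroy hooks run on `mnt_mntlabel` first and `mnt_fslabel` second, while the `mac_destroy_label` calls directly below run in the opposite order. Nothing in the hunk shows this to be harmful, but mac_destroy_socket keeps one order for both pairs, so the asymmetry here reads as accidental. Suggest issuing `MAC_PERFORM(destroy_mount_fs_label, &mp->mnt_fslabel);` before `MAC_PERFORM(destroy_mount_label, &mp->mnt_mntlabel);` so teardown is consistently the reverse of init. The function body ends outside the hunk.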
@@ -1478,7 +1496,7 @@ mac_init_temp(struct label *label)
{
mac_init_label(label);
- MAC_PERFORM(init_temp, label);
+ MAC_PERFORM(init_temp_label, label);
#ifdef MAC_DEBUG
atomic_add_int(&nmactemp, 1);
#endif
@@ -1488,7 +1506,7 @@ static void
mac_destroy_temp(struct label *label)
{
- MAC_PERFORM(destroy_temp, label);
+ MAC_PERFORM(destroy_temp_label, label);
mac_destroy_label(label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmactemp, 1);
@@ -1500,7 +1518,7 @@ mac_init_vnode(struct vnode *vp)
{
mac_init_label(&vp->v_label);
- MAC_PERFORM(init_vnode, vp, &vp->v_label);
+ MAC_PERFORM(init_vnode_label, &vp->v_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacvnodes, 1);
#endif
@@ -1510,7 +1528,7 @@ void
mac_destroy_vnode(struct vnode *vp)
{
- MAC_PERFORM(destroy_vnode, vp, &vp->v_label);
+ MAC_PERFORM(destroy_vnode_label, &vp->v_label);
mac_destroy_label(&vp->v_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacvnodes, 1);
@@ -1522,7 +1540,7 @@ mac_init_devfsdirent(struct devfs_dirent *de)
{
mac_init_label(&de->de_label);
- MAC_PERFORM(init_devfsdirent, de, &de->de_label);
+ MAC_PERFORM(init_devfsdirent_label, &de->de_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacdevfsdirents, 1);
#endif
@@ -1532,7 +1550,7 @@ void
mac_destroy_devfsdirent(struct devfs_dirent *de)
{
- MAC_PERFORM(destroy_devfsdirent, de, &de->de_label);
+ MAC_PERFORM(destroy_devfsdirent_label, &de->de_label);
mac_destroy_label(&de->de_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacdevfsdirents, 1);
diff --git a/sys/security/mac/mac_framework.c b/sys/security/mac/mac_framework.c
index 2c07abe..cfe6670 100644
--- a/sys/security/mac/mac_framework.c
+++ b/sys/security/mac/mac_framework.c
@@ -394,92 +394,108 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_syscall =
mpe->mpe_function;
break;
- case MAC_INIT_BPFDESC:
- mpc->mpc_ops->mpo_init_bpfdesc =
+ case MAC_INIT_BPFDESC_LABEL:
+ mpc->mpc_ops->mpo_init_bpfdesc_label =
mpe->mpe_function;
break;
- case MAC_INIT_CRED:
- mpc->mpc_ops->mpo_init_cred =
+ case MAC_INIT_CRED_LABEL:
+ mpc->mpc_ops->mpo_init_cred_label =
mpe->mpe_function;
break;
- case MAC_INIT_DEVFSDIRENT:
- mpc->mpc_ops->mpo_init_devfsdirent =
+ case MAC_INIT_DEVFSDIRENT_LABEL:
+ mpc->mpc_ops->mpo_init_devfsdirent_label =
mpe->mpe_function;
break;
- case MAC_INIT_IFNET:
- mpc->mpc_ops->mpo_init_ifnet =
+ case MAC_INIT_IFNET_LABEL:
+ mpc->mpc_ops->mpo_init_ifnet_label =
mpe->mpe_function;
break;
- case MAC_INIT_IPQ:
- mpc->mpc_ops->mpo_init_ipq =
+ case MAC_INIT_IPQ_LABEL:
+ mpc->mpc_ops->mpo_init_ipq_label =
mpe->mpe_function;
break;
- case MAC_INIT_MBUF:
- mpc->mpc_ops->mpo_init_mbuf =
+ case MAC_INIT_MBUF_LABEL:
+ mpc->mpc_ops->mpo_init_mbuf_label =
mpe->mpe_function;
break;
- case MAC_INIT_MOUNT:
- mpc->mpc_ops->mpo_init_mount =
+ case MAC_INIT_MOUNT_LABEL:
+ mpc->mpc_ops->mpo_init_mount_label =
mpe->mpe_function;
break;
- case MAC_INIT_PIPE:
- mpc->mpc_ops->mpo_init_pipe =
+ case MAC_INIT_MOUNT_FS_LABEL:
+ mpc->mpc_ops->mpo_init_mount_fs_label =
mpe->mpe_function;
break;
- case MAC_INIT_SOCKET:
- mpc->mpc_ops->mpo_init_socket =
+ case MAC_INIT_PIPE_LABEL:
+ mpc->mpc_ops->mpo_init_pipe_label =
mpe->mpe_function;
break;
- case MAC_INIT_TEMP:
- mpc->mpc_ops->mpo_init_temp =
+ case MAC_INIT_SOCKET_LABEL:
+ mpc->mpc_ops->mpo_init_socket_label =
mpe->mpe_function;
break;
- case MAC_INIT_VNODE:
- mpc->mpc_ops->mpo_init_vnode =
+ case MAC_INIT_SOCKET_PEER_LABEL:
+ mpc->mpc_ops->mpo_init_socket_peer_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_BPFDESC:
- mpc->mpc_ops->mpo_destroy_bpfdesc =
+ case MAC_INIT_TEMP_LABEL:
+ mpc->mpc_ops->mpo_init_temp_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_CRED:
- mpc->mpc_ops->mpo_destroy_cred =
+ case MAC_INIT_VNODE_LABEL:
+ mpc->mpc_ops->mpo_init_vnode_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_DEVFSDIRENT:
- mpc->mpc_ops->mpo_destroy_devfsdirent =
+ case MAC_DESTROY_BPFDESC_LABEL:
+ mpc->mpc_ops->mpo_destroy_bpfdesc_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_IFNET:
- mpc->mpc_ops->mpo_destroy_ifnet =
+ case MAC_DESTROY_CRED_LABEL:
+ mpc->mpc_ops->mpo_destroy_cred_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_IPQ:
- mpc->mpc_ops->mpo_destroy_ipq =
+ case MAC_DESTROY_DEVFSDIRENT_LABEL:
+ mpc->mpc_ops->mpo_destroy_devfsdirent_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_MBUF:
- mpc->mpc_ops->mpo_destroy_mbuf =
+ case MAC_DESTROY_IFNET_LABEL:
+ mpc->mpc_ops->mpo_destroy_ifnet_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_MOUNT:
- mpc->mpc_ops->mpo_destroy_mount =
+ case MAC_DESTROY_IPQ_LABEL:
+ mpc->mpc_ops->mpo_destroy_ipq_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_PIPE:
- mpc->mpc_ops->mpo_destroy_pipe =
+ case MAC_DESTROY_MBUF_LABEL:
+ mpc->mpc_ops->mpo_destroy_mbuf_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_SOCKET:
- mpc->mpc_ops->mpo_destroy_socket =
+ case MAC_DESTROY_MOUNT_LABEL:
+ mpc->mpc_ops->mpo_destroy_mount_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_TEMP:
- mpc->mpc_ops->mpo_destroy_temp =
+ case MAC_DESTROY_MOUNT_FS_LABEL:
+ mpc->mpc_ops->mpo_destroy_mount_fs_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_VNODE:
- mpc->mpc_ops->mpo_destroy_vnode =
+ case MAC_DESTROY_PIPE_LABEL:
+ mpc->mpc_ops->mpo_destroy_pipe_label =
+ mpe->mpe_function;
+ break;
+ case MAC_DESTROY_SOCKET_LABEL:
+ mpc->mpc_ops->mpo_destroy_socket_label =
+ mpe->mpe_function;
+ break;
+ case MAC_DESTROY_SOCKET_PEER_LABEL:
+ mpc->mpc_ops->mpo_destroy_socket_peer_label =
+ mpe->mpe_function;
+ break;
+ case MAC_DESTROY_TEMP_LABEL:
+ mpc->mpc_ops->mpo_destroy_temp_label =
+ mpe->mpe_function;
+ break;
+ case MAC_DESTROY_VNODE_LABEL:
+ mpc->mpc_ops->mpo_destroy_vnode_label =
mpe->mpe_function;
break;
case MAC_EXTERNALIZE:
@@ -1290,7 +1306,7 @@ mac_init_mbuf(struct mbuf *m, int how)
/* "how" is one of M_(TRY|DONT)WAIT */
mac_init_label(&m->m_pkthdr.label);
- MAC_PERFORM(init_mbuf, m, how, &m->m_pkthdr.label);
+ MAC_PERFORM(init_mbuf_label, &m->m_pkthdr.label, how);
#ifdef MAC_DEBUG
atomic_add_int(&nmacmbufs, 1);
#endif
@@ -1301,7 +1317,7 @@ void
mac_destroy_mbuf(struct mbuf *m)
{
- MAC_PERFORM(destroy_mbuf, m, &m->m_pkthdr.label);
+ MAC_PERFORM(destroy_mbuf_label, &m->m_pkthdr.label);
mac_destroy_label(&m->m_pkthdr.label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacmbufs, 1);
@@ -1313,7 +1329,7 @@ mac_init_cred(struct ucred *cr)
{
mac_init_label(&cr->cr_label);
- MAC_PERFORM(init_cred, cr, &cr->cr_label);
+ MAC_PERFORM(init_cred_label, &cr->cr_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmaccreds, 1);
#endif
@@ -1323,7 +1339,7 @@ void
mac_destroy_cred(struct ucred *cr)
{
- MAC_PERFORM(destroy_cred, cr, &cr->cr_label);
+ MAC_PERFORM(destroy_cred_label, &cr->cr_label);
mac_destroy_label(&cr->cr_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmaccreds, 1);
@@ -1335,7 +1351,7 @@ mac_init_ifnet(struct ifnet *ifp)
{
mac_init_label(&ifp->if_label);
- MAC_PERFORM(init_ifnet, ifp, &ifp->if_label);
+ MAC_PERFORM(init_ifnet_label, &ifp->if_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacifnets, 1);
#endif
@@ -1345,7 +1361,7 @@ void
mac_destroy_ifnet(struct ifnet *ifp)
{
- MAC_PERFORM(destroy_ifnet, ifp, &ifp->if_label);
+ MAC_PERFORM(destroy_ifnet_label, &ifp->if_label);
mac_destroy_label(&ifp->if_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacifnets, 1);
@@ -1357,7 +1373,7 @@ mac_init_ipq(struct ipq *ipq)
{
mac_init_label(&ipq->ipq_label);
- MAC_PERFORM(init_ipq, ipq, &ipq->ipq_label);
+ MAC_PERFORM(init_ipq_label, &ipq->ipq_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacipqs, 1);
#endif
@@ -1367,7 +1383,7 @@ void
mac_destroy_ipq(struct ipq *ipq)
{
- MAC_PERFORM(destroy_ipq, ipq, &ipq->ipq_label);
+ MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label);
mac_destroy_label(&ipq->ipq_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacipqs, 1);
@@ -1380,8 +1396,8 @@ mac_init_socket(struct socket *socket)
mac_init_label(&socket->so_label);
mac_init_label(&socket->so_peerlabel);
- MAC_PERFORM(init_socket, socket, &socket->so_label,
- &socket->so_peerlabel);
+ MAC_PERFORM(init_socket_label, &socket->so_label);
+ MAC_PERFORM(init_socket_peer_label, &socket->so_peerlabel);
#ifdef MAC_DEBUG
atomic_add_int(&nmacsockets, 1);
#endif
@@ -1391,8 +1407,8 @@ void
mac_destroy_socket(struct socket *socket)
{
- MAC_PERFORM(destroy_socket, socket, &socket->so_label,
- &socket->so_peerlabel);
+ MAC_PERFORM(destroy_socket_label, &socket->so_label);
+ MAC_PERFORM(destroy_socket_peer_label, &socket->so_peerlabel);
mac_destroy_label(&socket->so_label);
mac_destroy_label(&socket->so_peerlabel);
#ifdef MAC_DEBUG
@@ -1409,7 +1425,7 @@ mac_init_pipe(struct pipe *pipe)
mac_init_label(label);
pipe->pipe_label = label;
pipe->pipe_peer->pipe_label = label;
- MAC_PERFORM(init_pipe, pipe, pipe->pipe_label);
+ MAC_PERFORM(init_pipe_label, pipe->pipe_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacpipes, 1);
#endif
@@ -1419,7 +1435,7 @@ void
mac_destroy_pipe(struct pipe *pipe)
{
- MAC_PERFORM(destroy_pipe, pipe, pipe->pipe_label);
+ MAC_PERFORM(destroy_pipe_label, pipe->pipe_label);
mac_destroy_label(pipe->pipe_label);
free(pipe->pipe_label, M_MACPIPELABEL);
#ifdef MAC_DEBUG
@@ -1432,7 +1448,7 @@ mac_init_bpfdesc(struct bpf_d *bpf_d)
{
mac_init_label(&bpf_d->bd_label);
- MAC_PERFORM(init_bpfdesc, bpf_d, &bpf_d->bd_label);
+ MAC_PERFORM(init_bpfdesc_label, &bpf_d->bd_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacbpfdescs, 1);
#endif
@@ -1442,7 +1458,7 @@ void
mac_destroy_bpfdesc(struct bpf_d *bpf_d)
{
- MAC_PERFORM(destroy_bpfdesc, bpf_d, &bpf_d->bd_label);
+ MAC_PERFORM(destroy_bpfdesc_label, &bpf_d->bd_label);
mac_destroy_label(&bpf_d->bd_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacbpfdescs, 1);
@@ -1455,7 +1471,8 @@ mac_init_mount(struct mount *mp)
mac_init_label(&mp->mnt_mntlabel);
mac_init_label(&mp->mnt_fslabel);
- MAC_PERFORM(init_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel);
+ MAC_PERFORM(init_mount_label, &mp->mnt_mntlabel);
+ MAC_PERFORM(init_mount_fs_label, &mp->mnt_fslabel);
#ifdef MAC_DEBUG
atomic_add_int(&nmacmounts, 1);
#endif
@@ -1465,7 +1482,8 @@ void
mac_destroy_mount(struct mount *mp)
{
- MAC_PERFORM(destroy_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel);
+ MAC_PERFORM(destroy_mount_label, &mp->mnt_mntlabel);
+ MAC_PERFORM(destroy_mount_fs_label, &mp->mnt_fslabel);
mac_destroy_label(&mp->mnt_fslabel);
mac_destroy_label(&mp->mnt_mntlabel);
#ifdef MAC_DEBUG
@@ -1478,7 +1496,7 @@ mac_init_temp(struct label *label)
{
mac_init_label(label);
- MAC_PERFORM(init_temp, label);
+ MAC_PERFORM(init_temp_label, label);
#ifdef MAC_DEBUG
atomic_add_int(&nmactemp, 1);
#endif
@@ -1488,7 +1506,7 @@ static void
mac_destroy_temp(struct label *label)
{
- MAC_PERFORM(destroy_temp, label);
+ MAC_PERFORM(destroy_temp_label, label);
mac_destroy_label(label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmactemp, 1);
@@ -1500,7 +1518,7 @@ mac_init_vnode(struct vnode *vp)
{
mac_init_label(&vp->v_label);
- MAC_PERFORM(init_vnode, vp, &vp->v_label);
+ MAC_PERFORM(init_vnode_label, &vp->v_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacvnodes, 1);
#endif
@@ -1510,7 +1528,7 @@ void
mac_destroy_vnode(struct vnode *vp)
{
- MAC_PERFORM(destroy_vnode, vp, &vp->v_label);
+ MAC_PERFORM(destroy_vnode_label, &vp->v_label);
mac_destroy_label(&vp->v_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacvnodes, 1);
@@ -1522,7 +1540,7 @@ mac_init_devfsdirent(struct devfs_dirent *de)
{
mac_init_label(&de->de_label);
- MAC_PERFORM(init_devfsdirent, de, &de->de_label);
+ MAC_PERFORM(init_devfsdirent_label, &de->de_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacdevfsdirents, 1);
#endif
@@ -1532,7 +1550,7 @@ void
mac_destroy_devfsdirent(struct devfs_dirent *de)
{
- MAC_PERFORM(destroy_devfsdirent, de, &de->de_label);
+ MAC_PERFORM(destroy_devfsdirent_label, &de->de_label);
mac_destroy_label(&de->de_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacdevfsdirents, 1);
diff --git a/sys/security/mac/mac_internal.h b/sys/security/mac/mac_internal.h
index 2c07abe..cfe6670 100644
--- a/sys/security/mac/mac_internal.h
+++ b/sys/security/mac/mac_internal.h
@@ -394,92 +394,108 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_syscall =
mpe->mpe_function;
break;
- case MAC_INIT_BPFDESC:
- mpc->mpc_ops->mpo_init_bpfdesc =
+ case MAC_INIT_BPFDESC_LABEL:
+ mpc->mpc_ops->mpo_init_bpfdesc_label =
mpe->mpe_function;
break;
- case MAC_INIT_CRED:
- mpc->mpc_ops->mpo_init_cred =
+ case MAC_INIT_CRED_LABEL:
+ mpc->mpc_ops->mpo_init_cred_label =
mpe->mpe_function;
break;
- case MAC_INIT_DEVFSDIRENT:
- mpc->mpc_ops->mpo_init_devfsdirent =
+ case MAC_INIT_DEVFSDIRENT_LABEL:
+ mpc->mpc_ops->mpo_init_devfsdirent_label =
mpe->mpe_function;
break;
- case MAC_INIT_IFNET:
- mpc->mpc_ops->mpo_init_ifnet =
+ case MAC_INIT_IFNET_LABEL:
+ mpc->mpc_ops->mpo_init_ifnet_label =
mpe->mpe_function;
break;
- case MAC_INIT_IPQ:
- mpc->mpc_ops->mpo_init_ipq =
+ case MAC_INIT_IPQ_LABEL:
+ mpc->mpc_ops->mpo_init_ipq_label =
mpe->mpe_function;
break;
- case MAC_INIT_MBUF:
- mpc->mpc_ops->mpo_init_mbuf =
+ case MAC_INIT_MBUF_LABEL:
+ mpc->mpc_ops->mpo_init_mbuf_label =
mpe->mpe_function;
break;
- case MAC_INIT_MOUNT:
- mpc->mpc_ops->mpo_init_mount =
+ case MAC_INIT_MOUNT_LABEL:
+ mpc->mpc_ops->mpo_init_mount_label =
mpe->mpe_function;
break;
- case MAC_INIT_PIPE:
- mpc->mpc_ops->mpo_init_pipe =
+ case MAC_INIT_MOUNT_FS_LABEL:
+ mpc->mpc_ops->mpo_init_mount_fs_label =
mpe->mpe_function;
break;
- case MAC_INIT_SOCKET:
- mpc->mpc_ops->mpo_init_socket =
+ case MAC_INIT_PIPE_LABEL:
+ mpc->mpc_ops->mpo_init_pipe_label =
mpe->mpe_function;
break;
- case MAC_INIT_TEMP:
- mpc->mpc_ops->mpo_init_temp =
+ case MAC_INIT_SOCKET_LABEL:
+ mpc->mpc_ops->mpo_init_socket_label =
mpe->mpe_function;
break;
- case MAC_INIT_VNODE:
- mpc->mpc_ops->mpo_init_vnode =
+ case MAC_INIT_SOCKET_PEER_LABEL:
+ mpc->mpc_ops->mpo_init_socket_peer_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_BPFDESC:
- mpc->mpc_ops->mpo_destroy_bpfdesc =
+ case MAC_INIT_TEMP_LABEL:
+ mpc->mpc_ops->mpo_init_temp_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_CRED:
- mpc->mpc_ops->mpo_destroy_cred =
+ case MAC_INIT_VNODE_LABEL:
+ mpc->mpc_ops->mpo_init_vnode_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_DEVFSDIRENT:
- mpc->mpc_ops->mpo_destroy_devfsdirent =
+ case MAC_DESTROY_BPFDESC_LABEL:
+ mpc->mpc_ops->mpo_destroy_bpfdesc_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_IFNET:
- mpc->mpc_ops->mpo_destroy_ifnet =
+ case MAC_DESTROY_CRED_LABEL:
+ mpc->mpc_ops->mpo_destroy_cred_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_IPQ:
- mpc->mpc_ops->mpo_destroy_ipq =
+ case MAC_DESTROY_DEVFSDIRENT_LABEL:
+ mpc->mpc_ops->mpo_destroy_devfsdirent_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_MBUF:
- mpc->mpc_ops->mpo_destroy_mbuf =
+ case MAC_DESTROY_IFNET_LABEL:
+ mpc->mpc_ops->mpo_destroy_ifnet_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_MOUNT:
- mpc->mpc_ops->mpo_destroy_mount =
+ case MAC_DESTROY_IPQ_LABEL:
+ mpc->mpc_ops->mpo_destroy_ipq_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_PIPE:
- mpc->mpc_ops->mpo_destroy_pipe =
+ case MAC_DESTROY_MBUF_LABEL:
+ mpc->mpc_ops->mpo_destroy_mbuf_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_SOCKET:
- mpc->mpc_ops->mpo_destroy_socket =
+ case MAC_DESTROY_MOUNT_LABEL:
+ mpc->mpc_ops->mpo_destroy_mount_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_TEMP:
- mpc->mpc_ops->mpo_destroy_temp =
+ case MAC_DESTROY_MOUNT_FS_LABEL:
+ mpc->mpc_ops->mpo_destroy_mount_fs_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_VNODE:
- mpc->mpc_ops->mpo_destroy_vnode =
+ case MAC_DESTROY_PIPE_LABEL:
+ mpc->mpc_ops->mpo_destroy_pipe_label =
+ mpe->mpe_function;
+ break;
+ case MAC_DESTROY_SOCKET_LABEL:
+ mpc->mpc_ops->mpo_destroy_socket_label =
+ mpe->mpe_function;
+ break;
+ case MAC_DESTROY_SOCKET_PEER_LABEL:
+ mpc->mpc_ops->mpo_destroy_socket_peer_label =
+ mpe->mpe_function;
+ break;
+ case MAC_DESTROY_TEMP_LABEL:
+ mpc->mpc_ops->mpo_destroy_temp_label =
+ mpe->mpe_function;
+ break;
+ case MAC_DESTROY_VNODE_LABEL:
+ mpc->mpc_ops->mpo_destroy_vnode_label =
mpe->mpe_function;
break;
case MAC_EXTERNALIZE:
@@ -1290,7 +1306,7 @@ mac_init_mbuf(struct mbuf *m, int how)
/* "how" is one of M_(TRY|DONT)WAIT */
mac_init_label(&m->m_pkthdr.label);
- MAC_PERFORM(init_mbuf, m, how, &m->m_pkthdr.label);
+ MAC_PERFORM(init_mbuf_label, &m->m_pkthdr.label, how);
#ifdef MAC_DEBUG
atomic_add_int(&nmacmbufs, 1);
#endif
@@ -1301,7 +1317,7 @@ void
mac_destroy_mbuf(struct mbuf *m)
{
- MAC_PERFORM(destroy_mbuf, m, &m->m_pkthdr.label);
+ MAC_PERFORM(destroy_mbuf_label, &m->m_pkthdr.label);
mac_destroy_label(&m->m_pkthdr.label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacmbufs, 1);
@@ -1313,7 +1329,7 @@ mac_init_cred(struct ucred *cr)
{
mac_init_label(&cr->cr_label);
- MAC_PERFORM(init_cred, cr, &cr->cr_label);
+ MAC_PERFORM(init_cred_label, &cr->cr_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmaccreds, 1);
#endif
@@ -1323,7 +1339,7 @@ void
mac_destroy_cred(struct ucred *cr)
{
- MAC_PERFORM(destroy_cred, cr, &cr->cr_label);
+ MAC_PERFORM(destroy_cred_label, &cr->cr_label);
mac_destroy_label(&cr->cr_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmaccreds, 1);
@@ -1335,7 +1351,7 @@ mac_init_ifnet(struct ifnet *ifp)
{
mac_init_label(&ifp->if_label);
- MAC_PERFORM(init_ifnet, ifp, &ifp->if_label);
+ MAC_PERFORM(init_ifnet_label, &ifp->if_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacifnets, 1);
#endif
@@ -1345,7 +1361,7 @@ void
mac_destroy_ifnet(struct ifnet *ifp)
{
- MAC_PERFORM(destroy_ifnet, ifp, &ifp->if_label);
+ MAC_PERFORM(destroy_ifnet_label, &ifp->if_label);
mac_destroy_label(&ifp->if_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacifnets, 1);
@@ -1357,7 +1373,7 @@ mac_init_ipq(struct ipq *ipq)
{
mac_init_label(&ipq->ipq_label);
- MAC_PERFORM(init_ipq, ipq, &ipq->ipq_label);
+ MAC_PERFORM(init_ipq_label, &ipq->ipq_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacipqs, 1);
#endif
@@ -1367,7 +1383,7 @@ void
mac_destroy_ipq(struct ipq *ipq)
{
- MAC_PERFORM(destroy_ipq, ipq, &ipq->ipq_label);
+ MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label);
mac_destroy_label(&ipq->ipq_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacipqs, 1);
@@ -1380,8 +1396,8 @@ mac_init_socket(struct socket *socket)
mac_init_label(&socket->so_label);
mac_init_label(&socket->so_peerlabel);
- MAC_PERFORM(init_socket, socket, &socket->so_label,
- &socket->so_peerlabel);
+ MAC_PERFORM(init_socket_label, &socket->so_label);
+ MAC_PERFORM(init_socket_peer_label, &socket->so_peerlabel);
#ifdef MAC_DEBUG
atomic_add_int(&nmacsockets, 1);
#endif
@@ -1391,8 +1407,8 @@ void
mac_destroy_socket(struct socket *socket)
{
- MAC_PERFORM(destroy_socket, socket, &socket->so_label,
- &socket->so_peerlabel);
+ MAC_PERFORM(destroy_socket_label, &socket->so_label);
+ MAC_PERFORM(destroy_socket_peer_label, &socket->so_peerlabel);
mac_destroy_label(&socket->so_label);
mac_destroy_label(&socket->so_peerlabel);
#ifdef MAC_DEBUG
@@ -1409,7 +1425,7 @@ mac_init_pipe(struct pipe *pipe)
mac_init_label(label);
pipe->pipe_label = label;
pipe->pipe_peer->pipe_label = label;
- MAC_PERFORM(init_pipe, pipe, pipe->pipe_label);
+ MAC_PERFORM(init_pipe_label, pipe->pipe_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacpipes, 1);
#endif
@@ -1419,7 +1435,7 @@ void
mac_destroy_pipe(struct pipe *pipe)
{
- MAC_PERFORM(destroy_pipe, pipe, pipe->pipe_label);
+ MAC_PERFORM(destroy_pipe_label, pipe->pipe_label);
mac_destroy_label(pipe->pipe_label);
free(pipe->pipe_label, M_MACPIPELABEL);
#ifdef MAC_DEBUG
@@ -1432,7 +1448,7 @@ mac_init_bpfdesc(struct bpf_d *bpf_d)
{
mac_init_label(&bpf_d->bd_label);
- MAC_PERFORM(init_bpfdesc, bpf_d, &bpf_d->bd_label);
+ MAC_PERFORM(init_bpfdesc_label, &bpf_d->bd_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacbpfdescs, 1);
#endif
@@ -1442,7 +1458,7 @@ void
mac_destroy_bpfdesc(struct bpf_d *bpf_d)
{
- MAC_PERFORM(destroy_bpfdesc, bpf_d, &bpf_d->bd_label);
+ MAC_PERFORM(destroy_bpfdesc_label, &bpf_d->bd_label);
mac_destroy_label(&bpf_d->bd_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacbpfdescs, 1);
@@ -1455,7 +1471,8 @@ mac_init_mount(struct mount *mp)
mac_init_label(&mp->mnt_mntlabel);
mac_init_label(&mp->mnt_fslabel);
- MAC_PERFORM(init_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel);
+ MAC_PERFORM(init_mount_label, &mp->mnt_mntlabel);
+ MAC_PERFORM(init_mount_fs_label, &mp->mnt_fslabel);
#ifdef MAC_DEBUG
atomic_add_int(&nmacmounts, 1);
#endif
@@ -1465,7 +1482,8 @@ void
mac_destroy_mount(struct mount *mp)
{
- MAC_PERFORM(destroy_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel);
+ MAC_PERFORM(destroy_mount_label, &mp->mnt_mntlabel);
+ MAC_PERFORM(destroy_mount_fs_label, &mp->mnt_fslabel);
mac_destroy_label(&mp->mnt_fslabel);
mac_destroy_label(&mp->mnt_mntlabel);
#ifdef MAC_DEBUG
@@ -1478,7 +1496,7 @@ mac_init_temp(struct label *label)
{
mac_init_label(label);
- MAC_PERFORM(init_temp, label);
+ MAC_PERFORM(init_temp_label, label);
#ifdef MAC_DEBUG
atomic_add_int(&nmactemp, 1);
#endif
@@ -1488,7 +1506,7 @@ static void
mac_destroy_temp(struct label *label)
{
- MAC_PERFORM(destroy_temp, label);
+ MAC_PERFORM(destroy_temp_label, label);
mac_destroy_label(label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmactemp, 1);
@@ -1500,7 +1518,7 @@ mac_init_vnode(struct vnode *vp)
{
mac_init_label(&vp->v_label);
- MAC_PERFORM(init_vnode, vp, &vp->v_label);
+ MAC_PERFORM(init_vnode_label, &vp->v_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacvnodes, 1);
#endif
@@ -1510,7 +1528,7 @@ void
mac_destroy_vnode(struct vnode *vp)
{
- MAC_PERFORM(destroy_vnode, vp, &vp->v_label);
+ MAC_PERFORM(destroy_vnode_label, &vp->v_label);
mac_destroy_label(&vp->v_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacvnodes, 1);
@@ -1522,7 +1540,7 @@ mac_init_devfsdirent(struct devfs_dirent *de)
{
mac_init_label(&de->de_label);
- MAC_PERFORM(init_devfsdirent, de, &de->de_label);
+ MAC_PERFORM(init_devfsdirent_label, &de->de_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacdevfsdirents, 1);
#endif
@@ -1532,7 +1550,7 @@ void
mac_destroy_devfsdirent(struct devfs_dirent *de)
{
- MAC_PERFORM(destroy_devfsdirent, de, &de->de_label);
+ MAC_PERFORM(destroy_devfsdirent_label, &de->de_label);
mac_destroy_label(&de->de_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacdevfsdirents, 1);
diff --git a/sys/security/mac/mac_net.c b/sys/security/mac/mac_net.c
index 2c07abe..cfe6670 100644
--- a/sys/security/mac/mac_net.c
+++ b/sys/security/mac/mac_net.c
@@ -394,92 +394,108 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_syscall =
mpe->mpe_function;
break;
- case MAC_INIT_BPFDESC:
- mpc->mpc_ops->mpo_init_bpfdesc =
+ case MAC_INIT_BPFDESC_LABEL:
+ mpc->mpc_ops->mpo_init_bpfdesc_label =
mpe->mpe_function;
break;
- case MAC_INIT_CRED:
- mpc->mpc_ops->mpo_init_cred =
+ case MAC_INIT_CRED_LABEL:
+ mpc->mpc_ops->mpo_init_cred_label =
mpe->mpe_function;
break;
- case MAC_INIT_DEVFSDIRENT:
- mpc->mpc_ops->mpo_init_devfsdirent =
+ case MAC_INIT_DEVFSDIRENT_LABEL:
+ mpc->mpc_ops->mpo_init_devfsdirent_label =
mpe->mpe_function;
break;
- case MAC_INIT_IFNET:
- mpc->mpc_ops->mpo_init_ifnet =
+ case MAC_INIT_IFNET_LABEL:
+ mpc->mpc_ops->mpo_init_ifnet_label =
mpe->mpe_function;
break;
- case MAC_INIT_IPQ:
- mpc->mpc_ops->mpo_init_ipq =
+ case MAC_INIT_IPQ_LABEL:
+ mpc->mpc_ops->mpo_init_ipq_label =
mpe->mpe_function;
break;
- case MAC_INIT_MBUF:
- mpc->mpc_ops->mpo_init_mbuf =
+ case MAC_INIT_MBUF_LABEL:
+ mpc->mpc_ops->mpo_init_mbuf_label =
mpe->mpe_function;
break;
- case MAC_INIT_MOUNT:
- mpc->mpc_ops->mpo_init_mount =
+ case MAC_INIT_MOUNT_LABEL:
+ mpc->mpc_ops->mpo_init_mount_label =
mpe->mpe_function;
break;
- case MAC_INIT_PIPE:
- mpc->mpc_ops->mpo_init_pipe =
+ case MAC_INIT_MOUNT_FS_LABEL:
+ mpc->mpc_ops->mpo_init_mount_fs_label =
mpe->mpe_function;
break;
- case MAC_INIT_SOCKET:
- mpc->mpc_ops->mpo_init_socket =
+ case MAC_INIT_PIPE_LABEL:
+ mpc->mpc_ops->mpo_init_pipe_label =
mpe->mpe_function;
break;
- case MAC_INIT_TEMP:
- mpc->mpc_ops->mpo_init_temp =
+ case MAC_INIT_SOCKET_LABEL:
+ mpc->mpc_ops->mpo_init_socket_label =
mpe->mpe_function;
break;
- case MAC_INIT_VNODE:
- mpc->mpc_ops->mpo_init_vnode =
+ case MAC_INIT_SOCKET_PEER_LABEL:
+ mpc->mpc_ops->mpo_init_socket_peer_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_BPFDESC:
- mpc->mpc_ops->mpo_destroy_bpfdesc =
+ case MAC_INIT_TEMP_LABEL:
+ mpc->mpc_ops->mpo_init_temp_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_CRED:
- mpc->mpc_ops->mpo_destroy_cred =
+ case MAC_INIT_VNODE_LABEL:
+ mpc->mpc_ops->mpo_init_vnode_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_DEVFSDIRENT:
- mpc->mpc_ops->mpo_destroy_devfsdirent =
+ case MAC_DESTROY_BPFDESC_LABEL:
+ mpc->mpc_ops->mpo_destroy_bpfdesc_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_IFNET:
- mpc->mpc_ops->mpo_destroy_ifnet =
+ case MAC_DESTROY_CRED_LABEL:
+ mpc->mpc_ops->mpo_destroy_cred_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_IPQ:
- mpc->mpc_ops->mpo_destroy_ipq =
+ case MAC_DESTROY_DEVFSDIRENT_LABEL:
+ mpc->mpc_ops->mpo_destroy_devfsdirent_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_MBUF:
- mpc->mpc_ops->mpo_destroy_mbuf =
+ case MAC_DESTROY_IFNET_LABEL:
+ mpc->mpc_ops->mpo_destroy_ifnet_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_MOUNT:
- mpc->mpc_ops->mpo_destroy_mount =
+ case MAC_DESTROY_IPQ_LABEL:
+ mpc->mpc_ops->mpo_destroy_ipq_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_PIPE:
- mpc->mpc_ops->mpo_destroy_pipe =
+ case MAC_DESTROY_MBUF_LABEL:
+ mpc->mpc_ops->mpo_destroy_mbuf_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_SOCKET:
- mpc->mpc_ops->mpo_destroy_socket =
+ case MAC_DESTROY_MOUNT_LABEL:
+ mpc->mpc_ops->mpo_destroy_mount_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_TEMP:
- mpc->mpc_ops->mpo_destroy_temp =
+ case MAC_DESTROY_MOUNT_FS_LABEL:
+ mpc->mpc_ops->mpo_destroy_mount_fs_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_VNODE:
- mpc->mpc_ops->mpo_destroy_vnode =
+ case MAC_DESTROY_PIPE_LABEL:
+ mpc->mpc_ops->mpo_destroy_pipe_label =
+ mpe->mpe_function;
+ break;
+ case MAC_DESTROY_SOCKET_LABEL:
+ mpc->mpc_ops->mpo_destroy_socket_label =
+ mpe->mpe_function;
+ break;
+ case MAC_DESTROY_SOCKET_PEER_LABEL:
+ mpc->mpc_ops->mpo_destroy_socket_peer_label =
+ mpe->mpe_function;
+ break;
+ case MAC_DESTROY_TEMP_LABEL:
+ mpc->mpc_ops->mpo_destroy_temp_label =
+ mpe->mpe_function;
+ break;
+ case MAC_DESTROY_VNODE_LABEL:
+ mpc->mpc_ops->mpo_destroy_vnode_label =
mpe->mpe_function;
break;
case MAC_EXTERNALIZE:
@@ -1290,7 +1306,7 @@ mac_init_mbuf(struct mbuf *m, int how)
/* "how" is one of M_(TRY|DONT)WAIT */
mac_init_label(&m->m_pkthdr.label);
- MAC_PERFORM(init_mbuf, m, how, &m->m_pkthdr.label);
+ MAC_PERFORM(init_mbuf_label, &m->m_pkthdr.label, how);
#ifdef MAC_DEBUG
atomic_add_int(&nmacmbufs, 1);
#endif
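Review bot: The result of the mbuf label hook is dropped at `MAC_PERFORM(init_mbuf_label, &m->m_pkthdr.label, how);`, although the mac_policy.h hunk of this commit declares `mpo_init_mbuf_label` as returning `int`. The comment above the call says `how` is one of M_(TRY|DONT)WAIT, so a policy that cannot set up its label state without sleeping presumably has no way to report the failure, and the mbuf would go on carrying a label the policy never finished initialising. MAC_PERFORM's definition is not visible here; if it does discard return values, the call should collect the error instead, e.g. `MAC_CHECK(init_mbuf_label, &m->m_pkthdr.label, how);`, then tear the label down with `mac_destroy_label(&m->m_pkthdr.label);` and hand the error to the caller when it is non-zero. mac_init_mbuf begins and ends outside the hunk, and the identical hunks in mac_pipe.c and mac_process.c have the same gap.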
@@ -1301,7 +1317,7 @@ void
mac_destroy_mbuf(struct mbuf *m)
{
- MAC_PERFORM(destroy_mbuf, m, &m->m_pkthdr.label);
+ MAC_PERFORM(destroy_mbuf_label, &m->m_pkthdr.label);
mac_destroy_label(&m->m_pkthdr.label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacmbufs, 1);
@@ -1313,7 +1329,7 @@ mac_init_cred(struct ucred *cr)
{
mac_init_label(&cr->cr_label);
- MAC_PERFORM(init_cred, cr, &cr->cr_label);
+ MAC_PERFORM(init_cred_label, &cr->cr_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmaccreds, 1);
#endif
@@ -1323,7 +1339,7 @@ void
mac_destroy_cred(struct ucred *cr)
{
- MAC_PERFORM(destroy_cred, cr, &cr->cr_label);
+ MAC_PERFORM(destroy_cred_label, &cr->cr_label);
mac_destroy_label(&cr->cr_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmaccreds, 1);
@@ -1335,7 +1351,7 @@ mac_init_ifnet(struct ifnet *ifp)
{
mac_init_label(&ifp->if_label);
- MAC_PERFORM(init_ifnet, ifp, &ifp->if_label);
+ MAC_PERFORM(init_ifnet_label, &ifp->if_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacifnets, 1);
#endif
@@ -1345,7 +1361,7 @@ void
mac_destroy_ifnet(struct ifnet *ifp)
{
- MAC_PERFORM(destroy_ifnet, ifp, &ifp->if_label);
+ MAC_PERFORM(destroy_ifnet_label, &ifp->if_label);
mac_destroy_label(&ifp->if_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacifnets, 1);
@@ -1357,7 +1373,7 @@ mac_init_ipq(struct ipq *ipq)
{
mac_init_label(&ipq->ipq_label);
- MAC_PERFORM(init_ipq, ipq, &ipq->ipq_label);
+ MAC_PERFORM(init_ipq_label, &ipq->ipq_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacipqs, 1);
#endif
@@ -1367,7 +1383,7 @@ void
mac_destroy_ipq(struct ipq *ipq)
{
- MAC_PERFORM(destroy_ipq, ipq, &ipq->ipq_label);
+ MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label);
mac_destroy_label(&ipq->ipq_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacipqs, 1);
@@ -1380,8 +1396,8 @@ mac_init_socket(struct socket *socket)
mac_init_label(&socket->so_label);
mac_init_label(&socket->so_peerlabel);
- MAC_PERFORM(init_socket, socket, &socket->so_label,
- &socket->so_peerlabel);
+ MAC_PERFORM(init_socket_label, &socket->so_label);
+ MAC_PERFORM(init_socket_peer_label, &socket->so_peerlabel);
#ifdef MAC_DEBUG
atomic_add_int(&nmacsockets, 1);
#endif
@@ -1391,8 +1407,8 @@ void
mac_destroy_socket(struct socket *socket)
{
- MAC_PERFORM(destroy_socket, socket, &socket->so_label,
- &socket->so_peerlabel);
+ MAC_PERFORM(destroy_socket_label, &socket->so_label);
+ MAC_PERFORM(destroy_socket_peer_label, &socket->so_peerlabel);
mac_destroy_label(&socket->so_label);
mac_destroy_label(&socket->so_peerlabel);
#ifdef MAC_DEBUG
@@ -1409,7 +1425,7 @@ mac_init_pipe(struct pipe *pipe)
mac_init_label(label);
pipe->pipe_label = label;
pipe->pipe_peer->pipe_label = label;
- MAC_PERFORM(init_pipe, pipe, pipe->pipe_label);
+ MAC_PERFORM(init_pipe_label, pipe->pipe_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacpipes, 1);
#endif
@@ -1419,7 +1435,7 @@ void
mac_destroy_pipe(struct pipe *pipe)
{
- MAC_PERFORM(destroy_pipe, pipe, pipe->pipe_label);
+ MAC_PERFORM(destroy_pipe_label, pipe->pipe_label);
mac_destroy_label(pipe->pipe_label);
free(pipe->pipe_label, M_MACPIPELABEL);
#ifdef MAC_DEBUG
@@ -1432,7 +1448,7 @@ mac_init_bpfdesc(struct bpf_d *bpf_d)
{
mac_init_label(&bpf_d->bd_label);
- MAC_PERFORM(init_bpfdesc, bpf_d, &bpf_d->bd_label);
+ MAC_PERFORM(init_bpfdesc_label, &bpf_d->bd_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacbpfdescs, 1);
#endif
@@ -1442,7 +1458,7 @@ void
mac_destroy_bpfdesc(struct bpf_d *bpf_d)
{
- MAC_PERFORM(destroy_bpfdesc, bpf_d, &bpf_d->bd_label);
+ MAC_PERFORM(destroy_bpfdesc_label, &bpf_d->bd_label);
mac_destroy_label(&bpf_d->bd_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacbpfdescs, 1);
@@ -1455,7 +1471,8 @@ mac_init_mount(struct mount *mp)
mac_init_label(&mp->mnt_mntlabel);
mac_init_label(&mp->mnt_fslabel);
- MAC_PERFORM(init_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel);
+ MAC_PERFORM(init_mount_label, &mp->mnt_mntlabel);
+ MAC_PERFORM(init_mount_fs_label, &mp->mnt_fslabel);
#ifdef MAC_DEBUG
atomic_add_int(&nmacmounts, 1);
#endif
@@ -1465,7 +1482,8 @@ void
mac_destroy_mount(struct mount *mp)
{
- MAC_PERFORM(destroy_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel);
+ MAC_PERFORM(destroy_mount_label, &mp->mnt_mntlabel);
+ MAC_PERFORM(destroy_mount_fs_label, &mp->mnt_fslabel);
mac_destroy_label(&mp->mnt_fslabel);
mac_destroy_label(&mp->mnt_mntlabel);
#ifdef MAC_DEBUG
@@ -1478,7 +1496,7 @@ mac_init_temp(struct label *label)
{
mac_init_label(label);
- MAC_PERFORM(init_temp, label);
+ MAC_PERFORM(init_temp_label, label);
#ifdef MAC_DEBUG
atomic_add_int(&nmactemp, 1);
#endif
@@ -1488,7 +1506,7 @@ static void
mac_destroy_temp(struct label *label)
{
- MAC_PERFORM(destroy_temp, label);
+ MAC_PERFORM(destroy_temp_label, label);
mac_destroy_label(label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmactemp, 1);
@@ -1500,7 +1518,7 @@ mac_init_vnode(struct vnode *vp)
{
mac_init_label(&vp->v_label);
- MAC_PERFORM(init_vnode, vp, &vp->v_label);
+ MAC_PERFORM(init_vnode_label, &vp->v_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacvnodes, 1);
#endif
@@ -1510,7 +1528,7 @@ void
mac_destroy_vnode(struct vnode *vp)
{
- MAC_PERFORM(destroy_vnode, vp, &vp->v_label);
+ MAC_PERFORM(destroy_vnode_label, &vp->v_label);
mac_destroy_label(&vp->v_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacvnodes, 1);
@@ -1522,7 +1540,7 @@ mac_init_devfsdirent(struct devfs_dirent *de)
{
mac_init_label(&de->de_label);
- MAC_PERFORM(init_devfsdirent, de, &de->de_label);
+ MAC_PERFORM(init_devfsdirent_label, &de->de_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacdevfsdirents, 1);
#endif
@@ -1532,7 +1550,7 @@ void
mac_destroy_devfsdirent(struct devfs_dirent *de)
{
- MAC_PERFORM(destroy_devfsdirent, de, &de->de_label);
+ MAC_PERFORM(destroy_devfsdirent_label, &de->de_label);
mac_destroy_label(&de->de_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacdevfsdirents, 1);
diff --git a/sys/security/mac/mac_pipe.c b/sys/security/mac/mac_pipe.c
index 2c07abe..cfe6670 100644
--- a/sys/security/mac/mac_pipe.c
+++ b/sys/security/mac/mac_pipe.c
@@ -394,92 +394,108 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_syscall =
mpe->mpe_function;
break;
- case MAC_INIT_BPFDESC:
- mpc->mpc_ops->mpo_init_bpfdesc =
+ case MAC_INIT_BPFDESC_LABEL:
+ mpc->mpc_ops->mpo_init_bpfdesc_label =
mpe->mpe_function;
break;
- case MAC_INIT_CRED:
- mpc->mpc_ops->mpo_init_cred =
+ case MAC_INIT_CRED_LABEL:
+ mpc->mpc_ops->mpo_init_cred_label =
mpe->mpe_function;
break;
- case MAC_INIT_DEVFSDIRENT:
- mpc->mpc_ops->mpo_init_devfsdirent =
+ case MAC_INIT_DEVFSDIRENT_LABEL:
+ mpc->mpc_ops->mpo_init_devfsdirent_label =
mpe->mpe_function;
break;
- case MAC_INIT_IFNET:
- mpc->mpc_ops->mpo_init_ifnet =
+ case MAC_INIT_IFNET_LABEL:
+ mpc->mpc_ops->mpo_init_ifnet_label =
mpe->mpe_function;
break;
- case MAC_INIT_IPQ:
- mpc->mpc_ops->mpo_init_ipq =
+ case MAC_INIT_IPQ_LABEL:
+ mpc->mpc_ops->mpo_init_ipq_label =
mpe->mpe_function;
break;
- case MAC_INIT_MBUF:
- mpc->mpc_ops->mpo_init_mbuf =
+ case MAC_INIT_MBUF_LABEL:
+ mpc->mpc_ops->mpo_init_mbuf_label =
mpe->mpe_function;
break;
- case MAC_INIT_MOUNT:
- mpc->mpc_ops->mpo_init_mount =
+ case MAC_INIT_MOUNT_LABEL:
+ mpc->mpc_ops->mpo_init_mount_label =
mpe->mpe_function;
break;
- case MAC_INIT_PIPE:
- mpc->mpc_ops->mpo_init_pipe =
+ case MAC_INIT_MOUNT_FS_LABEL:
+ mpc->mpc_ops->mpo_init_mount_fs_label =
mpe->mpe_function;
break;
- case MAC_INIT_SOCKET:
- mpc->mpc_ops->mpo_init_socket =
+ case MAC_INIT_PIPE_LABEL:
+ mpc->mpc_ops->mpo_init_pipe_label =
mpe->mpe_function;
break;
- case MAC_INIT_TEMP:
- mpc->mpc_ops->mpo_init_temp =
+ case MAC_INIT_SOCKET_LABEL:
+ mpc->mpc_ops->mpo_init_socket_label =
mpe->mpe_function;
break;
- case MAC_INIT_VNODE:
- mpc->mpc_ops->mpo_init_vnode =
+ case MAC_INIT_SOCKET_PEER_LABEL:
+ mpc->mpc_ops->mpo_init_socket_peer_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_BPFDESC:
- mpc->mpc_ops->mpo_destroy_bpfdesc =
+ case MAC_INIT_TEMP_LABEL:
+ mpc->mpc_ops->mpo_init_temp_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_CRED:
- mpc->mpc_ops->mpo_destroy_cred =
+ case MAC_INIT_VNODE_LABEL:
+ mpc->mpc_ops->mpo_init_vnode_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_DEVFSDIRENT:
- mpc->mpc_ops->mpo_destroy_devfsdirent =
+ case MAC_DESTROY_BPFDESC_LABEL:
+ mpc->mpc_ops->mpo_destroy_bpfdesc_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_IFNET:
- mpc->mpc_ops->mpo_destroy_ifnet =
+ case MAC_DESTROY_CRED_LABEL:
+ mpc->mpc_ops->mpo_destroy_cred_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_IPQ:
- mpc->mpc_ops->mpo_destroy_ipq =
+ case MAC_DESTROY_DEVFSDIRENT_LABEL:
+ mpc->mpc_ops->mpo_destroy_devfsdirent_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_MBUF:
- mpc->mpc_ops->mpo_destroy_mbuf =
+ case MAC_DESTROY_IFNET_LABEL:
+ mpc->mpc_ops->mpo_destroy_ifnet_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_MOUNT:
- mpc->mpc_ops->mpo_destroy_mount =
+ case MAC_DESTROY_IPQ_LABEL:
+ mpc->mpc_ops->mpo_destroy_ipq_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_PIPE:
- mpc->mpc_ops->mpo_destroy_pipe =
+ case MAC_DESTROY_MBUF_LABEL:
+ mpc->mpc_ops->mpo_destroy_mbuf_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_SOCKET:
- mpc->mpc_ops->mpo_destroy_socket =
+ case MAC_DESTROY_MOUNT_LABEL:
+ mpc->mpc_ops->mpo_destroy_mount_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_TEMP:
- mpc->mpc_ops->mpo_destroy_temp =
+ case MAC_DESTROY_MOUNT_FS_LABEL:
+ mpc->mpc_ops->mpo_destroy_mount_fs_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_VNODE:
- mpc->mpc_ops->mpo_destroy_vnode =
+ case MAC_DESTROY_PIPE_LABEL:
+ mpc->mpc_ops->mpo_destroy_pipe_label =
+ mpe->mpe_function;
+ break;
+ case MAC_DESTROY_SOCKET_LABEL:
+ mpc->mpc_ops->mpo_destroy_socket_label =
+ mpe->mpe_function;
+ break;
+ case MAC_DESTROY_SOCKET_PEER_LABEL:
+ mpc->mpc_ops->mpo_destroy_socket_peer_label =
+ mpe->mpe_function;
+ break;
+ case MAC_DESTROY_TEMP_LABEL:
+ mpc->mpc_ops->mpo_destroy_temp_label =
+ mpe->mpe_function;
+ break;
+ case MAC_DESTROY_VNODE_LABEL:
+ mpc->mpc_ops->mpo_destroy_vnode_label =
mpe->mpe_function;
break;
case MAC_EXTERNALIZE:
@@ -1290,7 +1306,7 @@ mac_init_mbuf(struct mbuf *m, int how)
/* "how" is one of M_(TRY|DONT)WAIT */
mac_init_label(&m->m_pkthdr.label);
- MAC_PERFORM(init_mbuf, m, how, &m->m_pkthdr.label);
+ MAC_PERFORM(init_mbuf_label, &m->m_pkthdr.label, how);
#ifdef MAC_DEBUG
atomic_add_int(&nmacmbufs, 1);
#endif
@@ -1301,7 +1317,7 @@ void
mac_destroy_mbuf(struct mbuf *m)
{
- MAC_PERFORM(destroy_mbuf, m, &m->m_pkthdr.label);
+ MAC_PERFORM(destroy_mbuf_label, &m->m_pkthdr.label);
mac_destroy_label(&m->m_pkthdr.label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacmbufs, 1);
@@ -1313,7 +1329,7 @@ mac_init_cred(struct ucred *cr)
{
mac_init_label(&cr->cr_label);
- MAC_PERFORM(init_cred, cr, &cr->cr_label);
+ MAC_PERFORM(init_cred_label, &cr->cr_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmaccreds, 1);
#endif
@@ -1323,7 +1339,7 @@ void
mac_destroy_cred(struct ucred *cr)
{
- MAC_PERFORM(destroy_cred, cr, &cr->cr_label);
+ MAC_PERFORM(destroy_cred_label, &cr->cr_label);
mac_destroy_label(&cr->cr_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmaccreds, 1);
@@ -1335,7 +1351,7 @@ mac_init_ifnet(struct ifnet *ifp)
{
mac_init_label(&ifp->if_label);
- MAC_PERFORM(init_ifnet, ifp, &ifp->if_label);
+ MAC_PERFORM(init_ifnet_label, &ifp->if_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacifnets, 1);
#endif
@@ -1345,7 +1361,7 @@ void
mac_destroy_ifnet(struct ifnet *ifp)
{
- MAC_PERFORM(destroy_ifnet, ifp, &ifp->if_label);
+ MAC_PERFORM(destroy_ifnet_label, &ifp->if_label);
mac_destroy_label(&ifp->if_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacifnets, 1);
@@ -1357,7 +1373,7 @@ mac_init_ipq(struct ipq *ipq)
{
mac_init_label(&ipq->ipq_label);
- MAC_PERFORM(init_ipq, ipq, &ipq->ipq_label);
+ MAC_PERFORM(init_ipq_label, &ipq->ipq_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacipqs, 1);
#endif
@@ -1367,7 +1383,7 @@ void
mac_destroy_ipq(struct ipq *ipq)
{
- MAC_PERFORM(destroy_ipq, ipq, &ipq->ipq_label);
+ MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label);
mac_destroy_label(&ipq->ipq_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacipqs, 1);
@@ -1380,8 +1396,8 @@ mac_init_socket(struct socket *socket)
mac_init_label(&socket->so_label);
mac_init_label(&socket->so_peerlabel);
- MAC_PERFORM(init_socket, socket, &socket->so_label,
- &socket->so_peerlabel);
+ MAC_PERFORM(init_socket_label, &socket->so_label);
+ MAC_PERFORM(init_socket_peer_label, &socket->so_peerlabel);
#ifdef MAC_DEBUG
atomic_add_int(&nmacsockets, 1);
#endif
@@ -1391,8 +1407,8 @@ void
mac_destroy_socket(struct socket *socket)
{
- MAC_PERFORM(destroy_socket, socket, &socket->so_label,
- &socket->so_peerlabel);
+ MAC_PERFORM(destroy_socket_label, &socket->so_label);
+ MAC_PERFORM(destroy_socket_peer_label, &socket->so_peerlabel);
mac_destroy_label(&socket->so_label);
mac_destroy_label(&socket->so_peerlabel);
#ifdef MAC_DEBUG
@@ -1409,7 +1425,7 @@ mac_init_pipe(struct pipe *pipe)
mac_init_label(label);
pipe->pipe_label = label;
pipe->pipe_peer->pipe_label = label;
- MAC_PERFORM(init_pipe, pipe, pipe->pipe_label);
+ MAC_PERFORM(init_pipe_label, pipe->pipe_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacpipes, 1);
#endif
@@ -1419,7 +1435,7 @@ void
mac_destroy_pipe(struct pipe *pipe)
{
- MAC_PERFORM(destroy_pipe, pipe, pipe->pipe_label);
+ MAC_PERFORM(destroy_pipe_label, pipe->pipe_label);
mac_destroy_label(pipe->pipe_label);
free(pipe->pipe_label, M_MACPIPELABEL);
#ifdef MAC_DEBUG
@@ -1432,7 +1448,7 @@ mac_init_bpfdesc(struct bpf_d *bpf_d)
{
mac_init_label(&bpf_d->bd_label);
- MAC_PERFORM(init_bpfdesc, bpf_d, &bpf_d->bd_label);
+ MAC_PERFORM(init_bpfdesc_label, &bpf_d->bd_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacbpfdescs, 1);
#endif
@@ -1442,7 +1458,7 @@ void
mac_destroy_bpfdesc(struct bpf_d *bpf_d)
{
- MAC_PERFORM(destroy_bpfdesc, bpf_d, &bpf_d->bd_label);
+ MAC_PERFORM(destroy_bpfdesc_label, &bpf_d->bd_label);
mac_destroy_label(&bpf_d->bd_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacbpfdescs, 1);
@@ -1455,7 +1471,8 @@ mac_init_mount(struct mount *mp)
mac_init_label(&mp->mnt_mntlabel);
mac_init_label(&mp->mnt_fslabel);
- MAC_PERFORM(init_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel);
+ MAC_PERFORM(init_mount_label, &mp->mnt_mntlabel);
+ MAC_PERFORM(init_mount_fs_label, &mp->mnt_fslabel);
#ifdef MAC_DEBUG
atomic_add_int(&nmacmounts, 1);
#endif
@@ -1465,7 +1482,8 @@ void
mac_destroy_mount(struct mount *mp)
{
- MAC_PERFORM(destroy_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel);
+ MAC_PERFORM(destroy_mount_label, &mp->mnt_mntlabel);
+ MAC_PERFORM(destroy_mount_fs_label, &mp->mnt_fslabel);
mac_destroy_label(&mp->mnt_fslabel);
mac_destroy_label(&mp->mnt_mntlabel);
#ifdef MAC_DEBUG
@@ -1478,7 +1496,7 @@ mac_init_temp(struct label *label)
{
mac_init_label(label);
- MAC_PERFORM(init_temp, label);
+ MAC_PERFORM(init_temp_label, label);
#ifdef MAC_DEBUG
atomic_add_int(&nmactemp, 1);
#endif
@@ -1488,7 +1506,7 @@ static void
mac_destroy_temp(struct label *label)
{
- MAC_PERFORM(destroy_temp, label);
+ MAC_PERFORM(destroy_temp_label, label);
mac_destroy_label(label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmactemp, 1);
@@ -1500,7 +1518,7 @@ mac_init_vnode(struct vnode *vp)
{
mac_init_label(&vp->v_label);
- MAC_PERFORM(init_vnode, vp, &vp->v_label);
+ MAC_PERFORM(init_vnode_label, &vp->v_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacvnodes, 1);
#endif
@@ -1510,7 +1528,7 @@ void
mac_destroy_vnode(struct vnode *vp)
{
- MAC_PERFORM(destroy_vnode, vp, &vp->v_label);
+ MAC_PERFORM(destroy_vnode_label, &vp->v_label);
mac_destroy_label(&vp->v_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacvnodes, 1);
@@ -1522,7 +1540,7 @@ mac_init_devfsdirent(struct devfs_dirent *de)
{
mac_init_label(&de->de_label);
- MAC_PERFORM(init_devfsdirent, de, &de->de_label);
+ MAC_PERFORM(init_devfsdirent_label, &de->de_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacdevfsdirents, 1);
#endif
@@ -1532,7 +1550,7 @@ void
mac_destroy_devfsdirent(struct devfs_dirent *de)
{
- MAC_PERFORM(destroy_devfsdirent, de, &de->de_label);
+ MAC_PERFORM(destroy_devfsdirent_label, &de->de_label);
mac_destroy_label(&de->de_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacdevfsdirents, 1);
diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h
index 52fee33..a54e925 100644
--- a/sys/security/mac/mac_policy.h
+++ b/sys/security/mac/mac_policy.h
@@ -72,34 +72,33 @@ struct mac_policy_ops {
/*
* Label operations.
*/
- void (*mpo_init_bpfdesc)(struct bpf_d *, struct label *label);
- void (*mpo_init_cred)(struct ucred *, struct label *label);
- void (*mpo_init_devfsdirent)(struct devfs_dirent *,
- struct label *label);
- void (*mpo_init_ifnet)(struct ifnet *, struct label *label);
- void (*mpo_init_ipq)(struct ipq *ipq, struct label *label);
- int (*mpo_init_mbuf)(struct mbuf *, int how, struct label *label);
- void (*mpo_init_mount)(struct mount *, struct label *mntlabel,
- struct label *fslabel);
- void (*mpo_init_socket)(struct socket *so, struct label *label,
- struct label *peerlabel);
- void (*mpo_init_pipe)(struct pipe *pipe, struct label *label);
- void (*mpo_init_temp)(struct label *label);
- void (*mpo_init_vnode)(struct vnode *, struct label *label);
- void (*mpo_destroy_bpfdesc)(struct bpf_d *, struct label *label);
- void (*mpo_destroy_cred)(struct ucred *, struct label *label);
- void (*mpo_destroy_devfsdirent)(struct devfs_dirent *de,
- struct label *label);
- void (*mpo_destroy_ifnet)(struct ifnet *, struct label *label);
- void (*mpo_destroy_ipq)(struct ipq *ipq, struct label *label);
- void (*mpo_destroy_mbuf)(struct mbuf *, struct label *label);
- void (*mpo_destroy_mount)(struct mount *, struct label *mntlabel,
- struct label *fslabel);
- void (*mpo_destroy_socket)(struct socket *so, struct label *label,
- struct label *peerlabel);
- void (*mpo_destroy_pipe)(struct pipe *pipe, struct label *label);
- void (*mpo_destroy_temp)(struct label *label);
- void (*mpo_destroy_vnode)(struct vnode *, struct label *label);
+ void (*mpo_init_bpfdesc_label)(struct label *label);
+ void (*mpo_init_cred_label)(struct label *label);
+ void (*mpo_init_devfsdirent_label)(struct label *label);
+ void (*mpo_init_ifnet_label)(struct label *label);
+ void (*mpo_init_ipq_label)(struct label *label);
+ int (*mpo_init_mbuf_label)(struct label *label, int flag);
+ void (*mpo_init_mount_label)(struct label *label);
+ void (*mpo_init_mount_fs_label)(struct label *label);
+ void (*mpo_init_socket_label)(struct label *label);
+ void (*mpo_init_socket_peer_label)(struct label *label);
+ void (*mpo_init_pipe_label)(struct label *label);
+ void (*mpo_init_temp_label)(struct label *label);
+ void (*mpo_init_vnode_label)(struct label *label);
+ void (*mpo_destroy_bpfdesc_label)(struct label *label);
+ void (*mpo_destroy_cred_label)(struct label *label);
+ void (*mpo_destroy_devfsdirent_label)(struct label *label);
+ void (*mpo_destroy_ifnet_label)(struct label *label);
+ void (*mpo_destroy_ipq_label)(struct label *label);
+ void (*mpo_destroy_mbuf_label)(struct label *label);
+ void (*mpo_destroy_mount_label)(struct label *label);
+ void (*mpo_destroy_mount_fs_label)(struct label *label);
+ void (*mpo_destroy_socket_label)(struct label *label);
+ void (*mpo_destroy_socket_peer_label)(struct label *label);
+ void (*mpo_destroy_pipe_label)(struct label *label);
+ void (*mpo_destroy_temp_label)(struct label *label);
+ void (*mpo_destroy_vnode_label)(struct label *label);
+
int (*mpo_externalize)(struct label *label, struct mac *extmac);
int (*mpo_internalize)(struct label *label, struct mac *extmac);
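Review bot: The `Label operations.` comment no longer tells a policy author what these hooks are given. Every init/destroy entry point now receives only the `struct label *`, and `mpo_init_mbuf_label` is the single hook that returns `int` and takes a second argument, named `flag` here while mac_init_mbuf calls it `how`. I would extend the comment to `/* Label operations. Init/destroy hooks see only the label, not the labelled object; mpo_init_mbuf_label also receives the M_(TRY|DONT)WAIT flag. */` and rename the parameter to `how` so the declaration matches its caller. struct mac_policy_ops continues outside the hunk.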
@@ -355,28 +354,32 @@ enum mac_op_constant {
MAC_DESTROY,
MAC_INIT,
MAC_SYSCALL,
- MAC_INIT_BPFDESC,
- MAC_INIT_CRED,
- MAC_INIT_DEVFSDIRENT,
- MAC_INIT_IFNET,
- MAC_INIT_IPQ,
- MAC_INIT_MBUF,
- MAC_INIT_MOUNT,
- MAC_INIT_PIPE,
- MAC_INIT_SOCKET,
- MAC_INIT_TEMP,
- MAC_INIT_VNODE,
- MAC_DESTROY_BPFDESC,
- MAC_DESTROY_CRED,
- MAC_DESTROY_DEVFSDIRENT,
- MAC_DESTROY_IFNET,
- MAC_DESTROY_IPQ,
- MAC_DESTROY_MBUF,
- MAC_DESTROY_MOUNT,
- MAC_DESTROY_PIPE,
- MAC_DESTROY_SOCKET,
- MAC_DESTROY_TEMP,
- MAC_DESTROY_VNODE,
+ MAC_INIT_BPFDESC_LABEL,
+ MAC_INIT_CRED_LABEL,
+ MAC_INIT_DEVFSDIRENT_LABEL,
+ MAC_INIT_IFNET_LABEL,
+ MAC_INIT_IPQ_LABEL,
+ MAC_INIT_MBUF_LABEL,
+ MAC_INIT_MOUNT_LABEL,
+ MAC_INIT_MOUNT_FS_LABEL,
+ MAC_INIT_PIPE_LABEL,
+ MAC_INIT_SOCKET_LABEL,
+ MAC_INIT_SOCKET_PEER_LABEL,
+ MAC_INIT_TEMP_LABEL,
+ MAC_INIT_VNODE_LABEL,
+ MAC_DESTROY_BPFDESC_LABEL,
+ MAC_DESTROY_CRED_LABEL,
+ MAC_DESTROY_DEVFSDIRENT_LABEL,
+ MAC_DESTROY_IFNET_LABEL,
+ MAC_DESTROY_IPQ_LABEL,
+ MAC_DESTROY_MBUF_LABEL,
+ MAC_DESTROY_MOUNT_LABEL,
+ MAC_DESTROY_MOUNT_FS_LABEL,
+ MAC_DESTROY_PIPE_LABEL,
+ MAC_DESTROY_SOCKET_LABEL,
+ MAC_DESTROY_SOCKET_PEER_LABEL,
+ MAC_DESTROY_TEMP_LABEL,
+ MAC_DESTROY_VNODE_LABEL,
MAC_EXTERNALIZE,
MAC_INTERNALIZE,
MAC_CREATE_DEVFS_DEVICE,
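Review bot: Inserting `MAC_INIT_MOUNT_FS_LABEL`, `MAC_INIT_SOCKET_PEER_LABEL` and the two matching destroy constants in the middle of `enum mac_op_constant` renumbers every constant from `MAC_INIT_PIPE_LABEL` onward. The switch in mac_policy_register dispatches on these values and stores `mpe->mpe_function` into the matching slot, so a policy module built against the old header would presumably have its hooks bound to different entry points, whose argument lists this commit also changes. Nothing visible in the hunk rejects such a module. A comment above the block would at least record the constraint: `/* Inserting constants renumbers later entries: policy modules must be rebuilt against this header. */`. The enum continues outside the hunk.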
diff --git a/sys/security/mac/mac_process.c b/sys/security/mac/mac_process.c
index 2c07abe..cfe6670 100644
--- a/sys/security/mac/mac_process.c
+++ b/sys/security/mac/mac_process.c
@@ -394,92 +394,108 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_syscall =
mpe->mpe_function;
break;
- case MAC_INIT_BPFDESC:
- mpc->mpc_ops->mpo_init_bpfdesc =
+ case MAC_INIT_BPFDESC_LABEL:
+ mpc->mpc_ops->mpo_init_bpfdesc_label =
mpe->mpe_function;
break;
- case MAC_INIT_CRED:
- mpc->mpc_ops->mpo_init_cred =
+ case MAC_INIT_CRED_LABEL:
+ mpc->mpc_ops->mpo_init_cred_label =
mpe->mpe_function;
break;
- case MAC_INIT_DEVFSDIRENT:
- mpc->mpc_ops->mpo_init_devfsdirent =
+ case MAC_INIT_DEVFSDIRENT_LABEL:
+ mpc->mpc_ops->mpo_init_devfsdirent_label =
mpe->mpe_function;
break;
- case MAC_INIT_IFNET:
- mpc->mpc_ops->mpo_init_ifnet =
+ case MAC_INIT_IFNET_LABEL:
+ mpc->mpc_ops->mpo_init_ifnet_label =
mpe->mpe_function;
break;
- case MAC_INIT_IPQ:
- mpc->mpc_ops->mpo_init_ipq =
+ case MAC_INIT_IPQ_LABEL:
+ mpc->mpc_ops->mpo_init_ipq_label =
mpe->mpe_function;
break;
- case MAC_INIT_MBUF:
- mpc->mpc_ops->mpo_init_mbuf =
+ case MAC_INIT_MBUF_LABEL:
+ mpc->mpc_ops->mpo_init_mbuf_label =
mpe->mpe_function;
break;
- case MAC_INIT_MOUNT:
- mpc->mpc_ops->mpo_init_mount =
+ case MAC_INIT_MOUNT_LABEL:
+ mpc->mpc_ops->mpo_init_mount_label =
mpe->mpe_function;
break;
- case MAC_INIT_PIPE:
- mpc->mpc_ops->mpo_init_pipe =
+ case MAC_INIT_MOUNT_FS_LABEL:
+ mpc->mpc_ops->mpo_init_mount_fs_label =
mpe->mpe_function;
break;
- case MAC_INIT_SOCKET:
- mpc->mpc_ops->mpo_init_socket =
+ case MAC_INIT_PIPE_LABEL:
+ mpc->mpc_ops->mpo_init_pipe_label =
mpe->mpe_function;
break;
- case MAC_INIT_TEMP:
- mpc->mpc_ops->mpo_init_temp =
+ case MAC_INIT_SOCKET_LABEL:
+ mpc->mpc_ops->mpo_init_socket_label =
mpe->mpe_function;
break;
- case MAC_INIT_VNODE:
- mpc->mpc_ops->mpo_init_vnode =
+ case MAC_INIT_SOCKET_PEER_LABEL:
+ mpc->mpc_ops->mpo_init_socket_peer_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_BPFDESC:
- mpc->mpc_ops->mpo_destroy_bpfdesc =
+ case MAC_INIT_TEMP_LABEL:
+ mpc->mpc_ops->mpo_init_temp_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_CRED:
- mpc->mpc_ops->mpo_destroy_cred =
+ case MAC_INIT_VNODE_LABEL:
+ mpc->mpc_ops->mpo_init_vnode_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_DEVFSDIRENT:
- mpc->mpc_ops->mpo_destroy_devfsdirent =
+ case MAC_DESTROY_BPFDESC_LABEL:
+ mpc->mpc_ops->mpo_destroy_bpfdesc_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_IFNET:
- mpc->mpc_ops->mpo_destroy_ifnet =
+ case MAC_DESTROY_CRED_LABEL:
+ mpc->mpc_ops->mpo_destroy_cred_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_IPQ:
- mpc->mpc_ops->mpo_destroy_ipq =
+ case MAC_DESTROY_DEVFSDIRENT_LABEL:
+ mpc->mpc_ops->mpo_destroy_devfsdirent_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_MBUF:
- mpc->mpc_ops->mpo_destroy_mbuf =
+ case MAC_DESTROY_IFNET_LABEL:
+ mpc->mpc_ops->mpo_destroy_ifnet_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_MOUNT:
- mpc->mpc_ops->mpo_destroy_mount =
+ case MAC_DESTROY_IPQ_LABEL:
+ mpc->mpc_ops->mpo_destroy_ipq_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_PIPE:
- mpc->mpc_ops->mpo_destroy_pipe =
+ case MAC_DESTROY_MBUF_LABEL:
+ mpc->mpc_ops->mpo_destroy_mbuf_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_SOCKET:
- mpc->mpc_ops->mpo_destroy_socket =
+ case MAC_DESTROY_MOUNT_LABEL:
+ mpc->mpc_ops->mpo_destroy_mount_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_TEMP:
- mpc->mpc_ops->mpo_destroy_temp =
+ case MAC_DESTROY_MOUNT_FS_LABEL:
+ mpc->mpc_ops->mpo_destroy_mount_fs_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_VNODE:
- mpc->mpc_ops->mpo_destroy_vnode =
+ case MAC_DESTROY_PIPE_LABEL:
+ mpc->mpc_ops->mpo_destroy_pipe_label =
+ mpe->mpe_function;
+ break;
+ case MAC_DESTROY_SOCKET_LABEL:
+ mpc->mpc_ops->mpo_destroy_socket_label =
+ mpe->mpe_function;
+ break;
+ case MAC_DESTROY_SOCKET_PEER_LABEL:
+ mpc->mpc_ops->mpo_destroy_socket_peer_label =
+ mpe->mpe_function;
+ break;
+ case MAC_DESTROY_TEMP_LABEL:
+ mpc->mpc_ops->mpo_destroy_temp_label =
+ mpe->mpe_function;
+ break;
+ case MAC_DESTROY_VNODE_LABEL:
+ mpc->mpc_ops->mpo_destroy_vnode_label =
mpe->mpe_function;
break;
case MAC_EXTERNALIZE:
@@ -1290,7 +1306,7 @@ mac_init_mbuf(struct mbuf *m, int how)
/* "how" is one of M_(TRY|DONT)WAIT */
mac_init_label(&m->m_pkthdr.label);
- MAC_PERFORM(init_mbuf, m, how, &m->m_pkthdr.label);
+ MAC_PERFORM(init_mbuf_label, &m->m_pkthdr.label, how);
#ifdef MAC_DEBUG
atomic_add_int(&nmacmbufs, 1);
#endif
@@ -1301,7 +1317,7 @@ void
mac_destroy_mbuf(struct mbuf *m)
{
- MAC_PERFORM(destroy_mbuf, m, &m->m_pkthdr.label);
+ MAC_PERFORM(destroy_mbuf_label, &m->m_pkthdr.label);
mac_destroy_label(&m->m_pkthdr.label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacmbufs, 1);
@@ -1313,7 +1329,7 @@ mac_init_cred(struct ucred *cr)
{
mac_init_label(&cr->cr_label);
- MAC_PERFORM(init_cred, cr, &cr->cr_label);
+ MAC_PERFORM(init_cred_label, &cr->cr_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmaccreds, 1);
#endif
@@ -1323,7 +1339,7 @@ void
mac_destroy_cred(struct ucred *cr)
{
- MAC_PERFORM(destroy_cred, cr, &cr->cr_label);
+ MAC_PERFORM(destroy_cred_label, &cr->cr_label);
mac_destroy_label(&cr->cr_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmaccreds, 1);
@@ -1335,7 +1351,7 @@ mac_init_ifnet(struct ifnet *ifp)
{
mac_init_label(&ifp->if_label);
- MAC_PERFORM(init_ifnet, ifp, &ifp->if_label);
+ MAC_PERFORM(init_ifnet_label, &ifp->if_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacifnets, 1);
#endif
@@ -1345,7 +1361,7 @@ void
mac_destroy_ifnet(struct ifnet *ifp)
{
- MAC_PERFORM(destroy_ifnet, ifp, &ifp->if_label);
+ MAC_PERFORM(destroy_ifnet_label, &ifp->if_label);
mac_destroy_label(&ifp->if_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacifnets, 1);
@@ -1357,7 +1373,7 @@ mac_init_ipq(struct ipq *ipq)
{
mac_init_label(&ipq->ipq_label);
- MAC_PERFORM(init_ipq, ipq, &ipq->ipq_label);
+ MAC_PERFORM(init_ipq_label, &ipq->ipq_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacipqs, 1);
#endif
@@ -1367,7 +1383,7 @@ void
mac_destroy_ipq(struct ipq *ipq)
{
- MAC_PERFORM(destroy_ipq, ipq, &ipq->ipq_label);
+ MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label);
mac_destroy_label(&ipq->ipq_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacipqs, 1);
@@ -1380,8 +1396,8 @@ mac_init_socket(struct socket *socket)
mac_init_label(&socket->so_label);
mac_init_label(&socket->so_peerlabel);
- MAC_PERFORM(init_socket, socket, &socket->so_label,
- &socket->so_peerlabel);
+ MAC_PERFORM(init_socket_label, &socket->so_label);
+ MAC_PERFORM(init_socket_peer_label, &socket->so_peerlabel);
#ifdef MAC_DEBUG
atomic_add_int(&nmacsockets, 1);
#endif
@@ -1391,8 +1407,8 @@ void
mac_destroy_socket(struct socket *socket)
{
- MAC_PERFORM(destroy_socket, socket, &socket->so_label,
- &socket->so_peerlabel);
+ MAC_PERFORM(destroy_socket_label, &socket->so_label);
+ MAC_PERFORM(destroy_socket_peer_label, &socket->so_peerlabel);
mac_destroy_label(&socket->so_label);
mac_destroy_label(&socket->so_peerlabel);
#ifdef MAC_DEBUG
@@ -1409,7 +1425,7 @@ mac_init_pipe(struct pipe *pipe)
mac_init_label(label);
pipe->pipe_label = label;
pipe->pipe_peer->pipe_label = label;
- MAC_PERFORM(init_pipe, pipe, pipe->pipe_label);
+ MAC_PERFORM(init_pipe_label, pipe->pipe_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacpipes, 1);
#endif
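Review bot: `init_pipe_label` now receives only `pipe->pipe_label`, and the two context lines above it assign that same label to `pipe->pipe_peer`, so a policy author can no longer tell from the arguments that one label serves both endpoints of the pipe. That sharing is worth documenting at the call, for example `/* One label is shared by both pipe endpoints; policies see it once. */`, since a policy that keeps per-endpoint state in the label would be wrong without knowing it. The same hunk recurs in the mac_syscalls.c, mac_system.c and mac_vfs.c sections, and mac_init_pipe's body starts outside the hunk.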
@@ -1419,7 +1435,7 @@ void
mac_destroy_pipe(struct pipe *pipe)
{
- MAC_PERFORM(destroy_pipe, pipe, pipe->pipe_label);
+ MAC_PERFORM(destroy_pipe_label, pipe->pipe_label);
mac_destroy_label(pipe->pipe_label);
free(pipe->pipe_label, M_MACPIPELABEL);
#ifdef MAC_DEBUG
@@ -1432,7 +1448,7 @@ mac_init_bpfdesc(struct bpf_d *bpf_d)
{
mac_init_label(&bpf_d->bd_label);
- MAC_PERFORM(init_bpfdesc, bpf_d, &bpf_d->bd_label);
+ MAC_PERFORM(init_bpfdesc_label, &bpf_d->bd_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacbpfdescs, 1);
#endif
@@ -1442,7 +1458,7 @@ void
mac_destroy_bpfdesc(struct bpf_d *bpf_d)
{
- MAC_PERFORM(destroy_bpfdesc, bpf_d, &bpf_d->bd_label);
+ MAC_PERFORM(destroy_bpfdesc_label, &bpf_d->bd_label);
mac_destroy_label(&bpf_d->bd_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacbpfdescs, 1);
@@ -1455,7 +1471,8 @@ mac_init_mount(struct mount *mp)
mac_init_label(&mp->mnt_mntlabel);
mac_init_label(&mp->mnt_fslabel);
- MAC_PERFORM(init_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel);
+ MAC_PERFORM(init_mount_label, &mp->mnt_mntlabel);
+ MAC_PERFORM(init_mount_fs_label, &mp->mnt_fslabel);
#ifdef MAC_DEBUG
atomic_add_int(&nmacmounts, 1);
#endif
@@ -1465,7 +1482,8 @@ void
mac_destroy_mount(struct mount *mp)
{
- MAC_PERFORM(destroy_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel);
+ MAC_PERFORM(destroy_mount_label, &mp->mnt_mntlabel);
+ MAC_PERFORM(destroy_mount_fs_label, &mp->mnt_fslabel);
mac_destroy_label(&mp->mnt_fslabel);
mac_destroy_label(&mp->mnt_mntlabel);
#ifdef MAC_DEBUG
@@ -1478,7 +1496,7 @@ mac_init_temp(struct label *label)
{
mac_init_label(label);
- MAC_PERFORM(init_temp, label);
+ MAC_PERFORM(init_temp_label, label);
#ifdef MAC_DEBUG
atomic_add_int(&nmactemp, 1);
#endif
@@ -1488,7 +1506,7 @@ static void
mac_destroy_temp(struct label *label)
{
- MAC_PERFORM(destroy_temp, label);
+ MAC_PERFORM(destroy_temp_label, label);
mac_destroy_label(label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmactemp, 1);
@@ -1500,7 +1518,7 @@ mac_init_vnode(struct vnode *vp)
{
mac_init_label(&vp->v_label);
- MAC_PERFORM(init_vnode, vp, &vp->v_label);
+ MAC_PERFORM(init_vnode_label, &vp->v_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacvnodes, 1);
#endif
@@ -1510,7 +1528,7 @@ void
mac_destroy_vnode(struct vnode *vp)
{
- MAC_PERFORM(destroy_vnode, vp, &vp->v_label);
+ MAC_PERFORM(destroy_vnode_label, &vp->v_label);
mac_destroy_label(&vp->v_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacvnodes, 1);
@@ -1522,7 +1540,7 @@ mac_init_devfsdirent(struct devfs_dirent *de)
{
mac_init_label(&de->de_label);
- MAC_PERFORM(init_devfsdirent, de, &de->de_label);
+ MAC_PERFORM(init_devfsdirent_label, &de->de_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacdevfsdirents, 1);
#endif
@@ -1532,7 +1550,7 @@ void
mac_destroy_devfsdirent(struct devfs_dirent *de)
{
- MAC_PERFORM(destroy_devfsdirent, de, &de->de_label);
+ MAC_PERFORM(destroy_devfsdirent_label, &de->de_label);
mac_destroy_label(&de->de_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacdevfsdirents, 1);
diff --git a/sys/security/mac/mac_syscalls.c b/sys/security/mac/mac_syscalls.c
index 2c07abe..cfe6670 100644
--- a/sys/security/mac/mac_syscalls.c
+++ b/sys/security/mac/mac_syscalls.c
@@ -394,92 +394,108 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_syscall =
mpe->mpe_function;
break;
- case MAC_INIT_BPFDESC:
- mpc->mpc_ops->mpo_init_bpfdesc =
+ case MAC_INIT_BPFDESC_LABEL:
+ mpc->mpc_ops->mpo_init_bpfdesc_label =
mpe->mpe_function;
break;
- case MAC_INIT_CRED:
- mpc->mpc_ops->mpo_init_cred =
+ case MAC_INIT_CRED_LABEL:
+ mpc->mpc_ops->mpo_init_cred_label =
mpe->mpe_function;
break;
- case MAC_INIT_DEVFSDIRENT:
- mpc->mpc_ops->mpo_init_devfsdirent =
+ case MAC_INIT_DEVFSDIRENT_LABEL:
+ mpc->mpc_ops->mpo_init_devfsdirent_label =
mpe->mpe_function;
break;
- case MAC_INIT_IFNET:
- mpc->mpc_ops->mpo_init_ifnet =
+ case MAC_INIT_IFNET_LABEL:
+ mpc->mpc_ops->mpo_init_ifnet_label =
mpe->mpe_function;
break;
- case MAC_INIT_IPQ:
- mpc->mpc_ops->mpo_init_ipq =
+ case MAC_INIT_IPQ_LABEL:
+ mpc->mpc_ops->mpo_init_ipq_label =
mpe->mpe_function;
break;
- case MAC_INIT_MBUF:
- mpc->mpc_ops->mpo_init_mbuf =
+ case MAC_INIT_MBUF_LABEL:
+ mpc->mpc_ops->mpo_init_mbuf_label =
mpe->mpe_function;
break;
- case MAC_INIT_MOUNT:
- mpc->mpc_ops->mpo_init_mount =
+ case MAC_INIT_MOUNT_LABEL:
+ mpc->mpc_ops->mpo_init_mount_label =
mpe->mpe_function;
break;
- case MAC_INIT_PIPE:
- mpc->mpc_ops->mpo_init_pipe =
+ case MAC_INIT_MOUNT_FS_LABEL:
+ mpc->mpc_ops->mpo_init_mount_fs_label =
mpe->mpe_function;
break;
- case MAC_INIT_SOCKET:
- mpc->mpc_ops->mpo_init_socket =
+ case MAC_INIT_PIPE_LABEL:
+ mpc->mpc_ops->mpo_init_pipe_label =
mpe->mpe_function;
break;
- case MAC_INIT_TEMP:
- mpc->mpc_ops->mpo_init_temp =
+ case MAC_INIT_SOCKET_LABEL:
+ mpc->mpc_ops->mpo_init_socket_label =
mpe->mpe_function;
break;
- case MAC_INIT_VNODE:
- mpc->mpc_ops->mpo_init_vnode =
+ case MAC_INIT_SOCKET_PEER_LABEL:
+ mpc->mpc_ops->mpo_init_socket_peer_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_BPFDESC:
- mpc->mpc_ops->mpo_destroy_bpfdesc =
+ case MAC_INIT_TEMP_LABEL:
+ mpc->mpc_ops->mpo_init_temp_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_CRED:
- mpc->mpc_ops->mpo_destroy_cred =
+ case MAC_INIT_VNODE_LABEL:
+ mpc->mpc_ops->mpo_init_vnode_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_DEVFSDIRENT:
- mpc->mpc_ops->mpo_destroy_devfsdirent =
+ case MAC_DESTROY_BPFDESC_LABEL:
+ mpc->mpc_ops->mpo_destroy_bpfdesc_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_IFNET:
- mpc->mpc_ops->mpo_destroy_ifnet =
+ case MAC_DESTROY_CRED_LABEL:
+ mpc->mpc_ops->mpo_destroy_cred_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_IPQ:
- mpc->mpc_ops->mpo_destroy_ipq =
+ case MAC_DESTROY_DEVFSDIRENT_LABEL:
+ mpc->mpc_ops->mpo_destroy_devfsdirent_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_MBUF:
- mpc->mpc_ops->mpo_destroy_mbuf =
+ case MAC_DESTROY_IFNET_LABEL:
+ mpc->mpc_ops->mpo_destroy_ifnet_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_MOUNT:
- mpc->mpc_ops->mpo_destroy_mount =
+ case MAC_DESTROY_IPQ_LABEL:
+ mpc->mpc_ops->mpo_destroy_ipq_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_PIPE:
- mpc->mpc_ops->mpo_destroy_pipe =
+ case MAC_DESTROY_MBUF_LABEL:
+ mpc->mpc_ops->mpo_destroy_mbuf_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_SOCKET:
- mpc->mpc_ops->mpo_destroy_socket =
+ case MAC_DESTROY_MOUNT_LABEL:
+ mpc->mpc_ops->mpo_destroy_mount_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_TEMP:
- mpc->mpc_ops->mpo_destroy_temp =
+ case MAC_DESTROY_MOUNT_FS_LABEL:
+ mpc->mpc_ops->mpo_destroy_mount_fs_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_VNODE:
- mpc->mpc_ops->mpo_destroy_vnode =
+ case MAC_DESTROY_PIPE_LABEL:
+ mpc->mpc_ops->mpo_destroy_pipe_label =
+ mpe->mpe_function;
+ break;
+ case MAC_DESTROY_SOCKET_LABEL:
+ mpc->mpc_ops->mpo_destroy_socket_label =
+ mpe->mpe_function;
+ break;
+ case MAC_DESTROY_SOCKET_PEER_LABEL:
+ mpc->mpc_ops->mpo_destroy_socket_peer_label =
+ mpe->mpe_function;
+ break;
+ case MAC_DESTROY_TEMP_LABEL:
+ mpc->mpc_ops->mpo_destroy_temp_label =
+ mpe->mpe_function;
+ break;
+ case MAC_DESTROY_VNODE_LABEL:
+ mpc->mpc_ops->mpo_destroy_vnode_label =
mpe->mpe_function;
break;
case MAC_EXTERNALIZE:
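Review bot: Every case in this switch stores the same `mpe->mpe_function` into an ops slot, including `mpo_init_mbuf_label`, whose call site now passes `(label, how)` where the old one passed `(m, how, label)`, so nothing in this hunk checks that a registered function matches the new argument list. A policy module built against the previous header would presumably carry the old constants and signatures, and whichever slot it lands in would be called with a label pointer where it expects the object, which in a MAC framework means labels read or written through the wrong pointer. I would pair the rename with a framework version check at registration (it may already exist outside this hunk) and add a comment above the switch such as `/* Entry points take only the label; policy modules must be rebuilt against the new mac_policy.h. */`. The same hunk is repeated for mac_system.c and mac_vfs.c, and mac_policy_register's body starts and ends outside the hunk.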
@@ -1290,7 +1306,7 @@ mac_init_mbuf(struct mbuf *m, int how)
/* "how" is one of M_(TRY|DONT)WAIT */
mac_init_label(&m->m_pkthdr.label);
- MAC_PERFORM(init_mbuf, m, how, &m->m_pkthdr.label);
+ MAC_PERFORM(init_mbuf_label, &m->m_pkthdr.label, how);
#ifdef MAC_DEBUG
atomic_add_int(&nmacmbufs, 1);
#endif
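Review bot: `init_mbuf_label` is handed `how`, which the comment above says is M_TRYWAIT or M_DONTWAIT, but the call goes through MAC_PERFORM as a plain statement, so a policy whose non-sleeping allocation fails has no way to report it from here. If MAC_PERFORM discards entry-point results (its definition is outside this hunk), the mbuf would go on carrying a label that a policy never finished initializing, and later checks would run against whatever mac_init_label left there. Either collect an error from the policies and unwind with `destroy_mbuf_label` and `mac_destroy_label` on failure, or state the contract next to the call: `/* Policies must not fail here; no error is propagated to the caller. */`. The same call appears in the mac_system.c and mac_vfs.c hunks, and mac_init_mbuf's body continues outside the hunk.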
@@ -1301,7 +1317,7 @@ void
mac_destroy_mbuf(struct mbuf *m)
{
- MAC_PERFORM(destroy_mbuf, m, &m->m_pkthdr.label);
+ MAC_PERFORM(destroy_mbuf_label, &m->m_pkthdr.label);
mac_destroy_label(&m->m_pkthdr.label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacmbufs, 1);
@@ -1313,7 +1329,7 @@ mac_init_cred(struct ucred *cr)
{
mac_init_label(&cr->cr_label);
- MAC_PERFORM(init_cred, cr, &cr->cr_label);
+ MAC_PERFORM(init_cred_label, &cr->cr_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmaccreds, 1);
#endif
@@ -1323,7 +1339,7 @@ void
mac_destroy_cred(struct ucred *cr)
{
- MAC_PERFORM(destroy_cred, cr, &cr->cr_label);
+ MAC_PERFORM(destroy_cred_label, &cr->cr_label);
mac_destroy_label(&cr->cr_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmaccreds, 1);
@@ -1335,7 +1351,7 @@ mac_init_ifnet(struct ifnet *ifp)
{
mac_init_label(&ifp->if_label);
- MAC_PERFORM(init_ifnet, ifp, &ifp->if_label);
+ MAC_PERFORM(init_ifnet_label, &ifp->if_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacifnets, 1);
#endif
@@ -1345,7 +1361,7 @@ void
mac_destroy_ifnet(struct ifnet *ifp)
{
- MAC_PERFORM(destroy_ifnet, ifp, &ifp->if_label);
+ MAC_PERFORM(destroy_ifnet_label, &ifp->if_label);
mac_destroy_label(&ifp->if_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacifnets, 1);
@@ -1357,7 +1373,7 @@ mac_init_ipq(struct ipq *ipq)
{
mac_init_label(&ipq->ipq_label);
- MAC_PERFORM(init_ipq, ipq, &ipq->ipq_label);
+ MAC_PERFORM(init_ipq_label, &ipq->ipq_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacipqs, 1);
#endif
@@ -1367,7 +1383,7 @@ void
mac_destroy_ipq(struct ipq *ipq)
{
- MAC_PERFORM(destroy_ipq, ipq, &ipq->ipq_label);
+ MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label);
mac_destroy_label(&ipq->ipq_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacipqs, 1);
@@ -1380,8 +1396,8 @@ mac_init_socket(struct socket *socket)
mac_init_label(&socket->so_label);
mac_init_label(&socket->so_peerlabel);
- MAC_PERFORM(init_socket, socket, &socket->so_label,
- &socket->so_peerlabel);
+ MAC_PERFORM(init_socket_label, &socket->so_label);
+ MAC_PERFORM(init_socket_peer_label, &socket->so_peerlabel);
#ifdef MAC_DEBUG
atomic_add_int(&nmacsockets, 1);
#endif
@@ -1391,8 +1407,8 @@ void
mac_destroy_socket(struct socket *socket)
{
- MAC_PERFORM(destroy_socket, socket, &socket->so_label,
- &socket->so_peerlabel);
+ MAC_PERFORM(destroy_socket_label, &socket->so_label);
+ MAC_PERFORM(destroy_socket_peer_label, &socket->so_peerlabel);
mac_destroy_label(&socket->so_label);
mac_destroy_label(&socket->so_peerlabel);
#ifdef MAC_DEBUG
@@ -1409,7 +1425,7 @@ mac_init_pipe(struct pipe *pipe)
mac_init_label(label);
pipe->pipe_label = label;
pipe->pipe_peer->pipe_label = label;
- MAC_PERFORM(init_pipe, pipe, pipe->pipe_label);
+ MAC_PERFORM(init_pipe_label, pipe->pipe_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacpipes, 1);
#endif
@@ -1419,7 +1435,7 @@ void
mac_destroy_pipe(struct pipe *pipe)
{
- MAC_PERFORM(destroy_pipe, pipe, pipe->pipe_label);
+ MAC_PERFORM(destroy_pipe_label, pipe->pipe_label);
mac_destroy_label(pipe->pipe_label);
free(pipe->pipe_label, M_MACPIPELABEL);
#ifdef MAC_DEBUG
@@ -1432,7 +1448,7 @@ mac_init_bpfdesc(struct bpf_d *bpf_d)
{
mac_init_label(&bpf_d->bd_label);
- MAC_PERFORM(init_bpfdesc, bpf_d, &bpf_d->bd_label);
+ MAC_PERFORM(init_bpfdesc_label, &bpf_d->bd_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacbpfdescs, 1);
#endif
@@ -1442,7 +1458,7 @@ void
mac_destroy_bpfdesc(struct bpf_d *bpf_d)
{
- MAC_PERFORM(destroy_bpfdesc, bpf_d, &bpf_d->bd_label);
+ MAC_PERFORM(destroy_bpfdesc_label, &bpf_d->bd_label);
mac_destroy_label(&bpf_d->bd_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacbpfdescs, 1);
@@ -1455,7 +1471,8 @@ mac_init_mount(struct mount *mp)
mac_init_label(&mp->mnt_mntlabel);
mac_init_label(&mp->mnt_fslabel);
- MAC_PERFORM(init_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel);
+ MAC_PERFORM(init_mount_label, &mp->mnt_mntlabel);
+ MAC_PERFORM(init_mount_fs_label, &mp->mnt_fslabel);
#ifdef MAC_DEBUG
atomic_add_int(&nmacmounts, 1);
#endif
@@ -1465,7 +1482,8 @@ void
mac_destroy_mount(struct mount *mp)
{
- MAC_PERFORM(destroy_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel);
+ MAC_PERFORM(destroy_mount_label, &mp->mnt_mntlabel);
+ MAC_PERFORM(destroy_mount_fs_label, &mp->mnt_fslabel);
mac_destroy_label(&mp->mnt_fslabel);
mac_destroy_label(&mp->mnt_mntlabel);
#ifdef MAC_DEBUG
@@ -1478,7 +1496,7 @@ mac_init_temp(struct label *label)
{
mac_init_label(label);
- MAC_PERFORM(init_temp, label);
+ MAC_PERFORM(init_temp_label, label);
#ifdef MAC_DEBUG
atomic_add_int(&nmactemp, 1);
#endif
@@ -1488,7 +1506,7 @@ static void
mac_destroy_temp(struct label *label)
{
- MAC_PERFORM(destroy_temp, label);
+ MAC_PERFORM(destroy_temp_label, label);
mac_destroy_label(label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmactemp, 1);
@@ -1500,7 +1518,7 @@ mac_init_vnode(struct vnode *vp)
{
mac_init_label(&vp->v_label);
- MAC_PERFORM(init_vnode, vp, &vp->v_label);
+ MAC_PERFORM(init_vnode_label, &vp->v_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacvnodes, 1);
#endif
@@ -1510,7 +1528,7 @@ void
mac_destroy_vnode(struct vnode *vp)
{
- MAC_PERFORM(destroy_vnode, vp, &vp->v_label);
+ MAC_PERFORM(destroy_vnode_label, &vp->v_label);
mac_destroy_label(&vp->v_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacvnodes, 1);
@@ -1522,7 +1540,7 @@ mac_init_devfsdirent(struct devfs_dirent *de)
{
mac_init_label(&de->de_label);
- MAC_PERFORM(init_devfsdirent, de, &de->de_label);
+ MAC_PERFORM(init_devfsdirent_label, &de->de_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacdevfsdirents, 1);
#endif
@@ -1532,7 +1550,7 @@ void
mac_destroy_devfsdirent(struct devfs_dirent *de)
{
- MAC_PERFORM(destroy_devfsdirent, de, &de->de_label);
+ MAC_PERFORM(destroy_devfsdirent_label, &de->de_label);
mac_destroy_label(&de->de_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacdevfsdirents, 1);
diff --git a/sys/security/mac/mac_system.c b/sys/security/mac/mac_system.c
index 2c07abe..cfe6670 100644
--- a/sys/security/mac/mac_system.c
+++ b/sys/security/mac/mac_system.c
@@ -394,92 +394,108 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_syscall =
mpe->mpe_function;
break;
- case MAC_INIT_BPFDESC:
- mpc->mpc_ops->mpo_init_bpfdesc =
+ case MAC_INIT_BPFDESC_LABEL:
+ mpc->mpc_ops->mpo_init_bpfdesc_label =
mpe->mpe_function;
break;
- case MAC_INIT_CRED:
- mpc->mpc_ops->mpo_init_cred =
+ case MAC_INIT_CRED_LABEL:
+ mpc->mpc_ops->mpo_init_cred_label =
mpe->mpe_function;
break;
- case MAC_INIT_DEVFSDIRENT:
- mpc->mpc_ops->mpo_init_devfsdirent =
+ case MAC_INIT_DEVFSDIRENT_LABEL:
+ mpc->mpc_ops->mpo_init_devfsdirent_label =
mpe->mpe_function;
break;
- case MAC_INIT_IFNET:
- mpc->mpc_ops->mpo_init_ifnet =
+ case MAC_INIT_IFNET_LABEL:
+ mpc->mpc_ops->mpo_init_ifnet_label =
mpe->mpe_function;
break;
- case MAC_INIT_IPQ:
- mpc->mpc_ops->mpo_init_ipq =
+ case MAC_INIT_IPQ_LABEL:
+ mpc->mpc_ops->mpo_init_ipq_label =
mpe->mpe_function;
break;
- case MAC_INIT_MBUF:
- mpc->mpc_ops->mpo_init_mbuf =
+ case MAC_INIT_MBUF_LABEL:
+ mpc->mpc_ops->mpo_init_mbuf_label =
mpe->mpe_function;
break;
- case MAC_INIT_MOUNT:
- mpc->mpc_ops->mpo_init_mount =
+ case MAC_INIT_MOUNT_LABEL:
+ mpc->mpc_ops->mpo_init_mount_label =
mpe->mpe_function;
break;
- case MAC_INIT_PIPE:
- mpc->mpc_ops->mpo_init_pipe =
+ case MAC_INIT_MOUNT_FS_LABEL:
+ mpc->mpc_ops->mpo_init_mount_fs_label =
mpe->mpe_function;
break;
- case MAC_INIT_SOCKET:
- mpc->mpc_ops->mpo_init_socket =
+ case MAC_INIT_PIPE_LABEL:
+ mpc->mpc_ops->mpo_init_pipe_label =
mpe->mpe_function;
break;
- case MAC_INIT_TEMP:
- mpc->mpc_ops->mpo_init_temp =
+ case MAC_INIT_SOCKET_LABEL:
+ mpc->mpc_ops->mpo_init_socket_label =
mpe->mpe_function;
break;
- case MAC_INIT_VNODE:
- mpc->mpc_ops->mpo_init_vnode =
+ case MAC_INIT_SOCKET_PEER_LABEL:
+ mpc->mpc_ops->mpo_init_socket_peer_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_BPFDESC:
- mpc->mpc_ops->mpo_destroy_bpfdesc =
+ case MAC_INIT_TEMP_LABEL:
+ mpc->mpc_ops->mpo_init_temp_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_CRED:
- mpc->mpc_ops->mpo_destroy_cred =
+ case MAC_INIT_VNODE_LABEL:
+ mpc->mpc_ops->mpo_init_vnode_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_DEVFSDIRENT:
- mpc->mpc_ops->mpo_destroy_devfsdirent =
+ case MAC_DESTROY_BPFDESC_LABEL:
+ mpc->mpc_ops->mpo_destroy_bpfdesc_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_IFNET:
- mpc->mpc_ops->mpo_destroy_ifnet =
+ case MAC_DESTROY_CRED_LABEL:
+ mpc->mpc_ops->mpo_destroy_cred_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_IPQ:
- mpc->mpc_ops->mpo_destroy_ipq =
+ case MAC_DESTROY_DEVFSDIRENT_LABEL:
+ mpc->mpc_ops->mpo_destroy_devfsdirent_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_MBUF:
- mpc->mpc_ops->mpo_destroy_mbuf =
+ case MAC_DESTROY_IFNET_LABEL:
+ mpc->mpc_ops->mpo_destroy_ifnet_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_MOUNT:
- mpc->mpc_ops->mpo_destroy_mount =
+ case MAC_DESTROY_IPQ_LABEL:
+ mpc->mpc_ops->mpo_destroy_ipq_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_PIPE:
- mpc->mpc_ops->mpo_destroy_pipe =
+ case MAC_DESTROY_MBUF_LABEL:
+ mpc->mpc_ops->mpo_destroy_mbuf_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_SOCKET:
- mpc->mpc_ops->mpo_destroy_socket =
+ case MAC_DESTROY_MOUNT_LABEL:
+ mpc->mpc_ops->mpo_destroy_mount_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_TEMP:
- mpc->mpc_ops->mpo_destroy_temp =
+ case MAC_DESTROY_MOUNT_FS_LABEL:
+ mpc->mpc_ops->mpo_destroy_mount_fs_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_VNODE:
- mpc->mpc_ops->mpo_destroy_vnode =
+ case MAC_DESTROY_PIPE_LABEL:
+ mpc->mpc_ops->mpo_destroy_pipe_label =
+ mpe->mpe_function;
+ break;
+ case MAC_DESTROY_SOCKET_LABEL:
+ mpc->mpc_ops->mpo_destroy_socket_label =
+ mpe->mpe_function;
+ break;
+ case MAC_DESTROY_SOCKET_PEER_LABEL:
+ mpc->mpc_ops->mpo_destroy_socket_peer_label =
+ mpe->mpe_function;
+ break;
+ case MAC_DESTROY_TEMP_LABEL:
+ mpc->mpc_ops->mpo_destroy_temp_label =
+ mpe->mpe_function;
+ break;
+ case MAC_DESTROY_VNODE_LABEL:
+ mpc->mpc_ops->mpo_destroy_vnode_label =
mpe->mpe_function;
break;
case MAC_EXTERNALIZE:
@@ -1290,7 +1306,7 @@ mac_init_mbuf(struct mbuf *m, int how)
/* "how" is one of M_(TRY|DONT)WAIT */
mac_init_label(&m->m_pkthdr.label);
- MAC_PERFORM(init_mbuf, m, how, &m->m_pkthdr.label);
+ MAC_PERFORM(init_mbuf_label, &m->m_pkthdr.label, how);
#ifdef MAC_DEBUG
atomic_add_int(&nmacmbufs, 1);
#endif
@@ -1301,7 +1317,7 @@ void
mac_destroy_mbuf(struct mbuf *m)
{
- MAC_PERFORM(destroy_mbuf, m, &m->m_pkthdr.label);
+ MAC_PERFORM(destroy_mbuf_label, &m->m_pkthdr.label);
mac_destroy_label(&m->m_pkthdr.label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacmbufs, 1);
@@ -1313,7 +1329,7 @@ mac_init_cred(struct ucred *cr)
{
mac_init_label(&cr->cr_label);
- MAC_PERFORM(init_cred, cr, &cr->cr_label);
+ MAC_PERFORM(init_cred_label, &cr->cr_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmaccreds, 1);
#endif
@@ -1323,7 +1339,7 @@ void
mac_destroy_cred(struct ucred *cr)
{
- MAC_PERFORM(destroy_cred, cr, &cr->cr_label);
+ MAC_PERFORM(destroy_cred_label, &cr->cr_label);
mac_destroy_label(&cr->cr_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmaccreds, 1);
@@ -1335,7 +1351,7 @@ mac_init_ifnet(struct ifnet *ifp)
{
mac_init_label(&ifp->if_label);
- MAC_PERFORM(init_ifnet, ifp, &ifp->if_label);
+ MAC_PERFORM(init_ifnet_label, &ifp->if_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacifnets, 1);
#endif
@@ -1345,7 +1361,7 @@ void
mac_destroy_ifnet(struct ifnet *ifp)
{
- MAC_PERFORM(destroy_ifnet, ifp, &ifp->if_label);
+ MAC_PERFORM(destroy_ifnet_label, &ifp->if_label);
mac_destroy_label(&ifp->if_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacifnets, 1);
@@ -1357,7 +1373,7 @@ mac_init_ipq(struct ipq *ipq)
{
mac_init_label(&ipq->ipq_label);
- MAC_PERFORM(init_ipq, ipq, &ipq->ipq_label);
+ MAC_PERFORM(init_ipq_label, &ipq->ipq_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacipqs, 1);
#endif
@@ -1367,7 +1383,7 @@ void
mac_destroy_ipq(struct ipq *ipq)
{
- MAC_PERFORM(destroy_ipq, ipq, &ipq->ipq_label);
+ MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label);
mac_destroy_label(&ipq->ipq_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacipqs, 1);
@@ -1380,8 +1396,8 @@ mac_init_socket(struct socket *socket)
mac_init_label(&socket->so_label);
mac_init_label(&socket->so_peerlabel);
- MAC_PERFORM(init_socket, socket, &socket->so_label,
- &socket->so_peerlabel);
+ MAC_PERFORM(init_socket_label, &socket->so_label);
+ MAC_PERFORM(init_socket_peer_label, &socket->so_peerlabel);
#ifdef MAC_DEBUG
atomic_add_int(&nmacsockets, 1);
#endif
@@ -1391,8 +1407,8 @@ void
mac_destroy_socket(struct socket *socket)
{
- MAC_PERFORM(destroy_socket, socket, &socket->so_label,
- &socket->so_peerlabel);
+ MAC_PERFORM(destroy_socket_label, &socket->so_label);
+ MAC_PERFORM(destroy_socket_peer_label, &socket->so_peerlabel);
mac_destroy_label(&socket->so_label);
mac_destroy_label(&socket->so_peerlabel);
#ifdef MAC_DEBUG
@@ -1409,7 +1425,7 @@ mac_init_pipe(struct pipe *pipe)
mac_init_label(label);
pipe->pipe_label = label;
pipe->pipe_peer->pipe_label = label;
- MAC_PERFORM(init_pipe, pipe, pipe->pipe_label);
+ MAC_PERFORM(init_pipe_label, pipe->pipe_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacpipes, 1);
#endif
@@ -1419,7 +1435,7 @@ void
mac_destroy_pipe(struct pipe *pipe)
{
- MAC_PERFORM(destroy_pipe, pipe, pipe->pipe_label);
+ MAC_PERFORM(destroy_pipe_label, pipe->pipe_label);
mac_destroy_label(pipe->pipe_label);
free(pipe->pipe_label, M_MACPIPELABEL);
#ifdef MAC_DEBUG
@@ -1432,7 +1448,7 @@ mac_init_bpfdesc(struct bpf_d *bpf_d)
{
mac_init_label(&bpf_d->bd_label);
- MAC_PERFORM(init_bpfdesc, bpf_d, &bpf_d->bd_label);
+ MAC_PERFORM(init_bpfdesc_label, &bpf_d->bd_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacbpfdescs, 1);
#endif
@@ -1442,7 +1458,7 @@ void
mac_destroy_bpfdesc(struct bpf_d *bpf_d)
{
- MAC_PERFORM(destroy_bpfdesc, bpf_d, &bpf_d->bd_label);
+ MAC_PERFORM(destroy_bpfdesc_label, &bpf_d->bd_label);
mac_destroy_label(&bpf_d->bd_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacbpfdescs, 1);
@@ -1455,7 +1471,8 @@ mac_init_mount(struct mount *mp)
mac_init_label(&mp->mnt_mntlabel);
mac_init_label(&mp->mnt_fslabel);
- MAC_PERFORM(init_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel);
+ MAC_PERFORM(init_mount_label, &mp->mnt_mntlabel);
+ MAC_PERFORM(init_mount_fs_label, &mp->mnt_fslabel);
#ifdef MAC_DEBUG
atomic_add_int(&nmacmounts, 1);
#endif
@@ -1465,7 +1482,8 @@ void
mac_destroy_mount(struct mount *mp)
{
- MAC_PERFORM(destroy_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel);
+ MAC_PERFORM(destroy_mount_label, &mp->mnt_mntlabel);
+ MAC_PERFORM(destroy_mount_fs_label, &mp->mnt_fslabel);
mac_destroy_label(&mp->mnt_fslabel);
mac_destroy_label(&mp->mnt_mntlabel);
#ifdef MAC_DEBUG
@@ -1478,7 +1496,7 @@ mac_init_temp(struct label *label)
{
mac_init_label(label);
- MAC_PERFORM(init_temp, label);
+ MAC_PERFORM(init_temp_label, label);
#ifdef MAC_DEBUG
atomic_add_int(&nmactemp, 1);
#endif
@@ -1488,7 +1506,7 @@ static void
mac_destroy_temp(struct label *label)
{
- MAC_PERFORM(destroy_temp, label);
+ MAC_PERFORM(destroy_temp_label, label);
mac_destroy_label(label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmactemp, 1);
@@ -1500,7 +1518,7 @@ mac_init_vnode(struct vnode *vp)
{
mac_init_label(&vp->v_label);
- MAC_PERFORM(init_vnode, vp, &vp->v_label);
+ MAC_PERFORM(init_vnode_label, &vp->v_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacvnodes, 1);
#endif
@@ -1510,7 +1528,7 @@ void
mac_destroy_vnode(struct vnode *vp)
{
- MAC_PERFORM(destroy_vnode, vp, &vp->v_label);
+ MAC_PERFORM(destroy_vnode_label, &vp->v_label);
mac_destroy_label(&vp->v_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacvnodes, 1);
@@ -1522,7 +1540,7 @@ mac_init_devfsdirent(struct devfs_dirent *de)
{
mac_init_label(&de->de_label);
- MAC_PERFORM(init_devfsdirent, de, &de->de_label);
+ MAC_PERFORM(init_devfsdirent_label, &de->de_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacdevfsdirents, 1);
#endif
@@ -1532,7 +1550,7 @@ void
mac_destroy_devfsdirent(struct devfs_dirent *de)
{
- MAC_PERFORM(destroy_devfsdirent, de, &de->de_label);
+ MAC_PERFORM(destroy_devfsdirent_label, &de->de_label);
mac_destroy_label(&de->de_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacdevfsdirents, 1);
diff --git a/sys/security/mac/mac_vfs.c b/sys/security/mac/mac_vfs.c
index 2c07abe..cfe6670 100644
--- a/sys/security/mac/mac_vfs.c
+++ b/sys/security/mac/mac_vfs.c
@@ -394,92 +394,108 @@ mac_policy_register(struct mac_policy_conf *mpc)
mpc->mpc_ops->mpo_syscall =
mpe->mpe_function;
break;
- case MAC_INIT_BPFDESC:
- mpc->mpc_ops->mpo_init_bpfdesc =
+ case MAC_INIT_BPFDESC_LABEL:
+ mpc->mpc_ops->mpo_init_bpfdesc_label =
mpe->mpe_function;
break;
- case MAC_INIT_CRED:
- mpc->mpc_ops->mpo_init_cred =
+ case MAC_INIT_CRED_LABEL:
+ mpc->mpc_ops->mpo_init_cred_label =
mpe->mpe_function;
break;
- case MAC_INIT_DEVFSDIRENT:
- mpc->mpc_ops->mpo_init_devfsdirent =
+ case MAC_INIT_DEVFSDIRENT_LABEL:
+ mpc->mpc_ops->mpo_init_devfsdirent_label =
mpe->mpe_function;
break;
- case MAC_INIT_IFNET:
- mpc->mpc_ops->mpo_init_ifnet =
+ case MAC_INIT_IFNET_LABEL:
+ mpc->mpc_ops->mpo_init_ifnet_label =
mpe->mpe_function;
break;
- case MAC_INIT_IPQ:
- mpc->mpc_ops->mpo_init_ipq =
+ case MAC_INIT_IPQ_LABEL:
+ mpc->mpc_ops->mpo_init_ipq_label =
mpe->mpe_function;
break;
- case MAC_INIT_MBUF:
- mpc->mpc_ops->mpo_init_mbuf =
+ case MAC_INIT_MBUF_LABEL:
+ mpc->mpc_ops->mpo_init_mbuf_label =
mpe->mpe_function;
break;
- case MAC_INIT_MOUNT:
- mpc->mpc_ops->mpo_init_mount =
+ case MAC_INIT_MOUNT_LABEL:
+ mpc->mpc_ops->mpo_init_mount_label =
mpe->mpe_function;
break;
- case MAC_INIT_PIPE:
- mpc->mpc_ops->mpo_init_pipe =
+ case MAC_INIT_MOUNT_FS_LABEL:
+ mpc->mpc_ops->mpo_init_mount_fs_label =
mpe->mpe_function;
break;
- case MAC_INIT_SOCKET:
- mpc->mpc_ops->mpo_init_socket =
+ case MAC_INIT_PIPE_LABEL:
+ mpc->mpc_ops->mpo_init_pipe_label =
mpe->mpe_function;
break;
- case MAC_INIT_TEMP:
- mpc->mpc_ops->mpo_init_temp =
+ case MAC_INIT_SOCKET_LABEL:
+ mpc->mpc_ops->mpo_init_socket_label =
mpe->mpe_function;
break;
- case MAC_INIT_VNODE:
- mpc->mpc_ops->mpo_init_vnode =
+ case MAC_INIT_SOCKET_PEER_LABEL:
+ mpc->mpc_ops->mpo_init_socket_peer_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_BPFDESC:
- mpc->mpc_ops->mpo_destroy_bpfdesc =
+ case MAC_INIT_TEMP_LABEL:
+ mpc->mpc_ops->mpo_init_temp_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_CRED:
- mpc->mpc_ops->mpo_destroy_cred =
+ case MAC_INIT_VNODE_LABEL:
+ mpc->mpc_ops->mpo_init_vnode_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_DEVFSDIRENT:
- mpc->mpc_ops->mpo_destroy_devfsdirent =
+ case MAC_DESTROY_BPFDESC_LABEL:
+ mpc->mpc_ops->mpo_destroy_bpfdesc_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_IFNET:
- mpc->mpc_ops->mpo_destroy_ifnet =
+ case MAC_DESTROY_CRED_LABEL:
+ mpc->mpc_ops->mpo_destroy_cred_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_IPQ:
- mpc->mpc_ops->mpo_destroy_ipq =
+ case MAC_DESTROY_DEVFSDIRENT_LABEL:
+ mpc->mpc_ops->mpo_destroy_devfsdirent_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_MBUF:
- mpc->mpc_ops->mpo_destroy_mbuf =
+ case MAC_DESTROY_IFNET_LABEL:
+ mpc->mpc_ops->mpo_destroy_ifnet_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_MOUNT:
- mpc->mpc_ops->mpo_destroy_mount =
+ case MAC_DESTROY_IPQ_LABEL:
+ mpc->mpc_ops->mpo_destroy_ipq_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_PIPE:
- mpc->mpc_ops->mpo_destroy_pipe =
+ case MAC_DESTROY_MBUF_LABEL:
+ mpc->mpc_ops->mpo_destroy_mbuf_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_SOCKET:
- mpc->mpc_ops->mpo_destroy_socket =
+ case MAC_DESTROY_MOUNT_LABEL:
+ mpc->mpc_ops->mpo_destroy_mount_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_TEMP:
- mpc->mpc_ops->mpo_destroy_temp =
+ case MAC_DESTROY_MOUNT_FS_LABEL:
+ mpc->mpc_ops->mpo_destroy_mount_fs_label =
mpe->mpe_function;
break;
- case MAC_DESTROY_VNODE:
- mpc->mpc_ops->mpo_destroy_vnode =
+ case MAC_DESTROY_PIPE_LABEL:
+ mpc->mpc_ops->mpo_destroy_pipe_label =
+ mpe->mpe_function;
+ break;
+ case MAC_DESTROY_SOCKET_LABEL:
+ mpc->mpc_ops->mpo_destroy_socket_label =
+ mpe->mpe_function;
+ break;
+ case MAC_DESTROY_SOCKET_PEER_LABEL:
+ mpc->mpc_ops->mpo_destroy_socket_peer_label =
+ mpe->mpe_function;
+ break;
+ case MAC_DESTROY_TEMP_LABEL:
+ mpc->mpc_ops->mpo_destroy_temp_label =
+ mpe->mpe_function;
+ break;
+ case MAC_DESTROY_VNODE_LABEL:
+ mpc->mpc_ops->mpo_destroy_vnode_label =
mpe->mpe_function;
break;
case MAC_EXTERNALIZE:
@@ -1290,7 +1306,7 @@ mac_init_mbuf(struct mbuf *m, int how)
/* "how" is one of M_(TRY|DONT)WAIT */
mac_init_label(&m->m_pkthdr.label);
- MAC_PERFORM(init_mbuf, m, how, &m->m_pkthdr.label);
+ MAC_PERFORM(init_mbuf_label, &m->m_pkthdr.label, how);
#ifdef MAC_DEBUG
atomic_add_int(&nmacmbufs, 1);
#endif
@@ -1301,7 +1317,7 @@ void
mac_destroy_mbuf(struct mbuf *m)
{
- MAC_PERFORM(destroy_mbuf, m, &m->m_pkthdr.label);
+ MAC_PERFORM(destroy_mbuf_label, &m->m_pkthdr.label);
mac_destroy_label(&m->m_pkthdr.label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacmbufs, 1);
@@ -1313,7 +1329,7 @@ mac_init_cred(struct ucred *cr)
{
mac_init_label(&cr->cr_label);
- MAC_PERFORM(init_cred, cr, &cr->cr_label);
+ MAC_PERFORM(init_cred_label, &cr->cr_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmaccreds, 1);
#endif
@@ -1323,7 +1339,7 @@ void
mac_destroy_cred(struct ucred *cr)
{
- MAC_PERFORM(destroy_cred, cr, &cr->cr_label);
+ MAC_PERFORM(destroy_cred_label, &cr->cr_label);
mac_destroy_label(&cr->cr_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmaccreds, 1);
@@ -1335,7 +1351,7 @@ mac_init_ifnet(struct ifnet *ifp)
{
mac_init_label(&ifp->if_label);
- MAC_PERFORM(init_ifnet, ifp, &ifp->if_label);
+ MAC_PERFORM(init_ifnet_label, &ifp->if_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacifnets, 1);
#endif
@@ -1345,7 +1361,7 @@ void
mac_destroy_ifnet(struct ifnet *ifp)
{
- MAC_PERFORM(destroy_ifnet, ifp, &ifp->if_label);
+ MAC_PERFORM(destroy_ifnet_label, &ifp->if_label);
mac_destroy_label(&ifp->if_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacifnets, 1);
@@ -1357,7 +1373,7 @@ mac_init_ipq(struct ipq *ipq)
{
mac_init_label(&ipq->ipq_label);
- MAC_PERFORM(init_ipq, ipq, &ipq->ipq_label);
+ MAC_PERFORM(init_ipq_label, &ipq->ipq_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacipqs, 1);
#endif
@@ -1367,7 +1383,7 @@ void
mac_destroy_ipq(struct ipq *ipq)
{
- MAC_PERFORM(destroy_ipq, ipq, &ipq->ipq_label);
+ MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label);
mac_destroy_label(&ipq->ipq_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacipqs, 1);
@@ -1380,8 +1396,8 @@ mac_init_socket(struct socket *socket)
mac_init_label(&socket->so_label);
mac_init_label(&socket->so_peerlabel);
- MAC_PERFORM(init_socket, socket, &socket->so_label,
- &socket->so_peerlabel);
+ MAC_PERFORM(init_socket_label, &socket->so_label);
+ MAC_PERFORM(init_socket_peer_label, &socket->so_peerlabel);
#ifdef MAC_DEBUG
atomic_add_int(&nmacsockets, 1);
#endif
@@ -1391,8 +1407,8 @@ void
mac_destroy_socket(struct socket *socket)
{
- MAC_PERFORM(destroy_socket, socket, &socket->so_label,
- &socket->so_peerlabel);
+ MAC_PERFORM(destroy_socket_label, &socket->so_label);
+ MAC_PERFORM(destroy_socket_peer_label, &socket->so_peerlabel);
mac_destroy_label(&socket->so_label);
mac_destroy_label(&socket->so_peerlabel);
#ifdef MAC_DEBUG
@@ -1409,7 +1425,7 @@ mac_init_pipe(struct pipe *pipe)
mac_init_label(label);
pipe->pipe_label = label;
pipe->pipe_peer->pipe_label = label;
- MAC_PERFORM(init_pipe, pipe, pipe->pipe_label);
+ MAC_PERFORM(init_pipe_label, pipe->pipe_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacpipes, 1);
#endif
@@ -1419,7 +1435,7 @@ void
mac_destroy_pipe(struct pipe *pipe)
{
- MAC_PERFORM(destroy_pipe, pipe, pipe->pipe_label);
+ MAC_PERFORM(destroy_pipe_label, pipe->pipe_label);
mac_destroy_label(pipe->pipe_label);
free(pipe->pipe_label, M_MACPIPELABEL);
#ifdef MAC_DEBUG
@@ -1432,7 +1448,7 @@ mac_init_bpfdesc(struct bpf_d *bpf_d)
{
mac_init_label(&bpf_d->bd_label);
- MAC_PERFORM(init_bpfdesc, bpf_d, &bpf_d->bd_label);
+ MAC_PERFORM(init_bpfdesc_label, &bpf_d->bd_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacbpfdescs, 1);
#endif
@@ -1442,7 +1458,7 @@ void
mac_destroy_bpfdesc(struct bpf_d *bpf_d)
{
- MAC_PERFORM(destroy_bpfdesc, bpf_d, &bpf_d->bd_label);
+ MAC_PERFORM(destroy_bpfdesc_label, &bpf_d->bd_label);
mac_destroy_label(&bpf_d->bd_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacbpfdescs, 1);
@@ -1455,7 +1471,8 @@ mac_init_mount(struct mount *mp)
mac_init_label(&mp->mnt_mntlabel);
mac_init_label(&mp->mnt_fslabel);
- MAC_PERFORM(init_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel);
+ MAC_PERFORM(init_mount_label, &mp->mnt_mntlabel);
+ MAC_PERFORM(init_mount_fs_label, &mp->mnt_fslabel);
#ifdef MAC_DEBUG
atomic_add_int(&nmacmounts, 1);
#endif
@@ -1465,7 +1482,8 @@ void
mac_destroy_mount(struct mount *mp)
{
- MAC_PERFORM(destroy_mount, mp, &mp->mnt_mntlabel, &mp->mnt_fslabel);
+ MAC_PERFORM(destroy_mount_label, &mp->mnt_mntlabel);
+ MAC_PERFORM(destroy_mount_fs_label, &mp->mnt_fslabel);
mac_destroy_label(&mp->mnt_fslabel);
mac_destroy_label(&mp->mnt_mntlabel);
#ifdef MAC_DEBUG
@@ -1478,7 +1496,7 @@ mac_init_temp(struct label *label)
{
mac_init_label(label);
- MAC_PERFORM(init_temp, label);
+ MAC_PERFORM(init_temp_label, label);
#ifdef MAC_DEBUG
atomic_add_int(&nmactemp, 1);
#endif
@@ -1488,7 +1506,7 @@ static void
mac_destroy_temp(struct label *label)
{
- MAC_PERFORM(destroy_temp, label);
+ MAC_PERFORM(destroy_temp_label, label);
mac_destroy_label(label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmactemp, 1);
@@ -1500,7 +1518,7 @@ mac_init_vnode(struct vnode *vp)
{
mac_init_label(&vp->v_label);
- MAC_PERFORM(init_vnode, vp, &vp->v_label);
+ MAC_PERFORM(init_vnode_label, &vp->v_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacvnodes, 1);
#endif
@@ -1510,7 +1528,7 @@ void
mac_destroy_vnode(struct vnode *vp)
{
- MAC_PERFORM(destroy_vnode, vp, &vp->v_label);
+ MAC_PERFORM(destroy_vnode_label, &vp->v_label);
mac_destroy_label(&vp->v_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacvnodes, 1);
@@ -1522,7 +1540,7 @@ mac_init_devfsdirent(struct devfs_dirent *de)
{
mac_init_label(&de->de_label);
- MAC_PERFORM(init_devfsdirent, de, &de->de_label);
+ MAC_PERFORM(init_devfsdirent_label, &de->de_label);
#ifdef MAC_DEBUG
atomic_add_int(&nmacdevfsdirents, 1);
#endif
@@ -1532,7 +1550,7 @@ void
mac_destroy_devfsdirent(struct devfs_dirent *de)
{
- MAC_PERFORM(destroy_devfsdirent, de, &de->de_label);
+ MAC_PERFORM(destroy_devfsdirent_label, &de->de_label);
mac_destroy_label(&de->de_label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacdevfsdirents, 1);
diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c
index d9056c6..8d53cdb 100644
--- a/sys/security/mac_biba/mac_biba.c
+++ b/sys/security/mac_biba/mac_biba.c
@@ -117,11 +117,11 @@ static int mac_biba_check_vnode_open(struct ucred *cred, struct vnode *vp,
struct label *vnodelabel, mode_t acc_mode);
static struct mac_biba *
-biba_alloc(int how)
+biba_alloc(int flag)
{
struct mac_biba *mac_biba;
- mac_biba = malloc(sizeof(struct mac_biba), M_MACBIBA, M_ZERO | how);
+ mac_biba = malloc(sizeof(struct mac_biba), M_MACBIBA, M_ZERO | flag);
return (mac_biba);
}
@@ -385,46 +385,17 @@ mac_biba_init(struct mac_policy_conf *conf)
* Label operations.
*/
static void
-mac_biba_init_bpfdesc(struct bpf_d *bpf_d, struct label *label)
-{
-
- SLOT(label) = biba_alloc(M_WAITOK);
-}
-
-static void
-mac_biba_init_cred(struct ucred *ucred, struct label *label)
-{
-
- SLOT(label) = biba_alloc(M_WAITOK);
-}
-
-static void
-mac_biba_init_devfsdirent(struct devfs_dirent *devfs_dirent,
- struct label *label)
-{
-
- SLOT(label) = biba_alloc(M_WAITOK);
-}
-
-static void
-mac_biba_init_ifnet(struct ifnet *ifnet, struct label *label)
-{
-
- SLOT(label) = biba_alloc(M_WAITOK);
-}
-
-static void
-mac_biba_init_ipq(struct ipq *ipq, struct label *label)
+mac_biba_init_label(struct label *label)
{
SLOT(label) = biba_alloc(M_WAITOK);
}
static int
-mac_biba_init_mbuf(struct mbuf *mbuf, int how, struct label *label)
+mac_biba_init_label_waitcheck(struct label *label, int flag)
{
- SLOT(label) = biba_alloc(how);
+ SLOT(label) = biba_alloc(flag);
if (SLOT(label) == NULL)
return (ENOMEM);
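Review bot: `mac_biba_init_label` always allocates with `M_WAITOK`, and the ops table later in this file registers it for every label type except mbuf, including `MAC_INIT_IPQ_LABEL` and `MAC_INIT_SOCKET_LABEL`. The removed per-type functions did the same, so this is not a regression, but if any of those labels can be initialised from a context that must not sleep (not determinable from this diff), that entry would need the `mac_biba_init_label_waitcheck` form with a flag passed by the framework. At minimum, a comment above `mac_biba_init_label` such as `/* May sleep (M_WAITOK); register only for label types initialised from a sleepable context. */` would make the constraint explicit. The same applies to `mac_mls_init_label` in mac_mls.c; the body of `mac_biba_init_label_waitcheck` continues past the end of this hunk.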
@@ -432,133 +403,7 @@ mac_biba_init_mbuf(struct mbuf *mbuf, int how, struct label *label)
}
static void
-mac_biba_init_mount(struct mount *mount, struct label *mntlabel,
- struct label *fslabel)
-{
-
- SLOT(mntlabel) = biba_alloc(M_WAITOK);
- SLOT(fslabel) = biba_alloc(M_WAITOK);
-}
-
-static void
-mac_biba_init_socket(struct socket *socket, struct label *label,
- struct label *peerlabel)
-{
-
- SLOT(label) = biba_alloc(M_WAITOK);
- SLOT(peerlabel) = biba_alloc(M_WAITOK);
-}
-
-static void
-mac_biba_init_pipe(struct pipe *pipe, struct label *label)
-{
-
- SLOT(label) = biba_alloc(M_WAITOK);
-}
-
-static void
-mac_biba_init_temp(struct label *label)
-{
-
- SLOT(label) = biba_alloc(M_WAITOK);
-}
-
-static void
-mac_biba_init_vnode(struct vnode *vp, struct label *label)
-{
-
- SLOT(label) = biba_alloc(M_WAITOK);
-}
-
-static void
-mac_biba_destroy_bpfdesc(struct bpf_d *bpf_d, struct label *label)
-{
-
- biba_free(SLOT(label));
- SLOT(label) = NULL;
-}
-
-static void
-mac_biba_destroy_cred(struct ucred *ucred, struct label *label)
-{
-
- biba_free(SLOT(label));
- SLOT(label) = NULL;
-}
-
-static void
-mac_biba_destroy_devfsdirent(struct devfs_dirent *devfs_dirent,
- struct label *label)
-{
-
- biba_free(SLOT(label));
- SLOT(label) = NULL;
-}
-
-static void
-mac_biba_destroy_ifnet(struct ifnet *ifnet, struct label *label)
-{
-
- biba_free(SLOT(label));
- SLOT(label) = NULL;
-}
-
-static void
-mac_biba_destroy_ipq(struct ipq *ipq, struct label *label)
-{
-
- biba_free(SLOT(label));
- SLOT(label) = NULL;
-}
-
-static void
-mac_biba_destroy_mbuf(struct mbuf *mbuf, struct label *label)
-{
-
- biba_free(SLOT(label));
- SLOT(label) = NULL;
-}
-
-static void
-mac_biba_destroy_mount(struct mount *mount, struct label *mntlabel,
- struct label *fslabel)
-{
-
- biba_free(SLOT(mntlabel));
- SLOT(mntlabel) = NULL;
- biba_free(SLOT(fslabel));
- SLOT(fslabel) = NULL;
-}
-
-static void
-mac_biba_destroy_socket(struct socket *socket, struct label *label,
- struct label *peerlabel)
-{
-
- biba_free(SLOT(label));
- SLOT(label) = NULL;
- biba_free(SLOT(peerlabel));
- SLOT(peerlabel) = NULL;
-}
-
-static void
-mac_biba_destroy_pipe(struct pipe *pipe, struct label *label)
-{
-
- biba_free(SLOT(label));
- SLOT(label) = NULL;
-}
-
-static void
-mac_biba_destroy_temp(struct label *label)
-{
-
- biba_free(SLOT(label));
- SLOT(label) = NULL;
-}
-
-static void
-mac_biba_destroy_vnode(struct vnode *vp, struct label *label)
+mac_biba_destroy_label(struct label *label)
{
biba_free(SLOT(label));
@@ -2054,50 +1899,58 @@ static struct mac_policy_op_entry mac_biba_ops[] =
(macop_t)mac_biba_destroy },
{ MAC_INIT,
(macop_t)mac_biba_init },
- { MAC_INIT_BPFDESC,
- (macop_t)mac_biba_init_bpfdesc },
- { MAC_INIT_CRED,
- (macop_t)mac_biba_init_cred },
- { MAC_INIT_DEVFSDIRENT,
- (macop_t)mac_biba_init_devfsdirent },
- { MAC_INIT_IFNET,
- (macop_t)mac_biba_init_ifnet },
- { MAC_INIT_IPQ,
- (macop_t)mac_biba_init_ipq },
- { MAC_INIT_MBUF,
- (macop_t)mac_biba_init_mbuf },
- { MAC_INIT_MOUNT,
- (macop_t)mac_biba_init_mount },
- { MAC_INIT_PIPE,
- (macop_t)mac_biba_init_pipe },
- { MAC_INIT_SOCKET,
- (macop_t)mac_biba_init_socket },
- { MAC_INIT_TEMP,
- (macop_t)mac_biba_init_temp },
- { MAC_INIT_VNODE,
- (macop_t)mac_biba_init_vnode },
- { MAC_DESTROY_BPFDESC,
- (macop_t)mac_biba_destroy_bpfdesc },
- { MAC_DESTROY_CRED,
- (macop_t)mac_biba_destroy_cred },
- { MAC_DESTROY_DEVFSDIRENT,
- (macop_t)mac_biba_destroy_devfsdirent },
- { MAC_DESTROY_IFNET,
- (macop_t)mac_biba_destroy_ifnet },
- { MAC_DESTROY_IPQ,
- (macop_t)mac_biba_destroy_ipq },
- { MAC_DESTROY_MBUF,
- (macop_t)mac_biba_destroy_mbuf },
- { MAC_DESTROY_MOUNT,
- (macop_t)mac_biba_destroy_mount },
- { MAC_DESTROY_PIPE,
- (macop_t)mac_biba_destroy_pipe },
- { MAC_DESTROY_SOCKET,
- (macop_t)mac_biba_destroy_socket },
- { MAC_DESTROY_TEMP,
- (macop_t)mac_biba_destroy_temp },
- { MAC_DESTROY_VNODE,
- (macop_t)mac_biba_destroy_vnode },
+ { MAC_INIT_BPFDESC_LABEL,
+ (macop_t)mac_biba_init_label },
+ { MAC_INIT_CRED_LABEL,
+ (macop_t)mac_biba_init_label },
+ { MAC_INIT_DEVFSDIRENT_LABEL,
+ (macop_t)mac_biba_init_label },
+ { MAC_INIT_IFNET_LABEL,
+ (macop_t)mac_biba_init_label },
+ { MAC_INIT_IPQ_LABEL,
+ (macop_t)mac_biba_init_label },
+ { MAC_INIT_MBUF_LABEL,
+ (macop_t)mac_biba_init_label_waitcheck },
+ { MAC_INIT_MOUNT_LABEL,
+ (macop_t)mac_biba_init_label },
+ { MAC_INIT_MOUNT_FS_LABEL,
+ (macop_t)mac_biba_init_label },
+ { MAC_INIT_PIPE_LABEL,
+ (macop_t)mac_biba_init_label },
+ { MAC_INIT_SOCKET_LABEL,
+ (macop_t)mac_biba_init_label },
+ { MAC_INIT_SOCKET_PEER_LABEL,
+ (macop_t)mac_biba_init_label },
+ { MAC_INIT_TEMP_LABEL,
+ (macop_t)mac_biba_init_label },
+ { MAC_INIT_VNODE_LABEL,
+ (macop_t)mac_biba_init_label },
+ { MAC_DESTROY_BPFDESC_LABEL,
+ (macop_t)mac_biba_destroy_label },
+ { MAC_DESTROY_CRED_LABEL,
+ (macop_t)mac_biba_destroy_label },
+ { MAC_DESTROY_DEVFSDIRENT_LABEL,
+ (macop_t)mac_biba_destroy_label },
+ { MAC_DESTROY_IFNET_LABEL,
+ (macop_t)mac_biba_destroy_label },
+ { MAC_DESTROY_IPQ_LABEL,
+ (macop_t)mac_biba_destroy_label },
+ { MAC_DESTROY_MBUF_LABEL,
+ (macop_t)mac_biba_destroy_label },
+ { MAC_DESTROY_MOUNT_LABEL,
+ (macop_t)mac_biba_destroy_label },
+ { MAC_DESTROY_MOUNT_FS_LABEL,
+ (macop_t)mac_biba_destroy_label },
+ { MAC_DESTROY_PIPE_LABEL,
+ (macop_t)mac_biba_destroy_label },
+ { MAC_DESTROY_SOCKET_LABEL,
+ (macop_t)mac_biba_destroy_label },
+ { MAC_DESTROY_SOCKET_PEER_LABEL,
+ (macop_t)mac_biba_destroy_label },
+ { MAC_DESTROY_TEMP_LABEL,
+ (macop_t)mac_biba_destroy_label },
+ { MAC_DESTROY_VNODE_LABEL,
+ (macop_t)mac_biba_destroy_label },
{ MAC_EXTERNALIZE,
(macop_t)mac_biba_externalize },
{ MAC_INTERNALIZE,
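Review bot: The `(macop_t)` casts in this table discard each function's prototype, so the compiler cannot verify that `mac_biba_init_label_waitcheck(struct label *label, int flag)` matches the argument order the framework uses when it invokes `init_mbuf_label`. The old function took `(mbuf, how, label)`, so the flag moved from before the label to after it; the framework call site is not in this part of the diff and should be checked against the new order. A comment above the array such as `/* macop_t casts hide prototypes; keep every signature in sync with mac_policy.h. */` would flag the hazard. The same applies to `mac_mls_init_label_waitcheck`, `mac_none_init_label_waitcheck` and `mac_test_init_mbuf_label`; the array definition starts and ends outside this hunk.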
diff --git a/sys/security/mac_mls/mac_mls.c b/sys/security/mac_mls/mac_mls.c
index 60675dd..27b74b1 100644
--- a/sys/security/mac_mls/mac_mls.c
+++ b/sys/security/mac_mls/mac_mls.c
@@ -106,11 +106,11 @@ static int mac_mls_check_vnode_open(struct ucred *cred, struct vnode *vp,
struct label *vnodelabel, mode_t acc_mode);
static struct mac_mls *
-mls_alloc(int how)
+mls_alloc(int flag)
{
struct mac_mls *mac_mls;
- mac_mls = malloc(sizeof(struct mac_mls), M_MACMLS, M_ZERO | how);
+ mac_mls = malloc(sizeof(struct mac_mls), M_MACMLS, M_ZERO | flag);
return (mac_mls);
}
@@ -374,46 +374,17 @@ mac_mls_init(struct mac_policy_conf *conf)
* Label operations.
*/
static void
-mac_mls_init_bpfdesc(struct bpf_d *bpf_d, struct label *label)
-{
-
- SLOT(label) = mls_alloc(M_WAITOK);
-}
-
-static void
-mac_mls_init_cred(struct ucred *ucred, struct label *label)
-{
-
- SLOT(label) = mls_alloc(M_WAITOK);
-}
-
-static void
-mac_mls_init_devfsdirent(struct devfs_dirent *devfs_dirent,
- struct label *label)
-{
-
- SLOT(label) = mls_alloc(M_WAITOK);
-}
-
-static void
-mac_mls_init_ifnet(struct ifnet *ifnet, struct label *label)
-{
-
- SLOT(label) = mls_alloc(M_WAITOK);
-}
-
-static void
-mac_mls_init_ipq(struct ipq *ipq, struct label *label)
+mac_mls_init_label(struct label *label)
{
SLOT(label) = mls_alloc(M_WAITOK);
}
static int
-mac_mls_init_mbuf(struct mbuf *mbuf, int how, struct label *label)
+mac_mls_init_label_waitcheck(struct label *label, int flag)
{
- SLOT(label) = mls_alloc(how);
+ SLOT(label) = mls_alloc(flag);
if (SLOT(label) == NULL)
return (ENOMEM);
@@ -421,133 +392,7 @@ mac_mls_init_mbuf(struct mbuf *mbuf, int how, struct label *label)
}
static void
-mac_mls_init_mount(struct mount *mount, struct label *mntlabel,
- struct label *fslabel)
-{
-
- SLOT(mntlabel) = mls_alloc(M_WAITOK);
- SLOT(fslabel) = mls_alloc(M_WAITOK);
-}
-
-static void
-mac_mls_init_socket(struct socket *socket, struct label *label,
- struct label *peerlabel)
-{
-
- SLOT(label) = mls_alloc(M_WAITOK);
- SLOT(peerlabel) = mls_alloc(M_WAITOK);
-}
-
-static void
-mac_mls_init_pipe(struct pipe *pipe, struct label *label)
-{
-
- SLOT(label) = mls_alloc(M_WAITOK);
-}
-
-static void
-mac_mls_init_temp(struct label *label)
-{
-
- SLOT(label) = mls_alloc(M_WAITOK);
-}
-
-static void
-mac_mls_init_vnode(struct vnode *vp, struct label *label)
-{
-
- SLOT(label) = mls_alloc(M_WAITOK);
-}
-
-static void
-mac_mls_destroy_bpfdesc(struct bpf_d *bpf_d, struct label *label)
-{
-
- mls_free(SLOT(label));
- SLOT(label) = NULL;
-}
-
-static void
-mac_mls_destroy_cred(struct ucred *ucred, struct label *label)
-{
-
- mls_free(SLOT(label));
- SLOT(label) = NULL;
-}
-
-static void
-mac_mls_destroy_devfsdirent(struct devfs_dirent *devfs_dirent,
- struct label *label)
-{
-
- mls_free(SLOT(label));
- SLOT(label) = NULL;
-}
-
-static void
-mac_mls_destroy_ifnet(struct ifnet *ifnet, struct label *label)
-{
-
- mls_free(SLOT(label));
- SLOT(label) = NULL;
-}
-
-static void
-mac_mls_destroy_ipq(struct ipq *ipq, struct label *label)
-{
-
- mls_free(SLOT(label));
- SLOT(label) = NULL;
-}
-
-static void
-mac_mls_destroy_mbuf(struct mbuf *mbuf, struct label *label)
-{
-
- mls_free(SLOT(label));
- SLOT(label) = NULL;
-}
-
-static void
-mac_mls_destroy_mount(struct mount *mount, struct label *mntlabel,
- struct label *fslabel)
-{
-
- mls_free(SLOT(mntlabel));
- SLOT(mntlabel) = NULL;
- mls_free(SLOT(fslabel));
- SLOT(fslabel) = NULL;
-}
-
-static void
-mac_mls_destroy_socket(struct socket *socket, struct label *label,
- struct label *peerlabel)
-{
-
- mls_free(SLOT(label));
- SLOT(label) = NULL;
- mls_free(SLOT(peerlabel));
- SLOT(peerlabel) = NULL;
-}
-
-static void
-mac_mls_destroy_pipe(struct pipe *pipe, struct label *label)
-{
-
- mls_free(SLOT(label));
- SLOT(label) = NULL;
-}
-
-static void
-mac_mls_destroy_temp(struct label *label)
-{
-
- mls_free(SLOT(label));
- SLOT(label) = NULL;
-}
-
-static void
-mac_mls_destroy_vnode(struct vnode *vp, struct label *label)
+mac_mls_destroy_label(struct label *label)
{
mls_free(SLOT(label));
@@ -2017,50 +1862,58 @@ static struct mac_policy_op_entry mac_mls_ops[] =
(macop_t)mac_mls_destroy },
{ MAC_INIT,
(macop_t)mac_mls_init },
- { MAC_INIT_BPFDESC,
- (macop_t)mac_mls_init_bpfdesc },
- { MAC_INIT_CRED,
- (macop_t)mac_mls_init_cred },
- { MAC_INIT_DEVFSDIRENT,
- (macop_t)mac_mls_init_devfsdirent },
- { MAC_INIT_IFNET,
- (macop_t)mac_mls_init_ifnet },
- { MAC_INIT_IPQ,
- (macop_t)mac_mls_init_ipq },
- { MAC_INIT_MBUF,
- (macop_t)mac_mls_init_mbuf },
- { MAC_INIT_MOUNT,
- (macop_t)mac_mls_init_mount },
- { MAC_INIT_PIPE,
- (macop_t)mac_mls_init_pipe },
- { MAC_INIT_SOCKET,
- (macop_t)mac_mls_init_socket },
- { MAC_INIT_TEMP,
- (macop_t)mac_mls_init_temp },
- { MAC_INIT_VNODE,
- (macop_t)mac_mls_init_vnode },
- { MAC_DESTROY_BPFDESC,
- (macop_t)mac_mls_destroy_bpfdesc },
- { MAC_DESTROY_CRED,
- (macop_t)mac_mls_destroy_cred },
- { MAC_DESTROY_DEVFSDIRENT,
- (macop_t)mac_mls_destroy_devfsdirent },
- { MAC_DESTROY_IFNET,
- (macop_t)mac_mls_destroy_ifnet },
- { MAC_DESTROY_IPQ,
- (macop_t)mac_mls_destroy_ipq },
- { MAC_DESTROY_MBUF,
- (macop_t)mac_mls_destroy_mbuf },
- { MAC_DESTROY_MOUNT,
- (macop_t)mac_mls_destroy_mount },
- { MAC_DESTROY_PIPE,
- (macop_t)mac_mls_destroy_pipe },
- { MAC_DESTROY_SOCKET,
- (macop_t)mac_mls_destroy_socket },
- { MAC_DESTROY_TEMP,
- (macop_t)mac_mls_destroy_temp },
- { MAC_DESTROY_VNODE,
- (macop_t)mac_mls_destroy_vnode },
+ { MAC_INIT_BPFDESC_LABEL,
+ (macop_t)mac_mls_init_label },
+ { MAC_INIT_CRED_LABEL,
+ (macop_t)mac_mls_init_label },
+ { MAC_INIT_DEVFSDIRENT_LABEL,
+ (macop_t)mac_mls_init_label },
+ { MAC_INIT_IFNET_LABEL,
+ (macop_t)mac_mls_init_label },
+ { MAC_INIT_IPQ_LABEL,
+ (macop_t)mac_mls_init_label },
+ { MAC_INIT_MBUF_LABEL,
+ (macop_t)mac_mls_init_label_waitcheck },
+ { MAC_INIT_MOUNT_LABEL,
+ (macop_t)mac_mls_init_label },
+ { MAC_INIT_MOUNT_FS_LABEL,
+ (macop_t)mac_mls_init_label },
+ { MAC_INIT_PIPE_LABEL,
+ (macop_t)mac_mls_init_label },
+ { MAC_INIT_SOCKET_LABEL,
+ (macop_t)mac_mls_init_label },
+ { MAC_INIT_SOCKET_PEER_LABEL,
+ (macop_t)mac_mls_init_label },
+ { MAC_INIT_TEMP_LABEL,
+ (macop_t)mac_mls_init_label },
+ { MAC_INIT_VNODE_LABEL,
+ (macop_t)mac_mls_init_label },
+ { MAC_DESTROY_BPFDESC_LABEL,
+ (macop_t)mac_mls_destroy_label },
+ { MAC_DESTROY_CRED_LABEL,
+ (macop_t)mac_mls_destroy_label },
+ { MAC_DESTROY_DEVFSDIRENT_LABEL,
+ (macop_t)mac_mls_destroy_label },
+ { MAC_DESTROY_IFNET_LABEL,
+ (macop_t)mac_mls_destroy_label },
+ { MAC_DESTROY_IPQ_LABEL,
+ (macop_t)mac_mls_destroy_label },
+ { MAC_DESTROY_MBUF_LABEL,
+ (macop_t)mac_mls_destroy_label },
+ { MAC_DESTROY_MOUNT_LABEL,
+ (macop_t)mac_mls_destroy_label },
+ { MAC_DESTROY_MOUNT_FS_LABEL,
+ (macop_t)mac_mls_destroy_label },
+ { MAC_DESTROY_PIPE_LABEL,
+ (macop_t)mac_mls_destroy_label },
+ { MAC_DESTROY_SOCKET_LABEL,
+ (macop_t)mac_mls_destroy_label },
+ { MAC_DESTROY_SOCKET_PEER_LABEL,
+ (macop_t)mac_mls_destroy_label },
+ { MAC_DESTROY_TEMP_LABEL,
+ (macop_t)mac_mls_destroy_label },
+ { MAC_DESTROY_VNODE_LABEL,
+ (macop_t)mac_mls_destroy_label },
{ MAC_EXTERNALIZE,
(macop_t)mac_mls_externalize },
{ MAC_INTERNALIZE,
diff --git a/sys/security/mac_none/mac_none.c b/sys/security/mac_none/mac_none.c
index dcc829c..052628b 100644
--- a/sys/security/mac_none/mac_none.c
+++ b/sys/security/mac_none/mac_none.c
@@ -109,140 +109,20 @@ mac_none_syscall(struct thread *td, int call, void *arg)
* Label operations.
*/
static void
-mac_none_init_bpfdesc(struct bpf_d *bpf_d, struct label *label)
-{
-
-}
-
-static void
-mac_none_init_cred(struct ucred *ucred, struct label *label)
-{
-
-}
-
-static void
-mac_none_init_devfsdirent(struct devfs_dirent *devfs_dirent,
- struct label *label)
-{
-
-}
-
-static void
-mac_none_init_ifnet(struct ifnet *ifnet, struct label *label)
-{
-
-}
-
-static void
-mac_none_init_ipq(struct ipq *ipq, struct label *ipqlabel)
+mac_none_init_label(struct label *label)
{
}
static int
-mac_none_init_mbuf(struct mbuf *mbuf, int how, struct label *label)
+mac_none_init_label_waitcheck(struct label *label, int flag)
{
return (0);
}
static void
-mac_none_init_mount(struct mount *mount, struct label *mntlabel,
- struct label *fslabel)
-{
-
-}
-
-static void
-mac_none_init_socket(struct socket *socket, struct label *label,
- struct label *peerlabel)
-{
-
-}
-
-static void
-mac_none_init_pipe(struct pipe *pipe, struct label *label)
-{
-
-}
-
-static void
-mac_none_init_temp(struct label *label)
-{
-
-}
-
-static void
-mac_none_init_vnode(struct vnode *vp, struct label *label)
-{
-
-}
-
-static void
-mac_none_destroy_bpfdesc(struct bpf_d *bpf_d, struct label *label)
-{
-
-}
-
-static void
-mac_none_destroy_cred(struct ucred *ucred, struct label *label)
-{
-
-}
-
-static void
-mac_none_destroy_devfsdirent(struct devfs_dirent *devfs_dirent,
- struct label *label)
-{
-
-}
-
-static void
-mac_none_destroy_ifnet(struct ifnet *ifnet, struct label *label)
-{
-
-}
-
-static void
-mac_none_destroy_ipq(struct ipq *ipq, struct label *label)
-{
-
-}
-
-static void
-mac_none_destroy_mbuf(struct mbuf *mbuf, struct label *label)
-{
-
-}
-
-static void
-mac_none_destroy_mount(struct mount *mount, struct label *mntlabel,
- struct label *fslabel)
-{
-
-}
-
-static void
-mac_none_destroy_socket(struct socket *socket, struct label *label,
- struct label *peerlabel)
-{
-
-}
-
-static void
-mac_none_destroy_pipe(struct pipe *pipe, struct label *label)
-{
-
-}
-
-static void
-mac_none_destroy_temp(struct label *label)
-{
-
-}
-
-static void
-mac_none_destroy_vnode(struct vnode *vp, struct label *label)
+mac_none_destroy_label(struct label *label)
{
}
@@ -943,50 +823,58 @@ static struct mac_policy_op_entry mac_none_ops[] =
(macop_t)mac_none_init },
{ MAC_SYSCALL,
(macop_t)mac_none_syscall },
- { MAC_INIT_BPFDESC,
- (macop_t)mac_none_init_bpfdesc },
- { MAC_INIT_CRED,
- (macop_t)mac_none_init_cred },
- { MAC_INIT_DEVFSDIRENT,
- (macop_t)mac_none_init_devfsdirent },
- { MAC_INIT_IFNET,
- (macop_t)mac_none_init_ifnet },
- { MAC_INIT_IPQ,
- (macop_t)mac_none_init_ipq },
- { MAC_INIT_MBUF,
- (macop_t)mac_none_init_mbuf },
- { MAC_INIT_MOUNT,
- (macop_t)mac_none_init_mount },
- { MAC_INIT_PIPE,
- (macop_t)mac_none_init_pipe },
- { MAC_INIT_SOCKET,
- (macop_t)mac_none_init_socket },
- { MAC_INIT_TEMP,
- (macop_t)mac_none_init_temp },
- { MAC_INIT_VNODE,
- (macop_t)mac_none_init_vnode },
- { MAC_DESTROY_BPFDESC,
- (macop_t)mac_none_destroy_bpfdesc },
- { MAC_DESTROY_CRED,
- (macop_t)mac_none_destroy_cred },
- { MAC_DESTROY_DEVFSDIRENT,
- (macop_t)mac_none_destroy_devfsdirent },
- { MAC_DESTROY_IFNET,
- (macop_t)mac_none_destroy_ifnet },
- { MAC_DESTROY_IPQ,
- (macop_t)mac_none_destroy_ipq },
- { MAC_DESTROY_MBUF,
- (macop_t)mac_none_destroy_mbuf },
- { MAC_DESTROY_MOUNT,
- (macop_t)mac_none_destroy_mount },
- { MAC_DESTROY_PIPE,
- (macop_t)mac_none_destroy_pipe },
- { MAC_DESTROY_SOCKET,
- (macop_t)mac_none_destroy_socket },
- { MAC_DESTROY_TEMP,
- (macop_t)mac_none_destroy_temp },
- { MAC_DESTROY_VNODE,
- (macop_t)mac_none_destroy_vnode },
+ { MAC_INIT_BPFDESC_LABEL,
+ (macop_t)mac_none_init_label },
+ { MAC_INIT_CRED_LABEL,
+ (macop_t)mac_none_init_label },
+ { MAC_INIT_DEVFSDIRENT_LABEL,
+ (macop_t)mac_none_init_label },
+ { MAC_INIT_IFNET_LABEL,
+ (macop_t)mac_none_init_label },
+ { MAC_INIT_IPQ_LABEL,
+ (macop_t)mac_none_init_label },
+ { MAC_INIT_MBUF_LABEL,
+ (macop_t)mac_none_init_label_waitcheck },
+ { MAC_INIT_MOUNT_LABEL,
+ (macop_t)mac_none_init_label },
+ { MAC_INIT_MOUNT_FS_LABEL,
+ (macop_t)mac_none_init_label },
+ { MAC_INIT_PIPE_LABEL,
+ (macop_t)mac_none_init_label },
+ { MAC_INIT_SOCKET_LABEL,
+ (macop_t)mac_none_init_label },
+ { MAC_INIT_SOCKET_PEER_LABEL,
+ (macop_t)mac_none_init_label },
+ { MAC_INIT_TEMP_LABEL,
+ (macop_t)mac_none_init_label },
+ { MAC_INIT_VNODE_LABEL,
+ (macop_t)mac_none_init_label },
+ { MAC_DESTROY_BPFDESC_LABEL,
+ (macop_t)mac_none_destroy_label },
+ { MAC_DESTROY_CRED_LABEL,
+ (macop_t)mac_none_destroy_label },
+ { MAC_DESTROY_DEVFSDIRENT_LABEL,
+ (macop_t)mac_none_destroy_label },
+ { MAC_DESTROY_IFNET_LABEL,
+ (macop_t)mac_none_destroy_label },
+ { MAC_DESTROY_IPQ_LABEL,
+ (macop_t)mac_none_destroy_label },
+ { MAC_DESTROY_MBUF_LABEL,
+ (macop_t)mac_none_destroy_label },
+ { MAC_DESTROY_MOUNT_LABEL,
+ (macop_t)mac_none_destroy_label },
+ { MAC_DESTROY_MOUNT_FS_LABEL,
+ (macop_t)mac_none_destroy_label },
+ { MAC_DESTROY_PIPE_LABEL,
+ (macop_t)mac_none_destroy_label },
+ { MAC_DESTROY_SOCKET_LABEL,
+ (macop_t)mac_none_destroy_label },
+ { MAC_DESTROY_SOCKET_PEER_LABEL,
+ (macop_t)mac_none_destroy_label },
+ { MAC_DESTROY_TEMP_LABEL,
+ (macop_t)mac_none_destroy_label },
+ { MAC_DESTROY_VNODE_LABEL,
+ (macop_t)mac_none_destroy_label },
{ MAC_EXTERNALIZE,
(macop_t)mac_none_externalize },
{ MAC_INTERNALIZE,
diff --git a/sys/security/mac_stub/mac_stub.c b/sys/security/mac_stub/mac_stub.c
index dcc829c..052628b 100644
--- a/sys/security/mac_stub/mac_stub.c
+++ b/sys/security/mac_stub/mac_stub.c
@@ -109,140 +109,20 @@ mac_none_syscall(struct thread *td, int call, void *arg)
* Label operations.
*/
static void
-mac_none_init_bpfdesc(struct bpf_d *bpf_d, struct label *label)
-{
-
-}
-
-static void
-mac_none_init_cred(struct ucred *ucred, struct label *label)
-{
-
-}
-
-static void
-mac_none_init_devfsdirent(struct devfs_dirent *devfs_dirent,
- struct label *label)
-{
-
-}
-
-static void
-mac_none_init_ifnet(struct ifnet *ifnet, struct label *label)
-{
-
-}
-
-static void
-mac_none_init_ipq(struct ipq *ipq, struct label *ipqlabel)
+mac_none_init_label(struct label *label)
{
}
static int
-mac_none_init_mbuf(struct mbuf *mbuf, int how, struct label *label)
+mac_none_init_label_waitcheck(struct label *label, int flag)
{
return (0);
}
static void
-mac_none_init_mount(struct mount *mount, struct label *mntlabel,
- struct label *fslabel)
-{
-
-}
-
-static void
-mac_none_init_socket(struct socket *socket, struct label *label,
- struct label *peerlabel)
-{
-
-}
-
-static void
-mac_none_init_pipe(struct pipe *pipe, struct label *label)
-{
-
-}
-
-static void
-mac_none_init_temp(struct label *label)
-{
-
-}
-
-static void
-mac_none_init_vnode(struct vnode *vp, struct label *label)
-{
-
-}
-
-static void
-mac_none_destroy_bpfdesc(struct bpf_d *bpf_d, struct label *label)
-{
-
-}
-
-static void
-mac_none_destroy_cred(struct ucred *ucred, struct label *label)
-{
-
-}
-
-static void
-mac_none_destroy_devfsdirent(struct devfs_dirent *devfs_dirent,
- struct label *label)
-{
-
-}
-
-static void
-mac_none_destroy_ifnet(struct ifnet *ifnet, struct label *label)
-{
-
-}
-
-static void
-mac_none_destroy_ipq(struct ipq *ipq, struct label *label)
-{
-
-}
-
-static void
-mac_none_destroy_mbuf(struct mbuf *mbuf, struct label *label)
-{
-
-}
-
-static void
-mac_none_destroy_mount(struct mount *mount, struct label *mntlabel,
- struct label *fslabel)
-{
-
-}
-
-static void
-mac_none_destroy_socket(struct socket *socket, struct label *label,
- struct label *peerlabel)
-{
-
-}
-
-static void
-mac_none_destroy_pipe(struct pipe *pipe, struct label *label)
-{
-
-}
-
-static void
-mac_none_destroy_temp(struct label *label)
-{
-
-}
-
-static void
-mac_none_destroy_vnode(struct vnode *vp, struct label *label)
+mac_none_destroy_label(struct label *label)
{
}
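Review bot: The functions added to mac_stub.c here keep the `mac_none_` prefix (`mac_none_init_label`, `mac_none_init_label_waitcheck`, `mac_none_destroy_label`), and the file header shows the same blob ids as mac_none.c, so this looks like an unrenamed copy. Symbol names in a backtrace or debugger would then not say which of the two modules ran. If mac_stub.c is meant to be a distinct policy, the prefix should follow the file name, e.g. `mac_stub_init_label(struct label *label)`. The ops-table hunk that follows in the same file has the same issue.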
@@ -943,50 +823,58 @@ static struct mac_policy_op_entry mac_none_ops[] =
(macop_t)mac_none_init },
{ MAC_SYSCALL,
(macop_t)mac_none_syscall },
- { MAC_INIT_BPFDESC,
- (macop_t)mac_none_init_bpfdesc },
- { MAC_INIT_CRED,
- (macop_t)mac_none_init_cred },
- { MAC_INIT_DEVFSDIRENT,
- (macop_t)mac_none_init_devfsdirent },
- { MAC_INIT_IFNET,
- (macop_t)mac_none_init_ifnet },
- { MAC_INIT_IPQ,
- (macop_t)mac_none_init_ipq },
- { MAC_INIT_MBUF,
- (macop_t)mac_none_init_mbuf },
- { MAC_INIT_MOUNT,
- (macop_t)mac_none_init_mount },
- { MAC_INIT_PIPE,
- (macop_t)mac_none_init_pipe },
- { MAC_INIT_SOCKET,
- (macop_t)mac_none_init_socket },
- { MAC_INIT_TEMP,
- (macop_t)mac_none_init_temp },
- { MAC_INIT_VNODE,
- (macop_t)mac_none_init_vnode },
- { MAC_DESTROY_BPFDESC,
- (macop_t)mac_none_destroy_bpfdesc },
- { MAC_DESTROY_CRED,
- (macop_t)mac_none_destroy_cred },
- { MAC_DESTROY_DEVFSDIRENT,
- (macop_t)mac_none_destroy_devfsdirent },
- { MAC_DESTROY_IFNET,
- (macop_t)mac_none_destroy_ifnet },
- { MAC_DESTROY_IPQ,
- (macop_t)mac_none_destroy_ipq },
- { MAC_DESTROY_MBUF,
- (macop_t)mac_none_destroy_mbuf },
- { MAC_DESTROY_MOUNT,
- (macop_t)mac_none_destroy_mount },
- { MAC_DESTROY_PIPE,
- (macop_t)mac_none_destroy_pipe },
- { MAC_DESTROY_SOCKET,
- (macop_t)mac_none_destroy_socket },
- { MAC_DESTROY_TEMP,
- (macop_t)mac_none_destroy_temp },
- { MAC_DESTROY_VNODE,
- (macop_t)mac_none_destroy_vnode },
+ { MAC_INIT_BPFDESC_LABEL,
+ (macop_t)mac_none_init_label },
+ { MAC_INIT_CRED_LABEL,
+ (macop_t)mac_none_init_label },
+ { MAC_INIT_DEVFSDIRENT_LABEL,
+ (macop_t)mac_none_init_label },
+ { MAC_INIT_IFNET_LABEL,
+ (macop_t)mac_none_init_label },
+ { MAC_INIT_IPQ_LABEL,
+ (macop_t)mac_none_init_label },
+ { MAC_INIT_MBUF_LABEL,
+ (macop_t)mac_none_init_label_waitcheck },
+ { MAC_INIT_MOUNT_LABEL,
+ (macop_t)mac_none_init_label },
+ { MAC_INIT_MOUNT_FS_LABEL,
+ (macop_t)mac_none_init_label },
+ { MAC_INIT_PIPE_LABEL,
+ (macop_t)mac_none_init_label },
+ { MAC_INIT_SOCKET_LABEL,
+ (macop_t)mac_none_init_label },
+ { MAC_INIT_SOCKET_PEER_LABEL,
+ (macop_t)mac_none_init_label },
+ { MAC_INIT_TEMP_LABEL,
+ (macop_t)mac_none_init_label },
+ { MAC_INIT_VNODE_LABEL,
+ (macop_t)mac_none_init_label },
+ { MAC_DESTROY_BPFDESC_LABEL,
+ (macop_t)mac_none_destroy_label },
+ { MAC_DESTROY_CRED_LABEL,
+ (macop_t)mac_none_destroy_label },
+ { MAC_DESTROY_DEVFSDIRENT_LABEL,
+ (macop_t)mac_none_destroy_label },
+ { MAC_DESTROY_IFNET_LABEL,
+ (macop_t)mac_none_destroy_label },
+ { MAC_DESTROY_IPQ_LABEL,
+ (macop_t)mac_none_destroy_label },
+ { MAC_DESTROY_MBUF_LABEL,
+ (macop_t)mac_none_destroy_label },
+ { MAC_DESTROY_MOUNT_LABEL,
+ (macop_t)mac_none_destroy_label },
+ { MAC_DESTROY_MOUNT_FS_LABEL,
+ (macop_t)mac_none_destroy_label },
+ { MAC_DESTROY_PIPE_LABEL,
+ (macop_t)mac_none_destroy_label },
+ { MAC_DESTROY_SOCKET_LABEL,
+ (macop_t)mac_none_destroy_label },
+ { MAC_DESTROY_SOCKET_PEER_LABEL,
+ (macop_t)mac_none_destroy_label },
+ { MAC_DESTROY_TEMP_LABEL,
+ (macop_t)mac_none_destroy_label },
+ { MAC_DESTROY_VNODE_LABEL,
+ (macop_t)mac_none_destroy_label },
{ MAC_EXTERNALIZE,
(macop_t)mac_none_externalize },
{ MAC_INTERNALIZE,
diff --git a/sys/security/mac_test/mac_test.c b/sys/security/mac_test/mac_test.c
index 4ccae53..c6335da 100644
--- a/sys/security/mac_test/mac_test.c
+++ b/sys/security/mac_test/mac_test.c
@@ -118,9 +118,16 @@ SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mbuf, CTLFLAG_RD,
static int init_count_mount;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mount, CTLFLAG_RD,
&init_count_mount, 0, "mount init calls");
+static int init_count_mount_fslabel;
+SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_mount_fslabel, CTLFLAG_RD,
+ &init_count_mount_fslabel, 0, "mount_fslabel init calls");
static int init_count_socket;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_socket, CTLFLAG_RD,
&init_count_socket, 0, "socket init calls");
+static int init_count_socket_peerlabel;
+SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_socket_peerlabel,
+ CTLFLAG_RD, &init_count_socket_peerlabel, 0,
+ "socket_peerlabel init calls");
static int init_count_pipe;
SYSCTL_INT(_security_mac_test, OID_AUTO, init_count_pipe, CTLFLAG_RD,
&init_count_pipe, 0, "pipe init calls");
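Review bot: The new counters are spelled `init_count_mount_fslabel` and `init_count_socket_peerlabel`, while the entry points they count are spelled `init_mount_fs_label` and `init_socket_peer_label`. These names become sysctl OIDs under `security.mac_test`, so renaming them later would be visible to anything that reads them. Matching the entry-point spelling now, e.g. `static int init_count_mount_fs_label;` and `static int init_count_socket_peer_label;`, keeps the counter-to-hook mapping mechanical. The destroy counters in the next hunk (`destroy_count_mount_fslabel`, `destroy_count_socket_peerlabel`) have the same mismatch.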
@@ -152,9 +159,17 @@ SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mbuf, CTLFLAG_RD,
static int destroy_count_mount;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mount, CTLFLAG_RD,
&destroy_count_mount, 0, "mount destroy calls");
+static int destroy_count_mount_fslabel;
+SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_mount_fslabel,
+ CTLFLAG_RD, &destroy_count_mount_fslabel, 0,
+ "mount_fslabel destroy calls");
static int destroy_count_socket;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_socket, CTLFLAG_RD,
&destroy_count_socket, 0, "socket destroy calls");
+static int destroy_count_socket_peerlabel;
+SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_socket_peerlabel,
+ CTLFLAG_RD, &destroy_count_socket_peerlabel, 0,
+ "socket_peerlabel destroy calls");
static int destroy_count_pipe;
SYSCTL_INT(_security_mac_test, OID_AUTO, destroy_count_pipe, CTLFLAG_RD,
&destroy_count_pipe, 0, "pipe destroy calls");
@@ -198,7 +213,7 @@ mac_test_syscall(struct thread *td, int call, void *arg)
* Label operations.
*/
static void
-mac_test_init_bpfdesc(struct bpf_d *bpf_d, struct label *label)
+mac_test_init_bpfdesc_label(struct label *label)
{
SLOT(label) = BPFMAGIC;
@@ -206,7 +221,7 @@ mac_test_init_bpfdesc(struct bpf_d *bpf_d, struct label *label)
}
static void
-mac_test_init_cred(struct ucred *ucred, struct label *label)
+mac_test_init_cred_label(struct label *label)
{
SLOT(label) = CREDMAGIC;
@@ -214,8 +229,7 @@ mac_test_init_cred(struct ucred *ucred, struct label *label)
}
static void
-mac_test_init_devfsdirent(struct devfs_dirent *devfs_dirent,
- struct label *label)
+mac_test_init_devfsdirent_label(struct label *label)
{
SLOT(label) = DEVFSMAGIC;
@@ -223,7 +237,7 @@ mac_test_init_devfsdirent(struct devfs_dirent *devfs_dirent,
}
static void
-mac_test_init_ifnet(struct ifnet *ifnet, struct label *label)
+mac_test_init_ifnet_label(struct label *label)
{
SLOT(label) = IFNETMAGIC;
@@ -231,7 +245,7 @@ mac_test_init_ifnet(struct ifnet *ifnet, struct label *label)
}
static void
-mac_test_init_ipq(struct ipq *ipq, struct label *label)
+mac_test_init_ipq_label(struct label *label)
{
SLOT(label) = IPQMAGIC;
@@ -239,7 +253,7 @@ mac_test_init_ipq(struct ipq *ipq, struct label *label)
}
static int
-mac_test_init_mbuf(struct mbuf *mbuf, int how, struct label *label)
+mac_test_init_mbuf_label(struct label *label, int flag)
{
SLOT(label) = MBUFMAGIC;
@@ -248,27 +262,39 @@ mac_test_init_mbuf(struct mbuf *mbuf, int how, struct label *label)
}
static void
-mac_test_init_mount(struct mount *mount, struct label *mntlabel,
- struct label *fslabel)
+mac_test_init_mount_label(struct label *label)
{
- SLOT(mntlabel) = MOUNTMAGIC;
- SLOT(fslabel) = MOUNTMAGIC;
+ SLOT(label) = MOUNTMAGIC;
atomic_add_int(&init_count_mount, 1);
}
static void
-mac_test_init_socket(struct socket *socket, struct label *label,
- struct label *peerlabel)
+mac_test_init_mount_fs_label(struct label *label)
+{
+
+ SLOT(label) = MOUNTMAGIC;
+ atomic_add_int(&init_count_mount_fslabel, 1);
+}
+
+static void
+mac_test_init_socket_label(struct label *label)
{
SLOT(label) = SOCKETMAGIC;
- SLOT(peerlabel) = SOCKETMAGIC;
atomic_add_int(&init_count_socket, 1);
}
static void
-mac_test_init_pipe(struct pipe *pipe, struct label *label)
+mac_test_init_socket_peer_label(struct label *label)
+{
+
+ SLOT(label) = SOCKETMAGIC;
+ atomic_add_int(&init_count_socket_peerlabel, 1);
+}
+
+static void
+mac_test_init_pipe_label(struct label *label)
{
SLOT(label) = PIPEMAGIC;
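Review bot: `mac_test_init_mount_fs_label` and `mac_test_init_socket_peer_label` stamp the same magic as the primary hooks (`MOUNTMAGIC`, `SOCKETMAGIC`). The two labels of a mount or socket now go through separate entry points, yet this test policy still cannot detect the framework handing a fs label to the mount hook or a peer label to the socket hook. Giving each its own value, e.g. `SLOT(label) = MOUNTFSMAGIC;` and `SLOT(label) = SOCKETPEERMAGIC;` (proposed new constants, defined next to the existing magics, which are outside this hunk), would let the matching destroy hooks in the `-394,23 +416,49` hunk report a crossed label as corrupted. The body of `mac_test_init_pipe_label` continues outside the hunk.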
@@ -276,7 +302,7 @@ mac_test_init_pipe(struct pipe *pipe, struct label *label)
}
static void
-mac_test_init_temp(struct label *label)
+mac_test_init_temp_label(struct label *label)
{
SLOT(label) = TEMPMAGIC;
@@ -284,7 +310,7 @@ mac_test_init_temp(struct label *label)
}
static void
-mac_test_init_vnode(struct vnode *vp, struct label *label)
+mac_test_init_vnode_label(struct label *label)
{
SLOT(label) = VNODEMAGIC;
@@ -292,7 +318,7 @@ mac_test_init_vnode(struct vnode *vp, struct label *label)
}
static void
-mac_test_destroy_bpfdesc(struct bpf_d *bpf_d, struct label *label)
+mac_test_destroy_bpfdesc_label(struct label *label)
{
if (SLOT(label) == BPFMAGIC || SLOT(label) == 0) {
@@ -306,7 +332,7 @@ mac_test_destroy_bpfdesc(struct bpf_d *bpf_d, struct label *label)
}
static void
-mac_test_destroy_cred(struct ucred *ucred, struct label *label)
+mac_test_destroy_cred_label(struct label *label)
{
if (SLOT(label) == CREDMAGIC || SLOT(label) == 0) {
@@ -320,8 +346,7 @@ mac_test_destroy_cred(struct ucred *ucred, struct label *label)
}
static void
-mac_test_destroy_devfsdirent(struct devfs_dirent *devfs_dirent,
- struct label *label)
+mac_test_destroy_devfsdirent_label(struct label *label)
{
if (SLOT(label) == DEVFSMAGIC || SLOT(label) == 0) {
@@ -335,7 +360,7 @@ mac_test_destroy_devfsdirent(struct devfs_dirent *devfs_dirent,
}
static void
-mac_test_destroy_ifnet(struct ifnet *ifnet, struct label *label)
+mac_test_destroy_ifnet_label(struct label *label)
{
if (SLOT(label) == IFNETMAGIC || SLOT(label) == 0) {
@@ -349,7 +374,7 @@ mac_test_destroy_ifnet(struct ifnet *ifnet, struct label *label)
}
static void
-mac_test_destroy_ipq(struct ipq *ipq, struct label *label)
+mac_test_destroy_ipq_label(struct label *label)
{
if (SLOT(label) == IPQMAGIC || SLOT(label) == 0) {
@@ -363,7 +388,7 @@ mac_test_destroy_ipq(struct ipq *ipq, struct label *label)
}
static void
-mac_test_destroy_mbuf(struct mbuf *mbuf, struct label *label)
+mac_test_destroy_mbuf_label(struct label *label)
{
if (SLOT(label) == MBUFMAGIC || SLOT(label) == 0) {
@@ -377,16 +402,13 @@ mac_test_destroy_mbuf(struct mbuf *mbuf, struct label *label)
}
static void
-mac_test_destroy_mount(struct mount *mount, struct label *mntlabel,
- struct label *fslabel)
+mac_test_destroy_mount_label(struct label *label)
{
- if ((SLOT(mntlabel) == MOUNTMAGIC || SLOT(mntlabel) == 0) &&
- (SLOT(fslabel) == MOUNTMAGIC || SLOT(fslabel) == 0)) {
+ if ((SLOT(label) == MOUNTMAGIC || SLOT(label) == 0)) {
atomic_add_int(&destroy_count_mount, 1);
- SLOT(mntlabel) = EXMAGIC;
- SLOT(fslabel) = EXMAGIC;
- } else if (SLOT(mntlabel) == EXMAGIC || SLOT(fslabel) == EXMAGIC) {
+ SLOT(label) = EXMAGIC;
+ } else if (SLOT(label) == EXMAGIC) {
Debugger("mac_test_destroy_mount: dup destroy");
} else {
Debugger("mac_test_destroy_mount: corrupted label");
@@ -394,23 +416,49 @@ mac_test_destroy_mount(struct mount *mount, struct label *mntlabel,
}
static void
-mac_test_destroy_socket(struct socket *socket, struct label *label,
- struct label *peerlabel)
+mac_test_destroy_mount_fs_label(struct label *label)
{
- if ((SLOT(label) == SOCKETMAGIC || SLOT(label) == 0) &&
- (SLOT(peerlabel) == SOCKETMAGIC || SLOT(peerlabel) == 0)) {
+ if ((SLOT(label) == MOUNTMAGIC || SLOT(label) == 0)) {
+ atomic_add_int(&destroy_count_mount_fslabel, 1);
+ SLOT(label) = EXMAGIC;
+ } else if (SLOT(label) == EXMAGIC) {
+ Debugger("mac_test_destroy_mount_fslabel: dup destroy");
+ } else {
+ Debugger("mac_test_destroy_mount_fslabel: corrupted label");
+ }
+}
+
+static void
+mac_test_destroy_socket_label(struct label *label)
+{
+
+ if ((SLOT(label) == SOCKETMAGIC || SLOT(label) == 0)) {
atomic_add_int(&destroy_count_socket, 1);
SLOT(label) = EXMAGIC;
- SLOT(peerlabel) = EXMAGIC;
- } else if (SLOT(label) == EXMAGIC || SLOT(peerlabel) == EXMAGIC) {
+ } else if (SLOT(label) == EXMAGIC) {
Debugger("mac_test_destroy_socket: dup destroy");
} else {
Debugger("mac_test_destroy_socket: corrupted label");
}
}
+
+static void
+mac_test_destroy_socket_peer_label(struct label *label)
+{
+
+ if ((SLOT(label) == SOCKETMAGIC || SLOT(label) == 0)) {
+ atomic_add_int(&destroy_count_socket_peerlabel, 1);
+ SLOT(label) = EXMAGIC;
+ } else if (SLOT(label) == EXMAGIC) {
+ Debugger("mac_test_destroy_socket_peerlabel: dup destroy");
+ } else {
+ Debugger("mac_test_destroy_socket_peerlabel: corrupted label");
+ }
+}
+
static void
-mac_test_destroy_pipe(struct pipe *pipe, struct label *label)
+mac_test_destroy_pipe_label(struct label *label)
{
if ((SLOT(label) == PIPEMAGIC || SLOT(label) == 0)) {
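Review bot: The `Debugger()` strings no longer name the functions that emit them: `mac_test_destroy_mount_fs_label` reports as `mac_test_destroy_mount_fslabel`, `mac_test_destroy_socket_peer_label` as `mac_test_destroy_socket_peerlabel`, and `mac_test_destroy_socket_label` still says `mac_test_destroy_socket` (likewise `mac_test_destroy_mount` in the previous hunk). These strings are the only trace of a double destroy or a corrupted label, so they should match a symbol that can be searched for, e.g. `Debugger("mac_test_destroy_mount_fs_label: dup destroy");`. The doubled parentheses in `if ((SLOT(label) == SOCKETMAGIC || SLOT(label) == 0))` are left over from the old two-label condition and can be dropped. The body of `mac_test_destroy_pipe_label` continues outside the hunk.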
@@ -424,7 +472,7 @@ mac_test_destroy_pipe(struct pipe *pipe, struct label *label)
}
static void
-mac_test_destroy_temp(struct label *label)
+mac_test_destroy_temp_label(struct label *label)
{
if (SLOT(label) == TEMPMAGIC || SLOT(label) == 0) {
@@ -438,7 +486,7 @@ mac_test_destroy_temp(struct label *label)
}
static void
-mac_test_destroy_vnode(struct vnode *vp, struct label *label)
+mac_test_destroy_vnode_label(struct label *label)
{
if (SLOT(label) == VNODEMAGIC || SLOT(label) == 0) {
@@ -1151,50 +1199,58 @@ static struct mac_policy_op_entry mac_test_ops[] =
(macop_t)mac_test_init },
{ MAC_SYSCALL,
(macop_t)mac_test_syscall },
- { MAC_INIT_BPFDESC,
- (macop_t)mac_test_init_bpfdesc },
- { MAC_INIT_CRED,
- (macop_t)mac_test_init_cred },
- { MAC_INIT_DEVFSDIRENT,
- (macop_t)mac_test_init_devfsdirent },
- { MAC_INIT_IFNET,
- (macop_t)mac_test_init_ifnet },
- { MAC_INIT_IPQ,
- (macop_t)mac_test_init_ipq },
- { MAC_INIT_MBUF,
- (macop_t)mac_test_init_mbuf },
- { MAC_INIT_MOUNT,
- (macop_t)mac_test_init_mount },
- { MAC_INIT_PIPE,
- (macop_t)mac_test_init_pipe },
- { MAC_INIT_SOCKET,
- (macop_t)mac_test_init_socket },
- { MAC_INIT_TEMP,
- (macop_t)mac_test_init_temp },
- { MAC_INIT_VNODE,
- (macop_t)mac_test_init_vnode },
- { MAC_DESTROY_BPFDESC,
- (macop_t)mac_test_destroy_bpfdesc },
- { MAC_DESTROY_CRED,
- (macop_t)mac_test_destroy_cred },
- { MAC_DESTROY_DEVFSDIRENT,
- (macop_t)mac_test_destroy_devfsdirent },
- { MAC_DESTROY_IFNET,
- (macop_t)mac_test_destroy_ifnet },
- { MAC_DESTROY_IPQ,
- (macop_t)mac_test_destroy_ipq },
- { MAC_DESTROY_MBUF,
- (macop_t)mac_test_destroy_mbuf },
- { MAC_DESTROY_MOUNT,
- (macop_t)mac_test_destroy_mount },
- { MAC_DESTROY_PIPE,
- (macop_t)mac_test_destroy_pipe },
- { MAC_DESTROY_SOCKET,
- (macop_t)mac_test_destroy_socket },
- { MAC_DESTROY_TEMP,
- (macop_t)mac_test_destroy_temp },
- { MAC_DESTROY_VNODE,
- (macop_t)mac_test_destroy_vnode },
+ { MAC_INIT_BPFDESC_LABEL,
+ (macop_t)mac_test_init_bpfdesc_label },
+ { MAC_INIT_CRED_LABEL,
+ (macop_t)mac_test_init_cred_label },
+ { MAC_INIT_DEVFSDIRENT_LABEL,
+ (macop_t)mac_test_init_devfsdirent_label },
+ { MAC_INIT_IFNET_LABEL,
+ (macop_t)mac_test_init_ifnet_label },
+ { MAC_INIT_IPQ_LABEL,
+ (macop_t)mac_test_init_ipq_label },
+ { MAC_INIT_MBUF_LABEL,
+ (macop_t)mac_test_init_mbuf_label },
+ { MAC_INIT_MOUNT_LABEL,
+ (macop_t)mac_test_init_mount_label },
+ { MAC_INIT_MOUNT_FS_LABEL,
+ (macop_t)mac_test_init_mount_fs_label },
+ { MAC_INIT_PIPE_LABEL,
+ (macop_t)mac_test_init_pipe_label },
+ { MAC_INIT_SOCKET_LABEL,
+ (macop_t)mac_test_init_socket_label },
+ { MAC_INIT_SOCKET_PEER_LABEL,
+ (macop_t)mac_test_init_socket_peer_label },
+ { MAC_INIT_TEMP_LABEL,
+ (macop_t)mac_test_init_temp_label },
+ { MAC_INIT_VNODE_LABEL,
+ (macop_t)mac_test_init_vnode_label },
+ { MAC_DESTROY_BPFDESC_LABEL,
+ (macop_t)mac_test_destroy_bpfdesc_label },
+ { MAC_DESTROY_CRED_LABEL,
+ (macop_t)mac_test_destroy_cred_label },
+ { MAC_DESTROY_DEVFSDIRENT_LABEL,
+ (macop_t)mac_test_destroy_devfsdirent_label },
+ { MAC_DESTROY_IFNET_LABEL,
+ (macop_t)mac_test_destroy_ifnet_label },
+ { MAC_DESTROY_IPQ_LABEL,
+ (macop_t)mac_test_destroy_ipq_label },
+ { MAC_DESTROY_MBUF_LABEL,
+ (macop_t)mac_test_destroy_mbuf_label },
+ { MAC_DESTROY_MOUNT_LABEL,
+ (macop_t)mac_test_destroy_mount_label },
+ { MAC_DESTROY_MOUNT_FS_LABEL,
+ (macop_t)mac_test_destroy_mount_fs_label },
+ { MAC_DESTROY_PIPE_LABEL,
+ (macop_t)mac_test_destroy_pipe_label },
+ { MAC_DESTROY_SOCKET_LABEL,
+ (macop_t)mac_test_destroy_socket_label },
+ { MAC_DESTROY_SOCKET_PEER_LABEL,
+ (macop_t)mac_test_destroy_socket_peer_label },
+ { MAC_DESTROY_TEMP_LABEL,
+ (macop_t)mac_test_destroy_temp_label },
+ { MAC_DESTROY_VNODE_LABEL,
+ (macop_t)mac_test_destroy_vnode_label },
{ MAC_EXTERNALIZE,
(macop_t)mac_test_externalize },
{ MAC_INTERNALIZE,
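Review bot: Every entry in `mac_test_ops[]` is cast to `macop_t`, so the compiler does not compare the new single-argument functions against the `mpo_*_label` prototypes in `struct mac_policy_ops`. This commit changes the argument list of every init and destroy hook, and `mac_test_init_mbuf_label` also changes argument order to `(label, flag)`. A hook left with the old parameters would still build and would then be called with the wrong arguments. A comment above the table would make that manual contract explicit: `/* Entries are cast to macop_t; each function's prototype must be kept in step with the matching mpo_* member by hand. */`. The table starts and ends outside this hunk.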
diff --git a/sys/sys/mac_policy.h b/sys/sys/mac_policy.h
index 52fee33..a54e925 100644
--- a/sys/sys/mac_policy.h
+++ b/sys/sys/mac_policy.h
@@ -72,34 +72,33 @@ struct mac_policy_ops {
/*
* Label operations.
*/
- void (*mpo_init_bpfdesc)(struct bpf_d *, struct label *label);
- void (*mpo_init_cred)(struct ucred *, struct label *label);
- void (*mpo_init_devfsdirent)(struct devfs_dirent *,
- struct label *label);
- void (*mpo_init_ifnet)(struct ifnet *, struct label *label);
- void (*mpo_init_ipq)(struct ipq *ipq, struct label *label);
- int (*mpo_init_mbuf)(struct mbuf *, int how, struct label *label);
- void (*mpo_init_mount)(struct mount *, struct label *mntlabel,
- struct label *fslabel);
- void (*mpo_init_socket)(struct socket *so, struct label *label,
- struct label *peerlabel);
- void (*mpo_init_pipe)(struct pipe *pipe, struct label *label);
- void (*mpo_init_temp)(struct label *label);
- void (*mpo_init_vnode)(struct vnode *, struct label *label);
- void (*mpo_destroy_bpfdesc)(struct bpf_d *, struct label *label);
- void (*mpo_destroy_cred)(struct ucred *, struct label *label);
- void (*mpo_destroy_devfsdirent)(struct devfs_dirent *de,
- struct label *label);
- void (*mpo_destroy_ifnet)(struct ifnet *, struct label *label);
- void (*mpo_destroy_ipq)(struct ipq *ipq, struct label *label);
- void (*mpo_destroy_mbuf)(struct mbuf *, struct label *label);
- void (*mpo_destroy_mount)(struct mount *, struct label *mntlabel,
- struct label *fslabel);
- void (*mpo_destroy_socket)(struct socket *so, struct label *label,
- struct label *peerlabel);
- void (*mpo_destroy_pipe)(struct pipe *pipe, struct label *label);
- void (*mpo_destroy_temp)(struct label *label);
- void (*mpo_destroy_vnode)(struct vnode *, struct label *label);
+ void (*mpo_init_bpfdesc_label)(struct label *label);
+ void (*mpo_init_cred_label)(struct label *label);
+ void (*mpo_init_devfsdirent_label)(struct label *label);
+ void (*mpo_init_ifnet_label)(struct label *label);
+ void (*mpo_init_ipq_label)(struct label *label);
+ int (*mpo_init_mbuf_label)(struct label *label, int flag);
+ void (*mpo_init_mount_label)(struct label *label);
+ void (*mpo_init_mount_fs_label)(struct label *label);
+ void (*mpo_init_socket_label)(struct label *label);
+ void (*mpo_init_socket_peer_label)(struct label *label);
+ void (*mpo_init_pipe_label)(struct label *label);
+ void (*mpo_init_temp_label)(struct label *label);
+ void (*mpo_init_vnode_label)(struct label *label);
+ void (*mpo_destroy_bpfdesc_label)(struct label *label);
+ void (*mpo_destroy_cred_label)(struct label *label);
+ void (*mpo_destroy_devfsdirent_label)(struct label *label);
+ void (*mpo_destroy_ifnet_label)(struct label *label);
+ void (*mpo_destroy_ipq_label)(struct label *label);
+ void (*mpo_destroy_mbuf_label)(struct label *label);
+ void (*mpo_destroy_mount_label)(struct label *label);
+ void (*mpo_destroy_mount_fs_label)(struct label *label);
+ void (*mpo_destroy_socket_label)(struct label *label);
+ void (*mpo_destroy_socket_peer_label)(struct label *label);
+ void (*mpo_destroy_pipe_label)(struct label *label);
+ void (*mpo_destroy_temp_label)(struct label *label);
+ void (*mpo_destroy_vnode_label)(struct label *label);
+
int (*mpo_externalize)(struct label *label, struct mac *extmac);
int (*mpo_internalize)(struct label *label, struct mac *extmac);
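Review bot: `mpo_init_mbuf_label` is the only init hook that returns `int` and takes a second argument, and the "Label operations" comment says nothing about what `flag` carries or what a non-zero return means for the caller. The old parameter was named `how`, which suggests an allocation wait flag, but that is an inference from the removed line. I would add `/* flag: allocation wait behaviour from the caller (confirm); non-zero return means the label could not be initialised */` above that member. It is also worth stating in the block comment that init hooks now receive only the label, so a policy cannot consult the object while initialising. `struct mac_policy_ops` continues outside the hunk.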
@@ -355,28 +354,32 @@ enum mac_op_constant {
MAC_DESTROY,
MAC_INIT,
MAC_SYSCALL,
- MAC_INIT_BPFDESC,
- MAC_INIT_CRED,
- MAC_INIT_DEVFSDIRENT,
- MAC_INIT_IFNET,
- MAC_INIT_IPQ,
- MAC_INIT_MBUF,
- MAC_INIT_MOUNT,
- MAC_INIT_PIPE,
- MAC_INIT_SOCKET,
- MAC_INIT_TEMP,
- MAC_INIT_VNODE,
- MAC_DESTROY_BPFDESC,
- MAC_DESTROY_CRED,
- MAC_DESTROY_DEVFSDIRENT,
- MAC_DESTROY_IFNET,
- MAC_DESTROY_IPQ,
- MAC_DESTROY_MBUF,
- MAC_DESTROY_MOUNT,
- MAC_DESTROY_PIPE,
- MAC_DESTROY_SOCKET,
- MAC_DESTROY_TEMP,
- MAC_DESTROY_VNODE,
+ MAC_INIT_BPFDESC_LABEL,
+ MAC_INIT_CRED_LABEL,
+ MAC_INIT_DEVFSDIRENT_LABEL,
+ MAC_INIT_IFNET_LABEL,
+ MAC_INIT_IPQ_LABEL,
+ MAC_INIT_MBUF_LABEL,
+ MAC_INIT_MOUNT_LABEL,
+ MAC_INIT_MOUNT_FS_LABEL,
+ MAC_INIT_PIPE_LABEL,
+ MAC_INIT_SOCKET_LABEL,
+ MAC_INIT_SOCKET_PEER_LABEL,
+ MAC_INIT_TEMP_LABEL,
+ MAC_INIT_VNODE_LABEL,
+ MAC_DESTROY_BPFDESC_LABEL,
+ MAC_DESTROY_CRED_LABEL,
+ MAC_DESTROY_DEVFSDIRENT_LABEL,
+ MAC_DESTROY_IFNET_LABEL,
+ MAC_DESTROY_IPQ_LABEL,
+ MAC_DESTROY_MBUF_LABEL,
+ MAC_DESTROY_MOUNT_LABEL,
+ MAC_DESTROY_MOUNT_FS_LABEL,
+ MAC_DESTROY_PIPE_LABEL,
+ MAC_DESTROY_SOCKET_LABEL,
+ MAC_DESTROY_SOCKET_PEER_LABEL,
+ MAC_DESTROY_TEMP_LABEL,
+ MAC_DESTROY_VNODE_LABEL,
MAC_EXTERNALIZE,
MAC_INTERNALIZE,
MAC_CREATE_DEVFS_DEVICE,
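Review bot: Adding `MAC_INIT_MOUNT_FS_LABEL`, `MAC_INIT_SOCKET_PEER_LABEL` and the two matching destroy constants in the middle of `enum mac_op_constant` renumbers every enumerator after them, assuming none carry explicit values (none are visible here). A policy module built against the old header would then have its op entries dispatched to the wrong `mpo_*` slots by the switch in `mac_policy_register`. In a MAC framework that means hooks silently attached to the wrong operation. The renames force source-level updates, so the exposure is stale binaries. The commit should either bump whatever version the policy modules are checked against or note that all policies must be rebuilt, and a comment such as `/* Order is part of the policy module ABI; rebuild all policies when it changes. */` at the top of the enum would record that. The enum continues outside the hunk.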