-rw-r--r--sys/compat/linux/linux_file.c2
-rw-r--r--sys/compat/linux/linux_getcwd.c4
-rw-r--r--sys/compat/linux/linux_misc.c2
-rw-r--r--sys/compat/svr4/svr4_fcntl.c2
-rw-r--r--sys/compat/svr4/svr4_misc.c6
-rw-r--r--sys/contrib/pf/net/pf.c4
-rw-r--r--sys/fs/devfs/devfs_devs.c8
-rw-r--r--sys/fs/devfs/devfs_vnops.c8
-rw-r--r--sys/fs/unionfs/union_subr.c4
-rw-r--r--sys/i386/ibcs2/ibcs2_misc.c4
-rw-r--r--sys/kern/init_main.c4
-rw-r--r--sys/kern/kern_acct.c4
-rw-r--r--sys/kern/kern_alq.c2
-rw-r--r--sys/kern/kern_environment.c8
-rw-r--r--sys/kern/kern_exec.c8
-rw-r--r--sys/kern/kern_exit.c2
-rw-r--r--sys/kern/kern_fork.c4
-rw-r--r--sys/kern/kern_jail.c2
-rw-r--r--sys/kern/kern_ktrace.c2
-rw-r--r--sys/kern/kern_linker.c12
-rw-r--r--sys/kern/kern_mbuf.c4
-rw-r--r--sys/kern/kern_prot.c36
-rw-r--r--sys/kern/kern_shutdown.c2
-rw-r--r--sys/kern/kern_sysctl.c2
-rw-r--r--sys/kern/link_elf.c2
-rw-r--r--sys/kern/link_elf_obj.c2
-rw-r--r--sys/kern/sys_pipe.c18
-rw-r--r--sys/kern/sys_socket.c8
-rw-r--r--sys/kern/sysv_msg.c36
-rw-r--r--sys/kern/sysv_sem.c16
-rw-r--r--sys/kern/sysv_shm.c20
-rw-r--r--sys/kern/uipc_mbuf2.c6
-rw-r--r--sys/kern/uipc_sem.c16
-rw-r--r--sys/kern/uipc_socket.c8
-rw-r--r--sys/kern/uipc_syscalls.c24
-rw-r--r--sys/kern/uipc_usrreq.c8
-rw-r--r--sys/kern/vfs_acl.c6
-rw-r--r--sys/kern/vfs_extattr.c8
-rw-r--r--sys/kern/vfs_lookup.c4
-rw-r--r--sys/kern/vfs_mount.c6
-rw-r--r--sys/kern/vfs_subr.c6
-rw-r--r--sys/kern/vfs_syscalls.c62
-rw-r--r--sys/kern/vfs_vnops.c16
-rw-r--r--sys/net/bpf.c16
-rw-r--r--sys/net/bsd_comp.c2
-rw-r--r--sys/net/if.c10
-rw-r--r--sys/net/if_atmsubr.c4
-rw-r--r--sys/net/if_ethersubr.c4
-rw-r--r--sys/net/if_fddisubr.c4
-rw-r--r--sys/net/if_fwsubr.c4
-rw-r--r--sys/net/if_gif.c4
-rw-r--r--sys/net/if_iso88025subr.c4
-rw-r--r--sys/net/if_ppp.c8
-rw-r--r--sys/net/if_stf.c4
-rw-r--r--sys/net/if_tun.c4
-rw-r--r--sys/netatalk/ddp_input.c2
-rw-r--r--sys/netatalk/ddp_output.c4
-rw-r--r--sys/netinet/in_pcb.c6
-rw-r--r--sys/netinet/ip_divert.c4
-rw-r--r--sys/netinet/ip_fw2.c4
-rw-r--r--sys/netinet/ip_icmp.c4
-rw-r--r--sys/netinet/ip_input.c12
-rw-r--r--sys/netinet/ip_options.c2
-rw-r--r--sys/netinet/ip_output.c2
-rw-r--r--sys/netinet/raw_ip.c4
-rw-r--r--sys/netinet/tcp_input.c4
-rw-r--r--sys/netinet/tcp_output.c2
-rw-r--r--sys/netinet/tcp_subr.c4
-rw-r--r--sys/netinet/tcp_syncache.c2
-rw-r--r--sys/netinet/tcp_timewait.c2
-rw-r--r--sys/netinet/udp_usrreq.c4
-rw-r--r--sys/netinet6/udp6_usrreq.c4
-rw-r--r--sys/security/audit/audit_syscalls.c12
-rw-r--r--sys/security/mac/mac_audit.c30
-rw-r--r--sys/security/mac/mac_framework.h385
-rw-r--r--sys/security/mac/mac_inet.c69
-rw-r--r--sys/security/mac/mac_internal.h34
-rw-r--r--sys/security/mac/mac_net.c100
-rw-r--r--sys/security/mac/mac_pipe.c56
-rw-r--r--sys/security/mac/mac_policy.h844
-rw-r--r--sys/security/mac/mac_posix_sem.c49
-rw-r--r--sys/security/mac/mac_process.c104
-rw-r--r--sys/security/mac/mac_socket.c124
-rw-r--r--sys/security/mac/mac_syscalls.c40
-rw-r--r--sys/security/mac/mac_system.c56
-rw-r--r--sys/security/mac/mac_sysv_msg.c66
-rw-r--r--sys/security/mac/mac_sysv_sem.c33
-rw-r--r--sys/security/mac/mac_sysv_shm.c36
-rw-r--r--sys/security/mac/mac_vfs.c317
-rw-r--r--sys/security/mac_biba/mac_biba.c611
-rw-r--r--sys/security/mac_bsdextended/mac_bsdextended.c120
-rw-r--r--sys/security/mac_ifoff/mac_ifoff.c32
-rw-r--r--sys/security/mac_lomac/mac_lomac.c433
-rw-r--r--sys/security/mac_mls/mac_mls.c591
-rw-r--r--sys/security/mac_partition/mac_partition.c54
-rw-r--r--sys/security/mac_portacl/mac_portacl.c8
-rw-r--r--sys/security/mac_seeotheruids/mac_seeotheruids.c24
-rw-r--r--sys/security/mac_stub/mac_stub.c738
-rw-r--r--sys/security/mac_test/mac_test.c1599
-rw-r--r--sys/ufs/ffs/ffs_vfsops.c2
-rw-r--r--sys/ufs/ufs/ufs_vnops.c4
-rw-r--r--sys/vm/swap_pager.c4
-rw-r--r--sys/vm/vm_mmap.c2
103 files changed, 3601 insertions, 3518 deletions
diff --git a/sys/compat/linux/linux_file.c b/sys/compat/linux/linux_file.c
index 5833b39..bee733c 100644
--- a/sys/compat/linux/linux_file.c
+++ b/sys/compat/linux/linux_file.c
@@ -467,7 +467,7 @@ again:
/*
* Do directory search MAC check using non-cached credentials.
*/
- if ((error = mac_check_vnode_readdir(td->td_ucred, vp)))
+ if ((error = mac_vnode_check_readdir(td->td_ucred, vp)))
goto out;
#endif /* MAC */
if ((error = VOP_READDIR(vp, &auio, fp->f_cred, &eofflag, &ncookies,
diff --git a/sys/compat/linux/linux_getcwd.c b/sys/compat/linux/linux_getcwd.c
index c244e50..1110fc1 100644
--- a/sys/compat/linux/linux_getcwd.c
+++ b/sys/compat/linux/linux_getcwd.c
@@ -170,7 +170,7 @@ linux_getcwd_scandir(lvpp, uvpp, bpp, bufp, td)
* On successful return, *uvpp will be locked
*/
#ifdef MAC
- error = mac_check_vnode_lookup(td->td_ucred, lvp, &cn);
+ error = mac_vnode_check_lookup(td->td_ucred, lvp, &cn);
if (error == 0)
#endif
error = VOP_LOOKUP(lvp, uvpp, &cn);
@@ -216,7 +216,7 @@ unionread:
eofflag = 0;
#ifdef MAC
- error = mac_check_vnode_readdir(td->td_ucred, uvp);
+ error = mac_vnode_check_readdir(td->td_ucred, uvp);
if (error == 0)
#endif /* MAC */
error = VOP_READDIR(uvp, &uio, td->td_ucred, &eofflag,
diff --git a/sys/compat/linux/linux_misc.c b/sys/compat/linux/linux_misc.c
index 01f1cee..96adc6d 100644
--- a/sys/compat/linux/linux_misc.c
+++ b/sys/compat/linux/linux_misc.c
@@ -301,7 +301,7 @@ linux_uselib(struct thread *td, struct linux_uselib_args *args)
* than vn_open().
*/
#ifdef MAC
- error = mac_check_vnode_open(td->td_ucred, vp, FREAD);
+ error = mac_vnode_check_open(td->td_ucred, vp, FREAD);
if (error)
goto cleanup;
#endif
diff --git a/sys/compat/svr4/svr4_fcntl.c b/sys/compat/svr4/svr4_fcntl.c
index 8735abb..792a8a7 100644
--- a/sys/compat/svr4/svr4_fcntl.c
+++ b/sys/compat/svr4/svr4_fcntl.c
@@ -271,7 +271,7 @@ fd_revoke(td, fd)
#ifdef MAC
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
- error = mac_check_vnode_revoke(td->td_ucred, vp);
+ error = mac_vnode_check_revoke(td->td_ucred, vp);
VOP_UNLOCK(vp, 0, td);
if (error)
goto out;
diff --git a/sys/compat/svr4/svr4_misc.c b/sys/compat/svr4/svr4_misc.c
index e4c48c0..85385b5 100644
--- a/sys/compat/svr4/svr4_misc.c
+++ b/sys/compat/svr4/svr4_misc.c
@@ -296,7 +296,7 @@ again:
}
#ifdef MAC
- error = mac_check_vnode_readdir(td->td_ucred, vp);
+ error = mac_vnode_check_readdir(td->td_ucred, vp);
if (error)
goto out;
#endif
@@ -461,7 +461,7 @@ again:
auio.uio_offset = off;
#ifdef MAC
- error = mac_check_vnode_readdir(td->td_ucred, vp);
+ error = mac_vnode_check_readdir(td->td_ucred, vp);
if (error)
goto out;
#endif
@@ -625,7 +625,7 @@ svr4_sys_fchroot(td, uap)
if (error)
goto fail;
#ifdef MAC
- error = mac_check_vnode_chroot(td->td_ucred, vp);
+ error = mac_vnode_check_chroot(td->td_ucred, vp);
if (error)
goto fail;
#endif
diff --git a/sys/contrib/pf/net/pf.c b/sys/contrib/pf/net/pf.c
index 0c996ab..5b209af 100644
--- a/sys/contrib/pf/net/pf.c
+++ b/sys/contrib/pf/net/pf.c
@@ -1818,9 +1818,9 @@ pf_send_tcp(const struct pf_rule *r, sa_family_t af,
#ifdef __FreeBSD__
#ifdef MAC
if (replyto)
- mac_create_mbuf_netlayer(replyto, m);
+ mac_mbuf_create_netlayer(replyto, m);
else
- mac_create_mbuf_from_firewall(m);
+ mac_mbuf_create_from_firewall(m);
#else
(void)replyto;
#endif
diff --git a/sys/fs/devfs/devfs_devs.c b/sys/fs/devfs/devfs_devs.c
index ca5c2de..526f20d 100644
--- a/sys/fs/devfs/devfs_devs.c
+++ b/sys/fs/devfs/devfs_devs.c
@@ -182,7 +182,7 @@ devfs_newdirent(char *name, int namelen)
de->de_links = 1;
de->de_holdcnt = 1;
#ifdef MAC
- mac_init_devfs(de);
+ mac_devfs_init(de);
#endif
return (de);
}
@@ -226,7 +226,7 @@ devfs_vmkdir(struct devfs_mount *dmp, char *name, int namelen, struct devfs_dire
}
#ifdef MAC
- mac_create_devfs_directory(dmp->dm_mount, name, namelen, dd);
+ mac_devfs_create_directory(dmp->dm_mount, name, namelen, dd);
#endif
return (dd);
}
@@ -274,7 +274,7 @@ devfs_delete(struct devfs_mount *dm, struct devfs_dirent *de, int vp_locked)
de->de_symlink = NULL;
}
#ifdef MAC
- mac_destroy_devfs(de);
+ mac_devfs_destroy(de);
#endif
if (de->de_inode > DEVFS_ROOTINO) {
free_unr(devfs_inos, de->de_inode);
@@ -452,7 +452,7 @@ devfs_populate_loop(struct devfs_mount *dm, int cleanup)
de->de_inode = cdp->cdp_inode;
de->de_cdp = cdp;
#ifdef MAC
- mac_create_devfs_device(cdp->cdp_c.si_cred, dm->dm_mount,
+ mac_devfs_create_device(cdp->cdp_c.si_cred, dm->dm_mount,
&cdp->cdp_c, de);
#endif
de->de_dir = dd;
diff --git a/sys/fs/devfs/devfs_vnops.c b/sys/fs/devfs/devfs_vnops.c
index 5ed41de..ba01318 100644
--- a/sys/fs/devfs/devfs_vnops.c
+++ b/sys/fs/devfs/devfs_vnops.c
@@ -262,7 +262,7 @@ devfs_allocv(struct devfs_dirent *de, struct mount *mp, struct vnode **vpp, stru
return (ENOENT);
}
#ifdef MAC
- mac_associate_vnode_devfs(mp, de, vp);
+ mac_devfs_vnode_associate(mp, de, vp);
#endif
sx_xunlock(&dmp->dm_lock);
*vpp = vp;
@@ -1233,8 +1233,8 @@ devfs_setlabel(struct vop_setlabel_args *ap)
vp = ap->a_vp;
de = vp->v_data;
- mac_relabel_vnode(ap->a_cred, vp, ap->a_label);
- mac_update_devfs(vp->v_mount, de, vp);
+ mac_vnode_relabel(ap->a_cred, vp, ap->a_label);
+ mac_devfs_update(vp->v_mount, de, vp);
return (0);
}
@@ -1275,7 +1275,7 @@ devfs_symlink(struct vop_symlink_args *ap)
bcopy(ap->a_target, de->de_symlink, i);
sx_xlock(&dmp->dm_lock);
#ifdef MAC
- mac_create_devfs_symlink(ap->a_cnp->cn_cred, dmp->dm_mount, dd, de);
+ mac_devfs_create_symlink(ap->a_cnp->cn_cred, dmp->dm_mount, dd, de);
#endif
TAILQ_INSERT_TAIL(&dd->de_dlist, de, de_list);
return (devfs_allocv(de, ap->a_dvp->v_mount, ap->a_vpp, td));
diff --git a/sys/fs/unionfs/union_subr.c b/sys/fs/unionfs/union_subr.c
index fc5e27c..05dd077 100644
--- a/sys/fs/unionfs/union_subr.c
+++ b/sys/fs/unionfs/union_subr.c
@@ -966,7 +966,7 @@ unionfs_check_rmdir(struct vnode *vp, struct ucred *cred, struct thread *td)
/* open vnode */
#ifdef MAC
- if ((error = mac_check_vnode_open(cred, vp, VEXEC|VREAD)) != 0)
+ if ((error = mac_vnode_check_open(cred, vp, VEXEC|VREAD)) != 0)
return (error);
#endif
if ((error = VOP_ACCESS(vp, VEXEC|VREAD, cred, td)) != 0)
@@ -980,7 +980,7 @@ unionfs_check_rmdir(struct vnode *vp, struct ucred *cred, struct thread *td)
uio.uio_offset = 0;
#ifdef MAC
- error = mac_check_vnode_readdir(td->td_ucred, lvp);
+ error = mac_vnode_check_readdir(td->td_ucred, lvp);
#endif
while (!error && !eofflag) {
iov.iov_base = buf;
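Review bot: The two MAC checks in unionfs_check_rmdir() use different subject credentials: the open check in the previous hunk passes the `cred` argument, while the readdir check here passes `td->td_ucred`. If a caller can pass a `cred` that differs from the thread's credential, a policy would evaluate the open and the directory read of one operation against two different subjects. Unless that is deliberate, I would use a single credential, e.g. `error = mac_vnode_check_readdir(cred, lvp);`, or add a comment explaining why they differ. The function body starts and ends outside both hunks, so the credential used for the later read is not visible here.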
diff --git a/sys/i386/ibcs2/ibcs2_misc.c b/sys/i386/ibcs2/ibcs2_misc.c
index f6375c3..8dae2b2 100644
--- a/sys/i386/ibcs2/ibcs2_misc.c
+++ b/sys/i386/ibcs2/ibcs2_misc.c
@@ -374,7 +374,7 @@ again:
}
#ifdef MAC
- error = mac_check_vnode_readdir(td->td_ucred, vp);
+ error = mac_vnode_check_readdir(td->td_ucred, vp);
if (error)
goto out;
#endif
@@ -536,7 +536,7 @@ again:
}
#ifdef MAC
- error = mac_check_vnode_readdir(td->td_ucred, vp);
+ error = mac_vnode_check_readdir(td->td_ucred, vp);
if (error)
goto out;
#endif
diff --git a/sys/kern/init_main.c b/sys/kern/init_main.c
index ef404b3..ae18f12 100644
--- a/sys/kern/init_main.c
+++ b/sys/kern/init_main.c
@@ -448,7 +448,7 @@ proc0_init(void *dummy __unused)
audit_cred_kproc0(p->p_ucred);
#endif
#ifdef MAC
- mac_create_proc0(p->p_ucred);
+ mac_proc_create_swapper(p->p_ucred);
#endif
td->td_ucred = crhold(p->p_ucred);
@@ -714,7 +714,7 @@ create_init(const void *udata __unused)
oldcred = initproc->p_ucred;
crcopy(newcred, oldcred);
#ifdef MAC
- mac_create_proc1(newcred);
+ mac_proc_create_init(newcred);
#endif
#ifdef AUDIT
audit_cred_proc1(newcred);
diff --git a/sys/kern/kern_acct.c b/sys/kern/kern_acct.c
index 17a74c4..13c9b70 100644
--- a/sys/kern/kern_acct.c
+++ b/sys/kern/kern_acct.c
@@ -218,7 +218,7 @@ acct(struct thread *td, struct acct_args *uap)
vfslocked = NDHASGIANT(&nd);
NDFREE(&nd, NDF_ONLY_PNBUF);
#ifdef MAC
- error = mac_check_system_acct(td->td_ucred, nd.ni_vp);
+ error = mac_system_check_acct(td->td_ucred, nd.ni_vp);
if (error) {
VOP_UNLOCK(nd.ni_vp, 0, td);
vn_close(nd.ni_vp, flags, td->td_ucred, td);
@@ -235,7 +235,7 @@ acct(struct thread *td, struct acct_args *uap)
VFS_UNLOCK_GIANT(vfslocked);
#ifdef MAC
} else {
- error = mac_check_system_acct(td->td_ucred, NULL);
+ error = mac_system_check_acct(td->td_ucred, NULL);
if (error)
return (error);
#endif
diff --git a/sys/kern/kern_alq.c b/sys/kern/kern_alq.c
index a141034..6d132a9 100644
--- a/sys/kern/kern_alq.c
+++ b/sys/kern/kern_alq.c
@@ -300,7 +300,7 @@ alq_doio(struct alq *alq)
* XXX: VOP_WRITE error checks are ignored.
*/
#ifdef MAC
- if (mac_check_vnode_write(alq->aq_cred, NOCRED, vp) == 0)
+ if (mac_vnode_check_write(alq->aq_cred, NOCRED, vp) == 0)
#endif
VOP_WRITE(vp, &auio, IO_UNIT | IO_APPEND, alq->aq_cred);
VOP_UNLOCK(vp, 0, td);
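Review bot: A MAC denial from `mac_vnode_check_write()` silently skips the `VOP_WRITE()` call and the error value is discarded, so a policy refusal presumably loses the pending data with no indication to anyone. The existing XXX comment mentions only VOP_WRITE errors; I would extend it to cover this case, e.g. `* XXX: VOP_WRITE error checks are ignored; a MAC denial skips the write and is also not reported.` alq_doio's body continues outside the hunk, so I cannot tell whether there is an existing place to count or log the denial.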
diff --git a/sys/kern/kern_environment.c b/sys/kern/kern_environment.c
index ca20f38..34b1eec 100644
--- a/sys/kern/kern_environment.c
+++ b/sys/kern/kern_environment.c
@@ -95,7 +95,7 @@ kenv(td, uap)
error = 0;
if (uap->what == KENV_DUMP) {
#ifdef MAC
- error = mac_check_kenv_dump(td->td_ucred);
+ error = mac_kenv_check_dump(td->td_ucred);
if (error)
return (error);
#endif
@@ -148,7 +148,7 @@ kenv(td, uap)
switch (uap->what) {
case KENV_GET:
#ifdef MAC
- error = mac_check_kenv_get(td->td_ucred, name);
+ error = mac_kenv_check_get(td->td_ucred, name);
if (error)
goto done;
#endif
@@ -181,7 +181,7 @@ kenv(td, uap)
goto done;
}
#ifdef MAC
- error = mac_check_kenv_set(td->td_ucred, name, value);
+ error = mac_kenv_check_set(td->td_ucred, name, value);
if (error == 0)
#endif
setenv(name, value);
@@ -189,7 +189,7 @@ kenv(td, uap)
break;
case KENV_UNSET:
#ifdef MAC
- error = mac_check_kenv_unset(td->td_ucred, name);
+ error = mac_kenv_check_unset(td->td_ucred, name);
if (error)
goto done;
#endif
diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c
index b3884d0..d2798db 100644
--- a/sys/kern/kern_exec.c
+++ b/sys/kern/kern_exec.c
@@ -439,7 +439,7 @@ interpret:
NDFREE(ndp, NDF_ONLY_PNBUF);
#ifdef MAC
interplabel = mac_vnode_label_alloc();
- mac_copy_vnode_label(ndp->ni_vp->v_label, interplabel);
+ mac_vnode_copy_label(ndp->ni_vp->v_label, interplabel);
#endif
vput(ndp->ni_vp);
vm_object_deallocate(imgp->object);
@@ -550,7 +550,7 @@ interpret:
credential_changing |= (attr.va_mode & VSGID) && oldcred->cr_gid !=
attr.va_gid;
#ifdef MAC
- will_transition = mac_execve_will_transition(oldcred, imgp->vp,
+ will_transition = mac_vnode_execve_will_transition(oldcred, imgp->vp,
interplabel, imgp);
credential_changing |= will_transition;
#endif
@@ -604,7 +604,7 @@ interpret:
change_egid(newcred, attr.va_gid);
#ifdef MAC
if (will_transition) {
- mac_execve_transition(oldcred, newcred, imgp->vp,
+ mac_vnode_execve_transition(oldcred, newcred, imgp->vp,
interplabel, imgp);
}
#endif
@@ -1191,7 +1191,7 @@ exec_check_permissions(imgp)
return (error);
#ifdef MAC
- error = mac_check_vnode_exec(td->td_ucred, imgp->vp, imgp);
+ error = mac_vnode_check_exec(td->td_ucred, imgp->vp, imgp);
if (error)
return (error);
#endif
diff --git a/sys/kern/kern_exit.c b/sys/kern/kern_exit.c
index 696a101..94b949b 100644
--- a/sys/kern/kern_exit.c
+++ b/sys/kern/kern_exit.c
@@ -791,7 +791,7 @@ loop:
*/
vm_waitproc(p);
#ifdef MAC
- mac_destroy_proc(p);
+ mac_proc_destroy(p);
#endif
KASSERT(FIRST_THREAD_IN_PROC(p),
("kern_wait: no residual thread!"));
diff --git a/sys/kern/kern_fork.c b/sys/kern/kern_fork.c
index 1043d1c..52f68f0 100644
--- a/sys/kern/kern_fork.c
+++ b/sys/kern/kern_fork.c
@@ -285,7 +285,7 @@ fork1(td, flags, pages, procp)
/* Allocate new proc. */
newproc = uma_zalloc(proc_zone, M_WAITOK);
#ifdef MAC
- mac_init_proc(newproc);
+ mac_proc_init(newproc);
#endif
knlist_init(&newproc->p_klist, &newproc->p_mtx, NULL, NULL, NULL);
STAILQ_INIT(&newproc->p_ktr);
@@ -752,7 +752,7 @@ fail:
td->td_ucred->cr_ruid);
sx_xunlock(&allproc_lock);
#ifdef MAC
- mac_destroy_proc(newproc);
+ mac_proc_destroy(newproc);
#endif
uma_zfree(proc_zone, newproc);
if (p1->p_flag & P_HADTHREADS) {
diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c
index 49bc0806..1bcc264 100644
--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@@ -258,7 +258,7 @@ jail_attach(struct thread *td, struct jail_attach_args *uap)
if ((error = change_dir(pr->pr_root, td)) != 0)
goto e_unlock;
#ifdef MAC
- if ((error = mac_check_vnode_chroot(td->td_ucred, pr->pr_root)))
+ if ((error = mac_vnode_check_chroot(td->td_ucred, pr->pr_root)))
goto e_unlock;
#endif
VOP_UNLOCK(pr->pr_root, 0, td);
diff --git a/sys/kern/kern_ktrace.c b/sys/kern/kern_ktrace.c
index 2b7ee33..4e5a63c 100644
--- a/sys/kern/kern_ktrace.c
+++ b/sys/kern/kern_ktrace.c
@@ -927,7 +927,7 @@ ktr_writerequest(struct thread *td, struct ktr_request *req)
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
(void)VOP_LEASE(vp, td, cred, LEASE_WRITE);
#ifdef MAC
- error = mac_check_vnode_write(cred, NOCRED, vp);
+ error = mac_vnode_check_write(cred, NOCRED, vp);
if (error == 0)
#endif
error = VOP_WRITE(vp, &auio, IO_UNIT | IO_APPEND, cred);
diff --git a/sys/kern/kern_linker.c b/sys/kern/kern_linker.c
index 324d349..e6080aa 100644
--- a/sys/kern/kern_linker.c
+++ b/sys/kern/kern_linker.c
@@ -995,7 +995,7 @@ kldfind(struct thread *td, struct kldfind_args *uap)
int error;
#ifdef MAC
- error = mac_check_kld_stat(td->td_ucred);
+ error = mac_kld_check_stat(td->td_ucred);
if (error)
return (error);
#endif
@@ -1026,7 +1026,7 @@ kldnext(struct thread *td, struct kldnext_args *uap)
int error = 0;
#ifdef MAC
- error = mac_check_kld_stat(td->td_ucred);
+ error = mac_kld_check_stat(td->td_ucred);
if (error)
return (error);
#endif
@@ -1076,7 +1076,7 @@ kldstat(struct thread *td, struct kldstat_args *uap)
return (EINVAL);
#ifdef MAC
- error = mac_check_kld_stat(td->td_ucred);
+ error = mac_kld_check_stat(td->td_ucred);
if (error)
return (error);
#endif
@@ -1119,7 +1119,7 @@ kldfirstmod(struct thread *td, struct kldfirstmod_args *uap)
int error = 0;
#ifdef MAC
- error = mac_check_kld_stat(td->td_ucred);
+ error = mac_kld_check_stat(td->td_ucred);
if (error)
return (error);
#endif
@@ -1151,7 +1151,7 @@ kldsym(struct thread *td, struct kldsym_args *uap)
int error = 0;
#ifdef MAC
- error = mac_check_kld_stat(td->td_ucred);
+ error = mac_kld_check_stat(td->td_ucred);
if (error)
return (error);
#endif
@@ -1997,7 +1997,7 @@ sysctl_kern_function_list(SYSCTL_HANDLER_ARGS)
int error;
#ifdef MAC
- error = mac_check_kld_stat(req->td->td_ucred);
+ error = mac_kld_check_stat(req->td->td_ucred);
if (error)
return (error);
#endif
diff --git a/sys/kern/kern_mbuf.c b/sys/kern/kern_mbuf.c
index 9015e24..97f4075 100644
--- a/sys/kern/kern_mbuf.c
+++ b/sys/kern/kern_mbuf.c
@@ -323,7 +323,7 @@ mb_ctor_mbuf(void *mem, int size, void *arg, int how)
SLIST_INIT(&m->m_pkthdr.tags);
#ifdef MAC
/* If the label init fails, fail the alloc */
- error = mac_init_mbuf(m, how);
+ error = mac_mbuf_init(m, how);
if (error)
return (error);
#endif
@@ -543,7 +543,7 @@ mb_ctor_pack(void *mem, int size, void *arg, int how)
SLIST_INIT(&m->m_pkthdr.tags);
#ifdef MAC
/* If the label init fails, fail the alloc */
- error = mac_init_mbuf(m, how);
+ error = mac_mbuf_init(m, how);
if (error)
return (error);
#endif
diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c
index 18d3b2a..cd0fb17 100644
--- a/sys/kern/kern_prot.c
+++ b/sys/kern/kern_prot.c
@@ -482,7 +482,7 @@ setuid(struct thread *td, struct setuid_args *uap)
oldcred = p->p_ucred;
#ifdef MAC
- error = mac_check_proc_setuid(p, oldcred, uid);
+ error = mac_proc_check_setuid(p, oldcred, uid);
if (error)
goto fail;
#endif
@@ -594,7 +594,7 @@ seteuid(struct thread *td, struct seteuid_args *uap)
oldcred = p->p_ucred;
#ifdef MAC
- error = mac_check_proc_seteuid(p, oldcred, euid);
+ error = mac_proc_check_seteuid(p, oldcred, euid);
if (error)
goto fail;
#endif
@@ -647,7 +647,7 @@ setgid(struct thread *td, struct setgid_args *uap)
oldcred = p->p_ucred;
#ifdef MAC
- error = mac_check_proc_setgid(p, oldcred, gid);
+ error = mac_proc_check_setgid(p, oldcred, gid);
if (error)
goto fail;
#endif
@@ -746,7 +746,7 @@ setegid(struct thread *td, struct setegid_args *uap)
oldcred = p->p_ucred;
#ifdef MAC
- error = mac_check_proc_setegid(p, oldcred, egid);
+ error = mac_proc_check_setegid(p, oldcred, egid);
if (error)
goto fail;
#endif
@@ -808,7 +808,7 @@ kern_setgroups(struct thread *td, u_int ngrp, gid_t *groups)
oldcred = p->p_ucred;
#ifdef MAC
- error = mac_check_proc_setgroups(p, oldcred, ngrp, groups);
+ error = mac_proc_check_setgroups(p, oldcred, ngrp, groups);
if (error)
goto fail;
#endif
@@ -873,7 +873,7 @@ setreuid(register struct thread *td, struct setreuid_args *uap)
oldcred = p->p_ucred;
#ifdef MAC
- error = mac_check_proc_setreuid(p, oldcred, ruid, euid);
+ error = mac_proc_check_setreuid(p, oldcred, ruid, euid);
if (error)
goto fail;
#endif
@@ -938,7 +938,7 @@ setregid(register struct thread *td, struct setregid_args *uap)
oldcred = p->p_ucred;
#ifdef MAC
- error = mac_check_proc_setregid(p, oldcred, rgid, egid);
+ error = mac_proc_check_setregid(p, oldcred, rgid, egid);
if (error)
goto fail;
#endif
@@ -1009,7 +1009,7 @@ setresuid(register struct thread *td, struct setresuid_args *uap)
oldcred = p->p_ucred;
#ifdef MAC
- error = mac_check_proc_setresuid(p, oldcred, ruid, euid, suid);
+ error = mac_proc_check_setresuid(p, oldcred, ruid, euid, suid);
if (error)
goto fail;
#endif
@@ -1086,7 +1086,7 @@ setresgid(register struct thread *td, struct setresgid_args *uap)
oldcred = p->p_ucred;
#ifdef MAC
- error = mac_check_proc_setresgid(p, oldcred, rgid, egid, sgid);
+ error = mac_proc_check_setresgid(p, oldcred, rgid, egid, sgid);
if (error)
goto fail;
#endif
@@ -1369,7 +1369,7 @@ cr_cansee(struct ucred *u1, struct ucred *u2)
if ((error = prison_check(u1, u2)))
return (error);
#ifdef MAC
- if ((error = mac_check_cred_visible(u1, u2)))
+ if ((error = mac_cred_check_visible(u1, u2)))
return (error);
#endif
if ((error = cr_seeotheruids(u1, u2)))
@@ -1430,7 +1430,7 @@ cr_cansignal(struct ucred *cred, struct proc *proc, int signum)
if (error)
return (error);
#ifdef MAC
- if ((error = mac_check_proc_signal(cred, proc, signum)))
+ if ((error = mac_proc_check_signal(cred, proc, signum)))
return (error);
#endif
if ((error = cr_seeotheruids(cred, proc->p_ucred)))
@@ -1547,7 +1547,7 @@ p_cansched(struct thread *td, struct proc *p)
if ((error = prison_check(td->td_ucred, p->p_ucred)))
return (error);
#ifdef MAC
- if ((error = mac_check_proc_sched(td->td_ucred, p)))
+ if ((error = mac_proc_check_sched(td->td_ucred, p)))
return (error);
#endif
if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred)))
@@ -1604,7 +1604,7 @@ p_candebug(struct thread *td, struct proc *p)
if ((error = prison_check(td->td_ucred, p->p_ucred)))
return (error);
#ifdef MAC
- if ((error = mac_check_proc_debug(td->td_ucred, p)))
+ if ((error = mac_proc_check_debug(td->td_ucred, p)))
return (error);
#endif
if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred)))
@@ -1691,7 +1691,7 @@ cr_canseesocket(struct ucred *cred, struct socket *so)
return (ENOENT);
#ifdef MAC
SOCK_LOCK(so);
- error = mac_check_socket_visible(cred, so);
+ error = mac_socket_check_visible(cred, so);
SOCK_UNLOCK(so);
if (error)
return (error);
@@ -1723,7 +1723,7 @@ p_canwait(struct thread *td, struct proc *p)
if ((error = prison_check(td->td_ucred, p->p_ucred)))
return (error);
#ifdef MAC
- if ((error = mac_check_proc_wait(td->td_ucred, p)))
+ if ((error = mac_proc_check_wait(td->td_ucred, p)))
return (error);
#endif
#if 0
@@ -1749,7 +1749,7 @@ crget(void)
audit_cred_init(cr);
#endif
#ifdef MAC
- mac_init_cred(cr);
+ mac_cred_init(cr);
#endif
return (cr);
}
@@ -1793,7 +1793,7 @@ crfree(struct ucred *cr)
audit_cred_destroy(cr);
#endif
#ifdef MAC
- mac_destroy_cred(cr);
+ mac_cred_destroy(cr);
#endif
FREE(cr, M_CRED);
}
@@ -1828,7 +1828,7 @@ crcopy(struct ucred *dest, struct ucred *src)
audit_cred_copy(src, dest);
#endif
#ifdef MAC
- mac_copy_cred(src, dest);
+ mac_cred_copy(src, dest);
#endif
}
diff --git a/sys/kern/kern_shutdown.c b/sys/kern/kern_shutdown.c
index bd1aeaf..14a74b7 100644
--- a/sys/kern/kern_shutdown.c
+++ b/sys/kern/kern_shutdown.c
@@ -160,7 +160,7 @@ reboot(struct thread *td, struct reboot_args *uap)
error = 0;
#ifdef MAC
- error = mac_check_system_reboot(td->td_ucred, uap->opt);
+ error = mac_system_check_reboot(td->td_ucred, uap->opt);
#endif
if (error == 0)
error = priv_check(td, PRIV_REBOOT);
diff --git a/sys/kern/kern_sysctl.c b/sys/kern/kern_sysctl.c
index dc64f31..2ce6f7e 100644
--- a/sys/kern/kern_sysctl.c
+++ b/sys/kern/kern_sysctl.c
@@ -1298,7 +1298,7 @@ sysctl_root(SYSCTL_HANDLER_ARGS)
arg2 = oid->oid_arg2;
}
#ifdef MAC
- error = mac_check_system_sysctl(req->td->td_ucred, oid, arg1, arg2,
+ error = mac_system_check_sysctl(req->td->td_ucred, oid, arg1, arg2,
req);
if (error != 0)
return (error);
diff --git a/sys/kern/link_elf.c b/sys/kern/link_elf.c
index 5e9480c..86e69a2 100644
--- a/sys/kern/link_elf.c
+++ b/sys/kern/link_elf.c
@@ -572,7 +572,7 @@ link_elf_load_file(linker_class_t cls, const char* filename,
vfslocked = NDHASGIANT(&nd);
NDFREE(&nd, NDF_ONLY_PNBUF);
#ifdef MAC
- error = mac_check_kld_load(curthread->td_ucred, nd.ni_vp);
+ error = mac_kld_check_load(curthread->td_ucred, nd.ni_vp);
if (error) {
firstpage = NULL;
goto out;
diff --git a/sys/kern/link_elf_obj.c b/sys/kern/link_elf_obj.c
index 6426fc0..1798253 100644
--- a/sys/kern/link_elf_obj.c
+++ b/sys/kern/link_elf_obj.c
@@ -410,7 +410,7 @@ link_elf_load_file(linker_class_t cls, const char *filename,
vfslocked = NDHASGIANT(&nd);
NDFREE(&nd, NDF_ONLY_PNBUF);
#ifdef MAC
- error = mac_check_kld_load(td->td_ucred, nd.ni_vp);
+ error = mac_kld_check_load(td->td_ucred, nd.ni_vp);
if (error) {
goto out;
}
diff --git a/sys/kern/sys_pipe.c b/sys/kern/sys_pipe.c
index 6871306..4e3f523 100644
--- a/sys/kern/sys_pipe.c
+++ b/sys/kern/sys_pipe.c
@@ -323,11 +323,11 @@ pipe(td, uap)
#ifdef MAC
/*
* The MAC label is shared between the connected endpoints. As a
- * result mac_init_pipe() and mac_create_pipe() are called once
+ * result mac_pipe_init() and mac_pipe_create() are called once
* for the pair, and not on the endpoints.
*/
- mac_init_pipe(pp);
- mac_create_pipe(td->td_ucred, pp);
+ mac_pipe_init(pp);
+ mac_pipe_create(td->td_ucred, pp);
#endif
rpipe = &pp->pp_rpipe;
wpipe = &pp->pp_wpipe;
@@ -576,7 +576,7 @@ pipe_read(fp, uio, active_cred, flags, td)
goto unlocked_error;
#ifdef MAC
- error = mac_check_pipe_read(active_cred, rpipe->pipe_pair);
+ error = mac_pipe_check_read(active_cred, rpipe->pipe_pair);
if (error)
goto locked_error;
#endif
@@ -986,7 +986,7 @@ pipe_write(fp, uio, active_cred, flags, td)
return (EPIPE);
}
#ifdef MAC
- error = mac_check_pipe_write(active_cred, wpipe->pipe_pair);
+ error = mac_pipe_check_write(active_cred, wpipe->pipe_pair);
if (error) {
pipeunlock(wpipe);
PIPE_UNLOCK(rpipe);
@@ -1252,7 +1252,7 @@ pipe_ioctl(fp, cmd, data, active_cred, td)
PIPE_LOCK(mpipe);
#ifdef MAC
- error = mac_check_pipe_ioctl(active_cred, mpipe->pipe_pair, cmd, data);
+ error = mac_pipe_check_ioctl(active_cred, mpipe->pipe_pair, cmd, data);
if (error) {
PIPE_UNLOCK(mpipe);
return (error);
@@ -1326,7 +1326,7 @@ pipe_poll(fp, events, active_cred, td)
wpipe = rpipe->pipe_peer;
PIPE_LOCK(rpipe);
#ifdef MAC
- error = mac_check_pipe_poll(active_cred, rpipe->pipe_pair);
+ error = mac_pipe_check_poll(active_cred, rpipe->pipe_pair);
if (error)
goto locked_error;
#endif
@@ -1382,7 +1382,7 @@ pipe_stat(fp, ub, active_cred, td)
int error;
PIPE_LOCK(pipe);
- error = mac_check_pipe_stat(active_cred, pipe->pipe_pair);
+ error = mac_pipe_check_stat(active_cred, pipe->pipe_pair);
PIPE_UNLOCK(pipe);
if (error)
return (error);
@@ -1511,7 +1511,7 @@ pipeclose(cpipe)
if (ppipe->pipe_present == 0) {
PIPE_UNLOCK(cpipe);
#ifdef MAC
- mac_destroy_pipe(pp);
+ mac_pipe_destroy(pp);
#endif
uma_zfree(pipe_zone, cpipe->pipe_pair);
} else
diff --git a/sys/kern/sys_socket.c b/sys/kern/sys_socket.c
index 9229658..7e4547c 100644
--- a/sys/kern/sys_socket.c
+++ b/sys/kern/sys_socket.c
@@ -77,7 +77,7 @@ soo_read(struct file *fp, struct uio *uio, struct ucred *active_cred,
int error;
SOCK_LOCK(so);
- error = mac_check_socket_receive(active_cred, so);
+ error = mac_socket_check_receive(active_cred, so);
SOCK_UNLOCK(so);
if (error)
return (error);
@@ -95,7 +95,7 @@ soo_write(struct file *fp, struct uio *uio, struct ucred *active_cred,
#ifdef MAC
SOCK_LOCK(so);
- error = mac_check_socket_send(active_cred, so);
+ error = mac_socket_check_send(active_cred, so);
SOCK_UNLOCK(so);
if (error)
return (error);
@@ -208,7 +208,7 @@ soo_poll(struct file *fp, int events, struct ucred *active_cred,
int error;
SOCK_LOCK(so);
- error = mac_check_socket_poll(active_cred, so);
+ error = mac_socket_check_poll(active_cred, so);
SOCK_UNLOCK(so);
if (error)
return (error);
@@ -229,7 +229,7 @@ soo_stat(struct file *fp, struct stat *ub, struct ucred *active_cred,
ub->st_mode = S_IFSOCK;
#ifdef MAC
SOCK_LOCK(so);
- error = mac_check_socket_stat(active_cred, so);
+ error = mac_socket_check_stat(active_cred, so);
SOCK_UNLOCK(so);
if (error)
return (error);
diff --git a/sys/kern/sysv_msg.c b/sys/kern/sysv_msg.c
index bd5ca90..fe92186 100644
--- a/sys/kern/sysv_msg.c
+++ b/sys/kern/sysv_msg.c
@@ -224,7 +224,7 @@ msginit()
msghdrs[i-1].msg_next = &msghdrs[i];
msghdrs[i].msg_next = NULL;
#ifdef MAC
- mac_init_sysv_msgmsg(&msghdrs[i]);
+ mac_sysvmsg_init(&msghdrs[i]);
#endif
}
free_msghdrs = &msghdrs[0];
@@ -237,7 +237,7 @@ msginit()
msqids[i].u.msg_perm.seq = 0; /* reset to a known value */
msqids[i].u.msg_perm.mode = 0;
#ifdef MAC
- mac_init_sysv_msgqueue(&msqids[i]);
+ mac_sysvmsq_init(&msqids[i]);
#endif
}
mtx_init(&msq_mtx, "msq", NULL, MTX_DEF);
@@ -269,9 +269,9 @@ msgunload()
#ifdef MAC
for (i = 0; i < msginfo.msgtql; i++)
- mac_destroy_sysv_msgmsg(&msghdrs[i]);
+ mac_sysvmsg_destroy(&msghdrs[i]);
for (msqid = 0; msqid < msginfo.msgmni; msqid++)
- mac_destroy_sysv_msgqueue(&msqids[msqid]);
+ mac_sysvmsq_destroy(&msqids[msqid]);
#endif
free(msgpool, M_MSG);
free(msgmaps, M_MSG);
@@ -369,7 +369,7 @@ msg_freehdr(msghdr)
msghdr->msg_next = free_msghdrs;
free_msghdrs = msghdr;
#ifdef MAC
- mac_cleanup_sysv_msgmsg(msghdr);
+ mac_sysvmsg_cleanup(msghdr);
#endif
}
@@ -435,7 +435,7 @@ kern_msgctl(td, msqid, cmd, msqbuf)
goto done2;
}
#ifdef MAC
- error = mac_check_sysv_msqctl(td->td_ucred, msqkptr, cmd);
+ error = mac_sysvmsq_check_msqctl(td->td_ucred, msqkptr, cmd);
if (error != 0)
goto done2;
#endif
@@ -463,7 +463,7 @@ kern_msgctl(td, msqid, cmd, msqbuf)
*/
for (msghdr = msqkptr->u.msg_first; msghdr != NULL;
msghdr = msghdr->msg_next) {
- error = mac_check_sysv_msgrmid(td->td_ucred, msghdr);
+ error = mac_sysvmsq_check_msgrmid(td->td_ucred, msghdr);
if (error != 0)
goto done2;
}
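Review bot: `mac_sysvmsq_check_msgrmid(td->td_ucred, msghdr)` is passed only a message header, yet it carries the queue prefix `mac_sysvmsq_`, while the message lifecycle calls in this file use `mac_sysvmsg_` (`mac_sysvmsg_init`, `mac_sysvmsg_create`, `mac_sysvmsg_cleanup`). The same applies to the two `mac_sysvmsq_check_msgrcv(td->td_ucred, msghdr)` calls in the kern_msgrcv hunks further down. If the prefix is meant to name the labeled object being checked, `mac_sysvmsg_check_msgrmid` and `mac_sysvmsg_check_msgrcv` would be more consistent. If grouping by queue operation is intended, a one-line comment at their declaration saying so would save readers from guessing which label is consulted. kern_msgctl's body continues outside the hunk.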
@@ -490,7 +490,7 @@ kern_msgctl(td, msqid, cmd, msqbuf)
msqkptr->u.msg_qbytes = 0; /* Mark it as free */
#ifdef MAC
- mac_cleanup_sysv_msgqueue(msqkptr);
+ mac_sysvmsq_cleanup(msqkptr);
#endif
wakeup(msqkptr);
@@ -589,7 +589,7 @@ msgget(td, uap)
goto done2;
}
#ifdef MAC
- error = mac_check_sysv_msqget(cred, msqkptr);
+ error = mac_sysvmsq_check_msqget(cred, msqkptr);
if (error != 0)
goto done2;
#endif
@@ -636,7 +636,7 @@ msgget(td, uap)
msqkptr->u.msg_rtime = 0;
msqkptr->u.msg_ctime = time_second;
#ifdef MAC
- mac_create_sysv_msgqueue(cred, msqkptr);
+ mac_sysvmsq_create(cred, msqkptr);
#endif
} else {
DPRINTF(("didn't find it and wasn't asked to create it\n"));
@@ -705,7 +705,7 @@ kern_msgsnd(td, msqid, msgp, msgsz, msgflg, mtype)
}
#ifdef MAC
- error = mac_check_sysv_msqsnd(td->td_ucred, msqkptr);
+ error = mac_sysvmsq_check_msqsnd(td->td_ucred, msqkptr);
if (error != 0)
goto done2;
#endif
@@ -830,11 +830,11 @@ kern_msgsnd(td, msqid, msgp, msgsz, msgflg, mtype)
msghdr->msg_type = mtype;
#ifdef MAC
/*
- * XXXMAC: Should the mac_check_sysv_msgmsq check follow here
+ * XXXMAC: Should the mac_sysvmsq_check_msgmsq check follow here
* immediately? Or, should it be checked just before the msg is
* enqueued in the msgq (as it is done now)?
*/
- mac_create_sysv_msgmsg(td->td_ucred, msqkptr, msghdr);
+ mac_sysvmsg_create(td->td_ucred, msqkptr, msghdr);
#endif
/*
@@ -928,14 +928,14 @@ kern_msgsnd(td, msqid, msgp, msgsz, msgflg, mtype)
* Note: Since the task/thread allocates the msghdr and usually
* primes it with its own MAC label, for a majority of policies, it
* won't be necessary to check whether the msghdr has access
- * permissions to the msgq. The mac_check_sysv_msqsnd check would
+ * permissions to the msgq. The mac_sysvmsq_check_msqsnd check would
* suffice in that case. However, this hook may be required where
* individual policies derive a non-identical label for the msghdr
* from the current thread label and may want to check the msghdr
* enqueue permissions, along with read/write permissions to the
* msgq.
*/
- error = mac_check_sysv_msgmsq(td->td_ucred, msghdr, msqkptr);
+ error = mac_sysvmsq_check_msgmsq(td->td_ucred, msghdr, msqkptr);
if (error != 0) {
msg_freehdr(msghdr);
wakeup(msqkptr);
@@ -1042,7 +1042,7 @@ kern_msgrcv(td, msqid, msgp, msgsz, msgtyp, msgflg, mtype)
}
#ifdef MAC
- error = mac_check_sysv_msqrcv(td->td_ucred, msqkptr);
+ error = mac_sysvmsq_check_msqrcv(td->td_ucred, msqkptr);
if (error != 0)
goto done2;
#endif
@@ -1061,7 +1061,7 @@ kern_msgrcv(td, msqid, msgp, msgsz, msgtyp, msgflg, mtype)
goto done2;
}
#ifdef MAC
- error = mac_check_sysv_msgrcv(td->td_ucred,
+ error = mac_sysvmsq_check_msgrcv(td->td_ucred,
msghdr);
if (error != 0)
goto done2;
@@ -1106,7 +1106,7 @@ kern_msgrcv(td, msqid, msgp, msgsz, msgtyp, msgflg, mtype)
goto done2;
}
#ifdef MAC
- error = mac_check_sysv_msgrcv(
+ error = mac_sysvmsq_check_msgrcv(
td->td_ucred, msghdr);
if (error != 0)
goto done2;
diff --git a/sys/kern/sysv_sem.c b/sys/kern/sysv_sem.c
index 48548a2..bea7832 100644
--- a/sys/kern/sysv_sem.c
+++ b/sys/kern/sysv_sem.c
@@ -245,7 +245,7 @@ seminit(void)
sema[i].u.sem_perm.mode = 0;
sema[i].u.sem_perm.seq = 0;
#ifdef MAC
- mac_init_sysv_sem(&sema[i]);
+ mac_sysvsem_init(&sema[i]);
#endif
}
for (i = 0; i < seminfo.semmni; i++)
@@ -271,7 +271,7 @@ semunload(void)
EVENTHANDLER_DEREGISTER(process_exit, semexit_tag);
#ifdef MAC
for (i = 0; i < seminfo.semmni; i++)
- mac_destroy_sysv_sem(&sema[i]);
+ mac_sysvsem_destroy(&sema[i]);
#endif
free(sem, M_SEM);
free(sema, M_SEM);
@@ -639,7 +639,7 @@ kern_semctl(struct thread *td, int semid, int semnum, int cmd,
if ((error = ipcperm(td, &semakptr->u.sem_perm, IPC_R)))
goto done2;
#ifdef MAC
- error = mac_check_sysv_semctl(cred, semakptr, cmd);
+ error = mac_sysvsem_check_semctl(cred, semakptr, cmd);
if (error != 0)
goto done2;
#endif
@@ -657,7 +657,7 @@ kern_semctl(struct thread *td, int semid, int semnum, int cmd,
sema_mtxp = &sema_mtx[semidx];
mtx_lock(sema_mtxp);
#ifdef MAC
- error = mac_check_sysv_semctl(cred, semakptr, cmd);
+ error = mac_sysvsem_check_semctl(cred, semakptr, cmd);
if (error != 0)
goto done2;
#endif
@@ -683,7 +683,7 @@ kern_semctl(struct thread *td, int semid, int semnum, int cmd,
}
semakptr->u.sem_perm.mode = 0;
#ifdef MAC
- mac_cleanup_sysv_sem(semakptr);
+ mac_sysvsem_cleanup(semakptr);
#endif
SEMUNDO_LOCK();
semundo_clear(semidx, -1);
@@ -906,7 +906,7 @@ semget(td, uap)
goto done2;
}
#ifdef MAC
- error = mac_check_sysv_semget(cred, &sema[semid]);
+ error = mac_sysvsem_check_semget(cred, &sema[semid]);
if (error != 0)
goto done2;
#endif
@@ -955,7 +955,7 @@ semget(td, uap)
bzero(sema[semid].u.sem_base,
sizeof(sema[semid].u.sem_base[0])*nsems);
#ifdef MAC
- mac_create_sysv_sem(cred, &sema[semid]);
+ mac_sysvsem_create(cred, &sema[semid]);
#endif
DPRINTF(("sembase = %p, next = %p\n",
sema[semid].u.sem_base, &sem[semtot]));
@@ -1063,7 +1063,7 @@ semop(td, uap)
goto done2;
}
#ifdef MAC
- error = mac_check_sysv_semop(td->td_ucred, semakptr, j);
+ error = mac_sysvsem_check_semop(td->td_ucred, semakptr, j);
if (error != 0)
goto done2;
#endif
diff --git a/sys/kern/sysv_shm.c b/sys/kern/sysv_shm.c
index 574c3de..57b6c5e 100644
--- a/sys/kern/sysv_shm.c
+++ b/sys/kern/sysv_shm.c
@@ -255,7 +255,7 @@ shm_deallocate_segment(shmseg)
shm_nused--;
shmseg->u.shm_perm.mode = SHMSEG_FREE;
#ifdef MAC
- mac_cleanup_sysv_shm(shmseg);
+ mac_sysvshm_cleanup(shmseg);
#endif
}
@@ -322,7 +322,7 @@ shmdt(td, uap)
}
#ifdef MAC
shmsegptr = &shmsegs[IPCID_TO_IX(shmmap_s->shmid)];
- error = mac_check_sysv_shmdt(td->td_ucred, shmsegptr);
+ error = mac_sysvshm_check_shmdt(td->td_ucred, shmsegptr);
if (error != 0)
goto done2;
#endif
@@ -377,7 +377,7 @@ kern_shmat(td, shmid, shmaddr, shmflg)
if (error)
goto done2;
#ifdef MAC
- error = mac_check_sysv_shmat(td->td_ucred, shmseg, shmflg);
+ error = mac_sysvshm_check_shmat(td->td_ucred, shmseg, shmflg);
if (error != 0)
goto done2;
#endif
@@ -492,7 +492,7 @@ oshmctl(td, uap)
if (error)
goto done2;
#ifdef MAC
- error = mac_check_sysv_shmctl(td->td_ucred, shmseg, uap->cmd);
+ error = mac_sysvshm_check_shmctl(td->td_ucred, shmseg, uap->cmd);
if (error != 0)
goto done2;
#endif
@@ -575,7 +575,7 @@ kern_shmctl(td, shmid, cmd, buf, bufsz)
goto done2;
}
#ifdef MAC
- error = mac_check_sysv_shmctl(td->td_ucred, shmseg, cmd);
+ error = mac_sysvshm_check_shmctl(td->td_ucred, shmseg, cmd);
if (error != 0)
goto done2;
#endif
@@ -701,7 +701,7 @@ shmget_existing(td, uap, mode, segnum)
if ((uap->shmflg & (IPC_CREAT | IPC_EXCL)) == (IPC_CREAT | IPC_EXCL))
return (EEXIST);
#ifdef MAC
- error = mac_check_sysv_shmget(td->td_ucred, shmseg, uap->shmflg);
+ error = mac_sysvshm_check_shmget(td->td_ucred, shmseg, uap->shmflg);
if (error != 0)
return (error);
#endif
@@ -779,7 +779,7 @@ shmget_allocate_segment(td, uap, mode)
shmseg->u.shm_lpid = shmseg->u.shm_nattch = 0;
shmseg->u.shm_atime = shmseg->u.shm_dtime = 0;
#ifdef MAC
- mac_create_sysv_shm(cred, shmseg);
+ mac_sysvshm_create(cred, shmseg);
#endif
shmseg->u.shm_ctime = time_second;
shm_committed += btoc(size);
@@ -911,7 +911,7 @@ shmrealloc(void)
shmsegs[i].u.shm_perm.mode = SHMSEG_FREE;
shmsegs[i].u.shm_perm.seq = 0;
#ifdef MAC
- mac_init_sysv_shm(&shmsegs[i]);
+ mac_sysvshm_init(&shmsegs[i]);
#endif
}
free(shmsegs, M_SHM);
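Review bot: The label init in shmrealloc() is applied to `shmsegs[i]`, the array that `free(shmsegs, M_SHM)` releases on the line right after the loop, rather than to its replacement. The loop header and the new allocation are outside the hunk, but if `i` ranges over the newly added slots, as the function name suggests, the `shm_perm.mode`/`seq` stores and `mac_sysvshm_init(&shmsegs[i])` also write past the end of the old allocation and leave the new slots without an initialised MAC label. All three statements should target the replacement array, e.g. `mac_sysvshm_init(&NEW_ARRAY[i]);`, where NEW_ARRAY is a placeholder for the variable declared outside the hunk.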
@@ -943,7 +943,7 @@ shminit()
shmsegs[i].u.shm_perm.mode = SHMSEG_FREE;
shmsegs[i].u.shm_perm.seq = 0;
#ifdef MAC
- mac_init_sysv_shm(&shmsegs[i]);
+ mac_sysvshm_init(&shmsegs[i]);
#endif
}
shm_last_free = 0;
@@ -965,7 +965,7 @@ shmunload()
#ifdef MAC
for (i = 0; i < shmalloced; i++)
- mac_destroy_sysv_shm(&shmsegs[i]);
+ mac_sysvshm_destroy(&shmsegs[i]);
#endif
free(shmsegs, M_SHM);
shmexit_hook = NULL;
diff --git a/sys/kern/uipc_mbuf2.c b/sys/kern/uipc_mbuf2.c
index c8363f8..6fe83b0 100644
--- a/sys/kern/uipc_mbuf2.c
+++ b/sys/kern/uipc_mbuf2.c
@@ -309,7 +309,7 @@ m_tag_free_default(struct m_tag *t)
{
#ifdef MAC
if (t->m_tag_id == PACKET_TAG_MACLABEL)
- mac_destroy_mbuf_tag(t);
+ mac_mbuf_tag_destroy(t);
#endif
free(t, M_PACKET_TAGS);
}
@@ -413,11 +413,11 @@ m_tag_copy(struct m_tag *t, int how)
* special from the mbuf code?
*/
if (t->m_tag_id == PACKET_TAG_MACLABEL) {
- if (mac_init_mbuf_tag(p, how) != 0) {
+ if (mac_mbuf_tag_init(p, how) != 0) {
m_tag_free(p);
return (NULL);
}
- mac_copy_mbuf_tag(t, p);
+ mac_mbuf_tag_copy(t, p);
} else
#endif
bcopy(t + 1, p + 1, t->m_tag_len); /* Copy the data */
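Review bot: When `mac_mbuf_tag_init(p, how)` fails in m_tag_copy(), the error path calls `m_tag_free(p)`, and the previous hunk shows m_tag_free_default() calling `mac_mbuf_tag_destroy(t)` for any tag whose id is PACKET_TAG_MACLABEL. If p already carries that id and m_tag_free() dispatches to m_tag_free_default() (neither is visible here), the destroy hook would run on a label whose init did not succeed. It is worth confirming that a failed init leaves the label in a state the destroy path tolerates, and recording that at the call site with a comment such as `/* init failed: label must still be safe to destroy via m_tag_free() */`. m_tag_copy() starts and ends outside the hunk.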
diff --git a/sys/kern/uipc_sem.c b/sys/kern/uipc_sem.c
index c9903aa..588d6bf 100644
--- a/sys/kern/uipc_sem.c
+++ b/sys/kern/uipc_sem.c
@@ -215,8 +215,8 @@ sem_create(struct thread *td, const char *name, struct ksem **ksret,
cv_init(&ret->ks_cv, "sem");
LIST_INIT(&ret->ks_users);
#ifdef MAC
- mac_init_posix_sem(ret);
- mac_create_posix_sem(uc, ret);
+ mac_posixsem_init(ret);
+ mac_posixsem_create(uc, ret);
#endif
if (name != NULL)
sem_enter(td->td_proc, ret);
@@ -381,7 +381,7 @@ kern_sem_open(struct thread *td, int dir, const char *name, int oflag,
}
} else {
#ifdef MAC
- error = mac_check_posix_sem_open(td->td_ucred, ks);
+ error = mac_posixsem_check_open(td->td_ucred, ks);
if (error)
goto err_open;
#endif
@@ -540,7 +540,7 @@ kern_sem_unlink(struct thread *td, const char *name)
ks = sem_lookup_byname(name);
if (ks != NULL) {
#ifdef MAC
- error = mac_check_posix_sem_unlink(td->td_ucred, ks);
+ error = mac_posixsem_check_unlink(td->td_ucred, ks);
if (error) {
mtx_unlock(&sem_lock);
return (error);
@@ -614,7 +614,7 @@ kern_sem_post(struct thread *td, semid_t id)
goto err;
}
#ifdef MAC
- error = mac_check_posix_sem_post(td->td_ucred, ks);
+ error = mac_posixsem_check_post(td->td_ucred, ks);
if (error)
goto err;
#endif
@@ -709,7 +709,7 @@ kern_sem_wait(struct thread *td, semid_t id, int tryflag,
goto err;
}
#ifdef MAC
- error = mac_check_posix_sem_wait(td->td_ucred, ks);
+ error = mac_posixsem_check_wait(td->td_ucred, ks);
if (error) {
DP(("kern_sem_wait mac failed\n"));
goto err;
@@ -772,7 +772,7 @@ ksem_getvalue(struct thread *td, struct ksem_getvalue_args *uap)
return (EINVAL);
}
#ifdef MAC
- error = mac_check_posix_sem_getvalue(td->td_ucred, ks);
+ error = mac_posixsem_check_getvalue(td->td_ucred, ks);
if (error) {
mtx_unlock(&sem_lock);
return (error);
@@ -804,7 +804,7 @@ ksem_destroy(struct thread *td, struct ksem_destroy_args *uap)
goto err;
}
#ifdef MAC
- error = mac_check_posix_sem_destroy(td->td_ucred, ks);
+ error = mac_posixsem_check_destroy(td->td_ucred, ks);
if (error)
goto err;
#endif
diff --git a/sys/kern/uipc_socket.c b/sys/kern/uipc_socket.c
index e2cf09b..d89b435 100644
--- a/sys/kern/uipc_socket.c
+++ b/sys/kern/uipc_socket.c
@@ -267,7 +267,7 @@ soalloc(void)
if (so == NULL)
return (NULL);
#ifdef MAC
- if (mac_init_socket(so, M_NOWAIT) != 0) {
+ if (mac_socket_init(so, M_NOWAIT) != 0) {
uma_zfree(socket_zone, so);
return (NULL);
}
@@ -312,7 +312,7 @@ sodealloc(struct socket *so)
do_setopt_accept_filter(so, NULL);
#endif
#ifdef MAC
- mac_destroy_socket(so);
+ mac_socket_destroy(so);
#endif
crfree(so->so_cred);
sx_destroy(&so->so_snd.sb_sx);
@@ -362,7 +362,7 @@ socreate(int dom, struct socket **aso, int type, int proto,
so->so_cred = crhold(cred);
so->so_proto = prp;
#ifdef MAC
- mac_create_socket(cred, so);
+ mac_socket_create(cred, so);
#endif
knlist_init(&so->so_rcv.sb_sel.si_note, SOCKBUF_MTX(&so->so_rcv),
NULL, NULL, NULL);
@@ -429,7 +429,7 @@ sonewconn(struct socket *head, int connstatus)
so->so_cred = crhold(head->so_cred);
#ifdef MAC
SOCK_LOCK(head);
- mac_create_socket_from_socket(head, so);
+ mac_socket_newconn(head, so);
SOCK_UNLOCK(head);
#endif
knlist_init(&so->so_rcv.sb_sel.si_note, SOCKBUF_MTX(&so->so_rcv),
diff --git a/sys/kern/uipc_syscalls.c b/sys/kern/uipc_syscalls.c
index 2821a5e..faf7f24 100644
--- a/sys/kern/uipc_syscalls.c
+++ b/sys/kern/uipc_syscalls.c
@@ -165,7 +165,7 @@ socket(td, uap)
int fd, error;
#ifdef MAC
- error = mac_check_socket_create(td->td_ucred, uap->domain, uap->type,
+ error = mac_socket_check_create(td->td_ucred, uap->domain, uap->type,
uap->protocol);
if (error)
return (error);
@@ -229,7 +229,7 @@ kern_bind(td, fd, sa)
so = fp->f_data;
#ifdef MAC
SOCK_LOCK(so);
- error = mac_check_socket_bind(td->td_ucred, so, sa);
+ error = mac_socket_check_bind(td->td_ucred, so, sa);
SOCK_UNLOCK(so);
if (error)
goto done;
@@ -260,7 +260,7 @@ listen(td, uap)
so = fp->f_data;
#ifdef MAC
SOCK_LOCK(so);
- error = mac_check_socket_listen(td->td_ucred, so);
+ error = mac_socket_check_listen(td->td_ucred, so);
SOCK_UNLOCK(so);
if (error)
goto done;
@@ -360,7 +360,7 @@ kern_accept(struct thread *td, int s, struct sockaddr **name,
}
#ifdef MAC
SOCK_LOCK(head);
- error = mac_check_socket_accept(td->td_ucred, head);
+ error = mac_socket_check_accept(td->td_ucred, head);
SOCK_UNLOCK(head);
if (error != 0)
goto done;
@@ -550,7 +550,7 @@ kern_connect(td, fd, sa)
}
#ifdef MAC
SOCK_LOCK(so);
- error = mac_check_socket_connect(td->td_ucred, so, sa);
+ error = mac_socket_check_connect(td->td_ucred, so, sa);
SOCK_UNLOCK(so);
if (error)
goto bad;
@@ -604,7 +604,7 @@ socketpair(td, uap)
#ifdef MAC
/* We might want to have a separate check for socket pairs. */
- error = mac_check_socket_create(td->td_ucred, uap->domain, uap->type,
+ error = mac_socket_check_create(td->td_ucred, uap->domain, uap->type,
uap->protocol);
if (error)
return (error);
@@ -761,7 +761,7 @@ kern_sendit(td, s, mp, flags, control, segflg)
#ifdef MAC
SOCK_LOCK(so);
- error = mac_check_socket_send(td->td_ucred, so);
+ error = mac_socket_check_send(td->td_ucred, so);
SOCK_UNLOCK(so);
if (error)
goto bad;
@@ -956,7 +956,7 @@ kern_recvit(td, s, mp, fromseg, controlp)
#ifdef MAC
SOCK_LOCK(so);
- error = mac_check_socket_receive(td->td_ucred, so);
+ error = mac_socket_check_receive(td->td_ucred, so);
SOCK_UNLOCK(so);
if (error) {
fdrop(fp, td);
@@ -1849,7 +1849,7 @@ kern_sendfile(struct thread *td, struct sendfile_args *uap,
#ifdef MAC
SOCK_LOCK(so);
- error = mac_check_socket_send(td->td_ucred, so);
+ error = mac_socket_check_send(td->td_ucred, so);
SOCK_UNLOCK(so);
if (error)
goto out;
@@ -2354,7 +2354,7 @@ sctp_generic_sendmsg (td, uap)
so = (struct socket *)fp->f_data;
#ifdef MAC
SOCK_LOCK(so);
- error = mac_check_socket_send(td->td_ucred, so);
+ error = mac_socket_check_send(td->td_ucred, so);
SOCK_UNLOCK(so);
if (error)
goto sctp_bad;
@@ -2454,7 +2454,7 @@ sctp_generic_sendmsg_iov(td, uap)
so = (struct socket *)fp->f_data;
#ifdef MAC
SOCK_LOCK(so);
- error = mac_check_socket_send(td->td_ucred, so);
+ error = mac_socket_check_send(td->td_ucred, so);
SOCK_UNLOCK(so);
if (error)
goto sctp_bad;
@@ -2551,7 +2551,7 @@ sctp_generic_recvmsg(td, uap)
so = fp->f_data;
#ifdef MAC
SOCK_LOCK(so);
- error = mac_check_socket_receive(td->td_ucred, so);
+ error = mac_socket_check_receive(td->td_ucred, so);
SOCK_UNLOCK(so);
if (error) {
goto out;
diff --git a/sys/kern/uipc_usrreq.c b/sys/kern/uipc_usrreq.c
index 682496e..9fea71b4 100644
--- a/sys/kern/uipc_usrreq.c
+++ b/sys/kern/uipc_usrreq.c
@@ -449,7 +449,7 @@ restart:
vattr.va_type = VSOCK;
vattr.va_mode = (ACCESSPERMS & ~td->td_proc->p_fd->fd_cmask);
#ifdef MAC
- error = mac_check_vnode_create(td->td_ucred, nd.ni_dvp, &nd.ni_cnd,
+ error = mac_vnode_check_create(td->td_ucred, nd.ni_dvp, &nd.ni_cnd,
&vattr);
#endif
if (error == 0) {
@@ -1159,7 +1159,7 @@ unp_connect(struct socket *so, struct sockaddr *nam, struct thread *td)
goto bad;
}
#ifdef MAC
- error = mac_check_vnode_open(td->td_ucred, vp, VWRITE | VREAD);
+ error = mac_vnode_check_open(td->td_ucred, vp, VWRITE | VREAD);
if (error)
goto bad;
#endif
@@ -1236,8 +1236,8 @@ unp_connect(struct socket *so, struct sockaddr *nam, struct thread *td)
UNP_PCB_UNLOCK(unp);
#ifdef MAC
SOCK_LOCK(so);
- mac_set_socket_peer_from_socket(so, so3);
- mac_set_socket_peer_from_socket(so3, so);
+ mac_socketpeer_set_from_socket(so, so3);
+ mac_socketpeer_set_from_socket(so3, so);
SOCK_UNLOCK(so);
#endif
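Review bot: Both `mac_socketpeer_set_from_socket()` calls in unp_connect() run under `SOCK_LOCK(so)` only, yet the second call passes `so3` in the position where the first passes the socket being updated, so so3's peer label appears to be written without so3's socket lock. Whether another lock held at this point covers so3 is not visible in the hunk. I would add a comment stating which lock protects so3's label here, for example `/* so3's peer label is protected by <lock>; SOCK_LOCK(so) covers only so */`, with the placeholder filled in from the surrounding function.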
diff --git a/sys/kern/vfs_acl.c b/sys/kern/vfs_acl.c
index c2456be..ea33f66 100644
--- a/sys/kern/vfs_acl.c
+++ b/sys/kern/vfs_acl.c
@@ -93,7 +93,7 @@ vacl_set_acl(struct thread *td, struct vnode *vp, acl_type_t type,
VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE);
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
#ifdef MAC
- error = mac_check_vnode_setacl(td->td_ucred, vp, type, &inkernacl);
+ error = mac_vnode_check_setacl(td->td_ucred, vp, type, &inkernacl);
if (error != 0)
goto out;
#endif
@@ -119,7 +119,7 @@ vacl_get_acl(struct thread *td, struct vnode *vp, acl_type_t type,
VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE);
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
#ifdef MAC
- error = mac_check_vnode_getacl(td->td_ucred, vp, type);
+ error = mac_vnode_check_getacl(td->td_ucred, vp, type);
if (error != 0)
goto out;
#endif
@@ -148,7 +148,7 @@ vacl_delete(struct thread *td, struct vnode *vp, acl_type_t type)
VOP_LEASE(vp, td, td->td_ucred, LEASE_WRITE);
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
#ifdef MAC
- error = mac_check_vnode_deleteacl(td->td_ucred, vp, type);
+ error = mac_vnode_check_deleteacl(td->td_ucred, vp, type);
if (error)
goto out;
#endif
diff --git a/sys/kern/vfs_extattr.c b/sys/kern/vfs_extattr.c
index 48bfd66..0d414f8 100644
--- a/sys/kern/vfs_extattr.c
+++ b/sys/kern/vfs_extattr.c
@@ -180,7 +180,7 @@ extattr_set_vp(struct vnode *vp, int attrnamespace, const char *attrname,
cnt = nbytes;
#ifdef MAC
- error = mac_check_vnode_setextattr(td->td_ucred, vp, attrnamespace,
+ error = mac_vnode_check_setextattr(td->td_ucred, vp, attrnamespace,
attrname, &auio);
if (error)
goto done;
@@ -358,7 +358,7 @@ extattr_get_vp(struct vnode *vp, int attrnamespace, const char *attrname,
sizep = &size;
#ifdef MAC
- error = mac_check_vnode_getextattr(td->td_ucred, vp, attrnamespace,
+ error = mac_vnode_check_getextattr(td->td_ucred, vp, attrnamespace,
attrname, &auio);
if (error)
goto done;
@@ -512,7 +512,7 @@ extattr_delete_vp(struct vnode *vp, int attrnamespace, const char *attrname,
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
#ifdef MAC
- error = mac_check_vnode_deleteextattr(td->td_ucred, vp, attrnamespace,
+ error = mac_vnode_check_deleteextattr(td->td_ucred, vp, attrnamespace,
attrname);
if (error)
goto done;
@@ -676,7 +676,7 @@ extattr_list_vp(struct vnode *vp, int attrnamespace, void *data,
sizep = &size;
#ifdef MAC
- error = mac_check_vnode_listextattr(td->td_ucred, vp, attrnamespace);
+ error = mac_vnode_check_listextattr(td->td_ucred, vp, attrnamespace);
if (error)
goto done;
#endif
diff --git a/sys/kern/vfs_lookup.c b/sys/kern/vfs_lookup.c
index 6349c36..0841fd3 100644
--- a/sys/kern/vfs_lookup.c
+++ b/sys/kern/vfs_lookup.c
@@ -252,7 +252,7 @@ namei(struct nameidata *ndp)
}
#ifdef MAC
if ((cnp->cn_flags & NOMACCHECK) == 0) {
- error = mac_check_vnode_readlink(td->td_ucred,
+ error = mac_vnode_check_readlink(td->td_ucred,
ndp->ni_vp);
if (error)
break;
@@ -556,7 +556,7 @@ dirloop:
unionlookup:
#ifdef MAC
if ((cnp->cn_flags & NOMACCHECK) == 0) {
- error = mac_check_vnode_lookup(td->td_ucred, dp, cnp);
+ error = mac_vnode_check_lookup(td->td_ucred, dp, cnp);
if (error)
goto bad;
}
diff --git a/sys/kern/vfs_mount.c b/sys/kern/vfs_mount.c
index a109a3b..e8fbd50 100644
--- a/sys/kern/vfs_mount.c
+++ b/sys/kern/vfs_mount.c
@@ -488,8 +488,8 @@ vfs_mount_alloc(struct vnode *vp, struct vfsconf *vfsp,
strlcpy(mp->mnt_stat.f_mntonname, fspath, MNAMELEN);
mp->mnt_iosize_max = DFLTPHYS;
#ifdef MAC
- mac_init_mount(mp);
- mac_create_mount(td->td_ucred, mp);
+ mac_mount_init(mp);
+ mac_mount_create(td->td_ucred, mp);
#endif
arc4rand(&mp->mnt_hashseed, sizeof mp->mnt_hashseed, 0);
return (mp);
@@ -567,7 +567,7 @@ vfs_mount_destroy(struct mount *mp)
mp->mnt_secondary_writes = -1000;
MNT_IUNLOCK(mp);
#ifdef MAC
- mac_destroy_mount(mp);
+ mac_mount_destroy(mp);
#endif
if (mp->mnt_opt != NULL)
vfs_freeopts(mp->mnt_opt);
diff --git a/sys/kern/vfs_subr.c b/sys/kern/vfs_subr.c
index fce5beb..8dca49b 100644
--- a/sys/kern/vfs_subr.c
+++ b/sys/kern/vfs_subr.c
@@ -811,7 +811,7 @@ vdestroy(struct vnode *vp)
VNASSERT(LIST_EMPTY(&vp->v_cache_src), vp, ("vp has namecache src"));
VI_UNLOCK(vp);
#ifdef MAC
- mac_destroy_vnode(vp);
+ mac_vnode_destroy(vp);
#endif
if (vp->v_pollinfo != NULL) {
knlist_destroy(&vp->v_pollinfo->vpi_selinfo.si_note);
@@ -955,9 +955,9 @@ alloc:
v_incr_usecount(vp);
vp->v_data = 0;
#ifdef MAC
- mac_init_vnode(vp);
+ mac_vnode_init(vp);
if (mp != NULL && (mp->mnt_flag & MNT_MULTILABEL) == 0)
- mac_associate_vnode_singlelabel(mp, vp);
+ mac_vnode_associate_singlelabel(mp, vp);
else if (mp == NULL)
printf("NULL mp in getnewvnode()\n");
#endif
diff --git a/sys/kern/vfs_syscalls.c b/sys/kern/vfs_syscalls.c
index 07a8de1..20d722e 100644
--- a/sys/kern/vfs_syscalls.c
+++ b/sys/kern/vfs_syscalls.c
@@ -293,7 +293,7 @@ kern_statfs(struct thread *td, char *path, enum uio_seg pathseg,
NDFREE(&nd, NDF_ONLY_PNBUF);
vput(nd.ni_vp);
#ifdef MAC
- error = mac_check_mount_stat(td->td_ucred, mp);
+ error = mac_mount_check_stat(td->td_ucred, mp);
if (error)
goto out;
#endif
@@ -378,7 +378,7 @@ kern_fstatfs(struct thread *td, int fd, struct statfs *buf)
goto out;
}
#ifdef MAC
- error = mac_check_mount_stat(td->td_ucred, mp);
+ error = mac_mount_check_stat(td->td_ucred, mp);
if (error)
goto out;
#endif
@@ -470,7 +470,7 @@ kern_getfsstat(struct thread *td, struct statfs **buf, size_t bufsize,
continue;
}
#ifdef MAC
- if (mac_check_mount_stat(td->td_ucred, mp) != 0) {
+ if (mac_mount_check_stat(td->td_ucred, mp) != 0) {
nmp = TAILQ_NEXT(mp, mnt_list);
continue;
}
@@ -891,7 +891,7 @@ chroot(td, uap)
if ((error = change_dir(nd.ni_vp, td)) != 0)
goto e_vunlock;
#ifdef MAC
- if ((error = mac_check_vnode_chroot(td->td_ucred, nd.ni_vp)))
+ if ((error = mac_vnode_check_chroot(td->td_ucred, nd.ni_vp)))
goto e_vunlock;
#endif
VOP_UNLOCK(nd.ni_vp, 0, td);
@@ -923,7 +923,7 @@ change_dir(vp, td)
if (vp->v_type != VDIR)
return (ENOTDIR);
#ifdef MAC
- error = mac_check_vnode_chdir(td->td_ucred, vp);
+ error = mac_vnode_check_chdir(td->td_ucred, vp);
if (error)
return (error);
#endif
@@ -933,8 +933,8 @@ change_dir(vp, td)
/*
* Common routine for kern_chroot() and jail_attach(). The caller is
- * responsible for invoking priv_check() and mac_check_chroot() to authorize
- * this operation.
+ * responsible for invoking priv_check() and mac_vnode_check_chroot() to
+ * authorize this operation.
*/
int
change_root(vp, td)
@@ -1103,7 +1103,7 @@ kern_open(struct thread *td, char *path, enum uio_seg pathseg, int flags,
vat.va_size = 0;
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
#ifdef MAC
- error = mac_check_vnode_write(td->td_ucred, fp->f_cred, vp);
+ error = mac_vnode_check_write(td->td_ucred, fp->f_cred, vp);
if (error == 0)
#endif
error = VOP_SETATTR(vp, &vat, td->td_ucred, td);
@@ -1258,7 +1258,7 @@ restart:
}
#ifdef MAC
if (error == 0 && !whiteout)
- error = mac_check_vnode_create(td->td_ucred, nd.ni_dvp,
+ error = mac_vnode_check_create(td->td_ucred, nd.ni_dvp,
&nd.ni_cnd, &vattr);
#endif
if (!error) {
@@ -1341,7 +1341,7 @@ restart:
vattr.va_mode = (mode & ALLPERMS) & ~td->td_proc->p_fd->fd_cmask;
FILEDESC_SUNLOCK(td->td_proc->p_fd);
#ifdef MAC
- error = mac_check_vnode_create(td->td_ucred, nd.ni_dvp, &nd.ni_cnd,
+ error = mac_vnode_check_create(td->td_ucred, nd.ni_dvp, &nd.ni_cnd,
&vattr);
if (error)
goto out;
@@ -1467,7 +1467,7 @@ kern_link(struct thread *td, char *path, char *link, enum uio_seg segflg)
error = can_hardlink(vp, td, td->td_ucred);
if (error == 0)
#ifdef MAC
- error = mac_check_vnode_link(td->td_ucred,
+ error = mac_vnode_check_link(td->td_ucred,
nd.ni_dvp, vp, &nd.ni_cnd);
if (error == 0)
#endif
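Review bot: The two brace-less `if (error == 0)` lines in kern_link() straddle the `#ifdef MAC` block, so which statement each one guards depends on whether MAC is compiled in. A line inserted between them later would change what the permission check gates in only one build configuration. I would move the first test inside the conditional (`#ifdef MAC`, `if (error == 0)`, the `mac_vnode_check_link()` assignment, `#endif`) and keep one unconditional `if (error == 0)` in front of the statement that follows, which is outside the hunk. The same shape recurs in kern_open(), setfflags(), setfmode(), setfown(), vn_read(), vn_write() and the bpf_tap()/bpf_mtap()/bpf_mtap2() hunks of this diff.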
@@ -1555,7 +1555,7 @@ restart:
FILEDESC_SUNLOCK(td->td_proc->p_fd);
#ifdef MAC
vattr.va_type = VLNK;
- error = mac_check_vnode_create(td->td_ucred, nd.ni_dvp, &nd.ni_cnd,
+ error = mac_vnode_check_create(td->td_ucred, nd.ni_dvp, &nd.ni_cnd,
&vattr);
if (error)
goto out2;
@@ -1693,7 +1693,7 @@ restart:
goto restart;
}
#ifdef MAC
- error = mac_check_vnode_unlink(td->td_ucred, nd.ni_dvp, vp,
+ error = mac_vnode_check_unlink(td->td_ucred, nd.ni_dvp, vp,
&nd.ni_cnd);
if (error)
goto out;
@@ -1872,7 +1872,7 @@ vn_access(vp, user_flags, cred, td)
if (user_flags & X_OK)
flags |= VEXEC;
#ifdef MAC
- error = mac_check_vnode_access(cred, vp, flags);
+ error = mac_vnode_check_access(cred, vp, flags);
if (error)
return (error);
#endif
@@ -2341,7 +2341,7 @@ kern_readlink(struct thread *td, char *path, enum uio_seg pathseg, char *buf,
vfslocked = NDHASGIANT(&nd);
vp = nd.ni_vp;
#ifdef MAC
- error = mac_check_vnode_readlink(td->td_ucred, vp);
+ error = mac_vnode_check_readlink(td->td_ucred, vp);
if (error) {
vput(vp);
VFS_UNLOCK_GIANT(vfslocked);
@@ -2400,7 +2400,7 @@ setfflags(td, vp, flags)
VATTR_NULL(&vattr);
vattr.va_flags = flags;
#ifdef MAC
- error = mac_check_vnode_setflags(td->td_ucred, vp, vattr.va_flags);
+ error = mac_vnode_check_setflags(td->td_ucred, vp, vattr.va_flags);
if (error == 0)
#endif
error = VOP_SETATTR(vp, &vattr, td->td_ucred, td);
@@ -2528,7 +2528,7 @@ setfmode(td, vp, mode)
VATTR_NULL(&vattr);
vattr.va_mode = mode & ALLPERMS;
#ifdef MAC
- error = mac_check_vnode_setmode(td->td_ucred, vp, vattr.va_mode);
+ error = mac_vnode_check_setmode(td->td_ucred, vp, vattr.va_mode);
if (error == 0)
#endif
error = VOP_SETATTR(vp, &vattr, td->td_ucred, td);
@@ -2670,7 +2670,7 @@ setfown(td, vp, uid, gid)
vattr.va_uid = uid;
vattr.va_gid = gid;
#ifdef MAC
- error = mac_check_vnode_setowner(td->td_ucred, vp, vattr.va_uid,
+ error = mac_vnode_check_setowner(td->td_ucred, vp, vattr.va_uid,
vattr.va_gid);
if (error == 0)
#endif
@@ -2873,7 +2873,7 @@ setutimes(td, vp, ts, numtimes, nullflag)
if (nullflag)
vattr.va_vaflags |= VA_UTIMES_NULL;
#ifdef MAC
- error = mac_check_vnode_setutimes(td->td_ucred, vp, vattr.va_atime,
+ error = mac_vnode_check_setutimes(td->td_ucred, vp, vattr.va_atime,
vattr.va_mtime);
#endif
if (error == 0)
@@ -3069,7 +3069,7 @@ kern_truncate(struct thread *td, char *path, enum uio_seg pathseg, off_t length)
if (vp->v_type == VDIR)
error = EISDIR;
#ifdef MAC
- else if ((error = mac_check_vnode_write(td->td_ucred, NOCRED, vp))) {
+ else if ((error = mac_vnode_check_write(td->td_ucred, NOCRED, vp))) {
}
#endif
else if ((error = vn_writechk(vp)) == 0 &&
@@ -3129,7 +3129,7 @@ ftruncate(td, uap)
if (vp->v_type == VDIR)
error = EISDIR;
#ifdef MAC
- else if ((error = mac_check_vnode_write(td->td_ucred, fp->f_cred,
+ else if ((error = mac_vnode_check_write(td->td_ucred, fp->f_cred,
vp))) {
}
#endif
@@ -3315,7 +3315,7 @@ kern_rename(struct thread *td, char *from, char *to, enum uio_seg pathseg)
fvfslocked = NDHASGIANT(&fromnd);
tvfslocked = 0;
#ifdef MAC
- error = mac_check_vnode_rename_from(td->td_ucred, fromnd.ni_dvp,
+ error = mac_vnode_check_rename_from(td->td_ucred, fromnd.ni_dvp,
fromnd.ni_vp, &fromnd.ni_cnd);
VOP_UNLOCK(fromnd.ni_dvp, 0, td);
if (fromnd.ni_dvp != fromnd.ni_vp)
@@ -3366,7 +3366,7 @@ kern_rename(struct thread *td, char *from, char *to, enum uio_seg pathseg)
error = -1;
#ifdef MAC
else
- error = mac_check_vnode_rename_to(td->td_ucred, tdvp,
+ error = mac_vnode_check_rename_to(td->td_ucred, tdvp,
tond.ni_vp, fromnd.ni_dvp == tdvp, &tond.ni_cnd);
#endif
out:
@@ -3476,7 +3476,7 @@ restart:
vattr.va_mode = (mode & ACCESSPERMS) &~ td->td_proc->p_fd->fd_cmask;
FILEDESC_SUNLOCK(td->td_proc->p_fd);
#ifdef MAC
- error = mac_check_vnode_create(td->td_ucred, nd.ni_dvp, &nd.ni_cnd,
+ error = mac_vnode_check_create(td->td_ucred, nd.ni_dvp, &nd.ni_cnd,
&vattr);
if (error)
goto out;
@@ -3550,7 +3550,7 @@ restart:
goto out;
}
#ifdef MAC
- error = mac_check_vnode_unlink(td->td_ucred, nd.ni_dvp, vp,
+ error = mac_vnode_check_unlink(td->td_ucred, nd.ni_dvp, vp,
&nd.ni_cnd);
if (error)
goto out;
@@ -3641,7 +3641,7 @@ unionread:
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
loff = auio.uio_offset = fp->f_offset;
#ifdef MAC
- error = mac_check_vnode_readdir(td->td_ucred, vp);
+ error = mac_vnode_check_readdir(td->td_ucred, vp);
if (error) {
VOP_UNLOCK(vp, 0, td);
VFS_UNLOCK_GIANT(vfslocked);
@@ -3785,7 +3785,7 @@ unionread:
AUDIT_ARG(vnode, vp, ARG_VNODE1);
loff = auio.uio_offset = fp->f_offset;
#ifdef MAC
- error = mac_check_vnode_readdir(td->td_ucred, vp);
+ error = mac_vnode_check_readdir(td->td_ucred, vp);
if (error == 0)
#endif
error = VOP_READDIR(vp, &auio, fp->f_cred, &eofflag, NULL,
@@ -3903,7 +3903,7 @@ revoke(td, uap)
goto out;
}
#ifdef MAC
- error = mac_check_vnode_revoke(td->td_ucred, vp);
+ error = mac_vnode_check_revoke(td->td_ucred, vp);
if (error)
goto out;
#endif
@@ -4126,7 +4126,7 @@ fhopen(td, uap)
if (fmode & O_APPEND)
mode |= VAPPEND;
#ifdef MAC
- error = mac_check_vnode_open(td->td_ucred, vp, mode);
+ error = mac_vnode_check_open(td->td_ucred, vp, mode);
if (error)
goto bad;
#endif
@@ -4148,7 +4148,7 @@ fhopen(td, uap)
* We don't yet have fp->f_cred, so use td->td_ucred, which
* should be right.
*/
- error = mac_check_vnode_write(td->td_ucred, td->td_ucred, vp);
+ error = mac_vnode_check_write(td->td_ucred, td->td_ucred, vp);
if (error == 0) {
#endif
VATTR_NULL(vap);
@@ -4337,7 +4337,7 @@ kern_fhstatfs(struct thread *td, fhandle_t fh, struct statfs *buf)
if (error)
goto out;
#ifdef MAC
- error = mac_check_mount_stat(td->td_ucred, mp);
+ error = mac_mount_check_stat(td->td_ucred, mp);
if (error)
goto out;
#endif
diff --git a/sys/kern/vfs_vnops.c b/sys/kern/vfs_vnops.c
index 4f5305e..5083574 100644
--- a/sys/kern/vfs_vnops.c
+++ b/sys/kern/vfs_vnops.c
@@ -148,7 +148,7 @@ restart:
goto restart;
}
#ifdef MAC
- error = mac_check_vnode_create(cred, ndp->ni_dvp,
+ error = mac_vnode_check_create(cred, ndp->ni_dvp,
&ndp->ni_cnd, vap);
if (error == 0) {
#endif
@@ -213,7 +213,7 @@ restart:
if (fmode & O_APPEND)
mode |= VAPPEND;
#ifdef MAC
- error = mac_check_vnode_open(cred, vp, mode);
+ error = mac_vnode_check_open(cred, vp, mode);
if (error)
goto bad;
#endif
@@ -387,10 +387,10 @@ vn_rdwr(rw, vp, base, len, offset, segflg, ioflg, active_cred, file_cred,
#ifdef MAC
if ((ioflg & IO_NOMACCHECK) == 0) {
if (rw == UIO_READ)
- error = mac_check_vnode_read(active_cred, file_cred,
+ error = mac_vnode_check_read(active_cred, file_cred,
vp);
else
- error = mac_check_vnode_write(active_cred, file_cred,
+ error = mac_vnode_check_write(active_cred, file_cred,
vp);
}
#endif
@@ -520,7 +520,7 @@ vn_read(fp, uio, active_cred, flags, td)
ioflag |= sequential_heuristic(uio, fp);
#ifdef MAC
- error = mac_check_vnode_read(active_cred, fp->f_cred, vp);
+ error = mac_vnode_check_read(active_cred, fp->f_cred, vp);
if (error == 0)
#endif
error = VOP_READ(vp, uio, ioflag, fp->f_cred);
@@ -580,7 +580,7 @@ vn_write(fp, uio, active_cred, flags, td)
uio->uio_offset = fp->f_offset;
ioflag |= sequential_heuristic(uio, fp);
#ifdef MAC
- error = mac_check_vnode_write(active_cred, fp->f_cred, vp);
+ error = mac_vnode_check_write(active_cred, fp->f_cred, vp);
if (error == 0)
#endif
error = VOP_WRITE(vp, uio, ioflag, fp->f_cred);
@@ -635,7 +635,7 @@ vn_stat(vp, sb, active_cred, file_cred, td)
u_short mode;
#ifdef MAC
- error = mac_check_vnode_stat(active_cred, file_cred, vp);
+ error = mac_vnode_check_stat(active_cred, file_cred, vp);
if (error)
return (error);
#endif
@@ -783,7 +783,7 @@ vn_poll(fp, events, active_cred, td)
vfslocked = VFS_LOCK_GIANT(vp->v_mount);
#ifdef MAC
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
- error = mac_check_vnode_poll(active_cred, fp->f_cred, vp);
+ error = mac_vnode_check_poll(active_cred, fp->f_cred, vp);
VOP_UNLOCK(vp, 0, td);
if (!error)
#endif
diff --git a/sys/net/bpf.c b/sys/net/bpf.c
index 7af9f3c..2d6630a 100644
--- a/sys/net/bpf.c
+++ b/sys/net/bpf.c
@@ -416,8 +416,8 @@ bpfopen(struct cdev *dev, int flags, int fmt, struct thread *td)
d->bd_direction = BPF_D_INOUT;
d->bd_pid = td->td_proc->p_pid;
#ifdef MAC
- mac_init_bpfdesc(d);
- mac_create_bpfdesc(td->td_ucred, d);
+ mac_bpfdesc_init(d);
+ mac_bpfdesc_create(td->td_ucred, d);
#endif
mtx_init(&d->bd_mtx, devtoname(dev), "bpf cdev lock", MTX_DEF);
callout_init(&d->bd_callout, CALLOUT_MPSAFE);
@@ -448,7 +448,7 @@ bpfclose(struct cdev *dev, int flags, int fmt, struct thread *td)
mtx_unlock(&bpf_mtx);
selwakeuppri(&d->bd_sel, PRINET);
#ifdef MAC
- mac_destroy_bpfdesc(d);
+ mac_bpfdesc_destroy(d);
#endif /* MAC */
knlist_destroy(&d->bd_sel.si_note);
bpf_freed(d);
@@ -656,9 +656,9 @@ bpfwrite(struct cdev *dev, struct uio *uio, int ioflag)
#ifdef MAC
BPFD_LOCK(d);
- mac_create_mbuf_from_bpfdesc(d, m);
+ mac_bpfdesc_create_mbuf(d, m);
if (mc != NULL)
- mac_create_mbuf_from_bpfdesc(d, mc);
+ mac_bpfdesc_create_mbuf(d, mc);
BPFD_UNLOCK(d);
#endif
@@ -1299,7 +1299,7 @@ bpf_tap(struct bpf_if *bp, u_char *pkt, u_int pktlen)
gottime = 1;
}
#ifdef MAC
- if (mac_check_bpfdesc_receive(d, bp->bif_ifp) == 0)
+ if (mac_bpfdesc_check_receive(d, bp->bif_ifp) == 0)
#endif
catchpacket(d, pkt, pktlen, slen, bcopy, &tv);
}
@@ -1378,7 +1378,7 @@ bpf_mtap(struct bpf_if *bp, struct mbuf *m)
gottime = 1;
}
#ifdef MAC
- if (mac_check_bpfdesc_receive(d, bp->bif_ifp) == 0)
+ if (mac_bpfdesc_check_receive(d, bp->bif_ifp) == 0)
#endif
catchpacket(d, (u_char *)m, pktlen, slen,
bpf_mcopy, &tv);
@@ -1433,7 +1433,7 @@ bpf_mtap2(struct bpf_if *bp, void *data, u_int dlen, struct mbuf *m)
gottime = 1;
}
#ifdef MAC
- if (mac_check_bpfdesc_receive(d, bp->bif_ifp) == 0)
+ if (mac_bpfdesc_check_receive(d, bp->bif_ifp) == 0)
#endif
catchpacket(d, (u_char *)&mb, pktlen, slen,
bpf_mcopy, &tv);
diff --git a/sys/net/bsd_comp.c b/sys/net/bsd_comp.c
index 139f772..3506196 100644
--- a/sys/net/bsd_comp.c
+++ b/sys/net/bsd_comp.c
@@ -881,7 +881,7 @@ bsd_decompress(state, cmp, dmpp)
wptr = mtod(dmp, u_char *);
space = M_TRAILINGSPACE(dmp) - PPP_HDRLEN + 1;
#ifdef MAC
- mac_copy_mbuf(cmp, dmp);
+ mac_mbuf_copy(cmp, dmp);
#endif
/*
diff --git a/sys/net/if.c b/sys/net/if.c
index 0b602bc..a6db03d 100644
--- a/sys/net/if.c
+++ b/sys/net/if.c
@@ -478,8 +478,8 @@ if_attach(struct ifnet *ifp)
ifp->if_data.ifi_datalen = sizeof(struct if_data);
#ifdef MAC
- mac_init_ifnet(ifp);
- mac_create_ifnet(ifp);
+ mac_ifnet_init(ifp);
+ mac_ifnet_create(ifp);
#endif
ifdev_byindex(ifp->if_index) = make_dev(&net_cdevsw,
@@ -758,7 +758,7 @@ if_detach(struct ifnet *ifp)
IF_AFDATA_UNLOCK(ifp);
#ifdef MAC
- mac_destroy_ifnet(ifp);
+ mac_ifnet_destroy(ifp);
#endif /* MAC */
KNOTE_UNLOCKED(&ifp->if_klist, NOTE_EXIT);
knlist_clear(&ifp->if_klist, 0);
@@ -1534,7 +1534,7 @@ ifhwioctl(u_long cmd, struct ifnet *ifp, caddr_t data, struct thread *td)
#ifdef MAC
case SIOCGIFMAC:
- error = mac_ioctl_ifnet_get(td->td_ucred, ifr, ifp);
+ error = mac_ifnet_ioctl_get(td->td_ucred, ifr, ifp);
break;
#endif
@@ -1610,7 +1610,7 @@ ifhwioctl(u_long cmd, struct ifnet *ifp, caddr_t data, struct thread *td)
#ifdef MAC
case SIOCSIFMAC:
- error = mac_ioctl_ifnet_set(td->td_ucred, ifr, ifp);
+ error = mac_ifnet_ioctl_set(td->td_ucred, ifr, ifp);
break;
#endif
diff --git a/sys/net/if_atmsubr.c b/sys/net/if_atmsubr.c
index b84b08a..9d1a7fa 100644
--- a/sys/net/if_atmsubr.c
+++ b/sys/net/if_atmsubr.c
@@ -134,7 +134,7 @@ atm_output(struct ifnet *ifp, struct mbuf *m0, struct sockaddr *dst,
u_int32_t atm_flags;
#ifdef MAC
- error = mac_check_ifnet_transmit(ifp, m);
+ error = mac_ifnet_check_transmit(ifp, m);
if (error)
senderr(error);
#endif
@@ -261,7 +261,7 @@ atm_input(struct ifnet *ifp, struct atm_pseudohdr *ah, struct mbuf *m,
return;
}
#ifdef MAC
- mac_create_mbuf_from_ifnet(ifp, m);
+ mac_ifnet_create_mbuf(ifp, m);
#endif
ifp->if_ibytes += m->m_pkthdr.len;
diff --git a/sys/net/if_ethersubr.c b/sys/net/if_ethersubr.c
index a06a6cd..e3d3620 100644
--- a/sys/net/if_ethersubr.c
+++ b/sys/net/if_ethersubr.c
@@ -157,7 +157,7 @@ ether_output(struct ifnet *ifp, struct mbuf *m,
int hlen; /* link layer header length */
#ifdef MAC
- error = mac_check_ifnet_transmit(ifp, m);
+ error = mac_ifnet_check_transmit(ifp, m);
if (error)
senderr(error);
#endif
@@ -570,7 +570,7 @@ ether_input(struct ifnet *ifp, struct mbuf *m)
* Tag the mbuf with an appropriate MAC label before any other
* consumers can get to it.
*/
- mac_create_mbuf_from_ifnet(ifp, m);
+ mac_ifnet_create_mbuf(ifp, m);
#endif
/*
diff --git a/sys/net/if_fddisubr.c b/sys/net/if_fddisubr.c
index a2fd00b..7152eac 100644
--- a/sys/net/if_fddisubr.c
+++ b/sys/net/if_fddisubr.c
@@ -121,7 +121,7 @@ fddi_output(ifp, m, dst, rt0)
struct fddi_header *fh;
#ifdef MAC
- error = mac_check_ifnet_transmit(ifp, m);
+ error = mac_ifnet_check_transmit(ifp, m);
if (error)
senderr(error);
#endif
@@ -407,7 +407,7 @@ fddi_input(ifp, m)
}
#ifdef MAC
- mac_create_mbuf_from_ifnet(ifp, m);
+ mac_ifnet_create_mbuf(ifp, m);
#endif
/*
diff --git a/sys/net/if_fwsubr.c b/sys/net/if_fwsubr.c
index b1c68d2..e001c29 100644
--- a/sys/net/if_fwsubr.c
+++ b/sys/net/if_fwsubr.c
@@ -91,7 +91,7 @@ firewire_output(struct ifnet *ifp, struct mbuf *m, struct sockaddr *dst,
static int next_dgl;
#ifdef MAC
- error = mac_check_ifnet_transmit(ifp, m);
+ error = mac_ifnet_check_transmit(ifp, m);
if (error)
goto bad;
#endif
@@ -557,7 +557,7 @@ firewire_input(struct ifnet *ifp, struct mbuf *m, uint16_t src)
* Tag the mbuf with an appropriate MAC label before any other
* consumers can get to it.
*/
- mac_create_mbuf_from_ifnet(ifp, m);
+ mac_ifnet_create_mbuf(ifp, m);
#endif
/*
diff --git a/sys/net/if_gif.c b/sys/net/if_gif.c
index dfe69bd..4743a05 100644
--- a/sys/net/if_gif.c
+++ b/sys/net/if_gif.c
@@ -360,7 +360,7 @@ gif_output(ifp, m, dst, rt)
u_int32_t af;
#ifdef MAC
- error = mac_check_ifnet_transmit(ifp, m);
+ error = mac_ifnet_check_transmit(ifp, m);
if (error) {
m_freem(m);
goto end;
@@ -479,7 +479,7 @@ gif_input(m, af, ifp)
m->m_pkthdr.rcvif = ifp;
#ifdef MAC
- mac_create_mbuf_from_ifnet(ifp, m);
+ mac_ifnet_create_mbuf(ifp, m);
#endif
if (bpf_peers_present(ifp->if_bpf)) {
diff --git a/sys/net/if_iso88025subr.c b/sys/net/if_iso88025subr.c
index 8dca499..7abf585 100644
--- a/sys/net/if_iso88025subr.c
+++ b/sys/net/if_iso88025subr.c
@@ -244,7 +244,7 @@ iso88025_output(ifp, m, dst, rt0)
struct rtentry *rt = NULL;
#ifdef MAC
- error = mac_check_ifnet_transmit(ifp, m);
+ error = mac_ifnet_check_transmit(ifp, m);
if (error)
senderr(error);
#endif
@@ -503,7 +503,7 @@ iso88025_input(ifp, m)
}
#ifdef MAC
- mac_create_mbuf_from_ifnet(ifp, m);
+ mac_ifnet_create_mbuf(ifp, m);
#endif
/*
diff --git a/sys/net/if_ppp.c b/sys/net/if_ppp.c
index 462b7c5..5030ac58 100644
--- a/sys/net/if_ppp.c
+++ b/sys/net/if_ppp.c
@@ -815,7 +815,7 @@ pppoutput(ifp, m0, dst, rtp)
int len;
#ifdef MAC
- error = mac_check_ifnet_transmit(ifp, m0);
+ error = mac_ifnet_check_transmit(ifp, m0);
if (error)
goto bad;
#endif
@@ -1231,7 +1231,7 @@ pppintr()
if (m == NULL)
break;
#ifdef MAC
- mac_create_mbuf_from_ifnet(PPP2IFP(sc), m);
+ mac_ifnet_create_mbuf(PPP2IFP(sc), m);
#endif
ppp_inproc(sc, m);
}
@@ -1509,7 +1509,7 @@ ppp_inproc(sc, m)
}
}
#ifdef MAC
- mac_copy_mbuf(m, mp);
+ mac_mbuf_copy(m, mp);
#endif
cp = mtod(mp, u_char *);
cp[0] = adrs;
@@ -1563,7 +1563,7 @@ ppp_inproc(sc, m)
MGETHDR(mp, M_DONTWAIT, MT_DATA);
if (mp != NULL) {
#ifdef MAC
- mac_copy_mbuf(m, mp);
+ mac_mbuf_copy(m, mp);
#endif
m_copydata(m, 0, ilen, mtod(mp, caddr_t));
m_freem(m);
diff --git a/sys/net/if_stf.c b/sys/net/if_stf.c
index dfb9aea..8f70df6 100644
--- a/sys/net/if_stf.c
+++ b/sys/net/if_stf.c
@@ -406,7 +406,7 @@ stf_output(ifp, m, dst, rt)
#ifdef MAC
int error;
- error = mac_check_ifnet_transmit(ifp, m);
+ error = mac_ifnet_check_transmit(ifp, m);
if (error) {
m_freem(m);
return (error);
@@ -674,7 +674,7 @@ in_stf_input(m, off)
ifp = STF2IFP(sc);
#ifdef MAC
- mac_create_mbuf_from_ifnet(ifp, m);
+ mac_ifnet_create_mbuf(ifp, m);
#endif
/*
diff --git a/sys/net/if_tun.c b/sys/net/if_tun.c
index 61f08d7..cf4a3b9 100644
--- a/sys/net/if_tun.c
+++ b/sys/net/if_tun.c
@@ -579,7 +579,7 @@ tunoutput(
TUNDEBUG (ifp, "tunoutput\n");
#ifdef MAC
- error = mac_check_ifnet_transmit(ifp, m0);
+ error = mac_ifnet_check_transmit(ifp, m0);
if (error) {
m_freem(m0);
return (error);
@@ -875,7 +875,7 @@ tunwrite(struct cdev *dev, struct uio *uio, int flag)
m->m_pkthdr.rcvif = ifp;
#ifdef MAC
- mac_create_mbuf_from_ifnet(ifp, m);
+ mac_ifnet_create_mbuf(ifp, m);
#endif
/* Could be unlocked read? */
diff --git a/sys/netatalk/ddp_input.c b/sys/netatalk/ddp_input.c
index 7e15cb1..2e7dac8 100644
--- a/sys/netatalk/ddp_input.c
+++ b/sys/netatalk/ddp_input.c
@@ -411,7 +411,7 @@ ddp_input(struct mbuf *m, struct ifnet *ifp, struct elaphdr *elh, int phase)
#ifdef MAC
SOCK_LOCK(ddp->ddp_socket);
- if (mac_check_socket_deliver(ddp->ddp_socket, m) != 0) {
+ if (mac_socket_check_deliver(ddp->ddp_socket, m) != 0) {
SOCK_UNLOCK(ddp->ddp_socket);
goto out;
}
diff --git a/sys/netatalk/ddp_output.c b/sys/netatalk/ddp_output.c
index c67264e..bc85fcb 100644
--- a/sys/netatalk/ddp_output.c
+++ b/sys/netatalk/ddp_output.c
@@ -54,7 +54,7 @@ ddp_output(struct mbuf *m, struct socket *so)
#ifdef MAC
SOCK_LOCK(so);
- mac_create_mbuf_from_socket(so, m);
+ mac_socket_create_mbuf(so, m);
SOCK_UNLOCK(so);
#endif
@@ -200,7 +200,7 @@ ddp_route(struct mbuf *m, struct route *ro)
return (ENOBUFS);
}
#ifdef MAC
- mac_copy_mbuf(m, m0);
+ mac_mbuf_copy(m, m0);
#endif
m0->m_next = m;
/* XXX perhaps we ought to align the header? */
diff --git a/sys/netinet/in_pcb.c b/sys/netinet/in_pcb.c
index d85251e..c1727ca 100644
--- a/sys/netinet/in_pcb.c
+++ b/sys/netinet/in_pcb.c
@@ -187,11 +187,11 @@ in_pcballoc(struct socket *so, struct inpcbinfo *pcbinfo)
inp->inp_pcbinfo = pcbinfo;
inp->inp_socket = so;
#ifdef MAC
- error = mac_init_inpcb(inp, M_NOWAIT);
+ error = mac_inpcb_init(inp, M_NOWAIT);
if (error != 0)
goto out;
SOCK_LOCK(so);
- mac_create_inpcb_from_socket(so, inp);
+ mac_inpcb_create(so, inp);
SOCK_UNLOCK(so);
#endif
@@ -725,7 +725,7 @@ in_pcbfree(struct inpcb *inp)
inp->inp_vflag = 0;
#ifdef MAC
- mac_destroy_inpcb(inp);
+ mac_inpcb_destroy(inp);
#endif
INP_UNLOCK(inp);
uma_zfree(ipi->ipi_zone, inp);
diff --git a/sys/netinet/ip_divert.c b/sys/netinet/ip_divert.c
index 35208ff..ee81288 100644
--- a/sys/netinet/ip_divert.c
+++ b/sys/netinet/ip_divert.c
@@ -376,7 +376,7 @@ div_output(struct socket *so, struct mbuf *m, struct sockaddr_in *sin,
ipstat.ips_rawout++; /* XXX */
#ifdef MAC
- mac_create_mbuf_from_inpcb(inp, m);
+ mac_inpcb_create_mbuf(inp, m);
#endif
/*
* Get ready to inject the packet into ip_output().
@@ -439,7 +439,7 @@ div_output(struct socket *so, struct mbuf *m, struct sockaddr_in *sin,
}
#ifdef MAC
SOCK_LOCK(so);
- mac_create_mbuf_from_socket(so, m);
+ mac_socket_create_mbuf(so, m);
SOCK_UNLOCK(so);
#endif
/* Send packet to input processing via netisr */
diff --git a/sys/netinet/ip_fw2.c b/sys/netinet/ip_fw2.c
index 2519519..db407e5 100644
--- a/sys/netinet/ip_fw2.c
+++ b/sys/netinet/ip_fw2.c
@@ -1619,9 +1619,9 @@ send_pkt(struct mbuf *replyto, struct ipfw_flow_id *id, u_int32_t seq,
#ifdef MAC
if (replyto != NULL)
- mac_create_mbuf_netlayer(replyto, m);
+ mac_mbuf_create_netlayer(replyto, m);
else
- mac_create_mbuf_from_firewall(m);
+ mac_mbuf_create_from_firewall(m);
#else
(void)replyto; /* don't warn about unused arg */
#endif
diff --git a/sys/netinet/ip_icmp.c b/sys/netinet/ip_icmp.c
index f5843a0..35718c9 100644
--- a/sys/netinet/ip_icmp.c
+++ b/sys/netinet/ip_icmp.c
@@ -221,7 +221,7 @@ stdreply: icmpelen = max(8, min(icmp_quotelen, oip->ip_len - oiphlen));
if (m == NULL)
goto freeit;
#ifdef MAC
- mac_create_mbuf_netlayer(n, m);
+ mac_mbuf_create_netlayer(n, m);
#endif
icmplen = min(icmplen, M_TRAILINGSPACE(m) - sizeof(struct ip) - ICMP_MINLEN);
m_align(m, ICMP_MINLEN + icmplen);
@@ -699,7 +699,7 @@ icmp_reflect(struct mbuf *m)
}
match:
#ifdef MAC
- mac_reflect_mbuf_icmp(m);
+ mac_netinet_icmp_reply(m);
#endif
t = IA_SIN(ia)->sin_addr;
ip->ip_src = t;
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index 20bdd6f..7f8703f 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -776,7 +776,7 @@ ip_reass(struct mbuf *m)
ip->ip_src.s_addr == fp->ipq_src.s_addr &&
ip->ip_dst.s_addr == fp->ipq_dst.s_addr &&
#ifdef MAC
- mac_fragment_match(m, fp) &&
+ mac_ipq_match(m, fp) &&
#endif
ip->ip_p == fp->ipq_p)
goto found;
@@ -852,12 +852,12 @@ found:
if (fp == NULL)
goto dropfrag;
#ifdef MAC
- if (mac_init_ipq(fp, M_NOWAIT) != 0) {
+ if (mac_ipq_init(fp, M_NOWAIT) != 0) {
uma_zfree(ipq_zone, fp);
fp = NULL;
goto dropfrag;
}
- mac_create_ipq(m, fp);
+ mac_ipq_create(m, fp);
#endif
TAILQ_INSERT_HEAD(head, fp, ipq_list);
nipq++;
@@ -873,7 +873,7 @@ found:
} else {
fp->ipq_nfrags++;
#ifdef MAC
- mac_update_ipq(m, fp);
+ mac_ipq_update(m, fp);
#endif
}
@@ -1015,8 +1015,8 @@ found:
m->m_pkthdr.csum_data =
(m->m_pkthdr.csum_data & 0xffff) + (m->m_pkthdr.csum_data >> 16);
#ifdef MAC
- mac_create_datagram_from_ipq(fp, m);
- mac_destroy_ipq(fp);
+ mac_ipq_reassemble(fp, m);
+ mac_ipq_destroy(fp);
#endif
/*
diff --git a/sys/netinet/ip_options.c b/sys/netinet/ip_options.c
index d1c0594..f190df1 100644
--- a/sys/netinet/ip_options.c
+++ b/sys/netinet/ip_options.c
@@ -508,7 +508,7 @@ ip_insertoptions(struct mbuf *m, struct mbuf *opt, int *phlen)
M_MOVE_PKTHDR(n, m);
n->m_pkthdr.rcvif = NULL;
#ifdef MAC
- mac_copy_mbuf(m, n);
+ mac_mbuf_copy(m, n);
#endif
n->m_pkthdr.len += optlen;
m->m_len -= sizeof(struct ip);
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index 261a15f..4105fe4 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -733,7 +733,7 @@ smart_frag_failure:
m->m_pkthdr.len = mhlen + len;
m->m_pkthdr.rcvif = NULL;
#ifdef MAC
- mac_create_fragment(m0, m);
+ mac_netinet_fragment(m0, m);
#endif
m->m_pkthdr.csum_flags = m0->m_pkthdr.csum_flags;
mhip->ip_off = htons(mhip->ip_off);
diff --git a/sys/netinet/raw_ip.c b/sys/netinet/raw_ip.c
index 1d0ced5..f23aaf1 100644
--- a/sys/netinet/raw_ip.c
+++ b/sys/netinet/raw_ip.c
@@ -164,7 +164,7 @@ raw_append(struct inpcb *last, struct ip *ip, struct mbuf *n)
}
#endif /* IPSEC */
#ifdef MAC
- if (!policyfail && mac_check_inpcb_deliver(last, n) != 0)
+ if (!policyfail && mac_inpcb_check_deliver(last, n) != 0)
policyfail = 1;
#endif
/* Check the minimum TTL for socket. */
@@ -330,7 +330,7 @@ rip_output(struct mbuf *m, struct socket *so, u_long dst)
flags |= IP_SENDONES;
#ifdef MAC
- mac_create_mbuf_from_inpcb(inp, m);
+ mac_inpcb_create_mbuf(inp, m);
#endif
error = ip_output(m, inp->inp_options, NULL, flags,
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index 4e69016..deb31fb 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -534,7 +534,7 @@ findpcb:
#ifdef MAC
INP_LOCK_ASSERT(inp);
- if (mac_check_inpcb_deliver(inp, m))
+ if (mac_inpcb_check_deliver(inp, m))
goto dropunlock;
#endif
so = inp->inp_socket;
@@ -1278,7 +1278,7 @@ tcp_do_segment(struct mbuf *m, struct tcphdr *th, struct socket *so,
soisconnected(so);
#ifdef MAC
SOCK_LOCK(so);
- mac_set_socket_peer_from_mbuf(m, so);
+ mac_socketpeer_set_from_mbuf(m, so);
SOCK_UNLOCK(so);
#endif
/* Do window scaling on this connection? */
diff --git a/sys/netinet/tcp_output.c b/sys/netinet/tcp_output.c
index c554ffb..58a4ad9 100644
--- a/sys/netinet/tcp_output.c
+++ b/sys/netinet/tcp_output.c
@@ -846,7 +846,7 @@ send:
SOCKBUF_UNLOCK_ASSERT(&so->so_snd);
m->m_pkthdr.rcvif = (struct ifnet *)0;
#ifdef MAC
- mac_create_mbuf_from_inpcb(tp->t_inpcb, m);
+ mac_inpcb_create_mbuf(tp->t_inpcb, m);
#endif
#ifdef INET6
if (isipv6) {
diff --git a/sys/netinet/tcp_subr.c b/sys/netinet/tcp_subr.c
index 64d1835..688a5d2 100644
--- a/sys/netinet/tcp_subr.c
+++ b/sys/netinet/tcp_subr.c
@@ -525,13 +525,13 @@ tcp_respond(struct tcpcb *tp, void *ipgen, struct tcphdr *th, struct mbuf *m,
* label of the response to reflect the socket label.
*/
INP_LOCK_ASSERT(inp);
- mac_create_mbuf_from_inpcb(inp, m);
+ mac_inpcb_create_mbuf(inp, m);
} else {
/*
* Packet is not associated with a socket, so possibly
* update the label in place.
*/
- mac_reflect_mbuf_tcp(m);
+ mac_netinet_tcp_reply(m);
}
#endif
nth->th_seq = htonl(seq);
diff --git a/sys/netinet/tcp_syncache.c b/sys/netinet/tcp_syncache.c
index aaee985..430640a 100644
--- a/sys/netinet/tcp_syncache.c
+++ b/sys/netinet/tcp_syncache.c
@@ -640,7 +640,7 @@ syncache_socket(struct syncache *sc, struct socket *lso, struct mbuf *m)
}
#ifdef MAC
SOCK_LOCK(so);
- mac_set_socket_peer_from_mbuf(m, so);
+ mac_socketpeer_set_from_mbuf(m, so);
SOCK_UNLOCK(so);
#endif
diff --git a/sys/netinet/tcp_timewait.c b/sys/netinet/tcp_timewait.c
index d31e99c..6882642 100644
--- a/sys/netinet/tcp_timewait.c
+++ b/sys/netinet/tcp_timewait.c
@@ -540,7 +540,7 @@ tcp_twrespond(struct tcptw *tw, int flags)
m->m_data += max_linkhdr;
#ifdef MAC
- mac_create_mbuf_from_inpcb(inp, m);
+ mac_inpcb_create_mbuf(inp, m);
#endif
#ifdef INET6
diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c
index 3e122bf..d55377f 100644
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@@ -206,7 +206,7 @@ udp_append(struct inpcb *inp, struct ip *ip, struct mbuf *n, int off,
}
#endif /* IPSEC */
#ifdef MAC
- if (mac_check_inpcb_deliver(inp, n) != 0) {
+ if (mac_inpcb_check_deliver(inp, n) != 0) {
m_freem(n);
return;
}
@@ -843,7 +843,7 @@ udp_output(struct inpcb *inp, struct mbuf *m, struct sockaddr *addr,
INP_LOCK(inp);
#ifdef MAC
- mac_create_mbuf_from_inpcb(inp, m);
+ mac_inpcb_create_mbuf(inp, m);
#endif
/*
diff --git a/sys/netinet6/udp6_usrreq.c b/sys/netinet6/udp6_usrreq.c
index b443ead..e9c7328 100644
--- a/sys/netinet6/udp6_usrreq.c
+++ b/sys/netinet6/udp6_usrreq.c
@@ -138,7 +138,7 @@ udp6_append(struct inpcb *inp, struct mbuf *n, int off,
}
#endif /* IPSEC */
#ifdef MAC
- if (mac_check_inpcb_deliver(inp, n) != 0) {
+ if (mac_inpcb_check_deliver(inp, n) != 0) {
m_freem(n);
return;
}
@@ -990,7 +990,7 @@ udp6_send(struct socket *so, int flags, struct mbuf *m,
}
#endif
#ifdef MAC
- mac_create_mbuf_from_inpcb(inp, m);
+ mac_inpcb_create_mbuf(inp, m);
#endif
error = udp6_output(inp, m, addr, control, td);
out:
diff --git a/sys/security/audit/audit_syscalls.c b/sys/security/audit/audit_syscalls.c
index fa037ab..f9865f5 100644
--- a/sys/security/audit/audit_syscalls.c
+++ b/sys/security/audit/audit_syscalls.c
@@ -114,7 +114,7 @@ audit(struct thread *td, struct audit_args *uap)
}
#ifdef MAC
- error = mac_check_system_audit(td->td_ucred, rec, uap->length);
+ error = mac_system_check_audit(td->td_ucred, rec, uap->length);
if (error)
goto free_out;
#endif
@@ -166,7 +166,7 @@ auditon(struct thread *td, struct auditon_args *uap)
AUDIT_ARG(cmd, uap->cmd);
#ifdef MAC
- error = mac_check_system_auditon(td->td_ucred, uap->cmd);
+ error = mac_system_check_auditon(td->td_ucred, uap->cmd);
if (error)
return (error);
#endif
@@ -470,7 +470,7 @@ setauid(struct thread *td, struct setauid_args *uap)
oldcred = td->td_proc->p_ucred;
crcopy(newcred, oldcred);
#ifdef MAC
- error = mac_check_proc_setauid(oldcred, id);
+ error = mac_proc_check_setauid(oldcred, id);
if (error)
goto fail;
#endif
@@ -533,7 +533,7 @@ setaudit(struct thread *td, struct setaudit_args *uap)
oldcred = td->td_proc->p_ucred;
crcopy(newcred, oldcred);
#ifdef MAC
- error = mac_check_proc_setaudit(oldcred, &ai);
+ error = mac_proc_check_setaudit(oldcred, &ai);
if (error)
goto fail;
#endif
@@ -596,7 +596,7 @@ setaudit_addr(struct thread *td, struct setaudit_addr_args *uap)
oldcred = td->td_proc->p_ucred;
crcopy(newcred, oldcred);
#ifdef MAC
- error = mac_check_proc_setaudit_addr(oldcred, &aia);
+ error = mac_proc_check_setaudit_addr(oldcred, &aia);
if (error)
goto fail;
#endif
@@ -655,7 +655,7 @@ auditctl(struct thread *td, struct auditctl_args *uap)
vfslocked = NDHASGIANT(&nd);
vp = nd.ni_vp;
#ifdef MAC
- error = mac_check_system_auditctl(td->td_ucred, vp);
+ error = mac_system_check_auditctl(td->td_ucred, vp);
VOP_UNLOCK(vp, 0, td);
if (error) {
vn_close(vp, AUDIT_CLOSE_FLAGS, td->td_ucred, td);
diff --git a/sys/security/mac/mac_audit.c b/sys/security/mac/mac_audit.c
index 69731c7..d8cd8e6 100644
--- a/sys/security/mac/mac_audit.c
+++ b/sys/security/mac/mac_audit.c
@@ -2,6 +2,7 @@
* Copyright (c) 1999-2002 Robert N. M. Watson
* Copyright (c) 2001 Ilmar S. Habibulin
* Copyright (c) 2001-2004 Networks Associates Technology, Inc.
+ * Copyright (c) 2006 SPARTA, Inc.
*
* This software was developed by Robert Watson and Ilmar Habibulin for the
* TrustedBSD Project.
@@ -11,6 +12,9 @@
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
* as part of the DARPA CHATS research program.
*
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract
+ * N66001-04-C-6019 ("SEFOS").
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -46,66 +50,66 @@
#include <security/mac/mac_policy.h>
int
-mac_check_proc_setaudit(struct ucred *cred, struct auditinfo *ai)
+mac_proc_check_setaudit(struct ucred *cred, struct auditinfo *ai)
{
int error;
- MAC_CHECK(check_proc_setaudit, cred, ai);
+ MAC_CHECK(proc_check_setaudit, cred, ai);
return (error);
}
int
-mac_check_proc_setaudit_addr(struct ucred *cred, struct auditinfo_addr *aia)
+mac_proc_check_setaudit_addr(struct ucred *cred, struct auditinfo_addr *aia)
{
int error;
- MAC_CHECK(check_proc_setaudit_addr, cred, aia);
+ MAC_CHECK(proc_check_setaudit_addr, cred, aia);
return (error);
}
int
-mac_check_proc_setauid(struct ucred *cred, uid_t auid)
+mac_proc_check_setauid(struct ucred *cred, uid_t auid)
{
int error;
- MAC_CHECK(check_proc_setauid, cred, auid);
+ MAC_CHECK(proc_check_setauid, cred, auid);
return (error);
}
int
-mac_check_system_audit(struct ucred *cred, void *record, int length)
+mac_system_check_audit(struct ucred *cred, void *record, int length)
{
int error;
- MAC_CHECK(check_system_audit, cred, record, length);
+ MAC_CHECK(system_check_audit, cred, record, length);
return (error);
}
int
-mac_check_system_auditctl(struct ucred *cred, struct vnode *vp)
+mac_system_check_auditctl(struct ucred *cred, struct vnode *vp)
{
int error;
struct label *vl;
- ASSERT_VOP_LOCKED(vp, "mac_check_system_auditctl");
+ ASSERT_VOP_LOCKED(vp, "mac_system_check_auditctl");
vl = (vp != NULL) ? vp->v_label : NULL;
- MAC_CHECK(check_system_auditctl, cred, vp, vl);
+ MAC_CHECK(system_check_auditctl, cred, vp, vl);
return (error);
}
int
-mac_check_system_auditon(struct ucred *cred, int cmd)
+mac_system_check_auditon(struct ucred *cred, int cmd)
{
int error;
- MAC_CHECK(check_system_auditon, cred, cmd);
+ MAC_CHECK(system_check_auditon, cred, cmd);
return (error);
}
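Review bot: `mac_system_check_auditctl` selects `vl` with an explicit `vp != NULL` test, but nothing in the function says when a NULL vnode is expected, and `ASSERT_VOP_LOCKED(vp, ...)` is applied to the same pointer one line earlier. A header comment would settle the contract, e.g. `/* vp must be locked; if vp is NULL the policies are called with a NULL label. */`, if that is the intent. The auditctl caller shown in the audit_syscalls.c hunk unlocks `vp` unconditionally after the check, so it is worth confirming whether NULL can reach this function at all.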
diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h
index d9ede98..a00b90f 100644
--- a/sys/security/mac/mac_framework.h
+++ b/sys/security/mac/mac_framework.h
@@ -90,44 +90,44 @@ struct vop_setlabel_args;
/*
* Kernel functions to manage and evaluate labels.
*/
-void mac_init_bpfdesc(struct bpf_d *);
-void mac_init_cred(struct ucred *);
-void mac_init_devfs(struct devfs_dirent *);
-void mac_init_ifnet(struct ifnet *);
-int mac_init_inpcb(struct inpcb *, int);
-void mac_init_sysv_msgmsg(struct msg *);
-void mac_init_sysv_msgqueue(struct msqid_kernel *);
-void mac_init_sysv_sem(struct semid_kernel *);
-void mac_init_sysv_shm(struct shmid_kernel *);
-int mac_init_ipq(struct ipq *, int);
-int mac_init_socket(struct socket *, int);
-void mac_init_pipe(struct pipepair *);
-void mac_init_posix_sem(struct ksem *);
-int mac_init_mbuf(struct mbuf *, int);
-int mac_init_mbuf_tag(struct m_tag *, int);
-void mac_init_mount(struct mount *);
-void mac_init_proc(struct proc *);
-void mac_init_vnode(struct vnode *);
-void mac_copy_mbuf(struct mbuf *, struct mbuf *);
-void mac_copy_mbuf_tag(struct m_tag *, struct m_tag *);
-void mac_copy_vnode_label(struct label *, struct label *);
-void mac_destroy_bpfdesc(struct bpf_d *);
-void mac_destroy_cred(struct ucred *);
-void mac_destroy_devfs(struct devfs_dirent *);
-void mac_destroy_ifnet(struct ifnet *);
-void mac_destroy_inpcb(struct inpcb *);
-void mac_destroy_sysv_msgmsg(struct msg *);
-void mac_destroy_sysv_msgqueue(struct msqid_kernel *);
-void mac_destroy_sysv_sem(struct semid_kernel *);
-void mac_destroy_sysv_shm(struct shmid_kernel *);
-void mac_destroy_ipq(struct ipq *);
-void mac_destroy_socket(struct socket *);
-void mac_destroy_pipe(struct pipepair *);
-void mac_destroy_posix_sem(struct ksem *);
-void mac_destroy_proc(struct proc *);
-void mac_destroy_mbuf_tag(struct m_tag *);
-void mac_destroy_mount(struct mount *);
-void mac_destroy_vnode(struct vnode *);
+void mac_bpfdesc_init(struct bpf_d *);
+void mac_cred_init(struct ucred *);
+void mac_devfs_init(struct devfs_dirent *);
+void mac_ifnet_init(struct ifnet *);
+int mac_inpcb_init(struct inpcb *, int);
+void mac_sysvmsg_init(struct msg *);
+void mac_sysvmsq_init(struct msqid_kernel *);
+void mac_sysvsem_init(struct semid_kernel *);
+void mac_sysvshm_init(struct shmid_kernel *);
+int mac_ipq_init(struct ipq *, int);
+int mac_socket_init(struct socket *, int);
+void mac_pipe_init(struct pipepair *);
+void mac_posixsem_init(struct ksem *);
+int mac_mbuf_init(struct mbuf *, int);
+int mac_mbuf_tag_init(struct m_tag *, int);
+void mac_mount_init(struct mount *);
+void mac_proc_init(struct proc *);
+void mac_vnode_init(struct vnode *);
+void mac_mbuf_copy(struct mbuf *, struct mbuf *);
+void mac_mbuf_tag_copy(struct m_tag *, struct m_tag *);
+void mac_vnode_copy_label(struct label *, struct label *);
+void mac_bpfdesc_destroy(struct bpf_d *);
+void mac_cred_destroy(struct ucred *);
+void mac_devfs_destroy(struct devfs_dirent *);
+void mac_ifnet_destroy(struct ifnet *);
+void mac_inpcb_destroy(struct inpcb *);
+void mac_sysvmsg_destroy(struct msg *);
+void mac_sysvmsq_destroy(struct msqid_kernel *);
+void mac_sysvsem_destroy(struct semid_kernel *);
+void mac_sysvshm_destroy(struct shmid_kernel *);
+void mac_ipq_destroy(struct ipq *);
+void mac_socket_destroy(struct socket *);
+void mac_pipe_destroy(struct pipepair *);
+void mac_posixsem_destroy(struct ksem *);
+void mac_proc_destroy(struct proc *);
+void mac_mbuf_tag_destroy(struct m_tag *);
+void mac_mount_destroy(struct mount *);
+void mac_vnode_destroy(struct vnode *);
struct label *mac_cred_label_alloc(void);
void mac_cred_label_free(struct label *);
@@ -138,75 +138,73 @@ void mac_vnode_label_free(struct label *);
* Labeling event operations: file system objects, and things that look a lot
* like file system objects.
*/
-void mac_associate_vnode_devfs(struct mount *mp, struct devfs_dirent *de,
+void mac_devfs_vnode_associate(struct mount *mp, struct devfs_dirent *de,
struct vnode *vp);
-int mac_associate_vnode_extattr(struct mount *mp, struct vnode *vp);
-void mac_associate_vnode_singlelabel(struct mount *mp, struct vnode *vp);
-void mac_create_devfs_device(struct ucred *cred, struct mount *mp,
+int mac_vnode_associate_extattr(struct mount *mp, struct vnode *vp);
+void mac_vnode_associate_singlelabel(struct mount *mp, struct vnode *vp);
+void mac_devfs_create_device(struct ucred *cred, struct mount *mp,
struct cdev *dev, struct devfs_dirent *de);
-void mac_create_devfs_directory(struct mount *mp, char *dirname,
+void mac_devfs_create_directory(struct mount *mp, char *dirname,
int dirnamelen, struct devfs_dirent *de);
-void mac_create_devfs_symlink(struct ucred *cred, struct mount *mp,
+void mac_devfs_create_symlink(struct ucred *cred, struct mount *mp,
struct devfs_dirent *dd, struct devfs_dirent *de);
-int mac_create_vnode_extattr(struct ucred *cred, struct mount *mp,
+int mac_vnode_create_extattr(struct ucred *cred, struct mount *mp,
struct vnode *dvp, struct vnode *vp, struct componentname *cnp);
-void mac_create_mount(struct ucred *cred, struct mount *mp);
-void mac_relabel_vnode(struct ucred *cred, struct vnode *vp,
+void mac_mount_create(struct ucred *cred, struct mount *mp);
+void mac_vnode_relabel(struct ucred *cred, struct vnode *vp,
struct label *newlabel);
-void mac_update_devfs(struct mount *mp, struct devfs_dirent *de,
+void mac_devfs_update(struct mount *mp, struct devfs_dirent *de,
struct vnode *vp);
/*
* Labeling event operations: IPC objects.
*/
-void mac_create_mbuf_from_socket(struct socket *so, struct mbuf *m);
-void mac_create_socket(struct ucred *cred, struct socket *so);
-void mac_create_socket_from_socket(struct socket *oldso,
+void mac_socket_create_mbuf(struct socket *so, struct mbuf *m);
+void mac_socket_create(struct ucred *cred, struct socket *so);
+void mac_socket_newconn(struct socket *oldso, struct socket *newso);
+void mac_socketpeer_set_from_mbuf(struct mbuf *m, struct socket *so);
+void mac_socketpeer_set_from_socket(struct socket *oldso,
struct socket *newso);
-void mac_set_socket_peer_from_mbuf(struct mbuf *m, struct socket *so);
-void mac_set_socket_peer_from_socket(struct socket *oldso,
- struct socket *newso);
-void mac_create_pipe(struct ucred *cred, struct pipepair *pp);
+void mac_pipe_create(struct ucred *cred, struct pipepair *pp);
/*
* Labeling event operations: System V IPC primitives
*/
-void mac_create_sysv_msgmsg(struct ucred *cred,
- struct msqid_kernel *msqkptr, struct msg *msgptr);
-void mac_create_sysv_msgqueue(struct ucred *cred,
- struct msqid_kernel *msqkptr);
-void mac_create_sysv_sem(struct ucred *cred,
+void mac_sysvmsg_create(struct ucred *cred, struct msqid_kernel *msqkptr,
+ struct msg *msgptr);
+void mac_sysvmsq_create(struct ucred *cred, struct msqid_kernel *msqkptr);
+void mac_sysvsem_create(struct ucred *cred,
struct semid_kernel *semakptr);
-void mac_create_sysv_shm(struct ucred *cred,
+void mac_sysvshm_create(struct ucred *cred,
struct shmid_kernel *shmsegptr);
/*
* Labeling event operations: POSIX (global/inter-process) semaphores.
*/
-void mac_create_posix_sem(struct ucred *cred, struct ksem *ks);
+void mac_posixsem_create(struct ucred *cred, struct ksem *ks);
/*
* Labeling event operations: network objects.
*/
-void mac_create_bpfdesc(struct ucred *cred, struct bpf_d *d);
-void mac_create_ifnet(struct ifnet *ifp);
-void mac_create_inpcb_from_socket(struct socket *so, struct inpcb *inp);
-void mac_create_ipq(struct mbuf *m, struct ipq *ipq);
-void mac_create_datagram_from_ipq(struct ipq *ipq, struct mbuf *m);
-void mac_create_fragment(struct mbuf *m, struct mbuf *frag);
-void mac_create_mbuf_from_inpcb(struct inpcb *inp, struct mbuf *m);
+void mac_bpfdesc_create(struct ucred *cred, struct bpf_d *d);
+void mac_ifnet_create(struct ifnet *ifp);
+void mac_inpcb_create(struct socket *so, struct inpcb *inp);
+void mac_ipq_create(struct mbuf *m, struct ipq *ipq);
+void mac_ipq_reassemble(struct ipq *ipq, struct mbuf *m);
+void mac_netinet_fragment(struct mbuf *m, struct mbuf *frag);
+void mac_inpcb_create_mbuf(struct inpcb *inp, struct mbuf *m);
void mac_create_mbuf_linklayer(struct ifnet *ifp, struct mbuf *m);
-void mac_create_mbuf_from_bpfdesc(struct bpf_d *d, struct mbuf *m);
-void mac_create_mbuf_from_ifnet(struct ifnet *ifp, struct mbuf *m);
-void mac_create_mbuf_multicast_encap(struct mbuf *m, struct ifnet *ifp,
+void mac_bpfdesc_create_mbuf(struct bpf_d *d, struct mbuf *m);
+void mac_ifnet_create_mbuf(struct ifnet *ifp, struct mbuf *m);
+void mac_mbuf_create_multicast_encap(struct mbuf *m, struct ifnet *ifp,
struct mbuf *mnew);
-void mac_create_mbuf_netlayer(struct mbuf *m, struct mbuf *mnew);
-int mac_fragment_match(struct mbuf *m, struct ipq *ipq);
-void mac_reflect_mbuf_icmp(struct mbuf *m);
-void mac_reflect_mbuf_tcp(struct mbuf *m);
-void mac_update_ipq(struct mbuf *m, struct ipq *ipq);
+void mac_mbuf_create_netlayer(struct mbuf *m, struct mbuf *mnew);
+int mac_ipq_match(struct mbuf *m, struct ipq *ipq);
+void mac_netinet_icmp_reply(struct mbuf *m);
+void mac_netinet_tcp_reply(struct mbuf *m);
+void mac_ipq_update(struct mbuf *m, struct ipq *ipq);
void mac_inpcb_sosetlabel(struct socket *so, struct inpcb *inp);
-void mac_create_mbuf_from_firewall(struct mbuf *m);
+void mac_mbuf_create_from_firewall(struct mbuf *m);
void mac_destroy_syncache(struct label **l);
int mac_init_syncache(struct label **l);
void mac_init_syncache_from_inpcb(struct label *l, struct inpcb *inp);
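Review bot: Several prototypes in this block keep the old verb-first form while their neighbours move to the object-first `mac_<object>_<method>` form. `mac_create_mbuf_linklayer`, `mac_destroy_syncache`, `mac_init_syncache` and `mac_init_syncache_from_inpcb` are unchanged context lines here, and `mac_create_mbuf_from_syncache` still appears in the next hunk header. If these are deliberately deferred, a one-line comment above them such as `/* XXX: not yet converted to the object-first naming convention. */` would tell policy authors and callers which spelling is current. Otherwise they are candidates for the same rename, so that the label entry points can be audited by object prefix.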
@@ -215,16 +213,17 @@ void mac_create_mbuf_from_syncache(struct label *l, struct mbuf *m);
/*
* Labeling event operations: processes.
*/
-void mac_copy_cred(struct ucred *cr1, struct ucred *cr2);
+void mac_cred_copy(struct ucred *cr1, struct ucred *cr2);
int mac_execve_enter(struct image_params *imgp, struct mac *mac_p);
void mac_execve_exit(struct image_params *imgp);
-void mac_execve_transition(struct ucred *oldcred, struct ucred *newcred,
+void mac_vnode_execve_transition(struct ucred *oldcred,
+ struct ucred *newcred, struct vnode *vp,
+ struct label *interpvnodelabel, struct image_params *imgp);
+int mac_vnode_execve_will_transition(struct ucred *cred,
struct vnode *vp, struct label *interpvnodelabel,
struct image_params *imgp);
-int mac_execve_will_transition(struct ucred *cred, struct vnode *vp,
- struct label *interpvnodelabel, struct image_params *imgp);
-void mac_create_proc0(struct ucred *cred);
-void mac_create_proc1(struct ucred *cred);
+void mac_proc_create_swapper(struct ucred *cred);
+void mac_proc_create_init(struct ucred *cred);
void mac_thread_userret(struct thread *td);
/*
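Review bot: `mac_proc_create_swapper` and `mac_proc_create_init` are named for a process but take only a `struct ucred *`, and the new names drop the proc0/proc1 numbering that the old ones carried. A comment on the pair would record the mapping, e.g. `/* Label the credentials of the swapper (proc0) and init (proc1). */`. That reading is inferred from the removed names, so verify it against the implementations, which are not part of this hunk. In the same block, `mac_execve_enter` and `mac_execve_exit` keep their unprefixed form next to the new `mac_vnode_execve_transition`, and it would help to note whether that is intentional.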
@@ -238,177 +237,177 @@ void mac_thread_userret(struct thread *td);
* XXXRW: These object methods are inconsistent with the life cycles of other
* objects, and likely should be revised to be more consistent.
*/
-void mac_cleanup_sysv_msgmsg(struct msg *msgptr);
-void mac_cleanup_sysv_msgqueue(struct msqid_kernel *msqkptr);
-void mac_cleanup_sysv_sem(struct semid_kernel *semakptr);
-void mac_cleanup_sysv_shm(struct shmid_kernel *shmsegptr);
+void mac_sysvmsg_cleanup(struct msg *msgptr);
+void mac_sysvmsq_cleanup(struct msqid_kernel *msqkptr);
+void mac_sysvsem_cleanup(struct semid_kernel *semakptr);
+void mac_sysvshm_cleanup(struct shmid_kernel *shmsegptr);
/*
* Access control checks.
*/
-int mac_check_bpfdesc_receive(struct bpf_d *d, struct ifnet *ifp);
-int mac_check_cred_visible(struct ucred *cr1, struct ucred *cr2);
-int mac_check_ifnet_transmit(struct ifnet *ifp, struct mbuf *m);
-int mac_check_inpcb_deliver(struct inpcb *inp, struct mbuf *m);
-int mac_check_sysv_msgmsq(struct ucred *cred, struct msg *msgptr,
+int mac_bpfdesc_check_receive(struct bpf_d *d, struct ifnet *ifp);
+int mac_cred_check_visible(struct ucred *cr1, struct ucred *cr2);
+int mac_ifnet_check_transmit(struct ifnet *ifp, struct mbuf *m);
+int mac_inpcb_check_deliver(struct inpcb *inp, struct mbuf *m);
+int mac_sysvmsq_check_msgmsq(struct ucred *cred, struct msg *msgptr,
struct msqid_kernel *msqkptr);
-int mac_check_sysv_msgrcv(struct ucred *cred, struct msg *msgptr);
-int mac_check_sysv_msgrmid(struct ucred *cred, struct msg *msgptr);
-int mac_check_sysv_msqget(struct ucred *cred,
+int mac_sysvmsq_check_msgrcv(struct ucred *cred, struct msg *msgptr);
+int mac_sysvmsq_check_msgrmid(struct ucred *cred, struct msg *msgptr);
+int mac_sysvmsq_check_msqget(struct ucred *cred,
struct msqid_kernel *msqkptr);
-int mac_check_sysv_msqsnd(struct ucred *cred,
+int mac_sysvmsq_check_msqsnd(struct ucred *cred,
struct msqid_kernel *msqkptr);
-int mac_check_sysv_msqrcv(struct ucred *cred,
+int mac_sysvmsq_check_msqrcv(struct ucred *cred,
struct msqid_kernel *msqkptr);
-int mac_check_sysv_msqctl(struct ucred *cred,
+int mac_sysvmsq_check_msqctl(struct ucred *cred,
struct msqid_kernel *msqkptr, int cmd);
-int mac_check_sysv_semctl(struct ucred *cred,
+int mac_sysvsem_check_semctl(struct ucred *cred,
struct semid_kernel *semakptr, int cmd);
-int mac_check_sysv_semget(struct ucred *cred,
+int mac_sysvsem_check_semget(struct ucred *cred,
struct semid_kernel *semakptr);
-int mac_check_sysv_semop(struct ucred *cred,struct semid_kernel *semakptr,
- size_t accesstype);
-int mac_check_sysv_shmat(struct ucred *cred,
+int mac_sysvsem_check_semop(struct ucred *cred,
+ struct semid_kernel *semakptr, size_t accesstype);
+int mac_sysvshm_check_shmat(struct ucred *cred,
struct shmid_kernel *shmsegptr, int shmflg);
-int mac_check_sysv_shmctl(struct ucred *cred,
+int mac_sysvshm_check_shmctl(struct ucred *cred,
struct shmid_kernel *shmsegptr, int cmd);
-int mac_check_sysv_shmdt(struct ucred *cred,
+int mac_sysvshm_check_shmdt(struct ucred *cred,
struct shmid_kernel *shmsegptr);
-int mac_check_sysv_shmget(struct ucred *cred,
+int mac_sysvshm_check_shmget(struct ucred *cred,
struct shmid_kernel *shmsegptr, int shmflg);
-int mac_check_kenv_dump(struct ucred *cred);
-int mac_check_kenv_get(struct ucred *cred, char *name);
-int mac_check_kenv_set(struct ucred *cred, char *name, char *value);
-int mac_check_kenv_unset(struct ucred *cred, char *name);
-int mac_check_kld_load(struct ucred *cred, struct vnode *vp);
-int mac_check_kld_stat(struct ucred *cred);
-int mac_check_mount_stat(struct ucred *cred, struct mount *mp);
-int mac_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp,
+int mac_kenv_check_dump(struct ucred *cred);
+int mac_kenv_check_get(struct ucred *cred, char *name);
+int mac_kenv_check_set(struct ucred *cred, char *name, char *value);
+int mac_kenv_check_unset(struct ucred *cred, char *name);
+int mac_kld_check_load(struct ucred *cred, struct vnode *vp);
+int mac_kld_check_stat(struct ucred *cred);
+int mac_mount_check_stat(struct ucred *cred, struct mount *mp);
+int mac_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp,
unsigned long cmd, void *data);
-int mac_check_pipe_poll(struct ucred *cred, struct pipepair *pp);
-int mac_check_pipe_read(struct ucred *cred, struct pipepair *pp);
-int mac_check_pipe_stat(struct ucred *cred, struct pipepair *pp);
-int mac_check_pipe_write(struct ucred *cred, struct pipepair *pp);
-int mac_check_posix_sem_destroy(struct ucred *cred, struct ksem *ks);
-int mac_check_posix_sem_getvalue(struct ucred *cred,struct ksem *ks);
-int mac_check_posix_sem_open(struct ucred *cred, struct ksem *ks);
-int mac_check_posix_sem_post(struct ucred *cred, struct ksem *ks);
-int mac_check_posix_sem_unlink(struct ucred *cred, struct ksem *ks);
-int mac_check_posix_sem_wait(struct ucred *cred, struct ksem *ks);
-int mac_check_proc_debug(struct ucred *cred, struct proc *p);
-int mac_check_proc_sched(struct ucred *cred, struct proc *p);
-int mac_check_proc_setaudit(struct ucred *cred, struct auditinfo *ai);
-int mac_check_proc_setaudit_addr(struct ucred *cred,
+int mac_pipe_check_poll(struct ucred *cred, struct pipepair *pp);
+int mac_pipe_check_read(struct ucred *cred, struct pipepair *pp);
+int mac_pipe_check_stat(struct ucred *cred, struct pipepair *pp);
+int mac_pipe_check_write(struct ucred *cred, struct pipepair *pp);
+int mac_posixsem_check_destroy(struct ucred *cred, struct ksem *ks);
+int mac_posixsem_check_getvalue(struct ucred *cred,struct ksem *ks);
+int mac_posixsem_check_open(struct ucred *cred, struct ksem *ks);
+int mac_posixsem_check_post(struct ucred *cred, struct ksem *ks);
+int mac_posixsem_check_unlink(struct ucred *cred, struct ksem *ks);
+int mac_posixsem_check_wait(struct ucred *cred, struct ksem *ks);
+int mac_proc_check_debug(struct ucred *cred, struct proc *p);
+int mac_proc_check_sched(struct ucred *cred, struct proc *p);
+int mac_proc_check_setaudit(struct ucred *cred, struct auditinfo *ai);
+int mac_proc_check_setaudit_addr(struct ucred *cred,
struct auditinfo_addr *aia);
-int mac_check_proc_setauid(struct ucred *cred, uid_t auid);
-int mac_check_proc_setuid(struct proc *p, struct ucred *cred,
+int mac_proc_check_setauid(struct ucred *cred, uid_t auid);
+int mac_proc_check_setuid(struct proc *p, struct ucred *cred,
uid_t uid);
-int mac_check_proc_seteuid(struct proc *p, struct ucred *cred,
+int mac_proc_check_seteuid(struct proc *p, struct ucred *cred,
uid_t euid);
-int mac_check_proc_setgid(struct proc *p, struct ucred *cred,
+int mac_proc_check_setgid(struct proc *p, struct ucred *cred,
gid_t gid);
-int mac_check_proc_setegid(struct proc *p, struct ucred *cred,
+int mac_proc_check_setegid(struct proc *p, struct ucred *cred,
gid_t egid);
-int mac_check_proc_setgroups(struct proc *p, struct ucred *cred,
+int mac_proc_check_setgroups(struct proc *p, struct ucred *cred,
int ngroups, gid_t *gidset);
-int mac_check_proc_setreuid(struct proc *p, struct ucred *cred,
+int mac_proc_check_setreuid(struct proc *p, struct ucred *cred,
uid_t ruid, uid_t euid);
-int mac_check_proc_setregid(struct proc *p, struct ucred *cred,
+int mac_proc_check_setregid(struct proc *p, struct ucred *cred,
gid_t rgid, gid_t egid);
-int mac_check_proc_setresuid(struct proc *p, struct ucred *cred,
+int mac_proc_check_setresuid(struct proc *p, struct ucred *cred,
uid_t ruid, uid_t euid, uid_t suid);
-int mac_check_proc_setresgid(struct proc *p, struct ucred *cred,
+int mac_proc_check_setresgid(struct proc *p, struct ucred *cred,
gid_t rgid, gid_t egid, gid_t sgid);
-int mac_check_proc_signal(struct ucred *cred, struct proc *p,
+int mac_proc_check_signal(struct ucred *cred, struct proc *p,
int signum);
-int mac_check_proc_wait(struct ucred *cred, struct proc *p);
-int mac_check_socket_accept(struct ucred *cred, struct socket *so);
-int mac_check_socket_bind(struct ucred *cred, struct socket *so,
+int mac_proc_check_wait(struct ucred *cred, struct proc *p);
+int mac_socket_check_accept(struct ucred *cred, struct socket *so);
+int mac_socket_check_bind(struct ucred *cred, struct socket *so,
struct sockaddr *sa);
-int mac_check_socket_connect(struct ucred *cred, struct socket *so,
+int mac_socket_check_connect(struct ucred *cred, struct socket *so,
struct sockaddr *sa);
-int mac_check_socket_create(struct ucred *cred, int domain, int type,
+int mac_socket_check_create(struct ucred *cred, int domain, int type,
int proto);
-int mac_check_socket_deliver(struct socket *so, struct mbuf *m);
-int mac_check_socket_listen(struct ucred *cred, struct socket *so);
-int mac_check_socket_poll(struct ucred *cred, struct socket *so);
-int mac_check_socket_receive(struct ucred *cred, struct socket *so);
-int mac_check_socket_send(struct ucred *cred, struct socket *so);
-int mac_check_socket_stat(struct ucred *cred, struct socket *so);
-int mac_check_socket_visible(struct ucred *cred, struct socket *so);
-int mac_check_system_acct(struct ucred *cred, struct vnode *vp);
-int mac_check_system_audit(struct ucred *cred, void *record, int length);
-int mac_check_system_auditctl(struct ucred *cred, struct vnode *vp);
-int mac_check_system_auditon(struct ucred *cred, int cmd);
-int mac_check_system_reboot(struct ucred *cred, int howto);
-int mac_check_system_swapon(struct ucred *cred, struct vnode *vp);
-int mac_check_system_swapoff(struct ucred *cred, struct vnode *vp);
-int mac_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
+int mac_socket_check_deliver(struct socket *so, struct mbuf *m);
+int mac_socket_check_listen(struct ucred *cred, struct socket *so);
+int mac_socket_check_poll(struct ucred *cred, struct socket *so);
+int mac_socket_check_receive(struct ucred *cred, struct socket *so);
+int mac_socket_check_send(struct ucred *cred, struct socket *so);
+int mac_socket_check_stat(struct ucred *cred, struct socket *so);
+int mac_socket_check_visible(struct ucred *cred, struct socket *so);
+int mac_system_check_acct(struct ucred *cred, struct vnode *vp);
+int mac_system_check_audit(struct ucred *cred, void *record, int length);
+int mac_system_check_auditctl(struct ucred *cred, struct vnode *vp);
+int mac_system_check_auditon(struct ucred *cred, int cmd);
+int mac_system_check_reboot(struct ucred *cred, int howto);
+int mac_system_check_swapon(struct ucred *cred, struct vnode *vp);
+int mac_system_check_swapoff(struct ucred *cred, struct vnode *vp);
+int mac_system_check_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
void *arg1, int arg2, struct sysctl_req *req);
-int mac_check_vnode_access(struct ucred *cred, struct vnode *vp,
+int mac_vnode_check_access(struct ucred *cred, struct vnode *vp,
int acc_mode);
-int mac_check_vnode_chdir(struct ucred *cred, struct vnode *dvp);
-int mac_check_vnode_chroot(struct ucred *cred, struct vnode *dvp);
-int mac_check_vnode_create(struct ucred *cred, struct vnode *dvp,
+int mac_vnode_check_chdir(struct ucred *cred, struct vnode *dvp);
+int mac_vnode_check_chroot(struct ucred *cred, struct vnode *dvp);
+int mac_vnode_check_create(struct ucred *cred, struct vnode *dvp,
struct componentname *cnp, struct vattr *vap);
-int mac_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
+int mac_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp,
acl_type_t type);
-int mac_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
+int mac_vnode_check_deleteextattr(struct ucred *cred, struct vnode *vp,
int attrnamespace, const char *name);
-int mac_check_vnode_exec(struct ucred *cred, struct vnode *vp,
+int mac_vnode_check_exec(struct ucred *cred, struct vnode *vp,
struct image_params *imgp);
-int mac_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
+int mac_vnode_check_getacl(struct ucred *cred, struct vnode *vp,
acl_type_t type);
-int mac_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
+int mac_vnode_check_getextattr(struct ucred *cred, struct vnode *vp,
int attrnamespace, const char *name, struct uio *uio);
-int mac_check_vnode_link(struct ucred *cred, struct vnode *dvp,
+int mac_vnode_check_link(struct ucred *cred, struct vnode *dvp,
struct vnode *vp, struct componentname *cnp);
-int mac_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
+int mac_vnode_check_listextattr(struct ucred *cred, struct vnode *vp,
int attrnamespace);
-int mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
+int mac_vnode_check_lookup(struct ucred *cred, struct vnode *dvp,
struct componentname *cnp);
-int mac_check_vnode_mmap(struct ucred *cred, struct vnode *vp, int prot,
+int mac_vnode_check_mmap(struct ucred *cred, struct vnode *vp, int prot,
int flags);
-int mac_check_vnode_mprotect(struct ucred *cred, struct vnode *vp,
+int mac_vnode_check_mprotect(struct ucred *cred, struct vnode *vp,
int prot);
-int mac_check_vnode_open(struct ucred *cred, struct vnode *vp,
+int mac_vnode_check_open(struct ucred *cred, struct vnode *vp,
int acc_mode);
-int mac_check_vnode_poll(struct ucred *active_cred,
+int mac_vnode_check_poll(struct ucred *active_cred,
struct ucred *file_cred, struct vnode *vp);
-int mac_check_vnode_read(struct ucred *active_cred,
+int mac_vnode_check_read(struct ucred *active_cred,
struct ucred *file_cred, struct vnode *vp);
-int mac_check_vnode_readdir(struct ucred *cred, struct vnode *vp);
-int mac_check_vnode_readlink(struct ucred *cred, struct vnode *vp);
-int mac_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
+int mac_vnode_check_readdir(struct ucred *cred, struct vnode *vp);
+int mac_vnode_check_readlink(struct ucred *cred, struct vnode *vp);
+int mac_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp,
struct vnode *vp, struct componentname *cnp);
-int mac_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
+int mac_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp,
struct vnode *vp, int samedir, struct componentname *cnp);
-int mac_check_vnode_revoke(struct ucred *cred, struct vnode *vp);
-int mac_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
+int mac_vnode_check_revoke(struct ucred *cred, struct vnode *vp);
+int mac_vnode_check_setacl(struct ucred *cred, struct vnode *vp,
acl_type_t type, struct acl *acl);
-int mac_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
+int mac_vnode_check_setextattr(struct ucred *cred, struct vnode *vp,
int attrnamespace, const char *name, struct uio *uio);
-int mac_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
+int mac_vnode_check_setflags(struct ucred *cred, struct vnode *vp,
u_long flags);
-int mac_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
+int mac_vnode_check_setmode(struct ucred *cred, struct vnode *vp,
mode_t mode);
-int mac_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
+int mac_vnode_check_setowner(struct ucred *cred, struct vnode *vp,
uid_t uid, gid_t gid);
-int mac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
+int mac_vnode_check_setutimes(struct ucred *cred, struct vnode *vp,
struct timespec atime, struct timespec mtime);
-int mac_check_vnode_stat(struct ucred *active_cred,
+int mac_vnode_check_stat(struct ucred *active_cred,
struct ucred *file_cred, struct vnode *vp);
-int mac_check_vnode_unlink(struct ucred *cred, struct vnode *dvp,
+int mac_vnode_check_unlink(struct ucred *cred, struct vnode *dvp,
struct vnode *vp, struct componentname *cnp);
-int mac_check_vnode_write(struct ucred *active_cred,
+int mac_vnode_check_write(struct ucred *active_cred,
struct ucred *file_cred, struct vnode *vp);
int mac_getsockopt_label(struct ucred *cred, struct socket *so,
struct mac *extmac);
int mac_getsockopt_peerlabel(struct ucred *cred, struct socket *so,
struct mac *extmac);
-int mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr,
+int mac_ifnet_ioctl_get(struct ucred *cred, struct ifreq *ifr,
struct ifnet *ifp);
-int mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr,
+int mac_ifnet_ioctl_set(struct ucred *cred, struct ifreq *ifr,
struct ifnet *ifp);
int mac_setsockopt_label(struct ucred *cred, struct socket *so,
struct mac *extmac);
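Review bot: `mac_sysvmsq_check_msgrcv` and `mac_sysvmsq_check_msgrmid` take only a `struct msg *`, yet they carry the queue prefix `sysvmsq`, while the cleanup routine for the same object is `mac_sysvmsg_cleanup`. Anyone auditing hook coverage by grepping for the object prefix will not find the per-message access checks under `mac_sysvmsg_`. Either give them the `mac_sysvmsg_check_` prefix or add a comment above the group such as `/* NB: msgmsq/msgrcv/msgrmid check a struct msg but use the sysvmsq prefix. */`. The context lines `mac_getsockopt_label`, `mac_getsockopt_peerlabel` and `mac_setsockopt_label` also remain verb-first, so the object-first scheme is not yet uniform in this header.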
diff --git a/sys/security/mac/mac_inet.c b/sys/security/mac/mac_inet.c
index 7704d73..001be116 100644
--- a/sys/security/mac/mac_inet.c
+++ b/sys/security/mac/mac_inet.c
@@ -2,6 +2,7 @@
* Copyright (c) 1999-2002 Robert N. M. Watson
* Copyright (c) 2001 Ilmar S. Habibulin
* Copyright (c) 2001-2004 Networks Associates Technology, Inc.
+ * Copyright (c) 2006 SPARTA, Inc.
* All rights reserved.
*
* This software was developed by Robert Watson and Ilmar Habibulin for the
@@ -12,6 +13,9 @@
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
* as part of the DARPA CHATS research program.
*
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract
+ * N66001-04-C-6019 ("SEFOS").
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -74,9 +78,9 @@ mac_inpcb_label_alloc(int flag)
label = mac_labelzone_alloc(flag);
if (label == NULL)
return (NULL);
- MAC_CHECK(init_inpcb_label, label, flag);
+ MAC_CHECK(inpcb_init_label, label, flag);
if (error) {
- MAC_PERFORM(destroy_inpcb_label, label);
+ MAC_PERFORM(inpcb_destroy_label, label);
mac_labelzone_free(label);
return (NULL);
}
@@ -84,7 +88,7 @@ mac_inpcb_label_alloc(int flag)
}
int
-mac_init_inpcb(struct inpcb *inp, int flag)
+mac_inpcb_init(struct inpcb *inp, int flag)
{
inp->inp_label = mac_inpcb_label_alloc(flag);
@@ -103,9 +107,9 @@ mac_ipq_label_alloc(int flag)
if (label == NULL)
return (NULL);
- MAC_CHECK(init_ipq_label, label, flag);
+ MAC_CHECK(ipq_init_label, label, flag);
if (error) {
- MAC_PERFORM(destroy_ipq_label, label);
+ MAC_PERFORM(ipq_destroy_label, label);
mac_labelzone_free(label);
return (NULL);
}
@@ -113,7 +117,7 @@ mac_ipq_label_alloc(int flag)
}
int
-mac_init_ipq(struct ipq *ipq, int flag)
+mac_ipq_init(struct ipq *ipq, int flag)
{
ipq->ipq_label = mac_ipq_label_alloc(flag);
@@ -126,12 +130,12 @@ static void
mac_inpcb_label_free(struct label *label)
{
- MAC_PERFORM(destroy_inpcb_label, label);
+ MAC_PERFORM(inpcb_destroy_label, label);
mac_labelzone_free(label);
}
void
-mac_destroy_inpcb(struct inpcb *inp)
+mac_inpcb_destroy(struct inpcb *inp)
{
mac_inpcb_label_free(inp->inp_label);
@@ -142,12 +146,12 @@ static void
mac_ipq_label_free(struct label *label)
{
- MAC_PERFORM(destroy_ipq_label, label);
+ MAC_PERFORM(ipq_destroy_label, label);
mac_labelzone_free(label);
}
void
-mac_destroy_ipq(struct ipq *ipq)
+mac_ipq_destroy(struct ipq *ipq)
{
mac_ipq_label_free(ipq->ipq_label);
@@ -155,57 +159,56 @@ mac_destroy_ipq(struct ipq *ipq)
}
void
-mac_create_inpcb_from_socket(struct socket *so, struct inpcb *inp)
+mac_inpcb_create(struct socket *so, struct inpcb *inp)
{
- MAC_PERFORM(create_inpcb_from_socket, so, so->so_label, inp,
- inp->inp_label);
+ MAC_PERFORM(inpcb_create, so, so->so_label, inp, inp->inp_label);
}
void
-mac_create_datagram_from_ipq(struct ipq *ipq, struct mbuf *m)
+mac_ipq_reassemble(struct ipq *ipq, struct mbuf *m)
{
struct label *label;
label = mac_mbuf_to_label(m);
- MAC_PERFORM(create_datagram_from_ipq, ipq, ipq->ipq_label, m, label);
+ MAC_PERFORM(ipq_reassemble, ipq, ipq->ipq_label, m, label);
}
void
-mac_create_fragment(struct mbuf *m, struct mbuf *frag)
+mac_netinet_fragment(struct mbuf *m, struct mbuf *frag)
{
struct label *mlabel, *fraglabel;
mlabel = mac_mbuf_to_label(m);
fraglabel = mac_mbuf_to_label(frag);
- MAC_PERFORM(create_fragment, m, mlabel, frag, fraglabel);
+ MAC_PERFORM(netinet_fragment, m, mlabel, frag, fraglabel);
}
void
-mac_create_ipq(struct mbuf *m, struct ipq *ipq)
+mac_ipq_create(struct mbuf *m, struct ipq *ipq)
{
struct label *label;
label = mac_mbuf_to_label(m);
- MAC_PERFORM(create_ipq, m, label, ipq, ipq->ipq_label);
+ MAC_PERFORM(ipq_create, m, label, ipq, ipq->ipq_label);
}
void
-mac_create_mbuf_from_inpcb(struct inpcb *inp, struct mbuf *m)
+mac_inpcb_create_mbuf(struct inpcb *inp, struct mbuf *m)
{
struct label *mlabel;
INP_LOCK_ASSERT(inp);
mlabel = mac_mbuf_to_label(m);
- MAC_PERFORM(create_mbuf_from_inpcb, inp, inp->inp_label, m, mlabel);
+ MAC_PERFORM(inpcb_create_mbuf, inp, inp->inp_label, m, mlabel);
}
int
-mac_fragment_match(struct mbuf *m, struct ipq *ipq)
+mac_ipq_match(struct mbuf *m, struct ipq *ipq)
{
struct label *label;
int result;
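Review bot: The new names in this hunk no longer say which label is the source and which object is being labelled: `mac_inpcb_create` drops `_from_socket`, and `mac_ipq_reassemble` and `mac_netinet_fragment` replace `mac_create_datagram_from_ipq` and `mac_create_fragment`. None of the wrappers has a comment, so the direction of label flow now has to be read off the `MAC_PERFORM` argument order. Going by the old names, one line per wrapper would keep that information, e.g. `/* Label a new inpcb from its socket (was create_inpcb_from_socket). */` above `mac_inpcb_create` and `/* Label the reassembled datagram m from the queue ipq. */` above `mac_ipq_reassemble`. The body of `mac_ipq_match` continues outside the hunk.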
@@ -213,43 +216,43 @@ mac_fragment_match(struct mbuf *m, struct ipq *ipq)
label = mac_mbuf_to_label(m);
result = 1;
- MAC_BOOLEAN(fragment_match, &&, m, label, ipq, ipq->ipq_label);
+ MAC_BOOLEAN(ipq_match, &&, m, label, ipq, ipq->ipq_label);
return (result);
}
void
-mac_reflect_mbuf_icmp(struct mbuf *m)
+mac_netinet_icmp_reply(struct mbuf *m)
{
struct label *label;
label = mac_mbuf_to_label(m);
- MAC_PERFORM(reflect_mbuf_icmp, m, label);
+ MAC_PERFORM(netinet_icmp_reply, m, label);
}
void
-mac_reflect_mbuf_tcp(struct mbuf *m)
+mac_netinet_tcp_reply(struct mbuf *m)
{
struct label *label;
label = mac_mbuf_to_label(m);
- MAC_PERFORM(reflect_mbuf_tcp, m, label);
+ MAC_PERFORM(netinet_tcp_reply, m, label);
}
void
-mac_update_ipq(struct mbuf *m, struct ipq *ipq)
+mac_ipq_update(struct mbuf *m, struct ipq *ipq)
{
struct label *label;
label = mac_mbuf_to_label(m);
- MAC_PERFORM(update_ipq, m, label, ipq, ipq->ipq_label);
+ MAC_PERFORM(ipq_update, m, label, ipq, ipq->ipq_label);
}
int
-mac_check_inpcb_deliver(struct inpcb *inp, struct mbuf *m)
+mac_inpcb_check_deliver(struct inpcb *inp, struct mbuf *m)
{
struct label *label;
int error;
@@ -258,7 +261,7 @@ mac_check_inpcb_deliver(struct inpcb *inp, struct mbuf *m)
label = mac_mbuf_to_label(m);
- MAC_CHECK(check_inpcb_deliver, inp, inp->inp_label, m, label);
+ MAC_CHECK(inpcb_check_deliver, inp, inp->inp_label, m, label);
return (error);
}
@@ -273,13 +276,13 @@ mac_inpcb_sosetlabel(struct socket *so, struct inpcb *inp)
}
void
-mac_create_mbuf_from_firewall(struct mbuf *m)
+mac_mbuf_create_from_firewall(struct mbuf *m)
{
struct label *label;
M_ASSERTPKTHDR(m);
label = mac_mbuf_to_label(m);
- MAC_PERFORM(create_mbuf_from_firewall, m, label);
+ MAC_PERFORM(mbuf_create_from_firewall, m, label);
}
/*
diff --git a/sys/security/mac/mac_internal.h b/sys/security/mac/mac_internal.h
index fcf59aa..2cdc006 100644
--- a/sys/security/mac/mac_internal.h
+++ b/sys/security/mac/mac_internal.h
@@ -3,6 +3,7 @@
* Copyright (c) 2001 Ilmar S. Habibulin
* Copyright (c) 2001-2004 Networks Associates Technology, Inc.
* Copyright (c) 2006 nCircle Network Security, Inc.
+ * Copyright (c) 2006 SPARTA, Inc.
* All rights reserved.
*
* This software was developed by Robert Watson and Ilmar Habibulin for the
@@ -16,6 +17,9 @@
* This software was developed by Robert N. M. Watson for the TrustedBSD
* Project under contract to nCircle Network Security, Inc.
*
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract
+ * N66001-04-C-6019 ("SEFOS").
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -118,30 +122,30 @@ void mac_pipe_label_free(struct label *label);
struct label *mac_socket_label_alloc(int flag);
void mac_socket_label_free(struct label *label);
-int mac_check_cred_relabel(struct ucred *cred, struct label *newlabel);
-int mac_externalize_cred_label(struct label *label, char *elements,
+int mac_cred_check_relabel(struct ucred *cred, struct label *newlabel);
+int mac_cred_externalize_label(struct label *label, char *elements,
char *outbuf, size_t outbuflen);
-int mac_internalize_cred_label(struct label *label, char *string);
-void mac_relabel_cred(struct ucred *cred, struct label *newlabel);
+int mac_cred_internalize_label(struct label *label, char *string);
+void mac_cred_relabel(struct ucred *cred, struct label *newlabel);
struct label *mac_mbuf_to_label(struct mbuf *m);
-void mac_copy_pipe_label(struct label *src, struct label *dest);
-int mac_externalize_pipe_label(struct label *label, char *elements,
+void mac_pipe_copy_label(struct label *src, struct label *dest);
+int mac_pipe_externalize_label(struct label *label, char *elements,
char *outbuf, size_t outbuflen);
-int mac_internalize_pipe_label(struct label *label, char *string);
+int mac_pipe_internalize_label(struct label *label, char *string);
int mac_socket_label_set(struct ucred *cred, struct socket *so,
struct label *label);
-void mac_copy_socket_label(struct label *src, struct label *dest);
-int mac_externalize_socket_label(struct label *label, char *elements,
+void mac_socket_copy_label(struct label *src, struct label *dest);
+int mac_socket_externalize_label(struct label *label, char *elements,
char *outbuf, size_t outbuflen);
-int mac_internalize_socket_label(struct label *label, char *string);
+int mac_socket_internalize_label(struct label *label, char *string);
-int mac_externalize_vnode_label(struct label *label, char *elements,
+int mac_vnode_externalize_label(struct label *label, char *elements,
char *outbuf, size_t outbuflen);
-int mac_internalize_vnode_label(struct label *label, char *string);
-void mac_check_vnode_mmap_downgrade(struct ucred *cred, struct vnode *vp,
+int mac_vnode_internalize_label(struct label *label, char *string);
+void mac_vnode_check_mmap_downgrade(struct ucred *cred, struct vnode *vp,
int *prot);
int vn_setlabel(struct vnode *vp, struct label *intlabel,
struct ucred *cred);
@@ -263,7 +267,7 @@ int vn_setlabel(struct vnode *vp, struct label *intlabel,
break; \
} \
claimed = 0; \
- MAC_CHECK(externalize_ ## type ## _label, label, \
+ MAC_CHECK(type ## _externalize_label, label, \
element_name, &sb, &claimed); \
if (error) \
break; \
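Review bot: The entry-point name is now built as `type ## _externalize_label`, so the macro's `type` argument has become the object prefix of the policy operation rather than an infix, and nothing visible here documents that contract. The next hunk does the same with `type ## _internalize_label`. A comment at the head of each macro would help anyone adding a new labelled object, for example `/* 'type' is the object prefix (cred, pipe, socket, vnode, ...), pasted to form <type>_externalize_label. */`, with the list inferred from the prototypes earlier in this file. Both macro definitions start outside these hunks, so an existing header comment may need updating instead.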
@@ -299,7 +303,7 @@ int vn_setlabel(struct vnode *vp, struct label *intlabel,
break; \
} \
claimed = 0; \
- MAC_CHECK(internalize_ ## type ## _label, label, \
+ MAC_CHECK(type ## _internalize_label, label, \
element_name, element_data, &claimed); \
if (error) \
break; \
diff --git a/sys/security/mac/mac_net.c b/sys/security/mac/mac_net.c
index 05a0073..406e1f8 100644
--- a/sys/security/mac/mac_net.c
+++ b/sys/security/mac/mac_net.c
@@ -2,11 +2,15 @@
* Copyright (c) 1999-2002 Robert N. M. Watson
* Copyright (c) 2001 Ilmar S. Habibulin
* Copyright (c) 2001-2004 Networks Associates Technology, Inc.
+ * Copyright (c) 2006 SPARTA, Inc.
* All rights reserved.
*
* This software was developed by Robert Watson and Ilmar Habibulin for the
* TrustedBSD Project.
*
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract
+ * N66001-04-C-6019 ("SEFOS").
+ *
* This software was developed for the FreeBSD Project in part by Network
* Associates Laboratories, the Security Research Division of Network
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
@@ -102,12 +106,12 @@ mac_bpfdesc_label_alloc(void)
struct label *label;
label = mac_labelzone_alloc(M_WAITOK);
- MAC_PERFORM(init_bpfdesc_label, label);
+ MAC_PERFORM(bpfdesc_init_label, label);
return (label);
}
void
-mac_init_bpfdesc(struct bpf_d *d)
+mac_bpfdesc_init(struct bpf_d *d)
{
d->bd_label = mac_bpfdesc_label_alloc();
@@ -119,19 +123,19 @@ mac_ifnet_label_alloc(void)
struct label *label;
label = mac_labelzone_alloc(M_WAITOK);
- MAC_PERFORM(init_ifnet_label, label);
+ MAC_PERFORM(ifnet_init_label, label);
return (label);
}
void
-mac_init_ifnet(struct ifnet *ifp)
+mac_ifnet_init(struct ifnet *ifp)
{
ifp->if_label = mac_ifnet_label_alloc();
}
int
-mac_init_mbuf_tag(struct m_tag *tag, int flag)
+mac_mbuf_tag_init(struct m_tag *tag, int flag)
{
struct label *label;
int error;
@@ -139,16 +143,16 @@ mac_init_mbuf_tag(struct m_tag *tag, int flag)
label = (struct label *) (tag + 1);
mac_init_label(label);
- MAC_CHECK(init_mbuf_label, label, flag);
+ MAC_CHECK(mbuf_init_label, label, flag);
if (error) {
- MAC_PERFORM(destroy_mbuf_label, label);
+ MAC_PERFORM(mbuf_destroy_label, label);
mac_destroy_label(label);
}
return (error);
}
int
-mac_init_mbuf(struct mbuf *m, int flag)
+mac_mbuf_init(struct mbuf *m, int flag)
{
struct m_tag *tag;
int error;
@@ -167,7 +171,7 @@ mac_init_mbuf(struct mbuf *m, int flag)
flag);
if (tag == NULL)
return (ENOMEM);
- error = mac_init_mbuf_tag(tag, flag);
+ error = mac_mbuf_tag_init(tag, flag);
if (error) {
m_tag_free(tag);
return (error);
@@ -180,12 +184,12 @@ static void
mac_bpfdesc_label_free(struct label *label)
{
- MAC_PERFORM(destroy_bpfdesc_label, label);
+ MAC_PERFORM(bpfdesc_destroy_label, label);
mac_labelzone_free(label);
}
void
-mac_destroy_bpfdesc(struct bpf_d *d)
+mac_bpfdesc_destroy(struct bpf_d *d)
{
mac_bpfdesc_label_free(d->bd_label);
@@ -196,12 +200,12 @@ static void
mac_ifnet_label_free(struct label *label)
{
- MAC_PERFORM(destroy_ifnet_label, label);
+ MAC_PERFORM(ifnet_destroy_label, label);
mac_labelzone_free(label);
}
void
-mac_destroy_ifnet(struct ifnet *ifp)
+mac_ifnet_destroy(struct ifnet *ifp)
{
mac_ifnet_label_free(ifp->if_label);
@@ -209,22 +213,22 @@ mac_destroy_ifnet(struct ifnet *ifp)
}
void
-mac_destroy_mbuf_tag(struct m_tag *tag)
+mac_mbuf_tag_destroy(struct m_tag *tag)
{
struct label *label;
label = (struct label *)(tag+1);
- MAC_PERFORM(destroy_mbuf_label, label);
+ MAC_PERFORM(mbuf_destroy_label, label);
mac_destroy_label(label);
}
/*
- * mac_copy_mbuf_tag is called when an mbuf header is duplicated, in which
+ * mac_mbuf_tag_copy is called when an mbuf header is duplicated, in which
* case the labels must also be duplicated.
*/
void
-mac_copy_mbuf_tag(struct m_tag *src, struct m_tag *dest)
+mac_mbuf_tag_copy(struct m_tag *src, struct m_tag *dest)
{
struct label *src_label, *dest_label;
@@ -232,32 +236,32 @@ mac_copy_mbuf_tag(struct m_tag *src, struct m_tag *dest)
dest_label = (struct label *)(dest+1);
/*
- * mac_init_mbuf_tag() is called on the target tag in m_tag_copy(),
+ * mac_mbuf_tag_init() is called on the target tag in m_tag_copy(),
* so we don't need to call it here.
*/
- MAC_PERFORM(copy_mbuf_label, src_label, dest_label);
+ MAC_PERFORM(mbuf_copy_label, src_label, dest_label);
}
void
-mac_copy_mbuf(struct mbuf *m_from, struct mbuf *m_to)
+mac_mbuf_copy(struct mbuf *m_from, struct mbuf *m_to)
{
struct label *src_label, *dest_label;
src_label = mac_mbuf_to_label(m_from);
dest_label = mac_mbuf_to_label(m_to);
- MAC_PERFORM(copy_mbuf_label, src_label, dest_label);
+ MAC_PERFORM(mbuf_copy_label, src_label, dest_label);
}
static void
-mac_copy_ifnet_label(struct label *src, struct label *dest)
+mac_ifnet_copy_label(struct label *src, struct label *dest)
{
- MAC_PERFORM(copy_ifnet_label, src, dest);
+ MAC_PERFORM(ifnet_copy_label, src, dest);
}
static int
-mac_externalize_ifnet_label(struct label *label, char *elements,
+mac_ifnet_externalize_label(struct label *label, char *elements,
char *outbuf, size_t outbuflen)
{
int error;
@@ -268,7 +272,7 @@ mac_externalize_ifnet_label(struct label *label, char *elements,
}
static int
-mac_internalize_ifnet_label(struct label *label, char *string)
+mac_ifnet_internalize_label(struct label *label, char *string)
{
int error;
@@ -278,23 +282,23 @@ mac_internalize_ifnet_label(struct label *label, char *string)
}
void
-mac_create_ifnet(struct ifnet *ifp)
+mac_ifnet_create(struct ifnet *ifp)
{
MAC_IFNET_LOCK(ifp);
- MAC_PERFORM(create_ifnet, ifp, ifp->if_label);
+ MAC_PERFORM(ifnet_create, ifp, ifp->if_label);
MAC_IFNET_UNLOCK(ifp);
}
void
-mac_create_bpfdesc(struct ucred *cred, struct bpf_d *d)
+mac_bpfdesc_create(struct ucred *cred, struct bpf_d *d)
{
- MAC_PERFORM(create_bpfdesc, cred, d, d->bd_label);
+ MAC_PERFORM(bpfdesc_create, cred, d, d->bd_label);
}
void
-mac_create_mbuf_from_bpfdesc(struct bpf_d *d, struct mbuf *m)
+mac_bpfdesc_create_mbuf(struct bpf_d *d, struct mbuf *m)
{
struct label *label;
@@ -302,7 +306,7 @@ mac_create_mbuf_from_bpfdesc(struct bpf_d *d, struct mbuf *m)
label = mac_mbuf_to_label(m);
- MAC_PERFORM(create_mbuf_from_bpfdesc, d, d->bd_label, m, label);
+ MAC_PERFORM(bpfdesc_create_mbuf, d, d->bd_label, m, label);
}
void
@@ -318,19 +322,19 @@ mac_create_mbuf_linklayer(struct ifnet *ifp, struct mbuf *m)
}
void
-mac_create_mbuf_from_ifnet(struct ifnet *ifp, struct mbuf *m)
+mac_ifnet_create_mbuf(struct ifnet *ifp, struct mbuf *m)
{
struct label *label;
label = mac_mbuf_to_label(m);
MAC_IFNET_LOCK(ifp);
- MAC_PERFORM(create_mbuf_from_ifnet, ifp, ifp->if_label, m, label);
+ MAC_PERFORM(ifnet_create_mbuf, ifp, ifp->if_label, m, label);
MAC_IFNET_UNLOCK(ifp);
}
void
-mac_create_mbuf_multicast_encap(struct mbuf *m, struct ifnet *ifp,
+mac_mbuf_create_multicast_encap(struct mbuf *m, struct ifnet *ifp,
struct mbuf *mnew)
{
struct label *mlabel, *mnewlabel;
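Review bot: `mac_create_mbuf_linklayer`, which this hunk's header names as the preceding function, appears to keep its verb-first name while its neighbours become `mac_ifnet_create_mbuf`, `mac_mbuf_create_multicast_encap` and, in the next hunk, `mac_mbuf_create_netlayer`. If that is deliberate, a short comment above it saying why would stop it reading as a missed rename. Otherwise `mac_mbuf_create_linklayer` would match the pattern used for the netlayer variant. Its definition lies between hunks and is not visible here, so this is inferred from the header line only.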
@@ -339,38 +343,38 @@ mac_create_mbuf_multicast_encap(struct mbuf *m, struct ifnet *ifp,
mnewlabel = mac_mbuf_to_label(mnew);
MAC_IFNET_LOCK(ifp);
- MAC_PERFORM(create_mbuf_multicast_encap, m, mlabel, ifp,
+ MAC_PERFORM(mbuf_create_multicast_encap, m, mlabel, ifp,
ifp->if_label, mnew, mnewlabel);
MAC_IFNET_UNLOCK(ifp);
}
void
-mac_create_mbuf_netlayer(struct mbuf *m, struct mbuf *mnew)
+mac_mbuf_create_netlayer(struct mbuf *m, struct mbuf *mnew)
{
struct label *mlabel, *mnewlabel;
mlabel = mac_mbuf_to_label(m);
mnewlabel = mac_mbuf_to_label(mnew);
- MAC_PERFORM(create_mbuf_netlayer, m, mlabel, mnew, mnewlabel);
+ MAC_PERFORM(mbuf_create_netlayer, m, mlabel, mnew, mnewlabel);
}
int
-mac_check_bpfdesc_receive(struct bpf_d *d, struct ifnet *ifp)
+mac_bpfdesc_check_receive(struct bpf_d *d, struct ifnet *ifp)
{
int error;
BPFD_LOCK_ASSERT(d);
MAC_IFNET_LOCK(ifp);
- MAC_CHECK(check_bpfdesc_receive, d, d->bd_label, ifp, ifp->if_label);
+ MAC_CHECK(bpfdesc_check_receive, d, d->bd_label, ifp, ifp->if_label);
MAC_IFNET_UNLOCK(ifp);
return (error);
}
int
-mac_check_ifnet_transmit(struct ifnet *ifp, struct mbuf *m)
+mac_ifnet_check_transmit(struct ifnet *ifp, struct mbuf *m)
{
struct label *label;
int error;
@@ -380,14 +384,14 @@ mac_check_ifnet_transmit(struct ifnet *ifp, struct mbuf *m)
label = mac_mbuf_to_label(m);
MAC_IFNET_LOCK(ifp);
- MAC_CHECK(check_ifnet_transmit, ifp, ifp->if_label, m, label);
+ MAC_CHECK(ifnet_check_transmit, ifp, ifp->if_label, m, label);
MAC_IFNET_UNLOCK(ifp);
return (error);
}
int
-mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr,
+mac_ifnet_ioctl_get(struct ucred *cred, struct ifreq *ifr,
struct ifnet *ifp)
{
char *elements, *buffer;
@@ -413,9 +417,9 @@ mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr,
buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
intlabel = mac_ifnet_label_alloc();
MAC_IFNET_LOCK(ifp);
- mac_copy_ifnet_label(ifp->if_label, intlabel);
+ mac_ifnet_copy_label(ifp->if_label, intlabel);
MAC_IFNET_UNLOCK(ifp);
- error = mac_externalize_ifnet_label(intlabel, elements, buffer,
+ error = mac_ifnet_externalize_label(intlabel, elements, buffer,
mac.m_buflen);
mac_ifnet_label_free(intlabel);
if (error == 0)
@@ -428,7 +432,7 @@ mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr,
}
int
-mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr, struct ifnet *ifp)
+mac_ifnet_ioctl_set(struct ucred *cred, struct ifreq *ifr, struct ifnet *ifp)
{
struct label *intlabel;
struct mac mac;
@@ -451,7 +455,7 @@ mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr, struct ifnet *ifp)
}
intlabel = mac_ifnet_label_alloc();
- error = mac_internalize_ifnet_label(intlabel, buffer);
+ error = mac_ifnet_internalize_label(intlabel, buffer);
free(buffer, M_MACTEMP);
if (error) {
mac_ifnet_label_free(intlabel);
@@ -470,14 +474,14 @@ mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr, struct ifnet *ifp)
}
MAC_IFNET_LOCK(ifp);
- MAC_CHECK(check_ifnet_relabel, cred, ifp, ifp->if_label, intlabel);
+ MAC_CHECK(ifnet_check_relabel, cred, ifp, ifp->if_label, intlabel);
if (error) {
MAC_IFNET_UNLOCK(ifp);
mac_ifnet_label_free(intlabel);
return (error);
}
- MAC_PERFORM(relabel_ifnet, cred, ifp, ifp->if_label, intlabel);
+ MAC_PERFORM(ifnet_relabel, cred, ifp, ifp->if_label, intlabel);
MAC_IFNET_UNLOCK(ifp);
mac_ifnet_label_free(intlabel);
diff --git a/sys/security/mac/mac_pipe.c b/sys/security/mac/mac_pipe.c
index 6578517..0a352bb 100644
--- a/sys/security/mac/mac_pipe.c
+++ b/sys/security/mac/mac_pipe.c
@@ -1,5 +1,6 @@
/*-
* Copyright (c) 2002-2003 Networks Associates Technology, Inc.
+ * Copyright (c) 2006 SPARTA, Inc.
* All rights reserved.
*
* This software was developed for the FreeBSD Project in part by Network
@@ -7,6 +8,9 @@
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
* as part of the DARPA CHATS research program.
*
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract
+ * N66001-04-C-6019 ("SEFOS").
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -56,12 +60,12 @@ mac_pipe_label_alloc(void)
struct label *label;
label = mac_labelzone_alloc(M_WAITOK);
- MAC_PERFORM(init_pipe_label, label);
+ MAC_PERFORM(pipe_init_label, label);
return (label);
}
void
-mac_init_pipe(struct pipepair *pp)
+mac_pipe_init(struct pipepair *pp)
{
pp->pp_label = mac_pipe_label_alloc();
@@ -71,12 +75,12 @@ void
mac_pipe_label_free(struct label *label)
{
- MAC_PERFORM(destroy_pipe_label, label);
+ MAC_PERFORM(pipe_destroy_label, label);
mac_labelzone_free(label);
}
void
-mac_destroy_pipe(struct pipepair *pp)
+mac_pipe_destroy(struct pipepair *pp)
{
mac_pipe_label_free(pp->pp_label);
@@ -84,14 +88,14 @@ mac_destroy_pipe(struct pipepair *pp)
}
void
-mac_copy_pipe_label(struct label *src, struct label *dest)
+mac_pipe_copy_label(struct label *src, struct label *dest)
{
- MAC_PERFORM(copy_pipe_label, src, dest);
+ MAC_PERFORM(pipe_copy_label, src, dest);
}
int
-mac_externalize_pipe_label(struct label *label, char *elements,
+mac_pipe_externalize_label(struct label *label, char *elements,
char *outbuf, size_t outbuflen)
{
int error;
@@ -102,7 +106,7 @@ mac_externalize_pipe_label(struct label *label, char *elements,
}
int
-mac_internalize_pipe_label(struct label *label, char *string)
+mac_pipe_internalize_label(struct label *label, char *string)
{
int error;
@@ -112,90 +116,90 @@ mac_internalize_pipe_label(struct label *label, char *string)
}
void
-mac_create_pipe(struct ucred *cred, struct pipepair *pp)
+mac_pipe_create(struct ucred *cred, struct pipepair *pp)
{
- MAC_PERFORM(create_pipe, cred, pp, pp->pp_label);
+ MAC_PERFORM(pipe_create, cred, pp, pp->pp_label);
}
static void
-mac_relabel_pipe(struct ucred *cred, struct pipepair *pp,
+mac_pipe_relabel(struct ucred *cred, struct pipepair *pp,
struct label *newlabel)
{
- MAC_PERFORM(relabel_pipe, cred, pp, pp->pp_label, newlabel);
+ MAC_PERFORM(pipe_relabel, cred, pp, pp->pp_label, newlabel);
}
int
-mac_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp,
+mac_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp,
unsigned long cmd, void *data)
{
int error;
mtx_assert(&pp->pp_mtx, MA_OWNED);
- MAC_CHECK(check_pipe_ioctl, cred, pp, pp->pp_label, cmd, data);
+ MAC_CHECK(pipe_check_ioctl, cred, pp, pp->pp_label, cmd, data);
return (error);
}
int
-mac_check_pipe_poll(struct ucred *cred, struct pipepair *pp)
+mac_pipe_check_poll(struct ucred *cred, struct pipepair *pp)
{
int error;
mtx_assert(&pp->pp_mtx, MA_OWNED);
- MAC_CHECK(check_pipe_poll, cred, pp, pp->pp_label);
+ MAC_CHECK(pipe_check_poll, cred, pp, pp->pp_label);
return (error);
}
int
-mac_check_pipe_read(struct ucred *cred, struct pipepair *pp)
+mac_pipe_check_read(struct ucred *cred, struct pipepair *pp)
{
int error;
mtx_assert(&pp->pp_mtx, MA_OWNED);
- MAC_CHECK(check_pipe_read, cred, pp, pp->pp_label);
+ MAC_CHECK(pipe_check_read, cred, pp, pp->pp_label);
return (error);
}
static int
-mac_check_pipe_relabel(struct ucred *cred, struct pipepair *pp,
+mac_pipe_check_relabel(struct ucred *cred, struct pipepair *pp,
struct label *newlabel)
{
int error;
mtx_assert(&pp->pp_mtx, MA_OWNED);
- MAC_CHECK(check_pipe_relabel, cred, pp, pp->pp_label, newlabel);
+ MAC_CHECK(pipe_check_relabel, cred, pp, pp->pp_label, newlabel);
return (error);
}
int
-mac_check_pipe_stat(struct ucred *cred, struct pipepair *pp)
+mac_pipe_check_stat(struct ucred *cred, struct pipepair *pp)
{
int error;
mtx_assert(&pp->pp_mtx, MA_OWNED);
- MAC_CHECK(check_pipe_stat, cred, pp, pp->pp_label);
+ MAC_CHECK(pipe_check_stat, cred, pp, pp->pp_label);
return (error);
}
int
-mac_check_pipe_write(struct ucred *cred, struct pipepair *pp)
+mac_pipe_check_write(struct ucred *cred, struct pipepair *pp)
{
int error;
mtx_assert(&pp->pp_mtx, MA_OWNED);
- MAC_CHECK(check_pipe_write, cred, pp, pp->pp_label);
+ MAC_CHECK(pipe_check_write, cred, pp, pp->pp_label);
return (error);
}
@@ -208,11 +212,11 @@ mac_pipe_label_set(struct ucred *cred, struct pipepair *pp,
mtx_assert(&pp->pp_mtx, MA_OWNED);
- error = mac_check_pipe_relabel(cred, pp, label);
+ error = mac_pipe_check_relabel(cred, pp, label);
if (error)
return (error);
- mac_relabel_pipe(cred, pp, label);
+ mac_pipe_relabel(cred, pp, label);
return (0);
}
diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h
index c061e2e..5106d94 100644
--- a/sys/security/mac/mac_policy.h
+++ b/sys/security/mac/mac_policy.h
@@ -116,217 +116,217 @@ typedef void (*mpo_placeholder_t)(void);
* recycle for re-use without init/destroy, copy a label to initialized
* storage, and externalize/internalize from/to initialized storage.
*/
-typedef void (*mpo_init_bpfdesc_label_t)(struct label *label);
-typedef void (*mpo_init_cred_label_t)(struct label *label);
-typedef void (*mpo_init_devfs_label_t)(struct label *label);
-typedef void (*mpo_init_ifnet_label_t)(struct label *label);
-typedef int (*mpo_init_inpcb_label_t)(struct label *label, int flag);
-typedef void (*mpo_init_sysv_msgmsg_label_t)(struct label *label);
-typedef void (*mpo_init_sysv_msgqueue_label_t)(struct label *label);
-typedef void (*mpo_init_sysv_sem_label_t)(struct label *label);
-typedef void (*mpo_init_sysv_shm_label_t)(struct label *label);
-typedef int (*mpo_init_ipq_label_t)(struct label *label, int flag);
-typedef int (*mpo_init_mbuf_label_t)(struct label *label, int flag);
-typedef void (*mpo_init_mount_label_t)(struct label *label);
-typedef int (*mpo_init_socket_label_t)(struct label *label, int flag);
-typedef int (*mpo_init_socket_peer_label_t)(struct label *label,
+typedef void (*mpo_bpfdesc_init_label_t)(struct label *label);
+typedef void (*mpo_cred_init_label_t)(struct label *label);
+typedef void (*mpo_devfs_init_label_t)(struct label *label);
+typedef void (*mpo_ifnet_init_label_t)(struct label *label);
+typedef int (*mpo_inpcb_init_label_t)(struct label *label, int flag);
+typedef void (*mpo_sysvmsg_init_label_t)(struct label *label);
+typedef void (*mpo_sysvmsq_init_label_t)(struct label *label);
+typedef void (*mpo_sysvsem_init_label_t)(struct label *label);
+typedef void (*mpo_sysvshm_init_label_t)(struct label *label);
+typedef int (*mpo_ipq_init_label_t)(struct label *label, int flag);
+typedef int (*mpo_mbuf_init_label_t)(struct label *label, int flag);
+typedef void (*mpo_mount_init_label_t)(struct label *label);
+typedef int (*mpo_socket_init_label_t)(struct label *label, int flag);
+typedef int (*mpo_socketpeer_init_label_t)(struct label *label,
int flag);
-typedef void (*mpo_init_pipe_label_t)(struct label *label);
-typedef void (*mpo_init_posix_sem_label_t)(struct label *label);
-typedef void (*mpo_init_proc_label_t)(struct label *label);
-typedef void (*mpo_init_vnode_label_t)(struct label *label);
-typedef void (*mpo_destroy_bpfdesc_label_t)(struct label *label);
-typedef void (*mpo_destroy_cred_label_t)(struct label *label);
-typedef void (*mpo_destroy_devfs_label_t)(struct label *label);
-typedef void (*mpo_destroy_ifnet_label_t)(struct label *label);
-typedef void (*mpo_destroy_inpcb_label_t)(struct label *label);
-typedef void (*mpo_destroy_sysv_msgmsg_label_t)(struct label *label);
-typedef void (*mpo_destroy_sysv_msgqueue_label_t)(struct label *label);
-typedef void (*mpo_destroy_sysv_sem_label_t)(struct label *label);
-typedef void (*mpo_destroy_sysv_shm_label_t)(struct label *label);
-typedef void (*mpo_destroy_ipq_label_t)(struct label *label);
-typedef void (*mpo_destroy_mbuf_label_t)(struct label *label);
-typedef void (*mpo_destroy_mount_label_t)(struct label *label);
-typedef void (*mpo_destroy_socket_label_t)(struct label *label);
-typedef void (*mpo_destroy_socket_peer_label_t)(struct label *label);
-typedef void (*mpo_destroy_pipe_label_t)(struct label *label);
-typedef void (*mpo_destroy_posix_sem_label_t)(struct label *label);
-typedef void (*mpo_destroy_proc_label_t)(struct label *label);
-typedef void (*mpo_destroy_vnode_label_t)(struct label *label);
-typedef void (*mpo_cleanup_sysv_msgmsg_t)(struct label *msglabel);
-typedef void (*mpo_cleanup_sysv_msgqueue_t)(struct label *msqlabel);
-typedef void (*mpo_cleanup_sysv_sem_t)(struct label *semalabel);
-typedef void (*mpo_cleanup_sysv_shm_t)(struct label *shmlabel);
-typedef void (*mpo_copy_cred_label_t)(struct label *src,
+typedef void (*mpo_pipe_init_label_t)(struct label *label);
+typedef void (*mpo_posixsem_init_label_t)(struct label *label);
+typedef void (*mpo_proc_init_label_t)(struct label *label);
+typedef void (*mpo_vnode_init_label_t)(struct label *label);
+typedef void (*mpo_bpfdesc_destroy_label_t)(struct label *label);
+typedef void (*mpo_cred_destroy_label_t)(struct label *label);
+typedef void (*mpo_devfs_destroy_label_t)(struct label *label);
+typedef void (*mpo_ifnet_destroy_label_t)(struct label *label);
+typedef void (*mpo_inpcb_destroy_label_t)(struct label *label);
+typedef void (*mpo_sysvmsg_destroy_label_t)(struct label *label);
+typedef void (*mpo_sysvmsq_destroy_label_t)(struct label *label);
+typedef void (*mpo_sysvsem_destroy_label_t)(struct label *label);
+typedef void (*mpo_sysvshm_destroy_label_t)(struct label *label);
+typedef void (*mpo_ipq_destroy_label_t)(struct label *label);
+typedef void (*mpo_mbuf_destroy_label_t)(struct label *label);
+typedef void (*mpo_mount_destroy_label_t)(struct label *label);
+typedef void (*mpo_socket_destroy_label_t)(struct label *label);
+typedef void (*mpo_socketpeer_destroy_label_t)(struct label *label);
+typedef void (*mpo_pipe_destroy_label_t)(struct label *label);
+typedef void (*mpo_posixsem_destroy_label_t)(struct label *label);
+typedef void (*mpo_proc_destroy_label_t)(struct label *label);
+typedef void (*mpo_vnode_destroy_label_t)(struct label *label);
+typedef void (*mpo_sysvmsg_cleanup_t)(struct label *msglabel);
+typedef void (*mpo_sysvmsq_cleanup_t)(struct label *msqlabel);
+typedef void (*mpo_sysvsem_cleanup_t)(struct label *semalabel);
+typedef void (*mpo_sysvshm_cleanup_t)(struct label *shmlabel);
+typedef void (*mpo_cred_copy_label_t)(struct label *src,
struct label *dest);
-typedef void (*mpo_copy_ifnet_label_t)(struct label *src,
+typedef void (*mpo_ifnet_copy_label_t)(struct label *src,
struct label *dest);
-typedef void (*mpo_copy_mbuf_label_t)(struct label *src,
+typedef void (*mpo_mbuf_copy_label_t)(struct label *src,
struct label *dest);
-typedef void (*mpo_copy_pipe_label_t)(struct label *src,
+typedef void (*mpo_pipe_copy_label_t)(struct label *src,
struct label *dest);
-typedef void (*mpo_copy_socket_label_t)(struct label *src,
+typedef void (*mpo_socket_copy_label_t)(struct label *src,
struct label *dest);
-typedef void (*mpo_copy_vnode_label_t)(struct label *src,
+typedef void (*mpo_vnode_copy_label_t)(struct label *src,
struct label *dest);
-typedef int (*mpo_externalize_cred_label_t)(struct label *label,
+typedef int (*mpo_cred_externalize_label_t)(struct label *label,
char *element_name, struct sbuf *sb, int *claimed);
-typedef int (*mpo_externalize_ifnet_label_t)(struct label *label,
+typedef int (*mpo_ifnet_externalize_label_t)(struct label *label,
char *element_name, struct sbuf *sb, int *claimed);
-typedef int (*mpo_externalize_pipe_label_t)(struct label *label,
+typedef int (*mpo_pipe_externalize_label_t)(struct label *label,
char *element_name, struct sbuf *sb, int *claimed);
-typedef int (*mpo_externalize_socket_label_t)(struct label *label,
+typedef int (*mpo_socket_externalize_label_t)(struct label *label,
char *element_name, struct sbuf *sb, int *claimed);
-typedef int (*mpo_externalize_socket_peer_label_t)(struct label *label,
+typedef int (*mpo_socketpeer_externalize_label_t)(struct label *label,
char *element_name, struct sbuf *sb, int *claimed);
-typedef int (*mpo_externalize_vnode_label_t)(struct label *label,
+typedef int (*mpo_vnode_externalize_label_t)(struct label *label,
char *element_name, struct sbuf *sb, int *claimed);
-typedef int (*mpo_internalize_cred_label_t)(struct label *label,
+typedef int (*mpo_cred_internalize_label_t)(struct label *label,
char *element_name, char *element_data, int *claimed);
-typedef int (*mpo_internalize_ifnet_label_t)(struct label *label,
+typedef int (*mpo_ifnet_internalize_label_t)(struct label *label,
char *element_name, char *element_data, int *claimed);
-typedef int (*mpo_internalize_pipe_label_t)(struct label *label,
+typedef int (*mpo_pipe_internalize_label_t)(struct label *label,
char *element_name, char *element_data, int *claimed);
-typedef int (*mpo_internalize_socket_label_t)(struct label *label,
+typedef int (*mpo_socket_internalize_label_t)(struct label *label,
char *element_name, char *element_data, int *claimed);
-typedef int (*mpo_internalize_vnode_label_t)(struct label *label,
+typedef int (*mpo_vnode_internalize_label_t)(struct label *label,
char *element_name, char *element_data, int *claimed);
/*
* Labeling event operations: file system objects, and things that look a lot
* like file system objects.
*/
-typedef void (*mpo_associate_vnode_devfs_t)(struct mount *mp,
+typedef void (*mpo_devfs_vnode_associate_t)(struct mount *mp,
struct label *mplabel, struct devfs_dirent *de,
struct label *delabel, struct vnode *vp,
struct label *vplabel);
-typedef int (*mpo_associate_vnode_extattr_t)(struct mount *mp,
+typedef int (*mpo_vnode_associate_extattr_t)(struct mount *mp,
struct label *mplabel, struct vnode *vp,
struct label *vplabel);
-typedef void (*mpo_associate_vnode_singlelabel_t)(struct mount *mp,
+typedef void (*mpo_vnode_associate_singlelabel_t)(struct mount *mp,
struct label *mplabel, struct vnode *vp,
struct label *vplabel);
-typedef void (*mpo_create_devfs_device_t)(struct ucred *cred,
+typedef void (*mpo_devfs_create_device_t)(struct ucred *cred,
struct mount *mp, struct cdev *dev,
struct devfs_dirent *de, struct label *delabel);
-typedef void (*mpo_create_devfs_directory_t)(struct mount *mp,
+typedef void (*mpo_devfs_create_directory_t)(struct mount *mp,
char *dirname, int dirnamelen, struct devfs_dirent *de,
struct label *delabel);
-typedef void (*mpo_create_devfs_symlink_t)(struct ucred *cred,
+typedef void (*mpo_devfs_create_symlink_t)(struct ucred *cred,
struct mount *mp, struct devfs_dirent *dd,
struct label *ddlabel, struct devfs_dirent *de,
struct label *delabel);
-typedef int (*mpo_create_vnode_extattr_t)(struct ucred *cred,
+typedef int (*mpo_vnode_create_extattr_t)(struct ucred *cred,
struct mount *mp, struct label *mplabel,
struct vnode *dvp, struct label *dvplabel,
struct vnode *vp, struct label *vplabel,
struct componentname *cnp);
-typedef void (*mpo_create_mount_t)(struct ucred *cred, struct mount *mp,
+typedef void (*mpo_mount_create_t)(struct ucred *cred, struct mount *mp,
struct label *mplabel);
-typedef void (*mpo_relabel_vnode_t)(struct ucred *cred, struct vnode *vp,
+typedef void (*mpo_vnode_relabel_t)(struct ucred *cred, struct vnode *vp,
struct label *vplabel, struct label *label);
-typedef int (*mpo_setlabel_vnode_extattr_t)(struct ucred *cred,
+typedef int (*mpo_vnode_setlabel_extattr_t)(struct ucred *cred,
struct vnode *vp, struct label *vplabel,
struct label *intlabel);
-typedef void (*mpo_update_devfs_t)(struct mount *mp,
+typedef void (*mpo_devfs_update_t)(struct mount *mp,
struct devfs_dirent *de, struct label *delabel,
struct vnode *vp, struct label *vplabel);
/*
* Labeling event operations: IPC objects.
*/
-typedef void (*mpo_create_mbuf_from_socket_t)(struct socket *so,
+typedef void (*mpo_socket_create_mbuf_t)(struct socket *so,
struct label *solabel, struct mbuf *m,
struct label *mlabel);
-typedef void (*mpo_create_socket_t)(struct ucred *cred, struct socket *so,
+typedef void (*mpo_socket_create_t)(struct ucred *cred, struct socket *so,
struct label *solabel);
-typedef void (*mpo_create_socket_from_socket_t)(struct socket *oldso,
+typedef void (*mpo_socket_newconn_t)(struct socket *oldso,
struct label *oldsolabel, struct socket *newso,
struct label *newsolabel);
-typedef void (*mpo_relabel_socket_t)(struct ucred *cred, struct socket *so,
+typedef void (*mpo_socket_relabel_t)(struct ucred *cred, struct socket *so,
struct label *oldlabel, struct label *newlabel);
-typedef void (*mpo_relabel_pipe_t)(struct ucred *cred, struct pipepair *pp,
+typedef void (*mpo_pipe_relabel_t)(struct ucred *cred, struct pipepair *pp,
struct label *oldlabel, struct label *newlabel);
-typedef void (*mpo_set_socket_peer_from_mbuf_t)(struct mbuf *m,
+typedef void (*mpo_socketpeer_set_from_mbuf_t)(struct mbuf *m,
struct label *mlabel, struct socket *so,
struct label *sopeerlabel);
-typedef void (*mpo_set_socket_peer_from_socket_t)(struct socket *oldso,
+typedef void (*mpo_socketpeer_set_from_socket_t)(struct socket *oldso,
struct label *oldsolabel, struct socket *newso,
struct label *newsopeerlabel);
-typedef void (*mpo_create_pipe_t)(struct ucred *cred, struct pipepair *pp,
+typedef void (*mpo_pipe_create_t)(struct ucred *cred, struct pipepair *pp,
struct label *pplabel);
/*
* Labeling event operations: System V IPC primitives.
*/
-typedef void (*mpo_create_sysv_msgmsg_t)(struct ucred *cred,
+typedef void (*mpo_sysvmsg_create_t)(struct ucred *cred,
struct msqid_kernel *msqkptr, struct label *msqlabel,
struct msg *msgptr, struct label *msglabel);
-typedef void (*mpo_create_sysv_msgqueue_t)(struct ucred *cred,
+typedef void (*mpo_sysvmsq_create_t)(struct ucred *cred,
struct msqid_kernel *msqkptr, struct label *msqlabel);
-typedef void (*mpo_create_sysv_sem_t)(struct ucred *cred,
+typedef void (*mpo_sysvsem_create_t)(struct ucred *cred,
struct semid_kernel *semakptr, struct label *semalabel);
-typedef void (*mpo_create_sysv_shm_t)(struct ucred *cred,
+typedef void (*mpo_sysvshm_create_t)(struct ucred *cred,
struct shmid_kernel *shmsegptr, struct label *shmlabel);
/*
* Labeling event operations: POSIX (global/inter-process) semaphores.
*/
-typedef void (*mpo_create_posix_sem_t)(struct ucred *cred,
+typedef void (*mpo_posixsem_create_t)(struct ucred *cred,
struct ksem *ks, struct label *kslabel);
/*
* Labeling event operations: network objects.
*/
-typedef void (*mpo_create_bpfdesc_t)(struct ucred *cred,
+typedef void (*mpo_bpfdesc_create_t)(struct ucred *cred,
struct bpf_d *d, struct label *dlabel);
-typedef void (*mpo_create_ifnet_t)(struct ifnet *ifp,
+typedef void (*mpo_ifnet_create_t)(struct ifnet *ifp,
struct label *ifplabel);
-typedef void (*mpo_create_inpcb_from_socket_t)(struct socket *so,
+typedef void (*mpo_inpcb_create_t)(struct socket *so,
struct label *solabel, struct inpcb *inp,
struct label *inplabel);
-typedef void (*mpo_create_ipq_t)(struct mbuf *m, struct label *mlabel,
+typedef void (*mpo_ipq_create_t)(struct mbuf *m, struct label *mlabel,
struct ipq *ipq, struct label *ipqlabel);
-typedef void (*mpo_create_datagram_from_ipq)
+typedef void (*mpo_ipq_reassemble)
(struct ipq *ipq, struct label *ipqlabel, struct mbuf *m,
struct label *mlabel);
-typedef void (*mpo_create_fragment_t)(struct mbuf *m,
+typedef void (*mpo_netinet_fragment_t)(struct mbuf *m,
struct label *mlabel, struct mbuf *frag,
struct label *fraglabel);
-typedef void (*mpo_create_mbuf_from_inpcb_t)(struct inpcb *inp,
+typedef void (*mpo_inpcb_create_mbuf_t)(struct inpcb *inp,
struct label *inplabel, struct mbuf *m,
struct label *mlabel);
typedef void (*mpo_create_mbuf_linklayer_t)(struct ifnet *ifp,
struct label *ifplabel, struct mbuf *m,
struct label *mlabel);
-typedef void (*mpo_create_mbuf_from_bpfdesc_t)(struct bpf_d *d,
+typedef void (*mpo_bpfdesc_create_mbuf_t)(struct bpf_d *d,
struct label *dlabel, struct mbuf *m,
struct label *mlabel);
-typedef void (*mpo_create_mbuf_from_ifnet_t)(struct ifnet *ifp,
+typedef void (*mpo_ifnet_create_mbuf_t)(struct ifnet *ifp,
struct label *ifplabel, struct mbuf *m,
struct label *mlabel);
-typedef void (*mpo_create_mbuf_multicast_encap_t)(struct mbuf *m,
+typedef void (*mpo_mbuf_create_multicast_encap_t)(struct mbuf *m,
struct label *mlabel, struct ifnet *ifp,
struct label *ifplabel, struct mbuf *mnew,
struct label *mnewlabel);
-typedef void (*mpo_create_mbuf_netlayer_t)(struct mbuf *m,
+typedef void (*mpo_mbuf_create_netlayer_t)(struct mbuf *m,
struct label *mlabel, struct mbuf *mnew,
struct label *mnewlabel);
-typedef int (*mpo_fragment_match_t)(struct mbuf *m, struct label *mlabel,
+typedef int (*mpo_ipq_match_t)(struct mbuf *m, struct label *mlabel,
struct ipq *ipq, struct label *ipqlabel);
-typedef void (*mpo_reflect_mbuf_icmp_t)(struct mbuf *m,
+typedef void (*mpo_netinet_icmp_reply_t)(struct mbuf *m,
struct label *mlabel);
-typedef void (*mpo_reflect_mbuf_tcp_t)(struct mbuf *m,
+typedef void (*mpo_netinet_tcp_reply_t)(struct mbuf *m,
struct label *mlabel);
-typedef void (*mpo_relabel_ifnet_t)(struct ucred *cred, struct ifnet *ifp,
+typedef void (*mpo_ifnet_relabel_t)(struct ucred *cred, struct ifnet *ifp,
struct label *ifplabel, struct label *newlabel);
-typedef void (*mpo_update_ipq_t)(struct mbuf *m, struct label *mlabel,
+typedef void (*mpo_ipq_update_t)(struct mbuf *m, struct label *mlabel,
struct ipq *ipq, struct label *ipqlabel);
typedef void (*mpo_inpcb_sosetlabel_t)(struct socket *so,
struct label *label, struct inpcb *inp,
struct label *inplabel);
-typedef void (*mpo_create_mbuf_from_firewall_t)(struct mbuf *m,
+typedef void (*mpo_mbuf_create_from_firewall_t)(struct mbuf *m,
struct label *label);
typedef void (*mpo_destroy_syncache_label_t)(struct label *label);
typedef int (*mpo_init_syncache_label_t)(struct label *label, int flag);
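Review bot: The renamed typedef `mpo_ipq_reassemble` still lacks the `_t` suffix that every other entry-point typedef in this hunk carries. Since the line is being rewritten anyway, `typedef void (*mpo_ipq_reassemble_t)` would make it consistent; any `struct mac_policy_ops` member declared with this type lies outside the hunk and would need the same change. The hunk also leaves `mpo_create_mbuf_linklayer_t`, `mpo_destroy_syncache_label_t` and `mpo_init_syncache_label_t` in the old verb-first form beside the renamed object-first entries, and the `mac_create_mbuf_linklayer` hunk header in mac_net.c suggests the wrapper keeps its old name too. If that is deliberate, a one-line comment above them such as `/* XXX: not yet converted to object_method naming. */` would tell policy authors the mixed naming carries no meaning.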
@@ -337,274 +337,274 @@ typedef void (*mpo_create_mbuf_from_syncache_t)(struct label *sc_label,
/*
* Labeling event operations: processes.
*/
-typedef void (*mpo_execve_transition_t)(struct ucred *old,
+typedef void (*mpo_vnode_execve_transition_t)(struct ucred *old,
struct ucred *new, struct vnode *vp,
struct label *vplabel, struct label *interpvnodelabel,
struct image_params *imgp, struct label *execlabel);
-typedef int (*mpo_execve_will_transition_t)(struct ucred *old,
+typedef int (*mpo_vnode_execve_will_transition_t)(struct ucred *old,
struct vnode *vp, struct label *vplabel,
struct label *interpvnodelabel,
struct image_params *imgp, struct label *execlabel);
-typedef void (*mpo_create_proc0_t)(struct ucred *cred);
-typedef void (*mpo_create_proc1_t)(struct ucred *cred);
-typedef void (*mpo_relabel_cred_t)(struct ucred *cred,
+typedef void (*mpo_proc_create_swapper_t)(struct ucred *cred);
+typedef void (*mpo_proc_create_init_t)(struct ucred *cred);
+typedef void (*mpo_cred_relabel_t)(struct ucred *cred,
struct label *newlabel);
typedef void (*mpo_thread_userret_t)(struct thread *thread);
/*
* Access control checks.
*/
-typedef int (*mpo_check_bpfdesc_receive_t)(struct bpf_d *d,
+typedef int (*mpo_bpfdesc_check_receive_t)(struct bpf_d *d,
struct label *dlabel, struct ifnet *ifp,
struct label *ifplabel);
-typedef int (*mpo_check_cred_relabel_t)(struct ucred *cred,
+typedef int (*mpo_cred_check_relabel_t)(struct ucred *cred,
struct label *newlabel);
-typedef int (*mpo_check_cred_visible_t)(struct ucred *cr1,
+typedef int (*mpo_cred_check_visible_t)(struct ucred *cr1,
struct ucred *cr2);
-typedef int (*mpo_check_ifnet_relabel_t)(struct ucred *cred,
+typedef int (*mpo_ifnet_check_relabel_t)(struct ucred *cred,
struct ifnet *ifp, struct label *ifplabel,
struct label *newlabel);
-typedef int (*mpo_check_ifnet_transmit_t)(struct ifnet *ifp,
+typedef int (*mpo_ifnet_check_transmit_t)(struct ifnet *ifp,
struct label *ifplabel, struct mbuf *m,
struct label *mlabel);
-typedef int (*mpo_check_inpcb_deliver_t)(struct inpcb *inp,
+typedef int (*mpo_inpcb_check_deliver_t)(struct inpcb *inp,
struct label *inplabel, struct mbuf *m,
struct label *mlabel);
-typedef int (*mpo_check_sysv_msgmsq_t)(struct ucred *cred,
+typedef int (*mpo_sysvmsq_check_msgmsq_t)(struct ucred *cred,
struct msg *msgptr, struct label *msglabel,
struct msqid_kernel *msqkptr, struct label *msqklabel);
-typedef int (*mpo_check_sysv_msgrcv_t)(struct ucred *cred,
+typedef int (*mpo_sysvmsq_check_msgrcv_t)(struct ucred *cred,
struct msg *msgptr, struct label *msglabel);
-typedef int (*mpo_check_sysv_msgrmid_t)(struct ucred *cred,
+typedef int (*mpo_sysvmsq_check_msgrmid_t)(struct ucred *cred,
struct msg *msgptr, struct label *msglabel);
-typedef int (*mpo_check_sysv_msqget_t)(struct ucred *cred,
+typedef int (*mpo_sysvmsq_check_msqget_t)(struct ucred *cred,
struct msqid_kernel *msqkptr, struct label *msqklabel);
-typedef int (*mpo_check_sysv_msqsnd_t)(struct ucred *cred,
+typedef int (*mpo_sysvmsq_check_msqsnd_t)(struct ucred *cred,
struct msqid_kernel *msqkptr, struct label *msqklabel);
-typedef int (*mpo_check_sysv_msqrcv_t)(struct ucred *cred,
+typedef int (*mpo_sysvmsq_check_msqrcv_t)(struct ucred *cred,
struct msqid_kernel *msqkptr, struct label *msqklabel);
-typedef int (*mpo_check_sysv_msqctl_t)(struct ucred *cred,
+typedef int (*mpo_sysvmsq_check_msqctl_t)(struct ucred *cred,
struct msqid_kernel *msqkptr, struct label *msqklabel,
int cmd);
-typedef int (*mpo_check_sysv_semctl_t)(struct ucred *cred,
+typedef int (*mpo_sysvsem_check_semctl_t)(struct ucred *cred,
struct semid_kernel *semakptr, struct label *semaklabel,
int cmd);
-typedef int (*mpo_check_sysv_semget_t)(struct ucred *cred,
+typedef int (*mpo_sysvsem_check_semget_t)(struct ucred *cred,
struct semid_kernel *semakptr, struct label *semaklabel);
-typedef int (*mpo_check_sysv_semop_t)(struct ucred *cred,
+typedef int (*mpo_sysvsem_check_semop_t)(struct ucred *cred,
struct semid_kernel *semakptr, struct label *semaklabel,
size_t accesstype);
-typedef int (*mpo_check_sysv_shmat_t)(struct ucred *cred,
+typedef int (*mpo_sysvshm_check_shmat_t)(struct ucred *cred,
struct shmid_kernel *shmsegptr,
struct label *shmseglabel, int shmflg);
-typedef int (*mpo_check_sysv_shmctl_t)(struct ucred *cred,
+typedef int (*mpo_sysvshm_check_shmctl_t)(struct ucred *cred,
struct shmid_kernel *shmsegptr,
struct label *shmseglabel, int cmd);
-typedef int (*mpo_check_sysv_shmdt_t)(struct ucred *cred,
+typedef int (*mpo_sysvshm_check_shmdt_t)(struct ucred *cred,
struct shmid_kernel *shmsegptr,
struct label *shmseglabel);
-typedef int (*mpo_check_sysv_shmget_t)(struct ucred *cred,
+typedef int (*mpo_sysvshm_check_shmget_t)(struct ucred *cred,
struct shmid_kernel *shmsegptr,
struct label *shmseglabel, int shmflg);
-typedef int (*mpo_check_kenv_dump_t)(struct ucred *cred);
-typedef int (*mpo_check_kenv_get_t)(struct ucred *cred, char *name);
-typedef int (*mpo_check_kenv_set_t)(struct ucred *cred, char *name,
+typedef int (*mpo_kenv_check_dump_t)(struct ucred *cred);
+typedef int (*mpo_kenv_check_get_t)(struct ucred *cred, char *name);
+typedef int (*mpo_kenv_check_set_t)(struct ucred *cred, char *name,
char *value);
-typedef int (*mpo_check_kenv_unset_t)(struct ucred *cred, char *name);
-typedef int (*mpo_check_kld_load_t)(struct ucred *cred, struct vnode *vp,
+typedef int (*mpo_kenv_check_unset_t)(struct ucred *cred, char *name);
+typedef int (*mpo_kld_check_load_t)(struct ucred *cred, struct vnode *vp,
struct label *vplabel);
-typedef int (*mpo_check_kld_stat_t)(struct ucred *cred);
+typedef int (*mpo_kld_check_stat_t)(struct ucred *cred);
typedef int (*mpo_mpo_placeholder19_t)(void);
typedef int (*mpo_mpo_placeholder20_t)(void);
-typedef int (*mpo_check_mount_stat_t)(struct ucred *cred,
+typedef int (*mpo_mount_check_stat_t)(struct ucred *cred,
struct mount *mp, struct label *mplabel);
typedef int (*mpo_mpo_placeholder21_t)(void);
-typedef int (*mpo_check_pipe_ioctl_t)(struct ucred *cred,
+typedef int (*mpo_pipe_check_ioctl_t)(struct ucred *cred,
struct pipepair *pp, struct label *pplabel,
unsigned long cmd, void *data);
-typedef int (*mpo_check_pipe_poll_t)(struct ucred *cred,
+typedef int (*mpo_pipe_check_poll_t)(struct ucred *cred,
struct pipepair *pp, struct label *pplabel);
-typedef int (*mpo_check_pipe_read_t)(struct ucred *cred,
+typedef int (*mpo_pipe_check_read_t)(struct ucred *cred,
struct pipepair *pp, struct label *pplabel);
-typedef int (*mpo_check_pipe_relabel_t)(struct ucred *cred,
+typedef int (*mpo_pipe_check_relabel_t)(struct ucred *cred,
struct pipepair *pp, struct label *pplabel,
struct label *newlabel);
-typedef int (*mpo_check_pipe_stat_t)(struct ucred *cred,
+typedef int (*mpo_pipe_check_stat_t)(struct ucred *cred,
struct pipepair *pp, struct label *pplabel);
-typedef int (*mpo_check_pipe_write_t)(struct ucred *cred,
+typedef int (*mpo_pipe_check_write_t)(struct ucred *cred,
struct pipepair *pp, struct label *pplabel);
-typedef int (*mpo_check_posix_sem_destroy_t)(struct ucred *cred,
+typedef int (*mpo_posixsem_check_destroy_t)(struct ucred *cred,
struct ksem *ks, struct label *kslabel);
-typedef int (*mpo_check_posix_sem_getvalue_t)(struct ucred *cred,
+typedef int (*mpo_posixsem_check_getvalue_t)(struct ucred *cred,
struct ksem *ks, struct label *kslabel);
-typedef int (*mpo_check_posix_sem_open_t)(struct ucred *cred,
+typedef int (*mpo_posixsem_check_open_t)(struct ucred *cred,
struct ksem *ks, struct label *kslabel);
-typedef int (*mpo_check_posix_sem_post_t)(struct ucred *cred,
+typedef int (*mpo_posixsem_check_post_t)(struct ucred *cred,
struct ksem *ks, struct label *kslabel);
-typedef int (*mpo_check_posix_sem_unlink_t)(struct ucred *cred,
+typedef int (*mpo_posixsem_check_unlink_t)(struct ucred *cred,
struct ksem *ks, struct label *kslabel);
-typedef int (*mpo_check_posix_sem_wait_t)(struct ucred *cred,
+typedef int (*mpo_posixsem_check_wait_t)(struct ucred *cred,
struct ksem *ks, struct label *kslabel);
-typedef int (*mpo_check_proc_debug_t)(struct ucred *cred,
+typedef int (*mpo_proc_check_debug_t)(struct ucred *cred,
struct proc *p);
-typedef int (*mpo_check_proc_sched_t)(struct ucred *cred,
+typedef int (*mpo_proc_check_sched_t)(struct ucred *cred,
struct proc *p);
-typedef int (*mpo_check_proc_setaudit_t)(struct ucred *cred,
+typedef int (*mpo_proc_check_setaudit_t)(struct ucred *cred,
struct auditinfo *ai);
-typedef int (*mpo_check_proc_setaudit_addr_t)(struct ucred *cred,
+typedef int (*mpo_proc_check_setaudit_addr_t)(struct ucred *cred,
struct auditinfo_addr *aia);
-typedef int (*mpo_check_proc_setauid_t)(struct ucred *cred, uid_t auid);
-typedef int (*mpo_check_proc_setuid_t)(struct ucred *cred, uid_t uid);
-typedef int (*mpo_check_proc_seteuid_t)(struct ucred *cred, uid_t euid);
-typedef int (*mpo_check_proc_setgid_t)(struct ucred *cred, gid_t gid);
-typedef int (*mpo_check_proc_setegid_t)(struct ucred *cred, gid_t egid);
-typedef int (*mpo_check_proc_setgroups_t)(struct ucred *cred, int ngroups,
+typedef int (*mpo_proc_check_setauid_t)(struct ucred *cred, uid_t auid);
+typedef int (*mpo_proc_check_setuid_t)(struct ucred *cred, uid_t uid);
+typedef int (*mpo_proc_check_seteuid_t)(struct ucred *cred, uid_t euid);
+typedef int (*mpo_proc_check_setgid_t)(struct ucred *cred, gid_t gid);
+typedef int (*mpo_proc_check_setegid_t)(struct ucred *cred, gid_t egid);
+typedef int (*mpo_proc_check_setgroups_t)(struct ucred *cred, int ngroups,
gid_t *gidset);
-typedef int (*mpo_check_proc_setreuid_t)(struct ucred *cred, uid_t ruid,
+typedef int (*mpo_proc_check_setreuid_t)(struct ucred *cred, uid_t ruid,
uid_t euid);
-typedef int (*mpo_check_proc_setregid_t)(struct ucred *cred, gid_t rgid,
+typedef int (*mpo_proc_check_setregid_t)(struct ucred *cred, gid_t rgid,
gid_t egid);
-typedef int (*mpo_check_proc_setresuid_t)(struct ucred *cred, uid_t ruid,
+typedef int (*mpo_proc_check_setresuid_t)(struct ucred *cred, uid_t ruid,
uid_t euid, uid_t suid);
-typedef int (*mpo_check_proc_setresgid_t)(struct ucred *cred, gid_t rgid,
+typedef int (*mpo_proc_check_setresgid_t)(struct ucred *cred, gid_t rgid,
gid_t egid, gid_t sgid);
-typedef int (*mpo_check_proc_signal_t)(struct ucred *cred,
+typedef int (*mpo_proc_check_signal_t)(struct ucred *cred,
struct proc *proc, int signum);
-typedef int (*mpo_check_proc_wait_t)(struct ucred *cred,
+typedef int (*mpo_proc_check_wait_t)(struct ucred *cred,
struct proc *proc);
-typedef int (*mpo_check_socket_accept_t)(struct ucred *cred,
+typedef int (*mpo_socket_check_accept_t)(struct ucred *cred,
struct socket *so, struct label *solabel);
-typedef int (*mpo_check_socket_bind_t)(struct ucred *cred,
+typedef int (*mpo_socket_check_bind_t)(struct ucred *cred,
struct socket *so, struct label *solabel,
struct sockaddr *sa);
-typedef int (*mpo_check_socket_connect_t)(struct ucred *cred,
+typedef int (*mpo_socket_check_connect_t)(struct ucred *cred,
struct socket *so, struct label *solabel,
struct sockaddr *sa);
-typedef int (*mpo_check_socket_create_t)(struct ucred *cred, int domain,
+typedef int (*mpo_socket_check_create_t)(struct ucred *cred, int domain,
int type, int protocol);
-typedef int (*mpo_check_socket_deliver_t)(struct socket *so,
+typedef int (*mpo_socket_check_deliver_t)(struct socket *so,
struct label *solabel, struct mbuf *m,
struct label *mlabel);
-typedef int (*mpo_check_socket_listen_t)(struct ucred *cred,
+typedef int (*mpo_socket_check_listen_t)(struct ucred *cred,
struct socket *so, struct label *solabel);
-typedef int (*mpo_check_socket_poll_t)(struct ucred *cred,
+typedef int (*mpo_socket_check_poll_t)(struct ucred *cred,
struct socket *so, struct label *solabel);
-typedef int (*mpo_check_socket_receive_t)(struct ucred *cred,
+typedef int (*mpo_socket_check_receive_t)(struct ucred *cred,
struct socket *so, struct label *solabel);
-typedef int (*mpo_check_socket_relabel_t)(struct ucred *cred,
+typedef int (*mpo_socket_check_relabel_t)(struct ucred *cred,
struct socket *so, struct label *solabel,
struct label *newlabel);
-typedef int (*mpo_check_socket_send_t)(struct ucred *cred,
+typedef int (*mpo_socket_check_send_t)(struct ucred *cred,
struct socket *so, struct label *solabel);
-typedef int (*mpo_check_socket_stat_t)(struct ucred *cred,
+typedef int (*mpo_socket_check_stat_t)(struct ucred *cred,
struct socket *so, struct label *solabel);
-typedef int (*mpo_check_socket_visible_t)(struct ucred *cred,
+typedef int (*mpo_socket_check_visible_t)(struct ucred *cred,
struct socket *so, struct label *solabel);
-typedef int (*mpo_check_system_acct_t)(struct ucred *cred,
+typedef int (*mpo_system_check_acct_t)(struct ucred *cred,
struct vnode *vp, struct label *vplabel);
-typedef int (*mpo_check_system_audit_t)(struct ucred *cred, void *record,
+typedef int (*mpo_system_check_audit_t)(struct ucred *cred, void *record,
int length);
-typedef int (*mpo_check_system_auditctl_t)(struct ucred *cred,
+typedef int (*mpo_system_check_auditctl_t)(struct ucred *cred,
struct vnode *vp, struct label *vplabel);
-typedef int (*mpo_check_system_auditon_t)(struct ucred *cred, int cmd);
-typedef int (*mpo_check_system_reboot_t)(struct ucred *cred, int howto);
-typedef int (*mpo_check_system_swapon_t)(struct ucred *cred,
+typedef int (*mpo_system_check_auditon_t)(struct ucred *cred, int cmd);
+typedef int (*mpo_system_check_reboot_t)(struct ucred *cred, int howto);
+typedef int (*mpo_system_check_swapon_t)(struct ucred *cred,
struct vnode *vp, struct label *vplabel);
-typedef int (*mpo_check_system_swapoff_t)(struct ucred *cred,
+typedef int (*mpo_system_check_swapoff_t)(struct ucred *cred,
struct vnode *vp, struct label *vplabel);
-typedef int (*mpo_check_system_sysctl_t)(struct ucred *cred,
+typedef int (*mpo_system_check_sysctl_t)(struct ucred *cred,
struct sysctl_oid *oidp, void *arg1, int arg2,
struct sysctl_req *req);
-typedef int (*mpo_check_vnode_access_t)(struct ucred *cred,
+typedef int (*mpo_vnode_check_access_t)(struct ucred *cred,
struct vnode *vp, struct label *vplabel, int acc_mode);
-typedef int (*mpo_check_vnode_chdir_t)(struct ucred *cred,
+typedef int (*mpo_vnode_check_chdir_t)(struct ucred *cred,
struct vnode *dvp, struct label *dvplabel);
-typedef int (*mpo_check_vnode_chroot_t)(struct ucred *cred,
+typedef int (*mpo_vnode_check_chroot_t)(struct ucred *cred,
struct vnode *dvp, struct label *dvplabel);
-typedef int (*mpo_check_vnode_create_t)(struct ucred *cred,
+typedef int (*mpo_vnode_check_create_t)(struct ucred *cred,
struct vnode *dvp, struct label *dvplabel,
struct componentname *cnp, struct vattr *vap);
-typedef int (*mpo_check_vnode_deleteacl_t)(struct ucred *cred,
+typedef int (*mpo_vnode_check_deleteacl_t)(struct ucred *cred,
struct vnode *vp, struct label *vplabel,
acl_type_t type);
-typedef int (*mpo_check_vnode_deleteextattr_t)(struct ucred *cred,
+typedef int (*mpo_vnode_check_deleteextattr_t)(struct ucred *cred,
struct vnode *vp, struct label *vplabel,
int attrnamespace, const char *name);
-typedef int (*mpo_check_vnode_exec_t)(struct ucred *cred,
+typedef int (*mpo_vnode_check_exec_t)(struct ucred *cred,
struct vnode *vp, struct label *vplabel,
struct image_params *imgp, struct label *execlabel);
-typedef int (*mpo_check_vnode_getacl_t)(struct ucred *cred,
+typedef int (*mpo_vnode_check_getacl_t)(struct ucred *cred,
struct vnode *vp, struct label *vplabel,
acl_type_t type);
-typedef int (*mpo_check_vnode_getextattr_t)(struct ucred *cred,
+typedef int (*mpo_vnode_check_getextattr_t)(struct ucred *cred,
struct vnode *vp, struct label *vplabel,
int attrnamespace, const char *name, struct uio *uio);
-typedef int (*mpo_check_vnode_link_t)(struct ucred *cred,
+typedef int (*mpo_vnode_check_link_t)(struct ucred *cred,
struct vnode *dvp, struct label *dvplabel,
struct vnode *vp, struct label *vplabel,
struct componentname *cnp);
-typedef int (*mpo_check_vnode_listextattr_t)(struct ucred *cred,
+typedef int (*mpo_vnode_check_listextattr_t)(struct ucred *cred,
struct vnode *vp, struct label *vplabel,
int attrnamespace);
-typedef int (*mpo_check_vnode_lookup_t)(struct ucred *cred,
+typedef int (*mpo_vnode_check_lookup_t)(struct ucred *cred,
struct vnode *dvp, struct label *dvplabel,
struct componentname *cnp);
-typedef int (*mpo_check_vnode_mmap_t)(struct ucred *cred,
+typedef int (*mpo_vnode_check_mmap_t)(struct ucred *cred,
struct vnode *vp, struct label *label, int prot,
int flags);
-typedef void (*mpo_check_vnode_mmap_downgrade_t)(struct ucred *cred,
+typedef void (*mpo_vnode_check_mmap_downgrade_t)(struct ucred *cred,
struct vnode *vp, struct label *vplabel, int *prot);
-typedef int (*mpo_check_vnode_mprotect_t)(struct ucred *cred,
+typedef int (*mpo_vnode_check_mprotect_t)(struct ucred *cred,
struct vnode *vp, struct label *vplabel, int prot);
-typedef int (*mpo_check_vnode_open_t)(struct ucred *cred,
+typedef int (*mpo_vnode_check_open_t)(struct ucred *cred,
struct vnode *vp, struct label *vplabel, int acc_mode);
-typedef int (*mpo_check_vnode_poll_t)(struct ucred *active_cred,
+typedef int (*mpo_vnode_check_poll_t)(struct ucred *active_cred,
struct ucred *file_cred, struct vnode *vp,
struct label *vplabel);
-typedef int (*mpo_check_vnode_read_t)(struct ucred *active_cred,
+typedef int (*mpo_vnode_check_read_t)(struct ucred *active_cred,
struct ucred *file_cred, struct vnode *vp,
struct label *vplabel);
-typedef int (*mpo_check_vnode_readdir_t)(struct ucred *cred,
+typedef int (*mpo_vnode_check_readdir_t)(struct ucred *cred,
struct vnode *dvp, struct label *dvplabel);
-typedef int (*mpo_check_vnode_readlink_t)(struct ucred *cred,
+typedef int (*mpo_vnode_check_readlink_t)(struct ucred *cred,
struct vnode *vp, struct label *vplabel);
-typedef int (*mpo_check_vnode_relabel_t)(struct ucred *cred,
+typedef int (*mpo_vnode_check_relabel_t)(struct ucred *cred,
struct vnode *vp, struct label *vplabel,
struct label *newlabel);
-typedef int (*mpo_check_vnode_rename_from_t)(struct ucred *cred,
+typedef int (*mpo_vnode_check_rename_from_t)(struct ucred *cred,
struct vnode *dvp, struct label *dvplabel,
struct vnode *vp, struct label *vplabel,
struct componentname *cnp);
-typedef int (*mpo_check_vnode_rename_to_t)(struct ucred *cred,
+typedef int (*mpo_vnode_check_rename_to_t)(struct ucred *cred,
struct vnode *dvp, struct label *dvplabel,
struct vnode *vp, struct label *vplabel, int samedir,
struct componentname *cnp);
-typedef int (*mpo_check_vnode_revoke_t)(struct ucred *cred,
+typedef int (*mpo_vnode_check_revoke_t)(struct ucred *cred,
struct vnode *vp, struct label *vplabel);
-typedef int (*mpo_check_vnode_setacl_t)(struct ucred *cred,
+typedef int (*mpo_vnode_check_setacl_t)(struct ucred *cred,
struct vnode *vp, struct label *vplabel, acl_type_t type,
struct acl *acl);
-typedef int (*mpo_check_vnode_setextattr_t)(struct ucred *cred,
+typedef int (*mpo_vnode_check_setextattr_t)(struct ucred *cred,
struct vnode *vp, struct label *vplabel,
int attrnamespace, const char *name, struct uio *uio);
-typedef int (*mpo_check_vnode_setflags_t)(struct ucred *cred,
+typedef int (*mpo_vnode_check_setflags_t)(struct ucred *cred,
struct vnode *vp, struct label *vplabel, u_long flags);
-typedef int (*mpo_check_vnode_setmode_t)(struct ucred *cred,
+typedef int (*mpo_vnode_check_setmode_t)(struct ucred *cred,
struct vnode *vp, struct label *vplabel, mode_t mode);
-typedef int (*mpo_check_vnode_setowner_t)(struct ucred *cred,
+typedef int (*mpo_vnode_check_setowner_t)(struct ucred *cred,
struct vnode *vp, struct label *vplabel, uid_t uid,
gid_t gid);
-typedef int (*mpo_check_vnode_setutimes_t)(struct ucred *cred,
+typedef int (*mpo_vnode_check_setutimes_t)(struct ucred *cred,
struct vnode *vp, struct label *vplabel,
struct timespec atime, struct timespec mtime);
-typedef int (*mpo_check_vnode_stat_t)(struct ucred *active_cred,
+typedef int (*mpo_vnode_check_stat_t)(struct ucred *active_cred,
struct ucred *file_cred, struct vnode *vp,
struct label *vplabel);
-typedef int (*mpo_check_vnode_unlink_t)(struct ucred *cred,
+typedef int (*mpo_vnode_check_unlink_t)(struct ucred *cred,
struct vnode *dvp, struct label *dvplabel,
struct vnode *vp, struct label *vplabel,
struct componentname *cnp);
-typedef int (*mpo_check_vnode_write_t)(struct ucred *active_cred,
+typedef int (*mpo_vnode_check_write_t)(struct ucred *active_cred,
struct ucred *file_cred, struct vnode *vp,
struct label *vplabel);
typedef void (*mpo_associate_nfsd_label_t)(struct ucred *cred);
@@ -631,151 +631,151 @@ struct mac_policy_ops {
* initialized storage, and externalize/internalize from/to
* initialized storage.
*/
- mpo_init_bpfdesc_label_t mpo_init_bpfdesc_label;
- mpo_init_cred_label_t mpo_init_cred_label;
- mpo_init_devfs_label_t mpo_init_devfs_label;
+ mpo_bpfdesc_init_label_t mpo_bpfdesc_init_label;
+ mpo_cred_init_label_t mpo_cred_init_label;
+ mpo_devfs_init_label_t mpo_devfs_init_label;
mpo_placeholder_t _mpo_placeholder0;
- mpo_init_ifnet_label_t mpo_init_ifnet_label;
- mpo_init_inpcb_label_t mpo_init_inpcb_label;
- mpo_init_sysv_msgmsg_label_t mpo_init_sysv_msgmsg_label;
- mpo_init_sysv_msgqueue_label_t mpo_init_sysv_msgqueue_label;
- mpo_init_sysv_sem_label_t mpo_init_sysv_sem_label;
- mpo_init_sysv_shm_label_t mpo_init_sysv_shm_label;
- mpo_init_ipq_label_t mpo_init_ipq_label;
- mpo_init_mbuf_label_t mpo_init_mbuf_label;
- mpo_init_mount_label_t mpo_init_mount_label;
- mpo_init_socket_label_t mpo_init_socket_label;
- mpo_init_socket_peer_label_t mpo_init_socket_peer_label;
- mpo_init_pipe_label_t mpo_init_pipe_label;
- mpo_init_posix_sem_label_t mpo_init_posix_sem_label;
- mpo_init_proc_label_t mpo_init_proc_label;
- mpo_init_vnode_label_t mpo_init_vnode_label;
- mpo_destroy_bpfdesc_label_t mpo_destroy_bpfdesc_label;
- mpo_destroy_cred_label_t mpo_destroy_cred_label;
- mpo_destroy_devfs_label_t mpo_destroy_devfs_label;
+ mpo_ifnet_init_label_t mpo_ifnet_init_label;
+ mpo_inpcb_init_label_t mpo_inpcb_init_label;
+ mpo_sysvmsg_init_label_t mpo_sysvmsg_init_label;
+ mpo_sysvmsq_init_label_t mpo_sysvmsq_init_label;
+ mpo_sysvsem_init_label_t mpo_sysvsem_init_label;
+ mpo_sysvshm_init_label_t mpo_sysvshm_init_label;
+ mpo_ipq_init_label_t mpo_ipq_init_label;
+ mpo_mbuf_init_label_t mpo_mbuf_init_label;
+ mpo_mount_init_label_t mpo_mount_init_label;
+ mpo_socket_init_label_t mpo_socket_init_label;
+ mpo_socketpeer_init_label_t mpo_socketpeer_init_label;
+ mpo_pipe_init_label_t mpo_pipe_init_label;
+ mpo_posixsem_init_label_t mpo_posixsem_init_label;
+ mpo_proc_init_label_t mpo_proc_init_label;
+ mpo_vnode_init_label_t mpo_vnode_init_label;
+ mpo_bpfdesc_destroy_label_t mpo_bpfdesc_destroy_label;
+ mpo_cred_destroy_label_t mpo_cred_destroy_label;
+ mpo_devfs_destroy_label_t mpo_devfs_destroy_label;
mpo_placeholder_t _mpo_placeholder1;
- mpo_destroy_ifnet_label_t mpo_destroy_ifnet_label;
- mpo_destroy_inpcb_label_t mpo_destroy_inpcb_label;
- mpo_destroy_sysv_msgmsg_label_t mpo_destroy_sysv_msgmsg_label;
- mpo_destroy_sysv_msgqueue_label_t mpo_destroy_sysv_msgqueue_label;
- mpo_destroy_sysv_sem_label_t mpo_destroy_sysv_sem_label;
- mpo_destroy_sysv_shm_label_t mpo_destroy_sysv_shm_label;
- mpo_destroy_ipq_label_t mpo_destroy_ipq_label;
- mpo_destroy_mbuf_label_t mpo_destroy_mbuf_label;
- mpo_destroy_mount_label_t mpo_destroy_mount_label;
- mpo_destroy_socket_label_t mpo_destroy_socket_label;
- mpo_destroy_socket_peer_label_t mpo_destroy_socket_peer_label;
- mpo_destroy_pipe_label_t mpo_destroy_pipe_label;
- mpo_destroy_posix_sem_label_t mpo_destroy_posix_sem_label;
- mpo_destroy_proc_label_t mpo_destroy_proc_label;
- mpo_destroy_vnode_label_t mpo_destroy_vnode_label;
- mpo_cleanup_sysv_msgmsg_t mpo_cleanup_sysv_msgmsg;
- mpo_cleanup_sysv_msgqueue_t mpo_cleanup_sysv_msgqueue;
- mpo_cleanup_sysv_sem_t mpo_cleanup_sysv_sem;
- mpo_cleanup_sysv_shm_t mpo_cleanup_sysv_shm;
- mpo_copy_cred_label_t mpo_copy_cred_label;
- mpo_copy_ifnet_label_t mpo_copy_ifnet_label;
- mpo_copy_mbuf_label_t mpo_copy_mbuf_label;
+ mpo_ifnet_destroy_label_t mpo_ifnet_destroy_label;
+ mpo_inpcb_destroy_label_t mpo_inpcb_destroy_label;
+ mpo_sysvmsg_destroy_label_t mpo_sysvmsg_destroy_label;
+ mpo_sysvmsq_destroy_label_t mpo_sysvmsq_destroy_label;
+ mpo_sysvsem_destroy_label_t mpo_sysvsem_destroy_label;
+ mpo_sysvshm_destroy_label_t mpo_sysvshm_destroy_label;
+ mpo_ipq_destroy_label_t mpo_ipq_destroy_label;
+ mpo_mbuf_destroy_label_t mpo_mbuf_destroy_label;
+ mpo_mount_destroy_label_t mpo_mount_destroy_label;
+ mpo_socket_destroy_label_t mpo_socket_destroy_label;
+ mpo_socketpeer_destroy_label_t mpo_socketpeer_destroy_label;
+ mpo_pipe_destroy_label_t mpo_pipe_destroy_label;
+ mpo_posixsem_destroy_label_t mpo_posixsem_destroy_label;
+ mpo_proc_destroy_label_t mpo_proc_destroy_label;
+ mpo_vnode_destroy_label_t mpo_vnode_destroy_label;
+ mpo_sysvmsg_cleanup_t mpo_sysvmsg_cleanup;
+ mpo_sysvmsq_cleanup_t mpo_sysvmsq_cleanup;
+ mpo_sysvsem_cleanup_t mpo_sysvsem_cleanup;
+ mpo_sysvshm_cleanup_t mpo_sysvshm_cleanup;
+ mpo_cred_copy_label_t mpo_cred_copy_label;
+ mpo_ifnet_copy_label_t mpo_ifnet_copy_label;
+ mpo_mbuf_copy_label_t mpo_mbuf_copy_label;
mpo_placeholder_t _mpo_placeholder2;
- mpo_copy_pipe_label_t mpo_copy_pipe_label;
- mpo_copy_socket_label_t mpo_copy_socket_label;
- mpo_copy_vnode_label_t mpo_copy_vnode_label;
- mpo_externalize_cred_label_t mpo_externalize_cred_label;
- mpo_externalize_ifnet_label_t mpo_externalize_ifnet_label;
+ mpo_pipe_copy_label_t mpo_pipe_copy_label;
+ mpo_socket_copy_label_t mpo_socket_copy_label;
+ mpo_vnode_copy_label_t mpo_vnode_copy_label;
+ mpo_cred_externalize_label_t mpo_cred_externalize_label;
+ mpo_ifnet_externalize_label_t mpo_ifnet_externalize_label;
mpo_placeholder_t _mpo_placeholder3;
- mpo_externalize_pipe_label_t mpo_externalize_pipe_label;
- mpo_externalize_socket_label_t mpo_externalize_socket_label;
- mpo_externalize_socket_peer_label_t mpo_externalize_socket_peer_label;
- mpo_externalize_vnode_label_t mpo_externalize_vnode_label;
- mpo_internalize_cred_label_t mpo_internalize_cred_label;
- mpo_internalize_ifnet_label_t mpo_internalize_ifnet_label;
+ mpo_pipe_externalize_label_t mpo_pipe_externalize_label;
+ mpo_socket_externalize_label_t mpo_socket_externalize_label;
+ mpo_socketpeer_externalize_label_t mpo_socketpeer_externalize_label;
+ mpo_vnode_externalize_label_t mpo_vnode_externalize_label;
+ mpo_cred_internalize_label_t mpo_cred_internalize_label;
+ mpo_ifnet_internalize_label_t mpo_ifnet_internalize_label;
mpo_placeholder_t _mpo_placeholder4;
- mpo_internalize_pipe_label_t mpo_internalize_pipe_label;
- mpo_internalize_socket_label_t mpo_internalize_socket_label;
- mpo_internalize_vnode_label_t mpo_internalize_vnode_label;
+ mpo_pipe_internalize_label_t mpo_pipe_internalize_label;
+ mpo_socket_internalize_label_t mpo_socket_internalize_label;
+ mpo_vnode_internalize_label_t mpo_vnode_internalize_label;
/*
* Labeling event operations: file system objects, and things that
* look a lot like file system objects.
*/
- mpo_associate_vnode_devfs_t mpo_associate_vnode_devfs;
- mpo_associate_vnode_extattr_t mpo_associate_vnode_extattr;
- mpo_associate_vnode_singlelabel_t mpo_associate_vnode_singlelabel;
- mpo_create_devfs_device_t mpo_create_devfs_device;
- mpo_create_devfs_directory_t mpo_create_devfs_directory;
- mpo_create_devfs_symlink_t mpo_create_devfs_symlink;
+ mpo_devfs_vnode_associate_t mpo_devfs_vnode_associate;
+ mpo_vnode_associate_extattr_t mpo_vnode_associate_extattr;
+ mpo_vnode_associate_singlelabel_t mpo_vnode_associate_singlelabel;
+ mpo_devfs_create_device_t mpo_devfs_create_device;
+ mpo_devfs_create_directory_t mpo_devfs_create_directory;
+ mpo_devfs_create_symlink_t mpo_devfs_create_symlink;
mpo_placeholder_t _mpo_placeholder5;
- mpo_create_vnode_extattr_t mpo_create_vnode_extattr;
- mpo_create_mount_t mpo_create_mount;
- mpo_relabel_vnode_t mpo_relabel_vnode;
- mpo_setlabel_vnode_extattr_t mpo_setlabel_vnode_extattr;
- mpo_update_devfs_t mpo_update_devfs;
+ mpo_vnode_create_extattr_t mpo_vnode_create_extattr;
+ mpo_mount_create_t mpo_mount_create;
+ mpo_vnode_relabel_t mpo_vnode_relabel;
+ mpo_vnode_setlabel_extattr_t mpo_vnode_setlabel_extattr;
+ mpo_devfs_update_t mpo_devfs_update;
/*
* Labeling event operations: IPC objects.
*/
- mpo_create_mbuf_from_socket_t mpo_create_mbuf_from_socket;
- mpo_create_socket_t mpo_create_socket;
- mpo_create_socket_from_socket_t mpo_create_socket_from_socket;
- mpo_relabel_socket_t mpo_relabel_socket;
- mpo_relabel_pipe_t mpo_relabel_pipe;
- mpo_set_socket_peer_from_mbuf_t mpo_set_socket_peer_from_mbuf;
- mpo_set_socket_peer_from_socket_t mpo_set_socket_peer_from_socket;
- mpo_create_pipe_t mpo_create_pipe;
+ mpo_socket_create_mbuf_t mpo_socket_create_mbuf;
+ mpo_socket_create_t mpo_socket_create;
+ mpo_socket_newconn_t mpo_socket_newconn;
+ mpo_socket_relabel_t mpo_socket_relabel;
+ mpo_pipe_relabel_t mpo_pipe_relabel;
+ mpo_socketpeer_set_from_mbuf_t mpo_socketpeer_set_from_mbuf;
+ mpo_socketpeer_set_from_socket_t mpo_socketpeer_set_from_socket;
+ mpo_pipe_create_t mpo_pipe_create;
/*
* Labeling event operations: System V IPC primitives.
*/
- mpo_create_sysv_msgmsg_t mpo_create_sysv_msgmsg;
- mpo_create_sysv_msgqueue_t mpo_create_sysv_msgqueue;
- mpo_create_sysv_sem_t mpo_create_sysv_sem;
- mpo_create_sysv_shm_t mpo_create_sysv_shm;
+ mpo_sysvmsg_create_t mpo_sysvmsg_create;
+ mpo_sysvmsq_create_t mpo_sysvmsq_create;
+ mpo_sysvsem_create_t mpo_sysvsem_create;
+ mpo_sysvshm_create_t mpo_sysvshm_create;
/*
* Labeling event operations: POSIX (global/inter-process) semaphores.
*/
- mpo_create_posix_sem_t mpo_create_posix_sem;
+ mpo_posixsem_create_t mpo_posixsem_create;
/*
* Labeling event operations: network objects.
*/
- mpo_create_bpfdesc_t mpo_create_bpfdesc;
- mpo_create_ifnet_t mpo_create_ifnet;
- mpo_create_inpcb_from_socket_t mpo_create_inpcb_from_socket;
- mpo_create_ipq_t mpo_create_ipq;
- mpo_create_datagram_from_ipq mpo_create_datagram_from_ipq;
- mpo_create_fragment_t mpo_create_fragment;
- mpo_create_mbuf_from_inpcb_t mpo_create_mbuf_from_inpcb;
+ mpo_bpfdesc_create_t mpo_bpfdesc_create;
+ mpo_ifnet_create_t mpo_ifnet_create;
+ mpo_inpcb_create_t mpo_inpcb_create;
+ mpo_ipq_create_t mpo_ipq_create;
+ mpo_ipq_reassemble mpo_ipq_reassemble;
+ mpo_netinet_fragment_t mpo_netinet_fragment;
+ mpo_inpcb_create_mbuf_t mpo_inpcb_create_mbuf;
mpo_create_mbuf_linklayer_t mpo_create_mbuf_linklayer;
- mpo_create_mbuf_from_bpfdesc_t mpo_create_mbuf_from_bpfdesc;
- mpo_create_mbuf_from_ifnet_t mpo_create_mbuf_from_ifnet;
- mpo_create_mbuf_multicast_encap_t mpo_create_mbuf_multicast_encap;
- mpo_create_mbuf_netlayer_t mpo_create_mbuf_netlayer;
- mpo_fragment_match_t mpo_fragment_match;
- mpo_reflect_mbuf_icmp_t mpo_reflect_mbuf_icmp;
- mpo_reflect_mbuf_tcp_t mpo_reflect_mbuf_tcp;
- mpo_relabel_ifnet_t mpo_relabel_ifnet;
- mpo_update_ipq_t mpo_update_ipq;
+ mpo_bpfdesc_create_mbuf_t mpo_bpfdesc_create_mbuf;
+ mpo_ifnet_create_mbuf_t mpo_ifnet_create_mbuf;
+ mpo_mbuf_create_multicast_encap_t mpo_mbuf_create_multicast_encap;
+ mpo_mbuf_create_netlayer_t mpo_mbuf_create_netlayer;
+ mpo_ipq_match_t mpo_ipq_match;
+ mpo_netinet_icmp_reply_t mpo_netinet_icmp_reply;
+ mpo_netinet_tcp_reply_t mpo_netinet_tcp_reply;
+ mpo_ifnet_relabel_t mpo_ifnet_relabel;
+ mpo_ipq_update_t mpo_ipq_update;
mpo_inpcb_sosetlabel_t mpo_inpcb_sosetlabel;
/*
* Labeling event operations: processes.
*/
- mpo_execve_transition_t mpo_execve_transition;
- mpo_execve_will_transition_t mpo_execve_will_transition;
- mpo_create_proc0_t mpo_create_proc0;
- mpo_create_proc1_t mpo_create_proc1;
- mpo_relabel_cred_t mpo_relabel_cred;
+ mpo_vnode_execve_transition_t mpo_vnode_execve_transition;
+ mpo_vnode_execve_will_transition_t mpo_vnode_execve_will_transition;
+ mpo_proc_create_swapper_t mpo_proc_create_swapper;
+ mpo_proc_create_init_t mpo_proc_create_init;
+ mpo_cred_relabel_t mpo_cred_relabel;
mpo_placeholder_t _mpo_placeholder6;
mpo_thread_userret_t mpo_thread_userret;
/*
* Access control checks.
*/
- mpo_check_bpfdesc_receive_t mpo_check_bpfdesc_receive;
+ mpo_bpfdesc_check_receive_t mpo_bpfdesc_check_receive;
mpo_placeholder_t _mpo_placeholder7;
- mpo_check_cred_relabel_t mpo_check_cred_relabel;
- mpo_check_cred_visible_t mpo_check_cred_visible;
+ mpo_cred_check_relabel_t mpo_cred_check_relabel;
+ mpo_cred_check_visible_t mpo_cred_check_visible;
mpo_placeholder_t _mpo_placeholder8;
mpo_placeholder_t _mpo_placeholder9;
mpo_placeholder_t _mpo_placeholder10;
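Review bot: Two slots in the "network objects" group of `struct mac_policy_ops` do not follow the object-first naming that the rest of this hunk adopts. `mpo_create_mbuf_linklayer_t mpo_create_mbuf_linklayer;` stays as a context line while its neighbours become `mpo_mbuf_create_netlayer` and `mpo_mbuf_create_multicast_encap`. If that is deliberate, a one-line comment would help policy authors; otherwise it presumably should read `mpo_mbuf_create_linklayer_t mpo_mbuf_create_linklayer;`. The renamed `mpo_ipq_reassemble mpo_ipq_reassemble;` carries over the missing `_t` suffix from the old `mpo_create_datagram_from_ipq`, so type and member share one identifier. `mpo_ipq_reassemble_t mpo_ipq_reassemble;` would match every other entry, with the typedef, which is outside this hunk, renamed to match. The struct body starts before this hunk and continues after it.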
@@ -787,119 +787,119 @@ struct mac_policy_ops {
mpo_placeholder_t _mpo_placeholder16;
mpo_placeholder_t _mpo_placeholder17;
mpo_placeholder_t _mpo_placeholder18;
- mpo_check_ifnet_relabel_t mpo_check_ifnet_relabel;
- mpo_check_ifnet_transmit_t mpo_check_ifnet_transmit;
- mpo_check_inpcb_deliver_t mpo_check_inpcb_deliver;
- mpo_check_sysv_msgmsq_t mpo_check_sysv_msgmsq;
- mpo_check_sysv_msgrcv_t mpo_check_sysv_msgrcv;
- mpo_check_sysv_msgrmid_t mpo_check_sysv_msgrmid;
- mpo_check_sysv_msqget_t mpo_check_sysv_msqget;
- mpo_check_sysv_msqsnd_t mpo_check_sysv_msqsnd;
- mpo_check_sysv_msqrcv_t mpo_check_sysv_msqrcv;
- mpo_check_sysv_msqctl_t mpo_check_sysv_msqctl;
- mpo_check_sysv_semctl_t mpo_check_sysv_semctl;
- mpo_check_sysv_semget_t mpo_check_sysv_semget;
- mpo_check_sysv_semop_t mpo_check_sysv_semop;
- mpo_check_sysv_shmat_t mpo_check_sysv_shmat;
- mpo_check_sysv_shmctl_t mpo_check_sysv_shmctl;
- mpo_check_sysv_shmdt_t mpo_check_sysv_shmdt;
- mpo_check_sysv_shmget_t mpo_check_sysv_shmget;
- mpo_check_kenv_dump_t mpo_check_kenv_dump;
- mpo_check_kenv_get_t mpo_check_kenv_get;
- mpo_check_kenv_set_t mpo_check_kenv_set;
- mpo_check_kenv_unset_t mpo_check_kenv_unset;
- mpo_check_kld_load_t mpo_check_kld_load;
- mpo_check_kld_stat_t mpo_check_kld_stat;
+ mpo_ifnet_check_relabel_t mpo_ifnet_check_relabel;
+ mpo_ifnet_check_transmit_t mpo_ifnet_check_transmit;
+ mpo_inpcb_check_deliver_t mpo_inpcb_check_deliver;
+ mpo_sysvmsq_check_msgmsq_t mpo_sysvmsq_check_msgmsq;
+ mpo_sysvmsq_check_msgrcv_t mpo_sysvmsq_check_msgrcv;
+ mpo_sysvmsq_check_msgrmid_t mpo_sysvmsq_check_msgrmid;
+ mpo_sysvmsq_check_msqget_t mpo_sysvmsq_check_msqget;
+ mpo_sysvmsq_check_msqsnd_t mpo_sysvmsq_check_msqsnd;
+ mpo_sysvmsq_check_msqrcv_t mpo_sysvmsq_check_msqrcv;
+ mpo_sysvmsq_check_msqctl_t mpo_sysvmsq_check_msqctl;
+ mpo_sysvsem_check_semctl_t mpo_sysvsem_check_semctl;
+ mpo_sysvsem_check_semget_t mpo_sysvsem_check_semget;
+ mpo_sysvsem_check_semop_t mpo_sysvsem_check_semop;
+ mpo_sysvshm_check_shmat_t mpo_sysvshm_check_shmat;
+ mpo_sysvshm_check_shmctl_t mpo_sysvshm_check_shmctl;
+ mpo_sysvshm_check_shmdt_t mpo_sysvshm_check_shmdt;
+ mpo_sysvshm_check_shmget_t mpo_sysvshm_check_shmget;
+ mpo_kenv_check_dump_t mpo_kenv_check_dump;
+ mpo_kenv_check_get_t mpo_kenv_check_get;
+ mpo_kenv_check_set_t mpo_kenv_check_set;
+ mpo_kenv_check_unset_t mpo_kenv_check_unset;
+ mpo_kld_check_load_t mpo_kld_check_load;
+ mpo_kld_check_stat_t mpo_kld_check_stat;
mpo_placeholder_t _mpo_placeholder19;
mpo_placeholder_t _mpo_placeholder20;
- mpo_check_mount_stat_t mpo_check_mount_stat;
+ mpo_mount_check_stat_t mpo_mount_check_stat;
mpo_placeholder_t _mpo_placeholder_21;
- mpo_check_pipe_ioctl_t mpo_check_pipe_ioctl;
- mpo_check_pipe_poll_t mpo_check_pipe_poll;
- mpo_check_pipe_read_t mpo_check_pipe_read;
- mpo_check_pipe_relabel_t mpo_check_pipe_relabel;
- mpo_check_pipe_stat_t mpo_check_pipe_stat;
- mpo_check_pipe_write_t mpo_check_pipe_write;
- mpo_check_posix_sem_destroy_t mpo_check_posix_sem_destroy;
- mpo_check_posix_sem_getvalue_t mpo_check_posix_sem_getvalue;
- mpo_check_posix_sem_open_t mpo_check_posix_sem_open;
- mpo_check_posix_sem_post_t mpo_check_posix_sem_post;
- mpo_check_posix_sem_unlink_t mpo_check_posix_sem_unlink;
- mpo_check_posix_sem_wait_t mpo_check_posix_sem_wait;
- mpo_check_proc_debug_t mpo_check_proc_debug;
- mpo_check_proc_sched_t mpo_check_proc_sched;
- mpo_check_proc_setaudit_t mpo_check_proc_setaudit;
- mpo_check_proc_setaudit_addr_t mpo_check_proc_setaudit_addr;
- mpo_check_proc_setauid_t mpo_check_proc_setauid;
- mpo_check_proc_setuid_t mpo_check_proc_setuid;
- mpo_check_proc_seteuid_t mpo_check_proc_seteuid;
- mpo_check_proc_setgid_t mpo_check_proc_setgid;
- mpo_check_proc_setegid_t mpo_check_proc_setegid;
- mpo_check_proc_setgroups_t mpo_check_proc_setgroups;
- mpo_check_proc_setreuid_t mpo_check_proc_setreuid;
- mpo_check_proc_setregid_t mpo_check_proc_setregid;
- mpo_check_proc_setresuid_t mpo_check_proc_setresuid;
- mpo_check_proc_setresgid_t mpo_check_proc_setresgid;
- mpo_check_proc_signal_t mpo_check_proc_signal;
- mpo_check_proc_wait_t mpo_check_proc_wait;
- mpo_check_socket_accept_t mpo_check_socket_accept;
- mpo_check_socket_bind_t mpo_check_socket_bind;
- mpo_check_socket_connect_t mpo_check_socket_connect;
- mpo_check_socket_create_t mpo_check_socket_create;
- mpo_check_socket_deliver_t mpo_check_socket_deliver;
+ mpo_pipe_check_ioctl_t mpo_pipe_check_ioctl;
+ mpo_pipe_check_poll_t mpo_pipe_check_poll;
+ mpo_pipe_check_read_t mpo_pipe_check_read;
+ mpo_pipe_check_relabel_t mpo_pipe_check_relabel;
+ mpo_pipe_check_stat_t mpo_pipe_check_stat;
+ mpo_pipe_check_write_t mpo_pipe_check_write;
+ mpo_posixsem_check_destroy_t mpo_posixsem_check_destroy;
+ mpo_posixsem_check_getvalue_t mpo_posixsem_check_getvalue;
+ mpo_posixsem_check_open_t mpo_posixsem_check_open;
+ mpo_posixsem_check_post_t mpo_posixsem_check_post;
+ mpo_posixsem_check_unlink_t mpo_posixsem_check_unlink;
+ mpo_posixsem_check_wait_t mpo_posixsem_check_wait;
+ mpo_proc_check_debug_t mpo_proc_check_debug;
+ mpo_proc_check_sched_t mpo_proc_check_sched;
+ mpo_proc_check_setaudit_t mpo_proc_check_setaudit;
+ mpo_proc_check_setaudit_addr_t mpo_proc_check_setaudit_addr;
+ mpo_proc_check_setauid_t mpo_proc_check_setauid;
+ mpo_proc_check_setuid_t mpo_proc_check_setuid;
+ mpo_proc_check_seteuid_t mpo_proc_check_seteuid;
+ mpo_proc_check_setgid_t mpo_proc_check_setgid;
+ mpo_proc_check_setegid_t mpo_proc_check_setegid;
+ mpo_proc_check_setgroups_t mpo_proc_check_setgroups;
+ mpo_proc_check_setreuid_t mpo_proc_check_setreuid;
+ mpo_proc_check_setregid_t mpo_proc_check_setregid;
+ mpo_proc_check_setresuid_t mpo_proc_check_setresuid;
+ mpo_proc_check_setresgid_t mpo_proc_check_setresgid;
+ mpo_proc_check_signal_t mpo_proc_check_signal;
+ mpo_proc_check_wait_t mpo_proc_check_wait;
+ mpo_socket_check_accept_t mpo_socket_check_accept;
+ mpo_socket_check_bind_t mpo_socket_check_bind;
+ mpo_socket_check_connect_t mpo_socket_check_connect;
+ mpo_socket_check_create_t mpo_socket_check_create;
+ mpo_socket_check_deliver_t mpo_socket_check_deliver;
mpo_placeholder_t _mpo_placeholder22;
- mpo_check_socket_listen_t mpo_check_socket_listen;
- mpo_check_socket_poll_t mpo_check_socket_poll;
- mpo_check_socket_receive_t mpo_check_socket_receive;
- mpo_check_socket_relabel_t mpo_check_socket_relabel;
- mpo_check_socket_send_t mpo_check_socket_send;
- mpo_check_socket_stat_t mpo_check_socket_stat;
- mpo_check_socket_visible_t mpo_check_socket_visible;
- mpo_check_system_acct_t mpo_check_system_acct;
- mpo_check_system_audit_t mpo_check_system_audit;
- mpo_check_system_auditctl_t mpo_check_system_auditctl;
- mpo_check_system_auditon_t mpo_check_system_auditon;
- mpo_check_system_reboot_t mpo_check_system_reboot;
- mpo_check_system_swapon_t mpo_check_system_swapon;
- mpo_check_system_swapoff_t mpo_check_system_swapoff;
- mpo_check_system_sysctl_t mpo_check_system_sysctl;
+ mpo_socket_check_listen_t mpo_socket_check_listen;
+ mpo_socket_check_poll_t mpo_socket_check_poll;
+ mpo_socket_check_receive_t mpo_socket_check_receive;
+ mpo_socket_check_relabel_t mpo_socket_check_relabel;
+ mpo_socket_check_send_t mpo_socket_check_send;
+ mpo_socket_check_stat_t mpo_socket_check_stat;
+ mpo_socket_check_visible_t mpo_socket_check_visible;
+ mpo_system_check_acct_t mpo_system_check_acct;
+ mpo_system_check_audit_t mpo_system_check_audit;
+ mpo_system_check_auditctl_t mpo_system_check_auditctl;
+ mpo_system_check_auditon_t mpo_system_check_auditon;
+ mpo_system_check_reboot_t mpo_system_check_reboot;
+ mpo_system_check_swapon_t mpo_system_check_swapon;
+ mpo_system_check_swapoff_t mpo_system_check_swapoff;
+ mpo_system_check_sysctl_t mpo_system_check_sysctl;
mpo_placeholder_t _mpo_placeholder23;
- mpo_check_vnode_access_t mpo_check_vnode_access;
- mpo_check_vnode_chdir_t mpo_check_vnode_chdir;
- mpo_check_vnode_chroot_t mpo_check_vnode_chroot;
- mpo_check_vnode_create_t mpo_check_vnode_create;
- mpo_check_vnode_deleteacl_t mpo_check_vnode_deleteacl;
- mpo_check_vnode_deleteextattr_t mpo_check_vnode_deleteextattr;
- mpo_check_vnode_exec_t mpo_check_vnode_exec;
- mpo_check_vnode_getacl_t mpo_check_vnode_getacl;
- mpo_check_vnode_getextattr_t mpo_check_vnode_getextattr;
+ mpo_vnode_check_access_t mpo_vnode_check_access;
+ mpo_vnode_check_chdir_t mpo_vnode_check_chdir;
+ mpo_vnode_check_chroot_t mpo_vnode_check_chroot;
+ mpo_vnode_check_create_t mpo_vnode_check_create;
+ mpo_vnode_check_deleteacl_t mpo_vnode_check_deleteacl;
+ mpo_vnode_check_deleteextattr_t mpo_vnode_check_deleteextattr;
+ mpo_vnode_check_exec_t mpo_vnode_check_exec;
+ mpo_vnode_check_getacl_t mpo_vnode_check_getacl;
+ mpo_vnode_check_getextattr_t mpo_vnode_check_getextattr;
mpo_placeholder_t _mpo_placeholder24;
- mpo_check_vnode_link_t mpo_check_vnode_link;
- mpo_check_vnode_listextattr_t mpo_check_vnode_listextattr;
- mpo_check_vnode_lookup_t mpo_check_vnode_lookup;
- mpo_check_vnode_mmap_t mpo_check_vnode_mmap;
- mpo_check_vnode_mmap_downgrade_t mpo_check_vnode_mmap_downgrade;
- mpo_check_vnode_mprotect_t mpo_check_vnode_mprotect;
- mpo_check_vnode_open_t mpo_check_vnode_open;
- mpo_check_vnode_poll_t mpo_check_vnode_poll;
- mpo_check_vnode_read_t mpo_check_vnode_read;
- mpo_check_vnode_readdir_t mpo_check_vnode_readdir;
- mpo_check_vnode_readlink_t mpo_check_vnode_readlink;
- mpo_check_vnode_relabel_t mpo_check_vnode_relabel;
- mpo_check_vnode_rename_from_t mpo_check_vnode_rename_from;
- mpo_check_vnode_rename_to_t mpo_check_vnode_rename_to;
- mpo_check_vnode_revoke_t mpo_check_vnode_revoke;
- mpo_check_vnode_setacl_t mpo_check_vnode_setacl;
- mpo_check_vnode_setextattr_t mpo_check_vnode_setextattr;
- mpo_check_vnode_setflags_t mpo_check_vnode_setflags;
- mpo_check_vnode_setmode_t mpo_check_vnode_setmode;
- mpo_check_vnode_setowner_t mpo_check_vnode_setowner;
- mpo_check_vnode_setutimes_t mpo_check_vnode_setutimes;
- mpo_check_vnode_stat_t mpo_check_vnode_stat;
- mpo_check_vnode_unlink_t mpo_check_vnode_unlink;
- mpo_check_vnode_write_t mpo_check_vnode_write;
+ mpo_vnode_check_link_t mpo_vnode_check_link;
+ mpo_vnode_check_listextattr_t mpo_vnode_check_listextattr;
+ mpo_vnode_check_lookup_t mpo_vnode_check_lookup;
+ mpo_vnode_check_mmap_t mpo_vnode_check_mmap;
+ mpo_vnode_check_mmap_downgrade_t mpo_vnode_check_mmap_downgrade;
+ mpo_vnode_check_mprotect_t mpo_vnode_check_mprotect;
+ mpo_vnode_check_open_t mpo_vnode_check_open;
+ mpo_vnode_check_poll_t mpo_vnode_check_poll;
+ mpo_vnode_check_read_t mpo_vnode_check_read;
+ mpo_vnode_check_readdir_t mpo_vnode_check_readdir;
+ mpo_vnode_check_readlink_t mpo_vnode_check_readlink;
+ mpo_vnode_check_relabel_t mpo_vnode_check_relabel;
+ mpo_vnode_check_rename_from_t mpo_vnode_check_rename_from;
+ mpo_vnode_check_rename_to_t mpo_vnode_check_rename_to;
+ mpo_vnode_check_revoke_t mpo_vnode_check_revoke;
+ mpo_vnode_check_setacl_t mpo_vnode_check_setacl;
+ mpo_vnode_check_setextattr_t mpo_vnode_check_setextattr;
+ mpo_vnode_check_setflags_t mpo_vnode_check_setflags;
+ mpo_vnode_check_setmode_t mpo_vnode_check_setmode;
+ mpo_vnode_check_setowner_t mpo_vnode_check_setowner;
+ mpo_vnode_check_setutimes_t mpo_vnode_check_setutimes;
+ mpo_vnode_check_stat_t mpo_vnode_check_stat;
+ mpo_vnode_check_unlink_t mpo_vnode_check_unlink;
+ mpo_vnode_check_write_t mpo_vnode_check_write;
mpo_associate_nfsd_label_t mpo_associate_nfsd_label;
- mpo_create_mbuf_from_firewall_t mpo_create_mbuf_from_firewall;
+ mpo_mbuf_create_from_firewall_t mpo_mbuf_create_from_firewall;
mpo_init_syncache_label_t mpo_init_syncache_label;
mpo_destroy_syncache_label_t mpo_destroy_syncache_label;
mpo_init_syncache_from_inpcb_t mpo_init_syncache_from_inpcb;
diff --git a/sys/security/mac/mac_posix_sem.c b/sys/security/mac/mac_posix_sem.c
index 103eab2..2ea3c72 100644
--- a/sys/security/mac/mac_posix_sem.c
+++ b/sys/security/mac/mac_posix_sem.c
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 2003-2005 SPARTA, Inc.
+ * Copyright (c) 2003-2006 SPARTA, Inc.
* All rights reserved.
*
* This software was developed for the FreeBSD Project in part by Network
@@ -7,6 +7,9 @@
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
* as part of the DARPA CHATS research program.
*
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract
+ * N66001-04-C-6019 ("SEFOS").
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -48,100 +51,100 @@ __FBSDID("$FreeBSD$");
#include <security/mac/mac_policy.h>
static struct label *
-mac_posix_sem_label_alloc(void)
+mac_posixsem_label_alloc(void)
{
struct label *label;
label = mac_labelzone_alloc(M_WAITOK);
- MAC_PERFORM(init_posix_sem_label, label);
+ MAC_PERFORM(posixsem_init_label, label);
return (label);
}
void
-mac_init_posix_sem(struct ksem *ks)
+mac_posixsem_init(struct ksem *ks)
{
- ks->ks_label = mac_posix_sem_label_alloc();
+ ks->ks_label = mac_posixsem_label_alloc();
}
static void
-mac_posix_sem_label_free(struct label *label)
+mac_posixsem_label_free(struct label *label)
{
- MAC_PERFORM(destroy_posix_sem_label, label);
+ MAC_PERFORM(posixsem_destroy_label, label);
}
void
-mac_destroy_posix_sem(struct ksem *ks)
+mac_posixsem_destroy(struct ksem *ks)
{
- mac_posix_sem_label_free(ks->ks_label);
+ mac_posixsem_label_free(ks->ks_label);
ks->ks_label = NULL;
}
void
-mac_create_posix_sem(struct ucred *cred, struct ksem *ks)
+mac_posixsem_create(struct ucred *cred, struct ksem *ks)
{
- MAC_PERFORM(create_posix_sem, cred, ks, ks->ks_label);
+ MAC_PERFORM(posixsem_create, cred, ks, ks->ks_label);
}
int
-mac_check_posix_sem_destroy(struct ucred *cred, struct ksem *ks)
+mac_posixsem_check_destroy(struct ucred *cred, struct ksem *ks)
{
int error;
- MAC_CHECK(check_posix_sem_destroy, cred, ks, ks->ks_label);
+ MAC_CHECK(posixsem_check_destroy, cred, ks, ks->ks_label);
return (error);
}
int
-mac_check_posix_sem_open(struct ucred *cred, struct ksem *ks)
+mac_posixsem_check_open(struct ucred *cred, struct ksem *ks)
{
int error;
- MAC_CHECK(check_posix_sem_open, cred, ks, ks->ks_label);
+ MAC_CHECK(posixsem_check_open, cred, ks, ks->ks_label);
return (error);
}
int
-mac_check_posix_sem_getvalue(struct ucred *cred, struct ksem *ks)
+mac_posixsem_check_getvalue(struct ucred *cred, struct ksem *ks)
{
int error;
- MAC_CHECK(check_posix_sem_getvalue, cred, ks, ks->ks_label);
+ MAC_CHECK(posixsem_check_getvalue, cred, ks, ks->ks_label);
return (error);
}
int
-mac_check_posix_sem_post(struct ucred *cred, struct ksem *ks)
+mac_posixsem_check_post(struct ucred *cred, struct ksem *ks)
{
int error;
- MAC_CHECK(check_posix_sem_post, cred, ks, ks->ks_label);
+ MAC_CHECK(posixsem_check_post, cred, ks, ks->ks_label);
return (error);
}
int
-mac_check_posix_sem_unlink(struct ucred *cred, struct ksem *ks)
+mac_posixsem_check_unlink(struct ucred *cred, struct ksem *ks)
{
int error;
- MAC_CHECK(check_posix_sem_unlink, cred, ks, ks->ks_label);
+ MAC_CHECK(posixsem_check_unlink, cred, ks, ks->ks_label);
return (error);
}
int
-mac_check_posix_sem_wait(struct ucred *cred, struct ksem *ks)
+mac_posixsem_check_wait(struct ucred *cred, struct ksem *ks)
{
int error;
- MAC_CHECK(check_posix_sem_wait, cred, ks, ks->ks_label);
+ MAC_CHECK(posixsem_check_wait, cred, ks, ks->ks_label);
return (error);
}
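Review bot: `mac_posixsem_label_free()` runs the `posixsem_destroy_label` hook but never returns the label to the zone, although `mac_posixsem_label_alloc()` in this same hunk obtains it with `mac_labelzone_alloc(M_WAITOK)`. The cred, proc and socket free helpers elsewhere in this patch all follow the destroy hook with `mac_labelzone_free(label);`, so as shown each destroyed semaphore appears to leak one label once `mac_posixsem_destroy()` sets `ks->ks_label = NULL`. Adding `mac_labelzone_free(label);` after the `MAC_PERFORM` line would bring this object type in line with the others. Blank lines are not preserved in this rendering, so confirm against the file that the call is really absent.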
diff --git a/sys/security/mac/mac_process.c b/sys/security/mac/mac_process.c
index abba4a9..c6c5cd8 100644
--- a/sys/security/mac/mac_process.c
+++ b/sys/security/mac/mac_process.c
@@ -3,6 +3,7 @@
* Copyright (c) 2001 Ilmar S. Habibulin
* Copyright (c) 2001-2003 Networks Associates Technology, Inc.
* Copyright (c) 2005 Samy Al Bahra
+ * Copyright (c) 2006 SPARTA, Inc.
* All rights reserved.
*
* This software was developed by Robert Watson and Ilmar Habibulin for the
@@ -13,6 +14,9 @@
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
* as part of the DARPA CHATS research program.
*
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract
+ * N66001-04-C-6019 ("SEFOS").
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -85,12 +89,12 @@ mac_cred_label_alloc(void)
struct label *label;
label = mac_labelzone_alloc(M_WAITOK);
- MAC_PERFORM(init_cred_label, label);
+ MAC_PERFORM(cred_init_label, label);
return (label);
}
void
-mac_init_cred(struct ucred *cred)
+mac_cred_init(struct ucred *cred)
{
cred->cr_label = mac_cred_label_alloc();
@@ -102,12 +106,12 @@ mac_proc_label_alloc(void)
struct label *label;
label = mac_labelzone_alloc(M_WAITOK);
- MAC_PERFORM(init_proc_label, label);
+ MAC_PERFORM(proc_init_label, label);
return (label);
}
void
-mac_init_proc(struct proc *p)
+mac_proc_init(struct proc *p)
{
p->p_label = mac_proc_label_alloc();
@@ -117,12 +121,12 @@ void
mac_cred_label_free(struct label *label)
{
- MAC_PERFORM(destroy_cred_label, label);
+ MAC_PERFORM(cred_destroy_label, label);
mac_labelzone_free(label);
}
void
-mac_destroy_cred(struct ucred *cred)
+mac_cred_destroy(struct ucred *cred)
{
mac_cred_label_free(cred->cr_label);
@@ -133,12 +137,12 @@ static void
mac_proc_label_free(struct label *label)
{
- MAC_PERFORM(destroy_proc_label, label);
+ MAC_PERFORM(proc_destroy_label, label);
mac_labelzone_free(label);
}
void
-mac_destroy_proc(struct proc *p)
+mac_proc_destroy(struct proc *p)
{
mac_proc_label_free(p->p_label);
@@ -146,7 +150,7 @@ mac_destroy_proc(struct proc *p)
}
int
-mac_externalize_cred_label(struct label *label, char *elements,
+mac_cred_externalize_label(struct label *label, char *elements,
char *outbuf, size_t outbuflen)
{
int error;
@@ -157,7 +161,7 @@ mac_externalize_cred_label(struct label *label, char *elements,
}
int
-mac_internalize_cred_label(struct label *label, char *string)
+mac_cred_internalize_label(struct label *label, char *string)
{
int error;
@@ -171,10 +175,10 @@ mac_internalize_cred_label(struct label *label, char *string)
* processes and threads are spawned.
*/
void
-mac_create_proc0(struct ucred *cred)
+mac_proc_create_swapper(struct ucred *cred)
{
- MAC_PERFORM(create_proc0, cred);
+ MAC_PERFORM(proc_create_swapper, cred);
}
/*
@@ -182,10 +186,10 @@ mac_create_proc0(struct ucred *cred)
* userland processes and threads are spawned.
*/
void
-mac_create_proc1(struct ucred *cred)
+mac_proc_create_init(struct ucred *cred)
{
- MAC_PERFORM(create_proc1, cred);
+ MAC_PERFORM(proc_create_init, cred);
}
void
@@ -201,10 +205,10 @@ mac_thread_userret(struct thread *td)
* This function allows that processing to take place.
*/
void
-mac_copy_cred(struct ucred *src, struct ucred *dest)
+mac_cred_copy(struct ucred *src, struct ucred *dest)
{
- MAC_PERFORM(copy_cred_label, src->cr_label, dest->cr_label);
+ MAC_PERFORM(cred_copy_label, src->cr_label, dest->cr_label);
}
int
@@ -234,7 +238,7 @@ mac_execve_enter(struct image_params *imgp, struct mac *mac_p)
}
label = mac_cred_label_alloc();
- error = mac_internalize_cred_label(label, buffer);
+ error = mac_cred_internalize_label(label, buffer);
free(buffer, M_MACTEMP);
if (error) {
mac_cred_label_free(label);
@@ -347,7 +351,7 @@ mac_cred_mmapped_drop_perms_recurse(struct thread *td, struct ucred *cred,
vfslocked = VFS_LOCK_GIANT(vp->v_mount);
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
result = vme->max_protection;
- mac_check_vnode_mmap_downgrade(cred, vp, &result);
+ mac_vnode_check_mmap_downgrade(cred, vp, &result);
VOP_UNLOCK(vp, 0, td);
/*
* Find out what maximum protection we may be allowing now
@@ -429,185 +433,185 @@ mac_cred_mmapped_drop_perms_recurse(struct thread *td, struct ucred *cred,
* buffer cache.
*/
void
-mac_relabel_cred(struct ucred *cred, struct label *newlabel)
+mac_cred_relabel(struct ucred *cred, struct label *newlabel)
{
- MAC_PERFORM(relabel_cred, cred, newlabel);
+ MAC_PERFORM(cred_relabel, cred, newlabel);
}
int
-mac_check_cred_relabel(struct ucred *cred, struct label *newlabel)
+mac_cred_check_relabel(struct ucred *cred, struct label *newlabel)
{
int error;
- MAC_CHECK(check_cred_relabel, cred, newlabel);
+ MAC_CHECK(cred_check_relabel, cred, newlabel);
return (error);
}
int
-mac_check_cred_visible(struct ucred *cr1, struct ucred *cr2)
+mac_cred_check_visible(struct ucred *cr1, struct ucred *cr2)
{
int error;
- MAC_CHECK(check_cred_visible, cr1, cr2);
+ MAC_CHECK(cred_check_visible, cr1, cr2);
return (error);
}
int
-mac_check_proc_debug(struct ucred *cred, struct proc *p)
+mac_proc_check_debug(struct ucred *cred, struct proc *p)
{
int error;
PROC_LOCK_ASSERT(p, MA_OWNED);
- MAC_CHECK(check_proc_debug, cred, p);
+ MAC_CHECK(proc_check_debug, cred, p);
return (error);
}
int
-mac_check_proc_sched(struct ucred *cred, struct proc *p)
+mac_proc_check_sched(struct ucred *cred, struct proc *p)
{
int error;
PROC_LOCK_ASSERT(p, MA_OWNED);
- MAC_CHECK(check_proc_sched, cred, p);
+ MAC_CHECK(proc_check_sched, cred, p);
return (error);
}
int
-mac_check_proc_signal(struct ucred *cred, struct proc *p, int signum)
+mac_proc_check_signal(struct ucred *cred, struct proc *p, int signum)
{
int error;
PROC_LOCK_ASSERT(p, MA_OWNED);
- MAC_CHECK(check_proc_signal, cred, p, signum);
+ MAC_CHECK(proc_check_signal, cred, p, signum);
return (error);
}
int
-mac_check_proc_setuid(struct proc *p, struct ucred *cred, uid_t uid)
+mac_proc_check_setuid(struct proc *p, struct ucred *cred, uid_t uid)
{
int error;
PROC_LOCK_ASSERT(p, MA_OWNED);
- MAC_CHECK(check_proc_setuid, cred, uid);
+ MAC_CHECK(proc_check_setuid, cred, uid);
return (error);
}
int
-mac_check_proc_seteuid(struct proc *p, struct ucred *cred, uid_t euid)
+mac_proc_check_seteuid(struct proc *p, struct ucred *cred, uid_t euid)
{
int error;
PROC_LOCK_ASSERT(p, MA_OWNED);
- MAC_CHECK(check_proc_seteuid, cred, euid);
+ MAC_CHECK(proc_check_seteuid, cred, euid);
return (error);
}
int
-mac_check_proc_setgid(struct proc *p, struct ucred *cred, gid_t gid)
+mac_proc_check_setgid(struct proc *p, struct ucred *cred, gid_t gid)
{
int error;
PROC_LOCK_ASSERT(p, MA_OWNED);
- MAC_CHECK(check_proc_setgid, cred, gid);
+ MAC_CHECK(proc_check_setgid, cred, gid);
return (error);
}
int
-mac_check_proc_setegid(struct proc *p, struct ucred *cred, gid_t egid)
+mac_proc_check_setegid(struct proc *p, struct ucred *cred, gid_t egid)
{
int error;
PROC_LOCK_ASSERT(p, MA_OWNED);
- MAC_CHECK(check_proc_setegid, cred, egid);
+ MAC_CHECK(proc_check_setegid, cred, egid);
return (error);
}
int
-mac_check_proc_setgroups(struct proc *p, struct ucred *cred, int ngroups,
+mac_proc_check_setgroups(struct proc *p, struct ucred *cred, int ngroups,
gid_t *gidset)
{
int error;
PROC_LOCK_ASSERT(p, MA_OWNED);
- MAC_CHECK(check_proc_setgroups, cred, ngroups, gidset);
+ MAC_CHECK(proc_check_setgroups, cred, ngroups, gidset);
return (error);
}
int
-mac_check_proc_setreuid(struct proc *p, struct ucred *cred, uid_t ruid,
+mac_proc_check_setreuid(struct proc *p, struct ucred *cred, uid_t ruid,
uid_t euid)
{
int error;
PROC_LOCK_ASSERT(p, MA_OWNED);
- MAC_CHECK(check_proc_setreuid, cred, ruid, euid);
+ MAC_CHECK(proc_check_setreuid, cred, ruid, euid);
return (error);
}
int
-mac_check_proc_setregid(struct proc *proc, struct ucred *cred, gid_t rgid,
+mac_proc_check_setregid(struct proc *proc, struct ucred *cred, gid_t rgid,
gid_t egid)
{
int error;
PROC_LOCK_ASSERT(proc, MA_OWNED);
- MAC_CHECK(check_proc_setregid, cred, rgid, egid);
+ MAC_CHECK(proc_check_setregid, cred, rgid, egid);
return (error);
}
int
-mac_check_proc_setresuid(struct proc *p, struct ucred *cred, uid_t ruid,
+mac_proc_check_setresuid(struct proc *p, struct ucred *cred, uid_t ruid,
uid_t euid, uid_t suid)
{
int error;
PROC_LOCK_ASSERT(p, MA_OWNED);
- MAC_CHECK(check_proc_setresuid, cred, ruid, euid, suid);
+ MAC_CHECK(proc_check_setresuid, cred, ruid, euid, suid);
return (error);
}
int
-mac_check_proc_setresgid(struct proc *p, struct ucred *cred, gid_t rgid,
+mac_proc_check_setresgid(struct proc *p, struct ucred *cred, gid_t rgid,
gid_t egid, gid_t sgid)
{
int error;
PROC_LOCK_ASSERT(p, MA_OWNED);
- MAC_CHECK(check_proc_setresgid, cred, rgid, egid, sgid);
+ MAC_CHECK(proc_check_setresgid, cred, rgid, egid, sgid);
return (error);
}
int
-mac_check_proc_wait(struct ucred *cred, struct proc *p)
+mac_proc_check_wait(struct ucred *cred, struct proc *p)
{
int error;
PROC_LOCK_ASSERT(p, MA_OWNED);
- MAC_CHECK(check_proc_wait, cred, p);
+ MAC_CHECK(proc_check_wait, cred, p);
return (error);
}
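Review bot: `mac_proc_check_setregid()` names its process argument `proc` while every other `mac_proc_check_*` wrapper in this hunk uses `p`. Since the patch is a naming sweep, this is the place to align it: `mac_proc_check_setregid(struct proc *p, struct ucred *cred, gid_t rgid,` and `PROC_LOCK_ASSERT(p, MA_OWNED);`. In the set*id wrappers the process pointer is used only for the lock assertion and is not passed to the policy hook. A one-line comment such as `/* p is only asserted locked; policies see cred and the requested IDs. */` would make that explicit for policy authors.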
diff --git a/sys/security/mac/mac_socket.c b/sys/security/mac/mac_socket.c
index 07722ad..37dfa3f 100644
--- a/sys/security/mac/mac_socket.c
+++ b/sys/security/mac/mac_socket.c
@@ -2,7 +2,7 @@
* Copyright (c) 1999-2002 Robert N. M. Watson
* Copyright (c) 2001 Ilmar S. Habibulin
* Copyright (c) 2001-2005 Networks Associates Technology, Inc.
- * Copyright (c) 2005 SPARTA, Inc.
+ * Copyright (c) 2005-2006 SPARTA, Inc.
* All rights reserved.
*
* This software was developed by Robert Watson and Ilmar Habibulin for the
@@ -94,9 +94,9 @@ mac_socket_label_alloc(int flag)
if (label == NULL)
return (NULL);
- MAC_CHECK(init_socket_label, label, flag);
+ MAC_CHECK(socket_init_label, label, flag);
if (error) {
- MAC_PERFORM(destroy_socket_label, label);
+ MAC_PERFORM(socket_destroy_label, label);
mac_labelzone_free(label);
return (NULL);
}
@@ -104,7 +104,7 @@ mac_socket_label_alloc(int flag)
}
static struct label *
-mac_socket_peer_label_alloc(int flag)
+mac_socketpeer_label_alloc(int flag)
{
struct label *label;
int error;
@@ -113,9 +113,9 @@ mac_socket_peer_label_alloc(int flag)
if (label == NULL)
return (NULL);
- MAC_CHECK(init_socket_peer_label, label, flag);
+ MAC_CHECK(socketpeer_init_label, label, flag);
if (error) {
- MAC_PERFORM(destroy_socket_peer_label, label);
+ MAC_PERFORM(socketpeer_destroy_label, label);
mac_labelzone_free(label);
return (NULL);
}
@@ -123,13 +123,13 @@ mac_socket_peer_label_alloc(int flag)
}
int
-mac_init_socket(struct socket *so, int flag)
+mac_socket_init(struct socket *so, int flag)
{
so->so_label = mac_socket_label_alloc(flag);
if (so->so_label == NULL)
return (ENOMEM);
- so->so_peerlabel = mac_socket_peer_label_alloc(flag);
+ so->so_peerlabel = mac_socketpeer_label_alloc(flag);
if (so->so_peerlabel == NULL) {
mac_socket_label_free(so->so_label);
so->so_label = NULL;
@@ -142,37 +142,37 @@ void
mac_socket_label_free(struct label *label)
{
- MAC_PERFORM(destroy_socket_label, label);
+ MAC_PERFORM(socket_destroy_label, label);
mac_labelzone_free(label);
}
static void
-mac_socket_peer_label_free(struct label *label)
+mac_socketpeer_label_free(struct label *label)
{
- MAC_PERFORM(destroy_socket_peer_label, label);
+ MAC_PERFORM(socketpeer_destroy_label, label);
mac_labelzone_free(label);
}
void
-mac_destroy_socket(struct socket *so)
+mac_socket_destroy(struct socket *so)
{
mac_socket_label_free(so->so_label);
so->so_label = NULL;
- mac_socket_peer_label_free(so->so_peerlabel);
+ mac_socketpeer_label_free(so->so_peerlabel);
so->so_peerlabel = NULL;
}
void
-mac_copy_socket_label(struct label *src, struct label *dest)
+mac_socket_copy_label(struct label *src, struct label *dest)
{
- MAC_PERFORM(copy_socket_label, src, dest);
+ MAC_PERFORM(socket_copy_label, src, dest);
}
int
-mac_externalize_socket_label(struct label *label, char *elements,
+mac_socket_externalize_label(struct label *label, char *elements,
char *outbuf, size_t outbuflen)
{
int error;
@@ -183,18 +183,18 @@ mac_externalize_socket_label(struct label *label, char *elements,
}
static int
-mac_externalize_socket_peer_label(struct label *label, char *elements,
+mac_socketpeer_externalize_label(struct label *label, char *elements,
char *outbuf, size_t outbuflen)
{
int error;
- MAC_EXTERNALIZE(socket_peer, label, elements, outbuf, outbuflen);
+ MAC_EXTERNALIZE(socketpeer, label, elements, outbuf, outbuflen);
return (error);
}
int
-mac_internalize_socket_label(struct label *label, char *string)
+mac_socket_internalize_label(struct label *label, char *string)
{
int error;
@@ -204,34 +204,34 @@ mac_internalize_socket_label(struct label *label, char *string)
}
void
-mac_create_socket(struct ucred *cred, struct socket *so)
+mac_socket_create(struct ucred *cred, struct socket *so)
{
- MAC_PERFORM(create_socket, cred, so, so->so_label);
+ MAC_PERFORM(socket_create, cred, so, so->so_label);
}
void
-mac_create_socket_from_socket(struct socket *oldso, struct socket *newso)
+mac_socket_newconn(struct socket *oldso, struct socket *newso)
{
SOCK_LOCK_ASSERT(oldso);
- MAC_PERFORM(create_socket_from_socket, oldso, oldso->so_label, newso,
+ MAC_PERFORM(socket_newconn, oldso, oldso->so_label, newso,
newso->so_label);
}
static void
-mac_relabel_socket(struct ucred *cred, struct socket *so,
+mac_socket_relabel(struct ucred *cred, struct socket *so,
struct label *newlabel)
{
SOCK_LOCK_ASSERT(so);
- MAC_PERFORM(relabel_socket, cred, so, so->so_label, newlabel);
+ MAC_PERFORM(socket_relabel, cred, so, so->so_label, newlabel);
}
void
-mac_set_socket_peer_from_mbuf(struct mbuf *m, struct socket *so)
+mac_socketpeer_set_from_mbuf(struct mbuf *m, struct socket *so)
{
struct label *label;
@@ -239,12 +239,12 @@ mac_set_socket_peer_from_mbuf(struct mbuf *m, struct socket *so)
label = mac_mbuf_to_label(m);
- MAC_PERFORM(set_socket_peer_from_mbuf, m, label, so,
+ MAC_PERFORM(socketpeer_set_from_mbuf, m, label, so,
so->so_peerlabel);
}
void
-mac_set_socket_peer_from_socket(struct socket *oldso, struct socket *newso)
+mac_socketpeer_set_from_socket(struct socket *oldso, struct socket *newso)
{
/*
@@ -252,12 +252,12 @@ mac_set_socket_peer_from_socket(struct socket *oldso, struct socket *newso)
* is the original, and one is the new. However, it's called in both
* directions, so we can't assert the lock here currently.
*/
- MAC_PERFORM(set_socket_peer_from_socket, oldso, oldso->so_label,
+ MAC_PERFORM(socketpeer_set_from_socket, oldso, oldso->so_label,
newso, newso->so_peerlabel);
}
void
-mac_create_mbuf_from_socket(struct socket *so, struct mbuf *m)
+mac_socket_create_mbuf(struct socket *so, struct mbuf *m)
{
struct label *label;
@@ -265,59 +265,59 @@ mac_create_mbuf_from_socket(struct socket *so, struct mbuf *m)
label = mac_mbuf_to_label(m);
- MAC_PERFORM(create_mbuf_from_socket, so, so->so_label, m, label);
+ MAC_PERFORM(socket_create_mbuf, so, so->so_label, m, label);
}
int
-mac_check_socket_accept(struct ucred *cred, struct socket *so)
+mac_socket_check_accept(struct ucred *cred, struct socket *so)
{
int error;
SOCK_LOCK_ASSERT(so);
- MAC_CHECK(check_socket_accept, cred, so, so->so_label);
+ MAC_CHECK(socket_check_accept, cred, so, so->so_label);
return (error);
}
int
-mac_check_socket_bind(struct ucred *ucred, struct socket *so,
+mac_socket_check_bind(struct ucred *ucred, struct socket *so,
struct sockaddr *sa)
{
int error;
SOCK_LOCK_ASSERT(so);
- MAC_CHECK(check_socket_bind, ucred, so, so->so_label, sa);
+ MAC_CHECK(socket_check_bind, ucred, so, so->so_label, sa);
return (error);
}
int
-mac_check_socket_connect(struct ucred *cred, struct socket *so,
+mac_socket_check_connect(struct ucred *cred, struct socket *so,
struct sockaddr *sa)
{
int error;
SOCK_LOCK_ASSERT(so);
- MAC_CHECK(check_socket_connect, cred, so, so->so_label, sa);
+ MAC_CHECK(socket_check_connect, cred, so, so->so_label, sa);
return (error);
}
int
-mac_check_socket_create(struct ucred *cred, int domain, int type, int proto)
+mac_socket_check_create(struct ucred *cred, int domain, int type, int proto)
{
int error;
- MAC_CHECK(check_socket_create, cred, domain, type, proto);
+ MAC_CHECK(socket_check_create, cred, domain, type, proto);
return (error);
}
int
-mac_check_socket_deliver(struct socket *so, struct mbuf *m)
+mac_socket_check_deliver(struct socket *so, struct mbuf *m)
{
struct label *label;
int error;
@@ -326,92 +326,92 @@ mac_check_socket_deliver(struct socket *so, struct mbuf *m)
label = mac_mbuf_to_label(m);
- MAC_CHECK(check_socket_deliver, so, so->so_label, m, label);
+ MAC_CHECK(socket_check_deliver, so, so->so_label, m, label);
return (error);
}
int
-mac_check_socket_listen(struct ucred *cred, struct socket *so)
+mac_socket_check_listen(struct ucred *cred, struct socket *so)
{
int error;
SOCK_LOCK_ASSERT(so);
- MAC_CHECK(check_socket_listen, cred, so, so->so_label);
+ MAC_CHECK(socket_check_listen, cred, so, so->so_label);
return (error);
}
int
-mac_check_socket_poll(struct ucred *cred, struct socket *so)
+mac_socket_check_poll(struct ucred *cred, struct socket *so)
{
int error;
SOCK_LOCK_ASSERT(so);
- MAC_CHECK(check_socket_poll, cred, so, so->so_label);
+ MAC_CHECK(socket_check_poll, cred, so, so->so_label);
return (error);
}
int
-mac_check_socket_receive(struct ucred *cred, struct socket *so)
+mac_socket_check_receive(struct ucred *cred, struct socket *so)
{
int error;
SOCK_LOCK_ASSERT(so);
- MAC_CHECK(check_socket_receive, cred, so, so->so_label);
+ MAC_CHECK(socket_check_receive, cred, so, so->so_label);
return (error);
}
static int
-mac_check_socket_relabel(struct ucred *cred, struct socket *so,
+mac_socket_check_relabel(struct ucred *cred, struct socket *so,
struct label *newlabel)
{
int error;
SOCK_LOCK_ASSERT(so);
- MAC_CHECK(check_socket_relabel, cred, so, so->so_label, newlabel);
+ MAC_CHECK(socket_check_relabel, cred, so, so->so_label, newlabel);
return (error);
}
int
-mac_check_socket_send(struct ucred *cred, struct socket *so)
+mac_socket_check_send(struct ucred *cred, struct socket *so)
{
int error;
SOCK_LOCK_ASSERT(so);
- MAC_CHECK(check_socket_send, cred, so, so->so_label);
+ MAC_CHECK(socket_check_send, cred, so, so->so_label);
return (error);
}
int
-mac_check_socket_stat(struct ucred *cred, struct socket *so)
+mac_socket_check_stat(struct ucred *cred, struct socket *so)
{
int error;
SOCK_LOCK_ASSERT(so);
- MAC_CHECK(check_socket_stat, cred, so, so->so_label);
+ MAC_CHECK(socket_check_stat, cred, so, so->so_label);
return (error);
}
int
-mac_check_socket_visible(struct ucred *cred, struct socket *so)
+mac_socket_check_visible(struct ucred *cred, struct socket *so)
{
int error;
SOCK_LOCK_ASSERT(so);
- MAC_CHECK(check_socket_visible, cred, so, so->so_label);
+ MAC_CHECK(socket_check_visible, cred, so, so->so_label);
return (error);
}
@@ -431,13 +431,13 @@ mac_socket_label_set(struct ucred *cred, struct socket *so,
* acquire the socket lock before refreshing, holding both locks.
*/
SOCK_LOCK(so);
- error = mac_check_socket_relabel(cred, so, label);
+ error = mac_socket_check_relabel(cred, so, label);
if (error) {
SOCK_UNLOCK(so);
return (error);
}
- mac_relabel_socket(cred, so, label);
+ mac_socket_relabel(cred, so, label);
SOCK_UNLOCK(so);
/*
@@ -471,7 +471,7 @@ mac_setsockopt_label(struct ucred *cred, struct socket *so, struct mac *mac)
}
intlabel = mac_socket_label_alloc(M_WAITOK);
- error = mac_internalize_socket_label(intlabel, buffer);
+ error = mac_socket_internalize_label(intlabel, buffer);
free(buffer, M_MACTEMP);
if (error)
goto out;
@@ -503,9 +503,9 @@ mac_getsockopt_label(struct ucred *cred, struct socket *so, struct mac *mac)
buffer = malloc(mac->m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
intlabel = mac_socket_label_alloc(M_WAITOK);
SOCK_LOCK(so);
- mac_copy_socket_label(so->so_label, intlabel);
+ mac_socket_copy_label(so->so_label, intlabel);
SOCK_UNLOCK(so);
- error = mac_externalize_socket_label(intlabel, elements, buffer,
+ error = mac_socket_externalize_label(intlabel, elements, buffer,
mac->m_buflen);
mac_socket_label_free(intlabel);
if (error == 0)
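Review bot: The result of `mac_socket_label_alloc(M_WAITOK)` is passed straight to `mac_socket_copy_label()` without a NULL check, yet the allocator's own hunk earlier in this file returns NULL whenever a policy's `socket_init_label` hook reports an error. This presumably relies on the convention that init hooks do not fail under `M_WAITOK`. Stating it as `KASSERT(intlabel != NULL, ("mac_getsockopt_label: NULL label"));` would turn that assumption into a checked one rather than a NULL label reaching a policy hook. The same pattern appears in the `mac_setsockopt_label`, `mac_getsockopt_peerlabel`, `__mac_get_fd` and `__mac_set_fd` hunks. The function body starts and ends outside this hunk.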
@@ -539,9 +539,9 @@ mac_getsockopt_peerlabel(struct ucred *cred, struct socket *so,
buffer = malloc(mac->m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
intlabel = mac_socket_label_alloc(M_WAITOK);
SOCK_LOCK(so);
- mac_copy_socket_label(so->so_peerlabel, intlabel);
+ mac_socket_copy_label(so->so_peerlabel, intlabel);
SOCK_UNLOCK(so);
- error = mac_externalize_socket_peer_label(intlabel, elements, buffer,
+ error = mac_socketpeer_externalize_label(intlabel, elements, buffer,
mac->m_buflen);
mac_socket_label_free(intlabel);
if (error == 0)
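Review bot: The temporary label here is allocated, copied and freed through the `socket` entry points (`mac_socket_label_alloc`, `mac_socket_copy_label`, `mac_socket_label_free`) but externalized through `mac_socketpeer_externalize_label`. A policy's socketpeer externalize hook therefore receives a label that was set up by its `socket_init_label` and `socket_copy_label` hooks. That is safe only if every policy keeps identical per-label state for sockets and socket peers, which the new distinct `socketpeer_*` naming no longer implies. A comment above the allocation such as `/* Peer label is staged in a socket label; policies must accept socket-initialised labels in socketpeer_externalize_label. */` would record the requirement. The function body starts and ends outside this hunk.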
diff --git a/sys/security/mac/mac_syscalls.c b/sys/security/mac/mac_syscalls.c
index cda98c2..0c41c78 100644
--- a/sys/security/mac/mac_syscalls.c
+++ b/sys/security/mac/mac_syscalls.c
@@ -105,7 +105,7 @@ __mac_get_pid(struct thread *td, struct __mac_get_pid_args *uap)
}
buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
- error = mac_externalize_cred_label(tcred->cr_label, elements,
+ error = mac_cred_externalize_label(tcred->cr_label, elements,
buffer, mac.m_buflen);
if (error == 0)
error = copyout(buffer, mac.m_string, strlen(buffer)+1);
@@ -139,7 +139,7 @@ __mac_get_proc(struct thread *td, struct __mac_get_proc_args *uap)
}
buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
- error = mac_externalize_cred_label(td->td_ucred->cr_label,
+ error = mac_cred_externalize_label(td->td_ucred->cr_label,
elements, buffer, mac.m_buflen);
if (error == 0)
error = copyout(buffer, mac.m_string, strlen(buffer)+1);
@@ -175,7 +175,7 @@ __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
}
intlabel = mac_cred_label_alloc();
- error = mac_internalize_cred_label(intlabel, buffer);
+ error = mac_cred_internalize_label(intlabel, buffer);
free(buffer, M_MACTEMP);
if (error)
goto out;
@@ -186,7 +186,7 @@ __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
PROC_LOCK(p);
oldcred = p->p_ucred;
- error = mac_check_cred_relabel(oldcred, intlabel);
+ error = mac_cred_check_relabel(oldcred, intlabel);
if (error) {
PROC_UNLOCK(p);
crfree(newcred);
@@ -195,7 +195,7 @@ __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
setsugid(p);
crcopy(newcred, oldcred);
- mac_relabel_cred(newcred, intlabel);
+ mac_cred_relabel(newcred, intlabel);
p->p_ucred = newcred;
/*
@@ -256,10 +256,10 @@ __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap)
intlabel = mac_vnode_label_alloc();
vfslocked = VFS_LOCK_GIANT(vp->v_mount);
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
- mac_copy_vnode_label(vp->v_label, intlabel);
+ mac_vnode_copy_label(vp->v_label, intlabel);
VOP_UNLOCK(vp, 0, td);
VFS_UNLOCK_GIANT(vfslocked);
- error = mac_externalize_vnode_label(intlabel, elements,
+ error = mac_vnode_externalize_label(intlabel, elements,
buffer, mac.m_buflen);
mac_vnode_label_free(intlabel);
break;
@@ -268,9 +268,9 @@ __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap)
pipe = fp->f_data;
intlabel = mac_pipe_label_alloc();
PIPE_LOCK(pipe);
- mac_copy_pipe_label(pipe->pipe_pair->pp_label, intlabel);
+ mac_pipe_copy_label(pipe->pipe_pair->pp_label, intlabel);
PIPE_UNLOCK(pipe);
- error = mac_externalize_pipe_label(intlabel, elements,
+ error = mac_pipe_externalize_label(intlabel, elements,
buffer, mac.m_buflen);
mac_pipe_label_free(intlabel);
break;
@@ -279,9 +279,9 @@ __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap)
so = fp->f_data;
intlabel = mac_socket_label_alloc(M_WAITOK);
SOCK_LOCK(so);
- mac_copy_socket_label(so->so_label, intlabel);
+ mac_socket_copy_label(so->so_label, intlabel);
SOCK_UNLOCK(so);
- error = mac_externalize_socket_label(intlabel, elements,
+ error = mac_socket_externalize_label(intlabel, elements,
buffer, mac.m_buflen);
mac_socket_label_free(intlabel);
break;
@@ -332,8 +332,8 @@ __mac_get_file(struct thread *td, struct __mac_get_file_args *uap)
intlabel = mac_vnode_label_alloc();
vfslocked = NDHASGIANT(&nd);
- mac_copy_vnode_label(nd.ni_vp->v_label, intlabel);
- error = mac_externalize_vnode_label(intlabel, elements, buffer,
+ mac_vnode_copy_label(nd.ni_vp->v_label, intlabel);
+ error = mac_vnode_externalize_label(intlabel, elements, buffer,
mac.m_buflen);
NDFREE(&nd, 0);
@@ -382,8 +382,8 @@ __mac_get_link(struct thread *td, struct __mac_get_link_args *uap)
intlabel = mac_vnode_label_alloc();
vfslocked = NDHASGIANT(&nd);
- mac_copy_vnode_label(nd.ni_vp->v_label, intlabel);
- error = mac_externalize_vnode_label(intlabel, elements, buffer,
+ mac_vnode_copy_label(nd.ni_vp->v_label, intlabel);
+ error = mac_vnode_externalize_label(intlabel, elements, buffer,
mac.m_buflen);
NDFREE(&nd, 0);
VFS_UNLOCK_GIANT(vfslocked);
@@ -435,7 +435,7 @@ __mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap)
case DTYPE_FIFO:
case DTYPE_VNODE:
intlabel = mac_vnode_label_alloc();
- error = mac_internalize_vnode_label(intlabel, buffer);
+ error = mac_vnode_internalize_label(intlabel, buffer);
if (error) {
mac_vnode_label_free(intlabel);
break;
@@ -458,7 +458,7 @@ __mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap)
case DTYPE_PIPE:
intlabel = mac_pipe_label_alloc();
- error = mac_internalize_pipe_label(intlabel, buffer);
+ error = mac_pipe_internalize_label(intlabel, buffer);
if (error == 0) {
pipe = fp->f_data;
PIPE_LOCK(pipe);
@@ -471,7 +471,7 @@ __mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap)
case DTYPE_SOCKET:
intlabel = mac_socket_label_alloc(M_WAITOK);
- error = mac_internalize_socket_label(intlabel, buffer);
+ error = mac_socket_internalize_label(intlabel, buffer);
if (error == 0) {
so = fp->f_data;
error = mac_socket_label_set(td->td_ucred, so,
@@ -515,7 +515,7 @@ __mac_set_file(struct thread *td, struct __mac_set_file_args *uap)
}
intlabel = mac_vnode_label_alloc();
- error = mac_internalize_vnode_label(intlabel, buffer);
+ error = mac_vnode_internalize_label(intlabel, buffer);
free(buffer, M_MACTEMP);
if (error)
goto out;
@@ -566,7 +566,7 @@ __mac_set_link(struct thread *td, struct __mac_set_link_args *uap)
}
intlabel = mac_vnode_label_alloc();
- error = mac_internalize_vnode_label(intlabel, buffer);
+ error = mac_vnode_internalize_label(intlabel, buffer);
free(buffer, M_MACTEMP);
if (error)
goto out;
diff --git a/sys/security/mac/mac_system.c b/sys/security/mac/mac_system.c
index 380466e..588e019 100644
--- a/sys/security/mac/mac_system.c
+++ b/sys/security/mac/mac_system.c
@@ -1,5 +1,6 @@
/*-
* Copyright (c) 2002-2003 Networks Associates Technology, Inc.
+ * Copyright (c) 2006 SPARTA, Inc.
* Copyright (c) 2007 Robert N. M. Watson
* All rights reserved.
*
@@ -11,6 +12,9 @@
* Portions of this software were developed by Robert Watson for the
* TrustedBSD Project.
*
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract
+ * N66001-04-C-6019 ("SEFOS").
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -63,116 +67,116 @@ __FBSDID("$FreeBSD$");
#include <security/mac/mac_policy.h>
int
-mac_check_kenv_dump(struct ucred *cred)
+mac_kenv_check_dump(struct ucred *cred)
{
int error;
- MAC_CHECK(check_kenv_dump, cred);
+ MAC_CHECK(kenv_check_dump, cred);
return (error);
}
int
-mac_check_kenv_get(struct ucred *cred, char *name)
+mac_kenv_check_get(struct ucred *cred, char *name)
{
int error;
- MAC_CHECK(check_kenv_get, cred, name);
+ MAC_CHECK(kenv_check_get, cred, name);
return (error);
}
int
-mac_check_kenv_set(struct ucred *cred, char *name, char *value)
+mac_kenv_check_set(struct ucred *cred, char *name, char *value)
{
int error;
- MAC_CHECK(check_kenv_set, cred, name, value);
+ MAC_CHECK(kenv_check_set, cred, name, value);
return (error);
}
int
-mac_check_kenv_unset(struct ucred *cred, char *name)
+mac_kenv_check_unset(struct ucred *cred, char *name)
{
int error;
- MAC_CHECK(check_kenv_unset, cred, name);
+ MAC_CHECK(kenv_check_unset, cred, name);
return (error);
}
int
-mac_check_kld_load(struct ucred *cred, struct vnode *vp)
+mac_kld_check_load(struct ucred *cred, struct vnode *vp)
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_check_kld_load");
+ ASSERT_VOP_LOCKED(vp, "mac_kld_check_load");
- MAC_CHECK(check_kld_load, cred, vp, vp->v_label);
+ MAC_CHECK(kld_check_load, cred, vp, vp->v_label);
return (error);
}
int
-mac_check_kld_stat(struct ucred *cred)
+mac_kld_check_stat(struct ucred *cred)
{
int error;
- MAC_CHECK(check_kld_stat, cred);
+ MAC_CHECK(kld_check_stat, cred);
return (error);
}
int
-mac_check_system_acct(struct ucred *cred, struct vnode *vp)
+mac_system_check_acct(struct ucred *cred, struct vnode *vp)
{
int error;
if (vp != NULL) {
- ASSERT_VOP_LOCKED(vp, "mac_check_system_acct");
+ ASSERT_VOP_LOCKED(vp, "mac_system_check_acct");
}
- MAC_CHECK(check_system_acct, cred, vp,
+ MAC_CHECK(system_check_acct, cred, vp,
vp != NULL ? vp->v_label : NULL);
return (error);
}
int
-mac_check_system_reboot(struct ucred *cred, int howto)
+mac_system_check_reboot(struct ucred *cred, int howto)
{
int error;
- MAC_CHECK(check_system_reboot, cred, howto);
+ MAC_CHECK(system_check_reboot, cred, howto);
return (error);
}
int
-mac_check_system_swapon(struct ucred *cred, struct vnode *vp)
+mac_system_check_swapon(struct ucred *cred, struct vnode *vp)
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_check_system_swapon");
+ ASSERT_VOP_LOCKED(vp, "mac_system_check_swapon");
- MAC_CHECK(check_system_swapon, cred, vp, vp->v_label);
+ MAC_CHECK(system_check_swapon, cred, vp, vp->v_label);
return (error);
}
int
-mac_check_system_swapoff(struct ucred *cred, struct vnode *vp)
+mac_system_check_swapoff(struct ucred *cred, struct vnode *vp)
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_check_system_swapoff");
+ ASSERT_VOP_LOCKED(vp, "mac_system_check_swapoff");
- MAC_CHECK(check_system_swapoff, cred, vp, vp->v_label);
+ MAC_CHECK(system_check_swapoff, cred, vp, vp->v_label);
return (error);
}
int
-mac_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
+mac_system_check_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
void *arg1, int arg2, struct sysctl_req *req)
{
int error;
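Review bot: The `ASSERT_VOP_LOCKED` calls in `mac_kld_check_load`, `mac_system_check_acct`, `mac_system_check_swapon` and `mac_system_check_swapoff` repeat the function name as a string literal, so every rename has to touch the assertion message too, and a missed one would make a lock-assertion failure name a function that no longer exists. If the macro accepts any `const char *`, `ASSERT_VOP_LOCKED(vp, __func__);` keeps the message correct without further edits. The same applies to the renamed assertions in the mac_vfs.c hunks of this commit. The body of `mac_system_check_sysctl` continues outside this hunk.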
@@ -181,7 +185,7 @@ mac_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
* XXXMAC: We would very much like to assert the SYSCTL_LOCK here,
* but since it's not exported from kern_sysctl.c, we can't.
*/
- MAC_CHECK(check_system_sysctl, cred, oidp, arg1, arg2, req);
+ MAC_CHECK(system_check_sysctl, cred, oidp, arg1, arg2, req);
return (error);
}
diff --git a/sys/security/mac/mac_sysv_msg.c b/sys/security/mac/mac_sysv_msg.c
index 054614b..5db6270 100644
--- a/sys/security/mac/mac_sysv_msg.c
+++ b/sys/security/mac/mac_sysv_msg.c
@@ -1,5 +1,6 @@
/*-
* Copyright (c) 2003-2004 Networks Associates Technology, Inc.
+ * Copyright (c) 2006 SPARTA, Inc.
* All rights reserved.
*
* This software was developed for the FreeBSD Project in part by Network
@@ -7,6 +8,9 @@
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
* as part of the DARPA CHATS research program.
*
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract
+ * N66001-04-C-6019 ("SEFOS").
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -58,12 +62,12 @@ mac_sysv_msgmsg_label_alloc(void)
struct label *label;
label = mac_labelzone_alloc(M_WAITOK);
- MAC_PERFORM(init_sysv_msgmsg_label, label);
+ MAC_PERFORM(sysvmsg_init_label, label);
return (label);
}
void
-mac_init_sysv_msgmsg(struct msg *msgptr)
+mac_sysvmsg_init(struct msg *msgptr)
{
msgptr->label = mac_sysv_msgmsg_label_alloc();
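Review bot: The static helper keeps its old name `mac_sysv_msgmsg_label_alloc` while the entry point it invokes becomes `sysvmsg_init_label` and its visible caller becomes `mac_sysvmsg_init`, so the file now mixes two naming schemes for the same object. Renaming the helper to match, for example `mac_sysvmsg_label_alloc(void)` with the call site `msgptr->label = mac_sysvmsg_label_alloc();`, would finish the conversion. The same holds for `mac_sysv_msgqueue_label_alloc`, `mac_sysv_msgmsg_label_free` and `mac_sysv_msgqueue_label_free` in the following hunks, and for the `mac_sysv_sem_label_*` and `mac_sysv_shm_label_*` helpers in mac_sysv_sem.c and mac_sysv_shm.c. `mac_sysv_msgmsg_label_alloc` starts before this hunk and `mac_sysvmsg_init` ends after it.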
@@ -75,12 +79,12 @@ mac_sysv_msgqueue_label_alloc(void)
struct label *label;
label = mac_labelzone_alloc(M_WAITOK);
- MAC_PERFORM(init_sysv_msgqueue_label, label);
+ MAC_PERFORM(sysvmsq_init_label, label);
return (label);
}
void
-mac_init_sysv_msgqueue(struct msqid_kernel *msqkptr)
+mac_sysvmsq_init(struct msqid_kernel *msqkptr)
{
msqkptr->label = mac_sysv_msgqueue_label_alloc();
@@ -90,12 +94,12 @@ static void
mac_sysv_msgmsg_label_free(struct label *label)
{
- MAC_PERFORM(destroy_sysv_msgmsg_label, label);
+ MAC_PERFORM(sysvmsg_destroy_label, label);
mac_labelzone_free(label);
}
void
-mac_destroy_sysv_msgmsg(struct msg *msgptr)
+mac_sysvmsg_destroy(struct msg *msgptr)
{
mac_sysv_msgmsg_label_free(msgptr->label);
@@ -106,12 +110,12 @@ static void
mac_sysv_msgqueue_label_free(struct label *label)
{
- MAC_PERFORM(destroy_sysv_msgqueue_label, label);
+ MAC_PERFORM(sysvmsq_destroy_label, label);
mac_labelzone_free(label);
}
void
-mac_destroy_sysv_msgqueue(struct msqid_kernel *msqkptr)
+mac_sysvmsq_destroy(struct msqid_kernel *msqkptr)
{
mac_sysv_msgqueue_label_free(msqkptr->label);
@@ -119,104 +123,104 @@ mac_destroy_sysv_msgqueue(struct msqid_kernel *msqkptr)
}
void
-mac_create_sysv_msgmsg(struct ucred *cred, struct msqid_kernel *msqkptr,
+mac_sysvmsg_create(struct ucred *cred, struct msqid_kernel *msqkptr,
struct msg *msgptr)
{
- MAC_PERFORM(create_sysv_msgmsg, cred, msqkptr, msqkptr->label,
+ MAC_PERFORM(sysvmsg_create, cred, msqkptr, msqkptr->label,
msgptr, msgptr->label);
}
void
-mac_create_sysv_msgqueue(struct ucred *cred, struct msqid_kernel *msqkptr)
+mac_sysvmsq_create(struct ucred *cred, struct msqid_kernel *msqkptr)
{
- MAC_PERFORM(create_sysv_msgqueue, cred, msqkptr, msqkptr->label);
+ MAC_PERFORM(sysvmsq_create, cred, msqkptr, msqkptr->label);
}
void
-mac_cleanup_sysv_msgmsg(struct msg *msgptr)
+mac_sysvmsg_cleanup(struct msg *msgptr)
{
- MAC_PERFORM(cleanup_sysv_msgmsg, msgptr->label);
+ MAC_PERFORM(sysvmsg_cleanup, msgptr->label);
}
void
-mac_cleanup_sysv_msgqueue(struct msqid_kernel *msqkptr)
+mac_sysvmsq_cleanup(struct msqid_kernel *msqkptr)
{
- MAC_PERFORM(cleanup_sysv_msgqueue, msqkptr->label);
+ MAC_PERFORM(sysvmsq_cleanup, msqkptr->label);
}
int
-mac_check_sysv_msgmsq(struct ucred *cred, struct msg *msgptr,
+mac_sysvmsq_check_msgmsq(struct ucred *cred, struct msg *msgptr,
struct msqid_kernel *msqkptr)
{
int error;
- MAC_CHECK(check_sysv_msgmsq, cred, msgptr, msgptr->label, msqkptr,
- msqkptr->label);
+ MAC_CHECK(sysvmsq_check_msgmsq, cred, msgptr, msgptr->label,
+ msqkptr, msqkptr->label);
return (error);
}
int
-mac_check_sysv_msgrcv(struct ucred *cred, struct msg *msgptr)
+mac_sysvmsq_check_msgrcv(struct ucred *cred, struct msg *msgptr)
{
int error;
- MAC_CHECK(check_sysv_msgrcv, cred, msgptr, msgptr->label);
+ MAC_CHECK(sysvmsq_check_msgrcv, cred, msgptr, msgptr->label);
return (error);
}
int
-mac_check_sysv_msgrmid(struct ucred *cred, struct msg *msgptr)
+mac_sysvmsq_check_msgrmid(struct ucred *cred, struct msg *msgptr)
{
int error;
- MAC_CHECK(check_sysv_msgrmid, cred, msgptr, msgptr->label);
+ MAC_CHECK(sysvmsq_check_msgrmid, cred, msgptr, msgptr->label);
return (error);
}
int
-mac_check_sysv_msqget(struct ucred *cred, struct msqid_kernel *msqkptr)
+mac_sysvmsq_check_msqget(struct ucred *cred, struct msqid_kernel *msqkptr)
{
int error;
- MAC_CHECK(check_sysv_msqget, cred, msqkptr, msqkptr->label);
+ MAC_CHECK(sysvmsq_check_msqget, cred, msqkptr, msqkptr->label);
return (error);
}
int
-mac_check_sysv_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr)
+mac_sysvmsq_check_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr)
{
int error;
- MAC_CHECK(check_sysv_msqsnd, cred, msqkptr, msqkptr->label);
+ MAC_CHECK(sysvmsq_check_msqsnd, cred, msqkptr, msqkptr->label);
return (error);
}
int
-mac_check_sysv_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr)
+mac_sysvmsq_check_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr)
{
int error;
- MAC_CHECK(check_sysv_msqrcv, cred, msqkptr, msqkptr->label);
+ MAC_CHECK(sysvmsq_check_msqrcv, cred, msqkptr, msqkptr->label);
return (error);
}
int
-mac_check_sysv_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr,
+mac_sysvmsq_check_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr,
int cmd)
{
int error;
- MAC_CHECK(check_sysv_msqctl, cred, msqkptr, msqkptr->label, cmd);
+ MAC_CHECK(sysvmsq_check_msqctl, cred, msqkptr, msqkptr->label, cmd);
return (error);
}
diff --git a/sys/security/mac/mac_sysv_sem.c b/sys/security/mac/mac_sysv_sem.c
index e77331e..5f7c4f9 100644
--- a/sys/security/mac/mac_sysv_sem.c
+++ b/sys/security/mac/mac_sysv_sem.c
@@ -1,5 +1,6 @@
/*-
* Copyright (c) 2003-2004 Networks Associates Technology, Inc.
+ * Copyright (c) 2006 SPARTA, Inc.
* All rights reserved.
*
* This software was developed for the FreeBSD Project in part by Network
@@ -7,6 +8,9 @@
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
* as part of the DARPA CHATS research program.
*
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract
+ * N66001-04-C-6019 ("SEFOS").
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -58,12 +62,12 @@ mac_sysv_sem_label_alloc(void)
struct label *label;
label = mac_labelzone_alloc(M_WAITOK);
- MAC_PERFORM(init_sysv_sem_label, label);
+ MAC_PERFORM(sysvsem_init_label, label);
return (label);
}
void
-mac_init_sysv_sem(struct semid_kernel *semakptr)
+mac_sysvsem_init(struct semid_kernel *semakptr)
{
semakptr->label = mac_sysv_sem_label_alloc();
@@ -73,12 +77,12 @@ static void
mac_sysv_sem_label_free(struct label *label)
{
- MAC_PERFORM(destroy_sysv_sem_label, label);
+ MAC_PERFORM(sysvsem_destroy_label, label);
mac_labelzone_free(label);
}
void
-mac_destroy_sysv_sem(struct semid_kernel *semakptr)
+mac_sysvsem_destroy(struct semid_kernel *semakptr)
{
mac_sysv_sem_label_free(semakptr->label);
@@ -86,47 +90,48 @@ mac_destroy_sysv_sem(struct semid_kernel *semakptr)
}
void
-mac_create_sysv_sem(struct ucred *cred, struct semid_kernel *semakptr)
+mac_sysvsem_create(struct ucred *cred, struct semid_kernel *semakptr)
{
- MAC_PERFORM(create_sysv_sem, cred, semakptr, semakptr->label);
+ MAC_PERFORM(sysvsem_create, cred, semakptr, semakptr->label);
}
void
-mac_cleanup_sysv_sem(struct semid_kernel *semakptr)
+mac_sysvsem_cleanup(struct semid_kernel *semakptr)
{
- MAC_PERFORM(cleanup_sysv_sem, semakptr->label);
+ MAC_PERFORM(sysvsem_cleanup, semakptr->label);
}
int
-mac_check_sysv_semctl(struct ucred *cred, struct semid_kernel *semakptr,
+mac_sysvsem_check_semctl(struct ucred *cred, struct semid_kernel *semakptr,
int cmd)
{
int error;
- MAC_CHECK(check_sysv_semctl, cred, semakptr, semakptr->label, cmd);
+ MAC_CHECK(sysvsem_check_semctl, cred, semakptr, semakptr->label,
+ cmd);
return (error);
}
int
-mac_check_sysv_semget(struct ucred *cred, struct semid_kernel *semakptr)
+mac_sysvsem_check_semget(struct ucred *cred, struct semid_kernel *semakptr)
{
int error;
- MAC_CHECK(check_sysv_semget, cred, semakptr, semakptr->label);
+ MAC_CHECK(sysvsem_check_semget, cred, semakptr, semakptr->label);
return (error);
}
int
-mac_check_sysv_semop(struct ucred *cred, struct semid_kernel *semakptr,
+mac_sysvsem_check_semop(struct ucred *cred, struct semid_kernel *semakptr,
size_t accesstype)
{
int error;
- MAC_CHECK(check_sysv_semop, cred, semakptr, semakptr->label,
+ MAC_CHECK(sysvsem_check_semop, cred, semakptr, semakptr->label,
accesstype);
return (error);
diff --git a/sys/security/mac/mac_sysv_shm.c b/sys/security/mac/mac_sysv_shm.c
index 6cabeb4..05ec1e1 100644
--- a/sys/security/mac/mac_sysv_shm.c
+++ b/sys/security/mac/mac_sysv_shm.c
@@ -1,5 +1,6 @@
/*-
* Copyright (c) 2003-2004 Networks Associates Technology, Inc.
+ * Copyright (c) 2006 SPARTA, Inc.
* All rights reserved.
*
* This software was developed for the FreeBSD Project in part by Network
@@ -7,6 +8,9 @@
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
* as part of the DARPA CHATS research program.
*
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract
+ * N66001-04-C-6019 ("SEFOS").
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -58,12 +62,12 @@ mac_sysv_shm_label_alloc(void)
struct label *label;
label = mac_labelzone_alloc(M_WAITOK);
- MAC_PERFORM(init_sysv_shm_label, label);
+ MAC_PERFORM(sysvshm_init_label, label);
return (label);
}
void
-mac_init_sysv_shm(struct shmid_kernel *shmsegptr)
+mac_sysvshm_init(struct shmid_kernel *shmsegptr)
{
shmsegptr->label = mac_sysv_shm_label_alloc();
@@ -73,12 +77,12 @@ static void
mac_sysv_shm_label_free(struct label *label)
{
- MAC_PERFORM(destroy_sysv_shm_label, label);
+ MAC_PERFORM(sysvshm_destroy_label, label);
mac_labelzone_free(label);
}
void
-mac_destroy_sysv_shm(struct shmid_kernel *shmsegptr)
+mac_sysvshm_destroy(struct shmid_kernel *shmsegptr)
{
mac_sysv_shm_label_free(shmsegptr->label);
@@ -86,60 +90,60 @@ mac_destroy_sysv_shm(struct shmid_kernel *shmsegptr)
}
void
-mac_create_sysv_shm(struct ucred *cred, struct shmid_kernel *shmsegptr)
+mac_sysvshm_create(struct ucred *cred, struct shmid_kernel *shmsegptr)
{
- MAC_PERFORM(create_sysv_shm, cred, shmsegptr, shmsegptr->label);
+ MAC_PERFORM(sysvshm_create, cred, shmsegptr, shmsegptr->label);
}
void
-mac_cleanup_sysv_shm(struct shmid_kernel *shmsegptr)
+mac_sysvshm_cleanup(struct shmid_kernel *shmsegptr)
{
- MAC_PERFORM(cleanup_sysv_shm, shmsegptr->label);
+ MAC_PERFORM(sysvshm_cleanup, shmsegptr->label);
}
int
-mac_check_sysv_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr,
+mac_sysvshm_check_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr,
int shmflg)
{
int error;
- MAC_CHECK(check_sysv_shmat, cred, shmsegptr, shmsegptr->label,
+ MAC_CHECK(sysvshm_check_shmat, cred, shmsegptr, shmsegptr->label,
shmflg);
return (error);
}
int
-mac_check_sysv_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr,
+mac_sysvshm_check_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr,
int cmd)
{
int error;
- MAC_CHECK(check_sysv_shmctl, cred, shmsegptr, shmsegptr->label,
+ MAC_CHECK(sysvshm_check_shmctl, cred, shmsegptr, shmsegptr->label,
cmd);
return (error);
}
int
-mac_check_sysv_shmdt(struct ucred *cred, struct shmid_kernel *shmsegptr)
+mac_sysvshm_check_shmdt(struct ucred *cred, struct shmid_kernel *shmsegptr)
{
int error;
- MAC_CHECK(check_sysv_shmdt, cred, shmsegptr, shmsegptr->label);
+ MAC_CHECK(sysvshm_check_shmdt, cred, shmsegptr, shmsegptr->label);
return (error);
}
int
-mac_check_sysv_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr,
+mac_sysvshm_check_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr,
int shmflg)
{
int error;
- MAC_CHECK(check_sysv_shmget, cred, shmsegptr, shmsegptr->label,
+ MAC_CHECK(sysvshm_check_shmget, cred, shmsegptr, shmsegptr->label,
shmflg);
return (error);
diff --git a/sys/security/mac/mac_vfs.c b/sys/security/mac/mac_vfs.c
index ad6a0e6..d6546f6 100644
--- a/sys/security/mac/mac_vfs.c
+++ b/sys/security/mac/mac_vfs.c
@@ -77,7 +77,7 @@ __FBSDID("$FreeBSD$");
*/
static int ea_warn_once = 0;
-static int mac_setlabel_vnode_extattr(struct ucred *cred,
+static int mac_vnode_setlabel_extattr(struct ucred *cred,
struct vnode *vp, struct label *intlabel);
static struct label *
@@ -86,12 +86,12 @@ mac_devfs_label_alloc(void)
struct label *label;
label = mac_labelzone_alloc(M_WAITOK);
- MAC_PERFORM(init_devfs_label, label);
+ MAC_PERFORM(devfs_init_label, label);
return (label);
}
void
-mac_init_devfs(struct devfs_dirent *de)
+mac_devfs_init(struct devfs_dirent *de)
{
de->de_label = mac_devfs_label_alloc();
@@ -103,12 +103,12 @@ mac_mount_label_alloc(void)
struct label *label;
label = mac_labelzone_alloc(M_WAITOK);
- MAC_PERFORM(init_mount_label, label);
+ MAC_PERFORM(mount_init_label, label);
return (label);
}
void
-mac_init_mount(struct mount *mp)
+mac_mount_init(struct mount *mp)
{
mp->mnt_label = mac_mount_label_alloc();
@@ -120,12 +120,12 @@ mac_vnode_label_alloc(void)
struct label *label;
label = mac_labelzone_alloc(M_WAITOK);
- MAC_PERFORM(init_vnode_label, label);
+ MAC_PERFORM(vnode_init_label, label);
return (label);
}
void
-mac_init_vnode(struct vnode *vp)
+mac_vnode_init(struct vnode *vp)
{
vp->v_label = mac_vnode_label_alloc();
@@ -135,12 +135,12 @@ static void
mac_devfs_label_free(struct label *label)
{
- MAC_PERFORM(destroy_devfs_label, label);
+ MAC_PERFORM(devfs_destroy_label, label);
mac_labelzone_free(label);
}
void
-mac_destroy_devfs(struct devfs_dirent *de)
+mac_devfs_destroy(struct devfs_dirent *de)
{
mac_devfs_label_free(de->de_label);
@@ -151,12 +151,12 @@ static void
mac_mount_label_free(struct label *label)
{
- MAC_PERFORM(destroy_mount_label, label);
+ MAC_PERFORM(mount_destroy_label, label);
mac_labelzone_free(label);
}
void
-mac_destroy_mount(struct mount *mp)
+mac_mount_destroy(struct mount *mp)
{
mac_mount_label_free(mp->mnt_label);
@@ -167,12 +167,12 @@ void
mac_vnode_label_free(struct label *label)
{
- MAC_PERFORM(destroy_vnode_label, label);
+ MAC_PERFORM(vnode_destroy_label, label);
mac_labelzone_free(label);
}
void
-mac_destroy_vnode(struct vnode *vp)
+mac_vnode_destroy(struct vnode *vp)
{
mac_vnode_label_free(vp->v_label);
@@ -180,14 +180,14 @@ mac_destroy_vnode(struct vnode *vp)
}
void
-mac_copy_vnode_label(struct label *src, struct label *dest)
+mac_vnode_copy_label(struct label *src, struct label *dest)
{
- MAC_PERFORM(copy_vnode_label, src, dest);
+ MAC_PERFORM(vnode_copy_label, src, dest);
}
int
-mac_externalize_vnode_label(struct label *label, char *elements,
+mac_vnode_externalize_label(struct label *label, char *elements,
char *outbuf, size_t outbuflen)
{
int error;
@@ -198,7 +198,7 @@ mac_externalize_vnode_label(struct label *label, char *elements,
}
int
-mac_internalize_vnode_label(struct label *label, char *string)
+mac_vnode_internalize_label(struct label *label, char *string)
{
int error;
@@ -208,39 +208,39 @@ mac_internalize_vnode_label(struct label *label, char *string)
}
void
-mac_update_devfs(struct mount *mp, struct devfs_dirent *de, struct vnode *vp)
+mac_devfs_update(struct mount *mp, struct devfs_dirent *de, struct vnode *vp)
{
- MAC_PERFORM(update_devfs, mp, de, de->de_label, vp, vp->v_label);
+ MAC_PERFORM(devfs_update, mp, de, de->de_label, vp, vp->v_label);
}
void
-mac_associate_vnode_devfs(struct mount *mp, struct devfs_dirent *de,
+mac_devfs_vnode_associate(struct mount *mp, struct devfs_dirent *de,
struct vnode *vp)
{
- MAC_PERFORM(associate_vnode_devfs, mp, mp->mnt_label, de,
+ MAC_PERFORM(devfs_vnode_associate, mp, mp->mnt_label, de,
de->de_label, vp, vp->v_label);
}
int
-mac_associate_vnode_extattr(struct mount *mp, struct vnode *vp)
+mac_vnode_associate_extattr(struct mount *mp, struct vnode *vp)
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_associate_vnode_extattr");
+ ASSERT_VOP_LOCKED(vp, "mac_vnode_associate_extattr");
- MAC_CHECK(associate_vnode_extattr, mp, mp->mnt_label, vp,
+ MAC_CHECK(vnode_associate_extattr, mp, mp->mnt_label, vp,
vp->v_label);
return (error);
}
void
-mac_associate_vnode_singlelabel(struct mount *mp, struct vnode *vp)
+mac_vnode_associate_singlelabel(struct mount *mp, struct vnode *vp)
{
- MAC_PERFORM(associate_vnode_singlelabel, mp, mp->mnt_label, vp,
+ MAC_PERFORM(vnode_associate_singlelabel, mp, mp->mnt_label, vp,
vp->v_label);
}
@@ -254,13 +254,13 @@ mac_associate_vnode_singlelabel(struct mount *mp, struct vnode *vp)
* printf warning.
*/
int
-mac_create_vnode_extattr(struct ucred *cred, struct mount *mp,
+mac_vnode_create_extattr(struct ucred *cred, struct mount *mp,
struct vnode *dvp, struct vnode *vp, struct componentname *cnp)
{
int error;
- ASSERT_VOP_LOCKED(dvp, "mac_create_vnode_extattr");
- ASSERT_VOP_LOCKED(vp, "mac_create_vnode_extattr");
+ ASSERT_VOP_LOCKED(dvp, "mac_vnode_create_extattr");
+ ASSERT_VOP_LOCKED(vp, "mac_vnode_create_extattr");
error = VOP_OPENEXTATTR(vp, cred, curthread);
if (error == EOPNOTSUPP) {
@@ -272,7 +272,7 @@ mac_create_vnode_extattr(struct ucred *cred, struct mount *mp,
} else if (error)
return (error);
- MAC_CHECK(create_vnode_extattr, cred, mp, mp->mnt_label, dvp,
+ MAC_CHECK(vnode_create_extattr, cred, mp, mp->mnt_label, dvp,
dvp->v_label, vp, vp->v_label, cnp);
if (error) {
@@ -288,12 +288,12 @@ mac_create_vnode_extattr(struct ucred *cred, struct mount *mp,
}
static int
-mac_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
+mac_vnode_setlabel_extattr(struct ucred *cred, struct vnode *vp,
struct label *intlabel)
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_setlabel_vnode_extattr");
+ ASSERT_VOP_LOCKED(vp, "mac_vnode_setlabel_extattr");
error = VOP_OPENEXTATTR(vp, cred, curthread);
if (error == EOPNOTSUPP) {
@@ -305,7 +305,7 @@ mac_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
} else if (error)
return (error);
- MAC_CHECK(setlabel_vnode_extattr, cred, vp, vp->v_label, intlabel);
+ MAC_CHECK(vnode_setlabel_extattr, cred, vp, vp->v_label, intlabel);
if (error) {
VOP_CLOSEEXTATTR(vp, 0, NOCRED, curthread);
@@ -320,487 +320,488 @@ mac_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
}
void
-mac_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp,
- struct label *interpvnodelabel, struct image_params *imgp)
+mac_vnode_execve_transition(struct ucred *old, struct ucred *new,
+ struct vnode *vp, struct label *interpvnodelabel,
+ struct image_params *imgp)
{
- ASSERT_VOP_LOCKED(vp, "mac_execve_transition");
+ ASSERT_VOP_LOCKED(vp, "mac_vnode_execve_transition");
- MAC_PERFORM(execve_transition, old, new, vp, vp->v_label,
+ MAC_PERFORM(vnode_execve_transition, old, new, vp, vp->v_label,
interpvnodelabel, imgp, imgp->execlabel);
}
int
-mac_execve_will_transition(struct ucred *old, struct vnode *vp,
+mac_vnode_execve_will_transition(struct ucred *old, struct vnode *vp,
struct label *interpvnodelabel, struct image_params *imgp)
{
int result;
- ASSERT_VOP_LOCKED(vp, "mac_execve_will_transition");
+ ASSERT_VOP_LOCKED(vp, "mac_vnode_execve_will_transition");
result = 0;
- MAC_BOOLEAN(execve_will_transition, ||, old, vp, vp->v_label,
+ MAC_BOOLEAN(vnode_execve_will_transition, ||, old, vp, vp->v_label,
interpvnodelabel, imgp, imgp->execlabel);
return (result);
}
int
-mac_check_vnode_access(struct ucred *cred, struct vnode *vp, int acc_mode)
+mac_vnode_check_access(struct ucred *cred, struct vnode *vp, int acc_mode)
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_access");
+ ASSERT_VOP_LOCKED(vp, "mac_vnode_check_access");
- MAC_CHECK(check_vnode_access, cred, vp, vp->v_label, acc_mode);
+ MAC_CHECK(vnode_check_access, cred, vp, vp->v_label, acc_mode);
return (error);
}
int
-mac_check_vnode_chdir(struct ucred *cred, struct vnode *dvp)
+mac_vnode_check_chdir(struct ucred *cred, struct vnode *dvp)
{
int error;
- ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_chdir");
+ ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_chdir");
- MAC_CHECK(check_vnode_chdir, cred, dvp, dvp->v_label);
+ MAC_CHECK(vnode_check_chdir, cred, dvp, dvp->v_label);
return (error);
}
int
-mac_check_vnode_chroot(struct ucred *cred, struct vnode *dvp)
+mac_vnode_check_chroot(struct ucred *cred, struct vnode *dvp)
{
int error;
- ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_chroot");
+ ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_chroot");
- MAC_CHECK(check_vnode_chroot, cred, dvp, dvp->v_label);
+ MAC_CHECK(vnode_check_chroot, cred, dvp, dvp->v_label);
return (error);
}
int
-mac_check_vnode_create(struct ucred *cred, struct vnode *dvp,
+mac_vnode_check_create(struct ucred *cred, struct vnode *dvp,
struct componentname *cnp, struct vattr *vap)
{
int error;
- ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_create");
+ ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_create");
- MAC_CHECK(check_vnode_create, cred, dvp, dvp->v_label, cnp, vap);
+ MAC_CHECK(vnode_check_create, cred, dvp, dvp->v_label, cnp, vap);
return (error);
}
int
-mac_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
+mac_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp,
acl_type_t type)
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_deleteacl");
+ ASSERT_VOP_LOCKED(vp, "mac_vnode_check_deleteacl");
- MAC_CHECK(check_vnode_deleteacl, cred, vp, vp->v_label, type);
+ MAC_CHECK(vnode_check_deleteacl, cred, vp, vp->v_label, type);
return (error);
}
int
-mac_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
+mac_vnode_check_deleteextattr(struct ucred *cred, struct vnode *vp,
int attrnamespace, const char *name)
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_deleteextattr");
+ ASSERT_VOP_LOCKED(vp, "mac_vnode_check_deleteextattr");
- MAC_CHECK(check_vnode_deleteextattr, cred, vp, vp->v_label,
+ MAC_CHECK(vnode_check_deleteextattr, cred, vp, vp->v_label,
attrnamespace, name);
return (error);
}
int
-mac_check_vnode_exec(struct ucred *cred, struct vnode *vp,
+mac_vnode_check_exec(struct ucred *cred, struct vnode *vp,
struct image_params *imgp)
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_exec");
+ ASSERT_VOP_LOCKED(vp, "mac_vnode_check_exec");
- MAC_CHECK(check_vnode_exec, cred, vp, vp->v_label, imgp,
+ MAC_CHECK(vnode_check_exec, cred, vp, vp->v_label, imgp,
imgp->execlabel);
return (error);
}
int
-mac_check_vnode_getacl(struct ucred *cred, struct vnode *vp, acl_type_t type)
+mac_vnode_check_getacl(struct ucred *cred, struct vnode *vp, acl_type_t type)
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_getacl");
+ ASSERT_VOP_LOCKED(vp, "mac_vnode_check_getacl");
- MAC_CHECK(check_vnode_getacl, cred, vp, vp->v_label, type);
+ MAC_CHECK(vnode_check_getacl, cred, vp, vp->v_label, type);
return (error);
}
int
-mac_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
+mac_vnode_check_getextattr(struct ucred *cred, struct vnode *vp,
int attrnamespace, const char *name, struct uio *uio)
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_getextattr");
+ ASSERT_VOP_LOCKED(vp, "mac_vnode_check_getextattr");
- MAC_CHECK(check_vnode_getextattr, cred, vp, vp->v_label,
+ MAC_CHECK(vnode_check_getextattr, cred, vp, vp->v_label,
attrnamespace, name, uio);
return (error);
}
int
-mac_check_vnode_link(struct ucred *cred, struct vnode *dvp,
+mac_vnode_check_link(struct ucred *cred, struct vnode *dvp,
struct vnode *vp, struct componentname *cnp)
{
int error;
- ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_link");
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_link");
+ ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_link");
+ ASSERT_VOP_LOCKED(vp, "mac_vnode_check_link");
- MAC_CHECK(check_vnode_link, cred, dvp, dvp->v_label, vp,
+ MAC_CHECK(vnode_check_link, cred, dvp, dvp->v_label, vp,
vp->v_label, cnp);
return (error);
}
int
-mac_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
+mac_vnode_check_listextattr(struct ucred *cred, struct vnode *vp,
int attrnamespace)
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_listextattr");
+ ASSERT_VOP_LOCKED(vp, "mac_vnode_check_listextattr");
- MAC_CHECK(check_vnode_listextattr, cred, vp, vp->v_label,
+ MAC_CHECK(vnode_check_listextattr, cred, vp, vp->v_label,
attrnamespace);
return (error);
}
int
-mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
+mac_vnode_check_lookup(struct ucred *cred, struct vnode *dvp,
struct componentname *cnp)
{
int error;
- ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_lookup");
+ ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_lookup");
- MAC_CHECK(check_vnode_lookup, cred, dvp, dvp->v_label, cnp);
+ MAC_CHECK(vnode_check_lookup, cred, dvp, dvp->v_label, cnp);
return (error);
}
int
-mac_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
+mac_vnode_check_mmap(struct ucred *cred, struct vnode *vp,
int prot, int flags)
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_mmap");
+ ASSERT_VOP_LOCKED(vp, "mac_vnode_check_mmap");
- MAC_CHECK(check_vnode_mmap, cred, vp, vp->v_label, prot, flags);
+ MAC_CHECK(vnode_check_mmap, cred, vp, vp->v_label, prot, flags);
return (error);
}
void
-mac_check_vnode_mmap_downgrade(struct ucred *cred, struct vnode *vp, int *prot)
+mac_vnode_check_mmap_downgrade(struct ucred *cred, struct vnode *vp, int *prot)
{
int result = *prot;
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_mmap_downgrade");
+ ASSERT_VOP_LOCKED(vp, "mac_vnode_check_mmap_downgrade");
- MAC_PERFORM(check_vnode_mmap_downgrade, cred, vp, vp->v_label,
+ MAC_PERFORM(vnode_check_mmap_downgrade, cred, vp, vp->v_label,
&result);
*prot = result;
}
int
-mac_check_vnode_mprotect(struct ucred *cred, struct vnode *vp, int prot)
+mac_vnode_check_mprotect(struct ucred *cred, struct vnode *vp, int prot)
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_mprotect");
+ ASSERT_VOP_LOCKED(vp, "mac_vnode_check_mprotect");
- MAC_CHECK(check_vnode_mprotect, cred, vp, vp->v_label, prot);
+ MAC_CHECK(vnode_check_mprotect, cred, vp, vp->v_label, prot);
return (error);
}
int
-mac_check_vnode_open(struct ucred *cred, struct vnode *vp, int acc_mode)
+mac_vnode_check_open(struct ucred *cred, struct vnode *vp, int acc_mode)
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_open");
+ ASSERT_VOP_LOCKED(vp, "mac_vnode_check_open");
- MAC_CHECK(check_vnode_open, cred, vp, vp->v_label, acc_mode);
+ MAC_CHECK(vnode_check_open, cred, vp, vp->v_label, acc_mode);
return (error);
}
int
-mac_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
+mac_vnode_check_poll(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp)
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_poll");
+ ASSERT_VOP_LOCKED(vp, "mac_vnode_check_poll");
- MAC_CHECK(check_vnode_poll, active_cred, file_cred, vp,
+ MAC_CHECK(vnode_check_poll, active_cred, file_cred, vp,
vp->v_label);
return (error);
}
int
-mac_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
+mac_vnode_check_read(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp)
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_read");
+ ASSERT_VOP_LOCKED(vp, "mac_vnode_check_read");
- MAC_CHECK(check_vnode_read, active_cred, file_cred, vp,
+ MAC_CHECK(vnode_check_read, active_cred, file_cred, vp,
vp->v_label);
return (error);
}
int
-mac_check_vnode_readdir(struct ucred *cred, struct vnode *dvp)
+mac_vnode_check_readdir(struct ucred *cred, struct vnode *dvp)
{
int error;
- ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_readdir");
+ ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_readdir");
- MAC_CHECK(check_vnode_readdir, cred, dvp, dvp->v_label);
+ MAC_CHECK(vnode_check_readdir, cred, dvp, dvp->v_label);
return (error);
}
int
-mac_check_vnode_readlink(struct ucred *cred, struct vnode *vp)
+mac_vnode_check_readlink(struct ucred *cred, struct vnode *vp)
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_readlink");
+ ASSERT_VOP_LOCKED(vp, "mac_vnode_check_readlink");
- MAC_CHECK(check_vnode_readlink, cred, vp, vp->v_label);
+ MAC_CHECK(vnode_check_readlink, cred, vp, vp->v_label);
return (error);
}
static int
-mac_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
+mac_vnode_check_relabel(struct ucred *cred, struct vnode *vp,
struct label *newlabel)
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_relabel");
+ ASSERT_VOP_LOCKED(vp, "mac_vnode_check_relabel");
- MAC_CHECK(check_vnode_relabel, cred, vp, vp->v_label, newlabel);
+ MAC_CHECK(vnode_check_relabel, cred, vp, vp->v_label, newlabel);
return (error);
}
int
-mac_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
+mac_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp,
struct vnode *vp, struct componentname *cnp)
{
int error;
- ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_rename_from");
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_rename_from");
+ ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_rename_from");
+ ASSERT_VOP_LOCKED(vp, "mac_vnode_check_rename_from");
- MAC_CHECK(check_vnode_rename_from, cred, dvp, dvp->v_label, vp,
+ MAC_CHECK(vnode_check_rename_from, cred, dvp, dvp->v_label, vp,
vp->v_label, cnp);
return (error);
}
int
-mac_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
+mac_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp,
struct vnode *vp, int samedir, struct componentname *cnp)
{
int error;
- ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_rename_to");
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_rename_to");
+ ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_rename_to");
+ ASSERT_VOP_LOCKED(vp, "mac_vnode_check_rename_to");
- MAC_CHECK(check_vnode_rename_to, cred, dvp, dvp->v_label, vp,
+ MAC_CHECK(vnode_check_rename_to, cred, dvp, dvp->v_label, vp,
vp != NULL ? vp->v_label : NULL, samedir, cnp);
return (error);
}
int
-mac_check_vnode_revoke(struct ucred *cred, struct vnode *vp)
+mac_vnode_check_revoke(struct ucred *cred, struct vnode *vp)
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_revoke");
+ ASSERT_VOP_LOCKED(vp, "mac_vnode_check_revoke");
- MAC_CHECK(check_vnode_revoke, cred, vp, vp->v_label);
+ MAC_CHECK(vnode_check_revoke, cred, vp, vp->v_label);
return (error);
}
int
-mac_check_vnode_setacl(struct ucred *cred, struct vnode *vp, acl_type_t type,
+mac_vnode_check_setacl(struct ucred *cred, struct vnode *vp, acl_type_t type,
struct acl *acl)
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setacl");
+ ASSERT_VOP_LOCKED(vp, "mac_vnode_check_setacl");
- MAC_CHECK(check_vnode_setacl, cred, vp, vp->v_label, type, acl);
+ MAC_CHECK(vnode_check_setacl, cred, vp, vp->v_label, type, acl);
return (error);
}
int
-mac_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
+mac_vnode_check_setextattr(struct ucred *cred, struct vnode *vp,
int attrnamespace, const char *name, struct uio *uio)
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setextattr");
+ ASSERT_VOP_LOCKED(vp, "mac_vnode_check_setextattr");
- MAC_CHECK(check_vnode_setextattr, cred, vp, vp->v_label,
+ MAC_CHECK(vnode_check_setextattr, cred, vp, vp->v_label,
attrnamespace, name, uio);
return (error);
}
int
-mac_check_vnode_setflags(struct ucred *cred, struct vnode *vp, u_long flags)
+mac_vnode_check_setflags(struct ucred *cred, struct vnode *vp, u_long flags)
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setflags");
+ ASSERT_VOP_LOCKED(vp, "mac_vnode_check_setflags");
- MAC_CHECK(check_vnode_setflags, cred, vp, vp->v_label, flags);
+ MAC_CHECK(vnode_check_setflags, cred, vp, vp->v_label, flags);
return (error);
}
int
-mac_check_vnode_setmode(struct ucred *cred, struct vnode *vp, mode_t mode)
+mac_vnode_check_setmode(struct ucred *cred, struct vnode *vp, mode_t mode)
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setmode");
+ ASSERT_VOP_LOCKED(vp, "mac_vnode_check_setmode");
- MAC_CHECK(check_vnode_setmode, cred, vp, vp->v_label, mode);
+ MAC_CHECK(vnode_check_setmode, cred, vp, vp->v_label, mode);
return (error);
}
int
-mac_check_vnode_setowner(struct ucred *cred, struct vnode *vp, uid_t uid,
+mac_vnode_check_setowner(struct ucred *cred, struct vnode *vp, uid_t uid,
gid_t gid)
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setowner");
+ ASSERT_VOP_LOCKED(vp, "mac_vnode_check_setowner");
- MAC_CHECK(check_vnode_setowner, cred, vp, vp->v_label, uid, gid);
+ MAC_CHECK(vnode_check_setowner, cred, vp, vp->v_label, uid, gid);
return (error);
}
int
-mac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
+mac_vnode_check_setutimes(struct ucred *cred, struct vnode *vp,
struct timespec atime, struct timespec mtime)
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_setutimes");
+ ASSERT_VOP_LOCKED(vp, "mac_vnode_check_setutimes");
- MAC_CHECK(check_vnode_setutimes, cred, vp, vp->v_label, atime,
+ MAC_CHECK(vnode_check_setutimes, cred, vp, vp->v_label, atime,
mtime);
return (error);
}
int
-mac_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
+mac_vnode_check_stat(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp)
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_stat");
+ ASSERT_VOP_LOCKED(vp, "mac_vnode_check_stat");
- MAC_CHECK(check_vnode_stat, active_cred, file_cred, vp,
+ MAC_CHECK(vnode_check_stat, active_cred, file_cred, vp,
vp->v_label);
return (error);
}
int
-mac_check_vnode_unlink(struct ucred *cred, struct vnode *dvp, struct vnode *vp,
+mac_vnode_check_unlink(struct ucred *cred, struct vnode *dvp, struct vnode *vp,
struct componentname *cnp)
{
int error;
- ASSERT_VOP_LOCKED(dvp, "mac_check_vnode_unlink");
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_unlink");
+ ASSERT_VOP_LOCKED(dvp, "mac_vnode_check_unlink");
+ ASSERT_VOP_LOCKED(vp, "mac_vnode_check_unlink");
- MAC_CHECK(check_vnode_unlink, cred, dvp, dvp->v_label, vp,
+ MAC_CHECK(vnode_check_unlink, cred, dvp, dvp->v_label, vp,
vp->v_label, cnp);
return (error);
}
int
-mac_check_vnode_write(struct ucred *active_cred, struct ucred *file_cred,
+mac_vnode_check_write(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp)
{
int error;
- ASSERT_VOP_LOCKED(vp, "mac_check_vnode_write");
+ ASSERT_VOP_LOCKED(vp, "mac_vnode_check_write");
- MAC_CHECK(check_vnode_write, active_cred, file_cred, vp,
+ MAC_CHECK(vnode_check_write, active_cred, file_cred, vp,
vp->v_label);
return (error);
}
void
-mac_relabel_vnode(struct ucred *cred, struct vnode *vp, struct label *newlabel)
+mac_vnode_relabel(struct ucred *cred, struct vnode *vp, struct label *newlabel)
{
- MAC_PERFORM(relabel_vnode, cred, vp, vp->v_label, newlabel);
+ MAC_PERFORM(vnode_relabel, cred, vp, vp->v_label, newlabel);
}
void
-mac_create_mount(struct ucred *cred, struct mount *mp)
+mac_mount_create(struct ucred *cred, struct mount *mp)
{
- MAC_PERFORM(create_mount, cred, mp, mp->mnt_label);
+ MAC_PERFORM(mount_create, cred, mp, mp->mnt_label);
}
int
-mac_check_mount_stat(struct ucred *cred, struct mount *mount)
+mac_mount_check_stat(struct ucred *cred, struct mount *mount)
{
int error;
- MAC_CHECK(check_mount_stat, cred, mount, mount->mnt_label);
+ MAC_CHECK(mount_check_stat, cred, mount, mount->mnt_label);
return (error);
}
void
-mac_create_devfs_device(struct ucred *cred, struct mount *mp,
+mac_devfs_create_device(struct ucred *cred, struct mount *mp,
struct cdev *dev, struct devfs_dirent *de)
{
- MAC_PERFORM(create_devfs_device, cred, mp, dev, de, de->de_label);
+ MAC_PERFORM(devfs_create_device, cred, mp, dev, de, de->de_label);
}
void
-mac_create_devfs_symlink(struct ucred *cred, struct mount *mp,
+mac_devfs_create_symlink(struct ucred *cred, struct mount *mp,
struct devfs_dirent *dd, struct devfs_dirent *de)
{
- MAC_PERFORM(create_devfs_symlink, cred, mp, dd, dd->de_label, de,
+ MAC_PERFORM(devfs_create_symlink, cred, mp, dd, dd->de_label, de,
de->de_label);
}
void
-mac_create_devfs_directory(struct mount *mp, char *dirname, int dirnamelen,
+mac_devfs_create_directory(struct mount *mp, char *dirname, int dirnamelen,
struct devfs_dirent *de)
{
- MAC_PERFORM(create_devfs_directory, mp, dirname, dirnamelen, de,
+ MAC_PERFORM(devfs_create_directory, mp, dirname, dirnamelen, de,
de->de_label);
}
@@ -821,11 +822,11 @@ vop_stdsetlabel_ea(struct vop_setlabel_args *ap)
if ((vp->v_mount->mnt_flag & MNT_MULTILABEL) == 0)
return (EOPNOTSUPP);
- error = mac_setlabel_vnode_extattr(ap->a_cred, vp, intlabel);
+ error = mac_vnode_setlabel_extattr(ap->a_cred, vp, intlabel);
if (error)
return (error);
- mac_relabel_vnode(ap->a_cred, vp, intlabel);
+ mac_vnode_relabel(ap->a_cred, vp, intlabel);
return (0);
}
@@ -853,7 +854,7 @@ vn_setlabel(struct vnode *vp, struct label *intlabel, struct ucred *cred)
* Question: maybe the filesystem should update the vnode at the end
* as part of VOP_SETLABEL()?
*/
- error = mac_check_vnode_relabel(cred, vp, intlabel);
+ error = mac_vnode_check_relabel(cred, vp, intlabel);
if (error)
return (error);
diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c
index 5a87aee..2b66972 100644
--- a/sys/security/mac_biba/mac_biba.c
+++ b/sys/security/mac_biba/mac_biba.c
@@ -1,6 +1,7 @@
/*-
* Copyright (c) 1999-2002, 2007 Robert N. M. Watson
* Copyright (c) 2001-2005 McAfee, Inc.
+ * Copyright (c) 2006 SPARTA, Inc.
* All rights reserved.
*
* This software was developed by Robert Watson for the TrustedBSD Project.
@@ -10,6 +11,9 @@
* DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA
* CHATS research program.
*
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract
+ * N66001-04-C-6019 ("SEFOS").
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -783,7 +787,7 @@ mac_biba_copy_label(struct label *src, struct label *dest)
* a lot like file system objects.
*/
static void
-mac_biba_create_devfs_device(struct ucred *cred, struct mount *mp,
+mac_biba_devfs_create_device(struct ucred *cred, struct mount *mp,
struct cdev *dev, struct devfs_dirent *de, struct label *delabel)
{
struct mac_biba *mac_biba;
@@ -805,7 +809,7 @@ mac_biba_create_devfs_device(struct ucred *cred, struct mount *mp,
}
static void
-mac_biba_create_devfs_directory(struct mount *mp, char *dirname,
+mac_biba_devfs_create_directory(struct mount *mp, char *dirname,
int dirnamelen, struct devfs_dirent *de, struct label *delabel)
{
struct mac_biba *mac_biba;
@@ -815,7 +819,7 @@ mac_biba_create_devfs_directory(struct mount *mp, char *dirname,
}
static void
-mac_biba_create_devfs_symlink(struct ucred *cred, struct mount *mp,
+mac_biba_devfs_create_symlink(struct ucred *cred, struct mount *mp,
struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de,
struct label *delabel)
{
@@ -828,7 +832,7 @@ mac_biba_create_devfs_symlink(struct ucred *cred, struct mount *mp,
}
static void
-mac_biba_create_mount(struct ucred *cred, struct mount *mp,
+mac_biba_mount_create(struct ucred *cred, struct mount *mp,
struct label *mplabel)
{
struct mac_biba *source, *dest;
@@ -839,7 +843,7 @@ mac_biba_create_mount(struct ucred *cred, struct mount *mp,
}
static void
-mac_biba_relabel_vnode(struct ucred *cred, struct vnode *vp,
+mac_biba_vnode_relabel(struct ucred *cred, struct vnode *vp,
struct label *vplabel, struct label *newlabel)
{
struct mac_biba *source, *dest;
@@ -851,7 +855,7 @@ mac_biba_relabel_vnode(struct ucred *cred, struct vnode *vp,
}
static void
-mac_biba_update_devfs(struct mount *mp, struct devfs_dirent *de,
+mac_biba_devfs_update(struct mount *mp, struct devfs_dirent *de,
struct label *delabel, struct vnode *vp, struct label *vplabel)
{
struct mac_biba *source, *dest;
@@ -863,7 +867,7 @@ mac_biba_update_devfs(struct mount *mp, struct devfs_dirent *de,
}
static void
-mac_biba_associate_vnode_devfs(struct mount *mp, struct label *mntlabel,
+mac_biba_devfs_vnode_associate(struct mount *mp, struct label *mntlabel,
struct devfs_dirent *de, struct label *delabel, struct vnode *vp,
struct label *vplabel)
{
@@ -876,7 +880,7 @@ mac_biba_associate_vnode_devfs(struct mount *mp, struct label *mntlabel,
}
static int
-mac_biba_associate_vnode_extattr(struct mount *mp, struct label *mplabel,
+mac_biba_vnode_associate_extattr(struct mount *mp, struct label *mplabel,
struct vnode *vp, struct label *vplabel)
{
struct mac_biba temp, *source, *dest;
@@ -898,16 +902,16 @@ mac_biba_associate_vnode_extattr(struct mount *mp, struct label *mplabel,
return (error);
if (buflen != sizeof(temp)) {
- printf("mac_biba_associate_vnode_extattr: bad size %d\n",
+ printf("mac_biba_vnode_associate_extattr: bad size %d\n",
buflen);
return (EPERM);
}
if (mac_biba_valid(&temp) != 0) {
- printf("mac_biba_associate_vnode_extattr: invalid\n");
+ printf("mac_biba_vnode_associate_extattr: invalid\n");
return (EPERM);
}
if ((temp.mb_flags & MAC_BIBA_FLAGS_BOTH) != MAC_BIBA_FLAG_EFFECTIVE) {
- printf("mac_biba_associate_vnode_extattr: not effective\n");
+ printf("mac_biba_vnode_associate_extattr: not effective\n");
return (EPERM);
}
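Review bot: The three `printf` diagnostics in this hunk hard-code the function name, so the rename has to edit each string by hand, and any console-log match on the old `mac_biba_associate_vnode_extattr:` prefix stops firing once this lands. Using `__func__`, e.g. `printf("%s: bad size %d\n", __func__, buflen);` and likewise for the `invalid` and `not effective` cases, keeps the prefix tied to the symbol and rules out a stale name after the next rename. These messages appear to be the only record that a stored label failed the size, validity or effective-flag check before `EPERM` is returned, so log rules that watch for them should be updated together with this commit. The function starts and ends outside the hunk, so how `buflen` is declared (and whether `%d` matches it) cannot be checked from here.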
@@ -916,7 +920,7 @@ mac_biba_associate_vnode_extattr(struct mount *mp, struct label *mplabel,
}
static void
-mac_biba_associate_vnode_singlelabel(struct mount *mp,
+mac_biba_vnode_associate_singlelabel(struct mount *mp,
struct label *mplabel, struct vnode *vp, struct label *vplabel)
{
struct mac_biba *source, *dest;
@@ -928,7 +932,7 @@ mac_biba_associate_vnode_singlelabel(struct mount *mp,
}
static int
-mac_biba_create_vnode_extattr(struct ucred *cred, struct mount *mp,
+mac_biba_vnode_create_extattr(struct ucred *cred, struct mount *mp,
struct label *mplabel, struct vnode *dvp, struct label *dvplabel,
struct vnode *vp, struct label *vplabel, struct componentname *cnp)
{
@@ -951,7 +955,7 @@ mac_biba_create_vnode_extattr(struct ucred *cred, struct mount *mp,
}
static int
-mac_biba_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
+mac_biba_vnode_setlabel_extattr(struct ucred *cred, struct vnode *vp,
struct label *vplabel, struct label *intlabel)
{
struct mac_biba *source, temp;
@@ -976,7 +980,7 @@ mac_biba_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
* Labeling event operations: IPC object.
*/
static void
-mac_biba_create_inpcb_from_socket(struct socket *so, struct label *solabel,
+mac_biba_inpcb_create(struct socket *so, struct label *solabel,
struct inpcb *inp, struct label *inplabel)
{
struct mac_biba *source, *dest;
@@ -988,7 +992,7 @@ mac_biba_create_inpcb_from_socket(struct socket *so, struct label *solabel,
}
static void
-mac_biba_create_mbuf_from_socket(struct socket *so, struct label *solabel,
+mac_biba_socket_create_mbuf(struct socket *so, struct label *solabel,
struct mbuf *m, struct label *mlabel)
{
struct mac_biba *source, *dest;
@@ -1000,7 +1004,7 @@ mac_biba_create_mbuf_from_socket(struct socket *so, struct label *solabel,
}
static void
-mac_biba_create_socket(struct ucred *cred, struct socket *so,
+mac_biba_socket_create(struct ucred *cred, struct socket *so,
struct label *solabel)
{
struct mac_biba *source, *dest;
@@ -1012,7 +1016,7 @@ mac_biba_create_socket(struct ucred *cred, struct socket *so,
}
static void
-mac_biba_create_pipe(struct ucred *cred, struct pipepair *pp,
+mac_biba_pipe_create(struct ucred *cred, struct pipepair *pp,
struct label *pplabel)
{
struct mac_biba *source, *dest;
@@ -1024,7 +1028,7 @@ mac_biba_create_pipe(struct ucred *cred, struct pipepair *pp,
}
static void
-mac_biba_create_posix_sem(struct ucred *cred, struct ksem *ks,
+mac_biba_posixsem_create(struct ucred *cred, struct ksem *ks,
struct label *kslabel)
{
struct mac_biba *source, *dest;
@@ -1036,8 +1040,8 @@ mac_biba_create_posix_sem(struct ucred *cred, struct ksem *ks,
}
static void
-mac_biba_create_socket_from_socket(struct socket *oldso,
- struct label *oldsolabel, struct socket *newso, struct label *newsolabel)
+mac_biba_socket_newconn(struct socket *oldso, struct label *oldsolabel,
+ struct socket *newso, struct label *newsolabel)
{
struct mac_biba *source, *dest;
@@ -1048,7 +1052,7 @@ mac_biba_create_socket_from_socket(struct socket *oldso,
}
static void
-mac_biba_relabel_socket(struct ucred *cred, struct socket *so,
+mac_biba_socket_relabel(struct ucred *cred, struct socket *so,
struct label *solabel, struct label *newlabel)
{
struct mac_biba *source, *dest;
@@ -1060,7 +1064,7 @@ mac_biba_relabel_socket(struct ucred *cred, struct socket *so,
}
static void
-mac_biba_relabel_pipe(struct ucred *cred, struct pipepair *pp,
+mac_biba_pipe_relabel(struct ucred *cred, struct pipepair *pp,
struct label *pplabel, struct label *newlabel)
{
struct mac_biba *source, *dest;
@@ -1072,7 +1076,7 @@ mac_biba_relabel_pipe(struct ucred *cred, struct pipepair *pp,
}
static void
-mac_biba_set_socket_peer_from_mbuf(struct mbuf *m, struct label *mlabel,
+mac_biba_socketpeer_set_from_mbuf(struct mbuf *m, struct label *mlabel,
struct socket *so, struct label *sopeerlabel)
{
struct mac_biba *source, *dest;
@@ -1087,7 +1091,7 @@ mac_biba_set_socket_peer_from_mbuf(struct mbuf *m, struct label *mlabel,
* Labeling event operations: System V IPC objects.
*/
static void
-mac_biba_create_sysv_msgmsg(struct ucred *cred, struct msqid_kernel *msqkptr,
+mac_biba_sysvmsg_create(struct ucred *cred, struct msqid_kernel *msqkptr,
struct label *msqlabel, struct msg *msgptr, struct label *msglabel)
{
struct mac_biba *source, *dest;
@@ -1100,7 +1104,7 @@ mac_biba_create_sysv_msgmsg(struct ucred *cred, struct msqid_kernel *msqkptr,
}
static void
-mac_biba_create_sysv_msgqueue(struct ucred *cred,
+mac_biba_sysvmsq_create(struct ucred *cred,
struct msqid_kernel *msqkptr, struct label *msqlabel)
{
struct mac_biba *source, *dest;
@@ -1112,7 +1116,7 @@ mac_biba_create_sysv_msgqueue(struct ucred *cred,
}
static void
-mac_biba_create_sysv_sem(struct ucred *cred, struct semid_kernel *semakptr,
+mac_biba_sysvsem_create(struct ucred *cred, struct semid_kernel *semakptr,
struct label *semalabel)
{
struct mac_biba *source, *dest;
@@ -1124,7 +1128,7 @@ mac_biba_create_sysv_sem(struct ucred *cred, struct semid_kernel *semakptr,
}
static void
-mac_biba_create_sysv_shm(struct ucred *cred, struct shmid_kernel *shmsegptr,
+mac_biba_sysvshm_create(struct ucred *cred, struct shmid_kernel *shmsegptr,
struct label *shmlabel)
{
struct mac_biba *source, *dest;
@@ -1139,7 +1143,7 @@ mac_biba_create_sysv_shm(struct ucred *cred, struct shmid_kernel *shmsegptr,
* Labeling event operations: network objects.
*/
static void
-mac_biba_set_socket_peer_from_socket(struct socket *oldso,
+mac_biba_socketpeer_set_from_socket(struct socket *oldso,
struct label *oldsolabel, struct socket *newso,
struct label *newsopeerlabel)
{
@@ -1152,7 +1156,7 @@ mac_biba_set_socket_peer_from_socket(struct socket *oldso,
}
static void
-mac_biba_create_bpfdesc(struct ucred *cred, struct bpf_d *d,
+mac_biba_bpfdesc_create(struct ucred *cred, struct bpf_d *d,
struct label *dlabel)
{
struct mac_biba *source, *dest;
@@ -1164,7 +1168,7 @@ mac_biba_create_bpfdesc(struct ucred *cred, struct bpf_d *d,
}
static void
-mac_biba_create_ifnet(struct ifnet *ifp, struct label *ifplabel)
+mac_biba_ifnet_create(struct ifnet *ifp, struct label *ifplabel)
{
char tifname[IFNAMSIZ], *p, *q;
char tiflist[sizeof(trusted_interfaces)];
@@ -1221,7 +1225,7 @@ set:
}
static void
-mac_biba_create_ipq(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
+mac_biba_ipq_create(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
struct label *ipqlabel)
{
struct mac_biba *source, *dest;
@@ -1233,7 +1237,7 @@ mac_biba_create_ipq(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
}
static void
-mac_biba_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel,
+mac_biba_ipq_reassemble(struct ipq *ipq, struct label *ipqlabel,
struct mbuf *m, struct label *mlabel)
{
struct mac_biba *source, *dest;
@@ -1246,7 +1250,7 @@ mac_biba_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel,
}
static void
-mac_biba_create_fragment(struct mbuf *m, struct label *mlabel,
+mac_biba_netinet_fragment(struct mbuf *m, struct label *mlabel,
struct mbuf *frag, struct label *fraglabel)
{
struct mac_biba *source, *dest;
@@ -1258,7 +1262,7 @@ mac_biba_create_fragment(struct mbuf *m, struct label *mlabel,
}
static void
-mac_biba_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel,
+mac_biba_inpcb_create_mbuf(struct inpcb *inp, struct label *inplabel,
struct mbuf *m, struct label *mlabel)
{
struct mac_biba *source, *dest;
@@ -1281,7 +1285,7 @@ mac_biba_create_mbuf_linklayer(struct ifnet *ifp, struct label *ifplabel,
}
static void
-mac_biba_create_mbuf_from_bpfdesc(struct bpf_d *d, struct label *dlabel,
+mac_biba_bpfdesc_create_mbuf(struct bpf_d *d, struct label *dlabel,
struct mbuf *m, struct label *mlabel)
{
struct mac_biba *source, *dest;
@@ -1293,7 +1297,7 @@ mac_biba_create_mbuf_from_bpfdesc(struct bpf_d *d, struct label *dlabel,
}
static void
-mac_biba_create_mbuf_from_ifnet(struct ifnet *ifp, struct label *ifplabel,
+mac_biba_ifnet_create_mbuf(struct ifnet *ifp, struct label *ifplabel,
struct mbuf *m, struct label *mlabel)
{
struct mac_biba *source, *dest;
@@ -1305,7 +1309,7 @@ mac_biba_create_mbuf_from_ifnet(struct ifnet *ifp, struct label *ifplabel,
}
static void
-mac_biba_create_mbuf_multicast_encap(struct mbuf *m, struct label *mlabel,
+mac_biba_mbuf_create_multicast_encap(struct mbuf *m, struct label *mlabel,
struct ifnet *ifp, struct label *ifplabel, struct mbuf *mnew,
struct label *mnewlabel)
{
@@ -1318,7 +1322,7 @@ mac_biba_create_mbuf_multicast_encap(struct mbuf *m, struct label *mlabel,
}
static void
-mac_biba_create_mbuf_netlayer(struct mbuf *m, struct label *mlabel,
+mac_biba_mbuf_create_netlayer(struct mbuf *m, struct label *mlabel,
struct mbuf *newm, struct label *mnewlabel)
{
struct mac_biba *source, *dest;
@@ -1330,8 +1334,8 @@ mac_biba_create_mbuf_netlayer(struct mbuf *m, struct label *mlabel,
}
static int
-mac_biba_fragment_match(struct mbuf *m, struct label *mlabel,
- struct ipq *ipq, struct label *ipqlabel)
+mac_biba_ipq_match(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
+ struct label *ipqlabel)
{
struct mac_biba *a, *b;
@@ -1342,7 +1346,7 @@ mac_biba_fragment_match(struct mbuf *m, struct label *mlabel,
}
static void
-mac_biba_relabel_ifnet(struct ucred *cred, struct ifnet *ifp,
+mac_biba_ifnet_relabel(struct ucred *cred, struct ifnet *ifp,
struct label *ifplabel, struct label *newlabel)
{
struct mac_biba *source, *dest;
@@ -1354,7 +1358,7 @@ mac_biba_relabel_ifnet(struct ucred *cred, struct ifnet *ifp,
}
static void
-mac_biba_update_ipq(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
+mac_biba_ipq_update(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
struct label *ipqlabel)
{
@@ -1374,7 +1378,7 @@ mac_biba_inpcb_sosetlabel(struct socket *so, struct label *solabel,
}
static void
-mac_biba_create_mbuf_from_firewall(struct mbuf *m, struct label *label)
+mac_biba_mbuf_create_from_firewall(struct mbuf *m, struct label *label)
{
struct mac_biba *dest;
@@ -1388,7 +1392,7 @@ mac_biba_create_mbuf_from_firewall(struct mbuf *m, struct label *label)
* Labeling event operations: processes.
*/
static void
-mac_biba_create_proc0(struct ucred *cred)
+mac_biba_proc_create_swapper(struct ucred *cred)
{
struct mac_biba *dest;
@@ -1400,7 +1404,7 @@ mac_biba_create_proc0(struct ucred *cred)
}
static void
-mac_biba_create_proc1(struct ucred *cred)
+mac_biba_proc_create_init(struct ucred *cred)
{
struct mac_biba *dest;
@@ -1412,7 +1416,7 @@ mac_biba_create_proc1(struct ucred *cred)
}
static void
-mac_biba_relabel_cred(struct ucred *cred, struct label *newlabel)
+mac_biba_cred_relabel(struct ucred *cred, struct label *newlabel)
{
struct mac_biba *source, *dest;
@@ -1426,28 +1430,28 @@ mac_biba_relabel_cred(struct ucred *cred, struct label *newlabel)
* Label cleanup/flush operations
*/
static void
-mac_biba_cleanup_sysv_msgmsg(struct label *msglabel)
+mac_biba_sysvmsg_cleanup(struct label *msglabel)
{
bzero(SLOT(msglabel), sizeof(struct mac_biba));
}
static void
-mac_biba_cleanup_sysv_msgqueue(struct label *msqlabel)
+mac_biba_sysvmsq_cleanup(struct label *msqlabel)
{
bzero(SLOT(msqlabel), sizeof(struct mac_biba));
}
static void
-mac_biba_cleanup_sysv_sem(struct label *semalabel)
+mac_biba_sysvsem_cleanup(struct label *semalabel)
{
bzero(SLOT(semalabel), sizeof(struct mac_biba));
}
static void
-mac_biba_cleanup_sysv_shm(struct label *shmlabel)
+mac_biba_sysvshm_cleanup(struct label *shmlabel)
{
bzero(SLOT(shmlabel), sizeof(struct mac_biba));
}
@@ -1456,7 +1460,7 @@ mac_biba_cleanup_sysv_shm(struct label *shmlabel)
* Access control checks.
*/
static int
-mac_biba_check_bpfdesc_receive(struct bpf_d *d, struct label *dlabel,
+mac_biba_bpfdesc_check_receive(struct bpf_d *d, struct label *dlabel,
struct ifnet *ifp, struct label *ifplabel)
{
struct mac_biba *a, *b;
@@ -1473,7 +1477,7 @@ mac_biba_check_bpfdesc_receive(struct bpf_d *d, struct label *dlabel,
}
static int
-mac_biba_check_cred_relabel(struct ucred *cred, struct label *newlabel)
+mac_biba_cred_check_relabel(struct ucred *cred, struct label *newlabel)
{
struct mac_biba *subj, *new;
int error;
@@ -1535,7 +1539,7 @@ mac_biba_check_cred_relabel(struct ucred *cred, struct label *newlabel)
}
static int
-mac_biba_check_cred_visible(struct ucred *u1, struct ucred *u2)
+mac_biba_cred_check_visible(struct ucred *u1, struct ucred *u2)
{
struct mac_biba *subj, *obj;
@@ -1553,7 +1557,7 @@ mac_biba_check_cred_visible(struct ucred *u1, struct ucred *u2)
}
static int
-mac_biba_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifp,
+mac_biba_ifnet_check_relabel(struct ucred *cred, struct ifnet *ifp,
struct label *ifplabel, struct label *newlabel)
{
struct mac_biba *subj, *new;
@@ -1581,7 +1585,7 @@ mac_biba_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifp,
}
static int
-mac_biba_check_ifnet_transmit(struct ifnet *ifp, struct label *ifplabel,
+mac_biba_ifnet_check_transmit(struct ifnet *ifp, struct label *ifplabel,
struct mbuf *m, struct label *mlabel)
{
struct mac_biba *p, *i;
@@ -1596,7 +1600,7 @@ mac_biba_check_ifnet_transmit(struct ifnet *ifp, struct label *ifplabel,
}
static int
-mac_biba_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel,
+mac_biba_inpcb_check_deliver(struct inpcb *inp, struct label *inplabel,
struct mbuf *m, struct label *mlabel)
{
struct mac_biba *p, *i;
@@ -1611,7 +1615,7 @@ mac_biba_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel,
}
static int
-mac_biba_check_sysv_msgrcv(struct ucred *cred, struct msg *msgptr,
+mac_biba_sysvmsq_check_msgrcv(struct ucred *cred, struct msg *msgptr,
struct label *msglabel)
{
struct mac_biba *subj, *obj;
@@ -1629,7 +1633,7 @@ mac_biba_check_sysv_msgrcv(struct ucred *cred, struct msg *msgptr,
}
static int
-mac_biba_check_sysv_msgrmid(struct ucred *cred, struct msg *msgptr,
+mac_biba_sysvmsq_check_msgrmid(struct ucred *cred, struct msg *msgptr,
struct label *msglabel)
{
struct mac_biba *subj, *obj;
@@ -1647,8 +1651,8 @@ mac_biba_check_sysv_msgrmid(struct ucred *cred, struct msg *msgptr,
}
static int
-mac_biba_check_sysv_msqget(struct ucred *cred, struct msqid_kernel *msqkptr,
- struct label *msqklabel)
+mac_biba_sysvmsq_check_msqget(struct ucred *cred,
+ struct msqid_kernel *msqkptr, struct label *msqklabel)
{
struct mac_biba *subj, *obj;
@@ -1665,8 +1669,8 @@ mac_biba_check_sysv_msqget(struct ucred *cred, struct msqid_kernel *msqkptr,
}
static int
-mac_biba_check_sysv_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr,
- struct label *msqklabel)
+mac_biba_sysvmsq_check_msqsnd(struct ucred *cred,
+ struct msqid_kernel *msqkptr, struct label *msqklabel)
{
struct mac_biba *subj, *obj;
@@ -1683,8 +1687,8 @@ mac_biba_check_sysv_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr,
}
static int
-mac_biba_check_sysv_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr,
- struct label *msqklabel)
+mac_biba_sysvmsq_check_msqrcv(struct ucred *cred,
+ struct msqid_kernel *msqkptr, struct label *msqklabel)
{
struct mac_biba *subj, *obj;
@@ -1702,8 +1706,8 @@ mac_biba_check_sysv_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr,
static int
-mac_biba_check_sysv_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr,
- struct label *msqklabel, int cmd)
+mac_biba_sysvmsq_check_msqctl(struct ucred *cred,
+ struct msqid_kernel *msqkptr, struct label *msqklabel, int cmd)
{
struct mac_biba *subj, *obj;
@@ -1733,8 +1737,8 @@ mac_biba_check_sysv_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr,
}
static int
-mac_biba_check_sysv_semctl(struct ucred *cred, struct semid_kernel *semakptr,
- struct label *semaklabel, int cmd)
+mac_biba_sysvsem_check_semctl(struct ucred *cred,
+ struct semid_kernel *semakptr, struct label *semaklabel, int cmd)
{
struct mac_biba *subj, *obj;
@@ -1771,8 +1775,8 @@ mac_biba_check_sysv_semctl(struct ucred *cred, struct semid_kernel *semakptr,
}
static int
-mac_biba_check_sysv_semget(struct ucred *cred, struct semid_kernel *semakptr,
- struct label *semaklabel)
+mac_biba_sysvsem_check_semget(struct ucred *cred,
+ struct semid_kernel *semakptr, struct label *semaklabel)
{
struct mac_biba *subj, *obj;
@@ -1790,8 +1794,9 @@ mac_biba_check_sysv_semget(struct ucred *cred, struct semid_kernel *semakptr,
static int
-mac_biba_check_sysv_semop(struct ucred *cred, struct semid_kernel *semakptr,
- struct label *semaklabel, size_t accesstype)
+mac_biba_sysvsem_check_semop(struct ucred *cred,
+ struct semid_kernel *semakptr, struct label *semaklabel,
+ size_t accesstype)
{
struct mac_biba *subj, *obj;
@@ -1813,8 +1818,8 @@ mac_biba_check_sysv_semop(struct ucred *cred, struct semid_kernel *semakptr,
}
static int
-mac_biba_check_sysv_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr,
- struct label *shmseglabel, int shmflg)
+mac_biba_sysvshm_check_shmat(struct ucred *cred,
+ struct shmid_kernel *shmsegptr, struct label *shmseglabel, int shmflg)
{
struct mac_biba *subj, *obj;
@@ -1835,8 +1840,8 @@ mac_biba_check_sysv_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr,
}
static int
-mac_biba_check_sysv_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr,
- struct label *shmseglabel, int cmd)
+mac_biba_sysvshm_check_shmctl(struct ucred *cred,
+ struct shmid_kernel *shmsegptr, struct label *shmseglabel, int cmd)
{
struct mac_biba *subj, *obj;
@@ -1867,8 +1872,8 @@ mac_biba_check_sysv_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr,
}
static int
-mac_biba_check_sysv_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr,
- struct label *shmseglabel, int shmflg)
+mac_biba_sysvshm_check_shmget(struct ucred *cred,
+ struct shmid_kernel *shmsegptr, struct label *shmseglabel, int shmflg)
{
struct mac_biba *subj, *obj;
@@ -1885,7 +1890,7 @@ mac_biba_check_sysv_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr,
}
static int
-mac_biba_check_kld_load(struct ucred *cred, struct vnode *vp,
+mac_biba_kld_check_load(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
struct mac_biba *subj, *obj;
@@ -1908,7 +1913,7 @@ mac_biba_check_kld_load(struct ucred *cred, struct vnode *vp,
}
static int
-mac_biba_check_mount_stat(struct ucred *cred, struct mount *mp,
+mac_biba_mount_check_stat(struct ucred *cred, struct mount *mp,
struct label *mplabel)
{
struct mac_biba *subj, *obj;
@@ -1926,7 +1931,7 @@ mac_biba_check_mount_stat(struct ucred *cred, struct mount *mp,
}
static int
-mac_biba_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp,
+mac_biba_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp,
struct label *pplabel, unsigned long cmd, void /* caddr_t */ *data)
{
@@ -1939,7 +1944,7 @@ mac_biba_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp,
}
static int
-mac_biba_check_pipe_poll(struct ucred *cred, struct pipepair *pp,
+mac_biba_pipe_check_poll(struct ucred *cred, struct pipepair *pp,
struct label *pplabel)
{
struct mac_biba *subj, *obj;
@@ -1957,7 +1962,7 @@ mac_biba_check_pipe_poll(struct ucred *cred, struct pipepair *pp,
}
static int
-mac_biba_check_pipe_read(struct ucred *cred, struct pipepair *pp,
+mac_biba_pipe_check_read(struct ucred *cred, struct pipepair *pp,
struct label *pplabel)
{
struct mac_biba *subj, *obj;
@@ -1975,7 +1980,7 @@ mac_biba_check_pipe_read(struct ucred *cred, struct pipepair *pp,
}
static int
-mac_biba_check_pipe_relabel(struct ucred *cred, struct pipepair *pp,
+mac_biba_pipe_check_relabel(struct ucred *cred, struct pipepair *pp,
struct label *pplabel, struct label *newlabel)
{
struct mac_biba *subj, *obj, *new;
@@ -2026,7 +2031,7 @@ mac_biba_check_pipe_relabel(struct ucred *cred, struct pipepair *pp,
}
static int
-mac_biba_check_pipe_stat(struct ucred *cred, struct pipepair *pp,
+mac_biba_pipe_check_stat(struct ucred *cred, struct pipepair *pp,
struct label *pplabel)
{
struct mac_biba *subj, *obj;
@@ -2044,7 +2049,7 @@ mac_biba_check_pipe_stat(struct ucred *cred, struct pipepair *pp,
}
static int
-mac_biba_check_pipe_write(struct ucred *cred, struct pipepair *pp,
+mac_biba_pipe_check_write(struct ucred *cred, struct pipepair *pp,
struct label *pplabel)
{
struct mac_biba *subj, *obj;
@@ -2062,7 +2067,7 @@ mac_biba_check_pipe_write(struct ucred *cred, struct pipepair *pp,
}
static int
-mac_biba_check_posix_sem_write(struct ucred *cred, struct ksem *ks,
+mac_biba_posixsem_check_write(struct ucred *cred, struct ksem *ks,
struct label *kslabel)
{
struct mac_biba *subj, *obj;
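Review bot: The new name `mac_biba_posixsem_check_write` has the `<object>_check_<method>` shape of an entry point, but the `mac_biba_ops` table later in this diff assigns it to `.mpo_posixsem_check_destroy` and `.mpo_posixsem_check_open`, so it is a helper shared by several entry points and not the implementation of a "write" method. Anyone auditing which semaphore operations the policy gates through this check has to read the table to find that out; a comment above the function would make it explicit, for example `/* Shared check: wired to several mpo_posixsem_check_* entry points in mac_biba_ops. */`. The same applies to `mac_biba_posixsem_check_rdonly` in the next hunk, which the table assigns to `.mpo_posixsem_check_getvalue`. The function body continues outside this hunk, so what the check compares is not visible here.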
@@ -2080,7 +2085,7 @@ mac_biba_check_posix_sem_write(struct ucred *cred, struct ksem *ks,
}
static int
-mac_biba_check_posix_sem_rdonly(struct ucred *cred, struct ksem *ks,
+mac_biba_posixsem_check_rdonly(struct ucred *cred, struct ksem *ks,
struct label *kslabel)
{
struct mac_biba *subj, *obj;
@@ -2098,7 +2103,7 @@ mac_biba_check_posix_sem_rdonly(struct ucred *cred, struct ksem *ks,
}
static int
-mac_biba_check_proc_debug(struct ucred *cred, struct proc *p)
+mac_biba_proc_check_debug(struct ucred *cred, struct proc *p)
{
struct mac_biba *subj, *obj;
@@ -2118,7 +2123,7 @@ mac_biba_check_proc_debug(struct ucred *cred, struct proc *p)
}
static int
-mac_biba_check_proc_sched(struct ucred *cred, struct proc *p)
+mac_biba_proc_check_sched(struct ucred *cred, struct proc *p)
{
struct mac_biba *subj, *obj;
@@ -2138,7 +2143,7 @@ mac_biba_check_proc_sched(struct ucred *cred, struct proc *p)
}
static int
-mac_biba_check_proc_signal(struct ucred *cred, struct proc *p, int signum)
+mac_biba_proc_check_signal(struct ucred *cred, struct proc *p, int signum)
{
struct mac_biba *subj, *obj;
@@ -2158,7 +2163,7 @@ mac_biba_check_proc_signal(struct ucred *cred, struct proc *p, int signum)
}
static int
-mac_biba_check_socket_deliver(struct socket *so, struct label *solabel,
+mac_biba_socket_check_deliver(struct socket *so, struct label *solabel,
struct mbuf *m, struct label *mlabel)
{
struct mac_biba *p, *s;
@@ -2173,7 +2178,7 @@ mac_biba_check_socket_deliver(struct socket *so, struct label *solabel,
}
static int
-mac_biba_check_socket_relabel(struct ucred *cred, struct socket *so,
+mac_biba_socket_check_relabel(struct ucred *cred, struct socket *so,
struct label *solabel, struct label *newlabel)
{
struct mac_biba *subj, *obj, *new;
@@ -2224,7 +2229,7 @@ mac_biba_check_socket_relabel(struct ucred *cred, struct socket *so,
}
static int
-mac_biba_check_socket_visible(struct ucred *cred, struct socket *so,
+mac_biba_socket_check_visible(struct ucred *cred, struct socket *so,
struct label *solabel)
{
struct mac_biba *subj, *obj;
@@ -2431,7 +2436,7 @@ mac_biba_priv_check(struct ucred *cred, int priv)
}
static int
-mac_biba_check_system_acct(struct ucred *cred, struct vnode *vp,
+mac_biba_system_check_acct(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
struct mac_biba *subj, *obj;
@@ -2457,7 +2462,7 @@ mac_biba_check_system_acct(struct ucred *cred, struct vnode *vp,
}
static int
-mac_biba_check_system_auditctl(struct ucred *cred, struct vnode *vp,
+mac_biba_system_check_auditctl(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
struct mac_biba *subj, *obj;
@@ -2483,7 +2488,7 @@ mac_biba_check_system_auditctl(struct ucred *cred, struct vnode *vp,
}
static int
-mac_biba_check_system_auditon(struct ucred *cred, int cmd)
+mac_biba_system_check_auditon(struct ucred *cred, int cmd)
{
struct mac_biba *subj;
int error;
@@ -2501,7 +2506,7 @@ mac_biba_check_system_auditon(struct ucred *cred, int cmd)
}
static int
-mac_biba_check_system_swapon(struct ucred *cred, struct vnode *vp,
+mac_biba_system_check_swapon(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
struct mac_biba *subj, *obj;
@@ -2524,7 +2529,7 @@ mac_biba_check_system_swapon(struct ucred *cred, struct vnode *vp,
}
static int
-mac_biba_check_system_swapoff(struct ucred *cred, struct vnode *vp,
+mac_biba_system_check_swapoff(struct ucred *cred, struct vnode *vp,
struct label *label)
{
struct mac_biba *subj;
@@ -2543,7 +2548,7 @@ mac_biba_check_system_swapoff(struct ucred *cred, struct vnode *vp,
}
static int
-mac_biba_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
+mac_biba_system_check_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
void *arg1, int arg2, struct sysctl_req *req)
{
struct mac_biba *subj;
@@ -2571,7 +2576,7 @@ mac_biba_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
}
static int
-mac_biba_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
+mac_biba_vnode_check_chdir(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel)
{
struct mac_biba *subj, *obj;
@@ -2589,7 +2594,7 @@ mac_biba_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
}
static int
-mac_biba_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
+mac_biba_vnode_check_chroot(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel)
{
struct mac_biba *subj, *obj;
@@ -2607,7 +2612,7 @@ mac_biba_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
}
static int
-mac_biba_check_vnode_create(struct ucred *cred, struct vnode *dvp,
+mac_biba_vnode_check_create(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct componentname *cnp, struct vattr *vap)
{
struct mac_biba *subj, *obj;
@@ -2625,7 +2630,7 @@ mac_biba_check_vnode_create(struct ucred *cred, struct vnode *dvp,
}
static int
-mac_biba_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
+mac_biba_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp,
struct label *vplabel, acl_type_t type)
{
struct mac_biba *subj, *obj;
@@ -2643,7 +2648,7 @@ mac_biba_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
}
static int
-mac_biba_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
+mac_biba_vnode_check_deleteextattr(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int attrnamespace, const char *name)
{
struct mac_biba *subj, *obj;
@@ -2661,7 +2666,7 @@ mac_biba_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
}
static int
-mac_biba_check_vnode_exec(struct ucred *cred, struct vnode *vp,
+mac_biba_vnode_check_exec(struct ucred *cred, struct vnode *vp,
struct label *vplabel, struct image_params *imgp,
struct label *execlabel)
{
@@ -2693,7 +2698,7 @@ mac_biba_check_vnode_exec(struct ucred *cred, struct vnode *vp,
}
static int
-mac_biba_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
+mac_biba_vnode_check_getacl(struct ucred *cred, struct vnode *vp,
struct label *vplabel, acl_type_t type)
{
struct mac_biba *subj, *obj;
@@ -2711,7 +2716,7 @@ mac_biba_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
}
static int
-mac_biba_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
+mac_biba_vnode_check_getextattr(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int attrnamespace, const char *name,
struct uio *uio)
{
@@ -2730,7 +2735,7 @@ mac_biba_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
}
static int
-mac_biba_check_vnode_link(struct ucred *cred, struct vnode *dvp,
+mac_biba_vnode_check_link(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct vnode *vp, struct label *vplabel,
struct componentname *cnp)
{
@@ -2754,7 +2759,7 @@ mac_biba_check_vnode_link(struct ucred *cred, struct vnode *dvp,
}
static int
-mac_biba_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
+mac_biba_vnode_check_listextattr(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int attrnamespace)
{
struct mac_biba *subj, *obj;
@@ -2772,7 +2777,7 @@ mac_biba_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
}
static int
-mac_biba_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
+mac_biba_vnode_check_lookup(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct componentname *cnp)
{
struct mac_biba *subj, *obj;
@@ -2790,7 +2795,7 @@ mac_biba_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
}
static int
-mac_biba_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
+mac_biba_vnode_check_mmap(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int prot, int flags)
{
struct mac_biba *subj, *obj;
@@ -2818,7 +2823,7 @@ mac_biba_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
}
static int
-mac_biba_check_vnode_open(struct ucred *cred, struct vnode *vp,
+mac_biba_vnode_check_open(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int acc_mode)
{
struct mac_biba *subj, *obj;
@@ -2843,7 +2848,7 @@ mac_biba_check_vnode_open(struct ucred *cred, struct vnode *vp,
}
static int
-mac_biba_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
+mac_biba_vnode_check_poll(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp, struct label *vplabel)
{
struct mac_biba *subj, *obj;
@@ -2861,7 +2866,7 @@ mac_biba_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
}
static int
-mac_biba_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
+mac_biba_vnode_check_read(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp, struct label *vplabel)
{
struct mac_biba *subj, *obj;
@@ -2879,7 +2884,7 @@ mac_biba_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
}
static int
-mac_biba_check_vnode_readdir(struct ucred *cred, struct vnode *dvp,
+mac_biba_vnode_check_readdir(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel)
{
struct mac_biba *subj, *obj;
@@ -2897,7 +2902,7 @@ mac_biba_check_vnode_readdir(struct ucred *cred, struct vnode *dvp,
}
static int
-mac_biba_check_vnode_readlink(struct ucred *cred, struct vnode *vp,
+mac_biba_vnode_check_readlink(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
struct mac_biba *subj, *obj;
@@ -2915,7 +2920,7 @@ mac_biba_check_vnode_readlink(struct ucred *cred, struct vnode *vp,
}
static int
-mac_biba_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
+mac_biba_vnode_check_relabel(struct ucred *cred, struct vnode *vp,
struct label *vplabel, struct label *newlabel)
{
struct mac_biba *old, *new, *subj;
@@ -2966,7 +2971,7 @@ mac_biba_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
}
static int
-mac_biba_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
+mac_biba_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct vnode *vp, struct label *vplabel,
struct componentname *cnp)
{
@@ -2990,7 +2995,7 @@ mac_biba_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
}
static int
-mac_biba_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
+mac_biba_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct vnode *vp, struct label *vplabel,
int samedir, struct componentname *cnp)
{
@@ -3016,7 +3021,7 @@ mac_biba_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
}
static int
-mac_biba_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
+mac_biba_vnode_check_revoke(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
struct mac_biba *subj, *obj;
@@ -3034,7 +3039,7 @@ mac_biba_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
}
static int
-mac_biba_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
+mac_biba_vnode_check_setacl(struct ucred *cred, struct vnode *vp,
struct label *vplabel, acl_type_t type, struct acl *acl)
{
struct mac_biba *subj, *obj;
@@ -3052,7 +3057,7 @@ mac_biba_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
}
static int
-mac_biba_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
+mac_biba_vnode_check_setextattr(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int attrnamespace, const char *name,
struct uio *uio)
{
@@ -3073,7 +3078,7 @@ mac_biba_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
}
static int
-mac_biba_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
+mac_biba_vnode_check_setflags(struct ucred *cred, struct vnode *vp,
struct label *vplabel, u_long flags)
{
struct mac_biba *subj, *obj;
@@ -3091,7 +3096,7 @@ mac_biba_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
}
static int
-mac_biba_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
+mac_biba_vnode_check_setmode(struct ucred *cred, struct vnode *vp,
struct label *vplabel, mode_t mode)
{
struct mac_biba *subj, *obj;
@@ -3109,7 +3114,7 @@ mac_biba_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
}
static int
-mac_biba_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
+mac_biba_vnode_check_setowner(struct ucred *cred, struct vnode *vp,
struct label *vplabel, uid_t uid, gid_t gid)
{
struct mac_biba *subj, *obj;
@@ -3127,7 +3132,7 @@ mac_biba_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
}
static int
-mac_biba_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
+mac_biba_vnode_check_setutimes(struct ucred *cred, struct vnode *vp,
struct label *vplabel, struct timespec atime, struct timespec mtime)
{
struct mac_biba *subj, *obj;
@@ -3145,7 +3150,7 @@ mac_biba_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
}
static int
-mac_biba_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
+mac_biba_vnode_check_stat(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp, struct label *vplabel)
{
struct mac_biba *subj, *obj;
@@ -3163,7 +3168,7 @@ mac_biba_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
}
static int
-mac_biba_check_vnode_unlink(struct ucred *cred, struct vnode *dvp,
+mac_biba_vnode_check_unlink(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct vnode *vp, struct label *vplabel,
struct componentname *cnp)
{
@@ -3187,7 +3192,7 @@ mac_biba_check_vnode_unlink(struct ucred *cred, struct vnode *dvp,
}
static int
-mac_biba_check_vnode_write(struct ucred *active_cred,
+mac_biba_vnode_check_write(struct ucred *active_cred,
struct ucred *file_cred, struct vnode *vp, struct label *vplabel)
{
struct mac_biba *subj, *obj;
@@ -3239,185 +3244,185 @@ mac_biba_create_mbuf_from_syncache(struct label *sc_label, struct mbuf *m,
static struct mac_policy_ops mac_biba_ops =
{
.mpo_init = mac_biba_init,
- .mpo_init_bpfdesc_label = mac_biba_init_label,
- .mpo_init_cred_label = mac_biba_init_label,
- .mpo_init_devfs_label = mac_biba_init_label,
- .mpo_init_ifnet_label = mac_biba_init_label,
- .mpo_init_inpcb_label = mac_biba_init_label_waitcheck,
+ .mpo_bpfdesc_init_label = mac_biba_init_label,
+ .mpo_cred_init_label = mac_biba_init_label,
+ .mpo_devfs_init_label = mac_biba_init_label,
+ .mpo_ifnet_init_label = mac_biba_init_label,
+ .mpo_inpcb_init_label = mac_biba_init_label_waitcheck,
.mpo_init_syncache_label = mac_biba_init_label_waitcheck,
- .mpo_init_sysv_msgmsg_label = mac_biba_init_label,
- .mpo_init_sysv_msgqueue_label = mac_biba_init_label,
- .mpo_init_sysv_sem_label = mac_biba_init_label,
- .mpo_init_sysv_shm_label = mac_biba_init_label,
- .mpo_init_ipq_label = mac_biba_init_label_waitcheck,
- .mpo_init_mbuf_label = mac_biba_init_label_waitcheck,
- .mpo_init_mount_label = mac_biba_init_label,
- .mpo_init_pipe_label = mac_biba_init_label,
- .mpo_init_posix_sem_label = mac_biba_init_label,
- .mpo_init_socket_label = mac_biba_init_label_waitcheck,
- .mpo_init_socket_peer_label = mac_biba_init_label_waitcheck,
+ .mpo_sysvmsg_init_label = mac_biba_init_label,
+ .mpo_sysvmsq_init_label = mac_biba_init_label,
+ .mpo_sysvsem_init_label = mac_biba_init_label,
+ .mpo_sysvshm_init_label = mac_biba_init_label,
+ .mpo_ipq_init_label = mac_biba_init_label_waitcheck,
+ .mpo_mbuf_init_label = mac_biba_init_label_waitcheck,
+ .mpo_mount_init_label = mac_biba_init_label,
+ .mpo_pipe_init_label = mac_biba_init_label,
+ .mpo_posixsem_init_label = mac_biba_init_label,
+ .mpo_socket_init_label = mac_biba_init_label_waitcheck,
+ .mpo_socketpeer_init_label = mac_biba_init_label_waitcheck,
.mpo_init_syncache_from_inpcb = mac_biba_init_syncache_from_inpcb,
- .mpo_init_vnode_label = mac_biba_init_label,
- .mpo_destroy_bpfdesc_label = mac_biba_destroy_label,
- .mpo_destroy_cred_label = mac_biba_destroy_label,
- .mpo_destroy_devfs_label = mac_biba_destroy_label,
- .mpo_destroy_ifnet_label = mac_biba_destroy_label,
- .mpo_destroy_inpcb_label = mac_biba_destroy_label,
+ .mpo_vnode_init_label = mac_biba_init_label,
+ .mpo_bpfdesc_destroy_label = mac_biba_destroy_label,
+ .mpo_cred_destroy_label = mac_biba_destroy_label,
+ .mpo_devfs_destroy_label = mac_biba_destroy_label,
+ .mpo_ifnet_destroy_label = mac_biba_destroy_label,
+ .mpo_inpcb_destroy_label = mac_biba_destroy_label,
.mpo_destroy_syncache_label = mac_biba_destroy_label,
- .mpo_destroy_sysv_msgmsg_label = mac_biba_destroy_label,
- .mpo_destroy_sysv_msgqueue_label = mac_biba_destroy_label,
- .mpo_destroy_sysv_sem_label = mac_biba_destroy_label,
- .mpo_destroy_sysv_shm_label = mac_biba_destroy_label,
- .mpo_destroy_ipq_label = mac_biba_destroy_label,
- .mpo_destroy_mbuf_label = mac_biba_destroy_label,
- .mpo_destroy_mount_label = mac_biba_destroy_label,
- .mpo_destroy_pipe_label = mac_biba_destroy_label,
- .mpo_destroy_posix_sem_label = mac_biba_destroy_label,
- .mpo_destroy_socket_label = mac_biba_destroy_label,
- .mpo_destroy_socket_peer_label = mac_biba_destroy_label,
- .mpo_destroy_vnode_label = mac_biba_destroy_label,
- .mpo_copy_cred_label = mac_biba_copy_label,
- .mpo_copy_ifnet_label = mac_biba_copy_label,
- .mpo_copy_mbuf_label = mac_biba_copy_label,
- .mpo_copy_pipe_label = mac_biba_copy_label,
- .mpo_copy_socket_label = mac_biba_copy_label,
- .mpo_copy_vnode_label = mac_biba_copy_label,
- .mpo_externalize_cred_label = mac_biba_externalize_label,
- .mpo_externalize_ifnet_label = mac_biba_externalize_label,
- .mpo_externalize_pipe_label = mac_biba_externalize_label,
- .mpo_externalize_socket_label = mac_biba_externalize_label,
- .mpo_externalize_socket_peer_label = mac_biba_externalize_label,
- .mpo_externalize_vnode_label = mac_biba_externalize_label,
- .mpo_internalize_cred_label = mac_biba_internalize_label,
- .mpo_internalize_ifnet_label = mac_biba_internalize_label,
- .mpo_internalize_pipe_label = mac_biba_internalize_label,
- .mpo_internalize_socket_label = mac_biba_internalize_label,
- .mpo_internalize_vnode_label = mac_biba_internalize_label,
- .mpo_create_devfs_device = mac_biba_create_devfs_device,
- .mpo_create_devfs_directory = mac_biba_create_devfs_directory,
- .mpo_create_devfs_symlink = mac_biba_create_devfs_symlink,
- .mpo_create_mount = mac_biba_create_mount,
- .mpo_relabel_vnode = mac_biba_relabel_vnode,
- .mpo_update_devfs = mac_biba_update_devfs,
- .mpo_associate_vnode_devfs = mac_biba_associate_vnode_devfs,
- .mpo_associate_vnode_extattr = mac_biba_associate_vnode_extattr,
- .mpo_associate_vnode_singlelabel = mac_biba_associate_vnode_singlelabel,
- .mpo_create_vnode_extattr = mac_biba_create_vnode_extattr,
- .mpo_setlabel_vnode_extattr = mac_biba_setlabel_vnode_extattr,
- .mpo_create_mbuf_from_socket = mac_biba_create_mbuf_from_socket,
+ .mpo_sysvmsg_destroy_label = mac_biba_destroy_label,
+ .mpo_sysvmsq_destroy_label = mac_biba_destroy_label,
+ .mpo_sysvsem_destroy_label = mac_biba_destroy_label,
+ .mpo_sysvshm_destroy_label = mac_biba_destroy_label,
+ .mpo_ipq_destroy_label = mac_biba_destroy_label,
+ .mpo_mbuf_destroy_label = mac_biba_destroy_label,
+ .mpo_mount_destroy_label = mac_biba_destroy_label,
+ .mpo_pipe_destroy_label = mac_biba_destroy_label,
+ .mpo_posixsem_destroy_label = mac_biba_destroy_label,
+ .mpo_socket_destroy_label = mac_biba_destroy_label,
+ .mpo_socketpeer_destroy_label = mac_biba_destroy_label,
+ .mpo_vnode_destroy_label = mac_biba_destroy_label,
+ .mpo_cred_copy_label = mac_biba_copy_label,
+ .mpo_ifnet_copy_label = mac_biba_copy_label,
+ .mpo_mbuf_copy_label = mac_biba_copy_label,
+ .mpo_pipe_copy_label = mac_biba_copy_label,
+ .mpo_socket_copy_label = mac_biba_copy_label,
+ .mpo_vnode_copy_label = mac_biba_copy_label,
+ .mpo_cred_externalize_label = mac_biba_externalize_label,
+ .mpo_ifnet_externalize_label = mac_biba_externalize_label,
+ .mpo_pipe_externalize_label = mac_biba_externalize_label,
+ .mpo_socket_externalize_label = mac_biba_externalize_label,
+ .mpo_socketpeer_externalize_label = mac_biba_externalize_label,
+ .mpo_vnode_externalize_label = mac_biba_externalize_label,
+ .mpo_cred_internalize_label = mac_biba_internalize_label,
+ .mpo_ifnet_internalize_label = mac_biba_internalize_label,
+ .mpo_pipe_internalize_label = mac_biba_internalize_label,
+ .mpo_socket_internalize_label = mac_biba_internalize_label,
+ .mpo_vnode_internalize_label = mac_biba_internalize_label,
+ .mpo_devfs_create_device = mac_biba_devfs_create_device,
+ .mpo_devfs_create_directory = mac_biba_devfs_create_directory,
+ .mpo_devfs_create_symlink = mac_biba_devfs_create_symlink,
+ .mpo_mount_create = mac_biba_mount_create,
+ .mpo_vnode_relabel = mac_biba_vnode_relabel,
+ .mpo_devfs_update = mac_biba_devfs_update,
+ .mpo_devfs_vnode_associate = mac_biba_devfs_vnode_associate,
+ .mpo_vnode_associate_extattr = mac_biba_vnode_associate_extattr,
+ .mpo_vnode_associate_singlelabel = mac_biba_vnode_associate_singlelabel,
+ .mpo_vnode_create_extattr = mac_biba_vnode_create_extattr,
+ .mpo_vnode_setlabel_extattr = mac_biba_vnode_setlabel_extattr,
+ .mpo_socket_create_mbuf = mac_biba_socket_create_mbuf,
.mpo_create_mbuf_from_syncache = mac_biba_create_mbuf_from_syncache,
- .mpo_create_pipe = mac_biba_create_pipe,
- .mpo_create_posix_sem = mac_biba_create_posix_sem,
- .mpo_create_socket = mac_biba_create_socket,
- .mpo_create_socket_from_socket = mac_biba_create_socket_from_socket,
- .mpo_relabel_pipe = mac_biba_relabel_pipe,
- .mpo_relabel_socket = mac_biba_relabel_socket,
- .mpo_set_socket_peer_from_mbuf = mac_biba_set_socket_peer_from_mbuf,
- .mpo_set_socket_peer_from_socket = mac_biba_set_socket_peer_from_socket,
- .mpo_create_bpfdesc = mac_biba_create_bpfdesc,
- .mpo_create_datagram_from_ipq = mac_biba_create_datagram_from_ipq,
- .mpo_create_fragment = mac_biba_create_fragment,
- .mpo_create_ifnet = mac_biba_create_ifnet,
- .mpo_create_inpcb_from_socket = mac_biba_create_inpcb_from_socket,
- .mpo_create_sysv_msgmsg = mac_biba_create_sysv_msgmsg,
- .mpo_create_sysv_msgqueue = mac_biba_create_sysv_msgqueue,
- .mpo_create_sysv_sem = mac_biba_create_sysv_sem,
- .mpo_create_sysv_shm = mac_biba_create_sysv_shm,
- .mpo_create_ipq = mac_biba_create_ipq,
- .mpo_create_mbuf_from_inpcb = mac_biba_create_mbuf_from_inpcb,
+ .mpo_pipe_create = mac_biba_pipe_create,
+ .mpo_posixsem_create = mac_biba_posixsem_create,
+ .mpo_socket_create = mac_biba_socket_create,
+ .mpo_socket_newconn = mac_biba_socket_newconn,
+ .mpo_pipe_relabel = mac_biba_pipe_relabel,
+ .mpo_socket_relabel = mac_biba_socket_relabel,
+ .mpo_socketpeer_set_from_mbuf = mac_biba_socketpeer_set_from_mbuf,
+ .mpo_socketpeer_set_from_socket = mac_biba_socketpeer_set_from_socket,
+ .mpo_bpfdesc_create = mac_biba_bpfdesc_create,
+ .mpo_ipq_reassemble = mac_biba_ipq_reassemble,
+ .mpo_netinet_fragment = mac_biba_netinet_fragment,
+ .mpo_ifnet_create = mac_biba_ifnet_create,
+ .mpo_inpcb_create = mac_biba_inpcb_create,
+ .mpo_sysvmsg_create = mac_biba_sysvmsg_create,
+ .mpo_sysvmsq_create = mac_biba_sysvmsq_create,
+ .mpo_sysvsem_create = mac_biba_sysvsem_create,
+ .mpo_sysvshm_create = mac_biba_sysvshm_create,
+ .mpo_ipq_create = mac_biba_ipq_create,
+ .mpo_inpcb_create_mbuf = mac_biba_inpcb_create_mbuf,
.mpo_create_mbuf_linklayer = mac_biba_create_mbuf_linklayer,
- .mpo_create_mbuf_from_bpfdesc = mac_biba_create_mbuf_from_bpfdesc,
- .mpo_create_mbuf_from_ifnet = mac_biba_create_mbuf_from_ifnet,
- .mpo_create_mbuf_multicast_encap = mac_biba_create_mbuf_multicast_encap,
- .mpo_create_mbuf_netlayer = mac_biba_create_mbuf_netlayer,
- .mpo_fragment_match = mac_biba_fragment_match,
- .mpo_relabel_ifnet = mac_biba_relabel_ifnet,
- .mpo_update_ipq = mac_biba_update_ipq,
+ .mpo_bpfdesc_create_mbuf = mac_biba_bpfdesc_create_mbuf,
+ .mpo_ifnet_create_mbuf = mac_biba_ifnet_create_mbuf,
+ .mpo_mbuf_create_multicast_encap = mac_biba_mbuf_create_multicast_encap,
+ .mpo_mbuf_create_netlayer = mac_biba_mbuf_create_netlayer,
+ .mpo_ipq_match = mac_biba_ipq_match,
+ .mpo_ifnet_relabel = mac_biba_ifnet_relabel,
+ .mpo_ipq_update = mac_biba_ipq_update,
.mpo_inpcb_sosetlabel = mac_biba_inpcb_sosetlabel,
- .mpo_create_proc0 = mac_biba_create_proc0,
- .mpo_create_proc1 = mac_biba_create_proc1,
- .mpo_relabel_cred = mac_biba_relabel_cred,
- .mpo_cleanup_sysv_msgmsg = mac_biba_cleanup_sysv_msgmsg,
- .mpo_cleanup_sysv_msgqueue = mac_biba_cleanup_sysv_msgqueue,
- .mpo_cleanup_sysv_sem = mac_biba_cleanup_sysv_sem,
- .mpo_cleanup_sysv_shm = mac_biba_cleanup_sysv_shm,
- .mpo_check_bpfdesc_receive = mac_biba_check_bpfdesc_receive,
- .mpo_check_cred_relabel = mac_biba_check_cred_relabel,
- .mpo_check_cred_visible = mac_biba_check_cred_visible,
- .mpo_check_ifnet_relabel = mac_biba_check_ifnet_relabel,
- .mpo_check_ifnet_transmit = mac_biba_check_ifnet_transmit,
- .mpo_check_inpcb_deliver = mac_biba_check_inpcb_deliver,
- .mpo_check_sysv_msgrcv = mac_biba_check_sysv_msgrcv,
- .mpo_check_sysv_msgrmid = mac_biba_check_sysv_msgrmid,
- .mpo_check_sysv_msqget = mac_biba_check_sysv_msqget,
- .mpo_check_sysv_msqsnd = mac_biba_check_sysv_msqsnd,
- .mpo_check_sysv_msqrcv = mac_biba_check_sysv_msqrcv,
- .mpo_check_sysv_msqctl = mac_biba_check_sysv_msqctl,
- .mpo_check_sysv_semctl = mac_biba_check_sysv_semctl,
- .mpo_check_sysv_semget = mac_biba_check_sysv_semget,
- .mpo_check_sysv_semop = mac_biba_check_sysv_semop,
- .mpo_check_sysv_shmat = mac_biba_check_sysv_shmat,
- .mpo_check_sysv_shmctl = mac_biba_check_sysv_shmctl,
- .mpo_check_sysv_shmget = mac_biba_check_sysv_shmget,
- .mpo_check_kld_load = mac_biba_check_kld_load,
- .mpo_check_mount_stat = mac_biba_check_mount_stat,
- .mpo_check_pipe_ioctl = mac_biba_check_pipe_ioctl,
- .mpo_check_pipe_poll = mac_biba_check_pipe_poll,
- .mpo_check_pipe_read = mac_biba_check_pipe_read,
- .mpo_check_pipe_relabel = mac_biba_check_pipe_relabel,
- .mpo_check_pipe_stat = mac_biba_check_pipe_stat,
- .mpo_check_pipe_write = mac_biba_check_pipe_write,
- .mpo_check_posix_sem_destroy = mac_biba_check_posix_sem_write,
- .mpo_check_posix_sem_getvalue = mac_biba_check_posix_sem_rdonly,
- .mpo_check_posix_sem_open = mac_biba_check_posix_sem_write,
- .mpo_check_posix_sem_post = mac_biba_check_posix_sem_write,
- .mpo_check_posix_sem_unlink = mac_biba_check_posix_sem_write,
- .mpo_check_posix_sem_wait = mac_biba_check_posix_sem_write,
- .mpo_check_proc_debug = mac_biba_check_proc_debug,
- .mpo_check_proc_sched = mac_biba_check_proc_sched,
- .mpo_check_proc_signal = mac_biba_check_proc_signal,
- .mpo_check_socket_deliver = mac_biba_check_socket_deliver,
- .mpo_check_socket_relabel = mac_biba_check_socket_relabel,
- .mpo_check_socket_visible = mac_biba_check_socket_visible,
- .mpo_check_system_acct = mac_biba_check_system_acct,
- .mpo_check_system_auditctl = mac_biba_check_system_auditctl,
- .mpo_check_system_auditon = mac_biba_check_system_auditon,
- .mpo_check_system_swapon = mac_biba_check_system_swapon,
- .mpo_check_system_swapoff = mac_biba_check_system_swapoff,
- .mpo_check_system_sysctl = mac_biba_check_system_sysctl,
- .mpo_check_vnode_access = mac_biba_check_vnode_open,
- .mpo_check_vnode_chdir = mac_biba_check_vnode_chdir,
- .mpo_check_vnode_chroot = mac_biba_check_vnode_chroot,
- .mpo_check_vnode_create = mac_biba_check_vnode_create,
- .mpo_check_vnode_deleteacl = mac_biba_check_vnode_deleteacl,
- .mpo_check_vnode_deleteextattr = mac_biba_check_vnode_deleteextattr,
- .mpo_check_vnode_exec = mac_biba_check_vnode_exec,
- .mpo_check_vnode_getacl = mac_biba_check_vnode_getacl,
- .mpo_check_vnode_getextattr = mac_biba_check_vnode_getextattr,
- .mpo_check_vnode_link = mac_biba_check_vnode_link,
- .mpo_check_vnode_listextattr = mac_biba_check_vnode_listextattr,
- .mpo_check_vnode_lookup = mac_biba_check_vnode_lookup,
- .mpo_check_vnode_mmap = mac_biba_check_vnode_mmap,
- .mpo_check_vnode_open = mac_biba_check_vnode_open,
- .mpo_check_vnode_poll = mac_biba_check_vnode_poll,
- .mpo_check_vnode_read = mac_biba_check_vnode_read,
- .mpo_check_vnode_readdir = mac_biba_check_vnode_readdir,
- .mpo_check_vnode_readlink = mac_biba_check_vnode_readlink,
- .mpo_check_vnode_relabel = mac_biba_check_vnode_relabel,
- .mpo_check_vnode_rename_from = mac_biba_check_vnode_rename_from,
- .mpo_check_vnode_rename_to = mac_biba_check_vnode_rename_to,
- .mpo_check_vnode_revoke = mac_biba_check_vnode_revoke,
- .mpo_check_vnode_setacl = mac_biba_check_vnode_setacl,
- .mpo_check_vnode_setextattr = mac_biba_check_vnode_setextattr,
- .mpo_check_vnode_setflags = mac_biba_check_vnode_setflags,
- .mpo_check_vnode_setmode = mac_biba_check_vnode_setmode,
- .mpo_check_vnode_setowner = mac_biba_check_vnode_setowner,
- .mpo_check_vnode_setutimes = mac_biba_check_vnode_setutimes,
- .mpo_check_vnode_stat = mac_biba_check_vnode_stat,
- .mpo_check_vnode_unlink = mac_biba_check_vnode_unlink,
- .mpo_check_vnode_write = mac_biba_check_vnode_write,
+ .mpo_proc_create_swapper = mac_biba_proc_create_swapper,
+ .mpo_proc_create_init = mac_biba_proc_create_init,
+ .mpo_cred_relabel = mac_biba_cred_relabel,
+ .mpo_sysvmsg_cleanup = mac_biba_sysvmsg_cleanup,
+ .mpo_sysvmsq_cleanup = mac_biba_sysvmsq_cleanup,
+ .mpo_sysvsem_cleanup = mac_biba_sysvsem_cleanup,
+ .mpo_sysvshm_cleanup = mac_biba_sysvshm_cleanup,
+ .mpo_bpfdesc_check_receive = mac_biba_bpfdesc_check_receive,
+ .mpo_cred_check_relabel = mac_biba_cred_check_relabel,
+ .mpo_cred_check_visible = mac_biba_cred_check_visible,
+ .mpo_ifnet_check_relabel = mac_biba_ifnet_check_relabel,
+ .mpo_ifnet_check_transmit = mac_biba_ifnet_check_transmit,
+ .mpo_inpcb_check_deliver = mac_biba_inpcb_check_deliver,
+ .mpo_sysvmsq_check_msgrcv = mac_biba_sysvmsq_check_msgrcv,
+ .mpo_sysvmsq_check_msgrmid = mac_biba_sysvmsq_check_msgrmid,
+ .mpo_sysvmsq_check_msqget = mac_biba_sysvmsq_check_msqget,
+ .mpo_sysvmsq_check_msqsnd = mac_biba_sysvmsq_check_msqsnd,
+ .mpo_sysvmsq_check_msqrcv = mac_biba_sysvmsq_check_msqrcv,
+ .mpo_sysvmsq_check_msqctl = mac_biba_sysvmsq_check_msqctl,
+ .mpo_sysvsem_check_semctl = mac_biba_sysvsem_check_semctl,
+ .mpo_sysvsem_check_semget = mac_biba_sysvsem_check_semget,
+ .mpo_sysvsem_check_semop = mac_biba_sysvsem_check_semop,
+ .mpo_sysvshm_check_shmat = mac_biba_sysvshm_check_shmat,
+ .mpo_sysvshm_check_shmctl = mac_biba_sysvshm_check_shmctl,
+ .mpo_sysvshm_check_shmget = mac_biba_sysvshm_check_shmget,
+ .mpo_kld_check_load = mac_biba_kld_check_load,
+ .mpo_mount_check_stat = mac_biba_mount_check_stat,
+ .mpo_pipe_check_ioctl = mac_biba_pipe_check_ioctl,
+ .mpo_pipe_check_poll = mac_biba_pipe_check_poll,
+ .mpo_pipe_check_read = mac_biba_pipe_check_read,
+ .mpo_pipe_check_relabel = mac_biba_pipe_check_relabel,
+ .mpo_pipe_check_stat = mac_biba_pipe_check_stat,
+ .mpo_pipe_check_write = mac_biba_pipe_check_write,
+ .mpo_posixsem_check_destroy = mac_biba_posixsem_check_write,
+ .mpo_posixsem_check_getvalue = mac_biba_posixsem_check_rdonly,
+ .mpo_posixsem_check_open = mac_biba_posixsem_check_write,
+ .mpo_posixsem_check_post = mac_biba_posixsem_check_write,
+ .mpo_posixsem_check_unlink = mac_biba_posixsem_check_write,
+ .mpo_posixsem_check_wait = mac_biba_posixsem_check_write,
+ .mpo_proc_check_debug = mac_biba_proc_check_debug,
+ .mpo_proc_check_sched = mac_biba_proc_check_sched,
+ .mpo_proc_check_signal = mac_biba_proc_check_signal,
+ .mpo_socket_check_deliver = mac_biba_socket_check_deliver,
+ .mpo_socket_check_relabel = mac_biba_socket_check_relabel,
+ .mpo_socket_check_visible = mac_biba_socket_check_visible,
+ .mpo_system_check_acct = mac_biba_system_check_acct,
+ .mpo_system_check_auditctl = mac_biba_system_check_auditctl,
+ .mpo_system_check_auditon = mac_biba_system_check_auditon,
+ .mpo_system_check_swapon = mac_biba_system_check_swapon,
+ .mpo_system_check_swapoff = mac_biba_system_check_swapoff,
+ .mpo_system_check_sysctl = mac_biba_system_check_sysctl,
+ .mpo_vnode_check_access = mac_biba_vnode_check_open,
+ .mpo_vnode_check_chdir = mac_biba_vnode_check_chdir,
+ .mpo_vnode_check_chroot = mac_biba_vnode_check_chroot,
+ .mpo_vnode_check_create = mac_biba_vnode_check_create,
+ .mpo_vnode_check_deleteacl = mac_biba_vnode_check_deleteacl,
+ .mpo_vnode_check_deleteextattr = mac_biba_vnode_check_deleteextattr,
+ .mpo_vnode_check_exec = mac_biba_vnode_check_exec,
+ .mpo_vnode_check_getacl = mac_biba_vnode_check_getacl,
+ .mpo_vnode_check_getextattr = mac_biba_vnode_check_getextattr,
+ .mpo_vnode_check_link = mac_biba_vnode_check_link,
+ .mpo_vnode_check_listextattr = mac_biba_vnode_check_listextattr,
+ .mpo_vnode_check_lookup = mac_biba_vnode_check_lookup,
+ .mpo_vnode_check_mmap = mac_biba_vnode_check_mmap,
+ .mpo_vnode_check_open = mac_biba_vnode_check_open,
+ .mpo_vnode_check_poll = mac_biba_vnode_check_poll,
+ .mpo_vnode_check_read = mac_biba_vnode_check_read,
+ .mpo_vnode_check_readdir = mac_biba_vnode_check_readdir,
+ .mpo_vnode_check_readlink = mac_biba_vnode_check_readlink,
+ .mpo_vnode_check_relabel = mac_biba_vnode_check_relabel,
+ .mpo_vnode_check_rename_from = mac_biba_vnode_check_rename_from,
+ .mpo_vnode_check_rename_to = mac_biba_vnode_check_rename_to,
+ .mpo_vnode_check_revoke = mac_biba_vnode_check_revoke,
+ .mpo_vnode_check_setacl = mac_biba_vnode_check_setacl,
+ .mpo_vnode_check_setextattr = mac_biba_vnode_check_setextattr,
+ .mpo_vnode_check_setflags = mac_biba_vnode_check_setflags,
+ .mpo_vnode_check_setmode = mac_biba_vnode_check_setmode,
+ .mpo_vnode_check_setowner = mac_biba_vnode_check_setowner,
+ .mpo_vnode_check_setutimes = mac_biba_vnode_check_setutimes,
+ .mpo_vnode_check_stat = mac_biba_vnode_check_stat,
+ .mpo_vnode_check_unlink = mac_biba_vnode_check_unlink,
+ .mpo_vnode_check_write = mac_biba_vnode_check_write,
.mpo_associate_nfsd_label = mac_biba_associate_nfsd_label,
- .mpo_create_mbuf_from_firewall = mac_biba_create_mbuf_from_firewall,
+ .mpo_mbuf_create_from_firewall = mac_biba_mbuf_create_from_firewall,
.mpo_priv_check = mac_biba_priv_check,
};
diff --git a/sys/security/mac_bsdextended/mac_bsdextended.c b/sys/security/mac_bsdextended/mac_bsdextended.c
index bdeadce..05521fe 100644
--- a/sys/security/mac_bsdextended/mac_bsdextended.c
+++ b/sys/security/mac_bsdextended/mac_bsdextended.c
@@ -2,6 +2,7 @@
* Copyright (c) 1999-2002, 2007 Robert N. M. Watson
* Copyright (c) 2001-2005 Networks Associates Technology, Inc.
* Copyright (c) 2005 Tom Rhodes
+ * Copyright (c) 2006 SPARTA, Inc.
* All rights reserved.
*
* This software was developed by Robert Watson for the TrustedBSD Project.
@@ -12,6 +13,9 @@
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
* as part of the DARPA CHATS research program.
*
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract
+ * N66001-04-C-6019 ("SEFOS").
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -440,7 +444,7 @@ mac_bsdextended_check_vp(struct ucred *cred, struct vnode *vp, int acc_mode)
}
static int
-mac_bsdextended_check_system_acct(struct ucred *cred, struct vnode *vp,
+mac_bsdextended_system_check_acct(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
@@ -448,7 +452,7 @@ mac_bsdextended_check_system_acct(struct ucred *cred, struct vnode *vp,
}
static int
-mac_bsdextended_check_system_auditctl(struct ucred *cred, struct vnode *vp,
+mac_bsdextended_system_check_auditctl(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
@@ -456,7 +460,7 @@ mac_bsdextended_check_system_auditctl(struct ucred *cred, struct vnode *vp,
}
static int
-mac_bsdextended_check_system_swapoff(struct ucred *cred, struct vnode *vp,
+mac_bsdextended_system_check_swapoff(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
@@ -464,7 +468,7 @@ mac_bsdextended_check_system_swapoff(struct ucred *cred, struct vnode *vp,
}
static int
-mac_bsdextended_check_system_swapon(struct ucred *cred, struct vnode *vp,
+mac_bsdextended_system_check_swapon(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
@@ -472,7 +476,7 @@ mac_bsdextended_check_system_swapon(struct ucred *cred, struct vnode *vp,
}
static int
-mac_bsdextended_check_vnode_access(struct ucred *cred, struct vnode *vp,
+mac_bsdextended_vnode_check_access(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int acc_mode)
{
@@ -480,7 +484,7 @@ mac_bsdextended_check_vnode_access(struct ucred *cred, struct vnode *vp,
}
static int
-mac_bsdextended_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
+mac_bsdextended_vnode_check_chdir(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel)
{
@@ -488,7 +492,7 @@ mac_bsdextended_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
}
static int
-mac_bsdextended_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
+mac_bsdextended_vnode_check_chroot(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel)
{
@@ -504,7 +508,7 @@ mac_bsdextended_check_create_vnode(struct ucred *cred, struct vnode *dvp,
}
static int
-mac_bsdextended_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
+mac_bsdextended_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp,
struct label *vplabel, acl_type_t type)
{
@@ -512,7 +516,7 @@ mac_bsdextended_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
}
static int
-mac_bsdextended_check_vnode_deleteextattr(struct ucred *cred,
+mac_bsdextended_vnode_check_deleteextattr(struct ucred *cred,
struct vnode *vp, struct label *vplabel, int attrnamespace,
const char *name)
{
@@ -521,7 +525,7 @@ mac_bsdextended_check_vnode_deleteextattr(struct ucred *cred,
}
static int
-mac_bsdextended_check_vnode_exec(struct ucred *cred, struct vnode *vp,
+mac_bsdextended_vnode_check_exec(struct ucred *cred, struct vnode *vp,
struct label *vplabel, struct image_params *imgp,
struct label *execlabel)
{
@@ -530,7 +534,7 @@ mac_bsdextended_check_vnode_exec(struct ucred *cred, struct vnode *vp,
}
static int
-mac_bsdextended_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
+mac_bsdextended_vnode_check_getacl(struct ucred *cred, struct vnode *vp,
struct label *vplabel, acl_type_t type)
{
@@ -538,7 +542,7 @@ mac_bsdextended_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
}
static int
-mac_bsdextended_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
+mac_bsdextended_vnode_check_getextattr(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int attrnamespace, const char *name,
struct uio *uio)
{
@@ -547,7 +551,7 @@ mac_bsdextended_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
}
static int
-mac_bsdextended_check_vnode_link(struct ucred *cred, struct vnode *dvp,
+mac_bsdextended_vnode_check_link(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct vnode *vp, struct label *label,
struct componentname *cnp)
{
@@ -563,7 +567,7 @@ mac_bsdextended_check_vnode_link(struct ucred *cred, struct vnode *dvp,
}
static int
-mac_bsdextended_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
+mac_bsdextended_vnode_check_listextattr(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int attrnamespace)
{
@@ -571,7 +575,7 @@ mac_bsdextended_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
}
static int
-mac_bsdextended_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
+mac_bsdextended_vnode_check_lookup(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct componentname *cnp)
{
@@ -579,7 +583,7 @@ mac_bsdextended_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
}
static int
-mac_bsdextended_check_vnode_open(struct ucred *cred, struct vnode *vp,
+mac_bsdextended_vnode_check_open(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int acc_mode)
{
@@ -587,7 +591,7 @@ mac_bsdextended_check_vnode_open(struct ucred *cred, struct vnode *vp,
}
static int
-mac_bsdextended_check_vnode_readdir(struct ucred *cred, struct vnode *dvp,
+mac_bsdextended_vnode_check_readdir(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel)
{
@@ -595,7 +599,7 @@ mac_bsdextended_check_vnode_readdir(struct ucred *cred, struct vnode *dvp,
}
static int
-mac_bsdextended_check_vnode_readdlink(struct ucred *cred, struct vnode *vp,
+mac_bsdextended_vnode_check_readdlink(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
@@ -603,7 +607,7 @@ mac_bsdextended_check_vnode_readdlink(struct ucred *cred, struct vnode *vp,
}
static int
-mac_bsdextended_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
+mac_bsdextended_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct vnode *vp, struct label *vplabel,
struct componentname *cnp)
{
@@ -616,7 +620,7 @@ mac_bsdextended_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
}
static int
-mac_bsdextended_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
+mac_bsdextended_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct vnode *vp, struct label *vplabel,
int samedir, struct componentname *cnp)
{
@@ -631,7 +635,7 @@ mac_bsdextended_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
}
static int
-mac_bsdextended_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
+mac_bsdextended_vnode_check_revoke(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
@@ -647,7 +651,7 @@ mac_bsdextended_check_setacl_vnode(struct ucred *cred, struct vnode *vp,
}
static int
-mac_bsdextended_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
+mac_bsdextended_vnode_check_setextattr(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int attrnamespace, const char *name,
struct uio *uio)
{
@@ -656,7 +660,7 @@ mac_bsdextended_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
}
static int
-mac_bsdextended_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
+mac_bsdextended_vnode_check_setflags(struct ucred *cred, struct vnode *vp,
struct label *vplabel, u_long flags)
{
@@ -664,7 +668,7 @@ mac_bsdextended_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
}
static int
-mac_bsdextended_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
+mac_bsdextended_vnode_check_setmode(struct ucred *cred, struct vnode *vp,
struct label *vplabel, mode_t mode)
{
@@ -672,7 +676,7 @@ mac_bsdextended_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
}
static int
-mac_bsdextended_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
+mac_bsdextended_vnode_check_setowner(struct ucred *cred, struct vnode *vp,
struct label *vplabel, uid_t uid, gid_t gid)
{
@@ -680,7 +684,7 @@ mac_bsdextended_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
}
static int
-mac_bsdextended_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
+mac_bsdextended_vnode_check_setutimes(struct ucred *cred, struct vnode *vp,
struct label *vplabel, struct timespec atime, struct timespec utime)
{
@@ -688,7 +692,7 @@ mac_bsdextended_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
}
static int
-mac_bsdextended_check_vnode_stat(struct ucred *active_cred,
+mac_bsdextended_vnode_check_stat(struct ucred *active_cred,
struct ucred *file_cred, struct vnode *vp, struct label *vplabel)
{
@@ -696,7 +700,7 @@ mac_bsdextended_check_vnode_stat(struct ucred *active_cred,
}
static int
-mac_bsdextended_check_vnode_unlink(struct ucred *cred, struct vnode *dvp,
+mac_bsdextended_vnode_check_unlink(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct vnode *vp, struct label *vplabel,
struct componentname *cnp)
{
@@ -712,36 +716,36 @@ static struct mac_policy_ops mac_bsdextended_ops =
{
.mpo_destroy = mac_bsdextended_destroy,
.mpo_init = mac_bsdextended_init,
- .mpo_check_system_acct = mac_bsdextended_check_system_acct,
- .mpo_check_system_auditctl = mac_bsdextended_check_system_auditctl,
- .mpo_check_system_swapoff = mac_bsdextended_check_system_swapoff,
- .mpo_check_system_swapon = mac_bsdextended_check_system_swapon,
- .mpo_check_vnode_access = mac_bsdextended_check_vnode_access,
- .mpo_check_vnode_chdir = mac_bsdextended_check_vnode_chdir,
- .mpo_check_vnode_chroot = mac_bsdextended_check_vnode_chroot,
- .mpo_check_vnode_create = mac_bsdextended_check_create_vnode,
- .mpo_check_vnode_deleteacl = mac_bsdextended_check_vnode_deleteacl,
- .mpo_check_vnode_deleteextattr = mac_bsdextended_check_vnode_deleteextattr,
- .mpo_check_vnode_exec = mac_bsdextended_check_vnode_exec,
- .mpo_check_vnode_getacl = mac_bsdextended_check_vnode_getacl,
- .mpo_check_vnode_getextattr = mac_bsdextended_check_vnode_getextattr,
- .mpo_check_vnode_link = mac_bsdextended_check_vnode_link,
- .mpo_check_vnode_listextattr = mac_bsdextended_check_vnode_listextattr,
- .mpo_check_vnode_lookup = mac_bsdextended_check_vnode_lookup,
- .mpo_check_vnode_open = mac_bsdextended_check_vnode_open,
- .mpo_check_vnode_readdir = mac_bsdextended_check_vnode_readdir,
- .mpo_check_vnode_readlink = mac_bsdextended_check_vnode_readdlink,
- .mpo_check_vnode_rename_from = mac_bsdextended_check_vnode_rename_from,
- .mpo_check_vnode_rename_to = mac_bsdextended_check_vnode_rename_to,
- .mpo_check_vnode_revoke = mac_bsdextended_check_vnode_revoke,
- .mpo_check_vnode_setacl = mac_bsdextended_check_setacl_vnode,
- .mpo_check_vnode_setextattr = mac_bsdextended_check_vnode_setextattr,
- .mpo_check_vnode_setflags = mac_bsdextended_check_vnode_setflags,
- .mpo_check_vnode_setmode = mac_bsdextended_check_vnode_setmode,
- .mpo_check_vnode_setowner = mac_bsdextended_check_vnode_setowner,
- .mpo_check_vnode_setutimes = mac_bsdextended_check_vnode_setutimes,
- .mpo_check_vnode_stat = mac_bsdextended_check_vnode_stat,
- .mpo_check_vnode_unlink = mac_bsdextended_check_vnode_unlink,
+ .mpo_system_check_acct = mac_bsdextended_system_check_acct,
+ .mpo_system_check_auditctl = mac_bsdextended_system_check_auditctl,
+ .mpo_system_check_swapoff = mac_bsdextended_system_check_swapoff,
+ .mpo_system_check_swapon = mac_bsdextended_system_check_swapon,
+ .mpo_vnode_check_access = mac_bsdextended_vnode_check_access,
+ .mpo_vnode_check_chdir = mac_bsdextended_vnode_check_chdir,
+ .mpo_vnode_check_chroot = mac_bsdextended_vnode_check_chroot,
+ .mpo_vnode_check_create = mac_bsdextended_check_create_vnode,
+ .mpo_vnode_check_deleteacl = mac_bsdextended_vnode_check_deleteacl,
+ .mpo_vnode_check_deleteextattr = mac_bsdextended_vnode_check_deleteextattr,
+ .mpo_vnode_check_exec = mac_bsdextended_vnode_check_exec,
+ .mpo_vnode_check_getacl = mac_bsdextended_vnode_check_getacl,
+ .mpo_vnode_check_getextattr = mac_bsdextended_vnode_check_getextattr,
+ .mpo_vnode_check_link = mac_bsdextended_vnode_check_link,
+ .mpo_vnode_check_listextattr = mac_bsdextended_vnode_check_listextattr,
+ .mpo_vnode_check_lookup = mac_bsdextended_vnode_check_lookup,
+ .mpo_vnode_check_open = mac_bsdextended_vnode_check_open,
+ .mpo_vnode_check_readdir = mac_bsdextended_vnode_check_readdir,
+ .mpo_vnode_check_readlink = mac_bsdextended_vnode_check_readdlink,
+ .mpo_vnode_check_rename_from = mac_bsdextended_vnode_check_rename_from,
+ .mpo_vnode_check_rename_to = mac_bsdextended_vnode_check_rename_to,
+ .mpo_vnode_check_revoke = mac_bsdextended_vnode_check_revoke,
+ .mpo_vnode_check_setacl = mac_bsdextended_check_setacl_vnode,
+ .mpo_vnode_check_setextattr = mac_bsdextended_vnode_check_setextattr,
+ .mpo_vnode_check_setflags = mac_bsdextended_vnode_check_setflags,
+ .mpo_vnode_check_setmode = mac_bsdextended_vnode_check_setmode,
+ .mpo_vnode_check_setowner = mac_bsdextended_vnode_check_setowner,
+ .mpo_vnode_check_setutimes = mac_bsdextended_vnode_check_setutimes,
+ .mpo_vnode_check_stat = mac_bsdextended_vnode_check_stat,
+ .mpo_vnode_check_unlink = mac_bsdextended_vnode_check_unlink,
};
MAC_POLICY_SET(&mac_bsdextended_ops, mac_bsdextended,
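Review bot: Three initializers in the new `mac_bsdextended_ops` table still point at functions that escape the object-first naming this commit introduces. `.mpo_vnode_check_create` and `.mpo_vnode_check_setacl` use `mac_bsdextended_check_create_vnode` and `mac_bsdextended_check_setacl_vnode`, and `.mpo_vnode_check_readlink` uses `mac_bsdextended_vnode_check_readdlink` (doubled "d"). A designated initializer that is left out leaves the member zeroed, which as far as I know the framework treats as "policy does not implement this check", so a table where every field and function name match is much easier to audit for a dropped hook. I would rename them to `mac_bsdextended_vnode_check_create`, `mac_bsdextended_vnode_check_setacl` and `mac_bsdextended_vnode_check_readlink` in this same change. The definitions sit in the earlier hunks of this file, and the `MAC_POLICY_SET` call continues past the end of this hunk.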
diff --git a/sys/security/mac_ifoff/mac_ifoff.c b/sys/security/mac_ifoff/mac_ifoff.c
index 412a547..31bf09a 100644
--- a/sys/security/mac_ifoff/mac_ifoff.c
+++ b/sys/security/mac_ifoff/mac_ifoff.c
@@ -1,6 +1,7 @@
/*-
* Copyright (c) 1999-2002, 2007 Robert N. M. Watson
* Copyright (c) 2001-2002 Networks Associates Technology, Inc.
+ * Copyright (c) 2006 SPARTA, Inc.
* All rights reserved.
*
* This software was developed by Robert Watson for the TrustedBSD Project.
@@ -10,6 +11,9 @@
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
* as part of the DARPA CHATS research program.
*
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract
+ * N66001-04-C-6019 ("SEFOS").
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -79,7 +83,7 @@ SYSCTL_INT(_security_mac_ifoff, OID_AUTO, bpfrecv_enabled, CTLFLAG_RW,
TUNABLE_INT("security.mac.ifoff.bpfrecv.enabled", &mac_ifoff_bpfrecv_enabled);
static int
-check_ifnet_outgoing(struct ifnet *ifp)
+ifnet_check_outgoing(struct ifnet *ifp)
{
if (!mac_ifoff_enabled)
@@ -95,7 +99,7 @@ check_ifnet_outgoing(struct ifnet *ifp)
}
static int
-check_ifnet_incoming(struct ifnet *ifp, int viabpf)
+ifnet_check_incoming(struct ifnet *ifp, int viabpf)
{
if (!mac_ifoff_enabled)
return (0);
@@ -113,51 +117,51 @@ check_ifnet_incoming(struct ifnet *ifp, int viabpf)
}
static int
-mac_ifoff_check_bpfdesc_receive(struct bpf_d *d, struct label *dlabel,
+mac_ifoff_bpfdesc_check_receive(struct bpf_d *d, struct label *dlabel,
struct ifnet *ifp, struct label *ifplabel)
{
- return (check_ifnet_incoming(ifp, 1));
+ return (ifnet_check_incoming(ifp, 1));
}
static int
-mac_ifoff_check_ifnet_transmit(struct ifnet *ifp, struct label *ifplabel,
+mac_ifoff_ifnet_check_transmit(struct ifnet *ifp, struct label *ifplabel,
struct mbuf *m, struct label *mlabel)
{
- return (check_ifnet_outgoing(ifp));
+ return (ifnet_check_outgoing(ifp));
}
static int
-mac_ifoff_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel,
+mac_ifoff_inpcb_check_deliver(struct inpcb *inp, struct label *inplabel,
struct mbuf *m, struct label *mlabel)
{
M_ASSERTPKTHDR(m);
if (m->m_pkthdr.rcvif != NULL)
- return (check_ifnet_incoming(m->m_pkthdr.rcvif, 0));
+ return (ifnet_check_incoming(m->m_pkthdr.rcvif, 0));
return (0);
}
static int
-mac_ifoff_check_socket_deliver(struct socket *so, struct label *solabel,
+mac_ifoff_socket_check_deliver(struct socket *so, struct label *solabel,
struct mbuf *m, struct label *mlabel)
{
M_ASSERTPKTHDR(m);
if (m->m_pkthdr.rcvif != NULL)
- return (check_ifnet_incoming(m->m_pkthdr.rcvif, 0));
+ return (ifnet_check_incoming(m->m_pkthdr.rcvif, 0));
return (0);
}
static struct mac_policy_ops mac_ifoff_ops =
{
- .mpo_check_bpfdesc_receive = mac_ifoff_check_bpfdesc_receive,
- .mpo_check_ifnet_transmit = mac_ifoff_check_ifnet_transmit,
- .mpo_check_inpcb_deliver = mac_ifoff_check_inpcb_deliver,
- .mpo_check_socket_deliver = mac_ifoff_check_socket_deliver,
+ .mpo_bpfdesc_check_receive = mac_ifoff_bpfdesc_check_receive,
+ .mpo_ifnet_check_transmit = mac_ifoff_ifnet_check_transmit,
+ .mpo_inpcb_check_deliver = mac_ifoff_inpcb_check_deliver,
+ .mpo_socket_check_deliver = mac_ifoff_socket_check_deliver,
};
MAC_POLICY_SET(&mac_ifoff_ops, mac_ifoff, "TrustedBSD MAC/ifoff",
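Review bot: `mac_ifoff_inpcb_check_deliver` and `mac_ifoff_socket_check_deliver` both return 0 (allow) when `m->m_pkthdr.rcvif` is NULL, and nothing in the hunk explains why that is safe. Presumably these are locally originated mbufs with no receive interface to gate, but for a policy whose job is to shut interfaces off, the allow-by-default branch should be stated, e.g. `/* No receive interface recorded (presumably local origin): nothing for ifoff to gate, allow. */` above each `return (0);`. The two bodies are also identical, so a single static helper taking the mbuf would keep that decision in one place. The start of `ifnet_check_incoming` is outside this hunk, so its handling of `viabpf` is not reviewed here.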
diff --git a/sys/security/mac_lomac/mac_lomac.c b/sys/security/mac_lomac/mac_lomac.c
index 2186b97..8b44a09 100644
--- a/sys/security/mac_lomac/mac_lomac.c
+++ b/sys/security/mac_lomac/mac_lomac.c
@@ -1,6 +1,7 @@
/*-
* Copyright (c) 1999-2002, 2007 Robert N. M. Watson
* Copyright (c) 2001-2005 Networks Associates Technology, Inc.
+ * Copyright (c) 2006 SPARTA, Inc.
* All rights reserved.
*
* This software was developed by Robert Watson for the TrustedBSD Project.
@@ -10,6 +11,9 @@
* DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA
* CHATS research program.
*
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract
+ * N66001-04-C-6019 ("SEFOS").
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -631,7 +635,7 @@ mac_lomac_init_label_waitcheck(struct label *label, int flag)
}
static void
-mac_lomac_init_proc_label(struct label *label)
+mac_lomac_proc_init_label(struct label *label)
{
PSLOT_SET(label, malloc(sizeof(struct mac_lomac_proc), M_MACLOMAC,
@@ -648,7 +652,7 @@ mac_lomac_destroy_label(struct label *label)
}
static void
-mac_lomac_destroy_proc_label(struct label *label)
+mac_lomac_proc_destroy_label(struct label *label)
{
mtx_destroy(&PSLOT(label)->mtx);
@@ -901,7 +905,7 @@ mac_lomac_copy_label(struct label *src, struct label *dest)
* a lot like file system objects.
*/
static void
-mac_lomac_create_devfs_device(struct ucred *cred, struct mount *mp,
+mac_lomac_devfs_create_device(struct ucred *cred, struct mount *mp,
struct cdev *dev, struct devfs_dirent *de, struct label *delabel)
{
struct mac_lomac *mac_lomac;
@@ -924,7 +928,7 @@ mac_lomac_create_devfs_device(struct ucred *cred, struct mount *mp,
}
static void
-mac_lomac_create_devfs_directory(struct mount *mp, char *dirname,
+mac_lomac_devfs_create_directory(struct mount *mp, char *dirname,
int dirnamelen, struct devfs_dirent *de, struct label *delabel)
{
struct mac_lomac *mac_lomac;
@@ -934,7 +938,7 @@ mac_lomac_create_devfs_directory(struct mount *mp, char *dirname,
}
static void
-mac_lomac_create_devfs_symlink(struct ucred *cred, struct mount *mp,
+mac_lomac_devfs_create_symlink(struct ucred *cred, struct mount *mp,
struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de,
struct label *delabel)
{
@@ -947,7 +951,7 @@ mac_lomac_create_devfs_symlink(struct ucred *cred, struct mount *mp,
}
static void
-mac_lomac_create_mount(struct ucred *cred, struct mount *mp,
+mac_lomac_mount_create(struct ucred *cred, struct mount *mp,
struct label *mplabel)
{
struct mac_lomac *source, *dest;
@@ -958,7 +962,7 @@ mac_lomac_create_mount(struct ucred *cred, struct mount *mp,
}
static void
-mac_lomac_relabel_vnode(struct ucred *cred, struct vnode *vp,
+mac_lomac_vnode_relabel(struct ucred *cred, struct vnode *vp,
struct label *vplabel, struct label *newlabel)
{
struct mac_lomac *source, *dest;
@@ -970,7 +974,7 @@ mac_lomac_relabel_vnode(struct ucred *cred, struct vnode *vp,
}
static void
-mac_lomac_update_devfs(struct mount *mp, struct devfs_dirent *de,
+mac_lomac_devfs_update(struct mount *mp, struct devfs_dirent *de,
struct label *delabel, struct vnode *vp, struct label *vplabel)
{
struct mac_lomac *source, *dest;
@@ -982,7 +986,7 @@ mac_lomac_update_devfs(struct mount *mp, struct devfs_dirent *de,
}
static void
-mac_lomac_associate_vnode_devfs(struct mount *mp, struct label *mplabel,
+mac_lomac_devfs_vnode_associate(struct mount *mp, struct label *mplabel,
struct devfs_dirent *de, struct label *delabel, struct vnode *vp,
struct label *vplabel)
{
@@ -995,7 +999,7 @@ mac_lomac_associate_vnode_devfs(struct mount *mp, struct label *mplabel,
}
static int
-mac_lomac_associate_vnode_extattr(struct mount *mp, struct label *mplabel,
+mac_lomac_vnode_associate_extattr(struct mount *mp, struct label *mplabel,
struct vnode *vp, struct label *vplabel)
{
struct mac_lomac temp, *source, *dest;
@@ -1018,7 +1022,7 @@ mac_lomac_associate_vnode_extattr(struct mount *mp, struct label *mplabel,
if (buflen != sizeof(temp)) {
if (buflen != sizeof(temp) - sizeof(temp.ml_auxsingle)) {
- printf("mac_lomac_associate_vnode_extattr: bad size %d\n",
+ printf("mac_lomac_vnode_associate_extattr: bad size %d\n",
buflen);
return (EPERM);
}
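Review bot: The diagnostic strings in `mac_lomac_vnode_associate_extattr` hard-code the function name, which is why this rename has to touch the `printf` here and the "invalid" and "not single" messages in the next hunk. Using `__func__` keeps log output in step with the symbol, so anyone matching kernel messages to code is not misled after a future rename: `printf("%s: bad size %d\n", __func__, buflen);`, and likewise `printf("%s: invalid\n", __func__);` and `printf("%s: not single\n", __func__);`. These messages fire on a malformed on-disk label, so it is also worth confirming they cannot be triggered repeatedly enough to flood the console, though the call path is not visible from here. The function begins before this hunk and continues after it.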
@@ -1029,11 +1033,11 @@ mac_lomac_associate_vnode_extattr(struct mount *mp, struct label *mplabel,
buflen, (char *)&temp, curthread);
}
if (mac_lomac_valid(&temp) != 0) {
- printf("mac_lomac_associate_vnode_extattr: invalid\n");
+ printf("mac_lomac_vnode_associate_extattr: invalid\n");
return (EPERM);
}
if ((temp.ml_flags & MAC_LOMAC_FLAGS_BOTH) != MAC_LOMAC_FLAG_SINGLE) {
- printf("mac_lomac_associate_vnode_extattr: not single\n");
+ printf("mac_lomac_vnode_associate_extattr: not single\n");
return (EPERM);
}
@@ -1042,7 +1046,7 @@ mac_lomac_associate_vnode_extattr(struct mount *mp, struct label *mplabel,
}
static void
-mac_lomac_associate_vnode_singlelabel(struct mount *mp,
+mac_lomac_vnode_associate_singlelabel(struct mount *mp,
struct label *mplabel, struct vnode *vp, struct label *vplabel)
{
struct mac_lomac *source, *dest;
@@ -1054,7 +1058,7 @@ mac_lomac_associate_vnode_singlelabel(struct mount *mp,
}
static int
-mac_lomac_create_vnode_extattr(struct ucred *cred, struct mount *mp,
+mac_lomac_vnode_create_extattr(struct ucred *cred, struct mount *mp,
struct label *mplabel, struct vnode *dvp, struct label *dvplabel,
struct vnode *vp, struct label *vplabel, struct componentname *cnp)
{
@@ -1084,7 +1088,7 @@ mac_lomac_create_vnode_extattr(struct ucred *cred, struct mount *mp,
}
static int
-mac_lomac_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
+mac_lomac_vnode_setlabel_extattr(struct ucred *cred, struct vnode *vp,
struct label *vplabel, struct label *intlabel)
{
struct mac_lomac *source, temp;
@@ -1108,7 +1112,7 @@ mac_lomac_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
* Labeling event operations: IPC object.
*/
static void
-mac_lomac_create_inpcb_from_socket(struct socket *so, struct label *solabel,
+mac_lomac_inpcb_create(struct socket *so, struct label *solabel,
struct inpcb *inp, struct label *inplabel)
{
struct mac_lomac *source, *dest;
@@ -1120,7 +1124,7 @@ mac_lomac_create_inpcb_from_socket(struct socket *so, struct label *solabel,
}
static void
-mac_lomac_create_mbuf_from_socket(struct socket *so, struct label *solabel,
+mac_lomac_socket_create_mbuf(struct socket *so, struct label *solabel,
struct mbuf *m, struct label *mlabel)
{
struct mac_lomac *source, *dest;
@@ -1132,7 +1136,7 @@ mac_lomac_create_mbuf_from_socket(struct socket *so, struct label *solabel,
}
static void
-mac_lomac_create_socket(struct ucred *cred, struct socket *so,
+mac_lomac_socket_create(struct ucred *cred, struct socket *so,
struct label *solabel)
{
struct mac_lomac *source, *dest;
@@ -1144,7 +1148,7 @@ mac_lomac_create_socket(struct ucred *cred, struct socket *so,
}
static void
-mac_lomac_create_pipe(struct ucred *cred, struct pipepair *pp,
+mac_lomac_pipe_create(struct ucred *cred, struct pipepair *pp,
struct label *pplabel)
{
struct mac_lomac *source, *dest;
@@ -1156,8 +1160,8 @@ mac_lomac_create_pipe(struct ucred *cred, struct pipepair *pp,
}
static void
-mac_lomac_create_socket_from_socket(struct socket *oldso,
- struct label *oldsolabel, struct socket *newso, struct label *newsolabel)
+mac_lomac_socket_newconn(struct socket *oldso, struct label *oldsolabel,
+ struct socket *newso, struct label *newsolabel)
{
struct mac_lomac *source, *dest;
@@ -1168,7 +1172,7 @@ mac_lomac_create_socket_from_socket(struct socket *oldso,
}
static void
-mac_lomac_relabel_socket(struct ucred *cred, struct socket *so,
+mac_lomac_socket_relabel(struct ucred *cred, struct socket *so,
struct label *solabel, struct label *newlabel)
{
struct mac_lomac *source, *dest;
@@ -1180,7 +1184,7 @@ mac_lomac_relabel_socket(struct ucred *cred, struct socket *so,
}
static void
-mac_lomac_relabel_pipe(struct ucred *cred, struct pipepair *pp,
+mac_lomac_pipe_relabel(struct ucred *cred, struct pipepair *pp,
struct label *pplabel, struct label *newlabel)
{
struct mac_lomac *source, *dest;
@@ -1192,7 +1196,7 @@ mac_lomac_relabel_pipe(struct ucred *cred, struct pipepair *pp,
}
static void
-mac_lomac_set_socket_peer_from_mbuf(struct mbuf *m, struct label *mlabel,
+mac_lomac_socketpeer_set_from_mbuf(struct mbuf *m, struct label *mlabel,
struct socket *so, struct label *sopeerlabel)
{
struct mac_lomac *source, *dest;
@@ -1207,7 +1211,7 @@ mac_lomac_set_socket_peer_from_mbuf(struct mbuf *m, struct label *mlabel,
* Labeling event operations: network objects.
*/
static void
-mac_lomac_set_socket_peer_from_socket(struct socket *oldso,
+mac_lomac_socketpeer_set_from_socket(struct socket *oldso,
struct label *oldsolabel, struct socket *newso,
struct label *newsopeerlabel)
{
@@ -1220,7 +1224,7 @@ mac_lomac_set_socket_peer_from_socket(struct socket *oldso,
}
static void
-mac_lomac_create_bpfdesc(struct ucred *cred, struct bpf_d *d,
+mac_lomac_bpfdesc_create(struct ucred *cred, struct bpf_d *d,
struct label *dlabel)
{
struct mac_lomac *source, *dest;
@@ -1232,7 +1236,7 @@ mac_lomac_create_bpfdesc(struct ucred *cred, struct bpf_d *d,
}
static void
-mac_lomac_create_ifnet(struct ifnet *ifp, struct label *ifplabel)
+mac_lomac_ifnet_create(struct ifnet *ifp, struct label *ifplabel)
{
char tifname[IFNAMSIZ], *p, *q;
char tiflist[sizeof(trusted_interfaces)];
@@ -1290,7 +1294,7 @@ set:
}
static void
-mac_lomac_create_ipq(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
+mac_lomac_ipq_create(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
struct label *ipqlabel)
{
struct mac_lomac *source, *dest;
@@ -1302,7 +1306,7 @@ mac_lomac_create_ipq(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
}
static void
-mac_lomac_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel,
+mac_lomac_ipq_reassemble(struct ipq *ipq, struct label *ipqlabel,
struct mbuf *m, struct label *mlabel)
{
struct mac_lomac *source, *dest;
@@ -1315,7 +1319,7 @@ mac_lomac_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel,
}
static void
-mac_lomac_create_fragment(struct mbuf *m, struct label *mlabel,
+mac_lomac_netinet_fragment(struct mbuf *m, struct label *mlabel,
struct mbuf *frag, struct label *fraglabel)
{
struct mac_lomac *source, *dest;
@@ -1327,7 +1331,7 @@ mac_lomac_create_fragment(struct mbuf *m, struct label *mlabel,
}
static void
-mac_lomac_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel,
+mac_lomac_inpcb_create_mbuf(struct inpcb *inp, struct label *inplabel,
struct mbuf *m, struct label *mlabel)
{
struct mac_lomac *source, *dest;
@@ -1350,7 +1354,7 @@ mac_lomac_create_mbuf_linklayer(struct ifnet *ifp, struct label *ifplabel,
}
static void
-mac_lomac_create_mbuf_from_bpfdesc(struct bpf_d *d, struct label *dlabel,
+mac_lomac_bpfdesc_create_mbuf(struct bpf_d *d, struct label *dlabel,
struct mbuf *m, struct label *mlabel)
{
struct mac_lomac *source, *dest;
@@ -1362,7 +1366,7 @@ mac_lomac_create_mbuf_from_bpfdesc(struct bpf_d *d, struct label *dlabel,
}
static void
-mac_lomac_create_mbuf_from_ifnet(struct ifnet *ifp, struct label *ifplabel,
+mac_lomac_ifnet_create_mbuf(struct ifnet *ifp, struct label *ifplabel,
struct mbuf *m, struct label *mlabel)
{
struct mac_lomac *source, *dest;
@@ -1374,7 +1378,7 @@ mac_lomac_create_mbuf_from_ifnet(struct ifnet *ifp, struct label *ifplabel,
}
static void
-mac_lomac_create_mbuf_multicast_encap(struct mbuf *m, struct label *mlabel,
+mac_lomac_mbuf_create_multicast_encap(struct mbuf *m, struct label *mlabel,
struct ifnet *ifp, struct label *ifplabel, struct mbuf *mnew,
struct label *mnewlabel)
{
@@ -1387,7 +1391,7 @@ mac_lomac_create_mbuf_multicast_encap(struct mbuf *m, struct label *mlabel,
}
static void
-mac_lomac_create_mbuf_netlayer(struct mbuf *m, struct label *mlabel,
+mac_lomac_mbuf_create_netlayer(struct mbuf *m, struct label *mlabel,
struct mbuf *mnew, struct label *mnewlabel)
{
struct mac_lomac *source, *dest;
@@ -1399,8 +1403,8 @@ mac_lomac_create_mbuf_netlayer(struct mbuf *m, struct label *mlabel,
}
static int
-mac_lomac_fragment_match(struct mbuf *m, struct label *mlabel,
- struct ipq *ipq, struct label *ipqlabel)
+mac_lomac_ipq_match(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
+ struct label *ipqlabel)
{
struct mac_lomac *a, *b;
@@ -1411,7 +1415,7 @@ mac_lomac_fragment_match(struct mbuf *m, struct label *mlabel,
}
static void
-mac_lomac_relabel_ifnet(struct ucred *cred, struct ifnet *ifp,
+mac_lomac_ifnet_relabel(struct ucred *cred, struct ifnet *ifp,
struct label *ifplabel, struct label *newlabel)
{
struct mac_lomac *source, *dest;
@@ -1423,7 +1427,7 @@ mac_lomac_relabel_ifnet(struct ucred *cred, struct ifnet *ifp,
}
static void
-mac_lomac_update_ipq(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
+mac_lomac_ipq_update(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
struct label *ipqlabel)
{
@@ -1464,7 +1468,7 @@ mac_lomac_create_mbuf_from_syncache(struct label *sc_label, struct mbuf *m,
}
static void
-mac_lomac_create_mbuf_from_firewall(struct mbuf *m, struct label *mlabel)
+mac_lomac_mbuf_create_from_firewall(struct mbuf *m, struct label *mlabel)
{
struct mac_lomac *dest;
@@ -1478,7 +1482,7 @@ mac_lomac_create_mbuf_from_firewall(struct mbuf *m, struct label *mlabel)
* Labeling event operations: processes.
*/
static void
-mac_lomac_execve_transition(struct ucred *old, struct ucred *new,
+mac_lomac_vnode_execve_transition(struct ucred *old, struct ucred *new,
struct vnode *vp, struct label *vplabel, struct label *interpvnodelabel,
struct image_params *imgp, struct label *execlabel)
{
@@ -1514,7 +1518,7 @@ mac_lomac_execve_transition(struct ucred *old, struct ucred *new,
}
static int
-mac_lomac_execve_will_transition(struct ucred *old, struct vnode *vp,
+mac_lomac_vnode_execve_will_transition(struct ucred *old, struct vnode *vp,
struct label *vplabel, struct label *interpvnodelabel,
struct image_params *imgp, struct label *execlabel)
{
@@ -1534,7 +1538,7 @@ mac_lomac_execve_will_transition(struct ucred *old, struct vnode *vp,
}
static void
-mac_lomac_create_proc0(struct ucred *cred)
+mac_lomac_proc_create_swapper(struct ucred *cred)
{
struct mac_lomac *dest;
@@ -1546,7 +1550,7 @@ mac_lomac_create_proc0(struct ucred *cred)
}
static void
-mac_lomac_create_proc1(struct ucred *cred)
+mac_lomac_proc_create_init(struct ucred *cred)
{
struct mac_lomac *dest;
@@ -1558,7 +1562,7 @@ mac_lomac_create_proc1(struct ucred *cred)
}
static void
-mac_lomac_relabel_cred(struct ucred *cred, struct label *newlabel)
+mac_lomac_cred_relabel(struct ucred *cred, struct label *newlabel)
{
struct mac_lomac *source, *dest;
@@ -1572,7 +1576,7 @@ mac_lomac_relabel_cred(struct ucred *cred, struct label *newlabel)
* Access control checks.
*/
static int
-mac_lomac_check_bpfdesc_receive(struct bpf_d *d, struct label *dlabel,
+mac_lomac_bpfdesc_check_receive(struct bpf_d *d, struct label *dlabel,
struct ifnet *ifp, struct label *ifplabel)
{
struct mac_lomac *a, *b;
@@ -1589,7 +1593,7 @@ mac_lomac_check_bpfdesc_receive(struct bpf_d *d, struct label *dlabel,
}
static int
-mac_lomac_check_cred_relabel(struct ucred *cred, struct label *newlabel)
+mac_lomac_cred_check_relabel(struct ucred *cred, struct label *newlabel)
{
struct mac_lomac *subj, *new;
int error;
@@ -1655,7 +1659,7 @@ mac_lomac_check_cred_relabel(struct ucred *cred, struct label *newlabel)
}
static int
-mac_lomac_check_cred_visible(struct ucred *cr1, struct ucred *cr2)
+mac_lomac_cred_check_visible(struct ucred *cr1, struct ucred *cr2)
{
struct mac_lomac *subj, *obj;
@@ -1673,7 +1677,7 @@ mac_lomac_check_cred_visible(struct ucred *cr1, struct ucred *cr2)
}
static int
-mac_lomac_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifp,
+mac_lomac_ifnet_check_relabel(struct ucred *cred, struct ifnet *ifp,
struct label *ifplabel, struct label *newlabel)
{
struct mac_lomac *subj, *new;
@@ -1730,7 +1734,7 @@ mac_lomac_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifp,
}
static int
-mac_lomac_check_ifnet_transmit(struct ifnet *ifp, struct label *ifplabel,
+mac_lomac_ifnet_check_transmit(struct ifnet *ifp, struct label *ifplabel,
struct mbuf *m, struct label *mlabel)
{
struct mac_lomac *p, *i;
@@ -1745,7 +1749,7 @@ mac_lomac_check_ifnet_transmit(struct ifnet *ifp, struct label *ifplabel,
}
static int
-mac_lomac_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel,
+mac_lomac_inpcb_check_deliver(struct inpcb *inp, struct label *inplabel,
struct mbuf *m, struct label *mlabel)
{
struct mac_lomac *p, *i;
@@ -1760,7 +1764,7 @@ mac_lomac_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel,
}
static int
-mac_lomac_check_kld_load(struct ucred *cred, struct vnode *vp,
+mac_lomac_kld_check_load(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
struct mac_lomac *subj, *obj;
@@ -1781,7 +1785,7 @@ mac_lomac_check_kld_load(struct ucred *cred, struct vnode *vp,
}
static int
-mac_lomac_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp,
+mac_lomac_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp,
struct label *pplabel, unsigned long cmd, void /* caddr_t */ *data)
{
@@ -1794,7 +1798,7 @@ mac_lomac_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp,
}
static int
-mac_lomac_check_pipe_read(struct ucred *cred, struct pipepair *pp,
+mac_lomac_pipe_check_read(struct ucred *cred, struct pipepair *pp,
struct label *pplabel)
{
struct mac_lomac *subj, *obj;
@@ -1812,7 +1816,7 @@ mac_lomac_check_pipe_read(struct ucred *cred, struct pipepair *pp,
}
static int
-mac_lomac_check_pipe_relabel(struct ucred *cred, struct pipepair *pp,
+mac_lomac_pipe_check_relabel(struct ucred *cred, struct pipepair *pp,
struct label *pplabel, struct label *newlabel)
{
struct mac_lomac *subj, *obj, *new;
@@ -1863,7 +1867,7 @@ mac_lomac_check_pipe_relabel(struct ucred *cred, struct pipepair *pp,
}
static int
-mac_lomac_check_pipe_write(struct ucred *cred, struct pipepair *pp,
+mac_lomac_pipe_check_write(struct ucred *cred, struct pipepair *pp,
struct label *pplabel)
{
struct mac_lomac *subj, *obj;
@@ -1881,7 +1885,7 @@ mac_lomac_check_pipe_write(struct ucred *cred, struct pipepair *pp,
}
static int
-mac_lomac_check_proc_debug(struct ucred *cred, struct proc *p)
+mac_lomac_proc_check_debug(struct ucred *cred, struct proc *p)
{
struct mac_lomac *subj, *obj;
@@ -1901,7 +1905,7 @@ mac_lomac_check_proc_debug(struct ucred *cred, struct proc *p)
}
static int
-mac_lomac_check_proc_sched(struct ucred *cred, struct proc *p)
+mac_lomac_proc_check_sched(struct ucred *cred, struct proc *p)
{
struct mac_lomac *subj, *obj;
@@ -1921,7 +1925,7 @@ mac_lomac_check_proc_sched(struct ucred *cred, struct proc *p)
}
static int
-mac_lomac_check_proc_signal(struct ucred *cred, struct proc *p, int signum)
+mac_lomac_proc_check_signal(struct ucred *cred, struct proc *p, int signum)
{
struct mac_lomac *subj, *obj;
@@ -1941,7 +1945,7 @@ mac_lomac_check_proc_signal(struct ucred *cred, struct proc *p, int signum)
}
static int
-mac_lomac_check_socket_deliver(struct socket *so, struct label *solabel,
+mac_lomac_socket_check_deliver(struct socket *so, struct label *solabel,
struct mbuf *m, struct label *mlabel)
{
struct mac_lomac *p, *s;
@@ -1956,7 +1960,7 @@ mac_lomac_check_socket_deliver(struct socket *so, struct label *solabel,
}
static int
-mac_lomac_check_socket_relabel(struct ucred *cred, struct socket *so,
+mac_lomac_socket_check_relabel(struct ucred *cred, struct socket *so,
struct label *solabel, struct label *newlabel)
{
struct mac_lomac *subj, *obj, *new;
@@ -2007,7 +2011,7 @@ mac_lomac_check_socket_relabel(struct ucred *cred, struct socket *so,
}
static int
-mac_lomac_check_socket_visible(struct ucred *cred, struct socket *so,
+mac_lomac_socket_check_visible(struct ucred *cred, struct socket *so,
struct label *solabel)
{
struct mac_lomac *subj, *obj;
@@ -2215,7 +2219,7 @@ mac_lomac_priv_check(struct ucred *cred, int priv)
static int
-mac_lomac_check_system_acct(struct ucred *cred, struct vnode *vp,
+mac_lomac_system_check_acct(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
struct mac_lomac *subj, *obj;
@@ -2236,7 +2240,7 @@ mac_lomac_check_system_acct(struct ucred *cred, struct vnode *vp,
}
static int
-mac_lomac_check_system_auditctl(struct ucred *cred, struct vnode *vp,
+mac_lomac_system_check_auditctl(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
struct mac_lomac *subj, *obj;
@@ -2257,7 +2261,7 @@ mac_lomac_check_system_auditctl(struct ucred *cred, struct vnode *vp,
}
static int
-mac_lomac_check_system_swapoff(struct ucred *cred, struct vnode *vp,
+mac_lomac_system_check_swapoff(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
struct mac_lomac *subj;
@@ -2274,7 +2278,7 @@ mac_lomac_check_system_swapoff(struct ucred *cred, struct vnode *vp,
}
static int
-mac_lomac_check_system_swapon(struct ucred *cred, struct vnode *vp,
+mac_lomac_system_check_swapon(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
struct mac_lomac *subj, *obj;
@@ -2295,7 +2299,7 @@ mac_lomac_check_system_swapon(struct ucred *cred, struct vnode *vp,
}
static int
-mac_lomac_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
+mac_lomac_system_check_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
void *arg1, int arg2, struct sysctl_req *req)
{
struct mac_lomac *subj;
@@ -2323,7 +2327,7 @@ mac_lomac_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
}
static int
-mac_lomac_check_vnode_create(struct ucred *cred, struct vnode *dvp,
+mac_lomac_vnode_check_create(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct componentname *cnp, struct vattr *vap)
{
struct mac_lomac *subj, *obj;
@@ -2344,7 +2348,7 @@ mac_lomac_check_vnode_create(struct ucred *cred, struct vnode *dvp,
}
static int
-mac_lomac_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
+mac_lomac_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp,
struct label *vplabel, acl_type_t type)
{
struct mac_lomac *subj, *obj;
@@ -2362,7 +2366,7 @@ mac_lomac_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
}
static int
-mac_lomac_check_vnode_link(struct ucred *cred, struct vnode *dvp,
+mac_lomac_vnode_check_link(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct vnode *vp, struct label *vplabel,
struct componentname *cnp)
{
@@ -2386,7 +2390,7 @@ mac_lomac_check_vnode_link(struct ucred *cred, struct vnode *dvp,
}
static int
-mac_lomac_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
+mac_lomac_vnode_check_mmap(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int prot, int flags)
{
struct mac_lomac *subj, *obj;
@@ -2414,7 +2418,7 @@ mac_lomac_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
}
static void
-mac_lomac_check_vnode_mmap_downgrade(struct ucred *cred, struct vnode *vp,
+mac_lomac_vnode_check_mmap_downgrade(struct ucred *cred, struct vnode *vp,
struct label *vplabel, /* XXX vm_prot_t */ int *prot)
{
struct mac_lomac *subj, *obj;
@@ -2434,7 +2438,7 @@ mac_lomac_check_vnode_mmap_downgrade(struct ucred *cred, struct vnode *vp,
}
static int
-mac_lomac_check_vnode_open(struct ucred *cred, struct vnode *vp,
+mac_lomac_vnode_check_open(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int acc_mode)
{
struct mac_lomac *subj, *obj;
@@ -2455,7 +2459,7 @@ mac_lomac_check_vnode_open(struct ucred *cred, struct vnode *vp,
}
static int
-mac_lomac_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
+mac_lomac_vnode_check_read(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp, struct label *vplabel)
{
struct mac_lomac *subj, *obj;
@@ -2473,7 +2477,7 @@ mac_lomac_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
}
static int
-mac_lomac_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
+mac_lomac_vnode_check_relabel(struct ucred *cred, struct vnode *vp,
struct label *vplabel, struct label *newlabel)
{
struct mac_lomac *old, *new, *subj;
@@ -2549,7 +2553,7 @@ mac_lomac_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
}
static int
-mac_lomac_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
+mac_lomac_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct vnode *vp, struct label *vplabel,
struct componentname *cnp)
{
@@ -2573,7 +2577,7 @@ mac_lomac_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
}
static int
-mac_lomac_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
+mac_lomac_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct vnode *vp, struct label *vplabel,
int samedir, struct componentname *cnp)
{
@@ -2599,7 +2603,7 @@ mac_lomac_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
}
static int
-mac_lomac_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
+mac_lomac_vnode_check_revoke(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
struct mac_lomac *subj, *obj;
@@ -2617,7 +2621,7 @@ mac_lomac_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
}
static int
-mac_lomac_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
+mac_lomac_vnode_check_setacl(struct ucred *cred, struct vnode *vp,
struct label *vplabel, acl_type_t type, struct acl *acl)
{
struct mac_lomac *subj, *obj;
@@ -2635,7 +2639,7 @@ mac_lomac_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
}
static int
-mac_lomac_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
+mac_lomac_vnode_check_setextattr(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int attrnamespace, const char *name,
struct uio *uio)
{
@@ -2656,7 +2660,7 @@ mac_lomac_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
}
static int
-mac_lomac_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
+mac_lomac_vnode_check_setflags(struct ucred *cred, struct vnode *vp,
struct label *vplabel, u_long flags)
{
struct mac_lomac *subj, *obj;
@@ -2674,7 +2678,7 @@ mac_lomac_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
}
static int
-mac_lomac_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
+mac_lomac_vnode_check_setmode(struct ucred *cred, struct vnode *vp,
struct label *vplabel, mode_t mode)
{
struct mac_lomac *subj, *obj;
@@ -2692,7 +2696,7 @@ mac_lomac_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
}
static int
-mac_lomac_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
+mac_lomac_vnode_check_setowner(struct ucred *cred, struct vnode *vp,
struct label *vplabel, uid_t uid, gid_t gid)
{
struct mac_lomac *subj, *obj;
@@ -2710,7 +2714,7 @@ mac_lomac_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
}
static int
-mac_lomac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
+mac_lomac_vnode_check_setutimes(struct ucred *cred, struct vnode *vp,
struct label *vplabel, struct timespec atime, struct timespec mtime)
{
struct mac_lomac *subj, *obj;
@@ -2728,7 +2732,7 @@ mac_lomac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
}
static int
-mac_lomac_check_vnode_unlink(struct ucred *cred, struct vnode *dvp,
+mac_lomac_vnode_check_unlink(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct vnode *vp, struct label *vplabel,
struct componentname *cnp)
{
@@ -2752,7 +2756,7 @@ mac_lomac_check_vnode_unlink(struct ucred *cred, struct vnode *dvp,
}
static int
-mac_lomac_check_vnode_write(struct ucred *active_cred,
+mac_lomac_vnode_check_write(struct ucred *active_cred,
struct ucred *file_cred, struct vnode *vp, struct label *vplabel)
{
struct mac_lomac *subj, *obj;
@@ -2818,140 +2822,141 @@ mac_lomac_thread_userret(struct thread *td)
static struct mac_policy_ops mac_lomac_ops =
{
.mpo_init = mac_lomac_init,
- .mpo_init_bpfdesc_label = mac_lomac_init_label,
- .mpo_init_cred_label = mac_lomac_init_label,
- .mpo_init_devfs_label = mac_lomac_init_label,
- .mpo_init_ifnet_label = mac_lomac_init_label,
+ .mpo_bpfdesc_init_label = mac_lomac_init_label,
+ .mpo_cred_init_label = mac_lomac_init_label,
+ .mpo_devfs_init_label = mac_lomac_init_label,
+ .mpo_ifnet_init_label = mac_lomac_init_label,
.mpo_init_syncache_label = mac_lomac_init_label_waitcheck,
- .mpo_init_inpcb_label = mac_lomac_init_label_waitcheck,
- .mpo_init_ipq_label = mac_lomac_init_label_waitcheck,
- .mpo_init_mbuf_label = mac_lomac_init_label_waitcheck,
- .mpo_init_mount_label = mac_lomac_init_label,
- .mpo_init_pipe_label = mac_lomac_init_label,
- .mpo_init_proc_label = mac_lomac_init_proc_label,
- .mpo_init_socket_label = mac_lomac_init_label_waitcheck,
- .mpo_init_socket_peer_label = mac_lomac_init_label_waitcheck,
- .mpo_init_vnode_label = mac_lomac_init_label,
+ .mpo_inpcb_init_label = mac_lomac_init_label_waitcheck,
+ .mpo_ipq_init_label = mac_lomac_init_label_waitcheck,
+ .mpo_mbuf_init_label = mac_lomac_init_label_waitcheck,
+ .mpo_mount_init_label = mac_lomac_init_label,
+ .mpo_pipe_init_label = mac_lomac_init_label,
+ .mpo_proc_init_label = mac_lomac_proc_init_label,
+ .mpo_socket_init_label = mac_lomac_init_label_waitcheck,
+ .mpo_socketpeer_init_label = mac_lomac_init_label_waitcheck,
+ .mpo_vnode_init_label = mac_lomac_init_label,
.mpo_init_syncache_from_inpcb = mac_lomac_init_syncache_from_inpcb,
- .mpo_destroy_bpfdesc_label = mac_lomac_destroy_label,
- .mpo_destroy_cred_label = mac_lomac_destroy_label,
- .mpo_destroy_devfs_label = mac_lomac_destroy_label,
- .mpo_destroy_ifnet_label = mac_lomac_destroy_label,
- .mpo_destroy_inpcb_label = mac_lomac_destroy_label,
- .mpo_destroy_ipq_label = mac_lomac_destroy_label,
- .mpo_destroy_mbuf_label = mac_lomac_destroy_label,
- .mpo_destroy_mount_label = mac_lomac_destroy_label,
- .mpo_destroy_pipe_label = mac_lomac_destroy_label,
- .mpo_destroy_proc_label = mac_lomac_destroy_proc_label,
+ .mpo_bpfdesc_destroy_label = mac_lomac_destroy_label,
+ .mpo_cred_destroy_label = mac_lomac_destroy_label,
+ .mpo_devfs_destroy_label = mac_lomac_destroy_label,
+ .mpo_ifnet_destroy_label = mac_lomac_destroy_label,
+ .mpo_inpcb_destroy_label = mac_lomac_destroy_label,
+ .mpo_ipq_destroy_label = mac_lomac_destroy_label,
+ .mpo_mbuf_destroy_label = mac_lomac_destroy_label,
+ .mpo_mount_destroy_label = mac_lomac_destroy_label,
+ .mpo_pipe_destroy_label = mac_lomac_destroy_label,
+ .mpo_proc_destroy_label = mac_lomac_proc_destroy_label,
.mpo_destroy_syncache_label = mac_lomac_destroy_label,
- .mpo_destroy_socket_label = mac_lomac_destroy_label,
- .mpo_destroy_socket_peer_label = mac_lomac_destroy_label,
- .mpo_destroy_vnode_label = mac_lomac_destroy_label,
- .mpo_copy_cred_label = mac_lomac_copy_label,
- .mpo_copy_ifnet_label = mac_lomac_copy_label,
- .mpo_copy_mbuf_label = mac_lomac_copy_label,
- .mpo_copy_pipe_label = mac_lomac_copy_label,
- .mpo_copy_socket_label = mac_lomac_copy_label,
- .mpo_copy_vnode_label = mac_lomac_copy_label,
- .mpo_externalize_cred_label = mac_lomac_externalize_label,
- .mpo_externalize_ifnet_label = mac_lomac_externalize_label,
- .mpo_externalize_pipe_label = mac_lomac_externalize_label,
- .mpo_externalize_socket_label = mac_lomac_externalize_label,
- .mpo_externalize_socket_peer_label = mac_lomac_externalize_label,
- .mpo_externalize_vnode_label = mac_lomac_externalize_label,
- .mpo_internalize_cred_label = mac_lomac_internalize_label,
- .mpo_internalize_ifnet_label = mac_lomac_internalize_label,
- .mpo_internalize_pipe_label = mac_lomac_internalize_label,
- .mpo_internalize_socket_label = mac_lomac_internalize_label,
- .mpo_internalize_vnode_label = mac_lomac_internalize_label,
- .mpo_create_devfs_device = mac_lomac_create_devfs_device,
- .mpo_create_devfs_directory = mac_lomac_create_devfs_directory,
- .mpo_create_devfs_symlink = mac_lomac_create_devfs_symlink,
- .mpo_create_mount = mac_lomac_create_mount,
- .mpo_relabel_vnode = mac_lomac_relabel_vnode,
- .mpo_update_devfs = mac_lomac_update_devfs,
- .mpo_associate_vnode_devfs = mac_lomac_associate_vnode_devfs,
- .mpo_associate_vnode_extattr = mac_lomac_associate_vnode_extattr,
- .mpo_associate_vnode_singlelabel =
- mac_lomac_associate_vnode_singlelabel,
- .mpo_create_vnode_extattr = mac_lomac_create_vnode_extattr,
- .mpo_setlabel_vnode_extattr = mac_lomac_setlabel_vnode_extattr,
- .mpo_create_mbuf_from_socket = mac_lomac_create_mbuf_from_socket,
+ .mpo_socket_destroy_label = mac_lomac_destroy_label,
+ .mpo_socketpeer_destroy_label = mac_lomac_destroy_label,
+ .mpo_vnode_destroy_label = mac_lomac_destroy_label,
+ .mpo_cred_copy_label = mac_lomac_copy_label,
+ .mpo_ifnet_copy_label = mac_lomac_copy_label,
+ .mpo_mbuf_copy_label = mac_lomac_copy_label,
+ .mpo_pipe_copy_label = mac_lomac_copy_label,
+ .mpo_socket_copy_label = mac_lomac_copy_label,
+ .mpo_vnode_copy_label = mac_lomac_copy_label,
+ .mpo_cred_externalize_label = mac_lomac_externalize_label,
+ .mpo_ifnet_externalize_label = mac_lomac_externalize_label,
+ .mpo_pipe_externalize_label = mac_lomac_externalize_label,
+ .mpo_socket_externalize_label = mac_lomac_externalize_label,
+ .mpo_socketpeer_externalize_label = mac_lomac_externalize_label,
+ .mpo_vnode_externalize_label = mac_lomac_externalize_label,
+ .mpo_cred_internalize_label = mac_lomac_internalize_label,
+ .mpo_ifnet_internalize_label = mac_lomac_internalize_label,
+ .mpo_pipe_internalize_label = mac_lomac_internalize_label,
+ .mpo_socket_internalize_label = mac_lomac_internalize_label,
+ .mpo_vnode_internalize_label = mac_lomac_internalize_label,
+ .mpo_devfs_create_device = mac_lomac_devfs_create_device,
+ .mpo_devfs_create_directory = mac_lomac_devfs_create_directory,
+ .mpo_devfs_create_symlink = mac_lomac_devfs_create_symlink,
+ .mpo_mount_create = mac_lomac_mount_create,
+ .mpo_vnode_relabel = mac_lomac_vnode_relabel,
+ .mpo_devfs_update = mac_lomac_devfs_update,
+ .mpo_devfs_vnode_associate = mac_lomac_devfs_vnode_associate,
+ .mpo_vnode_associate_extattr = mac_lomac_vnode_associate_extattr,
+ .mpo_vnode_associate_singlelabel =
+ mac_lomac_vnode_associate_singlelabel,
+ .mpo_vnode_create_extattr = mac_lomac_vnode_create_extattr,
+ .mpo_vnode_setlabel_extattr = mac_lomac_vnode_setlabel_extattr,
+ .mpo_socket_create_mbuf = mac_lomac_socket_create_mbuf,
.mpo_create_mbuf_from_syncache = mac_lomac_create_mbuf_from_syncache,
- .mpo_create_pipe = mac_lomac_create_pipe,
- .mpo_create_socket = mac_lomac_create_socket,
- .mpo_create_socket_from_socket = mac_lomac_create_socket_from_socket,
- .mpo_relabel_pipe = mac_lomac_relabel_pipe,
- .mpo_relabel_socket = mac_lomac_relabel_socket,
- .mpo_set_socket_peer_from_mbuf = mac_lomac_set_socket_peer_from_mbuf,
- .mpo_set_socket_peer_from_socket =
- mac_lomac_set_socket_peer_from_socket,
- .mpo_create_bpfdesc = mac_lomac_create_bpfdesc,
- .mpo_create_datagram_from_ipq = mac_lomac_create_datagram_from_ipq,
- .mpo_create_fragment = mac_lomac_create_fragment,
- .mpo_create_ifnet = mac_lomac_create_ifnet,
- .mpo_create_inpcb_from_socket = mac_lomac_create_inpcb_from_socket,
- .mpo_create_ipq = mac_lomac_create_ipq,
- .mpo_create_mbuf_from_inpcb = mac_lomac_create_mbuf_from_inpcb,
+ .mpo_pipe_create = mac_lomac_pipe_create,
+ .mpo_socket_create = mac_lomac_socket_create,
+ .mpo_socket_newconn = mac_lomac_socket_newconn,
+ .mpo_pipe_relabel = mac_lomac_pipe_relabel,
+ .mpo_socket_relabel = mac_lomac_socket_relabel,
+ .mpo_socketpeer_set_from_mbuf = mac_lomac_socketpeer_set_from_mbuf,
+ .mpo_socketpeer_set_from_socket =
+ mac_lomac_socketpeer_set_from_socket,
+ .mpo_bpfdesc_create = mac_lomac_bpfdesc_create,
+ .mpo_ipq_reassemble = mac_lomac_ipq_reassemble,
+ .mpo_netinet_fragment = mac_lomac_netinet_fragment,
+ .mpo_ifnet_create = mac_lomac_ifnet_create,
+ .mpo_inpcb_create = mac_lomac_inpcb_create,
+ .mpo_ipq_create = mac_lomac_ipq_create,
+ .mpo_inpcb_create_mbuf = mac_lomac_inpcb_create_mbuf,
.mpo_create_mbuf_linklayer = mac_lomac_create_mbuf_linklayer,
- .mpo_create_mbuf_from_bpfdesc = mac_lomac_create_mbuf_from_bpfdesc,
- .mpo_create_mbuf_from_ifnet = mac_lomac_create_mbuf_from_ifnet,
- .mpo_create_mbuf_multicast_encap =
- mac_lomac_create_mbuf_multicast_encap,
- .mpo_create_mbuf_netlayer = mac_lomac_create_mbuf_netlayer,
- .mpo_fragment_match = mac_lomac_fragment_match,
- .mpo_relabel_ifnet = mac_lomac_relabel_ifnet,
- .mpo_update_ipq = mac_lomac_update_ipq,
+ .mpo_bpfdesc_create_mbuf = mac_lomac_bpfdesc_create_mbuf,
+ .mpo_ifnet_create_mbuf = mac_lomac_ifnet_create_mbuf,
+ .mpo_mbuf_create_multicast_encap =
+ mac_lomac_mbuf_create_multicast_encap,
+ .mpo_mbuf_create_netlayer = mac_lomac_mbuf_create_netlayer,
+ .mpo_ipq_match = mac_lomac_ipq_match,
+ .mpo_ifnet_relabel = mac_lomac_ifnet_relabel,
+ .mpo_ipq_update = mac_lomac_ipq_update,
.mpo_inpcb_sosetlabel = mac_lomac_inpcb_sosetlabel,
- .mpo_execve_transition = mac_lomac_execve_transition,
- .mpo_execve_will_transition = mac_lomac_execve_will_transition,
- .mpo_create_proc0 = mac_lomac_create_proc0,
- .mpo_create_proc1 = mac_lomac_create_proc1,
- .mpo_relabel_cred = mac_lomac_relabel_cred,
- .mpo_check_bpfdesc_receive = mac_lomac_check_bpfdesc_receive,
- .mpo_check_cred_relabel = mac_lomac_check_cred_relabel,
- .mpo_check_cred_visible = mac_lomac_check_cred_visible,
- .mpo_check_ifnet_relabel = mac_lomac_check_ifnet_relabel,
- .mpo_check_ifnet_transmit = mac_lomac_check_ifnet_transmit,
- .mpo_check_inpcb_deliver = mac_lomac_check_inpcb_deliver,
- .mpo_check_kld_load = mac_lomac_check_kld_load,
- .mpo_check_pipe_ioctl = mac_lomac_check_pipe_ioctl,
- .mpo_check_pipe_read = mac_lomac_check_pipe_read,
- .mpo_check_pipe_relabel = mac_lomac_check_pipe_relabel,
- .mpo_check_pipe_write = mac_lomac_check_pipe_write,
- .mpo_check_proc_debug = mac_lomac_check_proc_debug,
- .mpo_check_proc_sched = mac_lomac_check_proc_sched,
- .mpo_check_proc_signal = mac_lomac_check_proc_signal,
- .mpo_check_socket_deliver = mac_lomac_check_socket_deliver,
- .mpo_check_socket_relabel = mac_lomac_check_socket_relabel,
- .mpo_check_socket_visible = mac_lomac_check_socket_visible,
- .mpo_check_system_acct = mac_lomac_check_system_acct,
- .mpo_check_system_auditctl = mac_lomac_check_system_auditctl,
- .mpo_check_system_swapoff = mac_lomac_check_system_swapoff,
- .mpo_check_system_swapon = mac_lomac_check_system_swapon,
- .mpo_check_system_sysctl = mac_lomac_check_system_sysctl,
- .mpo_check_vnode_access = mac_lomac_check_vnode_open,
- .mpo_check_vnode_create = mac_lomac_check_vnode_create,
- .mpo_check_vnode_deleteacl = mac_lomac_check_vnode_deleteacl,
- .mpo_check_vnode_link = mac_lomac_check_vnode_link,
- .mpo_check_vnode_mmap = mac_lomac_check_vnode_mmap,
- .mpo_check_vnode_mmap_downgrade = mac_lomac_check_vnode_mmap_downgrade,
- .mpo_check_vnode_open = mac_lomac_check_vnode_open,
- .mpo_check_vnode_read = mac_lomac_check_vnode_read,
- .mpo_check_vnode_relabel = mac_lomac_check_vnode_relabel,
- .mpo_check_vnode_rename_from = mac_lomac_check_vnode_rename_from,
- .mpo_check_vnode_rename_to = mac_lomac_check_vnode_rename_to,
- .mpo_check_vnode_revoke = mac_lomac_check_vnode_revoke,
- .mpo_check_vnode_setacl = mac_lomac_check_vnode_setacl,
- .mpo_check_vnode_setextattr = mac_lomac_check_vnode_setextattr,
- .mpo_check_vnode_setflags = mac_lomac_check_vnode_setflags,
- .mpo_check_vnode_setmode = mac_lomac_check_vnode_setmode,
- .mpo_check_vnode_setowner = mac_lomac_check_vnode_setowner,
- .mpo_check_vnode_setutimes = mac_lomac_check_vnode_setutimes,
- .mpo_check_vnode_unlink = mac_lomac_check_vnode_unlink,
- .mpo_check_vnode_write = mac_lomac_check_vnode_write,
+ .mpo_vnode_execve_transition = mac_lomac_vnode_execve_transition,
+ .mpo_vnode_execve_will_transition =
+ mac_lomac_vnode_execve_will_transition,
+ .mpo_proc_create_swapper = mac_lomac_proc_create_swapper,
+ .mpo_proc_create_init = mac_lomac_proc_create_init,
+ .mpo_cred_relabel = mac_lomac_cred_relabel,
+ .mpo_bpfdesc_check_receive = mac_lomac_bpfdesc_check_receive,
+ .mpo_cred_check_relabel = mac_lomac_cred_check_relabel,
+ .mpo_cred_check_visible = mac_lomac_cred_check_visible,
+ .mpo_ifnet_check_relabel = mac_lomac_ifnet_check_relabel,
+ .mpo_ifnet_check_transmit = mac_lomac_ifnet_check_transmit,
+ .mpo_inpcb_check_deliver = mac_lomac_inpcb_check_deliver,
+ .mpo_kld_check_load = mac_lomac_kld_check_load,
+ .mpo_pipe_check_ioctl = mac_lomac_pipe_check_ioctl,
+ .mpo_pipe_check_read = mac_lomac_pipe_check_read,
+ .mpo_pipe_check_relabel = mac_lomac_pipe_check_relabel,
+ .mpo_pipe_check_write = mac_lomac_pipe_check_write,
+ .mpo_proc_check_debug = mac_lomac_proc_check_debug,
+ .mpo_proc_check_sched = mac_lomac_proc_check_sched,
+ .mpo_proc_check_signal = mac_lomac_proc_check_signal,
+ .mpo_socket_check_deliver = mac_lomac_socket_check_deliver,
+ .mpo_socket_check_relabel = mac_lomac_socket_check_relabel,
+ .mpo_socket_check_visible = mac_lomac_socket_check_visible,
+ .mpo_system_check_acct = mac_lomac_system_check_acct,
+ .mpo_system_check_auditctl = mac_lomac_system_check_auditctl,
+ .mpo_system_check_swapoff = mac_lomac_system_check_swapoff,
+ .mpo_system_check_swapon = mac_lomac_system_check_swapon,
+ .mpo_system_check_sysctl = mac_lomac_system_check_sysctl,
+ .mpo_vnode_check_access = mac_lomac_vnode_check_open,
+ .mpo_vnode_check_create = mac_lomac_vnode_check_create,
+ .mpo_vnode_check_deleteacl = mac_lomac_vnode_check_deleteacl,
+ .mpo_vnode_check_link = mac_lomac_vnode_check_link,
+ .mpo_vnode_check_mmap = mac_lomac_vnode_check_mmap,
+ .mpo_vnode_check_mmap_downgrade = mac_lomac_vnode_check_mmap_downgrade,
+ .mpo_vnode_check_open = mac_lomac_vnode_check_open,
+ .mpo_vnode_check_read = mac_lomac_vnode_check_read,
+ .mpo_vnode_check_relabel = mac_lomac_vnode_check_relabel,
+ .mpo_vnode_check_rename_from = mac_lomac_vnode_check_rename_from,
+ .mpo_vnode_check_rename_to = mac_lomac_vnode_check_rename_to,
+ .mpo_vnode_check_revoke = mac_lomac_vnode_check_revoke,
+ .mpo_vnode_check_setacl = mac_lomac_vnode_check_setacl,
+ .mpo_vnode_check_setextattr = mac_lomac_vnode_check_setextattr,
+ .mpo_vnode_check_setflags = mac_lomac_vnode_check_setflags,
+ .mpo_vnode_check_setmode = mac_lomac_vnode_check_setmode,
+ .mpo_vnode_check_setowner = mac_lomac_vnode_check_setowner,
+ .mpo_vnode_check_setutimes = mac_lomac_vnode_check_setutimes,
+ .mpo_vnode_check_unlink = mac_lomac_vnode_check_unlink,
+ .mpo_vnode_check_write = mac_lomac_vnode_check_write,
.mpo_thread_userret = mac_lomac_thread_userret,
- .mpo_create_mbuf_from_firewall = mac_lomac_create_mbuf_from_firewall,
+ .mpo_mbuf_create_from_firewall = mac_lomac_mbuf_create_from_firewall,
.mpo_priv_check = mac_lomac_priv_check,
};
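Review bot: The rename leaves several entries in this table on the old verb-first scheme: `.mpo_init_syncache_label`, `.mpo_init_syncache_from_inpcb`, `.mpo_destroy_syncache_label`, `.mpo_create_mbuf_from_syncache` and `.mpo_create_mbuf_linklayer` are unchanged context lines sitting among `mpo_<object>_<method>` neighbours. The reason is not visible in this hunk; if they are deferred on purpose, a comment above them such as `/* syncache and link-layer entry points keep their old names for now */` would stop a reader taking them for missed renames. Separately, `.mpo_vnode_check_access = mac_lomac_vnode_check_open` carries over the existing reuse of the open check for the access slot. In a MAC policy table the slot-to-handler wiring decides which check enforces an operation, so I would record that reuse with `/* access checks reuse the open check */`.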
diff --git a/sys/security/mac_mls/mac_mls.c b/sys/security/mac_mls/mac_mls.c
index 0a84ae1..ea62f3f 100644
--- a/sys/security/mac_mls/mac_mls.c
+++ b/sys/security/mac_mls/mac_mls.c
@@ -1,6 +1,7 @@
/*-
* Copyright (c) 1999-2002 Robert N. M. Watson
* Copyright (c) 2001-2005 McAfee, Inc.
+ * Copyright (c) 2006 SPARTA, Inc.
* All rights reserved.
*
* This software was developed by Robert Watson for the TrustedBSD Project.
@@ -10,6 +11,9 @@
* DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA
* CHATS research program.
*
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract
+ * N66001-04-C-6019 ("SEFOS").
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -745,7 +749,7 @@ mac_mls_copy_label(struct label *src, struct label *dest)
* a lot like file system objects.
*/
static void
-mac_mls_create_devfs_device(struct ucred *cred, struct mount *mp,
+mac_mls_devfs_create_device(struct ucred *cred, struct mount *mp,
struct cdev *dev, struct devfs_dirent *de, struct label *delabel)
{
struct mac_mls *mac_mls;
@@ -770,7 +774,7 @@ mac_mls_create_devfs_device(struct ucred *cred, struct mount *mp,
}
static void
-mac_mls_create_devfs_directory(struct mount *mp, char *dirname,
+mac_mls_devfs_create_directory(struct mount *mp, char *dirname,
int dirnamelen, struct devfs_dirent *de, struct label *delabel)
{
struct mac_mls *mac_mls;
@@ -780,7 +784,7 @@ mac_mls_create_devfs_directory(struct mount *mp, char *dirname,
}
static void
-mac_mls_create_devfs_symlink(struct ucred *cred, struct mount *mp,
+mac_mls_devfs_create_symlink(struct ucred *cred, struct mount *mp,
struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de,
struct label *delabel)
{
@@ -793,7 +797,7 @@ mac_mls_create_devfs_symlink(struct ucred *cred, struct mount *mp,
}
static void
-mac_mls_create_mount(struct ucred *cred, struct mount *mp,
+mac_mls_mount_create(struct ucred *cred, struct mount *mp,
struct label *mplabel)
{
struct mac_mls *source, *dest;
@@ -804,7 +808,7 @@ mac_mls_create_mount(struct ucred *cred, struct mount *mp,
}
static void
-mac_mls_relabel_vnode(struct ucred *cred, struct vnode *vp,
+mac_mls_vnode_relabel(struct ucred *cred, struct vnode *vp,
struct label *vplabel, struct label *label)
{
struct mac_mls *source, *dest;
@@ -816,7 +820,7 @@ mac_mls_relabel_vnode(struct ucred *cred, struct vnode *vp,
}
static void
-mac_mls_update_devfs(struct mount *mp, struct devfs_dirent *de,
+mac_mls_devfs_update(struct mount *mp, struct devfs_dirent *de,
struct label *delabel, struct vnode *vp, struct label *vplabel)
{
struct mac_mls *source, *dest;
@@ -828,7 +832,7 @@ mac_mls_update_devfs(struct mount *mp, struct devfs_dirent *de,
}
static void
-mac_mls_associate_vnode_devfs(struct mount *mp, struct label *mplabel,
+mac_mls_devfs_vnode_associate(struct mount *mp, struct label *mplabel,
struct devfs_dirent *de, struct label *delabel, struct vnode *vp,
struct label *vplabel)
{
@@ -841,7 +845,7 @@ mac_mls_associate_vnode_devfs(struct mount *mp, struct label *mplabel,
}
static int
-mac_mls_associate_vnode_extattr(struct mount *mp, struct label *mplabel,
+mac_mls_vnode_associate_extattr(struct mount *mp, struct label *mplabel,
struct vnode *vp, struct label *vplabel)
{
struct mac_mls temp, *source, *dest;
@@ -863,12 +867,12 @@ mac_mls_associate_vnode_extattr(struct mount *mp, struct label *mplabel,
return (error);
if (buflen != sizeof(temp)) {
- printf("mac_mls_associate_vnode_extattr: bad size %d\n",
+ printf("mac_mls_vnode_associate_extattr: bad size %d\n",
buflen);
return (EPERM);
}
if (mac_mls_valid(&temp) != 0) {
- printf("mac_mls_associate_vnode_extattr: invalid\n");
+ printf("mac_mls_vnode_associate_extattr: invalid\n");
return (EPERM);
}
if ((temp.mm_flags & MAC_MLS_FLAGS_BOTH) != MAC_MLS_FLAG_EFFECTIVE) {
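Review bot: The two diagnostics in this hunk still spell the function name inside the string literal, which is why the rename had to edit them by hand. Writing them as `printf("%s: bad size %d\n", __func__, buflen);` and `printf("%s: invalid\n", __func__);` would keep them correct across future renames. The messages also do not say which vnode or mount carried the rejected label, so an administrator reading the console cannot tell which on-disk label failed the size or `mac_mls_valid()` check; if an identifier is available at this point, it is worth logging. The body of `mac_mls_vnode_associate_extattr` starts and ends outside the hunk, so the declared type of `buflen` is not visible and `%d` is assumed to match it.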
@@ -881,7 +885,7 @@ mac_mls_associate_vnode_extattr(struct mount *mp, struct label *mplabel,
}
static void
-mac_mls_associate_vnode_singlelabel(struct mount *mp,
+mac_mls_vnode_associate_singlelabel(struct mount *mp,
struct label *mplabel, struct vnode *vp, struct label *vplabel)
{
struct mac_mls *source, *dest;
@@ -893,7 +897,7 @@ mac_mls_associate_vnode_singlelabel(struct mount *mp,
}
static int
-mac_mls_create_vnode_extattr(struct ucred *cred, struct mount *mp,
+mac_mls_vnode_create_extattr(struct ucred *cred, struct mount *mp,
struct label *mplabel, struct vnode *dvp, struct label *dvplabel,
struct vnode *vp, struct label *vplabel, struct componentname *cnp)
{
@@ -916,7 +920,7 @@ mac_mls_create_vnode_extattr(struct ucred *cred, struct mount *mp,
}
static int
-mac_mls_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
+mac_mls_vnode_setlabel_extattr(struct ucred *cred, struct vnode *vp,
struct label *vplabel, struct label *intlabel)
{
struct mac_mls *source, temp;
@@ -941,7 +945,7 @@ mac_mls_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
* Labeling event operations: IPC object.
*/
static void
-mac_mls_create_inpcb_from_socket(struct socket *so, struct label *solabel,
+mac_mls_inpcb_create(struct socket *so, struct label *solabel,
struct inpcb *inp, struct label *inplabel)
{
struct mac_mls *source, *dest;
@@ -953,7 +957,7 @@ mac_mls_create_inpcb_from_socket(struct socket *so, struct label *solabel,
}
static void
-mac_mls_create_mbuf_from_socket(struct socket *so, struct label *solabel,
+mac_mls_socket_create_mbuf(struct socket *so, struct label *solabel,
struct mbuf *m, struct label *mlabel)
{
struct mac_mls *source, *dest;
@@ -965,7 +969,7 @@ mac_mls_create_mbuf_from_socket(struct socket *so, struct label *solabel,
}
static void
-mac_mls_create_socket(struct ucred *cred, struct socket *so,
+mac_mls_socket_create(struct ucred *cred, struct socket *so,
struct label *solabel)
{
struct mac_mls *source, *dest;
@@ -977,7 +981,7 @@ mac_mls_create_socket(struct ucred *cred, struct socket *so,
}
static void
-mac_mls_create_pipe(struct ucred *cred, struct pipepair *pp,
+mac_mls_pipe_create(struct ucred *cred, struct pipepair *pp,
struct label *pplabel)
{
struct mac_mls *source, *dest;
@@ -989,7 +993,7 @@ mac_mls_create_pipe(struct ucred *cred, struct pipepair *pp,
}
static void
-mac_mls_create_posix_sem(struct ucred *cred, struct ksem *ks,
+mac_mls_posixsem_create(struct ucred *cred, struct ksem *ks,
struct label *kslabel)
{
struct mac_mls *source, *dest;
@@ -1001,8 +1005,8 @@ mac_mls_create_posix_sem(struct ucred *cred, struct ksem *ks,
}
static void
-mac_mls_create_socket_from_socket(struct socket *oldso,
- struct label *oldsolabel, struct socket *newso, struct label *newsolabel)
+mac_mls_socket_newconn(struct socket *oldso, struct label *oldsolabel,
+ struct socket *newso, struct label *newsolabel)
{
struct mac_mls *source, *dest;
@@ -1013,7 +1017,7 @@ mac_mls_create_socket_from_socket(struct socket *oldso,
}
static void
-mac_mls_relabel_socket(struct ucred *cred, struct socket *so,
+mac_mls_socket_relabel(struct ucred *cred, struct socket *so,
struct label *solabel, struct label *newlabel)
{
struct mac_mls *source, *dest;
@@ -1025,7 +1029,7 @@ mac_mls_relabel_socket(struct ucred *cred, struct socket *so,
}
static void
-mac_mls_relabel_pipe(struct ucred *cred, struct pipepair *pp,
+mac_mls_pipe_relabel(struct ucred *cred, struct pipepair *pp,
struct label *pplabel, struct label *newlabel)
{
struct mac_mls *source, *dest;
@@ -1037,7 +1041,7 @@ mac_mls_relabel_pipe(struct ucred *cred, struct pipepair *pp,
}
static void
-mac_mls_set_socket_peer_from_mbuf(struct mbuf *m, struct label *mlabel,
+mac_mls_socketpeer_set_from_mbuf(struct mbuf *m, struct label *mlabel,
struct socket *so, struct label *sopeerlabel)
{
struct mac_mls *source, *dest;
@@ -1052,7 +1056,7 @@ mac_mls_set_socket_peer_from_mbuf(struct mbuf *m, struct label *mlabel,
* Labeling event operations: System V IPC objects.
*/
static void
-mac_mls_create_sysv_msgmsg(struct ucred *cred, struct msqid_kernel *msqkptr,
+mac_mls_sysvmsg_create(struct ucred *cred, struct msqid_kernel *msqkptr,
struct label *msqlabel, struct msg *msgptr, struct label *msglabel)
{
struct mac_mls *source, *dest;
@@ -1065,7 +1069,7 @@ mac_mls_create_sysv_msgmsg(struct ucred *cred, struct msqid_kernel *msqkptr,
}
static void
-mac_mls_create_sysv_msgqueue(struct ucred *cred, struct msqid_kernel *msqkptr,
+mac_mls_sysvmsq_create(struct ucred *cred, struct msqid_kernel *msqkptr,
struct label *msqlabel)
{
struct mac_mls *source, *dest;
@@ -1077,7 +1081,7 @@ mac_mls_create_sysv_msgqueue(struct ucred *cred, struct msqid_kernel *msqkptr,
}
static void
-mac_mls_create_sysv_sem(struct ucred *cred, struct semid_kernel *semakptr,
+mac_mls_sysvsem_create(struct ucred *cred, struct semid_kernel *semakptr,
struct label *semalabel)
{
struct mac_mls *source, *dest;
@@ -1089,7 +1093,7 @@ mac_mls_create_sysv_sem(struct ucred *cred, struct semid_kernel *semakptr,
}
static void
-mac_mls_create_sysv_shm(struct ucred *cred, struct shmid_kernel *shmsegptr,
+mac_mls_sysvshm_create(struct ucred *cred, struct shmid_kernel *shmsegptr,
struct label *shmlabel)
{
struct mac_mls *source, *dest;
@@ -1104,7 +1108,7 @@ mac_mls_create_sysv_shm(struct ucred *cred, struct shmid_kernel *shmsegptr,
* Labeling event operations: network objects.
*/
static void
-mac_mls_set_socket_peer_from_socket(struct socket *oldso,
+mac_mls_socketpeer_set_from_socket(struct socket *oldso,
struct label *oldsolabel, struct socket *newso,
struct label *newsopeerlabel)
{
@@ -1117,7 +1121,7 @@ mac_mls_set_socket_peer_from_socket(struct socket *oldso,
}
static void
-mac_mls_create_bpfdesc(struct ucred *cred, struct bpf_d *d,
+mac_mls_bpfdesc_create(struct ucred *cred, struct bpf_d *d,
struct label *dlabel)
{
struct mac_mls *source, *dest;
@@ -1129,7 +1133,7 @@ mac_mls_create_bpfdesc(struct ucred *cred, struct bpf_d *d,
}
static void
-mac_mls_create_ifnet(struct ifnet *ifp, struct label *ifplabel)
+mac_mls_ifnet_create(struct ifnet *ifp, struct label *ifplabel)
{
struct mac_mls *dest;
int type;
@@ -1146,7 +1150,7 @@ mac_mls_create_ifnet(struct ifnet *ifp, struct label *ifplabel)
}
static void
-mac_mls_create_ipq(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
+mac_mls_ipq_create(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
struct label *ipqlabel)
{
struct mac_mls *source, *dest;
@@ -1158,7 +1162,7 @@ mac_mls_create_ipq(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
}
static void
-mac_mls_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel,
+mac_mls_ipq_reassemble(struct ipq *ipq, struct label *ipqlabel,
struct mbuf *m, struct label *mlabel)
{
struct mac_mls *source, *dest;
@@ -1171,7 +1175,7 @@ mac_mls_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel,
}
static void
-mac_mls_create_fragment(struct mbuf *m, struct label *mlabel,
+mac_mls_netinet_fragment(struct mbuf *m, struct label *mlabel,
struct mbuf *frag, struct label *fraglabel)
{
struct mac_mls *source, *dest;
@@ -1183,7 +1187,7 @@ mac_mls_create_fragment(struct mbuf *m, struct label *mlabel,
}
static void
-mac_mls_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel,
+mac_mls_inpcb_create_mbuf(struct inpcb *inp, struct label *inplabel,
struct mbuf *m, struct label *mlabel)
{
struct mac_mls *source, *dest;
@@ -1206,7 +1210,7 @@ mac_mls_create_mbuf_linklayer(struct ifnet *ifp, struct label *ifplabel,
}
static void
-mac_mls_create_mbuf_from_bpfdesc(struct bpf_d *d, struct label *dlabel,
+mac_mls_bpfdesc_create_mbuf(struct bpf_d *d, struct label *dlabel,
struct mbuf *m, struct label *mlabel)
{
struct mac_mls *source, *dest;
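Review bot: The header of this hunk still names `mac_mls_create_mbuf_linklayer`, and the header of the later proc0 hunk names `mac_mls_create_mbuf_from_syncache`. Both functions therefore appear to keep the verb-first spelling while their neighbours move to object-first names such as `mac_mls_bpfdesc_create_mbuf`. If they are not renamed elsewhere in the commit, the file ends up with two conventions side by side. Either rename them in the same pass or put a comment such as `/* XXX: not yet renamed to the object_method convention */` above each so the gap is visibly deliberate. Both definitions lie outside the visible hunks, so this is inferred from the hunk headers only.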
@@ -1218,7 +1222,7 @@ mac_mls_create_mbuf_from_bpfdesc(struct bpf_d *d, struct label *dlabel,
}
static void
-mac_mls_create_mbuf_from_ifnet(struct ifnet *ifp, struct label *ifplabel,
+mac_mls_ifnet_create_mbuf(struct ifnet *ifp, struct label *ifplabel,
struct mbuf *m, struct label *mlabel)
{
struct mac_mls *source, *dest;
@@ -1230,7 +1234,7 @@ mac_mls_create_mbuf_from_ifnet(struct ifnet *ifp, struct label *ifplabel,
}
static void
-mac_mls_create_mbuf_multicast_encap(struct mbuf *m, struct label *mlabel,
+mac_mls_mbuf_create_multicast_encap(struct mbuf *m, struct label *mlabel,
struct ifnet *ifp, struct label *ifplabel, struct mbuf *mnew,
struct label *mnewlabel)
{
@@ -1243,7 +1247,7 @@ mac_mls_create_mbuf_multicast_encap(struct mbuf *m, struct label *mlabel,
}
static void
-mac_mls_create_mbuf_netlayer(struct mbuf *m, struct label *mlabel,
+mac_mls_mbuf_create_netlayer(struct mbuf *m, struct label *mlabel,
struct mbuf *mnew, struct label *mnewlabel)
{
struct mac_mls *source, *dest;
@@ -1255,7 +1259,7 @@ mac_mls_create_mbuf_netlayer(struct mbuf *m, struct label *mlabel,
}
static int
-mac_mls_fragment_match(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
+mac_mls_ipq_match(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
struct label *ipqlabel)
{
struct mac_mls *a, *b;
@@ -1267,7 +1271,7 @@ mac_mls_fragment_match(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
}
static void
-mac_mls_relabel_ifnet(struct ucred *cred, struct ifnet *ifp,
+mac_mls_ifnet_relabel(struct ucred *cred, struct ifnet *ifp,
struct label *ifplabel, struct label *newlabel)
{
struct mac_mls *source, *dest;
@@ -1279,7 +1283,7 @@ mac_mls_relabel_ifnet(struct ucred *cred, struct ifnet *ifp,
}
static void
-mac_mls_update_ipq(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
+mac_mls_ipq_update(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
struct label *ipqlabel)
{
@@ -1299,7 +1303,7 @@ mac_mls_inpcb_sosetlabel(struct socket *so, struct label *solabel,
}
static void
-mac_mls_create_mbuf_from_firewall(struct mbuf *m, struct label *mlabel)
+mac_mls_mbuf_create_from_firewall(struct mbuf *m, struct label *mlabel)
{
struct mac_mls *dest;
@@ -1334,7 +1338,7 @@ mac_mls_create_mbuf_from_syncache(struct label *sc_label, struct mbuf *m,
* Labeling event operations: processes.
*/
static void
-mac_mls_create_proc0(struct ucred *cred)
+mac_mls_proc_create_swapper(struct ucred *cred)
{
struct mac_mls *dest;
@@ -1346,7 +1350,7 @@ mac_mls_create_proc0(struct ucred *cred)
}
static void
-mac_mls_create_proc1(struct ucred *cred)
+mac_mls_proc_create_init(struct ucred *cred)
{
struct mac_mls *dest;
@@ -1358,7 +1362,7 @@ mac_mls_create_proc1(struct ucred *cred)
}
static void
-mac_mls_relabel_cred(struct ucred *cred, struct label *newlabel)
+mac_mls_cred_relabel(struct ucred *cred, struct label *newlabel)
{
struct mac_mls *source, *dest;
@@ -1372,28 +1376,28 @@ mac_mls_relabel_cred(struct ucred *cred, struct label *newlabel)
* Label cleanup/flush operations.
*/
static void
-mac_mls_cleanup_sysv_msgmsg(struct label *msglabel)
+mac_mls_sysvmsg_cleanup(struct label *msglabel)
{
bzero(SLOT(msglabel), sizeof(struct mac_mls));
}
static void
-mac_mls_cleanup_sysv_msgqueue(struct label *msqlabel)
+mac_mls_sysvmsq_cleanup(struct label *msqlabel)
{
bzero(SLOT(msqlabel), sizeof(struct mac_mls));
}
static void
-mac_mls_cleanup_sysv_sem(struct label *semalabel)
+mac_mls_sysvsem_cleanup(struct label *semalabel)
{
bzero(SLOT(semalabel), sizeof(struct mac_mls));
}
static void
-mac_mls_cleanup_sysv_shm(struct label *shmlabel)
+mac_mls_sysvshm_cleanup(struct label *shmlabel)
{
bzero(SLOT(shmlabel), sizeof(struct mac_mls));
@@ -1403,7 +1407,7 @@ mac_mls_cleanup_sysv_shm(struct label *shmlabel)
* Access control checks.
*/
static int
-mac_mls_check_bpfdesc_receive(struct bpf_d *d, struct label *dlabel,
+mac_mls_bpfdesc_check_receive(struct bpf_d *d, struct label *dlabel,
struct ifnet *ifp, struct label *ifplabel)
{
struct mac_mls *a, *b;
@@ -1420,7 +1424,7 @@ mac_mls_check_bpfdesc_receive(struct bpf_d *d, struct label *dlabel,
}
static int
-mac_mls_check_cred_relabel(struct ucred *cred, struct label *newlabel)
+mac_mls_cred_check_relabel(struct ucred *cred, struct label *newlabel)
{
struct mac_mls *subj, *new;
int error;
@@ -1482,7 +1486,7 @@ mac_mls_check_cred_relabel(struct ucred *cred, struct label *newlabel)
}
static int
-mac_mls_check_cred_visible(struct ucred *cr1, struct ucred *cr2)
+mac_mls_cred_check_visible(struct ucred *cr1, struct ucred *cr2)
{
struct mac_mls *subj, *obj;
@@ -1500,7 +1504,7 @@ mac_mls_check_cred_visible(struct ucred *cr1, struct ucred *cr2)
}
static int
-mac_mls_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifp,
+mac_mls_ifnet_check_relabel(struct ucred *cred, struct ifnet *ifp,
struct label *ifplabel, struct label *newlabel)
{
struct mac_mls *subj, *new;
@@ -1526,7 +1530,7 @@ mac_mls_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifp,
}
static int
-mac_mls_check_ifnet_transmit(struct ifnet *ifp, struct label *ifplabel,
+mac_mls_ifnet_check_transmit(struct ifnet *ifp, struct label *ifplabel,
struct mbuf *m, struct label *mlabel)
{
struct mac_mls *p, *i;
@@ -1541,7 +1545,7 @@ mac_mls_check_ifnet_transmit(struct ifnet *ifp, struct label *ifplabel,
}
static int
-mac_mls_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel,
+mac_mls_inpcb_check_deliver(struct inpcb *inp, struct label *inplabel,
struct mbuf *m, struct label *mlabel)
{
struct mac_mls *p, *i;
@@ -1556,7 +1560,7 @@ mac_mls_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel,
}
static int
-mac_mls_check_sysv_msgrcv(struct ucred *cred, struct msg *msgptr,
+mac_mls_sysvmsq_check_msgrcv(struct ucred *cred, struct msg *msgptr,
struct label *msglabel)
{
struct mac_mls *subj, *obj;
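Review bot: `mac_mls_sysvmsq_check_msgrcv` carries the queue prefix `sysvmsq`, but its parameters are `struct msg *msgptr` and `struct label *msglabel`, while the labeling function for the same object is now `mac_mls_sysvmsg_create`. The same applies to `mac_mls_sysvmsq_check_msgrmid` in the next hunk. The prefix presumably follows the framework's entry-point name, so a one-line comment above each, for example `/* Queue operation, but the label checked is the message's. */`, would stop a reader from assuming the queue label is the one being compared. The function bodies continue outside the hunks.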
@@ -1574,7 +1578,7 @@ mac_mls_check_sysv_msgrcv(struct ucred *cred, struct msg *msgptr,
}
static int
-mac_mls_check_sysv_msgrmid(struct ucred *cred, struct msg *msgptr,
+mac_mls_sysvmsq_check_msgrmid(struct ucred *cred, struct msg *msgptr,
struct label *msglabel)
{
struct mac_mls *subj, *obj;
@@ -1592,8 +1596,8 @@ mac_mls_check_sysv_msgrmid(struct ucred *cred, struct msg *msgptr,
}
static int
-mac_mls_check_sysv_msqget(struct ucred *cred, struct msqid_kernel *msqkptr,
- struct label *msqklabel)
+mac_mls_sysvmsq_check_msqget(struct ucred *cred,
+ struct msqid_kernel *msqkptr, struct label *msqklabel)
{
struct mac_mls *subj, *obj;
@@ -1610,8 +1614,8 @@ mac_mls_check_sysv_msqget(struct ucred *cred, struct msqid_kernel *msqkptr,
}
static int
-mac_mls_check_sysv_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr,
- struct label *msqklabel)
+mac_mls_sysvmsq_check_msqsnd(struct ucred *cred,
+ struct msqid_kernel *msqkptr, struct label *msqklabel)
{
struct mac_mls *subj, *obj;
@@ -1628,8 +1632,8 @@ mac_mls_check_sysv_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr,
}
static int
-mac_mls_check_sysv_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr,
- struct label *msqklabel)
+mac_mls_sysvmsq_check_msqrcv(struct ucred *cred,
+ struct msqid_kernel *msqkptr, struct label *msqklabel)
{
struct mac_mls *subj, *obj;
@@ -1646,8 +1650,8 @@ mac_mls_check_sysv_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr,
}
static int
-mac_mls_check_sysv_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr,
- struct label *msqklabel, int cmd)
+mac_mls_sysvmsq_check_msqctl(struct ucred *cred,
+ struct msqid_kernel *msqkptr, struct label *msqklabel, int cmd)
{
struct mac_mls *subj, *obj;
@@ -1677,8 +1681,8 @@ mac_mls_check_sysv_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr,
}
static int
-mac_mls_check_sysv_semctl(struct ucred *cred, struct semid_kernel *semakptr,
- struct label *semaklabel, int cmd)
+mac_mls_sysvsem_check_semctl(struct ucred *cred,
+ struct semid_kernel *semakptr, struct label *semaklabel, int cmd)
{
struct mac_mls *subj, *obj;
@@ -1715,8 +1719,8 @@ mac_mls_check_sysv_semctl(struct ucred *cred, struct semid_kernel *semakptr,
}
static int
-mac_mls_check_sysv_semget(struct ucred *cred, struct semid_kernel *semakptr,
- struct label *semaklabel)
+mac_mls_sysvsem_check_semget(struct ucred *cred,
+ struct semid_kernel *semakptr, struct label *semaklabel)
{
struct mac_mls *subj, *obj;
@@ -1733,8 +1737,9 @@ mac_mls_check_sysv_semget(struct ucred *cred, struct semid_kernel *semakptr,
}
static int
-mac_mls_check_sysv_semop(struct ucred *cred, struct semid_kernel *semakptr,
- struct label *semaklabel, size_t accesstype)
+mac_mls_sysvsem_check_semop(struct ucred *cred,
+ struct semid_kernel *semakptr, struct label *semaklabel,
+ size_t accesstype)
{
struct mac_mls *subj, *obj;
@@ -1756,8 +1761,8 @@ mac_mls_check_sysv_semop(struct ucred *cred, struct semid_kernel *semakptr,
}
static int
-mac_mls_check_sysv_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr,
- struct label *shmseglabel, int shmflg)
+mac_mls_sysvshm_check_shmat(struct ucred *cred,
+ struct shmid_kernel *shmsegptr, struct label *shmseglabel, int shmflg)
{
struct mac_mls *subj, *obj;
@@ -1777,8 +1782,8 @@ mac_mls_check_sysv_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr,
}
static int
-mac_mls_check_sysv_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr,
- struct label *shmseglabel, int cmd)
+mac_mls_sysvshm_check_shmctl(struct ucred *cred,
+ struct shmid_kernel *shmsegptr, struct label *shmseglabel, int cmd)
{
struct mac_mls *subj, *obj;
@@ -1809,8 +1814,8 @@ mac_mls_check_sysv_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr,
}
static int
-mac_mls_check_sysv_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr,
- struct label *shmseglabel, int shmflg)
+mac_mls_sysvshm_check_shmget(struct ucred *cred,
+ struct shmid_kernel *shmsegptr, struct label *shmseglabel, int shmflg)
{
struct mac_mls *subj, *obj;
@@ -1827,7 +1832,7 @@ mac_mls_check_sysv_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr,
}
static int
-mac_mls_check_mount_stat(struct ucred *cred, struct mount *mp,
+mac_mls_mount_check_stat(struct ucred *cred, struct mount *mp,
struct label *mntlabel)
{
struct mac_mls *subj, *obj;
@@ -1845,7 +1850,7 @@ mac_mls_check_mount_stat(struct ucred *cred, struct mount *mp,
}
static int
-mac_mls_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp,
+mac_mls_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp,
struct label *pplabel, unsigned long cmd, void /* caddr_t */ *data)
{
@@ -1858,7 +1863,7 @@ mac_mls_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp,
}
static int
-mac_mls_check_pipe_poll(struct ucred *cred, struct pipepair *pp,
+mac_mls_pipe_check_poll(struct ucred *cred, struct pipepair *pp,
struct label *pplabel)
{
struct mac_mls *subj, *obj;
@@ -1876,7 +1881,7 @@ mac_mls_check_pipe_poll(struct ucred *cred, struct pipepair *pp,
}
static int
-mac_mls_check_pipe_read(struct ucred *cred, struct pipepair *pp,
+mac_mls_pipe_check_read(struct ucred *cred, struct pipepair *pp,
struct label *pplabel)
{
struct mac_mls *subj, *obj;
@@ -1894,7 +1899,7 @@ mac_mls_check_pipe_read(struct ucred *cred, struct pipepair *pp,
}
static int
-mac_mls_check_pipe_relabel(struct ucred *cred, struct pipepair *pp,
+mac_mls_pipe_check_relabel(struct ucred *cred, struct pipepair *pp,
struct label *pplabel, struct label *newlabel)
{
struct mac_mls *subj, *obj, *new;
@@ -1945,7 +1950,7 @@ mac_mls_check_pipe_relabel(struct ucred *cred, struct pipepair *pp,
}
static int
-mac_mls_check_pipe_stat(struct ucred *cred, struct pipepair *pp,
+mac_mls_pipe_check_stat(struct ucred *cred, struct pipepair *pp,
struct label *pplabel)
{
struct mac_mls *subj, *obj;
@@ -1963,7 +1968,7 @@ mac_mls_check_pipe_stat(struct ucred *cred, struct pipepair *pp,
}
static int
-mac_mls_check_pipe_write(struct ucred *cred, struct pipepair *pp,
+mac_mls_pipe_check_write(struct ucred *cred, struct pipepair *pp,
struct label *pplabel)
{
struct mac_mls *subj, *obj;
@@ -1981,7 +1986,7 @@ mac_mls_check_pipe_write(struct ucred *cred, struct pipepair *pp,
}
static int
-mac_mls_check_posix_sem_write(struct ucred *cred, struct ksem *ks,
+mac_mls_posixsem_check_write(struct ucred *cred, struct ksem *ks,
struct label *kslabel)
{
struct mac_mls *subj, *obj;
@@ -1999,7 +2004,7 @@ mac_mls_check_posix_sem_write(struct ucred *cred, struct ksem *ks,
}
static int
-mac_mls_check_posix_sem_rdonly(struct ucred *cred, struct ksem *ks,
+mac_mls_posixsem_check_rdonly(struct ucred *cred, struct ksem *ks,
struct label *kslabel)
{
struct mac_mls *subj, *obj;
@@ -2017,7 +2022,7 @@ mac_mls_check_posix_sem_rdonly(struct ucred *cred, struct ksem *ks,
}
static int
-mac_mls_check_proc_debug(struct ucred *cred, struct proc *p)
+mac_mls_proc_check_debug(struct ucred *cred, struct proc *p)
{
struct mac_mls *subj, *obj;
@@ -2037,7 +2042,7 @@ mac_mls_check_proc_debug(struct ucred *cred, struct proc *p)
}
static int
-mac_mls_check_proc_sched(struct ucred *cred, struct proc *p)
+mac_mls_proc_check_sched(struct ucred *cred, struct proc *p)
{
struct mac_mls *subj, *obj;
@@ -2057,7 +2062,7 @@ mac_mls_check_proc_sched(struct ucred *cred, struct proc *p)
}
static int
-mac_mls_check_proc_signal(struct ucred *cred, struct proc *p, int signum)
+mac_mls_proc_check_signal(struct ucred *cred, struct proc *p, int signum)
{
struct mac_mls *subj, *obj;
@@ -2077,7 +2082,7 @@ mac_mls_check_proc_signal(struct ucred *cred, struct proc *p, int signum)
}
static int
-mac_mls_check_socket_deliver(struct socket *so, struct label *solabel,
+mac_mls_socket_check_deliver(struct socket *so, struct label *solabel,
struct mbuf *m, struct label *mlabel)
{
struct mac_mls *p, *s;
@@ -2092,7 +2097,7 @@ mac_mls_check_socket_deliver(struct socket *so, struct label *solabel,
}
static int
-mac_mls_check_socket_relabel(struct ucred *cred, struct socket *so,
+mac_mls_socket_check_relabel(struct ucred *cred, struct socket *so,
struct label *solabel, struct label *newlabel)
{
struct mac_mls *subj, *obj, *new;
@@ -2143,7 +2148,7 @@ mac_mls_check_socket_relabel(struct ucred *cred, struct socket *so,
}
static int
-mac_mls_check_socket_visible(struct ucred *cred, struct socket *so,
+mac_mls_socket_check_visible(struct ucred *cred, struct socket *so,
struct label *solabel)
{
struct mac_mls *subj, *obj;
@@ -2161,7 +2166,7 @@ mac_mls_check_socket_visible(struct ucred *cred, struct socket *so,
}
static int
-mac_mls_check_system_acct(struct ucred *cred, struct vnode *vp,
+mac_mls_system_check_acct(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
struct mac_mls *subj, *obj;
@@ -2180,7 +2185,7 @@ mac_mls_check_system_acct(struct ucred *cred, struct vnode *vp,
}
static int
-mac_mls_check_system_auditctl(struct ucred *cred, struct vnode *vp,
+mac_mls_system_check_auditctl(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
struct mac_mls *subj, *obj;
@@ -2199,7 +2204,7 @@ mac_mls_check_system_auditctl(struct ucred *cred, struct vnode *vp,
}
static int
-mac_mls_check_system_swapon(struct ucred *cred, struct vnode *vp,
+mac_mls_system_check_swapon(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
struct mac_mls *subj, *obj;
@@ -2218,7 +2223,7 @@ mac_mls_check_system_swapon(struct ucred *cred, struct vnode *vp,
}
static int
-mac_mls_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
+mac_mls_vnode_check_chdir(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel)
{
struct mac_mls *subj, *obj;
@@ -2236,7 +2241,7 @@ mac_mls_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
}
static int
-mac_mls_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
+mac_mls_vnode_check_chroot(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel)
{
struct mac_mls *subj, *obj;
@@ -2254,7 +2259,7 @@ mac_mls_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
}
static int
-mac_mls_check_vnode_create(struct ucred *cred, struct vnode *dvp,
+mac_mls_vnode_check_create(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct componentname *cnp, struct vattr *vap)
{
struct mac_mls *subj, *obj;
@@ -2272,7 +2277,7 @@ mac_mls_check_vnode_create(struct ucred *cred, struct vnode *dvp,
}
static int
-mac_mls_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
+mac_mls_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp,
struct label *vplabel, acl_type_t type)
{
struct mac_mls *subj, *obj;
@@ -2290,7 +2295,7 @@ mac_mls_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
}
static int
-mac_mls_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
+mac_mls_vnode_check_deleteextattr(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int attrnamespace, const char *name)
{
struct mac_mls *subj, *obj;
@@ -2308,7 +2313,7 @@ mac_mls_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
}
static int
-mac_mls_check_vnode_exec(struct ucred *cred, struct vnode *vp,
+mac_mls_vnode_check_exec(struct ucred *cred, struct vnode *vp,
struct label *vplabel, struct image_params *imgp,
struct label *execlabel)
{
@@ -2340,7 +2345,7 @@ mac_mls_check_vnode_exec(struct ucred *cred, struct vnode *vp,
}
static int
-mac_mls_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
+mac_mls_vnode_check_getacl(struct ucred *cred, struct vnode *vp,
struct label *vplabel, acl_type_t type)
{
struct mac_mls *subj, *obj;
@@ -2358,7 +2363,7 @@ mac_mls_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
}
static int
-mac_mls_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
+mac_mls_vnode_check_getextattr(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int attrnamespace, const char *name,
struct uio *uio)
{
@@ -2377,7 +2382,7 @@ mac_mls_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
}
static int
-mac_mls_check_vnode_link(struct ucred *cred, struct vnode *dvp,
+mac_mls_vnode_check_link(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct vnode *vp, struct label *vplabel,
struct componentname *cnp)
{
@@ -2400,7 +2405,7 @@ mac_mls_check_vnode_link(struct ucred *cred, struct vnode *dvp,
}
static int
-mac_mls_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
+mac_mls_vnode_check_listextattr(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int attrnamespace)
{
@@ -2419,7 +2424,7 @@ mac_mls_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
}
static int
-mac_mls_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
+mac_mls_vnode_check_lookup(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct componentname *cnp)
{
struct mac_mls *subj, *obj;
@@ -2437,7 +2442,7 @@ mac_mls_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
}
static int
-mac_mls_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
+mac_mls_vnode_check_mmap(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int prot, int flags)
{
struct mac_mls *subj, *obj;
@@ -2465,7 +2470,7 @@ mac_mls_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
}
static int
-mac_mls_check_vnode_open(struct ucred *cred, struct vnode *vp,
+mac_mls_vnode_check_open(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int acc_mode)
{
struct mac_mls *subj, *obj;
@@ -2490,7 +2495,7 @@ mac_mls_check_vnode_open(struct ucred *cred, struct vnode *vp,
}
static int
-mac_mls_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
+mac_mls_vnode_check_poll(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp, struct label *vplabel)
{
struct mac_mls *subj, *obj;
@@ -2508,7 +2513,7 @@ mac_mls_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
}
static int
-mac_mls_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
+mac_mls_vnode_check_read(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp, struct label *vplabel)
{
struct mac_mls *subj, *obj;
@@ -2526,7 +2531,7 @@ mac_mls_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
}
static int
-mac_mls_check_vnode_readdir(struct ucred *cred, struct vnode *dvp,
+mac_mls_vnode_check_readdir(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel)
{
struct mac_mls *subj, *obj;
@@ -2544,7 +2549,7 @@ mac_mls_check_vnode_readdir(struct ucred *cred, struct vnode *dvp,
}
static int
-mac_mls_check_vnode_readlink(struct ucred *cred, struct vnode *vp,
+mac_mls_vnode_check_readlink(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
struct mac_mls *subj, *obj;
@@ -2562,7 +2567,7 @@ mac_mls_check_vnode_readlink(struct ucred *cred, struct vnode *vp,
}
static int
-mac_mls_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
+mac_mls_vnode_check_relabel(struct ucred *cred, struct vnode *vp,
struct label *vplabel, struct label *newlabel)
{
struct mac_mls *old, *new, *subj;
@@ -2613,7 +2618,7 @@ mac_mls_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
}
static int
-mac_mls_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
+mac_mls_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct vnode *vp, struct label *vplabel,
struct componentname *cnp)
{
@@ -2637,7 +2642,7 @@ mac_mls_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
}
static int
-mac_mls_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
+mac_mls_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct vnode *vp, struct label *vplabel,
int samedir, struct componentname *cnp)
{
@@ -2663,7 +2668,7 @@ mac_mls_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
}
static int
-mac_mls_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
+mac_mls_vnode_check_revoke(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
struct mac_mls *subj, *obj;
@@ -2681,7 +2686,7 @@ mac_mls_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
}
static int
-mac_mls_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
+mac_mls_vnode_check_setacl(struct ucred *cred, struct vnode *vp,
struct label *vplabel, acl_type_t type, struct acl *acl)
{
struct mac_mls *subj, *obj;
@@ -2699,7 +2704,7 @@ mac_mls_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
}
static int
-mac_mls_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
+mac_mls_vnode_check_setextattr(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int attrnamespace, const char *name,
struct uio *uio)
{
@@ -2720,7 +2725,7 @@ mac_mls_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
}
static int
-mac_mls_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
+mac_mls_vnode_check_setflags(struct ucred *cred, struct vnode *vp,
struct label *vplabel, u_long flags)
{
struct mac_mls *subj, *obj;
@@ -2738,7 +2743,7 @@ mac_mls_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
}
static int
-mac_mls_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
+mac_mls_vnode_check_setmode(struct ucred *cred, struct vnode *vp,
struct label *vplabel, mode_t mode)
{
struct mac_mls *subj, *obj;
@@ -2756,7 +2761,7 @@ mac_mls_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
}
static int
-mac_mls_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
+mac_mls_vnode_check_setowner(struct ucred *cred, struct vnode *vp,
struct label *vplabel, uid_t uid, gid_t gid)
{
struct mac_mls *subj, *obj;
@@ -2774,7 +2779,7 @@ mac_mls_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
}
static int
-mac_mls_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
+mac_mls_vnode_check_setutimes(struct ucred *cred, struct vnode *vp,
struct label *vplabel, struct timespec atime, struct timespec mtime)
{
struct mac_mls *subj, *obj;
@@ -2792,7 +2797,7 @@ mac_mls_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
}
static int
-mac_mls_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
+mac_mls_vnode_check_stat(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp, struct label *vplabel)
{
struct mac_mls *subj, *obj;
@@ -2810,7 +2815,7 @@ mac_mls_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
}
static int
-mac_mls_check_vnode_unlink(struct ucred *cred, struct vnode *dvp,
+mac_mls_vnode_check_unlink(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct vnode *vp, struct label *vplabel,
struct componentname *cnp)
{
@@ -2834,7 +2839,7 @@ mac_mls_check_vnode_unlink(struct ucred *cred, struct vnode *dvp,
}
static int
-mac_mls_check_vnode_write(struct ucred *active_cred, struct ucred *file_cred,
+mac_mls_vnode_check_write(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp, struct label *vplabel)
{
struct mac_mls *subj, *obj;
@@ -2865,181 +2870,181 @@ mac_mls_associate_nfsd_label(struct ucred *cred)
static struct mac_policy_ops mac_mls_ops =
{
.mpo_init = mac_mls_init,
- .mpo_init_bpfdesc_label = mac_mls_init_label,
- .mpo_init_cred_label = mac_mls_init_label,
- .mpo_init_devfs_label = mac_mls_init_label,
- .mpo_init_ifnet_label = mac_mls_init_label,
- .mpo_init_inpcb_label = mac_mls_init_label_waitcheck,
+ .mpo_bpfdesc_init_label = mac_mls_init_label,
+ .mpo_cred_init_label = mac_mls_init_label,
+ .mpo_devfs_init_label = mac_mls_init_label,
+ .mpo_ifnet_init_label = mac_mls_init_label,
+ .mpo_inpcb_init_label = mac_mls_init_label_waitcheck,
.mpo_init_syncache_label = mac_mls_init_label_waitcheck,
- .mpo_init_sysv_msgmsg_label = mac_mls_init_label,
- .mpo_init_sysv_msgqueue_label = mac_mls_init_label,
- .mpo_init_sysv_sem_label = mac_mls_init_label,
- .mpo_init_sysv_shm_label = mac_mls_init_label,
- .mpo_init_ipq_label = mac_mls_init_label_waitcheck,
- .mpo_init_mbuf_label = mac_mls_init_label_waitcheck,
- .mpo_init_mount_label = mac_mls_init_label,
- .mpo_init_pipe_label = mac_mls_init_label,
- .mpo_init_posix_sem_label = mac_mls_init_label,
- .mpo_init_socket_label = mac_mls_init_label_waitcheck,
- .mpo_init_socket_peer_label = mac_mls_init_label_waitcheck,
- .mpo_init_vnode_label = mac_mls_init_label,
- .mpo_destroy_bpfdesc_label = mac_mls_destroy_label,
- .mpo_destroy_cred_label = mac_mls_destroy_label,
- .mpo_destroy_devfs_label = mac_mls_destroy_label,
- .mpo_destroy_ifnet_label = mac_mls_destroy_label,
- .mpo_destroy_inpcb_label = mac_mls_destroy_label,
+ .mpo_sysvmsg_init_label = mac_mls_init_label,
+ .mpo_sysvmsq_init_label = mac_mls_init_label,
+ .mpo_sysvsem_init_label = mac_mls_init_label,
+ .mpo_sysvshm_init_label = mac_mls_init_label,
+ .mpo_ipq_init_label = mac_mls_init_label_waitcheck,
+ .mpo_mbuf_init_label = mac_mls_init_label_waitcheck,
+ .mpo_mount_init_label = mac_mls_init_label,
+ .mpo_pipe_init_label = mac_mls_init_label,
+ .mpo_posixsem_init_label = mac_mls_init_label,
+ .mpo_socket_init_label = mac_mls_init_label_waitcheck,
+ .mpo_socketpeer_init_label = mac_mls_init_label_waitcheck,
+ .mpo_vnode_init_label = mac_mls_init_label,
+ .mpo_bpfdesc_destroy_label = mac_mls_destroy_label,
+ .mpo_cred_destroy_label = mac_mls_destroy_label,
+ .mpo_devfs_destroy_label = mac_mls_destroy_label,
+ .mpo_ifnet_destroy_label = mac_mls_destroy_label,
+ .mpo_inpcb_destroy_label = mac_mls_destroy_label,
.mpo_destroy_syncache_label = mac_mls_destroy_label,
- .mpo_destroy_sysv_msgmsg_label = mac_mls_destroy_label,
- .mpo_destroy_sysv_msgqueue_label = mac_mls_destroy_label,
- .mpo_destroy_sysv_sem_label = mac_mls_destroy_label,
- .mpo_destroy_sysv_shm_label = mac_mls_destroy_label,
- .mpo_destroy_ipq_label = mac_mls_destroy_label,
- .mpo_destroy_mbuf_label = mac_mls_destroy_label,
- .mpo_destroy_mount_label = mac_mls_destroy_label,
- .mpo_destroy_pipe_label = mac_mls_destroy_label,
- .mpo_destroy_posix_sem_label = mac_mls_destroy_label,
- .mpo_destroy_socket_label = mac_mls_destroy_label,
- .mpo_destroy_socket_peer_label = mac_mls_destroy_label,
- .mpo_destroy_vnode_label = mac_mls_destroy_label,
- .mpo_copy_cred_label = mac_mls_copy_label,
- .mpo_copy_ifnet_label = mac_mls_copy_label,
- .mpo_copy_mbuf_label = mac_mls_copy_label,
- .mpo_copy_pipe_label = mac_mls_copy_label,
- .mpo_copy_socket_label = mac_mls_copy_label,
- .mpo_copy_vnode_label = mac_mls_copy_label,
- .mpo_externalize_cred_label = mac_mls_externalize_label,
- .mpo_externalize_ifnet_label = mac_mls_externalize_label,
- .mpo_externalize_pipe_label = mac_mls_externalize_label,
- .mpo_externalize_socket_label = mac_mls_externalize_label,
- .mpo_externalize_socket_peer_label = mac_mls_externalize_label,
- .mpo_externalize_vnode_label = mac_mls_externalize_label,
- .mpo_internalize_cred_label = mac_mls_internalize_label,
- .mpo_internalize_ifnet_label = mac_mls_internalize_label,
- .mpo_internalize_pipe_label = mac_mls_internalize_label,
- .mpo_internalize_socket_label = mac_mls_internalize_label,
- .mpo_internalize_vnode_label = mac_mls_internalize_label,
- .mpo_create_devfs_device = mac_mls_create_devfs_device,
- .mpo_create_devfs_directory = mac_mls_create_devfs_directory,
- .mpo_create_devfs_symlink = mac_mls_create_devfs_symlink,
- .mpo_create_mount = mac_mls_create_mount,
- .mpo_relabel_vnode = mac_mls_relabel_vnode,
- .mpo_update_devfs = mac_mls_update_devfs,
- .mpo_associate_vnode_devfs = mac_mls_associate_vnode_devfs,
- .mpo_associate_vnode_extattr = mac_mls_associate_vnode_extattr,
- .mpo_associate_vnode_singlelabel = mac_mls_associate_vnode_singlelabel,
- .mpo_create_vnode_extattr = mac_mls_create_vnode_extattr,
- .mpo_setlabel_vnode_extattr = mac_mls_setlabel_vnode_extattr,
- .mpo_create_mbuf_from_socket = mac_mls_create_mbuf_from_socket,
+ .mpo_sysvmsg_destroy_label = mac_mls_destroy_label,
+ .mpo_sysvmsq_destroy_label = mac_mls_destroy_label,
+ .mpo_sysvsem_destroy_label = mac_mls_destroy_label,
+ .mpo_sysvshm_destroy_label = mac_mls_destroy_label,
+ .mpo_ipq_destroy_label = mac_mls_destroy_label,
+ .mpo_mbuf_destroy_label = mac_mls_destroy_label,
+ .mpo_mount_destroy_label = mac_mls_destroy_label,
+ .mpo_pipe_destroy_label = mac_mls_destroy_label,
+ .mpo_posixsem_destroy_label = mac_mls_destroy_label,
+ .mpo_socket_destroy_label = mac_mls_destroy_label,
+ .mpo_socketpeer_destroy_label = mac_mls_destroy_label,
+ .mpo_vnode_destroy_label = mac_mls_destroy_label,
+ .mpo_cred_copy_label = mac_mls_copy_label,
+ .mpo_ifnet_copy_label = mac_mls_copy_label,
+ .mpo_mbuf_copy_label = mac_mls_copy_label,
+ .mpo_pipe_copy_label = mac_mls_copy_label,
+ .mpo_socket_copy_label = mac_mls_copy_label,
+ .mpo_vnode_copy_label = mac_mls_copy_label,
+ .mpo_cred_externalize_label = mac_mls_externalize_label,
+ .mpo_ifnet_externalize_label = mac_mls_externalize_label,
+ .mpo_pipe_externalize_label = mac_mls_externalize_label,
+ .mpo_socket_externalize_label = mac_mls_externalize_label,
+ .mpo_socketpeer_externalize_label = mac_mls_externalize_label,
+ .mpo_vnode_externalize_label = mac_mls_externalize_label,
+ .mpo_cred_internalize_label = mac_mls_internalize_label,
+ .mpo_ifnet_internalize_label = mac_mls_internalize_label,
+ .mpo_pipe_internalize_label = mac_mls_internalize_label,
+ .mpo_socket_internalize_label = mac_mls_internalize_label,
+ .mpo_vnode_internalize_label = mac_mls_internalize_label,
+ .mpo_devfs_create_device = mac_mls_devfs_create_device,
+ .mpo_devfs_create_directory = mac_mls_devfs_create_directory,
+ .mpo_devfs_create_symlink = mac_mls_devfs_create_symlink,
+ .mpo_mount_create = mac_mls_mount_create,
+ .mpo_vnode_relabel = mac_mls_vnode_relabel,
+ .mpo_devfs_update = mac_mls_devfs_update,
+ .mpo_devfs_vnode_associate = mac_mls_devfs_vnode_associate,
+ .mpo_vnode_associate_extattr = mac_mls_vnode_associate_extattr,
+ .mpo_vnode_associate_singlelabel = mac_mls_vnode_associate_singlelabel,
+ .mpo_vnode_create_extattr = mac_mls_vnode_create_extattr,
+ .mpo_vnode_setlabel_extattr = mac_mls_vnode_setlabel_extattr,
+ .mpo_socket_create_mbuf = mac_mls_socket_create_mbuf,
.mpo_create_mbuf_from_syncache = mac_mls_create_mbuf_from_syncache,
- .mpo_create_pipe = mac_mls_create_pipe,
- .mpo_create_posix_sem = mac_mls_create_posix_sem,
- .mpo_create_socket = mac_mls_create_socket,
- .mpo_create_socket_from_socket = mac_mls_create_socket_from_socket,
- .mpo_relabel_pipe = mac_mls_relabel_pipe,
- .mpo_relabel_socket = mac_mls_relabel_socket,
- .mpo_set_socket_peer_from_mbuf = mac_mls_set_socket_peer_from_mbuf,
- .mpo_set_socket_peer_from_socket = mac_mls_set_socket_peer_from_socket,
- .mpo_create_bpfdesc = mac_mls_create_bpfdesc,
- .mpo_create_datagram_from_ipq = mac_mls_create_datagram_from_ipq,
- .mpo_create_fragment = mac_mls_create_fragment,
- .mpo_create_ifnet = mac_mls_create_ifnet,
- .mpo_create_inpcb_from_socket = mac_mls_create_inpcb_from_socket,
+ .mpo_pipe_create = mac_mls_pipe_create,
+ .mpo_posixsem_create = mac_mls_posixsem_create,
+ .mpo_socket_create = mac_mls_socket_create,
+ .mpo_socket_newconn = mac_mls_socket_newconn,
+ .mpo_pipe_relabel = mac_mls_pipe_relabel,
+ .mpo_socket_relabel = mac_mls_socket_relabel,
+ .mpo_socketpeer_set_from_mbuf = mac_mls_socketpeer_set_from_mbuf,
+ .mpo_socketpeer_set_from_socket = mac_mls_socketpeer_set_from_socket,
+ .mpo_bpfdesc_create = mac_mls_bpfdesc_create,
+ .mpo_ipq_reassemble = mac_mls_ipq_reassemble,
+ .mpo_netinet_fragment = mac_mls_netinet_fragment,
+ .mpo_ifnet_create = mac_mls_ifnet_create,
+ .mpo_inpcb_create = mac_mls_inpcb_create,
.mpo_init_syncache_from_inpcb = mac_mls_init_syncache_from_inpcb,
- .mpo_create_ipq = mac_mls_create_ipq,
- .mpo_create_sysv_msgmsg = mac_mls_create_sysv_msgmsg,
- .mpo_create_sysv_msgqueue = mac_mls_create_sysv_msgqueue,
- .mpo_create_sysv_sem = mac_mls_create_sysv_sem,
- .mpo_create_sysv_shm = mac_mls_create_sysv_shm,
- .mpo_create_mbuf_from_inpcb = mac_mls_create_mbuf_from_inpcb,
+ .mpo_ipq_create = mac_mls_ipq_create,
+ .mpo_sysvmsg_create = mac_mls_sysvmsg_create,
+ .mpo_sysvmsq_create = mac_mls_sysvmsq_create,
+ .mpo_sysvsem_create = mac_mls_sysvsem_create,
+ .mpo_sysvshm_create = mac_mls_sysvshm_create,
+ .mpo_inpcb_create_mbuf = mac_mls_inpcb_create_mbuf,
.mpo_create_mbuf_linklayer = mac_mls_create_mbuf_linklayer,
- .mpo_create_mbuf_from_bpfdesc = mac_mls_create_mbuf_from_bpfdesc,
- .mpo_create_mbuf_from_ifnet = mac_mls_create_mbuf_from_ifnet,
- .mpo_create_mbuf_multicast_encap = mac_mls_create_mbuf_multicast_encap,
- .mpo_create_mbuf_netlayer = mac_mls_create_mbuf_netlayer,
- .mpo_fragment_match = mac_mls_fragment_match,
- .mpo_relabel_ifnet = mac_mls_relabel_ifnet,
- .mpo_update_ipq = mac_mls_update_ipq,
+ .mpo_bpfdesc_create_mbuf = mac_mls_bpfdesc_create_mbuf,
+ .mpo_ifnet_create_mbuf = mac_mls_ifnet_create_mbuf,
+ .mpo_mbuf_create_multicast_encap = mac_mls_mbuf_create_multicast_encap,
+ .mpo_mbuf_create_netlayer = mac_mls_mbuf_create_netlayer,
+ .mpo_ipq_match = mac_mls_ipq_match,
+ .mpo_ifnet_relabel = mac_mls_ifnet_relabel,
+ .mpo_ipq_update = mac_mls_ipq_update,
.mpo_inpcb_sosetlabel = mac_mls_inpcb_sosetlabel,
- .mpo_create_proc0 = mac_mls_create_proc0,
- .mpo_create_proc1 = mac_mls_create_proc1,
- .mpo_relabel_cred = mac_mls_relabel_cred,
- .mpo_cleanup_sysv_msgmsg = mac_mls_cleanup_sysv_msgmsg,
- .mpo_cleanup_sysv_msgqueue = mac_mls_cleanup_sysv_msgqueue,
- .mpo_cleanup_sysv_sem = mac_mls_cleanup_sysv_sem,
- .mpo_cleanup_sysv_shm = mac_mls_cleanup_sysv_shm,
- .mpo_check_bpfdesc_receive = mac_mls_check_bpfdesc_receive,
- .mpo_check_cred_relabel = mac_mls_check_cred_relabel,
- .mpo_check_cred_visible = mac_mls_check_cred_visible,
- .mpo_check_ifnet_relabel = mac_mls_check_ifnet_relabel,
- .mpo_check_ifnet_transmit = mac_mls_check_ifnet_transmit,
- .mpo_check_inpcb_deliver = mac_mls_check_inpcb_deliver,
- .mpo_check_sysv_msgrcv = mac_mls_check_sysv_msgrcv,
- .mpo_check_sysv_msgrmid = mac_mls_check_sysv_msgrmid,
- .mpo_check_sysv_msqget = mac_mls_check_sysv_msqget,
- .mpo_check_sysv_msqsnd = mac_mls_check_sysv_msqsnd,
- .mpo_check_sysv_msqrcv = mac_mls_check_sysv_msqrcv,
- .mpo_check_sysv_msqctl = mac_mls_check_sysv_msqctl,
- .mpo_check_sysv_semctl = mac_mls_check_sysv_semctl,
- .mpo_check_sysv_semget = mac_mls_check_sysv_semget,
- .mpo_check_sysv_semop = mac_mls_check_sysv_semop,
- .mpo_check_sysv_shmat = mac_mls_check_sysv_shmat,
- .mpo_check_sysv_shmctl = mac_mls_check_sysv_shmctl,
- .mpo_check_sysv_shmget = mac_mls_check_sysv_shmget,
- .mpo_check_mount_stat = mac_mls_check_mount_stat,
- .mpo_check_pipe_ioctl = mac_mls_check_pipe_ioctl,
- .mpo_check_pipe_poll = mac_mls_check_pipe_poll,
- .mpo_check_pipe_read = mac_mls_check_pipe_read,
- .mpo_check_pipe_relabel = mac_mls_check_pipe_relabel,
- .mpo_check_pipe_stat = mac_mls_check_pipe_stat,
- .mpo_check_pipe_write = mac_mls_check_pipe_write,
- .mpo_check_posix_sem_destroy = mac_mls_check_posix_sem_write,
- .mpo_check_posix_sem_getvalue = mac_mls_check_posix_sem_rdonly,
- .mpo_check_posix_sem_open = mac_mls_check_posix_sem_write,
- .mpo_check_posix_sem_post = mac_mls_check_posix_sem_write,
- .mpo_check_posix_sem_unlink = mac_mls_check_posix_sem_write,
- .mpo_check_posix_sem_wait = mac_mls_check_posix_sem_write,
- .mpo_check_proc_debug = mac_mls_check_proc_debug,
- .mpo_check_proc_sched = mac_mls_check_proc_sched,
- .mpo_check_proc_signal = mac_mls_check_proc_signal,
- .mpo_check_socket_deliver = mac_mls_check_socket_deliver,
- .mpo_check_socket_relabel = mac_mls_check_socket_relabel,
- .mpo_check_socket_visible = mac_mls_check_socket_visible,
- .mpo_check_system_acct = mac_mls_check_system_acct,
- .mpo_check_system_auditctl = mac_mls_check_system_auditctl,
- .mpo_check_system_swapon = mac_mls_check_system_swapon,
- .mpo_check_vnode_access = mac_mls_check_vnode_open,
- .mpo_check_vnode_chdir = mac_mls_check_vnode_chdir,
- .mpo_check_vnode_chroot = mac_mls_check_vnode_chroot,
- .mpo_check_vnode_create = mac_mls_check_vnode_create,
- .mpo_check_vnode_deleteacl = mac_mls_check_vnode_deleteacl,
- .mpo_check_vnode_deleteextattr = mac_mls_check_vnode_deleteextattr,
- .mpo_check_vnode_exec = mac_mls_check_vnode_exec,
- .mpo_check_vnode_getacl = mac_mls_check_vnode_getacl,
- .mpo_check_vnode_getextattr = mac_mls_check_vnode_getextattr,
- .mpo_check_vnode_link = mac_mls_check_vnode_link,
- .mpo_check_vnode_listextattr = mac_mls_check_vnode_listextattr,
- .mpo_check_vnode_lookup = mac_mls_check_vnode_lookup,
- .mpo_check_vnode_mmap = mac_mls_check_vnode_mmap,
- .mpo_check_vnode_open = mac_mls_check_vnode_open,
- .mpo_check_vnode_poll = mac_mls_check_vnode_poll,
- .mpo_check_vnode_read = mac_mls_check_vnode_read,
- .mpo_check_vnode_readdir = mac_mls_check_vnode_readdir,
- .mpo_check_vnode_readlink = mac_mls_check_vnode_readlink,
- .mpo_check_vnode_relabel = mac_mls_check_vnode_relabel,
- .mpo_check_vnode_rename_from = mac_mls_check_vnode_rename_from,
- .mpo_check_vnode_rename_to = mac_mls_check_vnode_rename_to,
- .mpo_check_vnode_revoke = mac_mls_check_vnode_revoke,
- .mpo_check_vnode_setacl = mac_mls_check_vnode_setacl,
- .mpo_check_vnode_setextattr = mac_mls_check_vnode_setextattr,
- .mpo_check_vnode_setflags = mac_mls_check_vnode_setflags,
- .mpo_check_vnode_setmode = mac_mls_check_vnode_setmode,
- .mpo_check_vnode_setowner = mac_mls_check_vnode_setowner,
- .mpo_check_vnode_setutimes = mac_mls_check_vnode_setutimes,
- .mpo_check_vnode_stat = mac_mls_check_vnode_stat,
- .mpo_check_vnode_unlink = mac_mls_check_vnode_unlink,
- .mpo_check_vnode_write = mac_mls_check_vnode_write,
+ .mpo_proc_create_swapper = mac_mls_proc_create_swapper,
+ .mpo_proc_create_init = mac_mls_proc_create_init,
+ .mpo_cred_relabel = mac_mls_cred_relabel,
+ .mpo_sysvmsg_cleanup = mac_mls_sysvmsg_cleanup,
+ .mpo_sysvmsq_cleanup = mac_mls_sysvmsq_cleanup,
+ .mpo_sysvsem_cleanup = mac_mls_sysvsem_cleanup,
+ .mpo_sysvshm_cleanup = mac_mls_sysvshm_cleanup,
+ .mpo_bpfdesc_check_receive = mac_mls_bpfdesc_check_receive,
+ .mpo_cred_check_relabel = mac_mls_cred_check_relabel,
+ .mpo_cred_check_visible = mac_mls_cred_check_visible,
+ .mpo_ifnet_check_relabel = mac_mls_ifnet_check_relabel,
+ .mpo_ifnet_check_transmit = mac_mls_ifnet_check_transmit,
+ .mpo_inpcb_check_deliver = mac_mls_inpcb_check_deliver,
+ .mpo_sysvmsq_check_msgrcv = mac_mls_sysvmsq_check_msgrcv,
+ .mpo_sysvmsq_check_msgrmid = mac_mls_sysvmsq_check_msgrmid,
+ .mpo_sysvmsq_check_msqget = mac_mls_sysvmsq_check_msqget,
+ .mpo_sysvmsq_check_msqsnd = mac_mls_sysvmsq_check_msqsnd,
+ .mpo_sysvmsq_check_msqrcv = mac_mls_sysvmsq_check_msqrcv,
+ .mpo_sysvmsq_check_msqctl = mac_mls_sysvmsq_check_msqctl,
+ .mpo_sysvsem_check_semctl = mac_mls_sysvsem_check_semctl,
+ .mpo_sysvsem_check_semget = mac_mls_sysvsem_check_semget,
+ .mpo_sysvsem_check_semop = mac_mls_sysvsem_check_semop,
+ .mpo_sysvshm_check_shmat = mac_mls_sysvshm_check_shmat,
+ .mpo_sysvshm_check_shmctl = mac_mls_sysvshm_check_shmctl,
+ .mpo_sysvshm_check_shmget = mac_mls_sysvshm_check_shmget,
+ .mpo_mount_check_stat = mac_mls_mount_check_stat,
+ .mpo_pipe_check_ioctl = mac_mls_pipe_check_ioctl,
+ .mpo_pipe_check_poll = mac_mls_pipe_check_poll,
+ .mpo_pipe_check_read = mac_mls_pipe_check_read,
+ .mpo_pipe_check_relabel = mac_mls_pipe_check_relabel,
+ .mpo_pipe_check_stat = mac_mls_pipe_check_stat,
+ .mpo_pipe_check_write = mac_mls_pipe_check_write,
+ .mpo_posixsem_check_destroy = mac_mls_posixsem_check_write,
+ .mpo_posixsem_check_getvalue = mac_mls_posixsem_check_rdonly,
+ .mpo_posixsem_check_open = mac_mls_posixsem_check_write,
+ .mpo_posixsem_check_post = mac_mls_posixsem_check_write,
+ .mpo_posixsem_check_unlink = mac_mls_posixsem_check_write,
+ .mpo_posixsem_check_wait = mac_mls_posixsem_check_write,
+ .mpo_proc_check_debug = mac_mls_proc_check_debug,
+ .mpo_proc_check_sched = mac_mls_proc_check_sched,
+ .mpo_proc_check_signal = mac_mls_proc_check_signal,
+ .mpo_socket_check_deliver = mac_mls_socket_check_deliver,
+ .mpo_socket_check_relabel = mac_mls_socket_check_relabel,
+ .mpo_socket_check_visible = mac_mls_socket_check_visible,
+ .mpo_system_check_acct = mac_mls_system_check_acct,
+ .mpo_system_check_auditctl = mac_mls_system_check_auditctl,
+ .mpo_system_check_swapon = mac_mls_system_check_swapon,
+ .mpo_vnode_check_access = mac_mls_vnode_check_open,
+ .mpo_vnode_check_chdir = mac_mls_vnode_check_chdir,
+ .mpo_vnode_check_chroot = mac_mls_vnode_check_chroot,
+ .mpo_vnode_check_create = mac_mls_vnode_check_create,
+ .mpo_vnode_check_deleteacl = mac_mls_vnode_check_deleteacl,
+ .mpo_vnode_check_deleteextattr = mac_mls_vnode_check_deleteextattr,
+ .mpo_vnode_check_exec = mac_mls_vnode_check_exec,
+ .mpo_vnode_check_getacl = mac_mls_vnode_check_getacl,
+ .mpo_vnode_check_getextattr = mac_mls_vnode_check_getextattr,
+ .mpo_vnode_check_link = mac_mls_vnode_check_link,
+ .mpo_vnode_check_listextattr = mac_mls_vnode_check_listextattr,
+ .mpo_vnode_check_lookup = mac_mls_vnode_check_lookup,
+ .mpo_vnode_check_mmap = mac_mls_vnode_check_mmap,
+ .mpo_vnode_check_open = mac_mls_vnode_check_open,
+ .mpo_vnode_check_poll = mac_mls_vnode_check_poll,
+ .mpo_vnode_check_read = mac_mls_vnode_check_read,
+ .mpo_vnode_check_readdir = mac_mls_vnode_check_readdir,
+ .mpo_vnode_check_readlink = mac_mls_vnode_check_readlink,
+ .mpo_vnode_check_relabel = mac_mls_vnode_check_relabel,
+ .mpo_vnode_check_rename_from = mac_mls_vnode_check_rename_from,
+ .mpo_vnode_check_rename_to = mac_mls_vnode_check_rename_to,
+ .mpo_vnode_check_revoke = mac_mls_vnode_check_revoke,
+ .mpo_vnode_check_setacl = mac_mls_vnode_check_setacl,
+ .mpo_vnode_check_setextattr = mac_mls_vnode_check_setextattr,
+ .mpo_vnode_check_setflags = mac_mls_vnode_check_setflags,
+ .mpo_vnode_check_setmode = mac_mls_vnode_check_setmode,
+ .mpo_vnode_check_setowner = mac_mls_vnode_check_setowner,
+ .mpo_vnode_check_setutimes = mac_mls_vnode_check_setutimes,
+ .mpo_vnode_check_stat = mac_mls_vnode_check_stat,
+ .mpo_vnode_check_unlink = mac_mls_vnode_check_unlink,
+ .mpo_vnode_check_write = mac_mls_vnode_check_write,
.mpo_associate_nfsd_label = mac_mls_associate_nfsd_label,
- .mpo_create_mbuf_from_firewall = mac_mls_create_mbuf_from_firewall,
+ .mpo_mbuf_create_from_firewall = mac_mls_mbuf_create_from_firewall,
};
MAC_POLICY_SET(&mac_mls_ops, mac_mls, "TrustedBSD MAC/MLS",
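Review bot: Six initializers in `mac_mls_ops` stay on the old verb-first names as unchanged context lines while every neighbour moves to the object-first scheme: `.mpo_init_syncache_label`, `.mpo_destroy_syncache_label`, `.mpo_create_mbuf_from_syncache`, `.mpo_init_syncache_from_inpcb`, `.mpo_create_mbuf_linklayer` and `.mpo_associate_nfsd_label`, together with the `mac_mls_*` handlers they point at. The `struct mac_policy_ops` definition is not visible in this hunk, so this is presumably deliberate and matches fields that were not renamed, but the mixed scheme makes the table harder to audit entry by entry, which matters in a table that wires up access-control checks. Either convert these in the same change or mark them, for example with `/* XXX: syncache, linklayer and nfsd entry points not yet converted to object_method naming. */` above the first of them.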
diff --git a/sys/security/mac_partition/mac_partition.c b/sys/security/mac_partition/mac_partition.c
index c418d3f..986406a 100644
--- a/sys/security/mac_partition/mac_partition.c
+++ b/sys/security/mac_partition/mac_partition.c
@@ -1,6 +1,7 @@
/*-
* Copyright (c) 1999-2002, 2007 Robert N. M. Watson
* Copyright (c) 2001-2002 Networks Associates Technology, Inc.
+ * Copyright (c) 2006 SPARTA, Inc.
* All rights reserved.
*
* This software was developed by Robert Watson for the TrustedBSD Project.
@@ -10,6 +11,9 @@
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
* as part of the DARPA CHATS research program.
*
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract
+ * N66001-04-C-6019 ("SEFOS").
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -115,21 +119,21 @@ mac_partition_internalize_label(struct label *label, char *element_name,
}
static void
-mac_partition_create_proc0(struct ucred *cred)
+mac_partition_proc_create_swapper(struct ucred *cred)
{
SLOT_SET(cred->cr_label, 0);
}
static void
-mac_partition_create_proc1(struct ucred *cred)
+mac_partition_proc_create_init(struct ucred *cred)
{
SLOT_SET(cred->cr_label, 0);
}
static void
-mac_partition_relabel_cred(struct ucred *cred, struct label *newlabel)
+mac_partition_cred_relabel(struct ucred *cred, struct label *newlabel)
{
if (SLOT(newlabel) != 0)
@@ -153,7 +157,7 @@ label_on_label(struct label *subject, struct label *object)
}
static int
-mac_partition_check_cred_relabel(struct ucred *cred, struct label *newlabel)
+mac_partition_cred_check_relabel(struct ucred *cred, struct label *newlabel)
{
int error;
@@ -174,7 +178,7 @@ mac_partition_check_cred_relabel(struct ucred *cred, struct label *newlabel)
}
static int
-mac_partition_check_cred_visible(struct ucred *cr1, struct ucred *cr2)
+mac_partition_cred_check_visible(struct ucred *cr1, struct ucred *cr2)
{
int error;
@@ -184,7 +188,7 @@ mac_partition_check_cred_visible(struct ucred *cr1, struct ucred *cr2)
}
static int
-mac_partition_check_proc_debug(struct ucred *cred, struct proc *p)
+mac_partition_proc_check_debug(struct ucred *cred, struct proc *p)
{
int error;
@@ -194,7 +198,7 @@ mac_partition_check_proc_debug(struct ucred *cred, struct proc *p)
}
static int
-mac_partition_check_proc_sched(struct ucred *cred, struct proc *p)
+mac_partition_proc_check_sched(struct ucred *cred, struct proc *p)
{
int error;
@@ -204,7 +208,7 @@ mac_partition_check_proc_sched(struct ucred *cred, struct proc *p)
}
static int
-mac_partition_check_proc_signal(struct ucred *cred, struct proc *p,
+mac_partition_proc_check_signal(struct ucred *cred, struct proc *p,
int signum)
{
int error;
@@ -215,7 +219,7 @@ mac_partition_check_proc_signal(struct ucred *cred, struct proc *p,
}
static int
-mac_partition_check_socket_visible(struct ucred *cred, struct socket *so,
+mac_partition_socket_check_visible(struct ucred *cred, struct socket *so,
struct label *solabel)
{
int error;
@@ -226,7 +230,7 @@ mac_partition_check_socket_visible(struct ucred *cred, struct socket *so,
}
static int
-mac_partition_check_vnode_exec(struct ucred *cred, struct vnode *vp,
+mac_partition_vnode_check_exec(struct ucred *cred, struct vnode *vp,
struct label *vplabel, struct image_params *imgp,
struct label *execlabel)
{
@@ -246,21 +250,21 @@ mac_partition_check_vnode_exec(struct ucred *cred, struct vnode *vp,
static struct mac_policy_ops mac_partition_ops =
{
- .mpo_init_cred_label = mac_partition_init_label,
- .mpo_destroy_cred_label = mac_partition_destroy_label,
- .mpo_copy_cred_label = mac_partition_copy_label,
- .mpo_externalize_cred_label = mac_partition_externalize_label,
- .mpo_internalize_cred_label = mac_partition_internalize_label,
- .mpo_create_proc0 = mac_partition_create_proc0,
- .mpo_create_proc1 = mac_partition_create_proc1,
- .mpo_relabel_cred = mac_partition_relabel_cred,
- .mpo_check_cred_relabel = mac_partition_check_cred_relabel,
- .mpo_check_cred_visible = mac_partition_check_cred_visible,
- .mpo_check_proc_debug = mac_partition_check_proc_debug,
- .mpo_check_proc_sched = mac_partition_check_proc_sched,
- .mpo_check_proc_signal = mac_partition_check_proc_signal,
- .mpo_check_socket_visible = mac_partition_check_socket_visible,
- .mpo_check_vnode_exec = mac_partition_check_vnode_exec,
+ .mpo_cred_init_label = mac_partition_init_label,
+ .mpo_cred_destroy_label = mac_partition_destroy_label,
+ .mpo_cred_copy_label = mac_partition_copy_label,
+ .mpo_cred_externalize_label = mac_partition_externalize_label,
+ .mpo_cred_internalize_label = mac_partition_internalize_label,
+ .mpo_proc_create_swapper = mac_partition_proc_create_swapper,
+ .mpo_proc_create_init = mac_partition_proc_create_init,
+ .mpo_cred_relabel = mac_partition_cred_relabel,
+ .mpo_cred_check_relabel = mac_partition_cred_check_relabel,
+ .mpo_cred_check_visible = mac_partition_cred_check_visible,
+ .mpo_proc_check_debug = mac_partition_proc_check_debug,
+ .mpo_proc_check_sched = mac_partition_proc_check_sched,
+ .mpo_proc_check_signal = mac_partition_proc_check_signal,
+ .mpo_socket_check_visible = mac_partition_socket_check_visible,
+ .mpo_vnode_check_exec = mac_partition_vnode_check_exec,
};
MAC_POLICY_SET(&mac_partition_ops, mac_partition, "TrustedBSD MAC/Partition",
diff --git a/sys/security/mac_portacl/mac_portacl.c b/sys/security/mac_portacl/mac_portacl.c
index 633f606..0d4428d 100644
--- a/sys/security/mac_portacl/mac_portacl.c
+++ b/sys/security/mac_portacl/mac_portacl.c
@@ -1,5 +1,6 @@
/*-
* Copyright (c) 2003-2004 Networks Associates Technology, Inc.
+ * Copyright (c) 2006 SPARTA, Inc.
* All rights reserved.
*
* This software was developed for the FreeBSD Project by Network
@@ -7,6 +8,9 @@
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
* as part of the DARPA CHATS research program.
*
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract
+ * N66001-04-C-6019 ("SEFOS").
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -430,7 +434,7 @@ rules_check(struct ucred *cred, int family, int type, u_int16_t port)
* the source port is left up to the IP stack to determine automatically.
*/
static int
-check_socket_bind(struct ucred *cred, struct socket *so,
+socket_check_bind(struct ucred *cred, struct socket *so,
struct label *solabel, struct sockaddr *sa)
{
struct sockaddr_in *sin;
@@ -482,7 +486,7 @@ static struct mac_policy_ops mac_portacl_ops =
{
.mpo_destroy = destroy,
.mpo_init = init,
- .mpo_check_socket_bind = check_socket_bind,
+ .mpo_socket_check_bind = socket_check_bind,
};
MAC_POLICY_SET(&mac_portacl_ops, trustedbsd_mac_portacl,
diff --git a/sys/security/mac_seeotheruids/mac_seeotheruids.c b/sys/security/mac_seeotheruids/mac_seeotheruids.c
index 1e5e4df..8681b86 100644
--- a/sys/security/mac_seeotheruids/mac_seeotheruids.c
+++ b/sys/security/mac_seeotheruids/mac_seeotheruids.c
@@ -1,6 +1,7 @@
/*-
* Copyright (c) 1999-2002, 2007 Robert N. M. Watson
* Copyright (c) 2001-2002 Networks Associates Technology, Inc.
+ * Copyright (c) 2006 SPARTA, Inc.
* All rights reserved.
*
* This software was developed by Robert Watson for the TrustedBSD Project.
@@ -10,6 +11,9 @@
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
* as part of the DARPA CHATS research program.
*
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract
+ * N66001-04-C-6019 ("SEFOS").
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -122,14 +126,14 @@ mac_seeotheruids_check(struct ucred *cr1, struct ucred *cr2)
}
static int
-mac_seeotheruids_check_cred_visible(struct ucred *cr1, struct ucred *cr2)
+mac_seeotheruids_cred_check_visible(struct ucred *cr1, struct ucred *cr2)
{
return (mac_seeotheruids_check(cr1, cr2));
}
static int
-mac_seeotheruids_check_proc_signal(struct ucred *cred, struct proc *p,
+mac_seeotheruids_proc_check_signal(struct ucred *cred, struct proc *p,
int signum)
{
@@ -137,21 +141,21 @@ mac_seeotheruids_check_proc_signal(struct ucred *cred, struct proc *p,
}
static int
-mac_seeotheruids_check_proc_sched(struct ucred *cred, struct proc *p)
+mac_seeotheruids_proc_check_sched(struct ucred *cred, struct proc *p)
{
return (mac_seeotheruids_check(cred, p->p_ucred));
}
static int
-mac_seeotheruids_check_proc_debug(struct ucred *cred, struct proc *p)
+mac_seeotheruids_proc_check_debug(struct ucred *cred, struct proc *p)
{
return (mac_seeotheruids_check(cred, p->p_ucred));
}
static int
-mac_seeotheruids_check_socket_visible(struct ucred *cred, struct socket *so,
+mac_seeotheruids_socket_check_visible(struct ucred *cred, struct socket *so,
struct label *solabel)
{
@@ -160,11 +164,11 @@ mac_seeotheruids_check_socket_visible(struct ucred *cred, struct socket *so,
static struct mac_policy_ops mac_seeotheruids_ops =
{
- .mpo_check_cred_visible = mac_seeotheruids_check_cred_visible,
- .mpo_check_proc_debug = mac_seeotheruids_check_proc_debug,
- .mpo_check_proc_sched = mac_seeotheruids_check_proc_sched,
- .mpo_check_proc_signal = mac_seeotheruids_check_proc_signal,
- .mpo_check_socket_visible = mac_seeotheruids_check_socket_visible,
+ .mpo_cred_check_visible = mac_seeotheruids_cred_check_visible,
+ .mpo_proc_check_debug = mac_seeotheruids_proc_check_debug,
+ .mpo_proc_check_sched = mac_seeotheruids_proc_check_sched,
+ .mpo_proc_check_signal = mac_seeotheruids_proc_check_signal,
+ .mpo_socket_check_visible = mac_seeotheruids_socket_check_visible,
};
MAC_POLICY_SET(&mac_seeotheruids_ops, mac_seeotheruids,
diff --git a/sys/security/mac_stub/mac_stub.c b/sys/security/mac_stub/mac_stub.c
index 8fa9a0d..56a0953 100644
--- a/sys/security/mac_stub/mac_stub.c
+++ b/sys/security/mac_stub/mac_stub.c
@@ -1,7 +1,7 @@
/*-
* Copyright (c) 1999-2002, 2007 Robert N. M. Watson
* Copyright (c) 2001-2005 McAfee, Inc.
- * Copyright (c) 2005 SPARTA, Inc.
+ * Copyright (c) 2005-2006 SPARTA, Inc.
* All rights reserved.
*
* This software was developed by Robert Watson for the TrustedBSD Project.
@@ -163,7 +163,7 @@ stub_internalize_label(struct label *label, char *element_name,
* a lot like file system objects.
*/
static void
-stub_associate_vnode_devfs(struct mount *mp, struct label *mplabel,
+stub_devfs_vnode_associate(struct mount *mp, struct label *mplabel,
struct devfs_dirent *de, struct label *delabel, struct vnode *vp,
struct label *vplabel)
{
@@ -171,7 +171,7 @@ stub_associate_vnode_devfs(struct mount *mp, struct label *mplabel,
}
static int
-stub_associate_vnode_extattr(struct mount *mp, struct label *mplabel,
+stub_vnode_associate_extattr(struct mount *mp, struct label *mplabel,
struct vnode *vp, struct label *vplabel)
{
@@ -179,7 +179,7 @@ stub_associate_vnode_extattr(struct mount *mp, struct label *mplabel,
}
static void
-stub_associate_vnode_singlelabel(struct mount *mp,
+stub_vnode_associate_singlelabel(struct mount *mp,
struct label *mplabel, struct vnode *vp, struct label *vplabel)
{
@@ -192,21 +192,21 @@ stub_associate_nfsd_label(struct ucred *cred)
}
static void
-stub_create_devfs_device(struct ucred *cred, struct mount *mp,
+stub_devfs_create_device(struct ucred *cred, struct mount *mp,
struct cdev *dev, struct devfs_dirent *de, struct label *delabel)
{
}
static void
-stub_create_devfs_directory(struct mount *mp, char *dirname,
+stub_devfs_create_directory(struct mount *mp, char *dirname,
int dirnamelen, struct devfs_dirent *de, struct label *delabel)
{
}
static void
-stub_create_devfs_symlink(struct ucred *cred, struct mount *mp,
+stub_devfs_create_symlink(struct ucred *cred, struct mount *mp,
struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de,
struct label *delabel)
{
@@ -214,7 +214,7 @@ stub_create_devfs_symlink(struct ucred *cred, struct mount *mp,
}
static int
-stub_create_vnode_extattr(struct ucred *cred, struct mount *mp,
+stub_vnode_create_extattr(struct ucred *cred, struct mount *mp,
struct label *mntlabel, struct vnode *dvp, struct label *dvplabel,
struct vnode *vp, struct label *vplabel, struct componentname *cnp)
{
@@ -223,21 +223,21 @@ stub_create_vnode_extattr(struct ucred *cred, struct mount *mp,
}
static void
-stub_create_mount(struct ucred *cred, struct mount *mp,
+stub_mount_create(struct ucred *cred, struct mount *mp,
struct label *mplabel)
{
}
static void
-stub_relabel_vnode(struct ucred *cred, struct vnode *vp,
+stub_vnode_relabel(struct ucred *cred, struct vnode *vp,
struct label *vplabel, struct label *label)
{
}
static int
-stub_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
+stub_vnode_setlabel_extattr(struct ucred *cred, struct vnode *vp,
struct label *vplabel, struct label *intlabel)
{
@@ -245,7 +245,7 @@ stub_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
}
static void
-stub_update_devfs(struct mount *mp, struct devfs_dirent *de,
+stub_devfs_update(struct mount *mp, struct devfs_dirent *de,
struct label *delabel, struct vnode *vp, struct label *vplabel)
{
@@ -255,63 +255,63 @@ stub_update_devfs(struct mount *mp, struct devfs_dirent *de,
* Labeling event operations: IPC object.
*/
static void
-stub_create_mbuf_from_socket(struct socket *so, struct label *solabel,
+stub_socket_create_mbuf(struct socket *so, struct label *solabel,
struct mbuf *m, struct label *mlabel)
{
}
static void
-stub_create_socket(struct ucred *cred, struct socket *so,
+stub_socket_create(struct ucred *cred, struct socket *so,
struct label *solabel)
{
}
static void
-stub_create_pipe(struct ucred *cred, struct pipepair *pp,
+stub_pipe_create(struct ucred *cred, struct pipepair *pp,
struct label *pplabel)
{
}
static void
-stub_create_posix_sem(struct ucred *cred, struct ksem *ks,
+stub_posixsem_create(struct ucred *cred, struct ksem *ks,
struct label *kslabel)
{
}
static void
-stub_create_socket_from_socket(struct socket *oldso,
- struct label *oldsolabel, struct socket *newso, struct label *newsolabel)
+stub_socket_newconn(struct socket *oldso, struct label *oldsolabel,
+ struct socket *newso, struct label *newsolabel)
{
}
static void
-stub_relabel_socket(struct ucred *cred, struct socket *so,
+stub_socket_relabel(struct ucred *cred, struct socket *so,
struct label *solabel, struct label *newlabel)
{
}
static void
-stub_relabel_pipe(struct ucred *cred, struct pipepair *pp,
+stub_pipe_relabel(struct ucred *cred, struct pipepair *pp,
struct label *pplabel, struct label *newlabel)
{
}
static void
-stub_set_socket_peer_from_mbuf(struct mbuf *m, struct label *mlabel,
+stub_socketpeer_set_from_mbuf(struct mbuf *m, struct label *mlabel,
struct socket *so, struct label *sopeerlabel)
{
}
static void
-stub_set_socket_peer_from_socket(struct socket *oldso,
+stub_socketpeer_set_from_socket(struct socket *oldso,
struct label *oldsolabel, struct socket *newso,
struct label *newsopeerlabel)
{
@@ -322,34 +322,34 @@ stub_set_socket_peer_from_socket(struct socket *oldso,
* Labeling event operations: network objects.
*/
static void
-stub_create_bpfdesc(struct ucred *cred, struct bpf_d *d,
+stub_bpfdesc_create(struct ucred *cred, struct bpf_d *d,
struct label *dlabel)
{
}
static void
-stub_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel,
+stub_ipq_reassemble(struct ipq *ipq, struct label *ipqlabel,
struct mbuf *m, struct label *mlabel)
{
}
static void
-stub_create_fragment(struct mbuf *m, struct label *mlabel, struct mbuf *frag,
+stub_netinet_fragment(struct mbuf *m, struct label *mlabel, struct mbuf *frag,
struct label *fraglabel)
{
}
static void
-stub_create_ifnet(struct ifnet *ifp, struct label *ifplabel)
+stub_ifnet_create(struct ifnet *ifp, struct label *ifplabel)
{
}
static void
-stub_create_inpcb_from_socket(struct socket *so, struct label *solabel,
+stub_inpcb_create(struct socket *so, struct label *solabel,
struct inpcb *inp, struct label *inplabel)
{
@@ -362,42 +362,42 @@ stub_init_syncache_from_inpcb(struct label *label, struct inpcb *inp)
}
static void
-stub_create_sysv_msgmsg(struct ucred *cred, struct msqid_kernel *msqkptr,
+stub_sysvmsg_create(struct ucred *cred, struct msqid_kernel *msqkptr,
struct label *msqlabel, struct msg *msgptr, struct label *msglabel)
{
}
static void
-stub_create_sysv_msgqueue(struct ucred *cred, struct msqid_kernel *msqkptr,
+stub_sysvmsq_create(struct ucred *cred, struct msqid_kernel *msqkptr,
struct label *msqlabel)
{
}
static void
-stub_create_sysv_sem(struct ucred *cred, struct semid_kernel *semakptr,
+stub_sysvsem_create(struct ucred *cred, struct semid_kernel *semakptr,
struct label *semalabel)
{
}
static void
-stub_create_sysv_shm(struct ucred *cred, struct shmid_kernel *shmsegptr,
+stub_sysvshm_create(struct ucred *cred, struct shmid_kernel *shmsegptr,
struct label *shmalabel)
{
}
static void
-stub_create_ipq(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
+stub_ipq_create(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
struct label *ipqlabel)
{
}
static void
-stub_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel,
+stub_inpcb_create_mbuf(struct inpcb *inp, struct label *inplabel,
struct mbuf *m, struct label *mlabel)
{
@@ -418,21 +418,21 @@ stub_create_mbuf_linklayer(struct ifnet *ifnet, struct label *ifnetlabel,
}
static void
-stub_create_mbuf_from_bpfdesc(struct bpf_d *d, struct label *dlabel,
+stub_bpfdesc_create_mbuf(struct bpf_d *d, struct label *dlabel,
struct mbuf *m, struct label *mlabel)
{
}
static void
-stub_create_mbuf_from_ifnet(struct ifnet *ifp, struct label *ifplabel,
+stub_ifnet_create_mbuf(struct ifnet *ifp, struct label *ifplabel,
struct mbuf *m, struct label *mlabel)
{
}
static void
-stub_create_mbuf_multicast_encap(struct mbuf *m, struct label *mlabel,
+stub_mbuf_create_multicast_encap(struct mbuf *m, struct label *mlabel,
struct ifnet *ifp, struct label *ifplabel, struct mbuf *mnew,
struct label *mnewlabel)
{
@@ -440,20 +440,20 @@ stub_create_mbuf_multicast_encap(struct mbuf *m, struct label *mlabel,
}
static void
-stub_create_mbuf_netlayer(struct mbuf *m, struct label *mlabel,
+stub_mbuf_create_netlayer(struct mbuf *m, struct label *mlabel,
struct mbuf *mnew, struct label *mnewlabel)
{
}
static void
-stub_create_mbuf_from_firewall(struct mbuf *m, struct label *mlabel)
+stub_mbuf_create_from_firewall(struct mbuf *m, struct label *mlabel)
{
}
static int
-stub_fragment_match(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
+stub_ipq_match(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
struct label *ipqlabel)
{
@@ -461,26 +461,26 @@ stub_fragment_match(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
}
static void
-stub_reflect_mbuf_icmp(struct mbuf *m, struct label *mlabel)
+stub_netinet_icmp_reply(struct mbuf *m, struct label *mlabel)
{
}
static void
-stub_reflect_mbuf_tcp(struct mbuf *m, struct label *mlabel)
+stub_netinet_tcp_reply(struct mbuf *m, struct label *mlabel)
{
}
static void
-stub_relabel_ifnet(struct ucred *cred, struct ifnet *ifp,
+stub_ifnet_relabel(struct ucred *cred, struct ifnet *ifp,
struct label *ifplabel, struct label *newlabel)
{
}
static void
-stub_update_ipq(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
+stub_ipq_update(struct mbuf *m, struct label *mlabel, struct ipq *ipq,
struct label *ipqlabel)
{
@@ -497,7 +497,7 @@ stub_inpcb_sosetlabel(struct socket *so, struct label *solabel,
* Labeling event operations: processes.
*/
static void
-stub_execve_transition(struct ucred *old, struct ucred *new,
+stub_vnode_execve_transition(struct ucred *old, struct ucred *new,
struct vnode *vp, struct label *vplabel, struct label *interpvnodelabel,
struct image_params *imgp, struct label *execlabel)
{
@@ -505,7 +505,7 @@ stub_execve_transition(struct ucred *old, struct ucred *new,
}
static int
-stub_execve_will_transition(struct ucred *old, struct vnode *vp,
+stub_vnode_execve_will_transition(struct ucred *old, struct vnode *vp,
struct label *vplabel, struct label *interpvnodelabel,
struct image_params *imgp, struct label *execlabel)
{
@@ -514,19 +514,19 @@ stub_execve_will_transition(struct ucred *old, struct vnode *vp,
}
static void
-stub_create_proc0(struct ucred *cred)
+stub_proc_create_swapper(struct ucred *cred)
{
}
static void
-stub_create_proc1(struct ucred *cred)
+stub_proc_create_init(struct ucred *cred)
{
}
static void
-stub_relabel_cred(struct ucred *cred, struct label *newlabel)
+stub_cred_relabel(struct ucred *cred, struct label *newlabel)
{
}
@@ -541,25 +541,25 @@ stub_thread_userret(struct thread *td)
* Label cleanup/flush operations
*/
static void
-stub_cleanup_sysv_msgmsg(struct label *msglabel)
+stub_sysvmsg_cleanup(struct label *msglabel)
{
}
static void
-stub_cleanup_sysv_msgqueue(struct label *msqlabel)
+stub_sysvmsq_cleanup(struct label *msqlabel)
{
}
static void
-stub_cleanup_sysv_sem(struct label *semalabel)
+stub_sysvsem_cleanup(struct label *semalabel)
{
}
static void
-stub_cleanup_sysv_shm(struct label *shmlabel)
+stub_sysvshm_cleanup(struct label *shmlabel)
{
}
@@ -568,7 +568,7 @@ stub_cleanup_sysv_shm(struct label *shmlabel)
* Access control checks.
*/
static int
-stub_check_bpfdesc_receive(struct bpf_d *d, struct label *dlabel,
+stub_bpfdesc_check_receive(struct bpf_d *d, struct label *dlabel,
struct ifnet *ifp, struct label *ifplabel)
{
@@ -576,21 +576,21 @@ stub_check_bpfdesc_receive(struct bpf_d *d, struct label *dlabel,
}
static int
-stub_check_cred_relabel(struct ucred *cred, struct label *newlabel)
+stub_cred_check_relabel(struct ucred *cred, struct label *newlabel)
{
return (0);
}
static int
-stub_check_cred_visible(struct ucred *cr1, struct ucred *cr2)
+stub_cred_check_visible(struct ucred *cr1, struct ucred *cr2)
{
return (0);
}
static int
-stub_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifp,
+stub_ifnet_check_relabel(struct ucred *cred, struct ifnet *ifp,
struct label *ifplabel, struct label *newlabel)
{
@@ -598,7 +598,7 @@ stub_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifp,
}
static int
-stub_check_ifnet_transmit(struct ifnet *ifp, struct label *ifplabel,
+stub_ifnet_check_transmit(struct ifnet *ifp, struct label *ifplabel,
struct mbuf *m, struct label *mlabel)
{
@@ -606,7 +606,7 @@ stub_check_ifnet_transmit(struct ifnet *ifp, struct label *ifplabel,
}
static int
-stub_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel,
+stub_inpcb_check_deliver(struct inpcb *inp, struct label *inplabel,
struct mbuf *m, struct label *mlabel)
{
@@ -614,7 +614,7 @@ stub_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel,
}
static int
-stub_check_sysv_msgmsq(struct ucred *cred, struct msg *msgptr,
+stub_sysvmsq_check_msgmsq(struct ucred *cred, struct msg *msgptr,
struct label *msglabel, struct msqid_kernel *msqkptr,
struct label *msqklabel)
{
@@ -623,7 +623,7 @@ stub_check_sysv_msgmsq(struct ucred *cred, struct msg *msgptr,
}
static int
-stub_check_sysv_msgrcv(struct ucred *cred, struct msg *msgptr,
+stub_sysvmsq_check_msgrcv(struct ucred *cred, struct msg *msgptr,
struct label *msglabel)
{
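Review bot: The new name `stub_sysvmsq_check_msgrcv` puts a hook whose arguments are `struct msg *msgptr` and `struct label *msglabel` under the queue prefix `sysvmsq`, while the same commit names the other message-object hooks `stub_sysvmsg_create` and `stub_sysvmsg_cleanup`. `stub_sysvmsq_check_msgrmid` in the next hunk has the same mismatch. If the prefix is meant to follow the policy-ops entry name rather than the labelled object (the stub ops table is not visible here, so this is inferred), a one-line comment above both functions would keep a policy author from reading them as queue checks, e.g. `/* msq entry point; the object checked is the message (msgptr/msglabel). */`. The function body continues outside the hunk.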
@@ -632,7 +632,7 @@ stub_check_sysv_msgrcv(struct ucred *cred, struct msg *msgptr,
static int
-stub_check_sysv_msgrmid(struct ucred *cred, struct msg *msgptr,
+stub_sysvmsq_check_msgrmid(struct ucred *cred, struct msg *msgptr,
struct label *msglabel)
{
@@ -641,7 +641,7 @@ stub_check_sysv_msgrmid(struct ucred *cred, struct msg *msgptr,
static int
-stub_check_sysv_msqget(struct ucred *cred, struct msqid_kernel *msqkptr,
+stub_sysvmsq_check_msqget(struct ucred *cred, struct msqid_kernel *msqkptr,
struct label *msqklabel)
{
@@ -650,7 +650,7 @@ stub_check_sysv_msqget(struct ucred *cred, struct msqid_kernel *msqkptr,
static int
-stub_check_sysv_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr,
+stub_sysvmsq_check_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr,
struct label *msqklabel)
{
@@ -658,7 +658,7 @@ stub_check_sysv_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr,
}
static int
-stub_check_sysv_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr,
+stub_sysvmsq_check_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr,
struct label *msqklabel)
{
@@ -667,7 +667,7 @@ stub_check_sysv_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr,
static int
-stub_check_sysv_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr,
+stub_sysvmsq_check_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr,
struct label *msqklabel, int cmd)
{
@@ -676,7 +676,7 @@ stub_check_sysv_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr,
static int
-stub_check_sysv_semctl(struct ucred *cred, struct semid_kernel *semakptr,
+stub_sysvsem_check_semctl(struct ucred *cred, struct semid_kernel *semakptr,
struct label *semaklabel, int cmd)
{
@@ -684,7 +684,7 @@ stub_check_sysv_semctl(struct ucred *cred, struct semid_kernel *semakptr,
}
static int
-stub_check_sysv_semget(struct ucred *cred, struct semid_kernel *semakptr,
+stub_sysvsem_check_semget(struct ucred *cred, struct semid_kernel *semakptr,
struct label *semaklabel)
{
@@ -693,7 +693,7 @@ stub_check_sysv_semget(struct ucred *cred, struct semid_kernel *semakptr,
static int
-stub_check_sysv_semop(struct ucred *cred, struct semid_kernel *semakptr,
+stub_sysvsem_check_semop(struct ucred *cred, struct semid_kernel *semakptr,
struct label *semaklabel, size_t accesstype)
{
@@ -701,7 +701,7 @@ stub_check_sysv_semop(struct ucred *cred, struct semid_kernel *semakptr,
}
static int
-stub_check_sysv_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr,
+stub_sysvshm_check_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr,
struct label *shmseglabel, int shmflg)
{
@@ -709,7 +709,7 @@ stub_check_sysv_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr,
}
static int
-stub_check_sysv_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr,
+stub_sysvshm_check_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr,
struct label *shmseglabel, int cmd)
{
@@ -717,7 +717,7 @@ stub_check_sysv_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr,
}
static int
-stub_check_sysv_shmdt(struct ucred *cred, struct shmid_kernel *shmsegptr,
+stub_sysvshm_check_shmdt(struct ucred *cred, struct shmid_kernel *shmsegptr,
struct label *shmseglabel)
{
@@ -726,7 +726,7 @@ stub_check_sysv_shmdt(struct ucred *cred, struct shmid_kernel *shmsegptr,
static int
-stub_check_sysv_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr,
+stub_sysvshm_check_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr,
struct label *shmseglabel, int shmflg)
{
@@ -734,35 +734,35 @@ stub_check_sysv_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr,
}
static int
-stub_check_kenv_dump(struct ucred *cred)
+stub_kenv_check_dump(struct ucred *cred)
{
return (0);
}
static int
-stub_check_kenv_get(struct ucred *cred, char *name)
+stub_kenv_check_get(struct ucred *cred, char *name)
{
return (0);
}
static int
-stub_check_kenv_set(struct ucred *cred, char *name, char *value)
+stub_kenv_check_set(struct ucred *cred, char *name, char *value)
{
return (0);
}
static int
-stub_check_kenv_unset(struct ucred *cred, char *name)
+stub_kenv_check_unset(struct ucred *cred, char *name)
{
return (0);
}
static int
-stub_check_kld_load(struct ucred *cred, struct vnode *vp,
+stub_kld_check_load(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
@@ -770,14 +770,14 @@ stub_check_kld_load(struct ucred *cred, struct vnode *vp,
}
static int
-stub_check_kld_stat(struct ucred *cred)
+stub_kld_check_stat(struct ucred *cred)
{
return (0);
}
static int
-stub_check_mount_stat(struct ucred *cred, struct mount *mp,
+stub_mount_check_stat(struct ucred *cred, struct mount *mp,
struct label *mplabel)
{
@@ -785,7 +785,7 @@ stub_check_mount_stat(struct ucred *cred, struct mount *mp,
}
static int
-stub_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp,
+stub_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp,
struct label *pplabel, unsigned long cmd, void /* caddr_t */ *data)
{
@@ -793,7 +793,7 @@ stub_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp,
}
static int
-stub_check_pipe_poll(struct ucred *cred, struct pipepair *pp,
+stub_pipe_check_poll(struct ucred *cred, struct pipepair *pp,
struct label *pplabel)
{
@@ -801,7 +801,7 @@ stub_check_pipe_poll(struct ucred *cred, struct pipepair *pp,
}
static int
-stub_check_pipe_read(struct ucred *cred, struct pipepair *pp,
+stub_pipe_check_read(struct ucred *cred, struct pipepair *pp,
struct label *pplabel)
{
@@ -809,7 +809,7 @@ stub_check_pipe_read(struct ucred *cred, struct pipepair *pp,
}
static int
-stub_check_pipe_relabel(struct ucred *cred, struct pipepair *pp,
+stub_pipe_check_relabel(struct ucred *cred, struct pipepair *pp,
struct label *pplabel, struct label *newlabel)
{
@@ -817,7 +817,7 @@ stub_check_pipe_relabel(struct ucred *cred, struct pipepair *pp,
}
static int
-stub_check_pipe_stat(struct ucred *cred, struct pipepair *pp,
+stub_pipe_check_stat(struct ucred *cred, struct pipepair *pp,
struct label *pplabel)
{
@@ -825,7 +825,7 @@ stub_check_pipe_stat(struct ucred *cred, struct pipepair *pp,
}
static int
-stub_check_pipe_write(struct ucred *cred, struct pipepair *pp,
+stub_pipe_check_write(struct ucred *cred, struct pipepair *pp,
struct label *pplabel)
{
@@ -833,7 +833,7 @@ stub_check_pipe_write(struct ucred *cred, struct pipepair *pp,
}
static int
-stub_check_posix_sem_destroy(struct ucred *cred, struct ksem *ks,
+stub_posixsem_check_destroy(struct ucred *cred, struct ksem *ks,
struct label *kslabel)
{
@@ -841,7 +841,7 @@ stub_check_posix_sem_destroy(struct ucred *cred, struct ksem *ks,
}
static int
-stub_check_posix_sem_getvalue(struct ucred *cred, struct ksem *ks,
+stub_posixsem_check_getvalue(struct ucred *cred, struct ksem *ks,
struct label *kslabel)
{
@@ -849,7 +849,7 @@ stub_check_posix_sem_getvalue(struct ucred *cred, struct ksem *ks,
}
static int
-stub_check_posix_sem_open(struct ucred *cred, struct ksem *ks,
+stub_posixsem_check_open(struct ucred *cred, struct ksem *ks,
struct label *kslabel)
{
@@ -857,7 +857,7 @@ stub_check_posix_sem_open(struct ucred *cred, struct ksem *ks,
}
static int
-stub_check_posix_sem_post(struct ucred *cred, struct ksem *ks,
+stub_posixsem_check_post(struct ucred *cred, struct ksem *ks,
struct label *kslabel)
{
@@ -865,7 +865,7 @@ stub_check_posix_sem_post(struct ucred *cred, struct ksem *ks,
}
static int
-stub_check_posix_sem_unlink(struct ucred *cred, struct ksem *ks,
+stub_posixsem_check_unlink(struct ucred *cred, struct ksem *ks,
struct label *kslabel)
{
@@ -873,7 +873,7 @@ stub_check_posix_sem_unlink(struct ucred *cred, struct ksem *ks,
}
static int
-stub_check_posix_sem_wait(struct ucred *cred, struct ksem *ks,
+stub_posixsem_check_wait(struct ucred *cred, struct ksem *ks,
struct label *kslabel)
{
@@ -881,84 +881,84 @@ stub_check_posix_sem_wait(struct ucred *cred, struct ksem *ks,
}
static int
-stub_check_proc_debug(struct ucred *cred, struct proc *p)
+stub_proc_check_debug(struct ucred *cred, struct proc *p)
{
return (0);
}
static int
-stub_check_proc_sched(struct ucred *cred, struct proc *p)
+stub_proc_check_sched(struct ucred *cred, struct proc *p)
{
return (0);
}
static int
-stub_check_proc_signal(struct ucred *cred, struct proc *p, int signum)
+stub_proc_check_signal(struct ucred *cred, struct proc *p, int signum)
{
return (0);
}
static int
-stub_check_proc_wait(struct ucred *cred, struct proc *p)
+stub_proc_check_wait(struct ucred *cred, struct proc *p)
{
return (0);
}
static int
-stub_check_proc_setaudit(struct ucred *cred, struct auditinfo *ai)
+stub_proc_check_setaudit(struct ucred *cred, struct auditinfo *ai)
{
return (0);
}
static int
-stub_check_proc_setaudit_addr(struct ucred *cred, struct auditinfo_addr *aia)
+stub_proc_check_setaudit_addr(struct ucred *cred, struct auditinfo_addr *aia)
{
return (0);
}
static int
-stub_check_proc_setauid(struct ucred *cred, uid_t auid)
+stub_proc_check_setauid(struct ucred *cred, uid_t auid)
{
return (0);
}
static int
-stub_check_proc_setuid(struct ucred *cred, uid_t uid)
+stub_proc_check_setuid(struct ucred *cred, uid_t uid)
{
return (0);
}
static int
-stub_check_proc_seteuid(struct ucred *cred, uid_t euid)
+stub_proc_check_seteuid(struct ucred *cred, uid_t euid)
{
return (0);
}
static int
-stub_check_proc_setgid(struct ucred *cred, gid_t gid)
+stub_proc_check_setgid(struct ucred *cred, gid_t gid)
{
return (0);
}
static int
-stub_check_proc_setegid(struct ucred *cred, gid_t egid)
+stub_proc_check_setegid(struct ucred *cred, gid_t egid)
{
return (0);
}
static int
-stub_check_proc_setgroups(struct ucred *cred, int ngroups,
+stub_proc_check_setgroups(struct ucred *cred, int ngroups,
gid_t *gidset)
{
@@ -966,21 +966,21 @@ stub_check_proc_setgroups(struct ucred *cred, int ngroups,
}
static int
-stub_check_proc_setreuid(struct ucred *cred, uid_t ruid, uid_t euid)
+stub_proc_check_setreuid(struct ucred *cred, uid_t ruid, uid_t euid)
{
return (0);
}
static int
-stub_check_proc_setregid(struct ucred *cred, gid_t rgid, gid_t egid)
+stub_proc_check_setregid(struct ucred *cred, gid_t rgid, gid_t egid)
{
return (0);
}
static int
-stub_check_proc_setresuid(struct ucred *cred, uid_t ruid, uid_t euid,
+stub_proc_check_setresuid(struct ucred *cred, uid_t ruid, uid_t euid,
uid_t suid)
{
@@ -988,7 +988,7 @@ stub_check_proc_setresuid(struct ucred *cred, uid_t ruid, uid_t euid,
}
static int
-stub_check_proc_setresgid(struct ucred *cred, gid_t rgid, gid_t egid,
+stub_proc_check_setresgid(struct ucred *cred, gid_t rgid, gid_t egid,
gid_t sgid)
{
@@ -996,7 +996,7 @@ stub_check_proc_setresgid(struct ucred *cred, gid_t rgid, gid_t egid,
}
static int
-stub_check_socket_accept(struct ucred *cred, struct socket *so,
+stub_socket_check_accept(struct ucred *cred, struct socket *so,
struct label *solabel)
{
@@ -1004,7 +1004,7 @@ stub_check_socket_accept(struct ucred *cred, struct socket *so,
}
static int
-stub_check_socket_bind(struct ucred *cred, struct socket *so,
+stub_socket_check_bind(struct ucred *cred, struct socket *so,
struct label *solabel, struct sockaddr *sa)
{
@@ -1012,7 +1012,7 @@ stub_check_socket_bind(struct ucred *cred, struct socket *so,
}
static int
-stub_check_socket_connect(struct ucred *cred, struct socket *so,
+stub_socket_check_connect(struct ucred *cred, struct socket *so,
struct label *solabel, struct sockaddr *sa)
{
@@ -1020,14 +1020,14 @@ stub_check_socket_connect(struct ucred *cred, struct socket *so,
}
static int
-stub_check_socket_create(struct ucred *cred, int domain, int type, int proto)
+stub_socket_check_create(struct ucred *cred, int domain, int type, int proto)
{
return (0);
}
static int
-stub_check_socket_deliver(struct socket *so, struct label *solabel,
+stub_socket_check_deliver(struct socket *so, struct label *solabel,
struct mbuf *m, struct label *mlabel)
{
@@ -1035,7 +1035,7 @@ stub_check_socket_deliver(struct socket *so, struct label *solabel,
}
static int
-stub_check_socket_listen(struct ucred *cred, struct socket *so,
+stub_socket_check_listen(struct ucred *cred, struct socket *so,
struct label *solabel)
{
@@ -1043,7 +1043,7 @@ stub_check_socket_listen(struct ucred *cred, struct socket *so,
}
static int
-stub_check_socket_poll(struct ucred *cred, struct socket *so,
+stub_socket_check_poll(struct ucred *cred, struct socket *so,
struct label *solabel)
{
@@ -1051,7 +1051,7 @@ stub_check_socket_poll(struct ucred *cred, struct socket *so,
}
static int
-stub_check_socket_receive(struct ucred *cred, struct socket *so,
+stub_socket_check_receive(struct ucred *cred, struct socket *so,
struct label *solabel)
{
@@ -1059,14 +1059,14 @@ stub_check_socket_receive(struct ucred *cred, struct socket *so,
}
static int
-stub_check_socket_relabel(struct ucred *cred, struct socket *so,
+stub_socket_check_relabel(struct ucred *cred, struct socket *so,
struct label *solabel, struct label *newlabel)
{
return (0);
}
static int
-stub_check_socket_send(struct ucred *cred, struct socket *so,
+stub_socket_check_send(struct ucred *cred, struct socket *so,
struct label *solabel)
{
@@ -1074,7 +1074,7 @@ stub_check_socket_send(struct ucred *cred, struct socket *so,
}
static int
-stub_check_socket_stat(struct ucred *cred, struct socket *so,
+stub_socket_check_stat(struct ucred *cred, struct socket *so,
struct label *solabel)
{
@@ -1082,7 +1082,7 @@ stub_check_socket_stat(struct ucred *cred, struct socket *so,
}
static int
-stub_check_socket_visible(struct ucred *cred, struct socket *so,
+stub_socket_check_visible(struct ucred *cred, struct socket *so,
struct label *solabel)
{
@@ -1090,7 +1090,7 @@ stub_check_socket_visible(struct ucred *cred, struct socket *so,
}
static int
-stub_check_system_acct(struct ucred *cred, struct vnode *vp,
+stub_system_check_acct(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
@@ -1098,14 +1098,14 @@ stub_check_system_acct(struct ucred *cred, struct vnode *vp,
}
static int
-stub_check_system_audit(struct ucred *cred, void *record, int length)
+stub_system_check_audit(struct ucred *cred, void *record, int length)
{
return (0);
}
static int
-stub_check_system_auditctl(struct ucred *cred, struct vnode *vp,
+stub_system_check_auditctl(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
@@ -1113,21 +1113,21 @@ stub_check_system_auditctl(struct ucred *cred, struct vnode *vp,
}
static int
-stub_check_system_auditon(struct ucred *cred, int cmd)
+stub_system_check_auditon(struct ucred *cred, int cmd)
{
return (0);
}
static int
-stub_check_system_reboot(struct ucred *cred, int how)
+stub_system_check_reboot(struct ucred *cred, int how)
{
return (0);
}
static int
-stub_check_system_swapoff(struct ucred *cred, struct vnode *vp,
+stub_system_check_swapoff(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
@@ -1135,7 +1135,7 @@ stub_check_system_swapoff(struct ucred *cred, struct vnode *vp,
}
static int
-stub_check_system_swapon(struct ucred *cred, struct vnode *vp,
+stub_system_check_swapon(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
@@ -1143,7 +1143,7 @@ stub_check_system_swapon(struct ucred *cred, struct vnode *vp,
}
static int
-stub_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
+stub_system_check_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
void *arg1, int arg2, struct sysctl_req *req)
{
@@ -1151,7 +1151,7 @@ stub_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
}
static int
-stub_check_vnode_access(struct ucred *cred, struct vnode *vp,
+stub_vnode_check_access(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int acc_mode)
{
@@ -1159,7 +1159,7 @@ stub_check_vnode_access(struct ucred *cred, struct vnode *vp,
}
static int
-stub_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
+stub_vnode_check_chdir(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel)
{
@@ -1167,7 +1167,7 @@ stub_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
}
static int
-stub_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
+stub_vnode_check_chroot(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel)
{
@@ -1175,7 +1175,7 @@ stub_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
}
static int
-stub_check_vnode_create(struct ucred *cred, struct vnode *dvp,
+stub_vnode_check_create(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct componentname *cnp, struct vattr *vap)
{
@@ -1183,7 +1183,7 @@ stub_check_vnode_create(struct ucred *cred, struct vnode *dvp,
}
static int
-stub_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
+stub_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp,
struct label *vplabel, acl_type_t type)
{
@@ -1191,7 +1191,7 @@ stub_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
}
static int
-stub_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
+stub_vnode_check_deleteextattr(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int attrnamespace, const char *name)
{
@@ -1199,7 +1199,7 @@ stub_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
}
static int
-stub_check_vnode_exec(struct ucred *cred, struct vnode *vp,
+stub_vnode_check_exec(struct ucred *cred, struct vnode *vp,
struct label *vplabel, struct image_params *imgp,
struct label *execlabel)
{
@@ -1208,7 +1208,7 @@ stub_check_vnode_exec(struct ucred *cred, struct vnode *vp,
}
static int
-stub_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
+stub_vnode_check_getacl(struct ucred *cred, struct vnode *vp,
struct label *vplabel, acl_type_t type)
{
@@ -1216,7 +1216,7 @@ stub_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
}
static int
-stub_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
+stub_vnode_check_getextattr(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int attrnamespace, const char *name,
struct uio *uio)
{
@@ -1225,7 +1225,7 @@ stub_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
}
static int
-stub_check_vnode_link(struct ucred *cred, struct vnode *dvp,
+stub_vnode_check_link(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct vnode *vp, struct label *vplabel,
struct componentname *cnp)
{
@@ -1234,7 +1234,7 @@ stub_check_vnode_link(struct ucred *cred, struct vnode *dvp,
}
static int
-stub_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
+stub_vnode_check_listextattr(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int attrnamespace)
{
@@ -1242,7 +1242,7 @@ stub_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
}
static int
-stub_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
+stub_vnode_check_lookup(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct componentname *cnp)
{
@@ -1250,7 +1250,7 @@ stub_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
}
static int
-stub_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
+stub_vnode_check_mmap(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int prot, int flags)
{
@@ -1258,14 +1258,14 @@ stub_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
}
static void
-stub_check_vnode_mmap_downgrade(struct ucred *cred, struct vnode *vp,
+stub_vnode_check_mmap_downgrade(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int *prot)
{
}
static int
-stub_check_vnode_mprotect(struct ucred *cred, struct vnode *vp,
+stub_vnode_check_mprotect(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int prot)
{
@@ -1273,7 +1273,7 @@ stub_check_vnode_mprotect(struct ucred *cred, struct vnode *vp,
}
static int
-stub_check_vnode_open(struct ucred *cred, struct vnode *vp,
+stub_vnode_check_open(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int acc_mode)
{
@@ -1281,7 +1281,7 @@ stub_check_vnode_open(struct ucred *cred, struct vnode *vp,
}
static int
-stub_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
+stub_vnode_check_poll(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp, struct label *vplabel)
{
@@ -1289,7 +1289,7 @@ stub_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
}
static int
-stub_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
+stub_vnode_check_read(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp, struct label *vplabel)
{
@@ -1297,7 +1297,7 @@ stub_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
}
static int
-stub_check_vnode_readdir(struct ucred *cred, struct vnode *vp,
+stub_vnode_check_readdir(struct ucred *cred, struct vnode *vp,
struct label *dvplabel)
{
@@ -1305,7 +1305,7 @@ stub_check_vnode_readdir(struct ucred *cred, struct vnode *vp,
}
static int
-stub_check_vnode_readlink(struct ucred *cred, struct vnode *vp,
+stub_vnode_check_readlink(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
@@ -1313,7 +1313,7 @@ stub_check_vnode_readlink(struct ucred *cred, struct vnode *vp,
}
static int
-stub_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
+stub_vnode_check_relabel(struct ucred *cred, struct vnode *vp,
struct label *vplabel, struct label *newlabel)
{
@@ -1321,7 +1321,7 @@ stub_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
}
static int
-stub_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
+stub_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct vnode *vp, struct label *vplabel,
struct componentname *cnp)
{
@@ -1330,7 +1330,7 @@ stub_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
}
static int
-stub_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
+stub_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct vnode *vp, struct label *vplabel,
int samedir, struct componentname *cnp)
{
@@ -1339,7 +1339,7 @@ stub_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
}
static int
-stub_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
+stub_vnode_check_revoke(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
@@ -1347,7 +1347,7 @@ stub_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
}
static int
-stub_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
+stub_vnode_check_setacl(struct ucred *cred, struct vnode *vp,
struct label *vplabel, acl_type_t type, struct acl *acl)
{
@@ -1355,7 +1355,7 @@ stub_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
}
static int
-stub_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
+stub_vnode_check_setextattr(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int attrnamespace, const char *name,
struct uio *uio)
{
@@ -1364,7 +1364,7 @@ stub_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
}
static int
-stub_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
+stub_vnode_check_setflags(struct ucred *cred, struct vnode *vp,
struct label *vplabel, u_long flags)
{
@@ -1372,7 +1372,7 @@ stub_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
}
static int
-stub_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
+stub_vnode_check_setmode(struct ucred *cred, struct vnode *vp,
struct label *vplabel, mode_t mode)
{
@@ -1380,7 +1380,7 @@ stub_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
}
static int
-stub_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
+stub_vnode_check_setowner(struct ucred *cred, struct vnode *vp,
struct label *vplabel, uid_t uid, gid_t gid)
{
@@ -1388,7 +1388,7 @@ stub_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
}
static int
-stub_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
+stub_vnode_check_setutimes(struct ucred *cred, struct vnode *vp,
struct label *vplabel, struct timespec atime, struct timespec mtime)
{
@@ -1396,7 +1396,7 @@ stub_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
}
static int
-stub_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
+stub_vnode_check_stat(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp, struct label *vplabel)
{
@@ -1404,7 +1404,7 @@ stub_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
}
static int
-stub_check_vnode_unlink(struct ucred *cred, struct vnode *dvp,
+stub_vnode_check_unlink(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct vnode *vp, struct label *vplabel,
struct componentname *cnp)
{
@@ -1413,7 +1413,7 @@ stub_check_vnode_unlink(struct ucred *cred, struct vnode *dvp,
}
static int
-stub_check_vnode_write(struct ucred *active_cred, struct ucred *file_cred,
+stub_vnode_check_write(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp, struct label *vplabel)
{
@@ -1439,219 +1439,219 @@ static struct mac_policy_ops mac_stub_ops =
.mpo_destroy = stub_destroy,
.mpo_init = stub_init,
.mpo_syscall = stub_syscall,
- .mpo_init_bpfdesc_label = stub_init_label,
- .mpo_init_cred_label = stub_init_label,
- .mpo_init_devfs_label = stub_init_label,
- .mpo_init_ifnet_label = stub_init_label,
- .mpo_init_inpcb_label = stub_init_label_waitcheck,
- .mpo_init_sysv_msgmsg_label = stub_init_label,
- .mpo_init_sysv_msgqueue_label = stub_init_label,
- .mpo_init_sysv_sem_label = stub_init_label,
- .mpo_init_sysv_shm_label = stub_init_label,
- .mpo_init_ipq_label = stub_init_label_waitcheck,
- .mpo_init_mbuf_label = stub_init_label_waitcheck,
- .mpo_init_mount_label = stub_init_label,
- .mpo_init_pipe_label = stub_init_label,
- .mpo_init_posix_sem_label = stub_init_label,
- .mpo_init_socket_label = stub_init_label_waitcheck,
- .mpo_init_socket_peer_label = stub_init_label_waitcheck,
- .mpo_init_vnode_label = stub_init_label,
- .mpo_destroy_bpfdesc_label = stub_destroy_label,
- .mpo_destroy_cred_label = stub_destroy_label,
- .mpo_destroy_devfs_label = stub_destroy_label,
- .mpo_destroy_ifnet_label = stub_destroy_label,
- .mpo_destroy_inpcb_label = stub_destroy_label,
- .mpo_destroy_sysv_msgmsg_label = stub_destroy_label,
- .mpo_destroy_sysv_msgqueue_label = stub_destroy_label,
- .mpo_destroy_sysv_sem_label = stub_destroy_label,
- .mpo_destroy_sysv_shm_label = stub_destroy_label,
- .mpo_destroy_ipq_label = stub_destroy_label,
- .mpo_destroy_mbuf_label = stub_destroy_label,
- .mpo_destroy_mount_label = stub_destroy_label,
- .mpo_destroy_pipe_label = stub_destroy_label,
- .mpo_destroy_posix_sem_label = stub_destroy_label,
- .mpo_destroy_socket_label = stub_destroy_label,
- .mpo_destroy_socket_peer_label = stub_destroy_label,
- .mpo_destroy_vnode_label = stub_destroy_label,
- .mpo_copy_cred_label = stub_copy_label,
- .mpo_copy_ifnet_label = stub_copy_label,
- .mpo_copy_mbuf_label = stub_copy_label,
- .mpo_copy_pipe_label = stub_copy_label,
- .mpo_copy_socket_label = stub_copy_label,
- .mpo_copy_vnode_label = stub_copy_label,
- .mpo_externalize_cred_label = stub_externalize_label,
- .mpo_externalize_ifnet_label = stub_externalize_label,
- .mpo_externalize_pipe_label = stub_externalize_label,
- .mpo_externalize_socket_label = stub_externalize_label,
- .mpo_externalize_socket_peer_label = stub_externalize_label,
- .mpo_externalize_vnode_label = stub_externalize_label,
- .mpo_internalize_cred_label = stub_internalize_label,
- .mpo_internalize_ifnet_label = stub_internalize_label,
- .mpo_internalize_pipe_label = stub_internalize_label,
- .mpo_internalize_socket_label = stub_internalize_label,
- .mpo_internalize_vnode_label = stub_internalize_label,
- .mpo_associate_vnode_devfs = stub_associate_vnode_devfs,
- .mpo_associate_vnode_extattr = stub_associate_vnode_extattr,
+ .mpo_bpfdesc_init_label = stub_init_label,
+ .mpo_cred_init_label = stub_init_label,
+ .mpo_devfs_init_label = stub_init_label,
+ .mpo_ifnet_init_label = stub_init_label,
+ .mpo_inpcb_init_label = stub_init_label_waitcheck,
+ .mpo_sysvmsg_init_label = stub_init_label,
+ .mpo_sysvmsq_init_label = stub_init_label,
+ .mpo_sysvsem_init_label = stub_init_label,
+ .mpo_sysvshm_init_label = stub_init_label,
+ .mpo_ipq_init_label = stub_init_label_waitcheck,
+ .mpo_mbuf_init_label = stub_init_label_waitcheck,
+ .mpo_mount_init_label = stub_init_label,
+ .mpo_pipe_init_label = stub_init_label,
+ .mpo_posixsem_init_label = stub_init_label,
+ .mpo_socket_init_label = stub_init_label_waitcheck,
+ .mpo_socketpeer_init_label = stub_init_label_waitcheck,
+ .mpo_vnode_init_label = stub_init_label,
+ .mpo_bpfdesc_destroy_label = stub_destroy_label,
+ .mpo_cred_destroy_label = stub_destroy_label,
+ .mpo_devfs_destroy_label = stub_destroy_label,
+ .mpo_ifnet_destroy_label = stub_destroy_label,
+ .mpo_inpcb_destroy_label = stub_destroy_label,
+ .mpo_sysvmsg_destroy_label = stub_destroy_label,
+ .mpo_sysvmsq_destroy_label = stub_destroy_label,
+ .mpo_sysvsem_destroy_label = stub_destroy_label,
+ .mpo_sysvshm_destroy_label = stub_destroy_label,
+ .mpo_ipq_destroy_label = stub_destroy_label,
+ .mpo_mbuf_destroy_label = stub_destroy_label,
+ .mpo_mount_destroy_label = stub_destroy_label,
+ .mpo_pipe_destroy_label = stub_destroy_label,
+ .mpo_posixsem_destroy_label = stub_destroy_label,
+ .mpo_socket_destroy_label = stub_destroy_label,
+ .mpo_socketpeer_destroy_label = stub_destroy_label,
+ .mpo_vnode_destroy_label = stub_destroy_label,
+ .mpo_cred_copy_label = stub_copy_label,
+ .mpo_ifnet_copy_label = stub_copy_label,
+ .mpo_mbuf_copy_label = stub_copy_label,
+ .mpo_pipe_copy_label = stub_copy_label,
+ .mpo_socket_copy_label = stub_copy_label,
+ .mpo_vnode_copy_label = stub_copy_label,
+ .mpo_cred_externalize_label = stub_externalize_label,
+ .mpo_ifnet_externalize_label = stub_externalize_label,
+ .mpo_pipe_externalize_label = stub_externalize_label,
+ .mpo_socket_externalize_label = stub_externalize_label,
+ .mpo_socketpeer_externalize_label = stub_externalize_label,
+ .mpo_vnode_externalize_label = stub_externalize_label,
+ .mpo_cred_internalize_label = stub_internalize_label,
+ .mpo_ifnet_internalize_label = stub_internalize_label,
+ .mpo_pipe_internalize_label = stub_internalize_label,
+ .mpo_socket_internalize_label = stub_internalize_label,
+ .mpo_vnode_internalize_label = stub_internalize_label,
+ .mpo_devfs_vnode_associate = stub_devfs_vnode_associate,
+ .mpo_vnode_associate_extattr = stub_vnode_associate_extattr,
.mpo_associate_nfsd_label = stub_associate_nfsd_label,
- .mpo_associate_vnode_singlelabel = stub_associate_vnode_singlelabel,
- .mpo_create_devfs_device = stub_create_devfs_device,
- .mpo_create_devfs_directory = stub_create_devfs_directory,
- .mpo_create_devfs_symlink = stub_create_devfs_symlink,
- .mpo_create_sysv_msgmsg = stub_create_sysv_msgmsg,
- .mpo_create_sysv_msgqueue = stub_create_sysv_msgqueue,
- .mpo_create_sysv_sem = stub_create_sysv_sem,
- .mpo_create_sysv_shm = stub_create_sysv_shm,
- .mpo_create_vnode_extattr = stub_create_vnode_extattr,
- .mpo_create_mount = stub_create_mount,
- .mpo_relabel_vnode = stub_relabel_vnode,
- .mpo_setlabel_vnode_extattr = stub_setlabel_vnode_extattr,
- .mpo_update_devfs = stub_update_devfs,
- .mpo_create_mbuf_from_socket = stub_create_mbuf_from_socket,
- .mpo_create_pipe = stub_create_pipe,
- .mpo_create_posix_sem = stub_create_posix_sem,
- .mpo_create_socket = stub_create_socket,
- .mpo_create_socket_from_socket = stub_create_socket_from_socket,
- .mpo_relabel_pipe = stub_relabel_pipe,
- .mpo_relabel_socket = stub_relabel_socket,
- .mpo_set_socket_peer_from_mbuf = stub_set_socket_peer_from_mbuf,
- .mpo_set_socket_peer_from_socket = stub_set_socket_peer_from_socket,
- .mpo_create_bpfdesc = stub_create_bpfdesc,
- .mpo_create_ifnet = stub_create_ifnet,
- .mpo_create_inpcb_from_socket = stub_create_inpcb_from_socket,
- .mpo_create_ipq = stub_create_ipq,
- .mpo_create_datagram_from_ipq = stub_create_datagram_from_ipq,
- .mpo_create_fragment = stub_create_fragment,
- .mpo_create_mbuf_from_inpcb = stub_create_mbuf_from_inpcb,
+ .mpo_vnode_associate_singlelabel = stub_vnode_associate_singlelabel,
+ .mpo_devfs_create_device = stub_devfs_create_device,
+ .mpo_devfs_create_directory = stub_devfs_create_directory,
+ .mpo_devfs_create_symlink = stub_devfs_create_symlink,
+ .mpo_sysvmsg_create = stub_sysvmsg_create,
+ .mpo_sysvmsq_create = stub_sysvmsq_create,
+ .mpo_sysvsem_create = stub_sysvsem_create,
+ .mpo_sysvshm_create = stub_sysvshm_create,
+ .mpo_vnode_create_extattr = stub_vnode_create_extattr,
+ .mpo_mount_create = stub_mount_create,
+ .mpo_vnode_relabel = stub_vnode_relabel,
+ .mpo_vnode_setlabel_extattr = stub_vnode_setlabel_extattr,
+ .mpo_devfs_update = stub_devfs_update,
+ .mpo_socket_create_mbuf = stub_socket_create_mbuf,
+ .mpo_pipe_create = stub_pipe_create,
+ .mpo_posixsem_create = stub_posixsem_create,
+ .mpo_socket_create = stub_socket_create,
+ .mpo_socket_newconn = stub_socket_newconn,
+ .mpo_pipe_relabel = stub_pipe_relabel,
+ .mpo_socket_relabel = stub_socket_relabel,
+ .mpo_socketpeer_set_from_mbuf = stub_socketpeer_set_from_mbuf,
+ .mpo_socketpeer_set_from_socket = stub_socketpeer_set_from_socket,
+ .mpo_bpfdesc_create = stub_bpfdesc_create,
+ .mpo_ifnet_create = stub_ifnet_create,
+ .mpo_inpcb_create = stub_inpcb_create,
+ .mpo_ipq_create = stub_ipq_create,
+ .mpo_ipq_reassemble = stub_ipq_reassemble,
+ .mpo_netinet_fragment = stub_netinet_fragment,
+ .mpo_inpcb_create_mbuf = stub_inpcb_create_mbuf,
.mpo_create_mbuf_linklayer = stub_create_mbuf_linklayer,
- .mpo_create_mbuf_from_bpfdesc = stub_create_mbuf_from_bpfdesc,
- .mpo_create_mbuf_from_ifnet = stub_create_mbuf_from_ifnet,
- .mpo_create_mbuf_multicast_encap = stub_create_mbuf_multicast_encap,
- .mpo_create_mbuf_netlayer = stub_create_mbuf_netlayer,
- .mpo_create_mbuf_from_firewall = stub_create_mbuf_from_firewall,
- .mpo_fragment_match = stub_fragment_match,
- .mpo_reflect_mbuf_icmp = stub_reflect_mbuf_icmp,
- .mpo_reflect_mbuf_tcp = stub_reflect_mbuf_tcp,
- .mpo_relabel_ifnet = stub_relabel_ifnet,
- .mpo_update_ipq = stub_update_ipq,
+ .mpo_bpfdesc_create_mbuf = stub_bpfdesc_create_mbuf,
+ .mpo_ifnet_create_mbuf = stub_ifnet_create_mbuf,
+ .mpo_mbuf_create_multicast_encap = stub_mbuf_create_multicast_encap,
+ .mpo_mbuf_create_netlayer = stub_mbuf_create_netlayer,
+ .mpo_mbuf_create_from_firewall = stub_mbuf_create_from_firewall,
+ .mpo_ipq_match = stub_ipq_match,
+ .mpo_netinet_icmp_reply = stub_netinet_icmp_reply,
+ .mpo_netinet_tcp_reply = stub_netinet_tcp_reply,
+ .mpo_ifnet_relabel = stub_ifnet_relabel,
+ .mpo_ipq_update = stub_ipq_update,
.mpo_inpcb_sosetlabel = stub_inpcb_sosetlabel,
- .mpo_execve_transition = stub_execve_transition,
- .mpo_execve_will_transition = stub_execve_will_transition,
- .mpo_create_proc0 = stub_create_proc0,
- .mpo_create_proc1 = stub_create_proc1,
- .mpo_relabel_cred = stub_relabel_cred,
+ .mpo_vnode_execve_transition = stub_vnode_execve_transition,
+ .mpo_vnode_execve_will_transition = stub_vnode_execve_will_transition,
+ .mpo_proc_create_swapper = stub_proc_create_swapper,
+ .mpo_proc_create_init = stub_proc_create_init,
+ .mpo_cred_relabel= stub_cred_relabel,
.mpo_thread_userret = stub_thread_userret,
- .mpo_cleanup_sysv_msgmsg = stub_cleanup_sysv_msgmsg,
- .mpo_cleanup_sysv_msgqueue = stub_cleanup_sysv_msgqueue,
- .mpo_cleanup_sysv_sem = stub_cleanup_sysv_sem,
- .mpo_cleanup_sysv_shm = stub_cleanup_sysv_shm,
- .mpo_check_bpfdesc_receive = stub_check_bpfdesc_receive,
- .mpo_check_cred_relabel = stub_check_cred_relabel,
- .mpo_check_cred_visible = stub_check_cred_visible,
- .mpo_check_ifnet_relabel = stub_check_ifnet_relabel,
- .mpo_check_ifnet_transmit = stub_check_ifnet_transmit,
- .mpo_check_inpcb_deliver = stub_check_inpcb_deliver,
- .mpo_check_sysv_msgmsq = stub_check_sysv_msgmsq,
- .mpo_check_sysv_msgrcv = stub_check_sysv_msgrcv,
- .mpo_check_sysv_msgrmid = stub_check_sysv_msgrmid,
- .mpo_check_sysv_msqget = stub_check_sysv_msqget,
- .mpo_check_sysv_msqsnd = stub_check_sysv_msqsnd,
- .mpo_check_sysv_msqrcv = stub_check_sysv_msqrcv,
- .mpo_check_sysv_msqctl = stub_check_sysv_msqctl,
- .mpo_check_sysv_semctl = stub_check_sysv_semctl,
- .mpo_check_sysv_semget = stub_check_sysv_semget,
- .mpo_check_sysv_semop = stub_check_sysv_semop,
- .mpo_check_sysv_shmat = stub_check_sysv_shmat,
- .mpo_check_sysv_shmctl = stub_check_sysv_shmctl,
- .mpo_check_sysv_shmdt = stub_check_sysv_shmdt,
- .mpo_check_sysv_shmget = stub_check_sysv_shmget,
- .mpo_check_kenv_dump = stub_check_kenv_dump,
- .mpo_check_kenv_get = stub_check_kenv_get,
- .mpo_check_kenv_set = stub_check_kenv_set,
- .mpo_check_kenv_unset = stub_check_kenv_unset,
- .mpo_check_kld_load = stub_check_kld_load,
- .mpo_check_kld_stat = stub_check_kld_stat,
- .mpo_check_mount_stat = stub_check_mount_stat,
- .mpo_check_pipe_ioctl = stub_check_pipe_ioctl,
- .mpo_check_pipe_poll = stub_check_pipe_poll,
- .mpo_check_pipe_read = stub_check_pipe_read,
- .mpo_check_pipe_relabel = stub_check_pipe_relabel,
- .mpo_check_pipe_stat = stub_check_pipe_stat,
- .mpo_check_pipe_write = stub_check_pipe_write,
- .mpo_check_posix_sem_destroy = stub_check_posix_sem_destroy,
- .mpo_check_posix_sem_getvalue = stub_check_posix_sem_getvalue,
- .mpo_check_posix_sem_open = stub_check_posix_sem_open,
- .mpo_check_posix_sem_post = stub_check_posix_sem_post,
- .mpo_check_posix_sem_unlink = stub_check_posix_sem_unlink,
- .mpo_check_posix_sem_wait = stub_check_posix_sem_wait,
- .mpo_check_proc_debug = stub_check_proc_debug,
- .mpo_check_proc_sched = stub_check_proc_sched,
- .mpo_check_proc_setaudit = stub_check_proc_setaudit,
- .mpo_check_proc_setaudit_addr = stub_check_proc_setaudit_addr,
- .mpo_check_proc_setauid = stub_check_proc_setauid,
- .mpo_check_proc_setuid = stub_check_proc_setuid,
- .mpo_check_proc_seteuid = stub_check_proc_seteuid,
- .mpo_check_proc_setgid = stub_check_proc_setgid,
- .mpo_check_proc_setegid = stub_check_proc_setegid,
- .mpo_check_proc_setgroups = stub_check_proc_setgroups,
- .mpo_check_proc_setreuid = stub_check_proc_setreuid,
- .mpo_check_proc_setregid = stub_check_proc_setregid,
- .mpo_check_proc_setresuid = stub_check_proc_setresuid,
- .mpo_check_proc_setresgid = stub_check_proc_setresgid,
- .mpo_check_proc_signal = stub_check_proc_signal,
- .mpo_check_proc_wait = stub_check_proc_wait,
- .mpo_check_socket_accept = stub_check_socket_accept,
- .mpo_check_socket_bind = stub_check_socket_bind,
- .mpo_check_socket_connect = stub_check_socket_connect,
- .mpo_check_socket_create = stub_check_socket_create,
- .mpo_check_socket_deliver = stub_check_socket_deliver,
- .mpo_check_socket_listen = stub_check_socket_listen,
- .mpo_check_socket_poll = stub_check_socket_poll,
- .mpo_check_socket_receive = stub_check_socket_receive,
- .mpo_check_socket_relabel = stub_check_socket_relabel,
- .mpo_check_socket_send = stub_check_socket_send,
- .mpo_check_socket_stat = stub_check_socket_stat,
- .mpo_check_socket_visible = stub_check_socket_visible,
- .mpo_check_system_acct = stub_check_system_acct,
- .mpo_check_system_audit = stub_check_system_audit,
- .mpo_check_system_auditctl = stub_check_system_auditctl,
- .mpo_check_system_auditon = stub_check_system_auditon,
- .mpo_check_system_reboot = stub_check_system_reboot,
- .mpo_check_system_swapoff = stub_check_system_swapoff,
- .mpo_check_system_swapon = stub_check_system_swapon,
- .mpo_check_system_sysctl = stub_check_system_sysctl,
- .mpo_check_vnode_access = stub_check_vnode_access,
- .mpo_check_vnode_chdir = stub_check_vnode_chdir,
- .mpo_check_vnode_chroot = stub_check_vnode_chroot,
- .mpo_check_vnode_create = stub_check_vnode_create,
- .mpo_check_vnode_deleteacl = stub_check_vnode_deleteacl,
- .mpo_check_vnode_deleteextattr = stub_check_vnode_deleteextattr,
- .mpo_check_vnode_exec = stub_check_vnode_exec,
- .mpo_check_vnode_getacl = stub_check_vnode_getacl,
- .mpo_check_vnode_getextattr = stub_check_vnode_getextattr,
- .mpo_check_vnode_link = stub_check_vnode_link,
- .mpo_check_vnode_listextattr = stub_check_vnode_listextattr,
- .mpo_check_vnode_lookup = stub_check_vnode_lookup,
- .mpo_check_vnode_mmap = stub_check_vnode_mmap,
- .mpo_check_vnode_mmap_downgrade = stub_check_vnode_mmap_downgrade,
- .mpo_check_vnode_mprotect = stub_check_vnode_mprotect,
- .mpo_check_vnode_open = stub_check_vnode_open,
- .mpo_check_vnode_poll = stub_check_vnode_poll,
- .mpo_check_vnode_read = stub_check_vnode_read,
- .mpo_check_vnode_readdir = stub_check_vnode_readdir,
- .mpo_check_vnode_readlink = stub_check_vnode_readlink,
- .mpo_check_vnode_relabel = stub_check_vnode_relabel,
- .mpo_check_vnode_rename_from = stub_check_vnode_rename_from,
- .mpo_check_vnode_rename_to = stub_check_vnode_rename_to,
- .mpo_check_vnode_revoke = stub_check_vnode_revoke,
- .mpo_check_vnode_setacl = stub_check_vnode_setacl,
- .mpo_check_vnode_setextattr = stub_check_vnode_setextattr,
- .mpo_check_vnode_setflags = stub_check_vnode_setflags,
- .mpo_check_vnode_setmode = stub_check_vnode_setmode,
- .mpo_check_vnode_setowner = stub_check_vnode_setowner,
- .mpo_check_vnode_setutimes = stub_check_vnode_setutimes,
- .mpo_check_vnode_stat = stub_check_vnode_stat,
- .mpo_check_vnode_unlink = stub_check_vnode_unlink,
- .mpo_check_vnode_write = stub_check_vnode_write,
+ .mpo_sysvmsg_cleanup = stub_sysvmsg_cleanup,
+ .mpo_sysvmsq_cleanup = stub_sysvmsq_cleanup,
+ .mpo_sysvsem_cleanup = stub_sysvsem_cleanup,
+ .mpo_sysvshm_cleanup = stub_sysvshm_cleanup,
+ .mpo_bpfdesc_check_receive = stub_bpfdesc_check_receive,
+ .mpo_cred_check_relabel = stub_cred_check_relabel,
+ .mpo_cred_check_visible = stub_cred_check_visible,
+ .mpo_ifnet_check_relabel = stub_ifnet_check_relabel,
+ .mpo_ifnet_check_transmit = stub_ifnet_check_transmit,
+ .mpo_inpcb_check_deliver = stub_inpcb_check_deliver,
+ .mpo_sysvmsq_check_msgmsq = stub_sysvmsq_check_msgmsq,
+ .mpo_sysvmsq_check_msgrcv = stub_sysvmsq_check_msgrcv,
+ .mpo_sysvmsq_check_msgrmid = stub_sysvmsq_check_msgrmid,
+ .mpo_sysvmsq_check_msqget = stub_sysvmsq_check_msqget,
+ .mpo_sysvmsq_check_msqsnd = stub_sysvmsq_check_msqsnd,
+ .mpo_sysvmsq_check_msqrcv = stub_sysvmsq_check_msqrcv,
+ .mpo_sysvmsq_check_msqctl = stub_sysvmsq_check_msqctl,
+ .mpo_sysvsem_check_semctl = stub_sysvsem_check_semctl,
+ .mpo_sysvsem_check_semget = stub_sysvsem_check_semget,
+ .mpo_sysvsem_check_semop = stub_sysvsem_check_semop,
+ .mpo_sysvshm_check_shmat = stub_sysvshm_check_shmat,
+ .mpo_sysvshm_check_shmctl = stub_sysvshm_check_shmctl,
+ .mpo_sysvshm_check_shmdt = stub_sysvshm_check_shmdt,
+ .mpo_sysvshm_check_shmget = stub_sysvshm_check_shmget,
+ .mpo_kenv_check_dump = stub_kenv_check_dump,
+ .mpo_kenv_check_get = stub_kenv_check_get,
+ .mpo_kenv_check_set = stub_kenv_check_set,
+ .mpo_kenv_check_unset = stub_kenv_check_unset,
+ .mpo_kld_check_load = stub_kld_check_load,
+ .mpo_kld_check_stat = stub_kld_check_stat,
+ .mpo_mount_check_stat = stub_mount_check_stat,
+ .mpo_pipe_check_ioctl = stub_pipe_check_ioctl,
+ .mpo_pipe_check_poll = stub_pipe_check_poll,
+ .mpo_pipe_check_read = stub_pipe_check_read,
+ .mpo_pipe_check_relabel = stub_pipe_check_relabel,
+ .mpo_pipe_check_stat = stub_pipe_check_stat,
+ .mpo_pipe_check_write = stub_pipe_check_write,
+ .mpo_posixsem_check_destroy = stub_posixsem_check_destroy,
+ .mpo_posixsem_check_getvalue = stub_posixsem_check_getvalue,
+ .mpo_posixsem_check_open = stub_posixsem_check_open,
+ .mpo_posixsem_check_post = stub_posixsem_check_post,
+ .mpo_posixsem_check_unlink = stub_posixsem_check_unlink,
+ .mpo_posixsem_check_wait = stub_posixsem_check_wait,
+ .mpo_proc_check_debug = stub_proc_check_debug,
+ .mpo_proc_check_sched = stub_proc_check_sched,
+ .mpo_proc_check_setaudit = stub_proc_check_setaudit,
+ .mpo_proc_check_setaudit_addr = stub_proc_check_setaudit_addr,
+ .mpo_proc_check_setauid = stub_proc_check_setauid,
+ .mpo_proc_check_setuid = stub_proc_check_setuid,
+ .mpo_proc_check_seteuid = stub_proc_check_seteuid,
+ .mpo_proc_check_setgid = stub_proc_check_setgid,
+ .mpo_proc_check_setegid = stub_proc_check_setegid,
+ .mpo_proc_check_setgroups = stub_proc_check_setgroups,
+ .mpo_proc_check_setreuid = stub_proc_check_setreuid,
+ .mpo_proc_check_setregid = stub_proc_check_setregid,
+ .mpo_proc_check_setresuid = stub_proc_check_setresuid,
+ .mpo_proc_check_setresgid = stub_proc_check_setresgid,
+ .mpo_proc_check_signal = stub_proc_check_signal,
+ .mpo_proc_check_wait = stub_proc_check_wait,
+ .mpo_socket_check_accept = stub_socket_check_accept,
+ .mpo_socket_check_bind = stub_socket_check_bind,
+ .mpo_socket_check_connect = stub_socket_check_connect,
+ .mpo_socket_check_create = stub_socket_check_create,
+ .mpo_socket_check_deliver = stub_socket_check_deliver,
+ .mpo_socket_check_listen = stub_socket_check_listen,
+ .mpo_socket_check_poll = stub_socket_check_poll,
+ .mpo_socket_check_receive = stub_socket_check_receive,
+ .mpo_socket_check_relabel = stub_socket_check_relabel,
+ .mpo_socket_check_send = stub_socket_check_send,
+ .mpo_socket_check_stat = stub_socket_check_stat,
+ .mpo_socket_check_visible = stub_socket_check_visible,
+ .mpo_system_check_acct = stub_system_check_acct,
+ .mpo_system_check_audit = stub_system_check_audit,
+ .mpo_system_check_auditctl = stub_system_check_auditctl,
+ .mpo_system_check_auditon = stub_system_check_auditon,
+ .mpo_system_check_reboot = stub_system_check_reboot,
+ .mpo_system_check_swapoff = stub_system_check_swapoff,
+ .mpo_system_check_swapon = stub_system_check_swapon,
+ .mpo_system_check_sysctl = stub_system_check_sysctl,
+ .mpo_vnode_check_access = stub_vnode_check_access,
+ .mpo_vnode_check_chdir = stub_vnode_check_chdir,
+ .mpo_vnode_check_chroot = stub_vnode_check_chroot,
+ .mpo_vnode_check_create = stub_vnode_check_create,
+ .mpo_vnode_check_deleteacl = stub_vnode_check_deleteacl,
+ .mpo_vnode_check_deleteextattr = stub_vnode_check_deleteextattr,
+ .mpo_vnode_check_exec = stub_vnode_check_exec,
+ .mpo_vnode_check_getacl = stub_vnode_check_getacl,
+ .mpo_vnode_check_getextattr = stub_vnode_check_getextattr,
+ .mpo_vnode_check_link = stub_vnode_check_link,
+ .mpo_vnode_check_listextattr = stub_vnode_check_listextattr,
+ .mpo_vnode_check_lookup = stub_vnode_check_lookup,
+ .mpo_vnode_check_mmap = stub_vnode_check_mmap,
+ .mpo_vnode_check_mmap_downgrade = stub_vnode_check_mmap_downgrade,
+ .mpo_vnode_check_mprotect = stub_vnode_check_mprotect,
+ .mpo_vnode_check_open = stub_vnode_check_open,
+ .mpo_vnode_check_poll = stub_vnode_check_poll,
+ .mpo_vnode_check_read = stub_vnode_check_read,
+ .mpo_vnode_check_readdir = stub_vnode_check_readdir,
+ .mpo_vnode_check_readlink = stub_vnode_check_readlink,
+ .mpo_vnode_check_relabel = stub_vnode_check_relabel,
+ .mpo_vnode_check_rename_from = stub_vnode_check_rename_from,
+ .mpo_vnode_check_rename_to = stub_vnode_check_rename_to,
+ .mpo_vnode_check_revoke = stub_vnode_check_revoke,
+ .mpo_vnode_check_setacl = stub_vnode_check_setacl,
+ .mpo_vnode_check_setextattr = stub_vnode_check_setextattr,
+ .mpo_vnode_check_setflags = stub_vnode_check_setflags,
+ .mpo_vnode_check_setmode = stub_vnode_check_setmode,
+ .mpo_vnode_check_setowner = stub_vnode_check_setowner,
+ .mpo_vnode_check_setutimes = stub_vnode_check_setutimes,
+ .mpo_vnode_check_stat = stub_vnode_check_stat,
+ .mpo_vnode_check_unlink = stub_vnode_check_unlink,
+ .mpo_vnode_check_write = stub_vnode_check_write,
.mpo_priv_check = stub_priv_check,
.mpo_priv_grant = stub_priv_grant,
.mpo_init_syncache_label = stub_init_label_waitcheck,
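Review bot: Three entries in this `mac_stub_ops` initializer keep the old verb-first naming among the new object-first names: `.mpo_associate_nfsd_label`, `.mpo_create_mbuf_linklayer` and `.mpo_init_syncache_label`. The new line `.mpo_cred_relabel= stub_cred_relabel,` also lost the space before `=`; it should read `.mpo_cred_relabel = stub_cred_relabel,`. Because this is a designated initializer, any hook not named here is left NULL without a compiler diagnostic, so a uniform naming order makes it easier to audit which entry points a policy actually wires up. If the three fields are deliberately deferred (the struct definition is not visible from this hunk), a comment such as `/* XXX: not yet converted to object-first naming */` above each would record that. The initializer starts before the hunk and continues after it.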
diff --git a/sys/security/mac_test/mac_test.c b/sys/security/mac_test/mac_test.c
index 4947cdc..c7eaaad 100644
--- a/sys/security/mac_test/mac_test.c
+++ b/sys/security/mac_test/mac_test.c
@@ -1,6 +1,7 @@
/*-
* Copyright (c) 1999-2002, 2007 Robert N. M. Watson
* Copyright (c) 2001-2005 McAfee, Inc.
+ * Copyright (c) 2006 SPARTA, Inc.
* All rights reserved.
*
* This software was developed by Robert Watson for the TrustedBSD Project.
@@ -10,6 +11,9 @@
* DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA
* CHATS research program.
*
+ * This software was enhanced by SPARTA ISSO under SPAWAR contract
+ * N66001-04-C-6019 ("SEFOS").
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -146,287 +150,287 @@ SYSCTL_NODE(_security_mac_test, OID_AUTO, counter, CTLFLAG_RW, 0,
/*
* Label operations.
*/
-COUNTER_DECL(init_bpfdesc_label);
+COUNTER_DECL(bpfdesc_init_label);
static void
-mac_test_init_bpfdesc_label(struct label *label)
+mac_test_bpfdesc_init_label(struct label *label)
{
LABEL_INIT(label, MAGIC_BPF);
- COUNTER_INC(init_bpfdesc_label);
+ COUNTER_INC(bpfdesc_init_label);
}
-COUNTER_DECL(init_cred_label);
+COUNTER_DECL(cred_init_label);
static void
-mac_test_init_cred_label(struct label *label)
+mac_test_cred_init_label(struct label *label)
{
LABEL_INIT(label, MAGIC_CRED);
- COUNTER_INC(init_cred_label);
+ COUNTER_INC(cred_init_label);
}
-COUNTER_DECL(init_devfs_label);
+COUNTER_DECL(devfs_init_label);
static void
-mac_test_init_devfs_label(struct label *label)
+mac_test_devfs_init_label(struct label *label)
{
LABEL_INIT(label, MAGIC_DEVFS);
- COUNTER_INC(init_devfs_label);
+ COUNTER_INC(devfs_init_label);
}
-COUNTER_DECL(init_ifnet_label);
+COUNTER_DECL(ifnet_init_label);
static void
-mac_test_init_ifnet_label(struct label *label)
+mac_test_ifnet_init_label(struct label *label)
{
LABEL_INIT(label, MAGIC_IFNET);
- COUNTER_INC(init_ifnet_label);
+ COUNTER_INC(ifnet_init_label);
}
-COUNTER_DECL(init_inpcb_label);
+COUNTER_DECL(inpcb_init_label);
static int
-mac_test_init_inpcb_label(struct label *label, int flag)
+mac_test_inpcb_init_label(struct label *label, int flag)
{
if (flag & M_WAITOK)
WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
- "mac_test_init_inpcb_label() at %s:%d", __FILE__,
+ "mac_test_inpcb_init_label() at %s:%d", __FILE__,
__LINE__);
LABEL_INIT(label, MAGIC_INPCB);
- COUNTER_INC(init_inpcb_label);
+ COUNTER_INC(inpcb_init_label);
return (0);
}
-COUNTER_DECL(init_sysv_msg_label);
+COUNTER_DECL(sysvmsg_init_label);
static void
-mac_test_init_sysv_msgmsg_label(struct label *label)
+mac_test_sysvmsg_init_label(struct label *label)
{
LABEL_INIT(label, MAGIC_SYSV_MSG);
- COUNTER_INC(init_sysv_msg_label);
+ COUNTER_INC(sysvmsg_init_label);
}
-COUNTER_DECL(init_sysv_msq_label);
+COUNTER_DECL(sysvmsq_init_label);
static void
-mac_test_init_sysv_msgqueue_label(struct label *label)
+mac_test_sysvmsq_init_label(struct label *label)
{
LABEL_INIT(label, MAGIC_SYSV_MSQ);
- COUNTER_INC(init_sysv_msq_label);
+ COUNTER_INC(sysvmsq_init_label);
}
-COUNTER_DECL(init_sysv_sem_label);
+COUNTER_DECL(sysvsem_init_label);
static void
-mac_test_init_sysv_sem_label(struct label *label)
+mac_test_sysvsem_init_label(struct label *label)
{
LABEL_INIT(label, MAGIC_SYSV_SEM);
- COUNTER_INC(init_sysv_sem_label);
+ COUNTER_INC(sysvsem_init_label);
}
-COUNTER_DECL(init_sysv_shm_label);
+COUNTER_DECL(sysvshm_init_label);
static void
-mac_test_init_sysv_shm_label(struct label *label)
+mac_test_sysvshm_init_label(struct label *label)
{
LABEL_INIT(label, MAGIC_SYSV_SHM);
- COUNTER_INC(init_sysv_shm_label);
+ COUNTER_INC(sysvshm_init_label);
}
-COUNTER_DECL(init_ipq_label);
+COUNTER_DECL(ipq_init_label);
static int
-mac_test_init_ipq_label(struct label *label, int flag)
+mac_test_ipq_init_label(struct label *label, int flag)
{
if (flag & M_WAITOK)
WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
- "mac_test_init_ipq_label() at %s:%d", __FILE__,
+ "mac_test_ipq_init_label() at %s:%d", __FILE__,
__LINE__);
LABEL_INIT(label, MAGIC_IPQ);
- COUNTER_INC(init_ipq_label);
+ COUNTER_INC(ipq_init_label);
return (0);
}
-COUNTER_DECL(init_mbuf_label);
+COUNTER_DECL(mbuf_init_label);
static int
-mac_test_init_mbuf_label(struct label *label, int flag)
+mac_test_mbuf_init_label(struct label *label, int flag)
{
if (flag & M_WAITOK)
WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
- "mac_test_init_mbuf_label() at %s:%d", __FILE__,
+ "mac_test_mbuf_init_label() at %s:%d", __FILE__,
__LINE__);
LABEL_INIT(label, MAGIC_MBUF);
- COUNTER_INC(init_mbuf_label);
+ COUNTER_INC(mbuf_init_label);
return (0);
}
-COUNTER_DECL(init_mount_label);
+COUNTER_DECL(mount_init_label);
static void
-mac_test_init_mount_label(struct label *label)
+mac_test_mount_init_label(struct label *label)
{
LABEL_INIT(label, MAGIC_MOUNT);
- COUNTER_INC(init_mount_label);
+ COUNTER_INC(mount_init_label);
}
-COUNTER_DECL(init_socket_label);
+COUNTER_DECL(socket_init_label);
static int
-mac_test_init_socket_label(struct label *label, int flag)
+mac_test_socket_init_label(struct label *label, int flag)
{
if (flag & M_WAITOK)
WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
- "mac_test_init_socket_label() at %s:%d", __FILE__,
+ "mac_test_socket_init_label() at %s:%d", __FILE__,
__LINE__);
LABEL_INIT(label, MAGIC_SOCKET);
- COUNTER_INC(init_socket_label);
+ COUNTER_INC(socket_init_label);
return (0);
}
-COUNTER_DECL(init_socket_peer_label);
+COUNTER_DECL(socketpeer_init_label);
static int
-mac_test_init_socket_peer_label(struct label *label, int flag)
+mac_test_socketpeer_init_label(struct label *label, int flag)
{
if (flag & M_WAITOK)
WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
- "mac_test_init_socket_peer_label() at %s:%d", __FILE__,
+ "mac_test_socketpeer_init_label() at %s:%d", __FILE__,
__LINE__);
LABEL_INIT(label, MAGIC_SOCKET);
- COUNTER_INC(init_socket_peer_label);
+ COUNTER_INC(socketpeer_init_label);
return (0);
}
-COUNTER_DECL(init_pipe_label);
+COUNTER_DECL(pipe_init_label);
static void
-mac_test_init_pipe_label(struct label *label)
+mac_test_pipe_init_label(struct label *label)
{
LABEL_INIT(label, MAGIC_PIPE);
- COUNTER_INC(init_pipe_label);
+ COUNTER_INC(pipe_init_label);
}
-COUNTER_DECL(init_posix_sem_label);
+COUNTER_DECL(posixsem_init_label);
static void
-mac_test_init_posix_sem_label(struct label *label)
+mac_test_posixsem_init_label(struct label *label)
{
LABEL_INIT(label, MAGIC_POSIX_SEM);
- COUNTER_INC(init_posix_sem_label);
+ COUNTER_INC(posixsem_init_label);
}
-COUNTER_DECL(init_proc_label);
+COUNTER_DECL(proc_init_label);
static void
-mac_test_init_proc_label(struct label *label)
+mac_test_proc_init_label(struct label *label)
{
LABEL_INIT(label, MAGIC_PROC);
- COUNTER_INC(init_proc_label);
+ COUNTER_INC(proc_init_label);
}
-COUNTER_DECL(init_vnode_label);
+COUNTER_DECL(vnode_init_label);
static void
-mac_test_init_vnode_label(struct label *label)
+mac_test_vnode_init_label(struct label *label)
{
LABEL_INIT(label, MAGIC_VNODE);
- COUNTER_INC(init_vnode_label);
+ COUNTER_INC(vnode_init_label);
}
-COUNTER_DECL(destroy_bpfdesc_label);
+COUNTER_DECL(bpfdesc_destroy_label);
static void
-mac_test_destroy_bpfdesc_label(struct label *label)
+mac_test_bpfdesc_destroy_label(struct label *label)
{
LABEL_DESTROY(label, MAGIC_BPF);
- COUNTER_INC(destroy_bpfdesc_label);
+ COUNTER_INC(bpfdesc_destroy_label);
}
-COUNTER_DECL(destroy_cred_label);
+COUNTER_DECL(cred_destroy_label);
static void
-mac_test_destroy_cred_label(struct label *label)
+mac_test_cred_destroy_label(struct label *label)
{
LABEL_DESTROY(label, MAGIC_CRED);
- COUNTER_INC(destroy_cred_label);
+ COUNTER_INC(cred_destroy_label);
}
-COUNTER_DECL(destroy_devfs_label);
+COUNTER_DECL(devfs_destroy_label);
static void
-mac_test_destroy_devfs_label(struct label *label)
+mac_test_devfs_destroy_label(struct label *label)
{
LABEL_DESTROY(label, MAGIC_DEVFS);
- COUNTER_INC(destroy_devfs_label);
+ COUNTER_INC(devfs_destroy_label);
}
-COUNTER_DECL(destroy_ifnet_label);
+COUNTER_DECL(ifnet_destroy_label);
static void
-mac_test_destroy_ifnet_label(struct label *label)
+mac_test_ifnet_destroy_label(struct label *label)
{
LABEL_DESTROY(label, MAGIC_IFNET);
- COUNTER_INC(destroy_ifnet_label);
+ COUNTER_INC(ifnet_destroy_label);
}
-COUNTER_DECL(destroy_inpcb_label);
+COUNTER_DECL(inpcb_destroy_label);
static void
-mac_test_destroy_inpcb_label(struct label *label)
+mac_test_inpcb_destroy_label(struct label *label)
{
LABEL_DESTROY(label, MAGIC_INPCB);
- COUNTER_INC(destroy_inpcb_label);
+ COUNTER_INC(inpcb_destroy_label);
}
-COUNTER_DECL(destroy_sysv_msg_label);
+COUNTER_DECL(sysvmsg_destroy_label);
static void
-mac_test_destroy_sysv_msgmsg_label(struct label *label)
+mac_test_sysvmsg_destroy_label(struct label *label)
{
LABEL_DESTROY(label, MAGIC_SYSV_MSG);
- COUNTER_INC(destroy_sysv_msg_label);
+ COUNTER_INC(sysvmsg_destroy_label);
}
-COUNTER_DECL(destroy_sysv_msq_label);
+COUNTER_DECL(sysvmsq_destroy_label);
static void
-mac_test_destroy_sysv_msgqueue_label(struct label *label)
+mac_test_sysvmsq_destroy_label(struct label *label)
{
LABEL_DESTROY(label, MAGIC_SYSV_MSQ);
- COUNTER_INC(destroy_sysv_msq_label);
+ COUNTER_INC(sysvmsq_destroy_label);
}
-COUNTER_DECL(destroy_sysv_sem_label);
+COUNTER_DECL(sysvsem_destroy_label);
static void
-mac_test_destroy_sysv_sem_label(struct label *label)
+mac_test_sysvsem_destroy_label(struct label *label)
{
LABEL_DESTROY(label, MAGIC_SYSV_SEM);
- COUNTER_INC(destroy_sysv_sem_label);
+ COUNTER_INC(sysvsem_destroy_label);
}
-COUNTER_DECL(destroy_sysv_shm_label);
+COUNTER_DECL(sysvshm_destroy_label);
static void
-mac_test_destroy_sysv_shm_label(struct label *label)
+mac_test_sysvshm_destroy_label(struct label *label)
{
LABEL_DESTROY(label, MAGIC_SYSV_SHM);
- COUNTER_INC(destroy_sysv_shm_label);
+ COUNTER_INC(sysvshm_destroy_label);
}
-COUNTER_DECL(destroy_ipq_label);
+COUNTER_DECL(ipq_destroy_label);
static void
-mac_test_destroy_ipq_label(struct label *label)
+mac_test_ipq_destroy_label(struct label *label)
{
LABEL_DESTROY(label, MAGIC_IPQ);
- COUNTER_INC(destroy_ipq_label);
+ COUNTER_INC(ipq_destroy_label);
}
-COUNTER_DECL(destroy_mbuf_label);
+COUNTER_DECL(mbuf_destroy_label);
static void
-mac_test_destroy_mbuf_label(struct label *label)
+mac_test_mbuf_destroy_label(struct label *label)
{
/*
@@ -438,130 +442,130 @@ mac_test_destroy_mbuf_label(struct label *label)
return;
LABEL_DESTROY(label, MAGIC_MBUF);
- COUNTER_INC(destroy_mbuf_label);
+ COUNTER_INC(mbuf_destroy_label);
}
-COUNTER_DECL(destroy_mount_label);
+COUNTER_DECL(mount_destroy_label);
static void
-mac_test_destroy_mount_label(struct label *label)
+mac_test_mount_destroy_label(struct label *label)
{
LABEL_DESTROY(label, MAGIC_MOUNT);
- COUNTER_INC(destroy_mount_label);
+ COUNTER_INC(mount_destroy_label);
}
-COUNTER_DECL(destroy_socket_label);
+COUNTER_DECL(socket_destroy_label);
static void
-mac_test_destroy_socket_label(struct label *label)
+mac_test_socket_destroy_label(struct label *label)
{
LABEL_DESTROY(label, MAGIC_SOCKET);
- COUNTER_INC(destroy_socket_label);
+ COUNTER_INC(socket_destroy_label);
}
-COUNTER_DECL(destroy_socket_peer_label);
+COUNTER_DECL(socketpeer_destroy_label);
static void
-mac_test_destroy_socket_peer_label(struct label *label)
+mac_test_socketpeer_destroy_label(struct label *label)
{
LABEL_DESTROY(label, MAGIC_SOCKET);
- COUNTER_INC(destroy_socket_peer_label);
+ COUNTER_INC(socketpeer_destroy_label);
}
-COUNTER_DECL(destroy_pipe_label);
+COUNTER_DECL(pipe_destroy_label);
static void
-mac_test_destroy_pipe_label(struct label *label)
+mac_test_pipe_destroy_label(struct label *label)
{
LABEL_DESTROY(label, MAGIC_PIPE);
- COUNTER_INC(destroy_pipe_label);
+ COUNTER_INC(pipe_destroy_label);
}
-COUNTER_DECL(destroy_posix_sem_label);
+COUNTER_DECL(posixsem_destroy_label);
static void
-mac_test_destroy_posix_sem_label(struct label *label)
+mac_test_posixsem_destroy_label(struct label *label)
{
LABEL_DESTROY(label, MAGIC_POSIX_SEM);
- COUNTER_INC(destroy_posix_sem_label);
+ COUNTER_INC(posixsem_destroy_label);
}
-COUNTER_DECL(destroy_proc_label);
+COUNTER_DECL(proc_destroy_label);
static void
-mac_test_destroy_proc_label(struct label *label)
+mac_test_proc_destroy_label(struct label *label)
{
LABEL_DESTROY(label, MAGIC_PROC);
- COUNTER_INC(destroy_proc_label);
+ COUNTER_INC(proc_destroy_label);
}
-COUNTER_DECL(destroy_vnode_label);
+COUNTER_DECL(vnode_destroy_label);
static void
-mac_test_destroy_vnode_label(struct label *label)
+mac_test_vnode_destroy_label(struct label *label)
{
LABEL_DESTROY(label, MAGIC_VNODE);
- COUNTER_INC(destroy_vnode_label);
+ COUNTER_INC(vnode_destroy_label);
}
-COUNTER_DECL(copy_cred_label);
+COUNTER_DECL(cred_copy_label);
static void
-mac_test_copy_cred_label(struct label *src, struct label *dest)
+mac_test_cred_copy_label(struct label *src, struct label *dest)
{
LABEL_CHECK(src, MAGIC_CRED);
LABEL_CHECK(dest, MAGIC_CRED);
- COUNTER_INC(copy_cred_label);
+ COUNTER_INC(cred_copy_label);
}
-COUNTER_DECL(copy_ifnet_label);
+COUNTER_DECL(ifnet_copy_label);
static void
-mac_test_copy_ifnet_label(struct label *src, struct label *dest)
+mac_test_ifnet_copy_label(struct label *src, struct label *dest)
{
LABEL_CHECK(src, MAGIC_IFNET);
LABEL_CHECK(dest, MAGIC_IFNET);
- COUNTER_INC(copy_ifnet_label);
+ COUNTER_INC(ifnet_copy_label);
}
-COUNTER_DECL(copy_mbuf_label);
+COUNTER_DECL(mbuf_copy_label);
static void
-mac_test_copy_mbuf_label(struct label *src, struct label *dest)
+mac_test_mbuf_copy_label(struct label *src, struct label *dest)
{
LABEL_CHECK(src, MAGIC_MBUF);
LABEL_CHECK(dest, MAGIC_MBUF);
- COUNTER_INC(copy_mbuf_label);
+ COUNTER_INC(mbuf_copy_label);
}
-COUNTER_DECL(copy_pipe_label);
+COUNTER_DECL(pipe_copy_label);
static void
-mac_test_copy_pipe_label(struct label *src, struct label *dest)
+mac_test_pipe_copy_label(struct label *src, struct label *dest)
{
LABEL_CHECK(src, MAGIC_PIPE);
LABEL_CHECK(dest, MAGIC_PIPE);
- COUNTER_INC(copy_pipe_label);
+ COUNTER_INC(pipe_copy_label);
}
-COUNTER_DECL(copy_socket_label);
+COUNTER_DECL(socket_copy_label);
static void
-mac_test_copy_socket_label(struct label *src, struct label *dest)
+mac_test_socket_copy_label(struct label *src, struct label *dest)
{
LABEL_CHECK(src, MAGIC_SOCKET);
LABEL_CHECK(dest, MAGIC_SOCKET);
- COUNTER_INC(copy_socket_label);
+ COUNTER_INC(socket_copy_label);
}
-COUNTER_DECL(copy_vnode_label);
+COUNTER_DECL(vnode_copy_label);
static void
-mac_test_copy_vnode_label(struct label *src, struct label *dest)
+mac_test_vnode_copy_label(struct label *src, struct label *dest)
{
LABEL_CHECK(src, MAGIC_VNODE);
LABEL_CHECK(dest, MAGIC_VNODE);
- COUNTER_INC(copy_vnode_label);
+ COUNTER_INC(vnode_copy_label);
}
COUNTER_DECL(externalize_label);
@@ -592,9 +596,9 @@ mac_test_internalize_label(struct label *label, char *element_name,
* Labeling event operations: file system objects, and things that look
* a lot like file system objects.
*/
-COUNTER_DECL(associate_vnode_devfs);
+COUNTER_DECL(devfs_vnode_associate);
static void
-mac_test_associate_vnode_devfs(struct mount *mp, struct label *mplabel,
+mac_test_devfs_vnode_associate(struct mount *mp, struct label *mplabel,
struct devfs_dirent *de, struct label *delabel, struct vnode *vp,
struct label *vplabel)
{
@@ -602,58 +606,58 @@ mac_test_associate_vnode_devfs(struct mount *mp, struct label *mplabel,
LABEL_CHECK(mplabel, MAGIC_MOUNT);
LABEL_CHECK(delabel, MAGIC_DEVFS);
LABEL_CHECK(vplabel, MAGIC_VNODE);
- COUNTER_INC(associate_vnode_devfs);
+ COUNTER_INC(devfs_vnode_associate);
}
-COUNTER_DECL(associate_vnode_extattr);
+COUNTER_DECL(vnode_associate_extattr);
static int
-mac_test_associate_vnode_extattr(struct mount *mp, struct label *mplabel,
+mac_test_vnode_associate_extattr(struct mount *mp, struct label *mplabel,
struct vnode *vp, struct label *vplabel)
{
LABEL_CHECK(mplabel, MAGIC_MOUNT);
LABEL_CHECK(vplabel, MAGIC_VNODE);
- COUNTER_INC(associate_vnode_extattr);
+ COUNTER_INC(vnode_associate_extattr);
return (0);
}
-COUNTER_DECL(associate_vnode_singlelabel);
+COUNTER_DECL(vnode_associate_singlelabel);
static void
-mac_test_associate_vnode_singlelabel(struct mount *mp, struct label *mplabel,
+mac_test_vnode_associate_singlelabel(struct mount *mp, struct label *mplabel,
struct vnode *vp, struct label *vplabel)
{
LABEL_CHECK(mplabel, MAGIC_MOUNT);
LABEL_CHECK(vplabel, MAGIC_VNODE);
- COUNTER_INC(associate_vnode_singlelabel);
+ COUNTER_INC(vnode_associate_singlelabel);
}
-COUNTER_DECL(create_devfs_device);
+COUNTER_DECL(devfs_create_device);
static void
-mac_test_create_devfs_device(struct ucred *cred, struct mount *mp,
+mac_test_devfs_create_device(struct ucred *cred, struct mount *mp,
struct cdev *dev, struct devfs_dirent *de, struct label *delabel)
{
if (cred != NULL)
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(delabel, MAGIC_DEVFS);
- COUNTER_INC(create_devfs_device);
+ COUNTER_INC(devfs_create_device);
}
-COUNTER_DECL(create_devfs_directory);
+COUNTER_DECL(devfs_create_directory);
static void
-mac_test_create_devfs_directory(struct mount *mp, char *dirname,
+mac_test_devfs_create_directory(struct mount *mp, char *dirname,
int dirnamelen, struct devfs_dirent *de, struct label *delabel)
{
LABEL_CHECK(delabel, MAGIC_DEVFS);
- COUNTER_INC(create_devfs_directory);
+ COUNTER_INC(devfs_create_directory);
}
-COUNTER_DECL(create_devfs_symlink);
+COUNTER_DECL(devfs_create_symlink);
static void
-mac_test_create_devfs_symlink(struct ucred *cred, struct mount *mp,
+mac_test_devfs_create_symlink(struct ucred *cred, struct mount *mp,
struct devfs_dirent *dd, struct label *ddlabel, struct devfs_dirent *de,
struct label *delabel)
{
@@ -661,12 +665,12 @@ mac_test_create_devfs_symlink(struct ucred *cred, struct mount *mp,
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(ddlabel, MAGIC_DEVFS);
LABEL_CHECK(delabel, MAGIC_DEVFS);
- COUNTER_INC(create_devfs_symlink);
+ COUNTER_INC(devfs_create_symlink);
}
-COUNTER_DECL(create_vnode_extattr);
+COUNTER_DECL(vnode_create_extattr);
static int
-mac_test_create_vnode_extattr(struct ucred *cred, struct mount *mp,
+mac_test_vnode_create_extattr(struct ucred *cred, struct mount *mp,
struct label *mplabel, struct vnode *dvp, struct label *dvplabel,
struct vnode *vp, struct label *vplabel, struct componentname *cnp)
{
@@ -674,281 +678,281 @@ mac_test_create_vnode_extattr(struct ucred *cred, struct mount *mp,
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(mplabel, MAGIC_MOUNT);
LABEL_CHECK(dvplabel, MAGIC_VNODE);
- COUNTER_INC(create_vnode_extattr);
+ COUNTER_INC(vnode_create_extattr);
return (0);
}
-COUNTER_DECL(create_mount);
+COUNTER_DECL(mount_create);
static void
-mac_test_create_mount(struct ucred *cred, struct mount *mp,
+mac_test_mount_create(struct ucred *cred, struct mount *mp,
struct label *mplabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(mplabel, MAGIC_MOUNT);
- COUNTER_INC(create_mount);
+ COUNTER_INC(mount_create);
}
-COUNTER_DECL(relabel_vnode);
+COUNTER_DECL(vnode_relabel);
static void
-mac_test_relabel_vnode(struct ucred *cred, struct vnode *vp,
+mac_test_vnode_relabel(struct ucred *cred, struct vnode *vp,
struct label *vplabel, struct label *label)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(vplabel, MAGIC_VNODE);
LABEL_CHECK(label, MAGIC_VNODE);
- COUNTER_INC(relabel_vnode);
+ COUNTER_INC(vnode_relabel);
}
-COUNTER_DECL(setlabel_vnode_extattr);
+COUNTER_DECL(vnode_setlabel_extattr);
static int
-mac_test_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
+mac_test_vnode_setlabel_extattr(struct ucred *cred, struct vnode *vp,
struct label *vplabel, struct label *intlabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(vplabel, MAGIC_VNODE);
LABEL_CHECK(intlabel, MAGIC_VNODE);
- COUNTER_INC(setlabel_vnode_extattr);
+ COUNTER_INC(vnode_setlabel_extattr);
return (0);
}
-COUNTER_DECL(update_devfs);
+COUNTER_DECL(devfs_update);
static void
-mac_test_update_devfs(struct mount *mp, struct devfs_dirent *devfs_dirent,
+mac_test_devfs_update(struct mount *mp, struct devfs_dirent *devfs_dirent,
struct label *direntlabel, struct vnode *vp, struct label *vplabel)
{
LABEL_CHECK(direntlabel, MAGIC_DEVFS);
LABEL_CHECK(vplabel, MAGIC_VNODE);
- COUNTER_INC(update_devfs);
+ COUNTER_INC(devfs_update);
}
/*
* Labeling event operations: IPC object.
*/
-COUNTER_DECL(create_mbuf_from_socket);
+COUNTER_DECL(socket_create_mbuf);
static void
-mac_test_create_mbuf_from_socket(struct socket *so, struct label *socketlabel,
+mac_test_socket_create_mbuf(struct socket *so, struct label *socketlabel,
struct mbuf *m, struct label *mbuflabel)
{
LABEL_CHECK(socketlabel, MAGIC_SOCKET);
LABEL_CHECK(mbuflabel, MAGIC_MBUF);
- COUNTER_INC(create_mbuf_from_socket);
+ COUNTER_INC(socket_create_mbuf);
}
-COUNTER_DECL(create_socket);
+COUNTER_DECL(socket_create);
static void
-mac_test_create_socket(struct ucred *cred, struct socket *socket,
+mac_test_socket_create(struct ucred *cred, struct socket *socket,
struct label *socketlabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(socketlabel, MAGIC_SOCKET);
- COUNTER_INC(create_socket);
+ COUNTER_INC(socket_create);
}
-COUNTER_DECL(create_pipe);
+COUNTER_DECL(pipe_create);
static void
-mac_test_create_pipe(struct ucred *cred, struct pipepair *pp,
+mac_test_pipe_create(struct ucred *cred, struct pipepair *pp,
struct label *pipelabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(pipelabel, MAGIC_PIPE);
- COUNTER_INC(create_pipe);
+ COUNTER_INC(pipe_create);
}
-COUNTER_DECL(create_posix_sem);
+COUNTER_DECL(posixsem_create);
static void
-mac_test_create_posix_sem(struct ucred *cred, struct ksem *ks,
+mac_test_posixsem_create(struct ucred *cred, struct ksem *ks,
struct label *kslabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(kslabel, MAGIC_POSIX_SEM);
- COUNTER_INC(create_posix_sem);
+ COUNTER_INC(posixsem_create);
}
-COUNTER_DECL(create_socket_from_socket);
+COUNTER_DECL(socket_newconn);
static void
-mac_test_create_socket_from_socket(struct socket *oldsocket,
+mac_test_socket_newconn(struct socket *oldsocket,
struct label *oldsocketlabel, struct socket *newsocket,
struct label *newsocketlabel)
{
LABEL_CHECK(oldsocketlabel, MAGIC_SOCKET);
LABEL_CHECK(newsocketlabel, MAGIC_SOCKET);
- COUNTER_INC(create_socket_from_socket);
+ COUNTER_INC(socket_newconn);
}
-COUNTER_DECL(relabel_socket);
+COUNTER_DECL(socket_relabel);
static void
-mac_test_relabel_socket(struct ucred *cred, struct socket *socket,
+mac_test_socket_relabel(struct ucred *cred, struct socket *socket,
struct label *socketlabel, struct label *newlabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(newlabel, MAGIC_SOCKET);
- COUNTER_INC(relabel_socket);
+ COUNTER_INC(socket_relabel);
}
-COUNTER_DECL(relabel_pipe);
+COUNTER_DECL(pipe_relabel);
static void
-mac_test_relabel_pipe(struct ucred *cred, struct pipepair *pp,
+mac_test_pipe_relabel(struct ucred *cred, struct pipepair *pp,
struct label *pipelabel, struct label *newlabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(pipelabel, MAGIC_PIPE);
LABEL_CHECK(newlabel, MAGIC_PIPE);
- COUNTER_INC(relabel_pipe);
+ COUNTER_INC(pipe_relabel);
}
-COUNTER_DECL(set_socket_peer_from_mbuf);
+COUNTER_DECL(socketpeer_set_from_mbuf);
static void
-mac_test_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct label *mbuflabel,
+mac_test_socketpeer_set_from_mbuf(struct mbuf *mbuf, struct label *mbuflabel,
struct socket *socket, struct label *socketpeerlabel)
{
LABEL_CHECK(mbuflabel, MAGIC_MBUF);
LABEL_CHECK(socketpeerlabel, MAGIC_SOCKET);
- COUNTER_INC(set_socket_peer_from_mbuf);
+ COUNTER_INC(socketpeer_set_from_mbuf);
}
/*
* Labeling event operations: network objects.
*/
-COUNTER_DECL(set_socket_peer_from_socket);
+COUNTER_DECL(socketpeer_set_from_socket);
static void
-mac_test_set_socket_peer_from_socket(struct socket *oldsocket,
+mac_test_socketpeer_set_from_socket(struct socket *oldsocket,
struct label *oldsocketlabel, struct socket *newsocket,
struct label *newsocketpeerlabel)
{
LABEL_CHECK(oldsocketlabel, MAGIC_SOCKET);
LABEL_CHECK(newsocketpeerlabel, MAGIC_SOCKET);
- COUNTER_INC(set_socket_peer_from_socket);
+ COUNTER_INC(socketpeer_set_from_socket);
}
-COUNTER_DECL(create_bpfdesc);
+COUNTER_DECL(bpfdesc_create);
static void
-mac_test_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d,
+mac_test_bpfdesc_create(struct ucred *cred, struct bpf_d *bpf_d,
struct label *bpflabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(bpflabel, MAGIC_BPF);
- COUNTER_INC(create_bpfdesc);
+ COUNTER_INC(bpfdesc_create);
}
-COUNTER_DECL(create_datagram_from_ipq);
+COUNTER_DECL(ipq_reassemble);
static void
-mac_test_create_datagram_from_ipq(struct ipq *ipq, struct label *ipqlabel,
+mac_test_ipq_reassemble(struct ipq *ipq, struct label *ipqlabel,
struct mbuf *datagram, struct label *datagramlabel)
{
LABEL_CHECK(ipqlabel, MAGIC_IPQ);
LABEL_CHECK(datagramlabel, MAGIC_MBUF);
- COUNTER_INC(create_datagram_from_ipq);
+ COUNTER_INC(ipq_reassemble);
}
-COUNTER_DECL(create_fragment);
+COUNTER_DECL(netinet_fragment);
static void
-mac_test_create_fragment(struct mbuf *datagram, struct label *datagramlabel,
+mac_test_netinet_fragment(struct mbuf *datagram, struct label *datagramlabel,
struct mbuf *fragment, struct label *fragmentlabel)
{
LABEL_CHECK(datagramlabel, MAGIC_MBUF);
LABEL_CHECK(fragmentlabel, MAGIC_MBUF);
- COUNTER_INC(create_fragment);
+ COUNTER_INC(netinet_fragment);
}
-COUNTER_DECL(create_ifnet);
+COUNTER_DECL(ifnet_create);
static void
-mac_test_create_ifnet(struct ifnet *ifnet, struct label *ifnetlabel)
+mac_test_ifnet_create(struct ifnet *ifnet, struct label *ifnetlabel)
{
LABEL_CHECK(ifnetlabel, MAGIC_IFNET);
- COUNTER_INC(create_ifnet);
+ COUNTER_INC(ifnet_create);
}
-COUNTER_DECL(create_inpcb_from_socket);
+COUNTER_DECL(inpcb_create);
static void
-mac_test_create_inpcb_from_socket(struct socket *so, struct label *solabel,
+mac_test_inpcb_create(struct socket *so, struct label *solabel,
struct inpcb *inp, struct label *inplabel)
{
LABEL_CHECK(solabel, MAGIC_SOCKET);
LABEL_CHECK(inplabel, MAGIC_INPCB);
- COUNTER_INC(create_inpcb_from_socket);
+ COUNTER_INC(inpcb_create);
}
-COUNTER_DECL(create_sysv_msgmsg);
+COUNTER_DECL(sysvmsg_create);
static void
-mac_test_create_sysv_msgmsg(struct ucred *cred, struct msqid_kernel *msqkptr,
+mac_test_sysvmsg_create(struct ucred *cred, struct msqid_kernel *msqkptr,
struct label *msqlabel, struct msg *msgptr, struct label *msglabel)
{
LABEL_CHECK(msglabel, MAGIC_SYSV_MSG);
LABEL_CHECK(msqlabel, MAGIC_SYSV_MSQ);
- COUNTER_INC(create_sysv_msgmsg);
+ COUNTER_INC(sysvmsg_create);
}
-COUNTER_DECL(create_sysv_msgqueue);
+COUNTER_DECL(sysvmsq_create);
static void
-mac_test_create_sysv_msgqueue(struct ucred *cred,
+mac_test_sysvmsq_create(struct ucred *cred,
struct msqid_kernel *msqkptr, struct label *msqlabel)
{
LABEL_CHECK(msqlabel, MAGIC_SYSV_MSQ);
- COUNTER_INC(create_sysv_msgqueue);
+ COUNTER_INC(sysvmsq_create);
}
-COUNTER_DECL(create_sysv_sem);
+COUNTER_DECL(sysvsem_create);
static void
-mac_test_create_sysv_sem(struct ucred *cred, struct semid_kernel *semakptr,
+mac_test_sysvsem_create(struct ucred *cred, struct semid_kernel *semakptr,
struct label *semalabel)
{
LABEL_CHECK(semalabel, MAGIC_SYSV_SEM);
- COUNTER_INC(create_sysv_sem);
+ COUNTER_INC(sysvsem_create);
}
-COUNTER_DECL(create_sysv_shm);
+COUNTER_DECL(sysvshm_create);
static void
-mac_test_create_sysv_shm(struct ucred *cred, struct shmid_kernel *shmsegptr,
+mac_test_sysvshm_create(struct ucred *cred, struct shmid_kernel *shmsegptr,
struct label *shmlabel)
{
LABEL_CHECK(shmlabel, MAGIC_SYSV_SHM);
- COUNTER_INC(create_sysv_shm);
+ COUNTER_INC(sysvshm_create);
}
-COUNTER_DECL(create_ipq);
+COUNTER_DECL(ipq_create);
static void
-mac_test_create_ipq(struct mbuf *fragment, struct label *fragmentlabel,
+mac_test_ipq_create(struct mbuf *fragment, struct label *fragmentlabel,
struct ipq *ipq, struct label *ipqlabel)
{
LABEL_CHECK(fragmentlabel, MAGIC_MBUF);
LABEL_CHECK(ipqlabel, MAGIC_IPQ);
- COUNTER_INC(create_ipq);
+ COUNTER_INC(ipq_create);
}
-COUNTER_DECL(create_mbuf_from_inpcb);
+COUNTER_DECL(inpcb_create_mbuf);
static void
-mac_test_create_mbuf_from_inpcb(struct inpcb *inp, struct label *inplabel,
+mac_test_inpcb_create_mbuf(struct inpcb *inp, struct label *inplabel,
struct mbuf *m, struct label *mlabel)
{
LABEL_CHECK(inplabel, MAGIC_INPCB);
LABEL_CHECK(mlabel, MAGIC_MBUF);
- COUNTER_INC(create_mbuf_from_inpcb);
+ COUNTER_INC(inpcb_create_mbuf);
}
COUNTER_DECL(create_mbuf_linklayer);
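Review bot: `mac_test_socket_relabel` validates `cred->cr_label` and `newlabel` but never the existing `socketlabel`, whereas `mac_test_pipe_relabel` and `mac_test_vnode_relabel` in this same hunk (and `mac_test_ifnet_relabel` later in the file) check both the current and the new label. Since this policy exists to catch a label of the wrong type reaching an entry point, a corrupted or mistyped socket label would go unnoticed on this path. Adding `LABEL_CHECK(socketlabel, MAGIC_SOCKET);` ahead of the `newlabel` check would close the gap. The four `sysv*_create` functions in the hunk also accept `cred` without checking `cred->cr_label`; if `cred` can never be NULL there, `LABEL_CHECK(cred->cr_label, MAGIC_CRED);` would apply to them as well.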
@@ -962,31 +966,31 @@ mac_test_create_mbuf_linklayer(struct ifnet *ifnet, struct label *ifnetlabel,
COUNTER_INC(create_mbuf_linklayer);
}
-COUNTER_DECL(create_mbuf_from_bpfdesc);
+COUNTER_DECL(bpfdesc_create_mbuf);
static void
-mac_test_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct label *bpflabel,
+mac_test_bpfdesc_create_mbuf(struct bpf_d *bpf_d, struct label *bpflabel,
struct mbuf *mbuf, struct label *mbuflabel)
{
LABEL_CHECK(bpflabel, MAGIC_BPF);
LABEL_CHECK(mbuflabel, MAGIC_MBUF);
- COUNTER_INC(create_mbuf_from_bpfdesc);
+ COUNTER_INC(bpfdesc_create_mbuf);
}
-COUNTER_DECL(create_mbuf_from_ifnet);
+COUNTER_DECL(ifnet_create_mbuf);
static void
-mac_test_create_mbuf_from_ifnet(struct ifnet *ifnet, struct label *ifnetlabel,
+mac_test_ifnet_create_mbuf(struct ifnet *ifnet, struct label *ifnetlabel,
struct mbuf *m, struct label *mbuflabel)
{
LABEL_CHECK(ifnetlabel, MAGIC_IFNET);
LABEL_CHECK(mbuflabel, MAGIC_MBUF);
- COUNTER_INC(create_mbuf_from_ifnet);
+ COUNTER_INC(ifnet_create_mbuf);
}
-COUNTER_DECL(create_mbuf_multicast_encap);
+COUNTER_DECL(mbuf_create_multicast_encap);
static void
-mac_test_create_mbuf_multicast_encap(struct mbuf *oldmbuf,
+mac_test_mbuf_create_multicast_encap(struct mbuf *oldmbuf,
struct label *oldmbuflabel, struct ifnet *ifnet, struct label *ifnetlabel,
struct mbuf *newmbuf, struct label *newmbuflabel)
{
@@ -994,73 +998,73 @@ mac_test_create_mbuf_multicast_encap(struct mbuf *oldmbuf,
LABEL_CHECK(oldmbuflabel, MAGIC_MBUF);
LABEL_CHECK(ifnetlabel, MAGIC_IFNET);
LABEL_CHECK(newmbuflabel, MAGIC_MBUF);
- COUNTER_INC(create_mbuf_multicast_encap);
+ COUNTER_INC(mbuf_create_multicast_encap);
}
-COUNTER_DECL(create_mbuf_netlayer);
+COUNTER_DECL(mbuf_create_netlayer);
static void
-mac_test_create_mbuf_netlayer(struct mbuf *oldmbuf,
+mac_test_mbuf_create_netlayer(struct mbuf *oldmbuf,
struct label *oldmbuflabel, struct mbuf *newmbuf,
struct label *newmbuflabel)
{
LABEL_CHECK(oldmbuflabel, MAGIC_MBUF);
LABEL_CHECK(newmbuflabel, MAGIC_MBUF);
- COUNTER_INC(create_mbuf_netlayer);
+ COUNTER_INC(mbuf_create_netlayer);
}
-COUNTER_DECL(fragment_match);
+COUNTER_DECL(ipq_match);
static int
-mac_test_fragment_match(struct mbuf *fragment, struct label *fragmentlabel,
+mac_test_ipq_match(struct mbuf *fragment, struct label *fragmentlabel,
struct ipq *ipq, struct label *ipqlabel)
{
LABEL_CHECK(fragmentlabel, MAGIC_MBUF);
LABEL_CHECK(ipqlabel, MAGIC_IPQ);
- COUNTER_INC(fragment_match);
+ COUNTER_INC(ipq_match);
return (1);
}
-COUNTER_DECL(reflect_mbuf_icmp);
+COUNTER_DECL(netinet_icmp_reply);
static void
-mac_test_reflect_mbuf_icmp(struct mbuf *m, struct label *mlabel)
+mac_test_netinet_icmp_reply(struct mbuf *m, struct label *mlabel)
{
LABEL_CHECK(mlabel, MAGIC_MBUF);
- COUNTER_INC(reflect_mbuf_icmp);
+ COUNTER_INC(netinet_icmp_reply);
}
-COUNTER_DECL(reflect_mbuf_tcp);
+COUNTER_DECL(netinet_tcp_reply);
static void
-mac_test_reflect_mbuf_tcp(struct mbuf *m, struct label *mlabel)
+mac_test_netinet_tcp_reply(struct mbuf *m, struct label *mlabel)
{
LABEL_CHECK(mlabel, MAGIC_MBUF);
- COUNTER_INC(reflect_mbuf_tcp);
+ COUNTER_INC(netinet_tcp_reply);
}
-COUNTER_DECL(relabel_ifnet);
+COUNTER_DECL(ifnet_relabel);
static void
-mac_test_relabel_ifnet(struct ucred *cred, struct ifnet *ifnet,
+mac_test_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet,
struct label *ifnetlabel, struct label *newlabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(ifnetlabel, MAGIC_IFNET);
LABEL_CHECK(newlabel, MAGIC_IFNET);
- COUNTER_INC(relabel_ifnet);
+ COUNTER_INC(ifnet_relabel);
}
-COUNTER_DECL(update_ipq);
+COUNTER_DECL(ipq_update);
static void
-mac_test_update_ipq(struct mbuf *fragment, struct label *fragmentlabel,
+mac_test_ipq_update(struct mbuf *fragment, struct label *fragmentlabel,
struct ipq *ipq, struct label *ipqlabel)
{
LABEL_CHECK(fragmentlabel, MAGIC_MBUF);
LABEL_CHECK(ipqlabel, MAGIC_IPQ);
- COUNTER_INC(update_ipq);
+ COUNTER_INC(ipq_update);
}
COUNTER_DECL(inpcb_sosetlabel);
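Review bot: `mac_test_ipq_match` ends in `return (1);` while every other int-returning entry point visible in this diff returns `(0)`, and nothing in the function says why. If, as the name suggests, this is a match predicate rather than an errno-style result, a one-line comment above the return, such as `/* Predicate, not an errno: non-zero reports a match. */`, would keep a later cleanup from "normalising" it to 0. That change would presumably alter which fragments this policy lets join a reassembly queue.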
@@ -1077,9 +1081,9 @@ mac_test_inpcb_sosetlabel(struct socket *so, struct label *solabel,
/*
* Labeling event operations: processes.
*/
-COUNTER_DECL(execve_transition);
+COUNTER_DECL(vnode_execve_transition);
static void
-mac_test_execve_transition(struct ucred *old, struct ucred *new,
+mac_test_vnode_execve_transition(struct ucred *old, struct ucred *new,
struct vnode *vp, struct label *filelabel,
struct label *interpvplabel, struct image_params *imgp,
struct label *execlabel)
@@ -1090,12 +1094,12 @@ mac_test_execve_transition(struct ucred *old, struct ucred *new,
LABEL_CHECK(filelabel, MAGIC_VNODE);
LABEL_CHECK(interpvplabel, MAGIC_VNODE);
LABEL_CHECK(execlabel, MAGIC_CRED);
- COUNTER_INC(execve_transition);
+ COUNTER_INC(vnode_execve_transition);
}
-COUNTER_DECL(execve_will_transition);
+COUNTER_DECL(vnode_execve_will_transition);
static int
-mac_test_execve_will_transition(struct ucred *old, struct vnode *vp,
+mac_test_vnode_execve_will_transition(struct ucred *old, struct vnode *vp,
struct label *filelabel, struct label *interpvplabel,
struct image_params *imgp, struct label *execlabel)
{
@@ -1104,37 +1108,37 @@ mac_test_execve_will_transition(struct ucred *old, struct vnode *vp,
LABEL_CHECK(filelabel, MAGIC_VNODE);
LABEL_CHECK(interpvplabel, MAGIC_VNODE);
LABEL_CHECK(execlabel, MAGIC_CRED);
- COUNTER_INC(execve_will_transition);
+ COUNTER_INC(vnode_execve_will_transition);
return (0);
}
-COUNTER_DECL(create_proc0);
+COUNTER_DECL(proc_create_swapper);
static void
-mac_test_create_proc0(struct ucred *cred)
+mac_test_proc_create_swapper(struct ucred *cred)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
- COUNTER_INC(create_proc0);
+ COUNTER_INC(proc_create_swapper);
}
-COUNTER_DECL(create_proc1);
+COUNTER_DECL(proc_create_init);
static void
-mac_test_create_proc1(struct ucred *cred)
+mac_test_proc_create_init(struct ucred *cred)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
- COUNTER_INC(create_proc1);
+ COUNTER_INC(proc_create_init);
}
-COUNTER_DECL(relabel_cred);
+COUNTER_DECL(cred_relabel);
static void
-mac_test_relabel_cred(struct ucred *cred, struct label *newlabel)
+mac_test_cred_relabel(struct ucred *cred, struct label *newlabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(newlabel, MAGIC_CRED);
- COUNTER_INC(relabel_cred);
+ COUNTER_INC(cred_relabel);
}
COUNTER_DECL(thread_userret);
@@ -1148,125 +1152,125 @@ mac_test_thread_userret(struct thread *td)
/*
* Label cleanup/flush operations
*/
-COUNTER_DECL(cleanup_sysv_msgmsg);
+COUNTER_DECL(sysvmsg_cleanup);
static void
-mac_test_cleanup_sysv_msgmsg(struct label *msglabel)
+mac_test_sysvmsg_cleanup(struct label *msglabel)
{
LABEL_CHECK(msglabel, MAGIC_SYSV_MSG);
- COUNTER_INC(cleanup_sysv_msgmsg);
+ COUNTER_INC(sysvmsg_cleanup);
}
-COUNTER_DECL(cleanup_sysv_msgqueue);
+COUNTER_DECL(sysvmsq_cleanup);
static void
-mac_test_cleanup_sysv_msgqueue(struct label *msqlabel)
+mac_test_sysvmsq_cleanup(struct label *msqlabel)
{
LABEL_CHECK(msqlabel, MAGIC_SYSV_MSQ);
- COUNTER_INC(cleanup_sysv_msgqueue);
+ COUNTER_INC(sysvmsq_cleanup);
}
-COUNTER_DECL(cleanup_sysv_sem);
+COUNTER_DECL(sysvsem_cleanup);
static void
-mac_test_cleanup_sysv_sem(struct label *semalabel)
+mac_test_sysvsem_cleanup(struct label *semalabel)
{
LABEL_CHECK(semalabel, MAGIC_SYSV_SEM);
- COUNTER_INC(cleanup_sysv_sem);
+ COUNTER_INC(sysvsem_cleanup);
}
-COUNTER_DECL(cleanup_sysv_shm);
+COUNTER_DECL(sysvshm_cleanup);
static void
-mac_test_cleanup_sysv_shm(struct label *shmlabel)
+mac_test_sysvshm_cleanup(struct label *shmlabel)
{
LABEL_CHECK(shmlabel, MAGIC_SYSV_SHM);
- COUNTER_INC(cleanup_sysv_shm);
+ COUNTER_INC(sysvshm_cleanup);
}
/*
* Access control checks.
*/
-COUNTER_DECL(check_bpfdesc_receive);
+COUNTER_DECL(bpfdesc_check_receive);
static int
-mac_test_check_bpfdesc_receive(struct bpf_d *bpf_d, struct label *bpflabel,
+mac_test_bpfdesc_check_receive(struct bpf_d *bpf_d, struct label *bpflabel,
struct ifnet *ifnet, struct label *ifnetlabel)
{
LABEL_CHECK(bpflabel, MAGIC_BPF);
LABEL_CHECK(ifnetlabel, MAGIC_IFNET);
- COUNTER_INC(check_bpfdesc_receive);
+ COUNTER_INC(bpfdesc_check_receive);
return (0);
}
-COUNTER_DECL(check_cred_relabel);
+COUNTER_DECL(cred_check_relabel);
static int
-mac_test_check_cred_relabel(struct ucred *cred, struct label *newlabel)
+mac_test_cred_check_relabel(struct ucred *cred, struct label *newlabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(newlabel, MAGIC_CRED);
- COUNTER_INC(check_cred_relabel);
+ COUNTER_INC(cred_check_relabel);
return (0);
}
-COUNTER_DECL(check_cred_visible);
+COUNTER_DECL(cred_check_visible);
static int
-mac_test_check_cred_visible(struct ucred *u1, struct ucred *u2)
+mac_test_cred_check_visible(struct ucred *u1, struct ucred *u2)
{
LABEL_CHECK(u1->cr_label, MAGIC_CRED);
LABEL_CHECK(u2->cr_label, MAGIC_CRED);
- COUNTER_INC(check_cred_visible);
+ COUNTER_INC(cred_check_visible);
return (0);
}
-COUNTER_DECL(check_ifnet_relabel);
+COUNTER_DECL(ifnet_check_relabel);
static int
-mac_test_check_ifnet_relabel(struct ucred *cred, struct ifnet *ifnet,
+mac_test_ifnet_check_relabel(struct ucred *cred, struct ifnet *ifnet,
struct label *ifnetlabel, struct label *newlabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(ifnetlabel, MAGIC_IFNET);
LABEL_CHECK(newlabel, MAGIC_IFNET);
- COUNTER_INC(check_ifnet_relabel);
+ COUNTER_INC(ifnet_check_relabel);
return (0);
}
-COUNTER_DECL(check_ifnet_transmit);
+COUNTER_DECL(ifnet_check_transmit);
static int
-mac_test_check_ifnet_transmit(struct ifnet *ifnet, struct label *ifnetlabel,
+mac_test_ifnet_check_transmit(struct ifnet *ifnet, struct label *ifnetlabel,
struct mbuf *m, struct label *mbuflabel)
{
LABEL_CHECK(ifnetlabel, MAGIC_IFNET);
LABEL_CHECK(mbuflabel, MAGIC_MBUF);
- COUNTER_INC(check_ifnet_transmit);
+ COUNTER_INC(ifnet_check_transmit);
return (0);
}
-COUNTER_DECL(check_inpcb_deliver);
+COUNTER_DECL(inpcb_check_deliver);
static int
-mac_test_check_inpcb_deliver(struct inpcb *inp, struct label *inplabel,
+mac_test_inpcb_check_deliver(struct inpcb *inp, struct label *inplabel,
struct mbuf *m, struct label *mlabel)
{
LABEL_CHECK(inplabel, MAGIC_INPCB);
LABEL_CHECK(mlabel, MAGIC_MBUF);
- COUNTER_INC(check_inpcb_deliver);
+ COUNTER_INC(inpcb_check_deliver);
return (0);
}
-COUNTER_DECL(check_sysv_msgmsq);
+COUNTER_DECL(sysvmsq_check_msgmsq);
static int
-mac_test_check_sysv_msgmsq(struct ucred *cred, struct msg *msgptr,
+mac_test_sysvmsq_check_msgmsq(struct ucred *cred, struct msg *msgptr,
struct label *msglabel, struct msqid_kernel *msqkptr,
struct label *msqklabel)
{
@@ -1274,859 +1278,859 @@ mac_test_check_sysv_msgmsq(struct ucred *cred, struct msg *msgptr,
LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ);
LABEL_CHECK(msglabel, MAGIC_SYSV_MSG);
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
- COUNTER_INC(check_sysv_msgmsq);
+ COUNTER_INC(sysvmsq_check_msgmsq);
return (0);
}
-COUNTER_DECL(check_sysv_msgrcv);
+COUNTER_DECL(sysvmsq_check_msgrcv);
static int
-mac_test_check_sysv_msgrcv(struct ucred *cred, struct msg *msgptr,
+mac_test_sysvmsq_check_msgrcv(struct ucred *cred, struct msg *msgptr,
struct label *msglabel)
{
LABEL_CHECK(msglabel, MAGIC_SYSV_MSG);
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
- COUNTER_INC(check_sysv_msgrcv);
+ COUNTER_INC(sysvmsq_check_msgrcv);
return (0);
}
-COUNTER_DECL(check_sysv_msgrmid);
+COUNTER_DECL(sysvmsq_check_msgrmid);
static int
-mac_test_check_sysv_msgrmid(struct ucred *cred, struct msg *msgptr,
+mac_test_sysvmsq_check_msgrmid(struct ucred *cred, struct msg *msgptr,
struct label *msglabel)
{
LABEL_CHECK(msglabel, MAGIC_SYSV_MSG);
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
- COUNTER_INC(check_sysv_msgrmid);
+ COUNTER_INC(sysvmsq_check_msgrmid);
return (0);
}
-COUNTER_DECL(check_sysv_msqget);
+COUNTER_DECL(sysvmsq_check_msqget);
static int
-mac_test_check_sysv_msqget(struct ucred *cred, struct msqid_kernel *msqkptr,
- struct label *msqklabel)
+mac_test_sysvmsq_check_msqget(struct ucred *cred,
+ struct msqid_kernel *msqkptr, struct label *msqklabel)
{
LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ);
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
- COUNTER_INC(check_sysv_msqget);
+ COUNTER_INC(sysvmsq_check_msqget);
return (0);
}
-COUNTER_DECL(check_sysv_msqsnd);
+COUNTER_DECL(sysvmsq_check_msqsnd);
static int
-mac_test_check_sysv_msqsnd(struct ucred *cred, struct msqid_kernel *msqkptr,
- struct label *msqklabel)
+mac_test_sysvmsq_check_msqsnd(struct ucred *cred,
+ struct msqid_kernel *msqkptr, struct label *msqklabel)
{
LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ);
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
- COUNTER_INC(check_sysv_msqsnd);
+ COUNTER_INC(sysvmsq_check_msqsnd);
return (0);
}
-COUNTER_DECL(check_sysv_msqrcv);
+COUNTER_DECL(sysvmsq_check_msqrcv);
static int
-mac_test_check_sysv_msqrcv(struct ucred *cred, struct msqid_kernel *msqkptr,
- struct label *msqklabel)
+mac_test_sysvmsq_check_msqrcv(struct ucred *cred,
+ struct msqid_kernel *msqkptr, struct label *msqklabel)
{
LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ);
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
- COUNTER_INC(check_sysv_msqrcv);
+ COUNTER_INC(sysvmsq_check_msqrcv);
return (0);
}
-COUNTER_DECL(check_sysv_msqctl);
+COUNTER_DECL(sysvmsq_check_msqctl);
static int
-mac_test_check_sysv_msqctl(struct ucred *cred, struct msqid_kernel *msqkptr,
- struct label *msqklabel, int cmd)
+mac_test_sysvmsq_check_msqctl(struct ucred *cred,
+ struct msqid_kernel *msqkptr, struct label *msqklabel, int cmd)
{
LABEL_CHECK(msqklabel, MAGIC_SYSV_MSQ);
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
- COUNTER_INC(check_sysv_msqctl);
+ COUNTER_INC(sysvmsq_check_msqctl);
return (0);
}
-COUNTER_DECL(check_sysv_semctl);
+COUNTER_DECL(sysvsem_check_semctl);
static int
-mac_test_check_sysv_semctl(struct ucred *cred, struct semid_kernel *semakptr,
- struct label *semaklabel, int cmd)
+mac_test_sysvsem_check_semctl(struct ucred *cred,
+ struct semid_kernel *semakptr, struct label *semaklabel, int cmd)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(semaklabel, MAGIC_SYSV_SEM);
- COUNTER_INC(check_sysv_semctl);
+ COUNTER_INC(sysvsem_check_semctl);
return (0);
}
-COUNTER_DECL(check_sysv_semget);
+COUNTER_DECL(sysvsem_check_semget);
static int
-mac_test_check_sysv_semget(struct ucred *cred, struct semid_kernel *semakptr,
- struct label *semaklabel)
+mac_test_sysvsem_check_semget(struct ucred *cred,
+ struct semid_kernel *semakptr, struct label *semaklabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(semaklabel, MAGIC_SYSV_SEM);
- COUNTER_INC(check_sysv_semget);
+ COUNTER_INC(sysvsem_check_semget);
return (0);
}
-COUNTER_DECL(check_sysv_semop);
+COUNTER_DECL(sysvsem_check_semop);
static int
-mac_test_check_sysv_semop(struct ucred *cred, struct semid_kernel *semakptr,
- struct label *semaklabel, size_t accesstype)
+mac_test_sysvsem_check_semop(struct ucred *cred,
+ struct semid_kernel *semakptr, struct label *semaklabel, size_t accesstype)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(semaklabel, MAGIC_SYSV_SEM);
- COUNTER_INC(check_sysv_semop);
+ COUNTER_INC(sysvsem_check_semop);
return (0);
}
-COUNTER_DECL(check_sysv_shmat);
+COUNTER_DECL(sysvshm_check_shmat);
static int
-mac_test_check_sysv_shmat(struct ucred *cred, struct shmid_kernel *shmsegptr,
- struct label *shmseglabel, int shmflg)
+mac_test_sysvshm_check_shmat(struct ucred *cred,
+ struct shmid_kernel *shmsegptr, struct label *shmseglabel, int shmflg)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(shmseglabel, MAGIC_SYSV_SHM);
- COUNTER_INC(check_sysv_shmat);
+ COUNTER_INC(sysvshm_check_shmat);
return (0);
}
-COUNTER_DECL(check_sysv_shmctl);
+COUNTER_DECL(sysvshm_check_shmctl);
static int
-mac_test_check_sysv_shmctl(struct ucred *cred, struct shmid_kernel *shmsegptr,
- struct label *shmseglabel, int cmd)
+mac_test_sysvshm_check_shmctl(struct ucred *cred,
+ struct shmid_kernel *shmsegptr, struct label *shmseglabel, int cmd)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(shmseglabel, MAGIC_SYSV_SHM);
- COUNTER_INC(check_sysv_shmctl);
+ COUNTER_INC(sysvshm_check_shmctl);
return (0);
}
-COUNTER_DECL(check_sysv_shmdt);
+COUNTER_DECL(sysvshm_check_shmdt);
static int
-mac_test_check_sysv_shmdt(struct ucred *cred, struct shmid_kernel *shmsegptr,
- struct label *shmseglabel)
+mac_test_sysvshm_check_shmdt(struct ucred *cred,
+ struct shmid_kernel *shmsegptr, struct label *shmseglabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(shmseglabel, MAGIC_SYSV_SHM);
- COUNTER_INC(check_sysv_shmdt);
+ COUNTER_INC(sysvshm_check_shmdt);
return (0);
}
-COUNTER_DECL(check_sysv_shmget);
+COUNTER_DECL(sysvshm_check_shmget);
static int
-mac_test_check_sysv_shmget(struct ucred *cred, struct shmid_kernel *shmsegptr,
- struct label *shmseglabel, int shmflg)
+mac_test_sysvshm_check_shmget(struct ucred *cred,
+ struct shmid_kernel *shmsegptr, struct label *shmseglabel, int shmflg)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(shmseglabel, MAGIC_SYSV_SHM);
- COUNTER_INC(check_sysv_shmget);
+ COUNTER_INC(sysvshm_check_shmget);
return (0);
}
-COUNTER_DECL(check_kenv_dump);
+COUNTER_DECL(kenv_check_dump);
static int
-mac_test_check_kenv_dump(struct ucred *cred)
+mac_test_kenv_check_dump(struct ucred *cred)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
- COUNTER_INC(check_kenv_dump);
+ COUNTER_INC(kenv_check_dump);
return (0);
}
-COUNTER_DECL(check_kenv_get);
+COUNTER_DECL(kenv_check_get);
static int
-mac_test_check_kenv_get(struct ucred *cred, char *name)
+mac_test_kenv_check_get(struct ucred *cred, char *name)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
- COUNTER_INC(check_kenv_get);
+ COUNTER_INC(kenv_check_get);
return (0);
}
-COUNTER_DECL(check_kenv_set);
+COUNTER_DECL(kenv_check_set);
static int
-mac_test_check_kenv_set(struct ucred *cred, char *name, char *value)
+mac_test_kenv_check_set(struct ucred *cred, char *name, char *value)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
- COUNTER_INC(check_kenv_set);
+ COUNTER_INC(kenv_check_set);
return (0);
}
-COUNTER_DECL(check_kenv_unset);
+COUNTER_DECL(kenv_check_unset);
static int
-mac_test_check_kenv_unset(struct ucred *cred, char *name)
+mac_test_kenv_check_unset(struct ucred *cred, char *name)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
- COUNTER_INC(check_kenv_unset);
+ COUNTER_INC(kenv_check_unset);
return (0);
}
-COUNTER_DECL(check_kld_load);
+COUNTER_DECL(kld_check_load);
static int
-mac_test_check_kld_load(struct ucred *cred, struct vnode *vp,
+mac_test_kld_check_load(struct ucred *cred, struct vnode *vp,
struct label *label)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(label, MAGIC_VNODE);
- COUNTER_INC(check_kld_load);
+ COUNTER_INC(kld_check_load);
return (0);
}
-COUNTER_DECL(check_kld_stat);
+COUNTER_DECL(kld_check_stat);
static int
-mac_test_check_kld_stat(struct ucred *cred)
+mac_test_kld_check_stat(struct ucred *cred)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
- COUNTER_INC(check_kld_stat);
+ COUNTER_INC(kld_check_stat);
return (0);
}
-COUNTER_DECL(check_mount_stat);
+COUNTER_DECL(mount_check_stat);
static int
-mac_test_check_mount_stat(struct ucred *cred, struct mount *mp,
+mac_test_mount_check_stat(struct ucred *cred, struct mount *mp,
struct label *mplabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(mplabel, MAGIC_MOUNT);
- COUNTER_INC(check_mount_stat);
+ COUNTER_INC(mount_check_stat);
return (0);
}
-COUNTER_DECL(check_pipe_ioctl);
+COUNTER_DECL(pipe_check_ioctl);
static int
-mac_test_check_pipe_ioctl(struct ucred *cred, struct pipepair *pp,
+mac_test_pipe_check_ioctl(struct ucred *cred, struct pipepair *pp,
struct label *pipelabel, unsigned long cmd, void /* caddr_t */ *data)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(pipelabel, MAGIC_PIPE);
- COUNTER_INC(check_pipe_ioctl);
+ COUNTER_INC(pipe_check_ioctl);
return (0);
}
-COUNTER_DECL(check_pipe_poll);
+COUNTER_DECL(pipe_check_poll);
static int
-mac_test_check_pipe_poll(struct ucred *cred, struct pipepair *pp,
+mac_test_pipe_check_poll(struct ucred *cred, struct pipepair *pp,
struct label *pipelabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(pipelabel, MAGIC_PIPE);
- COUNTER_INC(check_pipe_poll);
+ COUNTER_INC(pipe_check_poll);
return (0);
}
-COUNTER_DECL(check_pipe_read);
+COUNTER_DECL(pipe_check_read);
static int
-mac_test_check_pipe_read(struct ucred *cred, struct pipepair *pp,
+mac_test_pipe_check_read(struct ucred *cred, struct pipepair *pp,
struct label *pipelabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(pipelabel, MAGIC_PIPE);
- COUNTER_INC(check_pipe_read);
+ COUNTER_INC(pipe_check_read);
return (0);
}
-COUNTER_DECL(check_pipe_relabel);
+COUNTER_DECL(pipe_check_relabel);
static int
-mac_test_check_pipe_relabel(struct ucred *cred, struct pipepair *pp,
+mac_test_pipe_check_relabel(struct ucred *cred, struct pipepair *pp,
struct label *pipelabel, struct label *newlabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(pipelabel, MAGIC_PIPE);
LABEL_CHECK(newlabel, MAGIC_PIPE);
- COUNTER_INC(check_pipe_relabel);
+ COUNTER_INC(pipe_check_relabel);
return (0);
}
-COUNTER_DECL(check_pipe_stat);
+COUNTER_DECL(pipe_check_stat);
static int
-mac_test_check_pipe_stat(struct ucred *cred, struct pipepair *pp,
+mac_test_pipe_check_stat(struct ucred *cred, struct pipepair *pp,
struct label *pipelabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(pipelabel, MAGIC_PIPE);
- COUNTER_INC(check_pipe_stat);
+ COUNTER_INC(pipe_check_stat);
return (0);
}
-COUNTER_DECL(check_pipe_write);
+COUNTER_DECL(pipe_check_write);
static int
-mac_test_check_pipe_write(struct ucred *cred, struct pipepair *pp,
+mac_test_pipe_check_write(struct ucred *cred, struct pipepair *pp,
struct label *pipelabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(pipelabel, MAGIC_PIPE);
- COUNTER_INC(check_pipe_write);
+ COUNTER_INC(pipe_check_write);
return (0);
}
-COUNTER_DECL(check_posix_sem);
+COUNTER_DECL(posixsem_check);
static int
-mac_test_check_posix_sem(struct ucred *cred, struct ksem *ks,
+mac_test_posixsem_check(struct ucred *cred, struct ksem *ks,
struct label *kslabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(kslabel, MAGIC_POSIX_SEM);
- COUNTER_INC(check_posix_sem);
+ COUNTER_INC(posixsem_check);
return (0);
}
-COUNTER_DECL(check_proc_debug);
+COUNTER_DECL(proc_check_debug);
static int
-mac_test_check_proc_debug(struct ucred *cred, struct proc *p)
+mac_test_proc_check_debug(struct ucred *cred, struct proc *p)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(p->p_ucred->cr_label, MAGIC_CRED);
- COUNTER_INC(check_proc_debug);
+ COUNTER_INC(proc_check_debug);
return (0);
}
-COUNTER_DECL(check_proc_sched);
+COUNTER_DECL(proc_check_sched);
static int
-mac_test_check_proc_sched(struct ucred *cred, struct proc *p)
+mac_test_proc_check_sched(struct ucred *cred, struct proc *p)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(p->p_ucred->cr_label, MAGIC_CRED);
- COUNTER_INC(check_proc_sched);
+ COUNTER_INC(proc_check_sched);
return (0);
}
-COUNTER_DECL(check_proc_signal);
+COUNTER_DECL(proc_check_signal);
static int
-mac_test_check_proc_signal(struct ucred *cred, struct proc *p, int signum)
+mac_test_proc_check_signal(struct ucred *cred, struct proc *p, int signum)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(p->p_ucred->cr_label, MAGIC_CRED);
- COUNTER_INC(check_proc_signal);
+ COUNTER_INC(proc_check_signal);
return (0);
}
-COUNTER_DECL(check_proc_setaudit);
+COUNTER_DECL(proc_check_setaudit);
static int
-mac_test_check_proc_setaudit(struct ucred *cred, struct auditinfo *ai)
+mac_test_proc_check_setaudit(struct ucred *cred, struct auditinfo *ai)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
- COUNTER_INC(check_proc_setaudit);
+ COUNTER_INC(proc_check_setaudit);
return (0);
}
-COUNTER_DECL(check_proc_setaudit_addr);
+COUNTER_DECL(proc_check_setaudit_addr);
static int
-mac_test_check_proc_setaudit_addr(struct ucred *cred,
+mac_test_proc_check_setaudit_addr(struct ucred *cred,
struct auditinfo_addr *aia)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
- COUNTER_INC(check_proc_setaudit_addr);
+ COUNTER_INC(proc_check_setaudit_addr);
return (0);
}
-COUNTER_DECL(check_proc_setauid);
+COUNTER_DECL(proc_check_setauid);
static int
-mac_test_check_proc_setauid(struct ucred *cred, uid_t auid)
+mac_test_proc_check_setauid(struct ucred *cred, uid_t auid)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
- COUNTER_INC(check_proc_setauid);
+ COUNTER_INC(proc_check_setauid);
return (0);
}
-COUNTER_DECL(check_proc_setuid);
+COUNTER_DECL(proc_check_setuid);
static int
-mac_test_check_proc_setuid(struct ucred *cred, uid_t uid)
+mac_test_proc_check_setuid(struct ucred *cred, uid_t uid)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
- COUNTER_INC(check_proc_setuid);
+ COUNTER_INC(proc_check_setuid);
return (0);
}
-COUNTER_DECL(check_proc_euid);
+COUNTER_DECL(proc_check_euid);
static int
-mac_test_check_proc_seteuid(struct ucred *cred, uid_t euid)
+mac_test_proc_check_seteuid(struct ucred *cred, uid_t euid)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
- COUNTER_INC(check_proc_euid);
+ COUNTER_INC(proc_check_euid);
return (0);
}
-COUNTER_DECL(check_proc_setgid);
+COUNTER_DECL(proc_check_setgid);
static int
-mac_test_check_proc_setgid(struct ucred *cred, gid_t gid)
+mac_test_proc_check_setgid(struct ucred *cred, gid_t gid)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
- COUNTER_INC(check_proc_setgid);
+ COUNTER_INC(proc_check_setgid);
return (0);
}
-COUNTER_DECL(check_proc_setegid);
+COUNTER_DECL(proc_check_setegid);
static int
-mac_test_check_proc_setegid(struct ucred *cred, gid_t egid)
+mac_test_proc_check_setegid(struct ucred *cred, gid_t egid)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
- COUNTER_INC(check_proc_setegid);
+ COUNTER_INC(proc_check_setegid);
return (0);
}
-COUNTER_DECL(check_proc_setgroups);
+COUNTER_DECL(proc_check_setgroups);
static int
-mac_test_check_proc_setgroups(struct ucred *cred, int ngroups,
+mac_test_proc_check_setgroups(struct ucred *cred, int ngroups,
gid_t *gidset)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
- COUNTER_INC(check_proc_setgroups);
+ COUNTER_INC(proc_check_setgroups);
return (0);
}
-COUNTER_DECL(check_proc_setreuid);
+COUNTER_DECL(proc_check_setreuid);
static int
-mac_test_check_proc_setreuid(struct ucred *cred, uid_t ruid, uid_t euid)
+mac_test_proc_check_setreuid(struct ucred *cred, uid_t ruid, uid_t euid)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
- COUNTER_INC(check_proc_setreuid);
+ COUNTER_INC(proc_check_setreuid);
return (0);
}
-COUNTER_DECL(check_proc_setregid);
+COUNTER_DECL(proc_check_setregid);
static int
-mac_test_check_proc_setregid(struct ucred *cred, gid_t rgid, gid_t egid)
+mac_test_proc_check_setregid(struct ucred *cred, gid_t rgid, gid_t egid)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
- COUNTER_INC(check_proc_setregid);
+ COUNTER_INC(proc_check_setregid);
return (0);
}
-COUNTER_DECL(check_proc_setresuid);
+COUNTER_DECL(proc_check_setresuid);
static int
-mac_test_check_proc_setresuid(struct ucred *cred, uid_t ruid, uid_t euid,
+mac_test_proc_check_setresuid(struct ucred *cred, uid_t ruid, uid_t euid,
uid_t suid)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
- COUNTER_INC(check_proc_setresuid);
+ COUNTER_INC(proc_check_setresuid);
return (0);
}
-COUNTER_DECL(check_proc_setresgid);
+COUNTER_DECL(proc_check_setresgid);
static int
-mac_test_check_proc_setresgid(struct ucred *cred, gid_t rgid, gid_t egid,
+mac_test_proc_check_setresgid(struct ucred *cred, gid_t rgid, gid_t egid,
gid_t sgid)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
- COUNTER_INC(check_proc_setresgid);
+ COUNTER_INC(proc_check_setresgid);
return (0);
}
-COUNTER_DECL(check_proc_wait);
+COUNTER_DECL(proc_check_wait);
static int
-mac_test_check_proc_wait(struct ucred *cred, struct proc *p)
+mac_test_proc_check_wait(struct ucred *cred, struct proc *p)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(p->p_ucred->cr_label, MAGIC_CRED);
- COUNTER_INC(check_proc_wait);
+ COUNTER_INC(proc_check_wait);
return (0);
}
-COUNTER_DECL(check_socket_accept);
+COUNTER_DECL(socket_check_accept);
static int
-mac_test_check_socket_accept(struct ucred *cred, struct socket *so,
+mac_test_socket_check_accept(struct ucred *cred, struct socket *so,
struct label *solabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(solabel, MAGIC_SOCKET);
- COUNTER_INC(check_socket_accept);
+ COUNTER_INC(socket_check_accept);
return (0);
}
-COUNTER_DECL(check_socket_bind);
+COUNTER_DECL(socket_check_bind);
static int
-mac_test_check_socket_bind(struct ucred *cred, struct socket *so,
+mac_test_socket_check_bind(struct ucred *cred, struct socket *so,
struct label *solabel, struct sockaddr *sa)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(solabel, MAGIC_SOCKET);
- COUNTER_INC(check_socket_bind);
+ COUNTER_INC(socket_check_bind);
return (0);
}
-COUNTER_DECL(check_socket_connect);
+COUNTER_DECL(socket_check_connect);
static int
-mac_test_check_socket_connect(struct ucred *cred, struct socket *so,
+mac_test_socket_check_connect(struct ucred *cred, struct socket *so,
struct label *solabel, struct sockaddr *sa)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(solabel, MAGIC_SOCKET);
- COUNTER_INC(check_socket_connect);
+ COUNTER_INC(socket_check_connect);
return (0);
}
-COUNTER_DECL(check_socket_deliver);
+COUNTER_DECL(socket_check_deliver);
static int
-mac_test_check_socket_deliver(struct socket *so, struct label *solabel,
+mac_test_socket_check_deliver(struct socket *so, struct label *solabel,
struct mbuf *m, struct label *mlabel)
{
LABEL_CHECK(solabel, MAGIC_SOCKET);
LABEL_CHECK(mlabel, MAGIC_MBUF);
- COUNTER_INC(check_socket_deliver);
+ COUNTER_INC(socket_check_deliver);
return (0);
}
-COUNTER_DECL(check_socket_listen);
+COUNTER_DECL(socket_check_listen);
static int
-mac_test_check_socket_listen(struct ucred *cred, struct socket *so,
+mac_test_socket_check_listen(struct ucred *cred, struct socket *so,
struct label *solabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(solabel, MAGIC_SOCKET);
- COUNTER_INC(check_socket_listen);
+ COUNTER_INC(socket_check_listen);
return (0);
}
-COUNTER_DECL(check_socket_poll);
+COUNTER_DECL(socket_check_poll);
static int
-mac_test_check_socket_poll(struct ucred *cred, struct socket *so,
+mac_test_socket_check_poll(struct ucred *cred, struct socket *so,
struct label *solabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(solabel, MAGIC_SOCKET);
- COUNTER_INC(check_socket_poll);
+ COUNTER_INC(socket_check_poll);
return (0);
}
-COUNTER_DECL(check_socket_receive);
+COUNTER_DECL(socket_check_receive);
static int
-mac_test_check_socket_receive(struct ucred *cred, struct socket *so,
+mac_test_socket_check_receive(struct ucred *cred, struct socket *so,
struct label *solabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(solabel, MAGIC_SOCKET);
- COUNTER_INC(check_socket_receive);
+ COUNTER_INC(socket_check_receive);
return (0);
}
-COUNTER_DECL(check_socket_relabel);
+COUNTER_DECL(socket_check_relabel);
static int
-mac_test_check_socket_relabel(struct ucred *cred, struct socket *so,
+mac_test_socket_check_relabel(struct ucred *cred, struct socket *so,
struct label *solabel, struct label *newlabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(solabel, MAGIC_SOCKET);
LABEL_CHECK(newlabel, MAGIC_SOCKET);
- COUNTER_INC(check_socket_relabel);
+ COUNTER_INC(socket_check_relabel);
return (0);
}
-COUNTER_DECL(check_socket_send);
+COUNTER_DECL(socket_check_send);
static int
-mac_test_check_socket_send(struct ucred *cred, struct socket *so,
+mac_test_socket_check_send(struct ucred *cred, struct socket *so,
struct label *solabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(solabel, MAGIC_SOCKET);
- COUNTER_INC(check_socket_send);
+ COUNTER_INC(socket_check_send);
return (0);
}
-COUNTER_DECL(check_socket_stat);
+COUNTER_DECL(socket_check_stat);
static int
-mac_test_check_socket_stat(struct ucred *cred, struct socket *so,
+mac_test_socket_check_stat(struct ucred *cred, struct socket *so,
struct label *solabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(solabel, MAGIC_SOCKET);
- COUNTER_INC(check_socket_stat);
+ COUNTER_INC(socket_check_stat);
return (0);
}
-COUNTER_DECL(check_socket_visible);
+COUNTER_DECL(socket_check_visible);
static int
-mac_test_check_socket_visible(struct ucred *cred, struct socket *so,
+mac_test_socket_check_visible(struct ucred *cred, struct socket *so,
struct label *solabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(solabel, MAGIC_SOCKET);
- COUNTER_INC(check_socket_visible);
+ COUNTER_INC(socket_check_visible);
return (0);
}
-COUNTER_DECL(check_system_acct);
+COUNTER_DECL(system_check_acct);
static int
-mac_test_check_system_acct(struct ucred *cred, struct vnode *vp,
+mac_test_system_check_acct(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(vplabel, MAGIC_VNODE);
- COUNTER_INC(check_system_acct);
+ COUNTER_INC(system_check_acct);
return (0);
}
-COUNTER_DECL(check_system_audit);
+COUNTER_DECL(system_check_audit);
static int
-mac_test_check_system_audit(struct ucred *cred, void *record, int length)
+mac_test_system_check_audit(struct ucred *cred, void *record, int length)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
- COUNTER_INC(check_system_audit);
+ COUNTER_INC(system_check_audit);
return (0);
}
-COUNTER_DECL(check_system_auditctl);
+COUNTER_DECL(system_check_auditctl);
static int
-mac_test_check_system_auditctl(struct ucred *cred, struct vnode *vp,
+mac_test_system_check_auditctl(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(vplabel, MAGIC_VNODE);
- COUNTER_INC(check_system_auditctl);
+ COUNTER_INC(system_check_auditctl);
return (0);
}
-COUNTER_DECL(check_system_auditon);
+COUNTER_DECL(system_check_auditon);
static int
-mac_test_check_system_auditon(struct ucred *cred, int cmd)
+mac_test_system_check_auditon(struct ucred *cred, int cmd)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
- COUNTER_INC(check_system_auditon);
+ COUNTER_INC(system_check_auditon);
return (0);
}
-COUNTER_DECL(check_system_reboot);
+COUNTER_DECL(system_check_reboot);
static int
-mac_test_check_system_reboot(struct ucred *cred, int how)
+mac_test_system_check_reboot(struct ucred *cred, int how)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
- COUNTER_INC(check_system_reboot);
+ COUNTER_INC(system_check_reboot);
return (0);
}
-COUNTER_DECL(check_system_swapoff);
+COUNTER_DECL(system_check_swapoff);
static int
-mac_test_check_system_swapoff(struct ucred *cred, struct vnode *vp,
+mac_test_system_check_swapoff(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(vplabel, MAGIC_VNODE);
- COUNTER_INC(check_system_swapoff);
+ COUNTER_INC(system_check_swapoff);
return (0);
}
-COUNTER_DECL(check_system_swapon);
+COUNTER_DECL(system_check_swapon);
static int
-mac_test_check_system_swapon(struct ucred *cred, struct vnode *vp,
+mac_test_system_check_swapon(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(vplabel, MAGIC_VNODE);
- COUNTER_INC(check_system_swapon);
+ COUNTER_INC(system_check_swapon);
return (0);
}
-COUNTER_DECL(check_system_sysctl);
+COUNTER_DECL(system_check_sysctl);
static int
-mac_test_check_system_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
+mac_test_system_check_sysctl(struct ucred *cred, struct sysctl_oid *oidp,
void *arg1, int arg2, struct sysctl_req *req)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
- COUNTER_INC(check_system_sysctl);
+ COUNTER_INC(system_check_sysctl);
return (0);
}
-COUNTER_DECL(check_vnode_access);
+COUNTER_DECL(vnode_check_access);
static int
-mac_test_check_vnode_access(struct ucred *cred, struct vnode *vp,
+mac_test_vnode_check_access(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int acc_mode)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(vplabel, MAGIC_VNODE);
- COUNTER_INC(check_vnode_access);
+ COUNTER_INC(vnode_check_access);
return (0);
}
-COUNTER_DECL(check_vnode_chdir);
+COUNTER_DECL(vnode_check_chdir);
static int
-mac_test_check_vnode_chdir(struct ucred *cred, struct vnode *dvp,
+mac_test_vnode_check_chdir(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(dvplabel, MAGIC_VNODE);
- COUNTER_INC(check_vnode_chdir);
+ COUNTER_INC(vnode_check_chdir);
return (0);
}
-COUNTER_DECL(check_vnode_chroot);
+COUNTER_DECL(vnode_check_chroot);
static int
-mac_test_check_vnode_chroot(struct ucred *cred, struct vnode *dvp,
+mac_test_vnode_check_chroot(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(dvplabel, MAGIC_VNODE);
- COUNTER_INC(check_vnode_chroot);
+ COUNTER_INC(vnode_check_chroot);
return (0);
}
-COUNTER_DECL(check_vnode_create);
+COUNTER_DECL(vnode_check_create);
static int
-mac_test_check_vnode_create(struct ucred *cred, struct vnode *dvp,
+mac_test_vnode_check_create(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct componentname *cnp, struct vattr *vap)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(dvplabel, MAGIC_VNODE);
- COUNTER_INC(check_vnode_create);
+ COUNTER_INC(vnode_check_create);
return (0);
}
-COUNTER_DECL(check_vnode_deleteacl);
+COUNTER_DECL(vnode_check_deleteacl);
static int
-mac_test_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
+mac_test_vnode_check_deleteacl(struct ucred *cred, struct vnode *vp,
struct label *vplabel, acl_type_t type)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(vplabel, MAGIC_VNODE);
- COUNTER_INC(check_vnode_deleteacl);
+ COUNTER_INC(vnode_check_deleteacl);
return (0);
}
-COUNTER_DECL(check_vnode_deleteextattr);
+COUNTER_DECL(vnode_check_deleteextattr);
static int
-mac_test_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
+mac_test_vnode_check_deleteextattr(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int attrnamespace, const char *name)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(vplabel, MAGIC_VNODE);
- COUNTER_INC(check_vnode_deleteextattr);
+ COUNTER_INC(vnode_check_deleteextattr);
return (0);
}
-COUNTER_DECL(check_vnode_exec);
+COUNTER_DECL(vnode_check_exec);
static int
-mac_test_check_vnode_exec(struct ucred *cred, struct vnode *vp,
+mac_test_vnode_check_exec(struct ucred *cred, struct vnode *vp,
struct label *vplabel, struct image_params *imgp,
struct label *execlabel)
{
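Review bot: The counter for `mac_test_proc_check_seteuid` is declared and incremented as `proc_check_euid`, the only pair in this hunk whose counter does not match the entry-point name; the rename carried the old `check_proc_euid` spelling over instead of correcting it. These stubs only validate label magic and count hook invocations, so a counter that cannot be found under the hook's own name makes it easy to miss whether the seteuid check was actually reached. I would change the two lines to `COUNTER_DECL(proc_check_seteuid);` and `COUNTER_INC(proc_check_seteuid);`. The body of `COUNTER_DECL` is not visible in this hunk, so the effect on the exported counter name is inferred from the naming pattern of the neighbouring hooks.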
@@ -2134,41 +2138,41 @@ mac_test_check_vnode_exec(struct ucred *cred, struct vnode *vp,
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(vplabel, MAGIC_VNODE);
LABEL_CHECK(execlabel, MAGIC_CRED);
- COUNTER_INC(check_vnode_exec);
+ COUNTER_INC(vnode_check_exec);
return (0);
}
-COUNTER_DECL(check_vnode_getacl);
+COUNTER_DECL(vnode_check_getacl);
static int
-mac_test_check_vnode_getacl(struct ucred *cred, struct vnode *vp,
+mac_test_vnode_check_getacl(struct ucred *cred, struct vnode *vp,
struct label *vplabel, acl_type_t type)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(vplabel, MAGIC_VNODE);
- COUNTER_INC(check_vnode_getacl);
+ COUNTER_INC(vnode_check_getacl);
return (0);
}
-COUNTER_DECL(check_vnode_getextattr);
+COUNTER_DECL(vnode_check_getextattr);
static int
-mac_test_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
+mac_test_vnode_check_getextattr(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int attrnamespace, const char *name,
struct uio *uio)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(vplabel, MAGIC_VNODE);
- COUNTER_INC(check_vnode_getextattr);
+ COUNTER_INC(vnode_check_getextattr);
return (0);
}
-COUNTER_DECL(check_vnode_link);
+COUNTER_DECL(vnode_check_link);
static int
-mac_test_check_vnode_link(struct ucred *cred, struct vnode *dvp,
+mac_test_vnode_check_link(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct vnode *vp, struct label *vplabel,
struct componentname *cnp)
{
@@ -2176,66 +2180,66 @@ mac_test_check_vnode_link(struct ucred *cred, struct vnode *dvp,
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(dvplabel, MAGIC_VNODE);
LABEL_CHECK(vplabel, MAGIC_VNODE);
- COUNTER_INC(check_vnode_link);
+ COUNTER_INC(vnode_check_link);
return (0);
}
-COUNTER_DECL(check_vnode_listextattr);
+COUNTER_DECL(vnode_check_listextattr);
static int
-mac_test_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
+mac_test_vnode_check_listextattr(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int attrnamespace)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(vplabel, MAGIC_VNODE);
- COUNTER_INC(check_vnode_listextattr);
+ COUNTER_INC(vnode_check_listextattr);
return (0);
}
-COUNTER_DECL(check_vnode_lookup);
+COUNTER_DECL(vnode_check_lookup);
static int
-mac_test_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
+mac_test_vnode_check_lookup(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct componentname *cnp)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(dvplabel, MAGIC_VNODE);
- COUNTER_INC(check_vnode_lookup);
+ COUNTER_INC(vnode_check_lookup);
return (0);
}
-COUNTER_DECL(check_vnode_mmap);
+COUNTER_DECL(vnode_check_mmap);
static int
-mac_test_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
+mac_test_vnode_check_mmap(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int prot, int flags)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(vplabel, MAGIC_VNODE);
- COUNTER_INC(check_vnode_mmap);
+ COUNTER_INC(vnode_check_mmap);
return (0);
}
-COUNTER_DECL(check_vnode_open);
+COUNTER_DECL(vnode_check_open);
static int
-mac_test_check_vnode_open(struct ucred *cred, struct vnode *vp,
+mac_test_vnode_check_open(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int acc_mode)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(vplabel, MAGIC_VNODE);
- COUNTER_INC(check_vnode_open);
+ COUNTER_INC(vnode_check_open);
return (0);
}
-COUNTER_DECL(check_vnode_poll);
+COUNTER_DECL(vnode_check_poll);
static int
-mac_test_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
+mac_test_vnode_check_poll(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp, struct label *vplabel)
{
@@ -2243,14 +2247,14 @@ mac_test_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
if (file_cred != NULL)
LABEL_CHECK(file_cred->cr_label, MAGIC_CRED);
LABEL_CHECK(vplabel, MAGIC_VNODE);
- COUNTER_INC(check_vnode_poll);
+ COUNTER_INC(vnode_check_poll);
return (0);
}
-COUNTER_DECL(check_vnode_read);
+COUNTER_DECL(vnode_check_read);
static int
-mac_test_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
+mac_test_vnode_check_read(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp, struct label *vplabel)
{
@@ -2258,54 +2262,54 @@ mac_test_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
if (file_cred != NULL)
LABEL_CHECK(file_cred->cr_label, MAGIC_CRED);
LABEL_CHECK(vplabel, MAGIC_VNODE);
- COUNTER_INC(check_vnode_read);
+ COUNTER_INC(vnode_check_read);
return (0);
}
-COUNTER_DECL(check_vnode_readdir);
+COUNTER_DECL(vnode_check_readdir);
static int
-mac_test_check_vnode_readdir(struct ucred *cred, struct vnode *dvp,
+mac_test_vnode_check_readdir(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(dvplabel, MAGIC_VNODE);
- COUNTER_INC(check_vnode_readdir);
+ COUNTER_INC(vnode_check_readdir);
return (0);
}
-COUNTER_DECL(check_vnode_readlink);
+COUNTER_DECL(vnode_check_readlink);
static int
-mac_test_check_vnode_readlink(struct ucred *cred, struct vnode *vp,
+mac_test_vnode_check_readlink(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(vplabel, MAGIC_VNODE);
- COUNTER_INC(check_vnode_readlink);
+ COUNTER_INC(vnode_check_readlink);
return (0);
}
-COUNTER_DECL(check_vnode_relabel);
+COUNTER_DECL(vnode_check_relabel);
static int
-mac_test_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
+mac_test_vnode_check_relabel(struct ucred *cred, struct vnode *vp,
struct label *vplabel, struct label *newlabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(vplabel, MAGIC_VNODE);
LABEL_CHECK(newlabel, MAGIC_VNODE);
- COUNTER_INC(check_vnode_relabel);
+ COUNTER_INC(vnode_check_relabel);
return (0);
}
-COUNTER_DECL(check_vnode_rename_from);
+COUNTER_DECL(vnode_check_rename_from);
static int
-mac_test_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
+mac_test_vnode_check_rename_from(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct vnode *vp, struct label *vplabel,
struct componentname *cnp)
{
@@ -2313,14 +2317,14 @@ mac_test_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(dvplabel, MAGIC_VNODE);
LABEL_CHECK(vplabel, MAGIC_VNODE);
- COUNTER_INC(check_vnode_rename_from);
+ COUNTER_INC(vnode_check_rename_from);
return (0);
}
-COUNTER_DECL(check_vnode_rename_to);
+COUNTER_DECL(vnode_check_rename_to);
static int
-mac_test_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
+mac_test_vnode_check_rename_to(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct vnode *vp, struct label *vplabel,
int samedir, struct componentname *cnp)
{
@@ -2328,106 +2332,106 @@ mac_test_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(dvplabel, MAGIC_VNODE);
LABEL_CHECK(vplabel, MAGIC_VNODE);
- COUNTER_INC(check_vnode_rename_to);
+ COUNTER_INC(vnode_check_rename_to);
return (0);
}
-COUNTER_DECL(check_vnode_revoke);
+COUNTER_DECL(vnode_check_revoke);
static int
-mac_test_check_vnode_revoke(struct ucred *cred, struct vnode *vp,
+mac_test_vnode_check_revoke(struct ucred *cred, struct vnode *vp,
struct label *vplabel)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(vplabel, MAGIC_VNODE);
- COUNTER_INC(check_vnode_revoke);
+ COUNTER_INC(vnode_check_revoke);
return (0);
}
-COUNTER_DECL(check_vnode_setacl);
+COUNTER_DECL(vnode_check_setacl);
static int
-mac_test_check_vnode_setacl(struct ucred *cred, struct vnode *vp,
+mac_test_vnode_check_setacl(struct ucred *cred, struct vnode *vp,
struct label *vplabel, acl_type_t type, struct acl *acl)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(vplabel, MAGIC_VNODE);
- COUNTER_INC(check_vnode_setacl);
+ COUNTER_INC(vnode_check_setacl);
return (0);
}
-COUNTER_DECL(check_vnode_setextattr);
+COUNTER_DECL(vnode_check_setextattr);
static int
-mac_test_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
+mac_test_vnode_check_setextattr(struct ucred *cred, struct vnode *vp,
struct label *vplabel, int attrnamespace, const char *name,
struct uio *uio)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(vplabel, MAGIC_VNODE);
- COUNTER_INC(check_vnode_setextattr);
+ COUNTER_INC(vnode_check_setextattr);
return (0);
}
-COUNTER_DECL(check_vnode_setflags);
+COUNTER_DECL(vnode_check_setflags);
static int
-mac_test_check_vnode_setflags(struct ucred *cred, struct vnode *vp,
+mac_test_vnode_check_setflags(struct ucred *cred, struct vnode *vp,
struct label *vplabel, u_long flags)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(vplabel, MAGIC_VNODE);
- COUNTER_INC(check_vnode_setflags);
+ COUNTER_INC(vnode_check_setflags);
return (0);
}
-COUNTER_DECL(check_vnode_setmode);
+COUNTER_DECL(vnode_check_setmode);
static int
-mac_test_check_vnode_setmode(struct ucred *cred, struct vnode *vp,
+mac_test_vnode_check_setmode(struct ucred *cred, struct vnode *vp,
struct label *vplabel, mode_t mode)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(vplabel, MAGIC_VNODE);
- COUNTER_INC(check_vnode_setmode);
+ COUNTER_INC(vnode_check_setmode);
return (0);
}
-COUNTER_DECL(check_vnode_setowner);
+COUNTER_DECL(vnode_check_setowner);
static int
-mac_test_check_vnode_setowner(struct ucred *cred, struct vnode *vp,
+mac_test_vnode_check_setowner(struct ucred *cred, struct vnode *vp,
struct label *vplabel, uid_t uid, gid_t gid)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(vplabel, MAGIC_VNODE);
- COUNTER_INC(check_vnode_setowner);
+ COUNTER_INC(vnode_check_setowner);
return (0);
}
-COUNTER_DECL(check_vnode_setutimes);
+COUNTER_DECL(vnode_check_setutimes);
static int
-mac_test_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
+mac_test_vnode_check_setutimes(struct ucred *cred, struct vnode *vp,
struct label *vplabel, struct timespec atime, struct timespec mtime)
{
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(vplabel, MAGIC_VNODE);
- COUNTER_INC(check_vnode_setutimes);
+ COUNTER_INC(vnode_check_setutimes);
return (0);
}
-COUNTER_DECL(check_vnode_stat);
+COUNTER_DECL(vnode_check_stat);
static int
-mac_test_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
+mac_test_vnode_check_stat(struct ucred *active_cred, struct ucred *file_cred,
struct vnode *vp, struct label *vplabel)
{
@@ -2435,14 +2439,14 @@ mac_test_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
if (file_cred != NULL)
LABEL_CHECK(file_cred->cr_label, MAGIC_CRED);
LABEL_CHECK(vplabel, MAGIC_VNODE);
- COUNTER_INC(check_vnode_stat);
+ COUNTER_INC(vnode_check_stat);
return (0);
}
-COUNTER_DECL(check_vnode_unlink);
+COUNTER_DECL(vnode_check_unlink);
static int
-mac_test_check_vnode_unlink(struct ucred *cred, struct vnode *dvp,
+mac_test_vnode_check_unlink(struct ucred *cred, struct vnode *dvp,
struct label *dvplabel, struct vnode *vp, struct label *vplabel,
struct componentname *cnp)
{
@@ -2450,14 +2454,14 @@ mac_test_check_vnode_unlink(struct ucred *cred, struct vnode *dvp,
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(dvplabel, MAGIC_VNODE);
LABEL_CHECK(vplabel, MAGIC_VNODE);
- COUNTER_INC(check_vnode_unlink);
+ COUNTER_INC(vnode_check_unlink);
return (0);
}
-COUNTER_DECL(check_vnode_write);
+COUNTER_DECL(vnode_check_write);
static int
-mac_test_check_vnode_write(struct ucred *active_cred,
+mac_test_vnode_check_write(struct ucred *active_cred,
struct ucred *file_cred, struct vnode *vp, struct label *vplabel)
{
@@ -2465,224 +2469,225 @@ mac_test_check_vnode_write(struct ucred *active_cred,
if (file_cred != NULL)
LABEL_CHECK(file_cred->cr_label, MAGIC_CRED);
LABEL_CHECK(vplabel, MAGIC_VNODE);
- COUNTER_INC(check_vnode_write);
+ COUNTER_INC(vnode_check_write);
return (0);
}
static struct mac_policy_ops mac_test_ops =
{
- .mpo_init_bpfdesc_label = mac_test_init_bpfdesc_label,
- .mpo_init_cred_label = mac_test_init_cred_label,
- .mpo_init_devfs_label = mac_test_init_devfs_label,
- .mpo_init_ifnet_label = mac_test_init_ifnet_label,
- .mpo_init_sysv_msgmsg_label = mac_test_init_sysv_msgmsg_label,
- .mpo_init_sysv_msgqueue_label = mac_test_init_sysv_msgqueue_label,
- .mpo_init_sysv_sem_label = mac_test_init_sysv_sem_label,
- .mpo_init_sysv_shm_label = mac_test_init_sysv_shm_label,
- .mpo_init_inpcb_label = mac_test_init_inpcb_label,
- .mpo_init_ipq_label = mac_test_init_ipq_label,
- .mpo_init_mbuf_label = mac_test_init_mbuf_label,
- .mpo_init_mount_label = mac_test_init_mount_label,
- .mpo_init_pipe_label = mac_test_init_pipe_label,
- .mpo_init_posix_sem_label = mac_test_init_posix_sem_label,
- .mpo_init_proc_label = mac_test_init_proc_label,
- .mpo_init_socket_label = mac_test_init_socket_label,
- .mpo_init_socket_peer_label = mac_test_init_socket_peer_label,
- .mpo_init_vnode_label = mac_test_init_vnode_label,
- .mpo_destroy_bpfdesc_label = mac_test_destroy_bpfdesc_label,
- .mpo_destroy_cred_label = mac_test_destroy_cred_label,
- .mpo_destroy_devfs_label = mac_test_destroy_devfs_label,
- .mpo_destroy_ifnet_label = mac_test_destroy_ifnet_label,
- .mpo_destroy_sysv_msgmsg_label = mac_test_destroy_sysv_msgmsg_label,
- .mpo_destroy_sysv_msgqueue_label =
- mac_test_destroy_sysv_msgqueue_label,
- .mpo_destroy_sysv_sem_label = mac_test_destroy_sysv_sem_label,
- .mpo_destroy_sysv_shm_label = mac_test_destroy_sysv_shm_label,
- .mpo_destroy_inpcb_label = mac_test_destroy_inpcb_label,
- .mpo_destroy_ipq_label = mac_test_destroy_ipq_label,
- .mpo_destroy_mbuf_label = mac_test_destroy_mbuf_label,
- .mpo_destroy_mount_label = mac_test_destroy_mount_label,
- .mpo_destroy_pipe_label = mac_test_destroy_pipe_label,
- .mpo_destroy_posix_sem_label = mac_test_destroy_posix_sem_label,
- .mpo_destroy_proc_label = mac_test_destroy_proc_label,
- .mpo_destroy_socket_label = mac_test_destroy_socket_label,
- .mpo_destroy_socket_peer_label = mac_test_destroy_socket_peer_label,
- .mpo_destroy_vnode_label = mac_test_destroy_vnode_label,
- .mpo_copy_cred_label = mac_test_copy_cred_label,
- .mpo_copy_ifnet_label = mac_test_copy_ifnet_label,
- .mpo_copy_mbuf_label = mac_test_copy_mbuf_label,
- .mpo_copy_pipe_label = mac_test_copy_pipe_label,
- .mpo_copy_socket_label = mac_test_copy_socket_label,
- .mpo_copy_vnode_label = mac_test_copy_vnode_label,
- .mpo_externalize_cred_label = mac_test_externalize_label,
- .mpo_externalize_ifnet_label = mac_test_externalize_label,
- .mpo_externalize_pipe_label = mac_test_externalize_label,
- .mpo_externalize_socket_label = mac_test_externalize_label,
- .mpo_externalize_socket_peer_label = mac_test_externalize_label,
- .mpo_externalize_vnode_label = mac_test_externalize_label,
- .mpo_internalize_cred_label = mac_test_internalize_label,
- .mpo_internalize_ifnet_label = mac_test_internalize_label,
- .mpo_internalize_pipe_label = mac_test_internalize_label,
- .mpo_internalize_socket_label = mac_test_internalize_label,
- .mpo_internalize_vnode_label = mac_test_internalize_label,
- .mpo_associate_vnode_devfs = mac_test_associate_vnode_devfs,
- .mpo_associate_vnode_extattr = mac_test_associate_vnode_extattr,
- .mpo_associate_vnode_singlelabel = mac_test_associate_vnode_singlelabel,
- .mpo_create_devfs_device = mac_test_create_devfs_device,
- .mpo_create_devfs_directory = mac_test_create_devfs_directory,
- .mpo_create_devfs_symlink = mac_test_create_devfs_symlink,
- .mpo_create_vnode_extattr = mac_test_create_vnode_extattr,
- .mpo_create_mount = mac_test_create_mount,
- .mpo_relabel_vnode = mac_test_relabel_vnode,
- .mpo_setlabel_vnode_extattr = mac_test_setlabel_vnode_extattr,
- .mpo_update_devfs = mac_test_update_devfs,
- .mpo_create_mbuf_from_socket = mac_test_create_mbuf_from_socket,
- .mpo_create_pipe = mac_test_create_pipe,
- .mpo_create_posix_sem = mac_test_create_posix_sem,
- .mpo_create_socket = mac_test_create_socket,
- .mpo_create_socket_from_socket = mac_test_create_socket_from_socket,
- .mpo_relabel_pipe = mac_test_relabel_pipe,
- .mpo_relabel_socket = mac_test_relabel_socket,
- .mpo_set_socket_peer_from_mbuf = mac_test_set_socket_peer_from_mbuf,
- .mpo_set_socket_peer_from_socket = mac_test_set_socket_peer_from_socket,
- .mpo_create_bpfdesc = mac_test_create_bpfdesc,
- .mpo_create_ifnet = mac_test_create_ifnet,
- .mpo_create_inpcb_from_socket = mac_test_create_inpcb_from_socket,
- .mpo_create_sysv_msgmsg = mac_test_create_sysv_msgmsg,
- .mpo_create_sysv_msgqueue = mac_test_create_sysv_msgqueue,
- .mpo_create_sysv_sem = mac_test_create_sysv_sem,
- .mpo_create_sysv_shm = mac_test_create_sysv_shm,
- .mpo_create_datagram_from_ipq = mac_test_create_datagram_from_ipq,
- .mpo_create_fragment = mac_test_create_fragment,
- .mpo_create_ipq = mac_test_create_ipq,
- .mpo_create_mbuf_from_inpcb = mac_test_create_mbuf_from_inpcb,
+ .mpo_bpfdesc_init_label = mac_test_bpfdesc_init_label,
+ .mpo_cred_init_label = mac_test_cred_init_label,
+ .mpo_devfs_init_label = mac_test_devfs_init_label,
+ .mpo_ifnet_init_label = mac_test_ifnet_init_label,
+ .mpo_sysvmsg_init_label = mac_test_sysvmsg_init_label,
+ .mpo_sysvmsq_init_label = mac_test_sysvmsq_init_label,
+ .mpo_sysvsem_init_label = mac_test_sysvsem_init_label,
+ .mpo_sysvshm_init_label = mac_test_sysvshm_init_label,
+ .mpo_inpcb_init_label = mac_test_inpcb_init_label,
+ .mpo_ipq_init_label = mac_test_ipq_init_label,
+ .mpo_mbuf_init_label = mac_test_mbuf_init_label,
+ .mpo_mount_init_label = mac_test_mount_init_label,
+ .mpo_pipe_init_label = mac_test_pipe_init_label,
+ .mpo_posixsem_init_label = mac_test_posixsem_init_label,
+ .mpo_proc_init_label = mac_test_proc_init_label,
+ .mpo_socket_init_label = mac_test_socket_init_label,
+ .mpo_socketpeer_init_label = mac_test_socketpeer_init_label,
+ .mpo_vnode_init_label = mac_test_vnode_init_label,
+ .mpo_bpfdesc_destroy_label = mac_test_bpfdesc_destroy_label,
+ .mpo_cred_destroy_label = mac_test_cred_destroy_label,
+ .mpo_devfs_destroy_label = mac_test_devfs_destroy_label,
+ .mpo_ifnet_destroy_label = mac_test_ifnet_destroy_label,
+ .mpo_sysvmsg_destroy_label = mac_test_sysvmsg_destroy_label,
+ .mpo_sysvmsq_destroy_label =
+ mac_test_sysvmsq_destroy_label,
+ .mpo_sysvsem_destroy_label = mac_test_sysvsem_destroy_label,
+ .mpo_sysvshm_destroy_label = mac_test_sysvshm_destroy_label,
+ .mpo_inpcb_destroy_label = mac_test_inpcb_destroy_label,
+ .mpo_ipq_destroy_label = mac_test_ipq_destroy_label,
+ .mpo_mbuf_destroy_label = mac_test_mbuf_destroy_label,
+ .mpo_mount_destroy_label = mac_test_mount_destroy_label,
+ .mpo_pipe_destroy_label = mac_test_pipe_destroy_label,
+ .mpo_posixsem_destroy_label = mac_test_posixsem_destroy_label,
+ .mpo_proc_destroy_label = mac_test_proc_destroy_label,
+ .mpo_socket_destroy_label = mac_test_socket_destroy_label,
+ .mpo_socketpeer_destroy_label = mac_test_socketpeer_destroy_label,
+ .mpo_vnode_destroy_label = mac_test_vnode_destroy_label,
+ .mpo_cred_copy_label = mac_test_cred_copy_label,
+ .mpo_ifnet_copy_label = mac_test_ifnet_copy_label,
+ .mpo_mbuf_copy_label = mac_test_mbuf_copy_label,
+ .mpo_pipe_copy_label = mac_test_pipe_copy_label,
+ .mpo_socket_copy_label = mac_test_socket_copy_label,
+ .mpo_vnode_copy_label = mac_test_vnode_copy_label,
+ .mpo_cred_externalize_label = mac_test_externalize_label,
+ .mpo_ifnet_externalize_label = mac_test_externalize_label,
+ .mpo_pipe_externalize_label = mac_test_externalize_label,
+ .mpo_socket_externalize_label = mac_test_externalize_label,
+ .mpo_socketpeer_externalize_label = mac_test_externalize_label,
+ .mpo_vnode_externalize_label = mac_test_externalize_label,
+ .mpo_cred_internalize_label = mac_test_internalize_label,
+ .mpo_ifnet_internalize_label = mac_test_internalize_label,
+ .mpo_pipe_internalize_label = mac_test_internalize_label,
+ .mpo_socket_internalize_label = mac_test_internalize_label,
+ .mpo_vnode_internalize_label = mac_test_internalize_label,
+ .mpo_devfs_vnode_associate = mac_test_devfs_vnode_associate,
+ .mpo_vnode_associate_extattr = mac_test_vnode_associate_extattr,
+ .mpo_vnode_associate_singlelabel = mac_test_vnode_associate_singlelabel,
+ .mpo_devfs_create_device = mac_test_devfs_create_device,
+ .mpo_devfs_create_directory = mac_test_devfs_create_directory,
+ .mpo_devfs_create_symlink = mac_test_devfs_create_symlink,
+ .mpo_vnode_create_extattr = mac_test_vnode_create_extattr,
+ .mpo_mount_create = mac_test_mount_create,
+ .mpo_vnode_relabel = mac_test_vnode_relabel,
+ .mpo_vnode_setlabel_extattr = mac_test_vnode_setlabel_extattr,
+ .mpo_devfs_update = mac_test_devfs_update,
+ .mpo_socket_create_mbuf = mac_test_socket_create_mbuf,
+ .mpo_pipe_create = mac_test_pipe_create,
+ .mpo_posixsem_create = mac_test_posixsem_create,
+ .mpo_socket_create = mac_test_socket_create,
+ .mpo_socket_newconn = mac_test_socket_newconn,
+ .mpo_pipe_relabel = mac_test_pipe_relabel,
+ .mpo_socket_relabel = mac_test_socket_relabel,
+ .mpo_socketpeer_set_from_mbuf = mac_test_socketpeer_set_from_mbuf,
+ .mpo_socketpeer_set_from_socket = mac_test_socketpeer_set_from_socket,
+ .mpo_bpfdesc_create = mac_test_bpfdesc_create,
+ .mpo_ifnet_create = mac_test_ifnet_create,
+ .mpo_inpcb_create = mac_test_inpcb_create,
+ .mpo_sysvmsg_create = mac_test_sysvmsg_create,
+ .mpo_sysvmsq_create = mac_test_sysvmsq_create,
+ .mpo_sysvsem_create = mac_test_sysvsem_create,
+ .mpo_sysvshm_create = mac_test_sysvshm_create,
+ .mpo_ipq_reassemble = mac_test_ipq_reassemble,
+ .mpo_netinet_fragment = mac_test_netinet_fragment,
+ .mpo_ipq_create = mac_test_ipq_create,
+ .mpo_inpcb_create_mbuf = mac_test_inpcb_create_mbuf,
.mpo_create_mbuf_linklayer = mac_test_create_mbuf_linklayer,
- .mpo_create_mbuf_from_bpfdesc = mac_test_create_mbuf_from_bpfdesc,
- .mpo_create_mbuf_from_ifnet = mac_test_create_mbuf_from_ifnet,
- .mpo_create_mbuf_multicast_encap = mac_test_create_mbuf_multicast_encap,
- .mpo_create_mbuf_netlayer = mac_test_create_mbuf_netlayer,
- .mpo_fragment_match = mac_test_fragment_match,
- .mpo_reflect_mbuf_icmp = mac_test_reflect_mbuf_icmp,
- .mpo_reflect_mbuf_tcp = mac_test_reflect_mbuf_tcp,
- .mpo_relabel_ifnet = mac_test_relabel_ifnet,
- .mpo_update_ipq = mac_test_update_ipq,
+ .mpo_bpfdesc_create_mbuf = mac_test_bpfdesc_create_mbuf,
+ .mpo_ifnet_create_mbuf = mac_test_ifnet_create_mbuf,
+ .mpo_mbuf_create_multicast_encap = mac_test_mbuf_create_multicast_encap,
+ .mpo_mbuf_create_netlayer = mac_test_mbuf_create_netlayer,
+ .mpo_ipq_match = mac_test_ipq_match,
+ .mpo_netinet_icmp_reply = mac_test_netinet_icmp_reply,
+ .mpo_netinet_tcp_reply = mac_test_netinet_tcp_reply,
+ .mpo_ifnet_relabel = mac_test_ifnet_relabel,
+ .mpo_ipq_update = mac_test_ipq_update,
.mpo_inpcb_sosetlabel = mac_test_inpcb_sosetlabel,
- .mpo_execve_transition = mac_test_execve_transition,
- .mpo_execve_will_transition = mac_test_execve_will_transition,
- .mpo_create_proc0 = mac_test_create_proc0,
- .mpo_create_proc1 = mac_test_create_proc1,
- .mpo_relabel_cred = mac_test_relabel_cred,
+ .mpo_vnode_execve_transition = mac_test_vnode_execve_transition,
+ .mpo_vnode_execve_will_transition =
+ mac_test_vnode_execve_will_transition,
+ .mpo_proc_create_swapper = mac_test_proc_create_swapper,
+ .mpo_proc_create_init = mac_test_proc_create_init,
+ .mpo_cred_relabel = mac_test_cred_relabel,
.mpo_thread_userret = mac_test_thread_userret,
- .mpo_cleanup_sysv_msgmsg = mac_test_cleanup_sysv_msgmsg,
- .mpo_cleanup_sysv_msgqueue = mac_test_cleanup_sysv_msgqueue,
- .mpo_cleanup_sysv_sem = mac_test_cleanup_sysv_sem,
- .mpo_cleanup_sysv_shm = mac_test_cleanup_sysv_shm,
- .mpo_check_bpfdesc_receive = mac_test_check_bpfdesc_receive,
- .mpo_check_cred_relabel = mac_test_check_cred_relabel,
- .mpo_check_cred_visible = mac_test_check_cred_visible,
- .mpo_check_ifnet_relabel = mac_test_check_ifnet_relabel,
- .mpo_check_ifnet_transmit = mac_test_check_ifnet_transmit,
- .mpo_check_inpcb_deliver = mac_test_check_inpcb_deliver,
- .mpo_check_sysv_msgmsq = mac_test_check_sysv_msgmsq,
- .mpo_check_sysv_msgrcv = mac_test_check_sysv_msgrcv,
- .mpo_check_sysv_msgrmid = mac_test_check_sysv_msgrmid,
- .mpo_check_sysv_msqget = mac_test_check_sysv_msqget,
- .mpo_check_sysv_msqsnd = mac_test_check_sysv_msqsnd,
- .mpo_check_sysv_msqrcv = mac_test_check_sysv_msqrcv,
- .mpo_check_sysv_msqctl = mac_test_check_sysv_msqctl,
- .mpo_check_sysv_semctl = mac_test_check_sysv_semctl,
- .mpo_check_sysv_semget = mac_test_check_sysv_semget,
- .mpo_check_sysv_semop = mac_test_check_sysv_semop,
- .mpo_check_sysv_shmat = mac_test_check_sysv_shmat,
- .mpo_check_sysv_shmctl = mac_test_check_sysv_shmctl,
- .mpo_check_sysv_shmdt = mac_test_check_sysv_shmdt,
- .mpo_check_sysv_shmget = mac_test_check_sysv_shmget,
- .mpo_check_kenv_dump = mac_test_check_kenv_dump,
- .mpo_check_kenv_get = mac_test_check_kenv_get,
- .mpo_check_kenv_set = mac_test_check_kenv_set,
- .mpo_check_kenv_unset = mac_test_check_kenv_unset,
- .mpo_check_kld_load = mac_test_check_kld_load,
- .mpo_check_kld_stat = mac_test_check_kld_stat,
- .mpo_check_mount_stat = mac_test_check_mount_stat,
- .mpo_check_pipe_ioctl = mac_test_check_pipe_ioctl,
- .mpo_check_pipe_poll = mac_test_check_pipe_poll,
- .mpo_check_pipe_read = mac_test_check_pipe_read,
- .mpo_check_pipe_relabel = mac_test_check_pipe_relabel,
- .mpo_check_pipe_stat = mac_test_check_pipe_stat,
- .mpo_check_pipe_write = mac_test_check_pipe_write,
- .mpo_check_posix_sem_destroy = mac_test_check_posix_sem,
- .mpo_check_posix_sem_getvalue = mac_test_check_posix_sem,
- .mpo_check_posix_sem_open = mac_test_check_posix_sem,
- .mpo_check_posix_sem_post = mac_test_check_posix_sem,
- .mpo_check_posix_sem_unlink = mac_test_check_posix_sem,
- .mpo_check_posix_sem_wait = mac_test_check_posix_sem,
- .mpo_check_proc_debug = mac_test_check_proc_debug,
- .mpo_check_proc_sched = mac_test_check_proc_sched,
- .mpo_check_proc_setaudit = mac_test_check_proc_setaudit,
- .mpo_check_proc_setaudit_addr = mac_test_check_proc_setaudit_addr,
- .mpo_check_proc_setauid = mac_test_check_proc_setauid,
- .mpo_check_proc_setuid = mac_test_check_proc_setuid,
- .mpo_check_proc_seteuid = mac_test_check_proc_seteuid,
- .mpo_check_proc_setgid = mac_test_check_proc_setgid,
- .mpo_check_proc_setegid = mac_test_check_proc_setegid,
- .mpo_check_proc_setgroups = mac_test_check_proc_setgroups,
- .mpo_check_proc_setreuid = mac_test_check_proc_setreuid,
- .mpo_check_proc_setregid = mac_test_check_proc_setregid,
- .mpo_check_proc_setresuid = mac_test_check_proc_setresuid,
- .mpo_check_proc_setresgid = mac_test_check_proc_setresgid,
- .mpo_check_proc_signal = mac_test_check_proc_signal,
- .mpo_check_proc_wait = mac_test_check_proc_wait,
- .mpo_check_socket_accept = mac_test_check_socket_accept,
- .mpo_check_socket_bind = mac_test_check_socket_bind,
- .mpo_check_socket_connect = mac_test_check_socket_connect,
- .mpo_check_socket_deliver = mac_test_check_socket_deliver,
- .mpo_check_socket_listen = mac_test_check_socket_listen,
- .mpo_check_socket_poll = mac_test_check_socket_poll,
- .mpo_check_socket_receive = mac_test_check_socket_receive,
- .mpo_check_socket_relabel = mac_test_check_socket_relabel,
- .mpo_check_socket_send = mac_test_check_socket_send,
- .mpo_check_socket_stat = mac_test_check_socket_stat,
- .mpo_check_socket_visible = mac_test_check_socket_visible,
- .mpo_check_system_acct = mac_test_check_system_acct,
- .mpo_check_system_audit = mac_test_check_system_audit,
- .mpo_check_system_auditctl = mac_test_check_system_auditctl,
- .mpo_check_system_auditon = mac_test_check_system_auditon,
- .mpo_check_system_reboot = mac_test_check_system_reboot,
- .mpo_check_system_swapoff = mac_test_check_system_swapoff,
- .mpo_check_system_swapon = mac_test_check_system_swapon,
- .mpo_check_system_sysctl = mac_test_check_system_sysctl,
- .mpo_check_vnode_access = mac_test_check_vnode_access,
- .mpo_check_vnode_chdir = mac_test_check_vnode_chdir,
- .mpo_check_vnode_chroot = mac_test_check_vnode_chroot,
- .mpo_check_vnode_create = mac_test_check_vnode_create,
- .mpo_check_vnode_deleteacl = mac_test_check_vnode_deleteacl,
- .mpo_check_vnode_deleteextattr = mac_test_check_vnode_deleteextattr,
- .mpo_check_vnode_exec = mac_test_check_vnode_exec,
- .mpo_check_vnode_getacl = mac_test_check_vnode_getacl,
- .mpo_check_vnode_getextattr = mac_test_check_vnode_getextattr,
- .mpo_check_vnode_link = mac_test_check_vnode_link,
- .mpo_check_vnode_listextattr = mac_test_check_vnode_listextattr,
- .mpo_check_vnode_lookup = mac_test_check_vnode_lookup,
- .mpo_check_vnode_mmap = mac_test_check_vnode_mmap,
- .mpo_check_vnode_open = mac_test_check_vnode_open,
- .mpo_check_vnode_poll = mac_test_check_vnode_poll,
- .mpo_check_vnode_read = mac_test_check_vnode_read,
- .mpo_check_vnode_readdir = mac_test_check_vnode_readdir,
- .mpo_check_vnode_readlink = mac_test_check_vnode_readlink,
- .mpo_check_vnode_relabel = mac_test_check_vnode_relabel,
- .mpo_check_vnode_rename_from = mac_test_check_vnode_rename_from,
- .mpo_check_vnode_rename_to = mac_test_check_vnode_rename_to,
- .mpo_check_vnode_revoke = mac_test_check_vnode_revoke,
- .mpo_check_vnode_setacl = mac_test_check_vnode_setacl,
- .mpo_check_vnode_setextattr = mac_test_check_vnode_setextattr,
- .mpo_check_vnode_setflags = mac_test_check_vnode_setflags,
- .mpo_check_vnode_setmode = mac_test_check_vnode_setmode,
- .mpo_check_vnode_setowner = mac_test_check_vnode_setowner,
- .mpo_check_vnode_setutimes = mac_test_check_vnode_setutimes,
- .mpo_check_vnode_stat = mac_test_check_vnode_stat,
- .mpo_check_vnode_unlink = mac_test_check_vnode_unlink,
- .mpo_check_vnode_write = mac_test_check_vnode_write,
+ .mpo_sysvmsg_cleanup = mac_test_sysvmsg_cleanup,
+ .mpo_sysvmsq_cleanup = mac_test_sysvmsq_cleanup,
+ .mpo_sysvsem_cleanup = mac_test_sysvsem_cleanup,
+ .mpo_sysvshm_cleanup = mac_test_sysvshm_cleanup,
+ .mpo_bpfdesc_check_receive = mac_test_bpfdesc_check_receive,
+ .mpo_cred_check_relabel = mac_test_cred_check_relabel,
+ .mpo_cred_check_visible = mac_test_cred_check_visible,
+ .mpo_ifnet_check_relabel = mac_test_ifnet_check_relabel,
+ .mpo_ifnet_check_transmit = mac_test_ifnet_check_transmit,
+ .mpo_inpcb_check_deliver = mac_test_inpcb_check_deliver,
+ .mpo_sysvmsq_check_msgmsq = mac_test_sysvmsq_check_msgmsq,
+ .mpo_sysvmsq_check_msgrcv = mac_test_sysvmsq_check_msgrcv,
+ .mpo_sysvmsq_check_msgrmid = mac_test_sysvmsq_check_msgrmid,
+ .mpo_sysvmsq_check_msqget = mac_test_sysvmsq_check_msqget,
+ .mpo_sysvmsq_check_msqsnd = mac_test_sysvmsq_check_msqsnd,
+ .mpo_sysvmsq_check_msqrcv = mac_test_sysvmsq_check_msqrcv,
+ .mpo_sysvmsq_check_msqctl = mac_test_sysvmsq_check_msqctl,
+ .mpo_sysvsem_check_semctl = mac_test_sysvsem_check_semctl,
+ .mpo_sysvsem_check_semget = mac_test_sysvsem_check_semget,
+ .mpo_sysvsem_check_semop = mac_test_sysvsem_check_semop,
+ .mpo_sysvshm_check_shmat = mac_test_sysvshm_check_shmat,
+ .mpo_sysvshm_check_shmctl = mac_test_sysvshm_check_shmctl,
+ .mpo_sysvshm_check_shmdt = mac_test_sysvshm_check_shmdt,
+ .mpo_sysvshm_check_shmget = mac_test_sysvshm_check_shmget,
+ .mpo_kenv_check_dump = mac_test_kenv_check_dump,
+ .mpo_kenv_check_get = mac_test_kenv_check_get,
+ .mpo_kenv_check_set = mac_test_kenv_check_set,
+ .mpo_kenv_check_unset = mac_test_kenv_check_unset,
+ .mpo_kld_check_load = mac_test_kld_check_load,
+ .mpo_kld_check_stat = mac_test_kld_check_stat,
+ .mpo_mount_check_stat = mac_test_mount_check_stat,
+ .mpo_pipe_check_ioctl = mac_test_pipe_check_ioctl,
+ .mpo_pipe_check_poll = mac_test_pipe_check_poll,
+ .mpo_pipe_check_read = mac_test_pipe_check_read,
+ .mpo_pipe_check_relabel = mac_test_pipe_check_relabel,
+ .mpo_pipe_check_stat = mac_test_pipe_check_stat,
+ .mpo_pipe_check_write = mac_test_pipe_check_write,
+ .mpo_posixsem_check_destroy = mac_test_posixsem_check,
+ .mpo_posixsem_check_getvalue = mac_test_posixsem_check,
+ .mpo_posixsem_check_open = mac_test_posixsem_check,
+ .mpo_posixsem_check_post = mac_test_posixsem_check,
+ .mpo_posixsem_check_unlink = mac_test_posixsem_check,
+ .mpo_posixsem_check_wait = mac_test_posixsem_check,
+ .mpo_proc_check_debug = mac_test_proc_check_debug,
+ .mpo_proc_check_sched = mac_test_proc_check_sched,
+ .mpo_proc_check_setaudit = mac_test_proc_check_setaudit,
+ .mpo_proc_check_setaudit_addr = mac_test_proc_check_setaudit_addr,
+ .mpo_proc_check_setauid = mac_test_proc_check_setauid,
+ .mpo_proc_check_setuid = mac_test_proc_check_setuid,
+ .mpo_proc_check_seteuid = mac_test_proc_check_seteuid,
+ .mpo_proc_check_setgid = mac_test_proc_check_setgid,
+ .mpo_proc_check_setegid = mac_test_proc_check_setegid,
+ .mpo_proc_check_setgroups = mac_test_proc_check_setgroups,
+ .mpo_proc_check_setreuid = mac_test_proc_check_setreuid,
+ .mpo_proc_check_setregid = mac_test_proc_check_setregid,
+ .mpo_proc_check_setresuid = mac_test_proc_check_setresuid,
+ .mpo_proc_check_setresgid = mac_test_proc_check_setresgid,
+ .mpo_proc_check_signal = mac_test_proc_check_signal,
+ .mpo_proc_check_wait = mac_test_proc_check_wait,
+ .mpo_socket_check_accept = mac_test_socket_check_accept,
+ .mpo_socket_check_bind = mac_test_socket_check_bind,
+ .mpo_socket_check_connect = mac_test_socket_check_connect,
+ .mpo_socket_check_deliver = mac_test_socket_check_deliver,
+ .mpo_socket_check_listen = mac_test_socket_check_listen,
+ .mpo_socket_check_poll = mac_test_socket_check_poll,
+ .mpo_socket_check_receive = mac_test_socket_check_receive,
+ .mpo_socket_check_relabel = mac_test_socket_check_relabel,
+ .mpo_socket_check_send = mac_test_socket_check_send,
+ .mpo_socket_check_stat = mac_test_socket_check_stat,
+ .mpo_socket_check_visible = mac_test_socket_check_visible,
+ .mpo_system_check_acct = mac_test_system_check_acct,
+ .mpo_system_check_audit = mac_test_system_check_audit,
+ .mpo_system_check_auditctl = mac_test_system_check_auditctl,
+ .mpo_system_check_auditon = mac_test_system_check_auditon,
+ .mpo_system_check_reboot = mac_test_system_check_reboot,
+ .mpo_system_check_swapoff = mac_test_system_check_swapoff,
+ .mpo_system_check_swapon = mac_test_system_check_swapon,
+ .mpo_system_check_sysctl = mac_test_system_check_sysctl,
+ .mpo_vnode_check_access = mac_test_vnode_check_access,
+ .mpo_vnode_check_chdir = mac_test_vnode_check_chdir,
+ .mpo_vnode_check_chroot = mac_test_vnode_check_chroot,
+ .mpo_vnode_check_create = mac_test_vnode_check_create,
+ .mpo_vnode_check_deleteacl = mac_test_vnode_check_deleteacl,
+ .mpo_vnode_check_deleteextattr = mac_test_vnode_check_deleteextattr,
+ .mpo_vnode_check_exec = mac_test_vnode_check_exec,
+ .mpo_vnode_check_getacl = mac_test_vnode_check_getacl,
+ .mpo_vnode_check_getextattr = mac_test_vnode_check_getextattr,
+ .mpo_vnode_check_link = mac_test_vnode_check_link,
+ .mpo_vnode_check_listextattr = mac_test_vnode_check_listextattr,
+ .mpo_vnode_check_lookup = mac_test_vnode_check_lookup,
+ .mpo_vnode_check_mmap = mac_test_vnode_check_mmap,
+ .mpo_vnode_check_open = mac_test_vnode_check_open,
+ .mpo_vnode_check_poll = mac_test_vnode_check_poll,
+ .mpo_vnode_check_read = mac_test_vnode_check_read,
+ .mpo_vnode_check_readdir = mac_test_vnode_check_readdir,
+ .mpo_vnode_check_readlink = mac_test_vnode_check_readlink,
+ .mpo_vnode_check_relabel = mac_test_vnode_check_relabel,
+ .mpo_vnode_check_rename_from = mac_test_vnode_check_rename_from,
+ .mpo_vnode_check_rename_to = mac_test_vnode_check_rename_to,
+ .mpo_vnode_check_revoke = mac_test_vnode_check_revoke,
+ .mpo_vnode_check_setacl = mac_test_vnode_check_setacl,
+ .mpo_vnode_check_setextattr = mac_test_vnode_check_setextattr,
+ .mpo_vnode_check_setflags = mac_test_vnode_check_setflags,
+ .mpo_vnode_check_setmode = mac_test_vnode_check_setmode,
+ .mpo_vnode_check_setowner = mac_test_vnode_check_setowner,
+ .mpo_vnode_check_setutimes = mac_test_vnode_check_setutimes,
+ .mpo_vnode_check_stat = mac_test_vnode_check_stat,
+ .mpo_vnode_check_unlink = mac_test_vnode_check_unlink,
+ .mpo_vnode_check_write = mac_test_vnode_check_write,
};
MAC_POLICY_SET(&mac_test_ops, mac_test, "TrustedBSD MAC/Test",
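Review bot: The ops table keeps `.mpo_create_mbuf_linklayer = mac_test_create_mbuf_linklayer` as an unchanged context line, so this one entry stays verb-first while its neighbours move to object-first names such as `.mpo_bpfdesc_create_mbuf` and `.mpo_ifnet_create_mbuf`. If the framework's policy-ops structure deliberately retains that field name for now, a short comment above the entry, e.g. `/* XXX: not yet converted to the object-first naming */`, would stop readers from taking it for a missed rename. Otherwise it would presumably follow the same pattern as the other mbuf entries (something like `.mpo_mbuf_create_linklayer`, to be confirmed against the header). As a minor style point, the wrapped initializer `.mpo_sysvmsq_destroy_label =` / `mac_test_sysvmsq_destroy_label,` looks short enough after the rename to be joined onto one line.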
diff --git a/sys/ufs/ffs/ffs_vfsops.c b/sys/ufs/ffs/ffs_vfsops.c
index 8f5a046..cdead73 100644
--- a/sys/ufs/ffs/ffs_vfsops.c
+++ b/sys/ufs/ffs/ffs_vfsops.c
@@ -1464,7 +1464,7 @@ ffs_vget(mp, ino, flags, vpp)
* multi-label, attempt to perform a label association
* from the extended attributes on the inode.
*/
- error = mac_associate_vnode_extattr(mp, vp);
+ error = mac_vnode_associate_extattr(mp, vp);
if (error) {
/* ufs_inactive will release ip->i_devvp ref. */
vput(vp);
diff --git a/sys/ufs/ufs/ufs_vnops.c b/sys/ufs/ufs/ufs_vnops.c
index ec28c2d..9256a69 100644
--- a/sys/ufs/ufs/ufs_vnops.c
+++ b/sys/ufs/ufs/ufs_vnops.c
@@ -1545,7 +1545,7 @@ ufs_mkdir(ap)
goto bad;
#ifdef MAC
if (dvp->v_mount->mnt_flag & MNT_MULTILABEL) {
- error = mac_create_vnode_extattr(cnp->cn_cred, dvp->v_mount,
+ error = mac_vnode_create_extattr(cnp->cn_cred, dvp->v_mount,
dvp, tvp, cnp);
if (error)
goto bad;
@@ -2382,7 +2382,7 @@ ufs_makeinode(mode, dvp, vpp, cnp)
goto bad;
#ifdef MAC
if (dvp->v_mount->mnt_flag & MNT_MULTILABEL) {
- error = mac_create_vnode_extattr(cnp->cn_cred, dvp->v_mount,
+ error = mac_vnode_create_extattr(cnp->cn_cred, dvp->v_mount,
dvp, tvp, cnp);
if (error)
goto bad;
diff --git a/sys/vm/swap_pager.c b/sys/vm/swap_pager.c
index eb82579..e6b294e 100644
--- a/sys/vm/swap_pager.c
+++ b/sys/vm/swap_pager.c
@@ -2119,7 +2119,7 @@ swapoff_one(struct swdevt *sp, struct thread *td)
mtx_assert(&Giant, MA_OWNED);
#ifdef MAC
(void) vn_lock(sp->sw_vp, LK_EXCLUSIVE | LK_RETRY, td);
- error = mac_check_system_swapoff(td->td_ucred, sp->sw_vp);
+ error = mac_system_check_swapoff(td->td_ucred, sp->sw_vp);
(void) VOP_UNLOCK(sp->sw_vp, 0, td);
if (error != 0)
return (error);
@@ -2529,7 +2529,7 @@ swaponvp(struct thread *td, struct vnode *vp, u_long nblks)
(void) vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
#ifdef MAC
- error = mac_check_system_swapon(td->td_ucred, vp);
+ error = mac_system_check_swapon(td->td_ucred, vp);
if (error == 0)
#endif
error = VOP_OPEN(vp, FREAD | FWRITE, td->td_ucred, td, NULL);
diff --git a/sys/vm/vm_mmap.c b/sys/vm/vm_mmap.c
index 8b8e356..4820a14 100644
--- a/sys/vm/vm_mmap.c
+++ b/sys/vm/vm_mmap.c
@@ -1203,7 +1203,7 @@ vm_mmap_vnode(struct thread *td, vm_size_t objsize,
goto done;
}
#ifdef MAC
- error = mac_check_vnode_mmap(td->td_ucred, vp, prot, flags);
+ error = mac_vnode_check_mmap(td->td_ucred, vp, prot, flags);
if (error != 0)
goto done;
#endif