summaryrefslogtreecommitdiffstats
path: root/sys/kern/kern_mac.c
diff options
context:
space:
mode:
Diffstat (limited to 'sys/kern/kern_mac.c')
-rw-r--r--sys/kern/kern_mac.c82
1 files changed, 69 insertions, 13 deletions
diff --git a/sys/kern/kern_mac.c b/sys/kern/kern_mac.c
index 8a9de01..69b1772 100644
--- a/sys/kern/kern_mac.c
+++ b/sys/kern/kern_mac.c
@@ -221,6 +221,8 @@ static void mac_cred_mmapped_drop_perms(struct thread *td,
static void mac_cred_mmapped_drop_perms_recurse(struct thread *td,
struct ucred *cred, struct vm_map *map);
+static void mac_destroy_socket_label(struct label *label);
+
MALLOC_DEFINE(M_MACOPVEC, "macopvec", "MAC policy operation vector");
MALLOC_DEFINE(M_MACPIPELABEL, "macpipelabel", "MAC labels for pipes");
@@ -1156,17 +1158,57 @@ mac_init_pipe(struct pipe *pipe)
#endif
}
-void
-mac_init_socket(struct socket *socket)
+static int
+mac_init_socket_label(struct label *label, int flag)
{
+ int error;
+
+ mac_init_label(label);
+
+ MAC_CHECK(init_socket_label, label, flag);
+ if (error) {
+ MAC_PERFORM(destroy_socket_label, label);
+ mac_destroy_label(label);
+ }
- mac_init_label(&socket->so_label);
- mac_init_label(&socket->so_peerlabel);
- MAC_PERFORM(init_socket_label, &socket->so_label);
- MAC_PERFORM(init_socket_peer_label, &socket->so_peerlabel);
#ifdef MAC_DEBUG
- atomic_add_int(&nmacsockets, 1);
+ if (error == 0)
+ atomic_add_int(&nmacsockets, 1);
#endif
+
+ return (error);
+}
+
+static int
+mac_init_socket_peer_label(struct label *label, int flag)
+{
+ int error;
+
+ mac_init_label(label);
+
+ MAC_CHECK(init_socket_peer_label, label, flag);
+ if (error) {
+ MAC_PERFORM(destroy_socket_label, label);
+ mac_destroy_label(label);
+ }
+
+ return (error);
+}
+
+int
+mac_init_socket(struct socket *socket, int flag)
+{
+ int error;
+
+ error = mac_init_socket_label(&socket->so_label, flag);
+ if (error)
+ return (error);
+
+ error = mac_init_socket_peer_label(&socket->so_peerlabel, flag);
+ if (error)
+ mac_destroy_socket_label(&socket->so_label);
+
+ return (error);
}
static void
@@ -1282,20 +1324,34 @@ mac_destroy_pipe(struct pipe *pipe)
#endif
}
-void
-mac_destroy_socket(struct socket *socket)
+static void
+mac_destroy_socket_label(struct label *label)
{
- MAC_PERFORM(destroy_socket_label, &socket->so_label);
- MAC_PERFORM(destroy_socket_peer_label, &socket->so_peerlabel);
- mac_destroy_label(&socket->so_label);
- mac_destroy_label(&socket->so_peerlabel);
+ MAC_PERFORM(destroy_socket_label, label);
+ mac_destroy_label(label);
#ifdef MAC_DEBUG
atomic_subtract_int(&nmacsockets, 1);
#endif
}
static void
+mac_destroy_socket_peer_label(struct label *label)
+{
+
+ MAC_PERFORM(destroy_socket_peer_label, label);
+ mac_destroy_label(label);
+}
+
+void
+mac_destroy_socket(struct socket *socket)
+{
+
+ mac_destroy_socket_label(&socket->so_label);
+ mac_destroy_socket_peer_label(&socket->so_peerlabel);
+}
+
+static void
mac_destroy_temp(struct label *label)
{
OpenPOWER on IntegriCloud