Diffstat (limited to 'sys/security/mac/mac_internal.h')
-rw-r--r--sys/security/mac/mac_internal.h99
1 files changed, 80 insertions, 19 deletions
diff --git a/sys/security/mac/mac_internal.h b/sys/security/mac/mac_internal.h
index 34336fc..280c8b8 100644
--- a/sys/security/mac/mac_internal.h
+++ b/sys/security/mac/mac_internal.h
@@ -194,12 +194,10 @@ extern struct mtx mac_ifnet_mtx;
*/
int mac_error_select(int error1, int error2);
-void mac_policy_grab_exclusive(void);
-void mac_policy_assert_exclusive(void);
-void mac_policy_release_exclusive(void);
-void mac_policy_list_busy(void);
-int mac_policy_list_conditional_busy(void);
-void mac_policy_list_unbusy(void);
+void mac_policy_slock_nosleep(void);
+void mac_policy_slock_sleep(void);
+void mac_policy_sunlock_nosleep(void);
+void mac_policy_sunlock_sleep(void);
struct label *mac_labelzone_alloc(int flags);
void mac_labelzone_free(struct label *label);
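Review bot: The four replacement prototypes (`mac_policy_slock_nosleep`, `mac_policy_slock_sleep`, `mac_policy_sunlock_nosleep`, `mac_policy_sunlock_sleep`) carry no comment stating what the `_sleep`/`_nosleep` split means for a caller, and the removed busy/exclusive API they replace at least had distinct names that hinted at the protocol. A short comment above the group would let a policy author or framework caller pick the right pair without reading the implementation, for example `/* Shared lock on the dynamic policy list: the _sleep forms may block and must not be used under non-sleepable locks; the _nosleep forms are for those contexts. Pair slock_X with sunlock_X. */`. The semantics here are inferred from the names, so the wording should be confirmed against the implementation in mac_framework.c before it is committed.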
@@ -255,13 +253,16 @@ int vn_setlabel(struct vnode *vp, struct label *intlabel,
struct ucred *cred);
/*
+ * MAC Framework composition macros invoke all registered MAC policies for a
+ * specific entry point. They come in two forms: one which permits policies
+ * to sleep/block, and another that does not.
+ *
* MAC_CHECK performs the designated check by walking the policy module list
* and checking with each as to how it feels about the request. Note that it
* returns its value via 'error' in the scope of the caller.
*/
#define MAC_CHECK(check, args...) do { \
struct mac_policy_conf *mpc; \
- int entrycount; \
\
error = 0; \
LIST_FOREACH(mpc, &mac_static_policy_list, mpc_list) { \
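Review bot: The new paragraph at the top of the composition-macro comment says there are two forms, one that may sleep and one that may not, but does not state the rule for choosing between them, which is the one thing a caller adding a new entry point needs. Adding one sentence such as ` * Use the _NOSLEEP form from any context that holds a non-sleepable lock or is otherwise forbidden to block; the plain form may acquire a sleepable lock.` would close that gap; the `_NOSLEEP` variants introduced in the later hunks (MAC_CHECK_NOSLEEP, MAC_BOOLEAN_NOSLEEP, MAC_PERFORM_NOSLEEP) likewise get no header comment of their own and could each point back to this paragraph. The MAC_CHECK definition that begins here continues in the next hunk.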
@@ -270,14 +271,37 @@ int vn_setlabel(struct vnode *vp, struct label *intlabel,
mpc->mpc_ops->mpo_ ## check (args), \
error); \
} \
- if ((entrycount = mac_policy_list_conditional_busy()) != 0) { \
+ if (!LIST_EMPTY(&mac_policy_list)) { \
+ mac_policy_slock_sleep(); \
+ LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { \
+ if (mpc->mpc_ops->mpo_ ## check != NULL) \
+ error = mac_error_select( \
+ mpc->mpc_ops->mpo_ ## check (args), \
+ error); \
+ } \
+ mac_policy_sunlock_sleep(); \
+ } \
+} while (0)
+
+#define MAC_CHECK_NOSLEEP(check, args...) do { \
+ struct mac_policy_conf *mpc; \
+ \
+ error = 0; \
+ LIST_FOREACH(mpc, &mac_static_policy_list, mpc_list) { \
+ if (mpc->mpc_ops->mpo_ ## check != NULL) \
+ error = mac_error_select( \
+ mpc->mpc_ops->mpo_ ## check (args), \
+ error); \
+ } \
+ if (!LIST_EMPTY(&mac_policy_list)) { \
+ mac_policy_slock_nosleep(); \
LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { \
if (mpc->mpc_ops->mpo_ ## check != NULL) \
error = mac_error_select( \
mpc->mpc_ops->mpo_ ## check (args), \
error); \
} \
- mac_policy_list_unbusy(); \
+ mac_policy_sunlock_nosleep(); \
} \
} while (0)
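Review bot: The `if (!LIST_EMPTY(&mac_policy_list))` test runs before `mac_policy_slock_sleep()` is taken, so it is an unlocked peek at the dynamic list; a policy registered between the test and the walk is skipped for this invocation, and one being unregistered is presumably handled by the walk under the lock finding an empty list. That is a deliberate trade-off rather than a bug if the intent is that the common no-dynamic-policy case never touches the lock, but nothing in the macro says so, and the same pattern appears in MAC_CHECK_NOSLEEP below and in MAC_GRANT_NOSLEEP, MAC_BOOLEAN, MAC_BOOLEAN_NOSLEEP, MAC_PERFORM and MAC_PERFORM_NOSLEEP in the following hunks. A comment on the first occurrence such as `/* Unlocked check: avoids taking the policy lock when no dynamic policies are loaded; a policy registered concurrently is not consulted for this call. */` would make the intent reviewable. MAC_CHECK begins in the previous hunk.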
@@ -288,9 +312,8 @@ int vn_setlabel(struct vnode *vp, struct label *intlabel,
* EPERM. Note that it returns its value via 'error' in the scope of the
* caller.
*/
-#define MAC_GRANT(check, args...) do { \
+#define MAC_GRANT_NOSLEEP(check, args...) do { \
struct mac_policy_conf *mpc; \
- int entrycount; \
\
error = EPERM; \
LIST_FOREACH(mpc, &mac_static_policy_list, mpc_list) { \
@@ -299,7 +322,8 @@ int vn_setlabel(struct vnode *vp, struct label *intlabel,
error = 0; \
} \
} \
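Review bot: MAC_GRANT is renamed to MAC_GRANT_NOSLEEP and only the non-sleeping lock pair is used, whereas MAC_CHECK, MAC_BOOLEAN and MAC_PERFORM each gain both a sleepable and a `_NOSLEEP` form; the asymmetry is visible but unexplained. If no MAC_GRANT caller can sleep, or none exists yet, a one-line note in the comment above the definition, e.g. ` * Only a non-sleeping variant exists because no current caller may block.`, would stop a later reader from assuming the sleepable variant was forgotten. The macro body continues in the next hunk.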
- if ((entrycount = mac_policy_list_conditional_busy()) != 0) { \
+ if (!LIST_EMPTY(&mac_policy_list)) { \
+ mac_policy_slock_nosleep(); \
LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { \
if (mpc->mpc_ops->mpo_ ## check != NULL) { \
if (mpc->mpc_ops->mpo_ ## check (args) \
@@ -307,7 +331,7 @@ int vn_setlabel(struct vnode *vp, struct label *intlabel,
error = 0; \
} \
} \
- mac_policy_list_unbusy(); \
+ mac_policy_sunlock_nosleep(); \
} \
} while (0)
@@ -320,21 +344,41 @@ int vn_setlabel(struct vnode *vp, struct label *intlabel,
*/
#define MAC_BOOLEAN(operation, composition, args...) do { \
struct mac_policy_conf *mpc; \
- int entrycount; \
\
LIST_FOREACH(mpc, &mac_static_policy_list, mpc_list) { \
if (mpc->mpc_ops->mpo_ ## operation != NULL) \
result = result composition \
mpc->mpc_ops->mpo_ ## operation (args); \
} \
- if ((entrycount = mac_policy_list_conditional_busy()) != 0) { \
+ if (!LIST_EMPTY(&mac_policy_list)) { \
+ mac_policy_slock_sleep(); \
+ LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { \
+ if (mpc->mpc_ops->mpo_ ## operation != NULL) \
+ result = result composition \
+ mpc->mpc_ops->mpo_ ## operation \
+ (args); \
+ } \
+ mac_policy_sunlock_sleep(); \
+ } \
+} while (0)
+
+#define MAC_BOOLEAN_NOSLEEP(operation, composition, args...) do { \
+ struct mac_policy_conf *mpc; \
+ \
+ LIST_FOREACH(mpc, &mac_static_policy_list, mpc_list) { \
+ if (mpc->mpc_ops->mpo_ ## operation != NULL) \
+ result = result composition \
+ mpc->mpc_ops->mpo_ ## operation (args); \
+ } \
+ if (!LIST_EMPTY(&mac_policy_list)) { \
+ mac_policy_slock_nosleep(); \
LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { \
if (mpc->mpc_ops->mpo_ ## operation != NULL) \
result = result composition \
mpc->mpc_ops->mpo_ ## operation \
(args); \
} \
- mac_policy_list_unbusy(); \
+ mac_policy_sunlock_nosleep(); \
} \
} while (0)
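Review bot: MAC_BOOLEAN and MAC_BOOLEAN_NOSLEEP are byte-for-byte copies of each other except for the two lock calls, and MAC_CHECK/MAC_CHECK_NOSLEEP and MAC_PERFORM/MAC_PERFORM_NOSLEEP in the adjacent hunks repeat the same duplication, so every future fix to the static-list walk or the empty-list check has to be applied in six places. A private body macro parameterized by the lock and unlock functions, with the two public names as thin wrappers, keeps the walk in one place; the sketch below shows it for MAC_BOOLEAN and the same shape applies to the other two pairs. Whether a trailing empty `args` is accepted by the wrapper forwarding should be checked against the compilers the tree supports.
```c
/* Shared body of MAC_BOOLEAN / MAC_BOOLEAN_NOSLEEP; lock/unlock name the
 * sleepable or non-sleepable shared lock on the dynamic policy list. */
#define MAC_BOOLEAN_LOCKED(operation, composition, lock, unlock, args...) do { \
	struct mac_policy_conf *mpc;					\
									\
	/* … unchanged: static-list walk … */				\
	if (!LIST_EMPTY(&mac_policy_list)) {				\
		lock();							\
		/* … unchanged: dynamic-list walk … */			\
		unlock();						\
	}								\
} while (0)

#define MAC_BOOLEAN(operation, composition, args...)			\
	MAC_BOOLEAN_LOCKED(operation, composition,			\
	    mac_policy_slock_sleep, mac_policy_sunlock_sleep, args)
#define MAC_BOOLEAN_NOSLEEP(operation, composition, args...)		\
	MAC_BOOLEAN_LOCKED(operation, composition,			\
	    mac_policy_slock_nosleep, mac_policy_sunlock_nosleep, args)
```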
@@ -425,18 +469,35 @@ int vn_setlabel(struct vnode *vp, struct label *intlabel,
*/
#define MAC_PERFORM(operation, args...) do { \
struct mac_policy_conf *mpc; \
- int entrycount; \
\
LIST_FOREACH(mpc, &mac_static_policy_list, mpc_list) { \
if (mpc->mpc_ops->mpo_ ## operation != NULL) \
mpc->mpc_ops->mpo_ ## operation (args); \
} \
- if ((entrycount = mac_policy_list_conditional_busy()) != 0) { \
+ if (!LIST_EMPTY(&mac_policy_list)) { \
+ mac_policy_slock_sleep(); \
+ LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { \
+ if (mpc->mpc_ops->mpo_ ## operation != NULL) \
+ mpc->mpc_ops->mpo_ ## operation (args); \
+ } \
+ mac_policy_sunlock_sleep(); \
+ } \
+} while (0)
+
+#define MAC_PERFORM_NOSLEEP(operation, args...) do { \
+ struct mac_policy_conf *mpc; \
+ \
+ LIST_FOREACH(mpc, &mac_static_policy_list, mpc_list) { \
+ if (mpc->mpc_ops->mpo_ ## operation != NULL) \
+ mpc->mpc_ops->mpo_ ## operation (args); \
+ } \
+ if (!LIST_EMPTY(&mac_policy_list)) { \
+ mac_policy_slock_nosleep(); \
LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { \
if (mpc->mpc_ops->mpo_ ## operation != NULL) \
mpc->mpc_ops->mpo_ ## operation (args); \
} \
- mac_policy_list_unbusy(); \
+ mac_policy_sunlock_nosleep(); \
} \
} while (0)