Diffstat (limited to 'sys/security/mac')
-rw-r--r-- | sys/security/mac/mac_framework.c | 119 | ||||
-rw-r--r-- | sys/security/mac/mac_framework.h | 11 | ||||
-rw-r--r-- | sys/security/mac/mac_internal.h | 14 | ||||
-rw-r--r-- | sys/security/mac/mac_label.c | 97 | ||||
-rw-r--r-- | sys/security/mac/mac_net.c | 259 | ||||
-rw-r--r-- | sys/security/mac/mac_pipe.c | 25 | ||||
-rw-r--r-- | sys/security/mac/mac_process.c | 64 | ||||
-rw-r--r-- | sys/security/mac/mac_syscalls.c | 119 | ||||
-rw-r--r-- | sys/security/mac/mac_system.c | 8 | ||||
-rw-r--r-- | sys/security/mac/mac_vfs.c | 222 |
10 files changed, 579 insertions, 359 deletions
diff --git a/sys/security/mac/mac_framework.c b/sys/security/mac/mac_framework.c
index c459003..f9adf9b 100644
--- a/sys/security/mac/mac_framework.c
+++ b/sys/security/mac/mac_framework.c
@@ -256,6 +256,7 @@ mac_init(void)
 LIST_INIT(&mac_static_policy_list);
 LIST_INIT(&mac_policy_list);
+ mac_labelzone_init();
 mtx_init(&mac_policy_mtx, "mac_policy_mtx", NULL, MTX_DEF);
 cv_init(&mac_policy_cv, "mac_policy_cv");
@@ -565,7 +566,7 @@ __mac_get_pid(struct thread *td, struct __mac_get_pid_args *uap)
 }
 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
- error = mac_externalize_cred_label(&tcred->cr_label, elements,
+ error = mac_externalize_cred_label(tcred->cr_label, elements,
 buffer, mac.m_buflen);
 if (error == 0)
 error = copyout(buffer, mac.m_string, strlen(buffer)+1);
@@ -602,7 +603,7 @@ __mac_get_proc(struct thread *td, struct __mac_get_proc_args *uap)
 }
 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
- error = mac_externalize_cred_label(&td->td_ucred->cr_label,
+ error = mac_externalize_cred_label(td->td_ucred->cr_label,
 elements, buffer, mac.m_buflen);
 if (error == 0)
 error = copyout(buffer, mac.m_string, strlen(buffer)+1);
@@ -619,7 +620,7 @@ int
 __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
 {
 struct ucred *newcred, *oldcred;
- struct label intlabel;
+ struct label *intlabel;
 struct proc *p;
 struct mac mac;
 char *buffer;
@@ -640,13 +641,11 @@ __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
 return (error);
 }
- mac_init_cred_label(&intlabel);
- error = mac_internalize_cred_label(&intlabel, buffer);
+ intlabel = mac_cred_label_alloc();
+ error = mac_internalize_cred_label(intlabel, buffer);
 free(buffer, M_MACTEMP);
- if (error) {
- mac_destroy_cred_label(&intlabel);
- return (error);
- }
+ if (error)
+ goto out;
 newcred = crget();
@@ -654,7 +653,7 @@ __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap) PROC_LOCK(p); oldcred = p->p_ucred; - error = mac_check_cred_relabel(oldcred, &intlabel); + error = mac_check_cred_relabel(oldcred, intlabel); if (error) { PROC_UNLOCK(p); crfree(newcred); @@ -663,7 +662,7 @@ __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap) setsugid(p); crcopy(newcred, oldcred); - mac_relabel_cred(newcred, &intlabel); + mac_relabel_cred(newcred, intlabel); p->p_ucred = newcred; /* @@ -683,7 +682,7 @@ __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap) crfree(oldcred); out: - mac_destroy_cred_label(&intlabel); + mac_cred_label_free(intlabel); return (error); } @@ -694,7 +693,7 @@ int __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap) { char *elements, *buffer; - struct label intlabel; + struct label *intlabel; struct file *fp; struct mac mac; struct vnode *vp; @@ -729,20 +728,20 @@ __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap) case DTYPE_VNODE: vp = fp->f_vnode; - mac_init_vnode_label(&intlabel); + intlabel = mac_vnode_label_alloc(); vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); - mac_copy_vnode_label(&vp->v_label, &intlabel); + mac_copy_vnode_label(vp->v_label, intlabel); VOP_UNLOCK(vp, 0, td); break; case DTYPE_PIPE: pipe = fp->f_data; - mac_init_pipe_label(&intlabel); + intlabel = mac_pipe_label_alloc(); PIPE_LOCK(pipe); - mac_copy_pipe_label(pipe->pipe_label, &intlabel); + mac_copy_pipe_label(pipe->pipe_label, intlabel); PIPE_UNLOCK(pipe); break; default: 
@@ -756,14 +755,14 @@ __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap) case DTYPE_FIFO: case DTYPE_VNODE: if (error == 0) - error = mac_externalize_vnode_label(&intlabel, + error = mac_externalize_vnode_label(intlabel, elements, buffer, mac.m_buflen); - mac_destroy_vnode_label(&intlabel); + mac_vnode_label_free(intlabel); break; case DTYPE_PIPE: - error = mac_externalize_pipe_label(&intlabel, elements, + error = mac_externalize_pipe_label(intlabel, elements, buffer, mac.m_buflen); - mac_destroy_pipe_label(&intlabel); + mac_pipe_label_free(intlabel); break; default: panic("__mac_get_fd: corrupted label_type"); @@ -788,7 +787,7 @@ __mac_get_file(struct thread *td, struct __mac_get_file_args *uap) { char *elements, *buffer; struct nameidata nd; - struct label intlabel; + struct label *intlabel; struct mac mac; int error; @@ -815,13 +814,13 @@ __mac_get_file(struct thread *td, struct __mac_get_file_args *uap) if (error) goto out; - mac_init_vnode_label(&intlabel); - mac_copy_vnode_label(&nd.ni_vp->v_label, &intlabel); - error = mac_externalize_vnode_label(&intlabel, elements, buffer, + intlabel = mac_vnode_label_alloc(); + mac_copy_vnode_label(nd.ni_vp->v_label, intlabel); + error = mac_externalize_vnode_label(intlabel, elements, buffer, mac.m_buflen); NDFREE(&nd, 0); - mac_destroy_vnode_label(&intlabel); + mac_vnode_label_free(intlabel); if (error == 0) error = copyout(buffer, mac.m_string, strlen(buffer)+1); @@ -843,7 +842,7 @@ __mac_get_link(struct thread *td, struct __mac_get_link_args *uap) { char *elements, *buffer; struct nameidata nd; - struct label intlabel; + struct label *intlabel; struct mac mac; int error; 
@@ -870,12 +869,12 @@ __mac_get_link(struct thread *td, struct __mac_get_link_args *uap) if (error) goto out; - mac_init_vnode_label(&intlabel); - mac_copy_vnode_label(&nd.ni_vp->v_label, &intlabel); - error = mac_externalize_vnode_label(&intlabel, elements, buffer, + intlabel = mac_vnode_label_alloc(); + mac_copy_vnode_label(nd.ni_vp->v_label, intlabel); + error = mac_externalize_vnode_label(intlabel, elements, buffer, mac.m_buflen); NDFREE(&nd, 0); - mac_destroy_vnode_label(&intlabel); + mac_vnode_label_free(intlabel); if (error == 0) error = copyout(buffer, mac.m_string, strlen(buffer)+1); @@ -895,7 +894,7 @@ out: int __mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap) { - struct label intlabel; + struct label *intlabel; struct pipe *pipe; struct file *fp; struct mount *mp; 
@@ -928,40 +927,40 @@ __mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap) switch (fp->f_type) { case DTYPE_FIFO: case DTYPE_VNODE: - mac_init_vnode_label(&intlabel); - error = mac_internalize_vnode_label(&intlabel, buffer); + intlabel = mac_vnode_label_alloc(); + error = mac_internalize_vnode_label(intlabel, buffer); if (error) { - mac_destroy_vnode_label(&intlabel); + mac_vnode_label_free(intlabel); break; } vp = fp->f_vnode; error = vn_start_write(vp, &mp, V_WAIT | PCATCH); if (error != 0) { - mac_destroy_vnode_label(&intlabel); + mac_vnode_label_free(intlabel); break; } vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td); - error = vn_setlabel(vp, &intlabel, td->td_ucred); + error = vn_setlabel(vp, intlabel, td->td_ucred); VOP_UNLOCK(vp, 0, td); vn_finished_write(mp); - mac_destroy_vnode_label(&intlabel); + mac_vnode_label_free(intlabel); break; case DTYPE_PIPE: - mac_init_pipe_label(&intlabel); - error = mac_internalize_pipe_label(&intlabel, buffer); + intlabel = mac_pipe_label_alloc(); + error = mac_internalize_pipe_label(intlabel, buffer); if (error == 0) { pipe = fp->f_data; PIPE_LOCK(pipe); error = mac_pipe_label_set(td->td_ucred, pipe, - &intlabel); + intlabel); PIPE_UNLOCK(pipe); } - mac_destroy_pipe_label(&intlabel); + mac_pipe_label_free(intlabel); break; default: @@ -983,7 +982,7 @@ out: int __mac_set_file(struct thread *td, struct __mac_set_file_args *uap) { - struct label intlabel; + struct label *intlabel; struct nameidata nd; struct mount *mp; struct mac mac; @@ -1005,13 +1004,11 @@ __mac_set_file(struct thread *td, struct __mac_set_file_args *uap) return (error); } - mac_init_vnode_label(&intlabel); - error = mac_internalize_vnode_label(&intlabel, buffer); + intlabel = mac_vnode_label_alloc(); + error = mac_internalize_vnode_label(intlabel, buffer); free(buffer, M_MACTEMP); - if (error) { - mac_destroy_vnode_label(&intlabel); - return (error); - } + if (error) + goto out; mtx_lock(&Giant); /* VFS */ 
@@ -1021,15 +1018,15 @@ __mac_set_file(struct thread *td, struct __mac_set_file_args *uap) if (error == 0) { error = vn_start_write(nd.ni_vp, &mp, V_WAIT | PCATCH); if (error == 0) - error = vn_setlabel(nd.ni_vp, &intlabel, + error = vn_setlabel(nd.ni_vp, intlabel, td->td_ucred); vn_finished_write(mp); } NDFREE(&nd, 0); mtx_unlock(&Giant); /* VFS */ - mac_destroy_vnode_label(&intlabel); - +out: + mac_vnode_label_free(intlabel); return (error); } @@ -1039,7 +1036,7 @@ __mac_set_file(struct thread *td, struct __mac_set_file_args *uap) int __mac_set_link(struct thread *td, struct __mac_set_link_args *uap) { - struct label intlabel; + struct label *intlabel; struct nameidata nd; struct mount *mp; struct mac mac; @@ -1061,13 +1058,11 @@ __mac_set_link(struct thread *td, struct __mac_set_link_args *uap) return (error); } - mac_init_vnode_label(&intlabel); - error = mac_internalize_vnode_label(&intlabel, buffer); + intlabel = mac_vnode_label_alloc(); + error = mac_internalize_vnode_label(intlabel, buffer); free(buffer, M_MACTEMP); - if (error) { - mac_destroy_vnode_label(&intlabel); - return (error); - } + if (error) + goto out; mtx_lock(&Giant); /* VFS */ @@ -1077,15 +1072,15 @@ __mac_set_link(struct thread *td, struct __mac_set_link_args *uap) if (error == 0) { error = vn_start_write(nd.ni_vp, &mp, V_WAIT | PCATCH); if (error == 0) - error = vn_setlabel(nd.ni_vp, &intlabel, + error = vn_setlabel(nd.ni_vp, intlabel, td->td_ucred); vn_finished_write(mp); } NDFREE(&nd, 0); mtx_unlock(&Giant); /* VFS */ - mac_destroy_vnode_label(&intlabel); - +out: + mac_vnode_label_free(intlabel); return (error); } diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h index 7955c25a..1dc6bf1 100644 --- a/sys/security/mac/mac_framework.h +++ b/sys/security/mac/mac_framework.h 
@@ -144,7 +144,6 @@ int mac_init_mbuf_tag(struct m_tag *, int flag); void mac_init_mount(struct mount *); void mac_init_proc(struct proc *); void mac_init_vnode(struct vnode *); -void mac_init_vnode_label(struct label *); void mac_copy_mbuf_tag(struct m_tag *, struct m_tag *); void mac_copy_vnode_label(struct label *, struct label *label); void mac_destroy_bpfdesc(struct bpf_d *); @@ -158,7 +157,12 @@ void mac_destroy_proc(struct proc *); void mac_destroy_mbuf_tag(struct m_tag *); void mac_destroy_mount(struct mount *); void mac_destroy_vnode(struct vnode *); -void mac_destroy_vnode_label(struct label *); + +struct label *mac_cred_label_alloc(void); +void mac_cred_label_free(struct label *label); +struct label *mac_vnode_label_alloc(void); +void mac_vnode_label_free(struct label *label); +void mac_destroy_vnode_label(struct label *); /* * Labeling event operations: file system objects, and things that @@ -220,8 +224,7 @@ void mac_update_ipq(struct mbuf *fragment, struct ipq *ipq); * Labeling event operations: processes. */ void mac_create_cred(struct ucred *cred_parent, struct ucred *cred_child); -int mac_execve_enter(struct image_params *imgp, struct mac *mac_p, - struct label *execlabel); +int mac_execve_enter(struct image_params *imgp, struct mac *mac_p); void mac_execve_exit(struct image_params *imgp); void mac_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp, struct label *interpvnodelabel, diff --git a/sys/security/mac/mac_internal.h b/sys/security/mac/mac_internal.h index b07cf6f..957057b 100644 --- a/sys/security/mac/mac_internal.h +++ b/sys/security/mac/mac_internal.h @@ -59,6 +59,7 @@ extern struct mac_policy_list_head mac_policy_list; extern struct mac_policy_list_head mac_static_policy_list; extern int mac_late; extern int mac_enforce_process; +extern int mac_enforce_sysv; extern int mac_enforce_vm; #ifndef MAC_ALWAYS_LABEL_MBUF extern int mac_labelmbufs; 
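Review bot: In the mac_framework.h hunk at -158 the `mac_destroy_vnode_label` prototype is deleted and then re-added unchanged a few lines lower, which turns a pure addition into a confusing remove/add pair; keep the line where it is and insert the four new alloc/free prototypes next to it. Note also that the cred and vnode `*_label_alloc`/`*_label_free` pairs are declared in mac_framework.h while the matching pipe pair is added to mac_internal.h in the next file; picking one header for the whole set gives callers a single place to look. The `extern int mac_enforce_sysv;` added to mac_internal.h is unrelated to the label-zone change and would be easier to track as its own commit.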
@@ -88,6 +89,10 @@ void mac_policy_list_busy(void); int mac_policy_list_conditional_busy(void); void mac_policy_list_unbusy(void); +struct label *mac_labelzone_alloc(int flags); +void mac_labelzone_free(struct label *label); +void mac_labelzone_init(void); + void mac_init_label(struct label *label); void mac_destroy_label(struct label *label); int mac_check_structmac_consistent(struct mac *mac); @@ -98,19 +103,18 @@ int mac_allocate_slot(void); * the namespaces, etc, should work for these, so for now, sort by * object type. */ +struct label *mac_pipe_label_alloc(void); +void mac_pipe_label_free(struct label *label); + int mac_check_cred_relabel(struct ucred *cred, struct label *newlabel); -void mac_destroy_cred_label(struct label *label); -int mac_externalize_cred_label(struct label *label, char *elements, +int mac_externalize_cred_label(struct label *label, char *elements, char *outbuf, size_t outbuflen); -void mac_init_cred_label(struct label *label); int mac_internalize_cred_label(struct label *label, char *string); void mac_relabel_cred(struct ucred *cred, struct label *newlabel); void mac_copy_pipe_label(struct label *src, struct label *dest); -void mac_destroy_pipe_label(struct label *label); int mac_externalize_pipe_label(struct label *label, char *elements, char *outbuf, size_t outbuflen); -void mac_init_pipe_label(struct label *label); int mac_internalize_pipe_label(struct label *label, char *string); int mac_externalize_vnode_label(struct label *label, char *elements, diff --git a/sys/security/mac/mac_label.c b/sys/security/mac/mac_label.c new file mode 100644 index 0000000..eedc1df --- /dev/null +++ b/sys/security/mac/mac_label.c 
@@ -0,0 +1,97 @@
+/*-
+ * Copyright (c) 2003 Networks Associates Technology, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project in part by Network
+ * Associates Laboratories, the Security Research Division of Network
+ * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
+ * as part of the DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <sys/cdefs.h>
+__FBSDID("$FreeBSD$");
+
+#include "opt_mac.h"
+
+#include <sys/param.h>
+#include <sys/mac.h>
+#include <sys/sysctl.h>
+#include <sys/systm.h>
+
+#include <vm/uma.h>
+
+#include <security/mac/mac_internal.h>
+
+uma_zone_t zone_label;
+
+static void mac_labelzone_ctor(void *mem, int size, void *arg);
+static void mac_labelzone_dtor(void *mem, int size, void *arg);
+
+void
+mac_labelzone_init(void)
+{
+
+ zone_label = uma_zcreate("MAC labels", sizeof(struct label),
+ mac_labelzone_ctor, mac_labelzone_dtor, NULL, NULL,
+ UMA_ALIGN_PTR, 0);
+}
+
+static void
+mac_labelzone_ctor(void *mem, int size, void *arg)
+{
+ struct label *label;
+
+ KASSERT(size == sizeof(*label), ("mac_labelzone_ctor: wrong size\n"));
+ label = mem;
+ bzero(label, sizeof(*label));
+ label->l_flags = MAC_FLAG_INITIALIZED;
+}
+
+static void
+mac_labelzone_dtor(void *mem, int size, void *arg)
+{
+ struct label *label;
+
+ KASSERT(size == sizeof(*label), ("mac_labelzone_dtor: wrong size\n"));
+ label = mem;
+#ifdef DIAGNOSTIC
+ bzero(label, sizeof(*label));
+#else
+ label->l_flags &= ~MAC_FLAG_INITIALIZED;
+#endif
+}
+
+struct label *
+mac_labelzone_alloc(int flags)
+{
+
+ return (uma_zalloc(zone_label, flags));
+}
+
+void
+mac_labelzone_free(struct label *label)
+{
+
+ uma_zfree(zone_label, label);
+}
diff --git a/sys/security/mac/mac_net.c b/sys/security/mac/mac_net.c
index 308231e..7950393 100644
--- a/sys/security/mac/mac_net.c
+++ b/sys/security/mac/mac_net.c
@@ -91,7 +91,8 @@ SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, sockets, CTLFLAG_RD,
 &nmacsockets, 0, "number of sockets in use");
 #endif
-static void mac_destroy_socket_label(struct label *label);
+static void mac_socket_label_free(struct label *label);
+
 static struct label *
 mbuf_to_label(struct mbuf *mbuf)
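Review bot: `uma_zone_t zone_label;` in the new mac_label.c has external linkage, yet no declaration for it is added to mac_internal.h and the zone is only touched by the four functions in this file; it should be `static uma_zone_t zone_label;` so the symbol does not leak into the kernel namespace. The ctor/dtor pair also deserves a one-line contract comment, since callers of mac_labelzone_alloc rely on it: `/* Zone ctor: every label handed out is zeroed with MAC_FLAG_INITIALIZED set; dtor clears the flag (or the whole label under DIAGNOSTIC). */`. The `\n` inside the two KASSERT message strings is unusual for panic strings in this tree and is likely unintended.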
@@ -105,46 +106,70 @@ mbuf_to_label(struct mbuf *mbuf) return (label); } +static struct label * +mac_bpfdesc_label_alloc(void) +{ + struct label *label; + + label = mac_labelzone_alloc(M_WAITOK); + MAC_PERFORM(init_bpfdesc_label, label); + MAC_DEBUG_COUNTER_INC(&nmacbpfdescs); + return (label); +} + void mac_init_bpfdesc(struct bpf_d *bpf_d) { - mac_init_label(&bpf_d->bd_label); - MAC_PERFORM(init_bpfdesc_label, &bpf_d->bd_label); - MAC_DEBUG_COUNTER_INC(&nmacbpfdescs); + bpf_d->bd_label = mac_bpfdesc_label_alloc(); } -static void -mac_init_ifnet_label(struct label *label) +static struct label * +mac_ifnet_label_alloc(void) { + struct label *label; - mac_init_label(label); + label = mac_labelzone_alloc(M_WAITOK); MAC_PERFORM(init_ifnet_label, label); MAC_DEBUG_COUNTER_INC(&nmacifnets); + return (label); } void mac_init_ifnet(struct ifnet *ifp) { - mac_init_ifnet_label(&ifp->if_label); + ifp->if_label = mac_ifnet_label_alloc(); } -int -mac_init_ipq(struct ipq *ipq, int flag) +static struct label * +mac_ipq_label_alloc(int flag) { + struct label *label; int error; - mac_init_label(&ipq->ipq_label); + label = mac_labelzone_alloc(flag); + if (label == NULL) + return (NULL); - MAC_CHECK(init_ipq_label, &ipq->ipq_label, flag); + MAC_CHECK(init_ipq_label, label, flag); if (error) { - MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label); - mac_destroy_label(&ipq->ipq_label); - } else { - MAC_DEBUG_COUNTER_INC(&nmacipqs); + MAC_PERFORM(destroy_ipq_label, label); + mac_labelzone_free(label); + return (NULL); } - return (error); + MAC_DEBUG_COUNTER_INC(&nmacipqs); + return (label); +} + +int +mac_init_ipq(struct ipq *ipq, int flag) +{ + + ipq->ipq_label = mac_ipq_label_alloc(flag); + if (ipq->ipq_label == NULL) + return (ENOMEM); + return (0); } int 
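Review bot: mac_init_ipq now reports every failure of mac_ipq_label_alloc as ENOMEM, but the helper also returns NULL when a policy's init_ipq_label hook vetoes the label through MAC_CHECK, so the policy's own error code no longer reaches the caller as it did before. If callers distinguish the two cases, give the helper an `int *errorp` out-parameter and return that value from mac_init_ipq; otherwise document the collapse above the return, e.g. `/* NULL covers both allocation failure and a policy veto; both surface as ENOMEM. */`. The same pattern is introduced in mac_socket_label_alloc / mac_init_socket in the next hunk.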
@@ -195,71 +220,85 @@ mac_init_mbuf(struct mbuf *m, int flag) return (0); } -static int -mac_init_socket_label(struct label *label, int flag) +static struct label * +mac_socket_label_alloc(int flag) { + struct label *label; int error; - mac_init_label(label); + label = mac_labelzone_alloc(flag); + if (label == NULL) + return (NULL); MAC_CHECK(init_socket_label, label, flag); if (error) { MAC_PERFORM(destroy_socket_label, label); - mac_destroy_label(label); - } else { - MAC_DEBUG_COUNTER_INC(&nmacsockets); + mac_labelzone_free(label); + return (NULL); } - - return (error); + MAC_DEBUG_COUNTER_INC(&nmacsockets); + return (label); } -static int -mac_init_socket_peer_label(struct label *label, int flag) +static struct label * +mac_socket_peer_label_alloc(int flag) { + struct label *label; int error; - mac_init_label(label); + label = mac_labelzone_alloc(flag); + if (label == NULL) + return (NULL); MAC_CHECK(init_socket_peer_label, label, flag); if (error) { MAC_PERFORM(destroy_socket_peer_label, label); - mac_destroy_label(label); + mac_labelzone_free(label); + return (NULL); } - - return (error); + MAC_DEBUG_COUNTER_INC(&nmacsockets); + return (label); } int -mac_init_socket(struct socket *socket, int flag) +mac_init_socket(struct socket *so, int flag) { - int error; - error = mac_init_socket_label(&socket->so_label, flag); - if (error) - return (error); + so->so_label = mac_socket_label_alloc(flag); + if (so->so_label == NULL) + return (ENOMEM); + so->so_peerlabel = mac_socket_peer_label_alloc(flag); + if (so->so_peerlabel == NULL) { + mac_socket_label_free(so->so_label); + so->so_label = NULL; + return (ENOMEM); + } + return (0); +} - error = mac_init_socket_peer_label(&socket->so_peerlabel, flag); - if (error) - mac_destroy_socket_label(&socket->so_label); +static void +mac_bpfdesc_label_free(struct label *label) +{ - return (error); + MAC_PERFORM(destroy_bpfdesc_label, label); + mac_labelzone_free(label); + MAC_DEBUG_COUNTER_DEC(&nmacbpfdescs); } void 
mac_destroy_bpfdesc(struct bpf_d *bpf_d) { - MAC_PERFORM(destroy_bpfdesc_label, &bpf_d->bd_label); - mac_destroy_label(&bpf_d->bd_label); - MAC_DEBUG_COUNTER_DEC(&nmacbpfdescs); + mac_bpfdesc_label_free(bpf_d->bd_label); + bpf_d->bd_label = NULL; } static void -mac_destroy_ifnet_label(struct label *label) +mac_ifnet_label_free(struct label *label) { MAC_PERFORM(destroy_ifnet_label, label); - mac_destroy_label(label); + mac_labelzone_free(label); MAC_DEBUG_COUNTER_DEC(&nmacifnets); } @@ -267,16 +306,25 @@ void mac_destroy_ifnet(struct ifnet *ifp) { - mac_destroy_ifnet_label(&ifp->if_label); + mac_ifnet_label_free(ifp->if_label); + ifp->if_label = NULL; +} + +static void +mac_ipq_label_free(struct label *label) +{ + + MAC_PERFORM(destroy_ipq_label, label); + mac_labelzone_free(label); + MAC_DEBUG_COUNTER_DEC(&nmacipqs); } void mac_destroy_ipq(struct ipq *ipq) { - MAC_PERFORM(destroy_ipq_label, &ipq->ipq_label); - mac_destroy_label(&ipq->ipq_label); - MAC_DEBUG_COUNTER_DEC(&nmacipqs); + mac_ipq_label_free(ipq->ipq_label); + ipq->ipq_label = NULL; } void @@ -292,28 +340,31 @@ mac_destroy_mbuf_tag(struct m_tag *tag) } static void -mac_destroy_socket_label(struct label *label) +mac_socket_label_free(struct label *label) { MAC_PERFORM(destroy_socket_label, label); - mac_destroy_label(label); + mac_labelzone_free(label); MAC_DEBUG_COUNTER_DEC(&nmacsockets); } static void -mac_destroy_socket_peer_label(struct label *label) +mac_socket_peer_label_free(struct label *label) { MAC_PERFORM(destroy_socket_peer_label, label); - mac_destroy_label(label); + mac_labelzone_free(label); + MAC_DEBUG_COUNTER_DEC(&nmacsockets); } void mac_destroy_socket(struct socket *socket) { - mac_destroy_socket_label(&socket->so_label); - mac_destroy_socket_peer_label(&socket->so_peerlabel); + mac_socket_label_free(socket->so_label); + socket->so_label = NULL; + mac_socket_peer_label_free(socket->so_peerlabel); + socket->so_peerlabel = NULL; } void 
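Review bot: The `MAC_DEBUG_COUNTER_INC(&nmacsockets)` added to mac_socket_peer_label_alloc, together with the `MAC_DEBUG_COUNTER_DEC(&nmacsockets)` added to mac_socket_peer_label_free in the -292 hunk, makes every socket bump nmacsockets twice, so the sysctl whose description is "number of sockets in use" now reports double the socket count. The pair is balanced, so nothing leaks, but either the peer-label INC/DEC should be dropped or the sysctl description changed to say it counts socket labels. A short comment at the INC, `/* counts labels, not sockets: so_label and so_peerlabel each count once */`, would at least make the choice explicit.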
@@ -388,21 +439,21 @@ void mac_create_ifnet(struct ifnet *ifnet) { - MAC_PERFORM(create_ifnet, ifnet, &ifnet->if_label); + MAC_PERFORM(create_ifnet, ifnet, ifnet->if_label); } void mac_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d) { - MAC_PERFORM(create_bpfdesc, cred, bpf_d, &bpf_d->bd_label); + MAC_PERFORM(create_bpfdesc, cred, bpf_d, bpf_d->bd_label); } void mac_create_socket(struct ucred *cred, struct socket *socket) { - MAC_PERFORM(create_socket, cred, socket, &socket->so_label); + MAC_PERFORM(create_socket, cred, socket, socket->so_label); } void @@ -410,8 +461,8 @@ mac_create_socket_from_socket(struct socket *oldsocket, struct socket *newsocket) { - MAC_PERFORM(create_socket_from_socket, oldsocket, &oldsocket->so_label, - newsocket, &newsocket->so_label); + MAC_PERFORM(create_socket_from_socket, oldsocket, oldsocket->so_label, + newsocket, newsocket->so_label); } static void @@ -419,7 +470,7 @@ mac_relabel_socket(struct ucred *cred, struct socket *socket, struct label *newlabel) { - MAC_PERFORM(relabel_socket, cred, socket, &socket->so_label, newlabel); + MAC_PERFORM(relabel_socket, cred, socket, socket->so_label, newlabel); } void @@ -430,7 +481,7 @@ mac_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct socket *socket) label = mbuf_to_label(mbuf); MAC_PERFORM(set_socket_peer_from_mbuf, mbuf, label, socket, - &socket->so_peerlabel); + socket->so_peerlabel); } void @@ -439,7 +490,7 @@ mac_set_socket_peer_from_socket(struct socket *oldsocket, { MAC_PERFORM(set_socket_peer_from_socket, oldsocket, - &oldsocket->so_label, newsocket, &newsocket->so_peerlabel); + oldsocket->so_label, newsocket, newsocket->so_peerlabel); } void @@ -449,7 +500,7 @@ mac_create_datagram_from_ipq(struct ipq *ipq, struct mbuf *datagram) label = mbuf_to_label(datagram); - MAC_PERFORM(create_datagram_from_ipq, ipq, &ipq->ipq_label, + MAC_PERFORM(create_datagram_from_ipq, ipq, ipq->ipq_label, datagram, label); } 
@@ -472,7 +523,7 @@ mac_create_ipq(struct mbuf *fragment, struct ipq *ipq) label = mbuf_to_label(fragment); - MAC_PERFORM(create_ipq, fragment, label, ipq, &ipq->ipq_label); + MAC_PERFORM(create_ipq, fragment, label, ipq, ipq->ipq_label); } void @@ -494,7 +545,7 @@ mac_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct mbuf *mbuf) label = mbuf_to_label(mbuf); - MAC_PERFORM(create_mbuf_from_bpfdesc, bpf_d, &bpf_d->bd_label, mbuf, + MAC_PERFORM(create_mbuf_from_bpfdesc, bpf_d, bpf_d->bd_label, mbuf, label); } @@ -505,7 +556,7 @@ mac_create_mbuf_linklayer(struct ifnet *ifnet, struct mbuf *mbuf) label = mbuf_to_label(mbuf); - MAC_PERFORM(create_mbuf_linklayer, ifnet, &ifnet->if_label, mbuf, + MAC_PERFORM(create_mbuf_linklayer, ifnet, ifnet->if_label, mbuf, label); } @@ -516,7 +567,7 @@ mac_create_mbuf_from_ifnet(struct ifnet *ifnet, struct mbuf *mbuf) label = mbuf_to_label(mbuf); - MAC_PERFORM(create_mbuf_from_ifnet, ifnet, &ifnet->if_label, mbuf, + MAC_PERFORM(create_mbuf_from_ifnet, ifnet, ifnet->if_label, mbuf, label); } @@ -530,7 +581,7 @@ mac_create_mbuf_multicast_encap(struct mbuf *oldmbuf, struct ifnet *ifnet, newmbuflabel = mbuf_to_label(newmbuf); MAC_PERFORM(create_mbuf_multicast_encap, oldmbuf, oldmbuflabel, - ifnet, &ifnet->if_label, newmbuf, newmbuflabel); + ifnet, ifnet->if_label, newmbuf, newmbuflabel); } void @@ -555,7 +606,7 @@ mac_fragment_match(struct mbuf *fragment, struct ipq *ipq) result = 1; MAC_BOOLEAN(fragment_match, &&, fragment, label, ipq, - &ipq->ipq_label); + ipq->ipq_label); return (result); } @@ -586,7 +637,7 @@ mac_update_ipq(struct mbuf *fragment, struct ipq *ipq) label = mbuf_to_label(fragment); - MAC_PERFORM(update_ipq, fragment, label, ipq, &ipq->ipq_label); + MAC_PERFORM(update_ipq, fragment, label, ipq, ipq->ipq_label); } void 
@@ -596,7 +647,7 @@ mac_create_mbuf_from_socket(struct socket *socket, struct mbuf *mbuf) label = mbuf_to_label(mbuf); - MAC_PERFORM(create_mbuf_from_socket, socket, &socket->so_label, mbuf, + MAC_PERFORM(create_mbuf_from_socket, socket, socket->so_label, mbuf, label); } @@ -608,8 +659,8 @@ mac_check_bpfdesc_receive(struct bpf_d *bpf_d, struct ifnet *ifnet) if (!mac_enforce_network) return (0); - MAC_CHECK(check_bpfdesc_receive, bpf_d, &bpf_d->bd_label, ifnet, - &ifnet->if_label); + MAC_CHECK(check_bpfdesc_receive, bpf_d, bpf_d->bd_label, ifnet, + ifnet->if_label); return (error); } @@ -627,7 +678,7 @@ mac_check_ifnet_transmit(struct ifnet *ifnet, struct mbuf *mbuf) label = mbuf_to_label(mbuf); - MAC_CHECK(check_ifnet_transmit, ifnet, &ifnet->if_label, mbuf, + MAC_CHECK(check_ifnet_transmit, ifnet, ifnet->if_label, mbuf, label); return (error); @@ -642,7 +693,7 @@ mac_check_socket_bind(struct ucred *ucred, struct socket *socket, if (!mac_enforce_socket) return (0); - MAC_CHECK(check_socket_bind, ucred, socket, &socket->so_label, + MAC_CHECK(check_socket_bind, ucred, socket, socket->so_label, sockaddr); return (error); @@ -657,7 +708,7 @@ mac_check_socket_connect(struct ucred *cred, struct socket *socket, if (!mac_enforce_socket) return (0); - MAC_CHECK(check_socket_connect, cred, socket, &socket->so_label, + MAC_CHECK(check_socket_connect, cred, socket, socket->so_label, sockaddr); return (error); @@ -674,7 +725,7 @@ mac_check_socket_deliver(struct socket *socket, struct mbuf *mbuf) label = mbuf_to_label(mbuf); - MAC_CHECK(check_socket_deliver, socket, &socket->so_label, mbuf, + MAC_CHECK(check_socket_deliver, socket, socket->so_label, mbuf, label); return (error); @@ -688,7 +739,7 @@ mac_check_socket_listen(struct ucred *cred, struct socket *socket) if (!mac_enforce_socket) return (0); - MAC_CHECK(check_socket_listen, cred, socket, &socket->so_label); + MAC_CHECK(check_socket_listen, cred, socket, socket->so_label); return (error); } 
@@ -700,7 +751,7 @@ mac_check_socket_receive(struct ucred *cred, struct socket *so) if (!mac_enforce_socket) return (0); - MAC_CHECK(check_socket_receive, cred, so, &so->so_label); + MAC_CHECK(check_socket_receive, cred, so, so->so_label); return (error); } @@ -711,7 +762,7 @@ mac_check_socket_relabel(struct ucred *cred, struct socket *socket, { int error; - MAC_CHECK(check_socket_relabel, cred, socket, &socket->so_label, + MAC_CHECK(check_socket_relabel, cred, socket, socket->so_label, newlabel); return (error); @@ -725,7 +776,7 @@ mac_check_socket_send(struct ucred *cred, struct socket *so) if (!mac_enforce_socket) return (0); - MAC_CHECK(check_socket_send, cred, so, &so->so_label); + MAC_CHECK(check_socket_send, cred, so, so->so_label); return (error); } @@ -738,7 +789,7 @@ mac_check_socket_visible(struct ucred *cred, struct socket *socket) if (!mac_enforce_socket) return (0); - MAC_CHECK(check_socket_visible, cred, socket, &socket->so_label); + MAC_CHECK(check_socket_visible, cred, socket, socket->so_label); return (error); } @@ -767,7 +818,7 @@ mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr, } buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO); - error = mac_externalize_ifnet_label(&ifnet->if_label, elements, + error = mac_externalize_ifnet_label(ifnet->if_label, elements, buffer, mac.m_buflen); if (error == 0) error = copyout(buffer, mac.m_string, strlen(buffer)+1); @@ -782,7 +833,7 @@ int mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr, struct ifnet *ifnet) { - struct label intlabel; + struct label *intlabel; struct mac mac; char *buffer; int error; 
@@ -802,11 +853,11 @@ mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr, return (error); } - mac_init_ifnet_label(&intlabel); - error = mac_internalize_ifnet_label(&intlabel, buffer); + intlabel = mac_ifnet_label_alloc(); + error = mac_internalize_ifnet_label(intlabel, buffer); free(buffer, M_MACTEMP); if (error) { - mac_destroy_ifnet_label(&intlabel); + mac_ifnet_label_free(intlabel); return (error); } @@ -817,20 +868,20 @@ mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr, */ error = suser_cred(cred, 0); if (error) { - mac_destroy_ifnet_label(&intlabel); + mac_ifnet_label_free(intlabel); return (error); } - MAC_CHECK(check_ifnet_relabel, cred, ifnet, &ifnet->if_label, - &intlabel); + MAC_CHECK(check_ifnet_relabel, cred, ifnet, ifnet->if_label, + intlabel); if (error) { - mac_destroy_ifnet_label(&intlabel); + mac_ifnet_label_free(intlabel); return (error); } - MAC_PERFORM(relabel_ifnet, cred, ifnet, &ifnet->if_label, &intlabel); + MAC_PERFORM(relabel_ifnet, cred, ifnet, ifnet->if_label, intlabel); - mac_destroy_ifnet_label(&intlabel); + mac_ifnet_label_free(intlabel); return (0); } @@ -838,7 +889,7 @@ int mac_setsockopt_label_set(struct ucred *cred, struct socket *so, struct mac *mac) { - struct label intlabel; + struct label *intlabel; char *buffer; int error; 
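Review bot: mac_ioctl_ifnet_set keeps four separate `mac_ifnet_label_free(intlabel); return (error);` exits, while __mac_set_proc, __mac_set_file and __mac_set_link in this same commit were converted to a single `out:` cleanup label that frees intlabel once. Applying the same shape here would make the free-on-every-path invariant easy to audit and match the rest of the commit. The body of mac_ioctl_ifnet_set starts before this hunk.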
@@ -853,23 +904,23 @@ mac_setsockopt_label_set(struct ucred *cred, struct socket *so, return (error); } - mac_init_socket_label(&intlabel, M_WAITOK); - error = mac_internalize_socket_label(&intlabel, buffer); + intlabel = mac_socket_label_alloc(M_WAITOK); + error = mac_internalize_socket_label(intlabel, buffer); free(buffer, M_MACTEMP); if (error) { - mac_destroy_socket_label(&intlabel); + mac_socket_label_free(intlabel); return (error); } - mac_check_socket_relabel(cred, so, &intlabel); + mac_check_socket_relabel(cred, so, intlabel); if (error) { - mac_destroy_socket_label(&intlabel); + mac_socket_label_free(intlabel); return (error); } - mac_relabel_socket(cred, so, &intlabel); + mac_relabel_socket(cred, so, intlabel); - mac_destroy_socket_label(&intlabel); + mac_socket_label_free(intlabel); return (0); } @@ -892,7 +943,7 @@ mac_getsockopt_label_get(struct ucred *cred, struct socket *so, } buffer = malloc(mac->m_buflen, M_MACTEMP, M_WAITOK | M_ZERO); - error = mac_externalize_socket_label(&so->so_label, elements, + error = mac_externalize_socket_label(so->so_label, elements, buffer, mac->m_buflen); if (error == 0) error = copyout(buffer, mac->m_string, strlen(buffer)+1); @@ -922,7 +973,7 @@ mac_getsockopt_peerlabel_get(struct ucred *cred, struct socket *so, } buffer = malloc(mac->m_buflen, M_MACTEMP, M_WAITOK | M_ZERO); - error = mac_externalize_socket_peer_label(&so->so_peerlabel, + error = mac_externalize_socket_peer_label(so->so_peerlabel, elements, buffer, mac->m_buflen); if (error == 0) error = copyout(buffer, mac->m_string, strlen(buffer)+1); diff --git a/sys/security/mac/mac_pipe.c b/sys/security/mac/mac_pipe.c index b30ebaf..61633c3 100644 --- a/sys/security/mac/mac_pipe.c +++ b/sys/security/mac/mac_pipe.c 
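Review bot: In mac_setsockopt_label_set the return value of `mac_check_socket_relabel(cred, so, intlabel)` is still discarded, so the `if (error)` on the next line tests the zero left behind by the successful mac_internalize_socket_label and the relabel is performed even when a policy denies it. This commit rewrites that exact line, so it is the natural place to fix it: `error = mac_check_socket_relabel(cred, so, intlabel);`. The defect predates the commit (the removed line had the same form), but it is an access-check bypass on a user-controlled setsockopt path and should not survive the refactor.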
@@ -61,34 +61,31 @@ SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, pipes, CTLFLAG_RD,
 &nmacpipes, 0, "number of pipes in use");
 #endif
 
-MALLOC_DEFINE(M_MACPIPELABEL, "macpipelabel", "MAC labels for pipes");
-
-void
-mac_init_pipe_label(struct label *label)
+struct label *
+mac_pipe_label_alloc(void)
 {
+ struct label *label;
 
- mac_init_label(label);
+ label = mac_labelzone_alloc(M_WAITOK);
 MAC_PERFORM(init_pipe_label, label);
 MAC_DEBUG_COUNTER_INC(&nmacpipes);
+ return (label);
 }
 
 void
 mac_init_pipe(struct pipe *pipe)
 {
- struct label *label;
 
- label = malloc(sizeof(struct label), M_MACPIPELABEL, M_ZERO|M_WAITOK);
- pipe->pipe_label = label;
- pipe->pipe_peer->pipe_label = label;
- mac_init_pipe_label(label);
+ pipe->pipe_label = pipe->pipe_peer->pipe_label =
+ mac_pipe_label_alloc();
 }
 
 void
-mac_destroy_pipe_label(struct label *label)
+mac_pipe_label_free(struct label *label)
 {
 
 MAC_PERFORM(destroy_pipe_label, label);
- mac_destroy_label(label);
+ mac_labelzone_free(label);
 MAC_DEBUG_COUNTER_DEC(&nmacpipes);
 }
 
@@ -96,8 +93,8 @@ void
 mac_destroy_pipe(struct pipe *pipe)
 {
 
- mac_destroy_pipe_label(pipe->pipe_label);
- free(pipe->pipe_label, M_MACPIPELABEL);
+ mac_pipe_label_free(pipe->pipe_label);
+ pipe->pipe_label = NULL;
 }
 
 void
diff --git a/sys/security/mac/mac_process.c b/sys/security/mac/mac_process.c
index 7697671..68d847d 100644
--- a/sys/security/mac/mac_process.c
+++ b/sys/security/mac/mac_process.c
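Review bot: mac_init_pipe stores one label in both `pipe->pipe_label` and `pipe->pipe_peer->pipe_label`, but mac_destroy_pipe frees through `pipe->pipe_label` and clears only that end, so the peer's pointer keeps referring to returned zone memory if the peer structure is still alive at that point. Either clear `pipe->pipe_peer->pipe_label` as well when the peer is valid, or state the contract above mac_destroy_pipe: `/* Both ends share a single label; the pair must be destroyed exactly once. */`. The pipe teardown path is not visible here, so whether the peer outlives this call is inferred.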
@@ -96,37 +96,48 @@ SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, procs, CTLFLAG_RD,
 static void mac_cred_mmapped_drop_perms_recurse(struct thread *td,
 struct ucred *cred, struct vm_map *map);
 
-void
-mac_init_cred_label(struct label *label)
+struct label *
+mac_cred_label_alloc(void)
 {
+ struct label *label;
 
- mac_init_label(label);
+ label = mac_labelzone_alloc(M_WAITOK);
 MAC_PERFORM(init_cred_label, label);
 MAC_DEBUG_COUNTER_INC(&nmaccreds);
+ return (label);
 }
 
 void
 mac_init_cred(struct ucred *cred)
 {
 
- mac_init_cred_label(&cred->cr_label);
+ cred->cr_label = mac_cred_label_alloc();
+}
+
+static struct label *
+mac_proc_label_alloc(void)
+{
+ struct label *label;
+
+ label = mac_labelzone_alloc(M_WAITOK);
+ MAC_PERFORM(init_proc_label, label);
+ MAC_DEBUG_COUNTER_INC(&nmacprocs);
+ return (label);
 }
 
 void
 mac_init_proc(struct proc *p)
 {
 
- mac_init_label(&p->p_label);
- MAC_PERFORM(init_proc_label, &p->p_label);
- MAC_DEBUG_COUNTER_INC(&nmacprocs);
+ p->p_label = mac_proc_label_alloc();
 }
 
 void
-mac_destroy_cred_label(struct label *label)
+mac_cred_label_free(struct label *label)
 {
 
 MAC_PERFORM(destroy_cred_label, label);
- mac_destroy_label(label);
+ mac_labelzone_free(label);
 MAC_DEBUG_COUNTER_DEC(&nmaccreds);
 }
 
@@ -134,16 +145,25 @@ void
 mac_destroy_cred(struct ucred *cred)
 {
 
- mac_destroy_cred_label(&cred->cr_label);
+ mac_cred_label_free(cred->cr_label);
+ cred->cr_label = NULL;
+}
+
+static void
+mac_proc_label_free(struct label *label)
+{
+
+ MAC_PERFORM(destroy_proc_label, label);
+ mac_labelzone_free(label);
+ MAC_DEBUG_COUNTER_DEC(&nmacprocs);
 }
 
 void
 mac_destroy_proc(struct proc *p)
 {
 
- MAC_PERFORM(destroy_proc_label, &p->p_label);
- mac_destroy_label(&p->p_label);
- MAC_DEBUG_COUNTER_DEC(&nmacprocs);
+ mac_proc_label_free(p->p_label);
+ p->p_label = NULL;
 }
 
 int
@@ -209,9 +229,9 @@ mac_create_cred(struct ucred *parent_cred, struct ucred *child_cred)
 }
 
 int
-mac_execve_enter(struct image_params *imgp, struct mac *mac_p,
- struct label *execlabelstorage)
+mac_execve_enter(struct image_params *imgp, struct mac *mac_p)
 {
+ struct label *label;
 struct mac mac;
 char *buffer;
 int error;
@@ -234,22 +254,24 @@ mac_execve_enter(struct image_params *imgp, struct mac *mac_p,
 return (error);
 }
 
- mac_init_cred_label(execlabelstorage);
- error = mac_internalize_cred_label(execlabelstorage, buffer);
+ label = mac_cred_label_alloc();
+ error = mac_internalize_cred_label(label, buffer);
 free(buffer, M_MACTEMP);
 if (error) {
- mac_destroy_cred_label(execlabelstorage);
+ mac_cred_label_free(label);
 return (error);
 }
- imgp->execlabel = execlabelstorage;
+ imgp->execlabel = label;
 return (0);
 }
 
 void
 mac_execve_exit(struct image_params *imgp)
 {
- if (imgp->execlabel != NULL)
- mac_destroy_cred_label(imgp->execlabel);
+ if (imgp->execlabel != NULL) {
+ mac_cred_label_free(imgp->execlabel);
+ imgp->execlabel = NULL;
+ }
 }
 
 /*
diff --git a/sys/security/mac/mac_syscalls.c b/sys/security/mac/mac_syscalls.c
index c459003..f9adf9b 100644
--- a/sys/security/mac/mac_syscalls.c
+++ b/sys/security/mac/mac_syscalls.c
@@ -256,6 +256,7 @@ mac_init(void)
 LIST_INIT(&mac_static_policy_list);
 LIST_INIT(&mac_policy_list);
 
+ mac_labelzone_init();
 mtx_init(&mac_policy_mtx, "mac_policy_mtx", NULL, MTX_DEF);
 cv_init(&mac_policy_cv, "mac_policy_cv");
 
@@ -565,7 +566,7 @@ __mac_get_pid(struct thread *td, struct __mac_get_pid_args *uap)
 }
 
 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
- error = mac_externalize_cred_label(&tcred->cr_label, elements,
+ error = mac_externalize_cred_label(tcred->cr_label, elements,
 buffer, mac.m_buflen);
 if (error == 0)
 error = copyout(buffer, mac.m_string, strlen(buffer)+1);
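Review bot: mac_execve_enter now allocates the label itself and hands it to `imgp->execlabel`, to be released later by mac_execve_exit, but nothing in the code states that ownership transfer; a header comment such as `/* On success imgp->execlabel owns the new label; mac_execve_exit() releases it. */` would make the contract explicit for the exec path that calls it. Dropping the execlabelstorage parameter also requires the prototype in mac_framework.h and the caller in the exec code to follow, which this chunk does not show. The middle of mac_execve_enter lies between the two hunks.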
@@ -602,7 +603,7 @@ __mac_get_proc(struct thread *td, struct __mac_get_proc_args *uap)
 }
 
 buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
- error = mac_externalize_cred_label(&td->td_ucred->cr_label,
+ error = mac_externalize_cred_label(td->td_ucred->cr_label,
 elements, buffer, mac.m_buflen);
 if (error == 0)
 error = copyout(buffer, mac.m_string, strlen(buffer)+1);
@@ -619,7 +620,7 @@ int
 __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
 {
 struct ucred *newcred, *oldcred;
- struct label intlabel;
+ struct label *intlabel;
 struct proc *p;
 struct mac mac;
 char *buffer;
@@ -640,13 +641,11 @@ __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
 return (error);
 }
 
- mac_init_cred_label(&intlabel);
- error = mac_internalize_cred_label(&intlabel, buffer);
+ intlabel = mac_cred_label_alloc();
+ error = mac_internalize_cred_label(intlabel, buffer);
 free(buffer, M_MACTEMP);
- if (error) {
- mac_destroy_cred_label(&intlabel);
- return (error);
- }
+ if (error)
+ goto out;
 
 newcred = crget();
 
@@ -654,7 +653,7 @@ __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
 PROC_LOCK(p);
 oldcred = p->p_ucred;
 
- error = mac_check_cred_relabel(oldcred, &intlabel);
+ error = mac_check_cred_relabel(oldcred, intlabel);
 if (error) {
 PROC_UNLOCK(p);
 crfree(newcred);
@@ -663,7 +662,7 @@ __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
 
 setsugid(p);
 crcopy(newcred, oldcred);
- mac_relabel_cred(newcred, &intlabel);
+ mac_relabel_cred(newcred, intlabel);
 p->p_ucred = newcred;
 
 /*
@@ -683,7 +682,7 @@ __mac_set_proc(struct thread *td, struct __mac_set_proc_args *uap)
 crfree(oldcred);
 
 out:
- mac_destroy_cred_label(&intlabel);
+ mac_cred_label_free(intlabel);
 return (error);
 }
 
@@ -694,7 +693,7 @@ int
 __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap)
 {
 char *elements, *buffer;
- struct label intlabel;
+ struct label *intlabel;
 struct file *fp;
 struct mac mac;
 struct vnode *vp;
@@ -729,20 +728,20 @@ __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap)
 case DTYPE_VNODE:
 vp = fp->f_vnode;
 
- mac_init_vnode_label(&intlabel);
+ intlabel = mac_vnode_label_alloc();
 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
- mac_copy_vnode_label(&vp->v_label, &intlabel);
+ mac_copy_vnode_label(vp->v_label, intlabel);
 VOP_UNLOCK(vp, 0, td);
 break;
 
 case DTYPE_PIPE:
 pipe = fp->f_data;
 
- mac_init_pipe_label(&intlabel);
+ intlabel = mac_pipe_label_alloc();
 PIPE_LOCK(pipe);
- mac_copy_pipe_label(pipe->pipe_label, &intlabel);
+ mac_copy_pipe_label(pipe->pipe_label, intlabel);
 PIPE_UNLOCK(pipe);
 break;
 
 default:
@@ -756,14 +755,14 @@ __mac_get_fd(struct thread *td, struct __mac_get_fd_args *uap)
 case DTYPE_FIFO:
 case DTYPE_VNODE:
 if (error == 0)
- error = mac_externalize_vnode_label(&intlabel,
+ error = mac_externalize_vnode_label(intlabel,
 elements, buffer, mac.m_buflen);
- mac_destroy_vnode_label(&intlabel);
+ mac_vnode_label_free(intlabel);
 break;
 case DTYPE_PIPE:
- error = mac_externalize_pipe_label(&intlabel, elements,
+ error = mac_externalize_pipe_label(intlabel, elements,
 buffer, mac.m_buflen);
- mac_destroy_pipe_label(&intlabel);
+ mac_pipe_label_free(intlabel);
 break;
 default:
 panic("__mac_get_fd: corrupted label_type");
@@ -788,7 +787,7 @@ __mac_get_file(struct thread *td, struct __mac_get_file_args *uap)
 {
 char *elements, *buffer;
 struct nameidata nd;
- struct label intlabel;
+ struct label *intlabel;
 struct mac mac;
 int error;
 
@@ -815,13 +814,13 @@ __mac_get_file(struct thread *td, struct __mac_get_file_args *uap)
 if (error)
 goto out;
 
- mac_init_vnode_label(&intlabel);
- mac_copy_vnode_label(&nd.ni_vp->v_label, &intlabel);
- error = mac_externalize_vnode_label(&intlabel, elements, buffer,
+ intlabel = mac_vnode_label_alloc();
+ mac_copy_vnode_label(nd.ni_vp->v_label, intlabel);
+ error = mac_externalize_vnode_label(intlabel, elements, buffer,
 mac.m_buflen);
 NDFREE(&nd, 0);
- mac_destroy_vnode_label(&intlabel);
+ mac_vnode_label_free(intlabel);
 
 if (error == 0)
 error = copyout(buffer, mac.m_string, strlen(buffer)+1);
@@ -843,7 +842,7 @@ __mac_get_link(struct thread *td, struct __mac_get_link_args *uap)
 {
 char *elements, *buffer;
 struct nameidata nd;
- struct label intlabel;
+ struct label *intlabel;
 struct mac mac;
 int error;
 
@@ -870,12 +869,12 @@ __mac_get_link(struct thread *td, struct __mac_get_link_args *uap)
 if (error)
 goto out;
 
- mac_init_vnode_label(&intlabel);
- mac_copy_vnode_label(&nd.ni_vp->v_label, &intlabel);
- error = mac_externalize_vnode_label(&intlabel, elements, buffer,
+ intlabel = mac_vnode_label_alloc();
+ mac_copy_vnode_label(nd.ni_vp->v_label, intlabel);
+ error = mac_externalize_vnode_label(intlabel, elements, buffer,
 mac.m_buflen);
 NDFREE(&nd, 0);
- mac_destroy_vnode_label(&intlabel);
+ mac_vnode_label_free(intlabel);
 
 if (error == 0)
 error = copyout(buffer, mac.m_string, strlen(buffer)+1);
@@ -895,7 +894,7 @@ out:
 int
 __mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap)
 {
- struct label intlabel;
+ struct label *intlabel;
 struct pipe *pipe;
 struct file *fp;
 struct mount *mp;
@@ -928,40 +927,40 @@ __mac_set_fd(struct thread *td, struct __mac_set_fd_args *uap)
 switch (fp->f_type) {
 case DTYPE_FIFO:
 case DTYPE_VNODE:
- mac_init_vnode_label(&intlabel);
- error = mac_internalize_vnode_label(&intlabel, buffer);
+ intlabel = mac_vnode_label_alloc();
+ error = mac_internalize_vnode_label(intlabel, buffer);
 if (error) {
- mac_destroy_vnode_label(&intlabel);
+ mac_vnode_label_free(intlabel);
 break;
 }
 
 vp = fp->f_vnode;
 error = vn_start_write(vp, &mp, V_WAIT | PCATCH);
 if (error != 0) {
- mac_destroy_vnode_label(&intlabel);
+ mac_vnode_label_free(intlabel);
 break;
 }
 
 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, td);
- error = vn_setlabel(vp, &intlabel, td->td_ucred);
+ error = vn_setlabel(vp, intlabel, td->td_ucred);
 VOP_UNLOCK(vp, 0, td);
 vn_finished_write(mp);
 
- mac_destroy_vnode_label(&intlabel);
+ mac_vnode_label_free(intlabel);
 break;
 
 case DTYPE_PIPE:
- mac_init_pipe_label(&intlabel);
- error = mac_internalize_pipe_label(&intlabel, buffer);
+ intlabel = mac_pipe_label_alloc();
+ error = mac_internalize_pipe_label(intlabel, buffer);
 if (error == 0) {
 pipe = fp->f_data;
 PIPE_LOCK(pipe);
 error = mac_pipe_label_set(td->td_ucred, pipe,
- &intlabel);
+ intlabel);
 PIPE_UNLOCK(pipe);
 }
 
- mac_destroy_pipe_label(&intlabel);
+ mac_pipe_label_free(intlabel);
 break;
 
 default:
@@ -983,7 +982,7 @@ out:
 int
 __mac_set_file(struct thread *td, struct __mac_set_file_args *uap)
 {
- struct label intlabel;
+ struct label *intlabel;
 struct nameidata nd;
 struct mount *mp;
 struct mac mac;
@@ -1005,13 +1004,11 @@ __mac_set_file(struct thread *td, struct __mac_set_file_args *uap)
 return (error);
 }
 
- mac_init_vnode_label(&intlabel);
- error = mac_internalize_vnode_label(&intlabel, buffer);
+ intlabel = mac_vnode_label_alloc();
+ error = mac_internalize_vnode_label(intlabel, buffer);
 free(buffer, M_MACTEMP);
- if (error) {
- mac_destroy_vnode_label(&intlabel);
- return (error);
- }
+ if (error)
+ goto out;
 
 mtx_lock(&Giant); /* VFS */
 
@@ -1021,15 +1018,15 @@ __mac_set_file(struct thread *td, struct __mac_set_file_args *uap)
 if (error == 0) {
 error = vn_start_write(nd.ni_vp, &mp, V_WAIT | PCATCH);
 if (error == 0)
- error = vn_setlabel(nd.ni_vp, &intlabel,
+ error = vn_setlabel(nd.ni_vp, intlabel,
 td->td_ucred);
 vn_finished_write(mp);
 }
 NDFREE(&nd, 0);
 mtx_unlock(&Giant); /* VFS */
 
- mac_destroy_vnode_label(&intlabel);
-
+out:
+ mac_vnode_label_free(intlabel);
 return (error);
 }
 
@@ -1039,7 +1036,7 @@ __mac_set_file(struct thread *td, struct __mac_set_file_args *uap)
 int
 __mac_set_link(struct thread *td, struct __mac_set_link_args *uap)
 {
- struct label intlabel;
+ struct label *intlabel;
 struct nameidata nd;
 struct mount *mp;
 struct mac mac;
@@ -1061,13 +1058,11 @@ __mac_set_link(struct thread *td, struct __mac_set_link_args *uap)
 return (error);
 }
 
- mac_init_vnode_label(&intlabel);
- error = mac_internalize_vnode_label(&intlabel, buffer);
+ intlabel = mac_vnode_label_alloc();
+ error = mac_internalize_vnode_label(intlabel, buffer);
 free(buffer, M_MACTEMP);
- if (error) {
- mac_destroy_vnode_label(&intlabel);
- return (error);
- }
+ if (error)
+ goto out;
 
 mtx_lock(&Giant); /* VFS */
 
@@ -1077,15 +1072,15 @@ __mac_set_link(struct thread *td, struct __mac_set_link_args *uap)
 if (error == 0) {
 error = vn_start_write(nd.ni_vp, &mp, V_WAIT | PCATCH);
 if (error == 0)
- error = vn_setlabel(nd.ni_vp, &intlabel,
+ error = vn_setlabel(nd.ni_vp, intlabel,
 td->td_ucred);
 vn_finished_write(mp);
 }
 NDFREE(&nd, 0);
 mtx_unlock(&Giant); /* VFS */
 
- mac_destroy_vnode_label(&intlabel);
-
+out:
+ mac_vnode_label_free(intlabel);
 return (error);
 }
 
diff --git a/sys/security/mac/mac_system.c b/sys/security/mac/mac_system.c
index e5041a2..14755cf 100644
--- a/sys/security/mac/mac_system.c
+++ b/sys/security/mac/mac_system.c
@@ -120,7 +120,7 @@ mac_check_kld_load(struct ucred *cred, struct vnode *vp)
 if (!mac_enforce_kld)
 return (0);
 
- MAC_CHECK(check_kld_load, cred, vp, &vp->v_label);
+ MAC_CHECK(check_kld_load, cred, vp, vp->v_label);
 return (error);
 }
 
@@ -176,7 +176,7 @@ mac_check_system_acct(struct ucred *cred, struct vnode *vp)
 return (0);
 
 MAC_CHECK(check_system_acct, cred, vp,
- vp != NULL ? &vp->v_label : NULL);
+ vp != NULL ? vp->v_label : NULL);
 return (error);
 }
 
@@ -230,7 +230,7 @@ mac_check_system_swapon(struct ucred *cred, struct vnode *vp)
 if (!mac_enforce_system)
 return (0);
 
- MAC_CHECK(check_system_swapon, cred, vp, &vp->v_label);
+ MAC_CHECK(check_system_swapon, cred, vp, vp->v_label);
 return (error);
 }
 
@@ -244,7 +244,7 @@ mac_check_system_swapoff(struct ucred *cred, struct vnode *vp)
 if (!mac_enforce_system)
 return (0);
 
- MAC_CHECK(check_system_swapoff, cred, vp, &vp->v_label);
+ MAC_CHECK(check_system_swapoff, cred, vp, vp->v_label);
 return (error);
 }
 
diff --git a/sys/security/mac/mac_vfs.c b/sys/security/mac/mac_vfs.c
index 08e78bb..8d475a5 100644
--- a/sys/security/mac/mac_vfs.c
+++ b/sys/security/mac/mac_vfs.c
@@ -100,68 +100,123 @@ SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, devfsdirents, CTLFLAG_RD,
 static int mac_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
 struct label *intlabel);
 
-void
-mac_init_devfsdirent(struct devfs_dirent *de)
+static struct label *
+mac_devfsdirent_label_alloc(void)
 {
+ struct label *label;
 
- mac_init_label(&de->de_label);
- MAC_PERFORM(init_devfsdirent_label, &de->de_label);
+ label = mac_labelzone_alloc(M_WAITOK);
+ MAC_PERFORM(init_devfsdirent_label, label);
 MAC_DEBUG_COUNTER_INC(&nmacdevfsdirents);
+ return (label);
 }
 
 void
-mac_init_mount(struct mount *mp)
+mac_init_devfsdirent(struct devfs_dirent *de)
+{
+
+ de->de_label = mac_devfsdirent_label_alloc();
+}
+
+static struct label *
+mac_mount_label_alloc(void)
+{
+ struct label *label;
+
+ label = mac_labelzone_alloc(M_WAITOK);
+ MAC_PERFORM(init_mount_label, label);
+ MAC_DEBUG_COUNTER_INC(&nmacmounts);
+ return (label);
+}
+
+static struct label *
+mac_mount_fs_label_alloc(void)
 {
+ struct label *label;
 
- mac_init_label(&mp->mnt_mntlabel);
- mac_init_label(&mp->mnt_fslabel);
- MAC_PERFORM(init_mount_label, &mp->mnt_mntlabel);
- MAC_PERFORM(init_mount_fs_label, &mp->mnt_fslabel);
+ label = mac_labelzone_alloc(M_WAITOK);
+ MAC_PERFORM(init_mount_fs_label, label);
 MAC_DEBUG_COUNTER_INC(&nmacmounts);
+ return (label);
 }
 
 void
-mac_init_vnode_label(struct label *label)
+mac_init_mount(struct mount *mp)
+{
+
+ mp->mnt_mntlabel = mac_mount_label_alloc();
+ mp->mnt_fslabel = mac_mount_fs_label_alloc();
+}
+
+struct label *
+mac_vnode_label_alloc(void)
 {
+ struct label *label;
 
- mac_init_label(label);
+ label = mac_labelzone_alloc(M_WAITOK);
 MAC_PERFORM(init_vnode_label, label);
 MAC_DEBUG_COUNTER_INC(&nmacvnodes);
+ return (label);
 }
 
 void
 mac_init_vnode(struct vnode *vp)
 {
 
- mac_init_vnode_label(&vp->v_label);
+ vp->v_label = mac_vnode_label_alloc();
+}
+
+static void
+mac_devfsdirent_label_free(struct label *label)
+{
+
+ MAC_PERFORM(destroy_devfsdirent_label, label);
+ mac_labelzone_free(label);
+ MAC_DEBUG_COUNTER_DEC(&nmacdevfsdirents);
 }
 
 void
 mac_destroy_devfsdirent(struct devfs_dirent *de)
 {
 
- MAC_PERFORM(destroy_devfsdirent_label, &de->de_label);
- mac_destroy_label(&de->de_label);
- MAC_DEBUG_COUNTER_DEC(&nmacdevfsdirents);
+ mac_devfsdirent_label_free(de->de_label);
+ de->de_label = NULL;
+}
+
+static void
+mac_mount_label_free(struct label *label)
+{
+
+ MAC_PERFORM(destroy_mount_label, label);
+ mac_labelzone_free(label);
+ MAC_DEBUG_COUNTER_DEC(&nmacmounts);
+}
+
+static void
+mac_mount_fs_label_free(struct label *label)
+{
+
+ MAC_PERFORM(destroy_mount_fs_label, label);
+ mac_labelzone_free(label);
+ MAC_DEBUG_COUNTER_DEC(&nmacmounts);
 }
 
 void
 mac_destroy_mount(struct mount *mp)
 {
 
- MAC_PERFORM(destroy_mount_label, &mp->mnt_mntlabel);
- MAC_PERFORM(destroy_mount_fs_label, &mp->mnt_fslabel);
- mac_destroy_label(&mp->mnt_fslabel);
- mac_destroy_label(&mp->mnt_mntlabel);
- MAC_DEBUG_COUNTER_DEC(&nmacmounts);
+ mac_mount_fs_label_free(mp->mnt_fslabel);
+ mp->mnt_fslabel = NULL;
+ mac_mount_label_free(mp->mnt_mntlabel);
+ mp->mnt_mntlabel = NULL;
 }
 
 void
-mac_destroy_vnode_label(struct label *label)
+mac_vnode_label_free(struct label *label)
 {
 
 MAC_PERFORM(destroy_vnode_label, label);
- mac_destroy_label(label);
+ mac_labelzone_free(label);
 MAC_DEBUG_COUNTER_DEC(&nmacvnodes);
 }
 
@@ -169,7 +224,8 @@ void
 mac_destroy_vnode(struct vnode *vp)
 {
 
- mac_destroy_vnode_label(&vp->v_label);
+ mac_vnode_label_free(vp->v_label);
+ vp->v_label = NULL;
 }
 
 void
@@ -205,8 +261,8 @@ mac_update_devfsdirent(struct mount *mp, struct devfs_dirent *de,
 struct vnode *vp)
 {
 
- MAC_PERFORM(update_devfsdirent, mp, de, &de->de_label, vp,
- &vp->v_label);
+ MAC_PERFORM(update_devfsdirent, mp, de, de->de_label, vp,
+ vp->v_label);
 }
 
 void
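Review bot: mac_mount_label_alloc and mac_mount_fs_label_alloc each execute `MAC_DEBUG_COUNTER_INC(&nmacmounts)`, and mac_mount_label_free and mac_mount_fs_label_free each decrement it, so the counter now moves by two per mount where the removed mac_init_mount/mac_destroy_mount pair moved it by one; whatever reads the `mounts` debug sysctl will report double the real number of mounts. Keep the increment in only one of the two allocators and the decrement in the matching free routine, or move both back into mac_init_mount and mac_destroy_mount. The devfsdirent and vnode counters keep their one-per-object accounting, so only the mount pair is affected.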
@@ -214,8 +270,8 @@ mac_associate_vnode_devfs(struct mount *mp, struct devfs_dirent *de,
 struct vnode *vp)
 {
 
- MAC_PERFORM(associate_vnode_devfs, mp, &mp->mnt_fslabel, de,
- &de->de_label, vp, &vp->v_label);
+ MAC_PERFORM(associate_vnode_devfs, mp, mp->mnt_fslabel, de,
+ de->de_label, vp, vp->v_label);
 }
 
 int
@@ -225,8 +281,8 @@ mac_associate_vnode_extattr(struct mount *mp, struct vnode *vp)
 
 ASSERT_VOP_LOCKED(vp, "mac_associate_vnode_extattr");
 
- MAC_CHECK(associate_vnode_extattr, mp, &mp->mnt_fslabel, vp,
- &vp->v_label);
+ MAC_CHECK(associate_vnode_extattr, mp, mp->mnt_fslabel, vp,
+ vp->v_label);
 
 return (error);
 }
@@ -235,8 +291,8 @@ void
 mac_associate_vnode_singlelabel(struct mount *mp, struct vnode *vp)
 {
 
- MAC_PERFORM(associate_vnode_singlelabel, mp, &mp->mnt_fslabel, vp,
- &vp->v_label);
+ MAC_PERFORM(associate_vnode_singlelabel, mp, mp->mnt_fslabel, vp,
+ vp->v_label);
 }
 
 int
@@ -259,8 +315,8 @@ mac_create_vnode_extattr(struct ucred *cred, struct mount *mp,
 } else if (error)
 return (error);
 
- MAC_CHECK(create_vnode_extattr, cred, mp, &mp->mnt_fslabel,
- dvp, &dvp->v_label, vp, &vp->v_label, cnp);
+ MAC_CHECK(create_vnode_extattr, cred, mp, mp->mnt_fslabel,
+ dvp, dvp->v_label, vp, vp->v_label, cnp);
 if (error) {
 VOP_CLOSEEXTATTR(vp, 0, NOCRED, curthread);
 
@@ -294,7 +350,7 @@ mac_setlabel_vnode_extattr(struct ucred *cred, struct vnode *vp,
 } else if (error)
 return (error);
 
- MAC_CHECK(setlabel_vnode_extattr, cred, vp, &vp->v_label, intlabel);
+ MAC_CHECK(setlabel_vnode_extattr, cred, vp, vp->v_label, intlabel);
 if (error) {
 VOP_CLOSEEXTATTR(vp, 0, NOCRED, curthread);
 
@@ -319,7 +375,7 @@ mac_execve_transition(struct ucred *old, struct ucred *new, struct vnode *vp,
 if (!mac_enforce_process && !mac_enforce_fs)
 return;
 
- MAC_PERFORM(execve_transition, old, new, vp, &vp->v_label,
+ MAC_PERFORM(execve_transition, old, new, vp, vp->v_label,
 interpvnodelabel, imgp, imgp->execlabel);
 }
 
@@ -335,7 +391,7 @@ mac_execve_will_transition(struct ucred *old, struct vnode *vp,
 return (0);
 
 result = 0;
- MAC_BOOLEAN(execve_will_transition, ||, old, vp, &vp->v_label,
+ MAC_BOOLEAN(execve_will_transition, ||, old, vp, vp->v_label,
 interpvnodelabel, imgp, imgp->execlabel);
 
 return (result);
@@ -351,7 +407,7 @@ mac_check_vnode_access(struct ucred *cred, struct vnode *vp, int acc_mode)
 if (!mac_enforce_fs)
 return (0);
 
- MAC_CHECK(check_vnode_access, cred, vp, &vp->v_label, acc_mode);
+ MAC_CHECK(check_vnode_access, cred, vp, vp->v_label, acc_mode);
 return (error);
 }
 
@@ -365,7 +421,7 @@ mac_check_vnode_chdir(struct ucred *cred, struct vnode *dvp)
 if (!mac_enforce_fs)
 return (0);
 
- MAC_CHECK(check_vnode_chdir, cred, dvp, &dvp->v_label);
+ MAC_CHECK(check_vnode_chdir, cred, dvp, dvp->v_label);
 return (error);
 }
 
@@ -379,7 +435,7 @@ mac_check_vnode_chroot(struct ucred *cred, struct vnode *dvp)
 if (!mac_enforce_fs)
 return (0);
 
- MAC_CHECK(check_vnode_chroot, cred, dvp, &dvp->v_label);
+ MAC_CHECK(check_vnode_chroot, cred, dvp, dvp->v_label);
 return (error);
 }
 
@@ -394,7 +450,7 @@ mac_check_vnode_create(struct ucred *cred, struct vnode *dvp,
 if (!mac_enforce_fs)
 return (0);
 
- MAC_CHECK(check_vnode_create, cred, dvp, &dvp->v_label, cnp, vap);
+ MAC_CHECK(check_vnode_create, cred, dvp, dvp->v_label, cnp, vap);
 return (error);
 }
 
@@ -410,8 +466,8 @@ mac_check_vnode_delete(struct ucred *cred, struct vnode *dvp, struct vnode *vp,
 if (!mac_enforce_fs)
 return (0);
 
- MAC_CHECK(check_vnode_delete, cred, dvp, &dvp->v_label, vp,
- &vp->v_label, cnp);
+ MAC_CHECK(check_vnode_delete, cred, dvp, dvp->v_label, vp,
+ vp->v_label, cnp);
 return (error);
 }
 
@@ -426,7 +482,7 @@ mac_check_vnode_deleteacl(struct ucred *cred, struct vnode *vp,
 if (!mac_enforce_fs)
 return (0);
 
- MAC_CHECK(check_vnode_deleteacl, cred, vp, &vp->v_label, type);
+ MAC_CHECK(check_vnode_deleteacl, cred, vp, vp->v_label, type);
 return (error);
 }
 
@@ -441,7 +497,7 @@ mac_check_vnode_deleteextattr(struct ucred *cred, struct vnode *vp,
 if (!mac_enforce_fs)
 return (0);
 
- MAC_CHECK(check_vnode_deleteextattr, cred, vp, &vp->v_label,
+ MAC_CHECK(check_vnode_deleteextattr, cred, vp, vp->v_label,
 attrnamespace, name);
 return (error);
 }
@@ -457,7 +513,7 @@ mac_check_vnode_exec(struct ucred *cred, struct vnode *vp,
 if (!mac_enforce_process && !mac_enforce_fs)
 return (0);
 
- MAC_CHECK(check_vnode_exec, cred, vp, &vp->v_label, imgp,
+ MAC_CHECK(check_vnode_exec, cred, vp, vp->v_label, imgp,
 imgp->execlabel);
 
 return (error);
@@ -473,7 +529,7 @@ mac_check_vnode_getacl(struct ucred *cred, struct vnode *vp, acl_type_t type)
 if (!mac_enforce_fs)
 return (0);
 
- MAC_CHECK(check_vnode_getacl, cred, vp, &vp->v_label, type);
+ MAC_CHECK(check_vnode_getacl, cred, vp, vp->v_label, type);
 return (error);
 }
 
@@ -488,7 +544,7 @@ mac_check_vnode_getextattr(struct ucred *cred, struct vnode *vp,
 if (!mac_enforce_fs)
 return (0);
 
- MAC_CHECK(check_vnode_getextattr, cred, vp, &vp->v_label,
+ MAC_CHECK(check_vnode_getextattr, cred, vp, vp->v_label,
 attrnamespace, name, uio);
 return (error);
 }
@@ -505,8 +561,8 @@ mac_check_vnode_link(struct ucred *cred, struct vnode *dvp,
 if (!mac_enforce_fs)
 return (0);
 
- MAC_CHECK(check_vnode_link, cred, dvp, &dvp->v_label, vp,
- &vp->v_label, cnp);
+ MAC_CHECK(check_vnode_link, cred, dvp, dvp->v_label, vp,
+ vp->v_label, cnp);
 return (error);
 }
 
@@ -521,7 +577,7 @@ mac_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
 if (!mac_enforce_fs)
 return (0);
 
- MAC_CHECK(check_vnode_listextattr, cred, vp, &vp->v_label,
+ MAC_CHECK(check_vnode_listextattr, cred, vp, vp->v_label,
 attrnamespace);
 return (error);
 }
@@ -537,7 +593,7 @@ mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
 if (!mac_enforce_fs)
 return (0);
 
- MAC_CHECK(check_vnode_lookup, cred, dvp, &dvp->v_label, cnp);
+ MAC_CHECK(check_vnode_lookup, cred, dvp, dvp->v_label, cnp);
 return (error);
 }
 
@@ -551,7 +607,7 @@ mac_check_vnode_mmap(struct ucred *cred, struct vnode *vp, int prot)
 if (!mac_enforce_fs || !mac_enforce_vm)
 return (0);
 
- MAC_CHECK(check_vnode_mmap, cred, vp, &vp->v_label, prot);
+ MAC_CHECK(check_vnode_mmap, cred, vp, vp->v_label, prot);
 return (error);
 }
 
@@ -565,7 +621,7 @@ mac_check_vnode_mmap_downgrade(struct ucred *cred, struct vnode *vp, int *prot)
 if (!mac_enforce_fs || !mac_enforce_vm)
 return;
 
- MAC_PERFORM(check_vnode_mmap_downgrade, cred, vp, &vp->v_label,
+ MAC_PERFORM(check_vnode_mmap_downgrade, cred, vp, vp->v_label,
 &result);
 
 *prot = result;
@@ -581,7 +637,7 @@ mac_check_vnode_mprotect(struct ucred *cred, struct vnode *vp, int prot)
 if (!mac_enforce_fs || !mac_enforce_vm)
 return (0);
 
- MAC_CHECK(check_vnode_mprotect, cred, vp, &vp->v_label, prot);
+ MAC_CHECK(check_vnode_mprotect, cred, vp, vp->v_label, prot);
 return (error);
 }
 
@@ -595,7 +651,7 @@ mac_check_vnode_open(struct ucred *cred, struct vnode *vp, int acc_mode)
 if (!mac_enforce_fs)
 return (0);
 
- MAC_CHECK(check_vnode_open, cred, vp, &vp->v_label, acc_mode);
+ MAC_CHECK(check_vnode_open, cred, vp, vp->v_label, acc_mode);
 return (error);
 }
 
@@ -611,7 +667,7 @@ mac_check_vnode_poll(struct ucred *active_cred, struct ucred *file_cred,
 return (0);
 
 MAC_CHECK(check_vnode_poll, active_cred, file_cred, vp,
- &vp->v_label);
+ vp->v_label);
 return (error);
 }
 
@@ -628,7 +684,7 @@ mac_check_vnode_read(struct ucred *active_cred, struct ucred *file_cred,
 return (0);
 
 MAC_CHECK(check_vnode_read, active_cred, file_cred, vp,
- &vp->v_label);
+ vp->v_label);
 return (error);
 }
 
@@ -643,7 +699,7 @@ mac_check_vnode_readdir(struct ucred *cred, struct vnode *dvp)
 if (!mac_enforce_fs)
 return (0);
 
- MAC_CHECK(check_vnode_readdir, cred, dvp, &dvp->v_label);
+ MAC_CHECK(check_vnode_readdir, cred, dvp, dvp->v_label);
 return (error);
 }
 
@@ -657,7 +713,7 @@ mac_check_vnode_readlink(struct ucred *cred, struct vnode *vp)
 if (!mac_enforce_fs)
 return (0);
 
- MAC_CHECK(check_vnode_readlink, cred, vp, &vp->v_label);
+ MAC_CHECK(check_vnode_readlink, cred, vp, vp->v_label);
 return (error);
 }
 
@@ -669,7 +725,7 @@ mac_check_vnode_relabel(struct ucred *cred, struct vnode *vp,
 
 ASSERT_VOP_LOCKED(vp, "mac_check_vnode_relabel");
 
- MAC_CHECK(check_vnode_relabel, cred, vp, &vp->v_label, newlabel);
+ MAC_CHECK(check_vnode_relabel, cred, vp, vp->v_label, newlabel);
 
 return (error);
 }
@@ -686,8 +742,8 @@ mac_check_vnode_rename_from(struct ucred *cred, struct vnode *dvp,
 if (!mac_enforce_fs)
 return (0);
 
- MAC_CHECK(check_vnode_rename_from, cred, dvp, &dvp->v_label, vp,
- &vp->v_label, cnp);
+ MAC_CHECK(check_vnode_rename_from, cred, dvp, dvp->v_label, vp,
+ vp->v_label, cnp);
 return (error);
 }
 
@@ -703,8 +759,8 @@ mac_check_vnode_rename_to(struct ucred *cred, struct vnode *dvp,
 if (!mac_enforce_fs)
 return (0);
 
- MAC_CHECK(check_vnode_rename_to, cred, dvp, &dvp->v_label, vp,
- vp != NULL ? &vp->v_label : NULL, samedir, cnp);
+ MAC_CHECK(check_vnode_rename_to, cred, dvp, dvp->v_label, vp,
+ vp != NULL ? vp->v_label : NULL, samedir, cnp);
 return (error);
 }
 
@@ -718,7 +774,7 @@ mac_check_vnode_revoke(struct ucred *cred, struct vnode *vp)
 if (!mac_enforce_fs)
 return (0);
 
- MAC_CHECK(check_vnode_revoke, cred, vp, &vp->v_label);
+ MAC_CHECK(check_vnode_revoke, cred, vp, vp->v_label);
 return (error);
 }
 
@@ -733,7 +789,7 @@ mac_check_vnode_setacl(struct ucred *cred, struct vnode *vp, acl_type_t type,
 if (!mac_enforce_fs)
 return (0);
 
- MAC_CHECK(check_vnode_setacl, cred, vp, &vp->v_label, type, acl);
+ MAC_CHECK(check_vnode_setacl, cred, vp, vp->v_label, type, acl);
 return (error);
 }
 
@@ -748,7 +804,7 @@ mac_check_vnode_setextattr(struct ucred *cred, struct vnode *vp,
 if (!mac_enforce_fs)
 return (0);
 
- MAC_CHECK(check_vnode_setextattr, cred, vp, &vp->v_label,
+ MAC_CHECK(check_vnode_setextattr, cred, vp, vp->v_label,
 attrnamespace, name, uio);
 return (error);
 }
@@ -763,7 +819,7 @@ mac_check_vnode_setflags(struct ucred *cred, struct vnode *vp, u_long flags)
 if (!mac_enforce_fs)
 return (0);
 
- MAC_CHECK(check_vnode_setflags, cred, vp, &vp->v_label, flags);
+ MAC_CHECK(check_vnode_setflags, cred, vp, vp->v_label, flags);
 return (error);
 }
 
@@ -777,7 +833,7 @@ mac_check_vnode_setmode(struct ucred *cred, struct vnode *vp, mode_t mode)
 if (!mac_enforce_fs)
 return (0);
 
- MAC_CHECK(check_vnode_setmode, cred, vp, &vp->v_label, mode);
+ MAC_CHECK(check_vnode_setmode, cred, vp, vp->v_label, mode);
 return (error);
 }
 
@@ -792,7 +848,7 @@ mac_check_vnode_setowner(struct ucred *cred, struct vnode *vp, uid_t uid,
 if (!mac_enforce_fs)
 return (0);
 
- MAC_CHECK(check_vnode_setowner, cred, vp, &vp->v_label, uid, gid);
+ MAC_CHECK(check_vnode_setowner, cred, vp, vp->v_label, uid, gid);
 return (error);
 }
 
@@ -807,7 +863,7 @@ mac_check_vnode_setutimes(struct ucred *cred, struct vnode *vp,
 if (!mac_enforce_fs)
 return (0);
 
- MAC_CHECK(check_vnode_setutimes, cred, vp, &vp->v_label, atime,
+ MAC_CHECK(check_vnode_setutimes, cred, vp, vp->v_label, atime,
 mtime);
 return (error);
 }
@@ -824,7 +880,7 @@ mac_check_vnode_stat(struct ucred *active_cred, struct ucred *file_cred,
 return (0);
 
 MAC_CHECK(check_vnode_stat, active_cred, file_cred, vp,
- &vp->v_label);
+ vp->v_label);
 return (error);
 }
 
@@ -840,7 +896,7 @@ mac_check_vnode_write(struct ucred *active_cred, struct ucred *file_cred,
 return (0);
 
 MAC_CHECK(check_vnode_write, active_cred, file_cred, vp,
- &vp->v_label);
+ vp->v_label);
 return (error);
 }
 
@@ -849,23 +905,23 @@ void
 mac_relabel_vnode(struct ucred *cred, struct vnode *vp, struct label *newlabel)
 {
 
- MAC_PERFORM(relabel_vnode, cred, vp, &vp->v_label, newlabel);
+ MAC_PERFORM(relabel_vnode, cred, vp, vp->v_label, newlabel);
 }
 
 void
 mac_create_mount(struct ucred *cred, struct mount *mp)
 {
 
- MAC_PERFORM(create_mount, cred, mp, &mp->mnt_mntlabel,
- &mp->mnt_fslabel);
+ MAC_PERFORM(create_mount, cred, mp, mp->mnt_mntlabel,
+ mp->mnt_fslabel);
 }
 
 void
 mac_create_root_mount(struct ucred *cred, struct mount *mp)
 {
 
- MAC_PERFORM(create_root_mount, cred, mp, &mp->mnt_mntlabel,
- &mp->mnt_fslabel);
+ MAC_PERFORM(create_root_mount, cred, mp, mp->mnt_mntlabel,
+ mp->mnt_fslabel);
 }
 
 int
@@ -876,7 +932,7 @@ mac_check_mount_stat(struct ucred *cred, struct mount *mount)
 if (!mac_enforce_fs)
 return (0);
 
- MAC_CHECK(check_mount_stat, cred, mount, &mount->mnt_mntlabel);
+ MAC_CHECK(check_mount_stat, cred, mount, mount->mnt_mntlabel);
 return (error);
 }
 
@@ -885,7 +941,7 @@ void
 mac_create_devfs_device(struct mount *mp, dev_t dev, struct devfs_dirent *de)
 {
 
- MAC_PERFORM(create_devfs_device, mp, dev, de, &de->de_label);
+ MAC_PERFORM(create_devfs_device, mp, dev, de, de->de_label);
 }
 
 void
@@ -893,8 +949,8 @@ mac_create_devfs_symlink(struct ucred *cred, struct mount *mp,
 struct devfs_dirent *dd, struct devfs_dirent *de)
 {
 
- MAC_PERFORM(create_devfs_symlink, cred, mp, dd, &dd->de_label, de,
- &de->de_label);
+ MAC_PERFORM(create_devfs_symlink, cred, mp, dd, dd->de_label, de,
+ de->de_label);
 }
 
 void
@@ -903,7 +959,7 @@ mac_create_devfs_directory(struct mount *mp, char *dirname, int dirnamelen,
 {
 
 MAC_PERFORM(create_devfs_directory, mp, dirname, dirnamelen, de,
- &de->de_label);
+ de->de_label);
 }
 
 /*
|