summaryrefslogtreecommitdiffstats
path: root/sys/security/mac
diff options
context:
space:
mode:
Diffstat (limited to 'sys/security/mac')
-rw-r--r--sys/security/mac/mac_framework.c16
-rw-r--r--sys/security/mac/mac_internal.h1
-rw-r--r--sys/security/mac/mac_socket.c75
3 files changed, 70 insertions, 22 deletions
diff --git a/sys/security/mac/mac_framework.c b/sys/security/mac/mac_framework.c
index 6f675cb..3d2a139 100644
--- a/sys/security/mac/mac_framework.c
+++ b/sys/security/mac/mac_framework.c
@@ -179,6 +179,7 @@ static struct sx mac_policy_sx; /* Sleeping entry points. */
struct mac_policy_list_head mac_policy_list;
struct mac_policy_list_head mac_static_policy_list;
+u_int mac_policy_count; /* Registered policy count. */
static void mac_policy_xlock(void);
static void mac_policy_xlock_assert(void);
@@ -351,17 +352,22 @@ mac_policy_getlabeled(struct mac_policy_conf *mpc)
* requiring labels across all policies.
*/
static void
-mac_policy_updateflags(void)
+mac_policy_update(void)
{
struct mac_policy_conf *mpc;
mac_policy_xlock_assert();
mac_labeled = 0;
- LIST_FOREACH(mpc, &mac_static_policy_list, mpc_list)
+ mac_policy_count = 0;
+ LIST_FOREACH(mpc, &mac_static_policy_list, mpc_list) {
mac_labeled |= mac_policy_getlabeled(mpc);
- LIST_FOREACH(mpc, &mac_policy_list, mpc_list)
+ mac_policy_count++;
+ }
+ LIST_FOREACH(mpc, &mac_policy_list, mpc_list) {
mac_labeled |= mac_policy_getlabeled(mpc);
+ mac_policy_count++;
+ }
}
static int
@@ -434,7 +440,7 @@ mac_policy_register(struct mac_policy_conf *mpc)
*/
if (mpc->mpc_ops->mpo_init != NULL)
(*(mpc->mpc_ops->mpo_init))(mpc);
- mac_policy_updateflags();
+ mac_policy_update();
SDT_PROBE(mac, kernel, policy, register, mpc, 0, 0, 0, 0);
printf("Security policy loaded: %s (%s)\n", mpc->mpc_fullname,
@@ -480,7 +486,7 @@ mac_policy_unregister(struct mac_policy_conf *mpc)
LIST_REMOVE(mpc, mpc_list);
mpc->mpc_runtime_flags &= ~MPC_RUNTIME_FLAG_REGISTERED;
- mac_policy_updateflags();
+ mac_policy_update();
mac_policy_xunlock();
SDT_PROBE(mac, kernel, policy, unregister, mpc, 0, 0, 0, 0);
diff --git a/sys/security/mac/mac_internal.h b/sys/security/mac/mac_internal.h
index 45bd524..39fc404 100644
--- a/sys/security/mac/mac_internal.h
+++ b/sys/security/mac/mac_internal.h
@@ -189,6 +189,7 @@ struct label {
*/
extern struct mac_policy_list_head mac_policy_list;
extern struct mac_policy_list_head mac_static_policy_list;
+extern u_int mac_policy_count;
extern uint64_t mac_labeled;
extern struct mtx mac_ifnet_mtx;
diff --git a/sys/security/mac/mac_socket.c b/sys/security/mac/mac_socket.c
index 25f8dae..704c60b 100644
--- a/sys/security/mac/mac_socket.c
+++ b/sys/security/mac/mac_socket.c
@@ -234,10 +234,13 @@ void
mac_socket_newconn(struct socket *oldso, struct socket *newso)
{
- SOCK_LOCK_ASSERT(oldso);
+ if (mac_policy_count == 0)
+ return;
+ SOCK_LOCK(oldso);
MAC_POLICY_PERFORM_NOSLEEP(socket_newconn, oldso, oldso->so_label,
newso, newso->so_label);
+ SOCK_UNLOCK(oldso);
}
static void
@@ -256,25 +259,30 @@ mac_socketpeer_set_from_mbuf(struct mbuf *m, struct socket *so)
{
struct label *label;
- SOCK_LOCK_ASSERT(so);
-
label = mac_mbuf_to_label(m);
+ SOCK_LOCK(so);
MAC_POLICY_PERFORM_NOSLEEP(socketpeer_set_from_mbuf, m, label, so,
so->so_peerlabel);
+ SOCK_UNLOCK(so);
}
void
mac_socketpeer_set_from_socket(struct socket *oldso, struct socket *newso)
{
+
+ if (mac_policy_count == 0)
+ return;
/*
- * XXXRW: only hold the socket lock on one at a time, as one socket
- * is the original, and one is the new. However, it's called in both
- * directions, so we can't assert the lock here currently.
+ * XXXRW: We want to hold locks on both sockets, but can't currently
+ * due to lock order -- opt to lock the socket where we're accessing
+ * so_label as it's more likely to change.
*/
+ SOCK_LOCK(oldso);
MAC_POLICY_PERFORM_NOSLEEP(socketpeer_set_from_socket, oldso,
oldso->so_label, newso, newso->so_peerlabel);
+ SOCK_UNLOCK(oldso);
}
void
@@ -282,12 +290,15 @@ mac_socket_create_mbuf(struct socket *so, struct mbuf *m)
{
struct label *label;
- SOCK_LOCK_ASSERT(so);
+ if (mac_policy_count == 0)
+ return;
label = mac_mbuf_to_label(m);
+ SOCK_LOCK(so);
MAC_POLICY_PERFORM_NOSLEEP(socket_create_mbuf, so, so->so_label, m,
label);
+ SOCK_UNLOCK(so);
}
MAC_CHECK_PROBE_DEFINE2(socket_check_accept, "struct ucred *",
@@ -298,11 +309,14 @@ mac_socket_check_accept(struct ucred *cred, struct socket *so)
{
int error;
- SOCK_LOCK_ASSERT(so);
+ if (mac_policy_count == 0)
+ return (0);
+ SOCK_LOCK(so);
MAC_POLICY_CHECK_NOSLEEP(socket_check_accept, cred, so,
so->so_label);
MAC_CHECK_PROBE2(socket_check_accept, error, cred, so);
+ SOCK_UNLOCK(so);
return (error);
}
@@ -316,11 +330,14 @@ mac_socket_check_bind(struct ucred *cred, struct socket *so,
{
int error;
- SOCK_LOCK_ASSERT(so);
+ if (mac_policy_count == 0)
+ return (0);
+ SOCK_LOCK(so);
MAC_POLICY_CHECK_NOSLEEP(socket_check_bind, cred, so, so->so_label,
sa);
MAC_CHECK_PROBE3(socket_check_bind, error, cred, so, sa);
+ SOCK_UNLOCK(so);
return (error);
}
@@ -334,11 +351,14 @@ mac_socket_check_connect(struct ucred *cred, struct socket *so,
{
int error;
- SOCK_LOCK_ASSERT(so);
+ if (mac_policy_count == 0)
+ return (0);
+ SOCK_LOCK(so);
MAC_POLICY_CHECK_NOSLEEP(socket_check_connect, cred, so,
so->so_label, sa);
MAC_CHECK_PROBE3(socket_check_connect, error, cred, so, sa);
+ SOCK_UNLOCK(so);
return (error);
}
@@ -368,13 +388,16 @@ mac_socket_check_deliver(struct socket *so, struct mbuf *m)
struct label *label;
int error;
- SOCK_LOCK_ASSERT(so);
+ if (mac_policy_count == 0)
+ return (0);
label = mac_mbuf_to_label(m);
+ SOCK_LOCK(so);
MAC_POLICY_CHECK_NOSLEEP(socket_check_deliver, so, so->so_label, m,
label);
MAC_CHECK_PROBE2(socket_check_deliver, error, so, m);
+ SOCK_UNLOCK(so);
return (error);
}
@@ -387,11 +410,14 @@ mac_socket_check_listen(struct ucred *cred, struct socket *so)
{
int error;
- SOCK_LOCK_ASSERT(so);
+ if (mac_policy_count == 0)
+ return (0);
+ SOCK_LOCK(so);
MAC_POLICY_CHECK_NOSLEEP(socket_check_listen, cred, so,
so->so_label);
MAC_CHECK_PROBE2(socket_check_listen, error, cred, so);
+ SOCK_UNLOCK(so);
return (error);
}
@@ -404,10 +430,13 @@ mac_socket_check_poll(struct ucred *cred, struct socket *so)
{
int error;
- SOCK_LOCK_ASSERT(so);
+ if (mac_policy_count == 0)
+ return (0);
+ SOCK_LOCK(so);
MAC_POLICY_CHECK_NOSLEEP(socket_check_poll, cred, so, so->so_label);
MAC_CHECK_PROBE2(socket_check_poll, error, cred, so);
+ SOCK_UNLOCK(so);
return (error);
}
@@ -420,11 +449,14 @@ mac_socket_check_receive(struct ucred *cred, struct socket *so)
{
int error;
- SOCK_LOCK_ASSERT(so);
+ if (mac_policy_count == 0)
+ return (0);
+ SOCK_LOCK(so);
MAC_POLICY_CHECK_NOSLEEP(socket_check_receive, cred, so,
so->so_label);
MAC_CHECK_PROBE2(socket_check_receive, error, cred, so);
+ SOCK_UNLOCK(so);
return (error);
}
@@ -455,10 +487,13 @@ mac_socket_check_send(struct ucred *cred, struct socket *so)
{
int error;
- SOCK_LOCK_ASSERT(so);
+ if (mac_policy_count == 0)
+ return (0);
+ SOCK_LOCK(so);
MAC_POLICY_CHECK_NOSLEEP(socket_check_send, cred, so, so->so_label);
MAC_CHECK_PROBE2(socket_check_send, error, cred, so);
+ SOCK_UNLOCK(so);
return (error);
}
@@ -471,10 +506,13 @@ mac_socket_check_stat(struct ucred *cred, struct socket *so)
{
int error;
- SOCK_LOCK_ASSERT(so);
+ if (mac_policy_count == 0)
+ return (0);
+ SOCK_LOCK(so);
MAC_POLICY_CHECK_NOSLEEP(socket_check_stat, cred, so, so->so_label);
MAC_CHECK_PROBE2(socket_check_stat, error, cred, so);
+ SOCK_UNLOCK(so);
return (error);
}
@@ -487,11 +525,14 @@ mac_socket_check_visible(struct ucred *cred, struct socket *so)
{
int error;
- SOCK_LOCK_ASSERT(so);
+ if (mac_policy_count == 0)
+ return (0);
+ SOCK_LOCK(so);
MAC_POLICY_CHECK_NOSLEEP(socket_check_visible, cred, so,
so->so_label);
MAC_CHECK_PROBE2(socket_check_visible, error, cred, so);
+ SOCK_UNLOCK(so);
return (error);
}
OpenPOWER on IntegriCloud