Diffstat (limited to 'sys/security/mac')
-rw-r--r--sys/security/mac/mac_framework.h119
-rw-r--r--sys/security/mac/mac_inet.c44
-rw-r--r--sys/security/mac/mac_net.c134
-rw-r--r--sys/security/mac/mac_pipe.c2
-rw-r--r--sys/security/mac/mac_policy.h286
-rw-r--r--sys/security/mac/mac_process.c75
-rw-r--r--sys/security/mac/mac_socket.c117
-rw-r--r--sys/security/mac/mac_system.c2
8 files changed, 384 insertions, 395 deletions
diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h
index 98b04c0..64b4b90 100644
--- a/sys/security/mac/mac_framework.h
+++ b/sys/security/mac/mac_framework.h
@@ -93,23 +93,23 @@ void mac_init_bpfdesc(struct bpf_d *);
void mac_init_cred(struct ucred *);
void mac_init_devfsdirent(struct devfs_dirent *);
void mac_init_ifnet(struct ifnet *);
-int mac_init_inpcb(struct inpcb *, int flag);
+int mac_init_inpcb(struct inpcb *, int);
void mac_init_sysv_msgmsg(struct msg *);
-void mac_init_sysv_msgqueue(struct msqid_kernel*);
-void mac_init_sysv_sem(struct semid_kernel*);
-void mac_init_sysv_shm(struct shmid_kernel*);
-int mac_init_ipq(struct ipq *, int flag);
-int mac_init_socket(struct socket *, int flag);
+void mac_init_sysv_msgqueue(struct msqid_kernel *);
+void mac_init_sysv_sem(struct semid_kernel *);
+void mac_init_sysv_shm(struct shmid_kernel *);
+int mac_init_ipq(struct ipq *, int);
+int mac_init_socket(struct socket *, int);
void mac_init_pipe(struct pipepair *);
void mac_init_posix_sem(struct ksem *);
-int mac_init_mbuf(struct mbuf *mbuf, int flag);
-int mac_init_mbuf_tag(struct m_tag *, int flag);
+int mac_init_mbuf(struct mbuf *, int);
+int mac_init_mbuf_tag(struct m_tag *, int);
void mac_init_mount(struct mount *);
void mac_init_proc(struct proc *);
void mac_init_vnode(struct vnode *);
-void mac_copy_mbuf(struct mbuf *m_from, struct mbuf *m_to);
+void mac_copy_mbuf(struct mbuf *, struct mbuf *);
void mac_copy_mbuf_tag(struct m_tag *, struct m_tag *);
-void mac_copy_vnode_label(struct label *, struct label *label);
+void mac_copy_vnode_label(struct label *, struct label *);
void mac_destroy_bpfdesc(struct bpf_d *);
void mac_destroy_cred(struct ucred *);
void mac_destroy_devfsdirent(struct devfs_dirent *);
@@ -129,9 +129,9 @@ void mac_destroy_mount(struct mount *);
void mac_destroy_vnode(struct vnode *);
struct label *mac_cred_label_alloc(void);
-void mac_cred_label_free(struct label *label);
+void mac_cred_label_free(struct label *);
struct label *mac_vnode_label_alloc(void);
-void mac_vnode_label_free(struct label *label);
+void mac_vnode_label_free(struct label *);
/*
* Labeling event operations: file system objects, and things that look a lot
@@ -159,13 +159,12 @@ void mac_update_devfsdirent(struct mount *mp, struct devfs_dirent *de,
* Labeling event operations: IPC objects.
*/
void mac_create_mbuf_from_socket(struct socket *so, struct mbuf *m);
-void mac_create_socket(struct ucred *cred, struct socket *socket);
-void mac_create_socket_from_socket(struct socket *oldsocket,
- struct socket *newsocket);
-void mac_set_socket_peer_from_mbuf(struct mbuf *mbuf,
- struct socket *socket);
-void mac_set_socket_peer_from_socket(struct socket *oldsocket,
- struct socket *newsocket);
+void mac_create_socket(struct ucred *cred, struct socket *so);
+void mac_create_socket_from_socket(struct socket *oldso,
+ struct socket *newso);
+void mac_set_socket_peer_from_mbuf(struct mbuf *m, struct socket *so);
+void mac_set_socket_peer_from_socket(struct socket *oldso,
+ struct socket *newso);
void mac_create_pipe(struct ucred *cred, struct pipepair *pp);
/*
@@ -188,29 +187,29 @@ void mac_create_posix_sem(struct ucred *cred, struct ksem *ksemptr);
/*
* Labeling event operations: network objects.
*/
-void mac_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d);
+void mac_create_bpfdesc(struct ucred *cred, struct bpf_d *d);
void mac_create_ifnet(struct ifnet *ifp);
void mac_create_inpcb_from_socket(struct socket *so, struct inpcb *inp);
-void mac_create_ipq(struct mbuf *fragment, struct ipq *ipq);
-void mac_create_datagram_from_ipq(struct ipq *ipq, struct mbuf *datagram);
-void mac_create_fragment(struct mbuf *datagram, struct mbuf *fragment);
+void mac_create_ipq(struct mbuf *m, struct ipq *ipq);
+void mac_create_datagram_from_ipq(struct ipq *ipq, struct mbuf *m);
+void mac_create_fragment(struct mbuf *m, struct mbuf *frag);
void mac_create_mbuf_from_inpcb(struct inpcb *inp, struct mbuf *m);
-void mac_create_mbuf_linklayer(struct ifnet *ifnet, struct mbuf *m);
-void mac_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct mbuf *m);
-void mac_create_mbuf_from_ifnet(struct ifnet *ifnet, struct mbuf *m);
-void mac_create_mbuf_multicast_encap(struct mbuf *oldmbuf,
- struct ifnet *ifnet, struct mbuf *newmbuf);
-void mac_create_mbuf_netlayer(struct mbuf *oldmbuf, struct mbuf *newmbuf);
-int mac_fragment_match(struct mbuf *fragment, struct ipq *ipq);
+void mac_create_mbuf_linklayer(struct ifnet *ifp, struct mbuf *m);
+void mac_create_mbuf_from_bpfdesc(struct bpf_d *d, struct mbuf *m);
+void mac_create_mbuf_from_ifnet(struct ifnet *ifp, struct mbuf *m);
+void mac_create_mbuf_multicast_encap(struct mbuf *m, struct ifnet *ifp,
+ struct mbuf *mnew);
+void mac_create_mbuf_netlayer(struct mbuf *m, struct mbuf *mnew);
+int mac_fragment_match(struct mbuf *m, struct ipq *ipq);
void mac_reflect_mbuf_icmp(struct mbuf *m);
void mac_reflect_mbuf_tcp(struct mbuf *m);
-void mac_update_ipq(struct mbuf *fragment, struct ipq *ipq);
+void mac_update_ipq(struct mbuf *m, struct ipq *ipq);
void mac_inpcb_sosetlabel(struct socket *so, struct inpcb *inp);
void mac_create_mbuf_from_firewall(struct mbuf *m);
-void mac_destroy_syncache(struct label **label);
-int mac_init_syncache(struct label **label);
-void mac_init_syncache_from_inpcb(struct label *label, struct inpcb *inp);
-void mac_create_mbuf_from_syncache(struct label *sc_label, struct mbuf *m);
+void mac_destroy_syncache(struct label **l);
+int mac_init_syncache(struct label **l);
+void mac_init_syncache_from_inpcb(struct label *l, struct inpcb *inp);
+void mac_create_mbuf_from_syncache(struct label *l, struct mbuf *m);
/*
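Review bot: The four syncache prototypes at the end of this hunk now call their label parameter `l`, but the definition of mac_create_mbuf_from_syncache in mac_inet.c (touched later in this same commit) keeps `sc_label`, and so does the mpo_create_mbuf_from_syncache_t typedef in mac_policy.h. The compiler does not care that a prototype and its definition use different parameter names, so this is purely a consistency point, but since the commit exists to normalize names it is worth picking one spelling and using it at all three sites. The least churn is to keep the definition's name in the prototype: `void mac_create_mbuf_from_syncache(struct label *sc_label, struct mbuf *m);`.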
* Labeling event operations: processes.
@@ -218,10 +217,10 @@ void mac_create_mbuf_from_syncache(struct label *sc_label, struct mbuf *m);
void mac_copy_cred(struct ucred *cr1, struct ucred *cr2);
int mac_execve_enter(struct image_params *imgp, struct mac *mac_p);
void mac_execve_exit(struct image_params *imgp);
-void mac_execve_transition(struct ucred *old, struct ucred *new,
+void mac_execve_transition(struct ucred *oldcred, struct ucred *newcred,
struct vnode *vp, struct label *interpvnodelabel,
struct image_params *imgp);
-int mac_execve_will_transition(struct ucred *old, struct vnode *vp,
+int mac_execve_will_transition(struct ucred *cred, struct vnode *vp,
struct label *interpvnodelabel, struct image_params *imgp);
void mac_create_proc0(struct ucred *cred);
void mac_create_proc1(struct ucred *cred);
@@ -246,9 +245,9 @@ void mac_cleanup_sysv_shm(struct shmid_kernel *shmsegptr);
/*
* Access control checks.
*/
-int mac_check_bpfdesc_receive(struct bpf_d *bpf_d, struct ifnet *ifnet);
-int mac_check_cred_visible(struct ucred *u1, struct ucred *u2);
-int mac_check_ifnet_transmit(struct ifnet *ifnet, struct mbuf *m);
+int mac_check_bpfdesc_receive(struct bpf_d *d, struct ifnet *ifp);
+int mac_check_cred_visible(struct ucred *cr1, struct ucred *cr2);
+int mac_check_ifnet_transmit(struct ifnet *ifp, struct mbuf *m);
int mac_check_inpcb_deliver(struct inpcb *inp, struct mbuf *m);
int mac_check_sysv_msgmsq(struct ucred *cred, struct msg *msgptr,
struct msqid_kernel *msqkptr);
@@ -295,38 +294,38 @@ int mac_check_posix_sem_open(struct ucred *cred, struct ksem *ksemptr);
int mac_check_posix_sem_post(struct ucred *cred, struct ksem *ksemptr);
int mac_check_posix_sem_unlink(struct ucred *cred, struct ksem *ksemptr);
int mac_check_posix_sem_wait(struct ucred *cred, struct ksem *ksemptr);
-int mac_check_proc_debug(struct ucred *cred, struct proc *proc);
-int mac_check_proc_sched(struct ucred *cred, struct proc *proc);
+int mac_check_proc_debug(struct ucred *cred, struct proc *p);
+int mac_check_proc_sched(struct ucred *cred, struct proc *p);
int mac_check_proc_setaudit(struct ucred *cred, struct auditinfo *ai);
int mac_check_proc_setauid(struct ucred *cred, uid_t auid);
-int mac_check_proc_setuid(struct proc *proc, struct ucred *cred,
+int mac_check_proc_setuid(struct proc *p, struct ucred *cred,
uid_t uid);
-int mac_check_proc_seteuid(struct proc *proc, struct ucred *cred,
+int mac_check_proc_seteuid(struct proc *p, struct ucred *cred,
uid_t euid);
-int mac_check_proc_setgid(struct proc *proc, struct ucred *cred,
+int mac_check_proc_setgid(struct proc *p, struct ucred *cred,
gid_t gid);
-int mac_check_proc_setegid(struct proc *proc, struct ucred *cred,
+int mac_check_proc_setegid(struct proc *p, struct ucred *cred,
gid_t egid);
-int mac_check_proc_setgroups(struct proc *proc, struct ucred *cred,
+int mac_check_proc_setgroups(struct proc *p, struct ucred *cred,
int ngroups, gid_t *gidset);
-int mac_check_proc_setreuid(struct proc *proc, struct ucred *cred,
+int mac_check_proc_setreuid(struct proc *p, struct ucred *cred,
uid_t ruid, uid_t euid);
-int mac_check_proc_setregid(struct proc *proc, struct ucred *cred,
+int mac_check_proc_setregid(struct proc *p, struct ucred *cred,
gid_t rgid, gid_t egid);
-int mac_check_proc_setresuid(struct proc *proc, struct ucred *cred,
+int mac_check_proc_setresuid(struct proc *p, struct ucred *cred,
uid_t ruid, uid_t euid, uid_t suid);
-int mac_check_proc_setresgid(struct proc *proc, struct ucred *cred,
+int mac_check_proc_setresgid(struct proc *p, struct ucred *cred,
gid_t rgid, gid_t egid, gid_t sgid);
-int mac_check_proc_signal(struct ucred *cred, struct proc *proc,
+int mac_check_proc_signal(struct ucred *cred, struct proc *p,
int signum);
-int mac_check_proc_wait(struct ucred *cred, struct proc *proc);
+int mac_check_proc_wait(struct ucred *cred, struct proc *p);
int mac_check_socket_accept(struct ucred *cred, struct socket *so);
int mac_check_socket_bind(struct ucred *cred, struct socket *so,
- struct sockaddr *sockaddr);
+ struct sockaddr *sa);
int mac_check_socket_connect(struct ucred *cred, struct socket *so,
- struct sockaddr *sockaddr);
+ struct sockaddr *sa);
int mac_check_socket_create(struct ucred *cred, int domain, int type,
- int protocol);
+ int proto);
int mac_check_socket_deliver(struct socket *so, struct mbuf *m);
int mac_check_socket_listen(struct ucred *cred, struct socket *so);
int mac_check_socket_poll(struct ucred *cred, struct socket *so);
@@ -367,8 +366,8 @@ int mac_check_vnode_listextattr(struct ucred *cred, struct vnode *vp,
int attrnamespace);
int mac_check_vnode_lookup(struct ucred *cred, struct vnode *dvp,
struct componentname *cnp);
-int mac_check_vnode_mmap(struct ucred *cred, struct vnode *vp,
- int prot, int flags);
+int mac_check_vnode_mmap(struct ucred *cred, struct vnode *vp, int prot,
+ int flags);
int mac_check_vnode_mprotect(struct ucred *cred, struct vnode *vp,
int prot);
int mac_check_vnode_open(struct ucred *cred, struct vnode *vp,
@@ -405,9 +404,9 @@ int mac_getsockopt_label(struct ucred *cred, struct socket *so,
int mac_getsockopt_peerlabel(struct ucred *cred, struct socket *so,
struct mac *extmac);
int mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr,
- struct ifnet *ifnet);
+ struct ifnet *ifp);
int mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr,
- struct ifnet *ifnet);
+ struct ifnet *ifp);
int mac_setsockopt_label(struct ucred *cred, struct socket *so,
struct mac *extmac);
int mac_pipe_label_set(struct ucred *cred, struct pipepair *pp,
diff --git a/sys/security/mac/mac_inet.c b/sys/security/mac/mac_inet.c
index b1d8df2..7704d73 100644
--- a/sys/security/mac/mac_inet.c
+++ b/sys/security/mac/mac_inet.c
@@ -163,36 +163,34 @@ mac_create_inpcb_from_socket(struct socket *so, struct inpcb *inp)
}
void
-mac_create_datagram_from_ipq(struct ipq *ipq, struct mbuf *datagram)
+mac_create_datagram_from_ipq(struct ipq *ipq, struct mbuf *m)
{
struct label *label;
- label = mac_mbuf_to_label(datagram);
+ label = mac_mbuf_to_label(m);
- MAC_PERFORM(create_datagram_from_ipq, ipq, ipq->ipq_label,
- datagram, label);
+ MAC_PERFORM(create_datagram_from_ipq, ipq, ipq->ipq_label, m, label);
}
void
-mac_create_fragment(struct mbuf *datagram, struct mbuf *fragment)
+mac_create_fragment(struct mbuf *m, struct mbuf *frag)
{
- struct label *datagramlabel, *fragmentlabel;
+ struct label *mlabel, *fraglabel;
- datagramlabel = mac_mbuf_to_label(datagram);
- fragmentlabel = mac_mbuf_to_label(fragment);
+ mlabel = mac_mbuf_to_label(m);
+ fraglabel = mac_mbuf_to_label(frag);
- MAC_PERFORM(create_fragment, datagram, datagramlabel, fragment,
- fragmentlabel);
+ MAC_PERFORM(create_fragment, m, mlabel, frag, fraglabel);
}
void
-mac_create_ipq(struct mbuf *fragment, struct ipq *ipq)
+mac_create_ipq(struct mbuf *m, struct ipq *ipq)
{
struct label *label;
- label = mac_mbuf_to_label(fragment);
+ label = mac_mbuf_to_label(m);
- MAC_PERFORM(create_ipq, fragment, label, ipq, ipq->ipq_label);
+ MAC_PERFORM(create_ipq, m, label, ipq, ipq->ipq_label);
}
void
@@ -207,16 +205,15 @@ mac_create_mbuf_from_inpcb(struct inpcb *inp, struct mbuf *m)
}
int
-mac_fragment_match(struct mbuf *fragment, struct ipq *ipq)
+mac_fragment_match(struct mbuf *m, struct ipq *ipq)
{
struct label *label;
int result;
- label = mac_mbuf_to_label(fragment);
+ label = mac_mbuf_to_label(m);
result = 1;
- MAC_BOOLEAN(fragment_match, &&, fragment, label, ipq,
- ipq->ipq_label);
+ MAC_BOOLEAN(fragment_match, &&, m, label, ipq, ipq->ipq_label);
return (result);
}
@@ -230,6 +227,7 @@ mac_reflect_mbuf_icmp(struct mbuf *m)
MAC_PERFORM(reflect_mbuf_icmp, m, label);
}
+
void
mac_reflect_mbuf_tcp(struct mbuf *m)
{
@@ -241,13 +239,13 @@ mac_reflect_mbuf_tcp(struct mbuf *m)
}
void
-mac_update_ipq(struct mbuf *fragment, struct ipq *ipq)
+mac_update_ipq(struct mbuf *m, struct ipq *ipq)
{
struct label *label;
- label = mac_mbuf_to_label(fragment);
+ label = mac_mbuf_to_label(m);
- MAC_PERFORM(update_ipq, fragment, label, ipq, ipq->ipq_label);
+ MAC_PERFORM(update_ipq, m, label, ipq, ipq->ipq_label);
}
int
@@ -331,9 +329,9 @@ mac_init_syncache_from_inpcb(struct label *label, struct inpcb *inp)
void
mac_create_mbuf_from_syncache(struct label *sc_label, struct mbuf *m)
{
- struct label *mbuf_label;
+ struct label *mlabel;
M_ASSERTPKTHDR(m);
- mbuf_label = mac_mbuf_to_label(m);
- MAC_PERFORM(create_mbuf_from_syncache, sc_label, m, mbuf_label);
+ mlabel = mac_mbuf_to_label(m);
+ MAC_PERFORM(create_mbuf_from_syncache, sc_label, m, mlabel);
}
diff --git a/sys/security/mac/mac_net.c b/sys/security/mac/mac_net.c
index 49e6664..05a0073 100644
--- a/sys/security/mac/mac_net.c
+++ b/sys/security/mac/mac_net.c
@@ -82,14 +82,14 @@ MTX_SYSINIT(mac_ifnet_mtx, &mac_ifnet_mtx, "mac_ifnet", MTX_DEF);
* early loading.
*/
struct label *
-mac_mbuf_to_label(struct mbuf *mbuf)
+mac_mbuf_to_label(struct mbuf *m)
{
struct m_tag *tag;
struct label *label;
- if (mbuf == NULL)
+ if (m == NULL)
return (NULL);
- tag = m_tag_find(mbuf, PACKET_TAG_MACLABEL, NULL);
+ tag = m_tag_find(m, PACKET_TAG_MACLABEL, NULL);
if (tag == NULL)
return (NULL);
label = (struct label *)(tag+1);
@@ -107,10 +107,10 @@ mac_bpfdesc_label_alloc(void)
}
void
-mac_init_bpfdesc(struct bpf_d *bpf_d)
+mac_init_bpfdesc(struct bpf_d *d)
{
- bpf_d->bd_label = mac_bpfdesc_label_alloc();
+ d->bd_label = mac_bpfdesc_label_alloc();
}
static struct label *
@@ -185,11 +185,11 @@ mac_bpfdesc_label_free(struct label *label)
}
void
-mac_destroy_bpfdesc(struct bpf_d *bpf_d)
+mac_destroy_bpfdesc(struct bpf_d *d)
{
- mac_bpfdesc_label_free(bpf_d->bd_label);
- bpf_d->bd_label = NULL;
+ mac_bpfdesc_label_free(d->bd_label);
+ d->bd_label = NULL;
}
static void
@@ -278,123 +278,117 @@ mac_internalize_ifnet_label(struct label *label, char *string)
}
void
-mac_create_ifnet(struct ifnet *ifnet)
+mac_create_ifnet(struct ifnet *ifp)
{
- MAC_IFNET_LOCK(ifnet);
- MAC_PERFORM(create_ifnet, ifnet, ifnet->if_label);
- MAC_IFNET_UNLOCK(ifnet);
+ MAC_IFNET_LOCK(ifp);
+ MAC_PERFORM(create_ifnet, ifp, ifp->if_label);
+ MAC_IFNET_UNLOCK(ifp);
}
void
-mac_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d)
+mac_create_bpfdesc(struct ucred *cred, struct bpf_d *d)
{
- MAC_PERFORM(create_bpfdesc, cred, bpf_d, bpf_d->bd_label);
+ MAC_PERFORM(create_bpfdesc, cred, d, d->bd_label);
}
void
-mac_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct mbuf *mbuf)
+mac_create_mbuf_from_bpfdesc(struct bpf_d *d, struct mbuf *m)
{
struct label *label;
- BPFD_LOCK_ASSERT(bpf_d);
+ BPFD_LOCK_ASSERT(d);
- label = mac_mbuf_to_label(mbuf);
+ label = mac_mbuf_to_label(m);
- MAC_PERFORM(create_mbuf_from_bpfdesc, bpf_d, bpf_d->bd_label, mbuf,
- label);
+ MAC_PERFORM(create_mbuf_from_bpfdesc, d, d->bd_label, m, label);
}
void
-mac_create_mbuf_linklayer(struct ifnet *ifnet, struct mbuf *mbuf)
+mac_create_mbuf_linklayer(struct ifnet *ifp, struct mbuf *m)
{
struct label *label;
- label = mac_mbuf_to_label(mbuf);
+ label = mac_mbuf_to_label(m);
- MAC_IFNET_LOCK(ifnet);
- MAC_PERFORM(create_mbuf_linklayer, ifnet, ifnet->if_label, mbuf,
- label);
- MAC_IFNET_UNLOCK(ifnet);
+ MAC_IFNET_LOCK(ifp);
+ MAC_PERFORM(create_mbuf_linklayer, ifp, ifp->if_label, m, label);
+ MAC_IFNET_UNLOCK(ifp);
}
void
-mac_create_mbuf_from_ifnet(struct ifnet *ifnet, struct mbuf *mbuf)
+mac_create_mbuf_from_ifnet(struct ifnet *ifp, struct mbuf *m)
{
struct label *label;
- label = mac_mbuf_to_label(mbuf);
+ label = mac_mbuf_to_label(m);
- MAC_IFNET_LOCK(ifnet);
- MAC_PERFORM(create_mbuf_from_ifnet, ifnet, ifnet->if_label, mbuf,
- label);
- MAC_IFNET_UNLOCK(ifnet);
+ MAC_IFNET_LOCK(ifp);
+ MAC_PERFORM(create_mbuf_from_ifnet, ifp, ifp->if_label, m, label);
+ MAC_IFNET_UNLOCK(ifp);
}
void
-mac_create_mbuf_multicast_encap(struct mbuf *oldmbuf, struct ifnet *ifnet,
- struct mbuf *newmbuf)
+mac_create_mbuf_multicast_encap(struct mbuf *m, struct ifnet *ifp,
+ struct mbuf *mnew)
{
- struct label *oldmbuflabel, *newmbuflabel;
+ struct label *mlabel, *mnewlabel;
- oldmbuflabel = mac_mbuf_to_label(oldmbuf);
- newmbuflabel = mac_mbuf_to_label(newmbuf);
+ mlabel = mac_mbuf_to_label(m);
+ mnewlabel = mac_mbuf_to_label(mnew);
- MAC_IFNET_LOCK(ifnet);
- MAC_PERFORM(create_mbuf_multicast_encap, oldmbuf, oldmbuflabel,
- ifnet, ifnet->if_label, newmbuf, newmbuflabel);
- MAC_IFNET_UNLOCK(ifnet);
+ MAC_IFNET_LOCK(ifp);
+ MAC_PERFORM(create_mbuf_multicast_encap, m, mlabel, ifp,
+ ifp->if_label, mnew, mnewlabel);
+ MAC_IFNET_UNLOCK(ifp);
}
void
-mac_create_mbuf_netlayer(struct mbuf *oldmbuf, struct mbuf *newmbuf)
+mac_create_mbuf_netlayer(struct mbuf *m, struct mbuf *mnew)
{
- struct label *oldmbuflabel, *newmbuflabel;
+ struct label *mlabel, *mnewlabel;
- oldmbuflabel = mac_mbuf_to_label(oldmbuf);
- newmbuflabel = mac_mbuf_to_label(newmbuf);
+ mlabel = mac_mbuf_to_label(m);
+ mnewlabel = mac_mbuf_to_label(mnew);
- MAC_PERFORM(create_mbuf_netlayer, oldmbuf, oldmbuflabel, newmbuf,
- newmbuflabel);
+ MAC_PERFORM(create_mbuf_netlayer, m, mlabel, mnew, mnewlabel);
}
int
-mac_check_bpfdesc_receive(struct bpf_d *bpf_d, struct ifnet *ifnet)
+mac_check_bpfdesc_receive(struct bpf_d *d, struct ifnet *ifp)
{
int error;
- BPFD_LOCK_ASSERT(bpf_d);
+ BPFD_LOCK_ASSERT(d);
- MAC_IFNET_LOCK(ifnet);
- MAC_CHECK(check_bpfdesc_receive, bpf_d, bpf_d->bd_label, ifnet,
- ifnet->if_label);
- MAC_IFNET_UNLOCK(ifnet);
+ MAC_IFNET_LOCK(ifp);
+ MAC_CHECK(check_bpfdesc_receive, d, d->bd_label, ifp, ifp->if_label);
+ MAC_IFNET_UNLOCK(ifp);
return (error);
}
int
-mac_check_ifnet_transmit(struct ifnet *ifnet, struct mbuf *mbuf)
+mac_check_ifnet_transmit(struct ifnet *ifp, struct mbuf *m)
{
struct label *label;
int error;
- M_ASSERTPKTHDR(mbuf);
+ M_ASSERTPKTHDR(m);
- label = mac_mbuf_to_label(mbuf);
+ label = mac_mbuf_to_label(m);
- MAC_IFNET_LOCK(ifnet);
- MAC_CHECK(check_ifnet_transmit, ifnet, ifnet->if_label, mbuf,
- label);
- MAC_IFNET_UNLOCK(ifnet);
+ MAC_IFNET_LOCK(ifp);
+ MAC_CHECK(check_ifnet_transmit, ifp, ifp->if_label, m, label);
+ MAC_IFNET_UNLOCK(ifp);
return (error);
}
int
mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr,
- struct ifnet *ifnet)
+ struct ifnet *ifp)
{
char *elements, *buffer;
struct label *intlabel;
@@ -418,9 +412,9 @@ mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr,
buffer = malloc(mac.m_buflen, M_MACTEMP, M_WAITOK | M_ZERO);
intlabel = mac_ifnet_label_alloc();
- MAC_IFNET_LOCK(ifnet);
- mac_copy_ifnet_label(ifnet->if_label, intlabel);
- MAC_IFNET_UNLOCK(ifnet);
+ MAC_IFNET_LOCK(ifp);
+ mac_copy_ifnet_label(ifp->if_label, intlabel);
+ MAC_IFNET_UNLOCK(ifp);
error = mac_externalize_ifnet_label(intlabel, elements, buffer,
mac.m_buflen);
mac_ifnet_label_free(intlabel);
@@ -434,8 +428,7 @@ mac_ioctl_ifnet_get(struct ucred *cred, struct ifreq *ifr,
}
int
-mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr,
- struct ifnet *ifnet)
+mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr, struct ifnet *ifp)
{
struct label *intlabel;
struct mac mac;
@@ -476,17 +469,16 @@ mac_ioctl_ifnet_set(struct ucred *cred, struct ifreq *ifr,
return (error);
}
- MAC_IFNET_LOCK(ifnet);
- MAC_CHECK(check_ifnet_relabel, cred, ifnet, ifnet->if_label,
- intlabel);
+ MAC_IFNET_LOCK(ifp);
+ MAC_CHECK(check_ifnet_relabel, cred, ifp, ifp->if_label, intlabel);
if (error) {
- MAC_IFNET_UNLOCK(ifnet);
+ MAC_IFNET_UNLOCK(ifp);
mac_ifnet_label_free(intlabel);
return (error);
}
- MAC_PERFORM(relabel_ifnet, cred, ifnet, ifnet->if_label, intlabel);
- MAC_IFNET_UNLOCK(ifnet);
+ MAC_PERFORM(relabel_ifnet, cred, ifp, ifp->if_label, intlabel);
+ MAC_IFNET_UNLOCK(ifp);
mac_ifnet_label_free(intlabel);
return (0);
diff --git a/sys/security/mac/mac_pipe.c b/sys/security/mac/mac_pipe.c
index 88d181e..6578517 100644
--- a/sys/security/mac/mac_pipe.c
+++ b/sys/security/mac/mac_pipe.c
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 2002, 2003 Networks Associates Technology, Inc.
+ * Copyright (c) 2002-2003 Networks Associates Technology, Inc.
* All rights reserved.
*
* This software was developed for the FreeBSD Project in part by Network
diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h
index 77d3f98..75a55bd 100644
--- a/sys/security/mac/mac_policy.h
+++ b/sys/security/mac/mac_policy.h
@@ -196,65 +196,64 @@ typedef int (*mpo_internalize_vnode_label_t)(struct label *label,
* like file system objects.
*/
typedef void (*mpo_associate_vnode_devfs_t)(struct mount *mp,
- struct label *mntlabel, struct devfs_dirent *de,
+ struct label *mplabel, struct devfs_dirent *de,
struct label *delabel, struct vnode *vp,
- struct label *vlabel);
+ struct label *vplabel);
typedef int (*mpo_associate_vnode_extattr_t)(struct mount *mp,
- struct label *mntlabel, struct vnode *vp,
- struct label *vlabel);
+ struct label *mplabel, struct vnode *vp,
+ struct label *vplabel);
typedef void (*mpo_associate_vnode_singlelabel_t)(struct mount *mp,
- struct label *mntlabel, struct vnode *vp,
- struct label *vlabel);
+ struct label *mplabel, struct vnode *vp,
+ struct label *vplabel);
typedef void (*mpo_create_devfs_device_t)(struct ucred *cred,
struct mount *mp, struct cdev *dev,
- struct devfs_dirent *de, struct label *label);
+ struct devfs_dirent *de, struct label *delabel);
typedef void (*mpo_create_devfs_directory_t)(struct mount *mp,
char *dirname, int dirnamelen, struct devfs_dirent *de,
- struct label *label);
+ struct label *delabel);
typedef void (*mpo_create_devfs_symlink_t)(struct ucred *cred,
struct mount *mp, struct devfs_dirent *dd,
struct label *ddlabel, struct devfs_dirent *de,
struct label *delabel);
typedef int (*mpo_create_vnode_extattr_t)(struct ucred *cred,
- struct mount *mp, struct label *mntlabel,
- struct vnode *dvp, struct label *dlabel,
- struct vnode *vp, struct label *vlabel,
+ struct mount *mp, struct label *mplabel,
+ struct vnode *dvp, struct label *dvplabel,
+ struct vnode *vp, struct label *vplabel,
struct componentname *cnp);
typedef void (*mpo_create_mount_t)(struct ucred *cred, struct mount *mp,
- struct label *mntlabel);
+ struct label *mplabel);
typedef void (*mpo_relabel_vnode_t)(struct ucred *cred, struct vnode *vp,
- struct label *vnodelabel, struct label *label);
+ struct label *vplabel, struct label *label);
typedef int (*mpo_setlabel_vnode_extattr_t)(struct ucred *cred,
- struct vnode *vp, struct label *vlabel,
+ struct vnode *vp, struct label *vplabel,
struct label *intlabel);
typedef void (*mpo_update_devfsdirent_t)(struct mount *mp,
- struct devfs_dirent *devfs_dirent,
- struct label *direntlabel, struct vnode *vp,
- struct label *vnodelabel);
+ struct devfs_dirent *de, struct label *delabel,
+ struct vnode *vp, struct label *vplabel);
/*
* Labeling event operations: IPC objects.
*/
typedef void (*mpo_create_mbuf_from_socket_t)(struct socket *so,
- struct label *socketlabel, struct mbuf *m,
- struct label *mbuflabel);
+ struct label *solabel, struct mbuf *m,
+ struct label *mlabel);
typedef void (*mpo_create_socket_t)(struct ucred *cred, struct socket *so,
- struct label *socketlabel);
-typedef void (*mpo_create_socket_from_socket_t)(struct socket *oldsocket,
- struct label *oldsocketlabel, struct socket *newsocket,
- struct label *newsocketlabel);
+ struct label *solabel);
+typedef void (*mpo_create_socket_from_socket_t)(struct socket *oldso,
+ struct label *oldsolabel, struct socket *newso,
+ struct label *newsolabel);
typedef void (*mpo_relabel_socket_t)(struct ucred *cred, struct socket *so,
struct label *oldlabel, struct label *newlabel);
typedef void (*mpo_relabel_pipe_t)(struct ucred *cred, struct pipepair *pp,
struct label *oldlabel, struct label *newlabel);
-typedef void (*mpo_set_socket_peer_from_mbuf_t)(struct mbuf *mbuf,
- struct label *mbuflabel, struct socket *so,
- struct label *socketpeerlabel);
-typedef void (*mpo_set_socket_peer_from_socket_t)(struct socket *oldsocket,
- struct label *oldsocketlabel, struct socket *newsocket,
- struct label *newsocketpeerlabel);
+typedef void (*mpo_set_socket_peer_from_mbuf_t)(struct mbuf *m,
+ struct label *mlabel, struct socket *so,
+ struct label *sopeerlabel);
+typedef void (*mpo_set_socket_peer_from_socket_t)(struct socket *oldso,
+ struct label *oldsolabel, struct socket *newso,
+ struct label *newsopeerlabel);
typedef void (*mpo_create_pipe_t)(struct ucred *cred, struct pipepair *pp,
- struct label *pipelabel);
+ struct label *pplabel);
/*
* Labeling event operations: System V IPC primitives.
@@ -279,53 +278,49 @@ typedef void (*mpo_create_posix_sem_t)(struct ucred *cred,
* Labeling event operations: network objects.
*/
typedef void (*mpo_create_bpfdesc_t)(struct ucred *cred,
- struct bpf_d *bpf_d, struct label *bpflabel);
-typedef void (*mpo_create_ifnet_t)(struct ifnet *ifnet,
- struct label *ifnetlabel);
+ struct bpf_d *d, struct label *dlabel);
+typedef void (*mpo_create_ifnet_t)(struct ifnet *ifp,
+ struct label *ifplabel);
typedef void (*mpo_create_inpcb_from_socket_t)(struct socket *so,
struct label *solabel, struct inpcb *inp,
struct label *inplabel);
-typedef void (*mpo_create_ipq_t)(struct mbuf *fragment,
- struct label *fragmentlabel, struct ipq *ipq,
- struct label *ipqlabel);
+typedef void (*mpo_create_ipq_t)(struct mbuf *m, struct label *mlabel,
+ struct ipq *ipq, struct label *ipqlabel);
typedef void (*mpo_create_datagram_from_ipq)
- (struct ipq *ipq, struct label *ipqlabel,
- struct mbuf *datagram, struct label *datagramlabel);
-typedef void (*mpo_create_fragment_t)(struct mbuf *datagram,
- struct label *datagramlabel, struct mbuf *fragment,
- struct label *fragmentlabel);
+ (struct ipq *ipq, struct label *ipqlabel, struct mbuf *m,
+ struct label *mlabel);
+typedef void (*mpo_create_fragment_t)(struct mbuf *m,
+ struct label *mlabel, struct mbuf *frag,
+ struct label *fraglabel);
typedef void (*mpo_create_mbuf_from_inpcb_t)(struct inpcb *inp,
struct label *inplabel, struct mbuf *m,
struct label *mlabel);
-typedef void (*mpo_create_mbuf_linklayer_t)(struct ifnet *ifnet,
- struct label *ifnetlabel, struct mbuf *mbuf,
- struct label *mbuflabel);
-typedef void (*mpo_create_mbuf_from_bpfdesc_t)(struct bpf_d *bpf_d,
- struct label *bpflabel, struct mbuf *mbuf,
- struct label *mbuflabel);
-typedef void (*mpo_create_mbuf_from_ifnet_t)(struct ifnet *ifnet,
- struct label *ifnetlabel, struct mbuf *mbuf,
- struct label *mbuflabel);
-typedef void (*mpo_create_mbuf_multicast_encap_t)(struct mbuf *oldmbuf,
- struct label *oldmbuflabel, struct ifnet *ifnet,
- struct label *ifnetlabel, struct mbuf *newmbuf,
- struct label *newmbuflabel);
-typedef void (*mpo_create_mbuf_netlayer_t)(struct mbuf *oldmbuf,
- struct label *oldmbuflabel, struct mbuf *newmbuf,
- struct label *newmbuflabel);
-typedef int (*mpo_fragment_match_t)(struct mbuf *fragment,
- struct label *fragmentlabel, struct ipq *ipq,
- struct label *ipqlabel);
+typedef void (*mpo_create_mbuf_linklayer_t)(struct ifnet *ifp,
+ struct label *ifplabel, struct mbuf *m,
+ struct label *mlabel);
+typedef void (*mpo_create_mbuf_from_bpfdesc_t)(struct bpf_d *d,
+ struct label *dlabel, struct mbuf *m,
+ struct label *mlabel);
+typedef void (*mpo_create_mbuf_from_ifnet_t)(struct ifnet *ifp,
+ struct label *ifplabel, struct mbuf *m,
+ struct label *mlabel);
+typedef void (*mpo_create_mbuf_multicast_encap_t)(struct mbuf *m,
+ struct label *mlabel, struct ifnet *ifp,
+ struct label *ifplabel, struct mbuf *mnew,
+ struct label *mnewlabel);
+typedef void (*mpo_create_mbuf_netlayer_t)(struct mbuf *m,
+ struct label *mlabel, struct mbuf *mnew,
+ struct label *mnewlabel);
+typedef int (*mpo_fragment_match_t)(struct mbuf *m, struct label *mlabel,
+ struct ipq *ipq, struct label *ipqlabel);
typedef void (*mpo_reflect_mbuf_icmp_t)(struct mbuf *m,
struct label *mlabel);
typedef void (*mpo_reflect_mbuf_tcp_t)(struct mbuf *m,
struct label *mlabel);
-typedef void (*mpo_relabel_ifnet_t)(struct ucred *cred,
- struct ifnet *ifnet, struct label *ifnetlabel,
- struct label *newlabel);
-typedef void (*mpo_update_ipq_t)(struct mbuf *fragment,
- struct label *fragmentlabel, struct ipq *ipq,
- struct label *ipqlabel);
+typedef void (*mpo_relabel_ifnet_t)(struct ucred *cred, struct ifnet *ifp,
+ struct label *ifplabel, struct label *newlabel);
+typedef void (*mpo_update_ipq_t)(struct mbuf *m, struct label *mlabel,
+ struct ipq *ipq, struct label *ipqlabel);
typedef void (*mpo_inpcb_sosetlabel_t)(struct socket *so,
struct label *label, struct inpcb *inp,
struct label *inplabel);
@@ -337,16 +332,16 @@ typedef int (*mpo_init_syncache_label_t)(struct label *label, int flag);
typedef void (*mpo_init_syncache_from_inpcb_t)(struct label *label,
struct inpcb *inp);
typedef void (*mpo_create_mbuf_from_syncache_t)(struct label *sc_label,
- struct mbuf *m, struct label *mbuf_label);
+ struct mbuf *m, struct label *mlabel);
/*
* Labeling event operations: processes.
*/
typedef void (*mpo_execve_transition_t)(struct ucred *old,
struct ucred *new, struct vnode *vp,
- struct label *vnodelabel, struct label *interpvnodelabel,
+ struct label *vplabel, struct label *interpvnodelabel,
struct image_params *imgp, struct label *execlabel);
typedef int (*mpo_execve_will_transition_t)(struct ucred *old,
- struct vnode *vp, struct label *vnodelabel,
+ struct vnode *vp, struct label *vplabel,
struct label *interpvnodelabel,
struct image_params *imgp, struct label *execlabel);
typedef void (*mpo_create_proc0_t)(struct ucred *cred);
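Review bot: The mpo_execve_transition_t and mpo_execve_will_transition_t typedefs in this hunk still take `struct ucred *old, struct ucred *new` while the corresponding mac_framework.h prototypes were renamed to `oldcred`/`newcred` earlier in this commit, so the two headers now disagree on the names for the same entry points. `new` is also a reserved word in C++; whether this header is ever included from C++ is not visible in the diff, but renaming removes the question. Suggest `typedef void (*mpo_execve_transition_t)(struct ucred *oldcred,` / `struct ucred *newcred, struct vnode *vp,` and `typedef int (*mpo_execve_will_transition_t)(struct ucred *oldcred,` for the two typedefs.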
@@ -358,19 +353,19 @@ typedef void (*mpo_thread_userret_t)(struct thread *thread);
/*
* Access control checks.
*/
-typedef int (*mpo_check_bpfdesc_receive_t)(struct bpf_d *bpf_d,
- struct label *bpflabel, struct ifnet *ifnet,
- struct label *ifnetlabel);
+typedef int (*mpo_check_bpfdesc_receive_t)(struct bpf_d *d,
+ struct label *dlabel, struct ifnet *ifp,
+ struct label *ifplabel);
typedef int (*mpo_check_cred_relabel_t)(struct ucred *cred,
struct label *newlabel);
-typedef int (*mpo_check_cred_visible_t)(struct ucred *u1,
- struct ucred *u2);
+typedef int (*mpo_check_cred_visible_t)(struct ucred *cr1,
+ struct ucred *cr2);
typedef int (*mpo_check_ifnet_relabel_t)(struct ucred *cred,
- struct ifnet *ifnet, struct label *ifnetlabel,
+ struct ifnet *ifp, struct label *ifplabel,
struct label *newlabel);
-typedef int (*mpo_check_ifnet_transmit_t)(struct ifnet *ifnet,
- struct label *ifnetlabel, struct mbuf *m,
- struct label *mbuflabel);
+typedef int (*mpo_check_ifnet_transmit_t)(struct ifnet *ifp,
+ struct label *ifplabel, struct mbuf *m,
+ struct label *mlabel);
typedef int (*mpo_check_inpcb_deliver_t)(struct inpcb *inp,
struct label *inplabel, struct mbuf *m,
struct label *mlabel);
@@ -416,27 +411,27 @@ typedef int (*mpo_check_kenv_set_t)(struct ucred *cred, char *name,
char *value);
typedef int (*mpo_check_kenv_unset_t)(struct ucred *cred, char *name);
typedef int (*mpo_check_kld_load_t)(struct ucred *cred, struct vnode *vp,
- struct label *vlabel);
+ struct label *vplabel);
typedef int (*mpo_check_kld_stat_t)(struct ucred *cred);
typedef int (*mpo_mpo_placeholder19_t)(void);
typedef int (*mpo_mpo_placeholder20_t)(void);
typedef int (*mpo_check_mount_stat_t)(struct ucred *cred,
- struct mount *mp, struct label *mntlabel);
+ struct mount *mp, struct label *mplabel);
typedef int (*mpo_mpo_placeholder21_t)(void);
typedef int (*mpo_check_pipe_ioctl_t)(struct ucred *cred,
- struct pipepair *pp, struct label *pipelabel,
+ struct pipepair *pp, struct label *pplabel,
unsigned long cmd, void *data);
typedef int (*mpo_check_pipe_poll_t)(struct ucred *cred,
- struct pipepair *pp, struct label *pipelabel);
+ struct pipepair *pp, struct label *pplabel);
typedef int (*mpo_check_pipe_read_t)(struct ucred *cred,
- struct pipepair *pp, struct label *pipelabel);
+ struct pipepair *pp, struct label *pplabel);
typedef int (*mpo_check_pipe_relabel_t)(struct ucred *cred,
- struct pipepair *pp, struct label *pipelabel,
+ struct pipepair *pp, struct label *pplabel,
struct label *newlabel);
typedef int (*mpo_check_pipe_stat_t)(struct ucred *cred,
- struct pipepair *pp, struct label *pipelabel);
+ struct pipepair *pp, struct label *pplabel);
typedef int (*mpo_check_pipe_write_t)(struct ucred *cred,
- struct pipepair *pp, struct label *pipelabel);
+ struct pipepair *pp, struct label *pplabel);
typedef int (*mpo_check_posix_sem_destroy_t)(struct ucred *cred,
struct ksem *ksemptr, struct label *ks_label);
typedef int (*mpo_check_posix_sem_getvalue_t)(struct ucred *cred,
@@ -450,9 +445,9 @@ typedef int (*mpo_check_posix_sem_unlink_t)(struct ucred *cred,
typedef int (*mpo_check_posix_sem_wait_t)(struct ucred *cred,
struct ksem *ksemptr, struct label *ks_label);
typedef int (*mpo_check_proc_debug_t)(struct ucred *cred,
- struct proc *proc);
+ struct proc *p);
typedef int (*mpo_check_proc_sched_t)(struct ucred *cred,
- struct proc *proc);
+ struct proc *p);
typedef int (*mpo_check_proc_setaudit_t)(struct ucred *cred,
struct auditinfo *ai);
typedef int (*mpo_check_proc_setauid_t)(struct ucred *cred, uid_t auid);
@@ -475,35 +470,35 @@ typedef int (*mpo_check_proc_signal_t)(struct ucred *cred,
typedef int (*mpo_check_proc_wait_t)(struct ucred *cred,
struct proc *proc);
typedef int (*mpo_check_socket_accept_t)(struct ucred *cred,
- struct socket *so, struct label *socketlabel);
+ struct socket *so, struct label *solabel);
typedef int (*mpo_check_socket_bind_t)(struct ucred *cred,
- struct socket *so, struct label *socketlabel,
- struct sockaddr *sockaddr);
+ struct socket *so, struct label *solabel,
+ struct sockaddr *sa);
typedef int (*mpo_check_socket_connect_t)(struct ucred *cred,
- struct socket *so, struct label *socketlabel,
- struct sockaddr *sockaddr);
+ struct socket *so, struct label *solabel,
+ struct sockaddr *sa);
typedef int (*mpo_check_socket_create_t)(struct ucred *cred, int domain,
int type, int protocol);
typedef int (*mpo_check_socket_deliver_t)(struct socket *so,
- struct label *socketlabel, struct mbuf *m,
- struct label *mbuflabel);
+ struct label *solabel, struct mbuf *m,
+ struct label *mlabel);
typedef int (*mpo_check_socket_listen_t)(struct ucred *cred,
- struct socket *so, struct label *socketlabel);
+ struct socket *so, struct label *solabel);
typedef int (*mpo_check_socket_poll_t)(struct ucred *cred,
- struct socket *so, struct label *socketlabel);
+ struct socket *so, struct label *solabel);
typedef int (*mpo_check_socket_receive_t)(struct ucred *cred,
- struct socket *so, struct label *socketlabel);
+ struct socket *so, struct label *solabel);
typedef int (*mpo_check_socket_relabel_t)(struct ucred *cred,
- struct socket *so, struct label *socketlabel,
+ struct socket *so, struct label *solabel,
struct label *newlabel);
typedef int (*mpo_check_socket_send_t)(struct ucred *cred,
- struct socket *so, struct label *socketlabel);
+ struct socket *so, struct label *solabel);
typedef int (*mpo_check_socket_stat_t)(struct ucred *cred,
- struct socket *so, struct label *socketlabel);
+ struct socket *so, struct label *solabel);
typedef int (*mpo_check_socket_visible_t)(struct ucred *cred,
- struct socket *so, struct label *socketlabel);
+ struct socket *so, struct label *solabel);
typedef int (*mpo_check_system_acct_t)(struct ucred *cred,
- struct vnode *vp, struct label *vlabel);
+ struct vnode *vp, struct label *vplabel);
typedef int (*mpo_check_system_audit_t)(struct ucred *cred, void *record,
int length);
typedef int (*mpo_check_system_auditctl_t)(struct ucred *cred,
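Review bot: The rename is incomplete at the top of this hunk: `mpo_check_proc_wait_t` (the context lines right after the `@@` header) still declares `struct proc *proc`, while `mpo_check_proc_debug_t` and `mpo_check_proc_sched_t` were changed to `struct proc *p` in the previous hunk. Since these are typedef prototypes the names have no effect on the ABI, so this is purely a consistency point, but leaving one `proc` among a set of `p` parameters defeats the purpose of the sweep. Suggest changing the second line to `struct proc *p);`.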
@@ -511,101 +506,104 @@ typedef int (*mpo_check_system_auditctl_t)(struct ucred *cred,
typedef int (*mpo_check_system_auditon_t)(struct ucred *cred, int cmd);
typedef int (*mpo_check_system_reboot_t)(struct ucred *cred, int howto);
typedef int (*mpo_check_system_swapon_t)(struct ucred *cred,
- struct vnode *vp, struct label *label);
+ struct vnode *vp, struct label *vplabel);
typedef int (*mpo_check_system_swapoff_t)(struct ucred *cred,
- struct vnode *vp, struct label *label);
+ struct vnode *vp, struct label *vplabel);
typedef int (*mpo_check_system_sysctl_t)(struct ucred *cred,
struct sysctl_oid *oidp, void *arg1, int arg2,
struct sysctl_req *req);
typedef int (*mpo_check_vnode_access_t)(struct ucred *cred,
- struct vnode *vp, struct label *label, int acc_mode);
+ struct vnode *vp, struct label *vplabel, int acc_mode);
typedef int (*mpo_check_vnode_chdir_t)(struct ucred *cred,
- struct vnode *dvp, struct label *dlabel);
+ struct vnode *dvp, struct label *dvplabel);
typedef int (*mpo_check_vnode_chroot_t)(struct ucred *cred,
- struct vnode *dvp, struct label *dlabel);
+ struct vnode *dvp, struct label *dvplabel);
typedef int (*mpo_check_vnode_create_t)(struct ucred *cred,
- struct vnode *dvp, struct label *dlabel,
+ struct vnode *dvp, struct label *dvplabel,
struct componentname *cnp, struct vattr *vap);
typedef int (*mpo_check_vnode_delete_t)(struct ucred *cred,
- struct vnode *dvp, struct label *dlabel,
- struct vnode *vp, struct label *label,
+ struct vnode *dvp, struct label *dvplabel,
+ struct vnode *vp, struct label *vplabel,
struct componentname *cnp);
typedef int (*mpo_check_vnode_deleteacl_t)(struct ucred *cred,
- struct vnode *vp, struct label *label, acl_type_t type);
+ struct vnode *vp, struct label *vplabel,
+ acl_type_t type);
typedef int (*mpo_check_vnode_deleteextattr_t)(struct ucred *cred,
- struct vnode *vp, struct label *label, int attrnamespace,
- const char *name);
+ struct vnode *vp, struct label *vplabel,
+ int attrnamespace, const char *name);
typedef int (*mpo_check_vnode_exec_t)(struct ucred *cred,
- struct vnode *vp, struct label *label,
+ struct vnode *vp, struct label *vplabel,
struct image_params *imgp, struct label *execlabel);
typedef int (*mpo_check_vnode_getacl_t)(struct ucred *cred,
- struct vnode *vp, struct label *label, acl_type_t type);
+ struct vnode *vp, struct label *vplabel,
+ acl_type_t type);
typedef int (*mpo_check_vnode_getextattr_t)(struct ucred *cred,
- struct vnode *vp, struct label *label, int attrnamespace,
- const char *name, struct uio *uio);
+ struct vnode *vp, struct label *vplabel,
+ int attrnamespace, const char *name, struct uio *uio);
typedef int (*mpo_check_vnode_link_t)(struct ucred *cred,
- struct vnode *dvp, struct label *dlabel, struct vnode *vp,
- struct label *label, struct componentname *cnp);
+ struct vnode *dvp, struct label *dvplabel,
+ struct vnode *vp, struct label *vplabel,
+ struct componentname *cnp);
typedef int (*mpo_check_vnode_listextattr_t)(struct ucred *cred,
- struct vnode *vp, struct label *label,
+ struct vnode *vp, struct label *vplabel,
int attrnamespace);
typedef int (*mpo_check_vnode_lookup_t)(struct ucred *cred,
- struct vnode *dvp, struct label *dlabel,
+ struct vnode *dvp, struct label *dvplabel,
struct componentname *cnp);
typedef int (*mpo_check_vnode_mmap_t)(struct ucred *cred,
struct vnode *vp, struct label *label, int prot,
int flags);
typedef void (*mpo_check_vnode_mmap_downgrade_t)(struct ucred *cred,
- struct vnode *vp, struct label *label, int *prot);
+ struct vnode *vp, struct label *vplabel, int *prot);
typedef int (*mpo_check_vnode_mprotect_t)(struct ucred *cred,
- struct vnode *vp, struct label *label, int prot);
+ struct vnode *vp, struct label *vplabel, int prot);
typedef int (*mpo_check_vnode_open_t)(struct ucred *cred,
- struct vnode *vp, struct label *label, int acc_mode);
+ struct vnode *vp, struct label *vplabel, int acc_mode);
typedef int (*mpo_check_vnode_poll_t)(struct ucred *active_cred,
struct ucred *file_cred, struct vnode *vp,
- struct label *label);
+ struct label *vplabel);
typedef int (*mpo_check_vnode_read_t)(struct ucred *active_cred,
struct ucred *file_cred, struct vnode *vp,
- struct label *label);
+ struct label *vplabel);
typedef int (*mpo_check_vnode_readdir_t)(struct ucred *cred,
- struct vnode *dvp, struct label *dlabel);
+ struct vnode *dvp, struct label *dvplabel);
typedef int (*mpo_check_vnode_readlink_t)(struct ucred *cred,
- struct vnode *vp, struct label *label);
+ struct vnode *vp, struct label *vplabel);
typedef int (*mpo_check_vnode_relabel_t)(struct ucred *cred,
- struct vnode *vp, struct label *vnodelabel,
+ struct vnode *vp, struct label *vplabel,
struct label *newlabel);
typedef int (*mpo_check_vnode_rename_from_t)(struct ucred *cred,
- struct vnode *dvp, struct label *dlabel,
- struct vnode *vp, struct label *label,
+ struct vnode *dvp, struct label *dvplabel,
+ struct vnode *vp, struct label *vplabel,
struct componentname *cnp);
typedef int (*mpo_check_vnode_rename_to_t)(struct ucred *cred,
- struct vnode *dvp, struct label *dlabel,
- struct vnode *vp, struct label *label, int samedir,
+ struct vnode *dvp, struct label *dvplabel,
+ struct vnode *vp, struct label *vplabel, int samedir,
struct componentname *cnp);
typedef int (*mpo_check_vnode_revoke_t)(struct ucred *cred,
- struct vnode *vp, struct label *label);
+ struct vnode *vp, struct label *vplabel);
typedef int (*mpo_check_vnode_setacl_t)(struct ucred *cred,
- struct vnode *vp, struct label *label, acl_type_t type,
+ struct vnode *vp, struct label *vplabel, acl_type_t type,
struct acl *acl);
typedef int (*mpo_check_vnode_setextattr_t)(struct ucred *cred,
- struct vnode *vp, struct label *label, int attrnamespace,
- const char *name, struct uio *uio);
+ struct vnode *vp, struct label *vplabel,
+ int attrnamespace, const char *name, struct uio *uio);
typedef int (*mpo_check_vnode_setflags_t)(struct ucred *cred,
- struct vnode *vp, struct label *label, u_long flags);
+ struct vnode *vp, struct label *vplabel, u_long flags);
typedef int (*mpo_check_vnode_setmode_t)(struct ucred *cred,
- struct vnode *vp, struct label *label, mode_t mode);
+ struct vnode *vp, struct label *vplabel, mode_t mode);
typedef int (*mpo_check_vnode_setowner_t)(struct ucred *cred,
- struct vnode *vp, struct label *label, uid_t uid,
+ struct vnode *vp, struct label *vplabel, uid_t uid,
gid_t gid);
typedef int (*mpo_check_vnode_setutimes_t)(struct ucred *cred,
- struct vnode *vp, struct label *label,
+ struct vnode *vp, struct label *vplabel,
struct timespec atime, struct timespec mtime);
typedef int (*mpo_check_vnode_stat_t)(struct ucred *active_cred,
struct ucred *file_cred, struct vnode *vp,
- struct label *label);
+ struct label *vplabel);
typedef int (*mpo_check_vnode_write_t)(struct ucred *active_cred,
struct ucred *file_cred, struct vnode *vp,
- struct label *label);
+ struct label *vplabel);
typedef void (*mpo_associate_nfsd_label_t)(struct ucred *cred);
typedef int (*mpo_priv_check_t)(struct ucred *cred, int priv);
typedef int (*mpo_priv_grant_t)(struct ucred *cred, int priv);
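Review bot: `mpo_check_vnode_mmap_t` was skipped by this rename: it still reads `struct vnode *vp, struct label *label, int prot,` while every other vnode check in the hunk (including the adjacent `mpo_check_vnode_mmap_downgrade_t` and `mpo_check_vnode_mprotect_t`) now uses `vplabel`. Because these are prototype parameter names only, nothing changes for policy modules, but a reader scanning for "which label is this" will now see one outlier in the vnode section. Suggest `struct vnode *vp, struct label *vplabel, int prot,` so the whole section follows the `<object>label` convention the commit introduces.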
diff --git a/sys/security/mac/mac_process.c b/sys/security/mac/mac_process.c
index f9c8e2e..abba4a9 100644
--- a/sys/security/mac/mac_process.c
+++ b/sys/security/mac/mac_process.c
@@ -446,163 +446,168 @@ mac_check_cred_relabel(struct ucred *cred, struct label *newlabel)
}
int
-mac_check_cred_visible(struct ucred *u1, struct ucred *u2)
+mac_check_cred_visible(struct ucred *cr1, struct ucred *cr2)
{
int error;
- MAC_CHECK(check_cred_visible, u1, u2);
+ MAC_CHECK(check_cred_visible, cr1, cr2);
return (error);
}
int
-mac_check_proc_debug(struct ucred *cred, struct proc *proc)
+mac_check_proc_debug(struct ucred *cred, struct proc *p)
{
int error;
- PROC_LOCK_ASSERT(proc, MA_OWNED);
+ PROC_LOCK_ASSERT(p, MA_OWNED);
- MAC_CHECK(check_proc_debug, cred, proc);
+ MAC_CHECK(check_proc_debug, cred, p);
return (error);
}
int
-mac_check_proc_sched(struct ucred *cred, struct proc *proc)
+mac_check_proc_sched(struct ucred *cred, struct proc *p)
{
int error;
- PROC_LOCK_ASSERT(proc, MA_OWNED);
+ PROC_LOCK_ASSERT(p, MA_OWNED);
- MAC_CHECK(check_proc_sched, cred, proc);
+ MAC_CHECK(check_proc_sched, cred, p);
return (error);
}
int
-mac_check_proc_signal(struct ucred *cred, struct proc *proc, int signum)
+mac_check_proc_signal(struct ucred *cred, struct proc *p, int signum)
{
int error;
- PROC_LOCK_ASSERT(proc, MA_OWNED);
+ PROC_LOCK_ASSERT(p, MA_OWNED);
- MAC_CHECK(check_proc_signal, cred, proc, signum);
+ MAC_CHECK(check_proc_signal, cred, p, signum);
return (error);
}
int
-mac_check_proc_setuid(struct proc *proc, struct ucred *cred, uid_t uid)
+mac_check_proc_setuid(struct proc *p, struct ucred *cred, uid_t uid)
{
int error;
- PROC_LOCK_ASSERT(proc, MA_OWNED);
+ PROC_LOCK_ASSERT(p, MA_OWNED);
MAC_CHECK(check_proc_setuid, cred, uid);
return (error);
}
int
-mac_check_proc_seteuid(struct proc *proc, struct ucred *cred, uid_t euid)
+mac_check_proc_seteuid(struct proc *p, struct ucred *cred, uid_t euid)
{
int error;
- PROC_LOCK_ASSERT(proc, MA_OWNED);
+ PROC_LOCK_ASSERT(p, MA_OWNED);
MAC_CHECK(check_proc_seteuid, cred, euid);
return (error);
}
int
-mac_check_proc_setgid(struct proc *proc, struct ucred *cred, gid_t gid)
+mac_check_proc_setgid(struct proc *p, struct ucred *cred, gid_t gid)
{
int error;
- PROC_LOCK_ASSERT(proc, MA_OWNED);
+ PROC_LOCK_ASSERT(p, MA_OWNED);
MAC_CHECK(check_proc_setgid, cred, gid);
+
return (error);
}
int
-mac_check_proc_setegid(struct proc *proc, struct ucred *cred, gid_t egid)
+mac_check_proc_setegid(struct proc *p, struct ucred *cred, gid_t egid)
{
int error;
- PROC_LOCK_ASSERT(proc, MA_OWNED);
+ PROC_LOCK_ASSERT(p, MA_OWNED);
MAC_CHECK(check_proc_setegid, cred, egid);
+
return (error);
}
int
-mac_check_proc_setgroups(struct proc *proc, struct ucred *cred,
- int ngroups, gid_t *gidset)
+mac_check_proc_setgroups(struct proc *p, struct ucred *cred, int ngroups,
+ gid_t *gidset)
{
int error;
- PROC_LOCK_ASSERT(proc, MA_OWNED);
+ PROC_LOCK_ASSERT(p, MA_OWNED);
MAC_CHECK(check_proc_setgroups, cred, ngroups, gidset);
return (error);
}
int
-mac_check_proc_setreuid(struct proc *proc, struct ucred *cred, uid_t ruid,
- uid_t euid)
+mac_check_proc_setreuid(struct proc *p, struct ucred *cred, uid_t ruid,
+ uid_t euid)
{
int error;
- PROC_LOCK_ASSERT(proc, MA_OWNED);
+ PROC_LOCK_ASSERT(p, MA_OWNED);
MAC_CHECK(check_proc_setreuid, cred, ruid, euid);
+
return (error);
}
int
mac_check_proc_setregid(struct proc *proc, struct ucred *cred, gid_t rgid,
- gid_t egid)
+ gid_t egid)
{
int error;
PROC_LOCK_ASSERT(proc, MA_OWNED);
MAC_CHECK(check_proc_setregid, cred, rgid, egid);
+
return (error);
}
int
-mac_check_proc_setresuid(struct proc *proc, struct ucred *cred, uid_t ruid,
- uid_t euid, uid_t suid)
+mac_check_proc_setresuid(struct proc *p, struct ucred *cred, uid_t ruid,
+ uid_t euid, uid_t suid)
{
int error;
- PROC_LOCK_ASSERT(proc, MA_OWNED);
+ PROC_LOCK_ASSERT(p, MA_OWNED);
MAC_CHECK(check_proc_setresuid, cred, ruid, euid, suid);
return (error);
}
int
-mac_check_proc_setresgid(struct proc *proc, struct ucred *cred, gid_t rgid,
- gid_t egid, gid_t sgid)
+mac_check_proc_setresgid(struct proc *p, struct ucred *cred, gid_t rgid,
+ gid_t egid, gid_t sgid)
{
int error;
- PROC_LOCK_ASSERT(proc, MA_OWNED);
+ PROC_LOCK_ASSERT(p, MA_OWNED);
MAC_CHECK(check_proc_setresgid, cred, rgid, egid, sgid);
+
return (error);
}
int
-mac_check_proc_wait(struct ucred *cred, struct proc *proc)
+mac_check_proc_wait(struct ucred *cred, struct proc *p)
{
int error;
- PROC_LOCK_ASSERT(proc, MA_OWNED);
+ PROC_LOCK_ASSERT(p, MA_OWNED);
- MAC_CHECK(check_proc_wait, cred, proc);
+ MAC_CHECK(check_proc_wait, cred, p);
return (error);
}
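Review bot: `mac_check_proc_setregid` is the one function in this hunk not converted: its signature and `PROC_LOCK_ASSERT(proc, MA_OWNED)` still use `proc` while every sibling from `mac_check_proc_setuid` through `mac_check_proc_setresgid` now uses `p`. The miss is easy to see because the hunk does rewrap its continuation line (`gid_t egid)`) without touching the parameter name. Suggest `mac_check_proc_setregid(struct proc *p, struct ucred *cred, gid_t rgid,` together with `PROC_LOCK_ASSERT(p, MA_OWNED);`, which keeps the lock-assertion-then-MAC_CHECK shape identical to its neighbours.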
diff --git a/sys/security/mac/mac_socket.c b/sys/security/mac/mac_socket.c
index 1f12ea6..07722ad 100644
--- a/sys/security/mac/mac_socket.c
+++ b/sys/security/mac/mac_socket.c
@@ -155,13 +155,13 @@ mac_socket_peer_label_free(struct label *label)
}
void
-mac_destroy_socket(struct socket *socket)
+mac_destroy_socket(struct socket *so)
{
- mac_socket_label_free(socket->so_label);
- socket->so_label = NULL;
- mac_socket_peer_label_free(socket->so_peerlabel);
- socket->so_peerlabel = NULL;
+ mac_socket_label_free(so->so_label);
+ so->so_label = NULL;
+ mac_socket_peer_label_free(so->so_peerlabel);
+ so->so_peerlabel = NULL;
}
void
@@ -204,47 +204,47 @@ mac_internalize_socket_label(struct label *label, char *string)
}
void
-mac_create_socket(struct ucred *cred, struct socket *socket)
+mac_create_socket(struct ucred *cred, struct socket *so)
{
- MAC_PERFORM(create_socket, cred, socket, socket->so_label);
+ MAC_PERFORM(create_socket, cred, so, so->so_label);
}
void
-mac_create_socket_from_socket(struct socket *oldsocket,
- struct socket *newsocket)
+mac_create_socket_from_socket(struct socket *oldso, struct socket *newso)
{
- SOCK_LOCK_ASSERT(oldsocket);
- MAC_PERFORM(create_socket_from_socket, oldsocket, oldsocket->so_label,
- newsocket, newsocket->so_label);
+ SOCK_LOCK_ASSERT(oldso);
+
+ MAC_PERFORM(create_socket_from_socket, oldso, oldso->so_label, newso,
+ newso->so_label);
}
static void
-mac_relabel_socket(struct ucred *cred, struct socket *socket,
+mac_relabel_socket(struct ucred *cred, struct socket *so,
struct label *newlabel)
{
- SOCK_LOCK_ASSERT(socket);
- MAC_PERFORM(relabel_socket, cred, socket, socket->so_label, newlabel);
+ SOCK_LOCK_ASSERT(so);
+
+ MAC_PERFORM(relabel_socket, cred, so, so->so_label, newlabel);
}
void
-mac_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct socket *socket)
+mac_set_socket_peer_from_mbuf(struct mbuf *m, struct socket *so)
{
struct label *label;
- SOCK_LOCK_ASSERT(socket);
+ SOCK_LOCK_ASSERT(so);
- label = mac_mbuf_to_label(mbuf);
+ label = mac_mbuf_to_label(m);
- MAC_PERFORM(set_socket_peer_from_mbuf, mbuf, label, socket,
- socket->so_peerlabel);
+ MAC_PERFORM(set_socket_peer_from_mbuf, m, label, so,
+ so->so_peerlabel);
}
void
-mac_set_socket_peer_from_socket(struct socket *oldsocket,
- struct socket *newsocket)
+mac_set_socket_peer_from_socket(struct socket *oldso, struct socket *newso)
{
/*
@@ -252,97 +252,94 @@ mac_set_socket_peer_from_socket(struct socket *oldsocket,
* is the original, and one is the new. However, it's called in both
* directions, so we can't assert the lock here currently.
*/
- MAC_PERFORM(set_socket_peer_from_socket, oldsocket,
- oldsocket->so_label, newsocket, newsocket->so_peerlabel);
+ MAC_PERFORM(set_socket_peer_from_socket, oldso, oldso->so_label,
+ newso, newso->so_peerlabel);
}
void
-mac_create_mbuf_from_socket(struct socket *socket, struct mbuf *mbuf)
+mac_create_mbuf_from_socket(struct socket *so, struct mbuf *m)
{
struct label *label;
- label = mac_mbuf_to_label(mbuf);
+ SOCK_LOCK_ASSERT(so);
+
+ label = mac_mbuf_to_label(m);
- SOCK_LOCK_ASSERT(socket);
- MAC_PERFORM(create_mbuf_from_socket, socket, socket->so_label, mbuf,
- label);
+ MAC_PERFORM(create_mbuf_from_socket, so, so->so_label, m, label);
}
int
-mac_check_socket_accept(struct ucred *cred, struct socket *socket)
+mac_check_socket_accept(struct ucred *cred, struct socket *so)
{
int error;
- SOCK_LOCK_ASSERT(socket);
+ SOCK_LOCK_ASSERT(so);
- MAC_CHECK(check_socket_accept, cred, socket, socket->so_label);
+ MAC_CHECK(check_socket_accept, cred, so, so->so_label);
return (error);
}
int
-mac_check_socket_bind(struct ucred *ucred, struct socket *socket,
- struct sockaddr *sockaddr)
+mac_check_socket_bind(struct ucred *ucred, struct socket *so,
+ struct sockaddr *sa)
{
int error;
- SOCK_LOCK_ASSERT(socket);
+ SOCK_LOCK_ASSERT(so);
- MAC_CHECK(check_socket_bind, ucred, socket, socket->so_label,
- sockaddr);
+ MAC_CHECK(check_socket_bind, ucred, so, so->so_label, sa);
return (error);
}
int
-mac_check_socket_connect(struct ucred *cred, struct socket *socket,
- struct sockaddr *sockaddr)
+mac_check_socket_connect(struct ucred *cred, struct socket *so,
+ struct sockaddr *sa)
{
int error;
- SOCK_LOCK_ASSERT(socket);
+ SOCK_LOCK_ASSERT(so);
- MAC_CHECK(check_socket_connect, cred, socket, socket->so_label,
- sockaddr);
+ MAC_CHECK(check_socket_connect, cred, so, so->so_label, sa);
return (error);
}
int
-mac_check_socket_create(struct ucred *cred, int domain, int type,
- int protocol)
+mac_check_socket_create(struct ucred *cred, int domain, int type, int proto)
{
int error;
- MAC_CHECK(check_socket_create, cred, domain, type, protocol);
+ MAC_CHECK(check_socket_create, cred, domain, type, proto);
return (error);
}
int
-mac_check_socket_deliver(struct socket *socket, struct mbuf *mbuf)
+mac_check_socket_deliver(struct socket *so, struct mbuf *m)
{
struct label *label;
int error;
- SOCK_LOCK_ASSERT(socket);
+ SOCK_LOCK_ASSERT(so);
- label = mac_mbuf_to_label(mbuf);
+ label = mac_mbuf_to_label(m);
- MAC_CHECK(check_socket_deliver, socket, socket->so_label, mbuf,
- label);
+ MAC_CHECK(check_socket_deliver, so, so->so_label, m, label);
return (error);
}
int
-mac_check_socket_listen(struct ucred *cred, struct socket *socket)
+mac_check_socket_listen(struct ucred *cred, struct socket *so)
{
int error;
- SOCK_LOCK_ASSERT(socket);
+ SOCK_LOCK_ASSERT(so);
+
+ MAC_CHECK(check_socket_listen, cred, so, so->so_label);
- MAC_CHECK(check_socket_listen, cred, socket, socket->so_label);
return (error);
}
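Review bot: `mac_check_socket_bind` still names its credential parameter `ucred` (`struct ucred *ucred`, passed as `ucred` to `MAC_CHECK`), whereas every other entry point in this hunk and the corresponding `mpo_check_socket_bind_t` typedef in mac_policy.h use `cred`. The hunk already rewrites this function's signature and its `MAC_CHECK` line for the `so`/`sa` renames, so the inconsistency is introduced-by-omission here rather than inherited. Suggest `mac_check_socket_bind(struct ucred *cred, struct socket *so,` and `MAC_CHECK(check_socket_bind, cred, so, so->so_label, sa);` so the framework entry point and the policy prototype read the same way.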
@@ -354,6 +351,7 @@ mac_check_socket_poll(struct ucred *cred, struct socket *so)
SOCK_LOCK_ASSERT(so);
MAC_CHECK(check_socket_poll, cred, so, so->so_label);
+
return (error);
}
@@ -370,15 +368,14 @@ mac_check_socket_receive(struct ucred *cred, struct socket *so)
}
static int
-mac_check_socket_relabel(struct ucred *cred, struct socket *socket,
+mac_check_socket_relabel(struct ucred *cred, struct socket *so,
struct label *newlabel)
{
int error;
- SOCK_LOCK_ASSERT(socket);
+ SOCK_LOCK_ASSERT(so);
- MAC_CHECK(check_socket_relabel, cred, socket, socket->so_label,
- newlabel);
+ MAC_CHECK(check_socket_relabel, cred, so, so->so_label, newlabel);
return (error);
}
@@ -408,13 +405,13 @@ mac_check_socket_stat(struct ucred *cred, struct socket *so)
}
int
-mac_check_socket_visible(struct ucred *cred, struct socket *socket)
+mac_check_socket_visible(struct ucred *cred, struct socket *so)
{
int error;
- SOCK_LOCK_ASSERT(socket);
+ SOCK_LOCK_ASSERT(so);
- MAC_CHECK(check_socket_visible, cred, socket, socket->so_label);
+ MAC_CHECK(check_socket_visible, cred, so, so->so_label);
return (error);
}
diff --git a/sys/security/mac/mac_system.c b/sys/security/mac/mac_system.c
index 07a975c..380466e 100644
--- a/sys/security/mac/mac_system.c
+++ b/sys/security/mac/mac_system.c
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 2002, 2003 Networks Associates Technology, Inc.
+ * Copyright (c) 2002-2003 Networks Associates Technology, Inc.
* Copyright (c) 2007 Robert N. M. Watson
* All rights reserved.
*